Recognizing if statements in disassembly
Recognizing an if statement in disassembly basically revolves around the Jcc (conditional jump) instructions. To understand this deeply, practice with each of the Jcc instructions yourself.
The shape is always the same: first an instruction that sets the flags (cmp in every example below), then a conditional jump on those flags:
jxx target
1. Case I
mov eax, dword ptr [ebp + 8]
cmp eax, dword ptr [ebp + 0Ch]        analysis: cmp sets the flags
jle 00401059                          jle: jump if less than or equal (signed compare)
2. Case II
mov eax, dword ptr [ebp + 8]
cmp eax, dword ptr [ebp + 0Ch]        analysis: cmp sets the flags
jl 00401059                           jl: jump if less than (signed compare)
3. Case III
mov eax, dword ptr [ebp + 8]
cmp eax, dword ptr [ebp + 0Ch]
jge 00401059                          jge: jump if greater than or equal (signed compare)
4. Case IV
mov eax, dword ptr [ebp + 8]
cmp eax, dword ptr [ebp + 0Ch]
jg 00401059                           jg: jump if greater than (signed compare)
Only four are listed here; if you are interested, try every Jcc instruction to deepen your understanding.
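To make the flag mechanics concrete, here is an added example (not code from the original article) that emulates what cmp does to ZF, SF, OF and CF and then evaluates the signed Jcc family used in the four cases above next to the unsigned family (jb/jbe/ja/jae). The type and function names are my own; case1_jle_taken reproduces the page's `mov eax,[ebp+8]; cmp eax,[ebp+0Ch]; jle` sequence, and the operand pairs in main are constructed test inputs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flags that `cmp a, b` (computed as a - b, result discarded) leaves behind. */
typedef struct {
    bool zf, sf, of, cf;
} flags_t;

/* Emulate the flag effects of `cmp a, b` on 32-bit operands. */
flags_t cmp32(uint32_t a, uint32_t b)
{
    uint32_t r = a - b;
    flags_t f;
    f.zf = (r == 0);                               /* result is zero            */
    f.sf = (r >> 31) & 1u;                         /* sign bit of the result    */
    f.cf = (a < b);                                /* unsigned borrow           */
    f.of = (((a ^ b) & (a ^ r)) >> 31) & 1u;       /* signed overflow           */
    return f;
}

typedef enum { JE, JNE, JL, JLE, JG, JGE, JB, JBE, JA, JAE } jcc_t;

/* Does conditional jump `j` take the branch given flags `f`? */
bool jcc_taken(jcc_t j, flags_t f)
{
    switch (j) {
    case JE:  return f.zf;
    case JNE: return !f.zf;
    /* Signed family (the one the four cases above use): SF, OF, ZF. */
    case JL:  return f.sf != f.of;
    case JLE: return f.zf || (f.sf != f.of);
    case JG:  return !f.zf && (f.sf == f.of);
    case JGE: return f.sf == f.of;
    /* Unsigned family: CF, ZF. */
    case JB:  return f.cf;
    case JBE: return f.cf || f.zf;
    case JA:  return !f.cf && !f.zf;
    case JAE: return !f.cf;
    }
    return false;
}

/* Case I from the page: mov eax,X ; cmp eax,Y ; jle target.
 * Returns true when the jump is taken, i.e. when the code after the jle is skipped. */
bool case1_jle_taken(int32_t x, int32_t y)
{
    return jcc_taken(JLE, cmp32((uint32_t)x, (uint32_t)y));
}

/* Cross-check: the emulated signed family must agree with C's signed comparison
 * and the unsigned family with C's unsigned comparison for the given pair. */
bool emulation_consistent(int32_t a, int32_t b)
{
    flags_t f = cmp32((uint32_t)a, (uint32_t)b);
    uint32_t ua = (uint32_t)a, ub = (uint32_t)b;
    return jcc_taken(JL,  f) == (a  <  b)  && jcc_taken(JLE, f) == (a  <= b)  &&
           jcc_taken(JG,  f) == (a  >  b)  && jcc_taken(JGE, f) == (a  >= b)  &&
           jcc_taken(JB,  f) == (ua <  ub) && jcc_taken(JBE, f) == (ua <= ub) &&
           jcc_taken(JA,  f) == (ua >  ub) && jcc_taken(JAE, f) == (ua >= ub) &&
           jcc_taken(JE,  f) == (a == b);
}

int main(void)
{
    /* Constructed operand pairs, including the page's call (4, 5) and two sign edge cases. */
    int32_t pairs[][2] = { {4, 5}, {5, 4}, {-1, 1}, {INT32_MIN, 1}, {7, 7} };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
        int32_t a = pairs[i][0], b = pairs[i][1];
        flags_t f = cmp32((uint32_t)a, (uint32_t)b);
        printf("cmp %11ld,%11ld  ZF=%d SF=%d OF=%d CF=%d  jl=%d jb=%d  consistent=%d\n",
               (long)a, (long)b, f.zf, f.sf, f.of, f.cf,
               jcc_taken(JL, f), jcc_taken(JB, f), emulation_consistent(a, b));
    }
    return 0;
}
```

The mnemonic tells you which comparison the compiler emitted: jle/jl/jge/jg read SF and OF and are signed, jbe/jb/jae/ja read CF and are unsigned. The (-1, 1) row shows why that matters when reading a bounds check: jl is taken because -1 < 1 as a signed value, while jb is not because 0xFFFFFFFF is not below 1 as an unsigned value. Note which family a Jcc belongs to before translating it back into a C comparison.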
Case analysis
When analyzing an if statement we first need the overall picture: before the function body, look at the call site, as follows.
Call-site code:
push 5                analysis: the two parameters are pushed, right to left
push 4
call 0040100f
add esp,8             the caller removes the 8 bytes of arguments (cdecl)
Analysis of the first instance:
00401030 push ebp
00401031 mov ebp,esp
00401033 sub esp,40h
00401036 push ebx
00401037 push esi
00401038 push edi
00401039 lea edi,[ebp-40h]
0040103C mov ecx,10h
00401041 mov eax,0CCCCCCCCh
00401046 rep stos dword ptr [edi]
00401048 mov eax,dword ptr [ebp+8]
0040104B cmp eax,dword ptr [ebp+0Ch]
0040104E jle 00401059
00401050 mov ecx,dword ptr [ebp+8]
00401053 mov dword ptr [004225c4],ecx
00401059 pop edi
0040105A pop esi
0040105B pop ebx
0040105C mov esp,ebp
0040105E pop ebp
0040105F ret
I color-coded this in Excel: the two identically colored blocks at the top and bottom are the stack setup and teardown we explored earlier and can be skipped; the actual function body is the middle (purple) block.
Our analysis process can be roughly divided into the following five steps:
Analysis of the function body:
1. Analyze the parameters:
[ebp+8]: X    [ebp+0Ch]: Y
2. Analyze the local variables:
none
3. Analyze the global variables:
mov dword ptr [004225c4],ecx
4. Functional analysis:
mov eax,dword ptr [ebp+8]
cmp eax,dword ptr [ebp+0Ch]
Load parameter X into EAX, then compare EAX with parameter Y.
If X <= Y, jump to 00401059 (the epilogue), skipping the store.
Otherwise store the value of X into the global variable.
5. Analyze the return value:
none
Analysis of the second instance:
Call-site code:
push 5
push 4
call 0040100f
add esp,8
Inside the function:
00401030 push ebp
00401031 mov ebp,esp
00401033 sub esp,44h
00401036 push ebx
00401037 push esi
00401038 push edi
00401039 lea edi,[ebp-44h]
0040103C mov ecx,11h
00401041 mov eax,0CCCCCCCCh
00401046 rep stos dword ptr [edi]
00401048 mov eax,[004225c4]
0040104D mov dword ptr [ebp-4],eax
00401050 mov ecx,dword ptr [ebp+8]
00401053 cmp ecx,dword ptr [ebp+0Ch]
00401056 jg 00401064
00401058 mov edx,dword ptr [ebp+0Ch]
0040105B add edx,dword ptr [ebp-4]
0040105E mov dword ptr [004225c4],edx
00401064 pop edi
00401065 pop esi
00401066 pop ebx
00401067 mov esp,ebp
00401069 pop ebp
0040106A ret
I marked the colors in Excel again:
Analysis of the function body:
1. Analyze the parameters:
Y: [ebp+8]    Z: [ebp+0Ch]
2. Analyze the local variables:
A: [ebp-4]
3. Analyze the global variables:
Global: dword ptr [004225c4]
4. Functional analysis:
a. 00401048 mov eax,[004225c4]
   0040104D mov dword ptr [ebp-4],eax
   A = Global
b. 00401050 mov ecx,dword ptr [ebp+8]
   00401053 cmp ecx,dword ptr [ebp+0Ch]
   Compare parameters Y and Z.
c. 00401056 jg 00401064
   If Y is greater than Z, jump to 0x00401064 (the epilogue); otherwise fall through to the next step.
d. 00401058 mov edx,dword ptr [ebp+0Ch]
   0040105B add edx,dword ptr [ebp-4]
   0040105E mov dword ptr [004225c4],edx
   Reaching this point means Y <= Z: add Z and A, and store the sum into Global.
5. Analyze the return value:
none
6. Restore to a C function:
int Global;
void function(int Y, int Z)    /* Y = [ebp+8] is the first parameter, Z = [ebp+0Ch] the second (cdecl pushes right to left) */
{
    int A = Global;
    if (Y <= Z)
    {
        Global = A + Z;
    }
}
Recognizing IF...ELSE... statements in disassembly:
IF_BEGIN:
first the instructions that set the flags
jxx ELSE_BEGIN
......
IF_END:
jmp END
ELSE_BEGIN:
......
ELSE_END:
END:
Characteristics:
1. If the jxx is not taken, execution runs down to the jmp, which jumps straight to END.
2. If the jxx is taken, everything up to and including the jmp END is skipped, and execution continues with the code after it.
Summary:
When the jump is taken one part of the code runs; when it is not taken the other part runs.
If the instruction just before the address the first jxx jumps to is a jmp, the construct can be judged to be an if...else... statement.
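The rule in the summary (an unconditional jmp sitting just before the jxx target means if...else, no jmp means a plain if) can be written down as a small scanner. This is an added example, not code from the article; the instruction records below are constructed by hand from the page's two listings (the plain if body at 00401048..00401059 and the if...else body at 004010C8..004010F1), and the type and function names are assumptions of mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded instruction: address, mnemonic, and branch target (0 when not a branch). */
typedef struct {
    uint32_t addr;
    const char *mnem;
    uint32_t target;
} insn_t;

typedef enum { SHAPE_UNKNOWN, SHAPE_IF, SHAPE_IF_ELSE } shape_t;

#define NELEMS(a) (sizeof (a) / sizeof (a)[0])

/* Constructed from the page's first `if` listing (function at 00401030), body only. */
const insn_t if_listing[] = {
    {0x00401048, "mov", 0}, {0x0040104B, "cmp", 0}, {0x0040104E, "jle", 0x00401059},
    {0x00401050, "mov", 0}, {0x00401053, "mov", 0}, {0x00401059, "pop", 0},
};

/* Constructed from the page's if...else listing (function at 004010B0), body only. */
const insn_t if_else_listing[] = {
    {0x004010C8, "mov", 0}, {0x004010CD, "mov", 0}, {0x004010D0, "mov", 0},
    {0x004010D3, "cmp", 0}, {0x004010D6, "jle", 0x004010E6},
    {0x004010D8, "mov", 0}, {0x004010DB, "add", 0}, {0x004010DE, "mov", 0},
    {0x004010E4, "jmp", 0x004010F1},
    {0x004010E6, "mov", 0}, {0x004010E9, "add", 0}, {0x004010EC, "mov", 0},
    {0x004010F1, "pop", 0},
};

/* Conditional jump: any j-mnemonic other than the unconditional jmp. */
static int is_jcc(const char *m) { return m[0] == 'j' && strcmp(m, "jmp") != 0; }

static int index_of(const insn_t *code, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (code[i].addr == addr) return (int)i;
    return -1;
}

/* Index of the first conditional jump in the listing, or -1. */
int scan_first_jcc(const insn_t *code, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (is_jcc(code[i].mnem)) return (int)i;
    return -1;
}

/* Classify the conditional branch at code[jcc] using the page's rule:
 * the jcc skips the if-body; if the instruction right before its target is a forward
 * jmp, that jmp skips an else-body (if...else), otherwise there is no else (plain if).
 * For if...else, *else_end receives the jmp's target, i.e. the END label. */
shape_t classify_branch(const insn_t *code, size_t n, size_t jcc, uint32_t *else_end)
{
    if (jcc >= n || !is_jcc(code[jcc].mnem)) return SHAPE_UNKNOWN;
    int t = index_of(code, n, code[jcc].target);
    if (t <= (int)jcc) return SHAPE_UNKNOWN;     /* unresolved or backward target (a loop), not this pattern */
    const insn_t *before = &code[t - 1];
    if (strcmp(before->mnem, "jmp") == 0 && before->target > code[jcc].target) {
        if (else_end) *else_end = before->target;
        return SHAPE_IF_ELSE;
    }
    return SHAPE_IF;
}

shape_t classify_if_listing(void)
{
    int j = scan_first_jcc(if_listing, NELEMS(if_listing));
    return j < 0 ? SHAPE_UNKNOWN : classify_branch(if_listing, NELEMS(if_listing), (size_t)j, NULL);
}

shape_t classify_if_else_listing(void)
{
    int j = scan_first_jcc(if_else_listing, NELEMS(if_else_listing));
    return j < 0 ? SHAPE_UNKNOWN : classify_branch(if_else_listing, NELEMS(if_else_listing), (size_t)j, NULL);
}

/* The END address of the if...else listing as found by the scanner (0 if not if...else). */
uint32_t if_else_listing_end(void)
{
    uint32_t end = 0;
    int j = scan_first_jcc(if_else_listing, NELEMS(if_else_listing));
    if (j >= 0) classify_branch(if_else_listing, NELEMS(if_else_listing), (size_t)j, &end);
    return end;
}

int main(void)
{
    static const char *names[] = { "unknown", "if", "if...else" };
    printf("listing at 00401048: %s\n", names[classify_if_listing()]);
    printf("listing at 004010C8: %s, END = %08X\n", names[classify_if_else_listing()],
           (unsigned)if_else_listing_end());
    return 0;
}
```

This is the layout a debug build produces, which is what the listings on this page show. An optimizing compiler may invert the condition, place the else-body first, or replace the branch with setcc/cmov, so treat the rule as a hint and confirm it by reading both paths.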
Analysis of the first case
004010B0 push ebp
004010B1 mov ebp,esp
004010B3 sub esp,44h
004010B6 push ebx
004010B7 push esi
004010B8 push edi
004010B9 lea edi,[ebp-44h]
004010BC mov ecx,11h
004010C1 mov eax,0CCCCCCCCh
004010C6 rep stos dword ptr [edi]
004010C8 mov eax,[004225c4]
004010CD mov dword ptr [ebp-4],eax
004010D0 mov ecx,dword ptr [ebp+8]
004010D3 cmp ecx,dword ptr [ebp+0Ch]
004010D6 jle 004010e6
004010D8 mov edx,dword ptr [ebp+8]
004010DB add edx,dword ptr [ebp-4]
004010DE mov dword ptr [004225c4],edx
004010E4 jmp 004010f1
004010E6 mov eax,dword ptr [ebp+0Ch]
004010E9 add eax,dword ptr [ebp-4]
004010EC mov [004225c4],eax
004010F1 pop edi
004010F2 pop esi
004010F3 pop ebx
004010F4 mov esp,ebp
004010F6 pop ebp
004010F7 ret
Analysis of the function body:
1. Analyze the parameters:
[ebp+8]: X    [ebp+0Ch]: Y
2. Analyze the local variables:
[ebp-4] = eax = [004225c4]
3. Analyze the global variables:
[004225c4]: Global
4. Functional analysis:
a. 004010C8 mov eax,[004225c4]
   004010CD mov dword ptr [ebp-4],eax
   Local = Global
b. 004010D0 mov ecx,dword ptr [ebp+8]
   004010D3 cmp ecx,dword ptr [ebp+0Ch]
   Compare X with Y.
c. 004010D6 jle 004010e6
   If X <= Y the jump is taken and the else-body runs:
   004010E6 mov eax,dword ptr [ebp+0Ch]       Y
   004010E9 add eax,dword ptr [ebp-4]         Local + Y
   004010EC mov [004225c4],eax                Global = Local + Y
d. If X > Y the jump is not taken and the if-body runs:
   004010D8 mov edx,dword ptr [ebp+8]         X
   004010DB add edx,dword ptr [ebp-4]         Local + X
   004010DE mov dword ptr [004225c4],edx      Global = Local + X
   004010E4 jmp 004010f1                      skip the else-body
5. Analyze the return value:
none
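The page restores only the second instance to C. As an added example (not the article's own code), here are all three functions restored with the same five-step method: the first if instance, the second instance, and the if...else function just analyzed, each with the parameter order following the frame offsets ([ebp+8] first, [ebp+0Ch] second, as cdecl pushes right to left). The names example1/example2/example3, arg_at_ebp_offset and run_example are mine, the constructed frame models the page's `push 5; push 4; call` site, and Global is the name the page gives to [004225c4].

```c
#include <stdio.h>

/* The global at 004225c4 in the listings. */
int Global;

/* First `if` instance (function at 00401030): X = [ebp+8], Y = [ebp+0Ch].
 * `jle 00401059` jumps over the store when X <= Y, so the store runs only when X > Y. */
void example1(int X, int Y)
{
    if (X > Y) {
        Global = X;                 /* mov dword ptr [004225c4],ecx */
    }
}

/* Second instance (function at 00401030 in the second listing): Y = [ebp+8], Z = [ebp+0Ch].
 * `jg 00401064` jumps over the update when Y > Z. */
void example2(int Y, int Z)
{
    int A = Global;                 /* [ebp-4] */
    if (Y <= Z) {
        Global = A + Z;             /* add edx,[ebp-4] ; mov [004225c4],edx */
    }
}

/* if...else instance (function at 004010B0): X = [ebp+8], Y = [ebp+0Ch].
 * `jle 004010e6` selects the else-body; the `jmp 004010f1` after the if-body skips it. */
void example3(int X, int Y)
{
    int Local = Global;             /* [ebp-4] */
    if (X > Y) {
        Global = Local + X;         /* 004010D8..004010DE, then jmp 004010f1 */
    } else {
        Global = Local + Y;         /* 004010E6..004010EC */
    }
}

/* The call site `push 5; push 4; call f; add esp,8` is cdecl: arguments are pushed right
 * to left, so the last value pushed (4) is the first parameter at [ebp+8] and 5 is the
 * second at [ebp+0Ch]. This constructed frame models what the callee sees after
 * `push ebp; mov ebp,esp`; offsets are in bytes. */
int arg_at_ebp_offset(int offset)
{
    static const int frame[] = { 0 /* saved ebp */, 0 /* return address */, 4, 5 };
    return frame[offset / 4];
}

/* Run one of the restored functions with Global preset; returns the resulting Global. */
int run_example(int which, int initial_global, int arg1, int arg2)
{
    Global = initial_global;
    switch (which) {
    case 1: example1(arg1, arg2); break;
    case 2: example2(arg1, arg2); break;
    case 3: example3(arg1, arg2); break;
    default: break;
    }
    return Global;
}

int main(void)
{
    int a1 = arg_at_ebp_offset(8), a2 = arg_at_ebp_offset(0xC);
    printf("call site push 5; push 4 -> [ebp+8]=%d [ebp+0Ch]=%d\n", a1, a2);
    printf("example1(%d,%d): Global 0 -> %d\n", a1, a2, run_example(1, 0, a1, a2));
    printf("example2(%d,%d): Global 10 -> %d\n", a1, a2, run_example(2, 10, a1, a2));
    printf("example3(%d,%d): Global 10 -> %d\n", a1, a2, run_example(3, 10, a1, a2));
    printf("example3(9,5):  Global 10 -> %d\n", run_example(3, 10, 9, 5));
    return 0;
}
```

With the page's call site the first function leaves Global untouched (4 <= 5, jle taken), the second adds Z to it (4 <= 5, jg not taken), and the if...else function takes the else path. Getting the parameter order right matters: reading [ebp+8] as the second parameter silently swaps the meaning of every comparison in the restored code.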
To be continued......