-
逆向-破零ARM 64位版本
#include
#include
#includevoid aaa()
{
/*400734: a9b97bfd stp x29, x30, [sp, #-112]!
400738: 910003fd mov x29, sp
40073c: 52800140 mov w0, #0xa // #10
400740: b90013a0 str w0, [x29, #16] // [x29+16]=10
400744: 52800280 mov w0, #0x14 // #20
400748: b90017a0 str w0, [x29, #20] // [x29+20]=20 */
int a[2] = {10, 20};//40074c: 910043a0 add x0, x29, #0x10 // x0=x29+0x10 = 0x7ffffff3b0
//400750: f90037a0 str x0, [x29, #104] // [x29+104]=x29+0x10 --> 0x7ffffff408:0x7ffffff3b0
int *p1 = a;/*400754: 90000000 adrp x0, 400000 <_init-0x480>
400758: 91362000 add x0, x0, #0xd88 // x0=0x400d88
40075c: 910063a2 add x2, x29, #0x18 // x2=x29+0x18 = 0x7ffffff3b8
400760: aa0003e3 mov x3, x0 // x3=0x400d88
400764: a9400460 ldp x0, x1, [x3] // x0=[0x400d88]=0x200000001, x1=[0x400d90]=0xfffffff700000003
400768: a9000440 stp x0, x1, [x2] // [x29+0x18]=0x200000001, [x28+0x20]=0xfffffff700000003
40076c: a9410460 ldp x0, x1, [x3, #16] // x0=0x500000004 x1=0xfffffff800000006
400770: a9010440 stp x0, x1, [x2, #16] // 0x7ffffff3c8:0x0000000500000004 0x7ffffff3d0:0xfffffff800000006*/
int b[2][4] = {{1, 2, 3, -9}, {4, 5, 6, -8}};/*400774: 910063a0 add x0, x29, #0x18 // x0 = 0x7ffffff3b8
400778: f90033a0 str x0, [x29, #96] // 0x7ffffff400:0x7ffffff3b8 */
int (*p2)[4] = b;/*40077c: 52800041 mov w1, #0x2 // w1 = #2
400780: f94037a0 ldr x0, [x29, #104] // x0 = 0x7ffffff3b0
400784: 94000021 bl 400808// 400808(0x7ffffff3b0, 2)
400788: b9005fa0 str w0, [x29, #92] // 0x7ffffff3fc:0xfffff3b80000001e*/
int var1 = sum(p1, 2);/*40078c: 52800041 mov w1, #0x2 // #2
400790: f94033a0 ldr x0, [x29, #96] // x0 = 0x7ffffff3b8
400794: 94000035 bl 400868// 400868(0x7ffffff3b8, 2)
400798: b9005ba0 str w0, [x29, #88]*/
int var2 = sum2d(p2, 2);/*40079c: 90000000 adrp x0, 400000 <_init-0x480>
4007a0: 9136a000 add x0, x0, #0xda8
4007a4: 9100e3a2 add x2, x29, #0x38
4007a8: aa0003e3 mov x3, x0
4007ac: a9400460 ldp x0, x1, [x3]
4007b0: a9000440 stp x0, x1, [x2]
4007b4: f9400860 ldr x0, [x3, #16]
4007b8: f9000840 str x0, [x2, #16]*/
int c[6] = {4, 4, 4, 5, 5, 5};/*4007bc: 9100e3a0 add x0, x29, #0x38
4007c0: 528000c1 mov w1, #0x6 // #6
4007c4: 94000011 bl 400808
4007c8: b90057a0 str w0, [x29, #84]*/
int var3 = sum(c, 6);/*4007cc: 90000000 adrp x0, 400000 <_init-0x480>
4007d0: 91356000 add x0, x0, #0xd58
4007d4: b9405fa1 ldr w1, [x29, #92]
4007d8: 97ffff46 bl 4004f0
printf(" = %d\n", var1);/*4007dc: 90000000 adrp x0, 400000 <_init-0x480>
4007e0: 9135a000 add x0, x0, #0xd68
4007e4: b9405ba1 ldr w1, [x29, #88]
4007e8: 97ffff42 bl 4004f0
printf(" = %d\n", var1);/*4007ec: 90000000 adrp x0, 400000 <_init-0x480>
4007f0: 9135e000 add x0, x0, #0xd78
4007f4: b94057a1 ldr w1, [x29, #84]
4007f8: 97ffff3e bl 4004f0
printf(" = %d\n", var1);/*4007fc: d503201f nop
400800: a8c77bfd ldp x29, x30, [sp], #112
400804: d65f03c0 ret */
}int sum(int *va, int vb)
{
/*400808: d10083ff sub sp, sp, #0x20 // sp = 0x7ffffff380
40080c: f90007e0 str x0, [sp, #8] // x0 = 0x7ffffff3b0
400810: b90007e1 str w1, [sp, #4] // w1 = 2
400814: b9001bff str wzr, [sp, #24] // 0x7ffffff398: 0x0000000000000000
400818: b9001fff str wzr, [sp, #28] // 0x7ffffff39c: 0xfffff41000000000 */
int j = 0;
int i = 0;/*40081c: 1400000c b 40084c
400820: b9801fe0 ldrsw x0, [sp, #28] // x0 = 0 x0 = 1
400824: d37ef400 lsl x0, x0, #2 // x0 = 0 x0 = 4
400828: f94007e1 ldr x1, [sp, #8] // x1 = 0x7ffffff3b0 0x7ffffff3b0
40082c: 8b000020 add x0, x1, x0 // x0 = 0x7ffffff3b0 0x7ffffff3b4
400830: b9400000 ldr w0, [x0] // w0 = 10 w0 = 20
400834: b9401be1 ldr w1, [sp, #24] // w1 = 0 w1 = 10
400838: 0b000020 add w0, w1, w0 // w0 = 10 w0 = 30
40083c: b9001be0 str w0, [sp, #24] // [sp+24]=10 [sp+24]=30
400840: b9401fe0 ldr w0, [sp, #28] // w0 = 0 w0 = 1
400844: 11000400 add w0, w0, #0x1 // w0 = 1 w0 = 2
400848: b9001fe0 str w0, [sp, #28] // [sp+28]=1 [sp+28]=2
40084c: b9401fe1 ldr w1, [sp, #28] // w1 = 0, 1 2
400850: b94007e0 ldr w0, [sp, #4] // w0 = 2 2
400854: 6b00003f cmp w1, w0
400858: 54fffe4b b.lt 400820
for (i = 0; i < vb; i++) {
j += va[i];
}
/*40085c: b9401be0 ldr w0, [sp, #24] // w0 = 30
400860: 910083ff add sp, sp, #0x20 // sp = 0x7ffffff3a0
400864: d65f03c0 ret*/
return j;
}int sum2d(int (*va)[4], int vb)
{
/*400868: d10083ff sub sp, sp, #0x20 // sp = 0x7ffffff380
40086c: f90007e0 str x0, [sp, #8] // 0x7ffffff3b8
400870: b90007e1 str w1, [sp, #4] // 2
400874: b90017ff str wzr, [sp, #20] // 0
400878: b9001fff str wzr, [sp, #28] // 0 */
int j = 0;
int i = 0;
int k = 0;/*40087c: 14000015 b 4008d0
400880: b9001bff str wzr, [sp, #24] // 0
400884: 1400000d b 4008b8
400888: b9801fe0 ldrsw x0, [sp, #28] // x0 = 0 x0 = 0
40088c: d37cec00 lsl x0, x0, #4 // x0 = 0 x0 = 0
400890: f94007e1 ldr x1, [sp, #8] // x1 = 0x7ffffff3b8 x1=0x7ffffff3b8
400894: 8b000020 add x0, x1, x0 // x0 = 0x7ffffff3b8 x0=0x7ffffff3b8
400898: b9801be1 ldrsw x1, [sp, #24] // x1 = 0 x1 = 1
40089c: b8617800 ldr w0, [x0, x1, lsl #2] // [0x7ffffff3b8]=1 [0x7ffffff3bc]=2
4008a0: b94017e1 ldr w1, [sp, #20] // w1 = 0
4008a4: 0b000020 add w0, w1, w0 // w0 = 1
4008a8: b90017e0 str w0, [sp, #20] // [sp+20]=1
4008ac: b9401be0 ldr w0, [sp, #24] // w0 = 0
4008b0: 11000400 add w0, w0, #0x1 // w0 = 1
4008b4: b9001be0 str w0, [sp, #24] // [sp+24] = 1
4008b8: b9401be0 ldr w0, [sp, #24] // 0, 1
4008bc: 71000c1f cmp w0, #0x3 // [ EL=0 SS N ]
4008c0: 54fffe4d b.le 400888
4008c4: b9401fe0 ldr w0, [sp, #28]
4008c8: 11000400 add w0, w0, #0x1
4008cc: b9001fe0 str w0, [sp, #28]
4008d0: b9401fe1 ldr w1, [sp, #28] // w1 = 0
4008d4: b94007e0 ldr w0, [sp, #4] // w0 = 2
4008d8: 6b00003f cmp w1, w0 // 0x80200000 [ EL=0 SS N ]
4008dc: 54fffd2b b.lt 400880
for (i = 0; i < vb; i++) {
for (k = 0; k < 4; k++) {
j += va[i][k];
}
}
/*4008e0: b94017e0 ldr w0, [sp, #20]
4008e4: 910083ff add sp, sp, #0x20
4008e8: d65f03c0 ret */return j;
}int array_cal()
{
/*400a2c: a9bc7bfd stp x29, x30, [sp, #-64]!
400a30: 910003fd mov x29, sp
400a34: 90000000 adrp x0, 400000 <_init-0x480>
400a38: 913a2000 add x0, x0, #0xe88 // x0=0x400e88,放在数据段,获取数据段地址
400a3c: 9100a3a2 add x2, x29, #0x28 // x2=0x7ffffff3f8,堆栈地址
400a40: aa0003e3 mov x3, x0 // x3=0x400e88
400a44: a9400460 ldp x0, x1, [x3] // x0=0x200000001 x1=0x400000003,从数据段取出数据
400a48: a9000440 stp x0, x1, [x2] // 存入堆栈
400a4c: b9401060 ldr w0, [x3, #16] // w0 = 9
400a50: b9001040 str w0, [x2, #16] */
int a[5] = {1, 2, 3, 4, 9}; // 此处需要调试才能获取到具体值/*400a54: 9100a3a0 add x0, x29, #0x28 // x0 = 0x7ffffff3f8
400a58: 91005000 add x0, x0, #0x14 // x0 = 0x7ffffff40c
400a5c: f90013a0 str x0, [x29, #32] */
int *p1 = (int*)(&a + 1);/*400a60: 9100a3a0 add x0, x29, #0x28 // x0 = 0x7ffffff3f8
400a64: 11000400 add w0, w0, #0x1 // w0 = 0xfffff3f9
400a68: 93407c00 sxtw x0, w0 // 0xfffffffffffff3f9
400a6c: f9000fa0 str x0, [x29, #24] // 0x7ffffff3e8: 0xfffffffffffff3f9 */
int *p2 = (int*)((int)a + 1);/*400a70: 9100a3a0 add x0, x29, #0x28 // x0 = 0x7ffffff3f8
400a74: 91005000 add x0, x0, #0x14 // x0 = 0x7ffffff40c
400a78: b90017a0 str w0, [x29, #20] // w0 = 0x7ffffff40c 0x7ffffff3e4:0xfffff3f9fffff40 */
int p3 = (int)(a + 5);/*400a7c: 9100a3a1 add x1, x29, #0x28 // x1 = 0x7ffffff3f8 a
400a80: 90000000 adrp x0, 400000 <_init-0x480>
400a84: 91372000 add x0, x0, #0xdc8 // x0 = 0x400dc8
400a88: 97fffe9a bl 4004f0
printf("a = %x\n", a);/*400a8c: 9100a3a1 add x1, x29, #0x28 // x1 = 0x7ffffff3f8 &a
400a90: 90000000 adrp x0, 400000 <_init-0x480>
400a94: 91376000 add x0, x0, #0xdd8 // x0 = 0x400dd8
400a98: 97fffe96 bl 4004f0
printf("a = %p\n", &a);/*400a9c: 9100a3a0 add x0, x29, #0x28 // x0 = 0x7ffffff3f8
400aa0: 91001000 add x0, x0, #0x4 // x0 = 0x7ffffff3fc a+1
400aa4: 90000001 adrp x1, 400000 <_init-0x480>
400aa8: 91372022 add x2, x1, #0xdc8 // x2 = 0x400dc8
400aac: aa0003e1 mov x1, x0 // x1 = 0x7ffffff3fc
400ab0: aa0203e0 mov x0, x2 // x0 = 0x400dc8
400ab4: 97fffe8f bl 4004f0
printf("a = %p\n", a + 1);/*400ab8: 9100a3a0 add x0, x29, #0x28
400abc: 91005000 add x0, x0, #0x14 // &a+1
400ac0: 90000001 adrp x1, 400000 <_init-0x480>
400ac4: 91376022 add x2, x1, #0xdd8
400ac8: aa0003e1 mov x1, x0
400acc: aa0203e0 mov x0, x2
400ad0: 97fffe88 bl 4004f0
printf("a = %p\n", a + 5);/*400ad4: b94017a1 ldr w1, [x29, #20] // temp = &a+1
400ad8: 90000000 adrp x0, 400000 <_init-0x480>
400adc: 9137a000 add x0, x0, #0xde8
400ae0: 97fffe84 bl 4004f0
printf("*p3 = %x\n", p3);/*400ae4: b94017a1 ldr w1, [x29, #20] // temp = &a+1
400ae8: 90000000 adrp x0, 400000 <_init-0x480>
400aec: 9137e000 add x0, x0, #0xdf8
400af0: 97fffe80 bl 4004f0
printf("*p3 = %p\n", p3);/*400af4: 910053a1 add x1, x29, #0x14 // &temp 0x14=20
400af8: 90000000 adrp x0, 400000 <_init-0x480>
400afc: 91382000 add x0, x0, #0xe08
400b00: 97fffe7c bl 4004f0
printf("*p3 = %p\n", &p3);/*400b04: f94013a0 ldr x0, [x29, #32]
400b08: b9400001 ldr w1, [x0] // *ptr1
400b0c: 90000000 adrp x0, 400000 <_init-0x480>
400b10: 91386000 add x0, x0, #0xe18
400b14: 97fffe77 bl 4004f0
printf("*p1 = %x\n", *p1);/*400b18: f94013a0 ldr x0, [x29, #32]
400b1c: b9400001 ldr w1, [x0] // *ptr1
400b20: 90000000 adrp x0, 400000 <_init-0x480>
400b24: 9138a000 add x0, x0, #0xe28
400b28: 97fffe72 bl 4004f0
printf("*p1 = %p\n", *p1);/*400b2c: f94013a1 ldr x1, [x29, #32] // ptr1
400b30: 90000000 adrp x0, 400000 <_init-0x480>
400b34: 9138e000 add x0, x0, #0xe38
400b38: 97fffe6e bl 4004f0
printf("*p1 = %x\n", p1);/*400b3c: f94013a1 ldr x1, [x29, #32] // ptr1
400b40: 90000000 adrp x0, 400000 <_init-0x480>
400b44: 9138a000 add x0, x0, #0xe28
400b48: 97fffe6a bl 4004f0
printf("*p1 = %p\n", p1);/*400b4c: 910083a1 add x1, x29, #0x20 // &ptr1
400b50: 90000000 adrp x0, 400000 <_init-0x480>
400b54: 91392000 add x0, x0, #0xe48
400b58: 97fffe66 bl 4004f0
printf("*p1 = %p\n", &p1);/*400b5c: f94013a0 ldr x0, [x29, #32]
400b60: d1001000 sub x0, x0, #0x4 // ptr1[-1]
400b64: b9400001 ldr w1, [x0]
400b68: 90000000 adrp x0, 400000 <_init-0x480>
400b6c: 91396000 add x0, x0, #0xe58
400b70: 97fffe60 bl 4004f0
printf("*p1 = %d\n", p1[-1]);/*400b74: f9400fa1 ldr x1, [x29, #24] // ptr2
400b78: 90000000 adrp x0, 400000 <_init-0x480>
400b7c: 9139a000 add x0, x0, #0xe68
400b80: 97fffe5c bl 4004f0
printf("*p2 = %p\n", p2);/*400b84: 910063a1 add x1, x29, #0x18 // &ptr2
400b88: 90000000 adrp x0, 400000 <_init-0x480>
400b8c: 9139e000 add x0, x0, #0xe78
400b90: 97fffe58 bl 4004f0
printf("*p2 = %p\n", &p2);/*400b94: 52800000 mov w0, #0x0 // #0
400b98: a8c47bfd ldp x29, x30, [sp], #64
400b9c: d65f03c0 ret */
}void ccc()
{
/*400ba0: a9bc7bfd stp x29, x30, [sp, #-64]!
400ba4: 910003fd mov x29, sp*/
/*400ba8: a9017fbf stp xzr, xzr, [x29, #16] // 16, 20, 24, 28
400bac: a9027fbf stp xzr, xzr, [x29, #32] // 32, 36, 40, 44
400bb0: f9001bbf str xzr, [x29, #48] */ // 48, 52
int a[10] = {0};/*400bb4: 52800160 mov w0, #0xb // #11
400bb8: b90013a0 str w0, [x29, #16]*/
a[0] = 0xb;/*400bbc: 528001e0 mov w0, #0xf // #15
400bc0: b90017a0 str w0, [x29, #20]*/
a[1] = 0xf;/*400bc4: 52800280 mov w0, #0x14 // #20
400bc8: b9001ba0 str w0, [x29, #24]*/
a[2] = 0x14;/*400bcc: 52800320 mov w0, #0x19 // #25
400bd0: b9001fa0 str w0, [x29, #28]*/
a[3] = 0x19;/*400bd4: 528003c0 mov w0, #0x1e // #30
400bd8: b90023a0 str w0, [x29, #32]*/
a[4] = 0x1e;/*400bdc: 910043a0 add x0, x29, #0x10
400be0: 91002000 add x0, x0, #0x8
400be4: f9001fa0 str x0, [x29, #56]*/
int *p1 = a + 2;/*400be8: f9401fa0 ldr x0, [x29, #56]
400bec: b9400001 ldr w1, [x0]
400bf0: 90000000 adrp x0, 400000 <_init-0x480>
400bf4: 913a8000 add x0, x0, #0xea0
400bf8: 97fffe3e bl 4004f0
printf("p1 = %d\n", *p1);/*400bfc: f9401fa0 ldr x0, [x29, #56]
400c00: d1001000 sub x0, x0, #0x4
400c04: b9400001 ldr w1, [x0]
400c08: 90000000 adrp x0, 400000 <_init-0x480>
400c0c: 913a8000 add x0, x0, #0xea0
400c10: 97fffe38 bl 4004f0
printf("p1 = %d\n", *(p1 - 1));/*400c14: f9401fa0 ldr x0, [x29, #56]
400c18: d1002000 sub x0, x0, #0x8
400c1c: b9400001 ldr w1, [x0]
400c20: 90000000 adrp x0, 400000 <_init-0x480>
400c24: 913a8000 add x0, x0, #0xea0
400c28: 97fffe32 bl 4004f0
printf("p1 = %d\n", *(p1 - 2));/*400c2c: b94037a1 ldr w1, [x29, #52]
400c30: 90000000 adrp x0, 400000 <_init-0x480>
400c34: 913a8000 add x0, x0, #0xea0
400c38: 97fffe2e bl 4004f0
printf("a[9] = %d\n", a[9]);/*400c3c: 52800000 mov w0, #0x0 // #0
400c40: a8c47bfd ldp x29, x30, [sp], #64
400c44: d65f03c0 ret*/
return 0;
} -
相关阅读:
MongoDB的备份和恢复
为什么你的抖音小店做不好?因为你没有做好这两点,看完收藏
「设计模式」六大原则之里氏替换原则小结
数据结构--七大排序算法(更新ing)
宝塔面板操作日志是存放在哪里的? 如何删除部分日志记录?
【云原生-k8s篇】管理容器的顶级 Kubernetes工具有哪些?
损失函数(Loss Function)与代价函数(Cost Function)、目标函数(Objective Function)区别
Java中泛型的使用介绍(#自定义泛型 #通配符?的使用 # <? extend Person> # <? super Person>)
debian10编译安装mysql
WMware Tools安装失败segmentation fault解决方法
- 原文地址:https://blog.csdn.net/xiaozhiwise/article/details/127959849