-
[逆向|C语言]C语言逆向2 数组switch case等
目录
今天文章内容照样是C语言逆向实战,逆向到的主要语法数组switch case等.
打开文件
观察模块
点击工具栏上的e看的用的哪些模块,点击exe后可以观察到除了main函数外,还有四个函数,首先逆向main函数,再依次逆向其他四个函数.四个函数看上去有部分乱码,就拿不是乱码的部分命名区分吧,分别是fun函数,text函数,menu函数,abc函数
关于od的使用上篇文章已经简单介绍过了,本文就不多赘述,不太懂的朋友们可以翻看我上篇文章.下面进入正题.
逆向main函数
进入main函数
可以看出,main函数主要是调用了四个函数,前三个函数是直接调用,abc函数有10个参数和一个返回值. 怎么看出来的,参数是从右往左push,注意是先push再call,所以call abc函数前push的全部都是abc函数的参数.函数的返回值是存放在eax这个寄存器里面的
- int fun()
- {
- return 0;
- }
- int text()
- {
- return 0;
- }
- int menu()
- {
- return 0;
- }
- int abc(int arg_8,int arg_c,int arg_10,int arg_14,int arg_18,int arg_1c,int arg_20,int arg_24,int arg_28,int arg_2c)
- {
- return 0;
- }
- int main(int argc, char* argv[])
- {
- int var_4;
- fun();
- text();
- menu();
- var_4=abc(1,2,3,4,5,6,7,8,9,10);
- printf("%d\n",var_4);
- return 0;
- }
根据main函数逆向出来的代码如上,下面依次逆向每个函数
逆向fun函数
逆向时先大概看几行主要做什么,譬如上面截图第二个红框表示for循环的范围.如何知道这是for循环,我以前的文章已经介绍了,传送门:[逆向|C语言]C语言for循环九九乘法表以及裸汇编_小星星01的博客-CSDN博客
反汇编太长,截图好麻烦,我复制在下面
- 00401390 > 55 push ebp ; ?fun@@YAHXZ
- 00401391 8BEC mov ebp,esp
- 00401393 81EC 80000000 sub esp,0x80
- 00401399 53 push ebx
- 0040139A 56 push esi ; <逆向2._mainCRTStartup>
- 0040139B 57 push edi ; <逆向2._mainCRTStartup>
- 0040139C 8D7D 80 lea edi,dword ptr ss:[ebp-0x80]
- 0040139F B9 20000000 mov ecx,0x20
- 004013A4 B8 CCCCCCCC mov eax,0xCCCCCCCC
- 004013A9 F3:AB rep stos dword ptr es:[edi]
- 004013AB 68 80514200 push offset <逆向2.aInput10Numbers> ; ASCII "input 10 numbers:\n"
- 004013B0 E8 5B020000 call <逆向2._printf>
- 004013B5 83C4 04 add esp,0x4
- 004013B8 68 78514200 push offset <逆向2.Source> ; ASCII "hello"
- 004013BD 8D45 C0 lea eax,dword ptr ss:[ebp-0x40]
- 004013C0 50 push eax
- 004013C1 E8 CA020000 call <逆向2._strcpy>
- 004013C6 83C4 08 add esp,0x8
- 004013C9 C745 D4 0000000>mov dword ptr ss:[ebp-0x2C],0x0
- 004013D0 EB 09 jmp short 逆向2.004013DB
- 004013D2 8B4D D4 mov ecx,dword ptr ss:[ebp-0x2C]
- 004013D5 83C1 01 add ecx,0x1
- 004013D8 894D D4 mov dword ptr ss:[ebp-0x2C],ecx ; <逆向2._mainCRTStartup>
- 004013DB 837D D4 0A cmp dword ptr ss:[ebp-0x2C],0xA
- 004013DF 7D 17 jge short 逆向2.004013F8
- 004013E1 8B55 D4 mov edx,dword ptr ss:[ebp-0x2C]
- 004013E4 8D4495 D8 lea eax,dword ptr ss:[ebp+edx*4-0x28]
- 004013E8 50 push eax
- 004013E9 68 BC504200 push offset <逆向2.aD> ; ASCII "%d"
- 004013EE E8 BD010000 call <逆向2._scanf>
- 004013F3 83C4 08 add esp,0x8
- 004013F6 ^ EB DA jmp short 逆向2.004013D2
- 004013F8 68 54514200 push 逆向2.00425154 ; ASCII "\n"
- 004013FD E8 0E020000 call <逆向2._printf>
- 00401402 83C4 04 add esp,0x4
- 00401405 C745 D0 0000000>mov dword ptr ss:[ebp-0x30],0x0
- 0040140C EB 09 jmp short 逆向2.00401417
- 0040140E 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
- 00401411 83C1 01 add ecx,0x1
- 00401414 894D D0 mov dword ptr ss:[ebp-0x30],ecx ; <逆向2._mainCRTStartup>
- 00401417 837D D0 09 cmp dword ptr ss:[ebp-0x30],0x9
- 0040141B 7D 55 jge short 逆向2.00401472
- 0040141D C745 D4 0000000>mov dword ptr ss:[ebp-0x2C],0x0
- 00401424 EB 09 jmp short 逆向2.0040142F
- 00401426 8B55 D4 mov edx,dword ptr ss:[ebp-0x2C]
- 00401429 83C2 01 add edx,0x1
- 0040142C 8955 D4 mov dword ptr ss:[ebp-0x2C],edx ; <逆向2._mainCRTStartup>
- 0040142F B8 09000000 mov eax,0x9
- 00401434 2B45 D0 sub eax,dword ptr ss:[ebp-0x30]
- 00401437 3945 D4 cmp dword ptr ss:[ebp-0x2C],eax
- 0040143A 7D 34 jge short 逆向2.00401470
- 0040143C 8B4D D4 mov ecx,dword ptr ss:[ebp-0x2C]
- 0040143F 8B55 D4 mov edx,dword ptr ss:[ebp-0x2C]
- 00401442 8B448D D8 mov eax,dword ptr ss:[ebp+ecx*4-0x28]
- 00401446 3B4495 DC cmp eax,dword ptr ss:[ebp+edx*4-0x24]
- 0040144A 7E 22 jle short 逆向2.0040146E
- 0040144C 8B4D D4 mov ecx,dword ptr ss:[ebp-0x2C]
- 0040144F 8B548D D8 mov edx,dword ptr ss:[ebp+ecx*4-0x28]
- 00401453 8955 CC mov dword ptr ss:[ebp-0x34],edx ; <逆向2._mainCRTStartup>
- 00401456 8B45 D4 mov eax,dword ptr ss:[ebp-0x2C]
- 00401459 8B4D D4 mov ecx,dword ptr ss:[ebp-0x2C]
- 0040145C 8B548D DC mov edx,dword ptr ss:[ebp+ecx*4-0x24]
- 00401460 895485 D8 mov dword ptr ss:[ebp+eax*4-0x28],edx ; <逆向2._mainCRTStartup>
- 00401464 8B45 D4 mov eax,dword ptr ss:[ebp-0x2C]
- 00401467 8B4D CC mov ecx,dword ptr ss:[ebp-0x34]
- 0040146A 894C85 DC mov dword ptr ss:[ebp+eax*4-0x24],ecx ; <逆向2._mainCRTStartup>
- 0040146E ^ EB B6 jmp short 逆向2.00401426
- 00401470 ^ EB 9C jmp short 逆向2.0040140E
- 00401472 68 5C514200 push offset <逆向2.aTheSortedNumbe> ; ASCII "the sorted numbers :\n"
- 00401477 E8 94010000 call <逆向2._printf>
- 0040147C 83C4 04 add esp,0x4
- 0040147F C745 D4 0000000>mov dword ptr ss:[ebp-0x2C],0x0
- 00401486 EB 09 jmp short 逆向2.00401491
- 00401488 8B55 D4 mov edx,dword ptr ss:[ebp-0x2C]
- 0040148B 83C2 01 add edx,0x1
- 0040148E 8955 D4 mov dword ptr ss:[ebp-0x2C],edx ; <逆向2._mainCRTStartup>
- 00401491 837D D4 0A cmp dword ptr ss:[ebp-0x2C],0xA
- 00401495 7D 17 jge short 逆向2.004014AE
- 00401497 8B45 D4 mov eax,dword ptr ss:[ebp-0x2C]
- 0040149A 8B4C85 D8 mov ecx,dword ptr ss:[ebp+eax*4-0x28]
- 0040149E 51 push ecx ; <逆向2._mainCRTStartup>
- 0040149F 68 58514200 push offset <逆向2.aD_0> ; ASCII "%d\n"
- 004014A4 E8 67010000 call <逆向2._printf>
- 004014A9 83C4 08 add esp,0x8
- 004014AC ^ EB DA jmp short 逆向2.00401488
- 004014AE 68 54514200 push 逆向2.00425154 ; ASCII "\n"
- 004014B3 E8 58010000 call <逆向2._printf>
- 004014B8 83C4 04 add esp,0x4
- 004014BB 33C0 xor eax,eax
- 004014BD 5F pop edi ; kernel32.7573FA29
- 004014BE 5E pop esi ; kernel32.7573FA29
- 004014BF 5B pop ebx ; kernel32.7573FA29
- 004014C0 81C4 80000000 add esp,0x80
- 004014C6 3BEC cmp ebp,esp
- 004014C8 E8 A3000000 call <逆向2.__chkesp>
- 004014CD 8BE5 mov esp,ebp
- 004014CF 5D pop ebp ; kernel32.7573FA29
- 004014D0 C3 retn
上面是fun函数的反汇编,逆向出来代码如下:
- int fun()
- {
- int var_28[10];
- int var_2c;
- int var_30;
- int var_34;
- char var_40[10];
- printf("input 10 numbers:\n");
- strcpy(var_40,"hello");
- for (var_2c=0;var_2c<0xa;var_2c++)
- {
- scanf("%d",&var_28[var_2c]);
- }
- printf("\n");
- for (var_30=0;var_30<9;var_30++)
- {
- for (var_2c=0;var_2c<9-var_30;var_2c++)
- {
- if (var_28[var_2c]>var_28[var_2c+1])
- {
- var_34=var_28[var_2c];
- var_28[var_2c]=var_28[var_2c+1];
- var_28[var_2c+1]=var_34;
- }
- }
- }
- printf("\n");
- for (var_2c=0;var_2c<0xa;var_2c++)
- {
- printf("%d\n",var_28[var_2c]);
- }
- printf("\n");
- return 0;
- }
代码也很简单,主要就是几个for循环还有数组,怎么知道数组var_28有10个成员呢?数组首地址为ebp-0x28,0x28化为十进制等于40,除以前面的int类型4,结果就为10.如果还有不明白的,可以看看我之前写的关于数组的文章
传送门:[逆向|C语言]C语言数组计算数组的偏移_小星星01的博客-CSDN博客_数组偏移
[逆向|C语言]多维数组:找到成员偏移位置\通过反汇编计算数组的大小数量_小星星01的博客-CSDN博客
逆向test函数
这个函数有两个地方注意一下,其他的不难.
第一个如图红框所示部分,尽量不要一句句的逆,而是结合前后面综合分析了再逆,这段反汇编表示一个大小为20的数组,前两个成员赋值为1,其他成员赋值为0,首地址为ebp-0x54,直接可以这样写:
int var_54[20]={1,1};
第二个就是取余(%)
如图所示红框部分代表如果 var_4%5不为0则跳转,取余比较特殊,普通的和2的倍数的反汇编取余方式有所差异,感兴趣的可以自己去了解下.
反汇编如下:
- 00401280 > 55 push ebp ; ?text@@YAHXZ
- 00401281 8BEC mov ebp,esp
- 00401283 81EC 94000000 sub esp,0x94
- 00401289 53 push ebx
- 0040128A 56 push esi ; <逆向2._mainCRTStartup>
- 0040128B 57 push edi ; <逆向2._mainCRTStartup>
- 0040128C 8DBD 6CFFFFFF lea edi,dword ptr ss:[ebp-0x94]
- 00401292 B9 25000000 mov ecx,0x25
- 00401297 B8 CCCCCCCC mov eax,0xCCCCCCCC
- 0040129C F3:AB rep stos dword ptr es:[edi]
- 0040129E C745 AC 0100000>mov dword ptr ss:[ebp-0x54],0x1
- 004012A5 C745 B0 0100000>mov dword ptr ss:[ebp-0x50],0x1
- 004012AC B9 12000000 mov ecx,0x12
- 004012B1 33C0 xor eax,eax
- 004012B3 8D7D B4 lea edi,dword ptr ss:[ebp-0x4C]
- 004012B6 F3:AB rep stos dword ptr es:[edi]
- 004012B8 C745 FC 0200000>mov dword ptr ss:[ebp-0x4],0x2
- 004012BF EB 09 jmp short 逆向2.004012CA
- 004012C1 8B45 FC mov eax,dword ptr ss:[ebp-0x4] ; kernel32.BaseThreadInitThunk
- 004012C4 83C0 01 add eax,0x1
- 004012C7 8945 FC mov dword ptr ss:[ebp-0x4],eax
- 004012CA 837D FC 14 cmp dword ptr ss:[ebp-0x4],0x14
- 004012CE 7D 17 jge short 逆向2.004012E7
- 004012D0 8B4D FC mov ecx,dword ptr ss:[ebp-0x4] ; kernel32.BaseThreadInitThunk
- 004012D3 8B548D A4 mov edx,dword ptr ss:[ebp+ecx*4-0x5C] ; var54[var_4-2]
- 004012D7 8B45 FC mov eax,dword ptr ss:[ebp-0x4] ; kernel32.BaseThreadInitThunk
- 004012DA 035485 A8 add edx,dword ptr ss:[ebp+eax*4-0x58] ; var54[var_4-1]
- 004012DE 8B4D FC mov ecx,dword ptr ss:[ebp-0x4] ; kernel32.BaseThreadInitThunk
- 004012E1 89548D AC mov dword ptr ss:[ebp+ecx*4-0x54],edx ; var54[var_4]
- 004012E5 ^ EB DA jmp short 逆向2.004012C1
- 004012E7 C745 FC 0000000>mov dword ptr ss:[ebp-0x4],0x0
- 004012EE EB 09 jmp short 逆向2.004012F9
- 004012F0 8B55 FC mov edx,dword ptr ss:[ebp-0x4] ; kernel32.BaseThreadInitThunk
- 004012F3 83C2 01 add edx,0x1
- 004012F6 8955 FC mov dword ptr ss:[ebp-0x4],edx ; <逆向2._mainCRTStartup>
- 004012F9 837D FC 14 cmp dword ptr ss:[ebp-0x4],0x14
- 004012FD 7D 33 jge short 逆向2.00401332
- 004012FF 8B45 FC mov eax,dword ptr ss:[ebp-0x4] ; kernel32.BaseThreadInitThunk
- 00401302 99 cdq
- 00401303 B9 05000000 mov ecx,0x5
- 00401308 F7F9 idiv ecx ; <逆向2._mainCRTStartup>
- 0040130A 85D2 test edx,edx ; <逆向2._mainCRTStartup>
- 0040130C 75 0D jnz short 逆向2.0040131B
- 0040130E 68 54514200 push 逆向2.00425154 ; ASCII "\n"
- 00401313 E8 F8020000 call <逆向2._printf>
- 00401318 83C4 04 add esp,0x4
- 0040131B 8B55 FC mov edx,dword ptr ss:[ebp-0x4] ; kernel32.BaseThreadInitThunk
- 0040131E 8B4495 AC mov eax,dword ptr ss:[ebp+edx*4-0x54]
- 00401322 50 push eax
- 00401323 68 4C514200 push offset <逆向2.a12d> ; ASCII "%12d"
- 00401328 E8 E3020000 call <逆向2._printf>
- 0040132D 83C4 08 add esp,0x8
- 00401330 ^ EB BE jmp short 逆向2.004012F0
- 00401332 68 54514200 push 逆向2.00425154 ; ASCII "\n"
- 00401337 E8 D4020000 call <逆向2._printf>
- 0040133C 83C4 04 add esp,0x4
- 0040133F 33C0 xor eax,eax
- 00401341 5F pop edi ; kernel32.7573FA29
- 00401342 5E pop esi ; kernel32.7573FA29
- 00401343 5B pop ebx ; kernel32.7573FA29
- 00401344 81C4 94000000 add esp,0x94
- 0040134A 3BEC cmp ebp,esp
- 0040134C E8 1F020000 call <逆向2.__chkesp>
- 00401351 8BE5 mov esp,ebp
- 00401353 5D pop ebp ; kernel32.7573FA29
- 00401354 C3 retn
逆出来代码如下:
- int text()
- {
- int var_4;
- int var_54[20]={1,1};
- for (var_4=2;var_4<0x14;var_4++)
- {
- var_54[var_4]=var_54[var_4-2]+var_54[var_4-1];
- }
- for (var_4=0;var_4<0x14;var_4++)
- {
- if (var_4%5==0)
- {
- printf("\n");
- }
- printf("%12d",var_54[var_4]);
- }
- printf("\n");
- return 0;
- }
逆向menu函数
逆向menu这个函数主要注意switch case的反汇编
如图红框1,switch case多减去4字节的空间,用来存放表达式的结果
红框2红框3case地址表,表里放case数的地址
关于switch case 反汇编的问题,我以前的文章写过了
传送门:[逆向|C语言]C语言switch case以及它的反汇编_小星星01的博客-CSDN博客
menu函数反汇编如下:
- 00401130 > 55 push ebp ; ?Menu@@YAHXZ
- 00401131 8BEC mov ebp,esp
- 00401133 83EC 48 sub esp,0x48
- 00401136 53 push ebx
- 00401137 56 push esi ; <逆向2._mainCRTStartup>
- 00401138 57 push edi ; <逆向2._mainCRTStartup>
- 00401139 8D7D B8 lea edi,dword ptr ss:[ebp-0x48]
- 0040113C B9 12000000 mov ecx,0x12
- 00401141 B8 CCCCCCCC mov eax,0xCCCCCCCC
- 00401146 F3:AB rep stos dword ptr es:[edi]
- 00401148 C745 FC 0100000>mov dword ptr ss:[ebp-0x4],0x1
- 0040114F 837D FC 00 cmp dword ptr ss:[ebp-0x4],0x0
- 00401153 0F84 B6000000 je 逆向2.0040120F
- 00401159 68 30514200 push offset <逆向2.Format> ; ASCII "---------Menu---------\n"
- 0040115E E8 AD040000 call <逆向2._printf>
- 00401163 83C4 04 add esp,0x4
- 00401166 68 14514200 push offset <逆向2.aSell1> ; ASCII "----Sell----------1\n"
- 0040116B E8 A0040000 call <逆向2._printf>
- 00401170 83C4 04 add esp,0x4
- 00401173 68 F8504200 push offset <逆向2.aBuy2> ; ASCII "----Buy-----------2\n"
- 00401178 E8 93040000 call <逆向2._printf>
- 0040117D 83C4 04 add esp,0x4
- 00401180 68 DC504200 push offset <逆向2.aShowproduct3> ; ASCII "----ShowProduct---3\n"
- 00401185 E8 86040000 call <逆向2._printf>
- 0040118A 83C4 04 add esp,0x4
- 0040118D 68 C0504200 push offset <逆向2.aOut0> ; ASCII "----Out-----------0\n"
- 00401192 E8 79040000 call <逆向2._printf>
- 00401197 83C4 04 add esp,0x4
- 0040119A 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
- 0040119D 50 push eax
- 0040119E 68 BC504200 push offset <逆向2.aD> ; ASCII "%d"
- 004011A3 E8 08040000 call <逆向2._scanf>
- 004011A8 83C4 08 add esp,0x8
- 004011AB 8B4D FC mov ecx,dword ptr ss:[ebp-0x4] ; kernel32.BaseThreadInitThunk
- 004011AE 894D F8 mov dword ptr ss:[ebp-0x8],ecx ; <逆向2._mainCRTStartup>
- 004011B1 837D F8 03 cmp dword ptr ss:[ebp-0x8],0x3
- 004011B5 77 46 ja short 逆向2.004011FD
- 004011B7 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
- 004011BA FF2495 22124000 jmp dword ptr ds:[edx*4+0x401222]
- 004011C1 68 90504200 push offset <逆向2.aYouAreBuyingSo> ; ASCII "you are buying something into store\n"
- 004011C6 E8 45040000 call <逆向2._printf>
- 004011CB 83C4 04 add esp,0x4
- 004011CE EB 3A jmp short 逆向2.0040120A
- 004011D0 68 6C504200 push offset <逆向2.aYouAreSellingT> ; ASCII "you are selling to consumer\n"
- 004011D5 E8 36040000 call <逆向2._printf>
- 004011DA 83C4 04 add esp,0x4
- 004011DD EB 2B jmp short 逆向2.0040120A
- 004011DF 68 54504200 push offset <逆向2.aCheckingTheSto> ; ASCII "checking the store\n"
- 004011E4 E8 27040000 call <逆向2._printf>
- 004011E9 83C4 04 add esp,0x4
- 004011EC EB 1C jmp short 逆向2.0040120A
- 004011EE 68 3C504200 push offset <逆向2.aTheProgramIsOu> ; ASCII "the Program is out\n"
- 004011F3 E8 18040000 call <逆向2._printf>
- 004011F8 83C4 04 add esp,0x4
- 004011FB EB 0D jmp short 逆向2.0040120A
- 004011FD 68 1C504200 push offset <逆向2.aYouPutAWrongSe> ; ASCII "You put a wrong selection\n"
- 00401202 E8 09040000 call <逆向2._printf>
- 00401207 83C4 04 add esp,0x4
- 0040120A ^ E9 40FFFFFF jmp 逆向2.0040114F
- 0040120F 33C0 xor eax,eax
- 00401211 5F pop edi ; kernel32.7573FA29
- 00401212 5E pop esi ; kernel32.7573FA29
- 00401213 5B pop ebx ; kernel32.7573FA29
- 00401214 83C4 48 add esp,0x48
- 00401217 3BEC cmp ebp,esp
- 00401219 E8 52030000 call <逆向2.__chkesp>
- 0040121E 8BE5 mov esp,ebp
- 00401220 5D pop ebp ; kernel32.7573FA29
- 00401221 C3 retn
逆出来的代码如下:
- int menu()
- {
- int var_4=1;
- while (var_4!=0)
- {
- printf("------Menu------\n");
- printf("-----------Sell-----1\n");
- printf("---------Buy--------2\n");
- printf("------showProduct---3\n");
- printf("---out------------0\n");
- scanf("%d",&var_4);
- switch(var_4)
- {
- case 1:
- {
- printf("you are buying somethiing into store\n");
- break;
- }
- case 2:
- {
- printf("you are selling to consumer\n");
- break;
- }
- case 3:
- {
- printf("checking the store\n");
- break;
- }
- case 0:
- {
- printf("the Program is out \n");
- break;
- }
- default:
- {
- printf("You put a wrong selection\n");
- }
- }
- }
- return 0;
- }
逆向abc函数
逆向abc函数主要注意代码优化问题
abc函数反汇编如下:
- 00401040 > 55 push ebp ; ?abc@@YAHHHHHHHHHHH@Z
- 00401041 8BEC mov ebp,esp
- 00401043 83EC 4C sub esp,0x4C
- 00401046 53 push ebx
- 00401047 56 push esi ; <逆向2._mainCRTStartup>
- 00401048 57 push edi ; <逆向2._mainCRTStartup>
- 00401049 8D7D B4 lea edi,dword ptr ss:[ebp-0x4C]
- 0040104C B9 13000000 mov ecx,0x13
- 00401051 B8 CCCCCCCC mov eax,0xCCCCCCCC
- 00401056 F3:AB rep stos dword ptr es:[edi]
- 00401058 837D 2C 64 cmp dword ptr ss:[ebp+0x2C],0x64
- 0040105C 7C 09 jl short 逆向2.00401067
- 0040105E C745 F4 0000000>mov dword ptr ss:[ebp-0xC],0x0
- 00401065 EB 51 jmp short 逆向2.004010B8
- 00401067 8B45 2C mov eax,dword ptr ss:[ebp+0x2C]
- 0040106A 83C0 0A add eax,0xA
- 0040106D 50 push eax
- 0040106E 8B4D 28 mov ecx,dword ptr ss:[ebp+0x28]
- 00401071 83C1 0A add ecx,0xA
- 00401074 51 push ecx ; <逆向2._mainCRTStartup>
- 00401075 8B55 24 mov edx,dword ptr ss:[ebp+0x24]
- 00401078 83C2 0A add edx,0xA
- 0040107B 52 push edx ; <逆向2._mainCRTStartup>
- 0040107C 8B45 20 mov eax,dword ptr ss:[ebp+0x20]
- 0040107F 83C0 0A add eax,0xA
- 00401082 50 push eax
- 00401083 8B4D 1C mov ecx,dword ptr ss:[ebp+0x1C]
- 00401086 83C1 0A add ecx,0xA
- 00401089 51 push ecx ; <逆向2._mainCRTStartup>
- 0040108A 8B55 18 mov edx,dword ptr ss:[ebp+0x18]
- 0040108D 83C2 0A add edx,0xA
- 00401090 52 push edx ; <逆向2._mainCRTStartup>
- 00401091 8B45 14 mov eax,dword ptr ss:[ebp+0x14]
- 00401094 83C0 0A add eax,0xA
- 00401097 50 push eax
- 00401098 8B4D 10 mov ecx,dword ptr ss:[ebp+0x10]
- 0040109B 83C1 0A add ecx,0xA
- 0040109E 51 push ecx ; <逆向2._mainCRTStartup>
- 0040109F 8B55 0C mov edx,dword ptr ss:[ebp+0xC]
- 004010A2 83C2 0A add edx,0xA
- 004010A5 52 push edx ; <逆向2._mainCRTStartup>
- 004010A6 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
- 004010A9 83C0 0A add eax,0xA
- 004010AC 50 push eax
- 004010AD E8 67FFFFFF call <逆向2.j_?abc@@YAHHHHHHHHHHH@Z>
- 004010B2 83C4 28 add esp,0x28
- 004010B5 8945 F4 mov dword ptr ss:[ebp-0xC],eax
- 004010B8 8B4D F4 mov ecx,dword ptr ss:[ebp-0xC] ; kernel32.7573FA29
- 004010BB 894D F8 mov dword ptr ss:[ebp-0x8],ecx ; <逆向2._mainCRTStartup>
- 004010BE 8B55 08 mov edx,dword ptr ss:[ebp+0x8]
- 004010C1 0355 0C add edx,dword ptr ss:[ebp+0xC]
- 004010C4 0355 10 add edx,dword ptr ss:[ebp+0x10]
- 004010C7 0355 14 add edx,dword ptr ss:[ebp+0x14]
- 004010CA 0355 18 add edx,dword ptr ss:[ebp+0x18]
- 004010CD 0355 1C add edx,dword ptr ss:[ebp+0x1C]
- 004010D0 0355 20 add edx,dword ptr ss:[ebp+0x20]
- 004010D3 0355 24 add edx,dword ptr ss:[ebp+0x24]
- 004010D6 0355 28 add edx,dword ptr ss:[ebp+0x28]
- 004010D9 0355 2C add edx,dword ptr ss:[ebp+0x2C]
- 004010DC 0355 F8 add edx,dword ptr ss:[ebp-0x8]
- 004010DF 8955 FC mov dword ptr ss:[ebp-0x4],edx ; <逆向2._mainCRTStartup>
- 004010E2 8B45 FC mov eax,dword ptr ss:[ebp-0x4] ; kernel32.BaseThreadInitThunk
- 004010E5 5F pop edi ; kernel32.7573FA29
- 004010E6 5E pop esi ; kernel32.7573FA29
- 004010E7 5B pop ebx ; kernel32.7573FA29
- 004010E8 83C4 4C add esp,0x4C
- 004010EB 3BEC cmp ebp,esp
- 004010ED E8 7E040000 call <逆向2.__chkesp>
- 004010F2 8BE5 mov esp,ebp
- 004010F4 5D pop ebp ; kernel32.7573FA29
- 004010F5 C3 retn
逆出来代码如下:
- int abc(int arg_8,int arg_c,int arg_10,int arg_14,int arg_18,int arg_1c,int arg_20,int arg_24,int arg_28,int arg_2c)
- {
- int var_4;
- int var_8;
- int var_c;
- if (arg_2c>=0x64)
- {
- var_c=0;
- }
- else
- {
- var_c=abc(arg_8+10,arg_c+10,arg_10+10,arg_14+10,arg_18+10,arg_1c+10,arg_20+10,arg_24+10,arg_28+10,arg_2c+10);
- }
- var_8=var_c;
- var_4=arg_8+arg_c+arg_10+arg_14+arg_18+arg_1c+arg_20+arg_24+arg_28+arg_2c+var_8;
- return var_4;
- }
咋一看没什么问题,运行不报错,打开反汇编也和od里的一模一样,但是细想一下总觉得有点不妥
如图红框所示,var_c多少显得有点多余,为啥不直接用var_8,还要多此一举, 这里就要提到三目运算符了,多分配4个字节空间.
因此优化出来的代码如下,看的比较舒服
- int abc(int arg_8,int arg_c,int arg_10,int arg_14,int arg_18,int arg_1c,int arg_20,int arg_24,int arg_28,int arg_2c)
- {
- int var_4;
- int var_8;
- var_8=arg_2c>=0x64?0:abc(arg_8+10,arg_c+10,arg_10+10,arg_14+10,arg_18+10,arg_1c+10,arg_20+10,arg_24+10,arg_28+10,arg_2c+10);
- var_4=arg_8+arg_c+arg_10+arg_14+arg_18+arg_1c+arg_20+arg_24+arg_28+arg_2c+var_8;
- return var_4;
- }
今天的文章就到这里了,如果有任何不明白的地方欢迎与我交流,我必定知无不言。这篇文章也花了一定的心血,喜欢的小伙伴可以点赞关注哦。感激不尽!
-
相关阅读:
pytest 命令的使用
Linux 神奇命令大合集:掌控操作系统,成为技术达人!
elasticsearch搜索IK分词器实现单个字搜索
WordPress Page Builder KingComposer 2.9.6 Open Redirection
十三、W5100S/W5500+RP2040树莓派Pico<FTP Server>
Git撤销已经push到远程分支的commit
【LeetCode贪心#12】图解监控二叉树(正宗hard题,涉及贪心分析、二叉树遍历以及状态转移)
Arduino + ESP32-C3 + TFT(1.8‘ ST7735S)基础平台(实验七)温湿度动态图表显示的网页服务器
130-Vue中的监听事件——Watch
使用Fillder的一点总结
- 原文地址:https://blog.csdn.net/qq_62099321/article/details/126291371