Reverse Analysis of Multi-Branch IF Statements
2021/8/23 6:28:47
Example
C++ code
#include "stdafx.h"

int cnt;

void Function(int x, int y)
{
    if (x == 1)
    {
        cnt = 1;
    }
    else if (y == 1)
    {
        cnt = 1;
    }
    else
    {
        cnt = 0;
    }
}

int main(int argc, char* argv[])
{
    Function(2, 3);
    return 0;
}
Disassembly
00401068 push 3
0040106A push 2
0040106C call @ILT+10(Function) (0040100f)
00401071 add esp,8

0040100F jmp Function (004106c0)

004106C0 push ebp
004106C1 mov ebp,esp
004106C3 sub esp,40h
004106C6 push ebx
004106C7 push esi
004106C8 push edi
004106C9 lea edi,[ebp-40h]
004106CC mov ecx,10h
004106D1 mov eax,0CCCCCCCCh
004106D6 rep stos dword ptr [edi]
004106D8 cmp dword ptr [ebp+8],1
004106DC jne Function+2Ah (004106ea)
004106DE mov dword ptr [0042c20c],1
004106E8 jmp Function+46h (00410706)
004106EA cmp dword ptr [ebp+0Ch],1
004106EE jne Function+3Ch (004106fc)
004106F0 mov dword ptr [0042c20c],1
004106FA jmp Function+46h (00410706)
004106FC mov dword ptr [0042c20c],0
00410706 pop edi
00410707 pop esi
00410708 pop ebx
00410709 mov esp,ebp
0041070B pop ebp
0041070C ret
Recognising a multi-branch IF statement in disassembly
IF_BEGIN:
    instruction that sets the flags register
    jxx ELSE_IF_BEGIN
    ......
IF_END:
    jmp END
ELSE_IF_BEGIN:
    instruction that sets the flags register
    jxx ELSE_IF_BEGIN
    ......
ELSE_IF_END:
    jmp END
    ......
    ......
ELSE_BEGIN:
    ......
ELSE_END:
    ......
Characteristics:
- Immediately before the target address of every conditional jump there is a jmp instruction.
- All of these jmp instructions jump to the same address.
- A branch that has no condition check of its own is the else part.
Case analysis
Parameters: [ebp+8]: x, [ebp+0Ch]: y
Local variables: none
Global variables: [0042c20c]: N
Functional analysis:
004106D8 cmp dword ptr [ebp+8],1        ; compare x with 1
004106DC jne Function+2Ah (004106ea)    ; x != 1: jump to 004106ea
004106DE mov dword ptr [0042c20c],1     ; x == 1: N = 1
004106E8 jmp Function+46h (00410706)    ; branch body done, jump to 00410706
004106EA cmp dword ptr [ebp+0Ch],1      ; compare y with 1
004106EE jne Function+3Ch (004106fc)    ; y != 1: jump to 004106fc
004106F0 mov dword ptr [0042c20c],1     ; y == 1: N = 1
004106FA jmp Function+46h (00410706)    ; branch body done, jump to 00410706
004106FC mov dword ptr [0042c20c],0     ; N = 0
Return value: none
Restored C function:
int N;

void Function(int x, int y)
{
    if (x == 1)
    {
        N = 1;
    }
    else if (y == 1)
    {
        N = 1;
    }
    else
    {
        N = 0;
    }
}
Summary: the target address of each conditional jump is the next decision point.
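As an added illustration (not code from the original post), the following Python script applies the three characteristics above mechanically: it parses a disassembly listing, checks that a jmp sits right before each conditional-jump target, that all jmps share one END address, and that the last target carries no test of its own. The embedded listing is the body of Function() from the case above; the regular expressions and the set of conditional mnemonics are assumptions of this script, not part of the page.

```python
import re

# Sample input (constructed from the page's listing): the body of Function().
LISTING = """\
004106D8 cmp dword ptr [ebp+8],1
004106DC jne Function+2Ah (004106ea)
004106DE mov dword ptr [0042c20c],1
004106E8 jmp Function+46h (00410706)
004106EA cmp dword ptr [ebp+0Ch],1
004106EE jne Function+3Ch (004106fc)
004106F0 mov dword ptr [0042c20c],1
004106FA jmp Function+46h (00410706)
004106FC mov dword ptr [0042c20c],0
00410706 pop edi
"""

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\w+)\s*(.*)$")   # "ADDR mnemonic operands"
TARGET_RE = re.compile(r"([0-9A-Fa-f]{8})\)?\s*$")          # trailing jump address, "(addr)" or bare
COND_JUMPS = {"je", "jne", "jz", "jnz", "jg", "jge", "jl", "jle", "ja", "jae", "jb", "jbe"}

def parse(listing):
    """Turn listing lines into (addr, mnemonic, operands) tuples; other lines are skipped."""
    rows = [LINE_RE.match(l.strip()) for l in listing.splitlines()]
    return [(int(m.group(1), 16), m.group(2).lower(), m.group(3)) for m in rows if m]

def jump_target(operands):
    m = TARGET_RE.search(operands)
    return int(m.group(1), 16) if m else None

def find_if_chain(insns):
    """Check the three rules; return {'branches', 'else', 'end'} or None if any rule fails."""
    prev = {insns[i][0]: insns[i - 1] for i in range(1, len(insns))}  # addr -> preceding insn
    ends = {jump_target(op) for _, mn, op in insns if mn == "jmp"}
    if len(ends) != 1:
        return None  # rule 2: every jmp must go to the same END address
    end = ends.pop()
    branches = []
    for addr, mn, op in insns:
        if mn in COND_JUMPS:
            target = jump_target(op)
            if prev.get(target, (0, ""))[1] != "jmp":
                return None  # rule 1: a jmp must sit right before each conditional-jump target
            branches.append((addr, mn, target))  # (test addr, jcc, next decision point)
    else_begin = branches[-1][2] if branches else None  # rule 3: last target is the else part
    if else_begin is None or any(mn in COND_JUMPS for a, mn, _ in insns if else_begin <= a < end):
        return None
    return {"branches": branches, "else": else_begin, "end": end}
```

Running `find_if_chain(parse(LISTING))` reports the two decision points at 004106DC and 004106EE, the else block at 004106FC and END at 00410706, matching the hand analysis above.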
Exercise
Disassembly
004010B0 push ebp
004010B1 mov ebp,esp
004010B3 sub esp,4Ch
004010B6 push ebx
004010B7 push esi
004010B8 push edi
004010B9 lea edi,[ebp-4Ch]
004010BC mov ecx,13h
004010C1 mov eax,0CCCCCCCCh
004010C6 rep stos dword ptr [edi]
004010C8 mov dword ptr [ebp-4],0
004010CF mov dword ptr [ebp-8],1
004010D6 mov dword ptr [ebp-0Ch],2
004010DD mov eax,dword ptr [ebp+8]
004010E0 cmp eax,dword ptr [ebp+0Ch]
004010E3 jg 004010f0
004010E5 mov ecx,dword ptr [ebp-8]
004010E8 sub ecx,1
004010EB mov dword ptr [ebp-4],ecx
004010EE jmp 00401123
004010F0 mov edx,dword ptr [ebp+0Ch]
004010F3 cmp edx,dword ptr [ebp+10h]
004010F6 jl 00401103
004010F8 mov eax,dword ptr [ebp-0Ch]
004010FB add eax,1
004010FE mov dword ptr [ebp-4],eax
00401101 jmp 00401123
00401103 mov ecx,dword ptr [ebp+8]
00401106 cmp ecx,dword ptr [ebp+10h]
00401109 jle 00401116
0040110B mov edx,dword ptr [ebp-8]
0040110E add edx,dword ptr [ebp-0Ch]
00401111 mov dword ptr [ebp-4],edx
00401114 jmp 00401123
00401116 mov eax,dword ptr [ebp-0Ch]
00401119 mov ecx,dword ptr [ebp-8]
0040111C lea edx,[ecx+eax-1]
00401120 mov dword ptr [ebp-4],edx
00401123 mov eax,dword ptr [ebp-4]
00401126 add eax,1
00401129 pop edi
0040112A pop esi
0040112B pop ebx
0040112C mov esp,ebp
0040112E pop ebp
0040112F ret
Analysis
Parameters: [ebp+8]: x, [ebp+0Ch]: y, [ebp+10h]: z
Local variables: [ebp-4]: a, [ebp-8]: b, [ebp-0Ch]: c
Global variables: none
Functional analysis:
004010C8 mov dword ptr [ebp-4],0          ; a = 0
004010CF mov dword ptr [ebp-8],1          ; b = 1
004010D6 mov dword ptr [ebp-0Ch],2        ; c = 2
004010DD mov eax,dword ptr [ebp+8]
004010E0 cmp eax,dword ptr [ebp+0Ch]      ; compare x with y
004010E3 jg 004010f0                      ; x > y: jump to 004010f0
004010E5 mov ecx,dword ptr [ebp-8]
004010E8 sub ecx,1
004010EB mov dword ptr [ebp-4],ecx        ; x <= y: a = b - 1
004010EE jmp 00401123
004010F0 mov edx,dword ptr [ebp+0Ch]
004010F3 cmp edx,dword ptr [ebp+10h]      ; compare y with z
004010F6 jl 00401103                      ; y < z: jump to 00401103
004010F8 mov eax,dword ptr [ebp-0Ch]
004010FB add eax,1
004010FE mov dword ptr [ebp-4],eax        ; y >= z: a = c + 1
00401101 jmp 00401123
00401103 mov ecx,dword ptr [ebp+8]
00401106 cmp ecx,dword ptr [ebp+10h]      ; compare x with z
00401109 jle 00401116                     ; x <= z: jump to 00401116
0040110B mov edx,dword ptr [ebp-8]
0040110E add edx,dword ptr [ebp-0Ch]
00401111 mov dword ptr [ebp-4],edx        ; x > z: a = b + c
00401114 jmp 00401123
00401116 mov eax,dword ptr [ebp-0Ch]      ; else_begin
00401119 mov ecx,dword ptr [ebp-8]
0040111C lea edx,[ecx+eax-1]
00401120 mov dword ptr [ebp-4],edx        ; a = c + b - 1
00401123 mov eax,dword ptr [ebp-4]        ; set up the return value in eax
00401126 add eax,1                        ; eax = a + 1
Return value: eax
Restored C function (z is the third parameter at [ebp+10h]):
int Function(int x, int y, int z)
{
    int a = 0, b = 1, c = 2;
    if (x <= y)
    {
        a = b - 1;
    }
    else if (y >= z)
    {
        a = c + 1;
    }
    else if (x > z)
    {
        a = b + c;
    }
    else
    {
        a = c + b - 1;
    }
    return a + 1;
}