2013年6月6日 星期四

天書夜讀

系統需求
above Windows XP + Visual Studio 2003/2005

test step
@vs
F9, set break point
F5, start debug

a function call disassembly will like this:
push ebp
mov ebp, esp
sub esp, xxxh
push ebx
push esi
push edi
...
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
ret

x86 assembly instruction

stack instruction
push, move a data to stack, and after push, esp will -4
pop, get a data from stack, and after push, esp will +4
sub,
add,
ret, eip jump to next address before call, after ret, next address will pop from stack
call, eip jump to function, after call, next address will push to stack

data instruction
mov,
xor,
lea, get address, when you see [xxxh], it means xxxh is an address, not value, so [xxxh] will represent an value at address xxxh

lea edi, [ebp-xxxh] equal to mov edi, ebp-xxxh, but mov doesn't support ebp-xxxh, so you can use lea to complete operation like this

stos(stosb, stosw, stosd), copy eax to [edi], then edi+4
rep, repeat operation untill ecx=0, after each operation, ecx-1

jump instruction
jmp,
jg, jump when greater
jl, jump when less
jge, jump when greater or equal
cmp,

hex value of instruction
int 3, 0cch

argument pass sequence
@C(_cdecl C), pass from right to left, recover stack by caller
push ebp
mov ebp, esp
sub esp, xxxh
push ebx
push esi
push edi
...
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp

_stdcall(WinAPI), pass from right to left, recover stack by function itself
Pascal, pass from left to right, recover stack by function itself

C example1 code:
#include "stdafx.h"
int _tmain(int argc, _TCHAR* argv[])
{
    return 0;
}

C example2 code:
#include "stdafx.h"

 int myfun1(int a, int b)
{
    int c=a+b;
    int i;
    for(i=0;i<50;i++)
    {
        c=c+i;
    }
    return c;
}

int _tmain(int argc, _TCHAR* argv[])
{
    int a=1; int b=2;
    myfun1( a, b);
    return 0;
}

typical dissembled for "for loop"
mov i, initial_i
jmp B

A:
    change i (mov eax, dword ptr [i]; add eax,1; mov dword ptr [i], eax)
B:
    cmp i, for_loop_count
    jge outside_of_for_loop
   ...
   jmp A

 typical dissembled for "do loop"
do {c=c+1;} while(c<100);

 A:
    change c (mov eax, dword ptr [c]; add eax,1; mov dword ptr [c], eax)
    cmp dword ptr [c], 64h
    jl A

 typical dissembled for "while loop"
 while(c<100) {c=c+1;}

 A:
    cmp dword ptr [c], 64h
    jge outside_of_while_loop
    change c (mov eax, dword ptr [c]; add eax,1; mov dword ptr [c], eax)
    jmp A

typical dissembled for "if else"
if(c>0 && c<10){}
else if(c>10 && c<100){}
else{}

cmp condition
jle next_if
...

typical dissembled for "switch case"
switch(c)
{
    case 0:{}
    case 1:{}
    default:{}
}

cmp ...
je ...
cmp ...
je ...
...
jmp ...

typical dissembled for "structure"
typedef struct{} mystruct;

char *buf[100];
mystruct *struct1=(mystruct *)buf;
...

mov eax, dword ptr [index]
imul eax, eax, struct_size
mov ecx, dword ptr [struct_variable]
mov dword ptr [ecx+eax], element1_value

mov eax, dword ptr [index]
imul eax, eax, struct_size
mov ecx, dword ptr [struct_variable]
mov dword ptr [ecx+eax+2nd_element_offset], element2_value

typical dissembled for "union, enum"
...













沒有留言:

張貼留言