系統需求
above Windows XP + Visual Studio 2003/2005
test step
@vs
F9, set break point
F5, start debug
a function call disassembly will like this:
push ebp
mov ebp, esp
sub esp, xxxh
push ebx
push esi
push edi
...
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
ret
x86 assembly instruction
stack instruction
push, move a data to stack, and after push, esp will -4
pop, get a data from stack, and after push, esp will +4
sub,
add,
ret, eip jump to next address before call, after ret, next address will pop from stack
call, eip jump to function, after call, next address will push to stack
data instruction
mov,
xor,
lea, get address, when you see [xxxh], it means xxxh is an address, not value, so [xxxh] will represent an value at address xxxh
lea edi, [ebp-xxxh] equal to mov edi, ebp-xxxh, but mov doesn't support ebp-xxxh, so you can use lea to complete operation like this
stos(stosb, stosw, stosd), copy eax to [edi], then edi+4
rep, repeat operation untill ecx=0, after each operation, ecx-1
jump instruction
jmp,
jg, jump when greater
jl, jump when less
jge, jump when greater or equal
cmp,
hex value of instruction
int 3, 0cch
argument pass sequence
@C(_cdecl C), pass from right to left, recover stack by caller
push ebp
mov ebp, esp
sub esp, xxxh
push ebx
push esi
push edi
...
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
_stdcall(WinAPI), pass from right to left, recover stack by function itself
Pascal, pass from left to right, recover stack by function itself
C example1 code:
#include "stdafx.h"
int _tmain(int argc, _TCHAR* argv[])
{
return 0;
}
C example2 code:
#include "stdafx.h"
int myfun1(int a, int b)
{
int c=a+b;
int i;
for(i=0;i<50;i++)
{
c=c+i;
}
return c;
}
int _tmain(int argc, _TCHAR* argv[])
{
int a=1; int b=2;
myfun1( a, b);
return 0;
}
typical dissembled for "for loop"
mov i, initial_i
jmp B
A:
change i (mov eax, dword ptr [i]; add eax,1; mov dword ptr [i], eax)
B:
cmp i, for_loop_count
jge outside_of_for_loop
...
jmp A
typical dissembled for "do loop"
do {c=c+1;} while(c<100);
A:
change c (mov eax, dword ptr [c]; add eax,1; mov dword ptr [c], eax)
cmp dword ptr [c], 64h
jl A
typical dissembled for "while loop"
while(c<100) {c=c+1;}
A:
cmp dword ptr [c], 64h
jge outside_of_while_loop
change c (mov eax, dword ptr [c]; add eax,1; mov dword ptr [c], eax)
jmp A
typical dissembled for "if else"
if(c>0 && c<10){}
else if(c>10 && c<100){}
else{}
cmp condition
jle next_if
...
typical dissembled for "switch case"
switch(c)
{
case 0:{}
case 1:{}
default:{}
}
cmp ...
je ...
cmp ...
je ...
...
jmp ...
typical dissembled for "structure"
typedef struct{} mystruct;
char *buf[100];
mystruct *struct1=(mystruct *)buf;
...
mov eax, dword ptr [index]
imul eax, eax, struct_size
mov ecx, dword ptr [struct_variable]
mov dword ptr [ecx+eax], element1_value
mov eax, dword ptr [index]
imul eax, eax, struct_size
mov ecx, dword ptr [struct_variable]
mov dword ptr [ecx+eax+2nd_element_offset], element2_value
typical dissembled for "union, enum"
...
沒有留言:
張貼留言