看过论坛的一些关于逆向的贴子
说说我的看法:逆向工程并不是对代码进行分析就算了,实际上要对工程进行一定的还原(源代码形式)。当然难度挺大:要对算法非常熟悉,也要对系统的数据结构非常熟悉,才有能力推导并还原工程的数据结构。
这里仅对一个简短的函数进行还原。当然不可能还原成原作者的源代码,而是还原为在函数逻辑上最接近的形式。
; ntdll!memcpy_s as disassembled by the debugger (x64).
; Microsoft x64 calling convention: rcx = arg1, rdx = arg2, r8 = arg3, r9 = arg4,
; 5th argument at [rsp+20h]. rcx is handed unchanged to memcpy/memset as the
; destination, which matches the documented CRT prototype
; memcpy_s(dest, destSize, src, count).
; Values returned in eax here: 0, 16h (22, EINVAL in the CRT's errno.h) and
; 22h (34, ERANGE). What invalid_parameter itself does is not shown in this listing.
; Behaviour worth noting for callers: on the failure path the whole destination
; (destSize bytes) is zero-filled before the error is reported, so destSize must
; be the true capacity of the destination buffer.
ntdll!memcpy_s:
00000000`77abee8c 48895c2408 mov qword ptr [rsp+8],rbx  ; save rbx in the caller-provided home space
00000000`77abee91 4889742410 mov qword ptr [rsp+10h],rsi  ; save rsi in the home space
00000000`77abee96 57 push rdi  ; save rdi
00000000`77abee97 4883ec30 sub rsp,30h  ; frame for outgoing calls, incl. the 5th-argument slot [rsp+20h]
00000000`77abee9b 498bd9 mov rbx,r9  ; rbx = arg4 (count)
00000000`77abee9e 498bf0 mov rsi,r8  ; rsi = arg3 (src)
00000000`77abeea1 488bfa mov rdi,rdx  ; rdi = arg2 (destSize)
00000000`77abeea4 4d85c9 test r9,r9  ; count == 0 ?
00000000`77abeea7 7504 jne ntdll!memcpy_s+0x21 (00000000`77abeead)  ; non-zero -> validate the arguments
ntdll!memcpy_s+0x1d:
00000000`77abeea9 33c0 xor eax,eax  ; success: return 0 (also reached after the memcpy below)
00000000`77abeeab eb1c jmp ntdll!memcpy_s+0x3d (00000000`77abeec9)  ; -> epilogue
ntdll!memcpy_s+0x21:
00000000`77abeead 4885c9 test rcx,rcx  ; dest == NULL ?
00000000`77abeeb0 7527 jne ntdll!memcpy_s+0x4d (00000000`77abeed9)  ; non-null -> check src and the sizes
ntdll!memcpy_s+0x26:
00000000`77abeeb2 48214c2420 and qword ptr [rsp+20h],rcx  ; rcx is 0 on this path, so this stores 0 in the 5th-argument slot
00000000`77abeeb7 4533c9 xor r9d,r9d  ; 4th argument = 0
00000000`77abeeba 4533c0 xor r8d,r8d  ; 3rd argument = 0
00000000`77abeebd 33d2 xor edx,edx  ; 2nd argument = 0
00000000`77abeebf e85c95ffff call ntdll!invalid_parameter (00000000`77ab8420)  ; invalid_parameter(0, 0, 0, 0, 0); rcx is still the null dest
ntdll!memcpy_s+0x38:
00000000`77abeec4 b816000000 mov eax,16h  ; return 16h (EINVAL)
; Common epilogue: eax already holds the return value.
ntdll!memcpy_s+0x3d:
00000000`77abeec9 488b5c2440 mov rbx,qword ptr [rsp+40h]  ; restore rbx ([rsp+8] at entry, shifted by the push and the 30h frame)
00000000`77abeece 488b742448 mov rsi,qword ptr [rsp+48h]  ; restore rsi ([rsp+10h] at entry)
00000000`77abeed3 4883c430 add rsp,30h  ; release the frame
00000000`77abeed7 5f pop rdi  ; restore rdi
00000000`77abeed8 c3 ret
ntdll!memcpy_s+0x4d:
00000000`77abeed9 4d85c0 test r8,r8  ; src == NULL ?
00000000`77abeedc 7412 je ntdll!memcpy_s+0x64 (00000000`77abeef0)  ; null -> failure path
ntdll!memcpy_s+0x52:
00000000`77abeede 483bd3 cmp rdx,rbx  ; destSize vs count
00000000`77abeee1 720d jb ntdll!memcpy_s+0x64 (00000000`77abeef0)  ; destSize < count (unsigned) -> failure path
ntdll!memcpy_s+0x57:
00000000`77abeee3 4c8bc3 mov r8,rbx  ; 3rd argument = count
00000000`77abeee6 488bd6 mov rdx,rsi  ; 2nd argument = src
00000000`77abeee9 e8e2f7fbff call ntdll!memcpy (00000000`77a7e6d0)  ; memcpy(dest, src, count), reached only when all checks passed
00000000`77abeeee ebb9 jmp ntdll!memcpy_s+0x1d (00000000`77abeea9)  ; -> return 0
; Failure path: src is null or the destination is too small.
ntdll!memcpy_s+0x64:
00000000`77abeef0 4c8bc2 mov r8,rdx  ; 3rd argument = destSize (rdx is still arg2 here)
00000000`77abeef3 33d2 xor edx,edx  ; 2nd argument = 0 (fill value)
00000000`77abeef5 e8d63ffcff call ntdll!memset (00000000`77a82ed0)  ; memset(dest, 0, destSize): destination is cleared before reporting
00000000`77abeefa 4885f6 test rsi,rsi  ; src == NULL ? (rsi kept the value across the call)
00000000`77abeefd 7505 jne ntdll!memcpy_s+0x78 (00000000`77abef04)  ; non-null -> the size check failed
ntdll!memcpy_s+0x73:
00000000`77abeeff 8d5e16 lea ebx,[rsi+16h]  ; rsi is 0 here, so ebx = 16h (EINVAL)
00000000`77abef02 eb0a jmp ntdll!memcpy_s+0x82 (00000000`77abef0e)  ; -> report and return
ntdll!memcpy_s+0x78:
00000000`77abef04 483bfb cmp rdi,rbx  ; destSize vs count, repeated
00000000`77abef07 73bb jae ntdll!memcpy_s+0x38 (00000000`77abeec4)  ; destSize >= count -> return 16h with no report; the two jumps into +0x64 never arrive here in that state
ntdll!memcpy_s+0x7d:
00000000`77abef09 bb22000000 mov ebx,22h  ; ebx = 22h (ERANGE): destination too small
ntdll!memcpy_s+0x82:
00000000`77abef0e 488364242000 and qword ptr [rsp+20h],0  ; 5th argument = 0
00000000`77abef14 4533c9 xor r9d,r9d  ; 4th argument = 0
00000000`77abef17 4533c0 xor r8d,r8d  ; 3rd argument = 0
00000000`77abef1a 33d2 xor edx,edx  ; 2nd argument = 0
00000000`77abef1c 33c9 xor ecx,ecx  ; 1st argument = 0
00000000`77abef1e e8fd94ffff call ntdll!invalid_parameter (00000000`77ab8420)  ; invalid_parameter(0, 0, 0, 0, 0)
00000000`77abef23 8bc3 mov eax,ebx  ; return the error code chosen above (16h or 22h)
00000000`77abef25 eba2 jmp ntdll!memcpy_s+0x3d (00000000`77abeec9)  ; -> epilogue
/* First fragment recovered from the listing: `test r9,r9` followed by
 * `xor eax,eax`. A zero count (arg4, passed in r9) returns 0 before any
 * pointer argument is examined. */
if (!arg4) {
    return 0;
}
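/*
 * Reconstruction of ntdll!memcpy_s from the x64 disassembly above.
 *
 * The parameters are left untyped, as in the original pseudo-code. By register
 * they are: arg1 = rcx (destination), arg2 = rdx (destination size in bytes),
 * arg3 = r8 (source), arg4 = r9 (number of bytes to copy). The documented CRT
 * prototype for these is (void *dest, size_t destSize, const void *src,
 * size_t count); the size comparisons in the listing are unsigned (jb / jae).
 *
 * Returns 0 on success, 0x16 (EINVAL) for a null destination or source, and
 * 0x22 (ERANGE) when the destination is smaller than the requested count.
 * On the two failure cases that have a valid destination, the whole
 * destination (arg2 bytes) is zero-filled before the error is reported, so
 * arg2 must be the real capacity of the destination buffer.
 *
 * invalid_parameter is the symbol called in the listing; it receives five
 * zero arguments at both call sites. Its own behaviour is not shown there.
 */
STATUS memcpy_s(arg1, arg2, arg3, arg4)
{
    /* memcpy_s+0x00: nothing to copy, so no pointer is checked at all. */
    if (arg4 == 0)
        return 0;

    /* memcpy_s+0x21: null destination. rcx (arg1, already 0) is passed
     * through as the first argument, the other four are cleared. */
    if (arg1 == 0)
    {
        invalid_parameter(0, 0, 0, 0, 0);
        return 0x16; /* status value: EINVAL */
    }

    /* memcpy_s+0x4d / +0x52: copy only when the source is non-null and the
     * destination can hold arg4 bytes. */
    if (arg3 != 0 && arg2 >= arg4)
    {
        memcpy(arg1, arg3, arg4);
        return 0;
    }

    /* memcpy_s+0x64: failure path. Clear the destination first so the caller
     * never sees stale or partially copied data. */
    memset(arg1, 0, arg2);

    /* memcpy_s+0x73: null source. */
    if (arg3 == 0)
    {
        invalid_parameter(0, 0, 0, 0, 0);
        return 0x16; /* EINVAL */
    }

    /* memcpy_s+0x7d: destination too small for arg4 bytes. */
    if (arg2 < arg4)
    {
        invalid_parameter(0, 0, 0, 0, 0);
        return 0x22; /* ERANGE */
    }

    /* memcpy_s+0x78 (jae): present in the listing, but not reachable from the
     * two conditions that lead to the failure path. */
    return 0x16;
}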
/* Callee as the author wrote it. At memcpy_s+0x64 it is called with
 * rcx = dest, edx = 0 and r8 = rdx (arg2), so in this x64 build the count is
 * passed in a full 64-bit register rather than as an unsigned int. */
memset(char *dest, char c, unsigned int count)