插入代码
```PUSH EBX
00401087 |. 56 PUSH ESI
00401088 |. 57 PUSH EDI
//保存寄存器
00401089 |. 8D7D B4 LEA EDI,DWORD PTR SS:[EBP-4C]
0040108C |. B9 13000000 MOV ECX,13
00401091 |. B8 CCCCCCCC MOV EAX,CCCCCCCC
00401096 |. F3:AB REP STOS DWORD PTR ES:[EDI]
//填充缓冲区
00401098 |. C745 FC 10000>MOV DWORD PTR SS:[EBP-4],10
0040109F |. C745 F8 20000>MOV DWORD PTR SS:[EBP-8],20
//0x10放入局部变量x中,0x20 放入局部变量y中
004010A6 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004010A9 |. 50 PUSH EAX
//局部变量Y取出来放在寄存器eax然后压入堆栈
004010AA |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
004010AD |. 51 PUSH ECX
////局部变量x取出来放在寄存器ecx然后压入堆栈
004010AE |. E8 57FFFFFF CALL ifelse.0040100A
// call指令跳转地址是0040100A,也就是个跳转表地址,因为是DEBUG模式,release就没有,call 指令修改EIP,相当于跳转到目的地址,将下一条地址也就是004010B3压入堆栈,用于返回 e8 57FFFFFF 的计算方法:x=要跳转的地址-当前call指令地址+5,也就是下一行地址。
{
X=0040100A-004010B3=FFFFFF57 ,按照高位在后,低位在前,也就是57 FF FF FF
}
004010B3 |. 83C4 08 ADD ESP,8
//平衡堆栈
004010B6 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
//取FUnction函数的返回值放在ebp-0xc,
004010B9 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
// 放在返回值edx
004010BC |. 52 PUSH EDX
004010BD |. 68 D05F4200 PUSH ifelse.00425FD0
004010C2 |. E8 99E80000 CALL ifelse.0040F960
//打印。。。。
004010C7 |. 83C4 08 ADD ESP,8
004010CA |. 33C0 XOR EAX,EAX
004010CC |. 5F POP EDI
004010CD |. 5E POP ESI
004010CE |. 5B POP EBX
004010CF |. 83C4 4C ADD ESP,4C
004010D2 |. 3BEC CMP EBP,ESP
004010D4 |. E8 77000000 CALL ifelse.00401150
004010D9 |. 8BE5 MOV ESP,EBP
004010DB |. 5D POP EBP
004010DC \. C3 RETN
FUnction()
0040100A $ /E9 11000000 JMP ifelse.00401020
0040100F |CC INT3
00401010 |CC INT3
00401011 |CC INT3
00401012 |CC INT3
00401013 |CC INT3
00401014 |CC INT3
00401015 |CC INT3
00401016 |CC INT3
00401017 |CC INT3
00401018 |CC INT3
00401019 |CC INT3
0040101A |CC INT3
0040101B |CC INT3
0040101C |CC INT3
0040101D |CC INT3
0040101E |CC INT3
0040101F |CC INT3
00401020 /> \55 PUSH EBP
00401021 |. 8BEC MOV EBP,ESP
00401023 |. 83EC 44 SUB ESP,44
//一个参数
00401026 |. 53 PUSH EBX
00401027 |. 56 PUSH ESI
00401028 |. 57 PUSH EDI
00401029 |. 8D7D BC LEA EDI,DWORD PTR SS:[EBP-44]
0040102C |. B9 11000000 MOV ECX,11
00401031 |. B8 CCCCCCCC MOV EAX,CCCCCCCC
00401036 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00401038 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
//取main压入的第二个参数(栈先进后出,后进先出),此时ebp+8中保存的就是0x10
Ebp+4中保存的就是函数返回地址,ebp+c保存的就是最先压入的参数,也就是0x20;
0040103B |. 3B45 0C CMP EAX,DWORD PTR SS:[EBP+C]
//第一个参数和第二个参数进行比较,小于等于就跳转。
0040103E |. 7E 08 JLE SHORT ifelse.00401048
{翻译:
If(X>y)
{
//X->ecx, ecx-->Function的局部变量i i=ecx=x
Int I=x;
}
00401040 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00401043 |. 894D FC MOV DWORD PTR SS:[EBP-4],ECX
00401046 |. EB 16 JMP SHORT ifelse.0040105E
If(X<=y )
{
X-> edx, 比较x和y(ebp+c) ,y->eax, y->i
// int i=y;
}
00401048 |> 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0040104B |. 3B55 0C CMP EDX,DWORD PTR SS:[EBP+C]
0040104E |. 7D 08 JGE SHORT ifelse.00401058
00401050 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00401053 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00401056 |. EB 06 JMP SHORT ifelse.0040105E
00401058 |> 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0040105B |. 894D FC MOV DWORD PTR SS:[EBP-4],ECX
0040105E |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
// i放在eax中,也就是保存返回值
00401061 |. 5F POP EDI
00401062 |. 5E POP ESI
00401063 |. 5B POP EBX
00401064 |. 8BE5 MOV ESP,EBP
00401066 |. 5D POP EBP
00401067 \. C3 RETN
//自己写自己逆向结果:
Int Function(int x,int y)
{
If(x>y)
{
Int i=x;
}
Else if(x<=y)
{
Int i=y;
}
}
Void main()
{
int x=0x10;
Int y=0x20;
Int r=Function(x,y);
Printf(“%d”,r);
}
,技术很菜很菜,但是一直在学习,希望能得到论坛大佬帮助
