-
-
[原创]IDA Pro 代码还原之改名入门篇
-
发表于: 2021-12-22 11:07 4641
-
- 代码还原其实就是反汇编改名过程
- 调用堆栈只需要分析到能猜到功能效果即止
C++源代码
1 2 3 4 5 6 7 8 9 10 11 | void TestSortMethod_BubbleSort(int* h, size_t len){ if (h == NULL) return; if (len <= 1) return; for (int i = 0; i < len - 1; ++i) for (int j = 0; j < len - 1 - i; ++j) if (h[j] > h[j + 1]) Swap(h[j], h[j + 1]); return;} |
还原之前的代码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 | .text:00412280 ; =============== S U B R O U T I N E =======================================.text:00412280.text:00412280 ; Attributes: bp-based frame.text:00412280.text:00412280 ; int __cdecl sub_412280(float).text:00412280 sub_412280 proc near ; CODE XREF: sub_41103C↑j.text:00412280.text:00412280 var_D0 = dword ptr -0D0h.text:00412280 var_C0 = byte ptr -0C0h.text:00412280 arg_0 = dword ptr 8.text:00412280.text:00412280 push ebp.text:00412281 mov ebp, esp.text:00412283 sub esp, 0C0h.text:00412289 push ebx.text:0041228A push esi.text:0041228B push edi.text:0041228C lea edi, [ebp+var_C0].text:00412292 mov ecx, 30h ; '0'.text:00412297 mov eax, 0CCCCCCCCh.text:0041229C rep stosd.text:0041229E push ecx.text:0041229F fld [ebp+arg_0].text:004122A2 fstp [esp+0D0h+var_D0] ; float.text:004122A5 call sub_41101E.text:004122AA add esp, 4.text:004122AD pop edi.text:004122AE pop esi.text:004122AF pop ebx.text:004122B0 add esp, 0C0h.text:004122B6 cmp ebp, esp.text:004122B8 call sub_411221.text:004122BD mov esp, ebp.text:004122BF pop ebp.text:004122C0 retn.text:004122C0 sub_412280 endp.text:004122C0.text:004122C0 ; ---------------------------------------------------------------------------.text:004122C1 align 20h.text:004122E0.text:004122E0 ; =============== S U B R O U T I N E =======================================.text:004122E0.text:004122E0 ; Attributes: bp-based frame.text:004122E0.text:004122E0 ; int __cdecl sub_4122E0(float).text:004122E0 sub_4122E0 proc near ; CODE XREF: sub_41101E↑j.text:004122E0.text:004122E0 X = qword ptr -0D8h.text:004122E0 var_C4 = dword ptr -0C4h.text:004122E0 arg_0 = dword ptr 8.text:004122E0.text:004122E0 push ebp.text:004122E1 mov ebp, esp.text:004122E3 sub esp, 0C4h.text:004122E9 push ebx.text:004122EA push esi.text:004122EB push edi.text:004122EC lea edi, [ebp+var_C4].text:004122F2 mov ecx, 31h ; '1'.text:004122F7 mov eax, 0CCCCCCCCh.text:004122FC rep stosd.text:004122FE fld [ebp+arg_0].text:00412301 sub esp, 8.text:00412304 fstp [esp+0D8h+X] ; X.text:00412307 call j_sqrt.text:0041230C add esp, 8.text:0041230F fstp [ebp+var_C4].text:00412315 fld [ebp+var_C4].text:0041231B pop edi.text:0041231C pop esi.text:0041231D pop ebx.text:0041231E add esp, 0C4h.text:00412324 cmp ebp, esp.text:00412326 call sub_411221.text:0041232B mov esp, ebp.text:0041232D pop ebp.text:0041232E retn.text:0041232E sub_4122E0 endp.text:0041232E.text:0041232E ; ---------------------------------------------------------------------------.text:0041232F db 21h dup(0CCh).text:00412350.text:00412350 ; =============== S U B R O U T I N E =======================================.text:00412350.text:00412350 ; Attributes: bp-based frame.text:00412350.text:00412350 sub_412350 proc near ; CODE XREF: sub_411163↑j.text:00412350.text:00412350 var_D8 = byte ptr -0D8h.text:00412350 var_14 = dword ptr -14h.text:00412350 var_8 = dword ptr -8.text:00412350 arg_0 = dword ptr 8.text:00412350 arg_4 = dword ptr 0Ch.text:00412350.text:00412350 push ebp.text:00412351 mov ebp, esp.text:00412353 sub esp, 0D8h.text:00412359 push ebx.text:0041235A push esi.text:0041235B push edi.text:0041235C lea edi, [ebp+var_D8].text:00412362 mov ecx, 36h ; '6'.text:00412367 mov eax, 0CCCCCCCCh.text:0041236C rep stosd.text:0041236E cmp [ebp+arg_0], 0.text:00412372 jnz short loc_412376.text:00412374 jmp short loc_4123F1.text:00412376 ; ---------------------------------------------------------------------------.text:00412376.text:00412376 loc_412376: ; CODE XREF: sub_412350+22↑j.text:00412376 cmp [ebp+arg_4], 1.text:0041237A ja short loc_41237E.text:0041237C jmp short loc_4123F1.text:0041237E ; ---------------------------------------------------------------------------.text:0041237E.text:0041237E loc_41237E: ; CODE XREF: sub_412350+2A↑j.text:0041237E mov [ebp+var_8], 0.text:00412385 jmp short loc_412390.text:00412387 ; ---------------------------------------------------------------------------.text:00412387.text:00412387 loc_412387: ; CODE XREF: sub_412350:loc_4123EF↓j.text:00412387 mov eax, [ebp+var_8].text:0041238A add eax, 1.text:0041238D mov [ebp+var_8], eax.text:00412390.text:00412390 loc_412390: ; CODE XREF: sub_412350+35↑j.text:00412390 mov eax, [ebp+arg_4].text:00412393 sub eax, 1.text:00412396 cmp [ebp+var_8], eax.text:00412399 jnb short loc_4123F1.text:0041239B mov [ebp+var_14], 0.text:004123A2 jmp short loc_4123AD.text:004123A4 ; ---------------------------------------------------------------------------.text:004123A4.text:004123A4 loc_4123A4: ; CODE XREF: sub_412350:loc_4123ED↓j.text:004123A4 mov eax, [ebp+var_14].text:004123A7 add eax, 1.text:004123AA mov [ebp+var_14], eax.text:004123AD.text:004123AD loc_4123AD: ; CODE XREF: sub_412350+52↑j.text:004123AD mov eax, [ebp+arg_4].text:004123B0 sub eax, 1.text:004123B3 sub eax, [ebp+var_8].text:004123B6 cmp [ebp+var_14], eax.text:004123B9 jnb short loc_4123EF.text:004123BB mov eax, [ebp+var_14].text:004123BE mov ecx, [ebp+arg_0].text:004123C1 mov edx, [ebp+var_14].text:004123C4 mov esi, [ebp+arg_0].text:004123C7 mov eax, [ecx+eax*4].text:004123CA cmp eax, [esi+edx*4+4].text:004123CE jle short loc_4123ED.text:004123D0 mov eax, [ebp+var_14].text:004123D3 mov ecx, [ebp+arg_0].text:004123D6 lea edx, [ecx+eax*4+4].text:004123DA push edx.text:004123DB mov eax, [ebp+var_14].text:004123DE mov ecx, [ebp+arg_0].text:004123E1 lea edx, [ecx+eax*4].text:004123E4 push edx.text:004123E5 call sub_41100A.text:004123EA add esp, 8.text:004123ED.text:004123ED loc_4123ED: ; CODE XREF: sub_412350+7E↑j.text:004123ED jmp short loc_4123A4.text:004123EF ; ---------------------------------------------------------------------------.text:004123EF.text:004123EF loc_4123EF: ; CODE XREF: sub_412350+69↑j.text:004123EF jmp short loc_412387.text:004123F1 ; ---------------------------------------------------------------------------.text:004123F1.text:004123F1 loc_4123F1: ; CODE XREF: sub_412350+24↑j.text:004123F1 ; sub_412350+2C↑j ....text:004123F1 pop edi.text:004123F2 pop esi.text:004123F3 pop ebx.text:004123F4 add esp, 0D8h.text:004123FA cmp ebp, esp.text:004123FC call sub_411221.text:00412401 mov esp, ebp.text:00412403 pop ebp.text:00412404 retn.text:00412404 sub_412350 endp.text:00412404.text:00412404 ; --------------------------------------------------------------------------- |
还原(重命名)之后的代码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 | .text:00412340 ; =============== S U B R O U T I N E =======================================.text:00412340.text:00412340 ; Attributes: bp-based frame.text:00412340.text:00412340 TestSortMethod_BubbleSort proc near ; CODE XREF: .text:00411307↑j.text:00412340 ; j_sort↑j.text:00412340.text:00412340 init_stack_size = byte ptr -0D8h.text:00412340 loop_j = dword ptr -14h.text:00412340 loop_i = dword ptr -8.text:00412340 arr = dword ptr 8.text:00412340 len = dword ptr 0Ch.text:00412340.text:00412340 push ebp.text:00412341 mov ebp, esp.text:00412343 sub esp, 0D8h.text:00412349 push ebx.text:0041234A push esi.text:0041234B push edi.text:0041234C lea edi, [ebp+init_stack_size].text:00412352 mov ecx, 36h ; '6'.text:00412357 mov eax, 0CCCCCCCCh.text:0041235C rep stosd.text:0041235E cmp [ebp+arr], 0.text:00412362 jnz short loc_412366 ; 只要是不跳转到最后的都是有效边界.text:00412364 jmp short func_end ; return.text:00412366 ; ---------------------------------------------------------------------------.text:00412366.text:00412366 loc_412366: ; CODE XREF: TestSortMethod_BubbleSort+22↑j.text:00412366 cmp [ebp+len], 1.text:0041236A ja short loop_i_init ; len>1 无符号大于则跳转.text:0041236C jmp short func_end.text:0041236E ; ---------------------------------------------------------------------------.text:0041236E.text:0041236E loop_i_init: ; CODE XREF: TestSortMethod_BubbleSort+2A↑j.text:0041236E mov [ebp+loop_i], 0.text:00412375 jmp short loop_i_cmp.text:00412377 ; ---------------------------------------------------------------------------.text:00412377.text:00412377 loop_i_iter: ; CODE XREF: TestSortMethod_BubbleSort:loop_i_continue↓j.text:00412377 mov eax, [ebp+loop_i].text:0041237A add eax, 1.text:0041237D mov [ebp+loop_i], eax.text:00412380.text:00412380 loop_i_cmp: ; CODE XREF: TestSortMethod_BubbleSort+35↑j.text:00412380 mov eax, [ebp+len].text:00412383 sub eax, 1.text:00412386 cmp [ebp+loop_i], eax ; i<len-1.text:00412389 jnb short func_end.text:0041238B mov [ebp+loop_j], 0.text:00412392 jmp short loop_j_cmp.text:00412394 ; ---------------------------------------------------------------------------.text:00412394.text:00412394 loop_j_iter: ; CODE XREF: TestSortMethod_BubbleSort:loop_j_continue↓j.text:00412394 mov eax, [ebp+loop_j].text:00412397 add eax, 1.text:0041239A mov [ebp+loop_j], eax.text:0041239D.text:0041239D loop_j_cmp: ; CODE XREF: TestSortMethod_BubbleSort+52↑j.text:0041239D mov eax, [ebp+len].text:004123A0 sub eax, 1.text:004123A3 sub eax, [ebp+loop_i].text:004123A6 cmp [ebp+loop_j], eax ; j<(len-1-i).text:004123A9 jnb short loop_i_continue.text:004123AB mov eax, [ebp+loop_j].text:004123AE mov ecx, [ebp+arr].text:004123B1 mov edx, [ebp+loop_j].text:004123B4 mov esi, [ebp+arr].text:004123B7 mov eax, [ecx+eax*4].text:004123BA cmp eax, [esi+edx*4+4] ; cmp arr[j],arr[j+1].text:004123BE jle short loop_j_continue.text:004123C0 mov eax, [ebp+loop_j].text:004123C3 mov ecx, [ebp+arr].text:004123C6 lea edx, [ecx+eax*4+4] ; arr[j+1].text:004123CA push edx.text:004123CB mov eax, [ebp+loop_j].text:004123CE mov ecx, [ebp+arr].text:004123D1 lea edx, [ecx+eax*4].text:004123D4 push edx.text:004123D5 call sub_411325 ; Swap(arr[j], arr[j+1]).text:004123DA add esp, 8.text:004123DD.text:004123DD loop_j_continue: ; CODE XREF: TestSortMethod_BubbleSort+7E↑j.text:004123DD jmp short loop_j_iter.text:004123DF ; ---------------------------------------------------------------------------.text:004123DF.text:004123DF loop_i_continue: ; CODE XREF: TestSortMethod_BubbleSort+69↑j.text:004123DF jmp short loop_i_iter.text:004123E1 ; ---------------------------------------------------------------------------.text:004123E1.text:004123E1 func_end: ; CODE XREF: TestSortMethod_BubbleSort+24↑j.text:004123E1 ; TestSortMethod_BubbleSort+2C↑j ....text:004123E1 pop edi.text:004123E2 pop esi.text:004123E3 pop ebx.text:004123E4 add esp, 0D8h ; 栈平衡.text:004123EA cmp ebp, esp.text:004123EC call sub_411217 ; 检测平衡符号,忽略.text:004123F1 mov esp, ebp.text:004123F3 pop ebp.text:004123F4 retn.text:004123F4 TestSortMethod_BubbleSort endp |
赞赏
|
|
|---|---|
|
|
他的文章
- 重新认识线程sleep 818
- [原创]CPU爆高,程序卡顿分析 1669
- [原创]再战堆栈损坏:Critical error detected c0000374 1243
- [原创]在无用的堆栈中分析DLL版本错误 1314
- [原创]小白也能通过特征码定位源码 2752
赞赏
雪币:
留言:
