-
-
[原创]函数反汇编实验<浮点型>
-
发表于: 2021-12-22 15:37
-
一、调用代码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | float x1, x2; if (TestMathMethod2(4, 5, 1, &x1, &x2)) {001B616A lea eax,[ebp+FFFFFC68h] 001B6170 push eax 001B6171 lea ecx,[ebp+FFFFFC74h] 001B6177 push ecx 001B6178 push ecx 001B6179 fld1 001B617B fstp dword ptr [esp] 001B617E push ecx 001B617F fld dword ptr ds:[001B9E24h] 001B6185 fstp dword ptr [esp] 001B6188 push ecx 001B6189 fld dword ptr ds:[001B9E18h] 001B618F fstp dword ptr [esp] 001B6192 call 001B1311 001B6197 add esp,14h 001B619A movzx edx,al 001B619D test edx,edx 001B619F je 001B6210 |
二、 函数实现
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 | bool TestMathMethod2(float a, float b, float c, float* x1, float* x2){001B1D70 push ebp 001B1D71 mov ebp,esp 001B1D73 sub esp,0ECh 001B1D79 push ebx 001B1D7A push esi 001B1D7B push edi 001B1D7C lea edi,[ebp+FFFFFF14h] 001B1D82 mov ecx,3Bh 001B1D87 mov eax,0CCCCCCCCh 001B1D8C rep stos dword ptr es:[edi] float discriminant, realPart, imaginaryPart; discriminant = b * b - 4 * a * c;001B1D8E fld dword ptr [ebp+0Ch] 001B1D91 fmul dword ptr [ebp+0Ch] 001B1D94 fld dword ptr [ebp+8] 001B1D97 fmul qword ptr ds:[001B9DF0h] 001B1D9D fmul dword ptr [ebp+10h] 001B1DA0 fsubp st(1),st 001B1DA2 fstp dword ptr [ebp-8] if (discriminant > 0) 001B1DA5 fld dword ptr [ebp-8] 001B1DA8 fcomp qword ptr ds:[001B9DE0h] 001B1DAE fnstsw ax 001B1DB0 test ah,41h 001B1DB3 jne 001B1E21 { *x1 = (-b + sqrt(discriminant)) / (2 * a);001B1DB5 fld dword ptr [ebp+0Ch] 001B1DB8 fchs 001B1DBA push ecx 001B1DBB fld dword ptr [ebp-8] 001B1DBE fstp dword ptr [esp] 001B1DC1 fstp qword ptr [ebp+FFFFFF14h] 001B1DC7 call 001B103C 001B1DCC add esp,4 001B1DCF fadd qword ptr [ebp+FFFFFF14h] 001B1DD5 fld dword ptr [ebp+8] 001B1DD8 fmul qword ptr ds:[001B9DD0h] 001B1DDE fdivp st(1),st 001B1DE0 mov eax,dword ptr [ebp+14h] 001B1DE3 fstp dword ptr [eax] *x2 = (-b - sqrt(discriminant)) / (2 * a); |
- 注意浮点寄存器的堆栈使用方式
- 注意浮点类型数据的查看方式
三、 IDA Pro 反编译重命名之后
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 | .text:00411D70 ; =============== S U B R O U T I N E =======================================.text:00411D70.text:00411D70 ; Attributes: bp-based frame.text:00411D70.text:00411D70 ; int __cdecl TestMathMethod2(float a, float b, float c, int pX1, int pX2).text:00411D70 TestMathMethod2 proc near ; CODE XREF: j_TestMathMethod2↑j.text:00411D70.text:00411D70 var_FC = dword ptr -0FCh.text:00411D70 var_EC = qword ptr -0ECh.text:00411D70 var_20 = dword ptr -20h.text:00411D70 var_14 = dword ptr -14h.text:00411D70 discriminant = dword ptr -8.text:00411D70 a = dword ptr 8.text:00411D70 b = dword ptr 0Ch.text:00411D70 c = dword ptr 10h.text:00411D70 pX1 = dword ptr 14h.text:00411D70 pX2 = dword ptr 18h.text:00411D70.text:00411D70 push ebp.text:00411D71 mov ebp, esp.text:00411D73 sub esp, 0ECh.text:00411D79 push ebx.text:00411D7A push esi.text:00411D7B push edi.text:00411D7C lea edi, [ebp+var_EC].text:00411D82 mov ecx, 3Bh ; ';'.text:00411D87 mov eax, 0CCCCCCCCh.text:00411D8C rep stosd.text:00411D8E fld [ebp+b] ; 将b的值取到浮点寄存器ST0.text:00411D91 fmul [ebp+b] ; b*b.text:00411D94 fld [ebp+a].text:00411D97 fmul ds:dbl_419DF0 ; a*4.0.text:00411D9D fmul [ebp+c] ; 4.0*a*b.text:00411DA0 fsubp st(1), st ; b*b - 4*a*c.text:00411DA2 fstp [ebp+discriminant] ; discriminant = b*b - 4*a*c.text:00411DA5 fld [ebp+discriminant].text:00411DA8 fcomp ds:dbl_419DE0.text:00411DAE fnstsw ax.text:00411DB0 test ah, 41h.text:00411DB3 jnz short if_1.text:00411DB5 fld [ebp+b].text:00411DB8 fchs ; -b.text:00411DBA push ecx.text:00411DBB fld [ebp+discriminant].text:00411DBE fstp [esp+0FCh+var_FC] ; float.text:00411DC1 fstp [ebp+var_EC] ; var_EC = -b 这里其实一个堆栈操作.text:00411DC7 call sub_41103C.text:00411DCC add esp, 4.text:00411DCF fadd [ebp+var_EC] ; -b + sub_41103c(discriminant).text:00411DD5 fld [ebp+a].text:00411DD8 fmul ds:dbl_419DD0 ; 2*a.text:00411DDE fdivp st(1), st ; (-b + sub_41103c(discriminant))/(2*a).text:00411DE0 mov eax, [ebp+pX1].text:00411DE3 fstp dword ptr [eax] ; *pX1 = (-b + sub_41103c(discriminant))/(2*a).text:00411DE5 fld [ebp+b].text:00411DE8 fchs.text:00411DEA push ecx.text:00411DEB fld [ebp+discriminant].text:00411DEE fstp [esp+0FCh+var_FC] ; float.text:00411DF1 fstp [ebp+var_EC].text:00411DF7 call sub_41103C.text:00411DFC add esp, 4.text:00411DFF fsubr [ebp+var_EC].text:00411E05 fld [ebp+a].text:00411E08 fmul ds:dbl_419DD0.text:00411E0E fdivp st(1), st.text:00411E10 mov eax, [ebp+pX2].text:00411E13 fstp dword ptr [eax].text:00411E15 mov al, 1.text:00411E17 jmp func_end.text:00411E1C ; ---------------------------------------------------------------------------.text:00411E1C jmp func_end_ret0.text:00411E21 ; ---------------------------------------------------------------------------.text:00411E21.text:00411E21 if_1: ; CODE XREF: TestMathMethod2+43↑j.text:00411E21 fld [ebp+discriminant].text:00411E24 fldz.text:00411E26 fucompp.text:00411E28 fnstsw ax.text:00411E2A test ah, 44h.text:00411E2D jp short if_2.text:00411E2F fld [ebp+b].text:00411E32 fchs.text:00411E34 push ecx.text:00411E35 fld [ebp+discriminant].text:00411E38 fstp [esp+0FCh+var_FC] ; float.text:00411E3B fstp [ebp+var_EC].text:00411E41 call sub_41103C.text:00411E46 add esp, 4.text:00411E49 fadd [ebp+var_EC].text:00411E4F fld [ebp+a].text:00411E52 fmul ds:dbl_419DD0.text:00411E58 fdivp st(1), st.text:00411E5A mov eax, [ebp+pX2].text:00411E5D fstp dword ptr [eax].text:00411E5F mov ecx, [ebp+pX1].text:00411E62 mov edx, [ebp+pX2].text:00411E65 fld dword ptr [edx].text:00411E67 fstp dword ptr [ecx].text:00411E69 mov al, 1.text:00411E6B jmp short func_end.text:00411E6D ; ---------------------------------------------------------------------------.text:00411E6D jmp short func_end_ret0.text:00411E6F ; ---------------------------------------------------------------------------.text:00411E6F.text:00411E6F if_2: ; CODE XREF: TestMathMethod2+BD↑j.text:00411E6F fld [ebp+b].text:00411E72 fchs.text:00411E74 fld [ebp+a].text:00411E77 fmul ds:dbl_419DD0.text:00411E7D fdivp st(1), st.text:00411E7F fstp [ebp+var_14].text:00411E82 fld [ebp+discriminant].text:00411E85 fchs.text:00411E87 push ecx.text:00411E88 fstp [esp+0FCh+var_FC] ; float.text:00411E8B call sub_41103C.text:00411E90 add esp, 4.text:00411E93 fld [ebp+a].text:00411E96 fmul ds:dbl_419DD0.text:00411E9C fdivp st(1), st.text:00411E9E fstp [ebp+var_20].text:00411EA1 xor al, al.text:00411EA3 jmp short func_end.text:00411EA5 ; ---------------------------------------------------------------------------.text:00411EA5.text:00411EA5 func_end_ret0: ; CODE XREF: TestMathMethod2+AC↑j.text:00411EA5 ; TestMathMethod2+FD↑j.text:00411EA5 xor al, al.text:00411EA7.text:00411EA7 func_end: ; CODE XREF: TestMathMethod2+A7↑j.text:00411EA7 ; TestMathMethod2+FB↑j ....text:00411EA7 pop edi.text:00411EA8 pop esi.text:00411EA9 pop ebx.text:00411EAA add esp, 0ECh.text:00411EB0 cmp ebp, esp.text:00411EB2 call sub_411221.text:00411EB7 mov esp, ebp.text:00411EB9 pop ebp.text:00411EBA retn.text:00411EBA TestMathMethod2 endp.text:00411EBA.text:00411EBA ; --------------------------------------------------------------------------- |
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2021-12-22 17:54
被_THINCT编辑
,原因: 上传遗漏的图片
|
|
|---|---|
