[原创]分析运行过的反汇编代码-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[原创]分析运行过的反汇编代码
发表于: 2023-11-8 20:41 9594
[原创]分析运行过的反汇编代码

_THINCT
2023-11-8 20:41
9594
一、 阅读一个函数的反汇编代码，我将其归纳为四个角度:
还原对象代码如下：

先观察一下，该函数涉及到局部变量:

解读运行过程中，本模块被执行过的反汇编代码：

其中0x123存放到了寄存器esi引用内存中，并没有放到局部变量中，说明它的指针变量是可以被优化的。

以上是关于函数变量的赋值过程。

这部分代码是一个数组遍历的过程。

这样的形式，基本上可以认为是传入的结构体参数或者返回的结构体类型。

这里非常有意思的是，ebp-0x18这个地址不是直接作为左值的，而是通过相邻的地址较小的ebp-0x1C通过偏移来进行应用的。

上面基本可以看出结构体的赋值功能，类似C++的等号赋值语句了。

与开始提到的fs:0相呼应。
反汇编代码:
注: 此文仅作本人平时练习笔记用，如果文中有偏倚之处，望高手指点一二。如有受帮助的朋友，深感荣幸。

;ebp : 0x0019FF70

/*0x004011A0*/    push ebp

/*0x004011A1*/    mov ebp, esp

;ebp : 0x0019FF28

/*0x004011A3*/    push 0xFFFFFFFF

/*0x004011A5*/    push 0x40220D

/*0x004011AA*/    mov eax, dword ptr fs:[0x00000000]

/*0x004011B0*/    push eax

/*0x004011B1*/    sub esp, 0x18

/*0x004011B4*/    mov eax, dword ptr ds:[0x00404004]

/*0x004011B9*/    xor eax, ebp

/*0x004011BB*/    mov dword ptr ss:[ebp-0x10], eax

/*0x004011BE*/    push ebx

/*0x004011BF*/    push esi

/*0x004011C0*/    push edi

/*0x004011C1*/    push eax

/*0x004011C2*/    lea eax, ss:[ebp-0xC]

/*0x004011C5*/    mov dword ptr fs:[0x00000000], eax

/*0x004011CB*/    push 0x4

/*0x004011CD*/    call 0x004014CA

/*0x004014CA*/    push ebp

/*0x004014CB*/    mov ebp, esp

;ebp : 0x0019FEE8

;/*0x004014CD*/    jmp 0x004014DC

/*0x004014DC*/    push dword ptr ss:[ebp+0x8]

/*0x004014DF*/    call 0x004020DE

;/*0x004020DE*/    jmp dword ptr ds:[0x00403064]

/*0x76FA2610*/    mov edi, edi

/*0x76FA2651*/    ret

;ebp : 0x0019FF28

/*0x004014EA*/    ret

/*0x004011D2*/    mov esi, eax

/*0x004011D4*/    push 0x8

/*0x004011D6*/    mov dword ptr ds:[esi], 0x123

/*0x004011DC*/    call 0x004014CA

;ebp : 0x0019FEE4

/*0x004014E4*/    pop ecx

/*0x004014E5*/    test eax, eax

;/*0x004014E7*/    je 0x004014CF;GOTO BACK

/*0x004014E9*/    pop ebp

;ebp : 0x0019FF28

/*0x004011E1*/    mov edi, eax

/*0x004011E3*/    mov dword ptr ss:[ebp-0x24], 0x456

/*0x004011EA*/    push 0x4

/*0x004011EC*/    mov dword ptr ds:[edi+0x4], esi

/*0x004011EF*/    mov dword ptr ds:[edi], 0x888

/*0x004011F5*/    call 0x004014CA

/*0x004011FA*/    mov ebx, eax

/*0x004011FC*/    mov dword ptr ss:[ebp-0x14], 0x0

/*0x00401203*/    xorps xmm0, xmm0

/*0x00401206*/    mov dword ptr ss:[ebp-0x20], ebx

/*0x00401209*/    movq qword ptr ss:[ebp-0x1C], xmm0

/*0x0040120E*/    add esp, 0xC

/*0x00401211*/    mov dword ptr ss:[ebp-0x1C], 0x0

/*0x00401218*/    mov dword ptr ds:[ebx], 0x987

/*0x0040121E*/    mov dword ptr ss:[ebp-0x18], 0x0

/*0x00401225*/    mov dword ptr ss:[ebp-0x14], 0x0

/*0x0040122C*/    push edi

/*0x0040122D*/    push 0x0

/*0x0040122F*/    lea ecx, ss:[ebp-0x1C]

/*0x00401232*/    mov dword ptr ss:[ebp-0x4], 0x0

/*0x00401239*/    call 0x00401350

/*0x00401350*/    push ebp

/*0x00401351*/    mov ebp, esp

;ebp : 0x0019FEE4

/*0x00401353*/    sub esp, 0xC

/*0x00401356*/    mov eax, dword ptr ss:[ebp+0x8]

/*0x00401359*/    push edi

/*0x0040135A*/    mov edi, ecx

/*0x0040135C*/    mov dword ptr ss:[ebp-0x8], eax

/*0x0040135F*/    mov edx, dword ptr ds:[edi]

/*0x00401361*/    sub eax, edx

/*0x00401363*/    sar eax, 0x3

/*0x00401366*/    mov dword ptr ss:[ebp-0x4], eax

/*0x00401369*/    mov eax, dword ptr ds:[edi+0x4]

/*0x0040136C*/    sub eax, edx

/*0x0040136E*/    sar eax, 0x3

/*0x00401371*/    cmp eax, 0x1FFFFFFF

;/*0x00401376*/    je 0x004014A8

/*0x0040137C*/    mov ecx, dword ptr ds:[edi+0x8]

/*0x0040137F*/    sub ecx, edx

/*0x00401381*/    sar ecx, 0x3

/*0x00401384*/    push ebx

/*0x00401385*/    push esi

/*0x00401386*/    lea esi, ds:[eax+0x1]

/*0x00401389*/    mov edx, ecx

/*0x0040138B*/    shr edx, 0x1

/*0x0040138D*/    mov eax, 0x1FFFFFFF

/*0x00401392*/    sub eax, edx

/*0x00401394*/    mov dword ptr ss:[ebp-0xC], esi

/*0x00401397*/    cmp ecx, eax

;/*0x00401399*/    ja 0x004014A3

/*0x0040139F*/    lea eax, ds:[edx+ecx*1]

/*0x004013A2*/    mov ebx, esi

/*0x004013A4*/    cmp eax, esi

/*0x004013A6*/    cmovae ebx, eax

/*0x004013A9*/    cmp ebx, 0x1FFFFFFF

;/*0x004013AF*/    ja 0x004014A3

/*0x004013B5*/    shl ebx, 0x3

/*0x004013B8*/    cmp ebx, 0x1000

;/*0x004013BE*/    jb 0x004013E7

/*0x004013E7*/    test ebx, ebx

;/*0x004013E9*/    je 0x004013F8

/*0x004013EB*/    push ebx

/*0x004013EC*/    call 0x004014CA

/*0x004013F1*/    add esp, 0x4

/*0x004013F4*/    mov esi, eax

;/*0x004013F6*/    jmp 0x004013FA

/*0x004013FA*/    mov eax, dword ptr ss:[ebp-0x4]

/*0x004013FD*/    lea edx, ds:[esi+eax*8]

/*0x00401400*/    mov eax, dword ptr ss:[ebp+0xC]

/*0x00401403*/    mov dword ptr ss:[ebp-0x4], edx

/*0x00401406*/    mov ecx, dword ptr ds:[eax]

/*0x00401408*/    mov eax, dword ptr ds:[eax+0x4]

/*0x0040140B*/    mov dword ptr ds:[edx], ecx

/*0x0040140D*/    mov dword ptr ds:[edx+0x4], eax

/*0x00401410*/    mov eax, dword ptr ds:[edi+0x4]

/*0x00401413*/    mov edx, dword ptr ss:[ebp-0x8]

/*0x00401416*/    mov ecx, dword ptr ds:[edi]

/*0x00401418*/    cmp edx, eax

;/*0x0040141A*/    jne 0x0040142B

/*0x0040141C*/    sub eax, ecx

/*0x0040141E*/    push eax

/*0x0040141F*/    push ecx

/*0x00401420*/    push esi

/*0x00401421*/    call 0x004021F2

;/*0x004021F2*/    jmp dword ptr ds:[0x0040305C]

/*0x728E33E0*/    push edi

/*0x728E3916*/    ret

;ebp : 0x0019FF28

/*0x0040149A*/    ret 0x8

/*0x0040123E*/    mov esi, dword ptr ss:[ebp-0x18]

/*0x00401241*/    cmp esi, dword ptr ss:[ebp-0x14]

;/*0x00401244*/    je 0x00401254

/*0x00401254*/    lea eax, ss:[ebp-0x24]

/*0x00401257*/    push eax

/*0x00401258*/    push esi

/*0x00401259*/    lea ecx, ss:[ebp-0x1C]

/*0x0040125C*/    call 

;ebp : 0x0019FEE4

/*0x00401426*/    add esp, 0xC

;/*0x00401429*/    jmp 0x0040144E

/*0x0040144E*/    mov eax, dword ptr ds:[edi]

/*0x00401450*/    test eax, eax

;/*0x00401452*/    je 0x00401480

/*0x00401454*/    mov ecx, dword ptr ds:[edi+0x8]

/*0x00401457*/    sub ecx, eax

/*0x00401459*/    and ecx, 0xFFFFFFF8

/*0x0040145C*/    cmp ecx, 0x1000

;/*0x00401462*/    jb 0x00401476

/*0x00401476*/    push ecx

/*0x00401477*/    push eax

/*0x00401478*/    call 0x004014FA

/*0x004014FA*/    push ebp

/*0x004014FB*/    mov ebp, esp

;ebp : 0x0019FEBC

/*0x004014FD*/    push dword ptr ss:[ebp+0x8]

/*0x00401500*/    call 0x004018D3

;/*0x004018D3*/    jmp 0x00402156

;/*0x00402156*/    jmp dword ptr ds:[0x00403068]

/*0x76FA5F80*/    mov edi, edi

/*0x76FA5F9E*/    ret

;ebp : 0x0019FEE4

/*0x00401507*/    ret

/*0x0040147D*/    add esp, 0x8

/*0x00401480*/    mov eax, dword ptr ss:[ebp-0xC]

/*0x00401483*/    mov dword ptr ds:[edi], esi

/*0x00401485*/    lea ecx, ds:[esi+eax*8]

/*0x00401488*/    mov eax, dword ptr ss:[ebp-0x4]

/*0x0040148B*/    mov dword ptr ds:[edi+0x4], ecx

/*0x0040148E*/    lea ecx, ds:[ebx+esi*1]

/*0x00401491*/    pop esi

/*0x00401492*/    pop ebx

/*0x00401493*/    mov dword ptr ds:[edi+0x8], ecx

/*0x00401496*/    pop edi

/*0x00401497*/    mov esp, ebp

/*0x00401499*/    pop ebp

;ebp : 0x0019FF28

/*0x00401261*/    mov esi, dword ptr ss:[ebp-0x18]

/*0x00401264*/    mov edi, dword ptr ss:[ebp-0x1C]

/*0x00401267*/    xor ebx, ebx

/*0x00401269*/    sub esi, edi

/*0x0040126B*/    sar esi, 0x3

/*0x0040126E*/    test esi, esi

;/*0x00401270*/    je 0x0040128D

/*0x00401272*/    mov eax, dword ptr ds:[edi+ebx*8+0x4]

/*0x00401276*/    push dword ptr ds:[eax]

/*0x00401278*/    push dword ptr ds:[edi+ebx*8]

/*0x0040127B*/    push 0x403198

/*0x00401280*/    call 0x00401010

/*0x00401010*/    push ebp

/*0x00401011*/    mov ebp, esp

;ebp : 0x0019FEE0

/*0x00401013*/    push esi

/*0x00401014*/    mov esi, dword ptr ss:[ebp+0x8]

/*0x00401017*/    push 0x1

/*0x00401019*/    call dword ptr ds:[0x004030E0]

/*0x76FB57C0*/    mov edi, edi

/*0x76FB57CF*/    ret

/*0x76F999F0*/    mov edi, edi

/*0x76F99A10*/    ret

;ebp : 0x0019FF28

/*0x0040103F*/    ret

/*0x00401285*/    inc ebx

/*0x00401286*/    add esp, 0xC

/*0x00401289*/    cmp ebx, esi

;/*0x0040128B*/    jb 0x00401272;GOTO BACK

;ebp : 0x0019FEE0

/*0x76F999F2*/    push ebp

/*0x0040103A*/    add esp, 0x18

/*0x0040103D*/    pop esi

/*0x0040103E*/    pop ebp

;ebp : 0x0019FF28

/*0x0040128D*/    push 0x4031A0

/*0x00401292*/    call 0x00401010

;ebp : 0x0019FEE8

/*0x0040101F*/    add esp, 0x4

/*0x00401022*/    lea ecx, ss:[ebp+0xC]

/*0x00401025*/    push ecx

/*0x00401026*/    push 0x0

/*0x00401028*/    push esi

/*0x00401029*/    push eax

/*0x0040102A*/    call 0x00401000

/*0x00401000*/    mov eax, 0x4043F0

/*0x00401005*/    ret

/*0x0040102F*/    push dword ptr ds:[eax+0x4]

/*0x00401032*/    push dword ptr ds:[eax]

/*0x00401034*/    call dword ptr ds:[0x004030DC]

/*0x76F999F3*/    mov ebp, esp

;ebp : 0x0019FF28

/*0x00401297*/    add esp, 0x4

/*0x0040129A*/    test edi, edi

;/*0x0040129C*/    je 0x004012D0

/*0x0040129E*/    mov ecx, dword ptr ss:[ebp-0x14]

/*0x004012A1*/    mov eax, edi

/*0x004012A3*/    sub ecx, edi

/*0x004012A5*/    and ecx, 0xFFFFFFF8

/*0x004012A8*/    cmp ecx, 0x1000

;/*0x004012AE*/    jb 0x004012C6

/*0x004012C6*/    push ecx

/*0x004012C7*/    push edi

/*0x004012C8*/    call 0x004014FA

;ebp : 0x0019FEE4

/*0x00401505*/    pop ecx

/*0x00401506*/    pop ebp

;ebp : 0x0019FF28

/*0x004012CD*/    add esp, 0x8

/*0x004012D0*/    xor eax, eax

/*0x004012D2*/    mov ecx, dword ptr ss:[ebp-0xC]

/*0x004012D5*/    mov dword ptr fs:[0x00000000], ecx

/*0x004012DC*/    pop ecx

/*0x004012DD*/    pop edi

/*0x004012DE*/    pop esi

/*0x004012DF*/    pop ebx

/*0x004012E0*/    mov ecx, dword ptr ss:[ebp-0x10]

/*0x004012E3*/    xor ecx, ebp

/*0x004012E5*/    call 0x004014BC

/*0x004014BC*/    cmp ecx, dword ptr ds:[0x00404004]

;/*0x004014C2*/    jne 0x004014C5

/*0x004014C4*/    ret

/*0x004012EA*/    mov esp, ebp

/*0x004012EC*/    pop ebp

;ebp : 0x0019FF70

/*0x004012ED*/    ret

;ebp : 0x0019FF70

/*0x004011A0*/    push ebp

/*0x004011A1*/    mov ebp, esp

;ebp : 0x0019FF28

/*0x004011A3*/    push 0xFFFFFFFF

/*0x004011A5*/    push 0x40220D

/*0x004011AA*/    mov eax, dword ptr fs:[0x00000000]

/*0x004011B0*/    push eax

/*0x004011B1*/    sub esp, 0x18

/*0x004011B4*/    mov eax, dword ptr ds:[0x00404004]

/*0x004011B9*/    xor eax, ebp

/*0x004011BB*/    mov dword ptr ss:[ebp-0x10], eax

/*0x004011BE*/    push ebx

/*0x004011BF*/    push esi

/*0x004011C0*/    push edi

/*0x004011C1*/    push eax

/*0x004011C2*/    lea eax, ss:[ebp-0xC]

/*0x004011C5*/    mov dword ptr fs:[0x00000000], eax

/*0x004011CB*/    push 0x4

/*0x004011CD*/    call 0x004014CA

/*0x004014CA*/    push ebp

/*0x004014CB*/    mov ebp, esp

;ebp : 0x0019FEE8

;/*0x004014CD*/    jmp 0x004014DC

/*0x004014DC*/    push dword ptr ss:[ebp+0x8]

/*0x004014DF*/    call 0x004020DE

;/*0x004020DE*/    jmp dword ptr ds:[0x00403064]

/*0x76FA2610*/    mov edi, edi

/*0x76FA2651*/    ret

;ebp : 0x0019FF28

/*0x004014EA*/    ret

/*0x004011D2*/    mov esi, eax

/*0x004011D4*/    push 0x8

/*0x004011D6*/    mov dword ptr ds:[esi], 0x123

/*0x004011DC*/    call 0x004014CA

;ebp : 0x0019FEE4

/*0x004014E4*/    pop ecx

/*0x004014E5*/    test eax, eax

;/*0x004014E7*/    je 0x004014CF;GOTO BACK

/*0x004014E9*/    pop ebp

;ebp : 0x0019FF28

/*0x004011E1*/    mov edi, eax

/*0x004011E3*/    mov dword ptr ss:[ebp-0x24], 0x456

/*0x004011EA*/    push 0x4

/*0x004011EC*/    mov dword ptr ds:[edi+0x4], esi

/*0x004011EF*/    mov dword ptr ds:[edi], 0x888

/*0x004011F5*/    call 0x004014CA

/*0x004011FA*/    mov ebx, eax

/*0x004011FC*/    mov dword ptr ss:[ebp-0x14], 0x0

/*0x00401203*/    xorps xmm0, xmm0

/*0x00401206*/    mov dword ptr ss:[ebp-0x20], ebx

/*0x00401209*/    movq qword ptr ss:[ebp-0x1C], xmm0

/*0x0040120E*/    add esp, 0xC

/*0x00401211*/    mov dword ptr ss:[ebp-0x1C], 0x0

/*0x00401218*/    mov dword ptr ds:[ebx], 0x987

/*0x0040121E*/    mov dword ptr ss:[ebp-0x18], 0x0

/*0x00401225*/    mov dword ptr ss:[ebp-0x14], 0x0

/*0x0040122C*/    push edi

/*0x0040122D*/    push 0x0

/*0x0040122F*/    lea ecx, ss:[ebp-0x1C]

/*0x00401232*/    mov dword ptr ss:[ebp-0x4], 0x0

/*0x00401239*/    call 0x00401350

/*0x00401350*/    push ebp

/*0x00401351*/    mov ebp, esp

;ebp : 0x0019FEE4

/*0x00401353*/    sub esp, 0xC

/*0x00401356*/    mov eax, dword ptr ss:[ebp+0x8]

/*0x00401359*/    push edi

/*0x0040135A*/    mov edi, ecx

/*0x0040135C*/    mov dword ptr ss:[ebp-0x8], eax

/*0x0040135F*/    mov edx, dword ptr ds:[edi]

/*0x00401361*/    sub eax, edx

/*0x00401363*/    sar eax, 0x3

/*0x00401366*/    mov dword ptr ss:[ebp-0x4], eax

/*0x00401369*/    mov eax, dword ptr ds:[edi+0x4]

/*0x0040136C*/    sub eax, edx

/*0x0040136E*/    sar eax, 0x3

/*0x00401371*/    cmp eax, 0x1FFFFFFF

;/*0x00401376*/    je 0x004014A8

/*0x0040137C*/    mov ecx, dword ptr ds:[edi+0x8]

/*0x0040137F*/    sub ecx, edx

/*0x00401381*/    sar ecx, 0x3

/*0x00401384*/    push ebx

/*0x00401385*/    push esi

/*0x00401386*/    lea esi, ds:[eax+0x1]

/*0x00401389*/    mov edx, ecx

/*0x0040138B*/    shr edx, 0x1

/*0x0040138D*/    mov eax, 0x1FFFFFFF

/*0x00401392*/    sub eax, edx

/*0x00401394*/    mov dword ptr ss:[ebp-0xC], esi

/*0x00401397*/    cmp ecx, eax

;/*0x00401399*/    ja 0x004014A3

/*0x0040139F*/    lea eax, ds:[edx+ecx*1]

/*0x004013A2*/    mov ebx, esi

/*0x004013A4*/    cmp eax, esi

/*0x004013A6*/    cmovae ebx, eax

/*0x004013A9*/    cmp ebx, 0x1FFFFFFF

;/*0x004013AF*/    ja 0x004014A3

/*0x004013B5*/    shl ebx, 0x3

/*0x004013B8*/    cmp ebx, 0x1000

;/*0x004013BE*/    jb 0x004013E7

/*0x004013E7*/    test ebx, ebx

;/*0x004013E9*/    je 0x004013F8

/*0x004013EB*/    push ebx

/*0x004013EC*/    call 0x004014CA

/*0x004013F1*/    add esp, 0x4

/*0x004013F4*/    mov esi, eax

;/*0x004013F6*/    jmp 0x004013FA

/*0x004013FA*/    mov eax, dword ptr ss:[ebp-0x4]

/*0x004013FD*/    lea edx, ds:[esi+eax*8]

/*0x00401400*/    mov eax, dword ptr ss:[ebp+0xC]

/*0x00401403*/    mov dword ptr ss:[ebp-0x4], edx

/*0x00401406*/    mov ecx, dword ptr ds:[eax]

/*0x00401408*/    mov eax, dword ptr ds:[eax+0x4]

/*0x0040140B*/    mov dword ptr ds:[edx], ecx

/*0x0040140D*/    mov dword ptr ds:[edx+0x4], eax

/*0x00401410*/    mov eax, dword ptr ds:[edi+0x4]

/*0x00401413*/    mov edx, dword ptr ss:[ebp-0x8]

/*0x00401416*/    mov ecx, dword ptr ds:[edi]

/*0x00401418*/    cmp edx, eax

;/*0x0040141A*/    jne 0x0040142B

/*0x0040141C*/    sub eax, ecx

/*0x0040141E*/    push eax

/*0x0040141F*/    push ecx

/*0x00401420*/    push esi

/*0x00401421*/    call 0x004021F2

;/*0x004021F2*/    jmp dword ptr ds:[0x0040305C]

/*0x728E33E0*/    push edi

/*0x728E3916*/    ret

;ebp : 0x0019FF28

/*0x0040149A*/    ret 0x8

/*0x0040123E*/    mov esi, dword ptr ss:[ebp-0x18]

/*0x00401241*/    cmp esi, dword ptr ss:[ebp-0x14]

				登录后可查看完整内容
			
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！

		最后于  2023-11-8 20:47		
				被_THINCT编辑
				
		，原因： 		
	
		#调试逆向
		#其他内容
	
上传的附件：

			AddrFlowEasy.asm
		
		（9.06kb，12次下载）

			main.cpp
		
		（0.53kb，9次下载）

			Project1031.exe
		
		（11.00kb，13次下载）
收藏・14
免费・3
支持
最新回复 (2)
秋狝雪币： 2948 活跃值： (30846) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1568 粉丝 38 关注私信	秋狝 2 楼感谢分享 2023-11-9 09:18 1
院士雪币： 3527 活跃值： (3908) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 176 粉丝 2 关注私信	院士 3 楼感谢分享。 2023-11-9 12:51 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复
_THINCT
发帖
123
回帖
RANK
关注
私信
他的文章
关于我们
联系我们
企业服务
看雪公众号
最新回复 (2)
秋狝雪币： 2948 活跃值： (30846) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1568 粉丝 38 关注私信	秋狝 2 楼感谢分享 2023-11-9 09:18 1
院士雪币： 3527 活跃值： (3908) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 176 粉丝 2 关注私信	院士 3 楼感谢分享。 2023-11-9 12:51 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复