Originally posted by jdxyw
What I mean is: in a pile of disassembled output, how do you tell whether some bytes that look unrelated at first are actually code or data?
Experience.
CODE:0041C28B mov esi, eax
CODE:0041C28D mov edx, esp
CODE:0041C28F mov eax, esi
CODE:0041C291 call sub_41BF1C
CODE:0041C291
CODE:0041C296 mov [esp+8], bl
CODE:0041C29A mov edx, esp
CODE:0041C29C mov eax, esi
CODE:0041C29E call sub_41BF34
CODE:0041C29E
CODE:0041C2A3 add esp, 2Ch
CODE:0041C2A6 pop esi
CODE:0041C2A7 pop ebx
CODE:0041C2A8 retn
CODE:0041C2A8
CODE:0041C2A8 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CODE:0041C2A9 db 8Dh ; ?
CODE:0041C2AA db 40h ; @
CODE:0041C2AB db 0
CODE:0041C2AC db 8Bh ; ?
CODE:0041C2AD db 40h ; @
CODE:0041C2AE db 10h
CODE:0041C2AF db 8Ah ; ?
CODE:0041C2B0 db 40h ; @
CODE:0041C2B1 db 1Ah
CODE:0041C2B2 db 0C3h ; ?
CODE:0041C2B3 db 90h ; ?
CODE:0041C2B4 db 53h ; S
For example, the block above is code, but IDA treated it as data. Try pressing C on it: you get assembly, and the control flow of that assembly also makes sense, so this "data" is really code:
CODE:0041C2A9 lea eax, [eax+0]
CODE:0041C2AC mov eax, [eax+10h]
CODE:0041C2AF mov al, [eax+1Ah]
CODE:0041C2B2 retn
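To make the "press C and see whether it decodes sensibly" check concrete, here is an added example (my own, not from the post or from IDA): a tiny linear-sweep decoder for a small subset of 32-bit x86 (the lea/mov forms in the listing plus push, pop, nop and retn). It re-decodes the twelve bytes from the listing above and, for comparison, a constructed C string. The opcode subset is an assumption of the toy; a real check uses IDA's own decoder or a full disassembler library.

```python
# Added example (not from the original post): a tiny linear-sweep decoder for a
# small subset of 32-bit x86, used to try the "does this decode as sensible
# code?" check on a byte sequence. The byte strings below are constructed here.

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]

# Bytes copied from the IDA listing in the post (0041C2A9..0041C2B4).
POST_BYTES = bytes.fromhex("8d 40 00 8b 40 10 8a 40 1a c3 90 53")
# A constructed data block (a C string) for comparison.
STRING_BYTES = b"Hello, world!\x00"


def _modrm(data, pos):
    """Decode a ModR/M byte plus displacement at data[pos].

    Returns (reg_field, operand, is_register, next_pos), or None when the
    encoding is outside this toy decoder (SIB byte) or the bytes run out.
    """
    if pos >= len(data):
        return None
    b = data[pos]
    pos += 1
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    if mod == 3:                      # register-direct operand
        return reg, rm, True, pos
    if rm == 4:                       # SIB byte follows: not handled here
        return None
    if mod == 0 and rm == 5:          # [disp32] with no base register
        if pos + 4 > len(data):
            return None
        disp = int.from_bytes(data[pos:pos + 4], "little")
        return reg, f"[{disp:#x}]", False, pos + 4
    if mod == 0:                      # [base]
        return reg, f"[{REG32[rm]}]", False, pos
    width = 1 if mod == 1 else 4      # [base+disp8] or [base+disp32]
    if pos + width > len(data):
        return None
    disp = int.from_bytes(data[pos:pos + width], "little", signed=True)
    return reg, f"[{REG32[rm]}{disp:+#x}]", False, pos + width


def decode_one(data, pos):
    """Decode one instruction at data[pos]; returns (text, next_pos) or None."""
    op = data[pos]
    if op == 0xC3:
        return "retn", pos + 1
    if op == 0x90:
        return "nop", pos + 1
    if 0x50 <= op <= 0x57:
        return f"push {REG32[op - 0x50]}", pos + 1
    if 0x58 <= op <= 0x5F:
        return f"pop {REG32[op - 0x58]}", pos + 1
    if op in (0x8D, 0x8B, 0x89, 0x8A, 0x88):   # lea / mov with ModR/M
        r = _modrm(data, pos + 1)
        if r is None:
            return None
        reg, operand, is_reg, nxt = r
        if op == 0x8D:
            if is_reg:                # lea requires a memory operand
                return None
            return f"lea {REG32[reg]}, {operand}", nxt
        names = REG8 if op in (0x8A, 0x88) else REG32
        rm_text = names[operand] if is_reg else operand
        if op in (0x8B, 0x8A):        # mov reg, r/m
            return f"mov {names[reg]}, {rm_text}", nxt
        return f"mov {rm_text}, {names[reg]}", nxt   # mov r/m, reg
    return None                       # opcode outside the supported subset


def linear_sweep(data):
    """Decode from offset 0 until an undecodable byte. Returns (insns, consumed)."""
    insns, pos = [], 0
    while pos < len(data):
        r = decode_one(data, pos)
        if r is None:
            break
        text, pos = r
        insns.append(text)
    return insns, pos


def looks_like_code(data):
    """The post's heuristic, mechanised a little: every byte decodes cleanly
    instruction after instruction and the stream reaches a return, which is
    what the tail of a routine should look like."""
    insns, _ = linear_sweep(data)
    return "retn" in insns


if __name__ == "__main__":
    for label, blob in (("listing bytes", POST_BYTES), ("string bytes", STRING_BYTES)):
        insns, used = linear_sweep(blob)
        print(f"{label}: decoded {used}/{len(blob)} bytes, code? {looks_like_code(blob)}")
        for text in insns:
            print("   ", text)
```

Running it, the listing bytes decode to exactly the four instructions IDA shows after pressing C (followed by the nop and the `push ebx` that starts the next routine), while the string bytes stop at the first opcode outside the subset. The second half of the post's judgement, "the flow is also reasonable", is still a human call; the decoder only tells you the bytes are not nonsense.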