[求助]Hex-Rays 解释Switch失败。。。-付费问答-看雪-安全社区|安全招聘|kanxue.com

最新回复 (3)
mavermaver 雪币： 141 活跃值： (1135) 能力值： ( LV2，RANK：150 ) 在线值：发帖 47 回帖 362 粉丝 1 关注私信	mavermaver 3 2 楼 IDA 5.2给出的代码： =========================================== .text:00415580 ; =============== S U B R O U T I N E ======================================= .text:00415580 .text:00415580 .text:00415580 sub_415580 proc near ; CODE XREF: sub_4157C0+5BFp .text:00415580 ; sub_4157C0+5FDp ... .text:00415580 .text:00415580 arg_0 = dword ptr 4 .text:00415580 arg_4 = dword ptr 8 .text:00415580 arg_8 = dword ptr 0Ch .text:00415580 .text:00415580 000 mov eax, [esp+arg_4] .text:00415584 000 push ebx .text:00415585 004 mov ebx, [esp+4+arg_0] .text:00415589 004 push ebp .text:0041558A 008 push esi .text:0041558B 00C push edi .text:0041558C 010 xor edi, edi .text:0041558E 010 mov esi, eax .text:00415590 010 cmp eax, edi .text:00415592 010 mov ebp, ecx .text:00415594 010 mov [esp+10h+arg_0], esi .text:00415598 010 jz loc_415792 ; jumptable 004155AD case 7 .text:0041559E .text:0041559E loc_41559E: ; CODE XREF: sub_415580+1E0j .text:0041559E 010 mov eax, [ebp+222Ch] .text:004155A4 010 cmp eax, 7 ; switch 8 cases .text:004155A7 010 ja loc_415788 ; default .text:004155A7 ; jumptable 004155AD case 6 .text:004155AD 010 jmp off_41579C[eax4] ; switch jump .text:004155B4 .text:004155B4 loc_4155B4: ; DATA XREF: .text:off_41579Co .text:004155B4 010 mov edx, ebx ; jumptable 004155AD case 2 .text:004155B6 .text:004155B6 loc_4155B6: ; CODE XREF: sub_415580+41j .text:004155B6 010 mov al, [edx] .text:004155B8 010 cmp al, 0Ah .text:004155BA 010 jz short loc_4155C3 .text:004155BC 010 inc edx .text:004155BD 010 cmp al, 0Dh .text:004155BF 010 jz short loc_4155D0 .text:004155C1 010 jmp short loc_4155B6 .text:004155C3 ; --------------------------------------------------------------------------- .text:004155C3 .text:004155C3 loc_4155C3: ; CODE XREF: sub_415580+3Aj .text:004155C3 010 inc edx .text:004155C4 010 mov dword ptr [ebp+222Ch], 4 .text:004155CE 010 jmp short loc_4155DA .text:004155D0 ; --------------------------------------------------------------------------- .text:004155D0 .text:004155D0 loc_4155D0: ; CODE XREF: sub_415580+3Fj .text:004155D0 010 mov dword ptr [ebp+222Ch], 3 .text:004155DA .text:004155DA loc_4155DA: ; CODE XREF: sub_415580+4Ej .text:004155DA 010 lea edi, [ebp+2230h] .text:004155E0 010 or ecx, 0FFFFFFFFh .text:004155E3 010 xor eax, eax .text:004155E5 010 repne scasb .text:004155E7 010 not ecx .text:004155E9 010 dec ecx .text:004155EA 010 mov eax, ecx .text:004155EC 010 sub ecx, ebx .text:004155EE 010 add ecx, edx .text:004155F0 010 cmp ecx, 10h .text:004155F3 010 mov [esp+10h+arg_4], ecx .text:004155F7 010 jg loc_415788 ; default .text:004155F7 ; jumptable 004155AD case 6 .text:004155FD 010 mov ecx, edx .text:004155FF 010 lea edi, [eax+ebp+2230h] .text:00415606 010 sub ecx, ebx .text:00415608 010 mov esi, ebx .text:0041560A 010 mov eax, ecx .text:0041560C 010 sub ebx, edx .text:0041560E 010 shr ecx, 2 .text:00415611 010 rep movsd .text:00415613 010 mov ecx, eax .text:00415615 010 mov eax, [esp+10h+arg_0] .text:00415619 010 and ecx, 3 .text:0041561C 010 add eax, ebx .text:0041561E 010 rep movsb .text:00415620 010 mov ecx, [esp+10h+arg_4] .text:00415624 010 mov [esp+10h+arg_0], eax .text:00415628 010 mov ebx, edx .text:0041562A 010 mov esi, eax .text:0041562C 010 mov byte ptr [ecx+ebp+2230h], 0 .text:00415634 010 jmp loc_41575A .text:00415639 ; --------------------------------------------------------------------------- .text:00415639 .text:00415639 loc_415639: ; CODE XREF: sub_415580+2Dj .text:00415639 ; DATA XREF: .text:off_41579Co .text:00415639 010 cmp byte ptr [ebx], 0Ah ; jumptable 004155AD case 3 .text:0041563C 010 jnz short loc_415644 .text:0041563E 010 inc ebx .text:0041563F 010 dec esi .text:00415640 010 mov [esp+10h+arg_0], esi .text:00415644 .text:00415644 loc_415644: ; CODE XREF: sub_415580+BCj .text:00415644 010 mov dword ptr [ebp+222Ch], 4 .text:0041564E 010 jmp loc_41575A .text:00415653 ; --------------------------------------------------------------------------- .text:00415653 .text:00415653 loc_415653: ; CODE XREF: sub_415580+2Dj .text:00415653 ; DATA XREF: .text:off_41579Co .text:00415653 010 lea edx, [ebp+2230h] ; jumptable 004155AD case 4 .text:00415659 010 mov [ebp+2228h], edi .text:0041565F 010 mov ecx, edx .text:00415661 010 mov al, [ecx] .text:00415663 010 test al, al .text:00415665 010 jz short loc_4156C8 .text:00415667 .text:00415667 loc_415667: ; CODE XREF: sub_415580+146j .text:00415667 010 cmp al, 30h .text:00415669 010 jl short loc_415688 .text:0041566B 010 cmp al, 39h .text:0041566D 010 jg short loc_415688 .text:0041566F 010 mov edi, [ebp+2228h] .text:00415675 010 sub edi, 3 .text:00415678 010 movsx eax, al .text:0041567B 010 shl edi, 4 .text:0041567E 010 add edi, eax .text:00415680 010 mov [ebp+2228h], edi .text:00415686 010 jmp short loc_4156C0 .text:00415688 ; --------------------------------------------------------------------------- .text:00415688 .text:00415688 loc_415688: ; CODE XREF: sub_415580+E9j .text:00415688 ; sub_415580+EDj .text:00415688 010 cmp al, 61h .text:0041568A 010 jl short loc_4156A2 .text:0041568C 010 cmp al, 66h .text:0041568E 010 jg short loc_4156A2 .text:00415690 010 mov edi, [ebp+2228h] .text:00415696 010 movsx eax, al .text:00415699 010 shl edi, 4 .text:0041569C 010 lea eax, [edi+eax-57h] .text:004156A0 010 jmp short loc_4156BA .text:004156A2 ; --------------------------------------------------------------------------- .text:004156A2 .text:004156A2 loc_4156A2: ; CODE XREF: sub_415580+10Aj .text:004156A2 ; sub_415580+10Ej .text:004156A2 010 cmp al, 41h .text:004156A4 010 jl short loc_4156C8 .text:004156A6 010 cmp al, 46h .text:004156A8 010 jg short loc_4156C8 .text:004156AA 010 mov edi, [ebp+2228h] .text:004156B0 010 movsx eax, al .text:004156B3 010 shl edi, 4 .text:004156B6 010 lea eax, [edi+eax-37h] .text:004156BA .text:004156BA loc_4156BA: ; CODE XREF: sub_415580+120j .text:004156BA 010 mov [ebp+2228h], eax .text:004156C0 .text:004156C0 loc_4156C0: ; CODE XREF: sub_415580+106j .text:004156C0 010 mov al, [ecx+1] .text:004156C3 010 inc ecx .text:004156C4 010 test al, al .text:004156C6 010 jnz short loc_415667 .text:004156C8 .text:004156C8 loc_4156C8: ; CODE XREF: sub_415580+E5j .text:004156C8 ; sub_415580+124j ... .text:004156C8 010 mov ecx, [ebp+2228h] .text:004156CE 010 mov byte ptr [edx], 0 .text:004156D1 010 neg ecx .text:004156D3 010 sbb ecx, ecx .text:004156D5 010 and ecx, 0FFFFFFFEh .text:004156D8 010 add ecx, 7 .text:004156DB 010 mov [ebp+222Ch], ecx .text:004156E1 010 jmp short loc_41575A .text:004156E3 ; --------------------------------------------------------------------------- .text:004156E3 .text:004156E3 loc_4156E3: ; CODE XREF: sub_415580+2Dj .text:004156E3 ; DATA XREF: .text:off_41579Co .text:004156E3 010 mov eax, [ebp+2228h] ; jumptable 004155AD case 5 .text:004156E9 010 cmp esi, eax .text:004156EB 010 jl short loc_415765 .text:004156ED 010 mov edx, [esp+10h+arg_8] .text:004156F1 010 mov ecx, ebp .text:004156F3 010 push edx .text:004156F4 014 push eax .text:004156F5 018 push ebx .text:004156F6 01C call sub_415530 .text:004156FB 010 mov eax, [ebp+2228h] .text:00415701 010 mov [ebp+2228h], edi .text:00415707 010 add ebx, eax .text:00415709 010 sub esi, eax .text:0041570B 010 mov [esp+10h+arg_0], esi .text:0041570F 010 mov [ebp+222Ch], edi .text:00415715 010 jmp short loc_41575A .text:00415717 ; --------------------------------------------------------------------------- .text:00415717 .text:00415717 loc_415717: ; CODE XREF: sub_415580+2Dj .text:00415717 ; DATA XREF: .text:off_41579Co .text:00415717 010 mov al, [ebx] ; jumptable 004155AD case 0 .text:00415719 010 cmp al, 0Ah .text:0041571B 010 jnz short loc_41572F .text:0041571D 010 inc ebx .text:0041571E 010 dec esi .text:0041571F 010 mov dword ptr [ebp+222Ch], 2 .text:00415729 010 mov [esp+10h+arg_0], esi .text:0041572D 010 jmp short loc_41575A .text:0041572F ; --------------------------------------------------------------------------- .text:0041572F .text:0041572F loc_41572F: ; CODE XREF: sub_415580+19Bj .text:0041572F 010 cmp al, 0Dh .text:00415731 010 jnz short loc_415750 .text:00415733 010 inc ebx .text:00415734 010 dec esi .text:00415735 010 mov dword ptr [ebp+222Ch], 1 .text:0041573F 010 mov [esp+10h+arg_0], esi .text:00415743 010 jmp short loc_41575A .text:00415745 ; --------------------------------------------------------------------------- .text:00415745 .text:00415745 loc_415745: ; CODE XREF: sub_415580+2Dj .text:00415745 ; DATA XREF: .text:off_41579Co .text:00415745 010 cmp byte ptr [ebx], 0Ah ; jumptable 004155AD case 1 .text:00415748 010 jnz short loc_415750 .text:0041574A 010 inc ebx .text:0041574B 010 dec esi .text:0041574C 010 mov [esp+10h+arg_0], esi .text:00415750 .text:00415750 loc_415750: ; CODE XREF: sub_415580+1B1j .text:00415750 ; sub_415580+1C8j .text:00415750 010 mov dword ptr [ebp+222Ch], 2 .text:0041575A .text:0041575A loc_41575A: ; CODE XREF: sub_415580+B4j .text:0041575A ; sub_415580+CEj ... .text:0041575A 010 xor edi, edi .text:0041575C 010 cmp esi, edi .text:0041575E 010 jz short loc_415792 ; jumptable 004155AD case 7 .text:00415760 010 jmp loc_41559E .text:00415765 ; --------------------------------------------------------------------------- .text:00415765 .text:00415765 loc_415765: ; CODE XREF: sub_415580+16Bj .text:00415765 010 mov eax, [esp+10h+arg_8] .text:00415769 010 mov ecx, ebp .text:0041576B 010 push eax .text:0041576C 014 push esi .text:0041576D 018 push ebx .text:0041576E 01C call sub_415530 .text:00415773 010 mov eax, [ebp+2228h] .text:00415779 010 pop edi .text:0041577A 00C sub eax, esi .text:0041577C 00C pop esi .text:0041577D 008 mov [ebp+2228h], eax .text:00415783 008 pop ebp .text:00415784 004 pop ebx .text:00415785 000 retn 0Ch .text:00415788 ; --------------------------------------------------------------------------- .text:00415788 .text:00415788 loc_415788: ; CODE XREF: sub_415580+27j .text:00415788 ; sub_415580+2Dj ... .text:00415788 010 mov dword ptr [ebp+222Ch], 6 ; default .text:00415788 ; jumptable 004155AD case 6 .text:00415792 .text:00415792 loc_415792: ; CODE XREF: sub_415580+18j .text:00415792 ; sub_415580+2Dj ... .text:00415792 010 pop edi ; jumptable 004155AD case 7 .text:00415793 00C pop esi .text:00415794 008 pop ebp .text:00415795 004 pop ebx .text:00415796 000 retn 0Ch .text:00415796 sub_415580 endp .text:00415796 .text:00415796 ; --------------------------------------------------------------------------- .text:00415799 align 4 .text:0041579C off_41579C dd offset loc_415717 ; DATA XREF: sub_415580+2Dr .text:0041579C dd offset loc_415745 ; jump table for switch statement .text:0041579C dd offset loc_4155B4 .text:0041579C dd offset loc_415639 .text:0041579C dd offset loc_415653 .text:0041579C dd offset loc_4156E3 .text:0041579C dd offset loc_415788 .text:0041579C dd offset loc_415792 .text:004157BC align 10h Hex-Rays的分析结果（分析时应注意光标一定要在被分析的子程序范围内）： ======================================================== char __thiscall sub_415580(int this, int a2, int a3, int a4) { int v4; // eax@1 int v5; // ebx@1 int v6; // ebp@1 int v7; // edi@1 int v8; // esi@1 int v9; // edx@3 char v10; // al@4 int v11; // ecx@14 int v12; // eax@20 unsigned int v13; // kr00_4@9 void v14; // edi@10 unsigned int v15; // ecx@10 int v16; // ecx@26 LOBYTE(v4) = a3; v5 = a2; v7 = 0; v8 = a3; v6 = this; a2 = a3; if ( a3 ) { while ( 1 ) { v4 = (_DWORD )(v6 + 8748); switch ( v4 ) { case 2: v9 = v5; while ( 1 ) { v10 = (_BYTE )v9; if ( (_BYTE )v9 == 10 ) break; ++v9; if ( v10 == 13 ) { (_DWORD )(v6 + 8748) = 3; goto LABEL_9; } } ++v9; (_DWORD )(v6 + 8748) = 4; LABEL_9: v13 = strlen((const char )(v6 + 8752)); v4 = v13 - 1; a3 = v9 + v13 - 1 - v5; if ( (signed int)(v9 + v13 - 1 - v5) > 16 ) goto LABEL_39; v14 = (void )(v6 + 8752 + v4); v15 = (unsigned int)(v9 - v5) >> 2; memcpy(v14, (const void )v5, 4 v15); v4 = v5 - v9 + a2; memcpy((char )v14 + 4 v15, (const void )(v5 + 4 v15), (v9 - v5) & 3); a2 = v4; v5 = v9; v8 = v4; (_BYTE )(v6 + 8752 + a3) = 0; goto LABEL_36; case 3: if ( (_BYTE )v5 == 10 ) { ++v5; --v8; a2 = v8; } (_DWORD )(v6 + 8748) = 4; goto LABEL_36; case 4: (_DWORD )(v6 + 8744) = v7; v11 = v6 + 8752; LOBYTE(v4) = (_BYTE )(v6 + 8752); if ( !(_BYTE)v4 ) goto LABEL_26; while ( 2 ) { if ( (_BYTE)v4 >= 48 && (_BYTE)v4 <= 57 ) { (_DWORD )(v6 + 8744) = (char)v4 + 16 * ((_DWORD )(v6 + 8744) - 3); goto LABEL_25; } if ( (_BYTE)v4 >= 97 && (_BYTE)v4 <= 102 ) { v12 = 16 * (_DWORD )(v6 + 8744) + (char)v4 - 87; LABEL_24: (_DWORD )(v6 + 8744) = v12; LABEL_25: LOBYTE(v4) = (_BYTE )(v11++ + 1); if ( !(_BYTE)v4 ) goto LABEL_26; continue; } break; } if ( (_BYTE)v4 >= 65 && (_BYTE)v4 <= 70 ) { v12 = 16 * (_DWORD )(v6 + 8744) + (char)v4 - 55; goto LABEL_24; } LABEL_26: v16 = (_DWORD )(v6 + 8744); (_BYTE )(v6 + 8752) = 0; (_DWORD )(v6 + 8748) = (-(v16 != 0) & 0xFFFFFFFE) + 7; goto LABEL_36; case 5: if ( v8 < (_DWORD )(v6 + 8744) ) { sub_415530(v5, v8, a4); v4 = (_DWORD )(v6 + 8744) - v8; (_DWORD )(v6 + 8744) = v4; return v4; } sub_415530(v5, (_DWORD )(v6 + 8744), a4); v4 = (_DWORD )(v6 + 8744); (_DWORD )(v6 + 8744) = v7; v5 += v4; v8 -= v4; a2 = v8; (_DWORD )(v6 + 8748) = v7; LABEL_36: v7 = 0; if ( !v8 ) return v4; break; case 0: LOBYTE(v4) = (_BYTE )v5; if ( (_BYTE )v5 == 10 ) { ++v5; --v8; (_DWORD )(v6 + 8748) = 2; a2 = v8; } else { if ( (_BYTE)v4 == 13 ) { ++v5; --v8; (_DWORD )(v6 + 8748) = 1; a2 = v8; } else { LABEL_35: (_DWORD )(v6 + 8748) = 2; } } goto LABEL_36; case 1: if ( (_BYTE )v5 == 10 ) { ++v5; --v8; a2 = v8; } goto LABEL_35; default: LABEL_39: (_DWORD )(v6 + 8748) = 6; return v4; case 7: return v4; } } } return v4; } 2007-12-5 16:31 0
jackniuniu 雪币： 200 活跃值： (14) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 16 粉丝 0 关注私信	jackniuniu 3 楼二楼的，你的代码和我的不太一样，我的跳转的表位于函数内部，不是在函数外部，Hex-Rays分析就挂了。有无可以修改的分析特征或者其他手段等，初次接触这玩意，不太熟悉。。。 2007-12-7 16:33 0
jackniuniu 雪币： 200 活跃值： (14) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 16 粉丝 0 关注私信	jackniuniu 4 楼唉，我终于找到真正的原因了：看看手册里面讲的，恰恰这种方式正好是idiom模式，只要期待下个版本了。。。。 switch analysis failed The switch idiom (an indirect jump) at the specified address could not be analyzed. Currently there isn't much you can do with this error, except writing a plugin which would hook to the is_switch function and recognize the switch. Not an easy task, though. If this error occurs on a database created by an old version of IDA, try to delete the offending instruction and recreate it. Doing so will reanalyze it and might fix the error because IDA 5.1 handles switches much better than older versions. 2008-1-21 17:47 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (3)
mavermaver 雪币： 141 活跃值： (1135) 能力值： ( LV2，RANK：150 ) 在线值：发帖 47 回帖 362 粉丝 1 关注私信	mavermaver 3 2 楼 IDA 5.2给出的代码： =========================================== .text:00415580 ; =============== S U B R O U T I N E ======================================= .text:00415580 .text:00415580 .text:00415580 sub_415580 proc near ; CODE XREF: sub_4157C0+5BFp .text:00415580 ; sub_4157C0+5FDp ... .text:00415580 .text:00415580 arg_0 = dword ptr 4 .text:00415580 arg_4 = dword ptr 8 .text:00415580 arg_8 = dword ptr 0Ch .text:00415580 .text:00415580 000 mov eax, [esp+arg_4] .text:00415584 000 push ebx .text:00415585 004 mov ebx, [esp+4+arg_0] .text:00415589 004 push ebp .text:0041558A 008 push esi .text:0041558B 00C push edi .text:0041558C 010 xor edi, edi .text:0041558E 010 mov esi, eax .text:00415590 010 cmp eax, edi .text:00415592 010 mov ebp, ecx .text:00415594 010 mov [esp+10h+arg_0], esi .text:00415598 010 jz loc_415792 ; jumptable 004155AD case 7 .text:0041559E .text:0041559E loc_41559E: ; CODE XREF: sub_415580+1E0j .text:0041559E 010 mov eax, [ebp+222Ch] .text:004155A4 010 cmp eax, 7 ; switch 8 cases .text:004155A7 010 ja loc_415788 ; default .text:004155A7 ; jumptable 004155AD case 6 .text:004155AD 010 jmp off_41579C[eax4] ; switch jump .text:004155B4 .text:004155B4 loc_4155B4: ; DATA XREF: .text:off_41579Co .text:004155B4 010 mov edx, ebx ; jumptable 004155AD case 2 .text:004155B6 .text:004155B6 loc_4155B6: ; CODE XREF: sub_415580+41j .text:004155B6 010 mov al, [edx] .text:004155B8 010 cmp al, 0Ah .text:004155BA 010 jz short loc_4155C3 .text:004155BC 010 inc edx .text:004155BD 010 cmp al, 0Dh .text:004155BF 010 jz short loc_4155D0 .text:004155C1 010 jmp short loc_4155B6 .text:004155C3 ; --------------------------------------------------------------------------- .text:004155C3 .text:004155C3 loc_4155C3: ; CODE XREF: sub_415580+3Aj .text:004155C3 010 inc edx .text:004155C4 010 mov dword ptr [ebp+222Ch], 4 .text:004155CE 010 jmp short loc_4155DA .text:004155D0 ; --------------------------------------------------------------------------- .text:004155D0 .text:004155D0 loc_4155D0: ; CODE XREF: sub_415580+3Fj .text:004155D0 010 mov dword ptr [ebp+222Ch], 3 .text:004155DA .text:004155DA loc_4155DA: ; CODE XREF: sub_415580+4Ej .text:004155DA 010 lea edi, [ebp+2230h] .text:004155E0 010 or ecx, 0FFFFFFFFh .text:004155E3 010 xor eax, eax .text:004155E5 010 repne scasb .text:004155E7 010 not ecx .text:004155E9 010 dec ecx .text:004155EA 010 mov eax, ecx .text:004155EC 010 sub ecx, ebx .text:004155EE 010 add ecx, edx .text:004155F0 010 cmp ecx, 10h .text:004155F3 010 mov [esp+10h+arg_4], ecx .text:004155F7 010 jg loc_415788 ; default .text:004155F7 ; jumptable 004155AD case 6 .text:004155FD 010 mov ecx, edx .text:004155FF 010 lea edi, [eax+ebp+2230h] .text:00415606 010 sub ecx, ebx .text:00415608 010 mov esi, ebx .text:0041560A 010 mov eax, ecx .text:0041560C 010 sub ebx, edx .text:0041560E 010 shr ecx, 2 .text:00415611 010 rep movsd .text:00415613 010 mov ecx, eax .text:00415615 010 mov eax, [esp+10h+arg_0] .text:00415619 010 and ecx, 3 .text:0041561C 010 add eax, ebx .text:0041561E 010 rep movsb .text:00415620 010 mov ecx, [esp+10h+arg_4] .text:00415624 010 mov [esp+10h+arg_0], eax .text:00415628 010 mov ebx, edx .text:0041562A 010 mov esi, eax .text:0041562C 010 mov byte ptr [ecx+ebp+2230h], 0 .text:00415634 010 jmp loc_41575A .text:00415639 ; --------------------------------------------------------------------------- .text:00415639 .text:00415639 loc_415639: ; CODE XREF: sub_415580+2Dj .text:00415639 ; DATA XREF: .text:off_41579Co .text:00415639 010 cmp byte ptr [ebx], 0Ah ; jumptable 004155AD case 3 .text:0041563C 010 jnz short loc_415644 .text:0041563E 010 inc ebx .text:0041563F 010 dec esi .text:00415640 010 mov [esp+10h+arg_0], esi .text:00415644 .text:00415644 loc_415644: ; CODE XREF: sub_415580+BCj .text:00415644 010 mov dword ptr [ebp+222Ch], 4 .text:0041564E 010 jmp loc_41575A .text:00415653 ; --------------------------------------------------------------------------- .text:00415653 .text:00415653 loc_415653: ; CODE XREF: sub_415580+2Dj .text:00415653 ; DATA XREF: .text:off_41579Co .text:00415653 010 lea edx, [ebp+2230h] ; jumptable 004155AD case 4 .text:00415659 010 mov [ebp+2228h], edi .text:0041565F 010 mov ecx, edx .text:00415661 010 mov al, [ecx] .text:00415663 010 test al, al .text:00415665 010 jz short loc_4156C8 .text:00415667 .text:00415667 loc_415667: ; CODE XREF: sub_415580+146j .text:00415667 010 cmp al, 30h .text:00415669 010 jl short loc_415688 .text:0041566B 010 cmp al, 39h .text:0041566D 010 jg short loc_415688 .text:0041566F 010 mov edi, [ebp+2228h] .text:00415675 010 sub edi, 3 .text:00415678 010 movsx eax, al .text:0041567B 010 shl edi, 4 .text:0041567E 010 add edi, eax .text:00415680 010 mov [ebp+2228h], edi .text:00415686 010 jmp short loc_4156C0 .text:00415688 ; --------------------------------------------------------------------------- .text:00415688 .text:00415688 loc_415688: ; CODE XREF: sub_415580+E9j .text:00415688 ; sub_415580+EDj .text:00415688 010 cmp al, 61h .text:0041568A 010 jl short loc_4156A2 .text:0041568C 010 cmp al, 66h .text:0041568E 010 jg short loc_4156A2 .text:00415690 010 mov edi, [ebp+2228h] .text:00415696 010 movsx eax, al .text:00415699 010 shl edi, 4 .text:0041569C 010 lea eax, [edi+eax-57h] .text:004156A0 010 jmp short loc_4156BA .text:004156A2 ; --------------------------------------------------------------------------- .text:004156A2 .text:004156A2 loc_4156A2: ; CODE XREF: sub_415580+10Aj .text:004156A2 ; sub_415580+10Ej .text:004156A2 010 cmp al, 41h .text:004156A4 010 jl short loc_4156C8 .text:004156A6 010 cmp al, 46h .text:004156A8 010 jg short loc_4156C8 .text:004156AA 010 mov edi, [ebp+2228h] .text:004156B0 010 movsx eax, al .text:004156B3 010 shl edi, 4 .text:004156B6 010 lea eax, [edi+eax-37h] .text:004156BA .text:004156BA loc_4156BA: ; CODE XREF: sub_415580+120j .text:004156BA 010 mov [ebp+2228h], eax .text:004156C0 .text:004156C0 loc_4156C0: ; CODE XREF: sub_415580+106j .text:004156C0 010 mov al, [ecx+1] .text:004156C3 010 inc ecx .text:004156C4 010 test al, al .text:004156C6 010 jnz short loc_415667 .text:004156C8 .text:004156C8 loc_4156C8: ; CODE XREF: sub_415580+E5j .text:004156C8 ; sub_415580+124j ... .text:004156C8 010 mov ecx, [ebp+2228h] .text:004156CE 010 mov byte ptr [edx], 0 .text:004156D1 010 neg ecx .text:004156D3 010 sbb ecx, ecx .text:004156D5 010 and ecx, 0FFFFFFFEh .text:004156D8 010 add ecx, 7 .text:004156DB 010 mov [ebp+222Ch], ecx .text:004156E1 010 jmp short loc_41575A .text:004156E3 ; --------------------------------------------------------------------------- .text:004156E3 .text:004156E3 loc_4156E3: ; CODE XREF: sub_415580+2Dj .text:004156E3 ; DATA XREF: .text:off_41579Co .text:004156E3 010 mov eax, [ebp+2228h] ; jumptable 004155AD case 5 .text:004156E9 010 cmp esi, eax .text:004156EB 010 jl short loc_415765 .text:004156ED 010 mov edx, [esp+10h+arg_8] .text:004156F1 010 mov ecx, ebp .text:004156F3 010 push edx .text:004156F4 014 push eax .text:004156F5 018 push ebx .text:004156F6 01C call sub_415530 .text:004156FB 010 mov eax, [ebp+2228h] .text:00415701 010 mov [ebp+2228h], edi .text:00415707 010 add ebx, eax .text:00415709 010 sub esi, eax .text:0041570B 010 mov [esp+10h+arg_0], esi .text:0041570F 010 mov [ebp+222Ch], edi .text:00415715 010 jmp short loc_41575A .text:00415717 ; --------------------------------------------------------------------------- .text:00415717 .text:00415717 loc_415717: ; CODE XREF: sub_415580+2Dj .text:00415717 ; DATA XREF: .text:off_41579Co .text:00415717 010 mov al, [ebx] ; jumptable 004155AD case 0 .text:00415719 010 cmp al, 0Ah .text:0041571B 010 jnz short loc_41572F .text:0041571D 010 inc ebx .text:0041571E 010 dec esi .text:0041571F 010 mov dword ptr [ebp+222Ch], 2 .text:00415729 010 mov [esp+10h+arg_0], esi .text:0041572D 010 jmp short loc_41575A .text:0041572F ; --------------------------------------------------------------------------- .text:0041572F .text:0041572F loc_41572F: ; CODE XREF: sub_415580+19Bj .text:0041572F 010 cmp al, 0Dh .text:00415731 010 jnz short loc_415750 .text:00415733 010 inc ebx .text:00415734 010 dec esi .text:00415735 010 mov dword ptr [ebp+222Ch], 1 .text:0041573F 010 mov [esp+10h+arg_0], esi .text:00415743 010 jmp short loc_41575A .text:00415745 ; --------------------------------------------------------------------------- .text:00415745 .text:00415745 loc_415745: ; CODE XREF: sub_415580+2Dj .text:00415745 ; DATA XREF: .text:off_41579Co .text:00415745 010 cmp byte ptr [ebx], 0Ah ; jumptable 004155AD case 1 .text:00415748 010 jnz short loc_415750 .text:0041574A 010 inc ebx .text:0041574B 010 dec esi .text:0041574C 010 mov [esp+10h+arg_0], esi .text:00415750 .text:00415750 loc_415750: ; CODE XREF: sub_415580+1B1j .text:00415750 ; sub_415580+1C8j .text:00415750 010 mov dword ptr [ebp+222Ch], 2 .text:0041575A .text:0041575A loc_41575A: ; CODE XREF: sub_415580+B4j .text:0041575A ; sub_415580+CEj ... .text:0041575A 010 xor edi, edi .text:0041575C 010 cmp esi, edi .text:0041575E 010 jz short loc_415792 ; jumptable 004155AD case 7 .text:00415760 010 jmp loc_41559E .text:00415765 ; --------------------------------------------------------------------------- .text:00415765 .text:00415765 loc_415765: ; CODE XREF: sub_415580+16Bj .text:00415765 010 mov eax, [esp+10h+arg_8] .text:00415769 010 mov ecx, ebp .text:0041576B 010 push eax .text:0041576C 014 push esi .text:0041576D 018 push ebx .text:0041576E 01C call sub_415530 .text:00415773 010 mov eax, [ebp+2228h] .text:00415779 010 pop edi .text:0041577A 00C sub eax, esi .text:0041577C 00C pop esi .text:0041577D 008 mov [ebp+2228h], eax .text:00415783 008 pop ebp .text:00415784 004 pop ebx .text:00415785 000 retn 0Ch .text:00415788 ; --------------------------------------------------------------------------- .text:00415788 .text:00415788 loc_415788: ; CODE XREF: sub_415580+27j .text:00415788 ; sub_415580+2Dj ... .text:00415788 010 mov dword ptr [ebp+222Ch], 6 ; default .text:00415788 ; jumptable 004155AD case 6 .text:00415792 .text:00415792 loc_415792: ; CODE XREF: sub_415580+18j .text:00415792 ; sub_415580+2Dj ... .text:00415792 010 pop edi ; jumptable 004155AD case 7 .text:00415793 00C pop esi .text:00415794 008 pop ebp .text:00415795 004 pop ebx .text:00415796 000 retn 0Ch .text:00415796 sub_415580 endp .text:00415796 .text:00415796 ; --------------------------------------------------------------------------- .text:00415799 align 4 .text:0041579C off_41579C dd offset loc_415717 ; DATA XREF: sub_415580+2Dr .text:0041579C dd offset loc_415745 ; jump table for switch statement .text:0041579C dd offset loc_4155B4 .text:0041579C dd offset loc_415639 .text:0041579C dd offset loc_415653 .text:0041579C dd offset loc_4156E3 .text:0041579C dd offset loc_415788 .text:0041579C dd offset loc_415792 .text:004157BC align 10h Hex-Rays的分析结果（分析时应注意光标一定要在被分析的子程序范围内）： ======================================================== char __thiscall sub_415580(int this, int a2, int a3, int a4) { int v4; // eax@1 int v5; // ebx@1 int v6; // ebp@1 int v7; // edi@1 int v8; // esi@1 int v9; // edx@3 char v10; // al@4 int v11; // ecx@14 int v12; // eax@20 unsigned int v13; // kr00_4@9 void v14; // edi@10 unsigned int v15; // ecx@10 int v16; // ecx@26 LOBYTE(v4) = a3; v5 = a2; v7 = 0; v8 = a3; v6 = this; a2 = a3; if ( a3 ) { while ( 1 ) { v4 = (_DWORD )(v6 + 8748); switch ( v4 ) { case 2: v9 = v5; while ( 1 ) { v10 = (_BYTE )v9; if ( (_BYTE )v9 == 10 ) break; ++v9; if ( v10 == 13 ) { (_DWORD )(v6 + 8748) = 3; goto LABEL_9; } } ++v9; (_DWORD )(v6 + 8748) = 4; LABEL_9: v13 = strlen((const char )(v6 + 8752)); v4 = v13 - 1; a3 = v9 + v13 - 1 - v5; if ( (signed int)(v9 + v13 - 1 - v5) > 16 ) goto LABEL_39; v14 = (void )(v6 + 8752 + v4); v15 = (unsigned int)(v9 - v5) >> 2; memcpy(v14, (const void )v5, 4 v15); v4 = v5 - v9 + a2; memcpy((char )v14 + 4 v15, (const void )(v5 + 4 v15), (v9 - v5) & 3); a2 = v4; v5 = v9; v8 = v4; (_BYTE )(v6 + 8752 + a3) = 0; goto LABEL_36; case 3: if ( (_BYTE )v5 == 10 ) { ++v5; --v8; a2 = v8; } (_DWORD )(v6 + 8748) = 4; goto LABEL_36; case 4: (_DWORD )(v6 + 8744) = v7; v11 = v6 + 8752; LOBYTE(v4) = (_BYTE )(v6 + 8752); if ( !(_BYTE)v4 ) goto LABEL_26; while ( 2 ) { if ( (_BYTE)v4 >= 48 && (_BYTE)v4 <= 57 ) { (_DWORD )(v6 + 8744) = (char)v4 + 16 * ((_DWORD )(v6 + 8744) - 3); goto LABEL_25; } if ( (_BYTE)v4 >= 97 && (_BYTE)v4 <= 102 ) { v12 = 16 * (_DWORD )(v6 + 8744) + (char)v4 - 87; LABEL_24: (_DWORD )(v6 + 8744) = v12; LABEL_25: LOBYTE(v4) = (_BYTE )(v11++ + 1); if ( !(_BYTE)v4 ) goto LABEL_26; continue; } break; } if ( (_BYTE)v4 >= 65 && (_BYTE)v4 <= 70 ) { v12 = 16 * (_DWORD )(v6 + 8744) + (char)v4 - 55; goto LABEL_24; } LABEL_26: v16 = (_DWORD )(v6 + 8744); (_BYTE )(v6 + 8752) = 0; (_DWORD )(v6 + 8748) = (-(v16 != 0) & 0xFFFFFFFE) + 7; goto LABEL_36; case 5: if ( v8 < (_DWORD )(v6 + 8744) ) { sub_415530(v5, v8, a4); v4 = (_DWORD )(v6 + 8744) - v8; (_DWORD )(v6 + 8744) = v4; return v4; } sub_415530(v5, (_DWORD )(v6 + 8744), a4); v4 = (_DWORD )(v6 + 8744); (_DWORD )(v6 + 8744) = v7; v5 += v4; v8 -= v4; a2 = v8; (_DWORD )(v6 + 8748) = v7; LABEL_36: v7 = 0; if ( !v8 ) return v4; break; case 0: LOBYTE(v4) = (_BYTE )v5; if ( (_BYTE )v5 == 10 ) { ++v5; --v8; (_DWORD )(v6 + 8748) = 2; a2 = v8; } else { if ( (_BYTE)v4 == 13 ) { ++v5; --v8; (_DWORD )(v6 + 8748) = 1; a2 = v8; } else { LABEL_35: (_DWORD )(v6 + 8748) = 2; } } goto LABEL_36; case 1: if ( (_BYTE )v5 == 10 ) { ++v5; --v8; a2 = v8; } goto LABEL_35; default: LABEL_39: (_DWORD )(v6 + 8748) = 6; return v4; case 7: return v4; } } } return v4; } 2007-12-5 16:31 0
jackniuniu 雪币： 200 活跃值： (14) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 16 粉丝 0 关注私信	jackniuniu 3 楼二楼的，你的代码和我的不太一样，我的跳转的表位于函数内部，不是在函数外部，Hex-Rays分析就挂了。有无可以修改的分析特征或者其他手段等，初次接触这玩意，不太熟悉。。。 2007-12-7 16:33 0
jackniuniu 雪币： 200 活跃值： (14) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 16 粉丝 0 关注私信	jackniuniu 4 楼唉，我终于找到真正的原因了：看看手册里面讲的，恰恰这种方式正好是idiom模式，只要期待下个版本了。。。。 switch analysis failed The switch idiom (an indirect jump) at the specified address could not be analyzed. Currently there isn't much you can do with this error, except writing a plugin which would hook to the is_switch function and recognize the switch. Not an easy task, though. If this error occurs on a database created by an old version of IDA, try to delete the offending instruction and recreate it. Doing so will reanalyze it and might fix the error because IDA 5.1 handles switches much better than older versions. 2008-1-21 17:47 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

[旧帖] [求助]Hex-Rays 解释Switch失败。。。 0.00雪花