objc反汇编分析,手工逆向libsystem_blocks.dylib
上一篇《block函数块为何物?》介绍了在函数中定义的block函数块的反汇编实现,我在文中再三指出__block变量和block函数块自始还都是stack-based的,还不完全适合在离开定义它们的范围之外使用,包括异步回调。本篇贴上我手工逆向的函数
libsystem_blocks.dylib`_Block_copy_internal。从名字可以看出blocks编程由系统提供的编程框架,_Block_copy_internal也就是block函数块的copy方法,是令block函数块适合用于异步回调必要的操作。
NSStackBlock的逆向定义请参考上一篇《block函数块为何物?》,下面是函数的逆向C++代码:
附上逆向时参照的反汇编片段快照:
libsystem_blocks.dylib`_Block_copy_internal: 0x10ce28458 <+0>: pushq %rbp 0x10ce28459 <+1>: movq %rsp, %rbp 0x10ce2845c <+4>: pushq %r15 0x10ce2845e <+6>: pushq %r14 0x10ce28460 <+8>: pushq %r13 0x10ce28462 <+10>: pushq %r12 0x10ce28464 <+12>: pushq %rbx 0x10ce28465 <+13>: pushq %rax 0x10ce28466 <+14>: movq %rdi, %rbx 0x10ce28469 <+17>: xorl %eax, %eax 0x10ce2846b <+19>: testq %rbx, %rbx 0x10ce2846e <+22>: je 0x10ce28534 ; <+220> 0x10ce28474 <+28>: leaq 0x8(%rbx), %rcx 0x10ce28478 <+32>: testl $0x1000000, 0x8(%rbx) 0x10ce2847f <+39>: jne 0x10ce284db ; <+131> 0x10ce28481 <+41>: testl $0x8000000, (%rcx) 0x10ce28487 <+47>: jne 0x10ce284f8 ; <+160> 0x10ce28489 <+49>: testl $0x10000000, (%rcx) 0x10ce2848f <+55>: jne 0x10ce28531 ; <+217> 0x10ce28495 <+61>: movb 0xbad(%rip), %al ; isGC 0x10ce2849b <+67>: testb %al, %al 0x10ce2849d <+69>: je 0x10ce28543 ; <+235> 0x10ce284a3 <+75>: movl 0x8(%rbx), %r13d 0x10ce284a7 <+79>: movl %r13d, %r12d 0x10ce284aa <+82>: andl $0x4000000, %r12d 0x10ce284b1 <+89>: movq 0xb48(%rip), %r8 ; _Block_allocator 0x10ce284b8 <+96>: movq 0x18(%rbx), %rax 0x10ce284bc <+100>: movq 0x8(%rax), %rdi 0x10ce284c0 <+104>: movb $0x1, %dl 0x10ce284c2 <+106>: jne 0x10ce285b8 ; <+352> 0x10ce284c8 <+112>: testl $0x40000000, (%rcx) 0x10ce284ce <+118>: jne 0x10ce285a2 ; <+330> 0x10ce284d4 <+124>: xorl %edx, %edx 0x10ce284d6 <+126>: jmp 0x10ce285b8 ; <+352> 0x10ce284db <+131>: movl (%rcx), %eax 0x10ce284dd <+133>: movl %eax, %edx 0x10ce284df <+135>: andl $0xfffe, %edx 0x10ce284e5 <+141>: cmpl $0xfffe, %edx 0x10ce284eb <+147>: je 0x10ce28531 ; <+217> 0x10ce284ed <+149>: leal 0x2(%rax), %edx 0x10ce284f0 <+152>: lock 0x10ce284f1 <+153>: cmpxchgl %edx, (%rcx) 0x10ce284f4 <+156>: jne 0x10ce284db ; <+131> 0x10ce284f6 <+158>: jmp 0x10ce28531 ; <+217> 0x10ce284f8 <+160>: testb %sil, %sil 0x10ce284fb <+163>: je 0x10ce28531 ; <+217> 0x10ce284fd <+165>: movl (%rcx), %eax 0x10ce284ff <+167>: movl %eax, %edx 0x10ce28501 <+169>: andl $0xfffe, %edx 0x10ce28507 <+175>: cmpl $0xfffe, %edx 0x10ce2850d <+181>: je 0x10ce28531 ; <+217> 0x10ce2850f <+183>: leal 0x2(%rax), %edx 0x10ce28512 <+186>: lock 0x10ce28513 <+187>: cmpxchgl %edx, (%rcx) 0x10ce28516 <+190>: jne 0x10ce284fd ; <+165> 0x10ce28518 <+192>: andl $0xfffe, %edx 0x10ce2851e <+198>: cmpl $0x2, %edx 0x10ce28521 <+201>: jne 0x10ce28531 ; <+217> 0x10ce28523 <+203>: movl $0x1, %esi 0x10ce28528 <+208>: movq %rbx, %rdi 0x10ce2852b <+211>: callq *0xae7(%rip) ; _Block_setHasRefcount 0x10ce28531 <+217>: movq %rbx, %rax 0x10ce28534 <+220>: addq $0x8, %rsp 0x10ce28538 <+224>: popq %rbx 0x10ce28539 <+225>: popq %r12 0x10ce2853b <+227>: popq %r13 0x10ce2853d <+229>: popq %r14 0x10ce2853f <+231>: popq %r15 0x10ce28541 <+233>: popq %rbp 0x10ce28542 <+234>: retq 0x10ce28543 <+235>: movq 0x18(%rbx), %r15 0x10ce28547 <+239>: movq 0x8(%r15), %rdi 0x10ce2854b <+243>: callq 0x10ce28b34 ; symbol stub for: malloc 0x10ce28550 <+248>: movq %rax, %r14 0x10ce28553 <+251>: xorl %eax, %eax 0x10ce28555 <+253>: testq %r14, %r14 0x10ce28558 <+256>: je 0x10ce28534 ; <+220> 0x10ce2855a <+258>: movq 0x8(%r15), %rdx 0x10ce2855e <+262>: movq %r14, %rdi 0x10ce28561 <+265>: movq %rbx, %rsi 0x10ce28564 <+268>: callq 0x10ce28b52 ; symbol stub for: memmove 0x10ce28569 <+273>: andl $0xffff0000, 0x8(%r14) 0x10ce28571 <+281>: orl $0x1000002, 0x8(%r14) 0x10ce28579 <+289>: leaq 0xbd0(%rip), %rax ; _NSConcreteMallocBlock 0x10ce28580 <+296>: movq %rax, (%r14) 0x10ce28583 <+299>: testl $0x2000000, 0x8(%rbx) 0x10ce2858a <+306>: je 0x10ce28629 ; <+465> 0x10ce28590 <+312>: movq 0x18(%rbx), %rax 0x10ce28594 <+316>: movq %r14, %rdi 0x10ce28597 <+319>: movq %rbx, %rsi 0x10ce2859a <+322>: callq *0x10(%rax) 0x10ce2859d <+325>: jmp 0x10ce28629 ; <+465> 0x10ce285a2 <+330>: leaq 0x10(%rax), %rdx 0x10ce285a6 <+334>: testl $0x2000000, (%rcx) 0x10ce285ac <+340>: cmoveq %rax, %rdx 0x10ce285b0 <+344>: cmpq $0x0, 0x18(%rdx) 0x10ce285b5 <+349>: setne %dl 0x10ce285b8 <+352>: movzbl %sil, %r15d 0x10ce285bc <+356>: movzbl %dl, %edx 0x10ce285bf <+359>: movl %r15d, %esi 0x10ce285c2 <+362>: callq *%r8 0x10ce285c5 <+365>: movq %rax, %r14 0x10ce285c8 <+368>: xorl %eax, %eax 0x10ce285ca <+370>: testq %r14, %r14 0x10ce285cd <+373>: je 0x10ce28534 ; <+220> 0x10ce285d3 <+379>: movq 0x18(%rbx), %rax 0x10ce285d7 <+383>: movq 0x8(%rax), %rdx 0x10ce285db <+387>: movq %r14, %rdi 0x10ce285de <+390>: movq %rbx, %rsi 0x10ce285e1 <+393>: callq 0x10ce28b52 ; symbol stub for: memmove 0x10ce285e6 <+398>: andl $0xf6ff0000, %r13d 0x10ce285ed <+405>: addl %r15d, %r15d 0x10ce285f0 <+408>: orl %r13d, %r15d 0x10ce285f3 <+411>: orl $0x8000000, %r15d 0x10ce285fa <+418>: movl %r15d, 0x8(%r14) 0x10ce285fe <+422>: testl $0x2000000, 0x8(%rbx) 0x10ce28605 <+429>: je 0x10ce28614 ; <+444> 0x10ce28607 <+431>: movq 0x18(%rbx), %rax 0x10ce2860b <+435>: movq %r14, %rdi 0x10ce2860e <+438>: movq %rbx, %rsi 0x10ce28611 <+441>: callq *0x10(%rax) 0x10ce28614 <+444>: testl %r12d, %r12d 0x10ce28617 <+447>: leaq 0xc32(%rip), %rax ; _NSConcreteAutoBlock 0x10ce2861e <+454>: cmovneq 0x19ea(%rip), %rax ; (void *)0x000000010ce29350: _NSConcreteFinalizingBlock 0x10ce28626 <+462>: movq %rax, (%r14) 0x10ce28629 <+465>: movq %r14, %rax 0x10ce2862c <+468>: jmp 0x10ce28534 ; <+220>
PS:博客园图片服务器不正常工作,数据上传后服务器返回http500,园方怡慢,迟迟还没解决。在此先占个placehoder。待园方解决问题后再上图。
逆向深入objc,c++
windows下仿objc动画层UI引擎
