IF-ELSE逆向分析
IF-ELSE逆向分析
案例
CPP代码:
#include "stdafx.h"
int max_num;    /* written by Function(): the larger of its two arguments */

/*
 * Function(x, y): store the larger of x and y in the global max_num.
 * On a tie (x == y) the value taken is y, because the test is x > y.
 * Nothing is returned; the result lives only in max_num.
 */
void Function(int x, int y) {
    max_num = (x > y) ? x : y;
}
/* Entry point: calls Function() once with x = 2, y = 3 and exits with 0. */
int main(int argc, char* argv[]) {
    (void)argc;     /* command-line arguments are not used */
    (void)argv;
    Function(2, 3);
    return 0;
}
反汇编:
; Call site inside main(): Function(2, 3). Arguments are pushed right-to-left
; and the caller removes them afterwards (add esp,8), i.e. x86-32 cdecl.
00401068 push 3                              ; y = 3 (pushed first)
0040106A push 2                              ; x = 2
0040106C call @ILT+10(Function) (0040100f)   ; call goes through the thunk at 0040100F
00401071 add esp,8                           ; caller pops the two dword arguments
0040100F jmp Function (004106c0)             ; thunk: forwards to the real body of Function
; void Function(int x, int y) — real body, reached via the 0040100F thunk.
; x86-32 cdecl. In: [ebp+8] = x, [ebp+0Ch] = y. Out: no return value;
; side effect is a write to the global max_num (0042c20c).
; ebx/esi/edi are only pushed and popped, never otherwise used.
004106C0 push ebp                       ; frame setup
004106C1 mov ebp,esp
004106C3 sub esp,40h                    ; 0x40 bytes of local space
004106C6 push ebx                       ; preserve registers the caller expects kept
004106C7 push esi
004106C8 push edi
004106C9 lea edi,[ebp-40h]              ; fill the 0x40-byte local area with 0xCC...
004106CC mov ecx,10h                    ; ...as 0x10 dwords (typical unoptimised MSVC debug fill)
004106D1 mov eax,0CCCCCCCCh
004106D6 rep stos dword ptr [edi]
004106D8 mov eax,dword ptr [ebp+8]      ; eax = x
004106DB cmp eax,dword ptr [ebp+0Ch]    ; compare x with y; jle below => signed compare, matches int
004106DE jle Function+2Bh (004106eb)    ; if x <= y jump to 004106eb (the else branch); this is the negation of `x > y`
004106E0 mov ecx,dword ptr [ebp+8]      ; if-branch: max_num = x
004106E3 mov dword ptr [max_num (0042c20c)],ecx
004106E9 jmp Function+34h (004106f4)    ; if-branch done: jump over the else branch to 004106f4
004106EB mov edx,dword ptr [ebp+0Ch]    ; else-branch: max_num = y
004106EE mov dword ptr [max_num (0042c20c)],edx
004106F4 pop edi                        ; common exit: restore saved registers in reverse order
004106F5 pop esi
004106F6 pop ebx
004106F7 mov esp,ebp                    ; discard locals
004106F9 pop ebp
004106FA ret                            ; caller removes the arguments (add esp,8)
IF-ELSE语句的反汇编判断:
IF_BEGIN
先执行各类影响标志寄存器的指令
jxx ELSE_BEGIN
IF_END
jmp END
ELSE_BEGIN
......
ELSE_END
END
特点:
- 如果不跳转,那么会顺序执行到 `jmp` 处,`jmp` 直接跳转到 END 处
- 如果跳转,则会直接跳过 `jmp END` 之前的代码,直接执行 ELSE_BEGIN 后面的代码
总结:
- 跳转执行一部分代码,不跳转执行另外一部分代码
- 第一个 `jxx` 跳转的目标地址前有一个 `jmp`,可以判断是 if...else... 语句
练习
; Exercise: void Function(int x, int y), x86-32 cdecl.
; In: [ebp+8] = x, [ebp+0Ch] = y. Locals: [ebp-4] = a, [ebp-8] = b.
; Global: [004225c4] = N (read at entry, written at exit). No value is
; deliberately returned in eax.
004010B0 push ebp                       ; frame setup
004010B1 mov ebp,esp
004010B3 sub esp,48h                    ; 0x48 bytes of local space
004010B6 push ebx                       ; preserve registers the caller expects kept
004010B7 push esi
004010B8 push edi
004010B9 lea edi,[ebp-48h]              ; fill the local area with 0xCC...
004010BC mov ecx,12h                    ; ...as 0x12 dwords = 0x48 bytes
004010C1 mov eax,0CCCCCCCCh
004010C6 rep stos dword ptr [edi]
004010C8 mov eax,[004225c4]             ; a = N
004010CD mov dword ptr [ebp-4],eax
004010D0 mov dword ptr [ebp-8],2        ; b = 2
004010D7 mov ecx,dword ptr [ebp+8]      ; ecx = x
004010DA cmp ecx,dword ptr [ebp+0Ch]    ; compare x with y (jl => signed)
004010DD jl 004010e8                    ; x < y: skip the increment. No jmp right before 004010e8 => plain if, no else
004010DF mov edx,dword ptr [ebp-8]      ; reached when x >= y: b = b + 1
004010E2 add edx,1
004010E5 mov dword ptr [ebp-8],edx
004010E8 mov eax,dword ptr [ebp+8]      ; eax = x
004010EB cmp eax,dword ptr [ebp+0Ch]    ; second compare of x with y
004010EE jge 004010fb                   ; x >= y: go to the else branch
004010F0 mov ecx,dword ptr [ebp-8]      ; if-branch (x < y): N = b
004010F3 mov dword ptr [004225c4],ecx
004010F9 jmp 00401107                   ; jmp immediately before the jge target => if...else
004010FB mov edx,dword ptr [ebp-4]      ; else-branch (x >= y): N = a + b
004010FE add edx,dword ptr [ebp-8]
00401101 mov dword ptr [004225c4],edx
00401107 pop edi                        ; common exit: restore registers, tear down frame
00401108 pop esi
00401109 pop ebx
0040110A mov esp,ebp
0040110C pop ebp
0040110D ret                            ; cdecl: caller removes the arguments
分析参数 | [ebp+8]:x [ebp+0Ch]:y |
分析局部变量 | [ebp-4]:a [ebp-8]:b |
分析全局变量 | [004225c4]:N |
功能分析 |
; Functional analysis of the exercise body (a = [ebp-4], b = [ebp-8], N = [004225c4]).
004010C8 mov eax,[004225c4]             ; a = N
004010CD mov dword ptr [ebp-4],eax
004010D0 mov dword ptr [ebp-8],2        ; b = 2
004010D7 mov ecx,dword ptr [ebp+8]
004010DA cmp ecx,dword ptr [ebp+0Ch]    ; compare x with y
004010DD jl 004010e8                    ; if x < y jump to 004010e8
004010DF mov edx,dword ptr [ebp-8]      ; otherwise b = b + 1
004010E2 add edx,1
004010E5 mov dword ptr [ebp-8],edx
004010E8 mov eax,dword ptr [ebp+8]
004010EB cmp eax,dword ptr [ebp+0Ch]    ; compare x with y
004010EE jge 004010fb                   ; if x >= y jump to 004010fb
004010F0 mov ecx,dword ptr [ebp-8]
004010F3 mov dword ptr [004225c4],ecx   ; otherwise N = b
004010F9 jmp 00401107
004010FB mov edx,dword ptr [ebp-4]
004010FE add edx,dword ptr [ebp-8]
00401101 mov dword ptr [004225c4],edx   ; N = a + b
返回值分析 | 无 |
还原成C函数 |
int N;      /* the global at [004225c4] in the listing */

/*
 * Reconstructed Function(x, y) from the exercise listing.
 * a = N and b = 2 are the locals at [ebp-4] and [ebp-8].
 * The first jl (no jmp before its target) is a plain if; the jge/jmp pair is if...else.
 * No return value: the only effect is the final write to N.
 */
void Function(int x, int y) {
    int a = N;
    int b = 2;
    if (x >= y)
        b++;            /* jl skips this when x < y */
    if (x < y)
        N = b;          /* jge not taken */
    else
        N = a + b;      /* jge taken */
}