windows逆向笔记-c变量类型转换、循环、数组
循环语句的汇编代码
类型转换
- movsx 先符号扩展,再传送值
- movzx 先零扩展,再传送值
; Sign extension: movsx copies the sign bit of the source into the new upper bits, then writes the destination
mov al,0xff
movsx cx,al  ; cx = 0xffff (sign bit of al is 1, so the added 8 bits are all 1); a 16-bit write leaves the upper 16 bits of ecx untouched, so ecx = 0x0000ffff only if they were already zero
mov al,0xf
movsx cx,al  ; cx = 0x000f (sign bit of al is 0, so the added bits are 0) -> ecx = 0x0000000f
; Zero extension: movzx always fills the new upper bits with 0, regardless of the sign bit
mov al,0xff
movzx cx,al  ; cx = 0x00ff -> ecx = 0x000000ff (not 0x0000000f: zero-extending al=0xff keeps the whole byte)
if语句当有多个else的汇编:
cmp dword ptr [x],1  ; first condition: if x <= 1 (signed compare, x is an int) go to the else branch
jle 0xCC2862h
cmp dword ptr [y],1  ; second condition, only reached when x > 1 (short-circuit evaluation)
jle 0xCC2862h
mov eax,dword ptr [x]  ; then-branch: y = x; the memory-to-memory copy goes through eax
mov dword ptr [y],eax
jmp 0xCC2869h  ; skip over the else branch
mov dword ptr [y],0Ah  ; else-branch: y = 10 (presumably the 0xCC2862h target of both jle above)
do…while()是所有循环里面速度最快的:循环体执行完后只有一次条件跳转(jl),不像while/for每次迭代还要多一条jmp
mov dword ptr [i],0  ; i = 0
mov esi,esp  ; loop body starts here (presumably the fun1+25h target of the jl below); esp is saved for the debug-build stack check after the call
mov eax,dword ptr [i]
push eax  ; second argument: i
push offset string "%d" (116573Ch)  ; first argument: the format string
call dword ptr [MSVCR100D_NULL_THUNK_DATA (11682ACh)]  ; printf through the CRT import thunk
add esp,8  ; cdecl: the caller removes the two 4-byte arguments
cmp esi,esp
call @ILT+440(__RTC_CheckEsp) (11611BDh)  ; /RTC runtime check that esp came back unchanged
mov eax,dword ptr [i]  ; i++ (load, add, store)
add eax,1
mov dword ptr [i],eax
cmp dword ptr [i],64h  ; condition i < 100 is tested AFTER the body
jl fun1+25h (1162D55h)  ; signed compare; one backward conditional jump per iteration, no extra jmp
while循环语句
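mov dword ptr [i],0  ; i = 0
cmp dword ptr [i],64h  ; loop head (presumably the fun2+25h target of the jmp below): i < 100 is tested BEFORE the body
jge fun2+51h (1163021h)  ; signed compare; leave the loop when i >= 100
mov esi,esp  ; esp saved for the debug-build stack check after the call
mov eax,dword ptr [i]
push eax  ; second argument: i
push offset string "%d" (116573Ch)  ; first argument: the format string
call dword ptr [MSVCR100D_NULL_THUNK_DATA (11682ACh)]  ; printf through the CRT import thunk (closing bracket restored)
add esp,8  ; cdecl: the caller removes the two 4-byte arguments
cmp esi,esp
call @ILT+440(__RTC_CheckEsp) (11611BDh)  ; /RTC runtime check that esp came back unchanged
mov eax,dword ptr [i]  ; i++ (load, add, store)
add eax,1
mov dword ptr [i],eax
jmp fun2+25h (1162FF5h)  ; back to the head: every iteration costs this jmp plus the jge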
for(表达式1;表达式2;表达式3)
mov dword ptr [i],0  ; i = 0 (presumably the declaration of i before the for statement)
mov dword ptr [i],0  ; expression 1: the for-init stores i = 0 again
jmp fun3+37h (1163367h)  ; first iteration skips expression 3 and goes straight to the condition
mov eax,dword ptr [i]  ; expression 3: i++, reached from the jmp at the end of the body
add eax,1
mov dword ptr [i],eax
cmp dword ptr [i],64h  ; expression 2: i < 100 (signed compare)
jge fun3+5Ah (116338Ah)  ; leave the loop
mov esi,esp  ; body: printf("%d", i) with the /RTC esp check around the cdecl call
mov eax,dword ptr [i]
push eax
push offset string "%d" (116573Ch)
call dword ptr [MSVCR100D_NULL_THUNK_DATA (11682ACh)]
add esp,8  ; caller removes the two arguments
cmp esi,esp
call @ILT+440(__RTC_CheckEsp) (11611BDh)
jmp fun3+2Eh (116335Eh)  ; back to expression 3; like while, one jmp plus one conditional jump per iteration
- 参数传递的本质:将上层函数的变量或者表达式的值“复制一份”,传递给下一个调用。
多维数组的寻址:
对于编译器来说,几维数组都是按照一维数组来存储
50: int c[9] = {1,2,3,4,5,8,39,29,3};
; The nine ints are laid out contiguously from ebp-38h upward, 4 bytes apart: c[0] at ebp-38h ... c[8] at ebp-18h
011833D8 C7 45 C8 01 00 00 00 mov dword ptr [ebp-38h],1  ; c[0]
011833DF C7 45 CC 02 00 00 00 mov dword ptr [ebp-34h],2  ; c[1]
011833E6 C7 45 D0 03 00 00 00 mov dword ptr [ebp-30h],3  ; c[2]
011833ED C7 45 D4 04 00 00 00 mov dword ptr [ebp-2Ch],4  ; c[3]
011833F4 C7 45 D8 05 00 00 00 mov dword ptr [ebp-28h],5  ; c[4]
011833FB C7 45 DC 08 00 00 00 mov dword ptr [ebp-24h],8  ; c[5]
01183402 C7 45 E0 27 00 00 00 mov dword ptr [ebp-20h],27h  ; c[6] = 39
01183409 C7 45 E4 1D 00 00 00 mov dword ptr [ebp-1Ch],1Dh  ; c[7] = 29
01183410 C7 45 E8 03 00 00 00 mov dword ptr [ebp-18h],3  ; c[8]
51: int a = 1;
01183417 C7 45 BC 01 00 00 00 mov dword ptr [ebp-44h],1  ; a lives at ebp-44h
52: int b = 3;
0118341E C7 45 B0 03 00 00 00 mov dword ptr [ebp-50h],3  ; b lives at ebp-50h
53: int x = c[a+b];
01183425 8B 45 BC mov eax,dword ptr [ebp-44h]  ; eax = a
01183428 03 45 B0 add eax,dword ptr [ebp-50h]  ; eax = a + b, the element index
; Addressing mode: base (ebp) + index * scale (eax * 4 = sizeof(int)) + displacement (-38h = start of the array)
0118342B 8B 4C 85 C8 mov ecx,dword ptr [ebp+eax*4-38h]  ; ecx = c[a+b]; the compiler emits no bounds check, so an index >= 9 reads past the array
0118342F 89 4D A4 mov dword ptr [ebp-5Ch],ecx  ; x = ecx (x lives at ebp-5Ch)
- 二维数组找某个值:arr[n*二维容量+第m个数],n为行,m为列,下标以0开始
- 三维数组找某个值:arr[n*二维容量*三维容量+m*三维容量+第j个数],n为行,m为列,j为组下标,以0开始
- 局部变量,32位编译器分空间的时候是按4字节分的,用的时候按照各自大小用
- 结构体,32位编译器分空间的时候是按照各自大小分的
- 结构体数据类型由小到大设计
switch语句
- 分支大于4且case值很接近时,编译器自动生成一张大表,用来存储各个分支语句的地址。
- case的序号可以是无序的,不影响大表(跳转表)的生成。
001734BE mov eax,dword ptr [x]  ; eax = x, the switch value
001734C1 mov dword ptr [ebp-0C4h],eax  ; copied into a compiler temporary at ebp-0C4h
001734C7 mov ecx,dword ptr [ebp-0C4h]
001734CD sub ecx,1  ; normalise: the smallest case value (presumably 1) becomes table index 0
001734D0 mov dword ptr [ebp-0C4h],ecx
001734D6 cmp dword ptr [ebp-0C4h],3  ; bounds check on the table index: the table has 4 entries (0..3)
001734DD ja $LN2+17h (17354Eh)  ; unsigned compare, so a value below 1 (negative after the sub) is also rejected; 17354Eh is the end of the switch (no default clause)
001734DF mov edx,dword ptr [ebp-0C4h]
001734E5 jmp dword ptr (173564h)[edx*4]  ; indirect jump through the jump table at 173564h, 4 bytes per entry
$LN5:  ; case body: printf("value")
001734EC mov esi,esp  ; esp saved for the /RTC stack check after the cdecl call
001734EE push offset string "value" (1757ACh)
001734F3 call dword ptr [MSVCR100D_NULL_THUNK_DATA (1782ACh)]
001734F9 add esp,4  ; one 4-byte argument removed by the caller
001734FC cmp esi,esp
001734FE call @ILT+440(__RTC_CheckEsp) (1711BDh)
00173503 jmp $LN2+17h (17354Eh)  ; break -> end of the switch
$LN4:  ; case body: printf("2")
00173505 mov esi,esp
00173507 push offset string "2" (1757A8h)
0017350C call dword ptr [MSVCR100D_NULL_THUNK_DATA (1782ACh)]
00173512 add esp,4
00173515 cmp esi,esp
00173517 call @ILT+440(__RTC_CheckEsp) (1711BDh)
0017351C jmp $LN2+17h (17354Eh)  ; break
$LN3:  ; case body: printf("3")
0017351E mov esi,esp
00173520 push offset string "3" (1757A4h)
00173525 call dword ptr [MSVCR100D_NULL_THUNK_DATA (1782ACh)]
0017352B add esp,4
0017352E cmp esi,esp
00173530 call @ILT+440(__RTC_CheckEsp) (1711BDh)
00173535 jmp $LN2+17h (17354Eh)  ; break
$LN2:  ; last case body: printf("value is %d") — only the format string is pushed (add esp,4), so the %d has no matching argument and printf reads whatever is on the stack
00173537 mov esi,esp
00173539 push offset string "value is %d" (1757A0h)
0017353E call dword ptr [MSVCR100D_NULL_THUNK_DATA (1782ACh)]
00173544 add esp,4
00173547 cmp esi,esp
00173549 call @ILT+440(__RTC_CheckEsp) (1711BDh)  ; 5-byte call ends at 17354Eh = $LN2+17h, the break target of every case; the listing stops there