cpp反汇编之类和结构体分析

废话不多说。。

#include<stdio.h>

class CNumber
{
public:
	// Default constructor: both members are written through the implicit
	// this pointer. The listing on this page shows `this` arriving in ecx
	// and the two stores landing at [this] and [this+4], i.e. m_nOne then
	// m_nTwo in declaration order.
	CNumber()
	{
		this->m_nOne = 1;
		this->m_nTwo = 2;
	}
	// Accessor for m_nOne. Declared __stdcall, so on this page the compiler
	// passes `this` on the stack (read from [ebp+8]) instead of in ecx, and
	// the callee removes that argument itself with `ret 4`.
	int __stdcall GetNumberOne()
	{
		return this->m_nOne;
	}
	// Accessor for m_nTwo using the default member calling convention: the
	// listing on this page shows `this` delivered in ecx and m_nTwo read
	// from [this+4].
	int GetNumberTwo()
	{
		return this->m_nTwo;
	}
2:
3:    class CNumber
4:    {
5:    public:
6:        CNumber()
00401060   push        ebp
00401061   mov         ebp,esp
00401063   sub         esp,44h
00401066   push        ebx
00401067   push        esi
00401068   push        edi
00401069   push        ecx
0040106A   lea         edi,[ebp-44h]
0040106D   mov         ecx,11h
00401072   mov         eax,0CCCCCCCCh
00401077   rep stos    dword ptr [edi]
00401079   pop         ecx
0040107A   mov         dword ptr [ebp-4],ecx
7:        {
8:            m_nOne = 1;
0040107D   mov         eax,dword ptr [ebp-4]
00401080   mov         dword ptr [eax],1
9:            m_nTwo = 2;
00401086   mov         ecx,dword ptr [ebp-4]
00401089   mov         dword ptr [ecx+4],2
10:       }
00401090   mov         eax,dword ptr [ebp-4]
00401093   pop         edi
00401094   pop         esi
00401095   pop         ebx
00401096   mov         esp,ebp
00401098   pop         ebp
00401099   ret

11:       int GetNumberOne()
12:       {
13:           return m_nOne;
14:       }
15:       int GetNumberTwo()
16:       {
17:           return m_nTwo;
18:       }
19:   private:
20:       int m_nOne;
21:       int m_nTwo;
22:   };
23:   int main()
24:   {
00401020   push        ebp
00401021   mov         ebp,esp
00401023   sub         esp,48h
00401026   push        ebx
00401027   push        esi
00401028   push        edi
00401029   lea         edi,[ebp-48h]
0040102C   mov         ecx,12h
00401031   mov         eax,0CCCCCCCCh
00401036   rep stos    dword ptr [edi]
25:       CNumber number;
00401038   lea         ecx,[ebp-8]
0040103B   call        @ILT+0(CNumber::CNumber) (00401005)
26:       return 0;
00401040   xor         eax,eax
27:   }
00401042   pop         edi
00401043   pop         esi
00401044   pop         ebx
00401045   add         esp,48h
00401048   cmp         ebp,esp
0040104A   call        __chkesp (004010b0)
0040104F   mov         esp,ebp
00401051   pop         ebp
00401052   ret

1:    #include<stdio.h>
2:
3:    struct A
4:    {
5:        int m_nInt;
6:        float m_fFloat;
7:    };
8:
9:    int main()
10:   {
004011A0   push        ebp
004011A1   mov         ebp,esp
004011A3   sub         esp,4Ch
004011A6   push        ebx
004011A7   push        esi
004011A8   push        edi
004011A9   lea         edi,[ebp-4Ch]
004011AC   mov         ecx,13h
004011B1   mov         eax,0CCCCCCCCh
004011B6   rep stos    dword ptr [edi]
11:       A a;
12:       A *pA = &a;
004011B8   lea         eax,[ebp-8]
004011BB   mov         dword ptr [ebp-0Ch],eax
13:       printf("%p\n" , pA);
004011BE   mov         ecx,dword ptr [ebp-0Ch]
004011C1   push        ecx
004011C2   push        offset string "%p\n" (0042601c)
004011C7   call        printf (00401210)
004011CC   add         esp,8
14:       printf("%p\n" , &pA->m_fFloat);
004011CF   mov         edx,dword ptr [ebp-0Ch]
004011D2   add         edx,4				偏移地址
004011D5   push        edx
004011D6   push        offset string "%p\n" (0042601c)
004011DB   call        printf (00401210)
004011E0   add         esp,8
15:       return 0;
004011E3   xor         eax,eax
16:   }
004011E5   pop         edi
004011E6   pop         esi
004011E7   pop         ebx
004011E8   add         esp,4Ch
004011EB   cmp         ebp,esp
004011ED   call        __chkesp (00401340)
004011F2   mov         esp,ebp
004011F4   pop         ebp
004011F5   ret

__stdcall不用ecx传递this指针,而是使用栈传递。

11:       int __stdcall GetNumberOne()
12:       {
00401160   push        ebp
00401161   mov         ebp,esp
00401163   sub         esp,40h
00401166   push        ebx
00401167   push        esi
00401168   push        edi
00401169   lea         edi,[ebp-40h]
0040116C   mov         ecx,10h
00401171   mov         eax,0CCCCCCCCh
00401176   rep stos    dword ptr [edi]
13:           return m_nOne;
00401178   mov         eax,dword ptr [ebp+8]	this
0040117B   mov         eax,dword ptr [eax]
14:       }
0040117D   pop         edi
0040117E   pop         esi
0040117F   pop         ebx
00401180   mov         esp,ebp
00401182   pop         ebp
00401183   ret         4

15:       int GetNumberTwo()
16:       {
00410AE0   push        ebp
00410AE1   mov         ebp,esp
00410AE3   sub         esp,44h
00410AE6   push        ebx
00410AE7   push        esi
00410AE8   push        edi
00410AE9   push        ecx
00410AEA   lea         edi,[ebp-44h]
00410AED   mov         ecx,11h
00410AF2   mov         eax,0CCCCCCCCh
00410AF7   rep stos    dword ptr [edi]
00410AF9   pop         ecx			this
00410AFA   mov         dword ptr [ebp-4],ecx
17:           return m_nTwo;
00410AFD   mov         eax,dword ptr [ebp-4]
00410B00   mov         eax,dword ptr [eax+4]
18:       }
00410B03   pop         edi
00410B04   pop         esi
00410B05   pop         ebx
00410B06   mov         esp,ebp
00410B08   pop         ebp
00410B09   ret

反汇编分析

1:    #include<stdio.h>
2:
3:    class CStatic
4:    {
5:    public:
6:        void ShowNumber();
7:        int m_nInt;
8:        static int m_snInt;
9:    };
10:   void CStatic :: ShowNumber()
11:   {
00401290   push        ebp
00401291   mov         ebp,esp
00401293   sub         esp,44h
00401296   push        ebx
00401297   push        esi
00401298   push        edi
00401299   push        ecx
0040129A   lea         edi,[ebp-44h]
0040129D   mov         ecx,11h
004012A2   mov         eax,0CCCCCCCCh
004012A7   rep stos    dword ptr [edi]
004012A9   pop         ecx
004012AA   mov         dword ptr [ebp-4],ecx
12:       printf("m_nInt = %d , m_snInt = %d\n" , m_nInt , m_snInt);
004012AD   mov         eax,[CStatic::m_snInt (00428a30)]
004012B2   push        eax
004012B3   mov         ecx,dword ptr [ebp-4]
004012B6   mov         edx,dword ptr [ecx]
004012B8   push        edx
004012B9   push        offset string "m_nInt = %d , m_snInt = %d\n" (00426024)
004012BE   call        printf (00401340)
004012C3   add         esp,0Ch
13:   }
004012C6   pop         edi
004012C7   pop         esi
004012C8   pop         ebx
004012C9   add         esp,44h
004012CC   cmp         ebp,esp
004012CE   call        __chkesp (00401470)
004012D3   mov         esp,ebp
004012D5   pop         ebp
004012D6   ret

14:   int CStatic::m_snInt = 9;
15:   int main()
16:   {
004012F0   push        ebp
004012F1   mov         ebp,esp
004012F3   sub         esp,44h
004012F6   push        ebx
004012F7   push        esi
004012F8   push        edi
004012F9   lea         edi,[ebp-44h]
004012FC   mov         ecx,11h
00401301   mov         eax,0CCCCCCCCh
00401306   rep stos    dword ptr [edi]
17:       CStatic sta;
18:       sta.m_nInt = 2;
00401308   mov         dword ptr [ebp-4],2
19:       sta.ShowNumber();
0040130F   lea         ecx,[ebp-4]
00401312   call        @ILT+5(CStatic::ShowNumber) (0040100a)
20:       return 0;
00401317   xor         eax,eax
21:   }
00401319   pop         edi
0040131A   pop         esi
0040131B   pop         ebx
0040131C   add         esp,44h
0040131F   cmp         ebp,esp
00401321   call        __chkesp (00401470)
00401326   mov         esp,ebp
00401328   pop         ebp
00401329   ret

1:    #include<stdio.h>
2:
3:    class CFunTest
4:    {
5:    public:
6:        int m_nOne;
7:        int m_nTwo;
8:    };
9:    void ShowFuncTest(CFunTest fun)
10:   {
00401350   push        ebp
00401351   mov         ebp,esp
00401353   sub         esp,40h
00401356   push        ebx
00401357   push        esi
00401358   push        edi
00401359   lea         edi,[ebp-40h]
0040135C   mov         ecx,10h
00401361   mov         eax,0CCCCCCCCh
00401366   rep stos    dword ptr [edi]
11:       printf("m_nOne = %d , m_nTwo = %d\n" , fun.m_nOne , fun.m_nTwo);
00401368   mov         eax,dword ptr [ebp+0Ch]
0040136B   push        eax
0040136C   mov         ecx,dword ptr [ebp+8]
0040136F   push        ecx
00401370   push        offset string "m_nOne = %d , m_nTwo = %d\n" (00426048)
00401375   call        printf (00401400)
0040137A   add         esp,0Ch
12:   }
0040137D   pop         edi
0040137E   pop         esi
0040137F   pop         ebx
00401380   add         esp,40h
00401383   cmp         ebp,esp
00401385   call        __chkesp (00401530)
0040138A   mov         esp,ebp
0040138C   pop         ebp
0040138D   ret

13:   void main()
14:   {
004013A0   push        ebp
004013A1   mov         ebp,esp
004013A3   sub         esp,48h
004013A6   push        ebx
004013A7   push        esi
004013A8   push        edi
004013A9   lea         edi,[ebp-48h]
004013AC   mov         ecx,12h
004013B1   mov         eax,0CCCCCCCCh
004013B6   rep stos    dword ptr [edi]
15:       CFunTest fun;
16:       fun.m_nOne = 9;
004013B8   mov         dword ptr [ebp-8],9
17:       fun.m_nTwo = 99;
004013BF   mov         dword ptr [ebp-4],63h
18:       ShowFuncTest(fun);
004013C6   mov         eax,dword ptr [ebp-4]
004013C9   push        eax
004013CA   mov         ecx,dword ptr [ebp-8]
004013CD   push        ecx
004013CE   call        @ILT+0(ShowFuncTest) (00401005)
004013D3   add         esp,8
19:   }
004013D6   pop         edi
004013D7   pop         esi
004013D8   pop         ebx
004013D9   add         esp,48h
004013DC   cmp         ebp,esp
004013DE   call        __chkesp (00401530)
004013E3   mov         esp,ebp
004013E5   pop         ebp
004013E6   ret


1:    #include<stdio.h>
2:    #include<string.h>
3:    class CFunTest
4:    {
5:    public:
6:        int m_nOne;
7:        int m_nTwo;
8:        char m_szName[32];
9:    };
10:   void ShowFuncTest(CFunTest fun)
11:   {
00401350   push        ebp
00401351   mov         ebp,esp
00401353   sub         esp,40h
00401356   push        ebx
00401357   push        esi
00401358   push        edi
00401359   lea         edi,[ebp-40h]
0040135C   mov         ecx,10h
00401361   mov         eax,0CCCCCCCCh
00401366   rep stos    dword ptr [edi]
12:       printf("m_nOne = %d , m_nTwo = %d , m_szName = %s\n" , fun.m_nOne , fun.m_nTwo , fun.m_szName);
00401368   lea         eax,[ebp+10h]		//m_szName
0040136B   push        eax
0040136C   mov         ecx,dword ptr [ebp+0Ch]	//m_nTwo
0040136F   push        ecx
00401370   mov         edx,dword ptr [ebp+8]	//m_nOne
00401373   push        edx
00401374   push        offset string "m_nOne = %d , m_nTwo = %d , m_sz"... (00427050)
00401379   call        printf (00401400)
0040137E   add         esp,10h
13:   }
00401381   pop         edi
00401382   pop         esi
00401383   pop         ebx
00401384   add         esp,40h
00401387   cmp         ebp,esp
00401389   call        __chkesp (00401530)
0040138E   mov         esp,ebp
00401390   pop         ebp
00401391   ret

14:   void main()
15:   {
004013A0   push        ebp
004013A1   mov         ebp,esp
004013A3   sub         esp,68h
004013A6   push        ebx
004013A7   push        esi
004013A8   push        edi
004013A9   lea         edi,[ebp-68h]
004013AC   mov         ecx,1Ah
004013B1   mov         eax,0CCCCCCCCh
004013B6   rep stos    dword ptr [edi]
16:       CFunTest fun;
17:       fun.m_nOne = 9;
004013B8   mov         dword ptr [ebp-28h],9
18:       fun.m_nTwo = 99;
004013BF   mov         dword ptr [ebp-24h],63h
19:       strcpy(fun.m_szName , "NAME");
004013C6   push        offset string "NAME" (00426040)
004013CB   lea         eax,[ebp-20h]		ebp-32  m_szName
004013CE   push        eax
004013CF   call        strcpy (00407c80)
20:       ShowFuncTest(fun);
004013D4   add         esp,0E0h		//sub esp,68h 之后这里 add esp,0E0h:0E0h 是符号扩展的 8 位立即数 -20h,这一条同时完成 strcpy 两个参数的出栈(+8)和为 fun 的 40 字节(28h)值传递副本预留栈空间(8 - 40 = -32);调用结束后的 add esp,28h 再把这 40 字节弹掉
004013D7   mov         ecx,0Ah
004013DC   lea         esi,[ebp-28h]
004013DF   mov         edi,esp
004013E1   rep movs    dword ptr [edi],dword ptr [esi]	40BYTE
004013E3   call        @ILT+0(ShowFuncTest) (00401005)
004013E8   add         esp,28h		40BYTE
21:   }
004013EB   pop         edi
004013EC   pop         esi
004013ED   pop         ebx
004013EE   add         esp,68h
004013F1   cmp         ebp,esp
004013F3   call        __chkesp (00401530)
004013F8   mov         esp,ebp
004013FA   pop         ebp
004013FB   ret

004013D4   add         esp,0E0h
004013D7   mov         ecx,0Ah
004013DC   lea         esi,[ebp-28h]
004013DF   mov         edi,esp		edi即是esp栈顶  此处进行值传递
004013E1   rep movs    dword ptr [edi],dword ptr [esi]
004013E3   call        @ILT+0(ShowFuncTest) (00401005)
004013E8   add         esp,28h

 EAX = 0018FF28 EBX = 7EFDE000
 ECX = 00000000 EDX = 00000000
 ESI = 0018FF48 EDI = 0018FED4
 EIP = 004013E3 ESP = 0018FEAC
 EBP = 0018FF48 EFL = 00000207


0018FEAC  09 00 00 00 63 00 00 00 4E 41 4D  ...c...NAM
0018FEB7  45 00 CC CC CC CC CC CC CC CC CC  E.烫烫烫烫.
0018FEC2  CC CC CC CC CC CC CC CC CC CC CC  烫烫烫烫烫.
0018FECD  CC CC CC CC CC CC CC 00 00 00 00  烫烫烫.....
0018FED8  00 00 00 00 00 E0 FD 7E CC CC CC  .....帻~烫.
0018FEE3  CC CC CC CC CC CC CC CC CC CC CC  烫烫烫烫烫.


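private:
	int m_nOne;
	int m_nTwo;
};

// Layout probe: a char followed by a double, an int and a float. Where each
// member lands, and therefore sizeof(tagTest), depends on the compiler's
// alignment rules; main1 prints the addresses so the padding can be read off.
struct tagTest
{
	char   m_cChar;
	double m_dDouble;
	int    m_nInt;
	float  m_fFloat;
};

// Prints CNumber's two accessors, then sizeof(tagTest) and the address of
// each member. Fixed versus the original: sizeof yields size_t, so it is
// cast to unsigned and printed with %u instead of %d; %p expects a void *,
// so each member address is cast rather than passed as a typed pointer.
int main1()
{
	CNumber number;
	printf("%d\n" , number.GetNumberOne());
	printf("%d\n" , number.GetNumberTwo());

	tagTest tag;
	tag.m_dDouble = 1.0;
	printf("%u\n" , (unsigned int)sizeof(tagTest));
	printf("%p\n" , (void *)&tag.m_cChar);
	printf("%p\n" , (void *)&tag.m_dDouble);
	printf("%p\n" , (void *)&tag.m_nInt);
	printf("%p\n" , (void *)&tag.m_fFloat);
	return 0;
}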

 

另一个例子

#include<stdio.h>

// Plain aggregate returned by value from GetReturn(): one count followed by
// ten ints, 11 dwords in all. The listing on this page shows the compiler
// returning it through a hidden pointer argument and copying it with
// `rep movs` (ecx = 0Bh) rather than in a register.
class CReturn
{
public:
	int m_nNumber;
	int m_nArray[10];
};
// Builds a CReturn with m_nNumber = 0 and m_nArray[k] = k + 1 for k in 0..9
// and returns it by value. The listing on this page shows the 44-byte object
// handed back through a hidden pointer parameter ([ebp+8]) via `rep movs`,
// after which the caller copies it into a temporary and then into the
// destination — three copies for one return.
CReturn GetReturn()
{
	CReturn ret;
	ret.m_nNumber = 0;

	int idx = 0;
	while (idx < 10)
	{
		ret.m_nArray[idx] = idx + 1;
		++idx;
	}
	return ret;
}
// Demonstration entry point: receives a CReturn by value and prints the
// count plus the first and last array elements. CReturn has no destructor,
// so the extra temporary the compiler creates for the assignment (visible
// in the listing on this page) costs only a copy; a class owning a resource
// without a copy constructor would instead have that temporary destroyed
// alongside the original — the usual double-free pattern.
void main()
{
	CReturn objA;
	objA = GetReturn();

	const int first = objA.m_nArray[0];
	const int last  = objA.m_nArray[9];
	printf("%d %d %d\n" , objA.m_nNumber , first , last);
}

反汇编分析

1:    #include<stdio.h>
2:
3:    class CReturn
4:    {
5:    public:
6:        int m_nNumber;
7:        int m_nArray[10];
8:    };
9:    CReturn GetReturn()
10:   {
004016F0   push        ebp	ebp=ebp0-2ch-8h
004016F1   mov         ebp,esp
004016F3   sub         esp,70h
004016F6   push        ebx
004016F7   push        esi
004016F8   push        edi
004016F9   lea         edi,[ebp-70h]
004016FC   mov         ecx,1Ch
00401701   mov         eax,0CCCCCCCCh
00401706   rep stos    dword ptr [edi]
11:       CReturn ret;
12:       ret.m_nNumber = 0;
00401708   mov         dword ptr [ebp-2Ch],0
13:       for(int i = 0; i < 10; ++i)
0040170F   mov         dword ptr [ebp-30h],0	i
00401716   jmp         GetReturn+31h (00401721)
00401718   mov         eax,dword ptr [ebp-30h]
0040171B   add         eax,1
0040171E   mov         dword ptr [ebp-30h],eax
00401721   cmp         dword ptr [ebp-30h],0Ah	i < 10
00401725   jge         GetReturn+46h (00401736)
14:       {
15:           ret.m_nArray[i] = i + 1;
00401727   mov         ecx,dword ptr [ebp-30h]
0040172A   add         ecx,1
0040172D   mov         edx,dword ptr [ebp-30h]
00401730   mov         dword ptr [ebp+edx*4-28h],ecx	//m_nArray[i] = i + 1
16:       }
00401734   jmp         GetReturn+28h (00401718)
17:       return ret;
00401736   mov         ecx,0Bh			//0B 11 44字节
0040173B   lea         esi,[ebp-2Ch]
0040173E   mov         edi,dword ptr [ebp+8]	//传送数据  返回值
00401741   rep movs    dword ptr [edi],dword ptr [esi]
00401743   mov         eax,dword ptr [ebp+8]
18:   }
00401746   pop         edi
00401747   pop         esi
00401748   pop         ebx
00401749   mov         esp,ebp
0040174B   pop         ebp
0040174C   ret

19:   void main()
20:   {
00401770   push        ebp
00401771   mov         ebp,esp
00401773   sub         esp,0C4h			//预留栈空间  12*16+4
00401779   push        ebx
0040177A   push        esi
0040177B   push        edi
0040177C   lea         edi,[ebp-0C4h]
00401782   mov         ecx,31h
00401787   mov         eax,0CCCCCCCCh
0040178C   rep stos    dword ptr [edi]
21:       CReturn objA;				//44  11*4 2ch  ebp-2ch
22:       objA = GetReturn();
0040178E   lea         eax,[ebp-84h]		//8*16+4 44+44
00401794   push        eax			//返回值缓冲区(隐藏的第一个参数)的地址压栈,不是返回地址
00401795   call        @ILT+45(GetReturn) (00401032)	
0040179A   add         esp,4			//eax栈平衡
0040179D   mov         esi,eax			//返回值地址
0040179F   mov         ecx,0Bh
004017A4   lea         edi,[ebp-58h]
004017A7   rep movs    dword ptr [edi],dword ptr [esi]	//传送至临时对象  临时对象释放时,可能存在多次释放资源现象。
004017A9   mov         ecx,0Bh
004017AE   lea         esi,[ebp-58h]		
004017B1   lea         edi,[ebp-2Ch]
004017B4   rep movs    dword ptr [edi],dword ptr [esi]
23:       printf("%d %d %d\n" , objA.m_nNumber , objA.m_nArray[0] , objA.m_nArray[9]);
004017B6   mov         ecx,dword ptr [ebp-4]
004017B9   push        ecx
004017BA   mov         edx,dword ptr [ebp-28h]
004017BD   push        edx
004017BE   mov         eax,dword ptr [ebp-2Ch]
004017C1   push        eax
004017C2   push        offset string "%d %d %d\n" (00429090)
004017C7   call        printf (00401800)
004017CC   add         esp,10h
24:
25:   }
004017CF   pop         edi
004017D0   pop         esi
004017D1   pop         ebx
004017D2   add         esp,0C4h
004017D8   cmp         ebp,esp
004017DA   call        __chkesp (00401930)
004017DF   mov         esp,ebp
004017E1   pop         ebp
004017E2   ret

例子

#include<stdio.h>
#include<string.h>

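// Owns one fixed-size heap buffer (BUFFER_SIZE bytes) initialised to "Hello".
//
// The version of this class on the page declares only a constructor and a
// destructor. Because it owns a raw pointer, the compiler-generated copy
// constructor and copy assignment copy the pointer itself, so a by-value
// copy (the parameter of ShowMyString) and the original both delete the
// same block — the debugger dumps on this page show operator delete called
// twice with 00713A48. The copy constructor and copy assignment below (the
// "rule of three") give every object its own buffer.
class CMyString
{
public:
	// Allocates the buffer and fills it with "Hello". Pre-standard MSVC
	// `new` returned NULL on failure, which is what the NULL check guards;
	// a standard-conforming `new` throws instead and the branch is simply
	// never taken.
	CMyString()
	{
		m_pString = new char[BUFFER_SIZE];
		if(NULL == m_pString)
		{
			return ;
		}
		strcpy(m_pString , "Hello");	// 6 bytes including NUL, fits BUFFER_SIZE
	}
	// Deep copy: allocates a separate buffer and copies all BUFFER_SIZE
	// bytes, so the copy and the original never share storage. A source
	// whose allocation failed (NULL buffer) yields a NULL buffer.
	CMyString(const CMyString &other)
	{
		m_pString = NULL;
		if(other.m_pString == NULL)
		{
			return ;
		}
		m_pString = new char[BUFFER_SIZE];
		if(NULL == m_pString)
		{
			return ;
		}
		memcpy(m_pString , other.m_pString , BUFFER_SIZE);
	}
	// Copy-and-swap assignment: builds a deep copy, then exchanges buffers so
	// the previous buffer is released by the temporary's destructor. Safe for
	// self-assignment; if a non-throwing `new` fails, *this is left as is.
	CMyString & operator=(const CMyString &other)
	{
		CMyString tmp(other);
		if(other.m_pString != NULL && tmp.m_pString == NULL)
		{
			return *this;	// allocation failed: keep the current buffer
		}
		char *pOld = m_pString;
		m_pString = tmp.m_pString;
		tmp.m_pString = pOld;
		return *this;
	}
	// Releases the buffer; safe to run on an object whose allocation failed.
	~CMyString()
	{
		if(m_pString != NULL)
		{
			delete [] m_pString;
			m_pString = NULL;
		}
	}
	// Returns the raw buffer (NULL only if allocation failed). Callers may
	// write through it; anything beyond BUFFER_SIZE - 1 characters overflows.
	char * GetString()
	{
		return m_pString;
	}
private:
	enum { BUFFER_SIZE = 10 };	// size of the heap buffer (was the literal 10)
	char *m_pString;
};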

// Prints the string held by a CMyString received BY VALUE. The parameter is
// a copy whose destructor runs at the end of this function (the listing on
// this page shows ~CMyString invoked on [ebp+8] just before the return). If
// CMyString's copy constructor does not give the copy its own buffer, that
// destructor releases the block the caller's object still points to.
void ShowMyString(CMyString str)
{
	const char *text = str.GetString();
	printf("%s\n" , text);
}
// Demo driver: constructs one CMyString and passes it by value; that copy
// is exactly the object ShowMyString's parameter destructor tears down.
int main5()
{
	CMyString str;
	ShowMyString(str);	// by-value argument: copied here, destroyed inside the callee
	return 0;
}

反汇编分析

1:    #include<stdio.h>
2:    #include<string.h>
3:
4:    class CMyString
5:    {
6:    public:
7:        CMyString()
00401660   push        ebp
00401661   mov         ebp,esp
00401663   sub         esp,48h
00401666   push        ebx
00401667   push        esi
00401668   push        edi
00401669   push        ecx
0040166A   lea         edi,[ebp-48h]
0040166D   mov         ecx,12h
00401672   mov         eax,0CCCCCCCCh
00401677   rep stos    dword ptr [edi]
00401679   pop         ecx
0040167A   mov         dword ptr [ebp-4],ecx
8:        {
9:            m_pString = new char[10];
0040167D   push        0Ah
0040167F   call        operator new (00401ea0)
00401684   add         esp,4
00401687   mov         dword ptr [ebp-8],eax
0040168A   mov         eax,dword ptr [ebp-4]
0040168D   mov         ecx,dword ptr [ebp-8]
00401690   mov         dword ptr [eax],ecx
10:           if(NULL == m_pString)
00401692   mov         edx,dword ptr [ebp-4]
00401695   cmp         dword ptr [edx],0
00401698   jne         CMyString::CMyString+3Ch (0040169c)
11:           {
12:               return ;
0040169A   jmp         CMyString::CMyString+4Fh (004016af)
13:           }
14:           strcpy(m_pString , "Hello");
0040169C   push        offset string "Hello" (00429088)
004016A1   mov         eax,dword ptr [ebp-4]
004016A4   mov         ecx,dword ptr [eax]
004016A6   push        ecx
004016A7   call        strcpy (00401850)
004016AC   add         esp,8
15:       }
004016AF   mov         eax,dword ptr [ebp-4]
004016B2   pop         edi
004016B3   pop         esi
004016B4   pop         ebx
004016B5   add         esp,48h
004016B8   cmp         ebp,esp
004016BA   call        __chkesp (00401810)
004016BF   mov         esp,ebp
004016C1   pop         ebp
004016C2   ret

16:       ~CMyString()
17:       {
00401510   push        ebp
00401511   mov         ebp,esp
00401513   sub         esp,48h
00401516   push        ebx
00401517   push        esi
00401518   push        edi
00401519   push        ecx
0040151A   lea         edi,[ebp-48h]
0040151D   mov         ecx,12h
00401522   mov         eax,0CCCCCCCCh
00401527   rep stos    dword ptr [edi]
00401529   pop         ecx
0040152A   mov         dword ptr [ebp-4],ecx
18:           if(m_pString != NULL)
0040152D   mov         eax,dword ptr [ebp-4]
00401530   cmp         dword ptr [eax],0
00401533   je          CMyString::~CMyString+42h (00401552)
19:           {
20:               delete [] m_pString;
00401535   mov         ecx,dword ptr [ebp-4]
00401538   mov         edx,dword ptr [ecx]
0040153A   mov         dword ptr [ebp-8],edx
0040153D   mov         eax,dword ptr [ebp-8]
00401540   push        eax
00401541   call        operator delete (00401e10)
00401546   add         esp,4
21:               m_pString = NULL;
00401549   mov         ecx,dword ptr [ebp-4]
0040154C   mov         dword ptr [ecx],0
22:           }
23:       }
00401552   pop         edi
00401553   pop         esi
00401554   pop         ebx
00401555   add         esp,48h
00401558   cmp         ebp,esp
0040155A   call        __chkesp (00401810)
0040155F   mov         esp,ebp
00401561   pop         ebp
00401562   ret

24:       char * GetString()
25:       {
00401580   push        ebp
00401581   mov         ebp,esp
00401583   sub         esp,44h
00401586   push        ebx
00401587   push        esi
00401588   push        edi
00401589   push        ecx
0040158A   lea         edi,[ebp-44h]
0040158D   mov         ecx,11h
00401592   mov         eax,0CCCCCCCCh
00401597   rep stos    dword ptr [edi]
00401599   pop         ecx
0040159A   mov         dword ptr [ebp-4],ecx
26:           return m_pString;
0040159D   mov         eax,dword ptr [ebp-4]	eax相当于二维指针
004015A0   mov         eax,dword ptr [eax]
27:       }
004015A2   pop         edi
004015A3   pop         esi
004015A4   pop         ebx
004015A5   mov         esp,ebp
004015A7   pop         ebp
004015A8   ret

28:   private:
29:       char *m_pString;
30:   };
31:
32:   void ShowMyString(CMyString str)
33:   {
00401470   push        ebp
00401471   mov         ebp,esp
00401473   push        0FFh
00401475   push        offset __ehhandler$?ShowMyString@@YAXVCMyString@@@Z (00417769)
0040147A   mov         eax,fs:[00000000]
00401480   push        eax
00401481   mov         dword ptr fs:[0],esp
00401488   sub         esp,40h
0040148B   push        ebx
0040148C   push        esi
0040148D   push        edi
0040148E   lea         edi,[ebp-4Ch]
00401491   mov         ecx,10h
00401496   mov         eax,0CCCCCCCCh
0040149B   rep stos    dword ptr [edi]
0040149D   mov         dword ptr [ebp-4],0
34:       printf("%s\n" , str.GetString());
004014A4   lea         ecx,[ebp+8]
004014A7   call        @ILT+0(CMyString::GetString) (00401005)		ECX = 0018FEE4
004014AC   push        eax
004014AD   push        offset string "%s\n" (00429084)
004014B2   call        printf (004016e0)
004014B7   add         esp,8
35:   }
004014BA   mov         dword ptr [ebp-4],0FFFFFFFFh
004014C1   lea         ecx,[ebp+8]					ECX = 0018FEE4
004014C4   call        @ILT+60(CMyString::~CMyString) (00401041)	//释放资源
004014C9   mov         ecx,dword ptr [ebp-0Ch]
004014CC   mov         dword ptr fs:[0],ecx
004014D3   pop         edi
004014D4   pop         esi
004014D5   pop         ebx
004014D6   add         esp,4Ch
004014D9   cmp         ebp,esp
004014DB   call        __chkesp (00401810)
004014E0   mov         esp,ebp
004014E2   pop         ebp
004014E3   ret

36:   int main()
37:   {
004015C0   push        ebp
004015C1   mov         ebp,esp
004015C3   push        0FFh
004015C5   push        offset __ehhandler$_main (00417789)
004015CA   mov         eax,fs:[00000000]
004015D0   push        eax
004015D1   mov         dword ptr fs:[0],esp
004015D8   sub         esp,48h
004015DB   push        ebx
004015DC   push        esi
004015DD   push        edi
004015DE   lea         edi,[ebp-54h]
004015E1   mov         ecx,12h
004015E6   mov         eax,0CCCCCCCCh
004015EB   rep stos    dword ptr [edi]
38:       CMyString str;
004015ED   lea         ecx,[ebp-10h]
004015F0   call        @ILT+30(CMyString::CMyString) (00401023)
004015F5   mov         dword ptr [ebp-4],0
39:       ShowMyString(str);  //
004015FC   mov         eax,dword ptr [ebp-10h]
004015FF   push        eax
00401600   call        @ILT+55(ShowMyString) (0040103c)
00401605   add         esp,4
40:       return 0;
00401608   mov         dword ptr [ebp-14h],0
0040160F   mov         dword ptr [ebp-4],0FFFFFFFFh
00401616   lea         ecx,[ebp-10h]
00401619   call        @ILT+60(CMyString::~CMyString) (00401041)	 ECX = 0018FF38 
0040161E   mov         eax,dword ptr [ebp-14h]
41:   }
00401621   mov         ecx,dword ptr [ebp-0Ch]
00401624   mov         dword ptr fs:[0],ecx
0040162B   pop         edi
0040162C   pop         esi
0040162D   pop         ebx
0040162E   add         esp,54h
00401631   cmp         ebp,esp
00401633   call        __chkesp (00401810)
00401638   mov         esp,ebp
0040163A   pop         ebp
0040163B   ret

ShowMyString EAX = 00713A48 == [ebp - 10h]:main 中 str.m_pString 的堆地址被按值复制进了形参。形参与原对象共用同一块堆内存——ShowMyString 末尾对形参调用 ~CMyString(ECX = 0018FEE4,[ecx] = 00713A48),main 返回前又对 str 调用 ~CMyString(ECX = 0018FF38,[ecx] 仍是 00713A48),下面的寄存器快照显示 operator delete 两次收到同一地址:这就是缺少拷贝构造函数造成的重复释放。

00713A48  48 65 6C 6C 6F 00 CD CD CD CD FD  Hello.屯屯.
00713A53  FD FD FD AD BA AB AB AB AB AB AB  韩.
00713A5E  AB AB 00 00 00 00 00 00 00 00 D8  .........
00713A69  47 B3 B5 B1 93 00 00 08 0F 71 00  G车睋....q.
00713A74  C4 00 71 00 EE FE EE FE EE FE EE  ..q.铪铪铪.
00713A7F  FE EE FE EE FE EE FE EE FE EE FE  .

lea         ecx,[ebp+8]		ECX = 0018FEE4
0040159A   mov         dword ptr [ebp-4],ecx	 ECX = 0018FEE4
EBP = 0018FEDC
0018FED1  FF 18 00 69 77 41 00 00 00 00 00  ...iwA.....
0018FEDC  48 FF 18 00 05 16 40 00 48 3A 71  H.....@.H:q
0018FEE7  00 00 00 00 00 00 00 00 00 00 E0  ...........
0040152A   mov         dword ptr [ebp-4],ecx	 ECX = 0018FEE4

 EAX = 0018FEE4 EBX = 7EFDE000
 ECX = 0018FEE4 EDX = 0042BCA0
 ESI = 00000000 EDI = 0018FE7C
 EIP = 00401538 ESP = 0018FE28
 EBP = 0018FE7C EFL = 00000206

00401535   mov         ecx,dword ptr [ebp-4]
00401538   mov         edx,dword ptr [ecx]
0040153A   mov         dword ptr [ebp-8],edx
0040153D   mov         eax,dword ptr [ebp-8]
00401540   push        eax
00401541   call        operator delete (00401e10)
00401546   add         esp,4

0018FE63  CC CC CC CC CC CC CC CC CC CC CC  烫烫烫烫烫.
0018FE6E  CC CC CC CC CC CC CC CC CC CC E4  烫烫烫烫烫.
0018FE79  FE 18 00 DC FE 18 00 C9 14 40 00  ...荥....@.
0018FE84  3C FF 18 00 00 00 00 00 00 E0 FD  <........帻
0018FE8F  7E CC CC CC CC CC CC CC CC CC CC  ~烫烫烫烫烫

0018FE63  CC CC CC CC CC CC CC CC CC CC CC  烫烫烫烫烫.
0018FE6E  CC CC CC CC CC CC 48 3A 71 00 E4  烫烫烫H:q..
0018FE79  FE 18 00 DC FE 18 00 C9 14 40 00  ...荥....@.
0018FE84  3C FF 18 00 00 00 00 00 00 E0 FD  <........帻

0018FE6E  CC CC CC CC CC CC 48 3A 71 00 E4  烫烫烫H:q..
0018FE79  FE 18 00 DC FE 18 00 C9 14 40 00  ...荥....@.
0018FE84  3C FF 18 00 00 00 00 00 00 E0 FD  <........帻

 EAX = 00000001 EBX = 7EFDE000
 ECX = 0018FF3C EDX = 0071015C
 ESI = 00000000 EDI = 0018FF3C
 EIP = 00401616 ESP = 0018FEE8
 EBP = 0018FF48 EFL = 00000206

40:       return 0;
00401608   mov         dword ptr [ebp-14h],0
0040160F   mov         dword ptr [ebp-4],0FFFFFFFFh
00401616   lea         ecx,[ebp-10h]
00401619   call        @ILT+60(CMyString::~CMyString) (00401041)
0040161E   mov         eax,dword ptr [ebp-14h]
41:   }

 EAX = 00000001 EBX = 7EFDE000
 ECX = 0018FF38 EDX = 0071015C
 ESI = 00000000 EDI = 0018FF3C
 EIP = 00401619 ESP = 0018FEE8
 EBP = 0018FF48 EFL = 00000206

00401529   pop         ecx
0040152A   mov         dword ptr [ebp-4],ecx
18:           if(m_pString != NULL)
0040152D   mov         eax,dword ptr [ebp-4]
00401530   cmp         dword ptr [eax],0
00401533   je          CMyString::~CMyString+42h (00401552)
19:           {
20:               delete [] m_pString;
00401535   mov         ecx,dword ptr [ebp-4]
00401538   mov         edx,dword ptr [ecx]
0040153A   mov         dword ptr [ebp-8],edx
0040153D   mov         eax,dword ptr [ebp-8]
00401540   push        eax
00401541   call        operator delete (00401e10)
00401546   add         esp,4
21:               m_pString = NULL;
00401549   mov         ecx,dword ptr [ebp-4]
0040154C   mov         dword ptr [ecx],0
22:           }
23:       }

 EAX = CCCCCCCC EBX = 7EFDE000
 ECX = 0018FF38 EDX = 0071015C
 ESI = 00000000 EDI = 0018FEE0
 EIP = 0040152A ESP = 0018FE8C
 EBP = 0018FEE0 EFL = 00000212

00401535   mov         ecx,dword ptr [ebp-4]

 EAX = 0018FF38 EBX = 7EFDE000
 ECX = 0018FF38 EDX = 0071015C
 ESI = 00000000 EDI = 0018FEE0
 EIP = 00401538 ESP = 0018FE8C
 EBP = 0018FEE0 EFL = 00000206
00401538   mov         edx,dword ptr [ecx]
 EAX = 0018FF38 EBX = 7EFDE000
 ECX = 0018FF38 EDX = 00713A48
 ESI = 00000000 EDI = 0018FEE0
 EIP = 0040153A ESP = 0018FE8C
 EBP = 0018FEE0 EFL = 00000206

00401540   push        eax
00401541   call        operator delete (00401e10)
 EAX = 00713A48 EBX = 7EFDE000
 ECX = 0018FF38 EDX = 00713A48
 ESI = 00000000 EDI = 0018FEE0
 EIP = 00401541 ESP = 0018FE88
 EBP = 0018FEE0 EFL = 00000206


一、简介   AheadLib 是用来生成一个特洛伊DLL的工具,用于分析DLL中的函数参数调用(比如记录Socket send了什么等等)、更改函数功能(随心所欲了:)、更改界面功能(比如在Hook里面生成一个按钮,截获事件等等)。 二、使用   1.用 AheadLib 打开要模拟的 DLL,生成一个 CPP 文件。   2.用 Visual Studio 6.0/.NET 建立一个 DLL 工程,把这个 CPP 文件加入到项目中。   3.使用 Release 方式编译,生成的 DLL 将和原来的 DLL 具有一模一样的导出函数,并且能顺利把这些函数转发到原来的函数中。   4.AheadLib 还可以生成 Hook 代码,用于截取当前进程的所有消息,这样就可以随心所欲地处理各种消息了 (修改第三方程序界面功能的好助手)。 三、备注   1.如果导出函数过多,在 Visual Studio 6.0 中,如果出现编译错误,请在项目属性关闭与编译头功能。   2.如果是 C++ 、C __stdcall、C __fastcall 的方式导出的话,生成的函数声明将会还原成原代码级别(可能需要修改才能编译,比如导出C++类的情况)。此时使用 __declspec(dllexport) 导出 ——不能指定导出序号。   3.如果是 NONAME 或者 C _CDECL 方式导出(比如 DEF 导出,大多数Windows DLL都是这种情况,比如WS2_32等等),则使用#pragma comment(linker, "/EXPORT:...)导出,且指定导出序号。   4.如果系统中没有 DbgHelp.dll,将无法识别 C++ 模式的导出。