代码还原动态调试之 pstree 条件表达式

xiaozhiwise

已于 2024-07-03 14:25:15 修改

阅读量339

点赞数 5

分类专栏： Assembly 文章标签：汇编

于 2024-07-03 14:07:48 首次发布

本文链接：https://blog.csdn.net/xiaozhiwise/article/details/140150102

版权

Assembly 专栏收录该内容

443 篇文章 3 订阅

订阅专栏

1.条件表达式

lvl == level - 1 ? last ? shape_pointer->four : shape_pointer->second : gvar_9470[lvl + 1] ? shape_pointer->three : shape_pointer->first

2.有种cmp比较相等时为1，如 a == b， je跳转，表达式值为1

反汇编代码抽取相关部分:


    43cf:	48 8b 05 3a 4f 00 00 	mov    0x4f3a(%rip),%rax        # 9310 <age_to_color@@Base+0x30>    // 9310=shape_pointer
    43d6:	41 39 ee             	cmp    %ebp,%r14d               // level-1 ?= lvl
    43d9:	0f 84 49 07 00 00    	je     4b28 <__sprintf_chk@plt+0x23b8>  // edi=last ? (shape_pointer->four):(shape_pointer->second), jump 4409 
    43df:	48 8b 15 8a 50 00 00 	mov    0x508a(%rip),%rdx        # 9470 <stderr@@GLIBC_2.2.5+0x50>   // gvar_9470
    43e6:	42 8b 54 22 04       	mov    0x4(%rdx,%r12,1),%edx    // edx=gvar_9470+lvl*4+0x4=gvar_9470[lvl+1]
    43eb:	85 d2                	test   %edx,%edx                // edx ?= 0
    43ed:	0f 84 05 06 00 00    	je     49f8 <__sprintf_chk@plt+0x2288>  // rbx=shape_pointer->first,  jmpq 4409
    43f3:	48 8b 58 10          	mov    0x10(%rax),%rbx                  // rbx=shape_pointer->three
    43f7:	eb 10                	jmp    4409 <__sprintf_chk@plt+0x1c99>
    43f9:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)

    4400:	48 83 c3 01          	add    $0x1,%rbx
    4404:	e8 87 fb ff ff       	callq  3f90 <__sprintf_chk@plt+0x1820>    // fun_3f90(const char ch)

    4409:	0f be 3b             	movsbl (%rbx),%edi          // edi=gvar_9470[lvl+1] ? shape_pointer->three:shape_pointer->first
                                                                // edi=last ? (shape_pointer->four):(shape_pointer->second), 
    440c:	40 84 ff             	test   %dil,%dil
    440f:	75 ef                	jne    4400 <__sprintf_chk@plt+0x1c90>
    4411:	48 8d 45 01          	lea    0x1(%rbp),%rax                   // rax=(rbp+0x1)=lvl++
    4415:	49 39 ef             	cmp    %rbp,%r15                        // rbp=lvl, r15=level-1
    4418:	74 06                	je     4420 <__sprintf_chk@plt+0x1cb0>  // 跳出 if (leaf == 0)
    441a:	48 89 c5             	mov    %rax,%rbp                        // rbp=lvl
    441d:	eb 81                	jmp    43a0 <__sprintf_chk@plt+0x1c30>
    441f:	90                   	nop

    ....

    49f8:	48 8b 18             	mov    (%rax),%rbx              // rbx=shape_pointer->first
    49fb:	e9 09 fa ff ff       	jmpq   4409 <__sprintf_chk@plt+0x1c99>

    ....

    4b28:	8b 4c 24 10          	mov    0x10(%rsp),%ecx      // ecx=(rsp+0x10)=last
    4b2c:	85 c9                	test   %ecx,%ecx            // last ?= 0
    4b2e:	74 1c                	je     4b4c <__sprintf_chk@plt+0x23dc>  // rbx=shape_pointer->second
    4b30:	48 8b 58 18          	mov    0x18(%rax),%rbx      // rbx=shape_pointer->four
    4b34:	e9 d0 f8 ff ff       	jmpq   4409 <__sprintf_chk@plt+0x1c99>
    4b39:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)

    ....

    4b4c:	48 8b 58 08          	mov    0x8(%rax),%rbx       // rbx=shape_pointer->second
    4b50:	e9 b4 f8 ff ff       	jmpq   4409 <__sprintf_chk@plt+0x1c99>

    ....

说明：以上代码就是比条件表达式的运算，执行步骤化简为
lvl == level - 1 ? last ? shape_pointer->four : shape_pointer->second : gvar_9470[lvl + 1] ? shape_pointer->three : shape_pointer->first
= (0|1) ? (last ? shape_pointer->four : shape_pointer->second) : (gvar_9470[lvl + 1] ? shape_pointer->three : shape_pointer->first)
= (0|1) ? (shape_pointer->four|shape_pointer->second) : (shape_pointer->three|shape_pointer->first)

说明：以上代码就是比条件表达式的运算，执行步骤化简为

lvl == level - 1 ? last ? shape_pointer->four : shape_pointer->second : gvar_9470[lvl + 1] ? shape_pointer->three : shape_pointer->first

= (0|1) ? (last ? shape_pointer->four : shape_pointer->second) : (gvar_9470[lvl + 1] ? shape_pointer->three : shape_pointer->first)
= (0|1) ? (shape_pointer->four|shape_pointer->second) : (shape_pointer->three|shape_pointer->first)