教案逆向分析一个完整的c 程序包含寄存器与参数传递详解.docxVIP

逆向分析一个完整的C++程序包含寄存器与参数传递详解最近在分析C++ dump?文件的时候觉得有必要将一些必要的反汇编东西总结一下以备别人参考，自己有时间的时候也可以进行更多的改进。下面通过一个简单的C++代码转成汇编代码后的详细解释说明一下C++和汇编的对应关系，以及如何识别汇编代码中进行的一些操作的意义。代码的调用关系如下图所示：完整C++代码下：??int?InternalFunctionA(int?nSizeA1,?int?nSizeA2){????int?localnSizeA1?=?nSizeA1;????int?localnSizeA2?=?nSizeA2;????int?nFunctionA?=?localnSizeA1?+?localnSizeA2;????return?nFunctionA;}int?InternalFunctionB(int?nSizeB1,?int?nSizeB2){????int?nFunctionA?=?InternalFunctionA(nSizeB1,?nSizeB2);????return?0;}int?_tmain(int?argc,?_TCHAR*?argv[]){????????int?nFunctionVal?=?InternalFunctionB(36,?64);????coutHello?SolidMango!endl;????return?0;}?那么这段简单的C++代码在转换成汇编代码之后是什么样子的呢？让我们拭目以待，首先让我们看看main函数转换后的代码（debug版）, 如下，我们逐条来进行分析，?int?_tmain(int?argc,?_TCHAR*?argv[])?push????????ebp??//栈底压?mov?????????ebp,esp?//栈底下移，更详细的请参考我关于ebp,esp的解?sub?????????esp,0CCh?//局部变量预留空?push????????ebx??//保存ebx??0041157A??push????????esi??//保存esi??0041157B??push????????edi??//保存edi??0041157C??lea?????????edi,[ebp-0CCh] //下移edi到栈?mov?????????ecx,33h?//0CCh/4 = 33?mov?????????eax,0CCCCCCCCh?//eax赋值0041158C??rep?stos????dword?ptr?es:[edi]?//从edi开始做33h次赋值0CCCCCCCCh?，初始化栈内存????????int?nFunctionVal?=?InternalFunctionB(36,?64);0041158E??push????????40h??//参数64入栈?push????????24h??//参数36入?call????????InternalFunctionB?(41101Eh)?);//到41101Eh处函数调?add?????????esp,8?//函数调用后将参数弹出，清理栈0041159A??mov?????????dword?ptr?[nFunctionVal],eax?????coutHello?SolidMango!endl;0041159D??mov?????????esi,esp?0041159F??mov?????????eax,dword?ptr?[__imp_std::endl?(41A338h)]?004115A4??push????????eax??004115A5??push????????offset?string?Hello?SolidMango!?(417800h)?004115AA??mov?????????ecx,dword?ptr?[__imp_std::cout?(41A33Ch)]?004115B0??push????????ecx??004115B1??call????????std::operatorstd::char_traitschar??(411163h)?004115B6??add?????????esp,8?004115B9??mov?????????ecx,eax?004115BB??call????????dword?ptr?[__imp_std::basic_ostreamchar,std::char_traitschar?::operator?(41A320h