【发布时间】:2019-01-16 10:28:12
【问题描述】:
我真的(真的)是 IDA 新手(以及一般的调试),所以我想问一些方向。
我有这个子/功能:
sub_5AE50B proc near ; CODE XREF: sub_4F0E29+252p
.text:005AE50B ; sub_5B81A9+36p
.text:005AE50B
.text:005AE50B var_548 = dword ptr -548h
.text:005AE50B var_544 = dword ptr -544h
.text:005AE50B var_540 = dword ptr -540h
.text:005AE50B var_53C = dword ptr -53Ch
.text:005AE50B var_538 = dword ptr -538h
.text:005AE50B var_534 = dword ptr -534h
.text:005AE50B var_530 = dword ptr -530h
.text:005AE50B var_52C = dword ptr -52Ch
.text:005AE50B var_528 = dword ptr -528h
.text:005AE50B var_524 = dword ptr -524h
.text:005AE50B var_520 = dword ptr -520h
.text:005AE50B var_51C = dword ptr -51Ch
.text:005AE50B var_518 = dword ptr -518h
.text:005AE50B var_514 = dword ptr -514h
.text:005AE50B var_510 = dword ptr -510h
.text:005AE50B var_50C = dword ptr -50Ch
.text:005AE50B var_508 = dword ptr -508h
.text:005AE50B var_504 = dword ptr -504h
.text:005AE50B var_500 = dword ptr -500h
.text:005AE50B var_4FC = dword ptr -4FCh
.text:005AE50B var_4F8 = dword ptr -4F8h
.text:005AE50B var_4F4 = dword ptr -4F4h
.text:005AE50B var_4F0 = dword ptr -4F0h
.text:005AE50B var_4EC = dword ptr -4ECh
.text:005AE50B var_4E8 = dword ptr -4E8h
.text:005AE50B var_4E4 = dword ptr -4E4h
.text:005AE50B var_4E0 = dword ptr -4E0h
.text:005AE50B var_4DC = dword ptr -4DCh
.text:005AE50B var_4D8 = dword ptr -4D8h
.text:005AE50B var_4D4 = dword ptr -4D4h
.text:005AE50B var_4D0 = dword ptr -4D0h
.text:005AE50B var_4CC = dword ptr -4CCh
.text:005AE50B var_4C8 = dword ptr -4C8h
.text:005AE50B var_4C4 = dword ptr -4C4h
.text:005AE50B var_4C0 = dword ptr -4C0h
.text:005AE50B var_4BC = dword ptr -4BCh
.text:005AE50B var_4B8 = dword ptr -4B8h
.text:005AE50B var_4B4 = dword ptr -4B4h
.text:005AE50B var_4B0 = dword ptr -4B0h
.text:005AE50B var_4AC = dword ptr -4ACh
.text:005AE50B var_4A8 = dword ptr -4A8h
.text:005AE50B var_4A4 = dword ptr -4A4h
.text:005AE50B var_4A0 = byte ptr -4A0h
.text:005AE50B var_49C = dword ptr -49Ch
.text:005AE50B var_498 = dword ptr -498h
.text:005AE50B var_494 = dword ptr -494h
.text:005AE50B var_490 = dword ptr -490h
.text:005AE50B var_48C = dword ptr -48Ch
.text:005AE50B var_488 = dword ptr -488h
.text:005AE50B var_484 = dword ptr -484h
.text:005AE50B var_480 = dword ptr -480h
.text:005AE50B var_47C = dword ptr -47Ch
.text:005AE50B var_478 = dword ptr -478h
.text:005AE50B var_474 = dword ptr -474h
.text:005AE50B var_470 = dword ptr -470h
.text:005AE50B var_46C = dword ptr -46Ch
.text:005AE50B var_468 = dword ptr -468h
.text:005AE50B var_464 = dword ptr -464h
.text:005AE50B var_460 = dword ptr -460h
.text:005AE50B var_45C = dword ptr -45Ch
.text:005AE50B var_458 = dword ptr -458h
.text:005AE50B var_454 = dword ptr -454h
.text:005AE50B var_450 = dword ptr -450h
.text:005AE50B var_444 = dword ptr -444h
.text:005AE50B var_440 = dword ptr -440h
.text:005AE50B var_43C = dword ptr -43Ch
.text:005AE50B var_438 = dword ptr -438h
.text:005AE50B var_434 = dword ptr -434h
.text:005AE50B var_430 = dword ptr -430h
.text:005AE50B var_42C = dword ptr -42Ch
.text:005AE50B var_428 = dword ptr -428h
.text:005AE50B var_424 = dword ptr -424h
.text:005AE50B var_418 = dword ptr -418h
.text:005AE50B var_414 = dword ptr -414h
.text:005AE50B var_410 = dword ptr -410h
.text:005AE50B var_40C = dword ptr -40Ch
.text:005AE50B var_408 = dword ptr -408h
.text:005AE50B var_404 = dword ptr -404h
.text:005AE50B var_400 = dword ptr -400h
.text:005AE50B var_3FC = dword ptr -3FCh
.text:005AE50B var_3F8 = dword ptr -3F8h
.text:005AE50B var_3EC = dword ptr -3ECh
.text:005AE50B var_3E8 = dword ptr -3E8h
.text:005AE50B var_3E4 = dword ptr -3E4h
.text:005AE50B var_3E0 = dword ptr -3E0h
.text:005AE50B var_3DC = dword ptr -3DCh
.text:005AE50B var_3D8 = dword ptr -3D8h
.text:005AE50B var_3D4 = dword ptr -3D4h
.text:005AE50B var_3D0 = dword ptr -3D0h
.text:005AE50B var_3CC = dword ptr -3CCh
.text:005AE50B var_3C8 = dword ptr -3C8h
.text:005AE50B var_3C4 = dword ptr -3C4h
.text:005AE50B var_3C0 = dword ptr -3C0h
.text:005AE50B var_3BC = dword ptr -3BCh
.text:005AE50B var_3B8 = dword ptr -3B8h
.text:005AE50B var_3AC = dword ptr -3ACh
.text:005AE50B var_3A8 = dword ptr -3A8h
.text:005AE50B var_3A4 = dword ptr -3A4h
.text:005AE50B var_3A0 = dword ptr -3A0h
.text:005AE50B var_39C = dword ptr -39Ch
.text:005AE50B var_398 = dword ptr -398h
.text:005AE50B var_394 = dword ptr -394h
.text:005AE50B var_390 = dword ptr -390h
.text:005AE50B var_38C = dword ptr -38Ch
.text:005AE50B var_380 = dword ptr -380h
.text:005AE50B var_37C = dword ptr -37Ch
.text:005AE50B var_378 = dword ptr -378h
.text:005AE50B var_374 = dword ptr -374h
.text:005AE50B var_370 = dword ptr -370h
.text:005AE50B var_36C = dword ptr -36Ch
.text:005AE50B var_368 = dword ptr -368h
.text:005AE50B var_364 = dword ptr -364h
.text:005AE50B var_360 = dword ptr -360h
.text:005AE50B var_35C = dword ptr -35Ch
.text:005AE50B var_358 = dword ptr -358h
.text:005AE50B var_354 = dword ptr -354h
.text:005AE50B var_350 = dword ptr -350h
.text:005AE50B var_34C = dword ptr -34Ch
.text:005AE50B var_348 = dword ptr -348h
.text:005AE50B var_344 = dword ptr -344h
.text:005AE50B var_340 = dword ptr -340h
.text:005AE50B var_33C = dword ptr -33Ch
.text:005AE50B var_338 = dword ptr -338h
.text:005AE50B var_334 = dword ptr -334h
.text:005AE50B var_330 = dword ptr -330h
.text:005AE50B var_32C = dword ptr -32Ch
.text:005AE50B var_328 = dword ptr -328h
.text:005AE50B var_324 = dword ptr -324h
.text:005AE50B var_320 = dword ptr -320h
.text:005AE50B var_31C = dword ptr -31Ch
.text:005AE50B var_318 = dword ptr -318h
.text:005AE50B var_314 = dword ptr -314h
.text:005AE50B var_310 = dword ptr -310h
.text:005AE50B var_30C = dword ptr -30Ch
.text:005AE50B var_308 = dword ptr -308h
.text:005AE50B var_304 = dword ptr -304h
.text:005AE50B v = dword ptr -2FCh
.text:005AE50B var_2F8 = dword ptr -2F8h
.text:005AE50B var_2F4 = dword ptr -2F4h
.text:005AE50B var_2F0 = dword ptr -2F0h
.text:005AE50B var_2EC = dword ptr -2ECh
.text:005AE50B var_2E8 = dword ptr -2E8h
.text:005AE50B var_2E4 = dword ptr -2E4h
.text:005AE50B var_2E0 = dword ptr -2E0h
.text:005AE50B var_2DC = dword ptr -2DCh
.text:005AE50B var_2D8 = dword ptr -2D8h
.text:005AE50B var_2D4 = dword ptr -2D4h
.text:005AE50B var_2D0 = dword ptr -2D0h
.text:005AE50B var_2CC = dword ptr -2CCh
.text:005AE50B var_2C8 = dword ptr -2C8h
.text:005AE50B var_2C4 = dword ptr -2C4h
.text:005AE50B var_2C0 = dword ptr -2C0h
.text:005AE50B var_2BC = dword ptr -2BCh
.text:005AE50B var_2B8 = dword ptr -2B8h
.text:005AE50B var_2B4 = dword ptr -2B4h
.text:005AE50B var_2B0 = dword ptr -2B0h
.text:005AE50B var_2AC = dword ptr -2ACh
.text:005AE50B var_2A8 = dword ptr -2A8h
.text:005AE50B var_2A4 = dword ptr -2A4h
.text:005AE50B var_298 = dword ptr -298h
.text:005AE50B var_294 = dword ptr -294h
.text:005AE50B var_290 = dword ptr -290h
.text:005AE50B var_28C = dword ptr -28Ch
.text:005AE50B var_288 = dword ptr -288h
.text:005AE50B var_284 = dword ptr -284h
.text:005AE50B var_280 = dword ptr -280h
.text:005AE50B var_274 = dword ptr -274h
.text:005AE50B var_270 = dword ptr -270h
.text:005AE50B var_26C = dword ptr -26Ch
.text:005AE50B var_268 = dword ptr -268h
.text:005AE50B var_264 = dword ptr -264h
.text:005AE50B var_260 = dword ptr -260h
.text:005AE50B var_25C = dword ptr -25Ch
.text:005AE50B var_250 = dword ptr -250h
.text:005AE50B var_24C = dword ptr -24Ch
.text:005AE50B var_248 = dword ptr -248h
.text:005AE50B var_244 = dword ptr -244h
.text:005AE50B var_240 = dword ptr -240h
.text:005AE50B var_23C = dword ptr -23Ch
.text:005AE50B var_238 = dword ptr -238h
.text:005AE50B var_22C = dword ptr -22Ch
.text:005AE50B var_228 = dword ptr -228h
.text:005AE50B var_224 = dword ptr -224h
.text:005AE50B var_220 = dword ptr -220h
.text:005AE50B var_21C = dword ptr -21Ch
.text:005AE50B var_218 = dword ptr -218h
.text:005AE50B var_214 = dword ptr -214h
.text:005AE50B var_210 = dword ptr -210h
.text:005AE50B var_20C = dword ptr -20Ch
.text:005AE50B var_208 = dword ptr -208h
.text:005AE50B var_204 = dword ptr -204h
.text:005AE50B var_200 = dword ptr -200h
.text:005AE50B var_1FC = dword ptr -1FCh
.text:005AE50B var_1F0 = dword ptr -1F0h
.text:005AE50B var_1EC = dword ptr -1ECh
.text:005AE50B var_1E8 = dword ptr -1E8h
.text:005AE50B var_1E4 = dword ptr -1E4h
.text:005AE50B var_1E0 = dword ptr -1E0h
.text:005AE50B var_1DC = dword ptr -1DCh
.text:005AE50B var_1D8 = dword ptr -1D8h
.text:005AE50B var_1CC = dword ptr -1CCh
.text:005AE50B var_1C8 = dword ptr -1C8h
.text:005AE50B var_1C4 = dword ptr -1C4h
.text:005AE50B var_1C0 = dword ptr -1C0h
.text:005AE50B var_1BC = dword ptr -1BCh
.text:005AE50B var_1B0 = dword ptr -1B0h
.text:005AE50B var_1AC = dword ptr -1ACh
.text:005AE50B var_1A8 = dword ptr -1A8h
.text:005AE50B var_1A4 = dword ptr -1A4h
.text:005AE50B var_1A0 = dword ptr -1A0h
.text:005AE50B var_19C = dword ptr -19Ch
.text:005AE50B var_198 = dword ptr -198h
.text:005AE50B var_194 = dword ptr -194h
.text:005AE50B var_190 = dword ptr -190h
.text:005AE50B var_184 = dword ptr -184h
.text:005AE50B var_180 = dword ptr -180h
.text:005AE50B var_17C = dword ptr -17Ch
.text:005AE50B var_178 = dword ptr -178h
.text:005AE50B var_174 = dword ptr -174h
.text:005AE50B var_170 = dword ptr -170h
.text:005AE50B var_16C = dword ptr -16Ch
.text:005AE50B var_168 = dword ptr -168h
.text:005AE50B var_164 = dword ptr -164h
.text:005AE50B var_160 = dword ptr -160h
.text:005AE50B var_154 = dword ptr -154h
.text:005AE50B var_150 = dword ptr -150h
.text:005AE50B var_14C = dword ptr -14Ch
.text:005AE50B var_148 = dword ptr -148h
.text:005AE50B var_144 = dword ptr -144h
.text:005AE50B var_140 = dword ptr -140h
.text:005AE50B var_13C = dword ptr -13Ch
.text:005AE50B var_138 = dword ptr -138h
.text:005AE50B var_134 = dword ptr -134h
.text:005AE50B var_130 = dword ptr -130h
.text:005AE50B var_12C = dword ptr -12Ch
.text:005AE50B var_128 = dword ptr -128h
.text:005AE50B var_124 = dword ptr -124h
.text:005AE50B var_120 = dword ptr -120h
.text:005AE50B var_11C = dword ptr -11Ch
.text:005AE50B var_118 = dword ptr -118h
.text:005AE50B var_114 = dword ptr -114h
.text:005AE50B var_110 = dword ptr -110h
.text:005AE50B var_10C = dword ptr -10Ch
.text:005AE50B var_108 = dword ptr -108h
.text:005AE50B var_104 = dword ptr -104h
.text:005AE50B var_100 = dword ptr -100h
.text:005AE50B var_FC = dword ptr -0FCh
.text:005AE50B var_F8 = dword ptr -0F8h
.text:005AE50B var_F4 = dword ptr -0F4h
.text:005AE50B var_F0 = dword ptr -0F0h
.text:005AE50B var_EC = dword ptr -0ECh
.text:005AE50B var_E8 = dword ptr -0E8h
.text:005AE50B var_E4 = dword ptr -0E4h
.text:005AE50B var_E0 = dword ptr -0E0h
.text:005AE50B var_DC = dword ptr -0DCh
.text:005AE50B var_D8 = dword ptr -0D8h
.text:005AE50B var_D4 = dword ptr -0D4h
.text:005AE50B var_D0 = dword ptr -0D0h
.text:005AE50B var_CC = dword ptr -0CCh
.text:005AE50B var_C8 = dword ptr -0C8h
.text:005AE50B var_C4 = dword ptr -0C4h
.text:005AE50B var_C0 = dword ptr -0C0h
.text:005AE50B var_BC = dword ptr -0BCh
.text:005AE50B var_B8 = dword ptr -0B8h
.text:005AE50B var_B4 = dword ptr -0B4h
.text:005AE50B var_B0 = dword ptr -0B0h
.text:005AE50B var_AC = dword ptr -0ACh
.text:005AE50B var_A8 = dword ptr -0A8h
.text:005AE50B var_A4 = dword ptr -0A4h
.text:005AE50B var_A0 = dword ptr -0A0h
.text:005AE50B var_9C = dword ptr -9Ch
.text:005AE50B var_98 = dword ptr -98h
.text:005AE50B var_94 = dword ptr -94h
.text:005AE50B var_90 = dword ptr -90h
.text:005AE50B var_84 = dword ptr -84h
.text:005AE50B var_80 = dword ptr -80h
.text:005AE50B var_7C = dword ptr -7Ch
.text:005AE50B var_78 = dword ptr -78h
.text:005AE50B var_74 = dword ptr -74h
.text:005AE50B var_70 = dword ptr -70h
.text:005AE50B var_6C = dword ptr -6Ch
.text:005AE50B var_68 = dword ptr -68h
.text:005AE50B var_64 = dword ptr -64h
.text:005AE50B var_60 = dword ptr -60h
.text:005AE50B var_5C = dword ptr -5Ch
.text:005AE50B var_58 = dword ptr -58h
.text:005AE50B var_54 = dword ptr -54h
.text:005AE50B var_50 = dword ptr -50h
.text:005AE50B var_4C = dword ptr -4Ch
.text:005AE50B var_48 = dword ptr -48h
.text:005AE50B var_44 = dword ptr -44h
.text:005AE50B var_40 = dword ptr -40h
.text:005AE50B var_3C = dword ptr -3Ch
.text:005AE50B var_38 = dword ptr -38h
.text:005AE50B var_34 = dword ptr -34h
.text:005AE50B var_30 = dword ptr -30h
.text:005AE50B var_2C = dword ptr -2Ch
.text:005AE50B var_28 = dword ptr -28h
.text:005AE50B var_24 = dword ptr -24h
.text:005AE50B var_20 = dword ptr -20h
.text:005AE50B var_1C = dword ptr -1Ch
.text:005AE50B alpha = dword ptr -18h
.text:005AE50B var_14 = dword ptr -14h
.text:005AE50B var_10 = dword ptr -10h
.text:005AE50B var_C = dword ptr -0Ch
.text:005AE50B var_4 = dword ptr -4
.text:005AE50B arg_0 = dword ptr 8
.text:005AE50B arg_C = dword ptr 14h
.text:005AE50B
.text:005AE50B push ebp
.text:005AE50C mov ebp, esp
.text:005AE50E push 0FFFFFFFFh
.text:005AE510 push offset loc_876BAE
.text:005AE515 mov eax, large fs:0
.text:005AE51B push eax
.text:005AE51C mov large fs:0, esp
.text:005AE523 sub esp, 524h
.text:005AE529 mov eax, [ebp+arg_0]
.text:005AE52C mov ecx, [eax+30h]
.text:005AE52F imul ecx, 0F4h
.text:005AE535 mov edx, dword_596CB28
.text:005AE53B add edx, ecx
.text:005AE53D mov [ebp+var_10], edx
.text:005AE540 mov byte ptr [ebp+var_14], 1
.text:005AE544 cmp dword_7B46AF4, 0
.text:005AE54B jnz short loc_5AE567
.text:005AE54D cmp dword_7B46AF4, 0
.text:005AE554 jnz loc_5B817B
.text:005AE55A mov eax, [ebp+arg_0]
.text:005AE55D cmp dword ptr [eax+3Ch], 0FFFFFFFEh
.text:005AE561 jz loc_5B817B
.text:005AE567
.text:005AE567 loc_5AE567: ; CODE XREF: sub_5AE50B+40j
.text:005AE567 cmp [ebp+arg_C], 0Ah
.text:005AE56B jnz loc_5AE7C9
.text:005AE571 mov [ebp+alpha], 3F000000h
.text:005AE578 mov [ebp+var_1C], 0
.text:005AE57F jmp short loc_5AE58A
它有很多 vars,从 var_548 递减 4 x 4 直到您在图像上看到的内容。
现在我知道这应该是一个看起来像这样的函数:
void __cdecl sub_5DE260(STRUCT *lpInfo, int a1, int a2, int a3)
(我知道这是因为其他人在论坛上发布了它)
现在,这是我的疑问(对不起,如果它很愚蠢),为什么函数有 4 个参数? (我在那里只看到 2 arg_,那么不应该是 2 吗?)我知道为什么会这样.. 但我不确定.. 我看到 vars 下降了 4 x 4,并且 args 是 _0 和 _C 这意味着如果它也是 4 x 4,那么中间还会有 2 个 args.. 但我真的不知道。
第二个问题,你怎么知道第一个参数是一个结构?我在这里唯一的想法是它与那里的“Alpha”有关。我也会问如何获得该结构,但这可能很难,所以我想先了解更基本的部分。 :)
编辑:抱歉添加了图片,我现在复制了文字。
此函数有 2 个调用,我现在将两个都添加:
loc_4F1058: ; CODE XREF: sub_4F0E29+219j
.text:004F1058 push 0
.text:004F105A push 0
.text:004F105C mov ecx, [ebp+var_64]
.text:004F105F mov edx, [ecx]
.text:004F1061 mov ecx, [ebp+var_64]
.text:004F1064 call dword ptr [edx+18h]
.text:004F1067
.text:004F1067 loc_4F1067: ; CODE XREF: sub_4F0E29+206j
.text:004F1067 ; sub_4F0E29+22Dj
.text:004F1067 cmp [ebp+var_60], 0
.text:004F106B jz short loc_4F1083
.text:004F106D push 0
.text:004F106F mov eax, [ebp+arg_8]
.text:004F1072 push eax
.text:004F1073 mov cl, [ebp+var_38]
.text:004F1076 push ecx
.text:004F1077 mov edx, [ebp+arg_4]
.text:004F107A push edx
.text:004F107B call sub_5AE50B
.text:004F1080 add esp, 10h
.text:004F1083
.text:004F1083 loc_4F1083: ; CODE XREF: sub_4F0E29+242j
.text:004F1083 jmp short loc_4F109B
另一个看起来像这样:
loc_5B81CF: ; CODE XREF: sub_5B81A9+22j
.text:005B81CF mov ecx, [ebp+arg_C]
.text:005B81D2 push ecx
.text:005B81D3 mov edx, [ebp+arg_8]
.text:005B81D6 push edx
.text:005B81D7 mov al, [ebp+arg_4]
.text:005B81DA push eax
.text:005B81DB mov ecx, [ebp+arg_0]
.text:005B81DE push ecx
.text:005B81DF call sub_5AE50B
.text:005B81E4 add esp, 10h
.text:005B81E7
.text:005B81E7 loc_5B81E7: ; CODE XREF: sub_5B81A9+24j
.text:005B81E7 pop ebp
.text:005B81E8 retn
.text:005B81E8 sub_5B81A9 endp
这有帮助吗? 我仍然不知道如何使用该函数,因为我不明白参数应该是什么样子。论坛上的这个人发布了我上面写的函数,但它有一个我不知道的结构.
【问题讨论】:
-
如果
call指令在反汇编中显示以确保为调用设置了什么,这将有所帮助。 (或者这是被调用的函数本身;很难说因为你没有显示地址。) -
不可能说,因为你还没有展示整个功能。也不要发布图片,剪切和粘贴反汇编代码。
-
@OP:带有
STRUCT *lpInfo的C 签名显示了一个指向 结构的指针,而不是结构arg。如果 arg 是 一个按值传递的结构,它可能会大于 4 个字节,并且(至少在某些 32 位 x86 调用约定中)被调用者复制到堆栈中,而不是通过引用传递。说到调用约定,我们可以排除__fastcall作为仅对 2 个命名堆栈 args 的解释,除非第一个寄存器 arg 未被使用,因为函数写入 ECX 而不先读取它。所以没有注册参数;gcc -mregparm=2也可以被排除在破坏 EAX 之外。 -
我已经编辑了第一篇文章,替换了图片并添加了 2 个函数调用。
标签: assembly x86 reverse-engineering calling-convention ida