1. Test source

    #include <stdio.h>
    #include <stdlib.h>
    #include <iostream>
    #include <vector>
    #include <list>
    #include <map>
    using namespace std;

    // Layout recovered for the vector object (see the analysis below)
    struct MyVector {
        struct MyVector* pSelf;
        int* pDataStart;
        int* pDataEnd;
        int* pBufEnd;
    };

    void testVector() {
        // Dynamic array; the data is stored in heap memory.
        // When elements are added, memory grows dynamically.
        vector<int> vecObj;
        vecObj.push_back(1);
        vecObj.push_back(2);
        vecObj.push_back(3);
        vecObj.pop_back();
        vecObj.push_back(4);

        // Traverse the vector by index
        for (size_t i = 0; i < vecObj.size(); i++) {
            printf("vecObj[%d] = %d\n", (int)i, vecObj[i]);
        }

        // Traverse the vector with an iterator
        vector<int>::iterator iter = vecObj.begin();
        while (iter != vecObj.end()) { // iter.operator!=(vecObj.end())
            int n = *iter;
            printf("vecObj i = %d\n", n);
            ++iter;
        }
    }

    int main() {
        testVector();
        getchar();
        return 0;
    }
2. Compiling
3. Remove the random base address (so addresses are easy to search for): set the option to 0.
4. Use IDA to open main and look at the functions it calls.
5. Select the address and load it in OD to view it.
6. There are very many calls; look only at the key ones. Find the vector's constructor and the object's base address: locate them with IDA, then debug with OD.
7. Run to the next breakpoint and follow the object's address in the data window.
It is indeed CC (the memory has not been initialized yet).
8. Run the constructor.
Initialization (STL objects have a feature: the first field always points to the object itself).
It points to itself.
Run push_back(1).
Step inside and look: it is as expected.
What about the other two fields? Slow down and push a few more.
Push three times.
Pop once and look.
The memory has not changed; only the third field is decreased, and the last one is unchanged.
Push one more and see that the third field grows again, while the last one stays the same.
Look at the memory:
The popped element's memory is not changed; only the index (the end pointer) is reduced.
What does all this mean?
The third field is the address just past the last element (the end of the data), and the fourth is the end of the buffer.
Define a struct to parse it (the MyVector struct in the test source above).
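As an added example (not the post's code), the identification done by hand above can be automated: the program below copies a std::vector<int> object's raw pointer-sized words, labels each as pSelf, pDataStart, pDataEnd or pBufEnd by comparing it with what the public API reports, then replays the post's push/pop sequence and derives the element count from the dump alone. It assumes a reserve(4) so the buffer never moves during the sequence; the self pointer only appears in builds like the author's debug build, so GCC/Clang builds label just three fields.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>
// Role of each pointer-sized word inside the vector object, named after the
// fields of the post's MyVector: pSelf, pDataStart, pDataEnd, pBufEnd.
enum Field { Unknown, Self, DataStart, DataEnd, BufEnd };
struct Dump { std::vector<uintptr_t> raw; std::vector<Field> role; };
// Copy the raw words of a non-empty vector object and label each one by comparing
// it with what the public API reports (the identification the post makes in OD).
// Probe while size() < capacity(); otherwise DataEnd and BufEnd coincide and the word is labelled DataEnd.
static Dump probeLayout(const std::vector<int>& vec) {
    Dump d;
    d.raw.resize(sizeof(vec) / sizeof(uintptr_t));
    std::memcpy(d.raw.data(), &vec, sizeof(vec));
    d.role.assign(d.raw.size(), Unknown);
    const uintptr_t start = reinterpret_cast<uintptr_t>(vec.data());
    for (size_t i = 0; i < d.raw.size(); i++) {
        if (d.raw[i] == reinterpret_cast<uintptr_t>(&vec))            d.role[i] = Self;
        else if (d.raw[i] == start)                                    d.role[i] = DataStart;
        else if (d.raw[i] == start + vec.size() * sizeof(int))         d.role[i] = DataEnd;
        else if (d.raw[i] == start + vec.capacity() * sizeof(int))     d.role[i] = BufEnd;
    }
    return d;
}
// Element count read the way a reverser reads it from the dump: (pDataEnd - pDataStart) / sizeof(int).
static long countFromDump(const Dump& d) {
    uintptr_t start = 0, end = 0;
    for (size_t i = 0; i < d.role.size(); i++) {
        if (d.role[i] == DataStart) start = d.raw[i];
        if (d.role[i] == DataEnd)   end = d.raw[i];
    }
    return (start && end) ? static_cast<long>((end - start) / sizeof(int)) : -1; // -1: field not found
}
struct Observation { long countAfterPop, countAfterPush; int poppedSlot; bool bufEndStable; };
// Replay the post's sequence: push 1,2,3, pop_back, push 4, probing after the last two steps.
static Observation replayPostSequence() {
    std::vector<int> v; v.reserve(4);           // assumption: fixed buffer, so pointers stay comparable
    v.push_back(1); v.push_back(2); v.push_back(3);
    v.pop_back();                               // only pDataEnd moves back; the buffer stays
    Dump afterPop = probeLayout(v);
    int slot = 0;                               // the popped slot is still inside the allocation;
    std::memcpy(&slot, v.data() + 2, sizeof(int)); // the post observed its old value survives
    v.push_back(4);                             // pDataEnd moves forward again, no reallocation
    Dump afterPush = probeLayout(v);
    Observation ob = { countFromDump(afterPop), countFromDump(afterPush), slot, false };
    for (size_t i = 0; i < afterPop.role.size(); i++)
        if (afterPop.role[i] == BufEnd) ob.bufEndStable = afterPush.raw[i] == afterPop.raw[i];
    return ob;
}
```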
Reverse analysis of the C++ vector