About the invocation of a compiled language function (iii)

Connect to the above: http://blog.csdn.net/prsniper/article/details/40653235

Class Delete will not say, interested friends to follow up and see it, a hint: The destructor also has parameters and return values.

Below we look at the bare function, the bare function from the execution efficiency can be comparable with the assembly language, but it is not very good to say, we go along

The temporary stack of the constructor, the recovery register, and so on, was given a name called Prolog and Epilog.

And the bare function does not automatically compile these parts, in fact, the bare function is equivalent to a label in assembly language, and its invocation is constrained by the previous conventions

In addition to the empty naked function is nothing to do, unnecessary do not do, the necessary do not do, is what to achieve their own, in fact, is to self-assembly

Of course, the bare function can not be a member of the class function, for example, we use the __CDECL convention, directly copy Fndefaultcall, regardless of the efficiency of execution

:      ret = Fnnakedcall (+, +, &var1); 00401428   Lea         edx,[ebp-14h]0040142b   Push        edx0040142c   push        15h0040142e   push        14h00401430   push        13h00401432   call        @ILT +15 (Fnnakedcall) (00401014) 00401437   add         esp,10h0040143a   mov         dword ptr [ebp-18h],eax133:

You can see that the calling convention conforms to the __CDECL convention, so keep a look:

68:69: __declspec (naked) int __cdecl fnnakedcall (int arg1, short arg2, char arg3, void *arg4): {004012d0 push EBP71://1. The value of all registers here is the same as before the call 72://2. Referencing any local variable with a variable name is equivalent to referencing a key function variable or parameter 73://3.         Must be responsible for the maintenance of registers, here functions as __cdecl74: __asm{75:push ebp; Prolog Begin76:mov EBP, ESP004012D1 mov ebp,esp77:sub ESP, 50h004012d3 Sub Esp,50h78:p Ush EBX004012D6 push Ebx79:push esi004012d7 push Esi80:push E         DI004012D8 push Edi81:lea EDI, [ebp-50h]004012d9 Lea Edi,[ebp-50h]82:mov ECX, 14H004012DC mov ecx,14h83:mov eax, 0CCCCCCCCH004012E1 mov eax,0ccccccc Ch84:rep stos DWORD ptr [EDI]; Prolog End004012e6 Rep stos dword ptr [edi]85:86://var1 = Arg1;87:mov eax, DWORD ptr [EBP + 8]; [ESP + 8]004012e8 mov eax,dword ptr [Ebp+8]88:mov dword ptr [ebp-4], eax; [Esp-4]004012eb mov dword ptr [ebp-4],eax89:///var2 = Arg2;90:mov cx, word ptr [         EBP + 0CH]004012EE mov cx,word ptr [Ebp+0ch]91:mov word ptr [ebp-8], CX004012F2 mov         Word ptr [ebp-8],cx92:///VAR3 = Arg3;93:mov dl, byte ptr [ebp + 10H]004012F6 mov           Dl,byte ptr [Ebp+10h]94:mov byte ptr [ebp-0ch], DL004012F9 mov byte ptr [ebp-0ch],dl95: p = (int *) Arg4;96:mov eax, DWORD ptr [Ebp + 14H]004012FC mov eax,dword ptr [ebp+ 14h]97:mov DWORD ptr [ebp-10h], EAX004012FF mov dword ptr [ebp-10h],eax98://*p         = -1;99:mov ecx, DWORD ptr [ebp-10h]00401302 mov ecx,dword ptr [Ebp-10h]100:mov DWORD PTR [ECX], 0ffffffffh00401305 mov dword ptr [ecx],0ffffffffh101://Return 22;102:mov E AX, 16h; 0x16 = 220040130B mov eax,16h103:104:pop edi; Epilog begin00401310 pop edi105:pop esi00401311 pop esi106:pop ebx                 00401312 pop Ebx107:mov ESP, ebp00401313 mov esp,ebp108:pop EBP ; Epilog end00401315 pop ebp109://Return to caller function (does not use RET 10h) 110:ret0040131 6 RET---No source file--------------------------------------------------------------00401317 int 3

Although the copy came a bit misplaced, but it is not difficult to see, our assembly code was copied, with once Thai said: Tittle.

This means that we just have to make sure that the call Convention is met after the register is called, and we can do whatever we want.

I do not want you to fall into the abyss of philosophy, but I can only use this statement to describe:

It is one thing to do what you do and what you can do for yourself, and that is dialectical.

Remember the fastcall in the previous said that the variables are stored to save it, hehe, with naked can be avoided, to achieve the real fastcall

In addition, some commonly used inline assembly functions can also be output in this way, of course, need to have a certain assembly language basis

Again, we can not even construct the stack, using ESP instead of EBP, that is, eliminating Prolog and epilog.

The article seems to be over here, so what's the use of knowing it? If you have such an idea, it would be nice, and it's usually known to people.

There is the idea that there is a habit or character to apply.

So, let's try to make a few use of it:

1. Improve the ability to debug the program, more in-depth find out the source of the bug, and draw a deeper layer of solution

such as unexplained crashes, buffer overflows, and this:

2. Improve the level of program development, such as common Strcpy,memset and so on, should write their own, better play the performance of the machine,

A French scientist, using a normal computer to calculate pi, can be as efficient as a supercomputer.

It is impossible to do this kind of work by math alone. He must be familiar with the instruction architecture of the computer.

3. A certain degree of knowledge of reverse and software encryption

For example, just knowing eax as the return value, you should realize that it is easy to bypass the authorization verification with just one function!

Since you can think of ways to bypass other people's programs, you should come up with a plan to prevent others from simply bypassing.

The actual software encryption and decryption is not that simple, but at least there is a perception that

Speaking of cracking, I also want to talk nonsense, some learning to crack friends, anti-assembly out, modify the instructions, that the world's software will be able to crack the

The software industry is full of frustration, so let's take an example:

Load a program using OD:

00531001 >              pushad00531002    E8 03000000 call    0053100a00531007  -E9 eb045d45     jmp     45b014f70053100c              push    ebp0053100d    C3              retn

Initially found that the situation is not quite right, of course, full-time to crack friends can see immediately, this is the shell after the program, the beginning of the shell is running the program,

Unzip or decrypt the actual code, then jump to the actual entrance to execute, then the shelling can be, then we continue to see

046620D1 81EC 00040000 Sub ESP, 400046620D7 push ebp046620d8 8BEC mov ebp , Esp046620da push eax046620db EB 0E jmp short 046620eb046620dd 838B 84240804 0& Gt;or DWORD ptr [ebx+4082484], 0046620E4 00EB add bl, ch046620e6 01f0 add eax, ES     I046620e8 EB jmp Short 046620ee046620ea esp046620eb ^ eb F1 jmp Short 046620de046620ed 6BEB 0C imul ebp, ebx, 0c046620f0 B7 6B mov bh, 6b046620f2 8D            Max FB Lea eax, DWORD ptr [Eax-5]046620f5 EB, jmp short 046620f8046620f7 09EB      or EBX, ebp046620f9 push es046620fa 9B wait046620fb 0D ebf4e7e8 or    EAX, e8e7f4eb04662100 EB 0D jmp short 0466210f04662102 9C pushfd04662103 FE89 45eceb03 Dec byte ptr [ecx+3ebec45]04662109 BB 4b62eb06 mov ebx, 6eb624b0466210e-66:eb F3 jmp short 00002104 

At 046620EB jmp Short 046620DE, however disassembly does not start for 0X046620DE instructions

Only 046620DD is or DWORD ptr[ebx+ ...], 0, what's going on?

Let's change the byte of 046620DD to int 3, 0xCC and then look at it.

Direct input 16 CC one BYTE

Look at the Disassembly window again.

It turned into a

046620DE 8b8424 08040000 mov eax, DWORD ptr [esp+408]

Exactly in JMP's destination address, isn't this bullying Candide?

Good, this is the flower instruction, but also is a kind of flower instruction, let you disassemble the later also is disorderly

Of course, the flower instruction directly assembles the level of encryption, if you reverse 360 of the program, you will find that the load appears to be abnormal, only use static disassembly

The elders often speak, however persuasive, outsmart,

The world is beautiful, but also ugly, both the courage to give, but also to know how to protect themselves, is the true truth

Well, about the function call, we pull so much, think back to the < hack empire, and sometimes don't know if the world is real, at least the code should be true

It seems that the dead of night is time ...

About the invocation of a compiled language function (iii)