Are you sure you don't want to take a look at the interesting code analysis ?, Confirm code analysis
Introduction:Hello everyone, I am Xiaojiang. I am bored when I have a holiday at home. I have learned a lot from reading other blog articles, so I decided to write a blog to record my bit/s.
I would like to give you some details as much as possible, bring some knowledge to beginners and learn together.
Well, we didn't talk much nonsense. We went straight into the topic. Recently we saw a simple and interesting program in a forum.
The Code is as follows:
# Include <stdio. h>
Int main ()
{
Const short int c1 = 49920;
Const int c2 = 1073742008;
Int (* pf) () = (int (*) () & c2;
Printf ("% c \ n", * (char *) pf ()-19, * (char *) pf () + 1)-49 );
Return 0;
}
======================================== This is a gorgeous splitting line ======================================
I believe most people do not understand how this code works;
The result of this Code being thrown into VC ++ is::)
In Turbo3.0, this code shows the result of Abnormal program termination (program termination exception)
Here, the bytes of each compiler are different. It is better to say that the memory occupied by Turbo3.0 short (short integer) is 2B,
In VC ++, short occupies the same size of 4B and int.
In this analysis, the compiler is VC ++ 6.0.
Analysis process:
Let's start with const;
Const short int c1 = 49920;
Const int c2 = 1073742008;
These are two local variables. We convert them to hexadecimal for later analysis.
C1 = 0xC300, C2 = 0X400000b8
Let's take a look at their respective memory addresses.
C1 address: 0019FF3C, C2 = 0019FF38; we can clearly see that the number of bytes from c2 to c1 is 4B.
These two variables occupy continuous space. After assigning values to the variables, the memory unit storage bytecode starting from 0x0019ff38 is B8 00 00 40 00 C3.
The corresponding assembly code is: 0040102E mov dword ptr [ebp-8], 400000 h
Let's continue to analyze the next sentence
Int (* pf) () = (int (*) () & c2;
(Int (*) (); a function pointer parameter is defined as NULL and the return value is of the int type. Here, the function pointer pf points to the assembly code above, this is the execution process of this statement.
Next, analyze the following printf ("% c \ n", * (char *) pf ()-19, * (char *) pf () + 1) -49 );
* (Char *) pf ()-19 Code Analysis: Our function pointer pf () is pointing to the assembly code 0x400000, and then (char *) then convert the assembly code to a struct pointer to point to its address, and then subtract 19 from its address and then obtain the value of this address, because char occupies the memory byte (1B), one byte is obtained from this address. * (Char *) pf ()-19 is actually the byte content retrieved from the 0x400000 memory address and then 19 is subtracted.
The following sentence: * (char *) pf () + 1)-49 indicates that a byte content is taken from the 0x400000 + 1 address minus 49.
Next we open the compiler to find the address 0x400000 and the byte content.
Anyone familiar with the PE file structure must know that the exe file 0x400000 is the base address for Memory loading.
That is to say, 0x400000 bytes correspond to 0x4D, and 0x400001 bytes correspond to 0x5A.
This is the first two bytes of the pe file, "MZ"
0x400000 address = 0x4D
0x400001 address = 0x5A
As mentioned above
①: * (Char *) pf ()-19 is actually the byte content retrieved from the 0x400000 memory address and then 19 is subtracted.
②: * (Char *) pf () + 1)-49 indicates that a byte content is taken from the address 0x400000 + 1 minus 49.
①: 0x4D-19 = 58
②: 0x5A-49 = 41
Finally, output by % c::)
Although there are few codes, this code knowledge point is still widely used.
This code has been analyzed here. Don't like it. Thank you for reading it.