Anti-cheat systems often check a function's return address, confirming that it lies within a specified address range and thereby guaranteeing that the function in the game program was not called by a cheat module. Behind this check sits a basic technical question: how do you get the return address of a function?
For example, take this first piece of code:
#include <stdio.h>
int main ()
{
    getchar ();
    return 0;
}
A very simple program. How do we get the start address and the return address of the function? Getting the start address is very easy:
#include <stdio.h>
int main ()
{
    printf ("%0x\n", (unsigned)main);
    getchar ();
    return 0;
}
So how do you get the return address of a function? This is comparatively difficult. Let's look at the disassembly of the first piece of code:
#include <stdio.h>
int main ()
{
009919E0  push        ebp
009919E1  mov         ebp,esp
009919E3  sub         esp,0C0h
009919E9  push        ebx
009919EA  push        esi
009919EB  push        edi
009919EC  lea         edi,[ebp-0C0h]
009919F2  mov         ecx,30h
009919F7  mov         eax,0CCCCCCCCh
009919FC  rep stos    dword ptr es:[edi]
    getchar ();
009919FE  mov         esi,esp
00991A00  call        dword ptr [__imp__getchar (9982B0h)]
00991A06  cmp         esi,esp
00991A08  call        @ILT+295(__RTC_CheckEsp) (99112Ch)
    return 0;
00991A0D  xor         eax,eax
}
00991A0F  pop         edi
00991A10  pop         esi
00991A11  pop         ebx
00991A12  add         esp,0C0h
00991A18  cmp         ebp,esp
00991A1A  call        @ILT+295(__RTC_CheckEsp) (99112Ch)
00991A1F  mov         esp,ebp
00991A21  pop         ebp
00991A22  ret
The first two instructions save the contents of EBP and then copy the contents of ESP into EBP:
009919E0  push        ebp
009919E1  mov         ebp,esp
The call instruction does two things: it pushes the address of the instruction following the call onto the stack, and it jumps unconditionally to the call target to begin executing the subroutine.
The ret instruction that pairs with call resumes execution at the instruction following the call.
So how does ret know the address of the instruction after the call? Because call has already pushed that address onto the stack, ret can find the address of the instruction after the call there.
Since ret can find the return address, that is, the address of the instruction after the call, we can find it too!
Before and during the execution of main, the stack is laid out as follows:
[Figure: "Call stack.jpg", stack layout of main, http://s3.51cto.com/wyfs02/M01/6C/4B/wKioL1VFlR3CC9ZrAAGZmmRDNy4530.jpg]
From the picture above we can clearly see that the return address of main sits at [ebp+4]. So the code to get the return address of main is as follows:
#include <stdio.h>
int main ()
{
    int re_addr;
    __asm
    {
        mov eax, dword ptr [ebp+4]
        mov re_addr, eax
    }
    printf ("%0x\n", re_addr);
    getchar ();
    return 0;
}
main is called by the __tmainCRTStartup () function; the assembly code at the call site is as follows:
    mainret = main (argc, argv, envp);
00B81926  mov         eax,dword ptr [envp (0B87140h)]
00B8192B  push        eax
00B8192C  mov         ecx,dword ptr [argv (0B87144h)]
00B81932  push        ecx
00B81933  mov         edx,dword ptr [argc (0B8713Ch)]
00B81939  push        edx
00B8193A  call        @ILT+300(_main) (0B81131h)
00B8193F  add         esp,0Ch
00B81942  mov         dword ptr [mainret (0B87154h)],eax
As can be seen, the address of the instruction after call main is 00B8193F, and the return address printed by our program is:
b8193f
The leading zero is missing only because "%0x" specifies no field width; the value matches, so we have the right result.
Other functions work the same way, so the author has wrapped the retrieval of a function's return address into a function of its own, provided here for you:
#include <stdio.h>
int get_return_addr ()
{
    int re_addr;
    __asm
    {
        mov eax, dword ptr [ebp]      /* caller's saved EBP */
        mov ebx, dword ptr [eax+4]    /* caller's return address */
        mov re_addr, ebx
    }
    return re_addr;
}
int main ()
{
    int re_addr = get_return_addr ();
    printf ("%0x\n", re_addr);
    getchar ();
    return 0;
}
Why does get_return_addr need a few more assembly instructions than the version written directly inside main? Everyone can think about that for themselves.
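The range check described at the top of the post, written as an added example that is not the author's code: instead of reading [ebp+4] with MSVC inline assembly, it uses the GCC/Clang builtin that yields the same value, and bounds the "module" by the linker symbols __executable_start and etext (an assumption: Linux with GCC or Clang and GNU ld's default script; 32- or 64-bit).

```c
/* Added example, not from the original post. Assumes Linux, GCC/Clang and
 * GNU ld, whose default linker script provides __executable_start and etext. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Linker-provided bounds of this executable's image and of its code. */
extern char __executable_start[];
extern char etext[];

/* 1 if addr lies inside [lo, hi). Kept separate so the decision logic can be
 * exercised with constructed addresses as well as real ones. */
int addr_in_range(uintptr_t addr, uintptr_t lo, uintptr_t hi) {
    return addr >= lo && addr < hi;
}

/* The value the post reads from [ebp+4]: where the caller resumes after we
 * return. noinline guarantees a real call frame at every optimisation level. */
__attribute__((noinline)) uintptr_t get_return_addr(void) {
    return (uintptr_t)__builtin_return_address(0);
}

/* The guarded routine: accept the call only if control came from this
 * module's own code. Returns 1 when the caller is accepted, 0 otherwise. */
__attribute__((noinline)) int guarded_function(void) {
    uintptr_t ret = (uintptr_t)__builtin_return_address(0);
    return addr_in_range(ret, (uintptr_t)__executable_start, (uintptr_t)etext);
}

/* A legitimate call site inside this executable: expected to be accepted. */
int call_from_own_module(void) {
    return guarded_function();
}

/* A heap address stands in for "not this module's code": expected to fail. */
int heap_address_accepted(void) {
    char *p = malloc(16);
    int ok = addr_in_range((uintptr_t)p, (uintptr_t)__executable_start,
                           (uintptr_t)etext);
    free(p);
    return ok;
}

int main(void) {
    printf("code range: %p - %p\n", (void *)__executable_start, (void *)etext);
    printf("return address into main: %#lx\n", (unsigned long)get_return_addr());
    printf("call from own module accepted: %d\n", call_from_own_module());
    printf("heap address accepted: %d\n", heap_address_accepted());
    return 0;
}
```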
This article is from the "C" blog; please be sure to keep this source when reposting: http://5412097.blog.51cto.com/5402097/1641374
How to get the start address and return address of a C language function