After the previous lessons, we now formally begin reverse analysis. Reverse analysis means understanding what code does by reading its disassembly: recovering the data structures behind each interface, re-expressing the code in a high-level language, and reconstructing the design of the original software from the binary. What follows is an analysis of function calls, loops, and control statements.
In high-level languages, subroutines pass their parameters on the stack.
For example, for test1(Par1, Par2, Par3: integer), the assembly code generated under the C, Pascal, and StdCall calling conventions is as follows:
[Figure: assembly code for test1 under the C, Pascal, and StdCall calling conventions]
Function call
Calling test2(par1, par2) under StdCall builds the stack frame as follows:
push ebp        ; save the caller's EBP
mov ebp, esp    ; set the new EBP to the current top of the stack
sub esp, xxx    ; reserve stack space for local variables
... ...
add esp, xxx    ; release the stack space used by local variables
pop ebp         ; restore the caller's EBP
ret 8           ; return, then remove the two parameters (8 bytes) from the stack
Loop
If a piece of code is known to be a loop, analyze its counter; the ecx register is usually used as the counter.
The following assembly code:
xor ecx, ecx    ; clear ecx to 0
inc ecx         ; count
... ...
cmp ecx, 05     ; compare the counter with the bound
jbe 00440000    ; repeat: jump back to the inc while ecx <= 5
The above assembly code can be written in a high-level language in any of the following three forms:
◆ while (i < 5) { ... }
◆ for (i = 0; i < 5; i++) { ... }
◆ i = 0; repeat i++; ... until (i >= 5)
Control statement
If... Else statement:
cmp byte ptr [00221450], bl   ; compare the byte at 00221450 with bl
jne 00221590                  ; not equal: jump to the else branch
Case statement:
Assembly code:
mov eax, edi          ; eax = k
sub eax, 00000002     ; eax = k - 2
je 00401...           ; k == 2: jump to the case 0x2 handler
sub eax, 0000000E     ; eax = (k - 2) - 0xE = k - 0x10
jne 0040114E          ; k != 0x10: skip the case 0x10 handler
...
High-level statement:
switch (k) {
    case 0x2:  ...; break;
    case 0x10: ...; break;
}
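To make the three patterns above concrete, here is an added example that is not part of the original tutorial: a small interpreter for just the x86 instructions this page uses. It traces the test2 stack frame (push ebp / mov ebp, esp / sub esp / ... / pop ebp / ret 8) under the C, Pascal, and StdCall conventions, counts how often the ecx loop body runs for jbe versus jb, and follows the subtract-and-branch case dispatch. The label name test2, the stack addresses, and the case-value markers are constructed for the demonstration.

```python
# Added example (not from the original tutorial): a tiny interpreter for the few
# x86 instructions this page shows. Code is a list of tuples; registers are 32-bit;
# only the stack is modelled as memory. Addresses and labels are constructed.
MASK = 0xFFFFFFFF


class Cpu:
    def __init__(self):
        self.regs = {"eax": 0, "ecx": 0, "edi": 0, "esp": 0x0019FF00, "ebp": 0}
        self.mem, self.zf, self.cf = {}, False, False   # dword memory, ZF, CF
    def val(self, x):   # operand: int immediate, "reg", or ("reg", off) = [reg+off]
        if isinstance(x, int):
            return x & MASK
        return self.regs[x] if isinstance(x, str) else self.mem[(self.regs[x[0]] + x[1]) & MASK]
    def alu(self, reg, v):                      # ALU ops write the result and ZF
        self.regs[reg] = v & MASK
        self.zf = self.regs[reg] == 0
    def push(self, v):                          # push/pop do not touch the flags
        self.regs["esp"] = (self.regs["esp"] - 4) & MASK
        self.mem[self.regs["esp"]] = v & MASK
    def pop(self):
        v = self.mem[self.regs["esp"]]
        self.regs["esp"] = (self.regs["esp"] + 4) & MASK
        return v
    def run(self, code):
        labels = {a[0]: i for i, (op, *a) in enumerate(code) if op == "label"}
        ip = 0
        while code[ip][0] != "halt":
            op, *a = code[ip]
            ip += 1                              # "label" is a no-op
            if op == "push":
                self.push(self.val(a[0]))
            elif op == "pop":
                self.regs[a[0]] = self.pop()
            elif op == "mov":                   # MOV does not change the flags
                self.regs[a[0]] = self.val(a[1])
            elif op in ("add", "xor", "inc"):
                lhs, rhs = self.regs[a[0]], 1 if op == "inc" else self.val(a[1])
                self.alu(a[0], lhs ^ rhs if op == "xor" else lhs + rhs)
            elif op in ("sub", "cmp"):          # CMP is a SUB that discards the result
                lhs, rhs = self.val(a[0]), self.val(a[1])
                self.cf, self.zf = lhs < rhs, lhs == rhs    # CF = unsigned below
                if op == "sub":
                    self.alu(a[0], lhs - rhs)
            elif op == "call":                  # push the return address, enter callee
                self.push(ip)
                ip = labels[a[0]]
            elif op == "ret":                   # pop the return address, then esp += n
                ip = self.pop()
                self.regs["esp"] = (self.regs["esp"] + (a[0] if a else 0)) & MASK
            elif op in ("jmp", "je", "jne", "jb", "jbe"):
                if {"jmp": True, "je": self.zf, "jne": not self.zf,
                        "jb": self.cf, "jbe": self.cf or self.zf}[op]:
                    ip = labels[a[0]]


def trace_call(par1, par2, convention="stdcall"):
    """Call test2(par1, par2) under "c", "pascal" or "stdcall".
    Returns (esp restored?, ebp restored?, dword the callee reads at [ebp+8])."""
    cpu = Cpu()
    cpu.regs["ebp"] = 0x0019FF80                # constructed caller frame pointer
    esp0, ebp0 = cpu.regs["esp"], cpu.regs["ebp"]
    args = [par1, par2] if convention == "pascal" else [par2, par1]   # push order
    callee_pops = convention != "c"             # C leaves argument cleanup to the caller
    cpu.run([("push", a) for a in args] + [("call", "test2")]
            + ([] if callee_pops else [("add", "esp", 8)]) + [
        ("halt",),
        ("label", "test2"),
        ("push", "ebp"),                        # protect the caller's EBP
        ("mov", "ebp", "esp"),                  # new frame base
        ("sub", "esp", 8),                      # room for locals at [ebp-4], [ebp-8]
        ("mov", "eax", ("ebp", 8)),             # first dword above the saved EBP
        ("add", "esp", 8),                      # release the locals
        ("pop", "ebp"),                         # restore the caller's EBP
        ("ret", 8) if callee_pops else ("ret",),   # StdCall/Pascal: ret 8 pops the args
    ])
    return cpu.regs["esp"] == esp0, cpu.regs["ebp"] == ebp0, cpu.regs["eax"]


def count_loop_iterations(bound, jump="jbe"):
    """Run the page's ecx loop; the final ecx equals the number of body executions."""
    cpu = Cpu()
    cpu.run([("xor", "ecx", "ecx"),             # ecx = 0
             ("label", "top"),
             ("inc", "ecx"),                    # count (the loop body would follow)
             ("cmp", "ecx", bound),
             (jump, "top"),                     # jbe: repeat while ecx <= bound
             ("halt",)])
    return cpu.regs["ecx"]


def dispatch(k):
    """Run the page's subtract-and-branch switch on k; return the case taken, 0 for default."""
    cpu = Cpu()
    cpu.regs["edi"] = k
    cpu.run([("mov", "eax", "edi"),
             ("sub", "eax", 0x2),               # eax = k - 2
             ("je", "case_2"),
             ("sub", "eax", 0xE),               # eax = (k - 2) - 0xE = k - 0x10
             ("jne", "default"),
             ("mov", "eax", 0x10), ("halt",),   # fell through: case 0x10
             ("label", "case_2"), ("mov", "eax", 0x2), ("halt",),
             ("label", "default"), ("mov", "eax", 0), ("halt",)])
    return cpu.regs["eax"]
```

Two things the trace makes visible that the listings alone do not: under Pascal the left-to-right push order puts par2, not par1, at [ebp+8], and under C the frame only balances once the caller executes its own add esp, 8 after the call. The loop helper also shows why the jump condition has to be read carefully: with the bound at 5, jbe (unsigned <=) runs the body six times, while jb (unsigned <) runs it five, matching i < 5. The dispatch helper shows that the second sub operates on the already-reduced eax, so the second case value is 0x2 + 0xE = 0x10 rather than 0xE.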