Reverse analysis of C++ disassembly: locating local variables

Source: Internet
Author: User

The previous article described how the EBP and ESP registers are used in C++ disassembly, and I assume you have some familiarity with that material. If you have not read it, see:

http://www.cnblogs.com/pugang/archive/2012/05/25/2518499.html

This article will not repeat that material. If you have any questions, please leave a comment and we can discuss them.

First, the problem this article solves: how to identify the local variables of a function from its assembly code when no source code is available.

For ease of illustration, the complete code (source lines interleaved with their disassembly) is as follows:

int internalfunctiona(int nsizea1, int nsizea2)
{
00401000 push ebp
00401001 mov ebp, esp
00401003 sub esp, 0Ch
    int localnsizea1 = nsizea1;
00401006 mov eax, dword ptr [nsizea1]
00401009 mov dword ptr [localnsizea1], eax
    int localnsizea2 = nsizea2;
0040100c mov ecx, dword ptr [nsizea2]
0040100f mov dword ptr [localnsizea2], ecx

    int nfunctiona = localnsizea1 + localnsizea2;
00401012 mov edx, dword ptr [localnsizea1]
00401015 add edx, dword ptr [localnsizea2]
00401018 mov dword ptr [nfunctiona], edx

    return nfunctiona;
0040101b mov eax, dword ptr [nfunctiona]
}
0040101e mov esp, ebp
00401020 pop ebp
00401021 ret

int internalfunctionb(int nsizeb1, int nsizeb2)
{
00401030 push ebp
00401031 mov ebp, esp
00401033 push ecx

    int nfunctiona = internalfunctiona(nsizeb1, nsizeb2);
00401034 mov eax, dword ptr [nsizeb2]
00401037 push eax
00401038 mov ecx, dword ptr [nsizeb1]
0040103b push ecx
0040103c call internalfunctiona (401000h)
00401041 add esp, 8
00401044 mov dword ptr [nfunctiona], eax
    return 0;
00401047 xor eax, eax
}
00401049 mov esp, ebp
0040104b pop ebp
0040104c ret

int _tmain(int argc, _TCHAR* argv[])
{
00401050 push ebp
00401051 mov ebp, esp
00401053 push ecx

    int nfunctionval = internalfunctionb(36, 64);
00401054 push 40h
00401056 push 24h
00401058 call internalfunctionb (401030h)
0040105d add esp, 8
00401060 mov dword ptr [nfunctionval], eax
    cout << "Hello solidmango! " << endl;
00401063 mov eax, dword ptr [__imp_std::endl (402048h)]
00401068 push eax
00401069 push offset ___xi_z+3Ch (402154h)
0040106e mov ecx, dword ptr [__imp_std::cout (402078h)]
00401074 push ecx
00401075 call std::operator<<<std::char_traits<char> > (401280h)
0040107a add esp, 8
0040107d mov ecx, eax
0040366f call dword ptr [__imp_std::basic_ostream<char,std::char_traits<char> >::operator<< (40205Ch)]
    return 0;
00401085 xor eax, eax

}
00401087 mov esp, ebp
00401089 pop ebp
0040108a ret

The call process is shown in the figure. Now look at the code. In internalfunctiona() there are three integer local variables: localnsizea1, localnsizea2 and nfunctiona. The instruction

00401003 sub esp, 0Ch

reserves 0Ch (12) bytes on the stack for these three 4-byte variables, leaving ESP at EBP-0Ch. Local variables always sit below the frame pointer, so they are addressed as [EBP-n] with n > 0; every [EBP-n] reference in the function body is therefore a local variable, and that is how the locals are found without source code. (Function arguments, by contrast, sit above the saved EBP and the return address and are addressed as [EBP+n].) Note that internalfunctionb() and _tmain() have no sub esp at all: the single push ecx right after mov ebp, esp is the compiler's shorter way of reserving one 4-byte local, and it has nothing to do with the value of ecx.
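As an added example (not code from the original post), the following Python script applies this rule mechanically to a constructed listing of internalfunctiona as a stripped binary would show it, with raw [ebp-N] operands instead of the symbolic names above; it counts both the sub esp,N and the push-ecx-after-prologue forms of frame reservation. The LISTING_A text and the analyze_frame name are my own assumptions.

```python
import re

# Constructed listing: the article's internalfunctiona as a stripped binary
# shows it, with [ebp-N] offsets in place of the symbolic local names.
LISTING_A = """\
00401000 push ebp
00401001 mov ebp,esp
00401003 sub esp,0Ch
00401006 mov eax,dword ptr [ebp+8]
00401009 mov dword ptr [ebp-4],eax
0040100C mov ecx,dword ptr [ebp+0Ch]
0040100F mov dword ptr [ebp-8],ecx
00401012 mov edx,dword ptr [ebp-4]
00401015 add edx,dword ptr [ebp-8]
00401018 mov dword ptr [ebp-0Ch],edx
0040101B mov eax,dword ptr [ebp-0Ch]
0040101E mov esp,ebp
00401020 pop ebp
00401021 ret
"""

HEXNUM = r"([0-9A-Fa-f]+)h?"                      # MASM style: 0Ch, 8, 24h
INSN = re.compile(r"^\s*[0-9A-Fa-f]{8}\s+(\w+)\s*(.*)$")  # addr mnemonic operands
SUB_ESP = re.compile(r"^esp\s*,\s*" + HEXNUM + r"$", re.I)
EBP_REF = re.compile(r"\[ebp\s*([+-])\s*" + HEXNUM + r"\]", re.I)

def analyze_frame(listing):
    """Recover frame size and the [ebp-N] (local) / [ebp+N] (argument) slots."""
    frame, locals_, args = 0, set(), set()
    after_prologue = False          # True only on the line right after 'mov ebp,esp'
    for line in listing.splitlines():
        m = INSN.match(line)
        if not m:
            continue
        mnem, ops = m.group(1).lower(), m.group(2)
        if mnem == "sub" and SUB_ESP.match(ops):
            frame += int(SUB_ESP.match(ops).group(1), 16)   # sub esp,N reserves N bytes
        elif mnem == "push" and ops.lower() == "ecx" and after_prologue:
            frame += 4              # 'push ecx' right after the prologue reserves one 4-byte local
        for sign, off in EBP_REF.findall(ops):
            (locals_ if sign == "-" else args).add(int(off, 16))
        after_prologue = mnem == "mov" and ops.replace(" ", "").lower() == "ebp,esp"
    # 'fits' flags a local reference that lies outside the reserved frame
    return {"frame_size": frame, "locals": sorted(locals_), "args": sorted(args),
            "fits": max(locals_, default=0) <= frame}

if __name__ == "__main__":
    print(analyze_frame(LISTING_A))
```

Each entry in "locals" is one 4-byte slot (ebp-4, ebp-8, ebp-0Ch), matching the three variables and the 0Ch reserved by sub esp.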

Summary:

Some people may ask why I write these C++ disassembly articles. Briefly:

1. In some cases, when analysing problems such as dump files, C++ as a relatively high-level language is too coarse-grained and the details are not visible.

2. Sometimes we have no C++ code at all, only some DLLs and EXEs, and a problem in the running system still has to be analysed and solved.

3. Anti-virus work, which goes without saying.
