掌握了基本技巧後,基本上已不難理解所有的反組譯碼結果。授之以魚不如授之以漁:
通過觀察自己寫的代碼的反組譯碼來掌握各種代碼的反組譯碼結果,從而逆向推測系統代碼的源碼。
調試自己寫的代碼時,可以不斷切換查看源碼和反組譯碼來定位代碼執行到何處
這裡用分別用兩個很簡單的C++和Objective-C類來做樣本:
class TestC { int m_var; public: int getVar(); void setVar(int var);};@interface TestOC : NSObject{ int m_var;}- (void)setVar:(int)var;@endint g_var = 0;int *g_pVar = &g_var;void TestC::setVar(int var){ int l_var = 0; l_var = var; m_var = var; g_var = var; *g_pVar = var;}@implementation TestOC- (void)setVar:(int)var{ int l_var = 0; l_var = var; m_var = var; g_var = var; *g_pVar = var;}@end
在外部,這樣調用:
- (void)viewDidLoad{ TestC test; test.setVar(100); TestOC *t = [[TestOC new] autorelease]; [t setVar:100]; .......
分別在兩個類的setVar加斷點,看反組譯碼結果。
WebViewResearch`TestC::setVar(int) at TestClass.mm:15:0x8bda: pushl %ebp0x8bdb: movl %esp, %ebp0x8bdd: calll 0x8be2 ; TestC::setVar(int) + 8 at TestClass.mm:150x8be2: popl %eax0x8be3: movl 12(%ebp), %ecx0x8be6: movl 8(%ebp), %edx0x8be9: movl %ecx, (%edx)0x8beb: movl %ecx, 30406(%eax)0x8bf1: movl 29170(%eax), %eax0x8bf7: movl %ecx, (%eax)0x8bf9: popl %ebp0x8bfa: ret
WebViewResearch`-[TestOC setVar:] at TestClass.mm:25:0x8bfb: pushl %ebp0x8bfc: movl %esp, %ebp0x8bfe: pushl %esi0x8bff: calll 0x8c04 ; -[TestOC setVar:] + 9 at TestClass.mm:290x8c04: popl %eax0x8c05: movl 29372(%eax), %edx0x8c0b: movl 16(%ebp), %ecx0x8c0e: movl 8(%ebp), %esi0x8c11: movl %ecx, (%esi,%edx)0x8c14: movl %ecx, 30372(%eax)0x8c1a: movl 29136(%eax), %eax0x8c20: movl %ecx, (%eax)0x8c22: popl %esi0x8c23: popl %ebp0x8c24: ret
以上是release版的結果。可以看到,編譯器做了最佳化,沒有實際用處的局部變數l_var直接被省略到了,既不為它分配空間,連對它的指派陳述式都沒要。
對於操作成員變數、全域變數,沒法直觀地看出來,需要自己計算好各個位移,才會明白那些帶括弧的間接定址的操作。這些麻煩的事情可以藉助IPA Pro來看(後面會有一系列來講)。
下面是調用兩個類的setVar函數的反組譯碼語句。
0x441e: leal -16(%ebp), %eax0x4421: movl %eax, (%esp)0x4424: movl $100, 4(%esp)0x442c: calll 0x8bda ; TestC::setVar(int) at TestClass.mm:15
0x445b: movl 45819(%esi), %ecx0x4461: movl %ecx, 4(%esp)0x4465: movl %eax, (%esp)0x4468: movl $100, 8(%esp)0x4470: calll 0x97c0 ; symbol stub for: objc_msgSend
可以看到C++能更直接地看出下一步的去向,OC則需要知道是哪個類的對象以及Selector(可用register read來查看)。
對比類的函數以及被調用處的行數,也可以間接地表明,Objective-C的效率會比C++慢一點,但也差不了多少。
Apple也有一些協助反組譯碼調試的文檔:
http://developer.apple.com/library/ios/#technotes/tn2239/_index.html
轉載請註明出處:http://blog.csdn.net/hursing
xcode反組譯碼調試iOS模擬器程式 |
| (一)查看反組譯碼 |
| (二)看懂反組譯碼 |
| (三)查看Objective-C函數與參數 |
| (四)自動斷點應用之NSNotificationCenter |
| (五)調試objc_msgSend函數 |
| (六)函數出入口處的處理與局部變數 |
| (七)Debug與Release的區別 |
| (八)反組譯碼自己的代碼來掌握規則 |
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
