member variable, virtual function table pointer, and then to the normal member variable. And then we'll see what it looks like in the virtual function table:A virtual function table is also an address that holds a virtual function for each item in 4 bytes. The address of the saved virtual function is discharged in the order declared by the function, the first one holds the virtual function of the first declaration, the second item holds the second one, and so on. Let's see what each item in thi
after the function call is complete. (Win32API Follow the stdcall parameter Specification , not in the scope of this article ) Here is the test codevoidSwap (__int64* _pnx, __int64*_pny) {__int64 ntemp= *_pnx; *_PNX = *_pny; *_PNY =ntemp;}voidSwap (__int64 _nx, __int64_ny) {__int64 ntemp=_nx; _nx=_ny; _ny=ntemp;}voidSetValue (__int64 _nx) {__int64 ntemp=_nx;}//Test001voidGetMemory (__int64*_pbuff) {_pbuff=New__int64[4];}//Test002voidGetMemory (__int64**_ppbuff) { *_ppbuff =New__int6
accounted for 10 bytes, to 4-byte alignment, so you need to complement two bytes, so two 0xcc, resulting in a 10 byte between the BF and array. The one next to the above array should be two 0xcc to complement the alignment. It was deliberately marked to the back. The purpose of this identification here is to illustrate the principle of checkstackvars this inspection.
OK, clear the memory distribution, then checkstackvars at what time to perform the check, in C + + code can not be displayed to
We all know that after JDK 5 introduced the mechanism of automatic disassembly box, this is a good thing to write code. Integer object comparison between -128~127 these old stems do not mention, their own look at the source code can be understood, today we say something unexpected
A.java has class A,a method Add (int i), which is a primitive type, perfect match
class A {public
static void Main (string[] args) {
b.add (1);
}
}
B.java
c
I helped my friends kill the virus a few days ago, and I caught the virus by the way. Today, we will conduct a reverse analysis on it to see how it works.
Environment Description: a virtual machine with Windows XP is installed.Object: a USB flash drive VirusTools:PEID (shell Check Tool)Ollydbg (Dynamic Disassembly tool)
I. Seduce the enemy and discover the virus
1. This is a USB flash drive virus. First, run it on the virtual machine to make itself po
follows:Figure 1 shell check for pandatvIt can be seen that this program is not shelled, so it does not involve shelling, and it is written by Borland Delphi 6.0-7.0. The Code Compiled by Delphi is different from the code written by VC ++. The two most obvious differences are as follows:1. When a function is called, parameters are not transferred completely using stacks, but mainly using registers. That is, the Delphi compiler transfers function parameters using register by default. This is tot
local processor, which negatively affects the performance. Although the increasing execution speed of modern processors will eventually alleviate this problem, it is still obvious. One way for VM developers to speed up execution is to use a bytecode instruction set that is smaller than the local processor assembler. Local applications may contain up to 400 commands, while Java applications generally use up to 200 commands. Fewer commands mean that hackers can analyze code more quickly for rever
WinRAR is one of the most commonly used software. Since it is not a free software, after the trial period, every time you open winRAR, you will be prompted to register a dialog box, which is annoying. Therefore, my general practice is to download a lower version of winrar after it is cracked (the latest version of WinRAR is often slow to crack), so if you want to taste it, you have to wait for a while.I recently read "hacker disassembly and decryption
WinRAR is one of the most commonly used software. Since it is not a free software, after the trial period, every time you open WinRAR, you will be prompted to register a dialog box, which is annoying. Therefore, my general practice is to download a lower version of WinRAR after it is cracked (the latest version of WinRAR is often slow to crack), so if you want to taste it, you have to wait for a while.
I recently read "hacker disassembly and decryptio
which can
Not Represent section addresses, such as A. Out.
-B bfdname
-Target = bfdname
Specify the target format. This is not necessary. objdump can automatically recognize many formats,
For example: objdump-B oasys-M VAX-H Fu. o
Displays the summary of the Fu. O header, explicitly indicating that the file is oasys In the VAX system.
The target file generated by the compiler. Objdump-I will show what can be specified here
Target code format list
-Demangle
-C decodes the underlying symbolic nam
Clear all breakpoints in the project.
Debugging. Disassembly
CTRL + ALT + d
The Disassembly window is displayed.
Debug. Enable breakpoint
CTRL + F9
Switch the breakpoint from disabled to enabled.
Debugging. Exception
CTRL + d,CTRL + E
The "exception" dialog box is displayed.
Debugging. Instant
CTRL + d,CTRL + I
The "instant" window is displayed
First, through the disassembly language, let's take a look at the relationship between the simplest recursive function and the stack.
In Visual Studio 2008 and debug environments, you can view the language after disassembly in debug/Windows/disassembly. Now let's take a look at factorial n! Implementation
The C language implementation code is as follows:
#includ
DEBUG:A (Compendium)
Merges the 8086/8087/8088 memory code directly into memory.
This command creates the executable machine code from the assembly language statement. All values are in hexadecimal format and must be entered in one to four characters. Specifies the prefix memory code before the referenced operation code (opcode).
A [address]
Parameters
Address
Specifies where to type assembly-language instructions. Use a hexadecimal value for address and type each value that does not end with t
*} ${[emailprotected]} variable name matching, matching variable names starting with prefix, output matching variable names: [emailprotected]:~# Echo ${! p*} PAT PATH pipestatus PPID PS1 PS2 PS4 PW PWD [emailprotected]:~# Echo ${[emailnbsp ;p rotected]} PAT PATH pipestatus PPID PS1 PS2 PS4 PW PWD [emailprotected]:~# ${!name[@]} ${!name[*]} The list of array keys. If the name is an array variable, it expands
select popular tools because these tools have been widely studied and have a general "Shelling" approach.
2. In addition to shell processing, it is best to embed anti-tracking code during software development to prevent "brute-force" tools from finding software registration vulnerabilities.
There are many anti-tracking methods for the software. Common examples are the random change of the memory address of key code using the spending command. The following is an example.
The initial source code
compiled by Delphi. Of course, it's important to use Dede disassembly to find the keyCode. After disassembly, find the "register" button in the "register" dialog box and click the response code at 0x004f0b60. The initialization code of the "register" dialog box is at 0x004f0d18.
After Dede's work is done, open Ida pro disassembly. This tool is not only the kin
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.