简单赋值语句的逆向
signed int __fastcall sub_401020(int a1)
{
signed int v1; // edx@1
signed int result; // eax@2
v1 = 0;
do
{
result = 0;
do
{
*(_DWORD *)a1 = 0xFFEEFFEE;
if ( !v1 )
{
*(_DWORD *)(a1 + 4) = 0xFEFEFEFE;
LABEL_5:
*(_DWORD *)(a1 + 8) = 0xEFEFEFEF;
goto LABEL_6;
}
*(_DWORD *)(a1 + 4) = 0xEFEFEFEF;
if ( v1 != 9 )
goto LABEL_5;
*(_DWORD *)(a1 + 8) = 0xFEFEFEFE;
LABEL_6:
if ( !result )
{
*(_DWORD *)(a1 + 12) = 0xFEFEFEFE;
LABEL_8:
*(_DWORD *)(a1 + 16) = 0xEFEFEFEF;
goto LABEL_9;
}
*(_DWORD *)(a1 + 12) = 0xEFEFEFEF;
if ( result != 9 )
goto LABEL_8;
*(_DWORD *)(a1 + 16) = 0xFEFEFEFE;
LABEL_9:
++result;
a1 += 20;
}
while ( result < 9 );
++v1;
}
while ( v1 < 9 );
return result;
}先贴出来IDA逆向之后的代码,然后一一来分析
题目来自于:百度杯十一月第三场Reverse03
两个do-while嵌套,然后范围都是0-9,可以看作两个for循环,即写成这样:
for(i=0;i<9;i++)
for(j=0;j<9;j++){
…………
}然后,省略号里面都是赋值语句,首先注意赋值的对象:
*(_DWORD *)(a1)
*(_DWORD *)(a1 + 4)
*(_DWORD *)(a1 + 8)
*(_DWORD *)(a1 + 12)
*(_DWORD *)(a1 + 16)
然后,LABEL_9的地方有:a1 += 20
所以这里的指针相当于是控制了5个数组,每次a1自增加之后,会要给5个数组的横坐标为v1,纵坐标为result的地方赋值(之后就用i,j了)
不妨设5个数组为a1,a2,a3,a4,a5
那么,a1数组都是同一个数:0xFFEEFFEE(代码中出现a1的地方只有一次)
a2和a4也比较好判断,因为相当于有个if-else代码:
if ( !v1 )
{
*(_DWORD *)(a1 + 4) = 0xFEFEFEFE;
LABEL_5:
*(_DWORD *)(a1 + 8) = 0xEFEFEFEF;
goto LABEL_6;
}
*(_DWORD *)(a1 + 4) = 0xEFEFEFEF;a2,也就是这里的(a1+4),可以看到,i为0的时候,赋值为0xFEFEFEFE,i不为0的时候,赋值为0xEFEFEFEF
a4同理不作分析
a3和a5是比较难判断的,自己一开始也判断错了,默认为跟a2和a4的格式相同
注意这样的if语句:
if ( !v1 )
{
*(_DWORD *)(a1 + 4) = 0xFEFEFEFE;
LABEL_5:
*(_DWORD *)(a1 + 8) = 0xEFEFEFEF;
goto LABEL_6;
}
*(_DWORD *)(a1 + 4) = 0xEFEFEFEF;
if ( v1 != 9 )
goto LABEL_5;
*(_DWORD *)(a1 + 8) = 0xFEFEFEFE;goto语句:
当i不为0,会跳转到LABEL_5,执行(a1+8)的0xEFEFEFEF的赋值,然后跳转到LABEL_6
当i为0,也会执行(a1+8)的0xEFEFEFEF的赋值,然后跳转到LABEL_6
所以,*(_DWORD *)(a1 + 8) = 0xFEFEFEFE这个代码是执行不到的干扰代码
也即:a3中所有元素都是0xEFEFEFEF
下面把每个数组元素列出来:
设0xFFEEFFEE为0,0xFEFEFEFE为1,0xEFEFEFEF为2
那么各个数组分别为:
a1:
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0
a2:
1 1 1 1 1 1 1 1 1
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
a3:
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
a4:
1 2 2 2 2 2 2 2 2
1 2 2 2 2 2 2 2 2
1 2 2 2 2 2 2 2 2
1 2 2 2 2 2 2 2 2
1 2 2 2 2 2 2 2 2
1 2 2 2 2 2 2 2 2
1 2 2 2 2 2 2 2 2
1 2 2 2 2 2 2 2 2
1 2 2 2 2 2 2 2 2
a5:
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2
2 2 2 2 2 2 2 2 2然后继续~~~
完整版题解在这儿:
快手成长空间 767人发布