x86 assembly code and process virtual memory

I am trying to understand the following piece of code

    data dd 1,2,3,4,5,6              ; six 32-bit values, 4 bytes each
myfunc:
    lea eax, data                    ; eax = address of data
    cmp eax, DWORD PTR [ebp-8]
    jle SHORT L1                     ; signed compare: skip the block if address(data) <= [ebp-8]
    mov ecx, DWORD PTR [ebp-8]
    add ecx, DWORD PTR [ebp-4]
    mov DWORD PTR [ebp-4], ecx       ; [ebp-4] = old [ebp-8] + old [ebp-4]
    mov edx, DWORD PTR [ebp-4]
    sub edx, DWORD PTR [ebp-8]
    mov DWORD PTR [ebp-8], edx       ; [ebp-8] = old [ebp-4]
    mov eax, DWORD PTR [ebp-4]
    sub eax, DWORD PTR [ebp-8]
    mov DWORD PTR [ebp-4], eax       ; [ebp-4] = old [ebp-8]
L1:
    mov eax, DWORD PTR [ebp-8]       ; result in eax

The first line, I know, gets loaded into the process's virtual memory; since dd defines 4-byte values, it is probably laid out like this?

data dd 1,2,3,4,5,6

4004000  01 ; 1
4004001  00 ; 0
4004002  00 ; 0
4004003  00 ; 0

4004004  02 ; 2
4004005  00 ; 0
4004006  00 ; 0
4004007  00 ; 0

4004008  03 ; 3
4004009  00 ; 0
400400A  00 ; 0
400400B  00 ; 0

4004008  04 ; 4
4004009  00 ; 0
400400A  00 ; 0
400400B  00 ; 0

400400C  05 ; 5
400400D  00 ; 0
400400E  00 ; 0
400400F  00 ; 0

4004010  06 ; 6
4004011  00 ; 0
4004012  00 ; 0
4004013  00 ; 0

However, after the label it loads the memory address of the variable data into the eax register, and then compares the value of eax with the DWORD at [ebp-8].

What I don't understand is that ebp does not contain the address I assumed, so maybe a mov ebp, esp is missing?

Even if I move esp into ebp, the part I don't understand is that the code says ebp-8; should it be ebp-4, perhaps pointing to the address of the first DWORD defined?

Can someone point me in the right direction?

Thanks!

... it's a block provided to me for research purposes, probably from IDA Pro, from a disassembled PE, to understand what this function is doing along with the effect of the instructions on CPU registers

... I am trying to understand what these instructions do when executed

... unfortunately I am still not able to figure out what the content of the registers will be once this subtraction and addition happens relative to the ebp register

    mov ecx, DWORD PTR [ebp-8]
    add ecx, DWORD PTR [ebp-4]
    mov DWORD PTR [ebp-4], ecx
    mov edx, DWORD PTR [ebp-4]
    sub edx, DWORD PTR [ebp-8]
    mov DWORD PTR [ebp-8], edx
    mov eax, DWORD PTR [ebp-4]
    sub eax, DWORD PTR [ebp-8]
    mov DWORD PTR [ebp-4], eax

This code essentially just swaps the local variables at [ebp-8] and [ebp-4].
Instead of needing 9 instructions and clobbering 3 registers, it could be written as:

    mov edx, [ebp-8]
    mov eax, [ebp-4] 
    mov [ebp-4], edx
    mov [ebp-8], eax

    lea eax, data
    cmp eax, DWORD PTR [ebp-8]
    jle SHORT L1
    ...
L1:
    mov eax, DWORD PTR [ebp-8]

Rewriting the test for clarity:

    cmp DWORD PTR [ebp-8], OFFSET data   ; OFFSET: compare with the address of data, not its first element
    jge SHORT L1
    ...
L1:
    mov eax, [ebp-8]

If the local variable at [ebp-8] is greater than or equal to the start address of the array, it becomes the result in EAX.

If the local variable at [ebp-8] is less than the start address of the array, the original contents of [ebp-4] become the result in EAX.


If the swap part does not matter, the following code produces the same result in EAX:

    mov eax, [ebp-8]
    cmp eax, OFFSET data   ; a bare `data` operand would read the first dword (1) instead of the address
    jge SHORT L1
    mov eax, [ebp-4]
L1:
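As an added example (my own code, not from the question or the answer): a small Python model of only the x86 pieces this snippet uses, which serves both the question's "what will the registers contain" and the answer's claim that the 9-instruction block is a swap. It runs the posted sequence on constructed local-variable values, records the registers and both locals after every instruction, checks that the answer's short rewrite yields the same EAX, and shows the little-endian 4-byte layout that `dd` emits. The EBP value and the address of `data` are constructed assumptions; a real loader would choose different ones.

```python
import re
import struct

MASK = 0xFFFFFFFF
DATA_ADDR = 0x04004000            # constructed: where the loader put `data`
DATA_VALUES = [1, 2, 3, 4, 5, 6]  # data dd 1,2,3,4,5,6

def dd_layout(values, base=DATA_ADDR):
    """Bytes a `dd` directive emits: 4 bytes per value, little-endian."""
    raw = struct.pack("<%dI" % len(values), *values)
    return {base + i: b for i, b in enumerate(raw)}

def signed(v):
    """Interpret a 32-bit value as the signed number jle/jge look at."""
    return v - (1 << 32) if v & 0x80000000 else v

class Cpu:
    """Just enough x86 to run the snippet: 32-bit regs, [ebp+disp] locals,
    the `data` symbol (address via lea/OFFSET, contents via a bare operand),
    and a signed compare feeding jle/jge."""

    def __init__(self, ebp, locals_):
        self.r = {"eax": 0, "ecx": 0, "edx": 0, "ebp": ebp}
        self.mem = {ebp + off: val & MASK for off, val in locals_.items()}
        self.cmp = 0      # signed difference left by the last CMP
        self.trace = []   # (instruction, eax, ecx, edx, [ebp-4], [ebp-8])

    def lvalue(self, op):
        m = re.search(r"\[ebp([+-]\d+)\]", op)
        if m:
            return ("mem", self.r["ebp"] + int(m.group(1)))
        if op.lower() == "data":
            return ("mem", DATA_ADDR)
        return ("reg", op)

    def read(self, op):
        if op.lower().startswith("offset "):
            return DATA_ADDR                 # immediate: the address of `data`
        kind, where = self.lvalue(op)
        if kind == "reg":
            return self.r[where]
        if where == DATA_ADDR:               # bare `data` reads its first dword
            return DATA_VALUES[0]
        return self.mem[where]

    def write(self, op, val):
        kind, where = self.lvalue(op)
        (self.r if kind == "reg" else self.mem)[where] = val & MASK

    def run(self, asm):
        lines = [l.split(";")[0].strip() for l in asm.splitlines()]
        lines = [l for l in lines if l]
        labels = {l[:-1]: i for i, l in enumerate(lines) if l.endswith(":")}
        pc = 0
        while pc < len(lines):
            ins = lines[pc]; pc += 1
            if ins.endswith(":"):
                continue
            op, _, rest = ins.partition(" ")
            args = [a.replace("DWORD PTR", "").replace("SHORT", "").strip()
                    for a in rest.split(",")]
            if op == "mov":   self.write(args[0], self.read(args[1]))
            elif op == "add": self.write(args[0], self.read(args[0]) + self.read(args[1]))
            elif op == "sub": self.write(args[0], self.read(args[0]) - self.read(args[1]))
            elif op == "lea": self.write(args[0], self.lvalue(args[1])[1])
            elif op == "cmp": self.cmp = signed(self.read(args[0])) - signed(self.read(args[1]))
            elif op == "jle": pc = labels[args[0]] if self.cmp <= 0 else pc
            elif op == "jge": pc = labels[args[0]] if self.cmp >= 0 else pc
            else: raise ValueError("unsupported instruction: " + ins)
            e = self.r["ebp"]
            self.trace.append((ins, self.r["eax"], self.r["ecx"], self.r["edx"],
                               self.mem[e - 4], self.mem[e - 8]))
        return self.r["eax"]

POSTED = """
myfunc:
    lea eax, data
    cmp eax, DWORD PTR [ebp-8]
    jle SHORT L1
    mov ecx, DWORD PTR [ebp-8]
    add ecx, DWORD PTR [ebp-4]
    mov DWORD PTR [ebp-4], ecx
    mov edx, DWORD PTR [ebp-4]
    sub edx, DWORD PTR [ebp-8]
    mov DWORD PTR [ebp-8], edx
    mov eax, DWORD PTR [ebp-4]
    sub eax, DWORD PTR [ebp-8]
    mov DWORD PTR [ebp-4], eax
L1:
    mov eax, DWORD PTR [ebp-8]
"""

ANSWER = """
    mov eax, [ebp-8]
    cmp eax, OFFSET data
    jge SHORT L1
    mov eax, [ebp-4]
L1:
"""

EBP = 0x0019FF80   # constructed: EBP inside myfunc after the usual prologue

def run_posted(local4, local8, ebp=EBP):
    """Run the question's code; return (eax, [ebp-4], [ebp-8]) afterwards."""
    cpu = Cpu(ebp, {-4: local4, -8: local8})
    eax = cpu.run(POSTED)
    return eax, cpu.mem[ebp - 4], cpu.mem[ebp - 8]

def trace_posted(local4, local8, ebp=EBP):
    """Register/local snapshot after each executed instruction of the question's code."""
    cpu = Cpu(ebp, {-4: local4, -8: local8})
    cpu.run(POSTED)
    return cpu.trace

def run_answer(local4, local8, ebp=EBP):
    """Run the answer's short rewrite; return eax."""
    return Cpu(ebp, {-4: local4, -8: local8}).run(ANSWER)

if __name__ == "__main__":
    for step in trace_posted(0x11, 0x22):
        print("%-28s eax=%08x ecx=%08x edx=%08x [ebp-4]=%08x [ebp-8]=%08x" % step)
```

Running it with two small locals (both below the array address) prints the swap step by step and ends with EAX holding what was in [ebp-4]; with a local at or above the array address the jle is taken, nothing is swapped and EAX is [ebp-8]. The model also separates a bare `data` operand (which reads the first element, 1) from `OFFSET data` (the address), which is why the answer's rewrites need OFFSET when the intent is to compare against the address that `lea` loaded.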