如何将 BNE 指令更改为 BEQ 并更改其参数?

How can I change BNE instruction to BEQ and change its argument?

我反汇编一个 ARM 程序后得到如下代码。如何将此程序二进制文件中的 bne 指令更改为 beq?以及如何更改 bne 的跳转偏移量?

e50b0008        str     r0, [fp, #-8]
e50b100c        str     r1, [fp, #-12]
e51b3008        ldr     r3, [fp, #-8]
e353000d        cmp     r3, #13
1a000001        bne     28 <main+0x28>
e3a03007        mov     r3, #7
ea000000        b       2c <main+0x2c>
e3a03002        mov     r3, #2
e1a00003        mov     r0, r3

好的,我想我得到了有关如何将 beq 更改为 bne 的问题的答案。我编译并反汇编了这段C代码(也许这不是最好的解决方案,但我正在试验并且它只是为了反汇编):

/* Recursive helper used only to give the disassembly something to branch on.
   Returns 1 when i == 0, otherwise i plus the value for i - 1.
   Note: a negative i never reaches the i == 0 base case, so the recursion
   does not terminate for such inputs. */
int f(int i) {
    return (i == 0) ? 1 : i + f(i - 1);
}

/* Starting from 1, adds f(i) for every i in [0, 2*a) whose i % 3 differs
   from a % 2. The `!=` here is the comparison whose bne/beq encoding the
   experiment below inspects. Despite its name it computes no maximum. */
int max(int a) {
    const int limit = a * 2;
    const int skip = a % 2;   /* values of i % 3 equal to this are skipped */
    int total = 1;
    int i = 0;
    while (i < limit) {
        if (i % 3 != skip) {
            total += f(i);
        }
        i++;
    }
    return total;
}

这里如果把 `i % 3 != a % 2` 改成 `i % 3 == a % 2`,那么两份反汇编代码的区别就是:

26c26
<   40: e3a02000    mov r2, #0
---
>   40: e3a0c000    mov ip, #0
28c28
<   48: e15e0002    cmp lr, r2
---
>   48: e15e000c    cmp lr, ip
33,34c33,34
<   5c: e2822001    add r2, r2, #1
<   60: e1520004    cmp r2, r4
---
>   5c: e28cc001    add ip, ip, #1
>   60: e15c0004    cmp ip, r4
36,39c36,39
<   68: e0813295    umull   r3, r1, r5, r2
<   6c: e3c13001    bic r3, r1, #1
<   70: e08330a1    add r3, r3, r1, lsr #1
<   74: e0423003    sub r3, r2, r3
---
>   68: e0823c95    umull   r3, r2, r5, ip
>   6c: e3c23001    bic r3, r2, #1
>   70: e08330a2    add r3, r3, r2, lsr #1
>   74: e04c3003    sub r3, ip, r3
41,44c41,44
<   7c: 1afffff6    bne 5c <max+0x30>
<   80: e3520000    cmp r2, #0
<   84: 11a03002    movne   r3, r2
<   88: 13a01000    movne   r1, #0
---
>   7c: 0afffff6    beq 5c <max+0x30>
>   80: e35c0000    cmp ip, #0
>   84: 11a0300c    movne   r3, ip
>   88: 13a02000    movne   r2, #0
46c46
<   90: e1a0c003    mov ip, r3
---
>   90: e1a01003    mov r1, r3
48c48
<   98: e081100c    add r1, r1, ip
---
>   98: e0822001    add r2, r2, r1
50,53c50,53
<   a0: e2811001    add r1, r1, #1
<   a4: e2822001    add r2, r2, #1
<   a8: e1520004    cmp r2, r4
<   ac: e0800001    add r0, r0, r1
---
>   a0: e2822001    add r2, r2, #1
>   a4: e28cc001    add ip, ip, #1
>   a8: e15c0004    cmp ip, r4
>   ac: e0800002    add r0, r0, r2
57c57
<   bc: e3a01001    mov r1, #1
---
>   bc: e3a02001    mov r2, #1

我认为 `1afffff6 bne 5c <max+0x30>` 与 `0afffff6 beq 5c <max+0x30>` 这一对差异正是我需要的。所以,我们只需要把 1a 改成 0a(即把条件码从 NE 换成 EQ,跳转偏移量部分保持不变)。考虑到字节顺序,python3 上的解决方案之一是:

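# Context bytes around the branch word, so that only the intended
# `1a000001  bne` is rewritten even if the same word occurs elsewhere in
# the binary. They are the little-endian encodings of the neighbouring
# `e353000d  cmp r3, #13` and `e3a03007  mov r3, #7` from the listing.
pref = b"\x0d\x00\x53\xe3"
suff = b"\x07\x30\xa0\xe3"

# ARM words are stored little-endian here, so the condition code ends up in
# the high nibble of the *last* byte: 0x1a is NE (bne), 0x0a is EQ (beq).
# The first three bytes (the branch offset) are left untouched.
old_branch = b"\x01\x00\x00\x1a"  # bne
new_branch = b"\x01\x00\x00\x0a"  # beq

needle = pref + old_branch + suff
patch = pref + new_branch + suff
# Same length in and out: no other offset in the file shifts.
assert len(needle) == len(patch)

# "source" is the binary whose disassembly is shown above.
with open("source", mode="rb") as rfile:
    data = rfile.read()

# bytes.replace() silently does nothing when the pattern is absent; check
# first so a mismatch is reported instead of an unmodified "cracked" file.
hits = data.count(needle)
if hits == 0:
    raise SystemExit("pattern not found in 'source'; nothing written")

# Every occurrence of the context-delimited pattern is rewritten, as before.
with open("cracked", mode="wb") as wfile:
    wfile.write(data.replace(needle, patch))

print("patched", hits, "occurrence(s)")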