IF-ELSE逆向分析

案例

CPP程式碼：

#include "stdafx.h"
int max_num;
void Function(int x, int y) {
	if (x > y) {
		max_num = x;
	} else {
		max_num = y;
	}
}
int main(int argc, char* argv[]) {
	Function(2,3);
	return 0;
}

反彙編：

00401068   push        3
0040106A   push        2
0040106C   call        @ILT+10(Function) (0040100f)
00401071   add         esp,8

0040100F   jmp         Function (004106c0)

004106C0   push        ebp
004106C1   mov         ebp,esp
004106C3   sub         esp,40h
004106C6   push        ebx
004106C7   push        esi
004106C8   push        edi
004106C9   lea         edi,[ebp-40h]
004106CC   mov         ecx,10h
004106D1   mov         eax,0CCCCCCCCh
004106D6   rep stos    dword ptr [edi]
004106D8   mov         eax,dword ptr [ebp+8]
004106DB   cmp         eax,dword ptr [ebp+0Ch]
004106DE   jle         Function+2Bh (004106eb)	;如果x<=y跳轉到004106eb
004106E0   mov         ecx,dword ptr [ebp+8]
004106E3   mov         dword ptr [max_num (0042c20c)],ecx
004106E9   jmp         Function+34h (004106f4)	;如果上方程式碼成功執行，則跳轉到004106f4
004106EB   mov         edx,dword ptr [ebp+0Ch]
004106EE   mov         dword ptr [max_num (0042c20c)],edx
004106F4   pop         edi
004106F5   pop         esi
004106F6   pop         ebx
004106F7   mov         esp,ebp
004106F9   pop         ebp
004106FA   ret

 

IF-ELSE語句的反彙編判斷：

IF_BEGIN
	先執行各類影響標誌暫存器的指令
	jxx ELSE_BEGIN
IF_END
	jmp END
	ELSE_BEGIN
	......
	ELSE_END
END

特點：

1. 如果不跳轉，那麼會執行到jmp處，jmp直接跳轉到END處
2. 如果跳轉，則會直接跳過jmp END處的程式碼，直接執行後面的程式碼

總結：

• 跳轉執行一部分程式碼，不跳轉執行另外一部分程式碼
• 第一個jxx跳轉的地址前有一個jmp，可以判斷是if...else...語句

練習

004010B0   push        ebp	
004010B1   mov         ebp,esp	
004010B3   sub         esp,48h	
004010B6   push        ebx	
004010B7   push        esi	
004010B8   push        edi	
004010B9   lea         edi,[ebp-48h]	
004010BC   mov         ecx,12h	
004010C1   mov         eax,0CCCCCCCCh	
004010C6   rep stos    dword ptr [edi]	
004010C8   mov         eax,[004225c4]	
004010CD   mov         dword ptr [ebp-4],eax	
004010D0   mov         dword ptr [ebp-8],2	
004010D7   mov         ecx,dword ptr [ebp+8]	
004010DA   cmp         ecx,dword ptr [ebp+0Ch]	
004010DD   jl          004010e8	
004010DF   mov         edx,dword ptr [ebp-8]	
004010E2   add         edx,1	
004010E5   mov         dword ptr [ebp-8],edx	
004010E8   mov         eax,dword ptr [ebp+8]	
004010EB   cmp         eax,dword ptr [ebp+0Ch]	
004010EE   jge         004010fb	
004010F0   mov         ecx,dword ptr [ebp-8]	
004010F3   mov         dword ptr [004225c4],ecx	
004010F9   jmp         00401107	
004010FB   mov         edx,dword ptr [ebp-4]	
004010FE   add         edx,dword ptr [ebp-8]	
00401101   mov         dword ptr [004225c4],edx	
00401107   pop         edi	
00401108   pop         esi	
00401109   pop         ebx	
0040110A   mov         esp,ebp	
0040110C   pop         ebp	
0040110D   ret
 

[ebp+8]:x	[ebp+0Ch]:y

[ebp-4]:a	[ebp-8]:b

[004225c4]:N

004010C8   mov         eax,[004225c4]		;將N賦值給a
004010CD   mov         dword ptr [ebp-4],eax	
004010D0   mov         dword ptr [ebp-8],2	;將2賦值給b
004010D7   mov         ecx,dword ptr [ebp+8]	
004010DA   cmp         ecx,dword ptr [ebp+0Ch]	;比較x和y的大小
004010DD   jl          004010e8			;如果x＜y跳轉到004010e8 
004010DF   mov         edx,dword ptr [ebp-8]	;否則b=b+1
004010E2   add         edx,1
004010E5   mov         dword ptr [ebp-8],edx
004010E8   mov         eax,dword ptr [ebp+8]
004010EB   cmp         eax,dword ptr [ebp+0Ch]	;比較x和y的大小
004010EE   jge         004010fb			;如果x>=y跳轉到004010fb 
004010F0   mov         ecx,dword ptr [ebp-8]	
004010F3   mov         dword ptr [004225c4],ecx	;否則N=b
004010F9   jmp         00401107
004010FB   mov         edx,dword ptr [ebp-4]
004010FE   add         edx,dword ptr [ebp-8]
00401101   mov         dword ptr [004225c4],edx	;N=a+b

int N;
void Function(int x, int y) {
	int a = N;
	int b = 2;
	if (x >= y) {
		b += 1;
	}
	if (x < y) {
		N = b;
	} else {
		N = a + b;
	}
}