【Android 逆向】ARM while 逆向
阿新 • • 發佈:2022-03-19
#include <stdio.h>

/*
 * Sum 1..n with a do-while loop.
 *
 * The body executes once before the condition is ever tested, so for
 * n <= 0 the function still adds the first term and returns 1 (contrast
 * whiledo(), which returns 0 in that case). The comparison uses the
 * post-increment form: the *old* index is compared against n, then the
 * index is bumped.
 *
 * n:       upper bound of the sum. The total n*(n+1)/2 must fit in int,
 *          i.e. n < 65536 with a 32-bit int, otherwise signed overflow (UB).
 * returns: the running total.
 */
int dowhile(int n)
{
    int total = 0;
    int idx = 1;

    do {
        total += idx;
    } while (idx++ < n);   /* compares old idx, then increments it */

    return total;
}

/*
 * Sum 1..n with a while loop.
 *
 * The condition is tested before every iteration, so whiledo(n) returns
 * 0 for any n <= 0 without touching the body.
 *
 * n:       upper bound of the sum (same overflow caveat as dowhile()).
 * returns: the running total.
 */
int whiledo(int n)
{
    int total = 0;
    int idx = 1;

    while (idx <= n) {
        total += idx;
        idx++;
    }

    return total;
}

/* Entry point: print both sums for n = 100 (each evaluates to 5050). */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    printf("dowhile:%d\n", dowhile(100));
    printf("while:%d\n", whiledo(100));

    return 0;
}
.text:00008570 ; =============== S U B R O U T I N E =======================================
.text:00008570
.text:00008570 ; NOTE(review): no stack frame is set up in either helper -- everything lives
.text:00008570 ; in R0-R3, which suggests an optimized build. The names doWhile/whileDo differ
.text:00008570 ; from the C source's dowhile/whiledo; presumably renamed in IDA -- verify.
.text:00008570 doWhile                                 ; CODE XREF: main+8↓p
.text:00008570 ; __unwind {
.text:00008570                 MOV     R2, #0          ; s = 0
.text:00008574                 MOV     R3, #1          ; i = 1 (R0 still holds the argument n)
.text:00008578
.text:00008578 loc_8578                                ; CODE XREF: doWhile+18↓j
.text:00008578                 ADD     R2, R2, R3      ; s = s + i  (body runs before any test: no early-out for n <= 0)
.text:0000857C                 ADD     R3, R3, #1      ; i++
.text:00008580                 SUB     R1, R3, #1      ; tmp = i - 1, i.e. the value of i *before* the increment
.text:00008584                 CMP     R0, R1          ; compare n with the old i
.text:00008588                 BGT     loc_8578        ; if n > tmp (old i < n) loop again; this is `i++ < n`
.text:0000858C                 MOV     R0, R2          ; return value goes in R0: R0 = s
.text:00008590                 BX      LR              ; return to the address saved in LR
.text:00008590 ; } // starts at 8570
.text:00008590 ; End of function doWhile
.text:00008590
.text:00008594
.text:00008594 ; =============== S U B R O U T I N E =======================================
.text:00008594
.text:00008594
.text:00008594 whileDo                                 ; CODE XREF: main+20↓p
.text:00008594 ; __unwind {
.text:00008594                 SUBS    R2, R0, #0      ; R2 = n, and set flags from n (compares n against 0)
.text:00008598                 MOVLE   R0, #0          ; if n <= 0: return value 0 ...
.text:0000859C                 BXLE    LR              ; ... and return immediately (the while-condition fails on entry)
.text:000085A0                 MOV     R0, #0          ; s = 0 (the return register doubles as the accumulator)
.text:000085A4                 MOV     R3, #1          ; i = 1
.text:000085A8
.text:000085A8 loc_85A8                                ; CODE XREF: whileDo+20↓j
.text:000085A8                 ADD     R0, R0, R3      ; s += i
.text:000085AC                 ADD     R3, R3, #1      ; i++
.text:000085B0                 CMP     R2, R3          ; compare n with the new i
.text:000085B4                 BGE     loc_85A8        ; if n >= i loop again; this is `i <= n`
.text:000085B8                 BX      LR              ; return, s already in R0
.text:000085B8 ; } // starts at 8594
.text:000085B8 ; End of function whileDo
.text:000085B8
.text:000085BC
.text:000085BC ; =============== S U B R O U T I N E =======================================
.text:000085BC
.text:000085BC ; 
.text:000085BC
.text:000085BC ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:000085BC main                                    ; CODE XREF: j_main↑j
.text:000085BC ; __unwind {
.text:000085BC                 PUSH    {R4,LR}         ; save R4 and LR on the stack (R4 is never written below; presumably pushed only to keep the stack 8-byte aligned -- confirm)
.text:000085C0                 MOV     R0, #0x64 ; 'd' ; R0 = 100, first argument for doWhile
.text:000085C4                 BL      doWhile         ; call doWhile; BL sets LR to the return address 0x85C8
.text:000085C8                 MOV     R1, R0          ; R1 = doWhile's result, second argument for printf
.text:000085CC                 LDR     R0, =(aDowhileD - 0x85D8) ; literal-pool load of the string's offset relative to PC -- NOT a GOT offset
.text:000085D0                 ADD     R0, PC, R0      ; R0 = PC + offset; in ARM state PC reads as this instruction + 8 = 0x85D8, hence the constant above
.text:000085D4                 BL      printf          ; printf("dowhile:%d\n", result)
.text:000085D8                 MOV     R0, #0x64 ; 'd' ; R0 = 100, first argument for whileDo
.text:000085DC                 BL      whileDo         ; call whileDo; BL sets LR to the return address 0x85E0
.text:000085E0                 MOV     R1, R0          ; R1 = whileDo's result, second argument for printf
.text:000085E4                 LDR     R0, =(aWhileD - 0x85F0) ; "while:%d\n" -- same PC-relative scheme (0x85E8 + 8 = 0x85F0)
.text:000085E8                 ADD     R0, PC, R0      ; "while:%d\n"
.text:000085EC                 BL      printf          ; printf("while:%d\n", result)
.text:000085F0                 MOV     R0, #0          ; return 0
.text:000085F4                 POP     {R4,PC}         ; restore R4 and pop the saved LR straight into PC, i.e. return to caller
.text:000085F4 ; End of function main
.text:000085F4
.text:000085F4 ; -----