What does EBP+8 mean in this case (in OllyDbg and assembly)?

Problem description

I am just learning Assembler and debugging skills in OllyDbg in order to learn how to use undocumented functions. Now I am having the following problem:

I have the following code part (from OllyDbg):

MOV EDI,EDI
PUSH EBP
MOV EBP,ESP
MOV EAX, DWORD PTR SS:[EBP+8]
XOR EDX,EDX
LEA ECX, DWORD PTR DS:[EAX+4]
MOV DWORD PTR DS:[EAX], EDX
MOV DWORD PTR DS:[ECX+4],ECX
MOV DWORD PTR DS:[ECX],ECX
MOV DWORD PTR DS:[EAX+C],ECX
MOV ECX, DWORD PTR SS:[EBP+C]

This is the beginning of the function and the goal is to find the data structure. So I figured out that it first pushes EBP on the stack and then moves ESP (the current stack pointer) into EBP, where I think it now defines a stack frame for the function. Now the tutorial says that in the popular layout the first argument is placed at [EBP+8] and the second at [EBP+C].

This is what I do not understand. How do I know that the first parameter is placed at EBP+8?

Hopefully someone can help me! Thanks!

Recommended answer

What kind of "undocumented functions" do you mean? Assembly is just compiled high-level code most of the time. There's hardly anything "undocumented" about it.

EBP is most often used as the stack frame pointer in functions, most notably in the C calling convention (also known by the name cdecl). With this convention, the parameters are passed on the stack in reverse order (e.g. the last parameter is pushed first), and the called function uses EBP to access them. Based on the code you posted, I think the data structure might be pointed to by the first parameter. Have a look:

MOV EAX, DWORD PTR SS:[EBP+8]
LEA ECX, DWORD PTR DS:[EAX+4]
MOV DWORD PTR DS:[EAX], EDX
MOV DWORD PTR DS:[ECX+4],ECX
MOV DWORD PTR DS:[ECX],ECX
MOV DWORD PTR DS:[EAX+C],ECX
MOV ECX, DWORD PTR SS:[EBP+C]

The first instruction moves the first argument into EAX. Then an offset of 4 is added to that argument and moved into ECX. Note that this is done by the LEA instruction, which is shorthand for "Load Effective Address". It is used for unsigned arithmetic and compilers like to use it when doing pointer arithmetic and adding offsets - so whenever you see this instruction, you should be alarmed that whatever it operates on might be a pointer to a structure. Of course, there's no way to know for sure. Later on we have some MOVs to and from that address, where ECX is used to access memory. The structures, if they exist, would look something like this in C:

struct a { /* pointed to by EAX / [EBP+8] */
    int memb1; /* MOV DWORD PTR DS:[EAX], EDX */
    struct b* memb2; /* LEA ECX, DWORD PTR DS:[EAX+4] */
    int memb3; /* unused? */
    int memb4; /* MOV DWORD PTR DS:[EAX+C],ECX */
};

struct b {
    int memb1; /* MOV DWORD PTR DS:[ECX],ECX */
    int memb2; /* MOV DWORD PTR DS:[ECX+4],ECX */
};

Hope this clears things up somehow. Reverse-engineering assembly code is a very hard and time-consuming task, especially if you don't have any API calls which would tell you the type of arguments used by the application.
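As an added example (not code from the original question or answer), the constructed C model below replays the cdecl call sequence the answer describes on a simulated 32-bit stack: the caller pushes the arguments right-to-left, CALL pushes the return address, and the PUSH EBP / MOV EBP,ESP prologue fixes EBP, which is why the first argument lands at [EBP+8] and the second at [EBP+C]. The initial ESP/EBP values and the return address are constructed placeholders, and ESP/EBP are byte offsets into a small array rather than real addresses.

```c
#include <assert.h>
#include <stdint.h>

/* Constructed model of a 32-bit stack: 4-byte slots, growing downward.
 * ESP/EBP hold byte offsets into mem[] instead of real addresses. */
#define STACK_BYTES 256
typedef struct { uint32_t mem[STACK_BYTES / 4]; uint32_t esp, ebp; } cpu_t;

static uint32_t *slot(cpu_t *c, uint32_t addr) {
    assert(addr % 4 == 0 && addr + 4 <= STACK_BYTES);   /* reject misaligned or out-of-range access */
    return &c->mem[addr / 4];
}
static void push(cpu_t *c, uint32_t v) { c->esp -= 4; *slot(c, c->esp) = v; }
static uint32_t pop(cpu_t *c) { uint32_t v = *slot(c, c->esp); c->esp += 4; return v; }

/* Caller side of cdecl: PUSH the arguments right-to-left, then CALL,
 * which pushes the return address on top of them. */
static void cdecl_call(cpu_t *c, const uint32_t *args, int n, uint32_t ret_addr) {
    for (int i = n - 1; i >= 0; i--) push(c, args[i]);
    push(c, ret_addr);
}
/* Callee prologue from the listing: PUSH EBP / MOV EBP,ESP (MOV EDI,EDI does nothing). */
static void prologue(cpu_t *c) { push(c, c->ebp); c->ebp = c->esp; }
/* Callee epilogue: MOV ESP,EBP / POP EBP / RET, then the caller's ADD ESP,4*n. */
static uint32_t epilogue_ret(cpu_t *c, int n) {
    c->esp = c->ebp; c->ebp = pop(c);
    uint32_t ret = pop(c); c->esp += 4 * n; return ret;
}

/* What the callee sees relative to EBP once the prologue has run. */
typedef struct { uint32_t at_ebp, at_ebp_4, at_ebp_8, at_ebp_C, ret, esp_after; } frame_view_t;

frame_view_t run_demo(uint32_t arg1, uint32_t arg2) {
    cpu_t c = { {0}, STACK_BYTES, 0xBBBBBBB0u };      /* constructed initial ESP/EBP */
    uint32_t args[2] = { arg1, arg2 };
    cdecl_call(&c, args, 2, 0x00401234u);              /* constructed return address */
    prologue(&c);
    frame_view_t v;
    v.at_ebp   = *slot(&c, c.ebp);        /* saved caller EBP */
    v.at_ebp_4 = *slot(&c, c.ebp + 4);    /* return address pushed by CALL */
    v.at_ebp_8 = *slot(&c, c.ebp + 8);    /* MOV EAX,[EBP+8]: first argument */
    v.at_ebp_C = *slot(&c, c.ebp + 0xC);  /* MOV ECX,[EBP+C]: second argument */
    v.ret = epilogue_ret(&c, 2);
    v.esp_after = c.esp;                  /* back to STACK_BYTES: the stack is balanced */
    return v;
}
```

Swapping the push order in cdecl_call (left-to-right) would move arg1 to [EBP+C], which is exactly the kind of convention difference a disassembly alone does not reveal.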
