《逆向工程核心原理》 (Reverse Engineering Core Principles) study notes 2
- The stack is just a small region of memory; its size is recorded in the PE header
- RETN 8 = RETN, then pop 8 bytes of arguments off the stack. stdcall cleanup: the callee cleans the arguments; cdecl: the caller cleans them
- Nags (nag screens)
- VB: the ThunRTMain function; message boxes are shown by calling rtcMsgBox
- Set Breakpoint on every call to rtcMsgBox
- 1 opcode == 1 byte
- 4 bytes == 1 dword
- registers are 32 bit
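To make the RETN 8 / stdcall vs cdecl note concrete, here is an added example (my own code, not from the book or from Lena's tutorial): a tiny model of the x86 stack in C that implements PUSH, POP, CALL and RETN imm16 and shows where the callee finds its arguments and who is left to remove them. The return address 0x00401000 and the argument values are constructed for the example; the jump part of CALL is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the book or Lena's tutorial): a small model of the
 * x86 stack, enough to show what PUSH, POP, CALL and RETN imm16 do to ESP and
 * why stdcall (RETN 8) leaves the stack balanced while cdecl (plain RETN)
 * leaves the caller to remove the arguments itself. */

typedef struct {
    uint32_t mem[64];   /* 256 bytes of stack memory; highest address at the end */
    uint32_t esp;       /* byte offset into mem; the stack grows downwards */
} stack_t;

static void stack_init(stack_t *s)
{
    memset(s, 0, sizeof *s);
    s->esp = sizeof s->mem;          /* empty stack: ESP points one past the top */
}

/* PUSH src:  ESP -= 4; dword ptr [ESP] = src */
void x86_push(stack_t *s, uint32_t v)
{
    s->esp -= 4;
    s->mem[s->esp / 4] = v;
}

/* POP dest:  dest = dword ptr [ESP]; ESP += 4  (the address comes from ESP) */
uint32_t x86_pop(stack_t *s)
{
    uint32_t v = s->mem[s->esp / 4];
    s->esp += 4;
    return v;
}

/* CALL target: pushes the return address, then jumps (the jump is not modelled) */
void x86_call(stack_t *s, uint32_t return_address)
{
    x86_push(s, return_address);
}

/* RETN imm16: pops the return address into EIP, then adds imm16 to ESP.
 * RETN 8 is therefore "RETN, then discard 8 bytes of arguments". */
uint32_t x86_retn(stack_t *s, uint16_t imm16)
{
    uint32_t eip = x86_pop(s);
    s->esp += imm16;
    return eip;
}

/* Inside the callee, argument n (0-based) lives at [ESP + 4 + 4*n]:
 * [ESP] is the return address, so the first argument is [ESP+4]. */
uint32_t x86_arg(const stack_t *s, unsigned n)
{
    return s->mem[(s->esp + 4 + 4 * n) / 4];
}

/* Push two arguments, CALL, read them as the callee would, then RETN with the
 * given cleanup. Returns how many bytes of arguments are still on the stack
 * afterwards, i.e. what the caller must remove with ADD ESP, n. */
uint32_t simulate_call(uint16_t retn_imm, uint32_t seen_args[2])
{
    stack_t s;
    stack_init(&s);
    uint32_t esp_before = s.esp;

    x86_push(&s, 0x22);              /* second argument (pushed first) */
    x86_push(&s, 0x11);              /* first argument */
    x86_call(&s, 0x00401000u);       /* constructed return address for the example */

    seen_args[0] = x86_arg(&s, 0);   /* [esp+4]  -> 0x11 */
    seen_args[1] = x86_arg(&s, 1);   /* [esp+8]  -> 0x22 */

    x86_retn(&s, retn_imm);
    return esp_before - s.esp;
}

uint32_t stdcall_leftover(void) { uint32_t a[2]; return simulate_call(8, a); }  /* 0 */
uint32_t cdecl_leftover(void)   { uint32_t a[2]; return simulate_call(0, a); }  /* 8 */

/* The callee finds the first argument at [ESP+4] and the second at [ESP+8] */
int callee_sees_args_in_order(void)
{
    uint32_t a[2];
    simulate_call(8, a);
    return a[0] == 0x11 && a[1] == 0x22;
}

int main(void)
{
    printf("stdcall (RETN 8): caller still owes %u bytes\n", stdcall_leftover());
    printf("cdecl   (RETN):   caller still owes %u bytes\n", cdecl_leftover());
    return 0;
}
```

The point to take away when reading disassembly: after a stdcall function returns, the next instruction in the caller continues with a balanced stack, while after a cdecl call you expect to see an `ADD ESP, 8` (or `POP` twice) in the caller. A mismatch between the two is one of the classic ways a stack gets corrupted.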
Learning from Lena's videos
These are mentioned in the book; this is the tuts4you crackme download address, which also contains video tutorials and some other tutorials.
Assembler : The Basics In Reversing
SS stack segment
C-Flag: set when a result goes above FFFFFFFF or below 0
Segments (a page in a book) + offsets (a specific line on that page)
add eax,ebx ;; Register, Register
add eax,123 ;; Register, Value
add eax,dword ptr [404000] ;; Register, Dword Pointer [value]
add eax,dword ptr [eax] ;; Register, Dword Pointer [register]
add eax,dword ptr [eax+00404000] ;; Register, Dword Pointer [register+value]
add dword ptr [404000],eax ;; Dword Pointer [value], Register
add dword ptr [404000],123 ;; Dword Pointer [value], Value
add dword ptr [eax],eax ;; Dword Pointer [register], Register
add dword ptr [eax],123 ;; Dword Pointer [register], Value
add dword ptr [eax+404000],eax ;; Dword Pointer [register+value], Register
add dword ptr [eax+404000],123 ;; Dword Pointer [register+value], value
INT3 and INTO are interrupt calls that take no parameters but call the handlers for interrupts 3 and 4, respectively.
JA* - Jump if (unsigned) above - CF=0 and ZF=0
JAE - Jump if (unsigned) above or equal - CF=0
JB* - Jump if (unsigned) below - CF=1
JBE - Jump if (unsigned) below or equal - CF=1 or ZF=1
JC - Jump if carry flag set - CF=1
JCXZ - Jump if CX is 0 - CX=0
JE** - Jump if equal - ZF=1
JECXZ - Jump if ECX is 0 - ECX=0
JG* - Jump if (signed) greater - ZF=0 and SF=OF (SF = Sign Flag)
JGE* - Jump if (signed) greater or equal - SF=OF
JL* - Jump if (signed) less - SF != OF (!= is not)
JLE* - Jump if (signed) less or equal - ZF=1 or SF != OF
JMP** - Jump - Jumps always
JNA - Jump if (unsigned) not above - CF=1 or ZF=1
JNAE - Jump if (unsigned) not above or equal - CF=1
JNB - Jump if (unsigned) not below - CF=0
JNBE - Jump if (unsigned) not below or equal - CF=0 and ZF=0
JNC - Jump if carry flag not set - CF=0
JNE** - Jump if not equal - ZF=0
JNG - Jump if (signed) not greater - ZF=1 or SF!=OF
JNGE - Jump if (signed) not greater or equal - SF!=OF
JNL - Jump if (signed) not less - SF=OF
JNLE - Jump if (signed) not less or equal - ZF=0 and SF=OF
JNO - Jump if overflow flag not set - OF=0
JNP - Jump if parity flag not set - PF=0
JNS - Jump if sign flag not set - SF=0
JNZ - Jump if not zero - ZF=0
JO - Jump if overflow flag is set - OF=1
JP - Jump if parity flag set - PF=1
JPE - Jump if parity is even - PF=1
JPO - Jump if parity is odd - PF=0
JS - Jump if sign flag is set - SF=1
JZ - Jump if zero - ZF=1
LEA (Load Effective Address)
Syntax: LEA dest,src
LEA can be treated the same way as the MOV instruction. It isn’t used too much for its original function, but more for quick multiplications like this:
lea eax, dword ptr [4*ecx+ebx]
which gives eax the value of 4*ecx+ebx (ptr == pointer)
POP
Syntax: POP dest
POP loads the value at byte/word/dword ptr [esp] (indirect addressing: the address is taken from esp) and puts it into dest.
TEST
Syntax: TEST operand1, operand2
This instruction is in 99% of all cases used as “TEST EAX, EAX”. It performs a logical AND (like the AND instruction) but does not save the result. It only sets the Z-Flag when EAX is 0, or clears it when EAX is not 0. The O/C flags are always cleared.
XOR
Syntax: XOR dest,src
The XOR instruction connects two values using logical exclusive OR (remember OR uses inclusive OR). This instruction clears the O-Flag and the C-Flag and can set the Z-Flag.
To understand XOR better, consider those two binary values:
1001010110
0101001101
If you XOR them, the result is 1100011011
The most often seen use of XOR is “XOR EAX, EAX”. This will set EAX to 0,
because when you XOR a value with itself, the result is always 0. I hope you understand why, else
write down a value on paper and try ;)
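The jump table, the TEST note and the XOR note above all come down to which flags an instruction sets and which flags each Jcc reads. The following is an added example (my own C code, not from the book or Lena's tutorial) that models CF, ZF, SF, OF and PF for CMP, ADD, TEST and XOR on 32-bit registers and evaluates the Jcc conditions from the table, so you can check for a given comparison which jumps are taken. It deliberately shows the signed/unsigned trap: after CMP 0xFFFFFFFF, 1 the unsigned JA and the signed JL are both taken. JCXZ/JECXZ test a register rather than the flags and are left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the book or Lena's tutorial): a model of the EFLAGS
 * bits that CMP/SUB, ADD, TEST and XOR set, plus the Jcc conditions from the
 * jump table above. Only CF, ZF, SF, OF and PF are modelled. */

typedef struct { bool cf, zf, sf, of, pf; } flags_t;

/* PF is set when the low byte of the result has an even number of 1 bits */
static bool parity_even(uint32_t v)
{
    uint8_t b = (uint8_t)v;
    int ones = 0;
    for (int i = 0; i < 8; i++) ones += (b >> i) & 1;
    return (ones % 2) == 0;
}

static flags_t flags_of(uint32_t result, bool cf, bool of)
{
    flags_t f;
    f.cf = cf;
    f.zf = (result == 0);
    f.sf = (result >> 31) & 1;     /* sign bit of the 32-bit result */
    f.of = of;
    f.pf = parity_even(result);
    return f;
}

/* CMP a, b computes a - b and throws the result away; only the flags survive.
 * CF = unsigned borrow, OF = signed overflow (operands of different sign and
 * the result's sign differs from a). */
flags_t x86_cmp(uint32_t a, uint32_t b)
{
    uint32_t r = a - b;
    bool cf = a < b;
    bool of = ((a ^ b) & (a ^ r)) >> 31;
    return flags_of(r, cf, of);
}

/* ADD a, b: CF = unsigned carry out, OF = same-sign operands, different-sign result */
flags_t x86_add(uint32_t a, uint32_t b)
{
    uint32_t r = a + b;
    bool cf = r < a;
    bool of = (~(a ^ b) & (a ^ r)) >> 31;
    return flags_of(r, cf, of);
}

/* TEST and XOR always clear CF and OF; TEST discards the AND result,
 * XOR keeps it (XOR EAX,EAX therefore zeroes EAX and sets ZF). */
flags_t x86_test(uint32_t a, uint32_t b) { return flags_of(a & b, false, false); }
flags_t x86_xor(uint32_t a, uint32_t b)  { return flags_of(a ^ b, false, false); }

/* Conditions from the Jcc table; aliases (JNBE for JA, JC for JB, ...) share a line.
 * JCXZ/JECXZ test a register rather than the flags, so they are not modelled. */
bool jcc_taken(const char *mn, flags_t f)
{
    /* unsigned comparisons: CF (and ZF) */
    if (!strcmp(mn, "JA")  || !strcmp(mn, "JNBE"))                       return !f.cf && !f.zf;
    if (!strcmp(mn, "JAE") || !strcmp(mn, "JNB") || !strcmp(mn, "JNC"))  return !f.cf;
    if (!strcmp(mn, "JB")  || !strcmp(mn, "JNAE") || !strcmp(mn, "JC"))  return f.cf;
    if (!strcmp(mn, "JBE") || !strcmp(mn, "JNA"))                        return f.cf || f.zf;
    /* equality: ZF */
    if (!strcmp(mn, "JE")  || !strcmp(mn, "JZ"))                         return f.zf;
    if (!strcmp(mn, "JNE") || !strcmp(mn, "JNZ"))                        return !f.zf;
    /* signed comparisons: SF compared with OF (and ZF) */
    if (!strcmp(mn, "JG")  || !strcmp(mn, "JNLE"))                       return !f.zf && f.sf == f.of;
    if (!strcmp(mn, "JGE") || !strcmp(mn, "JNL"))                        return f.sf == f.of;
    if (!strcmp(mn, "JL")  || !strcmp(mn, "JNGE"))                       return f.sf != f.of;
    if (!strcmp(mn, "JLE") || !strcmp(mn, "JNG"))                        return f.zf || f.sf != f.of;
    /* single-flag jumps */
    if (!strcmp(mn, "JO"))  return f.of;
    if (!strcmp(mn, "JNO")) return !f.of;
    if (!strcmp(mn, "JS"))  return f.sf;
    if (!strcmp(mn, "JNS")) return !f.sf;
    if (!strcmp(mn, "JP")  || !strcmp(mn, "JPE"))                        return f.pf;
    if (!strcmp(mn, "JNP") || !strcmp(mn, "JPO"))                        return !f.pf;
    if (!strcmp(mn, "JMP")) return true;
    return false;   /* unknown mnemonic: treated as not taken */
}

int main(void)
{
    /* The classic trap: 0xFFFFFFFF is huge unsigned but -1 signed, so the
     * unsigned JA and the signed JL are both taken after CMP 0xFFFFFFFF, 1. */
    const char *jumps[] = { "JA", "JB", "JG", "JL", "JE", "JNE" };
    flags_t f = x86_cmp(0xFFFFFFFFu, 1);
    for (size_t i = 0; i < sizeof jumps / sizeof jumps[0]; i++)
        printf("cmp 0xFFFFFFFF, 1 ; %-3s -> %s\n", jumps[i],
               jcc_taken(jumps[i], f) ? "taken" : "not taken");
    return 0;
}
```

When you are stepping through a compare in the debugger, this is exactly the question to ask: is the following jump an unsigned one (JA/JB family, reads CF) or a signed one (JG/JL family, reads SF against OF)? The same flag state sends the two families in different directions, which is why a length check written with the wrong family is a recurring source of bugs.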