C++ Disassembly and Reverse Analysis – Reading Notes
C++ reverse requirements
Many programs are developed in C++/MFC. To reverse them you must understand how C++ programs are built. You do not need to be proficient; you need to be able to read the source code and know what assembly it becomes.
C++ programs follow rules that differ from those of C. Through this book we can understand programs developed in C++: how to recognise them, and how the source code and the compiler together turn into assembly. Reading this book is like taking a Windows reverse-engineering course.
Catalog of a C++ reverse course
Chapter 3 C++ and MFC/Reverse Exercise 3000 yuan
3.1 What is the difference between a structure and a class
3.2 The essence of the this pointer in encapsulation
3.3 Constructor and destructor
3.4 What are the benefits of inheritance
3.5 Multiple inheritance and diamond inheritance
3.6 Pure virtual function and virtual Function
3.7 What is the relationship between polymorphism and virtual function
3.8 Virtual inheritance and destructor call virtual function
3.9 The magic of function overloading
3.10 What is operator overloading
3.11 How templates are used
3.12 Class templates and namespaces
of containers
3.14 Vector of containers
of container
3.16 List of container
3.17 usage of iterator
3.18 input stream and file stream
3.19 set map
3.20 element count of stl and minimum value
3.21 function object and unary predicate
3.22 stl search and delete
3.23 C++ exception
3.24 execution of a Win32 program Process (the essence of the message mechanism)
3.25 Win32 creation display window
3.26 Win32 message dispatch process
3.27 Win32 message loop and message function
3.28 Win32 dialog message process
3.29 The relationship between MFC and Win32 programs
3.32 MFC dialog
menu
3.34 MFC drawing
3.35 MFC text operation
3. Reverse of all C++ syntax
4. Entry methods of buttons and other controls
Knowledge point 1: Parameters of int main(int argc, char* argv[])
argc is the number of arguments and argv is the argument list: strings separated by spaces, where the first entry is by default the program's own name;
Knowledge point 2: Constructors and destructors
the initialization and cleanup functions of a C++ class, run when an object is created and when it is destroyed;
Before the main function runs, there are 8-9 entry functions, including:
__scrt_common_main // initializes the global variables used for buffer-overflow protection
__scrt_common_main_seh // initializes global data defined with C++ syntax
invoke_main // invokes the main function and passes the command-line argument information
In short, when you see such functions you can ignore them. They are generated automatically by the compiler and are not part of the software's source code.
C++ stipulates that global objects and static objects must be constructed before the main function.
main has three parameters: the argument count argc, the argument list argv and the environment variables envp.
.text:00411334 ; int __cdecl main_0(int argc, const char **argv, const char **envp)
.text:00411334 _main_0 proc near ; CODE XREF: invoke_main+2E↓p
.text:00411334
.text:00411334 argc = dword ptr 4
.text:00411334 argv = dword ptr 8
.text:00411334 envp = dword ptr 0Ch
.text:00411334
.text:00411334 jmp _main
.text:00411334 _main_0 endp
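An added example of my own (not code from either book) to make the point about construction order concrete: a global object's constructor runs before main is entered, inside the CRT startup stages listed above, while a function-local static is constructed only the first time its function is called. Tracer, g_events, lazy_static and events_so_far are names I made up for the demonstration.

```cpp
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Event log. Defined before any object whose constructor writes to it:
// within one translation unit, globals are constructed in definition order.
static std::vector<std::string> g_events;

struct Tracer {
    std::string name;
    explicit Tracer(std::string n) : name(std::move(n)) {
        g_events.push_back("ctor " + name);
    }
    ~Tracer() { g_events.push_back("dtor " + name); }
};

// Global object: its constructor is run by the CRT startup code (the stage
// the notes above call __scrt_common_main_seh) before main is reached.
static Tracer g_global("global");

// Function-local static: constructed on the first call, not at startup,
// so it does not appear in the log until lazy_static() is actually used.
Tracer& lazy_static() {
    static Tracer s("lazy");
    return s;
}

// Snapshot of everything logged so far.
std::vector<std::string> events_so_far() { return g_events; }

int main() {
    g_events.push_back("main entered");
    lazy_static();
    // Order observed: "ctor global", "main entered", "ctor lazy".
    // "dtor lazy" and "dtor global" are logged after main returns.
    for (const auto& e : events_so_far()) std::printf("%s\n", e.c_str());
    return 0;
}
```

When you meet a long run of constructor calls before the first recognisable user code in a disassembly, this is why: the compiler's startup code is walking the list of global and static objects that the program defined.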
Knowledge point 3: Location of local variables and parameters:
At the function entry, IDA lists local variables as negative offsets (ptr - x) from the frame pointer, usually 4 bytes each, and parameters as positive offsets (ptr + x). In the listing above, argc is ptr+4 and argv is ptr+8, and there are no local variables;
The next listing shows a function with local variables and no parameters:
.text:004123D0 ; int __cdecl main()
.text:004123D0 _main proc near ; CODE XREF: _main_0↑j
.text:004123D0
.text:004123D0 var_1C = byte ptr -1Ch
.text:004123D0 i = dword ptr -18h
.text:004123D0 a = dword ptr -0Ch
.text:004123D0 var_4 = dword ptr -4
.text:004123D0
.text:004123D0 push ebp
.text:004123D1 mov ebp, esp
.text:004123D3 sub esp, 0DCh
.text:004123D9 push ebx
.text:004123DA push esi
.text:004123DB push edi
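To turn the rule above into something checkable, here is a small parser I wrote for these notes (not from the book or from IDA) that reads the "name = size ptr offset" lines IDA prints at a function entry and classifies each symbol as a parameter (positive offset) or a local (negative offset). The sample input is the lines of the two listings above; FrameSym, parseFrame and localsExtent are my own names. The named locals of main span 28 bytes, while sub esp, 0DCh reserves 220: the rest is room IDA found nothing to name (debug builds reserve extra space), and the dword at -4 is, in MSVC builds with /GS, often the slot for the stack cookie.

```cpp
#include <cstdio>
#include <cstdlib>
#include <regex>
#include <string>
#include <vector>

// One stack-frame symbol as IDA prints it at a function's entry,
// e.g. "i = dword ptr -18h".
struct FrameSym {
    std::string name;
    int size;       // bytes implied by byte/word/dword/qword
    long offset;    // signed displacement from the frame pointer
    bool isParam;   // positive offset: parameter; negative: local variable
};

// IDA hex literals end in 'h' ("0Ch", "-1Ch"); plain numbers are decimal.
long parseIdaNumber(const std::string& tok) {
    std::string s = tok;
    int base = 10;
    if (!s.empty() && (s.back() == 'h' || s.back() == 'H')) {
        s.pop_back();
        base = 16;
    }
    return std::strtol(s.c_str(), nullptr, base);
}

int sizeOfKeyword(const std::string& kw) {
    if (kw == "byte")  return 1;
    if (kw == "word")  return 2;
    if (kw == "dword") return 4;
    if (kw == "qword") return 8;
    return 0;  // not a size keyword we recognise
}

// Keep only the "name = <size> ptr <offset>" lines, with or without the
// ".text:XXXXXXXX" address prefix; proc headers, instructions and blank
// lines are skipped.
std::vector<FrameSym> parseFrame(const std::vector<std::string>& lines) {
    static const std::regex re(
        R"(^\s*(?:\.text:[0-9A-Fa-f]+\s+)?(\w+)\s*=\s*(byte|word|dword|qword)\s+ptr\s+(-?[0-9A-Fa-f]+h?)\s*$)");
    std::vector<FrameSym> out;
    for (const auto& line : lines) {
        std::smatch m;
        if (!std::regex_match(line, m, re)) continue;
        long off = parseIdaNumber(m[3].str());
        out.push_back({m[1].str(), sizeOfKeyword(m[2].str()), off, off > 0});
    }
    return out;
}

// Bytes between the lowest named local and the frame pointer (offset 0).
long localsExtent(const std::vector<FrameSym>& syms) {
    long lowest = 0;
    for (const auto& s : syms) if (s.offset < lowest) lowest = s.offset;
    return -lowest;
}

int main() {
    // Input: lines copied from the two listings above (main_0 and main).
    std::vector<std::string> listing = {
        ".text:00411334 argc = dword ptr 4",
        ".text:00411334 argv = dword ptr 8",
        ".text:00411334 envp = dword ptr 0Ch",
        ".text:004123D0 var_1C = byte ptr -1Ch",
        ".text:004123D0 i = dword ptr -18h",
        ".text:004123D0 a = dword ptr -0Ch",
        ".text:004123D0 var_4 = dword ptr -4",
        ".text:004123D0 push ebp",
    };
    std::vector<FrameSym> syms = parseFrame(listing);
    for (const auto& s : syms)
        std::printf("%-7s %s  %4ld bytes from frame pointer, size %d\n",
                    s.name.c_str(), s.isParam ? "param" : "local", s.offset, s.size);
    std::printf("named locals span %ld bytes\n", localsExtent(syms));
    return 0;
}
```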
Knowledge point 4: The assembly source code corresponding to operations such as addition, subtraction, multiplication and division, XOR, etc.:
This part matches what I learned in school, but note that compiler optimization changes the generated code, mainly to improve speed and save space.
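Three of those optimizations, written out as an added example of my own (not from the book) so the "changed" instruction sequences can be checked against the plain operators: unsigned division by a constant becomes a multiply by a magic number followed by a shift, signed division by 2 becomes a cdq/sub/sar sequence, and multiplication by 9 becomes a single lea. The function names are mine; the instruction sequences in the comments are the usual x86 output for these operations.

```cpp
#include <cstdint>
#include <cstdio>

// Unsigned division by 10 as an optimizing compiler emits it for x86:
//   mov eax, 0CCCCCCCDh ; mul ecx ; shr edx, 3
// i.e. the high 32 bits of n * 0xCCCCCCCD, then shifted right by 3,
// which together is a 35-bit shift of the 64-bit product.
uint32_t div10_magic(uint32_t n) {
    return static_cast<uint32_t>((static_cast<uint64_t>(n) * 0xCCCCCCCDu) >> 35);
}

// Signed division by 2 as emitted for x86:
//   cdq ; sub eax, edx ; sar eax, 1
// cdq sign-extends eax into edx (edx = -1 for negatives), so the sub adds 1
// to negative inputs before the arithmetic shift, giving truncation toward
// zero like the '/' operator. The add is done unsigned to avoid signed
// overflow; the right shift of a negative value is arithmetic on every
// mainstream compiler (and guaranteed since C++20).
int32_t sdiv2_cdq(int32_t x) {
    int32_t sign = x >> 31;                                          // 0 or -1
    uint32_t adjusted = static_cast<uint32_t>(x) - static_cast<uint32_t>(sign);
    return static_cast<int32_t>(adjusted) >> 1;
}

// Multiplication by 9 with one address calculation: lea eax, [eax+eax*8]
int32_t mul9_lea(int32_t x) {
    uint32_t u = static_cast<uint32_t>(x);
    return static_cast<int32_t>(u + (u << 3));   // wraps like the hardware does
}

// Sweep [lo, hi] and confirm each rewrite agrees with the plain operator
// on the same bit pattern; returns false on the first mismatch.
bool rewrites_match(int32_t lo, int32_t hi) {
    for (int64_t v = lo; v <= hi; ++v) {
        int32_t x = static_cast<int32_t>(v);
        uint32_t u = static_cast<uint32_t>(v);
        if (div10_magic(u) != u / 10) return false;
        if (sdiv2_cdq(x) != x / 2) return false;
        if (mul9_lea(x) != static_cast<int32_t>(u * 9u)) return false;
    }
    return true;
}

int main() {
    std::printf("4294967295 / 10 = %u\n", div10_magic(4294967295u));
    std::printf("-7 / 2 = %d\n", sdiv2_cdq(-7));
    std::printf("-2 * 9 = %d\n", mul9_lea(-2));
    std::printf("all rewrites agree on [-100000, 100000]: %s\n",
                rewrites_match(-100000, 100000) ? "yes" : "no");
    return 0;
}
```

The practical lesson for reading disassembly: a mul by an odd-looking constant followed by a shift of edx is almost always a division by a constant, and a cdq/sub/sar triple is a signed division by a power of two, not the bit manipulation it looks like.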
Knowledge point 5: Process control
Conditional judgment (if-else, switch) and loops (do, while, for, etc.): what each looks like in assembly;
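The switch case is the one worth a worked example, so here is one of my own (not from the book): a switch with dense case values next to the shape the compiler gives it, a table of code addresses indexed by the case value, with the hole for the missing case 3 filled by the default target and a single unsigned compare-and-branch in front of the indirect jump. Function pointers stand in for the code addresses. describe_switch, describe_table and the body functions are my own names.

```cpp
#include <cstdint>
#include <cstdio>

// The switch as written in source. Case 3 is deliberately absent so the
// table below has a hole that must fall through to default.
int describe_switch(unsigned op) {
    switch (op) {
        case 0: return 100;
        case 1: return 200;
        case 2: return 300;
        case 4: return 500;
        default: return -1;
    }
}

// Case bodies as separate functions, standing in for the code addresses
// that a real jump table holds.
static int body0() { return 100; }
static int body1() { return 200; }
static int body2() { return 300; }
static int body4() { return 500; }
static int bodyDefault() { return -1; }

// The shape a compiler gives a dense switch: a table indexed by the case
// value, holes filled with the default target, guarded by one unsigned
// compare-and-branch before the indirect jump:
//     cmp eax, 4 ; ja default ; jmp [table + eax*4]
// The unsigned compare is what turns negative case values into "too large".
int describe_table(unsigned op) {
    static int (*const table[])() = { body0, body1, body2, bodyDefault, body4 };
    const unsigned n = sizeof(table) / sizeof(table[0]);
    if (op >= n) return bodyDefault();   // the 'ja default' guard: without it an
                                         // out-of-range op would read a code
                                         // pointer from past the end of the table
    return table[op]();
}

// Confirm both lowerings agree on every value in [lo, hi], out-of-range
// values included. A 64-bit counter so hi == UINT32_MAX cannot loop forever.
bool lowerings_agree(unsigned lo, unsigned hi) {
    for (uint64_t op = lo; op <= hi; ++op) {
        unsigned v = static_cast<unsigned>(op);
        if (describe_switch(v) != describe_table(v)) return false;
    }
    return true;
}

int main() {
    for (unsigned op = 0; op <= 6; ++op)
        std::printf("op %u: switch %d, table %d\n", op, describe_switch(op), describe_table(op));
    std::printf("agree on [0, 1000]: %s\n", lowerings_agree(0, 1000) ? "yes" : "no");
    return 0;
}
```

When reading a switch in assembly, find that guard first: the bound it compares against tells you the table size, and the table entries that point at the same address as the fall-through branch are the missing case values.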
Knowledge point 6: How functions work
It mainly covers the stack-frame handling of the different calling conventions. The more you read, the clearer it becomes: how the stack top pointer and stack bottom pointer are manipulated, and how local variables and parameters are passed.
The memory temporarily allocated by malloc and new is called the heap; it is released by free and delete.
I have two reference books at hand, "C++ Disassembly and Reverse Analysis" and "Learn C++ Programming from Scratch", which echo each other: here you see constructors and destructors, and there you see the exercises and assembly code for the same functions, so learning is very efficient.