C++ Disassembly and Reverse Analysis – Reading Notes


Table of contents

C++ reverse requirements

Catalog of a C++ reverse course

Knowledge point 1: Parameters of int main(int argc, char* argv[])

Knowledge point 2: Constructors and destructors

Knowledge point 3: Location of local variables and parameters

Knowledge point 4: The assembly corresponding to addition, subtraction, multiplication, division, XOR and similar operations

Knowledge point 5: Process control

Knowledge point 6: How functions work

Summary

C++ reverse requirements

Many programs are developed in C++ / MFC. For reverse engineering you must be familiar with the C++ development process: not proficient, but able to read the source code and know which assembly it corresponds to.

C++ programs follow some conventions that differ from those of C. By studying this book we can understand programs developed in C++, how to identify them, and how the source code and the compiler together turn into assembly. Reading this book is like taking the Windows reverse-engineering course.

Catalog of a C++ reverse course

Chapter 3 C++ and MFC / Reverse Exercise     3000 yuan
3.1 What is the difference between a structure and a class
3.2 The essence of the this pointer in encapsulation
3.3 Constructor and destructor
3.4 What are the benefits of inheritance
3.5 Multiple inheritance and diamond inheritance
3.6 Pure virtual function and virtual function
3.7 What is the relationship between polymorphism and virtual function
3.8 Virtual inheritance and a destructor calling a virtual function
3.9 The magic of function overloading
3.10 What is operator overloading
3.11 How templates are used
3.12 Class templates and namespaces
3.13 The string container
3.14 The vector container
3.15 The deque container
3.16 The list container
3.17 Usage of iterators
3.18 Input stream and file stream
3.19 set and map
3.20 Element count and minimum value in the STL
3.21 Function objects and unary predicates
3.22 STL search and delete
3.23 C++ exceptions
3.24 Execution process of a Win32 program (the essence of the message mechanism)
3.25 Win32 creating and displaying a window
3.26 Win32 message dispatch process
3.27 Win32 message loop and message function
3.28 Win32 dialog message process
3.29 The relationship between MFC and Win32 programs
3.32 MFC dialog box
3.33 MFC menu
3.34 MFC drawing
3.35 MFC text operations
3. Reverse engineering of all C++ syntax
4. Entry methods of buttons and other controls

Knowledge point 1: Parameters of int main(int argc, char* argv[])

argc is the number of arguments and argv is the argument list: each entry is a string, arguments are separated by spaces, and by default the first entry is the function name.

Knowledge point 2: Constructors and destructors

The initialization and cleanup functions of a C++ class, which run when an object is created and when it is destroyed.

Before the main function runs there are 8-9 entry functions, including:

mainCRTStartup, wmainCRTStartup

__scrt_common_main // initializes the global variables used by the buffer-overflow check

__scrt_common_main_seh // initializes global data defined in C++ syntax

invoke_main // calls the main function and passes it the command-line information

In short, when you see such functions you can ignore them: they are generated automatically by the compiler and are not the software's own source code.

C++ stipulates that global objects and static objects must be constructed before the main function.

main has three parameters: the number of parameters argc, the parameter list argv and the environment variable envp.

.text:00411334 ; int __cdecl main_0(int argc, const char **argv, const char **envp)
.text:00411334 _main_0         proc near               ; CODE XREF: invoke_main+2E↓p
.text:00411334
.text:00411334 argc            = dword ptr  4
.text:00411334 argv            = dword ptr  8
.text:00411334 envp            = dword ptr  0Ch
.text:00411334
.text:00411334                 jmp     _main
.text:00411334 _main_0         endp

Knowledge point 3: Location of local variables and parameters

At the function entry, local variables sit at negative offsets from the frame pointer (ptr - x), usually 4 bytes each, and parameters sit at positive offsets (ptr + x). In the listing above, argc is ptr+4, argv is ptr+8, envp is ptr+0Ch, and there are no local variables.

The next listing shows the opposite case: local variables but no parameters:

.text:004123D0 ; int __cdecl main()
.text:004123D0 _main           proc near               ; CODE XREF: _main_0↑j
.text:004123D0
.text:004123D0 var_1C          = byte ptr -1Ch
.text:004123D0 i               = dword ptr -18h
.text:004123D0 a               = dword ptr -0Ch
.text:004123D0 var_4           = dword ptr -4
.text:004123D0
.text:004123D0                 push    ebp
.text:004123D1                 mov     ebp, esp
.text:004123D3                 sub     esp, 0DCh
.text:004123D9                 push    ebx
.text:004123DA                 push    esi
.text:004123DB                 push    edi
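To make the offset rule above mechanical, here is an added Python helper (my own example, not code from the book or these notes) that parses the stack-variable definitions and the prologue's `sub esp, N` from an IDA-style listing, classifying each symbol as a local or a parameter by the sign of its offset and sizing it from the `byte`/`dword ptr` operand. It assumes IDA's conventions as shown in the listings (hex immediates carry a trailing `h`, locals are negative offsets); the two listings are embedded as constructed input copied from the notes.

```python
import re
from dataclasses import dataclass

# Constructed input: the two IDA listings quoted in these notes (main_0 thunk: params only; main prologue: locals only).
MAIN0_LISTING = """\
.text:00411334 argc            = dword ptr  4
.text:00411334 argv            = dword ptr  8
.text:00411334 envp            = dword ptr  0Ch
"""
MAIN_LISTING = """\
.text:004123D0 var_1C          = byte ptr -1Ch
.text:004123D0 i               = dword ptr -18h
.text:004123D0 a               = dword ptr -0Ch
.text:004123D0 var_4           = dword ptr -4
.text:004123D0                 push    ebp
.text:004123D1                 mov     ebp, esp
.text:004123D3                 sub     esp, 0DCh
"""

SIZES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}
# "<addr> <name> = <type> ptr <offset>" stack-variable definition lines, and the frame-reserving sub
VAR_RE = re.compile(r"^\.text:[0-9A-Fa-f]+\s+(\w+)\s+=\s+(\w+) ptr\s+(-?[0-9A-Fa-f]+h?)\s*$")
SUB_RE = re.compile(r"\bsub\s+esp,\s*([0-9A-Fa-f]+h?)")
@dataclass
class StackVar:
    name: str
    offset: int   # signed offset from the frame pointer (the "ptr +/- x" of the notes)
    size: int     # bytes, taken from the "<type> ptr" operand size
    kind: str     # "local" below the frame pointer, "param" above it

def ida_number(tok: str) -> int:
    """Decode an IDA immediate: a trailing 'h' means hex (0DCh), otherwise decimal (-4)."""
    sign = -1 if tok.startswith("-") else 1
    digits = tok.lstrip("-")
    value = int(digits[:-1], 16) if digits.endswith("h") else int(digits, 10)
    return sign * value

def parse_frame(listing: str):
    """Return (stack variables, bytes reserved by 'sub esp, N') for one function's listing."""
    variables, frame_size = [], 0
    for line in listing.splitlines():
        m = VAR_RE.match(line)
        if m:
            name, ptr_type, off = m.groups()
            offset = ida_number(off)
            variables.append(StackVar(name, offset, SIZES[ptr_type], "local" if offset < 0 else "param"))
        elif (m := SUB_RE.search(line)):
            frame_size = ida_number(m.group(1))   # every local's offset must lie inside this region
    return variables, frame_size
```

Running it on the main listing yields four locals (offsets -1Ch, -18h, -0Ch, -4) inside a 0DCh-byte frame, and on the main_0 listing three parameters at +4, +8 and +0Ch with no frame reserved.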

Knowledge point 4: The assembly corresponding to addition, subtraction, multiplication, division, XOR and similar operations

This part is similar to what I learned in school, but note that compiler optimization changes the generated code, mainly to improve speed and save space.

Knowledge point 5: Process control

How conditionals (if-else, switch) and loops (do, while, for) look in assembly.

Knowledge point 6: How functions work

This mainly covers how the stack frame is handled under different calling conventions. The more you look at it, the clearer it becomes: the manipulation of the stack-top pointer (esp) and the stack-bottom pointer (ebp), and how local variables and parameters are passed.

Memory allocated at run time by malloc and new lives on the heap and is released by free and delete.

Summary

There are two reference books at hand, "C++ Disassembly and Reverse Analysis" and "Learn C++ Programming from Scratch", which echo each other: here you see constructors and destructors, there you see the practice and assembly code of those functions, so learning is very efficient.
