描述
驗證if、循環(huán)曙寡、switch在匯編當(dāng)中是怎么表示的
if 的匯編
新建的工程 源代碼
int g = 12;
void func(int a,int b){
if(a >b){
g = a;
}else{
g = b;
}
}
int main(int argc, char * argv[]) {
func(1, 2);
return 0;
}
匯編的代碼
ext:00000001000068B0 _func ; CODE XREF: _main+28↓p
__text:00000001000068B0
__text:00000001000068B0 var_8 = -8
__text:00000001000068B0 var_4 = -4
__text:00000001000068B0
__text:00000001000068B0 SUB SP, SP, #0x10
__text:00000001000068B4 STR W0, [SP,#0x10+var_4]
__text:00000001000068B8 STR W1, [SP,#0x10+var_8]
__text:00000001000068BC LDR W0, [SP,#0x10+var_4]
__text:00000001000068C0 LDR W1, [SP,#0x10+var_8]
__text:00000001000068C4 CMP W0, W1
__text:00000001000068C8 B.LE loc_1000068E0
__text:00000001000068CC ADRP X8, #_g@PAGE
__text:00000001000068D0 ADD X8, X8, #_g@PAGEOFF
__text:00000001000068D4 LDR W9, [SP,#0x10+var_4]
__text:00000001000068D8 STR W9, [X8]
__text:00000001000068DC B loc_1000068F0
__text:00000001000068E0 ; ---------------------------------------------------------------------------
__text:00000001000068E0
__text:00000001000068E0 loc_1000068E0 ; CODE XREF: _func+18↑j
__text:00000001000068E0 ADRP X8, #_g@PAGE
__text:00000001000068E4 ADD X8, X8, #_g@PAGEOFF
__text:00000001000068E8 LDR W9, [SP,#0x10+var_8]
__text:00000001000068EC STR W9, [X8]
__text:00000001000068F0
__text:00000001000068F0 loc_1000068F0 ; CODE XREF: _func+2C↑j
__text:00000001000068F0 ADD SP, SP, #0x10
__text:00000001000068F4 RET
__text:00000001000068F4 ; End of function _func
匯編代碼分析
- SUB SP, SP, #0x10
- 拉伸椙悴福空間
- STR W0, [SP,#0x10+var_4]轧邪,STR W1, [SP,#0x10+var_8],LDR W0, [SP,#0x10+var_4]羞海,LDR W1, [SP,#0x10+var_8]
- 將w0忌愚,w1入棧,并從棧讀到w0却邓,w1
- CMP W0, W1
- 這個是相當(dāng)于減法 w0 - w1硕糊,會修改標(biāo)志寄存器,>,<,= 申尤;
- B.LE loc_1000068E0
- LE 代表的含義是如果是w0小于等于w1那么會直接跳轉(zhuǎn)到后面寫的內(nèi)存的方法中去_text:00000001000068E0 ADRP X8, #_g@PAGE
- ADRP X8, #_g@PAGE 癌幕,ADD X8, X8, #_g@PAGEOFF 讀取一個全局變量_g 存入x8
- LDR W9, [SP,#0x10+var_8] 從棧讀取一個數(shù)據(jù)存入w9
- STR W9, [X8] 將w9存入x8的地址中
- 如果w0大于w1 走這里__text:00000001000068CC ADRP X8, #_g@PAGE
- ADRP X8, #_g@PAGE 衙耕,ADD X8, X8, #_g@PAGEOFF 讀取一個全局變量_g 存入x8
- LDR W9, [SP,#0x10+var_4] 從椕链空間讀取 [SP,#0x10+var_4] 數(shù)據(jù)放入w9
- STR W9, [X8] 將w9的值存入到x8的棧空間
- ADD SP, SP, #0x10 回復(fù)棾却空間
- RET 返回
匯編還原源代碼
因為w0时鸵、w1是兩個參數(shù),在main的匯編當(dāng)中有
int g = 12; //動態(tài)分析可以知道
func(int a , int b){
STR W0, [SP,#0x10+var_4]
STR W1, [SP,#0x10+var_8]
LDR W0, [SP,#0x10+var_4]
LDR W1, [SP,#0x10+var_8]
- int var_4 = a
- int var_8 = b
- int w0 = var_4
- int w1 = var_8
- if(w0>w1){
ADRP X8, #_g@PAGE
ADD X8, X8, #_g@PAGEOFF
LDR W9, [SP,#0x10+var_4]
STR W9, [X8]
int* x8 = &g;
int w9 = var_4;
*x8 = w9;
}else{
ADRP X8, #_g@PAGE
ADD X8, X8, #_g@PAGEOFF
LDR W9, [SP,#0x10+var_8]
STR W9, [X8]
int *x8 = &g
int w9 = var_8;
*x8 = w9
}
}
最簡化代碼
int g = 12;
void func{
if(a>b){
g = a;
}else{
g = b;
}
}xw
循環(huán)的匯編
源代碼 do while
int main(int argc, char * argv[]) {
int nSum = 0;
int i = 0;
do {
nSum = nSum + 1;
i++;
} while (i<100);
return 0;
}
匯編代碼
代碼分析
首先從SUB SP, SP, #0x20開始
- 拉伸棧空間
- 0x20+var_4 存入0
- 0x20+var_8 存入w0
- x1 入棧 SP,#0x20+var_10
- SP,#0x20+var_14存入0
- SP,#0x20+var_18存入0
loc_100006900 ; CODE XREF: _main+38↓j - w8 = 讀取[SP,#0x20+var_14]
- W8 = W8 + #1
- w8 存入SP,#0x20+var_14
- 從SP,#0x20+var_18 讀取給 w8
- W8 = W8+#1
- w8 存入 SP,#0x20+var_18
- SP,#0x20+var_18 讀取給w8
- CMP W8, #0x64 減法運算判斷
- B.LT loc_100006900 判斷如果小于執(zhí)行地址中的方法饰潜,如果大于等于直接走下面方法
- w8 = 0
- x0 = x8
- 恢復(fù)棾踝梗空間
- 返回
還原源代碼
先做后判斷 是do while
var_4 = 0
var_8 = w0
var_10 = x1
var_14 = 0
var_18 = 0
do{
w8 = var_14
w8 = w8 + 1
var_14 = w8
w8 = var_18
w8 = w8 + 1
var_18 = w8
w8 = var_18
}while(w8<0x64)
w8 = 0
x0 = x8
簡化
func(id w0,id w1){
do{
int var_14 = 0;
var_14 = var_14 + 1;
int var_18 = 0;
var_18 = var_18 + 1;
}while(var_18<0x64);
return 0;
}
源代碼while
int main(int argc, char * argv[]) {
int nSum = 0;
int i = 0;
while (i<100){
nSum = nSum + 1;
i++;
} ;
return 0;
}
匯編代碼while
0x104a1a8e4 <+0>: sub sp, sp, #0x20 ; =0x20
0x104a1a8e8 <+4>: str wzr, [sp, #0x1c]
0x104a1a8ec <+8>: str w0, [sp, #0x18]
0x104a1a8f0 <+12>: str x1, [sp, #0x10]
-> 0x104a1a8f4 <+16>: str wzr, [sp, #0xc]
0x104a1a8f8 <+20>: str wzr, [sp, #0x8]
0x104a1a8fc <+24>: ldr w8, [sp, #0x8]
0x104a1a900 <+28>: cmp w8, #0x64 ; =0x64
0x104a1a904 <+32>: b.ge 0x104a1a924 ; <+64> at main.m
0x104a1a908 <+36>: ldr w8, [sp, #0xc]
0x104a1a90c <+40>: add w8, w8, #0x1 ; =0x1
0x104a1a910 <+44>: str w8, [sp, #0xc]
0x104a1a914 <+48>: ldr w8, [sp, #0x8]
0x104a1a918 <+52>: add w8, w8, #0x1 ; =0x1
0x104a1a91c <+56>: str w8, [sp, #0x8]
0x104a1a920 <+60>: b 0x104a1a8fc ; <+24> at main.m:19
0x104a1a924 <+64>: mov w8, #0x0
0x104a1a928 <+68>: mov x0, x8
0x104a1a92c <+72>: add sp, sp, #0x20 ; =0x20
0x104a1a930 <+76>: ret
代碼分析
- sub sp, sp, #0x20 ; =0x20 拉伸棧空間
- 0x1c = 0
- 0x18 = w0
- 0x10 = x1
- 0xc = 0
- 0x8 = 0
- w8 = 0x8
- w8 和0x64比較大小 w8 - 0x64
- 如果上面的結(jié)果 大于等于執(zhí)行地址中的方法彭雾,否則向下執(zhí)行
- 小于等于
- w8 = 0xc
- w8 = w8 + 1
- 0xc = w8
- w8 = 0x8
- w8 = w8 + 1
- 0x8 = w8
- 小于等于
- w8 = 0
- x0 = x8
- 回復(fù)椀蹋空間
簡化代碼
int func(id a, id b){
int 0xc = 0
int 0x8 = 0
while(0x8<0x64){
0xc = 0xc + 1
0x8 = ox8 + 1
}
return 0;
}
源代碼循環(huán)for
int main(int argc, char * argv[]) {
for (int i = 0; i<100; i++) {
printf("woqu");
}
return 0;
}
匯編代碼
__text:00000001000068C8 _main
__text:00000001000068C8
__text:00000001000068C8 var_18 = -0x18
__text:00000001000068C8 var_14 = -0x14
__text:00000001000068C8 var_10 = -0x10
__text:00000001000068C8 var_8 = -8
__text:00000001000068C8 var_4 = -4
__text:00000001000068C8 var_s0 = 0
__text:00000001000068C8
__text:00000001000068C8 SUB SP, SP, #0x30
__text:00000001000068CC STP X29, X30, [SP,#0x20+var_s0]
__text:00000001000068D0 ADD X29, SP, #0x20
__text:00000001000068D4 STUR WZR, [X29,#var_4]
__text:00000001000068D8 STUR W0, [X29,#var_8]
__text:00000001000068DC STR X1, [SP,#0x20+var_10]
__text:00000001000068E0 STR WZR, [SP,#0x20+var_14]
__text:00000001000068E4
__text:00000001000068E4 loc_1000068E4 ; CODE XREF: _main+44↓j
__text:00000001000068E4 LDR W8, [SP,#0x20+var_14]
__text:00000001000068E8 CMP W8, #0x64
__text:00000001000068EC B.GE loc_100006910
__text:00000001000068F0 ADRP X0, #aWoqu@PAGE ; "woqu"
__text:00000001000068F4 ADD X0, X0, #aWoqu@PAGEOFF ; "woqu"
__text:00000001000068F8 BL _printf
__text:00000001000068FC STR W0, [SP,#0x20+var_18]
__text:0000000100006900 LDR W8, [SP,#0x20+var_14]
__text:0000000100006904 ADD W8, W8, #1
__text:0000000100006908 STR W8, [SP,#0x20+var_14]
__text:000000010000690C B loc_1000068E4
__text:0000000100006910 ; ---------------------------------------------------------------------------
__text:0000000100006910
__text:0000000100006910 loc_100006910 ; CODE XREF: _main+24↑j
__text:0000000100006910 MOV W8, #0
__text:0000000100006914 MOV X0, X8
__text:0000000100006918 LDP X29, X30, [SP,#0x20+var_s0]
__text:000000010000691C ADD SP, SP, #0x30
__text:0000000100006920 RET
__text:0000000100006920 ; End of function _main
分析
- 從 STUR WZR, [X29,#var_4] var_4 = 0
- var_8 = w0
- var_10 = x1
- var_14 = 0
- w8 = var_14
- 因為_text:00000001000068E4 loc_1000068E4 ,__text:000000010000690C B loc_1000068E4 所以是一個循環(huán)
- cmp w8 0x64 比較
- B.GE 上面大于等于直接跳出循環(huán)薯酝。
- 小于
- ADRP半沽、ADD獲取一個常量或者全局變量 “我去” x0 是參數(shù)
- BL printf 打印
- var_18 = w0
- w8 = var_14
- w8 = w8 + 1
- var_14 = w8
- 跳轉(zhuǎn)到 loc_1000068E4 B直接跳轉(zhuǎn)沒有 不用保存lr
- 下面的不用說了
簡化代碼
int func(id var_8, id var_10){
for(int var_14 = 0;var_14<0x64;i++){
printf("woqu");
}
return 0;
}
