http://msdn.microsoft.com/ko-kr/library/e0z9k731(v=VS.80).aspx
int strcmp(
const char *string1,
const char *string2
);
-----------------------------3-5
; --- 3-5: fold the characters of lpcmd ([EBP+10]) into a 32-bit number ---
; Locals: [EBP-4] = j (parse index), [EBP-8] = i (length of lpcmd),
;         [EBP-C] = acc (its initialisation is not in this excerpt).
; Effectively acc = sum over characters of (c - 0x2F) * 10^(remaining digits).
; Things a reviewer should note:
;   * the per-character term is (c - 0x2F), not (c - 0x30): '0' is 0x30, so
;     each character contributes digit+1, not the digit itself;
;   * no byte is validated — any byte of the (presumably user-supplied)
;     command line is folded in, and MOVSX makes bytes >= 0x80 negative;
;   * repeated IMUL on a long input silently wraps the 32-bit accumulator.
MOV DWORD PTR SS:[EBP-4],0 ; j = 0
PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
PUSH 03_05_Qu.00405030 ; |Title = "ITBANK"
PUSH 03_05_Qu.00405038 ; |Text = "Insert Argument"
PUSH 0 ; |hOwner = NULL
CALL DWORD PTR DS:[<&USER32.Message>; \MessageBoxA
MOV DWORD PTR SS:[EBP-8],0 ; i = 0
JMP SHORT 03_05_Qu.0040103A ; enter the loop at its condition (skip the first i++)
/MOV EAX,DWORD PTR SS:[EBP-8]
|ADD EAX,1
|MOV DWORD PTR SS:[EBP-8],EAX ; i++
MOV ECX,DWORD PTR SS:[EBP+10] ; ECX = lpcmd
|ADD ECX,DWORD PTR SS:[EBP-8] ; ECX = &lpcmd[i]
|MOVSX EDX,BYTE PTR DS:[ECX] ; EDX = lpcmd[i] (sign-extended)
|TEST EDX,EDX
|JE SHORT 03_05_Qu.00401049 ; NUL reached -> i = strlen(lpcmd); fall into the parse loop
\JMP SHORT 03_05_Qu.00401031 ; for (i = 0; lpcmd[i] != 0; i++) {}
/MOV EAX,DWORD PTR SS:[EBP-4] ; EAX = j
|CMP EAX,DWORD PTR SS:[EBP-8] ; while (j < i) {   (signed compare; both are small and non-negative)
|JGE SHORT 03_05_Qu.00401080 ; j >= i -> leave the loop
|MOV ECX,DWORD PTR SS:[EBP+10]
|ADD ECX,DWORD PTR SS:[EBP-4] ; ECX = &lpcmd[j]
|MOVSX EDX,BYTE PTR DS:[ECX] ; EDX = lpcmd[j] (sign-extended)
|MOV EAX,DWORD PTR SS:[EBP-C] ; EAX = acc
|LEA ECX,DWORD PTR DS:[EAX+EDX-2F] ; ECX = acc + lpcmd[j] - 0x2F  (LEA is pure arithmetic here, no memory read)
|MOV DWORD PTR SS:[EBP-C],ECX ; acc = ECX
|MOV EDX,DWORD PTR SS:[EBP-4]
|ADD EDX,1
|MOV DWORD PTR SS:[EBP-4],EDX ; j++
|MOV EAX,DWORD PTR SS:[EBP-4]
|CMP EAX,DWORD PTR SS:[EBP-8] ; if (j < i) acc *= 10;
|JGE SHORT 03_05_Qu.0040107E ; after the last character: go straight to the back-edge, skipping the multiply
|MOV ECX,DWORD PTR SS:[EBP-C] ; ECX = acc
|IMUL ECX,ECX,0A ; ECX = acc * 10  (0x0A is 10, not 16)
|MOV DWORD PTR SS:[EBP-C],ECX ; acc = ECX
\JMP SHORT 03_05_Qu.00401049 ; }
MOV EDX,DWORD PTR SS:[EBP-C] ; EDX = acc
ADD EDX,54 ; EDX = acc + 0x54 (84)
CMP EDX,12C ; compare with 0x12C (300); the conditional branch that consumes this result is not in this excerpt
-----------------------------3-6 malloc, new
If the stack variable holding the pointer to a heap block is overwritten (or goes out of scope) before the block is released, the block stays allocated — a memory leak.
In a long-running process such as a server these leaks accumulate until it runs out of memory and fails.
Every malloc must be paired with free and every new with delete (new[] with delete[]).
; --- 3-6: duplicate lpCmd ([EBP+10]) into a freshly allocated buffer ---
; Locals: [EBP-8] = len, then reused as the copy index i;
;         [EBP-C] = raw return value of the allocation call; [EBP-4] = name.
; The allocation is sized len+1 and the copy writes len bytes plus a NUL, and
; nothing between the two scans modifies lpCmd, so the buffer is not overrun.
; Two things to watch: the returned pointer is stored and dereferenced without
; a NULL check, and no matching free/delete for it appears in this excerpt.
MOV DWORD PTR SS:[EBP-8],0 ; len = 0
JMP SHORT 03_06_Qu.0040102C ; enter the loop at its condition (skip the first len++)
/MOV EAX,DWORD PTR SS:[EBP-8]
|ADD EAX,1
|MOV DWORD PTR SS:[EBP-8],EAX ; len++
MOV ECX,DWORD PTR SS:[EBP+10]
|ADD ECX,DWORD PTR SS:[EBP-8] ; ECX = &lpCmd[len]
|MOVSX EDX,BYTE PTR DS:[ECX] ; EDX = lpCmd[len] (sign-extended)
|TEST EDX,EDX ; for (len = 0; lpCmd[len] != 0; len++) {}
|JE SHORT 03_06_Qu.0040103B ; NUL reached -> len = strlen(lpCmd)
\JMP SHORT 03_06_Qu.00401023
MOV EAX,DWORD PTR SS:[EBP-8] ; EAX = len
ADD EAX,1 ; EAX = len + 1 (room for the terminator)
PUSH EAX ; single size argument
CALL 03_06_Qu.00401093 ; allocate len+1 bytes; target unresolved here — presumably malloc or operator new[] (cdecl, see the ADD ESP,4 below)
ADD ESP,4 ; caller pops the argument (cdecl)
MOV DWORD PTR SS:[EBP-C],EAX ; temp = returned pointer — NOT checked for NULL before use
MOV ECX,DWORD PTR SS:[EBP-C]
MOV DWORD PTR SS:[EBP-4],ECX ; name = temp (the named variable; [EBP-C] is not read again in this excerpt)
MOV DWORD PTR SS:[EBP-8],0 ; i = 0 ([EBP-8] reused as the copy index)
/MOV EDX,DWORD PTR SS:[EBP+10]
|ADD EDX,DWORD PTR SS:[EBP-8] ; EDX = &lpCmd[i]
|MOVSX EAX,BYTE PTR DS:[EDX] ; EAX = lpCmd[i] (sign-extended)
|TEST EAX,EAX
|JE SHORT 03_06_Qu.00401082 ; while (lpCmd[i] != 0) {   — NUL ends the copy
|MOV ECX,DWORD PTR SS:[EBP-4] ; ECX = name
|ADD ECX,DWORD PTR SS:[EBP-8] ; ECX = &name[i]
|MOV EDX,DWORD PTR SS:[EBP+10]
|ADD EDX,DWORD PTR SS:[EBP-8] ; EDX = &lpCmd[i]
|MOV AL,BYTE PTR DS:[EDX]
|MOV BYTE PTR DS:[ECX],AL ; name[i] = lpCmd[i]
|MOV ECX,DWORD PTR SS:[EBP-8]
|ADD ECX,1
|MOV DWORD PTR SS:[EBP-8],ECX ; i++
\JMP SHORT 03_06_Qu.0040105A ; }
MOV EDX,DWORD PTR SS:[EBP-4] ; EDX = name — what the allocation holds cannot be seen at the call site; only the use sites (this copy) show it is a char buffer
ADD EDX,DWORD PTR SS:[EBP-8] ; EDX = &name[i], and i == len here
MOV BYTE PTR DS:[EDX],0 ; name[len] = '\0' — byte len+1 of the allocation, still in bounds
-------------------------------
3-7 strcmp