WinDBG Tip: Showing a Function's Assembly Code (the uf Command)


WinDBG's uf command disassembles a binary and displays the assembly code, which helps you analyze a function when no source code is available. For example, the Windows Minesweeper program (winmine.exe) is known to have a function called winmine!StartGame (found with the x winmine!* command); you can use the uf winmine!StartGame command to display that function's assembly code:
0:000> uf winmine!StartGame
winmine!StartGame:
0100367a a1ac560001      mov     eax,dword ptr [winmine!Preferences+0xc (010056ac)]
0100367f 8b0da8560001    mov     ecx,dword ptr [winmine!Preferences+0x8 (010056a8)]
01003685 53              push    ebx
01003686 56              push    esi
01003687 57              push    edi
01003688 33ff            xor     edi,edi
0100368a 3b0534530001    cmp     eax,dword ptr [winmine!xBoxMac (01005334)]
01003690 893d64510001    mov     dword ptr [winmine!fTimer (01005164)],edi
01003696 750c            jne     winmine!StartGame+0x2a (010036a4)

winmine!StartGame+0x1e:
01003698 3b0d38530001    cmp     ecx,dword ptr [winmine!yBoxMac (01005338)]
0100369e 7504            jne     winmine!StartGame+0x2a (010036a4)

winmine!StartGame+0x26:
010036a0 6a04            push    4
010036a2 eb02            jmp     winmine!StartGame+0x2c (010036a6)

winmine!StartGame+0x2a:
010036a4 6a06            push    6

winmine!StartGame+0x2c:
010036a6 5b              pop     ebx
010036a7 a334530001      mov     dword ptr [winmine!xBoxMac (01005334)],eax
010036ac 890d38530001    mov     dword ptr [winmine!yBoxMac (01005338)],ecx
010036b2 e81ef8ffff      call    winmine!ClearField (01002ed5)
010036b7 a1a4560001      mov     eax,dword ptr [winmine!Preferences+0x4 (010056a4)]
010036bc 893d60510001    mov     dword ptr [winmine!iButtonCur (01005160)],edi
010036c2 a330530001      mov     dword ptr [winmine!cBombStart (01005330)],eax

winmine!StartGame+0x4d:
010036c7 ff3534530001    push    dword ptr [winmine!xBoxMac (01005334)]
010036cd e86e020000      call    winmine!Rnd (01003940)
010036d2 ff3538530001    push    dword ptr [winmine!yBoxMac (01005338)]
010036d8 8bf0            mov     esi,eax
010036da 46              inc     esi
010036db e860020000      call    winmine!Rnd (01003940)
010036e0 40              inc     eax
010036e1 8bc8            mov     ecx,eax
010036e3 c1e105          shl     ecx,5
010036e6 f684314053000180 test    byte ptr winmine!rgBlk (01005340)[ecx+esi],80h
010036ee 75d7            jne     winmine!StartGame+0x4d (010036c7)

winmine!StartGame+0x76:
010036f0 c1e005          shl     eax,5
010036f3 8d843040530001  lea     eax,winmine!rgBlk (01005340)[eax+esi]
010036fa 800880          or      byte ptr [eax],80h
010036fd ff0d30530001    dec     dword ptr [winmine!cBombStart (01005330)]
01003703 75c2            jne     winmine!StartGame+0x4d (010036c7)

winmine!StartGame+0x8b:
01003705 8b0d38530001    mov     ecx,dword ptr [winmine!yBoxMac (01005338)]
0100370b 0faf0d34530001  imul    ecx,dword ptr [winmine!xBoxMac (01005334)]
01003712 a1a4560001      mov     eax,dword ptr [winmine!Preferences+0x4 (010056a4)]
01003717 2bc8            sub     ecx,eax
01003719 57              push    edi
0100371a 893d9c570001    mov     dword ptr [winmine!cSec (0100579c)],edi
01003720 a330530001      mov     dword ptr [winmine!cBombStart (01005330)],eax
01003725 a394510001      mov     dword ptr [winmine!cBombLeft (01005194)],eax
0100372a 893da4570001    mov     dword ptr [winmine!cBoxVisit (010057a4)],edi
01003730 890da0570001    mov     dword ptr [winmine!cBoxVisitMac (010057a0)],ecx
01003736 c7050050000101000000 mov dword ptr [winmine!fStatus (01005000)],1
01003740 e825fdffff      call    winmine!UpdateBombCount (0100346a)
01003745 53              push    ebx
01003746 e805e2ffff      call    winmine!AdjustWindow (01001950)
0100374b 5f              pop     edi
0100374c 5e              pop     esi
0100374d 5b              pop     ebx
0100374e c3              ret
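As an added example (not part of the original post or of winmine.exe), the listing above can be read back into C to check one's understanding of the uf output: clear the board, place cBombStart mines at random cells that are not already mined, then reset the per-game counters. Symbol names mirror the listing; the board size, the 32-byte row stride (shl ecx,5) and the stand-in for winmine!Rnd are assumptions, since their real definitions are not shown.

```c
#include <stdint.h>
#include <string.h>
/* Globals named after the winmine symbols in the uf listing; sizes and
   initial values are assumptions for this example, not read from the binary. */
static uint8_t rgBlk[32 * 32];            /* board, row stride 32 (shl ecx,5) */
static int xBoxMac, yBoxMac;              /* board width and height in cells */
static int cBombStart, cBombLeft, cBoxVisit, cBoxVisitMac;
static int cSec, fTimer, fStatus, iButtonCur;

/* Deterministic stand-in for winmine!Rnd, whose body is not in the listing:
   returns a value in [0, n). */
static uint32_t seed = 12345;
static int Rnd(int n) {
    seed = seed * 1103515245u + 12345u;
    return (int)((seed >> 16) % (uint32_t)n);
}

/* winmine!StartGame as read from the disassembly. width, height and bombs
   stand for Preferences+0xc, Preferences+0x8 and Preferences+0x4. */
void StartGame(int width, int height, int bombs) {
    fTimer = 0;                           /* mov [fTimer],edi (edi == 0) */
    xBoxMac = width;
    yBoxMac = height;
    memset(rgBlk, 0, sizeof rgBlk);       /* stands in for winmine!ClearField */
    iButtonCur = 0;
    cBombStart = bombs;
    do {                                  /* loop at StartGame+0x4d */
        int x, y;
        do {
            x = Rnd(xBoxMac) + 1;         /* esi = Rnd(xBoxMac) + 1 */
            y = Rnd(yBoxMac) + 1;         /* eax = Rnd(yBoxMac) + 1 */
        } while (rgBlk[(y << 5) + x] & 0x80);  /* test ... 80h ; jne: retry */
        rgBlk[(y << 5) + x] |= 0x80;      /* or byte ptr [eax],80h: place a mine */
    } while (--cBombStart != 0);          /* dec [cBombStart] ; jne */
    cSec = 0;                             /* StartGame+0x8b: reset counters */
    cBombStart = bombs;
    cBombLeft = bombs;
    cBoxVisit = 0;
    cBoxVisitMac = xBoxMac * yBoxMac - bombs;   /* imul ; sub ecx,eax */
    fStatus = 1;
    /* UpdateBombCount and AdjustWindow are UI calls in the original; omitted. */
}

/* Check helper for the reconstruction: number of cells carrying the mine bit. */
int CountMines(void) {
    int n = 0;
    for (int i = 0; i < 32 * 32; i++) n += (rgBlk[i] & 0x80) != 0;
    return n;
}
```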
