IF多分支逆向分析

IF多分支逆向分析

案例

CPP代码

#include "stdafx.h"
int cnt;	// global written by Function(): 1 when x == 1 or y == 1, else 0
// Source that produces the annotated disassembly below: an if / else-if / else
// chain with one global store per branch. The first true condition wins, so
// cnt is assigned exactly once on every path.
void Function(int x, int y) {
	if (x == 1) {
		cnt = 1;
	} else if (y == 1) {
		cnt = 1;		// only reached when x != 1
	} else {
		cnt = 0;
	}
}
// Entry point used for the walkthrough; neither argument is 1, so cnt ends up 0.
int main(int argc, char* argv[]) {
	Function(2,3);	// x = 2, y = 3 (pushed right-to-left: push 3, push 2)
	return 0;
}

反汇编代码

00401068   push        3	; second argument (y) pushed first: args go on the stack right-to-left
0040106A   push        2	; first argument (x) - lands at [ebp+8] inside Function
0040106C   call        @ILT+10(Function) (0040100f)	; call goes through the incremental-link-table thunk
00401071   add         esp,8	; caller removes the 8 bytes of arguments (caller-cleanup, cdecl-style)

0040100F   jmp         Function (004106c0)	; ILT thunk: plain jump to the real body

004106C0   push        ebp	; Function: standard frame setup
004106C1   mov         ebp,esp
004106C3   sub         esp,40h	; 0x40 bytes of frame space
004106C6   push        ebx	; save callee-saved regs (restored at the common exit)
004106C7   push        esi
004106C8   push        edi
004106C9   lea         edi,[ebp-40h]	; edi = bottom of the 0x40-byte frame
004106CC   mov         ecx,10h	; 0x10 dwords = 0x40 bytes
004106D1   mov         eax,0CCCCCCCCh
004106D6   rep stos    dword ptr [edi]	; fill the frame with 0xCC (int3) - looks like MSVC debug-build stack fill, confirm from build flags
004106D8   cmp         dword ptr [ebp+8],1	; [ebp+8] = first stack arg (x); compare with 1
004106DC   jne         Function+2Ah (004106ea)	; x != 1 -> fall to the next test (else-if)
004106DE   mov         dword ptr [0042c20c],1	; x == 1: global at 0042c20c (cnt) = 1
004106E8   jmp         Function+46h (00410706)	; skip the remaining branches -> common exit
004106EA   cmp         dword ptr [ebp+0Ch],1	; [ebp+0Ch] = second stack arg (y); compare with 1
004106EE   jne         Function+3Ch (004106fc)	; y != 1 -> else branch
004106F0   mov         dword ptr [0042c20c],1	; y == 1: cnt = 1
004106FA   jmp         Function+46h (00410706)	; -> common exit
004106FC   mov         dword ptr [0042c20c],0	; else: cnt = 0 (no test precedes this branch)
00410706   pop         edi	; common exit: restore regs, tear down frame
00410707   pop         esi
00410708   pop         ebx
00410709   mov         esp,ebp
0041070B   pop         ebp
0041070C   ret	; caller pops the arguments (add esp,8 at 00401071)

IF多分支语句的反汇编判断

IF_BEGIN:
	影响标志寄存器的指令
	jxx ELSE_IF_BEGIN
	......
IF_END:
	jmp END
ELSE_IF_BEGIN:
	影响标志寄存器的指令
	jxx ELSE_BEGIN		;或下一个ELSE_IF_BEGIN
	......
ELSE_IF_END:
	jmp END
......
......
ELSE_BEGIN:
	......
ELSE_END:
	......

特点:

  1. 每个条件跳转指令要跳转的地址前面都有jmp指令
  2. 这些jmp指令跳转的地址都是一样的
  3. 如果某个分支没有条件判断,则为else部分

案例分析

分析参数
[ebp+8]:x	[ebp+0Ch]:y
分析局部变量
分析全局变量
[0042c20c]:N
功能分析
004106D8   cmp         dword ptr [ebp+8],1	;比较x和1
004106DC   jne         Function+2Ah (004106ea)	;x!=1则跳转到004106ea
004106DE   mov         dword ptr [0042c20c],1	;x==1则N=1
004106E8   jmp         Function+46h (00410706)	;上一行指令如果成功执行则跳转到00410706
004106EA   cmp         dword ptr [ebp+0Ch],1	;比较y和1
004106EE   jne         Function+3Ch (004106fc)	;y!=1则跳转到004106fc
004106F0   mov         dword ptr [0042c20c],1	;y==1则N=1
004106FA   jmp         Function+46h (00410706)	;上一行指令如果成功执行则跳转到00410706
004106FC   mov         dword ptr [0042c20c],0	;N=0
返回值分析
还原成C函数
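int N;	// global written by Function(); corresponds to [0042c20c] in the listing
// Restored from the disassembly: each jne leads to the next test, and every
// branch ends at the shared exit 00410706. N = 1 when x == 1 or y == 1, else 0.
void Function(int x, int y) {
	if (x == 1) {
		N = 1;
	} else if (y == 1) {
		N = 1;
	} else {
		N = 0;		// the original transcription was missing the ';'
	}
}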

小总结:条件跳转的目的地址为下一个判断点

练习

反汇编代码

004010B0   push        ebp	; exercise function: frame setup
004010B1   mov         ebp,esp
004010B3   sub         esp,4Ch	; 0x4C bytes of frame space
004010B6   push        ebx	; save callee-saved regs
004010B7   push        esi
004010B8   push        edi
004010B9   lea         edi,[ebp-4Ch]	; edi = bottom of the frame
004010BC   mov         ecx,13h	; 0x13 dwords = 0x4C bytes
004010C1   mov         eax,0CCCCCCCCh
004010C6   rep stos    dword ptr [edi]	; fill the frame with 0xCC (int3) - looks like MSVC debug-build stack fill, confirm
004010C8   mov         dword ptr [ebp-4],0	; local a = 0
004010CF   mov         dword ptr [ebp-8],1	; local b = 1
004010D6   mov         dword ptr [ebp-0Ch],2	; local c = 2
004010DD   mov         eax,dword ptr [ebp+8]	; eax = x (first stack arg)
004010E0   cmp         eax,dword ptr [ebp+0Ch]	; compare x with y (jg below is a signed compare)
004010E3   jg         004010f0	; x > y -> next test; fall-through is x <= y
004010E5   mov         ecx,dword ptr [ebp-8]
004010E8   sub         ecx,1
004010EB   mov         dword ptr [ebp-4],ecx	; a = b - 1
004010EE   jmp         00401123	; -> common exit
004010F0   mov         edx,dword ptr [ebp+0Ch]	; edx = y
004010F3   cmp         edx,dword ptr [ebp+10h]	; compare y with z (third stack arg)
004010F6   jl          00401103	; y < z -> next test; fall-through is y >= z
004010F8   mov         eax,dword ptr [ebp-0Ch]
004010FB   add         eax,1
004010FE   mov         dword ptr [ebp-4],eax	; a = c + 1
00401101   jmp         00401123	; -> common exit
00401103   mov         ecx,dword ptr [ebp+8]	; ecx = x
00401106   cmp         ecx,dword ptr [ebp+10h]	; compare x with z
00401109   jle         00401116	; x <= z -> else branch; fall-through is x > z
0040110B   mov         edx,dword ptr [ebp-8]
0040110E   add         edx,dword ptr [ebp-0Ch]
00401111   mov         dword ptr [ebp-4],edx	; a = b + c
00401114   jmp         00401123	; -> common exit
00401116   mov         eax,dword ptr [ebp-0Ch]	; else branch: no test precedes it
00401119   mov         ecx,dword ptr [ebp-8]
0040111C   lea         edx,[ecx+eax-1]	; edx = b + c - 1 (lea as arithmetic, flags untouched)
00401120   mov         dword ptr [ebp-4],edx	; a = b + c - 1
00401123   mov         eax,dword ptr [ebp-4]	; common exit: eax = a
00401126   add         eax,1	; return value eax = a + 1
00401129   pop         edi	; restore regs, tear down frame
0040112A   pop         esi
0040112B   pop         ebx
0040112C   mov         esp,ebp
0040112E   pop         ebp
0040112F   ret

分析

分析参数
[ebp+8]:x	[ebp+0Ch]:y	[ebp+10h]:z
分析局部变量
[ebp-4]:a	[ebp-8]:b	[ebp-0Ch]:c
分析全局变量
功能分析
004010C8   mov         dword ptr [ebp-4],0	;a=0
004010CF   mov         dword ptr [ebp-8],1	;b=1
004010D6   mov         dword ptr [ebp-0Ch],2	;c=2
004010DD   mov         eax,dword ptr [ebp+8]
004010E0   cmp         eax,dword ptr [ebp+0Ch]	;比较x和y
004010E3   jg          004010f0			;x>y则跳转到004010f0
004010E5   mov         ecx,dword ptr [ebp-8]
004010E8   sub         ecx,1
004010EB   mov         dword ptr [ebp-4],ecx	;x<=y则a=b-1
004010EE   jmp         00401123
004010F0   mov         edx,dword ptr [ebp+0Ch]
004010F3   cmp         edx,dword ptr [ebp+10h]	;比较y和z
004010F6   jl          00401103			;y<z则跳转到00401103
004010F8   mov         eax,dword ptr [ebp-0Ch]
004010FB   add         eax,1
004010FE   mov         dword ptr [ebp-4],eax	;y>=z则a=c+1
00401101   jmp         00401123
00401103   mov         ecx,dword ptr [ebp+8]
00401106   cmp         ecx,dword ptr [ebp+10h]	;比较x和z
00401109   jle         00401116			;x<=z则跳转到00401116
0040110B   mov         edx,dword ptr [ebp-8]
0040110E   add         edx,dword ptr [ebp-0Ch]
00401111   mov         dword ptr [ebp-4],edx	;x>z则a=b+c
00401114   jmp         00401123
00401116   mov         eax,dword ptr [ebp-0Ch]	;else_begin
00401119   mov         ecx,dword ptr [ebp-8]
0040111C   lea         edx,[ecx+eax-1]
00401120   mov         dword ptr [ebp-4],edx	;a=c+b-1
00401123   mov         eax,dword ptr [ebp-4]	;返回值eax设置
00401126   add         eax,1			;eax=a+1
返回值分析
eax
还原成C函数
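// Restored from the disassembly at 004010B0. The listing reads three stack
// arguments ([ebp+8], [ebp+0Ch], [ebp+10h]), so the function takes x, y and z;
// the original transcription omitted z even though the body uses it.
// Each fall-through path is the negation of the (signed) jump condition:
//   jg  -> taken when x > y,  fall-through x <= y
//   jl  -> taken when y < z,  fall-through y >= z
//   jle -> taken when x <= z, fall-through x > z
// Returns a + 1 (eax at 00401126).
int Function(int x, int y, int z) {
	int a = 0, b = 1, c = 2;	// [ebp-4], [ebp-8], [ebp-0Ch]
	if (x <= y) {
		a = b - 1;
	} else if (y >= z) {
		a = c + 1;
	} else if (x > z) {
		a = b + c;
	} else {
		a = c + b - 1;		// lea edx,[ecx+eax-1]
	}
	return a + 1;
}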

