Day7:数组与指针识别
数组与指针识别
数组与指针识别
整型一维数组
51.text:00464260 mov [ebp+var_14], 1 ; arr[0] = 1 -- int arr[3] occupies var_14, var_10, var_C (three 4-byte slots)
.text:00464267 mov [ebp+var_10], 2 ; arr[1] = 2
.text:0046426E mov [ebp+var_C], 3 ; arr[2] = 3
.text:00464275 lea eax, [ebp+var_14] ; eax = &arr[0]: the array decays to int* at the call site
.text:00464278 push eax ; the only argument is that pointer; no length is passed
.text:00464279 call sub_45D447 ; IntShow(arr)
.text:0046427E add esp, 4 ; cdecl: the caller pops the one 4-byte argument
;sub_45D447 -- IntShow(int* n): printf("%d %d %d", n[0], n[1], n[2]). cdecl, arg_0 = n at [ebp+8].
; The 0xCC frame fill and the extra runtime calls look like an MSVC debug build (inferred, not shown on the page).
.text:004640D0 arg_0 = dword ptr 8 ; n: pointer to the caller's arr[0]
.text:004640D0
.text:004640D0 push ebp ; standard frame setup
.text:004640D1 mov ebp, esp
.text:004640D3 sub esp, 0C0h ; 0xC0 bytes of frame; the C source declares no locals
.text:004640D9 push ebx ; save callee-saved registers
.text:004640DA push esi
.text:004640DB push edi
.text:004640DC mov edi, ebp ; fill target
.text:004640DE xor ecx, ecx ; ecx = 0, so the rep stosd below stores nothing as listed
.text:004640E0 mov eax, 0CCCCCCCCh ; 0xCC (int3) fill pattern for uninitialised stack
.text:004640E5 rep stosd
.text:004640E7 mov ecx, offset unk_54D014 ; per-function runtime hook; its purpose is not visible in this listing
.text:004640EC call sub_45FF35
.text:004640F1 nop
.text:004640F2 mov eax, 4 ; sizeof(int)
.text:004640F7 shl eax, 1 ; eax = 4 << 1 = 8 = byte offset of n[2]
.text:004640F9 mov ecx, [ebp+arg_0] ; ecx = n, the array base passed by the caller
.text:004640FC mov edx, [ecx+eax] ; edx = n[2] = *(int*)((char*)n + 8)
.text:004640FF push edx ; printf args are pushed right-to-left: n[2] first
.text:00464100 mov eax, 4
.text:00464105 shl eax, 0 ; eax = 4 << 0 = 4 = byte offset of n[1]
.text:00464108 mov ecx, [ebp+arg_0]
.text:0046410B mov edx, [ecx+eax] ; edx = n[1]
.text:0046410E push edx
.text:0046410F mov eax, 4
.text:00464114 imul ecx, eax, 0 ; ecx = 4 * 0 = 0 = byte offset of n[0]
.text:00464117 mov edx, [ebp+arg_0]
.text:0046411A mov eax, [edx+ecx] ; eax = n[0], the first element
.text:0046411D push eax
.text:0046411E push offset aDDD ; "%d %d %d" -- format string pushed last (leftmost argument)
.text:00464123 call sub_45DB5E ; printf("%d %d %d", n[0], n[1], n[2])
.text:00464128 add esp, 10h ; cdecl: pop 4 args x 4 bytes
.text:0046412B pop edi ; restore callee-saved registers
.text:0046412C pop esi
.text:0046412D pop ebx
.text:0046412E add esp, 0C0h ; release the frame
.text:00464134 cmp ebp, esp ; esp should equal ebp again; the following call presumably consumes this flag (stack-balance check) -- not visible here
.text:00464136 call sub_45F17F
.text:0046413B mov esp, ebp
.text:0046413D pop ebp
.text:0046413E retn源码
8void IntShow(int* n) {
/* n is a pointer, not an array: the caller's int arr[3] decays to int* at the call site.
   Compare sub_45D447 above: n[i] becomes a load from [n + i*4]. Nothing here can check
   that n really points at three elements -- the callee only ever sees the address. */
printf("%d %d %d", n[0], n[1], n[2]);
}
int main(){
/* arr is three consecutive 4-byte ints in main's frame (var_14, var_10, var_C in the listing above). */
int arr[3] = { 1,2,3 };
IntShow(arr); /* passes &arr[0]; the length 3 is not passed */
return 0;
}字符型一维数组
39.text:00464281 mov eax, ds:dword_520E60 ; 'lleh' -- first 4 bytes of "hello" as a little-endian dword
.text:00464286 mov [ebp+var_24], eax ; copied into the local buf through eax: buf[0..3] = "hell"
.text:00464289 mov cx, ds:word_520E64 ; 'o' -- the remaining 2 bytes: 'o' and the terminating NUL (6 bytes total)
.text:00464290 mov [ebp+var_20], cx ; buf[4..5]; var_20 = var_24 + 4, so the string is contiguous
.text:00464294 lea eax, [ebp+var_24] ; eax = &buf[0] (array decays to char*)
.text:00464297 push eax ; CharShow(buf): only the address is passed
.text:00464298 call sub_45E3AB
.text:0046429D add esp, 4 ; cdecl: the caller pops the 4-byte argument
;sub_45E3AB -- CharShow(char* n): printf("%s", n). cdecl, arg_0 = n at [ebp+8].
; Same prologue/epilogue shape as sub_45D447 above.
.text:00463FC0 arg_0 = dword ptr 8 ; n: pointer to the caller's buf
.text:00463FC0
.text:00463FC0 push ebp ; standard frame setup
.text:00463FC1 mov ebp, esp
.text:00463FC3 sub esp, 0C0h ; 0xC0 bytes of frame; no locals in the C source
.text:00463FC9 push ebx ; save callee-saved registers
.text:00463FCA push esi
.text:00463FCB push edi
.text:00463FCC mov edi, ebp ; fill target
.text:00463FCE xor ecx, ecx ; ecx = 0, so the rep stosd below stores nothing as listed
.text:00463FD0 mov eax, 0CCCCCCCCh ; 0xCC uninitialised-stack pattern
.text:00463FD5 rep stosd
.text:00463FD7 mov ecx, offset unk_54D014 ; per-function runtime hook; purpose not visible here
.text:00463FDC call sub_45FF35
.text:00463FE1 nop
.text:00463FE2 mov eax, [ebp+arg_0] ; eax = n, passed through unchanged
.text:00463FE5 push eax ; no indexing at all: "%s" reads bytes from n until a NUL, which the caller must guarantee
.text:00463FE6 push offset aS ; "%s"
.text:00463FEB call sub_45DB5E ; printf("%s", n)
.text:00463FF0 add esp, 8 ; cdecl: pop 2 args x 4 bytes
.text:00463FF3 pop edi ; restore callee-saved registers
.text:00463FF4 pop esi
.text:00463FF5 pop ebx
.text:00463FF6 add esp, 0C0h ; release the frame
.text:00463FFC cmp ebp, esp ; stack-balance check, as in sub_45D447
.text:00463FFE call sub_45F17F
.text:00464003 mov esp, ebp
.text:00464005 pop ebp
.text:00464006 retn源码
8void CharShow(char* n) {
/* "%s" reads from n until a NUL byte; the caller must pass a terminated string.
   sub_45E3AB above shows the pointer is forwarded to printf without any indexing. */
printf("%s", n);
}
int main(){
/* buf is 6 bytes ("hello" plus NUL); the listing stores it as one dword (var_24) and one word (var_20). */
char buf[] = { "hello" };
CharShow(buf); /* array decays to char*; only &buf[0] is passed */
return 0;
}数组作为返回值
57.text:004642C3 call sub_45FC79 ; p = CrZT(); the pointer comes back in eax
.text:004642C8 mov [ebp+var_40], eax ; store the returned pointer in the local p
.text:004642CB mov eax, [ebp+var_40] ; reload p to pass it on
.text:004642CE push eax ; p points into sub_45FC79's frame, which was already released by its retn: what printf reads is whatever still sits there
.text:004642CF push offset aS ; "%s"
.text:004642D4 call sub_45DB59 ; printf("%s", p)
.text:004642D9 add esp, 8 ; cdecl: pop 2 args x 4 bytes
;sub_45FC79 -- CrZT(): builds "vivo50" in a 7-byte local (var_10) and returns its address in eax.
; That local lives in this frame, which is released by mov esp,ebp / pop ebp / retn at the end,
; so the caller receives a dangling pointer (undefined behaviour in the C source). The /GS cookie
; in var_4 only detects corruption of the cookie slot before return; it does not catch this
; use of stack memory after the function has returned.
.text:00464020 var_14 = byte ptr -14h ; start of the 0xCC-filled region (5 dwords = 0x14 bytes, up to ebp)
.text:00464020 var_10 = dword ptr -10h ; temp[0..3] = "vivo"
.text:00464020 var_C = word ptr -0Ch ; temp[4..5] = "50"
.text:00464020 var_A = byte ptr -0Ah ; temp[6] = last byte of the 7-byte array
.text:00464020 var_4 = dword ptr -4 ; stack-cookie slot
.text:00464020
.text:00464020 push ebp ; standard frame setup
.text:00464021 mov ebp, esp
.text:00464023 sub esp, 0D4h ; 0xD4 bytes of frame
.text:00464029 push ebx ; save callee-saved registers
.text:0046402A push esi
.text:0046402B push edi
.text:0046402C lea edi, [ebp+var_14] ; fill var_14..var_1 (5 dwords) with 0xCC: uninitialised-stack marker
.text:0046402F mov ecx, 5
.text:00464034 mov eax, 0CCCCCCCCh
.text:00464039 rep stosd
.text:0046403B mov eax, ___security_cookie ; /GS stack protector: store cookie ^ ebp in var_4 (after the fill, so it survives)
.text:00464040 xor eax, ebp
.text:00464042 mov [ebp+var_4], eax
.text:00464045 mov ecx, offset unk_54E014 ; per-function runtime hook; purpose not visible here
.text:0046404A call sub_45FF35
.text:0046404F nop
.text:00464050 mov eax, ds:dword_521E60 ; 'oviv' -- "vivo" as a little-endian dword
.text:00464055 mov [ebp+var_10], eax ; temp[0..3], copied through eax
.text:00464058 mov cx, ds:word_521E64 ; '05' -- "50"
.text:0046405F mov [ebp+var_C], cx ; temp[4..5], copied through cx
.text:00464063 mov dl, ds:byte_521E66 ; 7th byte, presumably the terminating NUL
.text:00464069 mov [ebp+var_A], dl ; temp[6]
.text:0046406C lea eax, [ebp+var_10] ; eax = &temp[0]: the return value (array decays to char*)
.text:0046406F push edx ; preserve edx and eax around the runtime call below
.text:00464070 mov ecx, ebp ; ecx = frame base, edx = descriptor at dword_4640A0: looks like a per-frame local-variable check (inferred)
.text:00464072 push eax
.text:00464073 lea edx, dword_4640A0
.text:00464079 call sub_45EC52
.text:0046407E pop eax ; eax (the returned pointer) restored
.text:0046407F pop edx
.text:00464080 pop edi ; restore callee-saved registers
.text:00464081 pop esi
.text:00464082 pop ebx
.text:00464083 mov ecx, [ebp+var_4] ; cookie check: (stored value ^ ebp) must still equal ___security_cookie
.text:00464086 xor ecx, ebp ; StackCookie
.text:00464088 call j_@__security_check_cookie@4 ; __security_check_cookie(x)
.text:0046408D add esp, 0D4h ; release the frame
.text:00464093 cmp ebp, esp ; stack-balance check
.text:00464095 call sub_45F17A
.text:0046409A mov esp, ebp ; from here on temp's storage is free stack space, yet eax still points at it
.text:0046409C pop ebp
.text:0046409D retn源码
9char* CrZT() {
/* temp is a 7-byte array in this function's own stack frame (var_10/var_C/var_A in sub_45FC79). */
char temp[7] = "vivo50";
/* BUG (undefined behaviour): returns the address of a local whose storage is released on return.
   The listing shows it directly: eax = &var_10 is returned, then mov esp,ebp / pop ebp discards
   the frame. Any later access through the pointer reads stale stack memory. */
return temp;
}
int main(){
char* p = CrZT(); /* p is dangling as soon as CrZT returns */
printf("%s", p); /* reads stale stack memory; the output is not guaranteed to be "vivo50" */
return 0;
}整型二维数组(和一维数组没有本质上的区别,都是占用一段连续的内存空间)
35.text:004642DC mov [ebp+var_58], 1 ; num[0][0] -- int num[2][2] is 16 contiguous bytes starting at var_58, row-major
.text:004642E3 mov [ebp+var_54], 2 ; num[0][1]
.text:004642EA mov [ebp+var_50], 3 ; num[1][0]
.text:004642F1 mov [ebp+var_4C], 4 ; num[1][1]
.text:004642F8 mov eax, 8 ; row stride = 2 ints * 4 bytes
.text:004642FD shl eax, 0 ; eax = 8 << 0 = 8: row 1
.text:00464300 lea ecx, [ebp+eax+var_58] ; ecx = &num[1][0] = var_58 + 8 = var_50
.text:00464304 mov edx, 4 ; column stride = sizeof(int)
.text:00464309 shl edx, 0 ; edx = 4 << 0 = 4: column 1
.text:0046430C mov eax, [ecx+edx] ; eax = num[1][1] = var_58 + 0Ch = var_4C
.text:0046430F push eax ; printf args are pushed right-to-left: num[1][1] first
.text:00464310 mov ecx, 8
.text:00464315 shl ecx, 0 ; ecx = 8: row 1
.text:00464318 lea edx, [ebp+ecx+var_58] ; edx = &num[1][0] = var_50
.text:0046431C mov eax, 4
.text:00464321 imul ecx, eax, 0 ; ecx = 4 * 0 = 0: column 0
.text:00464324 mov edx, [edx+ecx] ; edx = num[1][0] = var_50
.text:00464327 push edx
.text:00464328 mov eax, 8
.text:0046432D imul ecx, eax, 0 ; ecx = 8 * 0 = 0: row 0
.text:00464330 lea edx, [ebp+ecx+var_58] ; edx = &num[0][0] = var_58
.text:00464334 mov eax, 4
.text:00464339 shl eax, 0 ; eax = 4: column 1
.text:0046433C mov ecx, [edx+eax] ; ecx = num[0][1] = var_54
.text:0046433F push ecx
.text:00464340 mov edx, 8
.text:00464345 imul eax, edx, 0 ; eax = 8 * 0 = 0: row 0
.text:00464348 lea ecx, [ebp+eax+var_58] ; ecx = &num[0][0] = var_58
.text:0046434C mov edx, 4
.text:00464351 imul eax, edx, 0 ; eax = 4 * 0 = 0: column 0 (the destination is eax, not ecx)
.text:00464354 mov ecx, [ecx+eax] ; ecx = num[0][0] = var_58
.text:00464357 push ecx
.text:00464358 push offset aDDDD ; "%d,%d,%d,%d"
.text:0046435D call sub_45DB59 ; printf("%d,%d,%d,%d", num[0][0], num[0][1], num[1][0], num[1][1]); caller then pops 5 args x 4 = 14h bytes (cdecl)
.text:00464362 add esp, 14h源码
2int num[2][2] = { {1,2},{3,4} }; /* 16 contiguous bytes, row-major: num[r][c] sits at base + r*8 + c*4, exactly the offsets computed in the listing above */
printf("%d,%d,%d,%d", num[0][0], num[0][1], num[1][0], num[1][1]);