WinDBG的 uf 命令可以把二進制進行反匯編并顯示匯編代碼,幫助在沒有源代碼的情況下分析函數。 舉個例子,已知Windows 下的掃雷程序(winmine.exe) 有個函數叫winmine!StartGame (通過 x winmine!* 命令) ,可以使用uf winmine!StartGame 命令顯示該函數的匯編碼:
?
?
0:000>
uf winmine!StartGame
winmine!StartGame:
0100367a a1ac560001????? mov???? eax,dword ptr [winmine!Preferences+0xc (010056ac)]
0100367f 8b0da8560001??? mov???? ecx,dword ptr [winmine!Preferences+0x8 (010056a8)]
01003685 53????????????? push??? ebx
01003686 56????????????? push??? esi
01003687 57????????????? push??? edi
01003688 33ff??????????? xor???? edi,edi
0100368a 3b0534530001??? cmp???? eax,dword ptr [winmine!xBoxMac (01005334)]
01003690 893d64510001??? mov???? dword ptr [winmine!fTimer (01005164)],edi
01003696 750c??????????? jne???? winmine!StartGame+0x2a (010036a4)
winmine!StartGame+0x1e:
01003698 3b0d38530001??? cmp???? ecx,dword ptr [winmine!yBoxMac (01005338)]
0100369e 7504??????????? jne???? winmine!StartGame+0x2a (010036a4)
winmine!StartGame+0x26:
010036a0 6a04??????????? push??? 4
010036a2 eb02??????????? jmp???? winmine!StartGame+0x2c (010036a6)
winmine!StartGame+0x2a:
010036a4 6a06??????????? push??? 6
winmine!StartGame+0x2c:
010036a6 5b????????????? pop???? ebx
010036a7 a334530001????? mov???? dword ptr [winmine!xBoxMac (01005334)],eax
010036ac 890d38530001??? mov???? dword ptr [winmine!yBoxMac (01005338)],ecx
010036b2 e81ef8ffff????? call??? winmine!ClearField (01002ed5)
010036b7 a1a4560001????? mov???? eax,dword ptr [winmine!Preferences+0x4 (010056a4)]
010036bc 893d60510001??? mov???? dword ptr [winmine!iButtonCur (01005160)],edi
010036c2 a330530001????? mov???? dword ptr [winmine!cBombStart (01005330)],eax
winmine!StartGame+0x4d:
010036c7 ff3534530001??? push??? dword ptr [winmine!xBoxMac (01005334)]
010036cd e86e020000????? call??? winmine!Rnd (01003940)
010036d2 ff3538530001??? push??? dword ptr [winmine!yBoxMac (01005338)]
010036d8 8bf0??????????? mov???? esi,eax
010036da 46????????????? inc???? esi
010036db e860020000????? call??? winmine!Rnd (01003940)
010036e0 40????????????? inc???? eax
010036e1 8bc8??????????? mov???? ecx,eax
010036e3 c1e105????????? shl???? ecx,5
010036e6 f684314053000180 test??? byte ptr winmine!rgBlk (01005340)[ecx+esi],80h
010036ee 75d7??????????? jne???? winmine!StartGame+0x4d (010036c7)
winmine!StartGame+0x76:
010036f0 c1e005????????? shl???? eax,5
010036f3 8d843040530001? lea???? eax,winmine!rgBlk (01005340)[eax+esi]
010036fa 800880????????? or????? byte ptr [eax],80h
010036fd ff0d30530001??? dec???? dword ptr [winmine!cBombStart (01005330)]
01003703 75c2??????????? jne???? winmine!StartGame+0x4d (010036c7)
winmine!StartGame+0x8b:
01003705 8b0d38530001??? mov???? ecx,dword ptr [winmine!yBoxMac (01005338)]
0100370b 0faf0d34530001? imul??? ecx,dword ptr [winmine!xBoxMac (01005334)]
01003712 a1a4560001????? mov???? eax,dword ptr [winmine!Preferences+0x4 (010056a4)]
01003717 2bc8??????????? sub???? ecx,eax
01003719 57????????????? push??? edi
0100371a 893d9c570001??? mov???? dword ptr [winmine!cSec (0100579c)],edi
01003720 a330530001????? mov???? dword ptr [winmine!cBombStart (01005330)],eax
01003725 a394510001????? mov???? dword ptr [winmine!cBombLeft (01005194)],eax
0100372a 893da4570001??? mov???? dword ptr [winmine!cBoxVisit (010057a4)],edi
01003730 890da0570001??? mov???? dword ptr [winmine!cBoxVisitMac (010057a0)],ecx
01003736 c7050050000101000000 mov dword ptr [winmine!fStatus (01005000)],1
01003740 e825fdffff????? call??? winmine!UpdateBombCount (0100346a)
01003745 53????????????? push??? ebx
01003746 e805e2ffff????? call??? winmine!AdjustWindow (01001950)
0100374b 5f????????????? pop???? edi
0100374c 5e????????????? pop???? esi
0100374d 5b????????????? pop???? ebx
0100374e c3????????????? ret
更多文章、技術交流、商務合作、聯系博主
微信掃碼或搜索:z360901061
微信掃一掃加我為好友
QQ號聯系: 360901061
您的支持是博主寫作最大的動力,如果您喜歡我的文章,感覺我的文章對您有幫助,請用微信掃描下面二維碼支持博主2元、5元、10元、20元等您想捐的金額吧,狠狠點擊下面給點支持吧,站長非常感激您!手機微信長按不能支付解決辦法:請將微信支付二維碼保存到相冊,切換到微信,然后點擊微信右上角掃一掃功能,選擇支付二維碼完成支付。
【本文對您有幫助就好】元
