甲鱼哥帮忙分析一下这个函数

戏++ · 发表于 2013-12-2 11:25:54

马上注册，结交更多好友，享用更多功能^_^

您需要登录才可以下载或查看，没有账号？立即注册

x

Disassembly of public: virtual unsigned int __thiscall PakInterface::FRead (0x101047E0)
; Section: .text
;= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
; EXP: public: virtual unsigned int __thiscall PakInterface::FRead(void *,int,int,struct PFILE *) - ?FRead@PakInterface@@UAEIPAXHHPAUPFILE@@@Z (626)
0x101047E0: 8B442410             MOV       EAX,DWORD PTR [ESP+0x10]
0x101047E4: 8B08                MOV       ECX,DWORD PTR [EAX]
0x101047E6: 85C9                TEST       ECX,ECX
0x101047E8: 8B542408             MOV       EDX,DWORD PTR [ESP+0x8]
0x101047EC: 0F8481000000          JZ       0x10104873    ; (*+0x87)
0x101047F2: 0FAF54240C          IMUL       EDX,DWORD PTR [ESP+0xC]
0x101047F7: 8B4004                MOV       EAX,DWORD PTR [EAX+0x4]
0x101047FA: 53                   PUSH       EBX
0x101047FB: 55                   PUSH       EBP
0x101047FC: 56                   PUSH       ESI
0x101047FD: 8B712C                MOV       ESI,DWORD PTR [ECX+0x2C]
0x10104800: 2BF0                SUB       ESI,EAX
0x10104802: 3BD6                CMP       EDX,ESI
0x10104804: 57                   PUSH       EDI
0x10104805: 8BDA                MOV       EBX,EDX
0x10104807: 7C02                JL       0x1010480B    ; (*+0x4)
0x10104809: 8BDE                MOV       EBX,ESI
0x1010480B: 8B5128                MOV       EDX,DWORD PTR [ECX+0x28]; <==0x10104807(*-0x4)
0x1010480E: 8B09                MOV       ECX,DWORD PTR [ECX]
0x10104810: 8B4908                MOV       ECX,DWORD PTR [ECX+0x8]
0x10104813: 8B2D0C851A10          MOV       EBP,DWORD PTR [0x101A850C]; .data:    ; .text:0xB8 0x0C 0x6E 0x13
0x10104819: 03CA                ADD       ECX,EDX
0x1010481B: 03C8                ADD       ECX,EAX
0x1010481D: 03C2                ADD       EAX,EDX
0x1010481F: 99                   CDQ
0x10104820: F7FD                IDIV       EBP
0x10104822: 85DB                TEST       EBX,EBX
0x10104824: 8B742414             MOV       ESI,DWORD PTR [ESP+0x14]
0x10104828: 8BFA                MOV       EDI,EDX
0x1010482A: 7E32                JLE       0x1010485E    ; (*+0x34)
0x1010482C: 895C241C             MOV       DWORD PTR [ESP+0x1C],EBX
0x10104830: 8BC7                MOV       EAX,EDI       ; <==0x1010485C(*+0x2C)
0x10104832: 99                   CDQ
0x10104833: F7FD                IDIV       EBP
0x10104835: 833D10851A1010       CMP       DWORD PTR [0x101A8510],0x10; .data: ; .text:0xB8 0x0C 0x6E 0x13
0x1010483C: A1FC841A10          MOV       EAX,DWORD PTR [0x101A84FC]; .data: 0x1011A4E0    ; .text:0xB8 0x0C 0x6E 0x13
0x10104841: 7305                JAE       0x10104848    ; (*+0x7)
0x10104843: B8FC841A10          MOV       EAX,0x101A84FC ; .data: 0x1011A4E0    ; .text:0xB8 0x0C 0x6E 0x13
0x10104848: 8A1410                MOV       DL,BYTE PTR [EAX+EDX]; <==0x10104841(*-0x7)
0x1010484B: 3211                XOR       DL,BYTE PTR [ECX]
0x1010484D: 8B44241C             MOV       EAX,DWORD PTR [ESP+0x1C]
0x10104851: 46                   INC       ESI
0x10104852: 8856FF                MOV       BYTE PTR [ESI-0x1],DL
0x10104855: 47                   INC       EDI
0x10104856: 41                   INC       ECX
0x10104857: 48                   DEC       EAX
0x10104858: 8944241C             MOV       DWORD PTR [ESP+0x1C],EAX
0x1010485C: 75D2                JNZ       0x10104830    ; (*-0x2C)
0x1010485E: 8B442420             MOV       EAX,DWORD PTR [ESP+0x20]; <==0x1010482A(*-0x34)
0x10104862: 015804                ADD       DWORD PTR [EAX+0x4],EBX
0x10104865: 5F                   POP       EDI
0x10104866: 8BC3                MOV       EAX,EBX
0x10104868: 5E                   POP       ESI
0x10104869: 99                   CDQ
0x1010486A: F77C2410             IDIV       DWORD PTR [ESP+0x10]
0x1010486E: 5D                   POP       EBP
0x1010486F: 5B                   POP       EBX
0x10104870: C21000                RET       0x10
;
0x10104873: 8B4008                MOV       EAX,DWORD PTR [EAX+0x8]; <==0x101047EC(*-0x87)
0x10104876: 8B4C240C             MOV       ECX,DWORD PTR [ESP+0xC]
0x1010487A: 50                   PUSH       EAX
0x1010487B: 8B442408             MOV       EAX,DWORD PTR [ESP+0x8]
0x1010487F: 51                   PUSH       ECX
0x10104880: 52                   PUSH       EDX
0x10104881: 50                   PUSH       EAX
0x10104882: FF1538C21110          CALL       DWORD PTR [MSVCR71.DLL!fread]; (0x1011C238)
0x10104888: 83C410                ADD       ESP,0x10
0x1010488B: C21000                RET       0x10
0x1010488E: CC                   INT
0x1010488F: CC                   INT

这是个静态反汇编出来的函数
看得懂的朋友能不能说说这个函数的算法
给小弟指点迷津

戏++ · 发表于 2013-12-9 15:29:35

int nid=0;
int f_read(char* thePtr, int theElemSize, int theCount,FILE* fp)
{
        int nread = fread(thePtr, theElemSize, theCount, fp);
        const char *pKey = "#$#SDFSF$%$%QAqw";
        int nLen=strlen(pKey);
        int nsize = theElemSize*theCount;
        
        for (int i=0;i<nsize;i++)
        {
                thePtr[i] = thePtr[i] ^ pKey[nid];
                nid++;
                if (nid==nLen)
                {
                        nid=0;
                }
        }

        return nread;        

}

大致被我折腾出来了，用了od这里整整，那里看看
谢谢甲鱼哥的视频
小弟弟先谢了

~逆天~ · 发表于 2013-12-9 16:55:55

求教下，哥们，你咋看懂的，我咋看的眼晕！看懂这个都要学会啥:sweat:

戏++ · 发表于 2013-12-9 22:22:44

~逆天~ 发表于 2013-12-9 16:55

登录/注册后可看大图

求教下，哥们，你咋看懂的，我咋看的眼晕！看懂这个都要学会啥

用OD调试的啊，看看甲鱼哥的视频就行了啊，主要是甲鱼哥讲得确实不错，功德无量

~逆天~ · 发表于 2013-12-10 09:58:00

我是说：你怎么能看着反汇编分析出的C语言，这需要什么功力啊？

戏++ · 发表于 2013-12-10 11:17:33

用od调试运行的，哈哈，看寄存器，内存,cpu

~逆天~ · 发表于 2013-12-10 13:58:19

小甲鱼哪个课程，第几章讲的这个？

戏++ · 发表于 2013-12-10 14:31:10

汇编语言,从头开始耐心听吧,还有od使用也有相关的视频的

正在写代码 · 发表于 2013-12-10 14:35:54

帮你顶个贴

htchina123 · 发表于 2013-12-10 15:10:02

确实讲得不错，目前仍在观看中，没什么结果，但仍在努力中

账号		自动登录	找回密码
密码			立即注册