装配新手,对某些指令有点困惑

时间:2014-09-29 14:19:29

标签: assembly windbg

所以我练习/慢慢地,但肯定地学习和刷新我的大会。这是一个随机反汇编的内核函数作为示例:

81a1e85f 8b450c          mov     eax,dword ptr [ebp+0Ch] // Moving value stored at memory address contained in the ebp register+0Ch to the eax register.
81a1e862 8b4048          mov     eax,dword ptr [eax+48h] // Moving value stored at memory address contained in the eax register+48h to the eax register.
81a1e865 8945f0          mov     dword ptr [ebp-10h],eax // Moving value stored at memory address contained in the epb-10h register to the eax register?
81a1e868 6a00            push    0 // ?
81a1e86a 8bc7            mov     eax,edi // Move contents of the edi register into eax.
81a1e86c c745fc22010000  mov     dword ptr [ebp-4],122h // ?
81a1e873 e8bf010000      call    nt!PspGetPreviousProcessThread (81a1ea37) // Call the function name nt!PspGetPreviousProcessThread?
81a1e878 8b5d14          mov     ebx,dword ptr [ebp+14h] // Moving value stored at memory address contained in the ebp register+14h to the ebx register.

我对其中的大部分内容都很陌生,所以毫无疑问我对其中某些内容有误,或者对所有内容都不对。任何人都可以让我知道我评论过的最重要的事情是什么?'因为我不熟悉。

此外,括号中的任何内容 - [ebp-4]例如,这被认为是一个解除引用的指针,对吗?

2 个答案:

答案 0 :(得分:5)

// Moving value stored at memory address contained in the ebp register+0Ch to the eax register.
// correct
    mov     eax,dword ptr [ebp+0Ch] 

// Moving value stored at memory address contained in the eax register+48h to the eax register.
// correct
    mov     eax,dword ptr [eax+48h] 

// Moving value stored at memory address contained in the epb-10h register to the eax register?    
// no, moving content of eax register (dword) to location [ebp-10h]
mov     dword ptr [ebp-10h],eax 

// ?
// pushes a 32-bit zero on stack - probably an argument to the call below
    push    0 

// Move contents of the edi register into eax.
// correct
    mov     eax,edi 

// ?
// store the 32-bit value 122h to location [ebp-4]
    mov     dword ptr [ebp-4],122h 

// Call the function name nt!PspGetPreviousProcessThread?
// correct
    call    nt!PspGetPreviousProcessThread (81a1ea37) 

// Moving value stored at memory address contained in the ebp register+14h to the ebx register
// correct
    mov     ebx,dword ptr [ebp+14h]

答案 1 :(得分:4)

  

此外,括号中的任何内容 - [ebp-4]例如,这被考虑   一个解除引用的指针,对吗?

虽然在您提供的示例中也是如此,但请注意,在x86 / x64语法的所有情况下都不是这样。具体来说,加载有效地址(LEA)命令使用方括号,但不执行指针解除引用。例如:

LEA EAX, [EBP+4]

将EBP的值加4,并将添加结果存储在EAX中。

Matt Pietrek从1998年开始写了一篇很棒的文章(!),其中涵盖了很多基础知识:

http://www.microsoft.com/msj/0298/hood0298.aspx

相关问题
最新问题