[英]Reverse Engineering a recursive function
I have as a homework to reverse a function 我有作为扭转功能的功课
The assembler output is this: 汇编程序输出如下:
0x00000000004010c4 <+0>: sub $0x18,%rsp
0x00000000004010c8 <+4>: lea 0xc(%rsp),%rcx
0x00000000004010cd <+9>: lea 0x8(%rsp),%rdx
0x00000000004010d2 <+14>: mov $0x402995,%esi
0x00000000004010d7 <+19>: mov $0x0,%eax
0x00000000004010dc <+24>: callq 0x400cb0 <__isoc99_sscanf@plt>
0x00000000004010e1 <+29>: cmp $0x2,%eax
0x00000000004010e4 <+32>: jne 0x4010ed <phase_4+41>
0x00000000004010e6 <+34>: cmpl $0xe,0x8(%rsp)
0x00000000004010eb <+39>: jbe 0x4010f2 <phase_4+46>
0x00000000004010ed <+41>: callq 0x401671 <explode_bomb>
0x00000000004010f2 <+46>: mov $0xe,%edx
0x00000000004010f7 <+51>: mov $0x0,%esi
0x00000000004010fc <+56>: mov 0x8(%rsp),%edi
0x0000000000401100 <+60>: callq 0x401086 <func4>
0x0000000000401105 <+65>: cmp $0x3,%eax
0x0000000000401108 <+68>: jne 0x401111 <phase_4+77>
0x000000000040110a <+70>: cmpl $0x3,0xc(%rsp)
0x000000000040110f <+75>: je 0x401116 <phase_4+82>
0x0000000000401111 <+77>: callq 0x401671 <explode_bomb>
0x0000000000401116 <+82>: add $0x18,%rsp
0x000000000040111a <+86>: retq
My solution to this function looks like this: I think func4 should return 3 我对此函数的解决方案如下所示:我认为func4应该返回3
int phase4(const char* read ) {
int var1, var2;
if ((sscanf(read, "%d %d", &var1, &var2) != 2) || (var1 < 0xe))
explode_bomb();
if (func4(var1, 0, 0xe /*14*/) != 3)
explode_bomb();
if (var2 != 3)
explode_bomb();
return 3;
}
func4 looks like this: func4看起来像这样:
0x0000000000401086 <+0>: sub $0x8,%rsp
0x000000000040108a <+4>: mov %edx,%eax
0x000000000040108c <+6>: sub %esi,%eax
0x000000000040108e <+8>: mov %eax,%ecx
0x0000000000401090 <+10>: shr $0x1f,%ecx
0x0000000000401093 <+13>: add %ecx,%eax
0x0000000000401095 <+15>: sar %eax
0x0000000000401097 <+17>: lea (%rax,%rsi,1),%ecx
0x000000000040109a <+20>: cmp %edi,%ecx
0x000000000040109c <+22>: jle 0x4010aa <func4+36>
0x000000000040109e <+24>: lea -0x1(%rcx),%edx
0x00000000004010a1 <+27>: callq 0x401086 <func4>
0x00000000004010a6 <+32>: add %eax,%eax
0x00000000004010a8 <+34>: jmp 0x4010bf <func4+57>
0x00000000004010aa <+36>: mov $0x0,%eax
0x00000000004010af <+41>: cmp %edi,%ecx
0x00000000004010b1 <+43>: jge 0x4010bf <func4+57>
0x00000000004010b3 <+45>: lea 0x1(%rcx),%esi
0x00000000004010b6 <+48>: callq 0x401086 <func4>
0x00000000004010bb <+53>: lea 0x1(%rax,%rax,1),%eax
0x00000000004010bf <+57>: add $0x8,%rsp
0x00000000004010c3 <+61>: retq
My c code looks like this: 我的c代码看起来像这样:
int func4(unsigned rsi, unsigned rdi, unsigned rdx) {
unsigned rax = rdx;
rax -= rsi;
unsigned rcx = rax;
rcx >>= (unsigned)0x1f;
rax += rcx;
rax >>= (signed)1;
rcx = rax + rsi;
if (rcx <= rdi) {
rax = 0;
if (rcx >= rdi)
return rax;
else {
rax = func4(rdi, rsi + 1, rdx);
rax = rax + rax + 1;
}
} else {
rdx = rcx - 1;
rax = func4(rdi, rsi, rdx);
rax = rax + rax;
}
return rax;
}
But when I try the values from -512 to 512 I never get 3 as a result; 但是当我尝试从-512到512的值时,我从来没有得到3; what am I doing wrong?
我究竟做错了什么?
EDIT: 编辑:
I found the solution it looks like this: 我发现它看起来像这样的解决方案:
int func4(int32_t di, int32_t si, int32_t dx) {
int32_t ax = dx;
ax = ax - si;
int32_t cx = ax;
cx = (uint32_t)cx >> (uint32_t)0x1f;
ax = ax + cx;
ax = (int32_t)ax >> (int32_t)1;
cx = ax + si;
if (cx <= di)
goto first;
dx = cx - 1;
ax = func4(di, si, dx);
ax = ax + ax;
goto fin;
first:
ax = 0;
if (cx >= di)
goto fin;
si = cx + 1;
ax = func4(di, si, dx);
ax = ax + ax + 1;
fin:
return ax;
}
From a quick glance the problem might be here: 从快速浏览一下,问题可能在这里:
rax >>= (signed)1; // sar %eax
This is equivalent to: 这相当于:
rax = rax >> (signed)1;
Which does an unsigned shift (because the signedness of the shift operator is determined by the first operand, not the second). 这是无符号移位(因为移位运算符的符号由第一个操作数确定,而不是第二个操作数)。 So instead you should write:
所以相反你应该写:
rax = (unsigned)((signed)rax >> 1);
EDIT: similarly, you translated jle
and jge
incorrectly. 编辑:同样,你错误地翻译了
jle
和jge
。 These instructions do a signed comparison, whereas your corresponding C code does an unsigned comparison. 这些指令执行签名比较,而相应的C代码执行无符号比较。 Fix that too:
修复它:
if ((signed)rcx <= (signed)rdi) {
rax = 0;
if ((signed)rcx >= (signed)rdi)
...
How to generate C from assembly: 如何从汇编生成C:
Write out the assembly. 写下装配。 Then declare C variables with the same names as the registers, and go through the assembly replacing every arithmetical or logical assembly instruction with a C instruction, and every branch with if goto constructs.
然后使用与寄存器相同的名称声明C变量,并使用C指令替换每个算术或逻辑汇编指令的程序集,并使用if goto构造替换每个分支。 If you have calls you have to know the calling convention, of course.
如果你有电话,你当然必须知道电话会议。
Once the C is functional, gradually make it more human-like, at each point testing its behaviour against the assembly (if you have it), or the assembly-like C (if you can't assemble the assembly). 一旦C起作用,逐渐使它更像人类,在每个点测试它对组件的行为(如果你有),或类似组件的C(如果你不能组装组件)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.