How to execute the IF block as well, by executing the ELSE block

xiaoxiao, 2021-03-06

From the download area, a program unixc.rar. In its Readme.txt the author says: this program simulates the Save and Resume functions of UNIX, and introduces how to use assembly from VC to perform machine-level operations. The main function is simple. It first declares two external functions; extern "C" indicates the traditional C naming convention. The function save stores the program pointer (the return address) in *s and returns 0, so why is the body of if (save(&spp)) {...}, which should never be executed, shown by the results to be executed? This is the same problem as the if statement (the first sentence) of the processor scheduling function (switch) in UNIX. After the program executes save(&spp) it executes the else branch, with the program pointer saved in spp. resume(&spp) in the else branch is the tricky part: it changes the return address on the stack to the value in spp, so the program pointer is moved back to the condition test. resume returns 1, the condition is met, and the if branch is executed. The save function's stack frame: s at EBP+8, EIP (the return address) at EBP+4, the saved EBP at EBP+0. The resume function's stack frame is the same as save's.

Create a new Win32 project and add unixc.cpp and unix.obj to it. unix.obj is generated by MASM 6.11 with ml /c /coff unix.asm, which produces an OBJ in COFF format rather than OMF format. This article mainly uses the disassembly to show how, by saving the return address, a program that executes its else block is made to execute its if block as well.

--- E:/procedure_Productive/unixc/unixc.cpp ---

1:
2:  #include <stdio.h>
3:  extern "C" int save(long *s);
4:  extern "C" int resume(long *s);
5:  void main()
6:  {
00401030   push ebp                        // save the caller's frame pointer
           ESP = 0012FF80
           EBP = 0012FFC0
           0012FF80  C0 FF 12 ...           // the saved EBP on the stack
00401031   mov ebp, esp                    // the current stack top becomes the frame base
           ESP = 0012FF80
           EBP = 0012FF80
00401033   sub esp, 44h                    // reserve 44h bytes of stack for locals
           ESP = 0012FF3C                  // stack top
           EBP = 0012FF80                  // frame base, from here on
00401036   push ebx                        // save the registers main is going to use
           ESP = 0012FF38
           EBP = 0012FF80
           0012FF39  F0 FD 7F ...           // EBX
           0012FF3C  02 00 00 ...
00401037   push esi
00401038   push edi
           ESP = 0012FF30
           EBP = 0012FF80
           0012FF30  00 00 00 ...           // EDI
           0012FF33  00 00 00 ...           // ESI
           0012FF36  00 00 00 ...
           0012FF39  F0 FD 7F ...
           0012FF3C  02 00 00 ...
00401039   lea edi, [ebp-44h]
           EDI = 0012FF3C
0040103C   mov ecx, 11h                    // counter: 11h dwords * 4 = 44h bytes
00401041   mov eax, 0CCCCCCCCh
00401046   rep stos dword ptr [edi]        // the 44h bytes of locals are initialized to CC (the int 3 opcode)
7:  long spp;
           0012FF7C  CC CC CC ...
           &spp = 0x0012FF7C
8:  printf("Both the code in the means!!!!!\n");
00401048   push offset string "Both the code in the means"... (00422050)
0040104D   call printf (004010C0)
00401052   add esp, 4
9:  if (save(&spp))
00401055   lea eax, [ebp-4]                // load the address of spp into EAX
           EAX = 0x0012FF7C
00401058   push eax                        // pass &spp as the argument
           ESP = 0012FF2C
           EBP = 0012FF80
           0012FF2C  7C FF 12 ...           // EAX (&spp) on the stack
           0012FF2F  00 00 00 ...
           0012FF32  00 00 00 ...
           0012FF35  00 00 00 ...
           0012FF38  00 F0 FD ...
           0012FF3B  7F CC CC ...
           0012FF3E  CC CC CC ...
00401059   call @ILT+5(_main+176080) (0040100A)
           ESP = 0012FF28
           EBP = 0012FF80
           0012FF26  12 00 5E ...           // return address: the instruction to execute when the subroutine returns
           0012FF29  10 40 00 ...
           0012FF2C  7C FF 12 ...
           0012FF2F  00 00 00 ...
           0012FF32  00 00 00 ...
0040105E   add esp, 4                      // pop the argument that was passed to _save
           ESP = 0012FF30
           EBP = 0012FF80
00401061   test eax, eax                   // zero on the first return, because _save set EAX to 0
00401063   je main+44h (00401074)
10: {
11:     printf("Return form the if\n");
00401065   push offset string "Return form the if\n" (00422038)
0040106A   call printf (004010C0)
0040106F   add esp, 4
12:     return;
00401072   jmp main+5Dh (0040108D)
13: }
14: else
15: {
16:     printf("Return form the else\n");
00401074   push offset string "Return form the else\n" (0042201C)
00401079   call printf (004010C0)
0040107E   add esp, 4
17:     resume(&spp);
00401081   lea ecx, [ebp-4]                // load the address of spp into ECX, the argument to the call
           ECX = 0012FF7C
00401084   push ecx                        // push it on the stack
           ESP = 0012FF2C
           EBP = 0012FF80
           0012FF2C  7C FF 12 ...           // address of spp
           0012FF2F  00 00 00 ...
00401085   call @ILT+0(_main+176098) (00401005)
0040108A   add esp, 4
18: }
19: return;
20: }
0040108D   pop edi
0040108E   pop esi
0040108F   pop ebx
00401090   add esp, 44h
00401093   cmp ebp, esp
00401095   call __chkesp (00401140)
0040109A   mov esp, ebp
0040109C   pop ebp
0040109D   ret

Subroutine _save

_save:
           ESP = 0012FF28
           EBP = 0012FF80
           0012FF26  12 00 5E ...           // return address 0040105E: the instruction to execute when _save returns
           0012FF29  10 40 00 ...
           0012FF2C  7C FF 12 ...
           0012FF2F  00 00 00 ...
           0012FF32  00 00 00 ...
0042B000   push ebp
           ESP = 0012FF24
           EBP = 0012FF80
           0012FF24  80 FF 12 ...           // saved EBP
           0012FF27  00 5E 10 ...           // return address 0040105E: the instruction to execute when _save returns
           0012FF2A  40 00 7C ...
           0012FF2D  FF 12 00 ...
           0012FF30  00 00 00 ...
0042B001   mov ebp, esp
           ESP = 0012FF24
           EBP = 0012FF24
0042B003   mov esi, dword ptr [ebp+8]      // first argument: the address of spp
           ESI = 0012FF7C
0042B006   mov eax, dword ptr [ebp+4]      // the return address of _save, i.e. the next instruction in main
           EAX = 0040105E
0042B009   mov dword ptr [esi], eax        // spp = 0040105E: remember the statement executed when _save returns
           0012FF7C  5E 10 40 ...
           0012FF7F  00 C0 FF ...
0042B00B   pop ebp
           ESP = 0012FF28                  // ESP = ESP + 4
           EBP = 0012FF80
           0012FF28  5E 10 40 ...           // return address, the next statement to execute
           0012FF2B  00 7C FF ...
           0012FF2E  12 00 00 ...
           0012FF31  00 00 00 ...
0042B00C   mov eax, 0                      // return value 0
0042B011   ret                             // back to main at 0040105E

Subroutine _resume

_resume:
0042B012   push ebp
0042B013   mov ebp, esp
           ESP = 0012FF24
           EBP = 0012FF24
           0012FF24  80 FF 12 ...           // saved EBP
           0012FF27  00 8A 10 ...           // return address 0040108A: the next statement after the call to resume
           0012FF2A  40 00 7C ...
           0012FF2D  FF 12 00 ...

Note that [EBP+4] holds the return address of this call, 0040108A, the instruction that would normally execute next. We want to change that return address to the first instruction after the call to _save; that address is stored in spp, and the address of spp is at [EBP+8].

0042B015   mov esi, dword ptr [ebp+8]      // ESI = address of spp = 0012FF7C
0042B018   mov eax, dword ptr [esi]        // EAX = spp = 0x0040105E: the first instruction after the call to _save, instead of the one after the call to _resume
0042B01A   mov dword ptr [ebp+4], eax      // overwrite the return address of _resume
           0012FF24  80 FF 12 ...
           0012FF27  00 5E 10 ...           // the return address is changed from 0040108A to 0040105E
           0012FF2A  40 00 7C ...
           0012FF2D  FF 12 00 ...
0042B01D   pop ebp
0042B01E   mov eax, 1                      // return value 1; the ret below jumps to the instruction after the call to _save, so the test sees 1 and both the else and the if are executed
0042B023   ret

In general: the address of the instruction that follows a call (the point to resume at) is saved in a variable, and later the return address the program would normally use is replaced with that saved address, so that control returns to the saved point instead.
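The save/resume pair above is a hand-built version of what C's setjmp/longjmp do portably. The following is an added example, not code from the original post or from unixc.rar: the jmp_buf takes the place of spp, setjmp() takes the place of save() and longjmp() takes the place of resume(), and the function names run_both_branches and branch_trace are assumed for this example so the result can be checked.

```c
#include <setjmp.h>
#include <stdio.h>
#include <string.h>

/* jmp_buf plays the role of the page's `long spp`: it stores the resume point.
 * setjmp() corresponds to save(): it records the point and returns 0 the first
 * time.  longjmp() corresponds to resume(): it rewrites the control flow so
 * that setjmp() appears to return a second time, now with the value 1, which
 * makes the `if` succeed and run the if-block after the else-block has run. */
static jmp_buf resume_point;
static char trace[32];          /* order in which the branches ran (assumed helper) */

/* Returns how many branches ran (2 when the trick works) and fills trace. */
int run_both_branches(void)
{
    volatile int branches = 0;  /* volatile: the value must survive the longjmp */
    trace[0] = '\0';

    /* Unlike the page's assembly save(), setjmp() must be called in the frame
     * that is still live when longjmp() happens, so it is not wrapped in a
     * helper function. */
    if (setjmp(resume_point)) {         /* second "return", value 1 */
        strcat(trace, "if");
        branches++;
        return branches;                /* 2: else ran first, then if */
    } else {                            /* first return, value 0 */
        strcat(trace, "else,");
        branches++;
        longjmp(resume_point, 1);       /* does not return: back to setjmp() */
    }
    return -1;                          /* not reached */
}

const char *branch_trace(void) { return trace; }

int main(void)
{
    int n = run_both_branches();
    printf("%d branches ran, in order: %s\n", n, branch_trace());
    return 0;
}
```

The page's assembly save() can return before resume() jumps back only because it stores nothing but a return address and main's frame is untouched in between; with standard setjmp the recording call must stay in the live frame, and any local modified between the two calls must be volatile.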

Please credit the original source when reprinting: https://www.9cbs.com/read-88318.html
