Hex-Rays 将值映射到了错误的变量

逆向工程 IDA Hex-Rays
2021-06-23 20:18:22

汇编代码中有多个不同的变量先后使用 rax 寄存器。反编译器至少在某种程度上认识到了这一点,因为它确实创建了两个对应 rax 的变量;然而,它并没有正确地划分每个变量的使用范围。下面是汇编和反编译结果,以及关于怎样的反编译才更准确的一些注释。

.text:000000014052DDA0 String__moveTextBackwards proc near     ; rcx=this, rdx=a2 (start index), r8d=count (Hex-Rays: numBytes)
.text:000000014052DDA0                                         ; CODE XREF: sub_14003E380+86↑p
.text:000000014052DDA0                                         ; sub_1403CC850+19D2↑p ...
.text:000000014052DDA0                 mov     rax, [rcx+18h]  ; rax = this->stringLength  (first rax live range)
.text:000000014052DDA4                 movsxd  r10, r8d        ; r10 = (int64)count, sign-extended from the 32-bit argument
.text:000000014052DDA7                 mov     r9, rcx         ; r9 = this; rcx is reused as a scratch pointer in the loop
.text:000000014052DDAA                 lea     r8, [r10+rdx]   ; r8 = a2 + count = first index of the tail that has to move down
.text:000000014052DDAE                 cmp     r8, rax         ; compare tail start with stringLength
.text:000000014052DDB1                 jnz     short loc_14052DDBA
.text:000000014052DDB3                 mov     rax, [rcx]      ; rax = vtable
.text:000000014052DDB6                 jmp     qword ptr [rax+20h] ; tail starts exactly at stringLength: tail-call vtable slot +20h with rcx=this, rdx=a2, r8=a2+count, r9=this
.text:000000014052DDBA ; ---------------------------------------------------------------------------
.text:000000014052DDBA
.text:000000014052DDBA loc_14052DDBA:                          ; CODE XREF: String__moveTextBackwards+11↑j
.text:000000014052DDBA                 ja      short loc_14052DDDF ; unsigned: tail start > stringLength -> skip the copy, but the length is still adjusted below
.text:000000014052DDBC                 mov     rdx, r10
.text:000000014052DDBF                 neg     rdx             ; rdx = -count, element offset of the destination
.text:000000014052DDC2
.text:000000014052DDC2 loc_14052DDC2:                          ; CODE XREF: String__moveTextBackwards+3D↓j
.text:000000014052DDC2                 mov     rax, [r9+8]     ; rax = this->pString, re-read every iteration  (second rax live range)
.text:000000014052DDC6                 inc     r8
.text:000000014052DDC9                 lea     rcx, [rax+rdx*2]    ; rcx = pString - count; the *2 scale shows count is in 2-byte (wchar_t) elements, not bytes
.text:000000014052DDCD                 movzx   eax, word ptr [rax+r8*2-2] ; ax = pString[r8-1]  (this read ends the pointer live range of rax)
.text:000000014052DDD3                 mov     [rcx+r8*2-2], ax ; pString[r8-1-count] = ax  -- move one element down by count positions
.text:000000014052DDD9                 cmp     r8, [r9+18h]
.text:000000014052DDDD                 jbe     short loc_14052DDC2 ; while (r8 <= this->stringLength): inclusive, index stringLength itself is moved too
.text:000000014052DDDF
.text:000000014052DDDF loc_14052DDDF:                          ; CODE XREF: String__moveTextBackwards:loc_14052DDBA↑j
.text:000000014052DDDF                 sub     [r9+18h], r10   ; this->stringLength -= count; nothing checks count <= stringLength, so an over-long range leaves the length inconsistent with the buffer
.text:000000014052DDE3                 retn                    ; rax holds the last moved character (loop path) or the old length (skip path); neither is a pointer
.text:000000014052DDE3 String__moveTextBackwards endp

这被反编译为

// Hex-Rays output for String__moveTextBackwards (the signature is not in the
// paste; from the asm the arguments are rcx=this, rdx=a2, r8d=numBytes).
// Effect: copies pString[a2+numBytes .. stringLength] down by numBytes
// positions, then subtracts numBytes from stringLength -- i.e. it deletes
// numBytes elements at index a2. Despite the name, numBytes is an element
// count, not a byte count: the asm scales it by 2 (lea rcx,[rax+rdx*2]) and
// the pointer arithmetic below is on wchar_t*.
{
  wchar_t *stringLength; // rax -- first rax live range: this->stringLength
  __int64 numBytesCopy; // r10 -- numBytes sign-extended from 32 bits (movsxd)
  String *thisCopy; // r9
  unsigned __int64 v6; // r8 -- a2 + numBytes, then the running copy index
  wchar_t *pText; // rax -- second rax live range: this->pString
  wchar_t *pMovedText; // rcx -- pString - numBytes, the destination of each move

  stringLength = (wchar_t *)this->stringLength; // This should really be an __int64, but since the compiler assumed this was the same variable that gets returned, it is forced to a wchar_t*
  numBytesCopy = numBytes;
  thisCopy = this;
  v6 = numBytes + a2; // first index of the tail that has to move down (end of the removed range)
  if ( (wchar_t *)v6 == stringLength ) // the removed range ends exactly at the end of the string:
    return (wchar_t *)((__int64 (__fastcall *)(String *, __int64, unsigned __int64, String *))this->vftbl_0_0000000140B4F448->sub_14052DB70)( // tail-call of vtable slot +0x20 (asm: jmp [rax+20h]); r8/r9 were already overwritten, so the callee sees v6 and this, not the caller's r8/r9
                        this,
                        a2,
                        v6,
                        this);
  if ( v6 <= (unsigned __int64)stringLength ) // unsigned compare (asm: ja); if the range runs past the string the copy is skipped entirely ...
  {
    do
    {
      pText = thisCopy->pString; // re-read every iteration (asm: mov rax,[r9+8])
      ++v6;
      pMovedText = &pText[-numBytesCopy]; // wchar_t* arithmetic: numBytes counts elements
      stringLength = (wchar_t *)pText[v6 - 1];  // From here until the end, the instances where stringLength is used would better be described as pText. But since both pText and stringLength use rax, it decided to use the wrong one here.
      pMovedText[v6 - 1] = (unsigned __int16)stringLength; // pText[v6 - 1 - numBytes] = pText[v6 - 1]
    }
    while ( v6 <= thisCopy->stringLength ); // inclusive: the element at index stringLength is moved too
  }
  thisCopy->stringLength -= numBytesCopy; // ... but the length is still decremented here; nothing checks numBytes <= stringLength, so an over-long range leaves the length inconsistent with the buffer
  return stringLength; // whatever is left in rax: the last moved character (loop path) or the old length (skip path). NOTE(review): no exit computes a pointer, so the wchar_t* return type is presumably an artifact; retyping the prototype as void might also stop Hex-Rays from tying the two rax ranges together -- unverified
}

在 Hex-Rays 选错变量的情况下,有没有办法手动指定它应当使用哪个变量?它在这个字符串类的其他部分也犯了类似的错误。

1个回答

目前没有。有一个名为“Force new variable”的命令,可以让您为函数中不同位置上的同一个栈槽创建不同的变量,但它不适用于寄存器变量。