如何区分指令跟踪中的函数边界、入口点和指令

逆向工程 反汇编 二进制分析 函数
2021-06-12 00:39:57

我有一个从二进制分析平台收集的指令跟踪,我已经将其转换为汇编指令。我想提取文件中的所有函数和函数调用,但与 IDA pro 反汇编不同,它不包含有关函数开始和结束的任何提示。
所以我的问题是:如何区分每个函数的边界、入口点及其包含的指令。下面是输出的一小段(AT&T 语法;每行后面的 I@/M@/R@/J@/A@ 字段分别是该指令访问的立即数、内存、寄存器、跳转/调用的相对位移和 lea 的有效地址,方括号里是值和访问宽度,(R)/(W)/(RW) 是访问类型)。注意从本例来看,标记为 (W) 的条目方括号里给出的是写入前的旧值而不是写入的新值——例如 7c9102fe 处的 call 在 0x0022f748 写入的返回地址实际是 0x7c910303(随后 7c90e8f0 的 pop 读到的就是它),而不是注释里显示的 0x7c9102c5;按值配对 call/ret 时要考虑这一点。

7c90e4f2:   sysenter 
7c9102d6:   cmpw   $0x5a4d,(%ecx)   I@0x00000000[0x00005a4d][2](R)  T0  M@0x7c800000[0x00005a4d][2](R)  T0
7c9102db:   jne    0x000000007c9102fa   J@0x00000000[0x0000001f][4](R)  T0
7c9102dd:   mov    0x3c(%ecx),%edx  M@0x7c80003c[0x000000f0][4](R)  T0  R@edx[0x7c90e4f4][4](W) T0
7c9102e0:   cmp    $0x10000000,%edx I@0x00000000[0x10000000][4](R)  T0  R@edx[0x000000f0][4](R) T0
7c9102e6:   jae    0x000000007c9102fa   J@0x00000000[0x00000014][4](R)  T0
7c9102e8:   lea    (%edx,%ecx,1),%eax   A@0x7c8000f0[0x00000000][4](R)  T0  R@eax[0x00000000][4](W) T0
7c9102eb:   mov    %eax,-0x1c(%ebp) R@eax[0x7c8000f0][4](R) T0  M@0x0022f758[0x00000010][4](W)  T0
7c9102ee:   cmpl   $0x4550,(%eax)   I@0x00000000[0x00004550][4](R)  T0  M@0x7c8000f0[0x00004550][4](R)  T0
7c9102f4:   jne    0x000000007c928c80   J@0x00000000[0x0001898c][4](R)  T0
7c9102fa:   orl    $0xffffffff,-0x4(%ebp)   I@0x00000000[0xffffffff][1](R)  T0  M@0x0022f770[0x00000000][4](RW) T0
7c9102fe:   call   0x000000007c90e8e6   J@0x00000000[0xffffe5e8][4](R)  T0  M@0x0022f748[0x7c9102c5][4](W)  T0
7c90e8e6:   mov    -0x10(%ebp),%ecx M@0x0022f764[0x0022f834][4](R)  T0  R@ecx[0x7c800000][4](W) T0
7c90e8e9:   mov    %ecx,%fs:0x0 R@ecx[0x0022f834][4](R) T0  M@0x7ffdf000[0x0022f764][4](W)  T0
7c90e8f0:   pop    %ecx M@0x0022f748[0x7c910303][4](R)  T0  R@ecx[0x0022f834][4](W) T0
7c90e8f1:   pop    %edi M@0x0022f74c[0x00000000][4](R)  T0  R@edi[0x00000000][4](W) T0
7c90e8f2:   pop    %esi M@0x0022f750[0x00000000][4](R)  T0  R@esi[0x00000000][4](W) T0
7c90e8f3:   pop    %ebx M@0x0022f754[0x00000000][4](R)  T0  R@ebx[0x00000000][4](W) T0
7c90e8f4:   leave   M@0x0022f774[0x0022f844][4](R)  T0  R@esp[0x0022f758][4](RW)    T0  R@ebp[0x0022f774][4](RW)    T0
7c90e8f5:   push   %ecx R@ecx[0x7c910303][4](R) T0  M@0x0022f774[0x0022f844][4](W)  T0
7c90e8f6:   ret     M@0x0022f774[0x7c910303][4](R)  T0
7c910303:   ret    $0x4 I@0x00000000[0x00000004][2](R)  T0  M@0x0022f778[0x7c91bd1b][4](R)  T0
7c91bd1b:   mov    %eax,-0x60(%ebp) R@eax[0x7c8000f0][4](R) T0  M@0x0022f7e4[0x7c910440][4](W)  T0
7c91bd1e:   cmp    %ebx,%eax    R@ebx[0x00000000][4](R) T0  R@eax[0x7c8000f0][4](R) T0
7c91bd20:   je     0x000000007c9407f4   J@0x00000000[0x00024ad4][4](R)  T0
7c91bd26:   lea    -0x34(%ebp),%eax A@0x0022f810[0x00000000][4](R)  T0  R@eax[0x7c8000f0][4](W) T0
7c91bd29:   push   %eax R@eax[0x0022f810][4](R) T0  M@0x0022f77c[0x7c800000][4](W)  T0
7c91bd2a:   push   $0xe I@0x00000000[0x0000000e][1](R)  T0  M@0x0022f778[0x7c91bd1b][4](W)  T0
7c91bd2c:   push   $0x1 I@0x00000000[0x00000001][1](R)  T0  M@0x0022f774[0x7c910303][4](W)  T0
7c91bd2e:   pushl  -0x1c(%ebp)  M@0x0022f828[0x7c800000][4](R)  T0  M@0x0022f770[0xffffffff][4](W)  T0
7c91bd31:   call   0x000000007c910326   J@0x00000000[0xffff45f5][4](R)  T0  M@0x0022f76c[0x7c910308][4](W)  T0
7c910326:   mov    %edi,%edi    R@edi[0x00000000][4](R) T0  R@edi[0x00000000][4](W) T0
7c910328:   push   %ebp R@ebp[0x0022f844][4](R) T0  M@0x0022f768[0x7c90e900][4](W)  T0
7c910329:   mov    %esp,%ebp    R@esp[0x0022f768][4](R) T0  R@ebp[0x0022f844][4](W) T0
7c91032b:   push   %ebx R@ebx[0x00000000][4](R) T0  M@0x0022f764[0x0022f834][4](W)  T0
7c91032c:   mov    0x8(%ebp),%ebx   M@0x0022f770[0x7c800000][4](R)  T0  R@ebx[0x00000000][4](W) T0
7c91032f:   test   $0x1,%bl I@0x00000000[0x00000001][1](R)  T0  R@bl[0x00000000][1](R)  T0
7c910332:   jne    0x000000007c9128f9   J@0x00000000[0x000025c7][4](R)  T0
7c910338:   push   %ebx R@ebx[0x7c800000][4](R) T0  M@0x0022f760[0x0022f828][4](W)  T0
7c910339:   call   0x000000007c9102b9   J@0x00000000[0xffffff80][4](R)  T0  M@0x0022f75c[0x0022f74c][4](W)  T0
7c9102b9:   push   $0xc I@0x00000000[0x0000000c][1](R)  T0  M@0x0022f758[0x7c8000f0][4](W)  T0
7c9102bb:   push   $0x7c910308  I@0x00000000[0x7c910308][4](R)  T0  M@0x0022f754[0x00000000][4](W)  T0
7c9102c0:   call   0x000000007c90e8ab   J@0x00000000[0xffffe5eb][4](R)  T0  M@0x0022f750[0x00000000][4](W)  T0
7c90e8ab:   push   $0x7c90e900  I@0x00000000[0x7c90e900][4](R)  T0  M@0x0022f74c[0x00000000][4](W)  T0
7c90e8b0:   mov    %fs:0x0,%eax M@0x7ffdf000[0x0022f834][4](R)  T0  R@eax[0x0022f810][4](W) T0
7c90e8b6:   push   %eax R@eax[0x0022f834][4](R) T0  M@0x0022f748[0x7c910303][4](W)  T0
7c90e8b7:   mov    0x10(%esp),%eax  M@0x0022f758[0x0000000c][4](R)  T0  R@eax[0x0022f834][4](W) T0
7c90e8bb:   mov    %ebp,0x10(%esp)  R@ebp[0x0022f768][4](R) T0  M@0x0022f758[0x0000000c][4](W)  T0
7c90e8bf:   lea    0x10(%esp),%ebp  A@0x0022f758[0x00000000][4](R)  T0  R@ebp[0x0022f768][4](W) T0
7c90e8c3:   sub    %eax,%esp    R@eax[0x0000000c][4](R) T0  R@esp[0x0022f748][4](RW)    T0
7c90e8c5:   push   %ebx R@ebx[0x7c800000][4](R) T0  M@0x0022f738[0x00000040][4](W)  T0
7c90e8c6:   push   %esi R@esi[0x00000000][4](R) T0  M@0x0022f734[0x0022f754][4](W)  T0
7c90e8c7:   push   %edi R@edi[0x00000000][4](R) T0  M@0x0022f730[0x00000008][4](W)  T0
7c90e8c8:   mov    -0x8(%ebp),%eax  M@0x0022f750[0x7c9102c5][4](R)  T0  R@eax[0x0000000c][4](W) T0
7c90e8cb:   mov    %esp,-0x18(%ebp) R@esp[0x0022f730][4](R) T0  M@0x0022f740[0x00000000][4](W)  T0
7c90e8ce:   push   %eax R@eax[0x7c9102c5][4](R) T0  M@0x0022f72c[0x00000018][4](W)  T0
7c90e8cf:   mov    -0x4(%ebp),%eax  M@0x0022f754[0x7c910308][4](R)  T0  R@eax[0x7c9102c5][4](W) T0
7c90e8d2:   movl   $0xffffffff,-0x4(%ebp)   I@0x00000000[0xffffffff][4](R)  T0  M@0x0022f754[0x7c910308][4](W)  T0
7c90e8d9:   mov    %eax,-0x8(%ebp)  R@eax[0x7c910308][4](R) T0  M@0x0022f750[0x7c9102c5][4](W)  T0
7c90e8dc:   lea    -0x10(%ebp),%eax A@0x0022f748[0x00000000][4](R)  T0  R@eax[0x7c910308][4](W) T0
7c90e8df:   mov    %eax,%fs:0x0 R@eax[0x0022f748][4](R) T0  M@0x7ffdf000[0x0022f834][4](W)  T0
7c90e8e5:   ret     M@0x0022f72c[0x7c9102c5][4](R)  T0
7c9102c5:   xor    %eax,%eax    R@eax[0x0022f748][4](R) T0  R@eax[0x0022f748][4](RW)    T0
7c9102c7:   mov    0x8(%ebp),%ecx   M@0x0022f760[0x7c800000][4](R)  T0  R@ecx[0x7c910303][4](W) T0
7c9102ca:   test   %ecx,%ecx    R@ecx[0x7c800000][4](R) T0  R@ecx[0x7c800000][4](R) T0
7c9102cc:   je     0x000000007c9102fe   J@0x00000000[0x00000032][4](R)  T0
7c9102ce:   cmp    $0xffffffff,%ecx I@0x00000000[0xffffffff][1](R)  T0  R@ecx[0x7c800000][4](R) T0
7c9102d1:   je     0x000000007c9102fe   J@0x00000000[0x0000002d][4](R)  T0
7c9102d3:   and    %eax,-0x4(%ebp)  R@eax[0x00000000][4](R) T0  M@0x0022f754[0xffffffff][4](RW) T0
7c9102d6:   cmpw   $0x5a4d,(%ecx)   I@0x00000000[0x00005a4d][2](R)  T0  M@0x7c800000[0x00005a4d][2](R)  T0
7c9102db:   jne    0x000000007c9102fa   J@0x00000000[0x0000001f][4](R)  T0
7c9102dd:   mov    0x3c(%ecx),%edx  M@0x7c80003c[0x000000f0][4](R)  T0  R@edx[0x000000f0][4](W) T0
7c9102e0:   cmp    $0x10000000,%edx I@0x00000000[0x10000000][4](R)  T0  R@edx[0x000000f0][4](R) T0
7c9102e6:   jae    0x000000007c9102fa   J@0x00000000[0x00000014][4](R)  T0
7c9102e8:   lea    (%edx,%ecx,1),%eax   A@0x7c8000f0[0x00000000][4](R)  T0  R@eax[0x00000000][4](W) T0
7c9102eb:   mov    %eax,-0x1c(%ebp) R@eax[0x7c8000f0][4](R) T0  M@0x0022f73c[0x00000000][4](W)  T0
7c9102ee:   cmpl   $0x4550,(%eax)   I@0x00000000[0x00004550][4](R)  T0  M@0x7c8000f0[0x00004550][4](R)  T0
7c9102f4:   jne    0x000000007c928c80   J@0x00000000[0x0001898c][4](R)  T0
7c9102fa:   orl    $0xffffffff,-0x4(%ebp)   I@0x00000000[0xffffffff][1](R)  T0  M@0x0022f754[0x00000000][4](RW) T0
7c9102fe:   call   0x000000007c90e8e6   J@0x00000000[0xffffe5e8][4](R)  T0  M@0x0022f72c[0x7c9102c5][4](W)  T0
7c90e8e6:   mov    -0x10(%ebp),%ecx M@0x0022f748[0x0022f834][4](R)  T0  R@ecx[0x7c800000][4](W) T0
7c90e8e9:   mov    %ecx,%fs:0x0 R@ecx[0x0022f834][4](R) T0  M@0x7ffdf000[0x0022f748][4](W)  T0
7c90e8f0:   pop    %ecx M@0x0022f72c[0x7c910303][4](R)  T0  R@ecx[0x0022f834][4](W) T0
7c90e8f1:   pop    %edi M@0x0022f730[0x00000000][4](R)  T0  R@edi[0x00000000][4](W) T0
7c90e8f2:   pop    %esi M@0x0022f734[0x00000000][4](R)  T0  R@esi[0x00000000][4](W) T0
7c90e8f3:   pop    %ebx M@0x0022f738[0x7c800000][4](R)  T0  R@ebx[0x7c800000][4](W) T0
7c90e8f4:   leave   M@0x0022f758[0x0022f768][4](R)  T0  R@esp[0x0022f73c][4](RW)    T0  R@ebp[0x0022f758][4](RW)    T0
7c90e8f5:   push   %ecx R@ecx[0x7c910303][4](R) T0  M@0x0022f758[0x0022f768][4](W)  T0
7c90e8f6:   ret     M@0x0022f758[0x7c910303][4](R)  T0
7c910303:   ret    $0x4 I@0x00000000[0x00000004][2](R)  T0  M@0x0022f75c[0x7c91033e][4](R)  T0
7c91033e:   test   %eax,%eax    R@eax[0x7c8000f0][4](R) T0  R@eax[0x7c8000f0][4](R) T0
7c910340:   je     0x000000007c912905   J@0x00000000[0x000025c5][4](R)  T0
7c910346:   mov    0x18(%eax),%cx   M@0x7c800108[0x0000010b][2](R)  T0  R@cx[0x00000303][2](W)  T0
7c91034a:   cmp    $0x10b,%cx   I@0x00000000[0x0000010b][2](R)  T0  R@cx[0x0000010b][2](R)  T0
7c91034f:   jne    0x000000007c947db0   J@0x00000000[0x00037a61][4](R)  T0
7c910355:   push   %eax R@eax[0x7c8000f0][4](R) T0  M@0x0022f760[0x7c800000][4](W)  T0
7c910356:   pushl  0x14(%ebp)   M@0x0022f77c[0x0022f810][4](R)  T0  M@0x0022f75c[0x7c91033e][4](W)  T0
7c910359:   pushl  0x10(%ebp)   M@0x0022f778[0x0000000e][4](R)  T0  M@0x0022f758[0x7c910303][4](W)  T0
7c91035c:   pushl  0xc(%ebp)    M@0x0022f774[0x00000001][4](R)  T0  M@0x0022f754[0xffffffff][4](W)  T0
7c91035f:   push   %ebx R@ebx[0x7c800000][4](R) T0  M@0x0022f750[0x7c910308][4](W)  T0
7c910360:   call   0x000000007c91036f   J@0x00000000[0x0000000f][4](R)  T0  M@0x0022f74c[0x7c90e900][4](W)  T0
7c91036f:   mov    %edi,%edi    R@edi[0x00000000][4](R) T0  R@edi[0x00000000][4](W) T0
7c910371:   push   %ebp R@ebp[0x0022f768][4](R) T0  M@0x0022f748[0x0022f834][4](W)  T0
7c910372:   mov    %esp,%ebp    R@esp[0x0022f748][4](R) T0  R@ebp[0x0022f768][4](W) T0

您可以在此处查看完整文件:http://s000.tinyupload.com/index.php?file_id=03672391815896872254(第三方临时文件托管,链接可能已失效)

1个回答

每条 call 指令的目标地址(也就是跟踪中紧接在 call 之后执行的那条指令的地址)就是一个函数的开头,即该函数的入口点。但要注意,这样只能找到通过 call 进入的函数:以 jmp 尾调用进入的函数,以及在跟踪开始时就已经处于执行中的代码(例如本例第二行从 7c9102d6 开始的那段,前面没有任何 call),不会以这种方式被识别出来。一个补充性的入口标志是典型的函数序言 `mov %edi,%edi / push %ebp / mov %esp,%ebp`(见 7c910326 和 7c91036f 处),但这只是启发式判断,并非所有函数都有这样的序言。

每条 ret 指令标志着本次函数调用在动态执行上的结束(请注意,一个函数可能有多条 ret),但 ret 的地址并不等于该函数在内存中的"结束地址":ret 之后的地址仍可能属于该函数的其他基本块。另外,ret 并不一定从与之匹配的 call 所写入的那个栈槽弹出返回地址:本例中 7c9102fe 的 call 把返回地址写到 0x0022f748,而对应的 7c90e8f6 处的 ret 是从 0x0022f774 读出 0x7c910303 的;7c9102c0 的 call 写到 0x0022f750,而 7c90e8ab 这个被调函数先改写了自己的栈帧、把返回地址 0x7c9102c5 重新压栈后才 ret(读自 0x0022f72c)。因此配对 call 与 ret(无论是为了划分函数边界,还是做影子栈式的控制流校验)应当按返回地址的值——ret 读出的值等于 call 地址加上 call 指令长度——而不是按栈槽或嵌套顺序来匹配。`ret $0x4`(7c910303 处)还说明被调函数自己清理了 4 字节的栈参数,可据此推断该函数的栈参数大小。

例如,在下面的代码片段中,0x000000007c90e8e6(即 0x7c90e8e6)是被调用函数的开头,0x7c90e8f6 是本次调用中该函数执行的最后一条指令。(尽管如此,该函数中可能有不止一条 ret,ret 之后也可能还有属于它的代码。)还要注意这个函数并没有执行 push %ebp,却在 ret 之前执行了 `leave`(ebp 从 0x0022f774 变为 0x0022f844),也就是拆掉了调用者的栈帧,然后通过 `push %ecx; ret` 把之前 pop 出来的返回地址 0x7c910303 重新压栈并返回;从它对 %fs:0x0 的读写来看,这看起来像是编译器生成的 SEH 序言/尾声辅助例程(7c90e8ab 是与之配对的序言)。这说明仅凭 `push %ebp / mov %esp,%ebp … leave / ret` 的配对来划分函数边界并不可靠,应结合 call 目标和按值配对的返回地址一起判断。

7c9102fe:   call   0x000000007c90e8e6   J@0x00000000[0xffffe5e8][4](R)  T0  M@0x0022f748[0x7c9102c5][4](W)  T0
7c90e8e6:   mov    -0x10(%ebp),%ecx M@0x0022f764[0x0022f834][4](R)  T0  R@ecx[0x7c800000][4](W) T0
7c90e8e9:   mov    %ecx,%fs:0x0 R@ecx[0x0022f834][4](R) T0  M@0x7ffdf000[0x0022f764][4](W)  T0
7c90e8f0:   pop    %ecx M@0x0022f748[0x7c910303][4](R)  T0  R@ecx[0x0022f834][4](W) T0
7c90e8f1:   pop    %edi M@0x0022f74c[0x00000000][4](R)  T0  R@edi[0x00000000][4](W) T0
7c90e8f2:   pop    %esi M@0x0022f750[0x00000000][4](R)  T0  R@esi[0x00000000][4](W) T0
7c90e8f3:   pop    %ebx M@0x0022f754[0x00000000][4](R)  T0  R@ebx[0x00000000][4](W) T0
7c90e8f4:   leave   M@0x0022f774[0x0022f844][4](R)  T0  R@esp[0x0022f758][4](RW)    T0  R@ebp[0x0022f774][4](RW)    T0
7c90e8f5:   push   %ecx R@ecx[0x7c910303][4](R) T0  M@0x0022f774[0x0022f844][4](W)  T0
7c90e8f6:   ret     M@0x0022f774[0x7c910303][4](R)  T0