
[Software Reverse Engineering - Basic Knowledge] Analysis Methods, Assembly Instruction Architecture

2022-07-05 03:37:00 Black zone (rise)

Contents

1. Introduction
1.1 Process
1.2 Shortcomings
1.3 Handles
1.4 Classification
1.5 Ideas
2. Analysis methods
2.1 Static analysis
2.2 Dynamic analysis
3. Assembly instruction architecture
3.1 Introduction
3.2 x86 instruction system
    Register set
    Assembly instruction set
    The main instructions
    x86 application binary interface
3.3 x64 instruction system
    Register set
    System call instructions
    x64 application binary interface


1. Introduction

1.1 Process

The workflow is essentially: binary machine code ------> disassembly ------> assembly code (functional analysis).

1.2 Shortcomings

The disassembled code has lost the symbols, data structures and other information that were present in the source code.

Reverse analysis therefore has to recover as much of this information as possible so that the program's original logic and functionality can be understood.

1.3 Handles

Code structure (the framework of the program: the trunk), data structures (the branches and leaves), and operations (the branches).

1.4 Classification

The main methods are static analysis and dynamic analysis.

1.5 Ideas

Constant identification (built-in constants), data-structure characteristics (function behaviour), and network-behaviour characteristics (internal data, algorithms and their operating mechanism).



2. Analysis methods

2.1 Static analysis

Static analysis examines a code file without executing it, observing the file's external characteristics instead. It mainly consists of file-type analysis, static disassembly and decompilation.

File-type analysis is mainly used to find out which language the program was written in or which compiler produced it, and whether the program has been encrypted.

During reverse engineering this mainly means using a disassembler to view the internal code and analyze its structure.

2.2 Dynamic analysis

Dynamic analysis examines the code while the program file is running: the code is analyzed under a debugger, and the state of memory and other run-time information is obtained.

During reverse engineering a debugger is usually used to analyze the program's internal structure and how it is implemented.

Common reverse-engineering targets are x86 and x64 binary executables on the Windows and Linux platforms.



3. Assembly instruction architecture

3.1 Introduction

The processor architecture a reverse engineer deals with is usually Intel's.

This section therefore covers the Intel x86 and x64 instruction systems: the register set, the instruction set and the calling conventions.

3.2 x86 instruction system

Register set

General-purpose registers: EAX, EBX, ECX, EDX, ESI, EBP, ESP.

Instruction pointer register (EIP): points to the instruction that is about to be executed.

Status flags register (EFLAGS): the program's branch jumps are decided by the flag values held in this register.

Segment registers: CS, DS, SS, ES, FS, GS. On current operating systems the segment base addresses of CS, DS, SS and ES are usually 0.

Special registers: DR0-DR7, used to set hardware breakpoints.

Assembly instruction set

There are two syntax notations: Intel and AT&T.

Common reverse-engineering tools such as IDA Pro, OllyDbg and MASM usually use Intel syntax, while tools on UNIX systems such as gcc usually follow AT&T syntax. Intel syntax dominates in practice and is the notation used in this book.

Format of an Intel assembly language statement:

Operation DestinationOperand, SourceOperand

Here the operation is generally an assembly instruction such as add or mov. The destination and source operands are generally registers, memory addresses or immediate values.


The main instructions

(1) Data transfer instructions (the most frequently used)

Format: MOV DEST, SRC
Function: transfers a byte, word or doubleword from the source operand SRC to the destination operand DEST.

(2) Stack operations and function calls

Stack operations consist of push (PUSH) and pop (POP).

Function call and return are implemented by the CALL/RET instructions. CALL saves the current EIP on the stack; RET reads the stack to obtain the return address.

(3) Arithmetic and logic instructions

Such as add, sub, mul, div, and, or, xor, etc.

(4) Control transfer instructions

cmp: subtracts the two operands and updates the status flags register.

test: ANDs the two operands and updates the status flags register.

jmp: unconditional jump.

jcc: conditional jumps, including jz, jnz, etc.

(5) Special instructions

int3: its encoding is the byte 0xCC; it is mainly used to set software breakpoints.

int 0x80: the 32-bit system call instruction on Linux.

x86 application binary interface

A calling convention is a set of rules specifying how function calls are carried out at the machine level. For a given system it is defined by the application binary interface (ABI).

When a function call occurs, the arguments are first pushed onto the stack from right to left, then the call instruction pushes the function's return address onto the stack. Finally, the new function saves the previous ebp on the stack, and esp is decreased by some amount to leave stack space for local variables.
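The call sequence just described, together with the MOV, PUSH/POP, CMP/TEST, Jcc, CALL/RET and int3 instructions listed above, can be traced step by step with a small interpreter. The Python program below is an added example written for this page, not code from the original article: it models the 32-bit general-purpose registers, a flat dword memory used as the stack, the ZF and SF bits of EFLAGS, and treats instruction addresses as line indices, so the return address that CALL pushes is simply the index of the line after it. The class and function names (CPU, frame_layout), the initial ESP of 0x1000, and the sample routine mul_by_add are all constructed for the demonstration.

```python
import re

MASK = 0xFFFFFFFF
ALU = {"add": lambda a, b: a + b, "sub": lambda a, b: a - b, "and": lambda a, b: a & b,
       "or": lambda a, b: a | b, "xor": lambda a, b: a ^ b}


class CPU:
    def __init__(self, source, stack_top=0x1000):                          # stack_top: constructed initial ESP
        lines = [l.split(";", 1)[0].strip() for l in source.splitlines()]
        self.prog = [l for l in lines if l]                                 # one instruction or label per entry
        self.labels = {l[:-1]: i for i, l in enumerate(self.prog) if l.endswith(":")}
        self.r = dict.fromkeys(("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"), 0)
        self.r["esp"] = stack_top
        self.eip, self.mem = 0, {}                                          # next line index; dword address -> value
        self.zf = self.sf = 0                                               # the EFLAGS bits modelled here
        self.halted = False                                                 # set by int3, where a debugger stops

    def addr(self, text):                                                   # [reg], [reg+imm] or [reg-imm]
        reg, sign, imm = re.fullmatch(r"\[(\w+)(?:([+-])(\w+))?\]", text).groups()
        return (self.r[reg] + (int(imm, 0) if imm else 0) * (-1 if sign == "-" else 1)) & MASK

    def read(self, op):                                                     # register, memory or immediate
        if op in self.r:
            return self.r[op]
        return self.mem.get(self.addr(op), 0) if op.startswith("[") else int(op, 0) & MASK

    def write(self, op, val):
        if op in self.r:
            self.r[op] = val & MASK
        else:
            self.mem[self.addr(op)] = val & MASK

    def pop(self):                                                          # read [esp], then ESP += 4
        val, self.r["esp"] = self.mem.get(self.r["esp"], 0), (self.r["esp"] + 4) & MASK
        return val

    def step(self):
        line = self.prog[self.eip]
        self.eip += 1
        if line.endswith(":"):                                              # a label takes a line but does nothing
            return
        op, _, rest = line.partition(" ")
        a = [x.strip() for x in rest.split(",")] if rest else []
        if op == "mov":
            self.write(a[0], self.read(a[1]))
        elif op in ALU or op in ("cmp", "test"):                            # cmp/test are sub/and without a result
            res = ALU[{"cmp": "sub", "test": "and"}.get(op, op)](self.read(a[0]), self.read(a[1])) & MASK
            self.zf, self.sf = int(res == 0), res >> 31                     # the flags the jumps consult
            if op in ALU:
                self.write(a[0], res)
        elif op in ("push", "call"):                                        # both store at the new top of stack
            self.r["esp"] = (self.r["esp"] - 4) & MASK
            self.mem[self.r["esp"]] = self.eip if op == "call" else self.read(a[0])
            if op == "call":                                                # return address saved; now jump
                self.eip = self.labels[a[0]]
        elif op == "pop":
            self.write(a[0], self.pop())
        elif op in ("jmp", "jz", "je", "jnz", "jne"):
            if op == "jmp" or bool(self.zf) == (op in ("jz", "je")):
                self.eip = self.labels[a[0]]                                # taken; otherwise fall through
        elif op == "ret":                                                   # pop the return address into EIP
            self.eip = self.pop()
        elif op == "int3":
            self.halted = True
        else:
            raise ValueError("unsupported instruction: " + line)

    def run(self, stop_at=None):                                            # run to int3, end, or label stop_at
        stop = self.labels.get(stop_at, -1)
        while not self.halted and self.eip < len(self.prog) and self.eip != stop:
            self.step()
        return self


def frame_layout(cpu):                                                      # the frame addressed through EBP
    names = {-4: "local", 0: "saved ebp", 4: "return address", 8: "arg1", 12: "arg2"}
    return {n: cpu.mem.get((cpu.r["ebp"] + d) & MASK, 0) for d, n in names.items()}


PROGRAM = """
    push 4              ; constructed sample, cdecl style: arguments are pushed right to left
    push 3              ; first argument goes last, so it ends up closest to the return address
    call mul_by_add     ; CALL pushes the return address (index of the next line), then jumps
    add esp, 8          ; the caller removes its two arguments
    int3                ; soft breakpoint (0xCC): emulation stops here with the product in EAX
mul_by_add:
    push ebp            ; prologue: save the caller's EBP ...
    mov ebp, esp        ; ... and anchor the frame: [ebp+4] ret addr, [ebp+8] arg1, [ebp+12] arg2
    sub esp, 4          ; reserve one local variable at [ebp-4]
    mov eax, 0
    mov ecx, [ebp+12]   ; loop counter = arg2
again:
    add eax, [ebp+8]    ; eax += arg1
    sub ecx, 1          ; SUB sets ZF when the counter reaches zero
    jnz again           ; jcc: conditional jump on EFLAGS.ZF
    mov [ebp-4], eax    ; keep the product in the local; EAX also carries the return value
    mov esp, ebp        ; epilogue: release locals, restore EBP, return
    pop ebp
    ret
"""
```

CPU(PROGRAM).run() stops at the int3 with EAX = 12 and ESP back at its starting value, and frame_layout(CPU(PROGRAM).run(stop_at="again")) shows the frame right after the prologue: [ebp+4] holds the return address, [ebp+8] and [ebp+12] the two arguments pushed right to left, and [ebp-4] the local variable. This is the same layout a debugger shows when it breaks inside a cdecl function, which is why locating arguments as positive offsets from EBP is the first thing to check when reading a disassembled prologue.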

3.3 x64 instruction system

The x64 instruction system is broadly the same as x86; here only the differences are explained.

Register set

RAX, RBX, RDX, RCX, RBP, RDI, RSI, RSP, R8-R15.

System call instructions

syscall/sysret are the system call mechanism of the 64-bit Linux operating system.

x64 application binary interface

Microsoft's x64 ABI:

Used mainly by 64-bit programs on the Windows operating system.

In Microsoft's x64 ABI the first 4 arguments are passed in the registers RCX, RDX, R8 and R9 and the rest on the stack, but 0x20 bytes of stack space are reserved for temporarily saving the first 4 arguments. The return value is in RAX.

Corresponding call form: RAX func(RCX, RDX, R8, R9, [rsp+0x20], [rsp+0x28], ……)

SysV x64 ABI:

Used mainly by 64-bit programs on Linux, BSD, macOS and similar operating systems.

In the SysV x64 ABI the first 6 arguments (RDI, RSI, RDX, RCX, R8, R9) are passed in registers and the rest on the stack; no stack space is reserved for the first 6 arguments. The return value is in the RAX register.

Corresponding call form: RAX func(RDI, RSI, RDX, RCX, R8, R9, [RSP+8], [RSP+0x10], ……)
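The two call forms above can be generated for any number of arguments with a few lines of Python. This is an added example, not part of the original article; the register lists and the 0x20-byte reserved area come from the text, while the function names (arg_location, call_form, stack_bytes_for_args) and the ABIS table are constructed here. One caveat worth making explicit: the Windows form above is written from the caller's point of view (RSP as it is at the call instruction, before the return address is pushed), whereas the SysV form is written from the callee's point of view (RSP at function entry), which is why one starts at [rsp+0x20] and the other at [rsp+8]. The view parameter below lets you pick either perspective.

```python
# x64 integer-argument placement under the two ABIs described above (added example).
# Register lists and the 0x20-byte reserved area come from the text; everything else is constructed.
ABIS = {
    "win64": {"regs": ("RCX", "RDX", "R8", "R9"), "reserved": 0x20},   # caller sets aside 0x20 bytes
    "sysv": {"regs": ("RDI", "RSI", "RDX", "RCX", "R8", "R9"), "reserved": 0},
}
RETURN_ADDRESS_SIZE = 8   # bytes pushed by CALL; they sit at [rsp] on function entry


def arg_location(abi, index, view="callee"):
    """Where argument number `index` (0-based) lives.

    view="caller": RSP as it is at the CALL instruction, before the return address is pushed.
    view="callee": RSP as it is on function entry, 8 bytes lower because of the return address.
    """
    spec = ABIS[abi]
    if index < len(spec["regs"]):
        return spec["regs"][index]
    offset = spec["reserved"] + 8 * (index - len(spec["regs"]))      # slot among stack-passed arguments
    if view == "callee":
        offset += RETURN_ADDRESS_SIZE
    return f"[rsp+{offset:#x}]"


def call_form(abi, nargs, view="callee"):
    """The 'RAX func(...)' notation used in the text, for any argument count."""
    return "RAX func(" + ", ".join(arg_location(abi, i, view) for i in range(nargs)) + ")"


def stack_bytes_for_args(abi, nargs):
    """Bytes of stack the caller sets aside for arguments: the reserved area plus stack-passed slots."""
    spec = ABIS[abi]
    return spec["reserved"] + 8 * max(0, nargs - len(spec["regs"]))
```

call_form("win64", 6, view="caller") reproduces the Windows line above and call_form("sysv", 8, view="callee") the SysV line; switching the view shifts every stack offset by 8, which is the usual cause of reading the wrong argument when correlating a disassembled prologue with the calling function.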


Copyright notice
This article was written by [Black zone (rise)]. Please include the original link when reposting. Thank you.
https://yzsam.com/2022/186/202207050304262181.html