strtok 被以 0（空指针）作为字符串参数调用

逆向工程 x86
2021-06-17 11:14:38

我正在从事一个更大的逆向项目,并遇到了这一部分。我真的不明白这里发生了什么。除了绕过这个块并跳转到 0x400d2d 之外,没有其他方法可以沿着控制流进行。还要注意,该程序中还有其他位置使用“合理”参数调用 strtok,并且我已正确绕过这些部分。有人会分享一些我缺乏的智慧吗?谢谢!

// Call-site pattern: strtok(NULL, delim). The 0 in the first argument is by
// design, not a bad pointer: strtok keeps a private pointer into the string it
// was last handed, and NULL means "continue from there" (see the C example below).
mov     esi, 0x401018  // delimiter argument '\'
mov     edi, 0x0       // address at 0? doesn't make sense
                       // -> it is NULL: resume tokenising the string given to the earlier strtok call
call    strtok
mov     qword [rbp-0x48], rax  // this is always going to return 0
                               // -> no: returns the next token; NULL only once that earlier string is exhausted
cmp     qword [rbp-0x48], 0x0  
jne     0x400d2d // want to jump here, but can't
                 // -> taken while a token remains; the outcome depends on the earlier strtok(str, ...) call's data

这是 strtok 的常见用法：第一次调用时传入要切分的字符串，之后每次传入 NULL，让 strtok 从它内部保存的位置继续切分同一个字符串。下面是示例代码（来自这里）：

#include <string.h>
#include <stdio.h>

/* Demonstrates the strtok() calling pattern: the buffer is passed once, then
 * NULL on every following call so strtok resumes from the position it saved
 * internally.  strtok() writes NUL bytes into its argument in place, so the
 * input must be a writable array, never a string literal, and the hidden
 * state makes it unsafe to interleave two tokenisations (strtok_r avoids that). */
int main()
{
   char str[80] = "This is - www.tutorialspoint.com - website";
   const char s[2] = "-";
   char *token = strtok(str, s);           /* first call: hand over the buffer */

   /* print every token; strtok(NULL, s) yields the next one or NULL at the end */
   for (; token != NULL; token = strtok(NULL, s)) {
      printf( " %s\n", token );
   }
   return 0;
}

反汇编：

# printf format string for the loop body; read-only, referenced as OFFSET FLAT:.LC0 below
.LC0:
        .string " %s\n"
# int main(void) -- GCC x86-64 output, Intel syntax, SysV AMD64 ABI.
# Frame layout relative to rbp:
#   [rbp-96 .. rbp-17] = char str[80]   (80 bytes)
#   [rbp-98]           = const char s[2] = "-"
#   [rbp-8]            = char *token
main:
        push    rbp
        mov     rbp, rsp
        sub     rsp, 112                        # locals; 112 is a multiple of 16, so rsp stays 16-aligned at each call
        movabs  rax, 2338328219631577172        # str initializer, stored 8 bytes at a time (literal packed little-endian)
        movabs  rdx, 8463440690376286253
        mov     QWORD PTR [rbp-96], rax         # str[0..7]
        mov     QWORD PTR [rbp-88], rdx         # str[8..15]
        movabs  rax, 8102939320206389108
        movabs  rdx, 7885630523722066287
        mov     QWORD PTR [rbp-80], rax         # str[16..23]
        mov     QWORD PTR [rbp-72], rdx         # str[24..31]
        movabs  rax, 7598525184233975072
        mov     edx, 25972                      # last two literal bytes plus NUL padding (32-bit write zero-extends into rdx)
        mov     QWORD PTR [rbp-64], rax         # str[32..39]
        mov     QWORD PTR [rbp-56], rdx         # str[40..47]
        mov     QWORD PTR [rbp-48], 0           # remaining 32 bytes of str[80] zero-filled
        mov     QWORD PTR [rbp-40], 0
        mov     QWORD PTR [rbp-32], 0
        mov     QWORD PTR [rbp-24], 0
        mov     WORD PTR [rbp-98], 45           # s = "-\0" (45 == '-')
        lea     rdx, [rbp-98]
        lea     rax, [rbp-96]
        mov     rsi, rdx                        # arg 2: delimiter string s
        mov     rdi, rax                        # arg 1: str -- the first call hands strtok the buffer
        call    strtok
        mov     QWORD PTR [rbp-8], rax          # token = first token (or NULL)
.L3:                                            # while (token != NULL)
        cmp     QWORD PTR [rbp-8], 0
        je      .L2
        mov     rax, QWORD PTR [rbp-8]
        mov     rsi, rax                        # printf arg 2: token
        mov     edi, OFFSET FLAT:.LC0           # printf arg 1: " %s\n" (32-bit absolute address, non-PIE build)
        mov     eax, 0                          # al = 0: no vector registers passed to the variadic call
        call    printf
        lea     rax, [rbp-98]
        mov     rsi, rax                        # arg 2: delimiter string s again
        mov     edi, 0                          # arg 1: NULL -> strtok(NULL, s) continues the string from the first call
        call    strtok
        mov     QWORD PTR [rbp-8], rax          # token = next token, NULL once exhausted
        jmp     .L3
.L2:
        mov     eax, 0                          # return 0
        leave
        ret

`token = strtok(NULL, s);` 这一行编译为

mov edi,0
call strtok

您可以使用网站https://godbolt.org/快速检查/比较不同的编译器及其程序集输出