1、常见代码反汇编
- sizeof
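// sizeof is an operator evaluated by the compiler, not a function call: for a
// non-VLA operand it folds to a constant at compile time, so there is nothing
// to call in the disassembly.  Its result is size_t, so the matching format
// specifier is %zu; the original %ld only "worked" because size_t and long
// happen to have the same width on LP64 targets, and a signed/unsigned format
// mismatch is exactly the kind of latent bug -Wformat exists to catch.
NSLog(@"%zu", sizeof(long));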
- a++ + a++ + a++
int a = 1;
// NOTE(review): this expression modifies `a` three times with no sequence
// point between the modifications, which is undefined behaviour in C
// (C11 6.5p2); clang reports it with -Wunsequenced.  The value 6 seen in the
// listings below is only what this particular clang build happened to emit --
// another compiler, optimisation level or target may legitimately produce
// something else, and no code (least of all security-sensitive code) may
// depend on it.  The listings that follow are the disassembly of exactly this
// source text; keep it unchanged so they stay in step.
int c = a++ + a++ + a++;
NSLog(@"%d", c);
debug（未优化构建）
0x100000f0b <+27>: leaq 0x116(%rip), %rsi ; @"%d"
0x100000f12 <+34>: movl $0x1, -0x14(%rbp)
0x100000f19 <+41>: movl -0x14(%rbp), %edi
0x100000f1c <+44>: movl %edi, %ecx
0x100000f1e <+46>: addl $0x1, %ecx
0x100000f21 <+49>: movl %ecx, -0x14(%rbp)
0x100000f24 <+52>: movl -0x14(%rbp), %ecx
0x100000f27 <+55>: movl %ecx, %edx
0x100000f29 <+57>: addl $0x1, %edx
0x100000f2c <+60>: movl %edx, -0x14(%rbp)
0x100000f2f <+63>: addl %ecx, %edi
0x100000f31 <+65>: movl -0x14(%rbp), %ecx
0x100000f34 <+68>: movl %ecx, %edx
0x100000f36 <+70>: addl $0x1, %edx
0x100000f39 <+73>: movl %edx, -0x14(%rbp)
0x100000f3c <+76>: addl %ecx, %edi
0x100000f3e <+78>: movl %edi, -0x18(%rbp)
-> 0x100000f41 <+81>: movl -0x18(%rbp), %ecx
0x100000f44 <+84>: movq %rsi, %rdi
0x100000f47 <+87>: movl %ecx, %esi
0x100000f49 <+89>: movq %rax, -0x20(%rbp)
0x100000f4d <+93>: movb $0x0, %al
0x100000f4f <+95>: callq 0x100000f66 ; symbol stub for: NSLog
release（优化构建）：整个表达式在编译期被常量折叠，直接以 movl $0x6, %esi 作为 NSLog 的参数，局部变量 a、c 都不再存在
0x100000f4b <+11>: movq %rax, %rbx
-> 0x100000f4e <+14>: leaq 0xd3(%rip), %rdi ; @"%d"
0x100000f55 <+21>: movl $0x6, %esi
0x100000f5a <+26>: xorl %eax, %eax
0x100000f5c <+28>: callq 0x100000f72 ; symbol stub for: NSLog
/*
-0x14(%rbp) -> 局部变量a
-0x18(%rbp) -> 局部变量c
int a = 1;
int c = a++ + a++ + a++;
%edx的值 == 6
%r8d的值 == 3
a的值 = 4
0x100000f11 <+65>: movl $0x1, 局部变量a
0x100000f18 <+72>: movl 局部变量a, %edx
0x100000f1b <+75>: movl %edx, %r8d
0x100000f1e <+78>: addl $0x1, %r8d
0x100000f22 <+82>: movl %r8d, 局部变量a
0x100000f26 <+86>: movl 局部变量a, %r8d
0x100000f2a <+90>: movl %r8d, %r9d
0x100000f2d <+93>: addl $0x1, %r9d
0x100000f31 <+97>: movl %r9d, 局部变量a
0x100000f35 <+101>: addl %r8d, %edx
0x100000f38 <+104>: movl 局部变量a, %r8d
0x100000f3c <+108>: movl %r8d, %r9d
0x100000f3f <+111>: addl $0x1, %r9d
0x100000f43 <+115>: movl %r9d, 局部变量a
0x100000f47 <+119>: addl %r8d, %edx
0x100000f4a <+122>: movl %edx, 局部变量c
*/
int a = 1;
// NOTE(review): like the previous example, `a` is modified three times with
// no intervening sequence point, so this is undefined behaviour (C11 6.5p2)
// and clang's -Wunsequenced warns on it.  Tracing the listing below, this
// particular build computes 2 + 2 + 4 = 8, but that is an artefact of how
// clang happened to schedule the loads and stores, not a property of the C
// program.  The listing is the disassembly of exactly this source text.
int c = ++a + a++ + ++a;
NSLog(@"%d", c);
//汇编代码为
0x100000f15 <+277>: movl $0x1, -0x18(%rbp)
0x100000f1c <+284>: movl -0x18(%rbp), %ecx
0x100000f1f <+287>: addl $0x1, %ecx
0x100000f22 <+290>: movl %ecx, -0x18(%rbp)
0x100000f25 <+293>: movl -0x18(%rbp), %edx
0x100000f28 <+296>: movl %edx, %esi
0x100000f2a <+298>: addl $0x1, %esi
0x100000f2d <+301>: movl %esi, -0x18(%rbp)
0x100000f30 <+304>: addl %edx, %ecx
0x100000f32 <+306>: movl -0x18(%rbp), %edx
0x100000f35 <+309>: addl $0x1, %edx
0x100000f38 <+312>: movl %edx, -0x18(%rbp)
0x100000f3b <+315>: addl %edx, %ecx
0x100000f3d <+317>: movl %ecx, -0x1c(%rbp)
0x100000f40 <+320>: movl -0x1c(%rbp), %esi
0x100000f43 <+323>: movq %rax, %rdi
0x100000f46 <+326>: movb $0x0, %al
0x100000f48 <+328>: callq 0x100000f5e ; symbol stub for: NSLog
0x100000f4d <+333>: movq -0x28(%rbp), %rdi
- if-else
int a = 10;
// With a == 10 the first test (a > 10) fails and the second (a > 5) holds,
// so "2" is printed.  In the unoptimised listing that follows, every
// comparison re-reads `a` from its stack slot (-0x14(%rbp)) and each
// `a > N` is emitted as `cmpl $N` followed by the inverted branch `jle` to
// the next test; the trailing chain of `jmp`s is how the nested else blocks
// all fall out to the common exit.  Keep the source in exactly this shape
// so the listing stays in step with it.
if (a > 10) {
NSLog(@"1");
} else if (a > 5) {
NSLog(@"2");
} else if (a > 1) {
NSLog(@"3");
} else {
NSLog(@"4");
}
//汇编代码为
0x100000ec6 <+22>: callq 0x100000f6e ; symbol stub for: objc_autoreleasePoolPush
-> 0x100000ecb <+27>: movl $0xa, -0x14(%rbp)
0x100000ed2 <+34>: cmpl $0xa, -0x14(%rbp)
0x100000ed6 <+38>: movq %rax, -0x20(%rbp)
0x100000eda <+42>: jle 0x100000ef6 ; <+70> at main.m:63
0x100000ee0 <+48>: leaq 0x141(%rip), %rax ; @"'1'"
0x100000ee7 <+55>: movq %rax, %rdi
0x100000eea <+58>: movb $0x0, %al
0x100000eec <+60>: callq 0x100000f62 ; symbol stub for: NSLog
0x100000ef1 <+65>: jmp 0x100000f51 ; <+161> at main.m:86
0x100000ef6 <+70>: cmpl $0x5, -0x14(%rbp)
0x100000efa <+74>: jle 0x100000f16 ; <+102> at main.m:65
0x100000f00 <+80>: leaq 0x141(%rip), %rax ; @"'2'"
0x100000f07 <+87>: movq %rax, %rdi
0x100000f0a <+90>: movb $0x0, %al
0x100000f0c <+92>: callq 0x100000f62 ; symbol stub for: NSLog
0x100000f11 <+97>: jmp 0x100000f4c ; <+156> at main.m
0x100000f16 <+102>: cmpl $0x1, -0x14(%rbp)
0x100000f1a <+106>: jle 0x100000f36 ; <+134> at main.m
0x100000f20 <+112>: leaq 0x141(%rip), %rax ; @"'3'"
0x100000f27 <+119>: movq %rax, %rdi
0x100000f2a <+122>: movb $0x0, %al
0x100000f2c <+124>: callq 0x100000f62 ; symbol stub for: NSLog
0x100000f31 <+129>: jmp 0x100000f47 ; <+151> at main.m
0x100000f36 <+134>: leaq 0x14b(%rip), %rax ; @"'4'"
0x100000f3d <+141>: movq %rax, %rdi
0x100000f40 <+144>: movb $0x0, %al
0x100000f42 <+146>: callq 0x100000f62 ; symbol stub for: NSLog
0x100000f47 <+151>: jmp 0x100000f4c ; <+156> at main.m
0x100000f4c <+156>: jmp 0x100000f51 ; <+161> at main.m:86
0x100000f51 <+161>: movq -0x20(%rbp), %rdi
0x100000f55 <+165>: callq 0x100000f68 ; symbol stub for: objc_autoreleasePoolPop
- for
// Prints "1" five times.  The debug listing keeps `i` in -0x14(%rbp),
// re-reading it to compare against 5 (`cmpl $0x5` / `jge` exits the loop)
// and incrementing it in memory after each NSLog.  The release listing shows
// what an optimiser may legitimately do instead: because `i` is never
// observed, the loop becomes a count-down in %ebx (5 -> 0 via `decl`/`jne`)
// and the format-string pointer is hoisted into %r15 once.  Tooling or
// debugger scripts that expect a particular register/stack layout for `i`
// must not assume either form.
for (int i = 0; i < 5; i++) {
NSLog(@"1");
}
debug（未优化构建）
0x100000f2b <+27>: movl $0x0, -0x14(%rbp)
0x100000f32 <+34>: movq %rax, -0x20(%rbp)
0x100000f36 <+38>: cmpl $0x5, -0x14(%rbp)
0x100000f3a <+42>: jge 0x100000f5f ; <+79> at main.m:50
0x100000f40 <+48>: leaq 0xe1(%rip), %rax ; @"'1'"
0x100000f47 <+55>: movq %rax, %rdi
0x100000f4a <+58>: movb $0x0, %al
0x100000f4c <+60>: callq 0x100000f70 ; symbol stub for: NSLog
0x100000f51 <+65>: movl -0x14(%rbp), %eax
0x100000f54 <+68>: addl $0x1, %eax
0x100000f57 <+71>: movl %eax, -0x14(%rbp)
release（优化构建）：循环变量 i 不可观察，编译器把它改写成 %ebx 从 5 递减到 0 的倒计数循环（decl / jne），NSLog 的格式串地址也被提升到 %r15 只加载一次
0x100000f47 <+18>: movl $0x5, %ebx
0x100000f4c <+23>: leaq 0xd5(%rip), %r15 ; @"'1'"
0x100000f53 <+30>: xorl %eax, %eax
0x100000f55 <+32>: movq %r15, %rdi
0x100000f58 <+35>: callq 0x100000f76 ; symbol stub for: NSLog
-> 0x100000f5d <+40>: decl %ebx
0x100000f5f <+42>: jne 0x100000f53 ; <+30> at main.m:20
- switch和if效率（下面两个例子在未优化构建下都被编译成顺序比较链；case 值稀疏的 switch 并不会自动变成跳转表，不能仅凭这段反汇编断言 switch 比 if 快）
int a = 4;
// Equality chain: a == 4, so "4" is printed.  Unoptimised, each `a == N`
// becomes a `cmpl $N, -0x14(%rbp)` / `jne` pair that re-reads `a` from the
// stack, and the five `jmp`-to-`jmp` trampolines at the end of the listing
// are the unmerged exits of the nested else blocks.  This is the baseline
// to compare against the switch version below.
if (a == 1) {
NSLog(@"1");
} else if (a == 2) {
NSLog(@"2");
} else if (a == 3) {
NSLog(@"3");
} else if (a == 4) {
NSLog(@"4");
} else if (a == 5) {
NSLog(@"5");
} else {
NSLog(@"else");
}
0x100000e7b <+27>: movl $0x4, -0x14(%rbp)
0x100000e82 <+34>: cmpl $0x1, -0x14(%rbp)
0x100000e86 <+38>: movq %rax, -0x20(%rbp)
0x100000e8a <+42>: jne 0x100000ea6 ; <+70> at main.m:21
0x100000e90 <+48>: leaq 0x191(%rip), %rax ; @"'1'"
0x100000e97 <+55>: movq %rax, %rdi
0x100000e9a <+58>: movb $0x0, %al
0x100000e9c <+60>: callq 0x100000f5c ; symbol stub for: NSLog
0x100000ea1 <+65>: jmp 0x100000f4b ; <+235> at main.m:86
0x100000ea6 <+70>: cmpl $0x2, -0x14(%rbp)
0x100000eaa <+74>: jne 0x100000ec6 ; <+102> at main.m:23
0x100000eb0 <+80>: leaq 0x191(%rip), %rax ; @"'2'"
0x100000eb7 <+87>: movq %rax, %rdi
0x100000eba <+90>: movb $0x0, %al
0x100000ebc <+92>: callq 0x100000f5c ; symbol stub for: NSLog
0x100000ec1 <+97>: jmp 0x100000f46 ; <+230> at main.m
0x100000ec6 <+102>: cmpl $0x3, -0x14(%rbp)
0x100000eca <+106>: jne 0x100000ee6 ; <+134> at main.m:25
0x100000ed0 <+112>: leaq 0x191(%rip), %rax ; @"'3'"
0x100000ed7 <+119>: movq %rax, %rdi
0x100000eda <+122>: movb $0x0, %al
0x100000edc <+124>: callq 0x100000f5c ; symbol stub for: NSLog
0x100000ee1 <+129>: jmp 0x100000f41 ; <+225> at main.m
0x100000ee6 <+134>: cmpl $0x4, -0x14(%rbp)
0x100000eea <+138>: jne 0x100000f06 ; <+166> at main.m:27
0x100000ef0 <+144>: leaq 0x191(%rip), %rax ; @"'4'"
0x100000ef7 <+151>: movq %rax, %rdi
0x100000efa <+154>: movb $0x0, %al
0x100000efc <+156>: callq 0x100000f5c ; symbol stub for: NSLog
0x100000f01 <+161>: jmp 0x100000f3c ; <+220> at main.m
0x100000f06 <+166>: cmpl $0x5, -0x14(%rbp)
0x100000f0a <+170>: jne 0x100000f26 ; <+198> at main.m
0x100000f10 <+176>: leaq 0x191(%rip), %rax ; @"'5'"
0x100000f17 <+183>: movq %rax, %rdi
0x100000f1a <+186>: movb $0x0, %al
0x100000f1c <+188>: callq 0x100000f5c ; symbol stub for: NSLog
0x100000f21 <+193>: jmp 0x100000f37 ; <+215> at main.m
0x100000f26 <+198>: leaq 0x19b(%rip), %rax ; @"else"
0x100000f2d <+205>: movq %rax, %rdi
0x100000f30 <+208>: movb $0x0, %al
0x100000f32 <+210>: callq 0x100000f5c ; symbol stub for: NSLog
0x100000f37 <+215>: jmp 0x100000f3c ; <+220> at main.m
0x100000f3c <+220>: jmp 0x100000f41 ; <+225> at main.m
0x100000f41 <+225>: jmp 0x100000f46 ; <+230> at main.m
0x100000f46 <+230>: jmp 0x100000f4b ; <+235> at main.m:86
0x100000f4b <+235>: movq -0x20(%rbp), %rdi
0x100000f4f <+239>: callq 0x100000f62 ; symbol stub for: objc_autoreleasePoolPop
int a = 4;
// The same selection written as a switch.  Note that with a == 4 no case
// matches (the cases are 1, 2, 3, 100, 105), so the default branch runs and
// "else" is printed.  In the unoptimised listing below the switch is NOT a
// jump table: clang lowers it to a chain of `subl $N` / `je` tests against a
// spilled copy of `a` (0x64 == 100, 0x69 == 105), which is essentially the
// if/else chain above with different constants.  A table-driven dispatch is
// something an optimising build may emit for dense case values; do not
// conclude from this listing that switch is cheaper than if/else.
switch (a) {
case 1:
NSLog(@"1");
break;
case 2:
NSLog(@"2");
break;
case 3:
NSLog(@"3");
break;
case 100:
NSLog(@"4");
break;
case 105:
NSLog(@"5");
break;
default:
NSLog(@"else");
break;
}
0x100000e62 <+34>: movl -0x14(%rbp), %edi
0x100000e65 <+37>: movl %edi, %ecx
0x100000e67 <+39>: subl $0x1, %ecx
0x100000e6a <+42>: movq %rax, -0x20(%rbp)
0x100000e6e <+46>: movl %edi, -0x24(%rbp)
0x100000e71 <+49>: movl %ecx, -0x28(%rbp)
0x100000e74 <+52>: je 0x100000ecf ; <+143> at main.m
0x100000e7a <+58>: jmp 0x100000e7f ; <+63> at main.m:33
0x100000e7f <+63>: movl -0x24(%rbp), %eax
0x100000e82 <+66>: subl $0x2, %eax
0x100000e85 <+69>: movl %eax, -0x2c(%rbp)
0x100000e88 <+72>: je 0x100000ee5 ; <+165> at main.m
0x100000e8e <+78>: jmp 0x100000e93 ; <+83> at main.m:33
0x100000e93 <+83>: movl -0x24(%rbp), %eax
0x100000e96 <+86>: subl $0x3, %eax
0x100000e99 <+89>: movl %eax, -0x30(%rbp)
0x100000e9c <+92>: je 0x100000efb ; <+187> at main.m
0x100000ea2 <+98>: jmp 0x100000ea7 ; <+103> at main.m:33
0x100000ea7 <+103>: movl -0x24(%rbp), %eax
0x100000eaa <+106>: subl $0x64, %eax
0x100000ead <+109>: movl %eax, -0x34(%rbp)
0x100000eb0 <+112>: je 0x100000f11 ; <+209> at main.m
0x100000eb6 <+118>: jmp 0x100000ebb ; <+123> at main.m:33
0x100000ebb <+123>: movl -0x24(%rbp), %eax
0x100000ebe <+126>: subl $0x69, %eax
0x100000ec1 <+129>: movl %eax, -0x38(%rbp)
0x100000ec4 <+132>: je 0x100000f27 ; <+231> at main.m
0x100000eca <+138>: jmp 0x100000f3d ; <+253> at main.m
0x100000ecf <+143>: leaq 0x152(%rip), %rax ; @"'1'"
0x100000ed6 <+150>: movq %rax, %rdi
0x100000ed9 <+153>: movb $0x0, %al
0x100000edb <+155>: callq 0x100000f60 ; symbol stub for: NSLog
0x100000ee0 <+160>: jmp 0x100000f4e ; <+270> at main.m:86
0x100000ee5 <+165>: leaq 0x15c(%rip), %rax ; @"'2'"
0x100000eec <+172>: movq %rax, %rdi
0x100000eef <+175>: movb $0x0, %al
0x100000ef1 <+177>: callq 0x100000f60 ; symbol stub for: NSLog
0x100000ef6 <+182>: jmp 0x100000f4e ; <+270> at main.m:86
0x100000efb <+187>: leaq 0x166(%rip), %rax ; @"'3'"
0x100000f02 <+194>: movq %rax, %rdi
0x100000f05 <+197>: movb $0x0, %al
0x100000f07 <+199>: callq 0x100000f60 ; symbol stub for: NSLog
0x100000f0c <+204>: jmp 0x100000f4e ; <+270> at main.m:86
0x100000f11 <+209>: leaq 0x170(%rip), %rax ; @"'4'"
0x100000f18 <+216>: movq %rax, %rdi
0x100000f1b <+219>: movb $0x0, %al
0x100000f1d <+221>: callq 0x100000f60 ; symbol stub for: NSLog
0x100000f22 <+226>: jmp 0x100000f4e ; <+270> at main.m:86
0x100000f27 <+231>: leaq 0x17a(%rip), %rax ; @"'5'"
0x100000f2e <+238>: movq %rax, %rdi
0x100000f31 <+241>: movb $0x0, %al
0x100000f33 <+243>: callq 0x100000f60 ; symbol stub for: NSLog
0x100000f38 <+248>: jmp 0x100000f4e ; <+270> at main.m:86
0x100000f3d <+253>: leaq 0x184(%rip), %rax ; @"else"
0x100000f44 <+260>: movq %rax, %rdi
0x100000f47 <+263>: movb $0x0, %al
0x100000f49 <+265>: callq 0x100000f60 ; symbol stub for: NSLog
0x100000f4e <+270>: movq -0x20(%rbp), %rdi
0x100000f52 <+274>: callq 0x100000f66 ; symbol stub for: objc_autoreleasePoolPop
2、编译器优化
（图片：1.png）
3、外联汇编
# _sum: returns the sum of its two integer arguments.
# System V AMD64 calling convention (x86-64 macOS): the first two integer
# arguments arrive in %rdi and %rsi and the result is returned in %rax, so
# C code declares this as `long sum(long, long);`.  The leading underscore
# is the Mach-O C-symbol decoration; on Linux/ELF the symbol would be `sum`.
# This is a leaf routine with no stack frame, so nothing is saved/restored.
# NOTE(review): no `.text` directive is shown -- the assembler uses the
# default (text) section here, but state it explicitly if this ever shares
# a file with data definitions.
.global _sum
_sum:
movq %rdi, %rax # rax = first argument
addq %rsi, %rax # rax += second argument (flags are clobbered; callers may not rely on flags after a call)
retq
4、内联汇编
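int num1 = 10;
int num2 = 20;
int result;
/*
 * result = num1 + num2 (30), computed by a single addl.
 *   output  "=a"(result) : result is read back from %eax after the asm
 *   input   "b"(num1)    : num1 is placed in %ebx before the asm
 *   input   "0"(num2)    : num2 is placed in the same register as operand 0
 *                          (%eax), making the in/out tie on %eax explicit
 *                          instead of relying on a separate "a" input that
 *                          merely happens to coincide with the "=a" output
 *   clobber "cc"         : addl rewrites EFLAGS; declaring it is the portable
 *                          way to say so (x86 GCC/clang already assume flags
 *                          are clobbered, but other targets do not)
 * NOTE(review): pinning %ebx is fine on x86-64 and non-PIC 32-bit code, but
 * a 32-bit PIC build reserves %ebx as the GOT pointer and may reject the "b"
 * constraint -- use a generic "r" constraint with "%1" in the template there.
 */
__asm__(
    "addl %%ebx, %%eax"
    : "=a"(result)
    : "b"(num1), "0"(num2)
    : "cc"
);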
5、lldb常见命令
-
读取寄存器的值
register read/格式
register read/x -
修改寄存器的值
register write 寄存器名称 数值
register write $rax 0 -
读取内存中的值
x/数量-格式-字节大小 内存地址
x/3xw 0x0000010 -
修改内存中的值
memory write 内存地址 数值
memory write 0x0000010 10 -
格式
x是16进制,f是浮点,d是十进制 -
字节大小
b – byte 1字节
h – half word 2字节
w – word 4字节
g – giant word 8字节 -
expression 表达式
可以简写:expr 表达式
expression $rax
expression $rax = 1
po 表达式
-
print 表达式
-
po/x $rax
-
po (int)$rax
6、破解
a)可执行文件的格式
-
PE
Windows平台(比如exe文件) -
ELF
Linux平台、Android平台 -
Mach-O
Mac、iOS平台
b)序列号破解
- 找到序列号
- 暴力破解