Assembly: just starting out, a bit confused by some instructions


So I'm practising, slowly but surely learning and reviewing my assembly. Below is a randomly chosen disassembled kernel function as an example:

81a1e85f 8b450c          mov     eax,dword ptr [ebp+0Ch] // Moving value stored at memory address contained in the ebp register+0Ch to the eax register.
81a1e862 8b4048          mov     eax,dword ptr [eax+48h] // Moving value stored at memory address contained in the eax register+48h to the eax register.
81a1e865 8945f0          mov     dword ptr [ebp-10h],eax // Moving value stored at memory address contained in the ebp-10h register to the eax register?
81a1e868 6a00            push    0 // ?
81a1e86a 8bc7            mov     eax,edi // Move contents of the edi register into eax.
81a1e86c c745fc22010000  mov     dword ptr [ebp-4],122h // ?
81a1e873 e8bf010000      call    nt!PspGetPreviousProcessThread (81a1ea37) // Call the function named nt!PspGetPreviousProcessThread?
81a1e878 8b5d14          mov     ebx,dword ptr [ebp+14h] // Moving value stored at memory address contained in the ebp register+14h to the ebx register.
I'm new to most of this, so no doubt I'm wrong about some of it, or all of it. Most importantly, could someone tell me what is happening at the places I've commented, since I'm not familiar with them?

Also, anything in brackets, [ebp-4] for example, is considered a dereferenced pointer, right?

// Moving value stored at memory address contained in the ebp register+0Ch to the eax register.
// correct
    mov     eax,dword ptr [ebp+0Ch] 

// Moving value stored at memory address contained in the eax register+48h to the eax register.
// correct
    mov     eax,dword ptr [eax+48h] 

// Moving value stored at memory address contained in the ebp-10h register to the eax register?
// no, moving content of eax register (dword) to location [ebp-10h]
    mov     dword ptr [ebp-10h],eax 

// ?
// pushes a 32-bit zero on stack - probably an argument to the call below
    push    0 

// Move contents of the edi register into eax.
// correct
    mov     eax,edi 

// ?
// store the 32-bit value 122h to location [ebp-4]
    mov     dword ptr [ebp-4],122h 

// Call the function name nt!PspGetPreviousProcessThread?
// correct
    call    nt!PspGetPreviousProcessThread (81a1ea37) 

// Moving value stored at memory address contained in the ebp register+14h to the ebx register
// correct
    mov     ebx,dword ptr [ebp+14h] 
While that is the case in the example you gave, note that it is not true in every case in x86/x64 syntax. Specifically, the Load Effective Address (LEA) instruction uses square brackets but does not perform a pointer dereference. For example:

LEA EAX, [EBP+4]
adds 4 to the value of EBP and stores the result of the addition in EAX.

Matt Pietrek published an excellent article back in 1998 (!) that covers many of the basics:


Yes, anything in brackets, such as [ebp-4], is a dereferenced pointer: "whatever is in the EBP register, minus 4, used as an address". More precisely, on a 32-bit system it is the first local variable of the current subroutine.

Thanks, much appreciated for the clarification. I'll mark this as the answer when I can. A question on the MOV instruction.... oh, hit enter, let me edit. So, is the register after another register always being moved to the other register? Example: 1 - mov eax,dword ptr [ebp+0Ch]: ebp is being moved to eax. 2 - mov dword ptr [ebp-10h],eax: eax is being moved to ebp.

Yes, in Intel syntax the destination is on the left and the source on the right. (Not all instructions modify the destination; consider cmp, test, etc.)

I was napping, sorry for the delay. +1. Thanks a lot, and thanks for the clarification!
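The three answers above make three separate points about the listing: the operand direction in Intel syntax (mov eax,[ebp+0Ch] loads, mov [ebp-10h],eax stores), what the [ebp±disp] slots of a 32-bit frame hold, and that LEA does the same address arithmetic as the bracket operand without touching memory. The small C model below replays the question's instruction sequence against a constructed memory so each of those can be observed rather than described. It is an added example, not code from the question or from any of the answers: it emulates only the instruction forms that appear in the listing, the call to nt!PspGetPreviousProcessThread is not modelled, and every value in it (ebp at 0x800, the object at 0x400, the field value 0xC0FFEE, the arguments 0x11/0x33/0x77, the fake return address 0x41414141) is made up for illustration; only the frame layout is real.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tiny model of the x86 instruction forms that appear in the question.
 * Memory is a 4 KiB flat array addressed from 0; registers are 32-bit. */
#define MEM_SIZE 0x1000u
enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, NREGS };

static uint32_t reg[NREGS];
static uint8_t  mem[MEM_SIZE];

/* Every real memory access goes through these two; an out-of-range
 * address aborts instead of silently reading past the end of the array. */
static uint32_t load32(uint32_t addr) {
    uint32_t v;
    if (addr > MEM_SIZE - 4) { fprintf(stderr, "bad load at %#x\n", (unsigned)addr); abort(); }
    memcpy(&v, &mem[addr], 4);      /* host byte order; an x86 host matches the little-endian target */
    return v;
}
static void store32(uint32_t addr, uint32_t v) {
    if (addr > MEM_SIZE - 4) { fprintf(stderr, "bad store at %#x\n", (unsigned)addr); abort(); }
    memcpy(&mem[addr], &v, 4);
}

/* Effective address of a [base+disp] operand: pure arithmetic, no memory touched.
 * Negative displacements wrap mod 2^32 exactly as the CPU computes them. */
static uint32_t ea(int base, int32_t disp) { return reg[base] + (uint32_t)disp; }

static void mov_r_m(int dst, int base, int32_t disp) { reg[dst] = load32(ea(base, disp)); }  /* mov r32,dword ptr [b+d]: load  */
static void mov_m_r(int base, int32_t disp, int src) { store32(ea(base, disp), reg[src]); }  /* mov dword ptr [b+d],r32: store */
static void mov_m_i(int base, int32_t disp, uint32_t imm) { store32(ea(base, disp), imm); }  /* mov dword ptr [b+d],imm32      */
static void mov_r_r(int dst, int src) { reg[dst] = reg[src]; }                                 /* mov r32,r32                    */
static void push_i(uint32_t imm) { reg[ESP] -= 4; store32(reg[ESP], imm); }                   /* push imm32: esp -= 4, then store */
static void lea_r_m(int dst, int base, int32_t disp) { reg[dst] = ea(base, disp); }           /* lea r32,[b+d]: the address only */

/* Constructed 32-bit frame as it looks after "push ebp; mov ebp,esp; sub esp,20h".
 * All values are made up for the example; only the slot layout is real. */
static void reset(void) {
    memset(reg, 0, sizeof reg);
    memset(mem, 0, sizeof mem);
    reg[EBP] = 0x800;
    reg[ESP] = 0x800 - 0x20;             /* 0x20 bytes of locals below ebp */
    reg[EDI] = 0x1234;
    store32(0x800,        0x900);        /* [ebp]     saved caller ebp                         */
    store32(0x800 + 0x04, 0x41414141);   /* [ebp+4]   return address (fake)                    */
    store32(0x800 + 0x08, 0x11);         /* [ebp+8]   first argument                           */
    store32(0x800 + 0x0C, 0x400);        /* [ebp+0Ch] second argument: a pointer to an object  */
    store32(0x800 + 0x10, 0x33);         /* [ebp+10h] third argument                           */
    store32(0x800 + 0x14, 0x77);         /* [ebp+14h] fourth argument                          */
    store32(0x400 + 0x48, 0xC0FFEE);     /* the pointed-to object's field at offset 48h        */
}

/* Replays the listing from the question in order. Returns the number of instructions emulated. */
int run_sample(void) {
    reset();
    mov_r_m(EAX, EBP, 0x0C);    /* 81a1e85f mov eax,dword ptr [ebp+0Ch] : eax = 2nd argument (0x400)      */
    mov_r_m(EAX, EAX, 0x48);    /* 81a1e862 mov eax,dword ptr [eax+48h] : eax = field at 0x400+0x48       */
    mov_m_r(EBP, -0x10, EAX);   /* 81a1e865 mov dword ptr [ebp-10h],eax : store eax into a local, not load */
    push_i(0);                  /* 81a1e868 push 0                      : argument for the call below      */
    mov_r_r(EAX, EDI);          /* 81a1e86a mov eax,edi                                                    */
    mov_m_i(EBP, -4, 0x122);    /* 81a1e86c mov dword ptr [ebp-4],122h  : constant into the first local    */
                                /* 81a1e873 call nt!PspGetPreviousProcessThread : not modelled here        */
    mov_r_m(EBX, EBP, 0x14);    /* 81a1e878 mov ebx,dword ptr [ebp+14h] : ebx = 4th argument               */
    return 7;
}

uint32_t get_reg(int r) { return reg[r]; }
uint32_t get_mem32(uint32_t addr) { return load32(addr); }

/* Same operand, different instruction: lea yields the address, mov yields what is stored there. */
uint32_t lea_ebp_plus_4(void) { reset(); lea_r_m(EAX, EBP, 4); return reg[EAX]; }
uint32_t mov_ebp_plus_4(void) { reset(); mov_r_m(EAX, EBP, 4); return reg[EAX]; }

int main(void) {
    run_sample();
    printf("eax=%#x ebx=%#x esp=%#x\n", (unsigned)reg[EAX], (unsigned)reg[EBX], (unsigned)reg[ESP]);
    printf("[ebp-10h]=%#x [ebp-4]=%#x [esp]=%#x\n", (unsigned)load32(reg[EBP] - 0x10),
           (unsigned)load32(reg[EBP] - 4), (unsigned)load32(reg[ESP]));
    printf("lea eax,[ebp+4] -> %#x ; mov eax,[ebp+4] -> %#x\n",
           (unsigned)lea_ebp_plus_4(), (unsigned)mov_ebp_plus_4());
    return 0;
}
```

After run_sample() the register file shows eax overwritten by edi and ebx holding the fourth argument, while memory shows the field value parked in the local at [ebp-10h], 122h in the first local at [ebp-4], and the pushed zero at [esp]; the two LEA/MOV helpers then give 0x804 versus the fake return address for the identical operand [ebp+4], which is the distinction the second answer is making.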