第二节 2.4.1逆向并还原为C代码(网上解答)

<h3>逆向CallingConvention.exe，还原为C代码，记录过程。</h3> <hr /> <p><code>程序入口</code> <img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/c8ac589ecd4dde26ba35d292dd772ce7" alt="" /></p> <hr /> <p><code>main函数</code> <img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/8af4e441bc003d09badb340877743578" alt="" /></p> <hr /> <h3>通过Main函数识别出来程序大致框架如下：</h3> <h3>函数3为编译器自动添加的堆栈平衡检查函数</h3> <pre><code class="language-c"> void __fastcall func1(int a,int b,int c,int d,int e){ } void __cdecl func2(int x,int y){ } void main(int argc,char *argv[]) { func1(1,3,4,6,7); func2(m,n); }</code></pre> <hr /> <p><code>func1函数</code> <img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/f4399ff0df85ed92cae8321f26ea0e42" alt="" /></p> <h3>从以上汇编代码识别出func1的框架如下：</h3> <pre><code class="language-c">void __fastcall func1(int a,int b,int c,int d,int e){ int x=1; int y=3; func3(x,y,c); func4(); func4(); }</code></pre> <hr /> <p><code>func3函数</code> <img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/3e7012d516588857b49e2b7f11412145" alt="" /></p> <h3>func3函数大致框架如下：</h3> <pre><code class="language-c">int __cdecl func3(int x,int y,it z) { return x+y+z; } func1函数补充如下： void __fastcall func1(int a,int b,int c,int d,int e){ int x=1; int y=3; int z=func3(x,y,c); func4(x,y); func4(); }</code></pre> <hr /> <p><code>func4函数</code> <img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/c144a07f13046df20353da32875e5f89" alt="" /></p> <h3>func4的函数框架如下：</h3> <pre><code class="language-c">int cdecl func4(int x.int y) { return x+y; } func1函数补充如下： void __fastcall func1(int a,int b,int c,int d,int e){ int x=1; int y=3; int z=func3(x,y,c); int p=func4(x,y); func4(p,z); //运算后eax=0C }</code></pre> <hr /> <h3>到此，func1基本逆向完成，回到main函数，继续func2的逆向，如下：</h3> <p><code>func2函数</code> <img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/9f9107179b1ad856d0b4fb42b67d9304" alt="" /></p> <h3>进到func2函数内部，发现其应该是printf函数，那么回到main函数，继续完善，如下：</h3> <h3>Main函数</h3> <pre><code class="language-c">int cdecl func4(int x,int y) { return x+y; } void __fastcall func1(int a,int b,int c,int d,int e){ int x=1; int y=3; int z=func3(x,y,c); int p=func4(x,y); func4(p,z); //运算后eax=0C } void main(int argc,char *argv[]) { printf("%d",func1(1,3,4,6,7)); }</code></pre>