1, Tested C statements and compiled x86 assembly code
int a;
int b;
int main(void)
{
    int c;          /* never written: the compiled code below reads [rbp-4] as it is */
    if (c)
        a = 4;
    else
        b = 5;
    return 0;
}
The compiled code as listed by IDA (the numbers on the left are the instruction numbers used in the walkthrough below):

 1  .text:0000000000400457                 push    rbp
 2  .text:0000000000400458                 mov     rbp, rsp
 3  .text:000000000040045B                 sub     rsp, 10h
 4  .text:000000000040045F                 mov     [rbp-10], rsp
 5  .text:0000000000400463                 lea     rax, [rbp-4]
 6  .text:0000000000400467                 movsxd  rax, dword ptr [rax]
 7  .text:000000000040046A                 cmp     eax, 0
 8  .text:000000000040046D                 jz      short loc_400483
 9  .text:000000000040046F                 lea     rax, a
10  .text:0000000000400476                 push    rax
11  .text:0000000000400477                 mov     rax, 4
12  .text:000000000040047E                 pop     rdi
13  .text:000000000040047F                 mov     [rdi], eax
14  .text:0000000000400481                 jmp     short loc_400495
15  .text:0000000000400483 ; ---------------------------------------------------------------
16  .text:0000000000400483
17  .text:0000000000400483 loc_400483:                             ; CODE XREF: main+16↑j
18  .text:0000000000400483                 lea     rax, b
19  .text:000000000040048A                 push    rax
20  .text:000000000040048B                 mov     rax, 5
21  .text:0000000000400492                 pop     rdi
22  .text:0000000000400493                 mov     [rdi], eax
23  .text:0000000000400495
24  .text:0000000000400495 loc_400495:                             ; CODE XREF: main+2A↑j
25  .text:0000000000400495                 mov     rax, 0
26  .text:000000000040049C                 jmp     short loc_4004A5
27  .text:000000000040049E ; ---------------------------------------------------------------
28  .text:000000000040049E                 mov     rax, 0
29  .text:00000000004004A5
30  .text:00000000004004A5 loc_4004A5:                             ; CODE XREF: main+45↑j
31  .text:00000000004004A5                 mov     rsp, rbp
32  .text:00000000004004A8                 pop     rbp
33  .text:00000000004004A9                 retn
2, x86 assembly to virtual machine assembly
The fourth instruction, "mov [rbp-10], rsp", is a memory write. Its address is formed from rbp, which the second instruction, "mov rbp, rsp", loaded from rsp, so the fourth instruction becomes "mov [rsp-10], rsp". Next determine the value of rsp: it was last changed by the third instruction, "sub rsp, 10h", so expressed in terms of the rsp at function entry the fourth instruction becomes "mov [rsp-10], rsp-10". Define a variable v1 for the address [rsp-10]; the value stored there is the address of that same slot, so generate the virtual machine statement v1 = &v1.
The eighth instruction, "jz short loc_400483", is the other instruction to focus on: it is a conditional jump, after which execution may no longer be sequential. jz tests the ZF bit of the flags register, so search backwards for the most recent instruction that affects that flag: the seventh, "cmp eax, 0". eax was produced by the sixth, "movsxd rax, dword ptr [rax]", which is a memory read, so continue backwards to find the last write to rax: the fifth, "lea rax, [rbp-4]". Define a variable v2 with the address [rbp-4] and generate an if statement whose condition is v2 (the jump is taken when v2 is zero, that is, when the condition is false).
Continue downwards: the instructions following the jz are the then part of the if statement. At the 13th instruction, "mov [rdi], eax", a memory write, resolve both the address and the value. The address is in rdi, which was written by the 12th, "pop rdi"; look for the most recent push, the 10th, "push rax", and resolve rax at that point: the ninth, "lea rax, a", so rdi holds the address of a. Now follow eax: the 11th, "mov rax, 4", gives the value 4. Generate the virtual machine statement a = 4. The 14th, "jmp short loc_400495", generates a goto label; the then part extends over all instructions whose address is below loc_400483, the target of the jz, so it ends at the 17th line.
Now return to the eighth instruction, "jz short loc_400483", and follow the jump to loc_400483: the instructions from there on are the else part of the if statement. At the 22nd instruction, "mov [rdi], eax", again a memory write, resolve the address and the value. The address is in rdi, written by the 21st, "pop rdi"; the most recent push is the 19th, "push rax", and rax at that point comes from the 18th, "lea rax, b", so rdi holds the address of b. Following eax, the 20th, "mov rax, 5", gives 5, so generate the virtual machine statement b = 5. After each instruction, compare its address with the goto label generated at the 14th instruction: once the address is greater than or equal to that label, the else part ends.
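To make the backward search above concrete, here is an added worked example (my own code, not the article's tool) that applies the same rules mechanically to instructions 5 to 22 of the listing: a register's value is found by walking backwards to its last definition, a pop is resolved through the nearest earlier push, a memory read becomes a dereference, and the jz becomes an if whose then part ends at the jz target and whose else part ends at the label the closing jmp creates. The listing copy, the label-to-instruction-number table and the v1/v2 slot names are taken from the page; the function names and the handling of cmp against a non-zero immediate are this example's own construction.

```python
import re

# Constructed copy of the page's IDA listing: instructions 5 to 22, the span
# the walkthrough slices. The first field is the page's instruction number.
LISTING = [
    (5,  "lea rax, [rbp-4]"),
    (6,  "movsxd rax, dword ptr [rax]"),
    (7,  "cmp eax, 0"),
    (8,  "jz short loc_400483"),
    (9,  "lea rax, a"),
    (10, "push rax"),
    (11, "mov rax, 4"),
    (12, "pop rdi"),
    (13, "mov [rdi], eax"),
    (14, "jmp short loc_400495"),
    (18, "lea rax, b"),
    (19, "push rax"),
    (20, "mov rax, 5"),
    (21, "pop rdi"),
    (22, "mov [rdi], eax"),
]
# Stack slots named as in the page's Local segment (v1 at [rbp-10], v2 at [rbp-4]).
STACK_VARS = {"[rbp-10]": "v1", "[rbp-4]": "v2"}
# Jump targets, mapped to the page's number of the instruction carrying the label.
LABELS = {"loc_400483": 18, "loc_400495": 25}
REGISTERS = {"rax", "eax", "rdi", "edi", "rsp", "rbp"}
FULL = {"eax": "rax", "edi": "rdi"}   # a write to eax is a write to rax


def parse(text):
    mnem, _, rest = text.partition(" ")
    return mnem, [o.strip() for o in rest.split(",")] if rest else []


def full(reg):
    return FULL.get(reg, reg)


def pos_of(number):
    """Index in LISTING of the page's instruction number (StopIteration if absent)."""
    return next(i for i, (n, _) in enumerate(LISTING) if n == number)


def deref(expr):
    return expr[1:] if expr.startswith("&") else "*" + expr


def resolve(reg, pos):
    """Backward slice: the value of `reg` just before LISTING[pos], as a C
    expression. '&x' means the address of x, a bare name means its value."""
    reg = full(reg)
    for i in range(pos - 1, -1, -1):
        mnem, ops = parse(LISTING[i][1])
        if mnem == "lea" and full(ops[0]) == reg:
            return "&" + STACK_VARS.get(ops[1], ops[1])          # &v2 or &a
        if mnem == "movsxd" and full(ops[0]) == reg:
            base = re.search(r"\[(\w+)\]", ops[1]).group(1)     # memory read: value at base
            return deref(resolve(base, i))
        if mnem == "mov" and full(ops[0]) == reg:
            return resolve(ops[1], i) if ops[1] in REGISTERS else ops[1]
        if mnem == "pop" and full(ops[0]) == reg:
            # the popped value is whatever the nearest earlier push pushed
            # (push/pop pairs in this listing are not nested)
            j = next(j for j in range(i - 1, -1, -1) if parse(LISTING[j][1])[0] == "push")
            return resolve(parse(LISTING[j][1])[1][0], j)
    raise ValueError(f"no definition of {reg} before instruction {LISTING[pos][0]}")


def decompile_store(number):
    """'mov [reg], reg' at page instruction `number` -> C assignment."""
    pos = pos_of(number)
    mnem, ops = parse(LISTING[pos][1])
    if mnem != "mov" or not ops[0].startswith("["):
        raise ValueError("not a memory write")
    dst = resolve(ops[0].strip("[]"), pos)      # where the write goes
    val = resolve(ops[1], pos)                  # what is written
    return f"{deref(dst)} = {val};"


def decompile_condition(number):
    """For the jz at `number`, find the instruction that set ZF and slice its operand.
    jz is taken on ZF=1 (equal), so the fall-through (then) condition is 'not equal'."""
    pos = pos_of(number)
    for i in range(pos - 1, -1, -1):
        mnem, ops = parse(LISTING[i][1])
        if mnem == "cmp":
            lhs = resolve(ops[0], i)
            return lhs if ops[1] == "0" else f"{lhs} != {ops[1]}"
    raise ValueError("no flag-setting instruction before the jz")


def decompile_if(number):
    """Rebuild the if/else around the jz at `number`: the then part runs up to the
    jz target, the else part from that target up to the label the closing jmp creates."""
    pos = pos_of(number)
    _, ops = parse(LISTING[pos][1])
    else_start = LABELS[ops[-1].split()[-1]]
    cond = decompile_condition(number)
    then_part, else_part, end = [], [], None
    for n, text in LISTING[pos + 1:]:
        mnem, ops = parse(text)
        if end is not None and n >= end:
            break                                  # reached the jmp's label: else part is over
        if mnem == "jmp":
            end = LABELS[ops[-1].split()[-1]]       # goto label that ends the else part
        elif mnem == "mov" and ops[0].startswith("["):
            (then_part if n < else_start else else_part).append(decompile_store(n))
    out = [f"if ({cond}) {{"] + ["    " + s for s in then_part]
    if else_part:
        out += ["} else {"] + ["    " + s for s in else_part]
    return "\n".join(out + ["}"])


if __name__ == "__main__":
    print(decompile_if(8))
```

Only memory writes become statements, which is exactly the rule the walkthrough uses: every lea, push, pop and mov into a register is consumed by the backward slice of some later store or compare and never emitted on its own.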
3, Virtual machine assembly to C language
1. Virtual machine assembly language
The code segment is (one byte per line; 0xXX and 0xYY are the two operand bytes of the two jumps, 0xXXXX and 0xYYYY the addresses they jump to):

    OP_GET_LOCAL
    1
    OP_JUMP_IF_FALSE
    0xXX
    0xXX
    OP_POP
    OP_CONSTANT
    0
    OP_SET_GLOBAL
    2
    OP_JUMP
    0xYY
    0xYY
0xXXXX: OP_POP
    OP_CONSTANT
    1
    OP_SET_GLOBAL
    3
0xYYYY: other instructions

The constant segment is (indices 0 to 3):

    4
    5
    a
    b

The Local segment is (indices 0 and 1):

    v1
    v2
Execution of the above: OP_GET_LOCAL 1 pushes the local v2 onto the stack. OP_JUMP_IF_FALSE tests the value on top of the stack: if it is true, no jump is taken and the then branch runs; otherwise execution jumps to 0xXXXX and runs the else branch. The condition is left on the stack, so each branch starts by popping it. The then branch pops v2, pushes constant 4 (constant index 0), writes 4 to the global a (constant index 2 is its name), and then jumps to 0xYYYY to continue with the following statements. The else branch pops v2, pushes constant 5 (constant index 1), and writes 5 to the global b (constant index 3).
2. Decompile to C language
On encountering OP_JUMP_IF_FALSE, generate an if statement. Its condition is the top element of the stack, so track the operation that produced it: OP_GET_LOCAL 1, hence the condition of the if statement is v2.
Continuing sequentially, OP_SET_GLOBAL 2 writes the global variable a; its value is what OP_CONSTANT 0 pushed, 4, so generate the statement a = 4. OP_JUMP generates a label and the then part of the if statement ends, because the next address is 0xXXXX, the target of OP_JUMP_IF_FALSE.
Then analyse from 0xXXXX: OP_SET_GLOBAL 3 writes the global variable b with the value pushed by OP_CONSTANT 1, 5, generating the statement b = 5. The else branch ends when the address reaches 0xYYYY, the label generated for the OP_JUMP.
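As an added example (my own code, not the page's decompiler), the following Python rebuilds the C statement from the bytecode above by simulating the operand stack symbolically and recovering the if/else structure from the two jumps. The opcode numbering, and the assumption that a jump operand is a 16-bit big-endian byte count relative to the byte after the operand (the clox convention), are this example's own, because the page shows the offsets only as 0xXX and 0xYY; OP_SET_GLOBAL is treated as consuming the value, since the page's listing has no OP_POP after it. The same routine also handles an if without an else, where the else region contains only the OP_POP of the condition.

```python
# Opcode numbering is this example's own; the page only names the opcodes.
OP_CONSTANT, OP_POP, OP_GET_LOCAL, OP_SET_GLOBAL, OP_JUMP, OP_JUMP_IF_FALSE = range(6)

# The page's constant and Local segments.
CONSTANTS = [4, 5, "a", "b"]
LOCALS = ["v1", "v2"]


def u16(offset):
    """Jump operand: 16-bit big-endian byte count relative to the byte after the
    operand (clox convention). The page shows these bytes as 0xXX/0xYY, so the
    encoding is an assumption of this example."""
    return [offset >> 8, offset & 0xFF]


# The page's code segment with the placeholder bytes filled in under that convention.
CODE = (
    [OP_GET_LOCAL, 1]                  # 0:  push v2
    + [OP_JUMP_IF_FALSE] + u16(8)      # 2:  v2 false -> 13 (else part)
    + [OP_POP]                         # 5:  drop the condition
    + [OP_CONSTANT, 0]                 # 6:  push 4
    + [OP_SET_GLOBAL, 2]               # 8:  a = 4
    + [OP_JUMP] + u16(5)               # 10: skip the else part -> 18
    + [OP_POP]                         # 13: drop the condition
    + [OP_CONSTANT, 1]                 # 14: push 5
    + [OP_SET_GLOBAL, 3]               # 16: b = 5
)                                      # 18: other instructions would follow


def read_u16(code, ip):
    return (code[ip] << 8) | code[ip + 1]


def decompile(code, constants, local_names, start=0, end=None, stack=None, indent=""):
    """Structural decompilation of the region [start, end). The operand stack is
    simulated symbolically so every OP_SET_GLOBAL knows which expression it
    stores; OP_JUMP_IF_FALSE opens an if whose then part ends at the closing
    OP_JUMP and whose else part ends at that jump's target."""
    end = len(code) if end is None else end
    stack = [] if stack is None else list(stack)
    lines, ip = [], start
    while ip < end:
        op = code[ip]
        if op == OP_CONSTANT:
            stack.append(str(constants[code[ip + 1]]))
            ip += 2
        elif op == OP_GET_LOCAL:
            stack.append(local_names[code[ip + 1]])
            ip += 2
        elif op == OP_SET_GLOBAL:
            # this VM's OP_SET_GLOBAL consumes the value (no OP_POP follows it in
            # the page's listing), unlike clox where assignment leaves it on the stack
            lines.append(f"{indent}{constants[code[ip + 1]]} = {stack.pop()};")
            ip += 2
        elif op == OP_POP:
            stack.pop()
            ip += 1
        elif op == OP_JUMP_IF_FALSE:
            cond = stack[-1]                       # stays on the stack; each branch pops it
            else_ip = ip + 3 + read_u16(code, ip + 1)
            jump_ip = else_ip - 3                  # the OP_JUMP that ends the then part
            if jump_ip < ip + 3 or code[jump_ip] != OP_JUMP:
                raise ValueError(f"no closing OP_JUMP before {else_ip:#x}")
            join_ip = jump_ip + 3 + read_u16(code, jump_ip + 1)
            then_part = decompile(code, constants, local_names, ip + 3, jump_ip, stack, indent + "    ")
            else_part = decompile(code, constants, local_names, else_ip, join_ip, stack, indent + "    ")
            lines.append(f"{indent}if ({cond}) {{")
            lines += then_part
            if else_part:                          # an if without else leaves only the OP_POP here
                lines.append(f"{indent}}} else {{")
                lines += else_part
            lines.append(f"{indent}}}")
            stack.pop()                            # both branches consumed the condition
            ip = join_ip
        elif op == OP_JUMP:
            raise ValueError(f"unpaired OP_JUMP at {ip:#x} (loops are not handled here)")
        else:
            raise ValueError(f"unknown opcode {op} at {ip:#x}")
    return lines


def decompile_to_c(code=CODE, constants=CONSTANTS, local_names=LOCALS):
    return "\n".join(decompile(code, constants, local_names))


if __name__ == "__main__":
    print(decompile_to_c())
```

The check that an OP_JUMP sits three bytes before the OP_JUMP_IF_FALSE target is what distinguishes an if/else from other control flow; a real tool would decode the region linearly instead of peeking at one byte, since an operand byte can coincidentally equal the OP_JUMP opcode.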