WinDBG 的 uf 命令可以对指定函数进行反汇编并显示汇编代码，帮助在没有源代码的情况下分析函数。举个例子，已知 Windows 下的扫雷程序 (winmine.exe) 有个函数叫 winmine!StartGame（可通过 x winmine!* 命令列出符号），可以使用 uf winmine!StartGame 命令显示该函数的汇编码（输出按基本块划分，每个基本块以 winmine!StartGame+0xNN 形式的偏移标签开头）：
0:000> uf winmine!StartGame
winmine!StartGame:
0100367a a1ac560001 mov eax,dword ptr [winmine!Preferences+0xc (010056ac)]
0100367f 8b0da8560001 mov ecx,dword ptr [winmine!Preferences+0x8 (010056a8)]
01003685 53 push ebx
01003686 56 push esi
01003687 57 push edi
01003688 33ff xor edi,edi
0100368a 3b0534530001 cmp eax,dword ptr [winmine!xBoxMac (01005334)]
01003690 893d64510001 mov dword ptr [winmine!fTimer (01005164)],edi
01003696 750c jne winmine!StartGame+0x2a (010036a4)
winmine!StartGame+0x1e:
01003698 3b0d38530001 cmp ecx,dword ptr [winmine!yBoxMac (01005338)]
0100369e 7504 jne winmine!StartGame+0x2a (010036a4)
winmine!StartGame+0x26:
010036a0 6a04 push 4
010036a2 eb02 jmp winmine!StartGame+0x2c (010036a6)
winmine!StartGame+0x2a:
010036a4 6a06 push 6
winmine!StartGame+0x2c:
010036a6 5b pop ebx
010036a7 a334530001 mov dword ptr [winmine!xBoxMac (01005334)],eax
010036ac 890d38530001 mov dword ptr [winmine!yBoxMac (01005338)],ecx
010036b2 e81ef8ffff call winmine!ClearField (01002ed5)
010036b7 a1a4560001 mov eax,dword ptr [winmine!Preferences+0x4 (010056a4)]
010036bc 893d60510001 mov dword ptr [winmine!iButtonCur (01005160)],edi
010036c2 a330530001 mov dword ptr [winmine!cBombStart (01005330)],eax
winmine!StartGame+0x4d:
010036c7 ff3534530001 push dword ptr [winmine!xBoxMac (01005334)]
010036cd e86e020000 call winmine!Rnd (01003940)
010036d2 ff3538530001 push dword ptr [winmine!yBoxMac (01005338)]
010036d8 8bf0 mov esi,eax
010036da 46 inc esi
010036db e860020000 call winmine!Rnd (01003940)
010036e0 40 inc eax
010036e1 8bc8 mov ecx,eax
010036e3 c1e105 shl ecx,5
010036e6 f684314053000180 test byte ptr winmine!rgBlk (01005340)[ecx+esi],80h
010036ee 75d7 jne winmine!StartGame+0x4d (010036c7)
winmine!StartGame+0x76:
010036f0 c1e005 shl eax,5
010036f3 8d843040530001 lea eax,winmine!rgBlk (01005340)[eax+esi]
010036fa 800880 or byte ptr [eax],80h
010036fd ff0d30530001 dec dword ptr [winmine!cBombStart (01005330)]
01003703 75c2 jne winmine!StartGame+0x4d (010036c7)
winmine!StartGame+0x8b:
01003705 8b0d38530001 mov ecx,dword ptr [winmine!yBoxMac (01005338)]
0100370b 0faf0d34530001 imul ecx,dword ptr [winmine!xBoxMac (01005334)]
01003712 a1a4560001 mov eax,dword ptr [winmine!Preferences+0x4 (010056a4)]
01003717 2bc8 sub ecx,eax
01003719 57 push edi
0100371a 893d9c570001 mov dword ptr [winmine!cSec (0100579c)],edi
01003720 a330530001 mov dword ptr [winmine!cBombStart (01005330)],eax
01003725 a394510001 mov dword ptr [winmine!cBombLeft (01005194)],eax
0100372a 893da4570001 mov dword ptr [winmine!cBoxVisit (010057a4)],edi
01003730 890da0570001 mov dword ptr [winmine!cBoxVisitMac (010057a0)],ecx
01003736 c7050050000101000000 mov dword ptr [winmine!fStatus (01005000)],1
01003740 e825fdffff call winmine!UpdateBombCount (0100346a)
01003745 53 push ebx
01003746 e805e2ffff call winmine!AdjustWindow (01001950)
0100374b 5f pop edi
0100374c 5e pop esi
0100374d 5b pop ebx
0100374e c3 ret
本文转自 陈本峰 51CTO博客,原文链接:http://blog.51cto.com/wingeek/273967,如需转载请自行联系原作者