I recently worked with a third-party project in which some of the logic is packaged as a lib; not being able to see the key parts is annoying, so I also looked for a way to decompile it. What comes out is assembly, for example the ANTHOR_MEASURE code below, but you can guess most of what it does: knowing which functions are called and what the parameters are is enough, and it hardly counts as reverse engineering. A quick record:
00000000 <ANTHOR_MEASURE>:
0: 4ea8 ldr r6, [pc, #672] ; (2a4 <ANTHOR_MEASURE+0x2a4>)
2: 4ca9 ldr r4, [pc, #676] ; (2a8 <ANTHOR_MEASURE+0x2a8>)
4: 4fa9 ldr r7, [pc, #676] ; (2ac <ANTHOR_MEASURE+0x2ac>)
6: b090 sub sp, #64 ; 0x40
8: f04f 0b2d mov.w fp, #45 ; 0x2d
c: f44f 4a81 mov.w sl, #16512 ; 0x4080
10: f04f 0900 mov.w r9, #0
14: 2000 movs r0, #0
16: f7ff fffe bl 0 <dwt_setrxtimeout>
1a: 2000 movs r0, #0
1c: f7ff fffe bl 0 <dwt_rxenable>
20: 2100 movs r1, #0
22: 200f movs r0, #15
24: f7ff fffe bl 0 <dwt_read32bitoffsetreg>
28: 4230 tst r0, r6
2a: 60a0 str r0, [r4, #8]
2c: d0f8 beq.n 20 <ANTHOR_MEASURE+0x20>
2e: 8920 ldrh r0, [r4, #8]
30: 0440 lsls r0, r0, #17
32: d57d bpl.n 130 <ANTHOR_MEASURE+0x130>
34: 4652 mov r2, sl
36: 2100 movs r1, #0
38: 200f movs r0, #15
3a: f7ff fffe bl 0 <dwt_write32bitoffsetreg>
3e: 2100 movs r1, #0
40: 2010 movs r0, #16
42: f7ff fffe bl 0 <dwt_read32bitoffsetreg>
46: b240 sxtb r0, r0
48: f5b0 6f80 cmp.w r0, #1024 ; 0x400
4c: dc04 bgt.n 58 <ANTHOR_MEASURE+0x58>
4e: b281 uxth r1, r0
50: 2200 movs r2, #0
52: 4896 ldr r0, [pc, #600] ; (2ac <ANTHOR_MEASURE+0x2ac>)
54: f7ff fffe bl 0 <dwt_readrxdata>
58: 78b9 ldrb r1, [r7, #2]
5a: 4658 mov r0, fp
5c: fbb1 f2f0 udiv r2, r1, r0
60: fb0b 1212 mls r2, fp, r2, r1
64: 7923 ldrb r3, [r4, #4]
66: 429a cmp r2, r3
68: d1d4 bne.n 14 <ANTHOR_MEASURE+0x14>
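As an added example (not from the original post), a small Python parser that does the "which functions are called, with what arguments" reading of the listing above mechanically: it walks the objdump -d lines, remembers immediate moves into the AAPCS argument registers r0-r3, and reports them at every `bl`. It assumes the line layout shown above and that immediates are the only values worth recovering; everything else is reported as unknown.

```python
import re
# Constructed sample: a subset of the ANTHOR_MEASURE listing above (objdump -d output; tabs or spaces both parse).
SAMPLE_LISTING = """
  14: 2000      movs r0, #0
  16: f7ff fffe bl 0 <dwt_setrxtimeout>
  20: 2100      movs r1, #0
  22: 200f      movs r0, #15
  24: f7ff fffe bl 0 <dwt_read32bitoffsetreg>
  28: 4230      tst r0, r6
  34: 4652      mov r2, sl
  36: 2100      movs r1, #0
  38: 200f      movs r0, #15
  3a: f7ff fffe bl 0 <dwt_write32bitoffsetreg>
  4e: b281      uxth r1, r0
  50: 2200      movs r2, #0
  52: 4896      ldr r0, [pc, #600] ; (2ac <ANTHOR_MEASURE+0x2ac>)
  54: f7ff fffe bl 0 <dwt_readrxdata>
"""

INSN_RE = re.compile(r"^\s*[0-9a-f]+:\s+(?:[0-9a-f]{4}\s+)+(\S+)\s*(.*)$")  # addr: opcodes mnemonic operands
TARGET_RE = re.compile(r"<([^>]+)>")
ARG_REGS = ("r0", "r1", "r2", "r3")                # AAPCS argument registers
NO_WRITE = {"cmp", "cmp.w", "tst", "str", "strb", "strh", "cbz", "cbnz"}  # first operand is only read

def extract_calls(listing):
    """For every `bl` return (callee, {r0..r3: immediate or None}). None means the register was last
    written by a load/shift/register move. Straight-line pass: branches and loop back-edges are not followed."""
    known, calls = {}, []
    for line in listing.splitlines():
        m = INSN_RE.match(line.split(";", 1)[0])     # strip objdump's ; annotations
        if not m:
            continue
        mnem, operands = m.groups()
        ops = [o.strip() for o in operands.split(",")]
        if mnem == "bl":
            t = TARGET_RE.search(operands)
            calls.append((t.group(1) if t else ops[0], {r: known.get(r) for r in ARG_REGS}))
            known.clear()                            # r0-r3 are caller-saved: the callee may clobber them
            continue
        if ops[0] not in ARG_REGS or mnem in NO_WRITE:
            continue
        src = ops[1] if len(ops) > 1 else ""
        is_imm_mov = mnem in ("mov", "movs", "mov.w") and src.startswith("#")
        known[ops[0]] = int(src[1:], 0) if is_imm_mov else None
    return calls

def describe(calls):
    """Render each call as callee(r0=.., r1=.., ...) with '?' for unknown values."""
    return [callee + "(" + ", ".join(f"{r}={'?' if v is None else v}" for r, v in args.items()) + ")"
            for callee, args in calls]
```

Running describe(extract_calls(SAMPLE_LISTING)) gives one line per call, e.g. dwt_read32bitoffsetreg(r0=15, r1=0, r2=?, r3=?); a '?' is a cue to look back at the load or arithmetic that produced the value.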
Disassembling a GCC-built object or executable uses objdump:
gcc -c -o main.o main.c
objdump -s -d main.o > main.o.txt
objdump -f    display the file header information
objdump -d    disassemble only the sections that are expected to contain executable instructions
objdump -D    like -d, but disassemble every section
objdump -h    display the section header information
objdump -x    display all header information
objdump -s    dump the full contents of all sections in hexadecimal
Disassembly commands for an ARM lib:
john@bogon gfast % mkdir temp
john@bogon gfast % cd temp
john@bogon temp % /Applications/ARM/bin/arm-none-eabi-objdump -s -d main.o > main.s
john@bogon gfast % /Applications/ARM/bin/arm-none-eabi-ar -t /Users/test.lib
stm32f10x_it.o
main.o
lib.o
stm32f10x_rcc.o
// unpack the lib archive into the current directory to get the .o files
/Applications/ARM/bin/arm-none-eabi-ar -x /Users/test.lib
// consult the help often: /Applications/ARM/bin/arm-none-eabi-ar -help
commands:
d - delete file(s) from the archive
m[ab] - move file(s) in the archive
p - print file(s) found in the archive
q[f] - quick append file(s) to the archive
r[ab][f][u] - replace existing or insert new file(s) into the archive
s - act as ranlib
t[O][v] - display contents of the archive
x[o] - extract file(s) from the archive
Disassembling a lib on the Windows platform; there is a cracking example here for anyone interested:
dumpbin /disasm xxx.lib > test.txt
lib /list:liblist.txt XXX.lib
lib XXX.lib /extract:.\Debug\Encrypter.obj
1. Extract the obj files from the static lib. A static library is just one or more obj files packed together, which is why some people simply call the step of producing a lib from obj files "archiving", i.e. merging them; the static lib is only a shell.
2. .\Debug\Encrypter.obj is the name read from liblist.txt.
dumpbin /all Encrypter.obj > encrypterdump.txt
dumpbin /disasm Encrypter.obj > encrypterDisasm.txt
Modify the obj with the hex editor hiew.