
📄 instructiongenerator3.html

📁 This is the complete source code of a program for reverse engineering Delphi. It can analyze almost all structures. Revendepro is a program to reverse engineer Delphi programs. Reven
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
        "http://www.w3.org/TR/html4/frameset.dtd">
<HTML>
<HEAD>
<TITLE>Finding Classes</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" text="#000000" link="#0000FF" vlink="#0000CC" alink="#6666FF">
<h1><img alt="" src="findClasses.gif" width="32" height="32">Generating instructions. 
  Part 3.</h1>
<h2>Stack parameters.</h2>
<h3><A HREF="index.html"><img alt="" src="revendepro.gif" width="16" height="16" border="0">Revendepro page.</A></h3>
<p>I want to extend the code already written so that it also supports stack parameters.</p>
<p>A procedure which uses stack parameters is very easy to identify by the Ret 
  AA (AA &gt; 0). Hereby I also discovered a bug in the previous code: I forgot 
  to include a check that the Ret instruction was Ret 0.</p>
<p>Then we must also require that ebp saves the stack frame, so we have to check 
  for push ebp; mov ebp, esp at the beginning and pop ebp at the end. For this we face 
  the problem of implementing push and pop instructions. We could create new instruction 
  types for them. This has the advantage that they can be easily identified, but 
  it makes it much more difficult to apply operations on them, like appending 
  as discussed in part 1: Some Basics. So I decided to implement them as two instructions, 
  one for subtracting 4 from esp and one for assigning the value to esp^. This way 
  we can easily manipulate them, and we can also check that nothing remains 
  on the stack, because in the end esp may not be changed. This implies that if 
  we call a procedure which gets something from the stack, we must include something 
  after the call to change esp. Maybe that is too great a drawback, but for now 
  I think this is the best option.</p>
<p>So I go on to write a disassembler for push and pop instructions.<br>
  OK, allowing one assembler instruction to generate multiple instructions requires 
  major changes.</p>
<p>After having identified this, we can look at the parameters: if the procedure 
  already has other parameters, the procedure simply has the pascal calling convention, 
  and eax, ecx and edx are all three parameters. If there are no parameters already, 
  the procedure has the stdcall calling convention. Then we add AA / 4 Integer parameters, 
  so we also require that AA must be a multiple of 4.</p>
<p>Then we must check that ebp is preserved on the stack.</p>
<p>Then we must always also allow accessing these parameters with esp. So we must 
  replace Pointer(esp + BB)^ parts with ParamBB; other accesses to esp are not allowed.</p>
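<p>The checks described above, put together as an added example in Python. It is not Revendepro's own code: the tuple-based instruction listing, the function names and the sample procedure are assumptions made for illustration.</p>

```python
import re

def lower(ins):
    """Expand push/pop into the two primitive instructions the text describes."""
    if ins[0] == "push":
        return [("sub", "esp", 4), ("mov", "esp^", ins[1])]
    if ins[0] == "pop":
        return [("mov", ins[1], "esp^"), ("add", "esp", 4)]
    return [ins]

def esp_delta(listing):
    """Net change of esp over the lowered listing; must be 0 before the ret."""
    delta = 0
    for ins in (p for i in listing for p in lower(i)):
        if ins[0] in ("sub", "add") and ins[1] == "esp":
            delta += ins[2] if ins[0] == "add" else -ins[2]
    return delta

def stack_params(listing, has_register_params):
    """Return (convention, stack parameter count) or raise ValueError."""
    if listing[:2] != [("push", "ebp"), ("mov", "ebp", "esp")]:
        raise ValueError("missing push ebp; mov ebp, esp")
    if listing[-2] != ("pop", "ebp") or listing[-1][0] != "ret":
        raise ValueError("missing pop ebp; ret")
    aa = listing[-1][1]  # a plain ret is written ("ret", 0) in this model
    if aa == 0 or aa % 4 != 0:
        raise ValueError("Ret AA needs a nonzero AA that is a multiple of 4")
    if esp_delta(listing[:-1]) != 0:
        raise ValueError("something remains on the stack")
    return ("pascal" if has_register_params else "stdcall"), aa // 4

def rewrite_esp(expr):
    """Replace Pointer(esp + BB)^ with ParamBB; any other esp use is rejected."""
    out = re.sub(r"Pointer\(esp \+ (\d+)\)\^", r"Param\1", expr)
    if re.search(r"\besp\b", out):
        raise ValueError("other access to esp is not allowed")
    return out

# Constructed listing for a two-parameter procedure (not from a real binary).
SAMPLE = [("push", "ebp"), ("mov", "ebp", "esp"),
          ("push", "ebx"), ("mov", "ebx", "Pointer(esp + 8)^"),
          ("pop", "ebx"), ("pop", "ebp"), ("ret", 8)]

if __name__ == "__main__":
    print(stack_params(SAMPLE, has_register_params=False))
    print(rewrite_esp("ebx := Pointer(esp + 8)^"))
```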
<hr>
 <a href="http://www.puthoon.com" target="_top"><img alt="" src="puthoonMini.gif" width=20 height=20 border=0></A><FONT Face="Symbol,fantasy">Puqwn</FONT><BR>
E-mail: <a href="MAILTO:puthoon@puthoon.com">puthoon@puthoon.com</a> 
<HR>
Copyright &copy; 1999, 2000 Puthoon. All rights reserved
</BODY>
</HTML>
