__text:0000000100003E70 SUB SP, SP, #0x30
__text:0000000100003E74 STP X29, X30, [SP,#0x20+var_s0]
__text:0000000100003E78 ADD X29, SP, #0x20
__text:0000000100003E7C STUR WZR, [X29,#var_4]
__text:0000000100003E80 B loc_100003E84
__text:0000000100003E84 ; ---------------------------------------------------------------------------
__text:0000000100003E84
__text:0000000100003E84 loc_100003E84 ; CODE XREF: _main+10↑j
__text:0000000100003E84 ; _main:loc_100003F4C↓j
__text:0000000100003E84 MOV X9, SP
__text:0000000100003E88 SUB X8, X29, #-var_8
__text:0000000100003E8C STR X8, [X9,#0x20+var_20]
__text:0000000100003E90 ADRL X0, aD ; "%d"
__text:0000000100003E98 BL _scanf
__text:0000000100003E9C LDUR W8, [X29,#var_8]
__text:0000000100003EA0 SUBS W8, W8, #1
__text:0000000100003EA4 STR X8, [SP,#0x20+var_10]
__text:0000000100003EA8 SUBS X8, X8, #5
__text:0000000100003EAC CSET W8, HI
__text:0000000100003EB0 TBNZ W8, #0, loc_100003F30
__text:0000000100003EB4 LDR X11, [SP,#0x20+var_10]
__text:0000000100003EB8 ADRL X10, dword_100003F50
__text:0000000100003EC0
__text:0000000100003EC0 loc_100003EC0 ; DATA XREF: _main:loc_100003EC0↓o
__text:0000000100003EC0 ADR X8, loc_100003EC0
__text:0000000100003EC4 LDRSW X9, [X10,X11,LSL#2]
__text:0000000100003EC8 ADD X8, X8, X9
__text:0000000100003ECC BR X8
__text:0000000100003ED0 ; ---------------------------------------------------------------------------
__text:0000000100003ED0 ADRL X0, aFuck1 ; "Fuck 1\n"
__text:0000000100003ED8 BL _printf
__text:0000000100003EDC B loc_100003F4C
__text:0000000100003EE0 ; ---------------------------------------------------------------------------
__text:0000000100003EE0 ADRL X0, aFuck2 ; "Fuck 2\n"
__text:0000000100003EE8 BL _printf
__text:0000000100003EEC B loc_100003F4C
__text:0000000100003EF0 ; ---------------------------------------------------------------------------
__text:0000000100003EF0 ADRL X0, aFuck3 ; "Fuck 3\n"
__text:0000000100003EF8 BL _printf
__text:0000000100003EFC B loc_100003F4C
__text:0000000100003F00 ; ---------------------------------------------------------------------------
__text:0000000100003F00 ADRL X0, aFuck4 ; "Fuck 4\n"
__text:0000000100003F08 BL _printf
__text:0000000100003F0C B loc_100003F4C
__text:0000000100003F10 ; ---------------------------------------------------------------------------
__text:0000000100003F10 ADRL X0, aFuck5 ; "Fuck 5\n"
__text:0000000100003F18 BL _printf
__text:0000000100003F1C B loc_100003F4C
__text:0000000100003F20 ; ---------------------------------------------------------------------------
__text:0000000100003F20 ADRL X0, aFuck5 ; "Fuck 5\n"
__text:0000000100003F28 BL _printf
__text:0000000100003F2C B loc_100003F4C
__text:0000000100003F30 ; ---------------------------------------------------------------------------
__text:0000000100003F30
__text:0000000100003F30 loc_100003F30 ; CODE XREF: _main+40↑j
__text:0000000100003F30 ADRL X0, aFuck ; "Fuck"
__text:0000000100003F38 BL _printf
__text:0000000100003F3C MOV W0, #0
__text:0000000100003F40 LDP X29, X30, [SP,#0x20+var_s0]
__text:0000000100003F44 ADD SP, SP, #0x30 ; '0'
__text:0000000100003F48 RET
__text:0000000100003F4C ; ---------------------------------------------------------------------------
__text:0000000100003F4C
__text:0000000100003F4C loc_100003F4C ; CODE XREF: _main+6C↑j
__text:0000000100003F4C ; _main+7C↑j ...
__text:0000000100003F4C B loc_100003E84
__text:0000000100003F4C ; End of function _main
__text:0000000100003F4C
__text:0000000100003F4C ; ---------------------------------------------------------------------------
__text:0000000100003F50 dword_100003F50 DCD 0x10 ; DATA XREF: _main+48↑o
__text:0000000100003F54 DCD 0x20
__text:0000000100003F58 DCD 0x30
__text:0000000100003F5C DCD 0x40
__text:0000000100003F60 DCD 0x50
__text:0000000100003F64 DCD 0x60
The jump table below was not recognized by IDA:
__text:0000000100003F50 dword_100003F50 DCD 0x10 ; DATA XREF: _main+48↑o
__text:0000000100003F54 DCD 0x20
__text:0000000100003F58 DCD 0x30
__text:0000000100003F5C DCD 0x40
__text:0000000100003F60 DCD 0x50
__text:0000000100003F64 DCD 0x60
This is the block that performs the dispatch:
__text:0000000100003EB8 ADRL X10, dword_100003F50
__text:0000000100003EC0
__text:0000000100003EC0 loc_100003EC0 ; DATA XREF: _main:loc_100003EC0↓o
__text:0000000100003EC0 ADR X8, loc_100003EC0
__text:0000000100003EC4 LDRSW X9, [X10,X11,LSL#2]
__text:0000000100003EC8 ADD X8, X8, X9
__text:0000000100003ECC BR X8
From
__text:0000000100003EC0 ADR X8, loc_100003EC0
we can see that 0x100003EC0 is used as the base that the table entries are added to.
The table data comes from
__text:0000000100003EB8 ADRL X10, dword_100003F50
LSL#2 means each element is 4 bytes, i.e. of type dd (LDRSW then sign-extends it to 64 bits).
So how do we turn the data below into offsets?
__text:0000000100003F50 dword_100003F50 DCD 0x10 ; DATA XREF: _main+48↑o
__text:0000000100003F54 DCD 0x20
__text:0000000100003F58 DCD 0x30
__text:0000000100003F5C DCD 0x40
__text:0000000100003F60 DCD 0x50
__text:0000000100003F64 DCD 0x60
As shown in the figure below, open the operand type menu and choose user-defined.
Next select 32bit, and for the base enter the 0x100003EC0 we worked out above.
Then tick signed operand, which means the element is added to the base as a signed value.
We can see that base+0x10 already lands on the first case branch.
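To check these numbers without IDA, here is a small added Python script (not from the original post and not IDA's own code) that decodes the six DCD entries with the same settings the dialog uses (32-bit, signed, added to base 0x100003EC0) and emulates the range check in _main. All constants are taken from the listing above; the subtract option is included only to show what the wrong setting would produce.

```python
import struct

# Constants read off the IDA listing on this page.
TABLE_ADDR = 0x100003F50          # dword_100003F50, loaded into X10 via ADRL
TABLE_BASE = 0x100003EC0          # loc_100003EC0, loaded into X8 via ADR
DEFAULT_TARGET = 0x100003F30      # loc_100003F30, taken when TBNZ sees the HI flag
FIRST_CASE = 1                    # SUBS W8, W8, #1 rebases the input so case 1 is index 0
NUM_CASES = 6                     # SUBS X8, X8, #5 / CSET HI rejects any index above 5

# The six DCD entries as raw little-endian bytes, as they sit at 0x100003F50.
TABLE_BYTES = struct.pack("<6I", 0x10, 0x20, 0x30, 0x40, 0x50, 0x60)


def decode_table(raw, base, signed=True, subtract=False):
    """Turn raw jump-table bytes into absolute targets the way the switch
    dialog settings tell IDA to: 32-bit elements (LSL#2), 'signed' means
    the element is sign-extended like LDRSW does, 'subtract' means
    base - element instead of base + element."""
    fmt = "<%d%s" % (len(raw) // 4, "i" if signed else "I")
    return [(base - e) if subtract else (base + e) for e in struct.unpack(fmt, raw)]


def resolve_switch(value):
    """Emulate the dispatch idiom in _main for one scanf'd int and return the
    address that BR X8 lands on, or the default block."""
    w8 = (value - FIRST_CASE) & 0xFFFFFFFF    # SUBS W8, W8, #1 writes a 32-bit register
    x8 = w8                                    # STR X8 / LDR X11: upper 32 bits are zero
    if x8 > NUM_CASES - 1:                     # SUBS X8, X8, #5 ; CSET W8, HI ; TBNZ
        return DEFAULT_TARGET
    (elem,) = struct.unpack_from("<i", TABLE_BYTES, x8 * 4)  # LDRSW X9, [X10, X11, LSL#2]
    return TABLE_BASE + elem                   # ADD X8, X8, X9 ; BR X8


if __name__ == "__main__":
    # Expected: 0x100003ED0 .. 0x100003F20, the six printf blocks in the listing.
    for addr in decode_table(TABLE_BYTES, TABLE_BASE):
        print(hex(addr))
    # Inputs 0 and 7 fall through to the default block because of the unsigned compare.
    for v in (0, 1, 3, 6, 7, -1):
        print(v, hex(resolve_switch(v)))
```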
Next come the five fields in the switch idiom dialog that need particular attention:
Address of jump table: the address of the jump table
Element base value: taken from
__text:0000000100003EC0 ADR X8, loc_100003EC0
which shows that 0x100003EC0 is used as the base the elements are added to.
Start of the switch idiom: the address of the first instruction of the switch statement; IDA is not very strict about this one.
Input register of switch: this must be filled in, using the register from
__text:0000000100003ECC BR X8
switch analysis failed: switch information is incomplete or incorrect
If this error appears, the likely cause is that the register was left empty.
First (lowest) input value: the first, i.e. smallest, case value; 1 is entered here, and a wrong value is easy to spot in the resulting output.
Default jump address: this can also be read directly from the listing (the block reached via TBNZ).
Signed jump table elements: table elements are treated as signed and added when computing the targets.
Subtract table elements: table elements are subtracted from the base when computing the targets.
After the fix it looks as follows:
Main reference:
Recovering switch statements in IDA Pro (在 IDA Pro 中恢复 switch 语句) - ChinaNuke's blog