WinDBG tip: displaying a function's assembly code (the uf command)

WinDBG's uf command disassembles a binary and displays the assembly code, which helps you analyze a function when no source code is available. For example, the Windows Minesweeper program (winmine.exe) has a function named winmine!StartGame (found with the x winmine!* command); the uf winmine!StartGame command displays that function's assembly:

0:000> uf winmine!StartGame
winmine!StartGame:
0100367a a1ac560001      mov     eax,dword ptr [winmine!Preferences+0xc (010056ac)]
0100367f 8b0da8560001    mov     ecx,dword ptr [winmine!Preferences+0x8 (010056a8)]
01003685 53              push    ebx
01003686 56              push    esi
01003687 57              push    edi
01003688 33ff            xor     edi,edi
0100368a 3b0534530001    cmp     eax,dword ptr [winmine!xBoxMac (01005334)]
01003690 893d64510001    mov     dword ptr [winmine!fTimer (01005164)],edi
01003696 750c            jne     winmine!StartGame+0x2a (010036a4)

winmine!StartGame+0x1e:
01003698 3b0d38530001    cmp     ecx,dword ptr [winmine!yBoxMac (01005338)]
0100369e 7504            jne     winmine!StartGame+0x2a (010036a4)

winmine!StartGame+0x26:
010036a0 6a04            push    4
010036a2 eb02            jmp     winmine!StartGame+0x2c (010036a6)

winmine!StartGame+0x2a:
010036a4 6a06            push    6

winmine!StartGame+0x2c:
010036a6 5b              pop     ebx
010036a7 a334530001      mov     dword ptr [winmine!xBoxMac (01005334)],eax
010036ac 890d38530001    mov     dword ptr [winmine!yBoxMac (01005338)],ecx
010036b2 e81ef8ffff      call    winmine!ClearField (01002ed5)
010036b7 a1a4560001      mov     eax,dword ptr [winmine!Preferences+0x4 (010056a4)]
010036bc 893d60510001    mov     dword ptr [winmine!iButtonCur (01005160)],edi
010036c2 a330530001      mov     dword ptr [winmine!cBombStart (01005330)],eax

winmine!StartGame+0x4d:
010036c7 ff3534530001    push    dword ptr [winmine!xBoxMac (01005334)]
010036cd e86e020000      call    winmine!Rnd (01003940)
010036d2 ff3538530001    push    dword ptr [winmine!yBoxMac (01005338)]
010036d8 8bf0            mov     esi,eax
010036da 46              inc     esi
010036db e860020000      call    winmine!Rnd (01003940)
010036e0 40              inc     eax
010036e1 8bc8            mov     ecx,eax
010036e3 c1e105          shl     ecx,5
010036e6 f684314053000180 test    byte ptr winmine!rgBlk (01005340)[ecx+esi],80h
010036ee 75d7            jne     winmine!StartGame+0x4d (010036c7)

winmine!StartGame+0x76:
010036f0 c1e005          shl     eax,5
010036f3 8d843040530001  lea     eax,winmine!rgBlk (01005340)[eax+esi]
010036fa 800880          or      byte ptr [eax],80h
010036fd ff0d30530001    dec     dword ptr [winmine!cBombStart (01005330)]
01003703 75c2            jne     winmine!StartGame+0x4d (010036c7)

winmine!StartGame+0x8b:
01003705 8b0d38530001    mov     ecx,dword ptr [winmine!yBoxMac (01005338)]
0100370b 0faf0d34530001  imul    ecx,dword ptr [winmine!xBoxMac (01005334)]
01003712 a1a4560001      mov     eax,dword ptr [winmine!Preferences+0x4 (010056a4)]
01003717 2bc8            sub     ecx,eax
01003719 57              push    edi
0100371a 893d9c570001    mov     dword ptr [winmine!cSec (0100579c)],edi
01003720 a330530001      mov     dword ptr [winmine!cBombStart (01005330)],eax
01003725 a394510001      mov     dword ptr [winmine!cBombLeft (01005194)],eax
0100372a 893da4570001    mov     dword ptr [winmine!cBoxVisit (010057a4)],edi
01003730 890da0570001    mov     dword ptr [winmine!cBoxVisitMac (010057a0)],ecx
01003736 c7050050000101000000 mov dword ptr [winmine!fStatus (01005000)],1
01003740 e825fdffff      call    winmine!UpdateBombCount (0100346a)
01003745 53              push    ebx
01003746 e805e2ffff      call    winmine!AdjustWindow (01001950)
0100374b 5f              pop     edi
0100374c 5e              pop     esi
0100374d 5b              pop     ebx
0100374e c3              ret
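The listing above is easy to read by eye, but when you are comparing many functions it helps to turn uf output into data. The labels uf prints (winmine!StartGame+0x1e:, +0x26:, ...) mark the start of each basic block, i.e. every jump target, and each jump operand ends with the target address in parentheses. The following Python script is an added example, not part of the original post: it parses an excerpt of the listing into blocks, recovers the taken/fall-through edges of conditional jumps, records the symbols each block calls, and checks which blocks are reachable from the entry. The excerpt embedded in UF_OUTPUT keeps only a few instructions per block; the regular expressions assume the column layout shown in the post (address, raw bytes, mnemonic, operands) and are my own, not a WinDbg API.

```python
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Excerpt of the "uf winmine!StartGame" listing from the post (a few
# instructions per block), embedded so the parser runs without a debugger.
UF_OUTPUT = """\
0:000> uf winmine!StartGame
winmine!StartGame:
0100367a a1ac560001      mov     eax,dword ptr [winmine!Preferences+0xc (010056ac)]
01003688 33ff            xor     edi,edi
0100368a 3b0534530001    cmp     eax,dword ptr [winmine!xBoxMac (01005334)]
01003696 750c            jne     winmine!StartGame+0x2a (010036a4)

winmine!StartGame+0x1e:
01003698 3b0d38530001    cmp     ecx,dword ptr [winmine!yBoxMac (01005338)]
0100369e 7504            jne     winmine!StartGame+0x2a (010036a4)

winmine!StartGame+0x26:
010036a0 6a04            push    4
010036a2 eb02            jmp     winmine!StartGame+0x2c (010036a6)

winmine!StartGame+0x2a:
010036a4 6a06            push    6

winmine!StartGame+0x2c:
010036a6 5b              pop     ebx
010036b2 e81ef8ffff      call    winmine!ClearField (01002ed5)
0100374e c3              ret
"""

# Assumed line shapes, taken from the listing in the post:
#   label line:       "<symbol>:"
#   instruction line: "<8 hex addr> <hex bytes> <mnemonic> [operands]"
#   branch operand:   "... (<8 hex target>)"
LABEL_RE = re.compile(r"^(\S+):$")
INSN_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]+)\s+(\S+)(?:\s+(.*))?$", re.I)
TARGET_RE = re.compile(r"\(([0-9a-f]{8})\)\s*$", re.I)


@dataclass
class Block:
    label: str
    start: Optional[int] = None
    insns: list = field(default_factory=list)   # (addr, size, mnemonic, operands)
    succs: list = field(default_factory=list)   # start addresses of successor blocks
    calls: list = field(default_factory=list)   # symbols called from this block


def parse_uf(text: str) -> list:
    """Split uf output into labelled basic blocks with their instructions."""
    blocks, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = LABEL_RE.match(line)
        if m:
            cur = Block(label=m.group(1))
            blocks.append(cur)
            continue
        m = INSN_RE.match(line)
        if not m or cur is None:
            continue  # blank line, the "0:000>" prompt, or anything else not modelled
        addr, size = int(m.group(1), 16), len(m.group(2)) // 2  # size from raw bytes
        if cur.start is None:
            cur.start = addr
        cur.insns.append((addr, size, m.group(3).lower(), m.group(4) or ""))
    return [b for b in blocks if b.insns]


def build_cfg(blocks: list) -> dict:
    """Attach control-flow edges to each block; returns blocks keyed by start address."""
    by_start = {b.start: b for b in blocks}
    for b in blocks:
        for _, _, mnem, ops in b.insns:
            if mnem == "call":
                b.calls.append(ops.split(" (")[0].strip())   # "winmine!ClearField"
        addr, size, mnem, ops = b.insns[-1]
        tgt = TARGET_RE.search(ops)
        if mnem == "ret":
            continue                                      # no successors
        if tgt and mnem.startswith("j"):
            b.succs.append(int(tgt.group(1), 16))          # taken edge first
        if mnem == "jmp":
            continue                                      # unconditional: no fall-through
        if addr + size in by_start:
            b.succs.append(addr + size)                   # not-taken / plain fall-through
    return by_start


def reachable(cfg: dict, entry: int) -> set:
    """Start addresses of every block reachable from entry along successor edges."""
    seen, todo = set(), deque([entry])
    while todo:
        a = todo.popleft()
        if a in seen or a not in cfg:
            continue
        seen.add(a)
        todo.extend(cfg[a].succs)
    return seen


if __name__ == "__main__":
    cfg = build_cfg(parse_uf(UF_OUTPUT))
    for start in sorted(cfg):
        b = cfg[start]
        print(f"{b.label:28} -> {[cfg[s].label for s in b.succs]}  calls={b.calls}")
```

Running it prints one line per block with its successor labels, which makes the two nested jne checks at the top of StartGame visible as a small diamond converging on winmine!StartGame+0x2c. The fall-through edge is computed from the last instruction's address plus its byte length rather than from listing order, so a block that happens to be printed next but is not contiguous is not treated as a successor.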
