x86 Assembly two jump instructions with the same target


Question


I try to understand an example from the book "Practical Malware Analysis" by Michael Sikorski. There is an example on anti-disassembly techniques that I don't comprehend. It says that a common technique is to create two conditional instructions, namely jump if zero (JZ) and jump if not zero (JNZ), which considered together are actually just one unconditional instruction (this is clear to me). Here are the graphics of the two possible results created by the disassembler.

The following quote refers to Figure 1:


In this example, the instruction immediately following the two conditional jump instructions appears to be a call instruction at (call), beginning with the byte 0xE8. This is not the case, however, as both conditional jump instructions actually point 1 byte beyond the 0xE8 byte


What is that supposed to mean, and why is the jump location loc_4011C4+1 (where does the +1 come from)? And why is it loc_4011C5 in Figure 2? Can someone provide a more detailed explanation?

Recommended answer


The result of assembly code compilation is a piece of native code, more specifically a sequence of bytes, where different parts of this sequence correspond to instructions from the original assembly. Intel x86 processors have a so-called CISC instruction set, which basically means that instruction length in bytes can vary from 1 to some 12, and that's without considering the instruction set extensions that are available nowadays. The technique presented makes use of this fact.


The whole point is to mislead a person with potential mischief in their mind. The code of the second example (with `pop eax` and `retn`) is what we want to execute and what will be executed. However, because we inserted a fake byte in front of the `pop eax` instruction, the disassembled code will, without paying close attention, appear as if there were a `call` to some location in memory, since most of the less bright disassemblers automatically assume that the machine code of a binary has no gaps in it.


This technique is not foolproof. More sophisticated disassemblers will reveal the author's true intentions. Also note that if the person trying to break into the code is running it in a debug environment, this technique will once again be of no use.
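As an added illustration (not part of the original answer), here is a Python sketch of the two decoding strategies run over a constructed byte sequence shaped like Figure 2: a linear sweep that swallows the fake 0xE8 as a `call`, beside a decoder that notices the `jz`/`jnz` pair share one target and resumes there. The base address 0x4011C0, the trailing padding bytes and the tiny opcode subset are assumptions, not anything from the book.

```python
import struct

# Constructed sample bytes laid out like Figure 2 of the question. The base address is an
# assumption chosen so the real code lands at 0x4011C5 (loc_4011C4+1):
#   4011C0  74 03  jz  0x4011C5   (0x4011C2 + 3)      4011C5  58     pop eax
#   4011C2  75 01  jnz 0x4011C5   (0x4011C4 + 1)      4011C6  C3     retn
#   4011C4  E8     fake byte, never executed          4011C7  90 90  padding (constructed)
BASE = 0x4011C0
CODE = bytes.fromhex("74 03 75 01 E8 58 C3 90 90")

def decode_one(code, off):
    """Decode one instruction from the opcode subset: returns (text, length, jump_target)."""
    op, addr = code[off], BASE + off
    if op in (0x74, 0x75):                                # JZ / JNZ rel8
        target = addr + 2 + struct.unpack_from("<b", code, off + 1)[0]
        return (f"{'jz' if op == 0x74 else 'jnz'} 0x{target:X}", 2, target)
    if op == 0xE8:                                        # CALL rel32: swallows 4 more bytes
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return (f"call 0x{(addr + 5 + rel) & 0xFFFFFFFF:X}", 5, None)
    simple = {0x58: "pop eax", 0xC3: "retn", 0x90: "nop"}
    if op in simple:
        return (simple[op], 1, None)
    raise ValueError(f"unsupported opcode {op:#x} at {addr:#x}")

def linear_sweep(code):
    """Naive disassembly: assumes the byte stream has no gaps, so 0xE8 becomes a call."""
    out, off = [], 0
    while off < len(code):
        text, length, _ = decode_one(code, off)
        out.append((BASE + off, text))
        off += length
    return out

def flow_aware(code):
    """Recognise jz+jnz to one target as an unconditional jump and resume at that target."""
    out, off = [], 0
    while off < len(code):
        text, length, target = decode_one(code, off)
        out.append((BASE + off, text))
        if text == "retn":                                # nothing reachable past the return
            break
        if target is not None and off + length < len(code):
            text2, _, target2 = decode_one(code, off + length)
            if target2 == target:                         # the pair can only go one place
                out.append((BASE + off + length, text2))
                off = target - BASE                       # skip the dead 0xE8 byte
                continue
        off += length
    return out
```

The linear sweep never emits `pop eax` or `retn`, because the four bytes after 0xE8 are consumed as the call's displacement; the flow-aware pass lands on 0x4011C5 and decodes the real code.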
