方法形成并检查位掩码 [英] Methods to form and check bitmasks
问题描述
这极有可能已被要求之前回答,但我的搜索是徒劳的。
This most likely has been asked and answered before, but my searches was futile.
问题是比特,字节口罩和检查。
Question is about bits, bytes masks and checking.
说的是有两个触发 0xC4 和 0xC5 :
196: 1100 0100 0xc4
197: 1100 0101 0xc5
检查的简单方式,如果 VAR 是将是:
if (var == 0xc5 || var == 0xc4) {
}
但有时一见这(或类似):
But sometimes one see this (or the like):
if ( ((var ^ magic) & mask) == 0) {
}
我的问题是如何找到的魔术的和的屏蔽的。什么方法,程序,技巧等将被用于形成这些值并断言如果存在
My question is how to find magic and mask. What methods, procedures, tricks etc. is to be utilized to form these values and to assert if any exists?
的 修改的
要澄清。是的,在这个确切的例子前者会更好然后是后者,但我的问题是多为一般的生成和检查这些各种口罩的。一般位操作。我省略了很多,试图使这个问题很简单。但是......
To clarify. Yes, in this exact example the former would be better then the latter, but my question is more as in general of generating and checking these kinds of masks. Bit twiddling in general. I omitted a lot and tried to make the question simple. But ...
作为一个例子,我有一个看看OllyDbg的反编译器源的来源,其中一个发现:
As an example I had a look at the source of OllyDbg decompiler source where one find:
if (((code ^ pd->code) & pd->mask) == 0)
FOUND
其中, code 0 - 3字节指令从指挥铸
Where code is 0 - 3 bytes of command cast from instruction.
unsigned long code = 0;
if (size > 0) *(((char *)&code) + 0) = cmd[0];
if (size > 1) *(((char *)&code) + 1) = cmd[1];
if (size > 2) *(((char *)&code) + 2) = cmd[2];
作为掩蔽只针对字节 CMD
和 PD 是的一部分:
struct t_cmddata {
uint32_t mask; Mask for first 4 bytes of the command
uint32_t code; Compare masked bytes with this
...
}
持有多头排列为:
holding a long array as:
const t_cmddata cmddata[] = {
/* mask code */
{ 0x0000FF, 0x000090, 1,00, NNN,NNN,NNN, C_CMD+0, "NOP" },
{ 0x0000FE, 0x00008A, 1,WW, REG,MRG,NNN, C_CMD+0, "MOV" },
{ 0x0000F8, 0x000050, 1,00, RCM,NNN,NNN, C_PSH+0, "PUSH" },
{ 0x0000FE, 0x000088, 1,WW, MRG,REG,NNN, C_CMD+0, "MOV" },
{ 0x0000FF, 0x0000E8, 1,00, JOW,NNN,NNN, C_CAL+0, "CALL" },
{ 0x0000FD, 0x000068, 1,SS, IMM,NNN,NNN, C_PSH+0, "PUSH" },
{ 0x0000FF, 0x00008D, 1,00, REG,MMA,NNN, C_CMD+0, "LEA" },
{ 0x0000FF, 0x000074, 1,CC, JOB,NNN,NNN, C_JMC+0, "JE,JZ" },
{ 0x0000F8, 0x000058, 1,00, RCM,NNN,NNN, C_POP+0, "POP" },
{ 0x0038FC, 0x000080, 1,WS, MRG,IMM,NNN, C_CMD+1, "ADD" },
{ 0x0000FF, 0x000075, 1,CC, JOB,NNN,NNN, C_JMC+0, "JNZ,JNE" },
{ 0x0000FF, 0x0000EB, 1,00, JOB,NNN,NNN, C_JMP+0, "JMP" },
{ 0x0000FF, 0x0000E9, 1,00, JOW,NNN,NNN, C_JMP+0, "JMP" },
{ 0x0000FE, 0x000084, 1,WW, MRG,REG,NNN, C_CMD+0, "TEST" },
{ 0x0038FE, 0x0000C6, 1,WW, MRG,IMM,NNN, C_CMD+1, "MOV" },
{ 0x0000FE, 0x000032, 1,WW, REG,MRG,NNN, C_CMD+0, "XOR" },
...
这将是一个典型的生活的用法的例子。如此反复:此方法。一直在寻找卡诺图等等 - 但认为有其他的等了同样的方法操作区。
That would be a typical live example of usage. So again: methods for this. Have been looking at Karnaugh map etc. – but thought there was other and so on method for the same district of operation.
推荐答案
鉴于你的两个值,
196: 1100 0100 0xc4
197: 1100 0101 0xc5
你想要屏蔽关闭为不同的位,在这种情况下,第0位因此,掩码值将是0×01的逆,0xFE的
you'd want to mask-off the bits that differ, in this case bit 0. So the mask value would be the inverse of 0x01, 0xFE.
IE浏览器。 0xC4&安培; 0xFE的== 0xC4和0xC5&安培; 0xFE的== 0xC4。
ie. 0xC4 & 0xFE == 0xC4, and 0xC5 & 0xFE == 0xC4.
这意味着这两个值成为0xC4。然后,你可以通过与应保持精确的位模式-ING XOR检查0xC4。
That means both values become 0xC4. Then you can check for 0xC4 by xor-ing with the exact bit pattern that should remain.
1100 0100 0xC4
IE浏览器。 0xC4 ^ 0xC4 == 0。
ie. 0xC4 ^ 0xC4 == 0.
1100 0100 1100 0101
& 1111 1110 1111 1110
---- ---- ---- ----
1100 0100 1100 0100
^ 1100 0100
---- ----
0000 0000
第一次面膜,或风险鸡犬不宁。
Mask first, or risk utter confusion.
通过实际源文件看,我还挺想他正试图进行模糊处理。许多功能要保。
Looking through the actual source file, I kinda think he is trying to be obfuscated. Many of the functions want factoring.
这篇关于方法形成并检查位掩码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
