比如你用local在栈上定义了一个局部变量LocalVar,你知道实际的指令是什么么?一般都差不多像下面的样子:
push ebp
mov esp, ebp
sub esp, 4
现在栈上就有了4各字节的空间,这就是你的局部变量。
接下来,你执行mov LocalVar, 4,那么实际的指令又是什么?是这样:
mov dword ptr [ebp-4], 4
于是,这个局部变量的“地址”就是ebp-4——显然,它不是一个固定的地址。现在需要将它的“地址”作为参数传给某个函数,你这样写:
invoke/call SomeFunc, addr LocalVar
实际生成的指令是:
lea eax, [ebp-4]
push eax
call SomeFunc
当然,你也可以写成:
mov eax, ebp
sub eax, 4
push eax
call SomeFunc
看到了,这里多了一条指令。这就是lea的好处。于是,lea又多了一个非常美妙的用途:作简单的算术计算,特别是有了32位指令的增强寻址方式,更是“如虎添翼”:
比如你要算EAX*4+EBX+3,结果放入EDX,怎么办?
mov edx, eax
shl edx, 2
add edx, ebx
add edx, 3
现在用lea一条指令搞定:
lea edx, [ebx+eax*4+3] // 相当于 lea edx, [eax*4+ebx+3],这里完全与内存地址无关
lea的英文解释是: Load Effective Address.(加入有效地址,开始迷惑效地址是什么???既然是有效地址与mov ax , [address] 又有什么不同呢?其实他们都是等效的。 后来知道实际上是一个偏移量可以是立即数,也可以是经过四则运算的结果,更省空间,更有效率)
参考:
http://blog.csdn.net/lostspeed/article/details/8959142
http://www.cnitblog.com/textbox/articles/51912.html
-------------------------------------------------------------------------------
亲自花了两小时研究一个小例子,VC6 Debug版本:
源程序:
#include "stdafx.h" int add(int i) { int x = i+4; return x; } int fun() { int i=10; return add(i); } int main() { int y = fun(); return y; }
汇编程序:
// 知识点: // ESP:寄存器存放当前线程的栈顶指针(堆栈指针),压入堆栈的数据越多,ESP也就越来越小,用它只可访问栈顶 // EBP:寄存器存放当前线程的栈底指针(基址指针,base pointer),用它可直接存取堆栈中的数据 // __cdecl 所有参数从右到左依次入栈,这些参数由调用者清除,称为手动清栈 // 编译器提前生成的函数跳转代码,一共3个函数,地址准确对应: @ILT+0(?add@@YAHH@Z): 00401005 jmp add (00401030) // 执行前 ESP = 0012FED0 // 执行后 ESP = 0012FED0 无条件跳转,不需要压栈 @ILT+5(?fun@@YAHXZ): 0040100A jmp fun (00401070) @ILT+10(_main): 0040100F jmp main (004010c0) int add(int i) { 00401030 push ebp // 执行前 ESP = 0012FED0 EBP = 0012FF28 // 执行后 ESP = 0012FECC EBP = 0012FF28 (ESP减少4,第二次偏移) 00401031 mov ebp,esp // 执行后 ESP = 0012FECC EBP = 0012FECC (保护esp的值,这样esp可随便使用了) 00401033 sub esp,44h // 执行后 ESP = 0012FE88 EBP = 0012FECC 给栈增加44h的空间 00401036 push ebx // 执行后 ESP = 0012FE84 00401037 push esi // 执行后 ESP = 0012FE80 00401038 push edi // 执行后 ESP = 0012FE7C 00401039 lea edi,[ebp-44h] // 执行后 EDI = 0012FE88 0040103C mov ecx,11h 00401041 mov eax,0CCCCCCCCh 00401046 rep stos dword ptr [edi] int x = i+4; 00401048 mov eax,dword ptr [ebp+8] // 执行前 EBP = 0012FECC,执行 EBP + 8 = 0012FED4,就取到了fun函数压栈的数据 0040104B add eax,4 // 前面call的时候导致了两次减4,所以要加8。此时用EBP访问数据。此时eax也是空闲的 0040104E mov dword ptr [ebp-4],eax // 把eax的值放到[ebp-4]里,相当于为x赋值了 return x; 00401051 mov eax,dword ptr [ebp-4] // 函数的返回值为eax } 00401054 pop edi 00401055 pop esi 00401056 pop ebx 00401057 mov esp,ebp // 恢复ESP,即退出函数前,栈顶指针不变 00401059 pop ebp // 恢复EBP,站底指针 0040105A ret // 这里不用加44,因为add没有调用其它函数 int fun() { 00401070 push ebp 00401071 mov ebp,esp 00401073 sub esp,44h 00401076 push ebx 00401077 push esi 00401078 push edi 00401079 lea edi,[ebp-44h] 0040107C mov ecx,11h 00401081 mov eax,0CCCCCCCCh 00401086 rep stos dword ptr [edi] int i=10; 00401088 mov dword ptr [ebp-4],0Ah // i是函数内第一个局部变量,占据了[ebp-4]的位置,因此把0Ah这个值放里 15: return add(i); 0040108F mov eax,dword ptr [ebp-4] // 把这个i局部变量的值,临时放到eax里,目的是为了方便压栈 00401092 push eax // 准备调用add函数,要给它准备所有参数,即把i的值压栈(cdeclf方式)。 // 执行前 ESP = 0012FED8 EBP = 0012FF28 // 执行后 ESP = 0012FED4 EBP = 0012FF28 (ESP减少4) // 注意,ESP的值在整个CPU里是唯一的,各个函数之间会相互影响(特别是cdecl调用方式下),push会导致ESP的值减4(可观察CPU状态) 00401093 call @ILT+0(add) (00401005) // 执行前 ESP = 0012FED4 EBP = 0012FF28 // 执行后 ESP = 0012FED0 EBP = 0012FF28 (ESP减少4,第一次偏移。call语句自动就包括了压栈功能) // 一共两次减小4 00401098 add esp,4 } 0040109B pop edi 0040109C pop esi 0040109D pop ebx 0040109E add esp,44h // 调用者清除,对应add函数造成的esp减少了44 004010A1 cmp ebp,esp 004010A3 call __chkesp (00401110) 004010A8 mov esp,ebp 004010AA pop ebp 004010AB ret int main() { int y = fun(); 004010D8 call @ILT+5(fun) (0040100a) // 呼叫语句,执行fun函数。此函数执行完毕后,会把运算结果放在eax里。 004010DD mov dword ptr [ebp-4],eax // 本地变量y占据了[ebp-4]的位置,所以需要把前面函数的执行结果eax放到这个位置 return y; 004010E0 mov eax,dword ptr [ebp-4] // 把[ebp-4]的值放到eax里,相当于main函数的返回值已经在eax里了 } 004010E3 pop edi 004010E4 pop esi 004010E5 pop ebx 004010E6 add esp,44h // 调用者清除,对应fun函数造成的esp减少了44 004010E9 cmp ebp,esp 004010EB call __chkesp (00401110) 004010F0 mov esp,ebp 004010F2 pop ebp 004010F3 ret
不知道release版本有没有这个ESP-44的问题,之所以花了2小时,就是因为这个原因。可是VC++为什么要这样做呢?难道是为了给调用函数的时候,留出足够的栈空间(够放10个参数了,另一个4字节空间是被调用函数自己造成的)?
----------------------------------------------------------------------------------
再接再厉,使用W32Dasm反汇编并精简之后得到的代码(VC自身也可看Release版的汇编源码):
Disassembly of File: C:DevChinaZip_CrackToolsw32dasmlll_cdcel.exe Code Offset = 00001000, Code Size = 00004000 Data Offset = 00006000, Data Size = 00003000 Number of Objects = 0003 (dec), Imagebase = 00400000h Object01: .text RVA: 00001000 Offset: 00001000 Size: 00004000 Flags: 60000020 Object02: .rdata RVA: 00005000 Offset: 00005000 Size: 00001000 Flags: 40000040 Object03: .data RVA: 00006000 Offset: 00006000 Size: 00003000 Flags: C0000040 +++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++ Import Module 001: KERNEL32.dll // 导入系统API地址,地址都很小,低于0x004000000 Addr:000054F8 hint(00CA) Name: GetCommandLineA Addr:0000550A hint(0174) Name: GetVersion Addr:00005518 hint(007D) Name: ExitProcess Addr:00005526 hint(029E) Name: TerminateProcess Addr:0000553A hint(00F7) Name: GetCurrentProcess Addr:000056D6 hint(00BF) Name: GetCPInfo Addr:000056E2 hint(00B9) Name: GetACP Addr:000056EC hint(0131) Name: GetOEMCP Addr:000056F8 hint(02BB) Name: VirtualAlloc Addr:00005708 hint(01A2) Name: HeapReAlloc Addr:00005716 hint(013E) Name: GetProcAddress Addr:00005728 hint(01C2) Name: LoadLibraryA Addr:00005738 hint(01E4) Name: MultiByteToWideChar Addr:0000574E hint(01BF) Name: LCMapStringA Addr:0000575E hint(01C0) Name: LCMapStringW Addr:0000576E hint(0153) Name: GetStringTypeA Addr:00005780 hint(0156) Name: GetStringTypeW +++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++ //********************** Start of Code in Object .text ************** Program Entry Point = 00401030 (C:DevChinaZip_CrackToolsw32dasmlll_cdcel.exe File Offset:00006030) // 估计是 int add(int i) :00401000 8B442404 mov eax, dword ptr [esp+04] :00401004 83C004 add eax, 00000004 :00401007 C3 ret * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00401020(U) // 估计是 int fun() :00401010 6A0A push 0000000A :00401012 E8E9FFFFFF call 00401000 :00401017 83C404 add esp, 00000004 :0040101A C3 ret * Referenced by a CALL at Address: |:004010DF :00401020 E9EBFFFFFF jmp 00401010 // 一句单独的跳转语句(准备跳转到fun函数),main函数就是靠它调用fun函数 //******************** Program Entry Point ******** // 估计是 int main(),那么多前期准备!!! :00401030 55 push ebp :00401031 8BEC mov ebp, esp :00401033 6AFF push FFFFFFFF :00401035 68A0504000 push 004050A0 :0040103A 688C1C4000 push 00401C8C :0040103F 64A100000000 mov eax, dword ptr fs:[00000000] :00401045 50 push eax :00401046 64892500000000 mov dword ptr fs:[00000000], esp :0040104D 83EC10 sub esp, 00000010 :00401050 53 push ebx :00401051 56 push esi :00401052 57 push edi :00401053 8965E8 mov dword ptr [ebp-18], esp * Reference To: KERNEL32.GetVersion, Ord:0174h | :00401056 FF1504504000 Call dword ptr [00405004] :0040105C 33D2 xor edx, edx :0040105E 8AD4 mov dl, ah :00401060 8915E4844000 mov dword ptr [004084E4], edx :00401066 8BC8 mov ecx, eax :00401068 81E1FF000000 and ecx, 000000FF :0040106E 890DE0844000 mov dword ptr [004084E0], ecx :00401074 C1E108 shl ecx, 08 :00401077 03CA add ecx, edx :00401079 890DDC844000 mov dword ptr [004084DC], ecx :0040107F C1E810 shr eax, 10 :00401082 A3D8844000 mov dword ptr [004084D8], eax :00401087 6A00 push 00000000 :00401089 E8A80A0000 call 00401B36 :0040108E 59 pop ecx :0040108F 85C0 test eax, eax :00401091 7508 jne 0040109B :00401093 6A1C push 0000001C :00401095 E89A000000 call 00401134 :0040109A 59 pop ecx * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00401091(C) | :0040109B 8365FC00 and dword ptr [ebp-04], 00000000 :0040109F E872070000 call 00401816 * Reference To: KERNEL32.GetCommandLineA, Ord:00CAh | :004010A4 FF1500504000 Call dword ptr [00405000] :004010AA A3D8894000 mov dword ptr [004089D8], eax :004010AF E830060000 call 004016E4 :004010B4 A3C0844000 mov dword ptr [004084C0], eax :004010B9 E8D9030000 call 00401497 :004010BE E81B030000 call 004013DE :004010C3 E890000000 call 00401158 :004010C8 A1F4844000 mov eax, dword ptr [004084F4] :004010CD A3F8844000 mov dword ptr [004084F8], eax :004010D2 50 push eax :004010D3 FF35EC844000 push dword ptr [004084EC] :004010D9 FF35E8844000 push dword ptr [004084E8] :004010DF E83CFFFFFF call 00401020 // 估计是调用fun()函数 :004010E4 83C40C add esp, 0000000C :004010E7 8945E4 mov dword ptr [ebp-1C], eax :004010EA 50 push eax :004010EB E895000000 call 00401185 :004010F0 8B45EC mov eax, dword ptr [ebp-14] :004010F3 8B08 mov ecx, dword ptr [eax] :004010F5 8B09 mov ecx, dword ptr [ecx] :004010F7 894DE0 mov dword ptr [ebp-20], ecx :004010FA 50 push eax :004010FB 51 push ecx :004010FC E859010000 call 0040125A :00401101 59 pop ecx :00401102 59 pop ecx :00401103 C3 ret
反汇编知识匮乏,目前只能到这步了,先混个脸熟。。。