tailieunhanh - Reversing: Secrets of Reverse Engineering, part 10

This time it turns out to be CommandLineToArgvW. CommandLineToArgvW parses a command-line string and returns an array of strings, each containing a single parameter. Defender must call this function directly because it does not make use of a runtime library,

Understanding Compiled Arithmetic

Most modern compilers provide built-in support for 64-bit data types. These data types are usually stored as two 32-bit integers in memory, and the compiler generates special code when arithmetic operations are performed on them. The following sections describe how the common arithmetic functions are performed on such data types.

Addition

Sixty-four-bit integers are usually added by combining the ADD instruction with the ADC (add with carry) instruction. The ADC instruction is very similar to the standard ADD, with the difference that it also adds the value of the carry flag (CF) to the result. The lower 32 bits of both operands are added using the regular ADD instruction, which sets or clears CF depending on whether the addition produced a carry. Then the upper 32 bits are added using ADC, so that the result from the previous addition is taken into account. Here is a quick sample:

    mov esi, [Operand1_Low]
    mov edi, [Operand1_High]
    add eax, [Operand2_Low]     ; low 32 bits: ADD sets or clears CF
    adc edx, [Operand2_High]    ; high 32 bits: ADC also adds CF

Notice in this example that the two 64-bit operands are stored in registers. Because each register is 32 bits, each operand uses two registers. The first operand uses ESI for the low part and EDI for the high part. The second operand uses EAX for the low part and EDX for the high part. The result ends up in EDX:EAX.

Subtraction

The subtraction case is essentially identical to the addition, with CF being used as a borrow to connect the low part and the high part. The instructions used are SUB for the low part (because it's just a regular subtraction) and SBB for the high part, because SBB also includes CF's value in the operation.

    mov eax, DWORD PTR [Operand1_Low]
    sub eax, DWORD PTR [Operand2_Low]     ; low 32 bits: SUB sets CF on borrow
    mov edx, DWORD PTR [Operand1_High]
    sbb edx, DWORD PTR [Operand2_High]    ; high 32 bits: SBB also subtracts CF

Multiplication

Multiplying 64-bit numbers is too long and complex an operation for the compiler to embed within the code. Instead the compiler uses a predefined function called allmul that is called whenever two
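The ADD/ADC and SUB/SBB sequences from the Addition and Subtraction sections, modeled in C so the carry and borrow between the two halves can be followed by hand. This is an added example, not code from the book; the names pair64, add64, sub64, split and join are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* A 64-bit value held as two 32-bit halves, like the EDX:EAX register pair. */
typedef struct { uint32_t lo, hi; } pair64;

static pair64 split(uint64_t v) {
    pair64 p = { (uint32_t)v, (uint32_t)(v >> 32) };
    return p;
}
static uint64_t join(pair64 p) { return ((uint64_t)p.hi << 32) | p.lo; }

/* ADD on the low halves, then ADC on the high halves. */
static pair64 add64(pair64 a, pair64 b, int *cf_out) {
    pair64 r;
    r.lo = a.lo + b.lo;                        /* ADD: wraps modulo 2^32    */
    uint32_t cf = r.lo < a.lo;                 /* CF = carry out of low add */
    uint64_t hi = (uint64_t)a.hi + b.hi + cf;  /* ADC: high + high + CF     */
    r.hi = (uint32_t)hi;
    if (cf_out) *cf_out = (int)(hi >> 32);     /* CF after the ADC          */
    return r;
}

/* SUB on the low halves, then SBB on the high halves. */
static pair64 sub64(pair64 a, pair64 b, int *cf_out) {
    pair64 r;
    uint32_t cf = a.lo < b.lo;                 /* CF = borrow from low SUB  */
    r.lo = a.lo - b.lo;                        /* SUB: wraps modulo 2^32    */
    r.hi = a.hi - b.hi - cf;                   /* SBB: high - high - CF     */
    if (cf_out) *cf_out = (uint64_t)a.hi < (uint64_t)b.hi + cf;
    return r;
}

int main(void) {
    /* Constructed operands chosen to force a carry and a borrow across halves. */
    uint64_t x = 0x00000001FFFFFFFFULL, y = 0x0000000000000001ULL;
    int cf;
    pair64 s = add64(split(x), split(y), &cf);
    printf("add: %08X:%08X CF=%d (native %016llX)\n",
           (unsigned)s.hi, (unsigned)s.lo, cf, (unsigned long long)(x + y));
    pair64 d = sub64(split(0x0000000200000000ULL), split(y), &cf);
    printf("sub: %08X:%08X CF=%d\n", (unsigned)d.hi, (unsigned)d.lo, cf);
    return 0;
}
```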
