The stack 堆栈

• The first one is your “dynamic memory”, that’s when you call ‘malloc’ or ‘new’ to allocate new memory, this goes from your RAM upward (or left-to-right), in the sense that if you allocate 10 bytes, you’ll first get address 0x1000 for example, then when you allocate another 30 bytes, you’ll get address 0x100A, then if you allocate another 16 bytes, you’ll get 0x1028, etc.
第一个是你的“动态内存”，即当你调用“malloc”或“new”来分配新的内存时，这是从你的RAM向上（或从左到右）进行的，从某种意义上说，如果你分配10个字节，你将首先得到地址0x1000例如，然后当你分配另外30个字节时，你将得到地址0x100A，然后如果你分配另外16个字节， 你会得到0x1028，等等。

• The second type of memory that you have access to is the stack, which is different, instead it grows downward (or right-to-left), and it’s used to store local variables in a function. So if you start with the stack at address 0x8000, then when you enter a function with 16 bytes worth of local variables, your stack now points to address 0x7FF0, then you enter another function with 64 bytes worth of local variables, and your stack now points to address 0x7FB0, etc. The way the stack works is by “stacking” data into it, you “push” data in the stack, which puts the variable/data into the stack and moves the stack pointer down, you can’t remove an item from anywhere in the stack, you can always only remove (pop) the last item you added (pushed). A stack is actually an abstract type of data, like a list, an array, a dictionary, etc. You can read more about what a stack is on wikipedia and it shows you how you can add and remove items on a stack with this image:
您可以访问的第二种类型的内存是堆栈，它是不同的，而是向下（或从右到左）增长，用于在函数中存储局部变量。因此，如果您从地址 0x8000 的堆栈开始，那么当您输入一个具有 16 个字节的局部变量的函数时，您的堆栈现在指向地址 0x7FF0，然后您输入另一个具有 64 个字节的局部变量的函数，并且您的堆栈现在指向地址 0x7FB0，等等。堆栈的工作方式是将数据“堆叠”到堆栈中，您将数据“推送”到堆栈中，这会将变量/数据放入堆栈中并向下移动堆栈指针，您不能从堆栈中的任何地方删除项目，您始终只能删除（弹出）您添加（推送）的最后一个项目。堆栈实际上是一种抽象类型的数据，如列表、数组、字典等。您可以在维基百科上阅读有关堆栈的更多信息，它向您展示了如何使用此图像在堆栈上添加和删除项目：

The registers 寄存器

• The EIP (Instruction Pointer) contains the address of the current instruction being executed.
EIP（指令指针）包含当前正在执行的指令的地址。

• The ESP (Stack Pointer) contains the address of the stack.
ESP（堆栈指针）包含堆栈的地址。

The instructions 说明

• “MOV“: move data from one operand into another
“MOV”：将数据从一个操作数移动到另一个操作数

• “ADD/SUB/MUL/DIV“: Add, Substract, Multiply, Divide one operand with another and store the result in a register
“ADD/SU/MUL/DIV”：加、减、乘、将一个操作数与另一个操作数相除，并将结果存储在寄存器中

• “AND/OR/XOR/NOT/NEG“: Perform logical and/or/xor/not/negate operations on the operand
“AND/OR/XOR/NOT/NEG”：在操作数上执行逻辑和/or/xor/not/negate运算

• “SHL/SHR“: Shift Left/Shift Right the bits in the operand
“SHL/SHR”：向左移动/向右移动操作数中的位

• “CMP/TEST“: Compare one register with an operand
“CMP/TEST”：将一个寄存器与操作数进行比较

• “JMP/JZ/JNZ/JB/JS/etc.”: Jump to another instruction (Jump unconditionally, Jump if Zero, Jump if Not Zero, Jump if Below, Jump if Sign, etc.)
“JMP/JZ/JNZ/JB/JS/etc.”：跳转到另一条指令（无条件跳转、如果为零则跳转、如果为零则跳转、如果低于则跳转、如果符号跳转等）

• “PUSH/POP“: Push an operand into the stack, or pop a value from the stack into a register
“PUSH/POP”：将操作数推入堆栈，或将堆栈中的值弹出到寄存器中

• “CALL“: Call a function. This is the equivalent of doing a “PUSH %EIP+4” + “JMP”. I’ll get into calling conventions later..
“CALL”：调用函数。这相当于执行 “PUSH %EIP+4” + “JMP”。我稍后会介绍调用约定。

• “RET“: Return from a function. This is the equivalent of doing a “POP %EIP”
“RET”：从函数返回。这相当于执行“POP %EIP”

A practical example 一个实际的例子

Binary or assembly? 二进制还是汇编？

• Because I’ve already reversed engineering it, you get the beautiful name “validate_upd_config” for the function, but technically, it was simply called “sub_FFF40311”
因为我已经对它进行了逆向工程，所以你得到了这个函数的美丽名字“validate_upd_config”，但从技术上讲，它只是被称为“sub_FFF40311”

• I had already reverse engineered the function that called it so I know that this function is receiving its arguments in an unusual way. The arguments aren’t pushed to the stack, instead, the first argument is stored in %ecx, and the second argument is stored in %edx
我已经对调用它的函数进行了逆向工程，因此我知道该函数正在以一种不寻常的方式接收其参数。参数不会推送到堆栈，而是将第一个参数存储在 %ecx 中，第二个参数存储在 %edx 中

• The first argument (%ecx, remember?) is an enum to indicate what type of UPD structure to validate, let me help you out and say that type ‘3’ is the FSPM_UPD (The configuration structure for the FSPM, the MemoryInit function), and that type ‘5’ is the FSPS_UPD (The configuration structure for the FSPS, the SiliconInit function).
第一个参数（%ecx，还记得吗？）是一个枚举，用于指示要验证的 UPD 结构类型，让我帮助您说类型“3”是FSPM_UPD（FSPM 的配置结构，MemoryInit 函数），类型“5”是FSPS_UPD（FSPS 的配置结构，SiliconInit 函数）。

• Reverse engineering is really about reading one line at a time, in a sequential manner, keep track of which blocks you reversed and be patient. You can’t look at it and expect to understand the function by viewing the big picture.
逆向工程实际上是以顺序方式一次读取一行，跟踪您反转了哪些块并要有耐心。你不能看着它，并期望通过观察大局来理解这个功能。

• It is very very useful in this case to have a dual monitor, so you can have one monitor for the assembly, and the other monitor for your C code editor. In my case, I actually recently bought an ultra-wide monitor and I split screen between my IDA window and my emacs window and it’s great. It’s hard otherwise to keep going back and forth between the assembly and the C code. That being said, I would suggest you do the same thing here and have a window on the side showing you the assembly image above (not the layout view) while you read the explanation on how to reverse engineer it below.
在这种情况下，拥有一个双显示器是非常非常有用的，因此你可以有一个显示器用于程序集，另一个显示器用于你的C代码编辑器。就我而言，我实际上最近买了一台超宽显示器，我在 IDA 窗口和 emacs 窗口之间分屏，这很棒。否则，很难在汇编和 C 代码之间来回切换。话虽如此，我建议您在这里做同样的事情，并在侧面设置一个窗口，向您展示上面的装配图像（而不是布局视图），同时您阅读下面有关如何对其进行逆向工程的说明。

Let’s get started! 让我们开始吧！

• The next line “cmp [edx+28h], eax” compares edx+0x28 to eax. Thankfully, we know now that edx points to the FSPM_UPD structure, and we can calculate that at offset 0x28 inside that structure, it’s the field StackBase within the FspmArchUpd field…
下一行“cmp [edx+28h]， eax”将 edx+0x28 与 eax 进行比较。值得庆幸的是，我们现在知道 edx 指向FSPM_UPD结构，我们可以计算出，在该结构内部的偏移0x28，它是 FspmArchUpd 字段中的字段 StackBase......

• and also, we still have in the back of our minds that ‘eax’ is initialized to zero, so, we know that the next 2 instructions are just checking if upd->FspmArchUpd.StackBase is == NULL.
而且，我们仍然在脑海中记住“eax”被初始化为零，因此，我们知道接下来的 2 条指令只是检查 upd->FspmArchUpd.StackBase 是否为 == NULL。

• Then we compare the StackSize with 0x26000, but the comparison is using “jb” for the jump, which is “jump if below”, so it checks if StackSize < 0x26000,
然后我们将 StackSize 与 0x26000进行比较，但比较是使用 “jb” 进行跳转，即 “jump if below”，因此它检查 StackSize 是否< 0x26000，

• finally it does a “test” with “edx+30h” (which is the BootloaderTolumSize field) and 0xFFF, then it does an unconditional jump to loc_FFF4035C, which itself does a “jz” to the return..
最后，它使用“edx+30h”（即 BootloaderTolumSize 字段）并0xFFF执行“测试”，然后无条件跳转到 loc_FFF4035C，它本身对返回值执行“jz”。

• which means if (BootloaderTolumSize & 0xFFF == 0) it will return whatever EAX contained (which is zero),
这意味着如果 （BootloaderTolumSize & 0xFFF == 0） 它将返回包含的任何 EAX（为零），

• but if it doesn’t, then it will continue to the next instruction which is the “mov eax, 80000002h”.
但如果没有，那么它将继续到下一条指令，即“MOV EAX，80000002H”。

1. When I looked at the hex dump, the instruction was simply “E8 00 00 00 00” which according to our previous CALL opcode table means “Call near, relative, displacement relative to next instruction”, so it wants to call the instruction 0 bytes from the next instruction. Since the call opcode itself is taking 5 bytes, that means it’s doing a call to its own function but skipping the call itself, so it’s basically jumping to the “pop eax”, right? Yes… but it’s not actually jumping to it, it’s “calling it”, which means that it just pushed into the stack the return address of the function… which means that our stack contains the address 0xFFF40244 and our next instruction to be executed is the one at the address 0xFFF40244. That’s because, if you remember, when we do a “ret”, it will pop the return address from the stack into the EIP (instruction pointer) register, that’s how it knows where to go back when the function finishes.
当我查看十六进制转储时，该指令只是“E8 00 00 00 00”，根据我们之前的 CALL 操作码表，它的意思是“调用接近、相对、相对于下一条指令的位移”，因此它希望从下一条指令开始调用指令 0 个字节。由于调用操作码本身占用 5 个字节，这意味着它正在调用自己的函数，但跳过了调用本身，因此它基本上是跳转到“pop eax”，对吧？是的。。。但它实际上并没有跳到它，而是在“调用它”，这意味着它只是将函数的返回地址推入堆栈......这意味着我们的堆栈包含地址 0xFFF40244，我们要执行的下一个指令是地址0xFFF40244的指令。这是因为，如果你还记得，当我们执行“ret”时，它会将堆栈中的返回地址弹出到 EIP（指令指针）寄存器中，这就是它知道函数结束时返回何处的方式。

2. So, then the instruction does a “pop eax” which will pop that return address into EAX, thus removing it from the stack and making the call above into a regular jump (since there is no return address in the stack anymore).
因此，然后该指令执行一个“pop eax”，它将该返回地址弹出到 EAX 中，从而将其从堆栈中删除并使上述调用成为常规跳转（因为堆栈中不再有返回地址）。

3. Then it does a “sub eax, 0FFF40244h”, which means it’s substracting 0xFFF40244 from eax (which should contain 0xFFF40244), so eax now contains the value “0”, right? You bet!
然后它执行“sub eax， 0FFF40244h”，这意味着它正在从 eax（应包含 0xFFF40244）中减去 0xFFF40244，因此 eax 现在包含值“0”，对吧？当然！

4. Then it adds to eax, the value “0xFFF4023F”, which is the address of our function itself. So, eax now contains the value 0xFFF4023F.
然后，它向 eax 添加值“0xFFF4023F”，即我们函数本身的地址。因此，eax 现在包含值 0xFFF4023F。

5. It will then substract from EAX, the value pointed to by [eax-15], which means the dword (4 bytes) value at the offset 0xFFF4023F – 0xF, so the value at 0xFFF40230, right… that value is 0x1AB (yep, I know, you didn’t have this information)… so, 0xFFF4023F – 0x1AB = 0xFFF40094!
然后，它将从 EAX 中减去 [eax-15] 指向的值，这意味着偏移量 0xFFF4023F – 0xF处的 dword（4 个字节）值，因此是 0xFFF40230 处的值，对吧......该值为 0x1AB（是的，我知道，你没有这些信息）......所以，0xFFF4023F – 0x1AB = 0xFFF40094！

6. And then the function returns.. with the value 0xFFF40094 in EAX, so it returns 0xFFF40094, which happens to be the pointer to the FSP_INFO_HEADER structure in the binary.
然后函数返回.的值在 EAX 中0xFFF40094，因此它返回 0xFFF40094，这恰好是指向二进制文件中FSP_INFO_HEADER结构的指针。

• If the FSP was loaded into a different memory address, then the “call $+5” would put the exact memory address of the next instruction into the stack, so when you pop it into eax then substract from it the expected address 0xFFF40244, this means that eax will contain the offset from where it was supposed to be.
如果 FSP 被加载到不同的内存地址，那么 “call $+5” 会将下一条指令的确切内存地址放入堆栈中，因此当您将其弹出到 eax 中，然后从中减去预期的地址0xFFF40244，这意味着 eax 将包含与它应该在的位置的偏移量。

• Above, we said eax would be equal to zero, yes, that’s true, but only in the usecase where the FSP is in the right memory address, as expected, otherwise, eax would simply contain the offset. Then you add to it 0xFFFF4023F which is the address of our function, and with the offset, that means eax now contains the exact memory address of the current function, wherever it was actually placed in RAM!
上面，我们说过 eax 等于零，是的，这是真的，但只有在 FSP 位于正确的内存地址的用例中，正如预期的那样，否则，eax 将仅包含偏移量。然后你向它添加0xFFFF4023F这是我们函数的地址，加上偏移量，这意味着 eax 现在包含当前函数的确切内存地址，无论它实际放置在 RAM 中的哪个位置！

• Then when it grabs the value 0x1AB (because that value is stored in RAM 15 bytes before the start of the function, that will work just fine) and substracts it from our current position, it gives us the address in RAM of the FSP_INFO_HEADER (because the compiler knows that the structure is located exactly 0x1AB bytes before the current function). This just makes everything be relative.
然后，当它获取值 0x1AB（因为该值在函数开始前 15 个字节存储在 RAM 中，这将正常工作）并从我们当前的位置减去它时，它会为我们提供 FSP_INFO_HEADER 的 RAM 地址（因为编译器知道结构位于当前函数之前 0x1AB 个字节）。这只是让一切都是相对的。

• I once spent a few days reverse engineering a function until about 30% of it when I finally realized that the function was… the C++ “+ operator” of the std::string class (which by the way, with the use of C++ templates made it excruciatingly hard to understand)!
我曾经花了几天时间对一个函数进行逆向工程，直到大约 30% 时我终于意识到该函数是......std：：string 类的 C++ “+ 运算符”（顺便说一下，使用 C++ 模板使其非常难以理解）！

• I once had to reverse engineer over 5000 lines of assembly code that all resolved into… 7 lines of C code. The code was for creating a hash and it was doing a lot of manipulation on data with different values on every iteration. There was a LOT of xor, or, and, shifting left and right of data, etc., which took maybe a hundred or so lines of assembly and it was all inside a loop, which the compiler decided that—to optimize it—it would unravel the loop (this means that instead of doing a jmp, it will just copy-paste the same code again), so instead of having to reverse engineer the code once and then see that it’s a loop that runs 64 times, I had to reverse engineer the same code 64 times because it was basically getting copy-pasted by the compiler in a single block but the compiler was “nice” enough that it was using completely different registers for every repetition of the loop, and the data was getting shifted in a weird way and using different constants and different variables at every iteration, and—as if that wasn’t enough— every 1/4th of the loop, changing the algorithm and making it very difficult to predict the pattern, forcing me to completely reverse engineer the 5000+ assembly lines into C, then slowly refactor and optimize the C code until it became that loop with 7 lines of code inside it… If you’re curious you can see the code here at line 39, where there is some operation common to all iterations, then 4 different operations depending on which iteration we are doing, and the variables used for each operation changes after each iteration (P, PP, PPP and PPPP get swapped every time), and the constant values and the indices used are different for each iteration as well (see constants.h). It was complicated and took a long while to reverse engineer.
我曾经不得不对 5000 多行汇编代码进行逆向工程，这些代码都解析为......7 行 C 代码。该代码用于创建哈希，并且在每次迭代中都对具有不同值的数据进行大量操作。有很多 xor、or、and、数据左右移动等，这可能需要一百行左右的组装行，而且它们都在一个循环内，编译器决定——为了优化它——它将解开循环（这意味着它不会执行 jmp，而是再次复制粘贴相同的代码）， 因此，我不必对代码进行一次逆向工程，然后看到它是一个运行 64 次的循环，而是不得不对相同的代码进行 64 次逆向工程，因为它基本上是被编译器在一个块中复制粘贴的，但编译器足够“好”，以至于它每次重复循环都使用完全不同的寄存器， 数据以一种奇怪的方式移动，在每次迭代时都使用不同的常量和不同的变量，而且——好像这还不够——每 1/4 个循环，改变算法并使其难以预测模式，迫使我将 5000+ 条装配线完全逆向工程为 C，然后慢慢重构和优化 C 代码，直到它变成那个里面有 7 行代码的循环......如果你好奇的话，可以在第 39 行看到代码，其中所有迭代都有一些共同的操作，然后是 4 个不同的操作，具体取决于我们正在执行的迭代，并且每次迭代后用于每个操作的变量都会发生变化（P、PP、PPP 和 PPPP 每次都会交换），并且每次迭代使用的常量值和索引也不同（参见 constants.h）。 这很复杂，需要很长时间才能进行逆向工程。

• Below is the calling graph of the PS3 firmware I worked on some years ago. All of these functions have been entirely reverse engineered (each black rectangle is actually an entire function, and the arrows show which function calls which other function), and the result was the ps3xport tool. As you can see, sometimes a function can be challenging to reverse, and sometimes a single function can call so many nested functions that it can get pretty complicated to keep track of what is doing what and how everything fits together. That function at the top of the graph was probably very simple, but it brought with it so much complexity because of a single “call”:
以下是我几年前使用的 PS3 固件的调用图。所有这些函数都完全经过了逆向工程（每个黑色矩形实际上是一个完整的函数，箭头显示哪个函数调用哪个其他函数），结果就是ps3xport工具。正如你所看到的，有时一个函数可能很难逆转，有时一个函数可以调用如此多的嵌套函数，以至于跟踪什么在做什么以及所有东西如何组合在一起可能会变得相当复杂。图顶部的那个函数可能非常简单，但由于一个“调用”，它带来了如此多的复杂性：

• Reverse engineering isn’t just about learning a new language, it’s a very different experience from “learning Java/Python/Rust after you’ve mastered C”, because of the way it works; it can sometimes be very easy and boring, sometimes it will be very challenging for a very simple piece of code.
逆向工程不仅仅是学习一门新语言，它与“掌握了 C 语言后再学习 Java/Python/Rust”的体验截然不同，因为它的工作方式;它有时可能非常简单和无聊，有时对于一段非常简单的代码来说会非常具有挑战性。

• It’s all about perseverance, being very careful (it’s easy to get lost or make a mistake, and very hard to track down and fix a mistake/typo if you make one), and being very patient. We’re talking days, weeks, months. That’s why reverse engineering is something that very few people do (compared to the number of people who do general software development). Remember also that our first example was 82 bytes of code, and the second one was only 19 bytes long, and most of the time, when you need to reverse engineer something, it’s many hundreds of KBs of code.
这一切都是关于毅力，非常小心（很容易迷路或犯错误，如果你犯了错误/错别字，很难追踪和纠正错误/错别字），并且非常有耐心。我们谈论的是几天、几周、几个月。这就是为什么逆向工程是很少有人做的事情（与从事一般软件开发的人数相比）。还要记住，我们的第一个示例是 82 字节的代码，第二个示例只有 19 个字节长，大多数时候，当您需要对某些内容进行逆向工程时，它是数百 KB 的代码。