希望大家?guī)兔獯? delphi的函數(shù) 的參數(shù)傳遞方式 從我反匯編的代碼來(lái)看好像不光是簡(jiǎn)單的壓棧,涉及到了多個(gè)寄存器
關(guān)于delphi 的函數(shù)調(diào)用和參數(shù)傳遞方式深入研究
delphi 代碼如下:
program Project1;
uses windows, SysUtils;
function a(d, dd: word; s, j, f: string): word;
begin
d := d - 1;
result := d + dd;
messagebox(0, pchar(inttostr(d) + s), pchar(inttostr(dd)), $0);
end;
var s: string;
begin
s := 'sssssssssss';
{ asm
mov dx,$11
mov ax,$33
call a;
end; }
a($33, $11, 'sssss', s, s);
end.
匯編代碼:
00407CA8 . 447C4000 DD Project1.00407C44
00407CAC > $ 55 PUSH EBP //保存棧頂
00407CAD . 8BEC MOV EBP,ESP //初始化堆棧
00407CAF . 83C4 F0 ADD ESP,-10 //開(kāi)辟10個(gè)字節(jié)的棧
00407CB2 . B8 6C7C4000 MOV EAX,Project1.00407C6C
00407CB7 . E8 34C7FFFF CALL Project1.004043F0
00407CBC . 33C0 XOR EAX,EAX //EAX清0
00407CBE . 55 PUSH EBP //保存棧頂
00407CBF . 68 037D4000 PUSH Project1.00407D03 //保存返回地址
00407CC4 . 64:FF30 PUSH DWORD PTR FS:[EAX] //
00407CC7 . 64:8920 MOV DWORD PTR FS:[EAX],ESP //
00407CCA . B8 48984000 MOV EAX,Project1.00409848
00407CCF . BA 187D4000 MOV EDX,Project1.00407D18 ; ASCII "sssssssssss" //初始化局部變量
00407CD4 . E8 2FB9FFFF CALL Project1.00403608
00407CD9 . 68 2C7D4000 PUSH Project1.00407D2C ; ASCII "jjjjjjjjjj"
00407CDE . 68 407D4000 PUSH Project1.00407D40 ; ASCII "ffffffffffff"
00407CE3 . B9 587D4000 MOV ECX,Project1.00407D58 ; ASCII "sssss"
00407CE8 . 66:BA 1100 MOV DX,11
00407CEC . 66:B8 3300 MOV AX,33
00407CF0 . E8 9BFEFFFF CALL Project1.00407B90 //調(diào)用函數(shù)
00407CF5 . 33C0 XOR EAX,EAX
00407CF7 . 5A POP EDX
00407CF8 . 59 POP ECX
00407CF9 . 59 POP ECX
00407CFA . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00407CFD . 68 0A7D4000 PUSH Project1.00407D0A
00407D02 > C3 RETN ; RET used as a jump to 00407D0A
00407D03 .^E9 D4B2FFFF JMP Project1.00402FDC
00407D08 .^EB F8 JMP SHORT Project1.00407D02
00407D0A E8 DB E8
00407D0B B5 DB B5
00407D0C B7 DB B7
00407D0D FF DB FF
00407D0E FF DB FF
00407D0F 00 DB 00
00407D10 . FFFFFFFF DD FFFFFFFF
00407D14 . 0B000000 DD 0000000B
00407D18 . 73 73 73 73 73>ASCII "sssssssssss",0
00407D24 . FFFFFFFF DD FFFFFFFF
00407D28 . 0A000000 DD 0000000A
00407D2C . 6A 6A 6A 6A 6A>ASCII "jjjjjjjjjj",0
00407D37 00 DB 00
00407D38 . FFFFFFFF DD FFFFFFFF
00407D3C . 0C000000 DD 0000000C
00407D40 . 66 66 66 66 66>ASCII "ffffffffffff",0
00407D4D 00 DB 00
00407D4E 00 DB 00
00407D4F 00 DB 00
00407D50 . FFFFFFFF DD FFFFFFFF
00407D54 . 05000000 DD 00000005
00407D58 . 73 73 73 73 73>ASCII "sssss",0
function a(d, dd: word; s, j, f: string): word;
函數(shù)的代碼:
00407B90 /$ 55 PUSH EBP
00407B91 |. 8BEC MOV EBP,ESP
00407B93 |. 6A 00 PUSH 0
00407B95 |. 6A 00 PUSH 0
00407B97 |. 6A 00 PUSH 0
00407B99 |. 53 PUSH EBX
00407B9A |. 56 PUSH ESI
00407B9B |. 57 PUSH EDI
00407B9C |. 894D FC MOV DWORD PTR SS:[EBP-4],ECX
00407B9F |. 8BF2 MOV ESI,EDX
00407BA1 |. 8BD8 MOV EBX,EAX
00407BA3 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00407BA6 |. E8 49BDFFFF CALL Project1.004038F4
00407BAB |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00407BAE |. E8 41BDFFFF CALL Project1.004038F4
00407BB3 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00407BB6 |. E8 39BDFFFF CALL Project1.004038F4
00407BBB |. 33C0 XOR EAX,EAX
00407BBD |. 55 PUSH EBP
00407BBE |. 68 317C4000 PUSH Project1.00407C31
00407BC3 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00407BC6 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00407BC9 |. 4B DEC EBX
00407BCA |. 8D3C1E LEA EDI,DWORD PTR DS:[ESI+EBX]
00407BCD |. 6A 00 PUSH 0
00407BCF |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00407BD2 |. 0FB7C6 MOVZX EAX,SI
00407BD5 |. E8 5AD6FFFF CALL Project1.00405234
00407BDA |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00407BDD |. E8 22BDFFFF CALL Project1.00403904
00407BE2 |. 50 PUSH EAX
00407BE3 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
00407BE6 |. 0FB7C3 MOVZX EAX,BX
00407BE9 |. E8 46D6FFFF CALL Project1.00405234
00407BEE |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00407BF1 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00407BF4 |. E8 33BCFFFF CALL Project1.0040382C
00407BF9 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00407BFC |. E8 03BDFFFF CALL Project1.00403904
00407C01 |. 50 PUSH EAX ; |Text
00407C02 |. 6A 00 PUSH 0 ; |hOwner = NULL
00407C04 |. E8 23C9FFFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA //這里stdcall方式調(diào)用messagebox
00407C09 |. 33C0 XOR EAX,EAX
00407C0B |. 5A POP EDX
00407C0C |. 59 POP ECX
00407C0D |. 59 POP ECX
00407C0E |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00407C11 |. 68 387C4000 PUSH Project1.00407C38
00407C16 |> 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00407C19 |. BA 03000000 MOV EDX,3
00407C1E |. E8 B5B9FFFF CALL Project1.004035D8
00407C23 |. 8D45 08 LEA EAX,DWORD PTR SS:[EBP+8]
00407C26 |. BA 02000000 MOV EDX,2
00407C2B |. E8 A8B9FFFF CALL Project1.004035D8
00407C30 \. C3 RETN
debug registers :
eax 00000000
ecx 00010101
edx ffffffff
ebx 7ffdf000
esp 0012ffc0
ebp 0012fff0
esi 00000000
edi 0012d870
eip 00407cad project1.<ModuleEntryPoint>
00407CCA . B8 48984000 MOV EAX,Project1.00409848
00407CCF . BA 187D4000 MOV EDX,Project1.00407D18 ; ASCII "sssssssssss" //初始化局部變量
00407CD4 . E8 2FB9FFFF CALL Project1.00403608
00407CD9 . 68 2C7D4000 PUSH Project1.00407D2C ; ASCII "jjjjjjjjjj"
00407CDE . 68 407D4000 PUSH Project1.00407D40 ; ASCII "ffffffffffff"
00407CE3 . B9 587D4000 MOV ECX,Project1.00407D58 ; ASCII "sssss"
00407CE8 . 66:BA 1100 MOV DX,11
00407CEC . 66:B8 3300 MOV AX,33
00407CF0 . E8 9BFEFFFF CALL Project1.00407B90 //調(diào)用函數(shù)
函數(shù)原型為function a(d, dd: word; s, j, f: string): word;
他的執(zhí)行順序是 先把J ,f 壓棧 , 把 s 存入 ecx ,然后,將 dd,d 分別存入 dx 和 ax ,delphi到底按照什么順序來(lái)處理參數(shù)d啊
Directive Parameter order Clean-upPasses parameters in registers?
register Left-to-right Routine Yes
pascal Left-to-right Routine No
cdecl Right-to-left Caller No
stdcall Right-to-left Routine No
safecall Right-to-left Routine No
參數(shù)傳遞方式:
Delphi中有自己的參數(shù)傳遞方式,而Windows API也有自己的參數(shù)傳遞方式,那么他們之間有什么不同呢,要如何做到兼容呢,尤其是在編寫(xiě)動(dòng)態(tài)庫(kù)時(shí)?
(1)cdecl:
通常是C/C++所使用的參數(shù)傳遞方式,它的傳遞方式是由右到左,而且當(dāng)被調(diào)用的函數(shù)結(jié)束之后,將會(huì)由調(diào)用函數(shù)本身來(lái)清除堆棧上的參數(shù)數(shù)據(jù).
(2)stdcall:
參數(shù)傳遞方式,也是由右到左,但是當(dāng)被調(diào)用的函數(shù)結(jié)束之后,則是由被調(diào)用函數(shù)來(lái)清除堆棧上的參數(shù)數(shù)據(jù),Win32API所有的輸出函數(shù)都是采用此中參數(shù)傳遞方式
(3)pascal:
是Delphi1.0與win16API所使用的參數(shù)傳遞方式,它的傳遞方式是由左到右,而且由被調(diào)用函數(shù)來(lái)清除堆棧上的參數(shù)數(shù)據(jù).
(4)fastcall:
是Delphi默認(rèn)所使用的參數(shù)傳遞方式,此種方式在傳遞參數(shù)時(shí)把前三個(gè)參數(shù)放在CPU的EAX,EDX,ECX三個(gè)緩存器種,剩下的參數(shù)則會(huì)由左到右地被取出放到堆棧中,而當(dāng)被調(diào)用的函數(shù)結(jié)束之 后,則是由被調(diào)用函數(shù)來(lái)清除堆棧上的參數(shù)數(shù)據(jù).
注:所以在引用C++動(dòng)態(tài)庫(kù)中的函數(shù)時(shí),要注意參數(shù)的傳遞方式,一般使用stdcall.還要注意字符串類型,C++在傳遞字符串時(shí),都是采用字符指針的
類型(Char *),所以你在Delphi的程序中就必 須使用PCHAR類型,而不是string類型.
Delphi編譯代碼和一般的C編譯代碼不太一樣,比如調(diào)用約定中,C的thiscall用ECX傳遞this指針,而Delphi的thiscall用
EAX傳遞this指針;C的fastcall一般用ECX/EDX兩個(gè)寄存器用于參數(shù)傳遞,而Delphi則用三個(gè)EAX/EDX/ECX;在使用浮點(diǎn)
數(shù)時(shí),C通過(guò)壓棧兩個(gè)DWORD傳遞double參數(shù),而Delphi則用FLD和FSTP直接通過(guò)FPU傳遞參數(shù)。修飾名也不一樣,這里不加敘述。
關(guān)于調(diào)用約定參考
http://baby.homeip.net/patrick/archives/000142.php
目前的IDA尚不支持加載.MAP/.SYM符號(hào)信息,根據(jù)DataRescue網(wǎng)站的說(shuō)明,可以通過(guò).IDC腳本加載(
http://www.ccso.com/faq.html)。DeDe的IDA/Softice符號(hào)輸出中據(jù)說(shuō)可以自動(dòng)檢測(cè)運(yùn)行的Soft-ICE并向其導(dǎo)入符號(hào),但實(shí)際使用時(shí)不是很靈光,根據(jù).MAP文件格式可以寫(xiě)一個(gè)程序?qū)⑵滢D(zhuǎn)換成.IDC腳本:
#!/usr/bin/perl
use strict;
sub dump_idc;
my $hex_pat = "[0-9A-Fa-f]+";
my $start;
my @entries;
while (<>) {
chop;
if ($start eq ''--fetch-next'') {
# start, length, name, class
($start) = m/$hex_pat:($hex_pat)\s+($hex_pat)H\s+(\w+)\s+(\w+)/;
if (!$start) {
print STDERR "Invalid .map file format!";
exit -1;
}
$start = hex($start);
next;
}
if (m/Start\s+Length\s+Name\s+Class/) {
$start = ''--fetch-next'';
next;
}
if (m/$hex_pat:($hex_pat)\s*(.*)$/) {
my ($offset, $entry) = (hex($1), $2);
my $rva = $offset + $start;
push @entries, [$rva, $entry];
}
}
@entries = sort { $a->[0] cmp $b->[0] } @entries;
&dump_idc;
sub dump_idc {
print "static main() {\n";
foreach (@entries) {
my ($rva, $entry) = @$_;
#$rva = hex($rva);
$entry =~ s/^\*/\$/;
$entry =~ s/^[<>\-]*//;
$entry =~ s/\(.*$//;
$entry =~ s/:.*$//;
$entry =~ s/\./?/;
$entry =~ s/\[([0-9]+)\]/_$1/g;
$entry =~ s/\[.*$/_$rva/;
$entry =~ s/;.*$//;
$entry =~ s/^\s *//;
next if !$entry;
printf "MakeName(0x%x, \"$entry\");\n", $rva, $entry;
}
print "}\n";
}
1;
有些程序在檢驗(yàn)注冊(cè)碼時(shí)通過(guò)拋出異常等行為確定是否注冊(cè)成功,關(guān)于異常Matt Pietrek有一篇著名文章
http://www.microsoft.com/msj/0197/Exception/Exception.aspx值得一讀。從匯編代碼上看,所有try/catch塊都有類似的結(jié)構(gòu):
CODE:004BDE4C xor eax, eax
CODE:004BDE4E push ebp
CODE:004BDE4F push offset loc_4BDE92
CODE:004BDE54 push dword ptr fs:[eax] ; 保存上一個(gè)handler
CODE:004BDE57 mov fs:[eax], esp
CODE:004BDE92 loc_4BDE92:
CODE:004BDE92 jmp _Any2_Handler_DevErr?
CODE:004BDE97 jmp short loc_4BDE89
CODE:004BDEEA pop edx ; 上一個(gè)handler
CODE:004BDEEB pop ecx
CODE:004BDEEC pop ecx
CODE:004BDEED mov fs:[eax], edx ; 恢復(fù)
注意到4BDE97H處代碼未被執(zhí)行,這是怎么回事呢?原來(lái)它是finally對(duì)應(yīng)的塊,SEH內(nèi)核會(huì)根據(jù)push offset
loc_4BDE92自動(dòng)得到4BDE97H的finally入口地址。因此在調(diào)試有異常處理的程序時(shí),有時(shí)需要在handler和finally的處理
程序處也設(shè)置斷點(diǎn)。
今天先到這里,可能的話下次再貼。
在周愛(ài)民的著作《DELPHI源代碼分析》中,對(duì)此有描述。