|
; Excerpt from sym.build_list_node (radare2 disassembly, Intel operand order).
; The prologue and everything after the loop condition are not shown here.
;
; Stack slots as used in this excerpt:
;   var_34h  arg1 (edi); bound the counter is compared against (signed, jle)
;   var_24h  counter, starts at 1, incremented once per iteration
;   var_20h  most recently allocated node (starts as the first node)
;   var_18h  copy of the first node pointer
;   var_8h   node allocated in the current iteration
;   var_10h  zeroed, not used again in this excerpt
; Node as accessed here: 0x18 bytes; dword at +0, qword at +8, qword at +0x10.
;
; NOTE(review): neither malloc result is tested for NULL before it is
;   dereferenced (stores at 0x11f4 and 0x121a).
; NOTE(review): malloc does not zero memory; the first node's dword at +0 is
;   never written in this excerpt, and its +0x10 is written only if the loop
;   body runs at least once.
; NOTE(review): arg1 is not range-checked in this excerpt, so it alone decides
;   how many 0x18-byte nodes get allocated.
│           0x000011bf      mov dword [var_34h], edi    ; arg1
│           0x000011c2      mov qword [var_18h], 0
│           0x000011ca      mov qword [var_10h], 0
│           0x000011d2      mov edi, 0x18               ; size_t size
│           0x000011d7      call sym.imp.malloc         ; void *malloc(size_t size)
// var_20: heap address returned by malloc
// var_24: the counter
//
│           0x000011dc      mov qword [var_20h], rax    ; var_20 = malloc(0x18), stored without a NULL check
│           0x000011e0      mov qword [var_8h], 0
│           0x000011e8      mov rax, qword [var_20h]
│           0x000011ec      mov qword [var_18h], rax    ; var_18 = var_20 (keeps the first node pointer)
│           0x000011f0      mov rax, qword [var_18h]
│           0x000011f4      mov qword [rax + 8], 0      ; *(QWORD*)(var_18 + 8) = 0
│           0x000011fc      mov dword [var_24h], 1      ; var_24 = 1
│       ┌─< 0x00001203      jmp 0x1258                  ; go to the loop-condition check first
│       │   ; CODE XREF from sym.build_list_node @ 0x125e
│      ┌──> 0x00001205      mov edi, 0x18               ; size_t size
│      ╎│   0x0000120a      call sym.imp.malloc         ; void *malloc(size_t size)
│      ╎│   0x0000120f      mov qword [var_8h], rax     ; var_8 = malloc(0x18)
│      ╎│   0x00001213      mov rax, qword [var_8h]
│      ╎│   0x00001217      mov edx, dword [var_24h]    ; edx = var_24
│      ╎│   0x0000121a      mov dword [rax], edx        ; *(DWORD*)var_8 = var_24; var_8 was not checked for NULL
│      ╎│   0x0000121c      mov rax, qword [var_20h]
│      ╎│   0x00001220      mov rdx, qword [var_8h]
│      ╎│   0x00001224      mov qword [rax + 0x10], rdx ; *(QWORD*)(var_20 + 0x10) = var_8 (64-bit store, not a DWORD)
│      ╎│   0x00001228      mov rax, qword [var_20h]
│      ╎│   0x0000122c      mov rdx, qword [var_8h]
│      ╎│   0x00001230      mov qword [rax + 8], rdx    ; *(QWORD*)(var_20 + 8) = var_8
│      ╎│   0x00001234      mov rax, qword [var_8h]
│      ╎│   0x00001238      mov qword [rax + 0x10], 0   ; *(QWORD*)(var_8 + 0x10) = 0
│      ╎│   0x00001240      mov rax, qword [var_8h]     ; rax = var_8
│      ╎│   0x00001244      mov rdx, qword [var_20h]
│      ╎│   0x00001248      mov qword [rax + 8], rdx    ; *(QWORD*)(var_8 + 8) = var_20
│      ╎│   0x0000124c      mov rax, qword [var_8h]
│      ╎│   0x00001250      mov qword [var_20h], rax    ; var_20 = var_8
│      ╎│   0x00001254      add dword [var_24h], 1      ; var_24 += 1
│      ╎│   ; CODE XREF from sym.build_list_node @ 0x1203
│      ╎└─> 0x00001258      mov eax, dword [var_24h]
│      ╎    0x0000125b      cmp eax, dword [var_34h]    ; compare var_24 with arg1
│      └──< 0x0000125e      jle 0x1205                  ; loop while var_24 <= arg1 (signed)
|