0

嗨,我遇到了 EXE 格式http://www.delorie.com/djgpp/doc/exe/的问题。

我已经将我的文件作为十六进制加载到我的编辑器(qedit)中,然后我反汇编了它,我很惊讶!

我的 CS 等于 0 和 IP,但我的程序代码(可能是 00000040 ?)稍后开始几个字节,我什至无法确定,因为我写的代码是下一个!

在 00000200 地址上,我可以看到 >my<(由我编写)反汇编代码。

那么你能解释一下 CS:IP(我的 0000:0000)指向哪里(给我地址)吗?因为当我阅读它时,它应该指向我的代码。

00000000 :4D 5A 90 00 03 00 00 00 - 04 00 00 00 FF FF 00 00
00000010 :B8 00 00 00 00 00 00 00 - 40 00 00 00 00 00 00 00
00000020 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000030 :00 00 00 00 00 00 00 00 - 00 00 00 00 A8 00 00 00
00000040 :0E 1F BA 0E 00 B4 09 CD - 21 B8 01 4C CD 21 54 68
00000050 :69 73 20 70 72 6F 67 72 - 61 6D 20 63 61 6E 6E 6F
00000060 :74 20 62 65 20 72 75 6E - 20 69 6E 20 44 4F 53 20
00000070 :6D 6F 64 65 2E 0D 0D 0A - 24 00 00 00 00 00 00 00
00000080 :5D 17 1D DB 19 76 73 88 - 19 76 73 88 19 76 73 88
00000090 :E5 56 61 88 18 76 73 88 - 52 69 63 68 19 76 73 88
000000A0 :00 00 00 00 00 00 00 00 - 50 45 00 00 4C 01 01 00
000000B0 :B8 EC 66 4B 00 00 00 00 - 00 00 00 00 E0 00 0F 01
000000C0 :0B 01 05 0C 00 02 00 00 - 00 00 00 00 00 00 00 00
000000D0 :00 10 00 00 00 10 00 00 - 00 20 00 00 00 00 40 00
000000E0 :00 10 00 00 00 02 00 00 - 04 00 00 00 00 00 00 00
000000F0 :04 00 00 00 00 00 00 00 - 00 20 00 00 00 02 00 00
00000100 :00 00 00 00 03 00 00 00 - 00 00 10 00 00 10 00 00
00000110 :00 00 10 00 00 10 00 00 - 00 00 00 00 10 00 00 00
00000120 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000130 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000140 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000150 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000160 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000170 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000180 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000190 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000001A0 :2E 74 65 78 74 00 00 00 - 1B 00 00 00 00 10 00 00
000001B0 :00 02 00 00 00 02 00 00 - 00 00 00 00 00 00 00 00
000001C0 :00 00 00 00 20 00 00 60 - 00 00 00 00 00 00 00 00
000001D0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000001E0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000001F0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000200 :33 C0 B0 32 50 66 B8 40 - 1F 50 B8 8F 7A 83 7C FF
00000210 :D0 33 C0 50 B8 FA CA 81 - 7C FF D0 00 00 00 00 00
00000220 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000230 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000240 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000250 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000260 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000270 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000280 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000290 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000002A0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000002B0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000002C0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000002D0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000002E0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000002F0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000300 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000310 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000320 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000330 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000340 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000350 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000360 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000370 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000380 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000390 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000003A0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000003B0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000003C0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000003D0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000003E0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000003F0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000400 :
4

2 回答 2

1

您在此处显示的是 .EXE 文件的十六进制视图。

还有另一件事,非常不同,那就是加载到内存中的程序

当您谈论 IP(指令指针,虽然我认为您实际上是指 EIP)时,您正在谈论要执行的下一条指令的内存地址。

运行一个可执行文件将使您的操作系统读取文件,找到部分(代码部分,数据部分等)并将它们映射到内存,创建一个进程。所有内存指针都指向这些位置,而不是可执行文件中的位置。

这就是差异的来源。

注意:作为记录,您提供的不是可执行文件的反汇编。它只是一个十六进制转储(也就是说,您将文件视为一系列十六进制值)。反汇编会显示实际的机器指令(MOV、CMP、JMP 等)。

于 2010-02-01T15:27:37.567 回答
0

IIRC dos exe 不会在绝对地址加载。它分配下一个可用的空闲段,并通过应用修复重新定位起始段(和段的负载)。(可以在您提供的 URL 中看到它的存在)。

段内的偏移量不会重新定位,但由于段每 16 个字节开始,因此不会花费太多的松弛内存。

这是合乎逻辑的,因为在 dos 中加载一些额外的 TSR 可以使二进制文件可以加载的第一个内存的地址更高。

查看链接器和加载器免费电子书,它以连贯的方式解释二进制格式:

http://www.iecc.com/linker/

==== 已添加 ===

哎呀,看到 djgpp 有点晚了。IIRC DJGPP 是 COFF。如果它是 djgpp 生成的,您可能应该查看 DJGPP 提供的实用程序,看看它是否有东西可以检查二进制文件(一个 -dump 程序左右)

于 2010-02-01T15:40:44.397 回答