Obtaining an Assembly Program through static analysis of the code

Static disassembly is the disassembly of executable code without running it: the assembly program is recovered by static analysis of the code alone, and the program's functions are derived from that listing. The most widely used static disassembly strategy today is recursive traversal, which follows the program's static control flow. It is described briefly below.

The recursive traversal disassembly strategy follows the program's static control flow as it scans the executable code, and so produces a more accurate disassembly than a plain linear scan. In this strategy, every instruction that changes the flow of control (a jump instruction, a call instruction, and so on) is a key point for the disassembler: when such an instruction is scanned, the target address of its jump or call becomes the beginning of a new block (for a conditional jump or a call, the instruction immediately after it is a second successor and is scanned as well).

Return instructions and other instructions that end execution of a routine are the other key point of the scan. When one of these is scanned, it marks the end of the block currently being scanned. With this strategy, data embedded in the program and unreachable (invalid) code are skipped rather than decoded as instructions.

The general process of the strategy is:

global startaddr, endaddr

void disasmrec(addr)
{
    while (startaddr <= addr && addr <= endaddr)
    {
        if (addr has been visited already)
            return;
        I = instruction translated at address addr;
        // I is a pointer to a structure describing the instruction
        mark addr as visited;
        if (I is a jump or call instruction)
        {
            // for a conditional jump or a call the possible targets
            // include the fall-through address addr + length(I)
            for (every possible static target t of I)
                disasmrec(t);
            return;
        }
        else if (I is a return or another instruction that ends the block)
            return;
        else
            addr += length(I);
    }
}

This strategy rests on the assumption that the static control flow of the object file being disassembled can be recovered accurately. If the target program has been prepared with that in mind, for example by routing control transfers through addresses that are only computed at run time, the static control flow becomes much less apparent.

The disassembler then cannot follow the control flow properly, and the disassembly it produces is necessarily incomplete or wrong.
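The following is an added illustration, not code from the original page: a small recursive traversal disassembler written from the pseudocode above, run side by side with a linear sweep over two constructed byte strings. The decoder understands only a handful of real x86 encodings (nop, push/pop rbp, ret, xor r32,r32, mov eax,imm32, jmp/je/jne rel8, call rel32 and an indirect jmp through a register); anything else is reported as "(bad)" with length 1. The first sample shows the traversal skipping embedded data that a linear sweep misdecodes, and the second shows the limitation described above: a jump through a register has no static target, so the block after it is never discovered. The sample byte strings, the instruction subset and all function names are constructed for this example.

```python
"""Recursive traversal vs. linear sweep on a tiny x86 subset (added example)."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Insn:
    addr: int
    length: int
    text: str
    kind: str       # "seq": falls through, "branch": control transfer, "end": ret
    targets: tuple  # statically known successor addresses (empty if unknown)


def decode(code: bytes, addr: int) -> Insn:
    """Decode one instruction of the supported subset at code[addr]."""
    def avail(n):                      # are n bytes available at addr?
        return addr + n <= len(code)

    op = code[addr]
    if op == 0x90:
        return Insn(addr, 1, "nop", "seq", (addr + 1,))
    if op == 0x55:
        return Insn(addr, 1, "push rbp", "seq", (addr + 1,))
    if op == 0x5D:
        return Insn(addr, 1, "pop rbp", "seq", (addr + 1,))
    if op == 0xC3:
        return Insn(addr, 1, "ret", "end", ())
    if op == 0x31 and avail(2) and code[addr + 1] >= 0xC0:   # xor r32, r32 (register form)
        return Insn(addr, 2, "xor r32, r32", "seq", (addr + 2,))
    if op == 0xB8 and avail(5):                             # mov eax, imm32
        imm = struct.unpack_from("<I", code, addr + 1)[0]
        return Insn(addr, 5, f"mov eax, {imm:#x}", "seq", (addr + 5,))
    if op == 0xEB and avail(2):                             # jmp rel8
        target = addr + 2 + struct.unpack_from("<b", code, addr + 1)[0]
        return Insn(addr, 2, f"jmp {target:#x}", "branch", (target,))
    if op in (0x74, 0x75) and avail(2):                     # je / jne rel8
        target = addr + 2 + struct.unpack_from("<b", code, addr + 1)[0]
        mnem = "je" if op == 0x74 else "jne"
        # a conditional jump has two static successors: target and fall-through
        return Insn(addr, 2, f"{mnem} {target:#x}", "branch", (target, addr + 2))
    if op == 0xE8 and avail(5):                             # call rel32
        target = addr + 5 + struct.unpack_from("<i", code, addr + 1)[0]
        return Insn(addr, 5, f"call {target:#x}", "branch", (target, addr + 5))
    if op == 0xFF and avail(2) and 0xE0 <= code[addr + 1] <= 0xE7:   # jmp r64
        # The target is in a register: there is nothing static to follow.
        return Insn(addr, 2, "jmp r64 (indirect)", "branch", ())
    return Insn(addr, 1, f"(bad) {op:#04x}", "seq", (addr + 1,))


def linear_sweep(code: bytes, start: int = 0) -> dict:
    """Decode every byte in order, whatever it is; returns {addr: Insn}."""
    insns, addr = {}, start
    while addr < len(code):
        insns[addr] = decode(code, addr)
        addr += insns[addr].length
    return insns


def recursive_traversal(code: bytes, entry: int) -> dict:
    """The page's disasmrec(): follow static control flow from entry."""
    insns = {}

    def disasmrec(addr):
        while 0 <= addr < len(code):
            if addr in insns:                 # already visited
                return
            i = decode(code, addr)
            insns[addr] = i
            if i.kind == "end":               # ret ends the block
                return
            if i.kind == "branch":            # jump/call: recurse on each static target
                for t in i.targets:
                    disasmrec(t)
                return
            addr += i.length                  # plain instruction: fall through

    disasmrec(entry)
    return insns


# Constructed sample 1: both jumps skip three data bytes at 0x07..0x09 whose
# first byte, 0xB8, looks to a linear sweep like a 5-byte "mov eax, imm32".
PROGRAM = bytes([
    0x31, 0xC0,                     # 0x00: xor eax, eax
    0x75, 0x06,                     # 0x02: jne 0x0a
    0x90,                           # 0x04: nop
    0xEB, 0x03,                     # 0x05: jmp 0x0a
    0xB8, 0xEF, 0xBE,               # 0x07: embedded data, not code
    0xE8, 0x02, 0x00, 0x00, 0x00,   # 0x0a: call 0x11
    0x90,                           # 0x0f: nop
    0xC3,                           # 0x10: ret
    0x55, 0x5D, 0xC3,               # 0x11: push rbp / pop rbp / ret
])

# Constructed sample 2: the jump target is computed into a register, so the
# static control flow ends at 0x05 and the block at 0x07 is never discovered.
OPAQUE = bytes([
    0xB8, 0x07, 0x00, 0x00, 0x00,   # 0x00: mov eax, 7
    0xFF, 0xE0,                     # 0x05: jmp rax
    0x90,                           # 0x07: nop  (reached only at run time)
    0xC3,                           # 0x08: ret
])

if __name__ == "__main__":
    for name, res in (("linear", linear_sweep(PROGRAM)),
                      ("recursive", recursive_traversal(PROGRAM, 0))):
        print(name, [f"{a:#x}: {i.text}" for a, i in sorted(res.items())])
    print("statically reachable in OPAQUE:", sorted(recursive_traversal(OPAQUE, 0)))
```

On the first sample the linear sweep swallows the call at 0x0a inside a bogus mov decoded from the data bytes and only resynchronises at 0x0f, while the recursive traversal never looks at 0x07..0x09 at all. On the second sample the situation is reversed: the traversal stops at the indirect jump and reports only two instructions, and recovering the rest needs either a value analysis of eax or a run-time trace, which is exactly the gap the text describes.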