Network security programming: C language reverse loop structure analysis

[[392807]]

The loop structures of C language include for loop, while loop, do loop and goto loop. This article introduces the first three loop methods.

1. for loop structure

The for loop can also be called a step loop. Its characteristic is that it is often used to define the scope of the loop. Let's look at a simple C language code, as follows:

 #include < stdio.h >    
 int main()  
 {  
 int nNum = 0 , nSum = 0 ;  
  for ( nNum = 1 ; nNum < = 100; nNum ++ )  
 {  
 nSum += nNum;  
 }  
  printf(" nSum = %d \r\n", nSum);
 return 0;  
 }

This is a typical program for finding the cumulative sum of 1 to 100. Through this program, we can understand the disassembly code of the for loop structure.

 .text:00401028 mov [ebp+nNum], 0  
 .text:0040102F mov [ebp+nSum], 0  
 .text:00401036 mov [ebp+nNum], 1  
 .text:0040103D jmp short LOC_CMP  
 .text:0040103F ; ---------------------------------------------------------------  
 .text:0040103F  
 .text:0040103F LOC_STEP: ; CODE XREF: _main+47j  
 .text:0040103F mov eax, [ebp+nNum]  
 .text:00401042 add eax, 1  
 .text:00401045 mov [ebp+nNum], eax  
 .text:00401048
 .text:00401048 LOC_CMP: ; CODE XREF: _main+2Dj  
 .text:00401048 cmp [ebp+nNum], 64h  
 .text:0040104C jg short LOC_ENDFOR  
 .text:0040104E mov ecx, [ebp+nSum]  
 .text:00401051 add ecx, [ebp+nNum]  
 .text:00401054 mov [ebp+nSum], ecx  
 .text:00401057 jmp short LOC_STEP  
 .text:00401059 ; ---------------------------------------------------------------  
 .text:00401059  
 .text:00401059 LOC_ENDFOR: ; CODE XREF: _main+3Cj  
 .text:00401059 mov edx, [ebp+nSum]  
 .text:0040105C push edx  
 .text:0040105D push offset Format; " nSum = %d \r\n"  
 .text:00401062 call _printf  
 .text:00401067 add esp, 8  
 .text:0040106A xor eax, eax

This time, the disassembled code has modified the variables and labels, which looks more intuitive. From the modified labels, the for structure can be divided into three parts: the part above LOC_STEP is the initialization part, the part below LOC_STEP is the part that modifies the loop variable, and the part below LOC_CMP and above LOC_ENDFOR is the part that compares the loop condition and the loop body.

The disassembled structure of the for loop is as follows:

 ; Initialize loop variables  
 jmp LOC_CMP  
 LOC_STEP:  
 ; Modify loop variable  
 LOC_CMP:  
 ; Loop variable determination  
 jxx LOC_ENDFOR  
 ; Loop body  
 jmp LOC_STEP  
 LOC_ENDOF:

Let’s use IDA to look at the generated process structure diagram, as shown in Figure 1.

Figure 1 Flowchart of the for structure

2. do…while loop structure

The body of the do loop is always executed once, which is the difference between the do loop and the while loop. Here is the code for adding 1 to 100. Let's take a look at its disassembly structure. First, let's look at the C language code, as follows:

 #include < stdio.h >    
 int main()  
 {  
 int nNum = 1 , nSum = 0 ;  
 do  
 {  
 nSum += nNum;  
 nNum++;  
 } while ( nNum < = 100 );  
  printf(" nSum = %d \r\n", nSum);  
 return 0;  
 }

The structure of the do loop is much simpler than that of the for loop, and the disassembled code is much less. Let's first look at the flowchart generated by IDA, as shown in Figure 2.

Figure 2 do loop flow chart

The disassembled code is as follows:

 .text:00401028 mov [ebp+nNum], 1  
 .text:0040102F mov [ebp+nSum], 0  
 .text:00401036  
 .text:00401036 LOC_DO: ; CODE XREF: _main+3Cj  
 .text:00401036 mov eax, [ebp+nSum]
 .text:00401039 add eax, [ebp+nNum]  
 .text:0040103C mov [ebp+nSum], eax  
 .text:0040103F mov ecx, [ebp+nNum]  
 .text:00401042 add ecx, 1  
 .text:00401045 mov [ebp+nNum], ecx  
 .text:00401048 cmp [ebp+nNum], 64h  
 .text:0040104C jle short LOC_DO  
 .text:0040104E mov edx, [ebp+nSum]  
 .text:00401051 push edx  
 .text:00401052 push offset Format; " nSum = %d \r\n"  
 .text:00401057 call _printf  
 .text:0040105C add esp, 8  
 .text:0040105F xor eax, eax

The body of the do loop is between LOC_DO and the jle of 0040104C. Its structure is as follows:

 ; Initialize loop variables  
 C_DO:  
 ; Execute loop body  
 ; Modify loop variable  
 ; Comparison of loop variables  
 Jxx LOC_DO

3. While loop structure

The difference between a while loop and a do loop is that a conditional check must be performed before entering the loop body. The loop body may not be executed once because the loop condition is not met.

 #include < stdio.h >    
 int main()  
 {  
 int nNum = 1 , nSum = 0 ;  
 while ( nNum < = 100 )  
 {  
 nSum += nNum;  
 nNum++;  
 }  
  printf(" nSum = %d \r\n", nSum);  
 return 0;
 }

Let's take a look at its disassembled code. The while loop has one more condition than the do loop, so there is one more branch. The disassembled code is as follows:

 .text:00401028 mov [ebp+nNum], 1  
 .text:0040102F mov [ebp+nSum], 0  
 .text:00401036  
 .text:00401036 LOC_WHILE: ; CODE XREF: _main+3Ej  
 .text:00401036 cmp [ebp+nNum], 64h  
 .text:0040103A jg short LOC_WHILEEND  
 .text:0040103C mov eax, [ebp+nSum]  
 .text:0040103F add eax, [ebp+nNum]  
 .text:00401042 mov [ebp+nSum], eax  
 .text:00401045 mov ecx, [ebp+nNum]  
 .text:00401048 add ecx, 1  
 .text:0040104B mov [ebp+nNum], ecx  
 .text:0040104E jmp short LOC_WHILE  
 .text:00401050 ; ---------------------------------------------------------------  
 .text:00401050  
 .text:00401050 LOC_WHILEEND: ; CODE XREF: _main+2Aj  
 .text:00401050 mov edx, [ebp+nSum]  
 .text:00401053 push edx  
 .text:00401054 push offset Format; " nSum = %d \r\n"  
 .text:00401059 call _printf  
 .text:0040105E add esp, 8  
 .text:00401061 xor eax, eax

The main part of the while loop is between LOC_WHILE and LOC_WHILEEND. The two sentences below LOC_WHILE are cmp and jxx instructions, and the jmp instruction is above LOC_WHILEEND. These two parts are in a fixed format, and their structure is organized as follows:

 ; Initialize loop variables, etc.  
 LOC_WHILE:  
 cmp xxx, xxx  
 jxx LOC_WHILEEND  
 ; Loop body  
 jmp LOC_WHILE  
 LOC_WHILEEND:

Let’s take a look at the flowchart generated by IDA, as shown in Figure 3.

Figure 3 while loop flow chart

Among the three types of loops, for loop, do loop and while loop, the do loop is obviously more efficient, and the while loop is relatively more efficient than the for loop.