關(guān)于NX30的UF_MTX3_rotate_about_axis的逆向分析研究

1、注:按F5快捷健是IDA一個(gè)很好用的插件功能,能大大減少逆向程序員的工作強(qiáng)度,但是對(duì)于一些復(fù)雜的邏輯處理的還是不很好extern void UF_MTX3_rotate_about_axis (const double rotation_axis 3 , double rotation_angle, double mtx 9 );const double rotation_axis 3 InputVector of the rotation axisdouble rotation_angleInputAngle of the rotation (in radians)double mtx 9

2、OutputRotation MatrixUF_MTX3_rotate_about_axis是UgOpen里的一個(gè)輸出旋轉(zhuǎn)矩陣的函數(shù),他輸入一個(gè)旋轉(zhuǎn)軸,一個(gè)角度,輸出一個(gè)旋轉(zhuǎn)用的3維矩陣用IDA打開(kāi)libufun.dll找到UF_MTX3_rotate_about_axis經(jīng)更改調(diào)用函數(shù)參數(shù)顯示如下:; int _cdecl UF_MTX3_rotate_about_axis(int rotation_axis, double rotation_angle, int mtx) public _UF_MTX3_rotate_about_axis_UF_MTX3_rotate_about_axis

3、 proc near ; DATA XREF: .rdata:off_1033A6E8ovar_10= qword ptr -10hrotation_axis= dword ptr 8rotation_angle= qword ptr 0Chmtx = dword ptr 14h push ebp mov ebp, esp mov eax, ebp+mtx fld ebp+rotation_angle ; 把傳進(jìn)來(lái)的參數(shù)放入st0中 mov ecx, ebp+rotation_axis push eax push ecx sub esp, 8 ; 抬高棧8個(gè)字節(jié) fstp esp+10h+va

4、r_10 ; 將st0的值放入抬高棧的空間里 ; const double rotation_axis 3 , ; double rotation_angle, ; double mtx 9 ) call ds:_imp_?MTX3_rot_about_axisYAXNPBUVEC3_sPAUMTX3_sZ ; ; 調(diào)用NX內(nèi)核函數(shù) ; 注意參數(shù)位置調(diào)換過(guò) add esp, 10h ; c調(diào)用約定,將棧降低16個(gè)字節(jié) pop ebp retn_UF_MTX3_rotate_about_axis endp按下F5顯示如下void _cdecl UF_MTX3_rotate_about_axis(

5、const struct VEC3_s *rotation_axis, double rotation_angle, struct MTX3_s *mtx) MTX3_rot_about_axis(rotation_angle, rotation_axis, mtx);可見(jiàn)UF_MTX3_rotate_about_axis調(diào)用了MTX3_rot_about_axis,并且把參數(shù)的位置更改變化了MTX3_rot_about_axis這個(gè)函數(shù)在libugmath.dll里同樣用IDA打開(kāi)libugmath.dll找到MTX3_rot_about_axis函數(shù)顯示如下:; void _cdecl M

6、TX3_rot_about_axis(double rotation_angle, double *rotation_axis, const struct MTX3_s *mtx) public ?MTX3_rot_about_axisYAXNPBUVEC3_sPAUMTX3_sZ?MTX3_rot_about_axisYAXNPBUVEC3_sPAUMTX3_sZ proc near ; CODE XREF: ARC_SPLINE_ask_bisector_of_inscribed_angle(VEC3_s *,VEC3_s *,PNT3_s *,VEC3_s *,double,double

7、 *,double *,int *,VEC3_s *,PLN3_s *)+169p ; ARC_SPLINE_cre_matrix_of_rotation_around_axis(VEC3_s *,double,MTX3_s *)+1Ap .var_30= qword ptr -30hvar_28= qword ptr -28hunit_vec= qword ptr -20hmagnitude= qword ptr -8rotation_angle= qword ptr 8rotation_axis= dword ptr 10hmtx = dword ptr 14h push ebp mov

8、ebp, esp sub esp, 20h fld ds:_real3ddb7cdfd9d7bdbb ; 參數(shù)2,壓入st0 mov edx, ebp+rotation_axis lea eax, ebp+unit_vec push eax ; 參數(shù)4 lea ecx, ebp-8 push ecx ; 參數(shù)3 sub esp, 8 fstp esp+30h+var_30 ; 參數(shù)2,從st0彈出 push edx ; 參數(shù)1 call ?VEC3_unitizeYAHPBUVEC3_sNPANPAU1Z ; VEC3_unitize(VEC3_s const *,double,double

9、*,VEC3_s *) add esp, 14h test eax, eax jz short loc_201CBCB6 fld ebp+rotation_angle fsin fld ebp+rotation_angle fcos jmp short loc_201CBCC2; -loc_201CBCB6: ; CODE XREF: MTX3_rot_about_axis(double,VEC3_s const *,MTX3_s *)+28j fld ds:_real0000000000000000 fld ds:_real3ff0000000000000loc_201CBCC2: ; CO

10、DE XREF: MTX3_rot_about_axis(double,VEC3_s const *,MTX3_s *)+34j mov eax, ebp+mtx ; EAX fxch st(1) sub esp, 10h fstp esp+30h+var_28 lea ecx, ebp+unit_vec ; ECX fstp esp+30h+var_30 call sub_201CB3C0 add esp, 10h mov esp, ebp pop ebp retn?MTX3_rot_about_axisYAXNPBUVEC3_sPAUMTX3_sZ endp按下F5顯示如下:void _c

11、decl MTX3_rot_about_axis(double rotation_angle, double *rotation_axis, const struct MTX3_s *mtx) double fCos; / st62 double fSin; / st72 double unit_vec3; / sp+10h bp-20h1 double magnitude; / sp+28h bp-8h1 if ( VEC3_unitize(rotation_axis, 1.0e-10, &magnitude, unit_vec) ) fSin = sin(rotation_angl

12、e); fCos = cos(rotation_angle); else fSin = 0.0; fCos = 1.0; sub_201CB3C0(mtx, unit_vec, fCos, fSin);可見(jiàn)他先調(diào)用VEC3_unitize函數(shù)看看輸入的矢量是否是初始話的,如果初始化失敗,就 fSin = 0.0; fCos = 1.0;然后調(diào)用sub_201CB3C0這個(gè)子函數(shù)分析VEC3_unitize函數(shù); int _cdecl VEC3_unitize(double *rotation_axis, double a2, double *magnitude, double *unit_ve

13、c) public ?VEC3_unitizeYAHPBUVEC3_sNPANPAU1Z?VEC3_unitizeYAHPBUVEC3_sNPANPAU1Z proc near ; CODE XREF: ARC_SPLINE_ask_3pts_collinearity_3d(PNT3_s *,PNT3_s *,PNT3_s *,double *,int *)+D5p ; ARC_SPLINE_adjust_vec_on_pln(uchar,VEC3_s *,VEC3_s *)+44p .var_8= qword ptr -8rotation_axis= dword ptr 8a2 = qwor

14、d ptr 0Chmagnitude= dword ptr 14hunit_vec= dword ptr 18h push ebp mov ebp, esp sub esp, 8 mov eax, ds:_imp_?MACH_checking_level3HA ; int MACH_checking_level cmp dword ptr eax, 0 push esi mov esi, ebp+rotation_axis jle short loc_201DB4EE fld qword ptr esi fabs fcomp ds:_real43e158e460913d00 fnstsw ax

15、 test ah, 5 jp short loc_201DB4D9 fld qword ptr esi+8 fabs fcomp ds:_real43e158e460913d00 fnstsw ax test ah, 5 jp short loc_201DB4D9 fld qword ptr esi+10h fabs fcomp ds:_real43e158e460913d00 fnstsw ax test ah, 5 jnp short loc_201DB4EEloc_201DB4D9: ; CODE XREF: VEC3_unitize(VEC3_s const *,double,doub

16、le *,VEC3_s *)+23j ; VEC3_unitize(VEC3_s const *,double,double *,VEC3_s *)+35j push offset aVec3_is_finite ; "VEC3_is_finite (u)" push 44h push offset aDUgnx30Sand_16 ; "D:ugnx30sandboxsrcugmathnoindvec". call ds:_imp_?ERROR_assertion_failedYAXPBDH0Z ; ERROR_assertion_failed(char

17、 const *,int,char const *) add esp, 0Chloc_201DB4EE: ; CODE XREF: VEC3_unitize(VEC3_s const *,double,double *,VEC3_s *)+12j ; VEC3_unitize(VEC3_s const *,double,double *,VEC3_s *)+47j fld qword ptr esi+10h fld qword ptr esi+8 fld qword ptr esi fld st fmul st, st(1) fstp ebp+var_8 fstp st fld st fmul

18、 st, st(1) fld st(2) fmul st, st(3) faddp st(1), st fadd ebp+var_8 fabs fld ebp+a2 fmul ebp+a2 fcompp fnstsw ax fstp st test ah, 1 fstp st jz short loc_201DB568 fld qword ptr esi+10h mov ecx, ebp+magnitude fld qword ptr esi+8 mov eax, 1 fld st fmul st, st(1) fld st(2) fmul st, st(3) faddp st(1), st

19、fadd ebp+var_8 fsqrt fstp st(2) fstp st fld st fstp qword ptr ecx mov ecx, ebp+unit_vec fdivr ds:_real3ff0000000000000 fld st fmul qword ptr esi fstp qword ptr ecx fld st fmul qword ptr esi+8 fstp qword ptr ecx+8 fmul qword ptr esi+10h pop esi fstp qword ptr ecx+10h mov esp, ebp pop ebp retn; -loc_2

20、01DB568: ; CODE XREF: VEC3_unitize(VEC3_s const *,double,double *,VEC3_s *)+8Fj fld ds:_real0000000000000000 mov edx, ebp+magnitude mov ecx, ebp+unit_vec fstp qword ptr edx fld ds:_real0000000000000000 xor eax, eax fstp qword ptr ecx pop esi fld ds:_real0000000000000000 fstp qword ptr ecx+8 fld ds:_

21、real0000000000000000 fstp qword ptr ecx+10h mov esp, ebp pop ebp retn?VEC3_unitizeYAHPBUVEC3_sNPANPAU1Z endpF5后有:int _cdecl VEC3_unitize(double *rotation_axis, double a2, double *magnitude, double *unit_vec) int result; / eax7 double v5; / st57 double v6; / sp+4h bp-8h6 if ( MACH_checking_level >

22、 0 ) if ( fabs(*rotation_axis) >= 1.0e19 | fabs(rotation_axis1) >= 1.0e19 | fabs(rotation_axis2) >= 1.0e19 ) ERROR_assertion_failed("D:ugnx30sandboxsrcugmathnoindvec3.c", 68, "VEC3_is_finite (u)"); v6 = *rotation_axis * *rotation_axis; if ( a2 * a2 >= fabs(rotation_ax

23、is1 * rotation_axis1 + rotation_axis2 * rotation_axis2 + v6) ) / 如果矢量的平方和接近與0,就返回錯(cuò)誤 *magnitude = 0.0; result = 0; *unit_vec = 0.0; unit_vec1 = 0.0; unit_vec2 = 0.0; else result = 1; v5 = sqrt(rotation_axis1 * rotation_axis1 + rotation_axis2 * rotation_axis2 + v6); *(_QWORD *)magnitude = *(_QWORD *)&

24、amp;v5; *unit_vec = 1.0 / v5 * *rotation_axis; unit_vec1 = 1.0 / v5 * rotation_axis1; unit_vec2 = 1.0 / v5 * rotation_axis2; return result;他做的工作是如果矢量的平方和接近與0,就返回錯(cuò)誤,否則就返回一個(gè)?；玫氖噶?if ( MACH_checking_level > 0 ) if ( fabs(*rotation_axis) >= 1.0e19 | fabs(rotation_axis1) >= 1.0e19 | fabs(rotati

25、on_axis2) >= 1.0e19 ) ERROR_assertion_failed("D:ugnx30sandboxsrcugmathnoindvec3.c", 68, "VEC3_is_finite (u)"); 的意思是當(dāng)機(jī)器的檢測(cè)權(quán)限大于0時(shí),就報(bào)出診斷錯(cuò)誤接下來(lái)就看看sub_201CB3C0這個(gè)子函數(shù)到底做了些什么吧!這個(gè)子函數(shù)是我逆向最久的一個(gè)函數(shù),因?yàn)檫@個(gè)函數(shù)按F5實(shí)效了,于是我把浮點(diǎn)的棧一句一句的模擬出來(lái)最后得出公式:; void _usercall sub_201CB3C0(const struct MTX3_s *EAX&l

26、t;eax>, double *ECX<ecx>, double fCos, double fSin)sub_201CB3C0 proc near ; CODE XREF: MTX3_rot_about_axis(double,VEC3_s const *,MTX3_s *)+54pvar_20= qword ptr -20hvar_18= qword ptr -18hvar_10= qword ptr -10hvar_8= qword ptr -8fCos= qword ptr 8fSin= qword ptr 10h push ebp mov ebp, esp ; (ea

27、x->mtx, ecx->unit_vec, fCos, fSin) sub esp, 20h fld qword ptr ecx ; ecx0 fld qword ptr ecx+8 ; ecx1 fld qword ptr ecx+10h ; ecx2 fld ds:_real3ff0000000000000 ; st0:1 ; st1:ecx2 ; st2:ecx1 ; st3:ecx0 ; st4: ; st5: ; st6: ; st7: ; fsub ebp+fCos ; st0:1-fCos ; st1:ecx2 ; st2:ecx1 ; st3:ecx0 ; st4

28、: ; st5: ; st6: ; st7: ; fld st ; st0:1-fCos ; st1:1-fCos ; st2:ecx2 ; st3:ecx1 ; st4:ecx0 ; st5: ; st6: ; st7: ; fmul st, st(4) ; st0:(1-fCos)*ecx0 ; st1:1-fCos ; st2:ecx2 ; st3:ecx1 ; st4:ecx0 ; st5: ; st6: ; st7: ; fld st(1) ; st0:1-fCos ; st1:(1-fCos)*ecx0 ; st2:1-fCos ; st3:ecx2 ; st4:ecx1 ; st

29、5:ecx0 ; st6: ; st7: ; fmul st, st(4) ; st0:(1-fCos)*ecx1 ; st1:(1-fCos)*ecx0 ; st2:1-fCos ; st3:ecx2 ; st4:ecx1 ; st5:ecx0 ; st6: ; st7: ; fld st(1) ; st0:(1-fCos)*ecx0 ; st1:(1-fCos)*ecx1 ; st2:(1-fCos)*ecx0 ; st3:1-fCos ; st4:ecx2 ; st5:ecx1 ; st6:ecx0 ; st7: ; fmul st, st(5) ; st0:(1-fCos)*ecx0*

30、ecx1 ; st1:(1-fCos)*ecx1 ; st2:(1-fCos)*ecx0 ; st3:1-fCos ; st4:ecx2 ; st5:ecx1 ; st6:ecx0 ; st7: ; fld st(2) ; st0:(1-fCos)*ecx0 ; st1:(1-fCos)*ecx0*ecx1 ; st2:(1-fCos)*ecx1 ; st3:(1-fCos)*ecx0 ; st4:1-fCos ; st5:ecx2 ; st6:ecx1 ; st7:ecx0 ; fmul st, st(5) ; st0:(1-fCos)*ecx0*ecx2 ; st1:(1-fCos)*ec

31、x0*ecx1 ; st2:(1-fCos)*ecx1 ; st3:(1-fCos)*ecx0 ; st4:1-fCos ; st5:ecx2 ; st6:ecx1 ; st7:ecx0 ; fstp ebp+var_8 ; var_8=(1-fCos)*ecx0*ecx2 ; st0:(1-fCos)*ecx0*ecx1 ; st1:(1-fCos)*ecx1 ; st2:(1-fCos)*ecx0 ; st3:1-fCos ; st4:ecx2 ; st5:ecx1 ; st6:ecx0 ; st7: ; fld st(1) ; st0:(1-fCos)*ecx1 ; st1:(1-fCos)*ecx0*ecx1 ; st2