Different compilers, different modes, impact on results
2022-08-09 16:17:00 【Huang Duoyan】
Preface
This phenomenon was briefly mentioned in the previous article; this article continues to explore the question.
I. C code
#include<stdio.h>
main()
{
int a = 1, b = 1;
printf("%d", a + b);
}
II. Run results
1. Direct debugging
Compiled with Dev-C++ (TDM-GCC 4.9.2 64-bit Release, same below):
“test.exe”(Win32): 已加载“D:\编程\devctest\test.exe”.
“test.exe”(Win32): 已加载“C:\Windows\System32\ntdll.dll”.
“test.exe”(Win32): 已加载“C:\Windows\System32\kernel32.dll”.
“test.exe”(Win32): 已加载“C:\Windows\System32\KernelBase.dll”.
“test.exe”(Win32): 已加载“C:\Windows\System32\msvcrt.dll”.
线程 0x44f0 已退出,返回值为 0 (0x0).
线程 0x4da8 已退出,返回值为 1 (0x1).
程序“[16652] test.exe”已退出,返回值为 1 (0x1).

It can be seen that the return value is not 0.
Compiled with VS2022 in debug mode (I changed the C language standard to the latest; the same applies to release mode):
“cTest.exe”(Win32): 已加载“D:\编程\cTest\x64\Debug\cTest.exe”.已加载符号.
“cTest.exe”(Win32): 已加载“C:\Windows\System32\ntdll.dll”.
“cTest.exe”(Win32): 已加载“C:\Windows\System32\kernel32.dll”.
“cTest.exe”(Win32): 已加载“C:\Windows\System32\KernelBase.dll”.
“cTest.exe”(Win32): 已加载“C:\Windows\System32\vcruntime140d.dll”.
“cTest.exe”(Win32): 已加载“C:\Windows\System32\ucrtbased.dll”.
线程 0x3ad4 已退出,返回值为 0 (0x0).
“cTest.exe”(Win32): 已加载“C:\Windows\System32\kernel.appcore.dll”.
“cTest.exe”(Win32): 已加载“C:\Windows\System32\msvcrt.dll”.
线程 0x34f8 已退出,返回值为 0 (0x0).
线程 0x22c0 已退出,返回值为 0 (0x0).
程序“[2132] cTest.exe”已退出,返回值为 0 (0x0).
Compiled with VS2022 in release mode:
“cTest.exe”(Win32): 已加载“D:\编程\cTest\x64\Release\cTest.exe”.已加载符号.
“cTest.exe”(Win32): 已加载“C:\Windows\System32\ntdll.dll”.
“cTest.exe”(Win32): 已加载“C:\Windows\System32\kernel32.dll”.
“cTest.exe”(Win32): 已加载“C:\Windows\System32\KernelBase.dll”.
“cTest.exe”(Win32): 已加载“C:\Windows\System32\ucrtbase.dll”.
“cTest.exe”(Win32): 已加载“C:\Windows\System32\vcruntime140.dll”.
线程 0x17a4 已退出,返回值为 0 (0x0).
“cTest.exe”(Win32): 已加载“C:\Windows\System32\kernel.appcore.dll”.
“cTest.exe”(Win32): 已加载“C:\Windows\System32\msvcrt.dll”.
线程 0x2ed4 已退出,返回值为 0 (0x0).
线程 0x52ec 已退出,返回值为 0 (0x0).
程序“[18804] cTest.exe”已退出,返回值为 0 (0x0).
2. Use disassembly for microscopic observation
Compiled with Dev-C++:
It can be seen that the program's main entry point is no longer called main, and the language is recognized as C++. Looking through several lines of the disassembly, the shr instruction turns out to be used fairly often.
Below is the disassembly of the function mainCRTStartup.
0000000000401500 sub rsp,28h
0000000000401504 mov rax,qword ptr [404420h]
000000000040150B mov dword ptr [rax],0
0000000000401511 call 0000000000402110
0000000000401516 call 00000000004011B0
000000000040151B nop
000000000040151C nop
000000000040151D add rsp,28h
0000000000401521 ret
We cannot find any instructions directly related to 1, 1+1 or 2. I did not study the calls that follow, because it gets more and more complicated and I am not very familiar with assembly. The function at the jump target 0000000000402110h is named __security_init_cookie; it takes no parameters, and it is defined in gs_support.c.
Compiled with VS2022 in debug mode:
It can be seen that the name of the main function has not changed, and the language is recognized correctly.
Below is the disassembly of the main function:
1: #include<stdio.h>
2: main()
3: {
00007FF6BA5A1860 push rbp
00007FF6BA5A1862 push rdi
00007FF6BA5A1863 sub rsp,128h
00007FF6BA5A186A lea rbp,[rsp+20h]
00007FF6BA5A186F lea rcx,[__8757079D_源@c (07FF6BA5B1008h)]
00007FF6BA5A1876 call __CheckForDebuggerJustMyCode (07FF6BA5A1361h)
4: int a = 1, b = 1;
00007FF6BA5A187B mov dword ptr [a],1
00007FF6BA5A1882 mov dword ptr [b],1
5: printf("%d", a + b);
00007FF6BA5A1889 mov eax,dword ptr [b]
00007FF6BA5A188C mov ecx,dword ptr [a]
00007FF6BA5A188F add ecx,eax
00007FF6BA5A1891 mov eax,ecx
00007FF6BA5A1893 mov edx,eax
00007FF6BA5A1895 lea rcx,[string "%d" (07FF6BA5A9C10h)]
00007FF6BA5A189C call printf (07FF6BA5A118Bh)
6: }
00007FF6BA5A18A1 xor eax,eax
00007FF6BA5A18A3 lea rsp,[rbp+108h]
00007FF6BA5A18AA pop rdi
00007FF6BA5A18AB pop rbp
00007FF6BA5A18AC ret
We can clearly see the computer honestly performing the 1+1 calculation. It is not hard to match the whole of the assembly code to the corresponding C statements. It is also easy to see that rcx is used as the first parameter and rdx as the second.
Note: 1. Braces are not just braces; they are executed too, and there is assembly code behind them. 2. Unlike the Dev-C++ disassembly, when the closing brace is executed, Visual C at the microscopic level clears eax by XORing it with itself, thus ensuring a normal return of 0. 3. Compared with Dev-C++, the values of rdi and rbp are specifically protected.
We found one more specific function, __CheckForDebuggerJustMyCode, whose prototype is as follows:
void __fastcall __CheckForDebuggerJustMyCode(unsigned char *JMC_flag);
It is defined in debugger_jmc.c.
Compiled with VS2022 in release mode:
The initial content shown in the "Call Stack" window is no different from debug mode, and the program's main entry point is also called main.
Below is the disassembly of the main function:
1: #include<stdio.h>
2: main()
3: {
00007FF713ED1070 sub rsp,28h
4: int a = 1, b = 1;
5: printf("%d", a + b);
00007FF713ED1074 mov edx,2
00007FF713ED1079 lea rcx,[string "%d" (07FF713ED2250h)]
00007FF713ED1080 call printf (07FF713ED1010h)
6: }
00007FF713ED1085 xor eax,eax
00007FF713ED1087 add rsp,28h
00007FF713ED108B ret
You can see that eax is cleared just before the program ends. Note that the program does not perform the 1+1 operation; instead the result 2 is placed directly in edx to serve as the second argument of printf!
At the same time, the program does not call the __CheckForDebuggerJustMyCode function, nor does it protect the values of rdi and rbp.
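An added example, not code from the original post, that separates the two effects seen above: the exit status of a main that falls off its end, and constant folding in an optimized build. The function names are illustrative, and the explanation of the exit status 1 in the Dev-C++ run (printf's return value left in eax) is an assumption, since the post does not show that build's main.

```c
#include <stdio.h>

/* Plain locals: an optimizing build may fold a + b to the constant 2,
 * as in the VS2022 release listing above (mov edx,2). */
static int sum_folded(void)
{
    int a = 1, b = 1;
    return a + b;
}

/* volatile forces every access to really happen, so the two loads and
 * the add must be emitted even in an optimized build. */
static int sum_volatile(void)
{
    volatile int a = 1, b = 1;
    return a + b;
}

/* printf returns the number of characters written, and on x64 an int
 * return value comes back in eax. Assumption (the post does not show
 * the GCC main): in a C89/gnu90 build, where nothing clears eax before
 * main returns, this count is what the caller sees as the exit status. */
static int print_sum(int sum)
{
    return printf("%d", sum);
}

/* Explicit return type and return statement: the exit status no longer
 * depends on the compiler or on the language standard it defaults to. */
int main(void)
{
    int written = print_sum(sum_folded());   /* prints "2" */
    printf("\nprintf returned %d\n", written);
    print_sum(sum_volatile());
    putchar('\n');
    return 0;
}
```

Build it once unoptimized and once optimized (for example gcc -O0 and gcc -O2, or the VS debug and release configurations) and compare the disassembly of sum_folded and sum_volatile.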
Summary
Different compilers and different compilation modes will affect the run results!