一、模拟CE搜索数据
1、按照1字节搜索数据
#include <windows.h>
#include <stdio.h>
char data[100] =
{
0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x07,0x09,
0x00,0x20,0x10,0x03,0x03,0x0C,0x00,0x00,0x44,0x00,
0x00,0x33,0x00,0x47,0x0C,0x0E,0x00,0x0D,0x00,0x11,
0x00,0x00,0x00,0x02,0x64,0x00,0x00,0x00,0xAA,0x00,
0x00,0x00,0x64,0x10,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x02,0x00,0x74,0x0F,0x41,0x00,0x00,0x00,
0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x0A,0x00,
0x00,0x02,0x74,0x0F,0x41,0x00,0x06,0x08,0x00,0x00,
0x00,0x00,0x00,0x64,0x00,0x0F,0x00,0x00,0x0D,0x00,
0x00,0x00,0x23,0x00,0x00,0x64,0x00,0x00,0x64,0x00
};
void main(){
char* a;
a=data;
for(int i=0;i<100;i++)
{
printf("打印第%d个值,该值为%d,地址为%dn",i,*(a+i),a+i);
}
}
2、按照2字节搜索数据
#include <windows.h>
#include <stdio.h>
char data[100] =
{
0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x07,0x09,
0x00,0x20,0x10,0x03,0x03,0x0C,0x00,0x00,0x44,0x00,
0x00,0x33,0x00,0x47,0x0C,0x0E,0x00,0x0D,0x00,0x11,
0x00,0x00,0x00,0x02,0x64,0x00,0x00,0x00,0xAA,0x00,
0x00,0x00,0x64,0x10,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x02,0x00,0x74,0x0F,0x41,0x00,0x00,0x00,
0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x0A,0x00,
0x00,0x02,0x74,0x0F,0x41,0x00,0x06,0x08,0x00,0x00,
0x00,0x00,0x00,0x64,0x00,0x0F,0x00,0x00,0x0D,0x00,
0x00,0x00,0x23,0x00,0x00,0x64,0x00,0x00,0x64,0x00
};
void main(){
short* a;
a=(short*)data;
for(int i=0;i<50;i++)
{
printf("打印第%d个值,该值为%x,地址为%xn",i,*(a+i),a+i);
}
}
3、按照4字节搜索数据
#include <windows.h>
#include <stdio.h>
char data[100] =
{
0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x07,0x09,
0x00,0x20,0x10,0x03,0x03,0x0C,0x00,0x00,0x44,0x00,
0x00,0x33,0x00,0x47,0x0C,0x0E,0x00,0x0D,0x00,0x11,
0x00,0x00,0x00,0x02,0x64,0x00,0x00,0x00,0xAA,0x00,
0x00,0x00,0x64,0x10,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x02,0x00,0x74,0x0F,0x41,0x00,0x00,0x00,
0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x0A,0x00,
0x00,0x02,0x74,0x0F,0x41,0x00,0x06,0x08,0x00,0x00,
0x00,0x00,0x00,0x64,0x00,0x0F,0x00,0x00,0x0D,0x00,
0x00,0x00,0x23,0x00,0x00,0x64,0x00,0x00,0x64,0x00
};
void main(){
int* a;
a=(int*)data;
for(int i=0;i<25;i++)
{
printf("打印第%d个值,该值为%x,地址为%xn",i,*(a+i),a+i);
}
}
4、int型搜索
#include <windows.h>
#include <stdio.h>
char data[100] =
{
0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x07,0x09,
0x00,0x20,0x10,0x03,0x03,0x0C,0x00,0x00,0x44,0x00,
0x00,0x33,0x00,0x47,0x0C,0x0E,0x00,0x0D,0x00,0x11,
0x00,0x00,0x00,0x02,0x64,0x00,0x00,0x00,0xAA,0x00,
0x00,0x00,0x64,0x10,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x02,0x00,0x74,0x0F,0x41,0x00,0x00,0x00,
0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x0A,0x00,
0x00,0x02,0x74,0x0F,0x41,0x00,0x06,0x08,0x00,0x00,
0x00,0x00,0x00,0x64,0x00,0x0F,0x00,0x00,0x0D,0x00,
0x00,0x00,0x23,0x00,0x00,0x64,0x00,0x00,0x64,0x00
};
void main(){
int* a;
a=(int*)data;
char* x;
x=data;
for(int i=0;i<100-4;i++)
{
if(*a == 0x64)
{
printf("地址为%x,值为%xn",a,*(a));
}
x++;
a =(int*)x;
}
}
https://blog.51cto.com/u_15069441/4150841
1、数据类型为int型,即宽度为4个字节,需要注意在内存中整数存储时高位存高位低位存低位,如果某4字节的值为0x00 0x01 0x02 0x03,那int型值应为0x03020100
2、注意指针加法的跨度,char*+1内存地址+1,short*+1内存地址+2,int*+1内存地址+4
3、内存并没有指定变量范围,也就是说任意4个连续的地址都有可能是一个int类型
4、注意结束点,因为int类型宽度为4,所以在扫描时结束点因为内存长度-4
二、字符串指针
#include <windows.h>
#include <stdio.h>
char* x="china"; //常量字符串,存储在常量区,不可以被修改。
//x存储在堆栈中,但是china存储在常量区。
char y[]="china";
void main(){
// *(x+1) = 'a';
x = "china1";
}
x的指向的首地址可以修改,但是地址指向的值不可以修改。
三、字符串函数
字符串大小
#include <windows.h>
#include <stdio.h>
int strlen(char *s) {
int i=0;
while(*(s) != '�')
{
s++;
i++;
}
return i;
}
void main(){
int length;
char* x="china";
length=strlen(x);
printf("%dn",length);
}
字符串替换
#include <windows.h>
#include <stdio.h>
char* strcpy(char* dest, char* src) {
char* r=dest;
while(*(r) != 0)
{
*r = *(src);
r++;
src++;
}
return dest;
}
void main(){
char* res;
char x[]="china";
char y[]="CHINA";
res = strcpy(x,y);
printf("%sn",res);
}
四、指针数组与数组指针
指针数组:存储指针的数组。
数组指针:指针指向一个数组。
#include <windows.h>
#include <stdio.h>
void main(){
int (*px)[5];
px = (int (*)[5])10;
printf("%dn",sizeof(px));
printf("%dn",px);
px++;
printf("%dn",px);
}
获取数组指针中的值。(使用两个星号)
五、结构体指针
通过指针获取结构体
#include <windows.h>
#include <stdio.h>
struct Arg{
int a;
int b;
int c;
};
void main(){
Arg s;
s.a = 10;
s.b = 20;
s.c = 30;
Arg* px = &s;
printf("%dn",px->a);
}
结构体指针不一定存储结构体。
Arg s;
s.a = 10;
s.b = 20;
s.c = 30;
int x;
Arg* px = &x;
六、通过指针访问变量
#include <windows.h>
#include <stdio.h>
void main(){
char p = 10;
char* x = &p;
printf("%dn",x[0]);
printf("%dn",*x);
printf("%dn",*(x+0));
}
#include <windows.h>
#include <stdio.h>
void main(){
char p = 10;
char* x = &p;
char** y=&x;
printf("%dn",*(*(y)));
printf("%dn",y[0][0]);
}
七、使用指针来遍历数组
#include <windows.h>
#include <stdio.h>
void main(){
int arr[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
int* p;
p = arr;
for(int i=0;i<16;i++)
{
printf("第%d个数的地址为%x,值为%dn",i,p+i,*(p+i));
}
}
八、使用数组首地址遍历数组
#include <windows.h>
#include <stdio.h>
void main(){
int arr[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
for(int i=0;i<16;i++)
{
printf("第%d个数的地址为%x,值为%dn",i,arr+i,*(arr+i));
}
}
九、函数指针
函数指针的声明
返回类型(*函数名)(参数表)
int (*shellcode)(char shellcode)
void(*)(void) --表示一个返回值为void,没有参数的函数指针
(void(*)(void))func--表示【将func这个函数强转成返回值为void,没有参数的函数】的类型转换
unsigned char buf[] =
"shellcode is here";
main()
{
( (void(*)(void))&buf)();
}
// 将fun强转成【(void (*)(void)】的类型并且进行调用
#include <stdio.h>
void fun(){
printf("xxxxxxxxxxxxxn");
}
int main(void)
{
(*(void (*)(void))fun)();
return 0;
}
#include <stdio.h>
void fun(){
printf("xxxxxxxxxxxxxn");
}
int main(void)
{
void (*p)(void);
p = fun;
(*p)();
(*(void (*)(void))fun)();
return0;
}
https://blog.csdn.net/Edidaughter/article/details/117194879
原文始发于微信公众号(土拨鼠的安全屋):逆向基础 | C语言指针学习
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论