To learn Win32 assembly well you need to read compiler-generated assembly code regularly, because the code a compiler emits is the most standard and the most optimized there is; from it you can pick up both assembly-programming technique and statement-level optimization tricks.
Code Offset = 00000400, Code Size = 00000200
Data Offset = 00000800, Data Size = 00000600
Object02:.rdata RVA: 00002000 Offset:00000600 Size: 00000200 Flags: 40000040
Object03:.data RVA:00003000 Offset: 00000800 Size: 00000600 Flags: C0000040
Object04:.rsrc RVA:00004000 Offset: 00000E00 Size: 00002A00 Flags: C0000040
+++++++++++++++++++ 菜单信息 ++++++++++++++++++
Number of Imported Modules= 2(decimal)
Import Module 002:kernel32.dll
Addr:00002086 hint(0030) Name: CreateFileA
Addr:00002094 hint(005A) Name:DeviceIoControl
Number of Exported Functions = 0000 (decimal)
+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object .text**************
Program Entry Point = 00401000 (D:\My Documents\GetID.exe FileOffset:00001600)
:00401000B801000000 mov eax, 00000001
:004010050FA2 cpuid
:00401007BEB7304000 mov esi, 004030B7
:0040100C50 push eax
:0040100DE8E7000000 call 004010F9
:004010128906 mov dword ptr [esi], eax
:0040101453 push ebx
:00401015E8DF000000 call 004010F9
:0040101A894604 mov dword ptr [esi+04], eax
:0040101D51 push ecx
:0040101EE8D6000000 call 004010F9
:00401023894608 mov dword ptr [esi+08], eax
:0040102652 push edx
:00401027E8CD000000 call 004010F9
:0040102C89460C mov dword ptr [esi+0C], eax
:0040102FBF54304000 mov edi, 00403054
:00401034B910000000 mov ecx, 00000010
:00401039AC lodsb
:0040103AE8D9000000 call 00401118
:0040103F66AB stosw
:00401041E2F6 loop 00401039
:004010436A00 push 00000000
:004010456A00 push 00000000
:004010476A03 push 00000003
:004010496A00 push 00000000
:0040104B6A03 push 00000003
:0040104D68000000C0 push C0000000
|
:00401057E8DE000000 Call 0040113A
:0040105CA3B3304000 mov dword ptr [004030B3], eax
:00401061BBC7304000 mov ebx, 004030C7
:00401066C70300020000 mov dword ptr [ebx], 00000200
:0040106CC7430400010100 mov [ebx+04], 00010100
:00401073C7430800A0EC00 mov [ebx+08], 00ECA000
:0040107AC7430C00000000 mov [ebx+0C], 00000000
:00401081BBF7334000 mov ebx, 004033F7
:00401086C70312000000 mov dword ptr [ebx], 00000012
:0040108CC74304EC000000 mov [ebx+04], 000000EC
:00401093C7430801010001 mov [ebx+08], 01000101
:0040109AC7430C07000000 mov [ebx+0C], 00000007
:004010A16A00 push 00000000
:004010A368F7334000 push 004033F7
:004010A86813020000 push 00000213
:004010AD68F7304000 push 004030F7
:004010B26A23 push 00000023
:004010B468C7304000 push 004030C7
:004010B96888C00700 push 0007C088
:004010BEFF35B3304000 push dword ptr [004030B3]
|
:004010C4E877000000 Call 00401140
:004010C9BE1B314000 mov esi, 0040311B
:004010CEBF28304000 mov edi, 00403028
:004010D3B90A000000 mov ecx, 0000000A
:004010D866AD lodsw
:004010DA86C4 xchg ah, al
:004010DC66AB stosw
:004010DEE2F8 loop 004010D8
:004010E06A00 push 00000000
|
:004010E26800304000 push 00403000
* Possible StringData Ref from Data Obj->"你的硬件ID是:
硬盘ID: "
->"
"
->"CpuID: "
->"
小技巧:你可以按 "
->"Ctrl+C 复制本框内容!"
|
:004010E7680E304000 push 0040300E
:004010EC6A00 push 00000000
* Reference To: user32.MessageBoxA, Ord:019Dh
|
:004010EEE841000000 Call 00401134
:004010F350 push eax
* Reference To: kernel32.ExitProcess, Ord:0080h
|
:004010F4E84D000000 Call 00401146
* Referenced by a CALL at Addresses:
|:0040100D ,:00401015 ,:0040101E ,:00401027
|
:004010F955 push ebp
:004010FA8BEC mov ebp, esp
:004010FC53 push ebx
:004010FD51 push ecx
:004010FE8B4508 mov eax, dword ptr [ebp+08]
:00401101B903000000 mov ecx, 00000003
:004011068AD8 mov bl, al
:00401108C1E808 shr eax, 08
:0040110BC1E308 shl ebx, 08
:0040110EE2F6 loop 00401106
:004011108BC3 mov eax, ebx
:0040111259 pop ecx
:004011135B pop ebx
:00401114C9 leave
:00401115C20400 ret 0004
* Referenced by a CALL at Address:
|:0040103A
|
:004011188AE0 mov ah, al
:0040111AC0E804 shr al, 04
:0040111D80E40F and ah, 0F
:0040112080FC0A cmp ah, 0A
:004011237203 jb 00401128
:0040112580C407 add ah, 07
* Referenced by a (U)nconditional or (C)onditional Jump atAddress:
|:00401123(C)
|
:004011283C0A cmp al, 0A
:0040112A7202 jb 0040112E
:0040112C0407 add al, 07
* Referenced by a (U)nconditional or (C)onditional Jump atAddress:
|:0040112A(C)
|
:0040112E66053030 add ax, 3030
:00401132C3 ret
:00401133CC int 03
* Referenced by a CALL at Address:
|:004010EE
|
* Reference To: user32.MessageBoxA, Ord:019Dh
|
:00401134FF2510204000 Jmp dword ptr [00402010]
* Referenced by a CALL at Address:
|:00401057
|
* Reference To: kernel32.CreateFileA, Ord:0030h
|
:0040113AFF2504204000 Jmp dword ptr [00402004]
* Referenced by a CALL at Address:
|:004010C4
|
* Reference To: kernel32.DeviceIoControl, Ord:005Ah
|
:00401140FF2508204000 Jmp dword ptr [00402008]
* Reference To: kernel32.ExitProcess, Ord:0080h
|
:00401146FF2500204000 Jmp dword ptr [00402000]
:0040114C00000000000000000000 BYTE 10 DUP(0)
:0040115600000000000000000000 BYTE 10 DUP(0)
:0040116000000000000000000000 BYTE 10 DUP(0)
:0040116A00000000000000000000 BYTE 10 DUP(0)
:0040117400000000000000000000 BYTE 10 DUP(0)
:0040117E00000000000000000000 BYTE 10 DUP(0)
:0040118800000000000000000000 BYTE 10 DUP(0)
:0040119200000000000000000000 BYTE 10 DUP(0)
:0040119C00000000000000000000 BYTE 10 DUP(0)
:004011A600000000000000000000 BYTE 10 DUP(0)
:004011B000000000000000000000 BYTE 10 DUP(0)
:004011BA00000000000000000000 BYTE 10 DUP(0)
:004011C400000000000000000000 BYTE 10 DUP(0)
:004011CE00000000000000000000 BYTE 10 DUP(0)
:004011D800000000000000000000 BYTE 10 DUP(0)
:004011E200000000000000000000 BYTE 10 DUP(0)
:004011EC00000000000000000000 BYTE 10 DUP(0)
:004011F600000000000000000000 BYTE 10 DUP(0)
Every experienced programmer knows that reading other people's code is a basic skill you must practise in order to write code. Below, the author walks through this seemingly cryptic assembly listing with you.
|:0040100D ,:00401015 ,:0040101E ,:00401027
|
:004010F955 push ebp
:004010FA8BEC mov ebp, esp
:004010FC53 push ebx
:004010FD51 push ecx
:004010FE8B4508 mov eax, dword ptr [ebp+08]
:00401101B903000000 mov ecx, 00000003
:004011068AD8 mov bl, al
:00401108C1E808 shr eax, 08
:0040110BC1E308 shl ebx, 08
:0040110EE2F6 loop 00401106
:004011108BC3 mov eax, ebx
:0040111259 pop ecx
:004011135B pop ebx
:00401114C9 leave
:00401115C20400 ret 0004
* Referenced by a CALL at Address:
|:0040103A
|
:004011188AE0 mov ah, al
:0040111AC0E804 shr al, 04
:0040111D80E40F and ah, 0F
:0040112080FC0A cmp ah, 0A
:004011237203 jb 00401128
:0040112580C407 add ah, 07
Because AL holds the parameter, the high 4 bits of AL (within EAX) are moved into AH. To display in hexadecimal, and since an ASCII code is 8 bits wide, each nibble is widened to a byte and the hex digit is then converted into its ASCII code:
* Referenced by a (U)nconditional or (C)onditional Jump atAddress:
|:00401123(C)
|
:004011283C0A cmp al, 0A
:0040112A7202 jb 0040112E
:0040112C0407 add al, 07
* Referenced by a (U)nconditional or (C)onditional Jump atAddress:
|:0040112A(C)
|
:0040112E66053030 add ax, 3030
:00401132C3 ret
The code above turns the byte in AL into its two corresponding ASCII characters, handling digits and letters separately.
Memory is organised in bytes. For a word (16 bits) the low 8 bits are placed at the lower address and the high 8 bits at the higher address, because memory addresses grow upwards and the word's address is that of its low byte. When the CPU serial number is fetched it is handled in units of 4 bits: the low 4 bits of AL are dealt with first, then the high 4 bits are extracted and placed in the high 4 bits of AL. This subroutine therefore swaps the high and low halves of AL so that the normal order is restored.
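The two helper routines (004010F9 and 00401118) and the 16-byte formatting loop at 00401034, modelled in C as an added example that is not part of the original post. The register values are constructed, not read from a real CPU; running it shows exactly what the listing produces, including the effect of the three-iteration shift loop in 004010F9, which shifts the input's top byte out and leaves a zero low byte, so the fourth constructed register prints as 00EBFBFF rather than BFEBFBFF.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the subroutine at 004010F9 exactly as listed: ECX = 3 and each
 * iteration executes  mov bl,al / shr eax,8 / shl ebx,8.  After three
 * shifts the caller's EBX has been shifted out, the input's highest byte is
 * lost, and the result's low byte is zero. */
uint32_t reverse_dword_as_listed(uint32_t eax)
{
    uint32_t ebx = 0;                                /* caller's EBX: irrelevant, shifted out */
    for (int ecx = 3; ecx > 0; ecx--) {
        ebx = (ebx & 0xFFFFFF00u) | (eax & 0xFFu);   /* mov bl, al  */
        eax >>= 8;                                   /* shr eax, 8  */
        ebx <<= 8;                                   /* shl ebx, 8  */
    }
    return ebx;                                      /* mov eax, ebx */
}

/* Model of the subroutine at 00401118: the byte in AL becomes two ASCII hex
 * digits, high nibble in AL and low nibble in AH, so that STOSW writes the
 * high digit at the lower address.  Returns the resulting AX value. */
uint16_t byte_to_hex_ax(uint8_t al)
{
    uint8_t ah = al & 0x0F;                          /* mov ah,al ; and ah,0F */
    al >>= 4;                                        /* shr al,4 */
    if (ah >= 0x0A) ah += 7;                         /* cmp ah,0A / add ah,07: 0A..0F -> 'A'..'F' */
    if (al >= 0x0A) al += 7;                         /* cmp al,0A / add al,07 */
    return (uint16_t)(((ah + 0x30) << 8) | (al + 0x30));   /* add ax,3030 */
}

/* The loop at 00401034: the 16 bytes stored at 004030B7 (four reversed CPUID
 * registers) become 32 ASCII characters at 00403054.  Uses a static buffer
 * so the result can be checked directly; assumes a little-endian host, as the
 * mov [esi],eax stores in the listing do. */
const char *format_cpuid_as_listed(uint32_t eax, uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    static char out[33];
    uint32_t regs[4] = { reverse_dword_as_listed(eax), reverse_dword_as_listed(ebx),
                         reverse_dword_as_listed(ecx), reverse_dword_as_listed(edx) };
    uint8_t bytes[16];
    memcpy(bytes, regs, 16);
    for (int i = 0; i < 16; i++) {                   /* lodsb / call 00401118 / stosw */
        uint16_t ax = byte_to_hex_ax(bytes[i]);
        out[2 * i]     = (char)(ax & 0xFF);          /* AL: high-nibble digit, lower address */
        out[2 * i + 1] = (char)(ax >> 8);            /* AH: low-nibble digit */
    }
    out[32] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample register values (not from a real CPUID). */
    puts(format_cpuid_as_listed(0x000106A5u, 0x00100800u, 0x0000E3BDu, 0xBFEBFBFFu));
    return 0;
}
```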
:00401000B801000000 mov eax, 00000001
:004010050FA2 cpuid
:00401007BEB7304000 mov esi, 004030B7
:0040100C50 push eax
:0040100DE8E7000000 call 004010F9
:004010128906 mov dword ptr [esi], eax
:0040101453 push ebx
:00401015E8DF000000 call 004010F9
:0040101A894604 mov dword ptr [esi+04], eax
:0040101D51 push ecx
:0040101EE8D6000000 call 004010F9
:00401023894608 mov dword ptr [esi+08], eax
:0040102652 push edx
:00401027E8CD000000 call 004010F9
:0040102C89460C mov dword ptr [esi+0C], eax
:0040102FBF54304000 mov edi, 00403054
:00401034B910000000 mov ecx, 00000010
:00401039AC lodsb
:0040103AE8D9000000 call 00401118
:0040103F66AB stosw
:00401041E2F6 loop 00401039
:004010436A00 push 00000000
:004010456A00 push 00000000
:004010476A03 push 00000003
:004010496A00 push 00000000
:0040104B6A03 push 00000003
:0040104D68000000C0 push C0000000
|
:00401057E8DE000000 Call 0040113A
:0040105CA3B3304000 mov dword ptr [004030B3], eax
:00401061BBC7304000 mov ebx, 004030C7
:00401066C70300020000 mov dword ptr [ebx], 00000200
:0040106CC7430400010100 mov [ebx+04], 00010100
:00401073C7430800A0EC00 mov [ebx+08], 00ECA000
:0040107AC7430C00000000 mov [ebx+0C], 00000000
:00401081BBF7334000 mov ebx, 004033F7
:00401086C70312000000 mov dword ptr [ebx], 00000012
:0040108CC74304EC000000 mov [ebx+04], 000000EC
:00401093C7430801010001 mov [ebx+08], 01000101
:0040109AC7430C07000000 mov [ebx+0C], 00000007
:004010A16A00 push 00000000
:004010A368F7334000 push 004033F7
:004010A86813020000 push 00000213
:004010AD68F7304000 push 004030F7
:004010B26A23 push 00000023
:004010B468C7304000 push 004030C7
:004010B96888C00700 push 0007C088
:004010BEFF35B3304000 push dword ptr [004030B3]
|
:004010C4E877000000 Call 00401140
:004010CEBF28304000 mov edi, 00403028
:004010D3B90A000000 mov ecx, 0000000A
:004010D866AD lodsw
:004010DA86C4 xchg ah, al
:004010DC66AB stosw
:004010DEE2F8 loop 004010D8
|
:004010E26800304000 push 00403000
* Possible StringData Ref from Data Obj->"你的硬件ID是:
硬盘ID: "
->"
"
->"CpuID: "
->"
小技巧:你可以按 "
->"Ctrl+C 复制本框内容!"
|
:004010E7680E304000 push 0040300E
:004010EC6A00 push 00000000
* Reference To: user32.MessageBoxA, Ord:019Dh
Call the API to display the ID
|
:004010EEE841000000 Call 00401134
:004010F350 push eax
* Reference To: kernel32.ExitProcess, Ord:0080h
|
:004010F4E84D000000 Call 00401146
ret
The program exits