`
deepfuture
  • 浏览: 4338224 次
  • 性别: Icon_minigender_1
  • 来自: 湛江
博客专栏
073ec2a9-85b7-3ebf-a3bb-c6361e6c6f64
SQLite源码剖析
浏览量:79477
1591c4b8-62f1-3d3e-9551-25c77465da96
WIN32汇编语言学习应用...
浏览量:68496
F5390db6-59dd-338f-ba18-4e93943ff06a
神奇的perl
浏览量:101642
Dac44363-8a80-3836-99aa-f7b7780fa6e2
lucene等搜索引擎解析...
浏览量:281485
Ec49a563-4109-3c69-9c83-8f6d068ba113
深入lucene3.5源码...
浏览量:14636
9b99bfc2-19c2-3346-9100-7f8879c731ce
VB.NET并行与分布式编...
浏览量:65707
B1db2af3-06b3-35bb-ac08-59ff2d1324b4
silverlight 5...
浏览量:31370
4a56b548-ab3d-35af-a984-e0781d142c23
算法下午茶系列
浏览量:45290
社区版块
存档分类
最新评论

WIN32汇编-反汇编

CC++C#编程ASP
阅读更多

 学好WIN32汇编,平时需要多阅读编译器生成的汇编代码,因为编译器生成的代码是最规范和最优化的,从中可以学到汇编编程和语句优化的技巧。

    如何得到一个程序的反汇编代码呢?使用反汇编软件,不是使用DOS的DEBUG,WINIODWS平台上已经有多反汇编软件,读者可以从下面的地址中下载反汇编软件
下载示例分析文件GetID硬件特征码程序:http://www.91now.com/down/soft/137021.htm
   下面列出了取得硬件特征码程序的反汇编源代码,笔者将在随后对它进行分析:
Disassembly of File: D:\My Documents\GetID.exe
Code Offset = 00000400, Code Size = 00000200
Data Offset = 00000800, Data Size = 00000600
Number of Objects = 0004 (dec), Imagebase = 00400000h
   Object01:.text    RVA:00001000 Offset: 00000400 Size: 00000200 Flags: 60000020
   Object02:.rdata   RVA: 00002000 Offset:00000600 Size: 00000200 Flags: 40000040
   Object03:.data    RVA:00003000 Offset: 00000800 Size: 00000600 Flags: C0000040
   Object04:.rsrc    RVA:00004000 Offset: 00000E00 Size: 00002A00 Flags: C0000040

+++++++++++++++++++  菜单信息   ++++++++++++++++++
                程序没有菜单选项                     
+++++++++++++++++    对话框信息    ++++++++++++++++++
       There Are No Dialog Resources in This Application
+++++++++++++++++++     导入函数     ++++++++++++++++++
Number of Imported Modules=    2(decimal)
   Import Module 001:user32.dll
   Import Module 002:kernel32.dll
+++++++++++++++++++     重要模块资料    +++++++++++++++
   Import Module 001:user32.dll
 Addr:0000206C hint(019D) Name:MessageBoxA
   Import Module 002:kernel32.dll
 Addr:000020A6 hint(0080) Name:ExitProcess
 Addr:00002086 hint(0030) Name: CreateFileA
 Addr:00002094 hint(005A) Name:DeviceIoControl
+++++++++++++++++++     导出函数     ++++++++++++++++++
Number of Exported Functions = 0000 (decimal)
 

+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object .text**************
Program Entry Point = 00401000 (D:\My Documents\GetID.exe FileOffset:00001600)
 
//******************** Program Entry Point ********
:00401000B801000000             mov eax, 00000001
:004010050FA2                   cpuid
:00401007BEB7304000             mov esi, 004030B7
:0040100C50                     push eax
:0040100DE8E7000000             call 004010F9
:004010128906                   mov dword ptr [esi], eax
:0040101453                     push ebx
:00401015E8DF000000             call 004010F9
:0040101A894604                 mov dword ptr [esi+04], eax
:0040101D51                     push ecx
:0040101EE8D6000000             call 004010F9
:00401023894608                 mov dword ptr [esi+08], eax
:0040102652                     push edx
:00401027E8CD000000             call 004010F9
:0040102C89460C                 mov dword ptr [esi+0C], eax
:0040102FBF54304000             mov edi, 00403054
:00401034B910000000             mov ecx, 00000010
:00401039AC                     lodsb
:0040103AE8D9000000             call 00401118
:0040103F66AB                   stosw
:00401041E2F6                   loop 00401039
:004010436A00                   push 00000000
:004010456A00                   push 00000000
:004010476A03                   push 00000003
:004010496A00                   push 00000000
:0040104B6A03                   push 00000003
:0040104D68000000C0             push C0000000
* Possible StringData Ref from Data Obj->"\\.\PhysicalDrive0"
                                 |
:0040105268A0304000             push 004030A0
* Reference To: kernel32.CreateFileA, Ord:0030h
                                 |
:00401057E8DE000000             Call 0040113A
:0040105CA3B3304000             mov dword ptr [004030B3], eax
:00401061BBC7304000             mov ebx, 004030C7
:00401066C70300020000           mov dword ptr [ebx], 00000200
:0040106CC7430400010100         mov [ebx+04], 00010100
:00401073C7430800A0EC00         mov [ebx+08], 00ECA000
:0040107AC7430C00000000         mov [ebx+0C], 00000000
:00401081BBF7334000             mov ebx, 004033F7
:00401086C70312000000           mov dword ptr [ebx], 00000012
:0040108CC74304EC000000         mov [ebx+04], 000000EC
:00401093C7430801010001         mov [ebx+08], 01000101
:0040109AC7430C07000000         mov [ebx+0C], 00000007
:004010A16A00                   push 00000000
:004010A368F7334000             push 004033F7
:004010A86813020000             push 00000213
:004010AD68F7304000             push 004030F7
:004010B26A23                   push 00000023
:004010B468C7304000             push 004030C7
:004010B96888C00700             push 0007C088
:004010BEFF35B3304000           push dword ptr [004030B3]
* Reference To: kernel32.DeviceIoControl, Ord:005Ah
                                 |
:004010C4E877000000             Call 00401140
:004010C9BE1B314000             mov esi, 0040311B
:004010CEBF28304000             mov edi, 00403028
:004010D3B90A000000             mov ecx, 0000000A
:004010D866AD                   lodsw
:004010DA86C4                   xchg ah, al
:004010DC66AB                   stosw
:004010DEE2F8                   loop 004010D8
:004010E06A00                   push 00000000
* Possible StringData Ref from Data Obj->"本机硬件ID:"
                                 |
:004010E26800304000             push 00403000

* Possible StringData Ref from Data Obj->"你的硬件ID是:

硬盘ID:   "
                                       ->"                           

 "
                                       ->"CpuID:                      "
                                       ->"          

小技巧:你可以按 "
                                       ->"Ctrl+C 复制本框内容!"
                                 |
:004010E7680E304000             push 0040300E
:004010EC6A00                   push 00000000

* Reference To: user32.MessageBoxA, Ord:019Dh
                                 |
:004010EEE841000000             Call 00401134
:004010F350                     push eax

* Reference To: kernel32.ExitProcess, Ord:0080h
                                 |
:004010F4E84D000000             Call 00401146

* Referenced by a CALL at Addresses:
|:0040100D   ,:00401015   ,:0040101E   ,:00401027  
|
:004010F955                     push ebp
:004010FA8BEC                   mov ebp, esp
:004010FC53                     push ebx
:004010FD51                     push ecx
:004010FE8B4508                 mov eax, dword ptr [ebp+08]
:00401101B903000000             mov ecx, 00000003
:004011068AD8                   mov bl, al
:00401108C1E808                 shr eax, 08
:0040110BC1E308                 shl ebx, 08
:0040110EE2F6                   loop 00401106
:004011108BC3                   mov eax, ebx
:0040111259                     pop ecx
:004011135B                     pop ebx
:00401114C9                     leave
:00401115C20400                 ret 0004

 

* Referenced by a CALL at Address:
|:0040103A  
|
:004011188AE0                   mov ah, al
:0040111AC0E804                 shr al, 04
:0040111D80E40F                 and ah, 0F
:0040112080FC0A                 cmp ah, 0A
:004011237203                   jb 00401128
:0040112580C407                 add ah, 07

* Referenced by a (U)nconditional or (C)onditional Jump atAddress:
|:00401123(C)
|
:004011283C0A                   cmp al, 0A
:0040112A7202                   jb 0040112E
:0040112C0407                   add al, 07

* Referenced by a (U)nconditional or (C)onditional Jump atAddress:
|:0040112A(C)
|
:0040112E66053030               add ax, 3030
:00401132C3                     ret


:00401133CC                     int 03

* Referenced by a CALL at Address:
|:004010EE  
|

* Reference To: user32.MessageBoxA, Ord:019Dh
                                 |
:00401134FF2510204000           Jmp dword ptr [00402010]

* Referenced by a CALL at Address:
|:00401057  
|

* Reference To: kernel32.CreateFileA, Ord:0030h
                                 |
:0040113AFF2504204000           Jmp dword ptr [00402004]

* Referenced by a CALL at Address:
|:004010C4  
|

* Reference To: kernel32.DeviceIoControl, Ord:005Ah
                                 |
:00401140FF2508204000           Jmp dword ptr [00402008]

* Reference To: kernel32.ExitProcess, Ord:0080h
                                 |
:00401146FF2500204000           Jmp dword ptr [00402000]
:0040114C00000000000000000000   BYTE 10 DUP(0)
:0040115600000000000000000000   BYTE 10 DUP(0)
:0040116000000000000000000000   BYTE 10 DUP(0)
:0040116A00000000000000000000   BYTE 10 DUP(0)
:0040117400000000000000000000   BYTE 10 DUP(0)
:0040117E00000000000000000000   BYTE 10 DUP(0)
:0040118800000000000000000000   BYTE 10 DUP(0)
:0040119200000000000000000000   BYTE 10 DUP(0)
:0040119C00000000000000000000   BYTE 10 DUP(0)
:004011A600000000000000000000   BYTE 10 DUP(0)
:004011B000000000000000000000   BYTE 10 DUP(0)
:004011BA00000000000000000000   BYTE 10 DUP(0)
:004011C400000000000000000000   BYTE 10 DUP(0)
:004011CE00000000000000000000   BYTE 10 DUP(0)
:004011D800000000000000000000   BYTE 10 DUP(0)
:004011E200000000000000000000   BYTE 10 DUP(0)
:004011EC00000000000000000000   BYTE 10 DUP(0)
:004011F600000000000000000000   BYTE 10 DUP(0)

 有经验的程序员都知道,看别人代码是写代码必练的基本功,下面笔者和大家一起来看懂这段看似天书的汇编代码。

* Referenced by a CALL at Addresses:
|:0040100D   ,:00401015   ,:0040101E   ,:00401027  
|
:004010F955                     push ebp
:004010FA8BEC                   mov ebp, esp
:004010FC53                     push ebx
:004010FD51                     push ecx
:004010FE8B4508                 mov eax, dword ptr [ebp+08]
:00401101B903000000             mov ecx, 00000003
:004011068AD8                   mov bl, al
:00401108C1E808                 shr eax, 08
:0040110BC1E308                 shl ebx, 08
:0040110EE2F6                   loop 00401106
:004011108BC3                   mov eax, ebx
:0040111259                     pop ecx
:004011135B                     pop ebx
:00401114C9                     leave
:00401115C20400                 ret 0004
 
这是一段子程序,:0040100D   ,:00401015   ,:0040101E   ,:00401027 都对它进行了调用。所以先对这个子程序进行研究
:004010FE8B4508                 mov eax, dword ptr [ebp+08]
:00401101B903000000             mov ecx, 00000003
:004011068AD8                   mov bl, al
:00401108C1E808                 shr eax, 08
:0040110BC1E308                 shl ebx, 08
:0040110EE2F6                   loop 00401106
:004011108BC3                   mov eax, ebx
可以这个是一个循环,一循环三次
目的是将eax的值以字节为单位,反过来存放,存储器以字节为单位进行存储,对于字(16位),将要低8位放在低位地址,将高8位放在高位地址,因为存储器的地址单元是增加方向增长的,所以先将低8位放在ah,再将高8位取出放在AL,所以要反序取出。
ret指令返回并将调用者存放在堆栈中的返回地址弹出到EIP中,如果是段间调用的返回,弹出到CS:EIP
call执行的功能(段间),按顺序如下:
1、将CS寄存器中的值压入堆栈
2、把CALL指令的下条指令的32位偏移地址压入堆栈
3、拷贝48位的有效地址到CS:EIP
4、程序从了程序的第一条指令处开始执行
二、ret 立即数  
这种方式是指把返回地址弹出堆栈后,把该值与esp加,相当于堆栈顶去掉了若干字节的内容
 

* Referenced by a CALL at Address:
|:0040103A  
|
:004011188AE0                   mov ah, al
:0040111AC0E804                 shr al, 04
:0040111D80E40F                 and ah, 0F
:0040112080FC0A                 cmp ah, 0A
:004011237203                   jb 00401128
:0040112580C407                 add ah, 07

因为al中放了参数,所以将EAX的AL中的高4位移到ah中,要达到以十六进制显示,并且ASCII码为8位,所以进行了扩展,并且将十六进制码转化为ASCII码,

* Referenced by a (U)nconditional or (C)onditional Jump atAddress:
|:00401123(C)
|
:004011283C0A                   cmp al, 0A
:0040112A7202                   jb 0040112E
:0040112C0407                   add al, 07

* Referenced by a (U)nconditional or (C)onditional Jump atAddress:
|:0040112A(C)
|
:0040112E66053030               add ax, 3030
:00401132C3                     ret

以上完成将al由数字或字符分别转化成相应的两个ASCII码。

 

存储器以字节为单位进行存储,对于字(16位),将要低8位放在低位地址,将高8位放在高位地址,因为存储器的地址单元是增加方向增长的,且字的存储地址是低地址,取CPU序列号时,以4位为单位,所以先将低4位AL的低4位中,再将高4取出放在AL的高4位中,因此,这个子程序将AL的高位和低位调换过来,以还原正常。

 
 
//******************** Program Entry Point ********
:00401000B801000000             mov eax, 00000001
:004010050FA2                   cpuid
 
取得cpuid,从低32位到高32位放在eax,ebx,ecx,edx,

:00401007BEB7304000             mov esi, 004030B7
:0040100C50                     push eax
:0040100DE8E7000000             call 004010F9
:004010128906                   mov dword ptr [esi], eax
:0040101453                     push ebx
:00401015E8DF000000             call 004010F9
:0040101A894604                 mov dword ptr [esi+04], eax
:0040101D51                     push ecx
:0040101EE8D6000000             call 004010F9
:00401023894608                 mov dword ptr [esi+08], eax
:0040102652                     push edx
:00401027E8CD000000             call 004010F9
:0040102C89460C                 mov dword ptr [esi+0C], eax
调用子程序对CPUID进行反序,以还原正常的数值,因为存储将高位放在高地址,低位放在低地址。
:0040102FBF54304000             mov edi, 00403054
:00401034B910000000             mov ecx, 00000010
:00401039AC                     lodsb
:0040103AE8D9000000             call 00401118
:0040103F66AB                   stosw
:00401041E2F6                   loop 00401039
用4位单位进一步反序CPUID,并转化为ASCII码。
:004010436A00                   push 00000000
:004010456A00                   push 00000000
:004010476A03                   push 00000003
:004010496A00                   push 00000000
:0040104B6A03                   push 00000003
:0040104D68000000C0             push C0000000
* Possible StringData Ref from Data Obj->"\\.\PhysicalDrive0"
                                 |
:0040105268A0304000             push 004030A0
放置调用API的参数,最后入堆栈的参数是第一个参数
* Reference To: kernel32.CreateFileA, Ord:0030h
                                 |
:00401057E8DE000000             Call 0040113A
0040105CA3B3304000             mov dword ptr [004030B3], eax
:00401061BBC7304000             mov ebx, 004030C7
以下是二个变量的赋值
:00401066C70300020000           mov dword ptr [ebx], 00000200
:0040106CC7430400010100         mov [ebx+04], 00010100
:00401073C7430800A0EC00         mov [ebx+08], 00ECA000
:0040107AC7430C00000000         mov [ebx+0C], 00000000
:00401081BBF7334000             mov ebx, 004033F7
:00401086C70312000000           mov dword ptr [ebx], 00000012
:0040108CC74304EC000000         mov [ebx+04], 000000EC
:00401093C7430801010001         mov [ebx+08], 01000101
:0040109AC7430C07000000         mov [ebx+0C], 00000007
以下放置参数,调用API,取硬盘ID
:004010A16A00                   push 00000000
:004010A368F7334000             push 004033F7
:004010A86813020000             push 00000213
:004010AD68F7304000             push 004030F7
:004010B26A23                   push 00000023
:004010B468C7304000             push 004030C7
:004010B96888C00700             push 0007C088
:004010BEFF35B3304000           push dword ptr [004030B3]
* Reference To: kernel32.DeviceIoControl, Ord:005Ah
                                 |
:004010C4E877000000             Call 00401140
以下将取出的硬盘ID反序,以还原正常
:004010C9BE1B314000             mov esi, 0040311B
:004010CEBF28304000             mov edi, 00403028
:004010D3B90A000000             mov ecx, 0000000A
:004010D866AD                   lodsw
:004010DA86C4                   xchg ah, al
:004010DC66AB                   stosw
:004010DEE2F8                   loop 004010D8
:004010E06A00                   push 00000000
* Possible StringData Ref from Data Obj->"本机硬件ID:"
                                 |
:004010E26800304000             push 00403000

* Possible StringData Ref from Data Obj->"你的硬件ID是:

硬盘ID:   "
                                       ->"                           

 "
                                       ->"CpuID:                      "
                                       ->"          

小技巧:你可以按 "
                                       ->"Ctrl+C 复制本框内容!"
                                 |
:004010E7680E304000             push 0040300E
:004010EC6A00                   push 00000000

* Reference To: user32.MessageBoxA, Ord:019Dh
 调用API显示ID

                                |
:004010EEE841000000             Call 00401134
:004010F350                     push eax

* Reference To: kernel32.ExitProcess, Ord:0080h
                                 |
:004010F4E84D000000             Call 00401146

                ret

程序退出
:00401133CC                     int 03

* Referenced by a CALL at Address:
|:004010EE  
|

* Reference To: user32.MessageBoxA, Ord:019Dh
                                 |
:00401134FF2510204000           Jmp dword ptr [00402010]

* Referenced by a CALL at Address:
|:00401057  
|

* Reference To: kernel32.CreateFileA, Ord:0030h
                                 |
:0040113AFF2504204000           Jmp dword ptr [00402004]

* Referenced by a CALL at Address:
|:004010C4  
|

* Reference To: kernel32.DeviceIoControl, Ord:005Ah
                                 |
:00401140FF2508204000           Jmp dword ptr [00402008]

* Reference To: kernel32.ExitProcess, Ord:0080h
                                 |
:00401146FF2500204000           Jmp dword ptr [00402000]
:0040114C00000000000000000000   BYTE 10 DUP(0)
:0040115600000000000000000000   BYTE 10 DUP(0)
:0040116000000000000000000000   BYTE 10 DUP(0)
:0040116A00000000000000000000   BYTE 10 DUP(0)
:0040117400000000000000000000   BYTE 10 DUP(0)
:0040117E00000000000000000000   BYTE 10 DUP(0)
:0040118800000000000000000000   BYTE 10 DUP(0)
:0040119200000000000000000000   BYTE 10 DUP(0)
:0040119C00000000000000000000   BYTE 10 DUP(0)
:004011A600000000000000000000   BYTE 10 DUP(0)
:004011B000000000000000000000   BYTE 10 DUP(0)
:004011BA00000000000000000000   BYTE 10 DUP(0)
:004011C400000000000000000000   BYTE 10 DUP(0)
:004011CE00000000000000000000   BYTE 10 DUP(0)
:004011D800000000000000000000   BYTE 10 DUP(0)
:004011E200000000000000000000   BYTE 10 DUP(0)
:004011EC00000000000000000000   BYTE 10 DUP(0)
:004011F600000000000000000000   BYTE 10 DUP(0)

2
0
分享到:
| samba配置(从网上收集)
评论
发表评论

您还没有登录,请您登录后再发表评论

相关推荐

Magicbox
Global site tag (gtag.js) - Google Analytics