黑客反汇编高速入门.docx
黑客反汇编高速入门
黑客反汇编高速入门
我从事汇编语言研究大概是从几年前开始的,因为我要开发sepl计算机语言编译器。
虽然到现在还没有开发出来,但是已经看到曙光了。
为了研究汇编,我从反汇编入手,做了破解,脱壳,调试等。
但是汇编对我来说一直是读天书,没有任何突破。
直到最近几天我有了重大发现。
有人说做黑客从反汇编sqlserver.exe文件开始,可是在数以百万计的汇编代码丛林中,你能看到什么呢?
能读懂么?
直到最近看了一本win32汇编书籍,他里面说可以把vc程序反汇编,获得汇编程序。
如果随便用ida反汇编,如果没有把原程序和汇编放在一起,那么仍然没有收获。
我按照说明操作,终于得到原程序和汇编放在一起的文件,就像在调试状态一样,每个c语言程序对应一个扩展名为.cod的文件。用它来学习真是大爽,天书变成可破解的代码!
具体做法是打开vc项目,选择菜单project->setting,在对话框选择c/c++页,然后category中选择Listing Files,在下面Listing file type选择Assembly, Machine Code, and Source,确定退出。
现在编译程序,在release/debug目录下面生成对应的cod文件,包含有汇编,机器码和源代码。
通过阅读cod文件,你将很快了解汇编,你会发现原程序和汇编并不完全一一对应,但这并不妨碍你分析汇编。
如果你不停地阅读和学习cod,也许一个月后你就会成为反汇编高手了!
目前我刚开始2天。
我决定坚持一个月。
文件Base64.cod内容如下
TITLEE:
\cryptoLib\Base64.cpp
.386P
includelisting.inc
if@Versiongt510
.modelFLAT
else
_TEXTSEGMENTPARAUSE32PUBLIC'CODE'
_TEXTENDS
_DATASEGMENTDWORDUSE32PUBLIC'DATA'
_DATAENDS
CONSTSEGMENTDWORDUSE32PUBLIC'CONST'
CONSTENDS
_BSSSEGMENTDWORDUSE32PUBLIC'BSS'
_BSSENDS
_TLSSEGMENTDWORDUSE32PUBLIC'TLS'
_TLSENDS
;COMDAT?
?
_C@_0BB@NAAD@Magellan?
5MSWHEEL?
$AA@
_DATASEGMENTDWORDUSE32PUBLIC'DATA'
_DATAENDS
;COMDAT?
?
_C@_06FPAF@MouseZ?
$AA@
_DATASEGMENTDWORDUSE32PUBLIC'DATA'
..................
;COMDAT?
?
_7?
$basic_ostream@DU?
$char_traits@D@std@@@std@@6B@
CONSTSEGMENTDWORDUSE32PUBLIC'CONST'
CONSTENDS
;COMDAT?
npos@?
$basic_string@DU?
$char_traits@D@std@@V?
$allocator@D@2@@std@@2IB
CONSTSEGMENTDWORDUSE32PUBLIC'CONST'
CONSTENDS
FLATGROUP_DATA,CONST,_BSS,CRT$XCA,CRT$XCU,CRT$XCL,CRT$XCC,CRT$XCZ,xdata$x
ASSUMECS:
FLAT,DS:
FLAT,SS:
FLAT
endif
CONSTSEGMENT
; _EnBase64Tab: the 64-character Base64 alphabet (A-Z, a-z, 0-9, '+', '/')
; followed by one NUL byte (65 bytes). EncodeBase64 indexes it only with
; values already masked to 6 bits, so no entry beyond index 63 is ever read.
_EnBase64TabDB'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123'
DB'456789+/',00H
ORG$+3                                  ; pad 65 -> 68 bytes so the next table starts on a 4-byte boundary
; _DeBase64Tab: reverse lookup indexed by ASCII code, 123 entries
; (index 0 .. 122 = 'z'). Every non-alphabet position holds 0, which is also
; the value of 'A' (index 65), so the table alone cannot distinguish an
; invalid byte from 'A'; bytes above 'z' have no entry at all. Whether
; DecodeBase64 range-checks its input before indexing is not visible in
; this excerpt (its body is cut off below).
_DeBase64TabDB00H                       ; index 0
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB03eH                                  ; index 43 '+' -> 62
DB00H
DB00H
DB00H
DB03fH                                  ; index 47 '/' -> 63
DB034H                                  ; index 48 '0' -> 52
DB035H
DB036H
DB037H
DB038H
DB039H
DB03aH
DB03bH
DB03cH
DB03dH                                  ; index 57 '9' -> 61
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H                                   ; index 65 'A' -> 0 (same value as the unused slots)
DB01H                                   ; index 66 'B' -> 1
DB02H
DB03H
DB04H
DB05H
DB06H
DB07H
DB08H
DB09H
DB0aH
DB0bH
DB0cH
DB0dH
DB0eH
DB0fH
DB010H
DB011H
DB012H
DB013H
DB014H
DB015H
DB016H
DB017H
DB018H
DB019H                                  ; index 90 'Z' -> 25
DB00H
DB00H
DB00H
DB00H
DB00H
DB00H
DB01aH                                  ; index 97 'a' -> 26
DB01bH
DB01cH
DB01dH
DB01eH
DB01fH
DB020H
DB021H
DB022H
DB023H
DB024H
DB025H
DB026H
DB027H
DB028H
DB029H
DB02aH
DB02bH
DB02cH
DB02dH
DB02eH
DB02fH
DB030H
DB031H
DB032H
DB033H                                  ; index 122 'z' -> 51 (last entry)
CONSTENDS
CRT$XCUSEGMENT
; CRT$XCU is the MSVC section that collects pointers to C++ dynamic
; initializers; this entry points at _$E383, whose body is not in this excerpt.
_$S384DDFLAT:
_$E383
CRT$XCUENDS
;-----------------------------------------------------------------------
; int __cdecl EncodeBase64(const unsigned char *pSrc, char *pDst, int nSrcLen)
;   (signature recovered from the decorated name ?EncodeBase64@@YAHPBEPADH@Z)
; ABI:   x86 __cdecl; all three args on the stack, caller cleans up (ret 0).
;        The _pSrc$/_pDst$/_nSrcLen$/_c?$ equates are frame-relative; the
;        [esp+N] term on each reference compensates for the pushes done so far.
; Out:   eax = nDstLen = 4*(nSrcLen/3) + (nSrcLen%3 ? 4 : 0);
;        pDst receives nDstLen chars followed by one NUL.
; Reads exactly nSrcLen bytes from pSrc (3 per loop iteration, then 1 or 2).
; Writes nDstLen+1 bytes to pDst. There is NO output-size parameter, so the
; caller must provide at least 4*((nSrcLen+2)/3)+1 bytes of destination.
; nSrcLen is treated as signed (imul/idiv, jle): a negative length skips the
; loop, matches neither tail case, writes only the NUL and returns 0.
; Callee-saved ebp/esi are pushed at entry; ebx/edi only around the loop.
; The "push ecx" at entry is just a 4-byte scratch slot (_nMod$), restored
; by "pop ecx" before each ret.
;-----------------------------------------------------------------------
PUBLIC?
EncodeBase64@@YAHPBEPADH@Z;EncodeBase64
;COMDAT?
EncodeBase64@@YAHPBEPADH@Z
_TEXTSEGMENT
_pSrc$=8
_pDst$=12
_nSrcLen$=16
_c1$=12
_c2$=8
_c3$=16
_nMod$=-4
?
EncodeBase64@@YAHPBEPADH@ZPROCNEAR;EncodeBase64,COMDAT
;7:
{
0000051pushecx                          ; reserve 4 bytes for nMod (not a register save)
0000155pushebp                          ; ebp will hold nDstLen
0000256pushesi
;8:
unsignedcharc1,c2,c3;//输入缓冲区读出3个字节
;9:
intnDstLen=0;//输出的字符计数
;10:
intnDiv=nSrcLen/3;//输入数据长度除以3得到的倍数
000038b742418movesi,DWORDPTR_nSrcLen$[esp+8]  ; esi = nSrcLen
00007b856555555moveax,1431655766;55555556H    ; signed divide-by-3 via multiply by reciprocal
0000cf7eeimulesi                        ; edx:eax = nSrcLen * 0x55555556
0000e8bc2moveax,edx
0001033edxorebp,ebp                     ; nDstLen = 0
00012c1e81fshreax,31;0000001fH          ; sign fix-up for negative quotients
0001503d0addedx,eax                     ; edx = nDiv = nSrcLen / 3
;11:
intnMod=nSrcLen%3;//输入数据长度除以3得到的余数
000178bc6moveax,esi
000198bcamovecx,edx                     ; ecx = nDiv (loop count)
0001bbe03000000movesi,3
0002099cdq                              ; sign-extend eax into edx before idiv
00021f7feidivesi                        ; edx = nMod = nSrcLen % 3
;12:
;13:
//每次取3个字节,编码成4个字符
;14:
for(inti=0;i0002385c9testecx,ecx        ; nDiv <= 0 (signed) -> skip the 3-byte loop
0002589542408movDWORDPTR_nMod$[esp+12],edx  ; spill nMod into the push-ecx slot
000290f8edc0000
00jle$L132338
0002f8b442414moveax,DWORDPTR_pDst$[esp+8]     ; eax = pDst (write cursor)
0003353pushebx
000348bd9movebx,ecx                     ; ebx = remaining iterations
000368d2c8d0000
0000leaebp,DWORDPTR[ecx*4]              ; nDstLen = 4*nDiv computed up front; the loop never touches ebp
0003d8b4c2414movecx,DWORDPTR_pSrc$[esp+12]    ; ecx = pSrc (read cursor)
0004157pushedi
$L129542:
;15:
{
;16:
//取3个字节
;17:
c1=*pSrc++;
000428a11movdl,BYTEPTR[ecx]
0004441incecx
000458854241cmovBYTEPTR_c1$[esp+16],dl
;18:
c2=*pSrc++;
000498a11movdl,BYTEPTR[ecx]
;19:
c3=*pSrc++;
;20:
;21:
//编码成4个字符
;22:
*pDst++=EnBase64Tab[c1>>2];
0004b8b74241cmovesi,DWORDPTR_c1$[esp+16]      ; reload c1 as a dword; the and 255 below trims it to the byte
0004f41incecx
0005088542418movBYTEPTR_c2$[esp+16],dl
;23:
*pDst++=EnBase64Tab[((c1<<4)|(c2>>4))&0x3f];
000548b7c2418movedi,DWORDPTR_c2$[esp+16]
0005881e6ff0000
00andesi,255;000000ffH
0005e8a11movdl,BYTEPTR[ecx]
0006081e7ff0000
00andedi,255;000000ffH
0006688542420movBYTEPTR_c3$[esp+16],dl
0006a8bd6movedx,esi
0006cc1ea02shredx,2                     ; edx = c1 >> 2 (index 0..63)
0006f83e603andesi,3                     ; esi = c1 & 3 (low 2 bits carried into char 2)
0007241incecx                           ; pSrc advanced by 3 for this group
000738a92000000
00movdl,BYTEPTR_EnBase64Tab[edx]
000798810movBYTEPTR[eax],dl             ; out[0]
0007b8bd7movedx,edi
0007dc1ea04shredx,4                     ; c2 >> 4
00080c1e604shlesi,4                     ; (c1 & 3) << 4
000830bd6oredx,esi                      ; edx = index for out[1], already < 64
;24:
*pDst++=EnBase64Tab[((c2<<2)|(c3>>6))&0x3f];
000858b742420movesi,DWORDPTR_c3$[esp+16]
0008940inceax
0008a81e6ff0000
00andesi,255;000000ffH
000908a92000000
00movdl,BYTEPTR_EnBase64Tab[edx]
0009683e70fandedi,15;0000000fH          ; c2 & 0x0f
000998810movBYTEPTR[eax],dl             ; out[1]
0009b8bd6movedx,esi
0009dc1ea06shredx,6                     ; c3 >> 6
000a0c1e702shledi,2                     ; (c2 & 0x0f) << 2
000a30bd7oredx,edi                      ; edx = index for out[2]
000a540inceax
;25:
*pDst++=EnBase64Tab[c3&0x3f];
000a683e63fandesi,63;0000003fH          ; esi = index for out[3]
000a940inceax                           ; eax now points one past out[2]
000aa8a92000000
00movdl,BYTEPTR_EnBase64Tab[edx]
000b08850ffmovBYTEPTR[eax-1],dl         ; out[2]
000b38a96000000
00movdl,BYTEPTR_EnBase64Tab[esi]
000b98810movBYTEPTR[eax],dl             ; out[3]
000bb40inceax                           ; pDst advanced by 4 for this group
000bc4bdecebx
000bd7583jneSHORT$L129542
000bf8b542410movedx,DWORDPTR_nMod$[esp+20]    ; restore nMod (edx was clobbered in the loop)
000c35fpopedi
000c45bpopebx
$L129544:
;26:
nDstLen+=4;
;27:
}
;28:
;29:
//编码余下的字节
;30:
if(nMod==1)
000c583fa01cmpedx,1
000c8754bjneSHORT$L129545
;31:
{
;32:
c1=*pSrc++;
000ca8a09movcl,BYTEPTR[ecx]
000cc5epopesi                           ; esi restored early on this path; its epilogue below pops only ebp/ecx
000cd884c2410movBYTEPTR_c1$[esp+4],cl
;33:
*pDst++=EnBase64Tab[(c1&0xfc)>>2];
000d18b4c2410movecx,DWORDPTR_c1$[esp+4]
000d581e1ff0000
00andecx,255;000000ffH
000db8bd1movedx,ecx
;34:
*pDst++=EnBase64Tab[((c1&0x03)<<4)];
000dd83e103andecx,3
000e0c1ea02shredx,2                     ; the & 0xfc is implied by shifting the low bits out
000e3c1e104shlecx,4
000e68a92000000
00movdl,BYTEPTR_EnBase64Tab[edx]
000ec8810movBYTEPTR[eax],dl             ; out[0]
000ee8a89000000
00movcl,BYTEPTR_EnBase64Tab[ecx]
000f440inceax
000f58808movBYTEPTR[eax],cl             ; out[1]
000f740inceax
;35:
*pDst++='=';
000f8c6003dmovBYTEPTR[eax],61;0000003dH ; first '=' pad
;45:
*pDst++=EnBase64Tab[((c2&0x0f)<<2)];
000fb40inceax                           ; NOTE: no table lookup follows; the ;45:/;46: tags here look like
                                        ; the compiler attributing merged tail code, not a second c2 read
;46:
*pDst++='=';
000fcc6003dmovBYTEPTR[eax],61;0000003dH ; second '=' pad ("xx==" for one trailing byte)
000ff40inceax
;47:
nDstLen+=4;
0010083c504addebp,4
;48:
}
;49:
;50:
//输出加个结束符
;51:
*pDst='\0';
00103c60000movBYTEPTR[eax],0            ; terminator: byte nDstLen of pDst
;52:
;53:
returnnDstLen;
001068bc5moveax,ebp
001085dpopebp
;54:
}
0010959popecx                           ; drop the nMod scratch slot
0010ac3ret0
$L132338:                                ; nDiv <= 0: no full groups, fall through to the tail cases
;12:
;13:
//每次取3个字节,编码成4个字符
;14:
for(inti=0;i0010b8b442414moveax,DWORDPTR_pDst$[esp+8]
0010f8b4c2410movecx,DWORDPTR_pSrc$[esp+8]
00113ebb0jmpSHORT$L129544               ; edx still holds nMod from the idiv
$L129545:
;36:
*pDst++='=';
;37:
nDstLen+=4;
;38:
}
;39:
elseif(nMod==2)
0011583fa02cmpedx,2
00118755bjneSHORT$L132337
;40:
{
;41:
c1=*pSrc++;
0011a8a11movdl,BYTEPTR[ecx]
;42:
c2=*pSrc++;
0011c8a4901movcl,BYTEPTR[ecx+1]
0011f88542414movBYTEPTR_c1$[esp+8],dl
00123884c2410movBYTEPTR_c2$[esp+8],cl
;43:
*pDst++=EnBase64Tab[(c1&0xfc)>>2];
001278b4c2414movecx,DWORDPTR_c1$[esp+8]
0012b81e1ff0000
00andecx,255;000000ffH
001318bd1movedx,ecx
;44:
*pDst++=EnBase64Tab[((c1&0x03)<<4)|((c2&0xf0)>>4)];
0013383e103andecx,3
00136c1ea02shredx,2
00139c1e104shlecx,4
0013c8a92000000
00movdl,BYTEPTR_EnBase64Tab[edx]
001428810movBYTEPTR[eax],dl             ; out[0]
001448b542410movedx,DWORDPTR_c2$[esp+8]
0014881e2ff0000
00andedx,255;000000ffH
0014e40inceax
0014f8bf2movesi,edx
;45:
*pDst++=EnBase64Tab[((c2&0x0f)<<2)];
0015183e20fandedx,15;0000000fH          ; edx = c2 & 0x0f
00154c1ee04shresi,4                     ; the & 0xf0 is implied by the shift
001570bf1oresi,ecx                      ; esi = index for out[1]
0015940inceax
0015a40inceax                           ; eax now points at out[3]
0015b8a8e000000
00movcl,BYTEPTR_EnBase64Tab[esi]
001618848femovBYTEPTR[eax-2],cl         ; out[1]
001648a14950000
0000movdl,BYTEPTR_EnBase64Tab[edx*4]    ; (c2 & 0x0f) << 2 folded into the scaled index
0016b8850ffmovBYTEPTR[eax-1],dl         ; out[2]
;46:
*pDst++='=';
0016ec6003dmovBYTEPTR[eax],61;0000003dH ; single '=' pad ("xxx=" for two trailing bytes)
0017140inceax
;47:
nDstLen+=4;
0017283c504addebp,4
$L132337:                                ; nMod == 0 (or negative) joins here: no tail group
;48:
}
;49:
;50:
//输出加个结束符
;51:
*pDst='\0';
00175c60000movBYTEPTR[eax],0            ; terminator: byte nDstLen of pDst
;52:
;53:
returnnDstLen;
001788bc5moveax,ebp
0017a5epopesi
0017b5dpopebp
;54:
}
0017c59popecx                           ; drop the nMod scratch slot
0017dc3ret0
?
EncodeBase64@@YAHPBEPADH@ZENDP;EncodeBase64
_TEXTENDS
PUBLIC?
DecodeBase64@@YAHPBDPAEH@Z;DecodeBase64
;COMDAT?
DecodeBase64@@YAHPBDPAEH@Z
_TEXTSEGMENT
_pSrc$=8
_pDst$=12
_nSrcLen$=16
_c3$=12
_c4$=8
_lc1$=-5
_nDiv$=-4
?
DecodeBase64@@YAHPBDPAEH@ZPROCNEAR;DecodeBase64,COMDAT
;74:
{
0000083ec08subesp,8
;75:
unsignedcharc1,c2,c