S.l.e!ep.￠%

標題: 失業的娛樂-IDA逆向工程入門(一)(二)(三)(四)
作者: layper
時間: 2007-03-08,23:49
鏈接: http://bbs.pediy.com/showthread.php?t=40765

【文章標題】:?失業的娛樂-IDA逆向工程入門(一)
【文章作者】:?layper
【作者郵箱】:?layper@yahoo.com.cn
【作者主頁】:?http://blog.csdn.net/layper/
【下載地址】:?自己搜索下載
【作者聲明】:?只是感興趣，沒有其他目的。失誤之處敬請諸位大俠賜教!
--------------------------------------------------------------------------------
【詳細過程】
????牢騷一堆,對不起大家了.我是從2004年底開始玩crack的.曾經得到很多朋友的幫助.如hyd009,拉登徒弟,天邊涯等以前poje論壇兄弟們幫助(可惜已經很
??少碰見他們了).之間學習脫殼又到看雪論壇學習提問,得到很多高手的回答幫助尤其是fly大俠最為熱心,我之所以來這個論壇,全是因為fly大俠.看了很
??多他的文章,從中受益非淺.在此向你們說聲謝謝了.
??
??IDA是一個非常強大的反匯編工具,在reverse?engineerings中首選的工具.看這篇文章首先明確一個目的,我不是破解,如果你要看破解某某軟件的文章
??你可略過,這也不是什么高深的文章,因為,我剛開始學習逆向工程,高深的理論知識我不懂!!!由于本人知識所限錯漏難免,請多包含.
??
??在我看來,逆向工程是學習別人軟件編程的一種好方法.當你手頭上沒什么資料可以利用時,或者想了解或者模仿別人的軟件時,逆向工程不失為一種好辦法.
??(這就是為什么那么多公司在安裝協議要用戶同意不能逆向的原因:)).
??
??好多的逆向工程的文章一開始就跟你講什么虛函數,析構函數,庫等等,這些確實是經典,理論性很強,適合專業或高手看的.我是一開始就學破解,然后接觸匯編
??語言,之后又看了一些亂七八糟的書.編程菜鳥都算不上!!!一開始就來分析這么仔細,這么精益求精,對我來說----蚊子叮豬屁股---太肥了!:)
??
??對我來說,能夠把軟件逆向后的出源碼,并重新編譯能夠通過是我現階段最容易得到滿足的.依照這個思路,我開始就想把IDA里面反匯編的代碼修改后運行.但實踐
??證明這個不是一個有效好的方法.要修改IDA反編譯出來的代碼也比較困難.因為IDA中很多高級語言的結構,高級語言的庫,關鍵字在匯編中不支持或者沖突,就算能
??也很復雜,所以說,
??layper逆向工程第一要點:
??
??(一)從那里來,回到那里去.
??比如匯編語言寫的軟件,你就把它逆回匯編語言.
??用工具VC++寫的軟件,你就把他逆回VC++中.
??DELPHI的逆回DELPHI中(這個用DEDE逆向配合應該更好).
??當然,這個不是硬性規定,有些軟件他雖然用高級語言寫的,但反匯編代碼利用價值已經非常高了.
??
??根據這一點要求,我們不得不對逆向工程分析的研究分類,即分為asm,vc++,delphi這三大類,其他的如.net技術等不是我涉及的內容.
??
??下一篇開始,我分別用最簡單的win32程序開始分類講述.
??
??
??(注:雖然逆向工程這個想法在心里已經很久了,但實際學習就是這幾天的事,本人水平有限,做法可能不可取,或者可笑請多包涵.下篇
??心情好再寫了.)
??
--------------------------------------------------------------------------------
【版權聲明】:?本文原創于看雪技術論壇,?轉載請注明作者并保持文章的完整,?謝謝!

???????????????????????????????????????????????????????2007年03月02日?11:49:08

layper

【文章標題】:?失業的娛樂-IDA逆向工程入門(二)-匯編程序(1)
【文章作者】:?layper
【作者郵箱】:?layper@yahoo.com.cn
【作者主頁】:?http://blog.csdn.net/layper/
【下載地址】:?自己搜索下載
【作者聲明】:?只是感興趣，沒有其他目的。失誤之處敬請諸位大俠賜教!
--------------------------------------------------------------------------------
【詳細過程】
??這個是第二篇,入門就要從最簡單的開始!!!!!!!!
??
??為什么選匯編程序,因為在IDA逆向出來的就是匯編語言.所以選這個是最好入門的.在這之前你先準備好幾樣工具,IDA,masm32匯編工具包并安裝好,
??在radasm設置好你的路徑.
??
??(一)最簡單的win32匯編程序源碼
??hellow.asm
??
??.386
??.model?flat,stdcall
??option?casemap:none
??include?WINDOWS.INC
??include?user32.inc
??include?kernel32.inc
??includelib?user32.lib
??includelib?kernel32.lib
??.data
??sztitle?db?"你好",0
??sztext?db?"你好!祝你有個好的開始!!!",0
??.code
??start:
??invoke?MessageBox,NULL,offset?sztext,offset?sztitle,MB_OK
??invoke?ExitProcess,NULL
??end?start
??
??
??radasm默認編譯.無資源段
??
??
??
??(二)IDA自動識別的反匯編代碼(未優化直接保存)
??
??
??
??;
??;?賞屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?
;??This?file?is?generated?by?The?Interactive?Disassembler?(IDA)???????
;??Copyright?(c)?2006?by?DataRescue?sa/nv,??<ida@datarescue.com>???????
;??Licensed?to:?Paul?Ashton?-?Blue?Lane?Technologies?(1-user?Advanced?03/2006)???s
??;?韌屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?
;
??;?Input??MD5???:??10721E858F8E4DA3413D6FBFAE63E7B3
??
??;?File?Name???:??D:\lyp\hellow\hellow.exe
??;?Format??????:??Portable?executable?for??80386?(PE)
??;?Imagebase???:??400000
??;?Section?1.?(virtual?address?00001000)
??;?Virtual?size??????:?00000026?(???38.)
??;?Section?size?in?file????:?00000200?(??512.)
??;?Offset?to?raw??data?for?section:?00000400
??;?Flags??60000020:?Text?Executable?Readable
??;?Alignment??:?default
??
??????.686p
??????.mmx
??????.model?flat
??
??;?屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?

??;?Segment?type:??Pure?code
??;?Segment?permissions:?Read/Execute
??_text????segment??para?public?'CODE'?use32
??????assume?cs:_text
??????;org?401000h
??????assume?es:nothing,?ss:nothing,?ds:_data,?fs:nothing,?gs:nothing
??
??;?***************?S?U?B??R?O?U?T??I?N?E?***************************************
??
??
??????public?start
??start????proc?near
??????push??0????;?uType
??????push??offset?Caption??;?"你好"
??????push??offset?Text??;?"你好!祝你有個好的開始!!!"
??????push??0????;?hWnd
??????call??MessageBoxA
??
??????push??0????;?uExitCode
??????call??ExitProcess
??
??start????endp
??
??;?[00000006?BYTES:?COLLAPSED?FUNCTION?MessageBoxA.?PRESS?KEYPAD??"+"?TO?EXPAND]
??;?[00000006?BYTES:?COLLAPSED?FUNCTION?ExitProcess.?PRESS?KEYPAD??"+"?TO?EXPAND]
??????align?200h
??_text????ends
??
??;?Section?2.?(virtual?address?00002000)
??;?Virtual?size??????:?00000092?(??146.)
??;?Section?size?in?file????:?00000200?(??512.)
??;?Offset?to?raw??data?for?section:?00000600
??;?Flags??40000040:?Data?Readable
??;?Alignment??:?default
??;
??;?Imports?from?kernel32.dll
??;
??;?屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?

??;?Segment?type:??Externs
??;?_idata
??;?void?__stdcall?ExitProcess(UINT?uExitCode)
??????extrn?__imp_ExitProcess:dword?;??DATA?XREF:?ExitProcessr
??
??;
??;?Imports?from?user32.dll
??;
??;?int?__stdcall??MessageBoxA(HWND?hWnd,LPCSTR?lpText,LPCSTR?lpCaption,UINT?uType)
??????extrn?__imp_MessageBoxA:dword?;??DATA?XREF:?MessageBoxAr
??
??
??;?屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?

??;?Segment?type:??Pure?data
??;?Segment?permissions:?Read
??_rdata????segment??para?public?'DATA'?use32
??????assume?cs:_rdata
??????;org?402010h
??????db??54h??;?T
??????db??20h
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db??6Ah??;?j
??????db??20h
??????db????0
??????db????0
??????db????8
??????db??20h
??????db????0
??????db????0
??????db??4Ch??;?L
??????db??20h
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db??84h??;??
????db??20h
??????db????0
??????db????0
??????db????0
??????db??20h
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db??76h??;?v
??????db??20h
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db??5Ch??;?\
??????db??20h
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db??9Dh??;??
????db????1
??????db??4Dh??;?M
??????db??65h??;?e
??????db??73h??;?s
??????db??73h??;?s
??????db??61h??;?a
??????db??67h??;?g
??????db??65h??;?e
??????db??42h??;?B
??????db??6Fh??;?o
??????db??78h??;?x
??????db??41h??;?A
??????db????0
??????db??75h??;?u
??????db??73h??;?s
??????db??65h??;?e
??????db??72h??;?r
??????db??33h??;?3
??????db??32h??;?2
??????db??2Eh??;?.
??????db??64h??;?d
??????db??6Ch??;?l
??????db??6Ch??;?l
??????db????0
??????db????0
??????db??80h??;??
??????db????0
??????db??45h??;?E
??????db??78h??;?x
??????db??69h??;?i
??????db??74h??;?t
??????db??50h??;?P
??????db??72h??;?r
??????db??6Fh??;?o
??????db??63h??;?c
??????db??65h??;?e
??????db??73h??;?s
??????db??73h??;?s
??????db????0
??????db??6Bh??;?k
??????db??65h??;?e
??????db??72h??;?r
??????db??6Eh??;?n
??????db??65h??;?e
??????db??6Ch??;?l
??????db??33h??;?3
??????db??32h??;?2
??????db??2Eh??;?.
??????db??64h??;?d
??????db??6Ch??;?l
??????db??6Ch??;?l
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??_rdata????ends
??
??;?Section?3.?(virtual?address?00003000)
??;?Virtual?size??????:?0000001E?(???30.)
??;?Section?size?in?file????:?00000200?(??512.)
??;?Offset?to?raw??data?for?section:?00000800
??;?Flags??C0000040:?Data?Readable??Writable
??;?Alignment??:?default
??;?屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?

??;?Segment?type:??Pure?data
??;?Segment?permissions:?Read/Write
??_data????segment??para?public?'DATA'?use32
??????assume?cs:_data
??????;org?403000h
??;?char?Caption[]
??Caption????db?'你好',0?????????????;?DATA?XREF:?start+2o
??;?char?Text[]
??Text????db?'你好!祝你有個好的開始!!!',0?;?DATA?XREF:?start+7o
??????align?200h
??_data????ends
??
??
??????end?start
??用radasm編譯成功,不用修改!!!
??
??(三)比對文件
??
??(1)模式定義
??相同度:
??
??.386????????????????????????????????????????????????.686p??????????????????????;不同
??無??????????????????????????????????????????????????.mmx
??.model?flat,stdcall?????????????????????????????????.model?flat????????
??option?casemap:none?????????????????????????????????無?????????????????????????;不同
??
??我的IDA默認的為686p模式,model語句無語言模式,無option語句.
??
??(2)inc文件,lib文件去向
??
??源文件中的
??include?WINDOWS.INC
??include?user32.inc
??include?kernel32.inc
??includelib?user32.lib
??includelib?kernel32.lib
??消失在代碼中,要尋找回他們!!
??這幾個語句其實就是連接系統的dll文件的,在反匯編代碼中尋找user32.dll,kernel32.dll,找到這里
??;?Imports?from?kernel32.dll
??;
??;?屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?
??
??;?Segment?type:??Externs
??;?_idata
??;?void?__stdcall?ExitProcess(UINT?uExitCode)
??????extrn?__imp_ExitProcess:dword?;??DATA?XREF:?ExitProcessr
??
??;
??;?Imports?from?user32.dll
??;
??;?int?__stdcall??MessageBoxA(HWND?hWnd,LPCSTR?lpText,LPCSTR?lpCaption,UINT?uType)
??????extrn?__imp_MessageBoxA:dword?;??DATA?XREF:?MessageBoxAr
??
??注釋很明白了,輸入表有兩個dll在_idata段,include語句的在_idata段找尋.
??
??(3)段定義的變化
??源代碼中段定義是這樣
??.段名
??而反匯編中的段定義
??段名????segment??para?public?'DATA'?use32
??????assume?cs:_data
??段名????ends
??傳統的dos匯編寫法.
??
??(4)段的增減
??我們通過比對,發現段的數量跟我們原本的不一致
??原本我們只有兩個段
??.data和.code段,而反匯編后變成
??.text和.idata和.rdata和.data段
??經過仔細辨認你就可以發現
??反匯編的text段就是源代碼中的.code段,data段是代碼段,.idata和.rdata是編譯器生成的,而idata是尋找include語句的地方,
??.idata基本沒什么用處,可以刪掉.
??
??(5)數據段
??通過比對發現基本上一致無什么增加,增加了一個????align?200h
??刪掉即可.
??
??(6)代碼段變化
??入口函數變化
??????????????????public?start
??start????proc?near
??????push??0????;?uType
??????push??offset?Caption??;?"你好"
??????push??offset?Text??;?"你好!祝你有個好的開始!!!"
??????push??0????;?hWnd
??????call??MessageBoxA
??
??????push??0????;?uExitCode
??????call??ExitProcess
??
??start????endp
??
??。。。。。。
??
??。。。。。。。
??
??????end?start
??
??注意end?start放在了所有段后面
??
??到這里我們大體上看完這個程序反匯編的大體輪廓。
??
--------------------------------------------------------------------------------
【經驗總結】
??(1)模式定義少了語言模式和opention語句，我們要看情況是否加回上去。
??(2)include語句尋找_idata中的dll名,得到常用包含庫文件.
??(3).rdate段不用看,可以刪掉
??(4)入口開始處尋找start.
??
--------------------------------------------------------------------------------
【版權聲明】:?本文原創于看雪技術論壇,?轉載請注明作者并保持文章的完整,?謝謝!

???????????????????????????????????????????????????????2007年03月02日?13:56:14

layper

【文章標題】:?失業的娛樂-IDA逆向工程入門(三)-匯編程序(2)
【文章作者】:?layper
【作者郵箱】:?layper@yahoo.comcn
【作者主頁】:?http://blog.csdn.net/layper/
【下載地址】:?自己搜索下載
【編寫語言】:?asm
【使用工具】:?IDA\reshack\radasm\
【作者聲明】:?只是感興趣，沒有其他目的。失誤之處敬請諸位大俠賜教!
--------------------------------------------------------------------------------
【詳細過程】
??多謝大家的支持,特別是fly還關心我的工作問題,無已回報,只能繼續寫些小文供大家批評了!!!
??
??上一篇我們所逆的是非常簡單的win32匯編,總共才兩個api函數,一個消息框和ExitProcess函數,這篇我們就涉及一個真正的窗口
??程序firstwindows,我學匯編是看了羅云彬的《windows環境下匯編語言程序設計》才入門的,我直接拿里面的例子來講吧,如果作
??者覺得不合適,我會刪去的!!!!!
??
??順便講一下學習逆向工程的方法,這個跟學脫殼方法類似,你先用一種語言寫一個程序(剛開始比較簡單的),編譯后用IDA或者
??其他工具反匯編,觀察源代碼和反匯編代碼有什么異同,想辦法在逆向代碼中逐漸靠近源代碼,最后再把他整理到編譯工具中不
??斷編譯,在編譯器中看那里出錯,逐步修改,直至成功,最后總結經驗,這樣就會逐步提高了.
??
??限于篇幅,我只把完整源碼貼出來,未修改的反匯編在壓縮包內的1.asm,請自行查看
??firstwindows源碼
??
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??;?Sample?code?for?<?Win32ASM?Programming?>
??;?by?羅云彬,?http://asm.yeah.net
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??;?FirstWindow.asm
??;?窗口程序的模板代碼
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??;?使用?nmake?或下列命令進行編譯和鏈接:
??;?ml?/c?/coff?FirstWindow.asm
??;?Link?/subsystem:windows?FirstWindow.obj
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??????.386
??????.model?flat,stdcall
??????option?casemap:none
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??;?Include?文件定義
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??include????windows.inc
??include????gdi32.inc
??includelib??gdi32.lib
??include????user32.inc
??includelib??user32.lib
??include????kernel32.inc
??includelib??kernel32.lib
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??;?數據段
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??????.data?
??
??hInstance??dd?????
??hWinMain??dd?????
??
??????.const
??
??szClassName??db??'MyClass',0
??szCaptionMain??db??'My?first?Window?!',0
??szText????db??'Win32?Assembly,?Simple?and?powerful?!',0
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??;?代碼段
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??????.code
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??;?窗口過程
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??_ProcWinMain??proc??uses?ebx?edi?esi,hWnd,uMsg,wParam,lParam
??????local??@stPs:PAINTSTRUCT
??????local??@stRect:RECT
??????local??@hDc
??
??????mov??eax,uMsg
??;********************************************************************
??????.if??eax?==??WM_PAINT
????????invoke??BeginPaint,hWnd,addr?@stPs
????????mov??@hDc,eax
??
????????invoke??GetClientRect,hWnd,addr?@stRect
????????invoke??DrawText,@hDc,addr?szText,-1,\
??????????addr?@stRect,\
??????????DT_SINGLELINE?or?DT_CENTER?or?DT_VCENTER
??
????????invoke??EndPaint,hWnd,addr?@stPs
??;********************************************************************
??????.elseif??eax?==??WM_CLOSE
????????invoke??DestroyWindow,hWinMain
????????invoke??PostQuitMessage,NULL
??;********************************************************************
??????.else
????????invoke??DefWindowProc,hWnd,uMsg,wParam,lParam
????????ret
??????.endif
??;********************************************************************
??????xor??eax,eax
??????ret
??
??_ProcWinMain??endp
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??_WinMain??proc
??????local??@stWndClass:WNDCLASSEX
??????local??@stMsg:MSG
??
??????invoke??GetModuleHandle,NULL
??????mov??hInstance,eax
??????invoke??RtlZeroMemory,addr?@stWndClass,sizeof?@stWndClass
??;********************************************************************
??;?注冊窗口類
??;********************************************************************
??????invoke??LoadCursor,0,IDC_ARROW
??????mov??@stWndClass.hCursor,eax
??????push??hInstance
??????pop??@stWndClass.hInstance
??????mov??@stWndClass.cbSize,sizeof?WNDCLASSEX
??????mov??@stWndClass.style,CS_HREDRAW?or?CS_VREDRAW
??????mov??@stWndClass.lpfnWndProc,offset?_ProcWinMain
??????mov??@stWndClass.hbrBackground,COLOR_WINDOW?+?1
??????mov??@stWndClass.lpszClassName,offset?szClassName
??????invoke??RegisterClassEx,addr?@stWndClass
??;********************************************************************
??;?建立并顯示窗口
??;********************************************************************
??????invoke??CreateWindowEx,WS_EX_CLIENTEDGE,offset?szClassName,offset?szCaptionMain,\
????????WS_OVERLAPPEDWINDOW,\
????????100,100,600,400,\
????????NULL,NULL,hInstance,NULL
??????mov??hWinMain,eax
??????invoke??ShowWindow,hWinMain,SW_SHOWNORMAL
??????invoke??UpdateWindow,hWinMain
??;********************************************************************
??;?消息循環
??;********************************************************************
??????.while??TRUE
????????invoke??GetMessage,addr?@stMsg,NULL,0,0
????????.break??.if?eax??==?0
????????invoke??TranslateMessage,addr?@stMsg
????????invoke??DispatchMessage,addr?@stMsg
??????.endw
??????ret
??
??_WinMain??endp
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??start:
??????call??_WinMain
??????invoke??ExitProcess,NULL
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??????end??start
??
??在radasm編譯通過.
??
??用IAD反匯編載入完成后,點擊文件-創建文件-創建asm文件就得到未經修改的反匯編后得到的1.asm文件(有點繞口:)),直接用
??radasm打開,在radasm中ctrl+f5構建并運行看看結果怎樣,呵呵,出錯了.

因為一步一步來講比較長,我先把操作過程寫下來,在慢慢解釋,1.asm修改如下:
(一)增加模式定義\options語句\還原include語句
??????.686p
??????.mmx
??????.model?flat,stdcall
??????option?casemap:none
??include?WINDOWS.INC
??include?kernel32.inc
??includelib?kernel32.lib
??include?user32.inc
??includelib?user32.lib
(二)刪除結構MSG\POINT\PAINTSTRUCT\RECT,并把余下的結構移動到??includelib?user32.lib之后,即第一步之后,
然后做如下修改:
tagMSG????struc?;??(sizeof=0x1C,?standard?type)
hwnd????dd????????;?offset
message????dd??
wParam????dd??
lParam????dd??
time????dd??
pt????POINT??????;這里修改為pt????POINT?<>
tagMSG????ends

tagPAINTSTRUCT??struc?;??(sizeof=0x40,?standard?type)
hdc????dd????????;?offset
fErase????dd??
rcPaint????RECT????????;這里修改為rcPaint????RECT?<>
fRestore??dd??
fIncUpdate??dd??
rgbReserved??db?32?dup(?)
tagPAINTSTRUCT??ends
(三)對函數的局部變量進行修改
一共三個函數start\sub_401000和sub_401089,修改如下
sub_401089:
sub_401089??proc?near????;?CODE?XREF:?startp

Msg????=?MSG?ptr?-4Ch
var_30????=?WNDCLASSEXA?ptr?-30h
修改為:
sub_401089??proc?near????;?CODE?XREF:?startp

????LOCAL?Msg:MSG?
????LOCAL?var_30:WNDCLASSEXA?

sub_401000:

sub_401000??proc?near????;?DATA?XREF:?sub_401089+43o

hDC????=?dword??ptr?-54h
Rect????=?tagRECT?ptr?-50h
Paint????=?PAINTSTRUCT?ptr?-40h
hWnd????=?dword??ptr??8
Msg????=?dword??ptr??0Ch
wParam????=?dword??ptr??10h
lParam????=?dword??ptr??14h

修改為:
sub_401000??proc?uses?ebx?edi?esi?,hWnd,Msg,wParam,lParam????;?DATA?XREF:?sub_401089+43o

????LOCAL?hDC
????LOCAL?Rect:tagRECT
????LOCAL?Paint:PAINTSTRUCT

(四)_text段修改
刪除
在_text段前增加.code
_text????segment??para?public?'CODE'?use32
????assume?cs:_text
????;org?401000h
????assume?es:nothing,?ss:nothing,?ds:_data,?fs:nothing,?gs:nothing
和
_text????ends
注意:中間的代碼不要刪除!!!

(五)刪除align?40h

(六)移動修改_data段
在.code前增加.data,并且把_data段移動到這里
把
_data????segment??para?public?'DATA'?use32
????assume?cs:_data
????;org?403000h
和??????????;?sub_401089+A6r
_data????ends
刪除
注意:中間的代碼不要刪除!!!

(七)修改sub_401000的hWnd,只要出現有的都修改為hWnd1.

(八)刪除_idata段

(九)
把函數含有[ebp+變量]的代碼全部修改為變量
sub_401089的代碼
[ebp+var_30]?改為??var_30
[ebp+var_30.hCursor]??改為??var_30.hCursor
[ebp+var_30.hInstance]??改為??var_30.hInstance
[ebp+var_30.cbSize]??改為??var_30.cbSize
[ebp+var_30.style]??改為??var_30.style
[ebp+var_30.lpfnWndProc]??改為??var_30.lpfnWndProc
[ebp+var_30.hbrBackground]??改為??var_30.hbrBackground
[ebp+var_30.lpszClassName]??改為??var_30.lpszClassName
[ebp+Msg]????改為??Msg

sub_401000的代碼
[ebp+hDC]????改為??hDC
[ebp+Rect]????改為??Rect
[ebp+Paint]????改為??Paint
[ebp+hWnd1]????改為??hWnd1
[ebp+Msg]????改為??Msg
[ebp+wParam]????改為??wParam
[ebp+lParam]????改為??lParam

(十)刪掉函數多余的開頭
sub_401089處:
sub_401089??proc?near????;?CODE?XREF:?startp

????LOCAL?Msg:MSG?
????LOCAL?var_30:WNDCLASSEXA?

????push??ebp????;刪掉
????mov??ebp,?esp??刪掉
????add??esp,?0FFFFFFB4h??;刪掉

sub_401000處:
sub_401000??proc?near?uses?ebx?edi?esi?,hWnd1,Msg,wParam,lParam????;?DATA?XREF:?sub_401089+43o

????LOCAL?hDC
????LOCAL?Rect:tagRECT
????LOCAL?Paint:PAINTSTRUCT

????push??ebp??;刪掉
????mov??ebp,?esp??;刪掉
????add??esp,?0FFFFFFACh??;刪掉
????push??ebx????;刪掉
????push??edi????;刪掉
????push??esi????;刪掉

--------------------------------------------------------------------------------
【經驗總結】
?其實只要你把反編譯的代碼按照radasm的提示一步一步修改就可以了.
解釋:
(一)
這一步我在上篇已經解釋的比較明白了.因為我們匯編開頭就是那么幾句代碼.
include語句加回去這個是因為我們編譯的是匯編程序,這樣肯定要用到庫.如果IDA使用生成的_data段
就非常容易出錯.畢竟它只是"識別"而不是源碼!!!!!!!

(二)
?(1)刪除結構體MSG\POINT\PAINTSTRUCT\RECT
我們進行了第一步操作后,用radasm進行構建,就會提示我們
D:\masm32\Include\WINDOWS.INC(7873)?:?error?A2163:??:?POINT
D:\masm32\Include\WINDOWS.INC(7874)?:?error?A2163:??:?POINT
D:\masm32\Include\WINDOWS.INC(8841)?:?error?A2163:??:?MSG
D:\masm32\Include\WINDOWS.INC(8842)?:?error?A2163:??:?MSG
D:\masm32\Include\WINDOWS.INC(8843)?:?error?A2163:??:?MSG
D:\masm32\Include\WINDOWS.INC(8844)?:?error?A2163:??:?MSG
D:\masm32\Include\WINDOWS.INC(8845)?:?error?A2163:??:?MSG
D:\masm32\Include\WINDOWS.INC(8846)?:?error?A2163:??:?MSG
D:\masm32\Include\WINDOWS.INC(8846)?:?fatal?error?A1016:?

構建時發生錯誤.
總共編譯時間?271?毫秒

這個這個意思說我們的庫文件出錯,這個可能嗎?當然也有可能,但我想你首先應該想到是你的反匯編代碼錯.
先查詢一下windows.inc"出錯"的到底是什么
POINT?STRUCT
??x??DWORD????;7873行
??y??DWORD????;7874行
POINT?ENDS

MSG?STRUCT
??hwnd??????DWORD?????????;8841
??message???DWORD?????????;8842
??wParam????DWORD?????????;8843
??lParam????DWORD?????????;8844
??time??????DWORD?????????;8845
??pt????????POINT??????<>??;8846
MSG?ENDS

呵呵,你再看看反匯編代碼開頭
MSG????struc?;??(sizeof=0x1C,?standard?type)
hwnd????dd????????;?offset
message????dd??
wParam????dd??
lParam????dd??
time????dd??
pt????POINT??
MSG????ends

;?---------------------------------------------------------------------------

POINT????struc?;??(sizeof=0x8,?standard?type)
x????dd??
y????dd??
POINT????ends
明白怎么是這樣了吧?我們反匯編代碼重復定義了結構msg,point所以要把他們刪除.同理PAINTSTRUCT\RECT也刪除了.
(2)移動剩余結構到include語句后.
這一步我是為了省事,剩余三個結構
tagMSG????struc?;??(sizeof=0x1C,?standard?type)
hwnd????dd????????;?offset
message????dd??
wParam????dd??
lParam????dd??
time????dd??
pt????POINT??
tagMSG????ends
;?---------------------------------------------------------------------------
WNDCLASSEXA??struc?;??(sizeof=0x30,?standard?type)
cbSize????dd??
style????dd??
lpfnWndProc??dd????????;?offset
cbClsExtra??dd??
cbWndExtra??dd??
hInstance??dd????????;?offset
hIcon????dd????????;?offset
hCursor????dd????????;?offset
hbrBackground??dd????????;?offset
lpszMenuName??dd????????;?offset
lpszClassName??dd????????;?offset
hIconSm????dd????????;?offset
WNDCLASSEXA??ends
;?---------------------------------------------------------------------------
tagRECT????struc?;??(sizeof=0x10,?standard?type)
left????dd??
top????dd??
right????dd??
bottom????dd??
tagRECT????ends
;?---------------------------------------------------------------------------
tagPAINTSTRUCT??struc?;??(sizeof=0x40,?standard?type)
hdc????dd????????;?offset
fErase????dd??
rcPaint????RECT??
fRestore??dd??
fIncUpdate??dd??
rgbReserved??db?32?dup(?)
tagPAINTSTRUCT??ends
其中tagMSG和tagPAINTSTRUCT結構分別用到了POINT結構和RECT結構,剛才我們刪了,只有windows.inc中有
所以直接把他們剪切到這里省去出錯的機會.
(3)修改結構
tagMSG結構和tagPAINTSTRUCT結構修改,我是參照windows.inc結構定義方法.結構中用結構<>?:)
這個不一定完全正確,想研究這方面多閱讀.inc文件

(三)函數修改
在反匯編代碼中只要出現proc的,到現在為止我都看成是函數!!!
IDA反匯編都它的函數都變成這個樣子
sub_401000??proc?near????;?DATA?XREF:?sub_401089+43o

hDC????=?dword??ptr?-54h??;注意這里是減(-)
Rect????=?tagRECT?ptr?-50h
Paint????=?PAINTSTRUCT?ptr?-40h
hWnd????=?dword??ptr??8????;這里其實是加(+)
Msg????=?dword??ptr??0Ch
wParam????=?dword??ptr??10h
lParam????=?dword??ptr??14h

????push??ebp
????mov??ebp,?esp
????add??esp,?0FFFFFFACh
????push??ebx
????push??edi
????push??esi
????mov??eax,?[ebp+Msg]
這里就會出現一個問題.我們先前又刪結構又改結構,而這里又用到結構,不修改編譯也會出錯的.
我們改成比較正規的win32匯編程序格式.
剛才我提示加減的地方,總結一條規律給大家:
函數開頭?xx?=?結構?-?xxh?這個就是函數的局部變量,可用local?xx:結構替換.
函數開頭?xx?=?dword??ptr?xxh?這個是函數的參數,函數可改為
函數名?proc?xx

(四)_text段修改
代碼段
_text????segment??para?public?'CODE'?use32
????assume?cs:_text
????;org?401000h
????assume?es:nothing,?ss:nothing,?ds:_data,?fs:nothing,?gs:nothing
和
_text????ends
IDA這種段寫法有很大的弊端,也是引起我們修改后的代碼編譯不通過的一個很重要原因.(具體我還說不上來,我還很菜)

(五)刪除align?40h
align是反匯編代碼不通過編譯的一種常見錯誤.

(六)移動修改_data段
一般來說_data段是我們的數據段,一般我們放在前面.(呵呵,代碼順序也很重要)

(七)在數據段中
hWnd????dd????????;?DATA?XREF:?sub_401000+54r
??????????;?sub_401089+94w?sub_401089+9Br
??????????;?sub_401089+A6r
提示hWnd是函數sub_401089的,并不是sub_401000,所以要重命名他們.

(八)刪除_idata段
include語句已經有了函數定義,再保留這里就會出錯.

(九)
把函數含有[ebp+變量]的代碼全部修改為變量
[ebp+]這個是編譯器加上去的,我們直接用的話,編譯后會變成[ebp+ebp+變量],容易出錯.

(十)刪掉函數多余的開頭
反匯編代碼中,編譯器為你加上象這樣的代碼
????push??ebp
????mov??ebp,?esp
????add??esp,?0FFFFFFB4h
如果你直接編譯的話代碼就變成了:
????push??ebp
????mov??ebp,?esp
????add??esp,?0FFFFFFB4h
????push??ebp
????mov??ebp,?esp
????add??esp,?0FFFFFFB4h
重新編譯也容易出錯,所以要刪去.

同理,要注意函數結束地方看看是否要刪去.

(十一)
這里說一點跟上一篇不同的是沒有刪除_rdata,因為這里有我們程序要的數據,所以沒刪除.如
果你還想優化自己弄了!!!

呵呵,終于弄完這篇了,把它整理好花了好大工夫.錯誤難免,請多包涵!!!!

--------------------------------------------------------------------------------
【版權聲明】:?本文原創于看雪技術論壇,?轉載請注明作者并保持文章的完整,?謝謝!

???????????????????????????????????????????????????????2007年03月04日?12:21:20

S.l.e!ep.￠%

失業的娛樂-IDA逆向工程入門(一)(二)(三)(四)

日歷

公告

常用鏈接

留言簿(5)

隨筆分類(1107)

隨筆檔案(1098)

文章檔案(1)

相冊

收藏夾(3)

DataStruct

搜索

積分與排名

最新評論

閱讀排行榜

評論排行榜