【文章標(biāo)題】:?失業(yè)的娛樂-IDA逆向工程入門(二)-匯編程序(1)
【文章作者】:?layper
【作者郵箱】:?layper@yahoo.com.cn
【作者主頁】:?http://blog.csdn.net/layper/
【下載地址】:?自己搜索下載
【作者聲明】:?只是感興趣，沒有其他目的。失誤之處敬請(qǐng)諸位大俠賜教!
--------------------------------------------------------------------------------
【詳細(xì)過程】
??這個(gè)是第二篇,入門就要從最簡單的開始!!!!!!!!
??
??為什么選匯編程序,因?yàn)樵贗DA逆向出來的就是匯編語言.所以選這個(gè)是最好入門的.在這之前你先準(zhǔn)備好幾樣工具,IDA,masm32匯編工具包并安裝好,
??在radasm設(shè)置好你的路徑.
??
??(一)最簡單的win32匯編程序源碼
??hellow.asm
??
??.386
??.model?flat,stdcall
??option?casemap:none
??include?WINDOWS.INC
??include?user32.inc
??include?kernel32.inc
??includelib?user32.lib
??includelib?kernel32.lib
??.data
??sztitle?db?"你好",0
??sztext?db?"你好!祝你有個(gè)好的開始!!!",0
??.code
??start:
??invoke?MessageBox,NULL,offset?sztext,offset?sztitle,MB_OK
??invoke?ExitProcess,NULL
??end?start
??
??
??radasm默認(rèn)編譯.無資源段
??
??
??
??(二)IDA自動(dòng)識(shí)別的反匯編代碼(未優(yōu)化直接保存)
??
??
??
??;
??;?賞屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?
;??This?file?is?generated?by?The?Interactive?Disassembler?(IDA)???????
;??Copyright?(c)?2006?by?DataRescue?sa/nv,??<ida@datarescue.com>???????
;??Licensed?to:?Paul?Ashton?-?Blue?Lane?Technologies?(1-user?Advanced?03/2006)???s
??;?韌屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?
;
??;?Input??MD5???:??10721E858F8E4DA3413D6FBFAE63E7B3
??
??;?File?Name???:??D:\lyp\hellow\hellow.exe
??;?Format??????:??Portable?executable?for??80386?(PE)
??;?Imagebase???:??400000
??;?Section?1.?(virtual?address?00001000)
??;?Virtual?size??????:?00000026?(???38.)
??;?Section?size?in?file????:?00000200?(??512.)
??;?Offset?to?raw??data?for?section:?00000400
??;?Flags??60000020:?Text?Executable?Readable
??;?Alignment??:?default
??
??????.686p
??????.mmx
??????.model?flat
??
??;?屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?

??;?Segment?type:??Pure?code
??;?Segment?permissions:?Read/Execute
??_text????segment??para?public?'CODE'?use32
??????assume?cs:_text
??????;org?401000h
??????assume?es:nothing,?ss:nothing,?ds:_data,?fs:nothing,?gs:nothing
??
??;?***************?S?U?B??R?O?U?T??I?N?E?***************************************
??
??
??????public?start
??start????proc?near
??????push??0????;?uType
??????push??offset?Caption??;?"你好"
??????push??offset?Text??;?"你好!祝你有個(gè)好的開始!!!"
??????push??0????;?hWnd
??????call??MessageBoxA
??
??????push??0????;?uExitCode
??????call??ExitProcess
??
??start????endp
??
??;?[00000006?BYTES:?COLLAPSED?FUNCTION?MessageBoxA.?PRESS?KEYPAD??"+"?TO?EXPAND]
??;?[00000006?BYTES:?COLLAPSED?FUNCTION?ExitProcess.?PRESS?KEYPAD??"+"?TO?EXPAND]
??????align?200h
??_text????ends
??
??;?Section?2.?(virtual?address?00002000)
??;?Virtual?size??????:?00000092?(??146.)
??;?Section?size?in?file????:?00000200?(??512.)
??;?Offset?to?raw??data?for?section:?00000600
??;?Flags??40000040:?Data?Readable
??;?Alignment??:?default
??;
??;?Imports?from?kernel32.dll
??;
??;?屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?

??;?Segment?type:??Externs
??;?_idata
??;?void?__stdcall?ExitProcess(UINT?uExitCode)
??????extrn?__imp_ExitProcess:dword?;??DATA?XREF:?ExitProcessr
??
??;
??;?Imports?from?user32.dll
??;
??;?int?__stdcall??MessageBoxA(HWND?hWnd,LPCSTR?lpText,LPCSTR?lpCaption,UINT?uType)
??????extrn?__imp_MessageBoxA:dword?;??DATA?XREF:?MessageBoxAr
??
??
??;?屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?

??;?Segment?type:??Pure?data
??;?Segment?permissions:?Read
??_rdata????segment??para?public?'DATA'?use32
??????assume?cs:_rdata
??????;org?402010h
??????db??54h??;?T
??????db??20h
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db??6Ah??;?j
??????db??20h
??????db????0
??????db????0
??????db????8
??????db??20h
??????db????0
??????db????0
??????db??4Ch??;?L
??????db??20h
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db??84h??;??
????db??20h
??????db????0
??????db????0
??????db????0
??????db??20h
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db??76h??;?v
??????db??20h
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db??5Ch??;?\
??????db??20h
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db??9Dh??;??
????db????1
??????db??4Dh??;?M
??????db??65h??;?e
??????db??73h??;?s
??????db??73h??;?s
??????db??61h??;?a
??????db??67h??;?g
??????db??65h??;?e
??????db??42h??;?B
??????db??6Fh??;?o
??????db??78h??;?x
??????db??41h??;?A
??????db????0
??????db??75h??;?u
??????db??73h??;?s
??????db??65h??;?e
??????db??72h??;?r
??????db??33h??;?3
??????db??32h??;?2
??????db??2Eh??;?.
??????db??64h??;?d
??????db??6Ch??;?l
??????db??6Ch??;?l
??????db????0
??????db????0
??????db??80h??;??
??????db????0
??????db??45h??;?E
??????db??78h??;?x
??????db??69h??;?i
??????db??74h??;?t
??????db??50h??;?P
??????db??72h??;?r
??????db??6Fh??;?o
??????db??63h??;?c
??????db??65h??;?e
??????db??73h??;?s
??????db??73h??;?s
??????db????0
??????db??6Bh??;?k
??????db??65h??;?e
??????db??72h??;?r
??????db??6Eh??;?n
??????db??65h??;?e
??????db??6Ch??;?l
??????db??33h??;?3
??????db??32h??;?2
??????db??2Eh??;?.
??????db??64h??;?d
??????db??6Ch??;?l
??????db??6Ch??;?l
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??????db????0
??_rdata????ends
??
??;?Section?3.?(virtual?address?00003000)
??;?Virtual?size??????:?0000001E?(???30.)
??;?Section?size?in?file????:?00000200?(??512.)
??;?Offset?to?raw??data?for?section:?00000800
??;?Flags??C0000040:?Data?Readable??Writable
??;?Alignment??:?default
??;?屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?

??;?Segment?type:??Pure?data
??;?Segment?permissions:?Read/Write
??_data????segment??para?public?'DATA'?use32
??????assume?cs:_data
??????;org?403000h
??;?char?Caption[]
??Caption????db?'你好',0?????????????;?DATA?XREF:?start+2o
??;?char?Text[]
??Text????db?'你好!祝你有個(gè)好的開始!!!',0?;?DATA?XREF:?start+7o
??????align?200h
??_data????ends
??
??
??????end?start
??用radasm編譯成功,不用修改!!!
??
??(三)比對(duì)文件
??
??(1)模式定義
??相同度:
??
??.386????????????????????????????????????????????????.686p??????????????????????;不同
??無??????????????????????????????????????????????????.mmx
??.model?flat,stdcall?????????????????????????????????.model?flat????????
??option?casemap:none?????????????????????????????????無?????????????????????????;不同
??
??我的IDA默認(rèn)的為686p模式,model語句無語言模式,無option語句.
??
??(2)inc文件,lib文件去向
??
??源文件中的
??include?WINDOWS.INC
??include?user32.inc
??include?kernel32.inc
??includelib?user32.lib
??includelib?kernel32.lib
??消失在代碼中,要尋找回他們!!
??這幾個(gè)語句其實(shí)就是連接系統(tǒng)的dll文件的,在反匯編代碼中尋找user32.dll,kernel32.dll,找到這里
??;?Imports?from?kernel32.dll
??;
??;?屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?
??
??;?Segment?type:??Externs
??;?_idata
??;?void?__stdcall?ExitProcess(UINT?uExitCode)
??????extrn?__imp_ExitProcess:dword?;??DATA?XREF:?ExitProcessr
??
??;
??;?Imports?from?user32.dll
??;
??;?int?__stdcall??MessageBoxA(HWND?hWnd,LPCSTR?lpText,LPCSTR?lpCaption,UINT?uType)
??????extrn?__imp_MessageBoxA:dword?;??DATA?XREF:?MessageBoxAr
??
??注釋很明白了,輸入表有兩個(gè)dll在_idata段,include語句的在_idata段找尋.
??
??(3)段定義的變化
??源代碼中段定義是這樣
??.段名
??而反匯編中的段定義
??段名????segment??para?public?'DATA'?use32
??????assume?cs:_data
??段名????ends
??傳統(tǒng)的dos匯編寫法.
??
??(4)段的增減
??我們通過比對(duì),發(fā)現(xiàn)段的數(shù)量跟我們?cè)镜牟灰恢?br />??原本我們只有兩個(gè)段
??.data和.code段,而反匯編后變成
??.text和.idata和.rdata和.data段
??經(jīng)過仔細(xì)辨認(rèn)你就可以發(fā)現(xiàn)
??反匯編的text段就是源代碼中的.code段,data段是代碼段,.idata和.rdata是編譯器生成的,而idata是尋找include語句的地方,
??.idata基本沒什么用處,可以刪掉.
??
??(5)數(shù)據(jù)段
??通過比對(duì)發(fā)現(xiàn)基本上一致無什么增加,增加了一個(gè)????align?200h
??刪掉即可.
??
??(6)代碼段變化
??入口函數(shù)變化
??????????????????public?start
??start????proc?near
??????push??0????;?uType
??????push??offset?Caption??;?"你好"
??????push??offset?Text??;?"你好!祝你有個(gè)好的開始!!!"
??????push??0????;?hWnd
??????call??MessageBoxA
??
??????push??0????;?uExitCode
??????call??ExitProcess
??
??start????endp
??
??。。。。。。
??
??。。。。。。。
??
??????end?start
??
??注意end?start放在了所有段后面
??
??到這里我們大體上看完這個(gè)程序反匯編的大體輪廓。
??
--------------------------------------------------------------------------------
【經(jīng)驗(yàn)總結(jié)】
??(1)模式定義少了語言模式和opention語句，我們要看情況是否加回上去。
??(2)include語句尋找_idata中的dll名,得到常用包含庫文件.
??(3).rdate段不用看,可以刪掉
??(4)入口開始處尋找start.
??
--------------------------------------------------------------------------------
【版權(quán)聲明】:?本文原創(chuàng)于看雪技術(shù)論壇,?轉(zhuǎn)載請(qǐng)注明作者并保持文章的完整,?謝謝!

???????????????????????????????????????????????????????2007年03月02日?13:56:14

【文章標(biāo)題】:?失業(yè)的娛樂-IDA逆向工程入門(三)-匯編程序(2)
【文章作者】:?layper
【作者郵箱】:?layper@yahoo.comcn
【作者主頁】:?http://blog.csdn.net/layper/
【下載地址】:?自己搜索下載
【編寫語言】:?asm
【使用工具】:?IDA\reshack\radasm\
【作者聲明】:?只是感興趣，沒有其他目的。失誤之處敬請(qǐng)諸位大俠賜教!
--------------------------------------------------------------------------------
【詳細(xì)過程】
??多謝大家的支持,特別是fly還關(guān)心我的工作問題,無已回報(bào),只能繼續(xù)寫些小文供大家批評(píng)了!!!
??
??上一篇我們所逆的是非常簡單的win32匯編,總共才兩個(gè)api函數(shù),一個(gè)消息框和ExitProcess函數(shù),這篇我們就涉及一個(gè)真正的窗口
??程序firstwindows,我學(xué)匯編是看了羅云彬的《windows環(huán)境下匯編語言程序設(shè)計(jì)》才入門的,我直接拿里面的例子來講吧,如果作
??者覺得不合適,我會(huì)刪去的!!!!!
??
??順便講一下學(xué)習(xí)逆向工程的方法,這個(gè)跟學(xué)脫殼方法類似,你先用一種語言寫一個(gè)程序(剛開始比較簡單的),編譯后用IDA或者
??其他工具反匯編,觀察源代碼和反匯編代碼有什么異同,想辦法在逆向代碼中逐漸靠近源代碼,最后再把他整理到編譯工具中不
??斷編譯,在編譯器中看那里出錯(cuò),逐步修改,直至成功,最后總結(jié)經(jīng)驗(yàn),這樣就會(huì)逐步提高了.
??
??限于篇幅,我只把完整源碼貼出來,未修改的反匯編在壓縮包內(nèi)的1.asm,請(qǐng)自行查看
??firstwindows源碼
??
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??;?Sample?code?for?<?Win32ASM?Programming?>
??;?by?羅云彬,?http://asm.yeah.net
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??;?FirstWindow.asm
??;?窗口程序的模板代碼
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??;?使用?nmake?或下列命令進(jìn)行編譯和鏈接:
??;?ml?/c?/coff?FirstWindow.asm
??;?Link?/subsystem:windows?FirstWindow.obj
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??????.386
??????.model?flat,stdcall
??????option?casemap:none
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??;?Include?文件定義
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??include????windows.inc
??include????gdi32.inc
??includelib??gdi32.lib
??include????user32.inc
??includelib??user32.lib
??include????kernel32.inc
??includelib??kernel32.lib
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??;?數(shù)據(jù)段
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??????.data?
??
??hInstance??dd?????
??hWinMain??dd?????
??
??????.const
??
??szClassName??db??'MyClass',0
??szCaptionMain??db??'My?first?Window?!',0
??szText????db??'Win32?Assembly,?Simple?and?powerful?!',0
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??;?代碼段
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??????.code
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??;?窗口過程
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??_ProcWinMain??proc??uses?ebx?edi?esi,hWnd,uMsg,wParam,lParam
??????local??@stPs:PAINTSTRUCT
??????local??@stRect:RECT
??????local??@hDc
??
??????mov??eax,uMsg
??;********************************************************************
??????.if??eax?==??WM_PAINT
????????invoke??BeginPaint,hWnd,addr?@stPs
????????mov??@hDc,eax
??
????????invoke??GetClientRect,hWnd,addr?@stRect
????????invoke??DrawText,@hDc,addr?szText,-1,\
??????????addr?@stRect,\
??????????DT_SINGLELINE?or?DT_CENTER?or?DT_VCENTER
??
????????invoke??EndPaint,hWnd,addr?@stPs
??;********************************************************************
??????.elseif??eax?==??WM_CLOSE
????????invoke??DestroyWindow,hWinMain
????????invoke??PostQuitMessage,NULL
??;********************************************************************
??????.else
????????invoke??DefWindowProc,hWnd,uMsg,wParam,lParam
????????ret
??????.endif
??;********************************************************************
??????xor??eax,eax
??????ret
??
??_ProcWinMain??endp
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??_WinMain??proc
??????local??@stWndClass:WNDCLASSEX
??????local??@stMsg:MSG
??
??????invoke??GetModuleHandle,NULL
??????mov??hInstance,eax
??????invoke??RtlZeroMemory,addr?@stWndClass,sizeof?@stWndClass
??;********************************************************************
??;?注冊(cè)窗口類
??;********************************************************************
??????invoke??LoadCursor,0,IDC_ARROW
??????mov??@stWndClass.hCursor,eax
??????push??hInstance
??????pop??@stWndClass.hInstance
??????mov??@stWndClass.cbSize,sizeof?WNDCLASSEX
??????mov??@stWndClass.style,CS_HREDRAW?or?CS_VREDRAW
??????mov??@stWndClass.lpfnWndProc,offset?_ProcWinMain
??????mov??@stWndClass.hbrBackground,COLOR_WINDOW?+?1
??????mov??@stWndClass.lpszClassName,offset?szClassName
??????invoke??RegisterClassEx,addr?@stWndClass
??;********************************************************************
??;?建立并顯示窗口
??;********************************************************************
??????invoke??CreateWindowEx,WS_EX_CLIENTEDGE,offset?szClassName,offset?szCaptionMain,\
????????WS_OVERLAPPEDWINDOW,\
????????100,100,600,400,\
????????NULL,NULL,hInstance,NULL
??????mov??hWinMain,eax
??????invoke??ShowWindow,hWinMain,SW_SHOWNORMAL
??????invoke??UpdateWindow,hWinMain
??;********************************************************************
??;?消息循環(huán)
??;********************************************************************
??????.while??TRUE
????????invoke??GetMessage,addr?@stMsg,NULL,0,0
????????.break??.if?eax??==?0
????????invoke??TranslateMessage,addr?@stMsg
????????invoke??DispatchMessage,addr?@stMsg
??????.endw
??????ret
??
??_WinMain??endp
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??start:
??????call??_WinMain
??????invoke??ExitProcess,NULL
??;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
??????end??start
??
??在radasm編譯通過.
??
??用IAD反匯編載入完成后,點(diǎn)擊文件-創(chuàng)建文件-創(chuàng)建asm文件就得到未經(jīng)修改的反匯編后得到的1.asm文件(有點(diǎn)繞口:)),直接用
??radasm打開,在radasm中ctrl+f5構(gòu)建并運(yùn)行看看結(jié)果怎樣,呵呵,出錯(cuò)了.

因?yàn)橐徊揭徊絹碇v比較長,我先把操作過程寫下來,在慢慢解釋,1.asm修改如下:
(一)增加模式定義\options語句\還原include語句
??????.686p
??????.mmx
??????.model?flat,stdcall
??????option?casemap:none
??include?WINDOWS.INC
??include?kernel32.inc
??includelib?kernel32.lib
??include?user32.inc
??includelib?user32.lib
(二)刪除結(jié)構(gòu)MSG\POINT\PAINTSTRUCT\RECT,并把余下的結(jié)構(gòu)移動(dòng)到??includelib?user32.lib之后,即第一步之后,
然后做如下修改:
tagMSG????struc?;??(sizeof=0x1C,?standard?type)
hwnd????dd????????;?offset
message????dd??
wParam????dd??
lParam????dd??
time????dd??
pt????POINT??????;這里修改為pt????POINT?<>
tagMSG????ends

tagPAINTSTRUCT??struc?;??(sizeof=0x40,?standard?type)
hdc????dd????????;?offset
fErase????dd??
rcPaint????RECT????????;這里修改為rcPaint????RECT?<>
fRestore??dd??
fIncUpdate??dd??
rgbReserved??db?32?dup(?)
tagPAINTSTRUCT??ends
(三)對(duì)函數(shù)的局部變量進(jìn)行修改
一共三個(gè)函數(shù)start\sub_401000和sub_401089,修改如下
sub_401089:
sub_401089??proc?near????;?CODE?XREF:?startp

Msg????=?MSG?ptr?-4Ch
var_30????=?WNDCLASSEXA?ptr?-30h
修改為:
sub_401089??proc?near????;?CODE?XREF:?startp

????LOCAL?Msg:MSG?
????LOCAL?var_30:WNDCLASSEXA?



sub_401000:

sub_401000??proc?near????;?DATA?XREF:?sub_401089+43o

hDC????=?dword??ptr?-54h
Rect????=?tagRECT?ptr?-50h
Paint????=?PAINTSTRUCT?ptr?-40h
hWnd????=?dword??ptr??8
Msg????=?dword??ptr??0Ch
wParam????=?dword??ptr??10h
lParam????=?dword??ptr??14h

修改為:
sub_401000??proc?uses?ebx?edi?esi?,hWnd,Msg,wParam,lParam????;?DATA?XREF:?sub_401089+43o

????LOCAL?hDC
????LOCAL?Rect:tagRECT
????LOCAL?Paint:PAINTSTRUCT


(四)_text段修改
刪除
在_text段前增加.code
_text????segment??para?public?'CODE'?use32
????assume?cs:_text
????;org?401000h
????assume?es:nothing,?ss:nothing,?ds:_data,?fs:nothing,?gs:nothing
和
_text????ends
注意:中間的代碼不要?jiǎng)h除!!!

(五)刪除align?40h

(六)移動(dòng)修改_data段
在.code前增加.data,并且把_data段移動(dòng)到這里
把
_data????segment??para?public?'DATA'?use32
????assume?cs:_data
????;org?403000h
和??????????;?sub_401089+A6r
_data????ends
刪除
注意:中間的代碼不要?jiǎng)h除!!!

(七)修改sub_401000的hWnd,只要出現(xiàn)有的都修改為hWnd1.

(八)刪除_idata段

(九)
把函數(shù)含有[ebp+變量]的代碼全部修改為變量
sub_401089的代碼
[ebp+var_30]?改為??var_30
[ebp+var_30.hCursor]??改為??var_30.hCursor
[ebp+var_30.hInstance]??改為??var_30.hInstance
[ebp+var_30.cbSize]??改為??var_30.cbSize
[ebp+var_30.style]??改為??var_30.style
[ebp+var_30.lpfnWndProc]??改為??var_30.lpfnWndProc
[ebp+var_30.hbrBackground]??改為??var_30.hbrBackground
[ebp+var_30.lpszClassName]??改為??var_30.lpszClassName
[ebp+Msg]????改為??Msg

sub_401000的代碼
[ebp+hDC]????改為??hDC
[ebp+Rect]????改為??Rect
[ebp+Paint]????改為??Paint
[ebp+hWnd1]????改為??hWnd1
[ebp+Msg]????改為??Msg
[ebp+wParam]????改為??wParam
[ebp+lParam]????改為??lParam

(十)刪掉函數(shù)多余的開頭
sub_401089處:
sub_401089??proc?near????;?CODE?XREF:?startp

????LOCAL?Msg:MSG?
????LOCAL?var_30:WNDCLASSEXA?

????push??ebp????;刪掉
????mov??ebp,?esp??刪掉
????add??esp,?0FFFFFFB4h??;刪掉

sub_401000處:
sub_401000??proc?near?uses?ebx?edi?esi?,hWnd1,Msg,wParam,lParam????;?DATA?XREF:?sub_401089+43o

????LOCAL?hDC
????LOCAL?Rect:tagRECT
????LOCAL?Paint:PAINTSTRUCT


????push??ebp??;刪掉
????mov??ebp,?esp??;刪掉
????add??esp,?0FFFFFFACh??;刪掉
????push??ebx????;刪掉
????push??edi????;刪掉
????push??esi????;刪掉


--------------------------------------------------------------------------------
【經(jīng)驗(yàn)總結(jié)】
?其實(shí)只要你把反編譯的代碼按照radasm的提示一步一步修改就可以了.
解釋:
(一)
這一步我在上篇已經(jīng)解釋的比較明白了.因?yàn)槲覀儏R編開頭就是那么幾句代碼.
include語句加回去這個(gè)是因?yàn)槲覀兙幾g的是匯編程序,這樣肯定要用到庫.如果IDA使用生成的_data段
就非常容易出錯(cuò).畢竟它只是"識(shí)別"而不是源碼!!!!!!!

(二)
?(1)刪除結(jié)構(gòu)體MSG\POINT\PAINTSTRUCT\RECT
我們進(jìn)行了第一步操作后,用radasm進(jìn)行構(gòu)建,就會(huì)提示我們
D:\masm32\Include\WINDOWS.INC(7873)?:?error?A2163:??:?POINT
D:\masm32\Include\WINDOWS.INC(7874)?:?error?A2163:??:?POINT
D:\masm32\Include\WINDOWS.INC(8841)?:?error?A2163:??:?MSG
D:\masm32\Include\WINDOWS.INC(8842)?:?error?A2163:??:?MSG
D:\masm32\Include\WINDOWS.INC(8843)?:?error?A2163:??:?MSG
D:\masm32\Include\WINDOWS.INC(8844)?:?error?A2163:??:?MSG
D:\masm32\Include\WINDOWS.INC(8845)?:?error?A2163:??:?MSG
D:\masm32\Include\WINDOWS.INC(8846)?:?error?A2163:??:?MSG
D:\masm32\Include\WINDOWS.INC(8846)?:?fatal?error?A1016:?

構(gòu)建時(shí)發(fā)生錯(cuò)誤.
總共編譯時(shí)間?271?毫秒

這個(gè)這個(gè)意思說我們的庫文件出錯(cuò),這個(gè)可能嗎?當(dāng)然也有可能,但我想你首先應(yīng)該想到是你的反匯編代碼錯(cuò).
先查詢一下windows.inc"出錯(cuò)"的到底是什么
POINT?STRUCT
??x??DWORD????;7873行
??y??DWORD????;7874行
POINT?ENDS

MSG?STRUCT
??hwnd??????DWORD?????????;8841
??message???DWORD?????????;8842
??wParam????DWORD?????????;8843
??lParam????DWORD?????????;8844
??time??????DWORD?????????;8845
??pt????????POINT??????<>??;8846
MSG?ENDS

呵呵,你再看看反匯編代碼開頭
MSG????struc?;??(sizeof=0x1C,?standard?type)
hwnd????dd????????;?offset
message????dd??
wParam????dd??
lParam????dd??
time????dd??
pt????POINT??
MSG????ends

;?---------------------------------------------------------------------------

POINT????struc?;??(sizeof=0x8,?standard?type)
x????dd??
y????dd??
POINT????ends
明白怎么是這樣了吧?我們反匯編代碼重復(fù)定義了結(jié)構(gòu)msg,point所以要把他們刪除.同理PAINTSTRUCT\RECT也刪除了.
(2)移動(dòng)剩余結(jié)構(gòu)到include語句后.
這一步我是為了省事,剩余三個(gè)結(jié)構(gòu)
tagMSG????struc?;??(sizeof=0x1C,?standard?type)
hwnd????dd????????;?offset
message????dd??
wParam????dd??
lParam????dd??
time????dd??
pt????POINT??
tagMSG????ends
;?---------------------------------------------------------------------------
WNDCLASSEXA??struc?;??(sizeof=0x30,?standard?type)
cbSize????dd??
style????dd??
lpfnWndProc??dd????????;?offset
cbClsExtra??dd??
cbWndExtra??dd??
hInstance??dd????????;?offset
hIcon????dd????????;?offset
hCursor????dd????????;?offset
hbrBackground??dd????????;?offset
lpszMenuName??dd????????;?offset
lpszClassName??dd????????;?offset
hIconSm????dd????????;?offset
WNDCLASSEXA??ends
;?---------------------------------------------------------------------------
tagRECT????struc?;??(sizeof=0x10,?standard?type)
left????dd??
top????dd??
right????dd??
bottom????dd??
tagRECT????ends
;?---------------------------------------------------------------------------
tagPAINTSTRUCT??struc?;??(sizeof=0x40,?standard?type)
hdc????dd????????;?offset
fErase????dd??
rcPaint????RECT??
fRestore??dd??
fIncUpdate??dd??
rgbReserved??db?32?dup(?)
tagPAINTSTRUCT??ends
其中tagMSG和tagPAINTSTRUCT結(jié)構(gòu)分別用到了POINT結(jié)構(gòu)和RECT結(jié)構(gòu),剛才我們刪了,只有windows.inc中有
所以直接把他們剪切到這里省去出錯(cuò)的機(jī)會(huì).
(3)修改結(jié)構(gòu)
tagMSG結(jié)構(gòu)和tagPAINTSTRUCT結(jié)構(gòu)修改,我是參照windows.inc結(jié)構(gòu)定義方法.結(jié)構(gòu)中用結(jié)構(gòu)<>?:)
這個(gè)不一定完全正確,想研究這方面多閱讀.inc文件

(三)函數(shù)修改
在反匯編代碼中只要出現(xiàn)proc的,到現(xiàn)在為止我都看成是函數(shù)!!!
IDA反匯編都它的函數(shù)都變成這個(gè)樣子
sub_401000??proc?near????;?DATA?XREF:?sub_401089+43o

hDC????=?dword??ptr?-54h??;注意這里是減(-)
Rect????=?tagRECT?ptr?-50h
Paint????=?PAINTSTRUCT?ptr?-40h
hWnd????=?dword??ptr??8????;這里其實(shí)是加(+)
Msg????=?dword??ptr??0Ch
wParam????=?dword??ptr??10h
lParam????=?dword??ptr??14h

????push??ebp
????mov??ebp,?esp
????add??esp,?0FFFFFFACh
????push??ebx
????push??edi
????push??esi
????mov??eax,?[ebp+Msg]
這里就會(huì)出現(xiàn)一個(gè)問題.我們先前又刪結(jié)構(gòu)又改結(jié)構(gòu),而這里又用到結(jié)構(gòu),不修改編譯也會(huì)出錯(cuò)的.
我們改成比較正規(guī)的win32匯編程序格式.
剛才我提示加減的地方,總結(jié)一條規(guī)律給大家:
函數(shù)開頭?xx?=?結(jié)構(gòu)?-?xxh?這個(gè)就是函數(shù)的局部變量,可用local?xx:結(jié)構(gòu)替換.
函數(shù)開頭?xx?=?dword??ptr?xxh?這個(gè)是函數(shù)的參數(shù),函數(shù)可改為
函數(shù)名?proc?xx

(四)_text段修改
代碼段
_text????segment??para?public?'CODE'?use32
????assume?cs:_text
????;org?401000h
????assume?es:nothing,?ss:nothing,?ds:_data,?fs:nothing,?gs:nothing
和
_text????ends
IDA這種段寫法有很大的弊端,也是引起我們修改后的代碼編譯不通過的一個(gè)很重要原因.(具體我還說不上來,我還很菜)

(五)刪除align?40h
align是反匯編代碼不通過編譯的一種常見錯(cuò)誤.

(六)移動(dòng)修改_data段
一般來說_data段是我們的數(shù)據(jù)段,一般我們放在前面.(呵呵,代碼順序也很重要)

(七)在數(shù)據(jù)段中
hWnd????dd????????;?DATA?XREF:?sub_401000+54r
??????????;?sub_401089+94w?sub_401089+9Br
??????????;?sub_401089+A6r
提示hWnd是函數(shù)sub_401089的,并不是sub_401000,所以要重命名他們.

(八)刪除_idata段
include語句已經(jīng)有了函數(shù)定義,再保留這里就會(huì)出錯(cuò).

(九)
把函數(shù)含有[ebp+變量]的代碼全部修改為變量
[ebp+]這個(gè)是編譯器加上去的,我們直接用的話,編譯后會(huì)變成[ebp+ebp+變量],容易出錯(cuò).

(十)刪掉函數(shù)多余的開頭
反匯編代碼中,編譯器為你加上象這樣的代碼
????push??ebp
????mov??ebp,?esp
????add??esp,?0FFFFFFB4h
如果你直接編譯的話代碼就變成了:
????push??ebp
????mov??ebp,?esp
????add??esp,?0FFFFFFB4h
????push??ebp
????mov??ebp,?esp
????add??esp,?0FFFFFFB4h
重新編譯也容易出錯(cuò),所以要?jiǎng)h去.

同理,要注意函數(shù)結(jié)束地方看看是否要?jiǎng)h去.

(十一)
這里說一點(diǎn)跟上一篇不同的是沒有刪除_rdata,因?yàn)檫@里有我們程序要的數(shù)據(jù),所以沒刪除.如
果你還想優(yōu)化自己弄了!!!

呵呵,終于弄完這篇了,把它整理好花了好大工夫.錯(cuò)誤難免,請(qǐng)多包涵!!!!

--------------------------------------------------------------------------------
【版權(quán)聲明】:?本文原創(chuàng)于看雪技術(shù)論壇,?轉(zhuǎn)載請(qǐng)注明作者并保持文章的完整,?謝謝!

???????????????????????????????????????????????????????2007年03月04日?12:21:20