[Title]: Entertainment for the Unemployed - Getting Started with IDA Reverse Engineering (2) - Assembly Programs (1)
[Author]: layper
[Author's e-mail]: layper@yahoo.com.cn
[Author's homepage]: http://blog.csdn.net/layper/
[Download]: search for and download it yourself
[Author's note]: I'm doing this purely out of interest, for no other purpose. Where I've slipped up, corrections from the experts are welcome!
--------------------------------------------------------------------------------
[Detailed walkthrough]
This is the second article. Getting started means beginning with the simplest possible case!
Why choose an assembly program? Because what IDA produces is assembly language, so this is the easiest way in. Before you start, get a few tools ready: IDA and the masm32 assembler package, installed,
with your paths configured in RadASM.
(1) The simplest Win32 assembly program source
hellow.asm
.386
.model flat,stdcall
option casemap:none
include WINDOWS.INC
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib
.data
sztitle db "你好",0
sztext db "你好!祝你有个好的开始!!!",0
.code
start:
invoke MessageBox,NULL,offset sztext,offset sztitle,MB_OK
invoke ExitProcess,NULL
end start
Built with RadASM's default settings; no resource section.
(2) The disassembly IDA produced automatically (saved directly, without any cleanup)
;
; +--------------------------------------------------------------------------------+
; |   This file is generated by The Interactive Disassembler (IDA)                 |
; |   Copyright (c) 2006 by DataRescue sa/nv, <ida@datarescue.com>                 |
; |   Licensed to: Paul Ashton - Blue Lane Technologies (1-user Advanced 03/2006)  |
; +--------------------------------------------------------------------------------+
;
; Input MD5 : 10721E858F8E4DA3413D6FBFAE63E7B3
; File Name : D:\lyp\hellow\hellow.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00000026 ( 38.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00000400
; Flags 60000020: Text Executable Readable
; Alignment : default
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; *************** S U B R O U T I N E ***************************************
public start
start proc near
push 0 ; uType
push offset Caption ; "你好"
push offset Text ; "你好!祝你有个好的开始!!!"
push 0 ; hWnd
call MessageBoxA
push 0 ; uExitCode
call ExitProcess
start endp
; [00000006 BYTES: COLLAPSED FUNCTION MessageBoxA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ExitProcess. PRESS KEYPAD "+" TO EXPAND]
align 200h
_text ends
; Section 2. (virtual address 00002000)
; Virtual size : 00000092 ( 146.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00000600
; Flags 40000040: Data Readable
; Alignment : default
;
; Imports from kernel32.dll
;
; ===========================================================================
; Segment type: Externs
; _idata
; void __stdcall ExitProcess(UINT uExitCode)
extrn __imp_ExitProcess:dword ; DATA XREF: ExitProcess↑r
;
; Imports from user32.dll
;
; int __stdcall MessageBoxA(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType)
extrn __imp_MessageBoxA:dword ; DATA XREF: MessageBoxA↑r
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 402010h
db 54h ; T
db 20h
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 6Ah ; j
db 20h
db 0
db 0
db 8
db 20h
db 0
db 0
db 4Ch ; L
db 20h
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 84h
db 20h
db 0
db 0
db 0
db 20h
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 76h ; v
db 20h
db 0
db 0
db 0
db 0
db 0
db 0
db 5Ch ; \
db 20h
db 0
db 0
db 0
db 0
db 0
db 0
db 9Dh
db 1
db 4Dh ; M
db 65h ; e
db 73h ; s
db 73h ; s
db 61h ; a
db 67h ; g
db 65h ; e
db 42h ; B
db 6Fh ; o
db 78h ; x
db 41h ; A
db 0
db 75h ; u
db 73h ; s
db 65h ; e
db 72h ; r
db 33h ; 3
db 32h ; 2
db 2Eh ; .
db 64h ; d
db 6Ch ; l
db 6Ch ; l
db 0
db 0
db 80h
db 0
db 45h ; E
db 78h ; x
db 69h ; i
db 74h ; t
db 50h ; P
db 72h ; r
db 6Fh ; o
db 63h ; c
db 65h ; e
db 73h ; s
db 73h ; s
db 0
db 6Bh ; k
db 65h ; e
db 72h ; r
db 6Eh ; n
db 65h ; e
db 6Ch ; l
db 33h ; 3
db 32h ; 2
db 2Eh ; .
db 64h ; d
db 6Ch ; l
db 6Ch ; l
db 0
db 367 dup(0) ; zero padding up to the end of the 200h-byte raw section (IDA lists each byte as a separate db 0)
_rdata ends
; Section 3. (virtual address 00003000)
; Virtual size : 0000001E ( 30.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00000800
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 403000h
; char Caption[]
Caption db '你好',0 ; DATA XREF: start+2↑o
; char Text[]
Text db '你好!祝你有个好的开始!!!',0 ; DATA XREF: start+7↑o
align 200h
_data ends
end start
This assembles successfully in RadASM without any changes!!!
(3) Comparing the two files
(1) Mode definitions
Side by side (source on the left, IDA's disassembly on the right):
.386                    .686p              ; differs
(none)                  .mmx
.model flat,stdcall     .model flat
option casemap:none     (none)             ; differs
My IDA defaults to .686p mode; its .model statement carries no language type, and there is no option statement.
(2) Where the .inc and .lib files went
In the source file, the lines
include WINDOWS.INC
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib
have vanished from the disassembly, and we have to find them again!!
These statements really just link the program to the system DLLs, so search the disassembly for user32.dll and kernel32.dll and you land here:
; Imports from kernel32.dll
;
; ===========================================================================
; Segment type: Externs
; _idata
; void __stdcall ExitProcess(UINT uExitCode)
extrn __imp_ExitProcess:dword ; DATA XREF: ExitProcess↑r
;
; Imports from user32.dll
;
; int __stdcall MessageBoxA(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType)
extrn __imp_MessageBoxA:dword ; DATA XREF: MessageBoxA↑r
The comments make it clear: the import table lists two DLLs in the _idata segment, so the include statements are recovered by looking in _idata.
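What those two extrn lines and the long db dump in _rdata actually encode is the PE import directory: an array of 20-byte IMAGE_IMPORT_DESCRIPTOR entries, each pointing at a DLL name, at an import lookup table of hint/name RVAs, and at the IAT slot that the `__imp_` extern stands for. The following Python script is an added example, not part of the original post or of IDA's output. It rebuilds the bytes from the db lines above (the first 16 bytes, the IAT itself, are not printed in the listing and are assumed to be zero), then walks the descriptors and recovers the two DLLs and their functions. The start RVA 0x2010 is taken from IDA's `org 402010h`; in a real file you would read the import directory RVA from the optional header's data directory. The parser is written generically, so it also handles more descriptors, several functions per DLL and import-by-ordinal entries, not only this one binary.

```python
import struct

SECTION_RVA = 0x2000      # virtual address of the section IDA splits into _idata and _rdata
IMPORT_DIR_RVA = 0x2010   # where the db dump begins (IDA: org 402010h with image base 400000h)
IMAGE_ORDINAL_FLAG32 = 0x80000000


def _cstr(s):
    return s.encode("ascii") + b"\0"


# Constructed from the db lines of the .rdata dump above. Bytes 0x2000..0x200F are the IAT,
# which IDA shows as the two __imp_ externs rather than as data; the listing does not print
# their contents, so they are zero here (assumption).
RDATA = b"".join([
    bytes(16),                                          # 0x2000: IAT (not in the listing)
    struct.pack("<5I", 0x2054, 0, 0, 0x206A, 0x2008),   # 0x2010: descriptor for user32.dll
    struct.pack("<5I", 0x204C, 0, 0, 0x2084, 0x2000),   # 0x2024: descriptor for kernel32.dll
    bytes(20),                                          # 0x2038: all-zero terminator descriptor
    struct.pack("<2I", 0x2076, 0),                      # 0x204C: lookup table for kernel32.dll
    struct.pack("<2I", 0x205C, 0),                      # 0x2054: lookup table for user32.dll
    struct.pack("<H", 0x019D) + _cstr("MessageBoxA"),   # 0x205C: hint 19Dh + name
    _cstr("user32.dll") + b"\0",                        # 0x206A: DLL name + one pad byte
    struct.pack("<H", 0x0080) + _cstr("ExitProcess"),   # 0x2076: hint 80h + name
    _cstr("kernel32.dll"),                              # 0x2084: DLL name
])


def parse_import_directory(section, section_rva, import_dir_rva):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and return
    [(dll_name, iat_rva, [(function_name_or_#ordinal, hint), ...]), ...]."""

    def off(rva, size=1):
        # Translate an RVA to an offset inside `section`, refusing anything out of range
        o = rva - section_rva
        if o < 0 or o + size > len(section):
            raise ValueError(f"RVA {rva:#x} lies outside the section")
        return o

    def cstring(rva):
        o = off(rva)
        end = section.find(b"\0", o)
        if end < 0:
            raise ValueError(f"unterminated string at RVA {rva:#x}")
        return section[o:end].decode("ascii")

    imports = []
    desc_rva = import_dir_rva
    while True:
        oft, _stamp, _fwd, name_rva, iat_rva = struct.unpack_from(
            "<5I", section, off(desc_rva, 20))
        if oft == 0 and name_rva == 0 and iat_rva == 0:
            break                                   # all-zero descriptor ends the array
        funcs = []
        thunk_rva = oft or iat_rva                  # no lookup table: fall back to the IAT
        while True:
            (entry,) = struct.unpack_from("<I", section, off(thunk_rva, 4))
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                funcs.append((f"#{entry & 0xFFFF}", None))      # import by ordinal
            else:
                (hint,) = struct.unpack_from("<H", section, off(entry, 2))
                funcs.append((cstring(entry + 2), hint))        # hint/name entry
            thunk_rva += 4
        imports.append((cstring(name_rva), iat_rva, funcs))
        desc_rva += 20
    return imports


if __name__ == "__main__":
    for dll, iat_rva, funcs in parse_import_directory(RDATA, SECTION_RVA, IMPORT_DIR_RVA):
        print(f"{dll}: IAT slot at RVA {iat_rva:#06x} (address {0x400000 + iat_rva:#x})")
        for name, hint in funcs:
            print(f"    {name}" + (f" (hint {hint:#x})" if hint is not None else ""))
```

The two IAT RVAs the parser reports, 0x2008 and 0x2000, are the 16 bytes in front of `org 402010h`, which is exactly where IDA placed `__imp_MessageBoxA` and `__imp_ExitProcess`; the `call MessageBoxA` stubs in _text jump through those slots. In other words, the opaque db dump and the tidy extrn lines are two views of the same structure.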
(3) Changes in segment definitions
In the source, a segment is defined like this:
.segname
whereas in the disassembly it is
segname segment para public 'DATA' use32
assume cs:_data
segname ends
which is the traditional DOS-assembly style.
(4) Segments added and removed
Comparing the two, we find that the number of segments differs from our original. Originally we had only two segments,
.data and .code, but after disassembly they become
.text, .idata, .rdata and .data.
Look carefully and you will see that
the disassembly's text segment is the source's .code segment and its data segment is the source's .data segment, while .idata and .rdata were generated by the compiler; idata is where the include statements are to be found,
and .idata is basically of no further use and can be deleted.
(5) Data segment
Comparison shows it is essentially identical, with nothing added except an align 200h,
which can simply be deleted.
(6) Changes in the code segment
Changes to the entry function:
public start
start proc near
push 0 ; uType
push offset Caption ; "你好"
push offset Text ; "你好!祝你有个好的开始!!!"
push 0 ; hWnd
call MessageBoxA
push 0 ; uExitCode
call ExitProcess
start endp
......
end start
Note that end start is placed after all the segments.
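The pushes in IDA's listing are simply the expansion of the source's `invoke` macro: stdcall arguments are pushed right to left, the symbolic constants NULL and MB_OK fold to 0, the include files resolve MessageBox to the ANSI entry point MessageBoxA, and IDA then labels each push with the parameter name from the prototype it knows. The following Python function is an added example, not from the original post or from the masm32 package; it performs that expansion for one invoke line. The alias, prototype and constant tables are hand-written for the demo from the prototypes IDA printed in the _idata comments, not read from the real include files.

```python
import re

# Generic-to-ANSI names as the masm32 include files define them when __UNICODE__ is not
# set (hand-written for this demo, not read from the .inc files)
API_ALIASES = {"MessageBox": "MessageBoxA"}

# Parameter names taken from the prototypes IDA printed in the _idata segment
PROTOTYPES = {
    "MessageBoxA": ["hWnd", "lpText", "lpCaption", "uType"],
    "ExitProcess": ["uExitCode"],
}

# Symbolic constants from windows.inc that hellow.asm uses
CONSTANTS = {"NULL": 0, "MB_OK": 0}


def expand_invoke(line, aliases=API_ALIASES, prototypes=PROTOTYPES, constants=CONSTANTS):
    """Expand one `invoke Func, a, b, c` into the push/call lines the assembler emits.

    stdcall pushes arguments right to left, so the last argument appears first; each
    push is labelled with its parameter name, the way IDA annotates the listing.
    """
    code = line.split(";", 1)[0]                      # drop any trailing comment
    m = re.match(r"\s*invoke\s+(\w+)\s*(?:,(.*))?$", code, re.IGNORECASE)
    if not m:
        raise ValueError(f"not an invoke statement: {line!r}")
    func = aliases.get(m.group(1), m.group(1))        # MessageBox -> MessageBoxA
    args = [a.strip() for a in (m.group(2) or "").split(",") if a.strip()]
    params = prototypes.get(func)
    if params is not None and len(params) != len(args):
        raise ValueError(f"{func} takes {len(params)} argument(s), invoke passes {len(args)}")
    out = []
    for i in range(len(args) - 1, -1, -1):            # right-to-left push order
        value = constants.get(args[i], args[i])       # NULL / MB_OK fold to their values
        label = f" ; {params[i]}" if params else ""
        out.append(f"push {value}{label}")
    out.append(f"call {func}")
    return out


if __name__ == "__main__":
    for src in ("invoke MessageBox,NULL,offset sztext,offset sztitle,MB_OK",
                "invoke ExitProcess,NULL"):
        print(src)
        for asm in expand_invoke(src):
            print("    " + asm)
```

Run against the two invoke lines of hellow.asm, the output matches IDA's listing line for line, the only difference being that IDA has renamed sztitle and sztext to Caption and Text from the prototype's parameter types. The arity check is the useful part when reading unfamiliar code: a push count that does not match the prototype is the first sign that IDA has picked the wrong prototype or that the calling convention is not stdcall.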
At this point we have gone through the overall outline of this program's disassembly.
--------------------------------------------------------------------------------
[Lessons learned]
(1) The mode definitions lose the language type and the option statement; decide case by case whether to add them back.
(2) For the include statements, look up the DLL names in _idata to get the commonly used include and library files.
(3) The .rdata segment need not be examined and can be deleted.
(4) Look for start at the entry point.
--------------------------------------------------------------------------------
[Copyright]: This article was originally written for the 看雪 (PEDIY) technical forum. When reposting, please credit the author and keep the article intact. Thanks!
2 March 2007, 13:56:14