[原创]显示出指定win32 api 的variable参数的内存中的值
发表于: 2009-11-12 22:45 4585

/*

*为了便于大家看不以IDC文件公布(因为临时用户不能下载)
*显示出指定win32 api 的variable参数的内存中的值
*举例用MessageBoxW ,的第二个参数 lpText
*int MessageBox(

    HWND hWnd,        // handle of owner window
    LPCTSTR lpText,        // address of text in message box
    LPCTSTR lpCaption,        // address of title of message box  
    UINT uType         // style of message box
   );
   生成一个log文件,便于crack时参考,而不用手工去找
   希望大家能够喜欢
   本人希望能够找一份逆向的工作,如果觉得我还可以,希望能给我一个机会,
   money 多少不在乎
   我在上海,希望广大坛友能够帮我实现这个愿望
   谢谢大家
   能拉兄弟一把的请联系
   qq:584401165,email:syrhades@126.com,msn:syrhades@hotmail.com
   该idc版权归syrhades所有,若有雷同纯属巧合
*/


#include <idc.idc>

// Create the log file for this run.
//
// logname - base name of the log; the file is written as "f:\<logname>.log"
//
// Opens the file in "w" mode (so an existing file of that name is
// overwritten). On success it writes a header line naming the log and a
// second line carrying the input file name, then closes the file. On
// failure it only prints a message. In both cases the full path is
// returned so the caller can append to it later with writeinlogfile().
//
// NOTE: the drive letter is hard-coded; on a machine without an f: drive
// fopen() fails and the rest of the run appends to a file that was never
// created here.
static create_log(logname)
{
        auto logpath, fp;

        logpath = "f:\\" + logname + ".log";
        fp = fopen(logpath, "w");
        if (fp != 0)
        {
                printf("creat file successfully!");
                writestr(fp, logname + " has been created\n");
                writestr(fp, GetInputFile() + " \n");
                fclose(fp);
        }
        else
        {
                printf("creat file lose");
        }
        return logpath;
}
//------------------------------------------------
        //Write some string into the log file
        static writeinlogfile(logname,text_towrite)
        {
                auto func,addr,xref,source,filep,filename,flag;
                flag="a+";
  filep=fopen(logname,flag);
if (filep!=0) //判断是否打开文件
    { //write in data
            writestr(filep,text_towrite+"\n");
     //printf("creat file successfully");
   fclose(filep);
        }
  else
          printf("file doesn't exist");
        }
       
//----------------------------------------------------
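// Record in the log that need_func was found in the database.
//
// need_func - API name to record
// logname   - full path of the log file; opened in "a+" mode (appended,
//             created if missing)
//
// Not called from main(); kept as a helper for manual use. The log path is
// echoed with printf() first so it is visible in the output window.
// Unused locals were removed and a space was added to the log line, which
// previously read "<name>is found in database".
static findspecialcodetest(need_func, logname)
{
        auto filep;

        printf(logname);
        filep = fopen(logname, "a+");
        if (filep != 0)
        {
                writestr(filep, need_func + " is found in database\n");
                printf("creat file successfully");
                fclose(filep);
        }
}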

//-----------------------------------------------------

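//------------- locate the call sites of need_func and their string argument ---
// For every code reference to need_func, walk backwards from the call to the
// "push" that supplies argument number var_seq (counted backwards from the
// call; on x86 stdcall MessageBoxW's lpText is the 2nd push before the call).
// If that push has an immediate operand, the user is asked whether to dump
// the wide string at that address into the log via show_text().
//
// need_func - API name, e.g. "MessageBoxW"
// var_seq   - number of "push" instructions to walk back from the call site
// logname   - full path of the log file (see create_log)
//
// The backward walk is bounded: it stops at BADADDR and at the start of the
// function containing the call. The original loop had no bound, so a call
// preceded by fewer than var_seq pushes made PrevAddr() return BADADDR and
// the loop never terminated; such calls are now logged and skipped.
static locate_func(need_func, var_seq, logname)
{
        auto xrefaddr, addr, xref, source, func_start;
        auto count_push, text_addr, optype, addrtext, dst_addr, loc_flag, text;

        xrefaddr = LocByName(need_func);
        if (xrefaddr == BADADDR)
        {
                Warning("Sorry,%s not found in database", need_func);
                return;
        }

        for (addr = RfirstB(xrefaddr); addr != BADADDR; addr = RnextB(xrefaddr, addr))
        {
                xref = XrefType();
                // only near/far calls; data references and jumps are ignored
                if (xref != fl_CN && xref != fl_CF)
                        continue;

                source = GetFunctionName(addr);
                Message("%s is called from )&& %x in %s \n", need_func, addr, source);
                writeinlogfile(logname, need_func + " is in function's name:");
                writeinlogfile(logname, source);

                // Walk back over the preceding instructions, counting "push"
                // mnemonics until the var_seq-th one is reached.
                func_start = GetFunctionAttr(addr, FUNCATTR_START);
                count_push = var_seq;
                text_addr = addr;
                while (count_push != 0)
                {
                        text_addr = PrevAddr(text_addr);
                        if (text_addr == BADADDR)
                                break;
                        // do not walk into the previous function's code
                        if (func_start != BADADDR && text_addr < func_start)
                                break;
                        if (GetMnem(text_addr) == "push")
                                count_push = count_push - 1;
                }
                if (count_push != 0)
                {
                        printf("not enough push before call, skip");
                        writeinlogfile(logname, "could not find push for this argument,so skip ");
                        writeinlogfile(logname, "/---------------------------------------------------/");
                        continue;
                }

                // Only an immediate operand (o_imm == 5) can be a string address;
                // "push reg" / "push [mem]" are logged as suspicious and skipped.
                printf("optype");
                optype = GetOpType(text_addr, 0);
                addrtext = atoa(text_addr);
                if (optype != o_imm)
                {
                        printf("skip [push reg]");
                        writeinlogfile(logname, "oprand is not Immediate Value,so skip ");
                        writeinlogfile(logname, "but the addr: " + addrtext + " is doubtfulness ");
                        writeinlogfile(logname, "/---------------------------------------------------/");
                        continue;
                }

                printf("search what I want at ");
                writeinlogfile(logname, "addr is " + addrtext);
                printf(addrtext);
                Jump(text_addr);

                // AskYN(): 1 = yes, 0 = no, -1 = cancelled
                loc_flag = AskYN(1, "Do you want to show text");
                if (loc_flag == 0 || loc_flag == -1)
                        continue;

                printf("!!!!!!!!!showing text!!!!!!!!!!");
                dst_addr = GetOperandValue(text_addr, 0);
                writeinlogfile(logname, "Tip string is ");
                text = show_text(dst_addr);
                writeinlogfile(logname, text);
                writeinlogfile(logname, "/---------------------------------------------------/");
                printf("!!!!!!!!!showing text end!!!!!!!!!!");
        }
}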
//--------------------------------------------------------------------

// Experimental helper (not called from main()).
// If call_addr holds a "push" whose first byte is 0x68 (push imm32), read
// the four bytes at offsets 4,3,2,1 in that order, glue their form("%s")
// renderings together, and print xtol() of the result. Always returns 0.
// Superseded by msgtextaddrbeta2(), which uses GetOperandValue() instead.
static msgtextaddrbeta(call_addr)
{
        auto k, collected, one_byte;

        collected = "";
        if (GetMnem(call_addr) == "push" && Byte(call_addr) == 0x68)
        {
                for (k = 4; k != 0; k = k - 1)
                {
                        one_byte = Byte(call_addr + k);
                        collected = collected + form("%s", one_byte);
                }
        }
        Message("addr is %x\n", xtol(collected));
        return 0;
}

//--------------------------------------------------------------------

// Return the value of the first operand of the instruction at call_addr
// (for "push imm32" this is the pushed address) and print it as hex.
// This is the working variant of the three msgtextaddrbeta* helpers.
static msgtextaddrbeta2(call_addr)
{
        auto operand_value;

        operand_value = GetOperandValue(call_addr, 0);
        Message("addr is %x\n", operand_value);
        return operand_value;
}

//-------------------------------
  static msgtextaddrbeta3(call_addr)
{
auto value_return,temp,addrbyte,tempaddr,dst_addr,code,i,flag;
flag=SEARCH_DOWN||SEARCH_NEXT;
i=4;
tempaddr="";
if(GetMnem(call_addr) == "push"&&Byte(call_addr)==0x68)
        {
                temp=GetOpnd(call_addr,0);
                //long    FindText        (long ea,long flag,long y,long x,string str);
                // y - number of text line at ea to start from (0..MAX_ITEM_LINES)
                // x - x coordinate in this line
                dst_addr=LocByName(temp);
        }
        Message("addr is %x\n",dst_addr);
return 0;
}
     
   

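//------------------ read the wide string at special_addr --------------------
// Read the zero-terminated 16-bit string at special_addr and return it as
// an IDC string built from Byte() at the even offset of each Word(), i.e.
// the low byte of each unit when the data is little-endian (UTF-16LE, the
// MessageBoxW convention); characters outside the low byte are mangled.
// The address and the text are also printed to the output window.
//
// special_addr - address of the first 16-bit unit
//
// The loop is bounded: it stops at the first 0x0000 unit (which is no
// longer appended to the result), at the first unloaded byte (Byte()/Word()
// return 0xFF/0xFFFF there, so the original unbounded loop never saw a
// terminator when given a bad address and spun forever), or after
// max_units characters.
static show_text(special_addr)
{
        auto beginaddr, ea, addrbyte, addrword, i, max_units, strtemp;

        beginaddr = special_addr;
        strtemp = "";
        max_units = 4096;   // safety cap (constructed value); message text is far shorter

        for (i = 0; i < max_units; i = i + 1)
        {
                ea = beginaddr + i * 2;
                if (!isLoaded(ea) || !isLoaded(ea + 1))
                        break;
                addrword = Word(ea);
                if (addrword == 0x0000)
                        break;
                addrbyte = Byte(ea);
                strtemp = strtemp + form("%s", addrbyte);
        }
        printf(atoa(beginaddr) + " string is |");
        printf(strtemp);
        return strtemp;
}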
        //--------------------------------------------------------

// Run cstr as an operating-system command via Exec(). The string is passed
// through unchanged, so only hand it literal commands. Not called from
// main() in this script.
static oscmd(cstr)
{
        auto command;

        command = cstr;
        Exec(command);
}

//----------print a string, framed by asterisks, to the output window ------
// Unlike C's printf this takes a single string and does no formatting.
static printf(cstr)
{
        auto framed;

        framed = "***************%s*********************** \n";
        Message(framed, cstr);
}
//----------print a number in hex, framed by asterisks, to the output window
static printl(longstr)
{
        auto framed;

        framed = "***************%x*********************** \n";
        Message(framed, longstr);
}

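//-----------------------------main()---------------------------------------
// Entry point: build "<input file without extension>_<api>" as the log name,
// create the log with create_log() and run locate_func() for the chosen
// argument of the API. Change fun_name / api_arg to inspect a different
// Win32 API; 2 is MessageBoxW's lpText.
//
// The extension is stripped at the LAST "." — the original used strstr(),
// which finds the first one and so truncated names like "setup.v2.exe"
// to "setup". The no-op "i = i;" was removed.
static main()
{
        auto filename, i, ext_pos, fun_name, api_arg, outputfilename;

        filename = GetInputFile();
        printf(filename);

        ext_pos = -1;
        for (i = 0; i < strlen(filename); i = i + 1)
        {
                if (substr(filename, i, i + 1) == ".")
                        ext_pos = i;
        }
        if (ext_pos != -1)
                filename = substr(filename, 0, ext_pos);

        fun_name = "MessageBoxW";   // or any other Win32 API name
        api_arg = 2;                // lpText is the 2nd argument of MessageBoxW
        filename = filename + "_" + fun_name;
        outputfilename = create_log(filename);
        printf(outputfilename);
        locate_func(fun_name, api_arg, outputfilename);
}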


/*output file format example

-------------start--
Registration_MessageBoxW has been created
Registration.exe
MessageBoxW is in function's name:
showerrormsg
oprand is not Immediate Value,so skip
but the addr: .text:00401065 is doubtfulness
/---------------------------------------------------/
MessageBoxW is in function's name:
DialogFunc
addr is .text:0040135F
Tip string is
Failed to get module information, please restart your computer and try again.
/---------------------------------------------------/
MessageBoxW is in function's name:
DialogFunc
addr is .text:004013E7
Tip string is
Failed to get module path, please restart your computer and try again.
/---------------------------------------------------/
MessageBoxW is in function's name:
DialogFunc
addr is .text:00401449
Tip string is
Failed to get system information, please restart your computer and try again.
/---------------------------------------------------/
MessageBoxW is in function's name:
DialogFunc
addr is .text:00401558
Tip string is
Please copy the content from the key file into the box.
/---------------------------------------------------/
MessageBoxW is in function's name:
DialogFunc
addr is .text:0040178B
Tip string is
Thanks for registration!
/---------------------------------------------------/
MessageBoxW is in function's name:
DialogFunc
addr is .text:004017E3
Tip string is
Sorry, the contents of the key file were incorrect. Please try again.
If you just want to evaluate Foxit PDF Creator, please press the "Keep Evaluating" button.
/---------------------------------------------------/

----end----------------------
*/


最新回复 (1)
这块好像人气不足
version2 更新放在http://bbs.pediy.com/showthread.php?t=100997
2009-11-13 11:29