
[讨论]rvatooffset.asm

2010-5-19 10:02
3929
本人写的rvatooffset过程,在导入表的查询中正常,在导出表的查询中,总比别人的小0c00h,请问高手是啥原因。rvatooffset过程的用法与说明我就不说了,我相信大家能看明白。(审阅备注:下面第二个程序在 showapiaddr 循环里把导出地址表的每一项都先经过 rvatooffset 再显示,显示的是文件偏移而不是 RVA;对典型的 .text 节(VirtualAddress=1000h、PointerToRawData=400h)两者正好相差 0C00h,这很可能就是差值的来源。)
;made by correy
;made in 16.08.2009
;Email:leguanyuan@126.com
;QQ:112426112
;rc me.rc
;ml /coff test.asm /link /subsystem:windows me.res
;此文件我花了半个月的时间才完成,
;用十天的时间完成rvatooffset子程序
;用三天的时间完成遍历dll文件
;用三天的时间完成遍历api函数。
;此文件没有加入seh异常处理,对一些文件不能查询。
;本文件完全用汇编语言编成,没有汇编语言的高级语法。

;此文件没有考虑pe+的情况

.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include comdlg32.inc

includelib user32.lib
includelib kernel32.lib
includelib comdlg32.lib

.data
correy db "made by correy",0                                    ; caption used for every MessageBox
wrong db "will over!",0                                         ; text of the final box on the `exit` path
FilterString db "pe File (*.exe, *.dll)",0,"*.exe;*.dll",0,0    ; OPENFILENAME filter: display text, pattern, double NUL terminator
h db "%8x",0                                                    ; wsprintf format; not referenced in this listing

.data?
ofn OPENFILENAME <>
buffer db 256 DUP (?)      ; receives the selected path; ofn.nMaxFile must never exceed SIZEOF buffer
mz dd ?                    ; base of the read-only file view (IMAGE_DOS_HEADER)
pe dd ?                    ; mz + e_lfanew: address of the "PE\0\0" signature
OptionalHeader dd ?        ; pe + 24 (optional header follows the 20-byte file header)
header dd ?                ; OptionalHeader + SizeOfOptionalHeader: first IMAGE_SECTION_HEADER
magic word ?               ; unused in this listing
sizeOfOptionalHeader dd ?  ; IMAGE_FILE_HEADER.SizeOfOptionalHeader
sections dd ?              ; IMAGE_FILE_HEADER.NumberOfSections
v dd ?                     ; unused in this listing

.code

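;-----------------------------------------------------------------------
; rvatooffset: translate an RVA into a raw file offset by walking the
; section table.
; Calling convention: stdcall (.model flat,stdcall).
; In:  sectionsn = NumberOfSections from the file header
;      head      = pointer to the first IMAGE_SECTION_HEADER (40 bytes each)
;      rva       = RVA to translate
; Out: eax = PointerToRawData + (rva - VirtualAddress) of the section whose
;            file-backed range [VirtualAddress, VirtualAddress+SizeOfRawData)
;            contains rva; 0 if no section matches. The original returned
;            whatever was left in eax on a miss, so callers could not detect
;            failure; they should now treat 0 as "not found".
;            RVAs in the headers (before the first section) and in a
;            section's virtual-only tail (VirtualSize > SizeOfRawData) are
;            reported as not found.
; Clobbers: flags. esi/edi/ecx are saved and restored.
; Note: the headers come straight from an untrusted file; this routine only
; reads the `sectionsn` headers it is told about and does not verify that
; they lie inside the mapped view.
;-----------------------------------------------------------------------
rvatooffset proc uses esi edi ecx sectionsn:DWORD,head:DWORD,rva:DWORD
    mov     edi,rva
    mov     esi,head
    mov     ecx,sectionsn

rto_next:
    test    ecx,ecx
    jz      rto_notfound                ; every section examined
    mov     eax,[esi+12]                ; IMAGE_SECTION_HEADER.VirtualAddress
    cmp     edi,eax
    jb      rto_skip                    ; rva is below this section (unsigned compare)
    add     eax,[esi+16]                ; VirtualAddress + SizeOfRawData
    cmp     edi,eax
    jnb     rto_skip                    ; rva is past the file-backed part
    sub     edi,[esi+12]                ; edi = rva - VirtualAddress
    mov     eax,[esi+20]                ; PointerToRawData
    add     eax,edi                     ; eax = file offset
    jmp     rto_done

rto_skip:
    add     esi,40                      ; sizeof IMAGE_SECTION_HEADER
    dec     ecx
    jmp     rto_next

rto_notfound:
    xor     eax,eax                     ; 0 = no section contains rva

rto_done:
    ret
rvatooffset endp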

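;-----------------------------------------------------------------------
; Entry point: let the user pick a PE file, map it read-only, walk the
; import directory and show every imported DLL name and every imported
; function name in a MessageBox. Any failure, and the normal end of the
; descriptor list, jumps to `exit`, which shows "will over!" and exits.
; Register roles in the main loop:
;   edi = pointer (in the view) to the current IMAGE_IMPORT_DESCRIPTOR
;   ebx = pointer (in the view) to the current IMAGE_THUNK_DATA32 entry
; Both survive the Win32 calls (callee-saved in stdcall).
; Only PE32 is handled: the data-directory offset below is wrong for PE32+.
; Fixes over the original: nMaxFile matched to the real buffer size, MZ/PE
; signature checks, NumberOfSections/SizeOfOptionalHeader zero-extended
; instead of sign-extended, rvatooffset results of 0 treated as failure,
; imports by ordinal skipped instead of ending the DLL's list, and the
; `push eax` that leaked on every DLL removed.
;-----------------------------------------------------------------------
start:
    mov     ofn.lStructSize,SIZEOF ofn
    mov     ofn.lpstrFilter, OFFSET FilterString
    mov     ofn.lpstrFile, OFFSET buffer
    ; nMaxFile must match the buffer: the original passed 512 for a 256-byte
    ; buffer, so a long path would overflow `buffer` into `mz`/`pe`.
    mov     ofn.nMaxFile,SIZEOF buffer
    mov     ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY
    invoke  GetOpenFileName, ADDR ofn
    test    eax,eax
    jz      exit                            ; dialog cancelled or failed

    invoke  CreateFile, addr buffer, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
    cmp     eax,INVALID_HANDLE_VALUE
    je      exit
    invoke  CreateFileMapping,eax, NULL, PAGE_READONLY,0,0,0
    test    eax,eax
    jz      exit
    invoke  MapViewOfFile,eax,FILE_MAP_READ,0,0,0
    test    eax,eax
    jz      exit
    mov     mz,eax                          ; base of the read-only view

    ; Sanity-check the headers before trusting offsets taken from the file.
    ; The view is read-only, so a hostile file cannot corrupt memory, but an
    ; out-of-view read still faults (there is no SEH here). e_lfanew is not
    ; bounded against the file size, so a truncated file can still fault.
    cmp     word ptr [eax],5A4Dh            ; IMAGE_DOS_SIGNATURE "MZ"
    jne     exit
    mov     esi,[eax+3ch]                   ; IMAGE_DOS_HEADER.e_lfanew
    add     esi,eax
    mov     pe,esi
    cmp     dword ptr [esi],4550h           ; IMAGE_NT_SIGNATURE "PE\0\0"
    jne     exit

    ; movzx: both fields are unsigned words (the original sign-extended them).
    movzx   edx,word ptr [esi+6]            ; IMAGE_FILE_HEADER.NumberOfSections
    mov     sections,edx
    movzx   edx,word ptr [esi+20]           ; IMAGE_FILE_HEADER.SizeOfOptionalHeader
    mov     sizeOfOptionalHeader,edx
    add     esi,24                          ; optional header follows the 20-byte file header
    mov     OptionalHeader,esi
    add     esi,edx
    mov     header,esi                      ; first IMAGE_SECTION_HEADER

    ; DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT] is at optional-header offset 104 (PE32).
    mov     esi,OptionalHeader
    mov     esi,[esi+104]                   ; import directory RVA
    test    esi,esi
    jz      exit                            ; file has no import table
    invoke  rvatooffset,sections,header,esi
    test    eax,eax
    jz      exit                            ; RVA not backed by any section
    mov     edi,eax
    add     edi,mz                          ; edi = first IMAGE_IMPORT_DESCRIPTOR

next_dll:
    ; The descriptor array ends with an all-zero entry; Name (+12) or
    ; FirstThunk (+16) being zero is the termination test used here.
    cmp     dword ptr [edi+12],0
    je      exit
    cmp     dword ptr [edi+16],0
    je      exit

    ; Show the DLL name.
    mov     eax,[edi+12]                    ; IMAGE_IMPORT_DESCRIPTOR.Name (RVA)
    invoke  rvatooffset,sections,header,eax
    test    eax,eax
    jz      exit
    add     eax,mz
    invoke  MessageBox,0,eax,addr correy,0

    ; Walk this DLL's FirstThunk array (IMAGE_THUNK_DATA32, one dword each,
    ; zero-terminated).
    mov     eax,[edi+16]                    ; IMAGE_IMPORT_DESCRIPTOR.FirstThunk (RVA)
    invoke  rvatooffset,sections,header,eax
    test    eax,eax
    jz      exit
    add     eax,mz
    mov     ebx,eax

next_thunk:
    mov     eax,[ebx]
    test    eax,eax
    jz      dll_done                        ; end of this DLL's thunks
    test    eax,80000000h                   ; IMAGE_ORDINAL_FLAG32: no name to show
    jnz     skip_thunk
    invoke  rvatooffset,sections,header,eax ; eax = RVA of IMAGE_IMPORT_BY_NAME
    test    eax,eax
    jz      skip_thunk                      ; dangling thunk: skip rather than read garbage
    add     eax,mz
    add     eax,2                           ; skip IMAGE_IMPORT_BY_NAME.Hint, point at Name
    invoke  MessageBox,0,eax,addr correy,0
skip_thunk:
    add     ebx,4
    jmp     next_thunk

dll_done:
    add     edi,20                          ; sizeof IMAGE_IMPORT_DESCRIPTOR
    jmp     next_dll

exit:
    invoke  MessageBox,0,addr wrong,addr correy,0
    invoke  ExitProcess,NULL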
end start
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;made by correy
;Email:leguanyuan@126.com
;QQ:112426112
;rc me.rc
;ml /coff test.asm /link /subsystem:windows me.res
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include comdlg32.inc

includelib user32.lib
includelib kernel32.lib
includelib comdlg32.lib

.data
correy db "made by correy",0                   ; author tag / generic caption text
wrong db "error,will over!",0                  ; error text for the failure path
FilterString db "dll File",0,"*.dll",0,0       ; OPENFILENAME filter: display text, pattern, double NUL terminator
h db "%8x",0                                   ; wsprintf format used for every numeric box
edata db "导出节或导出目录表的首地址",0         ; "start of the export section / export directory table"; only in commented-out boxes
correy2 db "导出名称指针表",0                   ; "export name pointer table"; not referenced
dllnameaddr db "dll name address:",0           ; only in commented-out boxes
dllname db "dll name :",0                      ; only in commented-out boxes
ordinalbase db "ordinal base:",0               ; only in commented-out boxes
ordinalbaseaddr db "ordinal base address:",0   ; not referenced
eat db "export address table rva:",0           ; caption; the value shown is the table's FILE OFFSET, not its RVA
np db "name pointer rva:",0                    ; only in commented-out boxes
ot db "ordinal table rva:",0                   ; caption; the value shown is the table's FILE OFFSET, not its RVA
ate db "address table entries",0               ; only in commented-out boxes
nnp db "number of name pointers",0             ; only in commented-out boxes
apiname db "api name is:",0                    ; also used as the caption of the ordinal boxes
apiaddr db "api address is:",0                 ; caption; the value shown is a file offset (see showapiaddr)

.data?
ofn OPENFILENAME <>
buffer db 256 DUP (?)      ; receives the selected path, then reused as the wsprintf scratch buffer; ofn.nMaxFile must never exceed SIZEOF buffer
mz dd ?                    ; base of the read-only file view (IMAGE_DOS_HEADER)
pe dd ?                    ; mz + e_lfanew: address of the "PE\0\0" signature
OptionalHeader dd ?        ; pe + 24 (optional header follows the 20-byte file header)
header dd ?                ; OptionalHeader + SizeOfOptionalHeader: first IMAGE_SECTION_HEADER
magic word ?               ; unused
sizeOfOptionalHeader dd ?  ; IMAGE_FILE_HEADER.SizeOfOptionalHeader
sections dd ?              ; IMAGE_FILE_HEADER.NumberOfSections
v dd ?                     ; spare dword
nnps dd ?                  ; IMAGE_EXPORT_DIRECTORY.NumberOfNames
e dd ?                     ; pointer (in the view) to the IMAGE_EXPORT_DIRECTORY

.code

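;-----------------------------------------------------------------------
; rvatooffset: translate an RVA into a raw file offset by walking the
; section table.
; Calling convention: stdcall (.model flat,stdcall).
; In:  sectionsn = NumberOfSections from the file header
;      head      = pointer to the first IMAGE_SECTION_HEADER (40 bytes each)
;      rva       = RVA to translate
; Out: eax = PointerToRawData + (rva - VirtualAddress) of the section whose
;            file-backed range [VirtualAddress, VirtualAddress+SizeOfRawData)
;            contains rva; 0 if no section matches. The original returned
;            whatever was left in eax on a miss, so callers could not detect
;            failure; they should now treat 0 as "not found".
;            RVAs in the headers (before the first section) and in a
;            section's virtual-only tail (VirtualSize > SizeOfRawData) are
;            reported as not found.
; Clobbers: flags. esi/edi/ecx are saved and restored.
; Note: the headers come straight from an untrusted file; this routine only
; reads the `sectionsn` headers it is told about and does not verify that
; they lie inside the mapped view.
;-----------------------------------------------------------------------
rvatooffset proc uses esi edi ecx sectionsn:DWORD,head:DWORD,rva:DWORD
    mov     edi,rva
    mov     esi,head
    mov     ecx,sectionsn

rto_next:
    test    ecx,ecx
    jz      rto_notfound                ; every section examined
    mov     eax,[esi+12]                ; IMAGE_SECTION_HEADER.VirtualAddress
    cmp     edi,eax
    jb      rto_skip                    ; rva is below this section (unsigned compare)
    add     eax,[esi+16]                ; VirtualAddress + SizeOfRawData
    cmp     edi,eax
    jnb     rto_skip                    ; rva is past the file-backed part
    sub     edi,[esi+12]                ; edi = rva - VirtualAddress
    mov     eax,[esi+20]                ; PointerToRawData
    add     eax,edi                     ; eax = file offset
    jmp     rto_done

rto_skip:
    add     esi,40                      ; sizeof IMAGE_SECTION_HEADER
    dec     ecx
    jmp     rto_next

rto_notfound:
    xor     eax,eax                     ; 0 = no section contains rva

rto_done:
    ret
rvatooffset endp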

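;-----------------------------------------------------------------------
; Entry point: let the user pick a DLL, map it read-only, locate the export
; directory and show, one MessageBox per value: the file offset of the
; export address table, rvatooffset() of each of its entries, the file
; offset of the ordinal table and each ordinal in it.
; Every failure jumps to `exit`, which shows "error,will over!" and exits.
; Only PE32 is handled: the data-directory offset below is wrong for PE32+.
;
; NOTE(review): the "api address is:" loop prints rvatooffset() of each
; export-address-table entry, i.e. a FILE OFFSET, not the RVA that other PE
; viewers list. For a typical .text section (VirtualAddress 1000h,
; PointerToRawData 400h) the two differ by exactly 0C00h, which is most
; likely the "0c00h too small" discrepancy the post asks about; print the
; entry itself (before the call) if the RVA is wanted.
;
; Fixes over the original: every Win32 call is checked (it previously
; dereferenced a NULL view after a cancelled dialog), nMaxFile matched to
; the real buffer size, MZ/PE signature checks, NumberOfSections and
; SizeOfOptionalHeader zero-extended, the export address table sized by
; NumberOfFunctions (+20) instead of NumberOfNames (+24), a zero count no
; longer loops 2^32 times, and the loop counter is preserved across
; wsprintf/MessageBox, which are free to clobber ecx.
; Register roles: edi = IMAGE_EXPORT_DIRECTORY in the view,
; ebx = current table entry; both survive the Win32 calls (callee-saved).
; The DLL-name / ordinal-base / name-table boxes that the original kept
; commented out are not reproduced; names can be listed by walking
; AddressOfNames (+32) exactly like the address table below.
;-----------------------------------------------------------------------
start:
    mov     ofn.lStructSize,SIZEOF ofn
    mov     ofn.lpstrFilter, OFFSET FilterString
    mov     ofn.lpstrFile, OFFSET buffer
    ; nMaxFile must match the buffer: the original passed 512 for a 256-byte
    ; buffer, so a long path would overflow `buffer` into `mz`/`pe`.
    mov     ofn.nMaxFile,SIZEOF buffer
    mov     ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY
    invoke  GetOpenFileName, ADDR ofn
    test    eax,eax
    jz      exit                            ; dialog cancelled or failed

    invoke  CreateFile, addr buffer, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
    cmp     eax,INVALID_HANDLE_VALUE
    je      exit
    invoke  CreateFileMapping,eax, NULL, PAGE_READONLY,0,0,0
    test    eax,eax
    jz      exit
    invoke  MapViewOfFile,eax,FILE_MAP_READ,0,0,0
    test    eax,eax
    jz      exit
    mov     mz,eax                          ; base of the read-only view

    ; Sanity-check the headers before trusting offsets taken from the file.
    ; The view is read-only, so a hostile file cannot corrupt memory, but an
    ; out-of-view read still faults (there is no SEH here). e_lfanew is not
    ; bounded against the file size, so a truncated file can still fault.
    cmp     word ptr [eax],5A4Dh            ; IMAGE_DOS_SIGNATURE "MZ"
    jne     exit
    mov     esi,[eax+3ch]                   ; IMAGE_DOS_HEADER.e_lfanew
    add     esi,eax
    mov     pe,esi
    cmp     dword ptr [esi],4550h           ; IMAGE_NT_SIGNATURE "PE\0\0"
    jne     exit

    ; movzx: both fields are unsigned words (the original sign-extended them).
    movzx   edx,word ptr [esi+6]            ; IMAGE_FILE_HEADER.NumberOfSections
    mov     sections,edx
    movzx   edx,word ptr [esi+20]           ; IMAGE_FILE_HEADER.SizeOfOptionalHeader
    mov     sizeOfOptionalHeader,edx
    add     esi,24                          ; optional header follows the 20-byte file header
    mov     OptionalHeader,esi
    add     esi,edx
    mov     header,esi                      ; first IMAGE_SECTION_HEADER

    ; DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT] is at optional-header offset 96 (PE32).
    mov     esi,OptionalHeader
    mov     esi,[esi+96]                    ; export directory RVA
    test    esi,esi
    jz      exit                            ; file exports nothing
    invoke  rvatooffset,sections,header,esi
    test    eax,eax
    jz      exit                            ; RVA not backed by any section
    add     eax,mz
    mov     e,eax                           ; e = IMAGE_EXPORT_DIRECTORY in the view
    mov     edi,eax

    ; IMAGE_EXPORT_DIRECTORY fields used below:
    ;   +12 Name (RVA)   +16 Base   +20 NumberOfFunctions   +24 NumberOfNames
    ;   +28 AddressOfFunctions   +32 AddressOfNames   +36 AddressOfNameOrdinals
    mov     eax,[edi+20]
    mov     v,eax                           ; v = NumberOfFunctions: size of AddressOfFunctions
    mov     eax,[edi+24]
    mov     nnps,eax                        ; nnps = NumberOfNames: size of AddressOfNames / AddressOfNameOrdinals

    ; --- export address table: one dword RVA per function, NumberOfFunctions entries ---
    mov     eax,[edi+28]                    ; AddressOfFunctions (RVA)
    invoke  rvatooffset,sections,header,eax
    test    eax,eax
    jz      exit
    mov     ebx,eax
    add     ebx,mz                          ; ebx = &AddressOfFunctions[0]
    ; `buffer` is free again: the path was consumed by CreateFile above.
    invoke  wsprintf,addr buffer,addr h,eax
    invoke  MessageBox,0,addr buffer,addr eat,0
    mov     ecx,v
    test    ecx,ecx
    jz      funcs_done                      ; empty table (the original underflowed ecx here)
next_func:
    push    ecx                             ; ecx is caller-saved: wsprintf/MessageBox may clobber it
    mov     eax,[ebx]                       ; function RVA (0 for an unused ordinal slot)
    invoke  rvatooffset,sections,header,eax ; -> FILE OFFSET; print eax before this call for the RVA
    invoke  wsprintf,addr buffer,addr h,eax
    invoke  MessageBox,0,addr buffer,addr apiaddr,0
    pop     ecx
    add     ebx,4
    dec     ecx
    jnz     next_func
funcs_done:

    ; --- ordinal table: one word per name, NumberOfNames entries ---
    mov     eax,[edi+36]                    ; AddressOfNameOrdinals (RVA)
    invoke  rvatooffset,sections,header,eax
    test    eax,eax
    jz      exit
    mov     ebx,eax
    add     ebx,mz                          ; ebx = &AddressOfNameOrdinals[0]
    invoke  wsprintf,addr buffer,addr h,eax
    invoke  MessageBox,0,addr buffer,addr ot,0
    mov     ecx,nnps
    test    ecx,ecx
    jz      ords_done
next_ord:
    push    ecx
    movzx   eax,word ptr [ebx]              ; unbiased ordinal = index into AddressOfFunctions; add Base (+16) for the exported ordinal
    invoke  wsprintf,addr buffer,addr h,eax
    invoke  MessageBox,0,addr buffer,addr apiname,0    ; caption kept as in the original; the value is an ordinal
    pop     ecx
    add     ebx,2
    dec     ecx
    jnz     next_ord
ords_done:
    invoke  ExitProcess,NULL

exit:
    invoke  MessageBox,0,addr wrong,addr correy,0
    invoke  ExitProcess,NULL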
end start
