-
-
[求助]逆向office漏洞检测相关软件
-
发表于: 2010-7-28 11:44 4732
-
由于本人没有office文件结构读写经验,对于相关的操作函数不知.有谁知道,请说一下.
我找了一个office漏洞检测软件逆向学习,想请帮我看一下,这几个函数是什么功能.
v10 = (*(int (__stdcall **)(void *, _DWORD, _DWORD, _DWORD, int *))(*(_DWORD *)ppObjectOpen + 44))
v10 = (*(int (__stdcall **)(int, signed int, void **, char *))(*(_DWORD *)v20 + 12))(v20, 1, &v14, &v9);
//这是某个软件中一个检测函数,谁帮我逆一下,说一下流程就可以了.谢了.
signed int __cdecl sub_4044B4(int a1, const WCHAR *pwcsName)
{
int v3; // ST1C_4@17
int v4; // [sp+0h] [bp-88h]@14
int v5; // [sp+4h] [bp-84h]@8
int v6; // [sp+8h] [bp-80h]@6
int v7; // [sp+Ch] [bp-7Ch]@3
int v8; // [sp+10h] [bp-78h]@17
char v9; // [sp+14h] [bp-74h]@9
HRESULT v10; // [sp+18h] [bp-70h]@2
size_t v11; // [sp+1Ch] [bp-6Ch]@15
void *v12; // [sp+20h] [bp-68h]@17
int v13; // [sp+24h] [bp-64h]@1
void *v14; // [sp+28h] [bp-60h]@9
int v15; // [sp+2Ch] [bp-5Ch]@10
size_t v16; // [sp+30h] [bp-58h]@15
unsigned int v17; // [sp+74h] [bp-14h]@1
void *ppObjectOpen; // [sp+78h] [bp-10h]@1
bool v19; // [sp+7Ch] [bp-Ch]@1
int v20; // [sp+80h] [bp-8h]@7
int v21; // [sp+84h] [bp-4h]@1
int v22; // [sp+88h] [bp+0h]@1
v17 = (unsigned int)&v22 ^ dword_415040;
ppObjectOpen = 0;
v13 = 0;
v19 = 0;
v21 = 0;
if ( a1 )
{
v10 = (*(int (__stdcall **)(int, const WCHAR *, _DWORD, signed int, _DWORD, _DWORD, void **))(*(_DWORD *)a1 + 24))(
a1,
pwcsName,
0,
16,
0,
0,
&ppObjectOpen);
if ( v10 < 0 )
{
v6 = (int)L"stgopen";
_CxxThrowException(&v6, &unk_413780);
}
}
else
{
v10 = StgOpenStorageEx(pwcsName, 0x20u, 4u, 0, 0, 0, &riid, &ppObjectOpen);
if ( v10 < 0 )
{
v7 = (int)L"Failed StgOpenStorageEx";
_CxxThrowException(&v7, &unk_413780);
}
}
v10 = (*(int (__stdcall **)(void *, _DWORD, _DWORD, _DWORD, int *))(*(_DWORD *)ppObjectOpen + 44))(
ppObjectOpen,
0,
0,
0,
&v20);
if ( v10 < 0 )
{
v5 = (int)L"enum";
_CxxThrowException(&v5, &unk_413780);
}
while ( 1 )
{
v10 = (*(int (__stdcall **)(int, signed int, void **, char *))(*(_DWORD *)v20 + 12))(v20, 1, &v14, &v9);
if ( v10 )
break;
if ( v15 == 1 )
{
v21 = sub_4044B4((int)ppObjectOpen, (WCHAR *)v14);
}
else
{
v10 = (*(int (__stdcall **)(void *, void *, _DWORD, signed int, _DWORD, int *))(*(_DWORD *)ppObjectOpen + 16))(
ppObjectOpen,
v14,
0,
16,
0,
&v13);
if ( v10 < 0 )
{
sub_4049F5("0x%08x: ", v10);
v4 = (int)L"Failed OpenStream";
_CxxThrowException(&v4, &unk_413780);
}
v11 = v16;
if ( v16 > 0x7FFFFFFF )
return 48;
v12 = (void *)sub_401D49(v11);
(*(void (__thiscall **)(int, int, void *, size_t, int *))(*(_DWORD *)v13 + 12))(v3, v13, v12, v11, &v8);
(*(void (__stdcall **)(int))(*(_DWORD *)v13 + 8))(v13);
if ( !memcmp(v14, L"__SRP_", 0xCu) )
dword_4162D8 = 1;
if ( !wcscmp((const wchar_t *)v14, L"WordDocument") )
v21 = sub_40256C(v12, v8, ppObjectOpen);
if ( !wcscmp((const wchar_t *)v14, L"CONTENTS") )
v21 = sub_401E5D(v12, v8);
if ( !wcscmp((const wchar_t *)v14, L"Contents") )
v21 = sub_401F12(v12, v8);
if ( !wcscmp((const wchar_t *)v14, L"PowerPoint Document") )
v21 = sub_403C42(v12, v8);
if ( !wcscmp((const wchar_t *)v14, L"Workbook") || !wcscmp((const wchar_t *)v14, L"Book") )
v21 = sub_402E4F(v12, v8);
if ( !wcscmp((const wchar_t *)v14, L"PROJECT") )
v21 = sub_40416F((char *)v12, v8);
if ( !wcscmp((const wchar_t *)v14, L"Var2Data") )
{
if ( v19 == 1 )
v21 = sub_4041F2(v12, v8);
}
v19 = !wcscmp((const wchar_t *)v14, L"VarMeta") && !wcscmp(pwcsName, L"CFilter");
if ( !wcscmp((const wchar_t *)v14, L"Ctls") )
v21 = sub_403BC3(v12, v8);
if ( !wcscmp((const wchar_t *)v14, L"VisioDocument") )
v21 = sub_402E04(v12);
if ( !wcscmp((const wchar_t *)v14 + 1, L"DocumentSummaryInformation")
|| !wcscmp((const wchar_t *)v14 + 1, L"SummaryInformation") )
v21 = sub_404364(v12, v8);
free(v12);
}
if ( v21 )
{
if ( ppObjectOpen )
(*(void (__stdcall **)(void *))(*(_DWORD *)ppObjectOpen + 8))(ppObjectOpen);
return v21;
}
}
if ( ppObjectOpen )
(*(void (__stdcall **)(void *))(*(_DWORD *)ppObjectOpen + 8))(ppObjectOpen);
return 0;
}
我找了一个office漏洞检测软件逆向学习,想请帮我看一下,这几个函数是什么功能.
v10 = (*(int (__stdcall **)(void *, _DWORD, _DWORD, _DWORD, int *))(*(_DWORD *)ppObjectOpen + 44))
v10 = (*(int (__stdcall **)(int, signed int, void **, char *))(*(_DWORD *)v20 + 12))(v20, 1, &v14, &v9);
//这是某个软件中一个检测函数,谁帮我逆一下,说一下流程就可以了.谢了.
signed int __cdecl sub_4044B4(int a1, const WCHAR *pwcsName)
{
int v3; // ST1C_4@17
int v4; // [sp+0h] [bp-88h]@14
int v5; // [sp+4h] [bp-84h]@8
int v6; // [sp+8h] [bp-80h]@6
int v7; // [sp+Ch] [bp-7Ch]@3
int v8; // [sp+10h] [bp-78h]@17
char v9; // [sp+14h] [bp-74h]@9
HRESULT v10; // [sp+18h] [bp-70h]@2
size_t v11; // [sp+1Ch] [bp-6Ch]@15
void *v12; // [sp+20h] [bp-68h]@17
int v13; // [sp+24h] [bp-64h]@1
void *v14; // [sp+28h] [bp-60h]@9
int v15; // [sp+2Ch] [bp-5Ch]@10
size_t v16; // [sp+30h] [bp-58h]@15
unsigned int v17; // [sp+74h] [bp-14h]@1
void *ppObjectOpen; // [sp+78h] [bp-10h]@1
bool v19; // [sp+7Ch] [bp-Ch]@1
int v20; // [sp+80h] [bp-8h]@7
int v21; // [sp+84h] [bp-4h]@1
int v22; // [sp+88h] [bp+0h]@1
v17 = (unsigned int)&v22 ^ dword_415040;
ppObjectOpen = 0;
v13 = 0;
v19 = 0;
v21 = 0;
if ( a1 )
{
v10 = (*(int (__stdcall **)(int, const WCHAR *, _DWORD, signed int, _DWORD, _DWORD, void **))(*(_DWORD *)a1 + 24))(
a1,
pwcsName,
0,
16,
0,
0,
&ppObjectOpen);
if ( v10 < 0 )
{
v6 = (int)L"stgopen";
_CxxThrowException(&v6, &unk_413780);
}
}
else
{
v10 = StgOpenStorageEx(pwcsName, 0x20u, 4u, 0, 0, 0, &riid, &ppObjectOpen);
if ( v10 < 0 )
{
v7 = (int)L"Failed StgOpenStorageEx";
_CxxThrowException(&v7, &unk_413780);
}
}
v10 = (*(int (__stdcall **)(void *, _DWORD, _DWORD, _DWORD, int *))(*(_DWORD *)ppObjectOpen + 44))(
ppObjectOpen,
0,
0,
0,
&v20);
if ( v10 < 0 )
{
v5 = (int)L"enum";
_CxxThrowException(&v5, &unk_413780);
}
while ( 1 )
{
v10 = (*(int (__stdcall **)(int, signed int, void **, char *))(*(_DWORD *)v20 + 12))(v20, 1, &v14, &v9);
if ( v10 )
break;
if ( v15 == 1 )
{
v21 = sub_4044B4((int)ppObjectOpen, (WCHAR *)v14);
}
else
{
v10 = (*(int (__stdcall **)(void *, void *, _DWORD, signed int, _DWORD, int *))(*(_DWORD *)ppObjectOpen + 16))(
ppObjectOpen,
v14,
0,
16,
0,
&v13);
if ( v10 < 0 )
{
sub_4049F5("0x%08x: ", v10);
v4 = (int)L"Failed OpenStream";
_CxxThrowException(&v4, &unk_413780);
}
v11 = v16;
if ( v16 > 0x7FFFFFFF )
return 48;
v12 = (void *)sub_401D49(v11);
(*(void (__thiscall **)(int, int, void *, size_t, int *))(*(_DWORD *)v13 + 12))(v3, v13, v12, v11, &v8);
(*(void (__stdcall **)(int))(*(_DWORD *)v13 + 8))(v13);
if ( !memcmp(v14, L"__SRP_", 0xCu) )
dword_4162D8 = 1;
if ( !wcscmp((const wchar_t *)v14, L"WordDocument") )
v21 = sub_40256C(v12, v8, ppObjectOpen);
if ( !wcscmp((const wchar_t *)v14, L"CONTENTS") )
v21 = sub_401E5D(v12, v8);
if ( !wcscmp((const wchar_t *)v14, L"Contents") )
v21 = sub_401F12(v12, v8);
if ( !wcscmp((const wchar_t *)v14, L"PowerPoint Document") )
v21 = sub_403C42(v12, v8);
if ( !wcscmp((const wchar_t *)v14, L"Workbook") || !wcscmp((const wchar_t *)v14, L"Book") )
v21 = sub_402E4F(v12, v8);
if ( !wcscmp((const wchar_t *)v14, L"PROJECT") )
v21 = sub_40416F((char *)v12, v8);
if ( !wcscmp((const wchar_t *)v14, L"Var2Data") )
{
if ( v19 == 1 )
v21 = sub_4041F2(v12, v8);
}
v19 = !wcscmp((const wchar_t *)v14, L"VarMeta") && !wcscmp(pwcsName, L"CFilter");
if ( !wcscmp((const wchar_t *)v14, L"Ctls") )
v21 = sub_403BC3(v12, v8);
if ( !wcscmp((const wchar_t *)v14, L"VisioDocument") )
v21 = sub_402E04(v12);
if ( !wcscmp((const wchar_t *)v14 + 1, L"DocumentSummaryInformation")
|| !wcscmp((const wchar_t *)v14 + 1, L"SummaryInformation") )
v21 = sub_404364(v12, v8);
free(v12);
}
if ( v21 )
{
if ( ppObjectOpen )
(*(void (__stdcall **)(void *))(*(_DWORD *)ppObjectOpen + 8))(ppObjectOpen);
return v21;
}
}
if ( ppObjectOpen )
(*(void (__stdcall **)(void *))(*(_DWORD *)ppObjectOpen + 8))(ppObjectOpen);
return 0;
}
赞赏
他的文章
- [求助]汇编语句 2809
- [求助]驱动内调用ZwAllocateVirtualMemory,分配特定地址 5575
- [求助]急 急。有什么好方法判断进程退出 3569
- 怎样判断电脑正在锁屏? 4778
- [求助]逆向office漏洞检测相关软件 4733
看原图
赞赏
雪币:
留言: