首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 软件逆向
    3. 发新帖
[讨论]初学逆向,大牛有空的话浪费点时间帮忙看看小弟逆的正确否?
发表于: 2011-4-21 02:07 4699

[讨论]初学逆向,大牛有空的话浪费点时间帮忙看看小弟逆的正确否?

linziqingl 活跃值
4
2011-4-21 02:07
4699
我的反汇编程序如下:
* Referenced by a CALL at Address:
|:000115B0   
|
:00010C52    push ebp
:00010C53    mov ebp, esp
:00010C55    push ecx
:00010C56    push ebx
:00010C57    push esi
:00010C58    push edi
:00010C59    push 00010C2E
* Reference To: ntoskrnl.DbgPrint, Ord:002Dh
:00010C5E    Call 00011BC0
:00010C63    mov esi, dword ptr [ebp+08]
:00010C66    mov eax, dword ptr [esi+04]
:00010C69    mov dword ptr [ebp-04], eax
:00010C6C    mov eax, dword ptr [esi+08]
:00010C6F    sub eax, 00000000
:00010C72    pop ecx
:00010C73    je 00010CCF
:00010C75    dec eax
:00010C76    je 00010CA4
:00010C78    dec eax
:00010C79    jne 00010CF9
:00010C7B    push 00000004
:00010C7D    pop ebx
:00010C7E    lea eax, dword ptr [ebp+08]
:00010C81    push eax
:00010C82    lea eax, dword ptr [ebp-04]
:00010C85    push eax
:00010C86    push ebx
:00010C87    push dword ptr [esi]
:00010C89    call 0001091C
:00010C8E    mov edi, eax
:00010C90    test edi, edi
:00010C92    jne 00010D0F
:00010C94    push [esi+0C]
:00010C97    push [ebp-04]
:00010C9A    push [ebp+08]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00010C32(C)
|
:00010C9D    call 00010A2C
:00010CA2    jmp 00010D03
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00010C76(C)
|
:00010CA4    push 00000002
:00010CA6    pop ebx
:00010CA7    lea eax, dword ptr [ebp+08]
:00010CAA    push eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00010C40(C)
|
:00010CAB    lea eax, dword ptr [ebp-04]
:00010CAE    push eax
:00010CAF    push ebx
:00010CB0    push dword ptr [esi]
:00010CB2    call 0001091C
:00010CB7    mov edi, eax
:00010CB9    test edi, edi
:00010CBB    jne 00010D0F
:00010CBD    mov ax, word ptr [esi+0C]
:00010CC1    push eax
:00010CC2    push [ebp-04]
:00010CC5    push [ebp+08]
:00010CC8    call 00010A0A
:00010CCD    jmp 00010D03
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00010C73(C)
|
:00010CCF    lea eax, dword ptr [ebp+08]
:00010CD2    push eax
:00010CD3    lea eax, dword ptr [ebp-04]
:00010CD6    xor ebx, ebx
:00010CD8    push eax
:00010CD9    inc ebx
:00010CDA    push ebx
:00010CDB    push dword ptr [esi]
:00010CDD    call 0001091C
:00010CE2    mov edi, eax
:00010CE4    test edi, edi
:00010CE6    jne 00010D0F
:00010CE8    mov al, byte ptr [esi+0C]
:00010CEB    push eax
:00010CEC    push [ebp-04]
:00010CEF    push [ebp+08]
:00010CF2    call 000109E8
:00010CF7    jmp 00010CFF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00010C79(C)
|
:00010CF9    mov ebx, dword ptr [ebp+08]
:00010CFC    mov edi, dword ptr [ebp+08]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00010CF7(U)
|
:00010CFF    test edi, edi
:00010D01    jne 00010D0F
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00010CA2(U), :00010CCD(U)
|
:00010D03    push ebx
:00010D04    push [ebp-04]
:00010D07    push [ebp+08]
:00010D0A    call 0001097C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00010C92(C), :00010CBB(C), :00010CE6(C), :00010D01(C)
|
:00010D0F    mov eax, edi
:00010D11    pop edi
:00010D12    pop esi
:00010D13    pop ebx
:00010D14    leave
:00010D15    ret 0004

请大虾帮忙看看我逆向的结果是否正确,结果如下:

struct DATA1
{
    int a;//+0
    int b;//+4
    int c;//+8
    int d;//+0xc
};

NTSTATUS __stdcall fun2(
                                        DATA1 * SystemBuffer//ebp+0x8
                                       )
{
   int i=SystemBuffer->b;//ebp-4
   int ret;
   DbgPrint((short*)0x10C2E);
   switch(SystemBuffer->c)
   {
     case 0:{
                      ret=call __stdcall 1091C(SystemBuffer->a,1,&i,&SystemBuffer);
                      if(!ret)
                          call __stdcall 1097C(SystemBuffer,i,1);
                      break;
            }
     case 1:{
                       ret=call __stdcall 1091C(SystemBuffer->a,2,&i,&SystemBuffer);
                       if(!ret)
                       {
                             call __stdcall 10A0A(SystemBuffer,i,SystemBuffer->d&0xFFFF);
                             call __stdcall 1097C(SystemBuffer,i,2);
                       }
                       break;
            }
     case 2:{
                       ret=call __stdcall 1091C(SystemBuffer->a,4,&i,&SystemBuffer);
                       if(!ret)
                      {
                            call __stdcall 10A2C(SystemBuffer,i,SystemBuffer->d);
                            call __stdcall 1097C(SystemBuffer,i,4);
                      }
                      break;
            }
     default:
            {
                     if(NULL==(ret=(int)SystemBuffer))
                           call __stdcall 1097C(SystemBuffer,i,SystemBuffer);
                     bretk;
            }
   }
   return ret;
}

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 0
支持
分享
最新回复 (5)
jerrylhj
雪    币: 349
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2
逆向最好用IDA,代码更具可读性
2011-4-21 09:25
0
mik
雪    币: 723
活跃值: (81)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
私信
3 
void *func_10c52(void *p)
{
        var_ebp04 = p->b;
        void *ret;
        int val;

        DbgPrint(0x00010c2e);
	

        if (p->c == 0) {                // 10ccf
		val = 1;

                if (ret = func_1091c(p->a, 1, &var_ebp04, &p)) {
                        return ret;        // 10d0f
                } else {

                        fun_109e8(p, var_ebp04, (byte)p->d);
                }


        } else if (p->c == 1) {                // 10ca4

		val = 2;

                if (ret = fun_1091c(p->a, 2, &var_ebp04, &p)) {
                        return ret;        // 10d0f
                } else {
                        func_10a0a(p, var_ebp04, (word)p->d);
                }
        

        } else if (p->c == 2) {                // 10c7b

		val = 4;

                if (ret = func_1091c(p->a, 4, &var_ebp04, &p)) {
                        return ret;        // 10d0f
                } else {
                        func_10a2c(p, var_ebp04, p->d);
                }
        } else {
		val = p;

                if (p != NULL) 
                        return p;
        }

10d03:
       func_1097c(p, var_ebp04, val);

10d0f:
        return ret;
        
}

LZ 还是挺强的,我觉得有出入的几个地方吧:

1. 函数应该返回一个指针值,不是 NTSTATUS
2. 当 = 0 时,少了一个 func_1097c()
3. func_1097c() 最后一个参数是传给 func_1091c() 的第三个参数
4. 这个 data 结构最后一个成员是 int  有点不妥,感觉像个 union 结构
2011-4-21 09:51
0
mik
雪    币: 723
活跃值: (81)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
私信
4
不过在 func_10a0a(p, var_ebp04, (word)p->d); 的处理上,

应该是 func_10a0a(p, var_ebp04, p->d & 0xffff)

LZ 这样是正确的
2011-4-21 10:00
0
付崇碧
雪    币: 49
活跃值: (29)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
5
佩服啊!!我太菜了,以至于无法完整的写出与汇编相对应的C代码。
2011-4-21 10:43
0
linziqingl
雪    币: 267
活跃值: (438)
能力值: ( LV9,RANK:190 )
在线值:
发帖
回帖
粉丝
私信
6
真的很感谢mik的指正!下次我一定更正这种错误!
2011-4-26 01:23
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//