【求助】如何在vc里面调用从程序中抠出来的汇编函数??
背景:
跟踪一个软件的解密代码,想将其解密部分抠出来,然后在vc里面嵌入抠出来的这些代码...
不然用c来模拟里面的逻辑运算非搞得崩溃不可...所有调用到的函数至少1000多行...
问题:
1. 这个函数的临时变量空间怎么这么大(var_10748)...从头到尾也没找到开辟这么大的栈空间的代码..(我往回找也没找到)
2. 在.text:004762B0处的 call 用了一个 lea ecx, [esp+10770h+var_10730] 做参数...
我是否要模拟出这个入口函数的堆栈空间才能调用 text:004762B0 处的call呢...
3. 由于水平太菜,也不知道描述的各位高手是否看得懂,如有高手愿意指点指点,是否能加Q 664726838~~~ 那是非常感谢了..
下面是ida静态反汇编的代码:(是解密部分的入口函数)
注意:这些解密的函数的栈区寻址只用esp,没有用ebp寻址...论坛的一个高手说这种现象是 FPO, 是编译器优化的结果
.text:004760A3 and esp, 0FFFFFFF8h ;这句不改变esp的值
.text:004760D3 mov [esp+10758h+var_14], eax ; 像这样的语句,临时变量还要往回找吗
text:004760A0 ; =============== S U B R O U T I N E =======================================
.text:004760A0
.text:004760A0 ; Attributes: bp-based frame
.text:004760A0
.text:004760A0 sub_4760A0 proc near ; CODE XREF: sub_4763D0+28p
.text:004760A0 ; sub_476980+6Cp ...
.text:004760A0
.text:004760A0 ; Review notes on the frame and ABI (everything below is read off this listing):
.text:004760A0 ;
.text:004760A0 ;   Calling convention: cdecl (arguments at [ebp+8..], plain 'retn', caller pops).
.text:004760A0 ;   Argument roles are inferred from how each one is used here:
.text:004760A0 ;     arg_0  -> context struct: +0 socket (ebx, the 's' of sub_477060/shutdown),
.text:004760A0 ;               +4 handle given to WaitForSingleObject, +30h selects the checked path,
.text:004760A0 ;               +44h one-byte counter (folded into the check, incremented on success)
.text:004760A0 ;     arg_4, arg_8, arg_C  forwarded to sub_477060 (edi and the var_1073C block)
.text:004760A0 ;     arg_10 -> out dword: 1 on the close/error paths, 0 on success
.text:004760A0 ;     arg_14 -> out word: first word of the delivered frame
.text:004760A0 ;     arg_18 -> out buffer receiving the payload (its size is NOT bounded here)
.text:004760A0 ;     arg_1C -> out dword: payload length
.text:004760A0 ;   Return value (eax = var_10748): 0, 2, 5 or 6 - see the loc_* comments.
.text:004760A0 ;
.text:004760A0 ;   Why locals are esp-relative: 'and esp, 0FFFFFFF8h' makes the ebp->esp distance
.text:004760A0 ;   unknown at compile time, so locals are addressed as [esp+10758h+var_X]
.text:004760A0 ;   (10758h = 4 pushes + 1073Ch probe + 3 pushes) while arguments stay ebp-relative.
.text:004760A0 ;   Where the 1073Ch bytes come from: 'mov eax, 1073Ch / call __alloca_probe'.
.text:004760A0 ;   The CRT probe touches each page and then subtracts eax from esp, so no
.text:004760A0 ;   'sub esp, imm' appears anywhere in the function.
.text:004760A0 ;
.text:004760A0 ;   Local layout (offsets from the aligned frame base):
.text:004760A0 ;     var_4 / -8 / var_C    MSVC SEH record: trylevel, handler SEH_4760A0, previous fs:[0]
.text:004760A0 ;     var_14                copy of dword_4920CC, passed in ecx to sub_40F332 at exit
.text:004760A0 ;                           (looks like the MSVC /GS cookie check - confirm)
.text:004760A0 ;     buf                   0x10000-byte receive buffer, zeroed on entry;
.text:004760A0 ;                           var_10016 = buf+2 (check word), var_10014 = buf+4 (low 16 bits used)
.text:004760A0 ;     var_10730             object whose address goes in ecx to sub_477160 / sub_477950 /
.text:004760A0 ;                           sub_477170 (consistent with a C++ this-pointer - confirm)
.text:004760A0 ;     var_1073C..var_10734  3-dword block {arg_8, arg_C, ctx->+4} passed by address to sub_477060
.text:004760A0 ;     var_10740             &ctx->+44h
.text:004760A0 ;     var_10744             ctx->+30h, later overwritten with the buf+4 dword (at 476249)
.text:004760A0 ;     var_10748             return value
.text:004760A0
.text:004760A0 var_10748 = dword ptr -10748h
.text:004760A0 var_10744 = dword ptr -10744h
.text:004760A0 var_10740 = dword ptr -10740h
.text:004760A0 var_1073C = dword ptr -1073Ch
.text:004760A0 var_10738 = dword ptr -10738h
.text:004760A0 var_10734 = dword ptr -10734h
.text:004760A0 var_10730 = byte ptr -10730h
.text:004760A0 buf = byte ptr -10018h
.text:004760A0 var_10016 = byte ptr -10016h
.text:004760A0 var_10014 = dword ptr -10014h
.text:004760A0 var_14 = dword ptr -14h
.text:004760A0 var_C = dword ptr -0Ch
.text:004760A0 var_4 = dword ptr -4
.text:004760A0 arg_0 = dword ptr 8
.text:004760A0 arg_4 = dword ptr 0Ch
.text:004760A0 arg_8 = dword ptr 10h
.text:004760A0 arg_C = dword ptr 14h
.text:004760A0 arg_10 = dword ptr 18h
.text:004760A0 arg_14 = dword ptr 1Ch
.text:004760A0 arg_18 = dword ptr 20h
.text:004760A0 arg_1C = dword ptr 24h
.text:004760A0
.text:004760A0 push ebp ; ebp frame, used for the arguments only
.text:004760A1 mov ebp, esp
.text:004760A3 and esp, 0FFFFFFF8h ; round esp down to an 8-byte boundary (does change esp unless already aligned)
.text:004760A6 push 0FFFFFFFFh ; SEH trylevel = -1 (no scope active) -> var_4
.text:004760A8 push offset SEH_4760A0 ; handler for this frame -> base-8
.text:004760AD mov eax, large fs:0 ; previous SEH record
.text:004760B3 push eax ; -> var_C (restored at 4763AC)
.text:004760B4 mov large fs:0, esp ; link this frame into the SEH chain
.text:004760BB push ecx ; one spare dword slot
.text:004760BC mov eax, 1073Ch ; size of the local area
.text:004760C1 call __alloca_probe ; esp -= eax, probing one page at a time (this is the "missing" sub esp)
.text:004760C6 mov eax, dword_4920CC ; global that sub_40F332 re-checks at exit (cookie?)
.text:004760CB mov edx, [ebp+arg_0] ; edx = ctx
.text:004760CE push ebx ; save callee-saved registers
.text:004760CF mov ebx, [edx] ; ebx = ctx->+0 = socket
.text:004760D1 push esi
.text:004760D2 push edi ; esp = base-10758h from here on
.text:004760D3 mov [esp+10758h+var_14], eax ; stash dword_4920CC
.text:004760DA xor eax, eax
.text:004760DC mov [esp+10758h+buf], 0 ; buf[0] = 0
.text:004760E4 mov ecx, 3FFFh
.text:004760E9 lea edi, [esp+10758h+buf+1]
.text:004760F0 rep stosd ; zero 3FFFh dwords from buf+1 ...
.text:004760F2 mov ecx, [edx+30h] ; ctx->+30h (path selector, see loc_476216)
.text:004760F5 stosw ; ... plus 2 bytes ...
.text:004760F7 stosb ; ... plus 1: all 10000h bytes of buf are now zero
.text:004760F8 mov edi, [ebp+arg_4] ; edi = arg_4 (last argument of both sub_477060 calls)
.text:004760FB lea eax, [edx+44h]
.text:004760FE mov [esp+10758h+var_10740], eax ; var_10740 = &ctx->+44h
.text:00476102 xor eax, eax
.text:00476104 mov [esp+10758h+var_10744], ecx ; var_10744 = ctx->+30h
.text:00476108 mov ecx, [ebp+arg_8]
.text:0047610B mov [esp+10758h+var_1073C], eax ; block[0] = 0 (overwritten with arg_8 just below)
.text:0047610F push edi ; int ; arg 7 = arg_4 (the frame base in the next lines is 1075Ch because of this push)
.text:00476110 mov [esp+1075Ch+var_1073C], ecx ; block[0] = arg_8
.text:00476114 mov ecx, [edx+4] ; ctx->+4
.text:00476117 mov [esp+1075Ch+var_10738], eax ; block[1] = 0
.text:0047611B lea edx, [esp+1075Ch+var_1073C] ; edx = &block
.text:0047611F push edx ; int ; arg 6 = &block
.text:00476120 push offset loc_475A50 ; int ; arg 5 = a code address (callback? - confirm in sub_477060)
.text:00476125 mov [esp+10764h+var_10734], eax ; block[2] = 0
.text:00476129 mov eax, [ebp+arg_C]
.text:0047612C xor esi, esi ; esi = bytes received so far
.text:0047612E push esi ; flags ; arg 4 = 0
.text:0047612F mov [esp+10768h+var_10738], eax ; block[1] = arg_C
.text:00476133 push 2 ; len ; arg 3: the first read asks for the 2-byte length prefix
.text:00476135 lea eax, [esp+1076Ch+buf]
.text:0047613C push eax ; buf ; arg 2 = buf
.text:0047613D push ebx ; s ; arg 1 = socket
.text:0047613E mov [esp+10774h+var_10734], ecx ; block[2] = ctx->+4
.text:00476142 call sub_477060 ; recv-style wrapper (IDA's s/buf/len/flags names); eax = byte count, 0 or -1 - confirm
.text:00476147 test eax, eax
.text:00476149 jz short loc_47619D ; 0 -> peer closed
.text:0047614B jmp short loc_476150
.text:0047614B ; ---------------------------------------------------------------------------
.text:0047614D align 10h
.text:00476150
.text:00476150 loc_476150: ; CODE XREF: sub_4760A0+ABj
.text:00476150 ; sub_4760A0+FBj
.text:00476150 ; receive loop: eax = bytes from the last call, esi = total received so far
.text:00476150 cmp eax, 0FFFFFFFFh
.text:00476153 jz short loc_4761C0 ; -1 -> socket error
.text:00476155 add esi, eax
.text:00476157 cmp esi, 2 ; signed compares here and below; values stay below 10000h
.text:0047615A jge short loc_476161 ; length prefix complete
.text:0047615C cmp eax, 2
.text:0047615F jl short loc_476176 ; not yet: ask for the rest of the prefix
.text:00476161
.text:00476161 loc_476161: ; CODE XREF: sub_4760A0+BAj
.text:00476161 movzx eax, word ptr [esp+10758h+buf] ; eax = frame length from the 2-byte prefix
.text:00476169 cmp eax, esi
.text:0047616B jle loc_476216 ; whole frame is in buf
.text:00476171 cmp esi, 2
.text:00476174 jge short loc_47617B
.text:00476176
.text:00476176 loc_476176: ; CODE XREF: sub_4760A0+BFj
.text:00476176 mov eax, 2 ; target = the 2 prefix bytes
.text:0047617B
.text:0047617B loc_47617B: ; CODE XREF: sub_4760A0+D4j
.text:0047617B ; read the remaining eax-esi bytes into buf+esi (same 7 arguments as the first call)
.text:0047617B push edi ; int
.text:0047617C lea ecx, [esp+1075Ch+var_1073C]
.text:00476180 push ecx ; int
.text:00476181 push offset loc_475A50 ; int
.text:00476186 push 0 ; flags
.text:00476188 sub eax, esi ; len = target - received
.text:0047618A push eax ; len
.text:0047618B lea edx, [esp+esi+1076Ch+buf] ; buf + esi
.text:00476192 push edx ; buf
.text:00476193 push ebx ; s
.text:00476194 call sub_477060
.text:00476199 test eax, eax
.text:0047619B jnz short loc_476150 ; nonzero -> loop; fall through on 0 = peer closed
.text:0047619D
.text:0047619D loc_47619D: ; CODE XREF: sub_4760A0+A9j
.text:0047619D ; peer closed: shutdown(s, SD_SEND), *arg_10 = 1, return 0
.text:0047619D test ebx, ebx
.text:0047619F jz short loc_4761AA
.text:004761A1 push 1 ; how ; SD_SEND
.text:004761A3 push ebx ; s
.text:004761A4 call ds:shutdown
.text:004761AA
.text:004761AA loc_4761AA: ; CODE XREF: sub_4760A0+FFj
.text:004761AA mov eax, [ebp+arg_10]
.text:004761AD mov dword ptr [eax], 1 ; *arg_10 = 1
.text:004761B3 mov [esp+10758h+var_10748], 0 ; return 0
.text:004761BB jmp loc_4763A1
.text:004761C0 ; ---------------------------------------------------------------------------
.text:004761C0
.text:004761C0 loc_4761C0: ; CODE XREF: sub_4760A0+B3j
.text:004761C0 ; sub_477060 returned -1: classify the error code
.text:004761C0 call ds:WSAGetLastError
.text:004761C6 sub eax, 10001h ; 10001h/10002h are not standard WSA codes - presumably set by sub_477060, confirm
.text:004761CB jz short loc_4761DD ; 10001h -> poll ctx->+4
.text:004761CD dec eax
.text:004761CE jnz short loc_476200 ; anything else -> generic failure
.text:004761D0 mov [esp+10758h+var_10748], 6 ; 10002h -> return 6 (arg_10 left untouched)
.text:004761D8 jmp loc_4763A1
.text:004761DD ; ---------------------------------------------------------------------------
.text:004761DD
.text:004761DD loc_4761DD: ; CODE XREF: sub_4760A0+12Bj
.text:004761DD mov ecx, [ebp+arg_0]
.text:004761E0 mov edx, [ecx+4]
.text:004761E3 push 0 ; dwMilliseconds ; non-blocking poll
.text:004761E5 push edx ; hHandle ; ctx->+4
.text:004761E6 call ds:WaitForSingleObject
.text:004761EC cmp eax, 102h ; WAIT_TIMEOUT = handle not signalled
.text:004761F1 jnz short loc_476200
.text:004761F3 mov [esp+10758h+var_10748], 5 ; return 5 (arg_10 left untouched)
.text:004761FB jmp loc_4763A1
.text:00476200 ; ---------------------------------------------------------------------------
.text:00476200
.text:00476200 loc_476200: ; CODE XREF: sub_4760A0+12Ej
.text:00476200 ; sub_4760A0+151j
.text:00476200 ; generic failure: *arg_10 = 1, return 2
.text:00476200 mov eax, [ebp+arg_10]
.text:00476203 mov dword ptr [eax], 1
.text:00476209 mov [esp+10758h+var_10748], 2
.text:00476211 jmp loc_4763A1
.text:00476216 ; ---------------------------------------------------------------------------
.text:00476216
.text:00476216 loc_476216: ; CODE XREF: sub_4760A0+CBj
.text:00476216 ; a complete frame is in buf; eax = frame length (from the prefix)
.text:00476216 mov ecx, [esp+10758h+var_10744] ; ctx->+30h
.text:0047621A test ecx, ecx
.text:0047621C mov [esp+10758h+var_10748], 0 ; default return value 0
.text:00476224 jz loc_476330 ; zero -> plain path
.text:0047622A cmp eax, 7
.text:0047622D jb loc_476310 ; checked frames need at least 7 bytes (unsigned compare)
.text:00476233 mov edx, [esp+10758h+var_10014] ; dword at buf+4 (only its low 16 bits are ever used)
.text:0047623A lea edi, [eax-6] ; edi = length - 6
.text:0047623D movzx esi, di ; esi = (uint16)(length - 6)
.text:00476240 mov eax, esi ; eax = that length ...
.text:00476242 lea ecx, [esp+10758h+var_10014+2] ; ... ecx = buf+6 (register arguments of sub_4759F0)
.text:00476249 mov [esp+10758h+var_10744], edx ; var_10744 now = buf+4 dword (reloaded at 47630A)
.text:0047624D call sub_4759F0 ; eax = f(buf+6, length-6); looks like a checksum over the body - confirm
.text:00476252 mov ecx, [esp+10758h+var_10740]
.text:00476256 movzx dx, byte ptr [ecx] ; dx = ctx->+44h counter byte; the upper edx bits keep the buf+4 value, but only ax is compared below
.text:0047625A mov ecx, [esp+10758h+var_10014]
.text:00476261 add edx, ecx ; + buf+4 dword
.text:00476263 add eax, edx
.text:00476265 cmp word ptr [esp+10758h+var_10016], ax ; 16-bit check: word at buf+2 == sub_4759F0() + counter + word at buf+4
.text:0047626D jnz loc_476310 ; mismatch -> reject the frame
.text:00476273 cmp cx, di
.text:00476276 ja loc_476310 ; word at buf+4 may not exceed length-6 (keeps the copy at loc_476382 inside the frame)
.text:0047627C lea ecx, [esp+10758h+var_10730] ; ecx = &var_10730
.text:00476280 lea edi, [esp+10758h+buf] ; edi = buf
.text:00476287 call sub_477160 ; sub_477160(ecx=&var_10730, edi=buf): looks like a constructor - confirm
.text:0047628C mov eax, [esp+10758h+var_10740]
.text:00476290 push 1 ; arg_14
.text:00476292 push 10h ; arg_10
.text:00476294 push eax ; arg_c ; &ctx->+44h
.text:00476295 push esi ; arg_8 ; length - 6
.text:00476296 lea ecx, [esp+10768h+var_10014+2]
.text:0047629D push ecx ; arg_4 ; buf+6
.text:0047629E mov edx, edi
.text:004762A0 push edx ; arg_0 ; buf
.text:004762A1 lea ecx, [esp+10770h+var_10730] ; author's note: this ecx becomes the ebp of the call below and of its sub-calls
.text:004762A1 ; (review) it is the same &var_10730 handed to sub_477160/sub_477170, i.e. consistent with a
.text:004762A1 ; this-pointer; whether the callee copies it into ebp has to be checked inside sub_477950
.text:004762A5 mov [esp+10770h+var_4], 0 ; SEH trylevel 0: var_10730 is live and must be unwound
.text:004762B0 call sub_477950 ; author's note: the key decryption call - it yields the plaintext
.text:004762B5 test al, al
.text:004762B7 jnz short loc_4762F0 ; nonzero = success
.text:004762B9 test ebx, ebx ; failure: shutdown(s, SD_SEND) if there is a socket
.text:004762BB jz short loc_4762C6
.text:004762BD push 1 ; how
.text:004762BF push ebx ; s
.text:004762C0 call ds:shutdown
.text:004762C6
.text:004762C6 loc_4762C6: ; CODE XREF: sub_4760A0+21Bj
.text:004762C6 ; sub_477950 failed: *arg_10 = 1, return 2, tear down var_10730
.text:004762C6 mov eax, [ebp+arg_10]
.text:004762C9 lea ecx, [esp+10758h+var_10730]
.text:004762CD mov dword ptr [eax], 1
.text:004762D3 mov [esp+10758h+var_10748], 2
.text:004762DB mov [esp+10758h+var_4], 0FFFFFFFFh ; trylevel back to -1 before the teardown call
.text:004762E6 call sub_477170 ; sub_477170(ecx=&var_10730): looks like the destructor - confirm
.text:004762EB jmp loc_4763A1
.text:004762F0 ; ---------------------------------------------------------------------------
.text:004762F0
.text:004762F0 loc_4762F0: ; CODE XREF: sub_4760A0+217j
.text:004762F0 ; sub_477950 succeeded
.text:004762F0 mov eax, [esp+10758h+var_10740]
.text:004762F4 inc byte ptr [eax] ; ctx->+44h++ (the counter folded into the check at 476265)
.text:004762F6 lea ecx, [esp+10758h+var_10730]
.text:004762FA mov [esp+10758h+var_4], 0FFFFFFFFh ; trylevel back to -1
.text:00476305 call sub_477170 ; same teardown call as at 4762E6
.text:0047630A mov eax, [esp+10758h+var_10744] ; eax = buf+4 dword saved at 476249; edi is expected to still be buf (callee-saved)
.text:0047630E jmp short loc_47635F
.text:00476310 ; ---------------------------------------------------------------------------
.text:00476310
.text:00476310 loc_476310: ; CODE XREF: sub_4760A0+18Dj
.text:00476310 ; sub_4760A0+1CDj ...
.text:00476310 ; malformed checked frame: shutdown(s, SD_SEND), *arg_10 = 1, return 2
.text:00476310 test ebx, ebx
.text:00476312 jz short loc_47631D
.text:00476314 push 1 ; how
.text:00476316 push ebx ; s
.text:00476317 call ds:shutdown
.text:0047631D
.text:0047631D loc_47631D: ; CODE XREF: sub_4760A0+272j
.text:0047631D mov ecx, [ebp+arg_10]
.text:00476320 mov dword ptr [ecx], 1
.text:00476326 mov [esp+10758h+var_10748], 2
.text:0047632E jmp short loc_4763A1
.text:00476330 ; ---------------------------------------------------------------------------
.text:00476330
.text:00476330 loc_476330: ; CODE XREF: sub_4760A0+184j
.text:00476330 ; plain path: the frame must be at least 3 bytes long
.text:00476330 cmp eax, 3
.text:00476333 jnb short loc_476355 ; unsigned compare
.text:00476335 test ebx, ebx
.text:00476337 jz short loc_476342
.text:00476339 push 1 ; how
.text:0047633B push ebx ; s
.text:0047633C call ds:shutdown
.text:00476342
.text:00476342 loc_476342: ; CODE XREF: sub_4760A0+297j
.text:00476342 ; too short: *arg_10 = 1, return 2
.text:00476342 mov edx, [ebp+arg_10]
.text:00476345 mov dword ptr [edx], 1
.text:0047634B mov [esp+10758h+var_10748], 2
.text:00476353 jmp short loc_4763A1
.text:00476355 ; ---------------------------------------------------------------------------
.text:00476355
.text:00476355 loc_476355: ; CODE XREF: sub_4760A0+293j
.text:00476355 lea edi, [esp+10758h+var_10016] ; edi = buf+2 (skip the length prefix)
.text:0047635C add eax, 0FFFFFFFEh ; eax = length - 2
.text:0047635F
.text:0047635F loc_47635F: ; CODE XREF: sub_4760A0+26Ej
.text:0047635F ; deliver: edi -> [word][payload], ax = 2 + payload length
.text:0047635F cmp ax, 2 ; flags are consumed by the jnz at 476375 (the movs in between do not alter them)
.text:00476363 mov ecx, [ebp+arg_10]
.text:00476366 mov dx, [edi]
.text:00476369 mov dword ptr [ecx], 0 ; *arg_10 = 0 (success)
.text:0047636F mov ecx, [ebp+arg_14]
.text:00476372 mov [ecx], dx ; *arg_14 = first word of the frame
.text:00476375 jnz short loc_476382 ; ax != 2 -> payload present
.text:00476377 mov edx, [ebp+arg_1C]
.text:0047637A mov dword ptr [edx], 0 ; *arg_1C = 0, nothing to copy
.text:00476380 jmp short loc_4763A1
.text:00476382 ; ---------------------------------------------------------------------------
.text:00476382
.text:00476382 loc_476382: ; CODE XREF: sub_4760A0+2D5j
.text:00476382 movzx eax, ax
.text:00476385 lea ecx, [eax-2] ; ecx = payload length (taken from frame data, up to 0FFFDh)
.text:00476388 mov eax, [ebp+arg_1C]
.text:0047638B mov [eax], ecx ; *arg_1C = payload length
.text:0047638D mov edx, ecx
.text:0047638F lea esi, [edi+2] ; source = payload
.text:00476392 mov edi, [ebp+arg_18] ; destination = caller's buffer; its capacity is not checked here
.text:00476395 shr ecx, 2
.text:00476398 rep movsd ; copy whole dwords ...
.text:0047639A mov ecx, edx
.text:0047639C and ecx, 3
.text:0047639F rep movsb ; ... then the 0-3 tail bytes
.text:004763A1
.text:004763A1 loc_4763A1: ; CODE XREF: sub_4760A0+11Bj
.text:004763A1 ; sub_4760A0+138j ...
.text:004763A1 ; common exit
.text:004763A1 mov ecx, [esp+10758h+var_C] ; previous SEH record
.text:004763A8 mov eax, [esp+10758h+var_10748] ; return value
.text:004763AC mov large fs:0, ecx ; unlink this frame's SEH record
.text:004763B3 mov ecx, [esp+10758h+var_14] ; saved dword_4920CC
.text:004763BA call sub_40F332 ; looks like __security_check_cookie(ecx) - confirm
.text:004763BF pop edi
.text:004763C0 pop esi
.text:004763C1 pop ebx
.text:004763C2 mov esp, ebp ; drops the alignment pad and the alloca area in one step
.text:004763C4 pop ebp
.text:004763C5 retn ; cdecl: the caller removes the 8 arguments
.text:004763C5 sub_4760A0 endp