[Help] What tool produces a disassembly that identifies D7 functions? (with screenshots)
Posted: 2011-8-24 21:32 5777
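Below is code that someone uploaded as part of an analysis; it clearly recognizes D7 functions. Does anyone know whether this comes from an OD plugin,
or from something else? It doesn't look like it was copied out of IDA.. Asking the experts for help.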

004539F0  |.  E8 EF04FBFF          call    00403EE4                        ;  D7.System.@LStrLAsg(void;void;void;void);
004539F5  |.  C745 F8 A077AE1A     mov     [local.2], 1AAE77A0
004539FC  |.  8BC7                 mov     eax, edi
004539FE  |.  E8 4904FBFF          call    00403E4C                        ;  D7.System.@LStrClr(void;void);
00453A03  |.  8B45 F4              mov     eax, [local.3]
00453A06  |.  E8 0107FBFF          call    0040410C                        ;  D7.System.@LStrLen(String):Integer;
00453A0B  |.  8BF0                 mov     esi, eax
00453A0D  |.  D1FE                 sar     esi, 1                          ;  halve the registration code length
00453A0F  |.  79 03                jns     short 00453A14
00453A11  |.  83D6 00              adc     esi, 0
00453A14  |>  85F6                 test    esi, esi
00453A16  |.  7E 4E                jle     short 00453A66
00453A18  |.  BB 01000000          mov     ebx, 1                          ;  ebx = 1
00453A1D  |>  8BC3                 /mov     eax, ebx                       ;  eax = ebx

Latest replies (7)
2
00492D38 > $  55            push    ebp
00492D39   .  8BEC          mov     ebp, esp
00492D3B   .  83C4 F0       add     esp, -10
00492D3E   .  B8 F8294900   mov     eax, 004929F8
00492D43   .  E8 8C3AF7FF   call    004067D4                         ;  	procedure _InitExe(InitTable: Pointer)
00492D48   .  A1 10594900   mov     eax, dword ptr [495910]
00492D4D   .  8B00          mov     eax, dword ptr [eax]
00492D4F   .  E8 4024FDFF   call    00465194                         ;  	[TApplication] procedure Initialize
00492D54   .  A1 10594900   mov     eax, dword ptr [495910]
00492D59   .  8B00          mov     eax, dword ptr [eax]
00492D5B   .  33D2          xor     edx, edx
00492D5D   .  E8 1A20FDFF   call    00464D7C                         ;  	[TApplication][Write property] procedure SetTitle(const Value: string)
00492D62   .  8B0D 345A4900 mov     ecx, dword ptr [495A34]          ;  keygen.00496D14
00492D68   .  A1 10594900   mov     eax, dword ptr [495910]
00492D6D   .  8B00          mov     eax, dword ptr [eax]
00492D6F   .  8B15 F41C4900 mov     edx, dword ptr [491CF4]          ;  keygen.00491D40
00492D75   .  E8 3224FDFF   call    004651AC                         ;  	[TApplication] procedure CreateForm(InstanceClass: TComponentClass; var Reference)
00492D7A   .  A1 10594900   mov     eax, dword ptr [495910]
00492D7F   .  8B00          mov     eax, dword ptr [eax]
00492D81   .  E8 A624FDFF   call    0046522C                         ;  	[TApplication] procedure Run
00492D86   .  E8 D916F7FF   call    00404464
00492D8B   .  90            nop






I took a careful look; I haven't seen the plugin you're describing. Could someone share it?
2011-8-24 21:43
3
I haven't seen it either. I saw the code in a cracking write-up that someone else posted...
2011-8-24 22:18
4
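I'm not sure whether you mean DeDeDark. It can decompile most of the resources of a D7 program, including forms, controls and the various events, and it can show names for many library functions. Here is a piece of disassembled code.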

0044FBA0   55                     push    ebp
0044FBA1   8BEC                   mov     ebp, esp
0044FBA3   81C4D4FEFFFF           add     esp, $FFFFFED4
0044FBA9   53                     push    ebx
0044FBAA   56                     push    esi
0044FBAB   33C9                   xor     ecx, ecx
0044FBAD   898DD4FEFFFF           mov     [ebp+$FFFFFED4], ecx
0044FBB3   8DB5D8FEFFFF           lea     esi, [ebp+$FFFFFED8]
0044FBB9   33D2                   xor     edx, edx
0044FBBB   55                     push    ebp

* Possible String Reference to: '閽;?腠^[嬪]?
|
0044FBBC   687DFC4400             push    $0044FC7D

***** TRY
|
0044FBC1   64FF32                 push    dword ptr fs:[edx]
0044FBC4   648922                 mov     fs:[edx], esp

* Reference to control Timer3 : TTimer
|
0044FBC7   8B8004030000           mov     eax, [eax+$0304]
0044FBCD   33D2                   xor     edx, edx

* Reference to: ExtCtrls.TTimer.SetEnabled(TTimer;Boolean);
|           or: IBDatabase.TIBTimer.SetEnabled(TIBTimer;Boolean);
|           or: Menus.TMenu.SetOwnerDraw(TMenu;Boolean);
|
0044FBCF   E80453FDFF             call    00424ED8
0044FBD4   33D2                   xor     edx, edx
0044FBD6   B802000000             mov     eax, $00000002

* Reference to: TlHelp32.CreateToolhelp32Snapshot(DWORD;DWORD):Windows.THandle;
|           or: TlHelp32.Heap32ListFirst(Windows.THandle;tagHEAPLIST32;tagHEAPLIST32):BOOL;
|           or: TlHelp32.Heap32ListNext(Windows.THandle;tagHEAPLIST32;tagHEAPLIST32):BOOL;
|           or: TlHelp32.Process32First(Windows.THandle;tagPROCESSENTRY32;tagPROCESSENTRY32):BOOL;
|           or: TlHelp32.Process32Next(Windows.THandle;tagPROCESSENTRY32;tagPROCESSENTRY32):BOOL;
|           or: TlHelp32.Process32FirstW(Windows.THandle;tagPROCESSENTRY32W;tagPROCESSENTRY32W):BOOL;
|
0044FBDB   E80CF2FFFF             call    0044EDEC
0044FBE0   8BD8                   mov     ebx, eax
0044FBE2   C70628010000           mov     dword ptr [esi], $00000128
0044FBE8   8BD6                   mov     edx, esi
0044FBEA   8BC3                   mov     eax, ebx

* Reference to: TlHelp32.CreateToolhelp32Snapshot(DWORD;DWORD):Windows.THandle;
|           or: TlHelp32.Heap32ListFirst(Windows.THandle;tagHEAPLIST32;tagHEAPLIST32):BOOL;
|           or: TlHelp32.Heap32ListNext(Windows.THandle;tagHEAPLIST32;tagHEAPLIST32):BOOL;
|           or: TlHelp32.Process32First(Windows.THandle;tagPROCESSENTRY32;tagPROCESSENTRY32):BOOL;
|           or: TlHelp32.Process32Next(Windows.THandle;tagPROCESSENTRY32;tagPROCESSENTRY32):BOOL;
|           or: TlHelp32.Process32FirstW(Windows.THandle;tagPROCESSENTRY32W;tagPROCESSENTRY32W):BOOL;
|
0044FBEC   E81BF2FFFF             call    0044EE0C
0044FBF1   83F801                 cmp     eax, +$01
0044FBF4   1BC0                   sbb     eax, eax
0044FBF6   40                     inc     eax
0044FBF7   EB4C                   jmp     0044FC45
0044FBF9   8D85D4FEFFFF           lea     eax, [ebp+$FFFFFED4]
0044FBFF   8D5624                 lea     edx, [esi+$24]
0044FC02   B904010000             mov     ecx, $00000104

* Reference to: System.@LStrFromArray(String;String;PAnsiChar;Integer);
|           or: System.@WStrFromArray(WideString;WideString;PAnsiChar;Integer);
|
0044FC07   E87444FBFF             call    00404080
0044FC0C   8B85D4FEFFFF           mov     eax, [ebp+$FFFFFED4]

* Possible String Reference to: 'QQ.exe'
|
0044FC12   BA94FC4400             mov     edx, $0044FC94

* Reference to: System.@LStrCmp;
|
0044FC17   E80046FBFF             call    0040421C
0044FC1C   7518                   jnz     0044FC36
0044FC1E   8B4608                 mov     eax, [esi+$08]
0044FC21   50                     push    eax
0044FC22   6A00                   push    $00
0044FC24   68FF0F1F00             push    $001F0FFF

* Reference to: kernel32.OpenProcess()
|
0044FC29   E8F262FBFF             call    00405F20
0044FC2E   6A01                   push    $01
0044FC30   50                     push    eax

* Reference to: kernel32.TerminateProcess()
|
0044FC31   E83A63FBFF             call    00405F70
0044FC36   8BD6                   mov     edx, esi
0044FC38   8BC3                   mov     eax, ebx

* Reference to: TlHelp32.CreateToolhelp32Snapshot(DWORD;DWORD):Windows.THandle;
|           or: TlHelp32.Heap32ListFirst(Windows.THandle;tagHEAPLIST32;tagHEAPLIST32):BOOL;
|           or: TlHelp32.Heap32ListNext(Windows.THandle;tagHEAPLIST32;tagHEAPLIST32):BOOL;
|           or: TlHelp32.Process32First(Windows.THandle;tagPROCESSENTRY32;tagPROCESSENTRY32):BOOL;
|           or: TlHelp32.Process32Next(Windows.THandle;tagPROCESSENTRY32;tagPROCESSENTRY32):BOOL;
|           or: TlHelp32.Process32FirstW(Windows.THandle;tagPROCESSENTRY32W;tagPROCESSENTRY32W):BOOL;
|
0044FC3A   E8EDF1FFFF             call    0044EE2C
0044FC3F   83F801                 cmp     eax, +$01
0044FC42   1BC0                   sbb     eax, eax
0044FC44   40                     inc     eax
0044FC45   84C0                   test    al, al
0044FC47   75B0                   jnz     0044FBF9
0044FC49   6A00                   push    $00
0044FC4B   A164264500             mov     eax, dword ptr [$00452664]
0044FC50   50                     push    eax

* Possible String Reference to: 'U嬱j'
|
0044FC51   B8B4F04400             mov     eax, $0044F0B4
0044FC56   50                     push    eax
0044FC57   6A0D                   push    $0D
0044FC59   FF15282C4500           call    dword ptr [$00452C28]
0044FC5F   A3202C4500             mov     dword ptr [$00452C20], eax
0044FC64   33C0                   xor     eax, eax
0044FC66   5A                     pop     edx
0044FC67   59                     pop     ecx
0044FC68   59                     pop     ecx
0044FC69   648910                 mov     fs:[eax], edx

****** FINALLY
|

* Possible String Reference to: '^[嬪]?
|
0044FC6C   6884FC4400             push    $0044FC84
0044FC71   8D85D4FEFFFF           lea     eax, [ebp+$FFFFFED4]

* Reference to: System.@LStrClr(void;void);
|
0044FC77   E89441FBFF             call    00403E10
0044FC7C   C3                     ret


* Reference to: System.@HandleFinally;
|
0044FC7D   E9923BFBFF             jmp     00403814
0044FC82   EBED                   jmp     0044FC71

****** END
|
0044FC84   5E                     pop     esi
0044FC85   5B                     pop     ebx
0044FC86   8BE5                   mov     esp, ebp
0044FC88   5D                     pop     ebp
0044FC89   C3                     ret

2011-8-24 22:44
5
Generate a MAP file with DeDe and load it in OD, that's all..
2011-8-25 18:01
6
Generate a MAP file with IDA and load it in OD, that's all
2011-8-25 18:11
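
The approach suggested in replies 5 and 6 (export a MAP file, load it in the debugger) amounts to resolving each call target against a symbol table. The following is an added illustration, not code from the thread or from any of the tools mentioned: the MAP text is constructed so that its offsets line up with the call targets in the first post's listing, and the section base 0x00401000 is an assumption.

```python
import re

# Constructed sample in the linker-style "Publics by Value" layout
# (section:offset, then the symbol name). Not taken from a real MAP file.
SAMPLE_MAP = """\
 Start         Length     Name                   Class
 0001:00000000 00052000H  CODE                   CODE

  Address         Publics by Value

 0001:00002E4C       System.@LStrClr
 0001:00002EE4       System.@LStrLAsg
 0001:0000310C       System.@LStrLen
"""

# Assumption: section 1 (CODE) is mapped at 0x00401000. A debugger plugin
# would read the real section address from the loaded module instead.
SECTION_BASES = {1: 0x00401000}

SYMBOL_RE = re.compile(r"^\s*([0-9A-Fa-f]{4}):([0-9A-Fa-f]{8})\s+(\S+)\s*$")
CALL_RE = re.compile(r"\bcall\s+([0-9A-Fa-f]{8})\b")

def parse_map(text, bases):
    """Return {virtual_address: name} from the publics table of a MAP file."""
    symbols, in_publics = {}, False
    for line in text.splitlines():
        in_publics = in_publics or "Publics by Value" in line
        m = SYMBOL_RE.match(line) if in_publics else None
        if m and int(m.group(1), 16) in bases:
            va = bases[int(m.group(1), 16)] + int(m.group(2), 16)
            symbols[va] = m.group(3)
    return symbols

def annotate(listing, symbols):
    """Append ';  name' to every direct call whose target has a symbol."""
    out = []
    for line in listing.splitlines():
        m = CALL_RE.search(line)
        name = symbols.get(int(m.group(1), 16)) if m else None
        out.append(f"{line.rstrip():<60};  {name}" if name else line)
    return out

# Lines from the first post's listing, with the original comments removed.
LISTING = """\
004539F0  |.  E8 EF04FBFF          call    00403EE4
004539F5  |.  C745 F8 A077AE1A     mov     [local.2], 1AAE77A0
004539FE  |.  E8 4904FBFF          call    00403E4C
00453A06  |.  E8 0107FBFF          call    0040410C
"""

print("\n".join(annotate(LISTING, parse_map(SAMPLE_MAP, SECTION_BASES))))
```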
7
gooodddd
2011-8-25 18:39
8
delphi ida sig, search for that, buddy
2011-8-26 04:47