
[原创]Reverse练习[高手勿进,菜鸟娱乐]

2011-9-1 18:44
3931
这是用aogo汇编编译器创建的一个最简单的窗口,没事做,拿来学习一下,源代码见附件,先看下反汇编代码:
主函数入口:
.text:00401000 ; Program entry as recovered by IDA: fetch the module handle,
.text:00401000 ; hand it to MakeMain (which only reads that one argument) and exit.
.text:00401000 WinMain         proc near
.text:00401000                 push    0               ; lpModuleName = NULL -> handle of this .exe
.text:00401002                 call    GetModuleHandleA
.text:00401007                 mov     hInstance, eax  ; store the module handle in the global
.text:0040100C                 push    0Ah             ; int (4th slot; 10 = SW_SHOWDEFAULT in the MASM source)
.text:0040100E                 push    0               ; int (3rd slot, unused)
.text:00401010                 push    0               ; int (2nd slot, unused)
.text:00401012                 push    hInstance       ; hInstance
.text:00401018                 call    MakeMain        ; registers the class, creates the window, runs the message loop
.text:0040101D                 push    0               ; uExitCode
.text:0040101F                 call    ExitProcess     ; does not return
.text:0040101F WinMain         endp

上面就是这个入口点了,其中MakeMain是我自己命名的。看似这个函数有4个参数,实际上只用到一个参数,那就是传入的hInstance,继续看MakeMain的代码
01024 ; int __stdcall MakeMain(HINSTANCE hInstance, int, int, int)
.text:00401024 ; Only hInstance is read; the other three stack slots are the
.text:00401024 ; unused WinMain-style arguments pushed by the caller.
.text:00401024 ; Returns Msg.wParam of the WM_QUIT message that ended the loop.
.text:00401024 MakeMain        proc near               ; CODE XREF: WinMain+18p
.text:00401024
.text:00401024 hWnd            = dword ptr -50h
.text:00401024 Msg             = tagMSG ptr -4Ch
.text:00401024 var_30          = WNDCLASSEXA ptr -30h
.text:00401024 hInstance       = dword ptr  8
.text:00401024
.text:00401024                 push    ebp
.text:00401025                 mov     ebp, esp
.text:00401027                 add     esp, 0FFFFFFB0h ; esp -= 0x50: space for the three locals above
.text:0040102A                 mov     [ebp+var_30.cbSize], 30h ; var_30 is the WNDCLASSEXA; this member is the struct size
.text:0040102A                                         ; WndClass.cbSize=sizeof(WNDCLASSEXA);
.text:00401031                 mov     [ebp+var_30.style], 2003h ; class style; 0x2003 is a combination:
.text:00401031                                         ; CS_HREDRAW or CS_VREDRAW or CS_BYTEALIGNWINDOW in the MASM source
.text:00401038                 mov     [ebp+var_30.lpfnWndProc], offset WindowProc ; window procedure that handles this class's messages
.text:0040103F                 mov     [ebp+var_30.cbClsExtra], 0 ; extra class bytes: none
.text:00401046                 mov     [ebp+var_30.cbWndExtra], 0 ; extra bytes per window instance: none
.text:0040104D                 push    [ebp+hInstance] ; module handle; push/pop is a memory-to-memory copy
.text:00401050                 pop     [ebp+var_30.hInstance]
.text:00401053                 mov     [ebp+var_30.hbrBackground], COLOR_BTNSHADOW ; system colour index + 1 (COLOR_BTNFACE+1 in the source), not a real brush handle
.text:0040105A                 mov     [ebp+var_30.lpszMenuName], 0 ; no menu
.text:00401061                 mov     [ebp+var_30.lpszClassName], offset ClassName ; "MASMPlus_Class"
.text:00401068                 push    64h             ; lpIconName = icon resource id 100
.text:0040106A                 push    [ebp+hInstance] ; hInstance
.text:0040106D                 call    LoadIconA
.text:00401072                 mov     [ebp+var_30.hIcon], eax ; icon: the binary loads resource 100 here (NULL if absent); the reversed C below sets it to NULL
.text:00401075                 push    7F00h           ; lpCursorName = 0x7F00 = IDC_ARROW (see the MASM source)
.text:0040107A                 push    0               ; hInstance = NULL -> system cursor
.text:0040107C                 call    LoadCursorA
.text:00401081                 mov     [ebp+var_30.hCursor], eax ; class cursor
.text:00401084                 mov     [ebp+var_30.hIconSm], 0 ; small icon handle for the window: none
.text:0040108B                 lea     eax, [ebp+var_30]
.text:0040108E                 push    eax             ; pointer to the WNDCLASSEXA
.text:0040108F                 call    RegisterClassExA ; register the class; the return value (0 on failure) is not checked
.text:00401094                 push    0               ; lpParam
.text:00401096                 push    [ebp+hInstance] ; hInstance
.text:00401099                 push    0               ; hMenu
.text:0040109B                 push    0               ; hWndParent
.text:0040109D                 push    0C8h            ; nHeight = 200
.text:004010A2                 push    190h            ; nWidth = 400
.text:004010A7                 push    0C8h            ; Y = 200
.text:004010AC                 push    0C8h            ; X = 200
.text:004010B1                 push    0CF0000h        ; dwStyle = WS_OVERLAPPEDWINDOW (see the MASM source)
.text:004010B6                 push    offset WindowName ; "http://www.aogosoft.com"
.text:004010BB                 push    offset ClassName ; "MASMPlus_Class"
.text:004010C0                 push    0               ; dwExStyle
.text:004010C2                 call    CreateWindowExA ; create the window; a NULL result is not checked
.text:004010C7                 mov     [ebp+hWnd], eax
.text:004010CA                 push    1               ; nCmdShow = 1 = SW_SHOWNORMAL
.text:004010CC                 push    [ebp+hWnd]      ; hWnd
.text:004010CF                 call    ShowWindow      ; show the window
.text:004010D4                 push    [ebp+hWnd]      ; hWnd
.text:004010D7                 call    UpdateWindow    ; repaint the window
.text:004010DC
.text:004010DC loc_4010DC:                             ; CODE XREF: MakeMain+DEj
.text:004010DC                 push    0               ; wMsgFilterMax
.text:004010DE                 push    0               ; wMsgFilterMin
.text:004010E0                 push    0               ; hWnd = NULL: messages for any window of this thread
.text:004010E2                 lea     eax, [ebp+Msg]
.text:004010E5                 push    eax             ; lpMsg
.text:004010E6                 call    GetMessageA     ; message loop; returns 0 on WM_QUIT, -1 on error
.text:004010EB                 cmp     eax, 0
.text:004010EE                 jz      short loc_401104 ; only 0 leaves the loop; -1 would keep dispatching
.text:004010F0                 lea     eax, [ebp+Msg]
.text:004010F3                 push    eax
.text:004010F4                 call    TranslateMessage
.text:004010F9                 lea     eax, [ebp+Msg]
.text:004010FC                 push    eax
.text:004010FD                 call    DispatchMessageA ; this is a while loop: each message is dispatched to the window procedure
.text:00401102                 jmp     short loc_4010DC
.text:00401104 ; ---------------------------------------------------------------------------
.text:00401104
.text:00401104 loc_401104:                             ; CODE XREF: MakeMain+CAj
.text:00401104                 mov     eax, [ebp+Msg.wParam]
.text:00401107                 leave                   ; return Msg.wParam
.text:00401108                 retn    10h             ; stdcall: callee pops the 4 dword arguments
.text:00401108 MakeMain        endp

上面要注意结构成员是如何接收函数返回值和传入参数的,仔细看一下就明白了,一定要对应起来,比如:
push    [ebp+hInstance] ; 模块句柄
对应
pop     [ebp+var_30.hInstance]
这个就是传递参数的过程了
看下消息处理的WindowProc
.text:0040110B ; int __stdcall WindowProc(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
.text:0040110B ; switch(Msg) with three arms: WM_CREATE, WM_DESTROY, default.
.text:0040110B ; Note: "WM_DESTROY:" and "default:" below are code labels (apparently
.text:0040110B ; renamed in IDA); the WM_DESTROY in the cmp operand is the constant.
.text:0040110B WindowProc      proc near               ; DATA XREF: MakeMain+14o
.text:0040110B
.text:0040110B hWnd            = dword ptr  8
.text:0040110B Msg             = dword ptr  0Ch
.text:0040110B wParam          = dword ptr  10h
.text:0040110B lParam          = dword ptr  14h
.text:0040110B
.text:0040110B                 push    ebp
.text:0040110C                 mov     ebp, esp
.text:0040110E                 cmp     [ebp+Msg], WM_CREATE ; message dispatch: first case
.text:00401112                 jnz     short WM_DESTROY
.text:00401114                 jmp     short locret_401136 ; WM_CREATE: return without writing eax (stale value is returned)
.text:00401116 ; ---------------------------------------------------------------------------
.text:00401116
.text:00401116 WM_DESTROY:                             ; CODE XREF: WindowProc+7j
.text:00401116                 cmp     [ebp+Msg], WM_DESTROY ; second case
.text:0040111A                 jnz     short default
.text:0040111C                 push    0               ; nExitCode
.text:0040111E                 call    PostQuitMessage ; posts WM_QUIT, which makes GetMessageA in MakeMain return 0
.text:00401123                 jmp     short locret_401136 ; eax is whatever PostQuitMessage left, not an explicit 0
.text:00401125 ; ---------------------------------------------------------------------------
.text:00401125
.text:00401125 default:                                ; CODE XREF: WindowProc+Fj
.text:00401125                 push    [ebp+lParam]    ; default case: forward to DefWindowProcA
.text:00401128                 push    [ebp+wParam]    ; wParam
.text:0040112B                 push    [ebp+Msg]       ; Msg
.text:0040112E                 push    [ebp+hWnd]      ; hWnd
.text:00401131                 call    DefWindowProcA  ; its result in eax becomes the return value
.text:00401136
.text:00401136 locret_401136:                          ; CODE XREF: WindowProc+9j
.text:00401136                                         ; WindowProc+18j
.text:00401136                 leave
.text:00401137                 retn    10h             ; stdcall: callee pops the 4 dword arguments
.text:00401137 WindowProc      endp

上面其实是一个switch过程,仔细一看就知道。我逆向出来的源代码如下,其中有些函数我没有传进去,编译器有问题,提示找不到xxxx.lib
#include <windows.h>
#include <winuser.h>
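/* Window procedure recovered from WindowProc at 0040110B in the listing.
 * WM_CREATE : return 0 so window creation continues.
 * WM_DESTROY: post WM_QUIT (ends the loop in MakeMain), return 0.
 * default   : forward to DefWindowProc and return its result -- the
 *             original discarded that value and fell off the end of the
 *             function, which is undefined behaviour in C even though the
 *             binary happens to return DefWindowProcA's eax. */
LRESULT CALLBACK WindowProc(HWND hwnd,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
	switch(uMsg)
	{
		case WM_CREATE:
			return 0;
		case WM_DESTROY:
			PostQuitMessage(0);
			return 0;
		default:
			return DefWindowProc(hwnd,uMsg,wParam,lParam);
	}
}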
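/* Registers the window class, creates and shows the main window and runs
 * the message loop until WM_QUIT.  Mirrors MakeMain at 00401024 in the
 * listing; only hInst is used (the three extra stack slots pushed by the
 * caller are ignored).  Returns Msg.wParam of the WM_QUIT message, or 0
 * when the class or the window could not be created. */
int MakeMain(HINSTANCE hInst)
{
	MSG Msg;
	WNDCLASSEXA WndClass;
	HWND hWnd;
	BOOL bRet;

	WndClass.cbSize=sizeof(WNDCLASSEXA);
	/* 0x2003 in the listing == CS_HREDRAW | CS_VREDRAW | CS_BYTEALIGNWINDOW */
	WndClass.style=CS_HREDRAW|CS_VREDRAW|CS_BYTEALIGNWINDOW;
	WndClass.lpfnWndProc=WindowProc;
	WndClass.cbClsExtra=0;
	WndClass.cbWndExtra=0;
	WndClass.hInstance=hInst;
	/* COLOR_BTNSHADOW in the listing is numerically COLOR_BTNFACE+1: a system
	 * colour index + 1 as WNDCLASSEX allows, not a brush handle */
	WndClass.hbrBackground=(HBRUSH)(COLOR_BTNFACE+1);
	WndClass.lpszMenuName=NULL;
	WndClass.lpszClassName="MASMPlus_Class";
	/* the binary calls LoadIconA(hInstance, 100); NULL if the resource is absent */
	WndClass.hIcon=LoadIcon(hInst,MAKEINTRESOURCE(100));
	/* the binary calls LoadCursorA(NULL, 0x7F00); 0x7F00 is IDC_ARROW, not IDC_SIZENESW */
	WndClass.hCursor=LoadCursor(NULL,IDC_ARROW);
	WndClass.hIconSm=NULL;
	/* explicit A variant: the struct is WNDCLASSEXA and the strings are narrow */
	if(!RegisterClassExA(&WndClass))
		return 0;
	/* 0xCF0000 == WS_OVERLAPPEDWINDOW; x=200, y=200, w=400, h=200 */
	hWnd=CreateWindowExA(0,"MASMPlus_Class","http://www.aogosoft.com",
		WS_OVERLAPPEDWINDOW,200,200,400,200,NULL,NULL,hInst,NULL);
	if(hWnd==NULL)
		return 0;
	/* the binary pushes 1 == SW_SHOWNORMAL (SW_SHOW would be 5) */
	ShowWindow(hWnd,SW_SHOWNORMAL);
	UpdateWindow(hWnd);
	/* GetMessage returns 0 on WM_QUIT and -1 on error; stop on either
	 * (the binary only stops on 0) */
	while((bRet=GetMessage(&Msg,NULL,0,0))!=0)
	{
		if(bRet==-1)
			return 0;
		TranslateMessage(&Msg);
		DispatchMessage(&Msg);
	}
	return (int)Msg.wParam;
}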
/* Process entry.  Like the WinMain in the listing it ignores its own
 * arguments, fetches the module handle itself, hands it to MakeMain (which
 * does all the work) and returns 0. */
int APIENTRY WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR lpszCmdline, int nCmdShow)
{
	HINSTANCE hModule;

	(void)hPrevInst;
	(void)lpszCmdline;
	(void)nCmdShow;

	hModule = GetModuleHandle(NULL);
	hInst = hModule;              /* the original overwrote its own parameter */
	(void)MakeMain(hInst);
	return 0;
}

本身的汇编代码如下
.386
.Model Flat, StdCall                    ; 32-bit flat model; stdcall (callee pops args, hence retn 10h in the listing)
Option Casemap :None                    ; identifiers are case-sensitive

Include windows.inc
Include user32.inc
Include kernel32.inc
Include gdi32.inc

includelib gdi32.lib
IncludeLib user32.lib
IncludeLib kernel32.lib
include macro.asm                       ; presumably where the CTXT macro used in WinMain comes from
	
	WinMain PROTO :DWORD,:DWORD,:DWORD,:DWORD
	WndProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
	
.DATA
	szClassName db "MASMPlus_Class",0   ; window class name ("ClassName" in the IDA listing)
	
.DATA?
	hInstance	dd ?                    ; module handle, filled in at START
	
.CODE
START:

	invoke GetModuleHandle,NULL         ; NULL -> handle of this executable
	mov hInstance,eax
	invoke WinMain,hInstance,NULL,NULL,SW_SHOWDEFAULT ; WinMain only reads the first argument
	invoke ExitProcess,0

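;-----------------------------------------------------------------------
; WinMain(hInst, hPrevInst, CmdLine, CmdShow)
; Registers the window class, creates and shows the window and runs the
; message loop.  Only hInst is used.
; Out:  eax = msg.wParam of WM_QUIT, or 0 if the class or window could
;       not be created (the original did not check either result).
; Stack: three LOCALs; MASM emits the prologue/epilogue for each ret.
;-----------------------------------------------------------------------
WinMain proc hInst:DWORD,hPrevInst:DWORD,CmdLine:DWORD,CmdShow:DWORD
	LOCAL wc   :WNDCLASSEX
	LOCAL msg  :MSG
	local hWnd :HWND
	
	; Fill every field explicitly: the LOCAL is not zero-initialised.
	mov wc.cbSize,sizeof WNDCLASSEX
	mov wc.style,CS_HREDRAW or CS_VREDRAW or CS_BYTEALIGNWINDOW
	mov wc.lpfnWndProc,offset WndProc
	mov wc.cbClsExtra,NULL
	mov wc.cbWndExtra,NULL
	push hInst
	pop wc.hInstance                    ; memory-to-memory copy via the stack
	mov wc.hbrBackground,COLOR_BTNFACE+1 ; system colour index + 1, as WNDCLASSEX allows
	mov wc.lpszMenuName,NULL
	mov wc.lpszClassName,offset szClassName
	invoke LoadIcon,hInst,100           ; icon resource 100; NULL if it is absent
	mov wc.hIcon,eax
	invoke LoadCursor,NULL,IDC_ARROW
	mov wc.hCursor,eax
	mov wc.hIconSm,0
	invoke RegisterClassEx, ADDR wc
	.if eax == 0
		; registration failed; the class name cannot be used below
		xor eax,eax
		ret
	.endif
	invoke CreateWindowEx,NULL,ADDR szClassName,CTXT("http://www.aogosoft.com"),WS_OVERLAPPEDWINDOW,200,200,400,200,NULL,NULL,hInst,NULL
	.if eax == NULL
		; no window: nothing to show and no point pumping messages
		xor eax,eax
		ret
	.endif
	mov hWnd,eax
	invoke ShowWindow,hWnd,SW_SHOWNORMAL
	invoke UpdateWindow,hWnd
	
	; Message pump. GetMessage returns 0 on WM_QUIT and -1 on error;
	; leave on either (the original only left on 0).
	.while TRUE
		invoke GetMessage,ADDR msg,NULL,0,0
		.break .if eax == 0 || eax == -1
		invoke TranslateMessage, ADDR msg
		invoke DispatchMessage, ADDR msg
	.endw
	
	mov eax,msg.wParam                  ; exit code carried by WM_QUIT
	ret
WinMain endp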

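;-----------------------------------------------------------------------
; WndProc(hWin, uMsg, wParam, lParam) -> eax
; WM_CREATE  : return 0 so window creation continues
; WM_DESTROY : PostQuitMessage(0), return 0
; otherwise  : return DefWindowProc(...)
; The original left eax unset on the first two paths, so the WM_CREATE
; return value was whatever eax happened to hold.
;-----------------------------------------------------------------------
WndProc proc hWin:DWORD,uMsg:DWORD,wParam :DWORD,lParam :DWORD
	.if uMsg==WM_CREATE
		xor eax,eax                     ; explicit 0: continue creation
	.elseif uMsg == WM_DESTROY
		invoke PostQuitMessage,NULL
		xor eax,eax                     ; PostQuitMessage returns nothing useful
	.else
		invoke DefWindowProc,hWin,uMsg,wParam,lParam
	.endif
	ret
WndProc endp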

END START

希望不会的能自己动手分析一遍,耐心点,仔细点。

