最近在逆向一个软件,以下是其核心代码,但我看不懂是什么意思。
反汇编代码要怎样才能比较轻松地看懂?
求指教,求带入门。
; Excerpt from the middle of a function in ntvdm (debugger listing: address, raw
; bytes, disassembly). A '>' after the bytes means the hex column was truncated.
; The '/' and '|' bracket column marks a loop body that starts at 0F0053B8.
; Each pass checks for pending work, enters the VDM through NtVdmControl (the
; user->kernel boundary for the VDM), then processes state once control returns.
; Register values are set before this excerpt, so these are assumptions to confirm:
;   ebx - used as 0/NULL everywhere below (NULL arguments, status compare, byte store).
;   edi - a flag mask, presumably 0x20000 (bit 17, EFLAGS.VM), since the same field
;         is cleared with 0xFFFDFFFF and with 0xFD on its third byte.
;   esi - pointer to a per-thread VDM structure (reloaded from TEB+0xF18 further down).
;   [ebp-0x4] - interrupt-flag state saved as an EFLAGS mask (0x200 or 0) by a previous pass.

; If either of the low two bits of the byte at fixed address 0x714 is set, call
; DispatchInterrupts. NOTE(review): 0x714 looks like a fixed-address VDM state
; byte with "interrupt pending" bits - confirm against the ntvdm sources/symbols.
0F0053B8 > /F605 14070000>test byte ptr ds:[0x714],0x3
0F0053BF . |74 05 je short ntvdm.0F0053C6
0F0053C1 . |E8 A6F0FFFF call ntvdm.DispatchInterrupts
; getMSW presumably returns the emulated machine status word. Bit 0 of the MSW is
; PE (protected mode enable). PE clear -> take the branch at 0F00540A;
; PE set -> fall through to the protected-mode path.
0F0053C6 > |E8 2AEEFFFF call ntvdm.getMSW
0F0053CB . |A8 01 test al,0x1
0F0053CD . |74 3B je short ntvdm.0F00540A
; Protected-mode path. The NtVdmControl call below runs only if all three hold:
;   the global at 0F06CB24 equals ebx (0),
;   getIF() currently returns 0, and
;   the saved value in [ebp-0x4] is 0x200 (EFLAGS.IF was set on the previous pass).
; Otherwise execution skips to 0F0053FC.
0F0053CF . |391D 24CB060F cmp dword ptr ds:[0xF06CB24],ebx
0F0053D5 . |75 25 jnz short ntvdm.0F0053FC
0F0053D7 . |E8 47FAFFFF call ntvdm.getIF
0F0053DC . |85C0 test eax,eax
0F0053DE . |75 1C jnz short ntvdm.0F0053FC
0F0053E0 . |817D FC 00020>cmp dword ptr ss:[ebp-0x4],0x200
0F0053E7 . |75 13 jnz short ntvdm.0F0053FC
; NtVdmControl(0xD, &local) with local = 3 (stdcall: the last push is argument 1).
; NOTE(review): service class 0xD is likely VdmPMCliControl in the VDMSERVICECLASS
; enum - confirm against the headers for this Windows build.
0F0053E9 . |8D45 F8 lea eax,dword ptr ss:[ebp-0x8]
0F0053EC . |50 push eax
0F0053ED . |6A 0D push 0xD
0F0053EF . |C745 F8 03000>mov dword ptr ss:[ebp-0x8],0x3
0F0053F6 . |FF15 8814000F call dword ptr ds:[<&ntdll.NtVdmControl>>; ntdll.ZwVdmControl
; Clear bit 1 of the byte at esi+0x39A, i.e. bit 17 of the dword at esi+0x398
; (presumably the VM bit of a saved EFlags value), then call the unnamed routine
; at 0F04496C. Its return value in eax is checked at 0F005418.
0F0053FC > |80A6 9A030000>and byte ptr ds:[esi+0x39A],0xFD
0F005403 . |E8 64F50300 call ntvdm.0F04496C
0F005408 . |EB 0E jmp short ntvdm.0F005418
; PE-clear path: OR the edi mask into the dword at esi+0x398, then call
; NtVdmControl(ebx, ebx), i.e. service class 0 with a NULL argument if ebx is 0.
; NOTE(review): class 0 is presumably VdmStartExecution - confirm.
0F00540A > |09BE 98030000 or dword ptr ds:[esi+0x398],edi
0F005410 . |53 push ebx
0F005411 . |53 push ebx
0F005412 . |FF15 8814000F call dword ptr ds:[<&ntdll.NtVdmControl>>; ntdll.ZwVdmControl
; Both paths meet here. Signed compare of the returned status with ebx: a negative
; value (a failed NTSTATUS, if ebx is 0) goes to 0F0054B2, outside this excerpt.
0F005418 > |3BC3 cmp eax,ebx
0F00541A . |0F8C 92000000 jl ntvdm.0F0054B2
; fs:[0x18] is the TEB self-pointer on 32-bit Windows; record it in CurrentMonitorTeb.
0F005420 . |64:A1 1800000>mov eax,dword ptr fs:[0x18]
0F005426 . |A3 2CCC090F mov dword ptr ds:[CurrentMonitorTeb],eax
; Reload esi from TEB+0xF18 (the Vdm pointer in the 32-bit TEB layout - confirm
; for this build). The cmp is interleaved; its flags feed the jnz at 0F00543D.
0F00542B . |64:A1 1800000>mov eax,dword ptr fs:[0x18]
0F005431 . |391D 24CB060F cmp dword ptr ds:[0xF06CB24],ebx
0F005437 . |8BB0 180F0000 mov esi,dword ptr ds:[eax+0xF18]
0F00543D . |75 11 jnz short ntvdm.0F005450
; Branch-free idiom: neg sets CF when eax != 0, sbb eax,eax then gives -1 or 0,
; and the and keeps only bit 9. Result: [ebp-0x4] = getIF() ? 0x200 : 0.
; This is the saved IF state tested at 0F0053E0 on the next pass.
0F00543F . |E8 DFF9FFFF call ntvdm.getIF
0F005444 . |F7D8 neg eax
0F005446 . |1BC0 sbb eax,eax
0F005448 . |25 00020000 and eax,0x200
0F00544D . |8945 FC mov dword ptr ss:[ebp-0x4],eax
; Optional callback: load a function pointer from the global at 0F0719B8 and call
; it only if it differs from ebx (non-NULL). The target is decided at run time, so
; static analysis must find who writes this global to know what gets called.
0F005450 > |A1 B819070F mov eax,dword ptr ds:[0xF0719B8]
0F005455 . |3BC3 cmp eax,ebx
0F005457 . |74 02 je short ntvdm.0F00545B
0F005459 . |FFD0 call eax
; If any bit of the edi mask is set in the dword at esi+0x398, clear bit 17
; (0xFFFDFFFF = ~0x20000) and write the value back.
0F00545B > |8D8E 98030000 lea ecx,dword ptr ds:[esi+0x398]
0F005461 . |8B01 mov eax,dword ptr ds:[ecx]
0F005463 . |85C7 test edi,eax
0F005465 . |74 07 je short ntvdm.0F00546E
0F005467 . |25 FFFFFDFF and eax,0xFFFDFFFF
0F00546C . |8901 mov dword ptr ds:[ecx],eax
; Add the dword at esi+0x5AC to the dword at esi+0x390.
; NOTE(review): possibly advancing a saved instruction pointer by an instruction
; size - the field meanings are not visible here; confirm against the structure layout.
0F00546E > |8B86 AC050000 mov eax,dword ptr ds:[esi+0x5AC]
0F005474 . |0186 90030000 add dword ptr ds:[esi+0x390],eax
; Load the dword at esi+0x5A8 and compare it (signed) with 7. Values below 7
; continue at 0F00548D. Values >= 7 store bl (0 if ebx is 0) into the byte at
; esi+0x670 and jump to 0F00549F. Both targets lie outside this excerpt.
0F00547A . |8B86 A8050000 mov eax,dword ptr ds:[esi+0x5A8]
0F005480 . |83F8 07 cmp eax,0x7
0F005483 . |7C 08 jl short ntvdm.0F00548D
0F005485 . |889E 70060000 mov byte ptr ds:[esi+0x670],bl
0F00548B . |EB 12 jmp short ntvdm.0F00549F