一直在用OD,但是但是OD的原理是啥?那些数据怎么来的?
于是,就花了几天用OD调试了一下OD,并写了点心得。呵呵。
【名称】 OD分析被调试进程的数据来源
【版本】 。\OllyICE\原版\英文原版\OLLYDBG.EXE v1.10
【工具】 IDA,
下面所以贴出来的代码都是基于 OLLYDBG.EXE v1.10英文版。可用IDA逆向参考。地址一定是匹配的。
【分析时间】 2010-09-22
【OD的数据】
数据表:
ModuleList,模块列表。
ThreadList,线程列表。
HeapList,堆内存列表。
MemoryList,内存列表。
WindowList,窗口列表。
HandleList,句柄列表。
PatchsList,补丁列表。
CallStackList,回调列表。
BreakPointList,用户断点列表。
RefrencesList,字符串参考列表。
RunTraceList, 运行跟踪列表。
SourceList, 源代码。
【枚举】
OD的大部分数据来源,是通过对被调试进程的枚举而获取的数据。
+ 下面是枚举的API描述:
线程枚举:可以得到当前操作系统的全部的线程,只能得到线程ID,对线程操作需要线程句柄,
句柄只能用 <jmp.&KERNEL32.WaitForDebugEvent>,调试事件才可以得到。
hSnapShot:=CreateToolHelp32SnapShot(TH32CS_SNAPTHREAD,Pid);
Thread32First(hSnapshot,lpte);
Thread32Next (hSnapshot,lpte );
进程枚举:
CreateToolHelp32Snapshot(TH32CS_SNAPPROCESS, 0);
Process32First(FSnap, PE)
Process32Next(FSnap, PE);
模块枚举:
hSnapShot:=CreateToolHelp32SnapShot(TH32CS_SNAPMODULE,Pid);
Module32First(hSnapShot,lphl)
Module32Next(hSnapShot,lphl)
【OD的这些数据的基本操作】
首先,OD通过进程枚举获取进程列表。
其次,开始创建,添加数据。
+ 创建数据池:
.text:00478013 loc_478013: ; CODE XREF: ShowProcessList+5Fj
.text:00478013 push 0 ; FuncAddr2
.text:00478015 push offset FuncOfProcessTable ; FuncAddr1
.text:0047801A push 100h ; ItemNum
.text:0047801F push 310h ; RecordSizeOfItem
.text:00478024 push offset aProcessTable ; "Process table"
.text:00478029 push offset ProcessTableClass ; pResultDataPointer
.text:0047802E call _Createsorteddata ; :创建存储数据块(ProcessTable,ThreadTable,ModuleTable,MemTable.....)
.text:0047802E ; :pResultDataPointer= 新数据块指针
.text:0047802E ; pSrcTableName = 数据块的名字
.text:0047802E ; RecordSizeOfItem= 每个记录的大小
.text:0047802E ; ItemNum = 数量
.text:0047802E ; Func1 = 这个数据Table模块对应的函数
.text:0047802E ; Func2 = 这个数据Table模块的附加函数
.text:00478033 add esp, 18h
.text:00478036 test eax, eax ; ProcessTableClass: Size=138h
.text:00478036 ; 004ED3FC 50 72 6F 63 65 73 73 20 74 61 62 6C 65 00 00 00 Process table...
.text:00478036 ; Name
.text:00478036 ; 004ED40C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
.text:00478036 ; ................
.text:00478036 ; 004ED4FC 00 00 00 00 00 00 00 00 00 01 00 00 FF FF FF FF
.text:00478036 ; Num Index=-1
.text:00478036 ; 004ED50C 7C 04 00 00 10 03 00 00 58 00 00 00 00 00 78 02
.text:00478036 ; RecordSize Addr_Items
.text:00478036 ; 004ED51C 10 7C 47 00 00 00 00 00 00 00 00 00 01 00 00 00
.text:00478036 ; AddrFunc
.text:00478036 ; 004ED52C 00 00 67 02 00 00 00 00
.text:00478036 ; Pointer_FuncLists
.text:00478038 jz short loc_478044
.text:0047803A mov eax, 1
.text:0047803F jmp loc_478680
.text:00478044 ; ---------------------------------------------------------------------------
.text:00478044
.text:00478044 loc_478044: ; CODE XREF: ShowProcessList+90j
.text:00478044 mov ListViewProcessListColum1Width, 9
.text:0047804E mov ListViewProcessListColum1Name, offset aProcess ; "Process"
.text:00478058 mov ListViewProcessListColum1Check, 0
.text:0047805F mov ListViewProcessListColum2Width, 9
.text:00478069 mov ListViewProcessListColum2Name, offset aName_0 ; "Name"
.text:00478073 mov ListViewProcessListColum2Check, 0
.text:0047807A mov ListViewProcessListColum3Width, 1Bh
.text:00478084 mov ListViewProcessListColum3Name, offset aWindow_0 ; "Window"
.text:0047808E mov ListViewProcessListColum3Check, 0
.text:00478095 mov ListViewProcessListColum4Width, 100h
.text:0047809F mov ListViewProcessListColum4Name, offset aPath_0 ; "Path"
.text:004780A9 mov ListViewProcessListColum4Check, 0
.text:004780B0 mov ListViewProcessListColumCount, 4
.text:004780BA push offset ListViewProcessListColumCount
.text:004780BF mov edx, IsShowListView
.text:004780C5 mov ListViewProcessList, edx
+ 把数据添加到数据池:
.text:00454EFC ; =============== S U B R O U T I N E =======================================
.text:00454EFC
.text:00454EFC ; 把数据添加到数据池:添加一个Record到 SortedData里面: 根据类型判断 Copy的大小。
.text:00454EFC ; 比如: Copy大小就是310h
.text:00454EFC ; 0012D3B4 004ED3FC ASCII "Process table"
.text:00454EFC ; 0012D3B8 0012D4F0
.text:00454EFC ; Attributes: bp-based frame
.text:00454EFC
.text:00454EFC ; int __cdecl Addsorteddata(int pDestSortedData,void *src)
.text:00454EFC public _Addsorteddata
.text:00454EFC _Addsorteddata proc near ; CODE XREF: _Setbreakpointext+112p
.text:00454EFC ; sub_41E604+7426p ...
.text:00454EFC
.text:00454EFC s1 = dword ptr -0Ch
.text:00454EFC var_8 = dword ptr -8
.text:00454EFC var_4 = dword ptr -4
.text:00454EFC pDestSortedData = dword ptr 8
.text:00454EFC src = dword ptr 0Ch
.text:00454EFC
.text:00454EFC push ebp ; zzzzzzzzzzzzzzzzzzz
.text:00454EFD mov ebp, esp
.text:00454EFF add esp, 0FFFFFFF4h
.text:00454F02 push ebx
.text:00454F03 push esi
Dll句柄表:(枚举, 通过读取内存模块得到) D
0012DA70 00475433 返回到 OLLYDBG.00475433 来自 OLLYDBG._Createsorteddata
//根据地址OLLYDBG.00475433,可以在IDA中看到详细的过程,下面类同。
0012DA74 004D6FC0 ASCII "Table of DLL handles"
0012DA78 004C16EC ASCII "Table of DLL handles"
0012DA7C 00000010 RecordSizeOfItem
0012DA80 00000100 ItemNum
0012DA84 00000000 Func1
0012DA88 0045F8CC Func2 //OLLYDBG.0045F8CC 关闭句柄
.text:0047541A push offset CloseHandle_0 ; Flag
.text:0047541F push 0 ; AddrFunc
.text:00475421 push 100h ; ItemNum
.text:00475426 push 10h ; RecordSizeOfItem
.text:00475428 push esi ; pSrcListName
.text:00475429 push offset aTableOfDllHandle ; pResultDataPointer
.text:0047542E call _Createsorteddata ; £o′′?¨′?′¢êy?Y?é
模块表:(枚举, 通过读取内存模块得到)
0012DA70 00475461 返回到 OLLYDBG.00475461 来自 OLLYDBG._Createsorteddata
0012DA74 004D70FC ASCII "Table of modules"
0012DA78 004C1701 ASCII "Table of modules"
0012DA7C 00000465
0012DA80 00000100
0012DA84 0045F830 OLLYDBG.0045F830
0012DA88 0045F8F0 OLLYDBG.0045F8F0
线程表: (枚举,DebugEvent.u线程句柄)
0012DA70 00475489 返回到 OLLYDBG.00475489 来自 OLLYDBG._Createsorteddata
0012DA74 004D7C94 ASCII "Table of threads"
0012DA78 004C1712 ASCII "Table of threads"
0012DA7C 0000066C
0012DA80 00000008
0012DA84 00478B98 OLLYDBG.00478B98
0012DA88 00000000
内存表: (用API:VirtualQueryEx循环查询),,Process Memory Page Query. 一个进程Page MaxCount=F000,每个PageSize=10000h
0012DA70 004754B4 返回到 OLLYDBG.004754B4 来自 OLLYDBG._Createsorteddata
0012DA74 004D77E4 ASCII "Table of allocated memory"
0012DA78 004C1723 ASCII "Table of allocated memory"
0012DA7C 00000048
0012DA80 00000200
0012DA84 00461160 OLLYDBG.00461160
0012DA88 004612C0 OLLYDBG.004612C0
//这个很重要,也最常用,所以特地贴出来。
VirtualQueryEx详细描述:
返回结果:
typedef struct _MEMORY_BASIC_INFORMATION32{
DWord BaseAddress; //A pointer to the base address of the region of pages
DWord AllocationBase; //A pointer to the base address of a range of pages allocated by the VirtualAlloc function. The page pointed to by the BaseAddress member is contained within this allocation range
DWord AllocationProtect; //清除保护 and dword ptr [esp+A4], 0FFFFFCFFh
{PAGE_EXECUTE 0x10
PAGE_EXECUTE_READ 0x20
PAGE_EXECUTE_READWRITE 0x40
PAGE_EXECUTE_WRITECOPY 0x80
PAGE_NOACCESS 0x01
PAGE_READONLY 0x02
PAGE_READWRITE 0x04
PAGE_WRITECOPY 0x08
PAGE_GUARD 0x100
PAGE_NOCACHE 0x200
PAGE_WRITECOMBINE 0x400 }
DWord RegionSize;
DWord State; // { MEM_COMMIT 0x1000 ,MEM_FREE 0x10000 ,MEM_RESERVE 0x2000 }
DWord Protect;
DWord Type; {MEM_IMAGE 0x1000000 , MEM_MAPPED 0x40000 ,MEM_PRIVATE 0x20000 }
} MEMORY_BASIC_INFORMATION32, *PMEMORY_BASIC_INFORMATION32 ;
堆列表HeapList: 得到Module之后根据PE格式解析得到 Heap
0012DA70 004754DC 返回到 OLLYDBG.004754DC 来自 OLLYDBG._Createsorteddata
0012DA74 004D7A31 ASCII "Heap table"
0012DA78 004C173D ASCII "Heap table"
0012DA7C 00000010
0012DA80 00000200
0012DA84 00462E40 OLLYDBG.00462E40
0012DA88 00000000
断点列表:
0012DA70 00475501 返回到 OLLYDBG.00475501 来自 OLLYDBG._Createsorteddata
0012DA74 004D7EE1 ASCII "Table of breakpoints"
0012DA78 004C1748 ASCII "Table of breakpoints"
0012DA7C 00000011
0012DA80 00000040
0012DA84 00000000
0012DA88 00419450 OLLYDBG.00419450
参考字符串列表: .Data段的指针得到
0012DA70 00475529 返回到 OLLYDBG.00475529 来自 OLLYDBG._Createsorteddata
0012DA74 004DE5CC ASCII "Table of references"
0012DA78 004C175D ASCII "Table of references"
0012DA7C 00000010
0012DA80 00000400
0012DA84 004716A0 OLLYDBG.004716A0
0012DA88 00000000
ProfileList:
0012DA70 00475554 返回到 OLLYDBG.00475554 来自 OLLYDBG._Createsorteddata
0012DA74 004DC684 ASCII "Profile"
0012DA78 004C1771 ASCII "Profile"
0012DA7C 00000010
0012DA80 00000400
0012DA84 0048DEC0 OLLYDBG.0048DEC0
0012DA88 00000000
源码文件列表:
0012DA70 0047557F 返回到 OLLYDBG.0047557F 来自 OLLYDBG._Createsorteddata
0012DA74 004E2AA4 ASCII "Table of source files"
0012DA78 004C1779 ASCII "Table of source files"
0012DA7C 0000000C
0012DA80 00000080
0012DA84 00495828 OLLYDBG.00495828
0012DA88 00000000
函数表:ProcedureData: (吧全部汇编解析之后得到的 FunctionList) { StartAddr ,Len,}
0012DA70 004755A7 返回到 OLLYDBG.004755A7 来自 OLLYDBG._Createsorteddata
0012DA74 004DC8CD ASCII "Procedure data"
0012DA78 004C178F ASCII "Procedure data"
0012DA7C 00000020
0012DA80 00000400
0012DA84 00000000
0012DA88 00000000
SwitchDataList:
0012DA70 004755CF 返回到 OLLYDBG.004755CF 来自 OLLYDBG._Createsorteddata
0012DA74 004DCA05 ASCII "Switch data"
0012DA78 004C179E ASCII "Switch data"
0012DA7C 00000020
0012DA80 00000400
0012DA84 00000000
0012DA88 00000000
窗口列表: (枚举)
0012DA70 004755FD 返回到 OLLYDBG.004755FD 来自 OLLYDBG._Createsorteddata
0012DA74 004DE928 ASCII "Table of windows"
0012DA78 004C17AA ASCII "Table of windows"
0012DA7C 00000258
0012DA80 00000100
0012DA84 00497D80 OLLYDBG.00497D80
0012DA88 00000000
句柄列表:
0012DA70 00475635 返回到 OLLYDBG.00475635 来自 OLLYDBG._Createsorteddata
0012DA74 004E2F14 ASCII "Table of handles"
0012DA78 004C17BB ASCII "Table of handles"
0012DA7C 00000248
0012DA80 00000100
0012DA84 0049D660 OLLYDBG.0049D660
0012DA88 00000000
CallStackList:
0012DA70 0047566A 返回到 OLLYDBG.0047566A 来自 OLLYDBG._Createsorteddata
0012DA74 004DCC58 ASCII "Call stack"
0012DA78 004C17CC ASCII "Call stack"
0012DA7C 00000120
0012DA80 00000100
0012DA84 00000000
0012DA88 00000000
CallTreeList:
0012DA70 00475692 返回到 OLLYDBG.00475692 来自 OLLYDBG._Createsorteddata
0012DA74 004D9BD4 ASCII "Call tree"
0012DA78 004C17D7 ASCII "Call tree"
0012DA7C 00000018
0012DA80 00000100
0012DA84 00000000
0012DA88 00000000
PatchesList: (历史记录表)
0012DA70 004756BA 返回到 OLLYDBG.004756BA 来自 OLLYDBG._Createsorteddata
0012DA74 004E316C ASCII "List of patches"
0012DA78 004C17E1 ASCII "List of patches"
0012DA7C 0000020C
0012DA80 00000040
0012DA84 00000000
0012DA88 00000000
AnalysisHintsList: ()
0012DA70 004756E2 返回到 OLLYDBG.004756E2 来自 OLLYDBG._Createsorteddata
0012DA74 004D9034 ASCII "Analysis hints"
0012DA78 004C17F1 ASCII "Analysis hints"
0012DA7C 0000000C
0012DA80 00000100
0012DA84 00000000
0012DA88 00000000
SEHchainList:
0012DA70 00475707 返回到 OLLYDBG.00475707 来自 OLLYDBG._Createsorteddata
0012DA74 004E33B9 ASCII "SEH chain"
0012DA78 004C1800 ASCII "SEH chain"
0012DA7C 00000014
0012DA80 00000040
0012DA84 00000000
0012DA88 00000000
InternalOllyDbgTable:
0012DA6C 004918A8 返回到 OLLYDBG.004918A8 来自 OLLYDBG._Createsorteddata
0012DA70 004EE028 ASCII "Internal OllyDbg table"
0012DA74 00000000
0012DA78 00000010
0012DA7C 00002000
0012DA80 00000000
0012DA84 00000000
【另外OD获取线程数据表的方法】
+ 获得 线程句柄+线程信息
OD方式线程句柄+线程信息:
0043961D . E8 E85B0700 call <jmp.&KERNEL32.WaitForDebugEvent> ; \WaitForDebugEvent
7C85B4AF E8 3A550200 call <jmp.&ntdll.DbgUiConvertStateChangeStructure>
7C97226C |. 56 push esi ; /pReqsize => NULL
7C97226D |. 894B 28 mov dword ptr [ebx+28], ecx ; |
7C972270 |. 6A 1C push 1C ; |Bufsize = 1C (28.)
7C972272 |. 8D4D CC lea ecx, dword ptr [ebp-34] ; |
7C972275 |. 51 push ecx ; |Buffer
7C972276 |. 56 push esi ; |InfoClass => 0
7C972277 |. FF70 10 push dword ptr [eax+10] ; |hThread
7C97227A |. E8 8FB5FBFF call ZwQueryInformationThread ; \ZwQueryInformationThread
004D5714 03 00 00 00 58 0E 00 00 80 0C 00 00 E4 00 00 00 ...X..€...?..
004D5724 D0 00 00 00 C4 00 00 00 00 00 40 00 00 00 00 00 ?..?....@.....
004D5734 00 00 00 00 00 F0 FD 7F 00 00 00 00 00 00 00 00 .....瘕........
004D5744 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
004D5754 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
004D5764 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
_DEBUG_EVENT::$E8D2578A27A7ED17B9C3B01BD68B5178 union ; (sizeof=0x54, standard type)
00000000 Exception EXCEPTION_DEBUG_INFO ?
00000000 CreateThread CREATE_THREAD_DEBUG_INFO ?
00000000 CreateProcessInfo CREATE_PROCESS_DEBUG_INFO ?
00000000 ExitThread EXIT_THREAD_DEBUG_INFO ?
00000000 ExitProcess EXIT_PROCESS_DEBUG_INFO ?
00000000 LoadDll LOAD_DLL_DEBUG_INFO ?
00000000 UnloadDll UNLOAD_DLL_DEBUG_INFO ?
00000000 DebugString OUTPUT_DEBUG_STRING_INFO ?
00000000 RipInfo RIP_INFO ?
00000000 _DEBUG_EVENT::$E8D2578A27A7ED17B9C3B01BD68B5178 ends
00000000
00000000 _DEBUG_EVENT struc ; (sizeof=0x60, standard type)
00000000 dwDebugEventCode dd ? ; 004D5714 03 00 00 00 28 0F 00 00 F8 0B 00 00 04 01 00 00
00000000 ; dwDebugEvent dwProcessID dwThreadID Exception
00000000 ; 004D5724 24 01 00 00 F0 00 00 00 00 00 40 00 00 00 00 00
00000000 ; CreateThread HandleThread ImageAddr
00000000 ; 004D5734 00 00 00 00 00 F0 FD 7F 00 00 00 00 00 00 00 00
00000000 ;
00000004 dwProcessId dd ?
00000008 dwThreadId dd ?
0000000C u _DEBUG_EVENT::$E8D2578A27A7ED17B9C3B01BD68B5178 ?
00000060 _DEBUG_EVENT ends
用VC是这么写的:
/************************************************************************/
/* Function Name : GetThreadStartAddress
/* Description : Get address of thread start routine
/* In : dwThreadID. the ID of the specified thread
/* Out : none
/* Return : Address of thread start routine if succeeds,
/* NULL if fails.
/************************************************************************/
LPVOID GetThreadStartAddress(const DWORD dwThreadID)
{
MOpenThread pfnOpenThread = (MOpenThread)GetProcAddress(
GetModuleHandle(TEXT( "Kernel32 ")), "OpenThread ");
if (NULL == pfnOpenThread) {
return NULL;
}
// Get thread handle
HANDLE hThread = pfnOpenThread(THREAD_QUERY_INFORMATION, NULL, dwThreadID);
if (NULL == hThread) {
return NULL;
}
// ! NtQueryInformationThread is available for use in Windows 2000 and
// Windows XP. It may be altered or unavailable in subsequent versions.
MNtQueryInformationThread pfnMNtQueryInformationThread =
(MNtQueryInformationThread)GetProcAddress(GetModuleHandle(TEXT( "ntdll ")),
"NtQueryInformationThread ");
if (NULL == pfnMNtQueryInformationThread) {
CloseHandle(hThread); // Do not forget to close thread 's handle
return NULL;
}
THREAD_INFORMATION_CLASS ThreadInformationClass = ThreadQuerySetWin32StartAddress;
char bufThreadStartAddr[0x04] = {0}; // Must be 0x04 when ThreadInformationClass
// is ThreadQuerySetWin32StartAddress
ULONG ulen = 0;
// Get the thread 's information
NTSTATUS retVal = pfnMNtQueryInformationThread(hThread,
ThreadInformationClass, (PVOID)bufThreadStartAddr, sizeof(bufThreadStartAddr),
&ulen);
// Do not forget to close thread 's handle
CloseHandle(hThread);
if (NT_SUCCESS(retVal)) // succeed in getting thread information
{
DWORD addr = 0;
// Get address from the char buffer-bufThreadStartAddr
memcpy(&addr,bufThreadStartAddr, sizeof(bufThreadStartAddr));
return (LPVOID)addr;
}
else {
return NULL;
}
}
【OD的反汇编引擎】
.text:0047EB0C ; 0012AC88 0042D9A6 返回到 OLLYDBG._Setcpu+38E 来自 OLLYDBG._Disassembleforward
.text:0047EB0C ; 0012AC8C 00000000
.text:0047EB0C ; 0012AC90 00401000 ImageCodeBaseAddr
.text:0047EB0C ; 0012AC94 0004F000 Size
.text:0047EB0C ; 0012AC98 0044F320 WindowShowFirstAddr,窗口显示的第一行地址
.text:0047EB0C ; 0012AC9C 00000001 CurFocusLine当前选中行相对于当前显示的第一行的偏移行
.text:0047EB0C ; 0012ACA0 00000001
.text:0047EB0C ;
.text:0047EB0C ;
.text:0047EB0C ; Attributes: bp-based frame
.text:0047EB0C
.text:0047EB0C ; int __cdecl Disassembleforward(int Temp,int dwImageAddr,int Size,int dwOEPAddr,int bFlag1,int bFlag2)
.text:0047EB0C public _Disassembleforward
.text:0047EB0C _Disassembleforward proc near ; CODE XREF: sub_41BB24+1F6p
.text:0047EB0C ; sub_41BB24+2D6p ...
.text:0047EB0C
.text:0047EB0C pResult = dword ptr -1168h
.text:0047EB0C src = dword ptr -808h
.text:0047EB0C n = dword ptr -8
.text:0047EB0C var_4 = dword ptr -4
.text:0047EB0C Temp = dword ptr 8
.text:0047EB0C dwImageAddr = dword ptr 0Ch
.text:0047EB0C Size = dword ptr 10h
.text:0047EB0C dwOEPAddr = dword ptr 14h
.text:0047EB0C bFlag1 = dword ptr 18h
.text:0047EB0C bFlag2 = dword ptr 1Ch
.text:0047EB0C
.text:0047EB0C push ebp
.text:0047EB0D mov ebp, esp
.text:0047EB0F add esp, 0FFFFF004h
.text:0047EB15 push eax
.text:0047EB16 add esp, 0FFFFFE98h
.text:0047EB1C push ebx
.text:0047EB1D push esi
.text:0047EB1E push edi
.text:0047EB1F mov ebx, [ebp+dwOEPAddr]
.text:0047EB22 mov esi, [ebp+Size]
.text:0047EB25 cmp ebx, [ebp+dwImageAddr]
.text:0047EB28 jnb short loc_47EB2D
.text:0047EB2A mov ebx, [ebp+dwImageAddr]
.text:0047EB2D
.text:0047EB2D loc_47EB2D: ; CODE XREF: _Disassembleforward+1Cj
.text:0047EB2D mov eax, [ebp+dwImageAddr]
.text:0047EB30 add eax, esi
.text:0047EB32 cmp ebx, eax
.text:0047EB34 ja loc_47ECCF
.text:0047EB3A cmp [ebp+bFlag1], 0
.text:0047EB3E jg short loc_47EB47
.text:0047EB40 mov eax, ebx
.text:0047EB42 jmp loc_47ECCF
.text:0047EB47 ; ---------------------------------------------------------------------------
.text:0047EB47
.text:0047EB47 loc_47EB47: ; CODE XREF: _Disassembleforward+32j
.text:0047EB47 cmp [ebp+Temp], 0
.text:0047EB4B jz short loc_47EB55
.text:0047EB4D mov edx, ebx
.text:0047EB4F sub edx, [ebp+dwImageAddr]
.text:0047EB52 add [ebp+Temp], edx
.text:0047EB55
.text:0047EB55 loc_47EB55: ; CODE XREF: _Disassembleforward+3Fj
.text:0047EB55 mov ecx, ebx
.text:0047EB57 sub ecx, [ebp+dwImageAddr]
.text:0047EB5A sub esi, ecx
.text:0047EB5C mov [ebp+dwImageAddr], ebx
.text:0047EB5F cmp [ebp+bFlag2], 0
.text:0047EB63 jz short loc_47EB80
.text:0047EB65 lea eax, [ebp+var_4]
.text:0047EB68 push eax
.text:0047EB69 mov edx, [ebp+dwImageAddr]
.text:0047EB6C push edx
.text:0047EB6D call _Finddecode
.text:0047EB72 add esp, 8
.text:0047EB75 mov edi, eax
.text:0047EB77 cmp esi, [ebp+var_4]
.text:0047EB7A jbe short loc_47EB82
.text:0047EB7C xor edi, edi
.text:0047EB7E jmp short loc_47EB82
.text:0047EB80 ; ---------------------------------------------------------------------------
.text:0047EB80
.text:0047EB80 loc_47EB80: ; CODE XREF: _Disassembleforward+57j
.text:0047EB80 xor edi, edi
.text:0047EB82
.text:0047EB82 loc_47EB82: ; CODE XREF: _Disassembleforward+6Ej
.text:0047EB82 ; _Disassembleforward+72j
.text:0047EB82 xor eax, eax
.text:0047EB84 xor ebx, ebx
.text:0047EB86 mov [ebp+n], eax
.text:0047EB89 jmp loc_47ECBC
.text:0047EB8E ; ---------------------------------------------------------------------------
.text:0047EB8E
.text:0047EB8E loc_47EB8E: ; CODE XREF: _Disassembleforward+1B8j
.text:0047EB8E test edi, edi
.text:0047EB90 jnz short loc_47EB96
.text:0047EB92 xor eax, eax
.text:0047EB94 jmp short loc_47EB9E
.text:0047EB96 ; ---------------------------------------------------------------------------
.text:0047EB96
.text:0047EB96 loc_47EB96: ; CODE XREF: _Disassembleforward+84j
.text:0047EB96 xor eax, eax
.text:0047EB98 mov al, [edi+ebx]
.text:0047EB9B and eax, 1Fh
.text:0047EB9E
.text:0047EB9E loc_47EB9E: ; CODE XREF: _Disassembleforward+88j
.text:0047EB9E dec eax
.text:0047EB9F sub eax, 2
.text:0047EBA2 jb short loc_47EBB9
.text:0047EBA4 dec eax
.text:0047EBA5 sub eax, 0Bh
.text:0047EBA8 jb short loc_47EBB9
.text:0047EBAA sub eax, 2
.text:0047EBAD jz short loc_47EBB9
.text:0047EBAF add eax, 0FFFFFFF4h
.text:0047EBB2 sub eax, 3
.text:0047EBB5 jb short loc_47EBDA
.text:0047EBB7 jmp short loc_47EBFB
.text:0047EBB9 ; ---------------------------------------------------------------------------
.text:0047EBB9
.text:0047EBB9 loc_47EBB9: ; CODE XREF: _Disassembleforward+96j
.text:0047EBB9 ; _Disassembleforward+9Cj ...
.text:0047EBB9 inc ebx
.text:0047EBBA lea eax, [edi+ebx]
.text:0047EBBD jmp short loc_47EBC1
.text:0047EBBF ; ---------------------------------------------------------------------------
.text:0047EBBF
.text:0047EBBF loc_47EBBF: ; CODE XREF: _Disassembleforward+C7j
.text:0047EBBF inc ebx
.text:0047EBC0 inc eax
.text:0047EBC1
.text:0047EBC1 loc_47EBC1: ; CODE XREF: _Disassembleforward+B1j
.text:0047EBC1 cmp esi, ebx
.text:0047EBC3 jbe loc_47ECB9
.text:0047EBC9 xor edx, edx
.text:0047EBCB mov dl, [eax]
.text:0047EBCD and edx, 1Fh
.text:0047EBD0 cmp edx, 3
.text:0047EBD3 jz short loc_47EBBF
.text:0047EBD5 jmp loc_47ECB9
.text:0047EBDA ; ---------------------------------------------------------------------------
.text:0047EBDA
.text:0047EBDA loc_47EBDA: ; CODE XREF: _Disassembleforward+A9j
.text:0047EBDA inc ebx
.text:0047EBDB lea eax, [edi+ebx]
.text:0047EBDE jmp short loc_47EBE2
.text:0047EBE0 ; ---------------------------------------------------------------------------
.text:0047EBE0
.text:0047EBE0 loc_47EBE0: ; CODE XREF: _Disassembleforward+E8j
.text:0047EBE0 inc ebx
.text:0047EBE1 inc eax
.text:0047EBE2
.text:0047EBE2 loc_47EBE2: ; CODE XREF: _Disassembleforward+D2j
.text:0047EBE2 cmp esi, ebx
.text:0047EBE4 jbe loc_47ECB9
.text:0047EBEA xor edx, edx
.text:0047EBEC mov dl, [eax]
.text:0047EBEE and edx, 1Fh
.text:0047EBF1 cmp edx, 13h
.text:0047EBF4 jz short loc_47EBE0
.text:0047EBF6 jmp loc_47ECB9
.text:0047EBFB ; ---------------------------------------------------------------------------
.text:0047EBFB
.text:0047EBFB loc_47EBFB: ; CODE XREF: _Disassembleforward+ABj
.text:0047EBFB cmp [ebp+Temp], 0
.text:0047EBFF jz short loc_47EC2C
.text:0047EC01 push 0 ; Flag3
.text:0047EC03 lea ecx, [ebp+pResult]
.text:0047EC09 push 0 ; Flag2
.text:0047EC0B push ecx ; pResult
.text:0047EC0C push 0 ; Flag1
.text:0047EC0E mov edx, esi
.text:0047EC10 mov eax, [ebp+dwImageAddr]
.text:0047EC13 sub edx, ebx
.text:0047EC15 add eax, ebx
.text:0047EC17 push eax ; ImageAddr
.text:0047EC18 push edx ; Size
.text:0047EC19 mov ecx, [ebp+Temp]
.text:0047EC1C add ecx, ebx
.text:0047EC1E push ecx ; pMemAddr
.text:0047EC1F call _Disasm ; 返回Eax=Size
.text:0047EC1F ; 00129AF4 0012A47C pMemAddr
.text:0047EC1F ; 00129AF8 00000010 Size
.text:0047EC1F ; 00129AFC 0044F320 ImageAddr
.text:0047EC1F ; 00129B00 00000000 Flag1
.text:0047EC1F ; 00129B04 00129B1C pResultAddr:结果返回当前ImageAddr
.text:0047EC1F ; 00129B08 00000000 Flag2 {0:得到Len,1,2,3,4:得到语言,5:线程,6 }
.text:0047EC1F ; 00129B0C 00000000 Flag3 线程ID
.text:0047EC1F ;
.text:0047EC1F ; pResultAddr+0: CurImageAddr
.text:0047EC1F ; pResultAddr+4: 机器码
.text:0047EC1F ; pResultAddr+104: 汇编语言
.text:0047EC1F ; pResultAddr+304: 注释
.text:0047EC1F ;
.text:0047EC24 add esp, 1Ch
.text:0047EC27 jmp loc_47ECB7
.text:0047EC2C ; ---------------------------------------------------------------------------
.text:0047EC2C 【OD打开_OpenEXEfile】
.text:0047731C _OpenEXEfile proc near ; CODE XREF: sub_431B90+1C2p
.text:0047731C ; sub_431B90+26Ap ...
.text:0047731C
.text:0047731C var_1D2C = dword ptr -1D2Ch
.text:0047731C ProcessInformation= _PROCESS_INFORMATION ptr -1BECh
.text:0047731C var_1BDC = dword ptr -1BDCh
.text:0047731C var_1BBC = dword ptr -1BBCh
.text:0047731C var_1B98 = word ptr -1B98h
.text:0047731C StartupInfo = _STARTUPINFOA ptr -1AFCh
.text:0047731C WideCharStr = word ptr -1AB8h
.text:0047731C CommandLine = byte ptr -18B0h
.text:0047731C buffer = byte ptr -7ACh
.text:0047731C ptr = dword ptr -5A8h
.text:0047731C var_5A4 = dword ptr -5A4h
.text:0047731C s1 = byte ptr -528h
.text:0047731C dir = byte ptr -428h
.text:0047731C FileName = dword ptr -328h
.text:0047731C CurrentDirectory= byte ptr -224h
.text:0047731C String = byte ptr -120h
.text:0047731C var_1C = dword ptr -1Ch
.text:0047731C ppv = dword ptr -18h
.text:0047731C var_14 = dword ptr -14h
.text:0047731C FilePart = dword ptr -10h
.text:0047731C var_8 = dword ptr -8
.text:0047731C var_4 = dword ptr -4
.text:0047731C arg_0 = dword ptr 8
.text:0047731C arg_4 = dword ptr 0Ch
.text:0047731C
.text:0047731C push ebp
.text:0047731D mov ebp, esp
.text:0047731F add esp, 0FFFFF004h
.text:00477325 push eax
.text:00477326 add esp, 0FFFFF2D4h
.text:0047732C push ebx
.text:0047732D push esi
.text:0047732E push edi
.text:0047732F mov ebx, [ebp+arg_0]
.text:00477332 mov esi, offset aTableOfDllHand ; "Table of DLL handles"
.text:00477337 xor eax, eax
.text:00477339 mov [ebp+var_8], eax
.text:0047733C lea edx, [ebp+s1]
。。。。。。。。。。。。。省略。。。。
.text:00477722 push 1 ; bool_RunStop
.text:00477724 call SetDebug_RunStop ; 设置开关:运行,停止
.text:00477729 pop ecx
.text:0047772A test eax, eax
.text:0047772C jz short loc_477736
.text:0047772E or eax, 0FFFFFFFFh
.text:00477731 jmp loc_477A87
.text:00477736 ; ---------------------------------------------------------------------------
.text:00477736
.text:00477736 loc_477736: ; CODE XREF: _OpenEXEfile+410j
.text:00477736 call ClearAppData_NewMEM ; 清除所有的数据:ImportList,ExportList,BreakPointList等等
.text:00477736 ; 然后NewMEM
。。。。。。。。。。。。。省略。。。。
.text:0047778C xor eax, eax ; int
.text:0047778E push esi
.text:0047778F lea edi, [ebp+String]
.text:00477795 or ecx, 0FFFFFFFFh
.text:00477798 repne scasb
.text:0047779A not ecx
.text:0047779C sub edi, ecx
.text:0047779E mov esi, offset DeDebugProcesPathFilename ; 被调试进程的 文件路径+文件名
.text:004777A3 xchg esi, edi
。。。。。。。。。。。。。省略。。。。
.text:004777C8 call j___fnsplit ; 分解路径
.text:004777CD add esp, 14h
.text:004777D0 push 0 ; name
。。。。。。。。。。。。。省略。。。。
.text:004777DC add esp, 8
.text:004777DF call SetPrivateProfile ; 设置调试权限
.text:004777E4 cmp byte_4D5C84, 0
。。。。。。。。。。。。。省略。。。。
.text:004779B1 mov DeAttachProcessID, eax ; 被附加的进程ID
.text:004779B6 mov edx, [ebp+ProcessInformation.dwThreadId] ; int
。。。。。。。。。。。。。省略。。。。
.text:00477A75 call WritePrivateProfileStringA_0
.text:00477A7A add esp, 8
.text:00477A7D push 3
.text:00477A7F call ShowClientWindow ; 刷新显示OD的界面
。。。。。。。。。。。。。省略。。。。
.text:00477A8C pop ebp
.text:00477A8D retn
.text:00477A8D _OpenEXEfile endp
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!