[求助]获取简单DLL中函数的功能-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[求助]获取简单DLL中函数的功能

发表于: 2014-2-25 16:35 4985

[求助]获取简单DLL中函数的功能

pstong

2014-2-25 16:35

4985

现有小DLL文件(附件中)一枚，DLL由VC++编译，求大神、雪友们解析DLL中两个函数的功能(算法)？感谢哦！

函数调用方式
declare integer Encrypt_String_Shift in sampleC.dll string @A,integer B,integer C
declare integer Encrypt_File_Shift in sampleC.dll string A,integer B,integer C,integer D

附W32dsm部分解析
Exported fn(): Encrypt_String_Shift - Ord:0001h
:100010B0 53                   push ebx
:100010B1 8B5C240C             mov ebx, dword ptr [esp+0C]
:100010B5 33D2                   xor edx, edx
:100010B7 85DB                   test ebx, ebx
:100010B9 7E3A                   jle 100010F5
:100010BB 56                   push esi
:100010BC 8B74240C             mov esi, dword ptr [esp+0C]
:100010C0 57                   push edi
:100010C1 8B7C2418             mov edi, dword ptr [esp+18]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100010EB(C)
|
:100010C5 8A0C32                mov cl, byte ptr [edx+esi]
:100010C8 85FF                   test edi, edi
:100010CA 8AC1                   mov al, cl
:100010CC 750A                   jne 100010D8
:100010CE C0F805                sar al, 05
:100010D1 2407                   and al, 07
:100010D3 C0E103                shl cl, 03
:100010D6 EB08                   jmp 100010E0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100010CC(C)
|
:100010D8 C0F803                sar al, 03
:100010DB 241F                   and al, 1F
:100010DD C0E105                shl cl, 05

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100010D6(U)
|
:100010E0 0AC1                   or al, cl
:100010E2 42                   inc edx
:100010E3 F6D0                   not al
:100010E5 884432FF             mov byte ptr [edx+esi-01], al
:100010E9 3BD3                   cmp edx, ebx
:100010EB 7CD8                   jl 100010C5
:100010ED 5F                   pop edi
:100010EE 5E                   pop esi
:100010EF 33C0                   xor eax, eax
:100010F1 5B                   pop ebx
:100010F2 C20C00                ret 000C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100010B9(C)
|
:100010F5 33C0                   xor eax, eax
:100010F7 5B                   pop ebx
:100010F8 C20C00                ret 000C

:100010FB 90                   nop
:100010FC 90                   nop
:100010FD 90                   nop
:100010FE 90                   nop
:100010FF 90                   nop

Exported fn(): Encrypt_File_Shift - Ord:0002h
:10001100 64A100000000          mov eax, dword ptr fs:[00000000]
:10001106 6AFF                   push FFFFFFFF
:10001108 6888180010             push 10001888
:1000110D 50                   push eax
:1000110E 64892500000000       mov dword ptr fs:[00000000], esp
:10001115 83EC10                sub esp, 00000010
:10001118 53                   push ebx
:10001119 55                   push ebp
:1000111A 56                   push esi
:1000111B 8B742430             mov esi, dword ptr [esp+30]
:1000111F 57                   push edi
:10001120 8B7C243C             mov edi, dword ptr [esp+3C]
:10001124 83FF01                cmp edi, 00000001
:10001127 740B                   je 10001134
:10001129 85F6                   test esi, esi
:1000112B 7507                   jne 10001134
:1000112D 33C0                   xor eax, eax
:1000112F E99E010000             jmp 100012D2

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

#调试逆向

上传的附件：

sampleC.zip （3.45kb，4次下载）

收藏・1

免费・0

支持

最新回复 (4)
whnet 雪币： 185 活跃值： (25) 能力值： ( LV2，RANK：10 ) 在线值：发帖 22 回帖 1029 粉丝 0 关注私信	whnet 2 楼直接IDA F5 。略修正 2014-2-25 17:17 0
pstong 雪币： 185 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 3 粉丝 0 关注私信	pstong 3 楼已经F5了，怎么修正啊？ int __stdcall Encrypt_String_Shift(int a1, int a2, int a3) { int v3; // edx@1 char v4; // cl@2 char v5; // al@2 char v6; // al@3 char v7; // cl@3 int result; // eax@6 v3 = 0; if ( a2 <= 0 ) { result = 0; } else { do { v4 = (_BYTE )(v3 + a1); v5 = (_BYTE )(v3 + a1); if ( a3 ) { v6 = (v5 >> 3) & 0x1F; v7 = 32 * v4; } else { v6 = (v5 >> 5) & 7; v7 = 8 * v4; } ++v3; (_BYTE )(v3 + a1 - 1) = ~(v7 \| v6); } while ( v3 < a2 ); result = 0; } return result; } —————————————————————————————— signed int __stdcall Encrypt_File_Shift(int a1, int a2, int a3, int a4) { signed int result; // eax@3 unsigned int v5; // ebp@6 SIZE_T v6; // esi@6 HGLOBAL v7; // eax@9 void v8; // ebx@9 SIZE_T v9; // edi@13 char v10; // cl@14 char v11; // al@14 char v12; // al@15 char v13; // cl@15 signed int i; // edi@21 int v15; // [sp+20h] [bp-1Ch]@4 int v16; // [sp+38h] [bp-4h]@4 LPVOID v17; // [sp+44h] [bp+8h]@11 if ( a4 == 1 \|\| a2 ) { CFile::CFile(&v15); v16 = 0; if ( CFile::Open(&v15, a1, 2, 0) ) { v5 = abs(a2); v6 = v5; if ( a4 != 2 \|\| v5 > CFile::GetLength(&v15) ) v6 = CFile::GetLength(&v15); v7 = GlobalAlloc(0, v6); v8 = v7; if ( v7 && GlobalSize(v7) >= v6 ) { v17 = GlobalLock(v8); ((void (__thiscall *)(int , _DWORD, _DWORD))(v15 + 48))(&v15, 0, 0); if ( ((int (__thiscall )(int , LPVOID, SIZE_T))(v15 + 60))(&v15, v17, v6) == v6 ) { v9 = 0; if ( v6 ) { do { v10 = ((_BYTE )v8 + v9); v11 = ((_BYTE )v8 + v9); if ( a3 ) { v12 = (v11 >> 3) & 0x1F; v13 = 32 * v10; } else { v12 = (v11 >> 5) & 7; v13 = 8 * v10; } ((_BYTE )v8 + v9) = ~(v13 \| v12); if ( a4 == 3 && !((v9 + 1) % v5) ) v9 += v5; ++v9; } while ( v9 < v6 ); } ((void (__thiscall )(int , _DWORD, _DWORD))(v15 + 48))(&v15, 0, 0); for ( i = 2000000; v6; v17 = (char )v17 + i ) { if ( v6 < i ) i = v6; ((void (__thiscall *)(int , LPVOID, signed int))(v15 + 64))(&v15, v17, i); if ( v6 <= i ) break; v6 -= i; } GlobalUnlock(v8); GlobalFree(v8); CFile::Close(&v15); v16 = -1; CFile::_CFile(&v15); result = 0; } else { v16 = -1; CFile::_CFile(&v15); result = -3; } } else { v16 = -1; CFile::_CFile(&v15); result = -2; } } else { v16 = -1; CFile::_CFile(&v15); result = -1; } } else { result = 0; } return result; } 2014-2-26 09:47 0
飘云雪币： 2443 活跃值： (464) 能力值： ( LV4，RANK：50 ) 在线值：发帖 9 回帖 189 粉丝 8 关注私信	飘云 1 4 楼 /* 100010B0 > 53 PUSH EBX 100010B1 8B5C24 0C MOV EBX, DWORD PTR SS:[ESP+0xC] 100010B5 33D2 XOR EDX, EDX ; i = EDX = 0 100010B7 85DB TEST EBX, EBX 100010B9 7E 3A JLE SHORT sampleC.100010F5 100010BB 56 PUSH ESI 100010BC 8B7424 0C MOV ESI, DWORD PTR SS:[ESP+0xC] ; szBuf 100010C0 57 PUSH EDI 100010C1 8B7C24 18 MOV EDI, DWORD PTR SS:[ESP+0x18] ; TRUE OR FALS 100010C5 8A0C32 MOV CL, BYTE PTR DS:[EDX+ESI] ; CL = szBuf[i] 100010C8 85FF TEST EDI, EDI ; EDI决定哪种处理方式 100010CA 8AC1 MOV AL, CL ; AL = CL 100010CC 75 0A JNZ SHORT sampleC.100010D8 100010CE C0F8 05 SAR AL, 0x5 100010D1 24 07 AND AL, 0x7 100010D3 C0E1 03 SHL CL, 0x3 100010D6 EB 08 JMP SHORT sampleC.100010E0 100010D8 C0F8 03 SAR AL, 0x3 ; AL = AL >> 3 100010DB 24 1F AND AL, 0x1F ; AL = AL & 0x1F 100010DD C0E1 05 SHL CL, 0x5 ; CL * 0x20 100010E0 0AC1 OR AL, CL ; AL \| CL 100010E2 42 INC EDX ; i++ 100010E3 F6D0 NOT AL ; AL = ~AL 100010E5 884432 FF MOV BYTE PTR DS:[EDX+ESI-0x1], AL ; 写回缓冲区 100010E9 3BD3 CMP EDX, EBX 100010EB ^ 7C D8 JL SHORT sampleC.100010C5 100010ED 5F POP EDI 100010EE 5E POP ESI 100010EF 33C0 XOR EAX, EAX 100010F1 5B POP EBX 100010F2 C2 0C00 RETN 0xC / #include <stdio.h> #include <Windows.h> INT __stdcall _Encrypt_String_Shift(byte szBuf, int len, BOOL b) { if (len <= 0) { return 0; } int i, x; for (i=0; i<len; i++) { x = szBuf[i]; if(b) szBuf[i] = ~((0x20 * x) \| (x >> 3) & 0x1F); else szBuf[i] = ~((0x8 * x) \| (x >> 5) & 0x7); } return 1; } void main() { // int __stdcall Encrypt_String_Shift(int a1, int a2, int a3) -- IDA函数原型 // 通过逆向，修正为如下原型： // INT __stdcall _Encrypt_String_Shift(byte* szBuf, int len, BOOL b) // 数据缓冲区，数据长度，加密方式 typedef int (__stdcall *pfnEncrypt_String_Shift)(PBYTE, INT, BOOL); // 函数指针类型 HINSTANCE hinstance = ::LoadLibrary("sampleC.dll"); pfnEncrypt_String_Shift Encrypt_String_Shift = (pfnEncrypt_String_Shift)GetProcAddress(hinstance, "Encrypt_String_Shift"); BYTE szBuf[4] = {0}; INT i; szBuf[0] = 0x11; szBuf[1] = 0x22; szBuf[2] = 0x33; szBuf[3] = 0x44; printf("加密前缓冲区：\n"); for (i = 0; i < 4; i++) { printf("%X\n", szBuf[i]); } _Encrypt_String_Shift(szBuf, 10, TRUE); printf("加密后缓冲区：\n"); for (i = 0; i < 4; i++) { printf("%X\n", szBuf[i]); } } 2014-3-1 14:45 0
pstong 雪币： 185 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 3 粉丝 0 关注私信	pstong 5 楼哇，果然都是高手啊，学习中... 感谢飘云 2014-3-3 16:24 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

pstong

发帖

回帖

RANK

关注

私信

他的文章

[求助]获取简单DLL中函数的功能 4986

关于我们

联系我们

企业服务

看雪公众号

最新回复 (4)
whnet 雪币： 185 活跃值： (25) 能力值： ( LV2，RANK：10 ) 在线值：发帖 22 回帖 1029 粉丝 0 关注私信	whnet 2 楼直接IDA F5 。略修正 2014-2-25 17:17 0
pstong 雪币： 185 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 3 粉丝 0 关注私信	pstong 3 楼已经F5了，怎么修正啊？ int __stdcall Encrypt_String_Shift(int a1, int a2, int a3) { int v3; // edx@1 char v4; // cl@2 char v5; // al@2 char v6; // al@3 char v7; // cl@3 int result; // eax@6 v3 = 0; if ( a2 <= 0 ) { result = 0; } else { do { v4 = (_BYTE )(v3 + a1); v5 = (_BYTE )(v3 + a1); if ( a3 ) { v6 = (v5 >> 3) & 0x1F; v7 = 32 * v4; } else { v6 = (v5 >> 5) & 7; v7 = 8 * v4; } ++v3; (_BYTE )(v3 + a1 - 1) = ~(v7 \| v6); } while ( v3 < a2 ); result = 0; } return result; } —————————————————————————————— signed int __stdcall Encrypt_File_Shift(int a1, int a2, int a3, int a4) { signed int result; // eax@3 unsigned int v5; // ebp@6 SIZE_T v6; // esi@6 HGLOBAL v7; // eax@9 void v8; // ebx@9 SIZE_T v9; // edi@13 char v10; // cl@14 char v11; // al@14 char v12; // al@15 char v13; // cl@15 signed int i; // edi@21 int v15; // [sp+20h] [bp-1Ch]@4 int v16; // [sp+38h] [bp-4h]@4 LPVOID v17; // [sp+44h] [bp+8h]@11 if ( a4 == 1 \|\| a2 ) { CFile::CFile(&v15); v16 = 0; if ( CFile::Open(&v15, a1, 2, 0) ) { v5 = abs(a2); v6 = v5; if ( a4 != 2 \|\| v5 > CFile::GetLength(&v15) ) v6 = CFile::GetLength(&v15); v7 = GlobalAlloc(0, v6); v8 = v7; if ( v7 && GlobalSize(v7) >= v6 ) { v17 = GlobalLock(v8); ((void (__thiscall *)(int , _DWORD, _DWORD))(v15 + 48))(&v15, 0, 0); if ( ((int (__thiscall )(int , LPVOID, SIZE_T))(v15 + 60))(&v15, v17, v6) == v6 ) { v9 = 0; if ( v6 ) { do { v10 = ((_BYTE )v8 + v9); v11 = ((_BYTE )v8 + v9); if ( a3 ) { v12 = (v11 >> 3) & 0x1F; v13 = 32 * v10; } else { v12 = (v11 >> 5) & 7; v13 = 8 * v10; } ((_BYTE )v8 + v9) = ~(v13 \| v12); if ( a4 == 3 && !((v9 + 1) % v5) ) v9 += v5; ++v9; } while ( v9 < v6 ); } ((void (__thiscall )(int , _DWORD, _DWORD))(v15 + 48))(&v15, 0, 0); for ( i = 2000000; v6; v17 = (char )v17 + i ) { if ( v6 < i ) i = v6; ((void (__thiscall *)(int , LPVOID, signed int))(v15 + 64))(&v15, v17, i); if ( v6 <= i ) break; v6 -= i; } GlobalUnlock(v8); GlobalFree(v8); CFile::Close(&v15); v16 = -1; CFile::_CFile(&v15); result = 0; } else { v16 = -1; CFile::_CFile(&v15); result = -3; } } else { v16 = -1; CFile::_CFile(&v15); result = -2; } } else { v16 = -1; CFile::_CFile(&v15); result = -1; } } else { result = 0; } return result; } 2014-2-26 09:47 0
飘云雪币： 2443 活跃值： (464) 能力值： ( LV4，RANK：50 ) 在线值：发帖 9 回帖 189 粉丝 8 关注私信	飘云 1 4 楼 /* 100010B0 > 53 PUSH EBX 100010B1 8B5C24 0C MOV EBX, DWORD PTR SS:[ESP+0xC] 100010B5 33D2 XOR EDX, EDX ; i = EDX = 0 100010B7 85DB TEST EBX, EBX 100010B9 7E 3A JLE SHORT sampleC.100010F5 100010BB 56 PUSH ESI 100010BC 8B7424 0C MOV ESI, DWORD PTR SS:[ESP+0xC] ; szBuf 100010C0 57 PUSH EDI 100010C1 8B7C24 18 MOV EDI, DWORD PTR SS:[ESP+0x18] ; TRUE OR FALS 100010C5 8A0C32 MOV CL, BYTE PTR DS:[EDX+ESI] ; CL = szBuf[i] 100010C8 85FF TEST EDI, EDI ; EDI决定哪种处理方式 100010CA 8AC1 MOV AL, CL ; AL = CL 100010CC 75 0A JNZ SHORT sampleC.100010D8 100010CE C0F8 05 SAR AL, 0x5 100010D1 24 07 AND AL, 0x7 100010D3 C0E1 03 SHL CL, 0x3 100010D6 EB 08 JMP SHORT sampleC.100010E0 100010D8 C0F8 03 SAR AL, 0x3 ; AL = AL >> 3 100010DB 24 1F AND AL, 0x1F ; AL = AL & 0x1F 100010DD C0E1 05 SHL CL, 0x5 ; CL * 0x20 100010E0 0AC1 OR AL, CL ; AL \| CL 100010E2 42 INC EDX ; i++ 100010E3 F6D0 NOT AL ; AL = ~AL 100010E5 884432 FF MOV BYTE PTR DS:[EDX+ESI-0x1], AL ; 写回缓冲区 100010E9 3BD3 CMP EDX, EBX 100010EB ^ 7C D8 JL SHORT sampleC.100010C5 100010ED 5F POP EDI 100010EE 5E POP ESI 100010EF 33C0 XOR EAX, EAX 100010F1 5B POP EBX 100010F2 C2 0C00 RETN 0xC / #include <stdio.h> #include <Windows.h> INT __stdcall _Encrypt_String_Shift(byte szBuf, int len, BOOL b) { if (len <= 0) { return 0; } int i, x; for (i=0; i<len; i++) { x = szBuf[i]; if(b) szBuf[i] = ~((0x20 * x) \| (x >> 3) & 0x1F); else szBuf[i] = ~((0x8 * x) \| (x >> 5) & 0x7); } return 1; } void main() { // int __stdcall Encrypt_String_Shift(int a1, int a2, int a3) -- IDA函数原型 // 通过逆向，修正为如下原型： // INT __stdcall _Encrypt_String_Shift(byte* szBuf, int len, BOOL b) // 数据缓冲区，数据长度，加密方式 typedef int (__stdcall *pfnEncrypt_String_Shift)(PBYTE, INT, BOOL); // 函数指针类型 HINSTANCE hinstance = ::LoadLibrary("sampleC.dll"); pfnEncrypt_String_Shift Encrypt_String_Shift = (pfnEncrypt_String_Shift)GetProcAddress(hinstance, "Encrypt_String_Shift"); BYTE szBuf[4] = {0}; INT i; szBuf[0] = 0x11; szBuf[1] = 0x22; szBuf[2] = 0x33; szBuf[3] = 0x44; printf("加密前缓冲区：\n"); for (i = 0; i < 4; i++) { printf("%X\n", szBuf[i]); } _Encrypt_String_Shift(szBuf, 10, TRUE); printf("加密后缓冲区：\n"); for (i = 0; i < 4; i++) { printf("%X\n", szBuf[i]); } } 2014-3-1 14:45 0
pstong 雪币： 185 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 3 粉丝 0 关注私信	pstong 5 楼哇，果然都是高手啊，学习中... 感谢飘云 2014-3-3 16:24 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复