[旧帖] 逆向练习(逆向自己写的exe) 0.00雪花
发表于: 2015-6-17 15:59 1808
; Debugger disassembly (Intel syntax, 32-bit x86, cdecl). The listing shows the
; VC debug-build idioms: 0CCCCCCCCh stack fill, __chkesp after every call site,
; and @ILT+n() incremental-link thunks. Three functions are shown:
;   main          : reads year/month/day with scanf, prints number(...)
;   number(y,m,d) : day-of-year = sum of month lengths before m, plus d
;   leap(y)       : 1 if y is a Gregorian leap year, else 0
; NOTE(review): there is no /GS stack cookie in this build; cmp ebp,esp /
; call __chkesp only detects an ESP mismatch after a call, it is not a
; mitigation against stack corruption.

main:
00401250 push ebp
00401251 mov ebp,esp
00401253 sub esp,50h                    ; 50h (80) bytes of frame; only four ints are used
                                        ; ([ebp-4],[ebp-8],[ebp-0Ch],[ebp-10h] = 16 bytes),
                                        ; the rest is debug-build slack, not "16 bytes of params"
00401256 push ebx
00401257 push esi
00401258 push edi
00401259 lea edi,[ebp-50h]
0040125C mov ecx,14h                    ; 14h dwords = 50h bytes
00401261 mov eax,0CCCCCCCCh
00401266 rep stos dword ptr [edi]       ; debug fill of the whole frame with 0CCh
00401268 push offset string "\xc7\xeb\xca\xe4\xc8\xeb\xc4\xea\xd4\xc2\xc8\xd5\n" (00425030)
                                        ; GBK bytes; appears to decode to "请输入年月日\n"
                                        ; ("enter year month day") -- encoding not shown, confirm
0040126D call printf (00401390)
00401272 add esp,4                      ; cdecl: caller pops 1 arg
00401275 lea eax,[ebp-0Ch]              ; &day
00401278 push eax
00401279 lea ecx,[ebp-8]                ; &month
0040127C push ecx
0040127D lea edx,[ebp-4]                ; &year
00401280 push edx
00401281 push offset string "%d%d%d" (00425028)
00401286 call scanf (00401330)          ; scanf("%d%d%d", &[ebp-4], &[ebp-8], &[ebp-0Ch])
                                        ; i.e. year=[ebp-4], month=[ebp-8], day=[ebp-0Ch]
                                        ; NOTE(review): the return value (count of converted
                                        ; fields) is never checked. On malformed input the
                                        ; three locals keep the 0CCCCCCCCh fill and are
                                        ; passed to number() unvalidated.
0040128B add esp,10h                    ; pop 4 args
0040128E mov eax,dword ptr [ebp-0Ch]    ; day
00401291 push eax
00401292 mov ecx,dword ptr [ebp-8]      ; month
00401295 push ecx
00401296 mov edx,dword ptr [ebp-4]      ; year
00401299 push edx
0040129A call @ILT+0(number) (00401005) ; number(year, month, day) via incremental-link thunk
0040129F add esp,0Ch
004012A2 mov dword ptr [ebp-10h],eax    ; result = return value
004012A5 mov eax,dword ptr [ebp-10h]
004012A8 push eax
004012A9 push offset string "\xb5\xda%d\xcc\xec\n" (0042501c)
                                        ; GBK bytes; appears to decode to "第%d天\n" ("day %d")
004012AE call printf (00401390)
004012B3 add esp,8
004012B6 pop edi
004012B7 pop esi
004012B8 pop ebx
004012B9 add esp,50h
004012BC cmp ebp,esp                    ; debug-runtime check that ESP was restored correctly
004012BE call __chkesp (004012f0)
004012C3 mov esp,ebp
004012C5 pop ebp
                                        ; (listing ends here; the ret is not shown)

; int number(int year, int month, int day)
;   [ebp+8]=year  [ebp+0Ch]=month  [ebp+10h]=day
;   [ebp-4]=sum   [ebp-8]=i
;   [ebp-40h..-14h] = 12 dwords, common-year month lengths
;   [ebp-70h..-44h] = 12 dwords, leap-year month lengths
; Returns sum of lengths of months 0..month-1 (month is treated as 1-based), plus day.
number:
004010A0 push ebp
004010A1 mov ebp,esp
004010A3 sub esp,0B0h                   ; 0B0h-byte frame (two 48-byte tables + locals + slack)
004010A9 push ebx
004010AA push esi
004010AB push edi
004010AC lea edi,[ebp-0B0h]
004010B2 mov ecx,2Ch                    ; 2Ch dwords = 0B0h bytes
004010B7 mov eax,0CCCCCCCCh
004010BC rep stos dword ptr [edi]       ; debug fill
004010BE mov dword ptr [ebp-4],0        ; sum = 0
; common-year table at [ebp-40h]: {31,28,31,30,31,30,31,31,30,31,30,31}
; (the values are 1F,1C,1F,1E,1F,1E,1F,1F,1E,1F,1E,1F -- note Jul/Aug are both 31)
004010C5 mov dword ptr [ebp-40h],1Fh    ; [0]  Jan 31
004010CC mov dword ptr [ebp-3Ch],1Ch    ; [1]  Feb 28
004010D3 mov dword ptr [ebp-38h],1Fh    ; [2]  Mar 31
004010DA mov dword ptr [ebp-34h],1Eh    ; [3]  Apr 30
004010E1 mov dword ptr [ebp-30h],1Fh    ; [4]  May 31
004010E8 mov dword ptr [ebp-2Ch],1Eh    ; [5]  Jun 30
004010EF mov dword ptr [ebp-28h],1Fh    ; [6]  Jul 31
004010F6 mov dword ptr [ebp-24h],1Fh    ; [7]  Aug 31
004010FD mov dword ptr [ebp-20h],1Eh    ; [8]  Sep 30
00401104 mov dword ptr [ebp-1Ch],1Fh    ; [9]  Oct 31
0040110B mov dword ptr [ebp-18h],1Eh    ; [10] Nov 30
00401112 mov dword ptr [ebp-14h],1Fh    ; [11] Dec 31
; leap-year table at [ebp-70h]: {31,29,31,30,31,30,31,31,30,31,30,31}
00401119 mov dword ptr [ebp-70h],1Fh    ; [0]  Jan 31
00401120 mov dword ptr [ebp-6Ch],1Dh    ; [1]  Feb 29
00401127 mov dword ptr [ebp-68h],1Fh    ; [2]  Mar 31
0040112E mov dword ptr [ebp-64h],1Eh    ; [3]  Apr 30
00401135 mov dword ptr [ebp-60h],1Fh    ; [4]  May 31
0040113C mov dword ptr [ebp-5Ch],1Eh    ; [5]  Jun 30
00401143 mov dword ptr [ebp-58h],1Fh    ; [6]  Jul 31
0040114A mov dword ptr [ebp-54h],1Fh    ; [7]  Aug 31
00401151 mov dword ptr [ebp-50h],1Eh    ; [8]  Sep 30
00401158 mov dword ptr [ebp-4Ch],1Fh    ; [9]  Oct 31
0040115F mov dword ptr [ebp-48h],1Eh    ; [10] Nov 30
00401166 mov dword ptr [ebp-44h],1Fh    ; [11] Dec 31
0040116D mov eax,dword ptr [ebp+8]      ; year (first argument)
00401170 push eax
00401171 call @ILT+5(leap) (0040100a)   ; leap(year)
00401176 add esp,4
00401179 cmp eax,1
0040117C jne number+109h (004011a9)     ; not a leap year -> use the common-year table
; leap year: for (i = 0; i < month; i++) sum += leapTable[i];
0040117E mov dword ptr [ebp-8],0        ; i = 0
00401185 jmp number+0F0h (00401190)
00401187 mov ecx,dword ptr [ebp-8]      ; i++
0040118A add ecx,1
0040118D mov dword ptr [ebp-8],ecx
00401190 mov edx,dword ptr [ebp-8]
00401193 cmp edx,dword ptr [ebp+0Ch]    ; signed compare i with month
00401196 jge number+107h (004011a7)     ; i >= month -> exit loop
00401198 mov eax,dword ptr [ebp-8]
0040119B mov ecx,dword ptr [ebp-4]
0040119E add ecx,dword ptr [ebp+eax*4-70h]   ; sum += leapTable[i]  (dword table, so i*4;
                                             ; base [ebp-70h] is the LEAP table, not [ebp-40h])
                                        ; NOTE(review): month is never range-checked. For
                                        ; month > 12 the index runs past the 12-entry table
                                        ; and reads the other table, locals, saved regs and
                                        ; the return address off the stack; the sum is then
                                        ; printed by main, so this is an out-of-bounds stack
                                        ; read with attacker-chosen length.
004011A2 mov dword ptr [ebp-4],ecx
004011A5 jmp number+0E7h (00401187)
004011A7 jmp number+132h (004011d2)
; common year: for (i = 0; i < month; i++) sum += commonTable[i];
004011A9 mov dword ptr [ebp-8],0        ; i = 0
004011B0 jmp number+11Bh (004011bb)
004011B2 mov edx,dword ptr [ebp-8]      ; i++
004011B5 add edx,1
004011B8 mov dword ptr [ebp-8],edx
004011BB mov eax,dword ptr [ebp-8]
004011BE cmp eax,dword ptr [ebp+0Ch]    ; signed compare i with month (the 2nd argument)
004011C1 jge number+132h (004011d2)     ; i >= month -> exit loop
004011C3 mov ecx,dword ptr [ebp-8]
004011C6 mov edx,dword ptr [ebp-4]
004011C9 add edx,dword ptr [ebp+ecx*4-40h]   ; sum += commonTable[i]  (base [ebp-40h] is the
                                             ; COMMON-year table; same unchecked bound as above)
004011CD mov dword ptr [ebp-4],edx
004011D0 jmp number+112h (004011b2)
004011D2 mov eax,dword ptr [ebp-4]      ; eax = sum
004011D5 add eax,dword ptr [ebp+10h]    ; sum += day (third argument, also unvalidated)
004011D8 mov dword ptr [ebp-4],eax
004011DB mov eax,dword ptr [ebp-4]      ; return sum
004011DE pop edi
004011DF pop esi
004011E0 pop ebx
004011E1 add esp,0B0h
004011E7 cmp ebp,esp
004011E9 call __chkesp (004012f0)       ; debug ESP check (not a stack cookie)
004011EE mov esp,ebp
004011F0 pop ebp

; int leap(int year)   [ebp+8]=year
; Returns 1 when (year % 4 == 0 && year % 100 != 0) || year % 400 == 0, else 0.
; Leaf function: no calls, hence no __chkesp.
leap:
00401030 push ebp
00401031 mov ebp,esp
00401033 sub esp,40h
00401036 push ebx
00401037 push esi
00401038 push edi
00401039 lea edi,[ebp-40h]
0040103C mov ecx,10h                    ; 10h dwords = 40h bytes
00401041 mov eax,0CCCCCCCCh
00401046 rep stos dword ptr [edi]       ; debug fill
00401048 mov eax,dword ptr [ebp+8]      ; year
; compiler idiom for signed  year % 4  (power-of-two modulus without idiv):
0040104B and eax,80000003h              ; keep sign bit and the low 2 bits
00401050 jns leap+27h (00401057)        ; non-negative -> low 2 bits already are the remainder
00401052 dec eax                        ; negative: fix up so the remainder keeps the sign of year
00401053 or eax,0FCh                    ; imm8 is sign-extended, i.e. or eax,0FFFFFFFCh
00401056 inc eax
00401057 test eax,eax                   ; AND without storing; sets ZF if year % 4 == 0
00401059 jne leap+3Ah (0040106a)        ; jne JUMPS when ZF=0: year % 4 != 0 -> only %400 can save it
0040105B mov eax,dword ptr [ebp+8]      ; year % 4 == 0: check year % 100
0040105E cdq                            ; sign-extend eax into edx (edx = 0 or 0FFFFFFFFh) before idiv
0040105F mov ecx,64h                    ; 100
00401064 idiv eax,ecx                   ; edx:eax / ecx -> quotient eax, remainder edx (32-bit form)
00401066 test edx,edx                   ; remainder == 0 ?
00401068 jne leap+49h (00401079)        ; year % 100 != 0 -> leap year, return 1
0040106A mov eax,dword ptr [ebp+8]      ; otherwise check year % 400
0040106D cdq
0040106E mov ecx,190h                   ; 400
00401073 idiv eax,ecx                   ; 32-bit divide: dividend edx:eax, divisor ecx,
                                        ; quotient -> eax, remainder -> edx (not the 16-bit dx:ax form)
00401075 test edx,edx                   ; test the REMAINDER, not the quotient
00401077 jne leap+50h (00401080)        ; year % 400 != 0 -> return 0
00401079 mov eax,1                      ; return 1
0040107E jmp leap+52h (00401082)
00401080 xor eax,eax                    ; return 0
00401082 pop edi
00401083 pop esi
00401084 pop ebx
00401085 mov esp,ebp
00401087 pop ebp
; (poster's note) First time posting a reversing write-up; corrections welcome.