[Old post] [Help] Is this the main function entry?

Posted: 2015-8-13 17:22

I just read A1Pass's post on how to find the main function entry:
http://bbs.pediy.com/showthread.php?t=113691
I tried it myself and I'm not sure whether I got it right; please help me check:
Environment:
The C code is as follows:
#include <stdio.h>
int main(int argc, char * argv[] )
{
printf("Hello World!\r\n");
return 0;
}
The build environment is Qt+MinGW.
I'm using IDA 6.5.
Release build.
1. First I found the hello string:
.text:004026F0 ; =============== S U B R O U T I N E =======================================
.text:004026F0
.text:004026F0 ; Attributes: bp-based frame
.text:004026F0
.text:004026F0 sub_4026F0 proc near ; CODE XREF: sub_401180+259p
.text:004026F0
.text:004026F0 Str = dword ptr -10h
.text:004026F0
.text:004026F0 push ebp
.text:004026F1 mov ebp, esp
.text:004026F3 and esp, 0FFFFFFF0h
.text:004026F6 sub esp, 10h
.text:004026F9 call sub_401EF0
.text:004026FE mov [esp+10h+Str], offset Str ; "Hello World!\r"
.text:00402705 call puts
.text:0040270A xor eax, eax
.text:0040270C leave
.text:0040270D retn
.text:0040270D sub_4026F0 endp
2. Following IDA's cross-reference, I found the place that calls sub_4026F0:
.text:0040139D loc_40139D: ; CODE XREF: sub_401180+326j
.text:0040139D mov esi, [ebp+var_6C]
.text:004013A0 mov dword ptr [esi+eax], 0
.text:004013A7 mov ds:dword_406018, esi
.text:004013AD call sub_401EF0
.text:004013B2 mov eax, ds:__initenv
.text:004013B7 mov edx, ds:dword_406014
.text:004013BD mov [eax], edx
.text:004013BF mov eax, ds:dword_406014
.text:004013C4 mov [esp+88h+Size], eax
.text:004013C8 mov eax, ds:dword_406018
.text:004013CD mov [esp+88h+Src], eax
.text:004013D1 mov eax, ds:dword_40601C
.text:004013D6 mov [esp+88h+dwMilliseconds], eax
.text:004013D9 call sub_4026F0
.text:004013DE mov ecx, ds:dword_406008
.text:004013E4 test ecx, ecx
.text:004013E6 mov ds:dword_40600C, eax
.text:004013EB jz loc_4014AB
.text:004013F1 mov edx, ds:dword_406004
.text:004013F7 test edx, edx
.text:004013F9 jnz short loc_401405
.text:004013FB call _cexit
.text:00401400 mov eax, ds:dword_40600C
3. I see there is a call _cexit here.
I'm not sure whether this is the main function. I've only just started teaching myself reverse engineering and don't know anything yet, so please advise. Thanks.
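As an added example (not code from the post or from A1Pass's article), here is a small Python script that applies the reasoning behind the question mechanically to the startup-code listing quoted above. It parses the IDA-style lines and looks for a call that (a) is immediately preceded by three stack-argument stores, which is the shape of the MinGW CRT handing argc, argv and envp to main, and (b) has its return value in eax consumed right after the call, as the startup code does before heading towards _cexit / exit. The heuristic, the regexes and the function names are my own assumptions; the sample listing is a constructed copy of the lines quoted in the post.

```python
import re

# Constructed sample: the startup-code lines quoted in the post above.
LISTING = """\
.text:0040139D loc_40139D: ; CODE XREF: sub_401180+326j
.text:0040139D mov esi, [ebp+var_6C]
.text:004013A0 mov dword ptr [esi+eax], 0
.text:004013A7 mov ds:dword_406018, esi
.text:004013AD call sub_401EF0
.text:004013B2 mov eax, ds:__initenv
.text:004013B7 mov edx, ds:dword_406014
.text:004013BD mov [eax], edx
.text:004013BF mov eax, ds:dword_406014
.text:004013C4 mov [esp+88h+Size], eax
.text:004013C8 mov eax, ds:dword_406018
.text:004013CD mov [esp+88h+Src], eax
.text:004013D1 mov eax, ds:dword_40601C
.text:004013D6 mov [esp+88h+dwMilliseconds], eax
.text:004013D9 call sub_4026F0
.text:004013DE mov ecx, ds:dword_406008
.text:004013E4 test ecx, ecx
.text:004013E6 mov ds:dword_40600C, eax
.text:004013EB jz loc_4014AB
.text:004013F1 mov edx, ds:dword_406004
.text:004013F7 test edx, edx
.text:004013F9 jnz short loc_401405
.text:004013FB call _cexit
.text:00401400 mov eax, ds:dword_40600C
"""

# ".text:<8 hex digits> <mnemonic> [operands]" (IDA text-listing shape, assumed)
LINE_RE = re.compile(r"^\.text:([0-9A-Fa-f]{8})\s+(\S+)(?:\s+(.*))?$")
# a store of eax into an [esp+...] slot, i.e. a stack argument being set up
STACK_ARG_RE = re.compile(r"^\[esp\+[^\]]*\],\s*eax$")


def parse_listing(text):
    """Turn IDA-style lines into (address, mnemonic, operands); skip labels and comments."""
    insns = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop the ';' comment part
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, mnem, ops = m.group(1), m.group(2), (m.group(3) or "").strip()
        if mnem.endswith(":"):  # label line such as "loc_40139D:"
            continue
        insns.append((int(addr, 16), mnem.lower(), ops))
    return insns


def find_main_candidates(insns, nargs=3):
    """Return [(call_address, target)] for calls that look like CRT -> main(argc, argv, envp).

    Heuristic (assumption, not an IDA rule): exactly `nargs` consecutive stack-argument
    stores before the call (loads into eax in between are allowed), and eax consumed by
    a mov shortly after the call, as the startup code does with main's return value.
    """
    found = []
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem != "call" or ops.startswith("_"):  # skip CRT helpers such as _cexit
            continue
        stores, j = 0, i - 1
        while j >= 0:
            m2, o2 = insns[j][1], insns[j][2]
            if m2 == "mov" and STACK_ARG_RE.match(o2):
                stores += 1
            elif m2 == "mov" and o2.startswith("eax,"):
                pass  # the load that feeds the next store
            else:
                break
            j -= 1
        if stores != nargs:
            continue
        uses_ret = any(m3 == "mov" and o3.endswith(", eax")
                       for _, m3, o3 in insns[i + 1:i + 5])
        if uses_ret:
            found.append((addr, ops))
    return found


if __name__ == "__main__":
    for call_addr, target in find_main_candidates(parse_listing(LISTING)):
        print(f"main candidate: {target} called at {call_addr:08X}")
```

On the quoted listing the only call that matches is `sub_4026F0` at 004013D9; `sub_401EF0` is rejected because no stack arguments are set up for it, and `_cexit` is a CRT helper. The takeaway for reading such listings is that the block containing `_cexit` is the runtime's startup routine, and the user function is the callee that receives the three arguments and whose return value the startup code keeps.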