IDA -- Building Delphi class tables with IDC
Original author: dietrich_teickner@arcor.de
Modified by: gzgzlxg@hotmail.com
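When IDA analyzes a Delphi program, it does not handle the class tables (including the VMT tables) well, which makes analyzing Delphi programs much harder.
Analyzing these class tables by hand in IDA is more work than words can express, and it requires the analyst to be familiar with the Delphi class table structure.
I recently downloaded from the internet an IDC script that searches for Delphi class tables and made some changes to it, so that the script builds clear class tables and creates class table names and comments. IDC scripts use a C-like syntax, so I will not explain further. If anything is unclear, please read the script.
This script correctly builds all class tables and Delphi strings. The class table naming may be incorrect because I have no reference material on it at hand; if you have such material you can modify it yourself, and of course it would be best to send me a copy back, which is only basic decency. Analyzing a complete Delphi program takes a few minutes, but the script does not process code or some C strings and Unicode strings; you still need to handle those by hand or with other helper IDC scripts. Also, after this cleanup, use IDA's analysis command to reanalyze the program: now that the class tables are in place, IDA can analyze all of the code well.
If you find a bug while using it, please send me an email.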
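Notes:
IDA's scripting language has many bugs and defects, especially in loop statements, and the results often leave you not knowing whether to laugh or cry, so all loops in this script count downward. If you use another approach, you will find out what happens when you try it yourself (versions 4.7-4.8; I have not used version 4.9, so I do not know). Some functions also exist in name only and return fairly arbitrary results, which is why C strings and Unicode strings are not processed.
Enjoy.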
gzgzlxg
2006-02-27
Below are some analysis examples:
This is the result after IDA's analysis has finished.
CODE:00401000 CODE segment para public 'CODE' use32
CODE:00401000 assume cs:CODE
CODE:00401000 ;org 401000h
CODE:00401000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
CODE:00401000 add al, 10h
CODE:00401002 inc eax
CODE:00401003 add [ebx], al
CODE:00401005 pop es
CODE:00401006 inc edx
CODE:00401007 outsd
CODE:00401008 outsd
CODE:00401009 ins byte ptr es:[edi], dx
CODE:0040100A db 65h
CODE:0040100A popa
CODE:0040100C outsb
CODE:0040100D add [eax], eax
CODE:0040100F dd 1000000h, 0, 5004010h, 736C6146h, 72540465h
CODE:00401023 jnz short loc_40108A
CODE:00401025
CODE:00401025 loc_401025: ; CODE XREF: HEADER:00400F53j
CODE:00401025 lea eax, [eax+0]
CODE:00401028 sub al, 10h
CODE:0040102A inc eax
CODE:0040102B add [edx], al
CODE:0040102D add al, 43h
CODE:0040102F push 17261h
CODE:00401034 dd 0FF000000h, 90000000h, 401040h, 6D530801h, 696C6C61h
CODE:00401034 dd 2746Eh, 0FFFFFF80h, 9000007Fh, 401058h, 6E490701h, 65676574h
CODE:00401034 dd 472h, 0FFFF8000h, 0C08B7FFFh, 401070h, 79420401h, 16574h
CODE:00401034 dd 0FF000000h, 90000000h, 401084h, 6F570401h
CODE:00401088 jb short loc_4010EE
CODE:0040108A
CODE:0040108A loc_40108A: ; CODE XREF: CODE:00401023j
CODE:0040108A add eax, [eax]
CODE:0040108C dd 0FF000000h, 900000FFh, 401098h, 61430801h, 6E696472h
CODE:0040108C dd 56C61h, 0FF000000h, 90FFFFFFh
CODE:004010AC dword_4010AC dd 4010B0h ; DATA XREF: sub_40E95C+65r
CODE:004010AC ; sub_40E95C+A4r ...
CODE:004010B0 dd 7453060Ah, 676E6972h, 401104h, 7 dup(0), 401104h, 4
CODE:004010B0 dd 0, 403F90h, 403F9Ch
CODE:004010EC db 0A0h, 3Fh
CODE:004010EE
CODE:004010EE loc_4010EE: ; CODE XREF: CODE:00401088j
CODE:004010EE inc eax
CODE:004010EF add [edi+edi+3F980040h], ah
CODE:004010F6 inc eax
CODE:004010F7 add al, ah
CODE:004010F9 cmp al, 40h
CODE:004010FB add ah, bh
CODE:004010FD cmp al, 40h
CODE:004010FF add [eax], bh
CODE:00401101 cmp eax, 54070040h
CODE:00401106 dec edi
CODE:00401107 bound ebp, [edx+65h]
CODE:0040110A arpl [eax+edx+11h], si
CODE:0040110E inc eax
CODE:0040110F add [edi], al
CODE:00401111 pop es
CODE:00401112 push esp
CODE:00401113 dec edi
CODE:00401114 bound ebp, [edx+65h]
CODE:00401117 arpl [esp+eax+11h], si
CODE:0040111B inc eax
CODE:0040111C dd 0, 6000000h, 74737953h, 6D65h, 401130h, 49490A0Fh, 7265746Eh
CODE:0040111C dd 65636166h, 0, 1, 0, 0C000h, 0, 79530646h, 6D657473h
CODE:0040111C dd 0FFFF0003h, 244483CCh, 0C5E9F804h, 83000053h, 0F8042444h
CODE:0040111C dd 53E3E9h, 24448300h, 0EDE9F804h, 0CC000053h, 40115DCCh
CODE:0040111C dd 40116700h, 40117100h, 100h, 2 dup(0), 0C000h, 0, 40117D46h
CODE:0040111C dd 800h, 0, 408D00h, 4011F8h, 401189h, 6 dup(0), 4011F8h
CODE:0040111C dd 0Ch, 4010B8h, 403F90h, 406500h, 40650Ch, 403FA4h, 403F98h
CODE:0040111C dd 40651Ch, 403CFCh, 403D38h, 6E495411h, 66726574h, 64656361h
CODE:0040111C dd 656A624Fh, 0C08B7463h, 401210h, 44540904h, 54657461h
CODE:0040111C dd 1656D69h

CODE:00401000 ; Segment type: Pure code
CODE:00401000 ; Segment permissions: Read/Write/Execute
CODE:00401000 CODE segment para public 'CODE' use32
CODE:00401000 assume cs:CODE
CODE:00401000 ;org 401000h
CODE:00401000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
CODE:00401000 Boolean_Ptr dd offset Boolean ; DATA XREF: CODE:00401016o
CODE:00401004 Boolean db 3 ; DATA XREF: CODE:Boolean_Ptro
CODE:00401005 aBoolean db 7,'Boolean'
CODE:0040100D db 1
CODE:0040100E dd 0
CODE:00401012 dd 1
CODE:00401016 dd offset Boolean_Ptr
CODE:0040101A aFalse_2 db 5,'False'
CODE:00401020 aTrue_1 db 4,'True'
CODE:00401025 algn_401025: ; CODE XREF: HEADER:00400F53j
CODE:00401025 align 4
CODE:00401028 Char_Ptr dd offset Char
CODE:0040102C Char db 2 ; DATA XREF: CODE:Char_Ptro
CODE:0040102D aChar db 4,'Char'
CODE:00401032 db 1
CODE:00401033 dd 0
CODE:00401037 dd 0FFh
CODE:0040103B align 4
CODE:0040103C Smallint_Ptr dd offset Smallint
CODE:00401040 Smallint db 1 ; DATA XREF: CODE:Smallint_Ptro
CODE:00401041 aSmallint db 8,'Smallint'
CODE:0040104A db 2
CODE:0040104B dd 0FFFF8000h
CODE:0040104F dd 7FFFh
CODE:00401053 align 4
CODE:00401054 Integer_Ptr dd offset Integer
CODE:00401058 Integer db 1 ; DATA XREF: CODE:Integer_Ptro
CODE:00401059 aInteger db 7,'Integer'
CODE:00401061 db 4
CODE:00401062 dd 80000000h
CODE:00401066 dd 7FFFFFFFh
CODE:0040106A align 4
CODE:0040106C Byte_Ptr dd offset Byte
CODE:00401070 Byte db 1 ; DATA XREF: CODE:Byte_Ptro
CODE:00401071 aByte db 4,'Byte'
CODE:00401076 db 1
CODE:00401077 dd 0
CODE:0040107B dd 0FFh
CODE:0040107F align 4
CODE:00401080 Word_Ptr dd offset Word
CODE:00401084 Word db 1 ; DATA XREF: CODE:Word_Ptro
CODE:00401085 aWord db 4,'Word'
CODE:0040108A db 3
CODE:0040108B dd 0
CODE:0040108F dd 0FFFFh
CODE:00401093 align 4
CODE:00401094 Cardinal_Ptr dd offset Cardinal
CODE:00401098 Cardinal db 1 ; DATA XREF: CODE:Cardinal_Ptro
CODE:00401099 aCardinal db 8,'Cardinal'
CODE:004010A2 db 5
CODE:004010A3 dd 0
CODE:004010A7 dd 0FFFFFFFFh
CODE:004010AB align 4
CODE:004010AC String_0_Ptr dd offset String_0 ; DATA XREF: sub_40E95C+65r
CODE:004010AC ; sub_40E95C+A4r ...
CODE:004010B0 String_0 db 0Ah ; DATA XREF: CODE:String_0_Ptro
CODE:004010B1 aString_0 db 6,'String'
CODE:004010B8 _VmtPtr dd offset _ClassTab ; DATA XREF: CODE:004011D4o
CODE:004010B8 ; vmtSelfPtr
CODE:004010BC dd 0 ; vmtIntfTable
CODE:004010C0 dd 0 ; vmtAutoTable
CODE:004010C4 dd 0 ; vmtInitTable
CODE:004010C8 dd 0 ; vmtTypeInfo
CODE:004010CC dd 0 ; vmtFieldTable
CODE:004010D0 dd 0 ; vmtMethodTable
CODE:004010D4 dd 0 ; vmtDynamicTable
CODE:004010D8 dd offset _ClassTab ; vmtClassName
CODE:004010DC dd 4 ; vmtInstanceSize
CODE:004010E0 dd 0 ; vmtParent
CODE:004010E4 dd offset sub_403F90 ; vmtSafeCallException
CODE:004010E8 dd offset nullsub_7 ; vmtAfterConstruction
CODE:004010EC dd offset nullsub_6 ; vmtBeforeDestruction
CODE:004010F0 dd offset loc_403FA4 ; vmtDispatch
CODE:004010F4 dd offset nullsub_4 ; vmtDefaultHandler
CODE:004010F8 dd offset sub_403CE0 ; vmtNewInstance
CODE:004010FC dd offset sub_403CFC ; vmtFreeInstance
CODE:00401100 dd offset sub_403D38 ; vmtDestroy
CODE:00401104 _ClassTab db 7,'TObject' ; DATA XREF: CODE:_VmtPtro
CODE:00401104 ; CODE:004010D8o ...
CODE:00401104 ; vmtQueryInterface
CODE:0040110C Tobject_TypeInfo_Ptr dd offset Tobject_TypeInfo
CODE:00401110 Tobject_TypeInfo db 7 ; DATA XREF: CODE:Tobject_TypeInfo_Ptro
CODE:00401111 aTobject db 7,'TObject'
CODE:00401119 dd offset _ClassTab ; "TObject"
CODE:0040111D dd 0
CODE:00401121 dw 0
CODE:00401123 aSystem db 6,'System'
CODE:0040112A dw 0
CODE:0040112C Iinterface_Ptr dd offset Iinterface
CODE:00401130 Iinterface db 0Fh ; DATA XREF: CODE:Iinterface_Ptro
CODE:00401131 aIinterface db 10,'IInterface'
CODE:0040113C dd 0
CODE:00401140 db 1
CODE:00401141 dd 0 ; Data1
CODE:00401141 dw 0 ; Data2
CODE:00401141 dw 0 ; Data3
CODE:00401141 db 0C0h, 6 dup(0), 46h ; Data4
CODE:00401151 aSystem_0 db 6,'System'
CODE:00401158 dd 0FFFF0003h
CODE:0040115C db 0CCh ; ?
CODE:0040115D
CODE:0040115D ; =============== S U B R O U T I N E =======================================
CODE:0040115D
CODE:0040115D
CODE:0040115D sub_40115D proc near ; DATA XREF: CODE:Tinterfacedobj_InftMethodTabo
CODE:0040115D
CODE:0040115D arg_0 = dword ptr 4
CODE:0040115D
CODE:0040115D ; FUNCTION CHUNK AT CODE:0040652C SIZE 00000026 BYTES
CODE:0040115D
CODE:0040115D add [esp+arg_0], 0FFFFFFF8h
CODE:00401162 jmp loc_40652C
CODE:00401162 sub_40115D endp
CODE:00401162
CODE:00401167
CODE:00401167 ; =============== S U B R O U T I N E =======================================
CODE:00401167
CODE:00401167
CODE:00401167 sub_401167 proc near ; DATA XREF: CODE:00401181o
CODE:00401167
CODE:00401167 arg_0 = dword ptr 4
CODE:00401167
CODE:00401167 ; FUNCTION CHUNK AT CODE:00406554 SIZE 00000013 BYTES
CODE:00401167
CODE:00401167 add [esp+arg_0], 0FFFFFFF8h
CODE:0040116C jmp loc_406554
CODE:0040116C sub_401167 endp
CODE:0040116C
CODE:00401171
CODE:00401171 ; =============== S U B R O U T I N E =======================================
CODE:00401171
CODE:00401171
CODE:00401171 sub_401171 proc near ; DATA XREF: CODE:00401185o
CODE:00401171
CODE:00401171 arg_0 = dword ptr 4
CODE:00401171
CODE:00401171 ; FUNCTION CHUNK AT CODE:00406568 SIZE 00000028 BYTES
CODE:00401171
CODE:00401171 add [esp+arg_0], 0FFFFFFF8h
CODE:00401176 jmp loc_406568
CODE:00401176 sub_401171 endp
CODE:00401176
CODE:0040117B db 0CCh ; ?
CODE:0040117C db 0CCh ; ?
CODE:0040117D Tinterfacedobj_InftMethodTab dd offset sub_40115D ; DATA XREF: CODE:0040119Do
CODE:00401181 dd offset sub_401167
CODE:00401185 dd offset sub_401171
CODE:00401189 Tinterfacedobj_IntfTab dd 1 ; DATA XREF: CODE:004011B0o
CODE:0040118D dd 0 ; Data1
CODE:0040118D dw 0 ; Data2
CODE:0040118D dw 0 ; Data3
CODE:0040118D db 0C0h, 6 dup(0), 46h ; Data4
CODE:0040119D dd offset Tinterfacedobj_InftMethodTab
CODE:004011A1 dd 8
CODE:004011A5 dd 0
CODE:004011A9 align 4
CODE:004011AC Tinterfacedobj_VmtPtr dd offset Tinterfacedobj_ClassTab ; vmtSelfPtr
CODE:004011B0 dd offset Tinterfacedobj_IntfTab ; vmtIntfTable
CODE:004011B4 dd 0 ; vmtAutoTable
CODE:004011B8 dd 0 ; vmtInitTable
CODE:004011BC dd 0 ; vmtTypeInfo
CODE:004011C0 dd 0 ; vmtFieldTable
CODE:004011C4 dd 0 ; vmtMethodTable
CODE:004011C8 dd 0 ; vmtDynamicTable
CODE:004011CC dd offset Tinterfacedobj_ClassTab ; vmtClassName
CODE:004011D0 dd 0Ch ; vmtInstanceSize
CODE:004011D4 dd offset _VmtPtr ; vmtParent
CODE:004011D8 dd offset sub_403F90 ; vmtSafeCallException
CODE:004011DC dd offset loc_406500 ; vmtAfterConstruction
CODE:004011E0 dd offset loc_40650C ; vmtBeforeDestruction
CODE:004011E4 dd offset loc_403FA4 ; vmtDispatch
CODE:004011E8 dd offset nullsub_4 ; vmtDefaultHandler
CODE:004011EC dd offset loc_40651C ; vmtNewInstance
CODE:004011F0 dd offset sub_403CFC ; vmtFreeInstance
CODE:004011F4 dd offset sub_403D38 ; vmtDestroy
CODE:004011F8 Tinterfacedobj_ClassTab db 17,'TInterfacedObject'
CODE:004011F8 ; DATA XREF: CODE:Tinterfacedobj_VmtPtro
CODE:004011F8 ; CODE:004011CCo
CODE:004011F8 ; vmtQueryInterface
CODE:0040120A align 4
CODE:0040120C Tdatetime_Ptr dd offset Tdatetime
CODE:00401210 Tdatetime db 4 ; DATA XREF: CODE:Tdatetime_Ptro
CODE:00401211 aTdatetime db 9,'TDateTime'
CODE:0040121B db 1
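
The commented listing above shows a 19-dword header from vmtSelfPtr to vmtDestroy, with vmtSelfPtr pointing 0x4C bytes ahead and vmtParent pointing at the parent's header. The stand-alone Python sketch below is an added example, not the IDC script (which this page does not reproduce); it locates such headers in a byte image and recovers the class hierarchy. The self-pointer heuristic, the function names and the byte image are assumptions; the image is constructed from the two headers in the listing.

```python
import struct

# Field order of the 0x4C-byte VMT header, taken from the comments in the listing.
VMT_FIELDS = ("vmtSelfPtr vmtIntfTable vmtAutoTable vmtInitTable vmtTypeInfo "
              "vmtFieldTable vmtMethodTable vmtDynamicTable vmtClassName "
              "vmtInstanceSize vmtParent vmtSafeCallException vmtAfterConstruction "
              "vmtBeforeDestruction vmtDispatch vmtDefaultHandler vmtNewInstance "
              "vmtFreeInstance vmtDestroy").split()
HEADER_SIZE = 4 * len(VMT_FIELDS)  # 19 dwords = 0x4C

def short_string(img, base, ea):
    """Read a Pascal ShortString (length byte, then chars); None unless it looks like an identifier."""
    off = ea - base
    if not 0 <= off < len(img):
        return None
    text = img[off + 1:off + 1 + img[off]].decode("ascii", "replace")
    return text if len(text) == img[off] and text.isidentifier() else None

def find_vmts(img, base):
    """Return {header_ea: (class_name, fields)} for headers whose vmtSelfPtr points just past them."""
    found = {}
    for off in range(0, len(img) - HEADER_SIZE + 1, 4):
        fields = dict(zip(VMT_FIELDS, struct.unpack_from("<19I", img, off)))
        if fields["vmtSelfPtr"] != base + off + HEADER_SIZE:
            continue
        name = short_string(img, base, fields["vmtClassName"])
        if name:
            found[base + off] = (name, fields)
    return found

def parents(vmts):
    """Map class name -> parent class name (None for the root or an unknown parent)."""
    return {name: vmts.get(f["vmtParent"], (None,))[0] for name, f in vmts.values()}

def sample_image():
    """Constructed image: only the two VMT headers and class names from the listing."""
    base, img = 0x4010B8, bytearray(0x158)
    def put(ea, header, name):
        struct.pack_into("<19I", img, ea - base, *header)
        off = ea + HEADER_SIZE - base
        img[off:off + 1 + len(name)] = bytes([len(name)]) + name
    put(0x4010B8, [0x401104] + [0] * 7 + [0x401104, 4, 0, 0x403F90, 0x403F9C, 0x403FA0,
        0x403FA4, 0x403F98, 0x403CE0, 0x403CFC, 0x403D38], b"TObject")
    put(0x4011AC, [0x4011F8, 0x401189] + [0] * 6 + [0x4011F8, 0x0C, 0x4010B8, 0x403F90,
        0x406500, 0x40650C, 0x403FA4, 0x403F98, 0x40651C, 0x403CFC, 0x403D38],
        b"TInterfacedObject")
    return base, bytes(img)
```

Requiring a valid class-name ShortString in addition to the self-pointer is what keeps stray dwords that happen to equal their own address plus 0x4C from being reported as class tables.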