-
-
[原创]32位反汇编引擎开发笔记:Step.3_经典定长指令的解析
-
发表于: 2020-10-8 16:48
-
Step.3_经典定长指令的解析
由于硬编码种类繁多,按顺序分析不合理,所以我们将根据Intel白皮书(Step.1中已提供下载) 图A-2 与 A-3中提供的数据,先从定长指令开始入手,本节将会先解析 50~5F 40~4F 0F80~0F8F 70~7F 90~97 B0~BF C2 C3 CA CB E0 E1 E2 E3 E8 E9 EA EB这些经典定长指令.将解析的逻辑通过这些简单的指令梳理清楚
本节功能实现
在进行硬编码解析的时候,我们需要先明白这样一个道理:一段硬编码解析开始位置的不同,将会导致整段汇编代码发生巨大的变化
为什么这样说呢,举个简单的例子
我们都知道 0x74 对应的指令为JZ,后面跟着一个字节的数据用来确定跳转距离,这是个两字节的定长指令,而我们知道 0x50对应的指令为PUSH EAX,这是个一字节的定长指令
那么假如有这样一段数据 XX XX XX 74 50 XX XX,那么当引擎想要解析这段硬编码时,必须确定从何处开始,如果从74处开始解析,指令会变成JZ XX,后面的50将会被吞入JZ指令中
若从50处开始解析,那么会变成PUSH EAX,前面的74可能会成为上一句指令的一部分
所以不同的开始位置将会改变指令的含义,由此推出解析逻辑:
首先确定解析开始位置,位置确定后,根据首字节数据进行解析,当解析完改条指令后,索引向后移动刚刚解析完的指令的长度,这样就可以保证解析的完整性,不会丢字节,多吞字节
理清了逻辑,我们就要进行代码的实现了
由于代码分开说明会很混乱,因此所有说明将会写在注释里
定义DisAssm结构,用于封装引擎所需函数、数据
由于直接拿exe去验证的话,会有很多硬编码我们还没解析到,因此我这里将读取出来的codeList直接写死一串字节
这串字节刚好包含了我们解析的字节,并且很多字节既可以是偏移也可以是OpCode
OD打开经典的飞鸽,将这段编码写到401000处
可以看到这是这段编码从0x50处开始解析的结果
运行我们的程序进行对比
进行对比后结果是没有什么区别的,至此我们的引擎中对于定长指令的解析已经全部结束
下章开始将会进行最复杂的变长指令的解析
定长指令的解析主要是锻炼思路方法,因此很多冗余代码其实可以进行函数封装的
我这里图房间就没进行封装,直接CV了,如果看着不方便的话,附加给各位上传了项目源码
感谢各位的阅读
#include <windows.h>#include <stdlib.h>#include <malloc.h>#include <memory.h>#include <tchar.h>#include <Tlhelp32.h>#include <string>#include <math.h>#include <atlconv.h>#include <atlstr.h>#include <commdlg.h>/*
引擎结构体,用于封装所需要的信息
*/
struct DisAssm{public: unsigned char* codeList; //待解析的硬编码数组
long int codeSize; //硬编码长度
TCHAR* str; //汇编语句,方便SetWindowText的使用
long int index; //索引,指向当前解析的位置
DWORD baseAddr; //数组开始位置对应的VirtualAddress
/*
拼接字符串函数
*/
void append(const TCHAR* tempStr) {
TCHAR* temp = (TCHAR*)malloc(256);
memset(temp, 0,256);
_stprintf(temp,L"0x%08X\t\t", baseAddr + index);
wcscat(str, temp);
wcscat(str, tempStr);
free(temp);
}
/*
反汇编引擎函数
*/
void start() {
//初始化字符串指针
str = (TCHAR*)malloc(256);
memset(str, 0, 256);
unsigned char t[50] = {
0x50 ,0x5F ,0x40 ,0x4F ,0x0F ,0x84 ,0x50 ,0x5F ,0x14 ,0x7F ,
0x78 ,0x0f ,0x90 ,0x95 ,0xB0 ,0x90 ,0xB8 ,0x0F ,0x80 ,0xC2 ,0xC3 ,0xC3 ,0xC2 ,
0xC2 ,0xC3 ,0xE0 ,0x90 ,0xE8 ,0x12 ,0x34 ,0x56 ,0x78 ,0xE9 ,0x90 ,0x0F ,0x80 ,
0x12 ,0xEB,0x90 ,0xEA ,0xE8 ,0xE9 ,0x00 ,0x00 ,0x0F ,0x80
};
codeList = t;
codeSize = 50;
//写个循环,只要索引没有到达最后那就一直解析
while (index < codeSize)
{//由于硬编码从00~FF,因此我们此处不采用switch格式
//50~5F的解析
if (codeList[index] >= 0x50 && codeList[index] <= 0x5F)
{
Translate_50_5F();
continue;
}
//40~4F的解析
if (codeList[index] >= 0x40 && codeList[index] <= 0x4F)
{
Translate_40_4F();
continue;
}
//70~7F的解析
if (codeList[index] >= 0x70 && codeList[index] <= 0x7F)
{
Translate_70_7F();
continue;
}
//90~97的解析
if (codeList[index] >= 0x90 && codeList[index] <= 0x97)
{
Translate_90_97();
continue;
}
//B0~BF的解析
if (codeList[index] >= 0xB0 && codeList[index] <= 0xBF)
{
Translate_B0_BF();
continue;
}
//C2的解析
if (codeList[index] == 0xC2)
{
Translate_C2();
continue;
}
//C3的解析
if (codeList[index] == 0xC3)
{
Translate_C3();
continue;
}
//CA的解析
if (codeList[index] == 0xCA)
{
Translate_CA();
continue;
}
//CB的解析
if (codeList[index] == 0xCB)
{
Translate_CB();
continue;
}
//E0 E1 E2 E3的解析
if (codeList[index] >= 0xE0 && codeList[index] <= 0xE3)
{
Translate_E0_E3();
continue;
}
//E8的解析
if (codeList[index] == 0xE8)
{
Translate_E8();
continue;
}
//E9的解析
if (codeList[index] == 0xE9)
{
Translate_E9();
continue;
}
//EA的解析
if (codeList[index] == 0xEA)
{
Translate_EA();
continue;
}
//EB的解析
if (codeList[index] == 0xEB)
{
Translate_EB();
continue;
}
//0F的解析
if (codeList[index] == 0x0F)
{
//0F80~0F8F的解析
if (codeList[index + 1] >= 0x80 && codeList[index + 1] <= 0x8F)
{
Translate_0F80_0F8F();
continue;
}
}
//由于很多指令我们没有进行解析,所以直接索引后移跳过
index++;
}
}
/*
50~5F的解析
*/
void Translate_50_5F() {
switch (codeList[index])
{
case 0x50:
append(L"50\t\tPUSH EAX\r\n");
break;
case 0x51:
append(L"51\t\tPUSH ECX\r\n");
break;
case 0x52:
append(L"52\t\tPUSH EDX\r\n");
break;
case 0x53:
append(L"53\t\tPUSH EBX\r\n");
break;
case 0x54:
append(L"54\t\tPUSH ESP\r\n");
break;
case 0x55:
append(L"55\t\tPUSH EBP\r\n");
break;
case 0x56:
append(L"56\t\tPUSH ESI\r\n");
break;
case 0x57:
append(L"57\t\tPUSH EDI\r\n");
break;
case 0x58:
append(L"58\t\tPOP EAX\r\n");
break;
case 0x59:
append(L"59\t\tPOP ECX\r\n");
break;
case 0x5A:
append(L"5A\t\tPOP EDX\r\n");
break;
case 0x5B:
append(L"5B\t\tPOP EBX\r\n");
break;
case 0x5C:
append(L"5C\t\tPOP ESP\r\n");
break;
case 0x5D:
append(L"5D\t\tPOP EBP\r\n");
break;
case 0x5E:
append(L"5E\t\tPOP ESI\r\n");
break;
case 0x5F:
append(L"5F\t\tPOP EDI\r\n");
break;
}
//解析完成后索引+1,之所以加一,是因为50~5F全部是一字节的定长指令
index++;
}
/*
40~4F的解析
*/
void Translate_40_4F() {
switch (codeList[index])
{
case 0x40:
append(L"40\t\tINC EAX\r\n");
break;
case 0x41:
append(L"41\t\tINC ECX\r\n");
break;
case 0x42:
append(L"42\t\tINC EDX\r\n");
break;
case 0x43:
append(L"43\t\tINC EBX\r\n");
break;
case 0x44:
append(L"44\t\tINC ESP\r\n");
break;
case 0x45:
append(L"45\t\tINC EBP\r\n");
break;
case 0x46:
append(L"46\t\tINC ESI\r\n");
break;
case 0x47:
append(L"47\t\tINC EDI\r\n");
break;
case 0x48:
append(L"48\t\tDEC EAX\r\n");
break;
case 0x49:
append(L"49\t\tDEC ECX\r\n");
break;
case 0x4A:
append(L"4A\t\tDEC EDX\r\n");
break;
case 0x4B:
append(L"4B\t\tDEC EBX\r\n");
break;
case 0x4C:
append(L"4C\t\tDEC ESP\r\n");
break;
case 0x4D:
append(L"4D\t\tDEC EBP\r\n");
break;
case 0x4E:
append(L"4E\t\tDEC ESI\r\n");
break;
case 0x4F:
append(L"4F\t\tDEC EDI\r\n");
break;
}
//解析完成后索引+1,之所以加一,是因为40~4F全部是一字节的定长指令
index++;
}
/*
0F80~0F8F的解析
*/
void Translate_0F80_0F8F() {
switch (codeList[index + 1])
{
case 0x80:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 3));
BYTE b2 = *((BYTE*)(codeList + index + 4));
BYTE b3 = *((BYTE*)(codeList + index + 5));
BYTE b4 = *((BYTE*)(codeList + index + 6));
_stprintf(tt, L"0F80%02X%02X%02X%02X\t\tJO %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x81:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F81 %02X%02X%02X%02X\tJNO %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x82:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F82 %02X%02X%02X%02X\tJB %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x83:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F83 %02X%02X%02X%02X\tJNB %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x84:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F84 %02X%02X%02X%02X\tJE %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x85:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F85 %02X%02X%02X%02X\tJNE %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x86:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F86 %02X%02X%02X%02X\tJNA %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x87:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F87 %02X%02X%02X%02X\tJA %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x88:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F88 %02X%02X%02X%02X\tJS %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x89:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F89 %02X%02X%02X%02X\tJNS %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x8A:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F8A %02X%02X%02X%02X\tJP %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x8B:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F8B %02X%02X%02X%02X\tJNP %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x8C:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F8C %02X%02X%02X%02X\tJL %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x8D:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F8D %02X%02X%02X%02X\tJNL %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x8E:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F8E %02X%02X%02X%02X\tJNG %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x8F:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F8F %02X%02X%02X%02X\tJG %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
}
//解析完成后索引+6,之所以加6,是因为0F80~0F8F全部是6字节的定长指令
index+=6;
}
/*
70~7F的解析
*/
void Translate_70_7F() {
switch (codeList[index])
{
case 0x70:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"70 %02X\t\tJO SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x71:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"71 %02X\t\tJNO SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x72:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"72 %02X\t\tJB SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x73:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"73 %02X\t\tJNB SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x74:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"74 %02X\t\tJZ SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x75:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"75 %02X\t\tJNZ SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x76:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"76 %02X\t\tJBE SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x77:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"77 %02X\t\tJNBE SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x78:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"78 %02X\t\tJS SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x79:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"79 %02X\t\tJNS SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x7A:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"7A %02X\t\tJP SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x7B:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"7B %02X\t\tJNP SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x7C:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"7C %02X\t\tJL SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x7D:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"7D %02X\t\tJNL SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x7E:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"7E %02X\t\tJNG SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x7F:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"7F %02X\t\tJG SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
}
//解析完成后索引+2,之所以加2,是因为70~7F全部是2字节的定长指令
index+=2;
}
/*
90~97的解析
*/
void Translate_90_97() {
switch (codeList[index])
{
case 0x90:
append(L"90\t\tNOP\r\n");
break;
case 0x91:
append(L"91\t\tXCHG EAX,ECX\r\n");
break;
case 0x92:
append(L"92\t\tXCHG EAX,EDX\r\n");
break;
case 0x93:
append(L"93\t\tXCHG EAX,EBX\r\n");
break;
case 0x94:
append(L"94\t\tXCHG EAX,ESP\r\n");
break;
case 0x95:
append(L"95\t\tXCHG EAX,EBP\r\n");
break;
case 0x96:
append(L"96\t\tXCHG EAX,ESI\r\n");
break;
case 0x97:
append(L"97\t\tXCHG EAX,EDI\r\n");
break;
}
//解析完成后索引+1,之所以加一,是因为90~97全部是一字节的定长指令
index++;
}
/*
B0~BF的解析
*/
void Translate_B0_BF() {
switch (codeList[index])
{
case 0xB0:
{
//取出MOV后面的1字节立即数
DWORD im = *((BYTE*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"B0 %02X\t\tMOV AL, %02X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0xB1:
{
//取出MOV后面的1字节立即数
DWORD im = *((BYTE*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"B1 %02X\t\tMOV CL, %02X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0xB2:
{
//取出MOV后面的1字节立即数
DWORD im = *((BYTE*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"B2 %02X\t\tMOV DL, %02X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0xB3:
{
//取出MOV后面的1字节立即数
DWORD im = *((BYTE*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"B3 %02X\t\tMOV BL, %02X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0xB4:
{
//取出MOV后面的1字节立即数
DWORD im = *((BYTE*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"B4 %02X\t\tMOV AH, %02X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0xB5:
{
//取出MOV后面的1字节立即数
DWORD im = *((BYTE*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"B5 %02X\t\tMOV CH, %02X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0xB6:
{
//取出MOV后面的1字节立即数
DWORD im = *((BYTE*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"B6 %02X\t\tMOV DH, %02X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0xB7:
{
//取出MOV后面的1字节立即数
DWORD im = *((BYTE*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"B7 %02X\t\tMOV BH, %02X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0xB8:
{
//取出MOV后面的4字节立即数
DWORD im = *((DWORD*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
BYTE b2 = *((BYTE*)(codeList + index + 2));
BYTE b3 = *((BYTE*)(codeList + index + 3));
BYTE b4 = *((BYTE*)(codeList + index + 4));
_stprintf(tt, L"B8 %02X%02X%02X%02X\tMOV EAX, %08X\r\n", b1,b2,b3,b4,im);
append(tt);
free(tt);
break;
}
case 0xB9:
{
//取出MOV后面的4字节立即数
DWORD im = *((DWORD*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
BYTE b2 = *((BYTE*)(codeList + index + 2));
BYTE b3 = *((BYTE*)(codeList + index + 3));
BYTE b4 = *((BYTE*)(codeList + index + 4));
_stprintf(tt, L"B9 %02X%02X%02X%02X\tMOV ECX, %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0xBA:
{
//取出MOV后面的4字节立即数
DWORD im = *((DWORD*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
BYTE b2 = *((BYTE*)(codeList + index + 2));
BYTE b3 = *((BYTE*)(codeList + index + 3));
BYTE b4 = *((BYTE*)(codeList + index + 4));
_stprintf(tt, L"BA %02X%02X%02X%02X\tMOV EDX, %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0xBB:
{
//取出MOV后面的4字节立即数
DWORD im = *((DWORD*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
BYTE b2 = *((BYTE*)(codeList + index + 2));
BYTE b3 = *((BYTE*)(codeList + index + 3));
BYTE b4 = *((BYTE*)(codeList + index + 4));
_stprintf(tt, L"BB %02X%02X%02X%02X\tMOV EBX, %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0xBC:
{
//取出MOV后面的4字节立即数
DWORD im = *((DWORD*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
BYTE b2 = *((BYTE*)(codeList + index + 2));
BYTE b3 = *((BYTE*)(codeList + index + 3));
BYTE b4 = *((BYTE*)(codeList + index + 4));
_stprintf(tt, L"BC %02X%02X%02X%02X\tMOV ESP, %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0xBD:
{
//取出MOV后面的4字节立即数
DWORD im = *((DWORD*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
BYTE b2 = *((BYTE*)(codeList + index + 2));
BYTE b3 = *((BYTE*)(codeList + index + 3));
BYTE b4 = *((BYTE*)(codeList + index + 4));
_stprintf(tt, L"BD %02X%02X%02X%02X\tMOV EBP, %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0xBE:
{
//取出MOV后面的4字节立即数
DWORD im = *((DWORD*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
BYTE b2 = *((BYTE*)(codeList + index + 2));
BYTE b3 = *((BYTE*)(codeList + index + 3));
BYTE b4 = *((BYTE*)(codeList + index + 4));
_stprintf(tt, L"BE %02X%02X%02X%02X\tMOV ESI, %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0xBF:
{
//取出MOV后面的4字节立即数
DWORD im = *((DWORD*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
BYTE b2 = *((BYTE*)(codeList + index + 2));
BYTE b3 = *((BYTE*)(codeList + index + 3));
BYTE b4 = *((BYTE*)(codeList + index + 4));
_stprintf(tt, L"BF %02X%02X%02X%02X\tMOV EDI, %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
}
if (codeList[index]<0xB8)
{
index += 2;
}
else {
index += 5;
}
}
/*
C2的解析
*/
void Translate_C2() {
//取出RETN后面的2字节立即数
DWORD im = *((WORD*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
BYTE b2 = *((BYTE*)(codeList + index + 2));
_stprintf(tt, L"C2 %02X%02X\t\tRETN %04X\r\n", b1, b2, im);
append(tt);
free(tt);
index += 3;
}
/*
C3的解析
*/
void Translate_C3() {
append(L"C3\t\tRETN\r\n");
index ++;
}
/*
CA的解析
*/
void Translate_CA() {
//取出RETF后面的2字节立即数
DWORD im = *((WORD*)(codeList + index + 1));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
BYTE b2 = *((BYTE*)(codeList + index + 2));
_stprintf(tt, L"CA %02X%02X\t\tRETF %04X\r\n", b1, b2, im);
append(tt);
free(tt);
index += 3;
}
/*
CB的解析
*/
void Translate_CB() {
append(L"CB\t\tRETF\r\n");
index ++;
}
/*
E0 E1 E2 E3的解析
*/
void Translate_E0_E3() {
switch (codeList[index])
{
case 0xE0:
{
//取出EX后面的1字节立即数
char im = *((char*)(codeList + index + 1));
DWORD ii = im + baseAddr + index + 2;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
_stprintf(tt, L"E0 %02X\t\tLOOPNE SHORT %08X\r\n", (BYTE)im, ii);
append(tt);
free(tt);
break;
}
case 0xE1:
{
//取出EX后面的1字节立即数
char im = *((char*)(codeList + index + 1));
DWORD ii = im + baseAddr + index + 2;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
_stprintf(tt, L"E1 %02X\t\tLOOPE SHORT %08X\r\n", (BYTE)im, ii);
append(tt);
free(tt);
break;
}
case 0xE2:
{
//取出EX后面的1字节立即数
char im = *((char*)(codeList + index + 1));
DWORD ii = im + baseAddr + index + 2;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
_stprintf(tt, L"E2 %02X\t\tLOOP SHORT %08X\r\n", (BYTE)im, ii);
append(tt);
free(tt);
break;
}
case 0xE3:
{
//取出EX后面的1字节立即数
char im = *((char*)(codeList + index + 1));
DWORD ii = im + baseAddr + index + 2;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
_stprintf(tt, L"E3 %02X\t\tJECXZ SHORT %08X\r\n", (BYTE)im, ii);
append(tt);
free(tt);
break;
}
}
index += 2;
}
/*
E8的解析
*/
void Translate_E8() {
//取出E8后面的4字节立即数
DWORD im = *((DWORD*)(codeList + index + 1));
im = im + 5 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
BYTE b2 = *((BYTE*)(codeList + index + 2));
BYTE b3 = *((BYTE*)(codeList + index + 3));
BYTE b4 = *((BYTE*)(codeList + index + 4));
_stprintf(tt, L"E8 %02X%02X%02X%02X\tCALL %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
index += 5;
}
/*
E9的解析
*/
void Translate_E9() {
//取出E9后面的4字节立即数
DWORD im = *((DWORD*)(codeList + index + 1));
im = im + 5 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
BYTE b2 = *((BYTE*)(codeList + index + 2));
BYTE b3 = *((BYTE*)(codeList + index + 3));
BYTE b4 = *((BYTE*)(codeList + index + 4));
_stprintf(tt, L"E9 %02X%02X%02X%02X\tJMP %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
index += 5;
}
/*
EB的解析
*/
void Translate_EB() {
//取出EB后面的1字节立即数
char im = *((char*)(codeList + index + 1));
DWORD ii = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"EB %02X\t\tJMP SHORT %08X\r\n", b1, ii);
append(tt);
free(tt);
index += 2;
}
/*
EA的解析
*/
void Translate_EA() {
//取出EA后面的4字节立即数
DWORD im1 = *((DWORD*)(codeList + index + 1));
//取出EA后面的2字节跨段数据
WORD im2 = *((WORD*)(codeList + index + 5));
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
BYTE b2 = *((BYTE*)(codeList + index + 2));
BYTE b3 = *((BYTE*)(codeList + index + 3));
BYTE b4 = *((BYTE*)(codeList + index + 4));
BYTE b5 = *((BYTE*)(codeList + index + 5));
BYTE b6 = *((BYTE*)(codeList + index + 6));
_stprintf(tt, L"EA %02X%02X%02X%02X:%02X%02X JMP FAR %04X:%08X\r\n", b1,b2,b3,b4,b5,b6, im2,im1);
append(tt);
free(tt);
index += 7;
}
};#include <windows.h>#include <stdlib.h>#include <malloc.h>#include <memory.h>#include <tchar.h>#include <Tlhelp32.h>#include <string>#include <math.h>#include <atlconv.h>#include <atlstr.h>#include <commdlg.h>/*
引擎结构体,用于封装所需要的信息
*/
struct DisAssm{public: unsigned char* codeList; //待解析的硬编码数组
long int codeSize; //硬编码长度
TCHAR* str; //汇编语句,方便SetWindowText的使用
long int index; //索引,指向当前解析的位置
DWORD baseAddr; //数组开始位置对应的VirtualAddress
/*
拼接字符串函数
*/
void append(const TCHAR* tempStr) {
TCHAR* temp = (TCHAR*)malloc(256);
memset(temp, 0,256);
_stprintf(temp,L"0x%08X\t\t", baseAddr + index);
wcscat(str, temp);
wcscat(str, tempStr);
free(temp);
}
/*
反汇编引擎函数
*/
void start() {
//初始化字符串指针
str = (TCHAR*)malloc(256);
memset(str, 0, 256);
unsigned char t[50] = {
0x50 ,0x5F ,0x40 ,0x4F ,0x0F ,0x84 ,0x50 ,0x5F ,0x14 ,0x7F ,
0x78 ,0x0f ,0x90 ,0x95 ,0xB0 ,0x90 ,0xB8 ,0x0F ,0x80 ,0xC2 ,0xC3 ,0xC3 ,0xC2 ,
0xC2 ,0xC3 ,0xE0 ,0x90 ,0xE8 ,0x12 ,0x34 ,0x56 ,0x78 ,0xE9 ,0x90 ,0x0F ,0x80 ,
0x12 ,0xEB,0x90 ,0xEA ,0xE8 ,0xE9 ,0x00 ,0x00 ,0x0F ,0x80
};
codeList = t;
codeSize = 50;
//写个循环,只要索引没有到达最后那就一直解析
while (index < codeSize)
{//由于硬编码从00~FF,因此我们此处不采用switch格式
//50~5F的解析
if (codeList[index] >= 0x50 && codeList[index] <= 0x5F)
{
Translate_50_5F();
continue;
}
//40~4F的解析
if (codeList[index] >= 0x40 && codeList[index] <= 0x4F)
{
Translate_40_4F();
continue;
}
//70~7F的解析
if (codeList[index] >= 0x70 && codeList[index] <= 0x7F)
{
Translate_70_7F();
continue;
}
//90~97的解析
if (codeList[index] >= 0x90 && codeList[index] <= 0x97)
{
Translate_90_97();
continue;
}
//B0~BF的解析
if (codeList[index] >= 0xB0 && codeList[index] <= 0xBF)
{
Translate_B0_BF();
continue;
}
//C2的解析
if (codeList[index] == 0xC2)
{
Translate_C2();
continue;
}
//C3的解析
if (codeList[index] == 0xC3)
{
Translate_C3();
continue;
}
//CA的解析
if (codeList[index] == 0xCA)
{
Translate_CA();
continue;
}
//CB的解析
if (codeList[index] == 0xCB)
{
Translate_CB();
continue;
}
//E0 E1 E2 E3的解析
if (codeList[index] >= 0xE0 && codeList[index] <= 0xE3)
{
Translate_E0_E3();
continue;
}
//E8的解析
if (codeList[index] == 0xE8)
{
Translate_E8();
continue;
}
//E9的解析
if (codeList[index] == 0xE9)
{
Translate_E9();
continue;
}
//EA的解析
if (codeList[index] == 0xEA)
{
Translate_EA();
continue;
}
//EB的解析
if (codeList[index] == 0xEB)
{
Translate_EB();
continue;
}
//0F的解析
if (codeList[index] == 0x0F)
{
//0F80~0F8F的解析
if (codeList[index + 1] >= 0x80 && codeList[index + 1] <= 0x8F)
{
Translate_0F80_0F8F();
continue;
}
}
//由于很多指令我们没有进行解析,所以直接索引后移跳过
index++;
}
}
/*
50~5F的解析
*/
void Translate_50_5F() {
switch (codeList[index])
{
case 0x50:
append(L"50\t\tPUSH EAX\r\n");
break;
case 0x51:
append(L"51\t\tPUSH ECX\r\n");
break;
case 0x52:
append(L"52\t\tPUSH EDX\r\n");
break;
case 0x53:
append(L"53\t\tPUSH EBX\r\n");
break;
case 0x54:
append(L"54\t\tPUSH ESP\r\n");
break;
case 0x55:
append(L"55\t\tPUSH EBP\r\n");
break;
case 0x56:
append(L"56\t\tPUSH ESI\r\n");
break;
case 0x57:
append(L"57\t\tPUSH EDI\r\n");
break;
case 0x58:
append(L"58\t\tPOP EAX\r\n");
break;
case 0x59:
append(L"59\t\tPOP ECX\r\n");
break;
case 0x5A:
append(L"5A\t\tPOP EDX\r\n");
break;
case 0x5B:
append(L"5B\t\tPOP EBX\r\n");
break;
case 0x5C:
append(L"5C\t\tPOP ESP\r\n");
break;
case 0x5D:
append(L"5D\t\tPOP EBP\r\n");
break;
case 0x5E:
append(L"5E\t\tPOP ESI\r\n");
break;
case 0x5F:
append(L"5F\t\tPOP EDI\r\n");
break;
}
//解析完成后索引+1,之所以加一,是因为50~5F全部是一字节的定长指令
index++;
}
/*
40~4F的解析
*/
void Translate_40_4F() {
switch (codeList[index])
{
case 0x40:
append(L"40\t\tINC EAX\r\n");
break;
case 0x41:
append(L"41\t\tINC ECX\r\n");
break;
case 0x42:
append(L"42\t\tINC EDX\r\n");
break;
case 0x43:
append(L"43\t\tINC EBX\r\n");
break;
case 0x44:
append(L"44\t\tINC ESP\r\n");
break;
case 0x45:
append(L"45\t\tINC EBP\r\n");
break;
case 0x46:
append(L"46\t\tINC ESI\r\n");
break;
case 0x47:
append(L"47\t\tINC EDI\r\n");
break;
case 0x48:
append(L"48\t\tDEC EAX\r\n");
break;
case 0x49:
append(L"49\t\tDEC ECX\r\n");
break;
case 0x4A:
append(L"4A\t\tDEC EDX\r\n");
break;
case 0x4B:
append(L"4B\t\tDEC EBX\r\n");
break;
case 0x4C:
append(L"4C\t\tDEC ESP\r\n");
break;
case 0x4D:
append(L"4D\t\tDEC EBP\r\n");
break;
case 0x4E:
append(L"4E\t\tDEC ESI\r\n");
break;
case 0x4F:
append(L"4F\t\tDEC EDI\r\n");
break;
}
//解析完成后索引+1,之所以加一,是因为40~4F全部是一字节的定长指令
index++;
}
/*
0F80~0F8F的解析
*/
void Translate_0F80_0F8F() {
switch (codeList[index + 1])
{
case 0x80:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 3));
BYTE b2 = *((BYTE*)(codeList + index + 4));
BYTE b3 = *((BYTE*)(codeList + index + 5));
BYTE b4 = *((BYTE*)(codeList + index + 6));
_stprintf(tt, L"0F80%02X%02X%02X%02X\t\tJO %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x81:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F81 %02X%02X%02X%02X\tJNO %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x82:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F82 %02X%02X%02X%02X\tJB %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x83:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F83 %02X%02X%02X%02X\tJNB %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x84:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F84 %02X%02X%02X%02X\tJE %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x85:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F85 %02X%02X%02X%02X\tJNE %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x86:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F86 %02X%02X%02X%02X\tJNA %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x87:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F87 %02X%02X%02X%02X\tJA %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x88:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F88 %02X%02X%02X%02X\tJS %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x89:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F89 %02X%02X%02X%02X\tJNS %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x8A:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F8A %02X%02X%02X%02X\tJP %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x8B:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F8B %02X%02X%02X%02X\tJNP %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x8C:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F8C %02X%02X%02X%02X\tJL %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x8D:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F8D %02X%02X%02X%02X\tJNL %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x8E:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F8E %02X%02X%02X%02X\tJNG %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
case 0x8F:
{
//取出跳转后面的四字节偏移
DWORD im = *((DWORD*)(codeList + index + 2));
//计算跳转实际位置
im = im + 6 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 2));
BYTE b2 = *((BYTE*)(codeList + index + 3));
BYTE b3 = *((BYTE*)(codeList + index + 4));
BYTE b4 = *((BYTE*)(codeList + index + 5));
_stprintf(tt, L"0F8F %02X%02X%02X%02X\tJG %08X\r\n", b1, b2, b3, b4, im);
append(tt);
free(tt);
break;
}
}
//解析完成后索引+6,之所以加6,是因为0F80~0F8F全部是6字节的定长指令
index+=6;
}
/*
70~7F的解析
*/
void Translate_70_7F() {
switch (codeList[index])
{
case 0x70:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"70 %02X\t\tJO SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x71:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"71 %02X\t\tJNO SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x72:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
_stprintf(tt, L"72 %02X\t\tJB SHORT %08X\r\n", b1, im);
append(tt);
free(tt);
break;
}
case 0x73:
{
//取出跳转后面的1字节偏移
DWORD im = *((BYTE*)(codeList + index + 1));
//计算跳转实际位置
im = im + 2 + baseAddr + index;
TCHAR* tt = (TCHAR*)malloc(256);
memset(tt, 0, 256);
BYTE b1 = *((BYTE*)(codeList + index + 1));
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
最后于 2020-10-13 17:42
被SSH山水画编辑
,原因:
