//dy.c

#include <windows.h>

//C声明:
//int __stdcall dy(void * bdhsdz, int cssz[], int csgs);
//第一个参数:被调函数地址,第二个参数:参数数组,第三个参数:参数个数.
//dy(fp,0,0)表示无参函数调用.
//dy支持有返回值函数调用和无返回值函数调用.
//被调函数的返回值是dy的返回值.

declspec(dllexport) int declspec(naked) __stdcall dy(void *bdhsdz, int cssz[], int csgs)
{

bqq: cmpl $0x0,%eax;\
jl bqh;\
pushl %ds:(%ebx,%eax,0x4);\
decl %eax;\
jmp bqq;\
bqh: call *%ss:0x8(%ebp);\
movl %eax,%ebx;\
movl $0x4,%eax;\
imull %ss:0x10(%ebp);\
addl %eax,%esp;\
movl %ebx,%eax;\
popl %ebx;\
leave;\
ret $0xC\
");
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
switch (fdwReason) {
case DLL_PROCESS_ATTACH:
// attach to process
// return FALSE to fail DLL load
break;
case DLL_PROCESS_DETACH:
// detach from process
break;
case DLL_THREAD_ATTACH:
// attach to thread
break;
case DLL_THREAD_DETACH:
// detach from thread
break;
}
return TRUE; // succesful
}

编译成dll:
gcc -m32 -static -Wall dy.c -s -O2 -Wl,--kill-at -mdll -o dy.dll

dy.dll静态分析:

调用测试:
//main.c

#include <stdio.h>

#include <stdlib.h>

int __stdcall dy(void * bdhsdz, int cssz[], int csgs);

int a[2];

int main(void)
{
a[0] = (int)"hello%d\n";
a[1] = 123;

}
gcc main.c -static -s -m32 -Wall -o main.exe -O2 dy.dll
main.exe运行效果
hello123
9
请按任意键继续. . .

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)