-
-
[原创]新年好 逆向一个最简单的程序 高手跳过
-
发表于: 2007-1-1 01:12
-
【写作日期】 2007年1月1日
【写作作者】 bzhkl
【作者邮箱】 it6688@yahoo.com.cn
【使用工具】 OD vc++6.0
【破解平台】 XP
【软件下载】 自己编译
【写作动机】 只想帮助超级菜鸟(不知道这里有没有) 从最简单的开始 没有什么技术含量
#include "stdio.h"
#include "windows.h"
void main()
{
::MessageBox(0, "begin", "caption", MB_OK);
int a[5] = {1,3,5,7,9};
int b[5] = {0,2,4,6,8};
int c[10];
int i, j ,k;
i = j = k = 0;
while(k < 10)
{
if(a[i] < b[j] && i < 5)
{
c[k] = a[i];
i++;
k++;
}
if(a[i] >= b[j] && j < 5)
{
c[k] = b[j];
j++;
k++;
}
if(i >= 5 ||j >=5)
break;
}
while(i < 5)
{
c[k] = a[i];
k++;
i++;
}
while(j < 5)
{
c[k] = b[j];
k++;
j++;
}
for(int len = 0; len < k; len++)
printf("%d", c[len]);
::MessageBox(0, "end", "c", MB_OK);
}
下面是关键反汇编
可以用;;MessageBox 断下
特意加了个消息框
0040102E |. 8BF4 mov esi,esp
00401030 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401032 |. 68 B42F4200 push lianxi.00422FB4 ; |Title = "caption"
00401037 |. 68 2C204200 push lianxi.0042202C ; |Text = "begin"
0040103C |. 6A 00 push 0 ; |hOwner = NULL
0040103E |. FF15 ACA24200 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
00401044 |. 3BF4 cmp esi,esp
00401046 |. E8 65020000 call lianxi.004012B0
0040104B |. C745 EC 01000>mov dword ptr ss:[ebp-14],1 ; 下面是 数组a和b 子函数中通常用 ebp-x 表示局部变量
00401052 |. C745 F0 03000>mov dword ptr ss:[ebp-10],3
00401059 |. C745 F4 05000>mov dword ptr ss:[ebp-C],5
00401060 |. C745 F8 07000>mov dword ptr ss:[ebp-8],7
00401067 |. C745 FC 09000>mov dword ptr ss:[ebp-4],9
0040106E |. C745 D8 00000>mov dword ptr ss:[ebp-28],0
00401075 |. C745 DC 02000>mov dword ptr ss:[ebp-24],2
0040107C |. C745 E0 04000>mov dword ptr ss:[ebp-20],4
00401083 |. C745 E4 06000>mov dword ptr ss:[ebp-1C],6
0040108A |. C745 E8 08000>mov dword ptr ss:[ebp-18],8
00401091 |. C745 A4 00000>mov dword ptr ss:[ebp-5C],0 ; 这和下面一句 k=0
00401098 |. 8B45 A4 mov eax,dword ptr ss:[ebp-5C]
0040109B |. 8945 A8 mov dword ptr ss:[ebp-58],eax ; 这一句 j = k
0040109E |. 8B4D A8 mov ecx,dword ptr ss:[ebp-58] ; 这和下面一句为 i = j
004010A1 |. 894D AC mov dword ptr ss:[ebp-54],ecx ; 因为C语言中赋值是从右向左 所以认为这样
004010A4 |> 837D A4 0A /cmp dword ptr ss:[ebp-5C],0A ; k, 10 比较
004010A8 |. 7D 7F |jge short lianxi.00401129 ; 大于的话就 break;
004010AA |. 8B55 AC |mov edx,dword ptr ss:[ebp-54] ; ebp-54 存放的是 i
004010AD |. 8B45 A8 |mov eax,dword ptr ss:[ebp-58] ; ebp-58 存放的是 j 当然在没有源代码时可以任意设一个
004010B0 |. 8B4C95 EC |mov ecx,dword ptr ss:[ebp+edx*4-14] ; ebp-14是数组a的首地址 edx为i 这样实现数组遍历
004010B4 |. 3B4C85 D8 |cmp ecx,dword ptr ss:[ebp+eax*4-28] ; ebp-28是数组b的首地址 同样利用eax的递增遍历 再比较a[i]和b[j]
004010B8 |. 7D 26 |jge short lianxi.004010E0 ; a[i] > b[i]的话跳
004010BA |. 837D AC 05 |cmp dword ptr ss:[ebp-54],5 ; i < 5 ? 通过以上分析ebp-5c 为 k 地址 ebp - 58 为 j的地址 ebp - 54 为i的地址
004010BE |. 7D 20 |jge short lianxi.004010E0 ; 大于的话跳
004010C0 |. 8B55 A4 |mov edx,dword ptr ss:[ebp-5C] ; mov edx, k
004010C3 |. 8B45 AC |mov eax,dword ptr ss:[ebp-54] ; mov eax, i
004010C6 |. 8B4C85 EC |mov ecx,dword ptr ss:[ebp+eax*4-14] ; mov ecx, a[i]
004010CA |. 894C95 B0 |mov dword ptr ss:[ebp+edx*4-50],ecx ; mov c[k], a[i]
004010CE |. 8B55 AC |mov edx,dword ptr ss:[ebp-54] ; 下面三行是 i++;
004010D1 |. 83C2 01 |add edx,1
004010D4 |. 8955 AC |mov dword ptr ss:[ebp-54],edx
004010D7 |. 8B45 A4 |mov eax,dword ptr ss:[ebp-5C] ; 下面三行是 k++;
004010DA |. 83C0 01 |add eax,1
004010DD |. 8945 A4 |mov dword ptr ss:[ebp-5C],eax
004010E0 |> 8B4D AC |mov ecx,dword ptr ss:[ebp-54] ; 同上 下面是 if(a[i] >= b[j] && j < 5) 的处理
004010E3 |. 8B55 A8 |mov edx,dword ptr ss:[ebp-58]
004010E6 |. 8B448D EC |mov eax,dword ptr ss:[ebp+ecx*4-14]
004010EA |. 3B4495 D8 |cmp eax,dword ptr ss:[ebp+edx*4-28] ; 比较 a[i], b[i]
004010EE |. 7C 26 |jl short lianxi.00401116
004010F0 |. 837D A8 05 |cmp dword ptr ss:[ebp-58],5 ; j<5?
004010F4 |. 7D 20 |jge short lianxi.00401116 ; 大于的话跳
004010F6 |. 8B4D A4 |mov ecx,dword ptr ss:[ebp-5C] ; 下面同上分析
004010F9 |. 8B55 A8 |mov edx,dword ptr ss:[ebp-58]
004010FC |. 8B4495 D8 |mov eax,dword ptr ss:[ebp+edx*4-28]
00401100 |. 89448D B0 |mov dword ptr ss:[ebp+ecx*4-50],eax
00401104 |. 8B4D A8 |mov ecx,dword ptr ss:[ebp-58] ; j++
00401107 |. 83C1 01 |add ecx,1
0040110A |. 894D A8 |mov dword ptr ss:[ebp-58],ecx
0040110D |. 8B55 A4 |mov edx,dword ptr ss:[ebp-5C] ; k++
00401110 |. 83C2 01 |add edx,1
00401113 |. 8955 A4 |mov dword ptr ss:[ebp-5C],edx
00401116 |> 837D AC 05 |cmp dword ptr ss:[ebp-54],5
0040111A |. 7D 06 |jge short lianxi.00401122 ; i>5时跳到401122 再跳出循环
0040111C |. 837D A8 05 |cmp dword ptr ss:[ebp-58],5
00401120 |. 7C 02 |jl short lianxi.00401124 ; 小于5的话跳到401124 再到最上的 while 处
00401122 |> EB 05 |jmp short lianxi.00401129 ; 相当于 breake
00401124 |>^ E9 7BFFFFFF \jmp lianxi.004010A4
00401129 |> 837D AC 05 /cmp dword ptr ss:[ebp-54],5 ; i<5?
0040112D |. 7D 22 |jge short lianxi.00401151 ; 大于的话跳出循环
0040112F |. 8B45 A4 |mov eax,dword ptr ss:[ebp-5C] ; eax = k
00401132 |. 8B4D AC |mov ecx,dword ptr ss:[ebp-54] ; ecx = i
00401135 |. 8B548D EC |mov edx,dword ptr ss:[ebp+ecx*4-14] ; edx = a[i]
00401139 |. 895485 B0 |mov dword ptr ss:[ebp+eax*4-50],edx ; c[k] = a[i]
0040113D |. 8B45 A4 |mov eax,dword ptr ss:[ebp-5C] ; 下面三行k++
00401140 |. 83C0 01 |add eax,1
00401143 |. 8945 A4 |mov dword ptr ss:[ebp-5C],eax
00401146 |. 8B4D AC |mov ecx,dword ptr ss:[ebp-54] ; 下面三行i++
00401149 |. 83C1 01 |add ecx,1
0040114C |. 894D AC |mov dword ptr ss:[ebp-54],ecx
0040114F |.^ EB D8 \jmp short lianxi.00401129
00401151 |> 837D A8 05 /cmp dword ptr ss:[ebp-58],5 ; 分析同上面的循环
00401155 |. 7D 22 |jge short lianxi.00401179
00401157 |. 8B55 A4 |mov edx,dword ptr ss:[ebp-5C]
0040115A |. 8B45 A8 |mov eax,dword ptr ss:[ebp-58]
0040115D |. 8B4C85 D8 |mov ecx,dword ptr ss:[ebp+eax*4-28]
00401161 |. 894C95 B0 |mov dword ptr ss:[ebp+edx*4-50],ecx
00401165 |. 8B55 A4 |mov edx,dword ptr ss:[ebp-5C]
00401168 |. 83C2 01 |add edx,1
0040116B |. 8955 A4 |mov dword ptr ss:[ebp-5C],edx
0040116E |. 8B45 A8 |mov eax,dword ptr ss:[ebp-58]
00401171 |. 83C0 01 |add eax,1
00401174 |. 8945 A8 |mov dword ptr ss:[ebp-58],eax
00401177 |.^ EB D8 \jmp short lianxi.00401151
00401179 |> C745 A0 00000>mov dword ptr ss:[ebp-60],0 ; len = 0
00401180 |. EB 09 jmp short lianxi.0040118B
00401182 |> 8B4D A0 /mov ecx,dword ptr ss:[ebp-60] ; 下面三行为len++
00401185 |. 83C1 01 |add ecx,1
00401188 |. 894D A0 |mov dword ptr ss:[ebp-60],ecx
0040118B |> 8B55 A0 mov edx,dword ptr ss:[ebp-60] ; edx = len
0040118E |. 3B55 A4 |cmp edx,dword ptr ss:[ebp-5C] ; cmp len, k
00401191 |. 7D 17 |jge short lianxi.004011AA ; len>k 循环结束
00401193 |. 8B45 A0 |mov eax,dword ptr ss:[ebp-60] ; eax = len
00401196 |. 8B4C85 B0 |mov ecx,dword ptr ss:[ebp+eax*4-50] ; ebp-50 为数组c的首地址 利用len改变地址实现遍历 下面的函数是printf
0040119A |. 51 |push ecx ; /Arg2
0040119B |. 68 28204200 |push lianxi.00422028 ; |Arg1 = 00422028 ASCII "%d"
004011A0 |. E8 8B000000 |call lianxi.00401230 ; \lianxi.00401230
004011A5 |. 83C4 08 |add esp,8 ; 堆栈平衡
004011A8 |.^ EB D8 \jmp short lianxi.00401182
004011AA |> 8BF4 mov esi,esp
004011AC |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004011AE |. 68 20204200 push lianxi.00422020 ; |Title = "c"
004011B3 |. 68 1C204200 push lianxi.0042201C ; |Text = "end"
004011B8 |. 6A 00 push 0 ; |hOwner = NULL
004011BA |. FF15 ACA24200 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
呵呵 就这样吧
【写作作者】 bzhkl
【作者邮箱】 it6688@yahoo.com.cn
【使用工具】 OD vc++6.0
【破解平台】 XP
【软件下载】 自己编译
【写作动机】 只想帮助超级菜鸟(不知道这里有没有) 从最简单的开始 没有什么技术含量
#include "stdio.h"
#include "windows.h"
void main()
{
::MessageBox(0, "begin", "caption", MB_OK);
int a[5] = {1,3,5,7,9};
int b[5] = {0,2,4,6,8};
int c[10];
int i, j ,k;
i = j = k = 0;
while(k < 10)
{
if(a[i] < b[j] && i < 5)
{
c[k] = a[i];
i++;
k++;
}
if(a[i] >= b[j] && j < 5)
{
c[k] = b[j];
j++;
k++;
}
if(i >= 5 ||j >=5)
break;
}
while(i < 5)
{
c[k] = a[i];
k++;
i++;
}
while(j < 5)
{
c[k] = b[j];
k++;
j++;
}
for(int len = 0; len < k; len++)
printf("%d", c[len]);
::MessageBox(0, "end", "c", MB_OK);
}
下面是关键反汇编
可以用;;MessageBox 断下
特意加了个消息框0040102E |. 8BF4 mov esi,esp
00401030 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401032 |. 68 B42F4200 push lianxi.00422FB4 ; |Title = "caption"
00401037 |. 68 2C204200 push lianxi.0042202C ; |Text = "begin"
0040103C |. 6A 00 push 0 ; |hOwner = NULL
0040103E |. FF15 ACA24200 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
00401044 |. 3BF4 cmp esi,esp
00401046 |. E8 65020000 call lianxi.004012B0
0040104B |. C745 EC 01000>mov dword ptr ss:[ebp-14],1 ; 下面是 数组a和b 子函数中通常用 ebp-x 表示局部变量
00401052 |. C745 F0 03000>mov dword ptr ss:[ebp-10],3
00401059 |. C745 F4 05000>mov dword ptr ss:[ebp-C],5
00401060 |. C745 F8 07000>mov dword ptr ss:[ebp-8],7
00401067 |. C745 FC 09000>mov dword ptr ss:[ebp-4],9
0040106E |. C745 D8 00000>mov dword ptr ss:[ebp-28],0
00401075 |. C745 DC 02000>mov dword ptr ss:[ebp-24],2
0040107C |. C745 E0 04000>mov dword ptr ss:[ebp-20],4
00401083 |. C745 E4 06000>mov dword ptr ss:[ebp-1C],6
0040108A |. C745 E8 08000>mov dword ptr ss:[ebp-18],8
00401091 |. C745 A4 00000>mov dword ptr ss:[ebp-5C],0 ; 这和下面一句 k=0
00401098 |. 8B45 A4 mov eax,dword ptr ss:[ebp-5C]
0040109B |. 8945 A8 mov dword ptr ss:[ebp-58],eax ; 这一句 j = k
0040109E |. 8B4D A8 mov ecx,dword ptr ss:[ebp-58] ; 这和下面一句为 i = j
004010A1 |. 894D AC mov dword ptr ss:[ebp-54],ecx ; 因为C语言中赋值是从右向左 所以认为这样
004010A4 |> 837D A4 0A /cmp dword ptr ss:[ebp-5C],0A ; k, 10 比较
004010A8 |. 7D 7F |jge short lianxi.00401129 ; 大于的话就 break;
004010AA |. 8B55 AC |mov edx,dword ptr ss:[ebp-54] ; ebp-54 存放的是 i
004010AD |. 8B45 A8 |mov eax,dword ptr ss:[ebp-58] ; ebp-58 存放的是 j 当然在没有源代码时可以任意设一个
004010B0 |. 8B4C95 EC |mov ecx,dword ptr ss:[ebp+edx*4-14] ; ebp-14是数组a的首地址 edx为i 这样实现数组遍历
004010B4 |. 3B4C85 D8 |cmp ecx,dword ptr ss:[ebp+eax*4-28] ; ebp-28是数组b的首地址 同样利用eax的递增遍历 再比较a[i]和b[j]
004010B8 |. 7D 26 |jge short lianxi.004010E0 ; a[i] > b[i]的话跳
004010BA |. 837D AC 05 |cmp dword ptr ss:[ebp-54],5 ; i < 5 ? 通过以上分析ebp-5c 为 k 地址 ebp - 58 为 j的地址 ebp - 54 为i的地址
004010BE |. 7D 20 |jge short lianxi.004010E0 ; 大于的话跳
004010C0 |. 8B55 A4 |mov edx,dword ptr ss:[ebp-5C] ; mov edx, k
004010C3 |. 8B45 AC |mov eax,dword ptr ss:[ebp-54] ; mov eax, i
004010C6 |. 8B4C85 EC |mov ecx,dword ptr ss:[ebp+eax*4-14] ; mov ecx, a[i]
004010CA |. 894C95 B0 |mov dword ptr ss:[ebp+edx*4-50],ecx ; mov c[k], a[i]
004010CE |. 8B55 AC |mov edx,dword ptr ss:[ebp-54] ; 下面三行是 i++;
004010D1 |. 83C2 01 |add edx,1
004010D4 |. 8955 AC |mov dword ptr ss:[ebp-54],edx
004010D7 |. 8B45 A4 |mov eax,dword ptr ss:[ebp-5C] ; 下面三行是 k++;
004010DA |. 83C0 01 |add eax,1
004010DD |. 8945 A4 |mov dword ptr ss:[ebp-5C],eax
004010E0 |> 8B4D AC |mov ecx,dword ptr ss:[ebp-54] ; 同上 下面是 if(a[i] >= b[j] && j < 5) 的处理
004010E3 |. 8B55 A8 |mov edx,dword ptr ss:[ebp-58]
004010E6 |. 8B448D EC |mov eax,dword ptr ss:[ebp+ecx*4-14]
004010EA |. 3B4495 D8 |cmp eax,dword ptr ss:[ebp+edx*4-28] ; 比较 a[i], b[i]
004010EE |. 7C 26 |jl short lianxi.00401116
004010F0 |. 837D A8 05 |cmp dword ptr ss:[ebp-58],5 ; j<5?
004010F4 |. 7D 20 |jge short lianxi.00401116 ; 大于的话跳
004010F6 |. 8B4D A4 |mov ecx,dword ptr ss:[ebp-5C] ; 下面同上分析
004010F9 |. 8B55 A8 |mov edx,dword ptr ss:[ebp-58]
004010FC |. 8B4495 D8 |mov eax,dword ptr ss:[ebp+edx*4-28]
00401100 |. 89448D B0 |mov dword ptr ss:[ebp+ecx*4-50],eax
00401104 |. 8B4D A8 |mov ecx,dword ptr ss:[ebp-58] ; j++
00401107 |. 83C1 01 |add ecx,1
0040110A |. 894D A8 |mov dword ptr ss:[ebp-58],ecx
0040110D |. 8B55 A4 |mov edx,dword ptr ss:[ebp-5C] ; k++
00401110 |. 83C2 01 |add edx,1
00401113 |. 8955 A4 |mov dword ptr ss:[ebp-5C],edx
00401116 |> 837D AC 05 |cmp dword ptr ss:[ebp-54],5
0040111A |. 7D 06 |jge short lianxi.00401122 ; i>5时跳到401122 再跳出循环
0040111C |. 837D A8 05 |cmp dword ptr ss:[ebp-58],5
00401120 |. 7C 02 |jl short lianxi.00401124 ; 小于5的话跳到401124 再到最上的 while 处
00401122 |> EB 05 |jmp short lianxi.00401129 ; 相当于 breake
00401124 |>^ E9 7BFFFFFF \jmp lianxi.004010A4
00401129 |> 837D AC 05 /cmp dword ptr ss:[ebp-54],5 ; i<5?
0040112D |. 7D 22 |jge short lianxi.00401151 ; 大于的话跳出循环
0040112F |. 8B45 A4 |mov eax,dword ptr ss:[ebp-5C] ; eax = k
00401132 |. 8B4D AC |mov ecx,dword ptr ss:[ebp-54] ; ecx = i
00401135 |. 8B548D EC |mov edx,dword ptr ss:[ebp+ecx*4-14] ; edx = a[i]
00401139 |. 895485 B0 |mov dword ptr ss:[ebp+eax*4-50],edx ; c[k] = a[i]
0040113D |. 8B45 A4 |mov eax,dword ptr ss:[ebp-5C] ; 下面三行k++
00401140 |. 83C0 01 |add eax,1
00401143 |. 8945 A4 |mov dword ptr ss:[ebp-5C],eax
00401146 |. 8B4D AC |mov ecx,dword ptr ss:[ebp-54] ; 下面三行i++
00401149 |. 83C1 01 |add ecx,1
0040114C |. 894D AC |mov dword ptr ss:[ebp-54],ecx
0040114F |.^ EB D8 \jmp short lianxi.00401129
00401151 |> 837D A8 05 /cmp dword ptr ss:[ebp-58],5 ; 分析同上面的循环
00401155 |. 7D 22 |jge short lianxi.00401179
00401157 |. 8B55 A4 |mov edx,dword ptr ss:[ebp-5C]
0040115A |. 8B45 A8 |mov eax,dword ptr ss:[ebp-58]
0040115D |. 8B4C85 D8 |mov ecx,dword ptr ss:[ebp+eax*4-28]
00401161 |. 894C95 B0 |mov dword ptr ss:[ebp+edx*4-50],ecx
00401165 |. 8B55 A4 |mov edx,dword ptr ss:[ebp-5C]
00401168 |. 83C2 01 |add edx,1
0040116B |. 8955 A4 |mov dword ptr ss:[ebp-5C],edx
0040116E |. 8B45 A8 |mov eax,dword ptr ss:[ebp-58]
00401171 |. 83C0 01 |add eax,1
00401174 |. 8945 A8 |mov dword ptr ss:[ebp-58],eax
00401177 |.^ EB D8 \jmp short lianxi.00401151
00401179 |> C745 A0 00000>mov dword ptr ss:[ebp-60],0 ; len = 0
00401180 |. EB 09 jmp short lianxi.0040118B
00401182 |> 8B4D A0 /mov ecx,dword ptr ss:[ebp-60] ; 下面三行为len++
00401185 |. 83C1 01 |add ecx,1
00401188 |. 894D A0 |mov dword ptr ss:[ebp-60],ecx
0040118B |> 8B55 A0 mov edx,dword ptr ss:[ebp-60] ; edx = len
0040118E |. 3B55 A4 |cmp edx,dword ptr ss:[ebp-5C] ; cmp len, k
00401191 |. 7D 17 |jge short lianxi.004011AA ; len>k 循环结束
00401193 |. 8B45 A0 |mov eax,dword ptr ss:[ebp-60] ; eax = len
00401196 |. 8B4C85 B0 |mov ecx,dword ptr ss:[ebp+eax*4-50] ; ebp-50 为数组c的首地址 利用len改变地址实现遍历 下面的函数是printf
0040119A |. 51 |push ecx ; /Arg2
0040119B |. 68 28204200 |push lianxi.00422028 ; |Arg1 = 00422028 ASCII "%d"
004011A0 |. E8 8B000000 |call lianxi.00401230 ; \lianxi.00401230
004011A5 |. 83C4 08 |add esp,8 ; 堆栈平衡
004011A8 |.^ EB D8 \jmp short lianxi.00401182
004011AA |> 8BF4 mov esi,esp
004011AC |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004011AE |. 68 20204200 push lianxi.00422020 ; |Title = "c"
004011B3 |. 68 1C204200 push lianxi.0042201C ; |Text = "end"
004011B8 |. 6A 00 push 0 ; |hOwner = NULL
004011BA |. FF15 ACA24200 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
呵呵 就这样吧
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
这样的效果比自己盲目的直接看汇编要好得多
|
|
|
|
|
|
|
|
|
|
|
|
|
