I have just started learning reverse engineering and ran into a problem; I hope someone can advise.
I reversed a proxy program that was packed with UPX (I unpacked it). fi shows it was compiled with VC6, and judging by the UI it looks like a dialog-based MFC program. I located this piece of code through the references to its string resources. The IDA disassembly and the OllyDbg call stack are attached below:
My question: where does this code return to, or put another way, where is it jumped to from?
What I have tried: IDA shows no cross-references to this code, and in OllyDbg repeatedly pressing "Return to user code" still leaves me inside the system DLL code.
I have also read some posts on the forum about MFC's message mechanism and the SEH structure, but still could not solve this; I would be grateful if someone could take the trouble to analyse it for me, thanks.
Code disassembled in IDA:
.text:004068DE ; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
.text:004068DF ; ---------------------------------------------------------------------------
.text:004068DF mov eax, offset loc_41EBA8
.text:004068E4 call __EH_prolog
.text:004068E9 push ecx
.text:004068EA push ebx
.text:004068EB push esi
.text:004068EC mov esi, ecx
.text:004068EE lea ecx, [ebp-10h]
.text:004068F1 call ??0CString@@QAE@XZ ; CString::CString(void)
.text:004068F6 mov eax, [ebp+8]
.text:004068F9 xor ebx, ebx
.text:004068FB dec eax
.text:004068FC mov [ebp-4], ebx
.text:004068FF jz loc_40699F
.text:00406905 sub eax, 3
.text:00406908 jz loc_406996 ; port
.text:0040690E dec eax
.text:0040690F jz short loc_40698D ; server connected
.text:00406911 dec eax
.text:00406912 jz short loc_406975 ; connecting to server
.text:00406914 dec eax
.text:00406915 jz short loc_406938 ; server connection failed
.text:00406917 dec eax
.text:00406918 jnz loc_4069A6
.text:0040691E push 18h ; network connection fault
.text:00406920 lea ecx, [ebp-10h]
.text:00406923 call ?LoadStringA@CString@@QAEHI@Z ; CString::LoadStringA(uint)
.text:00406928 push dword ptr [ebp-10h]
.text:0040692B lea ecx, [esi+160h]
.text:00406931 call ?SetWindowTextA@CWnd@@QAEXPBD@Z ; CWnd::SetWindowTextA(char const *)
.text:00406936 jmp short loc_4069A6
.text:00406938 ; ---------------------------------------------------------------------------
.text:00406938
.text:00406938 loc_406938: ; CODE XREF: .text:00406915 j
.text:00406938 lea eax, [esi+1A4h]
.text:0040693E cmp [eax], ebx
.text:00406940 jz short loc_4069A6
.text:00406942 lea ecx, [ebp+8]
.text:00406945 mov [eax], ebx
.text:00406947 call ??0CString@@QAE@XZ ; CString::CString(void)
.text:0040694C mov byte ptr [ebp-4], 2
.text:00406950 push 0Eh
.text:00406952
.text:00406952 loc_406952: ; CODE XREF: .text:0040698B j
.text:00406952 lea ecx, [ebp+8]
.text:00406955 call ?LoadStringA@CString@@QAEHI@Z ; CString::LoadStringA(uint)
.text:0040695A push dword ptr [ebp+8]
.text:0040695D lea ecx, [esi+160h]
.text:00406963 call ?SetWindowTextA@CWnd@@QAEXPBD@Z ; CWnd::SetWindowTextA(char const *)
.text:00406968 lea ecx, [ebp+8]
.text:0040696B mov [ebp-4], bl
.text:0040696E call ??1CString@@QAE@XZ ; CString::~CString(void)
.text:00406973 jmp short loc_4069A6
.text:00406975 ; ---------------------------------------------------------------------------
.text:00406975
.text:00406975 loc_406975: ; CODE XREF: .text:00406912 j
.text:00406975 cmp [esi+1A4h], ebx
.text:0040697B jz short loc_4069A6
.text:0040697D lea ecx, [ebp+8]
.text:00406980 call ??0CString@@QAE@XZ ; CString::CString(void)
.text:00406985 mov byte ptr [ebp-4], 1
.text:00406989 push 0Ch
.text:0040698B jmp short loc_406952
.text:0040698D ; ---------------------------------------------------------------------------
.text:0040698D
.text:0040698D loc_40698D: ; CODE XREF: .text:0040690F j
.text:0040698D mov ecx, esi
.text:0040698F call sub_406129
.text:00406994 jmp short loc_4069A6
.text:00406996 ; ---------------------------------------------------------------------------
.text:00406996
.text:00406996 loc_406996: ; CODE XREF: .text:00406908 j
.text:00406996 mov ecx, esi
.text:00406998 call sub_4061AF
.text:0040699D jmp short loc_4069A6
.text:0040699F ; ---------------------------------------------------------------------------
.text:0040699F
.text:0040699F loc_40699F: ; CODE XREF: .text:004068FF j
.text:0040699F mov ecx, esi
.text:004069A1 call sub_406237
.text:004069A6
.text:004069A6 loc_4069A6: ; CODE XREF: .text:00406918 j
.text:004069A6 ; .text:00406936 j ...
.text:004069A6 or dword ptr [ebp-4], 0FFFFFFFFh
.text:004069AA lea ecx, [ebp-10h]
.text:004069AD call ??1CString@@QAE@XZ ; CString::~CString(void)
.text:004069B2 mov ecx, [ebp-0Ch]
.text:004069B5 pop esi
.text:004069B6 xor eax, eax
.text:004069B8 pop ebx
.text:004069B9 mov large fs:0, ecx
.text:004069C0 leave
.text:004069C1 retn 8
Call stack in OllyDbg:
地址 堆栈 程序过程 / 参数 调用来自 结构
0012CB84 73D31B9B 包含 u1.004068DF MFC42.73D31B95 0012CB80
0012CBA4 73D31B05 包含 MFC42.73D31B9B MFC42.73D31AFF 0012CBA0
0012CC04 73D31A58 MFC42.#1109_AfxCallWndProc MFC42.73D31A53 0012CC00
0012CC24 73DC847D MFC42.#1578_AfxWndProc MFC42.73DC8478 0012CC20
0012CC28 00120106 Arg1 = 00120106
0012CC2C 00000464 Arg2 = 00000464
0012CC30 00000006 Arg3 = 00000006
0012CC34 00000000 Arg4 = 00000000
0012CC50 77D18734 包含 MFC42.73DC847D USER32.77D18731 0012CC4C
0012CC7C 77D18816 ? USER32.77D1870C USER32.77D18811 0012CC78
0012CCE4 77D189CD USER32.77D1875F USER32.77D189C8 0012CCE0
0012CCE8 00000000 Arg1 = 00000000
0012CCEC 73DC8444 Arg2 = 73DC8444
0012CCF0 00120106 Arg3 = 00120106
0012CCF4 00000464 Arg4 = 00000464
0012CCF8 00000006 Arg5 = 00000006
0012CCFC 00000000 Arg6 = 00000000
0012CD00 00657884 Arg7 = 00657884
0012CD04 00000001 Arg8 = 00000001
0012CD44 77D196C7 ? USER32.77D188F1 USER32.77D196C2 0012CD40
0012CD54 73D3125A ? USER32.DispatchMessageA MFC42.73D31254 0012CD50
0012CD58 0043AE2C pMsg = MSG(464) hw = 120106 ("xxxxxx6.8版") wParam = 6 lParam = 0
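The routine at 004068DF takes its first argument from [ebp+8] and returns with retn 8, and the frame directly above it in the OllyDbg stack is inside MFC42 (AfxCallWndProc / AfxWndProc): it is reached through the MFC message map, an indirect call through a function-pointer table, which is why IDA finds no cross-reference and "return to user code" stops in MFC42. The C model below is an added example, not code from the post or from the analysed program; it rebuilds that table-driven dispatch and the wParam switch read off the listing. The names WM_NETSTATUS, OnNetStatus, MsgMapEntry and DispatchWndMsg are assumptions; the numbers (message 0x464, wParam cases, string ids, callees) come from the listing and the stack above.

```c
#include <string.h>

/* Added example, not code from the post or the analysed program. It models
 * how MFC reaches a handler: OnWndMsg looks the message up in a table of
 * function pointers and calls through the pointer, so there is no direct
 * call to 004068DF for IDA to cross-reference. Names marked below are
 * hypothetical; the numbers come from the listing and the OllyDbg stack. */

#define WM_USER      0x400
#define WM_NETSTATUS (WM_USER + 0x64)   /* 0x464: pMsg in the OllyDbg stack; name assumed */

typedef const char *(*MsgHandler)(unsigned wParam, long lParam);

typedef struct {              /* simplified analogue of AFX_MSGMAP_ENTRY */
    unsigned   nMessage;
    MsgHandler pfn;
} MsgMapEntry;

/* The dec/sub/jz chain at 004068F6..00406918 tests [ebp+8], i.e. wParam.
 * Returns a label for the branch taken: the callee, or the string resource
 * id the branch passes to CString::LoadStringA. Name OnNetStatus assumed. */
const char *OnNetStatus(unsigned wParam, long lParam) {
    (void)lParam;
    switch (wParam) {
    case 1:  return "sub_406237";                          /* loc_40699F */
    case 4:  return "sub_4061AF (port)";                   /* loc_406996 */
    case 5:  return "sub_406129 (server connected)";       /* loc_40698D */
    case 6:  return "LoadString 0x0C (connecting)";        /* loc_406975 */
    case 7:  return "LoadString 0x0E (connection failed)"; /* loc_406938 */
    case 8:  return "LoadString 0x18 (network fault)";     /* 0040691E   */
    default: return NULL;                       /* jnz loc_4069A6: ignored */
    }
}

/* The table MFC walks; in the real binary it sits in .rdata, not in .text. */
static const MsgMapEntry g_msgMap[] = {
    { WM_NETSTATUS, OnNetStatus },
    { 0, NULL }                                 /* end-of-map marker */
};

/* Table-driven dispatch: the only call to OnNetStatus is through e->pfn,
 * which is why "return to user code" stops in MFC42 and not in u1. */
const char *DispatchWndMsg(unsigned msg, unsigned wParam, long lParam) {
    for (const MsgMapEntry *e = g_msgMap; e->pfn != NULL; ++e)
        if (e->nMessage == msg)
            return e->pfn(wParam, lParam);
    return NULL;                                /* not mapped: DefWindowProc */
}
```

With the values from the stack (pMsg = 0x464, wParam = 6) the dispatcher lands on the loc_406975 branch, i.e. the "connecting to server" string; in the real binary the caller to look for is the message-map entry in .rdata that holds the pointer 004068DF.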