下面是文件a.asm:
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
;include \masm32\include\user32.inc
;includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
limit equ 5
.code
start:
call delta
delta:
pop ebp
sub ebp, offset delta
mov esi, [esp]
and esi, 0FFFF0000h
call GetK32
invoke ExitProcess, 0
GetK32:
__1:
cmp byte ptr [ebp+K32_Limit], 00h
jz WeFailed
cmp word ptr [esi], "ZM"
jz CheckPE
__2:
sub esi, 10000h
dec byte ptr [ebp+K32_Limit]
jmp __1
CheckPE:
mov edi, [esi+3Ch]
add edi, esi
cmp dword ptr [edi], "EP"
jz WeGotK32
jmp __2
WeFailed:
mov esi, 0B7F70000h
WeGotK32:
xchg eax, esi
ret
K32_Limit dw limit
end start
编译连接:
ml /c /coff a.asm
link /SUBSYSTEM:windows /SECTION:.text,rwx a
可是OD打开a.exe的结果:
00401000 > $ E8 00000000 CALL a.00401005
00401005 $ 5D POP EBP
00401006 . 81ED 05104000 SUB EBP,a.00401005 ; Entry address
0040100C . 8B3424 MOV ESI,DWORD PTR SS:[ESP]
0040100F 81 DB 81
00401010 > E6 DB E6
00401011 00 DB 00
00401012 00 DB 00
00401013 FF DB FF
00401014 FF DB FF
00401015 . E8 07000000 CALL a.00401021
0040101A . 6A 00 PUSH 0 ; /ExitCode = 0
0040101C . E8 37000000 CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess
00401021 $ 80BD 55104000 >CMP BYTE PTR SS:[EBP+401055],0
00401028 . 74 24 JE SHORT a.0040104E
0040102A . 66:813E 4D5A CMP WORD PTR DS:[ESI],5A4D
0040102F 74 DB 74 ; CHAR 't'
00401030 > 0E DB 0E
00401031 81 DB 81
00401032 EE DB EE
00401033 00 DB 00
00401034 00 DB 00
00401035 01 DB 01
00401036 > 00 DB 00
00401037 FE DB FE
00401038 8D DB 8D
00401039 55104000 DD a.00401055
0040103D .^EB E2 JMP SHORT a.00401021
0040103F 8B DB 8B
00401040 7E DB 7E ; CHAR '~'
00401041 3C DB 3C ; CHAR '<'
00401042 03 DB 03
00401043 FE DB FE
00401044 81 DB 81
00401045 . 3F 50 45 00 ASCII "?PE",0
00401049 00 DB 00
0040104A 74 DB 74 ; CHAR 't'
0040104B 07 DB 07
0040104C EB DB EB
0040104D E3 DB E3
0040104E > BE 0000F7B7 MOV ESI,B7F70000
00401053 . 96 XCHG EAX,ESI
00401054 . C3 RETN
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
