黑客反汇编高速入门
黑客反汇编高速入门
我研究汇编语言大概是从几年前开始的,因为我想开发sepl计算机语言编译器。
虽然到现在还没有开发出来,但是已经看到曙光了。
为了研究汇编,我从反汇编入手,做了破解,脱壳,调试等。
但是汇编对我来说一直是读天书,没有任何突破。
直到最近几天我有了重大发现。
有人说做黑客从反汇编sqlserver.exe文件开始,可是在数以百万计的汇编代码丛林中,你能看到什么呢?
能读懂么?
直到最近看了一本win32汇编书籍,它里面说可以把vc程序反汇编,获得汇编程序。
如果随便用ida反汇编,如果没有把原程序和汇编放在一起,那么仍然没有收获。
我按照说明操作,终于得到了原程序和汇编放在一起的文件,就像在调试状态一样,每个c语言程序对应一个扩展名为.cod的文件。用它来学习真是大爽,天书变成了可破解的代码!
具体做法是打开vc项目,选择菜单Project->Settings,在对话框中选择C/C++页,然后在Category中选择Listing Files,在下面的Listing file type中选择Assembly, Machine Code, and Source,确定退出。
现在编译程序,在release/debug目录下面生成对应的cod文件,包含有汇编,机器码和源代码。
通过阅读cod文件,你将很快了解汇编。你会发现原程序和汇编并不完全一一对应,但这并不妨碍你分析汇编。
如果你不停地阅读和学习cod,也许一个月后你就会成为反汇编高手了!
目前我刚开始2天。
我决定坚持一个月。
文件Base64.cod内容如下
; Compiler-generated assembly listing (.cod) for \cryptoLib\Base64.cpp,
; produced by the VC "Assembly, Machine Code, and Source" listing option
; described in the text above. Whitespace was lost when this copy was
; extracted from the document ("includelisting.inc" is "include listing.inc",
; "if@Versiongt510" is "if @Version gt 510", and so on); nothing below has
; been re-spaced.
TITLEE:
\cryptoLib\Base64.cpp
.386P
includelisting.inc
; Segment declarations depend on the assembler version: the else-branch is
; the older spelling of the same flat-model layout.
if@Versiongt510
.modelFLAT
else
_TEXTSEGMENTPARAUSE32PUBLIC'CODE'
_TEXTENDS
_DATASEGMENTDWORDUSE32PUBLIC'DATA'
_DATAENDS
CONSTSEGMENTDWORDUSE32PUBLIC'CONST'
CONSTENDS
_BSSSEGMENTDWORDUSE32PUBLIC'BSS'
_BSSENDS
_TLSSEGMENTDWORDUSE32PUBLIC'TLS'
_TLSENDS
; The COMDAT symbols that follow (string constants that appear to decode to
; "Magellan MSWHEEL" and "MouseZ", a basic_ostream vtable and
; basic_string::npos) are emitted for headers this translation unit
; includes; no reference to them is visible in the Base64 routines further
; down. The mangled names were split across lines at their '?' characters
; by the extraction.
;COMDAT?
?
_C@_0BB@NAAD@Magellan?
5MSWHEEL?
$AA@
_DATASEGMENTDWORDUSE32PUBLIC'DATA'
_DATAENDS
;COMDAT?
?
_C@_06FPAF@MouseZ?
$AA@
_DATASEGMENTDWORDUSE32PUBLIC'DATA'
; The dotted line is the article author's elision, not listing output.
..................
;COMDAT?
?
_7?
$basic_ostream@DU?
$char_traits@D@std@@@std@@6B@
CONSTSEGMENTDWORDUSE32PUBLIC'CONST'
CONSTENDS
;COMDAT?
npos@?
$basic_string@DU?
$char_traits@D@std@@V?
$allocator@D@2@@std@@2IB
CONSTSEGMENTDWORDUSE32PUBLIC'CONST'
CONSTENDS
; Flat group and segment-register assumptions (one statement, split over
; four lines by the extraction).
FLATGROUP_DATA,CONST,_BSS,CRT$XCA,CRT$XCU,CRT$XCL,CRT$XCC,CRT$XCZ,xdata$x
ASSUMECS:
FLAT,DS:
FLAT,SS:
FLAT
endif
CONSTSEGMENT
; Encode alphabet: the 64 Base64 symbols in index order
; ('A'..'Z', 'a'..'z', '0'..'9', '+', '/'), NUL-terminated.
_EnBase64TabDB'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123'
DB'456789+/',00H
; Skips 3 bytes so the next table starts on a 4-byte boundary (65 bytes
; above + 3 = 68).
ORG$+3
; Decode table, indexed directly by the input byte's ASCII value. It has
; exactly 123 entries (indices 0..122, i.e. up to 'z'): a byte above 122
; has no entry at all, so any decoder must bound-check the byte before
; indexing into this table — whether DecodeBase64 does so is not visible
; in this listing (its body is cut off further down).
; Every byte outside the alphabet, including the '=' padding character,
; maps to 0 — the same value as 'A' — so malformed input cannot be
; told apart from 'A' via this table alone.
_DeBase64TabDB00H ; idx 0
DB00H ; idx 1
DB00H ; idx 2
DB00H ; idx 3
DB00H ; idx 4
DB00H ; idx 5
DB00H ; idx 6
DB00H ; idx 7
DB00H ; idx 8
DB00H ; idx 9
DB00H ; idx 10
DB00H ; idx 11
DB00H ; idx 12
DB00H ; idx 13
DB00H ; idx 14
DB00H ; idx 15
DB00H ; idx 16
DB00H ; idx 17
DB00H ; idx 18
DB00H ; idx 19
DB00H ; idx 20
DB00H ; idx 21
DB00H ; idx 22
DB00H ; idx 23
DB00H ; idx 24
DB00H ; idx 25
DB00H ; idx 26
DB00H ; idx 27
DB00H ; idx 28
DB00H ; idx 29
DB00H ; idx 30
DB00H ; idx 31
DB00H ; idx 32 ' '
DB00H ; idx 33 '!'
DB00H ; idx 34 '"'
DB00H ; idx 35 '#'
DB00H ; idx 36 '$'
DB00H ; idx 37 '%'
DB00H ; idx 38 '&'
DB00H ; idx 39 '''
DB00H ; idx 40 '('
DB00H ; idx 41 ')'
DB00H ; idx 42 '*'
DB03eH ; idx 43 '+' -> 62
DB00H ; idx 44 ','
DB00H ; idx 45 '-'
DB00H ; idx 46 '.'
DB03fH ; idx 47 '/' -> 63
DB034H ; idx 48 '0' -> 52
DB035H ; idx 49 '1'
DB036H ; idx 50 '2'
DB037H ; idx 51 '3'
DB038H ; idx 52 '4'
DB039H ; idx 53 '5'
DB03aH ; idx 54 '6'
DB03bH ; idx 55 '7'
DB03cH ; idx 56 '8'
DB03dH ; idx 57 '9' -> 61
DB00H ; idx 58 ':'
DB00H ; idx 59 ';'
DB00H ; idx 60 '<'
DB00H ; idx 61 '=' (padding character also maps to 0)
DB00H ; idx 62 '>'
DB00H ; idx 63 '?'
DB00H ; idx 64 '@'
DB00H ; idx 65 'A' -> 0
DB01H ; idx 66 'B' -> 1
DB02H ; idx 67 'C'
DB03H ; idx 68 'D'
DB04H ; idx 69 'E'
DB05H ; idx 70 'F'
DB06H ; idx 71 'G'
DB07H ; idx 72 'H'
DB08H ; idx 73 'I'
DB09H ; idx 74 'J'
DB0aH ; idx 75 'K'
DB0bH ; idx 76 'L'
DB0cH ; idx 77 'M'
DB0dH ; idx 78 'N'
DB0eH ; idx 79 'O'
DB0fH ; idx 80 'P'
DB010H ; idx 81 'Q'
DB011H ; idx 82 'R'
DB012H ; idx 83 'S'
DB013H ; idx 84 'T'
DB014H ; idx 85 'U'
DB015H ; idx 86 'V'
DB016H ; idx 87 'W'
DB017H ; idx 88 'X'
DB018H ; idx 89 'Y'
DB019H ; idx 90 'Z' -> 25
DB00H ; idx 91 '['
DB00H ; idx 92 '\'
DB00H ; idx 93 ']'
DB00H ; idx 94 '^'
DB00H ; idx 95 '_'
DB00H ; idx 96 '`'
DB01aH ; idx 97 'a' -> 26
DB01bH ; idx 98 'b'
DB01cH ; idx 99 'c'
DB01dH ; idx 100 'd'
DB01eH ; idx 101 'e'
DB01fH ; idx 102 'f'
DB020H ; idx 103 'g'
DB021H ; idx 104 'h'
DB022H ; idx 105 'i'
DB023H ; idx 106 'j'
DB024H ; idx 107 'k'
DB025H ; idx 108 'l'
DB026H ; idx 109 'm'
DB027H ; idx 110 'n'
DB028H ; idx 111 'o'
DB029H ; idx 112 'p'
DB02aH ; idx 113 'q'
DB02bH ; idx 114 'r'
DB02cH ; idx 115 's'
DB02dH ; idx 116 't'
DB02eH ; idx 117 'u'
DB02fH ; idx 118 'v'
DB030H ; idx 119 'w'
DB031H ; idx 120 'x'
DB032H ; idx 121 'y'
DB033H ; idx 122 'z' -> 51 (last entry; bytes 123..255 have no entry)
CONSTENDS
; CRT$XCU holds pointers to C++ dynamic initializers; this entry points at
; _$E383, an initializer whose body is not in the visible part of the
; listing.
CRT$XCUSEGMENT
_$S384DDFLAT:
_$E383
CRT$XCUENDS
; ?EncodeBase64@@YAHPBEPADH@Z decodes (MSVC name mangling) to
;   int __cdecl EncodeBase64(const unsigned char *pSrc, char *pDst, int nSrcLen)
; There is no output-length parameter, so nothing inside the routine can
; check that pDst is large enough (see the notes on the PROC below). The
; leading '?' of the mangled name was split onto its own line by the
; extraction.
PUBLIC?
EncodeBase64@@YAHPBEPADH@Z;EncodeBase64
;COMDAT?
EncodeBase64@@YAHPBEPADH@Z
_TEXTSEGMENT
; esp-relative frame offsets used by the PROC (referenced as
; _name$[esp+k], where k accounts for the registers pushed so far).
; Incoming arguments:
_pSrc$=8
_pDst$=12
_nSrcLen$=16
; Locals c1/c2/c3 carry the same offsets as pDst/pSrc/nSrcLen: the
; compiler apparently loads the arguments into registers first and then
; reuses the incoming-argument slots as spill space for the byte locals.
_c1$=12
_c2$=8
_c3$=16
_nMod$=-4
; EncodeBase64(pSrc, pDst, nSrcLen): Base64-encodes nSrcLen bytes from pSrc
; into pDst and returns the number of characters written (nDstLen).
; Output-size contract, read off the interleaved source lines: the main
; loop stores 4 characters per 3 input bytes (;22-;25), the tail stores 4
; more when nSrcLen%3 != 0 (;33-;35 / ;43-;46), and ;51 stores a '\0'.
; pDst therefore needs at least 4*((nSrcLen+2)/3)+1 bytes, and since the
; routine has no output-length parameter the caller alone is responsible
; for providing them.
; The echoed Chinese source comments are the original author's: ;8 "read
; 3 bytes from the input buffer", ;9 "output character count", ;10
; "quotient of input length / 3", ;11 "remainder of input length / 3",
; ;13 "take 3 bytes at a time and encode them into 4 characters".
EncodeBase64@@YAHPBEPADH@ZPROCNEAR;EncodeBase64,COMDAT
;7:
{
; Each listing line is "<offset> <machine-code bytes> <instruction>"; the
; separating spaces were lost in this copy ("0000051pushecx" is
; "00000  51  push ecx").
0000051pushecx
0000155pushebp
0000256pushesi
;8:
unsignedcharc1,c2,c3;//输入缓冲区读出3个字节
;9:
intnDstLen=0;//输出的字符计数
;10:
intnDiv=nSrcLen/3;//输入数据长度除以3得到的倍数
; nSrcLen/3 is computed as a signed multiply by 0x55555556 plus a sign
; fix-up (the compiler's strength-reduced division); the quotient ends up
; in edx.
000038b742418movesi,DWORDPTR_nSrcLen$[esp+8]
00007b856555555moveax,1431655766;55555556H
0000cf7eeimulesi
0000e8bc2moveax,edx
0001033edxorebp,ebp
00012c1e81fshreax,31;0000001fH
0001503d0addedx,eax
;11:
intnMod=nSrcLen%3;//输入数据长度除以3得到的余数
; The remainder uses a real idiv; nMod lands in edx and is spilled to
; _nMod$ at the start of the next listing line.
000178bc6moveax,esi
000198bcamovecx,edx
0001bbe03000000movesi,3
0002099cdq
00021f7feidivesi
;12:
;13:
//每次取3个字节,编码成4个字符
; Source line ;14 "for(int i=0; i<nDiv; i++)" was cut at the '<' by the
; extraction, and the whole loop body (;14 through ;35) was merged into
; the single long line that follows. Two things worth seeing in it:
; "test ecx,ecx / jle $L132338" skips the loop entirely when nDiv <= 0
; (so also for a negative nSrcLen, which then reaches the tail with a
; negative nMod and only the '\0' is stored), and "lea ebp,[ecx*4]"
; precomputes nDstLen = 4*nDiv once instead of adding 4 per iteration as
; source line ;26 does.
;14:
for(inti=0;i 0002385c9testecx,ecx 0002589542408movDWORDPTR_nMod$[esp+12],edx 000290f8edc0000 00jle$L132338 0002f8b442414moveax,DWORDPTR_pDst$[esp+8] 0003353pushebx 000348bd9movebx,ecx 000368d2c8d0000 0000leaebp,DWORDPTR[ecx*4] 0003d8b4c2414movecx,DWORDPTR_pSrc$[esp+12] 0004157pushedi $L129542: ;15: { ;16: //取3个字节 ;17: c1=*pSrc++; 000428a11movdl,BYTEPTR[ecx] 0004441incecx 000458854241cmovBYTEPTR_c1$[esp+16],dl ;18: c2=*pSrc++; 000498a11movdl,BYTEPTR[ecx] ;19: c3=*pSrc++; ;20: ;21: //编码成4个字符 ;22: *pDst++=EnBase64Tab[c1>>2]; 0004b8b74241cmovesi,DWORDPTR_c1$[esp+16] 0004f41incecx 0005088542418movBYTEPTR_c2$[esp+16],dl ;23: *pDst++=EnBase64Tab[((c1<<4)|(c2>>4))&0x3f]; 000548b7c2418movedi,DWORDPTR_c2$[esp+16] 0005881e6ff0000 00andesi,255;000000ffH 0005e8a11movdl,BYTEPTR[ecx] 0006081e7ff0000 00andedi,255;000000ffH 0006688542420movBYTEPTR_c3$[esp+16],dl 0006a8bd6movedx,esi 0006cc1ea02shredx,2 0006f83e603andesi,3 0007241incecx 000738a92000000 00movdl,BYTEPTR_EnBase64Tab[edx] 000798810movBYTEPTR[eax],dl 0007b8bd7movedx,edi 0007dc1ea04shredx,4 00080c1e604shlesi,4 000830bd6oredx,esi ;24: *pDst++=EnBase64Tab[((c2<<2)|(c3>>6))&0x3f]; 000858b742420movesi,DWORDPTR_c3$[esp+16] 0008940inceax 0008a81e6ff0000 00andesi,255;000000ffH 000908a92000000 00movdl,BYTEPTR_EnBase64Tab[edx] 0009683e70fandedi,15;0000000fH 000998810movBYTEPTR[eax],dl 0009b8bd6movedx,esi 0009dc1ea06shredx,6 000a0c1e702shledi,2 000a30bd7oredx,edi 000a540inceax ;25: *pDst++=EnBase64Tab[c3&0x3f]; 000a683e63fandesi,63;0000003fH 000a940inceax 000aa8a92000000 00movdl,BYTEPTR_EnBase64Tab[edx] 000b08850ffmovBYTEPTR[eax-1],dl 000b38a96000000 00movdl,BYTEPTR_EnBase64Tab[esi] 000b98810movBYTEPTR[eax],dl 000bb40inceax 000bc4bdecebx 000bd7583jneSHORT$L129542 000bf8b542410movedx,DWORDPTR_nMod$[esp+20] 000c35fpopedi 000c45bpopebx $L129544: ;26: nDstLen+=4; ;27: } ;28: ;29: //编码余下的字节 ;30: if(nMod==1) 000c583fa01cmpedx,1 000c8754bjneSHORT$L129545 ;31: { ;32: c1=*pSrc++; 000ca8a09movcl,BYTEPTR[ecx] 000cc5epopesi 
; Tail cases (;30-;47): nMod==1 emits two symbols and "==", nMod==2 emits
; three symbols and "="; the '=' bytes are the "mov BYTE PTR [eax],61"
; stores (61 = '='). Each branch then stores the '\0' (;51) and returns
; nDstLen from ebp (;53). The compiler placed the empty-loop path
; ($L132338) after the first return, so the ;12-;14 source lines are
; echoed a second time there. The two long lines below are still merged.
000cd884c2410movBYTEPTR_c1$[esp+4],cl ;33: *pDst++=EnBase64Tab[(c1&0xfc)>>2]; 000d18b4c2410movecx,DWORDPTR_c1$[esp+4] 000d581e1ff0000 00andecx,255;000000ffH 000db8bd1movedx,ecx ;34: *pDst++=EnBase64Tab[((c1&0x03)<<4)]; 000dd83e103andecx,3 000e0c1ea02shredx,2 000e3c1e104shlecx,4 000e68a92000000 00movdl,BYTEPTR_EnBase64Tab[edx] 000ec8810movBYTEPTR[eax],dl 000ee8a89000000 00movcl,BYTEPTR_EnBase64Tab[ecx] 000f440inceax 000f58808movBYTEPTR[eax],cl 000f740inceax ;35: *pDst++='='; 000f8c6003dmovBYTEPTR[eax],61;0000003dH ;45: *pDst++=EnBase64Tab[((c2&0x0f)<<2)]; 000fb40inceax ;46: *pDst++='='; 000fcc6003dmovBYTEPTR[eax],61;0000003dH 000ff40inceax ;47: nDstLen+=4; 0010083c504addebp,4 ;48: } ;49: ;50: //输出加个结束符 ;51: *pDst='\0'; 00103c60000movBYTEPTR[eax],0 ;52: ;53: returnnDstLen; 001068bc5moveax,ebp 001085dpopebp ;54: } 0010959popecx 0010ac3ret0 $L132338: ;12: ;13: //每次取3个字节,编码成4个字符 ;14: for(inti=0;i 0010b8b442414moveax,DWORDPTR_pDst$[esp+8] 0010f8b4c2410movecx,DWORDPTR_pSrc$[esp+8] 00113ebb0jmpSHORT$L129544 $L129545: ;36: *pDst++='='; ;37: nDstLen+=4; ;38: } ;39: elseif(nMod==2) 0011583fa02cmpedx,2 00118755bjneSHORT$L132337 ;40: { ;41: c1=*pSrc++; 0011a8a11movdl,BYTEPTR[ecx] ;42: c2=*pSrc++; 0011c8a4901movcl,BYTEPTR[ecx+1] 0011f88542414movBYTEPTR_c1$[esp+8],dl 00123884c2410movBYTEPTR_c2$[esp+8],cl ;43: *pDst++=EnBase64Tab[(c1&0xfc)>>2]; 001278b4c2414movecx,DWORDPTR_c1$[esp+8] 0012b81e1ff0000 00andecx,255;000000ffH 001318bd1movedx,ecx ;44: *pDst++=EnBase64Tab[((c1&0x03)<<4)|((c2&0xf0)>>4)]; 0013383e103andecx,3 00136c1ea02shredx,2 00139c1e104shlecx,4 0013c8a92000000 00movdl,BYTEPTR_EnBase64Tab[edx] 001428810movBYTEPTR[eax],dl 001448b542410movedx,DWORDPTR_c2$[esp+8] 0014881e2ff0000 00andedx,255;000000ffH 0014e40inceax 0014f8bf2movesi,edx ;45: *pDst++=EnBase64Tab[((c2&0x0f)<<2)]; 0015183e20fandedx,15;0000000fH 00154c1ee04shresi,4 001570bf1oresi,ecx 0015940inceax 0015a40inceax 0015b8a8e000000 00movcl,BYTEPTR_EnBase64Tab[esi] 001618848femovBYTEPTR[eax-2],cl 001648a14950000 
0000movdl,BYTEPTR_EnBase64Tab[edx*4] 0016b8850ffmovBYTEPTR[eax-1],dl ;46: *pDst++='='; 0016ec6003dmovBYTEPTR[eax],61;0000003dH 0017140inceax ;47: nDstLen+=4; 0017283c504addebp,4 $L132337: ;48: } ;49: ;50: //输出加个结束符 ;51: *pDst='\0'; 00175c60000movBYTEPTR[eax],0 ;52: ;53: returnnDstLen; 001788bc5moveax,ebp 0017a5epopesi 0017b5dpopebp ;54: } 0017c59popecx 0017dc3ret0 ? EncodeBase64@@YAHPBEPADH@ZENDP;EncodeBase64 _TEXTENDS PUBLIC? DecodeBase64@@YAHPBDPAEH@Z;DecodeBase64 ;COMDAT? DecodeBase64@@YAHPBDPAEH@Z _TEXTSEGMENT _pSrc$=8 _pDst$=12 _nSrcLen$=16 _c3$=12 _c4$=8 _lc1$=-5 _nDiv$=-4 ? DecodeBase64@@YAHPBDPAEH@ZPROCNEAR;DecodeBase64,COMDAT ;74: { 0000083ec08subesp,8 ;75: unsignedcharc1,c2,c
; ?DecodeBase64@@YAHPBDPAEH@Z decodes to
;   int __cdecl DecodeBase64(const char *pSrc, unsigned char *pDst, int nSrcLen)
; Its body is cut off here, so whether it validates each input byte
; (range-checks before indexing the 123-entry _DeBase64Tab, rejects
; non-alphabet bytes) cannot be confirmed from this listing; the decode
; side is where untrusted input is consumed, so that is the part a reader
; should check in the full .cod file.