.386
.model flat,stdcall
option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include file definitions
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Data segment
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.const
Caption db 'hello',0
Text db '你好 is my wife',0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Code segment
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
start:
invoke MessageBox,NULL,offset Text,offset Caption,MB_OK
;invoke GetModuleHandle,NULL
invoke ExitProcess,NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start
Disassembly and debugging
CPU Disasm
Address Hex dump Command Comments
00401000 /. 6A 00 PUSH 0 ; Type = MB_OK|MB_DEFBUTTON1|MB_APPLMODAL
00401002 |. 68 10204000 PUSH OFFSET 00402010 ; Caption = "hello"
00401007 |. 68 16204000 PUSH OFFSET 00402016 ; Text
0040100C |. 6A 00 PUSH 0
0040100E |. E8 07000000 CALL <JMP.&user32.MessageBoxA> ; Jump to user32.MessageBoxA
00401013 |. 6A 00 PUSH 0 ; /ExitCode = 0
00401015 \. E8 06000000 CALL <JMP.&kernel32.ExitProcess> ; \KERNEL32.ExitProcess
0040101A - FF25 08204000 JMP DWORD PTR DS:[<&user32.MessageBoxA>]
00401020 $- FF25 00204000 JMP DWORD PTR DS:[<&kernel32.ExitProcess>]
00401026 00 DB 00
00401027 00 DB 00
Execution begins at start: the arguments are pushed onto the stack and then the call is made. To recover the data passed to the message box, press CTRL+G in the debugger to go to the MessageBox function, set a breakpoint there, and then inspect the values that were pushed on the stack.
CPU Disasm
Address Hex dump Command Comments
75E7EAA5 |. FF75 14 PUSH DWORD PTR SS:[EBP+14] ; |Type
75E7EAA8 |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |Caption
75E7EAAB |. FF75 0C PUSH DWORD PTR SS:[EBP+0C] ; |Text
75E7EAAE |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
75E7EAB1 |. E8 73FFFFFF CALL MessageBoxExA ; \USER32.MessageBoxExA
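As an added example that is not part of the original post, the following Python script takes the first listing above (re-typed from the page's addresses and opcode bytes, with the comments dropped) and rebuilds the stdcall argument list for each CALL, which is what the breakpoint-and-inspect-the-stack step recovers by hand; it also resolves the E8 relative call to its JMP thunk and the thunk's FF25 import-table slot. The EBP+8/0C/10/14 reads in the second listing are the same four arguments seen from the callee's side, in the same order.

```python
# Constructed sample from the OllyDbg listing above (page addresses and opcode
# bytes, comments dropped); not live debugger output.
LISTING = """\
00401000 6A 00 PUSH 0
00401002 68 10204000 PUSH OFFSET 00402010
00401007 68 16204000 PUSH OFFSET 00402016
0040100C 6A 00 PUSH 0
0040100E E8 07000000 CALL <JMP.&user32.MessageBoxA>
00401013 6A 00 PUSH 0
00401015 E8 06000000 CALL <JMP.&kernel32.ExitProcess>
0040101A FF25 08204000 JMP DWORD PTR DS:[<&user32.MessageBoxA>]
"""

def parse_line(line):
    """Split one listing line into (address, opcode bytes, mnemonic, operand text)."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in ("PUSH", "CALL", "JMP"):
            return (int(tokens[0], 16), bytes.fromhex("".join(tokens[1:i])),
                    tok, " ".join(tokens[i + 1:]))
    return None  # data lines (DB) and other instructions are not handled here

def decode(addr, code):
    """Decode the immediate or target carried by the opcodes used in the listing."""
    if code[0] == 0x6A:                  # PUSH imm8, sign-extended to 32 bits
        return int.from_bytes(code[1:2], "little", signed=True) & 0xFFFFFFFF
    if code[0] == 0x68:                  # PUSH imm32
        return int.from_bytes(code[1:5], "little")
    if code[0] == 0xE8:                  # CALL rel32, relative to the next instruction
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return (addr + len(code) + rel) & 0xFFFFFFFF
    if code[:2] == b"\xFF\x25":          # JMP DWORD PTR [disp32]: the IAT slot address
        return int.from_bytes(code[2:6], "little")
    raise ValueError(f"unsupported opcode at {addr:08X}")

def recover_calls(listing):
    """Map each CALL address to (target, args, operand). stdcall pushes arguments
    right-to-left, so the last PUSH before the CALL is the first parameter."""
    pending, calls = [], {}
    for line in listing.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        addr, code, mnem, operand = parsed
        if mnem == "PUSH":
            pending.append(decode(addr, code))
        elif mnem == "CALL":
            calls[addr] = (decode(addr, code), list(reversed(pending)), operand)
            pending = []
    return calls
```

recover_calls(LISTING)[0x0040100E] gives target 0040101A (the JMP thunk) with arguments [hOwner, Text, Caption, Type] = [0, 0x402016, 0x402010, 0], matching the comments OllyDbg printed beside the PUSHes.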