所谓的代码还原,就是对目标软件进行反汇编调试分析,得出目标软件某一功能的实现代码。
此种技术是汇编应用之一,是别的语言无法完成的,可见汇编的魅力所在。本例,反汇编看雪写的Anti-Spy.exe,发现其原理是很简单的,并写出了汇编级的还原代码。Anti-Spy.exe是VC++语言写的,监视RegMON和FileMON软件是否在运行,RegMON和FileMON分别是监视注册和文件的软件,在破解中常用到。没时间,就把还原的代码放上来。见笑,很简单的
本想写篇反汇编分析的文章献给汇编初学者,没时间。
;资源文件,保存为1.rc
// Resource script for the demo dialog (DLG_MAIN).
// NOTE(review): resource.h is not shown on this page; the three IDs used
// below are #defined right here, so the include may be redundant -- confirm
// the header exists before building.
#include "resource.h"
// Dialog template ID and control IDs; the .asm file repeats these as equ.
#define DLG_MAIN 1
#define IDC_CHECKREG 1000
#define IDC_CHECKFILE 1001
// Modal-frame popup, 98x87 dialog units, positioned at (100,100).
DLG_MAIN DIALOGEX 100, 100, 98, 87
STYLE DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
CAPTION "调试代码还原示例"
FONT 8, "MS Sans Serif"
BEGIN
// Three stacked push buttons: detect RegMON, detect FileMON, exit (IDOK).
PUSHBUTTON "检测RegMON",IDC_CHECKREG,12,7,73,19,0,WS_EX_STATICEDGE
PUSHBUTTON "检测FileMON",IDC_CHECKFILE,12,31,74,19,0,
WS_EX_STATICEDGE
PUSHBUTTON "退出",IDOK,12,55,73,19,0,WS_EX_STATICEDGE
END
;asm文件
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
DLG_MAIN equ 1
IDC_CHECKREG equ 1000
IDC_CHECKFILE equ 1001
.data
; Device names opened with CreateFile to probe for the Sysinternals VxD
; drivers.  NOTE(review): these read "//./..." here, while the Win32
; device-namespace prefix is "\\.\"; the forward slashes are presumably
; a transcription artefact of "\\.\REGVXD" / "\\.\FILEVXD" -- confirm
; before relying on them.
szRegFileName db '//./REGVXD',0
szFileFileName db '//./FILEVXD',0
; Exact top-level window titles searched with FindWindow as the fallback
; test when the device open fails.
szFileTitle db 'File Monitor - Sysinternals: www.sysinternals.com',0
szRegTitle db 'Registry Monitor - Sysinternals: www.sysinternals.com',0
; MessageBox captions (szError / szOk) and result texts.
szError db 'Error',0
szOk db 'OK',0
szRegNo db '没发现RegMon',0            ; "RegMon not found"
szRegOK db 'RegMon正在运行',0          ; "RegMon is running"
szFileNo db '没发现FileMon',0          ; "FileMon not found"
szFileOK db 'FileMon正在运行',0        ; "FileMon is running"
.data?
hInstance dd ?                         ; module handle, written once at start
.code
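;-----------------------------------------------------------------------
; int _CheckFile(void)
; Probes for Sysinternals FileMon: first by opening its VxD device name,
; then (if that fails) by looking for its main window title.
; ABI:   stdcall, no arguments
; Out:   eax = 1 if FileMon was detected, 0 otherwise
; Clobb: ecx, edx, flags (via Win32 callees); ebx/esi/edi untouched
; Fix:   the original used a bare ".elseif" (no condition) where ".else"
;        was meant, which does not assemble.
;-----------------------------------------------------------------------
_CheckFile proc
    ; Share mode 3 = FILE_SHARE_READ|FILE_SHARE_WRITE, disposition 3 =
    ; OPEN_EXISTING.  The original passed the attribute as decimal 80
    ; (50h); the disassembly value was presumably hex 80h, i.e.
    ; FILE_ATTRIBUTE_NORMAL -- for a device open the attribute is ignored
    ; either way.
    invoke CreateFile,addr szFileFileName,GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
    .if eax == INVALID_HANDLE_VALUE
        ; Device not present (always the case where VxDs do not exist):
        ; fall back to searching for the FileMon window by exact title.
        invoke FindWindow,NULL,addr szFileTitle
        ; Normalise the HWND (0 / non-0) to exactly 0 / 1 so callers can
        ; test "eax == 1".
        test eax,eax
        setne al
        movzx eax,al
    .else
        ; Device opened, so the driver is loaded: release the handle and
        ; report detection.
        push eax
        call CloseHandle
        mov eax,1
    .endif
    ret
_CheckFile endp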
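;-----------------------------------------------------------------------
; int _CheckReg(void)
; Probes for Sysinternals RegMon: first by opening its VxD device name,
; then (if that fails) by looking for its main window title.
; ABI:   stdcall, no arguments
; Out:   eax = 1 if RegMon was detected, 0 otherwise
; Clobb: ecx, edx, flags (via Win32 callees); ebx/esi/edi untouched
; Fix:   the original used a bare ".elseif" (no condition) where ".else"
;        was meant, which does not assemble.
;-----------------------------------------------------------------------
_CheckReg proc
    ; Share mode 3 = FILE_SHARE_READ|FILE_SHARE_WRITE, disposition 3 =
    ; OPEN_EXISTING.  The original passed the attribute as decimal 80
    ; (50h); the disassembly value was presumably hex 80h, i.e.
    ; FILE_ATTRIBUTE_NORMAL -- for a device open the attribute is ignored
    ; either way.
    invoke CreateFile,addr szRegFileName,GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
    .if eax == INVALID_HANDLE_VALUE
        ; Device not present (always the case where VxDs do not exist):
        ; fall back to searching for the RegMon window by exact title.
        invoke FindWindow,NULL,addr szRegTitle
        ; Normalise the HWND (0 / non-0) to exactly 0 / 1 so callers can
        ; test "eax == 1".
        test eax,eax
        setne al
        movzx eax,al
    .else
        ; Device opened, so the driver is loaded: release the handle and
        ; report detection.
        push eax
        call CloseHandle
        mov eax,1
    .endif
    ret
_CheckReg endp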
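;-----------------------------------------------------------------------
; BOOL CALLBACK _ProcDlgMain(HWND hWnd, UINT wMsg, WPARAM wParam, LPARAM lParam)
; Dialog procedure for DLG_MAIN: handles close, init and the three
; buttons; every other message is reported as unhandled.
; ABI:   stdcall; ebx/esi/edi preserved by "uses" (none are used here)
; Out:   eax = TRUE if the message was handled, FALSE otherwise
; Fix:   the original WM_INITDIALOG branch sent WM_SETICON with eax --
;        which at that point still held wMsg -- as the HICON; that is not
;        an icon handle, so the send is dropped.  Setting a real icon
;        would need LoadIcon first.
;-----------------------------------------------------------------------
_ProcDlgMain proc uses ebx edi esi hWnd,wMsg,wParam,lParam
    mov eax,wMsg
    .if eax == WM_CLOSE
        invoke EndDialog,hWnd,NULL
    .elseif eax == WM_INITDIALOG
        ; Nothing to initialise; returning TRUE lets the dialog manager
        ; place the default focus.
    .elseif eax == WM_COMMAND
        ; Low word of wParam carries the control ID.
        movzx eax,word ptr wParam
        .if eax == IDOK
            invoke EndDialog,hWnd,NULL
        .elseif eax == IDC_CHECKFILE
            ; _CheckFile returns exactly 0 or 1.
            invoke _CheckFile
            .if eax == 1
                invoke MessageBox,NULL,addr szFileOK,addr szOk,MB_OK
            .else
                invoke MessageBox,NULL,addr szFileNo,addr szError,MB_OK
            .endif
        .elseif eax == IDC_CHECKREG
            ; _CheckReg returns exactly 0 or 1.
            invoke _CheckReg
            .if eax == 1
                invoke MessageBox,NULL,addr szRegOK,addr szOk,MB_OK
            .else
                invoke MessageBox,NULL,addr szRegNo,addr szError,MB_OK
            .endif
        .endif
    .else
        ; Unhandled message: let the dialog manager process it.
        mov eax,FALSE
        ret
    .endif
    mov eax,TRUE
    ret
_ProcDlgMain endp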
;-----------------------------------------------------------------------
; Program entry: fetch the module handle, run DLG_MAIN modally with
; _ProcDlgMain as its dialog procedure, then exit with code 0.
; Written with explicit push/call (stdcall, right-to-left) rather than
; invoke; the behaviour is identical.
;-----------------------------------------------------------------------
start:
    push NULL
    call GetModuleHandle            ; eax = HINSTANCE of this module
    mov hInstance,eax
    push NULL                       ; dwInitParam
    push offset _ProcDlgMain        ; lpDialogFunc
    push NULL                       ; hWndParent
    push DLG_MAIN                   ; lpTemplateName (resource ID 1)
    push eax                        ; hInstance (eax still holds it)
    call DialogBoxParam
    push NULL                       ; uExitCode
    call ExitProcess
end start