Can someone help me explain a piece of code?
- I can understand every single instruction, but put together I have no idea what it does.
No way, can't help you!
Sorry, wait for an expert - Disassembly like this, with no context at all, I believe nobody can make sense of!
OP is probably going to be disappointed! -
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005251C6(C)
|
:005251DD C745E000000000 mov [ebp-20], 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005251DB(U)
|
:005251E4 8B55E0 mov edx, dword ptr [ebp-20]
:005251E7 8955EC mov dword ptr [ebp-14], edx
:005251EA C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:005251F1 8B45EC mov eax, dword ptr [ebp-14]
:005251F4 8945F0 mov dword ptr [ebp-10], eax
:005251F7 8B4DE4 mov ecx, dword ptr [ebp-1C]
:005251FA E821000000 call 00525220
:005251FF 8B4DE4 mov ecx, dword ptr [ebp-1C]
:00525202 8B55F0 mov edx, dword ptr [ebp-10]
:00525205 8911 mov dword ptr [ecx], edx
:00525207 8B45E4 mov eax, dword ptr [ebp-1C]
:0052520A 8B4DF4 mov ecx, dword ptr [ebp-0C]
:0052520D 64890D00000000 mov dword ptr fs:[00000000], ecx
:00525214 8BE5 mov esp, ebp
:00525216 5D pop ebp
:00525217 C20400 ret 0004
:0052521A CC int 03
:0052521B CC int 03
:0052521C CC int 03
:0052521D CC int 03
:0052521E CC int 03
:0052521F CC int 03
* Referenced by a CALL at Addresses:
|:0052517A , :005251FA , :00526971
|
:00525220 55 push ebp
:00525221 8BEC mov ebp, esp
:00525223 51 push ecx
:00525224 894DFC mov dword ptr [ebp-04], ecx
:00525227 8B45FC mov eax, dword ptr [ebp-04]
:0052522A 833800 cmp dword ptr [eax], 00000000
:0052522D 7413 je 00525242
:0052522F 8B4DFC mov ecx, dword ptr [ebp-04]
:00525232 8B09 mov ecx, dword ptr [ecx]
:00525234 E897010000 call 005253D0
:00525239 8B55FC mov edx, dword ptr [ebp-04]
:0052523C C70200000000 mov dword ptr [edx], 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052522D(C)
|
:00525242 8BE5 mov esp, ebp
:00525244 5D pop ebp
:00525245 C3 ret
:00525246 CC int 03
:00525247 CC int 03
:00525248 CC int 03
:00525249 CC int 03
:0052524A CC int 03
:0052524B CC int 03
:0052524C CC int 03
:0052524D CC int 03
:0052524E CC int 03
:0052524F CC int 03
* Referenced by a CALL at Address:
|:0052511F
|
:00525250 55 push ebp
:00525251 8BEC mov ebp, esp
:00525253 51 push ecx
:00525254 894DFC mov dword ptr [ebp-04], ecx
:00525257 8B45FC mov eax, dword ptr [ebp-04]
:0052525A C7400400000000 mov [eax+04], 00000000
:00525261 8B4DFC mov ecx, dword ptr [ebp-04]
:00525264 C7410801000000 mov [ecx+08], 00000001
:0052526B 8B5508 mov edx, dword ptr [ebp+08]
:0052526E 52 push edx
:0052526F E80F190300 call 00556B83
:00525274 8B4DFC mov ecx, dword ptr [ebp-04]
:00525277 8901 mov dword ptr [ecx], eax
:00525279 8B55FC mov edx, dword ptr [ebp-04]
:0052527C 833A00 cmp dword ptr [edx], 00000000
:0052527F 7510 jne 00525291
:00525281 837D0800 cmp dword ptr [ebp+08], 00000000
:00525285 740A je 00525291
:00525287 680E000780 push 8007000E
:0052528C E8A6180300 call 00556B37
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0052527F(C), :00525285(C)
|
:00525291 8B45FC mov eax, dword ptr [ebp-04]
:00525294 8BE5 mov esp, ebp
:00525296 5D pop ebp
:00525297 C20400 ret 0004
:0052529A CC int 03
:0052529B CC int 03
:0052529C CC int 03
:0052529D CC int 03
:0052529E CC int 03
:0052529F CC int 03
* Referenced by a CALL at Address:
|:005251D3
|
:005252A0 55 push ebp
:005252A1 8BEC mov ebp, esp
:005252A3 83EC14 sub esp, 00000014
:005252A6 894DEC mov dword ptr [ebp-14], ecx
:005252A9 8B45EC mov eax, dword ptr [ebp-14]
:005252AC C7400400000000 mov [eax+04], 00000000
:005252B3 8B4DEC mov ecx, dword ptr [ebp-14]
:005252B6 C7410801000000 mov [ecx+08], 00000001
:005252BD 8B4D08 mov ecx, dword ptr [ebp+08]
:005252C0 E8DB000000 call 005253A0
:005252C5 8945F4 mov dword ptr [ebp-0C], eax
:005252C8 8B4D0C mov ecx, dword ptr [ebp+0C]
:005252CB E8D0000000 call 005253A0
:005252D0 8945F0 mov dword ptr [ebp-10], eax
:005252D3 8B55F4 mov edx, dword ptr [ebp-0C]
:005252D6 0355F0 add edx, dword ptr [ebp-10]
:005252D9 D1E2 shl edx, 1
:005252DB 52 push edx
:005252DC 6A00 push 00000000 - If it isn't encrypted/packed, you can debug it with smartcheck.exe.
To check whether it is encrypted, use fi.exe or peid.exe (the Pediy forum has tools to download: http://www.pediy.com/ ) - Thanks. I will definitely study the book you recommended carefully when I get the chance.
Actually I can basically understand it line by line; it's just that put together I don't quite get what it means. This code was actually disassembled with W32Dasm V10. -_-! It's not really about cracking; I just want to know the parameter this program passes when it calls a certain control; the parameter is a string. I think it should be this piece of code, because there is:
* Possible StringData Ref from Data Obj ->"a=" a line like this, mainly the a= in it;
the code after it should be the parameter. I don't know whether my reasoning is right; I think this piece of code is the most "suspicious", so I want to work hard to understand what result it actually computes (it should be a string). :(
This thing can't have gone through an encryption algorithm, can it? I really don't think there is any need to encrypt it. Encrypting even a call's parameter would be going too far, ha. But I don't know why it is so complicated.
In general, what would the steps for computing a string look like? The high-level language I know best is VB; if a VB assignment to a variable, "a='aaa'", were compiled, how would it show up in assembly? (VB code can't be disassembled, so I can't study it~ -_-!) - You should first figure out what the procedures called by those few call instructions do!!
Only then can the whole line of reasoning proceed... - :00524DE1 E8FA020000 call 005250E0
This CALL is:
:005250E0 55 push ebp
:00524DFD E88E030000 call 00525190
This CALL is:
:00525190 55 push ebp
:00524E0C E85F030000 call 00525170
This CALL is:
:00525170 55 push ebp
:00524E19 E8C9C80300 call 005616E7
This CALL is:
:005616E7 53 push ebx
:00524E31 E8AA020000 call 005250E0
This CALL is:
:005250E0 55 push ebp
Some code related to the calls:
* Referenced by a CALL at Addresses:
|:00524D7C , :00524DA6 , :00524DE1 , :00524E31 , :00524E92
|:00524EB8 , :00527DDF
|
:005250E0 55 push ebp
:005250E1 8BEC mov ebp, esp
:005250E3 6AFF push FFFFFFFF
:005250E5 683B7C5900 push 00597C3B
:005250EA 64A100000000 mov eax, dword ptr fs:[00000000]
:005250F0 50 push eax
:005250F1 64892500000000 mov dword ptr fs:[00000000], esp
:005250F8 83EC10 sub esp, 00000010
:005250FB 894DE8 mov dword ptr [ebp-18], ecx
:005250FE 6A0C push 0000000C
:00525100 E82EB70300 call 00560833
:00525105 83C404 add esp, 00000004
:00525108 8945EC mov dword ptr [ebp-14], eax
:0052510B C745FC00000000 mov [ebp-04], 00000000
:00525112 837DEC00 cmp dword ptr [ebp-14], 00000000
:00525116 7411 je 00525129
:00525118 8B4508 mov eax, dword ptr [ebp+08]
:0052511B 50 push eax
:0052511C 8B4DEC mov ecx, dword ptr [ebp-14]
:0052511F E82C010000 call 00525250
:00525124 8945E4 mov dword ptr [ebp-1C], eax
:00525127 EB07 jmp 00525130
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00525116(C)
|
:00525129 C745E400000000 mov [ebp-1C], 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00525127(U)
|
:00525130 8B4DE4 mov ecx, dword ptr [ebp-1C]
:00525133 894DF0 mov dword ptr [ebp-10], ecx
:00525136 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:0052513D 8B55E8 mov edx, dword ptr [ebp-18]
:00525140 8B45F0 mov eax, dword ptr [ebp-10]
:00525143 8902 mov dword ptr [edx], eax
:00525145 8B4DE8 mov ecx, dword ptr [ebp-18]
:00525148 833900 cmp dword ptr [ecx], 00000000
:0052514B 750A jne 00525157
:0052514D 680E000780 push 8007000E
:00525152 E8E0190300 call 00556B37
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052514B(C)
|
:00525157 8B45E8 mov eax, dword ptr [ebp-18]
:0052515A 8B4DF4 mov ecx, dword ptr [ebp-0C]
:0052515D 64890D00000000 mov dword ptr fs:[00000000], ecx
:00525164 8BE5 mov esp, ebp
:00525166 5D pop ebp
:00525167 C20400 ret 0004
:0052516A CC int 03
:0052516B CC int 03
:0052516C CC int 03
:0052516D CC int 03
:0052516E CC int 03
:0052516F CC int 03
* Referenced by a CALL at Addresses:
|:00524DD1 , :00524E0C , :00524E5C , :00524F49 , :00524F58
|:00524F82 , :0052668F , :00526EFD , :00527886 , :00527973
|:00527E1E , :005280F5 , :00528383 , :00528476 , :0052859C
|:0052868F , :00528C87 , :00529201 , :0052AFFF , :0052B4AD
|:0052B5C8 , :0052BDEF , :0052C81C , :0052C926 , :0052CABD
|:0052CBCA , :0052D9E9 , :00597BCF , :00597BDB , :00597BE7
|:00597BF3 , :00597BFF , :00597C0B , :00597D28 , :00597DCF
|:00597E9A , :00597EB2 , :00597F15 , :00597F4E , :00597F81
|:00597FA2 , :00597FCC , :00597FED , :00598068 , :005980D8
|:005983E8 , :00598461 , :00598479 , :00598518 , :0059863B
|:00598653 , :0059866B , :00598683 , :005987B8
|
:00525170 55 push ebp
:00525171 8BEC mov ebp, esp
:00525173 51 push ecx
:00525174 894DFC mov dword ptr [ebp-04], ecx
:00525177 8B4DFC mov ecx, dword ptr [ebp-04]
:0052517A E8A1000000 call 00525220
:0052517F 8BE5 mov esp, ebp
:00525181 5D pop ebp
:00525182 C3 ret
:00525183 CC int 03
:00525184 CC int 03
:00525185 CC int 03
:00525186 CC int 03
:00525187 CC int 03
:00525188 CC int 03
:00525189 CC int 03
:0052518A CC int 03
:0052518B CC int 03
:0052518C CC int 03
:0052518D CC int 03
:0052518E CC int 03
:0052518F CC int 03
* Referenced by a CALL at Addresses:
|:00524DC2 , :00524DFD , :00524E4D
|
:00525190 55 push ebp
:00525191 8BEC mov ebp, esp
:00525193 6AFF push FFFFFFFF
:00525195 685B7C5900 push 00597C5B
:0052519A 64A100000000 mov eax, dword ptr fs:[00000000]
:005251A0 50 push eax
:005251A1 64892500000000 mov dword ptr fs:[00000000], esp
:005251A8 83EC14 sub esp, 00000014
:005251AB 894DE4 mov dword ptr [ebp-1C], ecx
:005251AE 6A0C push 0000000C
:005251B0 E87EB60300 call 00560833
:005251B5 83C404 add esp, 00000004
:005251B8 8945E8 mov dword ptr [ebp-18], eax
:005251BB C745FC00000000 mov [ebp-04], 00000000
:005251C2 837DE800 cmp dword ptr [ebp-18], 00000000
:005251C6 7415 je 005251DD
:005251C8 8B4508 mov eax, dword ptr [ebp+08]
:005251CB 50 push eax
:005251CC 8B4DE4 mov ecx, dword ptr [ebp-1C]
:005251CF 51 push ecx
:005251D0 8B4DE8 mov ecx, dword ptr [ebp-18]
:005251D3 E8C8000000 call 005252A0
:005251D8 8945E0 mov dword ptr [ebp-20], eax
:005251DB EB07 jmp 005251E4
- It doesn't feel like a VB program;
it doesn't use DLLs such as msvbvm60.
In VB, a="123456"
after disassembly uses msvbvm60!_vbavarcopy.
Please confirm with fi.exe - In general, what would the steps for computing a string look like? The high-level language I know best is VB; if a VB assignment to a variable, "a='aaa'", were compiled, how would it show up in assembly? (VB code can't be disassembled, so I can't study it~ -_-!)--------------------------------------------------------------------------
OP, let me address the "a='aaa'" question here.
After a=aaa is compiled into an exe file,
suppose the address of a is x; then the assembly for a='aaa' is as follows.
In the PE file's data section there may already be a defined string 'aaa'; now suppose the RVA of 'aaa' is X and the RVA of variable a is Y.
Then
the assembly for a=aaa is:
push eax
mov eax,offset X
mov Y,[eax]
pop eax
This is indirect assignment; it is really passing the address.
Of course there is also direct assignment:
push eax
mov eax ,dword ptr X
mov dword ptr Y,eax ;dword ptr is used for memory alignment
pop eax
Of course there is another possibility: the PE file's data section has no string "aaa".
Let the RVA of variable a be X;
then the statement is:
push eax
mov eax,dword ptr X
mov dword ptr[eax], 'aaa'
pop eax
Which of the three above it actually is depends on the specific compiler.
Finally, I suggest the OP use a disassembler/decompiler; I think IDA Pro is easier to use.
It marks all the arguments pushed onto the stack... very clear, you get it at a glance.
- I can't read it either; I can only give you some guidance. I don't know whether you already know these basics:
The push instruction is commonly used to push arguments onto the stack, and it corresponds to the first call that follows it. Here (probably compiled with VC; Pascal and other languages differ from what I describe) the push instructions don't need to be paired with pop instructions; inside the corresponding function (that is, the subroutine at the address following the call instruction) the value of esp is adjusted automatically. Also, for an instruction like this:
mov dword ptr [ebp+FFFFF4DC], eax
an operand addressed via ebp generally denotes a local variable,
because an ordinary subroutine or function usually begins with instructions like these:
push ebp
mov ebp,esp
You're studying encryption and cracking, right? "Encryption and Decryption" (加密与解密), 2nd edition, is pretty good, but first you need to learn assembly well.
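As an added example (not code from this thread, nor from W32Dasm), here is the mechanical first step behind the two pieces of advice above, work out each call and read [ebp-xx] as locals: a small Python parser for the W32Dasm listing format used in this thread that splits a dump into functions at the "Referenced by a CALL" headers and collects each function's call targets and its ebp-relative locals and arguments. The sample listing is constructed from a few lines of the thread's dump and is not the complete listing.

```python
import re

# Constructed sample in W32Dasm listing style, modelled on a few lines of the
# thread's dump (two callee functions); not the complete listing.
LISTING = """\
* Referenced by a CALL at Addresses:
|:0052517A , :005251FA , :00526971
:00525220 55 push ebp
:00525224 894DFC mov dword ptr [ebp-04], ecx
:00525234 E897010000 call 005253D0
:00525245 C3 ret
:00525246 CC int 03
* Referenced by a CALL at Address:
|:005251D3
:005252A0 55 push ebp
:005252A6 894DEC mov dword ptr [ebp-14], ecx
:005252BD 8B4D08 mov ecx, dword ptr [ebp+08]
:005252C0 E8DB000000 call 005253A0
:005252CB E8D0000000 call 005253A0
:00525297 C20400 ret 0004
"""

INSN = re.compile(r'^:([0-9A-F]{8}) [0-9A-F]+ (\S+)(?: (.*))?$')  # :addr bytes mnem ops
EBP = re.compile(r'\[ebp([+-][0-9A-Fa-f]+)\]')                     # [ebp-04], [ebp+08]

def parse_listing(text):
    """Split a listing into functions: {start_addr: {"calls", "locals", "args"}}.
    A function begins at the first instruction after a "Referenced by a CALL"
    header and ends at ret; [ebp-xx] are locals, [ebp+xx] incoming arguments."""
    funcs, cur, new_func = {}, None, True
    for line in text.splitlines():
        if line.startswith('* Referenced by a CALL'):
            new_func = True          # the next instruction opens a new function
            continue
        m = INSN.match(line)
        if not m or m.group(2).lower() == 'int':   # xref lines, int 03 padding
            continue
        addr, mnem, ops = m.group(1), m.group(2).lower(), m.group(3) or ''
        if new_func or cur is None:
            cur = funcs.setdefault(addr, {"calls": [], "locals": set(), "args": set()})
            new_func = False
        if mnem == 'call':
            cur["calls"].append(ops)  # target address of the call
        for off in EBP.findall(ops):
            cur["args" if off.startswith('+') else "locals"].add(off)
        if mnem == 'ret':
            cur = None                # function body ends here
    return funcs
```

Running parse_listing(LISTING) shows, for example, that 005252A0 takes one argument at [ebp+08], keeps one local at [ebp-14] and calls 005253A0 twice, which is the kind of summary to build before guessing what a function computes.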