Disassembly basics (entry points of programs written in different languages)

🤔


  • When disassembling, the first step (packed binaries are not considered here; unpacking is covered later) is to find the program's entry function.
  • When OD (OllyDbg) opens a program it usually does not land directly on the program's own entry; a series of initialization routines runs first. We normally don't care about that initialization, so we need to step out of those functions and go straight to the program entry.

    Finding the entry is the most basic operation in disassembly; because it is so simple, the procedure is not described in detail. Below are the entry-point characteristics I have collected for several languages:

C++

00401B70 >/$ 55 PUSH EBP
00401B71 |. 8BEC MOV EBP,ESP
00401B73 |. 6A FF PUSH -1
00401B75 |. 68 08254000 PUSH crackme.00402508
00401B7A |. 68 F61C4000 PUSH <JMP.&MSVCRT._except_handler3>
00401B7F |. 64:A1 0000000 MOV EAX,DWORD PTR FS:[0]
00401B85 |. 50 PUSH EAX
00401B86 |. 64:8925 00000 MOV DWORD PTR FS:[0],ESP
00401B8D |. 83EC 68 SUB ESP,68
00401B90 |. 53 PUSH EBX
00401B91 |. 56 PUSH ESI
00401B92 |. 57 PUSH EDI
00401B93 |. 8965 E8 MOV [LOCAL.6],ESP
00401B96 |. 33DB XOR EBX,EBX
00401B98 |. 895D FC MOV [LOCAL.1],EBX
00401B9B |. 6A 02 PUSH 2
00401B9D |. FF15 98214000 CALL DWORD PTR DS:[<&MSVCRT.__set_app_ty>

Assembly (MASM)

00401025 >/$ 6A F6 PUSH -0A
00401027 |. E8 A0000000 CALL <JMP.&kernel32.GetStdHandle>
0040102C |. A3 00304000 MOV DWORD PTR DS:[403000],EAX
00401031 |. 6A F5 PUSH -0B
00401033 |. E8 94000000 CALL <JMP.&kernel32.GetStdHandle>
00401038 |. A3 04304000 MOV DWORD PTR DS:[403004],EAX
0040103D |. 6A 01 PUSH 1
0040103F |. 68 00104000 PUSH EchoLine.00401000
00401044 |. E8 8F000000 CALL <JMP.&kernel32.SetConsoleCtrlHandle>
00401049 |. 6A 07 PUSH 7
0040104B |. FF35 00304000 PUSH DWORD PTR DS:[403000]

Delphi

0045D408 > $ 55 push ebp
0045D409 . 8BEC mov ebp,esp
0045D40B . 83C4 F0 add esp,-0x10
0045D40E . B8 28D24500 mov eax,DELPHI.0045D228
0045D413 . E8 6088FAFF call DELPHI.00405C78
0045D418 . A1 4CF14500 mov eax,dword ptr ds:[0x45F14C]
0045D41D . 8B00 mov eax,dword ptr ds:[eax]
0045D41F . E8 08DFFFFF call DELPHI.0045B32C
0045D424 . 8B0D 40F24500 mov ecx,dword ptr ds:[0x45F240]
0045D42A . A1 4CF14500 mov eax,dword ptr ds:[0x45F14C]
0045D42F . 8B00 mov eax,dword ptr ds:[eax]
0045D431 . 8B15 CCC84500 mov edx,dword ptr ds:[0x45C8CC]
0045D437 . E8 08DFFFFF call DELPHI.0045B344
0045D43C . A1 4CF14500 mov eax,dword ptr ds:[0x45F14C]
0045D441 . 8B00 mov eax,dword ptr ds:[eax]
0045D443 . E8 7CDFFFFF call DELPHI.0045B3C4
0045D448 . E8 2769FAFF call DELPHI.00403D74
0045D44D . 8D40 00 lea eax,dword ptr ds:[eax]

E-Language (易语言)

004464D1 >/$ 55 push ebp
004464D2 |. 8BEC mov ebp,esp
004464D4 |. 6A FF push -0x1
004464D6 |. 68 B0C14600 push 易语言.0046C1B0
004464DB |. 68 DCAC4400 push 易语言.0044ACDC
004464E0 |. 64:A1 0000000>mov eax,dword ptr fs:[0]
004464E6 |. 50 push eax
004464E7 |. 64:8925 00000>mov dword ptr fs:[0],esp
004464EE |. 83EC 58 sub esp,0x58
004464F1 |. 53 push ebx
004464F2 |. 56 push esi
004464F3 |. 57 push edi ; ntdll.7C930228
004464F4 |. 8965 E8 mov [local.6],esp
004464F7 |. FF15 98514600 call dword ptr ds:[<&KERNEL32.GetVersion>; kernel32.GetVersion
004464FD |. 33D2 xor edx,edx

VB

004013EC > $ 68 A4244000 PUSH Crack.004024A4
004013F1 . E8 F0FFFFFF CALL <JMP.&MSVBVM60.ThunRTMain>
004013F6 . 0000 ADD BYTE PTR DS:[EAX],AL
004013F8 . 0000 ADD BYTE PTR DS:[EAX],AL
004013FA . 0000 ADD BYTE PTR DS:[EAX],AL
004013FC . 3000 XOR BYTE PTR DS:[EAX],AL
004013FE . 0000 ADD BYTE PTR DS:[EAX],AL
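The five listings above are exactly the kind of data a signature-based identifier (the way PEiD-style tools recognise a compiler from the bytes at the entry point) is built from. The script below is an added example, not part of the original post: it transcribes the opcode column of each listing into a byte pattern, replaces addresses and immediates with "??" wildcards so the pattern matches any build of that runtime, and reports which runtime an entry stub belongs to. The sample byte strings are constructed from the listings on this page; the MSVC and E-Language stubs share the same SEH-frame prologue, so both patterns are extended past the instruction where they diverge (XOR EBX,EBX versus CALL GetVersion), which is the caveat to keep in mind when writing your own signatures. A packed binary returns no match, because its real startup stub is not at the entry point until it is unpacked.

```python
import re

# Byte patterns transcribed from the five listings on this page (assumption:
# these are the only runtimes of interest).  "??" is a one-byte wildcard that
# stands in for addresses and immediates that change from build to build.
SIGNATURES = {
    "MSVC C/C++": (
        "55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 "
        "64 89 25 00 00 00 00 83 EC ?? 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15"
    ),
    "E-Language": (
        "55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 "
        "64 89 25 00 00 00 00 83 EC ?? 53 56 57 89 65 E8 FF 15 ?? ?? ?? ?? 33 D2"
    ),
    "Delphi": "55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8",
    "MASM": "6A F6 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 6A F5 E8 ?? ?? ?? ?? A3",
    "VB6": "68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 00 00 00 00 00 00 30 00",
}


def compile_signature(sig: str) -> "re.Pattern[bytes]":
    """Turn 'AA ?? BB' into a bytes regex: fixed bytes are escaped, '??' becomes '.'."""
    parts = []
    for tok in sig.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def identify_entry(entry_bytes: bytes) -> list:
    """Names of every signature that matches from the first byte of the entry stub.

    An empty list means no known stub: either a runtime not in the table, or a
    packed/obfuscated binary whose real startup code only appears after unpacking.
    """
    return [name for name, pat in COMPILED.items() if pat.match(entry_bytes)]


# Constructed samples: the opcode bytes of each listing above, re-typed from the
# hex column.  The rows OllyDbg truncates as "64:A1 0000000" / "64:8925 00000"
# are the full encodings 64 A1 00 00 00 00 and 64 89 25 00 00 00 00.
SAMPLES = {
    "cpp": bytes.fromhex(
        "55 8B EC 6A FF 68 08 25 40 00 68 F6 1C 40 00 64 A1 00 00 00 00 50 "
        "64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 "
        "FF 15 98 21 40 00"
    ),
    "masm": bytes.fromhex(
        "6A F6 E8 A0 00 00 00 A3 00 30 40 00 6A F5 E8 94 00 00 00 A3 04 30 40 00 6A 01"
    ),
    "delphi": bytes.fromhex(
        "55 8B EC 83 C4 F0 B8 28 D2 45 00 E8 60 88 FA FF A1 4C F1 45 00 8B 00 E8 08 DF FF FF"
    ),
    "epl": bytes.fromhex(
        "55 8B EC 6A FF 68 B0 C1 46 00 68 DC AC 44 00 64 A1 00 00 00 00 50 "
        "64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 98 51 46 00 33 D2"
    ),
    "vb": bytes.fromhex("68 A4 24 40 00 E8 F0 FF FF FF 00 00 00 00 00 00 30 00 00 00"),
}


if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:7s} -> {identify_entry(blob) or ['unknown']}")
```

In practice the bytes fed to identify_entry come from the file offset that AddressOfEntryPoint maps to (what OD shows at the ">/$" line); a few dozen bytes are enough for every pattern in the table. Because "??" matches anything, keep each wildcard run exactly as long as the operand it replaces, otherwise a pattern silently drifts out of alignment and either misses real stubs or matches unrelated code.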
