黑客反汇编高速入门

黑客反汇编高速入门我从事汇编语言研究大概几年前，因为是我为了开发sepl计算机语言编译器。虽然到现在还没有开发出来，但是已经看到曙光了。为了研究汇编，我从反汇编入手，做了破解，脱壳，调试等。但是汇编对我来说一直是读天书，没有任何突破。直到最近几天我有了重大发现。有人说做黑客从反汇编sqlserver.exe文件开始，可是在数以百万计的汇编代码丛林中，你能看到什么呢？能读懂么？直到最近看了一本win32汇编书籍，他里面说可以把vc程序反汇编，获得汇编程序。如果随便用ida反汇编，如过没有把原程序和汇编放在一起，那么仍然没有收获。我按照说明操作了终于得到原程序和汇编放在一起的文件，就像在调试状态一样，每个c语言程序对应一个扩展名叫.cod文件.用它来学习真是大爽，天书变成可破解的代码！具体做法是打开vc项目，选择菜单project-setting,在对话框选择c/c++页，然后category中选择ListingFiles，在下面Listingfiletype选择Assambly,machinecode,andSource,确定退出。现在编译程序，在release/debug目录下面生成对应的cod文件，包含有汇编，机器码和源代码。通过阅读cod文件，你将很快了解汇编，你会发现原程序和汇编并不完全一一对应，当并不妨碍你分析汇编。如果你不停的阅读和学习cod,也许一个月后你就会成为反汇编高手了！目前我刚开始2天。我决定坚持一个月。文件Base64.cod内容如下TITLEE:\cryptoLib\Base64.cpp.386Pincludelisting.incif@Versiongt510.modelFLATelse_TEXTSEGMENTPARAUSE32PUBLIC'CODE'_TEXTENDS_DATASEGMENTDWORDUSE32PUBLIC'DATA'_DATAENDSCONSTSEGMENTDWORDUSE32PUBLIC'CONST'CONSTENDS_BSSSEGMENTDWORDUSE32PUBLIC'BSS'_BSSENDS_TLSSEGMENTDWORDUSE32PUBLIC'TLS'_TLSENDS;COMDAT??_C@_0BB@NAAD@Magellan?5MSWHEEL?$AA@_DATASEGMENTDWORDUSE32PUBLIC'DATA'_DATAENDS;COMDAT??_C@_06FPAF@MouseZ?$AA@_DATASEGMENTDWORDUSE32PUBLIC'DATA'..................;COMDAT??_7?$basic_ostream@DU?$char_traits@D@std@@@std@@6B@CONSTSEGMENTDWORDUSE32PUBLIC'CONST'CONSTENDS;COMDAT?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IBCONSTSEGMENTDWORDUSE32PUBLIC'CONST'CONSTENDSFLATGROUP_DATA,CONST,_BSS,CRT$XCA,CRT$XCU,CRT$XCL,CRT$XCC,CRT$XCZ,xdata$xASSUMECS:FLAT,DS:FLAT,SS:FLATendifCONSTSEGMENT_EnBase64TabDB'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123'DB'456789+/',00HORG$+3_DeBase64TabDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB03eHDB00HDB00HDB00HDB03fHDB034HDB035HDB036HDB037HDB038HDB039HDB03aHDB03bHDB03cHDB03dHDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB00HDB01HDB02HDB03HDB04HDB05HDB06HDB07HDB08HDB09HDB0aHDB0bHDB0cHDB0dHDB0eHDB0fHDB010HDB011HDB012HDB013HDB014HDB015HDB016HDB017HDB018HDB019HDB00HDB00HDB00HDB00HDB00HDB00HDB01aHDB01bHDB01cHDB01dHDB01eHDB01fHDB020HDB021HDB022HDB023HDB024HDB025HDB026HDB027HDB028HDB029HDB02aHDB02bHDB02cHDB02dHDB02eHDB02fHDB030HDB031HDB032HDB033HCONSTENDSCRT$XCUSEGMENT_$S384DDFLAT:_$E383CRT$XCUENDSPUBLIC?EncodeBase64@@YAHPBEPADH@Z;EncodeBase64;COMDAT?EncodeBase64@@YAHPBEPADH@Z_TEXTSEGMENT_pSrc$=8_pDst$=12_nSrcLen$=16_c1$=12_c2$=8_c3$=16_nMod$=-4?EncodeBase64@@YAHPBEPADH@ZPROCNEAR;EncodeBase64,COMDAT;7:{0000051pushecx0000155pushebp0000256pushesi;8:unsignedcharc1,c2,c3;//输入缓冲区读出3个字节;9:intnDstLen=0;//输出的字符计数;10:intnDiv=nSrcLen/3;//输入数据长度除以3得到的倍数000038b742418movesi,DWORDPTR_nSrcLen$[esp+8]00007b856555555moveax,1431655766;55555556H0000cf7eeimulesi0000e8bc2moveax,edx0001033edxorebp,ebp00012c1e81fshreax,31;0000001fH0001503d0addedx,eax;11:intnMod=nSrcLen%3;//输入数据长度除以3得到的余数000178bc6moveax,esi000198bcamovecx,edx0001bbe03000000movesi,30002099cdq00021f7feidivesi;12:;13://每次取3个字节，编码成4个字符;14:for(inti=0;inDiv;i++)0002385c9testecx,ecx0002589542408movDWORDPTR_nMod$[esp+12],edx000290f8edc000000jle$L1323380002f8b442414moveax,DWORDPTR_pDst$[esp+8]0003353pushebx000348bd9movebx,ecx000368d2c8d00000000leaebp,DWORDPTR[ecx*4]0003d8b4c2414movecx,DWORDPTR_pSrc$[esp+12]0004157pushedi$L129542:;15:{;16://取3个字节;17:c1=*pSrc++;000428a11movdl,BYTEPTR[ecx]0004441incecx000458854241cmovBYTEPTR_c1$[esp+16],dl;18:c2=*pSrc++;000498a11movdl,BYTEPTR[ecx];19:c3=*pSrc++;;20:;21://编码成4个字符;22:*pDst++=EnBase64Tab[c12];0004b8b74241cmovesi,DWORDPTR_c1$[esp+16]0004f41incecx0005088542418movBYTEPTR_c2$[esp+16],dl;23:*pDst++=EnBase64Tab[((c14)|(c24))&0x3f];000548b7c2418movedi,DWORDPTR_c2$[esp+16]0005881e6ff000000andesi,255;000000ffH0005e8a11movdl,BYTEPTR[ecx]0006081e7ff000000andedi,255;000000ffH0006688542420movBYTEPTR_c3$[esp+16],dl0006a8bd6movedx,esi0006cc1ea02shredx,20006f83e603andesi,30007241incecx000738a9200000000movdl,BYTEPTR_EnBase64Tab[edx]000798810movBYTEPTR[eax],dl0007b8bd7movedx,edi0007dc1ea04shredx,400080c1e604shlesi,4000830bd6oredx,esi;24:*pDst++=EnBase64Tab[((c22)|(c36))&0x3f];000858b742420movesi,DWORDPTR_c3$[esp+16]0008940inceax0008a81e6ff000000andesi,255;000000ffH000908a9200000000movdl,BYTEPTR_EnBase64Tab[edx]0009683e70fandedi,15;0000000fH000998810movBYTEPTR[eax],dl0009b8bd6movedx,esi0009dc1ea06shredx,6000a0c1e702shledi,2000a30bd7oredx,edi000a540inceax;25:*pDst++=EnBase64Tab[c3&0x3f];000a683e63fandesi,63;0000003fH000a940inceax000aa8a9200000000movdl,BYTEPTR_EnBase64Tab[edx]000b08850ffmovBYTEPTR[eax-1],dl000b38a9600000000movdl,BYTEPTR_EnBase64Tab[esi]000b98810movBYTEPTR[eax],dl000bb40inceax000bc4bdecebx000bd7583jneSHORT$L129542000bf8b542410movedx,DWORDPTR_nMod$[esp+20]000c35fpopedi000c45bpopebx$L129544:;26:nDstLen+=4;;27:};28:;29://编码余下的字节;30:if(nMod==1)000c583fa01cmpedx,1000c8754bjneSHORT$L129545;31:{;32:c1=*pSrc++;000ca8a09movcl,BYTEPTR[ecx]000cc5epopesi000cd884c2410movBYTEPTR_c1$[esp+4],cl;33:*pDst++=EnBase64Tab[(c1&0xfc)2];000d18b4c2410movecx,DWORDPTR_c1$[esp+4]000d581e1ff000000andecx,255;000000ffH000db8b