2008/12/21

Disassembly

I found the Win32Program Disassembler tool online and used it to disassemble a small program:
#include <stdio.h>
int main(){
    int a=0;
    while(a>-1)
        printf("%d\n",a++);
    return 0;
}

The program turned out to import two DLLs:
+++++++++++++++++++ IMPORTED FUNCTIONS +++++++++++++++++++

Number of Imported Modules =    2 (decimal)

   Import Module 001: KERNEL32.dll
   Import Module 002: msvcrt.dll

+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++++

   Import Module 001: KERNEL32.dll 

Addr:00005104 hint(0001) Name: AddAtomA
Addr:00005110 hint(009B) Name: ExitProcess
Addr:00005120 hint(00AF) Name: FindAtomA
Addr:0000512C hint(00DC) Name: GetAtomNameA
Addr:0000513C hint(02DF) Name: SetUnhandledExceptionFilter

   Import Module 002: msvcrt.dll 

Addr:0000515C hint(0027) Name: __getmainargs
Addr:0000516C hint(003C) Name: __p__environ
Addr:0000517C hint(003E) Name: __p__fmode
Addr:0000518C hint(0050) Name: __set_app_type
Addr:000051A0 hint(0079) Name: _cexit
Addr:000051AC hint(00E9) Name: _iob
Addr:000051B4 hint(015E) Name: _onexit
Addr:000051C0 hint(0184) Name: _setmode
Addr:000051CC hint(0215) Name: abort
Addr:000051D4 hint(021C) Name: atexit
Addr:000051E0 hint(0230) Name: fflush
Addr:000051EC hint(0239) Name: fprintf
Addr:000051F8 hint(023F) Name: free
Addr:00005200 hint(0272) Name: malloc
Addr:0000520C hint(027F) Name: printf
Addr:00005218 hint(0290) Name: signal

These look like the system calls provided by the OS, including memory allocation and some I/O functions. I also located the code fragment containing the while loop:
:004012B0 895C2404                mov dword[esp+04], ebx
:004012B4 43                      inc ebx
:004012B5 C7042400304000          mov dword[esp], 00403000
                      (StringData)"%d "
:004012BC E83F050000              call 00401800
                            ;;call msvcrt.printf
:004012C1 83FBFF                  cmp ebx, -00000001
:004012C4 7FEA                    jg 004012B0

You can use UltraEdit to change the instruction at 004012C4 to a nop; that breaks out of the loop and the program ends.
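As an added example (not code from the original post), the Python below applies the same patch to a constructed copy of the loop bytes from the listing: it translates the virtual address to the file offset a hex editor such as UltraEdit actually works with, verifies that the bytes there really are the 2-byte `jg`, and replaces both bytes with NOPs. The image base and the .text section layout are assumptions; read the real values from the PE section table.

```python
# Added example: patch the `jg 004012B0` at 004012C4 to NOPs.
# Image base and .text layout are ASSUMED (typical MinGW build); take the
# real VirtualAddress / PointerToRawData from the PE section table.
IMAGE_BASE = 0x00400000   # assumed
TEXT_RVA = 0x1000         # assumed .text VirtualAddress
TEXT_RAW = 0x400          # assumed .text PointerToRawData

LOOP_VA = 0x004012B0
# Constructed input: the bytes shown in the listing, 004012B0..004012C5.
LOOP_BYTES = bytes.fromhex(
    "895C2404"        # mov [esp+4], ebx
    "43"              # inc ebx
    "C7042400304000"  # mov dword [esp], 0x00403000  ("%d ")
    "E83F050000"      # call 0x00401800 (printf)
    "83FBFF"          # cmp ebx, -1
    "7FEA"            # jg 0x004012B0
)


def va_to_file_offset(va, image_base=IMAGE_BASE, sec_rva=TEXT_RVA, sec_raw=TEXT_RAW):
    """Map a virtual address to the offset of the same byte in the file on disk."""
    rva = va - image_base
    return rva - sec_rva + sec_raw


def short_jump_target(insn_va, rel8):
    """Resolve the destination of a 2-byte Jcc rel8 (rel8 is signed, relative to the next instruction)."""
    disp = rel8 - 0x100 if rel8 >= 0x80 else rel8
    return insn_va + 2 + disp


def patch_jg_with_nops(code, code_va, target_va):
    """Return a copy of `code` with the `jg rel8` at target_va replaced by two NOPs.

    Refuses to patch unless the opcode at that address is 0x7F (jg rel8).
    The instruction is two bytes: a single 0x90 would leave the old rel8
    (0xEA) behind as a stray opcode, so both bytes are overwritten.
    """
    off = target_va - code_va
    if code[off] != 0x7F:
        raise ValueError(f"no jg rel8 at {target_va:08X}, found {code[off]:02X}")
    return code[:off] + b"\x90\x90" + code[off + 2:]


if __name__ == "__main__":
    print(f"file offset of 004012C4: {va_to_file_offset(0x004012C4):#x}")
    print(f"jg target: {short_jump_target(0x004012C4, 0xEA):08X}")
    print(patch_jg_with_nops(LOOP_BYTES, LOOP_VA, 0x004012C4).hex())
```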
