
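To learn Win32 assembly well, make a habit of reading compiler-generated assembly code. Compiler output is the most standard and best-optimized code you will find, and it teaches both assembly programming and instruction-level optimization techniques.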

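How do you get the disassembly of a program? Use a disassembler, not the DOS DEBUG tool. Many disassemblers are already available on the Windows platform; readers can download one from the address below:
http://www.pediy.com/tools/Disassemblers/W32Dasm/W32dsm8.93.rar
Download the sample file analyzed here, the GetID hardware-fingerprint program: http://www.91now.com/down/soft/137021.htm
http://www.91now.com/down/downpage.asp?id=137021&dp=1&fid=12
The disassembly of the hardware-fingerprint program is listed below; I analyze it afterwards: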
Disassembly of File: D:\My Documents\GetID.exe
Code Offset = 00000400, Code Size = 00000200
Data Offset = 00000800, Data Size = 00000600
Number of Objects = 0004 (dec), Imagebase = 00400000h
Object01:.text    RVA:00001000 Offset: 00000400 Size: 00000200 Flags: 60000020
   Object02:.rdata   RVA: 00002000 Offset:00000600 Size: 00000200 Flags: 40000040
   Object03:.data    RVA:00003000 Offset: 00000800 Size: 00000600 Flags: C0000040
   Object04:.rsrc    RVA:00004000 Offset: 00000E00 Size: 00002A00 Flags: C0000040

+++++++++++++++++++  菜单信息   ++++++++++++++++++
程序没有菜单选项                     
+++++++++++++++++    对话框信息    ++++++++++++++++++
There Are No Dialog Resources in This Application
+++++++++++++++++++     导入函数     ++++++++++++++++++
Number of Imported Modules=    2(decimal)
Import Module 001:user32.dll
   Import Module 002:kernel32.dll
+++++++++++++++++++     重要模块资料    +++++++++++++++
Import Module 001:user32.dll
Addr:0000206C hint(019D) Name:MessageBoxA
Import Module 002:kernel32.dll
Addr:000020A6 hint(0080) Name:ExitProcess
 Addr:00002086 hint(0030) Name: CreateFileA
 Addr:00002094 hint(005A) Name:DeviceIoControl
+++++++++++++++++++     导出函数     ++++++++++++++++++
Number of Exported Functions = 0000 (decimal)

+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object .text**************
Program Entry Point = 00401000 (D:\My Documents\GetID.exe FileOffset:00001600)
//******************** Program Entry Point ********
:00401000B801000000             mov eax, 00000001
:004010050FA2                   cpuid
:00401007BEB7304000             mov esi, 004030B7
:0040100C50                     push eax
:0040100DE8E7000000             call 004010F9
:004010128906                   mov dword ptr [esi], eax
:0040101453                     push ebx
:00401015E8DF000000             call 004010F9
:0040101A894604                 mov dword ptr [esi+04], eax
:0040101D51                     push ecx
:0040101EE8D6000000             call 004010F9
:00401023894608                 mov dword ptr [esi+08], eax
:0040102652                     push edx
:00401027E8CD000000             call 004010F9
:0040102C89460C                 mov dword ptr [esi+0C], eax
:0040102FBF54304000             mov edi, 00403054
:00401034B910000000             mov ecx, 00000010
:00401039AC                     lodsb
:0040103AE8D9000000             call 00401118
:0040103F66AB                   stosw
:00401041E2F6                   loop 00401039
:004010436A00                   push 00000000
:004010456A00                   push 00000000
:004010476A03                   push 00000003
:004010496A00                   push 00000000
:0040104B6A03                   push 00000003
:0040104D68000000C0             push C0000000
* Possible StringData Ref from Data Obj->"\\.\PhysicalDrive0"
                                 |
:0040105268A0304000             push 004030A0
* Reference To: kernel32.CreateFileA, Ord:0030h
                                 |
:00401057E8DE000000             Call 0040113A
:0040105CA3B3304000             mov dword ptr [004030B3], eax
:00401061BBC7304000             mov ebx, 004030C7
:00401066C70300020000           mov dword ptr [ebx], 00000200
:0040106CC7430400010100         mov [ebx+04], 00010100
:00401073C7430800A0EC00         mov [ebx+08], 00ECA000
:0040107AC7430C00000000         mov [ebx+0C], 00000000
:00401081BBF7334000             mov ebx, 004033F7
:00401086C70312000000           mov dword ptr [ebx], 00000012
:0040108CC74304EC000000         mov [ebx+04], 000000EC
:00401093C7430801010001         mov [ebx+08], 01000101
:0040109AC7430C07000000         mov [ebx+0C], 00000007
:004010A16A00                   push 00000000
:004010A368F7334000             push 004033F7
:004010A86813020000             push 00000213
:004010AD68F7304000             push 004030F7
:004010B26A23                   push 00000023
:004010B468C7304000             push 004030C7
:004010B96888C00700             push 0007C088
:004010BEFF35B3304000           push dword ptr [004030B3]
* Reference To: kernel32.DeviceIoControl, Ord:005Ah
                                 |
:004010C4E877000000             Call 00401140
:004010C9BE1B314000             mov esi, 0040311B
:004010CEBF28304000             mov edi, 00403028
:004010D3B90A000000             mov ecx, 0000000A
:004010D866AD                   lodsw
:004010DA86C4                   xchg ah, al
:004010DC66AB                   stosw
:004010DEE2F8                   loop 004010D8
:004010E06A00                   push 00000000
* Possible StringData Ref from Data Obj->"本机硬件ID:"
                                 |
:004010E26800304000             push 00403000

* Possible StringData Ref from Data Obj->"你的硬件ID是:

硬盘ID:   "
                                       ->"                           

 "
                                       ->"CpuID:                      "
                                       ->"          

小技巧:你可以按 "
                                       ->"Ctrl+C 复制本框内容!"
                                 |
:004010E7680E304000             push 0040300E
:004010EC6A00                   push 00000000

* Reference To: user32.MessageBoxA, Ord:019Dh
                                 |
:004010EEE841000000             Call 00401134
:004010F350                     push eax

* Reference To: kernel32.ExitProcess, Ord:0080h
                                 |
:004010F4E84D000000             Call 00401146

* Referenced by a CALL at Addresses:
|:0040100D   ,:00401015   ,:0040101E   ,:00401027  
|
:004010F955                     push ebp
:004010FA8BEC                   mov ebp, esp
:004010FC53                     push ebx
:004010FD51                     push ecx
:004010FE8B4508                 mov eax, dword ptr [ebp+08]
:00401101B903000000             mov ecx, 00000003
:004011068AD8                   mov bl, al
:00401108C1E808                 shr eax, 08
:0040110BC1E308                 shl ebx, 08
:0040110EE2F6                   loop 00401106
:004011108BC3                   mov eax, ebx
:0040111259                     pop ecx
:004011135B                     pop ebx
:00401114C9                     leave
:00401115C20400                 ret 0004

 

* Referenced by a CALL at Address:
|:0040103A  
|
:004011188AE0                   mov ah, al
:0040111AC0E804                 shr al, 04
:0040111D80E40F                 and ah, 0F
:0040112080FC0A                 cmp ah, 0A
:004011237203                   jb 00401128
:0040112580C407                 add ah, 07

* Referenced by a (U)nconditional or (C)onditional Jump atAddress:
|:00401123(C)
|
:004011283C0A                   cmp al, 0A
:0040112A7202                   jb 0040112E
:0040112C0407                   add al, 07

* Referenced by a (U)nconditional or (C)onditional Jump atAddress:
|:0040112A(C)
|
:0040112E66053030               add ax, 3030
:00401132C3                     ret


:00401133CC                     int 03

* Referenced by a CALL at Address:
|:004010EE  
|

* Reference To: user32.MessageBoxA, Ord:019Dh
                                 |
:00401134FF2510204000           Jmp dword ptr [00402010]

* Referenced by a CALL at Address:
|:00401057  
|

* Reference To: kernel32.CreateFileA, Ord:0030h
                                 |
:0040113AFF2504204000           Jmp dword ptr [00402004]

* Referenced by a CALL at Address:
|:004010C4  
|

* Reference To: kernel32.DeviceIoControl, Ord:005Ah
                                 |
:00401140FF2508204000           Jmp dword ptr [00402008]

* Reference To: kernel32.ExitProcess, Ord:0080h
                                 |
:00401146FF2500204000           Jmp dword ptr [00402000]
:0040114C00000000000000000000   BYTE 10 DUP(0)
:0040115600000000000000000000   BYTE 10 DUP(0)
:0040116000000000000000000000   BYTE 10 DUP(0)
:0040116A00000000000000000000   BYTE 10 DUP(0)
:0040117400000000000000000000   BYTE 10 DUP(0)
:0040117E00000000000000000000   BYTE 10 DUP(0)
:0040118800000000000000000000   BYTE 10 DUP(0)
:0040119200000000000000000000   BYTE 10 DUP(0)
:0040119C00000000000000000000   BYTE 10 DUP(0)
:004011A600000000000000000000   BYTE 10 DUP(0)
:004011B000000000000000000000   BYTE 10 DUP(0)
:004011BA00000000000000000000   BYTE 10 DUP(0)
:004011C400000000000000000000   BYTE 10 DUP(0)
:004011CE00000000000000000000   BYTE 10 DUP(0)
:004011D800000000000000000000   BYTE 10 DUP(0)
:004011E200000000000000000000   BYTE 10 DUP(0)
:004011EC00000000000000000000   BYTE 10 DUP(0)
:004011F600000000000000000000   BYTE 10 DUP(0)

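Experienced programmers know that reading other people's code is a basic skill you have to practice in order to write code. Below, I walk through this seemingly indecipherable assembly listing with you.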

* Referenced by a CALL at Addresses:
|:0040100D   ,:00401015   ,:0040101E   ,:00401027  
|
:004010F955                     push ebp
:004010FA8BEC                   mov ebp, esp
:004010FC53                     push ebx
:004010FD51                     push ecx
:004010FE8B4508                 mov eax, dword ptr [ebp+08]
:00401101B903000000             mov ecx, 00000003
:004011068AD8                   mov bl, al
:00401108C1E808                 shr eax, 08
:0040110BC1E308                 shl ebx, 08
:0040110EE2F6                   loop 00401106
:004011108BC3                   mov eax, ebx
:0040111259                     pop ecx
:004011135B                     pop ebx
:00401114C9                     leave
:00401115C20400                 ret 0004
This is a subroutine, called from :0040100D, :00401015, :0040101E and :00401027, so we study it first.
:004010FE8B4508                 mov eax, dword ptr [ebp+08]
:00401101B903000000             mov ecx, 00000003
:004011068AD8                   mov bl, al
:00401108C1E808                 shr eax, 08
:0040110BC1E308                 shl ebx, 08
:0040110EE2F6                   loop 00401106
:004011108BC3                   mov eax, ebx
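As can be seen, this is a loop, and it runs three times.
Its purpose is to store the value of eax reversed byte by byte. Memory is addressed in bytes; for a word (16 bits), the low 8 bits go at the lower address and the high 8 bits at the higher address. Because memory addresses grow upward, the low 8 bits are placed in ah first and the high 8 bits are then taken out and placed in AL, so the value has to be read back in reverse order.
The ret instruction returns by popping the return address that the caller left on the stack into EIP; for a return from an inter-segment (far) call, it is popped into CS:EIP.
An inter-segment call performs the following, in order:
1. Push the value of the CS register onto the stack
2. Push the 32-bit offset of the instruction following the CALL onto the stack
3. Copy the 48-bit effective address into CS:EIP
4. Execution continues at the first instruction of the subroutine
II. ret with an immediate operand
In this form, after the return address has been popped off the stack, the immediate value is added to esp, which is equivalent to discarding that many bytes from the top of the stack.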

* Referenced by a CALL at Address:
|:0040103A  
|
:004011188AE0                   mov ah, al
:0040111AC0E804                 shr al, 04
:0040111D80E40F                 and ah, 0F
:0040112080FC0A                 cmp ah, 0A
:004011237203                   jb 00401128
:0040112580C407                 add ah, 07

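Because the argument is passed in al, the high 4 bits of AL in EAX are moved into ah. The value is to be displayed in hexadecimal and an ASCII code is 8 bits wide, so each digit is expanded to a byte and the hexadecimal digit is converted to its ASCII code.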

* Referenced by a (U)nconditional or (C)onditional Jump atAddress:
|:00401123(C)
|
:004011283C0A                   cmp al, 0A
:0040112A7202                   jb 0040112E
:0040112C0407                   add al, 07

* Referenced by a (U)nconditional or (C)onditional Jump atAddress:
|:0040112A(C)
|
:0040112E66053030               add ax, 3030
:00401132C3                     ret

The code above finishes converting al, whether each digit is a number or a letter, into the two corresponding ASCII codes.

 

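Memory is addressed in bytes; for a word (16 bits), the low 8 bits go at the lower address and the high 8 bits at the higher address. Memory addresses grow upward and a word is addressed by its lower address. When the CPU serial number is read 4 bits at a time, the low 4 bits are first placed in the low 4 bits of AL and the high 4 bits are then taken out and placed in the high 4 bits of AL, so this subroutine swaps the high and low halves of AL to restore the normal order.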
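The two subroutines and the loop at 00401039 can be checked by re-expressing them in C, instruction by instruction. This is an added example, not code from the original program or page; the function names and the `ebx_in` parameter are hypothetical, and the register values in `main` are constructed. Running it shows that after three iterations the most significant byte of the argument never reaches the result, so each formatted dword starts with `00`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emulates the subroutine at 004010F9. ebx_in stands for whatever EBX held
   on entry (hypothetical parameter); three shifts push it out of the register. */
uint32_t sub_4010F9(uint32_t arg, uint32_t ebx_in)
{
    uint32_t eax = arg, ebx = ebx_in;
    for (int ecx = 3; ecx != 0; ecx--) {            /* mov ecx, 3 / loop */
        ebx = (ebx & 0xFFFFFF00u) | (eax & 0xFFu);  /* mov bl, al        */
        eax >>= 8;                                  /* shr eax, 08       */
        ebx <<= 8;                                  /* shl ebx, 08       */
    }
    return ebx;                                     /* mov eax, ebx      */
}

/* Emulates the subroutine at 00401118: byte in AL, two ASCII digits out in AX. */
uint16_t sub_401118(uint8_t al)
{
    uint8_t ah = al;                 /* mov ah, al */
    al >>= 4;                        /* shr al, 04 */
    ah &= 0x0F;                      /* and ah, 0F */
    if (ah >= 0x0A) ah += 7;         /* cmp ah, 0A / jb / add ah, 07 */
    if (al >= 0x0A) al += 7;         /* cmp al, 0A / jb / add al, 07 */
    return (uint16_t)(((ah << 8) | al) + 0x3030);   /* add ax, 3030 */
}

/* Emulates 00401007-00401041: store four results, then expand 16 bytes. */
char *format_cpuid(const uint32_t regs[4], char out[33])
{
    uint8_t raw[16];
    for (int i = 0; i < 4; i++) {
        uint32_t v = sub_4010F9(regs[i], 0);
        for (int b = 0; b < 4; b++)          /* mov dword ptr [esi+4*i], eax */
            raw[4 * i + b] = (uint8_t)(v >> (8 * b));
    }
    for (int i = 0; i < 16; i++) {           /* lodsb / call 00401118 / stosw */
        uint16_t ax = sub_401118(raw[i]);
        out[2 * i]     = (char)(ax & 0xFF);  /* stosw writes AL first */
        out[2 * i + 1] = (char)(ax >> 8);
    }
    out[32] = '\0';
    return out;
}

int main(void)
{
    /* Constructed register values, not output from a real CPU. */
    const uint32_t regs[4] = { 0x000306A9u, 0x12345678u, 0u, 0xBFEBFBFFu };
    char text[33];
    printf("%s\n", format_cpuid(regs, text));
    return 0;
}
```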

//******************** Program Entry Point ********
:00401000B801000000             mov eax, 00000001
:004010050FA2                   cpuid
Get the cpuid; from the low 32 bits to the high 32 bits it is placed in eax, ebx, ecx, edx.

:00401007BEB7304000             mov esi, 004030B7
:0040100C50                     push eax
:0040100DE8E7000000             call 004010F9
:004010128906                   mov dword ptr [esi], eax
:0040101453                     push ebx
:00401015E8DF000000             call 004010F9
:0040101A894604                 mov dword ptr [esi+04], eax
:0040101D51                     push ecx
:0040101EE8D6000000             call 004010F9
:00401023894608                 mov dword ptr [esi+08], eax
:0040102652                     push edx
:00401027E8CD000000             call 004010F9
:0040102C89460C                 mov dword ptr [esi+0C], eax
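Call the subroutine to reverse the CPUID and restore the normal value, because memory stores the high part at the higher address and the low part at the lower address.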
:0040102FBF54304000             mov edi, 00403054
:00401034B910000000             mov ecx, 00000010
:00401039AC                     lodsb
:0040103AE8D9000000             call 00401118
:0040103F66AB                   stosw
:00401041E2F6                   loop 00401039
Reverse the CPUID further in 4-bit units and convert it to ASCII.
:004010436A00                   push 00000000
:004010456A00                   push 00000000
:004010476A03                   push 00000003
:004010496A00                   push 00000000
:0040104B6A03                   push 00000003
:0040104D68000000C0             push C0000000
* Possible StringData Ref from Data Obj->"\\.\PhysicalDrive0"
                                 |
:0040105268A0304000             push 004030A0
Set up the arguments for the API call; the argument pushed last is the first parameter.
* Reference To: kernel32.CreateFileA, Ord:0030h
                                 |
:00401057E8DE000000             Call 0040113A
:0040105CA3B3304000             mov dword ptr [004030B3], eax
:00401061BBC7304000             mov ebx, 004030C7
The following assigns values to two variables:
:00401066C70300020000           mov dword ptr [ebx], 00000200
:0040106CC7430400010100         mov [ebx+04], 00010100
:00401073C7430800A0EC00         mov [ebx+08], 00ECA000
:0040107AC7430C00000000         mov [ebx+0C], 00000000
:00401081BBF7334000             mov ebx, 004033F7
:00401086C70312000000           mov dword ptr [ebx], 00000012
:0040108CC74304EC000000         mov [ebx+04], 000000EC
:00401093C7430801010001         mov [ebx+08], 01000101
:0040109AC7430C07000000         mov [ebx+0C], 00000007
The following sets up the arguments and calls the API to get the hard disk ID:
:004010A16A00                   push 00000000
:004010A368F7334000             push 004033F7
:004010A86813020000             push 00000213
:004010AD68F7304000             push 004030F7
:004010B26A23                   push 00000023
:004010B468C7304000             push 004030C7
:004010B96888C00700             push 0007C088
:004010BEFF35B3304000           push dword ptr [004030B3]
* Reference To: kernel32.DeviceIoControl, Ord:005Ah
                                 |
:004010C4E877000000             Call 00401140
The following reverses the retrieved hard disk ID to restore the normal order:
:004010C9BE1B314000             mov esi, 0040311B
:004010CEBF28304000             mov edi, 00403028
:004010D3B90A000000             mov ecx, 0000000A
:004010D866AD                   lodsw
:004010DA86C4                   xchg ah, al
:004010DC66AB                   stosw
:004010DEE2F8                   loop 004010D8
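The request set up at 00401061 and the loop at 004010D8 can be decoded offline. This is an added example, not code from the original program or page: it assumes the Windows SDK layouts of SENDCMDINPARAMS, IDEREGS and SENDCMDOUTPARAMS (names not on the page), under which control code 0007C088 is SMART_RCV_DRIVE_DATA and the source address 0040311B is the output buffer 004030F7 plus a 16-byte header plus 20 bytes, i.e. IDENTIFY word 10. The reply buffer and serial string are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OUT_HEADER   16  /* SENDCMDOUTPARAMS: cBufferSize (4) + DRIVERSTATUS (12) */
#define SERIAL_WORD  10  /* IDENTIFY DEVICE words 10..19 carry the serial number  */
#define SERIAL_WORDS 10  /* mov ecx, 0000000A                                     */

typedef struct {
    uint8_t features, sector_count, sector_number, cyl_low;
    uint8_t cyl_high, drive_head, command, reserved;
} ide_regs;

/* Splits the dwords stored at [ebx+04] and [ebx+08] into IDEREGS bytes. */
ide_regs decode_regs(uint32_t dw4, uint32_t dw8)
{
    ide_regs r = {
        (uint8_t)dw4, (uint8_t)(dw4 >> 8), (uint8_t)(dw4 >> 16), (uint8_t)(dw4 >> 24),
        (uint8_t)dw8, (uint8_t)(dw8 >> 8), (uint8_t)(dw8 >> 16), (uint8_t)(dw8 >> 24)
    };
    return r;
}

/* Mirrors 004010C9-004010DE: lodsw / xchg ah, al / stosw over ten words. */
char *decode_serial(const uint8_t *outbuf, char serial[21])
{
    const uint8_t *src = outbuf + OUT_HEADER + 2 * SERIAL_WORD;  /* +0x24 */
    for (int i = 0; i < SERIAL_WORDS; i++) {
        serial[2 * i]     = (char)src[2 * i + 1];
        serial[2 * i + 1] = (char)src[2 * i];
    }
    serial[20] = '\0';
    return serial;
}

/* Builds a constructed reply buffer with the two bytes of each word swapped,
   which is how ATA string fields arrive in IDENTIFY data. */
void build_sample(uint8_t outbuf[OUT_HEADER + 512], const char sn[21])
{
    memset(outbuf, 0, OUT_HEADER + 512);
    for (int i = 0; i < 2 * SERIAL_WORDS; i++)
        outbuf[OUT_HEADER + 2 * SERIAL_WORD + (i ^ 1)] = (uint8_t)sn[i];
}

int main(void)
{
    uint8_t out[OUT_HEADER + 512];
    char sn[21];
    ide_regs r = decode_regs(0x00010100u, 0x00ECA000u);  /* values from the listing */
    build_sample(out, "CONSTRUCTED-SN-00001");           /* constructed serial */
    printf("command=%02X drive/head=%02X serial=%s\n",
           r.command, r.drive_head, decode_serial(out, sn));
    return 0;
}
```

Command byte EC is ATA IDENTIFY DEVICE and drive/head A0 selects the first device, so a binary that opens `\\.\PhysicalDrive0` and issues this request is reading the drive's identity block.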
:004010E06A00                   push 00000000
* Possible StringData Ref from Data Obj->"本机硬件ID:"
                                 |
:004010E26800304000             push 00403000

* Possible StringData Ref from Data Obj->"你的硬件ID是:

硬盘ID:   "
                                       ->"                           

 "
                                       ->"CpuID:                      "
                                       ->"          

小技巧:你可以按 "
                                       ->"Ctrl+C 复制本框内容!"
                                 |
:004010E7680E304000             push 0040300E
:004010EC6A00                   push 00000000

* Reference To: user32.MessageBoxA, Ord:019Dh
 Call the API to display the ID

                                |
:004010EEE841000000             Call 00401134
:004010F350                     push eax

* Reference To: kernel32.ExitProcess, Ord:0080h
                                 |
:004010F4E84D000000             Call 00401146

                ret

The program exits.
:00401133CC                     int 03

* Referenced by a CALL at Address:
|:004010EE  
|

* Reference To: user32.MessageBoxA, Ord:019Dh
                                 |
:00401134FF2510204000           Jmp dword ptr [00402010]

* Referenced by a CALL at Address:
|:00401057  
|

* Reference To: kernel32.CreateFileA, Ord:0030h
                                 |
:0040113AFF2504204000           Jmp dword ptr [00402004]

* Referenced by a CALL at Address:
|:004010C4  
|

* Reference To: kernel32.DeviceIoControl, Ord:005Ah
                                 |
:00401140FF2508204000           Jmp dword ptr [00402008]

* Reference To: kernel32.ExitProcess, Ord:0080h
                                 |
:00401146FF2500204000           Jmp dword ptr [00402000]
