逆向控制台程序

控制台程序X86:
EP入口处（EP = 00401614 的 call __security_init_cookie，随后 00401619 的 jmp 跳入 Startup 代码；列表开头 00401604–00401613 是 __scrt_common_main_seh 的公共出口，0040161E 起是 __raise_securityfailure，即 /GS 栈 cookie 校验失败时的处理路径，列表到 GetCurrentProcess 处截断）
CPU Disasm
地址        HEX 数据            指令                                                                              注释
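00401604  |> \C745 FC FEFFFFFF mov     dword ptr [ebp-4], -2                                                 ; presumably the SEH try-level of the __SEH_prolog4 frame: -2 = no active __try (same store at 004014F3 / 004015C6)
0040160B  |.  8B45 E0       mov     eax, dword ptr [ebp-20]                                                  ; __except handler path: return [ebp-20], which the filter at 004015D8 fills with the exception code
0040160E  |>  E8 E3060000   call    __SEH_epilog4                                                           ; [__SEH_epilog4 — common exit of __scrt_common_main_seh; also the target of the jmps at 004014FF and 004015CF (eax already holds the exit code there)
00401613  |.  C3            ret
00401614  |.  E8 B0030000   call    __security_init_cookie                                          ; EP (program entry point): seed the /GS stack cookie before any cookie-protected frame is built
00401619  \.^ E9 7AFEFFFF   jmp     __scrt_common_main_seh                              ; tail-jump into the CRT startup (00401498, listed below) — this stub is never returned to
0040161E  /$  55            push    ebp                                                                     ; WOW64Test_x86.__raise_securityfailure(exception_pointers — the /GS cookie-mismatch path
0040161F  |.  8BEC          mov     ebp, esp                                                                ; 8B EC = mov ebp, esp
00401621  |.  6A 00         push    0                                                                       ; /Filter = 00000000 — drop any user-installed top-level filter so the failure report cannot be intercepted or swallowed
00401623  |.  FF15 28204100 call    dword ptr [<&KERNEL32.SetUnhandledExceptionFilter>]                     ; \KERNEL32.SetUnhandledExceptionFilter
00401629  |.  FF75 08       push    dword ptr [exception_pointers]                                          ; /pExceptionInfo => [exception_pointers] — the context captured at the cookie check
0040162C  |.  FF15 24204100 call    dword ptr [<&KERNEL32.UnhandledExceptionFilter>]                        ; \KERNEL32.UnhandledExceptionFilter — hand the fault to the system (WER/debugger)
00401632  |.  68 090400C0   push    C0000409                                                                ; /ExitCode = 0xC0000409 = STATUS_STACK_BUFFER_OVERRUN
00401637  |.  FF15 2C204100 call    dword ptr [<&KERNEL32.GetCurrentProcess>]                               ; |[KERNEL32.GetCurrentProcess — presumably the handle for a terminate call that follows; the listing is cut off here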

 StartUp 处（__scrt_common_main_seh，从 00401498 开始；其公共出口 0040160E/00401613 见上面 EP 处的列表。注意其中 0040153D–00401554 对 TLS 回调指针做了两道检查：指针所在位置必须在本映像的只读区，且通过 _guard_check_icall 的 CFG 校验后才间接调用）

CPU Disasm
地址        HEX 数据                    指令                                                         注释
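00401498  /$ /6A 14                 push    14                                                 ; INT WOW64Test_x86.__scrt_common_main_seh(void — CRT startup proper, reached by the jmp at 00401619
0040149A  |. |68 607D4100           push    offset 00417D60                                    ; presumably the SEH scope table for this frame
0040149F  |. |E8 0C080000           call    __SEH_prolog4                                      ; [__SEH_prolog4 — builds the SEH frame (0x14 bytes of locals); [ebp-4] is written to -2 before every exit below
004014A4  |. |6A 01                 push    1                                                  ; /module_type = 1
004014A6  |. |E8 2C030000           call    __scrt_initialize_crt                              ; \__scrt_initialize_crt (author's note: calls GetCommandLine / LoadLibrary internally)
004014AB  |. |59                    pop     ecx                                                ; discard the argument
004014AC  |. |84C0                  test    al, al                                             ; al = success flag
004014AE  |. |75 07                 jnz     short 004014B7
004014B0  |> |6A 07                 push    7                                                  ; /code = 7 (FAST_FAIL_FATAL_APP_EXIT); also reached from 004014D2
004014B2  |. |E8 20060000           call    __scrt_fastfail                                    ; \__scrt_fastfail — does not return: CRT init failed, or startup was re-entered
004014B7  |> |32DB                  xor     bl, bl                                             ; bl = 0: "this call did the initialisation" (bl = 1 on the already-initialised path at 00401521); tested at 004015B2
004014B9  |. |885D E7               mov     byte ptr [ebp-19], bl                              ; same flag kept in a local
004014BC  |. |8365 FC 00            and     dword ptr [ebp-4], 00000000                        ; try-level 0: __try scope open from here; filter at 004015D1, handler at 00401604
004014C0  |. |E8 DD020000           call    __scrt_acquire_startup_lock                        ; [__scrt_acquire_startup_lock
004014C5  |. |8845 DC               mov     byte ptr [ebp-24], al                              ; is_nested, handed back to __scrt_release_startup_lock at 00401526
004014C8  |. |A1 0C9B4100           mov     eax, dword ptr [__scrt_current_native_startup_state]
004014CD  |. |33C9                  xor     ecx, ecx
004014CF  |. |41                    inc     ecx                                                ; ecx = 1 (still live at 00401521)
004014D0  |. |3BC1                  cmp     eax, ecx
004014D2  |.^|74 DC                 je      short 004014B0                                     ; state == 1 -> fastfail(7): startup re-entered while initialisation is still in progress
004014D4  |. |85C0                  test    eax, eax
004014D6  |. |75 49                 jnz     short 00401521                                     ; state != 0 (and != 1): already initialised, skip the initializer tables
004014D8  |. |890D 0C9B4100         mov     dword ptr [__scrt_current_native_startup_state], ecx ; state = 1 (initialising)
004014DE  |. |68 50214100           push    offset __xi_z                                      ; /last = 00412150
004014E3  |. |68 38214100           push    offset __xi_a                                      ; |first = 00412138
004014E8  |. |E8 72330000           call    _initterm_e                                        ; \_initterm_e — walks the __xi_a..__xi_z function-pointer table (C initializers); non-zero return = failure
004014ED  |. |59                    pop     ecx
004014EE  |. |59                    pop     ecx
004014EF  |. |85C0                  test    eax, eax
004014F1  |. |74 11                 jz      short 00401504
004014F3  |. |C745 FC FEFFFFFF      mov     dword ptr [ebp-4], -2                              ; initializer failed: leave the __try scope ...
004014FA  |. |B8 FF000000           mov     eax, 0FF                                           ; ... exit code 0xFF ...
004014FF  |. |E9 0A010000           jmp     0040160E                                           ; ... straight to the common exit (__SEH_epilog4; ret); __scrt_release_startup_lock at 00401526 is skipped on this path
00401504  |> |68 34214100           push    offset __xc_z                                      ; /last = 00412134
00401509  |. |68 2C214100           push    offset __xc_a                                      ; |first = 0041212C
0040150E  |. |E8 F0320000           call    _initterm                                          ; \_initterm — walks the __xc_a..__xc_z table (C++ static constructors); no return value is checked
00401513  |. |59                    pop     ecx
00401514  |. |59                    pop     ecx
00401515  |. |C705 0C9B4100 02000000 mov     dword ptr [__scrt_current_native_startup_state], 2 ; state = 2 (initialised)
0040151F  |. |EB 05                 jmp     short 00401526
00401521  |> |8AD9                  mov     bl, cl                                             ; already-initialised path: bl = 1 (ecx unchanged since 004014CF)
00401523  |. |885D E7               mov     byte ptr [ebp-19], bl
00401526  |> |FF75 DC               push    dword ptr [ebp-24]                                 ; /is_nested
00401529  |. |E8 06040000           call    __scrt_release_startup_lock                        ; \__scrt_release_startup_lock
0040152E  |. |59                    pop     ecx
0040152F  |. |E8 97050000           call    __scrt_get_dyn_tls_init_callback                   ; [__scrt_get_dyn_tls_init_callback — returns the ADDRESS of the callback pointer slot
00401534  |. |8BF0                  mov     esi, eax
00401536  |. |33FF                  xor     edi, edi                                           ; edi = 0 until 0040157F
00401538  |. |393E                  cmp     dword ptr [esi], edi
0040153A  |. |74 1A                 je      short 00401556                                     ; no callback registered
0040153C  |. |56                    push    esi                                                ; /target = address of the slot
0040153D  |. |E8 65030000           call    __scrt_is_nonwritable_in_current_image             ; \__scrt_is_nonwritable_in_current_image — guard 1: the slot must lie in a read-only section of this image, so a writable-memory overwrite cannot redirect the call
00401542  |. |59                    pop     ecx
00401543  |. |84C0                  test    al, al
00401545  |. |74 0F                 jz      short 00401556                                     ; slot is writable -> callback silently skipped
00401547  |. |57                    push    edi                                                ; arg3 = 0
00401548  |. |6A 02                 push    2                                                  ; arg2 = 2 — looks like a TLS-callback (handle, reason, reserved) triple with reason DLL_THREAD_ATTACH; confirm
0040154A  |. |57                    push    edi                                                ; arg1 = 0
0040154B  |. |8B36                  mov     esi, dword ptr [esi]                               ; esi = the callback itself
0040154D  |. |8BCE                  mov     ecx, esi
0040154F  |. |E8 4C070000           call    _guard_check_icall                                 ; [_guard_check_icall — guard 2: Control Flow Guard check on ecx; faults if esi is not a valid indirect-call target
00401554  |. |FFD6                  call    esi                                                ; indirect call; no esp adjustment follows, so the callee must clean its 3 args (the 0x14 at 004015A0 covers only the 5 pushes after this point)
00401556  |> |E8 76050000           call    __scrt_get_dyn_tls_dtor_callback                   ; [__scrt_get_dyn_tls_dtor_callback — same slot-address pattern for the TLS destructor callback
0040155B  |. |8BF0                  mov     esi, eax
0040155D  |. |393E                  cmp     dword ptr [esi], edi
0040155F  |. |74 13                 je      short 00401574
00401561  |. |56                    push    esi                                                ; /target
00401562  |. |E8 40030000           call    __scrt_is_nonwritable_in_current_image             ; \__scrt_is_nonwritable_in_current_image — same read-only-location guard before the pointer is handed out
00401567  |. |59                    pop     ecx
00401568  |. |84C0                  test    al, al
0040156A  |. |74 08                 jz      short 00401574
0040156C  |. |FF36                  push    dword ptr [esi]                                    ; /Arg1 = the dtor callback
0040156E  |. |E8 8F350000           call    _register_thread_local_exe_atexit_callback         ; \WOW64Test_x86._register_thread_local_exe_atexit_callback — only registered here, not invoked
00401573  |. |59                    pop     ecx
00401574  |> |57                    push    edi                                                ; /instance => 0
00401575  |. |E8 79090000           call    __telemetry_main_invoke_trigger                    ; \__telemetry_main_invoke_trigger
0040157A  |. |E8 2D360000           call    __p___wargv                                        ; [__p___wargv — edi = &__wargv
0040157F  |. |8BF8                  mov     edi, eax
00401581  |. |E8 20360000           call    __p___argc                                         ; [__p___argc — esi = &__argc (the wmain arguments)
00401586  |. |8BF0                  mov     esi, eax
00401588  |. |E8 5D320000           call    _get_initial_wide_environment                      ; [_get_initial_wide_environment — eax = envp
0040158D  |. |50                    push    eax                                                ; envp
0040158E  |. |FF37                  push    dword ptr [edi]                                    ; /argv
00401590  |. |FF36                  push    dword ptr [esi]                                    ; |argc
00401592  |. |E8 09FDFFFF           call    wmain                                              ; \wmain(argc, argv, envp) — the user's program
00401597  |. |8BF0                  mov     esi, eax                                           ; esi = wmain's return value (exit code)
00401599  |. |6A 00                 push    0                                                  ; /instance = 0
0040159B  |. |E8 EF090000           call    __telemetry_main_return_trigger                    ; \__telemetry_main_return_trigger
004015A0  |. |83C4 14               add     esp, 14                                            ; 83 C4 14 = add esp, 0x14: pops 5 dwords (telemetry instance, argc/argv/envp, telemetry instance)
004015A3  |. |E8 69340000           call    is_managed_app                                     ; [is_managed_app
004015A8  |. |84C0                  test    al, al
004015AA  |. |75 06                 jnz     short 004015B2
004015AC  |. |56                    push    esi                                                ; /return_code = wmain's result
004015AD  |. |E8 88350000           call    exit                                               ; \exit — native app: full process exit, never returns here
004015B2  |> |84DB                  test    bl, bl                                             ; managed app: bl == 0 means this call did the initialisation ...
004015B4  |. |75 05                 jnz     short 004015BB
004015B6  |. |E8 22350000           call    _cexit                                             ; [_cexit — ... so run the termination handlers without exiting the process
004015BB  |> |6A 00                 push    0                                                  ; /from_exit = FALSE
004015BD  |. |6A 01                 push    1                                                  ; |is_terminating = TRUE
004015BF  |. |E8 8D030000           call    __scrt_uninitialize_crt                            ; \__scrt_uninitialize_crt
004015C4  |. |59                    pop     ecx
004015C5  |. |59                    pop     ecx
004015C6  |. |C745 FC FEFFFFFF      mov     dword ptr [ebp-4], -2                              ; leave the __try scope
004015CD  |. |8BC6                  mov     eax, esi                                           ; return wmain's exit code
004015CF  \. |EB 3D                 jmp     short 0040160E                                     ; common exit: __SEH_epilog4; ret
004015D1  /. |8B4D EC               mov     ecx, dword ptr [ebp-14]                            ; SEH filter for the __try scope opened at 004014BC; ecx = pxcptinfoptrs (per OllyDbg's label below)
004015D4  |. |8B01                  mov     eax, dword ptr [ecx]                               ; eax = first field of the EXCEPTION_POINTERS (the exception record)
004015D6  |. |8B00                  mov     eax, dword ptr [eax]                               ; eax = first field of the record = exception code (OllyDbg: xcptnum)
004015D8  |. |8945 E0               mov     dword ptr [ebp-20], eax                            ; saved so the handler at 00401604 can return it as the exit code
004015DB  |. |51                    push    ecx                                                ; /pxcptinfoptrs => [ARG.EBP-14]
004015DC  |. |50                    push    eax                                                ; |xcptnum
004015DD  |. |E8 C9290000           call    _seh_filter_exe                                    ; \_seh_filter_exe — decides the filter disposition for this exception code
004015E2  |. |59                    pop     ecx
004015E3  |. |59                    pop     ecx
004015E4  \. |C3                    ret                                                        ; eax = filter disposition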
