MFC应用程序逆向经验总结
如何找到MFC App的InitInstance入口地址
OEP:
00401A83| E8 68040000 | call 00401EF0 | __security_init_cookie
00401A88| E9 36FDFFFF | jmp 004017C3 | __tmainCRTStartup
__tmainCRTStartup:
004017C3| 6A 5C | push 5C |
004017C5| 68 B83B4000 | push 403BB8 |
004017CA| E8 79060000 | call 00401E48 | __SEH_prolog4
中间代码省略……
004018FD| 0FB74D C4 | movzx ecx,word ptr ss:[ebp-3C] |
00401901| EB 03 | jmp short 00401906 |
00401903| 6A 0A | push 0A |
00401905| 59 | pop ecx |
00401906| 51 | push ecx |
00401907| 50 | push eax |
00401908| 53 | push ebx |
00401909| 68 00004000 | push 400000 |
0040190E| E8 AB070000 | call 004020BE |wWinMain
00401913| A3 30514000 | mov dword ptr ds:[405130],eax |
00401918| 391D 24514000 | cmp dword ptr ds:[405124],ebx |
0040191E| 75 4C | jnz short 0040196C |
00401920| 50 | push eax |
00401921| FF15 A8324000 | call dword ptr ds:[4032A8] |MSVCR80.exit
00401927| 66:83F9 22 | cmp cx,22 |
0040192B| 75 0B | jnz short 00401938 |
0040192D| 33C9 | xor ecx,ecx |
0040192F| 395D E4 | cmp dword ptr ss:[ebp-1C],ebx |
00401932| 0F94C1 | sete cl |
00401935| 894D E4 | mov dword ptr ss:[ebp-1C],ecx |
00401938| 40 | inc eax |
00401939| 40 | inc eax |
0040193A| EB 90 | jmp short 004018CC |
0040193C| 8B45 EC | mov eax,dword ptr ss:[ebp-14] |
0040193F| 8B08 | mov ecx,dword ptr ds:[eax] |
00401941| 8B09 | mov ecx,dword ptr ds:[ecx] |
00401943| 894D D8 | mov dword ptr ss:[ebp-28],ecx |
00401946| 50 | push eax |
00401947| 51 | push ecx |
00401948| E8 A9030000 | call 00401CF6 |jmp 到 MSVCR80._XcptFilter
0040194D| 59 | pop ecx |
0040194E| 59 | pop ecx |
0040194F| C3 | retn |
wWinMain:
004020BE| E9 19000000 | jmp 004020DC | AfxWinMain
……
004020DC| FF25 0C324000 | jmp dword ptr ds:[40320C] |MFC80U.7831D25F
AfxWinMain:
7831D25F| 53 | push ebx |
7831D260| 56 | push esi |
7831D261| 57 | push edi |
7831D262| 83CB FF | or ebx,FFFFFFFF |
7831D265| E8 CA2CFFFF | call 7830FF34 |MFC80U.7830FF34
7831D26A| 8B70 04 | mov esi,dword ptr ds:[eax+4] |
7831D26D| E8 4F2CFFFF | call 7830FEC1 |MFC80U.7830FEC1
7831D272| FF7424 1C | push dword ptr ss:[esp+1C] |
7831D276| 8B78 04 | mov edi,dword ptr ds:[eax+4] |
7831D279| FF7424 1C | push dword ptr ss:[esp+1C] |
7831D27D| FF7424 1C | push dword ptr ss:[esp+1C] |
7831D281| FF7424 1C | push dword ptr ss:[esp+1C] |
7831D285| E8 F3CA0200 | call 78349D7D |MFC80U.78349D7D
7831D28A| 85C0 | test eax,eax |
7831D28C| 74 3C | je short 7831D2CA |MFC80U.7831D2CA
7831D28E| 85FF | test edi,edi |
7831D290| 74 0E | je short 7831D2A0 |MFC80U.7831D2A0
7831D292| 8B07 | mov eax,dword ptr ds:[edi] |
7831D294| 8BCF | mov ecx,edi |
7831D296| FF90 98000000 | call dword ptr ds:[eax+98] |
7831D29C| 85C0 | test eax,eax |
7831D29E| 74 2A | je short 7831D2CA |MFC80U.7831D2CA
7831D2A0| 8B06 | mov eax,dword ptr ds:[esi] |
7831D2A2| 8BCE | mov ecx,esi |
7831D2A4| FF50 58 | call dword ptr ds:[eax+58] | CtestApp::InitInstance
如何找到MFC对话框的消息处理函数地址
参考:
MFC程序中的消息逆向:http://hi.baidu.com/asmcvc/blog/item/1c262e238cad8d5a9822ed81.html
CWnd::OnWndMsg(uint,uint,long,long *) .text 004015CC
004015CC| FF25 D4304000 | jmp dword ptr ds:[4030D4] |MFC80U.78312DF0
MFC80U.78312DF0:
78312DF0| 55 | push ebp |
78312DF1| 8BEC | mov ebp,esp |
78312DF3| 83E4 F8 | and esp,FFFFFFF8 |
78312DF6| 6A FF | push -1 |
78312DF8| 68 7ABF3A78 | push 783ABF7A |
78312DFD| 64:A1 00000000 | mov eax,dword ptr fs:[0] |
78312E03| 50 | push eax |
78312E04| 81EC 80000000 | sub esp,80 |
78312E0A| 53 | push ebx |
78312E0B| 56 | push esi |
78312E0C| 57 | push edi |
78312E0D| A1 18803C78 | mov eax,dword ptr ds:[783C8018] |
78312E12| 33C4 | xor eax,esp |
78312E14| 50 | push eax |
78312E15| 8D8424 90000000 | lea eax,dword ptr ss:[esp+90] |
78312E1C| 64:A3 00000000 | mov dword ptr fs:[0],eax |
78312E22| 8BF9 | mov edi,ecx |
78312E24| 33C9 | xor ecx,ecx |
78312E26| 894C24 14 | mov dword ptr ss:[esp+14],ecx |
78312E2A| C74424 20 FFFFFF7F | mov dword ptr ss:[esp+20],7FFFFFFF |
78312E32| 8B75 08 | mov esi,dword ptr ss:[ebp+8] |
78312E35| 81FE 11010000 | cmp esi,111 |
78312E3B| 898C24 98000000 | mov dword ptr ss:[esp+98],ecx |
78312E42| 75 25 | jnz short 78312E69 |MFC80U.78312E69
78312E44| FF75 10 | push dword ptr ss:[ebp+10] |
78312E47| 8B07 | mov eax,dword ptr ds:[edi] |
78312E49| FF75 0C | push dword ptr ss:[ebp+C] |
78312E4C| 8BCF | mov ecx,edi |
78312E4E| FF90 F0000000 | call dword ptr ds:[eax+F0] |
78312E54| 85C0 | test eax,eax |
78312E56| 0F84 FD010000 | je 78313059 |MFC80U.78313059
78312E5C| C74424 14 01000000 | mov dword ptr ss:[esp+14],1 |
78312E64| E9 28050000 | jmp 78313391 |MFC80U.78313391
78312E69| 83FE 4E | cmp esi,4E |
78312E6C| 75 2B | jnz short 78312E99 |MFC80U.78312E99
78312E6E| 8B45 10 | mov eax,dword ptr ss:[ebp+10] |
78312E71| 3908 | cmp dword ptr ds:[eax],ecx |
78312E73| 0F84 E0010000 | je 78313059 |MFC80U.78313059
78312E79| 8B17 | mov edx,dword ptr ds:[edi] |
78312E7B| 8D4C24 14 | lea ecx,dword ptr ss:[esp+14] |
78312E7F| 51 | push ecx |
78312E80| 50 | push eax |
78312E81| FF75 0C | push dword ptr ss:[ebp+C] |
78312E84| 8BCF | mov ecx,edi |
78312E86| FF92 F4000000 | call dword ptr ds:[edx+F4] |
78312E8C| 85C0 | test eax,eax |
78312E8E| 0F85 FD040000 | jnz 78313391 |MFC80U.78313391
78312E94| E9 C0010000 | jmp 78313059 |MFC80U.78313059
78312E99| 83FE 06 | cmp esi,6 |
78312E9C| 8B5D 10 | mov ebx,dword ptr ss:[ebp+10] |
78312E9F| 75 13 | jnz short 78312EB4 |MFC80U.78312EB4
78312EA1| 53 | push ebx |
78312EA2| E8 1EEEFFFF | call 78311CC5 |MFC80U.78311CC5
78312EA7| FF75 0C | push dword ptr ss:[ebp+C] |
78312EAA| 8BF0 | mov esi,eax |
78312EAC| E8 60EBFFFF | call 78311A11 |MFC80U.78311A11
78312EB1| 8B75 08 | mov esi,dword ptr ss:[ebp+8] |
78312EB4| 83FE 20 | cmp esi,20 |
78312EB7| 75 1C | jnz short 78312ED5 |MFC80U.78312ED5
78312EB9| 66:81FB FEFF | cmp bx,0FFFE |
78312EBE| 75 0F | jnz short 78312ECF |MFC80U.78312ECF
78312EC0| 8BC3 | mov eax,ebx |
78312EC2| C1E8 10 | shr eax,10 |
78312EC5| 50 | push eax |
78312EC6| 8BCF | mov ecx,edi |
78312EC8| E8 B0EBFFFF | call 78311A7D |MFC80U.78311A7D
78312ECD| EB 02 | jmp short 78312ED1 |MFC80U.78312ED1
78312ECF| 33C0 | xor eax,eax |
78312ED1| 85C0 | test eax,eax |
78312ED3| 75 87 | jnz short 78312E5C |MFC80U.78312E5C
78312ED5| 8B47 4C | mov eax,dword ptr ds:[edi+4C] |
78312ED8| 85C0 | test eax,eax |
78312EDA| 74 4E | je short 78312F2A |MFC80U.78312F2A
78312EDC| 8378 74 00 | cmp dword ptr ds:[eax+74],0 |
78312EE0| 7E 48 | jle short 78312F2A |MFC80U.78312F2A
78312EE2| 81FE 00020000 | cmp esi,200 |
78312EE8| 72 08 | jb short 78312EF2 |MFC80U.78312EF2
78312EEA| 81FE 09020000 | cmp esi,209 |
78312EF0| 76 1B | jbe short 78312F0D |MFC80U.78312F0D
78312EF2| 81FE 00010000 | cmp esi,100 |
78312EF8| 72 08 | jb short 78312F02 |MFC80U.78312F02
78312EFA| 81FE 0F010000 | cmp esi,10F |
78312F00| 76 0B | jbe short 78312F0D |MFC80U.78312F0D
78312F02| 8D86 7FFDFFFF | lea eax,dword ptr ds:[esi-281] |
78312F08| 83F8 10 | cmp eax,10 |
78312F0B| 77 1D | ja short 78312F2A |MFC80U.78312F2A
78312F0D| 8B4F 4C | mov ecx,dword ptr ds:[edi+4C] |
78312F10| 8B01 | mov eax,dword ptr ds:[ecx] |
78312F12| 8D5424 14 | lea edx,dword ptr ss:[esp+14] |
78312F16| 52 | push edx |
78312F17| 53 | push ebx |
78312F18| FF75 0C | push dword ptr ss:[ebp+C] |
78312F1B| 56 | push esi |
78312F1C| FF90 9C000000 | call dword ptr ds:[eax+9C] |
78312F22| 85C0 | test eax,eax |
78312F24| 0F85 67040000 | jnz 78313391 |MFC80U.78313391
78312F2A| 8B07 | mov eax,dword ptr ds:[edi] |
78312F2C| 8BCF | mov ecx,edi |
78312F2E| FF50 30 | call dword ptr ds:[eax+30] | CtestDlg::GetMessageMap 004011D0
CtestDlg::GetMessageMap:
004011D0| B8 78354000 | mov eax,403578 |
004011D5| C3 | retn |
数据窗口中跟随00403578:
00403578 00401680 @ ?GetThisMessageMap@CDialog@@
0040357C 00403500 㔀@ 00403500
00403580 >00320031 12
00403584 00000033 3.
其中00401680 是返回基类CDialog消息映射的函数(即上面标注的?GetThisMessageMap@CDialog@@)的地址;00403500 是CtestDlg类自身的消息映射表(AFX_MSGMAP_ENTRY数组),每项占6个dword,依次为消息号、通知码、控件ID、控件ID上限、签名、处理函数地址,表以一个全零项结束(此处为MFC 8.0/MFC80U的布局)。数据窗口中跟随00403500:
00403500 00000112 Ē. WM_SYSCOMMAND
00403504 00000000 ..
00403508 00000000 ..
0040350C 00000000 ..
00403510 0000001E ‑.
00403514 004012C0 ዀ@ CtestDlg::OnSysCommand
00403518 0000000F . WM_PAINT
0040351C 00000000 ..
00403520 00000000 ..
00403524 00000000 ..
00403528 00000013 .
0040352C 00401360 ፠@ CtestDlg::OnPaint
00403530 00000037 7. WM_QUERYDRAGICON
00403534 00000000 ..
00403538 00000000 ..
0040353C 00000000 ..
00403540 00000028 (.
00403544 00401440 ᑀ@ CtestDlg::OnQueryDragIcon
00403548 00000111 đ. WM_COMMAND
0040354C 00000000 ..
00403550 000003E8 Ϩ. 按钮的控件ID,十进制是1000(下一dword 00403554 为ID范围上限,与之相同表示只匹配这一个ID)
00403554 000003E8 Ϩ.
00403558 00000038 8.
0040355C 00401450 ᑐ@ CtestDlg::OnBnClickedButton1
00403560 00000000 ..
00403564 00000000 ..
00403568 00000000 ..
0040356C 00000000 ..
00403570 00000000 ..
00403574 00000000 ..