反汇编引擎编写
说在前面
反汇编引擎是众多逆向分析工具都必有,也是比较核心的功能,编写需要的基础知识已经在硬编码前面几节内容说到,本次编写只针对了Mod R/M 和 SIB字段的编写,写的并不全,经过这次编写主要还是练习c++,写到后面发现还是最开始设计时,功能封装并没有设计好,其实写这个引擎设计非常重要,但这次编写没有设计好思路,写到后面已经没有再想写的欲望了:结构很乱,最开始定义成员的时候就没有想好。说到底还是经验太少。不过在编写过程中还是收获很多,对c++理解又深刻了一些,多练其实是提升代码水平的不二之选。还是写了一小段,舍不得,先记录下来吧。下次写个完整的出来。
代码
编译环境 win10 vs2019
1 #include <iostream> 2 #include <string> 3 #include <windows.h> 4 5 6 class PrintIns 7 { 8 private: 9 DWORD Index; 10 DWORD FindIndex(LPSTR Buffer,char cha) 11 { 12 for (DWORD i = 0; Buffer[i] != 0; i++) 13 { 14 if (Buffer[i] == cha) 15 { 16 return i; 17 } 18 } 19 return 0; 20 } 21 LPCSTR DeterminSegReg(LPSTR Buffer) 22 { 23 DWORD IndexEnd = FindIndex(Buffer, ']'); 24 for (DWORD i = FindIndex(Buffer,'['); i< IndexEnd; i++) 25 { 26 if (Buffer[i] == 'e') 27 { 28 if (Buffer[i + 1] == 'b' || Buffer[i + 1] == 's') 29 { 30 if (Buffer[i + 2] == 'p') 31 return "ss"; 32 } 33 } 34 } 35 return "ds"; 36 } 37 LPSTR FixBuffer(LPSTR Buffer,int SubIndex, const LPBYTE HardCode,DWORD ModNum,DWORD Disp) //修复缓冲区,主要是修复段寄存器,定位到ModR/M字段 38 { 39 LPSTR NewBuffer = (LPSTR)malloc(0x20); 40 DWORD NewIndex = Index; 41 NewIndex = NewIndex - SubIndex; 42 memset(NewBuffer, 0, 0x20); 43 if (Disp != NULL) 44 { 45 sprintf(NewBuffer, "%s%s%s+%s+%x%s", DeterminSegReg(Buffer), ":[", ReadBase(HardCode[++NewIndex], ModNum), ReadIndexScale(HardCode[NewIndex]), Disp, "]"); 46 } 47 else 48 { 49 sprintf(NewBuffer, "%s%s%s+%s%s", DeterminSegReg(Buffer), ":[", ReadBase(HardCode[++NewIndex], ModNum), ReadIndexScale(HardCode[NewIndex]), "]"); 50 } 51 return NewBuffer; 52 } 53 void PrintVariableLengthIns(const LPBYTE HardCode) 54 { 55 IfModRM(HardCode); 56 } 57 void IfModRM(const LPBYTE HardCode) 58 { 59 DWORD Reg = (HardCode[++Index] & 0x38) >> 3; 60 DWORD Mod = (HardCode[Index] & 0xC0) >> 6; 61 DWORD RM = HardCode[Index] & 0x07; 62 Index--; //定位到opcode 63 if (0x0 <= HardCode[Index] && 0x3 >= HardCode[Index]) 64 { 65 MeanAdd(HardCode, Mod, RM, Reg); 66 } 67 else if (0x8 <= HardCode[Index] && 0xB >= HardCode[Index]) 68 { 69 MeanOr(HardCode, Mod, RM, Reg); 70 } 71 else if (0x10 <= HardCode[Index] && 0x13 >= HardCode[Index]) 72 { 73 MeanAdc(HardCode, Mod, RM, Reg); 74 } 75 else if (0x18 <= HardCode[Index] && 0x1B >= HardCode[Index]) 76 { 77 MeanSbb(HardCode, Mod, RM, Reg); 78 } 79 else if (0x20 <= HardCode[Index] && 0x23 >= HardCode[Index]) 80 { 81 MeanAnd(HardCode, Mod, RM, Reg); 82 } 83 else if (0x28 <= HardCode[Index] && 0x2B >= HardCode[Index]) 84 { 85 MeanSub(HardCode, Mod, RM, Reg); 86 } 87 else if (0x30 <= HardCode[Index] && 0x33 >= HardCode[Index]) 88 { 89 MeanXor(HardCode, Mod, RM, Reg); 90 } 91 else if (0x38 <= HardCode[Index] && 0x3B >= HardCode[Index]) 92 { 93 MeanCmp(HardCode, Mod, RM, Reg); 94 } 95 else if (0x88 <= HardCode[Index] && 0x8B > HardCode[Index]) 96 { 97 MeanMov(HardCode, Mod, RM, Reg); 98 } 99 100 101 } 102 LPCSTR ReadRegX8(DWORD RegNumber) 103 { 104 switch (RegNumber) 105 { 106 case 0x0: 107 return "al"; 108 case 0x1: 109 return "cl"; 110 case 0x2: 111 return "dl"; 112 case 0x3: 113 return "bl"; 114 case 0x4: 115 return "ah"; 116 case 0x5: 117 return "ch"; 118 case 0x6: 119 return "dh"; 120 case 0x7: 121 return "bh"; 122 default: 123 return "false"; 124 } 125 } 126 LPCSTR ReadRegX32(DWORD RegNumber) 127 { 128 switch (RegNumber) 129 { 130 case 0x0: 131 return "eax"; 132 case 0x1: 133 return "ecx"; 134 case 0x2: 135 return "edx"; 136 case 0x3: 137 return "ebx"; 138 case 0x4: 139 return "esp"; 140 case 0x5: 141 return "ebp"; 142 case 0x6: 143 return "esi"; 144 case 0x7: 145 return "edi"; 146 default: 147 return "false"; 148 } 149 } 150 LPCSTR ReadModRM(const LPBYTE HardCode, DWORD ModNum, DWORD RMNum) 151 { 152 if (ModNum == 0x0) 153 { 154 Index++; //ModR/M字段 155 LPSTR Buffer = (LPSTR)malloc(0x20); 156 memset(Buffer, 0, 0x20); 157 DWORD disp32; 158 switch (RMNum) 159 { 160 case 0x0: 161 sprintf(Buffer, "%s%s%s","ds:[", "eax","]"); 162 return Buffer; 163 case 0x1: 164 sprintf(Buffer, "%s%s%s", "ds:[", "ecx", "]"); 165 return Buffer; 166 case 0x2: 167 sprintf(Buffer, "%s%s%s", "ds:[", "edx", "]"); 168 return Buffer; 169 case 0x3: 170 sprintf(Buffer, "%s%s%s", "ds:[", "ebx", "]"); 171 return Buffer; 172 case 0x4: 173 sprintf(Buffer, "%s%s%s%s", "ss:[",ReadBase(HardCode[++Index], ModNum), ReadIndexScale(HardCode[Index]),"]"); 174 return FixBuffer(Buffer,1, HardCode, ModNum,NULL); 175 case 0x5: 176 disp32 = (HardCode[++Index]) + (HardCode[++Index] << 8) + (HardCode[++Index] << 16) + (HardCode[++Index] << 24); 177 sprintf(Buffer,"%s%x%s", "ds:[", disp32,"]"); 178 return Buffer; 179 case 0x6: 180 sprintf(Buffer, "%s%s%s", "ds:[", "esi", "]"); 181 return Buffer; 182 case 0x7: 183 sprintf(Buffer, "%s%s%s", "ds:[", "edi", "]"); 184 return Buffer; 185 default: 186 return Buffer; 187 } 188 } 189 else if (ModNum == 0x1) 190 { 191 Index++; 192 DWORD disp8 = HardCode[++Index]; 193 LPSTR BufferDisp8 = (LPSTR)malloc(0x20); 194 memset(BufferDisp8, 0, 0x20); 195 LPSTR NewBuffer; 196 switch (RMNum) 197 { 198 case 0x0: 199 sprintf(BufferDisp8, "%s%s%x%s", "ds:[","eax+", disp8, "]"); 200 return BufferDisp8; 201 case 0x1: 202 sprintf(BufferDisp8, "%s%s%x%s", "ds:[", "ecx+", disp8, "]"); 203 return BufferDisp8; 204 case 0x2: 205 sprintf(BufferDisp8, "%s%s%x%s", "ds:[", "edx+", disp8, "]"); 206 return BufferDisp8; 207 case 0x3: 208 sprintf(BufferDisp8, "%s%s%x%s", "ds:[", "ebx+", disp8, "]"); 209 return BufferDisp8; 210 case 0x4: 211 disp8 = HardCode[++Index]; 212 sprintf(BufferDisp8, "%s%s%s+%x%s", "ss:[", ReadBase(HardCode[--Index], ModNum), ReadIndexScale(HardCode[Index]), disp8, "]"); 213 NewBuffer = FixBuffer(BufferDisp8, 1, HardCode, ModNum, disp8); 214 Index++; 215 return NewBuffer; 216 case 0x5: 217 sprintf(BufferDisp8, "%s%s%x%s", "ds:[", "ebpx+", disp8, "]"); 218 return FixBuffer(BufferDisp8,1, HardCode, ModNum, disp8); 219 case 0x6: 220 sprintf(BufferDisp8, "%s%s%x%s", "ds:[", "esi+", disp8, "]"); 221 return BufferDisp8; 222 case 0x7: 223 sprintf(BufferDisp8, "%s%s%x%s", "ds:[", "edi+", disp8, "]"); 224 return BufferDisp8; 225 default: 226 return BufferDisp8; 227 } 228 } 229 // 230 else if (ModNum == 0x2) 231 { 232 Index++; 233 DWORD disp32 = (HardCode[++Index]) + (HardCode[++Index] << 8) + (HardCode[++Index] << 16) + (HardCode[++Index] << 24); 234 LPSTR BufferDisp32 = (LPSTR)malloc(0x20); 235 memset(BufferDisp32, 0, 0x20); 236 LPSTR NewBuffer; 237 switch (RMNum) 238 { 239 case 0x0: 240 sprintf(BufferDisp32, "%s%s%x%s", "ds:[", "eax+", disp32, "]"); 241 return BufferDisp32; 242 case 0x1: 243 sprintf(BufferDisp32, "%s%s%x%s", "ds:[", "ecx+", disp32, "]"); 244 return BufferDisp32; 245 case 0x2: 246 sprintf(BufferDisp32, "%s%s%x%s", "ds:[", "edx+", disp32, "]"); 247 return BufferDisp32; 248 case 0x3: 249 sprintf(BufferDisp32, "%s%s%x%s", "ds:[", "ebx+", disp32, "]"); 250 return BufferDisp32; 251 case 0x4: 252 Index = Index - 3; //定位到SIB字段 253 disp32 = (HardCode[++Index]) + (HardCode[++Index] << 8) + (HardCode[++Index] << 16) + (HardCode[++Index] << 24); //算偏移 254 Index = Index - 4; //重新定位到SIB字段 255 sprintf(BufferDisp32, "%s%s%s+%x%s", "ss:[", ReadBase(HardCode[Index], ModNum), ReadIndexScale(HardCode[Index]), disp32, "]"); 256 NewBuffer = FixBuffer(BufferDisp32, 1, HardCode, ModNum, disp32); 257 Index = Index + 4; //索引复原 258 return NewBuffer; 259 case 0x5: 260 sprintf(BufferDisp32, "%s%s%x%s", "ds:[", "ebp+", disp32, "]"); 261 return FixBuffer(BufferDisp32, 5, HardCode, ModNum, disp32); 262 case 0x6: 263 sprintf(BufferDisp32, "%s%s%x%s", "ds:[", "esi+", disp32, "]"); 264 return BufferDisp32; 265 case 0x7: 266 sprintf(BufferDisp32, "%s%s%x%s", "ds:[", "edi+", disp32, "]"); 267 return BufferDisp32; 268 default: 269 return BufferDisp32; 270 } 271 } 272 else if (ModNum == 0x3) 273 { 274 LPSTR Buffer = (LPSTR)malloc(0x20); 275 memset(Buffer, 0, 0x20); 276 switch (RMNum) 277 { 278 case 0x0: 279 sprintf(Buffer, "%s%s%s", "ds:[", "eax", "]"); 280 return Buffer; 281 case 0x1: 282 sprintf(Buffer, "%s%s%s", "ds:[", "ecx", "]"); 283 return Buffer; 284 case 0x2: 285 sprintf(Buffer, "%s%s%s", "ds:[", "edx", "]"); 286 return Buffer; 287 case 0x3: 288 sprintf(Buffer, "%s%s%s", "ds:[", "ebx", "]"); 289 return Buffer; 290 case 0x4: 291 sprintf(Buffer, "%s%s%s", "ds:[", "esp", "]"); 292 return Buffer; 293 case 0x5: 294 sprintf(Buffer, "%s%s%s", "ds:[", "ebp", "]"); 295 return Buffer; 296 case 0x6: 297 sprintf(Buffer, "%s%s%s", "ds:[", "esi", "]"); 298 return Buffer; 299 case 0x7: 300 sprintf(Buffer, "%s%s%s", "ds:[", "edi", "]"); 301 return Buffer; 302 default: 303 return Buffer; 304 } 305 } 306 else 307 { 308 return "ModRMfalse"; 309 } 310 } 311 LPCSTR ReadBase(DWORD SibNumber,DWORD Mod) 312 { 313 DWORD Base = SibNumber & 0x07; 314 switch (Base) 315 { 316 case 0x0: 317 return "eax"; 318 case 0x1: 319 return "ecx"; 320 case 0x2: 321 return "edx"; 322 case 0x3: 323 return "ebx"; 324 case 0x4: 325 return "esp"; 326 case 0x5: 327 if (Mod == 0x0) 328 { 329 return ""; 330 } 331 else 332 { 333 return "ebp"; 334 } 335 case 0x6: 336 return "esi"; 337 case 0x7: 338 return "edi"; 339 default: 340 return "false"; 341 } 342 } 343 LPCSTR ReadIndexScale(DWORD SibNumber) 344 { 345 DWORD Scale = (SibNumber & 0xC0) >> 6; 346 DWORD Inde = (SibNumber & 0x38) >> 3; 347 if (Scale == 0x0) 348 { 349 switch (Inde) 350 { 351 case 0x0: 352 return "eax"; 353 case 0x1: 354 return "ecx"; 355 case 0x2: 356 return "edx"; 357 case 0x3: 358 return "ebx"; 359 case 0x4: 360 return "还没写"; 361 case 0x5: 362 return "ebp"; 363 case 0x6: 364 return "esi"; 365 case 0x7: 366 return "edi"; 367 default: 368 return "false"; 369 } 370 } 371 if (Scale == 0x1) 372 { 373 switch (Inde) 374 { 375 case 0x0: 376 return "eax*2"; 377 case 0x1: 378 return "ecx*2"; 379 case 0x2: 380 return "edx*2"; 381 case 0x3: 382 return "ebx*2"; 383 case 0x4: 384 return "还没写"; 385 case 0x5: 386 return "ebp*2"; 387 case 0x6: 388 return "esi*2"; 389 case 0x7: 390 return "edi*2"; 391 default: 392 return "false"; 393 } 394 } 395 if (Scale == 0x2) 396 { 397 switch (Inde) 398 { 399 case 0x0: 400 return "eax*4"; 401 case 0x1: 402 return "ecx*4"; 403 case 0x2: 404 return "edx*4"; 405 case 0x3: 406 return "ebx*4"; 407 case 0x4: 408 return "还没写"; 409 case 0x5: 410 return "ebp*4"; 411 case 0x6: 412 return "esi*4"; 413 case 0x7: 414 return "edi*4"; 415 default: 416 return "false"; 417 } 418 } 419 if (Scale == 0x3) 420 { 421 switch (Inde) 422 { 423 case 0x0: 424 return "eax*8"; 425 case 0x1: 426 return "ecx*8"; 427 case 0x2: 428 return "edx*8"; 429 case 0x3: 430 return "ebx*8"; 431 case 0x4: 432 return "还没写"; 433 case 0x5: 434 return "ebp*8"; 435 case 0x6: 436 return "esi*8"; 437 case 0x7: 438 return "edi*8"; 439 default: 440 return "false"; 441 } 442 } 443 } 444 public: 445 446 void CallDisasmEngine(const LPBYTE HardCode,DWORD HClength) //传入一个数组地址和它的长度 447 { 448 for (Index = 0; Index < HClength; Index++) 449 { 450 //push系列 451 if (0x50 <= HardCode[Index] && HardCode[Index] <= 0x57) 452 { 453 switch (HardCode[Index]) 454 { 455 case 0x50: 456 printf("%08x %x: push eax\n",Index, HardCode[Index]); 457 break; 458 case 0x51: 459 printf("%08x %x: push ecx\n", Index, HardCode[Index]); 460 break; 461 case 0x52: 462 printf("%08x %x: push edx\n", Index, HardCode[Index]); 463 break; 464 case 0x53: 465 printf("%08x %x: push ebx\n", Index, HardCode[Index]); 466 break; 467 case 0x54: 468 printf("%08x %x: push esp\n", Index, HardCode[Index]); 469 break; 470 case 0x55: 471 printf("%08x %x: push ebp\n", Index, HardCode[Index]); 472 break; 473 case 0x56: 474 printf("%08x %x: push esi\n", Index, HardCode[Index]); 475 break; 476 case 0x57: 477 printf("%08x %x: push edi\n", Index, HardCode[Index]); 478 break; 479 } 480 } 481 //pop系列 482 else if (0x58 <= HardCode[Index] && HardCode[Index] <= 0x5F) 483 { 484 switch (HardCode[Index]) 485 { 486 case 0x58: 487 printf("%08x %x: pop eax\n", Index, HardCode[Index]); 488 break; 489 case 0x59: 490 printf("%08x %x: pop ecx\n", Index, HardCode[Index]); 491 break; 492 case 0x5A: 493 printf("%08x %x: pop edx\n", Index, HardCode[Index]); 494 break; 495 case 0x5B: 496 printf("%08x %x: pop ebx\n", Index, HardCode[Index]); 497 break; 498 case 0x5C: 499 printf("%08x %x: pop esp\n", Index, HardCode[Index]); 500 break; 501 case 0x5D: 502 printf("%08x %x: pop ebp\n", Index, HardCode[Index]); 503 break; 504 case 0x5E: 505 printf("%08x %x: pop esi\n", Index, HardCode[Index]); 506 break; 507 case 0x5F: 508 printf("%08x %x: pop edi\n", Index, HardCode[Index]); 509 break; 510 } 511 continue; 512 } 513 //INC系列 514 else if (0x40 <= HardCode[Index] && HardCode[Index] <= 0x47) 515 { 516 switch (HardCode[Index]) 517 { 518 case 0x40: 519 printf("%08x %x: inc eax\n", Index, HardCode[Index]); 520 break; 521 case 0x41: 522 printf("%08x %x: inc ecx\n", Index, HardCode[Index]); 523 break; 524 case 0x42: 525 printf("%08x %x: inc edx\n", Index, HardCode[Index]); 526 break; 527 case 0x43: 528 printf("%08x %x: inc ebx\n", Index, HardCode[Index]); 529 break; 530 case 0x44: 531 printf("%08x %x: inc esp\n", Index, HardCode[Index]); 532 break; 533 case 0x45: 534 printf("%08x %x: inc ebp\n", Index, HardCode[Index]); 535 break; 536 case 0x46: 537 printf("%08x %x: inc esi\n", Index, HardCode[Index]); 538 break; 539 case 0x47: 540 printf("%08x %x: inc edi\n", Index, HardCode[Index]); 541 break; 542 } 543 } 544 //DEC系列 545 else if (0x48 <= HardCode[Index] && HardCode[Index] <= 0x4F) 546 { 547 switch (HardCode[Index]) 548 { 549 case 0x48: 550 printf("%08x %x: dec eax\n", Index, HardCode[Index]); 551 break; 552 case 0x49: 553 printf("%08x %x: dec ecx\n", Index, HardCode[Index]); 554 break; 555 case 0x4A: 556 printf("%08x %x: dec edx\n", Index, HardCode[Index]); 557 break; 558 case 0x4B: 559 printf("%08x %x: dec ebx\n", Index, HardCode[Index]); 560 break; 561 case 0x4C: 562 printf("%08x %x: dec esp\n", Index, HardCode[Index]); 563 break; 564 case 0x4D: 565 printf("%08x %x: dec ebp\n", Index, HardCode[Index]); 566 break; 567 case 0x4E: 568 printf("%08x %x: dec esi\n", Index, HardCode[Index]); 569 break; 570 case 0x4F: 571 printf("%08x %x: dec edi\n", Index, HardCode[Index]); 572 break; 573 } 574 } 575 //MOV Rb, Ib 576 else if (0xB0 <= HardCode[Index] && HardCode[Index] <= 0xB7) 577 { 578 switch (HardCode[Index]) 579 { 580 case 0xB0: 581 printf("mov al,%x\n", HardCode[++Index]); 582 break; 583 case 0xB1: 584 printf("mov cl,%x\n", HardCode[++Index]); 585 break; 586 case 0xB2: 587 printf("mov dl,%x\n", HardCode[++Index]); 588 break; 589 case 0xB3: 590 printf("mov bl,%x\n", HardCode[++Index]); 591 break; 592 case 0xB4: 593 printf("mov ah,%x\n", HardCode[++Index]); 594 break; 595 case 0xB5: 596 printf("mov ch,%x\n", HardCode[++Index]); 597 break; 598 case 0xB6: 599 printf("mov dh,%x\n", HardCode[++Index]); 600 break; 601 case 0xB7: 602 printf("mov dh,%x\n", HardCode[++Index]); 603 break; 604 } 605 } 606 //MOV ERX, Id 607 else if (0xB8 <= HardCode[Index] && HardCode[Index] <= 0xBF) 608 { 609 switch (HardCode[Index]) 610 { 611 case 0xB8: 612 printf("mov eax,%x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 613 break; 614 case 0xB9: 615 printf("mov ecx,%x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 616 break; 617 case 0xBA: 618 printf("mov edx,%x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 619 break; 620 case 0xBB: 621 printf("mov ebx,%x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 622 break; 623 case 0xBC: 624 printf("mov esp,%x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 625 break; 626 case 0xBD: 627 printf("mov ebp,%x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 628 break; 629 case 0xBE: 630 printf("mov esi,%x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 631 break; 632 case 0xBF: 633 printf("mov edi,%x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 634 break; 635 } 636 } 637 //XCHG EAX, ERX 638 else if (0x90 <= HardCode[Index] && HardCode[Index] <= 0x97) 639 { 640 switch (HardCode[Index]) 641 { 642 case 0x90: 643 printf("nop\n"); 644 break; 645 case 0x91: 646 printf("xchg ecx,eax\n"); 647 break; 648 case 0x92: 649 printf("xchg edx,eax\n"); 650 break; 651 case 0x93: 652 printf("xchg ebx,eax\n"); 653 break; 654 case 0x94: 655 printf("xchg esp,eax\n"); 656 break; 657 case 0x95: 658 printf("xchg ebp,eax\n"); 659 break; 660 case 0x96: 661 printf("xchg esi,eax\n"); 662 break; 663 case 0x97: 664 printf("xchg edi,eax\n"); 665 break; 666 } 667 } 668 //JCC ib 669 else if (0x70 <= HardCode[Index] && HardCode[Index] <= 0x7F) 670 { 671 switch (HardCode[Index]) 672 { 673 case 0x70: 674 printf("jo %x\n", HardCode[++Index]); 675 break; 676 case 0x71: 677 printf("jno %x\n", HardCode[++Index]); 678 break; 679 case 0x72: 680 printf("jb %x\n", HardCode[++Index]); 681 break; 682 case 0x73: 683 printf("jnb %x\n", HardCode[++Index]); 684 break; 685 case 0x74: 686 printf("je %x\n", HardCode[++Index]); 687 break; 688 case 0x75: 689 printf("jne %x\n", HardCode[++Index]); 690 break; 691 case 0x76: 692 printf("jna %x\n", HardCode[++Index]); 693 break; 694 case 0x77: 695 printf("ja %x\n", HardCode[++Index]); 696 break; 697 case 0x78: 698 printf("js %x\n", HardCode[++Index]); 699 break; 700 case 0x79: 701 printf("jns %x\n", HardCode[++Index]); 702 break; 703 case 0x7A: 704 printf("jp %x\n", HardCode[++Index]); 705 break; 706 case 0x7B: 707 printf("jnp %x\n", HardCode[++Index]); 708 break; 709 case 0x7C: 710 printf("jl %x\n", HardCode[++Index]); 711 break; 712 case 0x7D: 713 printf("jnl %x\n", HardCode[++Index]); 714 break; 715 case 0x7E: 716 printf("jle %x\n", HardCode[++Index]); 717 break; 718 case 0x7F: 719 printf("jg %x\n", HardCode[++Index]); 720 break; 721 } 722 } 723 //JCC id 724 else if(0x0F == HardCode[Index]) 725 { 726 if (0x80 <= HardCode[++Index] && HardCode[Index] <= 0x8F) 727 { 728 switch (HardCode[Index]) 729 { 730 case 0x80: 731 printf("jo %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 732 break; 733 case 0x81: 734 printf("jno %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 735 break; 736 case 0x82: 737 printf("jb %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 738 break; 739 case 0x83: 740 printf("jnb %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 741 break; 742 case 0x84: 743 printf("je %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 744 break; 745 case 0x85: 746 printf("jne %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 747 break; 748 case 0x86: 749 printf("jna %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 750 break; 751 case 0x87: 752 printf("ja %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 753 break; 754 case 0x88: 755 printf("js %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 756 break; 757 case 0x89: 758 printf("jns %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 759 break; 760 case 0x8A: 761 printf("jp %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 762 break; 763 case 0x8B: 764 printf("jnp %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 765 break; 766 case 0x8C: 767 printf("jl %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 768 break; 769 case 0x8D: 770 printf("jnl %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 771 break; 772 case 0x8E: 773 printf("jle %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 774 break; 775 case 0x8F: 776 printf("jg %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 777 break; 778 } 779 } 780 } 781 //LOOP 782 else if (0xE0 <= HardCode[Index] && HardCode[Index] <= 0xE2) 783 { 784 switch (HardCode[Index]) 785 { 786 case 0xE0: 787 printf("loopne %x\n", HardCode[++Index]); 788 break; 789 case 0xE1: 790 printf("loope %x\n", HardCode[++Index]); 791 break; 792 case 0xE2: 793 printf("loop %x\n", HardCode[++Index]); 794 break; 795 } 796 } 797 //Jrcxz 798 else if (0xE0 == HardCode[Index]) 799 { 800 printf("jrcxz %x\n", HardCode[++Index]); 801 } 802 //e8 e9 ea eb 803 else if (0xE8 <= HardCode[Index] && HardCode[Index] <= 0xEB) 804 { 805 switch (HardCode[Index]) 806 { 807 case 0xE8: 808 printf("call %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 809 break; 810 case 0xE9: 811 printf("jmp %x%x%x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 812 break; 813 case 0xEA: 814 printf("loop %x%x%x%x %x%x\n", HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index], HardCode[++Index]); 815 break; 816 case 0xEB: 817 printf("loop %x\n", HardCode[++Index]); 818 break; 819 } 820 } 821 //c2 c3 822 else if (HardCode[Index] == 0xc2) 823 { 824 printf("ret %x%x\n", HardCode[++Index], HardCode[++Index]); 825 } 826 else if (HardCode[Index] == 0xc3) 827 { 828 printf("ret\n"); 829 } 830 else if (HardCode[Index] == 0xCB) 831 { 832 printf("ret far"); 833 } 834 else if (HardCode[Index] == 0xCA) 835 { 836 printf("ret far %x%x", HardCode[++Index], HardCode[++Index]); 837 } 838 else 839 { 840 PrintVariableLengthIns(HardCode); 841 } 842 843 } 844 } 845 //解释Add 846 void MeanAdd(const LPBYTE HardCode, DWORD Mod, DWORD RM, DWORD Reg) 847 { 848 LPCSTR buffer; 849 switch (HardCode[Index]) 850 { 851 case 0x00: 852 buffer = ReadModRM(HardCode, Mod, RM); 853 printf("add byte ptr ""%s"",%s\n", buffer, ReadRegX8(Reg)); 854 free((LPVOID)buffer); 855 break; 856 case 0x01: 857 buffer = ReadModRM(HardCode, Mod, RM); 858 printf("add dword ptr ""%s"",%s\n", buffer, ReadRegX32(Reg)); 859 free((LPVOID)buffer); 860 break; 861 case 0x02: 862 buffer = ReadModRM(HardCode, Mod, RM); 863 printf("add %s,byte ptr ""%s\n", ReadRegX8(Reg), buffer); 864 free((LPVOID)buffer); 865 break; 866 case 0x03: 867 buffer = ReadModRM(HardCode, Mod, RM); 868 printf("add %s,dword ptr ""%s\n", ReadRegX32(Reg), buffer); 869 free((LPVOID)buffer); 870 break; 871 } 872 } 873 //解释or 874 void MeanOr(const LPBYTE HardCode, DWORD Mod, DWORD RM, DWORD Reg) 875 { 876 LPCSTR buffer; 877 switch (HardCode[Index]) 878 { 879 case 0x08: 880 buffer = ReadModRM(HardCode, Mod, RM); 881 printf("or byte ptr ""%s"",%s\n", buffer, ReadRegX8(Reg)); 882 free((LPVOID)buffer); 883 break; 884 case 0x09: 885 buffer = ReadModRM(HardCode, Mod, RM); 886 printf("or dword ptr ""%s"",%s\n", buffer, ReadRegX32(Reg)); 887 free((LPVOID)buffer); 888 break; 889 case 0x0A: 890 buffer = ReadModRM(HardCode, Mod, RM); 891 printf("or %s,byte ptr ""%s\n", ReadRegX8(Reg), buffer); 892 free((LPVOID)buffer); 893 break; 894 case 0x0B: 895 buffer = ReadModRM(HardCode, Mod, RM); 896 printf("or %s,dword ptr ""%s\n", ReadRegX32(Reg), buffer); 897 free((LPVOID)buffer); 898 break; 899 } 900 } 901 //解释ADC 902 void MeanAdc(const LPBYTE HardCode, DWORD Mod, DWORD RM, DWORD Reg) 903 { 904 LPCSTR buffer; 905 switch (HardCode[Index]) 906 { 907 case 0x10: 908 buffer = ReadModRM(HardCode, Mod, RM); 909 printf("adc byte ptr ""%s"",%s\n", buffer, ReadRegX8(Reg)); 910 free((LPVOID)buffer); 911 break; 912 case 0x11: 913 buffer = ReadModRM(HardCode, Mod, RM); 914 printf("adc dword ptr ""%s"",%s\n", buffer, ReadRegX32(Reg)); 915 free((LPVOID)buffer); 916 break; 917 case 0x12: 918 buffer = ReadModRM(HardCode, Mod, RM); 919 printf("adc %s,byte ptr ""%s\n", ReadRegX8(Reg), buffer); 920 free((LPVOID)buffer); 921 break; 922 case 0x13: 923 buffer = ReadModRM(HardCode, Mod, RM); 924 printf("adc %s,dword ptr ""%s\n", ReadRegX32(Reg), buffer); 925 free((LPVOID)buffer); 926 break; 927 } 928 } 929 void MeanSbb(const LPBYTE HardCode, DWORD Mod, DWORD RM, DWORD Reg) 930 { 931 LPCSTR buffer; 932 switch (HardCode[Index]) 933 { 934 case 0x18: 935 buffer = ReadModRM(HardCode, Mod, RM); 936 printf("sbb byte ptr ""%s"",%s\n", buffer, ReadRegX8(Reg)); 937 free((LPVOID)buffer); 938 break; 939 case 0x19: 940 buffer = ReadModRM(HardCode, Mod, RM); 941 printf("sbb dword ptr ""%s"",%s\n", buffer, ReadRegX32(Reg)); 942 free((LPVOID)buffer); 943 break; 944 case 0x1A: 945 buffer = ReadModRM(HardCode, Mod, RM); 946 printf("sbb %s,byte ptr ""%s\n", ReadRegX8(Reg), buffer); 947 free((LPVOID)buffer); 948 break; 949 case 0x1B: 950 buffer = ReadModRM(HardCode, Mod, RM); 951 printf("sbb %s,dword ptr ""%s\n", ReadRegX32(Reg), buffer); 952 free((LPVOID)buffer); 953 break; 954 } 955 } 956 void MeanAnd(const LPBYTE HardCode, DWORD Mod, DWORD RM, DWORD Reg) 957 { 958 LPCSTR buffer; 959 switch (HardCode[Index]) 960 { 961 case 0x20: 962 buffer = ReadModRM(HardCode, Mod, RM); 963 printf("and byte ptr ""%s"",%s\n", buffer, ReadRegX8(Reg)); 964 free((LPVOID)buffer); 965 break; 966 case 0x21: 967 buffer = ReadModRM(HardCode, Mod, RM); 968 printf("and dword ptr ""%s"",%s\n", buffer, ReadRegX32(Reg)); 969 free((LPVOID)buffer); 970 break; 971 case 0x22: 972 buffer = ReadModRM(HardCode, Mod, RM); 973 printf("and %s,byte ptr ""%s\n", ReadRegX8(Reg), buffer); 974 free((LPVOID)buffer); 975 break; 976 case 0x23: 977 buffer = ReadModRM(HardCode, Mod, RM); 978 printf("and %s,dword ptr ""%s\n", ReadRegX32(Reg), buffer); 979 free((LPVOID)buffer); 980 break; 981 } 982 } 983 void MeanSub(const LPBYTE HardCode, DWORD Mod, DWORD RM, DWORD Reg) 984 { 985 LPCSTR buffer; 986 switch (HardCode[Index]) 987 { 988 case 0x28: 989 buffer = ReadModRM(HardCode, Mod, RM); 990 printf("sub byte ptr ""%s"",%s\n", buffer, ReadRegX8(Reg)); 991 free((LPVOID)buffer); 992 break; 993 case 0x29: 994 buffer = ReadModRM(HardCode, Mod, RM); 995 printf("sub dword ptr ""%s"",%s\n", buffer, ReadRegX32(Reg)); 996 free((LPVOID)buffer); 997 break; 998 case 0x2A: 999 buffer = ReadModRM(HardCode, Mod, RM); 1000 printf("sub %s,byte ptr ""%s\n", ReadRegX8(Reg), buffer); 1001 free((LPVOID)buffer); 1002 break; 1003 case 0x2B: 1004 buffer = ReadModRM(HardCode, Mod, RM); 1005 printf("sub %s,dword ptr ""%s\n", ReadRegX32(Reg), buffer); 1006 free((LPVOID)buffer); 1007 break; 1008 } 1009 } 1010 void MeanXor(const LPBYTE HardCode, DWORD Mod, DWORD RM, DWORD Reg) 1011 { 1012 LPCSTR buffer; 1013 switch (HardCode[Index]) 1014 { 1015 case 0x30: 1016 buffer = ReadModRM(HardCode, Mod, RM); 1017 printf("xor byte ptr ""%s"",%s\n", buffer, ReadRegX8(Reg)); 1018 free((LPVOID)buffer); 1019 break; 1020 case 0x31: 1021 buffer = ReadModRM(HardCode, Mod, RM); 1022 printf("xor dword ptr ""%s"",%s\n", buffer, ReadRegX32(Reg)); 1023 free((LPVOID)buffer); 1024 break; 1025 case 0x32: 1026 buffer = ReadModRM(HardCode, Mod, RM); 1027 printf("xor %s,byte ptr ""%s\n", ReadRegX8(Reg), buffer); 1028 free((LPVOID)buffer); 1029 break; 1030 case 0x33: 1031 buffer = ReadModRM(HardCode, Mod, RM); 1032 printf("xor %s,dword ptr ""%s\n", ReadRegX32(Reg), buffer); 1033 free((LPVOID)buffer); 1034 break; 1035 } 1036 } 1037 void MeanCmp(const LPBYTE HardCode, DWORD Mod, DWORD RM, DWORD Reg) 1038 { 1039 LPCSTR buffer; 1040 switch (HardCode[Index]) 1041 { 1042 case 0x38: 1043 buffer = ReadModRM(HardCode, Mod, RM); 1044 printf("cmp byte ptr ""%s"",%s\n", buffer, ReadRegX8(Reg)); 1045 free((LPVOID)buffer); 1046 break; 1047 case 0x39: 1048 buffer = ReadModRM(HardCode, Mod, RM); 1049 printf("cmp dword ptr ""%s"",%s\n", buffer, ReadRegX32(Reg)); 1050 free((LPVOID)buffer); 1051 break; 1052 case 0x3A: 1053 buffer = ReadModRM(HardCode, Mod, RM); 1054 printf("cmp %s,byte ptr ""%s\n", ReadRegX8(Reg), buffer); 1055 free((LPVOID)buffer); 1056 break; 1057 case 0x3B: 1058 buffer = ReadModRM(HardCode, Mod, RM); 1059 printf("cmp %s,dword ptr ""%s\n", ReadRegX32(Reg), buffer); 1060 free((LPVOID)buffer); 1061 break; 1062 } 1063 } 1064 //解释Mov 1065 void MeanMov(const LPBYTE HardCode,DWORD Mod,DWORD RM,DWORD Reg) 1066 { 1067 LPCSTR buffer; 1068 switch (HardCode[Index]) 1069 { 1070 case 0x88: 1071 buffer = ReadModRM(HardCode, Mod, RM); 1072 printf("mov byte ptr ""%s"",%s\n", buffer, ReadRegX8(Reg)); 1073 free((LPVOID)buffer); 1074 break; 1075 case 0x89: 1076 buffer = ReadModRM(HardCode, Mod, RM); 1077 printf("mov dword ptr ""%s"",%s\n", buffer, ReadRegX32(Reg)); 1078 free((LPVOID)buffer); 1079 break; 1080 case 0x8A: 1081 buffer = ReadModRM(HardCode, Mod, RM); 1082 printf("mov %s,byte ptr ""%s\n", ReadRegX8(Reg), buffer); 1083 free((LPVOID)buffer); 1084 break; 1085 case 0x8B: 1086 buffer = ReadModRM(HardCode, Mod, RM); 1087 printf("mov %s,dword ptr ""%s\n", ReadRegX32(Reg), buffer); 1088 free((LPVOID)buffer); 1089 break; 1090 } 1091 } 1092 1093 }; 1094 class TestPrintIns 1095 { 1096 public: 1097 void TestIns() 1098 { 1099 PrintIns hcTest; 1100 LPBYTE BigBuffer = (LPBYTE)malloc(0x1000); 1101 memset(BigBuffer, 0, 0x1000); 1102 BYTE HardCode[] = { 0xB2,0x45,0x54 ,0xb8,0x56,0x12,0x45,0x36,0x90,0x96,0xb3,0x12 1103 ,0x0F,0x82,0x12,0x34,0x56,0x78,0xE0,0x50, 1104 0xC2,0x12,0xc3,0x23,0x23, 1105 0x88,0x01,0x89,0x03,0x8A,0x07,0x8B,0x26, 1106 0x8b,0x66,0x12 1107 ,0x89,0x2c,0x14,0x89,0xAC,0x15,0x12,0x34,0x56,0x78,0x89,0x2c,0x15, 1108 0x88,0x15,0x12,0x45,0x56,0x78, 1109 0x00,0x0F,0x00,0x3D,0x60,0x42,0x43,0x00, 1110 0x08,0xAC,0xD2,0x43,0x00,0x00,0x0F,0x11,0x2C,0x01,0x1B,0xAC,0x45,0x00,0x00,0x12,0x34, 1111 0x22,0x3c,0xd0,0x2B,0xAC,0x83,0x12,0x34,0x56,0x78,0x33,0xac,0x5e,0x12,0x34,0x56,0x78,0x3b,0x56,0x18}; 1112 memcpy(BigBuffer, HardCode, sizeof(HardCode)); 1113 hcTest.CallDisasmEngine(BigBuffer, sizeof(HardCode)); 1114 } 1115 1116 }; 1117 int main() 1118 { 1119 TestPrintIns Test; 1120 Test.TestIns(); 1121 1122 }
运行是这样
偏移和硬编码都没写,基本的反汇编翻译功能是有了。
