  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pop fs:[0] <br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .if ValidPE==TRUE <br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke ShowTheFunctions, 
  hDlg, edi <br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .else <br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke MessageBox,0, 
  addr NotValidPE, addr AppName, MB_OK+MB_ICONERROR<br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .endif <br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke UnmapViewOfFile, pMapping 
  <br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .else <br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke MessageBox, 0, addr 
  FileMappingError, addr AppName, MB_OK+MB_ICONERROR <br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .endif <br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke CloseHandle,hMapping <br>
  &nbsp;&nbsp;&nbsp;&nbsp; .else <br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; invoke MessageBox, 0, addr FileOpenMappingError, 
  addr AppName, MB_OK+MB_ICONERROR <br>
  &nbsp;&nbsp;&nbsp;&nbsp; .endif <br>
  &nbsp;&nbsp;&nbsp;&nbsp; invoke CloseHandle, hFile <br>
  &nbsp;&nbsp; .else <br>
  &nbsp;&nbsp;&nbsp;&nbsp; invoke MessageBox, 0, addr FileOpenError, addr AppName, 
  MB_OK+MB_ICONERROR <br>
  &nbsp;&nbsp; .endif <br>
  .endif <br>
  ret <br>
  ShowExportFunctions endp <br>
  <br>
  ; AppendText(hDlg, pText)<br>
  ; Append the NUL-terminated string at pText plus a CRLF to the IDC_EDIT control of hDlg,<br>
  ; then move the caret behind the inserted text so the next append goes to the end.<br>
  ; Same three edit-control messages as before; the control handle is fetched once with<br>
  ; GetDlgItem instead of being looked up by SendDlgItemMessage on every call.<br>
  ; pText is passed straight through to EM_REPLACESEL, so it must be NUL-terminated.<br>
  AppendText proc hDlg:DWORD,pText:DWORD <br>
  LOCAL hEdit:DWORD <br>
  invoke GetDlgItem,hDlg,IDC_EDIT <br>
  mov hEdit,eax <br>
  invoke SendMessage,hEdit,EM_REPLACESEL,0,pText ; insert the caller's text <br>
  invoke SendMessage,hEdit,EM_REPLACESEL,0,addr CRLF ; terminate the line <br>
  invoke SendMessage,hEdit,EM_SETSEL,-1,0 ; drop the selection, caret stays at the end <br>
  ret <br>
  AppendText endp <br>
  <br>
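  ; RVAToFileMap(pFileMap, RVA) -&gt; eax<br>
  ; Translate an RVA of the PE image whose raw file is mapped at pFileMap into a pointer into<br>
  ; that mapping: pFileMap + PointerToRawData + (RVA - VirtualAddress) of the owning section.<br>
  ; The section table is located as the PE format defines it (Signature + IMAGE_FILE_HEADER +<br>
  ; FileHeader.SizeOfOptionalHeader) instead of assuming sizeof IMAGE_NT_HEADERS; the two<br>
  ; agree for a standard PE32 optional header.<br>
  ; Returns 0 when no section contains the RVA. The original returned the RVA itself on a<br>
  ; miss and callers then dereferenced that value as a pointer. A section is matched on its<br>
  ; SizeOfRawData, so an RVA that only exists in virtual space (past the raw data) is also 0.<br>
  ; CAUTION: e_lfanew, NumberOfSections and every section field are read straight from the<br>
  ; untrusted file and are NOT bounded against the size of the mapping (unknown here); a<br>
  ; truncated or crafted file can still yield a pointer past the end of the view, and the<br>
  ; section-header walk itself can read past it. Callers must bound the result themselves.<br>
  ; Clobbers: eax, flags. edi/esi/edx/ecx are saved by the uses list.<br>
  RVAToFileMap PROC uses edi esi edx ecx pFileMap:DWORD,RVA:DWORD <br>
  mov esi,pFileMap <br>
  assume esi:ptr IMAGE_DOS_HEADER <br>
  add esi,[esi].e_lfanew ; esi = IMAGE_NT_HEADERS (e_lfanew is unchecked) <br>
  assume esi:ptr IMAGE_NT_HEADERS <br>
  mov edi,RVA ; edi = RVA being translated <br>
  ; edx = first IMAGE_SECTION_HEADER, which follows the optional header <br>
  mov edx,esi <br>
  add edx,4 + sizeof IMAGE_FILE_HEADER ; skip Signature and FileHeader <br>
  movzx eax,word ptr [esi].FileHeader.SizeOfOptionalHeader <br>
  add edx,eax <br>
  movzx ecx,word ptr [esi].FileHeader.NumberOfSections ; sections left to test (from the file) <br>
  assume edx:ptr IMAGE_SECTION_HEADER <br>
  .while ecx&gt;0 <br>
  &nbsp;&nbsp; .if edi&gt;=[edx].VirtualAddress <br>
  &nbsp;&nbsp;&nbsp;&nbsp; mov eax,[edx].VirtualAddress <br>
  &nbsp;&nbsp;&nbsp;&nbsp; add eax,[edx].SizeOfRawData ; eax = end of this section's raw data (32-bit wrap is not detected) <br>
  &nbsp;&nbsp;&nbsp;&nbsp; .if edi&lt;eax ; the RVA lies in this section <br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov eax,[edx].VirtualAddress <br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sub edi,eax ; edi = offset of the RVA inside the section <br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov eax,[edx].PointerToRawData <br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add eax,edi ; eax = file offset <br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add eax,pFileMap ; eax = pointer into the mapping <br>
  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ret <br>
  &nbsp;&nbsp;&nbsp;&nbsp; .endif <br>
  &nbsp;&nbsp; .endif <br>
  &nbsp;&nbsp; add edx,sizeof IMAGE_SECTION_HEADER <br>
  &nbsp;&nbsp; dec ecx <br>
  .endw <br>
  assume edx:nothing <br>
  assume esi:nothing <br>
  xor eax,eax ; no section owns the RVA: return NULL, never the raw RVA <br>
  ret <br>
  RVAToFileMap endp <br>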
  <br>
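  ; ShowTheFunctions(hDlg, pNTHdr)<br>
  ; Dump the export directory of the PE mapped at pMapping (file-level global) into IDC_EDIT:<br>
  ; one summary line for the IMAGE_EXPORT_DIRECTORY, the column header, then one line per<br>
  ; exported name (function RVA, ordinal, name).<br>
  ; pNTHdr = pointer to the IMAGE_NT_HEADERS inside the mapping (caller already validated the PE).<br>
  ; Changes from the original: edi is now in the uses list (it was overwritten without being<br>
  ; saved, although it is callee-saved under Win32 stdcall); a NULL result from RVAToFileMap is<br>
  ; treated as a malformed file and reported; every name ordinal is range-checked against<br>
  ; NumberOfFunctions before it indexes AddressOfFunctions; and temp is 1024 bytes, the documented<br>
  ; ceiling of what wsprintf writes, so an over-long export name taken from the file can no<br>
  ; longer overrun the 512-byte stack buffer the original used.<br>
  ; Still unchecked: NumberOfNames, the three array pointers and every name string come from<br>
  ; the file and are not bounded against the mapping size (not known here); an unterminated<br>
  ; name or a truncated file can still fault on read.<br>
  ShowTheFunctions proc uses esi edi ecx ebx hDlg:DWORD, pNTHdr:DWORD <br>
  LOCAL temp[1024]:BYTE ; wsprintf emits at most 1024 bytes <br>
  LOCAL NumberOfNames:DWORD <br>
  LOCAL NumberOfFunctions:DWORD ; size of AddressOfFunctions, bound for each ordinal index <br>
  LOCAL Base:DWORD <br>
  LOCAL pName:DWORD <br>
  <br>
  mov edi,pNTHdr <br>
  assume edi:ptr IMAGE_NT_HEADERS <br>
  ; DataDirectory entry 0 is the export table; an RVA of 0 means nothing is exported <br>
  mov edi, [edi].OptionalHeader.DataDirectory.VirtualAddress <br>
  .if edi==0 <br>
  &nbsp; invoke MessageBox,0, addr NoExportTable,addr AppName,MB_OK+MB_ICONERROR <br>
  &nbsp; ret <br>
  .endif <br>
  invoke SetDlgItemText,hDlg,IDC_EDIT,0 <br>
  invoke AppendText,hDlg,addr buffer <br>
  invoke RVAToFileMap,pMapping,edi <br>
  .if eax==0 ; export directory RVA outside every section <br>
  &nbsp; invoke MessageBox,0, addr NotValidPE,addr AppName,MB_OK+MB_ICONERROR <br>
  &nbsp; ret <br>
  .endif <br>
  mov edi,eax <br>
  assume edi:ptr IMAGE_EXPORT_DIRECTORY <br>
  ; module name: a %s argument, so it must map to a NUL-terminated string inside the view <br>
  invoke RVAToFileMap, pMapping,[edi].nName <br>
  .if eax==0 <br>
  &nbsp; invoke MessageBox,0, addr NotValidPE,addr AppName,MB_OK+MB_ICONERROR <br>
  &nbsp; ret <br>
  .endif <br>
  mov pName,eax <br>
  invoke wsprintf, addr temp,addr ExportTable, pName, [edi].nBase, [edi].NumberOfFunctions, 
  [edi].NumberOfNames, [edi].AddressOfFunctions, [edi].AddressOfNames, [edi].AddressOfNameOrdinals 
  <br>
  invoke AppendText,hDlg,addr temp<br>
  invoke AppendText,hDlg,addr Header <br>
  ; keep the counts before edi is reused for the function array <br>
  mov eax,[edi].NumberOfNames <br>
  mov NumberOfNames,eax <br>
  mov eax,[edi].NumberOfFunctions <br>
  mov NumberOfFunctions,eax <br>
  mov eax,[edi].nBase <br>
  mov Base,eax <br>
  ; esi = name RVA array, ebx = ordinal (WORD) array, edi = function RVA array <br>
  invoke RVAToFileMap,pMapping,[edi].AddressOfNames <br>
  mov esi,eax <br>
  invoke RVAToFileMap,pMapping,[edi].AddressOfNameOrdinals <br>
  mov ebx,eax <br>
  invoke RVAToFileMap,pMapping,[edi].AddressOfFunctions <br>
  assume edi:nothing <br>
  mov edi,eax <br>
  .if esi==0 || ebx==0 || edi==0 ; one of the three arrays is outside every section <br>
  &nbsp; invoke MessageBox,0, addr NotValidPE,addr AppName,MB_OK+MB_ICONERROR <br>
  &nbsp; ret <br>
  .endif <br>
  .while NumberOfNames&gt;0 <br>
  &nbsp;&nbsp; invoke RVAToFileMap,pMapping,dword ptr [esi] ; eax = this name's string (NULL if unmapped) <br>
  &nbsp;&nbsp; movzx edx,word ptr [ebx] ; edx = index into AddressOfFunctions, taken from the file <br>
  &nbsp;&nbsp; .if eax!=0 &amp;&amp; edx&lt;NumberOfFunctions ; skip entries a crafted file points outside the array <br>
  &nbsp;&nbsp;&nbsp;&nbsp; mov ecx,edx <br>
  &nbsp;&nbsp;&nbsp;&nbsp; add ecx,Base ; ecx = exported ordinal <br>
  &nbsp;&nbsp;&nbsp;&nbsp; shl edx,2 ; 4 bytes per function RVA <br>
  &nbsp;&nbsp;&nbsp;&nbsp; add edx,edi ; edx = address of the function's RVA <br>
  &nbsp;&nbsp;&nbsp;&nbsp; invoke wsprintf, addr temp,addr template,dword ptr [edx],ecx,eax <br>
  &nbsp;&nbsp;&nbsp;&nbsp; invoke AppendText,hDlg,addr temp <br>
  &nbsp;&nbsp; .endif <br>
  &nbsp;&nbsp; dec NumberOfNames <br>
  &nbsp;&nbsp; add esi,4 <br>
  &nbsp;&nbsp; add ebx,2 <br>
  .endw <br>
  ret <br>
  ShowTheFunctions endp <br>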
  end start </font></p>
<h3><font color="#000000">分析<font face="Arial, Helvetica, sans-serif">:</font></font></h3>
<p><font face="Fixedsys" color="#000000">mov edi,pNTHdr <br>
  assume edi:ptr IMAGE_NT_HEADERS <br>
  mov edi, [edi].OptionalHeader.DataDirectory.VirtualAddress <br>
  .if edi==0 <br>
  &nbsp; invoke MessageBox,0, addr NoExportTable,addr AppName,MB_OK+MB_ICONERROR 
  <br>
  &nbsp; ret <br>
  .endif </font></p>
<p><font face="MS Sans Serif" size="2" color="#000000">程序检验PE有效性后,定位到数据目录的第0项(引出表项),取得引出表的RVA(相对虚拟地址,不是进程中的绝对地址)。若该RVA为0,则文件不含引出符号。</font></p>
<p><font face="Fixedsys" color="#000000">mov eax,[edi].NumberOfFunctions <br>
  invoke RVAToFileMap, pMapping,[edi].nName <br>
  invoke wsprintf, addr temp,addr ExportTable, eax, [edi].nBase, [edi].NumberOfFunctions, 
  [edi].NumberOfNames, [edi].AddressOfFunctions, [edi].AddressOfNames, [edi].AddressOfNameOrdinals 
  <br>
  invoke AppendText,hDlg,addr temp </font></p>
<p><font face="MS Sans Serif" size="2" color="#000000">在编辑控件中显示<b>IMAGE_EXPORT_DIRECTORY</b> 
  结构的一些重要信息。</font></p>
<p><font face="Fixedsys" color="#000000">push [edi].NumberOfNames <br>
  pop NumberOfNames <br>
  push [edi].nBase <br>
  pop Base </font></p>
<p><font face="MS Sans Serif" size="2" color="#000000">由于我们要枚举所有函数名,就要知道引出表里的名字数目。<b>nBase</b> 
  在将<b>AddressOfFunctions</b> 数组索引转换成序数时派上用场。</font></p>
<p><font face="Fixedsys" color="#000000">invoke RVAToFileMap,pMapping,[edi].AddressOfNames 
  <br>
  mov esi,eax <br>
  invoke RVAToFileMap,pMapping,[edi].AddressOfNameOrdinals <br>
  mov ebx,eax <br>
  invoke RVAToFileMap,pMapping,[edi].AddressOfFunctions <br>
  mov edi,eax</font></p>
<p><font face="MS Sans Serif" size="2" color="#000000">将三个数组经RVAToFileMap换算后的地址分别存放到esi、ebx、edi中,准备开始访问。</font></p>
<p><font face="Fixedsys" color="#000000">.while NumberOfNames&gt;0 </font></p>
<p><font face="MS Sans Serif" size="2" color="#000000">直到所有名字都被处理完毕。注意 NumberOfNames 直接取自被分析的文件,并未与映射大小核对;精心构造的文件可以让 esi、ebx 越过映射末尾,导致读取异常。</font></p>
<p><font face="Fixedsys" color="#000000">&nbsp;&nbsp; invoke RVAToFileMap,pMapping,dword 
  ptr [esi] </font></p>
<p><font face="MS Sans Serif" size="2" color="#000000">由于esi指向存放名字字符串RVA的数组,所以[esi]就是当前名字的RVA。RVA不能直接当作指针使用,需要先经 RVAToFileMap 换算成指向文件映射内部的指针(pMapping 加上文件偏移),后面 wsprintf 才能按字符串读取它。</font></p>
<p><font face="Fixedsys" color="#000000">&nbsp;&nbsp; mov dx,[ebx] <br>
  &nbsp;&nbsp; movzx edx,dx <br>
  &nbsp;&nbsp; mov ecx,edx<br>
  &nbsp;&nbsp; add ecx,Base <br>
  </font></p>
<p><font face="MS Sans Serif" size="2" color="#000000">ebx指向序数数组,值是字类型的。因此我们先要将其转换成双字,此时edx和ecx含有指向<b>AddressOfFunctions</b> 
  数组的索引。我们用edx作为索引值,而将ecx加上nBase得到函数的序数值。</font></p>
<p><font face="Fixedsys" color="#000000">&nbsp;&nbsp; shl edx,2 <br>
  &nbsp;&nbsp; add edx,edi </font></p>
<p><font face="MS Sans Serif" size="2" color="#000000">索引乘以4 (<b>AddressOfFunctions</b> 
  数组中每个元素都是4字节大小) 然后加上数组首地址,这样edx指向的就是所要函数的RVA了。</font></p>
<p><font face="Fixedsys" color="#000000">&nbsp;&nbsp; invoke wsprintf, addr temp,addr 
  template,dword ptr [edx],ecx,eax <br>
  &nbsp;&nbsp; invoke AppendText,hDlg,addr temp </font></p>
<p><font face="MS Sans Serif" size="2" color="#000000">在编辑控件中显示函数的RVA、序数和名字。注意 temp 只有512字节(见 LOCAL temp[512]:BYTE),而 wsprintf 最多可写入1024字节,名字字符串又直接取自被分析的文件:过长的引出名会溢出这个栈上缓冲区。应把 temp 扩大到1024字节,或改用带长度限制的格式化函数。</font></p>
<p><font face="Fixedsys" color="#000000">&nbsp;&nbsp; dec NumberOfNames <br>
  &nbsp;&nbsp; add esi,4 <br>
  &nbsp;&nbsp; add ebx,2 <br>
  .endw </font></p>
<p><font face="MS Sans Serif" size="2" color="#000000">修正计数器,<b>AddressOfNames</b> 
  和 <b>AddressOfNameOrdinals</b> 两数组的当前指针,继续遍历直到所有名字全都处理完毕。</font></p>
<p align=center><font size="2" color="#000000"><b>翻译:</b></font><font face="MS Sans Serif" size="2" color="#000000"><b>iamgufeng 
  [</b></font><font color="#000000"><a href="http://win32asm.cjb.net/" target="_blank"><font 
face="MS Sans Serif" size=2><b>Iczelion's Win32 Assembly Homepage</b></font></a><font face="MS Sans Serif" 
size=2><b>]</b><strong>[</strong></font><a href="http://asm.yeah.net/" target="_blank"><font 
face="MS Sans Serif" size=2><strong>LuoYunBin's Win32 ASM Page</strong></font></a><font face="MS Sans Serif" 
size=2><strong>]</strong></font></font></p>
<hr width=735>
<div align="center"><span class="p9"><font size="2"><span class="p9"><font size="2"><span class="p9">Copyright 
  &copy; 2000-2001 <a href="http://www.pediy.com/">KanXue Studio</a> All Rights 
  Reserved.</span></font></span></font></span></div>
</body>
</html>
