📄 stub.cod
; 86 : FinaliseTlsStuff();
00467 e8 00 00 00 00 call ?FinaliseTlsStuff@@YAXXZ ; FinaliseTlsStuff
; 87 : Jump();
0046c 8b 0d 00 00 00
00 mov ecx, DWORD PTR ?dwLoadAddress@@3KA ; dwLoadAddress
00472 a1 00 00 00 00 mov eax, DWORD PTR ?gev@@3UGlobalExternalVars@@A
00477 03 c1 add eax, ecx
00479 a3 00 00 00 00 mov DWORD PTR ?gev@@3UGlobalExternalVars@@A, eax
; 83 : GetLoadAddress();
0047e ff 35 00 00 00
00 push DWORD PTR ?gev@@3UGlobalExternalVars@@A
; 87 : Jump();
00484 b9 0d 00 00 00 mov ecx, 13 ; 0000000dH
00489 33 c0 xor eax, eax
0048b bf 00 00 00 00 mov edi, OFFSET FLAT:?gev@@3UGlobalExternalVars@@A ; gev
00490 f3 ab rep stosd
; 85 : ResolveImports();
00492 c3 ret 0
; 88 : }
00493 5f pop edi
00494 5e pop esi
00495 5b pop ebx
00496 8b e5 mov esp, ebp
00498 5d pop ebp
00499 c3 ret 0
_main ENDP
_TEXT ENDS
; COMDAT ?ResolveImports@@YAXXZ
_TEXT SEGMENT
; EBP-relative offsets of ResolveImports' locals; each is referenced in the
; listing as NAME[ebp]. The prologue reserves 24 bytes (sub esp, 24), so the
; offsets span -4 .. -24.
_pIID$ = -8 ; current IMAGE_IMPORT_DESCRIPTOR pointer; same slot as _i$
_pImport$ = -4 ; IMAGE_IMPORT_BY_NAME pointer for the thunk being resolved
_dwResult$ = -20 ; value returned by GetProcAddress, later stored through pAddress
_hMod$ = -16 ; handle returned by LoadLibraryA; compared against -1, not NULL
_dwOldProtect$ = -12 ; out-parameter whose address is pushed for pfnVirtualProtect
_pSecHdr$ = -24 ; section header under test in the section-scan loop
_i$ = -8 ; section-scan loop counter; shares offset -8 with _pIID$, which is written only after that loop has finished
?ResolveImports@@YAXXZ PROC NEAR ; ResolveImports, COMDAT
; 91 : {
00000 55 push ebp
00001 8b ec mov ebp, esp
00003 83 ec 18 sub esp, 24 ; 00000018H
; 92 : IMAGE_IMPORT_DESCRIPTOR* pIID;
; 93 : IMAGE_THUNK_DATA* pThunk;
; 94 : IMAGE_IMPORT_BY_NAME* pImport;
; 95 :
; 96 : DWORD dwTemp;
; 97 : DWORD dwResult;
; 98 : DWORD* pAddress;
; 99 : HMODULE hMod;
; 100 : BOOL bDestroyName;
; 101 : DWORD dwOldProtect;
; 102 :
; 103 : PIMAGE_DOS_HEADER pDosHdr;
; 104 : PIMAGE_NT_HEADERS pNtHdr;
; 105 : PIMAGE_SECTION_HEADER pSecHdr;
; 106 : DWORD dwSecStart;
; 107 : DWORD dwKatSup;
; 108 : LONG lJmp;
; 109 : WORD wNumSections;
; 110 : WORD wSizeO;
; 111 : int i;
; 112 :
; 113 : pDosHdr = (PIMAGE_DOS_HEADER)dwLoadAddress;
00006 a1 00 00 00 00 mov eax, DWORD PTR ?dwLoadAddress@@3KA ; dwLoadAddress
0000b 53 push ebx
0000c 56 push esi
; 114 : lJmp = pDosHdr->e_lfanew;
; 115 : dwKatSup = (DWORD)pDosHdr;
; 116 : dwKatSup += lJmp;
; 117 :
; 118 : pNtHdr = (PIMAGE_NT_HEADERS)dwKatSup;
; 119 :
; 120 : wNumSections = pNtHdr->FileHeader.NumberOfSections;
; 121 : wSizeO = pNtHdr->FileHeader.SizeOfOptionalHeader;
; 122 :
; 123 : dwSecStart = (DWORD)pNtHdr;
; 124 : dwSecStart += 24;
; 125 : dwSecStart += wSizeO;
0000d 33 f6 xor esi, esi
0000f 8b 48 3c mov ecx, DWORD PTR [eax+60]
00012 57 push edi
00013 03 c8 add ecx, eax
; 126 :
; 127 : dwTemp = gev.dwIATAddress + dwLoadAddress;
; 128 :
; 129 : for(i = 0; i < wNumSections-1; i++)
00015 c7 45 f8 00 00
00 00 mov DWORD PTR _i$[ebp], 0
0001c 66 8b 51 06 mov dx, WORD PTR [ecx+6]
00020 66 8b 71 14 mov si, WORD PTR [ecx+20]
00024 81 e2 ff ff 00
00 and edx, 65535 ; 0000ffffH
0002a 8d 4c 0e 18 lea ecx, DWORD PTR [esi+ecx+24]
0002e 8b 35 04 00 00
00 mov esi, DWORD PTR ?gev@@3UGlobalExternalVars@@A+4
00034 8d 7a ff lea edi, DWORD PTR [edx-1]
00037 03 f0 add esi, eax
00039 85 ff test edi, edi
0003b 7e 43 jle SHORT $L16772
$L16770:
; 130 : {
; 131 : pSecHdr = (PIMAGE_SECTION_HEADER)dwSecStart;
; 132 :
; 133 : if((dwTemp >= (pSecHdr->VirtualAddress + dwLoadAddress)) && (dwTemp < ((pSecHdr->VirtualAddress + dwLoadAddress) + pSecHdr->Misc.VirtualSize)))
0003d 8b 51 0c mov edx, DWORD PTR [ecx+12]
00040 89 4d e8 mov DWORD PTR _pSecHdr$[ebp], ecx
00043 8d 1c 02 lea ebx, DWORD PTR [edx+eax]
00046 3b f3 cmp esi, ebx
00048 72 0b jb SHORT $L16774
0004a 8b 59 08 mov ebx, DWORD PTR [ecx+8]
0004d 03 da add ebx, edx
0004f 03 d8 add ebx, eax
00051 3b f3 cmp esi, ebx
00053 72 10 jb SHORT $L17311
$L16774:
; 126 :
; 127 : dwTemp = gev.dwIATAddress + dwLoadAddress;
; 128 :
; 129 : for(i = 0; i < wNumSections-1; i++)
00055 8b 55 f8 mov edx, DWORD PTR _i$[ebp]
; 136 : break;
; 137 : }
; 138 :
; 139 : dwSecStart += sizeof(IMAGE_SECTION_HEADER);
00058 83 c1 28 add ecx, 40 ; 00000028H
0005b 42 inc edx
0005c 3b d7 cmp edx, edi
0005e 89 55 f8 mov DWORD PTR _i$[ebp], edx
00061 7c da jl SHORT $L16770
; 130 : {
; 131 : pSecHdr = (PIMAGE_SECTION_HEADER)dwSecStart;
; 132 :
; 133 : if((dwTemp >= (pSecHdr->VirtualAddress + dwLoadAddress)) && (dwTemp < ((pSecHdr->VirtualAddress + dwLoadAddress) + pSecHdr->Misc.VirtualSize)))
00063 eb 1b jmp SHORT $L16772
$L17311:
; 134 : {
; 135 : pfnVirtualProtect((void*)(pSecHdr->VirtualAddress + dwLoadAddress), pSecHdr->Misc.VirtualSize, PAGE_READWRITE, &dwOldProtect);
00065 8d 55 f4 lea edx, DWORD PTR _dwOldProtect$[ebp]
00068 52 push edx
00069 8b 51 08 mov edx, DWORD PTR [ecx+8]
0006c 8b 49 0c mov ecx, DWORD PTR [ecx+12]
0006f 6a 04 push 4
00071 03 c8 add ecx, eax
00073 52 push edx
00074 51 push ecx
00075 ff 15 00 00 00
00 call DWORD PTR ?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA ; pfnVirtualProtect
0007b a1 00 00 00 00 mov eax, DWORD PTR ?dwLoadAddress@@3KA ; dwLoadAddress
$L16772:
; 140 : }
; 141 :
; 142 : pIID = (IMAGE_IMPORT_DESCRIPTOR*)dwTemp;
00080 8b fe mov edi, esi
; 143 :
; 144 : while(pIID)
00082 85 f6 test esi, esi
00084 89 7d f8 mov DWORD PTR _pIID$[ebp], edi
00087 0f 84 ff 00 00
00 je $L16784
$L16779:
; 145 : {
; 146 : if(pIID->OriginalFirstThunk)
0008d 8b 37 mov esi, DWORD PTR [edi]
0008f 85 f6 test esi, esi
; 147 : {
; 148 : dwTemp = pIID->OriginalFirstThunk + dwLoadAddress;
; 149 : pThunk = (IMAGE_THUNK_DATA*)dwTemp;
; 150 : }
; 151 : else if(pIID->FirstThunk)
00091 75 0b jne SHORT $L17319
00093 8b 77 10 mov esi, DWORD PTR [edi+16]
00096 85 f6 test esi, esi
00098 0f 84 ee 00 00
00 je $L16784
$L17319:
; 152 : {
; 153 : dwTemp = pIID->FirstThunk + dwLoadAddress;
; 154 : pThunk = (IMAGE_THUNK_DATA*)dwTemp;
; 155 : }
; 156 : else
; 157 : {
; 158 : break;
; 159 : }
; 160 :
; 161 : dwTemp = (DWORD)pThunk->u1.Function + dwLoadAddress;
; 162 : pImport = (IMAGE_IMPORT_BY_NAME*)dwTemp;
; 163 :
; 164 : dwTemp = (DWORD)pIID->Name + dwLoadAddress;
0009e 8b 5f 0c mov ebx, DWORD PTR [edi+12]
000a1 8b 0c 06 mov ecx, DWORD PTR [esi+eax]
000a4 03 f0 add esi, eax
000a6 03 d8 add ebx, eax
000a8 03 c8 add ecx, eax
; 165 : hMod = LoadLibrary((LPCSTR)dwTemp);
000aa 53 push ebx
000ab 89 4d fc mov DWORD PTR _pImport$[ebp], ecx
000ae ff 15 00 00 00
00 call DWORD PTR __imp__LoadLibraryA@4
000b4 8b d0 mov edx, eax
; 166 :
; 167 : if(hMod != INVALID_HANDLE_VALUE)
000b6 83 fa ff cmp edx, -1
000b9 89 55 f0 mov DWORD PTR _hMod$[ebp], edx
000bc 0f 84 a7 00 00
00 je $L16799
; 168 : {
; 169 : FillMemory((void*)dwTemp, strlen((LPCSTR)dwTemp), 0);
000c2 8b fb mov edi, ebx
000c4 83 c9 ff or ecx, -1
000c7 33 c0 xor eax, eax
000c9 f2 ae repne scasb
000cb f7 d1 not ecx
000cd 49 dec ecx
000ce 8b fb mov edi, ebx
000d0 8b d9 mov ebx, ecx
000d2 c1 e9 02 shr ecx, 2
000d5 f3 ab rep stosd
000d7 8b cb mov ecx, ebx
000d9 83 e1 03 and ecx, 3
000dc f3 aa rep stosb
; 170 : //memset((void*)dwTemp, 0, strlen((LPCSTR)dwTemp));
; 171 :
; 172 : dwTemp = (DWORD)pIID->FirstThunk + dwLoadAddress;
000de 8b 45 f8 mov eax, DWORD PTR _pIID$[ebp]
000e1 8b 1d 00 00 00
00 mov ebx, DWORD PTR ?dwLoadAddress@@3KA ; dwLoadAddress
000e7 8b 78 10 mov edi, DWORD PTR [eax+16]
; 173 : pAddress = (DWORD*)dwTemp;
; 174 :
; 175 : while(pThunk->u1.Function)
000ea 8b 06 mov eax, DWORD PTR [esi]
000ec 03 df add ebx, edi
000ee 85 c0 test eax, eax
000f0 74 74 je SHORT $L17318
000f2 eb 03 jmp SHORT $L16798
$L17317:
000f4 8b 55 f0 mov edx, DWORD PTR _hMod$[ebp]
$L16798:
; 176 : {
; 177 : dwTemp = (DWORD)pThunk->u1.Function;
; 178 :
; 179 : if(dwTemp & IMAGE_ORDINAL_FLAG32)
000f7 a9 00 00 00 80 test eax, -2147483648 ; 80000000H
000fc 74 09 je SHORT $L16801
; 180 : {
; 181 : dwTemp = (DWORD)pThunk->u1.Function & 0x0000ffff;
000fe 25 ff ff 00 00 and eax, 65535 ; 0000ffffH
; 182 : bDestroyName = FALSE;
00103 33 ff xor edi, edi
; 183 : }
; 184 : else
00105 eb 0b jmp SHORT $L16803
$L16801:
; 185 : {
; 186 : dwTemp = (DWORD)pImport->Name;
00107 8b 4d fc mov ecx, DWORD PTR _pImport$[ebp]
; 187 : bDestroyName = TRUE;
0010a bf 01 00 00 00 mov edi, 1
0010f 8d 41 02 lea eax, DWORD PTR [ecx+2]
$L16803:
; 188 : }
; 189 :
; 190 : dwResult = (DWORD)GetProcAddress(hMod, (LPCSTR)dwTemp);
00112 50 push eax
00113 52 push edx
00114 ff 15 00 00 00
00 call DWORD PTR __imp__GetProcAddress@8
; 191 :
; 192 : if(bDestroyName)
0011a 85 ff test edi, edi
0011c 89 45 ec mov DWORD PTR _dwResult$[ebp], eax
0011f 74 28 je SHORT $L16807
; 193 : {
; 194 : FillMemory((void*)pImport->Name, strlen((LPCSTR)pImport->Name), 0);
00121 8b 55 fc mov edx, DWORD PTR _pImport$[ebp]
00124 83 c9 ff or ecx, -1
00127 83 c2 02 add edx, 2
0012a 33 c0 xor eax, eax
0012c 8b fa mov edi, edx
0012e f2 ae repne scasb
00130 f7 d1 not ecx
00132 49 dec ecx
00133 8b fa mov edi, edx
00135 8b d1 mov edx, ecx
00137 c1 e9 02 shr ecx, 2
0013a f3 ab rep stosd
0013c 8b ca mov ecx, edx
0013e 83 e1 03 and ecx, 3
00141 f3 aa rep stosb
; 195 : //memset((void*)pImport->Name, 0, strlen((LPCSTR)pImport->Name));
; 196 :
; 197 : FillMemory((void*)pThunk, sizeof(IMAGE_THUNK_DATA), 0);
00143 c7 06 00 00 00
00 mov DWORD PTR [esi], 0
$L16807:
; 198 : //memset((void*)pThunk, 0, sizeof(IMAGE_THUNK_DATA));
; 199 : }
; 200 :
; 201 : *pAddress = dwResult;
00149 8b 45 ec mov eax, DWORD PTR _dwResult$[ebp]
; 202 : pAddress++;
; 203 : pThunk++;
0014c 83 c6 04 add esi, 4
0014f 89 03 mov DWORD PTR [ebx], eax
; 204 :
; 205 : dwTemp = (DWORD)pThunk->u1.Function + dwLoadAddress;