Title: ParaBytes
ReverseMe #4 - my modification; the related attachment can be downloaded from iPB (4k characters)
From: DiKeN
Time: 2002-8-14 10:35:04
Details:
ReverseMe #4 - Where did my button go? :)
Add a new section, modify the ReverseMe, and add my code.
=================================================================
1. You need to add a button,
make it with the same font,
Caption: Random
=================================================================
Download: ParaBytes ReverseMe #4
Requirements:
1. Add a button,
with the caption Random and the same font as the Exit button
2. Give the button a function: when it is clicked, show a random number with a MessageBox
=================================================================
Procedure:
=================================================================
= =
= 1. Analyze the program's overall flow =
= =
=================================================================
0040119A /. 55 PUSH EBP
0040119B |. 8BEC MOV EBP,ESP
0040119D |. 81C4 E4FEFFF>ADD ESP,-11C
004011A3 |. 817D 0C 1101>CMP [ARG.2],111
004011AA |. 75 19 JNZ SHORT ReMe4.004011C5=======>is it a WM_COMMAND (111h) message?
004011AC |. 817D 10 697A>CMP [ARG.3],7A69
004011B3 |. 0F85 E000000>JNZ ReMe4.00401299=============>is it the Exit button (control ID 7A69)?
004011B9 |. 6A 00 PUSH 0 ; /ExitCode = 0
004011BB |. E8 62010000 CALL <JMP.&USER32.PostQuitMessage> ; \PostQuitMessage
004011C0 |. E9 D4000000 JMP ReMe4.00401299=============>go to DefWindowProcA
004011C5 |> 837D 0C 01 CMP [ARG.2],1
004011C9 |. 75 79 JNZ SHORT ReMe4.00401244=======>window initialization? Message 1 is WM_CREATE, so this is the WM_CREATE handler
004011CB |. 6A 00 PUSH 0 ; /lParam = NULL
004011CD |. FF35 6030400>PUSH [DWORD DS:403060] ; |hInst = NULL
004011D3 |. 68 697A0000 PUSH 7A69 ; |hMenu = 00007A69
004011D8 |. FF75 08 PUSH [ARG.1] ; |hParent
004011DB |. 6A 14 PUSH 14 ; |Height = 14 (20.)
004011DD |. 6A 50 PUSH 50 ; |Width = 50 (80.)
004011DF |. 6A 64 PUSH 64 ; |Y = 64 (100.)
004011E1 |. 6A 64 PUSH 64 ; |X = 64 (100.)
004011E3 |. 68 00000050 PUSH 50000000 ; |style = WS_CHILD|WS_VISIBLE
004011E8 |. 68 3C304000 PUSH ReMe4.0040303C ; |WindowName = "Exit"
004011ED |. 68 35304000 PUSH ReMe4.00403035 ; |Class = "BUTTON"
004011F2 |. 68 00000200 PUSH 20000 ; |Extstyle = WS_EX_STATICEDGE
004011F7 |. E8 F6000000 CALL <JMP.&USER32.CreateWindowExA> ; \CreateWindowExA
OK, this is where the button is created and its font set......
Open the file in LordPE and look at the section table: the raw (physical) size of the code section is too small to hold this much code, so add a new section and put the code there.
=================================================================
= =
= 2. Add a section with LordPE. You should know how to do this, so I won't say more. =
= =
=================================================================
=================================================================
= =
= 3. Add a button =
= with the caption Random and the same font as the Exit button =
= =
=================================================================
First, change the control flow:
004011AC |. 817D 10 697A0000 CMP [ARG.3],7A69
004011B3 |. 0F85 17000000 JNZ ReverseM.004011D0
004011B9 |. 6A 00 PUSH 0 ; /ExitCode = 0
004011BB |. E8 62010000 CALL <JMP.&USER32.PostQuitMessage> ; \PostQuitMessage
004011C0 |. E9 D4000000 JMP ReverseM.00401299
004011C5 |> 837D 0C 01 CMP [ARG.2],1
004011C9 |. 75 79 JNZ SHORT ReverseM.00401244
004011CB |.-E9 30400000 JMP ReverseM.00405200====>WM_CREATE
004011D0 \>-E9 FB400000 JMP ReverseM.004052D0====>Random.Click
With these changes in place, a button can be added. Note that the JNZ at 004011B3 now sends every WM_COMMAND whose wParam is not 7A69 to Random.Click, and the new code never compares against the Random button's own ID (7A00); that is only safe because this window has no other controls. The two 5-byte JMPs at 004011CB and 004011D0 overwrite the start of the original CreateWindowExA argument pushes, which is why that code has to be copied into the new section.
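The displacements in the patched jumps above (E9 30400000, E9 FB400000, and 0F85 17000000) have to be worked out by hand when patching in a hex editor, and a wrong displacement silently lands the jump somewhere else. The following C helper is an added example, not part of the original post or of the ReverseMe: it computes and encodes rel8/rel32 displacements the way the x86 does (relative to the end of the branch instruction) and reproduces the bytes shown in the listing. The addresses are the ones from the listing; the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* x86 relative branches are measured from the END of the branch instruction,
 * so the displacement depends on the instruction length: 5 bytes for E8/E9
 * rel32, 6 bytes for 0F 8x rel32, 2 bytes for EB/7x rel8. */
uint32_t rel32_disp(uint32_t src, uint32_t insn_len, uint32_t dst)
{
    return dst - (src + insn_len);        /* wraps around for backward jumps */
}

/* Inverse operation, for reading a displacement out of a listing. */
uint32_t rel_target(uint32_t src, uint32_t insn_len, uint32_t disp)
{
    return src + insn_len + disp;
}

/* Signed rel8 displacement for a 2-byte short jump at src. */
int32_t rel8_disp(uint32_t src, uint32_t dst)
{
    return (int32_t)(dst - (src + 2));
}

/* Encode JMP rel32 (kind 0xE9), CALL rel32 (0xE8) or JNZ rel32 (0x85, emitted
 * as 0F 85) at src, targeting dst. Returns the instruction length. */
int encode_rel32(uint8_t kind, uint32_t src, uint32_t dst, uint8_t out[6])
{
    int len = (kind == 0x85) ? 6 : 5;
    uint32_t disp = rel32_disp(src, (uint32_t)len, dst);
    int i = 0;
    if (len == 6)
        out[i++] = 0x0F;
    out[i++] = kind;
    out[i++] = (uint8_t)disp;             /* little-endian rel32 */
    out[i++] = (uint8_t)(disp >> 8);
    out[i++] = (uint8_t)(disp >> 16);
    out[i++] = (uint8_t)(disp >> 24);
    return len;
}

/* Short form (EB rel8 / 75 rel8). Returns 0 when dst is out of rel8 range. */
int encode_rel8(uint8_t kind, uint32_t src, uint32_t dst, uint8_t out[2])
{
    int32_t disp = rel8_disp(src, dst);
    if (disp < -128 || disp > 127)
        return 0;
    out[0] = kind;
    out[1] = (uint8_t)disp;
    return 2;
}

int main(void)
{
    /* The branches patched in the listing above: opcode, source, target. */
    struct { uint8_t kind; uint32_t src, dst; } patches[] = {
        { 0x85, 0x004011B3u, 0x004011D0u },   /* JNZ  -> Random.Click stub */
        { 0xE9, 0x004011CBu, 0x00405200u },   /* JMP  -> relocated WM_CREATE code */
        { 0xE9, 0x004011D0u, 0x004052D0u },   /* JMP  -> Random.Click */
        { 0xE9, 0x004052C2u, 0x00401299u },   /* JMP  back to the DefWindowProc path */
    };
    uint8_t buf[6];
    size_t i;
    int j, n;

    for (i = 0; i < sizeof patches / sizeof patches[0]; i++) {
        n = encode_rel32(patches[i].kind, patches[i].src, patches[i].dst, buf);
        printf("%08X:", patches[i].src);
        for (j = 0; j < n; j++)
            printf(" %02X", buf[j]);
        printf("   -> %08X\n", patches[i].dst);
    }
    return 0;
}
```

A useful cross-check the encoder gives for free: the relocated CALL at 0040522C (E8 C1C0FFFF) and the original CALL at 004011F7 (E8 F6000000) must resolve to the same CreateWindowExA thunk, and rel_target() confirms they do.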
=================================================================
This part is the original button-creation code, relocated into the new section
00405200 6A 00 PUSH 0
00405202 FF35 60304000 PUSH [DWORD DS:403060]
00405208 68 697A0000 PUSH 7A69
0040520D FF75 08 PUSH [DWORD SS:EBP+8]
00405210 6A 14 PUSH 14
00405212 6A 50 PUSH 50
00405214 6A 64 PUSH 64
00405216 6A 64 PUSH 64
00405218 68 00000050 PUSH 50000000
0040521D 68 3C304000 PUSH Me4.0040303C ; ASCII "Exit"
00405222 68 35304000 PUSH Me4.00403035 ; ASCII "BUTTON"
00405227 68 00000200 PUSH 20000
0040522C E8 C1C0FFFF CALL <JMP.&USER32.CreateWindowExA>
00405231 A3 7C304000 MOV [DWORD DS:40307C],EAX
00405236 68 41304000 PUSH Me4.00403041 ; ASCII "MS Sans Serif"
0040523B 6A 00 PUSH 0
0040523D 6A 00 PUSH 0
0040523F 6A 00 PUSH 0
00405241 6A 00 PUSH 0
00405243 6A 01 PUSH 1
00405245 6A 00 PUSH 0
00405247 6A 00 PUSH 0
00405249 6A 00 PUSH 0
0040524B 68 90010000 PUSH 190
00405250 6A 00 PUSH 0
00405252 6A 00 PUSH 0
00405254 6A 00 PUSH 0
00405256 6A 0B PUSH 0B
00405258 E8 8FC0FFFF CALL <JMP.&GDI32.CreateFontA>
0040525D A3 80304000 MOV [DWORD DS:403080],EAX<======the font handle is saved here; it is needed again shortly
00405262 6A 00 PUSH 0
00405264 FF35 80304000 PUSH [DWORD DS:403080]
0040526A 6A 30 PUSH 30 ; Msg = WM_SETFONT
0040526C FF35 7C304000 PUSH [DWORD DS:40307C]
00405272 E8 B7C0FFFF CALL <JMP.&USER32.SendMessageA>
This part is the added code that creates the "Random" button
00405277 6A 00 PUSH 0
00405279 FF35 60304000 PUSH [DWORD DS:403060]
0040527F 68 007A0000 PUSH 7A00 ; hMenu = control ID 7A00 of the new button (Exit is 7A69)
00405284 FF75 08 PUSH [DWORD SS:EBP+8]
00405287 6A 14 PUSH 14
00405289 6A 50 PUSH 50
0040528B 6A 32 PUSH 32 ; Y = 32 (50.), above the Exit button at Y = 64 (100.)
0040528D 6A 64 PUSH 64
0040528F 68 00000050 PUSH 50000000
00405294 68 C7524000 PUSH Me4.004052C7 ; ASCII "Random"
00405299 68 35304000 PUSH Me4.00403035 ; ASCII "BUTTON"
0040529E 68 00000200 PUSH 20000
004052A3 E8 4AC0FFFF CALL <JMP.&USER32.CreateWindowExA>
004052A8 A3 84304000 MOV [DWORD DS:403084],EAX<======save the button handle
004052AD A3 88304000 MOV [DWORD DS:403088],EAX<======I also keep it as the random-number seed
004052B2 6A 00 PUSH 0
004052B4 FF35 80304000 PUSH [DWORD DS:403080]<======the font handle saved above, so both buttons share one font
004052BA 6A 30 PUSH 30 ; Msg = WM_SETFONT
004052BC 50 PUSH EAX
004052BD E8 6CC0FFFF CALL <JMP.&USER32.SendMessageA>
004052C2 -E9 D2BFFFFF JMP Me4.00401299
004052C7 db 'Random',0
=================================================================
= =
= 4. Display the MessageBox dialog =
= =
=================================================================
004052D0 60 PUSHAD
004052D1 A1 88304000 MOV EAX,[DWORD DS:403088]<====read the random-number seed
<========================================below is the pseudo-random algorithm I designed
004052D6 B9 26117919 MOV ECX,19791126<====my birthday in the solar calendar
004052DB BA 07107979 MOV EDX,79791007<====my birthday in the lunar calendar ^_^
004052E0 33C1 XOR EAX,ECX
004052E2 33C2 XOR EAX,EDX
004052E4 33D2 XOR EDX,EDX
004052E6 50 PUSH EAX
004052E7 B9 0A0A0A0A MOV ECX,0A0A0A0A
004052EC F7F1 DIV ECX
004052EE 8915 88304000 MOV [DWORD DS:403088],EDX
004052F4 B9 A0A0A0A0 MOV ECX,A0A0A0A0
004052F9 58 POP EAX
004052FA F7F1 DIV ECX
004052FC C1E2 16 SHL EDX,16
004052FF 0915 88304000 OR [DWORD DS:403088],EDX<===save the random-number seed
00405305 A1 88304000 MOV EAX,[DWORD DS:403088]
0040530A 50 PUSH EAX
0040530B 52 PUSH EDX
0040530C E8 9DBFFFFF CALL Me4.004012AE<=====the pseudo-random routine from the original program, analyzed below in section 5
00405311 68 00564000 PUSH Me4.00405600
00405316 50 PUSH EAX
00405317 E8 A8BFFFFF CALL Me4.004012C4<=====the number-to-string routine from the original program; quite interesting, analyzed below in section 5
0040531C 90 NOP
0040531D 90 NOP
0040531E 6A 00 PUSH 0
00405320 68 40534000 PUSH Me4.00405340 ; ASCII "Randomize-DiKeN[iPB]"
00405325 68 00564000 PUSH Me4.00405600
0040532A 6A 00 PUSH 0
0040532C E8 EBBFFFFF CALL <JMP.&USER32.MessageBoxA>===show the MessageBoxA
00405331 61 POPAD
00405332 -E9 62BFFFFF JMP Me4.00401299<==========back to the default message handling
=================================================================
= =
= 5. Other related items =
= =
=================================================================
i) The pseudo-random routine rand(x1,x2);
004012AE /$ 55 PUSH EBP
004012AF |. 8BEC MOV EBP,ESP
004012B1 |. D16D 0C SHR [ARG.2],1
004012B4 |. D16D 08 SHR [ARG.1],1
004012B7 |. 8B45 08 MOV EAX,[ARG.1]
004012BA |. 2945 0C SUB [ARG.2],EAX
004012BD |. 8B45 0C MOV EAX,[ARG.2]
004012C0 |. C9 LEAVE
004012C1 \. C2 0800 RETN 8
================================================================
unsigned rand(unsigned x1,unsigned x2){ | function rand(x1,x2:cardinal):cardinal;
    x1=x1>>1;                            | begin
    x2=x2>>1;                            |   x1:=x1 shr 1;
    return x2-x1;                        |   x2:=x2 shr 1;
}                                        |   rand:=x2-x1;
                                         | end;
The arguments are unsigned because the routine uses SHR (not SAR), and they are passed by value: the shifts modify the callee's own stack copies, so no var parameters are involved.
================================================================
ii) The conversion subroutine
004012C4 /. 55 PUSH EBP
004012C5 |. 8BEC MOV EBP,ESP
004012C7 |. 60 PUSHAD
004012C8 |. 8B7D 0C MOV EDI,[ARG.2]
004012CB |. 8B45 08 MOV EAX,[ARG.1]
004012CE |. B9 0A000000 MOV ECX,0A
004012D3 |. 6A 00 PUSH 0
004012D5 |> 33D2 /XOR EDX,EDX
004012D7 |. F7F1 |DIV ECX
004012D9 |. 80C2 30 |ADD DL,30
004012DC |. 52 |PUSH EDX
004012DD |. 85C0 |TEST EAX,EAX
004012DF |.^75 F4 \JNZ SHORT ReverseM.004012D5
004012E1 |> 58 /POP EAX
004012E2 |. AA |STOS [BYTE ES:EDI]
004012E3 |. 84C0 |TEST AL,AL
004012E5 |.^75 FA \JNZ SHORT ReverseM.004012E1
004012E7 |. 61 POPAD
004012E8 |. C9 LEAVE
004012E9 \. C2 0800 RETN 8
================================================================
This part is awkward to express in a high-level language: it uses the stack as scratch space.
It first pushes a 0 as a sentinel, then each round pushes (remainder mod 0xA) + 0x30 until the quotient is 0;
then it pops the digits and stores them into the output buffer (STOS) until the popped 0 is stored, which also terminates the string. Because the digits come off the stack in the reverse order of their generation, the most significant digit is written first. A 32-bit value needs at most 10 digits plus the terminator, so the buffer at 00405600 must be at least 11 bytes. This routine is really clever! Truly interesting!!
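To make the arithmetic of section 4 and the two helper routines of section 5 traceable, here is a C re-implementation that mirrors them instruction for instruction. It is an added example, not code from the original post or from the ReverseMe; the function names are mine, and the starting seed in main() is a constructed stand-in for the HWND that the patch stores at 00403088. It also makes a caveat visible: the displayed number is a pure function of the seed, so the same window handle always produces the same sequence, and nothing here is a source of randomness beyond a crackme demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors [403088] in the patched binary: the cell that Random.Click reads
 * and rewrites. The patch initializes it with the HWND of the Random
 * button, so for a given handle the sequence of numbers is fixed. */
static uint32_t g_seed;

/* rand(x1, x2) at 004012AE. SHR is an unsigned shift, and the routine
 * shifts its own stack copies, so the caller's values are untouched. */
uint32_t reme4_rand(uint32_t x1, uint32_t x2)
{
    x1 >>= 1;
    x2 >>= 1;
    return x2 - x1;
}

/* Number-to-decimal-string routine at 004012C4. A 0 is pushed first as a
 * sentinel; each round pushes (value mod 10) + '0' until the quotient is 0;
 * the digits are then popped and stored until the sentinel is stored,
 * which doubles as the NUL terminator. out needs at least 11 bytes. */
void reme4_utoa(uint32_t value, char *out)
{
    uint32_t stack[12];          /* stands in for the machine stack */
    int sp = 0;
    uint32_t v;

    stack[sp++] = 0;             /* PUSH 0 */
    do {                         /* loop at 004012D5: DIV ECX (ECX = 0Ah) */
        stack[sp++] = value % 10 + '0';
        value /= 10;
    } while (value != 0);        /* TEST EAX,EAX / JNZ */
    do {                         /* loop at 004012E1: POP EAX / STOS */
        v = stack[--sp];
        *out++ = (char)v;
    } while (v != 0);            /* TEST AL,AL / JNZ */
}

/* One Random.Click step, 004052D0..0040530C. Both DIVs are unsigned. */
uint32_t reme4_next(uint32_t *seed)
{
    uint32_t x  = *seed ^ 0x19791126u ^ 0x79791007u;   /* the two constants */
    uint32_t r1 = x % 0x0A0A0A0Au;   /* EDX after the first DIV, stored to [403088] */
    uint32_t r2 = x % 0xA0A0A0A0u;   /* EDX after the second DIV */
    uint32_t hi = r2 << 22;          /* SHL EDX,16 (16h = 22 bits) */

    *seed = r1 | hi;                 /* OR [403088],EDX */
    return reme4_rand(hi, *seed);    /* PUSH EAX; PUSH EDX; CALL 004012AE */
}

/* Small wrappers so one click can be checked from a given start handle. */
uint32_t reme4_first_value(uint32_t hwnd)
{
    uint32_t s = hwnd;
    return reme4_next(&s);
}

uint32_t reme4_seed_after_first_click(uint32_t hwnd)
{
    uint32_t s = hwnd;
    reme4_next(&s);
    return s;
}

/* Formats like the routine does, into a static buffer used the way [405600] is. */
const char *reme4_format(uint32_t value)
{
    static char buf[12];
    reme4_utoa(value, buf);
    return buf;
}

int main(void)
{
    int i;
    /* Constructed stand-in for the HWND that CreateWindowExA returned. */
    g_seed = 0x000A0B2Cu;
    for (i = 0; i < 5; i++) {
        uint32_t v = reme4_next(&g_seed);
        printf("click %d: MessageBox text \"%s\", seed now %08X\n",
               i + 1, reme4_format(v), g_seed);
    }
    return 0;
}
```

Working one click through by hand from seed 0: XORing the constants gives 60000121h, the two remainders are 05A5A6C7h and 60000121h, the shifted remainder is 48400000h, the new seed is 4DE5A6C7h, and rand() yields 02D2D363h, so the MessageBox shows 47371107. The subtraction in rand() cannot underflow here because the new seed is the OR of hi with something, so its shifted value is never smaller than hi's.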
=================================================================
DiKeN/iPB http://www.ipbchina.org/bbs/