====================================================================
简单ReverseMe过程
====================================================================
前言:
首先说明的是,这个是以前的有人分析过,但是好像不完整
开始简单ReverseMe之前一定要PE文件机构认真的看看,熟悉一些常识。
那你就可以开始本篇简单的逆向了(好像不能说叫逆向),反正就是
和破解有一点不同了,对不知道的人就是新知识,我本人也是一个小
小的菜鸟,有一点心得不敢独享,就发出本篇烂文
==================================
==================================
主文:
看看程序就是叫你添加一个提示框,和使一个EXIT按钮起作用,看起来
不难嘛,其实真的不难。
用LORDPE查看区段如下:
Name VOffset VSize ROffset RSize Flags
.text 00001000 0000008A 00000400 00000200 60000020
.rdata 00002000 000000DC 00000600 00000200 40000040
.data 00003000 0000003C 00000800 00000200 C0000040
.rsrc 00004000 00000198 00000A00 00000200 C0000040
我们看到.text空间还有0x200-0x8A=0x176,足够我们用了
由于我们要在OD里添加,所以汇编代码:
00401000 > 6A 00 PUSH 0
00401002 E8 6B000000 CALL <JMP.&KERNEL32.GetModuleHandleA> ;模块
00401007 |. A3 38304000 MOV DWORD PTR DS:[403038],EAX ;下面创建窗口
0040100C |. 6A 00 PUSH 0 ; /lParam = NULL
0040100E |. 68 29104000 PUSH rm1.00401029 ; |DlgProc = rm1.00401029
00401013 |. 6A 00 PUSH 0 ; |hOwner = NULL
00401015 |. 6A 01 PUSH 1 ; |pTemplate = 1
00401017 |. FF35 38304000 PUSH DWORD PTR DS:[403038] ; |hInst = NULL
0040101D |. E8 56000000 CALL <JMP.&USER32.DialogBoxParamA> ; \DialogBoxParamA
00401022 |. 6A 00 PUSH 0 ; /ExitCode = 0
00401024 \. E8 43000000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess
00401029 /. 55 PUSH EBP
0040102A |. 8BEC MOV EBP,ESP
0040102C |. 817D 0C 110100>CMP DWORD PTR SS:[EBP+C],111 ; 是否是WM_COMMAND,就是EXIT
00401033 75 1F JNZ SHORT rm1.00401054 ; 我们只要修改这里,跳到EndDialog的地方就OK了
00401035 |. 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00401038 |. 66:83F8 64 CMP AX,64
0040103C |. 75 2A JNZ SHORT rm1.00401068
0040103E |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401040 |. 68 2F304000 PUSH rm1.0040302F ; |Title = "GOAL:"
00401045 |. 68 00304000 PUSH rm1.00403000 ; |Text = "Your job is to make me work as an exit button!"
0040104A |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
0040104D |. E8 32000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
00401052 |. EB 14 JMP SHORT rm1.00401068
00401054 |> 837D 0C 10 CMP DWORD PTR SS:[EBP+C],10
00401058 |. 75 0E JNZ SHORT rm1.00401068 ;下面就是结束窗口的函数,只要到这里窗口就OVER!
0040105A |. 6A 00 PUSH 0 ; /Result = 0
0040105C |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040105F |. E8 1A000000 CALL <JMP.&USER32.EndDialog> ; \EndDialog
00401064 |. C9 LEAVE
00401065 |. C2 1000 RETN 10
00401068 |> C9 LEAVE
00401069 \. C2 1000 RETN 10 ;下面是输入表
0040106C .-FF25 04204000 JMP DWORD PTR DS:[<&KERNEL32.ExitProcess>; kernel32.ExitProcess
00401072 $-FF25 00204000 JMP DWORD PTR DS:[<&KERNEL32.GetModuleHa>; kernel32.GetModuleHandleA
00401078 $-FF25 14204000 JMP DWORD PTR DS:[<&USER32.DialogBoxPara>; USER32.DialogBoxParamA
0040107E $-FF25 0C204000 JMP DWORD PTR DS:[<&USER32.EndDialog>] ; USER32.EndDialog
00401084 $-FF25 10204000 JMP DWORD PTR DS:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
============================================
============================================
第一部准备添加一个提示框,看一下函数原形
int MessageBox(
HWND hWnd, // handle of owner window
LPCTSTR lpText, // address of text in message box
LPCTSTR lpCaption, // address of title of message box
UINT uType // s t y l e of message box
);
我们在这里写MessageBoxA的Title和Text
00401100 . 6C 6E 6E 31 31>ASCII "lnn1123[BCG]",0;Title
0040110D 00 DB 00
0040110E 00 DB 00
0040110F 00 DB 00
00401110 . 54 68 69 73 20>ASCII "This is simple R";Text
00401120 . 65 76 65 72 73>ASCII "everseMe",0
Title,Text弄好了,那MessageBoxA函数呢,用LORDPE查看输入表里有这个函数
这就好办了,调用只要这样就行了;Call [00402010]
============================================
============================================
我们要改变程序运行流程了,看修改后的:
00401000 > $ E9 AB000000 JMP lnn1123.004010B0;到自己的代码地方
00401005 90 NOP;这里的代码后面要修补
00401006 90 NOP;这里的代码后面要修补
00401007 > A3 38304000 MOV DWORD PTR DS:[403038],EAX
0040100C . 6A 00 PUSH 0 ; /lParam = NULL
0040100E . 68 29104000 PUSH lnn1123.00401029 ; |DlgProc = lnn1123.00401029
00401013 . 6A 00 PUSH 0 ; |hOwner = NULL
00401015 . 6A 01 PUSH 1 ; |pTemplate = 1
00401017 . FF35 38304000 PUSH DWORD PTR DS:[403038] ; |hInst = NULL
0040101D . E8 56000000 CALL <JMP.&USER32.DialogBoxParamA> ; \DialogBoxParamA
00401022 . 6A 00 PUSH 0 ; /ExitCode = 0
00401024 . E8 43000000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess
00401029 . 55 PUSH EBP
0040102A . 8BEC MOV EBP,ESP
0040102C . 817D 0C 110100>CMP DWORD PTR SS:[EBP+C],111
00401033 . 74 25 JE SHORT lnn1123.0040105A
00401035 . 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00401038 . 66:83F8 64 CMP AX,64
0040103C . 75 2A JNZ SHORT lnn1123.00401068
0040103E . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401040 . 68 2F304000 PUSH lnn1123.0040302F ; |Title = "GOAL:"
00401045 . 68 00304000 PUSH lnn1123.00403000 ; |Text = "Your job is to make me work as an exit button!"
0040104A . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
0040104D . E8 32000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
00401052 . EB 14 JMP SHORT lnn1123.00401068
00401054 . 837D 0C 10 CMP DWORD PTR SS:[EBP+C],10
00401058 . 75 0E JNZ SHORT lnn1123.00401068
0040105A > 6A 00 PUSH 0 ; /Result = 0
0040105C . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040105F . E8 1A000000 CALL <JMP.&USER32.EndDialog> ; \EndDialog
00401064 . C9 LEAVE
00401065 . C2 1000 RETN 10
00401068 > C9 LEAVE
00401069 . C2 1000 RETN 10
0040106C .-FF25 04204000 JMP DWORD PTR DS:[<&KERNEL32.ExitProcess>; kernel32.ExitProcess
00401072 .-FF25 00204000 JMP DWORD PTR DS:[<&KERNEL32.GetModuleHa>; kernel32.GetModuleHandleA
00401078 $-FF25 14204000 JMP DWORD PTR DS:[<&USER32.DialogBoxPara>; USER32.DialogBoxParamA
0040107E $-FF25 0C204000 JMP DWORD PTR DS:[<&USER32.EndDialog>] ; USER32.EndDialog
00401084 $-FF25 10204000 JMP DWORD PTR DS:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
0040108A 00 DB 00
0040108B 00 DB 00
0040108C 00 DB 00
0040108D 00 DB 00
0040108E 00 DB 00
0040108F 00 DB 00
00401090 00 DB 00
00401091 00 DB 00
00401092 00 DB 00
00401093 00 DB 00
00401094 00 DB 00
00401095 00 DB 00
00401096 00 DB 00
00401097 00 DB 00
00401098 00 DB 00
00401099 00 DB 00
0040109A 00 DB 00
0040109B 00 DB 00
0040109C 00 DB 00
0040109D 00 DB 00
0040109E 00 DB 00
0040109F 00 DB 00
004010A0 00 DB 00
004010A1 00 DB 00
004010A2 00 DB 00
004010A3 00 DB 00
004010A4 00 DB 00
004010A5 00 DB 00
004010A6 00 DB 00
004010A7 00 DB 00
004010A8 00 DB 00
004010A9 00 DB 00
004010AA 00 DB 00
004010AB 00 DB 00
004010AC 00 DB 00
004010AD 00 DB 00
004010AE 00 DB 00
004010AF 00 DB 00
004010B0 > 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
004010B2 . 68 00114000 PUSH lnn1123.00401100 ; |Title = "lnn1123[BCG]"
004010B7 . 68 10114000 PUSH lnn1123.00401110 ; |Text = "This is simple ReverseMe"
004010BC . 6A 00 PUSH 0 ; |hOwner = NULL
004010BE . FF15 10204000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
004010C4 . 6A 00 PUSH 0 ; 这里修补上面的代码
004010C6 . FF15 00204000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; 这里修补上面的代码
004010CC .^E9 36FFFFFF JMP lnn1123.00401007 ;跳回去继续执行程序
=============================================
=============================================
自己对比看看有什么变化,好了我们的提示框就这么搞定了,运行的时候肯定先
弹出一个提示框,还有程序要所EXIT按钮起作用,看第一段代码就知道怎么做了
看我的修改代码:
0040102C . 817D 0C 110100>CMP DWORD PTR SS:[EBP+C],111
00401033 . 74 25 JE SHORT lnn1123.0040105A;这里修改了
00401035 . 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00401038 . 66:83F8 64 CMP AX,64
0040103C . 75 2A JNZ SHORT lnn1123.00401068
0040103E . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401040 . 68 2F304000 PUSH lnn1123.0040302F ; |Title = "GOAL:"
00401045 . 68 00304000 PUSH lnn1123.00403000 ; |Text = "Your job is to make me work as an exit button!"
0040104A . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
0040104D . E8 32000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
00401052 . EB 14 JMP SHORT lnn1123.00401068
00401054 . 837D 0C 10 CMP DWORD PTR SS:[EBP+C],10
00401058 . 75 0E JNZ SHORT lnn1123.00401068
0040105A > 6A 00 PUSH 0 ; /Result = 0
0040105C . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040105F . E8 1A000000 CALL <JMP.&USER32.EndDialog> ; \EndDialog
总结:
这里没有提到很多PE的数据结构,为了让新手能够看下去,如果你知道那些数
据结构那更好,我的目的就是要新手看懂!老鸟就不要看了,
就这样就做好了,简单吧,不要看他简单,如果没有PE文件格式知识,很难懂的,
所以看看学习PE多重要啊,没有学的赶快学啊,上面的是简单了,但是如果你
想真正的添加程序功能,上面的这些你是必须要会的,最后谢谢你看完文章:)
