Recently, a project required me to disassemble an exe program for the first time. After several days I finally came face to face with the algorithm the project urgently needed from that program. Looking back over the whole process, I have a few small impressions. To remember the mental journey of this first disassembly, I have written down my (admittedly superficial) notes on the process below.
I. Working Environment:
1. Packer ("shell") checking tool: PEiD (used for a preliminary check of whether the exe is packed, and of which compiler or development tool produced it);
2. Decompilation tool: DeDe (the packer check showed that the program to be decompiled was built with "Borland C++ 1999", so DeDe, a decompiler for Delphi and C++Builder VCL programs, is used; it gives a preliminary picture of how the exe is divided into modules and functions and of the assembly instruction addresses belonging to each);
3. Disassembly and dynamic debugging tool: OllyICE (a build of OllyDbg, referred to as OD below; used for dynamic disassembly and debugging of the relevant code logic);
4. Development environment: VS.NET 2005;
5. Other tools: EditPlus, Notepad, calculator, etc.
II. Basic Knowledge:
1. Assembly programming: mainly a solid understanding of how a program stores data, uses the stack and calls subroutines, and of how addresses advance for different data types (a pointer is normally stepped by the size of the type it points to);
2. C++ programming: basic syntax; use and control of pointers and data types;
3. Basic usage of the tools and software listed above.
III. Working Process:
My disassembly process is:
Packer check -> unpack (if needed) and identify the environment the program was developed with ->
Decompile -> locate the start and end addresses of the assembly instructions for the main modules or functions ->
Prepare for disassembly -> find characteristic strings or values in the program to pin down the location of the code logic to be analysed ->
Disassemble and debug -> analyse the specific flow of the target code logic step by step -> re-implement the analysed logic in C++.
1. Packer check:
Run PEiD and open the exe to be analysed; here we call it test.exe.
As in Figure 1, the line above "Multi Scan" (here "Microsoft Visual C++ 7.0 DLL Method 3") is PEiD's guess at the program's development environment.
Next, click the ">" button in the lower right corner of the window to check whether the program is packed, as in Figure 2: click the button at the far right of each of the "Entropy", "EP Check" and "Fast Check" lines, and each reports whether it considers the file packed.
The test.exe here is clean, that is, not packed, so there is nothing to unpack and the matching decompilation tool can be used for the next step. Pai_^
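As an added example (my own code, not the blog author's and not PEiD's), here is the core of PEiD's "EP Check" and "Entropy" checks in portable C++11 rather than the VS.NET 2005 dialect used in the post: find the section that holds AddressOfEntryPoint and measure the byte entropy of that section. The build_pe() helper fabricates tiny synthetic PE32 images for two scenarios, a clean .text-based binary and a UPX-style layout; those images, their section names and contents, and the 7.0-bit threshold are constructed assumptions for illustration, not taken from test.exe.

```cpp
// Added example (mine, not code from the original post or from PEiD): the core of
// PEiD's "EP Check" and "Entropy" checks. check_pe() walks the PE section table in a
// byte buffer, finds the section holding AddressOfEntryPoint and measures its byte
// entropy; build_pe() fabricates tiny synthetic PE32 images (constructed test data,
// not real executables) so the check runs offline. Portable C++11, no <windows.h>.
#include <algorithm>
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <utility>
#include <vector>

struct PackCheck {
    bool valid = false;         // false when the buffer is not a well-formed PE
    uint32_t entry_point = 0;   // OptionalHeader.AddressOfEntryPoint (an RVA)
    std::string ep_section;     // section containing the EP; empty if none does
    double ep_entropy = 0.0;    // Shannon entropy of that section's raw bytes, 0..8
    bool likely_packed = false; // heuristic verdict, see check_pe()
};

static uint16_t rd16(const std::vector<uint8_t>& b, size_t o) { return uint16_t(b[o] | (b[o + 1] << 8)); }
static uint32_t rd32(const std::vector<uint8_t>& b, size_t o) { return rd16(b, o) | (uint32_t(rd16(b, o + 2)) << 16); }
static void wr16(std::vector<uint8_t>& b, size_t o, uint16_t v) { b[o] = uint8_t(v); b[o + 1] = uint8_t(v >> 8); }
static void wr32(std::vector<uint8_t>& b, size_t o, uint32_t v) { wr16(b, o, uint16_t(v)); wr16(b, o + 2, uint16_t(v >> 16)); }

// Shannon entropy in bits per byte: plain x86 code sits roughly at 5 to 6.5,
// compressed or encrypted data (a packer's payload) close to 8.
double shannon_entropy(const uint8_t* data, size_t len) {
    if (len == 0) return 0.0;
    size_t counts[256] = {0};
    for (size_t i = 0; i < len; ++i) counts[data[i]]++;
    double h = 0.0;
    for (size_t c : counts)
        if (c) { double p = double(c) / double(len); h -= p * std::log2(p); }
    return h;
}

PackCheck check_pe(const std::vector<uint8_t>& img) {
    PackCheck r;
    if (img.size() < 0x40 || img[0] != 'M' || img[1] != 'Z') return r;
    size_t pe = rd32(img, 0x3C);                                       // IMAGE_DOS_HEADER.e_lfanew
    if (pe + 24 > img.size() || std::memcmp(&img[pe], "PE\0\0", 4) != 0) return r;
    uint16_t nsec = rd16(img, pe + 6);                                 // FileHeader.NumberOfSections
    size_t opt = pe + 24, sec = opt + rd16(img, pe + 20);              // section table follows the optional header
    if (opt + 20 > img.size() || sec + size_t(nsec) * 40 > img.size()) return r;
    r.valid = true;
    r.entry_point = rd32(img, opt + 16);                               // OptionalHeader.AddressOfEntryPoint
    for (uint16_t i = 0; i < nsec; ++i) {
        size_t s = sec + size_t(i) * 40;                               // one IMAGE_SECTION_HEADER
        uint32_t vsize = rd32(img, s + 8), va = rd32(img, s + 12);
        uint32_t rsize = rd32(img, s + 16), rptr = rd32(img, s + 20);
        if (r.entry_point < va || uint64_t(r.entry_point) >= uint64_t(va) + std::max(vsize, rsize)) continue;
        size_t n = 0;
        while (n < 8 && img[s + n] != 0) ++n;                           // Name[8] has no NUL when all 8 are used
        r.ep_section.assign(reinterpret_cast<const char*>(&img[s]), n);
        if (rsize != 0 && uint64_t(rptr) + rsize <= img.size())        // raw data must lie inside the file
            r.ep_entropy = shannon_entropy(&img[rptr], rsize);
        break;
    }
    // Heuristic only: an EP outside every section, or inside one whose bytes look compressed,
    // is how a packer stub usually presents itself; a low-entropy stub and payload slip past this.
    r.likely_packed = r.ep_section.empty() || r.ep_entropy > 7.0;
    return r;
}

// Fabricates a minimal PE32 image: DOS stub, "PE\0\0", file header, a zeroed 0xE0-byte optional
// header with only Magic and the EP set, then one section header plus raw data per entry.
typedef std::vector<std::pair<std::string, std::vector<uint8_t>>> SectionList;
std::vector<uint8_t> build_pe(const SectionList& secs, uint32_t ep_rva) {
    const size_t pe = 0x40, opt = pe + 24, opt_size = 0xE0, sec = opt + opt_size;
    std::vector<uint8_t> img((sec + secs.size() * 40 + 0x1FF) & ~size_t(0x1FF), 0); // raw data 0x200-aligned
    img[0] = 'M'; img[1] = 'Z'; wr32(img, 0x3C, uint32_t(pe));
    std::memcpy(&img[pe], "PE\0\0", 4);
    wr16(img, pe + 4, 0x14C);                                          // Machine = IMAGE_FILE_MACHINE_I386
    wr16(img, pe + 6, uint16_t(secs.size()));
    wr16(img, pe + 20, uint16_t(opt_size));
    wr16(img, opt, 0x10B);                                             // Magic = PE32
    wr32(img, opt + 16, ep_rva);
    uint32_t va = 0x1000;                                              // sections mapped on 4 KiB pages
    for (size_t i = 0; i < secs.size(); ++i) {
        size_t s = sec + i * 40;
        uint32_t sz = uint32_t(secs[i].second.size());
        std::memcpy(&img[s], secs[i].first.data(), std::min<size_t>(8, secs[i].first.size()));
        wr32(img, s + 8, sz); wr32(img, s + 12, va);                   // VirtualSize, VirtualAddress
        wr32(img, s + 16, sz); wr32(img, s + 20, uint32_t(img.size())); // SizeOfRawData, PointerToRawData
        img.insert(img.end(), secs[i].second.begin(), secs[i].second.end());
        va = (va + std::max<uint32_t>(sz, 1) + 0xFFFu) & ~0xFFFu;
    }
    return img;
}

std::vector<uint8_t> sample_code(size_t n) {           // repeating 16-byte pattern: entropy exactly 4.0
    std::vector<uint8_t> v(n); for (size_t i = 0; i < n; ++i) v[i] = uint8_t(i % 16); return v;
}
std::vector<uint8_t> sample_packed(size_t n) {         // LCG byte stream: entropy close to 8
    std::vector<uint8_t> v(n); uint32_t x = 0x2545F491u;
    for (size_t i = 0; i < n; ++i) { x = x * 1664525u + 1013904223u; v[i] = uint8_t(x >> 24); }
    return v;
}

int main() {
    PackCheck c = check_pe(build_pe({{"UPX0", sample_code(16)}, {"UPX1", sample_packed(4096)}}, 0x2040));
    std::printf("EP in section %s, entropy %.2f -> %s\n", c.ep_section.c_str(), c.ep_entropy,
                c.likely_packed ? "likely packed" : "not packed");
    return 0;
}
```

Build with `g++ -std=c++11` and run; checking a real file only needs its bytes read into a std::vector<uint8_t> and passed to check_pe(). Treat the verdict as a hint, exactly as PEiD's is: entropy catches compressed or encrypted payloads, while a packer whose stub and payload both stay below the threshold, or a binary that simply has an unusual section layout, needs the manual look that the next steps describe.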
2. Decompilation:
As noted in I.2, the program I actually worked on was compiled with "Borland C++ 1999", so DeDe 3.5 was chosen as the decompiler (Figure 3). For the details of using DeDe 3.5, please look them up online.
3. Locate the assembly instruction addresses of the main modules and functions:
From the decompiled framework of classes and methods, two suspicious address ranges of assembly instructions were identified.
Figure 4: select the "Procedures" tab, then double-click Button3Click in the list at the lower right to view the body of that method. Of course, what you see this way is not a function body in the usual sense: it is only a skeleton that looks like a high-level language, with assembly code inside. That is enough for now; the detailed disassembly, debugging and analysis come later. Hey. The function body is shown in Figure 5:
Write down the first and last addresses of this function and start the disassembly work.
4. Disassembly preparation:
Open test.exe in OD (OllyICE.exe), as in Figure 6.
Find the first and last addresses recorded in step 3; in this example the first address is 00401EC4 and the last is 00401EF5.
5. Disassembly and debugging:
Starting from the instruction addresses located in step 4, and combining them with key strings such as [ASCII "Hello OD"] and [ASCII "this is OllyDbg DeAsm"] visible in Figure 6, search for all referenced strings in OD (right-click the disassembly window, "Search for" -> "All referenced text strings") and begin debugging. For details, see OD's own help file.
Work through the logic of the required assembly code one instruction at a time. Meanwhile, the other helper tools (the calculator, a text editor) can be used to record how values move between registers and memory and how they are transformed during the dynamic analysis.
6. C++ implementation: implement the same function in C++ from the analysed assembly logic.
Note: besides locating code through ASCII strings, constants declared in the program (constant strings, mapping control matrices, counters and the like) can be used for more precise positioning.
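As an added example of step 6 (my own, constructed code, not the NDA-covered routine from the post), the block below shows a small OllyDbg-style listing of a classic ROR-13 string hash at hypothetical addresses (00401000 onwards), the line-by-line C++ translation of it, and a trace helper that returns the value EAX holds after each loop iteration so the translation can be checked against OD's register window while single-stepping. The listing, its addresses and the input string are constructed for illustration and do not come from test.exe.

```cpp
// Added example (mine, not the original post's code). The listing is a constructed
// OllyDbg-style disassembly of a ROR-13 string hash at hypothetical addresses; the
// C++ below it is the translation, plus a trace of EAX per iteration for comparison
// with OD while single-stepping (F7/F8) through the loop.
//
//   00401000  55            PUSH EBP
//   00401001  8BEC          MOV EBP,ESP
//   00401003  8B55 08       MOV EDX,DWORD PTR SS:[EBP+8]   ; EDX = const char* s
//   00401006  33C0          XOR EAX,EAX                    ; EAX = hash = 0
//   00401008  0FB60A        MOVZX ECX,BYTE PTR DS:[EDX]    ; ECX = *s, zero-extended
//   0040100B  85C9          TEST ECX,ECX
//   0040100D  74 08         JE SHORT 00401017              ; stop at the NUL terminator
//   0040100F  C1C8 0D       ROR EAX,0D                     ; rotate hash right by 13
//   00401012  03C1          ADD EAX,ECX                    ; hash += byte
//   00401014  42            INC EDX                        ; s++
//   00401015  EB F1         JMP SHORT 00401008
//   00401017  5D            POP EBP
//   00401018  C3            RETN                           ; result in EAX
#include <cstdint>
#include <cstdio>
#include <vector>

// One loop iteration of the listing: ROR EAX,0D ; ADD EAX,ECX
static inline uint32_t ror13_step(uint32_t h, uint8_t c) {
    h = (h >> 13) | (h << 19);   // 32-bit rotate right by 13
    return h + c;                // ADD wraps modulo 2^32, exactly like EAX
}

// Straight translation of the routine: returns what EAX holds at RETN.
uint32_t ror13_hash(const char* s) {
    uint32_t h = 0;
    for (const unsigned char* p = reinterpret_cast<const unsigned char*>(s); *p; ++p)
        h = ror13_step(h, *p);
    return h;
}

// Value of EAX after each iteration, in order. While stepping in OD, compare each
// entry with the EAX shown after ADD EAX,ECX; the first mismatch locates the error.
std::vector<uint32_t> ror13_trace(const char* s) {
    std::vector<uint32_t> t;
    uint32_t h = 0;
    for (const unsigned char* p = reinterpret_cast<const unsigned char*>(s); *p; ++p)
        t.push_back(h = ror13_step(h, *p));
    return t;
}

int main() {
    const char* sample = "ABC";                       // constructed input string
    std::printf("hash(\"%s\") = %08X\n", sample, ror13_hash(sample));
    unsigned i = 1;
    for (uint32_t v : ror13_trace(sample))
        std::printf("  after iteration %u: EAX = %08X\n", i++, v);
    return 0;
}
```

The trace is the useful part in practice: rather than trusting the whole translation at once, set a breakpoint on the ADD, run the real program on the same input, and compare EAX iteration by iteration; a mismatch in the first few values usually means a rotate direction, a signed/unsigned load, or an off-by-one at the terminator was transcribed wrongly.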
The above is a record of the main steps of disassembling a program. Note: because of a confidentiality agreement, it is not convenient to discuss the project's code in more detail here; please forgive me. I hope those with more disassembly experience will offer some advice. Thank you for your attention. Haha ^_^
This article comes from the Airfish blog; please be sure to keep this source: http://airfish.blog.51cto.com/358752/264819