Original: first impressions of exe program disassembly
Recently, because of a project's needs, I came into contact with exe program disassembly for the first time. After several days I finally saw the true face of the algorithm the project urgently needed. Looking back over the whole process, I have a few impressions. To remember the mental journey of this first disassembly, I have recorded my (rather superficial) impressions of the process here.
I. Working environment:
1. Shell check tool: PEiD, used to preliminarily determine whether the exe program is packed ("shelled") and which development software built it;
2. Decompilation tool: DeDe. After the shell check, my program was reported as "BorlandC ++ 1999", so DeDe, which specifically decompiles Delphi programs, is used to preliminarily determine where the program's modules and methods are, i.e. the address ranges of the corresponding assembly instructions in the exe;
3. Disassembly and dynamic debugging tool: OllyICE, i.e. OD, used to disassemble and dynamically debug the program's code logic;
4. Development environment: VS.NET 2005;
5. Other tools: EditPlus, Notepad, a calculator, etc.
II. Basic knowledge:
1. Assembly language programming: above all, a solid understanding of how a program stores data, uses the stack, calls subroutines and so on, plus the rule for stepping through addresses of different data types (an address generally advances by the size of that type);
2. C++ programming: basic syntax; use and control of pointers and data types;
3. Basic use of the tools and software above.
III. Working process:
My disassembly process is:
Shell check -> unpacking and determining the environment the program was developed in -> decompilation -> locating the start and end addresses of the assembly instructions for the main function modules or functions -> disassembly preparation -> finding a feature string or feature value in the program to further pin down the location of the code logic to be decompiled -> starting disassembly and debugging to analyze the specific flow of that code logic -> implementing the analyzed logic flow in C++.
1. Shell check:
Run PEiD and open the exe program to be decompiled; here we call it test.exe.
As shown in Figure 1:
[Figure 1: PEiD opened on test.exe]
"Microsoft Visual C ++ 7.0 Dll Method 3" is reported as the program's development environment.
Next, click the ">" button in the lower-right corner of the window to see whether the program is packed, as in Figure 2:
[Figure 2: PEiD extra information panel]
Click the "-" button at the far right of the "Entropy", "EP Verification" and "Quick Verification" rows to check whether a packer was applied.
The test.exe program is very clean: no packer. With no packer in the way, you can move on to the corresponding decompilation tool. ^_^
2. Decompilation:
As noted under I.2, the program I actually decompiled was identified as "BorlandC ++ 1999", so DeDe 3.5 was chosen as the decompilation tool. For details on how to use DeDe 3.5, see its website.
[Figure 3: DeDe 3.5 opened on the program]
3. Locating the assembly instruction addresses of the main modules and functions:
From the decompiled skeleton of classes and methods, two suspicious ranges of assembly instruction addresses are identified, as in Figure 4:
[Figure 4: DeDe's class and method view]
Select the Procedures button, as shown, and double-click Button3Click in the list at the lower right to view the function body of that method. Of course, the function body seen this way is not a function body in the usual sense: it is only a skeleton that looks like a high-level language, and what it contains is assembly code. But that is enough, since the detailed disassembly debugging and analysis comes later. Hey. The function body is shown in Figure 5:
[Figure 5: function body of Button3Click as shown by DeDe]
Good. Write down the first and last addresses of this function and start the disassembly work.
4. Disassembly preparation:
Open the test.exe program in OD (OllyICE), as in Figure 6:
[Figure 6: test.exe loaded in OllyICE]
Find the first and last addresses recorded just now; in this example the first address is 00401EC4 and the last address is 00401EF5.
5. Disassembly debugging:
Starting from the assembly instruction addresses located in step 4, and combined with key strings such as [ASCII "Hello OD"] and [ASCII "this is OllyDbg DeAsm"] in Figure 6, search all referenced strings and begin debugging in OD. For more details, see the help file that comes with OD.
Analyze the logic flow of the required part of the assembly code one step at a time. Along the way, other auxiliary tools can help record how values travel and are transformed during the dynamic analysis.
6. C++ implementation:
Use C++ to implement the same functionality according to the assembly code logic that was analyzed.
Note: apart from locating code through ASCII strings, you can also use constants declared in the program, such as constant strings, control matrices and counters, to position yourself more precisely.
The above is a record of the main steps of disassembling a program. Note: because of a confidentiality agreement, it is not convenient to discuss too much of the project's code here; please forgive me. I hope that seniors with disassembly experience will offer some advice. Thank you for your attention. Haha ^_^
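Two of the steps above, the PEiD shell check (entropy of the section holding the entry point) and the OD referenced-string search used to locate code, can be reproduced in a few dozen lines of Python. The script below is an added example, not code from the original post or from PEiD, DeDe or OD. It parses only the PE header fields it needs, builds two constructed single-section sample images inline (one "clean", one filled with pseudo-random bytes standing in for a packed section), and reports a packed/not-packed hint plus every printable string with its virtual address. The 7.0 bits/byte threshold, the sample bytes, the 0x400000 image base and all function names are assumptions of this example.

```python
import math
import random
import re
import struct
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

class Section(NamedTuple):
    name: str
    va: int        # RVA at which the section is mapped
    vsize: int     # VirtualSize
    raw_ptr: int   # PointerToRawData (file offset)
    raw_size: int  # SizeOfRawData

class PEInfo(NamedTuple):
    image_base: int
    entry_point: int   # AddressOfEntryPoint, an RVA
    sections: List[Section]

def parse_pe(data: bytes) -> PEInfo:
    """Read just the header fields the checks below need (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)  # COFF header
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]       # AddressOfEntryPoint
    if magic == 0x10B:                                             # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == 0x20B:                                           # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsec):                                          # section table follows the optional header
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize))
    return PEInfo(image_base, entry, sections)

def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())

def entry_section(pe: PEInfo) -> Optional[Section]:
    """The section whose RVA range contains the entry point, or None."""
    for s in pe.sections:
        if s.va <= pe.entry_point < s.va + max(s.vsize, s.raw_size):
            return s
    return None

def packer_heuristic(data: bytes, threshold: float = 7.0) -> Tuple[bool, float, str]:
    """(probably_packed, entropy, section_name) for the section holding the entry point.
    Compiled code rarely exceeds ~6.5 bits/byte; compressed or encrypted code sits near 8.0.
    The 7.0 cut-off is an assumed rule of thumb, not a PEiD constant: confirm in the debugger."""
    pe = parse_pe(data)
    sec = entry_section(pe)
    if sec is None:
        return True, 0.0, "<none>"   # an entry point outside every section is suspicious by itself
    ent = shannon_entropy(data[sec.raw_ptr:sec.raw_ptr + sec.raw_size])
    return ent >= threshold, ent, sec.name

def find_strings(data: bytes, min_len: int = 5) -> List[Tuple[int, str]]:
    """Printable-ASCII runs in every section, each with the virtual address a debugger would show."""
    pe = parse_pe(data)
    hits = []
    for s in pe.sections:
        raw = data[s.raw_ptr:s.raw_ptr + s.raw_size]
        for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw):
            hits.append((pe.image_base + s.va + m.start(), m.group().decode("ascii")))
    return hits

def build_sample_pe(section_bytes: bytes, image_base: int = 0x400000) -> bytes:
    """Constructed single-section PE32 (not a real binary); entry point at the start of .text."""
    sec_va, raw_ptr = 0x1000, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, 0x0102)           # i386, 1 section, 96-byte optional header
    opt = struct.pack("<HBBIIIIIII", 0x10B, 9, 0, len(section_bytes), 0, 0,
                      sec_va, sec_va, 0, image_base).ljust(96, b"\0")      # AddressOfEntryPoint = sec_va
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_bytes), sec_va,
                       len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0") + section_bytes

# Constructed section contents: a low-entropy 'code' pattern plus the two strings the post mentions ...
CLEAN_TEXT = (b"\x55\x8b\xec\x83\xec\x10" * 100 + b"Hello OD\0this is OllyDbg DeAsm\0").ljust(0x1000, b"\0")
# ... and seeded pseudo-random bytes standing in for a compressed or encrypted section.
_rng = random.Random(1234)
PACKED_TEXT = bytes(_rng.getrandbits(8) for _ in range(0x1000))

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_TEXT), ("packed", PACKED_TEXT)):
        print(label, packer_heuristic(build_sample_pe(blob)))
    for va, s in find_strings(build_sample_pe(CLEAN_TEXT)):
        print("%08X  %s" % (va, s))
```

For the clean sample, `find_strings` reports "Hello OD" at 00401258 and "this is OllyDbg DeAsm" at 00401261, which is the same kind of address OD lists in its referenced-strings window, so it can be used directly to set a breakpoint near the code that uses the string. Replacing `build_sample_pe(...)` with the bytes of a real file read from disk is all that is needed to run either check on test.exe.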
This article is from the blog "Fish in the Air"; please keep this source when reproducing it: http://airfish.blog.51cto.com/358752/264819