Being bored, I traced part of Kingsoft Ranger's code and rewrote the routine in assembly following the program's flow. Let's make a trainer!
0041EC32 /. 55            push ebp                                    ; ebp is used to address the stack and locate the incoming parameters, so save it first
0041EC33 |. 8BEC          mov ebp, esp                                ; address the stack through ebp, because esp keeps changing
0041EC35 |. 51            push ecx
0041EC36 |. 56            push esi
0041EC37 |. 57            push edi                                    ; the values of these three registers are saved
0041EC38 |. FF71 20       push dword ptr [ecx+20]                     ; the ID of the process to open, taken from offset 20h of the object that ecx points to; third parameter
0041EC3B |. 6A 00         push 0                                      ; whether the handle can be inherited, 0 = not inheritable; second parameter
0041EC3D |. 6A 10         push 10                                     ; desired access to the process, here 10h = PROCESS_VM_READ; first parameter
0041EC3F |. FF15 78F34500 call dword ptr [<&kernel32.OpenProcess>]    ; open the process; it must be opened before it can be used
0041EC45 |. 8BF0          mov esi, eax                                ; save the handle returned in eax to esi
0041EC47 |. 85F6          test esi, esi                               ; check whether the call succeeded (handle is non-zero)
0041EC49 |. 74 35         je short 0041EC80                           ; on failure jump to the end of the routine
0041EC4B |. 8B7D 10       mov edi, dword ptr [ebp+10]                 ; load the third external parameter into edi
0041EC4E |. 8D45 FC       lea eax, dword ptr [ebp-4]                  ; address of the slot where ecx was pushed, reused as a local variable
0041EC51 |. 50            push eax                                    ; receives the number of bytes actually read; fifth parameter
0041EC52 |. 57            push edi                                    ; number of bytes to read, from [ebp+10]; fourth parameter
0041EC53 |. FF75 0C       push dword ptr [ebp+C]                      ; buffer that receives the data read; third parameter
0041EC56 |. 8365 FC 00    and dword ptr [ebp-4], 0                    ; initialise the bytes-read local to 0
0041EC5A |. FF75 08       push dword ptr [ebp+8]                      ; start address to read from; second parameter
0041EC5D |. 56            push esi                                    ; process handle; first parameter
0041EC5E |. FF15 74F34500 call dword ptr [<&kernel32.ReadProcessMemory>] ; read the process memory
0041EC64 |. 85C0          test eax, eax                               ; test the return value
0041EC66 |. 74 11         je short 0041EC79                           ; on failure jump to the cleanup at the end of the routine
0041EC68 |. 397D FC       cmp dword ptr [ebp-4], edi                  ; compare the number of bytes actually read with the number requested
0041EC6B |. 75 0C         jnz short 0041EC79                          ; if they differ, jump to the cleanup
0041EC6D |. 56            push esi                                    ; process handle; first parameter
0041EC6E |. FF15 A0F34500 call dword ptr [<&kernel32.CloseHandle>]    ; close the process handle
0041EC74 |. 6A 01         push 1                                      ; push 1 onto the stack
0041EC76 |. 58            pop eax                                     ; pop that 1 into eax (return value 1 = success)
0041EC77 |. EB 09         jmp short 0041EC82                          ; unconditional jump to the epilogue
0041EC79 |> 56            push esi                                    ; process handle; first parameter
0041EC7A |. FF15 A0F34500 call dword ptr [<&kernel32.CloseHandle>]    ; close the process handle
0041EC80 |> 33C0          xor eax, eax                                ; clear eax (return value 0 = failure)
0041EC82 |> 5F            pop edi
0041EC83 |. 5E            pop esi                                     ; restore the saved edi and esi
0041EC84 |. C9            leave
0041EC85 \. C2 0C00       retn 0C                                     ; return and remove the 12 bytes of parameters from the stack
The following is the code as I wrote it. So that everyone can follow it, I have not used many raw assembly instructions and instead used the high-level-language-style structured directives.
_MyReadProcessMemory proc uses edi esi lpBaseAddress, lpBuffer, dwSize
    LOCAL @lpNumberOfBytesRead:DWORD            ; local variable, receives the number of bytes actually read
    invoke OpenProcess, PROCESS_VM_READ, NULL,  ; open the process for reading. I did not write the last parameter, the process ID, because I don't know how pushing dword ptr [ecx+20] obtains it. Can anyone tell me?
    mov esi, eax                                ; save the handle returned in eax to esi
    .if esi != 0                                ; did the call succeed?
        mov edi, dwSize                         ; save the dwSize parameter to edi
        lea eax, @lpNumberOfBytesRead           ; load the address of @lpNumberOfBytesRead into eax
        invoke ReadProcessMemory, esi, lpBaseAddress, lpBuffer, dwSize, eax ; read memory
        .if eax != 0                            ; did the call succeed?
            .if @lpNumberOfBytesRead == edi     ; were exactly the requested number of bytes read?
                invoke CloseHandle, esi         ; close the process handle
                push 1                          ; push 1 onto the stack
                pop eax                         ; pop that 1 into eax as the return value, since the return value is passed in eax by convention
                jmp _end                        ; go to the end
            .endif
        .endif
        invoke CloseHandle, esi                 ; close the process handle
    .endif
    xor eax, eax                                ; clear eax: the return value is passed in eax by convention, and 0 means the call failed
_end:
    ret                                         ; return
_MyReadProcessMemory endp
By: xiaobin
QQ: 6750333
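Added example, not part of xiaobin's post: the OpenProcess call traced above, with access mask 10h (PROCESS_VM_READ), is exactly what Sysmon Event ID 10 (ProcessAccess) records in its GrantedAccess field, so this Python pass shows how a defender would pick such cross-process reads out of those events. The allowlist, file paths and event records are constructed assumptions, not real telemetry.

```python
# Added example (not from the original post): decode the GrantedAccess mask of
# Sysmon Event ID 10 records and flag non-allowlisted processes that obtained
# memory-access rights on another process. All events below are constructed.

PROCESS_ACCESS_BITS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",          # the mask the traced routine requests
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
MEMORY_ACCESS = 0x0008 | 0x0010 | 0x0020  # operation, read, write

# Source images allowed to touch other processes' memory (assumed allowlist).
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\lsass.exe"}

SAMPLE_EVENTS = [  # constructed Sysmon ID 10 fields, not real logs
    {"SourceImage": r"C:\Games\Trainer.exe", "TargetImage": r"C:\Games\game.exe", "GrantedAccess": "0x10"},
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Games\game.exe", "GrantedAccess": "0x1fffff"},
    {"SourceImage": r"C:\Tools\procexp.exe", "TargetImage": r"C:\Games\game.exe", "GrantedAccess": "0x1000"},
]

def decode_access(granted):
    """Return the names of the process-access bits set in a GrantedAccess hex string."""
    mask = int(granted, 16)
    return [name for bit, name in sorted(PROCESS_ACCESS_BITS.items()) if mask & bit]

def is_suspicious(event):
    """Flag non-allowlisted sources that obtained VM read/write/operation rights."""
    mask = int(event["GrantedAccess"], 16)
    if not mask & MEMORY_ACCESS:
        return False                      # e.g. query-only access is not a memory read
    return event["SourceImage"].lower() not in ALLOWLIST

def find_memory_readers(events):
    """Return (source, target, decoded rights) for every suspicious event."""
    return [(e["SourceImage"], e["TargetImage"], decode_access(e["GrantedAccess"]))
            for e in events if is_suspicious(e)]

if __name__ == "__main__":
    for src, dst, rights in find_memory_readers(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: {', '.join(rights)}")
```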