Using OD (OllyDbg) to trace part of the Kingsoft Ranger code and restoring the function in assembly


In a spare moment I traced part of Kingsoft Ranger's code and rewrote the complete routine in assembly, following the program's flow. Let's write a trainer!

0041EC32 /. 55             push ebp                                       ; ebp will be used to address the stack and read the external parameters, so save it first
0041EC33 |. 8BEC           mov ebp, esp                                   ; address the stack through ebp, because esp keeps changing
0041EC35 |. 51             push ecx
0041EC36 |. 56             push esi
0041EC37 |. 57             push edi                                       ; the values of the three registers above are saved
0041EC38 |. FF71 20        push dword ptr [ecx+20]                        ; /ID of the process to open, third parameter
0041EC3B |. 6A 00          push 0                                         ; |whether the handle is inheritable: 0 = not inheritable, second parameter
0041EC3D |. 6A 10          push 10                                        ; |desired access; 10 = PROCESS_VM_READ (read permission), first parameter
0041EC3F |. FF15 78F34500  call dword ptr [<&kernel32.OpenProcess>]       ; \open the process; a process must be opened before its memory can be used
0041EC45 |. 8BF0           mov esi, eax                                   ; save the returned handle from eax in esi
0041EC47 |. 85F6           test esi, esi                                  ; test esi to see whether the call succeeded
0041EC49 |. 74 35          je short 0041EC80                              ; on failure, jump to the end of the subroutine (returns 0)
0041EC4B |. 8B7D 10        mov edi, dword ptr [ebp+10]                    ; save the third external parameter in edi
0041EC4E |. 8D45 FC        lea eax, dword ptr [ebp-4]                     ; [ebp-4] is the slot created by the push ecx above (a local variable)
0041EC51 |. 50             push eax                                       ; /receives the number of bytes actually read, fifth parameter
0041EC52 |. 57             push edi                                       ; |number of bytes to read, from [ebp+10], fourth parameter
0041EC53 |. FF75 0C        push dword ptr [ebp+C]                         ; |buffer that receives the data read, third parameter
0041EC56 |. 8365 FC 00     and dword ptr [ebp-4], 0                       ; |initialise the bytes-actually-read counter to 0
0041EC5A |. FF75 08        push dword ptr [ebp+8]                         ; |start address, second parameter
0041EC5D |. 56             push esi                                       ; |process handle, first parameter
0041EC5E |. FF15 74F34500  call dword ptr [<&kernel32.ReadProcessMemory>] ; \read the process memory
0041EC64 |. 85C0           test eax, eax                                  ; test the function's return value
0041EC66 |. 74 11          je short 0041EC79                              ; on failure, jump to the end of the subroutine
0041EC68 |. 397D FC        cmp dword ptr [ebp-4], edi                     ; compare the number of bytes actually read with the length requested
0041EC6B |. 75 0C          jnz short 0041EC79                             ; if they differ, jump to the end of the subroutine
0041EC6D |. 56             push esi                                       ; /process handle, first parameter
0041EC6E |. FF15 A0F34500  call dword ptr [<&kernel32.CloseHandle>]       ; \close the process handle
0041EC74 |. 6A 01          push 1                                         ; push 1 onto the stack
0041EC76 |. 58             pop eax                                        ; pop that 1 into eax (return value 1 = success)
0041EC77 |. EB 09          jmp short 0041EC82                             ; unconditional jump to the epilogue
0041EC79 |> 56             push esi                                       ; /process handle, first parameter
0041EC7A |. FF15 A0F34500  call dword ptr [<&kernel32.CloseHandle>]       ; \close the process handle
0041EC80 |> 33C0           xor eax, eax                                   ; eax = 0 (return value 0 = failure)
0041EC82 |> 5F             pop edi
0041EC83 |. 5E             pop esi                                        ; restore the previously saved edi and esi
0041EC84 |. C9             leave
0041EC85 \. C2 0C00        retn 0C                                        ; return and remove the 12 bytes (three arguments) from the stack

 

The following is the code I rewrote in assembly. To keep it easy for everyone to follow, I have not used many raw assembly instructions and instead use MASM's high-level structured directives (.if/.endif), which read like a high-level language.
.386
.model flat, stdcall
option casemap:none
include windows.inc                         ; MASM32-style include and library names are assumed here
include kernel32.inc
includelib kernel32.lib

_MyReadProcessMemory proc uses esi edi lpBaseAddress:DWORD, lpBuffer:DWORD, dwSize:DWORD
    local @lpNumberOfBytesRead:DWORD        ; local variable that receives the number of bytes actually read

    ; Open the process in read mode. The last parameter is the process handle I did not write, because I
    ; don't know how to get the process handle from "push dword ptr [ecx+20]"; who can tell me?
    ; (Below it is pushed exactly as in the disassembly: ecx is never written inside this routine, so the
    ; caller supplies it, i.e. an object pointer whose member at offset 20h is the process ID.)
    invoke OpenProcess, PROCESS_VM_READ, NULL, dword ptr [ecx+20h]
    mov esi, eax                            ; save the returned handle from eax in esi
    .if esi != 0                            ; did the call succeed? (the original does test esi, esi / je)
        mov edi, dwSize                     ; save the dwSize parameter in edi
        lea eax, @lpNumberOfBytesRead       ; load the address of @lpNumberOfBytesRead into eax
        invoke ReadProcessMemory, esi, lpBaseAddress, lpBuffer, dwSize, eax ; read the memory
        .if eax != 0                        ; did the call succeed?
            .if @lpNumberOfBytesRead == edi ; were exactly the requested number of bytes read?
                invoke CloseHandle, esi     ; close the process handle
                push 1                      ; push 1 onto the stack ...
                pop eax                     ; ... and pop it into eax as the return value (return values go in eax by convention)
                jmp _end                    ; go to the end
            .endif
        .endif
        invoke CloseHandle, esi             ; close the process handle
    .endif
    xor eax, eax                            ; eax = 0: the return value goes in eax by convention, and 0 means failure
_end:
    ret                                     ; return (stdcall: ret also removes the 12 bytes of arguments)
_MyReadProcessMemory endp

end
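Added example (mine, not from the original post): the push-to-parameter matching done by hand in the comments of the listing above, and relied on in the rewrite, can be checked mechanically. The script parses the argument-setup lines of the dump (copied from the listing with comments stripped), pairs each push with the SDK parameter names in stdcall order (last push = first parameter), and names [ebp+8], [ebp+C] and [ebp+10] as the routine's own arguments 1 to 3; the PROTOTYPES table and the helper names are my own.

```python
import re
# stdcall prototypes (SDK parameter names) for the kernel32 imports the routine calls
PROTOTYPES = {
    "openprocess": ("OpenProcess", ["dwDesiredAccess", "bInheritHandle", "dwProcessId"]),
    "readprocessmemory": ("ReadProcessMemory", ["hProcess", "lpBaseAddress", "lpBuffer", "nSize", "lpNumberOfBytesRead"]),
}
# The argument-setup lines of the OllyDbg dump above, comments stripped and spacing normalised
LISTING = """\
0041EC38  FF71 20         push dword ptr [ecx+20]
0041EC3B  6A 00           push 0
0041EC3D  6A 10           push 10
0041EC3F  FF15 78F34500   call dword ptr [<&kernel32.OpenProcess>]
0041EC51  50              push eax
0041EC52  57              push edi
0041EC53  FF75 0C         push dword ptr [ebp+C]
0041EC5A  FF75 08         push dword ptr [ebp+8]
0041EC5D  56              push esi
0041EC5E  FF15 74F34500   call dword ptr [<&kernel32.ReadProcessMemory>]
0041EC74  6A 01           push 1
0041EC76  58              pop eax
"""
# address, opcode bytes, instruction (mnemonics made only of hex letters, e.g. "add", would need a stricter byte column)
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+((?:[0-9A-F]{2,8}\s+)+)(\S.*)$", re.I)
CALL_RE = re.compile(r"call dword ptr \[<&kernel32\.(\w+)>\]", re.I)
STACK_ARG_RE = re.compile(r"dword ptr \[ebp\+([0-9A-F]+)\]", re.I)

def name_operand(operand):
    """[ebp+8] is the routine's first argument: [ebp] is the saved ebp and [ebp+4] the return address."""
    m = STACK_ARG_RE.fullmatch(operand)
    return f"arg{(int(m.group(1), 16) - 4) // 4}" if m else operand

def recover_calls(listing):
    """Pair pushes with parameters: stdcall pushes right to left, so the last push before a call is parameter 1."""
    calls, pending = [], []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ins = m.group(3).strip()
        mnemonic, _, operand = ins.partition(" ")
        call = CALL_RE.fullmatch(ins)
        if mnemonic == "push":
            pending.append(name_operand(operand))
        elif mnemonic == "pop":
            pending.pop()  # "push 1 / pop eax" is a 3-byte mov eax, 1: the pushed value is not an argument
        elif call:
            api, params = PROTOTYPES[call.group(1).lower()]
            assert len(pending) == len(params), f"{api}: push count does not match the prototype"
            calls.append(f"{api}(" + ", ".join(f"{p}={v}" for p, v in zip(params, reversed(pending))) + ")")
            pending.clear()  # stdcall: the callee's retn N removes its own arguments
    return calls
```

The dwProcessId=dword ptr [ecx+20] entry in the output is the answer to the question in the rewrite: ecx is never written inside the routine, so the caller supplies it, which is what MSVC does for the this pointer of a __thiscall member function, and the process ID is the member at offset 20h of that object.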

 

By: xiaobin
QQ: 6750333
