An example of using a disassembler on Windows

Source: Internet
Uploaded by: User

Once a program written on Windows has been assembled and linked, it can be loaded and run under a debugger such as debug, and its disassembly can be examined; this is a convenient way to understand how "assembly instructions" are translated into "machine instructions". Many such tools exist for Windows programs, including SoftICE, TRW, W32dasm, IDA and Hiew. This article looks at W32dasm.

;===============================================================
;Example: fetch the command-line arguments and display them in a message box
;File name: 6.asm

.386
.model flat,stdcall
option casemap:none

include windows.inc ;constant and structure definitions

include kernel32.inc ;function prototypes
include user32.inc

includelib kernel32.lib ;import libraries used
includelib user32.lib

.data
szCaption db "命令列參數",0

.code
start:
invoke GetCommandLine
invoke MessageBox,NULL,eax,addr szCaption,MB_OK
invoke ExitProcess,NULL
end start
---------------------------------------------------------
API function used:
LPTSTR GetCommandLine(VOID)
This function has no parameters.
The return value is a pointer to the command-line string for the current process.
---------------------------------------------------------
Assemble and link:

---------------------------------------------------------

W32dasm is used below to disassemble 6.exe.

Start W32dasm, choose Open File to Disassemble... from the Disassembler menu, and in the dialog that appears select the program to disassemble, here 6.exe, and open it.

On first use the display may look garbled; choose Disassembler/Font.../Select Font and pick a suitable font to fix it, then Disassembler/Font.../Save Default Font so that the display is no longer garbled the next time the program is started. The disassembly of 6.exe is shown below:

Disassembly of File: 6.exe
Code Offset = 00000400, Code Size = 00000200
Data Offset = 00000800, Data Size = 00000200

Number of Objects = 0003 (dec), Imagebase = 00400000h

Object01: .text RVA: 00001000 Offset: 00000400 Size: 00000200 Flags: 60000020
Object02: .rdata RVA: 00002000 Offset: 00000600 Size: 00000200 Flags: 40000040
Object03: .data RVA: 00003000 Offset: 00000800 Size: 00000200 Flags: C0000040

+++++++++++++++++++ MENU INFORMATION ++++++++++++++++++

There Are No Menu Resources in This Application

+++++++++++++++++ DIALOG INFORMATION ++++++++++++++++++

There Are No Dialog Resources in This Application

+++++++++++++++++++ IMPORTED FUNCTIONS ++++++++++++++++++
Number of Imported Modules = 2 (decimal) ;this program uses two import libraries

Import Module 001: KERNEL32.dll
Import Module 002: USER32.dll

+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++

Import Module 001: KERNEL32.dll ;the following two functions from this library are used

Addr:00002072 hint(00B6) Name: GetCommandLineA
Addr:00002064 hint(0075) Name: ExitProcess

Import Module 002: USER32.dll

Addr:00002092 hint(01BB) Name: MessageBoxA

+++++++++++++++++++ EXPORTED FUNCTIONS ++++++++++++++++++
Number of Exported Functions = 0000 (decimal)

+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object .text **************
Program Entry Point = 00401000 (6.exe File Offset:00001600)

* Reference To: KERNEL32.GetCommandLineA, Ord:00B6h
|

//******************** Program Entry Point ******** ;program entry point
:00401000 E81D000000 Call 00401022 ;fetch the command line
:00401005 6A00 push 00000000
:00401007 680E304000 push 0040300E
:0040100C 50 push eax
:0040100D 6A00 push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BBh
|
:0040100F E814000000 Call 00401028 ;display the message box
:00401014 6A00 push 00000000

* Reference To: KERNEL32.ExitProcess, Ord:0075h
|
:00401016 E801000000 Call 0040101C ;terminate the program
:0040101B CC int 03

* Referenced by a CALL at Address:
|:00401016
|

* Reference To: KERNEL32.ExitProcess, Ord:0075h
|
:0040101C FF2504204000 Jmp dword ptr [00402004] ;jump to ExitProcess

* Referenced by a CALL at Address:
|:00401000
|

* Reference To: KERNEL32.GetCommandLineA, Ord:00B6h
|
:00401022 FF2500204000 Jmp dword ptr [00402000] ;jump to GetCommandLine

* Reference To: USER32.MessageBoxA, Ord:01BBh
|
:00401028 FF250C204000 Jmp dword ptr [0040200C] ;jump to MessageBoxA

-----------------------------------------------------------------------
Question: why was invoke GetCommandLine not assembled directly into Call dword ptr [00402000], but into the following form instead?
:00401000 E81D000000 Call 00401022 ;fetch the command line
...
:00401022 FF2500204000 Jmp dword ptr [00402000] ;jump to GetCommandLine

Note: when the loader loads the program it also has to perform relocation, that is, the addresses of the functions in dynamic-link libraries must be filled in before the code can run. If a function is called 100 times, with the second form the loader only needs to patch one location, whereas with the first form it would have to patch 100 locations, which clearly increases the loader's work.
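The chain the listing shows (call site -> FF 25 thunk -> IAT slot -> import name) is exactly what a disassembler follows to produce its "Reference To" annotations. The following Python is an added example, not part of the original article or of W32dasm: the .text bytes are reconstructed from the hex column of the listing above, and the IAT-slot-to-name table is taken from its IMPORT MODULE DETAILS section (the image is assumed to be unrelocated at its 00400000 base).

```python
import struct

TEXT_VA = 0x00401000  # .text RVA 0x1000 + image base 0x400000 (from the listing)
# .text bytes reconstructed from the hex column of the W32dasm listing above.
TEXT = bytes.fromhex(
    "E81D000000"                          # 00401000  call 00401022
    "6A00" "680E304000" "50" "6A00"       # push arguments for MessageBoxA
    "E814000000"                          # 0040100F  call 00401028
    "6A00"                                # push 0
    "E801000000"                          # 00401016  call 0040101C
    "CC"                                  # 0040101B  int 3 (padding)
    "FF2504204000"                        # 0040101C  jmp dword ptr [00402004]
    "FF2500204000"                        # 00401022  jmp dword ptr [00402000]
    "FF250C204000"                        # 00401028  jmp dword ptr [0040200C]
)
# IAT slot -> import name, from the IMPORT MODULE DETAILS section above. The
# IAT sits at RVA 0x2000 in .rdata; the loader writes each resolved address
# into exactly one slot, so every call site can share the same thunk.
IAT = {
    0x00402000: "KERNEL32.GetCommandLineA",
    0x00402004: "KERNEL32.ExitProcess",
    0x0040200C: "USER32.MessageBoxA",
}

def decode_call_rel32(va):
    """Decode E8 rel32 at `va` and return the branch target VA."""
    off = va - TEXT_VA
    if TEXT[off] != 0xE8:
        raise ValueError(f"no near call at {va:08X}")
    rel = struct.unpack_from("<i", TEXT, off + 1)[0]
    return va + 5 + rel  # rel32 is relative to the next instruction

def decode_jmp_indirect(va):
    """Decode an FF 25 disp32 thunk at `va` and return the IAT slot it reads."""
    off = va - TEXT_VA
    if TEXT[off:off + 2] != b"\xFF\x25":
        raise ValueError(f"no indirect jmp at {va:08X}")
    return struct.unpack_from("<I", TEXT, off + 2)[0]  # absolute, unrelocated image

def resolve_import_call(call_va):
    """Follow call site -> thunk -> IAT slot, as W32dasm's 'Reference To' does."""
    thunk = decode_call_rel32(call_va)
    slot = decode_jmp_indirect(thunk)
    return thunk, slot, IAT.get(slot, "<unknown>")

if __name__ == "__main__":
    for site in (0x00401000, 0x0040100F, 0x00401016):
        thunk, slot, name = resolve_import_call(site)
        print(f"{site:08X}: call {thunk:08X} -> jmp [{slot:08X}] -> {name}")
```

On a real binary the IAT table would be read from the import directory rather than typed in, and a thunk whose target slot is not in the IAT is a useful thing to flag during analysis.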

Run Debug/Load Process, enter the command-line arguments in the window that appears (or leave it empty) and confirm; the debug window shown below appears, and it is operated just like debug under DOS.
