24,860
社区成员
发帖
与我相关
我的任务
分享求助反汇编的方法思路
现需写一个能够把Exe文件反汇编的工具。没有一点思路。
或者能够记录指定程序的执行汇编代码。
不太想用现有的工具,想做一个有自己特色的工具。
各位高手都来看下~~~~~~~~~~
指点些思路~~~~~~~
谢谢~
或者能够记录指定程序的执行汇编代码。
不太想用现有的工具,想做一个有自己特色的工具。
各位高手都来看下~~~~~~~~~~
指点些思路~~~~~~~
谢谢~
...全文
请发表友善的回复…
发表回复
我啃 2006-10-18
- 打赏
- 举报
http://sourceforge.net/projects/bindump
上可以下到DASM东西的最新版本
上可以下到DASM东西的最新版本
g961681 2006-10-13
- 打赏
- 举报
上面只有h头文件啊~~~~~~~~~
没c文件~~~~
没c文件~~~~
g961681 2006-10-13
- 打赏
- 举报
g961681@hotmail.com
g961681 2006-10-13
- 打赏
- 举报
好的,谢谢!
我现在没有PEDIY的帐号,楼主有的话,可以给我发一个邀请吗?
谢谢~~~~~~~~
我现在没有PEDIY的帐号,楼主有的话,可以给我发一个邀请吗?
谢谢~~~~~~~~
我啃 2006-10-13
- 打赏
- 举报
应该说这个写得很简练以及方便能看懂,也是我DASM代码一大收集之一:)
希望LZ能写出更好的
希望LZ能写出更好的
我啃 2006-10-13
- 打赏
- 举报
先要弄清楚PE文件(这个PEDIY上面有一个代码,然后找到POINT_OF_ENTRY然后开始识别
当然如何跳过花指令以及提高识别能力要经验和研究,可以到PEDIY上问问
还有几个文件,建议到sourceforge去下载它的程序:
http://sourceforge.net/projects/bindump
当然如何跳过花指令以及提高识别能力要经验和研究,可以到PEDIY上问问
还有几个文件,建议到sourceforge去下载它的程序:
http://sourceforge.net/projects/bindump
g961681 2006-10-13
- 打赏
- 举报
好的,谢谢~
先研究下~~~~~~
先研究下~~~~~~
我啃 2006-10-13
- 打赏
- 举报
主要思路就是Get opcode然后识别转换称ASM代码
我这里有一个SOURCEFORGE上的源代码
/*
*
* File Name:
*
* disasm.h
*
* Summary:
*
* This file was created to be included within a 'disassembler' project for PE
* image files running on x86 and x86-compatible processors.
*
*
*
* Copyright (C) 2004, Isaac Sigasa [isigasa@ananzi.co.za]
* All Rights Reserved
*
*
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED.
* IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*
*/
#ifndef DISASM_H
#define DISASM_H
#include <stdio.h>
#define N NULL
typedef struct _InstructionTemplate
{
char *strOpcode;
char *strOperandsDescr;
}InstructionTemplate, *PInstructionTemplate;
typedef union _RawOpcode
{
unsigned char cByteRawOpcode;
unsigned char ca2ByteRawOpcode[2];
}RawOpcode;
typedef union _RawDisplacement
{
unsigned char cByteRawDisplacement;
unsigned char ca2ByteRawDisplacement[2];
unsigned char ca4ByteRawDisplacement[4];
}RawDisplacement;
typedef union _RawImmediate
{
unsigned char cByteRawImmediate;
unsigned char ca2ByteRawImmediate[2];
unsigned char ca4ByteRawImmediate[4];
}RawImmediate;
typedef struct _IA32RawInstruction
{
unsigned char caRawPrefixes[4];
RawOpcode URawOpcode;
unsigned char ModRM;
unsigned char SIB;
RawDisplacement URawDisplacement;
RawImmediate URawImmediate;
}IA32RawInstruction;
typedef struct _IA32InstructionHelper
{
unsigned char cbRawPrefixes;
unsigned char cbRawOpcode;
unsigned char boolModRMExists;
unsigned char boolSIBExists;
unsigned char cbRawDisplacement;
unsigned char cbRawImmediate;
}IA32InstructionHelper;
typedef struct _IA32InstructionDescription
{
char strPrefix[64];
char strOpcode[64];
char strOperandA[64];
char strOperandB[64];
char strOperandC[64];
}IA32InstructionDescription;
typedef struct _IA32InstructionDecode
{
IA32RawInstruction SIA32RawInstruction;
IA32InstructionHelper SIA32InstructionHelper;
IA32InstructionDescription SIA32InstructionDescription;
}IA32InstructionDecode;
typedef enum tgDefaultOperationSizeAttrib{OpSize16 = 16, OpSize32 = 32}DefaultOperationSizeAttrib;
void Disassemble(const char*pLoadAddress,DefaultOperationSizeAttrib DSize,unsigned char *pStart, unsigned char *pEnd);
int FetchInstructionFrom1ByteOpcodeTable(const unsigned char *pStart,IA32InstructionDecode *pIA32Decode);
int FetchInstructionFrom2ByteOpcodeTable(const unsigned char *pStart,IA32InstructionDecode *pIA32Decode);
int FetchInstructionFromOpcodeExtensionsTable(unsigned const char ucEntry,const unsigned char* pStart,InstructionTemplate OpcodeExtensions[0x10][0x8][0x3],IA32InstructionDecode *pIA32Decode);
int FetchOpcode(const char * pLoadAddress, const unsigned char* pStart, IA32InstructionDecode *pIA32Decode, DefaultOperationSizeAttrib DSize);
unsigned int GetOperandTypeSize(const char *strType);
void GetMemoryOperandSizeStr(const char*strOpType, char *strOut,DefaultOperationSizeAttrib DSize, IA32InstructionDecode *pIA32Decode);
int DecodeGPRegisterRM(const unsigned int size, const unsigned char ModRM, char* strout);
int GetOutputBuffer(int iOpIndex, char** strOutput,IA32InstructionDecode *pIA32Decode);
int IsExplicitRegisterOperand(const char *strTest);
char strlastchr(const char* str);
#define ARRAYSIZE(p) (sizeof(p)/sizeof(*p))
#endif
我这里有一个SOURCEFORGE上的源代码
/*
*
* File Name:
*
* disasm.h
*
* Summary:
*
* This file was created to be included within a 'disassembler' project for PE
* image files running on x86 and x86-compatible processors.
*
*
*
* Copyright (C) 2004, Isaac Sigasa [isigasa@ananzi.co.za]
* All Rights Reserved
*
*
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED.
* IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*
*/
#ifndef DISASM_H
#define DISASM_H
#include <stdio.h>
#define N NULL
typedef struct _InstructionTemplate
{
char *strOpcode;
char *strOperandsDescr;
}InstructionTemplate, *PInstructionTemplate;
typedef union _RawOpcode
{
unsigned char cByteRawOpcode;
unsigned char ca2ByteRawOpcode[2];
}RawOpcode;
typedef union _RawDisplacement
{
unsigned char cByteRawDisplacement;
unsigned char ca2ByteRawDisplacement[2];
unsigned char ca4ByteRawDisplacement[4];
}RawDisplacement;
typedef union _RawImmediate
{
unsigned char cByteRawImmediate;
unsigned char ca2ByteRawImmediate[2];
unsigned char ca4ByteRawImmediate[4];
}RawImmediate;
typedef struct _IA32RawInstruction
{
unsigned char caRawPrefixes[4];
RawOpcode URawOpcode;
unsigned char ModRM;
unsigned char SIB;
RawDisplacement URawDisplacement;
RawImmediate URawImmediate;
}IA32RawInstruction;
typedef struct _IA32InstructionHelper
{
unsigned char cbRawPrefixes;
unsigned char cbRawOpcode;
unsigned char boolModRMExists;
unsigned char boolSIBExists;
unsigned char cbRawDisplacement;
unsigned char cbRawImmediate;
}IA32InstructionHelper;
typedef struct _IA32InstructionDescription
{
char strPrefix[64];
char strOpcode[64];
char strOperandA[64];
char strOperandB[64];
char strOperandC[64];
}IA32InstructionDescription;
typedef struct _IA32InstructionDecode
{
IA32RawInstruction SIA32RawInstruction;
IA32InstructionHelper SIA32InstructionHelper;
IA32InstructionDescription SIA32InstructionDescription;
}IA32InstructionDecode;
typedef enum tgDefaultOperationSizeAttrib{OpSize16 = 16, OpSize32 = 32}DefaultOperationSizeAttrib;
void Disassemble(const char*pLoadAddress,DefaultOperationSizeAttrib DSize,unsigned char *pStart, unsigned char *pEnd);
int FetchInstructionFrom1ByteOpcodeTable(const unsigned char *pStart,IA32InstructionDecode *pIA32Decode);
int FetchInstructionFrom2ByteOpcodeTable(const unsigned char *pStart,IA32InstructionDecode *pIA32Decode);
int FetchInstructionFromOpcodeExtensionsTable(unsigned const char ucEntry,const unsigned char* pStart,InstructionTemplate OpcodeExtensions[0x10][0x8][0x3],IA32InstructionDecode *pIA32Decode);
int FetchOpcode(const char * pLoadAddress, const unsigned char* pStart, IA32InstructionDecode *pIA32Decode, DefaultOperationSizeAttrib DSize);
unsigned int GetOperandTypeSize(const char *strType);
void GetMemoryOperandSizeStr(const char*strOpType, char *strOut,DefaultOperationSizeAttrib DSize, IA32InstructionDecode *pIA32Decode);
int DecodeGPRegisterRM(const unsigned int size, const unsigned char ModRM, char* strout);
int GetOutputBuffer(int iOpIndex, char** strOutput,IA32InstructionDecode *pIA32Decode);
int IsExplicitRegisterOperand(const char *strTest);
char strlastchr(const char* str);
#define ARRAYSIZE(p) (sizeof(p)/sizeof(*p))
#endif
g961681 2006-10-13
- 打赏
- 举报
http://community.csdn.net/Expert/topic/5081/5081139.xml?temp=.6800806
http://community.csdn.net/Expert/topic/5081/5081144.xml?temp=.1508905
或者是能够找到方法的方法也行,不要太难的那种。
http://community.csdn.net/Expert/topic/5081/5081144.xml?temp=.1508905
或者是能够找到方法的方法也行,不要太难的那种。
