对OllyDbg1输出函数底层分析(一)
看完了API级别的基本用法,现在来看对应的OllyDbg内部实现吧!这样可以和第二章作对照。这里只进行简单分析,即贴出按反汇编还原的C语言源码;如对逆向分析的具体过程感兴趣,请关注我的书。以下每一节对应第二章的各个节,实为深入底层的研究。

深入分析OllyDbg加载插件过程
ODBG_Plugindata ODBG_Plugininit ODBG_Pluginmenu
加载插件是在OllyDbg启动后、加载被调试程序之前完成的,因此需要用另一个OllyDbg实例来调试OllyDbg.exe自身。文档中说OllyDbg先检查_ODBG_Plugindata,那么下条件断点 bp Kernel32.GetProcAddress,[...]=="_ODBG_Plugindata"(转载时方括号内取第二个参数lpProcName的表达式已丢失。同样的问题贯穿全文:下面反汇编中所有方括号内的内存操作数以及C代码中的数组长度/下标都被剥离了,例如 `lea eax,` 后面为空、`mov , eax` 缺少目标,阅读时请对照原始IDA输出),会发现断在以地址0x00496658开始的函数中。查看其反汇编代码,先进行总体分析,发现有多处调用GetProcAddress,初步判断为加载插件的模块,命名为LoadPlugins,反汇编代码如下:
; LoadPlugins (0x00496658, Borland cdecl): enumerates *.dll in the plugin
; directory, LoadLibrary's each file, requires the _ODBG_Plugindata and
; _ODBG_Plugininit exports, checks the reported version, resolves the
; optional callbacks into a fixed table and adds a "Plugins" menu.
; Returns the number of accepted plugins in eax (dword_4F55B4).
;
; NOTE(review): this listing lost every bracketed memory operand during
; extraction ("lea eax," / "mov , eax" / "cmp , 0"). Stack-slot and
; table-field references in the comments below are inferred from the
; surrounding code and the C reconstruction, and are marked as such.
;
; SECURITY: every DLL matched by the wildcard scan is handed to LoadLibraryA
; (so its DllMain runs) *before* any validation. The only gates afterwards
; are "both exports exist" and "version in 106..110". Nothing checks where
; the DLL came from, so any DLL planted in the plugin directory executes with
; the debugger's privileges; keep that directory writable only by trusted users.
.text:00496658 push ebx
.text:00496659 push esi
.text:0049665A push edi
.text:0049665B push ebp
; Borland stack probe: -0xFFC, a 4-byte push, then -0x450 = 0x1450 bytes of
; locals (matches "add esp, 1450h" at loc_496B40).
.text:0049665C add esp, 0FFFFF004h
; ebp keeps the constant "*.dll" for the whole function.
.text:00496662 mov ebp, offset alldll ; "*.dll"
.text:00496667 push eax
.text:00496668 add esp, 0FFFFFBB0h
; memset(plugin_table, 0, 0x4B00): 0x4B00 = 32 * 0x258, i.e. 32 entries of the
; 0x258-byte stride that CallEverymainloop/CallEveryshortcut step through.
.text:0049666E push 4B00h ; n
.text:00496673 push 0 ; c
.text:00496675 push offset unk_4F0AB4 ; s
.text:0049667A call _memset
.text:0049667F xor eax, eax
.text:00496681 add esp, 0Ch
; pluginnum (dword_4F55B4) = 0
.text:00496684 mov dword_4F55B4, eax
; Inline strcpy idiom: repne scasb computes strlen+1 into ecx, then
; rep movsd/movsb copies that many bytes. Source is the plugin-directory
; path string (aCUsersLichaoDe -- a runtime buffer, hence the stale 0xFF
; bytes IDA shows); destination is a stack buffer whose operand was stripped.
; No bound against the destination size is checked on this path.
.text:00496689 xor eax, eax
.text:0049668B or ecx, 0FFFFFFFFh
.text:0049668E mov edi, offset aCUsersLichaoDe ;"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
.text:00496693 repne scasb
.text:00496695 not ecx
.text:00496697 sub edi, ecx
.text:00496699 lea esi,
.text:004966A0 xchg esi, edi
.text:004966A2 mov edx, ecx
.text:004966A4 mov eax, edi
.text:004966A6 shr ecx, 2
.text:004966A9 lea eax,
.text:004966B0 rep movsd
.text:004966B2 mov ecx, edx
.text:004966B4 and ecx, 3
.text:004966B7 rep movsb
; edi = strlen(path); if non-empty and last char != '\' (0x5C), append '\'.
.text:004966B9 push eax ; s
.text:004966BA call _strlen
.text:004966BF pop ecx
.text:004966C0 mov edi, eax
.text:004966C2 test edi, edi
.text:004966C4 jle short loc_4966DD
.text:004966C6 xor eax, eax
.text:004966C8 mov al,
.text:004966CF cmp eax, 5Ch
.text:004966D2 jz short loc_4966DD
.text:004966D4 mov , 5Ch
.text:004966DC inc edi
.text:004966DD
.text:004966DDloc_4966DD: ;CODE XREF: LoadPlugins+6Cj
.text:004966DD ;LoadPlugins+7Aj
; Append "*.dll\0": movsd + movsw copy exactly 6 bytes from ebp ("*.dll")
; to path + len, giving the FindFirstFile pattern "<plugindir>\*.dll".
.text:004966DD lea edx,
.text:004966E4 mov esi, ebp
.text:004966E6 add edi, edx
.text:004966E8 push edi
.text:004966E9 mov eax, edi
.text:004966EB movsd
.text:004966EC movsw
.text:004966EE pop edi
; hFind = FindFirstFileA(pattern, &find_data); INVALID_HANDLE_VALUE -> return 0.
.text:004966EF lea edx,
.text:004966F6 push edx ; lpFindFileData
.text:004966F7 lea ecx,
.text:004966FE push ecx ; lpFileName
.text:004966FF call FindFirstFileA
.text:00496704 mov , eax
.text:00496708 cmp , 0FFFFFFFFh
.text:0049670D jnz short loc_496716
.text:0049670F xor eax, eax
.text:00496711 jmp loc_496B40
.text:00496716; ---------------------------------------------------------------------------
.text:00496716
.text:00496716loc_496716: ; CODE XREF: LoadPlugins+B5j
; pluginmenu = CreateMenu(); NULL -> return 0 (find handle is leaked on this path).
.text:00496716 call CreateMenu
.text:0049671B mov , eax
.text:0049671F cmp , 0
.text:00496724 jnz short loc_49672D
.text:00496726 xor eax, eax
.text:00496728 jmp loc_496B40
.text:0049672D; ---------------------------------------------------------------------------
.text:0049672D
.text:0049672Dloc_49672D: ;CODE XREF: LoadPlugins+CCj
.text:0049672D ;LoadPlugins+499j
; ---- per-file loop (FindNextFileA at 00496AEA jumps back here) ----
; esi doubles as "module to free": 0 means nothing was loaded this round.
.text:0049672D xor esi, esi
; _fnsplit(cFileName, NULL, NULL, name, NULL) extracts the base name, then two
; stricmp's skip specific names (psapi / dbghelp per the C reconstruction;
; the string operands were stripped here). Note this is a name check only.
.text:0049672F push 0
.text:00496731 lea eax,
.text:00496738 push eax
.text:00496739 push 0
.text:0049673B push 0
.text:0049673D lea edx,
.text:00496744 push edx
.text:00496745 call j___fnsplit
.text:0049674A add esp, 14h
.text:0049674D lea ecx,
.text:00496750 push ecx ; s2
.text:00496751 lea eax,
.text:00496758 push eax ; s1
.text:00496759 call _stricmp
.text:0049675E add esp, 8
.text:00496761 test eax, eax
.text:00496763 jz loc_496AD3
.text:00496769 lea edx,
.text:0049676C push edx ; s2
.text:0049676D lea ecx,
.text:00496774 push ecx ; s1
.text:00496775 call _stricmp
.text:0049677A add esp, 8
.text:0049677D test eax, eax
.text:0049677F jz loc_496AD3
; Rebuild "<plugindir>\" on the stack (same unbounded strlen/memcpy idiom as above).
.text:00496785 xor eax, eax
.text:00496787 or ecx, 0FFFFFFFFh
.text:0049678A mov edi, offset aCUsersLichaoDe ;"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
.text:0049678F lea esi,
.text:00496796 repne scasb
.text:00496798 not ecx
.text:0049679A sub edi, ecx
.text:0049679C mov edx, ecx
.text:0049679E xchg esi, edi
.text:004967A0 shr ecx, 2
.text:004967A3 mov eax, edi
.text:004967A5 rep movsd
.text:004967A7 mov ecx, edx
.text:004967A9 lea eax,
.text:004967B0 and ecx, 3
.text:004967B3 rep movsb
.text:004967B5 push eax ; s
.text:004967B6 call _strlen
.text:004967BB pop ecx
.text:004967BC mov edi, eax
.text:004967BE test edi, edi
.text:004967C0 jle short loc_4967D9
.text:004967C2 xor eax, eax
.text:004967C4 mov al,
.text:004967CB cmp eax, 5Ch
.text:004967CE jz short loc_4967D9
.text:004967D0 mov , 5Ch
.text:004967D8 inc edi
.text:004967D9
.text:004967D9loc_4967D9: ;CODE XREF: LoadPlugins+168j
.text:004967D9 ;LoadPlugins+176j
; ...then append find_data.cFileName (operand stripped) to form the full path.
.text:004967D9 lea edx,
.text:004967E0 xor eax, eax
.text:004967E2 add edi, edx
.text:004967E4 or ecx, 0FFFFFFFFh
.text:004967E7 push edi
.text:004967E8 mov esi, edi
.text:004967EA lea edi,
.text:004967F1 repne scasb
.text:004967F3 not ecx
.text:004967F5 sub edi, ecx
.text:004967F7 mov edx, ecx
.text:004967F9 xchg esi, edi
.text:004967FB shr ecx, 2
.text:004967FE mov eax, edi
.text:00496800 rep movsd
.text:00496802 mov ecx, edx
.text:00496804 and ecx, 3
.text:00496807 rep movsb
.text:00496809 pop edi
; SECURITY: esi = LoadLibraryA(fullpath). The DLL's DllMain executes here,
; before any of the export/version checks below. NULL -> skip this file.
.text:0049680A lea eax,
.text:00496811 push eax ; lpLibFileName
.text:00496812 call LoadLibraryA
.text:00496817 mov esi, eax
.text:00496819 test esi, esi
.text:0049681B jz loc_496AD3
; Resolve the two mandatory exports (names stripped; the breakpoint in the text
; shows the first is "_ODBG_Plugindata"): ebx = Plugindata, edi = Plugininit.
; Both must be present, otherwise the module is freed at loc_496AD3.
.text:00496821 lea eax,
.text:00496824 push eax ; lpProcName
.text:00496825 push esi ; hModule
.text:00496826 call GetProcAddress
.text:0049682B mov ebx, eax
.text:0049682D lea eax,
.text:00496830 push eax ; lpProcName
.text:00496831 push esi ; hModule
.text:00496832 call GetProcAddress
.text:00496837 mov edi, eax
.text:00496839 test ebx, ebx
.text:0049683B jz loc_496AD3
.text:00496841 test edi, edi
.text:00496843 jz loc_496AD3
; name[0] = 0; ecx = ODBG_Plugindata(name). Accept only 0x6A (106) <= ret <= 0x6E
; (110) -- signed jl/jg -- AND a non-empty name; anything else is "invalid version".
.text:00496849 mov , 0
.text:0049684E lea eax,
.text:00496852 push eax
.text:00496853 call ebx
.text:00496855 pop ecx
.text:00496856 mov ecx, eax
.text:00496858 cmp ecx, 6Ah
.text:0049685B jl short loc_496869
.text:0049685D cmp ecx, 6Eh
.text:00496860 jg short loc_496869
.text:00496862 cmp , 0
.text:00496867 jnz short loc_49689C
.text:00496869
.text:00496869loc_496869: ;CODE XREF: LoadPlugins+203j
.text:00496869 ;LoadPlugins+208j
; Reject path: Addtolist(0, 0, fmt, name, ret/100, ret%100) -- the two idiv by
; 0x64 split the version into major.minor; then fall through to FreeLibrary.
.text:00496869 mov eax, ecx
.text:0049686B mov ebx, 64h
.text:00496870 cdq
.text:00496871 idiv ebx
.text:00496873 push edx
.text:00496874 mov eax, ecx
.text:00496876 mov ecx, 64h
.text:0049687B cdq
.text:0049687C idiv ecx
.text:0049687E push eax
.text:0049687F lea eax,
.text:00496886 push eax ; arglist
.text:00496887 lea edx,
.text:0049688A push edx ; format
.text:0049688B push 0 ; highlight
.text:0049688D push 0 ; addr
.text:0049688F call _Addtolist
.text:00496894 add esp, 18h
.text:00496897 jmp loc_496AD3
.text:0049689C; ---------------------------------------------------------------------------
.text:0049689C
.text:0049689Cloc_49689C: ;CODE XREF: LoadPlugins+20Fj
; ebx = &table[pluginnum]: shl 3 followed by three lea's (operands stripped);
; presumably *8 *3 *5 *5 = *600 = 0x258, the entry stride. No check that
; pluginnum < 32 is visible here -- the table size comes only from the memset.
.text:0049689C mov ebx, dword_4F55B4
.text:004968A2 shl ebx, 3
.text:004968A5 lea ebx,
.text:004968A8 lea ebx,
.text:004968AB lea ebx,
.text:004968AE add ebx, offset unk_4F0AB4
; entry.hmod = esi, then copy the file name into the entry with the same
; unbounded strlen/memcpy idiom (entry field size not recoverable here).
.text:004968B4 mov , esi
.text:004968B6 lea eax,
.text:004968B9 push esi
.text:004968BA mov esi, eax
.text:004968BC push edi
.text:004968BD xor eax, eax
.text:004968BF lea edi,
.text:004968C6 or ecx, 0FFFFFFFFh
.text:004968C9 repne scasb
.text:004968CB not ecx
.text:004968CD sub edi, ecx
.text:004968CF mov edx, ecx
.text:004968D1 xchg esi, edi
.text:004968D3 shr ecx, 2
.text:004968D6 mov eax, edi
.text:004968D8 rep movsd
.text:004968DA mov ecx, edx
.text:004968DC lea edx,
.text:004968E2 and ecx, 3
.text:004968E5 rep movsb
.text:004968E7 pop edi
.text:004968E8 pop esi
; strncpy(entry.name, name, 0x1F) plus an explicit NUL afterwards: the plugin-
; supplied name is the one copy that is bounded and always terminated.
.text:004968E9 push 1Fh ; maxlen
.text:004968EB lea eax,
.text:004968EF push eax ; src
.text:004968F0 push edx ; dest
.text:004968F1 call _strncpy
.text:004968F6 add esp, 0Ch
.text:004968F9 lea ecx,
.text:004968FC mov byte ptr , 0
; Ten optional callbacks resolved by GetProcAddress into the entry (names
; stripped; the C reconstruction lists Pluginaction, Pluginmainloop, Pluginmenu,
; Pluginshortcut, Pluginsaveudd, Pluginuddrecord, Pluginreset, Paused, Pausedex,
; Plugincmd). A NULL result is stored as-is; callers must test before calling.
.text:00496903 push ecx ; lpProcName
.text:00496904 push esi ; hModule
.text:00496905 call GetProcAddress
.text:0049690A mov , eax
.text:00496910 lea eax,
.text:00496913 push eax ; lpProcName
.text:00496914 push esi ; hModule
.text:00496915 call GetProcAddress
.text:0049691A mov , eax
.text:00496920 lea edx,
.text:00496926 push edx ; lpProcName
.text:00496927 push esi ; hModule
.text:00496928 call GetProcAddress
.text:0049692D mov , eax
.text:00496933 lea ecx,
.text:00496939 push ecx ; lpProcName
.text:0049693A push esi ; hModule
.text:0049693B call GetProcAddress
.text:00496940 mov , eax
.text:00496946 lea eax,
.text:0049694C push eax ; lpProcName
.text:0049694D push esi ; hModule
.text:0049694E call GetProcAddress
.text:00496953 mov , eax
.text:00496959 lea edx,
.text:0049695F push edx ; lpProcName
.text:00496960 push esi ; hModule
.text:00496961 call GetProcAddress
.text:00496966 mov , eax
.text:0049696C lea ecx,
.text:00496972 push ecx ; lpProcName
.text:00496973 push esi ; hModule
.text:00496974 call GetProcAddress
.text:00496979 mov , eax
.text:0049697F lea eax,
.text:00496985 push eax ; lpProcName
.text:00496986 push esi ; hModule
.text:00496987 call GetProcAddress
.text:0049698C mov , eax
.text:00496992 lea edx,
.text:00496998 push edx ; lpProcName
.text:00496999 push esi ; hModule
.text:0049699A call GetProcAddress
.text:0049699F mov , eax
.text:004969A5 lea ecx,
.text:004969AB push ecx ; lpProcName
.text:004969AC push esi ; hModule
.text:004969AD call GetProcAddress
.text:004969B2 mov , eax
; feature = 0 on the stack (esp points at it); edi = ODBG_Plugininit(0x6E = 110,
; hwmain, &feature), cdecl (caller pops 0xC). This is the second call into
; untrusted plugin code.
.text:004969B8 xor eax, eax
.text:004969BA mov , eax
.text:004969BD push esp
.text:004969BE mov edx, hwmain
.text:004969C4 push edx
.text:004969C5 push 6Eh
.text:004969C7 call edi
.text:004969C9 add esp, 0Ch
.text:004969CC mov edi, eax
.text:004969CE test edi, edi
.text:004969D0 jz short loc_4969F3
; Non-zero -> Addtolist("... failed to initialize (code %i)", name, code) and skip;
; esi is still the module handle, so FreeLibrary runs at loc_496AD3.
.text:004969D2 push edi
.text:004969D3 lea ecx,
.text:004969DA push ecx ; arglist
.text:004969DB lea eax,
.text:004969E1 push eax ; format
.text:004969E2 push 0 ; highlight
.text:004969E4 push 0 ; addr
.text:004969E6 call _Addtolist
.text:004969EB add esp, 14h
.text:004969EE jmp loc_496AD3
.text:004969F3; ---------------------------------------------------------------------------
.text:004969F3
.text:004969F3loc_4969F3: ;CODE XREF: LoadPlugins+378j
; esi = menu id base = pluginnum*64 + 0xE000 (57344). CallEveryaction reverses
; this to map a WM_COMMAND id back to (plugin index, item offset).
.text:004969F3 mov esi, dword_4F55B4
.text:004969F9 shl esi, 6
.text:004969FC add esi, 0E000h
; name[0] = 0; if entry.ODBG_Pluginmenu != NULL: call it (origin 0, buffer, NULL).
; Only a non-zero return with a non-empty name leads to a popup submenu.
.text:00496A02 mov , 0
.text:00496A07 cmp dword ptr , 0
.text:00496A0E jz short loc_496A2D
.text:00496A10 push 0
.text:00496A12 lea eax,
.text:00496A16 push eax
.text:00496A17 push 0
.text:00496A19 call dword ptr
.text:00496A1F add esp, 0Ch
.text:00496A22 test eax, eax
.text:00496A24 jz short loc_496A2D
.text:00496A26 cmp , 0
.text:00496A2B jnz short loc_496A31
.text:00496A2D
.text:00496A2Dloc_496A2D: ;CODE XREF: LoadPlugins+3B6j
.text:00496A2D ;LoadPlugins+3CCj
; No menu: edi = 0 and the plugin is still registered below (plain item).
.text:00496A2D xor edi, edi
.text:00496A2F jmp short loc_496A38
.text:00496A31; ---------------------------------------------------------------------------
.text:00496A31
.text:00496A31loc_496A31: ;CODE XREF: LoadPlugins+3D3j
.text:00496A31 call CreateMenu
.text:00496A36 mov edi, eax
.text:00496A38
.text:00496A38loc_496A38: ;CODE XREF: LoadPlugins+3D7j
; With a popup: sub_496260(hMenu=edi, entry=ebx, idbase=esi, 1) fills the
; submenu (called CreateSubMenu in the C reconstruction); dword_4F55BC is
; pointed at a stack buffer first (operand stripped).
.text:00496A38 test edi, edi
.text:00496A3A jz short loc_496A52
.text:00496A3C lea eax,
.text:00496A40 mov dword_4F55BC, eax
.text:00496A45 push 1 ; int
.text:00496A47 push esi ; int
.text:00496A48 push ebx ; int
.text:00496A49 push edi ; hMenu
.text:00496A4A call sub_496260
.text:00496A4F add esp,10h
.text:00496A52
.text:00496A52loc_496A52: ;CODE XREF: LoadPlugins+3E2j
; Menu caption (formats stripped): for the first ten plugins "&%i%s" with
; (pluginnum+1)%10 as hotkey digit, otherwise "%s"; ebx+0x108 presumably is the
; name field. sprintf writes into a fixed stack buffer.
.text:00496A52 mov ecx, dword_4F55B4
.text:00496A58 cmp ecx, 0Ah
.text:00496A5B jge short loc_496A86
.text:00496A5D add ebx, 108h
.text:00496A63 push ebx
.text:00496A64 mov eax, ecx
.text:00496A66 inc eax
.text:00496A67 mov ecx, 0Ah
.text:00496A6C cdq
.text:00496A6D idiv ecx
.text:00496A6F push edx
.text:00496A70 lea eax,
.text:00496A76 push eax ; format
.text:00496A77 lea edx,
.text:00496A7B push edx ; buffer
.text:00496A7C call _sprintf
.text:00496A81 add esp, 10h
.text:00496A84 jmp short loc_496AA1
.text:00496A86; ---------------------------------------------------------------------------
.text:00496A86
.text:00496A86loc_496A86: ;CODE XREF: LoadPlugins+403j
.text:00496A86 add ebx, 108h
.text:00496A8C push ebx
.text:00496A8D lea eax,
.text:00496A93 push eax ; format
.text:00496A94 lea edx,
.text:00496A98 push edx ; buffer
.text:00496A99 call _sprintf
.text:00496A9E add esp, 0Ch
.text:00496AA1
.text:00496AA1loc_496AA1: ;CODE XREF: LoadPlugins+42Cj
; AppendMenuA(pluginmenu, 0, idbase, caption) for a plain item, or
; AppendMenuA(pluginmenu, MF_POPUP (0x10), popup, caption) for a submenu.
.text:00496AA1 test edi, edi
.text:00496AA3 jnz short loc_496AB9
.text:00496AA5 lea ecx,
.text:00496AA9 push ecx ; lpNewItem
.text:00496AAA push esi ; uIDNewItem
.text:00496AAB push 0 ; uFlags
.text:00496AAD mov eax,
.text:00496AB1 push eax ; hMenu
.text:00496AB2 call AppendMenuA
.text:00496AB7 jmp short loc_496ACB
.text:00496AB9; ---------------------------------------------------------------------------
.text:00496AB9
.text:00496AB9loc_496AB9: ;CODE XREF: LoadPlugins+44Bj
.text:00496AB9 lea edx,
.text:00496ABD push edx ; lpNewItem
.text:00496ABE push edi ; uIDNewItem
.text:00496ABF push 10h ; uFlags
.text:00496AC1 mov ecx,
.text:00496AC5 push ecx ; hMenu
.text:00496AC6 call AppendMenuA
.text:00496ACB
.text:00496ACBloc_496ACB: ;CODE XREF: LoadPlugins+45Fj
; Accepted: pluginnum++ and esi = 0 so the module is NOT freed below.
.text:00496ACB inc dword_4F55B4
.text:00496AD1 xor esi, esi
.text:00496AD3
.text:00496AD3loc_496AD3: ;CODE XREF: LoadPlugins+10Bj
.text:00496AD3 ; LoadPlugins+127j ...
; Common tail of one iteration: rejected modules (esi != 0) are unloaded here.
.text:00496AD3 test esi, esi
.text:00496AD5 jz short loc_496ADD
.text:00496AD7 push esi ; hLibModule
.text:00496AD8 call FreeLibrary
.text:00496ADD
.text:00496ADDloc_496ADD: ;CODE XREF: LoadPlugins+47Dj
.text:00496ADD lea eax,
.text:00496AE4 push eax ; lpFindFileData
.text:00496AE5 mov edx,
.text:00496AE9 push edx ; hFindFile
.text:00496AEA call FindNextFileA
.text:00496AEF test eax, eax
.text:00496AF1 jnz loc_49672D
; After the scan: if at least one plugin was accepted, insert the Plugins
; popup into the main window's menu bar at position 3 with
; MF_BYPOSITION|MF_POPUP (0x410) and redraw the bar.
.text:00496AF7 cmp dword_4F55B4, 0
.text:00496AFE jle short loc_496B31
.text:00496B00 lea ecx,
.text:00496B06 push ecx ; lpNewItem
.text:00496B07 mov eax,
.text:00496B0B push eax ; uIDNewItem
.text:00496B0C push 410h ; uFlags
.text:00496B11 push 3 ; uPosition
.text:00496B13 mov edx, hwmain
.text:00496B19 push edx ; hWnd
.text:00496B1A call GetMenu
.text:00496B1F push eax ; hMenu
.text:00496B20 call InsertMenuA
.text:00496B25 mov ecx, hwmain
.text:00496B2B push ecx ; hWnd
.text:00496B2C call DrawMenuBar
.text:00496B31
.text:00496B31loc_496B31: ;CODE XREF: LoadPlugins+4A6j
; FindClose(hFind); return pluginnum (the C reconstruction declares bool, but
; eax carries the count).
.text:00496B31 mov eax,
.text:00496B35 push eax ; hFindFile
.text:00496B36 call FindClose
.text:00496B3B mov eax, dword_4F55B4
.text:00496B40
.text:00496B40loc_496B40: ;CODE XREF: LoadPlugins+B9j
.text:00496B40 ;LoadPlugins+D0j
.text:00496B40 add esp, 1450h
.text:00496B46 pop ebp
.text:00496B47 pop edi
.text:00496B48 pop esi
.text:00496B49 pop ebx
.text:00496B4A retn
int pluginnum;
PluginData plugindata;//最多32个插件
char data;
HANDLE hwmain;

bool LoadPlugins()
{
    char pluginpath,filename,pluginname;
    HANDLE hFindFile;
    WIN32_FIND_DATA FindFileData;
    HMENU pluginmenu,popupmenu;
    HMODULE hmod;
    int ret;
    int pluginmenuid;
    memset(plugindata,sizeof(plugindata));
    pluginnum=0;
    strcpy(pluginpath,"*.dll");
    hFindFile=FindFirstFile(pluginpath,&FindFileData);
    if(hFindFile== INVALID_HANDLE_VALUE)
        return false;
    pluginmenu=CreateMenu();
    if(!pluginmenu)
        return false;
    do
    {//搜索根目录下所有dll文件
        hmod=NULL;
        fnsplit(FindFileData.cFileName,NULL,NULL,filename,NULL);
        if(stricmp(filename,"psapi")&& stricmp(filename,"dbghelp"))
        {//如果不是psapi.dll和dbghelp.dll
            strcpy(pluginpath,FindFileData.cFileName);
            hmod=LoadLibrary(pluginpath);
            if(hmod)
            {
                ODBG_Plugindata=GetProcAddress(hmod,"_ODBG_Plugindata");
                ODBG_Plugininit=GetProcAddress(hmod,"_ODBG_Plugininit");
                if(ODBG_Plugindata&& ODBG_Plugininit)
                {
                    pluginname='\0';
                    ret=ODBG_Plugindata(pluginname);
                    if(ret>= 106 && ret <= 110 && pluginname != '\0')//版本在1.06~1.10之间
                    {
                        PluginData&curplugin=plugindata;
                        curplugin.hPluginDll=hmod;
                        strcpy(curplugin.DllName,FindFileData.cFileName);
                        strncpy(curplugin.PluginName,pluginname,31);
                        curplugin.PluginName='\0';
                        curplugin.ODBG_Pluginaction=GetProcAddress(hmod,"ODBG_Pluginaction");
                        curplugin.ODBG_Pluginmainloop=GetProcAddress(hmod,"ODBG_Pluginmainloop");
                        curplugin.ODBG_Pluginmenu=GetProcAddress(hmod,"ODBG_Pluginmenu");
                        curplugin.ODBG_Pluginshortcut=GetProcAddress(hmod,"ODBG_Pluginshortcut");
                        curplugin.ODBG_Pluginsaveudd=GetProcAddress(hmod,"ODBG_Pluginsaveudd");
                        curplugin.ODBG_Pluginuddrecord=GetProcAddress(hmod,"ODBG_Pluginuddrecord");
                        curplugin.ODBG_Pluginreset=GetProcAddress(hmod,"ODBG_Pluginreset");
                        curplugin.ODBG_Paused=GetProcAddress(hmod,"ODBG_Paused");
                        curplugin.ODBG_Pausedex=GetProcAddress(hmod,"ODBG_Pausedex");
                        curplugin.ODBG_Plugincmd=GetProcAddress(hmod,"ODBG_Plugincmd");
                        ulong feature=0;
                        ret=ODBG_Plugininit(110,hwmain,&feature);
                        if(ret)
                        {
                            Addtolist(0,0,"Plugin'%s' failed to initialize (code %i)",filename,ret);
                        }
                        else
                        {
                            pluginmenuid=pluginnum*64+57344;
                            pluginname='\0';
                            if(curplugin.ODBG_Pluginmenu)&& curplugin.ODBG_Pluginmenu(PM_MAIN,data,NULL))
                            {
                                if(pluginname!= '\0'&& (popupmenu=CreateMenu()) != NULL)
                                {
                                    CreateSubMenu(popupmenu,curplugin,pluginmenuid,1);
                                }
                                if(pluginnum>= 10)
                                    sprintf(pluginname,"%s",curplugin.pluginname);
                                else
                                    sprintf(pluginname,"&%i%s",(pluginnum+1)%10,curplugin.pluginname);
                                if(popupmenu)
                                    AppendMenu(pluginmenuid,MF_POPUP,popupmenu,pluginname);
                                else
                                    AppendMenu(pluginmenuid,0,pluginmenuid,pluginname);
                                pluginnum++;
                                hmod=NULL;
                            }
                        }
                    }
                    else
                    {
                        Addtolist(0,0,"Plugin'%s' has invalid version (%i.%02i)",filename,ret/100,ret%100);
                    }
                }
            }
        }
        if(hmod)
            FreeLibrary(hmod);
    } while(FindNextFile(hFindFile,&FindFileData));
}

可见加载过程是:ODBG_Plugindata => ODBG_Plugininit => ODBG_Pluginmenu,同理可分析其它函数。

审校注:上面的C代码是按反汇编还原的,转载时所有方括号内容都丢失了(数组长度、`plugindata[pluginnum]`、`pluginname[0]` 等下标),`if(curplugin.ODBG_Pluginmenu)&& ...` 一行的括号也已不匹配,请以反汇编为准。另外有一处与反汇编不一致:还原代码把 `pluginnum++; hmod=NULL;` 放在 `if(...ODBG_Pluginmenu...)` 块内,而反汇编中插件没有菜单时 loc_496A2D 只是把 edi 清零,随后仍然走到 loc_496A52,以 uFlags=0 调用 AppendMenuA 并执行 `inc dword_4F55B4`——即没有菜单的插件同样会被登记和计数,只是没有弹出子菜单;函数返回值也是 eax=dword_4F55B4(插件个数),而不是 bool。

安全提示:这个循环对插件目录中匹配 *.dll 的每个文件都先调用 LoadLibraryA(此时该DLL的DllMain已经执行),之后才检查是否导出 _ODBG_Plugindata/_ODBG_Plugininit 以及返回的版本号是否在 106~110 之间;除了按文件名跳过 psapi/dbghelp 之外,没有任何来源或签名校验。因此放进插件目录的任意DLL都会以OllyDbg进程的权限执行,插件目录应只允许可信用户写入,不要把来源不明的DLL放进去。

ODBG_Pluginmainloop

继续来看ODBG_Pluginmainloop函数。如何断在插件中该函数的入口呢?这里我利用GetProcAddress的返回值:先下条件断点 bp Kernel32.GetProcAddress,[...]=="_ODBG_Pluginmainloop"(方括号内的参数表达式已丢失,同上),Ctrl+F9执行到返回,再单步一次即可跳出GetProcAddress回到OllyDbg的代码中,此时eax就是GetProcAddress的返回值,也就是获取到的函数地址,因此 bp eax 可以断在ODBG_Pluginmainloop函数内。运行后程序果然断在其中:

.text:00401684 _ODBG_Pluginmainloop proc near
.text:00401684 push ebp
.text:00401685 mov ebp, esp
.text:00401687 pop ebp
.text:00401688 retn
.text:00401688 _ODBG_Pluginmainloop endp

bookmark插件中该函数毫无趣味,来看一下调用关系。经过分析,跳出后的函数可以命名为CallEverymainloop,代码如下:

.text:00496B4C push ebp
.text:00496B4D mov ebp, esp
.text:00496B4F push ebx
.text:00496B50 push esi
.text:00496B51 push edi
.text:00496B52 mov edi,
.text:00496B55 xor esi, esi
.text:00496B57 mov ebx, offset plugininfo
.text:00496B5C jmp short loc_496B76
.text:00496B5E ;---------------------------------------------------------------------------
.text:00496B5E
.text:00496B5E loc_496B5E: ;CODE XREF: CallEverymainloop+30j
.text:00496B5E cmp dword ptr , 0
.text:00496B65 jz short loc_496B6F
.text:00496B67 push edi
.text:00496B68 call dword ptr
.text:00496B6E pop ecx
.text:00496B6F
.text:00496B6F loc_496B6F: ;CODE XREF: CallEverymainloop+19j
.text:00496B6F inc esi
.text:00496B70 add ebx, 258h
.text:00496B76
.text:00496B76 loc_496B76: ;CODE XREF: CallEverymainloop+10j
.text:00496B76 cmp esi, pluginnum
.text:00496B7C jl short loc_496B5E
.text:00496B7E pop edi
.text:00496B7F pop esi
.text:00496B80 pop ebx
.text:00496B81 pop ebp
.text:00496B82 retn

void CallEverymainloop(DEBUG_EVENT *debugevent)
{
    for(int i=0;i<pluginnum;i++)
    {
        if(plugindata.ODBG_Pluginmainloop)
            plugindata. ODBG_Pluginmainloop(debugevent);
    }
}

继续跳出后发现即是主函数WinMain,且处于消息循环代码中(如果使用IDA查看调用关系,会发现Suspendprocess和Injectcode函数中均调用了该函数,这里不做详解),分析后得到:

if(procstatus != STAT_RUNNING)
{
    CallEverymainloop(NULL);
    Sleep(1);
}

ODBG_pluginaction

同理,可以得到调用ODBG_Pluginaction的函数:

.text:004965E4 push ebp
.text:004965E5 mov ebp, esp
.text:004965E7 push ebx
.text:004965E8 push esi
.text:004965E9 mov edx,
.text:004965EC cmp edx, 0E000h
.text:004965F2 jge short loc_4965F8
.text:004965F4 xor eax, eax
.text:004965F6 jmp short loc_496653
.text:004965F8 ;---------------------------------------------------------------------------
.text:004965F8
.text:004965F8 loc_4965F8: ; CODE XREF: CallEveryaction+Ej
.text:004965F8 lea eax,
.text:004965FE test eax, eax
.text:00496600 jns short loc_496605
.text:00496602 add eax, 3Fh
.text:00496605
.text:00496605 loc_496605: ;CODE XREF: CallEveryaction+1Cj
.text:00496605 sar eax, 6
.text:00496608 cmp eax, pluginnum
.text:0049660E jl short loc_496614
.text:00496610 xor eax, eax
.text:00496612 jmp short loc_496653
.text:00496614 ;---------------------------------------------------------------------------
.text:00496614
.text:00496614 loc_496614: ;CODE XREF: CallEveryaction+2Aj
.text:00496614 mov esi, eax
.text:00496616 shl esi, 4
.text:00496619 sub esi, eax
.text:0049661B lea esi,
.text:0049661E cmp dword ptr (plugininfo+238h), 0
.text:00496626 jnz short loc_49662C
.text:00496628 xor eax, eax
.text:0049662A jmp short loc_496653
.text:0049662C ;---------------------------------------------------------------------------
.text:0049662C
.text:0049662C loc_49662C: ;CODE XREF: CallEveryaction+42j
.text:0049662C mov ecx, eax
.text:0049662E shl ecx, 6
.text:00496631 add ecx, 0E000h
.text:00496637 mov ebx,
.text:0049663A push ebx
.text:0049663B sub edx, ecx
.text:0049663D push edx
.text:0049663E mov edx,
.text:00496641 push edx
.text:00496642 mov eax, dword ptr (plugininfo+238h)
.text:00496649 call eax
.text:0049664B add esp, 0Ch
.text:0049664E mov eax, 1
.text:00496653
.text:00496653 loc_496653: ;CODE XREF: CallEveryaction+12j
.text:00496653 ; CallEveryaction+2Ej...
.text:00496653 pop esi
.text:00496654 pop ebx
.text:00496655 pop ebp
.text:00496656 retn

bool CallEveryaction(int origin,int resourceid,void*item)
{
    int pluginindex;
    if(resourceid< 57344)
        return false;
    pluginindex=(resourceid-57344)/64;//由菜单资源id得到插件序号,和前面插件加载过程相对应
    if(pluginindex>= pluginnum || plugindata.ODBG_pluginaction== NULL)
        return false;
    plugindata.ODBG_pluginaction(origin,resourceid-pluginindex*64+57344,item);
    return true;
}

审校注:反汇编中 `shl ecx,6 / add ecx,0E000h / sub edx,ecx` 对应的是 `resourceid-(pluginindex*64+57344)`,上面C代码少了一对括号,按C的运算优先级会算成 `(resourceid-pluginindex*64)+57344`,传给插件的菜单项序号是错的。

ODBG_Pluginshortcut

同理分析ODBG_Pluginshortcut,可得到CPU窗口的消息回调函数为:

LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    ......
    switch(message)
    {
    ……
    case WM_KEYDOWN:
    case WM_SYSKEYDOWN:
        return CallEveryshortcut(PM_MAIN,GetKeyState(VK_CONTROL)&0x8000,message==WM_SYSKEYDOWN,GetKeyState(VK_SHIFT)&0x8000,wParam,NULL);
        break;
    ……
    }
    ......
}

.text:00496E98 push ebp
.text:00496E99 mov ebp, esp
.text:00496E9B push ebx
.text:00496E9C push esi
.text:00496E9D push edi
.text:00496E9E mov edi,
.text:00496EA1 cmp edi, 10h
.text:00496EA4 jz short loc_496EB0
.text:00496EA6 cmp edi, 11h
.text:00496EA9 jz short loc_496EB0
.text:00496EAB cmp edi, 12h
.text:00496EAE jnz short loc_496EB4
.text:00496EB0
.text:00496EB0 loc_496EB0: ;CODE XREF: CallEveryshortcut+Cj
.text:00496EB0 ;CallEveryshortcut+11j
.text:00496EB0 xor eax, eax
.text:00496EB2 jmp short loc_496F27
.text:00496EB4 ;---------------------------------------------------------------------------
.text:00496EB4
.text:00496EB4 loc_496EB4: ;CODE XREF: CallEveryshortcut+16j
.text:00496EB4 cmp , 0
.text:00496EB8 setnz dl
.text:00496EBB and edx, 1
.text:00496EBE mov ebx, offset plugininfo
.text:00496EC3 mov , edx
.text:00496EC6 cmp , 0
.text:00496ECA setnz cl
.text:00496ECD and ecx, 1
.text:00496ED0 mov , ecx
.text:00496ED3 cmp , 0
.text:00496ED7 setnz al
.text:00496EDA and eax, 1
.text:00496EDD xor esi, esi
.text:00496EDF mov , eax
.text:00496EE2 jmp short loc_496F1D
.text:00496EE4 ;---------------------------------------------------------------------------
.text:00496EE4
.text:00496EE4 loc_496EE4: ;CODE XREF: CallEveryshortcut+8Bj
.text:00496EE4 cmp dword ptr , 0
.text:00496EEB jz short loc_496F16
.text:00496EED mov eax,
.text:00496EF0 push eax
.text:00496EF1 push edi
.text:00496EF2 mov edx,
.text:00496EF5 push edx
.text:00496EF6 mov ecx,
.text:00496EF9 push ecx
.text:00496EFA mov eax,
.text:00496EFD push eax
.text:00496EFE mov edx,
.text:00496F01 push edx
.text:00496F02 call dword ptr
.text:00496F08 add esp, 18h
.text:00496F0B test eax, eax
.text:00496F0D jz short loc_496F16
.text:00496F0F mov eax, 1
.text:00496F14 jmp short loc_496F27
.text:00496F16 ;---------------------------------------------------------------------------
.text:00496F16
.text:00496F16 loc_496F16: ;CODE XREF: CallEveryshortcut+53j
.text:00496F16 ;CallEveryshortcut+75j
.text:00496F16 inc esi
.text:00496F17 add ebx, 258h
.text:00496F1D
.text:00496F1D loc_496F1D: ;CODE XREF: CallEveryshortcut+4Aj
.text:00496F1D cmp esi, pluginnum
.text:00496F23 jl short loc_496EE4
.text:00496F25 xor eax, eax
.text:00496F27
.text:00496F27 loc_496F27: ;CODE XREF: CallEveryshortcut+1Aj
.text:00496F27 ;CallEveryshortcut+7Cj
.text:00496F27 pop edi
.text:00496F28 pop esi
.text:00496F29 pop ebx
.text:00496F2A pop ebp
.text:00496F2B retn

int CallEveryshortcut(int orgin,bool ctrl,bool alt,bool shift,int key,void* item)
{
    if(key ==VK_SHIFT || key == VK_CONTROL || key == VK_MENU)//单个键无效
        return 0;
    for(int pluginindex=0;pluginindex<pluginnum;pluginindex++)
    {
        if(plugindata.ODBG_Pluginshortcut(origin,ctrl,alt,shift,key,item))
            return 1;
    }
    return 0;
}

审校注:反汇编在调用之前先用 `cmp dword ptr [...],0 / jz short loc_496F16` 检查该插件的 ODBG_Pluginshortcut 是否为NULL(它是可选导出,加载时GetProcAddress可能返回NULL),上面C代码漏掉了这个判空;另外参数名 orgin 应为 origin。

这是哪本书的第二章?