OllyDbg导入IDA符号插件LoadMap分析

元始天尊 发表于 2015-1-14 10:52:33

LoadMap插件可以在OllyDbg中调试程序时显示IDA符号，大大降低代码分析难度。先用IDA制作map文件，先用IDA载入exe文件，手动分析修改成容易理解的符号后，File->Produce file->Create map file创建map文件，使用OllyDbg载入exe文件，在插件界面选择map文件路径，就可以看到OllyDgb带符号了。
经我分析，该插件代码并不复杂，本质上还是解析map文件，而该文件格式并不复杂，下面是我截取的一段：

Start       Length Name                Class
0002:00000000 0000AF000H .text                CODE
0003:00000000 00005B000H .data                DATA
0004:00000000 000001000H .tls                DATA
0005:00000000 000001000H .rdata             DATA
0006:00000000 000002000H .idata             DATA

Address       Publics by Value

0001:00000000    start
0001:00000012    loc_6051012
0001:00000059    __GetExceptDLLinfo
0001:00000140    sub_6051140
0001:00000150    loc_6051150
0001:0000018D    loc_605118D
0001:0000018F    loc_605118F
0001:000001B1    loc_60511B1
0001:000001BE    loc_60511BE
0001:000001F1    loc_60511F1
0001:000044AC    _Assemble
0001:000044D3    loc_60554D3
0001:000044D8    loc_60554D8
0001:000044E6    loc_60554E6
0001:000044F8    loc_60554F8
0001:00004514    loc_6055514
。。。。。。。。。。。。。。

关键反汇编代码：
.text:100010A0 ; void __cdecl LoadMap()
.text:100010A0 LoadMap       proc near             ; CODE XREF: _ODBG_Pluginaction:loc_100012BDj
.text:100010A0
.text:100010A0 var_204       = dword ptr -204h
.text:100010A0 str          = byte ptr -200h
.text:100010A0 MapFileName = byte ptr -100h
.text:100010A0
.text:100010A0             sub esp, 204h
.text:100010A6             push esi
.text:100010A7             push 18h          ; type
.text:100010A9             call _Plugingetvalue
.text:100010AE             mov esi, eax
.text:100010B0             add esp, 4
.text:100010B3             test esi, esi
.text:100010B5             jnz short loc_100010E7
.text:100010B7             push offset aMapconvA ; "MapConv 错误: 无进程用于添加 map 信息"
.text:100010BC             push 1             ; highlight
.text:100010BE             push eax          ; addr
.text:100010BF             call _Addtolist
.text:100010C4             mov eax, hOllyWnd
.text:100010C9             add esp, 0Ch
.text:100010CC             push 40h          ; uType
.text:100010CE             push offset Caption; "LoadMap v0.1"
.text:100010D3             push offset Text ; "是这样 - 如果你没有调试任何程序 - 你不?...
.text:100010D8             push eax          ; hWnd
.text:100010D9             call ds:MessageBoxA
.text:100010DF             pop esi
.text:100010E0             add esp, 204h
.text:100010E6             retn
.text:100010E7 ; ---------------------------------------------------------------------------
.text:100010E7
.text:100010E7 loc_100010E7:                         ; CODE XREF: LoadMap+15j
.text:100010E7             push esi          ; addr
.text:100010E8             call _Findmodule
.text:100010ED             mov edx,
.text:100010F0             lea ecx,
.text:100010F3             push ecx
.text:100010F4             push edx
.text:100010F5             push esi
.text:100010F6             push offset aMainbaseXCodeb ; "MainBase: %X, CodeBase: %X, %s"
.text:100010FB             push 0             ; highlight
.text:100010FD             push 0             ; addr
.text:100010FF             mov MainModule, eax
.text:10001104             call _Addtolist
.text:10001109             push 0             ; getarguments
.text:1000110B             push offset defext ; ".map"
.text:10001110             lea eax,
.text:10001117             push eax          ; name
.text:10001118             push offset title ; "选择 map 文件"
.text:1000111D             mov , 0
.text:10001125             call _Browsefilename
.text:1000112A             add esp, 2Ch
.text:1000112D             test eax, eax
.text:1000112F             jz    loc_10001280
.text:10001135             push edi
.text:10001136             lea ecx,
.text:1000113D             push offset aRt    ; "rt"
.text:10001142             push ecx          ; char *
.text:10001143             call _fopen
.text:10001148             mov edi, eax
.text:1000114A             add esp, 8
.text:1000114D             test edi, edi
.text:1000114F             jnz short loc_10001172
.text:10001151             lea edx,
.text:10001158             push edx
.text:10001159             push offset aLoadmapA ; "LoadMap 错误: 无法打开 %s"
.text:1000115E             push 1             ; highlight
.text:10001160             push eax          ; addr
.text:10001161             call _Addtolist
.text:10001166             add esp, 10h
.text:10001169             pop edi
.text:1000116A             pop esi
.text:1000116B             add esp, 204h
.text:10001171             retn
.text:10001172 ; ---------------------------------------------------------------------------
.text:10001172
.text:10001172 loc_10001172:                         ; CODE XREF: LoadMap+AFj
.text:10001172             test byte ptr , 10h
.text:10001176             jnz loc_10001238
.text:1000117C             lea esp,
.text:10001180
.text:10001180 loc_10001180:                         ; CODE XREF: LoadMap+192j
.text:10001180             push 6             ; size_t
.text:10001182             lea eax,
.text:10001186             push offset a0001 ; " 0001:"
.text:1000118B             push eax          ; char *
.text:1000118C             call _strncmp
.text:10001191             add esp, 0Ch
.text:10001194             test eax, eax
.text:10001196             jnz loc_1000121A
.text:1000119C             push 10h          ; int
.text:1000119E             lea ecx,
.text:100011A2             push ecx          ; char **
.text:100011A3             lea edx,
.text:100011A7             push edx          ; char *
.text:100011A8             call _strtol
.text:100011AD             mov esi, eax
.text:100011AF             add esp, 0Ch
.text:100011B2             test esi, esi
.text:100011B4             jnz short loc_100011C3
.text:100011B6             push edi
.text:100011B7             push 100h
.text:100011BC             lea eax,
.text:100011C0             push eax
.text:100011C1             jmp short loc_10001225
.text:100011C3 ; ---------------------------------------------------------------------------
.text:100011C3
.text:100011C3 loc_100011C3:                         ; CODE XREF: LoadMap+114j
.text:100011C3             mov cl,
.text:100011C7             test cl, cl
.text:100011C9             lea eax,
.text:100011CD             jz    short loc_100011E7
.text:100011CF             nop
.text:100011D0
.text:100011D0 loc_100011D0:                         ; CODE XREF: LoadMap+145j
.text:100011D0             mov cl,
.text:100011D2             cmp cl, 0Dh
.text:100011D5             jz    short loc_100011DC
.text:100011D7             cmp cl, 0Ah
.text:100011DA             jnz short loc_100011DF
.text:100011DC
.text:100011DC loc_100011DC:                         ; CODE XREF: LoadMap+135j
.text:100011DC             mov byte ptr , 0
.text:100011DF
.text:100011DF loc_100011DF:                         ; CODE XREF: LoadMap+13Aj
.text:100011DF             mov cl,
.text:100011E2             inc eax
.text:100011E3             test cl, cl
.text:100011E5             jnz short loc_100011D0
.text:100011E7
.text:100011E7 loc_100011E7:                         ; CODE XREF: LoadMap+12Dj
.text:100011E7             mov edx, MainModule
.text:100011ED             mov eax,
.text:100011F0             lea ecx,
.text:100011F4             push ecx          ; name
.text:100011F5             add eax, esi
.text:100011F7             push 31h          ; type
.text:100011F9             push eax          ; addr
.text:100011FA             call _Quickinsertname
.text:100011FF             mov edx, MainModule
.text:10001205             mov eax,
.text:10001208             lea ecx,
.text:1000120C             push ecx          ; name
.text:1000120D             add eax, esi
.text:1000120F             push 36h          ; type
.text:10001211             push eax          ; addr
.text:10001212             call _Quickinsertname
.text:10001217             add esp, 18h
.text:1000121A
.text:1000121A loc_1000121A:                         ; CODE XREF: LoadMap+F6j
.text:1000121A             push edi          ; FILE *
.text:1000121B             push 100h          ; int
.text:10001220             lea ecx,
.text:10001224             push ecx          ; char *
.text:10001225
.text:10001225 loc_10001225:                         ; CODE XREF: LoadMap+121j
.text:10001225             call _fgets
.text:1000122A             mov al,
.text:1000122D             add esp, 0Ch
.text:10001230             test al, 10h
.text:10001232             jz    loc_10001180
.text:10001238
.text:10001238 loc_10001238:                         ; CODE XREF: LoadMap+D6j
.text:10001238             push edi          ; FILE *
.text:10001239             call _fclose
.text:1000123E             call _Mergequicknames
.text:10001243             push offset aLoadmapJMap ; "LoadMap: 成功: Map 文件成功导入"
.text:10001248             push 0             ; highlight
.text:1000124A             push 0             ; addr
.text:1000124C             call _Addtolist
.text:10001251             mov edx, hOllyWnd
.text:10001257             add esp, 10h
.text:1000125A             push 40h          ; uType
.text:1000125C             push offset Caption; "LoadMap v0.1"
.text:10001261             push offset aMap ; "Map 文件成功导入"
.text:10001266             push edx          ; hWnd
.text:10001267             call ds:MessageBoxA
.text:1000126D             push 8             ; mode
.text:1000126F             push 0             ; stackaddr
.text:10001271             push 0             ; dumpaddr
.text:10001273             push 0             ; asmaddr
.text:10001275             push 0             ; threadid
.text:10001277             call _Setcpu
.text:1000127C             add esp, 14h
.text:1000127F             pop edi
.text:10001280
.text:10001280 loc_10001280:                         ; CODE XREF: LoadMap+8Fj
.text:10001280             pop esi
.text:10001281             add esp, 204h
.text:10001287             retn

分析结果：

#include <Windows.h>
#include "Plugin.h"
#include <stdio.h>

HINSTANCE hInst;
HWND hOllyWnd;
t_module* MainModule;
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved)
{
if(fdwReason == DLL_PROCESS_ATTACH)
hInst=hinstDLL;
return 1;
}

extc int_export cdecl ODBG_Pluginmenu(int origin,char data,void *item)
{
if(origin != PM_MAIN)
return 0;
memcpy(data,"0 载入 Map 文件|1 关于",25);
return 1;
}

extc int_export cdecl ODBG_Plugininit(int ollydbgversion,HWND hw, ulong *features)
{
if(ollydbgversion < 108)
return -1;
hOllyWnd=hw;
Addtolist(0,0,"LoadMap version 0.1 by lgx/iPB loaded");
return 0;
}

extc int_export cdecl ODBG_Plugindata(char shortname)
{
strcpy(shortname,"LoadMap");
return 108;
}

void LoadMap()
{
ulong mainbase=Plugingetvalue(VAL_MAINBASE);
if(!mainbase)
{
Addtolist(0,1,"MapConv 错误: 无进程用于添加 map 信息");
MessageBox(hOllyWnd,"是这样 - 如果你没有调试任何程序 - 你不需要 .map 文件 ;-)","LoadMap v0.1",MB_OK|MB_ICONASTERISK);
return;
}
MainModule=Findmodule(mainbase);
Addtolist(0,0,"MainBase: %X, CodeBase: %X, %s",mainbase,MainModule->codebase,MainModule->path);
char MapFileName;
FILE* file;
char str;
MapFileName= '\0';
if(!Browsefilename("选择 map 文件",MapFileName,".map",0))
return;
file=fopen(MapFileName,"rt");
if(!file)
{
Addtolist(0,1,"LoadMap 错误: 无法打开 %s",MapFileName);
return;
}
/*map文件格式
0001:00000000    start
0001:00000012    loc_6051012
0001:00000059    __GetExceptDLLinfo
0001:00000140    sub_6051140
0001:00000150    loc_6051150
0001:0000018D    loc_605118D
0001:0000018F    loc_605118F
*/
while(!feof(file))
{
fgets(str,256,file);
if(!strncmp(str," 0001:",6))
{
char* endptr;
long offset=strtol(str+6,&endptr,16);//每行偏移6处为相对地址
if(offset)
{
char* ptr=str+21;//每行偏移21处为IDA符号名
while(*ptr)
{
if(*ptr == '\r' || *ptr == '\n')
*ptr='\0';
ptr++;
}
Quickinsertname(MainModule->codebase+offset,NM_LABEL,str+21);
Quickinsertname(MainModule->codebase+offset,NM_COMMENT,str+21);
}
}
}
fclose(file);
Mergequicknames();
Addtolist(0,0,"LoadMap: 成功: Map 文件成功导入");
MessageBox(hOllyWnd,"Map 文件成功导入","LoadMap v0.1",MB_OK|MB_ICONASTERISK);
Setcpu(0,0,0,0,CPU_ASMFOCUS);
}

extc void _export cdecl ODBG_Pluginaction(int origin,int action,void *item)
{
if(origin != PM_MAIN)
return;
if(action == 0)
LoadMap();
else if(action == 1)
MessageBox(hOllyWnd,"LoadMap version 0.1 by lgx/iPB","LoadMap v0.1",MB_OK|MB_ICONASTERISK);
}

页: [1]

技术宅的结界's Archiver

OllyDbg导入IDA符号插件LoadMap分析