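Bytes in hex editor and OllyDbg
I am trying to create a compiler and have started on the code generation part. Based on a simple executable that I compiled with fasm, I started working on code generation for the imports using Python.
Here is the source code of the test program in Assembly: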
format PE console
entry start
include 'win32a.inc'
macro import_part1 library, [api]
{
common
library#_str: db `library
forward
if rva $ mod 2 = 0
; db 0
end if
; When align is right, one byte from previous import name
; is used as byte for next import's hint.
api#_str = $-1
db 0, `api
common
db 0
}
import_part2_first = 0
macro import_part2 library, [api]
{
common
if import_part2_first = 0
align 4
import_part2_first = 1
else
dd 0
end if
library#_import:
forward
api dd rva api#_str
}
macro import_part3 [library]
{
common
data import
forward
dd 0, 0, 0, rva library#_str, rva library#_import
common
rd 5
end data
}
import_list equ
import_libraries equ
macro import library,[api]
{
common
import_list equ import_list import_#library
import_#library equ library,api
import_libraries equ import_libraries,library
}
macro importend
{
match a, import_list
\{
irps b, a \\{ match c, b \\\{ import_part1 c \\\} \\}
irps b, a \\{ match c, b \\\{ import_part2 c \\\} \\}
\}
match =,a,import_libraries \{ import_part3 a \}
}
start:
push var
call [printf]
push 0
call [ExitProcess]
var db 'Test', 0
;data import
;
;library kernel32, 'kernel32.dll', msvcrt, 'msvcrt.dll'
;
;import kernel32, ExitProcess, 'ExitProcess'
;import msvcrt, printf, 'printf'
;end data
import kernel32.dll, ExitProcess, AttachConsole
import msvcrt.dll, printf, scanf, puts
import user32.dll, MessageBoxA
importend
(OllyDbg) This is the part I use as the basis for generating the imports (I cannot post images):
CPU Disasm
Address Hex dump Command Comments
00401017 . 006B 65 ADD BYTE PTR DS:[EBX+65], CH
0040101A . 72 6E 65 6C 33 32 2E 64 6C 6C 00 ASCII "rnel32.dll",0 ; ASCII "rnel32.dll"
00401025 . 45 78 69 74 50 72 6F 63 65 73 73 00 ASCII "ExitProcess",0 ; ASCII "ExitProcess"
00401031 . 41 74 74 61 63 68 43 6F 6E 73 6F 6C 65 00 ASCII "AttachConsole",0 ; ASCII "AttachConsole"
0040103F . 6D 73 76 63 72 74 2E 64 6C 6C 00 ASCII "msvcrt.dll",0 ; ASCII "msvcrt.dll"
0040104A . 70 72 69 6E 74 66 00 ASCII "printf",0 ; ASCII "printf"
00401051 . 73 63 61 6E 66 00 ASCII "scanf",0 ; ASCII "scanf"
00401057 . 70 75 74 73 00 ASCII "puts",0 ; ASCII "puts"
0040105C . 75 73 65 72 33 32 2E 64 6C 6C 00 ASCII "user32.dll",0 ; ASCII "user32.dll"
00401067 . 4D 65 73 73 61 67 65 42 6F 78 41 00 ASCII "MessageBoxA",0 ; ASCII "MessageBoxA"
00401073 90 NOP
Here is the problem:
00401074 . 647FA577 DD 77A57F64 -> ExitProcess
00401078 . 1878A577 DD 77A57818
0040107C . 00000000 DD 00000000
00401080 . C4D2B777 DD 77B7D2C4
00401084 . BF16C077 DD 77C016BF
00401088 . 9C3BC077 DD 77C03B9C
0040108C . 00000000 DD 00000000
00401090 . 9E278B77 DD 778B279E
00401094 . 00000000 DD 00000000 ; Struct 'IMAGE_IMPORT_DESCRIPTOR'
00401098 . 00000000 DD 00000000
0040109C . 00000000 DD 00000000
004010A0 . 18100000 DD 00001018
004010A4 . 74100000 DD 00001074
004010A8 . 00000000 DD 00000000 ; Struct 'IMAGE_IMPORT_DESCRIPTOR'
004010AC . 00000000 DD 00000000
004010B0 . 00000000 DD 00000000
004010B4 . 3F100000 DD 0000103F
004010B8 . 80100000 DD 00001080
004010BC . 00000000 DD 00000000 ; Struct 'IMAGE_IMPORT_DESCRIPTOR'
004010C0 . 00000000 DD 00000000
004010C4 . 00000000 DD 00000000
004010C8 . 5C100000 DD 0000105C
004010CC . 90100000 DD 00001090
004010D0 . 00000000 DD 00000000 ; Struct 'IMAGE_IMPORT_DESCRIPTOR'
004010D4 . 00000000 DD 00000000
004010D8 . 00000000 DD 00000000
004010DC . 00000000 DD 00000000
004010E0 . 00000000 DD 00000000
This is my program's output:
kernel32.dll , 0
ExitProcess , 0
AttachConsole , 0
msvcrt.dll , 0
printf , 0
scanf , 0
puts , 0
user32.dll , 0
MessageBoxA , 0
90
-------------------
0x77a57f64
0x77a57818
0x0
0x77b7d2c4
0x77c016bf
0x77c03b9c
0x0
0x778b279e
-------------------
0x0
0x0
0x0
0x1018
0x1074
0x0
0x0
0x0
0x103f
0x1080
0x0
0x0
0x0
0x105c
0x1090
0x0
0x0
0x0
0x0
0x0
And the generated file:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 45 78 69 kernel32.dll.Exi
00000010 74 50 72 6F 63 65 73 73 00 41 74 74 61 63 68 43 tProcess.AttachC
00000020 6F 6E 73 6F 6C 65 00 6D 73 76 63 72 74 2E 64 6C onsole.msvcrt.dl
00000030 6C 00 70 72 69 6E 74 66 00 73 63 61 6E 66 00 70 l.printf.scanf.p
00000040 75 74 73 00 75 73 65 72 33 32 2E 64 6C 6C 00 4D uts.user32.dll.M
00000050 65 73 73 61 67 65 42 6F 78 41 00 90 64 7F A5 77 essageBoxA..d.¥w
00000060 18 78 A5 77 00 00 00 00 C4 D2 B7 77 BF 16 C0 77 .x¥w....ÄÒ·w¿.Àw
00000070 9C 3B C0 77 00 00 00 00 9E 27 8B 77 00 00 00 00 œ;Àw....ž'‹w....
00000080 00 00 00 00 00 00 00 00 00 00 00 00 18 10 00 00 ................
00000090 74 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 t...............
000000A0 3F 10 00 00 80 10 00 00 00 00 00 00 00 00 00 00 ?...€...........
000000B0 00 00 00 00 5C 10 00 00 90 10 00 00 00 00 00 00 ....\...........
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
This is the import section of the test program in a hex editor:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000210 6B 65 72 6E 65 6C 33 32 kernel32
00000220 2E 64 6C 6C 00 45 78 69 74 50 72 6F 63 65 73 73 .dll.ExitProcess
00000230 00 41 74 74 61 63 68 43 6F 6E 73 6F 6C 65 00 6D .AttachConsole.m
00000240 73 76 63 72 74 2E 64 6C 6C 00 70 72 69 6E 74 66 svcrt.dll.printf
00000250 00 73 63 61 6E 66 00 70 75 74 73 00 75 73 65 72 .scanf.puts.user
00000260 33 32 2E 64 6C 6C 00 4D 65 73 73 61 67 65 42 6F 32.dll.MessageBo
00000270 78 41 00 90 23 10 00 00 2F 10 00 00 00 00 00 00 xA..#.../.......
00000280 48 10 00 00 4F 10 00 00 55 10 00 00 00 00 00 00 H...O...U.......
00000290 65 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e...............
000002A0 18 10 00 00 74 10 00 00 00 00 00 00 00 00 00 00 ....t...........
000002B0 00 00 00 00 3F 10 00 00 80 10 00 00 00 00 00 00 ....?...€.......
000002C0 00 00 00 00 00 00 00 00 5C 10 00 00 90 10 00 00 ........\.......
000002D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
What I don't understand is why some of the bytes differ between OllyDbg and the hex editor. Do I have to do some more calculations?
Here is the problem:
00401074 . 647FA577 DD 77A57F64 -> ExitProcess
00401078 . 1878A577 DD 77A57818
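There is no problem.
In the left column (the dump), the bytes are in the same order as they are in memory. So the low byte comes first.
The last column (the command) shows the same 4 bytes as a dword, but without the usual 0x prefix or h suffix.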
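An added example, not part of the original question or answer: it reads the import data from the question's hex-editor dump as little-endian dwords and follows each thunk to its hint/name entry. On disk the thunks hold RVAs such as 0x1023 and 0x102F; the Windows loader overwrites those slots with resolved function addresses at load time, which is what a debugger shows for the same locations. The names `BASE_RVA`, `RAW`, `dword`, `cstring` and `parse_imports` are made up for this example, and the RVA-to-offset mapping is derived from the dump ("kernel32.dll" at file offset 0x218, referenced as RVA 0x1018).

```python
import struct

# Bytes copied from the question's hex-editor dump, file offsets 0x218-0x2DF.
# RVA = file offset - 0x200 + 0x1000 (derived from the dump, see lead-in).
BASE_RVA = 0x1018
RAW = bytes.fromhex(
    "6B65726E656C3332"
    "2E646C6C004578697450726F63657373" "00417474616368436F6E736F6C65006D"
    "73766372742E646C6C007072696E7466" "007363616E6600707574730075736572"
    "33322E646C6C004D657373616765426F" "78410090231000002F10000000000000"
    "481000004F1000005510000000000000" "65100000000000000000000000000000"
    "18100000741000000000000000000000" "000000003F1000008010000000000000"
    "00000000000000005C10000090100000" "00000000000000000000000000000000"
)
DESCRIPTORS_RVA = 0x1094  # first IMAGE_IMPORT_DESCRIPTOR in the OllyDbg listing


def dword(rva):
    """Read 4 bytes at rva as a little-endian unsigned dword."""
    return struct.unpack_from("<I", RAW, rva - BASE_RVA)[0]


def cstring(rva):
    """Read a NUL-terminated ASCII string at rva."""
    start = rva - BASE_RVA
    return RAW[start:RAW.index(b"\0", start)].decode("ascii")


def parse_imports():
    """Walk the descriptors; return {dll: [(thunk_rva, on_disk_value, name)]}."""
    result = {}
    desc = DESCRIPTORS_RVA
    while True:
        name_rva = dword(desc + 12)          # 4th dword: RVA of the DLL name
        if name_rva == 0:                    # zero Name RVA ends the list
            break
        thunk = dword(desc + 16)             # 5th dword: RVA of the thunk list
        entries = []
        while (value := dword(thunk)) != 0:  # zero dword ends each thunk list
            # On disk: RVA of a hint/name entry (2-byte hint, then the name).
            entries.append((thunk, value, cstring(value + 2)))
            thunk += 4
        result[cstring(name_rva)] = entries
        desc += 20                           # descriptors are 5 dwords each
    return result


if __name__ == "__main__":
    for dll, entries in parse_imports().items():
        for thunk, value, name in entries:
            print(f"{dll:13} thunk@{thunk:#06x} on-disk={value:#010x} -> {name}")
```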