  • MFC应用程序逆向经验总结

    如何找到MFC AppInitInstance入口地址

    OEP

    00401A83| E8 68040000           | call    00401EF0                                  | __security_init_cookie

    00401A88| E9 36FDFFFF           | jmp     004017C3                                  | __tmainCRTStartup

     

    __tmainCRTStartup

    004017C3| 6A 5C                 | push    5C                                        |

    004017C5| 68 B83B4000           | push    403BB8                                    |

    004017CA| E8 79060000           | call    00401E48                                  | __SEH_prolog4

    中间代码省略……

    004018FD| 0FB74D C4             | movzx   ecx,word ptr ss:[ebp-3C]                  |

    00401901| EB 03                 | jmp     short 00401906                            |

    00401903| 6A 0A                 | push    0A                                        |

    00401905| 59                    | pop     ecx                                       |

    00401906| 51                    | push    ecx                                       |

    00401907| 50                    | push    eax                                       |

    00401908| 53                    | push    ebx                                       |

    00401909| 68 00004000           | push    400000                                    |

    0040190E| E8 AB070000           | call    004020BE                                  |wWinMain

    00401913| A3 30514000           | mov     dword ptr ds:[405130],eax                 |

    00401918| 391D 24514000         | cmp     dword ptr ds:[405124],ebx                 |

    0040191E| 75 4C                 | jnz     short 0040196C                            |

    00401920| 50                    | push    eax                                       |

    00401921| FF15 A8324000         | call    dword ptr ds:[4032A8]                     |MSVCR80.exit

    00401927| 66:83F9 22            | cmp     cx,22                                     |

    0040192B| 75 0B                 | jnz     short 00401938                            |

    0040192D| 33C9                  | xor     ecx,ecx                                   |

    0040192F| 395D E4               | cmp     dword ptr ss:[ebp-1C],ebx                 |

    00401932| 0F94C1                | sete    cl                                        |

    00401935| 894D E4               | mov     dword ptr ss:[ebp-1C],ecx                 |

    00401938| 40                    | inc     eax                                       |

    00401939| 40                    | inc     eax                                       |

    0040193A| EB 90                 | jmp     short 004018CC                            |

    0040193C| 8B45 EC               | mov     eax,dword ptr ss:[ebp-14]                 |

    0040193F| 8B08                  | mov     ecx,dword ptr ds:[eax]                    |

    00401941| 8B09                  | mov     ecx,dword ptr ds:[ecx]                    |

    00401943| 894D D8               | mov     dword ptr ss:[ebp-28],ecx                 |

    00401946| 50                    | push    eax                                       |

    00401947| 51                    | push    ecx                                       |

    00401948| E8 A9030000           | call    00401CF6                                  |jmp MSVCR80._XcptFilter

    0040194D| 59                    | pop     ecx                                       |

    0040194E| 59                    | pop     ecx                                       |

    0040194F| C3                    | retn                                              |

     

    wWinMain

    004020BE| E9 19000000           | jmp     004020DC                                  | AfxWinMain

    ……

    004020DC| FF25 0C324000         | jmp     dword ptr ds:[40320C]                     |MFC80U.7831D25F

     

    AfxWinMain

    7831D25F| 53                    | push    ebx                                       |

    7831D260| 56                    | push    esi                                       |

    7831D261| 57                    | push    edi                                       |

    7831D262| 83CB FF               | or      ebx,FFFFFFFF                              |

    7831D265| E8 CA2CFFFF           | call    7830FF34                                  |MFC80U.7830FF34

    7831D26A| 8B70 04               | mov     esi,dword ptr ds:[eax+4]                  |

    7831D26D| E8 4F2CFFFF           | call    7830FEC1                                  |MFC80U.7830FEC1

    7831D272| FF7424 1C             | push    dword ptr ss:[esp+1C]                     |

    7831D276| 8B78 04               | mov     edi,dword ptr ds:[eax+4]                  |

    7831D279| FF7424 1C             | push    dword ptr ss:[esp+1C]                     |

    7831D27D| FF7424 1C             | push    dword ptr ss:[esp+1C]                     |

    7831D281| FF7424 1C             | push    dword ptr ss:[esp+1C]                     |

    7831D285| E8 F3CA0200           | call    78349D7D                                  |MFC80U.78349D7D

    7831D28A| 85C0                  | test    eax,eax                                   |

    7831D28C| 74 3C                 | je      short 7831D2CA                            |MFC80U.7831D2CA

    7831D28E| 85FF                  | test    edi,edi                                   |

    7831D290| 74 0E                 | je      short 7831D2A0                            |MFC80U.7831D2A0

    7831D292| 8B07                  | mov     eax,dword ptr ds:[edi]                    |

    7831D294| 8BCF                  | mov     ecx,edi                                   |

    7831D296| FF90 98000000         | call    dword ptr ds:[eax+98]                     |

    7831D29C| 85C0                  | test    eax,eax                                   |

    7831D29E| 74 2A                 | je      short 7831D2CA                            |MFC80U.7831D2CA

    7831D2A0| 8B06                  | mov     eax,dword ptr ds:[esi]                    |

    7831D2A2| 8BCE                  | mov     ecx,esi                                   |

    7831D2A4| FF50 58               | call    dword ptr ds:[eax+58]                     | CtestApp::InitInstance

     

     

     

    如何找到MFC对话框的消息处理函数地址

     

    参考:

    MFC程序中的消息逆向:http://hi.baidu.com/asmcvc/blog/item/1c262e238cad8d5a9822ed81.html

     

     

    CWnd::OnWndMsg(uint,uint,long,long *) .text 004015CC

    004015CC| FF25 D4304000         | jmp     dword ptr ds:[4030D4]                     |MFC80U.78312DF0

     

    MFC80U.78312DF0

    78312DF0| 55                    | push    ebp                                       |

    78312DF1| 8BEC                  | mov     ebp,esp                                   |

    78312DF3| 83E4 F8               | and     esp,FFFFFFF8                              |

    78312DF6| 6A FF                 | push    -1                                        |

    78312DF8| 68 7ABF3A78           | push    783ABF7A                                  |

    78312DFD| 64:A1 00000000        | mov     eax,dword ptr fs:[0]                      |

    78312E03| 50                    | push    eax                                       |

    78312E04| 81EC 80000000         | sub     esp,80                                    |

    78312E0A| 53                    | push    ebx                                       |

    78312E0B| 56                    | push    esi                                       |

    78312E0C| 57                    | push    edi                                       |

    78312E0D| A1 18803C78           | mov     eax,dword ptr ds:[783C8018]               |

    78312E12| 33C4                  | xor     eax,esp                                   |

    78312E14| 50                    | push    eax                                       |

    78312E15| 8D8424 90000000       | lea     eax,dword ptr ss:[esp+90]                 |

    78312E1C| 64:A3 00000000        | mov     dword ptr fs:[0],eax                      |

    78312E22| 8BF9                  | mov     edi,ecx                                   |

    78312E24| 33C9                  | xor     ecx,ecx                                   |

    78312E26| 894C24 14             | mov     dword ptr ss:[esp+14],ecx                 |

    78312E2A| C74424 20 FFFFFF7F    | mov     dword ptr ss:[esp+20],7FFFFFFF            |

    78312E32| 8B75 08               | mov     esi,dword ptr ss:[ebp+8]                  |

    78312E35| 81FE 11010000         | cmp     esi,111                                   |

    78312E3B| 898C24 98000000       | mov     dword ptr ss:[esp+98],ecx                 |

    78312E42| 75 25                 | jnz     short 78312E69                            |MFC80U.78312E69

    78312E44| FF75 10               | push    dword ptr ss:[ebp+10]                     |

    78312E47| 8B07                  | mov     eax,dword ptr ds:[edi]                    |

    78312E49| FF75 0C               | push    dword ptr ss:[ebp+C]                      |

    78312E4C| 8BCF                  | mov     ecx,edi                                   |

    78312E4E| FF90 F0000000         | call    dword ptr ds:[eax+F0]                     |

    78312E54| 85C0                  | test    eax,eax                                   |

    78312E56| 0F84 FD010000         | je      78313059                                  |MFC80U.78313059

    78312E5C| C74424 14 01000000    | mov     dword ptr ss:[esp+14],1                   |

    78312E64| E9 28050000           | jmp     78313391                                  |MFC80U.78313391

    78312E69| 83FE 4E               | cmp     esi,4E                                    |

    78312E6C| 75 2B                 | jnz     short 78312E99                            |MFC80U.78312E99

    78312E6E| 8B45 10               | mov     eax,dword ptr ss:[ebp+10]                 |

    78312E71| 3908                  | cmp     dword ptr ds:[eax],ecx                    |

    78312E73| 0F84 E0010000         | je      78313059                                  |MFC80U.78313059

    78312E79| 8B17                  | mov     edx,dword ptr ds:[edi]                    |

    78312E7B| 8D4C24 14             | lea     ecx,dword ptr ss:[esp+14]                 |

    78312E7F| 51                    | push    ecx                                       |

    78312E80| 50                    | push    eax                                       |

    78312E81| FF75 0C               | push    dword ptr ss:[ebp+C]                      |

    78312E84| 8BCF                  | mov     ecx,edi                                   |

    78312E86| FF92 F4000000         | call    dword ptr ds:[edx+F4]                     |

    78312E8C| 85C0                  | test    eax,eax                                   |

    78312E8E| 0F85 FD040000         | jnz     78313391                                  |MFC80U.78313391

    78312E94| E9 C0010000           | jmp     78313059                                  |MFC80U.78313059

    78312E99| 83FE 06               | cmp     esi,6                                     |

    78312E9C| 8B5D 10               | mov     ebx,dword ptr ss:[ebp+10]                 |

    78312E9F| 75 13                 | jnz     short 78312EB4                            |MFC80U.78312EB4

    78312EA1| 53                    | push    ebx                                       |

    78312EA2| E8 1EEEFFFF           | call    78311CC5                                  |MFC80U.78311CC5

    78312EA7| FF75 0C               | push    dword ptr ss:[ebp+C]                      |

    78312EAA| 8BF0                  | mov     esi,eax                                   |

    78312EAC| E8 60EBFFFF           | call    78311A11                                  |MFC80U.78311A11

    78312EB1| 8B75 08               | mov     esi,dword ptr ss:[ebp+8]                  |

    78312EB4| 83FE 20               | cmp     esi,20                                    |

    78312EB7| 75 1C                 | jnz     short 78312ED5                            |MFC80U.78312ED5

    78312EB9| 66:81FB FEFF          | cmp     bx,0FFFE                                  |

    78312EBE| 75 0F                 | jnz     short 78312ECF                            |MFC80U.78312ECF

    78312EC0| 8BC3                  | mov     eax,ebx                                   |

    78312EC2| C1E8 10               | shr     eax,10                                    |

    78312EC5| 50                    | push    eax                                       |

    78312EC6| 8BCF                  | mov     ecx,edi                                   |

    78312EC8| E8 B0EBFFFF           | call    78311A7D                                  |MFC80U.78311A7D

    78312ECD| EB 02                 | jmp     short 78312ED1                            |MFC80U.78312ED1

    78312ECF| 33C0                  | xor     eax,eax                                   |

    78312ED1| 85C0                  | test    eax,eax                                   |

    78312ED3| 75 87                 | jnz     short 78312E5C                            |MFC80U.78312E5C

    78312ED5| 8B47 4C               | mov     eax,dword ptr ds:[edi+4C]                 |

    78312ED8| 85C0                  | test    eax,eax                                   |

    78312EDA| 74 4E                 | je      short 78312F2A                            |MFC80U.78312F2A

    78312EDC| 8378 74 00            | cmp     dword ptr ds:[eax+74],0                   |

    78312EE0| 7E 48                 | jle     short 78312F2A                            |MFC80U.78312F2A

    78312EE2| 81FE 00020000         | cmp     esi,200                                   |

    78312EE8| 72 08                 | jb      short 78312EF2                            |MFC80U.78312EF2

    78312EEA| 81FE 09020000         | cmp     esi,209                                   |

    78312EF0| 76 1B                 | jbe     short 78312F0D                            |MFC80U.78312F0D

    78312EF2| 81FE 00010000         | cmp     esi,100                                   |

    78312EF8| 72 08                 | jb      short 78312F02                            |MFC80U.78312F02

    78312EFA| 81FE 0F010000         | cmp     esi,10F                                   |

    78312F00| 76 0B                 | jbe     short 78312F0D                            |MFC80U.78312F0D

    78312F02| 8D86 7FFDFFFF         | lea     eax,dword ptr ds:[esi-281]                |

    78312F08| 83F8 10               | cmp     eax,10                                    |

    78312F0B| 77 1D                 | ja      short 78312F2A                            |MFC80U.78312F2A

    78312F0D| 8B4F 4C               | mov     ecx,dword ptr ds:[edi+4C]                 |

    78312F10| 8B01                  | mov     eax,dword ptr ds:[ecx]                    |

    78312F12| 8D5424 14             | lea     edx,dword ptr ss:[esp+14]                 |

    78312F16| 52                    | push    edx                                       |

    78312F17| 53                    | push    ebx                                       |

    78312F18| FF75 0C               | push    dword ptr ss:[ebp+C]                      |

    78312F1B| 56                    | push    esi                                       |

    78312F1C| FF90 9C000000         | call    dword ptr ds:[eax+9C]                     |

    78312F22| 85C0                  | test    eax,eax                                   |

    78312F24| 0F85 67040000         | jnz     78313391                                  |MFC80U.78313391

    78312F2A| 8B07                  | mov     eax,dword ptr ds:[edi]                    |

    78312F2C| 8BCF                  | mov     ecx,edi                                   |

    78312F2E| FF50 30               | call    dword ptr ds:[eax+30]                     | CtestDlg::GetMessageMap 004011D0

     

    CtestDlg::GetMessageMap

    004011D0| B8 78354000           | mov     eax,403578                                |

    004011D5| C3                    | retn                                              |

     

    数据窗口中跟随00403578

    00403578  00401680  @  ?GetThisMessageMap@CDialog@@

    0040357C  00403500  @  00403500

    00403580 >00320031  12

    00403584  00000033  3.

     

    其中 00401680 是基类 CDialog 的消息映射信息(?GetThisMessageMap@CDialog@@),00403500 是 CtestDlg 类自己的消息映射项数组;在数据窗口中跟随 00403500。每一项(AFX_MSGMAP_ENTRY)占 6 个 DWORD,依次为:消息号(nMessage)、通知码(nCode)、控件 ID(nID)、末尾控件 ID(nLastID)、签名(nSig)和处理函数地址(pfn);全为 0 的一项表示表的结束。

    00403500  00000112  Ē. WM_SYSCOMMAND

    00403504  00000000  ..

    00403508  00000000  ..

    0040350C  00000000  ..

    00403510  0000001E  ‑.

    00403514  004012C0  @  CtestDlg::OnSysCommand

    00403518  0000000F  . WM_PAINT

    0040351C  00000000  ..

    00403520  00000000  ..

    00403524  00000000  ..

    00403528  00000013  .

    0040352C  00401360  @  CtestDlg::OnPaint

    00403530  00000037  7. WM_QUERYDRAGICON

    00403534  00000000  ..

    00403538  00000000  ..

    0040353C  00000000  ..

    00403540  00000028  (.

    00403544  00401440  @  CtestDlg::OnQueryDragIcon

    00403548  00000111  đ. WM_COMMAND

    0040354C  00000000  ..

    00403550  000003E8  Ϩ.    按钮的 ID(nID),十进制是 1000

    00403554  000003E8  Ϩ.    末尾控件 ID(nLastID),与 nID 相同表示只匹配这一个按钮

    00403558  00000038  8.

    0040355C  00401450  @  CtestDlg::OnBnClickedButton1

    00403560  00000000  ..

    00403564  00000000  ..

    00403568  00000000  ..

    0040356C  00000000  ..

    00403570  00000000  ..

    00403574  00000000  ..

     

  • 原文地址:https://www.cnblogs.com/daxingxing/p/2186364.html