[挑战]一断读取文件的汇编代码供分析
这是一段读取文件然后解密的程序,解密部分我没上,循序渐进,在代码边上加注释00401130 /$ 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00401136 |. 6A FF PUSH -1
00401138 |. 68 D6AC4000 PUSH pwpack.0040ACD6
0040113D |. 50 PUSH EAX
0040113E |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00401145 |. 81EC 5C030000 SUB ESP,35C
0040114B |. 53 PUSH EBX
0040114C |. 8BD9 MOV EBX,ECX
0040114E |. 8B03 MOV EAX,DWORD PTR DS:[EBX]
00401150 |. 85C0 TEST EAX,EAX
00401152 |. 56 PUSH ESI
00401153 |. 57 PUSH EDI
00401154 |. 74 0A JE SHORT pwpack.00401160
00401156 |. 50 PUSH EAX ; /stream
00401157 |. FF15 44B04000 CALL DWORD PTR DS:[<&MSVCR71.fclose>] ; \fclose
0040115D |. 83C4 04 ADD ESP,4
00401160 |> 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10]
00401163 |. 8B30 MOV ESI,DWORD PTR DS:[EAX]
00401165 |. 3BF0 CMP ESI,EAX
00401167 |. 8D7B 10 LEA EDI,DWORD PTR DS:[EBX+10]
0040116A |. 74 17 JE SHORT pwpack.00401183
0040116C |. 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
00401170 |> 8BC6 /MOV EAX,ESI
00401172 |. 8B36 |MOV ESI,DWORD PTR DS:[ESI]
00401174 |. 50 |PUSH EAX
00401175 |. E8 02950000 |CALL <JMP.&MSVCR71.??3@YAXPAX@Z>
0040117A |. 8B07 |MOV EAX,DWORD PTR DS:[EDI]
0040117C |. 83C4 04 |ADD ESP,4
0040117F |. 3BF0 |CMP ESI,EAX
00401181 |.^75 ED \JNZ SHORT pwpack.00401170
00401183 |> 8B07 MOV EAX,DWORD PTR DS:[EDI]
00401185 |. 8900 MOV DWORD PTR DS:[EAX],EAX
00401187 |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
00401189 |. 8940 04 MOV DWORD PTR DS:[EAX+4],EAX
0040118C |. 8B8424 7803000>MOV EAX,DWORD PTR SS:[ESP+378]
00401193 |. 68 68EA4000 PUSH pwpack.0040EA68 ; /mode = "rb"
00401198 |. 50 PUSH EAX ; |path
00401199 |. C703 00000000 MOV DWORD PTR DS:[EBX],0 ; |
0040119F |. FF15 DCB04000 CALL DWORD PTR DS:[<&MSVCR71._wfopen>] ; \_wfopen
004011A5 |. 83C4 08 ADD ESP,8
004011A8 |. 85C0 TEST EAX,EAX
004011AA |. 8903 MOV DWORD PTR DS:[EBX],EAX
004011AC |. 75 0A JNZ SHORT pwpack.004011B8
004011AE |. B8 01000000 MOV EAX,1
004011B3 |. E9 48020000 JMP pwpack.00401400
004011B8 |> 55 PUSH EBP
004011B9 |. 8B2D 20B04000 MOV EBP,DWORD PTR DS:[<&MSVCR71.fread>] ; MSVCR71.fread
004011BF |. 50 PUSH EAX ; /stream
004011C0 |. 6A 01 PUSH 1 ; |n = 1
004011C2 |. 8D4C24 44 LEA ECX,DWORD PTR SS:[ESP+44] ; |
004011C6 |. 6A 0C PUSH 0C ; |size = C (12.)
004011C8 |. 51 PUSH ECX ; |ptr
004011C9 |. FFD5 CALL EBP ; \fread
004011CB |. 8B4424 4C MOV EAX,DWORD PTR SS:[ESP+4C]
004011CF |. 83C4 10 ADD ESP,10
004011D2 |. 3D EF23CA4D CMP EAX,4DCA23EF
004011D7 |. 0F85 1D020000 JNZ pwpack.004013FA
004011DD |. 817C24 44 B789>CMP DWORD PTR SS:[ESP+44],56A089B7
004011E5 |. 0F85 0F020000 JNZ pwpack.004013FA
004011EB |. 8B13 MOV EDX,DWORD PTR DS:[EBX]
004011ED |. 8B35 3CB04000 MOV ESI,DWORD PTR DS:[<&MSVCR71.fseek>] ; MSVCR71.fseek
004011F3 |. 6A 02 PUSH 2 ; /whence = SEEK_END
004011F5 |. 6A F8 PUSH -8 ; |offset = FFFFFFF8 (-8.)
004011F7 |. 52 PUSH EDX ; |stream
004011F8 |. FFD6 CALL ESI ; \fseek
004011FA |. 8B03 MOV EAX,DWORD PTR DS:[EBX]
004011FC |. 50 PUSH EAX
004011FD |. 6A 01 PUSH 1
004011FF |. 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C]
00401203 |. 6A 04 PUSH 4
00401205 |. 51 PUSH ECX
00401206 |. FFD5 CALL EBP
00401208 |. 8B13 MOV EDX,DWORD PTR DS:[EBX]
0040120A |. 52 PUSH EDX
0040120B |. 6A 01 PUSH 1
0040120D |. 8D4424 5C LEA EAX,DWORD PTR SS:[ESP+5C]
00401211 |. 6A 04 PUSH 4
00401213 |. 50 PUSH EAX
00401214 |. FFD5 CALL EBP
00401216 |. 8B4424 64 MOV EAX,DWORD PTR SS:[ESP+64]
0040121A |. 83C4 2C ADD ESP,2C
0040121D |. 3D 02000200 CMP EAX,20002
00401222 |. 0F85 D2010000 JNZ pwpack.004013FA
00401228 |. 8B0B MOV ECX,DWORD PTR DS:[EBX]
0040122A |. 6A 02 PUSH 2
0040122C |. 68 E8FEFFFF PUSH -118
00401231 |. 51 PUSH ECX
00401232 |. FFD6 CALL ESI
00401234 |. 8B13 MOV EDX,DWORD PTR DS:[EBX]
00401236 |. 52 PUSH EDX
00401237 |. 6A 01 PUSH 1
00401239 |. 8D4424 5C LEA EAX,DWORD PTR SS:[ESP+5C]
0040123D |. 68 10010000 PUSH 110
00401242 |. 50 PUSH EAX
00401243 |. FFD5 CALL EBP
00401245 |. 8B4424 64 MOV EAX,DWORD PTR SS:[ESP+64]
00401249 |. 83C4 1C ADD ESP,1C
0040124C |. 3D EEFEFDFD CMP EAX,FDFDFEEE
00401251 |. 0F85 78010000 JNZ pwpack.004013CF
00401257 |. 81BC24 5401000>CMP DWORD PTR SS:[ESP+154],F00DBEEF
00401262 |. 0F85 67010000 JNZ pwpack.004013CF
00401268 |. 8B4424 50 MOV EAX,DWORD PTR SS:[ESP+50]
0040126C |. 8B0B MOV ECX,DWORD PTR DS:[EBX]
0040126E |. 35 627493A8 XOR EAX,A8937462
00401273 |. 6A 00 PUSH 0
00401275 |. 50 PUSH EAX
00401276 |. 51 PUSH ECX
00401277 |. 894424 5C MOV DWORD PTR SS:[ESP+5C],EAX
0040127B |. FFD6 CALL ESI
0040127D |. 83C4 0C ADD ESP,0C
00401280 |. 8BC7 MOV EAX,EDI
00401282 |. E8 C9190000 CALL pwpack.00402C50
00401287 |. 33F6 XOR ESI,ESI
00401289 |. 33FF XOR EDI,EDI
0040128B |. 897C24 2C MOV DWORD PTR SS:[ESP+2C],EDI
0040128F |. 897424 30 MOV DWORD PTR SS:[ESP+30],ESI
00401293 |. 897424 34 MOV DWORD PTR SS:[ESP+34],ESI
00401297 |. 89B424 7403000>MOV DWORD PTR SS:[ESP+374],ESI
0040129E |. 897424 20 MOV DWORD PTR SS:[ESP+20],ESI
004012A2 |. 897424 24 MOV DWORD PTR SS:[ESP+24],ESI
004012A6 |. 897424 28 MOV DWORD PTR SS:[ESP+28],ESI
004012AA |. C68424 7403000>MOV BYTE PTR SS:[ESP+374],1
004012B2 |. 397424 18 CMP DWORD PTR SS:[ESP+18],ESI
004012B6 |. 897424 14 MOV DWORD PTR SS:[ESP+14],ESI
004012BA |. 0F86 BF000000 JBE pwpack.0040137F
004012C0 |> 8B13 /MOV EDX,DWORD PTR DS:[EBX]
004012C2 |. 52 |PUSH EDX
004012C3 |. 6A 01 |PUSH 1
004012C5 |. 8D4424 24 |LEA EAX,DWORD PTR SS:[ESP+24]
004012C9 |. 6A 04 |PUSH 4
004012CB |. 50 |PUSH EAX
004012CC |. FFD5 |CALL EBP
004012CE |. 8B0B |MOV ECX,DWORD PTR DS:[EBX]
004012D0 |. 51 |PUSH ECX
004012D1 |. 6A 01 |PUSH 1
004012D3 |. 8D5424 28 |LEA EDX,DWORD PTR SS:[ESP+28]
004012D7 |. 6A 04 |PUSH 4
004012D9 |. 52 |PUSH EDX
004012DA |. FFD5 |CALL EBP
004012DC |. 8B5424 3C |MOV EDX,DWORD PTR SS:[ESP+3C]
004012E0 |. 8B4424 30 |MOV EAX,DWORD PTR SS:[ESP+30]
004012E4 |. 81F2 627493A8 |XOR EDX,A8937462
004012EA |. 35 5336A4F1 |XOR EAX,F1A43653
004012EF |. 83C4 20 |ADD ESP,20
004012F2 |. 3BD0 |CMP EDX,EAX
004012F4 |. 895424 1C |MOV DWORD PTR SS:[ESP+1C],EDX
004012F8 |. 894424 10 |MOV DWORD PTR SS:[ESP+10],EAX
004012FC |. 0F85 AF000000 |JNZ pwpack.004013B1
00401302 |. 8D7C24 2C |LEA EDI,DWORD PTR SS:[ESP+2C]
00401306 |. E8 E5160000 |CALL pwpack.004029F0
0040130B |. 8B0B |MOV ECX,DWORD PTR DS:[EBX]
0040130D |. 8B4424 2C |MOV EAX,DWORD PTR SS:[ESP+2C]
00401311 |. 8B7424 30 |MOV ESI,DWORD PTR SS:[ESP+30]
00401315 |. 51 |PUSH ECX
00401316 |. 2BF0 |SUB ESI,EAX
00401318 |. 6A 01 |PUSH 1
0040131A |. 56 |PUSH ESI
0040131B |. 50 |PUSH EAX
0040131C |. FFD5 |CALL EBP
0040131E |. 83C4 10 |ADD ESP,10
00401321 |. BA 14010000 |MOV EDX,114
00401326 |. 8D7C24 20 |LEA EDI,DWORD PTR SS:[ESP+20]
0040132A |. E8 C1160000 |CALL pwpack.004029F0
0040132F |. 56 |PUSH ESI ; /Arg2
00401330 |. 8B7424 30 |MOV ESI,DWORD PTR SS:[ESP+30] ; |
00401334 |. 56 |PUSH ESI ; |Arg1
00401335 |. 8D4C24 28 |LEA ECX,DWORD PTR SS:[ESP+28] ; |
00401339 |. E8 E2000000 |CALL pwpack.00401420 ; \pwpack.00401420
0040133E |. 85C0 |TEST EAX,EAX
00401340 |. 894424 10 |MOV DWORD PTR SS:[ESP+10],EAX
00401344 |. 0F85 8C000000 |JNZ pwpack.004013D6
0040134A |. 8B5424 20 |MOV EDX,DWORD PTR SS:[ESP+20]
0040134E |. 8DB424 5801000>|LEA ESI,DWORD PTR SS:[ESP+158]
00401355 |. E8 D6060000 |CALL pwpack.00401A30
0040135A |. 8BCE |MOV ECX,ESI
0040135C |. 8D43 10 |LEA EAX,DWORD PTR DS:[EBX+10]
0040135F |. E8 CC150000 |CALL pwpack.00402930
00401364 |. 8B4424 14 |MOV EAX,DWORD PTR SS:[ESP+14]
00401368 |. 8B4C24 18 |MOV ECX,DWORD PTR SS:[ESP+18]
0040136C |. 8B7C24 2C |MOV EDI,DWORD PTR SS:[ESP+2C]
00401370 |. 40 |INC EAX
00401371 |. 33F6 |XOR ESI,ESI
00401373 |. 3BC1 |CMP EAX,ECX
00401375 |. 894424 14 |MOV DWORD PTR SS:[ESP+14],EAX
00401379 |.^0F82 41FFFFFF \JB pwpack.004012C0
0040137F |> 8B9424 7C03000>MOV EDX,DWORD PTR SS:[ESP+37C]
00401386 |. 83C3 04 ADD EBX,4
00401389 |. 53 PUSH EBX
0040138A |. E8 71150000 CALL pwpack.00402900
0040138F |. 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20]
00401393 |. 3BC6 CMP EAX,ESI
00401395 |. 74 09 JE SHORT pwpack.004013A0
00401397 |. 50 PUSH EAX
00401398 |. E8 DF920000 CALL <JMP.&MSVCR71.??3@YAXPAX@Z>
0040139D |. 83C4 04 ADD ESP,4
004013A0 |> 3BFE CMP EDI,ESI
004013A2 |. 74 09 JE SHORT pwpack.004013AD
004013A4 |. 57 PUSH EDI
004013A5 |. E8 D2920000 CALL <JMP.&MSVCR71.??3@YAXPAX@Z>
004013AA |. 83C4 04 ADD ESP,4
004013AD |> 33C0 XOR EAX,EAX
004013AF |. EB 4E JMP SHORT pwpack.004013FF
004013B1 |> 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20]
004013B5 |. 3BC6 CMP EAX,ESI
004013B7 |. 74 09 JE SHORT pwpack.004013C2
004013B9 |. 50 PUSH EAX
004013BA |. E8 BD920000 CALL <JMP.&MSVCR71.??3@YAXPAX@Z>
004013BF |. 83C4 04 ADD ESP,4
004013C2 |> 3BFE CMP EDI,ESI
004013C4 |. 74 09 JE SHORT pwpack.004013CF
004013C6 |. 57 PUSH EDI
004013C7 |. E8 B0920000 CALL <JMP.&MSVCR71.??3@YAXPAX@Z>
004013CC |. 83C4 04 ADD ESP,4
004013CF |> B8 03000000 MOV EAX,3
004013D4 |. EB 29 JMP SHORT pwpack.004013FF
004013D6 |> 8BF8 MOV EDI,EAX
004013D8 |. 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20]
004013DC |. 85C0 TEST EAX,EAX
004013DE |. 74 09 JE SHORT pwpack.004013E9
004013E0 |. 50 PUSH EAX
004013E1 |. E8 96920000 CALL <JMP.&MSVCR71.??3@YAXPAX@Z>
004013E6 |. 83C4 04 ADD ESP,4
004013E9 |> 85F6 TEST ESI,ESI
004013EB |. 74 09 JE SHORT pwpack.004013F6
004013ED |. 56 PUSH ESI
004013EE |. E8 89920000 CALL <JMP.&MSVCR71.??3@YAXPAX@Z>
004013F3 |. 83C4 04 ADD ESP,4
004013F6 |> 8BC7 MOV EAX,EDI
004013F8 |. EB 05 JMP SHORT pwpack.004013FF
004013FA |> B8 02000000 MOV EAX,2
004013FF |> 5D POP EBP
00401400 |> 8B8C24 6803000>MOV ECX,DWORD PTR SS:[ESP+368]
00401407 |. 5F POP EDI
00401408 |. 5E POP ESI
00401409 |. 5B POP EBX
0040140A |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX
00401411 |. 81C4 68030000 ADD ESP,368
00401417 \. C2 0400 RETN 4
