关于汇编代码

Stda6a

这段汇编代码，不知道什么原因，就是运行不了，问过AI了，AI说stdcall约定自动清理参数，改完之后我也看了，栈确实平衡了，但还是运行不了，难道是易失寄存器的关系吗？
push字符串我也看过了，大小端序好像没问题，求各位大佬解惑。
思路：fs0x30进去PEB，然后找kernel32.dll，拿到GetProcAddress和LoadLibraryA的地址，call一个mydll.dll里的loader()函数
BITS 32GLOBAL _startSECTION .text_start:    mov eax, [fs:0x30]    mov eax, [eax + 0x0C]    mov eax, [eax + 0x14]    mov eax, [eax]    mov eax, [eax]    mov ebx, [eax + 0x10]    ; ===== 解析 PE =====    mov ecx, [ebx + 0x3C]    add ecx, ebx    add ecx, 0x18    add ecx, 0x60    mov edx, [ecx]    add edx, ebx    ; ===== Name Table =====    mov ecx, [edx + 0x20]    add ecx, ebx    mov edi, [edx + 0x18]    xor esi, esifind_GetProcAddress:    cmp esi, edi    jge not_found    mov eax, [ecx + esi*4]    add eax, ebx    cmp dword [eax], 0x50746547    jne next    cmp dword [eax+4], 0x41636F72    jne next    cmp dword [eax+8], 0x65726464    jne next    cmp dword [eax+12], 0x00007373    je foundnext:    inc esi    jmp find_GetProcAddressnot_found:    xor eax, eax    retfound:    mov ecx, [edx + 0x24]    add ecx, ebx    movzx ecx, word [ecx + esi*2]    mov eax, [edx + 0x1C]    add eax, ebx    mov eax, [eax + ecx*4]    add eax, ebx    mov ecx, eax   ; GetProcAddress    ; ===== "LoadLibraryA" =====    push 0x00000000    push 0x41797261    push 0x7262694C    push 0x64616F4C    mov edi, esp    push edi    push ebx    call ecx    add esp,0x10    ; eax = LoadLibraryA    ; ===== "mydll.dll" =====    push 0x0000006C    push 0x6C642E6C    push 0x6C64796D    mov edi, esp    push edi    call eax    add esp,0xC    ; eax = hModule    ; ===== "loader" =====    push 0x00007265    push 0x64616F6C    mov edi, esp    push edi    push eax    call ecx    add esp,0x8    call eax    ret

Stda6a

代码发到这里了，上面排版有点乱

[Asm] 纯文本查看 复制代码

mov eax, [fs:0x30]
    mov eax, [eax + 0x0C]
    mov eax, [eax + 0x14]
    mov eax, [eax]
    mov eax, [eax]
    mov ebx, [eax + 0x10]

    ; ===== 解析 PE =====
    mov ecx, [ebx + 0x3C]
    add ecx, ebx
    add ecx, 0x18
    add ecx, 0x60
    mov edx, [ecx]
    add edx, ebx

    ; ===== Name Table =====
    mov ecx, [edx + 0x20]
    add ecx, ebx
    mov edi, [edx + 0x18]

    xor esi, esi

find_GetProcAddress:
    cmp esi, edi
    jge not_found

    mov eax, [ecx + esi*4]
    add eax, ebx

    cmp dword [eax], 0x50746547
    jne next
    cmp dword [eax+4], 0x41636F72
    jne next
    cmp dword [eax+8], 0x65726464
    jne next
    cmp dword [eax+12], 0x00007373
    je found

next:
    inc esi
    jmp find_GetProcAddress

not_found:
    xor eax, eax
    ret

found:
    mov ecx, [edx + 0x24]
    add ecx, ebx
    movzx ecx, word [ecx + esi*2]

    mov eax, [edx + 0x1C]
    add eax, ebx
    mov eax, [eax + ecx*4]
    add eax, ebx

    mov ecx, eax   ; GetProcAddress

    ; ===== "LoadLibraryA" =====
    push 0x00000000
    push 0x41797261
    push 0x7262694C
    push 0x64616F4C
    mov edi, esp

    push edi
    push ebx
    call ecx
    add esp,0x10
    ; eax = LoadLibraryA

    ; ===== "mydll.dll" =====
    push 0x0000006C
    push 0x6C642E6C
    push 0x6C64796D
    mov edi, esp

    push edi
    call eax
    add esp,0xC
    ; eax = hModule

    ; ===== "loader" =====
    push 0x00007265
    push 0x64616F6C
    mov edi, esp

    push edi
    push eax
    call ecx
    add esp,0x8
    call eax
    ret

wszjljx

调用约定错误 EBX ESI EDI EBP这些非易失寄存器 使用之前需要函数自己先PUSH保存原值 在RET前POP恢复原值
具体参考https://learn.microsoft.com/zh-c ... tions?view=msvc-140

anning666

有没有大神帮忙解释一下,汇编这种非人类的代码是如何上手学习的.........感觉和经过混淆和加密的代码一个模样................

wanxiangyu

改了个可在vs2010下32位运行的代码，具体修改自己对比下吧


#include <stdio.h>

int main()
{
        printf("000\n");
__asm {
;语法
;mov eax, [fs:0x30]
mov eax, dword ptr fs:[0x30]
    mov eax, [eax + 0x0C]
    mov eax, [eax + 0x14]
    mov eax, [eax]
    mov eax, [eax]
    mov ebx, [eax + 0x10]

    ; ===== 解析 PE =====
    mov ecx, [ebx + 0x3C]
    add ecx, ebx
    add ecx, 0x18
    add ecx, 0x60
    mov edx, [ecx]
    add edx, ebx

    ; ===== Name Table =====
    mov ecx, [edx + 0x20]
    add ecx, ebx
    mov edi, [edx + 0x18]
    xor esi, esi

find_GetProcAddress:
    cmp esi, edi
    jge not_found

    mov eax, [ecx + esi*4]
    add eax, ebx
;语法
;cmp dword [eax], 0x50746547
cmp dword ptr [eax], 0x50746547
    jne next
;语法
;cmp dword [eax+4], 0x41636F72
cmp dword ptr [eax+4], 0x41636F72
    jne next
;语法
;cmp dword [eax+8], 0x65726464
cmp dword ptr [eax+8], 0x65726464
    jne next
;语法,注意这里,如果比较双字，你得要求确实存在两个零结尾,我这里不行,大概只有一个零?
;我简写了比较一个字,是不严谨的
;cmp dword [eax+12], 0x00007373
cmp word ptr [eax+12], 0x7373
    je found

next:
    inc esi
    jmp find_GetProcAddress

not_found:
    xor eax, eax
    ret

found:
    mov ecx, [edx + 0x24]
    add ecx, ebx
;语法
;movzx ecx, word [ecx + esi*2]
movzx ecx, word ptr [ecx + esi*2]

    mov eax, [edx + 0x1C]
    add eax, ebx
    mov eax, [eax + ecx*4]
    add eax, ebx

    mov ecx, eax   ; GetProcAddress
;这里又是一处关键修改,既然ecx存放GetProcAddress地址,那么下面多处的call调用,可能会破坏ecx值
;应该先存起起来,下面增加的多处push ecx/pop ecx的作用也是如此
;使得在最后取loader函数地址的时候,ecx仍然是GetProcAddress地址
;下面不再一一注释了,在vs2010下,32位可以正常运行
push ecx
    ; ===== "LoadLibraryA" =====
    push 0x00000000
    push 0x41797261
    push 0x7262694C
    push 0x64616F4C
    mov edi, esp

    push edi
    push ebx
    call ecx
    add esp,0x10
    ; eax = LoadLibraryA
pop ecx
push ecx
    ; ===== "mydll.dll" =====
    push 0x0000006C
    push 0x6C642E6C
    push 0x6C64796D
    mov edi, esp

    push edi
    call eax
    add esp,0xC
    ; eax = hModule
pop ecx
push ecx
    ; ===== "loader" =====
    push 0x00007265
    push 0x64616F6C
    mov edi, esp

    push edi
    push eax
    call ecx
    add esp,0x8
pop ecx
    call eax
    ;ret
}
        printf("999\n");
        return 0;
}