下面的代码是对易语言核心runtime(核心支持库krnln.fne)的易格式loader和部分核心services的逆向工程分析。仅仅是逆向分析而已,代码没有经过任何优化。其他就没什么好说的了,具体就看代码吧。
注:和E-Code Explorer配合使用会有意想不到的效果:)
//////////////////////////////////////////////////////////// //// MicroLoader v0.01 //// filename: MicroLoader.cpp //// coder: monkeycz //// create time: 2005/09/29 23:21 //// fix time: 2005/10/21 ////////////////////////////////////////////////////////////
#include "MicroLoader.h"
// ---- PE image headers and section bookkeeping ----
PIMAGE_DOS_HEADER     DosHeader     = NULL;
PIMAGE_NT_HEADERS     NtHeader      = NULL;
PIMAGE_SECTION_HEADER SectionHeader = NULL;

// ---- E-format application header, section and relocation cursors ----
PAPP_HEADER_INFO ECodeHeaderInfo     = NULL;
PSECTION_INFO    ThisSectionInfo     = NULL;
PRELOCATION_INF  ThisRelocationInfo  = NULL;

UINT32 NumberOfSections = 0;
UINT32 ESectionVA       = 0;

// One byte longer than the PE short-name field (presumably room for a NUL terminator).
char SectionName[IMAGE_SIZEOF_SHORT_NAME + 1];

// Table with ESERVERCOUNT integer-sized slots (addresses are stored as UINT32 throughout this file).
UINT32 ServerPointTable[ESERVERCOUNT];

typedef void (__stdcall* ECODESTART)(void);
ECODESTART ECodeStart = NULL;

PFN_GET_LIB_INFO GetThisNewInfo = NULL;

// ---- Per-kind section pointers ----
PSECTION_INFO pConstSectionOffset    = NULL;
PSECTION_INFO pWinFormSectionOffset  = NULL;
PSECTION_INFO pHelpFuncSectionOffset = NULL;
PSECTION_INFO pCodeSectionOffset     = NULL;
PSECTION_INFO pVarSectionOffset      = NULL;

// ---- DLL command table ----
PDLLCMD DllCmdHead = NULL;
PDLLCMD ThisDllCmd = NULL;
UINT32  DllCmdNO   = 0;

// ---- Support-library table (released by Exit) ----
PLIBINFO      LibInfoHead = NULL;
PLIBINFO      ThisLibInfo = NULL;
LIBSTRINGINFO ThisLibStringInfo;
UINT32        LibCount    = 0;

// Integer that ServerFunction_09 casts to a function pointer and calls when non-zero.
UINT32 SaveAAddress = 0;

typedef void (__stdcall* UNKNOWFUN)(void);
UNKNOWFUN UnKnowFun   = NULL;
HMODULE   ThisLibrary = NULL;

// Heap handle destroyed by Exit.
HANDLE ThisHeap = NULL;

char* LibStringHead = NULL;
char* ThisLibString = NULL;

// Fixed 256-byte buffer; any code filling it has to bound its copy to that size.
char ThisLibFileName[256];

PFN_EXECUTE_CMD** ThisCmdsFuncHead = NULL;
UINT32            LibCmdNO         = 0;

PFN_NOTIFY_SYS MyNotifySys   = NULL;
PFN_NOTIFY_LIB ThisNotifyLib = NULL;

char* ThisCmdLine = NULL;

// Fixed 256-byte path buffers; the same size limit applies to whatever writes them.
char FileName_Full[256];
char FileName_Name[256];
char FileName_Path[256];

typedef void (__stdcall* GETNEWSOCK)(UINT32 Param1);
GETNEWSOCK GetNewSock = NULL;

// Shared message buffer; ThisNotifySys formats into it with an unbounded sprintf.
char ErrorString[256];

INT              ThisBaseCmdOffset   = -1;
PFN_EXECUTE_CMD* ThisExecuteCmdPoint = NULL;

// Scratch variables
UINT32  i      = 0;
UINT32  temp   = 0;
UINT32* ptemp  = NULL;
bool    FindOK = false;

// Forward declarations
void Exit(void);
void _cdecl ServerFunction_09(UINT32 Param1);
UINT32 _cdecl ServerFunction_06(UINT32 Param1);
//实现核心基本命令 void _cdecl bnot (PMDATA_INF pRetData, INT nArgCount, PMDATA_INF pArgInf) { pRetData->m_int = ~(pArgInf->m_int); pRetData->m_dtDataType = SDT_INT; return; }
// Bitwise AND across the integer values of all nArgCount arguments.
// The first argument seeds the accumulator, so at least one argument is read
// regardless of nArgCount. The result is tagged SDT_INT.
void _cdecl band (PMDATA_INF pRetData, INT nArgCount, PMDATA_INF pArgInf)
{
    INT acc = pArgInf->m_int;

    for (int idx = 1; idx < nArgCount; ++idx)
    {
        acc &= pArgInf[idx].m_int;
    }

    pRetData->m_int = acc;
    pRetData->m_dtDataType = SDT_INT;
}
// Bitwise OR across the integer values of all nArgCount arguments.
// The first argument seeds the accumulator, so at least one argument is read
// regardless of nArgCount. The result is tagged SDT_INT.
void _cdecl bor (PMDATA_INF pRetData, INT nArgCount, PMDATA_INF pArgInf)
{
    INT acc = pArgInf->m_int;

    for (int idx = 1; idx < nArgCount; ++idx)
    {
        acc |= pArgInf[idx].m_int;
    }

    pRetData->m_int = acc;
    pRetData->m_dtDataType = SDT_INT;
}
// Bitwise XOR across the integer values of all nArgCount arguments.
// The first argument seeds the accumulator, so at least one argument is read
// regardless of nArgCount. The result is tagged SDT_INT.
void _cdecl bxor (PMDATA_INF pRetData, INT nArgCount, PMDATA_INF pArgInf)
{
    INT acc = pArgInf->m_int;

    for (int idx = 1; idx < nArgCount; ++idx)
    {
        acc ^= pArgInf[idx].m_int;
    }

    pRetData->m_int = acc;
    pRetData->m_dtDataType = SDT_INT;
}
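// Left shift: result = first argument << second argument, tagged SDT_INT.
// nArgCount is not consulted; two arguments are always read.
//
// The shift count comes from the interpreted program. In C++ a count that is
// negative or >= the operand width is undefined behaviour, as is left-shifting
// a negative signed value (before C++20). The count is therefore reduced to its
// low five bits, which is also what the x86 shift instructions do with a
// variable count, and the shift itself is done on the unsigned bit pattern.
// Assumes INT is 32 bits wide, as the UINT32 casts elsewhere in this file do.
void _cdecl shl (PMDATA_INF pRetData, INT nArgCount, PMDATA_INF pArgInf)
{
    const UINT32 value = (UINT32)pArgInf->m_int;
    const UINT32 count = (UINT32)(pArgInf + 1)->m_int & 31u;

    pRetData->m_int = (INT)(value << count);
    pRetData->m_dtDataType = SDT_INT;
}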
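// Right shift: result = first argument >> second argument, tagged SDT_INT.
// nArgCount is not consulted; two arguments are always read.
//
// The shift count comes from the interpreted program. A count that is negative
// or >= the operand width is undefined behaviour in C++, so it is reduced to
// its low five bits, which is also what the x86 shift instructions do with a
// variable count. The left operand stays signed, so whether the shift is
// arithmetic or logical is unchanged from the original expression.
// Assumes INT is 32 bits wide, as the UINT32 casts elsewhere in this file do.
void _cdecl shr (PMDATA_INF pRetData, INT nArgCount, PMDATA_INF pArgInf)
{
    const INT    value = pArgInf->m_int;
    const UINT32 count = (UINT32)(pArgInf + 1)->m_int & 31u;

    pRetData->m_int = value >> count;
    pRetData->m_dtDataType = SDT_INT;
}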
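// Treats the first argument's integer as the address of a NUL-terminated string
// and returns a copy of it as SDT_TEXT. An empty string yields a NULL text
// pointer. nArgCount is not consulted.
//
// The address is supplied by the interpreted program and cannot be validated
// here beyond a NULL check. The catch(...) only intercepts an access violation
// when the build maps structured exceptions to C++ exceptions (MSVC /EHa);
// otherwise a bad non-NULL address still faults inside strlen. On an unreadable
// address the function shows ERROR_021 and terminates through ServerFunction_09.
void _cdecl pstr (PMDATA_INF pRetData, INT nArgCount, PMDATA_INF pArgInf)
{
    char* ThisStr = (char*)pArgInf->m_int;
    char* NewStr = NULL;
    UINT32 ThisStrLen = 0;

    // Reject NULL explicitly so that case does not depend on exception mapping.
    bool Readable = (ThisStr != NULL);
    if (Readable)
    {
        try
        {
            ThisStrLen = (UINT32)strlen(ThisStr);
        }
        catch(...)
        {
            Readable = false;
        }
    }

    if (!Readable)
    {
        MessageBoxA(0, ERROR_021, "error", MB_ICONERROR);
        ServerFunction_09(0);
        return;
    }

    if (ThisStrLen != 0)
    {
        // ServerFunction_06 is defined outside this view; it is used here as an
        // allocator taking a byte count. Its failure behaviour is unknown, so
        // the copy is skipped when it hands back NULL instead of writing to
        // address zero. The result is then the same NULL text as for "".
        NewStr = (char *)ServerFunction_06(ThisStrLen + 1);
        if (NewStr != NULL)
        {
            memcpy(NewStr, ThisStr, ThisStrLen + 1);   // includes the terminator
        }
    }

    pRetData->m_pText = NewStr;
    pRetData->m_dtDataType = SDT_TEXT;
}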
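// Copies a caller-supplied byte range into a newly allocated SDT_BIN value.
// The first argument's integer is used as the source address and the second
// argument's integer as the byte count. The new block starts with an 8-byte
// header (two UINT32 words: 0x0001, then the length) followed by the data.
// A NULL source, a non-positive length or a failed allocation yields a NULL
// bin pointer. nArgCount is not consulted.
//
// Fixes relative to the listing this was recovered from:
//  - the length was read with (pArgInf++)->m_int, which re-reads argument 0
//    (the address) before advancing, so the address was used as the length;
//  - the second header store used *(NewBinHead++), which overwrote word 0 and
//    left word 1 uninitialised;
//  - the length, which comes from the interpreted program, was not checked, so
//    ThisBinLen + 8 could wrap and undersize the allocation before the memcpy;
//  - the allocation result was not checked before being written through.
// The source address itself still cannot be validated here: the caller must
// pass a range that is readable for the whole length.
void _cdecl pbin (PMDATA_INF pRetData, INT nArgCount, PMDATA_INF pArgInf)
{
    unsigned char* ThisBin = (unsigned char*)pArgInf->m_int;
    const INT RequestedLen = (pArgInf + 1)->m_int;
    unsigned char* NewBin = NULL;

    // A positive INT cannot wrap when 8 is added in UINT32 arithmetic
    // (assumes INT is 32 bits wide, as the casts in this file already do).
    if (ThisBin != NULL && RequestedLen > 0)
    {
        const UINT32 ThisBinLen = (UINT32)RequestedLen;

        // ServerFunction_06 is defined outside this view; it is used here as an
        // allocator taking a byte count.
        NewBin = (unsigned char *)ServerFunction_06(ThisBinLen + 8);
        if (NewBin != NULL)
        {
            UINT32* NewBinHead = (UINT32*)NewBin;
            NewBinHead[0] = 0x0001;
            NewBinHead[1] = ThisBinLen;
            memcpy(NewBin + 8, ThisBin, ThisBinLen);
        }
    }

    pRetData->m_pBin = NewBin;
    pRetData->m_dtDataType = SDT_BIN;
}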
//核心代码从这里开始:)
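// Releases what the loader acquired: the DLL command table, every loaded
// support library (each is sent NL_FREE_LIB_DATA through its notify callback,
// when it has one, and is then unloaded), the library table itself and the
// private heap.
//
// Fixes relative to the listing this was recovered from:
//  - the table cursor was advanced at the bottom of the loop body, so the
//    `continue` taken for an entry with a NULL handle or NULL info skipped the
//    advance; every later iteration re-tested the same entry and the libraries
//    after it were never notified or unloaded. The advance now lives in the
//    for header.
//  - freed globals are reset to NULL so a second call cannot free or destroy
//    them again, and ThisLibInfo no longer points into the freed table.
void Exit(void)
{
    if (DllCmdHead != NULL)
    {
        free(DllCmdHead);
        DllCmdHead = NULL;
    }

    if (LibInfoHead != NULL)
    {
        ThisLibInfo = LibInfoHead;
        for (UINT32 i = 1; i <= LibCount; i++, ThisLibInfo++)
        {
            // Entries that were never fully loaded are skipped, as before.
            if (ThisLibInfo->ThisLibHandle == NULL || ThisLibInfo->ThisLibInfo == NULL)
            {
                continue;
            }

            // Let the library drop its own data while it is still mapped.
            ThisNotifyLib = ThisLibInfo->ThisLibInfo->m_pfnNotify;
            if (ThisNotifyLib != NULL)
            {
                ThisNotifyLib(NL_FREE_LIB_DATA, 0, 0);
            }

            FreeLibrary(ThisLibInfo->ThisLibHandle);
            ThisLibInfo->ThisLibHandle = NULL;
            ThisLibInfo->ThisLibInfo = NULL;
        }

        free(LibInfoHead);
        LibInfoHead = NULL;
        ThisLibInfo = NULL;
        LibCount = 0;
    }

    if (ThisHeap != NULL)
    {
        HeapDestroy(ThisHeap);
        ThisHeap = NULL;
    }
}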
// Runs the loader's cleanup and ends the process with exit code Param1.
// The function is declared naked, so the compiler generates no prologue or
// epilogue; the two inline-assembly blocks provide the frame setup and the
// final return by hand.
__declspec(naked) void _cdecl ServerFunction_09(UINT32 Param1)
{
    // Hand-written prologue.
    __asm
    {
        push ebp
        mov ebp, esp
    }

    // SaveAAddress is an integer global; when non-zero it is cast to a
    // parameterless __stdcall function pointer and called before cleanup.
    // NOTE(review): where SaveAAddress gets its value is not visible here;
    // confirm it can only ever hold an address the loader itself resolved.
    if(SaveAAddress != NULL)
    {
        UnKnowFun = (UNKNOWFUN)SaveAAddress;
        UnKnowFun();
    }

    Exit();
    ExitProcess(Param1);

    // ExitProcess does not return, so this ret is not expected to execute.
    // The ebp pushed in the prologue is never popped before it.
    __asm
    {
        ret
    }
}
INT WINAPI ThisNotifySys(INT nMsg, DWORD dwParam1 = 0, DWORD dwParam2 = 0) { PMDATA_INF ThisDataInfo = NULL; void* temppoint= NULL; DWORD temp = 0;
switch(nMsg) { case NAS_GET_APP_ICON: //通知系统创建并返回程序的图标 //和窗口组建相关,不处理 sprintf(ErrorString, "%s\n\nIntra error number is %d.", ERROR_016, NAS_GET_APP_ICON); MessageBoxA(0, ErrorString, "error", MB_ICONERROR); ServerFunction_09(0); break; case NAS_GET_LIB_DATA_TYPE_INFO: //返回指定库定义数据类型的PLIB_DATA_TYPE_INFO定义信息指针 temp = dwParam1; if((temp >> 30) == 0) { ThisLibInfo = LibInfoHead; ThisLibInfo += ((temp >> 16) - 1); return (INT)(ThisLibInfo->ThisLibInfo->m_pDataType + (((temp << 16) >> 16) - 1)); } break; case NAS_GET_HBITMAP: //返回非NULL的HBITMAP句柄(注意使用完毕后释放),否则返回NULL //和窗口组建相关,不处理 sprintf(ErrorString, "%s\n\nIntra error number is %d.", ERROR_016, NAS_GET_HBITMAP); MessageBoxA(0, ErrorString, "error", MB_ICONERROR); ServerFunction_09(0); break; case NAS_GET_LANG_ID: //返回当前系统或运行环境所支持的语言ID return 1; case NAS_GET_VER: //返回当前系统或运行环境的版本号 return 0x00000004; case NAS_GET_PATH: //返回当前开发或运行环境的某一类目录或文件名,目录名以“\”结束