逆向分析_win_api基礎(2)

win_api基礎(2)

(一) 查看MessageBox返回值

環境 : vc++ 6.0

//msgbox2.cpp 配置工程爲 release
#include <windows.h>
#include <stdio.h>
#include <tchar.h>

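/*
 * Shows a Yes/No message box and prints the address and the value of the
 * local that receives MessageBoxA's return value (a control ID such as
 * IDYES / IDNO), so the register carrying the return value can be located
 * in a debugger.
 *
 * Returns 0 always.
 */
int main()
{
    int a;
    a = MessageBoxA(NULL, "content", "title", MB_YESNO);
    /* %p expects a void*; cast so the argument type matches the format.
       (The original line also had a stray ')' that does not compile.) */
    printf("addr : %p, \t data : %d\n", (void *)&a, a);
    /*
    NOTE(review): the OllyDbg listing on this page shows `movsx eax,al`
    before the printf call, which corresponds to passing char(a) as in the
    variant below rather than int a; confirm which variant produced the
    listing.
    if(a == IDYES)
    {
        printf("addr : %p, \t data : %d\n", (void *)&a, char(a));
    }
    */
    return 0;
}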

MessageBox的返回值爲控件ID。透過觀察printf的參數傳遞,可以找到返回值放在哪個寄存器上。

生成exe文件後,用OllyDbg調試運行,按F8單步到出現彈窗,按下按鍵後如下:

00401113  |.  50               push eax                                 ;  third argument to the callee (CRT startup code; presumably envp -- verify)
00401114  |.  FF35 30994000    push dword ptr ds:[0x409930]             ;  second argument (presumably argv -- verify)
0040111A  |.  FF35 2C994000    push dword ptr ds:[0x40992C]             ;  first argument (presumably argc -- verify)
00401120  |.  E8 DBFEFFFF      call msgbox2.00401000                    ;  call main (the function traced below with F7)

重新運行exe,把光標放在 00401120 call msgbox2.00401000 上,按F7跟蹤進入該函數

00401000  /$  51               push ecx                                 ;  msgbox2.004070D8 -- reserves the 4-byte stack slot for local `a` (the pushed value is overwritten at 00401015 before use)
00401001  |.  6A 04            push 0x4                                 ; /Style = MB_YESNO|MB_APPLMODAL
00401003  |.  68 50704000      push msgbox2.00407050                    ; |Title = "title"
00401008  |.  68 48704000      push msgbox2.00407048                    ; |Text = "content"
0040100D  |.  6A 00            push 0x0                                 ; |hOwner = NULL
0040100F  |.  FF15 B0604000    call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
00401015  |.  894424 00        mov dword ptr ss:[esp],eax               ;  a = return value -- MessageBoxA returns in EAX; stored to the local slot
00401019  |.  8D4C24 00        lea ecx,dword ptr ss:[esp]               ;  ecx = &a
0040101D  |.  0FBEC0           movsx eax,al                             ;  sign-extend the low byte of the return value (matches char(a) in the source, not int a)
00401020  |.  50               push eax                                 ;  printf arg 3: the value
00401021  |.  51               push ecx                                 ;  msgbox2.004070D8 -- printf arg 2: &a
00401022  |.  68 30704000      push msgbox2.00407030                    ;  ASCII "addr : %p, \t data : %d\n" -- printf arg 1: format string
00401027  |.  E8 14000000      call msgbox2.00401040                    ;  presumably printf (cdecl: the caller pops the arguments below)
0040102C  |.  33C0             xor eax,eax                              ;  return 0
0040102E  |.  83C4 10          add esp,0x10                             ;  pop the 3 printf args (12 bytes) plus the local slot (4 bytes)
00401031  \.  C3               retn

可以看出返回值放在EAX中,變量a的地址放在ECX中

00401020  |.  50               push eax                                 ;  printf arg 3: the value (repeat of the three pushes shown in the listing above)
00401021  |.  51               push ecx                                 ;  msgbox2.004070D8 -- printf arg 2: &a
00401022  |.  68 30704000      push msgbox2.00407030                    ;  ASCII "addr : %p, \t data : %d\n" -- printf arg 1: format string
(二) 重新用masm plus寫彙編程序驗證
;02_msgbox.asm
; Shows a Yes/No/Cancel message box; if Cancel was chosen, shows a second
; OK-only box, then exits. The button pressed comes back in EAX as a
; control ID (IDYES / IDNO / IDCANCEL).
; ABI: Win32 stdcall, flat model (MASM32).
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib

.data
MsgBoxCaption db "Tutorial",0
MsgBoxText  db "Win32 Assembly",0

.code
start:
    ; first box: Yes / No / Cancel; result (control ID) returned in eax
    invoke MessageBox, NULL, offset MsgBoxText, offset MsgBoxCaption, MB_YESNOCANCEL
    cmp eax, IDCANCEL                   ; explicit form of the .if/.endif block
    jne done                            ; anything but Cancel: fall straight through to exit
    ; Cancel pressed: show a second, OK-only box
    invoke MessageBox, NULL, offset MsgBoxText, offset MsgBoxCaption, MB_OK
done:
    invoke ExitProcess, NULL
end start