Archive for 九月, 2008

GetTickCount 计算1+1 1亿次的时间

汇编&逆向 | Posted by 老沙
9月 30 2008

GetTickCount的最小计数间隔(分辨率)在15ms左右

timer.asm:

    .386
    .model flat,stdcall
    option casemap:none
; Include 文件定义
include    windows.inc
include    user32.inc
includelib  user32.lib
include    kernel32.inc
includelib  kernel32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ID_TIMER1  equ  1                    ; timer id checked in WM_TIMER; no SetTimer call exists in this file
DLG_MAIN  equ  1                     ; dialog resource id, must match #define DLG_MAIN in timer.rc
IDC_COUNT  equ  101                  ; static control that shows the elapsed ms, must match timer.rc
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Data segment (uninitialised)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    .data?
hInstance  dd    ?                   ; module handle returned by GetModuleHandle in start:
tick1    dd    ?                     ; GetTickCount value taken before the timed loop
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    .code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 计算过程
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

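;-----------------------------------------------------------------------
; _TimeLoop - time LOOP_COUNT register additions and show the result.
; ABI:   stdcall; edi is preserved by the USES clause.
; In:    hDlg = dialog that owns the IDC_COUNT control
; Out:   eax = SetDlgItemInt result (ignored by the callers)
; Uses:  tick1 (global) to hold the start tick
; Notes: the elapsed value comes from two GetTickCount calls, so it is
;        only as fine as the tick resolution (the post quotes ~15 ms).
;        The unsigned subtraction stays correct if the tick counter
;        wraps between the two calls.
;-----------------------------------------------------------------------
LOOP_COUNT  equ  100000000           ; "1亿次": number of additions that are timed

_TimeLoop  proc  uses edi,hDlg
    invoke  GetTickCount
    mov  tick1,eax
    xor  edi,edi                     ; the original never initialised edi, so the
                                     ; iteration count depended on whatever value
                                     ; the caller had left in the register
    .while 1
      add  edi,1
      .break .if edi > LOOP_COUNT    ; unsigned compare (edi is a register)
    .endw
    invoke  GetTickCount
    sub  eax,tick1                   ; elapsed ms, modulo 2^32
    invoke  SetDlgItemInt,hDlg,IDC_COUNT,eax,FALSE
    ret
_TimeLoop  endp

;-----------------------------------------------------------------------
; _ProcDlgMain - dialog procedure for DLG_MAIN.
; ABI:   stdcall (DLGPROC); ebx/edi/esi preserved by the USES clause.
; In:    hWnd, uMsg, wParam, lParam (standard dialog-procedure arguments)
; Out:   eax = TRUE when the message was handled, FALSE otherwise
; Notes: the measurement runs once from WM_INITDIALOG (before the dialog
;        is visible) and again each time the IDOK button is pressed.
;        The dialog is blocked for the whole loop; it cannot repaint or
;        be closed until the loop ends.
;-----------------------------------------------------------------------
_ProcDlgMain  proc  uses ebx edi esi,hWnd,uMsg,wParam,lParam
    mov  eax,uMsg
    .if  eax ==  WM_TIMER
      mov  eax,wParam
      .if  eax == ID_TIMER1
        invoke  MessageBeep,-1       ; never reached: this file starts no timer
      .endif
    .elseif  eax ==  WM_INITDIALOG
      invoke  _TimeLoop,hWnd         ; first measurement, before the dialog is shown
    .elseif eax ==  WM_COMMAND
      mov  eax,wParam
      .if ax == IDOK                 ; low word of wParam = control id ("开始" button)
        invoke  _TimeLoop,hWnd
      .endif
    .elseif  eax ==  WM_CLOSE
      invoke  EndDialog,hWnd,NULL
    .else
      mov  eax,FALSE                 ; not handled: let the dialog manager process it
      ret
    .endif
    mov  eax,TRUE
    ret

_ProcDlgMain  endp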

; Entry point: fetch the module handle, run DLG_MAIN modally with
; _ProcDlgMain as its dialog procedure, then terminate the process.
; DialogBoxParam only returns after EndDialog (sent from WM_CLOSE).
start:
    invoke  GetModuleHandle,NULL
    mov  hInstance,eax
    invoke  DialogBoxParam,hInstance,DLG_MAIN,NULL,offset _ProcDlgMain,NULL
    invoke  ExitProcess,NULL         ; exit code 0; the DialogBoxParam result is discarded
    end  start

timer.rc:

//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#include    <resource.h>
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#define  DLG_MAIN    1        // must agree with "DLG_MAIN equ 1" in timer.asm
#define  ICO_1      1
#define  IDC_COUNT    101     // must agree with "IDC_COUNT equ 101" in timer.asm
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ICO_1  ICON    "1.ico"        // icon file must be present when the resource is compiled
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
DLG_MAIN DIALOG 70, 110, 120, 70   // x, y, width, height in dialog units
STYLE DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
CAPTION "1+1 1亿次 小杰的博客"
FONT 9, "宋体"
{
LTEXT "计数:", -1, 35, 16, 25, 10            // label only; id -1 is never addressed from code
LTEXT "", IDC_COUNT, 62, 16, 40, 10          // filled by SetDlgItemInt with the elapsed ms
DEFPUSHBUTTON "开始", IDOK, 35, 36, 50, 20   // IDOK re-runs the timed loop (WM_COMMAND)
}

一个秒表的例子(汇编代码)

汇编&逆向 | Posted by 老沙
9月 29 2008

WM_TIMER是一个低优先级消息:只有当窗口的消息队列中没有其它消息时才会投递WM_TIMER;在此期间错过的定时器到期不会被补发。

time.asm代码:

    .386
    .model flat,stdcall
    option casemap:none
; Include 文件定义
include    windows.inc
include    user32.inc
includelib  user32.lib
include    kernel32.inc
includelib  kernel32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ID_TIMER1  equ  1                    ; id of the window timer started in WM_INITDIALOG (2000 ms)
DLG_MAIN  equ  1                     ; dialog resource id, must match #define DLG_MAIN in time.rc
IDC_COUNT  equ  101                  ; static control holding the counter, must match time.rc
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Data segment (uninitialised)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    .data?
hInstance  dd    ?                   ; module handle returned by GetModuleHandle in start:
hWinMain  dd    ?                    ; dialog handle, saved so the TIMERPROC can reach IDC_COUNT
idTimer    dd    ?                   ; id returned by the hWnd=NULL SetTimer, needed for KillTimer
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    .code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 定时器过程
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; VOID CALLBACK _ProcTimer(HWND, UINT, UINT_PTR idEvent, DWORD dwTime)
; TIMERPROC for the 1000 ms timer created with hWnd = NULL in
; WM_INITDIALOG. Reads the number currently shown in IDC_COUNT, adds one
; and writes it back. The global hWinMain is used because the timer was
; not bound to a window, so _hWnd carries no usable handle here.
; pushad/popad save and restore every general register around the two
; API calls; the callback has no return value, so eax is not meaningful.
; GetDlgItemInt with lpTranslated = NULL returns 0 on a parse failure,
; which simply restarts the count from 1.
;-----------------------------------------------------------------------
_ProcTimer  proc  _hWnd,_uMsg,_idEvent,_dwTime
    pushad
    invoke  GetDlgItemInt,hWinMain,IDC_COUNT,NULL,FALSE
    inc  eax                         ; count = count + 1 (wraps silently at 2^32)
    invoke  SetDlgItemInt,hWinMain,IDC_COUNT,eax,FALSE
    popad
    ret
_ProcTimer  endp

;-----------------------------------------------------------------------
; _ProcDlgMain - dialog procedure for DLG_MAIN.
; ABI:   stdcall (DLGPROC); ebx/edi/esi preserved by the USES clause.
; In:    hWnd, uMsg, wParam, lParam (standard dialog-procedure arguments)
; Out:   eax = TRUE when the message was handled, FALSE otherwise
; Notes: two timers are started on WM_INITDIALOG: a window timer
;        (WM_TIMER, wParam = ID_TIMER1, every 2000 ms -> MessageBeep) and
;        a callback timer (_ProcTimer every 1000 ms). Both are stopped on
;        WM_CLOSE before the dialog is ended.
;-----------------------------------------------------------------------
_ProcDlgMain  proc  uses ebx edi esi,hWnd,uMsg,wParam,lParam
    .if  uMsg == WM_INITDIALOG
      mov  eax,hWnd
      mov  hWinMain,eax              ; _ProcTimer has no window of its own
      invoke  SetTimer,hWnd,ID_TIMER1,2000,NULL
      invoke  SetTimer,NULL,NULL,1000,addr _ProcTimer
      mov  idTimer,eax               ; system-assigned id; the only way to kill this timer
    .elseif  uMsg == WM_TIMER
      .if  wParam == ID_TIMER1
        invoke  MessageBeep,-1
      .endif
    .elseif  uMsg == WM_CLOSE
      invoke  KillTimer,hWnd,ID_TIMER1
      invoke  KillTimer,NULL,idTimer
      invoke  EndDialog,hWnd,NULL
    .else
      xor  eax,eax                   ; FALSE: not handled here
      ret
    .endif
    mov  eax,TRUE
    ret

_ProcDlgMain  endp

; Entry point: fetch the module handle, run DLG_MAIN modally with
; _ProcDlgMain as its dialog procedure, then terminate the process.
; DialogBoxParam returns once WM_CLOSE has called EndDialog.
start:
    invoke  GetModuleHandle,NULL
    mov  hInstance,eax
    invoke  DialogBoxParam,hInstance,DLG_MAIN,NULL,offset _ProcDlgMain,NULL
    invoke  ExitProcess,NULL         ; exit code 0; the DialogBoxParam result is discarded
    end  start

time.rc代码:

//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#include    <resource.h>
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#define  DLG_MAIN    1        // must agree with "DLG_MAIN equ 1" in time.asm
#define  ICO_1      1
#define  IDC_COUNT    101     // must agree with "IDC_COUNT equ 101" in time.asm
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ICO_1  ICON    "1.ico"        // icon file must be present when the resource is compiled
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
DLG_MAIN DIALOG 70, 110, 113, 40   // x, y, width, height in dialog units
STYLE DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
CAPTION "计时器 小杰的博客"
FONT 9, "宋体"
{
LTEXT "计数:", -1, 35, 16, 25, 10            // label only; id -1 is never addressed from code
LTEXT "", IDC_COUNT, 62, 16, 40, 10          // incremented once a second by _ProcTimer
}

源码下载:
点击下载

热键关闭显示器(delphi源码转汇编)

汇编&逆向 | Posted by 老沙
9月 28 2008

delphi代码:

// Console-less Delphi program: registers a thread-level hotkey and, each
// time it fires, turns the monitor off via WM_SYSCOMMAND/SC_MONITORPOWER.
// The assembly listing below is a port of this program.
program open;

uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls;

{$R *.res}

const
WM_HOTKEY = $0312;  // same value as the constant in the Messages unit; redeclared locally

var
WinH : Longint=0;   // unused in this program (kept from the "hide window" variant)
Msg : tMsg;

begin
RegisterHotKey(0,0,MOD_ALT,ord('X')); // register Alt+X (the original comment said Alt+Z, but the key passed is 'X')
// hWnd = 0: the hotkey is delivered to this thread's queue, not to a window
while GetMessage(Msg, 0, 0, 0) do
if Msg.message=WM_HOTKEY then
begin
sleep(500);  // short delay before the power-off; presumably so the key release does not wake the display - confirm
SendMessage(Application.Handle,WM_SYSCOMMAND,SC_MONITORPOWER,2); // lParam 2 = display off
end;

end.

汇编代码:

.386
.Model Flat, StdCall
Option Casemap :None

Include windows.inc
Include user32.inc
Include kernel32.inc
Include gdi32.inc

includelib gdi32.lib
IncludeLib user32.lib
IncludeLib kernel32.lib
;include macro.asm

; Prototypes so that WinMain/WndProc can be used with invoke/offset before
; their definitions.
WinMain PROTO :DWORD,:DWORD,:DWORD,:DWORD
WndProc PROTO :DWORD,:DWORD,:DWORD,:DWORD

icMyHotKey equ 2010                  ; id passed to RegisterHotKey/UnregisterHotKey (any value < 0xC000)

.const
szFmt_d db '%d', 0                   ; not referenced in this listing

.DATA
szClassName db "close windows",0     ; window class name (the window is never shown)
szCaption db "http://www.kumouse.com",0
szt db "热键:ALT+X 功能:关闭显示器 作者:美丽人生",0   ; text of the start-up MessageBox
szc db "说明",0                      ; caption of the start-up MessageBox

.DATA?
hInstance dd ?                       ; module handle stored by START
hFind HINSTANCE ?                    ; not referenced in this listing

.CODE
; Entry point: get the module handle, hand it to WinMain and exit.
; WinMain's return value (WM_QUIT wParam) is discarded; the exit code is 0.
START:

invoke GetModuleHandle,NULL
mov hInstance,eax
invoke WinMain,hInstance,NULL,NULL,SW_SHOWDEFAULT   ; CmdShow is not used by WinMain
invoke ExitProcess,0

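;-----------------------------------------------------------------------
; int WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR CmdLine, int CmdShow)
; ABI:   stdcall. Registers the window class, creates a top-level window
;        that is never shown (it only exists to own the hotkey and receive
;        WM_HOTKEY), then pumps messages until WM_QUIT.
; In:    hInst = module handle; hPrevInst, CmdLine and CmdShow are unused
; Out:   eax = wParam of WM_QUIT; 0 when the window could not be created
;        or GetMessage reported an error. START discards the value.
;-----------------------------------------------------------------------
WinMain proc hInst:DWORD,hPrevInst:DWORD,CmdLine:DWORD,CmdShow:DWORD
    LOCAL wc :WNDCLASSEX
    LOCAL msg :MSG
    LOCAL hWnd :HWND

    mov wc.cbSize,sizeof WNDCLASSEX
    mov wc.style,CS_HREDRAW or CS_VREDRAW or CS_BYTEALIGNWINDOW
    mov wc.lpfnWndProc,offset WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_BTNFACE+1
    mov wc.lpszMenuName,NULL
    mov wc.lpszClassName,offset szClassName
    mov wc.hIcon,NULL                ; no icon/cursor: the window is never displayed
    mov wc.hCursor,NULL
    mov wc.hIconSm,0
    invoke RegisterClassEx, ADDR wc  ; a failure here surfaces as CreateWindowEx returning NULL
    invoke CreateWindowEx,NULL,ADDR szClassName,addr szCaption,WS_OVERLAPPEDWINDOW,200,200,400,200,NULL,NULL,hInst,NULL
    mov hWnd,eax
    .if eax == NULL                  ; no window: nothing would ever post WM_QUIT, so do not enter the loop
        xor eax,eax
        ret
    .endif
    ; ShowWindow is intentionally not called: the window stays hidden
    invoke UpdateWindow,hWnd

    .while TRUE
        invoke GetMessage,ADDR msg,NULL,0,0
        .break .if eax == 0          ; WM_QUIT: exit code is in msg.wParam
        .if eax == -1                ; error: the original cmp/je loop treated -1 as "continue" and would spin
            xor eax,eax
            ret
        .endif
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .endw

    mov eax,msg.wParam
    ret
WinMain endp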

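;-----------------------------------------------------------------------
; LRESULT CALLBACK WndProc(HWND hWin, UINT uMsg, WPARAM wParam, LPARAM lParam)
; ABI:   stdcall window procedure for the hidden class "close windows".
; Out:   eax = 0 for every message handled here (WM_CREATE: 0 lets the
;        window be created), otherwise the DefWindowProc result.
; Notes: the original returned whatever the last API call left in eax,
;        e.g. the MessageBox button id from WM_CREATE; all handled paths
;        now return 0 explicitly.
;-----------------------------------------------------------------------
WndProc proc hWin:DWORD,uMsg:DWORD,wParam :DWORD,lParam :DWORD

    .if uMsg==WM_CREATE
        ; Alt+X -> WM_HOTKEY with wParam = icMyHotKey on this window.
        ; NOTE(review): a zero return means the combination is already owned
        ; by another window; the program would then run without ever reacting.
        ; Not handled here because no error text exists in the data segment.
        invoke RegisterHotKey,hWin,icMyHotKey,MOD_ALT,VK_X
        invoke MessageBox,NULL,addr szt,addr szc,MB_OKCANCEL   ; was the literal 1 (= MB_OKCANCEL)
    .elseif uMsg == WM_HOTKEY
        ; Sleep blocks this thread's message loop for 500 ms; presumably so the
        ; key release does not immediately wake the display - confirm
        invoke Sleep,500
        invoke SendMessage,hWin,WM_SYSCOMMAND,SC_MONITORPOWER,2   ; lParam 2 = display off
    .elseif uMsg == WM_DESTROY
        invoke UnregisterHotKey,hWin,icMyHotKey
        invoke PostQuitMessage,NULL
    .else
        invoke DefWindowProc,hWin,uMsg,wParam,lParam
        ret
    .endif
    xor eax,eax
    ret
WndProc endp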
END START

代码下载:
点击下载

全局热键隐藏当前窗口(delphi 改写为汇编)

汇编&逆向 | Posted by 老沙
9月 25 2008

我用的是MASMPlus的标准WIN EXE模板
在本网站的http://www.kumouse.com/article.asp?id=41可以下载到

代码如下:(delphi)

// Console-less Delphi program: Alt+Z hides the current foreground window,
// pressing it again shows that window and forgets it. The assembly
// listing below is a port of this program.
program open;

uses
Windows;

{$R *.res}

const
WM_HOTKEY = $0312;  // same value as the constant in the Messages unit; redeclared locally

var
WinH : Longint=0;   // handle of the window currently hidden, 0 when none
Msg : tMsg;

begin
MessageBox(
GetActiveWindow(),
PChar('热键:ALT+Z 功能:隐藏当前窗口 作者:美丽人生'),
PChar('说明'),
MB_OK);

RegisterHotKey(0,0,MOD_ALT,ord('Z')); // register Alt+Z for this thread (hWnd = 0)
while GetMessage(Msg, 0, 0, 0) do
if Msg.message=WM_HOTKEY then
if WinH=0 then
begin
WinH:=GetForegroundWindow;  // may be 0 when no window has the foreground; then SW_HIDE below does nothing
ShowWindow(WinH,SW_HIDE);
end
else                        // this else belongs to "if WinH=0", not to the WM_HOTKEY test
begin
ShowWindow(WinH,SW_SHOW);   // fails silently if the hidden window was closed meanwhile
WinH:=0;
end;
end.

代码如下:(汇编)

.386
.Model Flat, StdCall
Option Casemap :None

Include windows.inc
Include user32.inc
Include kernel32.inc
Include gdi32.inc

includelib gdi32.lib
IncludeLib user32.lib
IncludeLib kernel32.lib
;include macro.asm

; Prototypes so that WinMain/WndProc can be used with invoke/offset before
; their definitions.
WinMain PROTO :DWORD,:DWORD,:DWORD,:DWORD
WndProc PROTO :DWORD,:DWORD,:DWORD,:DWORD

idMyHotKey equ 2008                  ; Alt+Z: hide / restore the foreground window
idMyHotKeyq equ 2009                 ; Ctrl+Q: quit the program

.const
szFmt_d db '%d', 0                   ; only used by the commented-out debug output in WndProc

.DATA
szClassName db "hide windows",0      ; window class name (the window is never shown)
szCaption db "http://www.kumouse.com",0
szt db "热键:ALT+Z 功能:隐藏当前窗口 CTRT+Q 关闭热键 作者:美丽人生",0   ; start-up MessageBox text
szc db "说明",0                      ; start-up MessageBox caption

.DATA?
hInstance dd ?                       ; module handle stored by START
hFind HINSTANCE ?                    ; handle of the window currently hidden, 0 when none

.CODE
; Entry point: get the module handle, hand it to WinMain and exit.
; WinMain's return value (WM_QUIT wParam) is discarded; the exit code is 0.
START:

invoke GetModuleHandle,NULL
mov hInstance,eax
invoke WinMain,hInstance,NULL,NULL,SW_SHOWDEFAULT   ; CmdShow is not used by WinMain
invoke ExitProcess,0

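;-----------------------------------------------------------------------
; int WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR CmdLine, int CmdShow)
; ABI:   stdcall. Registers the window class, creates a top-level window
;        that is never shown (it only exists to own the hotkeys and receive
;        WM_HOTKEY), then pumps messages until WM_QUIT.
; In:    hInst = module handle; hPrevInst, CmdLine and CmdShow are unused
; Out:   eax = wParam of WM_QUIT; 0 when the window could not be created
;        or GetMessage reported an error. START discards the value.
;-----------------------------------------------------------------------
WinMain proc hInst:DWORD,hPrevInst:DWORD,CmdLine:DWORD,CmdShow:DWORD
    LOCAL wc :WNDCLASSEX
    LOCAL msg :MSG
    LOCAL hWnd :HWND

    mov wc.cbSize,sizeof WNDCLASSEX
    mov wc.style,CS_HREDRAW or CS_VREDRAW or CS_BYTEALIGNWINDOW
    mov wc.lpfnWndProc,offset WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_BTNFACE+1
    mov wc.lpszMenuName,NULL
    mov wc.lpszClassName,offset szClassName
    mov wc.hIcon,NULL                ; no icon/cursor: the window is never displayed
    mov wc.hCursor,NULL
    mov wc.hIconSm,0
    invoke RegisterClassEx, ADDR wc  ; a failure here surfaces as CreateWindowEx returning NULL
    invoke CreateWindowEx,NULL,ADDR szClassName,addr szCaption,WS_OVERLAPPEDWINDOW,200,200,400,200,NULL,NULL,hInst,NULL
    mov hWnd,eax
    .if eax == NULL                  ; no window: nothing would ever post WM_QUIT, so do not enter the loop
        xor eax,eax
        ret
    .endif
    ; ShowWindow is intentionally not called: the window stays hidden
    invoke UpdateWindow,hWnd

    .while TRUE
        invoke GetMessage,ADDR msg,NULL,0,0
        .break .if eax == 0          ; WM_QUIT: exit code is in msg.wParam
        .if eax == -1                ; error: the original cmp/je loop treated -1 as "continue" and would spin
            xor eax,eax
            ret
        .endif
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .endw

    mov eax,msg.wParam
    ret
WinMain endp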

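;-----------------------------------------------------------------------
; LRESULT CALLBACK WndProc(HWND hWin, UINT uMsg, WPARAM wParam, LPARAM lParam)
; ABI:   stdcall window procedure for the hidden class "hide windows".
; State: hFind (global) = handle of the window currently hidden, 0 if none.
; Out:   eax = 0 for every message handled here, else the DefWindowProc result.
; Fixes against the original:
;   - WM_HOTKEY is dispatched on wParam (the id given to RegisterHotKey)
;     instead of the raw lParam values 5a0001h / 510002h;
;   - a stray "pop eax" inside the restore branch is gone (it only went
;     unnoticed because the frame-pointer epilogue reset esp);
;   - Ctrl+Q calls DestroyWindow instead of sending WM_DESTROY by hand,
;     so the window is really destroyed;
;   - WM_DESTROY restores a still-hidden window, otherwise quitting with
;     Ctrl+Q left the user's window hidden with nothing left to show it.
;-----------------------------------------------------------------------
WndProc proc hWin:DWORD,uMsg:DWORD,wParam :DWORD,lParam :DWORD

    .if uMsg==WM_CREATE
        ; NOTE(review): both RegisterHotKey results are unchecked; a zero
        ; return means another window already owns the combination.
        invoke RegisterHotKey,hWin,idMyHotKey,MOD_ALT,VK_Z
        invoke RegisterHotKey,hWin,idMyHotKeyq,MOD_CONTROL,VK_Q
        invoke MessageBox,NULL,addr szt,addr szc,MB_OKCANCEL   ; was the literal 1 (= MB_OKCANCEL)
    .elseif uMsg == WM_HOTKEY
        .if wParam == idMyHotKey
            .if hFind == 0
                invoke GetForegroundWindow
                .if eax != NULL      ; no foreground window: keep hFind = 0 and do nothing
                    mov hFind,eax
                    invoke ShowWindow,hFind,SW_HIDE
                .endif
            .else
                invoke ShowWindow,hFind,SW_SHOW   ; fails silently if that window was closed meanwhile
                mov hFind,0
            .endif
        .elseif wParam == idMyHotKeyq
            invoke DestroyWindow,hWin   ; generates WM_DESTROY below
        .endif
    .elseif uMsg == WM_DESTROY
        .if hFind != 0               ; do not leave a user window hidden behind
            invoke ShowWindow,hFind,SW_SHOW
            mov hFind,0
        .endif
        invoke UnregisterHotKey,hWin,idMyHotKey
        invoke UnregisterHotKey,hWin,idMyHotKeyq
        invoke PostQuitMessage,NULL
    .else
        invoke DefWindowProc,hWin,uMsg,wParam,lParam
        ret
    .endif
    xor eax,eax
    ret
WndProc endp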
END START

源码下载:
点击下载

改变记事本标题栏文字(汇编)

汇编&逆向 | Posted by 老沙
9月 09 2008

其实就是用了一下SendMessage,但要注意PostMessage无法处理参数中含有指针的消息(比如WM_SETTEXT、WM_COPYDATA等),因为只有同步发送时系统才会把指针指向的数据封送到目标进程。
代码如下:

    .386
    .model flat,stdcall
    option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

include    windows.inc
include    user32.inc
includelib   user32.lib
include    kernel32.inc
includelib   kernel32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    .data
hWnd    dd  ?                        ; handle of the Notepad window found by FindWindow
szBuffer   db  256 dup (?)           ; not referenced in this listing

    .const
szCaption   db  'SendMessage',0      ; MessageBox caption for the "not found" case
szDestClass  db  'Notepad',0         ; window class of the target (Notepad's top-level window)
szText    db  '这是一个测试',0       ; new title text sent with WM_SETTEXT
szNotFound  db  '目标无法找到!',0    ; shown when no Notepad window exists

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    .code
; Entry point: find the first top-level window of class 'Notepad' on this
; desktop and replace its caption with szText. The pointer in lParam is
; valid only because SendMessage is synchronous: the system copies the
; string into the target process for WM_SETTEXT. PostMessage would fail
; for this message. SendMessage does not return until Notepad has handled
; the message, so a hung Notepad would hang this program too.
start:
    invoke  FindWindow,addr szDestClass,NULL   ; NULL title: any window of that class
    .if  eax
      mov  hWnd,eax                  ; target found: send the new title
      invoke  SendMessage,hWnd,WM_SETTEXT,0,addr szText
    .else
      invoke  MessageBox,NULL,offset szNotFound,offset szCaption,MB_OK
    .endif
    invoke  ExitProcess,NULL
    end  start

逆向相关工具

汇编&逆向 | Posted by 老沙
9月 01 2008

LordPE DLX增强版

2008.5.31
资源名溢出漏洞:缓冲区长度是按char检查的,但拷贝时按wchar(每字符两字节)进行,所以溢出了。by somuch

2006.11.30更新
freecat制作的功能插件LordPeFix.dll,修正LordPE只显示60个进程的bug

2005.10.15
(1) 为LordPE查看输入表部分加上搜索功能
(2) 为LordPE查看输入表部分加右键菜单(复制ThunkRVA/FirstThunk列).
(3) 当点击LordPE查看输入表部分中"View always FirstThunk",保持光条在原来位置.(LordPE默认会将光条置到0行)
(4) 修改FLC(File Location Calculator)窗口中各个文本框(VA,RVA,Offset)为只读属性,此时可以用鼠标复制里面的文本

点击下载1 LordPE DLX增强版
点击下载2 LordPE DLX增强版

OllyICE(OllyDbg)

OllyICE v1.10 修改版(OllyDbg) [2008.1.1]

由于OllyDBG 1.1(http://www.ollydbg.de)官方很长一段时间没有更新,一些爱好者便对OllyDBG进行了修改,新增了一些功能或修正了一些bug。OllyICE就是其中的一个修改版,取名OllyICE只是便于区分,其实质还是OllyDBG,版权归OllyDBG官方所有。

文件组成:
OllyICE.EXE 中文汉化版,是在cao_cong汉化第二版基础上修改的。
OLLYDBG.EXE 英文修改版,修改的地方与OllyICE.exe一样。

OllyICE.EXE与OLLYDBG.EXE同时做了如下修改:
1.窗口、类名等常见修改;
2.格式化字符串漏洞[OutputDebugString]补丁;
3.参考dyk158的ODbyDYK v1.10 ,自动配置UDD、PLUGIN为绝对路径;
4.参考nbw的"OD复制BUG分析和修正"一文,修正从内存区复制数据时,有时无法将所有的数据都复制到剪贴板的bug。
5.参考ohuangkeo“不被OD分析原因之一和修补方法”,稍改进了OD识别PE格式能力(可能仍报是非PE文件,但己可调试了)。
6.修正OllyScript.dll插件bpwm命令内存读写都中断的问题。
7.jingulong的Loaddll.exe,可以方便让OllDbg中断在dll的入口。
8.感谢DarkBul告知SHIFT+F2条件窗口显示的bug及修复。
9.感谢dreaman修复Findlabel,Findname,Findnextname三个函数处理字符串会溢出的bug。
10.改善sprintf函数显示某些浮点数会崩溃的bug,这里的修复代码直接引用heXer的代码。
11.该修改版,配合HideOD插件,可以很好地隐藏OD。
12.新增实用的快捷键功能
13.修正Themida v1.9.x.x检测OllyICE的Anti,配合HideToolz即可调试Themida v1.9.x.x加壳程序。
14.LOCKLOSE添加了部分API和结构体信息。
点击下载 OllyICE(OllyDbg)

VC自带的小工具 Spy++
点击下载 Spy++