说到IDA这个工具,它是一个强大的静态反汇编工具,有多强大呢?两个字总结:神器。废话不多说,开搞。

目标程序(VC写的)

StaticPasswordOverflow.exe

img

img

img

IDA加载目标程序

img

img

main函数处的反汇编代码

.text:00401270 ; Attributes: bp-based frame
.text:00401270
.text:00401270 ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:00401270 ;
.text:00401270 ; Reads one whitespace-delimited token into a 128-byte stack buffer
.text:00401270 ; (var_80) and passes it to sub_4011C0. The sign of the char returned
.text:00401270 ; in al selects the "won"/"failed" message; main itself returns 1 on
.text:00401270 ; both paths. sub_401554 is called with a format string as its first
.text:00401270 ; argument everywhere in this listing -- presumably a printf-style
.text:00401270 ; wrapper, its body is not shown here.
.text:00401270 _main           proc near               ; CODE XREF: ___tmainCRTStartup+15Ap
.text:00401270
.text:00401270 var_80          = byte ptr -80h         ; char buf[0x80]: the only local, holds the user's input
.text:00401270 argc            = dword ptr  8
.text:00401270 argv            = dword ptr  0Ch
.text:00401270 envp            = dword ptr  10h
.text:00401270
.text:00401270                 push    ebp
.text:00401271                 mov     ebp, esp
.text:00401273                 sub     esp, 80h        ; 0x80 = 128 bytes of locals = sizeof(buf)
.text:00401279                 push    offset s->ReverseEngineeringWithIdaProExample12-StaticPasswo ; "Reverse Engineering with IDA Pro\nExampl"...
.text:0040127E                 call    sub_401554      ; print banner
.text:0040127E
.text:00401283
.text:00401283 loc_401283:
.text:00401283                 add     esp, 4          ; __cdecl: caller pops the one argument
.text:00401286                 push    offset s->PleaseProvideThePasswordToContinuePassword ; "[*] Please Provide the password to cont"...
.text:0040128B                 call    sub_401554      ; print prompt
.text:0040128B
.text:00401290                 add     esp, 4
.text:00401293                 push    80h             ; size_t
.text:00401298                 push    0               ; int
.text:0040129A                 lea     eax, [ebp+var_80]
.text:0040129D                 push    eax             ; void *
.text:0040129E                 call    _memset         ; memset(buf, 0, 0x80): whole buffer zeroed before the read
.text:0040129E
.text:004012A3                 add     esp, 0Ch
.text:004012A6                 lea     ecx, [ebp+var_80]
.text:004012A9                 push    ecx
.text:004012AA                 push    offset s->127s  ; "%127s"
.text:004012AF                 call    _scanf          ; scanf("%127s", buf): width 127 + NUL = 128 bytes, exactly sizeof(buf), so this read is bounded
.text:004012AF
.text:004012B4                 add     esp, 8
.text:004012B7                 lea     edx, [ebp+var_80]
.text:004012BA                 push    edx             ; char *
.text:004012BB                 call    sub_4011C0      ; check(buf); result is a char in al (0FFh = -1 on mismatch)
.text:004012BB
.text:004012C0                 add     esp, 4
.text:004012C3                 movsx   eax, al         ; sign-extend the char result
.text:004012C6                 test    eax, eax
.text:004012C8                 jge     short loc_4012D9 ; al >= 0 -> "won"; al < 0 (the -1 case) -> fall through to "failed"
.text:004012C8
.text:004012CA                 push    offset s->YouFailed_Goodbye_ ; "You failed. Goodbye.\n"
.text:004012CF                 call    sub_401554
.text:004012CF
.text:004012D4                 add     esp, 4
.text:004012D7                 jmp     short loc_4012E6
.text:004012D7
.text:004012D9 ; ---------------------------------------------------------------------------
.text:004012D9
.text:004012D9 loc_4012D9:                             ; CODE XREF: _main+58j
.text:004012D9                 push    offset s->YouWon_Goodbye_ ; "You won. Goodbye.\n"
.text:004012DE                 call    sub_401554
.text:004012DE
.text:004012E3                 add     esp, 4
.text:004012E3
.text:004012E6
.text:004012E6 loc_4012E6:                             ; CODE XREF: _main+67j
.text:004012E6                 mov     eax, 1          ; return 1 regardless of which branch ran
.text:004012EB                 mov     esp, ebp
.text:004012ED                 pop     ebp
.text:004012EE                 retn
.text:004012EE
.text:004012EE _main           endp

流程图,这就是IDA的强大之处:

img

jge short loc_4012D9 就是关键跳,它的上一个 call 必然是关键 call,也就是 call sub_4011C0。sub_4011C0 子函数的反汇编代码:

.text:004011C0 ; int __cdecl sub_4011C0(char *)
.text:004011C0 ;
.text:004011C0 ; Password check. Builds a 17-byte NUL-terminated string on the stack
.text:004011C0 ; one byte per mov (var_80 is the lowest address = byte 0, var_70 is
.text:004011C0 ; the terminator) and strcmp()s it against arg_0. On mismatch it prints
.text:004011C0 ; a message and returns -1 in al. On match it prints "%s is correct"
.text:004011C0 ; with arg_0 as a *format argument* (the format string itself is a
.text:004011C0 ; constant, so user input is never interpreted as a format), then calls
.text:004011C0 ; sub_401000 and returns whatever that call left in al -- sub_401000 is
.text:004011C0 ; not shown; the caller treats any non-negative al as success.
.text:004011C0 ; Assembling the string byte-by-byte keeps it out of the string table;
.text:004011C0 ; presumably intended so it does not show up in a plain strings dump.
.text:004011C0 sub_4011C0      proc near               ; CODE XREF: _main+4Bp
.text:004011C0
.text:004011C0 var_80          = byte ptr -80h         ; expected[0]  (lowest address)
.text:004011C0 var_7F          = byte ptr -7Fh         ; expected[1]
.text:004011C0 var_7E          = byte ptr -7Eh         ; expected[2]
.text:004011C0 var_7D          = byte ptr -7Dh         ; expected[3]
.text:004011C0 var_7C          = byte ptr -7Ch         ; expected[4]
.text:004011C0 var_7B          = byte ptr -7Bh         ; expected[5]
.text:004011C0 var_7A          = byte ptr -7Ah         ; expected[6]
.text:004011C0 var_79          = byte ptr -79h         ; expected[7]
.text:004011C0 var_78          = byte ptr -78h         ; expected[8]
.text:004011C0 var_77          = byte ptr -77h         ; expected[9]
.text:004011C0 var_76          = byte ptr -76h         ; expected[10]
.text:004011C0 var_75          = byte ptr -75h         ; expected[11]
.text:004011C0 var_74          = byte ptr -74h         ; expected[12]
.text:004011C0 var_73          = byte ptr -73h         ; expected[13]
.text:004011C0 var_72          = byte ptr -72h         ; expected[14]
.text:004011C0 var_71          = byte ptr -71h         ; expected[15]
.text:004011C0 var_70          = byte ptr -70h         ; expected[16] = NUL terminator
.text:004011C0 arg_0           = dword ptr  8          ; const char *input (buf from main)
.text:004011C0
.text:004011C0                 push    ebp
.text:004011C1
.text:004011C1 loc_4011C1:
.text:004011C1                 mov     ebp, esp
.text:004011C3                 sub     esp, 80h        ; 128 bytes of locals; only the first 17 are used
.text:004011C9                 push    80h             ; size_t
.text:004011CE                 push    0               ; int
.text:004011D0                 lea     eax, [ebp+var_80]
.text:004011D3                 push    eax             ; void *
.text:004011D4                 call    _memset         ; memset(expected, 0, 0x80)
.text:004011D4
.text:004011D9                 add     esp, 0Ch
.text:004011DC                 mov     [ebp+var_70], 0 ; '\0' terminator
.text:004011E0                 mov     [ebp+var_75], 73h ; 's'
.text:004011E4                 mov     [ebp+var_80], 74h ; 't'
.text:004011E8                 mov     [ebp+var_76], 73h ; 's'
.text:004011EC                 mov     [ebp+var_7F], 68h ; 'h'
.text:004011F0                 mov     [ebp+var_7A], 6Dh ; 'm'
.text:004011F4                 mov     [ebp+var_7C], 69h ; 'i'
.text:004011F8                 mov     [ebp+var_7B], 73h ; 's'
.text:004011FC                 mov     [ebp+var_71], 64h ; 'd'
.text:00401200                 mov     [ebp+var_74], 77h ; 'w'
.text:00401204                 mov     [ebp+var_7E], 69h ; 'i'
.text:00401208                 mov     [ebp+var_7D], 73h ; 's'
.text:0040120C                 mov     [ebp+var_78], 70h ; 'p'
.text:00401210                 mov     [ebp+var_73], 6Fh ; 'o'
.text:00401214                 mov     [ebp+var_72], 72h ; 'r'
.text:00401218                 mov     [ebp+var_79], 79h ; 'y'
.text:0040121C                 mov     [ebp+var_77], 61h ; 'a'
.text:00401220                 mov     ecx, [ebp+arg_0]
.text:00401223                 push    ecx             ; char *
.text:00401224                 lea     edx, [ebp+var_80]
.text:00401227                 push    edx             ; char *
.text:00401228                 call    _strcmp         ; strcmp(expected, input)
.text:00401228
.text:0040122D                 add     esp, 8
.text:00401230                 test    eax, eax
.text:00401232                 jz      short loc_401247 ; equal -> success path
.text:00401232
.text:00401234                 push    offset s->InvalidPassword ; "\n******* INVALID PASSWORD *******\n"
.text:00401239                 call    sub_401554
.text:00401239
.text:0040123E                 add     esp, 4
.text:00401241                 or      al, 0FFh        ; al = 0FFh: return (char)-1
.text:00401243                 jmp     short loc_40125D
.text:00401243
.text:00401245 ; ---------------------------------------------------------------------------
.text:00401245                 jmp     short loc_40125D ; unreachable: the jmp above never falls through
.text:00401245
.text:00401247 ; ---------------------------------------------------------------------------
.text:00401247
.text:00401247 loc_401247:                             ; CODE XREF: sub_4011C0+72j
.text:00401247                 mov     eax, [ebp+arg_0]
.text:0040124A                 push    eax             ; input is passed as the %s argument, not as the format
.text:0040124B                 push    offset s->SIsCorrect_ ; "%s is correct. \n\n"
.text:00401250                 call    sub_401554
.text:00401250
.text:00401255                 add     esp, 8
.text:00401258                 call    sub_401000      ; body not shown; al is left as whatever this returns
.text:00401258
.text:0040125D
.text:0040125D loc_40125D:                             ; CODE XREF: sub_4011C0+83j
.text:0040125D                                         ; sub_4011C0+85j
.text:0040125D                 mov     esp, ebp
.text:0040125F                 pop     ebp
.text:00401260                 retn
.text:00401260
.text:00401260 sub_4011C0      endp

流程图

img

注意这一部分代码,这就是我们要找的密码:

; Stack string built one byte per mov. Byte index = 80h - offset, so var_80
; is byte 0 and var_70 (offset 70h) is byte 16, the NUL terminator.
mov     [ebp+var_70], 0          ; [16] = '\0'
mov     [ebp+var_75], 73h        ; [11] = 's'
mov     [ebp+var_80], 74h        ; [0]  = 't'
mov     [ebp+var_76], 73h        ; [10] = 's'
mov     [ebp+var_7F], 68h        ; [1]  = 'h'
mov     [ebp+var_7A], 6Dh        ; [6]  = 'm'
mov     [ebp+var_7C], 69h        ; [4]  = 'i'
mov     [ebp+var_7B], 73h        ; [5]  = 's'
mov     [ebp+var_71], 64h        ; [15] = 'd'
mov     [ebp+var_74], 77h        ; [12] = 'w'
mov     [ebp+var_7E], 69h        ; [2]  = 'i'
mov     [ebp+var_7D], 73h        ; [3]  = 's'
mov     [ebp+var_78], 70h        ; [8]  = 'p'
mov     [ebp+var_73], 6Fh        ; [13] = 'o'
mov     [ebp+var_72], 72h        ; [14] = 'r'
mov     [ebp+var_79], 79h        ; [7]  = 'y'
mov     [ebp+var_77], 61h        ; [9]  = 'a'

这是一个数组,重新排序一下。懒得打了,把书上的图截下来了:

img

其实从16进制 70h 到 80h 一共 17 个偏移,数组 var_70 到 var_80 里面存放的是字符对应的 ASCII 码,按 var_70 到 var_80 的顺序读出来分别是 0drowssapymsisiht。因为这个程序是一个普通的 X86 二进制文件,所以字符串是逆序的(更准确地说,var_80 是栈上地址最低的一项,也就是数组的第 0 个字节,按 var_70 到 var_80 的顺序是从高地址往低地址读,自然是倒的),所以正确的字符串是这样的:thisismypassword0。由于 \0 是字符串结束标志,所以我们需要输入的密码就是 thisismypassword。

先到这里,最后上一个成功的图。

img