反汇编引擎有很多,这个引擎没有Dll,是纯静态链接库,适合r3-r0环境,你可以将其编译为DLL文件,驱动强制注入到游戏进程中,让其快速反汇编,读取出反汇编代码并保存为txt文本,本地分析。

地址:https://github.com/BeaEngine/beaengine

BeaEngine 反汇编特定字符串

#include <stdio.h>

#include <Windows.h>

#define BEA_ENGINE_STATIC  // 指明使用静态Lib库

#define BEA_USE_STDCALL    // 指明使用stdcall调用约定

extern "C"

{

	#include "G:/beaengine/x64/BeaEngine.h"

	#pragma comment(lib, "G:/BeaEngine/x64/lib_static/BeaEngine.lib")

}

void DisassembleCode(char *start_offset, int size)

{

	DISASM Disasm_Info;

	int len;

	char *end_offset = (char*)start_offset + size;

	(void)memset(&Disasm_Info, 0, sizeof(DISASM));

	Disasm_Info.EIP = (UInt64)start_offset;

	Disasm_Info.Archi = 1;

	Disasm_Info.Options = MasmSyntax;

	while (!Disasm_Info.Error)

	{

		Disasm_Info.SecurityBlock = (UInt64)end_offset - Disasm_Info.EIP;

		if (Disasm_Info.SecurityBlock <= 0)

			break;

		len = Disasm(&Disasm_Info);

		switch (Disasm_Info.Error)

		{

		case OUT_OF_BLOCK:

			break;

		case UNKNOWN_OPCODE:

			printf("%s \n", &Disasm_Info.CompleteInstr);

			Disasm_Info.EIP += 1;

			Disasm_Info.Error = 0;

			break;

		default:

			printf("%s \n", &Disasm_Info.CompleteInstr);

			Disasm_Info.EIP += len;

		}

	}

}

int main(int argc,char *argv)

{

	char *buffer = "\x55\x8b\xec\x81\xec\x24\x03\x00\x00\x6a\x17";

	DisassembleCode(buffer, 11);

	BYTE bTest[] = { 0x68, 0x37, 0x31, 0x40, 0x00, 0xFF, 0x15, 0x0C, 0x20, 0x40 };

	DisassembleCode(buffer, 14);

	system("pause");

	return 0;

}

反汇编字节数组

// 反汇编字节数组

void DisassembleCodeByte(BYTE *ptr,int len)

{

	DISASM Disasm_Info;

	char *end_offset = (char*)ptr + 10;

	(void)memset(&Disasm_Info, 0, sizeof(DISASM));

	Disasm_Info.EIP = (UInt64)ptr;

	Disasm_Info.Archi = 1;                      // 1 = 表示反汇编32位 / 0 = 表示反汇编64位

	Disasm_Info.Options = MasmSyntax;           // 指定语法格式 MASM

	while (!Disasm_Info.Error)

	{

		Disasm_Info.SecurityBlock = (UInt64)end_offset - Disasm_Info.EIP;

		if (Disasm_Info.SecurityBlock <= 0)

			break;

		len = Disasm(&Disasm_Info);

		switch (Disasm_Info.Error)

		{

		case OUT_OF_BLOCK:

			break;

		case UNKNOWN_OPCODE:

			Disasm_Info.EIP += 1;

			Disasm_Info.Error = 0;

			break;

		default:

			printf("%s \n", &Disasm_Info.CompleteInstr);

			Disasm_Info.EIP += len;

		}

	}

}

int main(int argc, char *argv)

{

	BYTE bTest[] = { 0x55, 0x8b, 0xec, 0x81, 0xec, 0x24, 0x03, 0x00, 0x00, 0x6a, 0x17 };

	DisassembleCodeByte(bTest,10);

	system("pause");

	return 0;

}

反汇编时,显示虚拟地址

void DisassembleCodeInstr(char *start_offset, char *end_offset, int virtual_address)

{

	DISASM Disasm_Info;

	int len;

	(void)memset(&Disasm_Info, 0, sizeof(DISASM));

	Disasm_Info.EIP = (UINT64)start_offset;

	Disasm_Info.VirtualAddr = (UINT64)virtual_address;

	Disasm_Info.Archi = 0;

	Disasm_Info.Options = MasmSyntax;

	while (!Disasm_Info.Error)

	{

		Disasm_Info.SecurityBlock = (UInt64)end_offset - Disasm_Info.EIP;

		if (Disasm_Info.SecurityBlock <= 0)

			break;

		len = Disasm(&Disasm_Info);

		switch (Disasm_Info.Error)

		{

		case OUT_OF_BLOCK:

			break;

		case UNKNOWN_OPCODE:

			Disasm_Info.EIP += 1;

			Disasm_Info.VirtualAddr += 1;

			break;

		default:

			printf("%.16llx > %s\n", Disasm_Info.VirtualAddr,&Disasm_Info.CompleteInstr);

			Disasm_Info.EIP += len;

			Disasm_Info.VirtualAddr += len;

		}

	}

}

int main(int argc,char *argv)

{

	/*

	char *buffer = "\x55\x8b\xec\x81\xec\x24\x03\x00\x00\x6a\x17";

	DisassembleCode(buffer, 11);

	*/

	void *pBuffer = malloc(200);

	memcpy(pBuffer, main, 200);

	DisassembleCodeInstr((char *)pBuffer, (char *)pBuffer + 200, 0x401000);

	system("pause");

	return 0;

}

检查EAX寄存器状态: 如何只检索修改寄存器eax的指令,也就是说,当我们的寄存器REG0零号,发生写入请求时,将自动获取到此处的汇编代码位置。

void DisassembleCodeInstr(char *start_offset, char *end_offset, int virtual_address)

{

	DISASM Disasm_Info;

	int len;

	(void)memset(&Disasm_Info, 0, sizeof(DISASM));

	Disasm_Info.EIP = (UINT64)start_offset;

	Disasm_Info.VirtualAddr = (UINT64)virtual_address;

	Disasm_Info.Archi = 0;

	Disasm_Info.Options = MasmSyntax;

	while (!Disasm_Info.Error)

	{

		Disasm_Info.SecurityBlock = (UInt64)end_offset - Disasm_Info.EIP;

		if (Disasm_Info.SecurityBlock <= 0)

			break;

		len = Disasm(&Disasm_Info);

		switch (Disasm_Info.Error)

		{

		case OUT_OF_BLOCK:

			break;

		case UNKNOWN_OPCODE:

			Disasm_Info.EIP += 1;

			Disasm_Info.VirtualAddr += 1;

			break;

		default:

			if (

				((Disasm_Info.Operand1.AccessMode == WRITE) && (Disasm_Info.Operand1.Registers.gpr & REG0)) ||

				((Disasm_Info.Operand2.AccessMode == WRITE) && (Disasm_Info.Operand2.Registers.gpr & REG0)) ||

				(Disasm_Info.Instruction.ImplicitModifiedRegs.gpr & REG0)

				)

			{

				printf("%.16llx > %s \n", Disasm_Info.VirtualAddr, &Disasm_Info.CompleteInstr);

			}

			Disasm_Info.EIP += len;

			Disasm_Info.VirtualAddr += len;

		}

	}

}

解码第三方可执行文件:

void DisassembleCodeRange(unsigned char *StartCodeSection, unsigned char *EndCodeSection, int(Virtual_Address))

{

	DISASM Disasm_Info;

	int len;

	memset(&Disasm_Info, 0, sizeof(DISASM));

	Disasm_Info.EIP = (UInt64)StartCodeSection;

	Disasm_Info.VirtualAddr = (UInt64)Virtual_Address;

	Disasm_Info.Archi = 0;

	Disasm_Info.Options = MasmSyntax;

	while (!Disasm_Info.Error)

	{

		Disasm_Info.SecurityBlock = (int)EndCodeSection - Disasm_Info.EIP;

		len = Disasm(&Disasm_Info);

		if (Disasm_Info.Error >= 0)

		{

			printf("%.16llx > %s \n", Disasm_Info.VirtualAddr, &Disasm_Info.CompleteInstr);

			Disasm_Info.EIP += len;

			Disasm_Info.VirtualAddr += len;

		}

	}

}

int main(int argc, char *argv)

{

	void *uBuffer;

	FILE *fp  = fopen("c://main.exe", "rb+");

	fseek(fp, 0, SEEK_END);

	DWORD FileSize = ftell(fp);

	rewind(fp);

	uBuffer = malloc(FileSize);

	memset(uBuffer, 0, sizeof(uBuffer));

	fread(uBuffer, 1, FileSize, fp);

	fclose(fp);

	// 反汇编文件偏移为1025-1099处的机器指令.

	DisassembleCodeRange((unsigned char*)uBuffer + 1025, (unsigned char*)uBuffer + 1099, 0x401000);

	system("pause");

	return 0;

}

XEDPARSE 汇编引擎: 将汇编代码汇编为机器码,keystone 汇编引擎也可,https://www.keystone-engine.org/download

#include <stdio.h>

#include <Windows.h>

#define BEA_ENGINE_STATIC  // 指明使用静态Lib库

#define BEA_USE_STDCALL    // 指明使用stdcall调用约定

extern "C"

{

	#include "G:/XEDParse/XEDParse.h"

	#pragma comment(lib, "G:/XEDParse/XEDParse_x86.lib")

}

void printOpcode(const unsigned char* pOpcode, int nSize)

{

	for (int i = 0; i < nSize; ++i)

	{

		printf("%02X ", pOpcode[i]);

	}

}

int main(int argc, char *argv)

{

	XEDPARSE xed = { 0 };

	xed.x64 = TRUE;

	scanf_s("%llx", &xed.cip);

	// 获取汇编字符串

	gets_s(xed.instr, XEDPARSE_MAXBUFSIZE);

	if (XEDPARSE_OK != XEDParseAssemble(&xed))

	{

		printf("指令错误: %s\n", xed.error);

	}

	// 输出汇编机器码

	printf("%s : ", xed.instr);

	printOpcode(xed.dest, xed.dest_size);

	system("pause");

	return 0;

}

一次汇编多条指令

#include <stdio.h>

#include <Windows.h>

#define BEA_ENGINE_STATIC  // 指明使用静态Lib库

#define BEA_USE_STDCALL    // 指明使用stdcall调用约定

extern "C"

{

#include "G:/XEDParse/XEDParse.h"

#pragma comment(lib, "G:/XEDParse/XEDParse_x86.lib")

}

void printOpcode(const unsigned char* pOpcode, int nSize)

{

	for (int i = 0; i < nSize; ++i)

	{

		printf("%02X ", pOpcode[i]);

	}

	printf("\n");

}

int main(int argc, char *argv)

{

	XEDPARSE xed = { 0 };

	xed.x64 = FALSE;

	char *abc[] = {

		"xor eax,eax",

		"xor ebx,ebx",

		"push eax",

		"push ebx",

		"mov ecx,3"

	};

	for (int x = 0; x < 5; x++)

	{

		strcpy(xed.instr, abc[x]);

		if (XEDPARSE_OK != XEDParseAssemble(&xed))

		{

			printf("指令错误: %s\n", xed.error);

		}

		// 输出汇编机器码

		printf("%s : ", xed.instr);

		printOpcode(xed.dest, xed.dest_size);

	}

	system("pause");

	return 0;

}

汇编引擎实现转ShellCode:

#include <stdio.h>

#include <Windows.h>

extern "C"

{

#include "G:/XEDParse/XEDParse.h"

#pragma comment(lib, "G:/XEDParse/XEDParse_x86.lib")

}

int main(int argc, char *argv)

{

	XEDPARSE xed = { 0 };

	xed.x64 = FALSE;

	unsigned char *p;

	p = (unsigned char *)malloc(256);

	char *OpCode[15] = {

		"push ebp",

		"push ebp",

		"xor eax,eax",

		"mov eax,1",

		"endp"

	};

	for (int x = 0; x < sizeof(OpCode) / sizeof(OpCode[0]); x++)

	{

		if (strcmp(OpCode[x], "endp") == 0)

			break;

		strcpy(xed.instr, OpCode[x]);

		if (XEDPARSE_OK != XEDParseAssemble(&xed))

			break;

		// 将汇编机器码生成为ShellCode

		for (int y = 0; y < xed.dest_size; y++)

		{

			p[y] = xed.dest[y];

		}

	}

	system("pause");

	return 0;

}

C/C++ BeaEngine 反汇编引擎的更多相关文章

  1. 反汇编引擎diStorm3

    反汇编引擎diStorm3   diStorm3是Kali Linux自带的一款轻量级.容易使用的反汇编引擎.它可以反汇编生成16位.32位和64位指令.它支持的指令集包括FPU.MMX.SSE.SS ...

  2. 反汇编引擎Capstone

    反汇编引擎Capstone   Capstone是Kali Linux自带的一款轻量级反汇编引擎.它可以支持多种硬件构架,如ARM.ARM64.MIPS.X86.该框架使用C语言实现,但支持C++.P ...

  3. 驱动开发:内核LDE64引擎计算汇编长度

    本章开始LyShark将介绍如何在内核中实现InlineHook挂钩这门技术,内核挂钩的第一步需要实现一个动态计算汇编指令长度的功能,该功能可以使用LDE64这个反汇编引擎,该引擎小巧简单可以直接在驱 ...

  4. c++反汇编与逆向分析 小结

    第一章  熟悉工作环境和相关工具 1.1 熟悉OllyDBG  操作技巧 1.2 反汇编静态分析工具 IDA(最专业的逆向工具)     快捷键    功能     Enter     跟进函数实现 ...

  5. 反汇编基本原理与x86指令构造

    反汇编基本原理与x86指令构造 概要:旨在讲述程序的二进制代码转换到汇编.即反汇编的基本原理.以及 x86 架构的 CPU 的指令构造,有这个基础后就能够自己编写汇编程序了,也能够将二进制代码数据转换 ...

  6. C/C++ Capstone 引擎源码编译

    Capstone 是一个轻量级的多平台.多架构的反汇编框架.Capstone 旨在成为安全社区中二进制分析和反汇编的终极反汇编引擎.Capstone的编译非常简单只需要一步即可轻松得到对应的Lib库文 ...

  7. oracle 有用站点

    使用oradebug修改数据库scn – 提供专业ORACLE技术咨询和支持@Phone13429648788 - 惜分飞 Solaris上使用DTrace进行动态跟踪 老熊的三分地-Oracle及数 ...

  8. oracle 常用博客网址

    使用oradebug修改数据库scn – 提供专业ORACLE技术咨询和支持@Phone13429648788 - 惜分飞 Solaris上使用DTrace进行动态跟踪 老熊的三分地-Oracle及数 ...

  9. 汇编与C语句

    ---恢复内容开始--- 汇编与C语句 4.1C语句与汇编 学习了汇编语言之后,就需要将常用的C语言代码结构与相应的汇编语言联系起来.这样就可以在分析汇编语言的时候,明白它的意思.C语言中函数过程的调 ...

  10. virut详细分析

    Virut分析 0x00.综合描述 virut样本的执行过程大体可以分为六步:第一步,解密数据代码,并调用解密后的代码:第二步,通过互斥体判断系统环境,解密病毒代码并执行:第三步,创建内存映射文件,执 ...

随机推荐

  1. 打破虚拟边界的视频交互新方式,AR隔空书写的应用理念和探索实践

    AR隔空书写演示 随着技术的发展和超视频化的时代驱动,交互的形式日渐丰富.从屏幕点触,到语音交互,人脸.指纹.声纹,再到近年流行的AR和VR--人类早在语言出现之前便习惯使用肢体和手势这种近乎本能的沟 ...

  2. LT01 创建转储单

    一.LT01创建转储单 采购订单--MIGO收货--虚拟仓位--LT01上架--实体仓位--LT01下架--虚拟仓位--MIGO发料--生产订单 二.参考代码 "-------------- ...

  3. HDU - 2897 邂逅明下 (简单博弈)

    题目链接: https://vjudge.net/problem/HDU-2897 题目大意: 就是现在一堆石子有n颗, 每次只能拿走p~q颗, 当剩余少于p颗的时候必须一次拿完 拿走最后一颗的人败 ...

  4. S3C2440移植uboot之编译烧写uboot

    目录 移植环境 获取uboot 更新交叉编译工具 配置环境变量 移植环境 主 机:VMWare--ubuntu16.04 开发板:S3C2440 编译器:arm-linux-gcc-4.3.2.tgz ...

  5. C#设计模式02——原型模式的写法

    public class ProteType { private static ProteType _ProteType = new ProteType(); private ProteType() ...

  6. 第七届蓝桥杯大赛个人赛省赛(软件类)B组

    3.凑算式     B      DEFA + --- + ------- = 10     C      GHI     (如果显示有问题,可以参见[图1.jpg])   这个算式中A~I代表1~9 ...

  7. python之数学函数应用

    一.abs(x) 1.作用: 函数返回 x(数字)的绝对值,如果参数是一个复数,则返回它的大小(模) 2.举例说明: #1.abs() a = abs(-15) print(a) b = abs(1+ ...

  8. Security的一些配置

    package com.example.demo.config; import com.example.demo.Service.UserDetailsServiceImpl; import com. ...

  9. [转帖]jmeter实现分布式压测

    分布式实现的前提条件: 1.master机器和奴隶机的jmeter要一致 a. jmeter版本要一致 b.jdk主要版本要一致,比如都是jdk1.8,后面的小版本不一样不影响 c.jmeter脚本中 ...

  10. [转帖]FIO磁盘性能测试工具

    https://www.cnblogs.com/lyhabc/p/16708771.html 简介 一般我们测试硬盘或者存储的性能的时候,会用Linux系统自带的dd命令,因为是自带命令,简单易使用, ...