我试图反汇编我用 masm 编写的测试二进制文件。以下是以下字节:
Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file X:\test.exe
File Type: EXECUTABLE IMAGE
00401000: EB FE jmp 00401000
00401002: 33 C0 xor eax,eax
00401004: 33 DB xor ebx,ebx
00401006: 33 C9 xor ecx,ecx
00401008: 33 D2 xor edx,edx
0040100A: B8 02 00 00 00 mov eax,2
0040100F: BB 01 00 00 00 mov ebx,1
00401014: 3B C3 cmp eax,ebx
00401016: 7F 06 jg 0040101E
00401018: 2B C3 sub eax,ebx
0040101A: 3B C3 cmp eax,ebx
0040101C: 7F 22 jg 00401040
0040101E: B8 05 00 00 00 mov eax,5
00401023: BB 0A 00 00 00 mov ebx,0Ah
00401028: 3B C3 cmp eax,ebx
0040102A: 7F 06 jg 00401032
0040102C: 2B D8 sub ebx,eax
0040102E: 3B D8 cmp ebx,eax
00401030: 7F 07 jg 00401039
00401032: B8 0D 00 00 00 mov eax,0Dh
00401037: EB 0E jmp 00401047
00401039: BB 09 00 00 00 mov ebx,9
0040103E: EB 07 jmp 00401047
00401040: B9 17 00 00 00 mov ecx,17h
00401045: EB 00 jmp 00401047
00401047: 6A 00 push 0
00401049: E8 00 00 00 00 call 0040104E
0040104E: FF 25 00 20 40 00 jmp dword ptr ds:[00402000h]
以下是我的python脚本:
import os, sys
from pydbg import *
from pydbg.defines import *
pid = int(sys.argv[1])
def handler_breakpoint(pydbg):
if pydbg.first_breakpoint:
return DBG_CONTINUE
for thread_id in dbg.enumerate_threads():
context = dbg.get_thread_context(None, h_thread)
print("Eip = %08x" % context.Eip)
dbg.disasm(context.Eip)
return DBG_CONTINUE
dbg = pydbg()
dbg.set_callback(EXCEPTION_BREAKPOINT, handler_breakpoint)
dbg.attach(pid)
for thread_id in dbg.enumerate_threads():
context = dbg.get_thread_context(None, h_thread)
dbg.bp_set(context.Eip)
dbg.resume_all_threads()
pydbg.debug_event_loop(dbg)
我只想进入第一条 (jmp-0x2) 指令。
我检查了 pydbg API pydbg API和使用 pydbg 的各种项目,但对如何执行此操作一无所知。