如何手动读/写.exe机器码? [英] How to read / write .exe machine code manually?
问题描述
我不太熟悉编译器魔法.将人类可读的代码(或不真正可读的汇编指令)转换为机器代码的行为,对我来说,是火箭科学与巫术的结合.
I am not well acquainted to the compiler magic. The act of transforming human-readable code (or the not really readable Assembly instructions) into machine code is, for me, rocket science combined with sorcery.
我将把这个问题的主题缩小到 Win32 可执行文件 (.exe).当我在专门的查看器中打开这些文件时,我可以发现分散在各个地方的字符串(通常每个字符 16b),但其余的只是垃圾.我想不可读的部分(大部分)是机器代码(或者可能是资源,例如图像等......).
I will narrow down the subject of this question to Win32 executables (.exe). When I open these files up in a specialized viewer, I can find strings (usually 16b per character) scattered at various places, but the rest is just garbage. I suppose the unreadable part (majority) is the machine code (or maybe resources, such as images etc...).
是否有任何直接读取机器代码的方法?将 exe 作为文件流打开并逐字节读取,如何将这些单独的字节转换为汇编?这些指令字节和汇编指令之间是否有直接的映射关系?
Is there any straightforward way of reading the machine code? Opening the exe as a file stream and reading it byte by byte, how could one turn these individual bytes into Assembly? Is there a straightforward mapping between these instruction bytes and the Assembly instruction?
.exe是怎么写的?每条指令四个字节?更多的?较少的?我注意到一些应用程序可以像这样创建可执行文件:例如,在 ACD See 中,您可以将一系列图像导出到幻灯片中.但这不一定是 SWF 幻灯片,ACD See 也能够生成可执行的演示文稿.这是怎么做到的?
How is the .exe written? Four bytes per instruction? More? Less? I have noticed some applications can create executable files just like that: for example, in ACD See you can export a series of images into a slideshow. But this does not necessarily have to be a SWF slideshow, ACD See is also capable of producing EXEcutable presentations. How is that done?
我如何理解 EXE 文件中的内容?
How can I understand what goes on inside an EXE file?
推荐答案
OllyDbg 是一个很棒的反汇编工具将 EXE 转换为可读指令,并允许您逐一执行指令.它还告诉您程序使用了哪些 API 函数,以及它提供的参数(只要在堆栈中找到参数).
OllyDbg is an awesome tool that disassembles an EXE into readable instructions and allows you to execute the instructions one-by-one. It also tells you what API functions the program uses and if possible, the arguments that it provides (as long as the arguments are found on the stack).
一般来说,CPU 指令的长度是可变的,有些是一个字节,有些是 2 个,有些是 3 个,有些是 4 个等.这主要取决于指令期望的数据类型.有些指令是通用的,例如mov",它告诉 CPU 将数据从 CPU 寄存器移动到内存中的某个位置,反之亦然.实际上,有许多不同的mov"指令,用于处理 8 位、16 位、32 位数据的指令,用于从不同寄存器移动数据的指令等等.
Generally speaking, CPU instructions are of variable length, some are one byte, others are two, some three, some four etc. It mostly depends on the kind of data that the instruction expects. Some instructions are generalised, like "mov" which tells the CPU to move data from a CPU register to a place in memory, or vice versa. In reality, there are many different "mov" instructions, ones for handling 8-bit, 16-bit, 32-bit data, ones for moving data from different registers and so on.
您可以阅读 Paul Carter 博士的PC 汇编语言教程,这是一本免费的入门级书籍谈论组装以及英特尔 386 CPU 的运行方式.其中大部分甚至适用于现代消费级英特尔 CPU.
You could pick up Dr. Paul Carter's PC Assembly Language Tutorial which is a free entry level book that talks about assembly and how the Intel 386 CPU operates. Most of it is applicable even to modern day consumer Intel CPUs.
EXE 格式特定于 Windows.入口点(即第一条可执行指令)通常位于 EXE 文件中的同一位置.一下子解释起来有点困难,但是我提供的资源应该至少可以帮助治愈您的一些好奇心!:)
The EXE format is specific to Windows. The entry-point (i.e. the first executable instruction) is usually found at the same place within the EXE file. It's all kind of difficult to explain all at once, but the resources I've provided should help cure at least some of your curiosity! :)
这篇关于如何手动读/写.exe机器码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
