如何手动读取/写入.exe机器代码? [英] How to read / write .exe machine code manually?
问题描述
我不太熟悉编译器魔术.对我来说,将人类可读的代码(或不是真正的 可读的汇编指令)转换为机器代码的行为,是结合了巫术的火箭科学.
I am not well acquainted to the compiler magic. The act of transforming human-readable code (or the not really readable Assembly instructions) into machine code is, for me, rocket science combined with sorcery.
我将把这个问题的范围缩小到Win32可执行文件(.exe).当我在专门的查看器中打开这些文件时,我可以找到分散在各个地方的字符串(通常每个字符16b),但是其余的只是垃圾.我想不可读的部分(大部分)是机器代码(或者也许是资源,例如图像等).
I will narrow down the subject of this question to Win32 executables (.exe). When I open these files up in a specialized viewer, I can find strings (usually 16b per character) scattered at various places, but the rest is just garbage. I suppose the unreadable part (majority) is the machine code (or maybe resources, such as images etc...).
有什么简单的方法可以读取机器代码?将exe作为文件流打开并逐字节读取它,怎么能将这些单独的字节转换为Assembly?这些指令字节和Assembly指令之间是否存在直接映射?
Is there any straightforward way of reading the machine code? Opening the exe as a file stream and reading it byte by byte, how could one turn these individual bytes into Assembly? Is there a straightforward mapping between these instruction bytes and the Assembly instruction?
.exe是如何编写的?每个指令四个字节?更多的?较少的?我注意到有些应用程序可以像这样创建可执行文件:例如,在ACD See中,您可以将一系列图像导出到幻灯片中.但这不一定是SWF幻灯片,ACD See也能够生成EXEcutable演示文稿.怎么做?
How is the .exe written? Four bytes per instruction? More? Less? I have noticed some applications can create executable files just like that: for example, in ACD See you can export a series of images into a slideshow. But this does not necessarily have to be a SWF slideshow, ACD See is also capable of producing EXEcutable presentations. How is that done?
我如何理解EXE文件中发生了什么?
How can I understand what goes on inside an EXE file?
推荐答案
OllyDbg 是一个很棒的工具,它可以分解EXE转换为可读的指令,并允许您一对一地执行指令.它还告诉您程序使用什么API函数,并在可能的情况下告诉程序提供的参数(只要在堆栈上找到了这些参数即可).
OllyDbg is an awesome tool that disassembles an EXE into readable instructions and allows you to execute the instructions one-by-one. It also tells you what API functions the program uses and if possible, the arguments that it provides (as long as the arguments are found on the stack).
通常来说,CPU指令的长度是可变的,有些是一个字节,有些是两个字节,有些是三个,有些是四个,等等.这主要取决于指令所期望的数据类型.一些指令是通用的,例如"mov",它告诉CPU将数据从CPU寄存器移到内存中的某个位置,反之亦然.实际上,有许多不同的"mov"指令,用于处理8位,16位,32位数据的指令,用于从不同寄存器中移动数据的指令,等等.
Generally speaking, CPU instructions are of variable length, some are one byte, others are two, some three, some four etc. It mostly depends on the kind of data that the instruction expects. Some instructions are generalised, like "mov" which tells the CPU to move data from a CPU register to a place in memory, or vice versa. In reality, there are many different "mov" instructions, ones for handling 8-bit, 16-bit, 32-bit data, ones for moving data from different registers and so on.
您可以选择Paul Carter博士的 PC汇编语言教程,这是一本入门级的免费书籍.讨论组装以及Intel 386 CPU的工作方式.大部分内容甚至适用于当今的消费类英特尔CPU.
You could pick up Dr. Paul Carter's PC Assembly Language Tutorial which is a free entry level book that talks about assembly and how the Intel 386 CPU operates. Most of it is applicable even to modern day consumer Intel CPUs.
EXE格式特定于Windows.入口点(即第一条可执行指令)通常位于EXE文件中的同一位置.一次全部解释都是很困难的,但是我提供的资源应该至少可以帮助您解决一些好奇心! :)
The EXE format is specific to Windows. The entry-point (i.e. the first executable instruction) is usually found at the same place within the EXE file. It's all kind of difficult to explain all at once, but the resources I've provided should help cure at least some of your curiosity! :)
这篇关于如何手动读取/写入.exe机器代码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
