用W32asm反汇编Ntdll.dll文件的后的代码

之所以要反汇编这个文件是想查看其调用的函数信息,但是反汇编后还是不明白一下内容里有什么有用的信息,求解释。

   Object01: .text    RVA: 00001000 Offset: 00000400 Size: 000D5200 Flags: 60000020
   Object02: RT       RVA: 000D7000 Offset: 000D5600 Size: 00000200 Flags: 60000020
   Object03: .data    RVA: 000D8000 Offset: 000D5800 Size: 00006C00 Flags: C0000040
   Object04: .rsrc    RVA: 000E1000 Offset: 000DC400 Size: 00056200 Flags: 40000040
   Object05: .reloc   RVA: 00138000 Offset: 00132600 Size: 00004E00 Flags: 42000040




+++++++++++++++++++   菜 单 信 息    ++++++++++++++++++


                 程序没有菜单选项                      


+++++++++++++++++     对话框信息     ++++++++++++++++++


        There Are No Dialog Resources in This Application


+++++++++++++++++++      导入函数      ++++++++++++++++++
Number of Imported Modules =    0 (decimal)




+++++++++++++++++++      重要模块资料     +++++++++++++++


+++++++++++++++++++      导出函数      ++++++++++++++++++
Number of Exported Functions = 0000 (decimal)








+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object .text **************

Program Entry Point Not Available

:77EC1000 53                      push ebx

:77EC11B3 8D4DFC                  lea ecx, dword ptr [ebp-04]
:77EC11B6 51                      push ecx
:77EC11B7 6A00                    push 00000000
:77EC11B9 50                      push eax
:77EC11BA 57                      push edi
:77EC11BB E83A000000              call 77EC11FA
:77EC11C0 837DFC00                cmp dword ptr [ebp-04], 00000000
:77EC11C4 0F8727A80900            ja 77F5B9F1


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77EC11B1(C)
|
:77EC11CA 837DF800                cmp dword ptr [ebp-08], 00000000
:77EC11CE 7415                    je 77EC11E5
:77EC11D0 8B4510                  mov eax, dword ptr [ebp+10]
:77EC11D3 85C0                    test eax, eax
:77EC11D5 0F8539A80900            jne 77F5BA14


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77F5BA19(U)
|
:77EC11DB 33C0                    xor eax, eax
:77EC11DD 40                      inc eax


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77F5B9EC(U)
|
:77EC11DE 5F                      pop edi
:77EC11DF 5E                      pop esi
:77EC11E0 5B                      pop ebx
:77EC11E1 C9                      leave
:77EC11E2 C20C00                  ret 000C






* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:77EC1193(C), :77EC11CE(C), :77F5B9E0(U), :77F5BA00(C), :77F5BA09(C)
|
:77EC11E5 8B4510                  mov eax, dword ptr [ebp+10]
:77EC11E8 85C0                    test eax, eax
:77EC11EA 0F85F5A70900            jne 77F5B9E5
:77EC11F0 E9F5A70900              jmp 77F5B9EA
:77EC11F5 90                      nop
:77EC11F6 90                      nop
:77EC11F7 90                      nop
:77EC11F8 90                      nop
:77EC11F9 90                      nop


* Referenced by a CALL at Address:
|:77EC11BB   
|
:77EC11FA 8BFF                    mov edi, edi
:77EC11FC 55                      push ebp
:77EC11FD 8BEC                    mov ebp, esp
:77EC11FF 83EC0C                  sub esp, 0000000C
:77EC1202 33C9                    xor ecx, ecx
:77EC1204 53                      push ebx
:77EC1205 8B5D08                  mov ebx, dword ptr [ebp+08]
:77EC1208 56                      push esi
:77EC1209 894DF4                  mov dword ptr [ebp-0C], ecx
:77EC120C 894DF8                  mov dword ptr [ebp-08], ecx
:77EC120F 894DFC                  mov dword ptr [ebp-04], ecx
:77EC1212 3BD9                    cmp ebx, ecx
:77EC1214 0F8437010000            je 77EC1351
:77EC121A 8B430C                  mov eax, dword ptr [ebx+0C]
:77EC121D 3BC1                    cmp eax, ecx
:77EC121F 0F842C010000            je 77EC1351
:77EC1225 8B750C                  mov esi, dword ptr [ebp+0C]
:77EC1228 3B7048                  cmp esi, dword ptr [eax+48]
:77EC122B 0F8320010000            jnb 77EC1351
:77EC1231 8B4514                  mov eax, dword ptr [ebp+14]
:77EC1234 3BC1                    cmp eax, ecx
:77EC1236 7402                    je 77EC123A
:77EC1238 8908                    mov dword ptr [eax], ecx


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77EC1236(C)
|
:77EC123A 51                      push ecx
:77EC123B 8D45FC                  lea eax, dword ptr [ebp-04]
:77EC123E 50                      push eax
:77EC123F E881FEFFFF              call 77EC10C5
:77EC1244 85C0                    test eax, eax
:77EC1246 0F84DB000000            je 77EC1327
:77EC124C FF75FC                  push [ebp-04]
:77EC124F 56                      push esi
:77EC1250 E832030000              call 77EC1587
:77EC1255 85C0                    test eax, eax
:77EC1257 0F84CA000000            je 77EC1327
:77EC125D 57                      push edi
:77EC125E FF75FC                  push [ebp-04]
:77EC1261 8D450C                  lea eax, dword ptr [ebp+0C]
:77EC1264 50                      push eax
:77EC1265 E8F8000000              call 77EC1362
:77EC126A 85C0                    test eax, eax
:77EC126C 0F84AD000000            je 77EC131F


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77EC1314(C)
|
:77EC1272 8B750C                  mov esi, dword ptr [ebp+0C]
:77EC1275 6BF630                  imul esi, 00000030
:77EC1278 037318                  add esi, dword ptr [ebx+18]
:77EC127B 8B4620                  mov eax, dword ptr [esi+20]
:77EC127E 8B7E14                  mov edi, dword ptr [esi+14]
:77EC1281 85C0                    test eax, eax
:77EC1283 7C11                    jl 77EC1296
:77EC1285 FF75FC                  push [ebp-04]
:77EC1288 50                      push eax
:77EC1289 E8F9020000              call 77EC1587
:77EC128E 85C0                    test eax, eax
:77EC1290 0F8490000000            je 77EC1326


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77EC1283(C)
|
:77EC1296 8B4628                  mov eax, dword ptr [esi+28]
:77EC1299 85C0                    test eax, eax
:77EC129B 7C0D                    jl 77EC12AA
:77EC129D FF75FC                  push [ebp-04]
:77EC12A0 50                      push eax
:77EC12A1 E8E1020000              call 77EC1587
:77EC12A6 85C0                    test eax, eax
:77EC12A8 747C                    je 77EC1326


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77EC129B(C)
|
:77EC12AA 8B4624                  mov eax, dword ptr [esi+24]
:77EC12AD 85C0                    test eax, eax
:77EC12AF 0F8D9FAF0900            jnl 77F5C254


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77EC133A(C)
|
:77EC12B5 8B562C                  mov edx, dword ptr [esi+2C]
:77EC12B8 F6C201                  test dl, 01
:77EC12BB 7549                    jne 77EC1306
:77EC12BD 8B06                    mov eax, dword ptr [esi]
:77EC12BF 0B4604                  or eax, dword ptr [esi+04]
:77EC12C2 0F849AAF0900            je 77F5C262


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77F5C268(C)
|
:77EC12C8 8B4610                  mov eax, dword ptr [esi+10]
:77EC12CB 85C0                    test eax, eax
:77EC12CD 7473                    je 77EC1342
:77EC12CF 250000FFFF              and eax, FFFF0000
:77EC12D4 0F8599AF0900            jne 77F5C273


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77F5C278(C)
|
:77EC12DA 8B4B0C                  mov ecx, dword ptr [ebx+0C]
:77EC12DD 3B7944                  cmp edi, dword ptr [ecx+44]
:77EC12E0 7360                    jnb 77EC1342
:77EC12E2 8B4310                  mov eax, dword ptr [ebx+10]
:77EC12E5 C1E705                  shl edi, 05
:77EC12E8 03C7                    add eax, edi
:77EC12EA 83781800                cmp dword ptr [eax+18], 00000000
:77EC12EE 7516                    jne 77EC1306
:77EC12F0 8B7E1C                  mov edi, dword ptr [esi+1C]
:77EC12F3 037E18                  add edi, dword ptr [esi+18]
:77EC12F6 397804                  cmp dword ptr [eax+04], edi
:77EC12F9 7247                    jb 77EC1342
:77EC12FB 8B4014                  mov eax, dword ptr [eax+14]
:77EC12FE 85C0                    test eax, eax
:77EC1300 0F8D7DAF0900            jnl 77F5C283


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:77EC12BB(C), :77EC12EE(C), :77F5C28C(U), :77F5C2A5(C), :77F5C2AD(U)
|
:77EC1306 FF75FC                  push [ebp-04]
:77EC1309 8D450C                  lea eax, dword ptr [ebp+0C]
:77EC130C 50                      push eax
:77EC130D E850000000              call 77EC1362
:77EC1312 85C0                    test eax, eax
:77EC1314 0F8558FFFFFF            jne 77EC1272
:77EC131A 3945F8                  cmp dword ptr [ebp-08], eax
:77EC131D 7507                    jne 77EC1326


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77EC126C(C)
|
:77EC131F C745F401000000          mov [ebp-0C], 00000001


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:77EC1290(C), :77EC12A8(C), :77EC131D(C), :77EC1340(U)
|
:77EC1326 5F                      pop edi


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:77EC1246(C), :77EC1257(C)
|
:77EC1327 FF75FC                  push [ebp-04]
:77EC132A E818FDFFFF              call 77EC1047
:77EC132F 8B45F4                  mov eax, dword ptr [ebp-0C]


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77F5C2B4(U)
|
:77EC1332 5E                      pop esi
:77EC1333 5B                      pop ebx
:77EC1334 C9                      leave
:77EC1335 C21000                  ret 0010






* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77F5C25D(U)
|
:77EC1338 85C0                    test eax, eax
:77EC133A 0F8575FFFFFF            jne 77EC12B5
:77EC1340 EBE4                    jmp 77EC1326


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:77EC12CD(C), :77EC12E0(C), :77EC12F9(C), :77F5C26E(U), :77F5C27E(U)
|:77F5C286(C)
|
:77EC1342 837D1000                cmp dword ptr [ebp+10], 00000000
:77EC1346 0F8545AF0900            jne 77F5C291
:77EC134C E948AF0900              jmp 77F5C299


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:77EC1214(C), :77EC121F(C), :77EC122B(C)
|
:77EC1351 6A57                    push 00000057
:77EC1353 E882100500              call 77F123DA
:77EC1358 E955AF0900              jmp 77F5C2B2
:77EC135D 90                      nop
:77EC135E 90                      nop
:77EC135F 90                      nop
:77EC1360 90                      nop
:77EC1361 90                      nop


* Referenced by a CALL at Addresses:
|:77EC1265   , :77EC130D   , :77EC148D   , :77EC1556   
|
:77EC1362 8BFF                    mov edi, edi
:77EC1364 55                      push ebp
:77EC1365 8BEC                    mov ebp, esp
:77EC1367 8B4D0C                  mov ecx, dword ptr [ebp+0C]
:77EC136A 56                      push esi
:77EC136B 85C9                    test ecx, ecx
:77EC136D 7424                    je 77EC1393
:77EC136F 8B7508                  mov esi, dword ptr [ebp+08]
:77EC1372 85F6                    test esi, esi
:77EC1374 741D                    je 77EC1393
:77EC1376 8B5108                  mov edx, dword ptr [ecx+08]
:77EC1379 85D2                    test edx, edx
:77EC137B 7416                    je 77EC1393
:77EC137D 8B01                    mov eax, dword ptr [ecx]
:77EC137F 85C0                    test eax, eax
:77EC1381 7410                    je 77EC1393
:77EC1383 48                      dec eax
:77EC1384 8901                    mov dword ptr [ecx], eax
:77EC1386 8B0482                  mov eax, dword ptr [edx+4*eax]
:77EC1389 8906                    mov dword ptr [esi], eax
:77EC138B 33C0                    xor eax, eax
:77EC138D 40                      inc eax


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77EC1395(U)
|
:77EC138E 5E                      pop esi
:77EC138F 5D                      pop ebp
:77EC1390 C20800                  ret 0008






* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:77EC136D(C), :77EC1374(C), :77EC137B(C), :77EC1381(C)
|
:77EC1393 33C0                    xor eax, eax
:77EC1395 EBF7                    jmp 77EC138E
:77EC1397 90                      nop
:77EC1398 90                      nop
:77EC1399 90                      nop
:77EC139A 90                      nop
:77EC139B 90                      nop


* Referenced by a CALL at Address:
|:77EC119C   
|
:77EC139C 8BFF                    mov edi, edi
:77EC139E 55                      push ebp
:77EC139F 8BEC                    mov ebp, esp
:77EC13A1 51                      push ecx
:77EC13A2 53                      push ebx
:77EC13A3 56                      push esi
:77EC13A4 8B7508                  mov esi, dword ptr [ebp+08]
:77EC13A7 33D2                    xor edx, edx
:77EC13A9 42                      inc edx
:77EC13AA 33DB                    xor ebx, ebx
:77EC13AC 57                      push edi
:77EC13AD 8955FC                  mov dword ptr [ebp-04], edx
:77EC13B0 3BF3                    cmp esi, ebx
:77EC13B2 0F848D000000            je 77EC1445
:77EC13B8 8B460C                  mov eax, dword ptr [esi+0C]
:77EC13BB 3BC3                    cmp eax, ebx
:77EC13BD 0F8482000000            je 77EC1445
:77EC13C3 8B4848                  mov ecx, dword ptr [eax+48]
:77EC13C6 3BCB                    cmp ecx, ebx
:77EC13C8 0F84ACA50900            je 77F5B97A
:77EC13CE 395858                  cmp dword ptr [eax+58], ebx
:77EC13D1 0F8CAAA50900            jl 77F5B981


:77EC1001 005900                  add byte ptr [ecx+00], bl
:77EC1004 53                      push ebx
:77EC1005 00540045                add byte ptr [eax+eax+45], dl
:77EC1009 004D00                  add byte ptr [ebp+00], cl
:77EC100C 0000                    add byte ptr [eax], al
:77EC100E 90                      nop
:77EC100F 90                      nop
:77EC1010 7200                    jb 77EC1012
:77EC1012 6300                    arpl dword ptr [eax], eax
:77EC1014 0000                    add byte ptr [eax], al
:77EC1016 8B460C                  mov eax, dword ptr [esi+0C]
:77EC1019 3BC7                    cmp eax, edi
:77EC101B 0F856EA60900            jne 77F5B68F
:77EC1021 64A118000000            mov eax, dword ptr fs:[00000018]
:77EC1027 8B4030                  mov eax, dword ptr [eax+30]
:77EC102A 56                      push esi
:77EC102B 57                      push edi
:77EC102C FF7018                  push [eax+18]
:77EC102F E8150F0500              call 77F11F49


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:77F5B65D(C), :77F5B66A(U)
|
:77EC1034 33C0                    xor eax, eax
:77EC1036 E997F50600              jmp 77F305D2


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77F305AC(C)
|
:77EC103B 33C0                    xor eax, eax
:77EC103D E976F50600              jmp 77F305B8
:77EC1042 90                      nop
:77EC1043 90                      nop
:77EC1044 90                      nop
:77EC1045 90                      nop
:77EC1046 90                      nop


* Referenced by a CALL at Addresses:
|:77EC132A   , :77EC1570   
|
:77EC1047 8BFF                    mov edi, edi
:77EC1049 55                      push ebp
:77EC104A 8BEC                    mov ebp, esp
:77EC104C 56                      push esi
:77EC104D 8B7508                  mov esi, dword ptr [ebp+08]
:77EC1050 85F6                    test esi, esi
:77EC1052 742F                    je 77EC1083
:77EC1054 8B4608                  mov eax, dword ptr [esi+08]
:77EC1057 85C0                    test eax, eax
:77EC1059 7414                    je 77EC106F
:77EC105B 50                      push eax
:77EC105C 64A118000000            mov eax, dword ptr fs:[00000018]
:77EC1062 8B4030                  mov eax, dword ptr [eax+30]
:77EC1065 6A00                    push 00000000
:77EC1067 FF7018                  push [eax+18]
:77EC106A E8DA0E0500              call 77F11F49


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77EC1059(C)
|
:77EC106F 64A118000000            mov eax, dword ptr fs:[00000018]
:77EC1075 8B4030                  mov eax, dword ptr [eax+30]
:77EC1078 56                      push esi
:77EC1079 6A00                    push 00000000
:77EC107B FF7018                  push [eax+18]
:77EC107E E8C60E0500              call 77F11F49


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77EC1052(C)
|
:77EC1083 5E                      pop esi
:77EC1084 5D                      pop ebp
:77EC1085 C20400                  ret 0004






* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77F307D1(C)
|
:77EC1088 83CF02                  or edi, 00000002
:77EC108B E947F70600              jmp 77F307D7


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77F307E3(C)
|
:77EC1090 83CF08                  or edi, 00000008
:77EC1093 E951F70600              jmp 77F307E9


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:77F3081E(C), :77F5BA3B(U)
|
:77EC1098 33C0                    xor eax, eax
:77EC109A E9B5F70600              jmp 77F30854


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77F30829(C)
|
:77EC109F 394D10                  cmp dword ptr [ebp+10], ecx
:77EC10A2 0F8487F70600            je 77F3082F
:77EC10A8 E988A90900              jmp 77F5BA35


未完……文件实在太长,不懂,求解释。












阅读更多

更多精彩内容