IDA Debug .dll

[md88]

Hay, ich bin derzeit dabei eine dll zu debuggen. Ich habe 0 ahnung und habe bis jetzt nur das hier:

 Spoiler

Code:

.idata:102C90C4
.idata:102C90C4 ; Segment type: Externs
.idata:102C90C4 ; _idata
.idata:102C90C4 ; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress,DWORD dwSize,DWORD flAllocationType,DWORD flProtect)
.idata:102C90C4                 extrn VirtualAlloc:dword
.idata:102C90C8 ; BOOL __stdcall VirtualFree(LPVOID lpAddress,DWORD dwSize,DWORD dwFreeType)
.idata:102C90C8                 extrn VirtualFree:dword
.idata:102C90CC ; HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName)
.idata:102C90CC                 extrn GetModuleHandleA:dword
.idata:102C90D0 ; FARPROC __stdcall GetProcAddress(HMODULE hModule,LPCSTR lpProcName)
.idata:102C90D0                 extrn GetProcAddress:dword
.idata:102C90D4 ; void __stdcall ExitProcess(UINT uExitCode)
.idata:102C90D4                 extrn ExitProcess:dword
.idata:102C90D8 ; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
.idata:102C90D8                 extrn LoadLibraryA:dword
.idata:102C90DC
.idata:102C90E0 ;
.idata:102C90E0 ; Imports from user32.dll
.idata:102C90E0 ;
.idata:102C90E0 ; int __stdcall MessageBoxA(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType)
.idata:102C90E0                 extrn MessageBoxA:dword
.idata:102C90E4
.idata:102C90E8 ;
.idata:102C90E8 ; Imports from advapi32.dll
.idata:102C90E8 ;
.idata:102C90E8 ; LONG __stdcall RegCloseKey(HKEY hKey)
.idata:102C90E8                 extrn RegCloseKey:dword
.idata:102C90EC
.idata:102C90F0 ;
.idata:102C90F0 ; Imports from oleaut32.dll
.idata:102C90F0 ;
.idata:102C90F0 ; void __stdcall SysFreeString(BSTR)
.idata:102C90F0                 extrn SysFreeString:dword
.idata:102C90F4
.idata:102C90F8 ;
.idata:102C90F8 ; Imports from gdi32.dll
.idata:102C90F8 ;
.idata:102C90F8 ; HFONT __stdcall CreateFontA(int,int,int,int,int,DWORD,DWORD,DWORD,DWORD,DWORD,DWORD,DWORD,DWORD,LPCSTR)
.idata:102C90F8                 extrn CreateFontA:dword
.idata:102C90FC
.idata:102C9100 ;
.idata:102C9100 ; Imports from shell32.dll
.idata:102C9100 ;
.idata:102C9100 ; HINSTANCE __stdcall ShellExecuteA(HWND hwnd,LPCSTR lpOperation,LPCSTR lpFile,LPCSTR lpParameters,LPCSTR lpDirectory,INT nShowCmd)
.idata:102C9100                 extrn ShellExecuteA:dword ; Opens or prints a specified file
.idata:102C9104
.idata:102C9108 ;
.idata:102C9108 ; Imports from version.dll
.idata:102C9108 ;
.idata:102C9108 ; BOOL __stdcall GetFileVersionInfoA(LPSTR lptstrFilename,DWORD dwHandle,DWORD dwLen,LPVOID lpData)
.idata:102C9108                 extrn GetFileVersionInfoA:dword ; Get version information about a specified file
.idata:102C910C
.idata:102C9110 ;
.idata:102C9110 ; Imports from msvcr100.dll
.idata:102C9110 ;
.idata:102C9110                 extrn _except_handler4_common:dword
.idata:102C9114
.idata:102C9114

und das hier:

Code:

0000:1035F980     ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpReserved)
0000:1035F980                     public DllEntryPoint
0000:1035F980     DllEntryPoint:
0000:1035F980                     pusha
0000:1035F981                     call    $+5
0000:1035F986                     pop     ebp
0000:1035F987                     sub     ebp, 6
0000:1035F98D                     sub     ebp, 35F980h
0000:1035F993                     jmp     loc_1035F9E4
0000:1035F993     ; ---------------------------------------------------------------------------
0000:1035F998                     dd 47494E45h, 3203414Dh, 307DDh, 12001Bh, 200024h, 98B11DBBh
0000:1035F998                     dd 0D3A0F2CCh, 392E37D0h, 0EDF6947Dh, 995AA335h, 2, 0DC867DB4h
0000:1035F998                     dd 46824FEEh, 5ACBD5B0h, 7A84036Fh, 0E8D37ECEh, 0D8380D7Ah
0000:1035F998                     dd 0AF52C21h, 16D0F540h
0000:1035F9E4     ; ---------------------------------------------------------------------------
0000:1035F9E4
0000:1035F9E4     loc_1035F9E4:                           ; CODE XREF: .data:1035F993j
0000:1035F9E4                     mov     al, [esp+28h]
0000:1035F9EB                     cmp     al, 1
0000:1035F9EE                     jz      loc_1035F9FB
0000:1035F9F4                     popa
0000:1035F9F5                     xor     eax, eax
0000:1035F9F7                     inc     eax
0000:1035F9F8                     retn    0Ch
0000:1035F9FB     ; ---------------------------------------------------------------------------
0000:1035F9FB
0000:1035F9FB     loc_1035F9FB:                           ; CODE XREF: .data:1035F9EEj
0000:1035F9FB                     jmp     loc_1035FA04
0000:1035F9FB     ; ---------------------------------------------------------------------------
0000:1035FA00                     dd 0F9A8699h
0000:1035FA04     ; ---------------------------------------------------------------------------
0000:1035FA04
0000:1035FA04     loc_1035FA04:                           ; CODE XREF: .data:loc_1035F9FBj
0000:1035FA04                     mov     eax, 35F980h
0000:1035FA09                     add     eax, ebp
0000:1035FA0B                     add     eax, 0AAh
0000:1035FA11                     mov     ecx, 63Ch
0000:1035FA16                     mov     edx, 55E9B90Fh
0000:1035FA1B
0000:1035FA1B     loc_1035FA1B:                           ; CODE XREF: .data:1035FA1Fj
0000:1035FA1B                     xor     [eax], dl
0000:1035FA1D                     inc     eax
0000:1035FA1E                     dec     ecx
0000:1035FA1F                     jnz     loc_1035FA1B
0000:1035FA25                     jmp     loc_1035FA2E
0000:1035FA25     ; ---------------------------------------------------------------------------
0000:1035FA2A                     dw 60Dh
0000:1035FA2C     ; ---------------------------------------------------------------------------
0000:1035FA2C                     xor     ecx, [edi]
0000:1035FA2E
0000:1035FA2E     loc_1035FA2E:                           ; CODE XREF: .data:1035FA25j
0000:1035FA2E                     db      65h
0000:1035FA2E                     dec     edi

kann irgendjemand damit etwas anfangen?

[Daifoku]

wieso willst du eine DLL debuggen ?

Also der erste Code Block zeigt dir den import table an
Im Zweiten Block findet der eigentliche main loop der DLL statt

Da steht aber bisher nichts aufregendes ;-)