Today I made a simple structure and compiled it into a pbd file; in PB, a global structure is the object that produces the least code.
I found a few things:
1. pbkiller cannot recover declarations of the form blob{n}. Looking at the file in UE (UltraEdit) shows that it simply skips analysing part of the bytes; dec{2} and dec{4} cannot be decompiled either, and all of them come out as just: dec.
2. The file vmxxx.dat in the pbkiller directory is roughly a routine that exercises every built-in PB object, function, event and property call. pbkiller probably tries to compare this sample against the customer's code to derive its decompilation information; that still needs study. shudepb presumably referred to this tool as well: I remember its author saying something about comparing against pbkiller and debugging step by step, though I forget where I read it.
*Checked: vm196.dat comes from the data at offset 0x422200 in pbvm90.dll. It appears to be the complete list of enumerations and objects for PB9.
3. I worked out how pbkiller operates: compile a pbd, start pbkiller, then modify bytes of the pbd in UE, inferring and comparing step by step, until I had isolated the parts pbkiller depends on; those parts are the basis for recovering the source. I have now fully decoded the structure object and know the real meaning of each part, including how blob{256} is declared and represented. Other objects, such as window, will probably be much more complex, but the approach is now clear and I will keep following it.
4. Attached is the pbd I analysed; it is a structure:
a. Source:
global type str_a from structure
blob{256} aaa
boolean bbb
character ccc
checkbox ddd
commandbutton eee
datawindow fff
datawindowchild ggg
date hhh
datetime iii
decimal { 0 } jjj
decimal { 2 } kkk
decimal { 4 } lll
double mmm
w_bbbb nnn
end type
b. Key bytes (I have blanked the irrelevant bytes to 00). I would rather not spell out the exact meaning of each field too plainly; this is written here mainly as a reference for myself.
00001200h: 44 41 54 2A 00 14 00 00 F6 01 00 00 08 00 00 00 ; DAT*....?......
00001210h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00001220h: 00 00 DE 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ..?............
00001230h: 00 00 73 74 72 75 63 74 75 72 65 00 73 74 72 5F ; ..structure.str_
00001240h: 61 00 61 63 63 65 73 73 69 62 6C 65 73 74 61 74 ; a.accessiblestat
00001250h: 65 00 61 63 63 65 73 73 69 62 69 6C 69 74 79 00 ; e.accessibility.
00001260h: 6D 61 69 6C 72 65 63 69 70 69 65 6E 74 00 65 6E ; mailrecipient.en
00001270h: 76 69 72 6F 6E 6D 65 6E 74 00 6D 61 69 6C 66 69 ; vironment.mailfi
00001280h: 6C 65 64 65 73 63 72 69 70 74 69 6F 6E 00 6D 61 ; ledescription.ma
00001290h: 69 6C 6D 65 73 73 61 67 65 00 64 61 74 61 77 69 ; ilmessage.datawi
000012a0h: 6E 64 6F 77 63 68 69 6C 64 00 6C 69 73 74 76 69 ; ndowchild.listvi
000012b0h: 65 77 69 74 65 6D 00 74 72 65 65 76 69 65 77 69 ; ewitem.treeviewi
000012c0h: 74 65 6D 00 63 6F 6E 6E 65 63 74 69 6F 6E 69 6E ; tem.connectionin
000012d0h: 66 6F 00 63 68 65 63 6B 62 6F 78 00 63 6F 6D 6D ; fo.checkbox.comm
000012e0h: 61 6E 64 62 75 74 74 6F 6E 00 64 61 74 61 77 69 ; andbutton.datawi
000012f0h: 6E 64 6F 77 00 77 5F 62 62 62 62 00 70 6F 77 65 ; ndow.w_bbbb.powe
00001300h: 72 6F 62 6A 65 63 74 00 54 01 00 00 00 00 FF FF ; robject.T.....
00001310h: 00 00 08 00 00 00 00 00 00 00 40 15 00 00 00 00 ; ..........@.....
00001320h: 00 00 FF FF 00 00 12 00 00 00 00 00 00 00 00 15 ; ..............
00001330h: 00 00 00 00 00 00 FF FF 00 00 18 00 00 00 02 00 ; ..............
00001340h: 00 00 00 00 00 00 00 00 00 00 FF FF 00 00 28 00 ; ............(.
00001350h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF ; ..............
00001360h: 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ..6.............
00001370h: 00 00 FF FF 00 00 44 00 00 00 00 00 00 00 00 00 ; ....D.........
00001380h: 00 00 00 00 00 00 FF FF 00 00 50 00 00 00 00 00 ; ........P.....
00001390h: 00 00 00 00 00 00 00 00 00 00 FF FF 00 00 64 00 ; ............d.
000013a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF ; ..............
000013b0h: 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ..p.............
000013c0h: 00 00 FF FF 00 00 80 00 00 00 00 00 00 00 00 00 ; ....€.........
000013d0h: 00 00 00 00 00 00 FF FF 00 00 8D 00 00 00 00 00 ; ........?....
000013e0h: 00 00 00 00 00 00 00 00 00 00 FF FF 00 00 9A 00 ; ............?
000013f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF ; ..............
00001400h: 44 41 54 2A 00 16 00 00 F6 01 00 00 A9 00 00 00 ; DAT*....?..?..
00001410h: 00 00 00 00 00 00 00 00 00 00 00 00 FF FF 00 00 ; ..............
00001420h: B2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ?..............
00001430h: FF FF 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 ; ..?..........
00001440h: 00 00 00 00 FF FF 00 00 CB 00 00 00 00 00 00 00 ; ......?......
00001450h: 00 00 00 00 00 00 00 00 FF FF 00 00 D2 00 00 00 ; ..........?..
00001460h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 ; ................
00001470h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00001480h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00001490h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000014a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000014b0h: 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 ; ................
000014c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000014d0h: 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; @...............
000014e0h: 61 61 61 00 62 62 62 00 63 63 63 00 64 64 64 00 ; aaa.bbb.ccc.ddd.
000014f0h: 65 65 65 00 66 66 66 00 67 67 67 00 68 68 68 00 ; eee.fff.ggg.hhh.
00001500h: 69 69 69 00 6A 6A 6A 00 6B 6B 6B 00 6C 6C 6C 00 ; iii.jjj.kkk.lll.
00001510h: 6D 6D 6D 00 6E 6E 6E 00 18 01 00 00 00 00 FF FF ; mmm.nnn.......
00001520h: 00 00 08 00 00 00 00 00 00 00 00 1D 0B 00 00 00 ; ................
00001530h: 00 00 FF FF 00 00 0C 00 00 00 00 00 00 00 00 00 ; ..............
00001540h: 07 00 00 00 00 00 FF FF 00 00 10 00 00 00 00 00 ; ..............
00001550h: 00 00 00 00 12 00 00 00 00 00 FF FF 00 00 14 00 ; ..............
00001560h: 00 00 00 00 00 00 00 00 0C 80 00 00 00 00 FF FF ; .........€....
00001570h: 00 00 18 00 00 00 00 00 00 00 00 00 0D 80 00 00 ; .............€..
00001580h: 00 00 FF FF 00 00 1C 00 00 00 00 00 00 00 00 00 ; ..............
00001590h: 0E 80 00 00 00 00 FF FF 00 00 20 00 00 00 00 00 ; .€...... .....
000015a0h: 00 00 00 00 08 80 00 00 00 00 FF FF 00 00 24 00 ; .....€......$.
000015b0h: 00 00 00 00 00 00 00 00 0C 00 00 00 00 00 FF FF ; ..............
000015c0h: 00 00 28 00 00 00 00 00 00 00 00 00 0E 00 00 00 ; ..(.............
000015d0h: 00 00 FF FF 00 00 2C 00 00 00 00 00 00 00 00 00 ; ....,.........
000015e0h: 05 00 00 00 00 00 FF FF 00 00 30 00 00 00 00 00 ; ........0.....
000015f0h: 00 00 04 0D 05 00 00 00 00 00 FF FF 00 00 34 00 ; ............4.
00001600h: 44 41 54 2A 00 00 00 00 A2 00 00 00 00 00 00 00 ; DAT*....?......
00001610h: 08 0D 05 00 00 00 00 00 FF FF 00 00 38 00 00 00 ; ..........8...
00001620h: 00 00 00 00 00 0D 04 00 00 00 00 00 FF FF 00 00 ; ..............
00001630h: 3C 00 00 00 00 00 00 00 00 00 0F 80 00 00 00 00 ; <..........€....
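As an added example (not part of the original note), here is a small Python helper that parses a hex dump in the UltraEdit layout used above, zero-fills the gaps between non-contiguous rows, locates each `DAT*` marker, and lists the NUL-terminated names that make up the type-name table and the member-name table. The embedded excerpt is copied from the dump above; reading the three words after each marker as little-endian is my assumption, and their meaning is left uninterpreted.

```python
import re
import struct

# Constructed sample: a non-contiguous excerpt of the dump above (UltraEdit layout:
# offset + 'h:', sixteen hex bytes, ';', ASCII column). Rows in between are omitted.
SAMPLE_DUMP = """\
00001200h: 44 41 54 2A 00 14 00 00 F6 01 00 00 08 00 00 00 ; DAT*....?......
00001230h: 00 00 73 74 72 75 63 74 75 72 65 00 73 74 72 5F ; ..structure.str_
00001240h: 61 00 61 63 63 65 73 73 69 62 6C 65 73 74 61 74 ; a.accessiblestat
00001250h: 65 00 61 63 63 65 73 73 69 62 69 6C 69 74 79 00 ; e.accessibility.
000014e0h: 61 61 61 00 62 62 62 00 63 63 63 00 64 64 64 00 ; aaa.bbb.ccc.ddd.
00001510h: 6D 6D 6D 00 6E 6E 6E 00 18 01 00 00 00 00 FF FF ; mmm.nnn.......
"""

CHUNK_MAGIC = b"DAT*"
IDENT_RE = re.compile(rb"[A-Za-z0-9_]{3,}\0")  # NUL-terminated identifier


def parse_hexdump(text):
    """Return (base_offset, bytearray); offsets not listed in the dump are zero-filled."""
    rows = []
    for line in text.splitlines():
        head, sep, rest = line.partition(":")
        if not sep or not head.strip().lower().endswith("h"):
            continue  # not a dump row
        rows.append((int(head.strip()[:-1], 16), bytes.fromhex(rest.split(";")[0])))
    base = min(off for off, _ in rows)
    data = bytearray(max(off + len(raw) for off, raw in rows) - base)
    for off, raw in rows:
        data[off - base:off - base + len(raw)] = raw
    return base, data


def find_chunks(data, base):
    """Absolute offset of each 'DAT*' marker plus the three 32-bit words after it.
    Little-endian is assumed; the words are reported raw, not interpreted."""
    out, pos = [], data.find(CHUNK_MAGIC)
    while pos != -1 and pos + 16 <= len(data):
        out.append((base + pos, struct.unpack_from("<3I", data, pos + 4)))
        pos = data.find(CHUNK_MAGIC, pos + 4)
    return out


def extract_strings(data, base):
    """(offset, name) for every NUL-terminated identifier in the dump."""
    return [(base + m.start(), m.group()[:-1].decode("ascii"))
            for m in IDENT_RE.finditer(bytes(data))]


if __name__ == "__main__":
    base, data = parse_hexdump(SAMPLE_DUMP)
    print(find_chunks(data, base), extract_strings(data, base))
```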
// Addendum
Main tasks:
1. Analyse the compiled data structures of the various object types (mainly window, structure, menu, function and userobject: for example where a function's variables live, the variable types, the access type, the return type, and so on).
2. From the object point of view: everything in PB is an object, except structure, which keeps the C convention, and function, which also follows the C function convention; all the other kinds can be treated as objects. Every object has a few elements: a. its name is a new type; b. a property area (shared and instance); c. functions (external and local) and events; d. controls, e.g. the child controls placed inside a tab; e. local structures.
3. Points to analyse: a. the framework (layout) in which each object type stores its compiled data; b. variable declarations and initial values; c. string and numeric literals; d. assignment; e. mixed expressions; f. function and event calls; g. special syntax such as if, for, while, try...catch and throws; h. embedded SQL syntax and variable binding.