Sharing a small tool I wrote years ago. I have used it ever since and find it very handy, so I recommend it to everyone.
Questions are welcome.
1. You are tracing a stretch of code in some protector (packer) in OD, and it looks familiar, as if you have seen it somewhere before, probably some API. ---- That is when you use 【fosomAPI速查】 (API quick lookup) to find that API fast.
2. You are hooking by hand in OD: after a long jmp you write a small Call in assembly, you need an API, but the IAT has been destroyed. --- That is when you use 【fosomAPI速查】 to look up the API, copy the machine code straight into OD, and you are done.
3. For any DLL, check its EAT and view the disassembly of a given exported function. --- That is when you use 【fosomAPI速查】.
4. Given a few bytes of machine code, view the corresponding assembly.
5. Given a Call's target address, quickly look up the API name, or the reverse.
API速查.rar.
Code: first character after #
A: Direct Address.
C: Reg field in ModRm specifies Control register.
D: Reg field in ModRm specifies Debug register.
E: General purpose register or memory address specified in the ModRM byte.
F: EFlags register
G: Reg field in ModRM specifies a general register
H: Signed immediate data
I: Immediate data
J: Relative jump Offset
M: memory address specified in the ModRM byte.
O: Relative Offset Word or DWord
P: Reg field in ModRM specifies a MMX register
Q: MMX register or memory address specified in the ModRM byte.
R: general purpose register specified in the ModRM byte.
S: Reg field in ModRM specifies a Segment register
T: Reg field in ModRM specifies a MMX register
P: Seg prefix override.
Second character after #
a: two Word or two DWord, only used by BOUND
b: Byte.
c: Byte or word
d: DWord
p: 32 or 16 bit pointer
q: QWord
s: 6Byte
v: Word or DWord
w: Word
t: Tera byte
Third character after #
j: jump Operand (Relative or absolute)
First character after @
e: used by register (@eax, @esp ..) return e with the character following when
operand size = 4 otherwise only the following character.
g: Group, return the group instruction specified by OperandType
and the reg field of the ModRM byte.
h: Operand for group, return operands for the group instruction specified
by OperandType and the reg field of the ModRM byte.
m: Must have size, Size indicator always set.
o: Operand size, returns the name (bwdq) of the number following, divided
by two when operand size <> 4.
p: Seg prefix override. Sets the prefix to the following character + 's'
s: Size override (address or operand).
followed by o: operand size override
followed by a: address size override
First character after %
c: Use the opcode instead in addition to the assembler instruction
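To show how the notation above is consumed by a decoder, here is an added Python example. It is written for this page and is not code from 【fosomAPI速查】 or its released source. It assumes a '#' descriptor is one uppercase addressing letter, one lowercase size letter and an optional third letter (the page lists the letters but not the exact token shape), and that the operand-size attribute is 2 (16-bit) or 4 (32-bit); the sample descriptors at the bottom are constructed, not taken from any real table.

```python
# Added example for this page: decoder for the '#', '@e' and '@o' notation
# listed above. Not code from fosomAPI速查. The token grammar and the
# operand-size values 2/4 are assumptions.
from typing import Optional

# First character after '#': how the operand is addressed.
# The page lists 'P' twice; the first meaning (MMX register) is kept here.
ADDRESSING = {
    "A": "direct address", "C": "control register (ModRM.reg)",
    "D": "debug register (ModRM.reg)", "E": "general register or memory (ModRM)",
    "F": "EFLAGS register", "G": "general register (ModRM.reg)",
    "H": "signed immediate", "I": "immediate", "J": "relative jump offset",
    "M": "memory address (ModRM)", "O": "relative offset, word or dword",
    "P": "MMX register (ModRM.reg)", "Q": "MMX register or memory (ModRM)",
    "R": "general register (ModRM)", "S": "segment register (ModRM.reg)",
    "T": "MMX register (ModRM.reg)",
}

# Second character after '#': operand size.
SIZE = {
    "a": "two words or two dwords (BOUND only)", "b": "byte", "c": "byte or word",
    "d": "dword", "p": "32- or 16-bit pointer", "q": "qword", "s": "6 bytes",
    "v": "word or dword", "w": "word", "t": "tera byte (as listed on the page)",
}

# Third character after '#'.
EXTRA = {"j": "jump operand (relative or absolute)"}


def decode_operand(token: str) -> dict:
    """Split one '#' descriptor such as '#Ev' or '#Jvj' into its parts."""
    if len(token) < 3 or token[0] != "#":
        raise ValueError(f"not a '#' operand descriptor: {token!r}")
    method, size, rest = token[1], token[2], token[3:]
    if method not in ADDRESSING:
        raise ValueError(f"unknown addressing letter {method!r} in {token!r}")
    if size not in SIZE:
        raise ValueError(f"unknown size letter {size!r} in {token!r}")
    if len(rest) > 1 or (rest and rest not in EXTRA):
        raise ValueError(f"unknown third character {rest!r} in {token!r}")
    return {"token": token, "method": ADDRESSING[method],
            "size": SIZE[size], "jump": rest == "j"}


def resolve_size(size_letter: str, operand_size: int) -> Optional[int]:
    """Byte width of a size letter once the operand-size attribute (2 or 4)
    is known. Letters the page leaves context-dependent ('c', 'p', 't')
    return None rather than a guess."""
    if operand_size not in (2, 4):
        raise ValueError("operand_size must be 2 or 4")
    fixed = {"b": 1, "w": 2, "d": 4, "q": 8, "s": 6}
    if size_letter in fixed:
        return fixed[size_letter]
    if size_letter == "v":          # word or dword: follows the operand size
        return operand_size
    if size_letter == "a":          # BOUND: two words or two dwords
        return 2 * operand_size
    if size_letter in SIZE:
        return None
    raise ValueError(f"unknown size letter {size_letter!r}")


def register_name(token: str, operand_size: int) -> str:
    """'@e' rule: '@eax' -> 'eax' at operand size 4, 'ax' otherwise."""
    if not token.startswith("@e") or len(token) < 3:
        raise ValueError(f"not an '@e' register token: {token!r}")
    rest = token[2:]
    return "e" + rest if operand_size == 4 else rest


def size_suffix(token: str, operand_size: int) -> str:
    """'@o' rule: name (b/w/d/q) of the byte count that follows, halved when
    the operand size is not 4. '@o4' -> 'd' at size 4, 'w' at size 2."""
    if not token.startswith("@o") or not token[2:].isdigit():
        raise ValueError(f"not an '@o' size token: {token!r}")
    count = int(token[2:])
    if operand_size != 4:
        count //= 2
    names = {1: "b", 2: "w", 4: "d", 8: "q"}
    if count not in names:
        raise ValueError(f"no size name for {count} bytes")
    return names[count]


def describe(tokens, operand_size: int) -> list:
    """One readable line per descriptor at the given operand size."""
    out = []
    for tok in tokens:
        d = decode_operand(tok)
        width = resolve_size(tok[2], operand_size)
        w = f"{width} byte(s)" if width is not None else "width depends on context"
        tag = ", jump target" if d["jump"] else ""
        out.append(f"{tok}: {d['method']}, {d['size']} ({w}){tag}")
    return out


if __name__ == "__main__":
    # Constructed sample descriptors, not taken from any real opcode table.
    for line in describe(["#Gv", "#Ev", "#Ib", "#Jvj", "#Ma"], 4):
        print(line)
    print(register_name("@eax", 4), register_name("@eax", 2))
    print(size_suffix("@o4", 4), size_suffix("@o4", 2))
```

Running the block prints one line per descriptor at 32-bit operand size, then `eax ax` and `d w`, showing how the same table entry names a different register and size suffix once the operand-size attribute changes.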
Releasing the source code today; there is no point in keeping it to myself.
http://pan.baidu.com/share/link?shareid=3624365833&uk=3895584076