For a program that uses the Win32 SDK directly, without any third-party library, locating the "key code" is not hard: a breakpoint on CreateWindow or DialogBoxParam gives you the window procedure or dialog procedure of the main UI straight away. For a program built on MFC, however, the window or dialog procedure you find belongs to the framework MFC supplies; a message passes through layer after layer of dispatching and filtering before it finally reaches user code, which makes direct analysis tedious.
Fortunately there is an OllyDbg script that finds functions such as OnOK() for you. The approach it uses is built on a thorough understanding of MFC's internals: it places conditional breakpoints in the message-dispatch code.
The method I am about to describe, however, is to some extent even handier than that script, because it lands you on the code you are interested in in one step. Better still, it generalises: once you understand the idea behind it, you can extend it into a very powerful technique of your own that works not only for MFC but for other application frameworks as well.
I will not explain how I arrived at the method; I will just give two examples. If you follow the examples, the idea behind them will be clear. And it is very simple.
I'll use MFC42 as the example. Open VC6, create an MFC dialog application with the default settings, and put this line at the start of the OK button's handler, OnOK():
```cpp
__asm int 3
```
Then build the Release configuration.
Now debug the program in OD (OllyDbg). Do not ignore the int3 exception; press F9 to run and click "OK". OD breaks immediately.
Most OD installations now carry the StrongOD plugin, and the same exception setting has to be made in StrongOD's options as well.
Look at the stack:
```
0012F8C0 73D323EB RETURN to mfc42.73D323EB
0012F8C4 73DCF07C offset mfc42.#CDialog::messageMap_4234
```
Go to mfc42.73D323EB and have a look:
```
73D323E5 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
73D323E8 FF55 14 call dword ptr ss:[ebp+0x14] ; this is the CALL into the user's handler
73D323EB EB 7F jmp short mfc42.73D3246C ; this is the mfc42.73D323EB seen on the stack
```
The target of the `CALL [EBP+14]` at 73D323E8, the instruction just before 73D323EB, is our OnOK(). Remember this address.
Press Alt+E to open the module list and double-click the MFC42.dll row; that takes you to the .text section of MFC42.DLL. Now press Ctrl+F, type CALL [EBP+0X14], and press Enter. The search results are as follows:
```
73D323BA FF55 14 call dword ptr ss:[ebp+0x14] ; result 1
73D323BD E9 A8000000 jmp mfc42.73D3246A
73D323C2 8B45 18 mov eax,dword ptr ss:[ebp+0x18]
73D323C5 FF30 push dword ptr ds:[eax] ; RevOnOK.00401676
73D323C7 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
73D323CA FF70 04 push dword ptr ds:[eax+0x4] ; RevOnOK.00401170
73D323CD FF55 14 call dword ptr ss:[ebp+0x14] ; result 2
73D323D0 E9 97000000 jmp mfc42.73D3246C
73D323D5 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
73D323D8 FF55 14 call dword ptr ss:[ebp+0x14] ; result 3
73D323DB E9 8A000000 jmp mfc42.73D3246A
73D323E0 FF75 0C push dword ptr ss:[ebp+0xC]
73D323E3 EB 45 jmp short mfc42.73D3242A
73D323E5 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
73D323E8 FF55 14 call dword ptr ss:[ebp+0x14] ; result 4
73D323EB EB 7F jmp short mfc42.73D3246C
73D323ED FF75 0C push dword ptr ss:[ebp+0xC]
73D323F0 EB 2D jmp short mfc42.73D3241F
73D323F2 8B45 18 mov eax,dword ptr ss:[ebp+0x18]
73D323F5 FF30 push dword ptr ds:[eax] ; RevOnOK.00401676
73D323F7 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
73D323FA FF70 04 push dword ptr ds:[eax+0x4] ; RevOnOK.00401170
73D323FD FF75 0C push dword ptr ss:[ebp+0xC]
73D32400 FF55 14 call dword ptr ss:[ebp+0x14] ; result 5
```
Now let's see the method in use.
Pick any MFC42 CrackMe and load it in OD. If it is packed, ignore that and simply press F9. Then press Alt+E, double-click MFC42.DLL, press Ctrl+F, type CALL [EBP+14], and set a breakpoint (F2) at the first address found.
Click the CrackMe's OK button and OD breaks. Press F2 to remove the breakpoint, then F7.
You are now in the button's handler and can begin the analysis.
If you followed my procedure, you should also understand the idea behind it.
The signature for MFC42.DLL is the instruction CALL [EBP+14].
Incidentally, the handlers of all button controls, OnXXXClick(), pass through here. So do the OnChange() handler of edit controls, the messages of many other controls such as CheckBox messages, and even OnClose(). Why? Because MFC's message dispatch classifies handlers by their parameter-type signature. If that is not clear, don't worry about it; just remember the method.
The method also applies to every other kind of MFC program, such as MFC71D or MFC90U, to statically linked MFC, and even to Delphi programs: once you understand the principle, the steps are much the same. Finding each one's "signature" is left to you.
Verification
Put the following code in OnOK:
```cpp
::SetWindowText(GetDlgItem(IDC_EDIT_TEST)->m_hWnd,"Test");
```
As described above, set breakpoints at the following locations in mfc42.dll:
```
73D323BA mfc42 Always call dword ptr ss:[ebp+0x14]
73D323CD mfc42 Always call dword ptr ss:[ebp+0x14]
73D323D8 mfc42 Always call dword ptr ss:[ebp+0x14]
73D323E8 mfc42 Always call dword ptr ss:[ebp+0x14]
73D32400 mfc42 Always call dword ptr ss:[ebp+0x14]
```
Press F9 and click the OK button; it breaks here:
```
73D323E8 FF55 14 call dword ptr ss:[ebp+0x14] ; result 4
```
Press F7 to arrive at the OnOK handler:
```
00401480 . 68 20 30 40 0>ascii "h 0@",0
00401485 . 68 E8030000 push 0x3E8
0040148A . E8 29020000 call <jmp.&MFC42.#CWnd::GetDlgItem_3092>
0040148F . 8B40 20 mov eax,dword ptr ds:[eax+0x20] ; |RevOnOK.0040157A
00401492 . 50 push eax ; |hWnd = 00402428
00401493 . FF15 D0214000 call dword ptr ds:[<&USER32.SetWindowTextA>] ; \SetWindowTextA
00401499 . C3 retn
```
I also tried to verify this under VS2005, and there it does not apply, so that is as far as it goes!!!
An application's algorithm (IDA decompilation)
Resource ID (1)
```
MENUITEM "导出数据(&E)", 32783
```
This is a menu item, with ID 32783 (0x800F in hex).
In IDA, search for the immediate value with "Find all occurrences" checked.
Double-click the search result and scroll up to the data that references it.
Following the method from the CSDN post “使用IDA定位基于MFC的CrackMe的按钮函数-----实践篇(一)” (Using IDA to locate the button handlers of an MFC-based CrackMe, practice part 1), right-click in Local Types and insert the following AFX_MSGMAP_ENTRY and AFX_MSGMAP structures:
```c
struct AFX_MSGMAP_ENTRY
{
UINT nMessage;
UINT nCode;
UINT nID;
UINT nLastID;
UINT_PTR nSig;
void (*pfn)(void);
};
struct AFX_MSGMAP
{
const AFX_MSGMAP *(__stdcall *pfnGetBaseMap)();
const AFX_MSGMAP_ENTRY *lpEntries;
};
```
Right-click and synchronize to the idb.
Then press Alt+Q and apply AFX_MSGMAP and AFX_MSGMAP_ENTRY at the corresponding locations.
Message map table:
The button handler is sub_415560; go into it and press F5:
```c
int __thiscall sub_415560(_DWORD *this)
{
sub_413010(this);
return AfxMessageBox(0x5B9Bu, 0, 0xFFFFFFFF);
}
```
So the final handler is sub_413010:
int __thiscall sub_413010(_DWORD *this)
{
_DWORD *v1; // edi@1
float v2; // esi@1
int v3; // ebx@1
const char *filename; // eax@2
FILE *fd; // ebp@2
int v6; // eax@4
double v7; // ST10_8@4
const char *v8; // eax@4
const char *v9; // eax@8
FILE *v10; // eax@8
float v11; // ebp@9
signed int v12; // esi@10
const char *v13; // eax@12
char v15; // [sp+40h] [bp-54h]@1
float v16; // [sp+44h] [bp-50h]@3
char v17; // [sp+48h] [bp-4Ch]@1
char v18; // [sp+4Ch] [bp-48h]@1
FILE *File; // [sp+50h] [bp-44h]@4
int v20; // [sp+90h] [bp-4h]@1
v1 = this;
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v18);
v2 = 0.0;
v20 = 0;
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v15);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v17);
v3 = v1[5602];
LOBYTE(v20) = 2;
if ( v1[5335] )
{
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(&v18, "%s_%d.txt", v1 + 5617, v1[5329]);
filename = (const char *)ATL::CSimpleStringT<char,1>::operator char const *(&v18);
fd = fopen(filename, "wt");
if ( fd )
{
v16 = 0.0;
if ( v3 > 0 )
{
do
{
ATL::CSimpleStringT<char,1>::Empty(&v15);
v6 = v1[5335];
v7 = *(double *)(v6 + 8 * LODWORD(v2));
*(float *)&File = 1000000.0 / *(double *)(v6 + 8 * v3 + 8) * (double)SLODWORD(v16)
+ (double)(signed int)v1[5599];
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(&v15, "%-8.1f %-8.3f \n", File, v7);
v8 = (const char *)ATL::CSimpleStringT<char,1>::operator char const *(&v15);
fprintf(fd, v8);
++LODWORD(v2);
v16 = v2;
}
while ( SLODWORD(v2) < v3 );
}
fclose(fd);
}
}
else if ( !v1[190] )
{
if ( v1[5334] )
{
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(&v18, "%s.txt", v1 + 5617);
v9 = (const char *)ATL::CSimpleStringT<char,1>::operator char const *(&v18);
*(float *)&v10 = COERCE_FLOAT(fopen(v9, "wt"));
File = v10;
if ( *(float *)&v10 != 0.0 )
{
v11 = 0.0;
v16 = 0.0;
if ( v3 > 0 )
{
do
{
ATL::CSimpleStringT<char,1>::Empty(&v15);
v16 = 1000000.0 / (double)*(signed int *)(*(_DWORD *)v1[5334] + 4 * v3 + 4) * (double)SLODWORD(v16)
+ (double)(signed int)v1[5599];
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(&v17, "%-8.1f", v16);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::operator+=(&v15, &v17);
v12 = 0;
do
{
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(
&v17,
"%-8d",
*(_DWORD *)(*(_DWORD *)(v1[5334] + v12) + 4 * LODWORD(v11)));
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::operator+=(&v15, &v17);
v12 += 4;
}
while ( v12 < 24 );
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::operator+=(&v15, &unk_447A00);
v13 = (const char *)ATL::CSimpleStringT<char,1>::operator char const *(&v15);
fprintf(File, v13);
++LODWORD(v11);
v16 = v11;
}
while ( SLODWORD(v11) < v3 );
v10 = File;
}
fclose(v10);
}
}
}
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v17);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v15);
return ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v18);
}
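As an added illustration (not code from the post, nor MFC's own), the C program below models the AFX_MSGMAP chain that the IDA procedure above walks by hand, and the signature-keyed dispatch that is the reason every control's handler arrives through the same CALL [EBP+14] in MFC42.DLL. The two structures mirror the ones inserted into Local Types; the command IDs 32783 and 1363 are the ones from the post, while the handlers, the base-class map, the range entry and the reduced AfxSig enum are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define WM_COMMAND 0x0111u
#define CN_COMMAND 0u
/* Only three AfxSig codes are modelled here; MFC's enum has many more. */
enum { AfxSig_end = 0, AfxSig_vv = 1, AfxSig_vw = 2 };
typedef void (*AFX_PMSG)(void);
struct AFX_MSGMAP_ENTRY {                 /* same layout as the struct added in Local Types */
    unsigned nMessage, nCode, nID, nLastID;
    uintptr_t nSig;
    AFX_PMSG pfn;
};
struct AFX_MSGMAP {
    const struct AFX_MSGMAP *(*pfnGetBaseMap)(void);
    const struct AFX_MSGMAP_ENTRY *lpEntries;
};
/* Constructed handlers: each only records which one ran. */
static int g_ran = -1;
static void on_ok(void)           { g_ran = 1; }       /* IDOK, lives in the base map */
static void on_export(void)       { g_ran = 32783; }   /* the menu item from the post */
static void on_browse(void)       { g_ran = 1363; }    /* the push button from the post */
static void on_range(unsigned id) { g_ran = (int)id; } /* ON_COMMAND_RANGE style, AfxSig_vw */
static const struct AFX_MSGMAP_ENTRY base_entries[] = {
    { WM_COMMAND, CN_COMMAND, 1, 1, AfxSig_vv, (AFX_PMSG)on_ok },
    { 0, 0, 0, 0, AfxSig_end, NULL },                  /* terminator, as in MFC */
};
static const struct AFX_MSGMAP base_map = { NULL, base_entries };
static const struct AFX_MSGMAP *base_get_map(void) { return &base_map; }
static const struct AFX_MSGMAP_ENTRY dlg_entries[] = {
    { WM_COMMAND, CN_COMMAND, 32783, 32783, AfxSig_vv, (AFX_PMSG)on_export },
    { WM_COMMAND, CN_COMMAND, 1363,  1363,  AfxSig_vv, (AFX_PMSG)on_browse },
    { WM_COMMAND, CN_COMMAND, 40001, 40010, AfxSig_vw, (AFX_PMSG)on_range },
    { 0, 0, 0, 0, AfxSig_end, NULL },
};
static const struct AFX_MSGMAP dlg_map = { base_get_map, dlg_entries };
/* Walk this class's map, then each base class's, until an entry covers the ID. */
const struct AFX_MSGMAP_ENTRY *find_command_entry(const struct AFX_MSGMAP *map, unsigned id) {
    for (; map != NULL; map = map->pfnGetBaseMap ? map->pfnGetBaseMap() : NULL)
        for (const struct AFX_MSGMAP_ENTRY *e = map->lpEntries; e->nSig != AfxSig_end; e++)
            if (e->nMessage == WM_COMMAND && e->nCode == CN_COMMAND &&
                id >= e->nID && id <= e->nLastID)
                return e;
    return NULL;
}
/* One indirect call per signature: every AfxSig_vv handler, whatever control it
 * belongs to, is reached through the same call site. Returns the marker or -1. */
int dispatch_command(const struct AFX_MSGMAP *map, unsigned id) {
    const struct AFX_MSGMAP_ENTRY *e = find_command_entry(map, id);
    g_ran = -1;
    if (e == NULL) return -1;
    switch (e->nSig) {
    case AfxSig_vv: ((void (*)(void))e->pfn)();       break;
    case AfxSig_vw: ((void (*)(unsigned))e->pfn)(id); break;
    default:        return -1;
    }
    return g_ran;
}
int main(void) {
    printf("32783->%d 1363->%d 1->%d 40005->%d 9999->%d\n",
           dispatch_command(&dlg_map, 32783), dispatch_command(&dlg_map, 1363),
           dispatch_command(&dlg_map, 1), dispatch_command(&dlg_map, 40005),
           dispatch_command(&dlg_map, 9999));
    return 0;
}
```

Searching the binary for the immediate 32783 finds the nID field of the matching entry; the pfn field six dwords later is the handler, which is exactly what the Alt+Q struct application makes IDA display.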
Resource ID (2)
Dialog: 102:052
```
CONTROL "浏览工程文件", 1363, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 68, 1, 60, 21 , 0x00000200
```
This is a push button, with ID 1363 (0x0553 in hex).
In IDA, search for the immediate value with "Find all occurrences" checked.
This leads to the code that opens the file dialog:
```c
if ( CFileDialog::DoModal((CFileDialog *)&v32) == 1 )
{
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v20);
LOBYTE(v33) = 3;
v5 = CFileDialog::GetPathName(&v32, &v21);
LOBYTE(v33) = 4;
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::operator=(&v20, v5);
LOBYTE(v33) = 3;
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v21);
v19 = v6;
v21 = &v19;
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(
&v19,
&v20);
sub_408040((char)v19);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::LoadStringA(&v23, 22431);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v22);
LOBYTE(v33) = 5;
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(&v22, "%s", v20);
v7 = ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::ReverseFind(&v22, 92);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Left(&v22, &v27, v7 + 1);
LOBYTE(v33) = 6;
v19 = (const char *)(ATL::CSimpleStringT<char,1>::GetLength(&v22) - v7 - 1);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Right(&v22, &v24, v19);
LOBYTE(v33) = 7;
v8 = ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::ReverseFind(&v24, 46);
```
Note the function call in there:
```c
sub_408040((void *)v1, (char)v18);
```
Stepping into it shows that it is indeed relevant:
void __thiscall sub_408040(void *this, char a2)
{
char v2; // bl@1
const char *v3; // eax@1
FILE *v4; // eax@1
FILE *v5; // ebp@1
int v6; // esi@4
int v7; // eax@4
int v8; // eax@4
int v9; // eax@4
int v10; // eax@4
const char *v11; // eax@4
FILE *v12; // esi@4
int v13; // ecx@5
signed int v14; // eax@5
char v15; // dl@6
int v16; // [sp-14h] [bp-1A8h]@8
int v17; // [sp-10h] [bp-1A4h]@8
int v18; // [sp-Ch] [bp-1A0h]@8
int v19; // [sp-8h] [bp-19Ch]@8
const char *v20; // [sp-4h] [bp-198h]@4
char v21; // [sp+14h] [bp-180h]@13
unsigned __int8 v22; // [sp+15h] [bp-17Fh]@5
unsigned __int8 v23; // [sp+16h] [bp-17Eh]@5
unsigned __int8 v24; // [sp+17h] [bp-17Dh]@5
char v25; // [sp+18h] [bp-17Ch]@4
char v26; // [sp+1Ch] [bp-178h]@4
__int16 v27; // [sp+20h] [bp-174h]@3
char v28; // [sp+24h] [bp-170h]@4
int v29; // [sp+28h] [bp-16Ch]@5
char v30; // [sp+2Dh] [bp-167h]@5
char v31; // [sp+2Eh] [bp-166h]@3
char v32; // [sp+2Fh] [bp-165h]@3
__int16 v33[2]; // [sp+30h] [bp-164h]@5
unsigned __int16 v34; // [sp+34h] [bp-160h]@5
unsigned __int16 v35; // [sp+38h] [bp-15Ch]@5
int i; // [sp+3Ch] [bp-158h]@3
char v37[4]; // [sp+40h] [bp-154h]@5
char v38; // [sp+44h] [bp-150h]@4
void *v39; // [sp+48h] [bp-14Ch]@1
char v40; // [sp+4Ch] [bp-148h]@4
int v41; // [sp+50h] [bp-144h]@3
char v42; // [sp+54h] [bp-140h]@5
char v43; // [sp+58h] [bp-13Ch]@4
char v44; // [sp+5Ch] [bp-138h]@4
char v45; // [sp+60h] [bp-134h]@4
char v46; // [sp+64h] [bp-130h]@5
char v47; // [sp+68h] [bp-12Ch]@5
char v48[24]; // [sp+6Ch] [bp-128h]@6
char v49[24]; // [sp+84h] [bp-110h]@6
char v50[24]; // [sp+9Ch] [bp-F8h]@6
char v51[24]; // [sp+B4h] [bp-E0h]@6
char v52[24]; // [sp+CCh] [bp-C8h]@6
int v53; // [sp+E4h] [bp-B0h]@7
char v54; // [sp+E8h] [bp-ACh]@7
char v55[24]; // [sp+FCh] [bp-98h]@6
int v56; // [sp+114h] [bp-80h]@7
int v57; // [sp+118h] [bp-7Ch]@7
int v58; // [sp+11Ch] [bp-78h]@7
int v59; // [sp+120h] [bp-74h]@5
int v60; // [sp+124h] [bp-70h]@7
int v61; // [sp+128h] [bp-6Ch]@7
int v62; // [sp+12Ch] [bp-68h]@7
int v63; // [sp+130h] [bp-64h]@7
int v64; // [sp+134h] [bp-60h]@7
int v65; // [sp+138h] [bp-5Ch]@7
int v66; // [sp+13Ch] [bp-58h]@7
int v67; // [sp+140h] [bp-54h]@7
int v68; // [sp+144h] [bp-50h]@7
int v69; // [sp+148h] [bp-4Ch]@7
int v70; // [sp+14Ch] [bp-48h]@7
int v71; // [sp+150h] [bp-44h]@7
char v72; // [sp+154h] [bp-40h]@4
char v73[12]; // [sp+160h] [bp-34h]@5
char v74[12]; // [sp+16Ch] [bp-28h]@3
char DstBuf[12]; // [sp+178h] [bp-1Ch]@3
int v76; // [sp+190h] [bp-4h]@1
v39 = this;
v2 = 0;
v76 = 0;
v3 = (const char *)ATL::CSimpleStringT<char,1>::operator char const *(&a2);
v4 = fopen(v3, "rb");
v5 = v4;
if ( v4 )
{
fread(DstBuf, 1u, 0xCu, v4);
fread(v74, 1u, 0xCu, v5);
fread(&v41, 1u, 4u, v5);
fread(&v31, 1u, 1u, v5);
fread(&v27, 2u, 1u, v5);
fread(&v32, 1u, 1u, v5);
for ( i = 0; i < v27; ++i )
{
fread(&v72, 1u, 0xCu, v5);
v6 = ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::ReverseFind(&a2, 46);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(
&v38,
&unk_444E20);
LOBYTE(v76) = 1;
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Left(&a2, &v25, v6);
LOBYTE(v76) = 2;
v7 = sub_404F80((int)&v43, (int)&v25, (int)&v38);
LOBYTE(v76) = 3;
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::operator=(&v25, v7);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v43);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v28);
v20 = &v72;
LOBYTE(v76) = 4;
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(&v28, "%s", &v72);
v8 = sub_407870((int)&v45, (int)&v28, (int)".dat");
LOBYTE(v76) = 5;
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::operator=(&v28, v8);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v45);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v26);
v20 = &v72;
LOBYTE(v76) = 6;
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(&v26, "%s", &v72);
v9 = sub_407870((int)&v40, (int)&v26, (int)".mrt");
LOBYTE(v76) = 7;
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::operator=(&v26, v9);
LOBYTE(v76) = 6;
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v40);
v10 = sub_404F80((int)&v44, (int)&v25, (int)&v28);
v20 = "rb";
v11 = (const char *)ATL::CSimpleStringT<char,1>::operator char const *(v10);
v12 = fopen(v11, v20);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v44);
if ( v12 )
{
fread(v73, 1u, 0xCu, v12);
fread(&v34, 2u, 1u, v12);
fread(&v35, 2u, 1u, v12);
fread(&v30, 1u, 1u, v12);
fread(&v42, 2u, 1u, v12);
fread(&v46, 2u, 1u, v12);
fread(v33, 2u, 1u, v12);
fread(&v22, 1u, 1u, v12);
fread(&v23, 1u, 1u, v12);
fread(v37, 2u, 1u, v12);
fread(&v24, 1u, 1u, v12);
fread(&v47, 4u, 1u, v12);
v13 = v24;
v29 = v22;
v59 = 0;
v14 = 0;
do
{
v15 = DstBuf[v14];
v51[v14] = v2;
v55[v14] = v2;
v50[v14] = v2;
v48[v14] = v15;
v49[v14] = v73[v14];
v52[v14] = v74[v14];
++v14;
}
while ( v14 < 12 );
v53 = v41;
v57 = v34;
v56 = v35;
v54 = v2;
v60 = 1;
v61 = 5;
v62 = 20;
v63 = 45;
v64 = 80;
v65 = 125;
v66 = 180;
v67 = 250;
v68 = 320;
v69 = 405;
v70 = 500;
v71 = 100;
v55[0] = (v22 != 1) + 49;
v58 = 10000 / (unsigned __int16)v33[0];
if ( v13 == 1 )
{
v20 = (const char *)v29;
v19 = v23;
v18 = *(_DWORD *)v37;
v17 = 1;
v16 = *(_DWORD *)v37;
v29 = (int)&v16;
sub_404F80((int)&v16, (int)&v25, (int)&v26);
sub_406E80(v33[0], v48, v12, v16, v17, v18, v19, (int)v20);
}
else
{
v20 = (const char *)v29;
v19 = v23;
v18 = *(_DWORD *)v37;
v17 = v13;
v16 = v13;
v29 = (int)&v16;
sub_404F80((int)&v16, (int)&v25, (int)&v26);
sub_407390(v33[0], v48, v12, v16, v17, v18, v19, (int)v20);
}
v2 = 0;
}
fclose(v12);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v26);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v28);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v25);
LOBYTE(v76) = v2;
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v38);
}
fclose(v5);
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&a2);
}
else
{
ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&a2);
}
sub_440204(v21);
}
Finally, the code we are after should by rights be in `sub_407390`, but I was not able to find it there:
int __stdcall sub_407390(__int16 a1, void *a2, FILE *File, char a4, int a5, __int16 a6, int a7, int a8)
{
const char *v8; // eax@1
FILE *v9; // eax@1
FILE *v10; // ebx@1
void (__cdecl *v11)(const void *, size_t, size_t, FILE *); // ebp@2
int v12; // esi@2
int v13; // ebp@4
int v14; // edi@5
int v15; // esi@6
int v16; // ecx@7
__int16 v17; // ax@9
double v18; // st5@10
int v19; // eax@10
signed int v20; // ecx@12
int v21; // eax@12
int v22; // ebx@18
int v23; // esi@19
int v24; // ecx@20
__int16 v25; // ax@22
__int16 v26; // di@22
double v27; // st5@23
int v28; // eax@23
double v29; // st5@25
int v30; // eax@25
double v31; // st5@27
int v32; // eax@27
signed int v33; // ecx@29
int v34; // eax@29
int v35; // esi@39
char Str; // [sp+Bh] [bp-203Dh]@2
int v38; // [sp+Ch] [bp-203Ch]@2
int v39; // [sp+10h] [bp-2038h]@4
int v40; // [sp+14h] [bp-2034h]@10
int v41; // [sp+18h] [bp-2030h]@23
int v42; // [sp+1Ch] [bp-202Ch]@2
int DstBuf; // [sp+20h] [bp-2028h]@2
int v44; // [sp+24h] [bp-2024h]@2
int v45; // [sp+28h] [bp-2020h]@2
int v46; // [sp+2Ch] [bp-201Ch]@2
int v47; // [sp+30h] [bp-2018h]@2
FILE *v48; // [sp+34h] [bp-2014h]@1
int v49; // [sp+38h] [bp-2010h]@18
int v50; // [sp+3Ch] [bp-200Ch]@2
int v51; // [sp+40h] [bp-2008h]@3
int v52; // [sp+44h] [bp-2004h]@2
int v53; // [sp+48h] [bp-2000h]@17
int v54; // [sp+4Ch] [bp-1FFCh]@17
char v55; // [sp+50h] [bp-1FF8h]@17
int v56; // [sp+54h] [bp-1FF4h]@17
int v57; // [sp+64h] [bp-1FE4h]@4
int v58[1016]; // [sp+68h] [bp-1FE0h]@14
int v59; // [sp+1048h] [bp-1000h]@34
int v60; // [sp+104Ch] [bp-FFCh]@34
char v61; // [sp+1050h] [bp-FF8h]@34
int v62; // [sp+1054h] [bp-FF4h]@34
int v63; // [sp+1064h] [bp-FE4h]@4
int v64[1016]; // [sp+1068h] [bp-FE0h]@31
v8 = (const char *)ATL::CSimpleStringT<char,1>::operator char const *(&a4);
v9 = fopen(v8, "wb");
v10 = v9;
v48 = v9;
if ( !v9 )
goto LABEL_41;
v11 = (void (__cdecl *)(const void *, size_t, size_t, FILE *))fwrite;
Str = 77;
fwrite(&Str, 1u, 1u, v9);
Str = 71;
fwrite(&Str, 1u, 1u, v10);
Str = 53;
fwrite(&Str, 1u, 1u, v10);
Str = 49;
fwrite(&Str, 1u, 1u, v10);
v52 = 123;
Str = 48;
fwrite(&Str, 1u, 4u, v10);
fwrite(&v52, 4u, 1u, v10);
fwrite(a2, 0xE8u, 1u, v10);
fwrite(&Str, 1u, 0x10Cu, v10);
v12 = a6 / 2;
v46 = a6 / 2;
DstBuf = 0;
v38 = 0;
v47 = 0;
v45 = 0;
v42 = 0;
v44 = 0;
v50 = 0;
if ( a7 <= 0 )
goto LABEL_38;
v51 = a7;
do
{
memset(&v63, 0, 0xFA0u);
v13 = 0;
memset(&v57, 0, 0xFA0u);
v39 = 0;
if ( a8 == 1 )
{
v14 = 0;
if ( v12 > 0 )
{
do
{
v15 = 2 * v13;
fread(&DstBuf, 2u, 1u, File);
fread(&v38, 2u, 1u, File);
if ( v13 )
{
v16 = v44;
}
else
{
v16 = (signed __int16)DstBuf;
v44 = (signed __int16)DstBuf;
}
v38 -= v16;
v17 = DstBuf - v16;
DstBuf -= v16;
if ( v15 < 999 )
{
v40 = v17;
v18 = (double)v17 / 2828.0 * 4194304.0;
v19 = abs((signed int)v18);
if ( v14 <= v19 )
{
v14 = v19;
v39 = 2 * v13;
}
v40 = (signed __int16)v38;
*(&v57 + 2 * v13) = (signed int)v18;
v20 = (signed int)(4194304.0 * ((double)v40 / 2828.0));
v21 = abs(v20);
if ( v14 <= v21 )
{
v14 = v21;
v39 = v15 + 1;
}
v58[2 * v13] = v20;
}
++v13;
}
while ( v13 < v46 );
v12 = v46;
v10 = v48;
}
v53 = v14;
v54 = v39;
v56 = a1;
v55 = 1;
fwrite(&v53, 0x1000u, 1u, v10);
++v42;
}
else
{
v22 = 0;
v49 = 0;
v40 = 0;
if ( v12 > 0 )
{
do
{
v23 = 2 * v39;
fread(&DstBuf, 2u, 1u, File);
fread(&v38, 2u, 1u, File);
fread(&v47, 2u, 1u, File);
fread(&v45, 2u, 1u, File);
if ( v39 )
{
v24 = v44;
}
else
{
v24 = (signed __int16)DstBuf;
v44 = (signed __int16)DstBuf;
v50 = (signed __int16)v47;
}
v38 -= v24;
v25 = DstBuf - v24;
v45 -= v50;
v26 = v47 - v50;
DstBuf -= v24;
v47 -= v50;
if ( v23 < 999 )
{
v41 = v25;
v27 = (double)v25 / 2828.0 * 4194304.0;
v28 = abs((signed int)v27);
if ( v22 <= v28 )
{
v22 = v28;
v49 = v23;
}
*(&v57 + v23) = (signed int)v27;
v41 = (signed __int16)v38;
v29 = (double)(signed __int16)v38 / 2828.0 * 4194304.0;
v30 = abs((signed int)v29);
if ( v22 <= v30 )
{
v22 = v30;
v49 = v23 + 1;
}
v41 = v26;
v58[v23] = (signed int)v29;
v31 = (double)v41 / 2828.0 * 4194304.0;
v32 = abs((signed int)v31);
if ( v13 <= v32 )
{
v13 = v32;
v40 = v23;
}
*(&v63 + v23) = (signed int)v31;
v41 = (signed __int16)v45;
v33 = (signed int)(4194304.0 * ((double)(signed __int16)v45 / 2828.0));
v34 = abs(v33);
if ( v13 <= v34 )
{
v13 = v34;
v40 = v23 + 1;
}
v64[v23] = v33;
}
++v39;
}
while ( v39 < v46 );
v12 = v46;
}
v53 = v22;
v10 = v48;
v54 = v49;
v59 = v13;
v60 = v40;
v56 = a1;
v62 = a1;
v55 = 1;
v61 = 1;
fwrite(&v53, 0x1000u, 1u, v48);
fwrite(&v59, 0x1000u, 1u, v10);
v42 += 2;
}
--v51;
}
while ( v51 );
if ( v42 < 6 )
{
v11 = (void (__cdecl *)(const void *, size_t, size_t, FILE *))fwrite;
LABEL_38:
memset(&v57, 0, 0xFA0u);
if ( 6 - v42 > 0 )
{
v35 = 6 - v42;
do
{
v53 = 0;
v54 = 0;
v56 = a1;
v55 = 0;
v11(&v53, 0x1000u, 1u, v10);
--v35;
}
while ( v35 );
}
}
LABEL_41:
fclose(v10);
return ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&a4);
}