0:013> g
(abc.424): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01464545 ebx=0000000a ecx=0000d0d0 edx=00000000 esi=01470000 edi=0146ad66
eip=77d1aa0e esp=0146ad24 ebp=0146ad70 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll - 
USER32!wvsprintfW+0x3d:
77d1aa0e 668906          mov     word ptr [esi],ax        ds:0023:01470000=????

0:013> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0146ad70 77d1a9ca 0146f94c 0146fb54 0146ad94 USER32!wvsprintfW+0x3d
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\dwrcs\DWRCS.EXE - 
0146ad84 00423909 0146f94c 0146fb54 0146b0d8 USER32!wsprintfW+0x14
0146ad88 0146f94c 0146fb54 0146b0d8 04780058 DWRCS+0x23909
0146ad8c 0146fb54 0146b0d8 04780058 7c930208 0x146f94c
0146f94c 00200065 00650064 006b0073 006f0074 0x146fb54
0146f950 00650064 006b0073 006f0074 00200070 0x200065
0146fa8c f6faa501 81952e30 7ed2e5cc 1772a487 0x9d4a9af9
0146fa90 81952e30 7ed2e5cc 1772a487 7ac73d4e 0xf6faa501
0146fa94 7ed2e5cc 1772a487 7ac73d4e 830beb71 0x81952e30
0146fa98 1772a487 7ac73d4e 830beb71 70f31ef2 0x7ed2e5cc
0146fa9c 7ac73d4e 830beb71 70f31ef2 3df66aea 0x1772a487
0146faa0 830beb71 70f31ef2 3df66aea 2e8a87ac 0x7ac73d4e
0146faa4 70f31ef2 3df66aea 2e8a87ac 4e39a859 0x830beb71
0146faa8 3df66aea 2e8a87ac 4e39a859 dcdccb48 0x70f31ef2
0146faac 2e8a87ac 4e39a859 dcdccb48 657b2210 0x3df66aea
0146fab0 4e39a859 dcdccb48 657b2210 90903ab2 0x2e8a87ac
0146fab4 dcdccb48 657b2210 90903ab2 90909090 0x4e39a859
0146fab8 657b2210 90903ab2 90909090 90909090 0xdcdccb48
0146fabc 90903ab2 90909090 90909090 90909090 0x657b2210
0146fac0 90909090 90909090 90909090 90909090 0x90903ab2
0146fac4 90909090 90909090 90909090 90909090 0x90909090
0146fac8 90909090 90909090 90909090 90909090 0x90909090
0146facc 90909090 90909090 90909090 90909090 0x90909090

.text:0042385B loc_42385B:                             ; CODE XREF: sub_423570+12Fj
.text:0042385B                                         ; DATA XREF: .text:off_423F74_x0019_o
.text:0042385B                 push    430h            ; jumptable 0042369F case 40004
.text:00423860                 lea     ecx, [esp+51E0h+var_4EA4]
.text:00423867                 push    ecx             ; buf
.text:00423868                 mov     ecx, esi
.text:0042386A                 mov     [esp+51E4h+var_4EA8], eax
.text:00423871                 call    sub_40E0B0
.text:00423876                 test    eax, eax
.text:00423878                 jz      loc_423F0D
.text:0042387E                 cmp     dword_4AB6B0, ebx
.text:00423884                 jz      loc_423F1D
.text:0042388A                 cmp     ebp, ebx
.text:0042388C                 jz      loc_423ED2      ; jumptable 0042369F default case
.text:00423892                 push    206h            ; size_t
.text:00423897                 lea     eax, [esp+51E0h+var_626]
.text:0042389E                 xor     edx, edx
.text:004238A0                 push    ebx             ; int
.text:004238A1                 push    eax             ; void *
.text:004238A2                 mov     [esp+51E8h+String], dx
.text:004238AA                 call    _memset
.text:004238AF                 push    206h            ; size_t
.text:004238B4                 lea     edx, [esp+51ECh+var_41E]
.text:004238BB                 xor     ecx, ecx
.text:004238BD                 push    ebx             ; int
.text:004238BE                 push    edx             ; void *
.text:004238BF                 mov     [esp+51F4h+var_420], cx
.text:004238C7                 call    _memset
.text:004238CC                 mov     ecx, hModule
.text:004238D2                 add     esp, 18h
.text:004238D5                 push    104h
.text:004238DA                 lea     eax, [esp+51E0h+var_420]
.text:004238E1                 push    eax
.text:004238E2                 push    11h
.text:004238E4                 push    ecx
.text:004238E5                 call    off_4A2A24

0:013> bp 4238aa
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\dwrcs\DWRCS.EXE - 
0:013> bl
 0 e 004238aa     0001 (0001)  0:**** DWRCS+0x238aa
0:013> g
Breakpoint 0 hit
eax=0176f94e ebx=00000000 ecx=00161c88 edx=00000000 esi=01c73388 edi=009abdb0
eip=004238aa esp=0176ad8c ebp=009a4d90 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
DWRCS+0x238aa:
004238aa e801ea0300      call    DWRCS+0x622b0 (004622b0)

0:013> dd esp
0176ad8c  0176f94e 00000000 00000206 

0:013> p
eax=0176f94e ebx=00000000 ecx=00000000 edx=0176fb56 esi=01c73388 edi=009abdb0
eip=004238be esp=0176ad84 ebp=009a4d90 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
DWRCS+0x238be:
004238be 52              push    edx
0:013> p
eax=0176f94e ebx=00000000 ecx=00000000 edx=0176fb56 esi=01c73388 edi=009abdb0
eip=004238bf esp=0176ad80 ebp=009a4d90 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
DWRCS+0x238bf:
004238bf 66898c24d44d0000 mov     word ptr [esp+4DD4h],cx ss:0023:0176fb54=0000
0:013> p
eax=0176f94e ebx=00000000 ecx=00000000 edx=0176fb56 esi=01c73388 edi=009abdb0
eip=004238c7 esp=0176ad80 ebp=009a4d90 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
DWRCS+0x238c7:
004238c7 e8e4e90300      call    DWRCS+0x622b0 (004622b0)

0:013> dd esp
0176ad80  0176fb56 00000000 00000206 

.text:004238D5                 push    104h
.text:004238DA                 lea     eax, [esp+51E0h+var_420]
.text:004238E1                 push    eax
.text:004238E2                 push    11h
.text:004238E4                 push    ecx
.text:004238E5                 call    off_4A2A24

int sub_4599A1()
{
  sub_45A64A("user32.dll", (int)"LoadStringW", &off_4A2A24, dword_4B0AB4, (LONG)sub_45AAC9);
  return ((int (*)(void))off_4A2A24)();
}

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！