终于找到它了:
00472260 /$ 68 2C800000 push 0000802C //32812 菜单ID
00472265 |. B9 B0B35800 mov ecx, 0058B3B0
0047226A |. E8 21000000 call 00472290
0047226F \. C3 retn
............
整个程序里搜立即数 0000802C,只有这里一处命中。
在 0047226A 下 BP,F9 后程序还没跑起来就断下了。因为菜单资源在 DLL 中,应该是断在初始化时;程序运行起来以后,就不知道该怎样断它了。下面的代码是我跟了一个下午的结果,大部分看不懂,请大家帮我看看。(按:0047226A 这一处看起来只在启动时执行一次——00472270 处 push 00472280 / call 0051F2F0,而 0051F2F0 的 neg/sbb/neg/dec 返回 0 或 -1,是构造完全局对象 0058B3B0 后用 atexit 注册析构函数的常见套路。跟踪里 0041D936 把 ID 0000802C 写进了 [589BE0] 所指的全局表(+0 是 ID 数组、+8 是元素个数,0041D943 又把 0058B3B0 写进 +0C 处的并行指针表),之后程序多半是查这张表来找处理对象而不再 push 立即数,所以搜常量只命中这一处。想在运行后断下,可以对 0058B3B0/0058B3B4 或 0041D936 写入的那个表项下硬件访问断点,或者在 004CDCF0(查表时被调用的查找例程,从传参 begin/count/&value 看像 lower_bound)上断。)
00472290 /$ 8B4424 04 mov eax, [esp+4]
00472294 |. 56 push esi
00472295 |. 8BF1 mov esi, ecx
00472297 |. 50 push eax
00472298 |. E8 6312FCFF call 00433500
@@@@@@@@@@@@@@@@@@@@@@@@@
00433500 /$ 8B4424 04 mov eax, [esp+4] ; 堆栈 ss:[0012FF10]=0000802C eax=0000802c
00433504 |. 56 push esi ; esi=0058B3B0 (ImpDXF.0058B3B0)
00433505 |. 8BF1 mov esi, ecx ; ecx=0058B3B0 (ImpDXF.0058B3B0)
00433507 |. 50 push eax ; eax=0000802C
00433508 |. E8 F3A2FEFF call 0041D800
$$$$$$$$$$$$
0041D800 /$ 6A FF push -1 ; 本地调用来自 00404CE8, 00404D48, 00404DA8, 00404E08, 00404E68, 00404EC8, 00404F28, 00404F88, 00404FE8, 00405048, 00433508, 0043C818, 00456838, 00484038, 00493E38, 00494058, 004C2F68
0041D802 |. 68 EB1A5200 push 00521AEB ; 00521AEB=00521AEB (入口地址); SE 处理程序安装
0041D807 |. 64:A1 0000000>mov eax, fs:[0] ; fs:[00000000]=[7FFDF000]=0012FFB0 eax=0000802c
0041D80D |. 50 push eax ; eax=0012FFB0
0041D80E |. 64:8925 00000>mov fs:[0], esp ; esp=0012FEF4 fs:[00000000]=[7FFDF000]=0012FFB0
0041D815 |. 51 push ecx ; ecx=0058B3B0 (ImpDXF.0058B3B0)
0041D816 |. 53 push ebx ; ebx=7FFD3000
0041D817 |. 55 push ebp ; ebp=0012FF2C
0041D818 |. 8BE9 mov ebp, ecx ; ecx=0058B3B0 (ImpDXF.0058B3B0)
0041D81A |. 56 push esi ; esi=0058B3B0 (ImpDXF.0058B3B0)
0041D81B |. 57 push edi ; edi=7C930738 (ntdll.7C930738)
0041D81C |. 896C24 10 mov [esp+10], ebp ; ebp=0058B3B0 (ImpDXF.0058B3B0) 堆栈 ss:[0012FEF0]=0058B3B0
0041D820 |. 8D4D 08 lea ecx, [ebp+8] ; 地址=0058B3B8 ecx=0058B3B0
0041D823 |. E8 C8AA0F00 call 005182F0
%%%%%%%%%%%%%%%%%%%%%%
005182F0 /$ 56 push esi ; esi=0058B3B0 (ImpDXF.0058B3B0)
005182F1 |. 8BF1 mov esi, ecx ; ecx=0058B3B8 (ImpDXF.0058B3B8)
005182F3 |. 6A 00 push 0
005182F5 |. 6A 00 push 0
005182F7 |. C706 00000000 mov dword ptr [esi], 0 ; ds:[0058B3B8]=00000000
005182FD |. E8 9EFEFFFF call 005181A0
#########################
005181A0 /$ 53 push ebx ; ebx=7FFD3000
005181A1 |. 55 push ebp ; ebp=0058B3B0 (ImpDXF.0058B3B0)
005181A2 |. 56 push esi ; esi=0058B3B8 (ImpDXF.0058B3B8)
005181A3 |. 57 push edi ; edi=7C930738 (ntdll.7C930738)
005181A4 |. 8BE9 mov ebp, ecx ; ecx=0058B3B8 (ImpDXF.0058B3B8)
005181A6 |. E8 55000000 call 00518200
//^^^^^^^^^^^^^^^^
00518200 /$ 56 push esi ; esi=0058B3B8 (ImpDXF.0058B3B8)
00518201 |. 8BF1 mov esi, ecx ; ecx=0058B3B8 (ImpDXF.0058B3B8)
00518203 |. 8B06 mov eax, [esi]
00518205 |. 50 push eax ; eax=00000000
00518206 |. E8 A5280000 call 0051AAB0
0051820B |. 83C4 04 add esp, 4
0051820E |. C706 00000000 mov dword ptr [esi], 0 ; ds:[0058B3B8]=00000000
00518214 |. 5E pop esi ; 堆栈 [0012FEB4]=0058B3B8 (ImpDXF.0058B3B8)
00518215 \. C3 retn ; 返回到 005181AB (ImpDXF.005181AB)
/^^^^^^^^^^^^^^^^^^
005181AB |. 8B5C24 14 mov ebx, [esp+14] ; 堆栈 ss:[0012FED0]=00000000
005181AF |. 8B4C24 18 mov ecx, [esp+18] ; 堆栈 ss:[0012FED4]=00000000
005181B3 |. 85DB test ebx, ebx ; ebx=00000000
005181B5 |. 75 04 jnz short 005181BB ; 跳转未实现
005181B7 |. 85C9 test ecx, ecx ; ecx=00000000
005181B9 |. 7E 34 jle short 005181EF ; 跳转已实现
........................
005181EF |> 5F pop edi ; 堆栈 [0012FEBC]=7C930738 (ntdll.7C930738)
005181F0 |. 8BC5 mov eax, ebp ; ebp=0058B3B8 (ImpDXF.0058B3B8)
005181F2 |. 5E pop esi ; 堆栈 [0012FEC0]=0058B3B8 (ImpDXF.0058B3B8)
005181F3 |. 5D pop ebp ; 堆栈 [0012FEC4]=0058B3B0 (ImpDXF.0058B3B0)
005181F4 |. 5B pop ebx ; 堆栈 [0012FEC8]=7FFD3000 (7FFD3000)
005181F5 \. C2 0800 retn 8 ; 返回到 00518302 (ImpDXF.00518302)
#########################
00518302 |. 8BC6 mov eax, esi ; esi=0058B3B8 (ImpDXF.0058B3B8)
00518304 |. 5E pop esi ; 堆栈 [0012FED8]=0058B3B0 (ImpDXF.0058B3B0)
00518305 \. C3 retn ; 返回到 0041D828 (ImpDXF.0041D828)
%%%%%%%%%%%%%%%%%%%%%%
0041D828 |. 66:8B4424 24 mov ax, [esp+24] ; 堆栈 ss:[0012FF04]=802C ax=B3B8
0041D82D |. C745 00 A0B15>mov dword ptr [ebp], 0053B1A0 ; 0053B1A0=0053B1A0 (ASCII "鹑O") SS:[0058B3B0]=00000000
0041D834 |. 66:8945 04 mov [ebp+4], ax ; ax=802C SS:[0058B3B4]=0000
0041D838 |. 8B3D E09B5800 mov edi, [589BE0] ; ds:[00589BE0]=02810040 edi=7C930738
0041D83E |. 33DB xor ebx, ebx
0041D840 |. 3BFB cmp edi, ebx ; ebx=00000000 edi=02810040
0041D842 |. 895C24 1C mov [esp+1C], ebx ; ebx=00000000 堆栈 ss:[0012FEFC]=FFFFFFFF
0041D846 |. 75 2B jnz short 0041D873 ; 跳转已实现
.........
0041D873 |> 33C9 xor ecx, ecx ; ecx=00000000
0041D875 |. 8D5424 24 lea edx, [esp+24] ; 堆栈地址=0012FF04, (ASCII ",",80)
0041D879 |. 66:8B4D 04 mov cx, [ebp+4] ; ss:[0058B3B4]=802C cx=0000
0041D87D |. 52 push edx ; edx=0012FF04, (ASCII ",",80)
0041D87E |. 894C24 28 mov [esp+28], ecx ; ecx=0000802C 堆栈地址ss:[0012FF04]=0000802c
0041D882 |. 8B47 08 mov eax, [edi+8] ; ds:[02810048]=000000A5
0041D885 |. 8B37 mov esi, [edi] ; ds:[02810040]=029CEB50
0041D887 |. C1E0 02 shl eax, 2 ; eax=000000A5
0041D88A |. C1F8 02 sar eax, 2 ; eax=00000294
0041D88D |. 50 push eax ; eax=000000A5
0041D88E |. 56 push esi ; esi=029CEB50
0041D88F |. E8 5C040B00 call 004CDCF0
0041D894 |. 8B4F 08 mov ecx, [edi+8] ; ds:[02810048]=000000A5
0041D897 |. 2BC6 sub eax, esi ; esi=029CEB50
0041D899 |. C1F8 02 sar eax, 2 ; eax=00000064
0041D89C |. 83C4 0C add esp, 0C ; esp=0012FED4
0041D89F |. 3BC1 cmp eax, ecx ; ecx=000000A5 eax=00000019
0041D8A1 |. 73 14 jnb short 0041D8B7 ; 跳转未实现
0041D8A3 |. 8B0F mov ecx, [edi] ; ds:[02810040]=029CEB50 ecx=000000A5
0041D8A5 |. 8B1481 mov edx, [ecx+eax*4] ; ds:[029CEBB4]=0000804B edx=00000001
0041D8A8 |. 8B4424 24 mov eax, [esp+24] ; 堆栈 ss:[0012FF04]=0000802C eax=00000019
0041D8AC |. 3BD0 cmp edx, eax ; eax=0000802C edx=0000804B
0041D8AE |. 75 07 jnz short 0041D8B7 ; 跳转已实现
0041D8B0 |. B8 01000000 mov eax, 1
0041D8B5 |. EB 02 jmp short 0041D8B9
0041D8B7 |> 33C0 xor eax, eax ; eax=0000802C 跳转 0041D8A1,0041D8AE
0041D8B9 |> 3AC3 cmp al, bl ; bl=00 al=00
0041D8BB |. 0F85 85000000 jnz 0041D946 ; 跳转未实现
0041D8C1 |. 8B35 E09B5800 mov esi, [589BE0] ; ds:[00589BE0]=02810040
0041D8C7 |. 33C0 xor eax, eax ; eax=00000000
0041D8C9 |. 66:8B45 04 mov ax, [ebp+4] ; ss:[0058B3B4]=802C
0041D8CD |. 8D4C24 24 lea ecx, [esp+24] ; 堆栈地址=0012FF04, (ASCII ",",80)
0041D8D1 |. 894424 24 mov [esp+24], eax ; eax=0000802C 堆栈 ss:[0012FF04]=0000802C
0041D8D5 |. 8B56 08 mov edx, [esi+8] ; ds:[02810048]=000000A5 edx=0000804B
0041D8D8 |. 8B1E mov ebx, [esi] ; ds:[02810040]=029CEB50
0041D8DA |. 51 push ecx ; ecx=0012FF04, (ASCII ",",80)
0041D8DB |. C1E2 02 shl edx, 2 ; edx=000000A5
0041D8DE |. C1FA 02 sar edx, 2 ; edx=00000294
0041D8E1 |. 52 push edx ; edx=000000A5
0041D8E2 |. 53 push ebx ; ebx=029CEB50
0041D8E3 |. E8 08040B00 call 004CDCF0
0041D8E8 |. 8BF8 mov edi, eax ; eax=029CEBB4, (ASCII "K",80)
0041D8EA |. 8B46 08 mov eax, [esi+8] ; ds:[02810048]=000000A5
0041D8ED |. 2BFB sub edi, ebx ; ebx=029CEB50
0041D8EF |. 83C4 0C add esp, 0C ; esp=0012FED4
0041D8F2 |. C1FF 02 sar edi, 2 ; edi=00000064
0041D8F5 |. 3BF8 cmp edi, eax ; eax=000000A5
0041D8F7 |. 73 1D jnb short 0041D916 ; 跳转未实现
0041D8F9 |. 8B0E mov ecx, [esi] ; ds:[02810040]=029CEB50
0041D8FB |. 8B5424 24 mov edx, [esp+24] ; 堆栈 ss:[0012FF04]=0000802C
0041D8FF |. 8D04BD 000000>lea eax, [edi*4] ; 地址=00000064
0041D906 |. 03C8 add ecx, eax ; eax=00000064 ecx=029CEB50
0041D908 |. 3B11 cmp edx, [ecx] ; ds:[029CEBB4]=0000804B edx=0000802C
0041D90A |. 75 0A jnz short 0041D916 ; 跳转已实现
...........
0041D916 |> 6A 04 push 4 ; 跳转来自 0041D8F7, 0041D90A
0041D918 |. 6A 01 push 1
0041D91A |. 57 push edi ; edi=00000019
0041D91B |. 8BCE mov ecx, esi ; esi=02810040 ecx=029CEBB4,(ASCII "K" ,80)
0041D91D |. E8 EEAD0F00 call 00518710
0041D922 |. 8B06 mov eax, [esi] ; ds:[02810040]=029CEB50
0041D924 |. 8B4C24 24 mov ecx, [esp+24] ; 堆栈 ss:[0012FF04]=0000802C
0041D928 |. 8D1CBD 000000>lea ebx, [edi*4] ; 地址=00000064
0041D92F |. 83C6 0C add esi, 0C ; esi=02810040
0041D932 |. 6A 04 push 4
0041D934 |. 6A 01 push 1
0041D936 |. 890C18 mov [eax+ebx], ecx ; ecx=0000802C
0041D939 |. 57 push edi ; edi=00000019
0041D93A |. 8BCE mov ecx, esi ; esi=0281004C
0041D93C |. E8 CFAD0F00 call 00518710
0041D941 |. 8B16 mov edx, [esi] ; ds:[0281004C]=029CE748, (ASCII ""90,"yX")
0041D943 |. 892C1A mov [edx+ebx], ebp ; ebp=0058B3B0 (ImpDXF.0058B3B0), ASCII ""A0,"庇"
0041D946 |> 8B4C24 14 mov ecx, [esp+14] ; 堆栈 ss:[0012FEF4]=0012FFB0
0041D94A |. 5F pop edi ; 堆栈 [0012FEE0]=7C930738 (ntdll.7C930738)
0041D94B |. 8BC5 mov eax, ebp ; ebp=0058B3B0 (ImpDXF.0058B3B0), ASCII ""A0,"庇"
0041D94D |. 5E pop esi ; 堆栈 [0012FEE4]=0058B3B0 (ImpDXF.0058B3B0), ASCII ""A0,"庇" esi=00281004C
0041D94E |. 5D pop ebp ; 堆栈 [0012FEE8]=0012FF2C (0012FF2C) Ebp=0058B3B0
0041D94F |. 64:890D 00000>mov fs:[0], ecx ; ecx=0012FFB0
0041D956 |. 5B pop ebx ; 堆栈 [0012FEEC]=7FFD3000 (7FFD3000) Ebx=00000064
0041D957 |. 83C4 10 add esp, 10 ; esp=0012FEF0, (ASCII ""B0,"池")
0041D95A \. C2 0400 retn 4 ; 返回到 0043350D (ImpDXF.0043350D)
$$$$$$$$$$$$
0043350D |. C706 C0E75300 mov dword ptr [esi], 0053E7C0 ; 0053E7C0=0053E7C0 (ASCII "鹑O")
00433513 |. 8BC6 mov eax, esi ; esi=0058B3B0 (ImpDXF.0058B3B0), ASCII "犁S"
00433515 |. 5E pop esi ; 堆栈 [0012FF08]=0058B3B0 (ImpDXF.0058B3B0), ASCII "犁S"
00433516 \. C2 0400 retn 4 ; 返回到 0047229D (ImpDXF.0047229D)
@@@@@@@@@@@@@@@@@@@@@@@@@
0047229D |. C706 B01E5400 mov dword ptr [esi], 00541EB0 ; 00541EB0=00541EB0 (ASCII "鹑O")
004722A3 |. 8BC6 mov eax, esi ; esi=0058B3B0 (ImpDXF.0058B3B0)
004722A5 |. 5E pop esi ; 堆栈 [0012FF14]=005825A4 (ImpDXF.005825A4)
004722A6 \. C2 0400 retn 4 ; 返回到 0047226F (ImpDXF.0047226F)
................
00472255 . /E9 16000000 jmp 00472270 //来自0047226F
0047225A |90 nop
0047225B |90 nop
0047225C |90 nop
0047225D |90 nop
0047225E |90 nop
0047225F |90 nop
00472260 /$ |68 2C800000 push 802C
00472265 |. |B9 B0B35800 mov ecx, 0058B3B0
0047226A |. |E8 21000000 call 00472290
0047226F \. |C3 retn
00472270 > \68 80224700 push 00472280
00472275 . E8 76D00A00 call 0051F2F0
0047227A . 83C4 04 add esp, 4
0047227D . C3 retn
0051F2F0 /$ 8B4424 04 mov eax, [esp+4] ; 堆栈 ss:[0012FF20]=00472280 (ImpDXF.00472280)
0051F2F4 |. 50 push eax ; eax=00472280 (ImpDXF.00472280)
0051F2F5 |. E8 C6FFFFFF call 0051F2C0
0051F2FA |. 83C4 04 add esp, 4 ; esp=0012FF18
0051F2FD |. F7D8 neg eax ; eax=00472280 (ImpDXF.00472280)
0051F2FF |. 1BC0 sbb eax, eax ; eax=FFB8DD80
0051F301 |. F7D8 neg eax ; eax=FFFFFFFF
0051F303 |. 48 dec eax ; eax=00000001
0051F304 \. C3 retn ; 返回到 0047227A (ImpDXF.0047227A)