EsperCrackMe1的不完全破解第二部分-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

EsperCrackMe1的不完全破解第二部分

发表于: 2007-6-21 00:59 11736

EsperCrackMe1的不完全破解第二部分

seya

2007-6-21 00:59

11736

今天把这个Crack me的VM部分的分析贴出来，也许有人说，不就是个Crack me,费这么大劲干嘛，我想首先我还比较“新”，直接搞商业壳的VM肯定吃力不讨好，不如拿这个练习下，也算知道VM是什么了！
至于注册机，我反而没兴趣写了，今天太晚了，也许明天看看有时间的话再说。
而且我还有个想法，如果有人能通过下面的伪代码，分析出用户名的算法，那我将会非常高兴！
不过还是算了，这个伪代码个人的味道很浓，很难期待别人也和我同样的理解某些注释，主要怪我写的太不合规范，我念的书少，很多东西和专业的人叫法都不一样！理解也不一样！
下面就是VM部分的分析:
============拆解========
伪代码:
   说明:为了使大家看得懂,尽可能模仿平时大家看的汇编风格,多数语句的定义同8086汇编，个别有操作差异的，请参考后面注释。
寄存器，r10  等等是为了便于和原反汇编代码中的[esp+10]等对照，容易记忆，你也可以叫它们eax等等，不影响理解。
下面这部分程序中的汇编伪代码和平是看到的含义不尽相同，如果你怕弄混，可以把它们都加上VM_前缀。
   指令只有2种：4个字节的和8个字节的，8个字节的前4个字节是操作码，后4个为操作数。VM_EIP控制这块很值得借鉴。
   另外，这些程序前面的地址运行时是创建线程时分配的，所以很可能大家的每次都不一样，只有相对偏移值是固定的，大家对照原可执行文件看的时候注意。
==============
指令表:
C表示指令中应包含的操作数。
VM_opcode=5    ???                      ;估计是检测错误的，对算法影响不大
VM_opcode=10    lea r10,[r10*4+r20]
VM_opcode=11    mov r20,C
VM_opcode=17    inc [r28+C]
VM_opcode=27    mov [r28+C],r10
VM_opcode=30    idiv r20,r10             ;返回:r20=余数，r10=商；这应该是有符号数除法?
VM_opcode=33    mov r20,r10
VM_opcode=34    add r10,r20
VM_opcode=35    shl r10,r20
VM_opcode=39    jmp C
VM_opcode=3a    mov r10,[r28+C]
VM_opcode=3c    mov r10,r20
VM_opcode=42    mov r20,r14;mov r14,r14+C ;r20=原栈顶指针，然后栈顶指针+C;不是pop r20哦,原来看错了
VM_opcode=43    ???                         ;这个应该也是检测错误的,不翻译了,程序中全用???代替，反正，就当它什么也不干也行
VM_opcode=45    shr r10,r20
VM_opcode=46    VM_Ret                      ;操作：mov [r44+20],[r14+8+[r14+8]+4];mov r14,[r14+8+[r14+8]+4];pop VM_EIP;goto VM_Quit1
VM_opcode=47    pop r20
VM_opcode=4A    and r10,r20
VM_opcode=4C    push r10
VM_opcode=55    mov r20,r28+C    ;更正：应为mov r20,[r28+C]
VM_opcode=59    VM_Start                   ;sub r14,4;;push r28;;mov r28,r14
VM_opcode=5B    VM_quit
VM_opcode=6D    not r10
VM_opcode=75    imul r10,C
VM_opcode=76    push C
VM_opcode=77    xor r10,r20
VM_opcode=7F    xor r10,r10
VM_opcode=82    jz  C                         ;if r10=0 then goto 003A4728+C
VM_opcode=8B    mov r10,C
VM_opcode=91    add r10,C
VM_opcode=96    jne C
VM_opcode=97    mov r10,ds:[r10]             ;更正 mov r10,[r10]
                                                                     ；间接寻址需要+真实ESI

其余未用到
=============
伪代码程序
===============================================
VM_quit1：
003A4728  0000005B,00000000          VM_quit                ;这一个指令执行的操作很多，所以用了一个“高级”的标签。只要你走到这里，出口就不远啦。
======
start1:
003A4730  00000059                   VM_START                ;执行的操作：sub r14,4;;push r28;;mov r28,r14
003A4734  00000043                   ???
003A4738  00000076,7FED7FED          push 7FED7FED
003A4740  00000043                   ???
003A4744  00000076,EEEEEEEE          push EEEEEEEE
003A474C  00000043                   ???
003A4750  00000076,00000000          push 0
003A4758  00000039,00000044          jmp 44                   ;jmp L2; ;goto 003A476C
L3:
003A4760  00000043                   ???
003A4764  00000017,FFFFFFF4          inc [r28+FFFFFFF4]       ;(-c)
L2:
003A476C  0000003A,FFFFFFF4          mov r10,[r28+FFFFFFF4 ]
003A4774  00000055,0000000C          mov r20,r28+0000000C
003A477C  00000010                   lea r10,[r10*4+r20]
003A4780  00000097                   mov r10,ds:[r10]
   ;r10=400 ;ds:[400]='s e y a' 73000000 65000000 79000000 61000000
003A4784  00000082,0000014C          jz  14C                   ;jz L1 ;to 004a4874
003A478C  00000043                   ???
003A4790  0000007F                   xor r10,r10
003A4794  0000004C                   push r10
003A4798  0000003A,FFFFFFF4          mov r10,[r28+FFFFFFF4]    ;(-c)
003A47A0  00000055,0000000C          mov r20,r28+0000000C
003A47A8  00000010                   lea r10,[r10*4+r20]
003A47AC  00000097                   mov r10,ds:[r10]
003A47B0  00000091,FFFFFFD1          add r10,FFFFFFD1
003A47B8  00000033                   mov r20,r10
003A47BC  0000008B,00000100          mov r10,00000100
003A47C4  00000030                   idiv r20,r10             ;返回:r20余数，r10商；
003A47C8  0000003C                   mov r10,r20
003A47CC  00000005,000000FF          ???
003A47D4  00000047                   pop r20
003A47D8  00000010                   lea r10,[r10*4+r20]
003A47DC  00000097                   mov r10,ds:[r10]
003A47E0  0000004C                   push r10
003A47E4  0000003A,FFFFFFF8          mov r10,[r28+FFFFFFF8]
003A47EC  00000055,FFFFFFFC          mov r20,r28+FFFFFFFC
003A47F4  00000034                   add r10,r20
003A47F8  00000047                   pop r20
003A47FC  00000077                   xor r10,r20
003A4800  00000027,FFFFFFFC          mov [r28+FFFFFFFC],r10
003A4808  00000043                   ???
003A480C  0000003A,FFFFFFF4          mov r10,[r28+FFFFFF4]
003A4814  00000055,000000C             mov r20,r28+000000C
003A481C  00000010                   lea r10,[r10*4+r20]
003A4820  00000097                   mov r10,ds:[r10]          ;ds:[400]='seya' 73 65 79 61
003A4824  00000055,FFFFFFFC          mov r20,r28+FFFFFFFC
003A482C  00000034                   add r10,r20
003A4830  00000055,FFFFFFF8          mov r20,r28+FFFFFFF8
003A4838  00000034                   add r10,r20
003A483C  0000004C                   push r10
003A4840  0000003A,FFFFFFF8          mov r10,[r28+FFFFFF8]
003A4848  00000011,00000005          mov r20,5
003A4850  00000035                   shl r10,r20
003A4854  00000047                   pop r20
003A4858  00000034                   add r10,r20
003A485C  00000091,00000003          add r10,3
003A4864  00000027,FFFFFFF8          mov [r28+c],r10
003A486C  00000039,00000038          jmp 38                         ;jmp L3;goto 4a4760
L1:
003A4874  00000042,00000004          mov r20,r14;mov r14,r14+00000004  ;r20=原栈顶指针，然后栈顶指针+C;不是pop r20哦,原来看错了
003A487C  00000043                   ???
003A4880  0000003A,FFFFFFFC          mov r10,[r28+FFFFFFFC]
003A4888  00000042,00000008          mov r20,r14;mov r14,r14+00000008
003A4890  00000046                   VM_ret                         ;操作：mov [r44+20],[r14+8+[r14+8]+4];mov r14,[r14+8+[r14+8]+4];pop VM_EIP;goto VM_Quit1
==========

START2:
003A4894  00000059                   VM_START                         ;执行的操作：sub r14,4;;push r28;;mov r28,r14
003A4898  00000043                   ???
003A489C  00000076,00000000          push 0
003A48A4  00000043                   ???
003A48A8  00000076,00000000          push 0
003A48B0  00000039,0000019C          jmp 19c                            ;jmp L4;goto 3A48C4
L8:
003A48B8  00000043                   ???
003A48BC  00000017,FFFFFFF8          inc [r28+FFFFFFF8]             ;(-8)
L4:
003A48C4  0000003A,FFFFFFF8          mov r10,[r28+FFFFFFF8](-8)
003A48CC  00000055,0000000C          mov r20,[r28+0000000C]
003A48D4  00000010                   lea r10,[r10*4+r20]
                                                                     ;lea ebx, dword ptr [edi+ebx*4];mov dword ptr [esp+10],ebx
003A48D8  00000097                   mov r10,ds:[r10]                ;ds:[400]='seya'
003A48DC  00000082,000002E0          jz  2e0                         ;jz L5;to 3A4A08;if r10=0 then goto 3A4728+2e0
003A48E4  00000043                   ???
003A48E8  0000003A,FFFFFFF8          mov r10,[r28+FFFFFFF8]
003A48F0  00000011,00000001          mov r20,1
003A48F8  0000004A                   and r10,r20
003A48FC  00000096,0000025C          jne 25c                      ;jne L6;to 3a4984
003A4904  00000043                   ???
003A4908  0000003A,FFFFFFFC          mov r10,[r28+FFFFFFFC]       ;ebx=r10;;r28=43ec指向堆栈顶部
003A4910  0000004C                   push ebx, bx=r10
003A4914  0000003A,FFFFFFFC    mov r10,[r28+FFFFFFFC](-4)          ;r28
003A491C  00000011,00000007    mov r20,7
003A4924  00000035             shl r10,r20                         ;shl,ebx,edi,mov r10,ebx;;edi=r20;ebx=r10
003A4928  0000004C             push ebx                            ;r14-4;ebx=r10;
003A492C  0000003A,FFFFFFF8    mov r10,[r28+FFFFFFF8](-8)          ;r28
003A4934  00000055,0000000C    mov r20,[r28+0000000C]             ;edi=r20
003A493C  00000010             lea r10,[r10*4+r20]                ;r10=400
003A4940  00000097             mov r10,ds:[r10]                   ;r10=ebx;;ds:[400]='seya' 73 65 79 61
003A4944  00000047             pop r20                            ;r14-4
003A4948  00000077             xor r10,r20
003A494C  0000004C             push r10                            ;ebx=r10
003A4950  0000003A,FFFFFFFC    mov r10,[r28+FFFFFFFC]
003A4958  00000011,00000003    mov r20,3
003A4960  00000045             shr r10,r20                         ;edi,ebx,ecx
003A4964  00000047             pop r20                            ;r14+4;;r14目前可以判定是堆栈寄存器，寻址的基址固定为003A4C50
003A4968  00000077             xor r10,r20                         ;r10,bx,di=73;'s'
003A496C  00000047             pop r20
003A4970  00000077             xor r10,r20                         ;bx='s'
003A4974  00000027,FFFFFFFC    mov [r28+FFFFFFFC],r10
003A497C  00000039,000002D8    jmp 2d8                            ;jmp L7;to003A4A00;
L6:
003A4984  00000043             ???
003A4988  0000003A,FFFFFFFC    mov r10,[r28+FFFFFFFC](-4)
003A4990  0000004C             push r10
003A4994  0000003A,FFFFFFFC    mov r10,[r28+FFFFFFFC](-4)
003A499C  00000011,0000000B    mov r20,0000000B
003A49A4  00000035             shl r10,r20
003A49A8  0000004C             push r10
003A49AC  0000003A,FFFFFFF8    mov r10,[r28+FFFFFFF8](-8)
003A49B4  00000055，0000000C    mov r20,[r28+0000000C]
003A49BC  00000010             lea r10,[r10*4+r20]
003A49C0  00000097             mov r10,ds:[r10]                      ;r10=ebx;;ds:[400]='seya' 73 65 79 61
003A49C4  00000047             pop r20
003A49C8  00000077             xor r10,r20
003A49CC  0000004C             push r10
003A49D0  0000003A,FFFFFFFC    mov r10,[r28+FFFFFFFC](-4)
003A49D8  00000011,00000005    mov r20,5
003A49E0  00000045             shr r10,r20
003A49E4  00000047             pop r20
003A49E8  00000077             xor r10,r20
003A49EC  0000006D             not r10
003A49F0  00000047             pop r20
003A49F4  00000077             xor r10,r20
003A49F8  00000027,FFFFFFFC    mov [r28+FFFFFFFC],r10
L7:
003A4A00  00000039,00000190    jmp 190                            ;jmp L8;to 003A48B8
L5:
003A4A08  00000042,00000004    mov r20,r14;mov r14,r14+00000004;
003A4A10  00000043             ???
003A4A14  0000003A,FFFFFFFC    mov r10,[r28+FFFFFFFC](-4)
003A4A1C  00000042,00000004    mov r20,r14;mov r14,r14+00000004;
003A4A24  00000046             VM_ret
==============
VM_START3:
003A4A28  00000059             VM_START                            ;执行的操作:sub r14,4;push r28;mov r28,r14
                                                                     ;当前栈顶指针-4，然后把r28入栈，最后使r28=当前栈顶指针
003A4A2C  00000043             ???
003A4A30  00000076,00000000    push 0
003A4A38  00000043             ???
003A4A3C  00000076,00000000    push 0
003A4A44  00000039,00000330    jmp 330                            ;jmp L9;goto 003A4A58
L11:
003A4A4C  00000043             ???
003A4A50  00000017,FFFFFFF8    inc [r28+FFFFFFF8]
L9
003A4A58  0000003A,FFFFFFF8    mov r10,[r28+FFFFFFF8](-8)
003A4A60  00000055,0000000C    mov r20,r28+0000000C
003A4A68  00000010             lea r10,[r10*4+r20]
003A4A6C  00000097             mov r10,ds:[r10]
003A4A70  00000082,000003AC    jz 3ac                               ;jz L10;go 003A4AD4 ;;test r10,0
003A4A78  00000043             ???
003A4A7C  0000003A,FFFFFFFC    mov r10,[r28+FFFFFFFC]                ;(-4)
003A4A84  00000075,811C9DC5    imul r10,811C9DC5
003A4A8C  00000027,FFFFFFFC    mov [r28+FFFFFFFC],r10
003A4A94  00000043             ???
003A4A98  0000003A,FFFFFFFC    mov r10,[r28+FFFFFFFC](-4)
003A4AA0  0000004C             push r10
003A4AA4  0000003A,FFFFFFF8    mov r10,[r28+FFFFFFF8](-8)
003A4AAC  00000055,0000000C    mov r20,r28+0000000C
003A4AB4  00000010             lea r10,[r10*4+r20]
003A4AB8  00000097             mov r10,ds:[r10]                      ;r10=ebx;;ds:[400]='seya' 73 65 79 61
003A4ABC  00000047             pop r20
003A4AC0  00000077             xor r10,r20
003A4AC4  00000027,FFFFFFFC    mov [r28+FFFFFFFC],r10
003A4ACC  00000039,00000324    jmp 324                               ;jmp L11;goto 3A4A4C
L10:
003A4AD4  00000042,00000004    mov r20,r14;mov r14,r14+00000004
003A4ADC  00000043             ???
003A4AE0  0000003A,FFFFFFFC    mov r10,[r28+FFFFFFFC](-4)
003A4AE8  00000042,00000004    mov r20,r14;mov r14,r14+00000004
003A4AF0  00000046             VM_ret

=============
start4:
003A4AF4  00000059             VM_START                            ;执行的操作：sub r14,4;;push r28;;mov r28,r14
003A4AF8  00000043             ???
003A4AFC  00000076,00000000    push 0
003A4B04  00000043             ???
003A4B08  00000076,00000000    push 0
003A4B10  00000043             ???
003A4B14  00000076,00000000    push 0
003A4B1C  00000039,00000408    jmp 408                               ;jmp L12;goto 3A4B30
L15:
003A4B24  00000043             ???
003A4B28  00000017,FFFFFFF4    inc [r28+FFFFFFF4]
L12:
003A4B30  0000003A,FFFFFFF4    mov r10,[r28+FFFFFFF4]
003A4B38  00000055,0000000C    mov r20,r28+0000000C
003A4B40  00000010             lea r10,[r10*4+r20]
003A4B44  00000097             mov r10,ds:[r10]
003A4B48  00000082,00000508    jz  508                               ;jz L13;goto 3A4C30
003A4B50  00000043             ???
003A4B54  0000003A,FFFFFFFC    mov r10,[r28+FFFFFFFC]
003A4B5C  00000011,00000004    mov r20,4
003A4B64  00000035             shl r10,r20
003A4B68  0000004C             push r10
003A4B6C  0000003A,FFFFFFF4    mov r10,[r28+FFFFFFF4]
003A4B74  00000055,0000000C    mov r20,r28+0000000C
003A4B7C  00000010             lea r10,[r10*4+r20]
003A4B80  00000097             mov r10,ds:[r10]                         ;r10=ebx;;ds:[400]='seya' 73 65 79 61
003A4B84  00000047             pop r20
003A4B88  00000034             add r10,r20
003A4B8C  00000027,FFFFFFFC    mov [r28+FFFFFFFC],r10
003A4B94  00000043             ???
003A4B98  0000003A,FFFFFFFC    mov r10,[r28+FFFFFFFC]
003A4BA0  00000011,F0000000    mov r20,C
003A4BA8  0000004A             and r10,r20
003A4BAC  00000027,FFFFFFF8    mov [r28+c],r10
003A4BB4  00000043             ???
003A4BB8  0000003A,FFFFFFF8    mov r10,[r28+FFFFFFF8]
003A4BC0  00000082,000004D4    jz  4D4                               ;jz L14;goto 3A4BFC
003A4BC8  00000043             ???
003A4BCC  0000003A,FFFFFFFC    mov r10,[r28+FFFFFFFC]
003A4BD4  0000004C             push r10
003A4BD8  0000003A,FFFFFFF8    mov r10,[r28+FFFFFFF8]
003A4BE0  00000011,00000018    mov r20,18
003A4BE8  00000045             shr r10,r20
003A4BEC  00000047             pop r20
003A4BF0  00000077             xor r10,r20
003A4BF4  00000027,FFFFFFFC    mov [r28+FFFFFFFC],r10
L14:
003A4BFC  00000043             ???
003A4C00  0000003A,FFFFFFFC    mov r10,[r28+FFFFFFFC]
003A4C08  0000004C             push r10
003A4C0C  0000003A,FFFFFFF8    mov r10,[r28+FFFFFFF8]
003A4C14  0000006D             not r10
003A4C18  00000047             pop r20
003A4C1C  0000004A             and r10,r20
003A4C20  00000027,FFFFFFFC    mov [r28+FFFFFFFC],r10
003A4C28  00000039,000003FC    jmp 3fc                               ;jmp L15;goto 3A4B24
L13
003A4C30  00000042,00000004    mov r20,r14;mov r14,r14+4
003A4C38  00000043             ???
003A4C3C  0000003A,FFFFFFFC    mov r10,[r28+C]
003A4C44  00000042,00000008    mov r20,r14;mov r14,r14+8
003A4C4C  00000046             VM_ret
===============

共4个VM_START和与其配对的VM_RET
程序运行时创建4个线程,每个有不同的入口,分别对用户名进行4种运算得到4个数传回主程序.

登录后可查看完整内容

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・1

免费・7

支持

最新回复 (15)
seya 雪币： 328 活跃值： (10) 能力值： ( LV9，RANK：210 ) 在线值：发帖 17 回帖 134 粉丝 0 关注私信	seya 5 2 楼 VM的主要流程： jmp dword ptr [ecx4+401D90] 00400DB1 \|> \8B4D 00 mov ecx, dword ptr [ebp] ; EBP读入指令流;第一条:vm_opcode59 00400DB4 \|. 83C5 04 add ebp, 4 ; VM_EIP++ 00400DB7 \|. 49 dec ecx ; 58 00400DB8 \|. 81F9 9C000000 cmp ecx, 9C ; 9c,VM_exit 00400DBE \|. 0F87 1B0E0000 ja 00401BDF 00400DC4 \|> FF248D 901D40>/jmp dword ptr [ecx4+401D90] ;ecx=code编号-1 ;code处理函数入口地址=ecx4+401d90 00400DCB \|> 8B45 00 \|mov eax, dword ptr [ebp] 00400DCE \|. 8B1C30 \|mov ebx, dword ptr [eax+esi] . . . . . 00401BC2 \|> \8B5C24 10 \|mov ebx, dword ptr [esp+10] ;这是为了保证r10和ebx的值始终同步 00401BC6 \|> 8B45 00 \|mov eax, dword ptr [ebp] ; VM_opcode; Default case of switch 00401147 00401BC9 \|. 8D48 FF \|lea ecx, dword ptr [eax-1] ; VM_opcode-1 00401BCC \|. 83C5 04 \|add ebp, 4 ; VM_EIP++ 00401BCF \|. 81F9 9C000000 \|cmp ecx, 9C ; VM_exit? 00401BD5 \|.^ 0F86 E9F1FFFF \jbe 00400DC4 ======== 指令处理例程入口地址表：注意这一句！！！ 00400DC4 jmp dword ptr [ecx4+401D90] ecx=code编号-1 code处理函数入口地址=ecx*4+401d90 共169条指令1-a9: 1 \| 2 \| 3 \| 4 00401D90 7E 10 40 00 99 14 40 00 3A 17 40 00 21 0F 40 00 00401DA0 F9 19 40 00 5D 14 40 00 88 19 40 00 49 17 40 00 00401DB0 3E 17 40 00 DB 1B 40 00 DB 1B 40 00 14 18 40 00 00401DC0 F9 16 40 00 0D 14 40 00 DB 1B 40 00 5F 10 40 00 00401DD0 E8 0E 40 00 DB 1B 40 00 BA 15 40 00 DB 1B 40 00 00401DE0 64 0E 40 00 DB 1B 40 00 E9 17 40 00 E6 11 40 00 00401DF0 9E 0F 40 00 DB 14 40 00 1D 17 40 00 7F 0E 40 00 00401E00 51 18 40 00 8E 13 40 00 DB 1B 40 00 DB 1B 40 00 00401E10 3E 11 40 00 B1 13 40 00 F9 13 40 00 8B 16 40 00 00401E20 DB 1B 40 00 1E 12 40 00 3D 0F 40 00 DB 1B 40 00 00401E30 2C 15 40 00 DB 1B 40 00 21 14 40 00 5C 12 40 00 00401E40 FC 1A 40 00 EB 18 40 00 71 14 40 00 6C 15 40 00 00401E50 F7 0E 40 00 2C 17 40 00 89 11 40 00 73 10 40 00 00401E60 C1 14 40 00 03 16 40 00 1D 16 40 00 0A 18 40 00 00401E70 B5 14 40 00 EF 0D 40 00 9D 16 40 00 7E 11 40 00 00401E80 D9 15 40 00 EF 0E 40 00 DC 1A 40 00 C6 1B 40 00 00401E90 DB 1B 40 00 8A 12 40 00 85 1B 40 00 DB 1B 40 00 00401EA0 CE 14 40 00 50 13 40 00 73 12 40 00 85 14 40 00 00401EB0 1F 0E 40 00 12 16 40 00 34 0E 40 00 A7 11 40 00 00401EC0 F9 14 40 00 DB 1B 40 00 F0 1A 40 00 57 1B 40 00 00401ED0 0C 0F 40 00 65 0F 40 00 DD 0D 40 00 E8 1A 40 00 00401EE0 07 0E 40 00 DC 1A 40 00 02 18 40 00 DB 1B 40 00 00401EF0 F8 12 40 00 6B 10 40 00 D3 1C 40 00 0B 17 40 00 00401F00 45 1B 40 00 0A 15 40 00 DB 1B 40 00 D8 16 40 00 00401F10 DB 1B 40 00 2F 1A 40 00 27 10 40 00 30 18 40 00 00401F20 49 14 40 00 CB 0D 40 00 35 14 40 00 C0 10 40 00 00401F30 B5 0F 40 00 CD 17 40 00 76 0F 40 00 49 18 40 00 00401F40 45 16 40 00 8D 17 40 00 E8 1A 40 00 1E 18 40 00 00401F50 DB 1B 40 00 51 0F 40 00 DB 1B 40 00 80 16 40 00 00401F60 61 16 40 00 CD 11 40 00 28 16 40 00 1B 15 40 00 00401F70 AD 14 40 00 D7 17 40 00 69 17 40 00 9F 17 40 00 00401F80 E8 14 40 00 BA 11 40 00 75 16 40 00 DB 1B 40 00 00401F90 DB 1B 40 00 D1 13 40 00 57 17 40 00 7B 17 40 00 00401FA0 2F 0F 40 00 DA 0F 40 00 9F 10 40 00 69 1B 40 00 00401FB0 F8 15 40 00 DB 1B 40 00 D9 0E 40 00 3A 12 40 00 00401FC0 C1 12 40 00 94 11 40 00 2C 10 40 00 DB 1B 40 00 00401FD0 50 16 40 00 AE 15 40 00 AE 15 40 00 87 0F 40 00 00401FE0 49 0E 40 00 E5 13 40 00 36 10 40 00 4D 17 40 00 00401FF0 22 13 40 00 33 16 40 00 B7 17 40 00 9D 1A 40 00 00402000 B5 16 40 00 D6 10 40 00 E6 10 40 00 F6 10 40 00 00402010 03 11 40 00 13 11 40 00 20 11 40 00 2D 11 40 00 00402020 57 11 40 00 C6 1B 40 00 60 11 40 00 69 11 40 00 00402030 72 11 40 00 =========== 指令流: VM就是从这里读opcode的，我在上面伪代码那里已经分析过了，列在这里，大家能看得更清楚 003A46B0 00 00 00 00 43 00 00 00 33 09 13 00 BD 01 08 00 ....C...3..?. 003A46C0 46 07 00 00 E0 F1 08 08 04 00 08 00 68 00 00 00 F..囫..h... 003A46D0 90 05 00 00 90 09 00 00 90 49 00 00 FF FF FF FF ?..?..怚.. 003A46E0 38 00 00 00 58 00 00 00 58 00 00 00 58 00 00 00 8...X...X...X... 003A46F0 58 00 00 00 58 00 00 00 08 00 00 00 5A 00 00 00 X...X......Z... 003A4700 6C 01 00 00 5D 00 00 00 00 03 00 00 60 00 00 00 l..]......`... 003A4710 CC 03 00 00 63 00 00 00 1F 00 48 31 00 48 32 00 ?..c....H1.H2. 003A4720 48 33 00 48 34 00 00 00 5B 00 00 00 00 00 00 00 H3.H4...[....... 003A4730 59 00 00 00 43 00 00 00 76 00 00 00 ED 7F ED 7F Y...C...v...?? 003A4740 43 00 00 00 76 00 00 00 EE EE EE EE 43 00 00 00 C...v...铑铑C... 003A4750 76 00 00 00 00 00 00 00 39 00 00 00 44 00 00 00 v.......9...D... 003A4760 43 00 00 00 17 00 00 00 F4 FF FF FF 3A 00 00 00 C......?:... 003A4770 F4 FF FF FF 55 00 00 00 0C 00 00 00 10 00 00 00 ?U.......... 003A4780 97 00 00 00 82 00 00 00 4C 01 00 00 43 00 00 00 ?..?..L..C... 003A4790 7F 00 00 00 4C 00 00 00 3A 00 00 00 F4 FF FF FF ...L...:...? 003A47A0 55 00 00 00 0C 00 00 00 10 00 00 00 97 00 00 00 U..........?.. 003A47B0 91 00 00 00 D1 FF FF FF 33 00 00 00 8B 00 00 00 ?..?3...?.. 003A47C0 00 01 00 00 30 00 00 00 3C 00 00 00 05 00 00 00 ...0...<...... 003A47D0 FF 00 00 00 47 00 00 00 10 00 00 00 97 00 00 00 ...G......?.. 003A47E0 4C 00 00 00 3A 00 00 00 F8 FF FF FF 55 00 00 00 L...:...?U... 003A47F0 FC FF FF FF 34 00 00 00 47 00 00 00 77 00 00 00 ?4...G...w... 003A4800 27 00 00 00 FC FF FF FF 43 00 00 00 3A 00 00 00 '...?C...:... 003A4810 F4 FF FF FF 55 00 00 00 0C 00 00 00 10 00 00 00 ?U.......... 003A4820 97 00 00 00 55 00 00 00 FC FF FF FF 34 00 00 00 ?..U...?4... 003A4830 55 00 00 00 F8 FF FF FF 34 00 00 00 4C 00 00 00 U...?4...L... 003A4840 3A 00 00 00 F8 FF FF FF 11 00 00 00 05 00 00 00 :...?...... 003A4850 35 00 00 00 47 00 00 00 34 00 00 00 91 00 00 00 5...G...4...?.. 003A4860 03 00 00 00 27 00 00 00 F8 FF FF FF 39 00 00 00 ...'...?9... 003A4870 38 00 00 00 42 00 00 00 04 00 00 00 43 00 00 00 8...B......C... 003A4880 3A 00 00 00 FC FF FF FF 42 00 00 00 08 00 00 00 :...?B...... 003A4890 46 00 00 00 59 00 00 00 43 00 00 00 76 00 00 00 F...Y...C...v... 003A48A0 00 00 00 00 43 00 00 00 76 00 00 00 00 00 00 00 ....C...v....... 003A48B0 39 00 00 00 9C 01 00 00 43 00 00 00 17 00 00 00 9...?..C...... 003A48C0 F8 FF FF FF 3A 00 00 00 F8 FF FF FF 55 00 00 00 ?:...?U... 003A48D0 0C 00 00 00 10 00 00 00 97 00 00 00 82 00 00 00 .......?..?.. 003A48E0 E0 02 00 00 43 00 00 00 3A 00 00 00 F8 FF FF FF ?..C...:...? 003A48F0 11 00 00 00 01 00 00 00 4A 00 00 00 96 00 00 00 ......J...?.. 003A4900 5C 02 00 00 43 00 00 00 3A 00 00 00 FC FF FF FF \..C...:...? 003A4910 4C 00 00 00 3A 00 00 00 FC FF FF FF 11 00 00 00 L...:...?... 003A4920 07 00 00 00 35 00 00 00 4C 00 00 00 3A 00 00 00 ...5...L...:... 003A4930 F8 FF FF FF 55 00 00 00 0C 00 00 00 10 00 00 00 ?U.......... 003A4940 97 00 00 00 47 00 00 00 77 00 00 00 4C 00 00 00 ?..G...w...L... 003A4950 3A 00 00 00 FC FF FF FF 11 00 00 00 03 00 00 00 :...?...... 003A4960 45 00 00 00 47 00 00 00 77 00 00 00 47 00 00 00 E...G...w...G... 003A4970 77 00 00 00 27 00 00 00 FC FF FF FF 39 00 00 00 w...'...?9... 003A4980 D8 02 00 00 43 00 00 00 3A 00 00 00 FC FF FF FF ?..C...:...? 003A4990 4C 00 00 00 3A 00 00 00 FC FF FF FF 11 00 00 00 L...:...?... 003A49A0 0B 00 00 00 35 00 00 00 4C 00 00 00 3A 00 00 00 ...5...L...:... 003A49B0 F8 FF FF FF 55 00 00 00 0C 00 00 00 10 00 00 00 ?U.......... 003A49C0 97 00 00 00 47 00 00 00 77 00 00 00 4C 00 00 00 ?..G...w...L... 003A49D0 3A 00 00 00 FC FF FF FF 11 00 00 00 05 00 00 00 :...?...... 003A49E0 45 00 00 00 47 00 00 00 77 00 00 00 6D 00 00 00 E...G...w...m... 003A49F0 47 00 00 00 77 00 00 00 27 00 00 00 FC FF FF FF G...w...'...? 003A4A00 39 00 00 00 90 01 00 00 42 00 00 00 04 00 00 00 9...?..B...... 003A4A10 43 00 00 00 3A 00 00 00 FC FF FF FF 42 00 00 00 C...:...?B... 003A4A20 04 00 00 00 46 00 00 00 59 00 00 00 43 00 00 00 ...F...Y...C... 003A4A30 76 00 00 00 00 00 00 00 43 00 00 00 76 00 00 00 v.......C...v... 003A4A40 00 00 00 00 39 00 00 00 30 03 00 00 43 00 00 00 ....9...0..C... 003A4A50 17 00 00 00 F8 FF FF FF 3A 00 00 00 F8 FF FF FF ...?:...? 003A4A60 55 00 00 00 0C 00 00 00 10 00 00 00 97 00 00 00 U..........?.. 003A4A70 82 00 00 00 AC 03 00 00 43 00 00 00 3A 00 00 00 ?..?..C...:... 003A4A80 FC FF FF FF 75 00 00 00 C5 9D 1C 81 27 00 00 00 ?u...艥?... 003A4A90 FC FF FF FF 43 00 00 00 3A 00 00 00 FC FF FF FF ?C...:...? 003A4AA0 4C 00 00 00 3A 00 00 00 F8 FF FF FF 55 00 00 00 L...:...?U... 003A4AB0 0C 00 00 00 10 00 00 00 97 00 00 00 47 00 00 00 .......?..G... 003A4AC0 77 00 00 00 27 00 00 00 FC FF FF FF 39 00 00 00 w...'...?9... 003A4AD0 24 03 00 00 42 00 00 00 04 00 00 00 43 00 00 00 $..B......C... 003A4AE0 3A 00 00 00 FC FF FF FF 42 00 00 00 04 00 00 00 :...?B...... 003A4AF0 46 00 00 00 59 00 00 00 43 00 00 00 76 00 00 00 F...Y...C...v... 003A4B00 00 00 00 00 43 00 00 00 76 00 00 00 00 00 00 00 ....C...v....... 003A4B10 43 00 00 00 76 00 00 00 00 00 00 00 39 00 00 00 C...v.......9... 003A4B20 08 04 00 00 43 00 00 00 17 00 00 00 F4 FF FF FF ..C......? 003A4B30 3A 00 00 00 F4 FF FF FF 55 00 00 00 0C 00 00 00 :...?U....... 003A4B40 10 00 00 00 97 00 00 00 82 00 00 00 08 05 00 00 ...?..?.... 003A4B50 43 00 00 00 3A 00 00 00 FC FF FF FF 11 00 00 00 C...:...?... 003A4B60 04 00 00 00 35 00 00 00 4C 00 00 00 3A 00 00 00 ...5...L...:... 003A4B70 F4 FF FF FF 55 00 00 00 0C 00 00 00 10 00 00 00 ?U.......... 003A4B80 97 00 00 00 47 00 00 00 34 00 00 00 27 00 00 00 ?..G...4...'... 003A4B90 FC FF FF FF 43 00 00 00 3A 00 00 00 FC FF FF FF ?C...:...? 003A4BA0 11 00 00 00 00 00 00 F0 4A 00 00 00 27 00 00 00 ......餔...'... 003A4BB0 F8 FF FF FF 43 00 00 00 3A 00 00 00 F8 FF FF FF ?C...:...? 003A4BC0 82 00 00 00 D4 04 00 00 43 00 00 00 3A 00 00 00 ?..?..C...:... 003A4BD0 FC FF FF FF 4C 00 00 00 3A 00 00 00 F8 FF FF FF ?L...:...? 003A4BE0 11 00 00 00 18 00 00 00 45 00 00 00 47 00 00 00 ......E...G... 003A4BF0 77 00 00 00 27 00 00 00 FC FF FF FF 43 00 00 00 w...'...?C... 003A4C00 3A 00 00 00 FC FF FF FF 4C 00 00 00 3A 00 00 00 :...?L...:... 003A4C10 F8 FF FF FF 6D 00 00 00 47 00 00 00 4A 00 00 00 ?m...G...J... 003A4C20 27 00 00 00 FC FF FF FF 39 00 00 00 FC 03 00 00 '...?9...?.. 003A4C30 42 00 00 00 04 00 00 00 43 00 00 00 3A 00 00 00 B......C...:... 003A4C40 FC FF FF FF 42 00 00 00 08 00 00 00 46 00 00 00 ?B......F... ============= 真实计算机的堆栈和VM的寄存器对应如下： ESP+00 00DFFE7C 00DFFFEC <-进入VM后真实ESP在这里,VM运行过程中，真实的ESP是不变的。 ESP+04 00DFFE80 003A47B0 ESP+08 00DFFE84 003A47B4 ASCII "seya" ESP+0c 00DFFE88 003A47B0 ESP+10 00DFFE8C 00000000 r10 ESP+14 00DFFE90 000043F0 r14:VM_ESP ESP+18 00DFFE94 000043FC ESP+1c 00DFFE98 00000414 ESP+20 00DFFE9C 00000000 r20 ESP+24 00DFFEA0 003A4728 转移的基准地址 offiset+003A4728这是最上面那句VM_quit的地址！ ESP+28 00DFFEA4 00000000 始终等于初始的VM_ESP ESP+2c 00DFFEA8 00000414 ESP+30 00DFFEAC 003A4E30 ESP+34 00DFFEB0 003A48A0 ESP+38 00DFFEB4 00000528 ESP+3c 00DFFEB8 00000038 ESP+40 00DFFEBC 0040236B 返回到 EsperCra.0040236B 来自 EsperCra.00400C00 ESP+44 00DFFEC0 00DFFF18 ESP+48 00DFFEC4 00DFFF08 ESP+4c 00DFFEC8 00000001 ESP+50 00DFFECC 00DFFF18 ============= 说一下分析的思路,刚下手的时候完全没感觉，经过反复观察，试探，思考终于搞定了。因为是虚拟的机器，不知道它用什么方式工作，也不知道它采用几个寄存器，不过在思考过后决定先从最简单的OPCODE分析。什么操作是最简单的？也许每个人都有自己的看法，不过我觉得特征最明显的指令就是最容易下手的。突破口就是栈！目前常见的计算机几乎都是存在堆栈结构的，而这个VM也正是一个典型的栈式计算机！出栈、入栈，不光要产生数据的传送，还要对栈顶指针作加减操作，特征很明显，也很有规律，总是先出栈再加指针，先减指针再入栈（假设栈向低位生长）。因此当找到了代表栈操作的两个VM_opcode时，胜利已经可以看得见了，这时已经掌握的信息是很多的：VM_EIP使用的真实寄存器(EBP)、栈使用的内存空间、以及栈顶指针的表达方式、还有基址变址的一些参数，有了这些做基础，几乎剩下的工作就是重复的粘粘贴贴了。然而一个人做这项工作显然很考验精力、耐力，做到现在我已经不太可能再重头校对了，也许会存在某些错误，甚至有的指令功能分析的存在误解，我虽然尽量避免，不过，如果真的存在错误，请大家不吝赐教！最后，让我发句牢骚：VM的时代来临了，做苦工的日子还远么？ 2007-6-21 00:59 0
seya 雪币： 328 活跃值： (10) 能力值： ( LV9，RANK：210 ) 在线值：发帖 17 回帖 134 粉丝 0 关注私信	seya 5 3 楼 ============= VM的核心代码，后面的注释都是自己分析的时候为了方便弄上的，很多地方前后表达很含糊，前后风格不统一，不少地方还弄错了，也有些地方当时觉得一看就明白了，没加注释，大家对付看吧，实在没力气改了！ 00400DB1 \8B4D 00 mov ecx, dword ptr [ebp] ; EBP读入指令流;vm_opcode59 00400DB4 83C5 04 add ebp, 4 ; VM_EIP++ 00400DB7 49 dec ecx ; 58 00400DB8 81F9 9C000000 cmp ecx, 9C ; 9c,VM_exit 00400DBE 0F87 1B0E0000 ja 00401BDF 00400DC4 FF248D 901D4000 /jmp dword ptr [ecx4+401D90] ; ecx=code编号-1;code处理函数入口地址=ecx4+401d90 00400DCB 8B45 00 \|mov eax, dword ptr [ebp] 00400DCE 8B1C30 \|mov ebx, dword ptr [eax+esi] 00400DD1 83C5 04 \|add ebp, 4 00400DD4 895C24 10 \|mov dword ptr [esp+10], ebx 00400DD8 E9 E90D0000 \|jmp 00401BC6 00400DDD 8B45 00 \|mov eax, dword ptr [ebp] 00400DE0 8B3C30 \|mov edi, dword ptr [eax+esi] 00400DE3 83C5 04 \|add ebp, 4 00400DE6 897C24 20 \|mov dword ptr [esp+20], edi 00400DEA E9 D70D0000 \|jmp 00401BC6 00400DEF 8B45 00 \|mov eax, dword ptr [ebp] ; 取操作数;;VM_opcode 3a 00400DF2 8B5424 28 \|mov edx, dword ptr [esp+28] ; 从28号寄存器取数/堆栈底部 00400DF6 83C5 04 \|add ebp, 4 ; 指向下一指令 00400DF9 03C2 \|add eax, edx ; 栈顶指针 00400DFB 8B1C30 \|mov ebx, dword ptr [eax+esi] ; 从堆栈取数 00400DFE 895C24 10 \|mov dword ptr [esp+10], ebx ; 操作数送10号寄存器 00400E02 E9 BF0D0000 \|jmp 00401BC6 ; mov r10,[r28+C] 00400E07 8B45 00 \|mov eax, dword ptr [ebp] ; 取操作数 00400E0A 8B4C24 28 \|mov ecx, dword ptr [esp+28] ; 从28号寄存器取数 00400E0E 83C5 04 \|add ebp, 4 ; 校正下一指令地址,这是因为指令长度是可变的 00400E11 03C1 \|add eax, ecx ; 栈顶指针 00400E13 8B3C30 \|mov edi, dword ptr [eax+esi] ; 出栈 00400E16 897C24 20 \|mov dword ptr [esp+20], edi ; 送20号寄存器 00400E1A E9 A70D0000 \|jmp 00401BC6 ; mov r20,r28+c 00400E1F 8B45 00 \|mov eax, dword ptr [ebp] 00400E22 8B1430 \|mov edx, dword ptr [eax+esi] 00400E25 8B1C16 \|mov ebx, dword ptr [esi+edx] 00400E28 83C5 04 \|add ebp, 4 00400E2B 895C24 10 \|mov dword ptr [esp+10], ebx 00400E2F E9 920D0000 \|jmp 00401BC6 00400E34 8B45 00 \|mov eax, dword ptr [ebp] 00400E37 8B0430 \|mov eax, dword ptr [eax+esi] 00400E3A 8B3C06 \|mov edi, dword ptr [esi+eax] 00400E3D 83C5 04 \|add ebp, 4 00400E40 897C24 20 \|mov dword ptr [esp+20], edi 00400E44 E9 7D0D0000 \|jmp 00401BC6 00400E49 8B45 00 \|mov eax, dword ptr [ebp] 00400E4C 8B4C24 28 \|mov ecx, dword ptr [esp+28] 00400E50 83C5 04 \|add ebp, 4 00400E53 03C1 \|add eax, ecx 00400E55 8B1430 \|mov edx, dword ptr [eax+esi] 00400E58 8B1C16 \|mov ebx, dword ptr [esi+edx] 00400E5B 895C24 10 \|mov dword ptr [esp+10], ebx 00400E5F E9 620D0000 \|jmp 00401BC6 00400E64 8B45 00 \|mov eax, dword ptr [ebp] 00400E67 8B4C24 28 \|mov ecx, dword ptr [esp+28] 00400E6B 83C5 04 \|add ebp, 4 00400E6E 03C1 \|add eax, ecx 00400E70 8B1430 \|mov edx, dword ptr [eax+esi] 00400E73 8B3C16 \|mov edi, dword ptr [esi+edx] 00400E76 897C24 20 \|mov dword ptr [esp+20], edi 00400E7A E9 470D0000 \|jmp 00401BC6 00400E7F 8B45 00 \|mov eax, dword ptr [ebp] 00400E82 8B4C24 2C \|mov ecx, dword ptr [esp+2C] 00400E86 83C5 04 \|add ebp, 4 00400E89 3BD9 \|cmp ebx, ecx 00400E8B 7C 0A \|jl short 00400E97 00400E8D 3B5C24 14 \|cmp ebx, dword ptr [esp+14] 00400E91 0F8C 820D0000 \|jl 00401C19 00400E97 8B4C24 44 \|mov ecx, dword ptr [esp+44] 00400E9B 3B59 24 \|cmp ebx, dword ptr [ecx+24] 00400E9E 0F83 790D0000 \|jnb 00401C1D 00400EA4 48 \|dec eax ; Switch (cases 1..4) 00400EA5 74 25 \|je short 00400ECC 00400EA7 48 \|dec eax 00400EA8 74 15 \|je short 00400EBF 00400EAA 83E8 02 \|sub eax, 2 00400EAD 0F85 130D0000 \|jnz 00401BC6 00400EB3 8B1C33 \|mov ebx, dword ptr [ebx+esi] ; Case 4 of switch 00400EA4 00400EB6 895C24 10 \|mov dword ptr [esp+10], ebx 00400EBA E9 070D0000 \|jmp 00401BC6 00400EBF 0FB71C33 \|movzx ebx, word ptr [ebx+esi] ; Case 2 of switch 00400EA4 00400EC3 895C24 10 \|mov dword ptr [esp+10], ebx 00400EC7 E9 FA0C0000 \|jmp 00401BC6 00400ECC 0FB61C33 \|movzx ebx, byte ptr [ebx+esi] ; Case 1 of switch 00400EA4 00400ED0 895C24 10 \|mov dword ptr [esp+10], ebx 00400ED4 E9 ED0C0000 \|jmp 00401BC6 00400ED9 8B5D 00 \|mov ebx, dword ptr [ebp] ; VM_opcode 8B 00400EDC 895C24 10 \|mov dword ptr [esp+10], ebx 00400EE0 83C5 04 \|add ebp, 4 00400EE3 E9 DE0C0000 \|jmp 00401BC6 ; mov r10,C 00400EE8 8B7D 00 \|mov edi, dword ptr [ebp] ; 取操作数 00400EEB 897C24 20 \|mov dword ptr [esp+20], edi ; mov r20,edi 00400EEF 83C5 04 \|add ebp, 4 ; 下一指令 00400EF2 E9 CF0C0000 \|jmp 00401BC6 ; mov r20,c 00400EF7 8B5D 00 \|mov ebx, dword ptr [ebp] 00400EFA 8B4424 28 \|mov eax, dword ptr [esp+28] 00400EFE 83C5 04 \|add ebp, 4 00400F01 03D8 \|add ebx, eax 00400F03 895C24 10 \|mov dword ptr [esp+10], ebx 00400F07 E9 BA0C0000 \|jmp 00401BC6 00400F0C 8B7D 00 \|mov edi, dword ptr [ebp] 00400F0F 8B4424 28 \|mov eax, dword ptr [esp+28] 00400F13 83C5 04 \|add ebp, 4 00400F16 03F8 \|add edi, eax 00400F18 897C24 20 \|mov dword ptr [esp+20], edi 00400F1C E9 A50C0000 \|jmp 00401BC6 00400F21 8B45 00 \|mov eax, dword ptr [ebp] 00400F24 83C5 04 \|add ebp, 4 00400F27 891C30 \|mov dword ptr [eax+esi], ebx 00400F2A E9 930C0000 \|jmp 00401BC2 00400F2F 8B45 00 \|mov eax, dword ptr [ebp] 00400F32 83C5 04 \|add ebp, 4 00400F35 893C30 \|mov dword ptr [eax+esi], edi 00400F38 E9 850C0000 \|jmp 00401BC2 00400F3D 8B45 00 \|mov eax, dword ptr [ebp] ; 取操作数;op27 00400F40 8B4C24 28 \|mov ecx, dword ptr [esp+28] ; mov ecx,r28 00400F44 83C5 04 \|add ebp, 4 ; 指向下一指令 00400F47 03C1 \|add eax, ecx 00400F49 891C30 \|mov dword ptr [eax+esi], ebx ; mov [eax],ebx 00400F4C E9 710C0000 \|jmp 00401BC2 ; mov [r28+c],r10 00400F51 8B45 00 \|mov eax, dword ptr [ebp] 00400F54 8B5424 28 \|mov edx, dword ptr [esp+28] 00400F58 83C5 04 \|add ebp, 4 00400F5B 03C2 \|add eax, edx 00400F5D 893C30 \|mov dword ptr [eax+esi], edi 00400F60 E9 5D0C0000 \|jmp 00401BC2 00400F65 8B45 00 \|mov eax, dword ptr [ebp] 00400F68 8B0430 \|mov eax, dword ptr [eax+esi] 00400F6B 83C5 04 \|add ebp, 4 00400F6E 891C06 \|mov dword ptr [esi+eax], ebx 00400F71 E9 4C0C0000 \|jmp 00401BC2 00400F76 8B45 00 \|mov eax, dword ptr [ebp] 00400F79 8B0C30 \|mov ecx, dword ptr [eax+esi] 00400F7C 83C5 04 \|add ebp, 4 00400F7F 893C0E \|mov dword ptr [esi+ecx], edi 00400F82 E9 3B0C0000 \|jmp 00401BC2 00400F87 8B45 00 \|mov eax, dword ptr [ebp] 00400F8A 8B5424 28 \|mov edx, dword ptr [esp+28] 00400F8E 83C5 04 \|add ebp, 4 00400F91 03C2 \|add eax, edx 00400F93 8B0430 \|mov eax, dword ptr [eax+esi] 00400F96 891C06 \|mov dword ptr [esi+eax], ebx 00400F99 E9 240C0000 \|jmp 00401BC2 00400F9E 8B45 00 \|mov eax, dword ptr [ebp] 00400FA1 8B4C24 28 \|mov ecx, dword ptr [esp+28] 00400FA5 83C5 04 \|add ebp, 4 00400FA8 03C1 \|add eax, ecx 00400FAA 8B1430 \|mov edx, dword ptr [eax+esi] 00400FAD 893C16 \|mov dword ptr [esi+edx], edi 00400FB0 E9 0D0C0000 \|jmp 00401BC2 00400FB5 3B7C24 2C \|cmp edi, dword ptr [esp+2C] 00400FB9 7C 0A \|jl short 00400FC5 00400FBB 3B7C24 14 \|cmp edi, dword ptr [esp+14] 00400FBF 0F8C 350C0000 \|jl 00401BFA 00400FC5 8B4424 44 \|mov eax, dword ptr [esp+44] 00400FC9 3B78 24 \|cmp edi, dword ptr [eax+24] 00400FCC 0F83 2C0C0000 \|jnb 00401BFE 00400FD2 891C37 \|mov dword ptr [edi+esi], ebx 00400FD5 E9 E80B0000 \|jmp 00401BC2 00400FDA 8B45 00 \|mov eax, dword ptr [ebp] 00400FDD 8B4C24 2C \|mov ecx, dword ptr [esp+2C] 00400FE1 83C5 04 \|add ebp, 4 00400FE4 3BF9 \|cmp edi, ecx 00400FE6 7C 0A \|jl short 00400FF2 00400FE8 3B7C24 14 \|cmp edi, dword ptr [esp+14] 00400FEC 0F8C 270C0000 \|jl 00401C19 00400FF2 8B4C24 44 \|mov ecx, dword ptr [esp+44] 00400FF6 3B79 24 \|cmp edi, dword ptr [ecx+24] 00400FF9 0F83 1E0C0000 \|jnb 00401C1D 00400FFF 48 \|dec eax ; Switch (cases 1..4) 00401000 74 1D \|je short 0040101F 00401002 48 \|dec eax 00401003 74 11 \|je short 00401016 00401005 83E8 02 \|sub eax, 2 00401008 0F85 B80B0000 \|jnz 00401BC6 0040100E 891C37 \|mov dword ptr [edi+esi], ebx ; Case 4 of switch 00400FFF 00401011 E9 AC0B0000 \|jmp 00401BC2 00401016 66:891C37 \|mov word ptr [edi+esi], bx ; Case 2 of switch 00400FFF 0040101A E9 A30B0000 \|jmp 00401BC2 0040101F 881C37 \|mov byte ptr [edi+esi], bl ; Case 1 of switch 00400FFF 00401022 E9 9B0B0000 \|jmp 00401BC2 00401027 8D1C9F \|lea ebx, dword ptr [edi+ebx4] 0040102A EB 0A \|jmp short 00401036 0040102C 8B4D 00 \|mov ecx, dword ptr [ebp] 0040102F D3E3 \|shl ebx, cl 00401031 83C5 04 \|add ebp, 4 00401034 03DF \|add ebx, edi 00401036 3B5C24 2C \|cmp ebx, dword ptr [esp+2C] ; opcode=97;;cmp r10,r2c 0040103A 7C 0A \|jl short 00401046 0040103C 3B5C24 14 \|cmp ebx, dword ptr [esp+14] 00401040 0F8C B40B0000 \|jl 00401BFA 00401046 8B4424 44 \|mov eax, dword ptr [esp+44] ; mov,r44 0040104A 3B58 24 \|cmp ebx, dword ptr [eax+24] ; cmp r10,r2c 0040104D 0F83 AB0B0000 \|jnb 00401BFE 00401053 8B1C33 \|mov ebx, dword ptr [ebx+esi] ; offiset 400='s' 00401056 895C24 10 \|mov dword ptr [esp+10], ebx ; 操作数送10号寄存器/mov[reg,bx] 0040105A E9 670B0000 \|jmp 00401BC6 ; mov r10,ds:[r10] 0040105F 8D1C9F \|lea ebx, dword ptr [edi+ebx4] ; 指令10/取offiset400 00401062 895C24 10 \|mov dword ptr [esp+10], ebx ; 送10号寄存器 00401066 E9 5B0B0000 \|jmp 00401BC6 ; lea r10,[r104+r20] 0040106B 8B4D 00 \|mov ecx, dword ptr [ebp] 0040106E 83C5 04 \|add ebp, 4 00401071 D3E3 \|shl ebx, cl 00401073 03DF \|add ebx, edi ; VM_opcode 34 00401075 895C24 10 \|mov dword ptr [esp+10], ebx ; add r10,r20 00401079 E9 480B0000 \|jmp 00401BC6 0040107E 8B45 00 \|mov eax, dword ptr [ebp] 00401081 83C5 04 \|add ebp, 4 00401084 83F8 04 \|cmp eax, 4 00401087 0F83 390B0000 \|jnb 00401BC6 0040108D B9 04000000 \|mov ecx, 4 00401092 2BC8 \|sub ecx, eax 00401094 33D9 \|xor ebx, ecx 00401096 895C24 10 \|mov dword ptr [esp+10], ebx 0040109A E9 270B0000 \|jmp 00401BC6 0040109F 8B45 00 \|mov eax, dword ptr [ebp] 004010A2 83C5 04 \|add ebp, 4 004010A5 83F8 04 \|cmp eax, 4 004010A8 0F83 180B0000 \|jnb 00401BC6 004010AE BA 04000000 \|mov edx, 4 004010B3 2BD0 \|sub edx, eax 004010B5 33FA \|xor edi, edx 004010B7 897C24 20 \|mov dword ptr [esp+20], edi 004010BB E9 060B0000 \|jmp 00401BC6 004010C0 8B45 00 \|mov eax, dword ptr [ebp] 004010C3 83C5 04 \|add ebp, 4 004010C6 83F8 06 \|cmp eax, 6 ; Switch (cases 0..6) 004010C9 0F87 F70A0000 \|ja 00401BC6 004010CF FF2485 04204000 \|jmp dword ptr [eax4+402004] 004010D6 8B4424 34 \|mov eax, dword ptr [esp+34] ; Case 0 of switch 004010C6 004010DA 8B58 0C \|mov ebx, dword ptr [eax+C] 004010DD 895C24 10 \|mov dword ptr [esp+10], ebx 004010E1 E9 E00A0000 \|jmp 00401BC6 004010E6 8B4C24 34 \|mov ecx, dword ptr [esp+34] ; Case 1 of switch 004010C6 004010EA 8B59 10 \|mov ebx, dword ptr [ecx+10] 004010ED 895C24 10 \|mov dword ptr [esp+10], ebx 004010F1 E9 D00A0000 \|jmp 00401BC6 004010F6 8B5C24 2C \|mov ebx, dword ptr [esp+2C] ; Case 2 of switch 004010C6 004010FA 895C24 10 \|mov dword ptr [esp+10], ebx 004010FE E9 C30A0000 \|jmp 00401BC6 00401103 8B5424 44 \|mov edx, dword ptr [esp+44] ; Case 3 of switch 004010C6 00401107 8B5A 24 \|mov ebx, dword ptr [edx+24] 0040110A 895C24 10 \|mov dword ptr [esp+10], ebx 0040110E E9 B30A0000 \|jmp 00401BC6 00401113 8B5C24 14 \|mov ebx, dword ptr [esp+14] ; Case 4 of switch 004010C6 00401117 895C24 10 \|mov dword ptr [esp+10], ebx 0040111B E9 A60A0000 \|jmp 00401BC6 00401120 8B5C24 28 \|mov ebx, dword ptr [esp+28] ; Case 5 of switch 004010C6 00401124 895C24 10 \|mov dword ptr [esp+10], ebx 00401128 E9 990A0000 \|jmp 00401BC6 0040112D 8B4424 24 \|mov eax, dword ptr [esp+24] ; Case 6 of switch 004010C6 00401131 8BDD \|mov ebx, ebp 00401133 2BD8 \|sub ebx, eax 00401135 895C24 10 \|mov dword ptr [esp+10], ebx 00401139 E9 880A0000 \|jmp 00401BC6 0040113E 8B45 00 \|mov eax, dword ptr [ebp] 00401141 83C0 FE \|add eax, -2 00401144 83C5 04 \|add ebp, 4 00401147 83F8 04 \|cmp eax, 4 ; Switch (cases 0..4) 0040114A 0F87 760A0000 \|ja 00401BC6 00401150 FF2485 20204000 \|jmp dword ptr [eax4+402020] 00401157 895C24 2C \|mov dword ptr [esp+2C], ebx ; Case 0 of switch 00401147 0040115B E9 660A0000 \|jmp 00401BC6 00401160 895C24 14 \|mov dword ptr [esp+14], ebx ; Case 2 of switch 00401147 00401164 E9 5D0A0000 \|jmp 00401BC6 00401169 895C24 28 \|mov dword ptr [esp+28], ebx ; Case 3 of switch 00401147 0040116D E9 540A0000 \|jmp 00401BC6 00401172 8B4424 24 \|mov eax, dword ptr [esp+24] ; Case 4 of switch 00401147 00401176 8D2C03 \|lea ebp, dword ptr [ebx+eax] 00401179 E9 480A0000 \|jmp 00401BC6 0040117E 8BDF \|mov ebx, edi ; VM_opcode 3c 00401180 895C24 10 \|mov dword ptr [esp+10], ebx 00401184 E9 3D0A0000 \|jmp 00401BC6 ; mov r10,r20 00401189 8BFB \|mov edi, ebx 0040118B 897C24 20 \|mov dword ptr [esp+20], edi 0040118F E9 320A0000 \|jmp 00401BC6 00401194 8BC3 \|mov eax, ebx 00401196 8BDF \|mov ebx, edi 00401198 8BF8 \|mov edi, eax 0040119A 895C24 10 \|mov dword ptr [esp+10], ebx 0040119E 897C24 20 \|mov dword ptr [esp+20], edi 004011A2 E9 1F0A0000 \|jmp 00401BC6 004011A7 8B4424 14 \|mov eax, dword ptr [esp+14] ; 取栈顶指针mov eax,r14 004011AB 83E8 04 \|sub eax, 4 ; -4 004011AE 894424 14 \|mov dword ptr [esp+14], eax ; 修改栈顶指针mov r14,eax 004011B2 891C30 \|mov dword ptr [eax+esi], ebx ; 入栈push ebx/movebx,r10,esi指向栈底 004011B5 E9 080A0000 \|jmp 00401BC2 ; push r10 004011BA 8B4424 14 \|mov eax, dword ptr [esp+14] 004011BE 83E8 04 \|sub eax, 4 004011C1 894424 14 \|mov dword ptr [esp+14], eax 004011C5 893C30 \|mov dword ptr [eax+esi], edi 004011C8 E9 F5090000 \|jmp 00401BC2 004011CD 8B4D 00 \|mov ecx, dword ptr [ebp] ; 取操作数 004011D0 8B4424 14 \|mov eax, dword ptr [esp+14] ; mov eax,r14 004011D4 83C5 04 \|add ebp, 4 ; 指向下一条指令 004011D7 83E8 04 \|sub eax, 4 ; sub r14,4 004011DA 894424 14 \|mov dword ptr [esp+14], eax ; 更新栈顶指针 004011DE 890C30 \|mov dword ptr [eax+esi], ecx ; 操作数入栈 004011E1 E9 DC090000 \|jmp 00401BC2 ; push C 004011E6 8B4D 00 \|mov ecx, dword ptr [ebp] 004011E9 83C5 04 \|add ebp, 4 004011EC 85C9 \|test ecx, ecx 004011EE 0F84 D2090000 \|je 00401BC6 004011F4 8B4424 14 \|mov eax, dword ptr [esp+14] 004011F8 8B5424 30 \|mov edx, dword ptr [esp+30] 004011FC 8D6424 00 \|lea esp, dword ptr [esp] 00401200 83E8 04 \|/sub eax, 4 00401203 49 \|\|dec ecx 00401204 891C10 \|\|mov dword ptr [eax+edx], ebx 00401207 8B5C24 10 \|\|mov ebx, dword ptr [esp+10] 0040120B ^ 75 F3 \|\jnz short 00401200 0040120D 8B7424 30 \|mov esi, dword ptr [esp+30] 00401211 8B7C24 20 \|mov edi, dword ptr [esp+20] 00401215 894424 14 \|mov dword ptr [esp+14], eax 00401219 E9 A8090000 \|jmp 00401BC6 0040121E 8B4D 00 \|mov ecx, dword ptr [ebp] 00401221 8B4424 14 \|mov eax, dword ptr [esp+14] 00401225 8B0C31 \|mov ecx, dword ptr [ecx+esi] 00401228 83C5 04 \|add ebp, 4 0040122B 83E8 04 \|sub eax, 4 0040122E 894424 14 \|mov dword ptr [esp+14], eax 00401232 890C30 \|mov dword ptr [eax+esi], ecx 00401235 E9 88090000 \|jmp 00401BC2 0040123A 8B45 00 \|mov eax, dword ptr [ebp] 0040123D 8B4C24 14 \|mov ecx, dword ptr [esp+14] 00401241 8B5424 28 \|mov edx, dword ptr [esp+28] 00401245 83E9 04 \|sub ecx, 4 00401248 83C5 04 \|add ebp, 4 0040124B 03C2 \|add eax, edx 0040124D 8B0430 \|mov eax, dword ptr [eax+esi] 00401250 894C24 14 \|mov dword ptr [esp+14], ecx 00401254 890431 \|mov dword ptr [ecx+esi], eax 00401257 E9 66090000 \|jmp 00401BC2 0040125C 8B4424 14 \|mov eax, dword ptr [esp+14] 00401260 8B1C30 \|mov ebx, dword ptr [eax+esi] 00401263 83C0 04 \|add eax, 4 00401266 895C24 10 \|mov dword ptr [esp+10], ebx 0040126A 894424 14 \|mov dword ptr [esp+14], eax 0040126E E9 53090000 \|jmp 00401BC6 00401273 8B4424 14 \|mov eax, dword ptr [esp+14] ; 取栈顶指针;mov eax,r14 00401277 8B3C30 \|mov edi, dword ptr [eax+esi] ; mov edi,[r14] 0040127A 83C0 04 \|add eax, 4 ; 栈顶指针+4 0040127D 897C24 20 \|mov dword ptr [esp+20], edi ; mov r20,edi 00401281 894424 14 \|mov dword ptr [esp+14], eax ; 修改栈顶指针;op47 00401285 E9 3C090000 \|jmp 00401BC6 ; pop r20 0040128A 8B4424 14 \|mov eax, dword ptr [esp+14] ; mov eax,r14 0040128E 8B4D 00 \|mov ecx, dword ptr [ebp] ; 取操作数;mov ecx,c 00401291 8BF8 \|mov edi, eax ; mov edi,r14 00401293 03C1 \|add eax, ecx ; add eax,c 00401295 8B4C24 2C \|mov ecx, dword ptr [esp+2C] ; mov r2c,ecx 00401299 83C1 40 \|add ecx, 40 ; add,ecx,40 0040129C 83C5 04 \|add ebp, 4 ; 指向下一个指令 0040129F 3BC8 \|cmp ecx, eax ; cmp r2c+40,r14+c 004012A1 897C24 20 \|mov dword ptr [esp+20], edi ; mov r20,r14 004012A5 894424 14 \|mov dword ptr [esp+14], eax ; mov r14 ,r14+c 004012A9 ^ 0F8F F5FAFFFF \|jg 00400DA4 ; if r2c+40<r14+c then VM_exit 004012AF 8B5424 44 \|mov edx, dword ptr [esp+44] 004012B3 3B42 24 \|cmp eax, dword ptr [edx+24] 004012B6 ^ 0F8F 84FAFFFF \|jg 00400D40 ; if r14+c>[r44+24] then VM_exit 004012BC E9 05090000 \|jmp 00401BC6 ; mov r20,r14;mov r14,r14+c; 004012C1 8B4424 2C \|mov eax, dword ptr [esp+2C] 004012C5 8B4D 00 \|mov ecx, dword ptr [ebp] 004012C8 8B5424 14 \|mov edx, dword ptr [esp+14] 004012CC 8BF8 \|mov edi, eax 004012CE 03C1 \|add eax, ecx 004012D0 8D48 40 \|lea ecx, dword ptr [eax+40] 004012D3 83C5 04 \|add ebp, 4 004012D6 3BCA \|cmp ecx, edx 004012D8 897C24 20 \|mov dword ptr [esp+20], edi 004012DC 894424 2C \|mov dword ptr [esp+2C], eax 004012E0 ^ 0F8F BEFAFFFF \|jg 00400DA4 004012E6 8B5424 44 \|mov edx, dword ptr [esp+44] 004012EA 3B42 1C \|cmp eax, dword ptr [edx+1C] 004012ED ^ 0F8C 63FAFFFF \|jl 00400D56 004012F3 E9 CE080000 \|jmp 00401BC6 004012F8 8B4424 14 \|mov eax, dword ptr [esp+14] ; mov eax,r14;;VM_esp=[esp+14] 004012FC 8B5424 2C \|mov edx, dword ptr [esp+2C] ; mov edx,r2c 00401300 8B4C24 28 \|mov ecx, dword ptr [esp+28] ; mov ecx,r28 00401304 83E8 04 \|sub eax, 4 ; r14-4 00401307 83C2 40 \|add edx, 40 0040130A 3BD0 \|cmp edx, eax ; if r2c+40>r14-4 then 0040130C 894424 14 \|mov dword ptr [esp+14], eax ; mov r14,r14-4 00401310 890C30 \|mov dword ptr [eax+esi], ecx ; mov [r14-4],r28 00401313 894424 28 \|mov dword ptr [esp+28], eax ; mov r28,r14-4 00401317 ^ 0F8F 87FAFFFF \|jg 00400DA4 ; sub r14,4;;push r28;;mov r28,r14-4 0040131D E9 A0080000 \|jmp 00401BC2 00401322 8B4424 14 \|mov eax, dword ptr [esp+14] 00401326 8B0C30 \|mov ecx, dword ptr [eax+esi] 00401329 8B6C30 04 \|mov ebp, dword ptr [eax+esi+4] 0040132D 83C0 04 \|add eax, 4 00401330 83C0 04 \|add eax, 4 00401333 894424 14 \|mov dword ptr [esp+14], eax 00401337 3B6C24 38 \|cmp ebp, dword ptr [esp+38] 0040133B 894C24 28 \|mov dword ptr [esp+28], ecx 0040133F 0F83 F3080000 \|jnb 00401C38 00401345 8B5424 24 \|mov edx, dword ptr [esp+24] 00401349 03EA \|add ebp, edx 0040134B E9 76080000 \|jmp 00401BC6 00401350 8B4424 14 \|mov eax, dword ptr [esp+14] ; 取栈顶指针mov eax,r14 00401354 8B0C30 \|mov ecx, dword ptr [eax+esi] ; 取栈顶元素mov ecx,[r14] 00401357 8B6C30 04 \|mov ebp, dword ptr [eax+esi+4] ; 取栈顶第二个元素mov ebp,[r14+4] 0040135B 83C0 04 \|add eax, 4 ; add eax,4 0040135E 894C24 28 \|mov dword ptr [esp+28], ecx ; 栈顶元素送r28 mov r28,ecx 00401362 8B4C24 38 \|mov ecx, dword ptr [esp+38] ; mov ecx,r38 00401366 83C0 04 \|add eax, 4 ; add eax,4 00401369 3BE9 \|cmp ebp, ecx 0040136B 0F83 C7080000 \|jnb 00401C38 ; if [r14+4]>r28 then VM_exit 00401371 8B5424 24 \|mov edx, dword ptr [esp+24] ; mov edx,r24 00401375 8B0C30 \|mov ecx, dword ptr [eax+esi] ; 取栈顶第三个元素mov ecx,[r14+8] 00401378 03EA \|add ebp, edx ; add ebp,r24;;VM_EIP+r24+栈顶第二个的元素 0040137A 8B5424 44 \|mov edx, dword ptr [esp+44] ; mov edx,r44 0040137E 8D4408 04 \|lea eax, dword ptr [eax+ecx+4] ; lea eax,[r14+8+[r14+8]+4]；；ecx=4 00401382 894424 14 \|mov dword ptr [esp+14], eax ; 栈顶指针指向原第5个元素mov r14,eax；；r14=r14+16 00401386 8942 20 \|mov dword ptr [edx+20], eax ; mov [r44+20],eax 00401389 E9 38080000 \|jmp 00401BC6 ; mov [r44+20],[r14+8+[r14+8]+4];;mov r14,[r14+8+[r14+8]+4];pop VM_EIP 0040138E 8B4C24 24 \|mov ecx, dword ptr [esp+24] 00401392 8B4424 14 \|mov eax, dword ptr [esp+14] 00401396 8BD5 \|mov edx, ebp 00401398 2BD1 \|sub edx, ecx 0040139A 83E8 04 \|sub eax, 4 0040139D 83C2 04 \|add edx, 4 004013A0 891430 \|mov dword ptr [eax+esi], edx 004013A3 8B6D 00 \|mov ebp, dword ptr [ebp] 004013A6 894424 14 \|mov dword ptr [esp+14], eax 004013AA 03E9 \|add ebp, ecx 004013AC E9 11080000 \|jmp 00401BC2 004013B1 8B4424 14 \|mov eax, dword ptr [esp+14] 004013B5 8B4C24 24 \|mov ecx, dword ptr [esp+24] 004013B9 83E8 04 \|sub eax, 4 004013BC 2BE9 \|sub ebp, ecx 004013BE 892C30 \|mov dword ptr [eax+esi], ebp 004013C1 8B5C24 10 \|mov ebx, dword ptr [esp+10] 004013C5 894424 14 \|mov dword ptr [esp+14], eax 004013C9 8D2C0B \|lea ebp, dword ptr [ebx+ecx] 004013CC E9 F5070000 \|jmp 00401BC6 004013D1 85DB \|test ebx, ebx ; op82 004013D3 ^ 0F85 16FBFFFF \|jnz 00400EEF ; if r10=0 then goto 004013D9 8B6D 00 \|mov ebp, dword ptr [ebp] 004013DC 036C24 24 \|add ebp, dword ptr [esp+24] ; jz c ;;r24 004013E0 E9 E1070000 \|jmp 00401BC6 004013E5 85DB \|test ebx, ebx 004013E7 ^ 0F84 02FBFFFF \|je 00400EEF ; jne c 004013ED 8B6D 00 \|mov ebp, dword ptr [ebp] 004013F0 036C24 24 \|add ebp, dword ptr [esp+24] 004013F4 E9 CD070000 \|jmp 00401BC6 004013F9 3BDF \|cmp ebx, edi 004013FB ^ 0F85 EEFAFFFF \|jnz 00400EEF 00401401 8B6D 00 \|mov ebp, dword ptr [ebp] 00401404 036C24 24 \|add ebp, dword ptr [esp+24] 00401408 E9 B9070000 \|jmp 00401BC6 0040140D 3BDF \|cmp ebx, edi 0040140F ^ 0F84 DAFAFFFF \|je 00400EEF 00401415 8B6D 00 \|mov ebp, dword ptr [ebp] 00401418 036C24 24 \|add ebp, dword ptr [esp+24] 0040141C E9 A5070000 \|jmp 00401BC6 00401421 3BDF \|cmp ebx, edi 00401423 ^ 0F83 C6FAFFFF \|jnb 00400EEF 00401429 8B6D 00 \|mov ebp, dword ptr [ebp] 0040142C 036C24 24 \|add ebp, dword ptr [esp+24] 00401430 E9 91070000 \|jmp 00401BC6 00401435 3BDF \|cmp ebx, edi 00401437 ^ 0F87 B2FAFFFF \|ja 00400EEF 0040143D 8B6D 00 \|mov ebp, dword ptr [ebp] 00401440 036C24 24 \|add ebp, dword ptr [esp+24] 00401444 E9 7D070000 \|jmp 00401BC6 00401449 3BDF \|cmp ebx, edi 0040144B ^ 0F86 9EFAFFFF \|jbe 00400EEF 00401451 8B6D 00 \|mov ebp, dword ptr [ebp] 00401454 036C24 24 \|add ebp, dword ptr [esp+24] 00401458 E9 69070000 \|jmp 00401BC6 0040145D 3BDF \|cmp ebx, edi 0040145F ^ 0F82 8AFAFFFF \|jb 00400EEF 00401465 8B6D 00 \|mov ebp, dword ptr [ebp] 00401468 036C24 24 \|add ebp, dword ptr [esp+24] 0040146C E9 55070000 \|jmp 00401BC6 00401471 3BDF \|cmp ebx, edi 00401473 ^ 0F8D 76FAFFFF \|jge 00400EEF 00401479 8B6D 00 \|mov ebp, dword ptr [ebp] 0040147C 036C24 24 \|add ebp, dword ptr [esp+24] 00401480 E9 41070000 \|jmp 00401BC6 00401485 3BDF \|cmp ebx, edi 00401487 ^ 0F8F 62FAFFFF \|jg 00400EEF 0040148D 8B6D 00 \|mov ebp, dword ptr [ebp] 00401490 036C24 24 \|add ebp, dword ptr [esp+24] 00401494 E9 2D070000 \|jmp 00401BC6 00401499 3BDF \|cmp ebx, edi 0040149B ^ 0F8E 4EFAFFFF \|jle 00400EEF 004014A1 8B6D 00 \|mov ebp, dword ptr [ebp] 004014A4 036C24 24 \|add ebp, dword ptr [esp+24] 004014A8 E9 19070000 \|jmp 00401BC6 004014AD 3BDF \|cmp ebx, edi 004014AF ^ 0F8C 3AFAFFFF \|jl 00400EEF 004014B5 8B6D 00 \|mov ebp, dword ptr [ebp] ; 取操作数;;op39 004014B8 036C24 24 \|add ebp, dword ptr [esp+24] ; add ebp,ebp+r24 004014BC E9 05070000 \|jmp 00401BC6 ; add ebp,ebp+r24 004014C1 8BCF \|mov ecx, edi ; VM_opcode 35 004014C3 D3E3 \|shl ebx, cl ; shl,ebx,edi 004014C5 895C24 10 \|mov dword ptr [esp+10], ebx ; mov r10,ebx 004014C9 E9 F8060000 \|jmp 00401BC6 ; shl r10,r20 004014CE 8BCF \|mov ecx, edi 004014D0 D3EB \|shr ebx, cl 004014D2 895C24 10 \|mov dword ptr [esp+10], ebx 004014D6 E9 EB060000 \|jmp 00401BC6 ; shr r10,r20 004014DB 8BCF \|mov ecx, edi 004014DD D3FB \|sar ebx, cl 004014DF 895C24 10 \|mov dword ptr [esp+10], ebx 004014E3 E9 DE060000 \|jmp 00401BC6 004014E8 8B4D 00 \|mov ecx, dword ptr [ebp] 004014EB 83C5 04 \|add ebp, 4 004014EE D3E3 \|shl ebx, cl 004014F0 895C24 10 \|mov dword ptr [esp+10], ebx 004014F4 E9 CD060000 \|jmp 00401BC6 004014F9 8B4D 00 \|mov ecx, dword ptr [ebp] 004014FC 83C5 04 \|add ebp, 4 004014FF D3E7 \|shl edi, cl 00401501 897C24 20 \|mov dword ptr [esp+20], edi 00401505 E9 BC060000 \|jmp 00401BC6 0040150A 8B4D 00 \|mov ecx, dword ptr [ebp] 0040150D 83C5 04 \|add ebp, 4 00401510 D3EB \|shr ebx, cl 00401512 895C24 10 \|mov dword ptr [esp+10], ebx 00401516 E9 AB060000 \|jmp 00401BC6 0040151B 8B4D 00 \|mov ecx, dword ptr [ebp] 0040151E 83C5 04 \|add ebp, 4 00401521 D3EF \|shr edi, cl 00401523 897C24 20 \|mov dword ptr [esp+20], edi 00401527 E9 9A060000 \|jmp 00401BC6 0040152C 85FF \|test edi, edi 0040152E 0F84 23070000 \|je 00401C57 00401534 8BC3 \|mov eax, ebx 00401536 99 \|cdq 00401537 F7FF \|idiv edi 00401539 8BCF \|mov ecx, edi 0040153B 8BD8 \|mov ebx, eax 0040153D 99 \|cdq 0040153E F7FF \|idiv edi 00401540 895C24 10 \|mov dword ptr [esp+10], ebx 00401544 8BFA \|mov edi, edx 00401546 85FF \|test edi, edi 00401548 897C24 20 \|mov dword ptr [esp+20], edi 0040154C 0F84 74060000 \|je 00401BC6 00401552 8BD1 \|mov edx, ecx 00401554 33D7 \|xor edx, edi 00401556 0F8D 6A060000 \|jge 00401BC6 0040155C 4B \|dec ebx 0040155D 03F9 \|add edi, ecx 0040155F 895C24 10 \|mov dword ptr [esp+10], ebx 00401563 897C24 20 \|mov dword ptr [esp+20], edi 00401567 E9 5A060000 \|jmp 00401BC6 0040156C 85DB \|test ebx, ebx ; VM_opcode 30 0040156E 0F84 E3060000 \|je 00401C57 00401574 8BC7 \|mov eax, edi ; r20 00401576 99 \|cdq 00401577 F7FB \|idiv ebx ; /r10 00401579 8BCB \|mov ecx, ebx 0040157B 8BD8 \|mov ebx, eax 0040157D 8BC7 \|mov eax, edi ; r20 0040157F 99 \|cdq 00401580 F7F9 \|idiv ecx ; /r10 00401582 895C24 10 \|mov dword ptr [esp+10], ebx ; 第一步的商 00401586 8BFA \|mov edi, edx ; 余数 00401588 85FF \|test edi, edi 0040158A 897C24 20 \|mov dword ptr [esp+20], edi ; r20=余数 0040158E 0F84 32060000 \|je 00401BC6 ; 余数为0返回 00401594 8BC1 \|mov eax, ecx ; 除数 00401596 33C7 \|xor eax, edi ; xor 除数，原数 00401598 0F8D 28060000 \|jge 00401BC6 0040159E 4B \|dec ebx 0040159F 03F9 \|add edi, ecx ; 原数+除数 004015A1 895C24 10 \|mov dword ptr [esp+10], ebx ; mov r10,商减一 004015A5 897C24 20 \|mov dword ptr [esp+20], edi ; 原数+除数 004015A9 E9 18060000 jmp 00401BC6 ; idiv r20,r10;返回:r20余数，r10商；以上是有符号数除法? 004015AE 0FAFDF \|imul ebx, edi 004015B1 895C24 10 \|mov dword ptr [esp+10], ebx 004015B5 E9 0C060000 \|jmp 00401BC6 004015BA 85FF \|test edi, edi 004015BC 0F84 95060000 \|je 00401C57 004015C2 8BC3 \|mov eax, ebx 004015C4 33D2 \|xor edx, edx 004015C6 F7F7 \|div edi 004015C8 8BD8 \|mov ebx, eax 004015CA 8BFA \|mov edi, edx 004015CC 895C24 10 \|mov dword ptr [esp+10], ebx 004015D0 897C24 20 \|mov dword ptr [esp+20], edi 004015D4 E9 ED050000 \|jmp 00401BC6 004015D9 85DB \|test ebx, ebx 004015DB 0F84 76060000 \|je 00401C57 004015E1 8BC7 \|mov eax, edi 004015E3 33D2 \|xor edx, edx 004015E5 F7F3 \|div ebx 004015E7 8BD8 \|mov ebx, eax 004015E9 8BFA \|mov edi, edx 004015EB 895C24 10 \|mov dword ptr [esp+10], ebx 004015EF 897C24 20 \|mov dword ptr [esp+20], edi 004015F3 E9 CE050000 \|jmp 00401BC6 004015F8 2BDF \|sub ebx, edi 004015FA 895C24 10 \|mov dword ptr [esp+10], ebx 004015FE E9 C3050000 \|jmp 00401BC6 00401603 8BCF \|mov ecx, edi 00401605 2BCB \|sub ecx, ebx 00401607 8BD9 \|mov ebx, ecx 00401609 895C24 10 \|mov dword ptr [esp+10], ebx 0040160D E9 B4050000 \|jmp 00401BC6 00401612 23DF \|and ebx, edi ; op4a 00401614 895C24 10 \|mov dword ptr [esp+10], ebx ; and r10,r20 00401618 E9 A9050000 \|jmp 00401BC6 0040161D 0BDF \|or ebx, edi 0040161F 895C24 10 \|mov dword ptr [esp+10], ebx 00401623 E9 9E050000 \|jmp 00401BC6 00401628 33DF \|xor ebx, edi ; ;op77 0040162A 895C24 10 \|mov dword ptr [esp+10], ebx ; mov r10,ebx 0040162E E9 93050000 \|jmp 00401BC6 ; xor r10,r20 00401633 33D2 \|xor edx, edx 00401635 85DB \|test ebx, ebx 00401637 0F94C2 \|sete dl 0040163A 8BDA \|mov ebx, edx 0040163C 895C24 10 \|mov dword ptr [esp+10], ebx 00401640 E9 81050000 \|jmp 00401BC6 00401645 F7D3 \|not ebx 00401647 895C24 10 \|mov dword ptr [esp+10], ebx ; mov r10,ebx 0040164B E9 76050000 \|jmp 00401BC6 ; not r10 00401650 8B45 00 \|mov eax, dword ptr [ebp] ; 取操作数 00401653 83C5 04 \|add ebp, 4 00401656 03D8 \|add ebx, eax 00401658 895C24 10 \|mov dword ptr [esp+10], ebx 0040165C E9 65050000 \|jmp 00401BC6 ; add r10,C 00401661 8B45 00 \|mov eax, dword ptr [ebp] ; 取操作数;;VM_opcode 75 00401664 83C5 04 \|add ebp, 4 ; 指向下一条指令 00401667 0FAFC3 \|imul eax, ebx ; 操作数bx 0040166A 8BD8 \|mov ebx, eax ; 保持ebx,r10同步 0040166C 895C24 10 \|mov dword ptr [esp+10], ebx ; mov r10,ebx 00401670 E9 51050000 \|jmp 00401BC6 ; imul r10,c 00401675 33DB \|xor ebx, ebx ; VM_opcode 7f 00401677 895C24 10 \|mov dword ptr [esp+10], ebx 0040167B E9 46050000 \|jmp 00401BC6 ; xor r10,r10 00401680 33FF \|xor edi, edi 00401682 897C24 20 \|mov dword ptr [esp+20], edi 00401686 E9 3B050000 \|jmp 00401BC6 0040168B 8B45 00 \|mov eax, dword ptr [ebp] 0040168E 83C5 04 \|add ebp, 4 00401691 C70430 00000000 \|mov dword ptr [eax+esi], 0 00401698 E9 25050000 \|jmp 00401BC2 0040169D 8B45 00 \|mov eax, dword ptr [ebp] 004016A0 8B4C24 28 \|mov ecx, dword ptr [esp+28] 004016A4 83C5 04 \|add ebp, 4 004016A7 03C1 \|add eax, ecx 004016A9 C70430 00000000 \|mov dword ptr [eax+esi], 0 004016B0 E9 0D050000 \|jmp 00401BC2 004016B5 8BD3 \|mov edx, ebx 004016B7 81E2 FF000000 \|and edx, 0FF 004016BD 81FA 80000000 \|cmp edx, 80 004016C3 0F8C FD040000 \|jl 00401BC6 004016C9 81CB 00FFFFFF \|or ebx, FFFFFF00 004016CF 895C24 10 \|mov dword ptr [esp+10], ebx 004016D3 E9 EE040000 \|jmp 00401BC6 004016D8 8BC7 \|mov eax, edi 004016DA 25 FF000000 \|and eax, 0FF 004016DF 3D 80000000 \|cmp eax, 80 004016E4 0F8C DC040000 \|jl 00401BC6 004016EA 81CF 00FFFFFF \|or edi, FFFFFF00 004016F0 897C24 20 \|mov dword ptr [esp+20], edi 004016F4 E9 CD040000 \|jmp 00401BC6 004016F9 33C9 \|xor ecx, ecx 004016FB 3BDF \|cmp ebx, edi 004016FD 0F94C1 \|sete cl 00401700 8BD9 \|mov ebx, ecx 00401702 895C24 10 \|mov dword ptr [esp+10], ebx 00401706 E9 BB040000 \|jmp 00401BC6 0040170B 33D2 \|xor edx, edx 0040170D 3BDF \|cmp ebx, edi 0040170F 0F95C2 \|setne dl 00401712 8BDA \|mov ebx, edx 00401714 895C24 10 \|mov dword ptr [esp+10], ebx 00401718 E9 A9040000 \|jmp 00401BC6 0040171D 3BDF \|cmp ebx, edi 0040171F 1BDB \|sbb ebx, ebx 00401721 F7DB \|neg ebx 00401723 895C24 10 \|mov dword ptr [esp+10], ebx 00401727 E9 9A040000 \|jmp 00401BC6 2007-6-21 01:00 0
seya 雪币： 328 活跃值： (10) 能力值： ( LV9，RANK：210 ) 在线值：发帖 17 回帖 134 粉丝 0 关注私信	seya 5 4 楼 0040172C 3BFB \|cmp edi, ebx 0040172E 1BDB \|sbb ebx, ebx 00401730 43 \|inc ebx 00401731 895C24 10 \|mov dword ptr [esp+10], ebx 00401735 E9 8C040000 \|jmp 00401BC6 0040173A 3BFB \|cmp edi, ebx 0040173C 1BDB \|sbb ebx, ebx 0040173E F7DB \|neg ebx 00401740 895C24 10 \|mov dword ptr [esp+10], ebx 00401744 E9 7D040000 \|jmp 00401BC6 00401749 3BDF \|cmp ebx, edi 0040174B 1BDB \|sbb ebx, ebx 0040174D 43 \|inc ebx 0040174E 895C24 10 \|mov dword ptr [esp+10], ebx 00401752 E9 6F040000 \|jmp 00401BC6 00401757 33C0 \|xor eax, eax 00401759 3BDF \|cmp ebx, edi 0040175B 0F9CC0 \|setl al 0040175E 8BD8 \|mov ebx, eax 00401760 895C24 10 \|mov dword ptr [esp+10], ebx 00401764 E9 5D040000 \|jmp 00401BC6 00401769 33C9 \|xor ecx, ecx 0040176B 3BDF \|cmp ebx, edi 0040176D 0F9EC1 \|setle cl 00401770 8BD9 \|mov ebx, ecx 00401772 895C24 10 \|mov dword ptr [esp+10], ebx 00401776 E9 4B040000 \|jmp 00401BC6 0040177B 33D2 \|xor edx, edx 0040177D 3BDF \|cmp ebx, edi 0040177F 0F9FC2 \|setg dl 00401782 8BDA \|mov ebx, edx 00401784 895C24 10 \|mov dword ptr [esp+10], ebx 00401788 E9 39040000 \|jmp 00401BC6 0040178D 33C0 \|xor eax, eax 0040178F 3BDF \|cmp ebx, edi 00401791 0F9DC0 \|setge al 00401794 8BD8 \|mov ebx, eax 00401796 895C24 10 \|mov dword ptr [esp+10], ebx 0040179A E9 27040000 \|jmp 00401BC6 0040179F 8B45 00 \|mov eax, dword ptr [ebp] 004017A2 33C9 \|xor ecx, ecx 004017A4 83C5 04 \|add ebp, 4 004017A7 3BD8 \|cmp ebx, eax 004017A9 0F94C1 \|sete cl 004017AC 8BD9 \|mov ebx, ecx 004017AE 895C24 10 \|mov dword ptr [esp+10], ebx 004017B2 E9 0F040000 \|jmp 00401BC6 004017B7 8B45 00 \|mov eax, dword ptr [ebp] 004017BA 33DB \|xor ebx, ebx 004017BC 83C5 04 \|add ebp, 4 004017BF 3BF8 \|cmp edi, eax 004017C1 0F94C3 \|sete bl 004017C4 895C24 10 \|mov dword ptr [esp+10], ebx 004017C8 E9 F9030000 \|jmp 00401BC6 004017CD 47 \|inc edi 004017CE 897C24 20 \|mov dword ptr [esp+20], edi 004017D2 E9 EF030000 \|jmp 00401BC6 004017D7 8B45 00 \|mov eax, dword ptr [ebp] 004017DA 8B0C30 \|mov ecx, dword ptr [eax+esi] 004017DD 83C5 04 \|add ebp, 4 004017E0 41 \|inc ecx 004017E1 890C30 \|mov dword ptr [eax+esi], ecx 004017E4 E9 D9030000 \|jmp 00401BC2 004017E9 8B45 00 \|mov eax, dword ptr [ebp] ; 取操作数;;op17 004017EC 8B5424 28 \|mov edx, dword ptr [esp+28] ; mov edx,r28 004017F0 03C2 \|add eax, edx 004017F2 8B0C30 \|mov ecx, dword ptr [eax+esi] ; mov ecx,[r28+c]；；esi存放基址 004017F5 03C6 \|add eax, esi 004017F7 83C5 04 \|add ebp, 4 ; 指向下一个指令 004017FA 41 \|inc ecx 004017FB 8908 \|mov dword ptr [eax], ecx 004017FD E9 C0030000 \|jmp 00401BC2 ; inc [r28+c] 00401802 FF0433 \|inc dword ptr [ebx+esi] 00401805 E9 B8030000 \|jmp 00401BC2 0040180A 4B \|dec ebx 0040180B 895C24 10 \|mov dword ptr [esp+10], ebx 0040180F E9 B2030000 \|jmp 00401BC6 00401814 4F \|dec edi 00401815 897C24 20 \|mov dword ptr [esp+20], edi 00401819 E9 A8030000 \|jmp 00401BC6 0040181E 8B45 00 \|mov eax, dword ptr [ebp] 00401821 8B0C30 \|mov ecx, dword ptr [eax+esi] 00401824 83C5 04 \|add ebp, 4 00401827 49 \|dec ecx 00401828 890C30 \|mov dword ptr [eax+esi], ecx 0040182B E9 92030000 \|jmp 00401BC2 00401830 8B45 00 \|mov eax, dword ptr [ebp] 00401833 8B4C24 28 \|mov ecx, dword ptr [esp+28] 00401837 03C1 \|add eax, ecx 00401839 8B0C30 \|mov ecx, dword ptr [eax+esi] 0040183C 03C6 \|add eax, esi 0040183E 83C5 04 \|add ebp, 4 00401841 49 \|dec ecx 00401842 8908 \|mov dword ptr [eax], ecx 00401844 E9 79030000 \|jmp 00401BC2 00401849 FF0C33 \|dec dword ptr [ebx+esi] 0040184C E9 71030000 \|jmp 00401BC2 00401851 8B4D 00 \|mov ecx, dword ptr [ebp] 00401854 8B5424 2C \|mov edx, dword ptr [esp+2C] 00401858 83C5 04 \|add ebp, 4 0040185B 3BDA \|cmp ebx, edx 0040185D 7C 0A \|jl short 00401869 0040185F 3B5C24 14 \|cmp ebx, dword ptr [esp+14] 00401863 0F8C 0D040000 \|jl 00401C76 00401869 8B7424 44 \|mov esi, dword ptr [esp+44] 0040186D 3B5E 24 \|cmp ebx, dword ptr [esi+24] 00401870 0F83 04040000 \|jnb 00401C7A 00401876 8D0419 \|lea eax, dword ptr [ecx+ebx] 00401879 3BC2 \|cmp eax, edx 0040187B 7E 0E \|jle short 0040188B 0040187D 3B4424 14 \|cmp eax, dword ptr [esp+14] 00401881 0F8C 0E040000 \|jl 00401C95 00401887 8B7424 44 \|mov esi, dword ptr [esp+44] 0040188B 8B76 24 \|mov esi, dword ptr [esi+24] 0040188E 3BC6 \|cmp eax, esi 00401890 0F87 FF030000 \|ja 00401C95 00401896 3BFA \|cmp edi, edx 00401898 7C 0A \|jl short 004018A4 0040189A 3B7C24 14 \|cmp edi, dword ptr [esp+14] 0040189E 0F8C F1030000 \|jl 00401C95 004018A4 3BFE \|cmp edi, esi 004018A6 0F83 E9030000 \|jnb 00401C95 004018AC 03F9 \|add edi, ecx 004018AE 3BFA \|cmp edi, edx 004018B0 7E 0A \|jle short 004018BC 004018B2 3B7C24 14 \|cmp edi, dword ptr [esp+14] 004018B6 0F8C D9030000 \|jl 00401C95 004018BC 3BFE \|cmp edi, esi 004018BE 0F87 D1030000 \|ja 00401C95 004018C4 8B4424 30 \|mov eax, dword ptr [esp+30] 004018C8 8B5424 20 \|mov edx, dword ptr [esp+20] 004018CC 8D3403 \|lea esi, dword ptr [ebx+eax] 004018CF 8D3C02 \|lea edi, dword ptr [edx+eax] 004018D2 8BC1 \|mov eax, ecx 004018D4 C1E9 02 \|shr ecx, 2 004018D7 F3:A5 \|rep movs dword ptr es:[edi], dword > 004018D9 8BC8 \|mov ecx, eax 004018DB 83E1 03 \|and ecx, 3 004018DE F3:A4 \|rep movs byte ptr es:[edi], byte pt> 004018E0 8B7424 30 \|mov esi, dword ptr [esp+30] 004018E4 8BFA \|mov edi, edx 004018E6 E9 D7020000 \|jmp 00401BC2 004018EB 8B4D 00 \|mov ecx, dword ptr [ebp] 004018EE 8B5424 2C \|mov edx, dword ptr [esp+2C] 004018F2 83C5 04 \|add ebp, 4 004018F5 3BDA \|cmp ebx, edx 004018F7 7C 0A \|jl short 00401903 004018F9 3B5C24 14 \|cmp ebx, dword ptr [esp+14] 004018FD 0F8C B1030000 \|jl 00401CB4 00401903 8B7424 44 \|mov esi, dword ptr [esp+44] 00401907 3B5E 24 \|cmp ebx, dword ptr [esi+24] 0040190A 0F83 A8030000 \|jnb 00401CB8 00401910 8D0419 \|lea eax, dword ptr [ecx+ebx] 00401913 3BC2 \|cmp eax, edx 00401915 7E 0E \|jle short 00401925 00401917 3B4424 14 \|cmp eax, dword ptr [esp+14] 0040191B 0F8C 17030000 \|jl 00401C38 00401921 8B7424 44 \|mov esi, dword ptr [esp+44] 00401925 8B76 24 \|mov esi, dword ptr [esi+24] 00401928 3BC6 \|cmp eax, esi 0040192A 0F87 08030000 \|ja 00401C38 00401930 3BFA \|cmp edi, edx 00401932 7C 0A \|jl short 0040193E 00401934 3B7C24 14 \|cmp edi, dword ptr [esp+14] 00401938 0F8C FA020000 \|jl 00401C38 0040193E 3BFE \|cmp edi, esi 00401940 0F83 F2020000 \|jnb 00401C38 00401946 03F9 \|add edi, ecx 00401948 3BFA \|cmp edi, edx 0040194A 7E 0A \|jle short 00401956 0040194C 3B7C24 14 \|cmp edi, dword ptr [esp+14] 00401950 0F8C E2020000 \|jl 00401C38 00401956 3BFE \|cmp edi, esi 00401958 0F87 DA020000 \|ja 00401C38 0040195E 8B4424 30 \|mov eax, dword ptr [esp+30] 00401962 8B5424 20 \|mov edx, dword ptr [esp+20] 00401966 8D3C03 \|lea edi, dword ptr [ebx+eax] 00401969 8D3402 \|lea esi, dword ptr [edx+eax] 0040196C 33DB \|xor ebx, ebx 0040196E F3:A6 \|repe cmps byte ptr es:[edi], byte pt> 00401970 74 05 \|je short 00401977 00401972 1BDB \|sbb ebx, ebx 00401974 83DB FF \|sbb ebx, -1 00401977 8B7424 30 \|mov esi, dword ptr [esp+30] 0040197B 8B7C24 20 \|mov edi, dword ptr [esp+20] 0040197F 895C24 10 \|mov dword ptr [esp+10], ebx 00401983 E9 3E020000 \|jmp 00401BC6 00401988 8B45 00 \|mov eax, dword ptr [ebp] 0040198B 8B5424 2C \|mov edx, dword ptr [esp+2C] 0040198F 83C5 04 \|add ebp, 4 00401992 3BFA \|cmp edi, edx 00401994 7C 0A \|jl short 004019A0 00401996 3B7C24 14 \|cmp edi, dword ptr [esp+14] 0040199A 0F8C 79020000 \|jl 00401C19 004019A0 8B4C24 44 \|mov ecx, dword ptr [esp+44] 004019A4 3B79 24 \|cmp edi, dword ptr [ecx+24] 004019A7 0F83 70020000 \|jnb 00401C1D 004019AD 8D0C38 \|lea ecx, dword ptr [eax+edi] 004019B0 3BCA \|cmp ecx, edx 004019B2 7E 0A \|jle short 004019BE 004019B4 3B4C24 14 \|cmp ecx, dword ptr [esp+14] 004019B8 0F8C 7A020000 \|jl 00401C38 004019BE 8B5424 44 \|mov edx, dword ptr [esp+44] 004019C2 3B4A 24 \|cmp ecx, dword ptr [edx+24] 004019C5 0F87 6D020000 \|ja 00401C38 004019CB 83F8 04 \|cmp eax, 4 004019CE 0F82 F2010000 \|jb 00401BC6 004019D4 8D0C37 \|lea ecx, dword ptr [edi+esi] 004019D7 C1E8 02 \|shr eax, 2 004019DA 8D9B 00000000 \|lea ebx, dword ptr [ebx] 004019E0 8919 \|/mov dword ptr [ecx], ebx 004019E2 8B5C24 10 \|\|mov ebx, dword ptr [esp+10] 004019E6 83C1 04 \|\|add ecx, 4 004019E9 48 \|\|dec eax 004019EA ^ 75 F4 \|\jnz short 004019E0 004019EC 8B7424 30 \|mov esi, dword ptr [esp+30] 004019F0 8B7C24 20 \|mov edi, dword ptr [esp+20] 004019F4 E9 CD010000 \|jmp 00401BC6 004019F9 8B45 00 \|mov eax, dword ptr [ebp] ; VM_opcode 5 004019FC 83C5 04 \|add ebp, 4 004019FF 3BD8 \|cmp ebx, eax ; 比较r10和操作数 00401A01 0F86 BF010000 \|jbe 00401BC6 ; 估计是检测错误的，对算法影响不大 00401A07 8B4424 24 \|mov eax, dword ptr [esp+24] 00401A0B 8B4C24 18 \|mov ecx, dword ptr [esp+18] 00401A0F 8B5424 1C \|mov edx, dword ptr [esp+1C] 00401A13 2BE8 \|sub ebp, eax 00401A15 8B4424 44 \|mov eax, dword ptr [esp+44] 00401A19 8968 10 \|mov dword ptr [eax+10], ebp 00401A1C 5D \|pop ebp 00401A1D 5E \|pop esi 00401A1E 5F \|pop edi 00401A1F 8948 20 \|mov dword ptr [eax+20], ecx 00401A22 8950 18 \|mov dword ptr [eax+18], edx 00401A25 B8 04000000 \|mov eax, 4 00401A2A 5B \|pop ebx 00401A2B 83C4 30 \|add esp, 30 00401A2E C3 \|retn 00401A2F 8B4424 24 \|mov eax, dword ptr [esp+24] 00401A33 8B5424 2C \|mov edx, dword ptr [esp+2C] 00401A37 8BCD \|mov ecx, ebp 00401A39 2BC8 \|sub ecx, eax 00401A3B 8B4424 44 \|mov eax, dword ptr [esp+44] 00401A3F 8948 10 \|mov dword ptr [eax+10], ecx 00401A42 8B4C24 28 \|mov ecx, dword ptr [esp+28] 00401A46 8948 14 \|mov dword ptr [eax+14], ecx 00401A49 8B4C24 14 \|mov ecx, dword ptr [esp+14] 00401A4D 8948 20 \|mov dword ptr [eax+20], ecx 00401A50 03CE \|add ecx, esi 00401A52 51 \|push ecx 00401A53 8950 18 \|mov dword ptr [eax+18], edx 00401A56 8D5424 14 \|lea edx, dword ptr [esp+14] 00401A5A 52 \|push edx 00401A5B 53 \|push ebx 00401A5C 50 \|push eax 00401A5D FF50 08 \|call dword ptr [eax+8] 00401A60 83C4 10 \|add esp, 10 00401A63 85C0 \|test eax, eax 00401A65 0F84 57010000 \|je 00401BC2 00401A6B 83F8 0C \|cmp eax, 0C 00401A6E 8B5424 18 \|mov edx, dword ptr [esp+18] 00401A72 0F85 C9020000 \|jnz 00401D41 00401A78 8B4424 44 \|mov eax, dword ptr [esp+44] 00401A7C 8B4C24 10 \|mov ecx, dword ptr [esp+10] 00401A80 5D \|pop ebp 00401A81 8948 54 \|mov dword ptr [eax+54], ecx 00401A84 8B4C24 18 \|mov ecx, dword ptr [esp+18] 00401A88 5E \|pop esi 00401A89 8978 58 \|mov dword ptr [eax+58], edi 00401A8C 5F \|pop edi 00401A8D 8950 5C \|mov dword ptr [eax+5C], edx 00401A90 8948 60 \|mov dword ptr [eax+60], ecx 00401A93 B8 0C000000 \|mov eax, 0C 00401A98 5B \|pop ebx 00401A99 83C4 30 \|add esp, 30 00401A9C C3 \|retn 00401A9D 8B45 00 \|mov eax, dword ptr [ebp] 00401AA0 8B5C24 24 \|mov ebx, dword ptr [esp+24] 00401AA4 8B5424 2C \|mov edx, dword ptr [esp+2C] 00401AA8 83C5 04 \|add ebp, 4 00401AAB 8BCD \|mov ecx, ebp 00401AAD 2BCB \|sub ecx, ebx 00401AAF 8B5C24 44 \|mov ebx, dword ptr [esp+44] 00401AB3 894B 10 \|mov dword ptr [ebx+10], ecx 00401AB6 8B4C24 28 \|mov ecx, dword ptr [esp+28] 00401ABA 894B 14 \|mov dword ptr [ebx+14], ecx 00401ABD 8B4C24 14 \|mov ecx, dword ptr [esp+14] 00401AC1 894B 20 \|mov dword ptr [ebx+20], ecx 00401AC4 03CE \|add ecx, esi 00401AC6 51 \|push ecx 00401AC7 8953 18 \|mov dword ptr [ebx+18], edx 00401ACA 8D5424 14 \|lea edx, dword ptr [esp+14] 00401ACE 52 \|push edx 00401ACF 50 \|push eax 00401AD0 53 \|push ebx 00401AD1 FF53 08 \|call dword ptr [ebx+8] 00401AD4 83C4 10 \|add esp, 10 00401AD7 E9 DE000000 \|jmp 00401BBA 00401ADC 8B45 00 \|mov eax, dword ptr [ebp] 00401ADF 8D6C28 04 \|lea ebp, dword ptr [eax+ebp+4] 00401AE3 E9 DE000000 \|jmp 00401BC6 00401AE8 83C5 08 \|add ebp, 8 00401AEB E9 D6000000 \|jmp 00401BC6 00401AF0 8B4C24 24 \|mov ecx, dword ptr [esp+24] 00401AF4 8D2C0B \|lea ebp, dword ptr [ebx+ecx] 00401AF7 E9 CA000000 \|jmp 00401BC6 00401AFC 8B55 00 \|mov edx, dword ptr [ebp] 00401AFF 8B4C24 24 \|mov ecx, dword ptr [esp+24] 00401B03 8B6C11 08 \|mov ebp, dword ptr [ecx+edx+8] 00401B07 8D4411 04 \|lea eax, dword ptr [ecx+edx+4] 00401B0B 03E9 \|add ebp, ecx 00401B0D 8B08 \|mov ecx, dword ptr [eax] 00401B0F 83C0 08 \|add eax, 8 00401B12 85C9 \|test ecx, ecx 00401B14 0F8E AC000000 \|jle 00401BC6 00401B1A 8D9B 00000000 \|lea ebx, dword ptr [ebx] 00401B20 3918 \|/cmp dword ptr [eax], ebx 00401B22 74 0D \|\|je short 00401B31 00401B24 49 \|\|dec ecx 00401B25 83C0 08 \|\|add eax, 8 00401B28 85C9 \|\|test ecx, ecx 00401B2A ^ 7F F4 \|\jg short 00401B20 00401B2C E9 95000000 \|jmp 00401BC6 00401B31 85C9 \|test ecx, ecx 00401B33 0F8E 8D000000 \|jle 00401BC6 00401B39 8B68 04 \|mov ebp, dword ptr [eax+4] 00401B3C 036C24 24 \|add ebp, dword ptr [esp+24] 00401B40 E9 81000000 \|jmp 00401BC6 00401B45 8B4424 14 \|mov eax, dword ptr [esp+14] 00401B49 8B0C30 \|mov ecx, dword ptr [eax+esi] 00401B4C 891C30 \|mov dword ptr [eax+esi], ebx 00401B4F 8BD9 \|mov ebx, ecx 00401B51 895C24 10 \|mov dword ptr [esp+10], ebx 00401B55 EB 6F \|jmp short 00401BC6 00401B57 8B4424 14 \|mov eax, dword ptr [esp+14] 00401B5B 8B0C30 \|mov ecx, dword ptr [eax+esi] 00401B5E 893C30 \|mov dword ptr [eax+esi], edi 00401B61 8BF9 \|mov edi, ecx 00401B63 897C24 20 \|mov dword ptr [esp+20], edi 00401B67 EB 59 \|jmp short 00401BC2 00401B69 8B45 00 \|mov eax, dword ptr [ebp] 00401B6C 8B4C24 14 \|mov ecx, dword ptr [esp+14] 00401B70 8B5424 28 \|mov edx, dword ptr [esp+28] 00401B74 83E9 04 \|sub ecx, 4 00401B77 83C5 04 \|add ebp, 4 00401B7A 03C2 \|add eax, edx 00401B7C 894C24 14 \|mov dword ptr [esp+14], ecx 00401B80 890431 \|mov dword ptr [ecx+esi], eax 00401B83 EB 3D \|jmp short 00401BC2 00401B85 8B4424 44 \|mov eax, dword ptr [esp+44] ; mov eax,r44;;VM_opcode 43 00401B89 8B40 0C \|mov eax, dword ptr [eax+C] ; mov eax,[r44+0xC] 00401B8C 85C0 \|test eax, eax 00401B8E 74 36 \|je short 00401BC6 ; if [r44+c]<>0 then VM_exit 00401B90 8B5C24 44 \|mov ebx, dword ptr [esp+44] 00401B94 8B4C24 28 \|mov ecx, dword ptr [esp+28] 00401B98 8B5424 14 \|mov edx, dword ptr [esp+14] 00401B9C 894B 14 \|mov dword ptr [ebx+14], ecx 00401B9F 8B4C24 2C \|mov ecx, dword ptr [esp+2C] 00401BA3 8953 20 \|mov dword ptr [ebx+20], edx 00401BA6 894B 18 \|mov dword ptr [ebx+18], ecx 00401BA9 8B4C24 24 \|mov ecx, dword ptr [esp+24] 00401BAD 8BD5 \|mov edx, ebp 00401BAF 2BD1 \|sub edx, ecx 00401BB1 53 \|push ebx 00401BB2 8953 10 \|mov dword ptr [ebx+10], edx 00401BB5 FFD0 \|call eax 00401BB7 83C4 04 \|add esp, 4 00401BBA 85C0 \|test eax, eax 00401BBC 0F85 95010000 \|jnz 00401D57 00401BC2 8B5C24 10 \|mov ebx, dword ptr [esp+10] ; 这是为了保证r10和ebx的值始终同步 00401BC6 8B45 00 \|mov eax, dword ptr [ebp] ; VM_opcode; Default case of switch 00401147; Default case of switch 00401147 00401BC9 8D48 FF \|lea ecx, dword ptr [eax-1] ; VM_opcode-1 00401BCC 83C5 04 \|add ebp, 4 ; VM_EIP++ 00401BCF 81F9 9C000000 \|cmp ecx, 9C ; VM_exit? 00401BD5 ^ 0F86 E9F1FFFF \jbe 00400DC4 00401BDB 8B4424 44 mov eax, dword ptr [esp+44] 00401BDF 8B4C24 18 mov ecx, dword ptr [esp+18] 00401BE3 8B5424 1C mov edx, dword ptr [esp+1C] 00401BE7 5D pop ebp 00401BE8 8948 20 mov dword ptr [eax+20], ecx 00401BEB 8950 18 mov dword ptr [eax+18], edx 00401BEE B8 06000000 mov eax, 6 00401BF3 5E pop esi 00401BF4 5F pop edi 00401BF5 5B pop ebx 00401BF6 83C4 30 add esp, 30 00401BF9 C3 retn 00401BFA 8B4424 44 mov eax, dword ptr [esp+44] 00401BFE 8B4C24 18 mov ecx, dword ptr [esp+18] 00401C02 8B5424 1C mov edx, dword ptr [esp+1C] 00401C06 5D pop ebp 00401C07 5E pop esi 00401C08 5F pop edi 00401C09 8948 20 mov dword ptr [eax+20], ecx 00401C0C 8950 18 mov dword ptr [eax+18], edx 00401C0F B8 05000000 mov eax, 5 00401C14 5B pop ebx 00401C15 83C4 30 add esp, 30 00401C18 C3 retn 00401C19 8B4C24 44 mov ecx, dword ptr [esp+44] 00401C1D 8B4424 18 mov eax, dword ptr [esp+18] 00401C21 8B5424 1C mov edx, dword ptr [esp+1C] 00401C25 5D pop ebp 00401C26 5E pop esi 00401C27 5F pop edi 00401C28 8941 20 mov dword ptr [ecx+20], eax 00401C2B 8951 18 mov dword ptr [ecx+18], edx 00401C2E B8 05000000 mov eax, 5 00401C33 5B pop ebx 00401C34 83C4 30 add esp, 30 00401C37 C3 retn 00401C38 8B4424 44 mov eax, dword ptr [esp+44] 00401C3C 8B4C24 18 mov ecx, dword ptr [esp+18] 00401C40 8B5424 1C mov edx, dword ptr [esp+1C] 00401C44 5D pop ebp 00401C45 5E pop esi 00401C46 5F pop edi 00401C47 8948 20 mov dword ptr [eax+20], ecx 00401C4A 8950 18 mov dword ptr [eax+18], edx 00401C4D B8 05000000 mov eax, 5 00401C52 5B pop ebx 00401C53 83C4 30 add esp, 30 00401C56 C3 retn 00401C57 8B4424 44 mov eax, dword ptr [esp+44] 00401C5B 8B4C24 18 mov ecx, dword ptr [esp+18] 00401C5F 8B5424 1C mov edx, dword ptr [esp+1C] 00401C63 5D pop ebp 00401C64 5E pop esi 00401C65 5F pop edi 00401C66 8948 20 mov dword ptr [eax+20], ecx 00401C69 8950 18 mov dword ptr [eax+18], edx 00401C6C B8 0B000000 mov eax, 0B 00401C71 5B pop ebx 00401C72 83C4 30 add esp, 30 00401C75 C3 retn 00401C76 8B7424 44 mov esi, dword ptr [esp+44] 00401C7A 8B4424 18 mov eax, dword ptr [esp+18] 00401C7E 8B4C24 1C mov ecx, dword ptr [esp+1C] 00401C82 5D pop ebp 00401C83 8946 20 mov dword ptr [esi+20], eax 00401C86 894E 18 mov dword ptr [esi+18], ecx 00401C89 5E pop esi 00401C8A 5F pop edi 00401C8B B8 05000000 mov eax, 5 00401C90 5B pop ebx 00401C91 83C4 30 add esp, 30 00401C94 C3 retn 00401C95 8B4424 44 mov eax, dword ptr [esp+44] 00401C99 8B5424 18 mov edx, dword ptr [esp+18] 00401C9D 8B4C24 1C mov ecx, dword ptr [esp+1C] 00401CA1 5D pop ebp 00401CA2 5E pop esi 00401CA3 5F pop edi 00401CA4 8950 20 mov dword ptr [eax+20], edx 00401CA7 8948 18 mov dword ptr [eax+18], ecx 00401CAA B8 05000000 mov eax, 5 00401CAF 5B pop ebx 00401CB0 83C4 30 add esp, 30 00401CB3 C3 retn 00401CB4 8B7424 44 mov esi, dword ptr [esp+44] 00401CB8 8B4424 1C mov eax, dword ptr [esp+1C] 00401CBC 8B5424 18 mov edx, dword ptr [esp+18] 00401CC0 5D pop ebp 00401CC1 8946 18 mov dword ptr [esi+18], eax 00401CC4 8956 20 mov dword ptr [esi+20], edx 00401CC7 5E pop esi 00401CC8 5F pop edi 00401CC9 B8 05000000 mov eax, 5 00401CCE 5B pop ebx 00401CCF 83C4 30 add esp, 30 00401CD2 C3 retn 00401CD3 8B45 00 mov eax, dword ptr [ebp] ; 取操作数 00401CD6 8B4C24 48 mov ecx, dword ptr [esp+48] ; mov ecx,r48 00401CDA 83C5 04 add ebp, 4 ; 下一指令 00401CDD 85C9 test ecx, ecx 00401CDF 74 02 je short 00401CE3 00401CE1 8919 mov dword ptr [ecx], ebx ; 保存要传回的参数,哦也,就是他了 00401CE3 8B4C24 44 mov ecx, dword ptr [esp+44] 00401CE7 8B7424 24 mov esi, dword ptr [esp+24] ; esi=old _eip 00401CEB 8B5424 28 mov edx, dword ptr [esp+28] 00401CEF 2BEE sub ebp, esi 00401CF1 83F8 0C cmp eax, 0C 00401CF4 8951 14 mov dword ptr [ecx+14], edx 00401CF7 8959 54 mov dword ptr [ecx+54], ebx 00401CFA 8979 58 mov dword ptr [ecx+58], edi 00401CFD 8969 10 mov dword ptr [ecx+10], ebp 00401D00 75 29 jnz short 00401D2B 00401D02 8B4424 14 mov eax, dword ptr [esp+14] 00401D06 8B5424 2C mov edx, dword ptr [esp+2C] 00401D0A 5D pop ebp 00401D0B 8941 20 mov dword ptr [ecx+20], eax 00401D0E 8B4424 14 mov eax, dword ptr [esp+14] 00401D12 5E pop esi 00401D13 8951 18 mov dword ptr [ecx+18], edx 00401D16 8B5424 14 mov edx, dword ptr [esp+14] 00401D1A 5F pop edi 00401D1B 8941 5C mov dword ptr [ecx+5C], eax 00401D1E 8951 60 mov dword ptr [ecx+60], edx 00401D21 B8 0C000000 mov eax, 0C 00401D26 5B pop ebx 00401D27 83C4 30 add esp, 30 00401D2A C3 retn 00401D2B 8B5424 18 mov edx, dword ptr [esp+18] 00401D2F 5D pop ebp 00401D30 5E pop esi 00401D31 8951 20 mov dword ptr [ecx+20], edx 00401D34 8B5424 14 mov edx, dword ptr [esp+14] 00401D38 5F pop edi 00401D39 8951 18 mov dword ptr [ecx+18], edx 00401D3C 5B pop ebx 00401D3D 83C4 30 add esp, 30 00401D40 C3 retn 00401D41 8B4C24 44 mov ecx, dword ptr [esp+44] 00401D45 5D pop ebp 00401D46 5E pop esi 00401D47 8951 20 mov dword ptr [ecx+20], edx 00401D4A 8B5424 14 mov edx, dword ptr [esp+14] 00401D4E 5F pop edi 00401D4F 8951 18 mov dword ptr [ecx+18], edx 00401D52 5B pop ebx 00401D53 83C4 30 add esp, 30 00401D56 C3 retn 00401D57 83F8 0C cmp eax, 0C 00401D5A 8B5424 1C mov edx, dword ptr [esp+1C] 00401D5E 8B4C24 18 mov ecx, dword ptr [esp+18] 00401D62 75 1D jnz short 00401D81 00401D64 8B4424 10 mov eax, dword ptr [esp+10] 00401D68 5D pop ebp 00401D69 5E pop esi 00401D6A 897B 58 mov dword ptr [ebx+58], edi 00401D6D 8943 54 mov dword ptr [ebx+54], eax 00401D70 5F pop edi 00401D71 894B 5C mov dword ptr [ebx+5C], ecx 00401D74 8953 60 mov dword ptr [ebx+60], edx 00401D77 B8 0C000000 mov eax, 0C 00401D7C 5B pop ebx 00401D7D 83C4 30 add esp, 30 00401D80 C3 retn 00401D81 5D pop ebp 00401D82 5E pop esi 00401D83 5F pop edi 00401D84 894B 20 mov dword ptr [ebx+20], ecx 00401D87 8953 18 mov dword ptr [ebx+18], edx 00401D8A 5B pop ebx 00401D8B 83C4 30 add esp, 30 00401D8E C3 retn 2007-6-21 01:00 0
yingyue 雪币： 1844 活跃值： (35) 能力值： ( LV3，RANK：30 ) 在线值：发帖 16 回帖 2595 粉丝 3 关注私信	yingyue 5 楼分开来看有点累的说，还是支持你的继续分析 2007-6-21 01:04 0
坚持到底雪币： 538 活跃值： (460) 能力值： ( LV9，RANK：290 ) 在线值：发帖 12 回帖 245 粉丝 2 关注私信	坚持到底 7 6 楼支持下，LZ辛苦了。。 2007-6-21 01:49 0
dewar 雪币： 297 活跃值： (21) 能力值： ( LV9，RANK：330 ) 在线值：发帖 9 回帖 125 粉丝 0 关注私信	dewar 8 7 楼强啊，支持楼主。超级的耐力！学习 2007-6-21 08:16 0
Bughoho 雪币： 1946 活跃值： (248) 能力值： (RANK：330 ) 在线值：发帖 72 回帖 1217 粉丝 27 关注私信	Bughoho 8 8 楼我想我得重新看一下这个cm了. 2007-6-21 10:58 0
seya 雪币： 328 活跃值： (10) 能力值： ( LV9，RANK：210 ) 在线值：发帖 17 回帖 134 粉丝 0 关注私信	seya 5 9 楼今天根据昨天写的伪代码跟了一次,看看算法,结果... 总的来说还是发现原来的伪代码有不少错误,不少地方还值得推敲,嘿嘿. 003A4730 00000059 VM_START ;执行的操作：sub r14,4;;push r28;;mov r28,r14 003A4738 00000076,7FED7FED push 7FED7FED 003A4744 00000076,EEEEEEEE push EEEEEEEE 003A4750 00000076,00000000 push 0 003A4758 00000039,00000044 jmp 44 ;jmp L2; ;goto 003A476C L3: 003A4760 00000043 003A4764 00000017,FFFFFFF4 inc [r28+FFFFFFF4] ;计数器++ L2: 003A476C 0000003A,FFFFFFF4 mov r10,[r28+FFFFFFF4] ;计数器,第一次循环=0 003A4774 00000055,0000000C mov r20,[r28+0000000C] ;[r28+0000000C]=400 003A477C 00000010 lea r10,[r104+r20] 003A4780 00000097 mov r10,ds:[r10] ；取73's'；去VM的数据区找： ;r10=400 ;ds:[400]='s e y a' 73000000 65000000 79000000 61000000 003A4784 00000082,0000014C jz 14C ;jz L1 ;to 004a4874；如果r10=0的话就跳 003A478C 00000043 003A4790 0000007F xor r10,r10 003A4794 0000004C push r10 003A4798 0000003A,FFFFFFF4 mov r10,[r28+FFFFFFF4] ;计数器,第一次循环=0 003A47A0 00000055,0000000C mov r20,[r28+0000000C] ;[r28+0000000C]=400 003A47A8 00000010 lea r10,[r104+r20] 003A47AC 00000097 mov r10,ds:[r10] ;取73's'('seya') 003A47B0 00000091,FFFFFFD1 add r10,FFFFFFD1 ;73 add ffffffd1!! 003A47B8 00000033 mov r20,r10 ;r20=73 add ffffffd1=44 003A47BC 0000008B,00000100 mov r10,00000100 ;r10=100 003A47C4 00000030 idiv r20,r10 ;返回:r20余数，r10商； 003A47C8 0000003C mov r10,r20 ;r10= (73 add ffffffd1) mod 100=44 003A47D4 00000047 pop r20 ;r20=0 003A47D8 00000010 lea r10,[r104+r20] ;r10=110 003A47DC 00000097 mov r10,ds:[r10] ;ds:[r10]=[esi+r10]=71b18589 晕,又要查表,对用户名ASCII值进行运算后查找下面这个表： ESI=3A4BB8 003A4BB8 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 ....?w,a詈Q. 003A4BC8 19 C4 6D 07 8F F4 6A 70 35 A5 63 E9 A3 95 64 9E 膍忯jp5椋昫 003A4BD8 32 88 DB 0E A4 B8 DC 79 1E E9 D5 E0 88 D9 D2 97 2堐じ躽檎鄨僖 003A4BE8 2B 4C B6 09 BD 7C B1 7E 07 2D B8 E7 91 1D BF 90 +L?絴眫-哥?繍 003A4BF8 64 10 B7 1D F2 20 B0 6A 48 71 B9 F3 DE 41 BE 84 d??癹Hq贵轆緞 003A4C08 7D D4 DA 1A EB E4 DD 6D 51 B5 D4 F4 C7 85 D3 83 }在脘輒Q翟羟呌 003A4C18 56 98 6C 13 C0 A8 6B 64 7A F9 62 FD EC C9 65 8A V榣括kdz鵥蒭 003A4C28 4F 5C 01 14 D9 6C 06 63 63 3D 0F FA F5 0D 08 8D O\賚cc=. 003A4C38 C8 20 6E 3B 5E 10 69 4C E4 41 60 D5 72 71 67 A2 ?n;^iL銩`誶qg 003A4C48 D1 E4 03 3C 47 D4 04 4B FD 85 0D D2 6B B5 0A A5 唁<G?K齾.襨? 003A4C58 FA A8 B5 35 6C 98 B2 42 D6 C9 BB DB 40 F9 BC AC ?l槻B稚慧@ 003A4C68 E3 6C D8 32 75 5C DF 45 CF 0D D6 DC 59 3D D1 AB 鉲?u\逧?周Y=勋 003A4C78 AC 30 D9 26 3A 00 DE 51 80 51 D7 C8 16 61 D0 BF ??:.轖€Q兹a锌 003A4C88 B5 F4 B4 21 23 C4 B3 56 99 95 BA CF 0F A5 BD B8 掉?#某V檿合ソ 003A4C98 9E B8 02 28 08 88 05 5F B2 D9 0C C6 24 E9 0B B1 灨(?_操.?? 003A4CA8 87 7C 6F 2F 11 4C 68 58 AB 1D 61 C1 3D 2D 66 B6 噟o/LhX?a?-f 003A4CB8 90 41 DC 76 06 71 DB 01 BC 20 D2 98 2A 10 D5 EF 怉躹q??覙诊 003A4CC8 89 85 B1 71 1F B5 B6 06 A5 E4 BF 9F 33 D4 B8 E8 墔眖刀ヤ繜3愿 003A4CD8 A2 C9 07 78 34 F9 00 0F 8E A8 09 96 18 98 0E E1 ⑸x4?帹.?? 003A4CE8 BB 0D 6A 7F 2D 3D 6D 08 97 6C 64 91 01 5C 63 E6 ?j-=m條d?\c 003A4CF8 F4 51 6B 6B 62 61 6C 1C D8 30 65 85 4E 00 62 F2 鬛kkbal?e匩.b 003A4D08 ED 95 06 6C 7B A5 01 1B C1 F4 08 82 57 C4 0F F5 頃l{?留俉? 003A4D18 C6 D9 B0 65 50 E9 B7 12 EA B8 BE 8B 7C 88 B9 FC 瀑癳P榉旮緥\|埞 003A4D28 DF 1D DD 62 49 2D DA 15 F3 7C D3 8C 65 4C D4 FB ?輇I-?髚訉eL喳 003A4D38 58 61 B2 4D CE 51 B5 3A 74 00 BC A3 E2 30 BB D4 Xa睲蜵?t.迹?辉 003A4D48 41 A5 DF 4A D7 95 D8 3D 6D C4 D1 A4 FB F4 D6 D3 AミJ讜?m难糁 003A4D58 6A E9 69 43 FC D9 6E 34 46 88 67 AD D0 B8 60 DA j閕Cn4F坓竊 003A4D68 73 2D 04 44 E5 1D 03 33 5F 4C 0A AA C9 7C 0D DD s-D?3_L.\|. 003A4D78 3C 71 05 50 AA 41 02 27 10 10 0B BE 86 20 0C C9 <qP狝'締 . 003A4D88 25 B5 68 57 B3 85 6F 20 09 D4 66 B9 9F E4 61 CE %礹W硡o .詅篃鋋 003A4D98 0E F9 DE 5E 98 C9 D9 29 22 98 D0 B0 B4 A8 D7 C7 ^樕?"樞按ㄗ 003A4DA8 17 3D B3 59 81 0D B4 2E 3B 5C BD B7 AD 6C BA C0 =砓??;\椒璴豪 003A4DB8 20 83 B8 ED B6 B3 BF 9A 0C E2 B6 03 9A D2 B1 74 兏矶晨?舛氁眛 003A4DC8 39 47 D5 EA AF 77 D2 9D 15 26 DB 04 83 16 DC 73 9G贞痺覞&??躶 003A4DD8 12 0B 63 E3 84 3B 64 94 3E 6A 6D 0D A8 5A 6A 7A c銊;d?jm.╖jz 003A4DE8 0B CF 0E E4 9D FF 09 93 27 AE 00 0A B1 9E 07 7D ?錆.??.睘} 003A4DF8 44 93 0F F0 D2 A3 08 87 68 F2 01 1E FE C2 06 69 D?鹨?噃?i 003A4E08 5D 57 62 F7 CB 67 65 80 71 36 6C 19 E7 06 6B 6E ]Wb魉ge€q6l?kn 003A4E18 76 1B D4 FE E0 2B D3 89 5A 7A DA 10 CC 4A DD 67 v轧?訅Zz?蘆輌 003A4E28 6F DF B9 F9 F9 EF BE 8E 43 BE B7 17 D5 8E B0 60 o吖锞嶤痉諑癭 003A4E38 E8 A3 D6 D6 7E 93 D1 A1 C4 C2 D8 38 52 F2 DF 4F 瑁种~撗∧仑8R蜻O 003A4E48 F1 67 BB D1 67 57 BC A6 DD 06 B5 3F 4B 36 B2 48 駁谎gW鸡??K6睭 003A4E58 DA 2B 0D D8 4C 1B 0A AF F6 4A 03 36 60 7A 04 41 ?.豅.J6`zA 003A4E68 C3 EF 60 DF 55 DF 67 A8 EF 8E 6E 31 79 BE 69 46 蔑`遀遟巒1y緄F 003A4E78 8C B3 61 CB 1A 83 66 BC A0 D2 6F 25 36 E2 68 52 尦a?僨紶襬%6鈎R 003A4E88 95 77 0C CC 03 47 0B BB B9 16 02 22 2F 26 05 55 晈.?G还"/&U 003A4E98 BE 3B BA C5 28 0B BD B2 92 5A B4 2B 04 6A B3 5C ?号(讲抁?j砛 003A4EA8 A7 FF D7 C2 31 CF D0 B5 8B 9E D9 2C 1D AE DE 5B ?茁1闲祴炠,[ 003A4EB8 B0 C2 64 9B 26 F2 63 EC 9C A3 6A 75 0A 93 6D 02 奥d?騝鞙u.搈 003A4EC8 A9 06 09 9C 3F 36 0E EB 85 67 07 72 13 57 00 05 ?.?6雲grW. 003A4ED8 82 4A BF 95 14 7A B8 E2 AE 2B B1 7B 38 1B B6 0C 侸繒z糕?眥8? 003A4EE8 9B 8E D2 92 0D BE D5 E5 B7 EF DC 7C 21 DF DB 0B 泿覓.菊宸镘\|!咣 003A4EF8 D4 D2 D3 86 42 E2 D4 F1 F8 B3 DD 68 6E 83 DA 1F 砸訂B庠聒齿hn冓 003A4F08 CD 16 BE 81 5B 26 B9 F6 E1 77 B0 6F 77 47 B7 18 ?緛[&滚醱皁wG? 003A4F18 E6 5A 08 88 70 6A 0F FF CA 3B 06 66 5C 0B 01 11 鎆坧j?f\ 003A4F28 FF 9E 65 8F 69 AE 62 F8 D3 FF 6B 61 45 CF 6C 16 瀍廼産kaE蟣 003A4F38 78 E2 0A A0 EE D2 0D D7 54 83 04 4E C2 B3 03 39 x?狀?譚?N鲁9 003A4F48 61 26 67 A7 F7 16 60 D0 4D 47 69 49 DB 77 6E 3E a&g`蠱GiI踳n> 003A4F58 4A 6A D1 AE DC 5A D6 D9 66 0B DF 40 F0 3B D8 37 Jj旬躗仲f這?? 003A4F68 53 AE BC A9 C5 9E BB DE 7F CF B2 47 E9 FF B5 30 S┡灮?喜G?? 003A4F78 1C F2 BD BD 8A C2 BA CA 30 93 B3 53 A6 A3 B4 24 蚪綂潞?摮SΓ? 003A4F88 05 36 D0 BA 93 06 D7 CD 29 57 DE 54 BF 67 D9 23 6泻?淄)W轙縢? 003A4F98 2E 7A 66 B3 B8 4A 61 C4 02 1B 68 5D 94 2B 6F 2A .zf掣Ja?h]?o* 003A4FA8 37 BE 0B B4 A1 8E 0C C3 1B DF 05 5A 8D EF 02 2D 7?础???Z嶏- 003A4FB8 73 00 00 00 65 00 00 00 79 00 00 00 61 00 00 00 s...e...y...a... 003A4FC8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 003A4FD8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 003A4FE8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 003A4FF8 00 00 00 00 00 00 00 00 00 0A 3C 01 00 10 00 00 ..........<... 只跟了第一段，差不多能知道算法了。跟踪这个伪代码比较好的方法是在00401BC9这里下断,按一下f9执行一条指令，对照昨天发的伪代码程序段观察寄存器EBX和EDI的值就行了，作者主要用的是r10和r20两个寄存器，分别与真实的EBX和EDI保持等值，这样，就和逆向普通的程序没多大区别了。当然，你还得找个地方画出VM的堆栈，或是数据窗口跟踪VM的堆栈地址（ESI+43ec），这样才能掌握程序的行动！ 00401BC2 8B5C24 10 \|mov ebx, dword ptr [esp+10] ; 这是为了保证r10和ebx的值始终同步 00401BC6 8B45 00 \|mov eax, dword ptr [ebp] ; VM_opcode; Default case of switch 00401147; Default case of switch 00401147 00401BC9 8D48 FF \|lea ecx, dword ptr [eax-1] ; VM_opcode-1 00401BCC 83C5 04 \|add ebp, 4 ; VM_EIP++ 00401BCF 81F9 9C000000 \|cmp ecx, 9C ; VM_exit? 00401BD5 ^ 0F86 E9F1FFFF \jbe 00400DC4 2007-6-21 11:09 0
yijun8354 雪币： 1919 活跃值： (901) 能力值： ( LV9，RANK：490 ) 在线值：发帖 22 回帖 784 粉丝 1 关注私信	yijun8354 12 10 楼太强悍了～～ 2007-6-21 12:14 0
yaleond 雪币： 244 活跃值： (10) 能力值： ( LV4，RANK：50 ) 在线值：发帖 2 回帖 142 粉丝 0 关注私信	yaleond 1 11 楼不是一般的强悍..... 2007-6-21 15:44 0
yingyue 雪币： 1844 活跃值： (35) 能力值： ( LV3，RANK：30 ) 在线值：发帖 16 回帖 2595 粉丝 3 关注私信	yingyue 12 楼说来说去不就是强悍吧，地球人都知道但因为某件事，我准备把楼主来个灭口，呵呵，大家叫他小心了 2007-6-21 16:39 0
seya 雪币： 328 活跃值： (10) 能力值： ( LV9，RANK：210 ) 在线值：发帖 17 回帖 134 粉丝 0 关注私信	seya 5 13 楼 [QUOTE=yingyue;325411]说来说去不就是强悍吧，地球人都知道但因为某件事，我准备把楼主来个灭口，呵呵，大家叫他小心了[/QUOTE] 啥事啊？我都没线索的说。。。。 2007-6-21 23:08 0
invent 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 10 粉丝 0 关注私信	invent 14 楼学习了~~~~~~~~~ 2007-6-22 15:59 0
invent 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 10 粉丝 0 关注私信	invent 15 楼不懂 2007-6-22 15:59 0
seya 雪币： 328 活跃值： (10) 能力值： ( LV9，RANK：210 ) 在线值：发帖 17 回帖 134 粉丝 0 关注私信	seya 5 16 楼郁闷。又发现了不少错误，改不过来呀 2007-7-13 08:12 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

seya

发帖

134

回帖

210

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (15)
seya 雪币： 328 活跃值： (10) 能力值： ( LV9，RANK：210 ) 在线值：发帖 17 回帖 134 粉丝 0 关注私信	seya 5 2 楼 VM的主要流程： jmp dword ptr [ecx4+401D90] 00400DB1 \|> \8B4D 00 mov ecx, dword ptr [ebp] ; EBP读入指令流;第一条:vm_opcode59 00400DB4 \|. 83C5 04 add ebp, 4 ; VM_EIP++ 00400DB7 \|. 49 dec ecx ; 58 00400DB8 \|. 81F9 9C000000 cmp ecx, 9C ; 9c,VM_exit 00400DBE \|. 0F87 1B0E0000 ja 00401BDF 00400DC4 \|> FF248D 901D40>/jmp dword ptr [ecx4+401D90] ;ecx=code编号-1 ;code处理函数入口地址=ecx4+401d90 00400DCB \|> 8B45 00 \|mov eax, dword ptr [ebp] 00400DCE \|. 8B1C30 \|mov ebx, dword ptr [eax+esi] . . . . . 00401BC2 \|> \8B5C24 10 \|mov ebx, dword ptr [esp+10] ;这是为了保证r10和ebx的值始终同步 00401BC6 \|> 8B45 00 \|mov eax, dword ptr [ebp] ; VM_opcode; Default case of switch 00401147 00401BC9 \|. 8D48 FF \|lea ecx, dword ptr [eax-1] ; VM_opcode-1 00401BCC \|. 83C5 04 \|add ebp, 4 ; VM_EIP++ 00401BCF \|. 81F9 9C000000 \|cmp ecx, 9C ; VM_exit? 00401BD5 \|.^ 0F86 E9F1FFFF \jbe 00400DC4 ======== 指令处理例程入口地址表：注意这一句！！！ 00400DC4 jmp dword ptr [ecx4+401D90] ecx=code编号-1 code处理函数入口地址=ecx*4+401d90 共169条指令1-a9: 1 \| 2 \| 3 \| 4 00401D90 7E 10 40 00 99 14 40 00 3A 17 40 00 21 0F 40 00 00401DA0 F9 19 40 00 5D 14 40 00 88 19 40 00 49 17 40 00 00401DB0 3E 17 40 00 DB 1B 40 00 DB 1B 40 00 14 18 40 00 00401DC0 F9 16 40 00 0D 14 40 00 DB 1B 40 00 5F 10 40 00 00401DD0 E8 0E 40 00 DB 1B 40 00 BA 15 40 00 DB 1B 40 00 00401DE0 64 0E 40 00 DB 1B 40 00 E9 17 40 00 E6 11 40 00 00401DF0 9E 0F 40 00 DB 14 40 00 1D 17 40 00 7F 0E 40 00 00401E00 51 18 40 00 8E 13 40 00 DB 1B 40 00 DB 1B 40 00 00401E10 3E 11 40 00 B1 13 40 00 F9 13 40 00 8B 16 40 00 00401E20 DB 1B 40 00 1E 12 40 00 3D 0F 40 00 DB 1B 40 00 00401E30 2C 15 40 00 DB 1B 40 00 21 14 40 00 5C 12 40 00 00401E40 FC 1A 40 00 EB 18 40 00 71 14 40 00 6C 15 40 00 00401E50 F7 0E 40 00 2C 17 40 00 89 11 40 00 73 10 40 00 00401E60 C1 14 40 00 03 16 40 00 1D 16 40 00 0A 18 40 00 00401E70 B5 14 40 00 EF 0D 40 00 9D 16 40 00 7E 11 40 00 00401E80 D9 15 40 00 EF 0E 40 00 DC 1A 40 00 C6 1B 40 00 00401E90 DB 1B 40 00 8A 12 40 00 85 1B 40 00 DB 1B 40 00 00401EA0 CE 14 40 00 50 13 40 00 73 12 40 00 85 14 40 00 00401EB0 1F 0E 40 00 12 16 40 00 34 0E 40 00 A7 11 40 00 00401EC0 F9 14 40 00 DB 1B 40 00 F0 1A 40 00 57 1B 40 00 00401ED0 0C 0F 40 00 65 0F 40 00 DD 0D 40 00 E8 1A 40 00 00401EE0 07 0E 40 00 DC 1A 40 00 02 18 40 00 DB 1B 40 00 00401EF0 F8 12 40 00 6B 10 40 00 D3 1C 40 00 0B 17 40 00 00401F00 45 1B 40 00 0A 15 40 00 DB 1B 40 00 D8 16 40 00 00401F10 DB 1B 40 00 2F 1A 40 00 27 10 40 00 30 18 40 00 00401F20 49 14 40 00 CB 0D 40 00 35 14 40 00 C0 10 40 00 00401F30 B5 0F 40 00 CD 17 40 00 76 0F 40 00 49 18 40 00 00401F40 45 16 40 00 8D 17 40 00 E8 1A 40 00 1E 18 40 00 00401F50 DB 1B 40 00 51 0F 40 00 DB 1B 40 00 80 16 40 00 00401F60 61 16 40 00 CD 11 40 00 28 16 40 00 1B 15 40 00 00401F70 AD 14 40 00 D7 17 40 00 69 17 40 00 9F 17 40 00 00401F80 E8 14 40 00 BA 11 40 00 75 16 40 00 DB 1B 40 00 00401F90 DB 1B 40 00 D1 13 40 00 57 17 40 00 7B 17 40 00 00401FA0 2F 0F 40 00 DA 0F 40 00 9F 10 40 00 69 1B 40 00 00401FB0 F8 15 40 00 DB 1B 40 00 D9 0E 40 00 3A 12 40 00 00401FC0 C1 12 40 00 94 11 40 00 2C 10 40 00 DB 1B 40 00 00401FD0 50 16 40 00 AE 15 40 00 AE 15 40 00 87 0F 40 00 00401FE0 49 0E 40 00 E5 13 40 00 36 10 40 00 4D 17 40 00 00401FF0 22 13 40 00 33 16 40 00 B7 17 40 00 9D 1A 40 00 00402000 B5 16 40 00 D6 10 40 00 E6 10 40 00 F6 10 40 00 00402010 03 11 40 00 13 11 40 00 20 11 40 00 2D 11 40 00 00402020 57 11 40 00 C6 1B 40 00 60 11 40 00 69 11 40 00 00402030 72 11 40 00 =========== 指令流: VM就是从这里读opcode的，我在上面伪代码那里已经分析过了，列在这里，大家能看得更清楚 003A46B0 00 00 00 00 43 00 00 00 33 09 13 00 BD 01 08 00 ....C...3..?. 003A46C0 46 07 00 00 E0 F1 08 08 04 00 08 00 68 00 00 00 F..囫..h... 003A46D0 90 05 00 00 90 09 00 00 90 49 00 00 FF FF FF FF ?..?..怚.. 003A46E0 38 00 00 00 58 00 00 00 58 00 00 00 58 00 00 00 8...X...X...X... 003A46F0 58 00 00 00 58 00 00 00 08 00 00 00 5A 00 00 00 X...X......Z... 003A4700 6C 01 00 00 5D 00 00 00 00 03 00 00 60 00 00 00 l..]......`... 003A4710 CC 03 00 00 63 00 00 00 1F 00 48 31 00 48 32 00 ?..c....H1.H2. 003A4720 48 33 00 48 34 00 00 00 5B 00 00 00 00 00 00 00 H3.H4...[....... 003A4730 59 00 00 00 43 00 00 00 76 00 00 00 ED 7F ED 7F Y...C...v...?? 003A4740 43 00 00 00 76 00 00 00 EE EE EE EE 43 00 00 00 C...v...铑铑C... 003A4750 76 00 00 00 00 00 00 00 39 00 00 00 44 00 00 00 v.......9...D... 003A4760 43 00 00 00 17 00 00 00 F4 FF FF FF 3A 00 00 00 C......?:... 003A4770 F4 FF FF FF 55 00 00 00 0C 00 00 00 10 00 00 00 ?U.......... 003A4780 97 00 00 00 82 00 00 00 4C 01 00 00 43 00 00 00 ?..?..L..C... 003A4790 7F 00 00 00 4C 00 00 00 3A 00 00 00 F4 FF FF FF ...L...:...? 003A47A0 55 00 00 00 0C 00 00 00 10 00 00 00 97 00 00 00 U..........?.. 003A47B0 91 00 00 00 D1 FF FF FF 33 00 00 00 8B 00 00 00 ?..?3...?.. 003A47C0 00 01 00 00 30 00 00 00 3C 00 00 00 05 00 00 00 ...0...<...... 003A47D0 FF 00 00 00 47 00 00 00 10 00 00 00 97 00 00 00 ...G......?.. 003A47E0 4C 00 00 00 3A 00 00 00 F8 FF FF FF 55 00 00 00 L...:...?U... 003A47F0 FC FF FF FF 34 00 00 00 47 00 00 00 77 00 00 00 ?4...G...w... 003A4800 27 00 00 00 FC FF FF FF 43 00 00 00 3A 00 00 00 '...?C...:... 003A4810 F4 FF FF FF 55 00 00 00 0C 00 00 00 10 00 00 00 ?U.......... 003A4820 97 00 00 00 55 00 00 00 FC FF FF FF 34 00 00 00 ?..U...?4... 003A4830 55 00 00 00 F8 FF FF FF 34 00 00 00 4C 00 00 00 U...?4...L... 003A4840 3A 00 00 00 F8 FF FF FF 11 00 00 00 05 00 00 00 :...?...... 003A4850 35 00 00 00 47 00 00 00 34 00 00 00 91 00 00 00 5...G...4...?.. 003A4860 03 00 00 00 27 00 00 00 F8 FF FF FF 39 00 00 00 ...'...?9... 003A4870 38 00 00 00 42 00 00 00 04 00 00 00 43 00 00 00 8...B......C... 003A4880 3A 00 00 00 FC FF FF FF 42 00 00 00 08 00 00 00 :...?B...... 003A4890 46 00 00 00 59 00 00 00 43 00 00 00 76 00 00 00 F...Y...C...v... 003A48A0 00 00 00 00 43 00 00 00 76 00 00 00 00 00 00 00 ....C...v....... 003A48B0 39 00 00 00 9C 01 00 00 43 00 00 00 17 00 00 00 9...?..C...... 003A48C0 F8 FF FF FF 3A 00 00 00 F8 FF FF FF 55 00 00 00 ?:...?U... 003A48D0 0C 00 00 00 10 00 00 00 97 00 00 00 82 00 00 00 .......?..?.. 003A48E0 E0 02 00 00 43 00 00 00 3A 00 00 00 F8 FF FF FF ?..C...:...? 003A48F0 11 00 00 00 01 00 00 00 4A 00 00 00 96 00 00 00 ......J...?.. 003A4900 5C 02 00 00 43 00 00 00 3A 00 00 00 FC FF FF FF \..C...:...? 003A4910 4C 00 00 00 3A 00 00 00 FC FF FF FF 11 00 00 00 L...:...?... 003A4920 07 00 00 00 35 00 00 00 4C 00 00 00 3A 00 00 00 ...5...L...:... 003A4930 F8 FF FF FF 55 00 00 00 0C 00 00 00 10 00 00 00 ?U.......... 003A4940 97 00 00 00 47 00 00 00 77 00 00 00 4C 00 00 00 ?..G...w...L... 003A4950 3A 00 00 00 FC FF FF FF 11 00 00 00 03 00 00 00 :...?...... 003A4960 45 00 00 00 47 00 00 00 77 00 00 00 47 00 00 00 E...G...w...G... 003A4970 77 00 00 00 27 00 00 00 FC FF FF FF 39 00 00 00 w...'...?9... 003A4980 D8 02 00 00 43 00 00 00 3A 00 00 00 FC FF FF FF ?..C...:...? 003A4990 4C 00 00 00 3A 00 00 00 FC FF FF FF 11 00 00 00 L...:...?... 003A49A0 0B 00 00 00 35 00 00 00 4C 00 00 00 3A 00 00 00 ...5...L...:... 003A49B0 F8 FF FF FF 55 00 00 00 0C 00 00 00 10 00 00 00 ?U.......... 003A49C0 97 00 00 00 47 00 00 00 77 00 00 00 4C 00 00 00 ?..G...w...L... 003A49D0 3A 00 00 00 FC FF FF FF 11 00 00 00 05 00 00 00 :...?...... 003A49E0 45 00 00 00 47 00 00 00 77 00 00 00 6D 00 00 00 E...G...w...m... 003A49F0 47 00 00 00 77 00 00 00 27 00 00 00 FC FF FF FF G...w...'...? 003A4A00 39 00 00 00 90 01 00 00 42 00 00 00 04 00 00 00 9...?..B...... 003A4A10 43 00 00 00 3A 00 00 00 FC FF FF FF 42 00 00 00 C...:...?B... 003A4A20 04 00 00 00 46 00 00 00 59 00 00 00 43 00 00 00 ...F...Y...C... 003A4A30 76 00 00 00 00 00 00 00 43 00 00 00 76 00 00 00 v.......C...v... 003A4A40 00 00 00 00 39 00 00 00 30 03 00 00 43 00 00 00 ....9...0..C... 003A4A50 17 00 00 00 F8 FF FF FF 3A 00 00 00 F8 FF FF FF ...?:...? 003A4A60 55 00 00 00 0C 00 00 00 10 00 00 00 97 00 00 00 U..........?.. 003A4A70 82 00 00 00 AC 03 00 00 43 00 00 00 3A 00 00 00 ?..?..C...:... 003A4A80 FC FF FF FF 75 00 00 00 C5 9D 1C 81 27 00 00 00 ?u...艥?... 003A4A90 FC FF FF FF 43 00 00 00 3A 00 00 00 FC FF FF FF ?C...:...? 003A4AA0 4C 00 00 00 3A 00 00 00 F8 FF FF FF 55 00 00 00 L...:...?U... 003A4AB0 0C 00 00 00 10 00 00 00 97 00 00 00 47 00 00 00 .......?..G... 003A4AC0 77 00 00 00 27 00 00 00 FC FF FF FF 39 00 00 00 w...'...?9... 003A4AD0 24 03 00 00 42 00 00 00 04 00 00 00 43 00 00 00 $..B......C... 003A4AE0 3A 00 00 00 FC FF FF FF 42 00 00 00 04 00 00 00 :...?B...... 003A4AF0 46 00 00 00 59 00 00 00 43 00 00 00 76 00 00 00 F...Y...C...v... 003A4B00 00 00 00 00 43 00 00 00 76 00 00 00 00 00 00 00 ....C...v....... 003A4B10 43 00 00 00 76 00 00 00 00 00 00 00 39 00 00 00 C...v.......9... 003A4B20 08 04 00 00 43 00 00 00 17 00 00 00 F4 FF FF FF ..C......? 003A4B30 3A 00 00 00 F4 FF FF FF 55 00 00 00 0C 00 00 00 :...?U....... 003A4B40 10 00 00 00 97 00 00 00 82 00 00 00 08 05 00 00 ...?..?.... 003A4B50 43 00 00 00 3A 00 00 00 FC FF FF FF 11 00 00 00 C...:...?... 003A4B60 04 00 00 00 35 00 00 00 4C 00 00 00 3A 00 00 00 ...5...L...:... 003A4B70 F4 FF FF FF 55 00 00 00 0C 00 00 00 10 00 00 00 ?U.......... 003A4B80 97 00 00 00 47 00 00 00 34 00 00 00 27 00 00 00 ?..G...4...'... 003A4B90 FC FF FF FF 43 00 00 00 3A 00 00 00 FC FF FF FF ?C...:...? 003A4BA0 11 00 00 00 00 00 00 F0 4A 00 00 00 27 00 00 00 ......餔...'... 003A4BB0 F8 FF FF FF 43 00 00 00 3A 00 00 00 F8 FF FF FF ?C...:...? 003A4BC0 82 00 00 00 D4 04 00 00 43 00 00 00 3A 00 00 00 ?..?..C...:... 003A4BD0 FC FF FF FF 4C 00 00 00 3A 00 00 00 F8 FF FF FF ?L...:...? 003A4BE0 11 00 00 00 18 00 00 00 45 00 00 00 47 00 00 00 ......E...G... 003A4BF0 77 00 00 00 27 00 00 00 FC FF FF FF 43 00 00 00 w...'...?C... 003A4C00 3A 00 00 00 FC FF FF FF 4C 00 00 00 3A 00 00 00 :...?L...:... 003A4C10 F8 FF FF FF 6D 00 00 00 47 00 00 00 4A 00 00 00 ?m...G...J... 003A4C20 27 00 00 00 FC FF FF FF 39 00 00 00 FC 03 00 00 '...?9...?.. 003A4C30 42 00 00 00 04 00 00 00 43 00 00 00 3A 00 00 00 B......C...:... 003A4C40 FC FF FF FF 42 00 00 00 08 00 00 00 46 00 00 00 ?B......F... ============= 真实计算机的堆栈和VM的寄存器对应如下： ESP+00 00DFFE7C 00DFFFEC <-进入VM后真实ESP在这里,VM运行过程中，真实的ESP是不变的。 ESP+04 00DFFE80 003A47B0 ESP+08 00DFFE84 003A47B4 ASCII "seya" ESP+0c 00DFFE88 003A47B0 ESP+10 00DFFE8C 00000000 r10 ESP+14 00DFFE90 000043F0 r14:VM_ESP ESP+18 00DFFE94 000043FC ESP+1c 00DFFE98 00000414 ESP+20 00DFFE9C 00000000 r20 ESP+24 00DFFEA0 003A4728 转移的基准地址 offiset+003A4728这是最上面那句VM_quit的地址！ ESP+28 00DFFEA4 00000000 始终等于初始的VM_ESP ESP+2c 00DFFEA8 00000414 ESP+30 00DFFEAC 003A4E30 ESP+34 00DFFEB0 003A48A0 ESP+38 00DFFEB4 00000528 ESP+3c 00DFFEB8 00000038 ESP+40 00DFFEBC 0040236B 返回到 EsperCra.0040236B 来自 EsperCra.00400C00 ESP+44 00DFFEC0 00DFFF18 ESP+48 00DFFEC4 00DFFF08 ESP+4c 00DFFEC8 00000001 ESP+50 00DFFECC 00DFFF18 ============= 说一下分析的思路,刚下手的时候完全没感觉，经过反复观察，试探，思考终于搞定了。因为是虚拟的机器，不知道它用什么方式工作，也不知道它采用几个寄存器，不过在思考过后决定先从最简单的OPCODE分析。什么操作是最简单的？也许每个人都有自己的看法，不过我觉得特征最明显的指令就是最容易下手的。突破口就是栈！目前常见的计算机几乎都是存在堆栈结构的，而这个VM也正是一个典型的栈式计算机！出栈、入栈，不光要产生数据的传送，还要对栈顶指针作加减操作，特征很明显，也很有规律，总是先出栈再加指针，先减指针再入栈（假设栈向低位生长）。因此当找到了代表栈操作的两个VM_opcode时，胜利已经可以看得见了，这时已经掌握的信息是很多的：VM_EIP使用的真实寄存器(EBP)、栈使用的内存空间、以及栈顶指针的表达方式、还有基址变址的一些参数，有了这些做基础，几乎剩下的工作就是重复的粘粘贴贴了。然而一个人做这项工作显然很考验精力、耐力，做到现在我已经不太可能再重头校对了，也许会存在某些错误，甚至有的指令功能分析的存在误解，我虽然尽量避免，不过，如果真的存在错误，请大家不吝赐教！最后，让我发句牢骚：VM的时代来临了，做苦工的日子还远么？ 2007-6-21 00:59 0
seya 雪币： 328 活跃值： (10) 能力值： ( LV9，RANK：210 ) 在线值：发帖 17 回帖 134 粉丝 0 关注私信	seya 5 3 楼 ============= VM的核心代码，后面的注释都是自己分析的时候为了方便弄上的，很多地方前后表达很含糊，前后风格不统一，不少地方还弄错了，也有些地方当时觉得一看就明白了，没加注释，大家对付看吧，实在没力气改了！ 00400DB1 \8B4D 00 mov ecx, dword ptr [ebp] ; EBP读入指令流;vm_opcode59 00400DB4 83C5 04 add ebp, 4 ; VM_EIP++ 00400DB7 49 dec ecx ; 58 00400DB8 81F9 9C000000 cmp ecx, 9C ; 9c,VM_exit 00400DBE 0F87 1B0E0000 ja 00401BDF 00400DC4 FF248D 901D4000 /jmp dword ptr [ecx4+401D90] ; ecx=code编号-1;code处理函数入口地址=ecx4+401d90 00400DCB 8B45 00 \|mov eax, dword ptr [ebp] 00400DCE 8B1C30 \|mov ebx, dword ptr [eax+esi] 00400DD1 83C5 04 \|add ebp, 4 00400DD4 895C24 10 \|mov dword ptr [esp+10], ebx 00400DD8 E9 E90D0000 \|jmp 00401BC6 00400DDD 8B45 00 \|mov eax, dword ptr [ebp] 00400DE0 8B3C30 \|mov edi, dword ptr [eax+esi] 00400DE3 83C5 04 \|add ebp, 4 00400DE6 897C24 20 \|mov dword ptr [esp+20], edi 00400DEA E9 D70D0000 \|jmp 00401BC6 00400DEF 8B45 00 \|mov eax, dword ptr [ebp] ; 取操作数;;VM_opcode 3a 00400DF2 8B5424 28 \|mov edx, dword ptr [esp+28] ; 从28号寄存器取数/堆栈底部 00400DF6 83C5 04 \|add ebp, 4 ; 指向下一指令 00400DF9 03C2 \|add eax, edx ; 栈顶指针 00400DFB 8B1C30 \|mov ebx, dword ptr [eax+esi] ; 从堆栈取数 00400DFE 895C24 10 \|mov dword ptr [esp+10], ebx ; 操作数送10号寄存器 00400E02 E9 BF0D0000 \|jmp 00401BC6 ; mov r10,[r28+C] 00400E07 8B45 00 \|mov eax, dword ptr [ebp] ; 取操作数 00400E0A 8B4C24 28 \|mov ecx, dword ptr [esp+28] ; 从28号寄存器取数 00400E0E 83C5 04 \|add ebp, 4 ; 校正下一指令地址,这是因为指令长度是可变的 00400E11 03C1 \|add eax, ecx ; 栈顶指针 00400E13 8B3C30 \|mov edi, dword ptr [eax+esi] ; 出栈 00400E16 897C24 20 \|mov dword ptr [esp+20], edi ; 送20号寄存器 00400E1A E9 A70D0000 \|jmp 00401BC6 ; mov r20,r28+c 00400E1F 8B45 00 \|mov eax, dword ptr [ebp] 00400E22 8B1430 \|mov edx, dword ptr [eax+esi] 00400E25 8B1C16 \|mov ebx, dword ptr [esi+edx] 00400E28 83C5 04 \|add ebp, 4 00400E2B 895C24 10 \|mov dword ptr [esp+10], ebx 00400E2F E9 920D0000 \|jmp 00401BC6 00400E34 8B45 00 \|mov eax, dword ptr [ebp] 00400E37 8B0430 \|mov eax, dword ptr [eax+esi] 00400E3A 8B3C06 \|mov edi, dword ptr [esi+eax] 00400E3D 83C5 04 \|add ebp, 4 00400E40 897C24 20 \|mov dword ptr [esp+20], edi 00400E44 E9 7D0D0000 \|jmp 00401BC6 00400E49 8B45 00 \|mov eax, dword ptr [ebp] 00400E4C 8B4C24 28 \|mov ecx, dword ptr [esp+28] 00400E50 83C5 04 \|add ebp, 4 00400E53 03C1 \|add eax, ecx 00400E55 8B1430 \|mov edx, dword ptr [eax+esi] 00400E58 8B1C16 \|mov ebx, dword ptr [esi+edx] 00400E5B 895C24 10 \|mov dword ptr [esp+10], ebx 00400E5F E9 620D0000 \|jmp 00401BC6 00400E64 8B45 00 \|mov eax, dword ptr [ebp] 00400E67 8B4C24 28 \|mov ecx, dword ptr [esp+28] 00400E6B 83C5 04 \|add ebp, 4 00400E6E 03C1 \|add eax, ecx 00400E70 8B1430 \|mov edx, dword ptr [eax+esi] 00400E73 8B3C16 \|mov edi, dword ptr [esi+edx] 00400E76 897C24 20 \|mov dword ptr [esp+20], edi 00400E7A E9 470D0000 \|jmp 00401BC6 00400E7F 8B45 00 \|mov eax, dword ptr [ebp] 00400E82 8B4C24 2C \|mov ecx, dword ptr [esp+2C] 00400E86 83C5 04 \|add ebp, 4 00400E89 3BD9 \|cmp ebx, ecx 00400E8B 7C 0A \|jl short 00400E97 00400E8D 3B5C24 14 \|cmp ebx, dword ptr [esp+14] 00400E91 0F8C 820D0000 \|jl 00401C19 00400E97 8B4C24 44 \|mov ecx, dword ptr [esp+44] 00400E9B 3B59 24 \|cmp ebx, dword ptr [ecx+24] 00400E9E 0F83 790D0000 \|jnb 00401C1D 00400EA4 48 \|dec eax ; Switch (cases 1..4) 00400EA5 74 25 \|je short 00400ECC 00400EA7 48 \|dec eax 00400EA8 74 15 \|je short 00400EBF 00400EAA 83E8 02 \|sub eax, 2 00400EAD 0F85 130D0000 \|jnz 00401BC6 00400EB3 8B1C33 \|mov ebx, dword ptr [ebx+esi] ; Case 4 of switch 00400EA4 00400EB6 895C24 10 \|mov dword ptr [esp+10], ebx 00400EBA E9 070D0000 \|jmp 00401BC6 00400EBF 0FB71C33 \|movzx ebx, word ptr [ebx+esi] ; Case 2 of switch 00400EA4 00400EC3 895C24 10 \|mov dword ptr [esp+10], ebx 00400EC7 E9 FA0C0000 \|jmp 00401BC6 00400ECC 0FB61C33 \|movzx ebx, byte ptr [ebx+esi] ; Case 1 of switch 00400EA4 00400ED0 895C24 10 \|mov dword ptr [esp+10], ebx 00400ED4 E9 ED0C0000 \|jmp 00401BC6 00400ED9 8B5D 00 \|mov ebx, dword ptr [ebp] ; VM_opcode 8B 00400EDC 895C24 10 \|mov dword ptr [esp+10], ebx 00400EE0 83C5 04 \|add ebp, 4 00400EE3 E9 DE0C0000 \|jmp 00401BC6 ; mov r10,C 00400EE8 8B7D 00 \|mov edi, dword ptr [ebp] ; 取操作数 00400EEB 897C24 20 \|mov dword ptr [esp+20], edi ; mov r20,edi 00400EEF 83C5 04 \|add ebp, 4 ; 下一指令 00400EF2 E9 CF0C0000 \|jmp 00401BC6 ; mov r20,c 00400EF7 8B5D 00 \|mov ebx, dword ptr [ebp] 00400EFA 8B4424 28 \|mov eax, dword ptr [esp+28] 00400EFE 83C5 04 \|add ebp, 4 00400F01 03D8 \|add ebx, eax 00400F03 895C24 10 \|mov dword ptr [esp+10], ebx 00400F07 E9 BA0C0000 \|jmp 00401BC6 00400F0C 8B7D 00 \|mov edi, dword ptr [ebp] 00400F0F 8B4424 28 \|mov eax, dword ptr [esp+28] 00400F13 83C5 04 \|add ebp, 4 00400F16 03F8 \|add edi, eax 00400F18 897C24 20 \|mov dword ptr [esp+20], edi 00400F1C E9 A50C0000 \|jmp 00401BC6 00400F21 8B45 00 \|mov eax, dword ptr [ebp] 00400F24 83C5 04 \|add ebp, 4 00400F27 891C30 \|mov dword ptr [eax+esi], ebx 00400F2A E9 930C0000 \|jmp 00401BC2 00400F2F 8B45 00 \|mov eax, dword ptr [ebp] 00400F32 83C5 04 \|add ebp, 4 00400F35 893C30 \|mov dword ptr [eax+esi], edi 00400F38 E9 850C0000 \|jmp 00401BC2 00400F3D 8B45 00 \|mov eax, dword ptr [ebp] ; 取操作数;op27 00400F40 8B4C24 28 \|mov ecx, dword ptr [esp+28] ; mov ecx,r28 00400F44 83C5 04 \|add ebp, 4 ; 指向下一指令 00400F47 03C1 \|add eax, ecx 00400F49 891C30 \|mov dword ptr [eax+esi], ebx ; mov [eax],ebx 00400F4C E9 710C0000 \|jmp 00401BC2 ; mov [r28+c],r10 00400F51 8B45 00 \|mov eax, dword ptr [ebp] 00400F54 8B5424 28 \|mov edx, dword ptr [esp+28] 00400F58 83C5 04 \|add ebp, 4 00400F5B 03C2 \|add eax, edx 00400F5D 893C30 \|mov dword ptr [eax+esi], edi 00400F60 E9 5D0C0000 \|jmp 00401BC2 00400F65 8B45 00 \|mov eax, dword ptr [ebp] 00400F68 8B0430 \|mov eax, dword ptr [eax+esi] 00400F6B 83C5 04 \|add ebp, 4 00400F6E 891C06 \|mov dword ptr [esi+eax], ebx 00400F71 E9 4C0C0000 \|jmp 00401BC2 00400F76 8B45 00 \|mov eax, dword ptr [ebp] 00400F79 8B0C30 \|mov ecx, dword ptr [eax+esi] 00400F7C 83C5 04 \|add ebp, 4 00400F7F 893C0E \|mov dword ptr [esi+ecx], edi 00400F82 E9 3B0C0000 \|jmp 00401BC2 00400F87 8B45 00 \|mov eax, dword ptr [ebp] 00400F8A 8B5424 28 \|mov edx, dword ptr [esp+28] 00400F8E 83C5 04 \|add ebp, 4 00400F91 03C2 \|add eax, edx 00400F93 8B0430 \|mov eax, dword ptr [eax+esi] 00400F96 891C06 \|mov dword ptr [esi+eax], ebx 00400F99 E9 240C0000 \|jmp 00401BC2 00400F9E 8B45 00 \|mov eax, dword ptr [ebp] 00400FA1 8B4C24 28 \|mov ecx, dword ptr [esp+28] 00400FA5 83C5 04 \|add ebp, 4 00400FA8 03C1 \|add eax, ecx 00400FAA 8B1430 \|mov edx, dword ptr [eax+esi] 00400FAD 893C16 \|mov dword ptr [esi+edx], edi 00400FB0 E9 0D0C0000 \|jmp 00401BC2 00400FB5 3B7C24 2C \|cmp edi, dword ptr [esp+2C] 00400FB9 7C 0A \|jl short 00400FC5 00400FBB 3B7C24 14 \|cmp edi, dword ptr [esp+14] 00400FBF 0F8C 350C0000 \|jl 00401BFA 00400FC5 8B4424 44 \|mov eax, dword ptr [esp+44] 00400FC9 3B78 24 \|cmp edi, dword ptr [eax+24] 00400FCC 0F83 2C0C0000 \|jnb 00401BFE 00400FD2 891C37 \|mov dword ptr [edi+esi], ebx 00400FD5 E9 E80B0000 \|jmp 00401BC2 00400FDA 8B45 00 \|mov eax, dword ptr [ebp] 00400FDD 8B4C24 2C \|mov ecx, dword ptr [esp+2C] 00400FE1 83C5 04 \|add ebp, 4 00400FE4 3BF9 \|cmp edi, ecx 00400FE6 7C 0A \|jl short 00400FF2 00400FE8 3B7C24 14 \|cmp edi, dword ptr [esp+14] 00400FEC 0F8C 270C0000 \|jl 00401C19 00400FF2 8B4C24 44 \|mov ecx, dword ptr [esp+44] 00400FF6 3B79 24 \|cmp edi, dword ptr [ecx+24] 00400FF9 0F83 1E0C0000 \|jnb 00401C1D 00400FFF 48 \|dec eax ; Switch (cases 1..4) 00401000 74 1D \|je short 0040101F 00401002 48 \|dec eax 00401003 74 11 \|je short 00401016 00401005 83E8 02 \|sub eax, 2 00401008 0F85 B80B0000 \|jnz 00401BC6 0040100E 891C37 \|mov dword ptr [edi+esi], ebx ; Case 4 of switch 00400FFF 00401011 E9 AC0B0000 \|jmp 00401BC2 00401016 66:891C37 \|mov word ptr [edi+esi], bx ; Case 2 of switch 00400FFF 0040101A E9 A30B0000 \|jmp 00401BC2 0040101F 881C37 \|mov byte ptr [edi+esi], bl ; Case 1 of switch 00400FFF 00401022 E9 9B0B0000 \|jmp 00401BC2 00401027 8D1C9F \|lea ebx, dword ptr [edi+ebx4] 0040102A EB 0A \|jmp short 00401036 0040102C 8B4D 00 \|mov ecx, dword ptr [ebp] 0040102F D3E3 \|shl ebx, cl 00401031 83C5 04 \|add ebp, 4 00401034 03DF \|add ebx, edi 00401036 3B5C24 2C \|cmp ebx, dword ptr [esp+2C] ; opcode=97;;cmp r10,r2c 0040103A 7C 0A \|jl short 00401046 0040103C 3B5C24 14 \|cmp ebx, dword ptr [esp+14] 00401040 0F8C B40B0000 \|jl 00401BFA 00401046 8B4424 44 \|mov eax, dword ptr [esp+44] ; mov,r44 0040104A 3B58 24 \|cmp ebx, dword ptr [eax+24] ; cmp r10,r2c 0040104D 0F83 AB0B0000 \|jnb 00401BFE 00401053 8B1C33 \|mov ebx, dword ptr [ebx+esi] ; offiset 400='s' 00401056 895C24 10 \|mov dword ptr [esp+10], ebx ; 操作数送10号寄存器/mov[reg,bx] 0040105A E9 670B0000 \|jmp 00401BC6 ; mov r10,ds:[r10] 0040105F 8D1C9F \|lea ebx, dword ptr [edi+ebx4] ; 指令10/取offiset400 00401062 895C24 10 \|mov dword ptr [esp+10], ebx ; 送10号寄存器 00401066 E9 5B0B0000 \|jmp 00401BC6 ; lea r10,[r104+r20] 0040106B 8B4D 00 \|mov ecx, dword ptr [ebp] 0040106E 83C5 04 \|add ebp, 4 00401071 D3E3 \|shl ebx, cl 00401073 03DF \|add ebx, edi ; VM_opcode 34 00401075 895C24 10 \|mov dword ptr [esp+10], ebx ; add r10,r20 00401079 E9 480B0000 \|jmp 00401BC6 0040107E 8B45 00 \|mov eax, dword ptr [ebp] 00401081 83C5 04 \|add ebp, 4 00401084 83F8 04 \|cmp eax, 4 00401087 0F83 390B0000 \|jnb 00401BC6 0040108D B9 04000000 \|mov ecx, 4 00401092 2BC8 \|sub ecx, eax 00401094 33D9 \|xor ebx, ecx 00401096 895C24 10 \|mov dword ptr [esp+10], ebx 0040109A E9 270B0000 \|jmp 00401BC6 0040109F 8B45 00 \|mov eax, dword ptr [ebp] 004010A2 83C5 04 \|add ebp, 4 004010A5 83F8 04 \|cmp eax, 4 004010A8 0F83 180B0000 \|jnb 00401BC6 004010AE BA 04000000 \|mov edx, 4 004010B3 2BD0 \|sub edx, eax 004010B5 33FA \|xor edi, edx 004010B7 897C24 20 \|mov dword ptr [esp+20], edi 004010BB E9 060B0000 \|jmp 00401BC6 004010C0 8B45 00 \|mov eax, dword ptr [ebp] 004010C3 83C5 04 \|add ebp, 4 004010C6 83F8 06 \|cmp eax, 6 ; Switch (cases 0..6) 004010C9 0F87 F70A0000 \|ja 00401BC6 004010CF FF2485 04204000 \|jmp dword ptr [eax4+402004] 004010D6 8B4424 34 \|mov eax, dword ptr [esp+34] ; Case 0 of switch 004010C6 004010DA 8B58 0C \|mov ebx, dword ptr [eax+C] 004010DD 895C24 10 \|mov dword ptr [esp+10], ebx 004010E1 E9 E00A0000 \|jmp 00401BC6 004010E6 8B4C24 34 \|mov ecx, dword ptr [esp+34] ; Case 1 of switch 004010C6 004010EA 8B59 10 \|mov ebx, dword ptr [ecx+10] 004010ED 895C24 10 \|mov dword ptr [esp+10], ebx 004010F1 E9 D00A0000 \|jmp 00401BC6 004010F6 8B5C24 2C \|mov ebx, dword ptr [esp+2C] ; Case 2 of switch 004010C6 004010FA 895C24 10 \|mov dword ptr [esp+10], ebx 004010FE E9 C30A0000 \|jmp 00401BC6 00401103 8B5424 44 \|mov edx, dword ptr [esp+44] ; Case 3 of switch 004010C6 00401107 8B5A 24 \|mov ebx, dword ptr [edx+24] 0040110A 895C24 10 \|mov dword ptr [esp+10], ebx 0040110E E9 B30A0000 \|jmp 00401BC6 00401113 8B5C24 14 \|mov ebx, dword ptr [esp+14] ; Case 4 of switch 004010C6 00401117 895C24 10 \|mov dword ptr [esp+10], ebx 0040111B E9 A60A0000 \|jmp 00401BC6 00401120 8B5C24 28 \|mov ebx, dword ptr [esp+28] ; Case 5 of switch 004010C6 00401124 895C24 10 \|mov dword ptr [esp+10], ebx 00401128 E9 990A0000 \|jmp 00401BC6 0040112D 8B4424 24 \|mov eax, dword ptr [esp+24] ; Case 6 of switch 004010C6 00401131 8BDD \|mov ebx, ebp 00401133 2BD8 \|sub ebx, eax 00401135 895C24 10 \|mov dword ptr [esp+10], ebx 00401139 E9 880A0000 \|jmp 00401BC6 0040113E 8B45 00 \|mov eax, dword ptr [ebp] 00401141 83C0 FE \|add eax, -2 00401144 83C5 04 \|add ebp, 4 00401147 83F8 04 \|cmp eax, 4 ; Switch (cases 0..4) 0040114A 0F87 760A0000 \|ja 00401BC6 00401150 FF2485 20204000 \|jmp dword ptr [eax4+402020] 00401157 895C24 2C \|mov dword ptr [esp+2C], ebx ; Case 0 of switch 00401147 0040115B E9 660A0000 \|jmp 00401BC6 00401160 895C24 14 \|mov dword ptr [esp+14], ebx ; Case 2 of switch 00401147 00401164 E9 5D0A0000 \|jmp 00401BC6 00401169 895C24 28 \|mov dword ptr [esp+28], ebx ; Case 3 of switch 00401147 0040116D E9 540A0000 \|jmp 00401BC6 00401172 8B4424 24 \|mov eax, dword ptr [esp+24] ; Case 4 of switch 00401147 00401176 8D2C03 \|lea ebp, dword ptr [ebx+eax] 00401179 E9 480A0000 \|jmp 00401BC6 0040117E 8BDF \|mov ebx, edi ; VM_opcode 3c 00401180 895C24 10 \|mov dword ptr [esp+10], ebx 00401184 E9 3D0A0000 \|jmp 00401BC6 ; mov r10,r20 00401189 8BFB \|mov edi, ebx 0040118B 897C24 20 \|mov dword ptr [esp+20], edi 0040118F E9 320A0000 \|jmp 00401BC6 00401194 8BC3 \|mov eax, ebx 00401196 8BDF \|mov ebx, edi 00401198 8BF8 \|mov edi, eax 0040119A 895C24 10 \|mov dword ptr [esp+10], ebx 0040119E 897C24 20 \|mov dword ptr [esp+20], edi 004011A2 E9 1F0A0000 \|jmp 00401BC6 004011A7 8B4424 14 \|mov eax, dword ptr [esp+14] ; 取栈顶指针mov eax,r14 004011AB 83E8 04 \|sub eax, 4 ; -4 004011AE 894424 14 \|mov dword ptr [esp+14], eax ; 修改栈顶指针mov r14,eax 004011B2 891C30 \|mov dword ptr [eax+esi], ebx ; 入栈push ebx/movebx,r10,esi指向栈底 004011B5 E9 080A0000 \|jmp 00401BC2 ; push r10 004011BA 8B4424 14 \|mov eax, dword ptr [esp+14] 004011BE 83E8 04 \|sub eax, 4 004011C1 894424 14 \|mov dword ptr [esp+14], eax 004011C5 893C30 \|mov dword ptr [eax+esi], edi 004011C8 E9 F5090000 \|jmp 00401BC2 004011CD 8B4D 00 \|mov ecx, dword ptr [ebp] ; 取操作数 004011D0 8B4424 14 \|mov eax, dword ptr [esp+14] ; mov eax,r14 004011D4 83C5 04 \|add ebp, 4 ; 指向下一条指令 004011D7 83E8 04 \|sub eax, 4 ; sub r14,4 004011DA 894424 14 \|mov dword ptr [esp+14], eax ; 更新栈顶指针 004011DE 890C30 \|mov dword ptr [eax+esi], ecx ; 操作数入栈 004011E1 E9 DC090000 \|jmp 00401BC2 ; push C 004011E6 8B4D 00 \|mov ecx, dword ptr [ebp] 004011E9 83C5 04 \|add ebp, 4 004011EC 85C9 \|test ecx, ecx 004011EE 0F84 D2090000 \|je 00401BC6 004011F4 8B4424 14 \|mov eax, dword ptr [esp+14] 004011F8 8B5424 30 \|mov edx, dword ptr [esp+30] 004011FC 8D6424 00 \|lea esp, dword ptr [esp] 00401200 83E8 04 \|/sub eax, 4 00401203 49 \|\|dec ecx 00401204 891C10 \|\|mov dword ptr [eax+edx], ebx 00401207 8B5C24 10 \|\|mov ebx, dword ptr [esp+10] 0040120B ^ 75 F3 \|\jnz short 00401200 0040120D 8B7424 30 \|mov esi, dword ptr [esp+30] 00401211 8B7C24 20 \|mov edi, dword ptr [esp+20] 00401215 894424 14 \|mov dword ptr [esp+14], eax 00401219 E9 A8090000 \|jmp 00401BC6 0040121E 8B4D 00 \|mov ecx, dword ptr [ebp] 00401221 8B4424 14 \|mov eax, dword ptr [esp+14] 00401225 8B0C31 \|mov ecx, dword ptr [ecx+esi] 00401228 83C5 04 \|add ebp, 4 0040122B 83E8 04 \|sub eax, 4 0040122E 894424 14 \|mov dword ptr [esp+14], eax 00401232 890C30 \|mov dword ptr [eax+esi], ecx 00401235 E9 88090000 \|jmp 00401BC2 0040123A 8B45 00 \|mov eax, dword ptr [ebp] 0040123D 8B4C24 14 \|mov ecx, dword ptr [esp+14] 00401241 8B5424 28 \|mov edx, dword ptr [esp+28] 00401245 83E9 04 \|sub ecx, 4 00401248 83C5 04 \|add ebp, 4 0040124B 03C2 \|add eax, edx 0040124D 8B0430 \|mov eax, dword ptr [eax+esi] 00401250 894C24 14 \|mov dword ptr [esp+14], ecx 00401254 890431 \|mov dword ptr [ecx+esi], eax 00401257 E9 66090000 \|jmp 00401BC2 0040125C 8B4424 14 \|mov eax, dword ptr [esp+14] 00401260 8B1C30 \|mov ebx, dword ptr [eax+esi] 00401263 83C0 04 \|add eax, 4 00401266 895C24 10 \|mov dword ptr [esp+10], ebx 0040126A 894424 14 \|mov dword ptr [esp+14], eax 0040126E E9 53090000 \|jmp 00401BC6 00401273 8B4424 14 \|mov eax, dword ptr [esp+14] ; 取栈顶指针;mov eax,r14 00401277 8B3C30 \|mov edi, dword ptr [eax+esi] ; mov edi,[r14] 0040127A 83C0 04 \|add eax, 4 ; 栈顶指针+4 0040127D 897C24 20 \|mov dword ptr [esp+20], edi ; mov r20,edi 00401281 894424 14 \|mov dword ptr [esp+14], eax ; 修改栈顶指针;op47 00401285 E9 3C090000 \|jmp 00401BC6 ; pop r20 0040128A 8B4424 14 \|mov eax, dword ptr [esp+14] ; mov eax,r14 0040128E 8B4D 00 \|mov ecx, dword ptr [ebp] ; 取操作数;mov ecx,c 00401291 8BF8 \|mov edi, eax ; mov edi,r14 00401293 03C1 \|add eax, ecx ; add eax,c 00401295 8B4C24 2C \|mov ecx, dword ptr [esp+2C] ; mov r2c,ecx 00401299 83C1 40 \|add ecx, 40 ; add,ecx,40 0040129C 83C5 04 \|add ebp, 4 ; 指向下一个指令 0040129F 3BC8 \|cmp ecx, eax ; cmp r2c+40,r14+c 004012A1 897C24 20 \|mov dword ptr [esp+20], edi ; mov r20,r14 004012A5 894424 14 \|mov dword ptr [esp+14], eax ; mov r14 ,r14+c 004012A9 ^ 0F8F F5FAFFFF \|jg 00400DA4 ; if r2c+40<r14+c then VM_exit 004012AF 8B5424 44 \|mov edx, dword ptr [esp+44] 004012B3 3B42 24 \|cmp eax, dword ptr [edx+24] 004012B6 ^ 0F8F 84FAFFFF \|jg 00400D40 ; if r14+c>[r44+24] then VM_exit 004012BC E9 05090000 \|jmp 00401BC6 ; mov r20,r14;mov r14,r14+c; 004012C1 8B4424 2C \|mov eax, dword ptr [esp+2C] 004012C5 8B4D 00 \|mov ecx, dword ptr [ebp] 004012C8 8B5424 14 \|mov edx, dword ptr [esp+14] 004012CC 8BF8 \|mov edi, eax 004012CE 03C1 \|add eax, ecx 004012D0 8D48 40 \|lea ecx, dword ptr [eax+40] 004012D3 83C5 04 \|add ebp, 4 004012D6 3BCA \|cmp ecx, edx 004012D8 897C24 20 \|mov dword ptr [esp+20], edi 004012DC 894424 2C \|mov dword ptr [esp+2C], eax 004012E0 ^ 0F8F BEFAFFFF \|jg 00400DA4 004012E6 8B5424 44 \|mov edx, dword ptr [esp+44] 004012EA 3B42 1C \|cmp eax, dword ptr [edx+1C] 004012ED ^ 0F8C 63FAFFFF \|jl 00400D56 004012F3 E9 CE080000 \|jmp 00401BC6 004012F8 8B4424 14 \|mov eax, dword ptr [esp+14] ; mov eax,r14;;VM_esp=[esp+14] 004012FC 8B5424 2C \|mov edx, dword ptr [esp+2C] ; mov edx,r2c 00401300 8B4C24 28 \|mov ecx, dword ptr [esp+28] ; mov ecx,r28 00401304 83E8 04 \|sub eax, 4 ; r14-4 00401307 83C2 40 \|add edx, 40 0040130A 3BD0 \|cmp edx, eax ; if r2c+40>r14-4 then 0040130C 894424 14 \|mov dword ptr [esp+14], eax ; mov r14,r14-4 00401310 890C30 \|mov dword ptr [eax+esi], ecx ; mov [r14-4],r28 00401313 894424 28 \|mov dword ptr [esp+28], eax ; mov r28,r14-4 00401317 ^ 0F8F 87FAFFFF \|jg 00400DA4 ; sub r14,4;;push r28;;mov r28,r14-4 0040131D E9 A0080000 \|jmp 00401BC2 00401322 8B4424 14 \|mov eax, dword ptr [esp+14] 00401326 8B0C30 \|mov ecx, dword ptr [eax+esi] 00401329 8B6C30 04 \|mov ebp, dword ptr [eax+esi+4] 0040132D 83C0 04 \|add eax, 4 00401330 83C0 04 \|add eax, 4 00401333 894424 14 \|mov dword ptr [esp+14], eax 00401337 3B6C24 38 \|cmp ebp, dword ptr [esp+38] 0040133B 894C24 28 \|mov dword ptr [esp+28], ecx 0040133F 0F83 F3080000 \|jnb 00401C38 00401345 8B5424 24 \|mov edx, dword ptr [esp+24] 00401349 03EA \|add ebp, edx 0040134B E9 76080000 \|jmp 00401BC6 00401350 8B4424 14 \|mov eax, dword ptr [esp+14] ; 取栈顶指针mov eax,r14 00401354 8B0C30 \|mov ecx, dword ptr [eax+esi] ; 取栈顶元素mov ecx,[r14] 00401357 8B6C30 04 \|mov ebp, dword ptr [eax+esi+4] ; 取栈顶第二个元素mov ebp,[r14+4] 0040135B 83C0 04 \|add eax, 4 ; add eax,4 0040135E 894C24 28 \|mov dword ptr [esp+28], ecx ; 栈顶元素送r28 mov r28,ecx 00401362 8B4C24 38 \|mov ecx, dword ptr [esp+38] ; mov ecx,r38 00401366 83C0 04 \|add eax, 4 ; add eax,4 00401369 3BE9 \|cmp ebp, ecx 0040136B 0F83 C7080000 \|jnb 00401C38 ; if [r14+4]>r28 then VM_exit 00401371 8B5424 24 \|mov edx, dword ptr [esp+24] ; mov edx,r24 00401375 8B0C30 \|mov ecx, dword ptr [eax+esi] ; 取栈顶第三个元素mov ecx,[r14+8] 00401378 03EA \|add ebp, edx ; add ebp,r24;;VM_EIP+r24+栈顶第二个的元素 0040137A 8B5424 44 \|mov edx, dword ptr [esp+44] ; mov edx,r44 0040137E 8D4408 04 \|lea eax, dword ptr [eax+ecx+4] ; lea eax,[r14+8+[r14+8]+4]；；ecx=4 00401382 894424 14 \|mov dword ptr [esp+14], eax ; 栈顶指针指向原第5个元素mov r14,eax；；r14=r14+16 00401386 8942 20 \|mov dword ptr [edx+20], eax ; mov [r44+20],eax 00401389 E9 38080000 \|jmp 00401BC6 ; mov [r44+20],[r14+8+[r14+8]+4];;mov r14,[r14+8+[r14+8]+4];pop VM_EIP 0040138E 8B4C24 24 \|mov ecx, dword ptr [esp+24] 00401392 8B4424 14 \|mov eax, dword ptr [esp+14] 00401396 8BD5 \|mov edx, ebp 00401398 2BD1 \|sub edx, ecx 0040139A 83E8 04 \|sub eax, 4 0040139D 83C2 04 \|add edx, 4 004013A0 891430 \|mov dword ptr [eax+esi], edx 004013A3 8B6D 00 \|mov ebp, dword ptr [ebp] 004013A6 894424 14 \|mov dword ptr [esp+14], eax 004013AA 03E9 \|add ebp, ecx 004013AC E9 11080000 \|jmp 00401BC2 004013B1 8B4424 14 \|mov eax, dword ptr [esp+14] 004013B5 8B4C24 24 \|mov ecx, dword ptr [esp+24] 004013B9 83E8 04 \|sub eax, 4 004013BC 2BE9 \|sub ebp, ecx 004013BE 892C30 \|mov dword ptr [eax+esi], ebp 004013C1 8B5C24 10 \|mov ebx, dword ptr [esp+10] 004013C5 894424 14 \|mov dword ptr [esp+14], eax 004013C9 8D2C0B \|lea ebp, dword ptr [ebx+ecx] 004013CC E9 F5070000 \|jmp 00401BC6 004013D1 85DB \|test ebx, ebx ; op82 004013D3 ^ 0F85 16FBFFFF \|jnz 00400EEF ; if r10=0 then goto 004013D9 8B6D 00 \|mov ebp, dword ptr [ebp] 004013DC 036C24 24 \|add ebp, dword ptr [esp+24] ; jz c ;;r24 004013E0 E9 E1070000 \|jmp 00401BC6 004013E5 85DB \|test ebx, ebx 004013E7 ^ 0F84 02FBFFFF \|je 00400EEF ; jne c 004013ED 8B6D 00 \|mov ebp, dword ptr [ebp] 004013F0 036C24 24 \|add ebp, dword ptr [esp+24] 004013F4 E9 CD070000 \|jmp 00401BC6 004013F9 3BDF \|cmp ebx, edi 004013FB ^ 0F85 EEFAFFFF \|jnz 00400EEF 00401401 8B6D 00 \|mov ebp, dword ptr [ebp] 00401404 036C24 24 \|add ebp, dword ptr [esp+24] 00401408 E9 B9070000 \|jmp 00401BC6 0040140D 3BDF \|cmp ebx, edi 0040140F ^ 0F84 DAFAFFFF \|je 00400EEF 00401415 8B6D 00 \|mov ebp, dword ptr [ebp] 00401418 036C24 24 \|add ebp, dword ptr [esp+24] 0040141C E9 A5070000 \|jmp 00401BC6 00401421 3BDF \|cmp ebx, edi 00401423 ^ 0F83 C6FAFFFF \|jnb 00400EEF 00401429 8B6D 00 \|mov ebp, dword ptr [ebp] 0040142C 036C24 24 \|add ebp, dword ptr [esp+24] 00401430 E9 91070000 \|jmp 00401BC6 00401435 3BDF \|cmp ebx, edi 00401437 ^ 0F87 B2FAFFFF \|ja 00400EEF 0040143D 8B6D 00 \|mov ebp, dword ptr [ebp] 00401440 036C24 24 \|add ebp, dword ptr [esp+24] 00401444 E9 7D070000 \|jmp 00401BC6 00401449 3BDF \|cmp ebx, edi 0040144B ^ 0F86 9EFAFFFF \|jbe 00400EEF 00401451 8B6D 00 \|mov ebp, dword ptr [ebp] 00401454 036C24 24 \|add ebp, dword ptr [esp+24] 00401458 E9 69070000 \|jmp 00401BC6 0040145D 3BDF \|cmp ebx, edi 0040145F ^ 0F82 8AFAFFFF \|jb 00400EEF 00401465 8B6D 00 \|mov ebp, dword ptr [ebp] 00401468 036C24 24 \|add ebp, dword ptr [esp+24] 0040146C E9 55070000 \|jmp 00401BC6 00401471 3BDF \|cmp ebx, edi 00401473 ^ 0F8D 76FAFFFF \|jge 00400EEF 00401479 8B6D 00 \|mov ebp, dword ptr [ebp] 0040147C 036C24 24 \|add ebp, dword ptr [esp+24] 00401480 E9 41070000 \|jmp 00401BC6 00401485 3BDF \|cmp ebx, edi 00401487 ^ 0F8F 62FAFFFF \|jg 00400EEF 0040148D 8B6D 00 \|mov ebp, dword ptr [ebp] 00401490 036C24 24 \|add ebp, dword ptr [esp+24] 00401494 E9 2D070000 \|jmp 00401BC6 00401499 3BDF \|cmp ebx, edi 0040149B ^ 0F8E 4EFAFFFF \|jle 00400EEF 004014A1 8B6D 00 \|mov ebp, dword ptr [ebp] 004014A4 036C24 24 \|add ebp, dword ptr [esp+24] 004014A8 E9 19070000 \|jmp 00401BC6 004014AD 3BDF \|cmp ebx, edi 004014AF ^ 0F8C 3AFAFFFF \|jl 00400EEF 004014B5 8B6D 00 \|mov ebp, dword ptr [ebp] ; 取操作数;;op39 004014B8 036C24 24 \|add ebp, dword ptr [esp+24] ; add ebp,ebp+r24 004014BC E9 05070000 \|jmp 00401BC6 ; add ebp,ebp+r24 004014C1 8BCF \|mov ecx, edi ; VM_opcode 35 004014C3 D3E3 \|shl ebx, cl ; shl,ebx,edi 004014C5 895C24 10 \|mov dword ptr [esp+10], ebx ; mov r10,ebx 004014C9 E9 F8060000 \|jmp 00401BC6 ; shl r10,r20 004014CE 8BCF \|mov ecx, edi 004014D0 D3EB \|shr ebx, cl 004014D2 895C24 10 \|mov dword ptr [esp+10], ebx 004014D6 E9 EB060000 \|jmp 00401BC6 ; shr r10,r20 004014DB 8BCF \|mov ecx, edi 004014DD D3FB \|sar ebx, cl 004014DF 895C24 10 \|mov dword ptr [esp+10], ebx 004014E3 E9 DE060000 \|jmp 00401BC6 004014E8 8B4D 00 \|mov ecx, dword ptr [ebp] 004014EB 83C5 04 \|add ebp, 4 004014EE D3E3 \|shl ebx, cl 004014F0 895C24 10 \|mov dword ptr [esp+10], ebx 004014F4 E9 CD060000 \|jmp 00401BC6 004014F9 8B4D 00 \|mov ecx, dword ptr [ebp] 004014FC 83C5 04 \|add ebp, 4 004014FF D3E7 \|shl edi, cl 00401501 897C24 20 \|mov dword ptr [esp+20], edi 00401505 E9 BC060000 \|jmp 00401BC6 0040150A 8B4D 00 \|mov ecx, dword ptr [ebp] 0040150D 83C5 04 \|add ebp, 4 00401510 D3EB \|shr ebx, cl 00401512 895C24 10 \|mov dword ptr [esp+10], ebx 00401516 E9 AB060000 \|jmp 00401BC6 0040151B 8B4D 00 \|mov ecx, dword ptr [ebp] 0040151E 83C5 04 \|add ebp, 4 00401521 D3EF \|shr edi, cl 00401523 897C24 20 \|mov dword ptr [esp+20], edi 00401527 E9 9A060000 \|jmp 00401BC6 0040152C 85FF \|test edi, edi 0040152E 0F84 23070000 \|je 00401C57 00401534 8BC3 \|mov eax, ebx 00401536 99 \|cdq 00401537 F7FF \|idiv edi 00401539 8BCF \|mov ecx, edi 0040153B 8BD8 \|mov ebx, eax 0040153D 99 \|cdq 0040153E F7FF \|idiv edi 00401540 895C24 10 \|mov dword ptr [esp+10], ebx 00401544 8BFA \|mov edi, edx 00401546 85FF \|test edi, edi 00401548 897C24 20 \|mov dword ptr [esp+20], edi 0040154C 0F84 74060000 \|je 00401BC6 00401552 8BD1 \|mov edx, ecx 00401554 33D7 \|xor edx, edi 00401556 0F8D 6A060000 \|jge 00401BC6 0040155C 4B \|dec ebx 0040155D 03F9 \|add edi, ecx 0040155F 895C24 10 \|mov dword ptr [esp+10], ebx 00401563 897C24 20 \|mov dword ptr [esp+20], edi 00401567 E9 5A060000 \|jmp 00401BC6 0040156C 85DB \|test ebx, ebx ; VM_opcode 30 0040156E 0F84 E3060000 \|je 00401C57 00401574 8BC7 \|mov eax, edi ; r20 00401576 99 \|cdq 00401577 F7FB \|idiv ebx ; /r10 00401579 8BCB \|mov ecx, ebx 0040157B 8BD8 \|mov ebx, eax 0040157D 8BC7 \|mov eax, edi ; r20 0040157F 99 \|cdq 00401580 F7F9 \|idiv ecx ; /r10 00401582 895C24 10 \|mov dword ptr [esp+10], ebx ; 第一步的商 00401586 8BFA \|mov edi, edx ; 余数 00401588 85FF \|test edi, edi 0040158A 897C24 20 \|mov dword ptr [esp+20], edi ; r20=余数 0040158E 0F84 32060000 \|je 00401BC6 ; 余数为0返回 00401594 8BC1 \|mov eax, ecx ; 除数 00401596 33C7 \|xor eax, edi ; xor 除数，原数 00401598 0F8D 28060000 \|jge 00401BC6 0040159E 4B \|dec ebx 0040159F 03F9 \|add edi, ecx ; 原数+除数 004015A1 895C24 10 \|mov dword ptr [esp+10], ebx ; mov r10,商减一 004015A5 897C24 20 \|mov dword ptr [esp+20], edi ; 原数+除数 004015A9 E9 18060000 jmp 00401BC6 ; idiv r20,r10;返回:r20余数，r10商；以上是有符号数除法? 004015AE 0FAFDF \|imul ebx, edi 004015B1 895C24 10 \|mov dword ptr [esp+10], ebx 004015B5 E9 0C060000 \|jmp 00401BC6 004015BA 85FF \|test edi, edi 004015BC 0F84 95060000 \|je 00401C57 004015C2 8BC3 \|mov eax, ebx 004015C4 33D2 \|xor edx, edx 004015C6 F7F7 \|div edi 004015C8 8BD8 \|mov ebx, eax 004015CA 8BFA \|mov edi, edx 004015CC 895C24 10 \|mov dword ptr [esp+10], ebx 004015D0 897C24 20 \|mov dword ptr [esp+20], edi 004015D4 E9 ED050000 \|jmp 00401BC6 004015D9 85DB \|test ebx, ebx 004015DB 0F84 76060000 \|je 00401C57 004015E1 8BC7 \|mov eax, edi 004015E3 33D2 \|xor edx, edx 004015E5 F7F3 \|div ebx 004015E7 8BD8 \|mov ebx, eax 004015E9 8BFA \|mov edi, edx 004015EB 895C24 10 \|mov dword ptr [esp+10], ebx 004015EF 897C24 20 \|mov dword ptr [esp+20], edi 004015F3 E9 CE050000 \|jmp 00401BC6 004015F8 2BDF \|sub ebx, edi 004015FA 895C24 10 \|mov dword ptr [esp+10], ebx 004015FE E9 C3050000 \|jmp 00401BC6 00401603 8BCF \|mov ecx, edi 00401605 2BCB \|sub ecx, ebx 00401607 8BD9 \|mov ebx, ecx 00401609 895C24 10 \|mov dword ptr [esp+10], ebx 0040160D E9 B4050000 \|jmp 00401BC6 00401612 23DF \|and ebx, edi ; op4a 00401614 895C24 10 \|mov dword ptr [esp+10], ebx ; and r10,r20 00401618 E9 A9050000 \|jmp 00401BC6 0040161D 0BDF \|or ebx, edi 0040161F 895C24 10 \|mov dword ptr [esp+10], ebx 00401623 E9 9E050000 \|jmp 00401BC6 00401628 33DF \|xor ebx, edi ; ;op77 0040162A 895C24 10 \|mov dword ptr [esp+10], ebx ; mov r10,ebx 0040162E E9 93050000 \|jmp 00401BC6 ; xor r10,r20 00401633 33D2 \|xor edx, edx 00401635 85DB \|test ebx, ebx 00401637 0F94C2 \|sete dl 0040163A 8BDA \|mov ebx, edx 0040163C 895C24 10 \|mov dword ptr [esp+10], ebx 00401640 E9 81050000 \|jmp 00401BC6 00401645 F7D3 \|not ebx 00401647 895C24 10 \|mov dword ptr [esp+10], ebx ; mov r10,ebx 0040164B E9 76050000 \|jmp 00401BC6 ; not r10 00401650 8B45 00 \|mov eax, dword ptr [ebp] ; 取操作数 00401653 83C5 04 \|add ebp, 4 00401656 03D8 \|add ebx, eax 00401658 895C24 10 \|mov dword ptr [esp+10], ebx 0040165C E9 65050000 \|jmp 00401BC6 ; add r10,C 00401661 8B45 00 \|mov eax, dword ptr [ebp] ; 取操作数;;VM_opcode 75 00401664 83C5 04 \|add ebp, 4 ; 指向下一条指令 00401667 0FAFC3 \|imul eax, ebx ; 操作数bx 0040166A 8BD8 \|mov ebx, eax ; 保持ebx,r10同步 0040166C 895C24 10 \|mov dword ptr [esp+10], ebx ; mov r10,ebx 00401670 E9 51050000 \|jmp 00401BC6 ; imul r10,c 00401675 33DB \|xor ebx, ebx ; VM_opcode 7f 00401677 895C24 10 \|mov dword ptr [esp+10], ebx 0040167B E9 46050000 \|jmp 00401BC6 ; xor r10,r10 00401680 33FF \|xor edi, edi 00401682 897C24 20 \|mov dword ptr [esp+20], edi 00401686 E9 3B050000 \|jmp 00401BC6 0040168B 8B45 00 \|mov eax, dword ptr [ebp] 0040168E 83C5 04 \|add ebp, 4 00401691 C70430 00000000 \|mov dword ptr [eax+esi], 0 00401698 E9 25050000 \|jmp 00401BC2 0040169D 8B45 00 \|mov eax, dword ptr [ebp] 004016A0 8B4C24 28 \|mov ecx, dword ptr [esp+28] 004016A4 83C5 04 \|add ebp, 4 004016A7 03C1 \|add eax, ecx 004016A9 C70430 00000000 \|mov dword ptr [eax+esi], 0 004016B0 E9 0D050000 \|jmp 00401BC2 004016B5 8BD3 \|mov edx, ebx 004016B7 81E2 FF000000 \|and edx, 0FF 004016BD 81FA 80000000 \|cmp edx, 80 004016C3 0F8C FD040000 \|jl 00401BC6 004016C9 81CB 00FFFFFF \|or ebx, FFFFFF00 004016CF 895C24 10 \|mov dword ptr [esp+10], ebx 004016D3 E9 EE040000 \|jmp 00401BC6 004016D8 8BC7 \|mov eax, edi 004016DA 25 FF000000 \|and eax, 0FF 004016DF 3D 80000000 \|cmp eax, 80 004016E4 0F8C DC040000 \|jl 00401BC6 004016EA 81CF 00FFFFFF \|or edi, FFFFFF00 004016F0 897C24 20 \|mov dword ptr [esp+20], edi 004016F4 E9 CD040000 \|jmp 00401BC6 004016F9 33C9 \|xor ecx, ecx 004016FB 3BDF \|cmp ebx, edi 004016FD 0F94C1 \|sete cl 00401700 8BD9 \|mov ebx, ecx 00401702 895C24 10 \|mov dword ptr [esp+10], ebx 00401706 E9 BB040000 \|jmp 00401BC6 0040170B 33D2 \|xor edx, edx 0040170D 3BDF \|cmp ebx, edi 0040170F 0F95C2 \|setne dl 00401712 8BDA \|mov ebx, edx 00401714 895C24 10 \|mov dword ptr [esp+10], ebx 00401718 E9 A9040000 \|jmp 00401BC6 0040171D 3BDF \|cmp ebx, edi 0040171F 1BDB \|sbb ebx, ebx 00401721 F7DB \|neg ebx 00401723 895C24 10 \|mov dword ptr [esp+10], ebx 00401727 E9 9A040000 \|jmp 00401BC6 2007-6-21 01:00 0
seya 雪币： 328 活跃值： (10) 能力值： ( LV9，RANK：210 ) 在线值：发帖 17 回帖 134 粉丝 0 关注私信	seya 5 4 楼 0040172C 3BFB \|cmp edi, ebx 0040172E 1BDB \|sbb ebx, ebx 00401730 43 \|inc ebx 00401731 895C24 10 \|mov dword ptr [esp+10], ebx 00401735 E9 8C040000 \|jmp 00401BC6 0040173A 3BFB \|cmp edi, ebx 0040173C 1BDB \|sbb ebx, ebx 0040173E F7DB \|neg ebx 00401740 895C24 10 \|mov dword ptr [esp+10], ebx 00401744 E9 7D040000 \|jmp 00401BC6 00401749 3BDF \|cmp ebx, edi 0040174B 1BDB \|sbb ebx, ebx 0040174D 43 \|inc ebx 0040174E 895C24 10 \|mov dword ptr [esp+10], ebx 00401752 E9 6F040000 \|jmp 00401BC6 00401757 33C0 \|xor eax, eax 00401759 3BDF \|cmp ebx, edi 0040175B 0F9CC0 \|setl al 0040175E 8BD8 \|mov ebx, eax 00401760 895C24 10 \|mov dword ptr [esp+10], ebx 00401764 E9 5D040000 \|jmp 00401BC6 00401769 33C9 \|xor ecx, ecx 0040176B 3BDF \|cmp ebx, edi 0040176D 0F9EC1 \|setle cl 00401770 8BD9 \|mov ebx, ecx 00401772 895C24 10 \|mov dword ptr [esp+10], ebx 00401776 E9 4B040000 \|jmp 00401BC6 0040177B 33D2 \|xor edx, edx 0040177D 3BDF \|cmp ebx, edi 0040177F 0F9FC2 \|setg dl 00401782 8BDA \|mov ebx, edx 00401784 895C24 10 \|mov dword ptr [esp+10], ebx 00401788 E9 39040000 \|jmp 00401BC6 0040178D 33C0 \|xor eax, eax 0040178F 3BDF \|cmp ebx, edi 00401791 0F9DC0 \|setge al 00401794 8BD8 \|mov ebx, eax 00401796 895C24 10 \|mov dword ptr [esp+10], ebx 0040179A E9 27040000 \|jmp 00401BC6 0040179F 8B45 00 \|mov eax, dword ptr [ebp] 004017A2 33C9 \|xor ecx, ecx 004017A4 83C5 04 \|add ebp, 4 004017A7 3BD8 \|cmp ebx, eax 004017A9 0F94C1 \|sete cl 004017AC 8BD9 \|mov ebx, ecx 004017AE 895C24 10 \|mov dword ptr [esp+10], ebx 004017B2 E9 0F040000 \|jmp 00401BC6 004017B7 8B45 00 \|mov eax, dword ptr [ebp] 004017BA 33DB \|xor ebx, ebx 004017BC 83C5 04 \|add ebp, 4 004017BF 3BF8 \|cmp edi, eax 004017C1 0F94C3 \|sete bl 004017C4 895C24 10 \|mov dword ptr [esp+10], ebx 004017C8 E9 F9030000 \|jmp 00401BC6 004017CD 47 \|inc edi 004017CE 897C24 20 \|mov dword ptr [esp+20], edi 004017D2 E9 EF030000 \|jmp 00401BC6 004017D7 8B45 00 \|mov eax, dword ptr [ebp] 004017DA 8B0C30 \|mov ecx, dword ptr [eax+esi] 004017DD 83C5 04 \|add ebp, 4 004017E0 41 \|inc ecx 004017E1 890C30 \|mov dword ptr [eax+esi], ecx 004017E4 E9 D9030000 \|jmp 00401BC2 004017E9 8B45 00 \|mov eax, dword ptr [ebp] ; 取操作数;;op17 004017EC 8B5424 28 \|mov edx, dword ptr [esp+28] ; mov edx,r28 004017F0 03C2 \|add eax, edx 004017F2 8B0C30 \|mov ecx, dword ptr [eax+esi] ; mov ecx,[r28+c]；；esi存放基址 004017F5 03C6 \|add eax, esi 004017F7 83C5 04 \|add ebp, 4 ; 指向下一个指令 004017FA 41 \|inc ecx 004017FB 8908 \|mov dword ptr [eax], ecx 004017FD E9 C0030000 \|jmp 00401BC2 ; inc [r28+c] 00401802 FF0433 \|inc dword ptr [ebx+esi] 00401805 E9 B8030000 \|jmp 00401BC2 0040180A 4B \|dec ebx 0040180B 895C24 10 \|mov dword ptr [esp+10], ebx 0040180F E9 B2030000 \|jmp 00401BC6 00401814 4F \|dec edi 00401815 897C24 20 \|mov dword ptr [esp+20], edi 00401819 E9 A8030000 \|jmp 00401BC6 0040181E 8B45 00 \|mov eax, dword ptr [ebp] 00401821 8B0C30 \|mov ecx, dword ptr [eax+esi] 00401824 83C5 04 \|add ebp, 4 00401827 49 \|dec ecx 00401828 890C30 \|mov dword ptr [eax+esi], ecx 0040182B E9 92030000 \|jmp 00401BC2 00401830 8B45 00 \|mov eax, dword ptr [ebp] 00401833 8B4C24 28 \|mov ecx, dword ptr [esp+28] 00401837 03C1 \|add eax, ecx 00401839 8B0C30 \|mov ecx, dword ptr [eax+esi] 0040183C 03C6 \|add eax, esi 0040183E 83C5 04 \|add ebp, 4 00401841 49 \|dec ecx 00401842 8908 \|mov dword ptr [eax], ecx 00401844 E9 79030000 \|jmp 00401BC2 00401849 FF0C33 \|dec dword ptr [ebx+esi] 0040184C E9 71030000 \|jmp 00401BC2 00401851 8B4D 00 \|mov ecx, dword ptr [ebp] 00401854 8B5424 2C \|mov edx, dword ptr [esp+2C] 00401858 83C5 04 \|add ebp, 4 0040185B 3BDA \|cmp ebx, edx 0040185D 7C 0A \|jl short 00401869 0040185F 3B5C24 14 \|cmp ebx, dword ptr [esp+14] 00401863 0F8C 0D040000 \|jl 00401C76 00401869 8B7424 44 \|mov esi, dword ptr [esp+44] 0040186D 3B5E 24 \|cmp ebx, dword ptr [esi+24] 00401870 0F83 04040000 \|jnb 00401C7A 00401876 8D0419 \|lea eax, dword ptr [ecx+ebx] 00401879 3BC2 \|cmp eax, edx 0040187B 7E 0E \|jle short 0040188B 0040187D 3B4424 14 \|cmp eax, dword ptr [esp+14] 00401881 0F8C 0E040000 \|jl 00401C95 00401887 8B7424 44 \|mov esi, dword ptr [esp+44] 0040188B 8B76 24 \|mov esi, dword ptr [esi+24] 0040188E 3BC6 \|cmp eax, esi 00401890 0F87 FF030000 \|ja 00401C95 00401896 3BFA \|cmp edi, edx 00401898 7C 0A \|jl short 004018A4 0040189A 3B7C24 14 \|cmp edi, dword ptr [esp+14] 0040189E 0F8C F1030000 \|jl 00401C95 004018A4 3BFE \|cmp edi, esi 004018A6 0F83 E9030000 \|jnb 00401C95 004018AC 03F9 \|add edi, ecx 004018AE 3BFA \|cmp edi, edx 004018B0 7E 0A \|jle short 004018BC 004018B2 3B7C24 14 \|cmp edi, dword ptr [esp+14] 004018B6 0F8C D9030000 \|jl 00401C95 004018BC 3BFE \|cmp edi, esi 004018BE 0F87 D1030000 \|ja 00401C95 004018C4 8B4424 30 \|mov eax, dword ptr [esp+30] 004018C8 8B5424 20 \|mov edx, dword ptr [esp+20] 004018CC 8D3403 \|lea esi, dword ptr [ebx+eax] 004018CF 8D3C02 \|lea edi, dword ptr [edx+eax] 004018D2 8BC1 \|mov eax, ecx 004018D4 C1E9 02 \|shr ecx, 2 004018D7 F3:A5 \|rep movs dword ptr es:[edi], dword > 004018D9 8BC8 \|mov ecx, eax 004018DB 83E1 03 \|and ecx, 3 004018DE F3:A4 \|rep movs byte ptr es:[edi], byte pt> 004018E0 8B7424 30 \|mov esi, dword ptr [esp+30] 004018E4 8BFA \|mov edi, edx 004018E6 E9 D7020000 \|jmp 00401BC2 004018EB 8B4D 00 \|mov ecx, dword ptr [ebp] 004018EE 8B5424 2C \|mov edx, dword ptr [esp+2C] 004018F2 83C5 04 \|add ebp, 4 004018F5 3BDA \|cmp ebx, edx 004018F7 7C 0A \|jl short 00401903 004018F9 3B5C24 14 \|cmp ebx, dword ptr [esp+14] 004018FD 0F8C B1030000 \|jl 00401CB4 00401903 8B7424 44 \|mov esi, dword ptr [esp+44] 00401907 3B5E 24 \|cmp ebx, dword ptr [esi+24] 0040190A 0F83 A8030000 \|jnb 00401CB8 00401910 8D0419 \|lea eax, dword ptr [ecx+ebx] 00401913 3BC2 \|cmp eax, edx 00401915 7E 0E \|jle short 00401925 00401917 3B4424 14 \|cmp eax, dword ptr [esp+14] 0040191B 0F8C 17030000 \|jl 00401C38 00401921 8B7424 44 \|mov esi, dword ptr [esp+44] 00401925 8B76 24 \|mov esi, dword ptr [esi+24] 00401928 3BC6 \|cmp eax, esi 0040192A 0F87 08030000 \|ja 00401C38 00401930 3BFA \|cmp edi, edx 00401932 7C 0A \|jl short 0040193E 00401934 3B7C24 14 \|cmp edi, dword ptr [esp+14] 00401938 0F8C FA020000 \|jl 00401C38 0040193E 3BFE \|cmp edi, esi 00401940 0F83 F2020000 \|jnb 00401C38 00401946 03F9 \|add edi, ecx 00401948 3BFA \|cmp edi, edx 0040194A 7E 0A \|jle short 00401956 0040194C 3B7C24 14 \|cmp edi, dword ptr [esp+14] 00401950 0F8C E2020000 \|jl 00401C38 00401956 3BFE \|cmp edi, esi 00401958 0F87 DA020000 \|ja 00401C38 0040195E 8B4424 30 \|mov eax, dword ptr [esp+30] 00401962 8B5424 20 \|mov edx, dword ptr [esp+20] 00401966 8D3C03 \|lea edi, dword ptr [ebx+eax] 00401969 8D3402 \|lea esi, dword ptr [edx+eax] 0040196C 33DB \|xor ebx, ebx 0040196E F3:A6 \|repe cmps byte ptr es:[edi], byte pt> 00401970 74 05 \|je short 00401977 00401972 1BDB \|sbb ebx, ebx 00401974 83DB FF \|sbb ebx, -1 00401977 8B7424 30 \|mov esi, dword ptr [esp+30] 0040197B 8B7C24 20 \|mov edi, dword ptr [esp+20] 0040197F 895C24 10 \|mov dword ptr [esp+10], ebx 00401983 E9 3E020000 \|jmp 00401BC6 00401988 8B45 00 \|mov eax, dword ptr [ebp] 0040198B 8B5424 2C \|mov edx, dword ptr [esp+2C] 0040198F 83C5 04 \|add ebp, 4 00401992 3BFA \|cmp edi, edx 00401994 7C 0A \|jl short 004019A0 00401996 3B7C24 14 \|cmp edi, dword ptr [esp+14] 0040199A 0F8C 79020000 \|jl 00401C19 004019A0 8B4C24 44 \|mov ecx, dword ptr [esp+44] 004019A4 3B79 24 \|cmp edi, dword ptr [ecx+24] 004019A7 0F83 70020000 \|jnb 00401C1D 004019AD 8D0C38 \|lea ecx, dword ptr [eax+edi] 004019B0 3BCA \|cmp ecx, edx 004019B2 7E 0A \|jle short 004019BE 004019B4 3B4C24 14 \|cmp ecx, dword ptr [esp+14] 004019B8 0F8C 7A020000 \|jl 00401C38 004019BE 8B5424 44 \|mov edx, dword ptr [esp+44] 004019C2 3B4A 24 \|cmp ecx, dword ptr [edx+24] 004019C5 0F87 6D020000 \|ja 00401C38 004019CB 83F8 04 \|cmp eax, 4 004019CE 0F82 F2010000 \|jb 00401BC6 004019D4 8D0C37 \|lea ecx, dword ptr [edi+esi] 004019D7 C1E8 02 \|shr eax, 2 004019DA 8D9B 00000000 \|lea ebx, dword ptr [ebx] 004019E0 8919 \|/mov dword ptr [ecx], ebx 004019E2 8B5C24 10 \|\|mov ebx, dword ptr [esp+10] 004019E6 83C1 04 \|\|add ecx, 4 004019E9 48 \|\|dec eax 004019EA ^ 75 F4 \|\jnz short 004019E0 004019EC 8B7424 30 \|mov esi, dword ptr [esp+30] 004019F0 8B7C24 20 \|mov edi, dword ptr [esp+20] 004019F4 E9 CD010000 \|jmp 00401BC6 004019F9 8B45 00 \|mov eax, dword ptr [ebp] ; VM_opcode 5 004019FC 83C5 04 \|add ebp, 4 004019FF 3BD8 \|cmp ebx, eax ; 比较r10和操作数 00401A01 0F86 BF010000 \|jbe 00401BC6 ; 估计是检测错误的，对算法影响不大 00401A07 8B4424 24 \|mov eax, dword ptr [esp+24] 00401A0B 8B4C24 18 \|mov ecx, dword ptr [esp+18] 00401A0F 8B5424 1C \|mov edx, dword ptr [esp+1C] 00401A13 2BE8 \|sub ebp, eax 00401A15 8B4424 44 \|mov eax, dword ptr [esp+44] 00401A19 8968 10 \|mov dword ptr [eax+10], ebp 00401A1C 5D \|pop ebp 00401A1D 5E \|pop esi 00401A1E 5F \|pop edi 00401A1F 8948 20 \|mov dword ptr [eax+20], ecx 00401A22 8950 18 \|mov dword ptr [eax+18], edx 00401A25 B8 04000000 \|mov eax, 4 00401A2A 5B \|pop ebx 00401A2B 83C4 30 \|add esp, 30 00401A2E C3 \|retn 00401A2F 8B4424 24 \|mov eax, dword ptr [esp+24] 00401A33 8B5424 2C \|mov edx, dword ptr [esp+2C] 00401A37 8BCD \|mov ecx, ebp 00401A39 2BC8 \|sub ecx, eax 00401A3B 8B4424 44 \|mov eax, dword ptr [esp+44] 00401A3F 8948 10 \|mov dword ptr [eax+10], ecx 00401A42 8B4C24 28 \|mov ecx, dword ptr [esp+28] 00401A46 8948 14 \|mov dword ptr [eax+14], ecx 00401A49 8B4C24 14 \|mov ecx, dword ptr [esp+14] 00401A4D 8948 20 \|mov dword ptr [eax+20], ecx 00401A50 03CE \|add ecx, esi 00401A52 51 \|push ecx 00401A53 8950 18 \|mov dword ptr [eax+18], edx 00401A56 8D5424 14 \|lea edx, dword ptr [esp+14] 00401A5A 52 \|push edx 00401A5B 53 \|push ebx 00401A5C 50 \|push eax 00401A5D FF50 08 \|call dword ptr [eax+8] 00401A60 83C4 10 \|add esp, 10 00401A63 85C0 \|test eax, eax 00401A65 0F84 57010000 \|je 00401BC2 00401A6B 83F8 0C \|cmp eax, 0C 00401A6E 8B5424 18 \|mov edx, dword ptr [esp+18] 00401A72 0F85 C9020000 \|jnz 00401D41 00401A78 8B4424 44 \|mov eax, dword ptr [esp+44] 00401A7C 8B4C24 10 \|mov ecx, dword ptr [esp+10] 00401A80 5D \|pop ebp 00401A81 8948 54 \|mov dword ptr [eax+54], ecx 00401A84 8B4C24 18 \|mov ecx, dword ptr [esp+18] 00401A88 5E \|pop esi 00401A89 8978 58 \|mov dword ptr [eax+58], edi 00401A8C 5F \|pop edi 00401A8D 8950 5C \|mov dword ptr [eax+5C], edx 00401A90 8948 60 \|mov dword ptr [eax+60], ecx 00401A93 B8 0C000000 \|mov eax, 0C 00401A98 5B \|pop ebx 00401A99 83C4 30 \|add esp, 30 00401A9C C3 \|retn 00401A9D 8B45 00 \|mov eax, dword ptr [ebp] 00401AA0 8B5C24 24 \|mov ebx, dword ptr [esp+24] 00401AA4 8B5424 2C \|mov edx, dword ptr [esp+2C] 00401AA8 83C5 04 \|add ebp, 4 00401AAB 8BCD \|mov ecx, ebp 00401AAD 2BCB \|sub ecx, ebx 00401AAF 8B5C24 44 \|mov ebx, dword ptr [esp+44] 00401AB3 894B 10 \|mov dword ptr [ebx+10], ecx 00401AB6 8B4C24 28 \|mov ecx, dword ptr [esp+28] 00401ABA 894B 14 \|mov dword ptr [ebx+14], ecx 00401ABD 8B4C24 14 \|mov ecx, dword ptr [esp+14] 00401AC1 894B 20 \|mov dword ptr [ebx+20], ecx 00401AC4 03CE \|add ecx, esi 00401AC6 51 \|push ecx 00401AC7 8953 18 \|mov dword ptr [ebx+18], edx 00401ACA 8D5424 14 \|lea edx, dword ptr [esp+14] 00401ACE 52 \|push edx 00401ACF 50 \|push eax 00401AD0 53 \|push ebx 00401AD1 FF53 08 \|call dword ptr [ebx+8] 00401AD4 83C4 10 \|add esp, 10 00401AD7 E9 DE000000 \|jmp 00401BBA 00401ADC 8B45 00 \|mov eax, dword ptr [ebp] 00401ADF 8D6C28 04 \|lea ebp, dword ptr [eax+ebp+4] 00401AE3 E9 DE000000 \|jmp 00401BC6 00401AE8 83C5 08 \|add ebp, 8 00401AEB E9 D6000000 \|jmp 00401BC6 00401AF0 8B4C24 24 \|mov ecx, dword ptr [esp+24] 00401AF4 8D2C0B \|lea ebp, dword ptr [ebx+ecx] 00401AF7 E9 CA000000 \|jmp 00401BC6 00401AFC 8B55 00 \|mov edx, dword ptr [ebp] 00401AFF 8B4C24 24 \|mov ecx, dword ptr [esp+24] 00401B03 8B6C11 08 \|mov ebp, dword ptr [ecx+edx+8] 00401B07 8D4411 04 \|lea eax, dword ptr [ecx+edx+4] 00401B0B 03E9 \|add ebp, ecx 00401B0D 8B08 \|mov ecx, dword ptr [eax] 00401B0F 83C0 08 \|add eax, 8 00401B12 85C9 \|test ecx, ecx 00401B14 0F8E AC000000 \|jle 00401BC6 00401B1A 8D9B 00000000 \|lea ebx, dword ptr [ebx] 00401B20 3918 \|/cmp dword ptr [eax], ebx 00401B22 74 0D \|\|je short 00401B31 00401B24 49 \|\|dec ecx 00401B25 83C0 08 \|\|add eax, 8 00401B28 85C9 \|\|test ecx, ecx 00401B2A ^ 7F F4 \|\jg short 00401B20 00401B2C E9 95000000 \|jmp 00401BC6 00401B31 85C9 \|test ecx, ecx 00401B33 0F8E 8D000000 \|jle 00401BC6 00401B39 8B68 04 \|mov ebp, dword ptr [eax+4] 00401B3C 036C24 24 \|add ebp, dword ptr [esp+24] 00401B40 E9 81000000 \|jmp 00401BC6 00401B45 8B4424 14 \|mov eax, dword ptr [esp+14] 00401B49 8B0C30 \|mov ecx, dword ptr [eax+esi] 00401B4C 891C30 \|mov dword ptr [eax+esi], ebx 00401B4F 8BD9 \|mov ebx, ecx 00401B51 895C24 10 \|mov dword ptr [esp+10], ebx 00401B55 EB 6F \|jmp short 00401BC6 00401B57 8B4424 14 \|mov eax, dword ptr [esp+14] 00401B5B 8B0C30 \|mov ecx, dword ptr [eax+esi] 00401B5E 893C30 \|mov dword ptr [eax+esi], edi 00401B61 8BF9 \|mov edi, ecx 00401B63 897C24 20 \|mov dword ptr [esp+20], edi 00401B67 EB 59 \|jmp short 00401BC2 00401B69 8B45 00 \|mov eax, dword ptr [ebp] 00401B6C 8B4C24 14 \|mov ecx, dword ptr [esp+14] 00401B70 8B5424 28 \|mov edx, dword ptr [esp+28] 00401B74 83E9 04 \|sub ecx, 4 00401B77 83C5 04 \|add ebp, 4 00401B7A 03C2 \|add eax, edx 00401B7C 894C24 14 \|mov dword ptr [esp+14], ecx 00401B80 890431 \|mov dword ptr [ecx+esi], eax 00401B83 EB 3D \|jmp short 00401BC2 00401B85 8B4424 44 \|mov eax, dword ptr [esp+44] ; mov eax,r44;;VM_opcode 43 00401B89 8B40 0C \|mov eax, dword ptr [eax+C] ; mov eax,[r44+0xC] 00401B8C 85C0 \|test eax, eax 00401B8E 74 36 \|je short 00401BC6 ; if [r44+c]<>0 then VM_exit 00401B90 8B5C24 44 \|mov ebx, dword ptr [esp+44] 00401B94 8B4C24 28 \|mov ecx, dword ptr [esp+28] 00401B98 8B5424 14 \|mov edx, dword ptr [esp+14] 00401B9C 894B 14 \|mov dword ptr [ebx+14], ecx 00401B9F 8B4C24 2C \|mov ecx, dword ptr [esp+2C] 00401BA3 8953 20 \|mov dword ptr [ebx+20], edx 00401BA6 894B 18 \|mov dword ptr [ebx+18], ecx 00401BA9 8B4C24 24 \|mov ecx, dword ptr [esp+24] 00401BAD 8BD5 \|mov edx, ebp 00401BAF 2BD1 \|sub edx, ecx 00401BB1 53 \|push ebx 00401BB2 8953 10 \|mov dword ptr [ebx+10], edx 00401BB5 FFD0 \|call eax 00401BB7 83C4 04 \|add esp, 4 00401BBA 85C0 \|test eax, eax 00401BBC 0F85 95010000 \|jnz 00401D57 00401BC2 8B5C24 10 \|mov ebx, dword ptr [esp+10] ; 这是为了保证r10和ebx的值始终同步 00401BC6 8B45 00 \|mov eax, dword ptr [ebp] ; VM_opcode; Default case of switch 00401147; Default case of switch 00401147 00401BC9 8D48 FF \|lea ecx, dword ptr [eax-1] ; VM_opcode-1 00401BCC 83C5 04 \|add ebp, 4 ; VM_EIP++ 00401BCF 81F9 9C000000 \|cmp ecx, 9C ; VM_exit? 00401BD5 ^ 0F86 E9F1FFFF \jbe 00400DC4 00401BDB 8B4424 44 mov eax, dword ptr [esp+44] 00401BDF 8B4C24 18 mov ecx, dword ptr [esp+18] 00401BE3 8B5424 1C mov edx, dword ptr [esp+1C] 00401BE7 5D pop ebp 00401BE8 8948 20 mov dword ptr [eax+20], ecx 00401BEB 8950 18 mov dword ptr [eax+18], edx 00401BEE B8 06000000 mov eax, 6 00401BF3 5E pop esi 00401BF4 5F pop edi 00401BF5 5B pop ebx 00401BF6 83C4 30 add esp, 30 00401BF9 C3 retn 00401BFA 8B4424 44 mov eax, dword ptr [esp+44] 00401BFE 8B4C24 18 mov ecx, dword ptr [esp+18] 00401C02 8B5424 1C mov edx, dword ptr [esp+1C] 00401C06 5D pop ebp 00401C07 5E pop esi 00401C08 5F pop edi 00401C09 8948 20 mov dword ptr [eax+20], ecx 00401C0C 8950 18 mov dword ptr [eax+18], edx 00401C0F B8 05000000 mov eax, 5 00401C14 5B pop ebx 00401C15 83C4 30 add esp, 30 00401C18 C3 retn 00401C19 8B4C24 44 mov ecx, dword ptr [esp+44] 00401C1D 8B4424 18 mov eax, dword ptr [esp+18] 00401C21 8B5424 1C mov edx, dword ptr [esp+1C] 00401C25 5D pop ebp 00401C26 5E pop esi 00401C27 5F pop edi 00401C28 8941 20 mov dword ptr [ecx+20], eax 00401C2B 8951 18 mov dword ptr [ecx+18], edx 00401C2E B8 05000000 mov eax, 5 00401C33 5B pop ebx 00401C34 83C4 30 add esp, 30 00401C37 C3 retn 00401C38 8B4424 44 mov eax, dword ptr [esp+44] 00401C3C 8B4C24 18 mov ecx, dword ptr [esp+18] 00401C40 8B5424 1C mov edx, dword ptr [esp+1C] 00401C44 5D pop ebp 00401C45 5E pop esi 00401C46 5F pop edi 00401C47 8948 20 mov dword ptr [eax+20], ecx 00401C4A 8950 18 mov dword ptr [eax+18], edx 00401C4D B8 05000000 mov eax, 5 00401C52 5B pop ebx 00401C53 83C4 30 add esp, 30 00401C56 C3 retn 00401C57 8B4424 44 mov eax, dword ptr [esp+44] 00401C5B 8B4C24 18 mov ecx, dword ptr [esp+18] 00401C5F 8B5424 1C mov edx, dword ptr [esp+1C] 00401C63 5D pop ebp 00401C64 5E pop esi 00401C65 5F pop edi 00401C66 8948 20 mov dword ptr [eax+20], ecx 00401C69 8950 18 mov dword ptr [eax+18], edx 00401C6C B8 0B000000 mov eax, 0B 00401C71 5B pop ebx 00401C72 83C4 30 add esp, 30 00401C75 C3 retn 00401C76 8B7424 44 mov esi, dword ptr [esp+44] 00401C7A 8B4424 18 mov eax, dword ptr [esp+18] 00401C7E 8B4C24 1C mov ecx, dword ptr [esp+1C] 00401C82 5D pop ebp 00401C83 8946 20 mov dword ptr [esi+20], eax 00401C86 894E 18 mov dword ptr [esi+18], ecx 00401C89 5E pop esi 00401C8A 5F pop edi 00401C8B B8 05000000 mov eax, 5 00401C90 5B pop ebx 00401C91 83C4 30 add esp, 30 00401C94 C3 retn 00401C95 8B4424 44 mov eax, dword ptr [esp+44] 00401C99 8B5424 18 mov edx, dword ptr [esp+18] 00401C9D 8B4C24 1C mov ecx, dword ptr [esp+1C] 00401CA1 5D pop ebp 00401CA2 5E pop esi 00401CA3 5F pop edi 00401CA4 8950 20 mov dword ptr [eax+20], edx 00401CA7 8948 18 mov dword ptr [eax+18], ecx 00401CAA B8 05000000 mov eax, 5 00401CAF 5B pop ebx 00401CB0 83C4 30 add esp, 30 00401CB3 C3 retn 00401CB4 8B7424 44 mov esi, dword ptr [esp+44] 00401CB8 8B4424 1C mov eax, dword ptr [esp+1C] 00401CBC 8B5424 18 mov edx, dword ptr [esp+18] 00401CC0 5D pop ebp 00401CC1 8946 18 mov dword ptr [esi+18], eax 00401CC4 8956 20 mov dword ptr [esi+20], edx 00401CC7 5E pop esi 00401CC8 5F pop edi 00401CC9 B8 05000000 mov eax, 5 00401CCE 5B pop ebx 00401CCF 83C4 30 add esp, 30 00401CD2 C3 retn 00401CD3 8B45 00 mov eax, dword ptr [ebp] ; 取操作数 00401CD6 8B4C24 48 mov ecx, dword ptr [esp+48] ; mov ecx,r48 00401CDA 83C5 04 add ebp, 4 ; 下一指令 00401CDD 85C9 test ecx, ecx 00401CDF 74 02 je short 00401CE3 00401CE1 8919 mov dword ptr [ecx], ebx ; 保存要传回的参数,哦也,就是他了 00401CE3 8B4C24 44 mov ecx, dword ptr [esp+44] 00401CE7 8B7424 24 mov esi, dword ptr [esp+24] ; esi=old _eip 00401CEB 8B5424 28 mov edx, dword ptr [esp+28] 00401CEF 2BEE sub ebp, esi 00401CF1 83F8 0C cmp eax, 0C 00401CF4 8951 14 mov dword ptr [ecx+14], edx 00401CF7 8959 54 mov dword ptr [ecx+54], ebx 00401CFA 8979 58 mov dword ptr [ecx+58], edi 00401CFD 8969 10 mov dword ptr [ecx+10], ebp 00401D00 75 29 jnz short 00401D2B 00401D02 8B4424 14 mov eax, dword ptr [esp+14] 00401D06 8B5424 2C mov edx, dword ptr [esp+2C] 00401D0A 5D pop ebp 00401D0B 8941 20 mov dword ptr [ecx+20], eax 00401D0E 8B4424 14 mov eax, dword ptr [esp+14] 00401D12 5E pop esi 00401D13 8951 18 mov dword ptr [ecx+18], edx 00401D16 8B5424 14 mov edx, dword ptr [esp+14] 00401D1A 5F pop edi 00401D1B 8941 5C mov dword ptr [ecx+5C], eax 00401D1E 8951 60 mov dword ptr [ecx+60], edx 00401D21 B8 0C000000 mov eax, 0C 00401D26 5B pop ebx 00401D27 83C4 30 add esp, 30 00401D2A C3 retn 00401D2B 8B5424 18 mov edx, dword ptr [esp+18] 00401D2F 5D pop ebp 00401D30 5E pop esi 00401D31 8951 20 mov dword ptr [ecx+20], edx 00401D34 8B5424 14 mov edx, dword ptr [esp+14] 00401D38 5F pop edi 00401D39 8951 18 mov dword ptr [ecx+18], edx 00401D3C 5B pop ebx 00401D3D 83C4 30 add esp, 30 00401D40 C3 retn 00401D41 8B4C24 44 mov ecx, dword ptr [esp+44] 00401D45 5D pop ebp 00401D46 5E pop esi 00401D47 8951 20 mov dword ptr [ecx+20], edx 00401D4A 8B5424 14 mov edx, dword ptr [esp+14] 00401D4E 5F pop edi 00401D4F 8951 18 mov dword ptr [ecx+18], edx 00401D52 5B pop ebx 00401D53 83C4 30 add esp, 30 00401D56 C3 retn 00401D57 83F8 0C cmp eax, 0C 00401D5A 8B5424 1C mov edx, dword ptr [esp+1C] 00401D5E 8B4C24 18 mov ecx, dword ptr [esp+18] 00401D62 75 1D jnz short 00401D81 00401D64 8B4424 10 mov eax, dword ptr [esp+10] 00401D68 5D pop ebp 00401D69 5E pop esi 00401D6A 897B 58 mov dword ptr [ebx+58], edi 00401D6D 8943 54 mov dword ptr [ebx+54], eax 00401D70 5F pop edi 00401D71 894B 5C mov dword ptr [ebx+5C], ecx 00401D74 8953 60 mov dword ptr [ebx+60], edx 00401D77 B8 0C000000 mov eax, 0C 00401D7C 5B pop ebx 00401D7D 83C4 30 add esp, 30 00401D80 C3 retn 00401D81 5D pop ebp 00401D82 5E pop esi 00401D83 5F pop edi 00401D84 894B 20 mov dword ptr [ebx+20], ecx 00401D87 8953 18 mov dword ptr [ebx+18], edx 00401D8A 5B pop ebx 00401D8B 83C4 30 add esp, 30 00401D8E C3 retn 2007-6-21 01:00 0
yingyue 雪币： 1844 活跃值： (35) 能力值： ( LV3，RANK：30 ) 在线值：发帖 16 回帖 2595 粉丝 3 关注私信	yingyue 5 楼分开来看有点累的说，还是支持你的继续分析 2007-6-21 01:04 0
坚持到底雪币： 538 活跃值： (460) 能力值： ( LV9，RANK：290 ) 在线值：发帖 12 回帖 245 粉丝 2 关注私信	坚持到底 7 6 楼支持下，LZ辛苦了。。 2007-6-21 01:49 0
dewar 雪币： 297 活跃值： (21) 能力值： ( LV9，RANK：330 ) 在线值：发帖 9 回帖 125 粉丝 0 关注私信	dewar 8 7 楼强啊，支持楼主。超级的耐力！学习 2007-6-21 08:16 0
Bughoho 雪币： 1946 活跃值： (248) 能力值： (RANK：330 ) 在线值：发帖 72 回帖 1217 粉丝 27 关注私信	Bughoho 8 8 楼我想我得重新看一下这个cm了. 2007-6-21 10:58 0
seya 雪币： 328 活跃值： (10) 能力值： ( LV9，RANK：210 ) 在线值：发帖 17 回帖 134 粉丝 0 关注私信	seya 5 9 楼今天根据昨天写的伪代码跟了一次,看看算法,结果... 总的来说还是发现原来的伪代码有不少错误,不少地方还值得推敲,嘿嘿. 003A4730 00000059 VM_START ;执行的操作：sub r14,4;;push r28;;mov r28,r14 003A4738 00000076,7FED7FED push 7FED7FED 003A4744 00000076,EEEEEEEE push EEEEEEEE 003A4750 00000076,00000000 push 0 003A4758 00000039,00000044 jmp 44 ;jmp L2; ;goto 003A476C L3: 003A4760 00000043 003A4764 00000017,FFFFFFF4 inc [r28+FFFFFFF4] ;计数器++ L2: 003A476C 0000003A,FFFFFFF4 mov r10,[r28+FFFFFFF4] ;计数器,第一次循环=0 003A4774 00000055,0000000C mov r20,[r28+0000000C] ;[r28+0000000C]=400 003A477C 00000010 lea r10,[r104+r20] 003A4780 00000097 mov r10,ds:[r10] ；取73's'；去VM的数据区找： ;r10=400 ;ds:[400]='s e y a' 73000000 65000000 79000000 61000000 003A4784 00000082,0000014C jz 14C ;jz L1 ;to 004a4874；如果r10=0的话就跳 003A478C 00000043 003A4790 0000007F xor r10,r10 003A4794 0000004C push r10 003A4798 0000003A,FFFFFFF4 mov r10,[r28+FFFFFFF4] ;计数器,第一次循环=0 003A47A0 00000055,0000000C mov r20,[r28+0000000C] ;[r28+0000000C]=400 003A47A8 00000010 lea r10,[r104+r20] 003A47AC 00000097 mov r10,ds:[r10] ;取73's'('seya') 003A47B0 00000091,FFFFFFD1 add r10,FFFFFFD1 ;73 add ffffffd1!! 003A47B8 00000033 mov r20,r10 ;r20=73 add ffffffd1=44 003A47BC 0000008B,00000100 mov r10,00000100 ;r10=100 003A47C4 00000030 idiv r20,r10 ;返回:r20余数，r10商； 003A47C8 0000003C mov r10,r20 ;r10= (73 add ffffffd1) mod 100=44 003A47D4 00000047 pop r20 ;r20=0 003A47D8 00000010 lea r10,[r104+r20] ;r10=110 003A47DC 00000097 mov r10,ds:[r10] ;ds:[r10]=[esi+r10]=71b18589 晕,又要查表,对用户名ASCII值进行运算后查找下面这个表： ESI=3A4BB8 003A4BB8 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 ....?w,a詈Q. 003A4BC8 19 C4 6D 07 8F F4 6A 70 35 A5 63 E9 A3 95 64 9E 膍忯jp5椋昫 003A4BD8 32 88 DB 0E A4 B8 DC 79 1E E9 D5 E0 88 D9 D2 97 2堐じ躽檎鄨僖 003A4BE8 2B 4C B6 09 BD 7C B1 7E 07 2D B8 E7 91 1D BF 90 +L?絴眫-哥?繍 003A4BF8 64 10 B7 1D F2 20 B0 6A 48 71 B9 F3 DE 41 BE 84 d??癹Hq贵轆緞 003A4C08 7D D4 DA 1A EB E4 DD 6D 51 B5 D4 F4 C7 85 D3 83 }在脘輒Q翟羟呌 003A4C18 56 98 6C 13 C0 A8 6B 64 7A F9 62 FD EC C9 65 8A V榣括kdz鵥蒭 003A4C28 4F 5C 01 14 D9 6C 06 63 63 3D 0F FA F5 0D 08 8D O\賚cc=. 003A4C38 C8 20 6E 3B 5E 10 69 4C E4 41 60 D5 72 71 67 A2 ?n;^iL銩`誶qg 003A4C48 D1 E4 03 3C 47 D4 04 4B FD 85 0D D2 6B B5 0A A5 唁<G?K齾.襨? 003A4C58 FA A8 B5 35 6C 98 B2 42 D6 C9 BB DB 40 F9 BC AC ?l槻B稚慧@ 003A4C68 E3 6C D8 32 75 5C DF 45 CF 0D D6 DC 59 3D D1 AB 鉲?u\逧?周Y=勋 003A4C78 AC 30 D9 26 3A 00 DE 51 80 51 D7 C8 16 61 D0 BF ??:.轖€Q兹a锌 003A4C88 B5 F4 B4 21 23 C4 B3 56 99 95 BA CF 0F A5 BD B8 掉?#某V檿合ソ 003A4C98 9E B8 02 28 08 88 05 5F B2 D9 0C C6 24 E9 0B B1 灨(?_操.?? 003A4CA8 87 7C 6F 2F 11 4C 68 58 AB 1D 61 C1 3D 2D 66 B6 噟o/LhX?a?-f 003A4CB8 90 41 DC 76 06 71 DB 01 BC 20 D2 98 2A 10 D5 EF 怉躹q??覙诊 003A4CC8 89 85 B1 71 1F B5 B6 06 A5 E4 BF 9F 33 D4 B8 E8 墔眖刀ヤ繜3愿 003A4CD8 A2 C9 07 78 34 F9 00 0F 8E A8 09 96 18 98 0E E1 ⑸x4?帹.?? 003A4CE8 BB 0D 6A 7F 2D 3D 6D 08 97 6C 64 91 01 5C 63 E6 ?j-=m條d?\c 003A4CF8 F4 51 6B 6B 62 61 6C 1C D8 30 65 85 4E 00 62 F2 鬛kkbal?e匩.b 003A4D08 ED 95 06 6C 7B A5 01 1B C1 F4 08 82 57 C4 0F F5 頃l{?留俉? 003A4D18 C6 D9 B0 65 50 E9 B7 12 EA B8 BE 8B 7C 88 B9 FC 瀑癳P榉旮緥\|埞 003A4D28 DF 1D DD 62 49 2D DA 15 F3 7C D3 8C 65 4C D4 FB ?輇I-?髚訉eL喳 003A4D38 58 61 B2 4D CE 51 B5 3A 74 00 BC A3 E2 30 BB D4 Xa睲蜵?t.迹?辉 003A4D48 41 A5 DF 4A D7 95 D8 3D 6D C4 D1 A4 FB F4 D6 D3 AミJ讜?m难糁 003A4D58 6A E9 69 43 FC D9 6E 34 46 88 67 AD D0 B8 60 DA j閕Cn4F坓竊 003A4D68 73 2D 04 44 E5 1D 03 33 5F 4C 0A AA C9 7C 0D DD s-D?3_L.\|. 003A4D78 3C 71 05 50 AA 41 02 27 10 10 0B BE 86 20 0C C9 <qP狝'締 . 003A4D88 25 B5 68 57 B3 85 6F 20 09 D4 66 B9 9F E4 61 CE %礹W硡o .詅篃鋋 003A4D98 0E F9 DE 5E 98 C9 D9 29 22 98 D0 B0 B4 A8 D7 C7 ^樕?"樞按ㄗ 003A4DA8 17 3D B3 59 81 0D B4 2E 3B 5C BD B7 AD 6C BA C0 =砓??;\椒璴豪 003A4DB8 20 83 B8 ED B6 B3 BF 9A 0C E2 B6 03 9A D2 B1 74 兏矶晨?舛氁眛 003A4DC8 39 47 D5 EA AF 77 D2 9D 15 26 DB 04 83 16 DC 73 9G贞痺覞&??躶 003A4DD8 12 0B 63 E3 84 3B 64 94 3E 6A 6D 0D A8 5A 6A 7A c銊;d?jm.╖jz 003A4DE8 0B CF 0E E4 9D FF 09 93 27 AE 00 0A B1 9E 07 7D ?錆.??.睘} 003A4DF8 44 93 0F F0 D2 A3 08 87 68 F2 01 1E FE C2 06 69 D?鹨?噃?i 003A4E08 5D 57 62 F7 CB 67 65 80 71 36 6C 19 E7 06 6B 6E ]Wb魉ge€q6l?kn 003A4E18 76 1B D4 FE E0 2B D3 89 5A 7A DA 10 CC 4A DD 67 v轧?訅Zz?蘆輌 003A4E28 6F DF B9 F9 F9 EF BE 8E 43 BE B7 17 D5 8E B0 60 o吖锞嶤痉諑癭 003A4E38 E8 A3 D6 D6 7E 93 D1 A1 C4 C2 D8 38 52 F2 DF 4F 瑁种~撗∧仑8R蜻O 003A4E48 F1 67 BB D1 67 57 BC A6 DD 06 B5 3F 4B 36 B2 48 駁谎gW鸡??K6睭 003A4E58 DA 2B 0D D8 4C 1B 0A AF F6 4A 03 36 60 7A 04 41 ?.豅.J6`zA 003A4E68 C3 EF 60 DF 55 DF 67 A8 EF 8E 6E 31 79 BE 69 46 蔑`遀遟巒1y緄F 003A4E78 8C B3 61 CB 1A 83 66 BC A0 D2 6F 25 36 E2 68 52 尦a?僨紶襬%6鈎R 003A4E88 95 77 0C CC 03 47 0B BB B9 16 02 22 2F 26 05 55 晈.?G还"/&U 003A4E98 BE 3B BA C5 28 0B BD B2 92 5A B4 2B 04 6A B3 5C ?号(讲抁?j砛 003A4EA8 A7 FF D7 C2 31 CF D0 B5 8B 9E D9 2C 1D AE DE 5B ?茁1闲祴炠,[ 003A4EB8 B0 C2 64 9B 26 F2 63 EC 9C A3 6A 75 0A 93 6D 02 奥d?騝鞙u.搈 003A4EC8 A9 06 09 9C 3F 36 0E EB 85 67 07 72 13 57 00 05 ?.?6雲grW. 003A4ED8 82 4A BF 95 14 7A B8 E2 AE 2B B1 7B 38 1B B6 0C 侸繒z糕?眥8? 003A4EE8 9B 8E D2 92 0D BE D5 E5 B7 EF DC 7C 21 DF DB 0B 泿覓.菊宸镘\|!咣 003A4EF8 D4 D2 D3 86 42 E2 D4 F1 F8 B3 DD 68 6E 83 DA 1F 砸訂B庠聒齿hn冓 003A4F08 CD 16 BE 81 5B 26 B9 F6 E1 77 B0 6F 77 47 B7 18 ?緛[&滚醱皁wG? 003A4F18 E6 5A 08 88 70 6A 0F FF CA 3B 06 66 5C 0B 01 11 鎆坧j?f\ 003A4F28 FF 9E 65 8F 69 AE 62 F8 D3 FF 6B 61 45 CF 6C 16 瀍廼産kaE蟣 003A4F38 78 E2 0A A0 EE D2 0D D7 54 83 04 4E C2 B3 03 39 x?狀?譚?N鲁9 003A4F48 61 26 67 A7 F7 16 60 D0 4D 47 69 49 DB 77 6E 3E a&g`蠱GiI踳n> 003A4F58 4A 6A D1 AE DC 5A D6 D9 66 0B DF 40 F0 3B D8 37 Jj旬躗仲f這?? 003A4F68 53 AE BC A9 C5 9E BB DE 7F CF B2 47 E9 FF B5 30 S┡灮?喜G?? 003A4F78 1C F2 BD BD 8A C2 BA CA 30 93 B3 53 A6 A3 B4 24 蚪綂潞?摮SΓ? 003A4F88 05 36 D0 BA 93 06 D7 CD 29 57 DE 54 BF 67 D9 23 6泻?淄)W轙縢? 003A4F98 2E 7A 66 B3 B8 4A 61 C4 02 1B 68 5D 94 2B 6F 2A .zf掣Ja?h]?o* 003A4FA8 37 BE 0B B4 A1 8E 0C C3 1B DF 05 5A 8D EF 02 2D 7?础???Z嶏- 003A4FB8 73 00 00 00 65 00 00 00 79 00 00 00 61 00 00 00 s...e...y...a... 003A4FC8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 003A4FD8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 003A4FE8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 003A4FF8 00 00 00 00 00 00 00 00 00 0A 3C 01 00 10 00 00 ..........<... 只跟了第一段，差不多能知道算法了。跟踪这个伪代码比较好的方法是在00401BC9这里下断,按一下f9执行一条指令，对照昨天发的伪代码程序段观察寄存器EBX和EDI的值就行了，作者主要用的是r10和r20两个寄存器，分别与真实的EBX和EDI保持等值，这样，就和逆向普通的程序没多大区别了。当然，你还得找个地方画出VM的堆栈，或是数据窗口跟踪VM的堆栈地址（ESI+43ec），这样才能掌握程序的行动！ 00401BC2 8B5C24 10 \|mov ebx, dword ptr [esp+10] ; 这是为了保证r10和ebx的值始终同步 00401BC6 8B45 00 \|mov eax, dword ptr [ebp] ; VM_opcode; Default case of switch 00401147; Default case of switch 00401147 00401BC9 8D48 FF \|lea ecx, dword ptr [eax-1] ; VM_opcode-1 00401BCC 83C5 04 \|add ebp, 4 ; VM_EIP++ 00401BCF 81F9 9C000000 \|cmp ecx, 9C ; VM_exit? 00401BD5 ^ 0F86 E9F1FFFF \jbe 00400DC4 2007-6-21 11:09 0
yijun8354 雪币： 1919 活跃值： (901) 能力值： ( LV9，RANK：490 ) 在线值：发帖 22 回帖 784 粉丝 1 关注私信	yijun8354 12 10 楼太强悍了～～ 2007-6-21 12:14 0
yaleond 雪币： 244 活跃值： (10) 能力值： ( LV4，RANK：50 ) 在线值：发帖 2 回帖 142 粉丝 0 关注私信	yaleond 1 11 楼不是一般的强悍..... 2007-6-21 15:44 0
yingyue 雪币： 1844 活跃值： (35) 能力值： ( LV3，RANK：30 ) 在线值：发帖 16 回帖 2595 粉丝 3 关注私信	yingyue 12 楼说来说去不就是强悍吧，地球人都知道但因为某件事，我准备把楼主来个灭口，呵呵，大家叫他小心了 2007-6-21 16:39 0
seya 雪币： 328 活跃值： (10) 能力值： ( LV9，RANK：210 ) 在线值：发帖 17 回帖 134 粉丝 0 关注私信	seya 5 13 楼 [QUOTE=yingyue;325411]说来说去不就是强悍吧，地球人都知道但因为某件事，我准备把楼主来个灭口，呵呵，大家叫他小心了[/QUOTE] 啥事啊？我都没线索的说。。。。 2007-6-21 23:08 0
invent 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 10 粉丝 0 关注私信	invent 14 楼学习了~~~~~~~~~ 2007-6-22 15:59 0
invent 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 10 粉丝 0 关注私信	invent 15 楼不懂 2007-6-22 15:59 0
seya 雪币： 328 活跃值： (10) 能力值： ( LV9，RANK：210 ) 在线值：发帖 17 回帖 134 粉丝 0 关注私信	seya 5 16 楼郁闷。又发现了不少错误，改不过来呀 2007-7-13 08:12 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复