能力值:
( LV8,RANK:130 )
|
-
-
2 楼
鼓励一下。^_^
用OD看了下,主要代码如下吧:
004010FC /$ 55 push ebp
004010FD |. 8BEC mov ebp, esp
004010FF |. 83C4 F8 add esp, -8
00401102 |. FF05 08304000 inc dword ptr [403008]
00401108 |. FF75 08 push dword ptr [ebp+8] ; /Text
0040110B |. 6A 67 push 67 ; |ControlID = 67 (103.)
0040110D |. FF35 04304000 push dword ptr [403004] ; |hWnd = NULL
00401113 |. E8 26040000 call <jmp.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
00401118 |. FF75 0C push dword ptr [ebp+C] ; /<%s>
0040111B |. 68 A2204000 push 004020A2 ; |《%s》\n\n
00401120 |. 68 19314000 push 00403119 ; |s = FindFile.00403119
00401125 |. E8 DE030000 call <jmp.&user32.wsprintfA> ; \wsprintfA
0040112A |. 83C4 0C add esp, 0C
0040112D |. 68 19314000 push 00403119 ; /String = ""
00401132 |. E8 55040000 call <jmp.&kernel32.lstrlenA> ; \lstrlenA
00401137 |. 8BC8 mov ecx, eax
00401139 |. 6A 00 push 0 ; /pOverlapped = NULL
0040113B |. 8D45 F8 lea eax, dword ptr [ebp-8] ; |
0040113E |. 50 push eax ; |pBytesWritten
0040113F |. 51 push ecx ; |nBytesToWrite
00401140 |. 68 19314000 push 00403119 ; |Buffer = FindFile.00403119
00401145 |. FF35 15314000 push dword ptr [403115] ; |hFile = NULL
0040114B |. E8 2A040000 call <jmp.&kernel32.WriteFile> ; \WriteFile
00401150 |. C9 leave
00401151 \. C2 0800 retn 8
00401154 /$ 55 push ebp
00401155 |. 8BEC mov ebp, esp
00401157 |. 81C4 ACFBFFFF add esp, -454
0040115D |. 60 pushad
0040115E |. FF75 08 push dword ptr [ebp+8] ; /String2
00401161 |. 8D85 B8FDFFFF lea eax, dword ptr [ebp-248] ; |
00401167 |. 50 push eax ; |String1
00401168 |. E8 19040000 call <jmp.&kernel32.lstrcpyA> ; \lstrcpyA
0040116D |. 8D85 B8FDFFFF lea eax, dword ptr [ebp-248]
00401173 |. 50 push eax ; /String
00401174 |. E8 13040000 call <jmp.&kernel32.lstrlenA> ; \lstrlenA
00401179 |. 8DB5 B8FDFFFF lea esi, dword ptr [ebp-248]
0040117F |. 03F0 add esi, eax
00401181 |. 33C0 xor eax, eax
00401183 |. B0 5C mov al, 5C
00401185 |. 3846 FF cmp byte ptr [esi-1], al
00401188 |. 74 03 je short 0040118D
0040118A |. 66:8906 mov word ptr [esi], ax
0040118D |> 8D85 B8FDFFFF lea eax, dword ptr [ebp-248]
00401193 |. 50 push eax ; /String2
00401194 |. 8D85 B4FCFFFF lea eax, dword ptr [ebp-34C] ; |
0040119A |. 50 push eax ; |String1
0040119B |. E8 E6030000 call <jmp.&kernel32.lstrcpyA> ; \lstrcpyA
004011A0 |. 68 92204000 push 00402092 ; /*.*
004011A5 |. 8D85 B4FCFFFF lea eax, dword ptr [ebp-34C] ; |
004011AB |. 50 push eax ; |ConcatString
004011AC |. E8 CF030000 call <jmp.&kernel32.lstrcatA> ; \lstrcatA
004011B1 |. 8D85 C2FEFFFF lea eax, dword ptr [ebp-13E]
004011B7 |. 50 push eax ; /pFindFileData
004011B8 |. 8D85 B4FCFFFF lea eax, dword ptr [ebp-34C] ; |
004011BE |. 50 push eax ; |FileName
004011BF |. E8 9E030000 call <jmp.&kernel32.FindFirstFileA> ; \FindFirstFileA
004011C4 |. 83F8 FF cmp eax, -1
004011C7 |. 0F84 96000000 je 00401263
004011CD |. 8985 BCFEFFFF mov dword ptr [ebp-144], eax
004011D3 |> 8D85 B8FDFFFF /lea eax, dword ptr [ebp-248]
004011D9 |. 50 |push eax ; /String2
004011DA |. 8D85 B0FBFFFF |lea eax, dword ptr [ebp-450] ; |
004011E0 |. 50 |push eax ; |String1
004011E1 |. E8 A0030000 |call <jmp.&kernel32.lstrcpyA> ; \lstrcpyA
004011E6 |. 8D85 EEFEFFFF |lea eax, dword ptr [ebp-112]
004011EC |. 50 |push eax ; /StringToAdd
004011ED |. 8D85 B0FBFFFF |lea eax, dword ptr [ebp-450] ; |
004011F3 |. 50 |push eax ; |ConcatString
004011F4 |. E8 87030000 |call <jmp.&kernel32.lstrcatA> ; \lstrcatA
004011F9 |. F785 C2FEFFFF>|test dword ptr [ebp-13E], 10
00401203 |. 74 1D |je short 00401222
00401205 |. 80BD EEFEFFFF>|cmp byte ptr [ebp-112], 2E
0040120C |. 74 27 |je short 00401235
0040120E |. FF05 0C304000 |inc dword ptr [40300C]
00401214 |. 8D85 B0FBFFFF |lea eax, dword ptr [ebp-450]
0040121A |. 50 |push eax ; /Arg1
0040121B |. E8 34FFFFFF |call 00401154 ; \FindFile.00401154
00401220 |. EB 13 |jmp short 00401235
00401222 |> 8D85 EEFEFFFF |lea eax, dword ptr [ebp-112]
00401228 |. 50 |push eax ; /Arg2
00401229 |. 8D85 B0FBFFFF |lea eax, dword ptr [ebp-450] ; |
0040122F |. 50 |push eax ; |Arg1
00401230 |. E8 C7FEFFFF |call 004010FC ; \FindFile.004010FC
00401235 |> 8D85 C2FEFFFF |lea eax, dword ptr [ebp-13E]
0040123B |. 50 |push eax ; /pFindFileData
0040123C |. FFB5 BCFEFFFF |push dword ptr [ebp-144] ; |hFile
00401242 |. E8 21030000 |call <jmp.&kernel32.FindNextFileA> ; \FindNextFileA
00401247 |. 0BC0 |or eax, eax
00401249 |. 74 0D |je short 00401258
0040124B |. F605 14314000>|test byte ptr [403114], 2
00401252 |.^ 0F84 7BFFFFFF \je 004011D3
00401258 |> FFB5 BCFEFFFF push dword ptr [ebp-144] ; /hSearch
0040125E |. E8 F9020000 call <jmp.&kernel32.FindClose> ; \FindClose
00401263 |> 61 popad
00401264 |. C9 leave
00401265 \. C2 0400 retn 4
|
能力值:
( LV13,RANK:530 )
|
-
-
3 楼
发现ASM写的程序~总喜欢Pushad popad成对出现~
字符串函数用lstrXXX的kernel32.dll函数
基本不用Unicode相关函数~.算是识别ASM写的程序的一个标志吧 
|
能力值:
( LV8,RANK:130 )
|
-
-
4 楼
楼上的很细心啊。
|
能力值:
( LV13,RANK:1050 )
|
-
-
5 楼
public start
start proc near
push 0 ; lpModuleName
call GetModuleHandleA
mov hInstance, eax
push 0 ; dwInitParam
push offset DialogFunc ; lpDialogFunc
push 0 ; hWndParent
push 64h ; lpTemplateName
push hInstance ; hInstance
call DialogBoxParamA
push 0 ; uExitCode
call ExitProcess
start endp
DialogFunc proc near ; DATA XREF: start+E�o
.text:00401394
.text:00401394 String = byte ptr -108h
.text:00401394 ThreadId = dword ptr -4
.text:00401394 hDlg = dword ptr 8
.text:00401394 arg_4 = dword ptr 0Ch
.text:00401394 arg_8 = dword ptr 10h
.text:00401394
.text:00401394 push ebp
.text:00401395 mov ebp, esp
.text:00401397 add esp, 0FFFFFDECh
.text:0040139D push ebx
.text:0040139E push edi
.text:0040139F push esi
.text:004013A0 mov eax, [ebp+arg_4]
.text:004013A3 cmp eax, 10h
.text:004013A6 jnz short loc_4013C4
.text:004013A8 test byte_403114, 1
.text:004013AF jnz loc_4014D3
.text:004013B5 push 0 ; nResult
.text:004013B7 push [ebp+hDlg] ; hDlg
.text:004013BA call EndDialog
.text:004013BF jmp loc_4014D3
.text:004013C4 ; ---------------------------------------------------------------------------
.text:004013C4
.text:004013C4 loc_4013C4: ; CODE XREF: DialogFunc+12�j
.text:004013C4 cmp eax, 110h
.text:004013C9 jnz short loc_40140F
.text:004013CB push [ebp+hDlg]
.text:004013CE pop hDlg
.text:004013D4 push 3E8h ; lpIconName
.text:004013D9 push hInstance ; hInstance
.text:004013DF call LoadIconA
.text:004013E4 push eax ; lParam
.text:004013E5 push 1 ; wParam
.text:004013E7 push 80h ; Msg
.text:004013EC push [ebp+hDlg] ; hWnd
.text:004013EF call SendMessageA
.text:004013F4 push 0 ; lParam
.text:004013F6 push 104h ; wParam
.text:004013FB push 0C5h ; Msg
.text:00401400 push 65h ; nIDDlgItem
.text:00401402 push [ebp+hDlg] ; hDlg
.text:00401405 call SendDlgItemMessageA
.text:0040140A jmp loc_4014D3
.text:0040140F ; ---------------------------------------------------------------------------
.text:0040140F
.text:0040140F loc_40140F: ; CODE XREF: DialogFunc+35�j
.text:0040140F cmp eax, 111h
.text:00401414 jnz loc_4014C7
.text:0040141A mov eax, [ebp+arg_8]
.text:0040141D cmp ax, 66h
.text:00401421 jnz short loc_40144C
.text:00401423 push offset pszPath ; pszPath
.text:00401428 push [ebp+hDlg] ; int
.text:0040142B call sub_401058
.text:00401430 or eax, eax
.text:00401432 jz loc_4014D3
.text:00401438 push offset pszPath ; lpString
.text:0040143D push 65h ; nIDDlgItem
.text:0040143F push [ebp+hDlg] ; hDlg
.text:00401442 call SetDlgItemTextA
.text:00401447 jmp loc_4014D3
.text:0040144C ; ---------------------------------------------------------------------------
.text:0040144C
.text:0040144C loc_40144C: ; CODE XREF: DialogFunc+8D�j
.text:0040144C cmp ax, 65h
.text:00401450 jnz short loc_40147D
.text:00401452 push 104h ; cchMax
.text:00401457 lea eax, [ebp+String]
.text:0040145D push eax ; lpString
.text:0040145E push 65h ; nIDDlgItem
.text:00401460 push [ebp+hDlg] ; hDlg
.text:00401463 call GetDlgItemTextA
.text:00401468 mov ebx, eax
.text:0040146A push 1 ; nIDDlgItem
.text:0040146C push [ebp+hDlg] ; hDlg
.text:0040146F call GetDlgItem
.text:00401474 push ebx ; bEnable
.text:00401475 push eax ; hWnd
.text:00401476 call EnableWindow
.text:0040147B jmp short loc_4014D3
.text:0040147D ; ---------------------------------------------------------------------------
.text:0040147D
.text:0040147D loc_40147D: ; CODE XREF: DialogFunc+BC�j
.text:0040147D cmp ax, 1
.text:00401481 jnz short loc_4014D3
.text:00401483 test byte_403114, 1
.text:0040148A jz short loc_401495
.text:0040148C or byte_403114, 2
.text:00401493 jmp short loc_4014C5
.text:00401495 ; ---------------------------------------------------------------------------
.text:00401495
.text:00401495 loc_401495: ; CODE XREF: DialogFunc+F6�j
.text:00401495 push 104h ; cchMax
.text:0040149A push offset pszPath ; lpString
.text:0040149F push 65h ; nIDDlgItem
.text:004014A1 push [ebp+hDlg] ; hDlg
.text:004014A4 call GetDlgItemTextA
.text:004014A9 lea eax, [ebp+ThreadId]
.text:004014AC push eax ; lpThreadId
.text:004014AD push 0 ; dwCreationFlags
.text:004014AF push 0 ; lpParameter
.text:004014B1 push offset StartAddress ; lpStartAddress
.text:004014B6 push 0 ; dwStackSize
.text:004014B8 push 0 ; lpThreadAttributes
.text:004014BA call CreateThread
.text:004014BF push eax ; hObject
.text:004014C0 call CloseHandle
.text:004014C5
.text:004014C5 loc_4014C5: ; CODE XREF: DialogFunc+FF�j
.text:004014C5 jmp short loc_4014D3
.text:004014C7 ; ---------------------------------------------------------------------------
.text:004014C7
.text:004014C7 loc_4014C7: ; CODE XREF: DialogFunc+80�j
.text:004014C7 mov eax, 0
.text:004014CC pop esi
.text:004014CD pop edi
.text:004014CE pop ebx
.text:004014CF leave
.text:004014D0 retn 10h
.text:004014D3 ; ---------------------------------------------------------------------------
.text:004014D3
.text:004014D3 loc_4014D3: ; CODE XREF: DialogFunc+1B�j
.text:004014D3 ; DialogFunc+2B�j ...
.text:004014D3 mov eax, 1
.text:004014D8 pop esi
.text:004014D9 pop edi
.text:004014DA pop ebx
.text:004014DB leave
.text:004014DC retn 10h
.text:004014DC DialogFunc endp
StartAddress proc near ; DATA XREF: DialogFunc+11D�o
.text:00401268
.text:00401268 String = byte ptr -100h
.text:00401268
.text:00401268 push ebp
.text:00401269 mov ebp, esp
.text:0040126B add esp, 0FFFFFF00h
.text:00401271 push ebx
.text:00401272 push ecx
.text:00401273 push edx
.text:00401274 push esi
.text:00401275 push edi
.text:00401276 and byte_403114, 0FDh
.text:0040127D or byte_403114, 1
.text:00401284 push 65h ; nIDDlgItem
.text:00401286 push hDlg ; hDlg
.text:0040128C call GetDlgItem
.text:00401291 push 0 ; bEnable
.text:00401293 push eax ; hWnd
.text:00401294 call EnableWindow
.text:00401299 push 66h ; nIDDlgItem
.text:0040129B push hDlg ; hDlg
.text:004012A1 call GetDlgItem
.text:004012A6 push 0 ; bEnable
.text:004012A8 push eax ; hWnd
.text:004012A9 call EnableWindow
.text:004012AE push offset aGS ; "停止(&S)"
.text:004012B3 push 1 ; nIDDlgItem
.text:004012B5 push hDlg ; hDlg
.text:004012BB call SetDlgItemTextA
.text:004012C0 xor eax, eax
.text:004012C2 mov dword_403008, eax
.text:004012C7 mov dword_40300C, eax
.text:004012CC push 0 ; hTemplateFile
.text:004012CE push 80h ; dwFlagsAndAttributes
.text:004012D3 push 2 ; dwCreationDisposition
.text:004012D5 push 0 ; lpSecurityAttributes
.text:004012D7 push 1 ; dwShareMode
.text:004012D9 push 40000000h ; dwDesiredAccess
.text:004012DE push offset FileName ; "c:\\bach.txt"
.text:004012E3 call CreateFileA
.text:004012E8 mov hFile, eax
.text:004012ED push offset pszPath ; lpString2
.text:004012F2 call sub_401154
.text:004012F7 push dword_403008
.text:004012FD push dword_40300C
.text:00401303 push offset aD ; "共找到%d?
.text:00401308 lea eax, [ebp+String]
.text:0040130E push eax ; LPSTR
.text:0040130F call wsprintfA
.text:00401314 add esp, 10h
.text:00401317 lea eax, [ebp+String]
.text:0040131D push eax ; lpString
.text:0040131E push 67h ; nIDDlgItem
.text:00401320 push hDlg ; hDlg
.text:00401326 call SetDlgItemTextA
.text:0040132B push hFile ; hObject
.text:00401331 call CloseHandle
.text:00401336 push 66h ; nIDDlgItem
.text:00401338 push hDlg ; hDlg
.text:0040133E call GetDlgItem
.text:00401343 push 1 ; bEnable
.text:00401345 push eax ; hWnd
.text:00401346 call EnableWindow
.text:0040134B push 65h ; nIDDlgItem
.text:0040134D push hDlg ; hDlg
.text:00401353 call GetDlgItem
.text:00401358 push 1 ; bEnable
.text:0040135A push eax ; hWnd
.text:0040135B call EnableWindow
.text:00401360 push offset aKS ; "开始(&S)"
.text:00401365 push 1 ; nIDDlgItem
.text:00401367 push hDlg ; hDlg
.text:0040136D call SetDlgItemTextA
.text:00401372 push offset pszPath ; lpString
.text:00401377 push 65h ; nIDDlgItem
.text:00401379 push hDlg ; hDlg
.text:0040137F call SetDlgItemTextA
.text:00401384 and byte_403114, 0FEh
.text:0040138B pop edi
.text:0040138C pop esi
.text:0040138D pop edx
.text:0040138E pop ecx
.text:0040138F pop ebx
.text:00401390 leave
.text:00401391 retn 4
.text:00401391 StartAddress endp
|
能力值:
( LV2,RANK:10 )
|
-
-
6 楼
历尽千辛万苦,终于找到了dsofile,但是不会用.......网上大部分都是用VB,俺不懂,谁给说说WIN32汇编怎么用dsofile来获得文档摘要里的作者名?
|
能力值:
( LV2,RANK:10 )
|
-
-
7 楼
历尽千辛万苦,终于找到了dsofile,但是不会用.......网上大部分都是用VB,俺不懂,谁给说说WIN32汇编怎么用dsofile来获得文档摘要里的作者名?
|
能力值:
( LV2,RANK:10 )
|
-
-
8 楼
Set objFile = CreateObject("DSOFile.OleDocumentProperties")
objFile.Open("C:\Scripts\New_users.xls")
Wscript.Echo "Author: " & objFile.SummaryProperties.Author
这是网上搜到最有用的一段代码,下载过dsofile.dll文件后,我的想法是用loadlibrary 载入,之后用GetProcAddress来获得里面的函数一址,(问题是,这个函数叫什么名字?它的参数是什么?)
怎么把这三句话的意思用win32汇编表达出来?
|
能力值:
( LV2,RANK:10 )
|
-
-
9 楼
Set objFile = CreateObject("DSOFile.OleDocumentProperties")
objFile.Open("C:\Scripts\New_users.xls")
Wscript.Echo "Author: " & objFile.SummaryProperties.Author
这是网上搜到最有用的一段代码,下载过dsofile.dll文件后,我的想法是用loadlibrary 载入,之后用GetProcAddress来获得里面的函数一址,(问题是,这个函数叫什么名字?它的参数是什么?)
怎么把这三句话的意思用win32汇编表达出来?
|
能力值:
![]()
(RANK:1010 )
|
-
-
10 楼
我把3个主题合并了。
警告一次:对于同一主题,请不要重复发贴!
|
能力值:
( LV2,RANK:10 )
|
-
-
11 楼
风怒加剑精
我也不想重发,,是网络问题
|
能力值:
( LV2,RANK:10 )
|
-
-
12 楼
不错不错,楼主继续努力~!
|
