[求助]masm32的一个小exe，使用OD打开看到的汇编代码，有些地方不明白，请教请教：-经典问答-看雪-安全社区|安全招聘|kanxue.com

[求助]masm32的一个小exe，使用OD打开看到的汇编代码，有些地方不明白，请教请教：

发表于: 2009-1-23 12:45 4067

[求助]masm32的一个小exe，使用OD打开看到的汇编代码，有些地方不明白，请教请教：

神龙武士

2009-1-23 12:45

4067

masm32的一个小exe，使用OD打开看到的汇编代码，有些地方不明白，请教请教：
00401000 >  6A 00          PUSH 0
00401002 E8 D5020000    CALL <JMP.&kernel32.GetModuleHandleA>
00401007 A3 10304000    MOV DWORD PTR DS:[403010],EAX
0040100C E8 C5020000    CALL <JMP.&kernel32.GetCommandLineA>
00401011 A3 08304000    MOV DWORD PTR DS:[403008],EAX
00401016 6A 0A          PUSH 0A
00401018 FF35 08304000 PUSH DWORD PTR DS:[403008]
0040101E 6A 00          PUSH 0
00401020 FF35 10304000 PUSH DWORD PTR DS:[403010]
00401026 E8 06000000    CALL generic.00401031
0040102B 50             PUSH EAX
0040102C E8 9F020000    CALL <JMP.&kernel32.ExitProcess>
00401031 55             PUSH EBP
00401032 8BEC          MOV EBP,ESP
00401034 83C4 A4       ADD ESP,-5C
00401037 EB 0E          JMP SHORT generic.00401047
00401039 47             INC EDI
0040103A 65:6E          OUTS DX,BYTE PTR ES:[EDI]             ; I/O 命令
0040103C 65:72 69       JB SHORT generic.004010A8             ; 多余前缀
0040103F 635F 43       ARPL WORD PTR DS:[EDI+43],BX
00401042 6C             INS BYTE PTR ES:[EDI],DX                ; I/O 命令
00401043 61             POPAD
00401044 73 73          JNB SHORT generic.004010B9
00401046 00C7          ADD BH,AL
00401048 45             INC EBP
00401049 D030          SAL BYTE PTR DS:[EAX],1
0040104B 0000          ADD BYTE PTR DS:[EAX],AL
0040104D 00C7          ADD BH,AL
0040104F 45             INC EBP
00401050 D4 03          AAM 3
00401052 2000          AND BYTE PTR DS:[EAX],AL
00401054 00C7          ADD BH,AL
00401056 45             INC EBP
00401057 D87B 11       FDIVR DWORD PTR DS:[EBX+11]
0040105A 40             INC EAX
0040105B 00C7          ADD BH,AL
0040105D 45             INC EBP
0040105E DC00          FADD QWORD PTR DS:[EAX]
00401060 0000          ADD BYTE PTR DS:[EAX],AL
00401062 00C7          ADD BH,AL
00401064 45             INC EBP
00401065 E0 00          LOOPDNE SHORT generic.00401067
00401067 0000          ADD BYTE PTR DS:[EAX],AL
00401069 00FF          ADD BH,BH
0040106B 75 08          JNZ SHORT generic.00401075
0040106D 8F45 E4       POP DWORD PTR SS:[EBP-1C]
00401070 C745 F0 1000000>MOV DWORD PTR SS:[EBP-10],10
00401077 C745 F4 0000000>MOV DWORD PTR SS:[EBP-C],0
0040107E C745 F8 3910400>MOV DWORD PTR SS:[EBP-8],generic.0040103>; ASCII "Generic_Class"
00401085 68 F4010000    PUSH 1F4
0040108A FF75 08       PUSH DWORD PTR SS:[EBP+8]
0040108D E8 02020000    CALL <JMP.&user32.LoadIconA>
00401092 8945 E8       MOV DWORD PTR SS:[EBP-18],EAX
00401095 68 007F0000    PUSH 7F00
0040109A 6A 00          PUSH 0
0040109C E8 ED010000    CALL <JMP.&user32.LoadCursorA>
004010A1 8945 EC       MOV DWORD PTR SS:[EBP-14],EAX
004010A4 C745 FC 0000000>MOV DWORD PTR SS:[EBP-4],0
004010AB 8D45 D0       LEA EAX,DWORD PTR SS:[EBP-30]
004010AE 50             PUSH EAX
004010AF E8 F8010000    CALL <JMP.&user32.RegisterClassExA>
004010B4 C745 B0 F401000>MOV DWORD PTR SS:[EBP-50],1F4
004010BB C745 AC 5E01000>MOV DWORD PTR SS:[EBP-54],15E
004010C2 6A 00          PUSH 0
004010C4 E8 BF010000    CALL <JMP.&user32.GetSystemMetrics>
004010C9 50             PUSH EAX
004010CA FF75 B0       PUSH DWORD PTR SS:[EBP-50]
004010CD E8 88010000    CALL generic.0040125A
004010D2 8945 A8       MOV DWORD PTR SS:[EBP-58],EAX
004010D5 6A 01          PUSH 1
004010D7 E8 AC010000    CALL <JMP.&user32.GetSystemMetrics>
004010DC 50             PUSH EAX
004010DD FF75 AC       PUSH DWORD PTR SS:[EBP-54]
004010E0 E8 75010000    CALL generic.0040125A
004010E5 8945 A4       MOV DWORD PTR SS:[EBP-5C],EAX
004010E8 6A 00          PUSH 0
004010EA FF75 08       PUSH DWORD PTR SS:[EBP+8]
004010ED 6A 00          PUSH 0
004010EF 6A 00          PUSH 0
004010F1 FF75 AC       PUSH DWORD PTR SS:[EBP-54]
004010F4 FF75 B0       PUSH DWORD PTR SS:[EBP-50]
004010F7 FF75 A4       PUSH DWORD PTR SS:[EBP-5C]
004010FA FF75 A8       PUSH DWORD PTR SS:[EBP-58]
004010FD 68 0000CF00    PUSH 0CF0000
00401102 68 00304000    PUSH generic.00403000                   ; ASCII "Generic"
00401107 68 39104000    PUSH generic.00401039                   ; ASCII "Generic_Class"
0040110C 68 00030000    PUSH 300
00401111 E8 5A010000    CALL <JMP.&user32.CreateWindowExA>
00401116 A3 0C304000    MOV DWORD PTR DS:[40300C],EAX
0040111B 68 58020000    PUSH 258
00401120 FF75 08       PUSH DWORD PTR SS:[EBP+8]
00401123 E8 72010000    CALL <JMP.&user32.LoadMenuA>
00401128 50             PUSH EAX
00401129 FF35 0C304000 PUSH DWORD PTR DS:[40300C]
0040112F E8 84010000    CALL <JMP.&user32.SetMenu>
00401134 6A 01          PUSH 1
00401136 FF35 0C304000 PUSH DWORD PTR DS:[40300C]
0040113C E8 7D010000    CALL <JMP.&user32.ShowWindow>
00401141 FF35 0C304000 PUSH DWORD PTR DS:[40300C]
00401147 E8 7E010000    CALL <JMP.&user32.UpdateWindow>
0040114C 6A 00          PUSH 0
0040114E 6A 00          PUSH 0
00401150 6A 00          PUSH 0
00401152 8D45 B4       LEA EAX,DWORD PTR SS:[EBP-4C]
00401155 50             PUSH EAX
00401156 E8 27010000    CALL <JMP.&user32.GetMessageA>
0040115B 83F8 00       CMP EAX,0
0040115E 74 14          JE SHORT generic.00401174
00401160 8D45 B4       LEA EAX,DWORD PTR SS:[EBP-4C]
00401163 50             PUSH EAX
00401164 E8 5B010000    CALL <JMP.&user32.TranslateMessage>
00401169 8D45 B4       LEA EAX,DWORD PTR SS:[EBP-4C]
0040116C 50             PUSH EAX
0040116D E8 0A010000    CALL <JMP.&user32.DispatchMessageA>
00401172  ^ EB D8          JMP SHORT generic.0040114C
00401174 8B45 BC       MOV EAX,DWORD PTR SS:[EBP-44]
00401177 C9             LEAVE
00401178 C2 1000       RETN 10
0040117B 55             PUSH EBP
0040117C 8BEC          MOV EBP,ESP
0040117E 817D 0C 1101000>CMP DWORD PTR SS:[EBP+C],111
00401185 75 60          JNZ SHORT generic.004011E7
00401187 817D 10 E803000>CMP DWORD PTR SS:[EBP+10],3E8
0040118E 75 19          JNZ SHORT generic.004011A9
00401190 6A 00          PUSH 0
00401192 68 60F00000    PUSH 0F060
00401197 68 12010000    PUSH 112
0040119C FF75 08       PUSH DWORD PTR SS:[EBP+8]
0040119F E8 0E010000    CALL <JMP.&user32.SendMessageA>
004011A4 E9 9C000000    JMP generic.00401245
004011A9 817D 10 6C07000>CMP DWORD PTR SS:[EBP+10],76C
004011B0 0F85 8F000000 JNZ generic.00401245
004011B6 EB 19          JMP SHORT generic.004011D1
004011B8 41             INC ECX
004011B9 73 73          JNB SHORT generic.0040122E
004011BB 65:6D          INS DWORD PTR ES:[EDI],DX             ; I/O 命令
004011BD 626C65 72    BOUND EBP,QWORD PTR SS:[EBP+72]
004011C1 2C 20          SUB AL,20
004011C3 50             PUSH EAX
004011C4 75 72          JNZ SHORT generic.00401238
004011C6 65:2026       AND BYTE PTR GS:[ESI],AH
004011C9 2053 69       AND BYTE PTR DS:[EBX+69],DL
004011CC 6D             INS DWORD PTR ES:[EDI],DX             ; I/O 命令
004011CD 70 6C          JO SHORT generic.0040123B
004011CF 65:006A 00    ADD BYTE PTR GS:[EDX],CH
004011D3 68 00304000    PUSH generic.00403000                   ; ASCII "Generic"
004011D8 68 B8114000    PUSH generic.004011B8                   ; ASCII "Assembler, Pure & Simple"
004011DD FF75 08       PUSH DWORD PTR SS:[EBP+8]
004011E0 E8 BB000000    CALL <JMP.&user32.MessageBoxA>
004011E5 EB 5E          JMP SHORT generic.00401245
004011E7 837D 0C 01    CMP DWORD PTR SS:[EBP+C],1
004011EB 75 02          JNZ SHORT generic.004011EF
004011ED EB 56          JMP SHORT generic.00401245
004011EF 837D 0C 10    CMP DWORD PTR SS:[EBP+C],10
004011F3 75 3A          JNZ SHORT generic.0040122F
004011F5 EB 14          JMP SHORT generic.0040120B
004011F7 50             PUSH EAX
004011F8 6C             INS BYTE PTR ES:[EDI],DX                ; I/O 命令
004011F9 65:61          POPAD                                  ; 多余前缀
004011FB 73 65          JNB SHORT generic.00401262
004011FD 2043 6F       AND BYTE PTR DS:[EBX+6F],AL
00401200 6E             OUTS DX,BYTE PTR ES:[EDI]             ; I/O 命令
00401201 66:6972 6D 2045 IMUL SI,WORD PTR DS:[EDX+6D],4520
00401207 78 69          JS SHORT generic.00401272
00401209 74 00          JE SHORT generic.0040120B
0040120B 6A 04          PUSH 4
0040120D 68 00304000    PUSH generic.00403000                   ; ASCII "Generic"
00401212 68 F7114000    PUSH generic.004011F7                   ; ASCII "Please Confirm Exit"
00401217 FF75 08       PUSH DWORD PTR SS:[EBP+8]
0040121A E8 81000000    CALL <JMP.&user32.MessageBoxA>
0040121F 83F8 07       CMP EAX,7
00401222 75 21          JNZ SHORT generic.00401245
00401224 B8 00000000    MOV EAX,0
00401229 C9             LEAVE
0040122A C2 1000       RETN 10
0040122D EB 16          JMP SHORT generic.00401245
0040122F 837D 0C 02    CMP DWORD PTR SS:[EBP+C],2
00401233 75 10          JNZ SHORT generic.00401245
00401235 6A 00          PUSH 0
00401237 E8 6A000000    CALL <JMP.&user32.PostQuitMessage>
0040123C B8 00000000    MOV EAX,0
00401241 C9             LEAVE
00401242 C2 1000       RETN 10
00401245 FF75 14       PUSH DWORD PTR SS:[EBP+14]
00401248 FF75 10       PUSH DWORD PTR SS:[EBP+10]
0040124B FF75 0C       PUSH DWORD PTR SS:[EBP+C]
0040124E FF75 08       PUSH DWORD PTR SS:[EBP+8]
00401251 E8 20000000    CALL <JMP.&user32.DefWindowProcA>
00401256 C9             LEAVE
00401257 C2 1000       RETN 10
0040125A 55             PUSH EBP
0040125B 8BEC          MOV EBP,ESP
0040125D D16D 0C       SHR DWORD PTR SS:[EBP+C],1
00401260 D16D 08       SHR DWORD PTR SS:[EBP+8],1
00401263 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00401266 2945 0C       SUB DWORD PTR SS:[EBP+C],EAX
00401269 8B45 0C       MOV EAX,DWORD PTR SS:[EBP+C]
0040126C C9             LEAVE
0040126D C2 0800       RETN 8
00401270  - FF25 48204000 JMP DWORD PTR DS:[<&user32.CreateWindowE>; user32.CreateWindowExA
00401276  - FF25 20204000 JMP DWORD PTR DS:[<&user32.DefWindowProc>; user32.DefWindowProcA
0040127C  - FF25 40204000 JMP DWORD PTR DS:[<&user32.DispatchMessa>; user32.DispatchMessageA
00401282  - FF25 28204000 JMP DWORD PTR DS:[<&user32.GetMessageA>] ; user32.GetMessageA
00401288  - FF25 24204000 JMP DWORD PTR DS:[<&user32.GetSystemMetr>; user32.GetSystemMetrics
0040128E  - FF25 10204000 JMP DWORD PTR DS:[<&user32.LoadCursorA>] ; user32.LoadCursorA
00401294  - FF25 14204000 JMP DWORD PTR DS:[<&user32.LoadIconA>] ; user32.LoadIconA
0040129A  - FF25 18204000 JMP DWORD PTR DS:[<&user32.LoadMenuA>] ; user32.LoadMenuA
004012A0  - FF25 1C204000 JMP DWORD PTR DS:[<&user32.MessageBoxA>] ; user32.MessageBoxA
004012A6  - FF25 44204000 JMP DWORD PTR DS:[<&user32.PostQuitMessa>; user32.PostQuitMessage
004012AC  - FF25 4C204000 JMP DWORD PTR DS:[<&user32.RegisterClass>; user32.RegisterClassExA
004012B2  - FF25 2C204000 JMP DWORD PTR DS:[<&user32.SendMessageA>>; user32.SendMessageA
004012B8  - FF25 30204000 JMP DWORD PTR DS:[<&user32.SetMenu>]    ; user32.SetMenu
004012BE  - FF25 34204000 JMP DWORD PTR DS:[<&user32.ShowWindow>]  ; user32.ShowWindow
004012C4  - FF25 38204000 JMP DWORD PTR DS:[<&user32.TranslateMess>; user32.TranslateMessage
004012CA  - FF25 3C204000 JMP DWORD PTR DS:[<&user32.UpdateWindow>>; user32.UpdateWindow
004012D0  - FF25 08204000 JMP DWORD PTR DS:[<&kernel32.ExitProcess>; kernel32.ExitProcess
004012D6  - FF25 04204000 JMP DWORD PTR DS:[<&kernel32.GetCommandL>; kernel32.GetCommandLineA
004012DC  - FF25 00204000 JMP DWORD PTR DS:[<&kernel32.GetModuleHa>; kernel32.GetModuleHandleA
004012E2 0000          ADD BYTE PTR DS:[EAX],AL
004012E4 0000          ADD BYTE PTR DS:[EAX],AL
004012E6 0000          ADD BYTE PTR DS:[EAX],AL

有些地方指令，从来没有见过，看不明白，请教请教：
00401050 D4 03          AAM 3    ；AAM 3啥意思？
00401057 D87B 11       FDIVR DWORD PTR DS:[EBX+11]    ；FDIVR啥意思？
0040105E DC00          FADD QWORD PTR DS:[EAX]    ；FADD啥意思？
00401065 E0 00          LOOPDNE SHORT generic.00401067    ；LOOPDNE啥意思？
00401177 C9             LEAVE    ；LEAVE啥意思？
00401178 C2 1000       RETN 10    ；10啥意思,为什么要加一个10？
004011BB 65:6D          INS DWORD PTR ES:[EDI],DX       ；INS啥意思？
004011BD 626C65 72    BOUND EBP,QWORD PTR SS:[EBP+72]    ；BOUND啥意思？
004011CD 70 6C          JO SHORT generic.0040123B    ；JO啥意思？
004011F9 65:61          POPAD    ；POPAD啥意思？
00401200 6E             OUTS DX,BYTE PTR ES:[EDI]             ；OUTS啥意思？
00401201 66:6972 6D 2045 IMUL SI,WORD PTR DS:[EDX+6D],4520    ；IMUL啥意思？
00401207 78 69          JS SHORT generic.00401272    ；JS啥意思？
00401270  - FF25 48204000 JMP DWORD PTR DS:[<&user32.CreateWindowE>;  ；JMP到一个函数那里啥意思？
004012E4 0000          ADD BYTE PTR DS:[EAX],AL    ；代码后面有近1000行的“0000          ADD BYTE PTR DS:[EAX],AL”啥意思？

[培训]科锐逆向工程师培训第53期2025年7月8日开班！

收藏・1

免费・0

支持

最新回复 (9)
fixfix 雪币： 419 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 21 回帖 671 粉丝 0 关注私信	fixfix 2 楼最后的一个问题空闲的空间把其他的请CTRL+A 分析下看看感觉很花 2009-1-23 12:56 0
神龙武士雪币： 40 活跃值： (18) 能力值： ( LV2，RANK：10 ) 在线值：发帖 100 回帖 242 粉丝 1 关注私信	神龙武士 3 楼那就是说最后那近1000行“004012E4 0000 ADD BYTE PTR DS:[EAX],AL ”这样的代码，是多余的了，可以往里面写东西了，对吧？其他的问题呢,能不能指点一下？谢谢先有些地方指令，从来没有见过，看不明白，请教请教： 00401050 D4 03 AAM 3 ；AAM 3啥意思？ 00401057 D87B 11 FDIVR DWORD PTR DS:[EBX+11] ；FDIVR啥意思？ 0040105E DC00 FADD QWORD PTR DS:[EAX] ；FADD啥意思？ 00401065 E0 00 LOOPDNE SHORT generic.00401067 ；LOOPDNE啥意思？ 00401177 C9 LEAVE ；LEAVE啥意思？ 00401178 C2 1000 RETN 10 ；10啥意思,为什么要加一个10？ 004011BB 65:6D INS DWORD PTR ES:[EDI],DX ；INS啥意思？ 004011BD 626C65 72 BOUND EBP,QWORD PTR SS:[EBP+72] ；BOUND啥意思？ 004011CD 70 6C JO SHORT generic.0040123B ；JO啥意思？ 004011F9 65:61 POPAD ；POPAD啥意思？ 00401200 6E OUTS DX,BYTE PTR ES:[EDI] ；OUTS啥意思？ 00401201 66:6972 6D 2045 IMUL SI,WORD PTR DS:[EDX+6D],4520 ；IMUL啥意思？ 00401207 78 69 JS SHORT generic.00401272 ；JS啥意思？ 00401270 - FF25 48204000 JMP DWORD PTR DS:[<&user32.CreateWindowE>; ；JMP到一个函数那里啥意思？ 2009-1-23 16:29 0
书呆彭雪币： 2110 活跃值： (21) 能力值： (RANK：260 ) 在线值：发帖 30 回帖 1861 粉丝 2 关注私信	书呆彭 6 4 楼遇到没见过的指令查指令手册，既权威又省事，发到论坛上，还不如自己去查来得快来得准确。这里有手册的下载：23dK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3W2F1N6r3g2D9i4K6u0W2j5$3!0E0i4K6u0r3M7s2u0G2k6s2g2U0N6s2y4Q4x3V1k6H3M7X3!0U0k6i4y4K6L8%4u0Q4x3V1k6E0j5h3&6#2j5h3I4K6i4K6u0r3 上面贴出来的部分，前半部分 00401050 D4 03 AAM 3 ；AAM 3啥意思？ 00401057 D87B 11 FDIVR DWORD PTR DS:[EBX+11] ；FDIVR啥意思？ 0040105E DC00 FADD QWORD PTR DS:[EAX] ；FADD啥意思？ 00401065 E0 00 LOOPDNE SHORT generic.00401067 ；LOOPDNE啥意思？ 00401177 C9 LEAVE ；LEAVE啥意思？ 00401178 C2 1000 RETN 10 ；10啥意思,为什么要加一个10？有可能是一个函数的一部分代码，不过看起来怪怪的。而后面的部分 004011BB 65:6D INS DWORD PTR ES:[EDI],DX ；INS啥意思？ 004011BD 626C65 72 BOUND EBP,QWORD PTR SS:[EBP+72] ；BOUND啥意思？ 004011CD 70 6C JO SHORT generic.0040123B ；JO啥意思？ 004011F9 65:61 POPAD ；POPAD啥意思？ 00401200 6E OUTS DX,BYTE PTR ES:[EDI] ；OUTS啥意思？ 00401201 66:6972 6D 2045 IMUL SI,WORD PTR DS:[EDX+6D],4520 ；IMUL啥意思？ 00401207 78 69 JS SHORT generic.00401272 ；JS啥意思？根本不是代码，或者是加了密的代码。后面的00401270 - FF25 48204000 JMP DWORD PTR DS:[<&user32.CreateWindowE>; jmp到一个函数入口，没有什么特殊的意义，作用是可以把这个401270当作CreateWindowExA函数的入口来call。至于编译器为什么生成这样的代码，对不起，我也不清楚。我只知道有些情况编译器是直接call到IAT中的指针的，有些时候会call到这样一个jmp指令。 2009-1-23 17:59 0
小虾雪币： 2384 活跃值： (766) 能力值： (RANK：410 ) 在线值：发帖 36 回帖 2248 粉丝 7 关注私信	小虾 10 5 楼 00401037 EB 0E JMP SHORT generic.00401047 ; 从这一句可以很明显看出(从下面的反汇编上看根本看不到00401047这个地址)，这个程序应该有花指令。后面反汇编出来的根本不是可以正常执行的指令。 00401039 47 INC EDI 0040103A 65:6E OUTS DX,BYTE PTR ES:[EDI] ; I/O 命令 0040103C 65:72 69 JB SHORT generic.004010A8 ; 多余前缀 0040103F 635F 43 ARPL WORD PTR DS:[EDI+43],BX 00401042 6C INS BYTE PTR ES:[EDI],DX ; I/O 命令 00401043 61 POPAD 00401044 73 73 JNB SHORT generic.004010B9 00401046 00C7 ADD BH,AL 00401048 45 INC EBP 00401049 D030 SAL BYTE PTR DS:[EAX],1 0040104B 0000 ADD BYTE PTR DS:[EAX],AL 2009-1-23 18:05 0
sessiondiy 雪币： 2067 活跃值： (82) 能力值： ( LV9，RANK：180 ) 在线值：发帖 37 回帖 3244 粉丝 6 关注私信	sessiondiy 4 6 楼帮LZ整理了一下 00401000 6A 00 push 0 00401002 E8 D5020000 call 004012DC 00401007 A3 10304000 mov dword ptr [403010], eax 0040100C E8 C5020000 call 004012D6 00401011 A3 08304000 mov dword ptr [403008], eax 00401016 6A 0A push 0A 00401018 FF35 08304000 push dword ptr [403008] 0040101E 6A 00 push 0 00401020 FF35 10304000 push dword ptr [403010] 00401026 E8 06000000 call 00401031 0040102B 50 push eax 0040102C E8 9F020000 call 004012D0 00401031 55 push ebp 00401032 8BEC mov ebp, esp 00401034 83C4 A4 add esp, -5C 00401037 EB 0E jmp short 00401047 00767372 db 'Generic_Class', 0 00401047 C745 D0 3000000>mov dword ptr [ebp-30], 30 0040104E C745 D4 0320000>mov dword ptr [ebp-2C], 2003 00401055 C745 D8 7B11400>mov dword ptr [ebp-28], 0040117B 0040105C C745 DC 0000000>mov dword ptr [ebp-24], 0 00401063 C745 E0 0000000>mov dword ptr [ebp-20], 0 0040106A FF75 08 push dword ptr [ebp+8] 0040106D 8F45 E4 pop dword ptr [ebp-1C] 00401070 C745 F0 1000000>mov dword ptr [ebp-10], 10 00401077 C745 F4 0000000>mov dword ptr [ebp-C], 0 0040107E C745 F8 3910400>mov dword ptr [ebp-8], 00401039 ; ASCII "Generic_Class" 00401085 68 F4010000 push 1F4 0040108A FF75 08 push dword ptr [ebp+8] 0040108D E8 02020000 call 00401294 00401092 8945 E8 mov dword ptr [ebp-18], eax 00401095 68 007F0000 push 7F00 0040109A 6A 00 push 0 0040109C E8 ED010000 call 0040128E 004010A1 8945 EC mov dword ptr [ebp-14], eax 004010A4 C745 FC 0000000>mov dword ptr [ebp-4], 0 004010AB 8D45 D0 lea eax, dword ptr [ebp-30] 004010AE 50 push eax 004010AF E8 F8010000 call 004012AC 004010B4 C745 B0 F401000>mov dword ptr [ebp-50], 1F4 004010BB C745 AC 5E01000>mov dword ptr [ebp-54], 15E 004010C2 6A 00 push 0 004010C4 E8 BF010000 call 00401288 004010C9 50 push eax 004010CA FF75 B0 push dword ptr [ebp-50] 004010CD E8 88010000 call 0040125A 004010D2 8945 A8 mov dword ptr [ebp-58], eax 004010D5 6A 01 push 1 004010D7 E8 AC010000 call 00401288 004010DC 50 push eax 004010DD FF75 AC push dword ptr [ebp-54] 004010E0 E8 75010000 call 0040125A 004010E5 8945 A4 mov dword ptr [ebp-5C], eax 004010E8 6A 00 push 0 004010EA FF75 08 push dword ptr [ebp+8] 004010ED 6A 00 push 0 004010EF 6A 00 push 0 004010F1 FF75 AC push dword ptr [ebp-54] 004010F4 FF75 B0 push dword ptr [ebp-50] 004010F7 FF75 A4 push dword ptr [ebp-5C] 004010FA FF75 A8 push dword ptr [ebp-58] 004010FD 68 0000CF00 push 0CF0000 00401102 68 00304000 push 00403000 ; ASCII "Generic" 00401107 68 39104000 push 00401039 ; ASCII "Generic_Class" 0040110C 68 00030000 push 300 00401111 E8 5A010000 call 00401270 00401116 A3 0C304000 mov dword ptr [40300C], eax 0040111B 68 58020000 push 258 00401120 FF75 08 push dword ptr [ebp+8] 00401123 E8 72010000 call 0040129A 00401128 50 push eax 00401129 FF35 0C304000 push dword ptr [40300C] 0040112F E8 84010000 call 004012B8 00401134 6A 01 push 1 00401136 FF35 0C304000 push dword ptr [40300C] 0040113C E8 7D010000 call 004012BE 00401141 FF35 0C304000 push dword ptr [40300C] 00401147 E8 7E010000 call 004012CA 0040114C 6A 00 push 0 0040114E 6A 00 push 0 00401150 6A 00 push 0 00401152 8D45 B4 lea eax, dword ptr [ebp-4C] 00401155 50 push eax 00401156 E8 27010000 call 00401282 0040115B 83F8 00 cmp eax, 0 0040115E 74 14 je short 00401174 00401160 8D45 B4 lea eax, dword ptr [ebp-4C] 00401163 50 push eax 00401164 E8 5B010000 call 004012C4 00401169 8D45 B4 lea eax, dword ptr [ebp-4C] 0040116C 50 push eax 0040116D E8 0A010000 call 0040127C 00401172 ^ EB D8 jmp short 0040114C 00401174 8B45 BC mov eax, dword ptr [ebp-44] 00401177 C9 leave 00401178 C2 1000 retn 10 0040117B 55 push ebp 0040117C 8BEC mov ebp, esp 0040117E 817D 0C 1101000>cmp dword ptr [ebp+C], 111 00401185 75 60 jnz short 004011E7 00401187 817D 10 E803000>cmp dword ptr [ebp+10], 3E8 0040118E 75 19 jnz short 004011A9 00401190 6A 00 push 0 00401192 68 60F00000 push 0F060 00401197 68 12010000 push 112 0040119C FF75 08 push dword ptr [ebp+8] 0040119F E8 0E010000 call 004012B2 004011A4 E9 9C000000 jmp 00401245 004011A9 817D 10 6C07000>cmp dword ptr [ebp+10], 76C 004011B0 0F85 8F000000 jnz 00401245 004011B6 EB 19 jmp short 004011D1 004011B8 db "Assembler, Pure & Simple", 0 004011D1 6A 00 push 0 004011D3 68 00304000 push 00403000 004011D8 68 B8114000 push 004011B8 ; ASCII "Assembler, Pure & Simple" 004011DD FF75 08 push dword ptr [ebp+8] 004011E0 E8 BB000000 call 004012A0 004011E5 EB 5E jmp short 00401245 004011E7 837D 0C 01 cmp dword ptr [ebp+C], 1 004011EB 75 02 jnz short 004011EF 004011ED EB 56 jmp short 00401245 004011EF 837D 0C 10 cmp dword ptr [ebp+C], 10 004011F3 75 3A jnz short 0040122F 004011F5 EB 14 jmp short 0040120B 004011F7 db "Please Confirm Exit", 0 0040120B 6A 04 push 4 0040120D 68 00304000 push 00403000 ; ASCII "Generic" 00401212 68 F7114000 push 004011F7 ; ASCII "Please Confirm Exit" 00401217 FF75 08 push dword ptr [ebp+8] 0040121A E8 81000000 call 004012A0 0040121F 83F8 07 cmp eax, 7 00401222 75 21 jnz short 00401245 00401224 B8 00000000 mov eax, 0 00401229 C9 leave 0040122A C2 1000 retn 10 0040122D EB 16 jmp short 00401245 0040122F 837D 0C 02 cmp dword ptr [ebp+C], 2 00401233 75 10 jnz short 00401245 00401235 6A 00 push 0 00401237 E8 6A000000 call 004012A6 0040123C B8 00000000 mov eax, 0 00401241 C9 leave 00401242 C2 1000 retn 10 00401245 FF75 14 push dword ptr [ebp+14] 00401248 FF75 10 push dword ptr [ebp+10] 0040124B FF75 0C push dword ptr [ebp+C] 0040124E FF75 08 push dword ptr [ebp+8] 00401251 E8 20000000 call 00401276 00401256 C9 leave 00401257 C2 1000 retn 10 0040125A 55 push ebp 0040125B 8BEC mov ebp, esp 0040125D D16D 0C shr dword ptr [ebp+C], 1 00401260 D16D 08 shr dword ptr [ebp+8], 1 00401263 8B45 08 mov eax, dword ptr [ebp+8] 00401266 2945 0C sub dword ptr [ebp+C], eax 00401269 8B45 0C mov eax, dword ptr [ebp+C] 0040126C C9 leave 0040126D C2 0800 retn 8 00401270 - FF25 48204000 JMP DWORD PTR DS:[<&user32.CreateWindowE>; user32.CreateWindowExA 00401276 - FF25 20204000 JMP DWORD PTR DS:[<&user32.DefWindowProc>; user32.DefWindowProcA 0040127C - FF25 40204000 JMP DWORD PTR DS:[<&user32.DispatchMessa>; user32.DispatchMessageA 00401282 - FF25 28204000 JMP DWORD PTR DS:[<&user32.GetMessageA>] ; user32.GetMessageA 00401288 - FF25 24204000 JMP DWORD PTR DS:[<&user32.GetSystemMetr>; user32.GetSystemMetrics 0040128E - FF25 10204000 JMP DWORD PTR DS:[<&user32.LoadCursorA>] ; user32.LoadCursorA 00401294 - FF25 14204000 JMP DWORD PTR DS:[<&user32.LoadIconA>] ; user32.LoadIconA 0040129A - FF25 18204000 JMP DWORD PTR DS:[<&user32.LoadMenuA>] ; user32.LoadMenuA 004012A0 - FF25 1C204000 JMP DWORD PTR DS:[<&user32.MessageBoxA>] ; user32.MessageBoxA 004012A6 - FF25 44204000 JMP DWORD PTR DS:[<&user32.PostQuitMessa>; user32.PostQuitMessage 004012AC - FF25 4C204000 JMP DWORD PTR DS:[<&user32.RegisterClass>; user32.RegisterClassExA 004012B2 - FF25 2C204000 JMP DWORD PTR DS:[<&user32.SendMessageA>>; user32.SendMessageA 004012B8 - FF25 30204000 JMP DWORD PTR DS:[<&user32.SetMenu>] ; user32.SetMenu 004012BE - FF25 34204000 JMP DWORD PTR DS:[<&user32.ShowWindow>] ; user32.ShowWindow 004012C4 - FF25 38204000 JMP DWORD PTR DS:[<&user32.TranslateMess>; user32.TranslateMessage 004012CA - FF25 3C204000 JMP DWORD PTR DS:[<&user32.UpdateWindow>>; user32.UpdateWindow 004012D0 - FF25 08204000 JMP DWORD PTR DS:[<&kernel32.ExitProcess>; kernel32.ExitProcess 004012D6 - FF25 04204000 JMP DWORD PTR DS:[<&kernel32.GetCommandL>; kernel32.GetCommandLineA 004012DC - FF25 00204000 JMP DWORD PTR DS:[<&kernel32.GetModuleHa>; kernel32.GetModuleHandleA 2009-1-23 20:20 0
孙悟空雪币： 202 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 14 粉丝 0 关注私信	孙悟空 7 楼指令手册是英文的，看不懂呀。都不知道在哪下，打开网站全是英文 2009-1-23 21:45 0
liyuaq 雪币： 130 活跃值： (69) 能力值： ( LV3，RANK：20 ) 在线值：发帖 4 回帖 14 粉丝 0 关注私信	liyuaq 8 楼我要删了这个。 2009-1-24 13:51 0
liyuaq 雪币： 130 活跃值： (69) 能力值： ( LV3，RANK：20 ) 在线值：发帖 4 回帖 14 粉丝 0 关注私信	liyuaq 9 楼怎么删除那！！ 2009-1-24 13:52 0
liyuaq 雪币： 130 活跃值： (69) 能力值： ( LV3，RANK：20 ) 在线值：发帖 4 回帖 14 粉丝 0 关注私信	liyuaq 10 楼 004011BB 65:6D INS DWORD PTR ES:[EDI],DX ；INS啥意思？ 004011BD 626C65 72 BOUND EBP,QWORD PTR SS:[EBP+72] ；BOUND啥意思？ 004011CD 70 6C JO SHORT generic.0040123B ；JO啥意思？ 004011F9 65:61 POPAD ；POPAD啥意思？ 00401200 6E OUTS DX,BYTE PTR ES:[EDI] ；OUTS啥意思？ 00401201 66:6972 6D 2045 IMUL SI,WORD PTR DS:[EDX+6D],4520 ；IMUL啥意思？ 00401207 78 69 JS SHORT generic.00401272 ；JS啥意思？ -------------------------------------------------------------------------------- INS i/o 断口操作。。in ,out ,outs . BOUND 检查数组 JO 跳转指令 o标志。。也就是溢出标志 POPAD 。这个很常见的啊。和pushad一起用的。 pushad 是全部压栈,IA-32的PUSHAD指令在堆栈中按顺序压入下列寄存器: EAX,ECX,EDX,EBX,ESP,EBP,ESI和EDI IMUL 这个是乘法指令啊。是对mul的扩展。带符号位把。 JS 这个也一样跳转指令。s是sign。符号位标志 retn 这个是恢复堆栈用的。就是要堆栈平衡。比如本来堆栈esp基础上在加上n个长度 Enter的作用相当==push ebp和mov ebp,esp Leave的作用相当==mov esp,ebp和pop ebp Enter和leave的作用分别函数开始和结束 2009-1-24 13:53 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

神龙武士

100

发帖

242

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (9)
fixfix 雪币： 419 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 21 回帖 671 粉丝 0 关注私信	fixfix 2 楼最后的一个问题空闲的空间把其他的请CTRL+A 分析下看看感觉很花 2009-1-23 12:56 0
神龙武士雪币： 40 活跃值： (18) 能力值： ( LV2，RANK：10 ) 在线值：发帖 100 回帖 242 粉丝 1 关注私信	神龙武士 3 楼那就是说最后那近1000行“004012E4 0000 ADD BYTE PTR DS:[EAX],AL ”这样的代码，是多余的了，可以往里面写东西了，对吧？其他的问题呢,能不能指点一下？谢谢先有些地方指令，从来没有见过，看不明白，请教请教： 00401050 D4 03 AAM 3 ；AAM 3啥意思？ 00401057 D87B 11 FDIVR DWORD PTR DS:[EBX+11] ；FDIVR啥意思？ 0040105E DC00 FADD QWORD PTR DS:[EAX] ；FADD啥意思？ 00401065 E0 00 LOOPDNE SHORT generic.00401067 ；LOOPDNE啥意思？ 00401177 C9 LEAVE ；LEAVE啥意思？ 00401178 C2 1000 RETN 10 ；10啥意思,为什么要加一个10？ 004011BB 65:6D INS DWORD PTR ES:[EDI],DX ；INS啥意思？ 004011BD 626C65 72 BOUND EBP,QWORD PTR SS:[EBP+72] ；BOUND啥意思？ 004011CD 70 6C JO SHORT generic.0040123B ；JO啥意思？ 004011F9 65:61 POPAD ；POPAD啥意思？ 00401200 6E OUTS DX,BYTE PTR ES:[EDI] ；OUTS啥意思？ 00401201 66:6972 6D 2045 IMUL SI,WORD PTR DS:[EDX+6D],4520 ；IMUL啥意思？ 00401207 78 69 JS SHORT generic.00401272 ；JS啥意思？ 00401270 - FF25 48204000 JMP DWORD PTR DS:[<&user32.CreateWindowE>; ；JMP到一个函数那里啥意思？ 2009-1-23 16:29 0
书呆彭雪币： 2110 活跃值： (21) 能力值： (RANK：260 ) 在线值：发帖 30 回帖 1861 粉丝 2 关注私信	书呆彭 6 4 楼遇到没见过的指令查指令手册，既权威又省事，发到论坛上，还不如自己去查来得快来得准确。这里有手册的下载：23dK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3W2F1N6r3g2D9i4K6u0W2j5$3!0E0i4K6u0r3M7s2u0G2k6s2g2U0N6s2y4Q4x3V1k6H3M7X3!0U0k6i4y4K6L8%4u0Q4x3V1k6E0j5h3&6#2j5h3I4K6i4K6u0r3 上面贴出来的部分，前半部分 00401050 D4 03 AAM 3 ；AAM 3啥意思？ 00401057 D87B 11 FDIVR DWORD PTR DS:[EBX+11] ；FDIVR啥意思？ 0040105E DC00 FADD QWORD PTR DS:[EAX] ；FADD啥意思？ 00401065 E0 00 LOOPDNE SHORT generic.00401067 ；LOOPDNE啥意思？ 00401177 C9 LEAVE ；LEAVE啥意思？ 00401178 C2 1000 RETN 10 ；10啥意思,为什么要加一个10？有可能是一个函数的一部分代码，不过看起来怪怪的。而后面的部分 004011BB 65:6D INS DWORD PTR ES:[EDI],DX ；INS啥意思？ 004011BD 626C65 72 BOUND EBP,QWORD PTR SS:[EBP+72] ；BOUND啥意思？ 004011CD 70 6C JO SHORT generic.0040123B ；JO啥意思？ 004011F9 65:61 POPAD ；POPAD啥意思？ 00401200 6E OUTS DX,BYTE PTR ES:[EDI] ；OUTS啥意思？ 00401201 66:6972 6D 2045 IMUL SI,WORD PTR DS:[EDX+6D],4520 ；IMUL啥意思？ 00401207 78 69 JS SHORT generic.00401272 ；JS啥意思？根本不是代码，或者是加了密的代码。后面的00401270 - FF25 48204000 JMP DWORD PTR DS:[<&user32.CreateWindowE>; jmp到一个函数入口，没有什么特殊的意义，作用是可以把这个401270当作CreateWindowExA函数的入口来call。至于编译器为什么生成这样的代码，对不起，我也不清楚。我只知道有些情况编译器是直接call到IAT中的指针的，有些时候会call到这样一个jmp指令。 2009-1-23 17:59 0
小虾雪币： 2384 活跃值： (766) 能力值： (RANK：410 ) 在线值：发帖 36 回帖 2248 粉丝 7 关注私信	小虾 10 5 楼 00401037 EB 0E JMP SHORT generic.00401047 ; 从这一句可以很明显看出(从下面的反汇编上看根本看不到00401047这个地址)，这个程序应该有花指令。后面反汇编出来的根本不是可以正常执行的指令。 00401039 47 INC EDI 0040103A 65:6E OUTS DX,BYTE PTR ES:[EDI] ; I/O 命令 0040103C 65:72 69 JB SHORT generic.004010A8 ; 多余前缀 0040103F 635F 43 ARPL WORD PTR DS:[EDI+43],BX 00401042 6C INS BYTE PTR ES:[EDI],DX ; I/O 命令 00401043 61 POPAD 00401044 73 73 JNB SHORT generic.004010B9 00401046 00C7 ADD BH,AL 00401048 45 INC EBP 00401049 D030 SAL BYTE PTR DS:[EAX],1 0040104B 0000 ADD BYTE PTR DS:[EAX],AL 2009-1-23 18:05 0
sessiondiy 雪币： 2067 活跃值： (82) 能力值： ( LV9，RANK：180 ) 在线值：发帖 37 回帖 3244 粉丝 6 关注私信	sessiondiy 4 6 楼帮LZ整理了一下 00401000 6A 00 push 0 00401002 E8 D5020000 call 004012DC 00401007 A3 10304000 mov dword ptr [403010], eax 0040100C E8 C5020000 call 004012D6 00401011 A3 08304000 mov dword ptr [403008], eax 00401016 6A 0A push 0A 00401018 FF35 08304000 push dword ptr [403008] 0040101E 6A 00 push 0 00401020 FF35 10304000 push dword ptr [403010] 00401026 E8 06000000 call 00401031 0040102B 50 push eax 0040102C E8 9F020000 call 004012D0 00401031 55 push ebp 00401032 8BEC mov ebp, esp 00401034 83C4 A4 add esp, -5C 00401037 EB 0E jmp short 00401047 00767372 db 'Generic_Class', 0 00401047 C745 D0 3000000>mov dword ptr [ebp-30], 30 0040104E C745 D4 0320000>mov dword ptr [ebp-2C], 2003 00401055 C745 D8 7B11400>mov dword ptr [ebp-28], 0040117B 0040105C C745 DC 0000000>mov dword ptr [ebp-24], 0 00401063 C745 E0 0000000>mov dword ptr [ebp-20], 0 0040106A FF75 08 push dword ptr [ebp+8] 0040106D 8F45 E4 pop dword ptr [ebp-1C] 00401070 C745 F0 1000000>mov dword ptr [ebp-10], 10 00401077 C745 F4 0000000>mov dword ptr [ebp-C], 0 0040107E C745 F8 3910400>mov dword ptr [ebp-8], 00401039 ; ASCII "Generic_Class" 00401085 68 F4010000 push 1F4 0040108A FF75 08 push dword ptr [ebp+8] 0040108D E8 02020000 call 00401294 00401092 8945 E8 mov dword ptr [ebp-18], eax 00401095 68 007F0000 push 7F00 0040109A 6A 00 push 0 0040109C E8 ED010000 call 0040128E 004010A1 8945 EC mov dword ptr [ebp-14], eax 004010A4 C745 FC 0000000>mov dword ptr [ebp-4], 0 004010AB 8D45 D0 lea eax, dword ptr [ebp-30] 004010AE 50 push eax 004010AF E8 F8010000 call 004012AC 004010B4 C745 B0 F401000>mov dword ptr [ebp-50], 1F4 004010BB C745 AC 5E01000>mov dword ptr [ebp-54], 15E 004010C2 6A 00 push 0 004010C4 E8 BF010000 call 00401288 004010C9 50 push eax 004010CA FF75 B0 push dword ptr [ebp-50] 004010CD E8 88010000 call 0040125A 004010D2 8945 A8 mov dword ptr [ebp-58], eax 004010D5 6A 01 push 1 004010D7 E8 AC010000 call 00401288 004010DC 50 push eax 004010DD FF75 AC push dword ptr [ebp-54] 004010E0 E8 75010000 call 0040125A 004010E5 8945 A4 mov dword ptr [ebp-5C], eax 004010E8 6A 00 push 0 004010EA FF75 08 push dword ptr [ebp+8] 004010ED 6A 00 push 0 004010EF 6A 00 push 0 004010F1 FF75 AC push dword ptr [ebp-54] 004010F4 FF75 B0 push dword ptr [ebp-50] 004010F7 FF75 A4 push dword ptr [ebp-5C] 004010FA FF75 A8 push dword ptr [ebp-58] 004010FD 68 0000CF00 push 0CF0000 00401102 68 00304000 push 00403000 ; ASCII "Generic" 00401107 68 39104000 push 00401039 ; ASCII "Generic_Class" 0040110C 68 00030000 push 300 00401111 E8 5A010000 call 00401270 00401116 A3 0C304000 mov dword ptr [40300C], eax 0040111B 68 58020000 push 258 00401120 FF75 08 push dword ptr [ebp+8] 00401123 E8 72010000 call 0040129A 00401128 50 push eax 00401129 FF35 0C304000 push dword ptr [40300C] 0040112F E8 84010000 call 004012B8 00401134 6A 01 push 1 00401136 FF35 0C304000 push dword ptr [40300C] 0040113C E8 7D010000 call 004012BE 00401141 FF35 0C304000 push dword ptr [40300C] 00401147 E8 7E010000 call 004012CA 0040114C 6A 00 push 0 0040114E 6A 00 push 0 00401150 6A 00 push 0 00401152 8D45 B4 lea eax, dword ptr [ebp-4C] 00401155 50 push eax 00401156 E8 27010000 call 00401282 0040115B 83F8 00 cmp eax, 0 0040115E 74 14 je short 00401174 00401160 8D45 B4 lea eax, dword ptr [ebp-4C] 00401163 50 push eax 00401164 E8 5B010000 call 004012C4 00401169 8D45 B4 lea eax, dword ptr [ebp-4C] 0040116C 50 push eax 0040116D E8 0A010000 call 0040127C 00401172 ^ EB D8 jmp short 0040114C 00401174 8B45 BC mov eax, dword ptr [ebp-44] 00401177 C9 leave 00401178 C2 1000 retn 10 0040117B 55 push ebp 0040117C 8BEC mov ebp, esp 0040117E 817D 0C 1101000>cmp dword ptr [ebp+C], 111 00401185 75 60 jnz short 004011E7 00401187 817D 10 E803000>cmp dword ptr [ebp+10], 3E8 0040118E 75 19 jnz short 004011A9 00401190 6A 00 push 0 00401192 68 60F00000 push 0F060 00401197 68 12010000 push 112 0040119C FF75 08 push dword ptr [ebp+8] 0040119F E8 0E010000 call 004012B2 004011A4 E9 9C000000 jmp 00401245 004011A9 817D 10 6C07000>cmp dword ptr [ebp+10], 76C 004011B0 0F85 8F000000 jnz 00401245 004011B6 EB 19 jmp short 004011D1 004011B8 db "Assembler, Pure & Simple", 0 004011D1 6A 00 push 0 004011D3 68 00304000 push 00403000 004011D8 68 B8114000 push 004011B8 ; ASCII "Assembler, Pure & Simple" 004011DD FF75 08 push dword ptr [ebp+8] 004011E0 E8 BB000000 call 004012A0 004011E5 EB 5E jmp short 00401245 004011E7 837D 0C 01 cmp dword ptr [ebp+C], 1 004011EB 75 02 jnz short 004011EF 004011ED EB 56 jmp short 00401245 004011EF 837D 0C 10 cmp dword ptr [ebp+C], 10 004011F3 75 3A jnz short 0040122F 004011F5 EB 14 jmp short 0040120B 004011F7 db "Please Confirm Exit", 0 0040120B 6A 04 push 4 0040120D 68 00304000 push 00403000 ; ASCII "Generic" 00401212 68 F7114000 push 004011F7 ; ASCII "Please Confirm Exit" 00401217 FF75 08 push dword ptr [ebp+8] 0040121A E8 81000000 call 004012A0 0040121F 83F8 07 cmp eax, 7 00401222 75 21 jnz short 00401245 00401224 B8 00000000 mov eax, 0 00401229 C9 leave 0040122A C2 1000 retn 10 0040122D EB 16 jmp short 00401245 0040122F 837D 0C 02 cmp dword ptr [ebp+C], 2 00401233 75 10 jnz short 00401245 00401235 6A 00 push 0 00401237 E8 6A000000 call 004012A6 0040123C B8 00000000 mov eax, 0 00401241 C9 leave 00401242 C2 1000 retn 10 00401245 FF75 14 push dword ptr [ebp+14] 00401248 FF75 10 push dword ptr [ebp+10] 0040124B FF75 0C push dword ptr [ebp+C] 0040124E FF75 08 push dword ptr [ebp+8] 00401251 E8 20000000 call 00401276 00401256 C9 leave 00401257 C2 1000 retn 10 0040125A 55 push ebp 0040125B 8BEC mov ebp, esp 0040125D D16D 0C shr dword ptr [ebp+C], 1 00401260 D16D 08 shr dword ptr [ebp+8], 1 00401263 8B45 08 mov eax, dword ptr [ebp+8] 00401266 2945 0C sub dword ptr [ebp+C], eax 00401269 8B45 0C mov eax, dword ptr [ebp+C] 0040126C C9 leave 0040126D C2 0800 retn 8 00401270 - FF25 48204000 JMP DWORD PTR DS:[<&user32.CreateWindowE>; user32.CreateWindowExA 00401276 - FF25 20204000 JMP DWORD PTR DS:[<&user32.DefWindowProc>; user32.DefWindowProcA 0040127C - FF25 40204000 JMP DWORD PTR DS:[<&user32.DispatchMessa>; user32.DispatchMessageA 00401282 - FF25 28204000 JMP DWORD PTR DS:[<&user32.GetMessageA>] ; user32.GetMessageA 00401288 - FF25 24204000 JMP DWORD PTR DS:[<&user32.GetSystemMetr>; user32.GetSystemMetrics 0040128E - FF25 10204000 JMP DWORD PTR DS:[<&user32.LoadCursorA>] ; user32.LoadCursorA 00401294 - FF25 14204000 JMP DWORD PTR DS:[<&user32.LoadIconA>] ; user32.LoadIconA 0040129A - FF25 18204000 JMP DWORD PTR DS:[<&user32.LoadMenuA>] ; user32.LoadMenuA 004012A0 - FF25 1C204000 JMP DWORD PTR DS:[<&user32.MessageBoxA>] ; user32.MessageBoxA 004012A6 - FF25 44204000 JMP DWORD PTR DS:[<&user32.PostQuitMessa>; user32.PostQuitMessage 004012AC - FF25 4C204000 JMP DWORD PTR DS:[<&user32.RegisterClass>; user32.RegisterClassExA 004012B2 - FF25 2C204000 JMP DWORD PTR DS:[<&user32.SendMessageA>>; user32.SendMessageA 004012B8 - FF25 30204000 JMP DWORD PTR DS:[<&user32.SetMenu>] ; user32.SetMenu 004012BE - FF25 34204000 JMP DWORD PTR DS:[<&user32.ShowWindow>] ; user32.ShowWindow 004012C4 - FF25 38204000 JMP DWORD PTR DS:[<&user32.TranslateMess>; user32.TranslateMessage 004012CA - FF25 3C204000 JMP DWORD PTR DS:[<&user32.UpdateWindow>>; user32.UpdateWindow 004012D0 - FF25 08204000 JMP DWORD PTR DS:[<&kernel32.ExitProcess>; kernel32.ExitProcess 004012D6 - FF25 04204000 JMP DWORD PTR DS:[<&kernel32.GetCommandL>; kernel32.GetCommandLineA 004012DC - FF25 00204000 JMP DWORD PTR DS:[<&kernel32.GetModuleHa>; kernel32.GetModuleHandleA 2009-1-23 20:20 0
孙悟空雪币： 202 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 14 粉丝 0 关注私信	孙悟空 7 楼指令手册是英文的，看不懂呀。都不知道在哪下，打开网站全是英文 2009-1-23 21:45 0
liyuaq 雪币： 130 活跃值： (69) 能力值： ( LV3，RANK：20 ) 在线值：发帖 4 回帖 14 粉丝 0 关注私信	liyuaq 8 楼我要删了这个。 2009-1-24 13:51 0
liyuaq 雪币： 130 活跃值： (69) 能力值： ( LV3，RANK：20 ) 在线值：发帖 4 回帖 14 粉丝 0 关注私信	liyuaq 9 楼怎么删除那！！ 2009-1-24 13:52 0
liyuaq 雪币： 130 活跃值： (69) 能力值： ( LV3，RANK：20 ) 在线值：发帖 4 回帖 14 粉丝 0 关注私信	liyuaq 10 楼 004011BB 65:6D INS DWORD PTR ES:[EDI],DX ；INS啥意思？ 004011BD 626C65 72 BOUND EBP,QWORD PTR SS:[EBP+72] ；BOUND啥意思？ 004011CD 70 6C JO SHORT generic.0040123B ；JO啥意思？ 004011F9 65:61 POPAD ；POPAD啥意思？ 00401200 6E OUTS DX,BYTE PTR ES:[EDI] ；OUTS啥意思？ 00401201 66:6972 6D 2045 IMUL SI,WORD PTR DS:[EDX+6D],4520 ；IMUL啥意思？ 00401207 78 69 JS SHORT generic.00401272 ；JS啥意思？ -------------------------------------------------------------------------------- INS i/o 断口操作。。in ,out ,outs . BOUND 检查数组 JO 跳转指令 o标志。。也就是溢出标志 POPAD 。这个很常见的啊。和pushad一起用的。 pushad 是全部压栈,IA-32的PUSHAD指令在堆栈中按顺序压入下列寄存器: EAX,ECX,EDX,EBX,ESP,EBP,ESI和EDI IMUL 这个是乘法指令啊。是对mul的扩展。带符号位把。 JS 这个也一样跳转指令。s是sign。符号位标志 retn 这个是恢复堆栈用的。就是要堆栈平衡。比如本来堆栈esp基础上在加上n个长度 Enter的作用相当==push ebp和mov ebp,esp Leave的作用相当==mov esp,ebp和pop ebp Enter和leave的作用分别函数开始和结束 2009-1-24 13:53 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复