最近总遇到这类（MFC42 动态链接的）程序，干脆把定位方法写出来和大家交流一下、、、如果写得不好大家不要扔砖头哇、、、
查找InitInstance函数入口
1、手动跟踪法
在 OllyDbg 里找到调用 MSVCRT.exit 的位置，其上方紧邻的那个 call（下面的 00401ADF）就是要跟进的调用：它的返回值先存入 [ebp-68]，随后直接作为 exit 的 status 参数，这正是启动代码调用程序主入口的特征。
; Tail of the startup code: GetModuleHandleA(...) -> application entry thunk -> exit(status).
; NOTE(review): ebx is set outside this excerpt; OllyDbg only labels it as the pModule argument.
00401AD7 |. 53 push ebx ; /pModule (lpModuleName argument of GetModuleHandleA)
00401AD8 |. FF15 10204000 call dword ptr ds:[<&KERNEL32.GetModuleHandle>; \GetModuleHandleA -> eax = HMODULE
00401ADE |. 50 push eax ; the HMODULE just returned becomes an argument of the call below (remaining arguments are pushed before this excerpt)
00401ADF |. E8 5E000000 call 54afa408.00401B42-------------------------step INTO this CALL: 00401B42 is a four-argument forwarding thunk to MFC42.#1576 (listed below)
00401AE4 |. 8945 98 mov dword ptr ss:[ebp-68],eax ; keep the return value in a local ...
00401AE7 |. 50 push eax ; /status = that return value
00401AE8 |. FF15 BC214000 call dword ptr ds:[<&MSVCRT.exit>] ; \exit -- the process ends with it; this "call immediately above exit" pattern is the anchor used to find the entry
来到 00401B42 后，跟进里面第一个（也是唯一的）call，即 00401B52 处对 MFC42.#1576 的调用。MFC42.dll 的导出序号 #1576 一般对应 AfxWinMain，可对照 DLL 导出表确认。
; 00401B42: stdcall forwarding thunk. Every push reads [esp+10], but esp moves down 4 bytes
; per push, so the four reads walk the caller's four stack arguments from last to first
; (right-to-left) and re-push them for the callee in the same order. retn 10 pops them again.
00401B42 /$ FF7424 10 push dword ptr ss:[esp+10] ; caller's 4th argument (pushed first)
00401B46 |. FF7424 10 push dword ptr ss:[esp+10] ; caller's 3rd argument
00401B4A |. FF7424 10 push dword ptr ss:[esp+10] ; caller's 2nd argument
00401B4E |. FF7424 10 push dword ptr ss:[esp+10] ; caller's 1st argument
00401B52 |. E8 43000000 call <jmp.&MFC42.#1576>-------------------------step INTO this CALL: it goes through the IAT jump stub at 00401B9A into MFC42.dll. Ordinal #1576 of MFC42 is conventionally AfxWinMain -- confirm against the DLL's export table
00401B57 \. C2 1000 retn 10 ; stdcall epilogue: remove the four DWORD arguments (0x10 bytes)
00401B9A $- FF25 90214000 jmp dword ptr ds:[<&MFC42.#1576>] ; step into this jump: IAT stub, lands inside MFC42.dll (the next stop of interest is 73D3CF6D below)
00401BA0 . 8D4D 8C lea ecx,dword ptr ss:[ebp-74] ; NOTE(review): this and the next line look like the tail of some other routine that jumps back to 00401130; they are not on the path being traced
00401BA3 .^ E9 88F5FFFF jmp 54afa408.00401130
00401BA8 $ B8 40254000 mov eax,54afa408.00402540 ; structured exception handler: this is the address registered at 004010B2 as that frame's SEH handler; eax = pointer to the function's C++ EH descriptor (presumably the compiler's FuncInfo) at 00402540
00401BAD .^ E9 F8FDFFFF jmp <jmp.&MSVCRT.__CxxFrameHandler> ; tail-jump into the MSVC C++ exception dispatcher -- compiler-generated EH, not a hand-written handler
; Inside MFC42.dll (73D3xxxx): a virtual call on the object esi points to, thiscall convention (ecx = this).
73D3CF6D 8B06 mov eax,dword ptr ds:[esi] ; eax = vtable pointer of the object
73D3CF6F 8BCE mov ecx,esi ; this pointer for the virtual call
73D3CF71 FF50 58 call dword ptr ds:[eax+58]-----------------------step INTO this CALL: virtual slot at vtable+0x58, which in this program resolves to user code at 004010B0 (the InitInstance override, per the author -- a memory breakpoint on the EXE's code section catches it)
73D3CF74 85C0 test eax,eax ; BOOL result of the override
73D3CF76 75 16 jnz short MFC42.73D3CF8E ; nonzero -> continue at 73D3CF8E; zero falls through (presumably the failure path)
; InitInstance() entry (004010B0): standard MSVC prologue of a function compiled with C++ exception handling.
; NOTE(review): a frame-based handler stored on the stack is the classic SEH-overwrite target; whether the
; image was linked with /SAFESEH cannot be told from this listing.
004010B0 . 6A FF push -1 ; (Initial CPU selection) <- OllyDbg auto-comment, ignore it: this is the initial EH try-level (-1 = outside any try). This is the entry point of InitInstance()
004010B2 . 68 A81B4000 push 54afa408.00401BA8 ; install the SE handler: 00401BA8 is the __CxxFrameHandler thunk listed above
004010B7 . 64:A1 00000000 mov eax,dword ptr fs:[0] ; previous EXCEPTION_REGISTRATION record
004010BD . 50 push eax ; ... becomes the new record's Next link
004010BE . 64:8925 00000000 mov dword ptr fs:[0],esp ; register this frame's handler
004010C5 . 83EC 68 sub esp,68 ; 0x68 bytes of locals
004010C8 . 56 push esi ; save callee-saved esi
004010C9 . 8BF1 mov esi,ecx ; esi = this (thiscall) -- the object MFC42 called through at 73D3CF71, presumably the application object
004010CB . 6A 00 push 0
2、断点法
bp GetModuleHandleA，命中后用 Alt+F9（执行到用户代码返回）返回。注意 GetModuleHandleA 在 CRT/MFC 初始化期间可能被多次调用，返回后要确认停在 00401ADE（紧邻 MSVCRT.exit 的那个 call 之前），否则继续运行再返回。
看见那个 call（00401ADF）就跟进，然后遇到第一个 call（00401B52，MFC42.#1576）再跟进。
进入 MFC42 后不要在 DLL 里单步，直接对程序自身的代码段下内存访问断点再运行：当 MFC42 通过虚表 call dword ptr [eax+58] 回调到程序代码时就会停在 004010B0，也就是上述 InitInstance 的入口。
--------------------------------------------------------------------------------美丽的分割线、、、、
查找OnInitDialog函数的入口处
bp AppendMenuA，命中后用 Alt+F9 返回到用户代码就可以看到下面的代码。注意这种方法只对在 OnInitDialog 里调用 AppendMenuA 的程序有效（AppWizard 生成的对话框会向系统菜单追加 ID 为 0x10 的“关于”项，下面 ItemID = 10 正是这个）；如果程序没有这个调用，可以改下 SendMessageA 断点并只关注 WM_SETICON (0x80)，这个消息同样出现在下面的 OnInitDialog 里。
; Body of OnInitDialog (entry at 00401250). Register usage visible here: esi = this (set in the prologue),
; ebx = AppendMenuA, ebp is used as a zero constant (OllyDbg resolves it to NULL / 0 below),
; edx/edi hold menu-related values set before this excerpt, edi is later reloaded with SendMessageA.
004012B4 . 55 push ebp ; /pItem => NULL
004012B5 . 55 push ebp ; |ItemID => 0
004012B6 . 68 00080000 push 800 ; |Flags = MF_BYCOMMAND|MF_SEPARATOR|MF_ENABLED|MF_STRING -- 0x800 is MF_SEPARATOR; the other names are OllyDbg spelling out zero-valued flags
004012BB . 52 push edx ; |hMenu
004012BC . FFD3 call ebx ; \AppendMenuA -- appends a separator to the menu in edx
004012BE . 8B4424 10 mov eax,dword ptr ss:[esp+10] ; first DWORD of the local object at [esp+10]; used as the item text pointer below
004012C2 . 8B4F 04 mov ecx,dword ptr ds:[edi+4] ; menu handle read from the object edi points to (edi set outside this excerpt)
004012C5 . 50 push eax ; /pItem = item text
004012C6 . 6A 10 push 10 ; |ItemID = 10 (16.) -- command id the new item will send (0x10 matches the AppWizard IDM_ABOUTBOX value, presumably the "About" system-menu item)
004012C8 . 55 push ebp ; |Flags => MF_BYCOMMAND|MF_ENABLED|MF_STRING (all zero-valued: a plain string item)
004012C9 . 51 push ecx ; |hMenu
004012CA . FFD3 call ebx ; \AppendMenuA
004012CC > 8D4C24 10 lea ecx,dword ptr ss:[esp+10] ; this = the local object at [esp+10]
004012D0 . C74424 1C FFFFFF>mov dword ptr ss:[esp+1C],-1 ; EH state back to -1: the local object's try-level ends here (matches the prologue's slot if esp is at prologue level)
004012D8 . E8 41060000 call <jmp.&MFC42.#800> ; destructor call on that local; MFC42 ordinal #800 is conventionally CString::~CString -- verify against the export table
004012DD > 8B56 64 mov edx,dword ptr ds:[esi+64] ; this+0x64: an HICON member (presumably m_hIcon)
004012E0 . 8B46 20 mov eax,dword ptr ds:[esi+20] ; this+0x20: the window handle (m_hWnd in MFC42's CWnd layout -- confirm)
004012E3 . 8B3D 08224000 mov edi,dword ptr ds:[<&USER32.SendMessageA>] ; user32.SendMessageA
004012E9 . 52 push edx ; /lParam = HICON
004012EA . 6A 01 push 1 ; |wParam = 1 -> ICON_BIG
004012EC . 68 80000000 push 80 ; |Message = WM_SETICON
004012F1 . 50 push eax ; |hWnd
004012F2 . FFD7 call edi ; \SendMessageA -- equivalent of SetIcon(m_hIcon, TRUE)
004012F4 . 8B4E 64 mov ecx,dword ptr ds:[esi+64] ; same HICON again
004012F7 . 8B56 20 mov edx,dword ptr ds:[esi+20] ; same window handle
004012FA . 51 push ecx ; /lParam = HICON
004012FB . 55 push ebp ; |wParam = 0 -> ICON_SMALL
004012FC . 68 80000000 push 80 ; |Message = WM_SETICON
00401301 . 52 push edx ; |hWnd
00401302 . FFD7 call edi ; \SendMessageA -- equivalent of SetIcon(m_hIcon, FALSE); this big/small icon pair is what the AppWizard dialog OnInitDialog looks like
然后往上翻就是函数头部：入口在 00401250 的 push -1（带 SEH 帧的标准 MSVC 函数序言），而不是下面标注所在的第二行。
; OnInitDialog entry is HERE at 00401250 (one line above the author's annotation): the same C++-EH prologue shape as InitInstance.
00401250 . 6A FF push -1 ; initial EH try-level (-1 = outside any try)
00401252 . 68 E81B4000 push 54afa408.00401BE8 ; entry point of the OnInitDialog function is 00401250 above; 00401BE8 is this frame's SEH handler -- presumably a __CxxFrameHandler thunk like 00401BA8 (not shown)
00401257 . 64:A1 00000000 mov eax,dword ptr fs:[0] ; previous EXCEPTION_REGISTRATION record
0040125D . 50 push eax ; ... chained as the new record's Next link
0040125E . 64:8925 00000000 mov dword ptr fs:[0],esp ; register this frame's handler
00401265 . 51 push ecx ; one DWORD of local space (after the four register pushes below it sits at [esp+10]; the try-level slot sits at [esp+1C])
00401266 . 53 push ebx ; save callee-saved registers
00401267 . 55 push ebp
00401268 . 56 push esi
00401269 . 57 push edi
0040126A . 8BF1 mov esi,ecx ; esi = this (thiscall); ecx still holds it for the call below
0040126C . E8 F9050000 call <jmp.&MFC42.#4710> ; base-class call with ecx = this; MFC42 ordinal #4710 is conventionally CDialog::OnInitDialog -- verify against the export table
|