本文主要探讨了如何使用IDA来分析PCShrink 0.71的源代码,包括常量定义、段权限和调用函数等。作者分享了部分源码,并指出这些代码可能在脱壳过程中有用。文章还展示了代码中关于资源处理的细节,如检查文件类型、创建备份和压缩PE文件的逻辑。
这个东西对资源处理太棒了.正在还原它的源代码...
请问IDA怎么自定义常量?还有assume什么的?
这里是部分源码,也许脱壳有用吧...
都弄好以后会发布带资源的Full Source包:D
代码:--------------------------------------------------------------------------------
; [COLLAPSED ENUM MACRO_WM. PRESS KEYPAD "+" TO EXPAND]
; [COLLAPSED ENUM MACRO_IMAGE_ORDINAL_FLAG. PRESS KEYPAD "+" TO EXPAND]
; [COLLAPSED ENUM MACRO_IMAGE_ORDINAL. PRESS KEYPAD "+" TO EXPAND]
; [COLLAPSED ENUM MACRO_WM. PRESS KEYPAD "+" TO EXPAND]
; [COLLAPSED ENUM MACRO_IMAGE_ORDINAL_FLAG. PRESS KEYPAD "+" TO EXPAND]
; [COLLAPSED ENUM MACRO_IMAGE_ORDINAL. PRESS KEYPAD "+" TO EXPAND]
;
; ※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※
; ※ This file is generated by The Interactive Disassembler (IDA) ※
; ※ Copyright (c) 2003 by DataRescue sa/nv, <ida@datarescue.com> ※
; ※ [iNTERNAL RELEASE] ※
; ※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※
;
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
; File Name : E:/Documents and Settings/Star/桌面/pcsnk071/PCSHRINK.EXE.unpacked_.exe
; Format : Portable executable for IBM PC (PE)
; Section 1. (virtual address 00001000)
; Virtual size : 00004000 ( 16384.)
; Section size in file : 00004000 ( 16384.)
; Offset to raw data for section: 00001000
; Flags E0000020: Text Executable Readable Writable
; Alignment : 16 bytes ?
model flat
; 屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
pcs1 segment para public 'CODE' use32
assume cs:pcs1
;org 401000h
assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
call GetProcessHeap
mov ds:hHeap, eax
call GetCommandLineA
or eax, eax
jz short start
xchg eax, esi
loc_401014: ; CODE XREF: pcs1:00401035j
cmp byte ptr [esi], 0
jz short start
shl eax, 8
lodsb
cmp eax, 72696E6Bh
jnz short loc_401029
cmp byte ptr [esi], 2Eh
jnz short loc_401037
loc_401029: ; CODE XREF: pcs1:00401022j
cmp eax, 2E657865h
jz short loc_401037
cmp eax, 2E455845h
jnz short loc_401014
loc_401037: ; CODE XREF: pcs1:00401027j
; pcs1:0040102Ej ...
lodsb
cmp al, 20h
jz short loc_401037
cmp al, 22h
jz short loc_401037
dec esi
push esi
push offset szBuffer
call lstrcpy
; 〓〓〓〓〓〓〓〓 S U B R O U T I N E 〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
public start
start proc near ; CODE XREF: pcs1:00401011j
; pcs1:00401017j
push 0 ; lpModuleName
call GetModuleHandleA
mov ds:hInstance, eax
push 0 ; dwInitParam
push offset DialogFunc ; lpDialogFunc
push 0 ; hWndParent
push 65h ; lpTemplateName
push eax ; hInstance
call DialogBoxParamA
push eax ; uExitCode
call ExitProcess
; DWORD __stdcall MyThread(LPVOID)
MyThread: ; DATA XREF: pcs1:00401205o
mov ds:lpFileName, offset szBuffer
cmp ds:BackupFile, 1
jnz short @SkipBackupFile
push ds:lpFileName
call MakeBackup
@SkipBackupFile: ; CODE XREF: start+34j
push ds:lpFileName
push offset szCompressOK ; "Successfully compressed!/r/n Installed on"...
call lstrcat
call CompressPE
cmp ds:CompressResult, 0FCh
jz short @Exit
cmp ds:CompressResult, 0FFh
jz short @CompressError
push offset aCompressedObje ; "/r/n Compressed objects: "
push offset szCompressOK ; "Successfully compressed!/r/n Installed on"...
call lstrcat
push offset aOriginalSize ; "/r/nOriginal size: "
push offset szCompressOK ; "Successfully compressed!/r/n Installed on"...
call lstrcat
push 0 ; uType
push offset szCaption ; lpCaption
push offset szCompressOK ; lpText
push 0 ; hWnd
call MessageBoxA
xor eax, eax
jmp short @Exit
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@CompressError: ; CODE XREF: start+66j
push ds:lpFileName
push offset szCompressError ; "There was an error compressing the file"...
call lstrcat
push 30h ; uType
push offset szCaption ; lpCaption
push offset szCompressError ; lpText
push 0 ; hWnd
call MessageBoxA
mov eax, 2
@Exit: ; CODE XREF: start+5Dj start+9Bj
push 0 ; lParam
push 0 ; wParam
push WM_CLOSE ; Msg
push ds:hWnd ; hWnd
call SendMessageA
push 0 ; dwExitCode
call ExitThread ; 退出线程
retn
start endp ; sp = -4
; 〓〓〓〓〓〓〓〓 S U B R O U T I N E 〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
; Attributes: bp-based frame
; BOOL __stdcall DialogFunc(HWND,UINT,WPARAM,LPARAM)
DialogFunc proc near ; DATA XREF: start+Eo
hWnd = dword ptr 8
Msg = dword ptr 0Ch
wParam = dword ptr 10h
enter 0, 0
DialogFunc endp
push ebx
push edi
push esi
mov eax, [ebp+8]
mov ds:hWnd, eax
cmp dword ptr [ebp+0Ch], WM_COMMAND
jz short @Command
cmp dword ptr [ebp+0Ch], WM_CLOSE
jz @Close
cmp dword ptr [ebp+0Ch], WM_INITDIALOG
jz @InitDialog
@UnknownMsg: ; CODE XREF: pcs1:00401243j
; pcs1:00401334j
xor eax, eax
pop esi
pop edi
pop ebx
leave
retn 10h
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@Command: ; CODE XREF: pcs1:00401140j
cmp dword ptr [ebp+10h], 1
jnz @NotOK
push 0
push ds:hOK
call EnableWindow
push 0
push ds:hBrowse
call EnableWindow
pusha
call ProcessCheckBoxes
popa
push 0FFh
push offset szBuffer
push 1000
push ds:hWnd
call GetDlgItemTextA
push 1004
push ds:hWnd
call IsDlgButtonChecked
mov ds:RestructureResourceData, eax
push 1005
push ds:hWnd
call IsDlgButtonChecked
mov ds:SectionMerging, eax
push 1012
push ds:hWnd
call IsDlgButtonChecked
mov ds:BackupFile, eax
push 1026
push ds:hWnd
call IsDlgButtonChecked
mov ds:CompressExportTable, eax
pusha
push offset ThreadId
push 0
push 0
push offset MyThread
push 0
push 0
call CreateThread
popa
jmp short @Return
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@NotOK: ; CODE XREF: pcs1:00401166j
cmp dword ptr [ebp+10h], 1003
jz @Browse
cmp dword ptr [ebp+10h], 2
jz short @Close
cmp dword ptr [ebp+10h], 1009
jz @virogen_cjb_net
cmp dword ptr [ebp+10h], 1008
jz @phrozencrew_com
jmp @UnknownMsg
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@Return: ; CODE XREF: pcs1:00401214j
; pcs1:00401351j ...
mov eax, 1
pop esi
pop edi
pop ebx
leave
retn 10h
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@Close: ; CODE XREF: pcs1:00401146j
; pcs1:00401227j
push 0 ; nExitCode
call PostQuitMessage
pop esi
pop edi
pop ebx
leave
retn 10h
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@InitDialog: ; CODE XREF: pcs1:00401153j
push 80h ; lpIconName
push ds:hInstance ; hInstance
call LoadIconA
push eax
push eax ; lParam
push 0 ; wParam
push WM_SETICON ; Msg
push ds:hWnd ; hWnd
call SendMessageA
pop eax
push eax ; lParam
push 1 ; wParam
push WM_SETICON ; Msg
push ds:hWnd ; hWnd
call SendMessageA
push offset szBuffer ; lpString
push 1000 ; nIDDlgItem
push ds:hWnd ; hDlg
call SetDlgItemTextA
push ds:RestructureResourceData ; uCheck
push 1004 ; nIDButton
push ds:hWnd ; hDlg
call CheckDlgButton
push ds:SectionMerging ; uCheck
push 3EDh ; nIDButton
push ds:hWnd ; hDlg
call CheckDlgButton
push ds:BackupFile ; uCheck
push 1012 ; nIDButton
push ds:hWnd ; hDlg
call CheckDlgButton
push 1011 ; nIDDlgItem
push ds:hWnd ; hDlg
call GetDlgItem
mov ds:hProgress, eax
push 1 ; &OK
push ds:hWnd ; hDlg
call GetDlgItem
mov ds:hOK, eax
push 1003 ; &Browse
push ds:hWnd ; hDlg
call GetDlgItem
mov ds:hBrowse, eax
pusha
call _CheckDlgButton
popa
jmp @UnknownMsg
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@virogen_cjb_net: ; CODE XREF: pcs1:00401230j
push 0
push 0
push 0
push offset szWeb1 ; "http://virogen.cjb.net"
push 0
push ds:hWnd
call ShellExecuteA
jmp @Return
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@phrozencrew_com: ; CODE XREF: pcs1:0040123Dj
push 0
push 0
push 0
push offset szWeb2 ; "http://www.phrozencrew.com"
push 0
push ds:hWnd
call ShellExecuteA
jmp @Return
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@Browse: ; CODE XREF: pcs1:0040121Dj
mov eax, ds:hWnd
mov ds:ofn.hwndOwner, eax
mov ds:ofn.lpstrFilter, offset aPeExeFiles ; "PE EXE files"
mov ds:ofn.lpstrFile, offset szBuffer
mov ds:ofn.lStructSize, 4Ch
mov ds:ofn.nMaxFile, 0FFh
mov ds:ofn.Flags, 4
push offset ofn
call GetOpenFileNameA
or eax, eax
jz short @NoSelectFile
push offset szBuffer
push 1000
push ds:hWnd
call SetDlgItemTextA
@NoSelectFile: ; CODE XREF: pcs1:004013BBj
jmp @Return
; 〓〓〓〓〓〓〓〓 S U B R O U T I N E 〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
sub_4013D7 proc near ; CODE XREF: sub_4013D7+5Fp
; CompressPE+1D0p
pop eax
pop esi
push eax
or esi, esi
jz short loc_401452
movzx ecx, word ptr [esi+0Ch]
add cx, [esi+0Eh]
add esi, 10h
or ecx, ecx
jz short loc_401452
loc_4013ED: ; CODE XREF: sub_4013D7+6Ej
mov ebx, [esi+4]
test ebx, 80000000h
jz short loc_401449
cmp ds:dword_4037E3, 0
jnz short @GetProcAddress ; 去掉高位
pusha
push dword ptr [esi]
call sub_402291
popa
jnb short loc_401418
mov ds:ha_buzhidao, 0
jmp short @GetProcAddress ; 去掉高位
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
loc_401418: ; CODE XREF: sub_4013D7+33j
mov ds:ha_buzhidao, 1
@GetProcAddress: ; CODE XREF: sub_4013D7+28j
; sub_4013D7+3Fj
and ebx, 7FFFFFFFh ; 去掉高位
add ebx, ds:dword_4037B7
pusha
inc ds:dword_4037E3
push ebx
call sub_4013D7
dec ds:dword_4037E3
popa
loc_401442: ; CODE XREF: sub_4013D7+79j
add esi, 8
loop loc_4013ED
jmp short loc_401452
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
loc_401449: ; CODE XREF: sub_4013D7+1Fj
pusha
call sub_401458
popa
jmp short loc_401442
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
loc_401452: ; CODE XREF: sub_4013D7+5j
; sub_4013D7+14j ...
mov eax, ds:dword_403C69
retn
sub_4013D7 endp ; sp = 4
; 〓〓〓〓〓〓〓〓 S U B R O U T I N E 〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
sub_401458 proc near ; CODE XREF: sub_4013D7+73p
and ebx, 7FFFFFFFh
add ebx, ds:dword_4037B7
mov esi, ebx
cmp ds:ha_buzhidao, 1
jz short loc_40147E
mov edx, ds:dword_4037CB
add ds:dword_4037CB, 8
jmp short loc_40148B
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
loc_40147E: ; CODE XREF: sub_401458+15j
mov edx, ds:dword_4037D7
add ds:dword_4037D7, 8
loc_40148B: ; CODE XREF: sub_401458+24j
mov [edx], esi
mov ecx, [esi+4]
push ebx
push ecx
push edx
push esi
push edi
push ebp
push ecx ; dwBytes
push 8 ; dwFlags
push ds:hHeap ; hHeap
call HeapAlloc
pop ebp
pop edi
pop esi
pop edx
pop ecx
pop ebx
mov [edx+4], eax
push eax
mov ebx, [esi]
call sub_401FC6
add ebx, ds:lpBaseAddress
pop edi
mov ecx, [esi+4]
mov esi, ebx
rep movsb
sub ebx, ds:dword_4037B7
retn
sub_401458 endp
请问IDA怎么自定义常量?还有assume什么的?
这里是部分源码,也许脱壳有用吧...
都弄好以后会发布带资源的Full Source包:D
代码:--------------------------------------------------------------------------------
; [COLLAPSED ENUM MACRO_WM. PRESS KEYPAD "+" TO EXPAND]
; [COLLAPSED ENUM MACRO_IMAGE_ORDINAL_FLAG. PRESS KEYPAD "+" TO EXPAND]
; [COLLAPSED ENUM MACRO_IMAGE_ORDINAL. PRESS KEYPAD "+" TO EXPAND]
; [COLLAPSED ENUM MACRO_WM. PRESS KEYPAD "+" TO EXPAND]
; [COLLAPSED ENUM MACRO_IMAGE_ORDINAL_FLAG. PRESS KEYPAD "+" TO EXPAND]
; [COLLAPSED ENUM MACRO_IMAGE_ORDINAL. PRESS KEYPAD "+" TO EXPAND]
;
; ※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※
; ※ This file is generated by The Interactive Disassembler (IDA) ※
; ※ Copyright (c) 2003 by DataRescue sa/nv, <ida@datarescue.com> ※
; ※ [iNTERNAL RELEASE] ※
; ※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※
;
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
; File Name : E:/Documents and Settings/Star/桌面/pcsnk071/PCSHRINK.EXE.unpacked_.exe
; Format : Portable executable for IBM PC (PE)
; Section 1. (virtual address 00001000)
; Virtual size : 00004000 ( 16384.)
; Section size in file : 00004000 ( 16384.)
; Offset to raw data for section: 00001000
; Flags E0000020: Text Executable Readable Writable
; Alignment : 16 bytes ?
model flat
; 屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
pcs1 segment para public 'CODE' use32
assume cs:pcs1
;org 401000h
assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
call GetProcessHeap
mov ds:hHeap, eax
call GetCommandLineA
or eax, eax
jz short start
xchg eax, esi
loc_401014: ; CODE XREF: pcs1:00401035j
cmp byte ptr [esi], 0
jz short start
shl eax, 8
lodsb
cmp eax, 72696E6Bh
jnz short loc_401029
cmp byte ptr [esi], 2Eh
jnz short loc_401037
loc_401029: ; CODE XREF: pcs1:00401022j
cmp eax, 2E657865h
jz short loc_401037
cmp eax, 2E455845h
jnz short loc_401014
loc_401037: ; CODE XREF: pcs1:00401027j
; pcs1:0040102Ej ...
lodsb
cmp al, 20h
jz short loc_401037
cmp al, 22h
jz short loc_401037
dec esi
push esi
push offset szBuffer
call lstrcpy
; 〓〓〓〓〓〓〓〓 S U B R O U T I N E 〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
public start
start proc near ; CODE XREF: pcs1:00401011j
; pcs1:00401017j
push 0 ; lpModuleName
call GetModuleHandleA
mov ds:hInstance, eax
push 0 ; dwInitParam
push offset DialogFunc ; lpDialogFunc
push 0 ; hWndParent
push 65h ; lpTemplateName
push eax ; hInstance
call DialogBoxParamA
push eax ; uExitCode
call ExitProcess
; DWORD __stdcall MyThread(LPVOID)
MyThread: ; DATA XREF: pcs1:00401205o
mov ds:lpFileName, offset szBuffer
cmp ds:BackupFile, 1
jnz short @SkipBackupFile
push ds:lpFileName
call MakeBackup
@SkipBackupFile: ; CODE XREF: start+34j
push ds:lpFileName
push offset szCompressOK ; "Successfully compressed!/r/n Installed on"...
call lstrcat
call CompressPE
cmp ds:CompressResult, 0FCh
jz short @Exit
cmp ds:CompressResult, 0FFh
jz short @CompressError
push offset aCompressedObje ; "/r/n Compressed objects: "
push offset szCompressOK ; "Successfully compressed!/r/n Installed on"...
call lstrcat
push offset aOriginalSize ; "/r/nOriginal size: "
push offset szCompressOK ; "Successfully compressed!/r/n Installed on"...
call lstrcat
push 0 ; uType
push offset szCaption ; lpCaption
push offset szCompressOK ; lpText
push 0 ; hWnd
call MessageBoxA
xor eax, eax
jmp short @Exit
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@CompressError: ; CODE XREF: start+66j
push ds:lpFileName
push offset szCompressError ; "There was an error compressing the file"...
call lstrcat
push 30h ; uType
push offset szCaption ; lpCaption
push offset szCompressError ; lpText
push 0 ; hWnd
call MessageBoxA
mov eax, 2
@Exit: ; CODE XREF: start+5Dj start+9Bj
push 0 ; lParam
push 0 ; wParam
push WM_CLOSE ; Msg
push ds:hWnd ; hWnd
call SendMessageA
push 0 ; dwExitCode
call ExitThread ; 退出线程
retn
start endp ; sp = -4
; 〓〓〓〓〓〓〓〓 S U B R O U T I N E 〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
; Attributes: bp-based frame
; BOOL __stdcall DialogFunc(HWND,UINT,WPARAM,LPARAM)
DialogFunc proc near ; DATA XREF: start+Eo
hWnd = dword ptr 8
Msg = dword ptr 0Ch
wParam = dword ptr 10h
enter 0, 0
DialogFunc endp
push ebx
push edi
push esi
mov eax, [ebp+8]
mov ds:hWnd, eax
cmp dword ptr [ebp+0Ch], WM_COMMAND
jz short @Command
cmp dword ptr [ebp+0Ch], WM_CLOSE
jz @Close
cmp dword ptr [ebp+0Ch], WM_INITDIALOG
jz @InitDialog
@UnknownMsg: ; CODE XREF: pcs1:00401243j
; pcs1:00401334j
xor eax, eax
pop esi
pop edi
pop ebx
leave
retn 10h
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@Command: ; CODE XREF: pcs1:00401140j
cmp dword ptr [ebp+10h], 1
jnz @NotOK
push 0
push ds:hOK
call EnableWindow
push 0
push ds:hBrowse
call EnableWindow
pusha
call ProcessCheckBoxes
popa
push 0FFh
push offset szBuffer
push 1000
push ds:hWnd
call GetDlgItemTextA
push 1004
push ds:hWnd
call IsDlgButtonChecked
mov ds:RestructureResourceData, eax
push 1005
push ds:hWnd
call IsDlgButtonChecked
mov ds:SectionMerging, eax
push 1012
push ds:hWnd
call IsDlgButtonChecked
mov ds:BackupFile, eax
push 1026
push ds:hWnd
call IsDlgButtonChecked
mov ds:CompressExportTable, eax
pusha
push offset ThreadId
push 0
push 0
push offset MyThread
push 0
push 0
call CreateThread
popa
jmp short @Return
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@NotOK: ; CODE XREF: pcs1:00401166j
cmp dword ptr [ebp+10h], 1003
jz @Browse
cmp dword ptr [ebp+10h], 2
jz short @Close
cmp dword ptr [ebp+10h], 1009
jz @virogen_cjb_net
cmp dword ptr [ebp+10h], 1008
jz @phrozencrew_com
jmp @UnknownMsg
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@Return: ; CODE XREF: pcs1:00401214j
; pcs1:00401351j ...
mov eax, 1
pop esi
pop edi
pop ebx
leave
retn 10h
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@Close: ; CODE XREF: pcs1:00401146j
; pcs1:00401227j
push 0 ; nExitCode
call PostQuitMessage
pop esi
pop edi
pop ebx
leave
retn 10h
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@InitDialog: ; CODE XREF: pcs1:00401153j
push 80h ; lpIconName
push ds:hInstance ; hInstance
call LoadIconA
push eax
push eax ; lParam
push 0 ; wParam
push WM_SETICON ; Msg
push ds:hWnd ; hWnd
call SendMessageA
pop eax
push eax ; lParam
push 1 ; wParam
push WM_SETICON ; Msg
push ds:hWnd ; hWnd
call SendMessageA
push offset szBuffer ; lpString
push 1000 ; nIDDlgItem
push ds:hWnd ; hDlg
call SetDlgItemTextA
push ds:RestructureResourceData ; uCheck
push 1004 ; nIDButton
push ds:hWnd ; hDlg
call CheckDlgButton
push ds:SectionMerging ; uCheck
push 3EDh ; nIDButton
push ds:hWnd ; hDlg
call CheckDlgButton
push ds:BackupFile ; uCheck
push 1012 ; nIDButton
push ds:hWnd ; hDlg
call CheckDlgButton
push 1011 ; nIDDlgItem
push ds:hWnd ; hDlg
call GetDlgItem
mov ds:hProgress, eax
push 1 ; &OK
push ds:hWnd ; hDlg
call GetDlgItem
mov ds:hOK, eax
push 1003 ; &Browse
push ds:hWnd ; hDlg
call GetDlgItem
mov ds:hBrowse, eax
pusha
call _CheckDlgButton
popa
jmp @UnknownMsg
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@virogen_cjb_net: ; CODE XREF: pcs1:00401230j
push 0
push 0
push 0
push offset szWeb1 ; "http://virogen.cjb.net"
push 0
push ds:hWnd
call ShellExecuteA
jmp @Return
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@phrozencrew_com: ; CODE XREF: pcs1:0040123Dj
push 0
push 0
push 0
push offset szWeb2 ; "http://www.phrozencrew.com"
push 0
push ds:hWnd
call ShellExecuteA
jmp @Return
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@Browse: ; CODE XREF: pcs1:0040121Dj
mov eax, ds:hWnd
mov ds:ofn.hwndOwner, eax
mov ds:ofn.lpstrFilter, offset aPeExeFiles ; "PE EXE files"
mov ds:ofn.lpstrFile, offset szBuffer
mov ds:ofn.lStructSize, 4Ch
mov ds:ofn.nMaxFile, 0FFh
mov ds:ofn.Flags, 4
push offset ofn
call GetOpenFileNameA
or eax, eax
jz short @NoSelectFile
push offset szBuffer
push 1000
push ds:hWnd
call SetDlgItemTextA
@NoSelectFile: ; CODE XREF: pcs1:004013BBj
jmp @Return
; 〓〓〓〓〓〓〓〓 S U B R O U T I N E 〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
sub_4013D7 proc near ; CODE XREF: sub_4013D7+5Fp
; CompressPE+1D0p
pop eax
pop esi
push eax
or esi, esi
jz short loc_401452
movzx ecx, word ptr [esi+0Ch]
add cx, [esi+0Eh]
add esi, 10h
or ecx, ecx
jz short loc_401452
loc_4013ED: ; CODE XREF: sub_4013D7+6Ej
mov ebx, [esi+4]
test ebx, 80000000h
jz short loc_401449
cmp ds:dword_4037E3, 0
jnz short @GetProcAddress ; 去掉高位
pusha
push dword ptr [esi]
call sub_402291
popa
jnb short loc_401418
mov ds:ha_buzhidao, 0
jmp short @GetProcAddress ; 去掉高位
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
loc_401418: ; CODE XREF: sub_4013D7+33j
mov ds:ha_buzhidao, 1
@GetProcAddress: ; CODE XREF: sub_4013D7+28j
; sub_4013D7+3Fj
and ebx, 7FFFFFFFh ; 去掉高位
add ebx, ds:dword_4037B7
pusha
inc ds:dword_4037E3
push ebx
call sub_4013D7
dec ds:dword_4037E3
popa
loc_401442: ; CODE XREF: sub_4013D7+79j
add esi, 8
loop loc_4013ED
jmp short loc_401452
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
loc_401449: ; CODE XREF: sub_4013D7+1Fj
pusha
call sub_401458
popa
jmp short loc_401442
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
loc_401452: ; CODE XREF: sub_4013D7+5j
; sub_4013D7+14j ...
mov eax, ds:dword_403C69
retn
sub_4013D7 endp ; sp = 4
; 〓〓〓〓〓〓〓〓 S U B R O U T I N E 〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
sub_401458 proc near ; CODE XREF: sub_4013D7+73p
and ebx, 7FFFFFFFh
add ebx, ds:dword_4037B7
mov esi, ebx
cmp ds:ha_buzhidao, 1
jz short loc_40147E
mov edx, ds:dword_4037CB
add ds:dword_4037CB, 8
jmp short loc_40148B
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
loc_40147E: ; CODE XREF: sub_401458+15j
mov edx, ds:dword_4037D7
add ds:dword_4037D7, 8
loc_40148B: ; CODE XREF: sub_401458+24j
mov [edx], esi
mov ecx, [esi+4]
push ebx
push ecx
push edx
push esi
push edi
push ebp
push ecx ; dwBytes
push 8 ; dwFlags
push ds:hHeap ; hHeap
call HeapAlloc
pop ebp
pop edi
pop esi
pop edx
pop ecx
pop ebx
mov [edx+4], eax
push eax
mov ebx, [esi]
call sub_401FC6
add ebx, ds:lpBaseAddress
pop edi
mov ecx, [esi+4]
mov esi, ebx
rep movsb
sub ebx, ds:dword_4037B7
retn
sub_401458 endp
扫一扫
3781
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
