教材上给出了一些说明,虽然是断断续续的..
..之后通过单步,把断的地方都连起来了,也明白了VMP分析插件究竟做了些什么..
//表1,表2在最后.
加密之前的代码: 00401000 41 INC ECX 00401001 C3 RETN 00401002 > 40 INC EAX 00401003 40 INC EAX 00401004 40 INC EAX 00401005 40 INC EAX 00401006 40 INC EAX 00401007 40 INC EAX 00401008 ^ EB F8 JMP 401002 0040100A C3 RETN
之后用VMP默认加密,加密范围是[401002,401006]闭区间
加密后的代码: 之后的代码都是加密后EXE中的代码
00401000 41 INC ECX 00401001 C3 RETN 00401002 >- E9 7C170000 JMP 用于测试.00402783 00401007 40 INC EAX 00401008 ^ EB F8 JMP SHORT 用于测试.<ModuleEntryPoint> 0040100A C3 RETN
可以看出被加密的代码替换成jmp 402783了.
跟入后是
00402783 68 92274000 PUSH 用于测试.00402792 ;402792这个地址是字节码的存储地址 00402788 E8 EFFEFFFF CALL 用于测试.0040267C ;这个call是解释程序
跟进40267c后是
0040267C 52 PUSH EDX 0040267D 53 PUSH EBX 0040267E 50 PUSH EAX 0040267F 9C PUSHFD 00402680 51 PUSH ECX 00402681 56 PUSH ESI 00402682 57 PUSH EDI 00402683 56 PUSH ESI 00402684 55 PUSH EBP ;保存CONTEXT.. 00402685 68 00000000 PUSH 0x0 ** 0040268A 8B7424 2C MOV ESI,DWORD PTR SS:[ESP+0x2C] ;ESI = 402792 就是传入这个函数的那一个参数 0040268E 89E5 MOV EBP,ESP ;当前栈顶保存到EBP中,可认为是 真实程序的栈顶 00402690 81EC C0000000 SUB ESP,0xC0 ;这是为虚拟机开辟存储空间 00402696 89E7 MOV EDI,ESP ;EDI就是虚拟机的栈顶 00402698 0375 00 ADD ESI,DWORD PTR SS:[EBP] ;这里的[EBP]就是上面**处压进来的0 0040269B__ 8A06 MOV AL,BYTE PTR DS:[ESI] 0040269D 0FB6C0 MOVZX EAX,AL 004026A0 > 83C6 01 ADD ESI,0x1 ;把esi处单个字节放到AL中,零扩展成EAX,然后esi+1 004026A3 FF2485 A8214000 JMP DWORD PTR DS:[EAX*4+0x4021A8] ;根据arr_4021a8[eax]跳到对应地址执行指令
上面这一段代码就是初始化虚拟机,然后循环执行指令...
那么当我第一次执行到到
004026A3 FF2485 A8214000 JMP DWORD PTR DS:[EAX*4+0x4021A8]
EAX=0x39 0x39*4+0x4021A8 = 40228C 由表2得 [40228C] = 40206B
代码为:
0040206B 80E0 3C AND AL,0x3C 0040206E 8B55 00 MOV EDX,DWORD PTR SS:[EBP] 00402071 83C5 04 ADD EBP,0x4 00402074 891407 MOV DWORD PTR DS:[EDI+EAX],EDX 00402077 E9 1F060000 JMP 用于测试.0040269B
上面4行代码先不管他,直接看最后的jmp, 40269B就是
0040269B__ 8A06 MOV AL,BYTE PTR DS:[ESI] 0040269D 0FB6C0 MOVZX EAX,AL 004026A0 > 83C6 01 ADD ESI,0x1 004026A3 FF2485 A8214000 JMP DWORD PTR DS:[EAX*4+0x4021A8]
就是这个循环,ESI在表1中取到下一个字节,然后根据表2算出跳转地址,进行下一次字节码执行..
那么现在的问题就是终点在哪, 我第一次实验时,根据入口的
0040267C 52 PUSH EDX 0040267D 53 PUSH EBX 0040267E 50 PUSH EAX 0040267F 9C PUSHFD 00402680 51 PUSH ECX 00402681 56 PUSH ESI 00402682 57 PUSH EDI 00402683 56 PUSH ESI 00402684 55 PUSH EBP
估计出口肯定会有对应的pop,然后就在OD中搜索指令序列
pop eax pop ebx pop edx
然后就顺利地找到了
0040219B 89EC MOV ESP,EBP 0040219D 5A POP EDX 0040219E 5D POP EBP 0040219F 5E POP ESI 004021A0 5F POP EDI 004021A1 58 POP EAX 004021A2 59 POP ECX 004021A3 9D POPFD 004021A4 58 POP EAX 004021A5 5B POP EBX 004021A6 5A POP EDX 004021A7 C3 RETN
之后在40219B处下了个断点,运行断下后,查看ESI的值,就可以知道有多少字节码要执行,以及最后的那个字节码是什么.
得到ESI==402836
也就是说表1中402792~402836-1就是全部要执行的字节码了(A4 == 164).
原本的5条inc eax指令就变成了164个字节码..每个字节码由几条汇编指令来实现..果然变态..
接下来就是分析各个字节码对应的指令序列的功能:
有些预先注意的: ESI是字节码的地址 EBP(一开始)是 PUSH CONTEXT PUSH 0之后的栈顶,指着0 称为栈顶2 ESP(一开始是),EDI是虚拟机的栈顶,是EBP-0c0h, 称为栈顶1
栈顶1\2会变化,无论如何,就把EBP, EDI(ESP)的栈顶分别称为栈顶2和栈顶1 1在上,2在下
上面都指的是虚拟机的栈 开辟之后(402690 sub esp,0c0),以及销毁之前(40219B mov esp,ebp)
在表1中可以看到,字节码会重复出现,在表2中也可以看到表二的元素也有重复
对字节码0x39有: 0040206B 80E0 3C AND AL,0x3C 0040206E 8B55 00 MOV EDX,DWORD PTR SS:[EBP] 00402071 83C5 04 ADD EBP,0x4 00402074 891407 MOV DWORD PTR DS:[EDI+EAX],EDX 00402077 E9 1F060000 JMP 用于测试.0040269B
AND AL,3C ===> AL == 38
这几条指令完成的就是栈2顶pop出个dd存到(栈1顶+AL&3C的位置) [EDI+0x38]
字节码和3C And之后的值变成了一个位置.. 那么前面看到的表2的元素虽然会重复,但是对应的表1的值不一样,那么就算到了
同一个处理程序,得到的这个位置也会不一样..
对字节码0x31有: 0040206B 80E0 3C AND AL,0x3C 0040206E 8B55 00 MOV EDX,DWORD PTR SS:[EBP] 00402071 83C5 04 ADD EBP,0x4 00402074 891407 MOV DWORD PTR DS:[EDI+EAX],EDX 00402077 E9 1F060000 JMP 用于测试.0040269B
AND AL,3C ==> 0x31 & 0x3C = 0x30
跟0x39的完全一样,唯一个区别就是AL不同了,也就存在了不同的位置,[EDI+0x30]
对字节码0x19有: 0040206B 80E0 3C AND AL,0x3C 0040206E 8B55 00 MOV EDX,DWORD PTR SS:[EBP] 00402071 83C5 04 ADD EBP,0x4 00402074 891407 MOV DWORD PTR DS:[EDI+EAX],EDX 还是完全一样
AND AL,3C ==> 0x19 & 0x3c = 0x18 [EDI+0x18]
此时我已经觉得有些麻烦了,三个竟然都是重复的, 于是写了一个测试程序用于根据表1的字节码得到对应的处理程序的地址, 全部处理完毕后,得到的对应地址为(从402792~402835,闭区间,一共A4=164个地址):
表3:
0040206B 0040206B 0040206B 0040206B 0040206B 0040206B 0040206B 0040206B 0040206B 0040206B 0040206B 0040206B 00402112 0040206B 004025E5 0040205C 0040206B 0040206B 004025E5 00402644 00402763 004026CD 0040206B 00402112 00402708 004026CD 0040206B 004025E5 00402644 00402763 004026CD 0040206B 00402112 0040206B 004026CD 0040206B 0040205C 0040206B 0040206B 00402112 0040206B 004025E5 0040205C 0040206B 0040206B 004025E5 00402644 00402763 004026CD 0040206B 00402112 00402708 004026CD 0040206B 004025E5 004025E5 004026CD 0040206B 00402112 0040206B 004026CD 0040206B 0040205C 0040206B 0040206B 004025E5 00402112 0040206B 0040205C 0040206B 0040206B 004025E5 00402644 00402763 004026CD 0040206B 00402112 00402708 004026CD 0040206B 004025E5 004025E5 004026CD 0040206B 00402112 0040206B 004026CD 0040206B 0040205C 0040206B 0040206B 004025E5 00402112 0040206B 0040205C 0040206B 0040206B 004025E5 00402644 00402763 004026CD 0040206B 00402112 00402708 004026CD 0040206B 004025E5 00402644 00402763 004026CD 0040206B 00402112 0040206B 004026CD 0040206B 0040205C 0040206B 0040206B 004025E5 00402112 0040206B 0040205C 0040206B 0040206B 004025E5 00402644 00402763 004026CD 0040206B 00402112 00402708 004026CD 0040206B 004025E5 00402644 00402763 004026CD 0040206B 00402112 0040206B 004026CD 0040206B 0040205C 0040206B 0040206B 004025E5 004020BD 004020ED 004025E5 004020BD 004025E5 0040205C 0040206B 004025E5 004025E5 004025E5 004025E5 004025E5 004025E5 004025E5 004025E5 004025E5 004025E5 0040219B
之后就是把出现过的地址,不重复地分析一次就行了..
还得搞清楚在虚拟机里面的代码是怎样影响到外面的代码的..
为了更好地说明,加入一个堆栈示意图:
上面的PROC_40206B,做的就是EBP向下一格,值放在EDI+AL&3C的位置..
而这个时候的EBP的值,是虚拟机入口点40267C处那一堆PUSH CONTEXT, PUSH进来的,也就是说,初始状态下的上图应该为....
根据表3,前12个,都是FUNC_40206B,对应的字节码为
39 31 19 15 2D 05 09 0D 25 3D 01 29 AND 3C后,对应的值为 38 30 18 14 2C 04 08 0C 24 3C 00 28
可以看出,会把栈顶2中的数据取出来放到对应的EDI+38/30/18/14/....地址处
这12条opcode刚好对应着栈中的12个"有用的数据(0, oldXXX, oldXXX, ...., r, 402792)"..
另外,虚拟机中的代码究竟是如何影响到外部的,应该就是通过对EBP这边的数据不断的操作,然后最终的字节码是0x95,对应的
处理程序为FUNC_40219B
0040219B 89EC MOV ESP,EBP 0040219D 5A POP EDX 0040219E 5D POP EBP 0040219F 5E POP ESI 004021A0 5F POP EDI 004021A1 58 POP EAX 004021A2 59 POP ECX 004021A3 9D POPFD 004021A4 58 POP EAX 004021A5 5B POP EBX 004021A6 5A POP EDX 004021A7 C3 RETN
对照PUSH
0040267C 52 PUSH EDX ; 用于测试.<ModuleEntryPoint> 0040267D 53 PUSH EBX 0040267E 50 PUSH EAX 0040267F 9C PUSHFD 00402680 51 PUSH ECX 00402681 56 PUSH ESI 00402682 57 PUSH EDI 00402683 56 PUSH ESI 00402684 55 PUSH EBP 00402685 68 00000000 PUSH 0x0
在FUNC_40219B中,单步到了retn, 此时发现栈顶的元素值(其实就是堆栈图中的r)为401007,而不是40278D,
00402783 68 92274000 PUSH 用于测试.00402792 00402788 E8 EFFEFFFF CALL 用于测试.0040267C 0040278D A8 E3 TEST AL,0xE3
40278D就是进入虚拟机CALL前,CALL时推入的下一条指令地址,在执行字节码的过程中被替换成了401007,就是
00401000 41 INC ECX 00401001 C3 RETN 00401002 >- E9 7C170000 JMP 用于测试.00402783 00401007 40 INC EAX ;<---------------------------HERE 00401008 ^ EB F8 JMP SHORT 用于测试.<ModuleEntryPoint> 0040100A C3 RETN
出了虚拟机...运行完了那5条inc eax的虚拟指令后的下一条指令地址
之后的内容教材上都有..
VMP分析插件就是:
给各个处理函数命名(根据行为产生助记符),给EDI+XXX的空间命个名(作为寄存器,操作数),堆栈窗口显示的是 栈顶2
用到的文件:
http://images2015.cnblogs.com/blog/638600/201701/638600-20170112081555619-763736492.jpg
另存为.zip文件就行了
附录:
地址402792处的值为,称为 表1:
00402792 39 31 19 15 2D 05 09 0D 25 3D 01 29 F8 01 0C 54 91-..%=)?.T
004027A2 29 35 08 55 32 FB 0D F8 FE C6 0D 28 45 F6 A6 21 )5U2??(E靓!
004027B2 F8 01 93 1D 4E 01 21 F8 01 34 54 2D 01 20 45 32 ??N!?4T- E2
004027C2 93 09 F8 FE 93 09 2C 2C 93 0D F8 01 93 35 5E 0D ??,,???^.
004027D2 29 00 F8 01 C2 1D 0D 28 45 F9 93 21 F8 FE 93 01 ).??.(E鶕!?
004027E2 1C 1C 93 01 F8 01 A6 35 4E 21 01 0C F8 01 54 09 ???N!.?T.
004027F2 1D 00 41 F9 C6 2D F8 FE C6 21 08 41 F6 C6 29 F8 .A-?A銎)?
00402802 01 C6 11 4E 0D 0D 1C F8 01 54 35 2D 0C 55 32 FB ?N..?T5-.U2?
00402812 11 F8 FE A6 11 34 41 32 93 11 F8 01 93 11 4E 1D ?4A2???N
00402822 09 38 40 07 10 40 00 5E 29 3C 24 2C 08 04 34 14 .8@@.^)<$,4
00402832 18 30 38 95 00 00 00 00 00 00 00 00 00 00 00 00 08?...........
表4021A8处的值为, 称为表2:
004021A8 E5 25 40 00 6B 20 40 00 70 21 40 00 70 21 40 00 ?@.k @.p!@.p!@.
004021B8 E5 25 40 00 6B 20 40 00 ED 20 40 00 ED 20 40 00 ?@.k @.?@.?@.
004021C8 E5 25 40 00 6B 20 40 00 2A 26 40 00 2A 26 40 00 ?@.k @.*&@.*&@.
004021D8 E5 25 40 00 6B 20 40 00 32 27 40 00 68 26 40 00 ?@.k @.2'@.h&@.
004021E8 E5 25 40 00 6B 20 40 00 2A 26 40 00 00 20 40 00 ?@.k @.*&@.. @.
004021F8 E5 25 40 00 6B 20 40 00 E5 26 40 00 56 27 40 00 ?@.k @.?@.V'@.
00402208 E5 25 40 00 6B 20 40 00 CC 25 40 00 D5 25 40 00 ?@.k @.?@.?@.
00402218 E5 25 40 00 6B 20 40 00 FB 20 40 00 D5 20 40 00 ?@.k @.?@.?@.
00402228 E5 25 40 00 6B 20 40 00 ED 20 40 00 68 26 40 00 ?@.k @.?@.h&@.
00402238 E5 25 40 00 6B 20 40 00 22 27 40 00 97 20 40 00 ?@.k @."'@.?@.
00402248 E5 25 40 00 6B 20 40 00 71 27 40 00 71 27 40 00 ?@.k @.q'@.q'@.
00402258 E5 25 40 00 6B 20 40 00 68 26 40 00 70 21 40 00 ?@.k @.h&@.p!@.
00402268 E5 25 40 00 6B 20 40 00 63 27 40 00 ED 20 40 00 ?@.k @.c'@.?@.
00402278 E5 25 40 00 6B 20 40 00 CD 20 40 00 32 27 40 00 ?@.k @.?@.2'@.
00402288 E5 25 40 00 6B 20 40 00 13 20 40 00 7C 20 40 00 ?@.k @. @.| @.
00402298 E5 25 40 00 6B 20 40 00 F6 25 40 00 44 27 40 00 ?@.k @.?@.D'@.
004022A8 BD 20 40 00 44 26 40 00 27 20 40 00 ED 20 40 00 ?@.D&@.' @.?@.
004022B8 56 27 40 00 44 26 40 00 97 20 40 00 ED 20 40 00 V'@.D&@.?@.?@.
004022C8 D5 25 40 00 68 26 40 00 44 27 40 00 2A 26 40 00 ?@.h&@.D'@.*&@.
004022D8 22 27 40 00 AA 26 40 00 5C 20 40 00 0C 26 40 00 "'@.?@.\ @..&@.
004022E8 70 21 40 00 BB 25 40 00 22 27 40 00 22 27 40 00 p!@.?@."'@."'@.
004022F8 5C 20 40 00 44 26 40 00 AA 26 40 00 71 27 40 00 \ @.D&@.?@.q'@.
00402308 32 27 40 00 BB 26 40 00 55 21 40 00 2A 26 40 00 2'@.?@.U!@.*&@.
00402318 87 21 40 00 0C 26 40 00 5C 20 40 00 D5 20 40 00 ?@..&@.\ @.?@.
00402328 51 26 40 00 55 21 40 00 44 27 40 00 FB 20 40 00 Q&@.U!@.D'@.?@.
00402338 BD 20 40 00 87 21 40 00 E5 26 40 00 87 21 40 00 ?@.?@.?@.?@.
00402348 70 21 40 00 BB 26 40 00 AB 20 40 00 CD 20 40 00 p!@.?@.?@.?@.
00402358 27 20 40 00 27 20 40 00 F6 25 40 00 08 27 40 00 ' @.' @.?@.'@.
00402368 D5 20 40 00 7C 20 40 00 44 26 40 00 44 26 40 00 ?@.| @.D&@.D&@.
00402378 56 27 40 00 97 20 40 00 00 20 40 00 D5 20 40 00 V'@.?@.. @.?@.
00402388 CC 25 40 00 7C 20 40 00 F0 26 40 00 71 27 40 00 ?@.| @.?@.q'@.
00402398 97 20 40 00 0C 26 40 00 AB 20 40 00 44 27 40 00 ?@..&@.?@.D'@.
004023A8 00 20 40 00 BB 25 40 00 55 21 40 00 F0 26 40 00 . @.?@.U!@.?@.
004023B8 5C 20 40 00 E5 26 40 00 A8 25 40 00 F0 26 40 00 \ @.?@.?@.?@.
004023C8 39 20 40 00 51 26 40 00 32 27 40 00 7C 20 40 00 9 @.Q&@.2'@.| @.
004023D8 22 27 40 00 AA 26 40 00 71 27 40 00 F0 26 40 00 "'@.?@.q'@.?@.
004023E8 56 27 40 00 D5 20 40 00 97 20 40 00 CD 26 40 00 V'@.?@.?@.?@.
004023F8 BD 20 40 00 9B 21 40 00 39 20 40 00 F0 26 40 00 ?@.?@.9 @.?@.
00402408 44 27 40 00 D5 20 40 00 BB 26 40 00 ED 20 40 00 D'@.?@.?@.?@.
00402418 5C 20 40 00 56 27 40 00 D5 25 40 00 13 20 40 00 \ @.V'@.?@. @.
00402428 97 20 40 00 44 26 40 00 2A 26 40 00 13 20 40 00 ?@.D&@.*&@. @.
00402438 D5 25 40 00 4B 20 40 00 CD 26 40 00 0C 26 40 00 ?@.K @.?@..&@.
00402448 51 26 40 00 5C 20 40 00 51 26 40 00 87 21 40 00 Q&@.\ @.Q&@.?@.
00402458 CD 20 40 00 44 26 40 00 00 20 40 00 68 26 40 00 ?@.D&@.. @.h&@.
00402468 ED 20 40 00 A8 25 40 00 68 26 40 00 55 21 40 00 ?@.?@.h&@.U!@.
00402478 71 27 40 00 51 26 40 00 AA 26 40 00 BD 20 40 00 q'@.Q&@.?@.?@.
00402488 44 27 40 00 BD 20 40 00 00 20 40 00 13 20 40 00 D'@.?@.. @. @.
00402498 CD 20 40 00 7C 20 40 00 ED 20 40 00 56 27 40 00 ?@.| @.?@.V'@.
004024A8 22 27 40 00 F6 25 40 00 5C 20 40 00 2A 26 40 00 "'@.?@.\ @.*&@.
004024B8 D5 20 40 00 CC 25 40 00 CD 26 40 00 32 27 40 00 ?@.?@.?@.2'@.
004024C8 97 20 40 00 D5 25 40 00 2A 26 40 00 ED 20 40 00 ?@.?@.*&@.?@.
004024D8 F0 26 40 00 0C 26 40 00 D5 20 40 00 F6 25 40 00 ?@..&@.?@.?@.
004024E8 44 27 40 00 7C 20 40 00 CD 20 40 00 AB 20 40 00 D'@.| @.?@.?@.
004024F8 5C 20 40 00 44 26 40 00 97 20 40 00 71 27 40 00 \ @.D&@.?@.q'@.
00402508 CC 25 40 00 CC 25 40 00 9B 21 40 00 27 20 40 00 ?@.?@.?@.' @.
00402518 51 26 40 00 32 27 40 00 5C 20 40 00 2A 26 40 00 Q&@.2'@.\ @.*&@.
00402528 BB 25 40 00 CC 25 40 00 0C 26 40 00 AA 26 40 00 ?@.?@..&@.?@.
00402538 87 21 40 00 0C 26 40 00 27 20 40 00 AB 20 40 00 ?@..&@.' @.?@.
00402548 97 20 40 00 CD 20 40 00 00 20 40 00 2A 26 40 00 ?@.?@.. @.*&@.
00402558 56 27 40 00 56 27 40 00 E5 26 40 00 BB 26 40 00 V'@.V'@.?@.?@.
00402568 D5 25 40 00 CD 20 40 00 CD 26 40 00 27 20 40 00 ?@.?@.?@.' @.
00402578 ED 20 40 00 70 21 40 00 63 27 40 00 44 27 40 00 ?@.p!@.c'@.D'@.
00402588 12 21 40 00 63 27 40 00 9B 21 40 00 CD 26 40 00 !@.c'@.?@.?@.
00402598 ED 20 40 00 4B 20 40 00 08 27 40 00 87 21 40 00 ?@.K @.'@.?@.
转换程序 的源码为:
创建一个对话框资源,然后拉一个Edit控件上去就行了
#include <windows.h> #include <stdio.h> #include <strsafe.h> #include "resource.h" #include <windowsx.h> CHAR szInfo[100000] = { 0 }; int arr1[] = { 0x39,0x31,0x19,0x15,0x2D,0x05,0x09,0x0D,0x25,0x3D,0x01,0x29,0xF8,0x01,0x0C,0x54, 0x29,0x35,0x08,0x55,0x32,0xFB,0x0D,0xF8,0xFE,0xC6,0x0D,0x28,0x45,0xF6,0xA6,0x21, 0xF8,0x01,0x93,0x1D,0x4E,0x01,0x21,0xF8,0x01,0x34,0x54,0x2D,0x01,0x20,0x45,0x32, 0x93,0x09,0xF8,0xFE,0x93,0x09,0x2C,0x2C,0x93,0x0D,0xF8,0x01,0x93,0x35,0x5E,0x0D, 0x29,0x00,0xF8,0x01,0xC2,0x1D,0x0D,0x28,0x45,0xF9,0x93,0x21,0xF8,0xFE,0x93,0x01, 0x1C,0x1C,0x93,0x01,0xF8,0x01,0xA6,0x35,0x4E,0x21,0x01,0x0C,0xF8,0x01,0x54,0x09, 0x1D,0x00,0x41,0xF9,0xC6,0x2D,0xF8,0xFE,0xC6,0x21,0x08,0x41,0xF6,0xC6,0x29,0xF8, 0x01,0xC6,0x11,0x4E,0x0D,0x0D,0x1C,0xF8,0x01,0x54,0x35,0x2D,0x0C,0x55,0x32,0xFB, 0x11,0xF8,0xFE,0xA6,0x11,0x34,0x41,0x32,0x93,0x11,0xF8,0x01,0x93,0x11,0x4E,0x1D, 0x09,0x38,0x40,0x07,0x10,0x40,0x00,0x5E,0x29,0x3C,0x24,0x2C,0x08,0x04,0x34,0x14, 0x18,0x30,0x38,0x95 }; BYTE arr2[] = { 0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x70,0x21,0x40,0x00,0x70,0x21,0x40,0x00, 0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xED,0x20,0x40,0x00,0xED,0x20,0x40,0x00, 0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,0x2A,0x26,0x40,0x00, 0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x32,0x27,0x40,0x00,0x68,0x26,0x40,0x00, 0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,0x00,0x20,0x40,0x00, 0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xE5,0x26,0x40,0x00,0x56,0x27,0x40,0x00, 0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xCC,0x25,0x40,0x00,0xD5,0x25,0x40,0x00, 0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xFB,0x20,0x40,0x00,0xD5,0x20,0x40,0x00, 0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xED,0x20,0x40,0x00,0x68,0x26,0x40,0x00, 0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x22,0x27,0x40,0x00,0x97,0x20,0x40,0x00, 0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x71,0x27,0x40,0x00,0x71,0x27,0x40,0x00, 0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x68,0x26,0x40,0x00,0x70,0x21,0x40,0x00, 0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x63,0x27,0x40,0x00,0xED,0x20,0x40,0x00, 0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xCD,0x20,0x40,0x00,0x32,0x27,0x40,0x00, 0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x13,0x20,0x40,0x00,0x7C,0x20,0x40,0x00, 0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xF6,0x25,0x40,0x00,0x44,0x27,0x40,0x00, 0xBD,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x27,0x20,0x40,0x00,0xED,0x20,0x40,0x00, 0x56,0x27,0x40,0x00,0x44,0x26,0x40,0x00,0x97,0x20,0x40,0x00,0xED,0x20,0x40,0x00, 0xD5,0x25,0x40,0x00,0x68,0x26,0x40,0x00,0x44,0x27,0x40,0x00,0x2A,0x26,0x40,0x00, 0x22,0x27,0x40,0x00,0xAA,0x26,0x40,0x00,0x5C,0x20,0x40,0x00,0x0C,0x26,0x40,0x00, 0x70,0x21,0x40,0x00,0xBB,0x25,0x40,0x00,0x22,0x27,0x40,0x00,0x22,0x27,0x40,0x00, 0x5C,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0xAA,0x26,0x40,0x00,0x71,0x27,0x40,0x00, 0x32,0x27,0x40,0x00,0xBB,0x26,0x40,0x00,0x55,0x21,0x40,0x00,0x2A,0x26,0x40,0x00, 0x87,0x21,0x40,0x00,0x0C,0x26,0x40,0x00,0x5C,0x20,0x40,0x00,0xD5,0x20,0x40,0x00, 0x51,0x26,0x40,0x00,0x55,0x21,0x40,0x00,0x44,0x27,0x40,0x00,0xFB,0x20,0x40,0x00, 0xBD,0x20,0x40,0x00,0x87,0x21,0x40,0x00,0xE5,0x26,0x40,0x00,0x87,0x21,0x40,0x00, 0x70,0x21,0x40,0x00,0xBB,0x26,0x40,0x00,0xAB,0x20,0x40,0x00,0xCD,0x20,0x40,0x00, 0x27,0x20,0x40,0x00,0x27,0x20,0x40,0x00,0xF6,0x25,0x40,0x00,0x08,0x27,0x40,0x00, 0xD5,0x20,0x40,0x00,0x7C,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x44,0x26,0x40,0x00, 0x56,0x27,0x40,0x00,0x97,0x20,0x40,0x00,0x00,0x20,0x40,0x00,0xD5,0x20,0x40,0x00, 0xCC,0x25,0x40,0x00,0x7C,0x20,0x40,0x00,0xF0,0x26,0x40,0x00,0x71,0x27,0x40,0x00, 0x97,0x20,0x40,0x00,0x0C,0x26,0x40,0x00,0xAB,0x20,0x40,0x00,0x44,0x27,0x40,0x00, 0x00,0x20,0x40,0x00,0xBB,0x25,0x40,0x00,0x55,0x21,0x40,0x00,0xF0,0x26,0x40,0x00, 0x5C,0x20,0x40,0x00,0xE5,0x26,0x40,0x00,0xA8,0x25,0x40,0x00,0xF0,0x26,0x40,0x00, 0x39,0x20,0x40,0x00,0x51,0x26,0x40,0x00,0x32,0x27,0x40,0x00,0x7C,0x20,0x40,0x00, 0x22,0x27,0x40,0x00,0xAA,0x26,0x40,0x00,0x71,0x27,0x40,0x00,0xF0,0x26,0x40,0x00, 0x56,0x27,0x40,0x00,0xD5,0x20,0x40,0x00,0x97,0x20,0x40,0x00,0xCD,0x26,0x40,0x00, 0xBD,0x20,0x40,0x00,0x9B,0x21,0x40,0x00,0x39,0x20,0x40,0x00,0xF0,0x26,0x40,0x00, 0x44,0x27,0x40,0x00,0xD5,0x20,0x40,0x00,0xBB,0x26,0x40,0x00,0xED,0x20,0x40,0x00, 0x5C,0x20,0x40,0x00,0x56,0x27,0x40,0x00,0xD5,0x25,0x40,0x00,0x13,0x20,0x40,0x00, 0x97,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x2A,0x26,0x40,0x00,0x13,0x20,0x40,0x00, 0xD5,0x25,0x40,0x00,0x4B,0x20,0x40,0x00,0xCD,0x26,0x40,0x00,0x0C,0x26,0x40,0x00, 0x51,0x26,0x40,0x00,0x5C,0x20,0x40,0x00,0x51,0x26,0x40,0x00,0x87,0x21,0x40,0x00, 0xCD,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x00,0x20,0x40,0x00,0x68,0x26,0x40,0x00, 0xED,0x20,0x40,0x00,0xA8,0x25,0x40,0x00,0x68,0x26,0x40,0x00,0x55,0x21,0x40,0x00, 0x71,0x27,0x40,0x00,0x51,0x26,0x40,0x00,0xAA,0x26,0x40,0x00,0xBD,0x20,0x40,0x00, 0x44,0x27,0x40,0x00,0xBD,0x20,0x40,0x00,0x00,0x20,0x40,0x00,0x13,0x20,0x40,0x00, 0xCD,0x20,0x40,0x00,0x7C,0x20,0x40,0x00,0xED,0x20,0x40,0x00,0x56,0x27,0x40,0x00, 0x22,0x27,0x40,0x00,0xF6,0x25,0x40,0x00,0x5C,0x20,0x40,0x00,0x2A,0x26,0x40,0x00, 0xD5,0x20,0x40,0x00,0xCC,0x25,0x40,0x00,0xCD,0x26,0x40,0x00,0x32,0x27,0x40,0x00, 0x97,0x20,0x40,0x00,0xD5,0x25,0x40,0x00,0x2A,0x26,0x40,0x00,0xED,0x20,0x40,0x00, 0xF0,0x26,0x40,0x00,0x0C,0x26,0x40,0x00,0xD5,0x20,0x40,0x00,0xF6,0x25,0x40,0x00, 0x44,0x27,0x40,0x00,0x7C,0x20,0x40,0x00,0xCD,0x20,0x40,0x00,0xAB,0x20,0x40,0x00, 0x5C,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x97,0x20,0x40,0x00,0x71,0x27,0x40,0x00, 0xCC,0x25,0x40,0x00,0xCC,0x25,0x40,0x00,0x9B,0x21,0x40,0x00,0x27,0x20,0x40,0x00, 0x51,0x26,0x40,0x00,0x32,0x27,0x40,0x00,0x5C,0x20,0x40,0x00,0x2A,0x26,0x40,0x00, 0xBB,0x25,0x40,0x00,0xCC,0x25,0x40,0x00,0x0C,0x26,0x40,0x00,0xAA,0x26,0x40,0x00, 0x87,0x21,0x40,0x00,0x0C,0x26,0x40,0x00,0x27,0x20,0x40,0x00,0xAB,0x20,0x40,0x00, 0x97,0x20,0x40,0x00,0xCD,0x20,0x40,0x00,0x00,0x20,0x40,0x00,0x2A,0x26,0x40,0x00, 0x56,0x27,0x40,0x00,0x56,0x27,0x40,0x00,0xE5,0x26,0x40,0x00,0xBB,0x26,0x40,0x00, 0xD5,0x25,0x40,0x00,0xCD,0x20,0x40,0x00,0xCD,0x26,0x40,0x00,0x27,0x20,0x40,0x00, 0xED,0x20,0x40,0x00,0x70,0x21,0x40,0x00,0x63,0x27,0x40,0x00,0x44,0x27,0x40,0x00, 0x12,0x21,0x40,0x00,0x63,0x27,0x40,0x00,0x9B,0x21,0x40,0x00,0xCD,0x26,0x40,0x00, 0xED,0x20,0x40,0x00,0x4B,0x20,0x40,0x00,0x08,0x27,0x40,0x00,0x87,0x21,0x40,0x00, }; INT_PTR DlgProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam) { switch (uMsg) { case WM_INITDIALOG: { HWND hwndEdit = GetDlgItem(hwndDlg, IDC_EDIT1); CHAR szBuffer[100] = { 0 }; int nIndex = 0; int nAddr = 0; for (int i = 0; i < 164; ++i) { if (i % 4 == 0) { strcat_s(szInfo, "\r\n"); } nIndex = arr1[i]; nAddr = *(DWORD*)&arr2[nIndex*4]; StringCbPrintf(szBuffer, 100, "%08X ", nAddr); strcat_s(szInfo, szBuffer); } Edit_SetText(hwndEdit, szInfo); break; } case WM_CLOSE: { EndDialog(hwndDlg, 0); break; } } return FALSE; } int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int nCmdShow) { DialogBox(hInstance, MAKEINTRESOURCE(IDD_DIALOG1), NULL, (DLGPROC)DlgProc); return 0; }