The textbook gives some explanation of this, but it is fragmentary..

..by single-stepping afterwards I connected the gaps, and also understood what the VMP analysis plugin actually does..

//Table 1 and Table 2 are at the end.

 

Code before encryption:
00401000    41              INC ECX
00401001    C3              RETN
00401002 >  40             INC EAX
00401003    40              INC EAX
00401004    40              INC EAX
00401005    40              INC EAX
00401006    40              INC EAX
00401007    40              INC EAX
00401008  ^ EB F8           JMP 401002
0040100A    C3              RETN

It was then encrypted with VMP at default settings; the encrypted range is the closed interval [401002,401006] (the five INC EAX at 401002..401006).

Code after encryption (all listings from here on are from the encrypted EXE; 用于测试 is the module name as OllyDbg shows it):

00401000    41              INC ECX
00401001    C3              RETN
00401002 >- E9 7C170000     JMP 用于测试.00402783
00401007    40              INC EAX
00401008  ^ EB F8           JMP SHORT 用于测试.<ModuleEntryPoint>
0040100A    C3              RETN

You can see the encrypted code has been replaced by jmp 402783.

Following the jump:

00402783    68 92274000     PUSH 用于测试.00402792  ;402792 is the address where the bytecode is stored
00402788    E8 EFFEFFFF     CALL 用于测试.0040267C  ;this call is the interpreter

Stepping into 40267C:

0040267C    52              PUSH EDX
0040267D    53              PUSH EBX
0040267E    50              PUSH EAX
0040267F    9C              PUSHFD
00402680    51              PUSH ECX
00402681    56              PUSH ESI
00402682    57              PUSH EDI
00402683    56              PUSH ESI
00402684    55              PUSH EBP                           ;save the CONTEXT..
00402685    68 00000000     PUSH 0x0                           **
0040268A    8B7424 2C       MOV ESI,DWORD PTR SS:[ESP+0x2C]    ;ESI = 402792, the single argument passed to this function
0040268E    89E5            MOV EBP,ESP                        ;save the current stack top in EBP; this can be regarded as the real program's stack top
00402690    81EC C0000000   SUB ESP,0xC0                       ;reserve storage for the virtual machine
00402696    89E7            MOV EDI,ESP                        ;EDI is the VM's stack top
00402698    0375 00         ADD ESI,DWORD PTR SS:[EBP]         ;[EBP] here is the 0 pushed at ** above
0040269B    8A06            MOV AL,BYTE PTR DS:[ESI]
0040269D    0FB6C0          MOVZX EAX,AL
004026A0 >  83C6 01         ADD ESI,0x1                        ;load the byte at ESI into AL, zero-extend it into EAX, then ESI += 1
004026A3    FF2485 A8214000 JMP DWORD PTR DS:[EAX*4+0x4021A8]  ;jump to arr_4021a8[eax] and execute that handler

This block initializes the VM and then executes bytecodes in a loop...

So the first time execution reaches

004026A3    FF2485 A8214000 JMP DWORD PTR DS:[EAX*4+0x4021A8] 

EAX=0x39, and 0x39*4+0x4021A8 = 40228C; from Table 2, [40228C] = 0040206B.

The code there is:

0040206B    80E0 3C         AND AL,0x3C
0040206E    8B55 00         MOV EDX,DWORD PTR SS:[EBP]
00402071    83C5 04         ADD EBP,0x4
00402074    891407          MOV DWORD PTR DS:[EDI+EAX],EDX
00402077    E9 1F060000     JMP 用于测试.0040269B

Ignore the first four instructions for now and look at the final jmp; 40269B is

0040269B    8A06            MOV AL,BYTE PTR DS:[ESI]
0040269D    0FB6C0          MOVZX EAX,AL
004026A0 >  83C6 01         ADD ESI,0x1                        
004026A3    FF2485 A8214000 JMP DWORD PTR DS:[EAX*4+0x4021A8]  

That is the loop: ESI fetches the next byte from Table 1, the jump target is computed from Table 2, and the next bytecode is executed..

The question now is where the end is. In my first attempt, based on the entry's

0040267C    52              PUSH EDX
0040267D    53              PUSH EBX
0040267E    50              PUSH EAX
0040267F    9C              PUSHFD
00402680    51              PUSH ECX
00402681    56              PUSH ESI
00402682    57              PUSH EDI
00402683    56              PUSH ESI
00402684    55              PUSH EBP 

I guessed the exit must have the matching pops, so I searched OD for the instruction sequence

pop eax
pop ebx
pop edx

and found it straight away:

0040219B    89EC            MOV ESP,EBP
0040219D    5A              POP EDX
0040219E    5D              POP EBP
0040219F    5E              POP ESI
004021A0    5F              POP EDI
004021A1    58              POP EAX
004021A2    59              POP ECX
004021A3    9D              POPFD
004021A4    58              POP EAX
004021A5    5B              POP EBX
004021A6    5A              POP EDX
004021A7    C3              RETN

Then I set a breakpoint at 40219B; when it hits, the value of ESI tells how many bytecodes get executed and what the last bytecode is.

I got ESI == 402836.

So the bytes of Table 1 from 402792 through 402836-1 are all the bytecode that gets executed (0xA4 == 164 bytes).

The original 5 inc eax instructions became 164 bytecodes, each implemented by several assembly instructions.. brutal..

Next, work out what the instruction sequence behind each bytecode does:

Things to keep in mind before going on:
ESI is the address of the current bytecode.
EBP (initially) is the stack top after the PUSH CONTEXT and the PUSH 0, pointing at that 0; call it stack top 2.
ESP (initially) and EDI point at the VM's own stack top, EBP-0C0h; call it stack top 1.
Both stack tops move, but whatever their values, EBP's top is always called stack top 2 and EDI's (ESP's) stack top 1; 1 sits above 2 (at lower addresses).
All of this applies to the VM stack after it is allocated (402690 sub esp,0c0) and before it is torn down (40219B mov esp,ebp).
In Table 1 you can see that bytecodes repeat, and in Table 2 the entries repeat as well.
For bytecode 0x39:
0040206B    80E0 3C         AND AL,0x3C
0040206E    8B55 00         MOV EDX,DWORD PTR SS:[EBP]
00402071    83C5 04         ADD EBP,0x4
00402074    891407          MOV DWORD PTR DS:[EDI+EAX],EDX
00402077    E9 1F060000     JMP 用于测试.0040269B

AND AL,3C  ===>  AL == 38
These instructions pop a dword off stack top 2 and store it at (stack top 1 + (AL & 3C)), i.e. [EDI+0x38].

After the AND with 3C the bytecode value becomes a slot offset.. so although the entries of Table 2 repeat, the Table 1 values that select them differ, and even when

the same handler is reached, the slot it computes differs..

 

For bytecode 0x31:
0040206B    80E0 3C         AND AL,0x3C
0040206E    8B55 00         MOV EDX,DWORD PTR SS:[EBP]
00402071    83C5 04         ADD EBP,0x4
00402074    891407          MOV DWORD PTR DS:[EDI+EAX],EDX
00402077    E9 1F060000     JMP 用于测试.0040269B

AND AL,3C ==> 0x31 & 0x3C = 0x30
Identical to 0x39; the only difference is AL, so the value is stored at a different slot, [EDI+0x30].

 

For bytecode 0x19:
0040206B    80E0 3C         AND AL,0x3C
0040206E    8B55 00         MOV EDX,DWORD PTR SS:[EBP]
00402071    83C5 04         ADD EBP,0x4
00402074    891407          MOV DWORD PTR DS:[EDI+EAX],EDX

Again exactly the same:
AND AL,3C ==> 0x19 & 0x3c = 0x18, so [EDI+0x18]

By now this was getting tedious, three in a row identical, so I wrote a test program (source in the appendix) that maps each Table 1 bytecode to its handler address. Processing all of them (402792 through 402835 inclusive, 0xA4 = 164 addresses) gives:

Table 3:

0040206B  0040206B  0040206B  0040206B  
0040206B  0040206B  0040206B  0040206B  
0040206B  0040206B  0040206B  0040206B  
00402112  0040206B  004025E5  0040205C  
0040206B  0040206B  004025E5  00402644  
00402763  004026CD  0040206B  00402112  
00402708  004026CD  0040206B  004025E5  
00402644  00402763  004026CD  0040206B  
00402112  0040206B  004026CD  0040206B  
0040205C  0040206B  0040206B  00402112  
0040206B  004025E5  0040205C  0040206B  
0040206B  004025E5  00402644  00402763  
004026CD  0040206B  00402112  00402708  
004026CD  0040206B  004025E5  004025E5  
004026CD  0040206B  00402112  0040206B  
004026CD  0040206B  0040205C  0040206B  
0040206B  004025E5  00402112  0040206B  
0040205C  0040206B  0040206B  004025E5  
00402644  00402763  004026CD  0040206B  
00402112  00402708  004026CD  0040206B  
004025E5  004025E5  004026CD  0040206B  
00402112  0040206B  004026CD  0040206B  
0040205C  0040206B  0040206B  004025E5  
00402112  0040206B  0040205C  0040206B  
0040206B  004025E5  00402644  00402763  
004026CD  0040206B  00402112  00402708  
004026CD  0040206B  004025E5  00402644  
00402763  004026CD  0040206B  00402112  
0040206B  004026CD  0040206B  0040205C  
0040206B  0040206B  004025E5  00402112  
0040206B  0040205C  0040206B  0040206B  
004025E5  00402644  00402763  004026CD  
0040206B  00402112  00402708  004026CD  
0040206B  004025E5  00402644  00402763  
004026CD  0040206B  00402112  0040206B  
004026CD  0040206B  0040205C  0040206B  
0040206B  004025E5  004020BD  004020ED  
004025E5  004020BD  004025E5  0040205C  
0040206B  004025E5  004025E5  004025E5  
004025E5  004025E5  004025E5  004025E5  
004025E5  004025E5  004025E5  0040219B  

After that, each distinct address only has to be analyzed once..

It also remains to figure out how code inside the VM affects the code outside..

To explain this better, here is a stack diagram (an image in the original post):

What PROC_40206B above does is pop one slot from stack top 2 (EBP moves down one dword) and store the value at EDI + (AL & 3C)..

And the data at EBP at this point is what the PUSH CONTEXT sequence at the VM entry 40267C pushed, so the initial state of the diagram should be....

From Table 3, the first 12 opcodes are all FUNC_40206B; the bytecodes are

39 31 19 15 2D 05 09 0D 25 3D 01 29
and after AND 3C the slot offsets are
38 30 18 14 2C 04 08 0C 24 3C 00 28

So the dwords at stack top 2 are popped, in turn, into EDI+38/30/18/14/....

These 12 opcodes correspond exactly to the 12 "useful" dwords on the stack (the pushed 0, old EBP, old ESI, old EDI, old ESI, old ECX, EFLAGS, old EAX, old EBX, old EDX, the return address r, and the argument 402792)..

 

As for how the code inside the VM affects the outside: it must be through the VM continually operating on the data on the EBP side (stack top 2), and the final bytecode is 0x95, whose

handler is FUNC_40219B

0040219B    89EC            MOV ESP,EBP
0040219D    5A              POP EDX
0040219E    5D              POP EBP
0040219F    5E              POP ESI
004021A0    5F              POP EDI
004021A1    58              POP EAX
004021A2    59              POP ECX
004021A3    9D              POPFD
004021A4    58              POP EAX
004021A5    5B              POP EBX
004021A6    5A              POP EDX
004021A7    C3              RETN

Compare with the PUSHes at the entry:

0040267C    52              PUSH EDX                                 ; 用于测试.<ModuleEntryPoint>
0040267D    53              PUSH EBX
0040267E    50              PUSH EAX
0040267F    9C              PUSHFD
00402680    51              PUSH ECX
00402681    56              PUSH ESI
00402682    57              PUSH EDI
00402683    56              PUSH ESI
00402684    55              PUSH EBP
00402685    68 00000000     PUSH 0x0

In FUNC_40219B, single-stepping to the retn, I found the value on top of the stack (r in the stack diagram) is 401007, not 40278D:

00402783    68 92274000     PUSH 用于测试.00402792
00402788    E8 EFFEFFFF     CALL 用于测试.0040267C
0040278D    A8 E3           TEST AL,0xE3

40278D is the return address the CALL pushed when entering the VM; while the bytecode ran it was replaced with 401007, which is

00401000    41              INC ECX
00401001    C3              RETN
00401002 >- E9 7C170000     JMP 用于测试.00402783
00401007    40              INC EAX                ;<---------------------------HERE
00401008  ^ EB F8           JMP SHORT 用于测试.<ModuleEntryPoint>
0040100A    C3              RETN

i.e. the address of the instruction that follows the 5 virtualized inc eax: execution leaves the VM and lands right after the protected range.
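The mechanism worked out above (the twelve 40206B stores that capture the context, the dispatch loop at 40269B, and the exit through 40219B) can be checked with a small model. The C program below is an added example, not code from the post or from the VMP plugin. It embeds Table 2 and the first row of Table 1, models only the two handlers whose code appears above (40206B and 40219B), stops at the first handler it does not know (for this row that is 402112, reached by opcode F8), and then runs a constructed one-byte program, 95, to show that the exit pops mirror the entry pushes and that the RETN target is whatever sits at [EBP+28h] of stack top 2. The register values and the 0040278D return address in main are made up for the demo; the other handlers (4025E5, 402112, ...) are not modelled because the post does not show their code.

```c
/* Added example, not code from the post or the VMP plugin: a C model of the dispatch loop at
 * 40269B and of the only two handlers whose code the post shows, 40206B (pop stack top 2 into
 * [EDI + (opcode & 3C)]) and 40219B (exit). Any other handler stops the model. Table 2 and the
 * first row of Table 1 are the post's data; the register values in main are made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BYTECODE_BASE 0x00402792u   /* PUSH 402792 before CALL 40267C */
#define H_STORE       0x0040206Bu   /* AND AL,3C; MOV EDX,[EBP]; ADD EBP,4; MOV [EDI+EAX],EDX */
#define H_EXIT        0x0040219Bu   /* MOV ESP,EBP; ten POPs; RETN */
#define FRAME_DWORDS  12            /* pushed 0, nine context regs, return address, argument */

/* Table 2: the 256 handler addresses at 4021A8 indexed by opcode. All are 0x0040xxxx, so only
 * the low 16 bits are kept (16 entries per line = 4 rows of the dump in the appendix). */
static const uint16_t table2_lo[256] = {
 0x25E5,0x206B,0x2170,0x2170,0x25E5,0x206B,0x20ED,0x20ED,0x25E5,0x206B,0x262A,0x262A,0x25E5,0x206B,0x2732,0x2668,
 0x25E5,0x206B,0x262A,0x2000,0x25E5,0x206B,0x26E5,0x2756,0x25E5,0x206B,0x25CC,0x25D5,0x25E5,0x206B,0x20FB,0x20D5,
 0x25E5,0x206B,0x20ED,0x2668,0x25E5,0x206B,0x2722,0x2097,0x25E5,0x206B,0x2771,0x2771,0x25E5,0x206B,0x2668,0x2170,
 0x25E5,0x206B,0x2763,0x20ED,0x25E5,0x206B,0x20CD,0x2732,0x25E5,0x206B,0x2013,0x207C,0x25E5,0x206B,0x25F6,0x2744,
 0x20BD,0x2644,0x2027,0x20ED,0x2756,0x2644,0x2097,0x20ED,0x25D5,0x2668,0x2744,0x262A,0x2722,0x26AA,0x205C,0x260C,
 0x2170,0x25BB,0x2722,0x2722,0x205C,0x2644,0x26AA,0x2771,0x2732,0x26BB,0x2155,0x262A,0x2187,0x260C,0x205C,0x20D5,
 0x2651,0x2155,0x2744,0x20FB,0x20BD,0x2187,0x26E5,0x2187,0x2170,0x26BB,0x20AB,0x20CD,0x2027,0x2027,0x25F6,0x2708,
 0x20D5,0x207C,0x2644,0x2644,0x2756,0x2097,0x2000,0x20D5,0x25CC,0x207C,0x26F0,0x2771,0x2097,0x260C,0x20AB,0x2744,
 0x2000,0x25BB,0x2155,0x26F0,0x205C,0x26E5,0x25A8,0x26F0,0x2039,0x2651,0x2732,0x207C,0x2722,0x26AA,0x2771,0x26F0,
 0x2756,0x20D5,0x2097,0x26CD,0x20BD,0x219B,0x2039,0x26F0,0x2744,0x20D5,0x26BB,0x20ED,0x205C,0x2756,0x25D5,0x2013,
 0x2097,0x2644,0x262A,0x2013,0x25D5,0x204B,0x26CD,0x260C,0x2651,0x205C,0x2651,0x2187,0x20CD,0x2644,0x2000,0x2668,
 0x20ED,0x25A8,0x2668,0x2155,0x2771,0x2651,0x26AA,0x20BD,0x2744,0x20BD,0x2000,0x2013,0x20CD,0x207C,0x20ED,0x2756,
 0x2722,0x25F6,0x205C,0x262A,0x20D5,0x25CC,0x26CD,0x2732,0x2097,0x25D5,0x262A,0x20ED,0x26F0,0x260C,0x20D5,0x25F6,
 0x2744,0x207C,0x20CD,0x20AB,0x205C,0x2644,0x2097,0x2771,0x25CC,0x25CC,0x219B,0x2027,0x2651,0x2732,0x205C,0x262A,
 0x25BB,0x25CC,0x260C,0x26AA,0x2187,0x260C,0x2027,0x20AB,0x2097,0x20CD,0x2000,0x262A,0x2756,0x2756,0x26E5,0x26BB,
 0x25D5,0x20CD,0x26CD,0x2027,0x20ED,0x2170,0x2763,0x2744,0x2112,0x2763,0x219B,0x26CD,0x20ED,0x204B,0x2708,0x2187
};

/* First row of Table 1: the opcodes at 402792..4027A1. */
static const uint8_t table1_row0[16] = {
    0x39,0x31,0x19,0x15,0x2D,0x05,0x09,0x0D,0x25,0x3D,0x01,0x29,0xF8,0x01,0x0C,0x54 };

struct native_ctx { uint32_t eax, ebx, ecx, edx, esi, edi, ebp, eflags; };

struct vm {
    uint32_t stack2[FRAME_DWORDS]; /* stack top 2: [EBP] after PUSH 0, up to the pushed 402792 */
    unsigned ebp;                  /* EBP as a dword index into stack2 */
    uint8_t  regfile[0xC0];        /* stack top 1: the 0C0h bytes below EBP that EDI points at */
    uint32_t pc;                   /* ESI */
};

static uint32_t resolve_handler(uint8_t op) { return 0x00400000u | table2_lo[op]; }
static uint32_t regfile_slot(const struct vm *vm, unsigned slot) {
    uint32_t v; memcpy(&v, &vm->regfile[slot & 0x3C], 4); return v;   /* dword at [EDI+slot] */
}

/* 40267C..402698: PUSH EDX,EBX,EAX,EFLAGS,ECX,ESI,EDI,ESI,EBP,0; EBP=ESP; ESI = arg + [EBP]. */
static void vm_enter(struct vm *vm, const struct native_ctx *c, uint32_t ret_addr) {
    const uint32_t frame[FRAME_DWORDS] = { 0, c->ebp, c->esi, c->edi, c->esi, c->ecx, c->eflags,
                                           c->eax, c->ebx, c->edx, ret_addr, BYTECODE_BASE };
    memset(vm, 0, sizeof *vm);
    memcpy(vm->stack2, frame, sizeof frame);
    vm->pc = BYTECODE_BASE + vm->stack2[0];   /* ADD ESI,[EBP] adds the pushed 0 */
}

/* 40219B: MOV ESP,EBP; POP EDX,EBP,ESI,EDI,EAX,ECX; POPFD; POP EAX,EBX,EDX; RETN. The first
 * POP EDX and POP EAX are overwritten by the later ones. Returns the RETN target, i.e. whatever
 * the VM left at [EBP+28h], or 0 if the modelled frame is too short. */
static uint32_t vm_exit(const struct vm *vm, struct native_ctx *out) {
    if (vm->ebp + 11 > FRAME_DWORDS) return 0;
    const uint32_t *sp = vm->stack2 + vm->ebp;
    out->ebp = sp[1]; out->esi = sp[2]; out->edi = sp[3]; out->ecx = sp[5];
    out->eflags = sp[6]; out->eax = sp[7]; out->ebx = sp[8]; out->edx = sp[9];
    return sp[10];
}

/* Dispatch loop at 40269B. Returns the handler that stopped the model (H_EXIT, or the first
 * handler not modelled here) and counts the opcodes consumed, i.e. ESI - 402792. */
static uint32_t vm_run(struct vm *vm, const uint8_t *code, size_t len, int *consumed,
                       struct native_ctx *out, uint32_t *eip) {
    *consumed = 0;
    while (vm->pc - BYTECODE_BASE < len) {
        uint8_t  op = code[vm->pc - BYTECODE_BASE];  /* MOV AL,[ESI]; MOVZX EAX,AL */
        uint32_t h  = resolve_handler(op);          /* JMP DWORD PTR [EAX*4+4021A8] */
        vm->pc++;                                   /* ADD ESI,1 */
        ++*consumed;
        if (h == H_STORE) {
            if (vm->ebp >= FRAME_DWORDS) return 0;  /* would pop below the modelled frame */
            uint32_t v = vm->stack2[vm->ebp++];     /* MOV EDX,[EBP]; ADD EBP,4 */
            memcpy(&vm->regfile[op & 0x3C], &v, 4); /* MOV [EDI+EAX],EDX */
        } else {
            if (h == H_EXIT) *eip = vm_exit(vm, out);
            return h;                               /* exit, or a handler the post does not show */
        }
    }
    return 0;
}

int main(void) {
    struct native_ctx in = { 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                             0x55555555, 0x66666666, 0x77777777, 0x246 }, out;
    struct vm vm; int n; uint32_t eip = 0;
    vm_enter(&vm, &in, 0x0040278Du);                 /* return address pushed by CALL 40267C */
    uint32_t stop = vm_run(&vm, table1_row0, sizeof table1_row0, &n, &out, &eip);
    printf("stopped at handler %08X after %d opcodes, ESI=%08X\n", stop, n, vm.pc);
    for (unsigned s = 0; s < 0x40; s += 4) printf("[EDI+%02X] = %08X\n", s, regfile_slot(&vm, s));
    return 0;
}
```

Running it prints the 16 dword slots [EDI+00h..3Ch] after the first twelve opcodes, which is the mapping worked out by hand above: slot 38h holds the pushed 0, 30h the old EBP, 18h and 2Ch the old ESI, 14h the old EDI, 04h ECX, 08h EFLAGS, 0Ch EAX, 24h EBX, 3Ch EDX, 00h the return address and 28h the 402792 argument; opcode 13 (F8) resolves to 402112, which the model does not implement. Overwriting stack2[10] with 401007 before calling vm_exit reproduces what was observed at the RETN without claiming which handler wrote it.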

The rest is covered in the textbook..

What the VMP analysis plugin does is:

name each handler (deriving a mnemonic from its behaviour), name the EDI+XXX slots (treating them as registers/operands), and show stack top 2 in the stack window.

Files used:

    http://images2015.cnblogs.com/blog/638600/201701/638600-20170112081555619-763736492.jpg  

Save it as a .zip file.

 

Appendix:

The bytes at address 402792, called Table 1:

00402792  39 31 19 15 2D 05 09 0D 25 3D 01 29 F8 01 0C 54
004027A2  29 35 08 55 32 FB 0D F8 FE C6 0D 28 45 F6 A6 21
004027B2  F8 01 93 1D 4E 01 21 F8 01 34 54 2D 01 20 45 32
004027C2  93 09 F8 FE 93 09 2C 2C 93 0D F8 01 93 35 5E 0D
004027D2  29 00 F8 01 C2 1D 0D 28 45 F9 93 21 F8 FE 93 01
004027E2  1C 1C 93 01 F8 01 A6 35 4E 21 01 0C F8 01 54 09
004027F2  1D 00 41 F9 C6 2D F8 FE C6 21 08 41 F6 C6 29 F8
00402802  01 C6 11 4E 0D 0D 1C F8 01 54 35 2D 0C 55 32 FB
00402812  11 F8 FE A6 11 34 41 32 93 11 F8 01 93 11 4E 1D
00402822  09 38 40 07 10 40 00 5E 29 3C 24 2C 08 04 34 14
00402832  18 30 38 95 00 00 00 00 00 00 00 00 00 00 00 00

The table at 4021A8 (256 little-endian dword handler addresses, indexed by opcode), called Table 2:

004021A8  E5 25 40 00 6B 20 40 00 70 21 40 00 70 21 40 00
004021B8  E5 25 40 00 6B 20 40 00 ED 20 40 00 ED 20 40 00
004021C8  E5 25 40 00 6B 20 40 00 2A 26 40 00 2A 26 40 00
004021D8  E5 25 40 00 6B 20 40 00 32 27 40 00 68 26 40 00
004021E8  E5 25 40 00 6B 20 40 00 2A 26 40 00 00 20 40 00
004021F8  E5 25 40 00 6B 20 40 00 E5 26 40 00 56 27 40 00
00402208  E5 25 40 00 6B 20 40 00 CC 25 40 00 D5 25 40 00
00402218  E5 25 40 00 6B 20 40 00 FB 20 40 00 D5 20 40 00
00402228  E5 25 40 00 6B 20 40 00 ED 20 40 00 68 26 40 00
00402238  E5 25 40 00 6B 20 40 00 22 27 40 00 97 20 40 00
00402248  E5 25 40 00 6B 20 40 00 71 27 40 00 71 27 40 00
00402258  E5 25 40 00 6B 20 40 00 68 26 40 00 70 21 40 00
00402268  E5 25 40 00 6B 20 40 00 63 27 40 00 ED 20 40 00
00402278  E5 25 40 00 6B 20 40 00 CD 20 40 00 32 27 40 00
00402288  E5 25 40 00 6B 20 40 00 13 20 40 00 7C 20 40 00
00402298  E5 25 40 00 6B 20 40 00 F6 25 40 00 44 27 40 00
004022A8  BD 20 40 00 44 26 40 00 27 20 40 00 ED 20 40 00
004022B8  56 27 40 00 44 26 40 00 97 20 40 00 ED 20 40 00
004022C8  D5 25 40 00 68 26 40 00 44 27 40 00 2A 26 40 00
004022D8  22 27 40 00 AA 26 40 00 5C 20 40 00 0C 26 40 00
004022E8  70 21 40 00 BB 25 40 00 22 27 40 00 22 27 40 00
004022F8  5C 20 40 00 44 26 40 00 AA 26 40 00 71 27 40 00
00402308  32 27 40 00 BB 26 40 00 55 21 40 00 2A 26 40 00
00402318  87 21 40 00 0C 26 40 00 5C 20 40 00 D5 20 40 00
00402328  51 26 40 00 55 21 40 00 44 27 40 00 FB 20 40 00
00402338  BD 20 40 00 87 21 40 00 E5 26 40 00 87 21 40 00
00402348  70 21 40 00 BB 26 40 00 AB 20 40 00 CD 20 40 00
00402358  27 20 40 00 27 20 40 00 F6 25 40 00 08 27 40 00
00402368  D5 20 40 00 7C 20 40 00 44 26 40 00 44 26 40 00
00402378  56 27 40 00 97 20 40 00 00 20 40 00 D5 20 40 00
00402388  CC 25 40 00 7C 20 40 00 F0 26 40 00 71 27 40 00
00402398  97 20 40 00 0C 26 40 00 AB 20 40 00 44 27 40 00
004023A8  00 20 40 00 BB 25 40 00 55 21 40 00 F0 26 40 00
004023B8  5C 20 40 00 E5 26 40 00 A8 25 40 00 F0 26 40 00
004023C8  39 20 40 00 51 26 40 00 32 27 40 00 7C 20 40 00
004023D8  22 27 40 00 AA 26 40 00 71 27 40 00 F0 26 40 00
004023E8  56 27 40 00 D5 20 40 00 97 20 40 00 CD 26 40 00
004023F8  BD 20 40 00 9B 21 40 00 39 20 40 00 F0 26 40 00
00402408  44 27 40 00 D5 20 40 00 BB 26 40 00 ED 20 40 00
00402418  5C 20 40 00 56 27 40 00 D5 25 40 00 13 20 40 00
00402428  97 20 40 00 44 26 40 00 2A 26 40 00 13 20 40 00
00402438  D5 25 40 00 4B 20 40 00 CD 26 40 00 0C 26 40 00
00402448  51 26 40 00 5C 20 40 00 51 26 40 00 87 21 40 00
00402458  CD 20 40 00 44 26 40 00 00 20 40 00 68 26 40 00
00402468  ED 20 40 00 A8 25 40 00 68 26 40 00 55 21 40 00
00402478  71 27 40 00 51 26 40 00 AA 26 40 00 BD 20 40 00
00402488  44 27 40 00 BD 20 40 00 00 20 40 00 13 20 40 00
00402498  CD 20 40 00 7C 20 40 00 ED 20 40 00 56 27 40 00
004024A8  22 27 40 00 F6 25 40 00 5C 20 40 00 2A 26 40 00
004024B8  D5 20 40 00 CC 25 40 00 CD 26 40 00 32 27 40 00
004024C8  97 20 40 00 D5 25 40 00 2A 26 40 00 ED 20 40 00
004024D8  F0 26 40 00 0C 26 40 00 D5 20 40 00 F6 25 40 00
004024E8  44 27 40 00 7C 20 40 00 CD 20 40 00 AB 20 40 00
004024F8  5C 20 40 00 44 26 40 00 97 20 40 00 71 27 40 00
00402508  CC 25 40 00 CC 25 40 00 9B 21 40 00 27 20 40 00
00402518  51 26 40 00 32 27 40 00 5C 20 40 00 2A 26 40 00
00402528  BB 25 40 00 CC 25 40 00 0C 26 40 00 AA 26 40 00
00402538  87 21 40 00 0C 26 40 00 27 20 40 00 AB 20 40 00
00402548  97 20 40 00 CD 20 40 00 00 20 40 00 2A 26 40 00
00402558  56 27 40 00 56 27 40 00 E5 26 40 00 BB 26 40 00
00402568  D5 25 40 00 CD 20 40 00 CD 26 40 00 27 20 40 00
00402578  ED 20 40 00 70 21 40 00 63 27 40 00 44 27 40 00
00402588  12 21 40 00 63 27 40 00 9B 21 40 00 CD 26 40 00
00402598  ED 20 40 00 4B 20 40 00 08 27 40 00 87 21 40 00

 

Source of the conversion program:

Create a dialog resource and put one Edit control on it. The program is compiled as C++ (the two-argument strcat_s is the MSVC template overload); it looks each Table 1 opcode up in Table 2 exactly the way the dispatcher's JMP DWORD PTR [EAX*4+0x4021A8] does and lists the resulting handler addresses.

#include <windows.h>
#include <stdio.h>
#include <strsafe.h>
#include "resource.h"   // IDD_DIALOG1, IDC_EDIT1
#include <windowsx.h>   // Edit_SetText

CHAR szInfo[100000] = { 0 };   // accumulated output: 164 entries of "%08X  " plus line breaks


// Table 1: the 164 bytecodes at 402792..402835 (opcode = index into Table 2)
int arr1[] = {
0x39,0x31,0x19,0x15,0x2D,0x05,0x09,0x0D,0x25,0x3D,0x01,0x29,0xF8,0x01,0x0C,0x54,
0x29,0x35,0x08,0x55,0x32,0xFB,0x0D,0xF8,0xFE,0xC6,0x0D,0x28,0x45,0xF6,0xA6,0x21,
0xF8,0x01,0x93,0x1D,0x4E,0x01,0x21,0xF8,0x01,0x34,0x54,0x2D,0x01,0x20,0x45,0x32,
0x93,0x09,0xF8,0xFE,0x93,0x09,0x2C,0x2C,0x93,0x0D,0xF8,0x01,0x93,0x35,0x5E,0x0D,
0x29,0x00,0xF8,0x01,0xC2,0x1D,0x0D,0x28,0x45,0xF9,0x93,0x21,0xF8,0xFE,0x93,0x01,
0x1C,0x1C,0x93,0x01,0xF8,0x01,0xA6,0x35,0x4E,0x21,0x01,0x0C,0xF8,0x01,0x54,0x09,
0x1D,0x00,0x41,0xF9,0xC6,0x2D,0xF8,0xFE,0xC6,0x21,0x08,0x41,0xF6,0xC6,0x29,0xF8,
0x01,0xC6,0x11,0x4E,0x0D,0x0D,0x1C,0xF8,0x01,0x54,0x35,0x2D,0x0C,0x55,0x32,0xFB,
0x11,0xF8,0xFE,0xA6,0x11,0x34,0x41,0x32,0x93,0x11,0xF8,0x01,0x93,0x11,0x4E,0x1D,
0x09,0x38,0x40,0x07,0x10,0x40,0x00,0x5E,0x29,0x3C,0x24,0x2C,0x08,0x04,0x34,0x14,
0x18,0x30,0x38,0x95 };

// Table 2: the 256-entry handler table at 4021A8, as raw little-endian dwords
BYTE arr2[] =
{
    0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x70,0x21,0x40,0x00,0x70,0x21,0x40,0x00,
    0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xED,0x20,0x40,0x00,0xED,0x20,0x40,0x00,
    0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,0x2A,0x26,0x40,0x00,
    0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x32,0x27,0x40,0x00,0x68,0x26,0x40,0x00,
    0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,0x00,0x20,0x40,0x00,
    0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xE5,0x26,0x40,0x00,0x56,0x27,0x40,0x00,
    0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xCC,0x25,0x40,0x00,0xD5,0x25,0x40,0x00,
    0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xFB,0x20,0x40,0x00,0xD5,0x20,0x40,0x00,
    0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xED,0x20,0x40,0x00,0x68,0x26,0x40,0x00,
    0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x22,0x27,0x40,0x00,0x97,0x20,0x40,0x00,
    0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x71,0x27,0x40,0x00,0x71,0x27,0x40,0x00,
    0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x68,0x26,0x40,0x00,0x70,0x21,0x40,0x00,
    0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x63,0x27,0x40,0x00,0xED,0x20,0x40,0x00,
    0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xCD,0x20,0x40,0x00,0x32,0x27,0x40,0x00,
    0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x13,0x20,0x40,0x00,0x7C,0x20,0x40,0x00,
    0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xF6,0x25,0x40,0x00,0x44,0x27,0x40,0x00,
    0xBD,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x27,0x20,0x40,0x00,0xED,0x20,0x40,0x00,
    0x56,0x27,0x40,0x00,0x44,0x26,0x40,0x00,0x97,0x20,0x40,0x00,0xED,0x20,0x40,0x00,
    0xD5,0x25,0x40,0x00,0x68,0x26,0x40,0x00,0x44,0x27,0x40,0x00,0x2A,0x26,0x40,0x00,
    0x22,0x27,0x40,0x00,0xAA,0x26,0x40,0x00,0x5C,0x20,0x40,0x00,0x0C,0x26,0x40,0x00,
    0x70,0x21,0x40,0x00,0xBB,0x25,0x40,0x00,0x22,0x27,0x40,0x00,0x22,0x27,0x40,0x00,
    0x5C,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0xAA,0x26,0x40,0x00,0x71,0x27,0x40,0x00,
    0x32,0x27,0x40,0x00,0xBB,0x26,0x40,0x00,0x55,0x21,0x40,0x00,0x2A,0x26,0x40,0x00,
    0x87,0x21,0x40,0x00,0x0C,0x26,0x40,0x00,0x5C,0x20,0x40,0x00,0xD5,0x20,0x40,0x00,
    0x51,0x26,0x40,0x00,0x55,0x21,0x40,0x00,0x44,0x27,0x40,0x00,0xFB,0x20,0x40,0x00,
    0xBD,0x20,0x40,0x00,0x87,0x21,0x40,0x00,0xE5,0x26,0x40,0x00,0x87,0x21,0x40,0x00,
    0x70,0x21,0x40,0x00,0xBB,0x26,0x40,0x00,0xAB,0x20,0x40,0x00,0xCD,0x20,0x40,0x00,
    0x27,0x20,0x40,0x00,0x27,0x20,0x40,0x00,0xF6,0x25,0x40,0x00,0x08,0x27,0x40,0x00,
    0xD5,0x20,0x40,0x00,0x7C,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x44,0x26,0x40,0x00,
    0x56,0x27,0x40,0x00,0x97,0x20,0x40,0x00,0x00,0x20,0x40,0x00,0xD5,0x20,0x40,0x00,
    0xCC,0x25,0x40,0x00,0x7C,0x20,0x40,0x00,0xF0,0x26,0x40,0x00,0x71,0x27,0x40,0x00,
    0x97,0x20,0x40,0x00,0x0C,0x26,0x40,0x00,0xAB,0x20,0x40,0x00,0x44,0x27,0x40,0x00,
    0x00,0x20,0x40,0x00,0xBB,0x25,0x40,0x00,0x55,0x21,0x40,0x00,0xF0,0x26,0x40,0x00,
    0x5C,0x20,0x40,0x00,0xE5,0x26,0x40,0x00,0xA8,0x25,0x40,0x00,0xF0,0x26,0x40,0x00,
    0x39,0x20,0x40,0x00,0x51,0x26,0x40,0x00,0x32,0x27,0x40,0x00,0x7C,0x20,0x40,0x00,
    0x22,0x27,0x40,0x00,0xAA,0x26,0x40,0x00,0x71,0x27,0x40,0x00,0xF0,0x26,0x40,0x00,
    0x56,0x27,0x40,0x00,0xD5,0x20,0x40,0x00,0x97,0x20,0x40,0x00,0xCD,0x26,0x40,0x00,
    0xBD,0x20,0x40,0x00,0x9B,0x21,0x40,0x00,0x39,0x20,0x40,0x00,0xF0,0x26,0x40,0x00,
    0x44,0x27,0x40,0x00,0xD5,0x20,0x40,0x00,0xBB,0x26,0x40,0x00,0xED,0x20,0x40,0x00,
    0x5C,0x20,0x40,0x00,0x56,0x27,0x40,0x00,0xD5,0x25,0x40,0x00,0x13,0x20,0x40,0x00,
    0x97,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x2A,0x26,0x40,0x00,0x13,0x20,0x40,0x00,
    0xD5,0x25,0x40,0x00,0x4B,0x20,0x40,0x00,0xCD,0x26,0x40,0x00,0x0C,0x26,0x40,0x00,
    0x51,0x26,0x40,0x00,0x5C,0x20,0x40,0x00,0x51,0x26,0x40,0x00,0x87,0x21,0x40,0x00,
    0xCD,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x00,0x20,0x40,0x00,0x68,0x26,0x40,0x00,
    0xED,0x20,0x40,0x00,0xA8,0x25,0x40,0x00,0x68,0x26,0x40,0x00,0x55,0x21,0x40,0x00,
    0x71,0x27,0x40,0x00,0x51,0x26,0x40,0x00,0xAA,0x26,0x40,0x00,0xBD,0x20,0x40,0x00,
    0x44,0x27,0x40,0x00,0xBD,0x20,0x40,0x00,0x00,0x20,0x40,0x00,0x13,0x20,0x40,0x00,
    0xCD,0x20,0x40,0x00,0x7C,0x20,0x40,0x00,0xED,0x20,0x40,0x00,0x56,0x27,0x40,0x00,
    0x22,0x27,0x40,0x00,0xF6,0x25,0x40,0x00,0x5C,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,
    0xD5,0x20,0x40,0x00,0xCC,0x25,0x40,0x00,0xCD,0x26,0x40,0x00,0x32,0x27,0x40,0x00,
    0x97,0x20,0x40,0x00,0xD5,0x25,0x40,0x00,0x2A,0x26,0x40,0x00,0xED,0x20,0x40,0x00,
    0xF0,0x26,0x40,0x00,0x0C,0x26,0x40,0x00,0xD5,0x20,0x40,0x00,0xF6,0x25,0x40,0x00,
    0x44,0x27,0x40,0x00,0x7C,0x20,0x40,0x00,0xCD,0x20,0x40,0x00,0xAB,0x20,0x40,0x00,
    0x5C,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x97,0x20,0x40,0x00,0x71,0x27,0x40,0x00,
    0xCC,0x25,0x40,0x00,0xCC,0x25,0x40,0x00,0x9B,0x21,0x40,0x00,0x27,0x20,0x40,0x00,
    0x51,0x26,0x40,0x00,0x32,0x27,0x40,0x00,0x5C,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,
    0xBB,0x25,0x40,0x00,0xCC,0x25,0x40,0x00,0x0C,0x26,0x40,0x00,0xAA,0x26,0x40,0x00,
    0x87,0x21,0x40,0x00,0x0C,0x26,0x40,0x00,0x27,0x20,0x40,0x00,0xAB,0x20,0x40,0x00,
    0x97,0x20,0x40,0x00,0xCD,0x20,0x40,0x00,0x00,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,
    0x56,0x27,0x40,0x00,0x56,0x27,0x40,0x00,0xE5,0x26,0x40,0x00,0xBB,0x26,0x40,0x00,
    0xD5,0x25,0x40,0x00,0xCD,0x20,0x40,0x00,0xCD,0x26,0x40,0x00,0x27,0x20,0x40,0x00,
    0xED,0x20,0x40,0x00,0x70,0x21,0x40,0x00,0x63,0x27,0x40,0x00,0x44,0x27,0x40,0x00,
    0x12,0x21,0x40,0x00,0x63,0x27,0x40,0x00,0x9B,0x21,0x40,0x00,0xCD,0x26,0x40,0x00,
    0xED,0x20,0x40,0x00,0x4B,0x20,0x40,0x00,0x08,0x27,0x40,0x00,0x87,0x21,0x40,0x00,
};
// Dialog procedure: on WM_INITDIALOG resolve every Table 1 opcode through Table 2 and
// dump the handler addresses, four per line, into the edit control (this is Table 3).
INT_PTR CALLBACK DlgProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
    switch (uMsg)
    {
        case WM_INITDIALOG:
        {
            HWND hwndEdit = GetDlgItem(hwndDlg, IDC_EDIT1);
            CHAR szBuffer[100] = { 0 };
            const int nCount = sizeof(arr1) / sizeof(arr1[0]);   // 164 opcodes
            for (int i = 0; i < nCount; ++i)
            {
                if (i % 4 == 0)
                {
                    strcat_s(szInfo, "\r\n");
                }
                int nIndex = arr1[i] & 0xFF;                        // MOVZX EAX,AL
                DWORD nAddr = *(DWORD*)&arr2[nIndex * 4];          // [0x4021A8 + EAX*4]
                StringCbPrintf(szBuffer, sizeof(szBuffer), "%08X  ", nAddr);
                strcat_s(szInfo, szBuffer);
            }

            Edit_SetText(hwndEdit, szInfo);
            return TRUE;
        }

        case WM_CLOSE:
        {
            EndDialog(hwndDlg, 0);
            return TRUE;
        }
    }

    return FALSE;
}


int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int nCmdShow)
{
    DialogBox(hInstance, MAKEINTRESOURCE(IDD_DIALOG1), NULL, DlgProc);

    return 0;
}


posted on 2017-01-12 08:17  fuckitup123