Notes from Reversing the Algorithm of an MFC Application



For a program that uses the Win32 SDK directly, without a third-party framework, locating the "key code" is not hard: put a breakpoint on CreateWindow or DialogBoxParam and you get the window procedure or dialog procedure of the main UI straight away. For a program built on MFC, however, the window or dialog procedure you find belongs to the framework MFC provides; a message passes through layer after layer of dispatching and filtering before it finally reaches user code, so analysing it directly is tedious.

Fortunately there is an OllyDbg script that can find functions such as OnOK() for us. The method it uses is built on a thorough understanding of MFC's internals: it places conditional breakpoints on the message-dispatch code.

The method I am about to describe is, to a degree, even handier than that script: it lands on the code we are interested in in a single step. It also generalises. Once you see the idea behind it you can extend it into a very powerful "killer technique" that works not only for MFC but for other application frameworks as well.

I will not explain how I arrived at the method; I will just give two examples. If you follow the examples, the idea will be obvious. And it is very simple.

I will use MFC42 as the example. Open VC6 and create an MFC dialog application with the default settings. At the start of the "OK" button's handler, OnOK(), write this line:

__asm int 3


Then build it in Release.

Now debug the program in OD (OllyDbg). Do not ignore the INT3 exception, press F9 to run, click "OK", and OD breaks immediately.

OD builds nowadays usually ship with the StrongOD plugin, and the same setting has to be made in StrongOD's options as well, as follows:


Look at the stack:

```text
0012F8C0  73D323EB  返回到 mfc42.73D323EB
0012F8C4  73DCF07C  offset mfc42.#CDialog::messageMap_4234
```

Go to mfc42.73D323EB and have a look:

```text
73D323E5  8B4D 08    mov ecx,dword ptr ss:[ebp+0x8]
73D323E8  FF55 14    call dword ptr ss:[ebp+0x14]    ; this is the CALL into the user function
73D323EB  EB 7F      jmp short mfc42.73D3246C        ; this is the mfc42.73D323EB seen on the stack
```

The target of the `CALL [EBP+14]` whose return address is 73D323EB is our OnOK(). Remember this address.

Press Alt+E to open the module list and double-click the MFC42.dll row; that takes you to the .text section of MFC42.DLL. Now press Ctrl+F, type CALL [EBP+0X14], and press Enter. The search results are:

```text
73D323BA  FF55 14       call dword ptr ss:[ebp+0x14]     ; result 1
73D323BD  E9 A          jmp mfc42.73D3246A
73D323C2  8B45 18       mov eax,dword ptr ss:[ebp+0x18]
73D323C5  FF30          push dword ptr ds:[eax]          ; RevOnOK.00
73D323C7  8B4D 08       mov ecx,dword ptr ss:[ebp+0x8]
73D323CA  FF70 04       push dword ptr ds:[eax+0x4]      ; RevOnOK.00
73D323CD  FF55 14       call dword ptr ss:[ebp+0x14]     ; result 2
73D323D0  E9            jmp mfc42.73D3246C
73D323D5  8B4D 08       mov ecx,dword ptr ss:[ebp+0x8]
73D323D8  FF55 14       call dword ptr ss:[ebp+0x14]     ; result 3
73D323DB  E9 8A000000   jmp mfc42.73D3246A
73D323E0  FF75 0C       push dword ptr ss:[ebp+0xC]
73D323E3  EB 45         jmp short mfc42.73D3242A
73D323E5  8B4D 08       mov ecx,dword ptr ss:[ebp+0x8]
73D323E8  FF55 14       call dword ptr ss:[ebp+0x14]     ; result 4
73D323EB  EB 7F         jmp short mfc42.73D3246C
73D323ED  FF75 0C       push dword ptr ss:[ebp+0xC]
73D323F0  EB 2D         jmp short mfc42.73D3241F
73D323F2  8B45 18       mov eax,dword ptr ss:[ebp+0x18]
73D323F5  FF30          push dword ptr ds:[eax]          ; RevOnOK.00
73D323F7  8B4D 08       mov ecx,dword ptr ss:[ebp+0x8]
73D323FA  FF70 04       push dword ptr ds:[eax+0x4]      ; RevOnOK.00
73D323FD  FF75 0C       push dword ptr ss:[ebp+0xC]
73D32400  FF55 14       call dword ptr ss:[ebp+0x14]     ; result 5
```

Now let's see the method in use.

Pick any MFC42 CrackMe and load it in OD. If it is packed, never mind; just press F9, then Alt+E, double-click MFC42.DLL, Ctrl+F, type CALL [EBP+14], and press F2 to set a breakpoint at the first address found.

Click the CrackMe's OK button; OD breaks. Press F2 to remove the breakpoint, then F7.

This is the button's handler function. You can start analysing it.

If you have followed my steps, you should also understand my reasoning.

The signature for MFC42.DLL is the instruction CALL [EBP+14].

Incidentally, every button control's handler OnXXXClick() passes through here. So does an edit control's OnChange(), the messages of many other controls such as a CheckBox, and even OnClose(). Why? Because the MFC framework's message dispatch is grouped by the parameter-type signature (template) of the handler. If that is not clear, don't worry about it; just remember the method.

Moreover, the method works for every MFC program, MFC71D, MFC90U and so on, including statically linked ones, and for Delphi programs as well; once you grasp the principle the approach is much the same. As for what each one's "signature" is, go and find it yourself.

Verification

Write the following code in OnOK:

::SetWindowText(GetDlgItem(IDC_EDIT_TEST)->m_hWnd,"Test");

As described above, set breakpoints at the following places in mfc42.dll:

```text
73D323BA  mfc42  始终  call dword ptr ss:[ebp+0x14]
73D323CD  mfc42  始终  call dword ptr ss:[ebp+0x14]
73D323D8  mfc42  始终  call dword ptr ss:[ebp+0x14]
73D323E8  mfc42  始终  call dword ptr ss:[ebp+0x14]
73D32400  mfc42  始终  call dword ptr ss:[ebp+0x14]
```

Press F9, click the OK button, and it breaks here:

```text
73D323E8  FF55 14    call dword ptr ss:[ebp+0x14]    ; result 4
```

Press F7 and you arrive at the OnOK handler:

```text
00        .  68 20 30 40 0>  ascii "h 0@",0
00        .  68 E            push 0x3E8
0040148A  .  E8              call <jmp.&MFC42.#CWnd::GetDlgItem_3092>
0040148F  .  8B40 20         mov eax,dword ptr ds:[eax+0x20]                ; |RevOnOK.0040157A
00        .  50              push eax                                       ; |hWnd = 00
00        .  FF15 D0         call dword ptr ds:[<&USER32.SetWindowTextA>]   ; \SetWindowTextA
00        .  C3              retn
```

I also tried this under VS2005; it does not apply there, so I had to give up!!!

Algorithm of a certain application (IDA decompilation)

Resource ID (1)

MENUITEM "导出数据(&E)", 32783

As you can see, this is a menu item; its ID is 32783 (0x800F in hex).

In IDA, search for the immediate value with Find all occurrences ticked.


Double-click the search hit and scroll upwards, arriving at:


Following the method in the CSDN post "使用IDA定位基于MFC的CrackMe的按钮函数—–实践篇(一)" (Locating the button handlers of an MFC-based CrackMe with IDA, practice part 1), right-click in Local types and insert the following AFX_MSGMAP_ENTRY and AFX_MSGMAP structs:


```c
struct AFX_MSGMAP_ENTRY
{
    UINT nMessage;
    UINT nCode;
    UINT nID;
    UINT nLastID;
    UINT_PTR nSig;
    void (*pfn)(void);
};

struct AFX_MSGMAP
{
    const AFX_MSGMAP *(__stdcall *pfnGetBaseMap)();
    const AFX_MSGMAP_ENTRY *lpEntries;
};
```

Right-click and synchronise to the IDB.


Then press Alt+Q and apply AFX_MSGMAP and AFX_MSGMAP_ENTRY to the corresponding locations.


Message map table
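As an added example (not code from the original post), here is a small Python parser for the x86 AFX_MSGMAP_ENTRY layout that the structs above describe. It walks a raw dump of a message-map table up to the END_MESSAGE_MAP terminator, resolves which handler a WM_COMMAND with a given control ID (the 32783 / 0x800F menu item or the 1363 / 0x553 button discussed on this page) dispatches to, and groups handlers by nSig, the signature index that selects the dispatch case containing the CALL [EBP+14]. The table bytes, base address, nSig values and handler addresses are constructed for the demo.

```python
import struct

# One x86 AFX_MSGMAP_ENTRY: six 32-bit fields, 24 bytes, in the order used by the
# struct inserted into IDA's Local types (nMessage, nCode, nID, nLastID, nSig, pfn).
ENTRY_FMT = "<IIIIII"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)

WM_COMMAND = 0x0111   # ON_COMMAND / ON_BN_CLICKED entries carry this message
WM_CLOSE = 0x0010
CN_COMMAND = 0        # nCode of a plain command notification (BN_CLICKED is also 0)
AFXSIG_END = 0        # nSig of the END_MESSAGE_MAP terminator entry


def parse_msgmap_entries(blob, base_va):
    """Parse a raw dump of an AFX_MSGMAP_ENTRY array located at base_va.
    Returns one dict per entry, stopping at the terminator (nSig == AfxSig_end)
    or at the end of the dump."""
    entries = []
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        msg, code, nid, last, sig, pfn = struct.unpack_from(ENTRY_FMT, blob, off)
        if sig == AFXSIG_END:
            break
        entries.append({"va": base_va + off, "nMessage": msg, "nCode": code,
                        "nID": nid, "nLastID": last, "nSig": sig, "pfn": pfn})
    return entries


def find_command_handler(entries, ctrl_id, code=CN_COMMAND):
    """Return the pfn handling WM_COMMAND for ctrl_id (nID..nLastID ranges
    included, as ON_COMMAND_RANGE produces them), or None if no entry matches."""
    for e in entries:
        if (e["nMessage"] == WM_COMMAND and e["nCode"] == code
                and e["nID"] <= ctrl_id <= e["nLastID"]):
            return e["pfn"]
    return None


def handlers_by_sig(entries):
    """Group handler addresses by nSig. Entries sharing a signature are invoked
    through the same case of MFC's dispatch switch, which is why one
    CALL [EBP+14] in mfc42.dll catches buttons, edit boxes and OnClose alike."""
    groups = {}
    for e in entries:
        groups.setdefault(e["nSig"], []).append(e["pfn"])
    return groups


# Constructed sample table (not from the target binary): a single-ID menu command,
# a single-ID button, a command range, a WM_CLOSE entry, then the terminator.
SAMPLE_BASE = 0x0044A000
SAMPLE_MAP = b"".join(struct.pack(ENTRY_FMT, *e) for e in [
    (WM_COMMAND, CN_COMMAND, 32783, 32783, 12, 0x00401230),  # menu item 0x800F
    (WM_COMMAND, CN_COMMAND, 1363, 1363, 12, 0x00401300),    # button 0x553
    (WM_COMMAND, CN_COMMAND, 1000, 1010, 13, 0x00401400),    # ON_COMMAND_RANGE style
    (WM_CLOSE, 0, 0, 0, 12, 0x004013F0),                     # OnClose
    (0, 0, 0, 0, AFXSIG_END, 0),                             # END_MESSAGE_MAP
])

if __name__ == "__main__":
    ents = parse_msgmap_entries(SAMPLE_MAP, SAMPLE_BASE)
    for e in ents:
        print("%08X msg=%04X id=%d..%d sig=%d -> %08X"
              % (e["va"], e["nMessage"], e["nID"], e["nLastID"], e["nSig"], e["pfn"]))
    print("handler for ID 32783: %#x" % find_command_handler(ents, 32783))
```

On a real target the dump would be taken from the address IDA shows for lpEntries; only the x86 24-byte layout is handled here, since x64 builds widen nSig and pfn to 8 bytes.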


The button handler is sub_; enter it and press F5:

```c
int __thiscall sub_(_DWORD *this)
{
  sub_(this);
  return AfxMessageBox(0x5B9Bu, 0, 0xFFFFFFFF);
}
```

So the actual handler is sub_:

```c
int __thiscall sub_(_DWORD *this)
{
  _DWORD *v1; // edi@1
  float v2; // esi@1
  int v3; // ebx@1
  const char *filename; // eax@2
  FILE *fd; // ebp@2
  int v6; // eax@4
  double v7; // ST10_8@4
  const char *v8; // eax@4
  const char *v9; // eax@8
  FILE *v10; // eax@8
  float v11; // ebp@9
  signed int v12; // esi@10
  const char *v13; // eax@12
  char v15; // [sp+40h] [bp-54h]@1
  float v16; // [sp+44h] [bp-50h]@3
  char v17; // [sp+48h] [bp-4Ch]@1
  char v18; // [sp+4Ch] [bp-48h]@1
  FILE *File; // [sp+50h] [bp-44h]@4
  int v20; // [sp+90h] [bp-4h]@1

  v1 = this;
  ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v18);
  v2 = 0.0;
  v20 = 0;
  ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v15);
  ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v17);
  v3 = v1[5602];
  LOBYTE(v20) = 2;
  if ( v1[5335] )
  {
    ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(&v18, "%s_%d.txt", v1 + 5617, v1[5329]);
    filename = (const char *)ATL::CSimpleStringT<char,1>::operator char const *(&v18);
    fd = fopen(filename, "wt");
    if ( fd )
    {
      v16 = 0.0;
      if ( v3 > 0 )
      {
        do
        {
          ATL::CSimpleStringT<char,1>::Empty(&v15);
          v6 = v1[5335];
          v7 = *(double *)(v6 + 8 * LODWORD(v2));
          *(float *)&File = .0 / *(double *)(v6 + 8 * v3 + 8) * (double)SLODWORD(v16) + (double)(signed int)v1[5599];
          ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(&v15, "%-8.1f %-8.3f \n", File, v7);
          v8 = (const char *)ATL::CSimpleStringT<char,1>::operator char const *(&v15);
          fprintf(fd, v8);
          ++LODWORD(v2);
          v16 = v2;
        }
        while ( SLODWORD(v2) < v3 );
      }
      fclose(fd);
    }
  }
  else if ( !v1[190] )
  {
    if ( v1[5334] )
    {
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(&v18, "%s.txt", v1 + 5617);
      v9 = (const char *)ATL::CSimpleStringT<char,1>::operator char const *(&v18);
      *(float *)&v10 = COERCE_FLOAT(fopen(v9, "wt"));
      File = v10;
      if ( *(float *)&v10 != 0.0 )
      {
        v11 = 0.0;
        v16 = 0.0;
        if ( v3 > 0 )
        {
          do
          {
            ATL::CSimpleStringT<char,1>::Empty(&v15);
            v16 = .0 / (double)*(signed int *)(*(_DWORD *)v1[5334] + 4 * v3 + 4) * (double)SLODWORD(v16) + (double)(signed int)v1[5599];
            ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(&v17, "%-8.1f", v16);
            ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::operator+=(&v15, &v17);
            v12 = 0;
            do
            {
              ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(
                &v17,
                "%-8d",
                *(_DWORD *)(*(_DWORD *)(v1[5334] + v12) + 4 * LODWORD(v11)));
              ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::operator+=(&v15, &v17);
              v12 += 4;
            }
            while ( v12 < 24 );
            ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::operator+=(&v15, &unk_447A00);
            v13 = (const char *)ATL::CSimpleStringT<char,1>::operator char const *(&v15);
            fprintf(File, v13);
            ++LODWORD(v11);
            v16 = v11;
          }
          while ( SLODWORD(v11) < v3 );
          v10 = File;
        }
        fclose(v10);
      }
    }
  }
  ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v17);
  ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v15);
  return ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v18);
}
```

Resource ID (2)

Dialog: 102:052

CONTROL "浏览工程文件", 1363, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 68, 1, 60, 21 , 0x00000200

As you can see, this is a push button; its ID is 1363 (0x0553 in hex).

In IDA, search for the immediate value with Find all occurrences ticked.


Find the code that opens the file dialog, which reads:

```c
if ( CFileDialog::DoModal((CFileDialog *)&v32) == 1 )
{
  ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v20);
  LOBYTE(v33) = 3;
  v5 = CFileDialog::GetPathName(&v32, &v21);
  LOBYTE(v33) = 4;
  ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::operator=(&v20, v5);
  LOBYTE(v33) = 3;
  ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v21);
  v19 = v6;
  v21 = &v19;
  ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v19, &v20);
  sub_((char)v19);
  ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::LoadStringA(&v23, 22431);
  ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v22);
  LOBYTE(v33) = 5;
  ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(&v22, "%s", v20);
  v7 = ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::ReverseFind(&v22, 92);
  ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Left(&v22, &v27, v7 + 1);
  LOBYTE(v33) = 6;
  v19 = (const char *)(ATL::CSimpleStringT<char,1>::GetLength(&v22) - v7 - 1);
  ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Right(&v22, &v24, v19);
  LOBYTE(v33) = 7;
  v8 = ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::ReverseFind(&v24, 46);
```

Note the function called in there:

sub_((void *)v1, (char)v18);

Stepping into it shows that it is the relevant one:

```c
void __thiscall sub_(void *this, char a2)
{
  char v2; // bl@1
  const char *v3; // eax@1
  FILE *v4; // eax@1
  FILE *v5; // ebp@1
  int v6; // esi@4
  int v7; // eax@4
  int v8; // eax@4
  int v9; // eax@4
  int v10; // eax@4
  const char *v11; // eax@4
  FILE *v12; // esi@4
  int v13; // ecx@5
  signed int v14; // eax@5
  char v15; // dl@6
  int v16; // [sp-14h] [bp-1A8h]@8
  int v17; // [sp-10h] [bp-1A4h]@8
  int v18; // [sp-Ch] [bp-1A0h]@8
  int v19; // [sp-8h] [bp-19Ch]@8
  const char *v20; // [sp-4h] [bp-198h]@4
  char v21; // [sp+14h] [bp-180h]@13
  unsigned __int8 v22; // [sp+15h] [bp-17Fh]@5
  unsigned __int8 v23; // [sp+16h] [bp-17Eh]@5
  unsigned __int8 v24; // [sp+17h] [bp-17Dh]@5
  char v25; // [sp+18h] [bp-17Ch]@4
  char v26; // [sp+1Ch] [bp-178h]@4
  __int16 v27; // [sp+20h] [bp-174h]@3
  char v28; // [sp+24h] [bp-170h]@4
  int v29; // [sp+28h] [bp-16Ch]@5
  char v30; // [sp+2Dh] [bp-167h]@5
  char v31; // [sp+2Eh] [bp-166h]@3
  char v32; // [sp+2Fh] [bp-165h]@3
  __int16 v33[2]; // [sp+30h] [bp-164h]@5
  unsigned __int16 v34; // [sp+34h] [bp-160h]@5
  unsigned __int16 v35; // [sp+38h] [bp-15Ch]@5
  int i; // [sp+3Ch] [bp-158h]@3
  char v37[4]; // [sp+40h] [bp-154h]@5
  char v38; // [sp+44h] [bp-150h]@4
  void *v39; // [sp+48h] [bp-14Ch]@1
  char v40; // [sp+4Ch] [bp-148h]@4
  int v41; // [sp+50h] [bp-144h]@3
  char v42; // [sp+54h] [bp-140h]@5
  char v43; // [sp+58h] [bp-13Ch]@4
  char v44; // [sp+5Ch] [bp-138h]@4
  char v45; // [sp+60h] [bp-134h]@4
  char v46; // [sp+64h] [bp-130h]@5
  char v47; // [sp+68h] [bp-12Ch]@5
  char v48[24]; // [sp+6Ch] [bp-128h]@6
  char v49[24]; // [sp+84h] [bp-110h]@6
  char v50[24]; // [sp+9Ch] [bp-F8h]@6
  char v51[24]; // [sp+B4h] [bp-E0h]@6
  char v52[24]; // [sp+CCh] [bp-C8h]@6
  int v53; // [sp+E4h] [bp-B0h]@7
  char v54; // [sp+E8h] [bp-ACh]@7
  char v55[24]; // [sp+FCh] [bp-98h]@6
  int v56; // [sp+114h] [bp-80h]@7
  int v57; // [sp+118h] [bp-7Ch]@7
  int v58; // [sp+11Ch] [bp-78h]@7
  int v59; // [sp+120h] [bp-74h]@5
  int v60; // [sp+124h] [bp-70h]@7
  int v61; // [sp+128h] [bp-6Ch]@7
  int v62; // [sp+12Ch] [bp-68h]@7
  int v63; // [sp+130h] [bp-64h]@7
  int v64; // [sp+134h] [bp-60h]@7
  int v65; // [sp+138h] [bp-5Ch]@7
  int v66; // [sp+13Ch] [bp-58h]@7
  int v67; // [sp+140h] [bp-54h]@7
  int v68; // [sp+144h] [bp-50h]@7
  int v69; // [sp+148h] [bp-4Ch]@7
  int v70; // [sp+14Ch] [bp-48h]@7
  int v71; // [sp+150h] [bp-44h]@7
  char v72; // [sp+154h] [bp-40h]@4
  char v73[12]; // [sp+160h] [bp-34h]@5
  char v74[12]; // [sp+16Ch] [bp-28h]@3
  char DstBuf[12]; // [sp+178h] [bp-1Ch]@3
  int v76; // [sp+190h] [bp-4h]@1

  v39 = this;
  v2 = 0;
  v76 = 0;
  v3 = (const char *)ATL::CSimpleStringT<char,1>::operator char const *(&a2);
  v4 = fopen(v3, "rb");
  v5 = v4;
  if ( v4 )
  {
    fread(DstBuf, 1u, 0xCu, v4);
    fread(v74, 1u, 0xCu, v5);
    fread(&v41, 1u, 4u, v5);
    fread(&v31, 1u, 1u, v5);
    fread(&v27, 2u, 1u, v5);
    fread(&v32, 1u, 1u, v5);
    for ( i = 0; i < v27; ++i )
    {
      fread(&v72, 1u, 0xCu, v5);
      v6 = ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::ReverseFind(&a2, 46);
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v38, &unk_444E20);
      LOBYTE(v76) = 1;
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Left(&a2, &v25, v6);
      LOBYTE(v76) = 2;
      v7 = sub_404F80((int)&v43, (int)&v25, (int)&v38);
      LOBYTE(v76) = 3;
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::operator=(&v25, v7);
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v43);
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v28);
      v20 = &v72;
      LOBYTE(v76) = 4;
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(&v28, "%s", &v72);
      v8 = sub_((int)&v45, (int)&v28, (int)".dat");
      LOBYTE(v76) = 5;
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::operator=(&v28, v8);
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v45);
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v26);
      v20 = &v72;
      LOBYTE(v76) = 6;
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::Format(&v26, "%s", &v72);
      v9 = sub_((int)&v40, (int)&v26, (int)".mrt");
      LOBYTE(v76) = 7;
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::operator=(&v26, v9);
      LOBYTE(v76) = 6;
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v40);
      v10 = sub_404F80((int)&v44, (int)&v25, (int)&v28);
      v20 = "rb";
      v11 = (const char *)ATL::CSimpleStringT<char,1>::operator char const *(v10);
      v12 = fopen(v11, v20);
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v44);
      if ( v12 )
      {
        fread(v73, 1u, 0xCu, v12);
        fread(&v34, 2u, 1u, v12);
        fread(&v35, 2u, 1u, v12);
        fread(&v30, 1u, 1u, v12);
        fread(&v42, 2u, 1u, v12);
        fread(&v46, 2u, 1u, v12);
        fread(v33, 2u, 1u, v12);
        fread(&v22, 1u, 1u, v12);
        fread(&v23, 1u, 1u, v12);
        fread(v37, 2u, 1u, v12);
        fread(&v24, 1u, 1u, v12);
        fread(&v47, 4u, 1u, v12);
        v13 = v24;
        v29 = v22;
        v59 = 0;
        v14 = 0;
        do
        {
          v15 = DstBuf[v14];
          v51[v14] = v2;
          v55[v14] = v2;
          v50[v14] = v2;
          v48[v14] = v15;
          v49[v14] = v73[v14];
          v52[v14] = v74[v14];
          ++v14;
        }
        while ( v14 < 12 );
        v53 = v41;
        v57 = v34;
        v56 = v35;
        v54 = v2;
        v60 = 1;
        v61 = 5;
        v62 = 20;
        v63 = 45;
        v64 = 80;
        v65 = 125;
        v66 = 180;
        v67 = 250;
        v68 = 320;
        v69 = 405;
        v70 = 500;
        v71 = 100;
        v55[0] = (v22 != 1) + 49;
        v58 = 10000 / (unsigned __int16)v33[0];
        if ( v13 == 1 )
        {
          v20 = (const char *)v29;
          v19 = v23;
          v18 = *(_DWORD *)v37;
          v17 = 1;
          v16 = *(_DWORD *)v37;
          v29 = (int)&v16;
          sub_404F80((int)&v16, (int)&v25, (int)&v26);
          sub_406E80(v33[0], v48, v12, v16, v17, v18, v19, (int)v20);
        }
        else
        {
          v20 = (const char *)v29;
          v19 = v23;
          v18 = *(_DWORD *)v37;
          v17 = v13;
          v16 = v13;
          v29 = (int)&v16;
          sub_404F80((int)&v16, (int)&v25, (int)&v26);
          sub_(v33[0], v48, v12, v16, v17, v18, v19, (int)v20);
        }
        v2 = 0;
      }
      fclose(v12);
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v26);
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v28);
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v25);
      LOBYTE(v76) = v2;
      ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&v38);
    }
    fclose(v5);
    ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&a2);
  }
  else
  {
    ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&a2);
  }
  sub_(v21);
}
```

Finally, by rights the code we want should be in `sub_`, but I did not manage to find it there:

```c
int __stdcall sub_(__int16 a1, void *a2, FILE *File, char a4, int a5, __int16 a6, int a7, int a8)
{
  const char *v8; // eax@1
  FILE *v9; // eax@1
  FILE *v10; // ebx@1
  void (__cdecl *v11)(const void *, size_t, size_t, FILE *); // ebp@2
  int v12; // esi@2
  int v13; // ebp@4
  int v14; // edi@5
  int v15; // esi@6
  int v16; // ecx@7
  __int16 v17; // ax@9
  double v18; // st5@10
  int v19; // eax@10
  signed int v20; // ecx@12
  int v21; // eax@12
  int v22; // ebx@18
  int v23; // esi@19
  int v24; // ecx@20
  __int16 v25; // ax@22
  __int16 v26; // di@22
  double v27; // st5@23
  int v28; // eax@23
  double v29; // st5@25
  int v30; // eax@25
  double v31; // st5@27
  int v32; // eax@27
  signed int v33; // ecx@29
  int v34; // eax@29
  int v35; // esi@39
  char Str; // [sp+Bh] [bp-203Dh]@2
  int v38; // [sp+Ch] [bp-203Ch]@2
  int v39; // [sp+10h] [bp-2038h]@4
  int v40; // [sp+14h] [bp-2034h]@10
  int v41; // [sp+18h] [bp-2030h]@23
  int v42; // [sp+1Ch] [bp-202Ch]@2
  int DstBuf; // [sp+20h] [bp-2028h]@2
  int v44; // [sp+24h] [bp-2024h]@2
  int v45; // [sp+28h] [bp-2020h]@2
  int v46; // [sp+2Ch] [bp-201Ch]@2
  int v47; // [sp+30h] [bp-2018h]@2
  FILE *v48; // [sp+34h] [bp-2014h]@1
  int v49; // [sp+38h] [bp-2010h]@18
  int v50; // [sp+3Ch] [bp-200Ch]@2
  int v51; // [sp+40h] [bp-2008h]@3
  int v52; // [sp+44h] [bp-2004h]@2
  int v53; // [sp+48h] [bp-2000h]@17
  int v54; // [sp+4Ch] [bp-1FFCh]@17
  char v55; // [sp+50h] [bp-1FF8h]@17
  int v56; // [sp+54h] [bp-1FF4h]@17
  int v57; // [sp+64h] [bp-1FE4h]@4
  int v58[1016]; // [sp+68h] [bp-1FE0h]@14
  int v59; // [sp+1048h] [bp-1000h]@34
  int v60; // [sp+104Ch] [bp-FFCh]@34
  char v61; // [sp+1050h] [bp-FF8h]@34
  int v62; // [sp+1054h] [bp-FF4h]@34
  int v63; // [sp+1064h] [bp-FE4h]@4
  int v64[1016]; // [sp+1068h] [bp-FE0h]@31

  v8 = (const char *)ATL::CSimpleStringT<char,1>::operator char const *(&a4);
  v9 = fopen(v8, "wb");
  v10 = v9;
  v48 = v9;
  if ( !v9 )
    goto LABEL_41;
  v11 = (void (__cdecl *)(const void *, size_t, size_t, FILE *))fwrite;
  Str = 77;
  fwrite(&Str, 1u, 1u, v9);
  Str = 71;
  fwrite(&Str, 1u, 1u, v10);
  Str = 53;
  fwrite(&Str, 1u, 1u, v10);
  Str = 49;
  fwrite(&Str, 1u, 1u, v10);
  v52 = 123;
  Str = 48;
  fwrite(&Str, 1u, 4u, v10);
  fwrite(&v52, 4u, 1u, v10);
  fwrite(a2, 0xE8u, 1u, v10);
  fwrite(&Str, 1u, 0x10Cu, v10);
  v12 = a6 / 2;
  v46 = a6 / 2;
  DstBuf = 0;
  v38 = 0;
  v47 = 0;
  v45 = 0;
  v42 = 0;
  v44 = 0;
  v50 = 0;
  if ( a7 <= 0 )
    goto LABEL_38;
  v51 = a7;
  do
  {
    memset(&v63, 0, 0xFA0u);
    v13 = 0;
    memset(&v57, 0, 0xFA0u);
    v39 = 0;
    if ( a8 == 1 )
    {
      v14 = 0;
      if ( v12 > 0 )
      {
        do
        {
          v15 = 2 * v13;
          fread(&DstBuf, 2u, 1u, File);
          fread(&v38, 2u, 1u, File);
          if ( v13 )
          {
            v16 = v44;
          }
          else
          {
            v16 = (signed __int16)DstBuf;
            v44 = (signed __int16)DstBuf;
          }
          v38 -= v16;
          v17 = DstBuf - v16;
          DstBuf -= v16;
          if ( v15 < 999 )
          {
            v40 = v17;
            v18 = (double)v17 / 2828.0 * .0;
            v19 = abs((signed int)v18);
            if ( v14 <= v19 )
            {
              v14 = v19;
              v39 = 2 * v13;
            }
            v40 = (signed __int16)v38;
            *(&v57 + 2 * v13) = (signed int)v18;
            v20 = (signed int)(.0 * ((double)v40 / 2828.0));
            v21 = abs(v20);
            if ( v14 <= v21 )
            {
              v14 = v21;
              v39 = v15 + 1;
            }
            v58[2 * v13] = v20;
          }
          ++v13;
        }
        while ( v13 < v46 );
        v12 = v46;
        v10 = v48;
      }
      v53 = v14;
      v54 = v39;
      v56 = a1;
      v55 = 1;
      fwrite(&v53, 0x1000u, 1u, v10);
      ++v42;
    }
    else
    {
      v22 = 0;
      v49 = 0;
      v40 = 0;
      if ( v12 > 0 )
      {
        do
        {
          v23 = 2 * v39;
          fread(&DstBuf, 2u, 1u, File);
          fread(&v38, 2u, 1u, File);
          fread(&v47, 2u, 1u, File);
          fread(&v45, 2u, 1u, File);
          if ( v39 )
          {
            v24 = v44;
          }
          else
          {
            v24 = (signed __int16)DstBuf;
            v44 = (signed __int16)DstBuf;
            v50 = (signed __int16)v47;
          }
          v38 -= v24;
          v25 = DstBuf - v24;
          v45 -= v50;
          v26 = v47 - v50;
          DstBuf -= v24;
          v47 -= v50;
          if ( v23 < 999 )
          {
            v41 = v25;
            v27 = (double)v25 / 2828.0 * .0;
            v28 = abs((signed int)v27);
            if ( v22 <= v28 )
            {
              v22 = v28;
              v49 = v23;
            }
            *(&v57 + v23) = (signed int)v27;
            v41 = (signed __int16)v38;
            v29 = (double)(signed __int16)v38 / 2828.0 * .0;
            v30 = abs((signed int)v29);
            if ( v22 <= v30 )
            {
              v22 = v30;
              v49 = v23 + 1;
            }
            v41 = v26;
            v58[v23] = (signed int)v29;
            v31 = (double)v41 / 2828.0 * .0;
            v32 = abs((signed int)v31);
            if ( v13 <= v32 )
            {
              v13 = v32;
              v40 = v23;
            }
            *(&v63 + v23) = (signed int)v31;
            v41 = (signed __int16)v45;
            v33 = (signed int)(.0 * ((double)(signed __int16)v45 / 2828.0));
            v34 = abs(v33);
            if ( v13 <= v34 )
            {
              v13 = v34;
              v40 = v23 + 1;
            }
            v64[v23] = v33;
          }
          ++v39;
        }
        while ( v39 < v46 );
        v12 = v46;
      }
      v53 = v22;
      v10 = v48;
      v54 = v49;
      v59 = v13;
      v60 = v40;
      v56 = a1;
      v62 = a1;
      v55 = 1;
      v61 = 1;
      fwrite(&v53, 0x1000u, 1u, v48);
      fwrite(&v59, 0x1000u, 1u, v10);
      v42 += 2;
    }
    --v51;
  }
  while ( v51 );
  if ( v42 < 6 )
  {
    v11 = (void (__cdecl *)(const void *, size_t, size_t, FILE *))fwrite;
LABEL_38:
    memset(&v57, 0, 0xFA0u);
    if ( 6 - v42 > 0 )
    {
      v35 = 6 - v42;
      do
      {
        v53 = 0;
        v54 = 0;
        v56 = a1;
        v55 = 0;
        v11(&v53, 0x1000u, 1u, v10);
        --v35;
      }
      while ( v35 );
    }
  }
LABEL_41:
  fclose(v10);
  return ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>(&a4);
}
```
