分析没有main的exe程序(二)

分析没有main的exe程序

标题	分析没有main的exe程序（二）
关键字	C,汇编
出处	http://blog.csdn.net/heyangbin

上篇用C++和windos sdk搭配，这次不妨试试C++和汇编搭配。工具MASM32或RadAsm(推荐RadAsm)，CMD。首先是一段汇编代码：

.586
.model flat,stdcall
option casemap:none

.data
.code
extern C myentry: near
extern C TerminateProcess@8: near
extern C GetCurrentProcess@0: near

public STARTCODE

STARTCODE PROC NEAR C


callmyentry

push eax
call GetCurrentProcess@0
push eax
call TerminateProcess@8

STARTCODE endp
end STARTCODE

保存为Test.asm，在CMD下键入ML.EXE /c /coff /Cp /nologo /I"C:/RadASM/Masm32/Include" "test.asm"（注C:/RadASM/Masm32/Include路径是函数头文件路径）编译得到Test.obj

下面是一段C++代码：

#include <Windows.h>
intmyentry(void)
{
return0;
}

保存为main.cpp，在CMD下键入CL /cmain.cpp编译得到main.obj

然后输入如下命令：LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"C:/RadASM/Masm32/Lib" /OUT:"test.exe" "test.obj""main.obj"得到test.exe.

下面我们将它反汇编：dumpbin/disasm test.exe得到如下

00401000: E8 1B 00 00 00 call 00401020
00401005: 50push eax
00401006: E8 23 00 00 00 call 0040102E
0040100B: 50 push eax
0040100C: E8 17 00 00 00call 00401028
00401011: CCint 3
00401012: CCint 3
00401013: CC int 3
00401014: CCint 3
00401015: CC int 3
00401016: CC int 3
00401017: CCint 3
00401018: CCint 3
00401019: CCint 3
0040101A: CC int 3
0040101B: CC int 3
0040101C: CC int 3
0040101D: CC int 3
0040101E: CC int 3
0040101F: CC int 3
00401020: 55 push ebp
00401021: 8B EC mov ebp,esp
00401023: 33 C0 xor eax,eax
00401025: 5D pop ebp
00401026: C3 ret
00401027: CC int 3
00401028: FF 25 04 20 40 00 jmp dword ptr ds:[00402004h]
0040102E: FF 25 00 20 40 00 jmp dword ptr ds:[00402000h]
我们可以看到

00401000: E8 1B 00 00 00 call 00401020
00401005: 50push eax
00401006: E8 23 00 00 00 call 0040102E
0040100B: 50 push eax
0040100C: E8 17 00 00 00call 00401028

是Test.asm的实现，代码从00401000执行，call之后进入我们定义的myentry

00401020: 55 push ebp
00401021: 8B EC mov ebp,esp
00401023: 33 C0 xor eax,eax
00401025: 5D pop ebp
00401026: C3 ret
00401027: CC int 3

此段代码是main.cpp的实现，我们可以在main.cpp中添加要实现的代码，而非一定要在main函数中执行。