004015E7 |. 6A 20 push 20 ; /Count = 20 (32.) -- nMaxCount; NOTE(review): this count includes the terminating NUL, so at most 31 chars land in the buffer -- confirm the buffer at 00403242 really is >= 0x20 bytes
004015E9 |. 68 42324000 push 00403242 ; |Buffer = 00403242 (currently holds "bbbb", the second text box)
004015EE |. FF75 0C push dword ptr [ebp+C] ; |hWnd = this function's 2nd stack arg
004015F1 |. E8 34010000 call <jmp.&USER32.GetWindowTextA> ; \GetWindowTextA -- stdcall, via the import thunk at 0040172A; returns the number of copied chars in eax (4 for "bbbb")
执行 GetWindowTextA 后, eax 就是它的返回值: 实际拷贝进缓冲区的字符数(不含结尾的 NUL; 第二个框里是 "bbbb", 所以这里是 4)。要注意!
下面进入GetWindowTextA函数的call
0040172A $- FF25 24204000 jmp dword ptr [<&USER32.GetWindowTex>; USER32.GetWindowTextA -- import thunk: indirect jump through the IAT slot at 00402024
进入
函数内部
76140029 > 6A 08 push 8 ; frame-size argument for the helper below; the push/push/call shape looks like the MSVC _SEH_prolog pattern (presumed, not confirmed here). The mov edi,edi/push ebp/mov ebp,esp entry is above this listing
7614002B 68 98001476 push 76140098 ; presumed scope/handler table address (same SEH guess)
76140030 E8 F060FFFF call 76136125 ; prolog helper; its epilog twin is the call at 76140089
76140035 8B5D 0C mov ebx, dword ptr [ebp+C] ; ebx = lpString (2nd arg)
76140038 33C0 xor eax, eax ; eax = 0
7614003A 3BD8 cmp ebx, eax
7614003C 0F84 48020000 je 7614028A ; lpString == NULL -> bail out (that path is not in this listing)
76140042 3945 10 cmp dword ptr [ebp+10], eax
76140045 0F84 3F020000 je 7614028A ; nMaxCount == 0 -> bail out
7614004B 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = 0 (try-level slot if the SEH guess above is right)
7614004E 8803 mov byte ptr [ebx], al ; *lpString = '\0' first, so the caller's buffer is an empty string even if nothing gets copied below
76140050 8B4D 08 mov ecx, dword ptr [ebp+8] ; ecx = hWnd (1st arg), passed to the helper in a register
76140053 E8 2B61FFFF call 76136183 ; helper returns a pair in eax:edx (presumably resolves the window handle)
76140058 8BF0 mov esi, eax ; esi = low part; used as an object pointer by 7613954C
7614005A 8BFA mov edi, edx ; edi = high part
7614005C 0BC7 or eax, edi
7614005E 0F84 8D190300 je 761719F1 ; both parts zero -> bail out
76140064 57 push edi
76140065 56 push esi
76140066 E8 9A70FFFF call 76137105 ; helper(esi, edi); its result is tested at 76140075
7614006B 6A 01 push 1 ; arg6 = 1
7614006D 53 push ebx ; arg5 = lpString
7614006E FF75 10 push dword ptr [ebp+10] ; arg4 = nMaxCount
76140071 6A 0D push 0D ; arg3 = 0x0D (the value of WM_GETTEXT; the callee range-checks it like a message number)
76140073 57 push edi ; arg2 = edi
76140074 56 push esi ; arg1 = esi
76140075 85C0 test eax, eax ; result of the call at 76140066; note the six args are already pushed
76140077 0F84 03020000 je 76140280 ; helper returned 0 -> alternate path (not in this listing)
7614007D E8 CA94FFFF call 7613954C ; stdcall, 6 args (callee ends with retn 18); eax = text length on return (4 for "bbbb")
76140082 C745 FC FEFFFFF>mov dword ptr [ebp-4], -2 ; try-level = -2, leaving the guarded region (same SEH guess)
76140089 E8 DC60FFFF call 7613616A ; epilog helper (presumed _SEH_epilog)
7614008E C2 0C00 retn 0C ; stdcall: pops the 3 args (hWnd, lpString, nMaxCount); eax still holds the length
F8 单步步过, 发现 7614007D 处的 call 返回后 eax 变为 4 (即 "bbbb" 的字符数, 也就是 7613954C 的返回值)
7614007D E8 CA94FFFF call 7613954C
调试-执行到用户代码,返回,重新步入GetWindowTextA,然后步入7614007D处的CALL
7613954C 8BFF mov edi, edi ; hot-patch nop at function entry
7613954E 55 push ebp
7613954F 8BEC mov ebp, esp ; args as pushed by 7614007D: [ebp+8]=object ptr (esi), [ebp+C]=edi, [ebp+10]=0x0D, [ebp+14]=nMaxCount, [ebp+18]=lpString, [ebp+1C]=1
76139551 83EC 10 sub esp, 10 ; 16 bytes of locals
76139554 53 push ebx
76139555 56 push esi
76139556 8B75 08 mov esi, dword ptr [ebp+8] ; esi = object pointer (arg1)
76139559 8B06 mov eax, dword ptr [esi] ; eax = first dword of the object
7613955B 57 push edi
7613955C 8B7D 10 mov edi, dword ptr [ebp+10] ; edi = message number (arg3, 0x0D here)
7613955F 8945 F8 mov dword ptr [ebp-8], eax ; keep object->[0] for the call at 76139659
76139562 C645 FE 00 mov byte ptr [ebp-2], 0 ; two byte flags, cleared; [ebp-2] is re-read at 7613961B
76139566 C645 FF 00 mov byte ptr [ebp-1], 0
7613956A 81FF E0030000 cmp edi, 3E0
76139570 72 0C jb short 7613957E ; msg < 0x3E0 -> normal path
76139572 81FF E8030000 cmp edi, 3E8
76139578 0F86 B68B0000 jbe 76142134 ; 0x3E0 <= msg <= 0x3E8 -> handled elsewhere
7613957E 8B86 90000000 mov eax, dword ptr [esi+90]
76139584 8945 10 mov dword ptr [ebp+10], eax ; arg3 slot is reused: it now holds object->[+0x90]
76139587 E8 4BDBFFFF call 761370D7 ; returns a pair in eax:edx
7613958C 3B46 10 cmp eax, dword ptr [esi+10]
7613958F 0F85 9F8B0000 jnz 76142134 ; the pair must equal object->[+0x10]:[+0x14] (presumably an ownership/thread identity check)
76139595 3B56 14 cmp edx, dword ptr [esi+14]
76139598 0F85 968B0000 jnz 76142134
7613959E 8A46 2A mov al, byte ptr [esi+2A] ; al = flag byte at object+0x2A
761395A1 A8 04 test al, 4
761395A3 0F85 8B8B0000 jnz 76142134 ; bit 2 set -> slow path
761395A9 64:8B0D 1800000>mov ecx, dword ptr fs:[18] ; ecx = TEB (fs:[18] is the TEB self pointer)
761395B0 8B89 700F0000 mov ecx, dword ptr [ecx+F70] ; per-thread structure reached from the TEB (not identifiable from this listing)
761395B6 8B91 20080000 mov edx, dword ptr [ecx+820]
761395BC 8B52 18 mov edx, dword ptr [edx+18]
761395BF 0B91 38080000 or edx, dword ptr [ecx+838] ; edx = combined flag words
761395C5 81C1 00080000 add ecx, 800 ; ecx += 0x800; the result is never used before ecx is zeroed at 761395DC
761395CB F7C2 20200000 test edx, 2020
761395D1 0F85 5D8B0000 jnz 76142134 ; bit 0x20 or 0x2000 set -> slow path
761395D7 C0E8 03 shr al, 3
761395DA F6D0 not al
761395DC 33C9 xor ecx, ecx
761395DE 33DB xor ebx, ebx
761395E0 83E0 01 and eax, 1 ; eax = NOT(bit 3 of object+0x2A), i.e. 0 or 1
761395E3 395D 1C cmp dword ptr [ebp+1C], ebx
761395E6 0F94C1 sete cl ; cl = (arg6 == 0)
761395E9 3BC8 cmp ecx, eax
761395EB 0F85 25B30000 jnz 76144916 ; (arg6 == 0) != (bit 3 clear) -> out-of-line path
761395F1 8B9E 98000000 mov ebx, dword ptr [esi+98]
761395F7 2B5E 20 sub ebx, dword ptr [esi+20]
761395FA 8B86 9C000000 mov eax, dword ptr [esi+9C]
76139600 1B46 24 sbb eax, dword ptr [esi+24] ; 64-bit: eax:ebx = object[+0x9C:+0x98] - object[+0x24:+0x20]
76139603 03DE add ebx, esi
76139605 1345 0C adc eax, dword ptr [ebp+C] ; 64-bit: eax:ebx += arg2:esi
76139608 895D F0 mov dword ptr [ebp-10], ebx ; 64-bit result kept in [ebp-10]:[ebp-C]
7613960B 8945 F4 mov dword ptr [ebp-C], eax
7613960E E8 D3CBFFFF call 761361E6
76139613 85C0 test eax, eax
76139615 0F84 ADAF0200 je 761645C8 ; helper returned 0 -> out-of-line path
7613961B 807D FE 00 cmp byte ptr [ebp-2], 0
7613961F 0F85 0F8B0000 jnz 76142134 ; local flag was set (by a helper, via the frame) -> slow path
76139625 8D9F C0FDFFFF lea ebx, dword ptr [edi-240]
7613962B 83FB 0F cmp ebx, 0F
7613962E 0F86 D1B10200 jbe 76164805 ; 0x240 <= msg <= 0x24F -> out-of-line path
76139634 81FF 19010000 cmp edi, 119
7613963A 0F84 D5B10200 je 76164815 ; msg == 0x119 -> out-of-line path
76139640 6A 01 push 1 ; arg8 = 1
76139642 8D46 28 lea eax, dword ptr [esi+28]
76139645 50 push eax ; arg7 = &object->[+0x28]
76139646 FF75 18 push dword ptr [ebp+18] ; arg6 = lpString
76139649 FF75 14 push dword ptr [ebp+14] ; arg5 = nMaxCount
7613964C 57 push edi ; arg4 = msg
7613964D FF75 F8 push dword ptr [ebp-8] ; arg3 = object->[0]
76139650 FF75 10 push dword ptr [ebp+10] ; arg2 = object->[+0x90] (the overwritten arg3 slot)
76139653 FFB6 08010000 push dword ptr [esi+108] ; arg1 = object->[+0x108]
76139659 E8 25D6FFFF call 76136C83 ; 8 args; eax = text length on return (4 for "bbbb") and is passed straight back to the caller
7613965E 8B0D 38011A76 mov ecx, dword ptr [761A0138] ; global pointer
76139664 F601 02 test byte ptr [ecx], 2
76139667 0F85 C3B10200 jnz 76164830 ; bit 1 of the pointed-to byte set -> out-of-line path
7613966D 5F pop edi
7613966E 5E pop esi
7613966F 5B pop ebx
76139670 C9 leave
76139671 C2 1800 retn 18 ; stdcall, 6 args (0x18 bytes)
F8单步步过,发现执行到76139659处eax变为4
76139659 E8 25D6FFFF call 76136C83
进入76139659的call,重复执行发现在76136D35处,eax变为4
76136D35 E8 9DF5FFFF call 761362D7
重复执行发现在761362F7处,eax变为4
761362F7 FF55 08 call dword ptr [ebp+8]
继续步入
重复执行发现在761516D2处,eax变为4
761516D2 E8 0B000000 call 761516E2
继续步入
重复执行发现在76151749处,eax变为4
76151749 E8 0C000000 call EditWndProc
7615173E FF75 18 push dword ptr [ebp+18] ; arg5 = this frame's [ebp+18]
76151741 FF75 14 push dword ptr [ebp+14] ; arg4 = this frame's [ebp+14]
76151744 51 push ecx ; arg3 = ecx (the value EditWndProc dispatches on at 76151762)
76151745 FF75 0C push dword ptr [ebp+C] ; arg2 = this frame's [ebp+C]
76151748 56 push esi ; arg1 = esi (object pointer; becomes edi in the callee)
76151749 E8 0C000000 call EditWndProc ; 5 stack args (the callee returns with retn 14), so this is NOT the 4-arg WNDPROC signature
网上能查到的同名函数 EditWndProc 的原型如下。注意: 这段 C 代码来自 Wine 的 monthcal.c, 是月历控件对年份编辑框做子类化时用的窗口过程, 和这里 user32 里的 EditWndProc 并不是同一个函数; 而且上面 7615173E–76151749 一共压了 5 个参数, 7615175A 处的函数以 retn 14 返回, 说明它有 5 个栈参数, 并不是 4 参数的标准 WNDPROC, 所以下面的函数体不能拿来对照分析:
static LRESULT CALLBACK EditWndProc ( HWND hwnd,
UINT uMsg,
WPARAM wParam,
LPARAM lParam
)
/* 定义于 Wine monthcal.c 第 2014 行, 由 MONTHCAL_EditYear() 引用; 与 user32 的 EditWndProc 无关 */
{
MONTHCAL_INFO *infoPtr = (MONTHCAL_INFO *)GetWindowLongPtrW(GetParent(hwnd), 0);
TRACE("(hwnd=%p, uMsg=%x, wParam=%lx, lParam=%lx)\n",
hwnd, uMsg, wParam, lParam);
switch (uMsg)
{
case WM_GETDLGCODE:
return DLGC_WANTARROWS | DLGC_WANTALLKEYS;
case WM_DESTROY:
{
WNDPROC editProc = infoPtr->EditWndProc;
infoPtr->EditWndProc = NULL;
SetWindowLongPtrW(hwnd, GWLP_WNDPROC, (DWORD_PTR)editProc);
return CallWindowProcW(editProc, hwnd, uMsg, wParam, lParam);
}
case WM_KILLFOCUS:
break;
case WM_KEYDOWN:
if ((VK_ESCAPE == (INT)wParam) || (VK_RETURN == (INT)wParam))
break;
default:
return CallWindowProcW(infoPtr->EditWndProc, hwnd, uMsg, wParam, lParam);
}
SendMessageW(infoPtr->hWndYearUpDown, WM_CLOSE, 0, 0);
SendMessageW(hwnd, WM_CLOSE, 0, 0);
继续步入EditWndProc在OD中的信息
7615175A > 8BFF mov edi, edi ; hot-patch nop; 5 stack args: [ebp+8] object ptr, [ebp+C], [ebp+10] dispatch value, [ebp+14], [ebp+18]
7615175C 55 push ebp
7615175D 8BEC mov ebp, esp
7615175F 83EC 20 sub esp, 20 ; 32 bytes of locals
76151762 8B4D 10 mov ecx, dword ptr [ebp+10] ; ecx = arg3; the constants compared below (0x81, 0xBA, 0xC5..0xD0) are consistent with an EM_*/WM_* message number (presumed)
76151765 53 push ebx
76151766 56 push esi
76151767 57 push edi
76151768 8B7D 08 mov edi, dword ptr [ebp+8] ; edi = object pointer (arg1)
7615176B 8B07 mov eax, dword ptr [edi] ; eax = object->[0]
7615176D 8BB7 28010000 mov esi, dword ptr [edi+128] ; esi = object->[+0x128]; may be NULL (checked at 761517CF)
76151773 33DB xor ebx, ebx
76151775 8945 F8 mov dword ptr [ebp-8], eax ; keep object->[0] for the call at 761517EA
76151778 43 inc ebx ; ebx = 1
76151779 B8 D0000000 mov eax, 0D0
7615177E 895D FC mov dword ptr [ebp-4], ebx ; [ebp-4] = 1: default return value (loaded at 761517F2)
76151781 3BC8 cmp ecx, eax
76151783 0F87 43080000 ja 76151FCC ; arg3 > 0xD0
76151789 0F84 1E8D0000 je 7615A4AD ; arg3 == 0xD0
7615178F 83C0 B1 add eax, -4F ; eax = 0x81
76151792 3BC8 cmp ecx, eax
76151794 76 66 jbe short 761517FC ; arg3 <= 0x81 -> code after this listing (the function continues past the retn at 761517F9)
76151796 B8 BA000000 mov eax, 0BA
7615179B 3BC8 cmp ecx, eax
7615179D 0F86 D9100000 jbe 7615287C ; 0x82..0xBA
761517A3 8BC1 mov eax, ecx
761517A5 2D C5000000 sub eax, 0C5
761517AA 0F84 FF070000 je 76151FAF ; == 0xC5
761517B0 48 dec eax
761517B1 0F84 D28C0000 je 7615A489 ; == 0xC6
761517B7 83E8 06 sub eax, 6
761517BA 0F84 D48A0000 je 7615A294 ; == 0xCC
761517C0 48 dec eax
761517C1 0F84 B18C0000 je 7615A478 ; == 0xCD
761517C7 48 dec eax
761517C8 48 dec eax
761517C9 0F84 688C0000 je 7615A437 ; == 0xCF
761517CF 85F6 test esi, esi ; default case: no object->[+0x128] -> return the default 1
761517D1 74 1F je short 761517F2
761517D3 F646 68 01 test byte ptr [esi+68], 1 ; flags consumed at 761517E4, after the pushes (push leaves flags intact)
761517D7 FF75 18 push dword ptr [ebp+18] ; arg5
761517DA FF75 14 push dword ptr [ebp+14] ; arg4
761517DD FF75 10 push dword ptr [ebp+10] ; arg3
761517E0 56 push esi ; arg2 = object->[+0x128]
761517E1 FF75 F8 push dword ptr [ebp-8] ; arg1 = object->[0]
761517E4 0F85 E76D0000 jnz 761585D1 ; bit 0 of [esi+68] set -> out-of-line handler with the same 5 args
761517EA E8 24180000 call 76153013 ; 5 args (callee retn 14); per the trace below eax is 4 after this call
761517EF 8945 FC mov dword ptr [ebp-4], eax ; return value = callee's result
761517F2 8B45 FC mov eax, dword ptr [ebp-4]
761517F5 5F pop edi
761517F6 5E pop esi
761517F7 5B pop ebx
761517F8 C9 leave
761517F9 C2 1400 retn 14 ; stdcall, 5 args
F8单步步过
发现在761517EA处,eax变为4
761517EA E8 24180000 call 76153013
发现在761517EA处的内存断点和硬件断点,都不能让OD中断
于是在 OD 中直接跟进 761517EA 处 call 的目标地址 76153013:
76153013 8BFF mov edi, edi ; hot-patch nop; 5 stack args (retn 14)
76153015 55 push ebp
76153016 8BEC mov ebp, esp
76153018 83EC 54 sub esp, 54 ; 84 bytes of locals; this frame is /GS-protected
7615301B A1 20071A76 mov eax, dword ptr [761A0720] ; module-wide __security_cookie (its bytes are dumped at 761A0720 below)
76153020 33C5 xor eax, ebp ; standard /GS prologue: cookie ^ ebp ...
76153022 8945 FC mov dword ptr [ebp-4], eax ; ... stored right below the saved ebp; re-checked at 76153067-7615306F
76153025 8B45 08 mov eax, dword ptr [ebp+8] ; arg1
76153028 53 push ebx
76153029 8B5D 14 mov ebx, dword ptr [ebp+14] ; ebx = arg4
7615302C 56 push esi
7615302D 8B75 0C mov esi, dword ptr [ebp+C] ; esi = arg2
76153030 8945 B8 mov dword ptr [ebp-48], eax ; local copy of arg1
76153033 8B45 10 mov eax, dword ptr [ebp+10] ; eax = arg3, dispatched on below
76153036 BA C4000000 mov edx, 0C4
7615303B 57 push edi
7615303C 8B7D 18 mov edi, dword ptr [ebp+18] ; edi = arg5
7615303F 3BC2 cmp eax, edx
76153041 0F87 32160000 ja 76154679 ; arg3 > 0xC4
76153047 0F84 09020000 je 76153256 ; arg3 == 0xC4
7615304D 8D4A ED lea ecx, dword ptr [edx-13] ; ecx = 0xB1 (lea leaves the flags alone)
76153050 3BC1 cmp eax, ecx
76153052 77 24 ja short 76153078 ; 0xB2..0xC3
76153054 ^ 0F85 60FFFFFF jnz 76152FBA ; < 0xB1 -> backward jump into code placed before the entry point
7615305A 57 push edi ; arg3 == 0xB1: helper(esi, 1, ebx, edi)
7615305B 53 push ebx
7615305C 6A 01 push 1
7615305E 56 push esi
7615305F E8 2F0E0000 call 76153E93
76153064 33C0 xor eax, eax
76153066 40 inc eax ; return value = 1
76153067 8B4D FC mov ecx, dword ptr [ebp-4] ; /GS epilogue: reload the xor'ed cookie ...
7615306A 5F pop edi
7615306B 5E pop esi
7615306C 33CD xor ecx, ebp ; ... undo the xor with ebp ...
7615306E 5B pop ebx
7615306F E8 A430FEFF call 76136118 ; ... __security_check_cookie: ecx must equal [761A0720], otherwise it jumps to __report_gsfailure (76197A91) and never comes back
76153074 C9 leave
76153075 C2 1400 retn 14 ; stdcall, 5 args
看看返回前的最后一个 call (7615306F; 它的参数 ecx 是 76153067–7615306C 处由 [ebp-4] xor ebp 还原出来的栈 cookie)
7615306F E8 A430FEFF call 76136118
跟随进入
76136118 3B0D 20071A76 cmp ecx, dword ptr [761A0720] ; __security_check_cookie (MSVC /GS): ecx = cookie recovered from the caller's frame, [761A0720] = the module's __security_cookie
7613611E 0F85 6D190600 jnz 76197A91 ; mismatch (stack cookie overwritten by an overflow, or ecx/that memory patched in the debugger) -> __report_gsfailure; NOT taken on a normal run
76136124 C3 retn ; match -> back to the caller's epilogue
cmp ecx, dword ptr [761A0720]
查看内存761A0720处的数据窗口
761A0720 54 A4 DE 71 (小端 DWORD 0x71DEA454, 即当前 user32 模块的 __security_cookie; 该值在模块初始化时生成, 不同进程/启动未必相同。右侧的 "Tまq." 只是 OD 按当前代码页把这 4 个字节当文本渲染出的乱码, 没有意义)
76136118 处这三条指令就是 MSVC /GS 的 __security_check_cookie: 正常情况下 ecx 和 [761A0720] 相等, 7613611E 的 jnz 不会跳转, 直接 retn 回到 76153074; 只有栈上的 cookie 被改写(栈缓冲区溢出), 或者在 OD 中手动修改了 ecx/这块内存, 才会从 7613611E 跳走:
7613611E /0F85 6D190600 jnz 76197A91
跳转目标 76197A91 是 __report_gsfailure (栈 cookie 校验失败的处理函数), 代码如下:
76197A91 8BFF mov edi, edi ; Splish.00403258 -- __report_gsfailure: reached only from the failed cookie check at 7613611E; never returns to the caller
76197A93 55 push ebp
76197A94 8BEC mov ebp, esp
76197A96 81EC 20030000 sub esp, 320 ; 0x320 bytes of locals
76197A9C 57 push edi
76197A9D A3 38081A76 mov dword ptr [761A0838], eax ; snapshot the registers at the failure point into a global record;
76197AA2 890D 34081A76 mov dword ptr [761A0834], ecx ; the offsets from 761A0788 (ContextFlags) match the x86 CONTEXT layout exactly
76197AA8 8915 30081A76 mov dword ptr [761A0830], edx ; (SegGs..SegDs, Edi, Esi, Ebx, Edx, Ecx, Eax, Ebp, Eip, SegCs, EFlags, Esp, SegSs)
76197AAE 891D 2C081A76 mov dword ptr [761A082C], ebx
76197AB4 8935 28081A76 mov dword ptr [761A0828], esi
76197ABA 893D 24081A76 mov dword ptr [761A0824], edi
76197AC0 8C15 50081A76 mov word ptr [761A0850], ss
76197AC6 8C0D 44081A76 mov word ptr [761A0844], cs
76197ACC 8C1D 20081A76 mov word ptr [761A0820], ds
76197AD2 8C05 1C081A76 mov word ptr [761A081C], es
76197AD8 8C25 18081A76 mov word ptr [761A0818], fs
76197ADE 8C2D 14081A76 mov word ptr [761A0814], gs
76197AE4 9C pushfd
76197AE5 8F05 48081A76 pop dword ptr [761A0848] ; EFlags
76197AEB 8B45 04 mov eax, dword ptr [ebp+4] ; eax = return address (inside the function whose cookie failed) = reported fault address
76197AEE 8D4D 04 lea ecx, dword ptr [ebp+4]
76197AF1 83C1 04 add ecx, 4 ; ecx = esp as it was before this call
76197AF4 890D 4C081A76 mov dword ptr [761A084C], ecx ; Esp
76197AFA A3 40081A76 mov dword ptr [761A0840], eax ; Eip
76197AFF C705 88071A76 0>mov dword ptr [761A0788], 10001 ; ContextFlags = 0x10001 (CONTEXT_CONTROL)
76197B09 8D4D 04 lea ecx, dword ptr [ebp+4]
76197B0C 8B49 FC mov ecx, dword ptr [ecx-4] ; ecx = saved ebp of the failing frame
76197B0F A3 44071A76 mov dword ptr [761A0744], eax ; EXCEPTION_RECORD at 761A0738: +0xC ExceptionAddress = fault address
76197B14 A1 20071A76 mov eax, dword ptr [761A0720] ; current __security_cookie (parked in [ebp-4] below, then overwritten)
76197B19 33FF xor edi, edi
76197B1B 890D 3C081A76 mov dword ptr [761A083C], ecx ; Ebp
76197B21 C705 38071A76 0>mov dword ptr [761A0738], C0000409 ; ExceptionCode = 0xC0000409 = STATUS_STACK_BUFFER_OVERRUN
76197B2B 47 inc edi ; edi = 1
76197B2C 893D 3C071A76 mov dword ptr [761A073C], edi ; ExceptionFlags = 1 (EXCEPTION_NONCONTINUABLE)
76197B32 8945 FC mov dword ptr [ebp-4], eax
76197B35 A1 70001A76 mov eax, dword ptr [761A0070]
76197B3A 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] immediately overwritten with [761A0070]
76197B3D 6A 00 push 0
76197B3F FF15 4C031376 call dword ptr [<&KERNEL32.SetUnhandledExceptionFil>; kernel32.SetUnhandledExceptionFilter -- SetUnhandledExceptionFilter(NULL): removes any filter the application installed, so it cannot swallow or resume from the failure
76197B45 68 6C7B1976 push 76197B6C ; presumably the EXCEPTION_POINTERS describing the record/context filled in above
76197B4A FF15 50031376 call dword ptr [<&KERNEL32.UnhandledExceptionFilter>; kernel32.UnhandledExceptionFilter -- gives the default handler / debugger / WER a look at it
76197B50 68 090400C0 push C0000409 ; uExitCode = STATUS_STACK_BUFFER_OVERRUN
76197B55 89BD E0FCFFFF mov dword ptr [ebp-320], edi
76197B5B FF15 4C041376 call dword ptr [<&KERNEL32.GetCurrentProcess>] ; kernel32.GetCurrentProcess
76197B61 50 push eax ; hProcess
76197B62 FF15 54031376 call dword ptr [<&KERNEL32.TerminateProcess>] ; kernel32.TerminateProcess -- TerminateProcess(GetCurrentProcess(), 0xC0000409): the process dies here
76197B68 5F pop edi ; never reached
76197B69 C9 leave
76197B6A C3 retn
F8 单步步过, 程序终止。这是预期结果, 不是目标程序的 bug: 76197B21/76197B50 处的 C0000409 就是 STATUS_STACK_BUFFER_OVERRUN, 这段代码先用 SetUnhandledExceptionFilter(0) 清掉应用自己装的异常过滤器, 调用 UnhandledExceptionFilter 之后直接 TerminateProcess 结束进程, 根本不会返回到 GetWindowTextA 的正常路径。要继续跟踪字符串长度是从哪来的, 不应让 7613611E 的 jnz 跳转, 而应让 76136118 正常 retn 回 76153074。