Crack

ISBN: 964-377-164-4
QA76/9/ 005/8 84-21939
1384
www.naghoospress.ir
66411715 - 66406834 - 66966749

41 .......... Visual C++
41 .......... Delphi / C++ Builder
41 .......... Visual Basic
43 .......... .NET (VB .Net, C#, ...)
44 .......... PEiD
44 .......... Language 2000
46 .......... Dependency Walker
49 .......... Resource Tuner
50 .......... Resource Hacker
52 .......... PEView
54 .......... Process
55 .......... Process Explorer
56 .......... Process Viewer
57 .......... dll
63 .......... File Monitor
66 .......... Registry
66 .......... Registry Monitor
69 .......... Netstat
73 .......... Sniffer
73 .......... Winpcap / Libpcap
74 .......... Ethereal
83 .......... Serial Monitor
85 .......... Protocol Analyzer
85 .......... Log File playback
88 .......... USB
88 .......... USB Monitor
90 .......... API
92 .......... API
93 .......... API
93 .......... API Monitor
93 .......... Process
95 .......... API
98 .......... Smart Check
103 ......... SoftSnoop
104 ......... API
105 ......... API
112 ......... Disassembler
113 ......... W32Dasm
120 ......... PE Explorer
123 ......... VCL
127 ......... Interactive Disassembler (IDA Pro)
143 ......... Decompiler
143 ......... C/C++ Decompilers
144 ......... REC (Reverse Engineering Compiler)
152 ......... JAVA Decompilers
152 ......... DJ JAVA Decompiler (JAD)
153 ......... Visual Basic Decompilers
154 ......... VB Reformer
157 ......... C++ Builder / Delphi Decompilers
157 ......... DeDe (Delphi Decompiler)
168 ......... .Net Decompilers
171 ......... Debugger
172 ......... OllyDbg
179 ......... OllyDbg (CPU window)
187 ......... Breakpoints
206 ......... Disassembler
221 ......... Thread
251 ......... Run Trace
267 ......... Delphi / C++ Builder
268 ......... Visual Basic
277 ......... Export Table
305 ......... Stack
306 ......... 80x86
338 ......... IF-THEN-ELSE
346 ......... (Condition) ? Do-it : Continue
349 ......... Switch-case-break
376 ......... IDA Pro
390 ......... Default Arguments
392 ......... return
419 ......... Macro Assembler
451 ......... Keyboard
456 ......... Mouse
490 ......... DialogBox
523 ......... Process
532 ......... Multithreading
540 ......... Events
546 ......... dll
561 ......... Subclassing
568 ......... Superclassing
576 ......... Bitmap
584 ......... Win32 Debug API (1)
595 ......... Win32 Debug API (2)
604 ......... Win32 Debug API (3)
620 ......... File Header (3)
623 ......... Optional Header (4)
625 ......... Section Table (5)
636 ......... Import Table (6)
654 ......... Export Table (7)
659 ......... NT
662 ......... NT
663 ......... Interrupt Request Level (IRQL)
663 ......... Services
664 ......... Service Control Manager (SCM)
668 ......... SCM
675 ......... Ring 0
687 ......... CMOS
700 ......... I/O
701 ......... Virtophys
714 ......... Device
715 ......... I/O
723 ......... 80x86

omidgl@gmail.com
behzad.lajevardi@gmail.com

> . / W B-)
')
.

a' O

'

!( ) *+

& . C=

! o6 !) ^c

o (

Q Fk

. -^c V {& ,; . )

1 - Q Fk

!Qx R U ..

k 7 ;

A=
7 ;

o !

, a Rb
:

.() <

o )

.
.

!) ! 7 ;

.i

6 Q Fk

-) .! /

o. _!)

-(

'! B

A &)

X "6

-1

C. 4 /

k .d

G . /

k .d

!) '

W ) < -3

"6

Q Fk

1! . -4

! O

. Rb (

.) 6

V T C=

-^ !
1

. "6 V V . +. ! Q Fk
. /)< !

!) C/ % o* !)

, (

-2

!) 'c 3 9 )!
/m d - *

.d -)

! 4

3.

! . )!

! . -5
b ! O

2C

,.
. Qx R U . .
.
)<

# 1! 4 6

F V ^ ) T

X"6

D / !) . G { 8

'! B !)

() ) ! 4

! ) . D/ ! O

)!

!
2C

4) . O )!
! . )!
(

! Rb R

! V !) 7 ;
' o6

X"6

!"

! .

t >a
CAD
.)

D /

-! "# %

) < t > .) / ) < ) 6

# 1!/ .

-) .! /
F V# 1

-! "# %
() *

!) !

,/

. .)
W % "

6 Q Fk ) <

)3

. +/ 0 1. ( 2,

- Crack

30

(1-1) A

(X
.

( b

!V R= >

!) [ / !

-d

; 8> R o6 !) ) 6
-d
-(

X "6

-Q
-7

. ! / k X "6

-d
a-

,/ .

= >

. a -% -

<

>E

! !) 7 ;

! . /

V R= >. /

/ . j 4)
-

- ..
6
zk. d

! . .Qx R U ..
o b ) /! / ( k

!
Q C V [) =

# 1 !

- f

; 8> !) ) 6

. /)< d

[ ) = !)

() /
E

Qx R U ..

= !) / -

. 8k 7 ;
! 4 () *

)<

o Q <)

)!

T [ 5, <

) < Rb A o

-!

A Ck

t >
IC

(
o !)

- 6 G

# 1
-)

g 3 "

- ) ! ^ ) T
. !) !

(2-1) A

f)

-! ".

. K!

1 1
-!

1A Ck

! o b V . +. !
."

! !)
."

F ^ ) T . ! "# %

,. @

= >

. (
. ! Rb X "6 a!

,/ . -

() /
, . /

t >
V

! /) G ! >
)<

-) .! / / ! ) ) 6 Rb

D / !) !
i Q 6)<


EZ $ .
[ !) / d 8. Q = . () /

T7 ;

. 8

F 1@

C/ ) {& , = (
.)

) ! ) G 'c 3
'! B C /
d

! - !) 7 ;

! .

)!
R

!) .)! ) "
#'

!) a)! )

. -^ ! V

() *

)!

! ) . D/

. -

V# 1(
3.'

A 3

4 Y B) 6 .

8 " b

() *

L> <

() ) ' k S

1! / .

i
. 6

,-

-^ ! V

1! / .

A84 j 4)

1! / . )!

G . !) .) 1

,; '! F. Rb % <
-^ ! V

1! / .

) 6
V , "

! .% " (

*1 v i
.

!) 7 ;

V !) Rb

1! / .
-) .! /

)3

. +@<) ) 2 /) 5 E

-^ !

G . . d ! ) F4 p . V !) a (

V
1 4

() *
# 4>!

R . .)! ) ( oU . !
.

iG R

! )! G .

> 2+. ".


. 6

"/ ,

! "# %

.d

.(

.
!

/ -f

2() [V 5 \;5
o

! !) (Cryptology) " ! 23/

. ! / ! "# %
.

CB p 7 ;

<

. 6

! . z= 8 9 / V !)

23 )
dCU -

!) GlG'

.)) f ) < 9 Ci
(}

-^ !

V !)
!f" !
T . 3. /


. . ] !#
. 6
o

4 56

! 4p
!

-d

) .! /

a) 1 , ! 4 R 1 ( / () *

b )!
! .

2;S

!) A U

. ) /! / Decompile > .

CU . -! 3/
.

() *

! "# %

G . !) /

.. /

a j 4)

) 6

1 , ! 4 ^ 0T )!

V ,

V !) () *

n7 ;

)!

-^ !

-^ !

.) . - G <
)! ) ) 6 9
'

! "# %

W R ) 1 .a /

- ) C,U ( k )!

() *

)<

-g
W -

!) # / ' "6 V

-7!

~{& ,;

C/ p 7 ;
'! B !)

Y >

C /

> / FE) B

j 4) ' Uc>
.

- C. 4 R) / # S
R 8 3T

a b) 6 .
R .! /

d!
6 (! "-

- /

! o b ' Uc>
'

W -! "# %

() b

W )<

o b !) /

! G !) ! Rb / 7!
V !) .

-! "# %

V ` /
) / ,

) . !) !

- /

a -Q

3 . 'c 3
V

.) 6 .
/d

/ ) .

8 3T , 4

. -! "# %

-! "# %
6

01

. !

)<

ob

V ,

8 3T Q Fk Rb
-! "# %

() *

uT . ) . () /

) ! "# %

f ) {& ,;

-! "# %

> # . ))

. / ,

() / A= ! o b 'c 3 o

x/ !)
. 6

b Rb . {& , = / ) . (Y2K) 2000 Q

! B

-A # R !) (

. ,> 2 ^ >

nb !) / 'c 3 V

x/ R

Ak {c /
- /

'

! G !) -! "# %


( !8

! !) {& ,; -7

) ! G !)

-/

P4 d

R . -! "# % V 23/
!)

# 1
.

A &) V

- 3 7

. # 1 - G '! B

. ! / o b . ( ! 8 ad

x/ !)

. \;5

) C,U ( k )!

'

! . .

4 56

Q K ( 2) 3
!)

-! "# %

! G !) -! "# %

) F 1@

f .

)!
.

6
f)

A 3
Q = !)
( Gm

) . () / )

= >

. 6

.. ) .(

! . -! "# %
.

V R .! /

A,k 7 ;


8 3T > G . ) 6
Q ,;
)<

-^ !
!'

() *


-! "# %

- : !) '

. / d ! ) )!

b .7 ;

W )<

d- )

- 1 !) '

" )!

W )<
f

!/

) 1

. ! "# %

'! B A U d

.) 1

'! B \!".

() ) g 3
3-1A

!) .)

) <
- /

= >7 ;
W C,6

! "# %
)<

o
() T

= >

* !

. !/

A &) . ! / V {& ,; .

7 ;
-^ !

6 ! "# % ( b
. /

( -3 !

(3-1) A

Q ,U

. ,>

, '! B . {& ,;

(Forwarde...) d
O )!

% < A. 4

)3
o

o
-(

j 4)

() /

_ '
) 6

( T!

, 4 ) . / ! / V A=
C/

. /

. ' Uc> . 6
-(

!)

6R.

!) .
. /

)!

'! B V
. uD

T V [ % < A=

(
C/ t >


#
/
)!

. / 5.
V

[ "6 o b
(

) 6

. /

.
ob

% /-

2C

o . .) . ! "# %

S U / 7!
(Native API) NT

-R

!) 7 ;
!)

Fk

( 3 K!

7 ;

1! / .

! /0 )!

"[

Ck 5.
#

3 .(
. o

;
/m / )!

) );
-^ ! )!

R .

. ' Uc> k*B

. , ) 6

-) .! /
.

3.'kS

o ) .! / )!

. d-

.
/

. ,> (E

!) 7 ;

5. ! "- V [ A
ob


-) .! /

-) .! /
!)

;.

-AF# !)

- G K!

!3

/ 012

&- .

+
d
.

. 56 ! ' Uc>
8 {# B

[ - /
a

<

! b5,6 7 ;

.{8

;.

o ..

;.

-% 4 a

o !) % 4 V

-% 4 ' Uc> V V

4>

1 4 !

3 . )!

'! B O )!

! "# %

do

*1 R

O )!

! "# %

! / / ) . - G iG
X "6 )!

Y - .

! . *C

)R ..

o b V . +. ! a (
.

/) 1

$ %&' () *!"#

-p

3.!
b a ' Uc>

!) , ' Uc>
. U

. ! ,

! b5,6 C=

!)

. G ) T d - G o b . AF# V !)

@ > $) `+/ > # ( 2 >


! Rb
.

= !)

O )!

A #R

'! B !) .)! ) / A #
. / ;6

6 .

"#! G

8 AF# .

a' Uc>

! . 3.

!)

-A # ! G

) /

! b5,6

! .

C=

'! B .

. 56 ! j 4) ' Uc>

A> a 5 b . >
{& ,;

. -) ! 4 e

A # !) 5.
a <

k {c / ;. A=

!) !

-() ) a - / !) .

C D /E

. ! BG! G

' * {c / f )
.)
.d

- C D / . /) 1

9
.

k ' Uc>
R

<

!) C D / O !) ) G l G

! b5,6 !) % 4 V

A D / A=

.(

/ -f

C D /E
o.


(1-2) A

A D / A=

"6 '! B . d !

.d /

(!

F4 <

- * !/

A # !) ! -7!)b o b

6 .

!) . ! )

b (1-2) A

. /

G . .

() / Y0= ! -v [ .

! ) , . {& , =

.d /

-% a

- C D / {& ,;
. /

Q !

(Comment) , - !

!)

1 -

V "f 6

\A@K ( 2 A> a 5 )
Rb uD

() / ,6 V T hi

'! B & . hi

-R . !) ) 6

,/ R

oC # do ' B FG

. (

. & . hi

G .a ) /
! 4

p- / !

o A D /!.

C++ Builder R .
.

.d -)

Y0= o b % ,

- C D / x/

- 1 T p- / A ) . 3 . ! / V . /

Turbo Assembler C D / .

-/

oC # {& ,;

> # (2 > $ `

. !(

Visual C++ R . Q x R U . . -)

! . !R

A D / !

= !) ) 1

Macro Assembler C D /

G ad !

C6 A D / A=

.) !

pTV

T 8

! . )!

Y ;

/ ,

A D / A=
.

!) [ .

. /Q=

-R . !) !


$ %&' () *!"# /

Visual C++
,6

) A. 4 (

Bitmap a Dialog A 84

A ) V ,- . .
() *

. A / ! i. Visual C++ +

R.

)!

5.

- ! )! G .

Rb

!) & .

Y0=

oC # (Resource) 5.

-A #

-v [ .

Visual C++ +
/

6 A # !) - , - !

a (

&. U

! "#

& ,;

- ...

-A #

-! !) V

.
.)

Delphi C++Builder
C,6
zU .

. ! ) / 3 ' B FG { 8

1)

/ !) ) 6 "

. ob R

a -R . V +

6 A # !)

Decompile A=

<

!)

. !) ) 6
(

ob

6
X

-7c/

-A #

3.

.) 1
% &

. " ! ' Uc>

(
V

6
R.

"

,/ 8 6

-A # A ) V ,- . )

. - /

!)

()

CU . ) 6 V . .

- ! )! G . . G { 8

f ) l G 5.

a )!

-A # .

5.

- ! )! G .

& . d<=
A D /

n -R . V +
. /

G
'! B
-A #

6 A # . Static '! F. {& ,;

ob+

-A #

() *

-R . V +

-A # a

,6

. . ! / +. !

-A #

( Gm

Visual Basic
! > .
a-

, ,6
A 84

MSVBVM

CB
. / 5.

. {c / Visual Basic +

R.
-! /
+

C/

/ , () *

-A # V !) ... 5.

! > . API 5.

-A #
Q ,;

G # a i ' C,U a -9 F
.

%<

)3

. +/ 0 1. ( 2,
) ;

() . [ / !
:


G # ( c;. V
.(

. (2-2)A
VB Code

/ /

d<=

=(

!! O

..

= !)

- MsvbvmXX.dll A #

-A # d<= A ) V ,- . .

. - f vCi R

-A #

- ! )! G .

T U

Compiled VB Code

VB source (Figure 2-2, left side):

    Sub Main
        Dim a As String
        a = Clipboard.GetText
        If a = "xman" Then MsgBox a
    End Sub

Compiled VB code (Figure 2-2, right side; "..." marks instructions omitted from the listing):

    push    jmp_MSVBVM60.DLL!__vbaExceptHandler
    mov     eax,fs:[00000000h]
    ...
    jnz     L004016DC
    push    L004022CC
    push    L00401350
    call    [MSVBVM60.DLL!__vbaNew2]
    mov     esi,[L004022CC]
    ...
    push    esi
    push    eax
    call    [MSVBVM60.DLL!__vbaHresultCheckObj]
    lea     ebx,[ebp-18h]
    push    esi
    push    eax
    call    [MSVBVM60.DLL!__vbaHresultCheckObj]
    mov     edx,[ebp-18h]
    lea     ecx,[ebp-14h]
    mov     dword ptr [ebp-18h],00000000h
    call    [MSVBVM60.DLL!__vbaStrMove]
    lea     ecx,[ebp-1Ch]
    call    [MSVBVM60.DLL!__vbaFreeObj]
    mov     edx,[ebp-14h]
    push    edx
    push    L00401374
    call    [MSVBVM60.DLL!__vbaStrCmp]
    test    eax,eax
    jnz     L004017D2
    ...
    push    00000000h
    push    ecx
    mov     dword ptr [ebp-5Ch],00004008h
    call    [MSVBVM60.DLL!MSVBVM60.595]
    lea     edx,[ebp-4Ch]
    ...
    push    ecx
    push    00000003h
    call    [MSVBVM60.DLL!__vbaFreeVarList]

The clipboard text is compared with the constant string at L00401374 ("xman") by a call into the runtime, __vbaStrCmp; the following test eax,eax and jnz L004017D2 skip the MsgBox call when the two strings differ, so the whole If statement collapses to one conditional jump in the compiled code, and the string itself stays visible in the executable because the comparison is done by the runtime DLL rather than inline.

Figure 2-2


a - Dialog

)!

-A # % , . 5.

Ak

5.

Q ,; ! > . (

( Gm

= !)

msvbvmXX.dll A # () . ' *

6

/ , () *

- C D /
.) 1

-A #

-Bitmap

....
(

( oU .

6 R

!) ! o b

(..., VB .Net, C#) .NET


(
R.
-

C.

, ,6

. / !) ) 6

5.

V ,- . /
5.

. .NET

-A # ! G

A 8 V

() .

/!

- C D / +

R.

,6

. - /.

-A #

(Intermediate Language) IL %

. +

> .NET Framework

) . ! o b C=

-A # /

. /Y F
+. ! ) <

)!

5.
. ! ) )!

bY ;

.
.d

-R . +

.
(

. C D / R. E g 3

&. U

zU .
. !d

-R . V Visual Basic

Q ,; ! > . "
V

6 ! G

' * {c / - C D /

6 A. 4 ' !

. -R . V +

1 6

/ , () *
6

-! ".

...

,.! /

-A # ' B FG . / Q =
.

o. ) /

T 8


PEiD ) 3
-A # ) <
f)

. /

CB k*B a

. () *

)!

g 3 "
A

R.

C D /E

! -A #
.NET

!) .

G .R

g 3
A D /E

. -! ". V
aR .

- C D / . Rb ! 1

. ( cU /

.V

. /

- C. 4

( -3 !

.V

(3-2 )A

.)!

hS

) 6

() . ()

, ,S CD !) ! "# % V

.V .!/^ !
0.92

Tools\PEiD

Language 2000 ) 3
(

= > G #

..

4b +
. -)

/
! 4p

) 6

C D /
T k !

R. E

g 3
.

-R .

-! ".
;

, ,S CD !) ! "# % V 4.5
Tools\Language2000

f)
2>


+
. /


( - 3 ! ! "# % V

CB k*B a

!)

(4-2) A

( ) !/ _

. (dll)

.
-

. / a)!

A U d

) G !) !

)!

R)! b

)!
.

! > . ob
. !

. /

. /

() *

V !)

5.
-

. /

. . -)
. / ;6

A Ud
2C

. V . 5.

. /%

5.

a o b ! 01! . % f - !) A U d

-API

/ ! >R ,- /V

) ! 5.

01

)!

-A # . /

% < ! ... 7!)b h kF ' C,U


8 AF# .

- API 5.

-A # /
!)

) /

<

() *

_ 3

!) . ! ) ( Gm

() / ! 01! . O# =
. 56 ! A / ' Uc>


) G

-! / % <

A #

!) () *

a-


. API 5.
)!
.

5.
)!

) G V-m !) O )!

A Ud
)!

!)

# / ' Uc> V

Q ,U
. )!

)!

!)

!) -

. /

) / d.

!)

ob

3 . ' "6 .

. 6

!) a /

() *

- ) .! /

A / = >

.
6

<

!) . -)

. /d <

Dependency Walker ) 3
/ !) ) 6
! "# %

6 A #

)!

5.

dll

-A #

! .

. )

Dependency Walker ! "# %

. ( ,- . /

) 6

-! "# %
Y ;

K ! " Visual Studio 6

.(

ob V

, ,S CD !) ! "# % V 1
Tools\DependencyWalker

A #

! .

! .

( -3

! ! "# %

CB
. -)

k*B (5-2) A

!)

R 3 ! Notepad.exe


(5-2) A

( -3

.) G /

f ,- Q x R U . . -)
Msvcrt.dll

() / () *

. -)
g 3

. !) () *

() / g 3 ! O )!
. -)

R3

R 3 ! O )!

. JO# = .

. /R

. /

6 A #

. Kernel32.dll ntdll.dll

p , !lGJ

)!

Notepad.exe

. / 5.
.

. -)

G!) ! ) , 1 (! ,

p , ! - f .

. /

/
. /

) ! 5.

2 `! , J =

5.

3 `! , J =

. / !) ) 6
-A # )!

!) !

J C/

3 . ' "6 4 `! , J =

A D / ! Time Stamp , 4 Q x R U . . /

f % f -!) ! O )!

. /

< 7!)b aBase , 4


!/
-() )
-

=!) /
!a

6 A #`

. / #S ) G
) < ...

O )!

-A # X "6 V

-() ) V . /
. f)E

6 A # 5.

!) a)

6
.

. O )!

-( < T a

# 1Q

.(

2 ; pT

5.

2 ; pT

-( < T a - B a

# . ! U

6 A # !) ) 6

(Resource) 5.

,o

! of !
(

) /

-() ) (

) .

. .! / +. ! {& ,;
! . a)! ) ! 4

. 6

6 A # 5.

. / ) < o b ) C,U X "6 . 8


: /

( -3

- )!

!) -

/ ' k S ( ,- . ! )!

. /
# 1!/ .7

1(!

( Gm !

R U .

, 4

. G!

5.

.
!)

- C/ : Accelerator

/ : Animated Cursor

-_ k

.
. / ( Gm !
ob

...

ob

() *

[ /_ k

.! / +. !
` k

= > !) /
-

-_ k

. . 56 !

b :Animated Icon

-R

)!

j 4) ' Uc> .

'! B !) .)
. / ;6

A 84

BG'F 3

p ,

C. 4

V , 2C
.

ob

. (
ob

() *

)!

. 6
/V a

- ! ) ;

!) ) 6

-u/ . \

- !
) : Dialog

= !) -u/ . \

. S #pT
` k

/ : Cursor

- ) ;.

-( < T

() *

8 AF# .

# 1
. .

2 ; pT

# 1 O !) o b

8 AF# .

. !) () *

-! "#

. ! "#

. !) /

'! B !) .
;6

!) % / - /

F : Bitmap

. 3

() *

) . 56 ! j 4) ' Uc> .
. /

# 1!/ . (

8e

!)

- ' F 3 ( ,- . ! Cursors , 4 !) ) 6
! obV

) 6

! "#

+k

. 6

.
/
A Ud

)!

# : Font

- 1 : Group Cursor
/

g 3


! "#

/ -( 1 V


*1 R

<

!) . / 9

p ,

. /
B FG /

g 3 ! Icons , 4 !) ) 6

-R

- 1 : Group Icon

b
. !)

.)

() *

ob

.! / +. !

() *

ob

.! / +. ! = >!) {& ,;
-( < T = > !) {& ,;

` k

!) -

. 56 !

j 4) ' Uc> .

-% W T ) <

. {& ,;

-( 1 . 3

)!

-R

b : Icon

)!

: Menu

'! B !) .)

. / ;6
)!

8 AF# .

. `) *

! a(

aQ Fk

)!

.
6

-A # 5.

! .

CB %

! : String

. 56 !

6 A #J

-! ".

() *
ob

.)
! )!

() *

b 5.

ob

Uc> : Version

= !) / /

o. a ) /

)<

g 3
. /Q=
:d

Resource Tuner ) 3
Resource Tuner J
.
/

.
G

! )! G . "

-A # 5.
. G!

- C D / l G 5.

( - 3 Shell32.dll A # 5.

. .! / +. !

! .

. -! ". V

! . !) Rb

a! "# % V !)

C++ Builder Delphi A 84

! . Q = !) ! ! "# %

4!

Heaventools /

G
.'
Borland

CB Jk*B (6-2) A
. /

!)


(6-2) A

.)!
) G O )!

5.

a! "# %

BGhS

V !) Save

() . ()
- "1

. ! "# % V !) 5.

() *

. / () *

ob

, ,S CD !) ! "# % V 1.97

) 6

() / ( Gm

.! /
1 6

! .
'! B !)

-A # '! B . !

Tools\ResourceTuner

Resource Hacker ) 3
! "# %
.

6
.

-A # 5.

! )! G . . G

Explorer.exe

- C. 4

6 A # 5.

) J

!)

-! "# %

a2 ;S .! / +. ! ) 6 . /
! . Q = !) ! ! "# %

f)

Resource hacker

CB Jk*B (7-2) A
. /

!)

( -3


. ! "# % V !) 5.

(7-2) A

" ! "# % V .)!

BGhS

() . ()

! )! G .

) 6

1 6

-A # !) 5.

! .

` Gm

C. 4

, ,S CD !) ! "# % V 3.4
Tools\ResourceHacker

)!
U

!) '

W ) < AF# !) .

-! ".

t i

R . 8 i 5.
3.

-zk. 5.

! . )!
!) '

!)

W )<
.

3.

, 4 V !)

-^ !
! 4

! . )!

"


> # ( 2 > ) @G
- Header

A #
. /g 3
. .
v i V

O )!

-)! /! !) ) 6

A # !) ' Uc>

! S

` k )!

-A # ! G

. A / ! > . 8 AF#

!)

- 1b V

p .7a

-A #! G

ob .

-A # ! G

!) # / ' Uc> V

!) ! )

)!

. / ;6
:d ) T

-() ) )!

'
.

!) *

)
6

) a' Uc> V

! .

j 4)

'! B !) /

! .J

) /

b! O
# lFG

-! ".

# ;

.Q=

PEView ) 3
-() ) () /
p ,

- )!

` k

C/ t >

! . o

!) -

/'kS
! "# %

6 A # !) ) 6

( ,- . ! - Header

V !) (

-() )
. -)

p ,

Q=

!)

R 3 Notepad.exe

' Uc> ! "# % V


/

-)! /! !) ) 6

() ) p , ' Uc> . j 4) - f . . -)

. /d < !
)! /!

6 A #
CB

!) ' Uc>
Jk*B

! "# %

a(8-2)

6 A #

IMAGE_OPTIONAL_HEADER


(8-2) A

.)!

BGhS

() . ()

) 6

. ! "# % V +

' Uc>

! .

, ,S CD !) ! "# % V 0.8
Tools\PEView
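The header fields PEView displays (e_lfanew in the DOS header, IMAGE_FILE_HEADER, the start of IMAGE_OPTIONAL_HEADER, and the section table) can be read with a handful of struct calls, and once the section table is known any virtual address a debugger shows can be turned into a file offset. The Python below is an added example, not code from the book or from PEView: it constructs a tiny PE32 image in memory (not a real program), parses it, maps the VAs L00401350 and L004017D2 from the listing of Figure 2-2 to file offsets, and flips the opcode of a short conditional jump in place, which is the one-byte edit a cracker makes after locating a jnz like the one that follows __vbaStrCmp. The image base, section layout and the planted 85 C0 75 10 bytes are assumptions chosen for the demo.

```python
"""Walk a PE32 image (DOS header, NT headers, section table), convert VAs to
file offsets, and flip a short conditional jump in place.
The image is constructed in build_sample_pe(); it is not a real executable."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550  # 'PE\0\0'
PE32_MAGIC = 0x10B               # IMAGE_OPTIONAL_HEADER32


def parse_pe(data):
    """Return the header fields PEView shows plus the parsed section table."""
    if struct.unpack_from('<H', data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if struct.unpack_from('<I', data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError('missing PE signature at e_lfanew')
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (machine, nsections, timestamp, _, _, opt_size,
     characteristics) = struct.unpack_from('<HHIIIHH', data, e_lfanew + 4)
    opt = e_lfanew + 24
    # Leading IMAGE_OPTIONAL_HEADER32 fields: Magic, linker major/minor, SizeOfCode,
    # SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode,
    # BaseOfData, ImageBase, SectionAlignment, FileAlignment
    f = struct.unpack_from('<HBBIIIIIIIII', data, opt)
    if f[0] != PE32_MAGIC:
        raise ValueError('only PE32 (magic 0x10b) is handled here')
    sections = []
    table = opt + opt_size                       # section headers follow the optional header
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from('<8sIIII', data, table + 40 * i)
        sections.append({'name': name.rstrip(b'\0').decode('ascii'), 'va': va,
                         'vsize': vsize, 'raw': rawptr, 'rawsize': rawsize})
    return {'machine': machine, 'timestamp': timestamp, 'characteristics': characteristics,
            'entry': f[6], 'image_base': f[9], 'section_alignment': f[10],
            'file_alignment': f[11], 'sections': sections}


def rva_to_offset(pe, rva):
    """File offset backing an RVA, found through the section that contains it."""
    for s in pe['sections']:
        if s['va'] <= rva < s['va'] + max(s['vsize'], s['rawsize']):
            return rva - s['va'] + s['raw']
    raise ValueError('RVA 0x%x lies in no section' % rva)


def va_to_offset(pe, va):
    """Virtual address (as a debugger shows it) to file offset."""
    return rva_to_offset(pe, va - pe['image_base'])


def patch_jcc(data, pe, va, new_opcode):
    """Replace the short Jcc opcode (0x70..0x7F) at VA and return the old one.
    Refuses to write if the byte there is not a short conditional jump."""
    off = va_to_offset(pe, va)
    old = data[off]
    if not 0x70 <= old <= 0x7F:
        raise ValueError('no short Jcc at VA 0x%x (byte 0x%02x)' % (va, old))
    data[off] = new_opcode
    return old


def build_sample_pe():
    """Constructed PE32 image: base 0x400000, .text at RVA 0x1000 backed by file
    offset 0x400, .data at RVA 0x2000. At VA 0x4016C0 it carries the bytes of
    'test eax,eax / jnz +0x10' (85 C0 75 10), standing in for the check in Figure 2-2."""
    img = bytearray(0x400 + 0x1000 + 0x200)
    e_lfanew = 0x80
    struct.pack_into('<H', img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into('<I', img, 0x3C, e_lfanew)
    struct.pack_into('<I', img, e_lfanew, IMAGE_NT_SIGNATURE)
    struct.pack_into('<HHIIIHH', img, e_lfanew + 4, 0x14C, 2, 0x41F0E3D2, 0, 0, 224, 0x010F)
    opt = e_lfanew + 24
    struct.pack_into('<HBBIIIIIIIII', img, opt, PE32_MAGIC, 6, 0, 0x1000, 0x200, 0,
                     0x16B0, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)
    table = opt + 224
    struct.pack_into('<8sIIII', img, table, b'.text', 0x1000, 0x1000, 0x1000, 0x400)
    struct.pack_into('<8sIIII', img, table + 40, b'.data', 0x200, 0x2000, 0x200, 0x1400)
    off = 0x16C0 - 0x1000 + 0x400
    img[off:off + 4] = b'\x85\xC0\x75\x10'
    return img


if __name__ == '__main__':
    image = build_sample_pe()
    pe = parse_pe(image)
    for s in pe['sections']:
        print('%-8s VA=0x%05x raw=0x%05x' % (s['name'], s['va'], s['raw']))
    print('jnz at 0x4016C2 -> file offset 0x%x' % va_to_offset(pe, 0x4016C2))
    print('patched 0x%02x -> jz' % patch_jcc(image, pe, 0x4016C2, 0x74))
```

The offset arithmetic is the same one PEView, a hex editor and a debugger disagree on most often: the debugger shows VAs, the file holds raw offsets, and only the section table (VirtualAddress versus PointerToRawData) links them. The patch helper refuses to write unless the target byte really is a short Jcc, which catches the common mistake of patching a file offset computed from the wrong section.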

# cA_
R . ! 8 i

'! F.

) C,U ` k )!

!) ! C /

! .%<
. /

A 84

Rb E

.% &
A Ud

> # (2 > (2

-A #

A,U

{,

! .

- [ 6 R
5.

aR

a-

() b V

! .

{& ,;

.d ) /

O )!

! . / d 8. Q = .) . - G 6

)!
/

!) A84 , 4 !)

= !) . / ) <

'! B !) A U d

() / o ! ...

) /

-^ ! )!

, -

f[

= !)

! .

j 4) ' Uc>

.% &J
Y >

-A # a O# =
) 6

. /

6 .
<

) < ! Rb

P#
6


C=

V !)

.)! ) %

%<

! 01! . JC=


6 A #

a C=

- , 4 () . _ 3

V .

( 3

-A # % ,

. / () /

T"

. / .

!)) 6 "

3 . 5.

T ob .R

f)
.

)!

O )!

- .

) A. 4 "

a+

A 84

'! B !)

' Uc> . 6
.

. ! 01! . ' C,U . ] .

.
Y >

-)! /! !) ) 6

,
f ) )!

! .+

f)

)R

6 .

() ) T o b . A U d

. (3

! 01! . O# = . A84 JC=

.Y >

6 R
.)

. ) C,U ` k
A=

. !

hS

!)
-m

6 R
F

() . * !

, 4

. a '!

.)

^! "1 A U d

) -

' Uc>

. { x/

;# )!

. aRb +

!)

!) /
() ) 8x

!) j 4) ' Uc> V
(

# 1!/ .

-^ !

. /)<

Process $ d3#
O !) Process
5.

!) ... - Thread a -Q !

% , . 6 Q = !) J

. -

) BFG

-(! ,

P#

# 1

ob

! . .

a B F G JO# =

, 4 V !) /

- Process . 56 !

) C,U ` k

!) / )

f ) B F G )!
A /

)!

'

G . uD

W )<

) 6

9X

NT `)

.) ) d - G h S
8

*
-

- Process

!) ) 6

() / # ; ! o b

/
.

, )

ob +

' B FG
!) - Process

j 4) ' Uc> .
. / ;6

!)

) /

R U .

!) . G ) T d ob

;.

! .

'! B

8 AF# .
. )

-! "# %

, 4 V !) . ! ) ) 6 o b ' B FG
! - Process

! ) NT ()

C/ Q ,U

!) -Process

' B FG )!
.)!

! .
f

) 6 9X

.
-

!) /


Process Explorer ) 3
Process Explorer ! "# %

/
)!

!)

4) !

- C. 4

G .

. ' K"6
() *

a - Process

! .!/

. -! "# %

() ) ! 4 .! / ! G !) !

` k )! !)

) !) . /

. -)

R 3 Win XP A U d

) # . Fk

K! d

.) / d - G R . !

!) ) 6

'
-Process

3 . v i ! "# % V

! . ! / Q = !) ! ! "# % V

C/

CB Jk*B (9-2) A

(9-2) A

C C

'! B . ! C;#

- Process

C/

! "# %

( -3
. -)

/ ! i ,p ,

, ,S CD !) ! "# % V 8.2

) 6

Tools\ProcessExplorer

Process Viewer ) 3
- Process ' B FG
- C. 4

G .

! .

. 3. /

) !) .)! ) '

-! "# %

W )<

. /

Process Viewer

f)
-

() *

.) / d - G () *
. /

( - 3 Win XP

! . ! / Q = !) ! ! "# % V

.
Rb

! "# % V

CB Jk*B (10-2) A

!)

(10-2) A

) 6

, ,S CD !) ! "# % V 3.7
Tools\ProcessViewer

CB A=

G . .a ) /

T 8

b > .

- Process . / Q =

-! "# %
:d /

(!

ob

! .


2 dll
- /
d

! 01_
+

% f - !) O )!

. / ! G Rb

. -dll

! O
.

exe

() *

dll

. !

.
. 56 ! j 4) ' Uc> V
!) o b E
.

* !

A Ud

() *

9
6

-dll

"

-! "# %

G . !)

f)

- Q) ; { 8

ob

. o b V . +. !

'! B !) .)

o*

X "6

k %4 V

-A #

.+
G

;S

! .

' Uc> ` - 3 ! O
!

C/ . .d /

() *

A /

. /

( - 3 (11-2) A

)!

!) / )! 01

- dll

< JO# =
j 4) ' Uc>

8 AF# .

CB Jk*B !) - Process
() *

, 4 V !) Q x R U .

explorer.exe, Process +

6 A #+

zk8

) Debug A=

R U . ' Uc> V V

. Process Viewer ! "# %

. 6

- dll ! 01! . ` k . 56 !

Modules ` < T aModules J "1 9


( ,- . ! explorer.exe

!) /

!)

. / ;6
.] .

-() )

f JO# = . ! 01! . % f - !) - dll

)a

7!)b V ,-

!) V ,- .

() *

6 A # ! 01! . % f - !) A U

6 . module W

-A #

*1 / ! >R ,-

G .. /

! 01! . O# = .

() / ! 01! . O# = . +

V !) /

X"6 / -dll V

6 A # ) ! 5.
.

!) -

) /

C;#

! 01! .

-dll

!) explorer.exe

-dll

p , . o b )!

(
!)

.
"6


(11-2) A

< JO# = !) Rb 7!)b

Uc> adll -

6 R

() T ! O

,-*

aR ",-

'! B .

)< Q

Thread

! -() ) ^ ) T
dll

2C

-A # +

6 R ",- ! > . / )
) .! /

/ !) ) 6 "

*C

. !) Multithreading

. / ;6

-p .

) /

/ ! >R ,-

Ok

!)

Thread Process

() *
[ .

G . !) Q x R U . . ! ) ( oU . ! B G
f)

-Thread

-Thread /
(

!)

Thread

.! / . ] 8 !
.

) < ! a(

-A U d

/ ! >R ,-

( 2 \`) 2Thread

.)
J* : % / -

( -3

K! A /

($ ) @
.V [

)<

.
. `) *

-Thread . 56 !
8 AF# .

() . .! / +. !
) 6
)!

j 4) ' Uc> .

-Thread V . > 8 !

! of

. ! ) ( oU .
-ActiveX
'! B !)
-

"


+
-Thread ` - 3 ! O

!) ) 6

. Process Explorer ! "# %

.d /
aProperties J "1 9

! "# %

Threads p . !) .)

. 56 !

4) ' Uc> ( ,- . O )!
( - 3 ! Rb (12-2) A

() *

, 4 V

Process

! .

() ) p , process ' B FG . ] .
process

!) / )

!)

! . explorer.exe

o b ' B FG

CB ` < T !) O )!

a k*B V
. /


C/ .
Jk*B

-Thread J C/

. ! / Q = !)
() ) p , o b C;#

;S

' B FG

(12-2) A

- C;#
J,/)

;S
! .

(
C/

()! b
O )!

-`
Thread 9

module ( ,- . - Thread J C/
..

/m State , 4 !) "

. -) , G Rb

! .

ob
Kill

+ . / cg _ ( h

.l F
!)

O# =

<

P#

O# = V

.f14

!) Process -

!)

.{ , a

! 01! .

.+

.
.

` k

. P# V a) 6

P# V !) ) 6
.

. * !

' Uc> )!

! "# % V

JO# =

!) .)! 01
. /

!) # / p ) V

) .)) 1

l F .

;. A=

=
- )!

"6

-A # . 6

' * 'F 3

ob -

() *
!

) G

C/ . .d -)

, 4 V !)
! 4

! .

. memory ` < T amemory J "1

p , .

!)

P# Process Viewer ! "# %


! .

/ ! >R ,-

-Dll .

CB Jk*B !) explorer.exe

P# !) ) 6

V (13-2) A

' Uc>

. Debug JC=

! explorer.exe JO# =

)!

) /

!) C / ' K"6 ( ,- . ! explorer.exe

( - 3 explorer.exe JO# =

P# . ] .

' "6 ( ,- . ! ( < T

(13-2) A

. `) *
-() ) V . (

)!

dll

-A # . O# =

! ! CB J

-() )

P#

- , 4
( Gm

."

( -3
- , 4

/ ! >R ,# lFG

V

+
=

- ..

. `) *
.

)!


' Uc>

/ a Ck

) G l G ' B FG

!) /)

@
)
/

-(! , V .)! ) ! ) G . l F
o ..

!) ! 8 6 !

. )!

-)

.'

() *

)!

`) *

.d -)

p , o b ' B FG ( ,- . !

P#

( 2F) "<

) /

!) Process -

-(! ,

)!

- C/ R) 3#
.V +
. /

-(! ,

' K"6

! .

() T ' K"6 ) C,U ` k )!

-(! , Process Explorer ! "# %

k*B V T J = Ctrl+H

*1 Segment

! a -'! T a -Thread a -A # . ] .

. / g 3 Rb
+

- W

! 4

! . )!

() *

. , 4 V !)

! notepad.exe J

CB Jk*B !) notepad.exe 9
() *

)!

( - 3 ! o b (14-2) A

-(! ,

.
J C/

!) / -)


(14-2) A

(! , a% aE
O )!

) `! ,

)
! .

-(! ,

.] .

' Uc>

a 3 . ' Uc> .
. /9

( -3

'! B !) .

! Properties J "1 () /

/ ! >R ,-

)
!

C/


> c
)!

' Uc>

!) G
"

)!

( Gm

-() ) a(

f ) X "6

.) / (!

( Gm ' Uc> R

A #J

;. A=
-A #

{& ,;

G .

!)

` k . 56 !

R) /

.:

-) C,U

p A #J

!) -

1 - %<

A84 -! "# %

V .) / (!

_ 3 )!

` - 3 '! B !)

)!

;#

zk. )!

-^ !

() *

a ) !) / ) / (!

5.

() ) ! 4

<

o .

a) C,U ` k )!

'! B !) .

!) o b
!) -

A #

;#

G aA #

-! "# %

-! "# %

. R

C,6 Rb

. aA #

! . ' C,U

! . )!

! Rb

A,U .

1 C6 > .

-! !) . R

!)

,- "K =

8 AF# .

- Y ; Monitoring . /

! . o b !) / ! ) ) 6
7

) G

/ ! ) ( oU .

) [ . {& ,; A # J

. ! b
A. 4

() / () *

) O

. % / - / A # !) V

/ )! )

/ ! >R ,-

C,6 Rb

j 4) ' Uc> .

! 8U /

!) . ! b

;# V

. / ;6
V .

A Ud

) /

'! B !)

!) / / g 3 Rb `) *

() *

-'! T a -pipe . R

-! !)

C/ '

. -A #

J* : A # . ! / 5.

! "#

! 8 6
!

! of

E) 2

o b C,6

A # .

! .V [%<
/

() T
.

! 4

File Monitor ) 3
File Monitor ! "# % aA # J

/
p ,

;# J C/ ! "# %
.

;# - )!

V .
!)

!) -

;#

! )! G .

! .
V !)

4) ' Uc> ( ,- .

. -! ". V

) # . Fk

- C. 4

-dll

Process

b JU ,<

.)! 01
) 6

-Process

! . )!
() /

! .

1 C6 (

- C#V ;

-Process

C # - ! "# %
-

. . / #S

;# p ,
! . )!

6 V

. Q ,; ! > .

- C#V dO
. !

f)

. .)!
-Process


!) / ! >R ,- . -) ! 3# ! Ctrl+L

-2) A

- C#V ; R

. (

- C/

() /

C/ ! ". !

() ) p , Filter ` < T A,U V % < .

!) Rb J,/)

( - 3 (15

. -)

! O )!

(15-2) A

) k R

! "# % V a O )!

+#

Q x R U . .)! ) ,
() *

A #

.. #

*C

y*
lG

)!

.(

() ) p , ' Uc>

D /

, CD

!)

BG

- !)

! . / -) ! 4

- !) . ! -

! .

3 . [ - j. i ! O
! . ! ! . )!

! . R) /
!

CB Jk*B

;#

Volumes
. /) k

(16-2)A

! "# % a! ". !
- C#

() *

Capture J,/)

! .

. ! "# % V (17-2) A
.

C/ . )!

- !)

!) Q x R U . /

notepad.exe explorer.exe

- Process

- C#dO

uT

;# p , . E

! . Q W3 (

g 3


(17-2) A

aE

aProcess % aR

!)

A 84

'! B !) .

' Uc> . / # S Rb .
.

1! 4

! . )!

4) ' Uc> a
(

g 3

) 6

f ) * ' Uc>

( -3

G .

/ ! >R ,-

;# J<

! B G Process

() / Y0=
(! . )

;# -

)!

54

!) (

( Gm

aA #
"

, ,S CD !) ! "# % V 6.07
Tools\FileMonitor

! .

! b5,6


Registry ) 2
.] .

',O

( Gm

!) -! "# % .)! ) ( oU . ! Rb ' Uc>


! o b % " 54

!)

V . ! b
.

)!

.R

1 ! 4 () *

-p /

!) !

A Ud

` -3

-! "# %
'! B

)!

^ !

) G"

2C

-! "# % +
;#

! . .. /g 3

! .

. () *

) Rb ) C,U ` k . 56 !

4) ' Uc>

Registry Monitor ) 3
Registry Monitor ! "# % Registry !) .) 1

%<

-Process +

;#

! .J

!) -! "# % V

;# ' K"6 )!

!) !

;# p , Q = !) ! "# %

4) ' Uc> /
.)! 01

explorer.exe a Process

= !) / ! )

Registry !) -

W
. #

f)

. -) ! 4 () *

v 6'
ob

/ ! >R ,-

-() )

. ! )!

)!

)!

API 5.

);

) 6 . -() )

-() ) )!
.

J* : A U d

() / ( Gm Ak V !) ! ) G

) 6 Registry !) -() )
5.

!) Registry

. Ck

) /

CB Jk*B (18-2) A
. -)

p ,
!)
R3


(18-2) A

J<

! "# %
'

a
a i

W )< R

;# E

aProcess % aR

! . Double Click . .
.! / . () ) p , ! O )!

() ) p , ' Uc>
f)

* ' Uc>
(

/ ! >R ,G .

;#

Registry Editor
. -)

) 6

, ,S CD !) ! "# % V
Tools\ Registry Monitor


+ B< $ ' B-) c


-() ) Q) 8
!

D /

! .

- /

- 8

! .! O

. ' Uc> V

AB =

- # 3T

!) )

a f ) )!

() *

S = Q = !) .
4

. ! )! G .
. /

-7

) G 3. [ -!3

(
!) /

V . # 1

() *

-7
R

zU .

/ !) / . -)

a) !

Dos

D /

-Q

! bV#

1 C6
V

-( 6

'

_ iG

-() )

. ! ". R U .

ob V

) G

() *

-7

-7

. /

) G^

{& ,;

-^ !

() *

. !) G"

-! ". +
C.

S = Q =!)

"

( Gm
^

!) . /

6'

) /

1 ! > . -! "# %

)!

() *

() ) j. i

. {& , = . /

()

-! "# %

.)

E) 2

() *
. !R

-A U d
'! B CD

,/

R U"

' Uc>

- 1 T

) G
V

. 8

3. [ - !3
- 8

ob

);

D /

() / () b !

ob
- 8

D / R ! ". /

D /

- 8

!) -! "# %
.

;#

) o3 {c / o b > 8 !

! 8U /

. a

O )!

.
F

) ! ' Uc> Q) 8
'F 3

!) !

C/ '
- CU . R

7!)b V ;
.

) T

. QF

A Ud

! "# %
! .

() *

/m v i

) O
;#

. 6

23/ ! O

! . A=

p . V !)

( 2 Connection

F4 /
!) ) 6

' Uc> Q) 8 . uD

- B
j 4)

, 4 ) . -

F 1@
.

! . % " a(

`) *

-! "# %
)!

Q ,; ! > .
5.

() / ) < !
)!

) /
() *

- Connection

- Connection

. . / g 3 Rb > 8 !

! .
)!

.) . T " ' > 8 ! V


Netstat ) 3
-A U d

( ,- . /

-Connection

C;#

C / ' K"6 ( ,- . ! - Connection


!) GlG
'kS

. /

( ,- . ! () *

)!

( - 3 -Connection

.Y ;

! "# % V .)

! T () . Console E

Jo

! "# %

K ! u/

! "# % V .)! 01

p , .

- )!

./?

() *

. /( -3

- )!

!T

p , Q =!) ! ! "# % V (19-2) A

!)

. / )! )
!) -

!) Q x R U .

    netstat -o

    Active Connections

      Proto  Local Address   Foreign Address                State         PID
      TCP    omidpc:3214     cs57.msg.dcn.yahoo.com:5050    ESTABLISHED   2696
      TCP    omidpc:3257     www.sony.com:http              ESTABLISHED   3448
      TCP    omidpc:3258     www.sony.com:http              ESTABLISHED   3448
      TCP    omidpc:3259     www.sony.com:http              ESTABLISHED   3448
      TCP    omidpc:3260     www.sony.com:http              ESTABLISHED   3448
      TCP    omidpc:3220     origin2.microsoft.com:http     ESTABLISHED   2788
      TCP    omidpc:3274     nameservices.net:http          ESTABLISHED   3568
      TCP    omidpc:3276     nameservices.net:http          ESTABLISHED   3568
      TCP    omidpc:3277     nameservices.net:http          ESTABLISHED   3568
      TCP    omidpc:3278     nameservices.net:http          ESTABLISHED   3568
      TCP    omidpc:3239     kundenserver.de:http           LAST_ACK      2864
      TCP    omidpc:3241     unknown.Level3.net:http        ESTABLISHED   3008
      TCP    omidpc:3267     64.154.80.250:http             LISTEN        3448
      TCP    omidpc:3272     212.143.22.80:http             LISTEN        3568
      TCP    omidpc:3273     g.websponsors.com:http         ESTABLISHED   3568

Figure 2-19: output of netstat -o (the -o switch adds the PID column, which ties each Connection to its Process)

'! T `! ,

() *

7!)b aA

TE

() ) p , ' Uc>

'! B !) .
.

Connection

/
;S

( -3

/ ! >R ,-

F a Ck

) " Connection ` /) < Process `! ,

D /
. -o
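The PID column is what links a Connection to a Process, and reading it by eye stops scaling once a machine has a few dozen sockets. The Python below is an added example, not code from the book or from netstat: it parses `netstat -o` text into records, groups them by PID (listening ports, remote hosts contacted, number of TCP connections), and answers the question "which process owns local port N". The SAMPLE text is constructed from rows like those in Figure 2-19 plus one LISTENING row and one UDP row (UDP rows print no State column); the PIDs are illustrative.

```python
"""Parse `netstat -o` output into records and map sockets to owning PIDs.
SAMPLE is constructed from rows like those in Figure 2-19 plus one LISTENING
and one UDP row; the PIDs are illustrative."""
import re
from collections import defaultdict

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address              State           PID
  TCP    omidpc:3214            cs57.msg.dcn.yahoo.com:5050  ESTABLISHED     2696
  TCP    omidpc:3257            www.sony.com:http            ESTABLISHED     3448
  TCP    omidpc:3258            www.sony.com:http            ESTABLISHED     3448
  TCP    omidpc:3239            kundenserver.de:http         LAST_ACK        2864
  TCP    0.0.0.0:135            0.0.0.0:0                    LISTENING       1040
  UDP    omidpc:1034            *:*                                          2696
"""

# Proto, local, foreign, optional state (UDP rows have none), PID
ROW = re.compile(r'^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$')


def split_endpoint(endpoint):
    """'host:port' -> (host, port); the last colon is the separator."""
    host, _, port = endpoint.rpartition(':')
    return host, port


def parse_netstat(text):
    """One dict per socket row; banner, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({'proto': proto, 'local_host': lhost, 'local_port': lport,
                     'foreign_host': fhost, 'foreign_port': fport,
                     'state': state or '', 'pid': int(pid)})
    return rows


def summarize(rows):
    """Per PID: listening ports, remote hosts contacted, count of TCP connections."""
    by_pid = defaultdict(lambda: {'listening': set(), 'remote': set(), 'connections': 0})
    for r in rows:
        entry = by_pid[r['pid']]
        if r['state'].startswith('LISTEN'):
            entry['listening'].add('%s/%s' % (r['proto'], r['local_port']))
        elif r['proto'] == 'TCP':
            entry['connections'] += 1
            entry['remote'].add(r['foreign_host'])
    return dict(by_pid)


def owners_of_local_port(rows, port):
    """PIDs holding a socket bound to this local port."""
    return sorted({r['pid'] for r in rows if r['local_port'] == str(port)})


if __name__ == '__main__':
    records = parse_netstat(SAMPLE)
    for pid, info in sorted(summarize(records).items()):
        print(pid, sorted(info['listening']), sorted(info['remote']), info['connections'])
    print('port 3257 belongs to PID(s)', owners_of_local_port(records, 3257))
```

Run it against real output with `netstat -o > conns.txt` on Windows and feed the file to parse_netstat; a PID that is listening on a port no installed service explains, or that holds connections to hosts the user never visited, is the one to open in Process Explorer next.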


+ B< ) 2F
- Connection

d ! ) F4 p . V !) . G b !
.d -) ! 4
!

)!

!) -

-A

;#

! .

T a] 8 ! ` k

! . )!

! . ` k )!

* ' Uc>

. /g 3 ob+
A 8 (Packet)

' Uc>
Q

/ .

. .

D /

= -() ) . ( cU
.

"

iG Q

C/

-/

! (20-2) A

- 8

)8

)8

-() ) Q

! . V . -)

)8

o ..

!) -! "# %

/ ! >R ,-

T E

A 84

)8

( -3

A 3

) 8 uD

!) . -) , ! 4 -! "# % ! G !) !
. /

-() )

-() ) () *
)

7!)b a 8 7!)b aA

D /

!) -() ) {& ,;

. - /

V , Q ,; ! > .

' Uc> Q) 8

) /

!) A84 , 4 !)

! -! "# % +

CB p . -! "# %

. 56 ! !

B-

(
/
-

Uc> V [ A U

D /

8 !) !

(20-2) A

A Ud

. ! o b uD

.+

() ) % <

(
ob

() / ! 4 . ] 8 ! ! "#
"
! A=

' Uc>
(

! . !

! "#
. /

-() ) a /

( -3 A

C,U A U d

. ! !) .

# !) A=
8

()

%)

;. JC=

!) .)

'! /

! "#

8
Ck J 8

# !)
> O )!

! /' * V

! "# %

!) / ! >R ,-

. ' Uc> R

. Rb JC
.

A
! !)
. ! -

A84 JC=
!

.
.3

7 ; '! F.


(E 8 ( 2) > )
<

-! !)

-() ) Q) 8
! "#

. /

-! "# %

) C,U

A /

j 4)

CB ! !) V "f 6

= ! !) V . i

( -3 !

<

1^! "1

. Q ,; ! > .

< ! !) / '! B V

R U.

< ! !)

= !) .

-! !) ) C,U ` k (21-2) A

.)

() *

) - G A / '! O

!) . /

A,U A U d

(21-2) A

()

< ! !) .

! "1
A

. A Ud

'! B !)

() ) ! 4

= ! !) . ! (

! . )!

.)

G!) a /
!

G!)

( -3 A

# !) ' Uc>

< ! !) .)

< ! !) ;. JC=

Q8) )U

!) / ! >R ,-

!) . /

o ob

{ 4) ' Uc> Q !

! () /

+ B< ( 2$) 5 ) (Promiscuous) ] /


(

A 8

= CB

.
.

-() )

. {& ,;

D /

-'! / .

! .p .V
'! / . (

D /

' Uc> . ( cU -

D / . ( cU

Q ,; ! > .
-

. .

*: .

"

- 8
.V

F
(

()

! A. 4 "

!) ' Uc> a
/

*1 / ! >R ,-

o ..

()

8 7!)b A 84
#

8 !) ) 6

- (Media Access Control) MAC %

() ) 7!)b . . R

7!)b /

# uD

/ ' Uc>
,;

f)

Ck

- 8 !)

D /%, Y >
. 3 .
. Q 84

!)
!

/ MAC

! . !
+

)8

8 '! / ! !) .
C /

= V !) . ! ) 4 .
. % , < !) /

<
() *

( -3 !

Q 84 ! o b % ,

()

%< (

-! !)

() *

. .) / ( Gm ! o b
.

. /

=%

# 0T " ! /0 J 8 '! / +

! . R

^ !V


.
8

-'! / x/

a 8 !) ) 6

. .

()

-'! / !) 4 .

)8
=

-() ) C/

.
D /

# A U d

'! B !) () ) % < -

8 !) (

.V

! .

! . C /Q

-() ) Q) 8 ^ ! (22-2) A

/
!)

(22-2) A

2 `! ,
/

D / / F

. ( cU (

) 6

.) 1

! 4 ^ 0T )!

! )) G O )!

Rb F 7!)b

()

#J .a
" 5!,
J . V # 0T
.)!

g 3 A

!) / ! >R ,-

D / J 8 '! / Y >
8 !) ) 6

.i ob .(

-'! /

() ) l F G 7!)b .


2 Sniffer
{& ,;

)8

. J C/

!) -() ) Q) 8
! . A / Q

T 1A Ck % .
*

/ )< ! O

! b5,6

<

-! !)

! ) -Sniffer Q ,; ! > . . /

, 4

. !) () *

! .

)!

T E

J* :

C /Q
,

- Filter V

O )!

/(

) !) /

)8

1! / . . .

. ( 8 d<= A ) .
!

)) G(

- Sniffer !) - Filter

' * 2C

!) (

/ ' Uc> a - &

!/ . (

! .

- (Protocol Analyzer)

)8

-() )

- Sniffer x/ a - 8 !) (

-%"

4 .

() *

.)! ) ( oU . ! Rb !) ) 6
. ! *C

-Sniffer

-! ".

() *

. R) /

^ !. /

.) ) d - G ! 4

C#
! .

1 C6
! . )!

! ob

Winpcap Libpcap ( 2) 3/
5.

) ;
-! "# %

)<

<

-! !) A

- Sniffer

- ! ". V .

= >

. ! 8

. /

Ao

! . ! ". V . (

. -! ". V
!

)8

A Ud

!) ! /
.

) 6

= !) .

-! "# % V [ G

-! "# %

= >

. # !)

f. ! 4 () *

2C
-! "# %

Winpcap

. / 5.

vF A. 4 NT 9X `)

. /

)!

! () / o Sniffer
. Rb

-! ".

C/

, ,S CD !) ! "# % V 3.1
Tools\Winpcap

!) - Sniffer G

!)

/ -)

K ! u/

. ! o. 3
.)

- C. 4 Libpcap

# 1!/ .A Ud

Ethereal ) 3

. ! ". V .
)

) # . Fk

'

)8

8 !) (

4!

. Sniffer

! . ! C /Q

Protocol Analyzer
) 6

- C. 4

() *
.

, ,S CD !) ! "# % V 0.10.4

) 6

Tools\Ethreal
:
- C. 4

) d - G ! "# % V

- C. 4 ' F 3

! ) 8o.

.)! ) ) 6 2C
-%)

a 8

-'! /

*C

v8

V ,- . -)

) !)

j >

.! / . ! ) 6

. Ethereal

-A U d
-! "#

! . !

() . Open Source ! "# %

- C. 4 R) / # S R

31 ! "# % V R "#

G .

*C

)8

.Q

.) 1 '! B ...
-! "# %

f)

Sun Snoop

2>+

( Gm

! .

MS Network Monitor , tcpdump . R

A Ck

C,6

! "# % V
/

!) "

.) / (!
-! "# %

G .

A Ck

-)!

. !(

)8

Y i; A. 4
.

. 6
!)

' Uc>

! "# %

4!

# 1 ! / . -! "# % V +

. Filtering d

) ) G O )!

)! ) ! 2C

() / # S Rb . !

! . C /Q

T 18,000

-A

() *

! "# %

V do
.! / R

V 'F 3

- G () ) R 3

'

. 56 !

-Q x v 4 !) ! "# %

() *
! "# %

.
V

.! / aR) . Open Source

4) ' Uc> a(
V

! .

- C. 4

p . A Ck
v = .

f)

) <

. -) ! 4 R .! /
. ! "# %

( Gm ' Uc> V . / ( Gm Sun snoop tcpdump C,6

.
.

-) .! /

/m )!

! G
. 6

G . Q = . )! b


+
V .

V 0.10.4 J

# 1 ! "# %


K!

.) . - G ' *
A84 a (Linux !)) Libpcap (

!)) Winpcap
.
: /

-! ".

vF

f)

. {& , =

! "# % V `) *

o "

-! ". V

( - 3 ! ! "# % V

. 6

% & vF

CB Jk*B (23-2) A

!)

(23-2) A

:
. 56 !
.] .

CB

, 4

' Uc> ( ,- . ! (

' Uc> . 3 2

-p . a

. -

. k*B a
)8

! .

!/ .
a

. -

-() )

j 4)
.(

A /

/
-

-)! /! . 56 ! ! C /
! .! O

() ) p ,
.)

" ,

G!) ! G
(

/ ! >R ,-

, 4V
p , .

- G

! .

-1
-

. Rb

j 4) ' Uc> a , 4 V

' Uc> V . -)
, 4 -

( -3

C/ . .)! 01
.

!) ) 6

! .

p ,

C/ . .)

-2
.

# 1

p . !) , 4 Rb % G ' Uc>


() ) p ,

. - .] .

.)

% G ' Uc>

, 4 V !)

/m / ! >R ,- -3

F < + B ( 2+@ / > >


!/ V

+8S ' C,U

/9
.) 6

! Start J "1 Capture


- "1

a -

- : (24-2) A

O 5 LBH

. Q) 8 +8S E

,- Capture Options Jk*B


. -)

(24-2) A

! O

p , !


+
. (


h 3 ( < T V do

- "1

G .a

!)

Capture / Interface
)
+

9
(

+8S

. () *

) 8 ' Uc> +8S

.)! ) ) 6 q # p T '! B .

)!

! "#

a Capture Options ` < T


) 6

"1 V .)

%)

, 4 V !)

8 '! /

{& ,;

Generic Adapter J "1

() *

-%)

Capture / Capture Filter


. - C # V .)
(

)8

V ; (

+8S

. R) / ) k

! . Winpcap / Libpcap +

- C#

2 ;

, 4 V !)

BGR.

() *

.
: / 6

/m

-Q x

. ob

- C. 4

- C#V . 8

Q ,U

b)< ! O

Examples of capture filter expressions:

    host 202.2.2.0
        Capture only packets whose source or destination IP address is 202.2.2.0.

    tcp port 80
        Capture only TCP packets with source or destination port 80 (http).

    host omidpc and tcp port 80
        Capture only TCP port 80 packets sent to or from the host omidpc.

    ip proto udp
        Capture only UDP packets. In the tcpdump/Ethereal filter syntax the names tcp,
        udp and icmp are keywords, so after "ip proto" the name has to be escaped as
        \udp; the simpler equivalent is the filter "udp".

    not host omidpc
        Capture every packet except those sent to or from omidpc.

A host name such as omidpc is resolved to its IP address when the filter is compiled, so the same filter can be written with the address in place of the name.
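To show what these expressions actually test, the Python below is an added example, not code from the book, from Ethereal or from Winpcap/Libpcap: it builds a few Ethernet/IPv4 frames in memory (constructed traffic, no interface is opened), decodes the addresses, protocol and ports a capture filter looks at, and compiles the subset of the filter language used above (host, tcp/udp port, ip proto, not, and, or) into a predicate that is run over the frames. The name omidpc is assumed to resolve to 10.0.0.5; the other addresses are made up for the demo.

```python
"""Constructed Ethernet/IPv4 frames selected with capture-filter expressions.
'omidpc' is assumed to be 10.0.0.5; no real interface or DNS is touched."""
import socket
import struct

HOSTS = {'omidpc': '10.0.0.5'}   # assumed name -> address mapping for the demo
ETH_P_IP = 0x0800
IPPROTO = {'tcp': 6, 'udp': 17}


def build_frame(src, dst, proto, sport, dport, payload=b''):
    """Ethernet II + IPv4 (no options) + minimal TCP (SYN) or UDP header; checksums left 0."""
    if proto == 'tcp':
        l4 = struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:
        l4 = struct.pack('!HHHH', sport, dport, 8 + len(payload), 0)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     IPPROTO[proto], 0, socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex('00112233445566778899aabb') + struct.pack('!H', ETH_P_IP)
    return eth + ip + l4 + payload


def decode(frame):
    """Fields the filters test (src/dst IP, protocol, ports); None for non-IPv4 frames."""
    if struct.unpack_from('!H', frame, 12)[0] != ETH_P_IP:
        return None
    l4 = 14 + (frame[14] & 0x0F) * 4          # Ethernet header + IHL words
    sport, dport = struct.unpack_from('!HH', frame, l4)
    return {'src': socket.inet_ntoa(frame[26:30]), 'dst': socket.inet_ntoa(frame[30:34]),
            'proto': frame[23], 'sport': sport, 'dport': dport}


def compile_filter(expr):
    """host X, [tcp|udp] port N, tcp, udp, ip proto tcp|udp, not, and, or.
    'and' binds tighter than 'or'; 'not' applies to the term that follows it."""
    toks = expr.lower().split()
    pos = [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        pos[0] += 1
        return toks[pos[0] - 1]

    def primary():
        t = take()
        if t == 'not':
            p = primary()
            return lambda d: not p(d)
        if t == 'host':
            a = take()
            a = HOSTS.get(a, a)                 # resolve a name, else take a dotted quad
            return lambda d: a in (d['src'], d['dst'])
        if t == 'ip' and peek() == 'proto':
            take()
            t = take()                          # 'ip proto udp' behaves like plain 'udp'
        if t in IPPROTO:
            pr = IPPROTO[t]
            if peek() == 'port':
                take()
                n = int(take())
                return lambda d: d['proto'] == pr and n in (d['sport'], d['dport'])
            return lambda d: d['proto'] == pr
        raise ValueError('unsupported token %r' % t)

    def conjunction():
        terms = [primary()]
        while peek() == 'and':
            take()
            terms.append(primary())
        return lambda d: all(t(d) for t in terms)

    def disjunction():
        terms = [conjunction()]
        while peek() == 'or':
            take()
            terms.append(conjunction())
        return lambda d: any(t(d) for t in terms)

    pred = disjunction()
    if peek() is not None:
        raise ValueError('unexpected token %r' % peek())
    return pred


def select_frames(frames, expr):
    """Indices of the frames a capture filter with this expression would keep."""
    pred = compile_filter(expr)
    decoded = [decode(f) for f in frames]
    return [i for i, d in enumerate(decoded) if d is not None and pred(d)]


def sample_frames():
    """Constructed traffic: omidpc browsing, its DNS query, another host, a chat login."""
    return [
        build_frame('10.0.0.5', '202.2.2.0', 'tcp', 3257, 80),        # 0
        build_frame('202.2.2.0', '10.0.0.5', 'tcp', 80, 3257),        # 1 reply
        build_frame('10.0.0.5', '10.0.0.1', 'udp', 1034, 53),         # 2 DNS
        build_frame('10.0.0.9', '202.2.2.0', 'tcp', 4001, 80),        # 3 other host
        build_frame('10.0.0.5', '216.155.193.1', 'tcp', 3214, 5050),  # 4 messenger
    ]
```

The point of the exercise is the difference between a capture filter and a display filter: the predicate here runs before anything is stored, exactly as Winpcap/Libpcap evaluates a compiled BPF program in the driver, so a frame rejected by "not host omidpc" never reaches the capture file at all.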


V '


- C#V

2 ; ` k .

A /

j 4)

b! O

. / ;6

! "# %

Capture File(s)
(

)8

. ` Gm

)!

-A #

A #A 3 ` k

7!)b , 4 V !)
.)

g 3

Stop Capture
.(

# !)

# !)

.) ;

uT +8S ' C,U /

a ) k V [9

() /

8 !) (

,<= a
/V ;

'! B !) /

)8
. -)

BG

- ) k

Q x R U . .)
.

) 6

V ; +8S ' C,U

.R T . -

- G +8S ' C,U J, G zU . * . y *

. +8S . E

R 3 (25-2) A

! "# %

, 4 V !)

a Capture

; ) ;

/% / -

- "1

uT

,- Capture Jk*B !) ! ) G ) C,U

(25-2) A

.(

- C#+
.

. B!) ) ; . 56 ! ! b ' Uc> k*B V


(

C#

1 , ! 4 8 k )!

. /

( 3 )!

) 6

. -)

( -3

/ ! >R ,-

K! ! o b A

! b ' Uc> V !) A84 JC=

T . 6

!) (

V ;


aA84 JC=

!) (
.! / "

^ !
.

1 /
' *

Ethereal

V ; ]
C=

R) # y *

V !) . -)
.

) 6

BG

/)
.

BG ]

1 .

+8S

. , Q ,U (

() ) p ,

, 4 !) /
b .
.

. !

) '! B . +8S ' C,U % ,

p , !(

/m Capture Options


# 1 O !) o b ) <

- : Filter Expression Jk*B a ,/) V


C # ) < Q = !) ! k*B V (26-2) A

!)

! . !

1! / .
. !

+Expression J,/)
! .

- C#)<

- C#
1! / .

.
()

! .

C/ . . / V ; . /

(26-2) A

- : CB Jk*B

- C# . - C# V

- C#V

! ". !

. ik
( - 3 FTP

C/ .
.p ,
= !)
-


Filter , 4 !)

)<

'! B !) () / ) <
- fC,U %

V ;


J !
) ;

C # aOk J,/)

'! B . O )!

- C#

, y #^ !

'! B !) . / % n) f

. or

and

. / () *
CD !) / Rb

, -! .

! "# %

() *

C/ .

. .) 1

! 4

- fC,U JC
"

-"

V ) C,U ` k .
. / ;6

! .

j 4)
a

. ! ob

) 6

, ,S


() 3
! "#

-'! T
% f,- !)

)!

!) j 4)

() *

)!

. +8

()

C/ p

K ( 2$) 9 c

1 ! > . -! "#

-() ) V . /

A / ' Uc> V

). /

-A

! .

-! "# %


-! "# %

() *
*

E) 2

! "# %

-'! T V j >

a -! "#

) G ' Uc>

> .

) /
/ ! >R ,-

-() ) Q) 8 ! O
! "#

) C,U . 56 ! !

) C,U ` k

) 8 ' Uc>
*

-() )

C/ '
. / g 3 -! "#

! "#

! "# %

! "#

V.

! "#

)V. >8!

J ! !) 7 ;

o J

-A

!) () . Q

T 23/ Q x R U .
!

. /

. /
! "#
)8

- :
-() ) J C/ .

() /

o -

;# V

JC

. -'! T +

# 1 ! 4 'c> J ) 8
C / ^! "1
.

, Q ,U (

. !

) 8 ' Uc>

)8

-() )

C/ p

! . Q ,; ! > .

!) - : V .) 1
'! B !)

)!

%<

! "# %

! ) A / '! O (
! . ! BG

)3

. +/ 0 1. ( 2,

- Crack

82
() 3

) 8 ' Uc>
)!

! "# %

! )! G .

-() )
1A Ck

& . R ,>

. /

D/
+

# 1 ! 4 '! T ) V . Q F
{& ,; ' Uc> V . /

C. 4 '! 4

- : V aA

( - 3 ! Rb 1A Ck ! "# %

(27-2) A

K (2 ^.

!) {& ,; - : V

( Gm ) G JO# = !) ! (

) C,U CU . .) 1

- : V

! 4

! .
.

(27-2) A

!)

83

$ %&' () *!"# /

() 3
.3

) C,U

'! B !)
(

() T

<

)! ) A / '! O (
# . -^! "1 V

-! !)

() *

. - :

!) . / o ^! "1 (

)8

.
b! /

# ; USB

{& ,;

< ! !) V . ! ) -Sinffer

) 8 ' Uc> .

;. JC=

.(2 ^.

() ) p ,

-'! T . '! O
.

-() )
(

. ! "# %

- ! )! G .

( Gm

) , 4 V !)

& . R ,>

>

C. 4

( 2$) 9

Serial Monitor (version 3.16, Tools\SerialMonitor)
[pp. 83-88: pressing F2 or the New Session button opens the New Session Wizard (Figure 28-2); Next leads to the Monitor Session Type window (Figure 29-2), which lists Serial Port Monitor, Log File Playback and Protocol Analyzer; Figures (30-2) to (32-2): a Serial Port Monitor session and the remaining pages of the Wizard.]
USB port monitoring

USB Monitor (version 2.26, Tools\USBMonitor)
[pp. 88-90: USB devices are Plug and Play; USB Monitor is used in the same way as Serial Monitor, the Play button starting the capture; Figure (33-2): the main window.]
API monitoring
[pp. 90-93: Windows programs reach the operating system through API functions (the text counts some 6000 of them) exported by system DLLs and listed in each program's Import Table. The main libraries:
- User32.dll: the windowing functions (windows, menus, messages).
- Kernel32.dll: Process and Thread management, memory, files and Debug support.
- GDI32.dll: drawing functions and graphics objects such as Bitmap, Metafile, Cursor and Icon, used through a device context (DC).
- Winmm.dll: multimedia, e.g. CD ROM audio, Avi and MPEG playback and Joystick input.
The implementation differs between Windows NT and Windows 9X. Since every program enters these functions with a Call or Jump, the calls can be intercepted and logged by an API Sniffer.]
API monitoring tools

API Monitor (version 1.5, Tools\APIMonitor)
[p. 93: performs API Sniffing on a chosen Process and logs the API functions it calls.]
Process filter
[pp. 93-95: Capture > Process Filter opens the Process Filter window (Figure 35-2); the Process list corresponds to the Processes tab of Task Manager (Figure 36-2).]
API filter
[pp. 95-98: Capture > API Filter opens the API Filter window (Figure 37-2), where the API functions to be logged are chosen; Capture API Events starts the capture (Figure 38-2), shown here on notepad and calc; a Double Click on a logged call opens its API Details (Figure 39-2).]
Smart Check (version 6.3, Tools\SmartCheck)
[pp. 98-103: an API Sniffer aimed at programs built from dll and ActiveX components; it logs API calls, errors and Thread events. Program > Settings (Figures 39-2 and 40-2): Error Detection with Advanced Settings such as Suppress System API and OLE Calls; Files to Check (Figure 41-2) selects the dll, OLE and ActiveX modules to monitor; Error Suppression (Figure 42-2). Start or F5 runs the target, here notepad.exe (Figure 43-2); in the view menu, Show all events and Event Reporting control which events are listed.]
SoftSnoop (version 1.3, Tools\SoftSnoop)
[pp. 103-108: combines API Sniffing with a Debugger. F1 or Options (Figure 44-2) and Set Options choose the API functions to watch; Figure (45-2) shows notepad.exe with MessageBoxW and CreateFileW selected. From the Action menu, Set BPX / Set Breakpoint (Figure 46-2) stops the program when the chosen function (MessageBoxA or MessageBoxW) is called; Modify API Return Value (Figure 47-2) changes the value the function returns to the program; F4 resumes (Figure 48-2); Modify API Stack (Figure 49-2) edits the arguments of MessageBoxW on the Stack before it runs (Figure 50-2); Resume All Threads continues execution.]

Disassemblers and decompilers
[A Disassembler turns machine code back into assembly language; a Decompiler attempts to recover source code in a high-level language such as C / C++. Both are needed to understand a compiled program.]
Disassembler
[p. 112: to Disassemble a program is to translate the Machine Code (HEX) of an X86 program, the form the CPU executes, back into Assembly Code. Table (1-3) shows the correspondence:]
Table (1-3): Assembly Code, Machine Code (HEX) and Compiled Machine Code (Binary)

Assembly Code          Machine Code (HEX)    Compiled Machine Code (Binary)
push 00000100h         68 00 01 00 00        01101000 00000000 00000001 00000000 00000000
push [ebp+08h]         FF 75 08              11111111 01110101 00001000
call [4020B4]          FF 15 B4 20 40 00     11111111 00010101 10110100 00100000 01000000 00000000
mov ebx,eax            8B D8                 10001011 11011000
mov eax,[403106]       A1 06 31 40 00        10100001 00000110 00110001 01000000 00000000
mov ecx,0000000Ah      B9 0A 00 00 00        10111001 00001010 00000000 00000000 00000000
xor edx,edx            33 D2                 00110011 11010010
div ecx                F7 F1                 11110111 11110001
add edx,00000030h      83 C2 30              10000011 11000010 00110000
add eax,00000030h      83 C0 30              10000011 11000000 00110000
shl edx,08h            C1 E2 08              11000001 11100010 00001000
add eax,edx            03 C2                 00000011 11000010
mov [40316D],ax        66 A3 6D 31 40 00     01100110 10100011 01101101 00110001 01000000 00000000
mov edx,[40310A]       8B 15 0A 31 40 00     10001011 00010101 00001010 00110001 01000000 00000000
mov eax,403159         B8 59 31 40 00        10111000 01011001 00110001 01000000 00000000
cmp edx,00000002h      83 FA 02              10000011 11111010 00000010
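As an added example (not code from the book), the following Python decoder walks the Machine Code (HEX) bytes of Table (1-3) and recovers the Assembly Code column for exactly the opcode forms the table uses, which is the first step every disassembler performs. The constant and function names (TABLE_1_3, decode_modrm, decode_one, disassemble) are the example's own; immediates are printed as eight hex digits with an h suffix and memory addresses in brackets, following the table's style.

```python
"""Mini x86 (32-bit) decoder for the opcode forms in Table (1-3).

Added example, not code from the book: it walks the "Machine Code (HEX)"
bytes of the table and recovers the "Assembly Code" column. Only the
opcodes the table uses are handled (no SIB bytes, no prefix other than
66h); any other byte raises instead of being guessed.
"""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]   # 83 /r
GROUP2 = ["rol", "ror", "rcl", "rcr", "shl", "shr", "sal", "sar"]  # C1 /r
GROUP3 = {2: "not", 3: "neg", 4: "mul", 5: "imul", 6: "div", 7: "idiv"}  # F7 /r
GROUP5 = {2: "call", 4: "jmp", 6: "push"}                          # FF /r
RM_OPS = {0x03: "add", 0x33: "xor", 0x8B: "mov"}                   # op r32,r/m32

# Constructed input: the HEX column of Table (1-3), in table order.
TABLE_1_3 = bytes.fromhex(
    "68 00 01 00 00  FF 75 08  FF 15 B4 20 40 00  8B D8  A1 06 31 40 00 "
    "B9 0A 00 00 00  33 D2  F7 F1  83 C2 30  83 C0 30  C1 E2 08  03 C2 "
    "66 A3 6D 31 40 00  8B 15 0A 31 40 00  B8 59 31 40 00  83 FA 02"
)


def u32(code, pos):
    return struct.unpack_from("<I", code, pos)[0]


def decode_modrm(code, pos):
    """Decode the ModRM byte at code[pos]: (reg field, r/m operand text, next pos)."""
    modrm = code[pos]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    pos += 1
    if mod == 3:                                   # register operand
        return reg, REG32[rm], pos
    if rm == 4:                                    # a SIB byte would follow
        raise ValueError("SIB addressing not handled at offset %d" % (pos - 1))
    if mod == 0 and rm == 5:                       # [disp32], no base register
        return reg, "[%X]" % u32(code, pos), pos + 4
    text = "[" + REG32[rm]
    if mod == 1:                                   # [base+disp8], sign-extended
        disp = struct.unpack_from("<b", code, pos)[0]
        pos += 1
        text += ("+%02Xh" if disp >= 0 else "-%02Xh") % abs(disp)
    elif mod == 2:                                 # [base+disp32]
        disp = struct.unpack_from("<i", code, pos)[0]
        pos += 4
        text += ("+%08Xh" if disp >= 0 else "-%08Xh") % abs(disp)
    return reg, text + "]", pos


def decode_one(code, pos):
    """Decode the instruction at code[pos]; return (assembly text, next pos)."""
    op = code[pos]
    pos += 1
    if op == 0x66 and code[pos] == 0xA3:           # 66 A3: mov [moffs32],ax
        return "mov [%X],ax" % u32(code, pos + 1), pos + 5
    if op == 0x68:                                 # push imm32
        return "push %08Xh" % u32(code, pos), pos + 4
    if op == 0xA1:                                 # mov eax,[moffs32]
        return "mov eax,[%X]" % u32(code, pos), pos + 4
    if 0xB8 <= op <= 0xBF:                         # mov r32,imm32
        return "mov %s,%08Xh" % (REG32[op - 0xB8], u32(code, pos)), pos + 4
    if op in RM_OPS:                               # add/xor/mov r32,r/m32
        reg, rm, pos = decode_modrm(code, pos)
        return "%s %s,%s" % (RM_OPS[op], REG32[reg], rm), pos
    if op == 0x83:                                 # group 1: r/m32,imm8 (sign-extended)
        reg, rm, pos = decode_modrm(code, pos)
        imm = struct.unpack_from("<b", code, pos)[0] & 0xFFFFFFFF
        return "%s %s,%08Xh" % (GROUP1[reg], rm, imm), pos + 1
    if op == 0xC1:                                 # group 2: shift r/m32,imm8
        reg, rm, pos = decode_modrm(code, pos)
        return "%s %s,%02Xh" % (GROUP2[reg], rm, code[pos]), pos + 1
    if op in (0xF7, 0xFF):                         # groups 3 and 5: one r/m32 operand
        reg, rm, pos = decode_modrm(code, pos)
        mnemonic = (GROUP3 if op == 0xF7 else GROUP5).get(reg)
        if mnemonic is None:
            raise ValueError("unhandled %02X /%d at offset %d" % (op, reg, pos))
        return "%s %s" % (mnemonic, rm), pos
    raise ValueError("unhandled opcode %02X at offset %d" % (op, pos - 1))


def disassemble(code, base=0):
    """Return [(address, hex bytes, assembly)] for the whole byte string."""
    listing, pos = [], 0
    while pos < len(code):
        text, nxt = decode_one(code, pos)
        listing.append((base + pos, " ".join("%02X" % b for b in code[pos:nxt]), text))
        pos = nxt
    return listing


if __name__ == "__main__":
    for addr, raw, asm in disassemble(TABLE_1_3, base=0x401000):
        print("%08X  %-20s %s" % (addr, raw, asm))
```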

[pp. 112-113: each instruction is identified by its Opcode, which is what lets a disassembler split the byte stream into instructions. Disassemblers exist for many instruction sets, e.g. JAVA bytecode, Z80 and 80x86; the ones used in this chapter are listed below.]
W32Dasm (version 8.7, Tools\W32Dasm)
[pp. 113-120: disassembles 16- and 32-bit Windows programs and resolves the API functions they import. F10 opens the Go to menu with Go to program entry point (F12) and Go to Code Location (Figure 2-3). The numbered walkthrough covers: Go to code location; following a JE or JMP with Double Click, Execute Jump or Execute Text (Figure 3-3) and coming back with Return from Last Jump (Ctrl + Left); Execute Call on a Call instruction (Figure 4-3); Functions > Imports, the Imported functions list (Figure 5-3), and Functions > Exports, the Exported functions list (Figure 6-3, Kernel32.dll as example); Refs, the references to a function (Figure 7-3); a Double Click on an entry to reach its code, with explorer.exe as the example (Figures 8-3 and 9-3).]
PE Explorer (version 1.97, Tools\PEExplorer)
[pp. 120-125: a PE file viewer with a built-in Disassembler, particularly useful for programs built with Borland Delphi and C++ Builder. The Disassembler window (Figure 10-3); Navigate > Select Address (Ctrl + G, Figure 11-3) jumps to an address; Enter follows a Call or JMP and Esc returns; a Double Click on References (Figure 12-3, address 403D7C as example) lists the cross-references to an address. For Delphi and C++ Builder programs the VCL (Virtual Component Library) classes and their Event handlers are recognised by name: in sample.exe the classes descend from TObject (Figure 13-3) and the Click handler of the Cancel button of TMainForm is located directly (Figure 14-3).]
[pp. 125-127: the Disassembler offers four views (View 1 ~ 4). F7 follows a Call such as Call SUB_L00428010 to address 428010; the keys F9, F6 and F5 and the Swap Current command move between the views and exchange the current view with View2 (Figure 15-3).]
Interactive Disassembler (IDA Pro) (version 4.6, Tools\IDAPro)
[pp. 127-129: an interactive disassembler that supports many processors (X86, Z80, ...) and file formats, including .Net and JAVA. Loading notepad.exe (Figure 16-3): the loader asks for 1. the file format (PE for Win 32, 80x86), 2. the program type (32-bit Windows GUI) and 3.-5. further analysis options. The Disassemble result is kept in an idb database, written through File > save / save as.]
[pp. 129-134: navigating the Disassembler window. 1. G or Jump to address (Figure 17-3) goes to a given address; Enter on a call or JMP follows it and Esc returns; Alt + Enter opens the target in a second window (Figure 18-3: Jmp Short Loc_1005B66 at address 1005B66, View-B). 2. Scroll through the listing (Figure 19-3). 3. Ctrl + P, Jump > Jump to functions (Figure 20-3); a Double Click on a function jumps to it; Rename address (Figure 21-3) gives it a meaningful name. 4. Jump by name, Ctrl + L, opens the Choose a Name list (Figure 22-3); Mark Position (Figure 23-3) bookmarks an address.]
[pp. 134-140: Figure (24-3); X or a Double Click opens the xrefs list of an address (Figure 25-3); Function Call / Open Function Calls lists the callers of a function (Figure 26-3). Graphs are drawn by the Wingraph32 program: 1. View > Chart > Flow Chart shows the Flow of a function (Figures 27-3 and 28-3); 2. Function Calls draws the call graph (Figure 29-3); 3. xrefs to (Figure 30-3); 4. Xrefs From (Figure 31-3).]
Decompiler
[pp. 140-144: where a disassembler stops at assembly language, a Decompiler attempts to rebuild source code, ideally in C / C++; the result is rarely the original source, and C / C++ Decompilers remain imperfect.]

REC (Reverse Engineering Compiler) (version 1.6, Tools\REC)
[p. 144: a Decompiler that turns binaries (PE and other formats) into C/C++-like pseudocode. The example below compares the C++ source, the disassembly and the REC output:]
C++ Code
#include <windows.h>   /* MessageBox */

int FindMax(int Ar[], int Size) {
    int i, Max;
    i = 0;
    Max = 0;
    do {
        if (Max < Ar[i]) Max = Ar[i];
        i++;
    } while (i < Size);
    return Max;
}

int main(void)        /* declared void Main() in the listing, yet returns 0 */
{
    int Array[10] = {0};   /* left uninitialized in the listing */
    int Max;
    Max = FindMax(Array, 10);
    MessageBox(0, "Max Found", "Test Caption", 0);
    return 0;
}

-------------------------------------------------------------

Disassembled Code
L00401000: 55                    push ebp
           8b ec                 mov ebp,esp
           83 ec 08              sub esp,+0x8
           c7 45 f8 00 00 00 00  mov dword [ebp-0x8],0x0
           c7 45 fc 00 00 00 00  mov dword [ebp-0x4],0x0
L00401014: 8b 45 f8              mov eax,[ebp-0x8]
           8b 4d 08              mov ecx,[ebp+0x8]
           8b 55 fc              mov edx,[ebp-0x4]
           3b 14 81              cmp edx,[ecx+eax*4]
           7d 0c                 jnl 0x40102e
           8b 45 f8              mov eax,[ebp-0x8]
           8b 4d 08              mov ecx,[ebp+0x8]
           8b 14 81              mov edx,[ecx+eax*4]
           89 55 fc              mov [ebp-0x4],edx
L0040102e: 8b 45 f8              mov eax,[ebp-0x8]
           83 c0 01              add eax,+0x1
           89 45 f8              mov [ebp-0x8],eax
           8b 4d f8              mov ecx,[ebp-0x8]
           3b 4d 0c              cmp ecx,[ebp+0xc]
           7c d5                 jl 0x401014
           8b 45 fc              mov eax,[ebp-0x4]
           8b e5                 mov esp,ebp
           5d                    pop ebp
           c3                    ret
L00401046: 55                    push ebp
           8b ec                 mov ebp,esp
           83 ec 2c              sub esp,+0x2c
           6a 0a                 push +0xa
           8d 45 d8              lea eax,[ebp-0x28]
           50                    push eax
           e8 a9 ff ff ff        call 0x401000
           83 c4 08              add esp,+0x8
           89 45 d4              mov [ebp-0x2c],eax
           6a 00                 push +0x0
           68 30 60 40 00        push dword 0x406030
           68 40 60 40 00        push dword 0x406040
           6a 00                 push +0x0
           ff 15 9c 50 40 00     call [0x40509c]
           33 c0                 xor eax,eax
           8b e5                 mov esp,ebp
           5d                    pop ebp
           c2 10 00              ret 0x10


--------------------------------------------------------

REC Output (without symbolic information)

/* Procedure: 0x00401000 - 0x00401045
 * Argument size: 0
 * Local size: 8
 * Save regs size: 0
 */
L00401000(A8, Ac)
/* unknown */ void A8;
/* unknown */ void Ac;
{
    /* unknown */ void Vf8;
    /* unknown */ void Vfc;

    Vf8 = 0;
    Vfc = 0;
    do {
        if(Vfc < *(A8 + Vf8 * 4)) {
            Vfc = *(A8 + Vf8 * 4);
        }
        Vf8 = Vf8 + 1;
    } while(Vf8 < Ac);
    return(Vfc);
}

/* Procedure: 0x00401046 - 0x00401078
 * Argument size: -28
 * Local size: 44
 * Save regs size: 0
 */
L00401046()
{
    /* unknown */ void Vfd4;
    /* unknown */ void Vfd8;

    Vfd4 = L00401000( & Vfd8, 10);
    *__imp__MessageBoxA(0, "Max Found", "Test Caption", 0);
    return(0);
}
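Added example (not the book's or REC's own code): it recomputes the instruction addresses of the listing above from the byte column and resolves the rel8/rel32 displacements, so the three branch targets (jnl 0x40102e, jl 0x401014, call 0x401000) and REC's two "Procedure: start - end" ranges can be checked against the raw bytes. The base address 0x401000 is taken from the first label; the byte/mnemonic pairs are transcribed from the listing.

```python
import struct

BASE = 0x401000  # address of the first label (L00401000) in the listing

# (bytes, mnemonic) pairs transcribed from the listing; branch targets are left
# off the mnemonics so that they can be recomputed from the bytes.
LISTING = [
    ("55", "push ebp"), ("8b ec", "mov ebp,esp"), ("83 ec 08", "sub esp,+0x8"),
    ("c7 45 f8 00 00 00 00", "mov dword [ebp-0x8],0x0"),
    ("c7 45 fc 00 00 00 00", "mov dword [ebp-0x4],0x0"),
    ("8b 45 f8", "mov eax,[ebp-0x8]"), ("8b 4d 08", "mov ecx,[ebp+0x8]"),
    ("8b 55 fc", "mov edx,[ebp-0x4]"), ("3b 14 81", "cmp edx,[ecx+eax*4]"),
    ("7d 0c", "jnl"),
    ("8b 45 f8", "mov eax,[ebp-0x8]"), ("8b 4d 08", "mov ecx,[ebp+0x8]"),
    ("8b 14 81", "mov edx,[ecx+eax*4]"), ("89 55 fc", "mov [ebp-0x4],edx"),
    ("8b 45 f8", "mov eax,[ebp-0x8]"), ("83 c0 01", "add eax,+0x1"),
    ("89 45 f8", "mov [ebp-0x8],eax"), ("8b 4d f8", "mov ecx,[ebp-0x8]"),
    ("3b 4d 0c", "cmp ecx,[ebp+0xc]"), ("7c d5", "jl"),
    ("8b 45 fc", "mov eax,[ebp-0x4]"), ("8b e5", "mov esp,ebp"),
    ("5d", "pop ebp"), ("c3", "ret"),
    ("55", "push ebp"), ("8b ec", "mov ebp,esp"), ("83 ec 2c", "sub esp,+0x2c"),
    ("6a 0a", "push +0xa"), ("8d 45 d8", "lea eax,[ebp-0x28]"), ("50", "push eax"),
    ("e8 a9 ff ff ff", "call"), ("83 c4 08", "add esp,+0x8"),
    ("89 45 d4", "mov [ebp-0x2c],eax"), ("6a 00", "push +0x0"),
    ("68 30 60 40 00", "push dword 0x406030"),
    ("68 40 60 40 00", "push dword 0x406040"), ("6a 00", "push +0x0"),
    ("ff 15 9c 50 40 00", "call [0x40509c]"), ("33 c0", "xor eax,eax"),
    ("8b e5", "mov esp,ebp"), ("5d", "pop ebp"), ("c2 10 00", "ret 0x10"),
]


def rel_target(addr, raw):
    """Target of a short Jcc (opcodes 0x70-0x7f, rel8) or a near CALL (0xe8, rel32).
    The displacement is relative to the address of the *next* instruction."""
    if 0x70 <= raw[0] <= 0x7F and len(raw) == 2:
        return addr + 2 + struct.unpack("<b", raw[1:])[0]
    if raw[0] == 0xE8 and len(raw) == 5:
        return addr + 5 + struct.unpack("<i", raw[1:])[0]
    return None


def lay_out(listing=LISTING, base=BASE):
    """Return (address, bytes, instruction) rows with branch targets resolved."""
    rows, addr = [], base
    for hexs, mnem in listing:
        raw = bytes.fromhex(hexs)
        target = rel_target(addr, raw)
        rows.append((addr, hexs, mnem if target is None else f"{mnem} 0x{target:x}"))
        addr += len(raw)
    return rows


def procedure_ranges(listing=LISTING, base=BASE):
    """Split the layout at RET instructions into (first, last) address pairs,
    the form REC prints in its 'Procedure: start - end' headers."""
    ranges, start = [], base
    for addr, hexs, text in lay_out(listing, base):
        end = addr + len(hexs.split()) - 1
        if text.startswith("ret"):
            ranges.append((start, end))
            start = end + 1
    return ranges


if __name__ == "__main__":
    for addr, hexs, text in lay_out():
        print(f"{addr:08x}  {hexs:<20}  {text}")
    print(procedure_ranges())
```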

() *

( k

o.

! ! "# % V ) C,U ( k

C/ = > . & . Q x . / Q =
.d -) ! 4

! . )!

! Rb

DOS Q

+G

/j >

. )!

. /

.! / +

! ) ! "# % V

! 4 . ] 8 ! .! / . () / # !) ! ) G
:

. ! "# % V

- ) ! aR

() *

^ !V

()

> REC.exe sample.exe

& . Q x !) sample.exe /

,=

-A # E

! "# %

V '! B V !) (AOUT , ELF, PE , COFF)

! . A Ck )!

! o b uD

6 A # . % ,-

REC

! 8U /

() *
R

R
#

#A #%

-A # .

/ =

T . C # !) -^ ) T V

6 G ' Uc> . -)

! 4

6 A # . 56 !

A #

j 4)

- G ( Gm O )!

j 4) ' Uc> R) / g 3 ! O

! "# % V )

) ! A # . 56 !

3.
Uc>

G . 6 G

( - 3 ! Rb X "6

.
-/

A # V . /
.

. /

. ! "# %

6 A # () )

/ O )!
.+

) 6

() ) g 3 ! O )!

.
j 4) A Ck . <

-A # V

- cmd

!)

Q x !)

#!wrec
option: +hexconst
option: -doloops
types: winuser.o
types: winbase.o
file: file.exe
region: 0x80000400 0x80001600 0x400 text
region: 0x80001600 0x80002000 0x1600 data
symbol: 0x80107fe0, 0x80108077 T CrearImage()
symbol: 0x80108078, 0x801080d7 T LoadImage(char *, int, int)
symbol: 0x801080d8, 0x8010813b T StoreImage()
symbol: 0x8010813c, 0x801081ff T MoveImage(char *, int, int)
patterns: libmips.pat
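As an added example (not the book's or REC's own code), a parser for the `#!wrec` command file above followed by a few consistency checks. The field order for `region:` (start, end, file offset, kind) and `symbol:` (first address, last address, type letter, name) is read off the sample; the "symbol lies outside every region" report is this example's own sanity check, not a rule REC is known to enforce.

```python
import re
from dataclasses import dataclass, field

# Constructed copy of the command file shown above (same directives and values).
SAMPLE = """#!wrec
option: +hexconst
option: -doloops
types: winuser.o
types: winbase.o
file: file.exe
region: 0x80000400 0x80001600 0x400 text
region: 0x80001600 0x80002000 0x1600 data
symbol: 0x80107fe0, 0x80108077 T CrearImage()
symbol: 0x80108078, 0x801080d7 T LoadImage(char *, int, int)
symbol: 0x801080d8, 0x8010813b T StoreImage()
symbol: 0x8010813c, 0x801081ff T MoveImage(char *, int, int)
patterns: libmips.pat
"""


@dataclass
class Region:
    start: int      # first virtual address
    end: int        # one past the last address (the next region starts here)
    offset: int     # file offset of the region's first byte
    kind: str       # text / data


@dataclass
class Symbol:
    start: int      # first address of the routine
    end: int        # last address, inclusive (the next symbol starts at end + 1)
    typ: str        # type letter, 'T' in the sample
    name: str       # name with prototype


@dataclass
class WrecFile:
    options: list = field(default_factory=list)
    types: list = field(default_factory=list)
    file: str = ""
    regions: list = field(default_factory=list)
    symbols: list = field(default_factory=list)
    patterns: list = field(default_factory=list)


SYMBOL_RE = re.compile(r"^(0x[0-9a-f]+)\s*,\s*(0x[0-9a-f]+)\s+(\S)\s+(.+)$", re.I)


def parse_wrec(text):
    lines = text.splitlines()
    if not lines or lines[0].strip() != "#!wrec":
        raise ValueError("missing '#!wrec' header line")
    wf = WrecFile()
    for ln in lines[1:]:
        ln = ln.strip()
        if not ln:
            continue
        key, sep, val = (s.strip() for s in ln.partition(":"))
        if key == "option":
            wf.options.append(val)
        elif key == "types":
            wf.types.append(val)
        elif key == "file":
            wf.file = val
        elif key == "patterns":
            wf.patterns.append(val)
        elif key == "region":
            start, end, off, kind = val.split()
            wf.regions.append(Region(int(start, 16), int(end, 16), int(off, 16), kind))
        elif key == "symbol":
            m = SYMBOL_RE.match(val)
            if not m:
                raise ValueError(f"malformed symbol line: {ln!r}")
            wf.symbols.append(Symbol(int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
        else:
            raise ValueError(f"unknown directive in {ln!r}")
    return wf


def lint(wf):
    """Consistency checks worth running before handing the file to the decompiler."""
    problems = []
    regions = sorted(wf.regions, key=lambda r: r.start)
    for r in regions:
        if r.end <= r.start:
            problems.append(f"region {r.kind}: end is not after start")
    for a, b in zip(regions, regions[1:]):
        if b.start < a.end:
            problems.append(f"regions overlap: {a.kind} and {b.kind}")
    symbols = sorted(wf.symbols, key=lambda s: s.start)
    for s in symbols:
        if s.end < s.start:
            problems.append(f"symbol {s.name}: end before start")
        if not any(r.start <= s.start and s.end < r.end for r in regions):
            problems.append(f"symbol {s.name}: outside every declared region")
    for a, b in zip(symbols, symbols[1:]):
        if b.start <= a.end:
            problems.append(f"symbols overlap: {a.name} and {b.name}")
    return problems
```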

) !)

'! B !) .

#!wrec
"< d-

. Cmd

" :" / ! / . /

-A #
Rb

/
-R

( -3
1!b !

/ ! >R ,)


o . . / () *

O )!

A. 4 )!

'!

. !) #

/! /

! . .Q=. # 1 -

A # !) ' k S

! 4

! . )!

!)

V [

) /

. G ) T d - G -A # V !) () *
Option
.

! "# %

.(

# 1 O !) ' , O

( /g 3 !

. / ( - 3 ! "# % '

)V

!) ! o b ' K"6

'! B !)
Types

5.

-! G

a -() ) E

. 56 !

A # 1 Qx R U . .
A #

a /

user32.dll

. / !) ) 6

. )! ) % winuser.o / !

V . ( ,- / ! )!

2 ; pT
API 5.

g 3 !

)!

API 5.

O )!

. / V !) ) 6

Related File

5.

)V
)!
6

2 ; pT
cmd

Q 6 !) . / # S > .
!) . /

.. /( -3 )

( -3

S U C/C++
.

Type File

-A # !

6 A # !) () *

-A #

Related File R

! -A #

. /A #a

= /

o b 2 ; p T ( ,- .

() *

A # !) -A # V
/ ! > .

Uc>

S U ! "# %
- C D /+
/m "

> .

Type File    Related File                Description
FCNTL.O      FCNTL.H                     This file defines constants for the file control options used by the _open() function.
STDIO.O      STDIO.H                     This file defines the structures, values, macros, and functions used by the level 2 I/O ("standard I/O") routines.
STDLIB.O     STDLIB.H                    This include file contains the function declarations for commonly used library functions which either don't fit somewhere else, or, cannot be declared in the normal place for other reasons.
STRING.O     STRING.H                    This file contains the function declarations for the string manipulation functions.
mmsystem.o   MMSYSTEM.H (mmsystem.dll)   Include file for Multimedia API's.
shellapi.o   SHELLAPI.H (shell32.dll)    SHELL32.DLL functions, types, and definitions.
winbase.o    WINBASE.H (kernel32.dll)    This module defines the 32-Bit Windows Base APIs.
wingdi.o     WINGDI.H (gdi32.dll)        GDI procedure declarations, constant definitions and macros.
winreg.o     WINREG.H (advapi32.dll)     This module contains the function prototypes and constant, type and structure definitions for the Windows 32-Bit Registry API.
winuser.o    WINUSER.H (user32.dll)      USER procedure declarations, constant definitions and macros

! O

. . / () *

E 6! ! "# %

ob

)< !) G(

V '

)2 ; pT

-A # V

-A #

'! B !)

( k . 56 !

j 4) ' Uc>

# !)
. /
File

g 3 Decompile ' C,U

A #V . /

/m {c84 /

. ! O )!

6 A #!

. )!

)V

-A # E
Region

7!)b aE

.)! 01

) 6
d

- 1(!

!
. /

6 A # 2C

'! B !) /

! .

A Ck ( k

) 6
R

. # 1

) V !) () *

=
! .

. data =

! .! O

6 G A # !) =

#b

G R

)!

/ 'kS

.(

- G ! 4
) G(

)V

) =

() *

!T

# 1 O !) E

! . )!

. text =

/ !) (

R) / # ;

) < zU .
( k
. /

region:

Decompile ' C,U ! O

Decompile

( ,- . ! !

)!

! 01! . % f - !) R T

Decompile ' C,U !) 3 . U

A # o.
!) -

'!

g 3 A # !) O )!

e Rb
-

() *
.

V . /
!) .)) 1

( -3

1 C6
6 G

! T - ) C,U

Start Address   End Address   File Offset   Region Type
0x8001000       0x80109b4     0x8FF         text

Symbol

) 6

5.

. ! -

! <

)%

6 GA #

o.

5. R T 7!)b R) / g 3 a!
# 1 !/ .

! T aR T aE
G zU .
)V

REC +

7!)b o b

-% V . /
! T !) . /

)"

! /) G ! > . ;. A=

! T '!

)V

V ;

6 A # !)

CB / .

3. [ -

!)

)!

! S
.)
Patterns

-() )

"f 6

# 1 ! / . REC +
! f

. ! BG

;. A=

-A # V ! G

- f '!

!) -% V . /

Q x !) .

) V !) () *
V ;

6 GA #

)!

8, %
o.

Pat

-A #

.lG
G ) < zU .
. /

.
(

( -3

MyFunction() size: 16
A0 00 0A 24 08 00 40 01
00 00 09 24 00 00 00 00
;
MyData size: 14
B5 A7 0A 24 08 2D 01 00 09 24 00 AA 00 00
;
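An added example (not from the book or from REC): a parser for the pattern-file shape shown above, which also checks each entry's declared size against the bytes listed, and a scan that reports where each pattern occurs in a constructed image, the way a pattern library is used to recognise known library routines in a stripped binary.

```python
import re

# Constructed copy of the pattern-file fragment shown above.
PAT_SAMPLE = """MyFunction() size: 16
A0 00 0A 24 08 00 40 01
00 00 09 24 00 00 00 00
;
MyData size: 14
B5 A7 0A 24 08 2D 01 00 09 24 00 AA 00 00
;
"""
HEADER_RE = re.compile(r"^(.+?)\s+size:\s*(\d+)\s*$")


def parse_pat(text):
    """Return [(name, bytes)]; each entry is 'name size: N', hex byte lines, then ';'."""
    patterns, name, size, buf = [], None, 0, bytearray()
    for lineno, ln in enumerate(text.splitlines(), 1):
        ln = ln.strip()
        if not ln:
            continue
        if name is None:
            m = HEADER_RE.match(ln)
            if not m:
                raise ValueError(f"line {lineno}: expected 'name size: N', got {ln!r}")
            name, size = m[1], int(m[2])
        elif ln == ";":
            if len(buf) != size:
                raise ValueError(f"{name}: declared {size} bytes but listed {len(buf)}")
            patterns.append((name, bytes(buf)))
            name, buf = None, bytearray()
        else:
            buf += bytes.fromhex(ln)
    if name is not None:
        raise ValueError(f"{name}: missing terminating ';'")
    return patterns


def find_patterns(blob, patterns):
    """Every (offset, name) at which a pattern's bytes occur in blob, lowest offset first."""
    hits = []
    for name, pat in patterns:
        pos = blob.find(pat)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(pat, pos + 1)
    return sorted(hits)


# Constructed image: filler, then MyData, a gap, then MyFunction's bytes.
PATTERNS = parse_pat(PAT_SAMPLE)
IMAGE = b"\x90" * 8 + PATTERNS[1][1] + b"\x00" * 4 + PATTERNS[0][1] + b"\xc3"

if __name__ == "__main__":
    for off, name in find_patterns(IMAGE, PATTERNS):
        print(f"{off:#06x} {name}")
```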

! ". V ! G !)
"

o.
# / ' Uc>

G
() *

6 A # )!

!)

)
. ! ! "# % V

3.

' Uc> [ -

. .

3.

6 G

-8

(
o

/ ! >R ,-

6 A # a) 1 ! 4

Q x !) .) . - G ! )! G .
. /

( -3

> .

Cmd A # !)


hexdump(char * fname)
{
unsigned char buff[16];
unsigned long offset;
struct _IO_FILE* fp;
struct stat st;
int cnt;
if(stat(fname, & st) != 0) {
fp = fopen(fname, "rb");
if(fp != 0) {
offset = 0;
L08048867:
if(st.st_size > offset) {
cnt = fread( & buff, 1, 16, fp);
if(cnt != 0) {
dumpline( & buff, offset, cnt);
offset = offset + cnt;
goto L08048867;
}
} else {
}
fclose(fp);
eax = 0;
} else {
perror(fname);
eax = 1;
}
} else {
perror(fname);
eax = 1;
}
}


JAVA Decompilers
!) -applet '! B .
-

.R. V

-Byte-Code %

- C D /.
R.

. Byte-Code V

R.

1 ! > . JAVA R .

()

# 1!/ . f)

. -

,6

.V

..

6 ! "#

- C D /+

)!

.e

"

&.!

ob
( k

-! G

6 G

) !) .)

() T
/

# 1 ! / . JAVA

"

,6

> .

v8 ^ ! V
()

1! /

. A D / A=

. / JAVA

- ! )!) G .

) < A D / ! O

-Decompiler V

- Decompiler

." R. V

- C D / +

. !(
(

. R) / A D / ! O

= > 1)

! JAVA

! . )!

/)

() *

R.

T . {& ,;

-Decompiler V

.) ) d - G ! 4

.V

-! "# %

( oU . o b

/ , ,6

< V
. -

'! B -Byte-Code . (

a) 1

C.

-! "# %

) .! /

( Gm Class

*: .

(JAVA Virtual Machine) JAVA

..

.(

. {,

j#

) C,U

DJ JAVA Decompiler (JAD) ) 3


! "# %

JAVA

() / A,U JAD ! ".

+. !

JAD /
!

. (

V ! ". V ) <

. -! ". V

QD /! O
! "# %

() *

. /

-Decompiler V

TR U .

CU .)! b

. h kF .
CB

= >

)!
R .

k*B (1-4) A
( -3 (

Decompile

) 6

! ". V

= !) DJ JAVA Decompiler
o. () *

. ! )!

.! / +. ! 4 #
ob 6 GA #

!) .)

d- # Rb

# ;

6 DOS Q

.! /
/ !)

/m / ! >R ,- () . ()

4 1! / . JAVA

- C D / +

) <

- / p , Q = !) ! DJ JAVA Decompiler

, ,S CD !) ! "# % V 3.7
Tools\ DJJavaDecompiler


(1-4) A

Visual Basic Decompilers


%

. +

R.

! VB
R

. ! ) G

< V

" (

A D /

/ /
U

6
6

. 4

!) .

+
6

A84

Visual Basic

- / V .) /

A 8 P-Code

A 8 V

-A # V ) 6 V . )! ) ) 6 V

, 4
/ zU .

= !) / dll A #

A D /R

6 G

-A # V

= !)

R.

A 3 ! /0 dll A #

V ,- /

R.

.) /

.(

. ! /0 dll A # . '

) ;

G # ( cU .

.)
A # !) V

)!

-A,; !

- ! )! G . ) k !
) k
E

6 -A # !) (
-7!)b . 56 ! !

-A # !) (

() *

-! G

() *

. / +. ! .
8

. " Rb
g 3 .

ob
%U . 6

-Decompiler a
3 . o b x/ ) C,U

-Decompiler V ) 6 V

* ' Uc>
X

C D / V () *

() . ) ; !

C C

! G

ob 'F 3

. .)
% a5.

6
.
6


) C,U

O )!


6 A # C/ ! G

!) do !

1 A,U V . / g 3
.)

. G ) T d - G VB

- Decompilers V

j#

k Rb

! . . zk. V

) !)

VB Reformer ) 3
A D /
T
-Q

6
.

-A # !) () *

5.

. Rb CB ) C,U *1 R

a -% # . ] .
.

a .! / +. !
G

TV .

. A / ! > . .! / +. ! . ] .

. !) V ) , 8 6{ # B /)

()! b ) 6

) 6

! ". V

# 1! / . Visual Basic C

.)

-A # A

! .! O

-A # o
.

() *

O )!

6 A #

obV.

c.

-A # o

.(
G
-7c/

ob

, ,S CD !) ! "# % V 4.1
Tools\VBReformer

. G ) T d - G Rb . Q x
F. X

-% # 8

[ .

) !) /

C C p , Q = !) ! ! "# %

()

CB k*B (2-4) A
. /

. ! ". V . ! / ( k

( - 3 o b !) ) 6

!)


(2-4) A

, 4
a /
> .

- Ak
( - 3 (3-4) A
C8,

- /

. !) ) 6

5.

!) / ! >R ,- . / () *

)!

G!) ! ) ,

7!)b a -E 6! 7!)b . 56 !
.)

!) ' Uc>

# !) ! O

Procedures-code

* ' Uc> a5.


() ) p , ( < T

-9

! , 4 !)


(3-4) A

. Resources Visual Basic

, 4
.

() *
) D. O )!

(4-4) A

Qx

,-

6 A # !) VB )!

'! B!)
5.

! .


C++ Builder / Delphi Decompilers


ob

- Borland

-A #

/ . A / ! > . A D / % f - !) -R . V
!) ! O
{ 8
V

. / o b !) (
#

ob

. 6

-! "# %

2 ; pT
)

= > % f - !) / X

) 6 '! B R ,- . "
- C D /V . ) 1
5.

RC Data %

5.

-! G

. () *

() . ! )! G . . G

2!;

-%

.a ) /

b - C D /V

! > . ! Rb ) C,U ( k

#! d - G - C D / V

v 6

-R . V !)

G v8 ) G .

. -% V . ! )

() *

"

. .! / +. ! . ] .
.

-7c/

q #p T '! B . VB

-! G

, 4 !) -() ) V . /

-() )

V ; (

- / 3.

.) GlG

A 8 V
# 1 O !) aX

)!

A D / A # !) a (

- C D /

. . ! ) o. 3 ! G

) 6

G ob 6 G

Decompile

R) / ( Gm

v8 a (

-7c/

o (
(

84 A. 4

C++ Builder

.(
.e

- Decompiler /
.

Delphi

( Gm

-A # ' B FG

X
6 A #

G . . /Q=

-Decompiler V

.) 6

.) ) d - G ! 4

! . )!

4
A /

DeDe (Delphi Decompiler) ) 3


C++ Builder , Delphi - C D /
.(

A D /

-Decompiler V

.) 6

-A # R) / Decompile ! O
.)

) 6

A /

! "# % V

Borland

# 1 ! / . - C D / V 2 ~7

G
C

, ,S CD !) ! "# % V 3.50.03
Tools\DeDe
.d -)

! 4

! . )!

! ! ". V . ! / ( k Q =

A # ! / V % < . . -) ! 3# ! Process ,/) () / . ! O )!


,

A,U V

. . -) ! 3# ! OK ,/) uD

A Ck )!

() ) p ,
! Rb uD

%WT .3
(Dump) () /

WT

6 DeDe +

/ 8B

6 A # aE

6 A #A /

G . O# =

! /0
6

/ - G
6 A # DeDe

! O )!
. -)

! 4

! .


(5-4) A

6 . / -)
() *

)!

a)

/ ! 8<

h6

DeDe a O# k

! 01! . O# = . / ! Rb
O# = . ! 01! . % f - !) (

-A #

G . () *

O )!

6 A #

O# k

() ) p , (6-4) A

.3

WT

G . C=

j. i Extended Analyses ( < T a% W T V

.. /

() *

-A # % ,
.

CU .

! G (

R) . " b

-) ! 4
/

'! B !)

%cU ! ' C,U V


.)

() ) p ,

(6-4) A

G .
! .
R3 !

! 01 %
. .) 1

23/ ! O
'! B
< 6

(
!

j 4)
G

A84 C=

. (7-4) A

! . Extended Analyses p . !)
!) /

-7c/

a -! G

( < T Extended Analyses


.) ) - G


(7-4) A

A Ck <

() ) p , DeDe CB ( < T Extended Analyses ' C,U % ,

v = . ! /0 ' Uc> a o.
. G) Td - G o b

G ! O
! . .

. .)! 01
) !) /

p ,

. ! (

*C

%<

uT
! .

-p . . E S
Classes Info

C / ' Uc> ( ,- .
G .a /

6 A # !) () *

( - 3 (8-4) A

q #p T ! > . /
A ) V ,- . .
.

)!

!) / ! >R ,- .)

- C++Bulder/Delphi
& . d<=

, 4 V !)

01 p , .

- C D / )!

() ) ! 4 - C D / V +
- ! )! G .

-7c/ C/

- C D /+

-7c/ a -7c/ V
G

- . 56 !

6
G

-A # % , !)
6

-A # /


(8-4) A

Rb %
(9-4) A
-

! . a O )!

7c/ . 56 !

j 4) ' Uc>

,- Class Information ( < T A,U V


. 56 !

# !) ! O

p , .

(9-4) A

'! B !)

. . / Double click -7c/

4) ' Uc> ( ,- . ! ! /0 7c/


.)! 01

X PU

6 A # !)

!)

(
-E

-:

-7!)b

5.

(! .!) "

* !

C,6 Rb

7c/ l G

. ' Uc> ( < T V !)

/ )! ) ) 6 "
-

.] .

-E
-)! /!

( -3 &.A

7!)b 7c/
- iG

!) / ! >R ,-

.] .

5. a7c/ 9

-! G
(

5.

.) / (!
Units Info
(

unit , C++ Builder/Delphi


, 4 !) .

. ...

-! G

( ,- . O )!
(10-4) A
!;
unit E

a5.

aX

7!)b -% V

.(
(

-Unit
% )

-A #

a -7c/ 2 ! ;

6 A #

!) / ! >R ,- .
-%

- C D / !) /

G .

. a

, 4 {& ,;

- !) (
(

Units Info
2 ;

CU .
() *

(10-4) A

-A # V .

% U
/

/ ! >R ,-

-Unit C/

() *

01 p ,

-7c/
/

( -3

Unit_00480100
6 A # !) O )!

Forms

p , . O )!
! /0

6 A # !) (

- C D / )!

() *

)!

-( < T C/

-A # '! B . ! o b

, 4 V !)

'! B !) .)
. / () *

ob

01
() / ( Gm

(11-4) A

A,U V

. . / Double Click Rb
.)

! .

01 p , . O )!

O )!

% #

-:A

( -3 ! O

( < T ( ,- . DFM Inspector ( < T


(12-4) A

)! /! a O )!

( < T !) (

() *

-Q /

() ) p , DFM Inspector ( < T !) (

! . / = .a /

() ) R 3

( -3

C C ! G

/ ! >R ,-

!) " Rb . :
.)

- ,/)

!
.

-A # !) '

W )< R

DeDe C;#

) 3 , 8 6 { # B DFM Inspector ` < T !) ) 6

- Q ;# n

Procedures
01 p ,
. (
(

.d
/m " )

6 A # !) ) 6

5.

Unit v = . 5.
! Rb % a

. 56 !

4) !

( - 3 (13-4) A

. BG )

! .

TQ

() *

!;

. ' Uc>

, 4 V !)

!) / ! >R ,- .)
5.
5.

! B !)

)!

!) .


(13-4) A

. / Double Click aEvents


.)

!) Rb %

! . a5.

() ) R 3 (14-4) A

(14-4) A

.] .

- /( -3 ! O

,- Disassembler ( < T A,U V .

() ) p , o

O )!

-7c/ . -E 6!

% a7c/ E
- / A Ck

5.

G # )!

a7c/ %

.] .
!)

. 56 !

"< !) ! ,

( -3 &.A

* ' Uc> a

' Uc> V .
. -) !

O )!
i

!
a

A,; !

!)

) /

C8,
)

/!) (

! B !) .)

G # V R) / Q 8 ) . a
%<

k*B !) 5. Rb . ] .

C8,

! .

BG
C8,

-^ T R) /Q 8 ) ! O

'!

!) ^ T 7!)b . :

. (call) 5.

G # A,; !

!) / ! >R ,- .) ) - G p ,

-d b
.

(15-4) A

;6

! B !) . / Double Click

(15-4) A

-Unit

) /

G # R) / Q 8 ) % f - !) ,
-/

-E 6 V

-E 6!

() ) p , Disassembler ( < T [

V .)
'! B . (

()! b (

G #

%<

! /0 A,; !

!) / ! >R ,- .)

6 A # !) ) 6
(

() / Disassemble ! ! /0 5. DeDe a
-

C C

! .

. ;i4 ^ T !

a O )!
! Rb

- / Disassembler ( < T !)

C8,

, !) o b
,1!)
! .

C/ . a /

C C
8
1 C6

- G () ) p , Disassembler


(16-4) A


unit - !) (

,-

() *

-Q / ( - 3
Events

. /9

'! B !)

6 . ! Controls

"1

(16-4) A

a - 1(!
C

a- W

.(

-)!

T , G

a CB

C D / !) .)
(

/ !

-A # !)
<

() b 5. V
-A #

CB * :

- /

. (17-4) A

! .

'! B!)
- ....

-7c/ ) <

. {& ,; C++Builder/Delphi
.] .

O )!

- C D /

- / {& ,; . /
dpr o b

/m /! >R ,- .

! Q ,; ! > . .

procedures k*B !) DPR ,/)

-/

! . / ( -3

T A # !) 5. V

.)

C8,

6 A # V nb
6

( Gm - C D / V (

pT
G

Ak

A #

T Delphi
. % &

nb 5. V 7!)b

- C D /V

5. V

- /( -3 ! O

.] .

,- / Disassembler ( < T A,U V

.. /

.) ) - G p , ! 5. V

.] .

.
.
C/


(17-4) A


.NET Decompilers
( IL) +
V

. .Net

R.

C/ ! G

) C,U ( k k

) !) / ! >R ,- .

# 1 ! / . IL

. G !
.

Decompile

6
6

-Decompiler .

() . ! )! G .

A #(

) ;

/ !) ) 6
- G

- C D /+

< V
- JAVA
- /

-! ". V +

# 1!/ .) < A D /

-A #

W .

- / p , Q =!) ! Reflector ! "# %

/m / ! >R ,+

- C D /

) 6

,- - C D /

Decompile
R .

1)

( -3 ) G

Tools\Reflector

- / a )

CB k*B (18-4) A

, ,S CD !) ! "# % V 4.1

(18-4) A

,6

- /)< ! O

. /

!)
6

Debugger

2 Debugger
+ I
-Debugger '

_!

. () / () *
() *

) G

5i4 ! > . a& . hi

... - iG . )!

Pascal , C++

- /

,=
.

-R .

. -! "# %

- iG 5#! 23/ ! O

,- & . hi

) < A=

. -R . V

.(

A Ck aQ /

%< ! O

/! O

. -! ". V

- /Q

/! O

. -Debugger V {& ,; .)

() *
Debugger
! "#

! . ob '

. -! ". V
6

-A #
.

6
d

.)
.! /

-! "# %

!/( k

o "

'

() /

! .] .

o
' K"6

/ ! >R ,-

-/

! . -

! . -

-Debugger V
! ob V

# 1 ! / . ...

-Debugger
-A #

) C,U ( k

()
,! 4

! .%< ! O

-() *
V

) .! / T

.) ) d - G ! 4

! . )!

A D /

! .

C/! > . .)

. {& ,;

. -Debugger
. 6

- /

Soft Ice .)

Y ;

! .%< ! O

f) E

! . j 4)

) ) . -Debugger V

k -Debugger V V

# ;

!) ) 6 "

"/ ,

.! /

-! !)

( )

!Q

.
! .

!)

..

() *
f)

# 1!/ .

AF# V !) a o b .
A / ! > . ! Rb

- C. 4


OllyDbg) 3
! . aA Ck
) / d- G

!) ;

hS

a! "# %

! Rb

- C. 4

.'

.! /

p . V !) .)! ) (Win32 PE)

- C. 4 '

() ) ! 4

V '

'

3.) /d- G ;

'

)!

! . )!

. ;
<

- 18)V

!)

. /

. ! ". V ' B FG

! G 9 / V

- C. 4 V

. -)

. o b CG ) 5.
!) - dll

! .(
.

A # !) (

6 A #

. C8,

- / !) API )!

() *

Q ,U ' , O

5.

. ASCII

'

-A # R) / \ 8 )

W R) / ( Gm

\ 8 ) ' C,U % f G

!Tg 3

8 3T G

-)!

- / !) < 6 ' C,U

6 A # R) / \ 8 ) % f - !) >
.\ 8 ) A=

(! . )

!) (

6 .

6 '!
R . a\ 8 )

>

) R) / Q 8 )
6 A=

24

2C

. j 4) 5

!) C8,

- / !) '

8 3T G

E
.

-^ ! K !
W )< R
.

- C D /+

() *

)!

-! G

6
8 3T G

1 1E
]

. U

.
. C8,

! .

UNICODE

C/

. R) / \ 8 ) G

- iG

(! . ) () *
.

Rb A /

! "# % V

6 % f - !) /

'! B !) o b

CB =

! . A Ck !) & . !

"< '! B . dll

G #

-A #

-/

- , 4

G . . !01 - f

.Multi Thread
. C8,

-A #

o . .d -) h S

.d / (!
.d

! ! "# % V 2C

. 6

G
G

6 A #

G .g 3

2 Debugger /78 9

173
.

, ,S CD !) ! "# % V 1.10

) 6

Tools\OllyDbg

l B> $ A"% b <


ob

v = .

.! / .)

. / nb dll

nb \ 8 ) ' C,U ^ !
6 A #

. ! \ 8 ) ' C,U () / 9

l B>
1)
. Rb

.! O V
6

.. / 6 \8)
. BG R

# +G

= !) ! O )!
-

!T /

_)

! B !)

() /

> # > ( #

6 A #

. / /m Arguments , 4 !) (1-5) A

(1-5) A

. ! ". V !)

'! B!)
. ! O )!
,- ! o b )

A #
()! b


Explorer

. dll

exe


-A # R) / .

Add to Explorer

"1

. / Q ;# !

. !

. (2-5) A
"1 V (

"1
,- ! O

- : ( < T !) uD

! / 1)
V

! O

/ #S

() / 9

! Options

(2-5) A

Explorer !) o b R) / !

%f- !

-A # / ) . - G !) 4

. / nb ! \ 8 ) ' C,U () / ! 01! . OllyDbg R !) . a) 6

(3-5) A

"1 V R

Q ;# .
() *


# J _)
-

. . / -)

Attach
(
.
9

!R

"1 ! O V
!)

API 5.

)!

8. (Single Step) \ 8 )

. ! ob

,- Select Process ( < T A,U V

. (4-5) A
- )!

..

V - 18) .

> # ( 2 > +/

a ! ) ! Rb . Q F

' Uc> ( ,- . ! d
F4 / ! O )!

!) 6 Q = !)
.

() *

/ ! >R ,-

AF

6 Q = !)

File

.. /9

. /

(4-5) A

(
-

. C/
. .)! 01

p ,

C/ ! Attach ,/) () /

)3

- Crack

. +/ 0 1. ( 2,


_ ) dll ( 2 >

l B>
<
%

!) .
.

'! B . dll

6 A #

a -A # E

,/

! 4 ! "# %

CB

-A # R) / \ 8 )

! 4

) !

. \8) R

/ ! >R ,. OllyDbg

)< ! O

loaddll.exe

dll A # R) / \ 8 ) F4 .! / /

! B !) .)! )

. !)

! 01! . ! O

! dll

! . )!

-A # CG ) 5.

() *

6 A # R !)

! Rb OllyDbg

AG )
dll

V , d

AG !/ - ( #

6 A #V . /

. Rb

-A # CG ) 5.

() /

D/

) . ) G

6 A #

. Q= . /

() *

G # ( k Qx

.) ) d - G
MessageBoxW %

user32 .dll A # CG ) 5.

. !

d ! ) F4 Q x V !)
.d /

!.V

. /

! B !) .d /

6
.

G #

,- ! ! /0 dll A #

-A #
- G 6

%WT .

. !)

() ) % < ! A,U V

(5-5) A

dll A # loaddll.exe

() / ! 01! . ! O )!
.] .

- / /

% f - !)
V

) 6

! > .

! .

nb ! \ 8 )
Rb (

nb , 4 V

! Call Dll Export

Export

A Ck ' C,U
() b 5.

- G 6 a O )!

A # ! 01! .

dll A # /

)!

!) B 5.

,- Call Export ( < T A,U V


b

! .

/ dll

uT ' C,U V

"1 a! /0 dll +

() ) p , (6-5) A
. /9

-/

/ Q ,; ! > . \ 8 ) ' C,U .


.)

.)

. /

. OllyDbg a' C,U

6 A # C

. aMessageBoxW 5.

, 4

G # ! O
/ 9

Debug
G #! O


(6-5) A

) ; a

O )!

5.

f. O !)
.

) !

API 5.

)!

!T

!T

5. V

! T ;. C=

!) .)

! B !) a O )!

() ) g 3 Rb ) !

. ! BG!
() b ^ ! (7-5) A

5. 9

'! B !) .
!) . / () *
. /

q #p T

uT
-

!T
V ;

- "1

( - 3 ! MessageBoxW 5.


(7-5) A

() /

C/ ! Call ,/)

() b 5.

. /

. /

( -3

!T

() *

(8-5) A

!T

)!

/Q=

G # ! MessageBoxW 5.

. ! 5. V

G # <

(8-5) A

!)


(CPU window) Olly Dbg A` F 8 9


' C,U

- : CB ( < T a

6 A #

. /

! 01! .

! .

A Ck ' C,U R T

( - 3 ! k*B V (9-5) A

uT

!) .)) 1

nb \ 8 )

( -3

/ ! >R ,-

(9-5) A

- , 4V
. ....
!) .

-.

-' 8e C;#
.

, 4 T . k*B V

;S a\ 8 ) ' C,U ' K"6 . 56 ! !

/ = - , 4V
.) ) d - G ! 4

! .
! . )!

Tab

C/

! k*B V 2C

/
Uc>
() *

) BG *:
. . ! 01

p ,

- , 4 ) C,U ( k

Disassembler -1
! >R ,- .)
B G ' Uc>

01 p , . O )!
- /)

R
. -)

6 A #(

Disassemble

- / , 4 V !)

! o[ . Disassembler , 4 ) / ( - 3
%< " ! BG2 :

01 p , . !

Address

R) / Double Click . .)
A 8

C;# i

() ) p ,
a 8

6 A # !) - i

-7!)b .

<

< 7!)b R

-7!)b aR

V !)

-7!)b

! .

(10-5) A

Hex Dump
p , Hex '! B . O )!
R

A,;

V ! /0 ' Uc> . ( cU a /
-7!)b . 56 ! !
. /

g 3 5.

* !

. ( 3 Disassemble % G ' Uc>

( - 3 (11-5) A

. ' Uc> - /! / V .

. -E 6!

-A,; !

(11-5) A

-"
) F

, 4 V !)

!) / ! >R ,- .)
,/

- /! / G .

X 8 a5.

R T E

() )
=


Disassembly
- / V !)

'! B !) .

8 ; \ 8 ) A=
!) O )!

Q > !) o (

A,;

01 p ,

Q ,U '

! .! O V

W /

.. !

,- Assemble ( < T ! / V

(12-5) A

. C8,

- /R

) 6

. / Q ,U !

O )!

6 A #

! .

V !)
W

. . / Double Click aDisassemble R


.)

() ) p ,

(12-5) A

!) . / V "f 6 ) G O )!
,/

6 A,; !

- G T NOP e .
C84 A,; !
ob v

)+

P#
- G

6 A,; !

) . !) 6
#S

3.
# 1
)

P# a

6 A,; !
;.

.)) f

A,; !

;.

( < T V !)

. Q ;# Fill with Nop's

P# 1 a

-A,; !

zU . /
[ /

A,; !

-A,; !

. C84 A,;
W

-A,; !

)v

P# /

P# /

"1 /

)!

! B

P#

! B !) .

#S

P# a

) 4) 3 ,- <

!) .)

zU . () . C84 A,; !

Comment
-! G

'kS
. :

! aAPI
'! B !) .

comment R

p , (13-5) A

G # . 56 !
(

! .! O V

()! b

* !
! .

. ' Uc> R

A Ck A=

. . / # S O )!

V !)

!) (
."

!) G(

,- Add Comment ( < T A,U V . . / Double click O )!


.)

)
i
() )


(13-5) A

) 6

'kS

! O

.a

Ctrl + F1
() *
"1

() / # S O )!
API 5.

. )!
- C/
.

() /

. !(

G #
! Rb

)!

) /

. ! /0 5.

( < T V !)
! B !) -)

W !

. 56 ! j 4) ' Uc>

# !)

OllyDbg . / () *

, -! A #

. ! A # V .)! ) % win32.hlp /

1 6! > .

. / # ; ! "# % V

)'kS

O )!

() / 9

. API 5.

! O V
() *

uD

) 6

b Help

Select API Help

, ,S CD !) , - ! A # V
Tools\Win32.hlp

. 56 !

4) ' Uc> Ctrl + F1

- C/

() *

.
. ! b

, -! A # V
.(

# ;

uT

G # API 5.


(14-5) A

Information -2
(

Q !

-R

A # +G . +G

1!b a C;# A,; !

) . 56 !

* ' Uc>

6 % f - !) ' Uc> V .)

-7!)b R) / Q 8 )

."

! *C

01 p ,

- "1 , 4 V .

. G) Td - G o bh S

) !) .

( ) _!

CB ( < T

, 4 V !)

. G!

, -! a

Rb .

() ) p ,

6
)

Dump -3
)!

() *

. O# =

, 4 !) V . ( cU .)
.

A # 2C

01 p , . ...

# 1 O !) "

-() ) V

- , 4%G

-() ) , 4 V !)

Float , Integer , Text , Byte , Hex A 84

! . / =

< 6! O

- "1 Dump

. *C

. G) T d - G o bh S

) !)

Registers -4
V !) '
!

! .

W )<
C/ .

C. 4

01 p , . d
'! B !) .)) 1

-' 8e C;#
)<

.! /

.R

, 4 V !)

'! B !)

! . )!

"

! FPU


MMX , 3DNOW

-' 8e !) ) 6

a , 4V R U

. -)

() ) ! 4

W ! O

.a

'! B !)

(15-5) A

O )!

' 8e !) ) 6

)< R

! .

- : (16-5) A

-' 8e C;# !

,- Modify ( < T A,U V


.)! b

(16-5) A

d- # 2C

. . / Double Click
-'! B . ! '

+

- C/

!) (
hS

() / 9

() ) p ,

) !) .

! O )!

' 8e !

. / () *

'
R"

-7!)b R) / Q 8 )

W V

.!

V p- /

."

*C

)< ! O

p "#

- "1 , 4 V !)

# 1 O !) Disassembler , Stack , Dump C,6

- , 4

. G) Td - G o b
Stack -5
;

'

C,6

01 p , . Rb !) ) 6

CB k*B =

!) a) 6

)
.

"

. !

G # !)
6

(17-5) A

/ ! G Rb

stack

P# , 4 V !)
< 6! O

# 1 O !) Disassembler , Dump

. stack

'! B !) .)
. .(pop)

!T

-7!)b R) / Q 8 )

-7!)b ( Gm ! O

uT ! O V
. / () *

31 .

() *

5.

! F U V Gb

{& ,;
. -

/ ! >R ,-

!TQ ! ! O

(push) () / # S stack

j. i Pop DWORD, Push DWORD

- "1

C/

(17-5) A

Q ,U ! ) G O )!
.. /9
! G !) ! '

'

! Modify
W )< R

W aStack !) ) 6
"1 a

!
(

C/

-() )
O )!

)
FU9

() ) p , (18-5) A

!)

'! B !)
uT ! O V

.. /

,- Modify ( < T A,U V


. -)

! 4 ,


(18-5) A


(Breakpoints) \] - W I.
-) .! / 24
\ 8 ) A=

-. /

!)

!) g 3 aA.
.
d

() *

8 3T 24
+

() /

/!

ob

1! / .

/ *1 R

)R

. / 6

# V , . "6

OllyDbg !) 24

1! / . ( k

. !) B G

() . 31! / !

!)

. ' C,U V !) ,
.

! . )!

OllyDbg

1E

) < zU .

. ! \ 8 ) ' C,U

24 ]

R 1

1! / . ( k a o b . +C

i !) .)) 1 ' C,U V !) 5

f .v

d- G! 4

)! )

) !)
.) )

"
a O )!
.

7!)b !) ]

6 Q

) G(
. 24
24
6

R) )! 4

)'

V . -)

) !

]
]

24

7!)b Rb . :
! .

1V ) ; .

. / () *

ob

- , 4 !) o b

() *

! 4 () *
24

( Gm

)!

V a)

)<

-A,; !

) ) D.

.)

. +G . +G

(! . ) O )!

o. 3

e "

O )!

7!)b

7!)b 9

Hex Dump

6 . a() ) % < !

1V

) !)

f - data

V ; 24

OllyDbg

A # /

a24 ]

) k

B G ) C,U

. (

. ) 1

Debugger

BG

% f - !) (

1 6 ! > . ! "# %

R) 3# Disassembler , 4 !) O )!

zU . o

! 01! . OllyDbg +

()

) !) (INT3) \ 8 ) *4 A,; !
) ;

-A # !) ! \ 8 ) A=

) .! / T V

! .

/ , 4 !) + # 24

obv

) .R

.! / ;. . C=

() . 8 ;

)<

- 24

A,; !

() / ) < ! o b
.)) 1

-A # V . /

uT .

\] - W I. -1

. A # -

! B !) .) 1

Q ,U (! . ) ! /) G ! > .
V )< ^ !V

4 !) R) / Double Click .

()
F2

C/

) - G


(19-4)A

. /!

/'kS
(

( ,- . 24

) < 24 ]

) < 24

) A. 4 View

!) / ! >R ,- .

!) -

Breakpoints ` < T

. / () *
A

! y # ' C,U

R) / Q ;# n ! O

( -3 ! O

Breakpoints J "1 j >

C /

() ) .! / . o b R) / Q ;# n '

( < T V !)

W )< R

( -3

() ) p ,

( <TV
(20-5)
- )!

(20-5) A

' < \] - W I. -2
% f - !) OllyDbg / ' * V
'! B !)
) 6 .)

() /
24

! .a

.
(

V ;

,; 24
.! / +

(\ 8 ) J*4 ) INT3 A,; !

)+

,- { 4) 24

/ ! BG]
6

ob .R

! ! /0 +

1V
6
! 4 .

() *

)!

) .! / T

.)) 1

\ 8 ) ' C,U R

-% W T v = . ( < T

Disassembler , 4 !) ! O )!

() / 9
(21-5) A

- <

/ zU . 24

1V

T R) / \ 8 ) !) 24

)< ! O

,- Add Condition ` < T A,U V . . -) ! 3# ! Shift+F2

- C/ uD

.! / . ! O )!

. 24

. -)

7!)b

a]

V ; R

() ) p ,

(21-5) A

a9 G
.

G . ( cU /
-Q x

() *

# 1 O !) -]

) !) .

A /

j 4)

! .! O

() *

. (1-5) Q 6 !) . / ;6

!) "

Sample

! "# %
() ) h S

-]

V !) -]

V '

) 8;

2 ; R

2 ; ` k

.
.

1 OllyDbg

. ! BG

! ( T !

. . G ) T d - G ! "# %

.
Category           Sample                          Description
Numeric Systems    10                              constant 0x10 (unsigned). All integer constants are assumed hexadecimal unless followed by a decimal point;
                   10.                             decimal constant 10 (signed);
Constants          WM_PAINT                        Window Paint Message (Value = HF)
Characters         'A'                             character constant 0x41
Registers          EAX                             contents of register EAX, interpreted as unsigned number.
                   EAX.                            contents of register EAX, interpreted as signed number.
Memory Addresses   [123456]                        contents of unsigned doubleword at address 123456. By default, OllyDbg assumes doubleword operands.
                   DWORD PTR [123456]              same as above. Keyword PTR is optional.
                   [SIGNED BYTE 123456]            contents of signed byte at address 123456. OllyDbg allows both MASM- and IDEAL-like memory expressions.
                   [[123456]]                      doubleword at address that is stored in doubleword at address 123456.
Strings            STRING [123456]                 ASCII zero-terminated string that begins at address 123456. Square brackets are necessary because you display the contents of memory
                   [STRING 123456]=="Brown fox"    true if memory starting from address 0x00123456 contains ASCII string "Brown fox", "BROWN FOX JUMPS", "brown fox???" or similar. The comparison is case-insensitive and limited in length to the length of text constant.
                   EAX=="Brown fox"                same as above, EAX is treated as a pointer.
                   UNICODE [EAX]=="Brown fox"      OllyDbg treats EAX as a pointer to UNICODE string, converts it to ASCII and compares with text constant.
Conditions         EAX.<0.                         0 if EAX is in range 0..0x7FFFFFFF and 1 otherwise. Notice that constant 0 is also signed. When comparing signed with unsigned, OllyDbg always converts signed operand to unsigned.
                   EAX<0                           always 0 (false), because unsigned numbers are always positive.
                   (EAX>0 && EAX<9) || ECX==2
                   [ESP+8]==WM_PAINT               in expressions, you can use hundreds of symbolic constants from Windows API.

(1-5)
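Added example, not from the book or from OllyDbg: a small evaluator for the expression forms in table (1-5), run against a constructed register/memory snapshot, so the rules the table states can be exercised (hexadecimal unless a trailing `.`, signed versus unsigned comparison with the signed side converted to unsigned when mixed, `[...]` as a doubleword read, case-insensitive string comparison limited to the constant's length, a number treated as a pointer when compared with a string). Only WM_PAINT is modelled among the API constants, and character constants such as 'A' are not handled.

```python
import re
import struct
MASK = 0xFFFFFFFF
SYMBOLIC = {"WM_PAINT": 0xF}       # WM_PAINT's real value; the only API constant modelled here
MODS = ("STRING", "UNICODE", "SIGNED", "BYTE", "DWORD", "PTR")
TOKEN = re.compile(r'"[^"]*"|&&|\|\||==|[<>()\[\]+-]|[A-Za-z0-9_]+\.?|\S')
BINARY = [("||",), ("&&",), ("==", "<", ">"), ("+", "-")]   # lowest precedence first

class Machine:                     # constructed debuggee snapshot: registers + one memory block
    def __init__(self, regs, base, mem):
        self.regs, self.base, self.mem = regs, base, mem
    def dword(self, addr):
        return struct.unpack_from("<I", self.mem, addr - self.base)[0]
    def cstring(self, addr, wide=False):
        off, step, out = addr - self.base, 2 if wide else 1, bytearray()
        while off < len(self.mem) and self.mem[off]:
            out.append(self.mem[off])    # UNICODE: keep the low byte ("converts it to ASCII")
            off += step
        return out.decode("latin-1")

def sval(v):                       # value = ("n", raw32, signed) or ("s", text); '.' sets signed
    return v[1] - (1 << 32) if v[2] and v[1] & 0x80000000 else v[1]

def compare(op, l, r, m):
    if l[0] == "s" or r[0] == "s":
        const, other = (r[1], l) if r[0] == "s" else (l[1], r)
        text = other[1] if other[0] == "s" else m.cstring(other[1])   # a number is a pointer
        return op == "==" and text[:len(const)].lower() == const.lower()  # case-insensitive
    if l[2] and r[2]:                # both signed: signed comparison
        a, b = sval(l), sval(r)
    else:                            # mixed: the signed operand is converted to unsigned
        a, b = l[1], r[1]
    return {"==": a == b, "<": a < b, ">": a > b}[op]

class Evaluator:
    def __init__(self, text, machine):
        self.t, self.i, self.m = TOKEN.findall(text), 0, machine
    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else None
    def take(self, want=None):
        tok, self.i = self.peek(), self.i + 1
        if want is not None and tok != want:
            raise ValueError(f"expected {want!r}, got {tok!r}")
        return tok
    def expr(self, level=0):         # precedence climbing over BINARY
        if level == len(BINARY):
            return self.unary()
        v = self.expr(level + 1)
        while self.peek() in BINARY[level]:
            op = self.take()
            v = self.apply(op, v, self.expr(level + 1))
        return v
    def apply(self, op, l, r):
        if op in ("||", "&&"):
            return ("n", int((bool(l[1]) or bool(r[1])) if op == "||" else (bool(l[1]) and bool(r[1]))), False)
        if op in ("+", "-"):
            return ("n", (l[1] + r[1] if op == "+" else l[1] - r[1]) & MASK, l[2] and r[2])
        return ("n", int(compare(op, l, r, self.m)), False)
    def unary(self):
        tok, mods = self.take(), []
        if tok == "(":
            v, _ = self.expr(), self.take(")")
            return v
        while tok in MODS:               # MASM style: STRING [addr], DWORD PTR [addr]
            mods.append(tok)
            tok = self.take(None if self.peek() in MODS else "[")
        if tok == "[":
            while self.peek() in MODS:   # IDEAL style: [STRING addr], [SIGNED BYTE addr]
                mods.append(self.take())
            addr, _ = self.expr()[1], self.take("]")
            return self.load(mods, addr)
        if tok[0] == '"':
            return ("s", tok[1:-1])
        signed, word = tok.endswith("."), tok.rstrip(".")
        if word.upper() in self.m.regs:
            return ("n", self.m.regs[word.upper()] & MASK, signed)
        if word in SYMBOLIC:
            return ("n", SYMBOLIC[word], False)
        return ("n", int(word, 10 if signed else 16) & MASK, signed)   # hex unless '.'
    def load(self, mods, addr):
        if "STRING" in mods or "UNICODE" in mods:
            return ("s", self.m.cstring(addr, wide="UNICODE" in mods))
        signed = "SIGNED" in mods
        if "BYTE" in mods:
            b = self.m.mem[addr - self.m.base]
            return ("n", b | 0xFFFFFF00 if signed and b & 0x80 else b, signed)
        return ("n", self.m.dword(addr), signed)

def evaluate(text, machine):       # numbers come back honoring the signed flag
    ev = Evaluator(text, machine)
    v = ev.expr()
    if ev.peek() is not None:
        raise ValueError(f"unexpected token {ev.peek()!r}")
    return v[1] if v[0] == "s" else sval(v)

MEM = bytearray(0x100)                                   # constructed memory image at 0x123400
struct.pack_into("<II", MEM, 0, 0x123456, 0xF)           # [123400] = pointer, [123404] = WM_PAINT
MEM[8], MEM[0x56:0x66] = 0xF0, b"BROWN FOX JUMPS\0"      # signed byte -16; ASCII text at 0x123456
MEM[0x70:0x84] = "Brown fox".encode("utf-16-le") + b"\0\0"   # UNICODE text at 0x123470
MACHINE = Machine({"EAX": 0xFFFFFFF0, "EBX": 0x123456, "ECX": 2, "EDX": 0x123470, "ESP": 0x1233FC}, 0x123400, MEM)
```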

Breakpoints ` < T

() / () *
` < T A,U V
. ! -]

. . -) ! 3# ! Shift+F2

!) '

W )< R

Q ,U

-]

W ! O

- C/ A84 A=

,- O )!

'! B !)
7!)b !)

,- Change Condition

() ) p , (22-5) A

. -)

.! /

(22-5) A

m) 3V / F "2 ' < \] - W I. -3


( cU

/' * V

V . -) % < 2C
(

,;

-'! B . "

# . O# =

( Gm A # !)

-7!)b

-^! "1 V

>

24

1^! "1 ' C,U a24

-' 8e !) ) 6

Disassembler , 4 !) ! O )!

7!)b

Ji

1V
) C,U .
-^! "1

) !) / ! >R ,- .
( - 3 Log ` < T !)

. 24

.
(

1V ) < ! O

Set Conditional Log Breakpoint ` < T A,U V . . -) ! 3# ! Shift+F4


.)

' Uc> A

6 G a) / d - G (!
.)

() / 9

,- { 4) 24

- C/ uD

() ) p , (23-5) A

,-


(23-5) A

! . .

) !) /

*C

- , 4

!) ( < T V

( -3

/ ! >R ,-

. G ) T d - G o b ) C,U
Condition
. /

T (1-5) Q 6 !) (

/m
.)

/)

V ;

O )!

, 4 V !)

, Q ,U

>

1 - a C # V R) .

G '! B !)
Explanation

V [ ) < '! B !) . / /m ) G ^! "1 )!


-^! "1

!) > .

^! "1

!) ! -

/'kS

C # V !)

' k S V a24

,
.

Expression
V .)

g 3

T (1-5) Q 6 V

! ) ^! "1 !) ! o b p ,
4

. O# =

F4 / O )!
-' 8e !) ) 6

' Uc>
)

, 4 V !)
' Uc>
. /


Decode Value of expression as


g 3 Expression

, 4 !) (
.

/m ' Uc> p ,

. (24-5) A

!) (

g 3

. O )!
-

, 4 V !)

/)

(24-5) A

Pause Program
9

'! B !) .)! ) ) 6 \ 8 ) A=

(INT3) 24

zU . (

# 1( )
(

. / ! 24

# 1 ( ) a]
.)) 1

/m ]

!)

! O

Ji

24

- "1

, 4 V !)

Ji aOn Condition J "1

! 4 . '! B !) o 24

Pass Count C # !) .)) 1

-' 4c ) ;

V # 1 O !) . 24
!R

. 24

Ji Q ' 4c 20 a(23-5) A

zU . ;. . % 21 ' 4c !) 24

!) . / g 3

Ji V

< !) .

Log Value of Expression


A84

, 4

- "1 . 3

- "1 / )

g 3

1^! "1 +

, 4 V !)
.)! )

Log Function Arguments


Q x R U .) a
-

! T J C/

. (
! "1

g 3 OllyDbg

. Rb

- "1 V (( < T
. / o

- <

!T
T

5.

/
API

G # % f - !) ! O )!

5.

! B !)
-

G #
.


O )!

A #


6 '! B !) a! /0 ^ ! . 24

() ) p , Log Data ` < T !) 24


Log Data ( < T A,U V

' K"6 R) / g 3

- C/

( <TV ` -3

.)

uT

! "1 aOllyDbg JC

1V ) C,U ` k
Alt+L

. . / () *

Ji ) <

..

- G

() ) p , (25-5) A

,-

(25-5) A

',O

- "1 . 6

Q8)

-^! "1 V

. 24

! . /
.

6 GA # 9

-^! "1 ( < T V !)


o ..

C,U

()

(
!

01 p , .
.a )

24

.)) 1

.)
! 4 () *

- A84
R

)!

#
(

, 4 !) (

! . 24

) < OllyDbg +
-() *

` -3

.(

O )!

( <T

- <

9 ( / \] - W I. -4
,- ~ 4) 24

T .(

Q !

2 ; Windows ` < T j >

1)
X "6

'! B !)

A # . ! 6 G

! /) G ! > . o b

. G ) T d - G ( < T V ) C,U ` k

V;

. +G . +G R) /

F 8 9(2 8
V

/ ! >R ,-

!) Log to file J "1 R) / Q ;# .

( <T V

. /A

/'

( -3

.
-

]
)!

1V
-]

!TQ /! O
. 24

! . .

1V

) !) .

V

View

.. /9

A #+

)<

! Windows J "1

-( < T

. 24

V )< ! O

,- Windows ` < T A,U

- : (26-5) A
.)! 01

p , . ! O )!

)!

-( < T

(26-5) A

!) .
+

)<
! Rb

uT a

/ ( -3 !

G Windows ` < T !) (

!) .

() ) p ,

`) *

)!

-( < T

'! BV

n !)

)
.

/ ! >R ,A84 <

. () / 6 OllyDbg
.) . - G

Windows ` < T !) (
. /9

() ) p ,

!) ! O )!

! Message breakpoint J "1 ) 6


.)

- : (27-5) A

` <T
() *

. 24

V ; ! O

. uD

() / 9

,- Set Breakpoint ` < T A,U V .

)3

- Crack

. +/ 0 1. ( 2,


(27-5) A

obhS

) !) /

*C

- , 4

!) ( < T V

( -3

/ ! >R ,-

. G) Td - G
Messages
.

C#R U .

O )!

-% W T

= !) / )) 1
! .

V ; O )!

- C # V V ; . .)

-% W T E
9

% W T , 4 V !)

k -% W T
.

- 1
!) . (
() *
"

lG%WT

C # V a) / - G ( - 3

.( 1 E S

v = . -% W T V (2-5) Q 6 !) .

-^ !

, ,S CD !) /

-% W T V
/ ;6

. 56 !

j 4) ' Uc>

# !) ! O

Win32 API Reference A 84

1^! "1
"/ , ) G

V !) / ! >R ,. d- . +8

-% W T

'! B

API '

(Win32.hlp) .

. ob
.

) 6

Category                      Messages
Creation and destruction      WM_CREATE, WM_DESTROY, WM_CLOSE, WM_QUERYENDSESSION, WM_QUIT, WM_ENDSESSION, WM_NCCREATE, WM_NCDESTROY, WM_INITDIALOG
Window activation             WM_ACTIVATE, WM_SETFOCUS, WM_KILLFOCUS, WM_ENABLE, WM_SHOWWINDOW, WM_CHILDACTIVATE, WM_QUERYNEWPALETTE
Window position and size      WM_MOVE, WM_SIZE, WM_QUERYOPEN, WM_SHOWWINDOW, WM_GETMINMAXINFO, WM_WINDOWPOSCHANGING, WM_WINDOWPOSCHANGED, WM_NCCALCSIZE, WM_SIZING, WM_MOVING, WM_ENTERSIZEMOVE, WM_EXITSIZEMOVE
Commands and notifications    WM_MEASUREITEM, WM_COMMNOTIFY, WM_NOTIFY, WM_NOTIFYFORMAT, WM_STYLECHANGING, WM_STYLECHANGED, WM_COMMAND, WM_SYSCOMMAND, WM_ENTERIDLE, WM_PARENTNOTIFY, WM_MDIRESTORE
System                        WM_SYSCOLORCHANGE, WM_WININICHANGE, WM_DEVMODECHANGE, WM_ACTIVATEAPP, WM_FONTCHANGE, WM_TIMECHANGE, WM_COMPACTING, WM_POWER, WM_USERCHANGED, WM_DISPLAYCHANGE, WM_NCACTIVATE, WM_POWERBROADCAST, WM_DEVICECHANGE, WM_PALETTEISCHANGING, WM_PALETTECHANGED
Drawing                       WM_SETREDRAW, WM_PAINT, WM_ERASEBKGND, WM_PAINTICON, WM_ICONERASEBKGND, WM_DRAWITEM, WM_NCPAINT, WM_QUERYNEWPALETTE, WM_PRINT, WM_PRINTCLIENT
Scrolling                     WM_HSCROLL, WM_VSCROLL, WM_CTLCOLORSCROLLBAR
Icon                          WM_QUERYOPEN, WM_QUERYDRAGICON, WM_GETICON, WM_SETICON
MDI                           WM_MDICREATE, WM_MDIDESTROY, WM_MDIACTIVATE, WM_MDIRESTORE, WM_MDINEXT, WM_MDIMAXIMIZE, WM_MDITILE, WM_MDICASCADE, WM_MDIICONARRANGE, WM_MDIGETACTIVE, WM_MDISETMENU
Dialog                        WM_CANCELMODE, WM_NEXTDLGCTL, WM_MEASUREITEM, WM_DELETEITEM, WM_GETDLGCODE, WM_CTLCOLORMSGBOX, WM_CTLCOLORDLG
Menu                          WM_MEASUREITEM, WM_HELP, WM_CONTEXTMENU, WM_INITMENU, WM_INITMENUPOPUP, WM_MENUSELECT, WM_MENUCHAR, WM_ENTERMENULOOP, WM_EXITMENULOOP, WM_NEXTMENU, WM_MDIREFRESHMENU
Text                          WM_SETTEXT, WM_GETTEXT, WM_GETTEXTLENGTH, WM_SETFONT, WM_GETFONT
Mouse                         WM_SETCURSOR, WM_MOUSEACTIVATE, WM_NCHITTEST, WM_NCMOUSEMOVE, WM_NCLBUTTONDOWN, WM_NCLBUTTONUP, WM_NCLBUTTONDBLCLK, WM_NCRBUTTONDOWN, WM_NCRBUTTONUP, WM_NCRBUTTONDBLCLK, WM_NCMBUTTONDOWN, WM_NCMBUTTONUP, WM_NCMBUTTONDBLCLK, WM_MOUSEMOVE, WM_LBUTTONDOWN, WM_LBUTTONUP, WM_LBUTTONDBLCLK, WM_RBUTTONDOWN, WM_RBUTTONUP, WM_RBUTTONDBLCLK, WM_MBUTTONDOWN, WM_MBUTTONUP, WM_MBUTTONDBLCLK, WM_MOUSEWHEEL, WM_XBUTTONDOWN, WM_XBUTTONUP, WM_XBUTTONDBLCLK, WM_CAPTURECHANGED
Keyboard                      WM_VKEYTOITEM, WM_CHARTOITEM, WM_SETHOTKEY, WM_GETHOTKEY, WM_KEYDOWN, WM_KEYUP, WM_CHAR, WM_DEADCHAR, WM_SYSKEYDOWN, WM_SYSKEYUP, WM_SYSCHAR, WM_SYSDEADCHAR, WM_HOTKEY
Clipboard                     WM_CUT, WM_COPY, WM_PASTE, WM_CLEAR, WM_UNDO, WM_RENDERFORMAT, WM_RENDERALLFORMATS, WM_DESTROYCLIPBOARD, WM_DRAWCLIPBOARD, WM_PAINTCLIPBOARD, WM_VSCROLLCLIPBOARD, WM_SIZECLIPBOARD, WM_ASKCBFORMATNAME, WM_CHANGECBCHAIN, WM_HSCROLLCLIPBOARD
Edit control                  All EM_xxx messages
Static control                All STM_xxx messages
Button                        All BM_xxx messages, WM_CTLCOLORBTN
Combo box                     All CB_xxx messages, WM_COMPAREITEM
List box                      All LB_xxx messages, WM_COMPAREITEM, WM_CTLCOLORLISTBOX
IME                           All WM_IME_xxx messages
User-defined                  All messages equal or above WM_USER

(2-5)


Break
',O
V

.)

# 1 O !) 24

. .

Ji

- A84

, 4

() / ) < (
. /

'

2 ;

uD

` <T <

.. /

A,U >

!) (
. 6

. !

TE
24

)<

>

. /

24

Ji

)!

7!)b !)
]

, 4V

!) (

- "1 !)

. 3 ~ 4) ;.

-]

, 4

OllyDbg a' , O

1^! "1 . ( ,- >

,- ~ 4) 24

(28-5) A

( - 3 (27-5) A

,O

! . ',O

Disassembler , 4 !) ! O )!

() / 9

OllyDbg +

>

V ; ',O

O )!

W )< ! O

Ji ) C,U ( =

Ji V

Ji 7!)b
!) . / () *

24

;. . C=

. 24

V !)

Shift+F4

- C/

# 1!/ .',O

() *

. !

(28-5) A

!)

() / +8S ! ,

24

Ji ) <

uT (

O )!

-% W T
o

4) ^! "1 OllyDbg a

-^! "1 (29-5) A

6 A #R

6 .

!) .) ) - G p , Log Data ` < T


. /

( -3 !


(29-5) A

`) *

)!

!T

) C,U ` k a( < T

- <

j 4)

! . .

. / ;6

+g _ +/ 2
B G `) k !) V
!) ! 24
.

! 4
)

G ' C,U . )! ! O

() *

~& ,; a24

e k '

. ! 6

! "#
V

24

24

'c 3 . ~& ,; "

;.

O )!

.v

!) 24

j 4)

. A/

! "# %

CU .
) .

P#

CU . . -)

1V

() k V ; !) .! /

"f 6

1V

. JO# =

. 4096 `) k !) (

, 4 !) .)) 1

1V

-d

() *

b! /

'&c G . Windows 95/98 A U

() . ( ,- )

. ~& ,; 24

# 1 O !)

ob

( / \] - W I. -5

- ) k

. (

8 AF# .

2 ; ` 6 OllyDbg .)

. 4096 () k V `

.e

!) o b

'! B !)

-() k
() *

. -)

% U.

) n

-24

- G # ;

( ,zU .
! "#
.

Disassembler

, 4 !) ! O )!

Memory on J "1 a k*B

7!)b

Breakpoints
. /9

. 24

V )< ! O

.
.

() / 9

Dump

! Memory on Write

Access

, 4

uD


(30-5) A

-_ C. V . ! ) !
.

. JO# =

. /

* !

() / 9
(

. JO# =
P# . (
C/ p
View

- : (31-5) A

!) .)! 01

_ C.

p , .

8 3T

! 01! .
6

-dll

-A # 5.

. -

! Memory J "1

24
6

-A #

,- Memory map ` < T A,U V . . / () *


- ' F 3 ( ,- . !
.) ) d - G ! 4

! . )!

(31-5) A

- Section {& ,;

) . )! !) 24
. 24

. JO# = !) ) 6
! Rb ) C,U ` k

f)E
]

E V

V )< ! O
Alt+M

- C/

-_ C.

( < T V ' K"6


- "1
. / () *
A84 E

() / 9


)!

_ C. (

Set memory breakpoint on write


,- { 4) E

() ) p ,

Set memory breakpoint on access

- ) k a = `

n /

) 6
.

Q ;# ! .

uT / ' * V

YcG .
!) o 24
ob
() *

{& ,; .
. `) *

) ;

- () *
)!

+g _ ( 2C A/ ( / j

) B > \] - W I. -6

.
/

A84 E
) k E

. 3 { 4) 24
V V ,- .

) 6

. / () *

!
ob

V.

! /) G ! > .

) ;

- . C84 E

2 ; A. 4 (NT, 2000, XP, 2003) NT `)


-dll . (

%<

- 31 .

V ) C,U

G #Q

/! O

.)
uT () / 9

View

! Memory J "1

. 24 ]

. / () *

(32-5) A

F2 C/

E V )< ! O
O )!

_ C. 9

. /!

! ! /0 ' C,U 24 ]

() 3
.3

8 3T 80x86

) C,U

. )! ! O
CU . .)

. ob
() *

) U4) ;
6

)!

) O# = 24
P#

24

() *

24

a! "#

,; 24
aR

A/ ) ; a ! "#

. ) a(Byte)

/ zU . o b

{,

(INT3)

K \] - W I. -7

) T+

B G `) k

! "#
(Word)

. ! o[

. JO# =

. () *

) k (Dword)
.

{& ,; .

-(

V Y0= ! O

V
]

G ' C,U
- ) k

-() k

. ob `

8 3T . 6

. .)
.)) 1 ,

A U

-d

, 4

+
-

24

!)

]
8 3T

1V
&.

A,; !

Breakpoints

) 7!)b

, 4
. /9

. a/

(33-5) A

Windows ME, 2000, XP, 2003


.)!

, 4 !) ! O )!

, 4 !) 24
,- uD

() / 9

) 6 ob

() *

1V ) <

Disassembler

! Hardware On Execution J "1 aDisassembler

(33-5) A

. a data

!) ! O )!

7!)b

!(

Ji Dump

) 24

! 8U 24


-() k

O# = . -

Breakpoint , 4

1V 2C

)
uD

. 24

)< ! O

Dump , 4

() / 9

( - 3 (34-5) A

!) / ! >R ,- . / 9

.On execute On write aOn access :

(34-5) A

.)
.)

Q ;# O )!

aR

Q ;# O )!

`) k !) A,; !

/)

6 % f -!)

Q ;# O )!

% f - !) : On write

`) k !) () ) V

`) k

- , 4 !) : On execute

1 - . : On access

.
p

T k !

.4

-() k

24
.

1V

A. 4 Dump

l B> ( 2
6 A=
!) .

!) do
f.

-)

) . !Q

G .

. ) G V,i

'! B !)

5Ci

.) ) d - G ! 4
. -)
. -)

!
!

. JO# =

P# .

. JO# =
. -)

P#
!

6 dll A #
dll A #
. !)

. 6

/m / ! >R ,+

/ -) ! 4

> ) ( / \] - W I. -8

h kB ) C,U ! O
O )!
! . )!

. - 18)

6 A #

! 01! .

!V

G .

! -)

! 01! . % f -!) : dll A #


R

! G % f -!) : dll A #

6 Thread

! 01! .
R

! G

) < % f -!) : Thread ) <

! Thread

. -)
!)

# 1 O !) ! /0

-)

. ! 24

)<

OllyDbg

. .

7 = !

! Debugging Options J "1 ! O


.)

! J, G % f -!) : Thread J, G

,- Debugging Options ` < T A,U V . . / 9

- : (35-5) A

i
Options

(35-5) A

. 24

)< ! O

. /9
.Q

/ (

% < ! O )!

! ob

% / -) G

24
'

.
W

Events , 4 !)

- "1 ( < T V

6
-

( -3

. 6

! O )!

! R) ) ! . ay # ' , O V ;

C=

! .

, .)! ) ) 6 \ 8 )

/ ! >R ,-

. /Q8) !

V !) .)
6

-)

!
uT

OllyDbg

'! B !) () )


5
- /
-

! .

! .

1V

! Ao

! O

. !

OllyDbg a )

'

( ) _!

....

. G) Td - G'

- G / ! >R ,-

-( < T a -Thread a
V

! . .

. JO# = a C8,

) !) . -)

Disassembler )
Ao

Disassembler ` < T !) ! -7!)b

! .

R) / / =

.) / d - G (!

3. U

5 _ ( 2+ >3V

! a - "1
ob .

. / )! Rb !) ! O )!

. . / () *
7!)b

V
/

) * +/ J@ )

< 7!)b . Disassembler ` < T Q

P# !) O )!

,- Enter Expression ` < T A,U V

(36-5) A

'

) !) /

nK;
. JO# =

) /

! O

Ctrl+G
(

- C/
() ) p ,

(36-5) A

- GA

O )!

2 . G
. aA

G #

^ T

,- A,U V
.

-A,; !

- GA

2m 9 ) F < F 1@

) !) (

. . -) ! 3# ! Enter
O )!

< 7!)b . a( < T V

() *

C/ uD
G #

( 2 ) * O 5 B.

-7!)b R) / Q 8 ) ! O
() / 9
^ T!

! ! /0 A,; !

.
)

) F 7!)b . (37-5)


(37-5) A

Disassembler

/ C;# 7!)b . Q

, 4 !)

! O

/ =

. V ,- .
.

G #
C84

-7!)b R) / Q 8 ) % f - !)
;. 7!)b . -

f. ! / . ! * C/

+ +

/ = Disassembler , 4 !) 5.
- C/ .)) 1

O )!

Disassembler ` < T !) C84

6 A # !) ) 6
;. 5. E

7!)b 7
5.

)*

.
v

/ 5 _
'! B !)

R) / Q 8 ) !) 5

7!)b . ! ,

() *

g 3 EIP ' 8e +

!/ - b <
V . /

+ C/

zU .

. Ctrl + -

Ctrl

.) / - G A

(38-5) A

2 . G

! ! /0 7!)b

(39-5)A

. a O )!

7!)b . -

%<

-E 6!

O )!

^ T

G #

O 5 B.

-^ T R) / Q 8 ) ! O

Disassembler

!) / ! >R ,- . / ;6

01 p , . (

2m 9 o 2b #) !>

Go to , 4 . uD

Go to

Gb p . !) a /

G # 7!)b . a o b 9

() /
( -3

(39-5) A

F < 8. ( 2 . G
"

5.

(
/

( ) _!

A,U !) .)
5.

%<

! 5. Rb +

# 1 ! / . 5.
) aAPI -

. -

.)
%<

uD
.)

G #"
() / 9

G # R) / Q 8 ) ! O

O )!

G #VG
() *
5.

+ A

G # 8

C C

%) . ! O

1!

%<

()

' C,U !)
-

G # 8

, 4 !) ! Rb E

) /
OllyDbg

.'

/ 5.
(

* !

%< d

. -E 6!

Disassembler

- : (40-5) A

. !

B-

G #

! .! O
.! > .'

. 5.

! ."

C C ` -3 ! O

7!)b

,- Call tree ` < T A,U V . . / () *

. a5. Rb . (
Ctrl+K

- C/


(40-5) A

Uc> % / - /

! o[ . ( < T V

( -3

. ! 01

/ ! >R ,-

p , . ! BG
Called from

! >R ,- .)
(

() ) p ,

# 1 O !) *C

O )!

- "1 R

5.

%<

V X PU
.d -)

G #

.a /
! 4

-7!)b R

( - 3 (41-5) A

! . )!

! ob

V !)
!) /

G . /


(41-5) A

Call tree for calling procedure


5.

7!)b !) (

C C
%<

p , ! 41FFD0 5.

Call tree ` < T a "1 V

() *

O )!

G #9

G # R) / Q 8 ) . & . Q x !) .) ) - G p , ! ( /
8

C C

(42-5) A

.
G #

,- Call tree ` < T a41FFEE


.) ) - G


(42-5) A

41FFEE 7!)b !)

G # a5. V
() *

5.

!)

( - 3 Disassembler , 4 !) / ! >R ,-

/
! . !)
.

.
A

) 6 .
C84

# 1 '! B O )!

;. JC=

.- +

- C/

Follow Command in Disassembler


- G () ) p , Disassembler , 4 !) O )!

7!)b a "1 V 9

\] - W I.
24

)< ! O

. ! 24
a5.

. ) ;

2 ;

) C,U ` k

- "1 , 4 V !) a ) / ( - 3 -Q x !) / ! >R ,"

! .

ob

G . .)! ) ) 6

A Ck A=

!) . ! ) R

V !) ) 6

.)

-() *

G #

-7!)b !) 2C
-

, 4 V !) ) 6

G # J C/
- "1

Procedure
.

O )!

5. (7!)b) %

=R

V
Calls

G # 5. V +

5.

6 A # CG ) 5.

n
5.

C C ! ) , a O )!

'! B

/ ! >R ,- .)
% C;

V !)
() ) p ,

API

G #

! . R) / Double Click . aCalled From R

5.

G #

) /( -3
- Call EBX

.
8

! > . / ;.

,-

- G () ) p , Call tree ` < T !) Rb

'! B V ,- .

. /Q8) ! # 1
!

nb " > "

!) / )

. /

/! / . d

Space C/

1 C6 o b p ,

() *

G #%

'! B !) .

) 6
-

/G

Comment
f .

Calls

!) :

) ! 4 hi V Gb !) 9

k -

-dll) ,

!)

,; 5.

() .

! 4 .

) -

-\ . R U .
-dll !) ) 6
a5.

) 6 R

! . V )!

V !) Rb

Pure E

= !)

/ ,

5.

. kS
ob

%<

f ) 5. G # .

System ! / )

y By #+
. / ;.

V !) ' k S R U . J !

!)

() ) p ,

.)

G # !

- SYS E

! B !) .

.(

- G () *

* ' Uc> Comment R

. 56 !
C C !) Leaf

G #v

G # G!)

!) ) 6

5. E

% /-

'! BV

n !) .

)
1

8@ # ( 2+ >3V
C,6
O !) (
)<

!) !

) ;

) )!

4 Y B

! - "1 V V

-d b p , R
. < 6
< 6

,o

G .

/ OllyDbg !) ) 6

C. 4 ) < ! O
- C. 4 V

) !). /

1 C6

- "1 aDisassembler

. *C
() *

-( < T x/ !)

/
6 A #

o ..

# 1

! . % f - !) ,1!)

.) ) d - G ! 4

! . )!


2+@<) ( 8@ #
.

! V .)! )

Ctrl + B

- C/

6 A # !) ! (
! O V

.)

. HEX

..

OllyDbg

< 6 R
UNICODE aASCII

,- Search ( < T A,U V . . / () *

() ) p , (43-5) A

(43-5) A

-7

- /! /

. ! O )!

(block) section
R

! R) / )! R

Hex , 4 !) V

- f

! . < 6V

( < T V !)

uT ! < 6 ' C,U

o . . / 2 ; / ! /
Ctrl + L

- C/

. -)

) f)

. . -) % <

O )!

A,; !

) 7

Find Command ` < T A,U V . . / () *


. -)

.! / . ! O )!

A,; !

() *
-

. !

- < 6

Ctrl + F

- C/

)V ; R

/ ! >R ,-

. ( cU .)! ) ) 6 )!

" ) @
! O

( -3
() *

. .) 1

. % C;
'! B C;#

!V# ! O

,>

! -

/ 8@ #
'! B !)

A,; !

() ) p , (44-5) A

< 6
,-


(44-5) A

2 ; R

OllyDbg a -A,; !

!)

! O

. .

(3-5) Q 6 j. i h B n ' !

< 6 ' C,U !)

( ) _!

< 6 A=

C/ ' ,C/

3 . Y i;

C. 4 ) < ! O

!) ! A,; !

) h B n

) G O )!

-A,; !

. / () *
Imprecise commands

Keywords

Keyword: Matches
R8: Any 8-bit register (AL, BL, CL, DL, AH, BH, CH, DH)
R16: Any 16-bit register (AX, BX, CX, DX, SP, BP, SI, DI)
R32: Any 32-bit register (EAX, EBX, ECX, EDX, ESP, EBP, ESI, EDI)
FPU: Any FPU register (ST0..ST7)
MMX: Any MMX register (MM0..MM7)
CRX: Any control register (CR0..CR7)
DRX: Any debug register (DR0..DR7)
CONST: Any constant
OFFSET: Same as CONST

Commands

Command: Matches
JCC: Any conditional jump (JE, JC, JNGE...)
SETCC: Any conditional set byte (SETE, SETC, SETNGE...)
CMOVCC: Any conditional move (CMOVE, CMOVC, CMOVNGE...)

Table (3-5)

A,; !

- MOV

R32, [CONST]

< 6 J ! Qx

2 " ) @
. -A,; !

! .

<

` k

! . !)

.e

- 8)

!) . /

() *

(... 5.

C/

. ! BG

( ) _!

A=

!) OllyDbg . / ) <

kB V ; !) ! o b () ) ! 4

! . 3 AF# !) / ! >R ,-

. OllyDbg .)
(

2 ;

! . )!

6 A # X "6 ) C,U

- f

-A,; !

() *

. o b R) / Q 8 )

G . /
- /

ad b -

' C,U

- / !) - 8 ) V

(Opcode) V

*C

) O )!

Disassemble

.! / +

/ 8@ #

aStack ' C,U

. ... Mov aCall a -^ T

. 6

E ( + B.

- C D /a

. )!

! O V

.
C,U E

do !

-d

T k ! MOV EAX , [10000] MOV ESI , [401045]

.) ) - G ! 4 p

%< ! O

R U

) 6

() *

)!

. ! V , '& = J C/ < 6
.) / - G Q ,U O )!

'!

C/ ' ,C/

j 4) j. i
-A,; !

< 6 )!

C. 4 ) < ! O

) J 8 ) 2 ; !) "

. V

. ( cU . / () *

T! O

h B n A,; !

. o

RA

ob

-' * V

LEA EAX , [4*EAX+EAX] A,; !


! O

."

ob

(3-5) Q 6 j. i h B n

! 8U /

) Q x R U . .)

, [4*EAX+EAX] A,; !

) J 8 ) V ; % f - !)

f ) h B n ' 8e ) a .! / O )!

{ 4) h B n ' 8e ) V 2 ; . RB
p

-A,; !

) -

/
. / () *

A,; !

) 6

h B n A,; !

.) ) -

ANY n h B n !

g 3 '! B !) .)

# 1 ! / . < 6 )!

-Q x

- GA

, R U ..

Q > !) ' 8e

T ! LEA ESI

) !) ' 8e ( 1 ) R) / g 3

V an ) ; R)

T k ! LEA ESI , [4*ESI+ESI]

T ! O

. / 6

)!

LEA RA , [4*RA + RA]

n ) ; R) ) p

(3-5) Q 6 !) R32 . 3

-) ! 4 p

. -A,; !

f. ! 4 () *

# 1 !/ .
) )

) a! /0 ' 8e ) . ( cU

! -A,; !

J 8 ) !) A,; !
)

) ; -!

)
)


Search Sequence


Sequence 1

Sequence 1

PUSH EBP

PUSH EBP

SUB ESP,1C
PUSH EBP

SUB ESP,1C

PUSH ESP

ANY 2

PUSH ESP

PUSH 0

MOV EBP,ESP

MOV EBP,ESP

MOV EBP,ESP

LEA RB,[4*RA+RA]

LEA EAX,[4*EBX+EBX]

ANY

LEA ESI,[4*ESI+ESI]

LEA EAX,[4*EBX+EBX]
PUSH EAX
LEA ESI,[4*ESI+ESI]

LEA R32,[4*RB+RB]

(4-5)

. / () *

Ctrl + S

J 8 ) R) / )! R

- C/
(

Sequence 1

PUSH EBP
SUB ESP,1C
MOV EBP,ESP

LEA EAX,[4*EBX+EBX]
INC EAX
PUSH EAX
LEA ESI,[4*ESI+ESI]

Disassembler , 4 !) - < 6

() ) p , (45-5) A

,- Find Sequence ` < T A,U V .


. /

(45-5) A

%< ! O

)< ! < 6

> # > L
!) do

6 A #+
.

. ob

OllyDbg . ! ) # /
ad

n ad

\ 8 ) A=

!) V

#) G ( 2 . G

# 1 '! B 6! G

% / - ) C,U ` k
6! G

! .

. ! ob

6 G 7!)b

() *

< 6

X "6

G # a 6! G

G # 2C

# 1 O !) .! /

A. 4 " GetProcAddress 5.

G #

( 8@ #

6 A # 2C

- API

b ob . /

G # C,6

. ( cU .

- F < 8.

! .

G #
< 6

-v /
.(

6! G

-^ T

G #

%<

.
Search for

, 4 !) All Intermodular Calls J "1

,- Found Intermodular Calls ` < T A,U V % <

- < 6
. . / () *

%< ! O

Disassembler

.)

- : (46-5) A

(46-5) A

!) (

%<

6! G

R) / Q 8 ) ! O

.
. / () *

G # J C/

C /

( < T V !)

" ( < T V !) ) 6
... 5.

)!

!) ' Uc>

.)
# !) a24

( -3

/ ! >R ,-

() ) p ,
]

)< a-

6 A #
G #


! O

. ! BG R

OllyDbg a

% ( < T V !) ! O V
V

)" a

..

% f -!) a /

!) (

( ) _!

() ) p ,

G #)

G # 5. % 7

( - 3 (47-5) A
.

!) / ! i ,- . /
- G9

) ; A ).

!) a(

< 6
! O )!

5.

J ! .%

(47-5) A

F < 8. ( 2b #) ( 8@ #
.. /

o !g 3

Selected J "1 uD
A,U V
.(

.. /9
%<

!)b . (
() / 9

%<

-E 6! J C/

Disassembler , 4 !) ! O )!

Disassembler
G # J C/

Find References to
(
.)! 01

- : (48-5) A

'! B !)
7!)b
, 4

. ! O V
! Command

,- References ` < T

p , . ! C;# Section !) O )!

7!)b


(48-5) A

. / () *

24

)<

-E 6! R) / Q 8 ) ! O

" (V T , 4) Information

J C/

.)
Qx

# 1!/ . ob 5

R U

%<

() *

, 4 !) a /

R) / Q 8 ) ! O

B G 7!)b

" ( <T V

( -3 &.A
.

/ )! ) ) 6 -E 6! V

O )!

A,; !

MOV EAX , [401045]

-E 6! J C/

- % < A. 4
9

*C

y > . 7!)b

k 401234 7!)b .

! B !)

MOV EAX , [EBP-8]

. / o ! ! /0 V ;
Qx R U . .

!) / ! >R ,-

V ; 7!)b . (

. -E 6!

-E 6! R U . f,-

) 6
-A,; !

. ! O V

MOV EAX,401234
MOV EAX,DWORD PTR [00401234]
MOV BYTE PTR [EBX*4+EDI+00401234],AL
JNE 00401234
CALL 00401234
DD 00401234

! Address Constant J "1 uD

() / 9

! O )!

References ` < T A,U V . . / 9

Disassembler

!) () *

-E 6!

)!

7!)b . (

%<

A,; !

Find References to , 4
(

.)! 01

- : (49-5) A

,-

p , . ! ! /0 A,; !


(49-5) A

p , 403184 7!)b . (

%<

-E 6!

. /

( - 3 & . Q x !) / ! >R ,.

() )


2Thread
6 R ",- ! > .
! . .)

() *

\!".

R) / 24
- J* :

-! "# %

' B FG
! "# %
ob

X "6 -Thread

.
W

!) 2 : d

! O

! "# %

!) do

` -) A 3 X "6

-Thread A /

1 ! / . ) C,U ` k

/ ! >R ,-

. ob

~& ,; .
-Thread ' K"6

)<

o b R) . V .

! .! O

..

. ob

. / ;6
R) / 24

. OllyDbg aHit Trace a+G . +G

! MultiThread

. R) / \ 8 ) R

6 A=

) /

!) \ 8 )

( C;# Thread

8 AF# .

C. 4 ) < ! O

n) -Thread

W )<

\ 8 ) A=

!)

,- -Threads ` < T A,U V

6 A #+

.. /9

)<

-Thread ` - 3 ! O

)<

View

.
4

. /
!) '

% /

! Threads J "1
.)

.
ob

() ) p , (50-5) A

(50-5) A

() ) p ,

B G ' Uc> Thread -

:) ) d - G ! 4
.

( - 3 & . Q x !) / ! >R ,! . )!

V ; Create Thread 5. +
.

.)

V ; GetLastError 5. +

. JO# =

) !) ! o b
/ Thread J

P# !) Thread 5. E

/ Thread !) () ) !

G . /
: Ident

7!)b : Entry

iG V Gb : Last Error

.

p , ! Thread C;#

/ -)

6 Q = !) Q ;# Thread : Active

.
.
.

Trace a OllyDbg +

OllyDbg a f )

-Thread R) / \ 8 )

n!) /

'! BV

) -

{c84

) 6 MultiThread
#

. .! /
) /

.
.

) 6
-

-Thread ' B FG

.(

Q ;# Thread : Paused

-) d

R) . V .

= . ! Rb
.A /Q

, G Thread

!) Thread
!) Thread

6 R

aj C; ! O

G
"

! > .

/ R) / \ 8 )
! : Finished

6 R

) A. 4 (NT, 2000, XP, 2003) NT `)


W

= !) Thread : Traced

j C;

()! b!) j C;

)!

= !) Thread : Suspended

j C;

! .A ) .

) 6

;S : Status

'

: User Time

'

: System Time

!) o
k*B V
. / () *


+ . / cg _ _ .
)
A #

)
dll

)!

v = . O# =
A 84

< JO# =

. f14 .

-A # . -) ! 4 () *

P# V .

; ' B FG

Q = !)

P#

. JO# = =

1
!)

!)

)!

< JO# = V

- /

,- Memory map ` < T A,U V

..

BG
*C

ob

/ ! >R ,-

-() k !)

. _ 3 ' B FG

-v /

View

.. /9

() / -)7!)b ! () k V

! 4

` -3 ! O

. -

) /

6 aV

aR

! Memory J "1 a\ 8 )
.)

- : (51-5) A

(51-5) A

G .. (
)!

!)

() ) p , ( < T V !)
Uc>

= /

-R

.(

.d
V

! . .

) !) .

. JO# = 2C
6 A #

)!

() ) p , ' Uc> .
O )!

J=

=
dll

( -3

-A # . jC;

6 A # !)

B G ' Uc> p , Q
. G) Td - G

/ ! >R ,=

- Q) ; Section
- /
- ) C,U

(
-R

. /

g 3


. JO# =

P# !) ! O )!
. /

dll

(Section)

6 A #

, 4 .] .
.)

dll

(Section)

6 A #

7!)b : Address

J= E

J= `

O )!

! B !) : Owner

J=

() ) p , ! /0 A # % R

, 4 .] .

O )!

J=

V !)

p , ! /0 J = '

k )!

!) !

kS

! B !) : Section

() ) p , ! /0 A # !) Rb Q) ; Section % R

.)

: Size

g 3 ! O )!

V !)

V : Contains

'! B !) R

. -)
. /)

g 3 () *

)< ^ !k

O )!

V !) : Type

J= E R
.

! of ! dll

. /
- W

' Uc>

/
! O
.

6 A #

! of

f ' Uc>

'! B !) .)
ob

() *

F ~& ,;

( Gm ! O

. JO# = . (
() *
` k

. =

O# = . (

E V : Imag
. : Priv

{& ,;

. /

() *

) G B FG

-A # . ] .

" 2C

{& ,;

V : Map

. V . ' Uc> Q) 8 ! O
-A # )!

!)

3 . ' Uc> v /
. / ;6

/ /

V;

aR

G O

! O )!

! . # gF
A 84

O# = g F

' Uc> v / ! O
;6

8 AF# .

() ) p , O )!
(

=
2C

V; E WaRY =

' C,U
'! B !) .
ob

() *

J= J

- G 6

8 AF#

) E : Access

J=

.
.)

. ob

, 4 V !) : Initial

)E
\ 8 ) A=

!) ( < T V

- W )<

b - G!) " 4

'! B Global Alloc

Local Alloc

` k

. ~& ,;

() *

O# = g F

-^ ! . 56 !

j 4)
. /

Dump ` < T a Dump J "1
!) .)! 01
. -)

p , .v
W (

)E

() *

O )!

J=

# . ! ! /0 J = ' Uc>
. !

# V Dump ` < T

(52-5) A

! . R) / Double Click .
(
() *

- : (52-5) A
.

,'! B

)3

- Crack

. +/ 0 1. ( 2,

226

@
)
a .

-'! T a -A # . ] .

-(! ,
)!

!) (Process) 6 Q = !) J

-(! ,
! . /

!) !

* !

)
o . .

. -

-(! ,

% f,-

- ' K"6

(53-5) A
.)! 01

\ 8 ) A=

!)

. `) *

,- Handles ` < T A,U V

. . / () *

View

p , . !

)<

-! ". a -)

)!

() T ' K"6 ) C,U ` k

)!

.+

{c84 / ! >R ,-

. `) *

. / g 3 Rb
6

(!

) /

V .)! ) ! ) G . l F

. )!

.'

( 2F) "<

-(! ,

! .! O

Handles J "1

-(! ,

-:

(53-5) A

) ; aE

A 84

> .

' Uc>

) `! ,
.)

( <TV
Actualize

!) 54 Actualize J "1
. 8

( -3

01 p , . %

. ! /) G ! > . {& ,; ( < T V !) ) 6


A84 JC=

(53-5) A
W

-d b a o.

/ ! >R ,-

) hi a -E 6!

' Uc> /
,- ' Uc> V
G)< ! O
. b

) 6
.! O

. . / () *
!) " 4 ! .


+ . / p 1@
V . 5.

- /V

01 _

)!
. /

() *

) ;

)!

/) 1

6 A #

A Ud

'! B "

.)

-A #

-A # V

\ 8 ) A=

!)

( ,- . !
! 01! . +
- /+

. `) *
dll

)!

-A # V

6 A=

dll

2C
G . )!

!) . /

() *

/ ! >R ,6

-A #

! . %<

) /
-A #

- API 5.
V

. ( cU

) G O )!

o b !) / )! ) ) 6
! . \ 8 ) ' C,U )!

6 A # . 3 ~ 4) ' C,U V % < ` k


`) *

.. /9
-A #

G . /

-A # /

l G dll 5.

)!

Executable Modules ` < T A,U V

.
J "1

() *

! . A=

! .

6 A # `) *

!)

V !)

R) / \ 8 )

) 6 . dll

-A #

f ) ) ; dll

."

x/ !) . b

. / )!

_ 3 ! > . ob

Q ,U % < ! O

. dll

.! O

dll ( 2 >

)!
View
(

!) f ) G . Rb !) ) 6
. (

(54-5) A

dll

) 6

-A #

! . ! O

! Executable Modules
() ) p , (54-5) A
.)! 01

p , .

) ! Q 6 j8> .
! 01! . API

G #

,- ' K"6

-A #
6 A #


!) E

7!)b A

- "1 .

(

() ) p , ' Uc> dll A # -

A #

!) / ! ) dll A # -


`! ,
. !

()

( -3

a% a ) ! 7!)b ad<= a

1 ' C,U % <

/ ! >R ,-

. JO# =

" ( <TV

. G) Td - G o b

P#

!) ) 6

G .

! . .

Actualize
# 1 '! B (! . ) dll

.) 6
dll
/

-A # ! 01! . % f - !) OllyDbg +
.

) 6

. !

! . Actualize

-A #

! . ' C,U

"1 V 9

! /) G ! > . A,U V )!

x/ !) .)

) '! B . A,U V % <

A84 JC=

! 01! .

,
6

) 1

'! B

-d b a o.

G! O
. b

.
6
.

!) " 4

View Memory
(55-5) A

,- Memory map ` < T


.)! 01

p , .

"1 V

() *

O )!

P# !) ! ! /0 dll A #

. JO# =

dll A # 9
;4

.
-:

(55-5) A

View Code in CPU


a! /0 A #

! . R) / Double Click

! ! /0 A # (Section) = V

"1 V

' Uc> (56-5) A

() *

O )!

dll A # 9

,- (Disassembler) CPU ` < T


.) ) - G p ,


(56-5) A

,-

G Qx

" Disassembler
) J<

, 4 !) dll

o . . / () *

-A # .

( <TV

)! O
View , 4

(57-5)

.) . - G

(57-5) A

Follow Entry

7!)b . (Disassembler) CPU ` < T a "1 V


.

() *

dll A # 9

O )!

! /0 dll A # (Entry Point) ) !

- GA

View Names
. b - G!) p , . O )!
.! / +

V ;

- G! 4

dll A # !) () *

-%

! . )!

)!

-%

"1 V 9

. / a 6 G a ) ! 5.

A /! >. 6 G

.] .

) ! 5.

{& ,; -% V

! . p . !) /

. # 1

Mark as non-system Dll / Mark as System Dll


!) /

NT `)
dll
!)

-dll

-A # ,

5.

!) System32

R U . ! dll A #
B FG V

) - G

q #p T ! > . 2C

! / )

9X

- "1 V

() *

! . !)

!) System ! / )
'! B !)

) !) / ! >R ,- . / # ;
.

01 - G d

. !) ! 4
n

! . A Ck A=

Update .udd File Now


Q ,U ' , O a -"

b a-

' ;#) !) ' Uc> V

<

A #R

! .
!) . /

! G % f - !) Udd

' Uc>

"1 V

() *

. Udd

` Gm ! O
exe

() *

T .

dll A # -

-A # Q ,; ! > . .) .
.

-A #
. ... 24

- G () *

OllyDbg
]

A. 4 "

a(
;.

. (unload) O# =

'! B !)
. /

udd A # !) ! ! /0

. > .

View Run Trace Profile


p , O )!
- G! 4

dll A #
! . )!

. (Run trace)
A / ! > . \ 8 )

! . )! ' C,U

- "1

-^ ! , 4 !) /

"1 V 9

- G () )
. # 1

Analyze all modules


CB / Section o OllyDbg !) dll
! 4 j 4)

! .

A Ck )!

exe A #

! 01! . % f - !) Q ,; ! > .

()! ) ! 4 Rb !) (Entry Point)

) ! 7!)b /

= )

;.

(Analyze)

! . ' C,U

A84 ! C8,

, 4

(58-5) A

!) . # 1 - G

. /

( - 3 Rb

(58-5) A

# p "# !
G )<
a() *

. -

! . V %<

. ( cU .

G # a -E 6! a5.
;.

;. - /

# S Rb .

-() k )!

! .%< ! O

' C,U V % < R . a , 4 V !) (


!)

! .V
.

( b

! )! G . # /

)!

"

! 01! . dll

) / - G ( - 3 Rb !) (
.

/m

"

- /

,/

( -3

- /! /

g 3 OllyDbg

! . ' C,U

. <

/ ! >R ,-

, -!

. ' Uc> ' C,U V % <

/)

. ' Uc>

! 4 () *

!) !

. ob

-A #

( Gm > .

. JO# =

# f '! B o b

uT a 3 .
. ...

!) .

R . / ! >R ,- .) . - G <
;. ' ;#) !) (

udd

!
- G

.
-A #

P# !) / = % f - !)

! .% &J

! . /


J "1

(59-5) A


C;# (Section)

,-

! . ' C,U V % < ! O

Analyze code

. / () *

(59-5) A

A84 / )
%,
R

. !"

f)

-A # !)) "
6

. JO# = 2C

!) ) 6

b ' C,U Analyze all modules J "1

. ' C,U V % <


(udd

"

-A #

o . . -) % <

b ' C,U
.

() *

O )!

` Gm . 6
) -

-A # )
.

) ; . 6

! .

. `) *

;. ' ;#) !) a_ 3
.

dll

) - G
- dll

' C,U V `! . ) % <

1 -%<
dll

)!

-A #
~ 8

-A # `) *
.

{& ,;


# G ( ) !/ . {& ,;

)!

API 5.

! 4

G #a

exe A #
exe
;6

JC

5.

. ) ! 5.

) ! 5.

! 01! . dll A #

,- 6 G 5.

. 56 !

8 AF# .

- ;.

. JO# = . (

CG ) 5.

-A #

-Q 6

6 A # R !) /

R U .

j 4) ' Uc> v / ! O
ob

() *

/ ! >R ,-

n '! B

k 5.

5.

. .

f. ! 4 () *

)< ` k

/' * V

) /

,
.

- dll

)!

dll

-A # 6 G

) !
. /

G #
. !) a

dll

-E 6! A / Q

/"

- ) C,U ` k

X "6

6 A #
J

!)

6 G

) ! 5.

C/ Q ,U

ob .(
.)

() ) p ,

C;# 7!)b . :

Names ` < T A,U V

. . / () *

dll

exe A # 6 G

Ctrl + N

! (Export) 6 G (Import) ) ! 5.

) ! 5.

9
! .! O

- : (60-5) A
.)! 01

(60-5) A

%<
k
.

Disassembler , 4 !)

- C/
-%

! .

,p , .

5.
() *

J C/

. Names in all modules J "1

p , ! O

! 01! . dll exe

. JO# = . (

A # % Module R


!) 5.

'! B !)

-A # J C/ !) (

( -3

() *

(61-5) A

6 G

) !

!) / ! >R ,- . /

/m "

> .

(61-5) A

) '! B . !
) ! 5.

( <T V

R) / Q 8 )

) A. 4 k*B V

Q
+

. /

/ ! O

!) 54
.

C / '

/ )! ) ) 6
( -3 !

- "1

() *

Names ` < T !) . / v

o b . # 1 '! B

V !) ) 6

(62-5) A

Sort by

-E 6!

- "1 (62-5) A

6 G
!) .

5.
! 4

R) / Q 8 ) a24
! . )!

) < ' C,U A

! - "1 V

G .

) !) .

- "1

( -3

/ ! >R ,-

- ' Uc> p , ( k

-E 6!
.) ) d - G

Find References
` < T a "1 V
d

() *

A #

6 G

) ! 5.

G # J C/
.)! 01

!) O )!

5. 9

,- References

- : (63-5) A

p , . ! ! /0 A # !) O )!

5.

# 1 '! B

( -3

/ ! >R ,-

(63-5) A

)<

R) / Q 8 ) ! O
.)! ) ) 6

!) (

- "1 " Reference ` < T !)


() ) p ,

G #

. B FG

,U 24 ]
View call tree

(
%<

- : (64-5) A
-

! > . ;.

G #

,- Call Tree ` < T a "1 V


O )!

6 G

- , 4 !) ! Rb ' K"6

) ! 5.

() *
# 1 '! B

O )!
-

5. 9
G #

call tree ` < T .) ) - G p , ! Rb +


.) ) d - G ! 4

! . )!

# 1
j 4)


(64-5) A

Help on Symbolic Name


"1 V
.

. aWin32.hlp ,/ A # R) . ) 6

() *

- G () ) p , Rb ) C,U ` k

5. Rb )!

O )!

5. 9

'! B !)

!) C / ' k S aCtrl+F1

- C/

Toggle breakpoint
!) O )!
5. E
a24

5. E
7!)b

7!)b
.

,; 24

V V ; . /
.) / - G ) <

. ! *4
Ji
o ..

O )!

5.

Ji

, 4V

(65-5) A
(

!) . / V ;

- "1

() *

. JO# =

.
P#

V ; kernel32.dll A # !) CreateFileA

. # 1 '! B

G # J C/

! . C /Q


(65-5) A

Set breakpoint on every reference


ob /' * V .
C;# dll
%<

exe A # !) O )!
-

G #

) 6

G #Q

24

(66-5) A

. (

C84 24
. 24
/

]
.

. 3 (on reference) -E 6!

]
5.

.(

)< R

-E 6!
!) C84 E

() k V ; R

!) .)) 1

.(

. 24 ]
-

G # J C/

. 8

ob

A84 E

!) .

g 3 A #

) n

-24

V ; Sample.exe A # !) LoadImageA 5.

..

) < zU .

. # 1 '! B

) C,U

! .
Q ,U
!) (

V ,- .)!
G # J C/


(66-5) A

'! B

G #

/ ! >R ,- .

dll

exe A #
.

! .

/ f ) 24

# 1 ! / . O )!

1V

GetProcAddress 5.

) !) ) 6

(Export)
5.

6 G 5.

G #! O

() *

. /

6 G 7!)b

() *

7!)b

! O

-7!)b V .)

) 6
. # 1
. 5. V
() *


F < 8. ( -) - ( 2 . G
Call

-A,; !

/ ( 31 .) RET ' !

. Q
.

31 . 7!)b ` Gm Stack

) !)

G #

- G Q 8 ) h kB ! > .

56 ! j 4) ' Uc> V
J

!) '
.)

V
9

# 1 O
. /

) a24
C/

! Stack '

CB Thread

. o

!R

C,6

C;# Ji

2C

- , 4 5.

Q !
24

-24

4!

!T

!) .

;. A,; !

'& =

%<

!)

!
-

)
. !)

G # .

) C,U ` k

. OllyDbg

() *
31 .

-7!)b a -

'! B !) o ' Uc> V

! ' C,U V OllyDbg

/ ! >R ,-

. <

! /0 Call

)<

( T
.(

' C,U % ,

.(
.

5.
!

,o

! 5.
e .

JC

-2 :

( Gm
24

-) .! /

) /

-p ,

G #
) 6

) A. 4 a)!
.) ) - G % <

!) Call Stack J "1


(67-5) A

a O )!

Ji !)

,- Call Stack ` < T A,U V

. 24
. . / () *

uT a' Uc> V p , ! O
Alt+K
.

(67-5) A

- C/

View

- G () ) p ,

!)

G # . 56 ! C /

p , ' Uc> .

j 4) ' Uc> ( < T V !)

01 p , .

, 4p , Q
V !) (


- /

- .
.d

() ) p , ' Uc> ' K"6

( -3

!T

/ ! >R ,-

C;# Ak

%<

T . Call Stack ` < T !) (

R
! . .

) !) .

> .

' Uc>

() )
BG

. G ) T d - G -R
Address
P# !)

!)b / /

g 3 ! Stack !) O )!

!T

7!)b V # 1 ! 4 Ak
.

. JO# =
Stack

! > .) UV . /

g 3 Stack
.

5.

P# !) ! A84 , 4 !) (

.(

Q !

!T

/m 7!)b . :

31 . 7!)b

Q ,;

Procedure / Arguments


.

() ) p , 5.

-R 1 !b

G # 5. % R

V !)

Called From
G # ! procedure

(68-5) A

!Q
!) .

/
-

, 4 !) (

-7!)b

/m 5.

C,; !

R) / Q 8 ) ! O

) A. 4 ( < T V

+
. /

) 7!)b

=R

() /

Call stack ` < T !)

/ )! ) ) 6 \ 8 ) Q = !)

( -3 !

V !) ) 6

- "1


(68-5) A

Show Arguments / Hide Arguments


! 5.

.(

Q !

!T p , % U

p ,

- "1 V

() *

. /g 3
Follow Address in stack
CPU ` < T

stack

, 4 !) :

7!)b a "1 V

() *
.

(69-5) A

- G9

O )!

(69-5) A

.
,-

Show Procedure

> .

A # !) ! /0 5. E

7!)b a "1 V
(

() *

7!)b a "1 V
.a /

Disassembler

( -3

() *

(70-5) A

, 4 !) User32.dll A #

!) O )!
!) / ! i ,- .

5. 9

- G9

DialogBoxParamA 5. E
.

(70-5) A

Show call
!) / :
.
5.

call A,; !

- G 9

) 7!)b

Disassembler

G # 7!)b

"1 V
.

"1 V

() *

, 4 !) a
() *

. a /
9

!) O )!
(

i 9

() ) p , Called from

, 4

( - 3 (71-5) A

!) / ! >R ,-

Disassembler , 4 !) DialogBoxParamA


(71-5) A

Execute to return
/ (

G # 5.

Ji
. /

31 . % f -

"1 V
( -3
;. !

- G 24

= !) . #

(72-5) A

) !)

- G

!) / ! i ,- . /
)

/m Procedure R

!)

() *

Call

"1 V

"1 V

;. 7!)b !) 24
() *

uT

401470 7!)b !) CALL DWORD PTR DS:[<&User32.DialogBoxParamA>]


.


(72-5) A

kB

)!

G . !) Call Stack ` < T !) (

() ) p , ' Uc>

% " '! B !) / )

() *

)!

!Ta-

() ) p , ' Uc> /
B

G # . )! ! O

<

!)

. CPU ` < T

) 6

! )! G . # / 4)
Stack , 4 !) (
. /


> # . ) /> )
.

JC=

!R

24

!)

. C=

) '

! .

C= V . ) 1 - G . \ 8 ) Q = !) J
-Debugger . 56 !

) C,U ` k

# 1

6 A # !) -A,; !

aStack a -' 8e
.)

k Rb X "6

. C=

^ ! )
54

/! O
V

) G .

! . )!

)< '

C=

. ( cU .
. /

/"

!)

. C=

6 J

o
1!

o .
6

CB % 1 ...

O# =

OllyDbg

!) -A,; !

! . )! ! O

!) ! ! "# %

() T

V '

+A_
!) o

6 E

-^ !

() / Q
V

.] .

.R
! 24

/ ! -A,; !
- "1

)
.

/ ! >R ,- .

- () *

C,6 Rb

)! ) ) 6

6 A #

zU . /

F12

() 8 ! )! G . # / 4)
- G 24

C/
dll

! .! / a C=

) 6

.)! b

f ) ^ ! .) / (!

-A # !)

. C=

! R) / 24

- G 6

! . )!

+/ +A_

C/ V

24
() *

G #V

CG ) !)

f)

) !) .

( #
6 !)

!) 6 . C=

) A. 4

() *

^ !V

."

.) ) d - G ! 4

'! B . ! Rb

. C=

.'

6 A #

() *

- G

) /

C=

()

( ) _!

8 AF# . o b

W Q

. ! ) # . Fk

/a

. . #

!) # / ' Uc> V

. j 4) ) C,U ` k

! "# % V '

* !

)!

= !) .

/ (! . ) % " '! B

j 4) ' Uc> v / ! O

6 v

;S !) o b +

JC=

.
) . !Q

. . !Q

. / ;6
j >

'

uT -Debugger A,U V

) ) - G % < ! ) G O )!
. J, G

a -Debugger J C/ )!

6 !) o b

. A,; !

) /o @ 5

. C=

! 24
! O

R 1

=
1 1
1E

. .)

! {& ,;
.

(Step into) F7
A,; !

C;# A,; !
)

- C/

() *

. ! -A,; !

- C/ V R) 3# ! . - . / v
) /

! B !) /

6 Q

..

/
f.

. 24

uT

) . (Step over) F8

V !) Step into Step over ' * .)

G # 5. )! OllyDbg , (Step into) F7 R) 3# .

. (call)

6
G #


5. E

7!)b

,- call
A,; !

= !)

- G 24

! . F8 C/ R) 3# .
!

5. V E

) (F8 C/) Step Over J "1

-A,; !
)

uT

' C,U


=!)

() *

!) .)

..

5.

Call

24

. /

- G Q 8 ) O )!

- GQ8)

'! B . O )!

) V ) C,U ` k (73-5) A

7!)b !)
6 -A,; !
-A,; !

;. A,; !

) J C/ aCall
) !) 5.

( -3 ! obV.

31 .

-' *

^ !

(73-5) A

/ step into
- C/
V

step over

a /

() *
8

.! / +

R) / Q 8 )

! - C/ V

R) 3#

.
= !)

(Animate into) Ctrl+F7 (Animate over) Ctrl+F8

/m / ! >R ,- . / () *

% " '! B !) . /

8
. / () *

! F8

F7

- C/

ESC C/

R) 3#

= !) - "1

' C,U V R) / 24

! O

E* ( #
C=
&.

6 ` k
U

.! /
6 E

) 1
/

'! B Q ,; ! > .
o ..

5Ci ( -A,; !

!a 6 E
)

V !)

) C=

6

. .) . - G ! )! G . (Debugger R .

! R) /Q 8 ) ! O

) . y # ^ ! !)

! 24

(RUN) F9 C/

. / () *

- G 24

Q = !) C;# A,; !

/ 24 ]
) !)

() *

C/ V

0TR

! ^ ! V !) :24

.
6

! a O )!

Q 8 ) C=

'

. C=

W
6

! .%<

. )! f )

y #

() *

F9 C/

-^ !

'! B

() *

. :(F12) pause J "1

() *

)" )

y # '! B .
.

() *

- G 24

. ' C,U 24

uT

(! . ) `) *

.
.)

! O

(F12) pause J "1

J "1 )

. / () *
.

! >R ,- .
5.

"1 V

() *

() *

) Ji

. 24

.R

+
!

! J, G ! O

. Q ,; ! > . 31 .

uT

R) / Q 8 )

.R
)

!
)

G # 7!)b . 31 .

! 24
.

(74-5) A

- / 5

-A,; !

# 1!/ .( /

. ' C,U 401063 7!)b !)

. 24

'! B !) : Execute till return -1

- G Q 8 ) ) b '! B . (Return) 31 . A,; !


.

J "1

.a

24 ]

uT (74-5) A

!)

Q 8 ) Execute till return

)3

. +/ 0 1. ( 2,

!)

!
.

!)

6
6 ! O

() *

- Crack
6 ) b '! B . 5. V

24

() *

. 54

- G 24

1V !) .

"1 V

.! /
-A #

- G # 1 O !) ,
R U . ! O )!
- / R) / Q 8 ) A=
!) .

6 A=

dll

-A # R U .

W V

24

o ..
C,6

) 6

System

! 01! .

f. O !) .! /
)!

Kernel32.dll A #

. /

'! B !) .

! (

LoadImageA 5.

(75-5) A

- /

-/) b

)! 4

() *

! . )!

! .! / / +
.

-A #
.

!) '

/ ! >R ,-

/ 401098 7!)b

- dll % , q #p T '! B .

() ) ! 4

( -3
)

-A #

- /

- / . ( 31 .) R

01 - G e ! /0 )!
!)

x/ !) : Execute till user code -2

. 54

Executable modules ` < T

-A #

-5) A

-A,; !

(RetN 10) 31 . A,; !

(! . )

! a(F12) pause J "1

! / ) R !) /
)!

248

!) a

() *
,

.
G #

uT (75

!)b !) ! /0 5.

2 Debugger /78 9

249
'! B .
5.

6
G #

! Execute till user code J "1

() *

;. A,; !

Q8)

.! / / .

) 7!)b !)

/
(

( -3

31 .

- , 4 )!

) < zU .

() . * !

Hit trace

Hit trace records which instructions in a selected range have actually been executed. OllyDbg implements it by placing temporary INT3 breakpoints on every instruction of the selection (or on the entry of every recognized procedure); the first time a breakpoint is hit it is removed and the instruction is marked in the Disassembler window as traced. The result shows at a glance which branches of a procedure the program took. Only code may be included in a hit trace: an INT3 written into a Data area of the module (visible in the Hex dump window) corrupts the data.

The commands are on the Hit trace submenu of the Disassembler window's context menu:

Add selection: marks the selected instructions for hit tracing (figure 5-76).
Add procedure: marks the whole procedure containing the selection (figure 5-77).
Add all recognized procedures: marks every procedure that OllyDbg's analysis (Analyze) recognized in the module (figure 5-78).
Remove from selection: stops tracing the selected instructions (figure 5-79).
Mark selection as not traced: clears the traced mark on the selected instructions.
Remove from module: stops hit tracing for the whole module.
Mark module as not traced: clears all traced marks in the module.

Run trace

Run trace records every executed instruction, together with the register contents at each step, into a buffer that can be examined afterwards; it is slower than hit trace but far more detailed. Trace into (Ctrl+F11) steps into calls while tracing, Trace over (Ctrl+F12) treats each call as one step. Run (F9) runs the program without tracing; the trace itself is started with Trace into or Trace over.

Before starting a trace, Set condition opens the "Condition to pause" dialog (figure 5-80). Tracing stops as soon as one of the enabled conditions holds:

EIP is in range: the instruction pointer enters the given address range.
EIP is outside the range: the instruction pointer leaves the given range.
Condition is true: an expression on registers or memory evaluates to true.
Command count is: the given number of instructions has been traced.
Command is one of: the next instruction matches one of the listed patterns. Register placeholders may be used (table 5-5):

    XOR EAX, EAX    exactly this instruction
    XOR ESI, EDX    exactly this instruction
    XOR R32, R32    any 32-bit register in either operand
    XOR RA, RA      the same 32-bit register in both operands
    XOR RA, RB      two 32-bit registers, not necessarily the same

The Run trace submenu of the Disassembler window's context menu (figure 5-81) restricts what is recorded:

Add selection: traces only the selected instructions.
Add procedure: traces the current procedure.
Add branches in procedure: traces only the Jump and Call instructions of the procedure.
Add entries of all procedures: records the first instruction of every recognized procedure.
Remove from module: removes the module from the trace set.
Skip selection when tracing: the selected instructions run at full speed and are not recorded.

The recorded trace is shown in the window opened by View > Run trace (figure 5-82), one line per instruction with its address and the registers it changed; selecting a line shows the corresponding instruction in the Disassembler window. Two settings in Options > Debugging options, on the Trace tab (figure 5-83), control the behaviour: "Always trace over system DLLs" keeps API calls inside system DLLs out of the trace, and "Synchronize CPU and Run trace" makes the CPU window follow the line selected in the trace window.

Chapter 6: Modifying executable files

A program's resources (dialogs, menus, strings, icons, bitmaps, version information) and the fields of its PE header can be edited directly in the executable file, without the source code. This chapter covers editing resources, changing the information in the PE header, adding imported and exported functions, working with sections, patching code and injecting new code into an existing executable.

[Pages 257 to 259 are missing from this copy.]

Editing resources with Resource Hacker

Resource Hacker (version 3.4, in Tools\ResourceHacker on the companion CD) opens an executable and shows its resources in a tree, grouped by type. The Find Text command locates a string such as a caption inside the resources (figure 6-1); the resource that contains it is shown as a script in the right pane, where it can be edited in place. After editing, click Compile script and then save the file with File > Save to write the changed resources back into the executable (figure 6-2).

Editing resources with PE Explorer

PE Explorer (version 1.97, in Tools\PEExplorer) is an alternative with a visual editor. Open the executable and open its Resource Viewer (figure 6-3); the Menu and Dialog nodes list the program's menus and dialogs, and Find (Ctrl+F) searches the resources for a string (figure 6-4). Selecting a dialog and clicking Resource Editor opens it visually: controls can be moved and resized, and their properties, for example Caption, Right Justify and Right Order, changed in the property list (figure 6-5). Press OK in the editor and then File > Save File As to write the modified executable under a new name.
How a dialog is stored depends on the compiler that built the program. Programs written in Visual C++ keep their dialogs as standard Windows dialog resources, which both Resource Hacker and PE Explorer can edit. Delphi and C++ Builder programs keep their forms as RCData resources in Borland's own format, and Visual Basic programs keep their forms in a format of their own; each needs the tool described in the corresponding section below.

Visual C++ dialogs with Resource Hacker

Open the executable in Resource Hacker and expand the Dialog node; selecting a dialog shows it as a script on the right and as a preview window (figure 6-6). Right-click the preview and choose Insert Control to add a control; the Control Editor (figure 6-7) sets its class, caption, identifier and position (answer No to All to the question that follows, so that the existing controls are left untouched). Double-clicking an existing control opens Edit Control, and right-clicking the dialog background gives Edit Dialog for the dialog's own properties (figure 6-8). Click Compile Script and then save the file to store the change.
Delphi and C++ Builder forms with PE Explorer

Borland compilers store each form as a binary RCData resource, so Resource Hacker shows it only as an uneditable script. PE Explorer understands this format: open the executable, select the form under RCData in the Resource Viewer (figure 6-9) and click Resource Editor (figure 6-10). Each component of the form appears with its properties in a tree; change the Value field of a property, click Apply, and save the executable with File > Save File As.
Visual Basic forms with VB Reformer

Forms of Visual Basic programs are not stored as Windows resources and cannot be edited with the tools above. VB Reformer (version 4.1, in Tools\VBReformer) reads the VB-specific form data: open the executable, select a form in the Form tree (figure 6-11) and choose Edit / Properties to change the properties of a control (figure 6-12). Save the result with File > Save binary as.

Extracting and adding resources

Resource Hacker can copy resources between files. Select a resource (a Dialog, Icon, Bitmap or any other type) and choose Save Resource as a *.res file (figure 6-13). The .res file is the compiled resource format that the Visual C++ and Delphi resource compilers produce, so it can be used in another project or added to another executable. To add it, open the target executable, choose Add a new Resource, open the .res file, pick the resource in the Select new resource list (figure 6-14), give it a Resource Name and click Add resource; then save the file with File > Save. Icon and Bitmap resources can also be added with the same command directly from an icon or bitmap file.

> # ( 2 > ) @G
' Uc>

( Gm ! O

! G

)!

!) # / ' Uc> V

.)

k '

W )<

AF# .

( T `) )
). /

() *

C= !) )!

-A # ) C,U ( k

?- 8> /7;<

K; ) $

?- 8>

-R , G

!)

) G CG ) ' K"6

-! G

do

! G

.] .

o b ) C,U ( k
. 56 !

-A #
-A # V

j 4) ' Uc> v / ! O
. / ;6

#S a
W
!

-A # .

a f ) )!

-/

-! ". AF# V !) .d /

! 4

! . )!

"

-section R) / # S C,6
) ! 5.

Q 6 .

6 A # !) (

! o b ) C,U ( k

-dll

)!

( Gm

() / # ; '

1 1 )!

5.

/ ' Uc>
1V

.
8
!)

R) /
- b

)< ! O

.) ) d - G

2 >*
-A #

- b

!) '

W )< ! O

$ %&' )

. PE Tools ! "# %

- C. 4

?-

, 4 V !)

.) / d - G () *

) 6

, ,S CD !) ! "# % V 1.54
Tools\ PETools

6 A # Tools

! O )!

Dos Header , 4 ' K"6 (


!) ! ) G (

)'

PE Editor
. (15-6) A
'! B !) .)! 01
. /9

"1 9

uT ! O

,- PE Editor ( < T A,U V . . /


p ,
b

. ! O )!
V

O )!

6 A #
X "6

)3

. +/ 0 1. ( 2,

- Crack

274

(15-6) A

Image File Header


() *
. /

Optional Header
( -3 - b

- b

!) '

File Header

V X "6

- ,/)

)<

! O

'! B !)

Image Optional Header

' Uc> p , Q =!) ! ! "# % V (16-6) A

!) . /

275

> # (2 > ) $

?- 8> /7;<

(16-6) A

( ) !/ ! 01! . v8

6 A #

! /0 dll CG ) 5.

() *

- C. 4 R / # S ! O
!)

. #/ #S

) ! 5.
R

.^ !V

P# )!

)!

5.

{& ,; . -)

x/ !)

R) / # S ! O

. IIDKing

) 6

6 A #

() *

) 6

) 6

! "# %

.) / d - G () *
.

-dll R) / # S R

5.

6 A # ! 01! . % f - !) O )!

.)!
. -dll

2 dll O 5 + H

) !/ -

dll A #

- /+

-! "# %
-A # !)

- C. 4
6

!
.

6
- /

, 4 V !)

-A # ) ! 5.

, ,S CD !) ! "# % V 2.01
Tools\ IIDKing

)3

dll

. O )!
. /9
(

- Crack

. +/ 0 1. ( 2,

Pick File ,/)

! .

C/ Pick dlls ,/)

! . ) ! dll R) / g 3

6 A #9
dll A #

! O )!

!) B 5.
!) G

276

(
)!

5.

() /

p , . ! ! /0 dll +
C/ add ,/)

. /

uT ! O

,- Choose API ( < T A,U V

- : (17-6) A
.)! 01

C/

.
.

(Export Functions)

! . () / 9

() ) p ,

(17-6) A

CB k*B
A=

f ) 5.

!) a(

5.

dll %

-dll R) / # S ! O

( - 3 (18-6) A

!) / ! >R ,-

'! B !) .

() ) p ,
. /!

!y #

277

> # (2 > ) $

?- 8> /7;<

(18-6) A

6 A #

! .'

W Q ,U ! O

.a

)!

C/ Add them ,/)

. /

(Export Table) F < ) ` !/ CG ) 5.


(
A /
%<

- /

! .

Adding exported functions with Export Adder

An executable or DLL can also be given new exported functions, so that code at a chosen address becomes callable by name from other modules. Export Adder (version 1.1, in Tools\ExportAdder) does this: select the target in the PE File field; its existing exports are listed under Export List (figure 6-19). In Add Export enter the function name and its RVA (the address of the code relative to the image base) and click Add; the entry appears in the Exports list (figure 6-20). Save as writes a copy of the file with the new export table.
Working with sections in LordPE

Every PE file is divided into sections (code, data, resources, import and export tables), described by the section table in the header. LordPE (Deluxe edition, in Tools\LordPE) shows and edits them: click PE Editor, open the executable (figure 6-21) and click Sections to open the Section Table (figure 6-22), which lists each section's name, virtual address and size, raw offset and size, and flags. The context menu of a section offers:

Edit Section Header: change the name, addresses, sizes and flags of the section (figure 6-23). The Section Flags dialog sets the characteristics, for example whether the section contains code or data and whether it is readable, writable or executable.
Hex Edit Section: edit the raw bytes of the section in a hex editor (figure 6-24), with ASCII and Unicode search.
Load Section From Disk: replace the contents of the section with the contents of a file, which must fit the section's raw size.
Save Section to Disk: dump the section's contents to a file.
Split: divide a section into two.
Add Section Header: append a new, empty section header; its contents are then loaded from disk.
Wipe Section Header: remove the selected section header.
Patching a program

Patching means changing the program's instructions in the executable file. The sample program (figure 6-25) reads the text entered in its window with GetWindowText, checks it and reports the result in a message box produced with the MessageBox API (figure 6-26). To locate the check, load the program in OllyDbg and set a breakpoint on MessageBoxA (figure 6-27); run it and enter a wrong value: the debugger stops on the call at address 4014CA. A few instructions earlier, at 4014B1, the conditional jump

    004014B1    75 09    JNZ SHORT 004014BC

chooses between the two paths of the comparison (figure 6-28). Replacing it with two NOP instructions (one byte each, so the two bytes 75 09 become 90 90) forces the fall-through path regardless of the comparison result. In OllyDbg, double-click the instruction at 4014B1 in the Disassembly window to open the Assemble dialog, type NOP and assemble it; with "Fill with NOP's" checked the whole two-byte jump is replaced (figure 6-29).

The change so far exists only in the debugged process. To make it permanent, select the modified instructions, right-click and choose Copy to executable > Selection; in the window that opens, right-click again and choose Save file (figure 6-30), writing the patched executable under a new name. The original file is left untouched.

> # (2 > ) $

Y0da Process Patcher ! "# %


.d /

() *

-! ". V ) C,U ( k R

A84 Q x !) '

W )<

?- 8> /7;<
V

!! O

. Loader

! 01! .

) !)

)< ! O

uT ! O V

, ,S CD !) ! "# % V 2000

) 6

Tools\Y0daProcessPatcher
! Add Patch

"1 a! "# %

.)

V !) O )!

6 A # R) / g 3

,- Add Patch ( < T A,U V . . / 9

() ) p , (31-6) A

(31-6) A

: (
Q x !) / d /

g 3 ! O )!

, 4

() k E

. C=

Disassembly ( < T
A,; !

) Q) ;

() k % G

Hex Dump R

/ ! ) ! 7509 !

4014B1 7!)b

-Opcode , 4 V !) : Original Bytes


!)

! -Opcode V .d /

)!

- / V aQ x !) . / ( - 3 OllyDbg
.

!) / d /

)!

< 7!)b , 4 V !) :RVA


.

Hex '! B . ! O )!

>

^ T

)! Hex '! B . ! V "f 6 Opcode , 4 V !) : Patch Bytes


.

NOP A,; !

) ) Q) ;

9090 aQ x

' Uc>

)3
%

- Crack

. +/ 0 1. ( 2,
.

6 A #

A,U V

A # ! /) G ! > . Loader.exe
W v8

/ .)
. /

290

.. / 9

! Make Loader

6 . .)

Q ,U Rb O# = !) O )!
T

W O )!

k .

(32-6) A

)<

CB

'

W uD

! (

"1 aR) / # S

uT

6 A # ! / !) loader.exe
(

! 01! . CB

O# = !)

6 A #

6
-/

291

> # (2 > ) $

?- 8> /7;<

Injecting new code into an executable

New code can be added to an existing executable and run before the program's own entry point. The book uses Code Snippet Creator (version 1.05, in Tools\CodesnippetCreator) together with Macro Assembler 6.11 (in Tools\MacroAssembler) to add a message box to Notepad.exe. The snippet is written in assembly in Code Snippet Creator's editor (figure 6-33). First set the assembler paths under Action > Options: General Options takes the location of ML.exe (the assembler) and Linker.exe (figure 6-34). Assemble builds the snippet; the Assembler Output window (figure 6-35) shows the result and can Export it as an Obj file or as a raw Bin file.

The API calls of the snippet must use functions that already appear in the target's import table. Notepad.exe imports the Unicode MessageBoxW and not MessageBoxA, so the snippet is written against MessageBoxW (figures 6-36 and 6-37); if a needed function is missing, IIDKing adds it to the import table first.

Project Options (figure 6-38) then describes where the code goes. Disassembling Notepad.exe shows its entry point at 1006F4A. The snippet is placed at address 1009700 inside an existing section (Patch into Existing section), and Redirect EntryPoint RVA points the header's entry point at the Snippet VA, so that the snippet runs first and then jumps to the original entry point. Action > Patch Target File writes the modified Notepad.exe; running it now shows the Test message box before the editor window appears (figure 6-39).

The same steps can be carried out by hand with a disassembler such as IDA or W32Dasm, but the tool automates placing the code, fixing the header and chaining the entry point.

[Pages 297 to 299 are missing from this copy.]
Chapter 7

Binary data sizes

All data in memory is stored in binary. The units used in assembly language are:

Nibble: 4 bits, 16 values (0 to 15, one hexadecimal digit). Binary-coded decimal (BCD) stores one decimal digit per nibble (figure 7-1).
Byte: 8 bits, 256 values (0 to 255, or -128 to 127 when signed), the smallest unit the 80x86 can address, and the size of one ASCII character (figure 7-2).
Word: 16 bits, 65536 values (0 to 65535). Bits 0 to 7 form the low-order byte and bits 8 to 15 the high-order byte; a Unicode character is one word (figure 7-3).
Double word (DWord): 32 bits, two words: bits 0 to 15 are the low-order word and bits 16 to 31 the high-order word. It holds a 32-bit integer (Integer or Long in high-level languages), a 32-bit pointer or a single-precision Float (figure 7-4).

Registers

Registers are storage locations inside the processor; they are far faster than memory and are the operands of most instructions. The 80386 and later processors have 32-bit registers (figure 7-5), which fall into four groups.

General-purpose registers

EAX, EBX, ECX and EDX are 32 bits each. The low 16 bits of each form the 16-bit register AX, BX, CX or DX inherited from the 8086, and that word is in turn split into a high byte (AH, BH, CH, DH) and a low byte (AL, BL, CL, DL); all of these names can be used independently, but they are the same storage.

EAX / AX: the accumulator. Most arithmetic instructions use it, and it holds the return value of a procedure, so its contents are worth watching after a call.
EBX / BX: the base register, used to hold the address of data in memory.
ECX / CX: the counter, used by the loop and string instructions to count iterations.
EDX / DX: the data register. Together with EAX it holds the 64-bit result of a multiplication and the dividend of a division, and it is also used for I/O port addressing.

Segment registers

CS, DS, SS, ES, FS and GS are 16 bits each and select the memory segments the processor works in: CS the code segment (the instruction at CS:EIP is the one being executed), DS the data segment used by default for data references, SS the stack segment (the top of the stack is SS:ESP), ES an extra data segment used by the string instructions, and FS and GS two further segment registers added with the 80386.

Pointer registers

EIP, the instruction pointer, holds the offset within the code segment of the next instruction to execute. ESP, the stack pointer, holds the offset of the top of the stack within the stack segment. EBP, the base pointer, addresses data on the stack, for example a procedure's local variables and parameters.

Index registers

ESI, the source index, and EDI, the destination index, hold the source and destination addresses in string and memory-copy operations.

The stack

The stack is an area of memory (in RAM, not in the processor) used for temporary storage of data, return addresses and the parameters of procedures; it is addressed through SS:ESP. Two instructions work on it: push stores a value on top of the stack and decrements ESP, and pop removes the value on top and increments ESP. Values come off in the reverse of the order in which they went on, so the stack is a last-in, first-out (LIFO) structure (figure 7-6).
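To make the register aliasing and the LIFO behaviour concrete, here is an added Python model that is not part of the book. It keeps EAX to EDX as 32-bit values and derives AX, AH and AL (and the B, C, D variants) from them, implements push and pop over a small little-endian memory, and in frame_demo mirrors the "push ebp / mov ebp, esp / sub esp, 0Ch" prologue that appears in the disassembly later in this chapter; the return address 0x4010AF and the values 7 and 5 are made up for the example.

```python
# Added example: a minimal model of the 80386 general-purpose registers and the stack.
import struct


class CPU:
    """Four 32-bit general registers with their 16- and 8-bit aliases, EBP, ESP,
    and a little-endian memory that the stack grows down into."""

    def __init__(self, mem_size=0x100):
        self.regs = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0}
        self.mem = bytearray(mem_size)
        self.esp = mem_size          # empty stack: ESP points just past the end
        self.ebp = 0

    def _slot(self, name):
        """Return (full register, bit shift, mask) for eax/ax/ah/al and the b, c, d variants."""
        base = name[1] if name.startswith("e") else name[0]
        full = f"e{base}x"
        if full not in self.regs:
            raise KeyError(name)
        return {full: (full, 0, 0xFFFFFFFF), f"{base}x": (full, 0, 0xFFFF),
                f"{base}h": (full, 8, 0xFF), f"{base}l": (full, 0, 0xFF)}[name]

    def get(self, name):
        full, shift, mask = self._slot(name)
        return (self.regs[full] >> shift) & mask

    def set(self, name, value):
        """Write only the aliased bits; the rest of the 32-bit register is preserved."""
        full, shift, mask = self._slot(name)
        kept = self.regs[full] & ~(mask << shift) & 0xFFFFFFFF
        self.regs[full] = kept | ((value & mask) << shift)

    def load32(self, addr):
        return struct.unpack_from("<I", self.mem, addr)[0]

    def store32(self, addr, value):
        struct.pack_into("<I", self.mem, addr, value & 0xFFFFFFFF)

    def push(self, value):          # ESP decreases by 4, then the dword is stored at SS:ESP
        self.esp -= 4
        self.store32(self.esp, value)

    def pop(self):                  # the dword at SS:ESP is read, then ESP increases by 4
        value = self.load32(self.esp)
        self.esp += 4
        return value


def alias_demo():
    """EAX = 12345678h: AX is 5678h, AH 56h, AL 78h; writing AL and AH changes only those bytes."""
    cpu = CPU()
    cpu.set("eax", 0x12345678)
    before = (cpu.get("ax"), cpu.get("ah"), cpu.get("al"))
    cpu.set("al", 0xFF)
    cpu.set("ah", 0x00)
    return before, cpu.get("eax")            # ((0x5678, 0x56, 0x78), 0x123400FF)


def stack_demo():
    """push 1, 2, 3 then pop three times: 3, 2, 1 come back (LIFO) and ESP is restored."""
    cpu = CPU()
    start = cpu.esp
    for v in (1, 2, 3):
        cpu.push(v)
    esp_after_push = cpu.esp                 # start - 12
    popped = [cpu.pop() for _ in range(3)]
    return popped, esp_after_push, cpu.esp == start


def frame_demo():
    """The prologue 'push ebp / mov ebp, esp / sub esp, 0Ch' with locals at [ebp-4],
    [ebp-8] and [ebp-0Ch], followed by the matching epilogue and return."""
    cpu = CPU()
    cpu.push(0x004010AF)                     # return address left by the caller's CALL (made up)
    cpu.push(cpu.ebp)                        # push ebp
    cpu.ebp = cpu.esp                        # mov ebp, esp
    cpu.esp -= 0x0C                          # sub esp, 0Ch : room for var_a, var_b, var_c
    cpu.store32(cpu.ebp - 4, 7)              # var_a = dword ptr -4
    cpu.store32(cpu.ebp - 8, 5)              # var_b = dword ptr -8
    cpu.set("eax", cpu.load32(cpu.ebp - 4))  # mov eax, [ebp+var_a]
    cpu.set("eax", cpu.get("eax") + cpu.load32(cpu.ebp - 8))   # add eax, [ebp+var_b]
    cpu.store32(cpu.ebp - 0xC, cpu.get("eax"))                  # mov [ebp+var_c], eax
    result = cpu.load32(cpu.ebp - 0xC)
    cpu.esp = cpu.ebp                        # mov esp, ebp
    cpu.ebp = cpu.pop()                      # pop ebp
    return result, cpu.pop()                 # retn pops the return address: (12, 0x4010AF)
```

Because ESP moves down on push and up on pop, the local variables sit below EBP (negative offsets) while the saved EBP and the return address sit at EBP and EBP+4; that layout is what the var_a, var_b and var_c definitions in the disassembly below express.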

The 80x86 instruction set

80x86 instructions are grouped by function: data transfer, arithmetic, logic, control transfer, string operations and so on. The following sections describe the instructions most often met when reading disassembled code.

Data transfer: MOV

MOV copies data from a source operand to a destination operand:

    MOV destination, source

The operands may be 8, 16 or 32 bits, but both must have the same size. The source may be a register, a memory location or an immediate value; the destination a register or a memory location. A memory-to-memory move is not allowed. Register-to-register examples:

    Mov al, bl
    Mov ax, cx
    Mov ebx, edx

Memory operands

A memory operand is written as an offset in square brackets, optionally prefixed by the segment register to use. In 16-bit real mode the 80x86 forms a 20-bit physical address from a segment and an offset, which gives 1 MB of addressable memory; in 32-bit protected mode the offset alone is 32 bits wide. A direct address uses a constant offset:

    Mov eax, ds:[8088h]     ; load the dword at offset 8088h of the data segment into EAX
    Mov ds:[1234h], dl      ; store DL at offset 1234h of the data segment (figure 7-7)

Register indirect addressing uses the contents of a register as the offset:

    Mov eax, [ebx]          ; load the dword whose address is in EBX
    Mov al, [bx]
    Mov al, ss:[bp]         ; BP addresses the stack segment by default (figure 7-8)

The chapter covers only the part of the instruction set needed to follow the examples; the Intel manuals document the complete 80x86 instruction set.

( 2O /E ) F 1@

( A5 ( 2) @G

>

<

H >) ( 2 rA"% >

<

!"# rA"% >


. ADD !

; 8> ) U
%<

'! 8U

o. /

,6 ADD V

.)

- C D / .)

() *

", ) U ^ ) T

zU . ^ ! V . / ,6 LEA C , [a + b + Const] V
!R

V V ,- .

offset R)! b

. LEA A,; !

%< ! /

) ! / -)

) . + fC,U )!

5,6 / =

) CB Y - . b
o. /

!
.! O

- C D / !) )!

x/ !)

. fADD

ADD XXX , 1 V "f 6 ! INC XXX !

V , V ,- . /

5,6 AB = / -)

<

-)

) . ! c = a +b + Const
!)

W V [ /)

,-

-' 8e

P;. !)

j >
.

% < " ! ADD

. -)

: / 6
"+ " fC,U

Qx

:Q x

#include <stdio.h>

int main(void)
{
    int a, b, c;            /* left uninitialized on purpose: only the arithmetic is of interest */
    c = a + b;              /* the "+" operation on two variables */
    printf("%x\n", c);
    c = c + 1;              /* adding a constant */
    printf("%x\n", c);
    return 0;
}

Disassembly of the "+" example (C++ compiler output):

main            proc near               ; CODE XREF: start+AF↑p
var_c           = dword ptr -0Ch
var_b           = dword ptr -8
var_a           = dword ptr -4
                push    ebp               ; save the caller's frame pointer
                mov     ebp, esp          ; open the stack frame
                sub     esp, 0Ch          ; reserve 0Ch bytes for the three local variables
                mov     eax, [ebp+var_a]  ; EAX = var_a
                add     eax, [ebp+var_b]  ; EAX += var_b
                mov     [ebp+var_c], eax  ; var_c = var_a + var_b
                mov     ecx, [ebp+var_c]
                push    ecx
                push    offset asc_406030 ; "%x\n"
                call    _printf           ; printf("%x\n", var_c)
                add     esp, 8            ; remove the two arguments from the stack
                mov     edx, [ebp+var_c]  ; EDX = var_c
                add     edx, 1            ; EDX += 1
                mov     [ebp+var_c], edx  ; var_c = var_c + 1
                mov     eax, [ebp+var_c]
                push    eax
                push    offset asc_406034 ; "%x\n"
                call    _printf           ; printf("%x\n", var_c)
                add     esp, 8
                mov     esp, ebp          ; close the stack frame
                pop     ebp
                retn
main            endp

. fSUBX

", ) U

. ! SUB XXX ,1 !
SUB A , Const

) {& ,;
6 .
.

. SUB !

; 8> ) U
-)

%<

V , " '4
.

Sub

v> 1- rA"% >

<

) . C/! > . j *

fC,U

o. /

- C D / .)

,6

V "f 6 DEC XXX !

G .. /
ADD R [

ADD a , -Const

/ () *

" "j * fC,U

:Q x

#include <stdio.h>

int main(void)
{
    int a, b, c;            /* left uninitialized on purpose */
    c = a - b;              /* the "-" operation on two variables */
    printf("%x\n", c);
    c = c - 10;             /* subtracting a constant */
    printf("%x\n", c);
    return 0;
}

Disassembly of the "-" example (C++ compiler output):

main            proc near               ; CODE XREF: start+AF↑p
var_c           = dword ptr -0Ch
var_b           = dword ptr -8
var_a           = dword ptr -4
                push    ebp
                mov     ebp, esp          ; open the stack frame
                sub     esp, 0Ch          ; reserve 0Ch bytes for the local variables
                mov     eax, [ebp+var_a]  ; EAX = var_a
                sub     eax, [ebp+var_b]  ; EAX -= var_b
                mov     [ebp+var_c], eax  ; var_c = var_a - var_b
                mov     ecx, [ebp+var_c]
                push    ecx
                push    offset asc_406030 ; "%x\n"
                call    _printf           ; printf("%x\n", var_c)
                add     esp, 8
                mov     edx, [ebp+var_c]  ; EDX = var_c
                sub     edx, 0Ah          ; EDX -= 10
                mov     [ebp+var_c], edx  ; var_c = var_c - 10
                mov     eax, [ebp+var_c]
                push    eax
                push    offset asc_406034 ; "%x\n"
                call    _printf           ; printf("%x\n", var_c)
                add     esp, 8
                mov     esp, ebp          ; close the stack frame
                pop     ebp
                retn
main            endp

. 3T 9 4

)3

- Crack

. +/ 0 1. ( 2,

312
7

. IDIV

) U
.2

-R

( /d

. DIV V

cU R . ) U
!

1 .)

,6

! . *

C/! > . . /
V

/V

! . . = *
W

. .)

A )V

-Q

. .)! )
#!/V

- .) ; N <

) Rb

.V

cU ) U d

3/

V "f 6 9 S . ! d
N

"[ !

) V !) .

.9 S

^ !

. -

! *

! R) / ) 1

- .%, . /)
/0 .)

5,6

Q >A

40

3 . Div

' C,U

# 3T

- C D /

V Rb V
d

' C,U C/! > . / d

!) . a / b = 2 /b a/2

V ,-

) . DIV !

. . =

() ) *

4) =9 S

.. /

cU

zU . R [ .

A84 2 -1 ) U
(

!)

cU ) U d

#S =
d

a!

^ ! . /)

. ad

,/ U

( T ,/ ! )

) 1 zU . ! )

)
R

. fDIVX

V "f 6 SHR a,N !

<

) "/" fC,U

) . {& ,; (d

", ) U

`! , N

. /

6 )! ) 9 S

/
) U

#S (

^ ! . a . C d4!

cU

AB = R

zU . ! / V .)
.V

) U

R [)
2R

#/!/V

I- rA"% >

Y ;

/ )! ) ) 6

V.' * ) 6 V
.

A 3 ! d-

: / 6
: "/" d

..

Qx

fC,U

#include <stdio.h>

int main(void)
{
    int a;                               /* left uninitialized on purpose */
    printf("%x %x\n", a/32, a/10);       /* division by a power of two and by another constant */
    return 0;
}

Disassembly of the "/" example (C++ compiler output):

main            proc near               ; CODE XREF: start+AF↑p
var_a           = dword ptr -4
                push    ebp
                mov     ebp, esp          ; open the stack frame
                push    ecx               ; reserve 4 bytes for var_a
                mov     eax, [ebp+var_a]  ; EAX = var_a
                cdq                       ; sign-extend EAX into EDX:EAX (64-bit dividend)
                mov     ecx, 0Ah          ; ECX = 10
                idiv    ecx               ; EAX = EDX:EAX / 10 (EDX receives the remainder)
                push    eax               ; argument: var_a / 0xA
                mov     eax, [ebp+var_a]  ; EAX = var_a
                cdq                       ; EDX = 0 if var_a >= 0, else 0FFFFFFFFh
                and     edx, 1Fh          ; EDX = 31 if var_a < 0, else 0
                add     eax, edx          ; bias negative values so the shift rounds toward zero
                sar     eax, 5            ; EAX = var_a / 32 (2^5 = 32): no division instruction at all
                push    eax               ; argument: var_a / 32
                push    offset aXX        ; "%x %x\n"
                call    _printf           ; printf("%x %x\n", var_a / 32, var_a / 0xA)
                add     esp, 0Ch
                mov     esp, ebp          ; close the stack frame
                pop     ebp
                retn
main            endp

Q H rA"% >
IMUL
1 .)

. MUL V

cU R . ) U
,6

",

V "f 6 SHL !

V .

)) G

) G R) / # S . .
!

. FMULX

.) U 9 S
k

/ LEA !

. !)
.

) . C D /+

) . {& ,; IMUL

8 a 4 a 2 !) 9 S ! -' 8e
MUL !

A
(

) TE

) . 6
.

. C

8 .) / ) < " ! 9 5 3 !) 9 S R
.)!

[ ) .! / 9 S !) )

-)

{& ,; 9 S fC,U
cU . ) U 9 S

MUL ' !
)

<

.2R

[ .
.(

R .!

V .)! )
LEA !
() *

) )V . /
9

2V.

aAB = . !

f) B

. LEA

: / 6

Qx

"* "9 S fC,U


#include <stdio.h>

int main(void)
{
    int a;                                          /* left uninitialized on purpose */
    printf("%x %x %x\n", a*16, a*4+5, a*13);        /* three multiplications by constants */
    return 0;
}

( /9 S

! ) U a!
A

)+

:Q x

315

AB"
Disassembly of the "*" example (C++ compiler output):

main            proc near               ; CODE XREF: start+AF↑p
var_a           = dword ptr -4
                push    ebp
                mov     ebp, esp          ; open the stack frame
                push    ecx               ; reserve 4 bytes for var_a
                mov     eax, [ebp+var_a]  ; EAX = var_a
                imul    eax, 0Dh          ; EAX = var_a * 13: no cheap shift form, so a real multiply
                push    eax               ; argument: var_a * 0xD
                mov     ecx, [ebp+var_a]  ; ECX = var_a
                lea     edx, ds:5[ecx*4]  ; EDX = var_a * 4 + 5 in one instruction, no multiply
                push    edx               ; argument: var_a * 4 + 5
                mov     eax, [ebp+var_a]  ; EAX = var_a
                shl     eax, 4            ; EAX = var_a * 16 (2^4)
                push    eax               ; argument: var_a * 16
                push    offset aXXX       ; "%x %x %x\n"
                call    _printf           ; printf("%x %x %x\n", var_a * 16, var_a * 4 + 5, var_a * 0xD)
                add     esp, 10h
                mov     esp, ebp          ; close the stack frame
                pop     ebp
                retn
main            endp
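The shift-and-correct sequence for a/32 and the SHL/LEA/IMUL rewrites of a*16, a*4+5 and a*13 are the idioms a reader has to recognize in the two listings above. The following C, added here and not part of the book, emulates each instruction and checks it against the plain C operator, generalised to any power of two 2^k (the listing's k = 5 is one case); the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Arithmetic right shift written portably: what x86 SAR does. C's >> on a
 * negative signed value is implementation-defined, so it is done by hand. */
int32_t sar32(int32_t x, unsigned k)
{
    if (x >= 0)
        return (int32_t)((uint32_t)x >> k);
    return ~(int32_t)(~(uint32_t)x >> k);
}

/* The sequence the compiler emitted for a / 32 (signed a), for any 2^k:
 *   cdq             ; EDX = 0 if EAX >= 0, else -1 (sign extension)
 *   and edx, 1Fh    ; EDX = (a < 0) ? 2^k - 1 : 0
 *   add eax, edx    ; bias negative values so the shift truncates toward zero
 *   sar eax, 5      ; arithmetic shift = divide by 2^k                     */
int32_t div_pow2_signed(int32_t a, unsigned k)
{
    int32_t edx = (a < 0) ? -1 : 0;              /* cdq */
    edx &= (int32_t)((1u << k) - 1u);            /* and edx, 2^k - 1 */
    int32_t eax = a + edx;                       /* add eax, edx: edx != 0 only when a < 0, so no overflow */
    return sar32(eax, k);                        /* sar eax, k */
}

/* Without the bias SAR alone rounds toward minus infinity: -33 >> 5 = -2,
 * whereas C (and IDIV) give -33 / 32 = -1. This is the "wrong" version. */
int32_t div_pow2_floor(int32_t a, unsigned k)
{
    return sar32(a, k);
}

/* The three multiplications of the "*" listing, as the compiler rewrote them.
 * Unsigned arithmetic here so wrap-around matches the CPU instead of being UB. */
uint32_t mul16_shl(uint32_t a)      { return a << 4; }          /* shl eax, 4 */
uint32_t mul4_plus5_lea(uint32_t a) { return (a << 2) + 5u; }   /* lea edx, 5[ecx*4] */
uint32_t mul13_imul(uint32_t a)     { return a * 13u; }         /* imul eax, 0Dh */

/* Checks the biased-shift idiom against C division for every a in [lo, hi]
 * and k = 1..7; returns the number of mismatches (expected: 0). */
int count_div_mismatches(int32_t lo, int32_t hi)
{
    int bad = 0;
    for (int64_t a = lo; a <= hi; a++)
        for (unsigned k = 1; k <= 7; k++)
            if (div_pow2_signed((int32_t)a, k) != (int32_t)a / (int32_t)(1 << k))
                bad++;
    return bad;
}

int main(void)
{
    printf("-33/32: biased shift %d, plain shift %d, C %d\n",
           div_pow2_signed(-33, 5), div_pow2_floor(-33, 5), -33 / 32);
    printf("mismatches in [-5000, 5000]: %d\n", count_div_mismatches(-5000, 5000));
    printf("7*16=%u 7*4+5=%u 7*13=%u\n", mul16_shl(7), mul4_plus5_lea(7), mul13_imul(7));
    return 0;
}
```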

- - ++ ( 2 rA"%
a
!

8 3T - - ++ fC,U )

CB '! B R ,- . - fC,U V . /
) C/

=!) .

'! B . " - -

,6 a = a - b

A84 ^ ! R ,- . o b
++ l G

- fC,U .)
.

,6
.

C++ C

()

a=ab . A D / R
. /

-R .
=a+b

!) a = b

A 8 a=a-1

a=a+1

317

AB"

( 2 5 C) /7@12

2+@<) >
. 1)

. -

) 6
.

BG
.

!. /)< !

6 'c 3 -

- 1 T
. !) -

d- ) , U A. 4 )

23/
! 5

/ ob V

()

O . Q ( f !)

.%G

< 6 !/ V

.d ) T

.)! ) ) 6

- / . ()
ob
. *C

/! / [
N

A4 =

1
Ax

. /

! 8U d/ ) ; !) .

) 6 Rb .

."

*B . { 8

AK 4 " , -

8/

. [ / N 1 .d /
- T ) ; 8

. !)

. AF#c.
.

!
R

4* v

4 .

.(

!) < 6 .
!R

: / 6

. ,

/! / ) k ) ;

! A/! > . .

U 6! )! ) ) 6

/! /

. \!". N

A. 4 no

yes

ok

A 3 )! ) ) 6
V , .
!

1)
:

)<

T ! 8;

d /
Qx

- / ! / {& ,;

Q > A4 = / d / q # 1 .
(8

"[ -

-d ! f

O 7

Y = a) U

) ; 3 2

! . 1(!
.d

/ ' cU

.N

#/

)d- G(8
Q 6 !) /

a(

A 3

(f

! . . / )! )

.
. (

<

!d

.!/

!)

BEGIN
  WriteLn ('Hello, Sailor!');
END.

() ) p . )! aA D /

uT .

A D /Q

T C D /
.d /
(

.data:00404040 unk_404040      db  0Eh            ; length byte: 14 characters follow (Pascal short string)
.data:00404041                 db  48h            ; H
.data:00404042                 db  65h            ; e
.data:00404043                 db  6Ch            ; l
.data:00404044                 db  6Ch            ; l
.data:00404045                 db  6Fh            ; o
.data:00404046                 db  2Ch            ; ,
.data:00404047                 db  20h            ;
.data:00404048                 db  53h            ; S
.data:00404049                 db  61h            ; a
.data:0040404A                 db  69h            ; i
.data:0040404B                 db  6Ch            ; l
.data:0040404C                 db  6Fh            ; o
.data:0040404D                 db  72h            ; r
.data:0040404E                 db  21h            ; !
.data:0040404F                 db  0
.data:00404050 word_404050     dw  1332h

Rb !)

<Alt>+<I> C/ ) v /

. " [ [ uT

/ )! ) ) 6

. !)

C,U

T !) /

<Alt> + <I>

< 6

Y ;

.)

E 6!

%<

CU

!Q >

"Hello, Sailor!"

()

T 0x404040

. !

:AF#c.
.text:00401033                 push    404040h            ; address of the string (0x404040, its length byte)
.text:00401038                 push    [ebp+var_4]
.text:0040103B                 push    0
.text:0040103D                 call    FPC_WRITE_TEXT_SHORTSTR
.text:00401042                 push    [ebp+var_4]
.text:00401045                 call    FPC_WRITELN_END
.text:0040104A                 push    offset loc_40102A
.text:0040104F                 call    FPC_IOCHECK
.text:00401054                 call    FPC_DO_EXIT
.text:00401059                 leave
.text:0040105A                 retn
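To make the two layouts concrete, the following C, added here and not from the book, decodes the bytes IDA showed at .data:00404040 (re-typed below as a constant) both as the Pascal short string they are and as an ASCIIZ string, and shows the unterminated case a C-string reader has to handle; the function names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The dump at 0x404040 above: length byte 0Eh, 14 characters, a 0 byte,
 * then the word 1332h (re-typed from the listing). */
static const uint8_t data_404040[] = {
    0x0E, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x2C, 0x20,
    0x53, 0x61, 0x69, 0x6C, 0x6F, 0x72, 0x21, 0x00,
    0x32, 0x13
};

char decoded[64];   /* output buffer shared by the calls in main() */

/* Pascal short string: the first byte is the length (0..255), there is no
 * terminator. Copies at most cap-1 characters, NUL-terminates, returns the
 * number of characters copied. */
size_t decode_pascal_short(const uint8_t *p, size_t avail, char *out, size_t cap)
{
    if (avail == 0 || cap == 0)
        return 0;
    size_t len = p[0];
    if (len > avail - 1)                /* dump shorter than the length claims: clamp */
        len = avail - 1;
    if (len > cap - 1)
        len = cap - 1;
    memcpy(out, p + 1, len);
    out[len] = '\0';
    return len;
}

/* ASCIIZ (C) string: characters up to the first 0 byte. Returns the length,
 * or (size_t)-1 when no terminator exists within avail bytes, the case in
 * which strlen() on the raw data would run past the buffer. */
size_t decode_asciiz(const uint8_t *p, size_t avail, char *out, size_t cap)
{
    size_t len = 0;
    while (len < avail && p[len] != 0)
        len++;
    if (len == avail)
        return (size_t)-1;              /* unterminated */
    if (cap == 0)
        return len;
    size_t n = len < cap - 1 ? len : cap - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return len;
}

/* Heuristic for raw bytes: is p[0] a plausible length whose characters are
 * all printable ASCII? 1 if it looks like a Pascal short string, else 0. */
int looks_like_pascal_short(const uint8_t *p, size_t avail)
{
    size_t len = p[0];
    if (len == 0 || len + 1 > avail)
        return 0;
    for (size_t i = 1; i <= len; i++)
        if (p[i] < 0x20 || p[i] > 0x7E)
            return 0;
    return 1;
}

int main(void)
{
    decode_pascal_short(data_404040, sizeof data_404040, decoded, sizeof decoded);
    printf("Pascal: \"%s\"\n", decoded);
    /* Reading from offset 1 as ASCIIZ also works here, but only because the
     * compiler happened to place a 0 byte right after the string. */
    decode_asciiz(data_404040 + 1, sizeof data_404040 - 1, decoded, sizeof decoded);
    printf("ASCIIZ: \"%s\"\n", decoded);
    printf("looks like Pascal at +0: %d, at +1: %d\n",
           looks_like_pascal_short(data_404040, sizeof data_404040),
           looks_like_pascal_short(data_404040 + 1, sizeof data_404040 - 1));
    return 0;
}
```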

d- Rb () k

C.

. ,

#/

!
.

- -

!E

C ( 2+@<)
C

/! / .

.)

! .

!) Zero

# 1 ! 4 () *
(

)!

! ( /d G

. Z /

" ASCIIZ -

(
-A U d

( /5i4 R U .

-)

!) ;
%<

! V
.! > .

B G * : "\0"

319

AB"

aSegment Q > .

Dos !)
ASCII

6 .

) T
!Q >

! . )!
.. /

1!".
. , v

!)
! .

!) "

A ,k d

. ! )

! O

d G *B *- . !

. -

! oba /

) k

V .

. *B A
5i4 a
C

.p T A. 4 A84

. / A 8 double word . ! -

() 8

C=

,/ 3.1

! .QF

() *

/ ! / double word . /

. .

/! /

. uT

. 64k

8 ;

!.

!(

. ' Uc> ^ ) T

.. /
, G

ob R . . /

. ASCIIZ

P# (

-A U d

ASCIIZ

! V .d ) T

a D/ ' C,U

b # . /

,/ NT/9X

.f12

, - f

() ) l F G

( 2 5 C) /7@12

- C D /.

1)

1! 4

!/V

9 ( 2+@<)
.

!Q >

= /

^ ) T R
O# =
E

.
.

255 x/ = -

!) o b . !

) *B Q > .

! . .
1)

t i
-

C#

f) .

.R

f)

.(

.) / ! /
!Q >

! o b . j 4) ! > . /

^ ! V
!

4 .

) T ; 8> E

T !) .

Y ; Q

- W

! .

! . .

.
5
T

/ double word

. [ C#V
-

() *

a , G / ! / R) /

- f

C#V Q
.

! R

() ) % <
. 32

/! / Q

!Q >
.

( /%

!E V .
1

.
T(

1 ( 2+@<)
*)
.
Q > {8

! Q > x/ =

"

Q
)

; .

. )

() / v /
.

() *

! Q

# p "#

. ) .

! ! F 3 V
T

.E V

o. -

!(
-

C # Q > * ) !)

! .

! ' B FG V

o.

! V .(& . ^ ) T U

. 65535
*)

) k

)3

- Crack

. +/ 0 1. ( 2,

320

9 p @ V ( 2+@<)
V Q >

; .

# p "#

/
V
() *

" [ Rb
.

)!

'!

. ob

.4 .

3.{8

!Q >

x/ !) 8 . -)
d

V .

!) f
.

C # d<= -

V !)

{8

. f14

lFG - b #
!.

! E

p "# zU . -

9X

. . O# =
!E

!
NT

V .

G C#
.)

B 5 -b .
C 8/

5.

-:
() *

/! / V

() *

! V . -)

1 ! 4 () *

.)

! .)
)!

!(

. 1(!

. /
a

8/

) Q > !) f

^ ) T( 6 ,

! . /C

. / 5.

! / ASCIIZ

! !) *B V
%f-

T C

. .

)! G . Q

! ;4 E

- C D /

, G *B . { , =
T

. 1(!

R)

.Q

8/

!R U . ob .

G . !)
1)

,;

! %,
-

6 . C D / aC
.

5.

. /
. /

. !

321

AB"

( 2 5 C) /7@12

AP ( 2 ?@
1!b a /

. .

G # ! 5.

. !

V.

5. R T

/ Call !

) .)

3T 9 4 5. aQ / V # 1
3T & . . ESP) -)

(!
Ax

P# V

1(!

V y* V

7!)b

, RET !

6 . !Q

1!b

()
& . !) !

- W

# 5.

. /

31 . 7!)b

. .)

1 C6
!
Ck

)!

n !)

) 1 . p C84 !

V Gb Rb

( Gm !
P#

3T . G Rb J<

d . & . d !)
6 .

&.

- !) ! "#

. ( ! o .) . - G
P#

P# .( /

ESP 1(!

_T

)!

) '! B V
) . !

& . a 3T ) b

31 . 7!)b EBP (

V [ !) 1 .) 1 ! 4 () *

;. . / Q W
/

3T !) )

! 4 -R

1!b f )

Qx

;.

%,

uT . -)

!) -R

3T

a 6 A=

() ) ! 4

-7!)b !)) )! ) ! 4 EBP

- *4 ( /Q / +
() *

() ) ! 4 3T !) Ck

<

! 4 ESP . . ! Rb () / ( Gm ! EBP C84 !

-() ) .( V T

. !) ! 4 ) b

uT

>

! 3T

. ! ESP !
)! ) .

3T
.

. 5.
!

a5. . -) p , 5.
G # R !) ! 3T (9-7) A [ p . : 5[! 4 ESP . . ! Rb
/ ( Gm ! EBP C84 !
a() / . ! 3T 9 4
- W . ! O# =
. 0x14 l F G (9-7) A
! p . . -)
/ = ; .) 1 '! B ESP ' 8e R) . & . . A,U V . -) R 3 Ck
! )+
Ck
- W
. )! JO# = . V T 7!)b . -R
.
! ESP ' 8e !
5. a 6
;. .)
() ) l F G 3T P# push
( Q W O# = ! / V .
) 1
. p C84 !
. ! Rb () ) p "#
9 4 () / . . ! EBP !
uD
/ ) b ! Ck
- W +
.) . ! 3T

31 .
G

)3

. +/ 0 1. ( 2,

Ck

- Crack

- W

322

. 3T !) P# l F G %"

(9-7)A

AP ( 2 ?@
)V V.y # o .
f)R . ..
a) 6 V

-)7!)b . 3 '! B .
EBP & . Ck

. . ! ) * offset Ck

[EBP-XXX]

1!b

- W
- W

[EBP+XXX] Q x

3T

-R

1!b

- EBP V T -R
) EBP .
..

)*

Ck

- W

1!b /

8x offset o

- " , A. 4 1)
.

Ck

1!b

. )V
W

323

AB"

)
.

# 1
3T 9 4 /
Ck

- W

-R
%<

G .
f-.

! F= R U .

(!

- Rb f ) Y > !) Ck

-)7!)b ) 3 % <
"

D/ V

- C D / R 1 -) ;

R = > .)

- C D / Q= - . . !

% < ESP j >

! -R

1!b

- W

- W

5.

A 3

-! / R) / ( T .
*

-)7!)b (10-7)A

-! /

= !)
-R

1!b

( T -R

-)7!)b / ! ) ! V

. ! 0f. ) b

Ck

Y >

8e

D/ EBP !) ESP !

1 .)

o. /

Ck

3T 9 4 . /
- W

! /

( 2 5 C) /7@12

1!b

4cU -)

. ! EBP ' 8e () )

)3

- Crack

. +/ 0 1. ( 2,

324

(E
.)! ) ) 6

Ck

. a P#

) b

!) ADD ESP, XXX

.) 1 ! 4 o
1(!

- W

' 8e p "# . R

o6

5.
Ck

6 Q > !)
- W '! B V

) 1

! 4 () *

- do8 { 8

"

) b POP !

. )

)!

^ ! V .d " !

O# =

) b

V , aADD ESP, XXX !


D/ EBP !) ESP !

9 $ d3#
-^ !

SUB ESP ,XXX Q x

. !)

;. .

8. ! MOV ESP, EBP ! G

lFG ! O

-d ! f
(ESP) 3T

)+

. 3T 9 4 /

4
W EBP

) . O# = Gb !) . / ,
() *

c. ' 8e
.

!)

) .

. d/ Ck

- W ) ; /

Table 8.14: Allocating and Clearing Memory for Local Variables

Action               Implementation variants
Allocating memory    SUB ESP, xxx
                     ADD ESP, -xxx
                     PUSH reg
Releasing memory     ADD ESP, xxx
                     SUB ESP, -xxx
                     POP reg
                     MOV ESP, EBP


AP ( 2 ?@ ( / +g _ (E

ADD

SUB ' !

() *

O# = l F G 1 .
! G
.

. POP !

V , 5.

. O# = l F G
P# . ' U 6!

. O# = l F G
hS

< 6 Ck

@G (1-7)

.(

() .! / . %"

A. 4 a % o. R . O# = l F G / -)

" , A. 4 n
.

E* x

() *

) b

3T !) -' 8e

)A
- W

V ,.(

Push !

( Gm

()

-' 8e l F G
() ) l F G
.

() *

O# = l F G
.

R3

)A

.) ; V#

* EBP ' 8e

;4

.
&.

325

AB"

+g _ x

( 2 5 C) /7@12

@G 3 .

>

<

push ebp
push ebp
push ecx
push ecx
xxx
xxx
mov [ebp-4], 0x666
xxx
xxx
xxx
pop ecx
pop ecx
pop ebp
pop ebp
ret
ret

! G

! Q x !)

) 5.

Push !

. !) /

)+

<b

() *

U 6! - [

V ,

P#

. 4 !) ECX ' 8e

Ck

Q x !)

MOV [EBP - 4], OX666


.

) 6 ADD ESP , XXX

- W offset V

. !) Ck

# ;

. . l F G Rb .

. ) ; . . . offset V

- W

!) ! 0X666 !

( Gm EBP & .

g 3 5.

lFG

Ck

P# l F G )!

.)
.)) 1

) 6

D/ Var_4 Ck

1 . /

)!

)) 6

Ck

SUB ESP , XXX


# 1 '! B ECX

&.+

a # l F G O# = !

1!". [EBP-XXX] '! 8U C/ R !) f ) R . .


- W

8 .

Ck

- W

.(

() )
. ) f

AP ( 2 ?@ +
Mov !

() *

.!

Push !

() *

. 3T !) !

{& ,; - C8,

-)

l F G )! ) ) 6
d

% < Mov !

Ck

- W

() *

. ! -)!

2+> )*
[ /

-u

. ! ) ! 4 ESP 1(!
[EBP - 0x4] > )

1
.

! 4 d8

-)7!)b *

3T

() *

x/ !)
. ,4cU

2 ) 5) +/ +g _ x
v

. O# = !) - !b

! ) offset !)
offset +

. (! )

- C D / )!

- Push !

!b

-)!

Mov [EBP_04], OX666

R) / )!
)

2 ) I

Ck

)! 4
- W

@G
-)! /!

[ / 7!)b !)
/m / ! >R ,.[EBP - 0x10]

)3

- Crack

. +/ 0 1. ( 2,

+8 @.
Qx

!/ - ,>
. . -)

@;VE / ) I F G0 ( /

1!b R U . ! ' ! 8U

! a+b '! 8U !

5.

. C D / myfunc 5.
)

326

' ! 8U J8 k

( Gm

() *

( 2 ?@
8>
- B P $ ) B%

( 6 & . hi

f[ - C D / / -)

< A 3 . / 8 k
R3 (

. /
mov

disassemble /

( Gm ! 5.

31 .

eax, [ebp+var_C]

D/ Rb !) Var_c Ck

.)
push

5.

x/

myfunc(a+b, myfunc_2(c))

G #

. </ !) 5,6 V AB = /

AB = !

-R .

W !

) < tEAX

3T !) tEAX

.)

# myfunc

eax

1!b R U . Var_c Ck

.R

call
add

( Gm

()

myfunc
esp, 4

O !)

! EAX .)) 1

. EAX ' 8e AG ) . myfunc 5. !


. # 1

push

eax

.)
mov

O !)
W

# myfunc_2 5.

()

.R

1!b R U . myfunc 5. +

ecx, [ebp+var_4]

4
.

R U . R ,- ECX .)

()

() *

EAX ' 8e

D/ ECX !) Var_4 Ck

C D / [ /

V
.

add

ecx, [ebp+var_8]

ECX:=Var_4+Var_8
push

31 . !

ecx

!
)!

W !

- .)
f ) C84

# 1
4

327

AB"
.)

call

()

# myfunc_2 5.

. Ck

) 5,6 AB =

_myfunc_2

@]
+G [ . ) k o b ` = )!
/ R

( 2 5 C) /7@12

% o*
.

zU . {& ,;

Ck

x/ !)
- W

tmp = a + b; myfunc(tmp)

mov  eax, [ebp+var_4]      ; ^ tEAX := var_4
add  eax, [ebp+var_8]      ; ^ tEAX += var_8
push eax
call MyFunc                ; MyFunc (var_4 + var_8)

( 2 ?@ pE _

hS

. /
.
Qx

)3

- Crack

. +/ 0 1. ( 2,

328

(
.

f)"[ - G

= ! & . hi

/ Mov EAX , [401066] Q x


V ,-

Ck

- W

-R . !)

C 3 !
.

. !/

! 4 () *
.) )

j >
5.

n '! B . )

- W
()

Q=.

# ob .
.

/
- W
-)

. [ /)

- W
. /

R3 (
.)! b

. Ok
-)!

-R

1!b

( 2 ?@ 7 I@
# 5.

*1 v i .d

*. 5.

. E 6! .

- W

. ! ob
1!b R U . !

. ' U 6! % , R

-)7!)b 1(!
R [

()

vCi V . / -)7!)b

/ d ! ) xchg %

)*

5.
!)

.R

6 ,-!)

s 2

. xchg 5. .d / ; d- . !
. -)

!) Rb !

) G ! T 5. +

() / () *

- W

6 R ,- <
) . !

- W

t i Q V Q = .)

Uc> {c84 5.

V "f 6 d- . ! ) G

() *

W ! ob!

b R . !

) Rb (! .!)

()

<

W 7!)b 0x401066

! .

)!

! i.

>
- W

-)7!)b d

) .! / Y - G

- W

( 2 ?@

;.
W

/ q #
)d- G

% / /

) ,

)! )

b '! B . !
, ()

< 6

. /

b R)

#include <stdio.h>
int a; int b;

/* Intended to swap the values a and b point to. Note the body as written:
 * *b is assigned twice and *a is never written; the disassembly below
 * reproduces exactly this sequence, so it can be matched line by line. */
void xchg (int *a, int *b)
{
    int c; c=*a; *b=*a; *b=c;
}

6 . 6 ! -R

1!b )

/ ;.

329
5.

AB"
-R

1!b 1 .

-)7!)b 1(!
.

() *

( 2 5 C) /7@12

.d

-)7!)b d

n '! B . -R

n '! B .

1!b
- W

int main (void)
{
    a=0x666; b=0x777;
    xchg (&a, &b);
    return 0;
}

.C++ Q }

C D /

Disassembly of the example (C++ compiler output):

main            proc near               ; CODE XREF: start+AF↑p
                push    ebp
                mov     ebp, esp
                mov     dword_405428, 666h   ; a = 0x666 (global a lives at 0x405428)
                mov     dword_40542C, 777h   ; b = 0x777 (global b lives at 0x40542C)
                push    offset dword_40542C  ; push &b: arguments are pushed right to left
                push    offset dword_405428  ; push &a
                call    xchg
                add     esp, 8               ; the caller removes the two arguments
                pop     ebp
                retn
main            endp

xchg            proc near               ; CODE XREF: main+21↑p
var_4           = dword ptr -4
arg_0           = dword ptr  8
arg_4           = dword ptr  0Ch
                push    ebp
                mov     ebp, esp
                push    ecx                  ; reserve 4 bytes for var_4 (the local c)
                mov     eax, [ebp+arg_0]     ; EAX = a (the pointer)
                mov     ecx, [eax]           ; ECX = *a
                mov     [ebp+var_4], ecx     ; c = *a
                mov     edx, [ebp+arg_4]     ; EDX = b (the pointer)
                mov     eax, [ebp+arg_0]     ; EAX = a
                mov     ecx, [eax]           ; ECX = *a
                mov     [edx], ecx           ; *b = *a
                mov     edx, [ebp+arg_4]     ; EDX = b
                mov     eax, [ebp+var_4]     ; EAX = c
                mov     [edx], eax           ; *b = c
                mov     esp, ebp
                pop     ebp
                retn
xchg            endp

dword_405428    dd 0                    ; DATA XREF: main+3↑w main+1C↑o
dword_40542C    dd 0                    ; DATA XREF: main+D↑w main+17↑o

.)

( 2 5 C) /7@12

T !
. W)

. O)

- Main+17]O

; V

W
E 6!

. Main+3]W

-)!

Main+1C]O aE 6! ) V

. Offset .(

n -)7!)b

) . ' U 6! % , IDA

- W

. d- E 6! . R)

) .(V

offset R)! b
(

()

# E 6!

@ > ( 2 ?@
o b . !)

) k ` = /' * V .
- W .

-)7!)b d

) A. 4

'! B . ) -

- W

,-

- W

() / # ; ! o b / ;. AG )
! 4 () ) p . !) ) - .

+#

- d-

.(E 6! . -)7!)b R

,-

!) "6)

)3

- Crack

. +/ 0 1. ( 2,

332

)
Ax o

TE

J,- . ! ) v U . E 6! /

G!) R ) . . ! ) C6

- ! G

/ =

. C= -2

! obR

. !) ]

o & . hi

if-then-else

Q ( f !) / d .

. - C= -1 :)! ) ) 6

<

-R . !) - C=

'! B . / switch

- >

.) /
-3 o !) ]

- ( 2 +IA_ >

!) o b

- C= E

CB E

.+

!) ]

. - C=

(11-7)A

1 Q

= !) . C=

6 '! B V
%<

C=

% G +
ado ' !
!

) X x

-2

n !) )

%<

.^ T

. +Cn

7 ;
). /

) ]

C=

) +
!/

C=

C=

-1 :

-E

)"

!)

.^ T
6 ]

. .

8 3T ! o b
. /

C= % G ]

1 % )
C=

C=

)
.) 0T

-]

C= % G ]
)

n !)

# / uT .

. +# C R.
! C= % G ]

-]

= !) . .

6 '! B V

+# C D / - /

C=

)
.

!) for

C=
C=

while

repeat-until

333

AB"

( 2 5 C) /7@12

@/ ) W < / 2+IA_
while (expression)

)+

J C= Q x

. !) ]
..

. - C= Q

C R . !)

expression /

C= J ) ]

while (a < 10)
    a++;

C D / /
[ ,
(

V , '4

!) % G ]

.% G ]

-1
.

. /

C=

. C= /

P;. . / ) < ! [ , E

.)! ) ! 4
/

- C= . !

!) a < 10 ]

/ !) . / A 8
.

. ! ) o !) ]

C= % G ]
! , !)

) ]

while:
    cmp a, 10
    jae end
    inc a
    jmp while
end:

while:
    cmp a, 10
    jb continue
    jmp end
continue:
    inc a
    jmp while
end:

While !

) +

A. 4 d

1V R

C=

. !) ]

)! ) ! 4

- C= A 8

! > .
8

/)

( ))

/!
"

% G ]

- % G ]

) ]

. C=

o. - C D / J,- uT .

)
while:

. !

- C D /
. C= :Q x

!) /
!

.(8

- C=

V .

while (a >= 0)
    a++;

.
.

1!". a

[ /7 ; Qx
. /

.:

( -3 !7 ;

6 (1- >
-

1V .7 ;
- fC,U A /

V [ . C=
- fC,U
(8-5)Q 6 !)

)3

. +/ 0 1. ( 2,

- Crack
I

334

Table (2-7): Loop conditions and their inverses

Condition   Inverse
==          !=
!=          ==
>           <=
<           >=
<=          >
>=          <

@. ) W < / 2+IA_
() T do-while !

R . !) .
1)

. o !) ]

)+

. - C= C R . !)

!) ]

repeat-until

. - C= .) 1

)+

A 8 V

!/V Q

/ . C 3 -R .
J C= :Q x

do
    a++;
while (a < 10);
:)

A 8

/ . o !) ]

R3

. !) ]

. C= /

C++ Q }

V,i

. C=

A D / /

repeat:
    inc a
    cmp a, 10
    jl repeat
end:
!) ]

. - C= / -)

!) ]

. - C= A 8

o !) ]

C D / /

. !) ]

. - C=
6 !.

o !) ]

. C= /

- C D /.

6 ' * . ! ) ! o !) ]

{ , = )! ) ! 4 o

!) o b ]

!)
5

. - C= .
/

- C= /

o
.

335
- G

! . !]

)
.

- !) )

(a < b)
6 !8

C= o

( 2 5 C) /7@12

%< !.

C= /

. !) ]

!) ]

A84 Q x

!) ]

- 1^ ) T !) /

. - C= /

! . !) .) /

! .

CU do while(a < (b-1)) d /

V !/V

CU V

V,i

C= . Rb A 8 !)

do while((a+1) < b) d / # S a . =

.) v U . ^ T %
o

/ Ck

. a= =b /

C=

!) A 3 V 5#!
d/ a

AB"

o. (

[ /

-7!)b

,/

r<) "< / 2+IA_


. !) ]

. - C=

,- o b ( U 4

. , - C=

f !,

- C=

,- for (a = 0 ; a < 10 ; a++) J C= Q x

..

a = 0;
while (a < 10)
{
    .
    .
    .
    a++;
}

%<

! . !

o. /
C= % G ]

- C D /.

8 R

/ !

) . !Q

V , ob(
/a f !,

A D / /
-)!

;. -)
.

f !,

. C= Q x

    mov a, xxx               ; initialize the loop variable
    jmp conditional          ; test the condition before the first pass
repeat:
    ...                      ; loop body
    add a, xxx [sub a, xxx]  ; modify the loop variable
conditional:
    cmp a, xxx               ; test the loop condition
    jxx repeat               ; jump back while it holds

#!p T

V,i

1 . G

- C D / .)
%< !.

%<

C=

. A4 =

. /

. .^ T

C= V

A 8 o !) ]

!)

b / ! ) C

C= ]

V g 3 !) ;

. ! for J C= ) ) ! " [ V [

. C=

f ! , A 8 :Q x
    mov a, xxx               ; initialize the loop variable
repeat:
    ...                      ; loop body
    add a, xxx [sub a, xxx]  ; modify the loop variable
    cmp a, xxx               ; test the loop condition at the end of the pass
    jxx repeat

# 3T

- C D / x/ .)

C D / /)
. !)

)
A 8

-) , p- / !

%<
() *

%<

!/V . /
- C=

+ # DEC !

A 8

C= % < ' ;#) ) ; Q

3- / . 3 "#
C,U !

C=

3- /
/

C= ]

- C= . ! 3 "#

.+#

C=

= V [ !) )

, Rb

!)

/!

!T

1
- C=
V,i

f ) () *

C=

. 3- /

- C=

337

AB"

CMP !

! (Zero Flag) *B d[ T

= V !) . /

( 2 5 C) /7@12
!

*B . /

f-

C.

.) . - G ! S n A,XXX
. 3- / . 3 "#

C=

A 8 :Q x

    mov a, xxx               ; initialize the loop variable
repeat:
    ...                      ; loop body
    dec a                    ; count down; DEC sets the zero flag when a reaches 0
    jnz repeat               ; no CMP needed: the flags come from DEC

.
]

.
U

- C=

. !) ]

o . /

A 3 !

^ ! - '& =
j >
]

! Rb /
. C= p ,

. !) .

.
-

()
(repeat-until)

- C=

while (a != 0)

for

- C= .

. ! for

- C= C D / ' , O
CK

V [.

A. 4 { ,i )! ) ! 4 o
C= ji
while-do

1 .)!

d-

!) o b ]

A 8 o

!)

) 6 for G

'! F
.d /

4V

- C=
. BG

n!) d -) p , for C=
() *

o !)

. !)

)3

- Crack

. +/ 0 1. ( 2,

338

@ 5 ( 2) @G

>

<

IF-THEN-ELSE $ ) @
-d ! f !) ' C,U

6 v

.a = b + c Q x

:Q x

..

. >
..

. ,

) !

>
.

.)! ) ) 6 d ! f E
) !

-() ) .

) C/! > .

-() ) .
>

.e >

-d ! f !) ' C,U

if C is not zero then a = b / c, else send an error

-R .

vC4 -9 ;3

!) o b

() T ' K"6 .
.

(Branch) 9 ;3

(
.

do !

else, then, if

. o b h kB

'! B . o b C/ ! G

C/ ' ,C/

d ) T ,

. 2C

-R .

IF (condition) THEN {statement1; statementN;} ELSE {statement11; statement1M;}

'! B V

) . +Cn ]

.!/V . /A 8 V
1

,/ ) ; 80x86 ()
! 8

'!

'!

6 Satement N
G

-(

) / )! ) ) 6 (

) . ! '!
Satement 1 ) .
) ;

/
:V

Test

ECX , ECX / JNZ

XXX / MOV

C D / J* :

!) if ]

6 Statement1M

) T" ! .)
) T )

) /

1 /

Statement11

8 3T ! >
6 .Qx

a' !
/

ECX , ECX / If Z

MOV

. -)

! Mov EAX , 0x666 !

^ T

. Goto "6 " [ / ) /

)
3T

EAX , 0x666

:
Test

EAX , 0x666

6 ( 6 a
BASIC R .

. /

. *B Z d[ T /

( -3 !E S

IF A=B THEN PRINT "A=B"

10 IF A=B THEN GOTO 30
20 GOTO 40
30 PRINT "A=B"
40 ... // The rest of code

! 80x86

.R
V

!
-(

)V
) T"!

Q x !) . # 0T , !

339
.

AB"
/

7 ; !]

! G

a -)

% < d- /

( 2 5 C) /7@12

o. /

ob

= - C D / x/
!

)Qx R U

A 8

/ 8

If (Conditions) then {Statements}

)
.if-then 9 ;3

)<

/ 8

IF (NOT condition) THEN continue


statement1;
...
statementN;
continue:
...

'!

) _ C.

7 ;
.)

. ]

( 8 [ then

CB

C/ J,C/ . {Statement1 : StatementN}


: / 6
.

Qx

CB /

.
.

10 IF A<>B THEN 30
20 PRINT "A=B"
30 ...// The rest of the code

'!

= CB /

= V !)

If A=B then Print A+B

. /

)< !

/ () / 7 ; ! ]

C D /

10 IF A=B THEN 30
20 PRINT "A<>B"
30 ...// The rest of the code

:'! 8U A 8 ( k
If (Condition) then {Statement1 ; StatementN;} Else {Statement11 ; Statement1M;}

)3

. +/ 0 1. ( 2,

- Crack

340

. /

A,U '! B V

. - C D / P;. . G ) T d - G

IF (condition) THEN do_it
statement11;
...
statement1N;
GOTO continue
do_it:
statement1;
...
statementM;
continue:

. /

A 8 '! B V

. f ) P;.

IF (NOT condition) THEN else
statement1;
...
statementM;
GOTO continue
else:
statement11;
...
statement1M;
continue:

R . V . . .) ) , % < !
C 3
/ !

! / V [ C84

.) . - G V ,

4cU 1 Q x

..

7 ; !]

. CB / . .

) C D / ) C,U V

1 1

-^ ! . ! -]

R [ / , )<

: / () *
If (C <> 0) THEN a = b / c
ELSE PRINT ERROR

:'! 8U

'! 8U

341

AB"

If (C == 0) THEN PRINT ERROR
ELSE a = b / c

/ () *

2W < b .
if(a= =b) ()
8/

-.

, .

. 8/

( T

if ((a == b) && (a != 0))

()
:

[ /a

True V . !
!)
!

!) '! 8U

"#p , . ) 1

[ /a

: / 6

. False V . !
y # 2C

Qx V

..

-]

-]

V [ . A 8 A. 4 ( T

-E

()

+Cn '! 8U

) 1

() T .

.V .

-]

-]

-1

>

-2

!) '! 8U )

if ((a > b) == 1)

() T .

8/

1!". a 1!".

() ) p , *B n )

V ,

()

XOR , NOT , OR , AND :

. +Cn '! 8U Q ,; ! i. . /
.)

.
)

() ) p , *B

if ((a > b) != 0)

!)

!)

() T . 6

if ((666 == 777) == 0) printf("Test!");

'! 8U /

o . b - G !) p , . k*B

777!=666

*B . . 777

If ((a=b)= =0) V

J<

666

! ."[ [Qx V

-.

- G () ) p , Test!

false . . (666=777) ]

*B

.
!

uT

.) ) - G

-]

-]

8/
. >

- G
V

( T]
'!

! . *B . o b
() *

. )

() *

.A D /R
'! 8U ;. JC=

- G () ) 8
.

!) C D / .)
!)

A 8

()

-]

)<
.

8/
()
.

a .b!

f)
< !)

v/

( T
-]

. !

i
-]
.

- G V "f 6 Goto

)3

- Crack

. +/ 0 1. ( 2,

342
:()

. 8/ ]

A 8

IF a!=b THEN continue
IF a==0 THEN continue
... // The code of the condition
continue:
... // The rest of code

) . - G Rb ) G
! .

=cB .

! . [

/ -)

AND .

!( 6 V

C D / ) G ( oU . ()

V .

-]

! .

. 8/
/

-]

V
8

A 8

f f[

,P E S

!) ]
:d

V
.

1
'! B .

if ((filename) && (f = fopen(&filename[0], rw)))

fopen !

) / (!

Qx

( 3 () ) l F G

. .d ) T

( T ' ! 8U A Ck

P# . Filename 1(!

= V !)

()

-]

'c 3

B
.Q=
: /

if ((a == b) && (a != 0))

. -)

! [ )

A D / /V

4 d 8. Q =

if ((a == b) && (a != 0))


IF a!=b THEN continue
IF a==0 THEN continue
...
...
...
continue:
...

d- Rb

Yc G

! .+#!
1 ." !
S 4 d4!

)V . / ,

d[ T a
/)

; 8> ) U
!

. Sub !

) ! -

Sub YcG . CMP !

C,U !

cU d[ T a C d[ T a *B d[ T .)! 01
C d[ T .)

) V :CMP ) @

) Q) ; !
e

CB 1^ ) T

a Zero flag )

)
-d[ T

*B p- / J<

343

AB"

() ) ! 4 AB =

.V

^ ! . . .

cU d[ T .)

# 1

( 2 5 C) /7@12

y *

.V

^ ! .
.)

) 6

.)

- .) ;

() *

>

3 . ' 8 k J<

-^ T

/)

-d[ T

! .

"!
..

Table (3-7): Conditional jumps and the flags they test after CMP a, b

Condition   Operands   Flags after CMP a, b          Instruction
a < b       unsigned   CF == 1                       JC, JB, JNAE
            signed     SF != OF                      JL, JNGE
a > b       unsigned   CF == 0 && ZF == 0            JA, JNBE
            signed     ZF == 0 && SF == OF           JG, JNLE
a >= b      unsigned   CF == 0                       JAE, JNB, JNC
            signed     SF == OF                      JGE, JNL
a <= b      unsigned   (ZF == 1) || (CF == 1)        JBE, JNA
            signed     (ZF == 1) || (SF != OF)       JLE, JNG
a == b      either     ZF == 1                       JZ, JE
a != b      either     ZF == 0                       JNZ, JNE

Table (4-7): FPU status word bits and the CPU flags they land in after FSTSW AX / SAHF

Bit           15     14       13    12    11    10       9     8
FPU           Busy   C3(ZF)   TOP   TOP   TOP   C2(PF)   C1    C0(CF)
CPU (SAHF)    SF     ZF       -     AF    -     PF       -     CF

The generic form IF (condition) THEN do_it compiles to:

cmp a, b
jxx do_it
continue:

)3

- Crack

. +/ 0 1. ( 2,
(Move

Lea

) !

344
e

) T

.
R) / Set ! O
a]

)A

). /

-^ T

o. ! O
! / p- /

T *B !
.

-(

1^ ) T pipeline C

-^ T CMP !

-]
o.

-A,; !

)
)V.

) T : Set ' < ( 2 " ) @

. ! Rb '! B V

() *

! . /

f. ! 4 >

) V .(Set XX)

E 4 '! B !) -A,; !

Set XX !
d

-A,; !

-d[ T

E 4 % f -!)

n !)
/

() /

!) G

- C D / !)

zU . -^ T

.)

() *

()

C,U

1! > .
-9 ;3
. ) 1

Table 22 (5-7): The Boolean Set-On-Condition Instructions

Instruction            Relationship   Operands   Condition
SETA, SETNBE           a > b          unsigned   CF == 0 && ZF == 0
SETG, SETNLE           a > b          signed     ZF == 0 && SF == OF
SETAE, SETNC, SETNB    a >= b         unsigned   CF == 0
SETGE, SETNL           a >= b         signed     SF == OF
SETB, SETC, SETNAE     a < b          unsigned   CF == 1
SETL, SETNGE           a < b          signed     SF != OF
SETBE, SETNA           a <= b         unsigned   CF == 1 || ZF == 1
SETLE, SETNG           a <= b         signed     ZF == 1 || SF != OF
SETZ, SETE             a == b         either     ZF == 1
SETNE, SETNZ           a != b         either     ZF == 0

345

AB"

( 2 5 C) /7@12
' <$) @

JCXZ, JECXZ, JO, JNO, JP, JNP, JS, JNS

o
/

o. /

- C D / . !) d

J[E]CXZ Rb

>

CMP [E]CX, 0 / JZ do_it

^ T!

' C,U . JECXZ

]8!

() *

\!". ) U ^ ) T

.!

! > . JNZ

. S !

JS >

) 3-

JCXZ + #

{& ,;

-)

. / !) JNS JO >

-^ ) T

.(

%<

V "f 6 do-it

. /
.)

r>

-^ T

. 1024 ; 8> ) U Q x

.)

() *

.V

.)

^ ! .!

Table 23 (6-7): The Auxiliary Conditional Jumps

Instruction   Jump if                                                        Flags
JCXZ          the CX register equals zero.                                   CX == 0
JECXZ         the ECX register equals zero.                                  ECX == 0
JO            there is an overflow.                                          OF == 1
JNO           there is no overflow.                                          OF == 0
JP/JPE        parity of the least significant byte of the result is even.   PF == 1
JNP/JPO       parity of the least significant byte of the result is odd.    PF == 0
JS            the sign bit is set.                                           SF == 1
JNS           the sign bit is cleared.                                       SF == 0

' < > # +/ # $ ) @


. /
-A,; !

8 3T ! CMOVXX >
)V .

6 . 6 '!

. 58

! !

a]

) II %

R) .
. /

. ! ! / V [

.d ) ) % <

d /
>

if (a < b) then a = b


6 . 6

() *

! , !)

- 1^ ) T

!) '! B !) !
1 C6 # S
)

)V

-^ T

! . ! C
>

^ T

() *

)3

- Crack

. +/ 0 1. ( 2,

cmp   a, b
jae   continue
mov   a, b
continue:

cmp   a, b
cmovb a, b

J
if (a) then Q x

..

. . . True

*B n !

Zero

Test A , A Ax
. A!=0 1

) . ! CMPA , 0 !

/ '!
Zero flag

. . .

i False

,6 if (a!=0) then do-it '! 8U . do-it

.)
Or A , A

*B !

/ ( 2+ > I

. A= =0 1 -

TEST EAX, EAX / JZ do_it

) - C D / x/ {& ,;
= J,- !). /

/) 6 V
.

*B aflag

..)

V .

V "f 6

` -)R 3 (

((Condition)? Do-it: Continue) ) @G


.

(condition)

V A D / AB =
.

if-then-else

8 .

Do-it:continue

! 8U

R.

!)

A 8 if (condition) THEN a = do-it else a = continue


0TY i;

o. !)" ? " fC,U .

3 ,- ' !
: / 6

' < ( 2 rA"% >

Qx

)
.
<

int main()
{
    int a;
    int b;
    a = (a > 0) ? 1 : -1;       /* conditional expression */
    if (b > 0)                  /* the same choice written as if-then-else */
        b = 1;
    else
        b = -1;
    return a + b;
}

Disassembly of the example (C++ compiler output):

main            proc near               ; CODE XREF: start+AF↑p
                push    ebp
                mov     ebp, esp            ; open the stack frame
                sub     esp, 8              ; room for var_a and var_b
                xor     eax, eax            ; EAX = 0
                cmp     [ebp+var_a], 0      ; compare var_a with 0
                setle   al                  ; AL = 1 if var_a <= 0, else 0
                add     eax, 0FFFFFFFFh     ; EAX = 0 if var_a <= 0, else -1
                and     eax, 2              ; EAX = 0 if var_a <= 0, else 2
                dec     eax                 ; EAX = -1 if var_a <= 0, else 1
                mov     [ebp+var_a], eax    ; var_a = (var_a > 0) ? 1 : -1, computed without a jump
                cmp     [ebp+var_b], 0      ; compare var_b with 0
                jle     short else          ; var_b <= 0: take the else branch
                mov     [ebp+var_b], 1      ; then: var_b = 1
                jmp     short continue      ; skip the else branch
else:                                       ; CODE XREF: _main+1D↑j
                mov     [ebp+var_b], 0FFFFFFFFh ; else: var_b = -1
continue:
                mov     eax, [ebp+var_a]    ; EAX = var_a
                add     eax, [ebp+var_b]    ; EAX += var_b: the return value
                mov     esp, ebp            ; close the stack frame
                pop     ebp
                retn
main            endp
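The SETLE/ADD/AND/DEC run above is hard to read back into (a > 0) ? 1 : -1 without tracking the flags. The following C, added here and not from the book, computes the flags CMP produces, evaluates the signed and unsigned conditions from the tables above, and replays the branchless and the branching halves of the listing; the names are mine.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { int zf, sf, cf, of; } flags_t;

/* CMP a, b computes a - b, discards the result and keeps the flags. */
flags_t cmp_flags(int32_t a, int32_t b)
{
    uint32_t ua = (uint32_t)a, ub = (uint32_t)b;
    uint32_t r = ua - ub;                           /* wraps like the CPU */
    flags_t f;
    f.zf = (r == 0);                                /* result is zero */
    f.sf = (int)(r >> 31);                          /* sign bit of the result */
    f.cf = (ua < ub);                               /* borrow: unsigned a < b */
    f.of = (int)(((ua ^ ub) & (ua ^ r)) >> 31);     /* signed overflow of a - b */
    return f;
}

/* Conditions exactly as the tables above give them. */
int cc_l(flags_t f)  { return f.sf != f.of; }            /* JL  / SETL  : signed a < b   */
int cc_le(flags_t f) { return f.zf || f.sf != f.of; }    /* JLE / SETLE : signed a <= b  */
int cc_b(flags_t f)  { return f.cf; }                    /* JB  / SETB  : unsigned a < b */

/* a = (a > 0) ? 1 : -1, instruction by instruction as compiled:
 *   xor eax, eax          ; EAX = 0
 *   cmp [ebp+var_a], 0
 *   setle al              ; AL = (a <= 0) ? 1 : 0
 *   add eax, 0FFFFFFFFh   ; EAX = (a <= 0) ? 0 : -1
 *   and eax, 2            ; EAX = (a <= 0) ? 0 : 2
 *   dec eax               ; EAX = (a <= 0) ? -1 : 1                 */
int32_t sign_branchless(int32_t a)
{
    uint32_t eax = 0;                                   /* xor eax, eax */
    flags_t f = cmp_flags(a, 0);                        /* cmp [ebp+var_a], 0 */
    eax = (eax & 0xFFFFFF00u) | (uint32_t)cc_le(f);     /* setle al: writes only the low byte */
    eax += 0xFFFFFFFFu;                                 /* add eax, -1 (wraps) */
    eax &= 2u;                                          /* and eax, 2 */
    eax -= 1u;                                          /* dec eax */
    return (int32_t)eax;
}

/* b = (b > 0) ? 1 : -1 as the if-then-else half of the listing:
 * cmp / jle / mov / jmp / mov. Same result, two paths through the code. */
int32_t sign_branching(int32_t b)
{
    if (b > 0)
        return 1;
    return -1;
}

/* The function's return value: a + b after both assignments. */
int32_t main_as_compiled(int32_t a, int32_t b)
{
    return sign_branchless(a) + sign_branching(b);
}

int main(void)
{
    for (int32_t v = -2; v <= 2; v++)
        printf("%2d -> branchless %2d, branching %2d\n",
               v, sign_branchless(v), sign_branching(v));
    /* Same CMP, different answers depending on which flags you read. */
    flags_t f = cmp_flags(INT32_MIN, 1);
    printf("cmp INT32_MIN, 1: signed below=%d unsigned below=%d (OF=%d)\n",
           cc_l(f), cc_b(f), f.of);
    return 0;
}
```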

Switch-case-break $ ) @
!

)" Q
C/ ! G

# ; C R . !) Switch !

T R . !) .

. .)! ) C !) Switch

1)
:

3 . Y i;

) Q) ; Switch !

'!

G p "#

() T case

) .) ) R 3 ! Switch !

IF (a == x1) THEN statement1 ELSE
    IF (a == x2) THEN statement2 ELSE
        IF (a == x3) THEN statement3 ELSE
            IF (a == x4) THEN statement4 ELSE

: /

( - 3 (5-5) A

Switch ) @

! G

() / < 6

AF#c.

() *

Qx

.. /

A5 +"# - (12-7)

& >

C.

+ # Switch !

. - W

!) ! p . V

,6 V T . & .

<

<

!) d

) !) .d / g 3
! Switch !

G!) V G

C D /

() *

R .

! Switch !

) - C D / .)
. / 6

: C++ Q }

G!) p ,

. Switch !

)(

)
! .

C++ Q }
disassemble /

)3

- Crack

. +/ 0 1. ( 2,

350

main proc near ; CODE XREF: start+AFTp
var_tmp = dword ptr -8
var_a = dword ptr -4
push ebp
mov ebp, esp

.)
sub

esp, 8

.)
mov

() ) l F G

!)

AG

W V !

1 C6

..

. /

. P#

! 01! . EAX !) Var_a W !

W Switch !

)< !) GlG 4

) -

e !
.d /

cmp

- W

[ebp+var_tmp], eax

V , o R

Ck

eax, [ebp+var_a]

.)
mov

. 3T 9 4

) V ) C,U f f[ !)

Var_a R U . Var_tmp W

() *

[ebp+var_tmp], 2

, G 0x666 . (

*B . case CB / !) .)

2 . Var_a W !
. .

jg

^ TV .

short loc_401026

) 6

CB / !) " [ V [ .)

%< ^ T
, Printf 5.

.)
cmp

{c84 ! / V .

G # . o

[ebp+var_tmp], 2

g 3

C D /!/R 6

short loc_40104F

2 . Var_a

.)
.

jz

. Var_a > 2 1

()

W ,[ T - (

!
%<

351

AB"

V .)

Printf ("a= = 2") 5.

.
cmp

( 2 5 C) /7@12
. 2 . . Var_a

G # .^ TV

. Case 2: Printf ("a= = 2") p . ,6

( b

jz

, 4

0 . Var_a W !

short loc_401031

Printf("a= = 0") 5.
.

[ebp+var_tmp], 0

.)

. *B . . Var_a

G # .^ TV

. Case 0 : Printf("a= = 0") p . ,6

( b
cmp

, 4V .

1
- G

[ebp+var_tmp], 1

10 . Var_a W !

.)
jz

V .)

short loc_401040

Printf("a= = 1") 5.

.
jmp

p . ,6

. 1 . . Var_a !

G # .^ TV

. Case 1: Printf("a= = 1") p . ,6

( b

, 4

short loc_40106D

, 4 V .

- G

o
.

loc_401026:

Printf("Default")

G # . ^ T V

. default: Printf("Default")

( b

; CODE XREF: main+10Yj

- GA

p .V

.Q

.2

1!". Var_a !

Cmp [ebp+var_tmp] , 666H

666H !

.)
jz

short loc_40105E

Printf ("a= = 666h") 5.


( b

. Var_a W !

G # .^ TV

. 666h . . . Var_a

. Case 666 : Printf ("a= = 666h") p . ,6

, 4V .

- G o
.

)3

. +/ 0 1. ( 2,
jmp

p .

- Crack

352

short loc_40106D

,6

- G

Printf("Default") 5.

( b

G #

. ^ T V

. default : Printf ("Default")

loc_401031: ; CODE XREF: main+1CYj
; printf("A == 0")
push offset aA0 ; "A == 0"
call _printf
add esp, 4
jmp short loc_40107A

Switch !
6 case

! G . Q

-p .

- G

, 4V
C/

.)! ) ! 4 break !

)V

) 6 break !

) 1 .)

, 4 V !)
()

.)
loc_401040: ; CODE XREF: main+22Yj
; printf("A == 1")
push offset aA1 ; "A == 1"
call _printf
add esp, 4
jmp short loc_40107A
loc_40104F: ; CODE XREF: main+16Yj
; printf("A == 2")
push offset aA2 ; "A == 2"
call _printf
add esp, 4
jmp short loc_40107A
loc_40105E: ; CODE XREF: main+2DYj
; printf("A == 666h")
push offset aA666h ; "A == 666h"
call _printf
add esp, 4
jmp short loc_40107A
loc_40106D: ; CODE XREF: main+24Yj main+2FYj
; printf("Default")
push offset aDefault ; "Default"
call _printf
add esp, 4
loc_40107A: ; CODE XREF: main+3EYj main+4DYj
...

.Switch !

)R T

353

AB"
mov
pop

( 2 5 C) /7@12

esp, ebp
ebp

.)

. 3T 9 4

retnm
main

endp

.
^ ) Tv
(

!)
2 ;

W . Rb
/

Switch

;. .)!

) 6

! #!

3T ^ ) T :

hS
v

C D / A 3 V A= > G . . b - G!)

ob

Y > !) ! 2

)aG

)<

1!". ) U

o. ^ ! V .

6 .
-)

.)

1V

case 5

-case

C D / [.

Y -

.!/V .
) T

() 3# ! - G!)

[ /) U C D / /

666h p .
(

. a>2

! . !) f

/ Rb Q >
. Gb

a>2 ]

8 . / 6

A. 4 1)

! 4 [ Y > !) ! 2

G!) Q

G!) V G

) ,6 (13-7) A

)<

i
/ 6

G #v

. case - B 1

V !) ) ) - G ! [

. Switch !

() *

-case ,- d-

CB / !) /

! B R ,- . Printf 5.

C++ Q }

- G ) < (13-7) A

= V !) .)! 01

_! # d ! f a!

!
< 6

- Crack

)3

. +/ 0 1. ( 2,

(3

*1 (! . V !) " [ -)!

) .

!) case ]

1
.

!) .)! ) ! -case

. /
f. ! 4

354

.R

2 ; /

! . [

(a = = 1)

! B R ,- . { 4)

! Switch !

.d
!)

-)
-

! B !) /

"/

-G

- G

! G

! /0

. !

! JG

G!) ' C,U V % <

;. ' !

v i R) / Q 84 .
>

. ! Switch A,; !

o ..

. Rb

Y0= '! B !)

. { ,i aQ) ;

!) >

-)

(a= =0x666)

!
.

() / v /

W j= C D /
() T -

)d

v/

(a = = 0) a (a = = 2) [

. a= = 0x666 /

!)

A,U ) G l G J 1 . (! . V !)

:d /
G!)

6 v

>

& . Q x !)
,

- G

0 a != 1 { ,i

C 3 - R . <
uT .d ! b
.

);

) - G Switch !

!)
G!)
)

355

AB"

( 2 5 C) /7@12

i <
-

-^ !

ob.

-X
G !

, 4 V !) .
9 8k R

. () / 5,6 6
-

. f .

.
1 -

,- C R . !) X

-)! /!
.R

!) ! d- .

-() )

-)

- / !) + # -)! /! /
,;

- W

V A 3 V

,- o b X "6

! . ! ob

( 6 R

. .

do# A. 4

do .)

#! V .

<

CG ) ! G

!) -)! /! .) / d - G

R) / disassemble Q > !) -)! /!

R b zU . /

!)

2+> )* >

Rb A Ck

"<

A /! > .A D /R
. !
: / 6

:A D /R

Qx

f
.Q=

!) -)! /! Y0=

#include <stdio.h>
#include <string.h>
struct zzz
{
char s0[16];
int a;
float f;
};
void func(struct zzz y)

! / V { ,U , 4 V !)

.d /

.d ! 0f. p , . ! Ck

1 C6 5.
W

.!
)<

. )! /! R)
*

{
printf("%s %x %f\n", &y.s0[0], y.a, y.f);
}
int main(void)
{
struct zzz y;
strcpy(&y.s0[0], "Hello, Sailor!");
y.a = 0x666;
y.f = 6.6;
func(y);
return 0;
}

' C,U d

#
.

/
d -)

o.
%< !

)3

. +/ 0 1. ( 2,

- Crack

356

disassemble /

A D / R . !) -! /! Y0= (
main proc near ; CODE XREF: start+AFTp
var_18 = byte ptr -18h
var_8 = dword ptr -8
var_4 = dword ptr -4

" , A. 4

,;

Ck

- W

)! /!

PU

3T !)

P#

push ebp
mov ebp, esp
sub esp, 18h

.)
push esi
push edi
push offset aHelloSailor ; "Hello, Sailor!"

lea eax, [ebp+var_18]

.)! )! 4 3- offset !) V

QW

var_18

;.

P# d<= V .
.

push
call

D/

!E

W V

. 1(!

/ 0x18-0x8=0x10 o6
/ /

g 3

)! /!

PU

/ Ck

W !) () ) p .

esp, 8
[ebp+var_8], 666h

.)
mov

. 16 Q) ;

eax
strcpy

.)
add
mov

var_18 Ck

W .

() ) l F G l F G DWord E

. 0x666 !

[ebp+var_4], 40D33333h

.
sub esp, 18h

Float

# !) 6.6 Q) ; !

357

AB"

. )! /!

PU R)

Ck

. C D /+

P# l F G <

. /
mov

( 2 5 C) /7@12

( - 3 ! 5.

!)

.!

ecx, 6

- W

.
. .

. 16 .

- G

D/

l F G float , int E

. 24 Q) ;
a - W

/ Double word 6

% / -

. 4 (string)

lea esi, [ebp+var_18]

.d ! b
mov

) . d ! ) ! Rb

! ) . D/ F4 / )! /! . 1(!

edi, esp

. b

) .(

)<

Ck

. 1 (!

repe movsd
call

{c84

= !)

add
pop
pop
mov
pop
retn
main

func

)! ) ! 4

3T

& . !)

, ()

Ck

1 (!

()

esp, 18h
edi
esi
esp, ebp
ebp
endp

.d /

V "f 6 Rb CG ) X PU 2 ; . ! )! /! Q =
,;

#include <string.h>
int main(void)
{
char s0[16];
int a;
float f;
strcpy(&s0[0], "Hello, Sailor!");
a=0x666;
f=6.6;
}

- W

-)! /! V .

)3

- Crack

. +/ 0 1. ( 2,

358

,;

- W

-)! /! V .

main proc near ; CODE XREF: start+AFTp
var_18 = dword ptr -18h
var_14 = byte ptr -14h
var_4 = dword ptr -4

C D / /
! B .
v

X PU

G
push
mov
sub

-v

. Ck
.

aR) / disassemble R

- W . /

2 ;

!) Q = - . .

A84 C=

/ . !Qx V Q=

; CODE XREF: start+AFTp

! 4 3T !) 8

. )! /!

.d /

( - 3 < !) !

. / !) /
1! 4

!) b / d -) g 3 d

3T !)

! B .
(

-)

2 ;

-' *
h6
.!) /
- W

ebp
ebp, esp
esp, 18h

.)

() ) l F G A84 Q x

,- 3T

. 0x18

push
offset aHelloSailor ; "Hello, Sailor!"
lea eax, [ebp+var_14]
push
eax
call
strcpy
add
esp, 8
mov
[ebp+var_4], 666h
mov
[ebp+var_18], 40D33333h

Ck

- W

)! /!

V.R

- d-

,.

mov esp, ebp
pop ebp
retn
main endp

func proc near ; CODE XREF: main+36Yp
var_8 = qword ptr -8
arg_0 = byte ptr 8
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch

. - /
,;

359
/ !)
" ,

AB"
)

()

# 5.

3T . Ck - W

)! /

) ;

.d /

( 2 5 C) /7@12

, R ,- / R

A,U V V . d

. ! 5.

1!b

+# [ 1
disassemble

, (

CB 2 ; p T d

, uT .d

AK 4

push ebp
mov ebp, esp
fld [ebp+arg_14]

3T !) )! ) ! 4 EAX 1(!

0x14

#b !) / Floating point E

) U

! 01! . FPU

.)
sub esp, 8

.)

() ) l F G

Ck

- W

.8

fstp [esp+8+var_8]
mov eax, [ebp+arg_10]
push eax

.) 1
lea

( Gm Ck

! 4 3T !) (

func

.d
'4

( Gm Real W

ecx, [ebp+arg_0]

. b
push ecx
push offset aSXF ; "%s %x %f\n"
call printf
add esp, 14h
pop ebp
retn
func endp
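As an added check (this is not code from the book), the following C program verifies the numbers the listing of func relies on: the field offsets of struct zzz behind [eax+10h] and [eax+14h], the 0x18 bytes reserved by sub esp, 18h, the immediate 40D33333h the compiler stores for the float 6.6, and the [ebp+N] offsets arg_0/arg_10/arg_14, which are the field offsets plus the 8 bytes of return address and saved EBP that precede the first argument in a 32-bit cdecl frame (that frame layout is assumed). The helper names are my own.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The structure from the book's example program. */
struct zzz {
    char s0[16];
    int a;
    float f;
};

/* Field offsets and size: the constants that appear in the disassembly. */
size_t zzz_offset_a(void) { return offsetof(struct zzz, a); }  /* 0x10 -> [eax+10h]   */
size_t zzz_offset_f(void) { return offsetof(struct zzz, f); }  /* 0x14 -> [eax+14h]   */
size_t zzz_size(void)     { return sizeof(struct zzz); }       /* 0x18 -> sub esp, 18h */

/* Offset of a by-value struct field from EBP inside the callee, after
   push ebp / mov ebp, esp: [ebp] is the saved EBP, [ebp+4] the return
   address, so the first argument byte is at [ebp+8] (assumed 32-bit frame). */
size_t ebp_arg_offset(size_t field_offset) { return 8 + field_offset; }

/* Reinterpret a 32-bit immediate as the IEEE-754 single it encodes. */
float float_from_bits(uint32_t bits) {
    float f;
    memcpy(&f, &bits, sizeof f);
    return f;
}

/* The reverse direction: the immediate a compiler emits for a float constant. */
uint32_t float_to_bits(float f) {
    uint32_t bits;
    memcpy(&bits, &f, sizeof bits);
    return bits;
}

int main(void) {
    printf("offset a = 0x%zx, offset f = 0x%zx, sizeof = 0x%zx\n",
           zzz_offset_a(), zzz_offset_f(), zzz_size());
    printf("arg_0 = ebp+0x%zx, arg_10 = ebp+0x%zx, arg_14 = ebp+0x%zx\n",
           ebp_arg_offset(0), ebp_arg_offset(zzz_offset_a()),
           ebp_arg_offset(zzz_offset_f()));
    printf("40D33333h as float = %f, 6.6f as bits = 0x%08X\n",
           float_from_bits(0x40D33333u), (unsigned)float_to_bits(6.6f));
    return 0;
}
```

Running it prints arg_10 = ebp+0x18 and arg_14 = ebp+0x1c, exactly the arg_10 = dword ptr 18h and arg_14 = dword ptr 1Ch definitions IDA produced, and confirms that 40D33333h is 6.6 as a single-precision float.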

AK 4
P;.
. /

,;

- W

)! /!

-) % < ! ! / V
. ! 58

/! G

" ,

d-

-() ) V . ' > 8 ! V #


,

!) .

. / R 1A Ck
(8

! [) "

O .
G .
ob

)3

- Crack

. +/ 0 1. ( 2,
,- ,6

;4

A D /R

! > . o b .)
/

G #%,

!)

= V !)

360
) < )! /!

# 1 O !) o b

T 1(!

)! ) )! /!

#S

.
!b

O# =

B U
-R

!b

- ! !) ) G

. )! /!
R
) G9

C. / + #
O .

f-

.d

- 6

!)

)! /!

B U

. C

C++ /

o6

() ) E

!b U
,

!b

C=

5.

E
+

o6

W
*

. / ( Gm

)<

!b

!)

, 4 V !) .) . - G

-)7!)b o b B U
) .
R

.) / - G ) < !

'! B .

!E

)! /!

. ! C

/ d -)

!b B U Q ,; ! > . ( cU .

d !) ! /

) G 2 ; !)

. ! 1(!

= ) - !)

) V-m !) .)! ) f . u

2C

O !) '! B V

8 3T ! E

< !) / " [ .
. -)

)! > . /

1(!

V ,

"# O
.

! 4 ^ ) T )!

W V [ /% 1

/d /q #Q=

W ( 6

A 3 V 5#!

!b R [

1)

. /d ) , d
/

.)! ) f ! 2C
a)! /!

y #

. {& , = d

C D /+

- !b /

disassemble / . /

!b E

!b V .

S ! ' C,U . 3 ,-

W Rb !)

{& , =

!b )! /! R

- G

!b R

! . U
.

PU

(!

- !b V . . .

v = .

.) . - G R

Q > {& ,;

1(!

V )! /!

day [7] '! B .

)! /!
)

.+

. struct week {int Monday; int Tuesday: } '! B

' Uc> ( Gm

d- % o*

)! /!

' 8 k V AB = )

)! /!

[ Y F R"

/ () *

. / () *

- W

T_ 3

d !) ! /

CU

)! /!

PU /

1(!

. -)! /!

.d / ' P4
! *-

!b

A. 4 - W E
1

. % & offset

. ;4

1)

-)7!)b

V j >

!b B U /

-)7!)b j >

d) / ( -3 ! E

A,U A

( = -

'! B 1(!

FU

-E

p. . 1 .

, Rb . 1 (!

B G F U (! ,

.) . - G
)! /!

>8!

-)7!)b '! B V ,- . d-

'! B !)

n ! > . o b -)7!)b - 1
.) 1

W '! B V

..

A 8 )! /! . !
E

-() )

. ! A84 Q x Q =

/ [ C D / / d 8. d - G

361

AB"
:5.

funct proc near ; CODE XREF: sub_0_401029+29Tp
var_8 = qword ptr -8
arg_0 = dword ptr 8

.) 1
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]

.d

- EAX ' 8e !) a(

Q !

-R

1!b ! 01! . Q = !) , 4 V !)

fld dword ptr [eax+14h]

FPU 3T !) )! ) ! 4 EAX 1(!

0x14 aoffset !) / floating point !

.)
EAX {
!b

).

)! /!

1(!

5.

B U f) .

.(

()

1!b R ,- / EAX {&

#R
TE

C.

. , ()

.) 1
sub

! 01! .

! 4 () *

1(!
)!

esp, 8

.)

() ) l F G

Ck

- W

. 3-

fstp [esp+8+var_8]

.d
mov

G var_8 Ck

{ ,i !

/d

- ;4 !

R) / ( Gm Q = !) , 4 V !)

ecx, [ebp+arg_0]

.)
mov

! 01! . ECX !) (

()

# 5.

. /

1 (!

edx, [ecx+10h]

V .)

! 01! . EDX !) a)! ) ! 4 0x10 a offset !) /


.d ! ) ! /

)! /!

uT .

. , floatingpoint

)3

- Crack

. +/ 0 1. ( 2,
push

362

edx

.)
mov
push

3T !) (

G C84 !

eax, [ebp+arg_0]
eax

Rb d )! b

) . !

% , ) /! V

FUV

{8

)!

Q= .

Rb PU V

. 1(!

R ,- / )! /! . 1(!

.)! ) ! 4 0x10 aoffset !) F U V

, 54

() *

)!

)! /!

PU

, 4 V !)

)" .d ) ) ! 4 3T !) !

..

() / Q W

. 0x10

.d ". 7 = ! )! /! ! G

struct xxx{
char x[0x10] || int x[4] || ___int16[8] || __int64[2];
int y;
float z;
}
push offset aSXF ; "%s %x %f\n"

.d /

. e ! () ) E

q #

/ -)
() .

; "%s %x %f\n"

!( 6 V

.
.

)!

R . FUV
!) a

)! /!

call printf
add esp, 14h
pop ebp
retn
funct endp

main proc near ; CODE XREF: start+AFTp
var_18 = byte ptr -18h
var_8 = dword ptr -8
var_4 = dword ptr -4

.d ! ) ! /
push ebp
mov ebp, esp
sub esp, 18h

. () *

char x[0x10]

Rb 6 G

.
call
add
pop
retn

; CODE XREF: start+AFTp

Ck

W V [ . /

O . Q ( f !)

ebp
ebp, esp
esp, 18h

.)! ) 6 ' Uc> R) / ( Gm

. 3T

363

AB"

push offset aHelloSailor ; "Hello, Sailor!"
lea eax, [ebp+var_18]
push eax
call unknown_libname_1 ; strcpy

. a / A Ck

( 2 5 C) /7@12

strcpy

"< R . ! V
. 0x10 . 1 (!

#.

) . 3T d # . 8

W V

. strcmp

, 5. V

#.

.
add

.) 1

unknown_libname_1
R

#b offset

1!b ) 5. V .d .

* ; p T V [ " strcmp 5.

)! )

# !) # .

+#

( 3

mov

mov

.d ) , ! Rb E

()

lea
push

6
. /
)! /!

# Rb .

.4(

1!b

var_8

Ck

-)!

var_4

-)!

, 4V

/ ;. ) C,U A Ck

! . . Q= .

. floating point

Dword

W V

/d.

. <

ecx, [ebp+var_18]
ecx

/ var_10 Ck

! #.

-R

[ebp+var_4], 40D33333h

. Rb E

!)

) . 3T

[ebp+var_8], 666h

.Dword E

-)!

esp, 8

)" offset p- /

W V

G # 5. A Ck
. 0x10 A/

-)7!)b ! Rb
. 1 (!

C.

. ,

. 1(!
! . .

a5. .d
. /

C. ! T 3T Q

. 0x10 (

# !) !
. 0x10+ #

! # . . 1(!

5.
.

struct x{
char var_18[0x10]; /* var_18 to var_8 spans 0x18 - 0x8 = 0x10 bytes */
int var_8;
float var_4;
};

.(
(

5. V
()

()

/d

# 1(!
# 5.

!)

. /

uT

)3

- Crack

. +/ 0 1. ( 2,
. !b

call funct
add esp, 4
mov esp, ebp
pop ebp
retn
sub_0_401029 endp

i <
(5. )
PU

) T

1(!
R

+
!)

,- X

) G offset +

a -() ) A

- -)! /! R ,- 54

() ) B U .

( Friend, Public

<

n 5.

< 5.

. !

B ) GX

! 4 ^ ) T )!

! 4X

: *= ' B FG

!) /

AK 4 " ,

+ # protected 5.

R !)
.)

G #" X

)! /!

,;
G #

!) /
_T
! b)

f)j >

<

: *= ' B FG

..
/ d

>

!) C++ R . !) X

C D /+

G # )! ) ! 4 X

public protected 5.
()

<b

< Q 6 .lG
#! V .

! E S

A D /

V d

public 5.

class MyClass{
void demo_1 (void);
int a;
int b;
public:
virtual void demo_2(void);
int c;
};
MyClass zzz;

.)

) G (14-7) A

! G

. C D /+

365

AB"

O# = !) X

f[d

AK 4 " , ()

Q = )! ) jC; X
" , )! /!

V.d

p , (14-7)A

)! /!

[ . ;.

X
V ,

.)! ) ( B FG) private B U + # /


.d / () *
PU

d / () *
: /

V.

[ / d -) g 3

. /

class

struct

n{

,U d -)

)! /!

struct

C/ ' ,C/

o. !
d- . ! Q x

struct MyClass{
void demo(void);
int x;
private:
void demo_private(void);
int y;
};
class MyClass{
void demo_private(void);
int y;
public:
void demo(void);
int x;

f[ /

f[ d /

)V .

.class struct

};

( 2 5 C) /7@12

pTQ

V Q=

T !X

T '&

.v

q # p T ! > . .d
d

: *=

AK 4

2 ;

PU /

-7c/

- public q #p T ! > . )! /!
C/ ' ,C/

() *

.X

2 ;

)3

. +/ 0 1. ( 2,

)<

C D /+

- Crack
o !) /

R U . !

. 5.

366

! ) y # d- .

k O

A4 = / )! /! - .

) /( -3

ob

{ 8

!/V

< 5.

G # (Virtual table)
! 4 Rb

< 5.

[ .] .

< Q 6 . 1(!

. ]8!

.X

j >

;.

- /

) -

.)

O !) X

.d
()

[ / d . !)

f[

n '! B . o b

, % , !) ! 1(!

C D /.
. -)

jC;

/ ;.

,- { 4)

V .

this 1(!

Rb .

R ,- / )! )

"[

C.

..

5.

X
() ) 1

;.

-)

() ) p . !)
new 5.

!X

V ,/

/ 2 ; ! this 1(!

! (exception) iG

() ) l F G

() T .

"[

#include <stdio.h>
class MyClass{
public:
void demo(void);

G #V

. uT .) 8. V .

this ! <,- 1(!


.(

- C D / x/ /

.4

." X

new fCU

1!b R U . -) l F G

; .

l F G heap

1(!
uT .

.
.

<

. O# = R "

) f . heap
. a_ C.

. /

) 6

. 1 / ! O# = R " A4 =
. C/4

- .

, . +8

() *

() T .

! G

G #A
R

,; 5.

-.

3T !) Rb ) G

V .) 1

5. Rb X

, 1(!

V ,-

5.

P# A4 = .)! ) y # 2C

. { , = O# = V . .
E

aX

, .

l F G Rb .

. l F G A. 4
,

)<

() *

disassemble / !) X

R ,- { 4) (

. -)

.1 R

1 .

1!b

g 3 this 1(!

.) ; /
(

< R

) G aX

V .)

.X

! # =

V , Rb (

V . ' * AB = (
() *

G # ) G ;4 7!)b

A4 = /
() T

C. ) ) l F G ! heap

. C D /

.)

() ) l F G

. '! B V !) R [

. null

. delete fC,U

/_T ! "[

.) . V .

! Rb R .

:d ) T

Qx

K! . Q =

: Rb ! G

367

AB"

( 2 5 C) /7@12

int x;
private:
void demo_private(void);
int y;
};
void MyClass::demo_private(void)
{
printf("Private\n");
}
void MyClass::demo(void)
{
printf("MyClass\n");
this->demo_private();
this->y=0x666;
}
int main()
{
MyClass *zzz = new MyClass;
zzz->demo();
zzz->x=0x777;
}

'! B .
ob! G

main proc near ; CODE XREF: start+AFTp
push esi
push 8
call ??2@YAPAXI@Z ; operator new(uint)

% C; { ;i4
.

. 8

"[V ,

() . q #

mov esi, eax
add esp, 4
mov ecx, esi

. 8 a new fC,U

() ) l F G X
R U .E S
. -)

mov
add

disassemble /

; operator new(unit)

, . ! O# =

. , AB

; CODE XREF: start+AFTp

lFG X

-A Ck .

disassemble /

- .d -)

. Qx V
;.

proc near
esi
8
??2@YAPAXI@Z

.V (

R3 !

() *

. O# = /

V Char * x = new char [8]


V

kB

! . f f[

)3
X

. +/ 0 1. ( 2,

- Crack

368

ECX .)

, . 1 (!

()

# 5.

. ' 8e j >

() b this (!
.

call

%<
.d

demo

! / [ 5. V
a !

)< !X

% C;

, V . /

(!

5. V ) G R [

! demo 5.

- .d

Rb . ECX /
. , a . jC;

jC;

, 4 V !)

/d )

G # ! demo 5.

() /
.

mov

G # .

public 5.

demo 5. .

. -)
/ ;.
() /

dword ptr [esi], 777h

" Public f ) PU

/d.

!)

(!

int E

) 1

"[

, . ESI / d /

X
W

/ )! ) ) 6 X

! b)
V !)

class myclass{
public:
void demo(void);
int x;
};

. ) 1
pop
retn

. "[

endp

demo

proc near

V void V

CU

; CODE XREF: main+FYp

.d ! ) ! 4

aX

PU / demo 5. !) Q =

esi
esi, ecx

.)
push
call
add

esi

main

push
mov

5. V

offset aMyclass
printf
esp, 4

! 01! . ECX ' 8e !) this 1 (!


; "MyClass\n"

369

AB"

private

B FG {& , =

PU

5. V .)

G #X

.
mov
call

( 2 5 C) /7@12
G # f ) 5.
5.

j >

R [ )! )

ecx, esi
demo_private

private {& , = "

) j8> . .

V )! ) ) 6 X
.

V !) f )

'! B .

.X

! G

class myclass{
void demo_private(void);
int y;
public:
void demo(void);
int x;
};

/ d / V ,P d

5.

private

! G
{8

, .d () / 23/ ! Rb ! G

B FG )!

f ) 5. - R !)
' S #V

!) Q x

-V R [ / d ) / (
. private

..

d /

B FG

(8

iG

. AB V

.y W

!)

. uT

.) /
pop
retn
demo

!X

1 -

(3

G !/

demo_private
G #a X

. (! . ) !

. /R

esi
endp

demo_private proc near ; CODE XREF: demo+12Yp
push offset aPrivate ; "Private\n"
call printf
pop ecx
retn
demo_private endp
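To make the hidden this argument concrete, here is a C rendering of what the listing shows the compiler emitting for the MyClass program; it is an added example, not the book's code. Each member function becomes a plain function whose first parameter is the object pointer (the value the listing passes in ECX), the object consists only of its two int members (8 bytes, matching push 8 before operator new), and x sits at offset 0, which is why zzz->x = 0x777 becomes mov dword ptr [esi], 777h. The struct layout and the names MyClass_demo, MyClass_demo_private and object_check are my reconstruction; the offset of y is assumed from declaration order.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Reconstructed object layout: data members only, in declaration order.
   x is the public member written from main, y the private one written by demo. */
struct MyClass {
    int x;
    int y;
};

/* The private member function: receives the object pointer as an explicit
   first argument, which is what the compiler passes in ECX (thiscall). */
static void MyClass_demo_private(struct MyClass *self) {
    (void)self;               /* the original writes no member here */
    printf("Private\n");
}

/* The public member function: prints, calls the private one with the same
   this pointer, then writes the private member y. */
static void MyClass_demo(struct MyClass *self) {
    printf("MyClass\n");
    MyClass_demo_private(self);
    self->y = 0x666;
}

size_t myclass_alloc_size(void) { return sizeof(struct MyClass); }     /* 8 -> push 8 ; operator new */
size_t myclass_offset_x(void)   { return offsetof(struct MyClass, x); } /* 0 -> mov dword ptr [esi], 777h */
size_t myclass_offset_y(void)   { return offsetof(struct MyClass, y); } /* 4 -> [esi+4], assumed */

/* Mirrors the book's main(): allocate, call demo, set x. Returns 1 when the
   object ends up with the values the two writes leave behind, 0 otherwise. */
int object_check(void) {
    int ok;
    struct MyClass *zzz = malloc(sizeof *zzz);
    if (zzz == NULL)
        return 0;
    zzz->x = 0;
    zzz->y = 0;
    MyClass_demo(zzz);        /* this = zzz */
    zzz->x = 0x777;
    ok = (zzz->x == 0x777 && zzz->y == 0x666);
    free(zzz);
    return ok;
}

int main(void) {
    printf("sizeof(MyClass) = %zu, x at %zu, y at %zu, check = %d\n",
           myclass_alloc_size(), myclass_offset_x(), myclass_offset_y(),
           object_check());
    return 0;
}
```

The point for the reverser is that nothing in the object distinguishes public from private members: access control exists only in the source, so the listing can only tell you which offsets each function touches.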

2+. ". i <


O . .)! ) ) 6 X
.)! ) ) 6 X
.

Rb

, +#
,

X
)

C. )!

V.

) 6 X
' *

)<

/ !) / X

)<
.

8
,

C D /+

)V V.
7c/

/ !)

1p , X

)3
V

,
() *

).

a2 , a1 5.

-X
D/ a(

d !) A %

! ) 7c/ V
a1 5.

f)

)! ) ! G !) ! a1 5.

f)
n

370

G # ! a2 5.

. .d /

a2 5.
V ,

- Crack

. +/ 0 1. ( 2,

V [

j3

-7c/ !) o b

ob

, V

/ C

. /

c/ /
.d /

/ d -) h S

) < 7c/

+ # this 1(!

V 23/

d-

.)! ) ! G !) !

. !+

e ! 5.
.)

a3 ! Rb /

d
Q

, !) /

a2 , a1

f ) 5.
. 7c/

= ) - !) .

- AF
, )

. Q 7c/

, /V
.

-m

) . . o

o b . jC;

5.

.)! b
/ !) + # X

..

3 1

(8
.) !

- AF

( 3
R

) . 8
X

,
V.

. -7c/

% o.
/q #

f)

, .

G # a3 5.

C D /+

Y - .

. a2, a1 5.

= V !) .

j3 % )

/q #

(
e!

)<
]8!

'! B . ! CB / R
X

A D /R

V . "1 - BcG ! > .


!) )! ) ! 4 CB

371

AB"

( 2 5 C) /7@12

!/ - >
V . ..

.)
A. 4

. 2C
*. uT

'

V . ) f

() /

. ! ob

*. 5.

!) >

! T 5.

. /

1!b

.Q

.Qx

' C,U 5.
!

/V

;.

) fC,U R U .

() *

V ad / R . ! -^ ! V v ;
' C,U Ret

Call V

'!

! Rb RET !

(!

Rb . CALL !

3 ,- /
.

.d /

-)

) /

. / o b epilog .

.d

-A,; !
.

! 5.

R T

lG v

. 5.

31 . 7!)b d

-( !
o
V ,-

/0
31 .

;. !

) 7!)b CALL !
6

) 6 V

)+

)! )

5. E

/ ' U 6!

3T

. E

/ d
1

() *

R T RET !

. epilog

=V .

7!)b /

,/

G #

5. R T RET !

..

% < ! 5.

<b . !

3. /d

! 4 3T & . !) !

. 5.

G #

. 7!)b Rb . JUMP

. - C D /

-7!)b /

uT 7!)b . 5.

.) 0T
!) .d /

f[ .

R . .d ) 1

() *

'! B CALL V

5.

!R T . !) G

G #

" d-

!)b . /

do % / -

. )

G #

n^ T

^ ! ) . ! 5.
) 0T

/ /

!) !

R T ! 5. RET !

. -)

do

aRb

! O

31 . 7!)b

. -)
&.

R) / disassemble

6 ' C,U AB =

. .)! ) ) 6 A 3 V A=

d / ( Gm l G

C/

/ ( Gm !

.) ) % < ! ! / V R

/ ! >R ,-

5.

. </ . ! Q

1!b ( ,- ! Rb

n^ T!

/R ) 1 .

b ) 1 .

! function

) 1 . !) G

Ck

/ /

. -R

CB

.) f. R

. ! !

G # ! 5.

! 5. V

ob

CB p . 5.

-p . !) /

-R . ! G

<

' U 6! ^ !
/0

Prolog Rb . / )

<

)3

- Crack

. +/ 0 1. ( 2,

372

2 . G
)!
!)

T ! CALL ' !

fC,U .d /

G #) G%

. /

,; 5.

& = V [ !) CALL !

AF#c. !

)%,

) fC,U .

<

disassemble /

() / < 6 ! (

7!)b .

>

5. E

7!)b !

)V

8 k A D / ' C,U Q >


.
.d ) T

Qx

.
.Q=

: 5. d

G #

void func(void);
int main(void)
{
int a;
func();
a=0x666;
func();
return 0;
}
void func(void)
{
int a; /* deliberately uninitialised: the listing only increments [ebp-4] */
a++;
}

'! B . { 8

A D / <

.text:00401000 push ebp


.text:00401001 mov ebp, esp
.text:00401003 push ecx

.text:00401004 call 401019

5. E
+G

7!)b a!
.

, 4 V

) V AF#c. fC,U <


!) Q = .

% offset . ! CALL !

) fC,U

!) .d

! CALL !

Rb / p . offset
; d /

! 01% ! 5.

) .

j 4) '! 8U .
d !

.text:00401019
.d /

.text:00401009 mov dword ptr [ebp-4], 666h


.text:00401010 call 401019

, 4 V !)

V "f 6 5.

373
V

AB"
!) .text:401019 +G ( - 3 . .d ! ) 5.

/d.
V

, 4 V !)

!/

( 2 5 C) /7@12

f)

G #

" p . V !)

R . 5. 2 ; '! B . {c84 ' !

v/

.d / V "f 6 call offset Function_name . ! call 401019 /


.text:00401015 mov esp, ebp
.text:00401017 pop ebp
.text:00401018 retn

R T { , = , 4 V Q = - . .d
'!

)E

a+G V
.

;. .

6
.

5.

31 .

* G

# 1 '! B CALL !

) fC,U +

.!

-Ak

. , 4 V !)
5.

5.

V .d .

! ) G 5.

.text:00401019 push ebp

5. E

7!)b , 4 V . () / E 6! 7!)b V
my function ! 5. V .

.d
.text:0040101A mov ebp, esp
.text:0040101C push ecx
.text:0040101D mov eax, [ebp-4]
.text:00401020 add eax, 1
.text:00401023 mov [ebp-4], eax
.text:00401026 mov esp, ebp
.text:00401028 pop ebp
.text:00401029 retn

.
G #

. CALL !

5.

. 1

o ( -)R 3 d- Gb +G .

8 .

-7!)b '! B V !) .

'! B

6 R

() /

T ! Rb

!)

()

. " [ ,-

- G ( T ,/ ! /

5.

) / ( -3
/ () *

T ' B . 7!)b 8 k ' C,U

/ ( Gm ! 5. 7!)b

. , 4V

! B .

/ ! >R ,-

5. d
)

n
()

. C D /

= - !)
.d /

. / 6
: 1 (!
int func(void);
int main(void)
{
int (*a)(void);

() *

Qx
. 5.

.Q=
G #

)3

- Crack

. +/ 0 1. ( 2,

374

a = func;
a();
return 0;
}

:
: 1 (!
.text:00401000 push ebp
.text:00401001 mov ebp, esp
.text:00401003 push ecx
.text:00401004 mov dword ptr [ebp-4], 401012
.text:0040100B call dword ptr [ebp-4]

() T ! 5. d

G # / )! ) ! 4 CALL !

.)! ) ! 4 [EBP-4]
+G .
V

.Q

/.

. ! +G V Q = .

5.

7!)b { 4) / )

) & . +G ) !)
# .text:401012

()
.d /

, 4 V !)

G !) 5. 7!)b

! mov dword ptr [ebp-4], 401012 !

C/ '! B .

V "f 6

6!

mov dword ptr [ebp-4], offset Function_name

.text:0040100E mov esp, ebp
.text:00401010 pop ebp
.text:00401011 retn

) '! B . 5.

= V

() ) ! 4 stack !) 31 . 7!)b !

C/ t > )

.PUSH ret_addrr/JMP func_addr

7!)b func_addr

31 . 7!)b Ret_addr

.
ob

V ,

f ) '!

b , d-

3T 3 ,- !

) )V

5. d
/

n
) 6

. / 6 f
JMP !

;. +G . Q
5.

) 8 U [ CALL !

/ a5. V # R T

;. / d -

V ,

) /)

uT 3 ,- CALL !
= !)

)) 1

t i Q
)

() *

V , Q=
. .d / () *

. ! T 5. !) 5.

G #

375

AB"
) '! B .

.d / () *
R [ -) ,

= V [ !) a .
JMP !

BG <

!"[ )d /
. 31 .

V ^ ! o .)!

.Q

< 6.
1 .

/ / ;.

) 6

=!

#!

* Ak

# 5. !) d / g 3 !

! 5. d
uT

) <b

( 2 5 C) /7@12

()

C 3 !

T(
f)

G # 5.

.)

() *

'!

. 5.

)
() ) Rb

) /

: / 6
JMP !

. .) ) d - G
.

V [

! JMP A84

! . )!

6 Q

31 . 7!)b

. JMP ' !

A= ( ! - A 3 V
.d -) ! 4

)!

. ! / ;.

-^ T

( /

Qx

G #

.A D /

o /

void funct(void);
int main(void)
{
__asm
{
LEA ESI, return_addr
PUSH ESI
JMP funct
return_addr:
}
}

:
JMP !
.text:00401000 push ebp
.text:00401001 mov ebp, esp
.text:00401003 push ebx
.text:00401004 push esi
.text:00401005 push edi
.text:00401006 lea esi, [401012h]
.text:0040100C push esi
.text:0040100D jmp 401017

!E S

f[ .

5.

G #

C. .

,; ^ T

, +G V
d .

.d .

#! 0x401017 7!)b . ! / V

!)
.

)3

. +/ 0 1. ( 2,

.text:00401017 push ebp
.text:00401018 mov ebp, esp
.text:0040101A pop ebp
.text:0040101B retn

# - G </ . !

() ) ! 4 3T & . !) ESI ' 8e !


)+

;. E

/ ret !

6 Q

a push ebp !

)+

G #

d) 1
V .

! push ESI !
.

.text:00401012 pop edi
.text:00401013 pop esi
.text:00401014 pop ebx
.text:00401015 pop ebp
.text:00401016 retn

) 401000C

0x401012 Rb !
(

. !

)! ) ! CALL !

() *

. / !

G #

( T

) = !) o b ! b { 8

. -)

! d/ !

. a( T

! 4 ) G 5. E

!) !

- /

/ ,

push
mov
sub

a) 1
-

= /

'! B
.

- ;.

- C D / x/ : Prolog

o. ! / /
.)

8 . /d

IDA /

. -) g 3

<

IDA Pro

- fC,U A Ck
. /

B!)

G #

/ !/ - ) 5 G >

6 5.

JMP !

) /

edi
esi
ebx
ebp

IDA Pro E F 1@
d-

!)b

stack !)

)+

.
.text:00401012
.text:00401013
.text:00401014
.text:00401015
.text:00401016

# [ ,

) ! 4 JMP !

6 V !) .d .
7!)b !

)V /

)! ) ! 4 stack & . !) /

) . pop ebp !
! . ! stack

+G !) d /
JMP !

)! ) ! 4 " [ [ 6 Rb !)

6 R ,- . Q = .)
(

376

Prolog / -)

ebp
ebp, esp
esp, xx

'! B . \

T ! / AB =

377

AB"

3T !)

. Rb !

Ck

D/ EBP !) a ESP

. 3T .)
. .

() *

p- / Ck

- W

- W

.(

( 2 5 C) /7@12
. EBP ' 8e

-)7!)b

3T . 1(!

' 8e !

Q = .)

- C D /

- W
5.

() *

T. /

() *

(! O

IDA

. ESP ) G

. -)7!)b ! O

+G

a /

,-

f[ /

.) .

() *

A 3 Sub ESP , XXX !

V T . ! Rb 1(!

.) .

() *

d/ !

. ADD !

#/!

ESP p "# .

)+

D/ esp !) a) /

.)

!) 5.
/

o.
.!

ebp
esp, 64h

Epilog 2
mov esp, ebp
pop ebp
retn

V "f 6 ! EBP

A,U ^ ! ) . Epilog

3T V T . / EBP !

(!

MOV ESP, EBP / POP EBP POP EBP / ADD ESP, xxx ' !
.

6 d..) / () *
G) G

-R

.) ; .

() *

1!b

)+

mask

! 3T

. 5.

. . n .)

C 'c 8
.

f ) '!

24

. d-

() *

% < RETn !
- C D /

RET !

) .

.)

- Epilog

) /d

/0

3T '! B . /
v

T 'c 8

)+
) .

01 ( /

;. : Epilog

:) 6
Epilog 1
pop
add
retn

Ck

+#(

- a! / % ,

: /

o.

/ () *

. 5.

! 3T 5.

A #

. /
V

) v

,- EBP ' 8e

-' 8e f )
.

C84 !

( Gm

. ESP !

() ) l F G O# = _ C. (

. PUSH EBP/MOV EBP, ESP/SUB ESP, xx :' !


/

! / V 54
3T

< 6V . .

- C D / !)
x/ !) )
31 . % f - /

G # / ( oU . ! 3T C

)3

. +/ 0 1. ( 2,

!) 5.

-R

p . !) ) 0T

- Crack

1!b . /

() *

378
T C 'c 8

% < 5. ) G +

3T

_T

windows !) API 5.

8/
.

! 4 [ .

.) / d - G h 3 A / ! > . ! zk8 V 5.
1 .

5. R T

3 ,- . /

) < epilog
G

! 4

. epilog ob

. aRET V

% / -

)! ) ) 6 d-

6 A # !) a) 1 ,

. RET!

. C D /a

.Q

epilog
.)

/(1- /
!! )
' <

int func(int a)
{
return a++;
a=1/a;
return a;
}

push
mov
mov
mov
add
mov
pop
retn

-R

1!b

. RET uT

;. b /

/ - C D /

! ) + # 5.

3T

)V [

6 epilog a epilog V

f)

) !) !

;. / " [ -

# / 5. epilog p ,

! ) 5.
/ [
. 3 ,-

- f ) R . . . -) ,
. ! S n /R U

s rA"% E

/ 5 J@K>) )

ebp
ebp, esp
eax, [ebp+arg_0]
ecx, [ebp+arg_0]
ecx, 1
[ebp+arg_0], ecx
ebp

epilog V [ . ;.
int func(int a)
{
if (!a) return a++;
return 1/a;
}

epilog V [ . (
push ebp
mov ebp, esp
cmp [ebp+arg_0], 0
jnz short loc_0_401017
mov eax, [ebp+arg_0]
mov ecx, [ebp+arg_0]
add ecx, 1
mov [ebp+arg_0], ecx
pop ebp
retn

A D / 5.

.(

disassemble /

379
(

AB"
6 prolog R . 5. aRb

Q8)

uT

( 2 5 C) /7@12

5. epilog !

b '! B . , 4 V
.

loc_0_401017:

() . A84 5.

) a /V

Q = .JMP
& . !)

/ -)

R3 V

G # CALL !
31 . !

b / d 8.
.) .

mov eax, 1
cdq
idiv [ebp+arg_0]

/
) .Q

.!/V
!) /

^ T

5.

) (! .!)

. !
. ,
Q

/ a' U 6! V
6 5.

5.

q # < !) G

/ d 8.

)! ) ! 4 3T

eax, 1
[ebp+arg_0]

loc_0_401020: ; CODE XREF: sub_0_401000+15Yj
pop ebp
retn

U ,< !) LEAVE , ENTER ! ) ) b 80286 f ) T / 4 :+@ .


) . ( ) < 3T 9 4 V . R) / .
. o b . b T '! )
! ) )V
.)
, () *
ob
- C D / % / - !) (
%<
A
10 !) ENTER ! ) % T
!) a ) / A,U / ! .
'! B V ,- . .)
%<
A
5 !) Q ,; '! B . /
'! ) .
,;
=!)
%<
A
5 !) LEAVE
.)
%<
A
) !) ,;

d /

PUSH EBP / MOV EBP, ESP / SUB ESP, XXX

() *

.d /
.^ !V
5.
C8,

o !) C D /
'!

MOV ESP , EBP / POP EBP

() *

8 3T ! naked

B G . 5.

; . / ) < Prolog epilog R . ;.

) R) / # S .

) '! B . ! ! / V

. ,

ENTER
LEAVE

C++ Q }
/ -)

6 .
6 .

: Naked !/ ( 6 u

. -) , ! 4 RET !
. -) % <

. __asm{ret}

.
)

)3

- Crack

. +/ 0 1. ( 2,

5.

8 3T

,U

C/! > . . / , ) < ! (

. R= >R
;. ) < R

380

!)

.) ) - G % < ! Rb

C. 4 V { ;4

.) . ( O

epilog R . ;.

n U S

) 6 R

-%"

f R . ad

disassemble

. / G) T"

"-

. A Ck

. 8Ci

C/ p .
1)

: )! ) ) 6 5.

D/

.)

()

.Q

1!b R)

= !) .E 6! .

# Rb . 1 (!

G # 5. 2 ; p T . ( cU ( /
-R

1!b 1 .

1 .)! ) ! 4
f[

/ [(

) f - ,- "

8e [ !)

</ !) -R

G # 5. )
()

1!b [ / -) R 3

1!b / / 2 ;

6 (

G # 5.

8
/V

;. /
.

Q=.

2C

- C D /V. !1

R [. / , lG
.)! b

) 6

! A &)

-' 8e j >

-2

3T j >

-3

. !

6 'c 3

/ A= !

c 3

-R

1!b

()

) ]

. G .!/ /V

1!b /

. V ,- .

1!b

3T R) /

1!b R)

! .

# -' 8e j >

# 3T j >

/V;

T . ! 8< ! - C D / R 1

(2

()

()

-R

.^ !

V)* O @

& > ,/

-1

# Rb . -R

-R

%<

1!b

= !)

2O

<

3T j >

E 6! . Q

; R .V

-R
( /

. -R

) !

V)* >

5.

-' 8e
5.

. !) /

!/ - ( 2O
zk. V .

() *

. Naked '! B .

1p T A. 4 n ^ ! [ . C D / / V

.)! ) ) 6 Prolog

. Return

= > C !) ! !) V

. G

) <

# %"

[ /d #
/ Rb p . ^ ! V

-R

1!b

# 1! 4
GQ
' o.
#V
*

381

AB"

-^ ! ,-

) G V . ) )! 4

# 1 d ,F

_ 3

) ; V # 0T . ! ! / V

2 ; / 8

. 3T !) [ .

3 T R U . _ a

()

2 ; / 8

! 4

() *

5.

- G ()

y > .
,C/ o b %

. ) ; Rb

.)

uT

-R

1!b /

/! / o b %

A84 A D / R

!)

f-

#S p

, 4 V !) .

) 6 ^ ! V !)

! this 1(!

- C D / x/ . /
.

o.

, 4v 6

C D / . 8

G #E

EAX

) tcB V
- Rb

T .

3T C
(

. /

()! b

!) /

- C D /

* ! Rb *C
! 4 C D /

G !

. C

o6

' C,U . / 1 A Ck

ad /

) ]

' 8e j >

-R

1!b f )

. (Optimizer)
V . /

\> ^
:)

C/

- :y R 9

"

.) f. '! B

! . .![

) ]

) G ) tcB . . C D /

' 8e j >
%"

() ) ! 4 __fastcall

! hS

! -^ !

. Q

! 4
) ]

Borland

. ECX ' 8e #

C D / - !) Rb ji
.d

k B

01 . : ) . @

.) 1
)!

) ]

R . ) ) 4 V : fastcall

C/ ,C/

C D / /

01 . : pascal

o !) this 1(!

3T j >

! 4

, G @

) ]

'! B ! T 5. +

T fastcall ) )! 4 . / ;.

! ;.

1!b __stdcall V
% .) 1

8 3T ! __fastcall
A84

/ ;.

.V ,

< !) .

1!b PASCLA V

-R

#
01 . : C

Gb !) " this 1(!

-R

# -' 8e j >

! T 5. ( oU . 3T C

) )! 4 V

. /

C ) )! 4

! . [

3T !) [ .

3T .a /

1!b R)

1!b __cdecl V

-R

# 3T j >

-R

# 5. ( oU . 3T C

() / () *

.)

. - C D /R= >R [

! . ! -) )! 4 V Q = . ) ) % <

.
.

. / () *
:d /

( 2 5 C) /7@12

! . A Ck ! 5.

y # f)

j 2
/

)3

- Crack

. +/ 0 1. ( 2,

5.

. /

-R

1!b ) ;

t i

. d- G

382

Q=

() *

[ R

G #

. ) )! 4 [

1!b - E

!/

[ )

'! B

. '! B V
1

;i4 % U V

.
. () / () *

) ! G !) !

. G G

# !)

) 1

! T 5.
-R
-

[ . -R

2 ; pT

G(

G # 5. +

1!b V # 1 ! 4 v

() . G

. a

. / 5.

)!

1)

C D /

G # E

1 ! > . PASCAL

()
G #^ !

-R

.d /

. 1 )!

. !

. .)! )

1!b V . :

f ) )!

1!b / d

.(

! 5.

4 a5.
()

! ' Uc> V .d /

) )! 4 E
PASCAL

! 4 () *

. y # '&

StdCall

) -

1!b

. ob 2 ; pT /
! 4 3T !) v

)) 1

. !) .d / g 3

;i4 % U R ,- ) 6 V .
.

^ !j >

.d

G # ^ ! .

V !) .

- ) C,U

=!

.d ! b

.*
)V

8/

' 8e a 3T j >

1 . . Q
3T
. /

) !
1)

!/

V ,- .)
!R

V ,

.) /
.

- G

)!

!) .)

G #

-R

b ! / o b ^! ,

. () /
R

) m )

) .
;. )!

-' 8e

. /

-() )

V !) C/! > . .

.R

& . !) / ! >R ,1!b .


4

uT /

PASCAL ) )! 4

. ) ; n !
V

. -

()
. o

#
3T

!) f ! O

1!b R U . /

T )!
1)

- G <

PUSH !

5. ' C,U A ,

V)*

-R

o6

# 5.

) . 5.

1!b Q ! ! O

! F
()

3T

<
-R

"

POP 3T
) .

3T

() *
() *

1!b

G RETn !

"

2O

1!b d ) / (!

- W j >

) .

)d- G!/

G # q #p T ^ !

StdCall ^ ! )
ad

CU .

A. 4 3T !) -R

{& , = a
)

_T

cdecl ) )! 4 .

n !).d ! ) ! /

5. 2 ; p T /
E

. 3T

()

.d ) D. o b t
3T 1 .) 1

) . 1 uT
-

.) ;

.) ;
5.

/m / ! >R ,! . cdecl )!

.)! ) ! 4 ADD ESP , n !

383

AB"

.) ;

. .

- G d- . 3T R
!) a -)

%<

6 5.

! /

! 4

3T !) /

/V

o. /

()

()

#!

#
.

.) ;

/! /

a !b a() ) )! /! a

- C D /

() *

. . 5.

.(
5.

/ A Ck . .
5.

.(

.R

)d- G ob

()

, " !(
.d ) T

-R

()

[ /Qx

24

. -R

1!b R)
() / dO

. /

1!b ) ;

/d

Qx

.
. ,

P# / ! [ -

6 .

3T )!

# ( -) R 3 MOVS !
!(

V ,

= )!

)! G

-R

Y F )! )
)

P;.

. 3- double E

PUSH !

.) ;

) . 3T

% U( 6 lG+
#

! . !

()

Y F

1!b ) ; d
#

! 3T R

V ,- /

MOVS !

) . / () *

n !)

G . .)

.(

. /

.) ; d /q #d

;. '! B V

. -)
Rb . (

( 2 5 C) /7@12

*1 v i

n a5.

, 4 V !)

(! T) ( /

G #

G . !) .d -) g 3 ! 3T j >

! . . Q = .) . - G do8 " Q

) /g 3

4)

PUSH 0x404040
CALL MyFunc ; 0x404040

a( 0x404040

. 1(!

/ ! >R ,- (E 6! . R)
O -R
f[ 5. V
[ ob!

, (

#)

#) (

.e !

/ V .) f. ! 4

! . )!

) C,U aE

g 3 a /

: / 6

Qx

()

#!

. /R

() ) ! 4 0x404040 (Offset)

G # 5. A Ck
/ /

)(

"

!/(

()

. 3T !) - W

) /R .
# Rb . /

-)7!)b . 3 .
2O

#include <stdio.h>
#include <string.h>
struct XT{
char s0[20];
int x;
};
void MyFunc(double a, struct XT xt)

#b !) / )! /!

"< R . ) / ( - 3 ()
# 5.

1!b

V)* O @

Q x V !)
V !) ;i4
-R

1!b .

() .

b! O
3.

)3

. +/ 0 1. ( 2,

- Crack

384

{
printf("%f, %x, %s\n", a, xt.x, &xt.s0[0]);
}
int main(void)
{
struct XT xt;
strcpy(&xt.s0[0], "Hello, World!");
xt.x = 0x777;
MyFunc(6.66, xt);
return 0;
}

. C++ Q }

'! B . aq #p T ' , O

C D / .

.V (

disassemble /
.

.C++ Q }

() *

main proc near ; CODE XREF: start+AFTp
var_18 = byte ptr -18h
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 18h

.(

1!b

Q !

5. \

( Gm 3T !) {& , = / -)

EDI , ESI

-' 8e

3T . ( cU a5. V

5.

1!b /

.v i V

V ,
!)

V . .)
!

. -R

f .

V ,

R 3 -' 8e h B -)!

1!b Q !

. 1 .

%U

, ()

3T !) o b R) ) ! 4 a

() *
()

"
#

;.

offset aHelloWorld ; "Hello, World!"

! O
) . 3T

.)

()

#R

;. A=

!)

() ) Rb 3T 7!)b d
R) ) ! 4

PUSH V

T .] .

.
push

disassemble /

esi
edi

1!b R U .
. -R

1!b R)

; CODE XREF: start+AFTp

R
push
push

. -R

1!b R U . a

! -^ ! V
.

. 1 (!

( Gm 3T !) 4

! > . /
.

! > . .e!

V , V ,- .)

() *
1!b

, 4 V !)
! () b ' 8e

C D /- /d )
R)

/
) 6

R 3 3 ,- 3T !) . e

385

AB"
lea

eax, [ebp+var_18]

! 4 EAX !) Ck

.) 1
push

aR
.

1!b

. -) , ! -R
[ .

#.

. 1(!

eax

1!b V

call

( 2 5 C) /7@12

.
)

A. 4 -R

1!b ,- .)

)!

3T !) [ - ;. . V

( Gm

/d

3T !) EAX

. V,i d

strcpy

1!b Q ! v
-R

1!b

. strcpy (char , char) 5. 2 ; p T

( 6

/
:

cdecl ) )! 4

() *
.

'! B V

. / 5.

.(

/ <

!) .

,1

! 4

Strcpy ( & buff [o], "Hello , World!")


add
esp, 8

()

# 3T . R

1!b ) o
. ) 8 5.

mov

/d
-R

.)

) . 3T

PUSH EDI PUSH ESI <

1!b

.8
!) .

[ebp+var_4], 777h

1(!

.e

V { ,i .)

.) 1 ! 4 O# =
sub

f. <

() k V !)

, .! /

Ck

- W

.)

() ) l F G
.

!)

()

- W

# 5.

.!

. O# =
. -R

1!b

ecx, 6

.d ) , ! ! / V
lea

-() )

esp, 18h

)<

mov

W !) 0x777 . e !

() ) ! 4 Ck

CU

() ) ! 4 Ecx !) 0x6 . e !

esi, [ebp+var_18]

() ) ! 4 ESI ' 8e !) a

"Hello, world!"

D/

= / Ck # . . 1(!
.)

)3

- Crack

. +/ 0 1. ( 2,
mov

386

edi, esp

! 4 EDI ' 8e !) a 3T & . !) (

.) 1

( Gm () ) . 1(!

repe movsd

Rb

P#

D/ 3T !)

double word - (

V .(
-R

. (64) (

1!b ) ;

.)

! O

) .
W

3T

()

# 5.

.!

/
.

R)

ECX 1 ^! , ' 8e (

4
-

. /

QW

! 3T

. ) ; 7

! ( ,- "

P#

QW

. 20 R
d /

[ebp + var_18] 7!)b

!
1!b

() *
' Uc>

0x777 . e !

var_4

'! B . ! )! /! ! G

Q=

W V uT .

.d /

# , 4V

6). /

. !/ V %<

D/ 3T !) [ebp + var_18 + 0x14]

.)

.)

! A/ .

struct XT {
char s0[20];
int x;
};
push 401AA3D7h
push 0A3D70A4h

int 64 E

1!b

V ,
.

call

)V .

V , E g 3 - /V

() *

..

1!b )
. double

MyFunc

o .d / 23/ ! 5. 2 ; p T d
.

add esp, 20h
pop edi
pop esi
mov esp, ebp
pop ebp
retn
sub_401022 endp

() ) ! 4 3T !) f ) R

)! /!

,
[

*
R

G # myfunc

.)

1!b V

387


+@;9 ) 2O
V

) .

f)

!Q

3T !) B U V

FU ) /

FU(
! 4 Rb !)
W

d-

FU )

3T !) R

"

!b

P#

G #E

9X

-R

1!b -)7!)b

)"

1!b R)

!b

. 6

. d -)
1 double

d -) ^

)"

G # 5.

. .) ) ! 4
G # .d -)
( Gm ! Call

1 .d /

aoffset . ( cU

. 6

. .) 1

! 4

31 .

3T !) -R

1!b

# ! section E S

() / ^

a -) , % < ! /

[ / .

:)

) k

() k !)

6 ,-

A 3

!/V

! section (! ,

# ! / !) .d -) l F G Rb

. ( EBP {& ,; ) l G ' 8e

1!b ,- offset

B U

.d ! ) . 3T

FU )

G # (

-^ T

.4
W

. ! 3T

!) Flat O# = Q

- C D / .d / () *

-R

)"

. 3T

,- 3T

. 8 / d !)

'! B segment

) 1

% o*

. () / 8 k ! Rb offset d

1)

31 . 7!)b a -R

! ))

8x

) *

3T

! B !)

! B !) Q x R U . .)! ) !

! 5.

)"

NT

W !

. a)! )

31 . 7!)b .d

FU . /

) .

54 ' * segment !) (

.(
;.

. /

) offset + #

;. !

B G A,U ) !)

. ! Rb / ) . d - G ! 8< a 3T ' ;i4

. ! 3T
lFG (

;4

) . ! O )!
.

:)

d !) ! / %

3T 1(!

d- 3T .d ! b

01

V)* 2

1!". 7!)b

8 k Q

. /

() *

3T /

<b

% nR

#V

o.

1!b Offset

arg_offset = N*size_element + size_return_address

.)
4 . . NT 9X ()

^! ,
!) / -)

*B

3T & .

N (! , R

R 3 ! 3T ' ;i4 (

Size_element
.

31 . 7!)b ( Gm ! O

. (

( b

. FU
) . C84 Q

P# (

. 4 . . 9x , NT

.
) ; d

() ) l F G

offset V

) .

# .d ! b

; .d -)
) . !

Size_return_ Address
!) d- (

%< V u U .
(

1!b

V .
!/

-)7!)b /

.
{& ,;

-R

1!b
.


( Gm 3T R ,- !)
.d /

R ) . .)! ) ) 6
-)7!)b

D/ Rb !) ESP !

.)

h kF ! Q
-R

#V

) b ! O

W 5.

6 Q > !) ESP !
W Rb !

-)7!)b

!'

-)

.E S

%<

% < ESP j >


(

. /V
)

o. /

..

proc

arg_0
arg_4
arg_8
arg_1C

=
=
=
=

()

# 5.

zU . {

8 .

() /

" [ - .)

1!b -

) U .d ! )

V ,

!) f

. #S

-. /

-R

1!b offset

. .d / Q 8 )

.a
.

Disassemble /

'

. 4 )! )

ebp
ebp, esp

! R

. IDA +

)! ) .
V

. -1
3T 9 4 E

1!b ! o[ IDA

,C/ [ R U . ! Rb IDA

3T

)<

Rb

f ! 31 . 7!)b

5. Rb

.(3
.

/ .) / ) , U

G # 5.

8 .)

.)
push
mov

/R
i Rb !)

; .) f. ! T 3T . ! (

) ! Rb

-! /

! 5.
O !) 2C

! .

. 8 3T (frame) 9 4 .

. 8

near ; CODE XREF: main+39Yp

1!b 1

!/ V . /

;. /

1!b # !) Q = !) 5.

, 3 ,- A ) V ,- . .) 1

C6

Qx

! > . ! -)7!)b

. e ESP . 8

dword ptr 8
dword ptr 0Ch
byte ptr 10h
dword ptr 24h

IDA . R

. ! ESP !

. .d

-R
MyFunc

O i

- C D / .

3T )!

: / 6

int 64 Q x

# : R) / # S . a)
a / R 1A Ck

! /

! G Rb

V V

R [Q= - .

MOV EAX , [EBP + 0x10]

. -)

1!b [ d

W ,-

. EBP ' 8e

1!b -)7!)b ^ ! V !) 9 G

1!b [ / d / 8 k d

; . /

A84 EBP C84 !

31 . 7!)b (

aEBP ' 8e

388

- iG

offset # 1 ! 4 arg

. 4 .)
() *

6 . 6 EBP
EBP ' 8e C84

389

lea eax, [ebp+arg_8]

1!b % / . ] .

! 4 3T 9 4 E
.d () / )!

1 (!

/ d / 23/

7!)b . 8
!

3T !) int E

push

8
!

. Q = a( b

#b !) R

[ / d 8.
. /

;. 5.


d !
Rb

(!

1!b V

.R

. 1(!

() / 8 k IDA .

G # 5.

A84 .

1!b

g 3

. Q =.
R

. EBP + ARG_8 uT .

.R

1!b R U . 1(!

V {& , = .) 1

! 4 3T !) ( b

) . 1(!

/d
V

..

! b) .)

() ) ! 4 ECX !) EBP + ARG_1 C R

ARG_8

Rb E

0x8 + 0x14 = 0x1c Rb

() ) ! 4 3T !) ( b

) .a

)!

3T !) / ! g 3

#b

) . W

Q=

edx

*.

;. 5.

. !R

1!b

d /

)!

3T !) (! . ) ! Rb

eax, [ebp+arg_0]
eax

.)
push
call

edx, [ebp+arg_4]

.d
mov
push

1!b

ecx

.d )! b
push

0x14 offset!) a)! /!

)! ) ! 4 E

.)
mov

- G ()

ecx, [ebp+arg_1C]

.
push

() ) ! 4

eax

mov

() )

1!b 2 -d b V Gb

!) int E

offset aFXS ; "%f,%x,%s\n"


_printf

3T )! " g 3

1!b V


/ ! >R ,- .)
/
V

()

# Rb .

ob E

. /

p , /
! 4 Ak
/

V; !

.] .

! 6 G

.!

! P#

.8

. 1 (!
# /

C++ Q }
V .

! . <

. / !
" %s "

).

.V d /

. ) . .)
!

)
g 3

( /g 3

.8

. ! 5. 2 ; p T / d

hex '! B . integer ) U

.
.

Floatingpoint E
P#

, 4 V !)

() ) ! 4 3T !) int E

, -! . 1 .

!) . / Q W

G #

1!b ) ; printf 5.

-R

. "%f"( / g 3 V

) d - G d / ;6
.

!V

" %x "( / g 3 V

) GE

# .d ! ) ! printf 5.

) ; .)! )

.d ) ) ! 4 3T !) !
uD

390

3T !) R

1!b ) V # 1

6 G

. "%f" ( / g 3

double

{8

Float

, 4 V !) . /
: /

QW

( -3 !

void __cdecl MyFunc(double a, struct XT b)

CB v
(

G(

G # 5. +

,o p 5. 2 ; p T !) -R

1!b CB v

# !)

- G

! .

()

A Ck .) 1

-R

3T

G #

! 4 . CB C
(

G # 5.
.

add esp, 14h
pop ebp
retn
MyFunc

.d /

cdecl

Q = - . .d / 23/ d

1!b V . ] 8 !

'! B (

; .

! . .!/V .

! -

<

. !

.
)V

endp

. ! 5. V

C++ R . a ! ) )

2 ; pTd

-R

d ) / #! p T ,/ < !)

1!b / ;.
.

G # !)

,; 5.
.

t i Q

G # . 4 # q #p T )
.

V.

! o b ((

R 9 ( 2O
o )< ! O

()! b d- # ! q # p T )
:)

)! )

! - W
C. . / , * !

Default Arguments: y
2 ; R

G #E

G #

. 5.

V)*
.

() *
) , 4 V !)

G # b -1

G #) 5. % / -2

391


tcB / ! >R ,- ! % &


.)!

5.

f)

-R

1!b C D / )

G # . 4 #q #pT!


G # q #p T )

. ;.

G # uT /

#S

. 5.
.d /

' 8e Q x

4
)

. ! zk. V

:q #pT )

R)

#include <stdio.h>
// default arguments: this example needs a C++ compiler
void MyFunc(int a=1, int b=2, int c=3)
{
printf("%x %x %x\n", a, b, c);
}
int main()
{
MyFunc();
return 0;
}

. /

( -3

!) ! (

F < disassemble 5

y R9 > I O @
main proc near
push ebp
mov ebp, esp
push 3
push 2
push 1

()

# 5.

. C D /+

call MyFunc
add esp, 0Ch
pop ebp
retn
main endp

disassemble /

; CODE XREF: start+AFTp

q #p T )

%,

( -3

/ ! >R ,-


392

!/ - @;VE / > I
. return fC,U +

R ,- 5.

31 . !

{& ,;

/ ! >R ,.)) 1

int xdiv(int a, int b, int *c=0)
{
if (!b) return -1;
if (c) c[0]=a % b;
return a / b;
}

! 4 c!) (

) 1
!) .

( ) 1 . !!

!)

() *

. !b .aR

4. 8 . ) 1
[ 5.

31 .

1!b h kB d

/ ! >R ,- .

Q ! ! O

xdiv 5.

()

# 5.

. E 6! . /

. ob

1 1

-^ !

.) ) d - G ! 4

! . )!

: @;VE / > I ( 2 3 .
(

,/ (

) T 3T

' 8e j > ) return fC,U


-R

() *

. )

R ) 1 . -1

R ) 1 . -2

1!b E 6! j >
heap j >
- W

CPU

() *

)
. )

-d[ T j >

return rA"% E F 1@
/

# 1 ! 4 EAX . e !) return fC,U +

! B !)
.)

V V ,- .)) 1

! 01! . EDX !)
.

,/ (

a ) 1

. !

3T j >

A 3
.) . -

. - B

R ) 1 . -4
)

R ) 1 . -5

/ > I O.

31 . !
. 32 /

/s

# / Rb R ) 1 .

VE /

) )! 4 7

< ' 8e

float E

( ) 1 . EDX : EAX

.
-' 8e

) T

,CU & .

R ) 1 . -3

<

# :
54

.
<

x/ !)

-' 8e j >

V ,

)! /!

;.

) T 3T

,/ (

393


Ec> R .
Ck

C D /

. E 6!

-' 8e !) !

1!b V

5.

R ) 1 .

< R

struct mystruct myfunc (int a , int b) 5.

5.

- /R
.d ! b
/
.

) 6

W
.

. 1(!

Struct

! o b j 4) 2 ; p T d

= V !)

'! B V

.(

-)

-! () *

24

Rb

R . -' 8e 1 .) 1
. 31 -

G # 5.

( Gm EDX

'! B
. !

) f f[ (! .!) !
*B ! EAX ' 8e & . ,
EAX

3 ,- vCi V

-' 8e !) (
.

. ()

1!b

. /

.
/

V ,

+ # C++ Q }

.( b

) !) /

3 . j 4) ' Uc> (
-

() . void

31 . !

() *

31 . !

( ) 1 .

6j >

5. E

<

o.
! .

(
A Ck

d- # EAX ' 8e . (

i AND fC,U
(

G # 5.

() *
u

5.

G # 5.

. .)! b

* my , int a , int b)

void E T

() ) ! 4 !
5.

. !)

EAX !) ! !

-)7!)b ! EAX ' 8e V T , {& ,; char E Q x


O .. /

P#

( Gm ! <

.2 ;pT) 6 V .. ) 1

mystruct * myfunc (Struct mystruct

EDX

. /

uT void myfunc(struct mystruct *my, int a, int b)

A D /

) .V


() *

! B !)

(
.

G # 5. +
V ,

h kB


394

Type (Length)        Returned via
1 byte               AL or AX
2 bytes              AX
4 bytes              DX:AX
Real                 DX:BX:AX
Float                DX:AX or Coprocessor stack
Double               Coprocessor stack
Near pointer         AX
Far pointer          DX:AX
More than 4 bytes    Implicit argument by reference

@ / 16 ( 2 A> a 5 ) Return rA"% E F 1@

/) I

VE / 3 .

(7-7)

Type (Length)        Returned via
1 byte               AL or AX or EAX
2 bytes              AX or EAX
4 bytes              EAX
8 bytes              EDX:EAX
Float                Coprocessor stack or EAX
Double               Coprocessor stack or EDX:EAX
Near pointer         EAX
More than 8 bytes    Implicit argument by reference

@ / 32 ( 2 A> a 5 ) Return rA"% E F 1@

/) I

VE / 3 .

(8-7)

395

. -)

R3 !E

) 1 .

.(

() *

%"

;. Q x

CB E

) 1 .

) 1 .p ,

#include <stdio.h>
#include <malloc.h>

return fC,U +

char E

char char_func (char a, char b)
{
return a+b;
}

return fC,U +

int E

) 1 .p ,

) 1 .p ,

int int_func(int a, int b)
{
return a+b;
}

return

! "# $ int 64

__int64 int64_func(__int64 a, __int64 b)
{
return a+b;
}

return fC,U +

int . 1 (!

int* near_func(int* a, int* b)
{
int *c;
c=(int *)malloc(sizeof(int));
c[0]=a[0]+b[0];
return c;
}
int main()
{
int a;
int b;
a=0x666;
b=0x777;
printf("%x\n",


396

char_func(0x1,0x2)+
int_func(0x3,0x4)+
int64_func(0x5,0x6)+
near_func(&a,&b)[0]);
return 0;
}

pT',O

. C++ Q }

C D /

() *
.

C++

u> L

proc near

arg_0
arg_4

= byte ptr 8
= byte ptr 0Ch
push
mov

'! B . a ) 6

- F < > a 5 A` b . > I

char_func

disassemble /

.Qx V (

q #

VE / F < disassemble 5

; CODE XREF: main+1ATp

ebp
ebp, esp

.)

. 3T 9 4

movsx eax, [ebp+arg_0]

.)

1 int (

()

! 01! . EAX !) !

. (

cU / ! / E

arg_0 R

1!b

cU / ! / E

arg_4 R

1!b

movsx ecx, [ebp+arg_4]

.)

()

1 int (

add

( Gm EAX !)
E j 4)
R

! 01! . ECX !) ! )

. (

eax, ecx

5,6 d- .
*

.)

% < 5.

A, k int

1!b ) 5,6 .
.)! ) ) 6 " !

()
"1 ) V

'! B V

pop
retn
char_func

ebp

int_func proc near
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch

1 int (

. / arg_4

31 . !

R! b d- #

. char

arg_0

endp
; CODE XREF: main+29Tp

1!b

.!/V .

int

n !) .) f. ! 4 int !)

-R

() . V ,
.

A &) . char

397


push ebp
mov ebp, esp

.)
mov eax, [ebp+arg_0]

! 01! . EAX !) arg_0 R

.)
add

V .)

int Rb

pop
retn
int_func

ebp

int64_func

proc near

arg_0
arg_4
arg_8
arg_C

=
=
=
=

5,6 d- . arg_4

,= E

arg_0

( ) 1 . 5. +

-R

1!b !

endp

dword
dword
dword
dword

ptr
ptr
ptr
ptr

; CODE XREF: main+40Tp


8
0Ch
10h
14h

ebp
ebp, esp

.)
mov

mov

. 3T 9 4

eax, [ebp+arg_0]

.)
add

1!b !

eax, [ebp+arg_4]

( Gm EAX ' 8e !) AB =

push
mov

. 3T 9 4

! 01! . EAX !) arg_0 R

1!b !

eax, [ebp+arg_8]

5,6 d- . arg_8

arg_0

.)

! 01! . EDX !) arg_4 R

-R

edx, [ebp+arg_4]

adc edx, [ebp+arg_C]

1!b !

1!b

arg_8
E

arg_0 5,6
-R

EDX : EAX

398

/ C d4! . <
- , arg_c

1!b )

-' 8e j >

arg_8

'8 k V

5,6 d- . arg_c
arg_4

<

uT .

arg_4

Arg_0 .)

-R

1!b

5,6 (

- G 5,6 d- . /

4.

- int 64

. 31 - G .
pop
retn
int64_func

ebp

int64_func endp
near_func proc near ; CODE XREF: main+54Tp
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp

.)
push ecx
push 4
call _malloc
add esp, 4

() ) l F G heap

.)
mov

() ) ! 4 var_4 W !) O# = . (

arg_0 R

() ) l F G 1 (!

eax, [ebp+arg_0]

.)
mov

( Gm ECX !

. ! o[ (

[ebp+var_4], eax

.)
mov

. 3T 9 4

! 01! . EAX !) arg_0 R

ecx, [eax]

1!b .)

! 01! . ECX !) EAX ' 8e +

() ) E 6! int !
.

mov

1!b !

edx, [ebp+arg_4]

int * E

399


! 01! . EDX !) arg_4 R

.)
add

.)

(!

Rb . EDX ' 8e +
.

mov

! 01! . EAX !) heap

.
Int*

G int !

O# =

int * a arg_40 R

1!b

() ) l F G O# = _ C. . 1(!

[eax], ecx

D/ heap !) * arg_4

.)

eax, [ebp+var_4]

.)

mov

1!b !

ecx, [edx]

5,6 * arg_0 .

mov


* arg_0 5,6 AB =

eax, [ebp+var_4]

V .)

! 01! . EAX !) heap

. '! B V

. /

() ) l F G O# = _ C. . 1(!

O . 5. 2 ; p T .)

( ) 1 . 5. +

myfunc (int *a , int *b)

mov esp, ebp
pop ebp
retn
near_func endp
main proc near ; CODE XREF: start+AFTp
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp

.)
sub esp, 8

.)
push esi
push edi

. 3T 9 4

() ) l F G

Ck

- W

. P#


400
.

mov [ebp+var_4], 666h

( Gm 3T !) -' 8e

.)
mov

( Gm

int E

Ck

/ var_4

W !) 0x666 !

[ebp+var_8], 777h

.)
push
push
call
add

( Gm

int E

/ var_8

G # char_func (1, 2) 5.

esi, al

.)
push
push
call
add

cU int (

() ) ^

1!

. int !

5. V .)

. (char) 5.

31 . !

4
3
int_func
esp, 8

. ) 1
add

W !) 0x777 !

2
1
char_func
esp, 8

.)
movsx

Ck

G # int_func ( 4 3) 5.

eax, esi

.)

5,6

) 1

. 5.

. ESI

/ !

cdq

!) (
int

A 8

. int

5.

. a)! ) ! 4 EAX ' 8e !) / (double word)

,C/ 4 !
31 . !

/ -)
.

mov
mov

R 3 V .)
% C;

,C/ ) !

() ) ! 4 EDX : EAX

R ,- ! / V Y - 8 .

-' 8e
A 8 64

esi, eax
edi, edx

.)

D/ EDI : ESI

-' 8e !) a # ^

,C/ 4 !

401

push 0
push 6
push 0
push 5
call int64_func
add esp, 10h

. int 64 E

Q=. ) 1


G # int64_func (5 , 6) 5.

5. V .)
.

! C84

-^

1 Y - % o*

add esi, eax
adc edi, edx

EDI : ESI

-' 8e !) ) 6

. int64_func +

,C/ 4 !

() )

31 . !
.)

lea eax, [ebp+var_8]

! 01! . EAX !) var_8

.)
push

# near_func 5.

()

.R

1!b R U . var_8 1(!

! 01! . ECX !) var_4 W

# near_func 5.

()

.R

1!b R U . var_4 1(!

near_func
esp, 8

G # near_func 5.

.)
mov

. 1(!

ecx

.)
call
add

. 1(!

ecx, [ebp+var_4]

.)
push

eax

.)
lea

5,6

eax, [eax]

. EAX ' 8e !) ! int E

W
.)

1(!

5. V

(!

! 01! . EAX !) W V !

{c84 / ! >R ,Q=. ) 1


402

cdq

.)

1 ,C/ 4 . EAX

() ) ^

add esi, eax
adc edi, edx

.
push
push

push

# printf 5.

()

. 5,6 V AB =

offset unk_406030

call _printf
add esp, 0Ch

pop edi
pop esi
mov esp, ebp
pop ebp
retn
main

.)

()

( 2O

V)* v> ' E

1!b j >

31 . )

! . 1(!

endp

b #) / F < F @
A=

8 !

. aE 6! . (

()

, 4 V !) . # 1 ! 4

R U . ! ob
!) ( 3

V !) . -)
.

,C/ ! o[ a )

edi
esi

.)

5,6 d- .

! . )!

) /

5.

-)!

- W

. 1(!

hS

o. ! +

O )!

{c84 /
.(

()

;.
-R

A=

-R

1!b

1!b R

! - 1(!

b /)

! .

. uD .) /

G # 5.

! .

A Ck .

) ! E 6! . (
. <F @

#include <stdio.h>
#include <string.h>

-R

@;VE / > I

()

- W

31 .

)! ) ) 6
C,U

b #) / +5 > 2 ?@ v> ' E ) I

ob

, A=
.

VE /

403


void Reverse(char *dst, const char *src)
{
strcpy(dst,src);
_strrev( dst);
}

dst

.)

! !) (

7 ; src

7 ; s

void Reverse(char *s) {
_strrev( s );
}

! s ) G !) AB = <

.)

int sum(int a,int b)

. ) 1

. !R

1!b ) 5,6 AB = 5. V

E 6! . (

{
a+=b; return a;
}

o b . Ck

- W

,-

()

-R

.)

1!b
! #!

int main()
{
char s0[]="Hello, Sailor!";
char s1 [100];
Reverse(&s1[0], &s0[0]);
printf("%s\n", &s1[0]);

.)

! s1 !) (

7 ; so

. s1

Reverse(&s1[0]);
printf("%s\n", &s1 [0]);

.)

7 ; uD (

printf("%x\n", sum(0x666, 0x777));
return 0;
}

.)

[ ) U ) 5,6 AB =


: b #) / F < F @

( 2 ?@ v> ' E > I

main proc near ; CODE XREF: start+AFTp
var_74 = byte ptr -74h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = word ptr -4
push ebp
mov ebp, esp

404
.

V E / F < disassemble 5

.)
sub esp, 74h

. .
mov

!) !

lFG

Ck

() ) ! 4 EAX !) "Hello, Sailor!"

C D / .)

. /

W V E ) !

4!

4.

( b

D/ var_10 Ck

!O )
) .(

D/ Ck

.4
- W

D/

0x10 !

. ) ; ^! ,

ecx ;

"Hello, sailor!"

!A

. 16 E ,< !)

/ var_10 W

. s[ 0x10]

ecx, [ebp+var_10]

! 01! . ECX !)
push

!Q

W !) "Hello , sailor!"
.)

.)

. O# =

mov eax, dword ptr aHelloSailor ; "Hello, Sailor!"
mov [ebp+var_10], eax
mov ecx, dword ptr aHelloSailor+4
mov [ebp+var_C], ecx
mov edx, dword ptr aHelloSailor+8
mov [ebp+var_8], edx
mov ax, word ptr aHelloSailor+0Ch
mov [ebp+var_4], ax
lea ecx, [ebp+var_10]

char

- W

! {& , =
. 3T 9 4

. 1(!

405
!

W

IDA .)

! IDA ( 8

()

a(

D/

# Reverse_1 5.
f[ / E S


. "Hello , sailor"

..

! . 1(!

()! b

) . (8
. /

lea

push

.)

! 01! . ECX !) var_74 ( 3

# Reverse_1 5.

;. / var_10
a( 3

) . var_10

W . b

-)!

call
add

. 1(!

R)

# ( -3
Rb +

lea

push

Rb !)

. 1(!

..

!A
.

- G

100

# 1! 4

- -) p , !)
5.

/ d ". 7 =

G # Reverse_1 5.

! 01! . EAX !) Var_74 W

W V (

() /

- G
!

G # 5. .)
(

()
G # 5.

) ! Var_10

.) . V,i R
push
call
add

. 1(!

eax

V j >

# Printf 5.

. Var_74 W

/ d ". 7 = d

<

. 1(!

!) .

V , Reverse_1 5. a ) 1 . !
, 5.

/ ; i R .

/)<

()
!
W

offset unk_406040
_printf
esp, 8

.)
lea eax, [ebp+var_74]

.)

. 1(!

Reverse_1
esp, 8

.)

var_74 W offset R) / d/

"Hello , sailor!"

. ) 1 . ! !

-)!

Ck

. s1[100] 2 ; . char E

V . 0x74 - 0x10 = 0x64.

100 . . !

-) !

edx

()

var_74

edx, [ebp+var_74]

.)

ecx, [ebp+var_74]

G # 6 G

!p , ! O

. Printf 5.


5.

31 . !

406
T Var_74

{ - : W V .)

.
push

-)

Reverse_1

ecx

V , " Reverse_2 5. .)
- {cB

. ECX ' 8e

. 1(!

W !

# Reverse_2 5.

()

-) ! 4 Var_74

V !

. Var_74
W

. 1(!

!) ! ) G

31 . !

. ) f . ! !
call Reverse_2
add esp, 4

G # Reverse_2 5.

.)
lea ecx, [ebp+var_74]

! 01! . EDX !) Var_74 W

.)
push

5.

edx

31 . !

. 6

/ d ". 7 = d
E S

. 1(!

8 . -)

. .)

( 3 () *

! 4 Var_74

# Printf 5.

()

. Var_74 W

! of EDX:EAX

a)
W !) -' 8e

6 . !) G

-' 8e +

31 . !
.

push
call
add

push

call

a5. V

q #

offset unk_406044
_printf
esp, 8

G # Printf 5.

.)
push

. 1(!

777h

.)

()

# Sum 5.

. int E

0x777 !

.)

()

# Sum 5.

. int E

0x444 !

666h

Sum

407

add esp, 8

G # Sum 5.

.)
push

Printf 5.

eax

.R

1!b R U .

Sum 5.

31 . !

/ EAX ' 8e

A
.)

push offset unk_406048
call _printf
add esp, 8

()

G # Printf 5.

.)
mov esp, ebp
pop ebp

.)

. 3T 9 4

retn
main endp

! >R ,- .

. '! B V
. /

(3

int _cdecl Reverse_1 (char *, int) '! B . 5.

(8
.
-)!

. 5.

2 ; pT

# . . 1(!

# 1 O !) Source R U . "

[ R
!

]8

2 ; pT

G # 5.

{c84

1!b Reverse (char *dst , char *src)


1!b

# 1 O !) F

R U
.)

Reverse_1 proc near ; CODE XREF: main+32Yp
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp

.)
mov eax, [ebp+arg_4]

. 3T 9 4


408
.)

push

()

! 01! . ECX !) arg_0 R

1!b !

# Strcpy . arg_0 R

1!b !

()

strcpy
esp, 8

Rb . arg_0 /

(!

1!b

. arg_4 R

ecx

.)
call
add

# Strcpy 5.

ecx, [ebp+arg_0]

.)
push

1!b

eax

.)
mov

! 01! . EAX !) arg_4 R

# . !) )

Rb . arg_4 +

(!

.)
mov edx, [ebp+arg_0]

#. . R

! 01! . arg_4 R

1!b V .)

1!b
. /

push

) 1

'! B V

(!

D/ J ! A

()

# _Strrev 5.

. arg_0 R

1!b

__strrev
esp, 4

Reverse_1 5. . /
/

EDX ' 8e !

k +

edx

.)
call
add

D/

7 ; !)
.

(!

Rb . arg_0 +

# E 6! . / arg_0 j >

()

. 5. 2 ; p T ) 6 V

..

4.

W R . /

! Strrev 5.

/
!) G
(!

31 . !
Rb . arg_4
.

) /^

8 ! Const ( /2 B
. /

(!

. void Reverse_1 (char *dst, const char *src)

G+# W

. Source 1(!

/ -)

R3

409

pop ebp
retn
Reverse_1 endp

.)

int _cdecl Reverse_2 (char *):


Reverse_2 proc near ; CODE XREF: main+4FYp
arg_0 = dword ptr 8
push ebp
mov ebp, esp

. 3T 9 4

'! B V

. 5. h kB 2 ; p T

.)
mov eax, [ebp+arg_0]

! 01 ! . EAX !) arg_0 R

.)
push

call
add

pop

()

# Strrev 5.

. arg_0 R

1!b

__strrev
esp, 4

Reverse_2 5. uT .)

1!b

eax ; char *

.)

31 . !

. 3T 9 4

!)

S # / /

() ) ! 4 6 R ,- !) <
' 8e

) 1

. arg_0 R

7 ;

1!b j >

!
!) G

ebp

.)

. 3T 9 4

retn

.) . - G '! B V

. Reverse_2 2 ; p T a(

%<

! . V Gb 7

. void Reverse_2 (char *s)


Reverse_2 endp


410

Sum proc near ; CODE XREF: main+72Yp
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp

.)
mov eax, [ebp+arg_0]

.)
add

mov

()

.(

()

() ) ! 4 EAX !) <

/! F

5,6 d- . arg_4 arg_0

-R

-R
-R

1!b
1!b . /

D/ arg_0 !) arg_4

V , .)

!) q # V
.

) 6

.
.)

mov

1!b !

1!b

[ebp+arg_0], eax

.(

! 01! . EAX !) arg_0 R

eax, [ebp+arg_4]

.)

) 1 .

. 3T 9 4

.
V.

arg_0 5,6 AB =
1!b j >

) . 3T

! #! Ck

- W

5.

,- a!

eax, [ebp+arg_0]

'! B V

D/ EAX ' 8e !)

. 5. 2 ; p T uT .)

31 . !

&=

int Sum (int a, int b)


pop ebp
retn
Sum endp

.)

. 3T 9 4

(
%, .
. 5.

8
-.

^ !!

) 1 . !

) 1 .
. 5.

( 2 ?@ v> ' E ) I

- W
<

- W

() *

VE /

Q ,; ! > .
- W

411


A Ck

"< . . , ) <

() 8

5.

bd

-Rb !) !

! . A. 4
. /

.!/V

-)

- W

C/ d

% &(

%< !!/V

() ) p . !
%<

() / !

- W +

do .

, 4 !) o b . (

W
(

. .) 1

-E 6! uD

) ! ob

) 1 .

G # 5.

/ )!

R)

) !

# a(

j k

G #

- W
-

G # 5.
! .

- W

. ob

% /

#b . ( ,- !

.d -) ! 4
.

) G(

!) j 4)

'! B

()! b


- W j >

! . )!
!

! /
) 1 .

#include <stdio.h>
char* MyFunc(int a)
{
static char x[7][16]={"Monday", "Tuesday", "Wednesday", \
"Thursday", "Friday", "Saturday", "Sunday"};
return &x[a-1][0];
}
int main()
{
printf("%s\n", MyFunc(6));
return 0;
}

'! B . q #p T ' , O

. C++ Q }

C D /

() *

.Qx V (

disassemble /
:

:
MyFunc proc near ; CODE XREF: main+5Tp
arg_0 = dword ptr 8
push ebp
mov ebp, esp

- W j >

) 1 .(

disassemble /

.)
mov eax, [ebp+arg_0]

.)
sub eax, 1

. 3T 9 4

! 01! . EAX !) arg_0 R

1!b !

arg_0 /

1(!

.E S
.

412
.

< - 1(!

V .)

EAX

d/ =

! . S ! ' C,U C R . !) 8 .

shl eax, 4

(16) 4 R
add

.)

. 2 Q) ;

! ,

E 6! () ) p . !) .

9 S 16 !) arg_0 < !)

eax, offset aMonday; "Monday"

#S

pop

. Shift ! o[ .)

!Q 6 . /

T 1(!

- W

.( b

.!

- W A

() ) p .

ebp

Rb . EAX ' 8e /

(!

l F G JO# = . 1(!
.

!b

F U . 1(!

) 1 .V. 4 #-

. , () ) p . !)

- W

/ ! i ,- .)

3T 9 4
( ) 1 .

) 1 . heap

. 1(!

retn
MyFunc endp
main proc near ; CODE XREF: start+AFTp
push ebp
mov ebp, esp

.)
push

.)
call
add

()

# myfunc 5.

. int E

( /g 3

MyFunc
esp, 4

G # myfunc 5.

.)
push

. 3T 9 4

eax

! .)

()

# Printf 5.
.

. myfunc 5. +
! . 1(!

(
V

( ) 1 .!

/ -)

R3

413

push offset aS ; "%s\n"
call _printf
add esp, 8
pop ebp
retn
main endp

.)

. 3T 9 4

aMonday db 'Monday',0, 0, 0, 0, 0 ; DATA XREF: MyFunc+CYo

7 =V ` /

! () )

. E 6! E

V p ,
.

aTuesday db 'Tuesday',0,0,0,0,0,0,0,0,0
aWednesday db 'Wednesday',0,0,0,0,0,0,0,0,0,0,0
aThursday db 'Thursday',0,0,0,0,0,0,0,0,0
aFriday db 'Friday',0,0,0,0,0,0,0,0,0
aSaturday db 'Saturday',0,0,0,0,0,0,0,0,0
aSunday db 'Sunday',0,0,0,0,0
aS db '%s', 0Ah, 0
; DATA XREF: main+EYo

() .

+ I
) 6

/ () *

-R .

6 . C8,

& . hi
V

-R .

. C D /
/

. !) .

-5

. C D /

[ /J

. { ,i

-R . .

.!/V

-R .

.^ !V

[ /

/ o

) 6

!/

- Dll

() *

ob /

)! ) ) 6 & . hi

. Msvcrt.dll A #

) G 5.

.
V

-Version J

V Visual C )!

!)
!) . /

.
d

c 3 54

-dll

)!

!/
)!

Rb

3 . CU V ,- .
-R .

!) () *

. /Q=.
.d ) T

. 32

!) 54

# 4>
.

() *

!) & . U

. ' B FG

x/ !) ^ ! V
b

) 6

() *

"
.
! . .

5
/

. -dll
6A 3

. R. V

! / C8,

-dll V

= / /

-A #

+ # q #p T ! > .
. /

) G 5.

5.

. ! 8< ! .! / /

) G . {& ,; Rb

f)' *

() *

C )!

& . hi

G . . /

.. /

G .

o b vF

vF

-R .

Visual C++ Q x

o.

. 8 .) / - G o
.

. 6 R

U F ^ -

/R ) G 1
/

C8,

.(

. 6 G / o

. ! C8,

ob

d<= d/ C8,

# 3 T - C D / [ 1 . / 23/ ! C8,

- G

C8,

User32 Kernel32

. \!".

-(

[ /

- , 4
b C8,

() *

TV

{& ,;

.V

.
v ;

"


418

@ / 32 ( 2+ . /
(

-cpu R

K ! 80286

!) /

< '! B . /

O# k + k !)

1 6 JO# =

.)! ) ! O# =
!) . ,. ! ) #

*1 ( Protected CPU Mode ) CPU `

.)
() / ) <

P# !) !

. 32

O# k

Rb .

. 32 J

. -

. f 1 4 x/ = -)7!)b

5S

( General Protection Fault)

,U

/
: *=

4 .
Co

. -. /

. 32

. -

iG ) < zU .

. '! B V

.)) 1
-

. J,- Win16 !) . (Win16 YcG .)

) k

Win32 !)

. ES

. data/code

! f) J

P# !) Win32 J

o ) G JO# =
)

) f

P# .

JO# =

. -

P# .

) u

C. 4 V .
.)

f ) aWin32 k .)! ) ' *

f .

Flat Q

8G f )

) 6

P# 4GB

,f

. 1!". ,/ V

JO# = Q

A 3

-' 8e . R)
/ () *

. 16 , 4
o .d !

O# = .)!
C/

O# =

.'

."

- ,f

) 6

P#

-Q
,f

O# = Q

!O

- -)7!)b

() *

!) -' 8e V
.

.
!

Macro

! "# %

- G (!
o.
-

Borland /

d- . 8 6 '

.V

!)
) /

.Q
C8,

. 32

Y ; . !)
G

.
-

-' 8e

-' 8e V !) !

) 1 .

A84
. /

1 -

() *

-! ". . ;. zk8 !)

. ' B FG . 8

! ".

Turbo Assembler :
.^ ! O

. % f - !) /

) > G . 3 ,- uT .)!

) k

,f ' 8e -

. ebx aebp aedi aesi

-! / % <

'! B . ! o b

.
.

) G CG )

1 /

) 1 .) GJ

. Win32 k

b Rb .

!)

; V . V V ,. /

)!

. 64k

f) /
i

O# = Q

b / Q=

. !/ V
! 8U C8,

) V . Microsoft /

.. /E

R.

.
G

.
Assembler

419
/

E
(

> )

Macro Assembler

() *
. !)

O /E +/

-/V

6.11 J

Rb & .

AB"

> .+ . / /7@;2

. 9 / V !) . ! )

. 32

-' *

.V

, ,S CD !) C D / V 6.11

) 6

Tools\Masm6.11
A #

(.obj)

( -3

. Object A #

. ml.exe A #

!) ! o b . ! / ^ ! / /

() *

Macro Assembler 6.11

6 A #

. Link.exe

: /
ml /c /coff < abcdef ghci jcd >
link /subsystem:windows
< abcdef

: / () *
ml /coff

)! ) !

6 A # G

obj ghci jcd

^ !

>

& . JC=

)%<

6 .

< abcdef ghci jcd >

C. 4 /

6 A # y # A=

R) ." b

'! B !)

- G)<

Macro Assembler E F 1@
)
)! ) -

- C= ! G

() T

. ()

'!

(>3
-1

- ( 2 +IA_ + > I

Macro Assembler

! 8U /

.if , .elseif , .endif , .repeat , .until , .while , .endw , .break , .continue


.if
! G

{,=

/ !) ! ! G

) ! Pascal aC

.
V

() T ^ ! ()

& . hi
Qx

-R .
.

. J. <

!) . ( ) ! if / else
: /

.IF eax == 1
< If klef emd nopb qloprsn >
.ELSEIF eax == 3
< ELSEIF klef emd nopb qloprsn >

( -3

C8,


420

.ELSE

< ELSE klef emd nopb qloprsn >

.ENDIF

* b)

-^ T . ! ) G

. /

! 8< ,
:Qx

f)
.

* !
< "

!)

.! G

if ' !

V
). /

.IF eax == 1
.IF ebx == 2
< teu vn ew xpyz klef qloprsn >

.ENDIF

.ENDIF
.) ) % < ! & . A,U R

.IF (eax == 1

&&

d-

()

^ ! .

ebx == 2)

< teu vn ew xpyz klef qloprsn >


.ENDIF

: -)

R 3 ! C8,

==

. .

!=
>
<

. .
R) . 1!".
R) .

[ /

>=

1!".

<=

[ /

/ !) () *

A. 4

- fC,U

421

E
&&


i AND

||

i OR
.Repeat

:Qx

. /

6 V; ]

R) . ! 4 . R

! '!

/ C. !

)V

!(

V ; '!

.REPEAT
< qloprsn >
.UNTIL eax == 1

. -)

% < eax == 1 ]

! 4 .R

.While
a)

. !) C= ]

/' * V

. /

A,U REPEAT

,- { 4) !

)V

:Q x

.WHILE eax == 1
< qloprsn >
.ENDW

:Qx

. .)

() *

C=

! G

.!

)V

.WHILE edx == 1
inc eax
.IF eax == 7
.BREAK
.ENDIF
.ENDW

. /

T , G WHILE J C= )

! 4 . eax == 7 ]

.Continue

!)

C= ]


()

422

# _ C.
.

. .
6

6 /)

_ C. ' !

v8

) )

C= !) !

)V

[ (! . ) ) 6 '! B
Invoke ) @

5.

() *

- C8,

f) . 8

C8,

:Q x
{nc|
push
push
push
call

" V

.. /

()

1!". V
!

-2

/ *1 R

. ! ob

G #

}vo
parameter3
parameter2
parameter1
procedure

oprsnInvoke
invoke procedure, parameter1, parameter2, parameter3

) , U A. 4

()

Invoke

{ 4) ^ ! ) - !) (

)< V

.
: / # ;

. . ! 5. J

J ,

. Invoke !

() *

testproc PROTO STDCALL :DWORD, :DWORD, :DWORD

) !

! T R U . ! Dword

3 / ! testproc %

'! B . <

<

T &. 2 ;

G # '! B !) Q = . /

# ; a) 1

Invoke testproc, 1, 2, 3, 4

) !

!T3

testproc <

T / /

)"

1 ,

() ) iG % W T C8,
!

-)

!) .

- O )!
.

% < ! /) G ! > . !
E

R ,-

) !

{ 4) <

V,i ^ ! /

/ () *

- W
T

# !)

Q
-

() *

/ A,U C8,

V ,-

!T /

offset

6 . addr

2 ;

. V,i
Invoke !
'! B . - <

)
T

423


testproc PROTO STDCALL :DWORD, :DWORD, :DWORD

.code
testproc proc param1:DWORD, param2:DWORD, param3:DWORD
ret
testproc endp

: / A,U

'! B .

<

R !) Ck

- W 2 ;

LOCAL <~rb jcd>:<~rb xpd>

. / () *

, > .

AB"
.
-f
.d /

C8,

/
/ !) -

! . ! Rb d - G

. 32

.! G
/

! G !) - W V

/ Windows P-

-^ !

<

. ' B FG
o. Q = . ) /

( -3 !

! G

o .

> .+ . /

G . . A84 z= 8 !)

b) 1
C

!/ . ob
!) .d

.386
.MODEL Flat, STDCALL
.DATA
<Your initialized data>
......
.DATA?
<Your uninitialized data>
......
.CONST
<Your constants>
......
.CODE
<label>
<Your code>
.....
end <label>

.386


U ,<


C8,

" 0586

/ () *

424

, - !) directive

( C D /

0486

80386

. / () *

-Cpu

.386

p . V
-A,; !

() *

(! V

V,i

.MODEL FLAT, STDCALL

.Model
*1 / ! >R ,- . /

g 3 ! , J

. `) *

)!

O# = Q

Flat Q

directive

Win32 !) ) 6

o
.Stdcall

Q ! v
.

!TQ ! ^ !. /

) ! Pascal

Stdcall !

g 3 ! )

/ /

! T Q ! ^ ! C8,
g 3 ! - <

T . -

!T

. DATA
. DATA?
. CONST
. CODE
. " [ Win32 !) / ! ) )

%
i

-p . . ! ) G J
. /

! 01

cU !

! Section

.) .

. JO# = 7!)b % ,
;. Section

o Section

! directive ! o[ -

d-

) 6 Segment

()!

. /

.d

Logical

code data J ) ) . -Section

.d
.

.d

. -Data Section

.DATA
.

QW

p .V

-() ) /

P# !

.V
.)

nb

-() ) A

() "# (.exe)

p .V
6 A # d<=
.DATA?

425

. p . V . / () *
+

P# .)! )
.)!


(memory) O# =
O# = !
e -


. /


- W

-() ) A

[ .E

. , J

. / /

6 A # d<=

! .)

QW

p .V

g 3

C8,

p .V

- W
.CONST

W A. 4 n

6 54

!) /

-(constant)

.e

p .V
.

:)

. /

6 < .(.Code) )! ) ) 6

. /

.p .

+#

<label>
end<label>

V.

. , J

. /%, . /

g 3

C8,

. ! , J
.

. /`

d-

! )V

end <label> <label>


426

F
J

! G

1)

. / d

. ()

+ . / ,> 8>

d- G

R 3 ! Win32

. -)

, ,S CD !) , 4 V

) 6

.] .

p . V !)

-A #

-/

SourceCodes\Asm32\Chapter2
o b J,- "/
5.

d- # ) G

API .

, OU JU ,< A

V [ !) 5.

.%,

Gdi32.dll a Kernel32.dll a .User32.dll :

! 8U o b

-Process

O# = . /

J* : 5.

=!) . ! ) ! /

A
)! ) ) 6

.! / +. ! p .

. /
ob

, J
)) G
() /

;.

API 5.

)!

, () *

. , J

6 A # !) !

.
)!

.
' Uc>

, (Import Libraries) ! ) ! 4
R) /

T . !) 4

. '! BV

.(

,
. /
-

!) 5.

6 A # !) ) 6
- /

dll %

' Uc>

)!

API 5.

T ! O )!

' Uc>
k

6 A # . o b 5.

. </

C/

6 54 !) /

. / !) () b '! B . ' Uc> V . -) ! 4 ) G

n !) . /

O )!
.

. ,

) '! B .

, J

. ( cU

-CD A / JU ,<
.

T)

! ' Uc> V .

k
-dll V

R .V .

Gdi32

. ] 3 .) 1 ! / . !

, -!

User32

- dll CB dll

f)

!) # / ' Uc> ,
. #

O# =

;.

# !) (Win32 API Reference) API 56


.

.
;.

-) C,U /

!) "

)!

Kernel32

J* :
# 1

. / !) ) 6

/ (MSDN) R

/ !

R !) /

G . / . ! ) ! 4 dll A #

. ! ) ( oU . !
. ! ) ( oU . !

5.

(Application Programming Interface) API

) Rb . Win32

V . !)

. !

.)
. !) () *

. / . !) GJ

. , ,

! 01! . O# = .
)!

5.

% A

O )!
J

' Uc> V .

API 5.
.

4
G

427

A,U uD
5.

() /

/ API 5.

. !Q

! 01! . ! -dll
G

% .Unicode

;.

. ) /
.


!) . -)

ANSI

f)


QW

!d

V !) . ! )

P#
.

ANSI

.
,

.. b

CU V ,- . .

65536
/

() / Q W
/

() *

. /

k -

-)!

/! / E

.)! ) ) G !) ! )

54

8 3T Unicode

WinNT

ANSI d

. {& ,;

:d / # S Rb . ! / d ! ) F4 /

- /! /

!b

-R .

) < Unicode

. /

F4 / i k
/

.. /

/! / - .

x/ !)

b `) *

Unicode

T .

[ A

. 2 Unicode

, ,S A #

. ANSI )!

T !
P#

O )!

- ANSI l F

T .

() . (Null) *B . %

/! / -

. v

7!)b h kF

(wide char) W

b )!

! 5.

. ! ) ) 6 API 5.

q #p T '! B . Win95 . b

4 .)! ) ! 4 Rb

%<

. /
A 3


T ! ' Uc> V

1 - <

.MessageBoxA Q x

. / f) E
ANSI


8 3T !

.v

/! /

5. g 3

( -3 ! /R .J

!)

.386
.model flat, stdcall
.data
.code
start:
end start

nb )! ) ) 6

. .
W !
5.

6
.

. / CB Label

Gb

. /

-A,; !

. )! ) !

)
.

6
31 .

!R

;. / C,; !
-A,; !

)V

uT

Start & . Q x !) /

) .

Ret aJe aJmp aJne

) G ! / . R) ) R T F4

-A,; !
.

. / () *
ExitProcess proto uExitCode:DWORD

Gb !) .) )
ExitProcess


C8,

. ! 5.

428
, .)! ) % 5. (prototype)

' F 3 5.

. ! (Type Checking) E

%<

/ ' C,U

C8,

<

, & . +G
!) /

( - 3 ! prototype

: /

g 3

!) . -)

FunctionName PROTO
...,[ParameterName]:DataType,[ParameterName]:DataType

# ; DWORD E

.)
` k

) !

call `)

!) . / () *

. ExitProcess 5. A84 2 ; p T !)

!T

6 . Invoke

: /
INVOKE

5.

/ ;

( - 3 ! Invoke !

() *

expression [,arguments]

/ . 5.

!T.

. 5.

. 1(!

5.

Q p .
.

! / ) !) {& ,;
A # !) dll

/ !) ) 6

5.

C8,

J, ,S

-2 ; p T .

(.inc) -A # V

! 4 kernel32.dll A # !) ExitProcess 5. Q x
ExitProcess 5.
.

31 . 54

.Q=.

!) !

-A # !) API 5.
.. (

5. V 2 ; p T

31 . !

uExitCode

6 d-

-2 ; p T x/
T . ! ) ! 4 include

( Gm % R ,- .

, ,S

= kernel32.inc A # uT a)! )
! T 5. V 2 ; !) ad
. /

g 3

invoke ExitProcess, 0

() /

T , G U
.

! G

. / ! ) Win32
-) , % <

!/

, & = . -) ! 4 start

.
.V

.. /
. -)

.386
.model flat, stdcall
option casemap:none

;. ! & . +G

31 .

R 3 ! Win32 )!

429


include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
.data
.code
start:
invoke ExitProcess,0
end start

R) / 7 =
() *

..

7 = Y = R) . [ /

"option casemap:none" !

\!". . q #p T ! > . C8,

(Case-Sensitive) Y =

[ /

1!". . Rb
.d /

. !) () *
Kernel32.dll !) ) 6
) G

.A #

Includelib

( , ,S

, ,S /

oC # A /

)!

-' 8e

5.

-2 ; p T

V
-A #

.) Include

- ! / )
, ,S

(c:\masm32\include\user32.inc) :Q x
.) 3 () ) R 3 k*B
6

! .

. / . Q = .d -)

W T Rb

= Kernel32.inc A #

K ! Kernel32.lib ) !

.
o. .d /

= Windows.inc , ,S A #

-! G

() *

. /+

. ! o b uT d ! )

. .( ) !
. . / /m

6 . / ! > .d /

p , (MessageBox) % W T 8;6

/ )
A,
+

. /

.)

;. !
! A84

.Q=

! %WT V
: /

.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
.data
MsgBoxCaption db "HELLO WORLD !!!",0
MsgBoxText    db "HELLO WORLD !!!",0
.code
start:
invoke MessageBox, NULL, addr MsgBoxText, addr MsgBoxCaption, MB_OK
invoke ExitProcess, NULL
end start

MessageBox is exported by user32.dll, so the program includes user32.inc and user32.lib in addition to the kernel32 pair. The two strings live in the `.data` section as ASCIIZ strings: `db` emits the bytes of the quoted text and the trailing `,0` appends the terminating NUL byte that the Windows API expects at the end of every string. NULL and MB_OK are constants defined in windows.inc. The call itself:
Invoke MessageBox, NULL, addr MsgBoxText, addr MsgBoxCaption, MB_OK

!) R [ . /
;.

g 3 ! ! T ( <T .

! T ) .d -)

g 3 ! % W T 8;6 E
,/)

()

! *B
5.

% W T 8;6

) (! ,

NULL !

Gb
/d /

!T. /

MessageBox 5. !) Q

!T V

. ad !

( <T -

V ; !%WT ( <TR U

V ; MB-OK . e

() *

. < !)
.d ! )

!T
<
! 7!)b
. /
OK

431

> )

AB"

O /E +/

> .+ . / /7@;2

F
.

The example programs for this section are in SourceCodes\Asm32\Chapter3 on the accompanying CD.
In this section we write a program that creates a real window, a considerably larger step than a message box or a dialog box. Under DOS a program owned the whole screen and the keyboard. A Win32 program does not: it draws only inside the client area of the windows it owns, and it does not read input itself but waits for Windows to tell it what happened. Every windowed program goes through the same steps:

1. Get the instance handle of the program.
2. Get the command line (only needed if the program takes arguments).
3. Register a window class, a structure that describes the properties the window will have.
4. Create a window of that class.
5. Show the window on the screen.
6. Update (paint) its client area.
7. Enter a loop that fetches messages from the program's message queue and passes them on to the window.
8. Leave the loop and call ExitProcess when the window is destroyed.

The word "class" here means a Windows window class, which has nothing to do with C++ classes. The types and constants used below (HINSTANCE, WNDCLASSEX, WS_OVERLAPPEDWINDOW and the rest) are all defined in Hutch's windows.inc, which comes with MASM32, so Win32 ASM programs can use the same names as C programs. Here is the complete program; going through it afterwards is easier than explaining the parts first:
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
.DATA
; initialized data
ClassName db "SimpleWinClass",0
AppName db "Our First Window",0
.DATA?
hInstance HINSTANCE ?
CommandLine LPSTR ?
.CODE
start:
invoke GetModuleHandle, NULL
mov hInstance,eax
invoke GetCommandLine
mov CommandLine,eax
invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
invoke ExitProcess, eax
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hwnd:HWND
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInstance
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_WINDOW+1
    mov wc.lpszMenuName,NULL
    mov wc.lpszClassName,OFFSET ClassName
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc
    invoke CreateWindowEx,NULL,\
        ADDR ClassName,\
        ADDR AppName,\
        WS_OVERLAPPEDWINDOW,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        NULL,\
        NULL,\
        hInst,\
        NULL
    mov hwnd,eax
    invoke ShowWindow, hwnd,CmdShow
    invoke UpdateWindow, hwnd
    .WHILE TRUE
        invoke GetMessage, ADDR msg,NULL,0,0
        .BREAK .IF (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .ENDW
    mov eax,msg.wParam
    ret
WinMain endp

WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    .IF uMsg==WM_DESTROY
        invoke PostQuitMessage,NULL
    .ELSE
        invoke DefWindowProc,hWnd,uMsg,wParam,lParam
        ret
    .ENDIF
    xor eax,eax
    ret
WndProc endp
end start

The listing is much longer than the message box example, but most of it is the same from one program to the next and can be copied as a template. The parts that change are WinMain, which sets the window up, and WndProc, the window procedure that reacts to what happens to the window afterwards. We go through the program in order, starting with its header:
.386
.model flat,stdcall
option casemap:none
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

The `WinMain proto` line declares WinMain before its definition. The code at `start:` calls WinMain with `invoke` before the assembler has reached the `proc` that defines it, and `invoke` needs a prototype to check the call against, so the prototype has to come first; its four `:DWORD` entries correspond to WinMain's four parameters. The functions used in this program come from two DLLs: the window-related functions (RegisterClassEx, CreateWindowEx, ShowWindow and the rest) from user32.dll, and GetModuleHandle, GetCommandLine and ExitProcess from kernel32.dll, so both include/lib pairs are present.
.DATA
ClassName db "SimpleWinClass",0
AppName db "Our First Window",0
.DATA?
hInstance HINSTANCE ?
CommandLine LPSTR ?

Two kinds of data section are used. `.DATA` holds initialized data: ClassName is the name under which the window class will be registered, and AppName is the text that will appear in the window's title bar; both are ASCIIZ strings. `.DATA?` holds uninitialized data, variables that are only reserved here and receive their values at run time; they take no space in the executable file on disk. hInstance will hold the program's instance handle (type HINSTANCE) and CommandLine a pointer to the command line (type LPSTR, a pointer to an ASCIIZ string). Both types are defined in windows.inc and are DWORDs underneath. An instance handle identifies the loaded program in memory; in Win32 the instance handle (InstanceHandle) and the module handle (ModuleHandle) are the same value, which is why GetModuleHandle is used to obtain it.
The code section begins at the label `start` and ends with `end start`; everything the program does at run time happens between these two lines.

.CODE
start:
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke GetCommandLine
    mov CommandLine,eax
    invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
    invoke ExitProcess,eax
    .....
end start

GetModuleHandle with a NULL argument returns the instance handle of the calling program. Win32 API functions return their result in eax, so the value is copied into hInstance with a `mov` straight after the call, before anything can overwrite it. A convention to remember whenever you read or write Win32 assembly: an API function may freely change eax, ecx and edx, so anything kept in those registers must be saved before a call, while ebx, esi, edi and ebp are preserved by the function. The same rule binds your own window procedure, because Windows calls it and expects those four registers to come back unchanged.

GetCommandLine takes no arguments and returns a pointer to the command line as a single string; it is stored in CommandLine. WinMain is then called with the instance handle, NULL, the command line pointer and SW_SHOWDEFAULT, which says how the window is to be shown initially. The second argument, hPrevInst, exists only for compatibility: under Win16 it identified an already running copy of the same program, but in Win32 each process has its own address space and the value is always NULL. When WinMain returns, its return value is in eax and is passed straight to ExitProcess as the exit code of the process. The definition of WinMain begins:
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD

`proc` opens a procedure. The parameter list gives each parameter a name and a type; the types are what `invoke` checks against, and the names let the body refer to the values the caller pushed onto the stack, which MASM addresses through the stack frame it sets up for the procedure. Local variables, which also live on the stack, are declared with LOCAL:
LOCAL wc:WNDCLASSEX
LOCAL msg:MSG
LOCAL hwnd:HWND

LOCAL directives must appear immediately after the `proc` line, before the first instruction. The form is `LOCAL <name>:<type>`. Each local variable is allocated on the stack when the procedure is entered and released when it returns, so it exists only while the procedure is running and cannot be referred to from outside. For example `LOCAL wc:WNDCLASSEX` reserves stack space for one WNDCLASSEX structure; the code then refers to it as wc and to its members as wc.cbSize, wc.style and so on. Here wc will describe the window class, msg will receive each message in the message loop, and hwnd will hold the handle of the window once it is created. WinMain first fills in the structure and registers the class:
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInstance
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_WINDOW+1
    mov wc.lpszMenuName,NULL
    mov wc.lpszClassName,OFFSET ClassName
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc

A window class (Window Class) is a description of the properties shared by every window created from it: the function that handles its messages, its icon, its cursor, the brush used for its background, the name by which the class is referred to, and so on. Before a window can be created its class must be registered with RegisterClassEx, which takes the address of a filled-in WNDCLASSEX structure. A class is registered once and any number of windows can then be created from it; they all share the same window procedure (Window Procedure), the function pointed to by lpfnWndProc, which Windows calls whenever one of those windows receives a message. Since it is the program's own code that handles the messages, the window procedure is where the behaviour of the window is defined. WNDCLASSEX is declared in windows.inc as:
WNDCLASSEX STRUCT
    cbSize        DWORD ?
    style         DWORD ?
    lpfnWndProc   DWORD ?
    cbClsExtra    DWORD ?
    cbWndExtra    DWORD ?
    hInstance     DWORD ?
    hIcon         DWORD ?
    hCursor       DWORD ?
    hbrBackground DWORD ?
    lpszMenuName  DWORD ?
    lpszClassName DWORD ?
    hIconSm       DWORD ?
WNDCLASSEX ENDS

The members, in order:

cbSize: the size of the structure in bytes. Use the SIZEOF operator on WNDCLASSEX rather than a hard-coded number; RegisterClassEx checks this field, so it must be filled in.
style: the class style, a combination of CS_ constants joined with `or`. CS_HREDRAW and CS_VREDRAW make Windows repaint the whole client area whenever the window's width or height changes.
lpfnWndProc: the address of the window procedure that will handle the messages of every window of this class.
cbClsExtra: number of extra bytes to reserve after the class structure for the program's own use; normally 0.
cbWndExtra: number of extra bytes to reserve after each window created from the class; normally 0.
hInstance: the instance handle of the program registering the class. Since the value is in a memory variable, it is copied with a push/pop pair (a `mov` between two memory operands does not exist).
hIcon: handle of the class icon; here LoadIcon with IDI_APPLICATION returns the standard application icon.
hCursor: handle of the cursor shown while the mouse is over a window of this class; LoadCursor with IDC_ARROW gives the standard arrow.
hbrBackground: handle of the brush used to paint the window's background. Instead of a real brush handle a system colour index plus one can be given, here COLOR_WINDOW+1, the standard window background colour.
lpszMenuName: pointer to the name of the default menu resource for windows of this class, or NULL if there is none.
lpszClassName: pointer to the ASCIIZ name of the class. CreateWindowEx refers to the class by this name.
hIconSm: handle of the small icon shown in the title bar and task bar; if it is NULL, Windows searches the hIcon resource for an icon of the right size.

Once RegisterClassEx has accepted the class, the window itself is created:
    invoke CreateWindowEx, NULL,\
        ADDR ClassName,\
        ADDR AppName,\
        WS_OVERLAPPEDWINDOW,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        NULL,\
        NULL,\
        hInst,\
        NULL

CreateWindowEx takes twelve parameters, so the call is spread over several lines with the `\` continuation character. The function the include files declare is the ANSI version, CreateWindowExA, with this prototype:
CreateWindowExA proto dwExStyle:DWORD,\
    lpClassName:DWORD,\
    lpWindowName:DWORD,\
    dwStyle:DWORD,\
    X:DWORD,\
    Y:DWORD,\
    nWidth:DWORD,\
    nHeight:DWORD,\
    hWndParent:DWORD,\
    hMenu:DWORD,\
    hInstance:DWORD,\
    lpParam:DWORD

dwExStyle: extended window styles, for example WS_EX_TOPMOST for a window that stays above all others (topmost window). NULL means none.
lpClassName: address of the ASCIIZ class name. It must be the name the class was registered under, because Windows looks the class up by name to find its window procedure and the other properties the window inherits.
lpWindowName: address of the ASCIIZ text shown in the title bar (Titlebar). NULL gives an empty title bar.
dwStyle: the window style, a combination of WS_ constants joined with `or`. WS_OVERLAPPEDWINDOW is the usual choice for a main window: a title bar with Minimize, Maximize and Close buttons, a system menu and a sizing border.
X, Y: the screen coordinates of the window's upper-left corner, in pixels. CW_USEDEFAULT lets Windows choose the position.
nWidth, nHeight: the width and height of the window in pixels; CW_USEDEFAULT again lets Windows choose.
hWndParent: handle of the parent window when the new window is a child window (Child Window), for example a control inside a dialog or a document window in an MDI application. A child is always drawn inside its parent's client area and is destroyed together with it. For a top-level window the value is NULL.
hMenu: handle of the window's menu. NULL means the class menu named in lpszMenuName is used (here also NULL, so the window has no menu). For a child window this parameter is not a menu handle at all but the child's identifier (Control ID), which the parent uses to tell its children apart in the messages they send it.
hInstance: the instance handle of the program creating the window.
lpParam: pointer to data that Windows passes to the window procedure in the WM_CREATE message; NULL when unused. MDI client windows use it to pass a CLIENTCREATESTRUCT.

CreateWindowEx returns the handle of the new window in eax, or NULL if creation failed. The handle is saved, because every later operation on the window needs it, and the window is then shown:
    mov hwnd,eax
    invoke ShowWindow, hwnd,CmdShow
    invoke UpdateWindow, hwnd

A window is created invisible unless WS_VISIBLE is part of its style, so ShowWindow is called with the window handle and the CmdShow value WinMain received; it makes the window visible and sets its initial state (normal, minimized or maximized). UpdateWindow then sends the window a WM_PAINT message directly, bypassing the message queue, so that its client area is painted at once. The program then enters the message loop:
    .WHILE TRUE
        invoke GetMessage, ADDR msg,NULL,0,0
        .BREAK .IF (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .ENDW

Windows talks to a program through messages: every keystroke, mouse action, repaint request or close request is placed in the program's message queue as a MSG structure, and a program that stops taking messages out of its queue appears hung. `.WHILE TRUE` and `.ENDW` are MASM high-level directives that build an endless loop; `.BREAK .IF` leaves it when the condition holds. GetMessage takes the next message from the queue and copies it into the MSG structure whose address is the first argument; the other arguments (a window handle and a range of message numbers) are NULL and 0 here, meaning any message for any window of this thread. If the queue is empty, GetMessage blocks without consuming CPU time until a message arrives. It returns a non-zero value for every message except WM_QUIT, for which it returns FALSE (0); the `.BREAK .IF (!eax)` line therefore ends the loop exactly when WM_QUIT arrives, and that is the only way out of the loop. GetMessage can also return -1 if it is given an invalid window handle; with NULL that cannot happen here, but a loop that tests only for zero would spin forever if it ever did.

TranslateMessage: keyboard input arrives as WM_KEYDOWN and WM_KEYUP messages carrying virtual-key codes (the hardware scan codes have already been mapped by Windows). TranslateMessage examines these and, when a key or key combination produces a character, posts an additional WM_CHAR message holding that character to the queue. A program that never needs characters can leave this call out, but nearly every program keeps it.

DispatchMessage: hands the message to the window procedure of the window it is addressed to. Windows finds that procedure through the class the window belongs to and calls it with the four values of the message; DispatchMessage returns only when the window procedure has finished with the message. When GetMessage finally returns FALSE and the loop ends, WinMain returns the exit code carried by WM_QUIT:
    mov eax,msg.wParam
    ret
WinMain endp

The WM_QUIT message that ended the loop carries, in the wParam member of the MSG structure, the exit code that was given to PostQuitMessage. WinMain copies it into eax as its return value, and the code at `start:` passes eax to ExitProcess, so that value becomes the exit code of the process. Now the window procedure:
WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM

WndProc is the function Windows calls for every message directed at a window of our class. Its name is arbitrary (it is whatever address was stored in lpfnWndProc), but its four parameters are fixed by Windows: hWnd is the handle of the window the message is for (one procedure can serve several windows of the same class, and this tells them apart); uMsg is the message number, one of the WM_ constants from windows.inc such as WM_DESTROY or WM_PAINT; wParam and lParam are two DWORDs whose meaning depends on the message, for instance a character code for WM_CHAR or mouse coordinates for mouse messages. Because Windows itself calls this procedure, it must follow the stdcall convention and preserve ebx, esi, edi and ebp, exactly like an API function.
.IF uMsg==WM_DESTROY
invoke PostQuitMessage,NULL
.ELSE
invoke DefWindowProc,hWnd,uMsg,wParam,lParam
ret
.ENDIF
xor eax,eax
ret
WndProc endp

The procedure compares uMsg with the messages it wants to handle. Here there is only one: WM_DESTROY, which Windows sends when the window is being destroyed. At that point the window has already been removed from the screen, so the program calls PostQuitMessage, which places a WM_QUIT message in the queue; the message loop picks it up, GetMessage returns FALSE and the program exits. The argument of PostQuitMessage becomes the wParam of WM_QUIT and thus the exit code.

Clicking the Close button does not generate WM_DESTROY directly. It generates WM_CLOSE, which this procedure does not handle, so the message goes to DefWindowProc, whose default action for WM_CLOSE is to call DestroyWindow, and DestroyWindow is what produces WM_DESTROY. Handling WM_CLOSE yourself is how a program asks "are you sure?" before letting the window go.

Every message the procedure does not handle must be passed on to DefWindowProc with the same four arguments, and DefWindowProc's return value must be returned unchanged; this is what gives the window its standard behaviour (moving, resizing, the system menu and so on). For the messages it handles itself the procedure returns 0, which is why `xor eax,eax` precedes the final `ret`.
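The exchange just described (GetMessage pulling a message from the queue, DispatchMessage calling the window procedure, WM_CLOSE turning into WM_DESTROY inside DefWindowProc, PostQuitMessage ending the loop) can be followed in a model that does not need Windows. The C program below is an added example, not code from the book and not Windows code: it replaces the real queue and DefWindowProc with small stand-ins (post_message, get_message, def_window_proc and the other names are my own) and writes the loop the way the GetMessage documentation recommends, stopping on 0 and on -1 rather than on `!eax` alone. The exit code passed to PostQuitMessage (0x2A here) comes back out of the loop as msg.wParam.

```c
#include <stdint.h>
#include <stdio.h>

/* Added model of the Win32 message loop; the queue and DefWindowProc are
 * stand-ins, not the real thing. Message numbers are the real Win32 values. */
enum { WM_DESTROY = 0x0002, WM_CLOSE = 0x0010, WM_QUIT = 0x0012,
       WM_CHAR = 0x0102, WM_LBUTTONDOWN = 0x0201 };

typedef struct { uint32_t message; uint32_t wParam; uint32_t lParam; } MSG;

static MSG queue[16];                 /* the thread's message queue */
static int q_head, q_tail;
static int q_fail_next;               /* 1 = next GetMessage fails with -1 */
static int chars_seen, defwindowproc_calls;

static void post_message(uint32_t m, uint32_t w, uint32_t l)
{
    if (q_tail < 16) { queue[q_tail].message = m; queue[q_tail].wParam = w;
                       queue[q_tail].lParam = l; q_tail++; }
}

/* PostQuitMessage: WM_QUIT with the exit code in wParam. */
static void post_quit_message(int exit_code) { post_message(WM_QUIT, (uint32_t)exit_code, 0); }

/* GetMessage: >0 for an ordinary message, 0 for WM_QUIT, -1 on error. */
static int get_message(MSG *out)
{
    if (q_fail_next) { q_fail_next = 0; return -1; }
    if (q_head >= q_tail) return -1;  /* the real call would block here */
    *out = queue[q_head++];
    return out->message == WM_QUIT ? 0 : 1;
}

/* DefWindowProc's default for WM_CLOSE is DestroyWindow, which yields WM_DESTROY. */
static int def_window_proc(uint32_t msg, uint32_t w, uint32_t l)
{
    (void)w; (void)l;
    defwindowproc_calls++;
    if (msg == WM_CLOSE) post_message(WM_DESTROY, 0, 0);
    return 0;
}

/* The window procedure from the text, plus a WM_CHAR counter. */
static int wnd_proc(uint32_t msg, uint32_t w, uint32_t l)
{
    if (msg == WM_DESTROY) { post_quit_message(0x2A); return 0; }
    if (msg == WM_CHAR)    { chars_seen++; return 0; }
    return def_window_proc(msg, w, l);
}

/* The loop as the documentation recommends: leave on 0 (WM_QUIT) and on -1
 * (error); return msg.wParam as the exit code, or -1 on error. */
static int message_loop(void)
{
    MSG msg = {0, 0, 0};
    int r;
    while ((r = get_message(&msg)) != 0) {
        if (r == -1) return -1;
        wnd_proc(msg.message, msg.wParam, msg.lParam);   /* DispatchMessage */
    }
    return (int)msg.wParam;
}

/* Scenario: two keystrokes, a click, then the user closes the window. */
static int run_close_scenario(void)
{
    q_head = q_tail = 0; chars_seen = defwindowproc_calls = 0; q_fail_next = 0;
    post_message(WM_CHAR, 'H', 0);
    post_message(WM_CHAR, 'i', 0);
    post_message(WM_LBUTTONDOWN, 0, (45u << 16) | 120u);
    post_message(WM_CLOSE, 0, 0);
    return message_loop();
}

/* Scenario: GetMessage reports an error before the first message. */
static int run_error_scenario(void)
{
    q_head = q_tail = 0; chars_seen = defwindowproc_calls = 0;
    post_message(WM_CHAR, 'x', 0);
    q_fail_next = 1;
    return message_loop();
}

int main(void)
{
    printf("exit code %d, WM_CHAR seen %d, DefWindowProc calls %d\n",
           run_close_scenario(), chars_seen, defwindowproc_calls);
    printf("error scenario returns %d\n", run_error_scenario());
    return 0;
}
```

In the first scenario WM_CLOSE reaches def_window_proc, which posts WM_DESTROY; wnd_proc answers that with post_quit_message, and the loop returns 42. The book's loop, testing only for zero, would keep calling GetMessage after a -1; the second scenario shows the recommended loop returning instead.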

)3

- Crack

. +/ 0 1. ( 2,

444

The example programs for this section are in SourceCodes\Asm32\Chapter4 on the accompanying CD.
The next step is to draw text in the window. Under DOS a program wrote to the 80x25 character screen, or straight into video memory, whenever it liked. Under Windows the screen is shared by every running program, so a program never draws outside its own client area, never draws at a moment of its own choosing, and never touches the hardware: it draws when Windows tells it that its client area needs painting, and it does so through a device context.

A device context (DC) is a structure that Windows keeps for a drawing surface (a window's client area, a printer, a bitmap in memory) together with the current drawing attributes: pen, brush, font, colours, clipping region and so on. GDI drawing functions never take a window handle; they take the handle of a DC, and Windows turns the drawing calls into pixels on whatever device the DC describes. There are three ways of obtaining a DC for a window:

1. BeginPaint, which is used only while handling a WM_PAINT message.
2. GetDC, which can be used at any time to draw in the client area outside WM_PAINT.
3. CreateDC, which creates a DC for a device, for example the whole screen or a printer.

A DC obtained in any of these ways must be given back when the drawing is done, with the matching call (EndPaint, ReleaseDC, DeleteDC). DCs are a shared and limited resource, and a program that forgets to release them leaks them for as long as it runs.

Windows sends WM_PAINT to a window whenever part of its client area has become invalid: another window covered it and was moved away, the window was resized or restored, or the program itself declared a region invalid. The invalid part is recorded by Windows as the update region. WM_PAINT is a low-priority message, delivered only when the queue holds nothing else, and several invalidations are merged into one WM_PAINT. The consequence is that a program must be able to redraw its client area at any moment from information it keeps itself; it cannot rely on what was on the screen before, because Windows does not save it.

When handling WM_PAINT the program calls BeginPaint, which fills a PAINTSTRUCT with information about the repaint (including the invalid rectangle), sends WM_ERASEBKGND to erase the background if needed, and returns a DC whose clipping region is the update region, so that drawing outside it is simply discarded. After drawing, EndPaint releases the DC and validates the client area. Validating is essential: if the update region is left invalid, Windows keeps sending WM_PAINT. ValidateRect validates an area without painting it, and DefWindowProc validates the area when it handles a WM_PAINT you did not handle, which is why unhandled WM_PAINT messages do not loop forever. The program below draws a line of text centred in the client area:
.386
.model flat,stdcall
option casemap:none
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
include \masm32\include\windows.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.DATA
ClassName db "SimpleWinClass",0
AppName   db "Our First Window",0
OurText   db "Win32 assembly is great and easy!",0

.DATA?
hInstance   HINSTANCE ?
CommandLine LPSTR ?

.CODE
start:
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke GetCommandLine
    mov CommandLine,eax
    invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
    invoke ExitProcess,eax

WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hwnd:HWND
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_WINDOW+1
    mov wc.lpszMenuName,NULL
    mov wc.lpszClassName,OFFSET ClassName
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc
    invoke CreateWindowEx, NULL,\
        ADDR ClassName,\
        ADDR AppName,\
        WS_OVERLAPPEDWINDOW,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        NULL,\
        NULL,\
        hInst,\
        NULL
    mov hwnd,eax
    invoke ShowWindow, hwnd,SW_SHOWNORMAL
    invoke UpdateWindow, hwnd
    .WHILE TRUE
        invoke GetMessage, ADDR msg,NULL,0,0
        .BREAK .IF (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .ENDW
    mov eax,msg.wParam
    ret
WinMain endp

WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    LOCAL hdc:HDC
    LOCAL ps:PAINTSTRUCT
    LOCAL rect:RECT
    .IF uMsg==WM_DESTROY
        invoke PostQuitMessage,NULL
    .ELSEIF uMsg==WM_PAINT
        invoke BeginPaint, hWnd, ADDR ps
        mov hdc,eax
        invoke GetClientRect, hWnd, ADDR rect
        invoke DrawText, hdc,\
            ADDR OurText,\
            -1,\
            ADDR rect, \
            DT_SINGLELINE or DT_CENTER or DT_VCENTER
        invoke EndPaint,hWnd, ADDR ps
    .ELSE
        invoke DefWindowProc, hWnd, uMsg, wParam, lParam
        ret
    .ENDIF
    xor eax, eax
    ret
WndProc endp
end start

Three local variables are added to WndProc. hdc receives the handle of the device context returned by BeginPaint. ps is the PAINTSTRUCT that BeginPaint fills in and EndPaint needs back; the program does not look inside it here, but it must be kept between the two calls. rect is a RECT structure that will hold the dimensions of the client area. RECT is defined as:

RECT STRUCT
    left   LONG ?
    top    LONG ?
    right  LONG ?
    bottom LONG ?
RECT ENDS

left and top are the coordinates of the rectangle's upper-left corner, right and bottom those of its lower-right corner, in pixels relative to the upper-left corner of the client area. The WM_PAINT handler is:
    invoke BeginPaint,hWnd, ADDR ps
    mov hdc,eax
    invoke GetClientRect,hWnd, ADDR rect
    invoke DrawText, hdc,\
        ADDR OurText,\
        -1,\
        ADDR rect, \
        DT_SINGLELINE or DT_CENTER or DT_VCENTER
    invoke EndPaint,hWnd, ADDR ps

BeginPaint returns the DC handle in eax, which is saved in hdc. GetClientRect fills rect with the size of the client area (left and top are always 0; right and bottom are the current width and height), and DrawText then uses that rectangle to position the text. DrawText's prototype is:
DrawText proto hdc:HDC,\
    lpString:DWORD,\
    nCount:DWORD,\
    lpRect:DWORD,\
    uFormat:DWORD

DrawText is a higher-level text function than TextOut: it formats the string inside a rectangle, handling alignment, line breaks and clipping, which makes it the usual choice for drawing text in a window. Its parameters:

hdc: the device context to draw into.
lpString: address of the text. It need not be NUL-terminated if nCount gives its length.
nCount: the number of characters to draw. Passing -1 tells DrawText that the string is NUL-terminated and that it should draw all of it.
lpRect: address of the RECT the text is formatted into; text falling outside the rectangle is clipped.
uFormat: formatting flags joined with `or`. DT_SINGLELINE draws the text on a single line, ignoring line breaks; DT_CENTER centres it horizontally in the rectangle; DT_VCENTER centres it vertically (it only works together with DT_SINGLELINE). Together the three flags put the text in the middle of the client area, and since the class has CS_HREDRAW and CS_VREDRAW the text moves to the new centre whenever the window is resized.

EndPaint completes the handling of WM_PAINT: it releases the DC obtained from BeginPaint and validates the client area so that no further WM_PAINT is generated for this repaint. BeginPaint and EndPaint always come in pairs.

Two points to keep in mind. First, painting in response to WM_PAINT is the normal way to draw; to draw at some other moment use GetDC and ReleaseDC, but anything drawn that way disappears at the next repaint unless the WM_PAINT handler can reproduce it. Second, when the program itself changes what should be on the screen it does not draw immediately; it calls InvalidateRect on the affected area and lets Windows follow with a WM_PAINT, in which the handler redraws everything. UpdateWindow can be used to have that WM_PAINT delivered at once rather than when the queue is empty.
Keyboard

The example programs for this section are in SourceCodes\Asm32\Chapter5 on the accompanying CD.
A PC has one keyboard but many windows on the screen, so Windows routes keyboard input to exactly one window at a time: the window that has the input focus, normally the active window, whose title bar is highlighted. A window without the focus receives no keyboard messages at all. Windows also hides the hardware: the keyboard driver reports scan codes, Windows maps them to device-independent virtual-key codes and posts messages to the queue of the thread that owns the focus window.

Two levels of message exist. The keystroke messages WM_KEYDOWN and WM_KEYUP are sent for every key press and release, with the virtual-key code of the key in wParam; they are what a program uses for keys that produce no character (function keys, arrows, Shift, Ctrl). When a key or combination of keys does produce a character, TranslateMessage in the message loop converts the WM_KEYDOWN into an additional WM_CHAR message whose wParam holds the character code, taking Shift, Caps Lock and the keyboard layout into account; this is the message to use when the program wants text. Remove TranslateMessage from the loop and WM_CHAR messages stop arriving. The example below shows the last character typed at the top-left corner of the window:
.386
.model flat,stdcall
option casemap:none
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\gdi32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\gdi32.lib

.data
ClassName db "SimpleWinClass",0
AppName   db "Our First Window",0
char      WPARAM 20h

.data?
hInstance   HINSTANCE ?
CommandLine LPSTR ?

.code
start:
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke GetCommandLine
    mov CommandLine,eax
    invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
    invoke ExitProcess,eax

WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hwnd:HWND
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_WINDOW+1
    mov wc.lpszMenuName,NULL
    mov wc.lpszClassName,OFFSET ClassName
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc
    invoke CreateWindowEx, NULL,\
        ADDR ClassName,\
        ADDR AppName,\
        WS_OVERLAPPEDWINDOW,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        NULL,\
        NULL,\
        hInst,\
        NULL
    mov hwnd,eax
    invoke ShowWindow, hwnd,SW_SHOWNORMAL
    invoke UpdateWindow, hwnd
    .WHILE TRUE
        invoke GetMessage, ADDR msg,NULL,0,0
        .BREAK .IF (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .ENDW
    mov eax,msg.wParam
    ret
WinMain endp

WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    LOCAL hdc:HDC
    LOCAL ps:PAINTSTRUCT
    .IF uMsg==WM_DESTROY
        invoke PostQuitMessage,NULL
    .ELSEIF uMsg==WM_CHAR
        push wParam
        pop char
        invoke InvalidateRect, hWnd,NULL,TRUE
    .ELSEIF uMsg==WM_PAINT
        invoke BeginPaint,hWnd, ADDR ps
        mov hdc,eax
        invoke TextOut,hdc,0,0,ADDR char,1
        invoke EndPaint,hWnd, ADDR ps
    .ELSE
        invoke DefWindowProc,hWnd,uMsg,wParam,lParam
        ret
    .ENDIF
    xor eax,eax
    ret
WndProc endp
end start

TextOut comes from gdi32.dll, so the gdi32 include and library are added to the header. char is a variable of type WPARAM (a DWORD) in the data section, initialized to 20h, the ASCII code of the space character, so that the first WM_PAINT, which arrives before any key has been pressed, draws a blank rather than whatever happened to be in memory. Only its low byte is ever displayed, because TextOut is told to draw one character. The WM_CHAR handler is:
.ELSEIF uMsg==WM_CHAR
push wParam
pop char
invoke InvalidateRect, hWnd,NULL,TRUE

On WM_CHAR the character code in wParam is copied into char with a push/pop pair (a `mov` between two memory operands does not exist). The handler does not draw anything itself: it calls InvalidateRect to mark the client area invalid, and Windows follows with a WM_PAINT in which the paint handler draws the new character. Keeping all drawing inside WM_PAINT means the window also comes out right when it is uncovered or resized, because the same code redraws it from char. InvalidateRect's prototype:
InvalidateRect proto hWnd:HWND,\
    lpRect:DWORD,\
    bErase:DWORD

hWnd: the window whose client area is to be invalidated.
lpRect: address of the RECT to invalidate, or NULL to invalidate the whole client area.
bErase: TRUE to erase the background (Windows sends WM_ERASEBKGND when BeginPaint is next called) before the area is repainted, FALSE to leave the old contents. TRUE is used here so that the previous character is wiped out before the new one is drawn.

InvalidateRect only adds the rectangle to the window's update region; the WM_PAINT it leads to is delivered when the queue has nothing else in it, and several invalidations in a row are merged into a single repaint. That is why the program stores the data it needs for drawing (here, the character) in a variable the WM_PAINT handler can read, instead of trying to draw during WM_CHAR. The paint handler then draws it:
invoke TextOut,hdc,0,0,ADDR char,1

TextOut draws nCount characters of the string at lpString at the client-area coordinates (x, y); here (0,0) is the top-left corner of the client area, and the final argument, 1, asks for a single character, which is why the upper bytes of char do not matter. Because the DC comes from BeginPaint, the drawing is clipped to the update region, and EndPaint then validates it. Run the program and press a few keys: the character in the corner changes with each key. Resize the window and the last character is drawn again, because the WM_PAINT handler recreates it from char rather than relying on what was on the screen.
Mouse

The example programs for this section are in SourceCodes\Asm32\Chapter6 on the accompanying CD.
Unlike the keyboard, the mouse is not tied to the focus window: mouse messages go to the window under the mouse cursor (or to a window that has captured the mouse). Windows reports the position of the cursor as coordinates relative to the upper-left corner of the client area of the window receiving the message, and tells the window about button presses, releases, double-clicks and movement. Like keyboard input, none of this involves the hardware directly; the program only sees messages.

For each button there is a down and an up message: WM_LBUTTONDOWN and WM_LBUTTONUP for the left button, WM_RBUTTONDOWN and WM_RBUTTONUP for the right, WM_MBUTTONDOWN and WM_MBUTTONUP for the middle. Moving the mouse over the client area produces WM_MOUSEMOVE. The double-click messages (WM_LBUTTONDBLCLK, WM_RBUTTONDBLCLK, WM_MBUTTONDBLCLK) are sent only to windows whose class has the CS_DBLCLKS style; without it a double-click simply arrives as two down/up pairs.

All of these messages use their parameters the same way. lParam holds the cursor position: the x coordinate in the low word and the y coordinate in the high word, relative to the client area. wParam holds the state of the mouse buttons and of the Ctrl and Shift keys at the moment of the message, as a combination of MK_ flags (MK_LBUTTON, MK_CONTROL, MK_SHIFT and so on). The example below waits for a left click and then writes a string at the point where the click happened:
.386
.model flat,stdcall
option casemap:none
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\gdi32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\gdi32.lib

.data
ClassName  db "SimpleWinClass",0
AppName    db "Our First Window",0
MouseClick db 0                 ; 0=no click yet

.data?
hInstance   HINSTANCE ?
CommandLine LPSTR ?
hitpoint    POINT <>

.code
start:
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke GetCommandLine
    mov CommandLine,eax
    invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
    invoke ExitProcess,eax

WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hwnd:HWND
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_WINDOW+1
    mov wc.lpszMenuName,NULL
    mov wc.lpszClassName,OFFSET ClassName
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc
    invoke CreateWindowEx, NULL,\
        ADDR ClassName,\
        ADDR AppName,\
        WS_OVERLAPPEDWINDOW,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        NULL,\
        NULL,\
        hInst,\
        NULL
    mov hwnd,eax
    invoke ShowWindow, hwnd,SW_SHOWNORMAL
    invoke UpdateWindow, hwnd
    .WHILE TRUE
        invoke GetMessage, ADDR msg,NULL,0,0
        .BREAK .IF (!eax)
        invoke DispatchMessage, ADDR msg
    .ENDW
    mov eax,msg.wParam
    ret
WinMain endp

WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    LOCAL hdc:HDC
    LOCAL ps:PAINTSTRUCT
    .IF uMsg==WM_DESTROY
        invoke PostQuitMessage,NULL
    .ELSEIF uMsg==WM_LBUTTONDOWN
        mov eax,lParam
        and eax,0FFFFh
        mov hitpoint.x,eax
        mov eax,lParam
        shr eax,16
        mov hitpoint.y,eax
        mov MouseClick,TRUE
        invoke InvalidateRect,hWnd,NULL,TRUE
    .ELSEIF uMsg==WM_PAINT
        invoke BeginPaint,hWnd, ADDR ps
        mov hdc,eax
        .IF MouseClick
            invoke lstrlen,ADDR AppName
            invoke TextOut,hdc,\
                hitpoint.x,\
                hitpoint.y,\
                ADDR AppName,\
                eax
        .ENDIF
        invoke EndPaint,hWnd, ADDR ps
    .ELSE
        invoke DefWindowProc,hWnd,uMsg,wParam,lParam
        ret
    .ENDIF
    xor eax,eax
    ret
WndProc endp
end start
.ELSEIF uMsg==WM_LBUTTONDOWN
mov eax,lParam
and eax,0FFFFh
mov hitpoint.x,eax
mov eax,lParam
shr eax,16
mov hitpoint.y,eax
mov MouseClick,TRUE
invoke InvalidateRect,hWnd,NULL,TRUE

When WM_LBUTTONDOWN arrives, the handler takes the click position out of lParam and stores it in hitpoint, a POINT structure reserved in the .data? section. POINT is defined as:

POINT STRUCT
    x dd ?
    y dd ?
POINT ENDS

It then sets the MouseClick flag to TRUE to record that a click has happened and invalidates the client area so that WM_PAINT will draw the text. The extraction of the x coordinate:
mov eax,lParam
and eax,0FFFFh
mov hitpoint.x,eax

The x coordinate is in the low word (the low 16 bits) of lParam. lParam is copied into eax and the upper 16 bits are cleared with `and eax,0FFFFh`, leaving just the low word, which is stored in hitpoint.x. For the y coordinate:
shr eax,16
mov hitpoint.y,eax

The y coordinate is in the high word, so lParam is loaded into eax again and shifted right by 16 bits with `shr eax,16`. The shift moves the high word down into the low word and fills the upper bits with zeros, so eax now holds only the y coordinate, which goes to hitpoint.y. The two values survive until WM_PAINT because hitpoint is a global variable rather than a LOCAL, which would disappear when the procedure returns. Finally MouseClick is set to TRUE and InvalidateRect is called for the whole client area with bErase = TRUE, so the previous text is erased and a WM_PAINT follows. In the paint handler:
.IF MouseClick
invoke lstrlen,ADDR AppName
invoke TextOut,hdc,hitpoint.x,hitpoint.y,ADDR AppName,eax
.ENDIF

The text is drawn only when MouseClick is TRUE, that is, after at least one click; before that the flag is still 0 and the client area stays empty. lstrlen returns the length of AppName in eax, and that value is passed straight on as the last argument of TextOut, the number of characters to draw; hitpoint.x and hitpoint.y place the upper-left corner of the text at the click position. Each new click moves the text, because the coordinates in hitpoint are overwritten and the whole area is repainted.

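As an added illustration, not code from the book, the following C program shows the two readings of the WM_LBUTTONDOWN lParam: the unsigned word extraction used by the listing above (and eax,0FFFFh / shr eax,16), and the signed extraction that the Win32 GET_X_LPARAM and GET_Y_LPARAM macros perform, which matters when the mouse is captured and dragged outside the client area, where client coordinates go negative. The lParam values are constructed inline; POINT_DEMO, unpack_unsigned, unpack_signed and make_lparam are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the POINT structure of the listing (two 32-bit fields). */
typedef struct { int32_t x; int32_t y; } POINT_DEMO;

/* The listing's extraction: low word masked with 0FFFFh, high word via shr 16.
   Both words are read as unsigned. */
POINT_DEMO unpack_unsigned(uint32_t lParam) {
    POINT_DEMO p;
    p.x = (int32_t)(lParam & 0xFFFFu);
    p.y = (int32_t)(lParam >> 16);
    return p;
}

/* Sign-correct extraction, equivalent to GET_X_LPARAM / GET_Y_LPARAM:
   each word is a signed 16-bit value, so coordinates left of or above the
   client area (possible while the mouse is captured) come out negative. */
POINT_DEMO unpack_signed(uint32_t lParam) {
    POINT_DEMO p;
    p.x = (int16_t)(lParam & 0xFFFFu);
    p.y = (int16_t)(lParam >> 16);
    return p;
}

/* Pack x and y the way the system does for mouse messages: low word x, high word y. */
uint32_t make_lparam(int16_t x, int16_t y) {
    return ((uint32_t)(uint16_t)y << 16) | (uint16_t)x;
}

int main(void) {
    uint32_t inside  = make_lparam(120, 45);   /* constructed: click inside the client area */
    uint32_t outside = make_lparam(-10, 300);  /* constructed: drag left of the client area */
    POINT_DEMO a = unpack_unsigned(inside);
    POINT_DEMO b = unpack_unsigned(outside);
    POINT_DEMO c = unpack_signed(outside);
    printf("inside:  x=%d y=%d\n", (int)a.x, (int)a.y);
    printf("outside: unsigned x=%d y=%d, signed x=%d y=%d\n",
           (int)b.x, (int)b.y, (int)c.x, (int)c.y);
    return 0;
}
```

For a click inside the client area both readings agree; for the captured drag the listing's method yields x = 65526 where the real position is x = -10, so the string would be drawn far outside the window.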
Menus

The source code for this chapter is in SourceCodes\Asm32\Chapter7.

A menu is one of the most common elements of a Windows program, and it is the first resource this book looks at. Resources are data kept separately from the program's code and loaded by Windows when needed: menus, dialog boxes, icons, strings, bitmaps and so on. They are described in a resource script, a plain text file with the extension .rc, which you can write by hand in any text editor or generate with a resource editor such as the one in Visual C++ or Borland C++. A resource compiler turns the script into a binary resource that is linked into the executable.

A menu resource, such as the File, Edit and Help menus most programs have, is written in the script as follows:

MyMenu MENU
{
[menu list here]
}

MyMenu is the name of the menu; the program uses it to refer to this menu, much as the name of a STRUCT identifies the structure. MENU is the keyword that tells the resource compiler a menu definition follows. The menu list is enclosed in braces, or in BEGIN and END, which the resource compiler accepts as equivalents (the brace form is the one used in Borland's examples). The list consists of MENUITEM and POPUP statements. A MENUITEM defines one selectable entry; its syntax is:
MENUITEM "&text", ID [,options]

MENUITEM is the keyword. "text" is the string displayed for the item; an ampersand in front of a character makes that character the item's keyboard shortcut and shows it underlined, so "&File" can be opened with Alt+F. ID is a number that identifies the item: when the user selects it, Windows sends the window a WM_COMMAND message with this ID in the low word of wParam, so every item in a menu needs a distinct ID. options is an optional list of attributes, combined with "or" when more than one is needed:

GRAYED: the item is disabled and drawn in gray; it generates no WM_COMMAND.
INACTIVE: the item is disabled but drawn normally.
MENUBREAK: the item starts a new column (a new line in the menu bar).
HELP: marks the item as a help item.

A POPUP defines a submenu, an entry that opens a further menu list when selected:

POPUP "&text" [,options]
{
[menu list]
}

Its text and options have the same meaning as for MENUITEM, but it has no ID, because selecting it only opens the nested list instead of generating a command. The nested list can itself contain MENUITEM and POPUP statements. One special form of MENUITEM,

MENUITEM SEPARATOR

draws a horizontal line between items and takes no ID.

Once the menu is defined in the resource script, the program has to attach it to a window. There are two ways to do this.

1. Name the menu in the lpszMenuName member of the WNDCLASSEX structure when the window class is registered. Every window created from that class then gets this menu as its class menu. If the menu is called FirstMenu, this looks like:

.DATA
MenuName db "FirstMenu",0
..
..
.CODE
..
mov wc.lpszMenuName, OFFSET MenuName
..

2. Load the menu explicitly with LoadMenu, which takes the instance handle and the menu name and returns a menu handle in eax, and pass that handle to CreateWindowEx in its hMenu parameter (the one after the parent window handle). This attaches the menu to that one window only, so different windows of the same class can carry different menus:

.DATA
MenuName db "FirstMenu",0
hMenu HMENU ?
..
..
.CODE
..
invoke LoadMenu, hInst, OFFSET MenuName
mov hMenu, eax
invoke CreateWindowEx,NULL,OFFSET ClsName,\
OFFSET Caption, WS_OVERLAPPEDWINDOW,\
CW_USEDEFAULT,CW_USEDEFAULT,\
CW_USEDEFAULT,CW_USEDEFAULT,\
NULL,\
hMenu,\
hInst,\
NULL
..
..

Which of the two you use is a matter of taste; the example program uses the class menu.

When the user selects a menu item, the window receives a WM_COMMAND message. For a menu selection the low word of wParam holds the ID of the item, the high word of wParam is 0, and lParam is 0 (child window controls report through the same message with different contents, as the next chapter shows). The window procedure therefore tests uMsg for WM_COMMAND, compares the low word of wParam with each of the menu IDs it knows, and acts accordingly. The complete example follows. It registers the class with lpszMenuName set, so the menu defined in the resource script is attached automatically.

.386
.model flat,stdcall
option casemap:none
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
ClassName db "SimpleWinClass",0
AppName db "Our First Window",0
MenuName db "FirstMenu",0
Test_string db "You selected Test menu item",0
Hello_string db "Hello, my friend",0
Goodbye_string db "See you again, bye",0


.data?
hInstance HINSTANCE ?
CommandLine LPSTR ?
.const
IDM_TEST equ 1
IDM_HELLO equ 2
IDM_GOODBYE equ 3
IDM_EXIT equ 4
.code
start:
invoke GetModuleHandle, NULL
mov hInstance,eax
invoke GetCommandLine
mov CommandLine,eax
invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
invoke ExitProcess,eax
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
LOCAL wc:WNDCLASSEX
LOCAL msg:MSG
LOCAL hwnd:HWND
mov wc.cbSize,SIZEOF WNDCLASSEX
mov wc.style, CS_HREDRAW or CS_VREDRAW
mov wc.lpfnWndProc, OFFSET WndProc
mov wc.cbClsExtra,NULL
mov wc.cbWndExtra,NULL
push hInst
pop wc.hInstance
mov wc.hbrBackground,COLOR_WINDOW+1
mov wc.lpszMenuName,OFFSET MenuName
mov wc.lpszClassName,OFFSET ClassName
invoke LoadIcon,NULL,IDI_APPLICATION
mov wc.hIcon,eax
mov wc.hIconSm,eax
invoke LoadCursor,NULL,IDC_ARROW
mov wc.hCursor,eax
invoke RegisterClassEx, addr wc
invoke CreateWindowEx, NULL,\
ADDR ClassName,\
ADDR AppName,\
WS_OVERLAPPEDWINDOW,\
CW_USEDEFAULT,\
CW_USEDEFAULT,\
CW_USEDEFAULT,\
CW_USEDEFAULT,\
NULL,\
NULL,\
hInst,\
NULL
mov hwnd,eax
invoke ShowWindow, hwnd,SW_SHOWNORMAL
invoke UpdateWindow, hwnd


.WHILE TRUE
invoke GetMessage, ADDR msg,NULL,0,0
.BREAK .IF (!eax)
invoke DispatchMessage, ADDR msg
.ENDW
mov eax,msg.wParam
ret
WinMain endp
WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
.IF uMsg==WM_DESTROY
invoke PostQuitMessage,NULL
.ELSEIF uMsg==WM_COMMAND
mov eax,wParam
.IF ax==IDM_TEST
invoke MessageBox,NULL,\
ADDR Test_string,\
OFFSET AppName,\
MB_OK
.ELSEIF ax==IDM_HELLO
invoke MessageBox, NULL,\
ADDR Hello_string,\
OFFSET AppName,\
MB_OK
.ELSEIF ax==IDM_GOODBYE
invoke MessageBox,NULL,\
ADDR Goodbye_string,\
OFFSET AppName,\
MB_OK
.ELSE
invoke DestroyWindow,hWnd
.ENDIF
.ELSE
invoke DefWindowProc,hWnd,uMsg,wParam,lParam
ret
.ENDIF
xor eax,eax
ret
WndProc endp
end start
********************************************************************
********************************************************************
Menu.rc
********************************************************************
********************************************************************
#define IDM_TEST 1
#define IDM_HELLO 2
#define IDM_GOODBYE 3
#define IDM_EXIT 4
FirstMenu MENU
{
POPUP "&PopUp"


{
MENUITEM "&Say Hello",IDM_HELLO
MENUITEM "Say &GoodBye", IDM_GOODBYE
MENUITEM SEPARATOR
MENUITEM "E&xit",IDM_EXIT
}
MENUITEM "&Test", IDM_TEST
}

Let's look at the resource script first.

#define IDC_TEST 1
#define IDM_HELLO 2
#define IDM_GOODBYE 3
#define IDM_EXIT 4

The script starts by giving a name to the ID of each menu item. Any numbers can be used as long as each ID is unique within the menu; the same values must be used in the .asm file, because these are the numbers the program receives in WM_COMMAND.

FirstMenu MENU
{
POPUP "&PopUp"
{
MENUITEM "&Say Hello",IDM_HELLO
MENUITEM "Say &GoodBye", IDM_GOODBYE
MENUITEM SEPARATOR
MENUITEM "E&xit",IDM_EXIT
}
MENUITEM "&Test", IDM_TEST
}

The menu is named FirstMenu. It has two entries on the menu bar: a popup called PopUp, which opens a submenu of three items with a separator before Exit, and a plain item called Test. The ampersands set the shortcut letters of the entries.

Now the .asm file:

MenuName db "FirstMenu",0
Test_string db "You selected Test menu item",0
Hello_string db "Hello, my friend",0
Goodbye_string db "See you again, bye",0

MenuName is the name of the menu exactly as it appears in the resource script; it is stored in wc.lpszMenuName so that the menu is attached to the window class. The three strings are shown in a MessageBox when the corresponding item is selected.

IDM_TEST equ 1
IDM_HELLO equ 2
IDM_GOODBYE equ 3
IDM_EXIT equ 4

These are the menu IDs, with the same values as the #defines in the resource script. Keeping the two sets in step is the programmer's job: the resource compiler and the assembler know nothing of each other, and a mismatch means the wrong handler runs (or none at all).

Now the WM_COMMAND handling:

.ELSEIF uMsg==WM_COMMAND
mov eax,wParam
.IF ax==IDM_TEST
invoke MessageBox,NULL,\
ADDR Test_string,\
OFFSET AppName,\
MB_OK
.ELSEIF ax==IDM_HELLO
invoke MessageBox, NULL,\
ADDR Hello_string,\
OFFSET AppName,\
MB_OK
.ELSEIF ax==IDM_GOODBYE
invoke MessageBox,NULL,\
ADDR Goodbye_string,\
OFFSET AppName,\
MB_OK
.ELSE
invoke DestroyWindow,hWnd
.ENDIF

When the user selects a menu item, the window procedure receives WM_COMMAND with the item's ID in the low word of wParam. The code copies wParam into eax and compares ax, the low word, with the IDs. For IDM_TEST, IDM_HELLO and IDM_GOODBYE it displays the matching string in a message box titled with AppName. Anything else is the Exit item, since IDM_EXIT is the only remaining ID in this menu, so the .ELSE branch calls DestroyWindow. DestroyWindow sends WM_DESTROY to the window, whose handler calls PostQuitMessage; that makes GetMessage return zero and ends the message loop.

If you prefer to attach the menu with LoadMenu rather than through the window class, declare a variable for the menu handle:

.data?
hInstance HINSTANCE ?
CommandLine LPSTR ?
hMenu HMENU ?

then load the menu before creating the window and pass its handle as the hMenu parameter of CreateWindowEx, in place of the second NULL of the original call:

invoke LoadMenu, hInst, OFFSET MenuName
mov hMenu,eax
invoke CreateWindowEx, NULL,\
ADDR ClassName,\
ADDR AppName,\
WS_OVERLAPPEDWINDOW,\
CW_USEDEFAULT,\
CW_USEDEFAULT,\
CW_USEDEFAULT,\
CW_USEDEFAULT,\
NULL,\
hMenu,\
hInst,\
NULL

Either way the menu appears on the window and its selections arrive as WM_COMMAND.

Child window controls

The source code for this chapter is in SourceCodes\Asm32\Chapter8.

Windows provides a number of predefined window classes that implement the standard user-interface elements: button, edit, listbox, checkbox, radio-button and so on. A window created from one of these classes is a child window control: it is a child of your window, it paints itself and handles its own mouse and keyboard input, and it reports what happened to its parent by sending messages. Because these classes are registered by Windows itself, your program does not register them; it simply creates the control with CreateWindow or CreateWindowEx, giving the class name as a string such as "button" or "edit".

Two things differ from creating an ordinary window. First, the control must have the WS_CHILD style and must be given its parent's handle. Second, the parameter that otherwise carries a menu handle (hMenu) is used to pass the control's ID instead, a number your program chooses to tell its controls apart; a child window cannot have a menu, so the parameter is free. The natural place to create the controls is the parent's WM_CREATE handler, which runs once, while the parent window is being created.

A control tells its parent about events by sending it WM_COMMAND. This is the same message a menu uses, but the parameters carry more information: the low word of wParam is the control ID, the high word of wParam is a notification code that says what happened (for a button, BN_CLICKED means it was clicked), and lParam is the handle of the control. In the other direction, the parent controls its children by sending them messages with SendMessage, or with wrapper functions such as SetWindowText and GetWindowText that send the appropriate message for you.

The example program creates a window with an edit box and a button, and a menu with four items:

1. Say Hello: puts a string into the edit box.
2. Clear Edit Box: clears the edit box.
3. Get Text: displays the current contents of the edit box in a message box.
4. Exit: closes the program.

Clicking the button does the same as the Get Text menu item.

.386
.model flat,stdcall
option casemap:none
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
ClassName db "SimpleWinClass",0
AppName db "Our First Window",0
MenuName db "FirstMenu",0
ButtonClassName db "button",0
ButtonText db "My First Button",0
EditClassName db "edit",0
TestString db "Wow! I'm in an edit box now",0
.data?
hInstance HINSTANCE ?
CommandLine LPSTR ?
hwndButton HWND ?
hwndEdit HWND ?
buffer db 512 dup(?)
.const
ButtonID equ 1
EditID equ 2
IDM_HELLO equ 1
IDM_CLEAR equ 2
IDM_GETTEXT equ 3
IDM_EXIT equ 4
.code
start:


invoke GetModuleHandle, NULL
mov hInstance,eax
invoke GetCommandLine
mov CommandLine,eax
invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
invoke ExitProcess,eax
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
LOCAL wc:WNDCLASSEX
LOCAL msg:MSG
LOCAL hwnd:HWND
mov wc.cbSize,SIZEOF WNDCLASSEX
mov wc.style, CS_HREDRAW or CS_VREDRAW
mov wc.lpfnWndProc, OFFSET WndProc
mov wc.cbClsExtra,NULL
mov wc.cbWndExtra,NULL
push hInst
pop wc.hInstance
mov wc.hbrBackground,COLOR_BTNFACE+1
mov wc.lpszMenuName,OFFSET MenuName
mov wc.lpszClassName,OFFSET ClassName
invoke LoadIcon,NULL,IDI_APPLICATION
mov wc.hIcon,eax
mov wc.hIconSm,eax
invoke LoadCursor,NULL,IDC_ARROW
mov wc.hCursor,eax
invoke RegisterClassEx, addr wc
invoke CreateWindowEx, WS_EX_CLIENTEDGE,\
ADDR ClassName, \
ADDR AppName,\
WS_OVERLAPPEDWINDOW,\
CW_USEDEFAULT,\
CW_USEDEFAULT,\
300,\
200,\
NULL,\
NULL,\
hInst,\
NULL
mov hwnd,eax
invoke ShowWindow, hwnd,SW_SHOWNORMAL
invoke UpdateWindow, hwnd
.WHILE TRUE
invoke GetMessage, ADDR msg,NULL,0,0
.BREAK .IF (!eax)
invoke TranslateMessage, ADDR msg
invoke DispatchMessage, ADDR msg
.ENDW
mov eax,msg.wParam
ret
WinMain endp


WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
.IF uMsg==WM_DESTROY
invoke PostQuitMessage,NULL
.ELSEIF uMsg==WM_CREATE
invoke CreateWindowEx, WS_EX_CLIENTEDGE,\
ADDR EditClassName,\
NULL,\
WS_CHILD or WS_VISIBLE or WS_BORDER or ES_LEFT or ES_AUTOHSCROLL,\
50,\
35,\
200,\
25,\
hWnd,\
8,\
hInstance,\
NULL
mov hwndEdit,eax
invoke SetFocus, hwndEdit
invoke CreateWindowEx, NULL,\
ADDR ButtonClassName,\
ADDR ButtonText,\
WS_CHILD or WS_VISIBLE or BS_DEFPUSHBUTTON,\
75,\
70,\
140,\
25,\
hWnd,\
ButtonID,\
hInstance,\
NULL
mov hwndButton,eax
.ELSEIF uMsg==WM_COMMAND
mov eax,wParam
.IF lParam==0
.IF ax==IDM_HELLO
invoke SetWindowText,hwndEdit,ADDR TestString
.ELSEIF ax==IDM_CLEAR
invoke SetWindowText,hwndEdit,NULL
.ELSEIF ax==IDM_GETTEXT
invoke GetWindowText,hwndEdit,ADDR buffer,512
invoke MessageBox,NULL,\
ADDR buffer,\
ADDR AppName,\
MB_OK
.ELSE
invoke DestroyWindow,hWnd
.ENDIF
.ELSE
.IF ax==ButtonID
shr eax,16
.IF ax==BN_CLICKED
invoke SendMessage,hWnd,WM_COMMAND,IDM_GETTEXT,0
.ENDIF
.ENDIF
.ENDIF
.ELSE
invoke DefWindowProc,hWnd,uMsg,wParam,lParam
ret
.ENDIF
xor eax,eax
ret
WndProc endp
end start
.ELSEIF uMsg==WM_CREATE
invoke CreateWindowEx, WS_EX_CLIENTEDGE,\
ADDR EditClassName,\
NULL,\
WS_CHILD or WS_VISIBLE or WS_BORDER or ES_LEFT or ES_AUTOHSCROLL,\
50,\
35,\
200,\
25,\
hWnd,\
8,\
hInstance,\
NULL
mov hwndEdit,eax
invoke SetFocus, hwndEdit
invoke CreateWindowEx, NULL,\
ADDR ButtonClassName,\
ADDR ButtonText,\
WS_CHILD or WS_VISIBLE or BS_DEFPUSHBUTTON,\
75,\
70,\
140,\
25,\
hWnd,\
ButtonID,\
hInstance,\
NULL
mov hwndButton,eax

The controls are created in the WM_CREATE handler, which the main window receives once, before the CreateWindowEx call in WinMain returns. The first call creates the edit box. Its class name is "edit" (EditClassName), it has no initial text (NULL), and its style combines the window styles every child control needs, WS_CHILD and WS_VISIBLE, with WS_BORDER and the edit-specific styles ES_LEFT and ES_AUTOHSCROLL; the edit styles all begin with ES_, and the Win32 API Reference lists them. WS_EX_CLIENTEDGE gives it a sunken border. The next four numbers are the x and y position, relative to the parent's client area, and the width and height. hWnd, the main window's handle, is the parent, and the value in the menu-handle position, 8, is the control's ID. The returned handle is saved in hwndEdit, and SetFocus moves the keyboard focus to the edit box so that the user can type into it immediately.

The second call creates the button the same way, with class "button", the caption from ButtonText, the button style BS_DEFPUSHBUTTON (button styles begin with BS_), and ButtonID as its ID. Its handle is saved in hwndButton.

Now the window procedure has to handle WM_COMMAND coming from two sources, the menu and the button:

.ELSEIF uMsg==WM_COMMAND
mov eax,wParam
.IF lParam==0

Menu selections and control notifications arrive as the same WM_COMMAND message, so the handler must tell them apart. The parameters differ as follows:

Source   | Low word of wParam | High word of wParam | lParam
---------|--------------------|---------------------|---------------------
Menu     | Menu ID            | 0                   | 0
Control  | Control ID         | Notification Code   | Child Window Handle

The simplest test is lParam: it is zero for a menu selection and a window handle, which is never zero, for a control. The code copies wParam into eax, so that ax holds the low word, the ID, and branches on lParam. When lParam is 0 the message came from the menu and ax is compared with the menu IDs:

.IF ax==IDM_HELLO
invoke SetWindowText,hwndEdit,ADDR TestString
.ELSEIF ax==IDM_CLEAR
invoke SetWindowText,hwndEdit,NULL
.ELSEIF ax==IDM_GETTEXT
invoke GetWindowText,hwndEdit,ADDR buffer,512
invoke MessageBox,NULL,ADDR buffer,ADDR AppName,MB_OK

SetWindowText puts the string into the edit box, replacing whatever is there; passing NULL as the string clears it (on an ordinary window the same function sets the title). GetWindowText copies the contents of the edit box into buffer, at most 512 bytes including the terminating zero, which is the size of the buffer, and the text is then shown with MessageBox. When lParam is not zero, the message came from a control:

.IF ax==ButtonID
shr eax,16
.IF ax==BN_CLICKED
invoke SendMessage,hWnd,WM_COMMAND,IDM_GETTEXT,0
.ENDIF
.ENDIF

Here ax still holds the low word of wParam, the control ID, so the code checks whether it is the button. If it is, eax is shifted right by 16 bits so that ax now holds the high word, the notification code, and that is compared with BN_CLICKED, the code a button sends when it has been clicked. The response is to send the window itself a WM_COMMAND with IDM_GETTEXT in wParam and 0 in lParam, which is exactly what Windows would send if the user had selected the Get Text menu item; the message is delivered to this same window procedure, takes the menu branch, and displays the contents of the edit box. Synthesising a menu command this way avoids duplicating the Get Text code. Note that checking the ID alone would not be safe: ButtonID and IDM_HELLO are both 1 in this program, and only lParam tells the two apart.

One more change compared with the previous chapters is in the message loop: TranslateMessage is now called before DispatchMessage. It turns key-down and key-up messages into WM_CHAR messages carrying the typed character, which the edit box needs in order to receive text; without it, nothing you type appears in the edit box.

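The following C program is an added illustration, not code from the book, of the WM_COMMAND decoding and routing that the listing above does with .IF lParam==0 and shr eax,16. It reproduces the listing's IDs (including the collision ButtonID == IDM_HELLO == 1) and returns the action the window procedure would take, so the routing can be checked without a window. BN_CLICKED is 0 in Win32; decode_wm_command, route_wm_command, make_wparam, CommandInfo and the fake window handle are names and values chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from the listing; BN_CLICKED is 0 in the Win32 headers. */
#define BN_CLICKED   0
#define IDM_HELLO    1
#define IDM_CLEAR    2
#define IDM_GETTEXT  3
#define IDM_EXIT     4
#define BUTTON_ID    1   /* the listing's ButtonID: legally the same number as IDM_HELLO */

typedef uint32_t  WPARAM_DEMO;
typedef uintptr_t LPARAM_DEMO;

/* What the listing recovers from WM_COMMAND's parameters. */
typedef struct {
    int         from_control;  /* 0: menu selection, 1: child window control */
    uint16_t    id;            /* low word of wParam: menu ID or control ID */
    uint16_t    notification;  /* high word of wParam: notification code, 0 for a menu */
    LPARAM_DEMO hwnd_ctl;      /* lParam: child window handle, 0 for a menu */
} CommandInfo;

CommandInfo decode_wm_command(WPARAM_DEMO wParam, LPARAM_DEMO lParam) {
    CommandInfo ci;
    ci.id           = (uint16_t)(wParam & 0xFFFFu);   /* 'mov eax,wParam' then ax */
    ci.notification = (uint16_t)(wParam >> 16);       /* 'shr eax,16' then ax */
    ci.hwnd_ctl     = lParam;
    ci.from_control = (lParam != 0);                  /* '.IF lParam==0' */
    return ci;
}

/* Mirrors the WndProc's WM_COMMAND branch and returns the action taken:
   "hello", "clear", "gettext", "destroy" (the .ELSE: DestroyWindow) or
   "ignored" (a control notification the listing does not handle). */
const char *route_wm_command(WPARAM_DEMO wParam, LPARAM_DEMO lParam) {
    CommandInfo ci = decode_wm_command(wParam, lParam);
    if (!ci.from_control) {
        switch (ci.id) {
        case IDM_HELLO:   return "hello";
        case IDM_CLEAR:   return "clear";
        case IDM_GETTEXT: return "gettext";
        default:          return "destroy";
        }
    }
    /* Control notification: the ID is checked first, then the notification
       code, exactly as the listing does. The ID alone would be ambiguous,
       because BUTTON_ID == IDM_HELLO; lParam is what settles it. */
    if (ci.id == BUTTON_ID && ci.notification == BN_CLICKED) {
        /* The listing re-sends the message to itself as a menu command,
           SendMessage(hWnd, WM_COMMAND, IDM_GETTEXT, 0), with lParam = 0. */
        return route_wm_command(IDM_GETTEXT, 0);
    }
    return "ignored";
}

/* Build wParam the way the system does: low word ID, high word notification. */
WPARAM_DEMO make_wparam(uint16_t id, uint16_t notification) {
    return ((WPARAM_DEMO)notification << 16) | id;
}

int main(void) {
    LPARAM_DEMO fake_button_hwnd = 0x00051234;   /* constructed window handle */
    printf("menu Say Hello          -> %s\n", route_wm_command(make_wparam(IDM_HELLO, 0), 0));
    printf("menu Exit               -> %s\n", route_wm_command(make_wparam(IDM_EXIT, 0), 0));
    printf("button BN_CLICKED       -> %s\n", route_wm_command(make_wparam(BUTTON_ID, BN_CLICKED), fake_button_hwnd));
    printf("button other notif (6)  -> %s\n", route_wm_command(make_wparam(BUTTON_ID, 6), fake_button_hwnd));
    return 0;
}
```

The menu entry with ID 1 and the button with ID 1 produce the same low word of wParam; the program routes them correctly only because it looks at lParam first, which is the point of the table above.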
Dialog boxes

The source code for this chapter is in SourceCodes\Asm32\Chapter9.
The previous chapter showed that child window controls handle their own keyboard input: while a control has the focus, keystrokes go to the control's window procedure, not to yours. That raises a problem. In the example program the edit box kept the focus, and there was no way to move it to the button with the Tab key, as users expect, because none of the window procedures involved implements that behaviour. You could write the code yourself, intercepting the keyboard messages and calling SetFocus, but the work grows with every control you add. Windows already contains this logic: the dialog box manager, an internal window procedure that manages the controls on a dialog box. It moves the focus between them with Tab and Shift+Tab in a defined tab order, presses the default button on Enter, and so on.

A dialog box is a window whose layout, the controls it contains with their positions and sizes, is described by a dialog box template in the resource script, in the same way a menu is described by a menu resource. Windows creates the dialog window and all its controls from the template in a single call, so there is no CreateWindowEx for each control.

Dialog boxes come in two kinds. A modeless dialog box behaves like an ordinary window: the user can switch to the other windows of the application while it is open (the Find dialog of an editor such as Word is an example). A modal dialog box must be dismissed before the user can use the other windows of the application. There are two degrees of modality:

1. Application modal: the user cannot use any other window of the same application while the dialog box is open, but can switch to other applications. This is the normal kind.
2. System modal: the user cannot switch to any other application either. It is requested with the DS_SYSMODAL style in the template and should be reserved for situations that really must not be interrupted.

A modeless dialog box is created with CreateDialogParam, a modal one with DialogBoxParam; both take the name of the template. The controls on a dialog box are identified by their IDs, and Windows provides functions that address a control through its parent and ID rather than through its handle. The most general is SendDlgItemMessage, which sends any message to a control:

SendDlgItemMessage proto hwndDlg:DWORD,\
idControl:DWORD,\
uMsg:DWORD,\
wParam:DWORD,\
lParam:DWORD

hwndDlg is the handle of the dialog box, idControl the ID of the control, uMsg the message, and wParam and lParam its parameters, whose meaning depends on the message (the Win32 API Reference describes them for each message). For example, to retrieve the text of an edit box:

call SendDlgItemMessage, hDlg,\
ID_EDITBOX,\
WM_GETTEXT,\
256,\
ADDR text_buffer

This copies up to 256 characters from the edit box with ID ID_EDITBOX into text_buffer. For the common operations there are more specific wrappers such as GetDlgItemText, SetDlgItemText and CheckDlgButton, which read more clearly than the equivalent SendDlgItemMessage calls.

Messages for a dialog box go first to the dialog box manager, which passes them on to a dialog procedure that you supply. A dialog procedure has the same parameters as a window procedure:

DlgProc proto hDlg:DWORD ,\
iMsg:DWORD ,\
wParam:DWORD ,\
lParam:DWORD

but it differs in two ways. It returns TRUE in eax if it handled the message and FALSE if it did not, in which case the dialog box manager handles the message itself; and it therefore never calls DefWindowProc. A dialog box created from a template normally uses a window class that Windows registers, whose window procedure is the dialog box manager.

There is an alternative, which the first example of this chapter uses. If the template names a window class of your own with a CLASS statement, and you register that class with RegisterClassEx with your own window procedure, Windows still builds the dialog box from the template, so you get the layout for free, but all messages go to your window procedure, as for any other window. The tab order and the rest of the keyboard behaviour remain available, because the message loop can hand each message to IsDialogMessage, which performs the dialog box manager's keyboard handling before the message is dispatched. The class must reserve extra bytes in each window for the dialog box manager's use, which is done by setting cbWndExtra to DLGWINDOWEXTRA.

The example program creates a dialog box with an edit box, a Say Hello button that puts a string into the edit box, an Exit button, and a menu with Get Text, Clear Text and Exit items.
.386
.model flat,stdcall
option casemap:none
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
ClassName db "DLGCLASS",0
MenuName db "MyMenu",0
DlgName db "MyDialog",0
AppName db "Our First Dialog Box",0
TestString db "Wow! I'm in an edit box now",0
.data?
hInstance HINSTANCE ?
CommandLine LPSTR ?
buffer db 512 dup(?)
.const
IDC_EDIT equ 3000
IDC_BUTTON equ 3001
IDC_EXIT equ 3002
IDM_GETTEXT equ 32000
IDM_CLEAR equ 32001
IDM_EXIT equ 32002
.code
start:
invoke GetModuleHandle, NULL
mov hInstance,eax
invoke GetCommandLine
mov CommandLine,eax
invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
invoke ExitProcess,eax
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
LOCAL wc:WNDCLASSEX
LOCAL msg:MSG
LOCAL hDlg:HWND
mov wc.cbSize,SIZEOF WNDCLASSEX
mov wc.style, CS_HREDRAW or CS_VREDRAW
mov wc.lpfnWndProc, OFFSET WndProc
mov wc.cbClsExtra,NULL
mov wc.cbWndExtra,DLGWINDOWEXTRA
push hInst
pop wc.hInstance
mov wc.hbrBackground,COLOR_BTNFACE+1
mov wc.lpszMenuName,OFFSET MenuName
mov wc.lpszClassName,OFFSET ClassName
invoke LoadIcon,NULL,IDI_APPLICATION
mov wc.hIcon,eax
mov wc.hIconSm,eax
invoke LoadCursor,NULL,IDC_ARROW
mov wc.hCursor,eax
invoke RegisterClassEx, addr wc
invoke CreateDialogParam,hInstance,ADDR DlgName,NULL,NULL,NULL
mov hDlg,eax
invoke ShowWindow, hDlg,SW_SHOWNORMAL
invoke UpdateWindow, hDlg
invoke GetDlgItem,hDlg,IDC_EDIT
invoke SetFocus,eax
.WHILE TRUE
invoke GetMessage, ADDR msg,NULL,0,0
.BREAK .IF (!eax)
invoke IsDialogMessage, hDlg, ADDR msg
.IF eax ==FALSE
invoke TranslateMessage, ADDR msg
invoke DispatchMessage, ADDR msg
.ENDIF
.ENDW
mov eax,msg.wParam
ret
WinMain endp
WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
.IF uMsg==WM_DESTROY
invoke PostQuitMessage,NULL
.ELSEIF uMsg==WM_COMMAND
mov eax,wParam
.IF lParam==0
.IF ax==IDM_GETTEXT
invoke GetDlgItemText,hWnd,IDC_EDIT,ADDR buffer,512
invoke MessageBox,NULL,\
ADDR buffer,\
ADDR AppName,\
MB_OK
.ELSEIF ax==IDM_CLEAR
invoke SetDlgItemText,hWnd,IDC_EDIT,NULL
.ELSE
invoke DestroyWindow,hWnd
.ENDIF
.ELSE
mov edx,wParam
shr edx,16
.IF dx==BN_CLICKED
.IF ax==IDC_BUTTON
invoke SetDlgItemText,hWnd,\
IDC_EDIT,\
ADDR TestString
.ELSEIF ax==IDC_EXIT
invoke SendMessage,hWnd,WM_COMMAND,IDM_EXIT,0
.ENDIF
.ENDIF
.ENDIF
.ELSE
invoke DefWindowProc,hWnd,uMsg,wParam,lParam
ret
.ENDIF
xor eax,eax
ret
WndProc endp
end start

Dialog.rc

#include "resource.h"
#define IDC_EDIT 3000
#define IDC_BUTTON 3001
#define IDC_EXIT 3002
#define IDM_GETTEXT 32000
#define IDM_CLEAR 32001
#define IDM_EXIT 32002

MyDialog DIALOG 10, 10, 205, 60
STYLE 0x0004 | DS_CENTER | WS_CAPTION | WS_MINIMIZEBOX | WS_SYSMENU | WS_VISIBLE | WS_OVERLAPPED | DS_MODALFRAME | DS_3DLOOK
CAPTION "Our First Dialog Box"
CLASS "DLGCLASS"
BEGIN
EDITTEXT IDC_EDIT, 15,17,111,13, ES_AUTOHSCROLL | ES_LEFT
DEFPUSHBUTTON "Say Hello", IDC_BUTTON, 141,10,52,13
PUSHBUTTON "E&xit", IDC_EXIT, 141,26,52,13, WS_GROUP
END
MyMenu MENU
BEGIN
POPUP "Test Controls"
BEGIN
MENUITEM "Get Text", IDM_GETTEXT
MENUITEM "Clear Text", IDM_CLEAR
MENUITEM "", , 0x0800 /*MFT_SEPARATOR*/
MENUITEM "E&xit", IDM_EXIT
END
END

Let's look at the resource script first. It defines the control and menu IDs, then a dialog box template and a menu.

MyDialog DIALOG 10, 10, 205, 60

MyDialog is the name of the template, and DIALOG is the keyword that starts a dialog box definition. The four numbers are x, y, width and height. For dialog boxes these are not pixels but dialog box units, derived from the size of the system font, so the dialog box keeps its proportions when the font changes.

STYLE 0x0004 | DS_CENTER | WS_CAPTION | WS_MINIMIZEBOX | WS_SYSMENU | WS_VISIBLE | WS_OVERLAPPED | DS_MODALFRAME | DS_3DLOOK

STYLE gives the window styles of the dialog box, combined with |. The DS_ styles are specific to dialog boxes: DS_CENTER centres the box on the screen, DS_MODALFRAME gives it a modal dialog frame.

CAPTION "Our First Dialog Box"

CAPTION is the text shown in the title bar.

CLASS "DLGCLASS"

CLASS names the window class the dialog box is to be created from. This statement is what routes the messages to our own window procedure: the class is registered in WinMain under the same name, so Windows creates the dialog window from it instead of from the standard dialog class.

BEGIN
EDITTEXT IDC_EDIT, 15,17,111,13, ES_AUTOHSCROLL | ES_LEFT
DEFPUSHBUTTON "Say Hello", IDC_BUTTON, 141,10,52,13
PUSHBUTTON "E&xit", IDC_EXIT, 141,26,52,13, WS_GROUP
END

The controls are listed between BEGIN and END. Each control statement has the form

control-type "text", controlID, x, y, width, height [,styles]

control-type is a keyword such as EDITTEXT, PUSHBUTTON or DEFPUSHBUTTON (the default button, the one Enter presses); EDITTEXT takes no text, since an edit box has no caption. x, y, width and height are again in dialog box units, relative to the dialog box. MSDN lists all the control-type keywords and the styles each accepts. The ID values must agree between the resource script and the .asm file, which is why both define IDC_EDIT as 3000, IDM_EXIT as 32002, and so on.

Now the .asm file. Two lines in the WNDCLASSEX setup are new:

mov wc.cbWndExtra,DLGWINDOWEXTRA
mov wc.lpszClassName,OFFSET ClassName

cbWndExtra is the number of extra bytes to reserve in every window created from this class. A dialog box needs DLGWINDOWEXTRA bytes of such storage for the dialog box manager's own data, so when a class of our own is used for a dialog box this member must be DLGWINDOWEXTRA rather than NULL. lpszClassName must be exactly the name given in the template's CLASS statement, "DLGCLASS", or Windows will not find the class when it creates the dialog box. Once the class is registered with RegisterClassEx, the dialog box is created:

invoke CreateDialogParam,hInstance,ADDR DlgName,NULL,NULL,NULL

CreateDialogParam creates a modeless dialog box. Its parameters are the instance handle, the name of the template in the resource script, the handle of the owner window (NULL here), the address of the dialog procedure, and a value that is passed to the dialog procedure in lParam of WM_INITDIALOG. The last two are NULL because this dialog box uses our own window class, whose window procedure was set in WNDCLASSEX; there is no separate dialog procedure. CreateDialogParam creates the dialog window and every control described in the template and returns the dialog box's handle, so it replaces the CreateWindowEx call of the earlier examples. The window procedure receives WM_CREATE while the dialog window itself is being created, before its controls exist, which is why the next step is done after CreateDialogParam returns rather than in the WM_CREATE handler:

invoke GetDlgItem,hDlg,IDC_EDIT
invoke SetFocus,eax

GetDlgItem takes the dialog box handle and a control ID and returns the handle of that control, so the program no longer needs to keep the handles of its controls; knowing the ID is enough. SetFocus then moves the keyboard focus to the edit box. The dialog box has already been shown with ShowWindow and UpdateWindow, so what remains is the message loop, which differs from the earlier examples:

invoke IsDialogMessage, hDlg, ADDR msg


.IF eax ==FALSE
invoke TranslateMessage, ADDR msg
invoke DispatchMessage, ADDR msg
.ENDIF

IsDialogMessage is given the dialog box handle and the message. If the message is one the dialog box manager handles, such as a Tab that moves the focus to the next control or an Enter that presses the default button, it processes the message and returns TRUE, and the loop skips TranslateMessage and DispatchMessage for it; otherwise it returns FALSE and the message takes the normal path. This single call gives the dialog box the keyboard behaviour users expect; it is also what makes Enter press Say Hello, the DEFPUSHBUTTON, while the edit box has the focus.

The window procedure is almost the same as in the previous chapter. The differences are that it uses GetDlgItemText and SetDlgItemText with the control ID instead of GetWindowText and SetWindowText with a stored handle, and that a click on the Exit button is turned into the IDM_EXIT menu command with SendMessage, as the button of the previous chapter was turned into Get Text.

The second example does the same job with a modal dialog box, created with DialogBoxParam and served by a real dialog procedure. Because DialogBoxParam runs its own message loop internally and does not return until the dialog box has been closed, the program needs neither a window class nor WinMain nor a message loop of its own.

.386
.model flat,stdcall
option casemap:none
DlgProc proto :DWORD,:DWORD,:DWORD,:DWORD
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
DlgName db "MyDialog",0
AppName db "Our Second Dialog Box",0
TestString db "Wow! I'm in an edit box now",0
.data?
hInstance HINSTANCE ?
CommandLine LPSTR ?
buffer db 512 dup(?)
.const
IDC_EDIT equ 3000
IDC_BUTTON equ 3001
IDC_EXIT equ 3002
IDM_GETTEXT equ 32000
IDM_CLEAR equ 32001
IDM_EXIT equ 32002
.code
start:
invoke GetModuleHandle, NULL
mov hInstance,eax
invoke DialogBoxParam, hInstance, ADDR DlgName,NULL, addr DlgProc, NULL
invoke ExitProcess,eax
DlgProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
.IF uMsg==WM_INITDIALOG
invoke GetDlgItem, hWnd,IDC_EDIT
invoke SetFocus,eax
.ELSEIF uMsg==WM_CLOSE
invoke SendMessage,hWnd,WM_COMMAND,IDM_EXIT,0
.ELSEIF uMsg==WM_COMMAND
mov eax,wParam
.IF lParam==0
.IF ax==IDM_GETTEXT
invoke GetDlgItemText,hWnd,IDC_EDIT,ADDR buffer,512
invoke MessageBox,NULL,\
ADDR buffer,\
ADDR AppName,\
MB_OK
.ELSEIF ax==IDM_CLEAR
invoke SetDlgItemText,hWnd,IDC_EDIT,NULL
.ELSEIF ax==IDM_EXIT
invoke EndDialog, hWnd,NULL
.ENDIF
.ELSE
mov edx,wParam
shr edx,16
.IF dx==BN_CLICKED
.IF ax==IDC_BUTTON
invoke SetDlgItemText,hWnd,\
IDC_EDIT,\
ADDR TestString
.ELSEIF ax==IDC_EXIT
invoke SendMessage,hWnd,WM_COMMAND,IDM_EXIT,0
.ENDIF
.ENDIF
.ENDIF
.ELSE
mov eax,FALSE
ret
.ENDIF
mov eax,TRUE
ret
DlgProc endp
end start
dialog.rc (part 2)

#include "resource.h"
#define IDC_EDIT 3000
#define IDC_BUTTON 3001
#define IDC_EXIT 3002
#define IDR_MENU1 3003
#define IDM_GETTEXT 32000
#define IDM_CLEAR 32001
#define IDM_EXIT 32002

MyDialog DIALOG 10, 10, 205, 60
STYLE 0x0004 | DS_CENTER | WS_CAPTION | WS_MINIMIZEBOX | WS_SYSMENU | WS_VISIBLE | WS_OVERLAPPED | DS_MODALFRAME | DS_3DLOOK
CAPTION "Our Second Dialog Box"
MENU IDR_MENU1
BEGIN
EDITTEXT IDC_EDIT, 15,17,111,13, ES_AUTOHSCROLL | ES_LEFT
DEFPUSHBUTTON "Say Hello", IDC_BUTTON, 141,10,52,13
PUSHBUTTON "E&xit", IDC_EXIT, 141,26,52,13
END
IDR_MENU1 MENU
BEGIN
POPUP "Test Controls"
BEGIN
MENUITEM "Get Text", IDM_GETTEXT
MENUITEM "Clear Text", IDM_CLEAR
MENUITEM "", , 0x0800 /*MFT_SEPARATOR*/
MENUITEM "E&xit", IDM_EXIT
END
END

DlgProc proto :DWORD,:DWORD,:DWORD,:DWORD

The dialog procedure is declared with a prototype because its address is passed to DialogBoxParam with addr before the procedure itself is defined, and the assembler must know the symbol to take its address.

invoke DialogBoxParam, hInstance,\
ADDR DlgName,\
NULL,\
addr DlgProc,\
NULL

DialogBoxParam creates a modal dialog box from the template DlgName and returns only when the dialog box has been closed with EndDialog; its return value, passed here straight to ExitProcess, is the value given to EndDialog. The parameters are the same as for CreateDialogParam: the instance handle, the template name, the owner window handle, the address of the dialog procedure, and a value passed to the dialog procedure in lParam of WM_INITDIALOG. This time there is a real dialog procedure, so its address is passed. Now the dialog procedure itself:

.IF uMsg==WM_INITDIALOG
invoke GetDlgItem, hWnd,IDC_EDIT
invoke SetFocus,eax
.ELSEIF uMsg==WM_CLOSE
invoke SendMessage,hWnd,WM_COMMAND,IDM_EXIT,0

A dialog procedure cannot rely on WM_CREATE; the message that plays the same role for a dialog box is WM_INITDIALOG, which the dialog box manager sends after the dialog box and all its controls have been created and before the box is displayed. That is the place to initialise the controls, here by giving the focus to the edit box with GetDlgItem and SetFocus. One detail to know: returning TRUE from WM_INITDIALOG, as this procedure does for every message it handles, tells the dialog box manager to set the focus itself, to the first control with WS_TABSTOP, which here is the edit box anyway. If you want the focus to stay on a control you chose, return FALSE from WM_INITDIALOG.

WM_CLOSE arrives when the user clicks the close button in the title bar. In a window procedure DefWindowProc turns it into DestroyWindow; a dialog procedure has no DefWindowProc, and a modal dialog box must not be destroyed with DestroyWindow in any case, so the procedure sends itself the IDM_EXIT command, whose handler calls EndDialog. EndDialog is the only correct way to close a modal dialog box: it ends DialogBoxParam's internal message loop and makes DialogBoxParam return the value given as its second parameter. There is no WM_DESTROY handler and no PostQuitMessage, because there is no message loop of our own to stop.

The WM_COMMAND handling is the same as in the first example. The Exit button sends IDM_EXIT, the Exit menu item arrives as IDM_EXIT directly, and both end in EndDialog. Finally, note how the procedure ends: it returns FALSE for every message it does not handle, so that the dialog box manager processes it, and TRUE for every message it does.

The menu of this dialog box is not attached through a window class, since there is none. Instead the template's MENU IDR_MENU1 statement names the menu resource, and Windows attaches it when it creates the dialog box.

Dialog boxes, continued

The source code for this chapter is in SourceCodes\Asm32\Chapter10.
The previous chapter ended with DialogBoxParam and a dialog procedure, which leaves all the message handling to the dialog box manager: no window class, no message loop and no IsDialogMessage call, and the least work for the program. This chapter uses the same approach for a third kind of dialog box: the common dialog boxes, such as the Open File and Save File dialogs, which Windows supplies so that every program presents them the same way. They live in comdlg32.dll, and a program uses them through the import library comdlg32.lib, which must be added to the includelib statements along with the matching comdlg32.inc include. Each common dialog is driven by one function and one structure that describes the dialog: the Open File dialog by GetOpenFileName and the Save File dialog by GetSaveFileName, both of which take a pointer to an OPENFILENAME structure:

GetOpenFileName proto lpofn:DWORD

The function displays the dialog, lets the user choose a file, and returns TRUE if the user chose a file and pressed OK, or FALSE if the user cancelled or an error occurred. The chosen path is returned in a buffer that you supply through the structure. Only some of the structure's members are needed in the common cases; the rest are set to zero. The structure is:
OPENFILENAME STRUCT
lStructSize DWORD ?
hwndOwner HWND ?
hInstance HINSTANCE ?
lpstrFilter LPCSTR ?
lpstrCustomFilter LPSTR ?
nMaxCustFilter DWORD ?
nFilterIndex DWORD ?
lpstrFile LPSTR ?
nMaxFile DWORD ?
lpstrFileTitle LPSTR ?
nMaxFileTitle DWORD ?
lpstrInitialDir LPCSTR ?
lpstrTitle LPCSTR ?
Flags DWORD ?
nFileOffset WORD ?
nFileExtension WORD ?
lpstrDefExt LPCSTR ?
lCustData LPARAM ?
lpfnHook DWORD ?
lpTemplateName LPCSTR ?
OPENFILENAME ENDS

The members the example uses are:

lStructSize: size of the OPENFILENAME structure in bytes (SIZEOF OPENFILENAME); the dialog uses it to tell structure versions apart.

hwndOwner: handle of the window that owns the dialog, or NULL if it has no owner.

hInstance: instance handle of the module that contains a custom dialog template; it is only consulted with the OFN_ENABLETEMPLATE flags, but the example fills it in anyway.

lpstrFilter: pointer to the list of filters offered in the "Files of type" box. A filter is a pair of NUL-terminated strings, a description followed by a pattern, and the whole list is closed by one extra NUL:

FilterString db "All Files (*.*)",0, "*.*",0
             db "Text Files (*.txt)",0,"*.txt",0,0

Several patterns in one filter are separated by a semicolon, for instance "*.txt;*.doc". Only files matching the selected pattern are listed; the filter does not stop the user typing any other name.

nFilterIndex: one-based index of the filter selected when the dialog opens; 0 (with no custom filter) selects the first pair.

lpstrFile: pointer to a buffer that receives the full path of the chosen file, NUL-terminated. The buffer may hold an initial file name; if not, its first byte must be 0. The usual size is MAX_PATH, 260 bytes.

nMaxFile: size of that buffer in bytes. The dialog never writes beyond it: a path that does not fit makes GetOpenFileName return FALSE, and CommDlgExtendedError then returns FNERR_BUFFERTOOSMALL.

lpstrTitle: text for the title bar; NULL gives the default "Open" or "Save As".

Flags: OFN_* flags that control the dialog's behaviour; the flags the example uses are explained with its code.

nFileOffset: zero-based offset, counted from the start of lpstrFile, of the file name inside the returned path. For c:\windows\system\x.dll it is 18.

nFileExtension: zero-based offset of the extension, the character after the last period of the file name; for the same path it is 20. If the name has no extension the member points at the terminating NUL.

The first example shows the Open File dialog when the user picks Open from the File menu and, if a file was chosen, displays its full path, its file name and its extension in a MessageBox.

.386
.model flat,stdcall
option casemap:none
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
.const
IDM_OPEN equ 1
IDM_EXIT equ 2
MAXSIZE equ 260
; three labels (67 bytes), two CrLf pairs and up to three copies of a
; MAXSIZE path can reach about 850 bytes; lstrcat does not check, so 512
; would be too small
OUTPUTSIZE equ 1024
.data
ClassName db "SimpleWinClass",0
AppName db "Our Main Window",0
MenuName db "FirstMenu",0
ofn OPENFILENAME <>
FilterString db "All Files",0,"*.*",0
             db "Text Files",0,"*.txt",0,0
buffer db MAXSIZE dup(0)
OurTitle db "-=Our First Open File Dialog Box=-: Choose the file to open",0
FullPathName db "The Full Filename with Path is: ",0
FullName db "The Filename is: ",0
ExtensionName db "The Extension is: ",0
OutputString db OUTPUTSIZE dup(0)
CrLf db 0Dh,0Ah,0
.data?
hInstance HINSTANCE ?
CommandLine LPSTR ?
.code
start:
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke GetCommandLine
    mov CommandLine,eax
    invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
    invoke ExitProcess,eax

WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hwnd:HWND
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_WINDOW+1
    mov wc.lpszMenuName,OFFSET MenuName
    mov wc.lpszClassName,OFFSET ClassName
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc
    invoke CreateWindowEx, WS_EX_CLIENTEDGE,\
           ADDR ClassName,\
           ADDR AppName,\
           WS_OVERLAPPEDWINDOW,\
           CW_USEDEFAULT,\
           CW_USEDEFAULT,\
           300,\
           200,\
           NULL,\
           NULL,\
           hInst,\
           NULL
    mov hwnd,eax
    invoke ShowWindow, hwnd,SW_SHOWNORMAL
    invoke UpdateWindow, hwnd
    .WHILE TRUE
        invoke GetMessage, ADDR msg,NULL,0,0
        .BREAK .IF (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .ENDW
    mov eax,msg.wParam
    ret
WinMain endp

WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    .IF uMsg==WM_DESTROY
        invoke PostQuitMessage,NULL
    .ELSEIF uMsg==WM_COMMAND
        mov eax,wParam
        .if ax==IDM_OPEN
            mov ofn.lStructSize,SIZEOF ofn
            push hWnd
            pop ofn.hwndOwner
            push hInstance
            pop ofn.hInstance
            mov ofn.lpstrFilter, OFFSET FilterString
            mov ofn.lpstrFile, OFFSET buffer
            mov ofn.nMaxFile,MAXSIZE
            mov ofn.Flags, OFN_FILEMUSTEXIST or \
                           OFN_PATHMUSTEXIST or \
                           OFN_LONGNAMES or \
                           OFN_EXPLORER or \
                           OFN_HIDEREADONLY
            mov ofn.lpstrTitle, OFFSET OurTitle
            invoke GetOpenFileName, ADDR ofn
            .if eax==TRUE
                invoke lstrcat,offset OutputString,OFFSET FullPathName
                invoke lstrcat,offset OutputString,ofn.lpstrFile
                invoke lstrcat,offset OutputString,offset CrLf
                invoke lstrcat,offset OutputString,offset FullName
                mov eax,ofn.lpstrFile
                push ebx
                xor ebx,ebx
                mov bx,ofn.nFileOffset          ; WORD offset of the file name
                add eax,ebx                     ; -> address of the file name
                pop ebx
                invoke lstrcat,offset OutputString,eax
                invoke lstrcat,offset OutputString,offset CrLf
                invoke lstrcat,offset OutputString,offset ExtensionName
                mov eax,ofn.lpstrFile
                push ebx
                xor ebx,ebx
                mov bx,ofn.nFileExtension       ; WORD offset of the extension
                add eax,ebx
                pop ebx
                invoke lstrcat,offset OutputString,eax
                invoke MessageBox,hWnd,\
                       OFFSET OutputString,\
                       ADDR AppName,\
                       MB_OK
                invoke RtlZeroMemory,offset OutputString,OUTPUTSIZE
            .endif
        .else
            invoke DestroyWindow, hWnd
        .endif
    .ELSE
        invoke DefWindowProc,hWnd,uMsg,wParam,lParam
        ret
    .ENDIF
    xor eax,eax
    ret
WndProc endp
end start

Walking through the program:

mov ofn.lStructSize,SIZEOF ofn
push hWnd
pop ofn.hwndOwner
push hInstance
pop ofn.hInstance

The structure is filled in when the user picks Open: its size, the owning window and the instance handle. The push/pop pair is the usual way to copy a memory variable into a structure member, since mov cannot move memory to memory.

mov ofn.lpstrFilter, OFFSET FilterString

FilterString db "All Files",0,"*.*",0
             db "Text Files",0,"*.txt",0,0

Two filters are offered: "All Files" lists every file (*.*), "Text Files" only *.txt. Their order in the "Files of type" box is their order in memory.

mov ofn.lpstrFile, OFFSET buffer
mov ofn.nMaxFile,MAXSIZE

buffer receives the full path of the chosen file; nMaxFile tells the dialog how much room it has, so the dialog itself cannot overrun the buffer.

mov ofn.Flags, OFN_FILEMUSTEXIST or \
               OFN_PATHMUSTEXIST or \
               OFN_LONGNAMES or \
               OFN_EXPLORER or \
               OFN_HIDEREADONLY

OFN_FILEMUSTEXIST and OFN_PATHMUSTEXIST make the dialog accept only an existing file in an existing directory; with them set, a name typed by the user is checked before the dialog returns. OFN_LONGNAMES displays long file names, OFN_EXPLORER selects the Explorer-style dialog, and OFN_HIDEREADONLY hides the "Open as read-only" check box.

mov ofn.lpstrTitle, OFFSET OurTitle

The text for the title bar.

invoke GetOpenFileName, ADDR ofn

Shows the dialog. When it returns, eax is TRUE if the user chose a file and pressed Open; it is FALSE if the user pressed Cancel or the call failed, and then the contents of buffer must not be used.

.if eax==TRUE
invoke lstrcat,offset OutputString,OFFSET FullPathName
invoke lstrcat,offset OutputString,ofn.lpstrFile
invoke lstrcat,offset OutputString,offset CrLf
invoke lstrcat,offset OutputString,offset FullName

The text for the MessageBox is assembled in OutputString with lstrcat: a label, the full path, a line break (CrLf is the byte pair 13,10) and the next label. lstrcat performs no length check, so OutputString must be large enough for the three labels (67 bytes), two CrLf pairs and up to three copies of a path of MAXSIZE-1 characters, about 850 bytes in the worst case; OUTPUTSIZE therefore needs to be at least 1024 rather than 512, or the copies must be made with a bounded routine such as lstrcpyn.

mov eax,ofn.lpstrFile
push ebx
xor ebx,ebx
mov bx,ofn.nFileOffset
add eax,ebx
pop ebx
invoke lstrcat,offset OutputString,eax

nFileOffset is a WORD while lpstrFile is a DWORD pointer, so the offset is zero-extended in ebx and added to the pointer, which yields the address of the file name inside buffer; ebx is saved and restored because a window procedure must preserve it. A single movzx edx,ofn.nFileOffset does the same job. The extension is located in the same way with nFileExtension.

invoke MessageBox,hWnd,OFFSET OutputString,ADDR AppName,MB_OK

The result is displayed.

invoke RtlZeroMemory,offset OutputString,OUTPUTSIZE

RtlZeroMemory (the name must be spelled exactly so) clears OutputString, so that the next Open starts from an empty string instead of appending to the old text.
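The structure layout, the filter-string encoding and the nFileOffset/nFileExtension arithmetic described above, modelled offline. This is an added example in Python, not code from the book or from the original tutorial: it declares the 32-bit OPENFILENAME with ctypes, builds and parses a filter list, simulates the output side of GetOpenFileName (including the FNERR_BUFFERTOOSMALL failure when lpstrFile is too small) and checks whether the text the listing assembles with lstrcat fits in OutputString. Nothing here calls comdlg32; the chosen paths are constructed, and the MessageBox labels and OUTPUTSIZE are taken from the listing.

```python
import ctypes

MAXSIZE = 260                   # MAX_PATH, size of `buffer` in the listing
OUTPUTSIZE = 512                # size of OutputString in the listing as published
FNERR_BUFFERTOOSMALL = 0x3003   # CommDlgExtendedError: lpstrFile too small

LABEL_PATH = "The Full Filename with Path is: "
LABEL_NAME = "The Filename is: "
LABEL_EXT = "The Extension is: "

_FIELDS = ("lStructSize", "hwndOwner", "hInstance", "lpstrFilter",
           "lpstrCustomFilter", "nMaxCustFilter", "nFilterIndex", "lpstrFile",
           "nMaxFile", "lpstrFileTitle", "nMaxFileTitle", "lpstrInitialDir",
           "lpstrTitle", "Flags", "nFileOffset", "nFileExtension", "lpstrDefExt",
           "lCustData", "lpfnHook", "lpTemplateName")


class OPENFILENAME(ctypes.LittleEndianStructure):
    """32-bit OPENFILENAME as windows.inc declares it: every handle and
    pointer is a 4-byte DWORD, nFileOffset and nFileExtension are WORDs."""
    _fields_ = [(n, ctypes.c_uint16 if n in ("nFileOffset", "nFileExtension")
                 else ctypes.c_uint32) for n in _FIELDS]


def struct_layout():
    """(SIZEOF OPENFILENAME, offset of nFileOffset, offset of nFileExtension)."""
    return (ctypes.sizeof(OPENFILENAME), OPENFILENAME.nFileOffset.offset,
            OPENFILENAME.nFileExtension.offset)


def build_filter(pairs):
    """Encode (description, pattern) pairs as lpstrFilter expects: each
    string NUL-terminated, the whole list closed by one more NUL."""
    body = b"".join(d.encode() + b"\0" + p.encode() + b"\0" for d, p in pairs)
    return body + b"\0"


def parse_filter(blob):
    """Inverse of build_filter; rejects a list without the double NUL."""
    if not blob.endswith(b"\0\0"):
        raise ValueError("filter list is not double-NUL terminated")
    items = blob[:-2].split(b"\0") if len(blob) > 2 else []
    if len(items) % 2:
        raise ValueError("description without pattern")
    return [(d.decode(), p.decode()) for d, p in zip(items[0::2], items[1::2])]


def split_offsets(path):
    """nFileOffset / nFileExtension as the dialog stores them: zero-based
    offsets of the file name and of the text after its last '.'; with no
    extension nFileExtension points at the terminating NUL."""
    name_off = path.rfind("\\") + 1
    dot = path.rfind(".", name_off)
    return name_off, (dot + 1 if dot != -1 else len(path))


def simulate_dialog(ofn, buf, chosen):
    """Output side of GetOpenFileName: copy the chosen path into the
    caller's buffer (a bytearray of nMaxFile bytes) and fill in the two
    offsets. Returns (TRUE/FALSE, extended error); like the real dialog it
    fails instead of overrunning lpstrFile."""
    data = chosen.encode()
    if len(data) + 1 > ofn.nMaxFile:
        return False, FNERR_BUFFERTOOSMALL
    buf[:len(data)] = data
    buf[len(data)] = 0
    ofn.nFileOffset, ofn.nFileExtension = split_offsets(chosen)
    return True, 0


def output_text(ofn, buf):
    """The string the listing assembles with lstrcat (CrLf = 13,10)."""
    raw = bytes(buf)
    path = raw[:raw.index(b"\0")].decode()
    return (LABEL_PATH + path + "\r\n" + LABEL_NAME + path[ofn.nFileOffset:]
            + "\r\n" + LABEL_EXT + path[ofn.nFileExtension:])


def fits(text, size=OUTPUTSIZE):
    """lstrcat has no length limit: the text plus its NUL must fit."""
    return len(text.encode()) + 1 <= size


def demo(chosen, nmaxfile=MAXSIZE):
    """Run one simulated Open on a constructed path.
    Returns (ok, extended_error, message_text, fits_in_OutputString)."""
    ofn = OPENFILENAME(lStructSize=ctypes.sizeof(OPENFILENAME), nMaxFile=nmaxfile)
    buf = bytearray(nmaxfile)
    ok, err = simulate_dialog(ofn, buf, chosen)
    if not ok:
        return ok, err, None, None
    text = output_text(ofn, buf)
    return ok, err, text, fits(text)
```

demo("c:\\windows\\system\\x.dll") reproduces the offsets 18 and 20 and a message that fits comfortably, while a name such as "." followed by 257 characters is accepted by the dialog (it fits in 260 bytes) yet produces a message of 844 characters, which the 512-byte OutputString cannot hold.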

> )

AB"

O /E +/

> .+ . / /7@;2

>
.

, ,S CD !) , 4 V

) 6

+g _ > >

.] .

-A #

-/

SourceCodes\Asm32\Chapter11
4 O# =

P#

Process - .

7!)b .

,f

o 8e C/ Q

i
(!

- . o 8e !
.)

k near 5.

! GlobalAlloc

9 = . far 5.

"6 o b A ) V ,- .
LocalAlloc 1

. O# = E

f ) " near

.Local Global

(! ,

'! B . Rb

! ! GlobalAlloc 5.

5. V . /

. ) 1

. ! O# =

, 4 Rb . 1 (!

() *

. ! O )!

_ C.

O# = _ C. .

) !

Unlock ! O )!

5. V .d /

. /
5. V .d /

) b
. /

()

;.

- () *

# !) ) !

O# = _ C. .

-3

, 4V

() *

.] .

. -4

1 (!

. ! O# = _ C. GlobalFree 5. +
! T R U . ! O# = _ C. .

1 (!

. ,

. 1 (!

O# = _ C. GlobalUnlock 5.
A> . ! O# =

-2

! T R U . ! O# =

d- . GlobalAlloc 5. !) GMEM_FIXED C#

- G O )!

-1

_ C. GlobalLock 5. +

) 1

O# = !) V

". B

O# = l F G A=

. ) 1
. / () *

<

G # . ! O# =

Lock ! O )!

) (! , 5. V .d /

5. V

Process Ck heap . ] 8 !

. # 1 - G
.

- 1
! 8U /

) V ) C,U Win32 !)

P#

far

X"6 ! o b A ) V ,- .

() *
R

.f1

) ) G O# =

) 6

. Global 5.

! 4 .

(!
)

) Win16 !) . !

. ! b

/ )! ) ! G !)

. -. /

CB E

. Local 5.

! 4 .

Flat Q

() *
C. 4 V .

- Segment . ] 8 !

Win32 !) O# =

.(1 )

W R .

O# = 5.

!/ . f)

. -

V !) . /

b ! O# =

)) 6

()

() *

31 . !

-5

) (! ,
. !&.^ !
C# V

() *

.. /

)3

- Crack

. +/ 0 1. ( 2,

. 1 (!

V R)

p . V !)
.

- /R

# .

500
GlobalLock 5.

G # .

) .

. / ) b ! O# = GlobalUnlock 5.

G # R . GlobalFree 5.

G 54

O# = . ! /

!)

V ,

d () / () *

.
R

f)

)! ) Dos . 8

! / A=

Rb . f )

o. - : Win32 !) A # 6 G

( - 3 Win32 !) ! ! / V A=

!) . / A 8 API 5.

^ !
-

) ! ' C,U

. ! - *4

.+#
. /

. / () *
. ,
) G O )!

. 5. V .CreateFile 5. +

0T Y i; !
" pipe

Dos Q

. ! O )!

! ".

'!

. ! A # 1 (!

/a o! T .!/
A # .

A #)<

. Rb

() / Q / ! o b

(! , V

() *

% < ReadFile WriteFile 5.


. !) !u U .

A # .

) (! , 5. V .)

() )

/ -)

W ! O )!

() *

.. ) 1

Rb

O# = . A #

G Q ,U -2

% < CloseFile 5.

5.

() *

# !) ) !

. A # V . -3
!TR U . !

p .V Qx

( 6 .! / . () ) p , ! OpenFile \
A #'

.! / . / 9
. / ( Gm

) i

' Uc> Q

.d !
A #

'! B !)

G # . !V

. /

. !

V ,- . / 6 !
. /A

V .d -)

. -1

A # . ( cU

) (! , 5. V a

SetFilePointer 5.

R) /

6 A # !)

.Q=

Edit Q
b Save

.V
/ !) p ,
"1 9

501

> )

AB"

O /E +/

> .+ . / /7@;2

.386
.model flat,stdcall
option casemap:none
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
.const
IDM_OPEN equ 1
IDM_SAVE equ 2
IDM_EXIT equ 3
MAXSIZE equ 260
MEMSIZE equ 65535
EditID equ 1                    ; ID of the edit control
.data
ClassName db "Win32ASMEditClass",0
AppName db "Win32 ASM Edit",0
EditClass db "edit",0
MenuName db "FirstMenu",0
ofn OPENFILENAME <>
FilterString db "All Files",0,"*.*",0
             db "Text Files",0,"*.txt",0,0
buffer db MAXSIZE dup(0)
.data?
hInstance HINSTANCE ?
CommandLine LPSTR ?
hwndEdit HWND ?                 ; handle to the edit control
hFile HANDLE ?                  ; file handle
hMemory HANDLE ?                ; handle to the allocated memory block
pMemory DWORD ?                 ; pointer to the allocated memory block
SizeReadWrite DWORD ?           ; number of bytes actually read or written
.code
start:
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke GetCommandLine
    mov CommandLine,eax
    invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
    invoke ExitProcess,eax

WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hwnd:HWND
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_WINDOW+1
    mov wc.lpszMenuName,OFFSET MenuName
    mov wc.lpszClassName,OFFSET ClassName
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc
    invoke CreateWindowEx, WS_EX_CLIENTEDGE,\
           ADDR ClassName,\
           ADDR AppName,\
           WS_OVERLAPPEDWINDOW,\
           CW_USEDEFAULT,\
           CW_USEDEFAULT,\
           300,\
           200,\
           NULL,\
           NULL,\
           hInst,\
           NULL
    mov hwnd,eax
    invoke ShowWindow, hwnd,SW_SHOWNORMAL
    invoke UpdateWindow, hwnd
    .WHILE TRUE
        invoke GetMessage, ADDR msg,NULL,0,0
        .BREAK .IF (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .ENDW
    mov eax,msg.wParam
    ret
WinMain endp

WndProc proc uses ebx hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    .IF uMsg==WM_CREATE
        invoke CreateWindowEx,NULL,\
               ADDR EditClass,\
               NULL,\
               WS_VISIBLE or WS_CHILD or ES_LEFT or ES_MULTILINE or \
               ES_AUTOHSCROLL or ES_AUTOVSCROLL,\
               0,0,0,0,\
               hWnd,\
               EditID,\
               hInstance,\
               NULL
        mov hwndEdit,eax
        invoke SetFocus,hwndEdit
        ;===========================================================
        ; Initialize the members of OPENFILENAME structure
        ;===========================================================
        mov ofn.lStructSize,SIZEOF ofn
        push hWnd
        pop ofn.hwndOwner
        push hInstance
        pop ofn.hInstance
        mov ofn.lpstrFilter, OFFSET FilterString
        mov ofn.lpstrFile, OFFSET buffer
        mov ofn.nMaxFile,MAXSIZE
    .ELSEIF uMsg==WM_SIZE
        mov eax,lParam
        mov edx,eax
        shr edx,16                  ; high word: new client height
        and eax,0ffffh              ; low word: new client width
        invoke MoveWindow,hwndEdit,0,0,eax,edx,TRUE
    .ELSEIF uMsg==WM_DESTROY
        invoke PostQuitMessage,NULL
    .ELSEIF uMsg==WM_COMMAND
        mov eax,wParam
        .if lParam==0               ; from the menu, not from the edit control
            .if ax==IDM_OPEN
                mov ofn.Flags, OFN_FILEMUSTEXIST or \
                               OFN_PATHMUSTEXIST or \
                               OFN_LONGNAMES or \
                               OFN_EXPLORER or \
                               OFN_HIDEREADONLY
                invoke GetOpenFileName, ADDR ofn
                .if eax==TRUE
                    invoke CreateFile, ADDR buffer,\
                           GENERIC_READ or GENERIC_WRITE,\
                           FILE_SHARE_READ or FILE_SHARE_WRITE,\
                           NULL,\
                           OPEN_EXISTING,\
                           FILE_ATTRIBUTE_ARCHIVE,\
                           NULL
                    .if eax!=INVALID_HANDLE_VALUE   ; do not read through a failed handle
                        mov hFile,eax
                        invoke GlobalAlloc,GMEM_MOVEABLE or GMEM_ZEROINIT, MEMSIZE
                        mov hMemory,eax
                        invoke GlobalLock,hMemory
                        mov pMemory,eax
                        invoke ReadFile, hFile,\
                               pMemory,\
                               MEMSIZE-1,\
                               ADDR SizeReadWrite,\
                               NULL
                        invoke SendMessage, hwndEdit,\
                               WM_SETTEXT,\
                               NULL,\
                               pMemory
                        invoke CloseHandle,hFile
                        invoke GlobalUnlock,hMemory     ; takes the handle, not the pointer
                        invoke GlobalFree,hMemory
                    .endif
                .endif
                invoke SetFocus,hwndEdit
            .elseif ax==IDM_SAVE
                mov ofn.Flags,OFN_LONGNAMES or \
                              OFN_EXPLORER or OFN_HIDEREADONLY
                invoke GetSaveFileName, ADDR ofn
                .if eax==TRUE
                    invoke CreateFile,\
                           ADDR buffer,\
                           GENERIC_READ or GENERIC_WRITE,\
                           FILE_SHARE_READ or FILE_SHARE_WRITE,\
                           NULL,\
                           CREATE_NEW,\
                           FILE_ATTRIBUTE_ARCHIVE,\
                           NULL
                    .if eax!=INVALID_HANDLE_VALUE   ; CREATE_NEW fails if the file exists
                        mov hFile,eax
                        invoke GlobalAlloc,\
                               GMEM_MOVEABLE or \
                               GMEM_ZEROINIT,\
                               MEMSIZE
                        mov hMemory,eax
                        invoke GlobalLock,hMemory
                        mov pMemory,eax
                        invoke SendMessage,hwndEdit,\
                               WM_GETTEXT,\
                               MEMSIZE-1,\
                               pMemory
                        invoke WriteFile, hFile,\
                               pMemory,\
                               eax,\
                               ADDR SizeReadWrite,\
                               NULL
                        invoke CloseHandle,hFile
                        invoke GlobalUnlock,hMemory
                        invoke GlobalFree,hMemory
                    .endif
                .endif
                invoke SetFocus,hwndEdit
            .else
                invoke DestroyWindow, hWnd
            .endif
        .endif
    .ELSE
        invoke DefWindowProc,hWnd,uMsg,wParam,lParam
        ret
    .ENDIF
    xor eax,eax
    ret
WndProc endp
end start

Analysis of the program:

invoke CreateWindowEx,NULL,\
       ADDR EditClass,\
       NULL,\
       WS_VISIBLE or WS_CHILD or ES_LEFT or ES_MULTILINE or \
       ES_AUTOHSCROLL or ES_AUTOVSCROLL,\
       0,0,0,0,\
       hWnd,\
       EditID,\
       hInstance,\
       NULL
mov hwndEdit,eax
invoke SetFocus,hwndEdit

In WM_CREATE a multi-line edit control of the predefined class "edit" is created as a child of the main window and given the keyboard focus. With WS_VISIBLE no ShowWindow call is needed for it. Its position and size are 0 here because the WM_SIZE message that follows creation resizes it to fill the client area. EditID is the control identifier the control reports in its WM_COMMAND notifications.

mov ofn.lStructSize,SIZEOF ofn
push hWnd
pop ofn.hwndOwner
push hInstance
pop ofn.hInstance
mov ofn.lpstrFilter, OFFSET FilterString
mov ofn.lpstrFile, OFFSET buffer
mov ofn.nMaxFile,MAXSIZE

The OPENFILENAME members that never change are set once in WM_CREATE. The same ofn serves both GetOpenFileName and GetSaveFileName; only Flags is set differently before each call.

.ELSEIF uMsg==WM_SIZE
mov eax,lParam
mov edx,eax
shr edx,16
and eax,0ffffh
invoke MoveWindow,hwndEdit,0,0,eax,edx,TRUE

Because the window class has CS_HREDRAW and CS_VREDRAW, the main window is repainted whenever its size changes, and WM_SIZE carries the new client size in lParam: the width in the low word, the height in the high word. The edit control is moved to the top-left corner and stretched to that size with MoveWindow; the last parameter, TRUE, repaints it.

.if ax==IDM_OPEN
mov ofn.Flags, OFN_FILEMUSTEXIST or \
               OFN_PATHMUSTEXIST or \
               OFN_LONGNAMES or \
               OFN_EXPLORER or OFN_HIDEREADONLY
invoke GetOpenFileName, ADDR ofn

When the user picks Open from the File menu, the flags are set and the Open File dialog is shown.

.if eax==TRUE
invoke CreateFile, ADDR buffer,\
       GENERIC_READ or GENERIC_WRITE,\
       FILE_SHARE_READ or FILE_SHARE_WRITE,\
       NULL,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,\
       NULL
mov hFile,eax

If a file was chosen, CreateFile opens it. Its prototype:

CreateFile proto lpFileName:DWORD,\
    dwDesiredAccess:DWORD,\
    dwShareMode:DWORD,\
    lpSecurityAttributes:DWORD,\
    dwCreationDistribution:DWORD,\
    dwFlagsAndAttributes:DWORD,\
    hTemplateFile:DWORD

(The Platform SDK names the fifth parameter dwCreationDisposition.)

lpFileName: the name of the file to open or create; the same call also opens pipes, consoles and devices by name.

dwDesiredAccess: what we intend to do with the file:
0: query its attributes only, without reading or writing.
GENERIC_READ: read.
GENERIC_WRITE: write.
GENERIC_READ or GENERIC_WRITE: both. Ask only for what is needed: the Open handler only reads, and GENERIC_READ alone would also succeed on read-only files and on files another process holds open for reading.

dwShareMode: what other processes may do with the file while our handle is open:
0: nothing; any other attempt to open it fails until we close it.
FILE_SHARE_READ: others may open it for reading.
FILE_SHARE_WRITE: others may open it for writing.

lpSecurityAttributes: pointer to a SECURITY_ATTRIBUTES structure giving the security descriptor of a newly created file and whether the handle is inherited by child processes; NULL means default security and a non-inheritable handle. Windows 9x ignores the security descriptor.

dwCreationDistribution: what to do depending on whether the file already exists:
CREATE_NEW: create the file; fail if it already exists.
CREATE_ALWAYS: create the file; if it exists, overwrite it (truncate it to zero length).
OPEN_EXISTING: open the file; fail if it does not exist.
OPEN_ALWAYS: open the file; create it if it does not exist.
TRUNCATE_EXISTING: open the file and truncate it to zero length; fail if it does not exist; requires GENERIC_WRITE.

dwFlagsAndAttributes: attributes given to a file that is created (plus flags such as FILE_FLAG_OVERLAPPED):
FILE_ATTRIBUTE_ARCHIVE: the file is marked for archiving (backup); the usual attribute of an ordinary file.
FILE_ATTRIBUTE_COMPRESSED: the file is compressed (on a volume that supports it, such as NTFS).
FILE_ATTRIBUTE_NORMAL: no other attributes set; valid only on its own.
FILE_ATTRIBUTE_HIDDEN: hidden from ordinary directory listings.
FILE_ATTRIBUTE_READONLY: read-only.
FILE_ATTRIBUTE_SYSTEM: part of the operating system.

hTemplateFile: handle of a template file whose attributes are copied to the new file; normally NULL.

CreateFile returns a handle, or INVALID_HANDLE_VALUE (-1) on failure, with GetLastError giving the reason. The handle must be tested before it is used; otherwise a failed open is passed on to ReadFile and the rest of the handler runs on garbage.

invoke GlobalAlloc,GMEM_MOVEABLE or GMEM_ZEROINIT,MEMSIZE
mov hMemory,eax
invoke GlobalLock,hMemory
mov pMemory,eax

A block of MEMSIZE bytes is allocated to hold the file contents for ReadFile and WriteFile. GMEM_MOVEABLE means the system may move the block, so GlobalAlloc returns a handle and GlobalLock must be called to obtain (and pin) the pointer; GMEM_ZEROINIT fills the block with zeros, which guarantees a terminating NUL after whatever ReadFile stores. GlobalLock returns the address in eax, which is kept in pMemory.

invoke ReadFile, hFile,\
       pMemory,\
       MEMSIZE-1,\
       ADDR SizeReadWrite,\
       NULL
invoke SendMessage,\
       hwndEdit,\
       WM_SETTEXT,\
       NULL,\
       pMemory

ReadFile reads from the current file pointer (the beginning, just after CreateFile) at most MEMSIZE-1 bytes into the block, so the last zero byte stays as terminator, and stores the number of bytes actually read in SizeReadWrite. The last parameter, a pointer to an OVERLAPPED structure, is NULL for synchronous I/O. A file larger than MEMSIZE-1 bytes is silently truncated. WM_SETTEXT with the pointer in lParam replaces the text of the edit control with the file's contents.

invoke CloseHandle,hFile
invoke GlobalUnlock,hMemory
invoke GlobalFree,hMemory
.endif

The file is closed with CloseHandle, the block is unlocked (GlobalUnlock takes the handle returned by GlobalAlloc, not the pointer) and freed: the text now lives in the edit control.

invoke SetFocus,hwndEdit

The keyboard focus goes back to the edit control after the dialog has closed.

Save differs in three points. First the flags:

mov ofn.Flags, OFN_LONGNAMES or \
               OFN_EXPLORER or \
               OFN_HIDEREADONLY

OFN_FILEMUSTEXIST and OFN_PATHMUSTEXIST are left out because the user may type a new name; GetSaveFileName is then called with the same ofn. Second, CreateFile is called with CREATE_NEW for dwCreationDistribution, so the file is created only if it does not exist; if the user picks an existing file the call returns INVALID_HANDLE_VALUE and nothing is written. CREATE_ALWAYS would overwrite instead, and the dialog's OFN_OVERWRITEPROMPT flag asks the user first. Third, the data goes the other way:

invoke SendMessage,hwndEdit,\
       WM_GETTEXT,\
       MEMSIZE-1,\
       pMemory
invoke WriteFile, hFile,\
       pMemory,\
       eax,\
       ADDR SizeReadWrite,\
       NULL

WM_GETTEXT copies up to MEMSIZE-1 characters of the control's text into the block (wParam is the buffer size, counting the terminating NUL) and returns the number of characters copied in eax, which is exactly the byte count passed to WriteFile. The handle is then closed and the memory freed as before.

Memory-mapped files

The source for this chapter is in SourceCodes\Asm32\Chapter12 on the book's CD.

Reading a file with ReadFile copies it into a buffer we allocate. A file mapping lets the system use the file itself as the backing store of a range of our address space, so its bytes can be read (or written) through a pointer and the memory manager pages them in and out as needed; no GlobalAlloc buffer is involved. This is how the PE loader brings an executable into memory, and a mapping backed by the page file is also the Win32 way to share memory between processes. The steps are:

1. CreateFile opens the file.
2. CreateFileMapping takes the file handle and returns a handle to a file mapping object; the file handle stays open and separate.
3. MapViewOfFile maps all or part of the file into the address space and returns the base address of the view.
4. Read or write the file through that pointer.
5. UnmapViewOfFile removes the view.
6. CloseHandle closes the file mapping object.
7. CloseHandle closes the file.

The example opens a file through the Open File dialog and maps it; File/Save As then writes the mapped bytes to a new file with a single WriteFile, a file copy that never allocates a buffer of its own.

.386
.model flat,stdcall
option casemap:none
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
.const
IDM_OPEN equ 1
IDM_SAVE equ 2
IDM_EXIT equ 3
MAXSIZE equ 260
.data
ClassName db "Win32ASMFileMappingClass",0
AppName db "Win32 ASM File Mapping Example",0
MenuName db "FirstMenu",0
ofn OPENFILENAME <>
FilterString db "All Files",0,"*.*",0
             db "Text Files",0,"*.txt",0,0
buffer db MAXSIZE dup(0)
hMapFile HANDLE 0               ; 0 while no file is mapped
.data?
hInstance HINSTANCE ?
CommandLine LPSTR ?
hFileRead HANDLE ?
hFileWrite HANDLE ?
hMenu HANDLE ?
pMemory DWORD ?
SizeWritten DWORD ?
.code
start:
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke GetCommandLine
    mov CommandLine,eax
    invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
    invoke ExitProcess,eax

WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hwnd:HWND
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_WINDOW+1
    mov wc.lpszMenuName,OFFSET MenuName
    mov wc.lpszClassName,OFFSET ClassName
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc
    invoke CreateWindowEx, WS_EX_CLIENTEDGE,\
           ADDR ClassName,\
           ADDR AppName,\
           WS_OVERLAPPEDWINDOW,\
           CW_USEDEFAULT,\
           CW_USEDEFAULT,\
           300,\
           200,\
           NULL,\
           NULL,\
           hInst,\
           NULL
    mov hwnd,eax
    invoke ShowWindow, hwnd,SW_SHOWNORMAL
    invoke UpdateWindow, hwnd
    .WHILE TRUE
        invoke GetMessage, ADDR msg,NULL,0,0
        .BREAK .IF (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .ENDW
    mov eax,msg.wParam
    ret
WinMain endp

WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    .IF uMsg==WM_CREATE
        invoke GetMenu,hWnd
        mov hMenu,eax
        mov ofn.lStructSize,SIZEOF ofn
        push hWnd
        pop ofn.hwndOwner
        push hInstance
        pop ofn.hInstance
        mov ofn.lpstrFilter, OFFSET FilterString
        mov ofn.lpstrFile, OFFSET buffer
        mov ofn.nMaxFile,MAXSIZE
    .ELSEIF uMsg==WM_DESTROY
        .if hMapFile!=0                 ; a file is still mapped: release it
            call CloseMapFile
        .endif
        invoke PostQuitMessage,NULL
    .ELSEIF uMsg==WM_COMMAND
        mov eax,wParam
        .if lParam==0
            .if ax==IDM_OPEN
                mov ofn.Flags, OFN_FILEMUSTEXIST or \
                               OFN_PATHMUSTEXIST or \
                               OFN_LONGNAMES or \
                               OFN_EXPLORER or \
                               OFN_HIDEREADONLY
                invoke GetOpenFileName, ADDR ofn
                .if eax==TRUE
                    invoke CreateFile, ADDR buffer,\
                           GENERIC_READ,\
                           0,\
                           NULL,\
                           OPEN_EXISTING,\
                           FILE_ATTRIBUTE_ARCHIVE,\
                           NULL
                    .if eax!=INVALID_HANDLE_VALUE
                        mov hFileRead,eax
                        invoke CreateFileMapping, hFileRead,\
                               NULL,\
                               PAGE_READONLY,\
                               0,\
                               0,\
                               NULL
                        mov hMapFile,eax
                        .if eax!=0
                            mov eax,OFFSET buffer
                            movzx edx,ofn.nFileOffset
                            add eax,edx             ; -> file name inside buffer
                            invoke SetWindowText,hWnd,eax
                            invoke EnableMenuItem,hMenu,IDM_OPEN,MF_GRAYED
                            invoke EnableMenuItem,hMenu,IDM_SAVE,MF_ENABLED
                        .else
                            invoke CloseHandle,hFileRead    ; e.g. zero-length file
                        .endif
                    .endif
                .endif
            .elseif ax==IDM_SAVE
                mov ofn.Flags, OFN_LONGNAMES or \
                               OFN_EXPLORER or \
                               OFN_HIDEREADONLY
                invoke GetSaveFileName, ADDR ofn
                .if eax==TRUE
                    invoke CreateFile,\
                           ADDR buffer,\
                           GENERIC_READ or GENERIC_WRITE,\
                           FILE_SHARE_READ or FILE_SHARE_WRITE,\
                           NULL,\
                           CREATE_NEW,\
                           FILE_ATTRIBUTE_ARCHIVE,\
                           NULL
                    .if eax!=INVALID_HANDLE_VALUE
                        mov hFileWrite,eax
                        invoke MapViewOfFile,hMapFile,\
                               FILE_MAP_READ,\
                               0,\
                               0,\
                               0
                        mov pMemory,eax
                        invoke GetFileSize,hFileRead,NULL
                        invoke WriteFile,hFileWrite,\
                               pMemory,\
                               eax,\
                               ADDR SizeWritten,\
                               NULL
                        invoke UnmapViewOfFile,pMemory
                        call CloseMapFile
                        invoke CloseHandle,hFileWrite
                        invoke SetWindowText,hWnd,ADDR AppName
                        invoke EnableMenuItem,hMenu,IDM_OPEN,MF_ENABLED
                        invoke EnableMenuItem,hMenu,IDM_SAVE,MF_GRAYED
                    .endif
                .endif
            .else
                invoke DestroyWindow, hWnd
            .endif
        .endif
    .ELSE
        invoke DefWindowProc,hWnd,uMsg,wParam,lParam
        ret
    .ENDIF
    xor eax,eax
    ret
WndProc endp

CloseMapFile PROC
    invoke CloseHandle,hMapFile
    mov hMapFile,0
    invoke CloseHandle,hFileRead
    ret
CloseMapFile endp
end start

Analysis of the program:

invoke CreateFile, ADDR buffer,\
       GENERIC_READ,\
       0,\
       NULL,\
       OPEN_EXISTING,\
       FILE_ATTRIBUTE_ARCHIVE,\
       NULL
mov hFileRead,eax

When the user has chosen a file, it is opened for reading only, and with dwShareMode 0, so no other process can open it while it is mapped. The access requested here must cover what the mapping will need: PAGE_READONLY requires a handle with GENERIC_READ.

invoke CreateFileMapping,hFileRead,\
       NULL,\
       PAGE_READONLY,\
       0,\
       0,\
       NULL

CreateFileMapping creates the file mapping object. Its prototype:

CreateFileMapping proto hFile:DWORD,\
    lpFileMappingAttributes:DWORD,\
    flProtect:DWORD,\
    dwMaximumSizeHigh:DWORD,\
    dwMaximumSizeLow:DWORD,\
    lpName:DWORD

hFile: the handle from CreateFile. INVALID_HANDLE_VALUE asks for a mapping backed by the page file instead, in which case the size must be given.

lpFileMappingAttributes: pointer to a SECURITY_ATTRIBUTES structure; NULL gives default security and a non-inheritable handle.

flProtect: protection of the pages: PAGE_READONLY, PAGE_READWRITE or PAGE_WRITECOPY. It must be compatible with the access of hFile.

dwMaximumSizeHigh and dwMaximumSizeLow: the maximum size of the mapping as a 64-bit value. 0 and 0 mean the current size of the file. A zero-length file cannot be mapped this way: CreateFileMapping then fails and returns NULL, which is why the handler above checks the result before using it.

lpName: a name for the mapping object, so that another process can open the same mapping with OpenFileMapping; NULL creates an unnamed mapping used only by this process.

The call returns a handle to the mapping object, or NULL on failure. Nothing is mapped yet, and the file handle remains open and separate.

mov eax,OFFSET buffer
movzx edx,ofn.nFileOffset
add eax,edx
invoke SetWindowText,hWnd,eax

The file name, found at buffer plus nFileOffset from the OPENFILENAME structure, is placed in the title bar.

invoke EnableMenuItem,hMenu,IDM_OPEN,MF_GRAYED
invoke EnableMenuItem,hMenu,IDM_SAVE,MF_ENABLED

While a file is mapped, Open is greyed out and Save As enabled, so only one file is mapped at a time.

.ELSEIF uMsg==WM_DESTROY
.if hMapFile!=0
call CloseMapFile
.endif
invoke PostQuitMessage,NULL

hMapFile is 0 while nothing is mapped. If the user closes the window with a file still mapped, WM_DESTROY calls CloseMapFile, which closes the mapping object and the file and resets hMapFile, so nothing leaks:

CloseMapFile PROC
invoke CloseHandle,hMapFile
mov hMapFile,0
invoke CloseHandle,hFileRead
ret
CloseMapFile endp

When the user picks Save As, GetSaveFileName is shown and the destination is created with CreateFile and CREATE_NEW, as in the editor example. Then:

invoke MapViewOfFile,hMapFile,\
       FILE_MAP_READ,\
       0,\
       0,\
       0
mov pMemory,eax

MapViewOfFile maps the file into our address space. Its prototype:

MapViewOfFile proto hFileMappingObject:DWORD,\
    dwDesiredAccess:DWORD,\
    dwFileOffsetHigh:DWORD,\
    dwFileOffsetLow:DWORD,\
    dwNumberOfBytesToMap:DWORD

hFileMappingObject: the handle from CreateFileMapping.

dwDesiredAccess: FILE_MAP_READ, FILE_MAP_WRITE or FILE_MAP_ALL_ACCESS; it cannot exceed the protection given in flProtect.

dwFileOffsetHigh and dwFileOffsetLow: the offset in the file where the view starts, as a 64-bit value; it must be a multiple of the system's allocation granularity (64 KB). 0 maps from the beginning.

dwNumberOfBytesToMap: how many bytes to map; 0 means from the offset to the end of the mapping.

The call returns the base address of the view, which is kept in pMemory. The file's bytes are not read in advance: each page is fetched the first time it is touched.

invoke GetFileSize,hFileRead,NULL

GetFileSize returns the low DWORD of the file size in eax; the second parameter, lpFileSizeHigh, would receive the high DWORD and NULL discards it, which is fine for files under 4 GB. On failure the function returns INVALID_FILE_SIZE (0FFFFFFFFh).

invoke WriteFile, hFileWrite,\
       pMemory,\
       eax,\
       ADDR SizeWritten,\
       NULL

The whole view is written to the new file in one WriteFile; the system pages the source in as WriteFile reads through it.

invoke UnmapViewOfFile,pMemory

The view is removed from the address space.

call CloseMapFile
invoke CloseHandle,hFileWrite

The mapping object and both files are closed.

invoke SetWindowText,hWnd,ADDR AppName

The title bar is restored.

invoke EnableMenuItem,hMenu,IDM_OPEN,MF_ENABLED
invoke EnableMenuItem,hMenu,IDM_SAVE,MF_GRAYED

Finally the Open item is enabled again and Save As greyed out, since no file is mapped any more.
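The copy the example performs through CreateFileMapping, MapViewOfFile and WriteFile, written as an added Python example with the standard mmap module so that it runs on any platform; it is not code from the book. It handles the two failure modes the assembly leaves to the caller: a zero-length source, which CreateFileMapping refuses (and mmap refuses with ValueError), and an existing destination, which CREATE_NEW refuses (here the "xb" open mode). The sample file contents are constructed in run_demo.

```python
import mmap
import os
import tempfile


def copy_via_mapping(src_path, dst_path):
    """Map src read-only (the PAGE_READONLY / FILE_MAP_READ case) and hand
    the whole view to one write, as WriteFile(hFileWrite, pMemory,
    GetFileSize(hFileRead), ...) does. Returns the number of bytes written.
    Raises FileExistsError if dst already exists (CREATE_NEW semantics)."""
    with open(src_path, "rb") as src:
        size = os.fstat(src.fileno()).st_size
        if size == 0:
            # CreateFileMapping fails with ERROR_FILE_INVALID on an empty
            # file and mmap raises ValueError; create an empty copy instead.
            with open(dst_path, "xb"):
                pass
            return 0
        with mmap.mmap(src.fileno(), 0, access=mmap.ACCESS_READ) as view, \
                open(dst_path, "xb") as dst:
            # the view is a buffer over the file: no intermediate copy
            return dst.write(view)


def run_demo():
    """Exercise the copy on constructed inputs in a scratch directory.
    Returns a dict with the byte counts and checks."""
    sample = b"Win32 ASM File Mapping Example\r\n" * 512   # constructed content
    work = tempfile.mkdtemp()
    src = os.path.join(work, "in.txt")
    dst = os.path.join(work, "out.txt")
    empty = os.path.join(work, "empty.txt")
    empty_out = os.path.join(work, "empty_out.txt")
    with open(src, "wb") as f:
        f.write(sample)
    open(empty, "wb").close()

    written = copy_via_mapping(src, dst)
    with open(dst, "rb") as f:
        identical = f.read() == sample
    empty_written = copy_via_mapping(empty, empty_out)
    try:
        copy_via_mapping(src, dst)          # dst exists: must be refused
        refused_existing = False
    except FileExistsError:
        refused_existing = True
    return {"size": len(sample), "written": written, "identical": identical,
            "empty_written": empty_written, "refused_existing": refused_existing}
```

The zero-length check mirrors what the assembly would have to do after CreateFileMapping returns NULL; without it, MapViewOfFile would be handed an invalid handle and WriteFile a NULL pointer.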

523

> )

AB"

O /E +/

> .+ . / /7@;2

Process
.

, ,S CD !) , 4 V

) 6

.] .

-A #

-/

SourceCodes\Asm32\Chapter13
5.

- () ) a / a B F G O# =

P# A

! 8U Process

.
.

2B

! a O# =

Process a

P# A

A4 = Process - .)

) / ( - 3 & . 2 ; !) / ! i ,-

)<

!V
.

a 2B V . /

) < '!

Process

2B .

) 2B

;. A=

Rb

!) 1 .

.a /
/

<

O# =

2B Rb
5.
. /

P#

uT . /
G # .

b 1)

# !) Process

f P# V !) !

( - 3 ! 5. V 2 ; p T

)<

)<

CreateProcess proto lpApplicationName:DWORD,\
lpCommandLine:DWORD,\
lpProcessAttributes:DWORD,\
lpThreadAttributes:DWORD,\
bInheritHandles:DWORD,\
dwCreationFlags:DWORD,\
lpEnvironment:DWORD,\
lpCurrentDirectory:DWORD,\
lpStartupInfo:DWORD,\
lpProcessInformation:DWORD

[Description of the call (lpCommandLine, the relationship between a Process and its Thread under Win32) is not recoverable from the scan.]

[Descriptions of the parameters are not recoverable from the scan; what survives:]

lpApplicationName: can be Null.
lpCommandLine: the command line, e.g. "notepad.exe my.txt" (used when lpApplicationName is Null).
lpProcessAttributes
lpThreadAttributes
bInheritHandles
dwCreationFlags: e.g. NORMAL_PRIORITY_CLASS.
lpEnvironment: Null.
lpCurrentDirectory: Null.
lpStartupInfo: a STARTUPINFO structure, filled in with GetStartupInfo.
lpProcessInformation: a PROCESS_INFORMATION structure that receives the handles and IDs of the new Process and its thread:

PROCESS_INFORMATION STRUCT
hProcess HANDLE ?
hThread HANDLE ?
dwProcessId DWORD ?
dwThreadId DWORD ?
PROCESS_INFORMATION ENDS

[Text on the process handle (Process Handle) and Process ID returned by CreateProcess, and on checking the Process with GetExitCodeProcess, is not recoverable from the scan.]
GetExitCodeProcess proto hProcess:DWORD, lpExitCode:DWORD

[Description of lpExitCode, which receives STILL_ACTIVE while the Process is still running, and of TerminateProcess is not recoverable from the scan.]
TerminateProcess proto hProcess:DWORD, uExitCode:DWORD

[Text on TerminateProcess (dlls are mentioned) and on the example program, which starts msgbox.exe from a Create Process menu item and ends it from a Terminate Process item, is not recoverable from the scan.]
.386
.model flat,stdcall
option casemap:none
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.const
IDM_CREATE_PROCESS equ 1
IDM_TERMINATE equ 2
IDM_EXIT equ 3
.data
ClassName db "Win32ASMProcessClass",0
AppName db "Win32 ASM Process Example",0
MenuName db "FirstMenu",0
processInfo PROCESS_INFORMATION <>       ; zeroed, so hProcess starts as 0
programname db "msgbox.exe",0
.data?
hInstance HINSTANCE ?
CommandLine LPSTR ?
hMenu HANDLE ?
ExitCode DWORD ?
.code
start:
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke GetCommandLine
    mov CommandLine,eax
    invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
    invoke ExitProcess,eax
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hwnd:HWND
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_WINDOW+1
    mov wc.lpszMenuName,OFFSET MenuName
    mov wc.lpszClassName,OFFSET ClassName
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc
    invoke CreateWindowEx, WS_EX_CLIENTEDGE,\
        ADDR ClassName,\
        ADDR AppName,\
        WS_OVERLAPPEDWINDOW,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        300,\
        200,\
        NULL,\
        NULL,\
        hInst,\
        NULL
    mov hwnd,eax
    invoke ShowWindow, hwnd,SW_SHOWNORMAL
    invoke UpdateWindow, hwnd
    invoke GetMenu,hwnd
    mov hMenu,eax
    .WHILE TRUE
        invoke GetMessage, ADDR msg,NULL,0,0
        .BREAK .IF (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .ENDW
    mov eax,msg.wParam
    ret
WinMain endp
WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    LOCAL startInfo:STARTUPINFO
    .IF uMsg==WM_DESTROY
        invoke PostQuitMessage,NULL
    .ELSEIF uMsg==WM_INITMENUPOPUP
        ; enable/gray the menu items according to the state of the child process
        invoke GetExitCodeProcess,processInfo.hProcess,ADDR ExitCode
        .if eax==TRUE
            .if ExitCode==STILL_ACTIVE
                invoke EnableMenuItem,hMenu,IDM_CREATE_PROCESS,MF_GRAYED
                invoke EnableMenuItem,hMenu,IDM_TERMINATE,MF_ENABLED
            .else
                invoke EnableMenuItem,hMenu,IDM_CREATE_PROCESS,MF_ENABLED
                invoke EnableMenuItem,hMenu,IDM_TERMINATE,MF_GRAYED
            .endif
        .else
            ; no valid process handle yet
            invoke EnableMenuItem,hMenu,IDM_CREATE_PROCESS,MF_ENABLED
            invoke EnableMenuItem,hMenu,IDM_TERMINATE,MF_GRAYED
        .endif
    .ELSEIF uMsg==WM_COMMAND
        mov eax,wParam
        .if lParam==0
            .if ax==IDM_CREATE_PROCESS
                .if processInfo.hProcess!=0
                    invoke CloseHandle,processInfo.hProcess
                    mov processInfo.hProcess,0
                .endif
                invoke GetStartupInfo,ADDR startInfo
                invoke CreateProcess,ADDR programname,\
                    NULL,\
                    NULL,\
                    NULL,\
                    FALSE,\
                    NORMAL_PRIORITY_CLASS,\
                    NULL,\
                    NULL,\
                    ADDR startInfo,\
                    ADDR processInfo
                invoke CloseHandle,processInfo.hThread   ; the thread handle is not needed
            .elseif ax==IDM_TERMINATE
                invoke GetExitCodeProcess,processInfo.hProcess,ADDR ExitCode
                .if ExitCode==STILL_ACTIVE
                    invoke TerminateProcess,processInfo.hProcess,0
                .endif
                invoke CloseHandle,processInfo.hProcess
                mov processInfo.hProcess,0
            .else
                invoke DestroyWindow,hWnd
            .endif
        .endif
    .ELSE
        invoke DefWindowProc,hWnd,uMsg,wParam,lParam
        ret
    .ENDIF
    xor eax,eax
    ret
WndProc endp
end start

[Analysis of the program is not recoverable from the scan; it begins with the WM_INITMENUPOPUP handler, which enables or grays the menu items depending on whether the Process is running:]
.ELSEIF uMsg==WM_INITMENUPOPUP
invoke GetExitCodeProcess,processInfo.hProcess,ADDR ExitCode
.if eax==TRUE
.if ExitCode==STILL_ACTIVE
invoke EnableMenuItem,hMenu,\
IDM_CREATE_PROCESS,\
MF_GRAYED
invoke EnableMenuItem,hMenu,IDM_TERMINATE,MF_ENABLED
.else
invoke EnableMenuItem,hMenu,\
IDM_CREATE_PROCESS,\
MF_ENABLED
invoke EnableMenuItem,hMenu,IDM_TERMINATE,MF_GRAYED
.endif
.else
invoke EnableMenuItem,hMenu,\
IDM_CREATE_PROCESS,\
MF_ENABLED
invoke EnableMenuItem,hMenu,IDM_TERMINATE,MF_GRAYED
.endif

[Explanation of the menu-state logic is not recoverable from the scan: GetExitCodeProcess returns False when no Process has been started yet, so Start Process is enabled and Terminate Process grayed; when it returns True and ExitCode is STILL_ACTIVE the Process is still running, so Terminate Process is enabled and Start Process grayed instead.]
.if ax==IDM_CREATE_PROCESS
    .if processInfo.hProcess!=0
        invoke CloseHandle,processInfo.hProcess
        mov processInfo.hProcess,0
    .endif
    invoke GetStartupInfo,ADDR startInfo
    invoke CreateProcess,ADDR programname,\
        NULL,\
        NULL,\
        NULL,\
        FALSE,\
        NORMAL_PRIORITY_CLASS,\
        NULL,\
        NULL,\
        ADDR startInfo,\
        ADDR processInfo
    invoke CloseHandle,processInfo.hThread

[Explanation of the Start Process handler is not recoverable from the scan: the PROCESS_INFORMATION structure is kept in the .data section, an hProcess handle left from a previous run is closed first, the STARTUPINFO structure (startInfo) is filled in with GetStartupInfo, CreateProcess is called, and the hThread handle is closed right away.]
.elseif ax==IDM_TERMINATE
invoke GetExitCodeProcess,processInfo.hProcess,\
ADDR ExitCode
.if ExitCode==STILL_ACTIVE
invoke TerminateProcess,processInfo.hProcess,0
.endif
invoke CloseHandle,processInfo.hProcess
mov processInfo.hProcess,0

[Explanation of the Terminate Process handler is not recoverable from the scan: if the Process is STILL_ACTIVE it is ended with TerminateProcess, then its hProcess handle is closed.]
Multithreading

SourceCodes\Asm32\Chapter14

[Introduction is not recoverable from the scan: it contrasts Win16 with Win32, where a Process can have several threads that each have their own Stack, and distinguishes two kinds of thread, 1. the user-interface thread and 2. the worker thread, before introducing CreateThread.]
CreateThread proto lpThreadAttributes:DWORD,\
dwStackSize:DWORD,\
lpStartAddress:DWORD,\
lpParameter:DWORD,\
dwCreationFlags:DWORD,\
lpThreadId:DWORD

[Description of lpThreadAttributes (Null), dwStackSize and lpStartAddress is not recoverable from the scan.]

[Description of the thread function, lpParameter, dwCreationFlags (CREATE_SUSPENDED, after which ResumeThread starts the thread) and lpThreadId (which receives the thread ID) is not recoverable from the scan.]
[Text on how a thread ends (returning with ret, calling ExitThread, or being ended from outside with TerminateThread) and on how threads communicate (global variables, custom window messages defined above WM_USER, Event objects) is not recoverable from the scan.]

WM_MYCUSTOMMSG equ WM_USER+100h

[Explanation of custom messages and of the two directions of communication is not recoverable from the scan.]
User interface Thread --> global variable(s) --> Worker thread
Worker Thread ---> custom window message(s) --> User Interface Thread

[Description of the example is not recoverable from the scan: after the Savage Calculation menu item is chosen, a worker thread executes "add eax , eax" 600,000,000 times and then reports completion to the main window with a custom message, which is answered with a MessageBox.]
.386
.model flat,stdcall
option casemap:none
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.const
IDM_CREATE_THREAD equ 1
IDM_EXIT equ 2
WM_FINISH equ WM_USER+100h               ; custom message posted by the worker
.data
ClassName db "Win32ASMThreadClass",0
AppName db "Win32 ASM MultiThreading Example",0
MenuName db "FirstMenu",0
SuccessString db "The calculation is completed!",0
.data?
hInstance HINSTANCE ?
CommandLine LPSTR ?
hwnd HANDLE ?                            ; global: the worker posts to it
ThreadID DWORD ?
.code
start:
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke GetCommandLine
    mov CommandLine,eax
    invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
    invoke ExitProcess,eax
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_WINDOW+1
    mov wc.lpszMenuName,OFFSET MenuName
    mov wc.lpszClassName,OFFSET ClassName
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc
    invoke CreateWindowEx, WS_EX_CLIENTEDGE,\
        ADDR ClassName,\
        ADDR AppName,\
        WS_OVERLAPPEDWINDOW,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        300,\
        200,\
        NULL,\
        NULL,\
        hInst,\
        NULL
    mov hwnd,eax
    invoke ShowWindow, hwnd,SW_SHOWNORMAL
    invoke UpdateWindow, hwnd
    .WHILE TRUE
        invoke GetMessage, ADDR msg,NULL,0,0
        .BREAK .IF (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .ENDW
    mov eax,msg.wParam
    ret
WinMain endp
WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    .IF uMsg==WM_DESTROY
        invoke PostQuitMessage,NULL
    .ELSEIF uMsg==WM_COMMAND
        mov eax,wParam
        .if lParam==0
            .if ax==IDM_CREATE_THREAD
                mov eax,OFFSET ThreadProc
                ; lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter,
                ; dwCreationFlags, lpThreadId (the listing omitted lpParameter)
                invoke CreateThread,NULL,\
                    NULL,\
                    eax,\
                    NULL,\
                    0,\
                    ADDR ThreadID
                invoke CloseHandle,eax     ; handle not needed; the thread keeps running
            .else
                invoke DestroyWindow,hWnd
            .endif
        .endif
    .ELSEIF uMsg==WM_FINISH
        invoke MessageBox,NULL,\
            ADDR SuccessString,\
            ADDR AppName,\
            MB_OK
    .ELSE
        invoke DefWindowProc,hWnd,uMsg,wParam,lParam
        ret
    .ENDIF
    xor eax,eax
    ret
WndProc endp
ThreadProc PROC USES ecx Param:DWORD
    mov ecx,600000000
Loop1:
    add eax,eax
    dec ecx
    jz Get_out
    jmp Loop1
Get_out:
    invoke PostMessage,hwnd,WM_FINISH,NULL,NULL   ; tell the UI thread we are done
    ret
ThreadProc ENDP
end start

[Analysis is not recoverable from the scan; it begins with the CreateThread menu handler:]
.if ax==IDM_CREATE_THREAD
mov eax,OFFSET ThreadProc
invoke CreateThread,NULL,\
NULL,\
eax,\
NULL,\
0,\
ADDR ThreadID
invoke CloseHandle,eax

[Explanation is not recoverable from the scan: the address of ThreadProc is passed to CreateThread as the thread function, and the thread handle it returns is closed with CloseHandle since it is not used afterwards.]
ThreadProc PROC USES ecx Param:DWORD
    mov ecx,600000000
Loop1:
    add eax,eax
    dec ecx
    jz Get_out
    jmp Loop1
Get_out:
    invoke PostMessage,hwnd,WM_FINISH,NULL,NULL
    ret
ThreadProc ENDP

[Explanation is not recoverable from the scan: when the loop ends, ThreadProc posts the custom message WM_FINISH, defined as

WM_FINISH equ WM_USER+100h

to the main window, whose window procedure answers with a MessageBox. The text also describes a KillThread flag (True/False) that ThreadProc checks so that the thread can be stopped from the menu.]
Event

SourceCodes\Asm32\Chapter15

[Introduction is not recoverable from the scan: an Event object is used to synchronize threads; it is either Signaled or Nonsignaled, and a thread waits for it with WaitForSingleObject without using CPU time.]

CreateEvent proto lpEventAttributes:DWORD,\
bManualReset:DWORD,\
bInitialState:DWORD,\
lpName:DWORD

[Description of lpEventAttributes and bManualReset is not recoverable from the scan (ResetEvent, Signaled and Nonsignaled are mentioned).]
CreateEvent proto lpEventAttributes
bManualReset
bInitialState
lpName:DWORD

[Description of bInitialState (True creates the Event already Signaled), lpName (Null here; a named Event can later be opened with OpenEvent), and of SetEvent and ResetEvent, which put the Event into the Signaled and Nonsignaled state, and of WaitForSingleObject is not recoverable from the scan.]
WaitForSingleObject proto hObject:DWORD, dwTimeout:DWORD

Event s . /

g 3 !

R ",- s

) (! , hObject

.
. b

Signaled

O
=V

3 ,-

= .
- G

) !

. 5.

1 . /

31 . 5. (

g 3 R

INFINITE !
.d !

Run Thread d b 9
(

- : MessageBox

Stop d b 9

'! B !) .)
d- R T !)

() ) p ,
/

.( <T

.! / ' 8 k V % < Q > !) . -)

.386
.model flat,stdcall
option casemap:none
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.const
IDM_START_THREAD equ 1
IDM_STOP_THREAD equ 2
IDM_EXIT equ 3
WM_FINISH equ WM_USER+100h
.data
ClassName db "Win32ASMEventClass",0
AppName db "Win32 ASM Event Example",0
MenuName db "FirstMenu",0
SuccessString db "The calculation is completed!",0
StopString db "The thread is stopped",0
EventStop BOOL FALSE                     ; set by the Stop Thread menu item
.data?
hInstance HINSTANCE ?
CommandLine LPSTR ?
hwnd HANDLE ?
hMenu HANDLE ?
ThreadID DWORD ?
ExitCode DWORD ?
hEventStart HANDLE ?                     ; signaled by the Start Thread menu item
.code
start:
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke GetCommandLine
    mov CommandLine,eax
    invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
    invoke ExitProcess,eax
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_WINDOW+1
    mov wc.lpszMenuName,OFFSET MenuName
    mov wc.lpszClassName,OFFSET ClassName
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc
    invoke CreateWindowEx, WS_EX_CLIENTEDGE,\
        ADDR ClassName,\
        ADDR AppName,\
        WS_OVERLAPPEDWINDOW,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        300,\
        200,\
        NULL,\
        NULL,\
        hInst,\
        NULL
    mov hwnd,eax
    invoke ShowWindow, hwnd,SW_SHOWNORMAL
    invoke UpdateWindow, hwnd
    invoke GetMenu,hwnd
    mov hMenu,eax
    .WHILE TRUE
        invoke GetMessage, ADDR msg,NULL,0,0
        .BREAK .IF (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .ENDW
    mov eax,msg.wParam
    ret
WinMain endp
WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    .IF uMsg==WM_CREATE
        ; auto-reset event, initially nonsignaled
        invoke CreateEvent,NULL,FALSE,FALSE,NULL
        mov hEventStart,eax
        mov eax,OFFSET ThreadProc
        invoke CreateThread,NULL,\
            NULL,\
            eax,\
            NULL,\
            0,\
            ADDR ThreadID
        invoke CloseHandle,eax
    .ELSEIF uMsg==WM_DESTROY
        invoke PostQuitMessage,NULL
    .ELSEIF uMsg==WM_COMMAND
        mov eax,wParam
        .if lParam==0
            .if ax==IDM_START_THREAD
                invoke SetEvent,hEventStart      ; releases the waiting worker
                invoke EnableMenuItem,hMenu,\
                    IDM_START_THREAD,\
                    MF_GRAYED
                invoke EnableMenuItem,hMenu,\
                    IDM_STOP_THREAD,\
                    MF_ENABLED
            .elseif ax==IDM_STOP_THREAD
                mov EventStop,TRUE
                invoke EnableMenuItem,hMenu,\
                    IDM_START_THREAD,\
                    MF_ENABLED
                invoke EnableMenuItem,hMenu,\
                    IDM_STOP_THREAD,\
                    MF_GRAYED
            .else
                invoke DestroyWindow,hWnd
            .endif
        .endif
    .ELSEIF uMsg==WM_FINISH
        invoke MessageBox,NULL,ADDR SuccessString,ADDR AppName,MB_OK
    .ELSE
        invoke DefWindowProc,hWnd,uMsg,wParam,lParam
        ret
    .ENDIF
    xor eax,eax
    ret
WndProc endp
ThreadProc PROC USES ecx Param:DWORD
    ; block here (no CPU used) until the Start Thread item signals the event
    invoke WaitForSingleObject,hEventStart,INFINITE
    mov ecx,600000000
    .WHILE ecx!=0
        .if EventStop!=TRUE
            add eax,eax
            dec ecx
        .else
            invoke MessageBox,hwnd,\
                ADDR StopString,\
                ADDR AppName,\
                MB_OK
            mov EventStop,FALSE
            jmp ThreadProc                   ; go back to waiting for the event
        .endif
    .ENDW
    invoke PostMessage,hwnd,WM_FINISH,NULL,NULL
    invoke EnableMenuItem,hMenu,IDM_START_THREAD,MF_ENABLED
    invoke EnableMenuItem,hMenu,IDM_STOP_THREAD,MF_GRAYED
    jmp ThreadProc
    ret
ThreadProc ENDP
end start

[Analysis is not recoverable from the scan; it begins with the WM_CREATE handler, which creates the Event and the worker thread:]

.IF uMsg == WM_CREATE
    invoke CreateEvent,NULL,FALSE,FALSE,NULL
    mov hEventStart,eax
    mov eax,OFFSET ThreadProc
    invoke CreateThread,NULL,\
        NULL,\
        eax,\
        NULL,\
        0,\
        ADDR ThreadID
    invoke CloseHandle,eax

[Explanation is not recoverable from the scan: the Event is created Nonsignaled, so the thread created right after it does not start its work yet.]
ThreadProc PROC USES ecx Param:DWORD
    invoke WaitForSingleObject,hEventStart,INFINITE
    mov ecx,600000000

[Explanation is not recoverable from the scan: ThreadProc calls WaitForSingleObject with INFINITE and so blocks until the Event becomes Signaled, which the Run Thread menu item brings about:]
.if ax==IDM_START_THREAD
invoke SetEvent,hEventStart

[Explanation is not recoverable from the scan: SetEvent puts the Event into the Signaled state and WaitForSingleObject returns; the Stop Thread item sets EventStop to True, which the loop checks on every iteration:]
.if EventStop==FALSE
add eax,eax
dec ecx
.else
invoke MessageBox, hwnd,\
ADDR StopString,\
ADDR AppName,\
MB_OK
mov EventStop,FALSE
jmp ThreadProc
.endif

[Explanation is not recoverable from the scan: because bManualReset was passed as False to CreateEvent, the Event returns to Nonsignaled by itself once WaitForSingleObject has released the thread, so the next Run Thread has to signal it again.]
Dynamic Link Libraries (dll)

SourceCodes\Asm32\Chapter16

[Introduction is not recoverable from the scan: it recalls how under Dos the Linker bound every routine into one file (Static Linking), describes how a dll is mapped into the address space of each process that loads it with its own copy of the Data Section, and how a program reaches a dll either explicitly, with LoadLibrary and GetProcAddress (printed as GetProcessAddress), or implicitly through Import Libraries resolved by the linker.]
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
.code
DllEntry proc hInstDLL:HINSTANCE, reason:DWORD, reserved1:DWORD
    mov eax,TRUE
    ret
DllEntry Endp
TestFunction proc
    ret
TestFunction endp
End DllEntry

The module-definition file:

LIBRARY DLLSkeleton
EXPORTS TestFunction

[Explanation of the skeleton (four numbered points on the dll entry function and how the dll is loaded with LoadLibrary) is not recoverable from the scan.]
DllEntry proc hInstDLL:HINSTANCE, reason:DWORD, reserved1:DWORD
    mov eax,TRUE
    ret
DllEntry Endp

[Description of the DllEntry parameters is not recoverable from the scan: hInstDLL is the module handle of the dll; Reason is DLL_PROCESS_ATTACH when the dll is loaded into a process and DLL_PROCESS_DETACH when it is unloaded; the function returns True in eax on success and False to refuse the load. The exported functions are declared in a module-definition (.def) file:]
LIBRARY DLLSkeleton
EXPORTS TestFunction

[Explanation is not recoverable from the scan: the other two Reason values are DLL_THREAD_ATTACH, when the process creates a new thread, and DLL_THREAD_DETACH, when a thread ends; the .def file names the functions to Export.]

[Explanation is not recoverable from the scan: LIBRARY gives the name of the dll and EXPORTS lists the exported functions, here TestFunction; the linker is given the "/dll" switch and "/def:<def file path>" to name the .def file:]
link /DLL /SUBSYSTEM:WINDOWS /DEF:DLLSkeleton.def /LIBPATH:c:\masm32\DLLSkeleton.obj

[Explanation is not recoverable from the scan: the source is assembled with the "/c /coff /cp" switches into an obj file, and linking the dll also produces a Lib (import library) file for programs that link to it implicitly. A program that loads the dll at run time calls LoadLibrary and must check its result:]

.if eax==NULL
    invoke MessageBox,NULL,\
        addr DllNotFound,\
        addr AppName,\
        MB_OK

[The complete loader program:]
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
.data
LibName db "DLLSkeleton.dll",0
; the name must match the EXPORTS entry of the dll (TestFunction above);
; the listing looked up "TestHello", which this dll does not export
FunctionName db "TestFunction",0
DllNotFound db "Cannot load library",0
AppName db "Load Library",0
FunctionNotFound db "TestFunction function not found",0
.data?
hLib dd ?
TestHelloAddr dd ?
.code
start:
    invoke LoadLibrary,addr LibName
    .if eax==NULL
        invoke MessageBox,NULL,\
            addr DllNotFound,\
            addr AppName,\
            MB_OK
    .else
        mov hLib,eax
        invoke GetProcAddress,hLib,addr FunctionName
        .if eax==NULL
            invoke MessageBox,NULL,\
                addr FunctionNotFound,\
                addr AppName,\
                MB_OK
        .else
            mov TestHelloAddr,eax
            call [TestHelloAddr]            ; call the exported function by address
        .endif
        invoke FreeLibrary,hLib             ; unload once the dll is no longer needed
    .endif
    invoke ExitProcess,NULL
end start
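An added example, not code from the book: a dll whose DllEntry acts on each of the four Reason values the chapter lists, stores the module handle it receives, keeps a count of attached threads, and exports two functions a host can reach with GetProcAddress exactly as the loader above does. ReasonDemo and all function and variable names are this example's own.

```asm
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data
hDllInstance HINSTANCE 0    ; module handle received on DLL_PROCESS_ATTACH
ThreadCount  DWORD 0        ; host threads that attached after the dll was loaded

.code
; Entry point: the loader calls it with the four Reason values.
; Only threads created after the dll is loaded produce DLL_THREAD_ATTACH.
; The loader serializes these calls, so the counter needs no locking.
DllEntry proc hInstDLL:HINSTANCE, reason:DWORD, reserved1:DWORD
    .if reason == DLL_PROCESS_ATTACH
        push hInstDLL
        pop hDllInstance
    .elseif reason == DLL_THREAD_ATTACH
        inc ThreadCount
    .elseif reason == DLL_THREAD_DETACH
        dec ThreadCount
    .elseif reason == DLL_PROCESS_DETACH
        mov hDllInstance, 0
    .endif
    mov eax, TRUE           ; FALSE on DLL_PROCESS_ATTACH would make LoadLibrary fail
    ret
DllEntry endp

; Exported functions: a host obtains their addresses with GetProcAddress
GetDllInstance proc
    mov eax, hDllInstance
    ret
GetDllInstance endp

GetThreadCount proc
    mov eax, ThreadCount
    ret
GetThreadCount endp
End DllEntry

; ReasonDemo.def, given to the linker with /DEF:ReasonDemo.def:
;   LIBRARY ReasonDemo
;   EXPORTS GetDllInstance
;           GetThreadCount
```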

Common Controls

SourceCodes\Asm32\Chapter17

[Introduction is not recoverable from the scan: Windows 3.1 offered only a few standard controls, and Windows 95 added the common controls such as the StatusBar and ToolBar.]
Common controls available under Win9X and WinNT:

Toolbar
Tooltip
Status bar
Property sheet
Property page
Tree view
List view
Animation
Drag list
Header
Hot-key
Image list
Progress bar
Rich edit
Tab
Trackbar
Up-down

[Explanation is not recoverable from the scan: the common controls live in Comctl32.dll, the exception being RichEdit, which has its own dll that must be loaded with LoadLibrary; a program calls InitCommonControls, a function in Comctl32.dll, so that the dll is loaded; the controls are then created with CreateWindow or CreateWindowEx using the class names listed next, while a few have their own creation functions:

CreateToolbarEx
CreateStatusWindow
CreatePropertySheetPage
PropertySheet
ImageList_Create

The window class names of the common controls:]
Class Name            Common Control
ToolbarWindow32       Toolbar
tooltips_class32      Tooltip
msctls_statusbar32    Status bar
SysTreeView32         Tree view
SysListView32         List view
SysAnimate32          Animation
SysHeader32           Header
msctls_hotkey32       Hot-key
msctls_progress32     Progress bar
RICHEDIT              Rich edit
msctls_updown32       Up-down
SysTabControl32       Tab

[Explanation is not recoverable from the scan: each control has its own window styles (TVS_XXXX for the TreeView, LVS_XXXX for the ListView, documented in the Win32 API Reference) and is created as a WS_CHILD window; the Property Sheet, Property Page, ImageList and DragListBox (built on an ordinary List Box) are created differently; unlike the standard controls, which notify the parent with WM_COMMAND, the common controls send their notifications with WM_NOTIFY. The example program that follows uses a Progress Bar and a Status Bar.]
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\comctl32.inc
includelib \masm32\lib\comctl32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

WinMain PROTO :DWORD,:DWORD,:DWORD,:DWORD

.const
; control IDs
IDC_PROGRESS equ 1
IDC_STATUS   equ 2
IDC_TIMER    equ 3

.data
ClassName     db "CommonControlWinClass",0
AppName       db "Common Control Demo",0
ProgressClass db "msctls_progress32",0     ; window class of the progress bar
Message       db "Finished!",0
TimerID       dd 0                         ; 0 while no timer is running

.data?
hInstance    HINSTANCE ?
hwndProgress dd ?
hwndStatus   dd ?
CurrentStep  dd ?

.code
start:
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke WinMain, hInstance,NULL,NULL, SW_SHOWDEFAULT
    invoke ExitProcess,eax
    ; never executed: the reference alone puts InitCommonControls in the
    ; import table, so Comctl32.dll is loaded with the program
    invoke InitCommonControls

WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hwnd:HWND
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_APPWORKSPACE
    mov wc.lpszMenuName,NULL
    mov wc.lpszClassName,OFFSET ClassName
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc
    invoke CreateWindowEx, WS_EX_CLIENTEDGE,\
                ADDR ClassName,\
                ADDR AppName,\
                WS_OVERLAPPED + WS_CAPTION + WS_SYSMENU + WS_MINIMIZEBOX +\
                WS_MAXIMIZEBOX + WS_VISIBLE,\
                CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,\
                NULL,NULL,hInst,NULL
    mov hwnd,eax
    .while TRUE
        invoke GetMessage, ADDR msg,NULL,0,0
        .BREAK .IF (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .endw
    mov eax,msg.wParam
    ret
WinMain endp

WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    .if uMsg==WM_CREATE
        ; the progress bar is a child window; IDC_PROGRESS goes in the hMenu slot
        invoke CreateWindowEx,NULL,ADDR ProgressClass,NULL,\
                    WS_CHILD+WS_VISIBLE,100,200,300,20,hWnd,IDC_PROGRESS,\
                    hInstance,NULL
        mov hwndProgress,eax
        ; PBM_SETRANGE: lParam carries the range, low word = minimum,
        ; high word = maximum
        mov eax,1000
        mov CurrentStep,eax
        shl eax,16                      ; maximum 1000 in the high word, minimum 0
        invoke SendMessage,hwndProgress,PBM_SETRANGE,0,eax
        invoke SendMessage,hwndProgress,PBM_SETSTEP,10,0
        invoke CreateStatusWindow,WS_CHILD+WS_VISIBLE,NULL,hWnd,IDC_STATUS
        mov hwndStatus,eax
        invoke SetTimer,hWnd,IDC_TIMER,100,NULL    ; WM_TIMER every 100 ms
        mov TimerID,eax
    .elseif uMsg==WM_DESTROY
        invoke PostQuitMessage,NULL
        .if TimerID!=0
            invoke KillTimer,hWnd,TimerID
        .endif
    .elseif uMsg==WM_TIMER
        ; each tick advances the bar by the step set with PBM_SETSTEP
        invoke SendMessage,hwndProgress,PBM_STEPIT,0,0
        sub CurrentStep,10
        .if CurrentStep==0
            invoke KillTimer,hWnd,TimerID
            mov TimerID,0
            invoke SendMessage,hwndStatus,SB_SETTEXT,0,addr Message
            invoke MessageBox,hWnd,addr Message,addr AppName,MB_OK+MB_ICONINFORMATION
            invoke SendMessage,hwndStatus,SB_SETTEXT,0,0
            invoke SendMessage,hwndProgress,PBM_SETPOS,0,0
        .endif
    .else
        invoke DefWindowProc,hWnd,uMsg,wParam,lParam
        ret
    .endif
    xor eax,eax
    ret
WndProc endp
end start

Walking through the code:

invoke WinMain, hInstance,NULL,NULL, SW_SHOWDEFAULT
invoke ExitProcess,eax
invoke InitCommonControls

The call to InitCommonControls stands after ExitProcess, so it is never executed. It does not have to be: the reference alone puts InitCommonControls into the import table, and Windows therefore loads Comctl32.dll into the process before the program starts. Comctl32.dll registers its window classes when it is loaded. Without such a reference the DLL would not be present and CreateWindowEx with the class name "msctls_progress32" would fail, because no such class would exist. The progress bar is created in WM_CREATE:
.if uMsg==WM_CREATE
    invoke CreateWindowEx,NULL,ADDR ProgressClass,NULL,\
                WS_CHILD+WS_VISIBLE,100,200,300,20,hWnd,IDC_PROGRESS,\
                hInstance,NULL
    mov hwndProgress,eax

CreateWindowEx is used exactly as for any child control: the class name is "msctls_progress32", WS_CHILD is required (together with WS_VISIBLE so that the control is shown at once), the parent is our main window, and the control ID IDC_PROGRESS is passed in the parameter that holds a menu handle for top-level windows. The handle returned in eax is saved in hwndProgress so that messages can be sent to the control later.
mov eax,1000
mov CurrentStep,eax
shl eax,16
invoke SendMessage,hwndProgress,PBM_SETRANGE,0,eax
invoke SendMessage,hwndProgress,PBM_SETSTEP,10,0

The range of a progress bar is set with PBM_SETRANGE. Both limits travel in lParam: the low word is the minimum and the high word the maximum. The code therefore puts 1000 in eax and shifts it left by 16 bits, which gives a minimum of 0 and a maximum of 1000; wParam is not used. Because the limits are 16-bit words, this form of the message cannot express a range beyond 65535; PBM_SETRANGE32, which takes the minimum in wParam and the maximum in lParam, removes that limit.

PBM_SETSTEP sets the step size, here 10 in wParam. Each PBM_STEPIT then advances the bar by one step, so 100 steps fill it. PBM_SETPOS sets the position directly and is used at the end to reset the bar to 0. CurrentStep is our own counter: it starts at 1000 and is decremented by 10 per tick so that the program knows when the bar is full.
invoke CreateStatusWindow,WS_CHILD+WS_VISIBLE,\
NULL,\
hWnd,\
IDC_STATUS
mov hwndStatus,eax
invoke SetTimer,hWnd,\
IDC_TIMER,\
100,\
NULL
; create a timer
mov TimerID,eax

The status bar has its own creation function, CreateStatusWindow, which takes the window style, the initial text (NULL here), the parent window and the control ID. Its handle is kept in hwndStatus. A timer then drives the animation. SetTimer is declared as:

SetTimer PROTO hWnd:DWORD, TimerID:DWORD, TimeInterval:DWORD, lpTimerProc:DWORD

hWnd is the window that owns the timer. TimerID is the identifier the timer will carry in the wParam of WM_TIMER. TimeInterval is the period in milliseconds, 100 here. lpTimerProc is the address of a timer procedure to be called on every tick, or NULL, in which case Windows posts a WM_TIMER message to the window procedure of hWnd instead. The return value is the timer identifier, or 0 on failure; it is stored in TimerID so that the timer can be stopped with KillTimer later, and so that WM_DESTROY can tell whether a timer is still running.
.elseif uMsg==WM_TIMER
invoke SendMessage,hwndProgress,PBM_STEPIT,0,0
sub CurrentStep,10
.if CurrentStep==0
invoke KillTimer,hWnd,TimerID
mov TimerID,0
invoke SendMessage,hwndStatus,SB_SETTEXT,0,addr Message
invoke MessageBox,hWnd,\
addr Message,\
addr AppName,\
MB_OK+MB_ICONINFORMATION
invoke SendMessage,hwndStatus,SB_SETTEXT,0,0
invoke SendMessage,hwndProgress,PBM_SETPOS,0,0
.endif

Every 100 ms the window procedure receives WM_TIMER. The handler sends PBM_STEPIT to move the bar forward by one step and subtracts 10 from CurrentStep. When CurrentStep reaches 0 the bar is full: the timer is stopped with KillTimer and TimerID is cleared, the text "Finished!" is shown in the status bar with SB_SETTEXT (wParam selects the part of the status bar, 0 for the first, and lParam points to the string), a message box is displayed, and after the user presses OK the status bar text is cleared with another SB_SETTEXT and the progress bar is reset to 0 with PBM_SETPOS.
Subclassing
Sample source: SourceCodes\Asm32\Chapter18

This chapter is about subclassing: taking over the messages of a window we did not write, in order to change or extend its behaviour. The example is an edit control that accepts only hexadecimal digits.

Windows delivers a message to a window by looking up the address of the window's procedure, which was stored in the window class when the class was registered and copied into the window when it was created, and calling that address. As long as the edit control's own procedure sees every message, there is no way to stop the user typing "g" into the box. Subclassing substitutes the address of our procedure for the control's, so that every message reaches us first. We filter what we want to filter (here WM_CHAR) and hand everything else on to the original procedure of the edit control, so the control keeps working as before. The change is made per window, not per class: only the window we subclass is affected, and it is stored in that window's own data, not in the class.

Before subclassing:

Windows ---> edit control's window procedure

After subclassing:

Windows ---> our window procedure ---> edit control's window procedure

The address of the window procedure is normally supplied in the lpfnWndProc member of the WNDCLASSEX structure passed to RegisterClassEx. For a window that already exists, we change the copy Windows keeps for that particular window with SetWindowLong:
SetWindowLong PROTO hWnd:DWORD, nIndex:DWORD, dwNewLong:DWORD

hWnd is the handle of the window whose attribute we want to change. nIndex selects the attribute:

GWL_EXSTYLE    the extended window style
GWL_STYLE      the window style
GWL_WNDPROC    the address of the window procedure
GWL_HINSTANCE  the instance handle of the module that owns the window
GWL_ID         the identifier of the window (for child windows)
GWL_USERDATA   a 32-bit value reserved for the application's own use

dwNewLong is the new 32-bit value. The function returns the previous value of the attribute. For our purpose nIndex is GWL_WNDPROC, dwNewLong is the address of our procedure, and the returned value is the address of the edit control's original procedure, which we must keep: every message we do not handle ourselves is forwarded to it, and that is done with CallWindowProc rather than by calling the address directly:

CallWindowProc PROTO lpPrevWndFunc:DWORD,\
                     hWnd:DWORD,\
                     Msg:DWORD,\
                     wParam:DWORD,\
                     lParam:DWORD

lpPrevWndFunc is the value returned by SetWindowLong; the other four parameters are simply the ones our procedure received. CallWindowProc is required because the value SetWindowLong returns is not guaranteed to be a callable address: when the window and the caller differ in character set (ANSI versus Unicode), Windows returns a handle that only CallWindowProc knows how to use. The whole subclassing program:
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\comctl32.inc
includelib \masm32\lib\comctl32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

WinMain     PROTO :DWORD,:DWORD,:DWORD,:DWORD
EditWndProc PROTO :DWORD,:DWORD,:DWORD,:DWORD

.data
ClassName db "SubclassWinClass",0
AppName   db "Subclassing Demo",0
EditClass db "EDIT",0
Message   db "You pressed Enter in the text box!",0

.data?
hInstance  HINSTANCE ?
hwndEdit   dd ?
OldWndProc dd ?            ; original window procedure of the edit control

.code
start:
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke WinMain, hInstance,NULL,NULL, SW_SHOWDEFAULT
    invoke ExitProcess,eax

WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hwnd:HWND
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_APPWORKSPACE
    mov wc.lpszMenuName,NULL
    mov wc.lpszClassName,OFFSET ClassName
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc
    invoke CreateWindow
Ex, WS_EX_CLIENTEDGE,\
                ADDR ClassName,\
                ADDR AppName,\
                WS_OVERLAPPED + WS_CAPTION + WS_SYSMENU + WS_MINIMIZEBOX +\
                WS_MAXIMIZEBOX + WS_VISIBLE,\
                CW_USEDEFAULT,CW_USEDEFAULT,350,200,\
                NULL,NULL,hInst,NULL
    mov hwnd,eax
    .while TRUE
        invoke GetMessage, ADDR msg,NULL,0,0
        .BREAK .IF (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .endw
    mov eax,msg.wParam
    ret
WinMain endp

WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    .if uMsg==WM_CREATE
        invoke CreateWindowEx,WS_EX_CLIENTEDGE,\
                    ADDR EditClass,NULL,\
                    WS_CHILD + WS_VISIBLE + WS_BORDER,\
                    20,20,300,25,hWnd,NULL,hInstance,NULL
        mov hwndEdit,eax
        invoke SetFocus,eax
        ;----------------------------------------
        ; Subclass it!
        ;----------------------------------------
        invoke SetWindowLong,hwndEdit,GWL_WNDPROC,addr EditWndProc
        mov OldWndProc,eax
    .elseif uMsg==WM_DESTROY
        invoke PostQuitMessage,NULL
    .else
        invoke DefWindowProc,hWnd,uMsg,wParam,lParam
        ret
    .endif
    xor eax,eax
    ret
WndProc endp

EditWndProc PROC hEdit:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    .if uMsg==WM_CHAR
        mov eax,wParam
        .if (al>="0" && al<="9") || \
            (al>="A" && al<="F") || \
            (al>="a" && al<="f") || \
            al==VK_BACK
            .if al>="a" && al<="f"
                sub al,20h              ; a-f becomes A-F
            .endif
            invoke CallWindowProc,OldWndProc,hEdit,uMsg,eax,lParam
            ret
        .endif
        ; any other character is swallowed: it never reaches the edit control
    .elseif uMsg==WM_KEYDOWN
        mov eax,wParam
        .if al==VK_RETURN
            invoke MessageBox,hEdit,addr Message,addr AppName,MB_OK + MB_ICONINFORMATION
            invoke SetFocus,hEdit
        .else
            invoke CallWindowProc,OldWndProc,hEdit,uMsg,wParam,lParam
            ret
        .endif
    .else
        invoke CallWindowProc,OldWndProc,hEdit,uMsg,wParam,lParam
        ret
    .endif
    xor eax,eax
    ret
EditWndProc endp
end start

Walking through the code: the edit control is created in WM_CREATE and given the focus, and is then subclassed:

invoke SetWindowLong,hwndEdit,GWL_WNDPROC,addr EditWndProc
mov OldWndProc,eax

SetWindowLong replaces the window procedure address of the edit control with the address of EditWndProc and returns the address of the original procedure, which is saved in OldWndProc. From this point on every message for the edit control is delivered to EditWndProc, which forwards to the original, through CallWindowProc, whatever it does not want to handle itself.
.if uMsg==WM_CHAR
mov eax,wParam
.if (al>="0" && al<="9") || \
(al>="A" && al<="F") || \
(al>="a" && al<="f") || \
al==VK_BACK
.if al>="a" && al<="f"
sub al,20h
.endif
invoke CallWindowProc,OldWndProc,hEdit,uMsg,eax,lParam
ret
.endif

WM_CHAR is the message to filter: it carries the translated character of a keystroke in wParam, so it is where the typed text can be checked. The character is moved into eax so that its low byte is in al, and it is accepted only if it is a digit 0-9, a letter A-F or a-f, or backspace (VK_BACK arrives as a character too, and must be let through or the user cannot delete). A lowercase hexadecimal letter is converted to uppercase by subtracting 20h before the message is passed on to the original procedure with CallWindowProc, with the modified character in eax in place of wParam; the edit control therefore only ever sees uppercase hex. Any other character falls out of the .if without being forwarded: EditWndProc returns 0 and the edit control never learns that the key was pressed.
.elseif uMsg==WM_KEYDOWN
    mov eax,wParam
    .if al==VK_RETURN
        invoke MessageBox,hEdit,\
                    addr Message,\
                    addr AppName,\
                    MB_OK + MB_ICONINFORMATION
        invoke SetFocus,hEdit
    .else
        invoke CallWindowProc,OldWndProc,\
                    hEdit,\
                    uMsg,\
                    wParam,\
                    lParam
        ret
    .endif

WM_KEYDOWN is handled to show that a subclass can also react to keys that are not characters. The virtual-key code is in wParam; if it is VK_RETURN (the Enter key) EditWndProc puts up a message box and then gives the focus back to the edit control, which lost it to the message box. Every other key, and every other message, goes straight to the original procedure through CallWindowProc, so apart from the two changes we made the edit control behaves exactly as before. That is all there is to subclassing.
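The subclassing step above, written as a reusable pair of procedures. This is an added example and not the book's code: SubclassEdit, and the use of GWL_USERDATA to hold the original procedure, are choices made here. It keeps the original procedure in the window's own GWL_USERDATA slot instead of a global, so one EditWndProc can serve any number of subclassed edit controls; it checks the result of SetWindowLong, which fails, for instance, when the window belongs to another process; and it restores the original procedure on WM_NCDESTROY, the last message a window receives, so that nothing calls EditWndProc once the control is gone. The file assembles as a module; in the program above, replace the two lines after SetFocus with invoke SubclassEdit,hwndEdit.

```asm
; Added example, not from the book: subclassing with per-window state,
; error checking and restoration of the original window procedure.
; Assumes the MASM32 package layout used throughout this chapter.
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

EditWndProc PROTO :DWORD,:DWORD,:DWORD,:DWORD

.code
; Subclass one edit control. Returns TRUE on success, FALSE if the window
; could not be subclassed (for instance a window owned by another process).
SubclassEdit proc hEdit:DWORD
    ; read the current procedure first and park it in GWL_USERDATA, so that
    ; EditWndProc can find it from the moment it is installed
    invoke GetWindowLong,hEdit,GWL_WNDPROC
    .if eax==0
        ret                             ; eax is already 0: failure
    .endif
    invoke SetWindowLong,hEdit,GWL_USERDATA,eax
    invoke SetLastError,0
    invoke SetWindowLong,hEdit,GWL_WNDPROC,offset EditWndProc
    .if eax==0
        ; a previous value of 0 is not an error by itself; ask GetLastError
        invoke GetLastError
        .if eax!=0
            xor eax,eax
            ret
        .endif
    .endif
    mov eax,TRUE
    ret
SubclassEdit endp

; Replacement window procedure shared by every subclassed edit control.
EditWndProc proc hEdit:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    LOCAL oldProc:DWORD
    invoke GetWindowLong,hEdit,GWL_USERDATA
    mov oldProc,eax
    .if uMsg==WM_NCDESTROY
        ; last message this window will ever get: undo the subclass so the
        ; dying window no longer points at EditWndProc, then let the
        ; original procedure see WM_NCDESTROY as usual
        invoke SetWindowLong,hEdit,GWL_WNDPROC,oldProc
        invoke SetWindowLong,hEdit,GWL_USERDATA,0
    .elseif uMsg==WM_CHAR
        mov eax,wParam
        .if al>="a" && al<="f"
            sub al,20h                  ; normalise to uppercase
        .endif
        .if (al>="0" && al<="9") || (al>="A" && al<="F") || al==VK_BACK
            invoke CallWindowProc,oldProc,hEdit,uMsg,eax,lParam
            ret
        .endif
        xor eax,eax                     ; anything else is swallowed
        ret
    .endif
    invoke CallWindowProc,oldProc,hEdit,uMsg,wParam,lParam
    ret
EditWndProc endp
end
```

Storing the old procedure before installing the new one matters: a message that arrived in between would otherwise find GWL_USERDATA empty and CallWindowProc would be handed a null address.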

Superclassing
Sample source: SourceCodes\Asm32\Chapter19

Superclassing is the method of choice when several windows need the same modified behaviour. Instead of taking over each window after it exists, you create a new window class that inherits everything from an existing one (here the edit control class) and adds what you want. The example is a window with six hexadecimal edit boxes in which the Tab key moves the focus from one box to the next, something a plain window does not do: in a dialog box the dialog manager handles Tab, but in an ordinary window nobody does, so our superclass does it itself.

Both techniques rest on the same fact, that the window procedure is an address stored in the class (lpfnWndProc of WNDCLASSEX) and copied into each window when it is created. Subclassing changes the copy in one window with SetWindowLong; superclassing changes the class template, so every window created from the new class starts out with our procedure and no SetWindowLong is needed. The steps are:

1. Obtain the WNDCLASSEX of the existing class with GetClassInfoEx. The structure must have its cbSize member set before the call; GetClassInfoEx fills in the rest from the registered class.

2. Modify the members that make it our class:
   hInstance      the handle of our own module, because the new class belongs to us
   lpszClassName  a new name for the class
   lpfnWndProc    the address of our window procedure. Save the old value first: it is the original edit procedure, and the messages we do not handle are passed to it with CallWindowProc, just as in subclassing.
   Other members, such as cbWndExtra, hCursor or hbrBackground, may be changed as well if the new class needs it.

3. Register the new class with RegisterClassEx.

4. Create windows with CreateWindowEx using the new class name.

The example:
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

WM_SUPERCLASS equ WM_USER+5

WinMain     PROTO :DWORD,:DWORD,:DWORD,:DWORD
EditWndProc PROTO :DWORD,:DWORD,:DWORD,:DWORD

.data
ClassName db "SuperclassWinClass",0
AppName   db "Superclassing Demo",0
EditClass db "EDIT",0                  ; the class we superclass
OurClass  db "SUPEREDITCLASS",0        ; the name of the new class
Message   db "You pressed the Enter key in the text box!",0

.data?
hInstance  dd ?
hwndEdit   dd 6 dup(?)                 ; handles of the six edit boxes
OldWndProc dd ?                        ; window procedure of the EDIT class

.code
start:
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke WinMain, hInstance,NULL,NULL, SW_SHOWDEFAULT
    invoke ExitProcess,eax

WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hwnd:HWND
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_APPWORKSPACE
    mov wc.lpszMenuName,NULL
    mov wc.lpszClassName,OFFSET ClassName
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc
    invoke CreateWindowEx, WS_EX_CLIENTEDGE + WS_EX_CONTROLPARENT,\
                ADDR ClassName,\
                ADDR AppName,\
                WS_OVERLAPPED + WS_CAPTION + WS_SYSMENU + WS_MINIMIZEBOX +\
                WS_MAXIMIZEBOX + WS_VISIBLE,\
                CW_USEDEFAULT,CW_USEDEFAULT,350,220,\
                NULL,NULL,hInst,NULL
    mov hwnd,eax
    .while TRUE
        invoke GetMessage, ADDR msg,NULL,0,0
        .BREAK .IF (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .endw
    mov eax,msg.wParam
    ret
WinMain endp

WndProc proc uses ebx edi hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    LOCAL wc:WNDCLASSEX
    .if uMsg==WM_CREATE
        ; 1. fetch the class description of the standard edit control
        mov wc.cbSize,sizeof WNDCLASSEX
        invoke GetClassInfoEx,NULL,addr EditClass,addr wc
        ; 2. keep its window procedure, then substitute ours
        push wc.lpfnWndProc
        pop OldWndProc
        mov wc.lpfnWndProc, OFFSET EditWndProc
        push hInstance
        pop wc.hInstance
        mov wc.lpszClassName,OFFSET OurClass
        ; 3. register the new class
        invoke RegisterClassEx, addr wc
        ; 4. create six edit boxes of the new class, IDs 0..5, 25 pixels apart
        xor ebx,ebx
        mov edi,20
        .while ebx<6
            invoke CreateWindowEx,WS_EX_CLIENTEDGE,\
                        ADDR OurClass,NULL,\
                        WS_CHILD + WS_VISIBLE + WS_BORDER,\
                        20,edi,300,25,hWnd,ebx,hInstance,NULL
            mov dword ptr [hwndEdit+4*ebx],eax
            add edi,25
            inc ebx
        .endw
        invoke SetFocus,hwndEdit       ; first element of the array
    .elseif uMsg==WM_DESTROY
        invoke PostQuitMessage,NULL
    .else
        invoke DefWindowProc,hWnd,uMsg,wParam,lParam
        ret
    .endif
    xor eax,eax
    ret
WndProc endp

EditWndProc PROC hEdit:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    .if uMsg==WM_CHAR
        mov eax,wParam
        .if (al>="0" && al<="9") || \
            (al>="A" && al<="F") || \
            (al>="a" && al<="f") || \
            al==VK_BACK
            .if al>="a" && al<="f"
                sub al,20h
            .endif
            invoke CallWindowProc,OldWndProc,hEdit,uMsg,eax,lParam
            ret
        .endif
    .elseif uMsg==WM_KEYDOWN
        mov eax,wParam
        .if al==VK_RETURN
            invoke MessageBox,hEdit,addr Message,addr AppName,MB_OK + MB_ICONINFORMATION
            invoke SetFocus,hEdit
        .elseif al==VK_TAB
            ; GetKeyState returns a SHORT whose high bit (bit 15) is set
            ; while the key is down
            invoke GetKeyState,VK_SHIFT
            test ax,8000h
            .if ZERO?
                ; Tab: next sibling, wrapping round to the first
                invoke GetWindow,hEdit,GW_HWNDNEXT
                .if eax==NULL
                    invoke GetWindow,hEdit,GW_HWNDFIRST
                .endif
            .else
                ; Shift+Tab: previous sibling, wrapping round to the last
                invoke GetWindow,hEdit,GW_HWNDPREV
                .if eax==NULL
                    invoke GetWindow,hEdit,GW_HWNDLAST
                .endif
            .endif
            invoke SetFocus,eax
            xor eax,eax
            ret
        .else
            invoke CallWindowProc,OldWndProc,hEdit,uMsg,wParam,lParam
            ret
        .endif
    .else
        invoke CallWindowProc,OldWndProc,hEdit,uMsg,wParam,lParam
        ret
    .endif
    xor eax,eax
    ret
EditWndProc endp
end start

Walking through the code: the main window is created as in the earlier examples, and the interesting work is done in WM_CREATE:

.if uMsg==WM_CREATE
    mov wc.cbSize,sizeof WNDCLASSEX
    invoke GetClassInfoEx,NULL,addr EditClass,addr wc

The cbSize member of the local WNDCLASSEX must be filled in before the call, because GetClassInfoEx uses it to know how large a structure it has been given. The first parameter is the instance handle of the module that registered the class; NULL selects the system-defined classes, which is where "EDIT" comes from. On return wc holds a copy of the edit control's class description: its style, its window procedure, its cursor, its background brush and so on.
push wc.lpfnWndProc
pop OldWndProc
mov wc.lpfnWndProc, OFFSET EditWndProc
push hInstance
pop wc.hInstance
mov wc.lpszClassName,OFFSET OurClass

The copied class is then turned into our own. The original window procedure is saved in OldWndProc before it is overwritten, because EditWndProc will forward to it with CallWindowProc; it plays the role that the return value of SetWindowLong played in subclassing. hInstance is replaced by our own instance handle, since a class is owned by the module that registers it, and lpszClassName is set to "SUPEREDITCLASS", the name by which windows of the new class will be created. Note that, unlike subclassing, there is no SetWindowLong anywhere: the substitution happens in the class before any window exists. The class is then registered:
invoke RegisterClassEx, addr wc

RegisterClassEx registers the modified WNDCLASSEX under the new name. From now on "SUPEREDITCLASS" can be used with CreateWindowEx like any other class name, and the original "EDIT" class is untouched.
xor ebx,ebx
mov edi,20
.while ebx<6
invoke CreateWindowEx,WS_EX_CLIENTEDGE,\
ADDR OurClass,\
NULL,\
WS_CHILD + WS_VISIBLE + WS_BORDER,\
20,\
edi,\
300,\
25,\
hWnd,\
ebx,\
hInstance,\
NULL
mov dword ptr [hwndEdit+4*ebx],eax
add edi,25
inc ebx
.endw
invoke SetFocus,hwndEdit

Six edit boxes of the new class are created in a loop. ebx counts from 0 to 5 and doubles as the control ID passed in the hMenu parameter; edi is the y coordinate, starting at 20 and increasing by 25, the height of a box, for each one. The handle returned in eax is stored in the hwndEdit array, one DWORD per control, at index ebx. Finally the first box (hwndEdit, which names the first element of the array) receives the focus.

The edit boxes accept only hexadecimal digits exactly as the subclassed control did, because EditWndProc contains the same WM_CHAR code; the difference is that every window of the class gets this behaviour without any per-window work. The new part is what the Tab key does. In a dialog box the dialog manager moves the focus between controls on Tab and Shift+Tab; in a plain window nothing does, so the superclass handles VK_TAB itself:
.elseif al==VK_TAB
    invoke GetKeyState,VK_SHIFT
    test ax,8000h
    .if ZERO?
        invoke GetWindow,hEdit,GW_HWNDNEXT
        .if eax==NULL
            invoke GetWindow,hEdit,GW_HWNDFIRST
        .endif
    .else
        invoke GetWindow,hEdit,GW_HWNDPREV
        .if eax==NULL
            invoke GetWindow,hEdit,GW_HWNDLAST
        .endif
    .endif
    invoke SetFocus,eax
    xor eax,eax
    ret

First GetKeyState is called for VK_SHIFT to find out whether Shift is held, which turns Tab into Shift+Tab. GetKeyState returns a SHORT whose high bit (bit 15) is set while the key is down, so the test is on 8000h in ax. Testing bit 31 of eax with 80000000h, as the book's listing did, only works if the return value happens to be sign-extended, which the API does not promise.

If Shift is not down, GetWindow with GW_HWNDNEXT returns the next sibling of the edit box in Z order. The six boxes were created one after another and are the only children of the main window, so this is the box below. When GetWindow returns NULL the current box is the last one, and GW_HWNDFIRST wraps round to the first. With Shift down the direction is reversed: GW_HWNDPREV gives the previous sibling and GW_HWNDLAST wraps round to the last box. The handle obtained is passed to SetFocus, the procedure returns 0, and the Tab keystroke never reaches the original edit procedure, which would otherwise ignore it.
Bitmap
Sample source: SourceCodes\Asm32\Chapter20

A bitmap is the most convenient image format on Windows, and drawing one on a window is a good introduction to the GDI. The simplest way to get the bitmap into the program is to put it in the resource script (.rc file) as a BITMAP resource, so that it becomes part of the executable:

#define IDB_MYBITMAP 100
IDB_MYBITMAP BITMAP "c:\project\example.bmp"

The resource can be identified by a number, as above, where IDB_MYBITMAP is a symbol for 100 that must be defined with the same value in the assembly source (an equ), or by a name:

MyBitMap BITMAP "c:\project\example.bmp"

In that case the program refers to the resource by the string "MyBitMap". The path after BITMAP is the .bmp file the resource compiler reads; it is needed only at build time.

Once the bitmap is inside the executable, the program obtains a handle to it with LoadBitmap:

LoadBitmap proto hInstance:HINSTANCE, lpBitmapName:LPSTR

hInstance is the instance handle of the module containing the resource. lpBitmapName is either a pointer to the resource name string or, for a numbered resource, the number itself in place of the pointer (what the C macro MAKEINTRESOURCE produces). LoadBitmap returns the bitmap handle in eax, or NULL if the resource was not found. The two ways of referring to the resource look like this:
First Method:

.386
.model flat, stdcall
................
.const
IDB_MYBITMAP equ 100
...............
.data?
hInstance dd ?
..............
.code
.............
invoke GetModuleHandle,NULL
mov hInstance,eax
............
invoke LoadBitmap,hInstance,IDB_MYBITMAP
...........

Second Method:

.386
.model flat, stdcall
................
.data
BitmapName db "MyBitMap",0
...............
.data?
hInstance dd ?
..............
.code
.............
invoke GetModuleHandle,NULL
mov hInstance,eax
............
invoke LoadBitmap,hInstance,addr BitmapName
...........

A bitmap handle by itself draws nothing. The GDI works through device contexts (DC): a DC describes a drawing surface (the screen, a window, a printer, a bitmap in memory) together with the pen, brush, font and bitmap currently selected into it, and every drawing call targets a DC. Getting the image from the bitmap onto the window takes these steps:

1. Load the bitmap with LoadBitmap, as above.

2. Obtain a device context for the window, with GetDC, or with BeginPaint when drawing in response to WM_PAINT. This DC represents the client area of the window.

3. Create a memory device context compatible with it:

CreateCompatibleDC proto hdc:HDC

hdc is the DC of the window; the function returns the handle of a new memory DC with the same properties. A memory DC is a drawing surface that lives in memory rather than on the screen. It is the same mechanism used for double buffering, where a frame is composed off-screen and then copied to the window in one operation.

4. Select the bitmap into the memory DC:

SelectObject proto hdc:HDC, hGdiObject:DWORD

A new memory DC starts with a 1x1 monochrome bitmap as its surface; SelectObject replaces that with our bitmap, so that the surface of the memory DC now is the bitmap. SelectObject returns the handle of the object it displaced, which should be selected back in before the DC is destroyed.

5. Copy the bitmap from the memory DC to the window DC with BitBlt or StretchBlt. BitBlt copies a rectangle pixel for pixel; StretchBlt stretches or shrinks it to fit a destination rectangle of a different size.

BitBlt proto hdcDest:DWORD,\
             nxDest:DWORD,\
             nyDest:DWORD,\
             nWidth:DWORD,\
             nHeight:DWORD,\
             hdcSrc:DWORD,\
             nxSrc:DWORD,\
             nySrc:DWORD,\
             dwROP:DWORD

hdcDest is the destination DC, the window's. nxDest and nyDest are the upper-left corner of the destination rectangle in it. nWidth and nHeight are the size of the rectangle to copy. hdcSrc is the source DC, our memory DC, and nxSrc and nySrc are the upper-left corner of the source rectangle in it. dwROP is the raster operation that says how source and destination pixels are combined: SRCCOPY simply copies the source, other codes combine the two with AND, OR, XOR and so on.

6. Release what was created: DeleteDC for the memory DC, ReleaseDC (after GetDC) or EndPaint (after BeginPaint) for the window DC, and DeleteObject for the bitmap when it is no longer needed, since GDI objects are not freed automatically. The complete program:
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\gdi32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\gdi32.lib

WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
IDB_MAIN equ 1                         ; must match the resource script

.data
ClassName db "SimpleWin32ASMBitmapClass",0
AppName   db "Win32ASM Simple Bitmap Example",0

.data?
hInstance   HINSTANCE ?
CommandLine LPSTR ?
hBitmap     dd ?

.code
start:
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke GetCommandLine
    mov CommandLine,eax
    invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
    invoke ExitProcess,eax

WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hwnd:HWND
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInstance
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_WINDOW+1
    mov wc.lpszMenuName,NULL
    mov wc.lpszClassName,OFFSET ClassName
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc
    INVOKE CreateWindowEx,NULL,\
                ADDR ClassName,\
                ADDR AppName,\
                WS_OVERLAPPEDWINDOW,\
                CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,\
                NULL,NULL,hInst,NULL
    mov hwnd,eax
    invoke ShowWindow, hwnd,SW_SHOWNORMAL
    invoke UpdateWindow, hwnd
    .while TRUE
        invoke GetMessage, ADDR msg,NULL,0,0
        .break .if (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .endw
    mov eax,msg.wParam
    ret
WinMain endp

WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    LOCAL ps:PAINTSTRUCT
    LOCAL hdc:HDC
    LOCAL hMemDC:HDC
    LOCAL rect:RECT
    .if uMsg==WM_CREATE
        invoke LoadBitmap,hInstance,IDB_MAIN
        mov hBitmap,eax
    .elseif uMsg==WM_PAINT
        invoke BeginPaint,hWnd,addr ps
        mov hdc,eax
        invoke CreateCompatibleDC,hdc
        mov hMemDC,eax
        invoke SelectObject,hMemDC,hBitmap
        invoke GetClientRect,hWnd,addr rect
        ; copy the client-area sized rectangle from the memory DC to the window
        invoke BitBlt,hdc,0,0,rect.right,rect.bottom,hMemDC,0,0,SRCCOPY
        invoke DeleteDC,hMemDC
        invoke EndPaint,hWnd,addr ps
    .elseif uMsg==WM_DESTROY
        invoke DeleteObject,hBitmap
        invoke PostQuitMessage,NULL
    .ELSE
        invoke DefWindowProc,hWnd,uMsg,wParam,lParam
        ret
    .ENDIF
    xor eax,eax
    ret
WndProc endp
end start

The resource script:

#define IDB_MAIN 1
IDB_MAIN BITMAP "tweety78.bmp"

Walking through the code: the bitmap is loaded once, when the window is created:

.if uMsg==WM_CREATE
    invoke LoadBitmap,hInstance,IDB_MAIN
    mov hBitmap,eax

LoadBitmap is given our instance handle and the resource ID, and the bitmap handle it returns in eax is kept in hBitmap for as long as the window lives. The drawing itself happens whenever the window has to be repainted, that is, in WM_PAINT:
.elseif uMsg==WM_PAINT
    invoke BeginPaint,hWnd,addr ps
    mov hdc,eax
    invoke CreateCompatibleDC,hdc
    mov hMemDC,eax
    invoke SelectObject,hMemDC,hBitmap
    invoke GetClientRect,hWnd,addr rect
    invoke BitBlt,hdc,\
                0,\
                0,\
                rect.right,\
                rect.bottom,\
                hMemDC,\
                0,\
                0,\
                SRCCOPY
    invoke DeleteDC,hMemDC
    invoke EndPaint,hWnd,addr ps

BeginPaint is the way to obtain the DC inside WM_PAINT; it also fills in the PAINTSTRUCT and marks the invalid area of the window as being repainted. CreateCompatibleDC then creates a memory DC matching the window's, and SelectObject makes hBitmap the surface of that memory DC. GetClientRect fills a RECT with the client area of the window; because its left and top are always 0, rect.right is the client width and rect.bottom the client height, and they are used as the width and height passed to BitBlt. BitBlt copies that rectangle from the memory DC, starting at (0,0), to the window DC at (0,0) with SRCCOPY, so the bitmap appears in the upper-left corner of the window, clipped to the client area if it is larger. The memory DC is then destroyed with DeleteDC (a tidier version selects the bitmap returned by SelectObject back in first) and the paint operation is closed with EndPaint, which releases the DC obtained from BeginPaint. The bitmap itself stays loaded until WM_DESTROY, where DeleteObject frees it; GDI objects must always be deleted explicitly.
Win32 Debug API (part 1)


Sample source: SourceCodes\Asm32\Chapter21

Win32 contains a set of functions, the Win32 Debug API, with which a program can control the execution of another program and be told about everything important that happens inside it; that is what a debugger is. In what follows the program being debugged is the debuggee and the program using the API is the debugger. The debugger is told about the debuggee's process and thread creation, DLL loads and unloads, exceptions and exit, can read and write its memory and registers, and decides when it runs.

The debuggee is a process that runs as usual except that after each debug event it is suspended until the debugger lets it continue. The debugger gets hold of it in one of two ways:

1. It creates the process itself with CreateProcess, passing DEBUG_PROCESS in the creation flags. With DEBUG_PROCESS alone, any child process the debuggee creates is debugged as well; adding DEBUG_ONLY_THIS_PROCESS restricts debugging to the debuggee itself. The debugger must be ready to handle debug events from the moment the process starts.

2. It attaches to a process that is already running with DebugActiveProcess, passing the process ID.

In either case the debugger must service the debug events from the thread that created or attached to the debuggee, because debug events are delivered to that thread only. While the debuggee is stopped at an event all of its threads are suspended, so a debugger that is slow to respond freezes the debuggee.

After that the debugger loops, waiting for the next event with WaitForDebugEvent:
WaitForDebugEvent proto lpDebugEvent:DWORD, dwMilliseconds:DWORD

lpDebugEvent is a pointer to a DEBUG_EVENT structure that the function fills in when an event occurs. dwMilliseconds is how long to wait, in milliseconds; like the other WaitForXXX functions it accepts INFINITE to wait without a time limit. While the debugger is inside WaitForDebugEvent the debuggee runs; the function returns when the debuggee stops at a debug event, or with a return value of 0 when the time runs out (GetLastError then gives ERROR_SEM_TIMEOUT). The DEBUG_EVENT structure looks like this:

DEBUG_EVENT STRUCT
    dwDebugEventCode dd ?
    dwProcessId      dd ?
    dwThreadId       dd ?
    u                DEBUGSTRUCT <>
DEBUG_EVENT ENDS

dwDebugEventCode says what kind of event happened, and therefore which member of the union u holds the details. The possible values are:

CREATE_PROCESS_DEBUG_EVENT
    The debuggee process has just been created, or the debugger has just attached to it. This is always the first event the debugger receives for a process; it carries the process and main thread handles, the image base and the entry point.

EXIT_PROCESS_DEBUG_EVENT
    The debuggee process has exited. The exit code is included. After this event has been continued the debugger receives no further events for the process.

CREATE_THREAD_DEBUG_EVENT
    A new thread has been created in the debuggee. The main thread does not generate this event; it is reported with CREATE_PROCESS_DEBUG_EVENT.

EXIT_THREAD_DEBUG_EVENT
    A thread of the debuggee has ended.

LOAD_DLL_DEBUG_EVENT
    A DLL has been mapped into the debuggee, either from the import table at load time or by a later LoadLibrary call. The base address of the DLL is included, and the debugger usually uses it to find out which DLL it is. The DLLs in the import table are reported this way at start-up, before the initial breakpoint.

UNLOAD_DLL_DEBUG_EVENT
    A DLL has been unmapped from the debuggee, for example by FreeLibrary.

EXCEPTION_DEBUG_EVENT
    An exception occurred in the debuggee. This is the most important event for a debugger, because breakpoints are exceptions: the int 3 instruction raises EXCEPTION_BREAKPOINT, and the system itself executes an int 3 on the debuggee's behalf once the process has been initialized, so the debugger always gets one EXCEPTION_BREAKPOINT after the CREATE_PROCESS and LOAD_DLL events and before the debuggee runs any code of its own. The debugger answers an exception event through the last parameter of ContinueDebugEvent: DBG_CONTINUE says the exception has been dealt with and the debuggee should simply go on (the right answer for the initial breakpoint and for breakpoints the debugger planted), DBG_EXCEPTION_NOT_HANDLED says it has not, and the exception is passed on to the debuggee's own exception handlers. The book notes that Win9x and NT differ in what happens when the initial breakpoint is answered with DBG_EXCEPTION_NOT_HANDLED; answering it with DBG_CONTINUE is correct on both.

OUTPUT_DEBUG_STRING_EVENT
    The debuggee called OutputDebugString; the string is made available to the debugger.

RIP_EVENT
    A system debugging error occurred.

dwProcessId and dwThreadId identify the process and the thread in which the event occurred. For the main thread they are the values CreateProcess returned in the PROCESS_INFORMATION structure; for other threads dwThreadId differs. Both are needed to continue the event. The union u contains one structure per event type, and dwDebugEventCode tells which one is valid:
Value in dwDebugEventCode      Interpretation of u
CREATE_PROCESS_DEBUG_EVENT     a CREATE_PROCESS_DEBUG_INFO structure named CreateProcessInfo
EXIT_PROCESS_DEBUG_EVENT       an EXIT_PROCESS_DEBUG_INFO structure named ExitProcess
CREATE_THREAD_DEBUG_EVENT      a CREATE_THREAD_DEBUG_INFO structure named CreateThread
EXIT_THREAD_DEBUG_EVENT        an EXIT_THREAD_DEBUG_INFO structure named ExitThread
LOAD_DLL_DEBUG_EVENT           a LOAD_DLL_DEBUG_INFO structure named LoadDll
UNLOAD_DLL_DEBUG_EVENT         an UNLOAD_DLL_DEBUG_INFO structure named UnloadDll
EXCEPTION_DEBUG_EVENT          an EXCEPTION_DEBUG_INFO structure named Exception
OUTPUT_DEBUG_STRING_EVENT      an OUTPUT_DEBUG_STRING_INFO structure named DebugString
RIP_EVENT                      a RIP_INFO structure named RipInfo

)3

. +/ 0 1. ( 2,

! 4

. WaitForDebugEvent 5.

! . a d -) % <
! u

588

! CREATE_PROCESS_DEBUG_INFO )! /! + # p . V !)

! . )!

PU V !

- Crack

1 Qx R U ..

!)

PU

!) CreateProcessInfo %

!E

31 .

uT / ! / V

.) ) d - G

. dwDebugEventCode !

V ; ! O

CREATE_PROCESS_DEBUG_EVENT . .

CREATE_PROCESS_DEBUG_INFO E

) Rb .

)! /!

'! F.

# 1 O

U.CreateProcessInfo.<member name>

\8))

. -) % < \ 8 )

. WaitForDebugEvent 5. a
( < T -)

! \ 8 ) )
a

!
)

! .
/

% , O )!

) G!/

! . T !) ! O )!

.R T .!O

1 T
. -)

,-

. Q = .)) 1

4) ! / V . -) ! 4 "< )!

) !) G

! . , !/ /

' C,U -3

() ) ! Debuggee !)

. ! dwDebugEventCode !) ) 6

C,; u U
.

-)

4 . /

! / -) ( 6 Debuggee . -4

! Debuggee

24

. ! Debuggee , ContinueDebugEvent 5.

a -)

() *

.
. /

. /

( - 3 ! 5. V ! G

!)

ContinueDebugEvent proto dwProcessId:DWORD,\
                         dwThreadId:DWORD,\
                         dwContinueStatus:DWORD

g 3 ! '!

) 2B

. .

g 3 ! '!

) ! DBG_CONTINUE

! / C# ) V -)
!) a X x
.

R) )

# 1( ) !
() *

V '! F

!R
b'!

. ! '!
n !) a

(! ,

dwProcessId

. DEBUG_EVENT )! /!

. ! b
)

Process

)V . /

f f[ dwContinueStatus

!) EXCEPTION_DEBUG_EVENT )

!) .

'!

) 2B a

. () / 5#!

!!

DBG_EXCEPTION_NOT_HANDLED !

)!

) 2B

) 2B

dwThreadId

/ () *

A84

. ,

() ) ! 4

) 2B ! /

) R ,- /

-)

DBG_CONTINUE C#
. '! F
! . )!

!) . -)

!X x

! "6
%< !

! B

) ) G!/
) 1 . C# V

589

> )

AB"

O /E +/

DBG_EXCEPTION_NOT_HANDLED C#

() *

..

) G

# 1 -

( oU . ! X x

> .+ . / /7@;2
- G!

/ /

d- . X x

%cU

. ,

C#

! B !) + # V . . . -) T Rb . q # p T '! B . () ) % < ! ! / V

o .

. () . V .

!X x

d- Rb

. CU ,

. /

EXCEPTION_BREAKPOINT !

. )! ) ! ) G !

)V

( int 3h )

24

= V !) .

3 ,-

!)

ExceptionCode PU !)

6 F4 Debuggee

*1 / ! >R ,-

54 !) / ) / - G # !) ! X x

DBG_EXCEPTION_NOT_HANDLED C# . ! ContinueDebugEvent 5.

= V !) uT . )
.

%WT

C=

. /

,! .

/ () *

EXCEPTION_DEBUG_EVENT

= /

.
,

DBG_CONTINUE

/ () *

DBG_CONTINUE C#

/ () *

Debuggee

- G

'!

) 2B ! /

. Debuggee
o

G #

. DBG_CONTINUE C#

3 ,-

) Debuggee , G

. . -)

!) ! Debuggee , G

. C=

NT

! G [V

;S a ( < T <

( - 3 ! C= V

-5

T !)

C/ ! G

!)

.while TRUE
invoke WaitForDebugEvent, addr DebugEvent, INFINITE
.break .if DebugEvent.dwDebugEventCode==EXIT_PROCESS_DEBUG_EVENT
<Handle the debug events>
invoke ContinueDebugEvent, DebugEvent.dwProcessId,\
DebugEvent.dwThreadId,\
DBG_EXCEPTION_NOT_HANDLED
.endw
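The same loop in Python with ctypes, as an added example that is not the book's code. It attaches to a running process by PID with DebugActiveProcess (as the second program in this chapter does) instead of starting one with CreateProcess, declares only the DEBUG_EVENT union members the loop reads, and isolates the one decision the text keeps returning to: the initial int 3 (and any single-step trap) is answered with DBG_CONTINUE, everything else with DBG_EXCEPTION_NOT_HANDLED so the debuggee's own handlers see it. The PID argument, the print formats and the helper names continue_status, describe and run_debugger are this example's own.

```python
"""Win32 debug-event loop in Python ctypes (added example, not the book's code).

Assumes Windows and a PID to attach to (argv[1]); the decision helpers below
are pure Python and run anywhere, which is what the test exercises.
"""
import ctypes
import sys

DWORD, WORD = ctypes.c_uint32, ctypes.c_uint16
HANDLE = LPVOID = ctypes.c_void_p
ULONG_PTR = ctypes.c_size_t

# dwDebugEventCode values and ContinueDebugEvent statuses (winbase.h / winnt.h)
EXCEPTION_DEBUG_EVENT, CREATE_THREAD_DEBUG_EVENT, CREATE_PROCESS_DEBUG_EVENT = 1, 2, 3
EXIT_THREAD_DEBUG_EVENT, EXIT_PROCESS_DEBUG_EVENT, LOAD_DLL_DEBUG_EVENT = 4, 5, 6
UNLOAD_DLL_DEBUG_EVENT, OUTPUT_DEBUG_STRING_EVENT, RIP_EVENT = 7, 8, 9
EXCEPTION_BREAKPOINT, EXCEPTION_SINGLE_STEP = 0x80000003, 0x80000004
DBG_CONTINUE, DBG_EXCEPTION_NOT_HANDLED = 0x00010002, 0x80010001
INFINITE = 0xFFFFFFFF


class EXCEPTION_RECORD(ctypes.Structure):
    pass


EXCEPTION_RECORD._fields_ = [
    ("ExceptionCode", DWORD), ("ExceptionFlags", DWORD),
    ("ExceptionRecord", ctypes.POINTER(EXCEPTION_RECORD)),
    ("ExceptionAddress", LPVOID), ("NumberParameters", DWORD),
    ("ExceptionInformation", ULONG_PTR * 15)]


class EXCEPTION_DEBUG_INFO(ctypes.Structure):
    _fields_ = [("ExceptionRecord", EXCEPTION_RECORD), ("dwFirstChance", DWORD)]


class CREATE_PROCESS_DEBUG_INFO(ctypes.Structure):
    _fields_ = [("hFile", HANDLE), ("hProcess", HANDLE), ("hThread", HANDLE),
                ("lpBaseOfImage", LPVOID), ("dwDebugInfoFileOffset", DWORD),
                ("nDebugInfoSize", DWORD), ("lpThreadLocalBase", LPVOID),
                ("lpStartAddress", LPVOID), ("lpImageName", LPVOID),
                ("fUnicode", WORD)]


class EXIT_PROCESS_DEBUG_INFO(ctypes.Structure):
    _fields_ = [("dwExitCode", DWORD)]


class DEBUG_EVENT_U(ctypes.Union):
    # Only the members this loop reads. EXCEPTION_DEBUG_INFO is the largest
    # member of the real union, so the buffer keeps the size the kernel fills.
    _fields_ = [("Exception", EXCEPTION_DEBUG_INFO),
                ("CreateProcessInfo", CREATE_PROCESS_DEBUG_INFO),
                ("ExitProcess", EXIT_PROCESS_DEBUG_INFO)]


class DEBUG_EVENT(ctypes.Structure):
    _fields_ = [("dwDebugEventCode", DWORD), ("dwProcessId", DWORD),
                ("dwThreadId", DWORD), ("u", DEBUG_EVENT_U)]


def continue_status(event):
    """Pick the dwContinueStatus to pass to ContinueDebugEvent.

    The int 3 the system raises when the debuggee starts (and the single-step
    traps a tracer provokes) exist only for the debugger, so they are absorbed
    with DBG_CONTINUE; any other exception goes back to the debuggee with
    DBG_EXCEPTION_NOT_HANDLED so its own handlers get the chance to run."""
    if event.dwDebugEventCode == EXCEPTION_DEBUG_EVENT:
        code = event.u.Exception.ExceptionRecord.ExceptionCode
        if code in (EXCEPTION_BREAKPOINT, EXCEPTION_SINGLE_STEP):
            return DBG_CONTINUE
    return DBG_EXCEPTION_NOT_HANDLED


def describe(event):
    """One line per event, reading only the union member dwDebugEventCode selects."""
    code = event.dwDebugEventCode
    if code == CREATE_PROCESS_DEBUG_EVENT:
        info = event.u.CreateProcessInfo
        return "process created: image base %#x, start address %#x" % (
            info.lpBaseOfImage or 0, info.lpStartAddress or 0)
    if code == EXIT_PROCESS_DEBUG_EVENT:
        return "process exited with code %d" % event.u.ExitProcess.dwExitCode
    if code == EXCEPTION_DEBUG_EVENT:
        rec = event.u.Exception.ExceptionRecord
        return "exception %#010x at %#x (first chance: %d)" % (
            rec.ExceptionCode, rec.ExceptionAddress or 0, event.u.Exception.dwFirstChance)
    return "debug event code %d" % code


def run_debugger(pid):
    """Attach to pid (Windows only) and report every event until it exits."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.DebugActiveProcess.argtypes = [DWORD]
    k32.WaitForDebugEvent.argtypes = [ctypes.POINTER(DEBUG_EVENT), DWORD]
    k32.ContinueDebugEvent.argtypes = [DWORD, DWORD, DWORD]
    if not k32.DebugActiveProcess(pid):
        raise ctypes.WinError(ctypes.get_last_error())
    event = DEBUG_EVENT()
    while k32.WaitForDebugEvent(ctypes.byref(event), INFINITE):
        print(describe(event))
        k32.ContinueDebugEvent(event.dwProcessId, event.dwThreadId, continue_status(event))
        if event.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT:
            break


if __name__ == "__main__" and sys.platform == "win32":
    run_debugger(int(sys.argv[1]))
```

Run it as `python debugloop.py <pid>` on Windows. The Win32 calls live only in run_debugger, so continue_status and describe can be exercised on any platform with a DEBUG_EVENT filled in by hand. Turning it into the instruction tracer of the later chapter means adding Get/SetThreadContext with CONTEXT_CONTROL and setting bit 100h of EFlags before each ContinueDebugEvent; that CONTEXT plumbing is left out here.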

.V
.d /

R . BcG '! F. ! ! / A=

R) / \ 8 )

Q=.

. 6 Q = !) Process

6 Rb

) 6

\8)

-)
-)

!
! .

) 2B

.!O
1 T
6

.
, G

Process ) <

.QF

Debuggee !) ' !

)3

. +/ 0 1. ( 2,

- Crack
. .

590

, G Debuggee Process

G [V

.d !
) (! ,

,o ' Uc>

p .V Qx

() / \ 8 ) ! Win32
. -)

.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
includelib \masm32\lib\user32.lib
.data
AppName db "Win32 Debug Example no.1",0
ofn OPENFILENAME <>
FilterString db "Executable Files",0,"*.exe",0
db "All Files",0,"*.*",0,0
ExitProc db "The Debuggee exits",0
NewThread db "A new thread is created",0
EndThread db "A thread is destroyed",0
ProcessInfo db "File Handle: %lx ",0dh,0Ah
db "Process Handle: %lx",0Dh,0Ah
db "Thread Handle: %lx",0Dh,0Ah
db "Image Base: %lx",0Dh,0Ah
db "Start Address: %lx",0
.data?
buffer db 512 dup(?)
startinfo STARTUPINFO <>
pi PROCESS_INFORMATION <>
DBEvent DEBUG_EVENT <>
.code
start:
mov ofn.lStructSize,sizeof ofn
mov ofn.lpstrFilter, offset FilterString
mov ofn.lpstrFile, offset buffer
mov ofn.nMaxFile,512
mov ofn.Flags, OFN_FILEMUSTEXIST or \
OFN_PATHMUSTEXIST or \
OFN_LONGNAMES or \
OFN_EXPLORER or \
OFN_HIDEREADONLY
invoke GetOpenFileName, ADDR ofn
.if eax==TRUE

)
.Q=
Qx V

R 3 ! .... Process

invoke GetStartupInfo,addr startinfo


invoke CreateProcess, addr buffer,\
NULL,\
NULL,\
NULL,\
FALSE,\
DEBUG_PROCESS + DEBUG_ONLY_THIS_PROCESS,\
NULL,\
NULL,\
addr startinfo,\
addr pi
.while TRUE
invoke WaitForDebugEvent, addr DBEvent, INFINITE
.if DBEvent.dwDebugEventCode==EXIT_PROCESS_DEBUG_EVENT
invoke MessageBox,0,\
addr ExitProc,\
addr AppName,\
MB_OK+MB_ICONINFORMATION
.break
.elseif DBEvent.dwDebugEventCode==CREATE_PROCESS_DEBUG_EVENT
invoke wsprintf, addr buffer,\
addr ProcessInfo,\
DBEvent.u.CreateProcessInfo.hFile,\
DBEvent.u.CreateProcessInfo.hProcess,\
DBEvent.u.CreateProcessInfo.hThread,\
DBEvent.u.CreateProcessInfo.lpBaseOfImage,\
DBEvent.u.CreateProcessInfo.lpStartAddress
invoke MessageBox,0,\
addr buffer,\
addr AppName,\
MB_OK+MB_ICONINFORMATION
.elseif DBEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT
.if DBEvent.u.Exception.pExceptionRecord.ExceptionCode ==\
EXCEPTION_BREAKPOINT
invoke ContinueDebugEvent, DBEvent.dwProcessId,\
DBEvent.dwThreadId,\
DBG_CONTINUE
.continue
.endif
.elseif DBEvent.dwDebugEventCode == CREATE_THREAD_DEBUG_EVENT
invoke MessageBox,0,\
addr NewThread,\
addr AppName,\
MB_OK+MB_ICONINFORMATION
.elseif DBEvent.dwDebugEventCode==EXIT_THREAD_DEBUG_EVENT
invoke MessageBox,0,\
addr EndThread,\
addr AppName,\
MB_OK+MB_ICONINFORMATION
.endif
invoke ContinueDebugEvent, DBEvent.dwProcessId,\
DBEvent.dwThreadId,\

DBG_EXCEPTION_NOT_HANDLED

.endw
invoke CloseHandle,pi.hProcess
invoke CloseHandle,pi.hThread
.endif
invoke ExitProcess, 0
end start

! GetOpenFileName 5.
uT .

/9

! OPENFILENAME )! /!

() / -)!

! ) G O )!

. / d -) ( 6 .! / .

. ! GetStartupInfo 5. a ) / 9

-) !
.d /

G #aR ) G

. !) o b )

\8)

PU

. !)

d /

G #

. !

. .! /

. STARTUPINFO )! /!

PU

invoke GetStartupInfo,addr startinfo


invoke CreateProcess, addr buffer,\
NULL,\
NULL,\
NULL,\
FALSE,\
DEBUG_PROCESS + DEBUG_ONLY_THIS_PROCESS,\
NULL,\
NULL,\
addr startinfo,\
addr pi
.while TRUE
invoke WaitForDebugEvent, addr DBEvent, INFINITE

5.

31 . )
!)

\8)
!

f-.d

-% W T
!

C= )!

5. V . d /
# 1 O !) Rb % )

Uc> . DBEvent )! /! )) 1

!T

! 01! . Debuggee

G # ! WaitForDebugEvent
. ! INFINITE !

R [

. WaitForDebugEvent 5. a * . y * \ 8 )
.)

T ! /0 )

.if DBEvent.dwDebugEventCode==EXIT_PROCESS_DEBUG_EVENT
invoke MessageBox, 0, \
addr ExitProc,\
addr AppName,\
MB_OK+MB_ICONINFORMATION
.break

! )!

593

! B !) . d -

! 4

, G Messagebox

> )

AB"

O /E +/

> .+ . / /7@;2

! dwDebugEventCode

! . )!

PU , 4 V !)

. EXIT_PROCESS _DEBUG_EVENT . . Rb

.d

() / %cU ! Debuggee

! G o W T C=

.elseif DBEvent.dwDebugEventCode==CREATE_PROCESS_DEBUG_EVENT
invoke wsprintf, addr buffer,\
addr ProcessInfo,\
DBEvent.u.CreateProcessInfo.hFile,\
DBEvent.u.CreateProcessInfo.hProcess,\
DBEvent.u.CreateProcessInfo.hThread,\
DBEvent.u.CreateProcessInfo.lpBaseOfImage,\
DBEvent.u.CreateProcessInfo.lpStartAddress
invoke MessageBox,0,\
addr buffer,\
addr AppName,\
MB_OK+MB_ICONINFORMATION

CREATE_PROCESS_DEBUG_EVENT . . dwDebugEventCode !
! i ,- . ) ) d - G p , Debuggee )!

! ' Uc> V

CREATE_PROCESS_DEBUG_INFO E

..
.

Uc> MessageBox

!) !

. u.CreateProcessInfo )! /!

. )! b d - G
/ ;6

Win32 API Reference .

! B!)
+
a

*1

)! /! CreateProcessInfo

)! /! V )!

!) 3 . ' Uc>

# !)

.elseif DBEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT
.if DBEvent.u.Exception.pExceptionRecord.ExceptionCode ==\
EXCEPTION_BREAKPOINT
invoke ContinueDebugEvent, DBEvent.dwProcessId,\
DBEvent.dwThreadId,\
DBG_CONTINUE
.continue
.endif

.a

. EXCEPTION_DEBUG_EVENT . . dwDebugEventCode !

! . . & . '! F.

! X x

. d -) ! 4

() . EXCEPTION_BREAKPOINT . . PU V !
R

!) /

24

Debuggee

. /

. 1 .

i R ,- X x

24

X x

V
(

/d
)<

. V,i

1 .
<

! . )!

! X x

/ V ; ExceptionCode
. () ) ! ! . V

Debuggee !

( int 3h ) 24

)V

6
i

)3

. +/ 0 1. ( 2,

- Crack

ContinueDebugEvent 5.
) G

594
uT .

Rb E 4 R

! / -) ( 6 Debuggee . () /

. d ,.

;. )

! . .

" f)

G # DBG_CONTINUE C# . !
! O

.!/V

uT . / Q 8 ) !

.elseif DBEvent.dwDebugEventCode == CREATE_THREAD_DEBUG_EVENT


invoke MessageBox,0,\
addr NewThread,\
addr AppName,\
MB_OK+MB_ICONINFORMATION
.elseif DBEvent.dwDebugEventCode==EXIT_THREAD_DEBUG_EVENT
invoke MessageBox,0,\
addr EndThread,\
addr AppName,\
MB_OK+MB_ICONINFORMATION
.endif

CREATE_THREAD_DEBUG_EVENT
^! "1 ! - )

! V MessageBox +

. . dwDebugEventCode !

. EXIT_THREAD_DEBUG_EVENT
.d -)

invoke ContinueDebugEvent, DBEvent.dwProcessId,\


DBEvent.dwThreadId,\
DBG_EXCEPTION_NOT_HANDLED
.endw

Debuggee . 31 .

. o =

. !) a EXCEPTION_DEBUG_EVENT

= "6 .

DBG_EXCEPTION_NOT_HANDLED C# . ! ContinueDebugEvent 5.
.

.
G #

invoke CloseHandle,pi.hProcess
invoke CloseHandle,pi.hThread

.d .

b'!

) 2B Process

) (! , a Debuggee , G .

595

> )

AB"

O /E +/

> .+ . / /7@;2

( 2RK/)Win32 Debug API


.

, ,S CD !) , 4 V

) 6

.] .

-A #

-/

SourceCodes\Asm32\Chapter22
!) '

W )<

f f[

! . .

) ! Win32 Debug API zk8 p . V !)

() )

Debuggee

.d ) T
-)

! () /

! 01 ! . R

\8)

/ ) < Debuggee !)

V a

!) / )! ) ) 6 API !

. !

f[ /

)V [! O V

.
..

b . ] .

. * ,

.) / d - G R . o b )!
.

# lFG

O# = / -)

\8)

, -)

!) ! 8 i p . V

. 5. V : ReadProcessMemory

( 6 ,
.

# 1 ) A84 AF# !)

'! F. 5. V ! G

. ! Process

ReadProcessMemory proto hProcess:DWORD,\
                        lpBaseAddress:DWORD,\
                        lpBuffer:DWORD,\
                        nSize:DWORD,\
                        lpNumberOfBytesRead:DWORD

. /
.4

- G

1 Qx R U . .

. -) ! 4 401000h !

!T!

g 3 !E

g 3 !(

,- " 4) 5.

! T . -)

# . 7!)b lpBuffer

. d ! ) F4 /

/ () *

ReadProcessMemory 5. A.

! Debuggee O# =

. ) ; nSize

o . ;4 ) ; lpNumberOfBytesRead

.
,

7!)b lpBaseAddress

G ' Uc> /
.d

'! B !) .

) (! , hProcess

. 401000h 7!)b

.a

( Gm Rb !) Process

.)

Process

g 3 ! O )!

! O )!
.

Null !
i

%U

WriteProcessMemory

Process O# =

- ReadProcessMemory 5.

! . V
-

!T

)3

- Crack

. +/ 0 1. ( 2,

596
. !)

= V !) . ! ) R
! ! /0 2B

aR

!/V %<
.

!) !
V %,

A84 . -)

pT

. [

. . -)

6 R

Context " U ,< -

6! !) (

( Gm

( .

) 2B - .

;. 2B . () / 24

6! !) ) 6

oC U d

3. /

( Gm ! 2B Rb

;. API 5.

lFG

6 ( 6 )! ) !

31 . % f - !)

-m

. / ) < (! . ) ! C84

;S
.

! Debuggee

() / 24
V,i

- G Debuggee

! . . G!

Context !) /

a EIP

6! !
!) -! /
.

/ ob

- G

W .
f %<

b Context

( Gm

4!

) 6

/A

( - 3 ! GetThreadContext 5. ! G

. 5.

< ! !)

)V

, .
)

) i

!) .

. . -)

Q x R U . . )) - G R 3 ! ) G e
/

. !)

() / # !) GetThreadContext

( Gm
-

f-a

W R . Rb Context /

() *

A84 ! (

. /

- G 4.
() *

.Q

. 6 . Debuggee

W )) 1

! \ 8 ) )

Debuggee

24

W ! o b SetThreadContext 5.

. -)

a -)

! Context V

5. +

)<

. () /

- . !

0T R

)U

GetThreadContext proto hThread:DWORD, lpContext:DWORD

b Context ! ) F4 / /

g 3 ! O )!

hThread

) 2B (! ,

. ! b
- G T -

6! )!

!)

Context )! /! .

Uc> . /

1 (!

lpContext
.

GetThreadContext

,- " 4) "

SetThreadContext 5.

. d -)

! 4

! . )!

!T

! G

! Context )! /! Q =

597

> )

AB"

O /E +/

> .+ . / /7@;2

CONTEXT STRUCT
    ContextFlags dd ?
    ;------------------------------------------------------------------
    ; This section is returned if ContextFlags contains the value
    ; CONTEXT_DEBUG_REGISTERS
    ;------------------------------------------------------------------
    iDr0 dd ?
    iDr1 dd ?
    iDr2 dd ?
    iDr3 dd ?
    iDr6 dd ?
    iDr7 dd ?
    ;------------------------------------------------------------------
    ; This section is returned if ContextFlags contains the value
    ; CONTEXT_FLOATING_POINT
    ;------------------------------------------------------------------
    FloatSave FLOATING_SAVE_AREA <>
    ;------------------------------------------------------------------
    ; This section is returned if ContextFlags contains the value
    ; CONTEXT_SEGMENTS
    ;------------------------------------------------------------------
    regGs dd ?
    regFs dd ?
    regEs dd ?
    regDs dd ?
    ;------------------------------------------------------------------
    ; This section is returned if ContextFlags contains the value
    ; CONTEXT_INTEGER
    ;------------------------------------------------------------------
    regEdi dd ?
    regEsi dd ?
    regEbx dd ?
    regEdx dd ?
    regEcx dd ?
    regEax dd ?
    ;------------------------------------------------------------------
    ; This section is returned if ContextFlags contains the value
    ; CONTEXT_CONTROL
    ;------------------------------------------------------------------
    regEbp dd ?
    regEip dd ?
    regCs dd ?
    regFlag dd ?
    regEsp dd ?
    regSs dd ?
    ;------------------------------------------------------------------
    ; This section is returned if ContextFlags contains the value
    ; CONTEXT_EXTENDED_REGISTERS
    ;------------------------------------------------------------------
    ExtendedRegisters db MAXIMUM_SUPPORTED_EXTENSION dup(?)
CONTEXT ENDS

)3

- Crack

. +/ 0 1. ( 2,
) < CPU ;4

6!

g 3 ContextFlags PU +
!

PU V

. a

598
C

! O )!

/ () *

regFlag, regCs, regEip, regEbp


.

. )! /! V

( 1

() *

pT.
/

- . CONTEXT_FULL

.a

regSs

/ () *

7!)b /

V . ) / - G # !) ! iCn ' Uc> NT

/ ! i ,-

. 1 Qx R U . .

+ # / ! ) F4 1

. O# = !) Context )! /! E

( -3

. )! /! V

6! ,-

8. ! / . ! CONTEXT_CONTROL !

. *B

PU a /

! b)

!) '! F
. d -)

regEsp ,
. /
. DWORD

n !) .
%<

'! F. . ! ! /

align dword
MyContext CONTEXT <>

.d !
/Y -

. . ) ) - G R 3 ! DebugActiveProcess 5.

)! a )! 0f. p , . ! ) G ( < T
Process . ! ) G
. C=

p .V

Win.exe

.V .
.a

A84

/ 6 !Q Qx
W V . . -)
. -)

() *

.V .

/ 6 !

;. C=

!) . )

b /

o x

, 4

.Q=

^ !Q Qx
Win.exe Rb %
o

. C=

( 8 [ Win.exe

p , !) G( <T (

! G

599

> )

AB"

O /E +/

> .+ . / /7@;2

.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
includelib \masm32\lib\user32.lib
.data
AppName db "Win32 Debug Example no.2",0
ClassName db "SimpleWinClass",0
SearchFail db "Cannot find the target process",0
TargetPatched db "Target patched!",0
buffer dw 9090h
.data?
DBEvent DEBUG_EVENT <>
ProcessId dd ?
ThreadId dd ?
align dword
context CONTEXT <>

.code
start:
invoke FindWindow, addr ClassName, NULL
.if eax!=NULL
invoke GetWindowThreadProcessId, eax, addr ProcessId
mov ThreadId, eax
invoke DebugActiveProcess, ProcessId
.while TRUE
invoke WaitForDebugEvent, addr DBEvent, INFINITE
.break .if DBEvent.dwDebugEventCode==EXIT_PROCESS_DEBUG_EVENT
.if DBEvent.dwDebugEventCode==CREATE_PROCESS_DEBUG_EVENT
mov context.ContextFlags, CONTEXT_CONTROL
invoke GetThreadContext,\
DBEvent.u.CreateProcessInfo.hThread,\
addr context
invoke WriteProcessMemory,\
DBEvent.u.CreateProcessInfo.hProcess,\
context.regEip,\
addr buffer,\
2,\
NULL
invoke MessageBox, 0,\
addr TargetPatched,\
addr AppName,\
MB_OK + MB_ICONINFORMATION

.elseif DBEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT
.if DBEvent.u.Exception.pExceptionRecord.ExceptionCode\
==EXCEPTION_BREAKPOINT
invoke ContinueDebugEvent, DBEvent.dwProcessId,\
DBEvent.dwThreadId,\
DBG_CONTINUE
.continue
.endif
.endif
invoke ContinueDebugEvent, DBEvent.dwProcessId,\
DBEvent.dwThreadId,\
DBG_EXCEPTION_NOT_HANDLED
.endw
.else
invoke MessageBox, 0,\
addr SearchFail,\
addr AppName,\
MB_OK+MB_ICONERROR
.endif
invoke ExitProcess, 0
end start
; Debuggee side: fragment of the WinMain of Win.exe, with the "jmp $" inserted
; before ShowWindow so the target spins in place until the debugger patches it
mov wc.hIconSm,eax
invoke LoadCursor,NULL,IDC_ARROW
mov wc.hCursor,eax
invoke RegisterClassEx, addr wc
INVOKE CreateWindowEx,NULL,\
ADDR ClassName,\
ADDR AppName,\
WS_OVERLAPPEDWINDOW,CW_USEDEFAULT,\
CW_USEDEFAULT,\
CW_USEDEFAULT,\
CW_USEDEFAULT,\
NULL,\
NULL,\
hInst,\
NULL
mov hwnd,eax
jmp $
invoke ShowWindow, hwnd,SW_SHOWNORMAL
invoke UpdateWindow, hwnd
.while TRUE
invoke GetMessage, ADDR msg,NULL,0,0
.break .if (!eax)
invoke TranslateMessage, ADDR msg
invoke DispatchMessage, ADDR msg
.endw
mov eax,msg.wParam
ret
WinMain endp

601

Debuggee

. / AF
5.

() *

% V

!
) (! ,

) ..

! b

7c/ Rb

O /E +/

() *

) (! ,

. Null

5.

. uT . )! )

a FindWindow 5. +

. GetWindowThreadProcessId

. ) G 5. V . ! b

) (! ,
( <T-

> .+ . / /7@;2

Debuggee

V . )! )

. ! ( <T

)< ( <T .

AB"

. ! ) G DebugActiveProcess 5.

R U .( <T

> )

) !

O )!

31 . !

1 . ! b

!T

( < T 7c/

. ! 7c/ Rb
.

( 3 )<

.if eax!=NULL
invoke GetWindowThreadProcessId, eax, addr ProcessId
mov ThreadId, eax
invoke DebugActiveProcess, ProcessId

G # ! DebugActiveProcess 5. a d ! b
.d

. ! Process

! O

uT

\ 8 ) C= )! uD . d /

.if DBEvent.dwDebugEventCode==CREATE_PROCESS_DEBUG_EVENT
mov context.ContextFlags, CONTEXT_CONTROL
invoke GetThreadContext,\
DBEvent.u.CreateProcessInfo.hThread,\
addr context

Debuggee 24

Q= .
( Jmp $ )

. C= !

" Jmp$ " !

) /

f 3 CREATE_PROCESS_DEBUG_INFO % W T

) Q x V !) . d / ) < Process !) ! O )!
.

) 6

. ) / d - G V "f 6 (90 h) NOP !


. EBh FEh

AF

Debuggee .

) G !) !

O )!

.
!

ContextFlags PU .
5.

uD

d -)

f-.d! b

) 7!)b eip uT .
. !/V
!

'

..d! b

! 8U /

. ! " Jmp $ " !


o

W d
) ) . !

A 3
) 7!)b

. )
.

. C= !) Debuggee a )
. ! eip !

CONTEXT_CONTROL !

. uT . )! )

CONTEXT )! /!

)3

- Crack

. +/ 0 1. ( 2,

Q /

6! a ! / V % <

602
G # ! GetThreadContext

= !) . d /

T ! context )! /!

.d /

invoke WriteProcessMemory,\
DBEvent.u.CreateProcessInfo.hProcess,\
context.regEip,\
addr buffer,\
2,\
NULL

aWriteProcessMemory 5.
.!/V %<
. !

() *

.d

. ! NOP

= !) . d /

WTa!/V %<

uT . )

G # Debuggee
p , !) G( <T

) 1
(

. ! EIP !

a d ()! b

! G

-!

) " Jmp $ " !

C=

/d /

! G

C=

! .

,/ Debuggee

. ! ContinueDebugEvent 5.

/Q=

() ) p ,

Debuggee ! / V % <

.! /

uT . d /
. -)

. /

! G

. C=

! Debuggee

f)^ !

() *

. ;. Q x

.......
.......
.if DBEvent.dwDebugEventCode==CREATE_PROCESS_DEBUG_EVENT
mov context.ContextFlags, CONTEXT_CONTROL
invoke GetThreadContext,DBEvent.u.CreateProcessInfo.hThread,\
addr context
add context.regEip,2
invoke SetThreadContext,DBEvent.u.CreateProcessInfo.hThread,\
addr context
invoke MessageBox, 0,\
addr LoopSkipped,\
addr AppName,\
MB_OK+MB_ICONINFORMATION
.......
.......

.d /
. 2(

() *

GetThreadContext 5.
. ! EIP

6! !

EIP !

a " Jmp$ " !

R)! b
)

. " Q x V !)
.

6 .!.V

603

Jmp "
6

;. !

.) 1

. 2(

/)< !

W "

/ ) < (Break Point) 24

O /E +/

[ /^ T

> .+ . / /7@;2

= !)

. 2 " Jmp $ " !

.
V ,- .

AB"

uT Debuggee a ! / V % < . . d -)

! 6 a 31 .

'! B C6 .

> )

f)
i

6! !)

)(

p "#
) " $

-)
/

'! B !)

Rb !) a Debuggee !) int 3h R) / )!

)3

. +/ 0 1. ( 2,

- Crack

604

(3 RK/) Win32 Debug API


.

, ,S CD !) , 4 V

) 6

.] .

-A #

-/

SourceCodes\Asm32\Chapter23
"c84 1 . d ) T
. /
)

( Tracing )

6 ( k

b R) / Trace ( k . a

f - . !) # /
! .( 6 ,

. +G . +G

. (

24

) -

! . . AF# V !)

uT

.a

. -)
. CPU ' B FG

!,
a

.V
-

aX x

-) !

'! B !) . )

uT CPU '! B V !) .

V )<

uT .

-! / V a Win32 !) . ) 1

6 Single-Step

*B !

GetThreadContext 5.

6!

CB %

= !)
. CPU

= !) !
X x

a!

_ T ! /) G '! B . Trap-Flag

. V , 3- . b

) < ( Debug Exception ) \ 8 )


.

() *

! O# =

Trap-Flag , Flag ' 8e

Trace !

( Single_Stepping ) A,U V

- Debugger

. () / () *

% < API 5.

( - 3 ! 5.

a ( regflag ) Flag ' 8e !

() *
R)! b

" ,

A=

!)

. -1

.d /
.d /

CONTEXT )! /!

G # ! GetThreadContext 5.

.d /
6 Single_Step

/ regflag !) ! Trap Bit -2

PU

= !) Debugee . d

\8)

. ! EXCEPTION_DEBUG_EVENT )

!a!

-)
) -

EXCEPTION_SINGLE_STEP

!)

! O
6

-3

Q ,; j8> -4
uT

(
!

. ) / d - G # !) a u.Exception.pExceptionRecord.ExceptionCode
.d /

(! . ) ! Trap bit !

!
.d !

. a % " '! B !) -5
p .V Qx

.Q=

605

> )

AB"

O /E +/

> .+ . / /7@;2

.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
includelib \masm32\lib\user32.lib
.data
AppName db "Win32 Debug Example no.4",0
ofn OPENFILENAME <>
FilterString db "Executable Files",0,"*.exe",0
db "All Files",0,"*.*",0,0
ExitProc
db "The Debugee exits",0Dh,0Ah
db "Total Instructions executed : %lu",0
TotalInstruction dd 0
.data?
buffer db 512 dup(?)
startinfo STARTUPINFO <>
pi PROCESS_INFORMATION <>
DBEvent DEBUG_EVENT <>
context CONTEXT <>
.code
start:
mov ofn.lStructSize,SIZEOF ofn
mov ofn.lpstrFilter, OFFSET FilterString
mov ofn.lpstrFile, OFFSET buffer
mov ofn.nMaxFile,512
mov ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or \
OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY
invoke GetOpenFileName, ADDR ofn
.if eax==TRUE
invoke GetStartupInfo,addr startinfo
invoke CreateProcess, addr buffer,\
NULL,\
NULL,\
NULL,\
FALSE,\
DEBUG_PROCESS+ DEBUG_ONLY_THIS_PROCESS,\
NULL,\
NULL,\
addr startinfo,\
addr pi
.while TRUE
invoke WaitForDebugEvent, addr DBEvent, INFINITE

.if DBEvent.dwDebugEventCode==EXIT_PROCESS_DEBUG_EVENT
invoke wsprintf, addr buffer,\
addr ExitProc,\
TotalInstruction
invoke MessageBox, 0,\
addr buffer,\
addr AppName,\
MB_OK + MB_ICONINFORMATION
.break
.elseif DBEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT
.if DBEvent.u.Exception.pExceptionRecord.ExceptionCode ==\
EXCEPTION_BREAKPOINT
mov context.ContextFlags, CONTEXT_CONTROL
invoke GetThreadContext, pi.hThread, addr context
or context.regFlag,100h
invoke SetThreadContext,pi.hThread, addr context
invoke ContinueDebugEvent, DBEvent.dwProcessId,\
DBEvent.dwThreadId,\
DBG_CONTINUE
.continue
.elseif DBEvent.u.Exception.pExceptionRecord.ExceptionCode ==\
EXCEPTION_SINGLE_STEP
inc TotalInstruction
invoke GetThreadContext,pi.hThread, addr context
or context.regFlag,100h
invoke SetThreadContext,pi.hThread, addr context
invoke ContinueDebugEvent, DBEvent.dwProcessId,\
DBEvent.dwThreadId,\
DBG_CONTINUE
.continue
.endif
.endif
invoke ContinueDebugEvent, DBEvent.dwProcessId,\
DBEvent.dwThreadId,\
DBG_EXCEPTION_NOT_HANDLED
.endw
.endif
invoke CloseHandle,pi.hProcess
invoke CloseHandle,pi.hThread
invoke ExitProcess, 0
end start

607

b a .! / +
. )! ,

6 A #9
Rb , G

!(

> )

uT

AB"

O /E +/

.d ) T

> .+ . / /7@;2

- / A Ck

() ) p , ! OpenFile \

6 '!

)) ;

() / 6 C=

"< . Q =

. C=

'! F.

.elseif DBEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT
.if DBEvent.u.Exception.pExceptionRecord.ExceptionCode ==\
EXCEPTION_BREAKPOINT

.)

6 C=

. C=

'! B .

! a Debugee !

) V

. O )!

. /d /

g 3 p . V !)

pT

/ ! i ,-

. /

) < ! EXCEPTION_BREAKPOINT

mov context.ContextFlags, CONTEXT_CONTROL


invoke GetThreadContext, pi.hThread, addr context

G # a - ' 8e C;#

. CONTEXT ) /! R) / T

. ! GetThreadContext 5.
.d /

or context.regFlag,100h

.d /

! trap bit !

invoke SetThreadContext,pi.hThread, addr context


invoke ContinueDebugEvent, DBEvent.dwProcessId,\
DBEvent.dwThreadId,\
DBG_CONTINUE
.continue

() /

G # CONTEXT )! /! !)

DBG_CONTINUE C#

6 )

ContinueDebugEvent 5.

. ! SetThreadContext 5.
a Debugee ! /

.d /
.elseif DBEvent.u.Exception.pExceptionRecord.ExceptionCode ==\
EXCEPTION_SINGLE_STEP
inc TotalInstruction

.
() *

)3

. +/ 0 1. ( 2,

- Crack

608

# !) EXCEPTION_DEBUG_EVENT )

a Debugee !) !

DBEvent.u.Exception.pExceptionRecord.ExceptionCode !
. EXCEPTION_SINGLE_STEP !

a
=

! TotalInstruction

W !

) -

. '! F

!) / d /

! B !) . d -) ! 4

6 !

6 .

! . )!

( /g 3
. d -)

p "#

invoke GetThreadContext,pi.hThread, addr context
or context.regFlag,100h
invoke SetThreadContext,pi.hThread, addr context
invoke ContinueDebugEvent, DBEvent.dwProcessId,\
DBEvent.dwThreadId,\
DBG_CONTINUE
.continue

. C=

6 .

- G

_ T Trap bit X x

! B !) . )
.

() *

\!".

b (! . )

p . V Q x R) /
.

,. O

. /
R

'

- )<
. a -)
.
! 8<

uT
) C=
) 6
V ,

609

> )

AB"

O /E +/

> .+ . / /7@;2

(1RK/) > # ( A> ) @G


.) ) d - G ! 4
6
n
.
. !

# /

! oC # V f) f
b uT a
!)

!)

oC # C/ ! G

(Portable Executable) A,= A. 4

# /

C/ !) oC # V

() /
V

oC # CB

! . )!

) T . O )!

; V

V !)
(f )
PE

oC # ! 01! . .
V ,

() *

oC # ) C,U ( k

6 A #

. R) . A,= A. 4 * .

) 6

!)
! G

. 8

. PE

Win32 !)

R
.a /

p . V !)

oC #
,

. 32
() *

ob

C/ . / ! / Intel
)

#
. /)< ,

. d -)

! 4

! . )!

DOS MZ header
DOS stub
PE header
Section table
Section 1
Section 2
Section ...
Section n

! B #V

C/ ! G

Q=

)3

- Crack

. +/ 0 1. ( 2,
! B !) .

Dos MZ ()

bA Ud

610

/)

zU .

"& ,; p . V .

) () /

9u

Dos A /

."

"& ,;

21 *4

/)

.
#S

/
T

PE Header

f) %
- C#

3.

b )! /! V

! PE Header E

. ;.

() *

! 4 () *

<

Section / )

! PE A #

o. ! F

,- - Section a Boot Sector


.

) 6

' C,U 7
' *B

V
.

..

. *C

Data

() *

" R U . ! Section

Section V +

QW

;..

=)! /! - .
Qx R U ..

)d-

do . o b

. / 3

. Read-Only *B

a
/ O# =

/ C. .

,- PE Header

!) ...

ob

) -

/ C. - G

f -. -) ! 4 Read-Only
! . )!
! O )!
)

b'F 3
'F 3 a
,- PE

!) # / Ec>

# 1
-a

# 1 ! 4 Section Table a header

!b ) G /
)!

."

! ) - () )

() ) ! 4

) !) oC # V # 1 ! 4 Ak )!

-)! /!
Section

,- oC #

!) d- .

86 o

,- - Section Boot Sector

PE p .

!) - () ) R) ) ! 4 /

f[ /

. -)
oC #

/ C. "6 " [

oC # V .

! 01! . O# = . ! Section - PE ! 01 ! . /

. a /
(

!)

f. O !) " Data " R U . ! f ) Section " Code

1 Q x R U . . ! ) ! 01 %
*B . Section

/ PE Header

f. O !)

. Section
Code

6 A # CB

!)

f. ! 4 Section

8 .

Section

' B FG

!) . ) / - G

. - () )

,- PE header , 4 .

o b _ 3 ' *B 7

!) o b 1 .

*B

PE ! "1! .

Dos MZ

o/ C. .

_ 3

;. p .

)!

6 R

A # CB

..

![

!) . /

.) .a
Section .

O )!

k IMAGE_NT_HEADERS

# 1 ( ) ! Dos Stub p .

6 .
'! B

PE Header

PE ! 01 ! . a

7!)b

6 A #R U

'! B . C D /

=!) . )! ) %

- p . !) .

C/

6 A #

p .V

6 A # .

= )! /! V . )

oC #

! Dos Stub

. /
)! /!

8;

!) p , . " This Program Requires Windows"

6 Dos + k !)

V a)

"& ,; . / 6 ! Dos Stub p . R !) ' !


!)

. Win32 !)

<

#b a

#b a ' *B A 84

Uc>

611

p . . ) . - G )! /! T A
PU
.a(
! G

"

- . # 1 O !)
*1 v i . . )
V ' K"6 ;.

> )

AB"

O /E +/

. Section T A

!b V a

) !) 3 ! ! / )
9

o3 . !) . ) /

CB G
T

> .+ . / /7@;2

,- R

PE A #

! Section table

. ) ! 7!)b "
b

!)

6 A #

. ))d - G ! 4

!b V

"#! G
! . )!

)3

- Crack

. +/ 0 1. ( 2,

612

(2 RK/) > # ( A> ) @G


.

) 6

, ,S CD !) , 4 V

.] .

oC #

-/

SourceCodes\Asm32\Chapter25
.d ) T
A 3 Q
AG )

V T
-)! /! % ,

. A,U !) .
f)

8;

6 A #

6 A #

! G

g 3
!) a A #

Q x R U . . )! ) ,

/ */ ob

/g 3 !

o
6 A #

! . .

)! /! 54
.d ) T

!)

PE Header .

)! /! V ! G

CB

6 A #

-)! /!

-)! /!
b!8U

f[

. f .

! . )!

84 A. 4 =

PE Header )! /! a d -) g 3

) !) /

4) R "

-) ! 4

!8U

! . . AF# V !)

/ d -) g 3

O )!

.
.

f f[

! .

! . .
. /

)! /! V

do

G ) T d - G Rb ' K"6

! .

IMAGE_NT_HEADERS

! . .Q=.

IMAGE_NT_HEADERS STRUCT
    Signature      dd ?
    FileHeader     IMAGE_FILE_HEADER <>
    OptionalHeader IMAGE_OPTIONAL_HEADER32 <>
IMAGE_NT_HEADERS ENDS

..

50h , 45h , 00h , 00h !

.
6 A #

*B ) ( ,- . " PE "

= !) PU V .
.d /

6 A #

"#! G

. ... )
6 A #

! G

() *

(! .!)
6 Rb

(! .!)

dword E

= /

Rb

Uc>

Signature

!A

f ) '! 8U

A #!8U g 3

. /

)! /! FileHeader

= /

D / E a - Section ) ;

!A # /

Uc>

= /

)! /!

Optional Header
.

IMAGE_NT_HEADERS )! /!
8; (

! .

6 A # /d

Signature PU !
f. <

1 .

g 3

Y -R /

. *B ) ( ,- . "PE" . . .

613

! IMAGE_NT_SIGNATURE %

! ob

!) . ) / d - G () *

- .eV

> )
.e

AB"

O /E +/

> .+ . / /7@;2

54

Rb

() / 2 ;
.

IMAGE_DOS_SIGNATURE    equ 5A4Dh
IMAGE_OS2_SIGNATURE    equ 454Eh
IMAGE_OS2_SIGNATURE_LE equ 454Ch
IMAGE_VXD_SIGNATURE    equ 454Ch
IMAGE_NT_SIGNATURE     equ 4550h

V T.d /

DOS
V

( -3

f[ /

;. Q

= !) . )! ) ) G !) ! PE Header 7!)b a DOS MZ Header )! /! .


e_lfanew PU /

IMAGE_DOS_HEADER E
.

.
.

b Q

. 2 !

BcG

R)! b

. e_lfanew !

()

)! /! MZ Header

A # !) PE Header 7!)b

= )! /!

'! B . ! / A=

a DOS MZ Header ! 8 U V ;

<
. -1

IMAGE_DOS_HEADER

.d /

a DOS MZ Header R) . 8 ; '! B !) -2

PE

Header7!)b
.d /

!) . d /
.

5A4Dh
454Eh
454Ch
454Ch
4550h

T A # !) ! PE Header )! /! 7!)b

!) .

8;

IMAGE_NT_HEADERS . ! PE Header
6 A #

O )!

A #d

<

a!

Q
)V

() *
. )!
. . '! B

-3

!)

)3

. +/ 0 1. ( 2,

- Crack

614

.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
SEH struct
PrevLink dd ?
CurrentHandler dd ?
SafeOffset dd ?
PrevEsp dd ?
PrevEbp dd ?
SEH ends
.data
AppName db "PE tutorial no.2",0
ofn OPENFILENAME <>
FilterString db "Executable Files (*.exe, *.dll)",\
0,\
"*.exe;*.dll",\
0,\
"All Files",\
0,\
"*.*",\
0,\
0
FileOpenError db "Cannot open the file for reading",0
FileOpenMappingError db "Cannot open the file for memory mapping",0
FileMappingError db "Cannot map the file into memory",0
FileValidPE db "This file is a valid PE",0
FileInValidPE db "This file is not a valid PE",0
.data?
buffer db 512 dup(?)
hFile dd ?
hMapping dd ?
pMapping dd ?
ValidPE dd ?
.code
start proc
LOCAL seh:SEH
mov ofn.lStructSize,SIZEOF ofn
mov ofn.lpstrFilter, OFFSET FilterString
mov ofn.lpstrFile, OFFSET buffer

mov ofn.nMaxFile,512
mov ofn.Flags, OFN_FILEMUSTEXIST or \
OFN_PATHMUSTEXIST or \
OFN_LONGNAMES or \
OFN_EXPLORER or \
OFN_HIDEREADONLY
invoke GetOpenFileName, ADDR ofn
.if eax==TRUE
invoke CreateFile, addr buffer,\
GENERIC_READ,\
FILE_SHARE_READ,\
NULL,\
OPEN_EXISTING,\
FILE_ATTRIBUTE_NORMAL,\
NULL
.if eax!=INVALID_HANDLE_VALUE
mov hFile, eax
invoke CreateFileMapping, hFile, NULL, PAGE_READONLY,0,0,0
.if eax!=NULL
mov hMapping, eax
invoke MapViewOfFile,hMapping,FILE_MAP_READ,0,0,0
.if eax!=NULL
mov pMapping,eax
assume fs:nothing
push fs:[0]
pop seh.PrevLink
mov seh.CurrentHandler,offset SEHHandler
mov seh.SafeOffset,offset FinalExit
lea eax,seh
mov fs:[0], eax
mov seh.PrevEsp,esp
mov seh.PrevEbp,ebp
mov edi, pMapping
assume edi:ptr IMAGE_DOS_HEADER
.if [edi].e_magic==IMAGE_DOS_SIGNATURE
add edi, [edi].e_lfanew
assume edi:ptr IMAGE_NT_HEADERS
.if [edi].Signature==IMAGE_NT_SIGNATURE
mov ValidPE, TRUE
.else
mov ValidPE, FALSE
.endif
.else
mov ValidPE,FALSE
.endif
FinalExit:
.if ValidPE==TRUE
invoke MessageBox, 0,\
addr FileValidPE,\
addr AppName,\
MB_OK + MB_ICONINFORMATION

.else
invoke MessageBox, 0,\
addr FileInValidPE,\
addr AppName,\
MB_OK + MB_ICONINFORMATION
.endif
push seh.PrevLink
pop fs:[0]
invoke UnmapViewOfFile, pMapping
.else
invoke MessageBox, 0,\
addr FileMappingError,\
addr AppName,\
MB_OK + MB_ICONERROR
.endif
invoke CloseHandle,hMapping
.else
invoke MessageBox, 0,\
addr FileOpenMappingError,\
addr AppName,\
MB_OK + MB_ICONERROR
.endif
invoke CloseHandle, hFile
.else
invoke MessageBox, 0,\
addr FileOpenError,\
addr AppName,\
MB_OK + MB_ICONERROR
.endif
.endif
invoke ExitProcess, 0
start endp
SEHHandler proc C uses edx pExcept:DWORD, pFrame:DWORD, pContext:DWORD, pDispatch:DWORD
mov edx,pFrame
assume edx:ptr SEH
mov eax,pContext
assume eax:ptr CONTEXT
push [edx].SafeOffset
pop [eax].regEip
push [edx].PrevEsp
pop [eax].regEsp
push [edx].PrevEbp
pop [eax].regEbp
mov ValidPE, FALSE
mov eax,ExceptionContinueExecution
ret
SEHHandler endp
end start
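The same validity check in Python, added here as an example and not the book's program. It reads e_magic, follows e_lfanew, compares the dword there with IMAGE_NT_SIGNATURE and then unpacks IMAGE_FILE_HEADER; instead of an SEH frame it bounds-checks e_lfanew before dereferencing it, which is exactly the fault the assembly version's handler exists to survive. The sample image builder, the field-name tuple and the NotPE exception are this example's own constructions.

```python
"""Bounds-checked DOS/PE header walk (added example, not the book's code).

Mirrors the MASM program above: check e_magic, follow e_lfanew, check the PE
signature, then read IMAGE_FILE_HEADER. The sample input is constructed inline.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0"
E_LFANEW_OFFSET = 0x3C             # e_lfanew is the last member of IMAGE_DOS_HEADER
IMAGE_DOS_HEADER_SIZE = 0x40
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
IMAGE_FILE_HEADER_FMT = "<HHIIIHH"
IMAGE_FILE_HEADER_FIELDS = ("Machine", "NumberOfSections", "TimeDateStamp",
                            "PointerToSymbolTable", "NumberOfSymbols",
                            "SizeOfOptionalHeader", "Characteristics")


class NotPE(ValueError):
    """Raised for anything that is not a well-formed PE image."""


def parse_pe_headers(data):
    """Return e_lfanew plus the IMAGE_FILE_HEADER fields of a PE image.

    e_lfanew is an offset the file itself supplies, so it is validated before
    it is dereferenced; this replaces the SEH frame the assembly version
    needs to survive a hostile or truncated file."""
    if len(data) < IMAGE_DOS_HEADER_SIZE:
        raise NotPE("shorter than IMAGE_DOS_HEADER")
    (e_magic,) = struct.unpack_from("<H", data, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise NotPE("e_magic is not MZ")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    needed = e_lfanew + 4 + struct.calcsize(IMAGE_FILE_HEADER_FMT)
    if needed > len(data):
        raise NotPE("e_lfanew %#x does not point inside the file" % e_lfanew)
    (signature,) = struct.unpack_from("<I", data, e_lfanew)
    if signature != IMAGE_NT_SIGNATURE:
        raise NotPE("no PE signature at e_lfanew")
    values = struct.unpack_from(IMAGE_FILE_HEADER_FMT, data, e_lfanew + 4)
    header = dict(zip(IMAGE_FILE_HEADER_FIELDS, values))
    header["e_lfanew"] = e_lfanew
    return header


def is_valid_pe(data):
    """True when the MZ and PE checks of the MASM program both pass."""
    try:
        parse_pe_headers(data)
        return True
    except NotPE:
        return False


def build_sample_image(e_lfanew=0x80, number_of_sections=3):
    """Constructed test bytes: MZ header, DOS stub, PE signature and a 32-bit
    IMAGE_FILE_HEADER (Machine 0x14C = i386). Not a runnable executable."""
    dos = bytearray(IMAGE_DOS_HEADER_SIZE)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    stub = b"This program cannot be run in DOS mode.\r\n$"
    stub = stub[:e_lfanew - IMAGE_DOS_HEADER_SIZE]
    stub = stub.ljust(e_lfanew - IMAGE_DOS_HEADER_SIZE, b"\0")
    file_header = struct.pack(IMAGE_FILE_HEADER_FMT, 0x014C, number_of_sections,
                              0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + stub + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_header


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print(parse_pe_headers(blob))
```

With a path argument it parses a real file; without one it parses the constructed sample. NumberOfSections in the returned dict is the count a section-table walk would iterate over, and SizeOfOptionalHeader is the distance from the end of IMAGE_FILE_HEADER to that table.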

616

617

> )

AB"

O /E +/

.d ) T
8 ; '! B !) . /
Q x V !)

b DOS Header ! 8 U

g 3

'! B !) d /

! ."
.

&.

O )!

O )!

A # /d

f. <

.
)!

f ) '! F

() / A

6 A # / -)

p .

f. <

- iG

A84 . /

R) . 8 ;

iG /

! B !) . d /

. .

8;

6 A #

() / . ! A # uD . / 9

( ! ! (SEH) - iG

.d /

() ) p , ! Open File \

f O# = .

*1 (Exception Handling

!) . )

!) ' Uc>

( 6 .! / .

uT

. a DOS Header R) .

84 A. 4 Q , = . -) !
!

"< . Q =

. a A # R) / .

A # /d

Structured ) SEH Rb . ! F G . / d () / () *
! . ! - iG C/ /

- / A Ck

#! PE Header

b!8U

6 A #

> .+ . / /7@;2

ad

.
! O

.A #

assume fs:nothing
push fs:[0]
pop seh.PrevLink
mov seh.CurrentHandler,offset SEHHandler
mov seh.SafeOffset,offset FinalExit
lea eax,seh
mov fs:[0], eax
mov seh.PrevEsp,esp
mov seh.PrevEbp,ebp

! O

Masm

. ' 8e V

6!

. ! C84 SEHHandler 7!)b uD . /

() *
. V #! .

o 8e

. ) G C84

;. C=

!) . / Q 8 )

= . ! Stack

;S d

( k Q !

( b) 6 .

) .

- iG

() / ( Gm ) G )! /! !)

. a iG R b ) 6 . '! B !) / d /

esp

.d ) 1

() *

() *

Rb V "f 6 ! ) G SEHHandler 7!)b

!) . d /
ebp

W ! fs

d -)

g 3 !/V

. !) G!/a(
. 31 . 54

!)

g 3 7!)b
d /

( Gm !

mov edi, pMapping


assume edi:ptr IMAGE_DOS_HEADER
.if [edi].e_magic==IMAGE_DOS_SIGNATURE

)!
R

A #
R b

.V
..

7!)b

. .d !

A #

DOS MZ Header )! /!

. a SEH

.V

/d"!

(!

uT

edi !) ! O

)3

- Crack

. +/ 0 1. ( 2,

618

# ; IMAGE_DOS_HEADER )! /! .
%

. Windows.inc A # !) / " MZ "

! . ! Dos Header

. . '! B !) . d /
False !

. d -)

R U . ! edi a

1 (!

a
ValidPE

. ) uD .d /

8e IMAGE_DOS_SIGNATURE

(
W

' C,U

. '! B V

PE header

n !) d !

add edi, [edi].e_lfanew
assume edi:ptr IMAGE_NT_HEADERS
.if [edi].Signature==IMAGE_NT_SIGNATURE
mov ValidPE, TRUE
.else
mov ValidPE, FALSE
.endif

DOS Header

. d !)

!) . )! ) ) 6

iG

e_lfanew PU !

.Q,= /

. e_lfanew !

. a PE Header 7!)b . .

6 R ,- <

V , a

8;

. ! e_lfanew !

. ! PE Header )! /!

6 A # a O )!

. )a

IMAGE_NT_SIGNATURE %
)!

A # /d

f. <

%<

. G" 8

R ,> . a

bQ

/ SEHHandler / -)

6 uD .

. ) G C84
.)

iG a
;S
A

. 8;
. ! -

! B

! B !)

,- 1 . d /
" PE "

. . '! B !) .
8;

8e

6 A #

Stack

! B !)
# 1

Final Exit p . . SEHHandler+

FinalExit:
.if ValidPE==TRUE
invoke MessageBox, 0,\
addr FileValidPE,\
addr AppName,\
MB_OK + MB_ICONINFORMATION
.else
invoke MessageBox, 0,\
addr FileInValidPE,\
addr AppName,\
MB_OK + MB_ICONINFORMATION
.endif

e_lfanew !
6!

.i A #

. Windows.inc A # !) / d /

) 1

. )!

.
.

A # /

SEH

d ) . ! 8< a d ) / , () *

! 4 edi !) ! !

. d -)
.

A #(


E
. -)

p , .! / . ! v


! . ! ValidPE

W !

&. /

push seh.PrevLink
pop fs:[0]

.d ) 1

. ) G C84

= .

bad!

SEH .

f)

CU . d- Gb !)


File Header (3 RK/) > # ( A> ) @G


. G b d - G 8 i PE Header

File Header p . )!
.d /

2 ;

IMAGE_DOS_HEADER E
: !)

!) AF# V !)

! A84 AF# v i

)! /! R U . Dos MZ Header
,-

. < !) Rb PU ) o
" MZ "

/ e_magic : 1

!A

. )! ) ) G !) ! PE Header 7!)b / e_lfanew : 2


.d /

Dos Header ! 8 U

() *
.d /

V !
!

e_lfanew !

() *

. *B ) ( ,- . " PE "

PE Header . .
. PE Header

!A

8;

6 A #

O )!

A # /d

. G b d - G PE Header )!
/

IMAGE_NT_HEADERS E

a ) .R

3 . v i AF# V !)

)! /! 54 !) PE Header
.d /

. ! dword
<

!) !

dword V

IMAGE_NT_SIGNATURE !

) - 1 . d /
.

. e_magic !

! .

R . f)!.

b! G

/ ! i ,! b)

IMAGE_NT_HEADERS STRUCT
  Signature      dd ?
  FileHeader     IMAGE_FILE_HEADER <>
  OptionalHeader IMAGE_OPTIONAL_HEADER32 <>
IMAGE_NT_HEADERS ENDS

. *B ) ( ,- . " PE "
. /
6 A # R !)

g 3 !
i ! G

6 A #
(! .!)

Uc>

"#'F 3
= /

6 A #
/

Signature

)! /! File Header
)! /! Optional Header
.


E
File Header

"

PU


)! ) ! 4 Optional Header p . !) ' Uc> V

G .

G b d - G File Header )!

!)


!) ! 8 i AF# V !) . ) . - G

. #! d - G Optional Header
.
IMAGE_FILE_HEADER STRUCT
  Machine              WORD ?
  NumberOfSections     WORD ?
  TimeDateStamp        dd ?
  PointerToSymbolTable dd ?
  NumberOfSymbols      dd ?
  SizeOfOptionalHeader WORD ?
  Characteristics      WORD ?
IMAGE_FILE_HEADER ENDS

. /

. Windows.inc A # !) /
<

g 3 !

n )

! B !) . /
. -)

)!

. /

.)

!)

;. " 4) / /

.a

)!

/ /

. PU V

1 C6 A #

- Section ) ; NumberOfSections
# S A # . Section

/ d/

!) o

R) / \ 8 ) R

Machine

) TQ

- 1 ^ ) T

PointerToSymbolTable

PU V

!) o "

- G

! TimeDateStamp

g 3 !A #)< R

R) / \ 8 ) R

() *

!)

2 ; IMAGE_FILE_MACHINE_I386

g 3 ! A # !) ) 6

() *

14Ch . . Intel

W ! PU V !

.)

'! B !) .
.


6 A # '!

() *
.


.
. ;. AF#

( - 3 ! File Header ! G

,o

PU V

g 3 ! OptionalHeader )! /! (

NumberOfSymbols
SizeOfOptionalHeader

. )! ) ! 4 File Header )! /!
exe Q x

.. /

g 3 !

6 A #E

C#

Characteristics
. dll

() *

Number Of Sections !
.d ) T

. Section Table . ! / % f - /
Section Table

) 6

! . . BcG ! > . Q = .


Section
!

)!

. 6

!)

PU % , / d
6

PU

1 .d /

! NumberOfSections
. /

= )! /! - /

. . ) . - G

- Section ) ;
*B Rb

Uc>


!b ,d
!

. )! /! .
Rk

C 3 -R . !A #

G .

'c 3 !

V V # 1 ( ) '! F !)

) Section 3 1 uT .
NumberOfSections

!b B U ) ; d
d -)
..

) ! obR
/

() *

/ ) - G
/ ,

Gd

ad

^ !V

8 5Ci
.

-) ! 4 Rb ;4 !

f. ( ) ! NumberOfSections !

- C D /

!b Section Table

-)! /!

.
3.

-) 6 V .

U! ! *B )! /! . -)! /! , G
.) / - G)< ,

. ! )


Optional Header (4 RK/) > # ( A> ) @G


.

PE Header

G b !

Optional Header

PU

Dos Header (! .!)

G .

PE Header PU V

,o

01

oCF# !)

1!". (! .!) d - G

R /

.d /R . ! 8 i
/ )

k IMAGE_NT_HEADERS PU V Gb Optional Header )! /!

PU 31 A

(! .!) !

)! /! V .

kS

6 A #

d ! ) F4 p . V !)

i ! G

- ! )! G .

(! .!)

3.

Uc>

,-

ob

G .

. d / R . X PU V
.d ) T
RVA

Rb h S

= !) . )! )
.

% o*

Relative Virtual Address 2*

R . !

. O# =

<

. O# =

P#

) f. ! 4

!) ! .....

f)

G #a o

T A 84

()
P#

E 6! )!

1)

56

. -)
. -)

7!)b 1 /

PE ! 01! . a

. ! O# = !) Section - E

. ( 1000 h ) 4096 . . . PU V !
1 .)

f ) 7!)b

,C/ . -) ! 4

4096

6 A #

. O# =

P#

7!)b AddressOfEntryPoint

)V

/E

)!

Section V

k kB 9! P

. PE ! 01! .

A 3 !

- G

1 Qx

400000 h 7!)b

. O# =
.(

QW

"c84 O

7!)b SectionAlignment

1 Qx R U ..
k kB 9 P

= ImageBase

!)b

f ) 7!)b !) ! A # PE ! 01! . a

! 4 O# =

6 A #)Q

. 400000 h . . . PU V !

."k6

; V

6 A # .

1 f ) R . . . / h kF

6 A # PE ! 01! . " k 6

! 4 < b !) !

. -)

6 A #!
.a

A,U

/ h kF ! " [ PE ! 01! . /

6 A #

W ! PU V !

!) ! A # / /
)!

g 3 !

. /

.)
! B !) . /

) 6
() *

. 1

RVA
CB # R "

- 6 !)

%, %,

zU . RVA

*C

E 6! )!

RVA

/ () *

. O# =

P#

. RVA /

Ck

A # ! 01! . ' C,U R

. " ,C

2C

()

,- " 4) / /

#b

) !) / ) / - G )! G . RVA ,C/ . ' k S !)

a Section - E

) k

7!)b


7!)b

;. Section a

.
.

,. () *

. 10 Rb "

c. 7!)b ) V V . O# =

g 3 A # !) ! - Section

401000 h 7!)b

P# 1

=)

402000 h

V # 1 ! 4 f f[ PU V FileAlignment
. )! ) C84 PU . 3

- Header E ,<

g 3 ! O# = !)

d- ! / !) Section Alignment PU +

6 A # C/ (

g 3 V

) C,U /

SizeOfImage
- Section

4 . /
.

g 3 ! Section Table ( ,- . - Header A/ d<= SizeOfHeaders

! > .. /
.

- Section d<=
.

)! /! - /
.

# 1! 4

/ () *

A # C/ d<= . . !
6 A # !) Section V

IMAGE_DATA_DIRECTORY )! /!

Import Address Table

6 A #

do )! /!

BcG
#b R U

!b Data Directory
.] .

RVA



Section Table
.


(5 RK/) > # ( A> ) @G

, ,S CD !) , 4 V

) 6


.] .

oC #

-/

SourceCodes\Asm32\Chapter28
# 1 ! 4 PE Header
File Header )! /!

;. " 4) /

/ Number Of Sections +

PU

- IMAGE_SECTION_HEADER E

!b V
.

IMAGE_SIZEOF_SHORT_NAME equ 8
IMAGE_SECTION_HEADER STRUCT
  Name1 db IMAGE_SIZEOF_SHORT_NAME dup(?)
  union Misc
    PhysicalAddress dd ?
    VirtualSize     dd ?
  ends
  VirtualAddress       dd ?
  SizeOfRawData        dd ?
  PointerToRawData     dd ?
  PointerToRelocations dd ?
  PointerToLinenumbers dd ?
  NumberOfRelocations  dw ?
  NumberOfLinenumbers  dw ?
  Characteristics      dd ?
IMAGE_SECTION_HEADER ENDS

.d /
MASM
/

! . a ! )! G .
C/ Y =

-)! /! . )
/

g 3 a

( -3

b! G

!) /


,-

PU V . d /
"6

() *

. / ! )! /! V

PU

Name a PU V

CB % Name1

Name1 ,C/

"[% V .

Rb

g 3 ! Section - . ] .
. /

() *

G .Q=

6 .a

. 8 Rb Q > x/ = /
.)

f % f - PE ! 01! . . /


A ) .

v [ .

!b V X PU ) ; .


3.

,C/ V

V ; ! Section %
! -

!b 54 !) Section Table

-)! /!

! -

RVA Virtual Address


V

a O# = . Section -

6 A # !) Section +

V # 1 O !) . !

. /


! . .a

PU

G a A # !) Section Table E

.)

.d /

(
G A #

!) !

) ;

7!)b R U . SizeOfHeaders !
A

%<

! . / = .
. -)

!b

! . -3

)! /! -

. uD

.)

. -4
A

< 7!)b R)! b

# S ImageBase !

a d ()! b

.
!b

-2

7!)b Rb . A # 1 (!

. O# = !) o b
-)! /!
.d !

' Uc> Section Table

. -1

V ; IMAGE_FILE_HEADER

a O# = !) Section E

bd

/ Q=

Section

!) # / ' Uc> / Q = . )

f O# = .

8 i

PE ! 01! . ) C,U

SizeOfRawData R "

.)

.] .

Characteristics

.d ) T

# 1 PointerToRawData !

G VirtualAddress !

- Section )!

Ak

7!)b PointerToRawData

! . Rb PU - () / / = -)! /!

#b Rb . A # 1 (!
.

g 3 FileAlignment

ofC# A

.)

. /

G b IMAGE_SECTION_HEADER )! /! )!

.)
(

P# SizeOfRawData

' B FG /

NumberOfSections

)! /!

QW

6 A # !) ! Section E

g 3

g 3 ! Section E

. /

() /

.
1! 4

. A,U V
p .V Qx

. !

p , ListView Q

6 A #
/

-5
.Q=

Q x V !)

!) ! - Section


.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
include \masm32\include\user32.inc
include \masm32\include\comctl32.inc
includelib \masm32\lib\comctl32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
IDD_SECTIONTABLE equ 104
IDC_SECTIONLIST equ 1001
SEH struct
PrevLink dd ? ; the address of the previous seh structure
CurrentHandler dd ? ; the address of the new exception handler
SafeOffset dd ? ; The offset where it's safe to continue execution
PrevEsp dd ? ; the old value in esp
PrevEbp dd ? ; The old value in ebp
SEH ends
.data
AppName db "PE tutorial no.5",0
ofn OPENFILENAME <>
FilterString db "Executable Files (*.exe, *.dll)",\
0,\
"*.exe;*.dll",\
0,\
"All Files",\
0,\
"*.*",\
0,\
0
FileOpenError db "Cannot open the file for reading",0
FileOpenMappingError db "Cannot open the file for memory mapping",0
FileMappingError db "Cannot map the file into memory",0
FileInValidPE db "This file is not a valid PE",0
template db "%08lx",0
SectionName db "Section",0
VirtualSize db "V.Size",0
VirtualAddress db "V.Address",0
SizeOfRawData db "Raw Size",0
RawOffset db "Raw Offset",0
Characteristics db "Characteristics",0
.data?
hInstance dd ?
buffer db 512 dup(?)
hFile dd ?
hMapping dd ?
pMapping dd ?
ValidPE dd ?
NumberOfSections dd ?

.code
start proc
LOCAL seh:SEH
invoke GetModuleHandle,NULL
mov hInstance,eax
mov ofn.lStructSize,SIZEOF ofn
mov ofn.lpstrFilter, OFFSET FilterString
mov ofn.lpstrFile, OFFSET buffer
mov ofn.nMaxFile,512
mov ofn.Flags, OFN_FILEMUSTEXIST or \
OFN_PATHMUSTEXIST or \
OFN_LONGNAMES or \
OFN_EXPLORER or \
OFN_HIDEREADONLY
invoke GetOpenFileName, ADDR ofn
.if eax==TRUE
invoke CreateFile, addr buffer,\
GENERIC_READ,\
FILE_SHARE_READ,\
NULL,\
OPEN_EXISTING,\
FILE_ATTRIBUTE_NORMAL,\
NULL
.if eax!=INVALID_HANDLE_VALUE
mov hFile, eax
invoke CreateFileMapping, hFile, NULL, PAGE_READONLY,0,0,0
.if eax!=NULL
mov hMapping, eax
invoke MapViewOfFile,hMapping,FILE_MAP_READ,0,0,0
.if eax!=NULL
mov pMapping,eax
assume fs:nothing
push fs:[0]
pop seh.PrevLink
mov seh.CurrentHandler,offset SEHHandler
mov seh.SafeOffset,offset FinalExit
lea eax,seh
mov fs:[0], eax
mov seh.PrevEsp,esp
mov seh.PrevEbp,ebp
mov edi, pMapping
assume edi:ptr IMAGE_DOS_HEADER
.if [edi].e_magic==IMAGE_DOS_SIGNATURE
add edi, [edi].e_lfanew
assume edi:ptr IMAGE_NT_HEADERS

.if [edi].Signature==IMAGE_NT_SIGNATURE
mov ValidPE, TRUE
.else
mov ValidPE, FALSE
.endif
.else
mov ValidPE,FALSE
.endif
FinalExit:
push seh.PrevLink
pop fs:[0]
.if ValidPE==TRUE
call ShowSectionInfo
.else
invoke MessageBox, 0,\
addr FileInValidPE,\
addr AppName,\
MB_OK + MB_ICONINFORMATION
.endif
invoke UnmapViewOfFile, pMapping
.else
invoke MessageBox, 0,\
addr FileMappingError,\
addr AppName,\
MB_OK + MB_ICONERROR
.endif
invoke CloseHandle,hMapping
.else
invoke MessageBox, 0,\
addr FileOpenMappingError,\
addr AppName,\
MB_OK + MB_ICONERROR
.endif
invoke CloseHandle, hFile
.else
invoke MessageBox, 0,\
addr FileOpenError,\
addr AppName,\
MB_OK + MB_ICONERROR
.endif
.endif
invoke ExitProcess, 0
invoke InitCommonControls
start endp
SEHHandler proc C uses edx pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD
mov edx,pFrame
assume edx:ptr SEH
mov eax,pContext
assume eax:ptr CONTEXT
push [edx].SafeOffset

pop [eax].regEip
push [edx].PrevEsp
pop [eax].regEsp
push [edx].PrevEbp
pop [eax].regEbp
mov ValidPE, FALSE
mov eax,ExceptionContinueExecution
ret
SEHHandler endp
DlgProc proc uses edi esi hDlg:DWORD, uMsg:DWORD, wParam:DWORD, lParam:DWORD
LOCAL lvc:LV_COLUMN
LOCAL lvi:LV_ITEM
.if uMsg==WM_INITDIALOG
mov esi, lParam
mov lvc.imask,LVCF_FMT or \
LVCF_TEXT or \
LVCF_WIDTH or \
LVCF_SUBITEM
mov lvc.fmt,LVCFMT_LEFT
mov lvc.lx,80
mov lvc.iSubItem,0
mov lvc.pszText,offset SectionName
invoke SendDlgItemMessage, hDlg,\
IDC_SECTIONLIST,\
LVM_INSERTCOLUMN,\
0,\
addr lvc
inc lvc.iSubItem
mov lvc.fmt,LVCFMT_RIGHT
mov lvc.pszText,offset VirtualSize
invoke SendDlgItemMessage, hDlg,\
IDC_SECTIONLIST,\
LVM_INSERTCOLUMN,\
1,\
addr lvc
inc lvc.iSubItem
mov lvc.pszText,offset VirtualAddress
invoke SendDlgItemMessage, hDlg,\
IDC_SECTIONLIST,\
LVM_INSERTCOLUMN,\
2,\
addr lvc
inc lvc.iSubItem
mov lvc.pszText,offset SizeOfRawData
invoke SendDlgItemMessage, hDlg,\
IDC_SECTIONLIST,\
LVM_INSERTCOLUMN,\
3,\
addr lvc

inc lvc.iSubItem
mov lvc.pszText,offset RawOffset
invoke SendDlgItemMessage, hDlg,\
IDC_SECTIONLIST,\
LVM_INSERTCOLUMN,\
4,\
addr lvc
inc lvc.iSubItem
mov lvc.pszText,offset Characteristics
invoke SendDlgItemMessage, hDlg,\
IDC_SECTIONLIST,\
LVM_INSERTCOLUMN,\
5,\
addr lvc
mov edi, NumberOfSections ; NumberOfSections is a dword, so load it whole
mov lvi.imask,LVIF_TEXT
mov lvi.iItem,0
assume esi:ptr IMAGE_SECTION_HEADER
.while edi>0
mov lvi.iSubItem,0
invoke RtlZeroMemory,addr buffer,9
invoke lstrcpyn,addr buffer,addr [esi].Name1,8
lea eax,buffer
mov lvi.pszText,eax
invoke SendDlgItemMessage, hDlg,\
IDC_SECTIONLIST,\
LVM_INSERTITEM,\
0,\
addr lvi
invoke wsprintf,addr buffer,\
addr template,\
[esi].Misc.VirtualSize
lea eax,buffer
mov lvi.pszText,eax
inc lvi.iSubItem
invoke SendDlgItemMessage, hDlg,\
IDC_SECTIONLIST,\
LVM_SETITEM,\
0,\
addr lvi
invoke wsprintf,addr buffer,\
addr template,\
[esi].VirtualAddress
lea eax,buffer
mov lvi.pszText,eax
inc lvi.iSubItem
invoke SendDlgItemMessage, hDlg,\
IDC_SECTIONLIST,\

LVM_SETITEM,\
0,\
addr lvi
invoke wsprintf,addr buffer,\
addr template,\
[esi].SizeOfRawData
lea eax,buffer
mov lvi.pszText,eax
inc lvi.iSubItem
invoke SendDlgItemMessage, hDlg,\
IDC_SECTIONLIST,\
LVM_SETITEM,\
0,\
addr lvi
invoke wsprintf,addr buffer,\
addr template,\
[esi].PointerToRawData
lea eax,buffer
mov lvi.pszText,eax
inc lvi.iSubItem
invoke SendDlgItemMessage, hDlg,\
IDC_SECTIONLIST,\
LVM_SETITEM,\
0,\
addr lvi
invoke wsprintf,addr buffer,\
addr template,\
[esi].Characteristics
lea eax,buffer
mov lvi.pszText,eax
inc lvi.iSubItem
invoke SendDlgItemMessage, hDlg,\
IDC_SECTIONLIST,\
LVM_SETITEM,\
0,\
addr lvi
inc lvi.iItem
dec edi
add esi, sizeof IMAGE_SECTION_HEADER
.endw
.elseif uMsg==WM_CLOSE
invoke EndDialog,hDlg,NULL
.else
mov eax,FALSE
ret
.endif
mov eax,TRUE
ret
DlgProc endp

ShowSectionInfo proc uses edi
mov edi, pMapping
assume edi:ptr IMAGE_DOS_HEADER
add edi, [edi].e_lfanew
assume edi:ptr IMAGE_NT_HEADERS
mov ax,[edi].FileHeader.NumberOfSections
movzx eax,ax
mov NumberOfSections,eax
add edi,sizeof IMAGE_NT_HEADERS
invoke DialogBoxParam, hInstance,\
IDD_SECTIONTABLE,\
NULL,\
addr DlgProc,\
edi
ret
ShowSectionInfo endp
end start

uD

() / () *

O )!

6 A #!8U

! .

.2p .

- /

. Qx V

G # ! ShowSectionInfo 5.

. /
ShowSectionInfo proc uses edi
mov edi, pMapping
assume edi:ptr IMAGE_DOS_HEADER
add edi, [edi].e_lfanew
assume edi:ptr IMAGE_NT_HEADERS

!) / pMapping .
7!)b .
.

() / () *
!) .d /

. ;. C=

PE Header 7!)b

R U . edi

6 A # !) - () ) . 1 (!
-) !

= edi Q = . d /

Dos Header 7!)b

5,6 Rb . ! e_lfanew !

a PE Header

mov ax,[edi].FileHeader.NumberOfSections
movzx eax,ax
mov NumberOfSections,eax

PU +
PU V

- Section ) ;

/ d !)
/

#.

. a Section Table

V ; File Header )! /!

! .

NumberOfSections
.

add edi,sizeof IMAGE_NT_HEADERS

/ =
word E


b a PE Header (

.A 8


R) / # S <

PE Header 7!)b

!) .

Section Table .

. /

= edi
1 (!

invoke DialogBoxParam, hInstance,\
IDD_SECTIONTABLE,\
NULL,\
addr DlgProc,\
edi

) 6

.d /

% f - !) / d

G #
#

.)

Q / uD

5. V
A

lParam !

. u/ . \

! T R U . ! Section Table 7!)b /

. a Gb
) <

T . lParam +

# !)

() / ( Gm edi !) ! - Section ) ;

Section - . ] .

' Uc>

C=

)!

a WM_INITDIALOG )

aWM_INITDIALOG % W T

. ! DialogBoxParam 5.

)p ,

. a\

<

T !)

esi !) ! ( Section Table 7!)b)


;. C=

T ! ListView

!) . d /
.d /

#S

. !

.while edi>0
mov lvi.iSubItem,0

. d -)

! 4

i V

!) ! O )!

invoke RtlZeroMemory,addr buffer,9
invoke lstrcpyn,addr buffer,addr [esi].Name1,8
lea eax,buffer
mov lvi.pszText,eax

.d /

*B . %

ASCII

.A 8

. a Section % R) ) R 3

invoke SendDlgItemMessage, hDlg,\
IDC_SECTIONLIST,\
LVM_INSERTITEM,\
0,\
addr lvi

.d !

;. Section

. () / # S

. ! O )!


dec edi
add esi, sizeof IMAGE_SECTION_HEADER
.endw

() / d/ edi !

)! /! . esi ! / V % <

..d /

a )! /!

- ^ ) T

# S esi . ! IMAGE_SECTION_HEADER
;. IMAGE_SECTION_HEADER

. ) / - G (!

. ? ,4

&+

&&4 >

. O )!

/(@3 & . / = >


6 A # ! 8 U g 3 -1

. PE Header
. File Header !) NumberOfSections PU
.

uT

- Section ) ; R)! b

SizeofHeaders . ImageBase R) / # S . Section Table


;. " 4) Section Table ) . PE Header (

. . V #! -2
. -3

. . V #! -4

. PE Header 7!)b R) / # S
.()! ) ! 4 PE Header

SetFilePointer 5.

() *

. ! A # 1 (!

/ , () *
.

/A

.IMAGE_SECTION_HEADER

A #

Section table .
-)! /! ^ ) T -5


Import Table (6 RK/) > # ( A> ) @G


.

, ,S CD !) , 4 V

) 6

.] .

oC #

-/

SourceCodes\Asm32\Chapter29
.d / R . ! 8 i ( Import Table ) ) ! Q 6 (! .!) d ! ) F4 p . V !)
! 4

6 A # !) /

+#

/ C #

! 4 dll A # [

5. %

) ! 5. .
!) ) ! 5.

! 8U ' Uc> V . )

, 4 % / !) ' Uc> V

.)

( Gm

/ d ,o*. d

[ ) ! 5.

! b)

' Uc>

# 1 ! 4 Rb!) O )!

Data Directory

# 1! 4
.Q

)!

6 A # !) o b . ] .

f[ Q = .

.Q=.d !

G # Rb +

.
. (! . ) - f

5.

6 A #
. T

PE Header ! G

.d
IMAGE_NT_HEADERS STRUCT
  Signature      dd ?
  FileHeader     IMAGE_FILE_HEADER <>
  OptionalHeader IMAGE_OPTIONAL_HEADER <>
IMAGE_NT_HEADERS ENDS

16

!b ) G / .

Optional Header )! /!
.

PU V Gb Data Directory

IMAGE_DATA_DIRECTORY

IMAGE_OPTIONAL_HEADER32 STRUCT
  ....
  LoaderFlags         dd ?
  NumberOfRvaAndSizes dd ?
  DataDirectory       IMAGE_DATA_DIRECTORY 16 dup(<>)
IMAGE_OPTIONAL_HEADER32 ENDS

!) () ) )! /!

(! .!) ,o ' Uc>

-)! /!


= IMAGE_DATA_DIRECTORY )! /! .

6 A #


Member   Info inside
   0     Export symbols
   1     Import symbols
   2     Resources
   3     Exception
   4     Security
   5     Base relocation
   6     Debug
   7     Copyright string
   8     Unknown
   9     Thread local storage (TLS)
  10     Load configuration
  11     Bound Import
  12     Import Address Table
  13     Delay Import
  14     COM descriptor

.d ) T
IMAGE_DATA_DIRECTORY E

)! /! V

K"6

)! /! Data Directory
.

IMAGE_DATA_DIRECTORY STRUCT
  VirtualAddress dd ?
  isize          dd ?
IMAGE_DATA_DIRECTORY ENDS

PU

( -3

! . .Q=
PU

b! G

!) /


)! /! V

1 Qx R U . .

.] .


() ) )! /! RVA 54

IMAGE_IMPORT_DESCRIPTOR

!b RVA

!) VirtualAddress
. ImportSymbols

= C#V a

.
. /
.d /

! . d- . !

6 A # !) do () )

9 S O )!

. Optional Header

! Data Directory E

7!)b -2

- G

-3

! B !) Q x R U . . d /

8 / ) IMAGE_DATA_DIRECTORY )! /! (

!) ! (

-1

!) ! IMAGE_DATA_DIRECTORY )! /! (

PU u

5Ci Import Symbols V # 1 ! 4 Ak


9 S

-)! /! R) / T C/ ^ ! Q =

PE Header . Dos Header +

.d !
.d! b

isize

g 3 ! () ) )! /! (

a
.d /

5,6 Data Directory E

.d /
!) ! O )!

IMAGE_DATA_DIRECTORY )! /! 7!)b ,

PU . ] .
.

O )!

() ) )! /! )!

!)

Virtual Address p . !) Import Table 7!)b . d !


- )! /!

!b 54

dll

/
/ () *

g 3

(! .!)
2C

dll 10

*B )! /!

7!)b . ! AB = -4

Uc>

= / !)! G

Import Table

!) Import Table . )! ) ! 4 Data Directory


Uc>

- /

6 A #
."

!b

.Q=

!b % ) PU

IMAGE_IMPORT_DESCRIPTOR

1 Qx R U .. /
o

Q=

) - G) 6

() *

Rb

6 A #

PU 10

!b V !) a
.)


.d ) T
IMAGE_IMPORT_DESCRIPTOR STRUCT
  union
    Characteristics    dd ?
    OriginalFirstThunk dd ?
  ends
  TimeDateStamp  dd ?
  ForwarderChain dd ?
  Name1          dd ?
  FirstThunk     dd ?
IMAGE_IMPORT_DESCRIPTOR ENDS

OriginalFirstThunk
!b RVA
union

. !;


)! / )

1 (!

) ; /

. Characteristics

) 6

.d

)! /!

g 3

. Q= .

(! .!)

PU V

!) . /

V ;

dword (

O !) IMAGE_IMPORT_BY_NAME
IMAGE_IMPORT_BY_NAME

R) ) ! 4 . () / ( Gm

! 4 OriginalFirstThunk !) ! (

) ! 5.

)! /! V
<

b "& ,;

b , G a *B )! /!

- . d -)

! . .Q=

IMAGE_THUNK_DATA )! /!

IMAGE_THUNK_DATA) o b RVA / )! ) ) 6
.d /

union

= !) /

R U

K"6


IMAGE_THUNK_DATA .

)! /!

)! /! V


= PU V .


f)

!b !) ! (

!b RVA Q =

)<

= IMAGE_IMPORT_BY_NAME

Uc>

.d ) T

)! /! V

! .

IMAGE_IMPORT_BY_NAME STRUCT
  Hint  dw ?
  Name1 db ?
IMAGE_IMPORT_BY_NAME ENDS

)! ) ! 4 Rb !) 5.

. -)
. /

g 3

dll ( export table ) 6 G Q 6


! 4 *B
*B . %

b!

- Linker
!

G . )!

= : Hint
)

'! F. ! ) ! 5. %

,- !

V .

: Name1


!b RVA

= /

OriginalFirstThunk

First Thunk

D/


IMAGE_THUNK_DATA

f)R . ..
. d () /

T(

OriginalFirstThunk

" 4) : First Thunk

b "c84 /

! .

*1 v i

-)! /!

OriginalFirstThunk          IMAGE_IMPORT_BY_NAME          FirstThunk
IMAGE_THUNK_DATA   -->   Function 1   <--   IMAGE_THUNK_DATA
IMAGE_THUNK_DATA   -->   Function 2   <--   IMAGE_THUNK_DATA
IMAGE_THUNK_DATA   -->   Function 3   <--   IMAGE_THUNK_DATA
IMAGE_THUNK_DATA   -->   Function 4   <--   IMAGE_THUNK_DATA
...                -->   ...          <--   ...
IMAGE_THUNK_DATA   -->   Function n   <--   IMAGE_THUNK_DATA

A # / )! ) ;.
R !) 5.

10

) ;

. f . First Thunk

6 A #

1 Qx R U . .

IMAGE_IMPORT_DESCRIPTOR )! /!
E

PU

10 A

Original First Thunk

!b

)!

dll A #

Name1 PU a / () *
Kernel32. dll

() .

PU ) ;

6
Kernel32.dll
RVA

. ) . - G IMAGE_THUNK_DATA
d / () *
!b () *
)!
A #

5.

. PE ! 01! .

. aA #

7!)b IMAGE_THUNK_DATA
6 . < !) . -)

! 4 First Thunk

!b )

6 %f- /

. [ /
.

.Q

;. Q
V

. T !)

IMAGE_IMPORT_BY_NAME
!b !) ! o b () / g 3 !
. b

!)

'! F. A84 A


OriginalFirstThunk          IMAGE_IMPORT_BY_NAME          FirstThunk
IMAGE_THUNK_DATA   -->   Function 1        Address of Function 1
IMAGE_THUNK_DATA   -->   Function 2        Address of Function 2
IMAGE_THUNK_DATA   -->   Function 3        Address of Function 3
IMAGE_THUNK_DATA   -->   Function 4        Address of Function 4
...                -->   ...               ...
IMAGE_THUNK_DATA   -->   Function n        Address of Function n

()
A3

t > V !) .) / () *

V .
f)
Rb

OriginalFirstThunk /
R

= V !) . )
6 .

Rb ^ ! T

Rb

(! ,
() *

) -

+
Rb

) 6

. () . 5. (! ,


!) & . A

) ! 5.

o 5.
;4


V ;

G . /

a 5. %

Rb

() *

. 6

,/ .
'! B !)

)! ) ) 6

6 . /

[ /
; R .

IMAGE_IMPORT_BY_NAME %

)! /!

= Low word , 4 !) IMAGE_THUNK_DATA


.

( MSB)

) - G1!

IMAGE_THUNK_DATA !

a 1234h (! ,

. 5.

80000000 h !

. R) /

. . ) . - G 80001234 h 5. Rb

^ ! T

2 ; IMAGE_ORDINAL_FLAG32 %

R) / g 3

.Qx R U .

. Windows.inc A # !) / d /

() *
.

.d /

C=

. C=

'! F. !

6 A #

) ! 5.
.

V ; A=

6 A # ! 8 U g 3 -1

. PE Header . Dos Header


. Optional Header
. Virtual Address !

Data Directory PU V

.IMAGE_IMPORT_DESCRIPTOR)! /! V
!) ! - RVA a ) 8 *B !
!

Rb

6 . a ) . *B Rb !

oC # - Linker

G .
.

. .!

. .

) 6

) < OriginalFirstThunk !)

*B !

[ !^ ! T

^ (! , +

! 5. %

() / () *

() )

/d

f. <

) *B )! /! . R

.!

g 3

*B )! /! . / -)! /!

. -7
.

!b B U % ,

1 (!

. ! & . ' C,U -9


;. dll A #

-)! /!
!b

! B !) -8

Name1 PU +

. )! /! V
!

IMAGE_IMPORT_BY_NAME )! /! .

IMAGE_IMPORT_DESCRIPTOR

) )

. !

Low word , 4 !) 5. (! ,

.d !
() / !

R) / [ -6

!b PU -

. *B . . ^ ! T
.d! b

. R T !)

.!

5.

. )! ) ! 4 PU Rb
PU !

-5

First Thunk

() *

! B !) . d /

() *

Q 8 ) OriginalFirstThunk

d /

. -3

) . V #! -4

.y #!

.d /

'! B V !) . )

R U . O )!

! B !) .OriginalFirstThunk !

V #! -2

Data Directory 7!)b R)! b

V ;

Q=

. !9
.R

6 A=

-10

!!/V
. d -)

.d !
PU

. -)

( ,- . !

) ! 5.

p , Edit Q /

C/

() /

p .V Qx
. !

6 A #

!) a IMAGE_IMPORT_DESCRIPTOR

.Q=
Qx V
-)! /!


.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
IDD_MAINDLG equ 101
IDC_EDIT equ 1000
IDM_OPEN equ 40001
IDM_EXIT equ 40003
DlgProc proto :DWORD,:DWORD,:DWORD,:DWORD
ShowImportFunctions proto :DWORD
ShowTheFunctions proto :DWORD,:DWORD
AppendText proto :DWORD,:DWORD
SEH struct
PrevLink dd ? ; the address of the previous seh structure
CurrentHandler dd ? ; the address of the new exception handler
SafeOffset dd ? ; The offset where it's safe to continue execution
PrevEsp dd ? ; the old value in esp
PrevEbp dd ? ; The old value in ebp
SEH ends
.data
AppName db "PE tutorial no.6",0
ofn OPENFILENAME <>
FilterString db "Executable Files (*.exe, *.dll)",\
0,\
"*.exe;*.dll",\
0,\
"All Files",\
0,\
"*.*",\
0,\
0
FileOpenError db "Cannot open the file for reading",0
FileOpenMappingError db "Cannot open the file for memory mapping",0
FileMappingError db "Cannot map the file into memory",0
NotValidPE db "This file is not a valid PE",0
CRLF db 0Dh,0Ah,0
ImportDescriptor db 0Dh,0Ah,"===[ IMAGE_IMPORT_DESCRIPTOR ]===",0
IDTemplate db "OriginalFirstThunk = %lX",0Dh,0Ah
db "TimeDateStamp = %lX",0Dh,0Ah
db "ForwarderChain = %lX",0Dh,0Ah
db "Name = %s",0Dh,0Ah
db "FirstThunk = %lX",0
NameHeader db 0Dh,0Ah,"Hint Function",0Dh,0Ah
db "------------------------------",0
NameTemplate db "%u %s",0
OrdinalTemplate db "%u (ord.)",0
.data?
buffer db 512 dup(?)
hFile dd ?
hMapping dd ?
pMapping dd ?
ValidPE dd ?
.code
start:
invoke GetModuleHandle,NULL
invoke DialogBoxParam, eax, IDD_MAINDLG,NULL,addr DlgProc, 0
invoke ExitProcess, 0
DlgProc proc hDlg:DWORD, uMsg:DWORD, wParam:DWORD, lParam:DWORD
.if uMsg==WM_INITDIALOG
invoke SendDlgItemMessage,hDlg,IDC_EDIT,EM_SETLIMITTEXT,0,0
.elseif uMsg==WM_CLOSE
invoke EndDialog,hDlg,0
.elseif uMsg==WM_COMMAND
.if lParam==0
mov eax,wParam
.if ax==IDM_OPEN
invoke ShowImportFunctions,hDlg
.else ; IDM_EXIT
invoke SendMessage,hDlg,WM_CLOSE,0,0
.endif
.endif
.else
mov eax,FALSE
ret
.endif
mov eax,TRUE
ret
DlgProc endp
SEHHandler proc C pExcept:DWORD, pFrame:DWORD, pContext:DWORD, pDispatch:DWORD
mov edx,pFrame
assume edx:ptr SEH
mov eax,pContext
assume eax:ptr CONTEXT
push [edx].SafeOffset
pop [eax].regEip
push [edx].PrevEsp
pop [eax].regEsp

push [edx].PrevEbp
pop [eax].regEbp
mov ValidPE, FALSE
mov eax,ExceptionContinueExecution
ret
SEHHandler endp
ShowImportFunctions proc uses edi hDlg:DWORD
LOCAL seh:SEH
mov ofn.lStructSize,SIZEOF ofn
mov ofn.lpstrFilter, OFFSET FilterString
mov ofn.lpstrFile, OFFSET buffer
mov ofn.nMaxFile,512
mov ofn.Flags,OFN_FILEMUSTEXIST or \
OFN_PATHMUSTEXIST or \
OFN_LONGNAMES or \
OFN_EXPLORER or \
OFN_HIDEREADONLY
invoke GetOpenFileName, ADDR ofn
.if eax==TRUE
invoke CreateFile, addr buffer,\
GENERIC_READ,\
FILE_SHARE_READ,\
NULL,\
OPEN_EXISTING,\
FILE_ATTRIBUTE_NORMAL,\
NULL
.if eax!=INVALID_HANDLE_VALUE
mov hFile, eax
invoke CreateFileMapping, hFile, NULL, PAGE_READONLY,0,0,0
.if eax!=NULL
mov hMapping, eax
invoke MapViewOfFile,hMapping,FILE_MAP_READ,0,0,0
.if eax!=NULL
mov pMapping,eax
assume fs:nothing
push fs:[0]
pop seh.PrevLink
mov seh.CurrentHandler,offset SEHHandler
mov seh.SafeOffset,offset FinalExit
lea eax,seh
mov fs:[0], eax
mov seh.PrevEsp,esp
mov seh.PrevEbp,ebp
mov edi, pMapping
assume edi:ptr IMAGE_DOS_HEADER
.if [edi].e_magic==IMAGE_DOS_SIGNATURE
add edi, [edi].e_lfanew
assume edi:ptr IMAGE_NT_HEADERS
.if [edi].Signature==IMAGE_NT_SIGNATURE
mov ValidPE, TRUE
.else

mov ValidPE, FALSE
.endif
.else
mov ValidPE,FALSE
.endif
FinalExit:
push seh.PrevLink
pop fs:[0]
.if ValidPE==TRUE
invoke ShowTheFunctions, hDlg, edi
.else
invoke MessageBox,0,\
addr NotValidPE,\
addr AppName,\
MB_OK + MB_ICONERROR
.endif
invoke UnmapViewOfFile, pMapping
.else
invoke MessageBox, 0,\
addr FileMappingError,\
addr AppName,\
MB_OK + MB_ICONERROR
.endif
invoke CloseHandle,hMapping
.else
invoke MessageBox, 0,\
addr FileOpenMappingError,\
addr AppName,\
MB_OK + MB_ICONERROR
.endif
invoke CloseHandle, hFile
.else
invoke MessageBox, 0,\
addr FileOpenError,\
addr AppName,\
MB_OK + MB_ICONERROR
.endif
.endif
ret
ShowImportFunctions endp
AppendText proc hDlg:DWORD,pText:DWORD
invoke SendDlgItemMessage,hDlg,IDC_EDIT,EM_REPLACESEL,0,pText
invoke SendDlgItemMessage,hDlg,IDC_EDIT,EM_REPLACESEL,0,addr CRLF
invoke SendDlgItemMessage,hDlg,IDC_EDIT,EM_SETSEL,-1,0
ret
AppendText endp
RVAToOffset PROC uses edi esi edx ecx pFileMap:DWORD,RVA:DWORD
mov esi,pFileMap
assume esi:ptr IMAGE_DOS_HEADER

add esi,[esi].e_lfanew
assume esi:ptr IMAGE_NT_HEADERS
mov edi,RVA ; edi == RVA
mov edx,esi
add edx,sizeof IMAGE_NT_HEADERS
mov cx,[esi].FileHeader.NumberOfSections
movzx ecx,cx
assume edx:ptr IMAGE_SECTION_HEADER
.while ecx>0 ; check all sections
.if edi>=[edx].VirtualAddress
mov eax,[edx].VirtualAddress
add eax,[edx].SizeOfRawData
.if edi<eax ; The address is in this section
mov eax,[edx].VirtualAddress
sub edi,eax
mov eax,[edx].PointerToRawData
add eax,edi ; eax == file offset
ret
.endif
.endif
add edx,sizeof IMAGE_SECTION_HEADER
dec ecx
.endw
assume edx:nothing
assume esi:nothing
mov eax,edi
ret
RVAToOffset endp
ShowTheFunctions proc uses esi ecx ebx hDlg:DWORD, pNTHdr:DWORD
LOCAL temp[512]:BYTE
invoke SetDlgItemText,hDlg,IDC_EDIT,0
invoke AppendText,hDlg,addr buffer
mov edi,pNTHdr
assume edi:ptr IMAGE_NT_HEADERS
mov edi, [edi].OptionalHeader.DataDirectory[sizeof IMAGE_DATA_DIRECTORY].VirtualAddress
invoke RVAToOffset,pMapping,edi
mov edi,eax
add edi,pMapping
assume edi:ptr IMAGE_IMPORT_DESCRIPTOR
.while !([edi].OriginalFirstThunk==0 && \
[edi].TimeDateStamp==0 && \
[edi].ForwarderChain==0 && \
[edi].Name1==0 && \
[edi].FirstThunk==0)
invoke AppendText,hDlg,addr ImportDescriptor
invoke RVAToOffset,pMapping, [edi].Name1
mov edx,eax
add edx,pMapping
invoke wsprintf, addr temp,\
addr IDTemplate,\

[edi].OriginalFirstThunk,\
[edi].TimeDateStamp,\
[edi].ForwarderChain,edx,[edi].FirstThunk

invoke AppendText,hDlg,addr temp


.if [edi].OriginalFirstThunk==0
mov esi,[edi].FirstThunk
.else
mov esi,[edi].OriginalFirstThunk
.endif
invoke RVAToOffset,pMapping,esi
add eax,pMapping
mov esi,eax
invoke AppendText,hDlg,addr NameHeader
.while dword ptr [esi]!=0
test dword ptr [esi],IMAGE_ORDINAL_FLAG32
jnz ImportByOrdinal
invoke RVAToOffset,pMapping,dword ptr [esi]
mov edx,eax
add edx,pMapping
assume edx:ptr IMAGE_IMPORT_BY_NAME
mov cx, [edx].Hint
movzx ecx,cx
invoke wsprintf,addr temp,\
addr NameTemplate,\
ecx,\
addr [edx].Name1
jmp ShowTheText
ImportByOrdinal:
mov edx,dword ptr [esi]
and edx,0FFFFh
invoke wsprintf,addr temp,addr OrdinalTemplate,edx
ShowTheText:
invoke AppendText,hDlg,addr temp
add esi,4
.endw
add edi,sizeof IMAGE_IMPORT_DESCRIPTOR
.endw
ret
ShowTheFunctions endp
end start
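Tutorials 5 and 6 above do the section-table and import-table walks in MASM against a memory-mapped file; as an added example (not the book's or Iczelion's code), the Python below performs the same walk over a constructed in-memory PE32 image, with explicit bounds checks at the points where the assembly relies on SEHHandler to catch a bad e_lfanew or RVA. The sample image, its DLL name and its two import entries (one by name, one by ordinal) are constructed for this example only.

```python
"""Added example (not the book's or Iczelion's code): walk a PE image as tutorials 5
and 6 above do in MASM, with explicit bounds checks where the MASM relies on SEH."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D         # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550      # "PE\0\0"
IMAGE_ORDINAL_FLAG32 = 0x80000000
IMPORT_DIR = 1                       # DataDirectory index of "Import symbols"
OPT_HDR32_SIZE, SECTION_HDR_SIZE, IMPORT_DESC_SIZE = 224, 40, 20

class BadPE(ValueError):
    pass                             # raised where the MASM code would fault into SEHHandler

def u16(b, off): return struct.unpack_from("<H", b, off)[0]
def u32(b, off): return struct.unpack_from("<I", b, off)[0]

def parse_headers(data):
    """DOS header -> e_lfanew -> IMAGE_NT_HEADERS -> section table."""
    if len(data) < 0x40 or u16(data, 0) != IMAGE_DOS_SIGNATURE:
        raise BadPE("no DOS MZ header")
    nt = u32(data, 0x3C)                                 # e_lfanew
    if nt + 24 + OPT_HDR32_SIZE > len(data) or u32(data, nt) != IMAGE_NT_SIGNATURE:
        raise BadPE("e_lfanew does not point at a PE header inside the file")
    nsec = u16(data, nt + 6)                             # FileHeader.NumberOfSections
    sec_tab = nt + 24 + u16(data, nt + 20)               # + SizeOfOptionalHeader
    if sec_tab + nsec * SECTION_HDR_SIZE > len(data):
        raise BadPE("section table runs past end of file")
    secs = []
    for o in range(sec_tab, sec_tab + nsec * SECTION_HDR_SIZE, SECTION_HDR_SIZE):
        secs.append({"name": data[o:o + 8].rstrip(b"\0").decode("ascii", "replace"),
                     "va": u32(data, o + 12), "raw_size": u32(data, o + 16),
                     "raw_ptr": u32(data, o + 20)})      # IMAGE_SECTION_HEADER fields
    return nt, secs

def rva_to_offset(secs, rva, file_len):
    """Tutorial 6's RVAToOffset, except that a miss or an out-of-file result is an
    error instead of the RVA being handed back unchanged."""
    for s in secs:
        if s["va"] <= rva < s["va"] + s["raw_size"]:
            off = s["raw_ptr"] + rva - s["va"]           # rebase onto PointerToRawData
            if off < file_len:
                return off
    raise BadPE("RVA %#x does not map inside the file" % rva)

def cstr(data, off):
    end = data.find(b"\0", off)
    if end < 0: raise BadPE("unterminated string at %#x" % off)
    return data[off:end].decode("ascii", "replace")

def is_valid_pe(data):
    """The tutorials' ValidPE flag: both signatures present and in range."""
    try:
        return bool(parse_headers(data))
    except BadPE:
        return False

def imports(data):
    """[(dll, [(hint, name) | ordinal, ...]), ...], as ShowTheFunctions prints it."""
    nt, secs = parse_headers(data)
    import_rva = u32(data, nt + 24 + 96 + 8 * IMPORT_DIR)  # DataDirectory[1].VirtualAddress
    if import_rva == 0: return []
    result, d = [], rva_to_offset(secs, import_rva, len(data))
    while d + IMPORT_DESC_SIZE <= len(data):
        oft, tds, fwd, name_rva, ft = struct.unpack_from("<5I", data, d)
        if not (oft or tds or fwd or name_rva or ft):    # all-zero terminator
            return result
        dll = cstr(data, rva_to_offset(secs, name_rva, len(data)))
        thunk, funcs = rva_to_offset(secs, oft or ft, len(data)), []  # OFT preferred
        while thunk + 4 <= len(data) and u32(data, thunk) != 0:
            t = u32(data, thunk)                         # one IMAGE_THUNK_DATA
            if t & IMAGE_ORDINAL_FLAG32:
                funcs.append(t & 0xFFFF)                 # import by ordinal (low word)
            else:
                ibn = rva_to_offset(secs, t, len(data))  # -> IMAGE_IMPORT_BY_NAME
                funcs.append((u16(data, ibn), cstr(data, ibn + 2)))  # (Hint, Name1)
            thunk += 4
        if thunk + 4 > len(data):
            raise BadPE("thunk array runs past end of file")
        result.append((dll, funcs))
        d += IMPORT_DESC_SIZE
    raise BadPE("import descriptor array not terminated inside the file")

def build_sample_pe():
    """Constructed one-section PE32 (not a real binary) importing one function by
    name and one by ordinal from a DLL named 'kernel32.dll' here."""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> 0x40
    nt_hdr = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, 0x14C, 1, 0, 0, 0,
                         OPT_HDR32_SIZE, 0x102)            # i386, 1 section, EXE
    opt = bytearray(OPT_HDR32_SIZE)                        # PE32 magic etc. left zero
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR, 0x1000, 0x28)  # DataDirectory[1]
    sec = struct.pack("<8sIIIIIIHHI", b".idata", 0x200, 0x1000, 0x200, 0x200,
                      0, 0, 0, 0, 0xC0000040)             # VA 0x1000 <-> file 0x200
    idata = bytearray(0x200)                              # section body, RVA 0x1000+
    struct.pack_into("<5I", idata, 0x00, 0x1040, 0, 0, 0x1060, 0x1050)  # descriptor
    for off in (0x40, 0x50):                              # OriginalFirstThunk, FirstThunk
        struct.pack_into("<3I", idata, off, 0x1070, IMAGE_ORDINAL_FLAG32 | 3, 0)
    idata[0x60:0x6D] = b"kernel32.dll\0"
    struct.pack_into("<H", idata, 0x70, 0x123)            # IMAGE_IMPORT_BY_NAME.Hint
    idata[0x72:0x7E] = b"ExitProcess\0"                   # IMAGE_IMPORT_BY_NAME.Name1
    return (bytes(dos) + nt_hdr + bytes(opt) + sec).ljust(0x200, b"\0") + bytes(idata)
```

Running `imports(build_sample_pe())` yields `[("kernel32.dll", [(0x123, "ExitProcess"), 3])]`; a corrupted e_lfanew or a Name1 RVA outside every section raises BadPE instead of reading out of bounds.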

.d ) T
6 A # a Open File \

a () / g 3 ! .! / O )!
G # ShowTheFunctions 5.
O )!

6 A #

) ! 5.

;. C=
.] .

!) . -)

! 4

. !)

! . )!

' Uc> p ,

! . .Q=
.

b ! 8 U uD

# !) Rb * :

/)
.

ShowTheFunctions proc uses esi ecx ebx hDlg:DWORD, pNTHdr:DWORD
LOCAL temp[512]:BYTE

. d -)

lFG -

! . ! / ' C,U

. 512

. ! 3T

invoke SetDlgItemText,hDlg,IDC_EDIT,0

.d /

_ T ! Edit Q

/ !) ) 6

invoke AppendText,hDlg,addr buffer

EM_REPLACESEL % W T
%WT
Rb

5. V
o

.V

AppendText 5. . d -)
.

) 6

/Q

! 4 Edit Q

Edit Q / . V

() *

. lParam = 0

/ !) !

wParam = 1

;S

6 A #%

R) / # S

. EM_SETSEL
. /

() *

. C=

V !)

mov edi,pNTHdr
assume edi:ptr IMAGE_NT_HEADERS
mov edi, [edi].OptionalHeader.DataDirectory[sizeof IMAGE_DATA_DIRECTORY].VirtualAddress

uD

# 1 ! Data Directory

ImportSymbols
.d! b

, 4 RVA

b VirtualAddress PU

invoke RVAToOffset,pMapping,edi
mov edi,eax
add edi,pMapping

; . i

!) o

O# = . ! A # a Q x V !) .

RVA
.(

- RVA '! F.

oC # !) - 7!)b x/

! 01! . O# = . PE ! 01! . +

6 A #

. <

!) .

' *


"c / PE ! 01! .

f .a

f ( k

. d / A 8 File Offset . ! o b
- Section , G

PU !
File

RVA . 6

. 5. V

f A # . 1 (!

! 8U / )! ) ) ! !

.) 1

! 4 eax !) / ) / - G g 3 ! File Offset a 5.

() *

. ! ;. ! O V
BcG ! > .

. ! RVA a IMAGE_SECTION_HEADER )! /!

. - RVA

! . ! 5. V ' K"6 . d () / ) < RVAToOffset %

d-

d /

.
) /

PointerToRawData
A 8 Offset

) 5. V . /

RVA

6 G . O )!

assume edi:ptr IMAGE_IMPORT_DESCRIPTOR
.while !([edi].OriginalFirstThunk==0 && \
[edi].TimeDateStamp==0 && \
[edi].ForwarderChain==0 && \
[edi].Name1==0 && \
[edi].FirstThunk==0)

B UQ=. /

(!

IMAGE_IMPORT_DESCRIPTOR )! /! V
.d /

. edi R /

! . *B )! /! . R

!b

invoke AppendText,hDlg,addr ImportDescriptor


invoke RVAToOffset,pMapping, [edi].Name1
mov edx,eax
add edx,pMapping

p ,
."

Edit Q
b

/ !) ! IMAGE_IMPORT_DESCRIPTOR )! /!

. uT .

dll A # %

RVA

)! ) y # X PU

d- G

. . Name1 . d -)

. d / A 8 File Offset
invoke wsprintf, addr temp,\
addr IDTemplate, [edi].OriginalFirstThunk,\
[edi].TimeDateStamp,\
[edi].ForwarderChain,\
edx,[edi].FirstThunk
invoke AppendText,hDlg,addr temp

. d -)

p , ! IMAGE_IMPORT_DESCRIPTOR C;# !

.if [edi].OriginalFirstThunk==0
mov esi,[edi].FirstThunk
.else
mov esi,[edi].OriginalFirstThunk
.endif

() b IMAGE_THUNK_DATA

Q ,; ! > . . d
- Linker

!
!)

() /

First

! .
!b

G .

A ) .

b !

. '! F

.Q=
!b

OriginalFirstThunk

() *

n !) . d /

! . / =

OriginalFirstThunk

d / () *

. a

!b

() *

Rb

.
. *B

. *B 2

! B
Thunk

. d / () *
invoke RVAToOffset,pMapping,esi
add eax,pMapping
mov esi,eax

- RVA '! B . First Thunk

OriginalFirstThunk

/ ! >R ,-

. d / A 8 File Offset . ! o b

invoke AppendText,hDlg,addr NameHeader


.while dword ptr [esi]!=0

!b V

B Ud

d
.d /

- () b IMAGE_THUNK_DATA
o ! () *

)!

dll

!b

-A #

! .

.Q=

() /

! . !

test dword ptr [esi],IMAGE_ORDINAL_FLAG32


jnz ImportByOrdinal

. ! IMAGE_THUNK_DATA !
^ !
a

T
.

. !
. . .

! (! , V d

= !)
.V !
)

d -) % <

!/ V

IMAGE_ORDINAL_FLAG32

V . d /
! B !) .

^ (! , +

[ ! IMAGE_THUNK_DATA
O )!
.d! b

invoke RVAToOffset,pMapping,dword ptr [esi]


mov edx,eax

5.

/d

<

. Low word , 4


add edx,pMapping
assume edx:ptr IMAGE_IMPORT_BY_NAME

!
File

. *B . . IMAGE_THUNK_DATA ^ ! T

V a
.

.!

IMAGE_IMPORT_BY_NAME )! /! . ] .

. /

! B !)

RVA

. d / A 8 Offset
mov cx, [edx].Hint
movzx ecx,cx
invoke wsprintf,addr temp,\
addr NameTemplate,\
ecx,\
addr [edx].Name1
jmp ShowTheText

A 8 dword E

. a wsprintf 5.
.d /

. Rb R)
[ Edit Q

Word E

. /

/ !) ! 5. %

Hint

Hint uD . d /

ImportByOrdinal:
mov edx,dword ptr [esi]
and edx,0FFFFh
invoke wsprintf,addr temp,addr OrdinalTemplate,edx

(! ,

() / *B ! High word , 4 a )

^ (! , +

5.

. d -)

= !)
p , !

ShowTheText:
invoke AppendText,hDlg,addr temp
add esi,4

IMAGE_THUNK_DATA

. a Edit Q

/ !) 5. %

.endw
add edi,sizeof IMAGE_IMPORT_DESCRIPTOR

(! , R) / )!

uT

.d !

;.


. ad ) /
! . )!
.

!
/

! . !
;. dll

() *

!b


- IMAGE_THUNK_DATA % ,

) ! 5.

dll V [


#!
6

;. IMAGE_IMPORT_DESCRIPTOR

oC # "& ,;

) 6

.d -)

! 4


Export Table (7RK/) > # ( A> ) @G


(

Q 6 Q = . d G b Import Table . i. ! !) ! 8 i A84 AF# !)

!) B 5.

.) ) d - G ! 4
. Rb
! ) ! 5.
!)

.] .

)!

Export a /
PE A #

- dll

)!

. PE ! 01! . /

6 !

' Uc> uD . -)

5.

7!)b

() *

-A #

Q 6 !) ^ ! ) . PE

!) ! 5.

-A #

() *

. a 5.
o

) G

_ iG

-(! ,
-

. !) / ! ;.
.

Data

. -f . a

(! ,

. 16 ) U

. ob

n^ !V

A #% R [

5.

A/ ) ; !

() *

A #V

A 3 .R b

/q U

! S!

!) B %

NumberOfFunctions !

.) 6

. ;. - /

.( 3 g 3 ! B

5.

. !

c 3

/
() / () *

. C#V .

Data Directory
G

;4 % : nName

PE ! 01! .

CG ) % V

Q=

Directory

) ) PU 11 )! /! V .)

/ ;.
() *

g 3

! . .d- G

. Export )! /! .

!) B A # V +
V .

. /

.) / - G () *
.

() *

P;. + #

dll A #

= !) (! , V

8. T Export Table V # 1 ! 4 Ak

- do

. . -) ! 4 (Export Table)

,- . d ) D. Export )! /!

) ! Q 6

G . CB

W '! B !) .)! b - G ) 6

IMAGE_EXPORT_DIRECTORY %
.

() /

() *

R ,> A. 4

- G o6

Export Table .

PU V

dll A # V

() / ! 01 . "

. ! ) G CG ) 5.

'! B . /

- dll ! of !)

P# !)

/m / ! i ,-

K"6 p . V .)! ) % Table

/! G

. (! ,
l G dll A #

f-a

. PE ! 01! . / Ck .) ) T

< 6

k PE

! 4 Rb 7!)b

< 6 . ob

E 6! < b . 5.

.)

6 G 5.

! (Export Table) -dll

! . )!

= V !)

A/ ) ; : NumberOfFunctions

. / ;.

) ; : NumberOfNames

A/ ) ; . R) . T
! B !) /

. .
.

A # !) ) 6
) 6

. /

.) . - G *B Data Directory !) Export Table . ] .

[ !
7!)b


E
- RVA

CG ) 5.

!b E

RVA

7!)b . /
. /

.] .

/! /

! 7!)b


= /

: AddressOfFunctions
PE A # Y >

(!

.] .

-(! ,

= /

!) B 5.

V-m !) ! Export Table ;4

7!)b

.Q

A,U V . / () *

1)

PU ) ; . /
! ) G 5.
) 6
) G%

. PE ! 01! .

. Rb

40 Q

P;. 1 Q = .

/m / ! > R ,- . /

() *

NumberOfNames !) o b ) ;
)! ) ! 5.
-%

" [ . uT .)!
-u

%
(fba

!b

() .

6 !) ! ) G
%<

) 6

! O V

!b V E

AddressOf

!b !) 5.

!b V
.

()

!) f

!b

= AddressOfNames C #

7!)b

# PE ! 01! . ) C,U ( k . Q = .)
) . ! 5.

!) f

V 7!)b

> .

!b ) V V . > 8 ! -

a -7!)b

. PE ! 01 . . / ) < ! o b 7!)b

5.

54 (AddressOfNames) -%

!b

13 u

.
f)

% V. >8!
7!)b / /

!) Test %

= AddressOfOrdinals

7!)b u

. / !) B

. PE A # a

1 Q x R U . .)! )! 4 AddressOfNameOrdinals !) Rb E
.(

!) B

!b C

!b !)

= ! . PE ! 01! .

! ) PE A # .)! b

!b )

. Export Table

! ob%

!b Rb

PE ! 01! . . /

/ d !)
() *

<

/ !) f

'kS

= NumberOfFunctions .

. 40 !

!) ! o b % RVA a PE A # . / ! ) f "
a

()

() *

Rb . AddressOfFunctions +

(!

!b !) 5.

! ) f NumberOfFunctions PU !)

1 uT .)

. 5.

Rb . AddressOfFunctions C # / )

(!

PU 40 a)

! ! % o*

) < PE ! 01! . +

&.

V , &. v i R

.) , - G V
5.

: AddressOfNameOrdinals

!b . 1(!

.
. / )<

!) B

: AddressOfNames

!b . 1(!
.

!) B 5.

!b

PU

.) . - G Names
!) vCi V u U
d

5.

. E 6!

7!)b

. f ) R . . .)

+#

!) B %

+#%

- /

[ .
.d

) 6

7!)b
.

)!;

-%


AddressOfNames

AddressOfNameOrdinals

RVA of Name 1

Index of Name 1

RVA of Name 2

Index of Name 2

RVA of Name 3

Index of Name 3

RVA of Name 4

Index of Name 4

...

...

...

RVA of Name N

!/ V

. .d /

T"

Index of Name N

b 7!)b d

.d

) !

!) B 5.

. d -) % < v

. !

1
-% 1

.PE Header . V #! -1
.Data Directory

Export Table . ] .

.NumberOfNames R)! b

Virtual Address R

) . Export Table . V #! -3

1 .AddressOfNamesOrdinals AddressOf Names


!b

"

FU V

PU !) ! O )!

) *- F U !) ) 6

. a )! b

F U Rb ) 6

FU
.

V ,< T
,

O )!

1 Qx
.

a) .

5. RVA

! .
T

/ = -4
O )!

) . AddressOfNames

!b d *- ) *-

. " ! AddressOf Ordinals

. . / () *
5

. AddressOfNameOrdinals

R U . AddressOfNameOrdinals

!b . u

. a

. . ! b
.

!b

!b )

FU !

% RVA 1 Q x

G -2

. .
= /

!b !) ) 6

!b d *!

AddressOfFunctions

AddressOfNameOrdinals
. ! AddressOfFunctions

-5
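The export-table lookup described in the steps above (walk AddressOfNames, take the entry at the same index in AddressOfNameOrdinals, and use that value to index AddressOfFunctions; the exported ordinal is that index plus Base), written in Python as an added example that is not part of the book. It goes one step further than the text and also lists exports that have no name at all, which is why NumberOfFunctions may exceed NumberOfNames. The example assumes an already mapped image, so every RVA is used directly as an offset; the export section and its names are constructed inline for the demonstration.

```python
import struct

EXPORT_DIR_FIELDS = ("Characteristics", "TimeDateStamp", "MajorVersion", "MinorVersion",
                     "Name", "Base", "NumberOfFunctions", "NumberOfNames",
                     "AddressOfFunctions", "AddressOfNames", "AddressOfNameOrdinals")


def read_cstr(image, offset):
    return image[offset:image.index(b"\0", offset)].decode("ascii")


def parse_export_directory(image, export_rva):
    """Decode IMAGE_EXPORT_DIRECTORY (40 bytes) into a dict. The image is taken
    to be mapped, so RVAs are offsets (assumption of this example)."""
    return dict(zip(EXPORT_DIR_FIELDS,
                    struct.unpack_from("<IIHHIIIIIII", image, export_rva)))


def list_exports(image, export_rva):
    """Return [(ordinal, function_rva, name_or_None), ...] for every slot of
    AddressOfFunctions; names are joined in through AddressOfNameOrdinals."""
    ed = parse_export_directory(image, export_rva)
    names = {}
    for i in range(ed["NumberOfNames"]):
        (name_rva,) = struct.unpack_from("<I", image, ed["AddressOfNames"] + 4 * i)
        (index,) = struct.unpack_from("<H", image, ed["AddressOfNameOrdinals"] + 2 * i)
        names[index] = read_cstr(image, name_rva)
    out = []
    for index in range(ed["NumberOfFunctions"]):
        (func_rva,) = struct.unpack_from("<I", image, ed["AddressOfFunctions"] + 4 * index)
        out.append((index + ed["Base"], func_rva, names.get(index)))
    return out


def lookup_export(image, export_rva, wanted):
    """Name lookup as in the numbered steps. Returns (ordinal, function_rva) or None."""
    ed = parse_export_directory(image, export_rva)
    for i in range(ed["NumberOfNames"]):                       # step 2: scan AddressOfNames
        (name_rva,) = struct.unpack_from("<I", image, ed["AddressOfNames"] + 4 * i)
        if read_cstr(image, name_rva) != wanted:
            continue
        (index,) = struct.unpack_from("<H", image, ed["AddressOfNameOrdinals"] + 2 * i)  # step 3
        if index >= ed["NumberOfFunctions"]:
            raise ValueError("ordinal index %d out of range" % index)   # malformed table
        (func_rva,) = struct.unpack_from("<I", image, ed["AddressOfFunctions"] + 4 * index)  # step 4
        return index + ed["Base"], func_rva                    # step 5: exported ordinal = index + Base
    return None


# --- constructed export section (sample values, mapped layout) ---
def build_sample_export_section():
    img = bytearray(0x200)
    # IMAGE_EXPORT_DIRECTORY at RVA 0x100: Name 0x180, Base 1, 3 functions, 2 names
    img[0x100:0x128] = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0x180, 1, 3, 2,
                                   0x130, 0x140, 0x150)
    img[0x130:0x13C] = struct.pack("<3I", 0x2000, 0x2100, 0x2200)   # AddressOfFunctions
    img[0x140:0x148] = struct.pack("<2I", 0x160, 0x170)              # AddressOfNames (sorted)
    img[0x150:0x154] = struct.pack("<2H", 2, 0)                      # AddressOfNameOrdinals
    img[0x160:0x166] = b"Alpha\0"
    img[0x170:0x175] = b"Zeta\0"
    img[0x180:0x189] = b"demo.dll\0"
    return bytes(img)


if __name__ == "__main__":
    section = build_sample_export_section()
    print(lookup_export(section, 0x100, "Alpha"))
    for entry in list_exports(section, 0x100):
        print(entry)
```

In the sample, "Alpha" sits first in AddressOfNames but its AddressOfNameOrdinals entry is 2, so it resolves to the third function (ordinal 3); the function at index 1 (ordinal 2) is exported by ordinal only and never appears in AddressOfNames.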

NT 9

( 2E

> ) 2) > )

8>

> .+ . /
NT F

> () "

/ ()

7@
. 32 ! ,; !) Process -

p . ) .
00000000
....

-7!)b
-! G

User 7!)b

a -() ) R , G

ad

A` ( 3#

. f 1 4 JO# = a

P# O# = V T
X "6

. f)

.G

/ ! >R ,-

. f 1 ) .)

. f 1 ) .7FFFFFFF
.) !

! . . BcG ! > .

) !) /

.d

[ . User hi

!/ .
- b #

. G) Td - G o b
. System 32 JG

!) / Logon

. :System Support Processes -1

b #Qx

.
JG

!) System32 JG

!) / Spool Service Q x
.
:

Winlogon.exe %
. :Service Process -2

Spoolsv.exe A # %

. Windows

:User Application -3

E 5

. OS/2 (5 Posix (4 MS-Dos (3 Win 3.1 (2 Win 32 (1

/ = Environment Subsystems
. Csrss.exe %

. Win 32

..

V
.

: Environment Subsystems
System32 JG

!) o

-. /


;. XP

!) .


OS2ss.exe %

. OS/2

. Psxss.exe %

) . OS/2 Posix Rb

:( b
a - Thread

.)! ) ( oU . ! ....
JG

!) A # V .)! ) ( oU . ! - iG R)

- b #

!) Kernel-mode X 6
: Executive

a O# =

- *4 a Thread

. Posix

.R

.)! ) ! 4 Ntoskrnl.exe %
.

A #

"< ! "#

-d
E

8
! C84 p .

-! !) a ! "#

K! !

. System32

-! !) : Device Driver

' ;i4

ap . V : (HAL) Hardware Abstraction Layer


.)! ) ! 4 hal.dll %

A #V . /

: Kernel

. System32 JG

!) () /

-Q / : Windows and Graphic System

# 1 .! / +

.)! ) ! 4 Win32k.sys %
. /

( -3

. System32 JG
!) ! (

R .v i

!)
C/

NT F

661

. G ( 2E

> ) 2) > )

8>

> .+ . / / 7 .

+@ 2
(Ring *B hi
hi

. /

() *

Compaq Alpha Ax
7!)b

.! /

8 3T /

P# )! ) ! 4 .! /
) hi V

!) /

V T !) - b # V

7!)b

, o b . !) d

) F4

.) / - G 24

.] .

, '!

24

. a) f. '! B - ) k V V

P#

# 1 O !) _ iG !

.d

hi

!)
,

!01
6

- /

. !

- b # V .)

-! G

) hi

6
n

.f14

P# & . ,

. .! /

! 01! .

) k {c /

P#

b # (
-

- b #
,

) V ,- . ! ) ! CPU ' !

-() ) . ) k

# 1 O !) V,i '! B .
R U . - Driver .

V,i ! ".
- G
!) V ,

-! / % ,

-! / % <

CG ) 5.

P# !)

A Ud

! !)

6 d
# 1 O d

. ) k
-

'! 4 )

V (! o a !) d

R ,> A. 4

()

7!)b
J -

{ 8

p .

)
5.

P# !) /

# 1 O !)

-! !) ) k

= > 1 uT .) f. ! 4 () *
/

- b #

() ) , G > .

O# k JO# =

) k

. ! ) ! "#
(

' " o<

d- (Ring 0) /

() *

! "#

T! O

. /
.)

-() ) . d

) ! ) G O# =

ob y =

(Ring 3)

..

. 0)

-2B .)! ) ) G . l F

-)7!)b

) T ! ,;

O !) !

c >I

P;. /

'!

1 Qx

-(

hi

b # - . # 1

b #

! Rb { ;

. Rb %

-! "#

) a -2B V . / 6 ! CPU
d

) hi 4 a X86 A

2 ; !

CU . /

> /) 5

- /

R U.
-

Kernel

) . ! ) -) % <
)!

.! /

-() ) R , G

!/ V . /

! 01! . d
.)

d
7!)b
8 3T

-( 1 . R


> ) 2 Device Driver

.G(2E

! ob / /

8 3T ! -! !) E

1 hi NT

()

:) / d
/) 5 M
(VDD) (E
! 4 () *

)!

MS-Dos

. ' * {c / ! G

. 16
/

VXD

() *

8 ( 2 Device Drivers

. /

( 2) > )

.! /

-! !)

! ".

[ 1 .) 1

. ! ) Windows95/98
: r9
,6 Printer ' !

. /

) . !

# 1 ! ".

-! !)
( 2) > )

G!)

+@ 2

(2) >)

File System Driver


. /

K! A #

-d

R 1

-)!

Legacy Drives
Windows NT
.

. -Driver V . /

- 6 A. 4 Windows NT/2000/2003 !)

/ ! ! "#

;i4

W R ." R /

.(

Streaming Drivers
.
8 . /Q
)<

- G

< '! B .
PE

/ ! ;i4

sys
-A #

T .

.
/
.

B '! / Ax
.

/ /

! "#

;i4

"6 " [ Device Driver

# .A #

(Device Driver) ' ;i4


. obQ

! [ ' ;i4

8 3T

Device Driver %

% C;
O )!

;i4 /

! G

-! !) . dll

exe

ob' * o

.)
-A #
! 01! .

! 86
(
Ax { 4)
-

!)

' * {c /


Device Driver . d

! Rb ' Uc>

I/O manager .

+k


)d


I/O manager a o b . ] 8 ! ! O
.)! b

<

. V , ( ! o .d

*4

- *4

!(

) T ob.

..

V# 1

.d

G . j=

&.

-A Ud
! "# %

. *4

d- # -! !)

(IRQL) Interrupt Request Level +1]


6! G R

!) ' *

)
.

G) |

"6

! "#

- *4

) . - *4 . /

Qx R U .)

# 1 O !) B G
.)! ) ! V T

! - *4

Interrupt Request Level %

.) U V .

&.

. *4 ` -)R 3

. ! - *4

1!". ) U . -)
.

Macro Assembler ) 2) > )


() *

-! !)

)!

t >
R 3 31

*B

IRQL ! F G

8> ( / E . )

( 2) 3/

-! ". % , A

Kmdkit
Masm

) 6

, ,S CD !) ! ". V
Tools\Kmdkit

(Services) 2}>
A84 . ! ) f .
! Rb uD

d / vF
.d ) T

-! !) . .! /
b

-u

f[ /

. a d / ! 4 . ] 8 ! Device Driver

ob'>8!

f f[

-u

/ v<;
.d

V ,
.

! . . , 4 V !) .d / 6

)3

- Crack

. +/ 0 1. ( 2,

664
Services

. (

# 1 O !) f )

'! B .

-! "# %

d- -u

.'

A &) .

vCi V !) . /
! 4

! . )!

5.

6 (Startup) E

!/ .! O

- -u

^ ! . !

p . V !) .d

/ ! >R ,- . - Device Driver


. ! ". E

% f - !)

(Manual)

. -Device Driver O V

-! !)

.! /

# 1 O !) -u

-u

- Device Driver

. d- / ) 1

/ + #

, 4 V !)
-u

/m
VG

SCM :(SCM) Service Control Manager -1

6 Q

.
) !

. -u

! ) -Service x/

.)! ) ) 6 Windows NT
! 4 .

O !) Q) ; ! Driver Service V

. d- )

. /

(User Interface) .! / +

.
.

C;

G K! ! O

! / . SCM . ] 8 !

. SCP : Service Control Program -2

! 4 .

. . R T

Rb . ] 8 !

[ (

u
6

[ / %cU
: Service Program -3

- /A

(SCM) Service Control Manager


b #

/ )! ) ! 4 \%Systemroot%\System32\Services.exe 7!)b !) SCM

, 4 !) /

3.'

C/ -

. > .

;. . /

) !
..

. -)

'

() ) ( f T !) ! > .

.] .

!T

.
! . )!
.d

vF

-u

vF

# 1 O !) ! beeper.sys %

<b
.% &

. ! !)

-() )
-u

Rb (! .!)
/ ;6

( -3

Services p . )!

! Device Driver

, A

. ! Registry Editor

k .HKLM\SYSTEM\CurrentControlSet\Services\

Administrative Tools , 4 (

! 4

' . % f - !) Win logon

! 4 -u

(%SystemRoot%\regedit.exe) () /

b ad

! )! ) ! 4 HKLM\SYSTEM\CurrentControlSet\Services\

() ) ( f T !)

' Uc> R)! b

3.
, 4

.. / . ! , 4

/9

! Control Panel

!T V

,/ d - G

Q=

Q x !) / ! >R ,- .d -)

NT F

665

1 .)

() *


.! / +

O !) Rb % R U . .)! ) ! 4


. +


: DisplayName

6! C/ !) / u

% R ,- ) 3 () ) B F G
.

SCM a)
!

A 3

.E

! 01! . A=

1 : Error Control

!) ! !)

) .) ) - G R 3 A,; u U ( b ) 6 .

iG .

a , 4V

:
!

# 1 ( ) ! () # y *

iG I/O

# ;

. SCM a)

() ) p , .! / . ! ! iG

Beeper ! !) Q x R U . . / ( - 3
. iG (! ,

uD

. Error Control !
%<

O )!

) !) G

. (System Event Log) d

AdministrativeTools>EventViewer 9
V.

. !)
O )!

() ) % <

-)
!

. C=

)! G .

! ( / 8e !) iG

.] .

'kS

! . R) / Double-Click

!) ! ) G

. -) % < ! B G ! /

, R [

)!

) 1

' C,U % ,

. O# =

SERVICE_ERROR_IGNORE . . Beeper . ] .

8e - uT

g 3 ! ! !) A #

! !) Q 8 ) . \%SystemRoot%\Driver

!) I/O Manager

.!

) .)

[ /

! 01! .

' C,U
.d /

: Image Path

.v

.)) 1

%<

V #!
! !)

.)
g 3 !

. ! !) 1 : SERVICE_ERROR_NORMAL (1)

!.
..

. 6

: SERVICE_ERROR_IGNORE (0)
. -)

C 3

- G # 1

.( 3

g 3 : Start

! . / )! ) ) 6

!T


6 Boot A=

V [ .)
f)

-! !) . ! !)


Q > !) ! !) : SERVICE_AUTO_START (2)


1 .

Auto_Start

-u

-! !)

.) 1 - G 6 " ! ! !) Rb SCM ,
.! / !

) . T !)

o ad ! ) ! /
.
R

- !) a

! ".

SCM +

! !) :T (3)4 SERVICE_DEMAND_STAR

-! !) . + #

R [

g 3

! u

SERVICE_KERNEL_DRIVER (1) d / () *
( 3 2 ; SCM () ) ( f T !) / d / E

.)

: Type

d
!

/ !
! !) d -

. 1

.d -) % < ! ! / V (Service Control Program) SCP ,/ . d


Service Control Program
-! !)
!v
- GQ

-u
5.

Q /! O
() ) % < SCM '! O

/ ! Beeper.sys ! !) /

, 4V

k ! ) G ' C,U C/
SCP . ] .

T Rb %

/ ! >R ,-

, 4 V .)

/ , 4 V .) / - G

() *
G #
.) /

) 6

, ,S CD !) , 4 V

.] .

-A #

-/

SourceCodes\NTDriver
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; Service Control Program for beeper driver
;
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.386
.model flat, stdcall
option casemap:none
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; I N C L U D E   F I L E S
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
include \masm32\include\windows.inc


include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib
include \masm32\Macros\StRings.mac
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; C O D E
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code
start proc
local hSCManager:HANDLE
local hService:HANDLE
local acDriverPath[MAX_PATH]:CHAR
invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
.if eax != NULL
mov hSCManager, eax
push eax
invoke GetFullPathName, $CTA0("beeper.sys"),\
sizeof acDriverPath,\
addr acDriverPath,\
esp
pop eax
invoke CreateService, hSCManager,\
$CTA0("beeper"),\
$CTA0("Nice Melody Beeper"), \
SERVICE_START + DELETE,\
SERVICE_KERNEL_DRIVER,\
SERVICE_DEMAND_START, \
SERVICE_ERROR_IGNORE,\
addr acDriverPath,\
NULL,\
NULL,\
NULL,\
NULL,\
NULL
.if eax != NULL
mov hService, eax
invoke StartService, hService, 0, NULL
invoke DeleteService, hService
invoke CloseServiceHandle, hService


.else
invoke MessageBox, NULL,\
$CTA0("Can't register driver."),\
NULL,\
MB_ICONSTOP
.endif
invoke CloseServiceHandle, hSCManager
.else
invoke MessageBox, NULL,\
$CTA0("Can't connect to Service Control Manager."),\
NULL,\
MB_ICONSTOP
.endif
invoke ExitProcess, 0
start endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
end start

SCM / W B-) () ] /
5.

SCM
G # C;#

. ]8!

! 4 .

D /

! . O )!

d -) % <

R) /

.! O

!/ V

. ! OpenSCManager
.d /

OpenSCManager proto lpMachineName:LPSTR,\
                    lpDatabaseName:LPSTR,\
                    dwDesiredAccess:DWORD

!Y -

D /%

D / . 5. a / (!

/ /

(!

GJ !

*B . %
.

J !

. Null . . !

. : lpMachineName
V

1 . /

g 3

.) / - G ! 4 . ] 8 !
SCM () ) ( f T %
.)

= /

(!

*B . %

Ck

J ! . : lpDatabaseName

. q #p T '! B . ServiceActive () ) ( f T a

. Null

!V

1 .


.const
szActiveDatabase db "ServicesActive", 0
SERVICES_ACTIVE_DATABASE equ offset szActiveDatabase

g 3 ! SCM .

!TV . /

) y = : dwDesiredAccess
. /! G !

) E

V .)

V ,

! 4 . : SC_MANAGER_CONNECT

! ]8!
.)

. CreateService 5.

. /

*B !

R)

# . 1)

: SC_MANAGER_CREATE_SERVICE

G # R

.)

g 3

d- # ! () ) ( f T . Rb R

Service

#S

)<

) : SC_MANAGER_ALL_ACCESS

) < ! () ) ( f T . A /

! 4 . ] 8 ! SCM . '! B V . Q =

.d /

invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE


.if eax != NULL
mov hSCManager, eax

(! ,

31 . !

() ) ( f T !) d

a -) % <
f ) 5.

#
.!

. ! ) G ' C,U OpenSCManager 5.


V R)

# ..

SCM () ) ( f T .

,; R .! / .

. !) !v

Administrator
) ,

)
W SCM

.d / ) < !
- /

6 ! !)

vF

. q # 6 V !) . / 6 ! > .

> #) >)
+

! ! / V .d / # S Rb () ) ( f T . ! ) G Driver d

13 5. V .d /

! . ! Rb

! T 6 V !) .d -)
.
.SCM () ) ( f T

. SCM

a)

.
4

% < CreateService 5.
- ()

{8

/ )! )

!T

) (! , : hSCManager

Service d

- / ! / (\)
6!

=
(/)

C/


!V . /

(!

- /! / .

*B . %

/ ! / 256 V , Q > V

!) u

. ] .

. : lpServiceName

J !
3 . .)

! V .

vF

! 4 /

Service d

!) 8 ;
.

. .! / +

.+

/ /

!V .

/ ! / 256

<

*B . %

! V Q > d, "/
.

'! B V

(!

. /

() *

R) / g 3

!) DisplayValue !

6! C/

g 3 !u

. : lpDisplayName

J !

.)

.] .

: dwDesiredAccess

)E

.
.u
E

. Start Service 5.

.u

24

. Control Service 5.

.u
() ) ( f T

! Rb

Y0=

% )

: SERVICE_START

G #

: SERVICE_STOP

G #

. Delete Service 5.

d /E

! T V !) DELETE

) : SERVICE_ALL_ACCESS

.A /

.u

!u

: DELETE

G #

Q .d ! )

SERVICE_START !

"[ ) .+#

V . . .d / Y0= SCM

.d /
SERVICE_KERNEL_DRIVER
.

R ) Gd- G
!

a)

!) Start !

C/

6! C/
1 .)

. Driver 1 .d

+#

. /

.] .

[ / /

" !

Log On Prompt ! o:
.] .

" !

V .d /

A84 ad
() *

V .d /

d /E

!u

(!

.. /

8e
"

.
!

g 3 u
d /

V .d /

() *
() *

!) ! iG

SERVICE_ERROR_NORMAL !
.

6! C/

6!

! . ` k : dwErrorControl

SERVICE_ERROR_IGNORE !
.

;. { 4)

SERVICE_AUTO_START
.

! O

() *

g 3 : dwStartType

! SERVICE_DEMAND_START !

() *

E : dwServiceType

g 3 !u

!) Type !

- iG V # 1 ( )
aV ,

!) Error Control !

- iG
.] .

.A #

= / /

(!


*B . %

6! !) Image Path

/ - 1%
. .)!


!V . /

lFG

(!

C/

*B . %

! 4 Null 3 ,- ! Rb

W V . /

.d -)

! 4 Null " !
BG

.] .

d- !

V .

! !)

. : lpLoadOrderGroup

g 3 !

PU Rb !) u

l F G Rb . ! NULL !

)!

. : lpBinaryPathName

J !

B G ( 1 - . -! !) . /

. /


J !

.d -)
!) u


(!

. : lpdwTagId

. 32 W
!TV

-! !)

A )V

< !) . .

lFG ( 1

! T V : lpDependencies

.d -)
Account %

= / /

(!

*B . %

. SERVICE_KERNEL_DRIVER u

6 V !) . /
d

() *

Rb ! 01! .

/ q #p T

. : lpServiceStartName

J !
E

.d

1 .)

/
! !)

6 Rb !)

! !)

% R ,- a > .

. Null

. 3 ,- )

# 1( )
: / 6

/
%

l F G Rb . ! Null !

d -)

. / () *
.

.u

-! !)

) < I/O

. Password : lpPassword

Q 6 .v i R

CreateService

Registry

lpServiceName

Registry subkey name

lpDisplayName

DisplayName

dwServiceType

Type

dwStartType

Start

dwErrorControl

ErrorControl

lpBinaryPathName

ImagePath

!! O


push eax
invoke GetFullPathName, $CTA0("beeper.sys"),\
sizeof acDriverPath,\
addr acDriverPath,\
esp
pop eax
invoke CreateService, hSCManager,\
$CTA0("beeper"),\
$CTA0("Nice Melody Beeper"),\
SERVICE_START + DELETE,\
SERVICE_KERNEL_DRIVER,\
SERVICE_DEMAND_START,\
SERVICE_ERROR_IGNORE,\
addr acDriverPath,\
NULL,\
NULL,\
NULL,\
NULL,\
NULL
.if eax != NULL
mov hService, eax

5.

. Rb R)

! !) A # A /

# S SCM () ) ( f T . !

. ! GetFullPathName 5.

! !) CreateService 5. .d /

.( / ( f A84 Q 6 .)

V# ! O

6! !

) .

" [ SCM () ) ( f T .

)<

G # CreateService

6! !) ! v

Regxxx
a / #S

- C/

,U API 5.
6! . !

() *
-() )

/
.

. / #S !
Create 5.
!

) G!/

G #
)

.(

) < SCM ( f T () ) !) {c84 O )!

- G GetLastError 5.
. Create Service 5.

G # . .

Device Driver 1
. Service

- G 6

1 .) . - G ERROR_SERVICE_EXISTS

) (! , V .) . - G ! !) .
.

) (! ,
)!

31 . !

! !) .

a -) % <
)! O

. 5.

31 .
#
f)

. !
.


) > ) ,> b <


:

StartService

'! B . Rb 2 ; p T /

;. 5.

StartService proto hService:HANDLE,\
                   dwNumServiceArgs:DWORD,\
                   lpServiceArgVectors:LPSTR

) `! , R ,- / : hService

! !) .

! T V - Device Driver

*B -

. : dwNumServiceArgs

invoke StartService, hService, 0, NULL

.)
PE

f d
-A #

! !) AG

7!)b

P# . ! !) A #

,- d
uD

F StartService 5.

f O# = !) ) G O )!
() ) % < o b

. ! ) ! Q 6

7!)b . -! !) {& ,;

-7!)b h kF

.)! ) ! 4 DriverEntry Q ! !) AG
! STATUS_SUCCESS !
! StartService uD

DriverEntry Q ! a) 0T % <

. ) 1 - G

. *B n !

G # .

! 01! . ' C,U

V . /
#

G # !

. ! !) # ;

StartService 5.

) 1

.) / - G p T ! ) G ) C ! !) d /

G #

) > ) ,> j[_


invoke DeleteService, hService
invoke CloseServiceHandle, hService
.else
invoke MessageBox, NULL,\
$CTA0("Can't register driver."),\
NULL,\
MB_ICONSTOP
.endif
invoke CloseServiceHandle, hSCManager

2 ; p T .d / _ T SCM () ) ( f T

! ! !) a DeleteService 5.
:

G # .

.Q=

'! B . 5. V


DeleteService proto hService:HANDLE

)` 6

g 3 !) .V.
.

SCM . /
u

! 01

cU R

_T

-(! , % ,

.
(

: hService

. /
.

) !!/V %<

C. / , _ T ! u

24

V 54 !) 5. V

6 / /

_T

b
.

5.

) (! ,

ad !

! !) . ] 8 !
.d .

! 4 .
V.

+#
.V.
/ Q=

CloseServiceHandle

CloseServiceHandle proto hSCObject:HANDLE

.
5.

) (! , - / Q = . SCM () ) ( f T
G #

; % )
.) .

- G _ T SCM () ) ( f T

G # .
V.

) (! , : hSCObject

! !) .

! SCM () ) ( f T .

a)!

) 6 ! !)

) (! , CloseServiceHandle
+@<) ( 2 5

Read- p . !) ! *B . %

!2 ; ( 6 ,

. /

/
. -)

$CTA0
-() ) Only


F
Ring 0 ( 2) > )
! 4 batch A #

V .d -)

y * bat A #

. #

!) ! ! !)

6 % f - !)

A=


) >)

> a 5 F P.

- / {& ,; aA D / ' C,U


*.asm *.bat

-A #

! O

> C

A #

) )

;@echo off
;goto make
.386

; driver's code start

;::::::::::::::::::::::::::::::::
; the rest of the driver's code ;
;::::::::::::::::::::::::::::::::
end DriverEntry

; driver's code end

:make
set drv=drvname
\masm32\bin\ml /nologo /c /coff %drv%.bat
\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native %drv%.obj
del %drv%.obj
echo.
pause

batch ' !

) R U .

C D /
`

) T

# 1 O !) Masm C D / +

) 6 V !)

- % o*

C D /

- do# A. 4 batch (

) T

^ T make .

. make
.

.Q

Q
/ .)

gotomake V . ' !
- y # u U . '!

# 0T
) .)! ) ) 6
.

batch


A D / f f[ R [


U!

.^ !

V .) 1 , O !) ! o b C D /
.)! ) ! 4 / ) G !) R

set drv=drvname

.A #%

3 6 /d /

2 ;

ik

. / ) < ! !)
. -)
. / ) < sys A #
[ /

dll

! 01! . . / )! ) ) 6

6 . / /

6 A #

-! !)

d /

. /

. /

- "1
. : /driver

T 7!)b : /base:0x10000
. : /out:%dvr%.sys

%cU

Win 32 , Posix ) :

4 .d / V ; ! A # v
# ; Win32 ! ) G

6 +k
)!

6 (Native) Ck + k !) o b . !

, 4 PE A # - header !) : /subsystem:native

.(OS/2
A D / !

, 4 V !)

! 4 10000h Q) ; ! ! !)

exe V G

( - 3 ! Device Driver V

()

)!

do !

p . V !) d /
,

- .

) > ) ,>

.] .

/ , 4 V !)

;@echo off
;goto make
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; simplest - Simplest possible kernel-mode driver
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.386
.model flat, stdcall
option casemap:none


;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; I N C L U D E   F I L E S
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; C O D E
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; DriverEntry
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverEntry proc pDriverObject:PDRIVER_OBJECT,
                 pusRegistryPath:PUNICODE_STRING
mov eax, STATUS_DEVICE_CONFIGURATION_ERROR
ret
DriverEntry endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
end DriverEntry
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; B U I L D I N G   D R I V E R
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:make
set drv=simplest
\masm32\bin\ml /nologo /c /coff %drv%.bat
\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native %drv%.obj
del %drv%.obj


echo.
Pause

Driver Entry Routine


(Entry Point) ) ! Q !

" ! !) - a 6 A. 4

Driver Entry Q ! -! !) ) ! Q ! .)
.)! ) ( oU . !

. ' C,U

G #)

-Q

,-

! 01! . O# = !)

() b ' C,U % < J* : Q ! V {& ,; .


. /

( - 3 ! 5. V 2 ; p T a

!)

DriverEntry proto DriverObject:PDRIVER_OBJECT,
                  RegistryPath:PUNICODE_STRING

A #

PUNICODE_STRING

!)

PDRIVER_OBJECT

() )

2 ; \include\w2k\ntdef.inc \include\w2k\ntddk.inc

. (

PDRIVER_OBJECT typedef PTR DRIVER_OBJECT
PUNICODE_STRING typedef PTR UNICODE_STRING

Rb .

B ! Driver Entry Q ! I/O Manager /

!T ) a

:
NT

A U d
!) ! !)
"6

f - . b!) p ,

" [ ! !) X

Rb .

. /

# ; X

.X

)<

'! B .

b .] .

DriverObject 1(!

)R
.d !

!) ! ! !)

! !) (

() ) R , G

: PDriverObject

. 1(!
."

-! !) uT .

a)

Rb . ! / S = Q = !) . -)

! !) .d ) / zk.
uT ! !) /

!) R [

! B !) . / () *

o Rb

D/

.a

) G

)!
)

- C/

' Uc>
y #

. ! () ) R , G

: pusRegistryPath

. 1(!

6! !) ! !)
.

! 01! . O# =

. /
V

. obhS

DRIVER_OBJECT () ) R , G

/ Unicode J !

C/

g 3

6!

(! .!) A84

, 4 !)

( Gm ! O

. 1(!

. Driver Entry Q ! % ,


! /0 Unicode J ! .) . -

,
# .

! .

!) .! /


V Driver Entry Q !

8; !

! / UNICODE_STRING

?
?
?

. *B / ! / V Gb ^! , R . a
.(

. v = .) )

*B . %

!V

(!

! G

UNICODE_STRING () ) R , G

YcG . .

.d /
UNICODE_STRING STRUCT
    _Length       WORD  ?
    MaximumLength WORD  ?
    Buffer        PWSTR ?
UNICODE_STRING ENDS
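How a UNICODE_STRING such as the RegistryPath handed to DriverEntry is read, as an added Python example (not code from the book). It shows the two points that matter when a driver, or a debugger script, consumes this structure: Length and MaximumLength are byte counts, not character counts, and the buffer need not be NUL-terminated, so only Length bytes may be taken. The memory snapshot, its base address and the registry path are constructed for the example.

```python
import struct

UNICODE_STRING_FORMAT = "<HHI"      # _Length, MaximumLength, Buffer (32-bit PWSTR)
UNICODE_STRING_SIZE = struct.calcsize(UNICODE_STRING_FORMAT)   # 8 bytes on 32-bit NT


def read_unicode_string(memory, struct_addr, base):
    """Decode the UNICODE_STRING at virtual address struct_addr inside `memory`,
    a bytes snapshot whose first byte lives at virtual address `base`
    (example assumption). Returns (text, length_bytes, maximum_length_bytes)."""
    off = struct_addr - base
    length, maximum, buffer_ptr = struct.unpack_from(UNICODE_STRING_FORMAT, memory, off)
    if length > maximum or length % 2:
        raise ValueError("inconsistent UNICODE_STRING header")
    start = buffer_ptr - base
    if start < 0 or start + length > len(memory):
        raise ValueError("Buffer points outside the snapshot")
    # Length counts BYTES of UTF-16, and nothing guarantees a terminating NUL:
    # exactly Length bytes are decoded, whatever lies in the rest of MaximumLength.
    text = memory[start:start + length].decode("utf-16-le")
    return text, length, maximum


def build_sample_memory(base):
    """Constructed snapshot: a driver's registry path stored as UTF-16 without a
    terminator, with two bytes of non-zero slack after it."""
    path = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\beeper"
    raw = path.encode("utf-16-le")
    header = struct.pack(UNICODE_STRING_FORMAT, len(raw), len(raw) + 2, base + 0x40)
    mem = bytearray(0x100)
    mem[0:UNICODE_STRING_SIZE] = header
    mem[0x40:0x40 + len(raw)] = raw
    mem[0x40 + len(raw):0x40 + len(raw) + 2] = b"\xff\xff"   # slack, deliberately not a NUL
    return bytes(mem)


if __name__ == "__main__":
    BASE = 0x80000000                                # example base address
    print(read_unicode_string(build_sample_memory(BASE), BASE, BASE))
```

Treating the buffer as a C string would run past the 108 bytes of text into the slack; a driver that copies RegistryPath for later use must allocate its own buffer sized from MaximumLength and honour Length.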


/ # . Q > : Maximum Length

Rb . # . PU +

3 ,- /

) 6

! Q > : Length

. .

.Unicode

: Buffer

! . 1(!

.
Rb Q > V
! !)
V

3.

, 4 V
-)

!) . /

% < ! !) V

a -) , % <
!

1 C6

. / ! 01! .

^ ! V

'

#S '8 k

/ ! / o .) ) d - G ! 4

B G ! / ! !) V

1 . ) 1

! Rb

C;# J ! Q > /

<b

. -)

,o

! 01! . ` 6

. ! STATUS_DEVICE_CONFIGURATION_ERROR
- G

4 . O# = !) ! !) a

6! ! ! !) -

% C;

! Simplest.sys

! . )!
! ) G

/
iG

) 1 . ! STATUS_SUCCESS

KmdManager

AG ( V A/ E F 1@

.+

. / unload

( / () > )

;@echo off
;goto make
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; beeper - Kernel Mode Driver
; Makes beep through computer speaker
;


;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.386
.model flat, stdcall
option casemap:none
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
I N C L U D E
F I L E S
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\hal.inc
includelib \masm32\lib\w2k\hal.lib
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; E Q U A T E S
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
TIMER_FREQUENCY equ 1193167     ; 1,193,167 Hz
OCTAVE          equ 2           ; octave multiplier

PITCH_C         equ 523         ; C    523,25 Hz
PITCH_Cs        equ 554         ; C#   554,37 Hz
PITCH_D         equ 587         ; D    587,33 Hz
PITCH_Ds        equ 622         ; D#   622,25 Hz
PITCH_E         equ 659         ; E    659,25 Hz
PITCH_F         equ 698         ; F    698,46 Hz
PITCH_Fs        equ 740         ; F#   739,99 Hz
PITCH_G         equ 784         ; G    783,99 Hz
PITCH_Gs        equ 831         ; G#   830,61 Hz
PITCH_A         equ 880         ; A    880,00 Hz
PITCH_As        equ 988         ; B    987,77 Hz
PITCH_H         equ 1047        ; H   1046,50 Hz

; We are going to play c-major chord


TONE_1          equ TIMER_FREQUENCY/(PITCH_C*OCTAVE)
TONE_2          equ TIMER_FREQUENCY/(PITCH_E*OCTAVE)
TONE_3          equ (PITCH_G*OCTAVE)        ; for HalMakeBeep

DELAY           equ 1800000h                ; for my ~800mHz box
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; M A C R O S
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DO_DELAY MACRO
mov eax, DELAY
.while eax
dec eax
.endw
ENDM
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; C O D E
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; MakeBeep1
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
MakeBeep1 proc dwPitch:DWORD
; Direct hardware access
cli
mov al, 10110110y
out 43h, al
mov eax, dwPitch
out 42h, al
mov al, ah


out 42h, al
; Turn speaker ON
in al, 61h
or al, 11y
out 61h, al
sti
DO_DELAY
cli
; Turn speaker OFF
in al, 61h
and al, 11111100y
out 61h, al
sti
ret
MakeBeep1 endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; MakeBeep2
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
MakeBeep2 proc dwPitch:DWORD
; Hardware access using WRITE_PORT_UCHAR and READ_PORT_UCHAR
; functions from hal.dll
cli
invoke WRITE_PORT_UCHAR, 43h, 10110110y
mov eax, dwPitch
invoke WRITE_PORT_UCHAR, 42h, al
mov eax, dwPitch
invoke WRITE_PORT_UCHAR, 42h, ah
; Turn speaker ON
invoke READ_PORT_UCHAR, 61h
or al, 11y
invoke WRITE_PORT_UCHAR, 61h, al


sti
DO_DELAY
cli
; Turn speaker OFF
invoke READ_PORT_UCHAR, 61h
and al, 11111100y
invoke WRITE_PORT_UCHAR, 61h, al
sti
ret
MakeBeep2 endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; DriverEntry
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverEntry proc pDriverObject:PDRIVER_OBJECT,
pusRegistryPath:PUNICODE_STRING
invoke MakeBeep1, TONE_1
invoke MakeBeep2, TONE_2
; Hardware access using hal.dll HalMakeBeep function
invoke HalMakeBeep, TONE_3
DO_DELAY
invoke HalMakeBeep, 0
mov eax, STATUS_DEVICE_CONFIGURATION_ERROR
ret
DriverEntry endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
end DriverEntry


;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:make
set drv=beeper
\masm32\bin\ml /nologo /c /coff %drv%.bat
\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native %drv%.obj
del %drv%.obj
echo.
pause

V ! O V
. I/O

.. /

-'! T .

In ' !

B aMother Board CG )

CPU . ] .

Out

O# k NT

. -!

.) . - G

). /

. ^c

!) / )! ) ) 6 ! / V % <

1 C.

() *

() *

. ! !) V

In ' !

! !)

ado 5.

b # d G J"

R U
!) Out

. .! /

. G ) T d - G Rb . ( b
7@
!)
.)
,
!

G
() *
. /

#/+#(

)<

V Rb
) 1
V

! *B . /

. 7 ; ^! , .)

.d /

a)

..

)! ) ) 6 2 : J
/

() *

@5

D / AG ) !) ,

)< 2 ,

% < (! . )
R

Kernell32.dll

makebeep1 Q !

() *

/ #
V

31 . q #p T
Q

*B
b #

V .)

6 V !) d - .

! 1193167 ' *

) ,

! / 1,193,180 Hz u / # . ! c
-u / #

"> -

. ! ) ! 4 Programmable Internal Timer (PIT)


+

. ! 1193180 ;4 !
"

R U . / !) ) 6

nb !

)< !R

V T ,

!) u / # V . /

- ,

.2 ,

g 3

. ,

.)

! c

AG

D /

/d
-()

6 q #p T !

CB
G%,
/

QueryPerformanceFrequency
!

halmakebeep 5. hall.dll !)

. ! BV

6 V !) .d /

() *


mov al, 10110110y


out 43h, al

43h '! T !) ! 10110110

.!

!/V

. .d /

! ,

/ ' 8e

.d
mov eax, dwPitch
out 42h, al
mov al, ah
out 42h, al

42h '! T !) ! q #p T !

. &.

V T!

) )

() *

.Q=
.d

in al, 61h
or al, 11y
out 61h, al
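The arithmetic behind the port writes just shown, as an added Python example (not code from the book or from the beeper driver): the reload value the driver computes as TIMER_FREQUENCY/(PITCH*OCTAVE), the low-byte/high-byte split performed by the two `out 42h, al` instructions, the meaning of the 10110110b control word sent to port 43h, and the two bits of port 61h that gate the speaker. It uses the driver's own constant 1193167 for the timer clock and the C and E pitches from the listing; the 16-bit limit of the counter is the only fact added beyond the page.

```python
PIT_INPUT_HZ = 1193167          # the driver's TIMER_FREQUENCY (nominal PIT clock is 1,193,180 Hz)
PIT_ACCESS_MODES = {0: "latch", 1: "lobyte", 2: "hibyte", 3: "lobyte/hibyte"}


def pit_divisor(frequency_hz, clock_hz=PIT_INPUT_HZ):
    """Reload value written to channel 2: clock / frequency, truncated like the
    assembler's integer division. The counter is 16 bits wide, so a result above
    0FFFFh (frequencies below roughly 18 Hz) cannot be programmed this way."""
    if frequency_hz <= 0:
        raise ValueError("frequency must be positive")
    divisor = clock_hz // frequency_hz
    if divisor == 0 or divisor > 0xFFFF:
        raise ValueError("divisor %d does not fit the 16-bit counter" % divisor)
    return divisor


def divisor_bytes(divisor):
    """The two OUT 42h writes: first al (low byte), then ah (high byte)."""
    return divisor & 0xFF, (divisor >> 8) & 0xFF


def actual_frequency(divisor, clock_hz=PIT_INPUT_HZ):
    """Tone the speaker really produces once the divisor has been truncated."""
    return clock_hz / divisor


def decode_control_word(byte):
    """Decode the command byte written to port 43h:
    bits 7-6 channel, bits 5-4 access mode, bits 3-1 operating mode, bit 0 BCD."""
    return {
        "channel": (byte >> 6) & 3,
        "access": PIT_ACCESS_MODES[(byte >> 4) & 3],
        "mode": (byte >> 1) & 7,
        "bcd": bool(byte & 1),
    }


def speaker_gate(port_61h_value, enable):
    """Port 61h: bit 0 gates timer 2, bit 1 drives the speaker. The driver ORs
    11b to switch on and ANDs 11111100b to switch off, preserving the other bits."""
    return (port_61h_value | 0b11) if enable else (port_61h_value & 0b11111100)


if __name__ == "__main__":
    for note, pitch in (("C", 523), ("E", 659)):
        d = pit_divisor(pitch * 2)                 # OCTAVE equ 2 in the driver
        lo, hi = divisor_bytes(d)
        print(note, d, hex(lo), hex(hi), round(actual_frequency(d), 2))
    print(decode_control_word(0b10110110))
```

Note the difference between TONE_1/TONE_2 and TONE_3 in the listing: the first two are divisors for direct PIT programming, while TONE_3 is a frequency in hertz, because HalMakeBeep takes the frequency and computes the divisor itself. Writing a divisor where a frequency is expected (or the reverse) produces a tone, just not the intended one.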

! B 1 C. Q = .d /

! ! 1 C. a 61h '! T !)

*B . - . R) /

.Q=

. /

)<

DO_DELAY MACRO
mov eax, DELAY
.while eax
dec eax
.endw
ENDM

.)

() ) -R

P;. !) p T

<

1 C. . DO_DELAY

() *

.Q=

in al, 61h
and al, 11111100y
out 61h, al

.d / *B 61h '! T !) ! )
p

T A. 4
.d /

! "#
)< ! BV

- *4

- . /d !)

. uT

) makebeep2 Q !

5.
() *

1 C. R) / ^
,

. .d

.!/

! (maskeable)

() *

<. % ) 5.

!) .

WRITE_PORT_UCHAR
! I/O . ! /
5.

() *

% )

RoT !

! "#

- f .
d /

)<

() . hal.dll A # 5.

) . )

READ_PORT_UCHAR 5.

. ! Rb /

q #p T !


in/out

HAL .d /
BV

oC,; !

hal.dll !)

() *

. /

) < HalMakeBeep

5. V .d /

.)!
^

. ad ) / () *

R U . ! *B !

ob
() /

12 a beeper.bat A #

/ )! ) ) 6
G # ! HalMakeBeep 5.

f)!.
.d

. !)

. 1 C. R) /
*. Rb . R

1!b

) >) ) 5 Gb <
d

d- G
*C

Q = .)! ) ) 6

-^ ! . ! / V . /
DeleteService 5.

!
d -)
() )

(!
G # !)

*C

! > . !
/

SERVICE_AUTO_START

V
.

-^ !

/ d )

! !) / d / ! 8<

^ ! V

()

0TR

! SERVICE_DEMAND_START

W SERVICE_ERROR_NORMAL . ! SERVICE_ERROR_IGNORE

. SCP.exe A #
! !) d
p . !)

! !) E

R
/

6
' .

( -3

;. .d /
;. .) . - G
A

f Programs fStart Menu)

() / A D / (! . ) ! SCP.asm

6 {c / u

6! a

6A #
!R T

!) / ! >R ,- .) ) - G % < ! ) G ' C,U beep.sys


. . -! !) `! .!) !

Uc>

Event Log

.(Event ViewerfAdministrative Tools


'! F

n !)

/_T


6!


! ! !) . ] .
.


-() )


' Uc> /

- G ! ) C V ad

' .!. - .

CMOS +/
a O# =

.+

T ' Uc> ( Gm
[

. Rb

/ )! ) ) 6 [

.% &

.)

. I/O , 71h 70h '! T .

.)! b

() *

D / )! .!) !)

) .R

! Rb ' Uc>

6!

() *

. ! ' Uc> v

R ,- !) d ! b

. !

)) 1

)
V

mov al, 0Bh
out 70h, al
in al, 71h
push eax
and al, 11111011y
or al, 010y
out 71h, al

- /
.d /

() *
.

. .d /
# ! obR

V ; B

invoke wsprintf, addr acOut,\
        $CTA0("Date:\t%s\nTime:\t%s"),\
        addr acDate,\
        addr acTime
invoke MessageBox, NULL,\
        addr acOut,\
        $CTA0("Current Date and Time"),\
        MB_OK

)!

' Uc> d

CMOS

:) / - G ( - 3 !

! >R ,- . / 24
6

. 8

"[ ,

ad

R .d /

O# k NT

!) I/O

() 3

- G

K ( 2$) 9+/

b #

d ! 01

p , . ! ' Uc> Q =

) SMOS O# = . d

-'! T .
6 d G zU . .! /

( 2FE #

) ad
!) Out

/0

A84 !) /
In ' !

?- ( /() > )

;@echo off
;goto make
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
;
; giveio - Kernel Mode Driver
;

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
.386
.model flat, stdcall
option casemap:none


:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
;
; I N C L U D E   F I L E S
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\ntoskrnl.inc
includelib \masm32\lib\w2k\ntoskrnl.lib
include \masm32\Macros\Strings.mac
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
;
; E Q U A T E S
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
IOPM_SIZE equ 2000h            ; sizeof I/O permission map

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
;
; C O D E
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
.code
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
;
; DriverEntry
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local oa:OBJECT_ATTRIBUTES
local hKey:HANDLE
local kvpi:KEY_VALUE_PARTIAL_INFORMATION
local pIopm:PVOID
local pProcess:LPVOID
invoke DbgPrint, $CTA0("giveio: Entering DriverEntry")


    mov status, STATUS_DEVICE_CONFIGURATION_ERROR

    lea ecx, oa
    InitializeObjectAttributes ecx, pusRegistryPath, 0, NULL, NULL
    invoke ZwOpenKey, addr hKey, KEY_READ, ecx
    .if eax == STATUS_SUCCESS
        push eax
        invoke ZwQueryValueKey, hKey,\
                $CCOUNTED_UNICODE_STRING("ProcessId", 4),\
                KeyValuePartialInformation,\
                addr kvpi,\
                sizeof kvpi,\
                esp
        pop ecx
        .if ( eax != STATUS_OBJECT_NAME_NOT_FOUND ) && ( ecx != 0 )
            invoke DbgPrint,\
                    $CTA0("giveio: Process ID: %X"),\
                    dword ptr (KEY_VALUE_PARTIAL_INFORMATION PTR [kvpi]).Data
            ; Allocate a buffer for the I/O permission map
            invoke MmAllocateNonCachedMemory, IOPM_SIZE
            .if eax != NULL
                mov pIopm, eax
                lea ecx, kvpi
                invoke PsLookupProcessByProcessId,\
                        dword ptr (KEY_VALUE_PARTIAL_INFORMATION PTR [ecx]).Data,\
                        addr pProcess
                .if eax == STATUS_SUCCESS
                    invoke DbgPrint, $CTA0("giveio: PTR KPROCESS: %08X"), pProcess
                    invoke Ke386QueryIoAccessMap, 0, pIopm
                    .if al != 0
                        ; I/O access for 70h port
                        mov ecx, pIopm
                        add ecx, 70h / 8
                        mov eax, [ecx]
                        btr eax, 70h MOD 8
                        mov [ecx], eax
                        ; I/O access for 71h port
                        mov ecx, pIopm
                        add ecx, 71h / 8
                        mov eax, [ecx]
                        btr eax, 71h MOD 8
                        mov [ecx], eax
                        invoke Ke386SetIoAccessMap, 1, pIopm
                        .if al != 0
                            invoke Ke386IoSetAccessProcess, pProcess, 1
                            .if al != 0
                                invoke DbgPrint, $CTA0("giveio: I/O permission is successfully given")
                            .else
                                invoke DbgPrint, $CTA0("giveio: I/O permission is failed")
                                mov status, STATUS_IO_PRIVILEGE_FAILED
                            .endif
                        .else
                            mov status, STATUS_IO_PRIVILEGE_FAILED
                        .endif
                    .else
                        mov status, STATUS_IO_PRIVILEGE_FAILED
                    .endif
                    invoke ObDereferenceObject, pProcess
                .else
                    mov status, STATUS_OBJECT_TYPE_MISMATCH
                .endif
                invoke MmFreeNonCachedMemory, pIopm, IOPM_SIZE
            .else
                invoke DbgPrint, $CTA0("giveio: Call to MmAllocateNonCachedMemory failed")
                mov status, STATUS_INSUFFICIENT_RESOURCES
            .endif
        .endif
        invoke ZwClose, hKey
    .endif
    invoke DbgPrint, $CTA0("giveio: Leaving DriverEntry")
    mov eax, status
    ret
DriverEntry endp
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:


;
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
end DriverEntry
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
;
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
:make
set drv=giveio
\masm32\bin\ml /nologo /c /coff %drv%.bat
\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native %drv%.obj
del %drv%.obj
echo.
pause
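The bit arithmetic in DriverEntry above (`add ecx, port/8` followed by `btr eax, port MOD 8`) is the whole mechanism by which giveio opens ports to a user-mode process, so it is worth seeing the I/O permission bitmap modelled on its own. The following is an added example written for this page, not code from the book or from the giveio driver: it builds an 8192-byte (2000h) map with the CPU's semantics (one bit per port, a clear bit means the port is allowed) and audits how many ports a map leaves open. Starting from a deny-all map is this example's assumption; the driver instead edits the live map returned by Ke386QueryIoAccessMap. The `iopm_*` and `giveio_cmos_map` names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the x86 I/O permission bitmap (IOPM) that the driver
   edits: 2000h bytes = 65536 ports, one bit each, 0 = allowed, 1 = trapped. */
#define IOPM_SIZE       0x2000u
#define IOPM_PORT_COUNT (IOPM_SIZE * 8u)

typedef struct { uint8_t bits[IOPM_SIZE]; } iopm_t;

/* Every bit set: no port reachable from ring 3 (assumed baseline; the driver
   fetches the live map with Ke386QueryIoAccessMap instead). */
void iopm_deny_all(iopm_t *m)  { memset(m->bits, 0xFF, IOPM_SIZE); }
/* Every bit clear: what the RtlZeroMemory variant on the page produces. */
void iopm_allow_all(iopm_t *m) { memset(m->bits, 0x00, IOPM_SIZE); }

/* Same index arithmetic as  add ecx, port/8  /  btr eax, port MOD 8 */
void iopm_allow_port(iopm_t *m, uint16_t port) {
    m->bits[port / 8] &= (uint8_t)~(1u << (port % 8));
}
void iopm_deny_port(iopm_t *m, uint16_t port) {
    m->bits[port / 8] |= (uint8_t)(1u << (port % 8));
}
int iopm_port_allowed(const iopm_t *m, uint16_t port) {
    return ((m->bits[port / 8] >> (port % 8)) & 1u) == 0;
}

/* Audit helper: how many of the 65536 ports does a map leave open? */
uint32_t iopm_count_allowed(const iopm_t *m) {
    uint32_t n = 0;
    for (uint32_t p = 0; p < IOPM_PORT_COUNT; p++)
        if (iopm_port_allowed(m, (uint16_t)p)) n++;
    return n;
}

/* The map giveio's DriverEntry installs: only the CMOS index/data ports
   70h and 71h are opened. Returns the number of open ports. */
uint32_t giveio_cmos_map(iopm_t *m) {
    iopm_deny_all(m);
    iopm_allow_port(m, 0x70);
    iopm_allow_port(m, 0x71);
    return iopm_count_allowed(m);
}

static iopm_t demo_map;   /* scratch map for main() and the checks */

uint32_t demo_cmos_count(void) { return giveio_cmos_map(&demo_map); }

int main(void) {
    printf("giveio CMOS map opens %u port(s); port 61h allowed: %d\n",
           (unsigned)demo_cmos_count(), iopm_port_allowed(&demo_map, 0x61));
    iopm_allow_all(&demo_map);
    printf("zeroed map opens %u port(s)\n",
           (unsigned)iopm_count_allowed(&demo_map));
    return 0;
}
```

The contrast between the two maps is the point for review: the 70h/71h version grants two ports, while the zeroed variant quoted later on this page grants all 65536, which is why a driver that installs it deserves the same scrutiny as any that raises a process's IOPL.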

I/O (
Process
V

. ! I/O
. - .)! ) I/O

E ,
I/O

-7!)b

-'! T .

. J3

-'! T . <
.1

)a
P# .

<

2000h a IOPM 3 (

.V

-) 9 +/

I/O

) '! T Rb .

x/ = a

- -)7!)b A. 4

. J3

( 2FE # )

! !) p . V !)

b # - . -)
-'! T

.
b #a

?-

W lG
.] .

. *B

.V

. 3- I/O '! T 64000

=
.

)! ) ) 6 IOPM ! /

. ntoskrnl.exe A # !) '

R . ( 3 9

5.

. ke386SetIoAccessMap ke386QueryIoAccessMap
Ke386QueryIoAccessMap proto stdcall dwFlag:DWORD, pIopm:PVOID

!) TSS


. 2000h Rb `


/ IOPM a ke386QueryIoAccessMap 5.

. /

D/ a /

Rb . PIOPM /

(!

O# =

P#

: dwflag
T 0FF h !

. /

D/ O# = !) TSS

/
V `

/ IOPM / /

- G D/ Rb !)

(!

.
! 4 *B

al ' 8e !) a -) % <

n!
.

-)

! 4 *B ! al !

#
)

/ IOPM : 1

P# . : pIopm

O# =

. 2000h

,/

8 O# =

. ! ) G ' C,U y # 5.

P# : 0

. ! O# =

P#

! B !)

. ' C,U % < !) 1

-)

Ke386SetIoAccessMap proto stdcall dwFlag:DWORD, pIopm:PVOID

O# =

. 2000h (

g 3 IOPM ake386SetIoAccessMap 5.

.(

D/ TSS !) a /

. /

8 O# =
!

D/ ` 6

P# V (

al ' 8e !) a -) % <

- G *B ! al ' 8e a)

.1

Iopm A
#

+#

(!

. ! ) G ' C,U 5. V

. ) G ' C,U

6 !) 1

: dwflag

!TV !

P# . : pIopm

O# =
1 .

R . PIOPM

(!

. 2000h
) 1

,/

! 4 *B n
.) /

6 Iopm . aIopm

! / V . / (!
* !

. 5.

# 1(!

.a

D/ TSS !) Iopm

uT

% < ke386IoSetAccessProcess 5. +

" 5. V .)

ntoskrnl.exe A #

(3 9

Ke386IoSetAccessProcess proto stdcall pProcess:PTR KPROCESS, dwFlag:DWORD

. -)

b # . ! Iopm

() *

( 6 % U

.) ) d - G h S Rb (! .!) { ;. / /

(!

( 6 ke386IoSet Access Process 5.


KPROCESS )! /! . : pProcess
: dw flag

. -) , ! I/O

-'! T .

)( 6 :0

! I/O

-'! T .

)( 6 :1

. -)
! 4 al

-)

6! !) *B n !

a -) % <

.) / - G *B ! al !

. ! ) G ' C,U 1 " 5. V

. ) G ' C,U % < !) 1

Y = V {& ,; .
- 3 T ! ) Ntoskrnl A # 5. % , { 8
: +@ .
. /
p Y = Rb
;.
internal ; . /
i ob 3T
5. PsP .
kernel ; . ke .
fastcall ! O / f private ;
.
Memory Management 5. Mm
internal process support

kProcess )! /! . 1(!

pT.

ke386IoSet Access Process 5.

!TV

!) A # V R) ) ! 4 CU .)! ) ! 4 \include\w2k\w2kundoc.inc A # !) )! /! V 2 ;
' *
5.

. Windows NT 2C

Windows XP ! !)

. , v

. ! KPROCESS )! /!

!) ( 3 9

5.

. Rb

IopmOffset

V w2k JG

() *

Qx

. . !)

PU ke386IoSetAccessProcess
. -)

Registry E $ %&' O . G
Process

/ d !)
) / d - G () *
/
R)

. ke386IoSetAccessProcess 5.

G #! O

()

6 V !) .) /

*C

aDatatime.exe A # !)

b #
#

^ !V

1(!

6!

!) DriveEntry Q ! /
! ! !)

. !/V

= V !) .d -)
f - .d /

b # [ d . !) / )!

() *
) 6

) Rb . R
. . Process J

! 4

6! !)

! !) . .! /

- /

. 1(!

d 8. Q = .d /

() *

/
6!

d! b
)!

. !
() / E

pusRegistryPath , DriverEntry Q ! % )
Process

!T

6 System Process Context

-! - )

.
!) ! !) C/

-( !

() *

V#

. Rb
.)

!T
6!

%<

f[ -! / V


lea ecx, oa
InitializeObjectAttributes ecx, pusRegistryPath, 0, NULL, NULL

! OBJECT_ATTRIBUTES )! /!
o.
/

.d ) / () *

G # ! ZwOpenKey 5.

.ad /

InitializeObjectAttributes

f b 3 ,- InitializeObjectAttributes
. -) % <

Qx

!/V

!T. ) 1

,-

. hkey !) !

Object Attribute . 1(!

..d / # ;

-) % < R ) G ! ! / V
! ! / V . / , ! #! ! ) ! O

lea ecx, oa
xor eax, eax
assume ecx:ptr OBJECT_ATTRIBUTES
mov [ecx].dwLength, sizeof OBJECT_ATTRIBUTES
mov [ecx].RootDirectory, eax              ; NULL
push pusRegistryPath
pop [ecx].ObjectName
mov [ecx].Attributes, eax                 ; 0
mov [ecx].SecurityDescriptor, eax         ; NULL
mov [ecx].SecurityQualityOfService, eax   ; NULL
assume ecx:nothing

hi % )

A84

) (! , ZwOpenKey 5.

6! C/ .

= ecx ' 8e /

.. /

V ; !

)!
.

)
(

. C/

invoke ZwOpenKey, addr hKey, KEY_READ, ecx


.if eax == STATUS_SUCCESS
push eax
invoke ZwQueryValueKey, hKey,\
$CCOUNTED_UNICODE_STRING("ProcessId", 4),\
KeyValuePartialInformation,\
addr kvpi,\
sizeof kvpi,\
esp
pop ecx

! O

. 5. V

) 1

. !

6! (
.d /

# 1 O !) O )!

() *

ZwQueryValueKey

C/ !
6!

. /

Process J
. 1(!

% )

V#
!T


. $CCOUNTED_UNICODE_STRING

)! /! 2 ;
a !

- /

() *

<

!)

UNICODE_STRING

4cU 1 .d ) / () *

. / () *

^ !

usz dw 'U', 'n', 'i', 'c', 'o', 'd', 'e', ' ', 's', 't', 'r', 'i', 'n', 'g', 0
us  UNICODE_STRING {sizeof usz - 2, sizeof usz, offset usz}

COUNTED_UNICODE_STRING,

- /

$COUNTED_UNICODE_STRING,
ob

A ) V

&. ^ !

CCOUNTED_UNICODE_STRING,

! (\Macros\Strings.mac) $CCOUNTED_UNICODE_STRING

.d /
.e
d< T
.

KeyValuePartialInformation . /
%! o[
- Rb `

!T .

g 3 !

!T
C8,

KEY_VALUE_PARTIAL_INFORMATION )! /! . 1(!
! O )!

Process

. ZwQueryValueKey 5.

G #

A84 / d

d-

`) ) E

2 ; (\include\w2k\ntddk.inc) !) /

! T V Gb . #

1(!

)!

() *

R
.

..

.d / ! ! Rb
/) 5 ( 2 Process ( 2$) 9 +/ 7 I@

Data PU

)! /! V
31 .
. Stack
@

.) ; .
! !

P#

pE # ( %

.if ( eax != STATUS_OBJECT_NAME_NOT_FOUND ) && ( ecx != 0 )


invoke MmAllocateNonCachedMemory, IOPM_SIZE
.if eax != NULL
mov pIopm, eax

5.

G # . a) ) % <
.d -) l F G Iopm . !

. ! ) G ' C,U ZwQueryValueKey 5.

#
)!

< JO# = MmAllocateNonCachedMemory

lea ecx, kvpi
invoke PsLookupProcessByProcessId,\
        dword ptr (KEY_VALUE_PARTIAL_INFORMATION PTR [ecx]).Data,\
        addr pProcess
.if eax == STATUS_SUCCESS
    invoke Ke386QueryIoAccessMap, 0, pIopm

.



aPsLookupProcessByProcessId

1(!

5.

!) ! IOPM aKe386QueryIoAccessMap 5. .d /



. ProcessIdentifier R)
PProcess )!
. /

# .

! ProcessObject
T O# =

P#

.if al != 0
    ; I/O access for 70h port
    mov ecx, pIopm
    add ecx, 70h / 8
    mov eax, [ecx]
    btr eax, 70h MOD 8
    mov [ecx], eax
    ; I/O access for 71h port
    mov ecx, pIopm
    add ecx, 71h / 8
    mov eax, [ecx]
    btr eax, 71h MOD 8
    mov [ecx], eax
    invoke Ke386SetIoAccessMap, 1, pIopm
    .if al != 0
        invoke Ke386IoSetAccessProcess, pProcess, 1
        .if al != 0
        .else
            mov status, STATUS_IO_PRIVILEGE_FAILED
        .endif
    .else
        mov status, STATUS_IO_PRIVILEGE_FAILED
    .endif
.else
    mov status, STATUS_IO_PRIVILEGE_FAILED
.endif

(! . ) !

G # I/O .

W IOPM
)

d /

! 4 .

_ T ! 70-71

-'! T . :

. ! ke386SetAccessProcess 5.

- .

Q=

() /

.
.d /

invoke ObDereferenceObject, pProcess


.else
mov status, STATUS_OBJECT_TYPE_MISMATCH
.endif


Process Object . ' U 6! 1^! ,

PsLookupProcessByProcessId 5.

G # ! ObDereferenceObject 5. a ' U 6! 1^! ,

p- /

C84

. . -)

G #
p "# !
.d /

invoke MmFreeNonCachedMemory, pIopm, IOPM_SIZE


.else
invoke DbgPrint,\
$CTA0("giveio: Call to MmAllocateNonCachedMemory failed")
mov status, STATUS_INSUFFICIENT_RESOURCES
.endif
.endif
invoke ZwClose, hKey

.endif

G # .

() / ) b ! O# =

P# MmFreeNonCachedMemory 5.
.d .

. iG /
) .d
65535 % , .

! !) /
) .! /

f-

b #R /

)` 6 R ) G .

.) .

) (! , ZwClose

6! .

! !) .

f)
V.
= /

%<

O# =
[ /

G # .

O )!

bd
V

' C,U
a ) 1

. .)! ) I/O '! T


. / iU ! '! T

invoke MmAllocateNonCachedMemory, IOPM_SIZE
.if eax != NULL
    mov pIopm, eax
    invoke RtlZeroMemory, pIopm, IOPM_SIZE
    lea ecx, kvpi
    invoke PsLookupProcessByProcessId,\
            dword ptr (KEY_VALUE_PARTIAL_INFORMATION PTR [ecx]).Data,\
            addr pProcess
    .if eax == STATUS_SUCCESS
        invoke Ke386SetIoAccessMap, 1, pIopm
        .if al != 0
            invoke Ke386IoSetAccessProcess, pProcess, 1
        .endif
        invoke ObDereferenceObject, pProcess
    .endif
    invoke MmFreeNonCachedMemory, pIopm, IOPM_SIZE
.else
    mov status, STATUS_INSUFFICIENT_RESOURCES
.endif

JO# =
.

_ iG


Speaker +
I/O

-'! T .



' B R) / p T /
)

. / - ,- .! /

> .+ . / / 7 .
.

) V-m !) 3 ,. CMOS

_ iG # / (
. ! ob

, {

R [


I/O 7@

>E

I/O manager
ob

G # dll

() /

_ iG !

.)

. d

! 4 .]8!
k I/O 7@

a o b 7!)b
T O

. Rb +
-! ".

.! /

() *

. .! /

-! ".

. . I/O Manager A.

! I/O . ] .
! O

<

' C,U /

- ! 8<

!) . / ) < Device

A4 =

!)

!) .d ) /

() *

A Ud

V . .
V

. V . ] 8 ! I/O Manager .)

8 3T

) /! / f f[ /

G # % , { ,i
.! /

. .! /

I/O Manager -+

V .

. /

1)

()! b d- # ! i

2 ; - Device Driver
-

. ! 5.

!/ V [

/
+

-! !) . ! d
. /

Device

>E

! 4 . ,

-A #

( -3

= !)
()

/
.A

!) ! - Driver

/ # d - G!) A

. 6

- / .) . - G I/O Manager Q

/ k

. ! !)

-) % < ! !)

;4 Device

)<
R .

O# = !)

G!) /

Device

. ! !) [ /

I/O

V I/O Manager

/d

b ' B FG

() / Q ! Device Rb . ! > .
-


. Device ) <

; V

R U . !) G /)
Device 8e . . /


) , .! / /

.

< Device

. !V .

/
# ;


V ! O
i Device

"#

o . ) 1
*. v

.( /

8e Q

,
6

G!) . !

Device Driver . ! I/O

(Virtophys) ) > ) ( /
! !) E

G!) I/O Manager aRb # ;

. -)

- G )<

lG

@ 5+ . /

Service Control Program `! .!) , 4 V


. / ! 4 . ] 8 ! ! !) V .

. /

Client

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
;
; VirtToPhys.asm - Driver Control Program for VirtToPhys driver
;
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
.386
.model flat, stdcall
option casemap:none
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
;
; I N C L U D E   F I L E S
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib


include \masm32\include\winioctl.inc
include \masm32\Macros\Strings.mac
include common.inc
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
;
; C O D E
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
.code
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
;
; BigNumToString
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
BigNumToString proc uNum:UINT, pszBuf:LPSTR
; This function accepts a number and converts it to a
; string, inserting commas where appropriate.
local acNum[32]:CHAR
local nf:NUMBERFMT
invoke wsprintf, addr acNum, $CTA0("%u"), uNum
and nf.NumDigits, 0
and nf.LeadingZero, FALSE
mov nf.Grouping, 3
mov nf.lpDecimalSep, $CTA0(".")
mov nf.lpThousandSep, $CTA0(" ")
and nf.NegativeOrder, 0
invoke GetNumberFormat, LOCALE_USER_DEFAULT,\
0,\
addr acNum,\
addr nf,\
pszBuf,\
32
ret
BigNumToString endp
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:


; start

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
start proc uses esi edi
local hSCManager:HANDLE
local hService:HANDLE
local acModulePath[MAX_PATH]:CHAR
local _ss:SERVICE_STATUS
local hDevice:HANDLE
local adwInBuffer[NUM_DATA_ENTRY]:DWORD
local adwOutBuffer[NUM_DATA_ENTRY]:DWORD
local dwBytesReturned:DWORD
local acBuffer[256+64]:CHAR
local acThis[64]:CHAR
local acKernel[64]:CHAR
local acUser[64]:CHAR
local acAdvapi[64]:CHAR
local acNumber[32]:CHAR
invoke OpenSCManager, NULL, NULL, SC_MANAGER_ALL_ACCESS
.if eax != NULL
mov hSCManager, eax
push eax
invoke GetFullPathName, $CTA0("VirtToPhys.sys"), \
sizeof acModulePath,\
addr acModulePath,\
esp
pop eax
invoke CreateService, hSCManager,\
        $CTA0("VirtToPhys"),\
        $CTA0("Virtual To Physical Address Converter"),\
        SERVICE_START + SERVICE_STOP + DELETE,\
        SERVICE_KERNEL_DRIVER,\
        SERVICE_DEMAND_START,\
        SERVICE_ERROR_IGNORE,\
        addr acModulePath,\
        NULL,\
        NULL,\
        NULL,\
        NULL,\
        NULL
.if eax != NULL


        mov hService, eax
        ; Driver's DriverEntry procedure will be called
        invoke StartService, hService, 0, NULL
        .if eax != 0
            ; Driver will receive I/O request packet (IRP) of type IRP_MJ_CREATE
            invoke CreateFile, $CTA0("\\\\.\\slVirtToPhys"),\
                    GENERIC_READ + GENERIC_WRITE,\
                    0,\
                    NULL,\
                    OPEN_EXISTING,\
                    0,\
                    NULL
            .if eax != INVALID_HANDLE_VALUE
                mov hDevice, eax
                lea esi, adwInBuffer
                assume esi:ptr DWORD
                invoke GetModuleHandle, NULL
                mov [esi][0*(sizeof DWORD)], eax
                invoke GetModuleHandle, $CTA0("kernel32.dll", szKernel32)
                mov [esi][1*(sizeof DWORD)], eax
                invoke GetModuleHandle, $CTA0("user32.dll", szUser32)
                mov [esi][2*(sizeof DWORD)], eax
                invoke GetModuleHandle, $CTA0("advapi32.dll", szAdvapi32)
                mov [esi][3*(sizeof DWORD)], eax
                lea edi, adwOutBuffer
                assume edi:ptr DWORD
                ; Driver will receive IRP of type IRP_MJ_DEVICE_CONTROL
                invoke DeviceIoControl, hDevice,\
                        IOCTL_GET_PHYS_ADDRESS,\
                        esi,\
                        sizeof adwInBuffer,\
                        edi,\
                        sizeof adwOutBuffer,\
                        addr dwBytesReturned,\
                        NULL
                .if ( eax != 0 ) && ( dwBytesReturned != 0 )
                    invoke GetModuleFileName, [esi][0*(sizeof DWORD)],\
                            addr acModulePath,\
                            sizeof acModulePath
                    lea ecx, acModulePath[eax-5]
                    .repeat
                        dec ecx
                        mov al, [ecx]
                    .until al == '\'
                    inc ecx
                    push ecx
                    CTA0 "%s \t%08Xh\t%08Xh ( %s )\n", szFmtMod
                    invoke BigNumToString, [edi][0*(sizeof DWORD)], addr acNumber
                    pop ecx
                    invoke wsprintf, addr acThis,\
                            addr szFmtMod,\
                            ecx,\
                            [esi][0*(sizeof DWORD)],\
                            [edi][0*(sizeof DWORD)],\
                            addr acNumber
                    invoke BigNumToString, [edi][1*(sizeof DWORD)], addr acNumber
                    invoke wsprintf, addr acKernel,\
                            addr szFmtMod,\
                            addr szKernel32,\
                            [esi][1*(sizeof DWORD)],\
                            [edi][1*(sizeof DWORD)],\
                            addr acNumber
                    invoke BigNumToString, [edi][2*(sizeof DWORD)], addr acNumber
                    invoke wsprintf, addr acUser,\
                            addr szFmtMod,\
                            addr szUser32,\
                            [esi][2*(sizeof DWORD)],\
                            [edi][2*(sizeof DWORD)],\
                            addr acNumber
                    invoke BigNumToString, [edi][3*(sizeof DWORD)], addr acNumber
                    invoke wsprintf, addr acAdvapi,\
                            addr szFmtMod,\
                            addr szAdvapi32,\
                            [esi][3*(sizeof DWORD)],\
                            [edi][3*(sizeof DWORD)],\
                            addr acNumber
                    invoke wsprintf, addr acBuffer,\
                            $CTA0("Module:\t\tVirtual:\t\tPhysical:\n\n%s\n%s%s%s"),\
                            addr acThis,\
                            addr acKernel,\
                            addr acUser,\
                            addr acAdvapi
                    assume esi:nothing
                    assume edi:nothing
                    invoke MessageBox, NULL,\
                            addr acBuffer,\
                            $CTA0("Modules Base Address"),\
                            MB_OK + MB_ICONINFORMATION
                .else
                    invoke MessageBox, NULL,\
                            $CTA0("Can't send control code to device."),\
                            NULL,\
                            MB_OK + MB_ICONSTOP
                .endif
                ; Driver will receive IRP of type IRP_MJ_CLOSE
                invoke CloseHandle, hDevice
            .else
                invoke MessageBox, NULL,\
                        $CTA0("Device is not present."),\
                        NULL,\
                        MB_ICONSTOP
            .endif
            ; DriverUnload proc in our driver will be called
            invoke ControlService, hService, SERVICE_CONTROL_STOP, addr _ss
        .else
            invoke MessageBox, NULL,\
                    $CTA0("Can't start driver."),\
                    NULL,\
                    MB_OK + MB_ICONSTOP
        .endif
        invoke DeleteService, hService
        invoke CloseServiceHandle, hService
    .else
        invoke MessageBox, NULL,\
                $CTA0("Can't register driver."),\
                NULL,\
                MB_OK + MB_ICONSTOP
    .endif
    invoke CloseServiceHandle, hSCManager
.else
    invoke MessageBox, NULL,\
            $CTA0("Can't connect to Service Control Manager."),\
            NULL,\
            MB_OK + MB_ICONSTOP
.endif
invoke ExitProcess, 0
start endp


:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:
;
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;
:

end start

G # d- Rb
(! ,

)! ) ) 6 Rb !)

/m 5.

0T

P# ` - 3
Windows J

..

. )

)< X

8 !

. Dialog Box

Object Manager %

. . / () *

) 3/

<

! 01 .

;.

P# !) Device

O# k aR) / _ T a) < Q

)
` -3

aVirToPhys ! !)

! 4 Object Manager %

R) / Q 8 )

DeviceIoControl , CreateFile 5.

. Device

Object Manager .) 1

-! ".

*1 ' C,U

1!b R U . ! Device (Handle)

) GR

) < "devVirToPhys" %

% .)

a & . / !) (

CloseHandle

-.
.

6 J

! of Object Manager +

Object Viewer

/ 6 ! VirToPhys ) G

P# !) devVirToPhysdevice X

Object Explorer
D / !) VirToPhys


devVirtToPhys device

' B FG

) >)
.

Object manager %

# 1 ! 4 \Driver

!) VirtToPhys ! !)

P# !) VirToPhys ! !)

<

Symbolic Link Object

"6

. -G

J,- .

Device % q U !) .
= "\??" JG

A. 4 Win32

() *

- R o T .! /

. ob

\Device G

DefineDosDevice
G
JG

!)

) /

T%

Object Manager %

P# !)
.) !

" devVirtToPhys"

W "\??" .

() *

) A. 4
V ,

1 uT V

. /

8 . /

T 1)

! -

(!
. !

CU . / ) . "\DosDevices"

6 AK
01

-! !)

.a

< 6 .! /

"\??"

. " slVirtToPhys" %

)< Q

!)

G Device Handle a S

QueryDosDevice 5.

!)

. Symbolic Link

. -! !) uT .

/ ) < "\??" JG

V % Windows NT !) {c84 . -)

!) 8* v

V !) -

!) Device Object . /

I/O Manager a /

Rb

- G

- /

CG ) %

P# !) l G JG

Device CG ) ;4 %

- Device

Device Object . ! .! /

. Device

"\??" " \BaseNamedObjects"

.) 1 ! 4 Object Manager
.

Win32

8 3T

. .) 1 ! 4

R ,- . / )! ) ) 6 "\DosDevices"
. Symbolic Link

.) . - G " \Device\devVirtToPhys" J ! Rb !

. /

VirToPhys ! !)

) < "\??" JG

!) Device


:d ! )


Start Service 5.

! G

uT

"\Driver\VirtToPhys"f driver -1
" \Device\devVirtToPhys"f Device -2
" \??\slVirtToPhys"f Symbolic Link -3

> i <
O )!
d !)
. <

-Q ! d - G
(A #
!)

! !)

) (! , ) File Handle
& >!

. 5. V h S

;. d ) 1
.!/V
.d /

.d /

G # Rb

) < CreateFile 5.
.d /

CreateFile proto stdcall lpFileName:LPCSTR,\
                         dwDesiredAccess:DWORD,\
                         dwShareMode:DWORD,\
                         lpSecurityAttributes:LPVOID,\
                         dwCreationDistribution:DWORD,\
                         dwFlagsAndAttributes:DWORD,\
                         hTemplateFile:HANDLE

.) GA # / .Q=

*/

)!

() *

!) G
. /

- , 4hS

A #

! . o

. !
.

. /
!

) < {c84 /

# 1 O !)

Device %

/ ! C #

(!

!V . /

d-

)< !X

.R U .

"

*B . %

J !

(!

- Device / , ! /
. : lpFileName

Device Object . Symbolic Link . /


g 3 ! Device .

) . , 4 V !) . /

d- 5. V

g 3 )

.! 4

) E : dwDesiredAccess
:d ! )

Device

O )!

() )

-)

lFG ! R

) : GENERIC_READ

.)
Device !)

() )

-)

! .

-R) /

. ' C,U

! ) ) G Device V

g 3 ! Device V

. /
. Device

v/

V .)

O )!

. f f[ : dwShareMode

01 _
01 _

01 _

) : GENERIC_WRITE

lFG ! V

, Device : 0

- G 6
: / () *

V !)

R) / . ' C,U d

)R

G!) 1 : FILE_SHARE_READ

.
' C,U d

) Device

) 6 % U
.

- G%<

SECURITY_ATTRIBUTES )! /! . 1(!
.d -)

! 4 Null ! !

) 6 '! B !) / /

.) . - G 0 !

V . /

g 3 !

. OPEN_EXISTING 3 ,-

G!) 1 : FILE_SHARE_WRITE

! . V
.

f-.

- G%<

.!

1)
C,U E

R) / .

: lpSecurityAttributes
.d!

B G : *= /

: dwCreationDistribution

V - Device )!

g 3 ! ' B FG

!) .)

%<

.A #

-d[ T : dwFlagsAndAttributes

V - Device

. . -)


lFG f A # .

: hTemplateFile

) (! ,

. Null 3 ,-

.
Device .

) (! , a -) % <

. ! ) G ' C,U CreateFile 5.

. ! INVALID_HANDLE_VALUE !
.d /

'! B V

n !)

! B !)

) 1

. ! O )!

'! B . ! CreateFile 5. . ) 1 - G

G #

invoke CreateFile, $CTA0("\\\\.\\slVirtToPhys"),\
        GENERIC_READ + GENERIC_WRITE,\
        0,\
        NULL,\
        OPEN_EXISTING,\
        0,\
        NULL

GENERIC_READ v /
d-

% )

Ck

Win32

2EH *4 A,; !
.

. 1(!

D /

Y >
)

k 80x86

System

GENERIC_WRITE
# !) Device

!) Sysenter

-A,; !
6

!Q

NT

) R U . -A,; !

)V

zU . -A,; !

O !)

. ' C,U

G!) '! B . b

- Device . ! . IRP

! . ' C,U R U . ! I/O

< A #
.+

()

I/O Manager
.

( /
,U zU .

) 1 . ! !

- b #

CreateFile 5.

Q 6 !) A # X

)V

.
6

G!) % , A U d

/ !
(

! !) . ^ ) T o6

-(! ,

BcG V . /

! '! B . )

Object Manager a -) % < ! ) G ' C,U


)<

G!) Y >

!)

- hi !) Service

.)
!) .) 1

k Posix

2000

/Q

Uc>

System Service

/ Q ! .)

XP

"\\.\slVirtToPhys"

J - . ) ! Ak

uT u

! . .! / hi !)

! T 5 !) " [ ,-

R [

! T .d /

A Ud

- CPU

! Gb

"\\.\" Win32 !) .

G # 2003

.)

.!;

-d

) 6

*. Device . ! ' Uc> ,- / d ! )

. Symbolic Link %

!T +#

G!) ! !) <

A 8

G /
A84 .

< A #

-() ) C/ .)
.

< A #

b () / ) < IRP_MJ_CREATE E
. ! !) (

2 ; Q ! / ! B !)

. (Handle)

) (! ,

31 . !
%

R U .

P# !)

Process Explorer J


)) 1
6 X
.


.vU . E

G #

)<

V [R )

<
.)



) (! , V

( ) 1 . CreateFile 5.

. .) 1 , ! 4 Object Manager
. / () *

File Object

File object properties


2 Device / W B-) () ] /
.if eax != INVALID_HANDLE_VALUE
mov hDevice, eax

( Gm hDevice
V

!)

b a ) 1 . !

. DeviceIoControl

. ]8!

! 4 .

8;

WriteFile aReadFile 5.

() *

( -3

b2 ; pTa

DeviceIoControl proto stdcall hDevice:HANDLE,\
                              dwIoControlCode:DWORD,\
                              lpInBuffer:LPVOID,\
                              nInBufferSize:DWORD,\
                              lpOutBuffer:LPVOID,\
                              nOutBufferSize:DWORD,\
                              lpBytesReturned:LPVOID,\
                              lpOverlapped:LPVOID

! ob

.d

CreateFile

) !) / ) 0T

Q = .d /

3.

- Device

!) .

! T DeviceIoControl 5.

.) ) d - G ! 4
. Device .
.)
V .

' C,U % <

dwIoControlCode

%<

C,U [ -)
)!

!T +

' Uc>

Rb . lpInBuffer +

g 3

) (! , : hDevice

# . . 1(!

: lPInBuffer

. Null

g 3 ' C,U /

! .

/ / : dwIoControlCode

R3 /

.
(!

DeviceIoControl 5. .d / ! 4 . ] 8 ! Device

,U 5.

. /

)!

CreateFile 5.

) (! ,

!T
) ! `) ) - .

. . ! #. (

: nInBuffer Size
.)

dwIoControlCode (
+

g 3 ' C,U 6 G

g 3 ' C,U /

. Null

-() ) /

# . . 1(!
!T V

: lpOutBuffer
. /

# !) !

6 G `) ) - dwIoControlCode

. /
.)




. v = . ! lpoutBuffer # . (

g 3

( Gm # . !) / !


-() ) (

. 1(!

: nOutBufferSize
: lpBytesReturned
. /

Q / .

. )! /! V . Overlapped )! /! . 1(!

,/

DeviceIoControl 5.

! 4 Null ! !

< !) .d -)

. 31 -

V .
.

5.

dwIoControlCode R

O )!
+

- / . # 1 O !)
/ ' C,U R

5.

1!b .

1!b V .

. 32 ) U

)!

! 4 Ntddk.inc Winioctl.inc

;.

/ /. /

-A # !)

@ 5(2 5
! Device Driver

R U .R

# 1!/ .! O V

O )!

b ' C,U

R T . ! !) Q ! /

- G ()
(

: IpOerverlapped

I/O
I/O

# !)

V;

. DeviceIoControl

g 3 ! Rb

f f[

2 ; CTL_CODE

/ V )

/
.)! )

I/O Control Code 6 G

/
#

Device E

. 16 V .

0-7FFFH

6E

R 1 -) ;

/
-! !)

V),

Device E
)

.] .

g 3

o
/

. () b 8000H-0FFFH

. 16 : Device Type
() T !
)

/ ' C,U
(

\include\w2k\ntddk.inc A # !) .

-' 8e

6 V !) .

. /

- #
d-

/ (

! ! )

.d /

() *

! !
-

R ,- -V . . . ! FILE_DEVICE_XXX
FILE_DEVICE_UNKNOWN !
. / 2 ; f ) FILE_DEVICE_XXX


! ( /() *

. / d !) V ,


)!

)t i

= ! o[ .

. ) p . V : Access

. )V .

A 3

. )

p .V

<b

. /

.d ) T
(

G!) ' C,U ! !)


. -)

= V !) .

Device ! !)

) hi

. .

) hi

.)

6 . 6 Device
%<

) 6

- I/O

B FG

.V ,

= 4 uT

! ! I/O

,U

! 4

O# = !) D/ ' C,U (! .
G #

G!) /

{& ,;

!) d

(! .

=!
. /

VirToPhys ! !) !) .
( -3

() *

^ !a

CTL_CODE MACRO DeviceType:=<0>,\


Function:=<0>,\
Method:=<0>,\

G . / )! b

I/O : METHOD_IN_DIRECT (1)


V {c / (

. /

1d ,F

#.^ !

# . . R) / ! #!

. (4kB) k*B

^ !V

) '! B . ! I/O

-) A 3

g 3 ( ) _!

! ob

) G

-! !)

() *

. #

# . I/O : METHOD_BUFFERED (0)

(! .!) d

ob`

Rb

- /

. 2 p . V : Method

! . )!

.d

#. ^ !

. )p . )V R [. /

.(

. 800H-0FFH V .

-/

. )V .

.d -)

f f[

) hi V .

. 12 p . V : Function

g 3

# . . I/O manager ! #! f f[

Device . O# = # .

O# = # . V . ! ' Uc> Device ! !)

.
. / !

! ' Uc>

) hi : FILE_WRITE_ACCESS

..

C,U [ { 4) / /

0-7FFH V .

G # -+

) hi : FILE-READ_ACCESS or FILE_WRITE-ACCESS

G
. /

O# = # . . Device

. /
.

: FILE_READ_ACCESS

) hi

. /
! ' Uc> ! !)

) (! ,

obR .

3 . : FILE_ANY_ACCESS

) hi V

b Device .

% < ! )! )

V ;

I/O ^ !
/ /

!) . / () *

,/

[ /
.

[ / #.

, .d /
CTL_CODE

() *
/


CTL_CODE MACRO DeviceType:=<0>, Function:=<0>, Method:=<0>, Access:=<0>
    EXITM %(((DeviceType) SHL 16) OR ((Access) SHL 14) OR ((Function) SHL 2) OR (Method))
ENDM

() ) ! 4 Winioctl. A # !) CTL_CODE

/ d *1 {c84 / ! >R ,-

NUM_DATA_ENTRY          equ 4
DATA_SIZE               equ (sizeof DWORD) * NUM_DATA_ENTRY
IOCTL_GET_PHYS_ADDRESS  equ CTL_CODE(FILE_DEVICE_UNKNOWN, 800h, METHOD_BUFFERED, FILE_READ_ACCESS + FILE_WRITE_ACCESS)
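The CTL_CODE layout (device type in bits 16-31, access in bits 14-15, function in bits 2-13, method in bits 0-1) is what a reviewer decodes when a control code turns up in a client like the one above or in a driver's IRP_MJ_DEVICE_CONTROL dispatch routine. The following is an added example written for this page, not code from the book or from the VirtToPhys project: it encodes a code the same way the macro does, decodes one back into its fields, recomputes the page's IOCTL_GET_PHYS_ADDRESS, and applies two review heuristics. The FILE_DEVICE_UNKNOWN, METHOD_* and FILE_*_ACCESS values are the standard winioctl.h constants; METHOD_OUT_DIRECT and METHOD_NEITHER are standard values not listed on this page, and the `ctl_code`, `decode_ioctl` and `ioctl_*` names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard winioctl.h values (the page's own definition uses the first,
   second, sixth and seventh of these). */
#define FILE_DEVICE_UNKNOWN 0x22u
#define METHOD_BUFFERED     0u
#define METHOD_IN_DIRECT    1u
#define METHOD_OUT_DIRECT   2u
#define METHOD_NEITHER      3u
#define FILE_ANY_ACCESS     0u
#define FILE_READ_ACCESS    1u
#define FILE_WRITE_ACCESS   2u

/* Same bit layout as CTL_CODE: type<<16 | access<<14 | function<<2 | method */
uint32_t ctl_code(uint32_t device_type, uint32_t function,
                  uint32_t method, uint32_t access) {
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

typedef struct {
    uint32_t device_type;   /* 16 bits */
    uint32_t access;        /*  2 bits */
    uint32_t function;      /* 12 bits */
    uint32_t method;        /*  2 bits */
} ioctl_fields;

/* Inverse of ctl_code: split a control code into its four fields. */
ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Function codes 800h-FFFh and device types 8000h-FFFFh are the ranges
   reserved for third-party drivers, so a code in either range is not one
   of the system's own. */
int ioctl_is_vendor_defined(uint32_t code) {
    ioctl_fields f = decode_ioctl(code);
    return f.function >= 0x800u || f.device_type >= 0x8000u;
}

/* METHOD_NEITHER hands the driver raw user-mode pointers instead of a
   system buffer or MDL, so those handlers need the closest review. */
int ioctl_uses_raw_user_pointers(uint32_t code) {
    return decode_ioctl(code).method == METHOD_NEITHER;
}

/* The page's IOCTL_GET_PHYS_ADDRESS, recomputed from its parts. */
uint32_t ioctl_get_phys_address(void) {
    return ctl_code(FILE_DEVICE_UNKNOWN, 0x800u, METHOD_BUFFERED,
                    FILE_READ_ACCESS + FILE_WRITE_ACCESS);
}

int main(void) {
    uint32_t code = ioctl_get_phys_address();
    ioctl_fields f = decode_ioctl(code);
    printf("IOCTL_GET_PHYS_ADDRESS = %08Xh  type=%02Xh access=%u "
           "function=%03Xh method=%u vendor=%d raw_ptrs=%d\n",
           (unsigned)code, (unsigned)f.device_type, (unsigned)f.access,
           (unsigned)f.function, (unsigned)f.method,
           ioctl_is_vendor_defined(code), ioctl_uses_raw_user_pointers(code));
    return 0;
}
```

For the page's definition the result is 0022E000h: FILE_DEVICE_UNKNOWN (22h) in the high word, access 3 (read + write) in bits 14-15, function 800h in bits 2-13, and METHOD_BUFFERED in the low two bits.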

2F
.d ) 1

B-

. ! !) / . Q =

lea esi, adwInBuffer
assume esi:ptr DWORD
invoke GetModuleHandle, NULL
mov [esi][0*(sizeof DWORD)], eax
invoke GetModuleHandle, $CTA0("kernel32.dll", szKernel32)
mov [esi][1*(sizeof DWORD)], eax
invoke GetModuleHandle, $CTA0("user32.dll", szUser32)
mov [esi][2*(sizeof DWORD)], eax
invoke GetModuleHandle, $CTA0("advapi32.dll", szAdvapi32)
mov [esi][3*(sizeof DWORD)], eax

.d /

- GA 8 /

lea edi, adwOutBuffer
assume edi:ptr DWORD
invoke DeviceIoControl, hDevice,\
        IOCTL_GET_PHYS_ADDRESS,\
        esi,\
        sizeof adwInBuffer,\
        edi,\
        sizeof adwOutBuffer,\
        addr dwBytesReturned,\
        NULL

< 7!)b . ! adwInBuffer # . 6 V !)

. !

< 7!)b - ! !) .d

! !) . ! # . a DeviceIoControl 5.
. /

A 8

G # .
" # 7!)b

.if ( eax != 0 ) && ( dwBytesReturned != 0 )
    invoke GetModuleFileName, [esi][0*(sizeof DWORD)],\
            addr acModulePath,\
            sizeof acModulePath
    lea ecx, acModulePath[eax-5]
    .repeat
        dec ecx
        mov al, [ecx]
    .until al == '\'
    inc ecx
    push ecx
    CTA0 "%s \t%08Xh\t%08Xh ( %s )\n", szFmtMod
    invoke BigNumToString, [edi][0*(sizeof DWORD)], addr acNumber
    pop ecx
    invoke wsprintf, addr acThis,\
            addr szFmtMod,\
            ecx,\
            [esi][0*(sizeof DWORD)],\
            [edi][0*(sizeof DWORD)],\
            addr acNumber
    invoke BigNumToString, [edi][1*(sizeof DWORD)], addr acNumber
    invoke wsprintf, addr acKernel,\
            addr szFmtMod,\
            addr szKernel32,\
            [esi][1*(sizeof DWORD)],\
            [edi][1*(sizeof DWORD)],\
            addr acNumber
    invoke BigNumToString, [edi][2*(sizeof DWORD)], addr acNumber
    invoke wsprintf, addr acUser,\
            addr szFmtMod,\
            addr szUser32,\
            [esi][2*(sizeof DWORD)],\
            [edi][2*(sizeof DWORD)],\
            addr acNumber
    invoke BigNumToString, [edi][3*(sizeof DWORD)], addr acNumber
    invoke wsprintf, addr acAdvapi,\
            addr szFmtMod,\
            addr szAdvapi32,\
            [esi][3*(sizeof DWORD)],\
            [edi][3*(sizeof DWORD)],\
            addr acNumber
    invoke wsprintf, addr acBuffer,\
            $CTA0("Module:\t\tVirtual:\t\tPhysical:\n\n%s\n%s%s%s"),\
            addr acThis,\
            addr acKernel,\
            addr acUser,\
            addr acAdvapi
    assume esi:nothing
    assume edi:nothing
    invoke MessageBox, NULL,\
            addr acBuffer,\
            $CTA0("Modules Base Address"),\
            MB_OK + MB_ICONINFORMATION
.else
    invoke MessageBox, NULL,\
            $CTA0("Can't send control code to device."),\
            NULL,\
            MB_OK + MB_ICONSTOP
.endif

) ; . . . dwBytesReturned
-)!
.

() /

! !) +
.

# !( b

W !

a 31 .

V .)! ) ! 4 adwOutBuffer
. () )

.Q=.

()

. DeviceIoControl 5.
W

!) /

! / ;. . 6 V

1
.

.)

.d -) R 3 .! /


VirToPhys.exe

. 6 G

invoke CloseHandle, hDevice

When the handle is closed, the I/O Manager sends the device an IRP_MJ_CLEANUP request followed by an IRP_MJ_CLOSE request.

80x86

Instruction encoding fields: w = 0 selects an 8-bit operand, w = 1 a 16-bit operand; reg selects the register; disp is the displacement; addr-low / addr-high hold a direct address; data-low / data-high hold immediate data.

Instructions introduced with the 80286: ARPL, BOUND, CLTS, ENTER, LAR, LEAVE, LGDT, LIDT, LLDT, LMSW, LSL, LTR, SGDT, SIDT, SLDT, SMSW, STR, VERR, VERW

Instructions introduced with the 80486: BSWAP, INVD, WBINVD, INVLPG

Flags: AF, CF, DF, IF, ZF, SF, PF, OF
AAA (ASCII adjust after addition)
    AAA
AAD (ASCII adjust before division)
    AAD
AAM (ASCII adjust after multiplication)
    AAM
AAS (ASCII adjust after subtraction)
    AAS

ADC (see also SBB)
    ADC register/memory, register/memory/immediate
ADD
    ADD register/memory, register/memory/immediate
AND (see also OR, XOR, TEST)
    AND register/memory, register/memory/immediate
BSF/BSR (80386)
    BSF/BSR register, register/memory

BT/BTC/BTR/BTS (80386)
    BT/BTC/BTR/BTS register/memory, register/immediate

CALL (NEAR or FAR; the matching returns are RETN and RETF)
    CALL register/memory

CBW (see also CWD, CWDE, CDQ)
    CBW
CDQ (80386; see also CBW, CWD, CWDE)
    CDQ
CLC (see also STC)
    CLC
CLD (see also STD)
    CLD
CLI (see also STI)
    CLI
CMC
    CMC
CMP (see also CMPS)
    CMP register/memory, register/memory/immediate

CMPS/CMPSB/CMPSW/CMPSD (CMPSD: 80386; used with REPE/REPNE)
    [REPnn] CMPSB/CMPSW/CMPSD
CMPXCHG (80386)
    CMPXCHG register/memory, AL/AX/EAX
CMPXCHG8B
    CMPXCHG8B register/memory

CWD (see also CBW, CWDE, CDQ)
    CWD
CWDE (80386; see also CBW, CWD, CDQ)
    CWDE
DAA (see also DAS)
    DAA
DAS (see also DAA)
    DAS
DEC (see also INC)
    DEC register/memory
DIV (see also IDIV)
    DIV register/memory
ESC
    ESC immediate, register/memory
HLT
    HLT
IDIV (see also DIV)
    IDIV register/memory
IMUL (see also MUL)
    IMUL register/memory
IN (see also OUT, INS)
    IN AL/AX, port#/DX
INC (see also DEC)
    INC register/memory
INS/INSB/INSW/INSD (80286; see also IN, OUTS)
    [REP] INSB/INSW/INSD


INT
    INT number
INTO (see also INT)
    INTO
IRET/IRETD (IRETD: 80386)
    IRET
Jcondition
    Jcondition label

JCXZ/JECXZ (JECXZ: 80386)
    JCXZ/JECXZ label
JMP
    JMP register/memory
LAHF (see also SAHF)
    LAHF

LDS/LES/LFS/LGS/LSS (LFS, LGS, LSS: 80386)
    LDS/LES/LFS/LGS/LSS register, memory
LEA
    LEA register, memory
LES/LFS/LGS: see LDS
LOCK
    LOCK instruction
LODS/LODSB/LODSW/LODSD (LODSD: 80386)
    LODSB/LODSW/LODSD
LOOP/LOOPW/LOOPD (LOOPD: 80386)
    LOOPnn label
LOOPE/LOOPZ/LOOPEW/LOOPZW/LOOPED/LOOPZD (see also LOOPNE/LOOPNZ)
    LOOPnn label
LOOPNE/LOOPNZ/LOOPNEW/LOOPNZW (see also LOOPE/LOOPZ)
    LOOPNE/LOOPNZ label

MOV (see also MOVS, MOVSX/MOVZX)
    MOV register/memory, register/memory/immediate
MOVS/MOVSB/MOVSW/MOVSD (MOVSD: 80386)
    [REP] MOVSB/MOVSW/MOVSD
MOVSX/MOVZX (80386)
    MOVSX/MOVZX register/memory, register/memory/immediate
MUL (see also IMUL)
    MUL register/memory

    Size    Multiplicand (Operand 1)   Multiplier (Operand 2)    Product    Example
    8-bit   AL                         8-bit register/memory     AX         MUL BL
    16-bit  AX                         16-bit register/memory    DX:AX      MUL BX
    32-bit  EAX                        32-bit register/memory    EDX:EAX    MUL ECX

NEG (see also NOT)
    NEG register/memory
NOP (equivalent to XCHG AX, AX)
    NOP
NOT (see also NEG)
    NOT register/memory
OR (see also AND, XOR)
    OR register/memory, register/memory/immediate

OUT (see also OUTS, IN)
    OUT port#, AL/AX
    OUT DX, AL/AX
OUTS/OUTSB/OUTSW/OUTSD (80286; see also OUT, INS)
    [REP] OUTSB/OUTSW/OUTSD
POP (see also PUSH)
    POP register/memory
POPA (80286) / POPAD (80386) (see also PUSHA/PUSHAD)
    POPA/POPAD
POPF/POPFD (POPFD: 80386)
    POPF/POPFD
PUSH (see also POP, PUSHF)
    PUSH register/memory
    PUSH immediate
PUSHA (80286) / PUSHAD (80386) (see also POPA/POPAD)
    PUSHA/PUSHAD

PUSHF/PUSHFD (PUSHFD: 80386; see also POPF, PUSH)
    PUSHF/PUSHFD
RCL/RCR (see also ROL, ROR)
    RCL/RCR register/memory, CL/immediate
REP (used with MOVS, STOS, INS, OUTS)
    REP string-instruction
REPE/REPZ/REPNE/REPNZ (used with CMPS, SCAS)
    REPNE/REPNZ: 1110010
    REPE/REPZ:   1110011
RET/RETN/RETF (see also CALL, POP)
    RET/RETN/RETF [pop-value]
ROL/ROR (see also RCL, RCR)
    ROL/ROR register/memory, CL/immediate

SAHF (see also LAHF)
    SAHF
SAL/SAR (SAL is the same operation as SHL)
    SAL/SAR register/memory, CL/immediate
SBB (see also ADC, SUB)
    SBB register/memory, register/memory/immediate

SCAS/SCASB/SCASW/SCASD (SCASD: 80386; used with REPE/REPNE)
    [REPnn] SCASB/SCASW/SCASD
SETnn (80386)
    SETnn register/memory
    Example:
        CMP  AX, BX
        SETE CL

SHL/SHR
    SHL/SHR register/memory, CL/immediate
SHLD/SHRD (80386)
    SHLD/SHRD register/memory, register, CL/immediate

STC (see also CLC)
    STC
STD (see also CLD)
    STD
STOS/STOSB/STOSW/STOSD (STOSD: 80386)
    [REP] STOSB/STOSW/STOSD

SUB (see also SBB)
    SUB register/memory, register/memory/immediate
TEST (see also AND)
    TEST register/memory, register/memory/immediate
WAIT
    WAIT
XADD (80486)
    XADD register/memory, register

XCHG
    XCHG register/memory, register/memory
XLAT/XLATB (translates AL through a table at BX, or at EBX with 32-bit addressing; e.g. EBCDIC to ASCII)
    XLAT
XOR (see also OR, AND)
    XOR register/memory, register/memory/immediate