I found a Win32 Program Disassembler tool online and used it to disassemble a small program:
#include <stdio.h>
int main(){
    int a=0;
    while(a>-1)
        printf("%d\n",a++);   /* print a, then increment it */
    return 0;
}
It turns out the program loads two DLL files:
+++++++++++++++++++ IMPORTED FUNCTIONS +++++++++++++++++++
Number of Imported Modules = 2 (decimal)
Import Module 001: KERNEL32.dll
Import Module 002: msvcrt.dll
+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++++
Import Module 001: KERNEL32.dll
Addr:00005104 hint(0001) Name: AddAtomA
Addr:00005110 hint(009B) Name: ExitProcess
Addr:00005120 hint(00AF) Name: FindAtomA
Addr:0000512C hint(00DC) Name: GetAtomNameA
Addr:0000513C hint(02DF) Name: SetUnhandledExceptionFilter
Import Module 002: msvcrt.dll
Addr:0000515C hint(0027) Name: __getmainargs
Addr:0000516C hint(003C) Name: __p__environ
Addr:0000517C hint(003E) Name: __p__fmode
Addr:0000518C hint(0050) Name: __set_app_type
Addr:000051A0 hint(0079) Name: _cexit
Addr:000051AC hint(00E9) Name: _iob
Addr:000051B4 hint(015E) Name: _onexit
Addr:000051C0 hint(0184) Name: _setmode
Addr:000051CC hint(0215) Name: abort
Addr:000051D4 hint(021C) Name: atexit
Addr:000051E0 hint(0230) Name: fflush
Addr:000051EC hint(0239) Name: fprintf
Addr:000051F8 hint(023F) Name: free
Addr:00005200 hint(0272) Name: malloc
Addr:0000520C hint(027F) Name: printf
Addr:00005218 hint(0290) Name: signal
It looks like these are the system calls provided by the OS, including memory allocation and some I/O functions. I also found the code fragment containing the while loop:
:004012B0 895C2404 mov dword[esp+04], ebx
:004012B4 43 inc ebx
:004012B5 C7042400304000 mov dword[esp], 00403000
(StringData)"%d "
:004012BC E83F050000 call 00401800
;;call msvcrt.printf
:004012C1 83FBFF cmp ebx, -00000001
:004012C4 7FEA jg 004012B0
You can use UltraEdit to change the instruction at 004012C4 to nop; the program then falls out of the loop and exits.
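As an added example (not part of the original post), the Python below decodes the loop bytes from the listing above, computes the branch targets the disassembler printed, and traces control flow before and after the nop patch. The byte string is constructed from the listing, and the trace only models the opcodes that appear in these six instructions (plus nop).

```python
import struct

BASE = 0x004012B0
# Constructed from the listing above: the six loop instructions, back to back.
LOOP = bytes.fromhex(
    "895C2404"         # 004012B0  mov [esp+4], ebx   (printf argument = a)
    "43"               # 004012B4  inc ebx            (a++)
    "C7042400304000"   # 004012B5  mov dword [esp], 0x403000  (format string)
    "E83F050000"       # 004012BC  call 0x401800      (printf)
    "83FBFF"           # 004012C1  cmp ebx, -1
    "7FEA"             # 004012C4  jg 0x4012B0        (loop while a > -1)
)

def branch_target(addr, code=LOOP):
    """Absolute target of the relative call/jump that starts at `addr`."""
    off = addr - BASE
    op = code[off]
    if op == 0xE8:                                   # call rel32
        return addr + 5 + struct.unpack_from("<i", code, off + 1)[0]
    if 0x70 <= op <= 0x7F:                           # Jcc rel8 (0x7F = jg)
        return addr + 2 + struct.unpack_from("<b", code, off + 1)[0]
    raise ValueError(f"no relative branch at {addr:08X}")

def nop_out(addr, length, code=LOOP):
    """Copy of `code` with `length` bytes at `addr` replaced by 0x90 (nop)."""
    off = addr - BASE
    return code[:off] + b"\x90" * length + code[off + length:]

def trace(code, max_steps=1000):
    """Step through the loop and return the values passed to printf.

    Only the opcodes present in LOOP (plus nop) are modelled, which is
    enough to compare the original and the patched control flow."""
    ebx, arg, pc, printed, steps = 0, 0, BASE, [], 0
    while BASE <= pc < BASE + len(code) and steps < max_steps:
        op = code[pc - BASE]
        steps += 1
        if op == 0x89:   arg = ebx; pc += 4          # mov [esp+4], ebx
        elif op == 0x43: ebx += 1;  pc += 1          # inc ebx
        elif op == 0xC7: pc += 7                     # mov [esp], imm32
        elif op == 0xE8: printed.append(arg); pc += 5  # call printf
        elif op == 0x83: pc += 3                     # cmp ebx, -1 (signed compare)
        elif op == 0x7F: pc = branch_target(pc, code) if ebx > -1 else pc + 2  # jg
        elif op == 0x90: pc += 1                     # nop (after patching)
        else: raise ValueError(f"unhandled opcode {op:02X} at {pc:08X}")
    return printed

if __name__ == "__main__":
    print(hex(branch_target(0x4012C4)))              # 0x4012b0
    print(trace(LOOP)[:5])                            # [0, 1, 2, 3, 4]
    print(trace(nop_out(0x4012C4, 2)))                # [0]: one pass, then falls out
```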