sourceforge上pyXML0.84只能支援到python2.4,之後沒有更新。搜尋網上,這位仁兄提供了適合python2.7的pyXML0.84 http://www.somethinkodd.com/oddthinking/2009/10/31/windows-installer-for-pyxml-0-8-4-for-python-2-6-x/
下載執行,提示“Python version 2.7 required, which was not found in the registry”。可是我明明已經安裝過Python 2.7了(我安裝的是ActivePython 2.7)。
沒說的,用OllyDbg開啟PyXML-0.8.4.win32-py2.7.exe進行除錯。開啟和讀取登錄檔所用的API分別是RegOpenKeyEx和RegQueryValueEx,據此定位到相關程式碼,並在函式入口004028ED設定斷點。
安裝程式首先讀取HKEY_LOCAL_MACHINE下的"Software\Python\PythonCore",獲得版本2.7,再用wsprintfA合成字串Software\Python\PythonCore\2.7\InstallPath並讀取,結果讀取失敗。我開啟登錄檔編輯器觀察,相應鍵值明明存在,這才意識到可能是64位Windows下的登錄檔重新導向:從檔名中的win32看,這個安裝程式是32位程式,它對HKEY_LOCAL_MACHINE下Software的存取會被重新導向到Software\Wow6432Node。在Wow6432Node下,Software\Python\PythonCore確實存在2.7項,但是2.7下面沒有InstallPath項。於是在該2.7項下新建InstallPath,並把預設值設定為C:\Python27(我電腦上python2.7的安裝路徑)。重新執行PyXML-0.8.4.win32-py2.7.exe,安裝成功!
檢驗PyXML安裝
>>>import xml
>>>xml.__version__
'0.8.4'
相應彙編碼
; sub_4028ED(arg_0, hKey, arg_8)
;   Opens <hKey>\Software\Python\PythonCore and enumerates its subkeys. For each
;   subkey name (optionally filtered: when arg_8 is a non-NULL, non-empty string
;   the name must compare equal to it) it formats a display string and the path
;   Software\Python\PythonCore\<name>\InstallPath..., opens that key under the same
;   root, reads its default value into a malloc'ed 10Ch-byte record, and sends
;   two window messages (180h, then 19Ah) to the window handle passed in arg_0.
;   Returns 0 if the PythonCore key cannot be opened, otherwise 1.
;
; NOTE(review): both RegOpenKeyExA calls pass samDesired = 20019h (KEY_READ) with
;   neither KEY_WOW64_64KEY (100h) nor KEY_WOW64_32KEY (200h) set, so the caller's
;   default registry view is used. In a 32-bit process on 64-bit Windows that is
;   the Wow6432Node view of HKLM\Software.
; NOTE(review): the two wsprintfA calls write into 50h-byte stack buffers with no
;   destination length, while Name may itself hold up to 4Fh characters; a long
;   subkey name would overrun lParam/SubKey. The cookie kept in var_4 is the only
;   guard visible in this listing.
.text:004028ED; int __cdecl sub_4028ED(int, HKEY hKey, int)
.text:004028EDsub_4028ED proc near ; CODE XREF: .text:00402BDBp
.text:004028ED ;.text:00402BF2p
.text:004028ED
; Stack frame. SubKey (-0F4h), lParam (-0A4h) and Name (-54h) are 50h bytes apart,
; i.e. three consecutive 80-byte buffers; var_4 (-4) holds the cookie.
.text:004028EDcbData = dword ptr -110h
.text:004028EDvar_10C = dword ptr -10Ch
.text:004028EDvar_108 = dword ptr -108h
.text:004028EDhWnd = dword ptr -104h
.text:004028EDcchName = dword ptr -100h
.text:004028EDdwIndex = dword ptr -0FCh
.text:004028EDphkResult = dword ptr -0F8h
.text:004028EDSubKey = byte ptr -0F4h
.text:004028EDlParam = byte ptr -0A4h
.text:004028EDName = byte ptr -54h
.text:004028EDvar_4 = dword ptr -4
.text:004028EDarg_0 = dword ptr 8
.text:004028EDhKey = dword ptr 0Ch
.text:004028EDarg_8 = dword ptr 10h
.text:004028ED
; Prologue: ebp is biased to esp-90h, which is why every frame reference below
; has the form [ebp+90h+name].
.text:004028ED push ebp
.text:004028EE lea ebp,[esp-90h]
.text:004028F5 sub esp,110h
; dword_42F180 xor ebp is stored in var_4 and re-checked before return
; (presumably the compiler's stack security cookie -- confirm against sub_4077A5).
.text:004028FB mov eax,dword_42F180
.text:00402900 xor eax,ebp
.text:00402902 mov [ebp+90h+var_4], eax
.text:00402908 mov eax,[ebp+90h+arg_0]
.text:0040290E push ebx
.text:0040290F lea ecx,[ebp+90h+phkResult]
.text:00402912 push ecx ; phkResult
.text:00402913 push 20019h ; samDesired = KEY_READ, no KEY_WOW64_* view flag
.text:00402918 xor ebx,ebx ; ebx = 0 for the rest of the function (NULL / zero argument)
.text:0040291A push ebx ; ulOptions
.text:0040291B mov [ebp+90h+hWnd], eax ; arg_0 is kept as the target window handle
.text:0040291E mov eax,[ebp+90h+hKey]
.text:00402924 push offset aSoftwarePyth_1 ; "Software\\Python\\PythonCore"
.text:00402929 push eax ; hKey
.text:0040292A mov [ebp+90h+var_10C], eax ; remember the root key for the later InstallPath open
.text:0040292D mov [ebp+90h+dwIndex], ebx ; enumeration index starts at 0
.text:00402930 call ds:RegOpenKeyExA
.text:00402936 test eax,eax
.text:00402938 jz short loc_402941 ; 0 = success, continue
.text:0040293A xor eax,eax ; PythonCore key could not be opened: return 0
.text:0040293C jmp loc_402A7E
.text:00402941; ---------------------------------------------------------------------------
.text:00402941
; First RegEnumKeyExA call (index 0); Name receives the subkey name, cchName = 50h.
.text:00402941loc_402941: ; CODE XREF: sub_4028ED+4Bj
.text:00402941 push ebx ; lpftLastWriteTime
.text:00402942 push ebx ; lpcchClass
.text:00402943 push ebx ; lpClass
.text:00402944 push ebx ; lpReserved
.text:00402945 lea eax,[ebp+90h+cchName]
.text:00402948 push eax ; lpcchName
.text:00402949 lea eax,[ebp+90h+Name]
.text:0040294C push eax ; lpName
.text:0040294D push ebx ; dwIndex
.text:0040294E push [ebp+90h+phkResult] ; hKey
.text:00402951 mov [ebp+90h+cchName], 50h
.text:00402958 call ds:RegEnumKeyExA
.text:0040295E test eax,eax
.text:00402960 jnz loc_402A72 ; no subkeys (or error): close the key and return 1
.text:00402966 push esi
.text:00402967 push edi
.text:00402968 mov edi,ds:SendMessageA ; edi caches the SendMessageA pointer for the loop
.text:0040296E
; Loop body, entered once per enumerated subkey name.
.text:0040296Eloc_40296E: ; CODE XREF: sub_4028ED+17Dj
.text:0040296E mov esi,[ebp+90h+arg_8]
.text:00402974 inc [ebp+90h+dwIndex] ; advance index for the next RegEnumKeyExA call
.text:00402977 mov [ebp+90h+cchName], 50h ; reset the in/out name length
.text:0040297E cmp esi,ebx
.text:00402980 jz short loc_4029B4 ; arg_8 == NULL: no filter
.text:00402982 cmp [esi], bl
.text:00402984 jz short loc_4029B4 ; arg_8 is an empty string: no filter
.text:00402986 lea eax,[ebp+90h+Name]
.text:00402989
; Inline byte-wise string compare of arg_8 (esi) against Name (eax), two bytes
; per iteration; eax ends as 0 when equal, otherwise -1 or 1.
.text:00402989loc_402989: ; CODE XREF: sub_4028ED+B4j
.text:00402989 mov cl,[esi]
.text:0040298B cmp cl,[eax]
.text:0040298D jnz shortloc_4029A7
.text:0040298F cmp cl,bl
.text:00402991 jz short loc_4029A3
.text:00402993 mov cl,[esi+1]
.text:00402996 cmp cl,[eax+1]
.text:00402999 jnz shortloc_4029A7
.text:0040299B inc esi
.text:0040299C inc esi
.text:0040299D inc eax
.text:0040299E inc eax
.text:0040299F cmp cl,bl
.text:004029A1 jnz shortloc_402989
.text:004029A3
.text:004029A3loc_4029A3: ; CODE XREF: sub_4028ED+A4j
.text:004029A3 xor eax,eax
.text:004029A5 jmp shortloc_4029AC
.text:004029A7; ---------------------------------------------------------------------------
.text:004029A7
.text:004029A7loc_4029A7: ; CODE XREF: sub_4028ED+A0j
.text:004029A7 ;sub_4028ED+ACj
.text:004029A7 sbb eax,eax
.text:004029A9 sbb eax,0FFFFFFFFh
.text:004029AC
.text:004029ACloc_4029AC: ; CODE XREF: sub_4028ED+B8j
.text:004029AC cmp eax,ebx
.text:004029AE jnz loc_402A50 ; name differs from arg_8: skip to the next subkey
.text:004029B4
; Build the display text (into lParam) and the InstallPath key path (into SubKey).
; NOTE(review): wsprintfA has no destination-size parameter and both targets are
; 50h bytes; the length of Name is not checked before either call.
.text:004029B4loc_4029B4: ; CODE XREF: sub_4028ED+93j
.text:004029B4 ;sub_4028ED+97j
.text:004029B4 mov esi,ds:wsprintfA
.text:004029BA lea eax,[ebp+90h+Name]
.text:004029BD push eax
.text:004029BE lea eax,[ebp+90h+lParam]
.text:004029C1 push offset aPythonVersionS ; "Python Version %s (found inregistry)"
.text:004029C6 push eax ; LPSTR
.text:004029C7 call esi ;wsprintfA
.text:004029C9 lea eax,[ebp+90h+Name]
.text:004029CC push eax
.text:004029CD lea eax,[ebp+90h+SubKey]
.text:004029D0 push offset aSoftwarePyth_0 ;"Software\\Python\\PythonCore\\%s\\InstallPa"...
.text:004029D5 push eax ; LPSTR
.text:004029D6 call esi ;wsprintfA
.text:004029D8 add esp,18h ; pop the 6 dwords pushed for the two cdecl wsprintfA calls
; Open <root>\Software\Python\PythonCore\<name>\InstallPath... with the same
; KEY_READ mask and the same root key as the first open (same registry view).
.text:004029DB lea eax,[ebp+90h+var_108]
.text:004029DE push eax ; phkResult
.text:004029DF push 20019h ; samDesired = KEY_READ, no KEY_WOW64_* view flag
.text:004029E4 push ebx ; ulOptions
.text:004029E5 lea eax,[ebp+90h+SubKey]
.text:004029E8 push eax ; lpSubKey
.text:004029E9 push [ebp+90h+var_10C] ; hKey
.text:004029EC call ds:RegOpenKeyExA
.text:004029F2 test eax,eax
.text:004029F4 jnz shortloc_402A50 ; key missing or unreadable: this version is silently skipped
; Allocate a 10Ch-byte record: the default value is read to offset 0 (cbData =
; 105h) and the root key handle is stored at offset 108h further down.
.text:004029F6 push 10Ch ; size_t
.text:004029FB call _malloc
.text:00402A00 mov esi,eax
.text:00402A02 pop ecx ; discard the malloc argument
.text:00402A03 mov [ebp+90h+cbData], 105h
.text:00402A0A cmp esi,ebx
.text:00402A0C jz short loc_402A47 ; allocation failed: just close the key
; Read the key's default value (lpValueName = NULL). lpType is NULL, so the
; value type is not checked. NOTE(review): RegQueryValueExA does not guarantee
; NUL termination of string data -- confirm how consumers of the record handle that.
.text:00402A0E lea eax,[ebp+90h+cbData]
.text:00402A11 push eax ; lpcbData
.text:00402A12 push esi ; lpData
.text:00402A13 push ebx ; lpType
.text:00402A14 push ebx ; lpReserved
.text:00402A15 push ebx ; lpValueName
.text:00402A16 push [ebp+90h+var_108] ; hKey
.text:00402A19 call ds:RegQueryValueExA
.text:00402A1F test eax,eax
; NOTE(review): on failure the record in esi is not released on this path (no
; free call is visible between here and the end of the function).
.text:00402A21 jnz shortloc_402A47
; Message 180h carries the formatted text; its return value (eax) becomes the
; wParam of message 19Ah, which carries the record pointer.
.text:00402A23 lea eax,[ebp+90h+lParam]
.text:00402A26 push eax ; lParam
.text:00402A27 push ebx ; wParam
.text:00402A28 push 180h ; Msg (180h is the value of LB_ADDSTRING)
.text:00402A2D push [ebp+90h+hWnd] ; hWnd
.text:00402A30 call edi ;SendMessageA
.text:00402A32 mov ecx,[ebp+90h+var_10C]
.text:00402A35 push esi ; lParam
.text:00402A36 push eax ; wParam
.text:00402A37 push 19Ah ; Msg (19Ah is the value of LB_SETITEMDATA)
.text:00402A3C push [ebp+90h+hWnd] ; hWnd
.text:00402A3F mov [esi+108h], ecx ; record the root key the entry was found under
.text:00402A45 call edi ;SendMessageA
.text:00402A47
.text:00402A47loc_402A47: ; CODE XREF: sub_4028ED+11Fj
.text:00402A47 ;sub_4028ED+134j
.text:00402A47 push [ebp+90h+var_108] ; hKey
.text:00402A4A call ds:RegCloseKey
.text:00402A50
; Fetch the next subkey name; loop while RegEnumKeyExA keeps returning 0.
.text:00402A50loc_402A50: ; CODE XREF: sub_4028ED+C1j
.text:00402A50 ;sub_4028ED+107j
.text:00402A50 push ebx ; lpftLastWriteTime
.text:00402A51 push ebx ; lpcchClass
.text:00402A52 push ebx ; lpClass
.text:00402A53 push ebx ; lpReserved
.text:00402A54 lea eax,[ebp+90h+cchName]
.text:00402A57 push eax ; lpcchName
.text:00402A58 lea eax,[ebp+90h+Name]
.text:00402A5B push eax ; lpName
.text:00402A5C push [ebp+90h+dwIndex] ; dwIndex
.text:00402A5F push [ebp+90h+phkResult] ; hKey
.text:00402A62 call ds:RegEnumKeyExA
.text:00402A68 test eax,eax
.text:00402A6A jz loc_40296E
.text:00402A70 pop edi
.text:00402A71 pop esi
.text:00402A72
; Enumeration finished: close the PythonCore key and return 1, whether or not
; any InstallPath entry was found.
.text:00402A72loc_402A72: ; CODE XREF: sub_4028ED+73j
.text:00402A72 push [ebp+90h+phkResult] ; hKey
.text:00402A75 call ds:RegCloseKey
.text:00402A7B xor eax,eax
.text:00402A7D inc eax
.text:00402A7E
; Epilogue: var_4 xor ebp is handed to sub_4077A5 in ecx before the frame is
; torn down (presumably the stack-cookie check -- confirm).
.text:00402A7Eloc_402A7E: ; CODE XREF: sub_4028ED+4Fj
.text:00402A7E mov ecx,[ebp+90h+var_4]
.text:00402A84 xor ecx,ebp
.text:00402A86 pop ebx
.text:00402A87 call sub_4077A5
.text:00402A8C add ebp,90h ; undo the 90h bias applied in the prologue
.text:00402A92 leave
.text:00402A93 retn
.text:00402A93sub_4028ED endp
.text:00402A93