Let's look at the code of the MessageBoxA function (WinXP SP2):
008F058A > 8BFF MOV EDI,EDI
008F058C /. 55 PUSH EBP
008F058D |. 8BEC MOV EBP,ESP
008F058F |. 833D BC049100>CMP DWORD PTR DS:[9104BC],0
008F0596 |. 74 24 JE SHORT user32_1.008F05BC
008F0598 |. 64:A1 1800000>MOV EAX,DWORD PTR FS:[18]
008F059E |. 6A 00 PUSH 0
008F05A0 |. FF70 24 PUSH DWORD PTR DS:[EAX+24]
008F05A3 |. 68 240B9100 PUSH user32_1.00910B24
008F05A8 |. FF15 C8128B00 CALL DWORD PTR DS:[<&KERNEL32.Interlocke>; kernel32.InterlockedCompareExchange
008F05AE |. 85C0 TEST EAX,EAX
008F05B0 |. 75 0A JNZ SHORT user32_1.008F05BC
008F05B2 |. C705 200B9100>MOV DWORD PTR DS:[910B20],1
008F05BC |> 6A 00 PUSH 0 ; /LanguageID = 0 (LANG_NEUTRAL)
008F05BE |. FF75 14 PUSH DWORD PTR SS:[EBP+14] ; |Style
008F05C1 |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |Title
008F05C4 |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; |Text
008F05C7 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
008F05CA |. E8 2D000000 CALL user32_1.MessageBoxExA ; \MessageBoxExA
008F05CF |. 5D POP EBP
008F05D0 \. C2 1000 RETN 10
From the final RETN 10H we can tell that the function takes four parameters (16 bytes of stdcall arguments popped by the callee). This can be determined dynamically inside a program; KsSuperSword uses exactly this method.
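The argument-count trick described above, as an added example in C that is not part of the original post or of KsSuperSword. The byte array is constructed from the listing (the 73 bytes from MOV EDI,EDI through RETN 10), and the function `stdcall_arg_count` is a hypothetical name. It only trusts a 0xC2 byte that directly follows POP EBP or LEAVE, so a 0xC2 inside an immediate or displacement is not mistaken for the epilogue; a real disassembler would be needed to handle functions whose epilogue is not shaped that way.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed from the listing above: the body of MessageBoxA (WinXP SP2),
 * 008F058A..008F05D2, from MOV EDI,EDI through RETN 10. */
static const uint8_t messageboxa_bytes[] = {
    0x8B, 0xFF,                                     /* MOV EDI,EDI            */
    0x55,                                           /* PUSH EBP               */
    0x8B, 0xEC,                                     /* MOV EBP,ESP            */
    0x83, 0x3D, 0xBC, 0x04, 0x91, 0x00, 0x00,       /* CMP [9104BC],0         */
    0x74, 0x24,                                     /* JE SHORT               */
    0x64, 0xA1, 0x18, 0x00, 0x00, 0x00,             /* MOV EAX,FS:[18]        */
    0x6A, 0x00,                                     /* PUSH 0                 */
    0xFF, 0x70, 0x24,                               /* PUSH [EAX+24]          */
    0x68, 0x24, 0x0B, 0x91, 0x00,                   /* PUSH 00910B24          */
    0xFF, 0x15, 0xC8, 0x12, 0x8B, 0x00,             /* CALL [008B12C8]        */
    0x85, 0xC0,                                     /* TEST EAX,EAX           */
    0x75, 0x0A,                                     /* JNZ SHORT              */
    0xC7, 0x05, 0x20, 0x0B, 0x91, 0x00, 0x01, 0x00, 0x00, 0x00, /* MOV [910B20],1 */
    0x6A, 0x00,                                     /* PUSH 0 (LanguageID)    */
    0xFF, 0x75, 0x14,                               /* PUSH [EBP+14] Style    */
    0xFF, 0x75, 0x10,                               /* PUSH [EBP+10] Title    */
    0xFF, 0x75, 0x0C,                               /* PUSH [EBP+C]  Text     */
    0xFF, 0x75, 0x08,                               /* PUSH [EBP+8]  hOwner   */
    0xE8, 0x2D, 0x00, 0x00, 0x00,                   /* CALL MessageBoxExA     */
    0x5D,                                           /* POP EBP                */
    0xC2, 0x10, 0x00                                /* RETN 10                */
};

/* Hypothetical helper: returns the number of stdcall arguments implied by a
 * "RETN imm16" epilogue (imm16 / 4 on 32-bit x86), or -1 if no plausible
 * epilogue is found. A 0xC2 byte is only accepted when it directly follows
 * POP EBP (0x5D) or LEAVE (0xC9), so that 0xC2 appearing inside an immediate
 * or displacement is not misread as an instruction. A plain RETN (0xC3)
 * carries no count and is reported as not found. */
int stdcall_arg_count(const uint8_t *code, size_t len)
{
    for (size_t i = 1; i + 2 < len; i++) {
        if (code[i] != 0xC2)
            continue;
        if (code[i - 1] != 0x5D && code[i - 1] != 0xC9)
            continue;
        uint16_t imm = (uint16_t)(code[i + 1] | (code[i + 2] << 8));
        if (imm % 4 != 0)          /* stack slots are 4 bytes wide */
            return -1;
        return imm / 4;
    }
    return -1;
}

int main(void)
{
    int n = stdcall_arg_count(messageboxa_bytes, sizeof messageboxa_bytes);
    printf("MessageBoxA: %d stdcall argument(s)\n", n);
    return 0;
}
```

Running it prints 4, matching the hOwner/Text/Title/Style pushes in the listing.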