在这里学习了一段时间也算是略有所悟,想开始尝试一下反汇编,但功力浅得很,所以上来请朋友帮忙指点一下如何找出指针。
就以下面的部分代码为例吧,我想知道代码中最后一行的ECX值,按照反推法,ECX=ESP+38,dword ptr [esp+38]在代码中出现好多次,但是经过对该过程的单步跟踪发现ESP的值是会改变的,这
00604F30 /$ 83EC 24 sub esp, 24
00604F33 |. 53 push ebx
00604F34 |. 55 push ebp
00604F35 |. 8B6C24 30 mov ebp, dword ptr [esp+30]
00604F39 |. 56 push esi
00604F3A |. 57 push edi
00604F3B |. 8BCD mov ecx, ebp
00604F3D |. E8 FE1E0000 call 00606E40
00604F42 |. 84C0 test al, al
00604F44 |. 0F84 A7040000 je 006053F1
00604F4A |. 8B4C24 40 mov ecx, dword ptr [esp+40]
00604F4E |. 83F9 03 cmp ecx, 3
00604F51 |. 0F82 9A040000 jb 006053F1
00604F57 |. 8B7424 3C mov esi, dword ptr [esp+3C]
00604F5B |. C74424 38 000>mov dword ptr [esp+38], 0
00604F63 |. 8A06 mov al, byte ptr [esi]
00604F65 |. 3C 06 cmp al, 6 ; Switch (cases 1..B)
00604F67 |. 0F85 89000000 jnz 00604FF6
00604F6D |. 83F9 07 cmp ecx, 7 ; Case 6 of switch 00604F65
00604F70 |. 0F85 7B040000 jnz 006053F1
00604F76 |. 8B45 00 mov eax, dword ptr [ebp]
00604F79 |. 33FF xor edi, edi
00604F7B |. 66:8B7E 01 mov di, word ptr [esi+1]
00604F7F |. 8BCD mov ecx, ebp
00604F81 |. FF50 04 call dword ptr [eax+4]
00604F84 |. 8A10 mov dl, byte ptr [eax]
00604F86 |. C64424 40 00 mov byte ptr [esp+40], 0
00604F8B |. 84D2 test dl, dl
00604F8D |. 76 53 jbe short 00604FE2
00604F8F |> 8B4C24 40 /mov ecx, dword ptr [esp+40]
00604F93 |. 33ED |xor ebp, ebp
00604F95 |. 8BD9 |mov ebx, ecx
00604F97 |. 81E3 FF000000 |and ebx, 0FF
00604F9D |. C1E3 05 |shl ebx, 5
00604FA0 |. 66:8BAC03 AC0>|mov bp, word ptr [ebx+eax+AC]
00604FA8 |. 3BEF |cmp ebp, edi
00604FAA |. 74 1E |je short 00604FCA
00604FAC |. FEC1 |inc cl
00604FAE |. 3ACA |cmp cl, dl
00604FB0 |. 884C24 40 |mov byte ptr [esp+40], cl
00604FB4 |.^ 72 D9 \jb short 00604F8F
00604FB6 |. 8B4E 03 mov ecx, dword ptr [esi+3]
00604FB9 |. 51 push ecx
00604FBA |. E8 B17F0000 call 0060CF70
00604FBF |. 83C4 04 add esp, 4
00604FC2 |. 5F pop edi
00604FC3 |. 5E pop esi
00604FC4 |. 5D pop ebp
00604FC5 |. 5B pop ebx
00604FC6 |. 83C4 24 add esp, 24
00604FC9 |. C3 retn
00604FCA |> 81E1 FF000000 and ecx, 0FF
00604FD0 |. C1E1 05 shl ecx, 5
00604FD3 |. 8D8C01 AC0000>lea ecx, dword ptr [ecx+eax+AC]
00604FDA |. 85C9 test ecx, ecx
00604FDC |. 74 04 je short 00604FE2
00604FDE |. 8049 06 08 or byte ptr [ecx+6], 8
00604FE2 |> 8B4E 03 mov ecx, dword ptr [esi+3]
00604FE5 |. 51 push ecx
00604FE6 |. E8 857F0000 call 0060CF70
00604FEB |. 83C4 04 add esp, 4
00604FEE |. 5F pop edi
00604FEF |. 5E pop esi
00604FF0 |. 5D pop ebp
00604FF1 |. 5B pop ebx
00604FF2 |. 83C4 24 add esp, 24
00604FF5 |. C3 retn
00604FF6 |> 3C 07 cmp al, 7
00604FF8 |. 75 15 jnz short 0060500F
00604FFA |. 55 push ebp ; Case 7 of switch 00604F65
00604FFB |. E8 10F3FFFF call 00604310
00605000 |. 8BC8 mov ecx, eax
00605002 |. E8 297F0000 call 0060CF30
00605007 |. 5F pop edi
00605008 |. 5E pop esi
00605009 |. 5D pop ebp
0060500A |. 5B pop ebx
0060500B |. 83C4 24 add esp, 24
0060500E |. C3 retn
0060500F |> 3C 01 cmp al, 1
00605011 |. 75 1A jnz short 0060502D
00605013 |. 33D2 xor edx, edx ; Case 1 of switch 00604F65
00605015 |. 66:8B56 01 mov dx, word ptr [esi+1]
00605019 |. 52 push edx
0060501A |. E8 F1F2FFFF call 00604310
0060501F |. 8BC8 mov ecx, eax ; |
00605021 |. E8 EA8A0000 call 0060DB10 ; \elementc.0060DB10
00605026 |. 8BD8 mov ebx, eax
00605028 |. E9 05010000 jmp 00605132
0060502D |> 3C 08 cmp al, 8
0060502F |. 75 27 jnz short 00605058
00605031 |. 83F9 09 cmp ecx, 9 ; Case 8 of switch 00604F65
00605034 |. 0F85 B7030000 jnz 006053F1
0060503A |. 66:8B46 07 mov ax, word ptr [esi+7]
0060503E |. 8B4E 03 mov ecx, dword ptr [esi+3]
00605041 |. 50 push eax
00605042 |. 51 push ecx
00605043 |. 55 push ebp
00605044 |. E8 C7F2FFFF call 00604310
00605049 |. 8BC8 mov ecx, eax
0060504B |. E8 B07B0000 call 0060CC00
00605050 |. 5F pop edi
00605051 |. 5E pop esi
00605052 |. 5D pop ebp
00605053 |. 5B pop ebx
00605054 |. 83C4 24 add esp, 24
00605057 |. C3 retn
00605058 |> 3C 09 cmp al, 9
0060505A |. 75 2F jnz short 0060508B
0060505C |. 83F9 03 cmp ecx, 3 ; Case 9 of switch 00604F65
0060505F |. 0F86 8C030000 jbe 006053F1
00605065 |. 66:837E 01 00 cmp word ptr [esi+1], 0
0060506A |. 0F95C2 setne dl
0060506D |. 83C1 FD add ecx, -3
00605070 |. 52 push edx
00605071 |. 83C6 03 add esi, 3
00605074 |. 51 push ecx
00605075 |. 56 push esi
00605076 |. 55 push ebp
00605077 |. E8 94F2FFFF call 00604310
0060507C |. 8BC8 mov ecx, eax
0060507E |. E8 ED7B0000 call 0060CC70
00605083 |. 5F pop edi
00605084 |. 5E pop esi
00605085 |. 5D pop ebp
00605086 |. 5B pop ebx
00605087 |. 83C4 24 add esp, 24
0060508A |. C3 retn
0060508B |> 3C 0B cmp al, 0B
0060508D |. 75 25 jnz short 006050B4
0060508F |. 81F9 A3000000 cmp ecx, 0A3 ; Case B of switch 00604F65
00605095 |. 0F85 56030000 jnz 006053F1
0060509B |. 83C6 03 add esi, 3
0060509E |. 56 push esi
0060509F |. 55 push ebp
006050A0 |. E8 6BF2FFFF call 00604310
006050A5 |. 8BC8 mov ecx, eax
006050A7 |. E8 247D0000 call 0060CDD0
006050AC |. 5F pop edi
006050AD |. 5E pop esi
006050AE |. 5D pop ebp
006050AF |. 5B pop ebx
006050B0 |. 83C4 24 add esp, 24
006050B3 |. C3 retn
006050B4 |> 3C 0A cmp al, 0A
006050B6 |. 75 21 jnz short 006050D9
006050B8 |. 83F9 0B cmp ecx, 0B ; Case A of switch 00604F65
006050BB |. 0F85 30030000 jnz 006053F1
006050C1 |. 83C6 03 add esi, 3
006050C4 |. 56 push esi
006050C5 |. E8 46F2FFFF call 00604310
006050CA |. 8BC8 mov ecx, eax
006050CC |. E8 1F7D0000 call 0060CDF0
006050D1 |. 5F pop edi
006050D2 |. 5E pop esi
006050D3 |. 5D pop ebp
006050D4 |. 5B pop ebx
006050D5 |. 83C4 24 add esp, 24
006050D8 |. C3 retn
006050D9 |> 8B45 00 mov eax, dword ptr [ebp] ; Default case of switch 00604F65
006050DC |. 8BCD mov ecx, ebp
006050DE |. FF50 04 call dword ptr [eax+4]
006050E1 |. 8A10 mov dl, byte ptr [eax]
006050E3 |. 32DB xor bl, bl
006050E5 |. 84D2 test dl, dl
006050E7 |. 885C24 38 mov byte ptr [esp+38], bl
006050EB |. 0F86 00030000 jbe 006053F1
006050F1 |. 66:8B7E 01 mov di, word ptr [esi+1]
006050F5 |> 8B4C24 38 /mov ecx, dword ptr [esp+38]
006050F9 |. 81E1 FF000000 |and ecx, 0FF
006050FF |. C1E1 05 |shl ecx, 5
00605102 |. 66:39BC01 AC0>|cmp word ptr [ecx+eax+AC], di
0060510A |. 8D8C01 AC0000>|lea ecx, dword ptr [ecx+eax+AC]
00605111 |. 75 06 |jnz short 00605119
00605113 |. 8379 0D 00 |cmp dword ptr [ecx+D], 0
00605117 |. 75 12 |jnz short 0060512B
00605119 |> FEC3 |inc bl
0060511B |. 3ADA |cmp bl, dl
0060511D |. 885C24 38 |mov byte ptr [esp+38], bl
00605121 |.^ 72 D2 \jb short 006050F5
00605123 |. 5F pop edi
00605124 |. 5E pop esi
00605125 |. 5D pop ebp ebp
00605126 |. 5B pop ebx
0060512700605127 |. |. 83C4 24 83C4 24 add add esp, 24 esp, 24
0060512A |. C3 retn
0060512B0060512B |> |> 8B59 0D 8B59 0D mov mov ebx, dword ptr [ecx+D] ebx, dword ptr [ecx+D]
0060512E |. 894C24 38 mov dword ptr [esp+38], ecx
0060513200605132 |> |> 85DB 85DB test test ebx, ebx ebx, ebx
00605134 |. 0F84 B7020000 je 006053F1
0060513A |. B9 09000000 mov ecx, 9
0060513F0060513F |. |. 33C0 33C0 xor xor eax, eax eax, eax
00605141 |. 8D7C24 10 lea edi, dword ptr [esp+10]
0060514500605145 |. |. C683 A4030000>mov C683 A4030000>mov byte ptr [ebx+3A4], 0 byte ptr [ebx+3A4], 0
0060514C |. F3:AB rep stos dword ptr es:[edi]
0060514E0060514E |. |. 8A06 8A06 mov mov al, byte ptr [esi] al, byte ptr [esi]
00605150 |. 48 dec eax ; Switch (cases 1..5)
0060515100605151 |. |. 83F8 04 83F8 04 cmp cmp eax, 4 eax, 4
00605154 |. 0F87 97020000 ja 006053F1
0060515A0060515A |. |. FF2485 FC5360>jmp FF2485 FC5360>jmp dword ptr [eax*4+6053FC] dword ptr [eax*4+6053FC]
00605161 |> 837C24 40 09 cmp dword ptr [esp+40], 9 ; Case 4 of switch 00605150
00605166 |. 0F85 85020000 jnz 006053F1
0060516C0060516C |. |. 83BB E4010000>cmp 83BB E4010000>cmp dword ptr [ebx+1E4], 1 dword ptr [ebx+1E4], 1
00605173 |. 0F85 78020000 jnz 006053F1
0060517900605179 |. |. 8B8B EC010000 mov 8B8B EC010000 mov ecx, dword ptr [ebx+1EC] ecx, dword ptr [ebx+1EC]
0060517F |. 33C0 xor eax, eax
0060518100605181 |. |. 85C9 85C9 test test ecx, ecx ecx, ecx
00605183 |. 0F86 68020000 jbe 006053F1
0060518900605189 |. |. 8B56 03 8B56 03 mov mov edx, dword ptr [esi+3] edx, dword ptr [esi+3]
0060518C |. 8B9B F0010000 mov ebx, dword ptr [ebx+1F0]
0060519200605192 |> |> 3913 3913 /cmp /cmp dword ptr [ebx], edx dword ptr [ebx], edx
00605194 |. 74 10 |je short 006051A6
00605196 |. 40 |inc eax
0060519700605197 |. |. 83C3 16 83C3 16 |add |add ebx, 16 ebx, 16
0060519A |. 3BC1 |cmp eax, ecx
0060519C0060519C |.^ 72 F4 |.^ 72 F4 \jb \jb short 00605192 short 00605192
0060519E |. 5F pop edi
0060519F0060519F |. |. 5E 5E pop pop esi esi
006051A0 |. 5D pop ebp
006051A1006051A1 |. |. 5B 5B pop pop ebx ebx
006051A2 |. 83C4 24 add esp, 24
006051A5006051A5 |. |. C3 C3 retn retn
006051A6 |> 66:8B56 07 mov dx, word ptr [esi+7]
006051AA |. 8B4C24 38 mov ecx, dword ptr [esp+38]
006051AE006051AE |. |. 5F 5F pop pop edi edi
006051AF |. 5E pop esi
006051B0006051B0 |. |. 5D 5D pop pop ebp ebp
006051B1 |. 66:895441 15 mov word ptr [ecx+eax*2+15], dx |