我有一行像这样的代码
push ff
push 0
push 0
push offset "this is a test"
push offset "Hello world!" ; string in hex: 48656C6C6F20776F726C6421
push 0
CALL FUNCTION 1
MOV EDI,EDI
PUSH EBP
MOV EBP,ESP
PUSH ECX
PUSH ECX
PUSH ESI
PUSH EDI
XOR EDI,EDI
OR ESI,FFFFFFFF
MOV DWORD PTR SS:[EBP-4],EDI
MOV DWORD PTR SS:[EBP-8],EDI
CMP DWORD PTR SS:[EBP+0C],EDI
JE SHORT ; jump is taken
现在进入函数
中的操作列表PUSH EBP
PUSH ECX
PUSH ECX
PUSH ESI
PUSH EDI
XOR EDI,EDI ; will clear the edi register, it's zero now
OR ESI,FFFFFFFF ; esi will hold value ffffffff
MOV DWORD PTR SS:[EBP-4],EDI ; copies edi to ecx
MOV DWORD PTR SS:[EBP-8],EDI ; copies edi to 2nd ecx
现在是我没有得到的部分
CMP DWORD PTR SS:[EBP+0C],EDI
它正在比较edi,其值为零?
push offset "Hello world!" 48656C6C6F20776F726C6421
编辑#1
这里是整个代码,从起点开始,也许你可以找出我做错了什么
开始计划
00401000 6A 00 PUSH 0
00401002 68 00304000 PUSH OFFSET 00403000 ; ASCII "this is a test"
00401007 68 17304000 PUSH OFFSET 00403017 ; ASCII "Hello world!"
0040100C 6A 00 PUSH 0
0040100E FF15 70204000 CALL DWORD PTR DS:[402070]
调用user32
750AFD1E /$ 8BFF MOV EDI,EDI ; ID_X user32.MessageBoxA
750AFD20 |. 55 PUSH EBP
750AFD21 |. 8BEC MOV EBP,ESP
750AFD23 |. 6A 00 PUSH 0 ; /LanguageID = LANG_NEUTRAL
750AFD25 |. FF75 14 PUSH DWORD PTR SS:[EBP+14] ; |Type
750AFD28 |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |Caption
750AFD2B |. FF75 0C PUSH DWORD PTR SS:[EBP+0C] ; |Text
750AFD2E |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
750AFD31 |. E8 A0FFFFFF CALL MessageBoxExA ; \USER32.MessageBoxExA
750AFD36 |. 5D POP EBP
750AFD37 \. C2 1000 RETN 10
调用MessageBoxExA
750AFCD6 /$ 8BFF MOV EDI,EDI ; ID_X user32.MessageBoxExA
750AFCD8 |. 55 PUSH EBP
750AFCD9 |. 8BEC MOV EBP,ESP
750AFCDB |. 6A FF PUSH -1 ; /Arg6 = -1
750AFCDD |. FF75 18 PUSH DWORD PTR SS:[EBP+18] ; |Arg5
750AFCE0 |. FF75 14 PUSH DWORD PTR SS:[EBP+14] ; |Arg4
750AFCE3 |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |Arg3
750AFCE6 |. FF75 0C PUSH DWORD PTR SS:[EBP+0C] ; |Arg2
750AFCE9 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |Arg1
750AFCEC |. E8 37FEFFFF CALL MessageBoxTimeoutA
750AFCF1 |. 5D POP EBP
750AFCF2 \. C2 1400 RETN 14
调用MessageBoxTimeoutA
750AFB28 /$ 8BFF MOV EDI,EDI ; user32.MessageBoxTimeoutA
750AFB2A |. 55 PUSH EBP
750AFB2B |. 8BEC MOV EBP,ESP
750AFB2D |. 51 PUSH ECX
750AFB2E |. 51 PUSH ECX
750AFB2F |. 56 PUSH ESI
750AFB30 |. 57 PUSH EDI
750AFB31 |. 33FF XOR EDI,EDI
750AFB33 |. 83CE FF OR ESI,FFFFFFFF
750AFB36 |. 897D FC MOV DWORD PTR SS:[EBP-4],EDI
750AFB39 |. 897D F8 MOV DWORD PTR SS:[EBP-8],EDI
750AFB3C |. 397D 0C CMP DWORD PTR SS:[EBP+0C],EDI
750AFB3F |.- 74 19 JE SHORT 750AFB5A <----- ollydbg states jump is taken
750AFB41 |. 6A 01 PUSH 1 ; /Arg6 = 1
750AFB43 |. 56 PUSH ESI ; |Arg5
750AFB44 |. 8D45 FC LEA EAX,[EBP-4] ; |
750AFB47 |. 50 PUSH EAX ; |Arg4
750AFB48 |. 56 PUSH ESI ; |Arg3
750AFB49 |. FF75 0C PUSH DWORD PTR SS:[EBP+0C] ; |Arg2
750AFB4C |. 57 PUSH EDI ; |Arg1
750AFB4D |. E8 72D5FAFF CALL MBToWCSEx ; \USER32.MBToWCSEx
750AFB52 |. 85C0 TEST EAX,EAX
750AFB54 |.- 75 04 JNZ SHORT 750AFB5A
750AFB56 |> 33C0 XOR EAX,EAX
750AFB58 |.- EB 6C JMP SHORT 750AFBC6
750AFB5A |> 397D 10 CMP DWORD PTR SS:[EBP+10],EDI <----- jumps here
750AFB5D |.- 74 27 JE SHORT 750AFB86 <----- jump is taken again
750AFB5F |. 6A 01 PUSH 1 ; /Arg6 = 1
750AFB61 |. 56 PUSH ESI ; |Arg5
750AFB62 |. 8D45 F8 LEA EAX,[EBP-8] ; |
750AFB65 |. 50 PUSH EAX ; |Arg4
750AFB66 |. 56 PUSH ESI ; |Arg3
750AFB67 |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |Arg2
750AFB6A |. 57 PUSH EDI ; |Arg1
750AFB6B |. E8 54D5FAFF CALL MBToWCSEx ; \USER32.MBToWCSEx
750AFB70 |. 85C0 TEST EAX,EAX
750AFB72 |.- 75 12 JNZ SHORT 750AFB86
750AFB74 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; /pMem
750AFB77 |. 57 PUSH EDI ; |Flags
750AFB78 |. FF35 0C010C75 PUSH DWORD PTR DS:[750C010C] ; |Heap = 00350000
750AFB7E |. FF15 14000575 CALL DWORD PTR DS:[<&ntdll.RtlFreeHeap>] ; \NTDLL.RtlFreeHeap
750AFB84 |.- EB D0 JMP SHORT 750AFB56
750AFB86 |> 53 PUSH EBX <--------- jumps here
750AFB87 |. FF75 1C PUSH DWORD PTR SS:[EBP+1C] ; /Arg6
750AFB8A |. FF75 18 PUSH DWORD PTR SS:[EBP+18] ; |Arg5
750AFB8D |. FF75 14 PUSH DWORD PTR SS:[EBP+14] ; |Arg4
750AFB90 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; |Arg3
750AFB93 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; |Arg2
750AFB96 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |Arg1
750AFB99 |. E8 2FFFFFFF CALL MessageBoxTimeoutW
750AFB9E |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; /pMem
750AFBA1 |. 8B35 14000575 MOV ESI,DWORD PTR DS:[<&ntdll.RtlFreeHea ; |
750AFBA7 |. 57 PUSH EDI ; |Flags
750AFBA8 |. FF35 0C010C75 PUSH DWORD PTR DS:[750C010C] ; |Heap = 00350000
750AFBAE |. 8BD8 MOV EBX,EAX ; |
750AFBB0 |. FFD6 CALL ESI ; \NTDLL.RtlFreeHeap
750AFBB2 |. 397D F8 CMP DWORD PTR SS:[EBP-8],EDI
750AFBB5 |.- 74 0C JE SHORT 750AFBC3
750AFBB7 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8]
750AFBBA |. 57 PUSH EDI
750AFBBB |. FF35 0C010C75 PUSH DWORD PTR DS:[750C010C]
750AFBC1 |. FFD6 CALL ESI
750AFBC3 |> 8BC3 MOV EAX,EBX
750AFBC5 |. 5B POP EBX
750AFBC6 |> 5F POP EDI
750AFBC7 |. 5E POP ESI
750AFBC8 |. C9 LEAVE
750AFBC9 \. C2 1800 RETN 18
是否可能以某种方式调试器让我失望?比方说,例如第一次cmps它不相等,所以它不会跳转,执行一些操作,然后再次尝试,这会导致跳转?
编辑#2
我解决了问题,这是愚蠢的,毕竟没有采取跳跃,我跑了踪迹,它说命令跳跃不像我所知道的那样。但显然我只是点击每个命令而不是按f7来追踪它:S很傻......感谢你的帮助,我会有更多的问题很快发布。
答案 0 :(得分:1)
除非我弄错了,你想知道的比较是将EDI(0为0)与第二个参数(一个字符串指针)进行比较。它正在检查字符串是否为空。
这是你的MessageBoxExA:
750AFCD6 /$ 8BFF MOV EDI,EDI ; ID_X user32.MessageBoxExA
750AFCD8 |. 55 PUSH EBP
750AFCD9 |. 8BEC MOV EBP,ESP
750AFCDB |. 6A FF PUSH -1 ; /Arg6 = -1
750AFCDD |. FF75 18 PUSH DWORD PTR SS:[EBP+18] ; |Arg5
750AFCE0 |. FF75 14 PUSH DWORD PTR SS:[EBP+14] ; |Arg4
750AFCE3 |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |Arg3
750AFCE6 |. FF75 0C PUSH DWORD PTR SS:[EBP+0C] ; |Arg2
750AFCE9 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |Arg1
750AFCEC |. E8 37FEFFFF CALL MessageBoxTimeoutA
750AFCF1 |. 5D POP EBP
750AFCF2 \. C2 1400 RETN 14
MessageBoxTimeoutA的开头:
750AFB28 /$ 8BFF MOV EDI,EDI ; user32.MessageBoxTimeoutA
750AFB2A |. 55 PUSH EBP
750AFB2B |. 8BEC MOV EBP,ESP
750AFB2D |. 51 PUSH ECX
750AFB2E |. 51 PUSH ECX
750AFB2F |. 56 PUSH ESI
750AFB30 |. 57 PUSH EDI
750AFB31 |. 33FF XOR EDI,EDI
750AFB33 |. 83CE FF OR ESI,FFFFFFFF
750AFB36 |. 897D FC MOV DWORD PTR SS:[EBP-4],EDI
750AFB39 |. 897D F8 MOV DWORD PTR SS:[EBP-8],EDI
750AFB3C |. 397D 0C CMP DWORD PTR SS:[EBP+0C],EDI
750AFB3F |.- 74 19 JE SHORT 750AFB5A <----- ollydbg states jump is taken
在输入MessageBoxTimeoutA后,它会推送EBP,然后设置EBP=ESP。
所以你在堆栈上的东西是:
[EBP+0C] Arg2
[EBP+08] Arg1
[EBP+04] Return address
[EBP+00] Previous EBP
至少,这就是它的样子。但是你说跳过了,如果你没有将null作为text参数传递,那就很奇怪了。