DLL 函数的反汇编代码（片段：位于 sub_10122A50 内部，下面第一条 push 之前的指令没有列出）:
10123148 68 C4 26 32 10 push offset aSurfaceprop ; "$surfaceprop"
1012314D 8B CF mov ecx, edi
1012314F FF D2 call edx
10123151 80 7D FF 00 cmp [ebp+var_1], 0
10123155 74 33 jz short loc_1012318A
10123157 8B 10 mov edx, [eax]
10123159 8B C8 mov ecx, eax
1012315B 8B 42 18 mov eax, [edx+18h]
1012315E FF D0 call eax
10123160 8B 0D B0 70 61 10 mov ecx, dword_106170B0
10123166 8B 11 mov edx, [ecx]
10123168 89 45 D8 mov [ebp+var_28], eax
1012316B 50 push eax
1012316C 8B 42 0C mov eax, [edx+0Ch]
1012316F FF D0 call eax
10123171 66 89 46 6C mov [esi+6Ch], ax
10123175 8B 0D B0 70 61 10 mov ecx, dword_106170B0
1012317B 8B 11 mov edx, [ecx]
1012317D 8B 45 D8 mov eax, [ebp+var_28]
10123180 8B 52 0C mov edx, [edx+0Ch]
10123183 50 push eax
10123184 FF D2 call edx
10123186 66 89 46 6E mov [esi+6Eh], ax
1012318A
1012318A loc_1012318A: ; CODE XREF: sub_10122A50+705j
1012318A 8B 07 mov eax, [edi]
1012318C 8B 50 2C mov edx, [eax+2Ch]
1012318F 6A 00 push 0
10123191 8D 4D FF lea ecx, [ebp+var_1]
10123194 51 push ecx
10123195 68 9C 29 32 10 push offset aSurfaceprop2 ; "$surfaceprop2"
1012319A 8B CF mov ecx, edi
1012319C FF D2 call edx
1012319E 80 7D FF 00 cmp [ebp+var_1], 0
101231A2 74 1B jz short loc_101231BF
101231A4 8B 10 mov edx, [eax]
101231A6 8B C8 mov ecx, eax
101231A8 8B 42 18 mov eax, [edx+18h]
101231AB FF D0 call eax
101231AD 8B 0D B0 70 61 10 mov ecx, dword_106170B0
101231B3 8B 11 mov edx, [ecx]
101231B5 50 push eax
101231B6 8B 42 0C mov eax, [edx+0Ch]
101231B9 FF D0 call eax
101231BB 66 89 46 6E mov [esi+6Eh], ax
我没有源代码，但我设法获得了这个函数的反编译伪代码（同样只是片段，外层函数没有列出）:
if ( !(unsigned __int8)(*(int (__thiscall **)(int))(*(_DWORD *)v63 + 168))(v63) )
{
v64 = (*(int (__thiscall **)(int, _DWORD, char *, _DWORD))(*(_DWORD *)v63 + 44))(v63,"$surfaceprop",&v140,0);
if ( v140 )
{
v65 = (*(int (__thiscall **)(int))(*(_DWORD *)v64 + 24))(v64);
v66 = *(_DWORD *)dword_106170B0; //physprop
v131 = v65;
*(_WORD *)(v54 + 108) = (*(int (__stdcall **)(int))(v66 + 12))(v65);
*(_WORD *)(v54 + 110) = (*(int (__stdcall **)(int))(v66 + 12))(v131); //v131 == v65;
}
v67 = (*(int (__thiscall **)(int, _DWORD, char *, _DWORD))(*(_DWORD *)v63 + 44))(v63,"$surfaceprop2",&v140,0);
if ( v140 )
{
v68 = (*(int (__thiscall **)(int))(*(_DWORD *)v67 + 24))(v67);
*(_WORD *)(v54 + 110) = (*(int (__stdcall **)(int))(*(_DWORD *)dword_106170B0 + 12))(v68); // physprop == *(_DWORD *)dword_106170B0
}
}
变量 v64、v65、v67、v68 包含我需要知道的指针。
所以，我的问题是：这些变量（v64、v65、v67、v68）在汇编代码中分别存储在哪一行、哪个寄存器里？我不懂汇编代码，如果有精通的人，请帮助。
回答（得分：1）：
下面是这些变量在汇编中所处的位置（地址、指令和寄存器）：
...
1012314F call edx ; 调用返回后 eax -> v64（即伪代码中 vtable+0x2C 那次调用的返回值）；10123159 mov ecx, eax 随后把它作为 this 指针复制到 ecx。注意：10123157 mov edx, [eax] 载入的是 v64 的 vtable 指针 (*(_DWORD *)v64)，不是 v64 本身。
...
10123168 mov [ebp+var_28], eax ; eax -> v65（1012315E call eax 的返回值）；同一值被保存到栈槽 [ebp+var_28]，即伪代码中的 v131，并在 1012317D 处被重新读出用于第二次调用。
...
1012319C call edx ; 调用返回后 eax -> v67（101231A6 mov ecx, eax 把它复制到 ecx）。同样，101231A4 mov edx, [eax] 只是取 v67 的 vtable 指针，不是 v67。
...
101231B5 push eax ; eax -> v68（101231AB call eax 的返回值），此处被压栈作为下一次调用的参数。
...
你可以在这些地址设置断点来检查值。对于 v64 和 v67，要把断点设在 call 指令的下一条指令上（即调用返回之后）再读 eax；eax/ecx/edx 在 x86 调用约定里是调用者保存（易失）寄存器，紧接着的下一次 call 就会覆盖它们，所以必须在断点处立即读取，不要单步跨过下一次调用再看。另外注意，这两段代码只有在 [ebp+var_1]（伪代码中的 v140）非零时才会执行——10123155 和 101231A2 处的 jz 在该标志为 0 时会直接跳过整段——所以断点不一定每次都会命中。