在 ASM 代码中定位变量值的存放位置

时间:2013-11-09 18:55:59

标签: assembly x86 disassembly

dll函数asm代码:

10123148 68 C4 26 32 10              push    offset aSurfaceprop ; "$surfaceprop"
1012314D 8B CF                       mov     ecx, edi
1012314F FF D2                       call    edx
10123151 80 7D FF 00                 cmp     [ebp+var_1], 0
10123155 74 33                       jz      short loc_1012318A
10123157 8B 10                       mov     edx, [eax]
10123159 8B C8                       mov     ecx, eax
1012315B 8B 42 18                    mov     eax, [edx+18h]
1012315E FF D0                       call    eax
10123160 8B 0D B0 70 61 10           mov     ecx, dword_106170B0
10123166 8B 11                       mov     edx, [ecx]
10123168 89 45 D8                    mov     [ebp+var_28], eax
1012316B 50                          push    eax
1012316C 8B 42 0C                    mov     eax, [edx+0Ch]
1012316F FF D0                       call    eax
10123171 66 89 46 6C                 mov     [esi+6Ch], ax
10123175 8B 0D B0 70 61 10           mov     ecx, dword_106170B0
1012317B 8B 11                       mov     edx, [ecx]
1012317D 8B 45 D8                    mov     eax, [ebp+var_28]
10123180 8B 52 0C                    mov     edx, [edx+0Ch]
10123183 50                          push    eax
10123184 FF D2                       call    edx
10123186 66 89 46 6E                 mov     [esi+6Eh], ax
1012318A
1012318A                         loc_1012318A: ; CODE XREF: sub_10122A50+705j
1012318A 8B 07                       mov     eax, [edi]
1012318C 8B 50 2C                    mov     edx, [eax+2Ch]
1012318F 6A 00                       push    0
10123191 8D 4D FF                    lea     ecx, [ebp+var_1]
10123194 51                          push    ecx
10123195 68 9C 29 32 10              push    offset aSurfaceprop2 ; "$surfaceprop2"
1012319A 8B CF                       mov     ecx, edi
1012319C FF D2                       call    edx
1012319E 80 7D FF 00                 cmp     [ebp+var_1], 0
101231A2 74 1B                       jz      short loc_101231BF
101231A4 8B 10                       mov     edx, [eax]
101231A6 8B C8                       mov     ecx, eax
101231A8 8B 42 18                    mov     eax, [edx+18h]
101231AB FF D0                       call    eax
101231AD 8B 0D B0 70 61 10           mov     ecx, dword_106170B0
101231B3 8B 11                       mov     edx, [ecx]
101231B5 50                          push    eax
101231B6 8B 42 0C                    mov     eax, [edx+0Ch]
101231B9 FF D0                       call    eax
101231BB 66 89 46 6E                 mov     [esi+6Eh], ax

我没有源代码,但我设法获得了这个函数的伪代码:

if ( !(unsigned __int8)(*(int (__thiscall **)(int))(*(_DWORD *)v63 + 168))(v63) )
{
    v64 = (*(int (__thiscall **)(int, _DWORD, char *, _DWORD))(*(_DWORD *)v63 + 44))(v63,"$surfaceprop",&v140,0);
    if ( v140 )
    {
        v65 = (*(int (__thiscall **)(int))(*(_DWORD *)v64 + 24))(v64);
        v66 = *(_DWORD *)dword_106170B0; //physprop
        v131 = v65;
        *(_WORD *)(v54 + 108) = (*(int (__stdcall **)(int))(v66 + 12))(v65);
        *(_WORD *)(v54 + 110) = (*(int (__stdcall **)(int))(v66 + 12))(v131); //v131 == v65;
    }
    v67 = (*(int (__thiscall **)(int, _DWORD, char *, _DWORD))(*(_DWORD *)v63 + 44))(v63,"$surfaceprop2",&v140,0);
    if ( v140 )
    {
        v68 = (*(int (__thiscall **)(int))(*(_DWORD *)v67 + 24))(v67);
        *(_WORD *)(v54 + 110) = (*(int (__stdcall **)(int))(*(_DWORD *)dword_106170B0 + 12))(v68); // physprop == *(_DWORD *)dword_106170B0  
    }
    }

变量 v64、v65、v67、v68 中保存着我需要知道的指针。所以我的问题是:这些变量(v64、v65、v67、v68)在汇编代码中保存在哪里(具体是哪一行、哪个寄存器)?我看不懂汇编,如果有懂行的人,请帮帮忙。

1 个答案:

答案 0 :(得分:1)

这些变量应当出现在以下几行(对应的寄存器见注释):

...
10123157 mov  edx, [eax]         ; edx -> v64, after executing this instruction
...
10123168 mov  [ebp+var_28], eax  ; eax -> v65
...
101231A4 mov  edx, [eax]         ; edx -> v67, after executing this instruction
...
101231B5 push eax                ; eax -> v68
...

你可以在这些地址设置断点来检查值;注意第一条和第三条指令要在执行之后再检查寄存器。另外,`mov edx, [eax]` 读取的是 eax 所指对象的第一个 dword,随后的 `call [edx+18h]` 与伪代码中的 `*(_DWORD *)v64 + 24` 相对应,而紧接着的 `mov ecx, eax` 表明传给该调用的对象指针仍在 eax 中,因此在这两处断点上也要同时记录 eax 的值。