[求助]求教简单汇编代码的ESP栈值-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [求助]求教简单汇编代码的ESP栈值 0.00雪花

发表于: 2010-4-1 14:15 1326

[旧帖] [求助]求教简单汇编代码的ESP栈值 0.00雪花

nxinjian

活跃值

2010-4-1 14:15

1326

望大牛帮我看解答下我以下一个ESP是哪来的?

00401130  /$ 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00401136  |. 6A FF       PUSH -1
00401138  |. 68 D6AC4000 PUSH pwpack.0040ACD6
0040113D  |. 50          PUSH EAX
0040113E  |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00401145  |. 81EC 5C030000  SUB ESP,35C
0040114B  |. 53          PUSH EBX
0040114C  |. 8BD9          MOV EBX,ECX
0040114E  |. 8B03          MOV EAX,DWORD PTR DS:[EBX]
00401150  |. 85C0          TEST EAX,EAX
00401152  |. 56          PUSH ESI
00401153  |. 57          PUSH EDI
00401154  |. 74 0A       JE SHORT pwpack.00401160
00401156  |. 50          PUSH EAX                               ; /stream
00401157  |. FF15 44B04000  CALL DWORD PTR DS:[<&MSVCR71.fclose>]    ; \fclose
0040115D  |. 83C4 04       ADD ESP,4
00401160  |> 8B43 10       MOV EAX,DWORD PTR DS:[EBX+10]
00401163  |. 8B30          MOV ESI,DWORD PTR DS:[EAX]
00401165  |. 3BF0          CMP ESI,EAX
00401167  |. 8D7B 10       LEA EDI,DWORD PTR DS:[EBX+10]
0040116A  |. 74 17       JE SHORT pwpack.00401183
0040116C  |. 8D6424 00    LEA ESP,DWORD PTR SS:[ESP]
00401170  |> 8BC6          /MOV EAX,ESI
00401172  |. 8B36          |MOV ESI,DWORD PTR DS:[ESI]
00401174  |. 50          |PUSH EAX
00401175  |. E8 02950000 |CALL <JMP.&MSVCR71.??3@YAXPAX@Z>
0040117A  |. 8B07          |MOV EAX,DWORD PTR DS:[EDI]
0040117C  |. 83C4 04       |ADD ESP,4
0040117F  |. 3BF0          |CMP ESI,EAX
00401181  |.^75 ED       \JNZ SHORT pwpack.00401170
00401183  |> 8B07          MOV EAX,DWORD PTR DS:[EDI]
00401185  |. 8900          MOV DWORD PTR DS:[EAX],EAX
00401187  |. 8B07          MOV EAX,DWORD PTR DS:[EDI]
00401189  |. 8940 04       MOV DWORD PTR DS:[EAX+4],EAX
0040118C  |. 8B8424 7803000>MOV EAX,DWORD PTR SS:[ESP+378]
00401193  |. 68 68EA4000 PUSH pwpack.0040EA68                   ; /mode = "rb"
00401198  |. 50          PUSH EAX                               ; |path
00401199  |. C703 00000000  MOV DWORD PTR DS:[EBX],0                ; |
0040119F  |. FF15 DCB04000  CALL DWORD PTR DS:[<&MSVCR71._wfopen>] ; \_wfopen
004011A5  |. 83C4 08       ADD ESP,8
004011A8  |. 85C0          TEST EAX,EAX
004011AA  |. 8903          MOV DWORD PTR DS:[EBX],EAX
004011AC  |. 75 0A       JNZ SHORT pwpack.004011B8
004011AE  |. B8 01000000 MOV EAX,1
004011B3  |. E9 48020000 JMP pwpack.00401400
004011B8  |> 55          PUSH EBP
004011B9  |. 8B2D 20B04000  MOV EBP,DWORD PTR DS:[<&MSVCR71.fread>] ;  MSVCR71.fread
004011BF  |. 50          PUSH EAX                               ; /stream
004011C0  |. 6A 01       PUSH 1                                  ; |n = 1
004011C2  |. 8D4C24 44    LEA ECX,DWORD PTR SS:[ESP+44]          ; |
004011C6  |. 6A 0C       PUSH 0C                                  ; |size = C (12.)
004011C8  |. 51          PUSH ECX                               ; |ptr
004011C9  |. FFD5          CALL EBP                               ; \fread
004011CB  |. 8B4424 4C    MOV EAX,DWORD PTR SS:[ESP+4C]
004011CF  |. 83C4 10       ADD ESP,10
004011D2  |. 3D EF23CA4D CMP EAX,4DCA23EF
004011D7  |. 0F85 1D020000  JNZ pwpack.004013FA
004011DD  |. 817C24 44 B789>CMP DWORD PTR SS:[ESP+44],56A089B7
004011E5  |. 0F85 0F020000  JNZ pwpack.004013FA
004011EB  |. 8B13          MOV EDX,DWORD PTR DS:[EBX]
004011ED  |. 8B35 3CB04000  MOV ESI,DWORD PTR DS:[<&MSVCR71.fseek>] ;  MSVCR71.fseek
004011F3  |. 6A 02       PUSH 2                                  ; /whence = SEEK_END
004011F5  |. 6A F8       PUSH -8                                  ; |offset = FFFFFFF8 (-8.)
004011F7  |. 52          PUSH EDX                               ; |stream
004011F8  |. FFD6          CALL ESI                               ; \fseek
004011FA  |. 8B03          MOV EAX,DWORD PTR DS:[EBX]
004011FC  |. 50          PUSH EAX
004011FD  |. 6A 01       PUSH 1
004011FF  |. 8D4C24 2C    LEA ECX,DWORD PTR SS:[ESP+2C]
00401203  |. 6A 04       PUSH 4
00401205  |. 51          PUSH ECX
00401206  |. FFD5          CALL EBP
00401208  |. 8B13          MOV EDX,DWORD PTR DS:[EBX]
0040120A  |. 52          PUSH EDX
0040120B  |. 6A 01       PUSH 1
0040120D  |. 8D4424 5C    LEA EAX,DWORD PTR SS:[ESP+5C]
00401211  |. 6A 04       PUSH 4
00401213  |. 50          PUSH EAX
00401214  |. FFD5          CALL EBP
00401216  |. 8B4424 64    MOV EAX,DWORD PTR SS:[ESP+64]
0040121A  |. 83C4 2C       ADD ESP,2C
0040121D  |. 3D 02000200 CMP EAX,20002
00401222  |. 0F85 D2010000  JNZ pwpack.004013FA
00401228  |. 8B0B          MOV ECX,DWORD PTR DS:[EBX]
0040122A  |. 6A 02       PUSH 2
0040122C  |. 68 E8FEFFFF PUSH -118
00401231  |. 51          PUSH ECX
00401232  |. FFD6          CALL ESI
00401234  |. 8B13          MOV EDX,DWORD PTR DS:[EBX]
00401236  |. 52          PUSH EDX
00401237  |. 6A 01       PUSH 1
00401239  |. 8D4424 5C    LEA EAX,DWORD PTR SS:[ESP+5C]
0040123D  |. 68 10010000 PUSH 110
00401242  |. 50          PUSH EAX
00401243  |. FFD5          CALL EBP
00401245  |. 8B4424 64    MOV EAX,DWORD PTR SS:[ESP+64] ;//这个值是哪里来的?
00401249  |. 83C4 1C       ADD ESP,1C
0040124C  |. 3D EEFEFDFD CMP EAX,FDFDFEEE
00401251  |. 0F85 78010000  JNZ pwpack.004013CF
00401257  |. 81BC24 5401000>CMP DWORD PTR SS:[ESP+154],F00DBEEF
00401262  |. 0F85 67010000  JNZ pwpack.004013CF
00401268  |. 8B4424 50    MOV EAX,DWORD PTR SS:[ESP+50]
0040126C  |. 8B0B          MOV ECX,DWORD PTR DS:[EBX]
0040126E  |. 35 627493A8 XOR EAX,A8937462
00401273  |. 6A 00       PUSH 0
00401275  |. 50          PUSH EAX
00401276  |. 51          PUSH ECX
00401277  |. 894424 5C    MOV DWORD PTR SS:[ESP+5C],EAX
0040127B  |. FFD6          CALL ESI
0040127D  |. 83C4 0C       ADD ESP,0C
00401280  |. 8BC7          MOV EAX,EDI
00401282  |. E8 C9190000 CALL pwpack.00402C50
00401287  |. 33F6          XOR ESI,ESI
00401289  |. 33FF          XOR EDI,EDI
0040128B  |. 897C24 2C    MOV DWORD PTR SS:[ESP+2C],EDI
0040128F  |. 897424 30    MOV DWORD PTR SS:[ESP+30],ESI  ;//
00401293  |. 897424 34    MOV DWORD PTR SS:[ESP+34],ESI  ;//
00401297  |. 89B424 7403000>MOV DWORD PTR SS:[ESP+374],ESI;//这几句是什么意思?值是哪来的
0040129E  |. 897424 20    MOV DWORD PTR SS:[ESP+20],ESI;//
004012A6  |. 897424 28    MOV DWORD PTR SS:[ESP+28],ESI
004012AA  |. C68424 7403000>MOV BYTE PTR SS:[ESP+374],1
004012B2  |. 397424 18    CMP DWORD PTR SS:[ESP+18],ESI
004012B6  |. 897424 14    MOV DWORD PTR SS:[ESP+14],ESI
004012BA  |. 0F86 BF000000  JBE pwpack.0040137F
004012C0  |> 8B13          /MOV EDX,DWORD PTR DS:[EBX]
004012C2  |. 52          |PUSH EDX
004012C3  |. 6A 01       |PUSH 1
004012C5  |. 8D4424 24    |LEA EAX,DWORD PTR SS:[ESP+24]
004012C9  |. 6A 04       |PUSH 4
004012CB  |. 50          |PUSH EAX
004012CC  |. FFD5          |CALL EBP
004012CE  |. 8B0B          |MOV ECX,DWORD PTR DS:[EBX]
004012D0  |. 51          |PUSH ECX
004012D1  |. 6A 01       |PUSH 1
004012D3  |. 8D5424 28    |LEA EDX,DWORD PTR SS:[ESP+28]
004012D7  |. 6A 04       |PUSH 4
004012D9  |. 52          |PUSH EDX
004012DA  |. FFD5          |CALL EBP
004012DC  |. 8B5424 3C    |MOV EDX,DWORD PTR SS:[ESP+3C]
004012E0  |. 8B4424 30    |MOV EAX,DWORD PTR SS:[ESP+30]
004012E4  |. 81F2 627493A8  |XOR EDX,A8937462
004012EA  |. 35 5336A4F1 |XOR EAX,F1A43653
004012EF  |. 83C4 20       |ADD ESP,20
004012F2  |. 3BD0          |CMP EDX,EAX
004012F4  |. 895424 1C    |MOV DWORD PTR SS:[ESP+1C],EDX
004012F8  |. 894424 10    |MOV DWORD PTR SS:[ESP+10],EAX
004012FC  |. 0F85 AF000000  |JNZ pwpack.004013B1
00401302  |. 8D7C24 2C    |LEA EDI,DWORD PTR SS:[ESP+2C]
00401306  |. E8 E5160000 |CALL pwpack.004029F0
0040130B  |. 8B0B          |MOV ECX,DWORD PTR DS:[EBX]
0040130D  |. 8B4424 2C    |MOV EAX,DWORD PTR SS:[ESP+2C]
00401311  |. 8B7424 30    |MOV ESI,DWORD PTR SS:[ESP+30]
00401315  |. 51          |PUSH ECX
00401316  |. 2BF0          |SUB ESI,EAX
00401318  |. 6A 01       |PUSH 1
0040131A  |. 56          |PUSH ESI
0040131B  |. 50          |PUSH EAX
0040131C  |. FFD5          |CALL EBP
0040131E  |. 83C4 10       |ADD ESP,10
00401321  |. BA 14010000 |MOV EDX,114
00401326  |. 8D7C24 20    |LEA EDI,DWORD PTR SS:[ESP+20]
0040132A  |. E8 C1160000 |CALL pwpack.004029F0
0040132F  |. 56          |PUSH ESI                               ; /Arg2
00401330  |. 8B7424 30    |MOV ESI,DWORD PTR SS:[ESP+30]          ; |
00401334  |. 56          |PUSH ESI                               ; |Arg1
00401335  |. 8D4C24 28    |LEA ECX,DWORD PTR SS:[ESP+28]          ; |
00401339  |. E8 E2000000 |CALL pwpack.00401420                   ; \pwpack.00401420
0040133E  |. 85C0          |TEST EAX,EAX
00401340  |. 894424 10    |MOV DWORD PTR SS:[ESP+10],EAX
00401344  |. 0F85 8C000000  |JNZ pwpack.004013D6
0040134A  |. 8B5424 20    |MOV EDX,DWORD PTR SS:[ESP+20]
0040134E  |. 8DB424 5801000>|LEA ESI,DWORD PTR SS:[ESP+158]
00401355  |. E8 D6060000 |CALL pwpack.00401A30
0040135A  |. 8BCE          |MOV ECX,ESI
0040135C  |. 8D43 10       |LEA EAX,DWORD PTR DS:[EBX+10]
0040135F  |. E8 CC150000 |CALL pwpack.00402930
00401364  |. 8B4424 14    |MOV EAX,DWORD PTR SS:[ESP+14]
00401368  |. 8B4C24 18    |MOV ECX,DWORD PTR SS:[ESP+18]
0040136C  |. 8B7C24 2C    |MOV EDI,DWORD PTR SS:[ESP+2C]
00401370  |. 40          |INC EAX
00401371  |. 33F6          |XOR ESI,ESI
00401373  |. 3BC1          |CMP EAX,ECX
00401375  |. 894424 14    |MOV DWORD PTR SS:[ESP+14],EAX
00401379  |.^0F82 41FFFFFF  \JB pwpack.004012C0
0040137F  |> 8B9424 7C03000>MOV EDX,DWORD PTR SS:[ESP+37C]
00401386  |. 83C3 04       ADD EBX,4
00401389  |. 53          PUSH EBX
0040138A  |. E8 71150000 CALL pwpack.00402900
0040138F  |. 8B4424 20    MOV EAX,DWORD PTR SS:[ESP+20]
00401393  |. 3BC6          CMP EAX,ESI
00401395  |. 74 09       JE SHORT pwpack.004013A0
00401397  |. 50          PUSH EAX
00401398  |. E8 DF920000 CALL <JMP.&MSVCR71.??3@YAXPAX@Z>
0040139D  |. 83C4 04       ADD ESP,4
004013A0  |> 3BFE          CMP EDI,ESI
004013A2  |. 74 09       JE SHORT pwpack.004013AD
004013A4  |. 57          PUSH EDI
004013A5  |. E8 D2920000 CALL <JMP.&MSVCR71.??3@YAXPAX@Z>
004013AA  |. 83C4 04       ADD ESP,4
004013AD  |> 33C0          XOR EAX,EAX
004013AF  |. EB 4E       JMP SHORT pwpack.004013FF
004013B1  |> 8B4424 20    MOV EAX,DWORD PTR SS:[ESP+20]
004013B5  |. 3BC6          CMP EAX,ESI
004013B7  |. 74 09       JE SHORT pwpack.004013C2
004013B9  |. 50          PUSH EAX
004013BA  |. E8 BD920000 CALL <JMP.&MSVCR71.??3@YAXPAX@Z>
004013BF  |. 83C4 04       ADD ESP,4
004013C2  |> 3BFE          CMP EDI,ESI
004013C4  |. 74 09       JE SHORT pwpack.004013CF
004013C6  |. 57          PUSH EDI
004013C7  |. E8 B0920000 CALL <JMP.&MSVCR71.??3@YAXPAX@Z>
004013CC  |. 83C4 04       ADD ESP,4
004013CF  |> B8 03000000 MOV EAX,3
004013D4  |. EB 29       JMP SHORT pwpack.004013FF
004013D6  |> 8BF8          MOV EDI,EAX
004013D8  |. 8B4424 20    MOV EAX,DWORD PTR SS:[ESP+20]
004013DC  |. 85C0          TEST EAX,EAX
004013DE  |. 74 09       JE SHORT pwpack.004013E9
004013E0  |. 50          PUSH EAX
004013E1  |. E8 96920000 CALL <JMP.&MSVCR71.??3@YAXPAX@Z>
004013E6  |. 83C4 04       ADD ESP,4
004013E9  |> 85F6          TEST ESI,ESI
004013EB  |. 74 09       JE SHORT pwpack.004013F6
004013ED  |. 56          PUSH ESI
004013EE  |. E8 89920000 CALL <JMP.&MSVCR71.??3@YAXPAX@Z>
004013F3  |. 83C4 04       ADD ESP,4
004013F6  |> 8BC7          MOV EAX,EDI
004013F8  |. EB 05       JMP SHORT pwpack.004013FF
004013FA  |> B8 02000000 MOV EAX,2
004013FF  |> 5D          POP EBP
00401400  |> 8B8C24 6803000>MOV ECX,DWORD PTR SS:[ESP+368]
00401407  |. 5F          POP EDI
00401408  |. 5E          POP ESI
00401409  |. 5B          POP EBX
0040140A  |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX
00401411  |. 81C4 68030000  ADD ESP,368
00401417  \. C2 0400       RETN 4

望大牛能帮助解答，谢谢

[培训]《安卓高级研修班(网课)》月薪三万计划，掌握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法

收藏・0

免费・0

支持

分享

最新回复 (3)
nxinjian 雪币： 40 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 21 粉丝 0 关注私信	nxinjian 2 楼望大牛能帮忙解答 2010-4-1 20:23 0
sippey 雪币： 34 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 12 粉丝 0 关注私信	sippey 3 楼 ESP call 函数的时候就有啊很多编译器出来的代码不用EBP+偏移指向local变量的直接用ESP 同时跟踪ESP的变化，如果有push xxx，同样的local变量在不同位置出现偏移也不同 2010-4-2 02:52 0
bitt 雪币： 435 活跃值： (1212) 能力值： ( LV13，RANK：388 ) 在线值：发帖 27 回帖 634 粉丝 18 关注私信	bitt 5 4 楼 ls正解一般局部变量都是ebp做基址针的，变量都是ebp-X的形式，这样比较直观，容易管理不过有时候会用esp做指针，形式都是esp+X，而且市场有esp-X来释放无用变量这个事编译器决定的，你不必关心，分清谁是谁就好 2010-4-2 11:28 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

返回

nxinjian

发帖

回帖

RANK

他的文章

看雪公众号

专注于PC、移动、智能设备安全研究及逆向工程的开发者社区

//