我的反汇编程序如下:
* Referenced by a CALL at Address:
|:000115B0
|
; 00010C52..00010D15: one __stdcall function with a single dword argument
; (see "ret 0004").  Register roles:
;   esi      = [ebp+08], the argument (a struct pointer; fields at +0,+4,+8,+0C are read)
;   [ebp-04] = local copy of [esi+04]
;   ebx      = size selector for the current case (1 / 2 / 4)
;   edi      = status value that is finally returned in eax
; Callee-saved ebx/esi/edi are pushed on entry and popped at 00010D11.
:00010C52 push ebp
:00010C53 mov ebp, esp
:00010C55 push ecx                         ; reserve one dword local -> [ebp-04]
:00010C56 push ebx                         ; save callee-saved registers
:00010C57 push esi
:00010C58 push edi
:00010C59 push 00010C2E                    ; address of the format string inside the image
* Reference To: ntoskrnl.DbgPrint, Ord:002Dh
:00010C5E Call 00011BC0                    ; DbgPrint thunk; cdecl, its one argument is popped at 00010C72
:00010C63 mov esi, dword ptr [ebp+08]      ; esi = argument (struct pointer)
:00010C66 mov eax, dword ptr [esi+04]      ; first dereference: no NULL test precedes it
:00010C69 mov dword ptr [ebp-04], eax      ; local = arg->+04
:00010C6C mov eax, dword ptr [esi+08]      ; switch selector = arg->+08
:00010C6F sub eax, 00000000                ; switch ladder: sets ZF for the "== 0" test
:00010C72 pop ecx                          ; discard the DbgPrint argument (cdecl caller cleanup)
:00010C73 je 00010CCF                      ; selector == 0
:00010C75 dec eax
:00010C76 je 00010CA4                      ; selector == 1
:00010C78 dec eax
:00010C79 jne 00010CF9                     ; selector not in {0,1,2} -> default
:00010C7B push 00000004                    ; fall-through: selector == 2
:00010C7D pop ebx                          ; ebx = 4 (size for this case)
:00010C7E lea eax, dword ptr [ebp+08]
:00010C81 push eax                         ; arg4 = &argument slot (1091C may overwrite it)
:00010C82 lea eax, dword ptr [ebp-04]
:00010C85 push eax                         ; arg3 = &local
:00010C86 push ebx                         ; arg2 = 4
:00010C87 push dword ptr [esi]             ; arg1 = arg->+00
:00010C89 call 0001091C                    ; 1091C(arg->+00, 4, &local, &slot)
:00010C8E mov edi, eax                     ; edi = status
:00010C90 test edi, edi
:00010C92 jne 00010D0F                     ; nonzero status -> return it unchanged
:00010C94 push [esi+0C]                    ; arg3 = arg->+0C as a full dword
:00010C97 push [ebp-04]                    ; arg2 = local
:00010C9A push [ebp+08]                    ; arg1 = slot (possibly updated by 1091C)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00010C32(C)
|
:00010C9D call 00010A2C                    ; 10A2C(slot, local, dword); the xref from 00010C32 lies before this function's entry - looks like shared code or a disassembler split, unverified
:00010CA2 jmp 00010D03                     ; common tail: 1097C(slot, local, ebx=4)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00010C76(C)
|
:00010CA4 push 00000002                    ; selector == 1
:00010CA6 pop ebx                          ; ebx = 2
:00010CA7 lea eax, dword ptr [ebp+08]
:00010CAA push eax                         ; arg4 = &slot
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00010C40(C)
|
:00010CAB lea eax, dword ptr [ebp-04]
:00010CAE push eax                         ; arg3 = &local
:00010CAF push ebx                         ; arg2 = 2
:00010CB0 push dword ptr [esi]             ; arg1 = arg->+00
:00010CB2 call 0001091C                    ; 1091C(arg->+00, 2, &local, &slot)
:00010CB7 mov edi, eax                     ; edi = status
:00010CB9 test edi, edi
:00010CBB jne 00010D0F                     ; nonzero status -> return
:00010CBD mov ax, word ptr [esi+0C]        ; eax == edi == 0 here, so this is a zero-extended 16-bit load of +0C
:00010CC1 push eax                         ; arg3 = +0C & 0xFFFF
:00010CC2 push [ebp-04]                    ; arg2 = local
:00010CC5 push [ebp+08]                    ; arg1 = slot
:00010CC8 call 00010A0A                    ; 10A0A(slot, local, word)
:00010CCD jmp 00010D03                     ; common tail: 1097C(slot, local, ebx=2)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00010C73(C)
|
:00010CCF lea eax, dword ptr [ebp+08]      ; selector == 0
:00010CD2 push eax                         ; arg4 = &slot
:00010CD3 lea eax, dword ptr [ebp-04]
:00010CD6 xor ebx, ebx
:00010CD8 push eax                         ; arg3 = &local
:00010CD9 inc ebx                          ; ebx = 1
:00010CDA push ebx                         ; arg2 = 1
:00010CDB push dword ptr [esi]             ; arg1 = arg->+00
:00010CDD call 0001091C                    ; 1091C(arg->+00, 1, &local, &slot)
:00010CE2 mov edi, eax                     ; edi = status
:00010CE4 test edi, edi
:00010CE6 jne 00010D0F                     ; nonzero status -> return
:00010CE8 mov al, byte ptr [esi+0C]        ; eax == 0 here, so this is a zero-extended 8-bit load of +0C
:00010CEB push eax                         ; arg3 = +0C & 0xFF
:00010CEC push [ebp-04]                    ; arg2 = local
:00010CEF push [ebp+08]                    ; arg1 = slot
:00010CF2 call 000109E8                    ; 109E8(slot, local, byte) - the case-0 handler
:00010CF7 jmp 00010CFF                     ; re-tests edi (still 0) and then reaches the 1097C tail with ebx = 1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00010C79(C)
|
:00010CF9 mov ebx, dword ptr [ebp+08]      ; default: ebx = pointer (becomes arg3 of 1097C)
:00010CFC mov edi, dword ptr [ebp+08]      ; edi = pointer, used as the status value
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00010CF7(U)
|
:00010CFF test edi, edi                    ; the only NULL test of the pointer, after +04/+08 were already read
:00010D01 jne 00010D0F                     ; non-NULL pointer is returned as the status
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00010CA2(U), :00010CCD(U)
|
:00010D03 push ebx                         ; arg3 = 1 / 2 / 4 for the cases, the pointer for default
:00010D04 push [ebp-04]                    ; arg2 = local
:00010D07 push [ebp+08]                    ; arg1 = slot
:00010D0A call 0001097C                    ; 1097C(slot, local, ebx); its return value is discarded
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00010C92(C), :00010CBB(C), :00010CE6(C), :00010D01(C)
|
:00010D0F mov eax, edi                     ; return status
:00010D11 pop edi                          ; restore callee-saved registers
:00010D12 pop esi
:00010D13 pop ebx
:00010D14 leave                            ; mov esp, ebp / pop ebp - also releases the [ebp-04] local
:00010D15 ret 0004                         ; __stdcall: pop the single dword argument
请大虾帮忙看看我逆向的结果是否正确,结果如下:
// Layout inferred from the [esi+xx] accesses in the listing (esi = the argument).
struct DATA1
{
int a;//+0   [esi]    : pushed as arg1 of 1091C in all three cases
int b;//+4   [esi+04] : copied into the local at [ebp-04] on entry
int c;//+8   [esi+08] : switch selector (0, 1, 2, anything else -> default)
int d;//+0xc [esi+0C] : passed to 109E8 / 10A0A / 10A2C as a byte / word / dword respectively
};
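// Reconstruction of 00010C52..00010D15.  "ret 0004" => one 4-byte __stdcall
// argument.  Mapping used below:
//   esi      = SystemBuffer ([ebp+08]); the slot is also passed by address to
//              1091C, so that helper may replace the pointer before it is
//              forwarded to the other helpers
//   [ebp-04] = i  (= SystemBuffer->b)
//   ebx      = size for the current case (1 / 2 / 4)
//   edi      = status, returned in eax
// SystemBuffer is dereferenced (->b, ->c) before any NULL test; the only NULL
// check is in the default path.  No length check on the buffer is visible in
// this function, so whoever calls it has to guarantee at least 0x10 bytes
// (d lives at +0xc).
NTSTATUS __stdcall fun2(
DATA1 * SystemBuffer//ebp+0x8
)
{
int i=SystemBuffer->b;//ebp-4
int ret;//edi
DbgPrint((const char*)0x10C2E);//format string inside the image; the "pop ecx" after the call is cdecl caller cleanup
switch(SystemBuffer->c)
{
case 0:{//00010CCF, ebx = 1
ret=call __stdcall 1091C(SystemBuffer->a,1,&i,&SystemBuffer);
if(!ret)
{
call __stdcall 109E8(SystemBuffer,i,SystemBuffer->d&0xFF);//mov al, byte ptr [esi+0C] with eax == 0
call __stdcall 1097C(SystemBuffer,i,1);//reached through jmp 00010CFF -> 00010D03 (edi is still 0 there)
}
break;
}
case 1:{//00010CA4, ebx = 2
ret=call __stdcall 1091C(SystemBuffer->a,2,&i,&SystemBuffer);
if(!ret)
{
call __stdcall 10A0A(SystemBuffer,i,SystemBuffer->d&0xFFFF);//mov ax, word ptr [esi+0C] with eax == 0
call __stdcall 1097C(SystemBuffer,i,2);
}
break;
}
case 2:{//00010C7B (fall-through of the dec/jne ladder), ebx = 4
ret=call __stdcall 1091C(SystemBuffer->a,4,&i,&SystemBuffer);
if(!ret)
{
call __stdcall 10A2C(SystemBuffer,i,SystemBuffer->d);//full dword
call __stdcall 1097C(SystemBuffer,i,4);
}
break;
}
default:
{
//00010CF9: ebx = edi = SystemBuffer; a non-NULL pointer value is returned as the status
ret=(int)SystemBuffer;
if(!ret)
call __stdcall 1097C(SystemBuffer,i,SystemBuffer);//NULL is only detected here, after ->b and ->c were already read
break;
}
}
return ret;//mov eax, edi; the return value of 1097C is discarded
}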