[Help] After reversing in OD, I found that everything uses ESP rather than EBP for stack addressing. How do I debug this??
The main problem is that it is hard to tell what esp+xxx refers to.
Part of the code is below:
0047619D |> 85DB TEST EBX,EBX
0047619F |. 74 09 JE SHORT pdoc.004761AA
004761A1 |. 6A 01 PUSH 1 ; /How = SD_SEND
004761A3 |. 53 PUSH EBX ; |Socket
004761A4 |. FF15 04FE4700 CALL DWORD PTR DS:[<&WS2_32.#22>] ; \shutdown
004761AA |> 8B45 18 MOV EAX,DWORD PTR SS:[EBP+18]
004761AD |. C700 01000000 MOV DWORD PTR DS:[EAX],1
004761B3 |. C74424 10 000>MOV DWORD PTR SS:[ESP+10],0
004761BB |. E9 E1010000 JMP pdoc.004763A1
004761C0 |> FF15 FCFD4700 CALL DWORD PTR DS:[<&WS2_32.#111>] ; [WSAGetLastError
004761C6 |. 2D 01000100 SUB EAX,10001 ; Switch (cases 10001..10002)
004761CB |. 74 10 JE SHORT pdoc.004761DD
004761CD |. 48 DEC EAX
004761CE |. 75 30 JNZ SHORT pdoc.00476200
004761D0 |. C74424 10 060>MOV DWORD PTR SS:[ESP+10],6 ; Case 10002 of switch 004761C6
004761D8 |. E9 C4010000 JMP pdoc.004763A1
004761DD |> 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; Case 10001 of switch 004761C6
004761E0 |. 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4]
004761E3 |. 6A 00 PUSH 0 ; /Timeout = 0. ms
004761E5 |. 52 PUSH EDX ; |hObject
004761E6 |. FF15 0CF14700 CALL DWORD PTR DS:[<&KERNEL32.WaitForSin>; \WaitForSingleObject
004761EC |. 3D 02010000 CMP EAX,102
004761F1 |. 75 0D JNZ SHORT pdoc.00476200
004761F3 |. C74424 10 050>MOV DWORD PTR SS:[ESP+10],5
004761FB |. E9 A1010000 JMP pdoc.004763A1
00476200 |> 8B45 18 MOV EAX,DWORD PTR SS:[EBP+18] ; Default case of switch 004761C6
00476203 |. C700 01000000 MOV DWORD PTR DS:[EAX],1
00476209 |. C74424 10 020>MOV DWORD PTR SS:[ESP+10],2
00476211 |. E9 8B010000 JMP pdoc.004763A1
00476216 |> 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
0047621A |. 85C9 TEST ECX,ECX
0047621C |. C74424 10 000>MOV DWORD PTR SS:[ESP+10],0
00476224 |. 0F84 06010000 JE pdoc.00476330
0047622A |. 83F8 07 CMP EAX,7
0047622D |. 0F82 DD000000 JB pdoc.00476310
00476233 |. 8B9424 440700>MOV EDX,DWORD PTR SS:[ESP+744]
0047623A |. 8D78 FA LEA EDI,DWORD PTR DS:[EAX-6]
0047623D |. 0FB7F7 MOVZX ESI,DI
00476240 |. 8BC6 MOV EAX,ESI
00476242 |. 8D8C24 460700>LEA ECX,DWORD PTR SS:[ESP+746]
00476249 |. 895424 14 MOV DWORD PTR SS:[ESP+14],EDX
0047624D |. E8 9EF7FFFF CALL pdoc.004759F0
00476252 |. 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
00476256 |. 66:0FB611 MOVZX DX,BYTE PTR DS:[ECX]
0047625A |. 8B8C24 440700>MOV ECX,DWORD PTR SS:[ESP+744]
00476261 |. 03D1 ADD EDX,ECX
00476263 |. 03C2 ADD EAX,EDX
00476265 |. 66:398424 420>CMP WORD PTR SS:[ESP+742],AX
0047626D |. 0F85 9D000000 JNZ pdoc.00476310
00476273 |. 66:3BCF CMP CX,DI
00476276 |. 0F87 94000000 JA pdoc.00476310
0047627C |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
00476280 |. 8DBC24 400700>LEA EDI,DWORD PTR SS:[ESP+740]
00476287 |. E8 D40E0000 CALL pdoc.00477160
0047628C |. 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
00476290 |. 6A 01 PUSH 1
00476292 |. 6A 10 PUSH 10
00476294 |. 50 PUSH EAX
00476295 |. 56 PUSH ESI
00476296 |. 8D8C24 560700>LEA ECX,DWORD PTR SS:[ESP+756]
0047629D |. 51 PUSH ECX
0047629E |. 8BD7 MOV EDX,EDI
004762A0 |. 52 PUSH EDX
004762A1 |. 8D4C24 40 LEA ECX,DWORD PTR SS:[ESP+40]
004762A5 |. C78424 6C0701>MOV DWORD PTR SS:[ESP+1076C],0
004762B0 |. E8 9B160000 CALL pdoc.00477950
004762B5 |. 84C0 TEST AL,AL
004762B7 |. 75 37 JNZ SHORT pdoc.004762F0
004762B9 |. 85DB TEST EBX,EBX
004762BB |. 74 09 JE SHORT pdoc.004762C6
004762BD |. 6A 01 PUSH 1 ; /How = SD_SEND
004762BF |. 53 PUSH EBX ; |Socket
004762C0 |. FF15 04FE4700 CALL DWORD PTR DS:[<&WS2_32.#22>] ; \shutdown
004762C6 |> 8B45 18 MOV EAX,DWORD PTR SS:[EBP+18]
004762C9 |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
004762CD |. C700 01000000 MOV DWORD PTR DS:[EAX],1
004762D3 |. C74424 10 020>MOV DWORD PTR SS:[ESP+10],2
004762DB |. C78424 540701>MOV DWORD PTR SS:[ESP+10754],-1
004762E6 |. E8 850E0000 CALL pdoc.00477170
004762EB |. E9 B1000000 JMP pdoc.004763A1
004762F0 |> 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
004762F4 |. FE00 INC BYTE PTR DS:[EAX]
004762F6 |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
004762FA |. C78424 540701>MOV DWORD PTR SS:[ESP+10754],-1
00476305 |. E8 660E0000 CALL pdoc.00477170
0047630A |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
0047630E |. EB 4F JMP SHORT pdoc.0047635F
00476310 |> 85DB TEST EBX,EBX
00476312 |. 74 09 JE SHORT pdoc.0047631D
00476314 |. 6A 01 PUSH 1 ; /How = SD_SEND
00476316 |. 53 PUSH EBX ; |Socket
00476317 |. FF15 04FE4700 CALL DWORD PTR DS:[<&WS2_32.#22>] ; \shutdown
0047631D |> 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
00476320 |. C701 01000000 MOV DWORD PTR DS:[ECX],1
00476326 |. C74424 10 020>MOV DWORD PTR SS:[ESP+10],2
0047632E |. EB 71 JMP SHORT pdoc.004763A1
00476330 |> 83F8 03 CMP EAX,3
00476333 |. 73 20 JNB SHORT pdoc.00476355
00476335 |. 85DB TEST EBX,EBX
00476337 |. 74 09 JE SHORT pdoc.00476342
00476339 |. 6A 01 PUSH 1 ; /How = SD_SEND
0047633B |. 53 PUSH EBX ; |Socket
0047633C |. FF15 04FE4700 CALL DWORD PTR DS:[<&WS2_32.#22>] ; \shutdown
00476342 |> 8B55 18 MOV EDX,DWORD PTR SS:[EBP+18]
00476345 |. C702 01000000 MOV DWORD PTR DS:[EDX],1
0047634B |. C74424 10 020>MOV DWORD PTR SS:[ESP+10],2
00476353 |. EB 4C JMP SHORT pdoc.004763A1
00476355 |> 8DBC24 420700>LEA EDI,DWORD PTR SS:[ESP+742]
0047635C |. 83C0 FE ADD EAX,-2
0047635F |> 66:3D 0200 CMP AX,2
00476363 |. 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
00476366 |. 66:8B17 MOV DX,WORD PTR DS:[EDI]
00476369 |. C701 00000000 MOV DWORD PTR DS:[ECX],0
0047636F |. 8B4D 1C MOV ECX,DWORD PTR SS:[EBP+1C]
00476372 |. 66:8911 MOV WORD PTR DS:[ECX],DX
00476375 |. 75 0B JNZ SHORT pdoc.00476382
00476377 |. 8B55 24 MOV EDX,DWORD PTR SS:[EBP+24]
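The reason an ESP-relative offset is hard to read is that it moves: every PUSH lowers ESP by 4, so the same local appears as [ESP+28] before a call's arguments are pushed and as [ESP+40] once six of them (0x18 bytes) are on the stack. The fix is to track the ESP delta through the block and express every operand relative to a fixed base, which is what a debugger's stack-pointer analysis does. Below is an added example (not code from the post, from OllyDbg or from the pdoc binary) that does this bookkeeping over OllyDbg-style listing lines. It assumes every CALL is callee-clean (stdcall/thiscall, as the WS2_32 and KERNEL32 imports in the listing are) and that the lines form a straight-line run; the `BASE` name and the `rewrite`/`base_ref` helpers are this example's own.

```python
"""Turn ESP-relative operands in an OllyDbg listing into frame-relative ones.

Added example, not code from the original post. It walks a straight-line
run of instructions, tracks how far ESP has moved from its value at the
first line (PUSH, POP, ADD ESP,n, SUB ESP,n), and rewrites each [ESP+xx]
as [BASE+yy], where BASE is ESP at block entry. Two accesses to the same
local then get the same BASE offset even when a different number of
arguments is sitting on the stack at each access.

Assumption (labelled): every CALL is callee-clean (stdcall/thiscall, like
the WS2_32/KERNEL32 imports in the listing), so the bytes pushed since the
previous CALL are popped by the callee. Pass callee_cleanup=False for cdecl
code, where the caller's own ADD ESP,n is what restores the stack.
"""
import re

PUSH_RE = re.compile(r"\bPUSH\b")
POP_RE = re.compile(r"\bPOP\b")
ADJ_RE = re.compile(r"\b(ADD|SUB)\s+ESP\s*,\s*([0-9A-F]+)\b", re.I)
CALL_RE = re.compile(r"\bCALL\b")
ESP_REF_RE = re.compile(r"\[ESP(?:\+([0-9A-F]+))?\]", re.I)

# Lines taken from the listing in the post (the jump at 004762B7 is
# left out so the run is straight-line; only the operands matter here).
SAMPLE = """\
0047627C |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
00476280 |. 8DBC24 400700>LEA EDI,DWORD PTR SS:[ESP+740]
00476287 |. E8 D40E0000 CALL pdoc.00477160
0047628C |. 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
00476290 |. 6A 01 PUSH 1
00476292 |. 6A 10 PUSH 10
00476294 |. 50 PUSH EAX
00476295 |. 56 PUSH ESI
00476296 |. 8D8C24 560700>LEA ECX,DWORD PTR SS:[ESP+756]
0047629D |. 51 PUSH ECX
0047629E |. 8BD7 MOV EDX,EDI
004762A0 |. 52 PUSH EDX
004762A1 |. 8D4C24 40 LEA ECX,DWORD PTR SS:[ESP+40]
004762A5 |. C78424 6C0701>MOV DWORD PTR SS:[ESP+1076C],0
004762B0 |. E8 9B160000 CALL pdoc.00477950
004762B5 |. 84C0 TEST AL,AL
004762C9 |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
004762DB |. C78424 540701>MOV DWORD PTR SS:[ESP+10754],-1
""".splitlines()


def base_ref(off):
    """Render a signed offset from BASE in OllyDbg's bare-hex style."""
    return "[BASE+%X]" % off if off >= 0 else "[BASE-%X]" % -off


def rewrite(lines, callee_cleanup=True):
    """Return [(address, code_with_BASE_offsets, esp_delta_after)] per line.

    esp_delta is ESP minus BASE in bytes; negative means the stack has
    grown. Operands are rewritten with the delta *before* the instruction's
    own ESP change, since that is the ESP value the operand is computed from.
    """
    delta = 0
    pushed_since_call = 0
    result = []
    for line in lines:
        code = line.split(";", 1)[0].rstrip()   # drop OllyDbg's comment column
        address = code.split()[0]
        cur = delta

        def to_base(m):
            off = int(m.group(1), 16) if m.group(1) else 0
            return base_ref(cur + off)           # [ESP+off] == BASE + (delta + off)

        code = ESP_REF_RE.sub(to_base, code)

        adj = ADJ_RE.search(code)
        if PUSH_RE.search(code):
            delta -= 4
            pushed_since_call += 4
        elif POP_RE.search(code):
            delta += 4
            pushed_since_call = max(0, pushed_since_call - 4)
        elif adj:
            n = int(adj.group(2), 16)
            delta += n if adj.group(1).upper() == "ADD" else -n
        elif CALL_RE.search(code):
            if callee_cleanup:
                delta += pushed_since_call       # callee popped its arguments
            pushed_since_call = 0
        result.append((address, code, delta))
    return result


if __name__ == "__main__":
    for address, code, d in rewrite(SAMPLE):
        print("%s  esp-base=%-4s  %s" % (address, base_ref(d)[5:-1], code))
```

Run on the lines above, 0047627C `[ESP+28]`, 004762A1 `[ESP+40]` and 004762C9 `[ESP+28]` all come out as `[BASE+28]`, and 00476296 `[ESP+756]` lands on `[BASE+746]`, the same slot 00476242 addresses directly; once offsets are normalised this way, a name can be attached to each BASE offset and the block read like an EBP-based frame. If the target turns out to be cdecl, the callee-clean assumption is wrong and `callee_cleanup=False` must be used, otherwise every access after a call is shifted by the size of the argument list.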