Written the day before yesterday. It modifies the function's ret to control the function's flow; it compiles, and it passed testing on VC6 and on a standard C99 compiler.
No warnings, standard C, release build passes.
#include<windows.h>
void _stdcall Engine(void *Addr);
void _stdcall AddressA(void)
{
    MessageBox(NULL,"222","函数2",MB_OK);
}
void _stdcall Address(void)
{
    MessageBox(NULL,"222","函数1",MB_OK);
    Engine(AddressA);
}
void _stdcall Engine(void *Addr) // the function to pay attention to
{
    unsigned int A=2;
    unsigned int B=0;            // local variable
    unsigned int *c=&A;          // local variable
    c=c+2;                       // now points at EBP+4, which is where the CALL's return address is saved
    B=0xe7ED4F3A9;               // junk begins: these are decoy instructions meant to confuse
    A^=(unsigned int)&B;
    *(unsigned int*)c=A;
    B=(unsigned int)*(unsigned int*)c;
    *(unsigned int*)c^=*(unsigned int*)B;
    A=(unsigned int)*(unsigned int*)c;
    *(unsigned int*)c=A^B;
    B=(unsigned int)*(unsigned int*)c;
    *(unsigned int*)c=B^A;
    B=*(unsigned int*)c^A;
    A=B^A;
    *(unsigned int*)c=*(unsigned int*)A; // junk ends
    *(unsigned int*)c=(unsigned int)Addr; // the key line: c now points at this function's return address, so storing the target function's address there makes the return jump to it (function redirection)
}
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
    MessageBox(NULL,"222","函数1",MB_OK);
    Engine(Address);
    return 0;
}