0045D530 >/$ BF 01000000 mov edi,1                       ; caller fragment; edi/esi set here survive the call (the callee saves/restores both)
0045D535 |. 68 665E5300 push A.00535E66                  ; 2nd stack arg (a3): end of the byte range, one past the last byte
0045D53A |. 68 555E5300 push A.00535E55                  ; 1st stack arg (a2): start of the range; 0x535E66 - 0x535E55 = 0x11 bytes
0045D53F |. BE 11000000 mov esi,11                       ; 0x11 = length of the range just pushed (presumably; esi's use is not shown here)
0045D544 |. 41 inc ecx                                    ; ecx is the implicit `this` (__thiscall): the callee reads/writes a 16-bit state word at [ecx]; where ecx was loaded is not visible
0045D545 |. E8 D1880D00 call A.00535E1B                  ; callee removes the 8 bytes of args (retn 8). NOTE(review): the range 535E55..535E65 is code right after the callee, so this looks like a self-checksum over code (integrity check) — confirm from the table and how esi/ax are used afterwards
0045D54A |. 90 nop
0045D54B |. 90 nop                                        ; the caller continues past this listing; the returned ax is not consumed in the visible lines
下面是call A.00535E1B 的汇编代码
00535E1B /$ 8B5424 04 mov edx,dword ptr ss:[esp+4]       ; sub_535E1B (__thiscall): edx = a2, 1st stack arg = start of input; ecx (not loaded here) = `this`, address of a 16-bit state word
00535E1F |. 57 push edi                                   ; save edi (callee-saved)
00535E20 |. 8B7C24 0C mov edi,dword ptr ss:[esp+C]       ; edi = a3, 2nd stack arg = end of input (esp+C because of the push above)
00535E24 |. 3BD7 cmp edx,edi
00535E26 |. 73 26 jnb short A.00535E4E                    ; empty range (a2 >= a3): skip the loop. NOTE(review): the target is `pop esi`, but `push esi` below is only executed on the fall-through path, so as listed this path pops one entry too many — confirm in the debugger, or that a2 >= a3 never occurs
00535E28 |. 56 push esi                                   ; save esi (non-empty path only)
00535E29 |. 8BFF mov edi,edi                              ; 2-byte no-op (alignment / hot-patch padding)
00535E2B |> 8A02 /mov al,byte ptr ds:[edx]               ; loop top: al = next input byte
00535E2D |. 3201 |xor al,byte ptr ds:[ecx]               ; al ^= low byte of the state
00535E2F |. 66:0FB671 01 |movzx si,byte ptr ds:[ecx+1]   ; si = high byte of the state, zero-extended (== state >> 8)
00535E34 |. 0FB6C0 |movzx eax,al                         ; eax = table index, 0..255
00535E37 |. 66:8931 |mov word ptr ds:[ecx],si            ; state = state >> 8 (intermediate store, overwritten below)
00535E3A |. 66:3E:8B0445 >|mov ax,word ptr ds:[eax*2+535C10] ; ax = 16-bit table entry word_535C10[index]
00535E43 |. 66:33C6 |xor ax,si                            ; ax = entry ^ (state >> 8): the shape of a table-driven (reflected) CRC-16 step; polynomial not determinable without the table contents
00535E46 |. 42 |inc edx                                   ; advance the input pointer
00535E47 |. 66:8901 |mov word ptr ds:[ecx],ax             ; state = new value (also left in ax as the return value)
00535E4A |. 3BD7 |cmp edx,edi
00535E4C |.^ 72 DD \jb short A.00535E2B                   ; loop while edx < a3
00535E4E |> 5E pop esi                                    ; restore esi (also the jnb target — see the note above)
00535E4F |. 5F pop edi                                    ; restore edi
00535E50 \. C2 0800 retn 8                                ; callee cleans the two 4-byte stack args; return value ax = last state (indeterminate if the loop never ran)
从汇编来看，call 00535E1B 有两个参数（前面不是有两个 push 吗），但是为什么用 IDA F5 后，函数变成三个参数呢？求解释一下，小弟对 C 语言不是很懂。下面是 IDA F5 之后的 call 00535E1B 的代码：
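/**
 * sub_535E1B — IDA F5 output, lightly cleaned up.
 *
 * Folds every byte in the half-open range [a2, a3) into the 16-bit state
 * word at `this`:  state = word_535C10[(state & 0xFF) ^ byte] ^ (state >> 8).
 * That is the shape of a table-driven (reflected) CRC-16 update; the table
 * contents at word_535C10 are not on this page, so the exact polynomial
 * cannot be confirmed from here.
 *
 * Why three parameters when the disassembly pushes only two: the function is
 * __thiscall, so `this` travels in ecx (the asm reads and writes the state
 * through [ecx]), while a2 and a3 are the two pushed values ([esp+4] and,
 * after `push edi`, [esp+C]) that `retn 8` releases. Two stack args + ecx
 * = three parameters.
 *
 * @param this  address of the 16-bit state word (read and updated in place)
 * @param a2    address of the first input byte
 * @param a3    address one past the last input byte
 * @return      the state after the last update. The raw decompiler output
 *              left `result` uninitialized when a2 >= a3 (the binary returns
 *              whatever happened to be in ax); here the unchanged state is
 *              returned so that an empty range is well defined.
 */
__int16 __thiscall sub_535E1B(int this, unsigned int a2, unsigned int a3)
{
  unsigned int i;                       // edx: input cursor
  __int16 v4;                           // si: high byte of the state, zero-extended
  int v5;                               // eax: table index, 0..255
  __int16 result = *(_WORD *)this;      // ax: value returned; starts as the current state

  for ( i = a2; i < a3; ++i )
  {
    // movzx si, byte [this+1]: high byte of the state, zero-extended (== state >> 8).
    v4 = (unsigned __int8)*(_BYTE *)(this + 1);
    // (low byte of state) ^ input byte, masked to one byte for the table index.
    v5 = (unsigned __int8)(*(_BYTE *)this ^ *(_BYTE *)i);
    // The binary stores the shifted state before the table lookup; kept so the
    // sequence of memory writes matches the disassembly.
    *(_WORD *)this = v4;
    result = v4 ^ word_535C10[v5];
    *(_WORD *)this = result;
  }
  return result;
}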