; ---------------------------------------------------------------------------
; fn_00401760 — CRT entry point of this image (x86-32, MSVCRT.dll-linked).
; The call sequence (__set_app_type(2), __getmainargs, program-name skip,
; GetStartupInfoA, GetModuleHandleA, 4-arg call, exit) matches the classic
; VC6 WinMainCRTStartup pattern, so 0040146E is presumably the application's
; WinMain — confirm against the PE entry point / symbols before relying on it.
;
; Frame after the prologue:
;   [ebp-0x04] SEH trylevel          [ebp-0x08] scope table 004020B8
;   [ebp-0x0C] _except_handler3      [ebp-0x10] previous fs:[0] link
;   [ebp-0x14] EXCEPTION_POINTERS* (written by _except_handler3 on a fault — presumed)
;   [ebp-0x18] esp snapshot restored by the __except body
;   [ebp-0x5C] STARTUPINFOA (dwFlags at ebp-0x30, wShowWindow at ebp-0x2C)
;   [ebp-0x60] argc   [ebp-0x64] envp   [ebp-0x68] WinMain result
;   [ebp-0x6C] _startupinfo.newmode     [ebp-0x70] argv
;   [ebp-0x74] command-line cursor      [ebp-0x78] exception code
;
; Security notes (review):
;  - The SEH record (prev link + handler pointer) is stack-resident. Unless
;    the image carries a SafeSEH handler table, a stack overflow in any callee
;    that reaches this frame lets an attacker redirect execution at the next
;    exception. Check the PE LOAD_CONFIG / SafeSEH flag.
;  - lpCmdLine handed to 0040146E is the raw process command line with only
;    the program name stripped; nothing else is validated here.
;  - The __except body ends the process with _exit (no atexit handlers), so
;    any cleanup registered by the app does not run on an unhandled fault.
; ---------------------------------------------------------------------------
00401760 > $ 55 push ebp
00401761 . 8BEC mov ebp,esp
00401763 . 6A FF push -0x1 ; [ebp-4] = SEH trylevel -1 (not inside __try yet)
00401765 . 68 B8204000 push 复件_(2).004020B8 ; [ebp-8] = scope table for _except_handler3
0040176A . 68 60194000 push <jmp.&MSVCRT._except_handler3> ; [ebp-0xC] = handler (import thunk below); installs the SEH frame
0040176F . 64:A1 00000000 mov eax,dword ptr fs:[0] ; previous EXCEPTION_REGISTRATION
00401775 . 50 push eax ; [ebp-0x10] = prev link
00401776 . 64:8925 000000>mov dword ptr fs:[0],esp ; fs:[0] now points at this frame's record (ebp-0x10)
0040177D . 83C4 98 add esp,-0x68 ; locals: ebp-0x78 .. ebp-0x11
00401780 . 53 push ebx
00401781 . 56 push esi
00401782 . 57 push edi ; callee-saved registers
00401783 . 8965 E8 mov dword ptr ss:[ebp-0x18],esp ; esp snapshot the __except body restores
00401786 . C745 FC 000000>mov dword ptr ss:[ebp-0x4],0x0 ; trylevel 0: everything below is inside __try
0040178D . 6A 02 push 0x2 ; 2 = _GUI_APP for __set_app_type (1 would be a console app)
0040178F . FF15 48204000 call dword ptr ds:[<&MSVCRT.__set_app_type>] ; MSVCRT.__set_app_type
00401795 . 83C4 04 add esp,0x4 ; cdecl cleanup
00401798 . C705 F4354000 >mov dword ptr ds:[0x4035F4],-0x1 ; CRT global set to -1 (VC6 __onexitbegin — no symbols, unverified)
004017A2 . C705 F8354000 >mov dword ptr ds:[0x4035F8],-0x1 ; CRT global set to -1 (VC6 __onexitend — no symbols, unverified)
004017AC . FF15 4C204000 call dword ptr ds:[<&MSVCRT.__p__fmode>] ; MSVCRT.__p__fmode — eax = &_fmode inside MSVCRT
004017B2 . 8B0D A4314000 mov ecx,dword ptr ds:[0x4031A4]
004017B8 . 8908 mov dword ptr ds:[eax],ecx ; *__p__fmode() = [0x4031A4] (this image's default file mode)
004017BA . FF15 5C204000 call dword ptr ds:[<&MSVCRT.__p__commode>] ; MSVCRT.__p__commode — eax = &_commode
004017C0 . 8B15 A0314000 mov edx,dword ptr ds:[0x4031A0]
004017C6 . 8910 mov dword ptr ds:[eax],edx ; *__p__commode() = [0x4031A0]
004017C8 . A1 50204000 mov eax,dword ptr ds:[<&MSVCRT._adjust_fdiv>]
004017CD . 8B08 mov ecx,dword ptr ds:[eax]
004017CF . 890D FC354000 mov dword ptr ds:[0x4035FC],ecx ; local copy of MSVCRT._adjust_fdiv (Pentium FDIV workaround flag)
004017D5 . E8 76010000 call 复件_(2).00401950 ; empty stub (single ret) — no effect
004017DA . A1 80304000 mov eax,dword ptr ds:[0x403080]
004017DF . 85C0 test eax,eax
004017E1 . 75 0E jnz X复件_(2).004017F1 ; [0x403080] != 0 -> keep the CRT's default matherr
004017E3 . 68 40194000 push 复件_(2).00401940 ; else register the xor-eax/ret stub as user matherr
004017E8 . FF15 60204000 call dword ptr ds:[<&MSVCRT.__setusermatherr>] ; MSVCRT.__setusermatherr
004017EE . 83C4 04 add esp,0x4
004017F1 > E8 2A010000 call 复件_(2).00401920 ; _controlfp(0x10000,0x30000): x87 precision-control setup
004017F6 . 68 0C304000 push 复件_(2).0040300C ; end of first initializer table
004017FB . 68 08304000 push 复件_(2).00403008 ; begin of first initializer table
00401800 . E8 11010000 call <jmp.&MSVCRT._initterm> ; run fn pointers in [00403008,0040300C) (C initializers, presumably __xi_a..__xi_z)
00401805 . 83C4 08 add esp,0x8
00401808 . 8B15 9C314000 mov edx,dword ptr ds:[0x40319C]
0040180E . 8955 94 mov dword ptr ss:[ebp-0x6C],edx ; _startupinfo.newmode = [0x40319C]
00401811 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
00401814 . 50 push eax ; arg5: &_startupinfo
00401815 . 8B0D 98314000 mov ecx,dword ptr ds:[0x403198]
0040181B . 51 push ecx ; arg4: dowildcard = [0x403198]
0040181C . 8D55 9C lea edx,dword ptr ss:[ebp-0x64]
0040181F . 52 push edx ; arg3: &envp
00401820 . 8D45 90 lea eax,dword ptr ss:[ebp-0x70]
00401823 . 50 push eax ; arg2: &argv
00401824 . 8D4D A0 lea ecx,dword ptr ss:[ebp-0x60]
00401827 . 51 push ecx ; arg1: &argc
00401828 . FF15 68204000 call dword ptr ds:[<&MSVCRT.__getmainargs>] ; MSVCRT.__getmainargs(&argc,&argv,&envp,dowildcard,&startupinfo)
0040182E . 83C4 14 add esp,0x14 ; 5 args x 4 bytes
00401831 . 68 04304000 push 复件_(2).00403004 ; end of second initializer table
00401836 . 68 00304000 push 复件_(2).00403000 ; begin of second initializer table
0040183B . E8 D6000000 call <jmp.&MSVCRT._initterm> ; run [00403000,00403004) (C++ static ctors, presumably __xc_a..__xc_z)
00401840 . 83C4 08 add esp,0x8
00401843 . FF15 6C204000 call dword ptr ds:[<&MSVCRT.__p__acmdln>] ; MSVCRT.__p__acmdln — eax = &_acmdln
00401849 . 8B30 mov esi,dword ptr ds:[eax] ; esi = raw ANSI command line (CRT-owned, NUL-terminated)
0040184B . 8975 8C mov dword ptr ss:[ebp-0x74],esi ; cursor is mirrored into this local on every advance
0040184E . 803E 22 cmp byte ptr ds:[esi],0x22 ; is the program name quoted?
00401851 . 0F85 A8000000 jnz 复件_(2).004018FF ; no -> skip the unquoted token (loop at the end of this routine)
00401857 > 46 inc esi ; --- quoted name: advance until the closing '"' or NUL ---
00401858 . 8975 8C mov dword ptr ss:[ebp-0x74],esi
0040185B . 8A06 mov al,byte ptr ds:[esi]
0040185D . 84C0 test al,al
0040185F . 74 04 je X复件_(2).00401865 ; NUL: stop (an unterminated quote is tolerated)
00401861 . 3C 22 cmp al,0x22
00401863 .^ 75 F2 jnz X复件_(2).00401857
00401865 > 803E 22 cmp byte ptr ds:[esi],0x22
00401868 . 75 04 jnz X复件_(2).0040186E
0040186A . 46 inc esi ; step over the closing '"'
0040186B . 8975 8C mov dword ptr ss:[ebp-0x74],esi
0040186E > 8A06 mov al,byte ptr ds:[esi] ; --- skip whitespace: any byte <= 0x20 except NUL ---
00401870 . 84C0 test al,al
00401872 . 74 0A je X复件_(2).0040187E
00401874 . 3C 20 cmp al,0x20
00401876 . 77 06 ja X复件_(2).0040187E ; unsigned compare: bytes >= 0x80 count as argument text, not whitespace
00401878 . 46 inc esi
00401879 . 8975 8C mov dword ptr ss:[ebp-0x74],esi
0040187C .^ EB F0 jmp X复件_(2).0040186E
0040187E > C745 D0 000000>mov dword ptr ss:[ebp-0x30],0x0 ; esi = lpCmdLine; STARTUPINFOA.dwFlags = 0 (cb is never set; GetStartupInfoA does not read it)
00401885 . 8D55 A4 lea edx,dword ptr ss:[ebp-0x5C]
00401888 . 52 push edx ; /pStartupinfo — STARTUPINFOA at ebp-0x5C
00401889 . FF15 10204000 call dword ptr ds:[<&KERNEL32.GetStartupInfoA>] ; \GetStartupInfoA
0040188F . F645 D0 01 test byte ptr ss:[ebp-0x30],0x1 ; dwFlags & STARTF_USESHOWWINDOW
00401893 . 74 0A je X复件_(2).0040189F
00401895 . 8B45 D4 mov eax,dword ptr ss:[ebp-0x2C]
00401898 . 25 FFFF0000 and eax,0xFFFF ; nCmdShow = wShowWindow (WORD at STARTUPINFOA+0x30)
0040189D . EB 05 jmp X复件_(2).004018A4
0040189F > B8 0A000000 mov eax,0xA ; else nCmdShow = SW_SHOWDEFAULT (10)
004018A4 > 50 push eax ; arg4: nCmdShow
004018A5 . 56 push esi ; arg3: lpCmdLine (unvalidated beyond the name skip above)
004018A6 . 6A 00 push 0x0 ; arg2: hPrevInstance = NULL
004018A8 . 6A 00 push 0x0 ; /pModule = NULL — argument of GetModuleHandleA (stdcall, popped by the callee)
004018AA . FF15 14204000 call dword ptr ds:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA — hInstance of this image
004018B0 . 50 push eax ; arg1: hInstance
004018B1 . E8 B8FBFFFF call 复件_(2).0040146E ; presumably WinMain(hInstance,0,lpCmdLine,nCmdShow); stdcall — callee pops the 16 bytes (no add esp follows)
004018B6 . 8945 98 mov dword ptr ss:[ebp-0x68],eax ; return value of 0040146E
004018B9 . 50 push eax ; /status
004018BA . FF15 70204000 call dword ptr ds:[<&MSVCRT.exit>] ; \exit — runs atexit/onexit handlers, does not return
004018C0 . EB 22 jmp X复件_(2).004018E4 ; only reached if exit returned -> epilogue
004018C2 . 8B45 EC mov eax,dword ptr ss:[ebp-0x14] ; --- __except filter: entered via scope table 004020B8, never by fall-through ---
004018C5 . 8B08 mov ecx,dword ptr ds:[eax] ; EXCEPTION_POINTERS* -> ExceptionRecord* (presumed layout)
004018C7 . 8B09 mov ecx,dword ptr ds:[ecx] ; ExceptionRecord->ExceptionCode
004018C9 . 894D 88 mov dword ptr ss:[ebp-0x78],ecx ; keep the code for _exit in the handler body
004018CC . 50 push eax
004018CD . 51 push ecx
004018CE . E8 3D000000 call <jmp.&MSVCRT._XcptFilter> ; _XcptFilter(code, pointers) -> EXCEPTION_* disposition
004018D3 . 83C4 08 add esp,0x8
004018D6 . C3 retn ; disposition back to _except_handler3
004018D7 . 8B65 E8 mov esp,dword ptr ss:[ebp-0x18] ; --- __except body: restore the esp saved in the prologue ---
004018DA . 8B55 88 mov edx,dword ptr ss:[ebp-0x78]
004018DD . 52 push edx ; /status = exception code
004018DE . FF15 78204000 call dword ptr ds:[<&MSVCRT._exit>] ; \_exit — terminates WITHOUT running atexit handlers
004018E4 > 83C4 04 add esp,0x4 ; --- epilogue: balances the push before exit ---
004018E7 . C745 FC FFFFFF>mov dword ptr ss:[ebp-0x4],-0x1 ; leave __try
004018EE . 8B4D F0 mov ecx,dword ptr ss:[ebp-0x10]
004018F1 . 64:890D 000000>mov dword ptr fs:[0],ecx ; unlink this SEH frame
004018F8 . 5F pop edi
004018F9 . 5E pop esi
004018FA . 5B pop ebx
004018FB . 8BE5 mov esp,ebp
004018FD . 5D pop ebp
004018FE . C3 retn
004018FF > 803E 20 cmp byte ptr ds:[esi],0x20 ; --- unquoted program name: skip until whitespace or NUL ---
00401902 .^ 0F86 66FFFFFF jbe 复件_(2).0040186E ; <= 0x20 (incl. NUL) -> back to the whitespace skip
00401908 . 46 inc esi
00401909 . 8975 8C mov dword ptr ss:[ebp-0x74],esi
0040190C .^ EB F1 jmp X复件_(2).004018FF
0040190E 90 nop
0040190F 90 nop
; Import thunks: tail-jump through the IAT so the `call <jmp.&MSVCRT.*>`
; sites in the startup routine reach MSVCRT via one indirect jump each.
00401910 $- FF25 74204000 jmp dword ptr ds:[<&MSVCRT._XcptFilter>] ; MSVCRT._XcptFilter — used by the __except filter above
00401916 $- FF25 64204000 jmp dword ptr ds:[<&MSVCRT._initterm>] ; MSVCRT._initterm — used by both initializer-table calls above
0040191C CC int3
0040191D CC int3
0040191E CC int3
0040191F CC int3
; fn_00401920 — calls _controlfp(0x10000, 0x30000) and returns (cdecl, no
; return value used). With MSVCRT's float.h constants this reads as
; _controlfp(_PC_53, _MCW_PC): set x87 precision control to 53-bit (double),
; the usual VC6 startup FP setup — constants unverified here, check float.h.
00401920 /$ 68 00000300 push 0x30000 ; /CWmask = 30000 (presumably _MCW_PC)
00401925 |. 68 00000100 push 0x10000 ; |CWnew = 10000 (presumably _PC_53)
0040192A |. E8 37000000 call <jmp.&MSVCRT._controlfp> ; \_controlfp via the import thunk below
0040192F |. 83C4 08 add esp,0x8 ; cdecl cleanup
00401932 \. C3 retn
00401933 90 nop
00401934 90 nop
00401935 90 nop
00401936 90 nop
00401937 90 nop
00401938 90 nop
00401939 90 nop
0040193A 90 nop
0040193B 90 nop
0040193C 90 nop
0040193D 90 nop
0040193E 90 nop
0040193F 90 nop
; fn_00401940 — stub the startup routine registers with __setusermatherr
; when [0x403080] is zero. Always returns 0 in eax; for a _matherr-style
; callback that presumably means "not handled" — only the return value is
; visible here.
00401940 . 33C0 xor eax,eax ; return 0
00401942 . C3 retn
00401943 90 nop
00401944 90 nop
00401945 90 nop
00401946 90 nop
00401947 90 nop
00401948 90 nop
00401949 90 nop
0040194A 90 nop
0040194B 90 nop
0040194C 90 nop
0040194D 90 nop
0040194E 90 nop
0040194F 90 nop
; fn_00401950 — empty stub (single ret), called unconditionally early in the
; startup routine right after the _adjust_fdiv copy. Its purpose cannot be
; determined from this listing; it has no effect.
00401950 $ C3 retn
00401951 90 nop
00401952 90 nop
00401953 90 nop
00401954 90 nop
00401955 90 nop
00401956 90 nop
00401957 90 nop
00401958 90 nop
00401959 90 nop
0040195A 90 nop
0040195B 90 nop
0040195C 90 nop
0040195D 90 nop
0040195E 90 nop
0040195F 90 nop
; Import thunks. The first is the address pushed as the SEH handler in the
; startup routine's prologue, so it is the value an attacker would need to
; overwrite (or the entry a SafeSEH table must list) for that frame.
00401960 $- FF25 9C204000 jmp dword ptr ds:[<&MSVCRT._except_handler3>] ; MSVCRT._except_handler3; structured exception handler
00401966 $- FF25 54204000 jmp dword ptr ds:[<&MSVCRT._controlfp>] ; MSVCRT._controlfp — target of the precision-setup call above
0040196C 00 db 00
0040196D 00 db 00
0040196E 00 db 00