-
-
求助,找一个数据的基址
-
2013-3-17 20:17
3261
-
这里要用到ESI的地址,这个ESI里面有个值。请问:这个ESI的基址能不能找到的。如果找不到的话,能不能自定义一个内存空间,然后把值放进去,来代替ESI
0053A152 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0053A155 50 PUSH EAX
0053A156 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0053A159 50 PUSH EAX
0053A15A 56 PUSH ESI //就是这个数值,[ESI]=1
0053A15B 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0053A15E 50 PUSH EAX
0053A15F 6A 00 PUSH 0
0053A161 6A 00 PUSH 0
0053A163 6A 00 PUSH 0
0053A165 6A 00 PUSH 0
0053A167 A1 0CC15900 MOV EAX,DWORD PTR DS:[59C10C]
0053A16C 8B00 MOV EAX,DWORD PTR DS:[EAX]
0053A16E 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0053A171 66:BA C90B MOV DX,0BC9
0053A175 E8 76610300 CALL 005702F0
往上找,发现ESI是EAX传来的,要找EAX的出处,进入上面的CALL
0053A0BD E8 AE8EECFF CALL 00402F70
0053A0C2 8BF0 MOV ESI,EAX
CALL 00402f70这里来的,CALL里面:
00401A7B C3 RETN
00401A7C 8D50 03 LEA EDX,DWORD PTR DS:[EAX+3]
00401A7F C1EA 03 SHR EDX,3
00401A82 3D 2C0A0000 CMP EAX,0A2C
00401A87 53 PUSH EBX
00401A88 8A0D 4DD05900 MOV CL,BYTE PTR DS:[59D04D]
00401A8E 0F87 48020000 JA mir3.00401CDC
00401A94 84C9 TEST CL,CL
00401A96 0FB682 C0D55900 MOVZX EAX,BYTE PTR DS:[EDX+59D5C0]
00401A9D 8D1CC5 48105900 LEA EBX,DWORD PTR DS:[EAX*8+591048] EAX:=8
00401AA4 75 56 JNZ SHORT mir3.00401AFC
00401AA6 8B53 04 MOV EDX,DWORD PTR DS:[EBX+4]
00401AA9 8B42 08 MOV EAX,DWORD PTR DS:[EDX+8] ; EAX的值来自[EDX+8]即[[591048+0x8*0x8+4]+8]
00401AAC B9 F8FFFFFF MOV ECX,-8
00401AB1 39DA CMP EDX,EBX
00401AB3 74 17 JE SHORT mir3.00401ACC
00401AB5 8342 0C 01 ADD DWORD PTR DS:[EDX+C],1
00401AB9 2348 FC AND ECX,DWORD PTR DS:[EAX-4]
00401ABC 894A 08 MOV DWORD PTR DS:[EDX+8],ECX ; 这行,把[EAX+8]存放的值改了
00401ABF 8950 FC MOV DWORD PTR DS:[EAX-4],EDX
00401AC2 74 28 JE SHORT mir3.00401AEC
00401AC4 C603 00 MOV BYTE PTR DS:[EBX],0
00401AC7 5B POP EBX
00401AC8 C3 RETN
请教一下,这个值上面的基址怎么找?
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
