bp kernel32!FormatMessageA断下后

0:003> kv 3
ChildEBP RetAddr  Args to Child              
0552dad4 06eec811 00000004 00000000 0552dafc kernel32!FormatMessageA
WARNING: Stack unwind information not available. Following frames may be wrong.
0552db00 06eec893 0552db0c 00000818 00000004 ext!obja+0x3f1
0552dc64 06eec967 06dbd5e8 00000004 00000000 ext!obja+0x473

这个时候直接看堆栈
0:003> dd esp
0552da78  06ff0504 00001200 00000000 00000004
0552da88  00000000 0705a298 00000400 00000000
0552da98  0552daa8 778c56f7 04f657f0 00000000
0552daa8  06e0e950 07059eac 00000000 00000000
0552dab8  06e0e950 00000000 00001000 00000000
0552dac8  00000000 0705a298 00000000 0552db00
0552dad8  06eec811 00000004 00000000 0552dafc
0552dae8  0552daf8 00000001 00000000 06dbd59c

0:003> r
eax=00000004 ebx=00000000 ecx=00000000 edx=00001200 esi=00000000 edi=00000000
eip=75d98875 esp=0552da78 ebp=0552dad4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
kernel32!FormatMessageA:
75d98875 ff25ac1bd375    jmp     dword ptr [kernel32!_imp__FormatMessageA (75d31bac)] ds:0023:75d31bac={KERNELBASE!FormatMessageA (75b8ec17)}

正确的返回地址应该是06ff0504， 前3个参数是00001200 00000000 00000004
而kv获得的返回地址是06eec811， 前3个参数是00000004 00000000 0552dafc
windbg似乎是按照当前的ebp去追溯堆栈了，但是ebp在这里其实没有被使用

[课程]Android-CTF解题方法汇总！