esi = 0057a3e8
; Call site of 0049CF60 (OllyDbg listing, Intel syntax).
; ecx carries the object pointer (the callee reads [ecx+48] / [ecx+4C]);
; four dword args are pushed right-to-left and the callee removes them
; itself (retn 10).  With esi = 0057A3E8:
;   Arg3 / Arg4 are ADDRESSES (lea esi+98 / esi+9C) - output slots;
;   Arg1 / Arg2 are the VALUES stored at esi+A0 / esi+A4 - the stack dump
;   below shows 00008B20 and 00003B60 at esp / esp+4, not 0057A488 / 0057A48C.
004E1782 |> \8D86 9C000000 lea eax,dword ptr ds:[esi+9C]  ; eax = &[esi+9C] = 0057A484
004E1788 |. 50 push eax ; /Arg4 = 0057A484  (pointer; callee writes result #2 here)
004E1789 |. 8D9E 98000000 lea ebx,dword ptr ds:[esi+98] ; | ebx = &[esi+98] = 0057A480
004E178F |. 53 push ebx ; |Arg3 = 0057a480  (pointer; callee writes result #1 here)
004E1790 |. FFB6 A4000000 push dword ptr ds:[esi+A4] ; |Arg2 = 0057a48c  (that is the source address; the dword pushed is 00003B60, see 0012F978)
004E1796 |. BF 788A5700 mov edi,Conquer2.00578A78 ; | edi = object pointer
004E179B |. FFB6 A0000000 push dword ptr ds:[esi+A0] ; |Arg1 = 0057a488  (source address; the dword pushed is 00008B20, see 0012F974)
004E17A1 |. 8BCF mov ecx,edi ; | ecx = this for the call
004E17A3 |. E8 B8B7FBFF call Conquer2.0049CF60 ; \Conquer2.0049CF60  -> stores into [Arg3] and [Arg4]
上面这段好解释,就是把4个内存地址作为参数,调用函数0049CF60
执行到 004E17A3 时各寄存器和堆栈的值如下:
EAX 0057A484 Conquer2.0057A484
ECX 00578A78 Conquer2.00578A78
EDX 0000003C
EBX 0057A480 Conquer2.0057A480
ESP 0012F974
EBP 0012F9AC
ESI 0057A3E8 Conquer2.0057A3E8
EDI 00578A78 Conquer2.00578A78
EIP 004E17A3 Conquer2.004E17A3
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 1 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDD000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -??? FFFF 00000002 00000002
ST1 empty -??? FFFF 0000000F 0000000F
ST2 empty -??? FFFF 00000000 00000000
ST3 empty -??? FFFF 00000007 00000006
ST4 empty -1.0000000000000000000
ST5 empty 559.00000000000000000
ST6 empty 0.0
ST7 empty 1.0000000000000000000
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 掩码 1 1 1 1 1 1
0012F974 00008B20
0012F978 00003B60
0012F97C 0057A480 Conquer2.0057A480
0012F980 0057A484 Conquer2.0057A484
0012F984 00DE42B0
0012F988 00000000
0012F98C 0057A3E8 Conquer2.0057A3E8
0012F990 00000000
0012F994 00000000
0012F998 FFFFFFFF
0012F99C 0012F934
0012F9A0 0012FFB0
0012F9A4 003037BF
0012F9A8 FFFFFFFF
0012F9AC /0012FAE0
0012F9B0 |004DE3FC 返回到 Conquer2.004DE3FC
0012F9B4 |00DE42B0
0012F9B8 |0057A3E8 Conquer2.0057A3E8
0012F9BC |000004DE
0012F9C0 |00000000
0012F9C4 |00000000
0012F9C8 |00000000
0012F9CC |00000000
0012F9D0 |00000000
0012F9D4 |00000000
0012F9D8 |00000000
0012F9DC |00000000
0012F9E0 |00000000
0012F9E4 |00000000
0012F9E8 |00000000
0012F9EC |00000000
现在就是调用函数0049CF60了,此函数的代码如下:
;-----------------------------------------------------------------------
; 0049CF60 - called with ecx = this and 4 dword args; retn 10 cleans them.
; Arg offsets after the first `sub esp,10`:
;   Arg1 [esp+14] = integer value (00008B20 at this call)
;   Arg2 [esp+18] = integer value (00003B60 at this call)
;   Arg3 [esp+1C] = pointer -> receives result #1
;   Arg4 [esp+20] = pointer -> receives result #2
; Computation (all in double precision on the x87 stack):
;   dx = Arg1 - [this+48]
;   dy = Arg2 - [this+4C]
;   A  = dy * K1          ; K1 = qword at 550020
;   B  = dx * K2          ; K2 = qword at 550018
;   *Arg3 = 00478C00(B + A)   ; 00478C00 = double -> int (listed below)
;   *Arg4 = 00478C00(A - B)
; The values of K1/K2 are not on this page; a sum and a difference of two
; products looks like a 2D rotation/projection of the delta - confirm by
; reading the two constants.  Clobbers eax, ecx, edx; x87 stack balanced
; on exit; 0x18 bytes of stack used.
;-----------------------------------------------------------------------
0049CF60 /$ 83EC 10 sub esp,10  ; 16 bytes of locals; args are now at [esp+14]..[esp+20]
0049CF63 |. 8B4424 14 mov eax,dword ptr ss:[esp+14]  ; eax = Arg1
0049CF67 |. 8B51 48 mov edx,dword ptr ds:[ecx+48]  ; edx = [this+48]
0049CF6A |. 2BC2 sub eax,edx  ; eax = dx = Arg1 - [this+48]
0049CF6C |. 8B5424 18 mov edx,dword ptr ss:[esp+18]  ; edx = Arg2
0049CF70 |. 894424 14 mov dword ptr ss:[esp+14],eax  ; spill dx into the Arg1 slot (fild needs a memory operand)
0049CF74 |. 8B41 4C mov eax,dword ptr ds:[ecx+4C]  ; eax = [this+4C]
0049CF77 |. DB4424 14 fild dword ptr ss:[esp+14]  ; st0 = (double)dx
0049CF7B |. 2BD0 sub edx,eax  ; edx = dy = Arg2 - [this+4C]
0049CF7D |. 83EC 08 sub esp,8  ; 8 more bytes: [esp] is the qword arg for 00478C00; old [esp+14] is now [esp+1C]
0049CF80 |. 895424 1C mov dword ptr ss:[esp+1C],edx  ; spill dy into the same slot
0049CF84 |. DB4424 1C fild dword ptr ss:[esp+1C]  ; st0 = (double)dy, st1 = dx
0049CF88 |. DC0D 20005500 fmul qword ptr ds:[550020]  ; st0 = dy * K1
0049CF8E |. DD5C24 08 fstp qword ptr ss:[esp+8]  ; [esp+8] = A = dy*K1, pop -> st0 = dx
0049CF92 |. DC0D 18005500 fmul qword ptr ds:[550018]  ; st0 = dx * K2
0049CF98 |. DD5424 10 fst qword ptr ss:[esp+10]  ; [esp+10] = B = dx*K2 (no pop, B stays in st0)
0049CF9C |. DC4424 08 fadd qword ptr ss:[esp+8]  ; st0 = B + A
0049CFA0 |. DD1C24 fstp qword ptr ss:[esp]  ; [esp] = B + A = arg of the next call; x87 stack now empty
0049CFA3 |. E8 58BCFDFF call Conquer2.00478C00  ; eax = 00478C00(B + A); callee leaves its 8-byte arg on the stack
0049CFA8 |. DD4424 08 fld qword ptr ss:[esp+8]  ; st0 = A
0049CFAC |. DC6424 10 fsub qword ptr ss:[esp+10]  ; st0 = A - B
0049CFB0 |. 8B4C24 24 mov ecx,dword ptr ss:[esp+24]  ; ecx = Arg3 (entry [esp+C], shifted by the 0x18 bytes reserved above); author's note: the x coordinate slot
0049CFB4 |. DD1C24 fstp qword ptr ss:[esp]  ; [esp] = A - B = arg of the second call
0049CFB7 8901 mov dword ptr ds:[ecx],eax  ; *Arg3 = first result (the caller's esi+98); author's note: corrected x
0049CFB9 |. E8 42BCFDFF call Conquer2.00478C00  ; eax = 00478C00(A - B)
0049CFBE |. 8B5424 28 mov edx,dword ptr ss:[esp+28]  ; edx = Arg4 (entry [esp+10]); author's note: the y coordinate slot
0049CFC2 |. 8902 mov dword ptr ds:[edx],eax  ; *Arg4 = second result (the caller's esi+9C); author's note: corrected y
0049CFC4 |. 83C4 18 add esp,18  ; drop 0x10 locals + the 8-byte call arg
0049CFC7 \. C2 1000 retn 10  ; pop the 4 dword args on behalf of the caller
被调用的函数00478c00的代码如下:
;-----------------------------------------------------------------------
; 00478C00 - double -> int.  Input: the qword x at [esp+4] (left on the
; stack for the caller to remove).  Output: eax.
;   t = 005052E0(x)        ; truncating conversion, see 005052E0 below
;   u = 005052E0(x + C)    ; C = qword at 54FF00 (value not on this page)
;   return (u > t) ? t + 1 : t
; If C is 0.5 this is round-to-nearest built from two truncations -
; confirm by reading 54FF00.  Only the low dword of each conversion is used.
; Clobbers eax, edx (via 005052E0); esi preserved; x87 stack balanced.
;-----------------------------------------------------------------------
00478C00 /$ DD4424 04 fld qword ptr ss:[esp+4]  ; st0 = x
00478C04 |. 56 push esi  ; preserve esi (used below to hold t); x is now at [esp+8]
00478C05 |. E8 D6C60800 call Conquer2.005052E0  ; edx:eax = trunc(x), pops st0
00478C0A |. DD4424 08 fld qword ptr ss:[esp+8]  ; st0 = x again (offset moved by the push)
00478C0E |. DC05 00FF5400 fadd qword ptr ds:[54FF00]  ; st0 = x + C
00478C14 |. 8BF0 mov esi,eax  ; esi = t
00478C16 |. E8 C5C60800 call Conquer2.005052E0  ; eax = u = trunc(x + C)
00478C1B |. 3BC6 cmp eax,esi  ; u vs t (signed compare)
00478C1D |. 8D46 01 lea eax,dword ptr ds:[esi+1]  ; eax = t + 1 (lea leaves the flags from cmp intact)
00478C20 |. 7F 02 jg short Conquer2.00478C24  ; if u > t keep t + 1
00478C22 |. 8BC6 mov eax,esi  ; otherwise return t
00478C24 |> 5E pop esi
00478C25 \. C3 retn  ; no `retn 8`: the caller drops the qword arg itself
被调用的函数005052E0的代码如下:
;-----------------------------------------------------------------------
; 005052E0 - st(0) -> int64 with truncation toward zero.
; Output: edx:eax = (int64)st(0); st(0) is popped; the FPU control word
; is restored before returning.  This is the classic shape of the MSVC CRT
; `_ftol` helper: save FCW, force RC (FCW bits 10-11) to 11b = truncate,
; fistp, restore FCW.
; Frame: [ebp-2] saved FCW, [ebp-4] modified FCW, [ebp-C] int64 result.
;-----------------------------------------------------------------------
005052E0 /$ 55 push ebp
005052E1 |. 8BEC mov ebp,esp
005052E3 |. 83C4 F4 add esp,-0C  ; 12 bytes of locals (see frame layout above)
005052E6 |. 9B wait  ; sync with the FPU before reading the control word
005052E7 |. D97D FE fstcw word ptr ss:[ebp-2]  ; save the current FPU control word to [ebp-2]
005052EA |. 9B wait
005052EB |. 66:8B45 FE mov ax,word ptr ss:[ebp-2]
005052EF |. 80CC 0C or ah,0C  ; set FCW bits 10-11 (rounding control) = 11b -> round toward zero
005052F2 |. 66:8945 FC mov word ptr ss:[ebp-4],ax
005052F6 |. D96D FC fldcw word ptr ss:[ebp-4]  ; load the modified control word: truncation mode
005052F9 |. DF7D F4 fistp qword ptr ss:[ebp-C]  ; dest <- st(0) as int64 (mem16/mem32/mem64 forms exist; this is the 64-bit one)
; (the store also pops st(0))
005052FC |. D96D FE fldcw word ptr ss:[ebp-2]  ; restore the caller's control word / rounding mode
005052FF |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]  ; low dword of the result
00505302 |. 8B55 F8 mov edx,dword ptr ss:[ebp-8]  ; high dword of the result
00505305 |. C9 leave
00505306 \. C3 retn
求助函数0049CF60的解释,其中有大量的80x87浮点指令,看不懂,各位大虾帮忙啊