[[遍历基址]+8]=遍历头
[[[[[[[[[[[[[[[[遍历基址]+8]+0]+0]+0]+0]+4]+8]+4]+8]+4]+14]+20]+c]+14]+50]+14 =非言女
[[[[[[[[[[[[[[遍历基址]+8]+0]+0]+0]+4]+8]+4]+8]+4]+14]+20]+c]+14]+50]+14 =村长
[[[[[[[[[[[[[[遍历基址]+8]+0]+0]+4]+8]+4]+8]+4]+14]+20]+c]+14]+50]+14 =非言女
[[[[[[[[[[[[[遍历基址]+8]+0]+4]+8]+4]+8]+4]+14]+20]+c]+14]+50]+14 =村长
[[[[[[[[[[[0D02D020]+4]+8]+4]+8]+4]+14]+20]+c]+14]+50]+14=非言女
以下是逆向分析过程:
1113B8D0 - 8B 30 - mov esi,[eax]
0D559980
1113B920 - 8B 46 04 - mov eax,[esi+04] <<
229238E0
1113B901 - 8B 46 08 - mov eax,[esi+08] <<
0AE11868
1113B920 - 8B 46 04 - mov eax,[esi+04] <<
ESI=0DE7B3D0
1113B901 - 8B 46 08 - mov eax,[esi+08]
ESI=0AE11868
1113B920 - 8B 46 04 - mov eax,[esi+04]
0DE7B3D0
1113B8D6 |> /8B46 14 /mov eax, dword ptr [esi+0x14]
0AE11868
115123C6 - 89 7E 38 - mov [esi+38],edi
ESI=22852330
以下是完整二叉树遍历汇编代码:
;-----------------------------------------------------------------------
; Tree sweep routine as dumped by the debugger (x86-32, MSVC-style code).
; The `/$ |. |> \.` glyphs and the `/ | \` drawn in front of mnemonics are
; the debugger's branch/loop markers, not part of the instruction text.
; Register roles: ecx on entry = this (thiscall, presumably); ebp = this
;   for the whole body; [ebp+0x8] = pointer to the tree object, whose
;   first dword is the header node (cf. the "遍历头" pointer chain above).
; Node layout, as the loads below read it:
;   [node+0x0]  left        [node+0x4]  parent      [node+0x8] right
;   [node+0xD]  nil/header flag (byte)   [node+0x10] integer key (signed
;   compares: jge/jl)      [node+0x14] pointer to a value object with vtable
;   -> consistent with the MSVC STL _Tree (std::map) node layout; confirm.
; Locals (after the prologue): [esp+0x20]/[esp+0x24]/[esp+0x28] a
;   3-pointer begin/end/capacity-style buffer of collected 4-byte keys
;   (begin/end usage is visible, capacity is presumed); [esp+0x14],
;   [esp+0x18], [esp+0x1C] iterator scratch slots; [esp+0x2C..0x34] the
;   EH registration record {prev fs:[0], handler, state} pushed first.
; Pass 1 walks every node via in-order successor steps and, for values
;   with [val+0x18]!=0 && [val+0x10]==0, hands &node.key to 1113C070
;   (probably appends to the buffer); otherwise clears [val+0x14].
; Pass 2 looks each collected key up again (lower_bound-style descent),
;   makes a virtual call on the value (push 1 / call [vtbl+4]) and passes
;   the node to 1113C180. Finally the buffer is released via 11A4CF74.
; None of the three callees is shown on this page; their roles are
;   inferred from the call sites only.
;-----------------------------------------------------------------------
1113B890 /$ 6A FF push -0x1                              ; EH state index -1: first part of the MSVC EH record (presumably)
1113B892 |. 68 C8ACBF11 push 11BFACC8                    ; EH handler address
1113B897 |. 64:A1 0000000>mov eax, dword ptr fs:[0]      ; previous SEH chain head
1113B89D |. 50 push eax                                  ; record on stack: {prev, handler, state}
1113B89E |. 83EC 18 sub esp, 0x18                        ; 0x18 bytes of locals
1113B8A1 |. 53 push ebx                                  ; save callee-saved regs
1113B8A2 |. 55 push ebp
1113B8A3 |. 56 push esi
1113B8A4 |. 57 push edi
1113B8A5 |. A1 30638712 mov eax, dword ptr [0x12876330]  ; global cookie value (looks like __security_cookie — confirm)
1113B8AA |. 33C4 xor eax, esp                            ; /GS-style frame cookie = cookie ^ esp
1113B8AC |. 50 push eax                                  ; store the frame cookie
1113B8AD |. 8D4424 2C lea eax, dword ptr [esp+0x2C]      ; &EH record (esp+0x2C is the saved fs:[0] slot)
1113B8B1 |. 64:A3 0000000>mov dword ptr fs:[0], eax      ; install the handler
1113B8B7 |. 8BE9 mov ebp, ecx                            ; ebp = this
1113B8B9 |. 33DB xor ebx, ebx                            ; ebx = 0
1113B8BB |. 895C24 20 mov dword ptr [esp+0x20], ebx      ; buffer.begin = 0
1113B8BF |. 895C24 24 mov dword ptr [esp+0x24], ebx      ; buffer.end   = 0
1113B8C3 |. 895C24 28 mov dword ptr [esp+0x28], ebx      ; buffer.cap   = 0 (presumed role)
1113B8C7 |. 895C24 34 mov dword ptr [esp+0x34], ebx      ; EH state index := 0 (buffer now live)
1113B8CB |. 8B45 08 mov eax, dword ptr [ebp+0x8]         ; eax = this->tree
1113B8CE |. 8B00 mov eax, dword ptr [eax]                ; eax = header node
1113B8D0 |. 8B30 mov esi, dword ptr [eax]                ; esi = header->left = leftmost (first in order)
1113B8D2 |. 3BF0 cmp esi, eax                            ; empty tree: first == header
1113B8D4 |. 74 77 je short 1113B94D                      ; -> skip pass 1
1113B8D6 |> 8B46 14 /mov eax, dword ptr [esi+0x14]       ; pass 1 top: eax = node->value
1113B8D9 |. 8078 18 00 |cmp byte ptr [eax+0x18], 0x0     ; value flag clear?
1113B8DD |. 74 15 |je short 1113B8F4                     ;  -> clear [value+0x14]
1113B8DF |. 8378 10 00 |cmp dword ptr [eax+0x10], 0x0    ; value dword at +0x10 nonzero?
1113B8E3 |. 75 0F |jnz short 1113B8F4                    ;  -> clear [value+0x14]
1113B8E5 |. 8D46 10 |lea eax, dword ptr [esi+0x10]       ; eax = &node->key
1113B8E8 |. 50 |push eax                                 ; arg: key pointer
1113B8E9 |. 8D4C24 24 |lea ecx, dword ptr [esp+0x24]     ; ecx = &buffer (= [esp+0x20] before the push); this for callee
1113B8ED |. E8 7E070000 |call 1113C070                   ; record the key (likely push_back; callee not shown)
1113B8F2 |. EB 07 |jmp short 1113B8FB                    ; skip the clear
1113B8F4 |> C740 14 00000>|mov dword ptr [eax+0x14], 0x0 ; value->field_14 = 0 for entries failing the test
1113B8FB |> 807E 0D 00 |cmp byte ptr [esi+0xD], 0x0      ; current node is header/nil?
1113B8FF |. 75 41 |jnz short 1113B942                    ;  -> loop test
1113B901 |. 8B46 08 |mov eax, dword ptr [esi+0x8]        ; eax = right child (this line is traced above)
1113B904 |. 8078 0D 00 |cmp byte ptr [eax+0xD], 0x0      ; right child nil?
1113B908 |. 75 16 |jnz short 1113B920                    ;  -> no right subtree: climb via parents
1113B90A |. 8BF0 |mov esi, eax                           ; esi = right child
1113B90C |. 8B06 |mov eax, dword ptr [esi] ; 2266E7E8    ; eax = its left child (author's observed value kept)
1113B90E |. 8078 0D 00 |cmp byte ptr [eax+0xD], 0x0      ; left child nil?
1113B912 |. 75 2E |jnz short 1113B942                    ;  -> successor found
1113B914 |> 8BF0 |/mov esi, eax                          ; descend to the leftmost node of the right subtree
1113B916 |. 8B06 ||mov eax, dword ptr [esi]
1113B918 |. 8078 0D 00 ||cmp byte ptr [eax+0xD], 0x0
1113B91C |.^ 74 F6 |\je short 1113B914
1113B91E |. EB 22 |jmp short 1113B942                    ; -> loop test
1113B920 |> 8B46 04 |mov eax, dword ptr [esi+0x4]        ; eax = parent (this line is traced above)
1113B923 |. 8078 0D 00 |cmp byte ptr [eax+0xD], 0x0      ; parent is header?
1113B927 |. 75 17 |jnz short 1113B940                    ;  -> stop climbing
1113B929 |. 8DA424 000000>|lea esp, dword ptr [esp]      ; 7-byte NOP (alignment padding), no effect
1113B930 |> 3B70 08 |/cmp esi, dword ptr [eax+0x8]       ; while esi is the right child of its parent
1113B933 |. 75 0B ||jnz short 1113B940                   ;  -> stop climbing
1113B935 |. 8BF0 ||mov esi, eax                          ; esi = parent
1113B937 |. 8B40 04 ||mov eax, dword ptr [eax+0x4]       ; eax = grandparent
1113B93A |. 8078 0D 00 ||cmp byte ptr [eax+0xD], 0x0     ; ... until header reached
1113B93E |.^ 74 F0 |\je short 1113B930
1113B940 |> 8BF0 |mov esi, eax                           ; esi = in-order successor
1113B942 |> 8B45 08 |mov eax, dword ptr [ebp+0x8]        ; eax = tree
1113B945 |. 3B30 |cmp esi, dword ptr [eax]               ; reached header (end)?
1113B947 |.^ 75 8D \jnz short 1113B8D6 ; 2266E7E8        ; no -> next node (author's observed value kept)
1113B949 |. 8B5C24 20 mov ebx, dword ptr [esp+0x20]      ; ebx = buffer.begin
1113B94D |> 8BFB mov edi, ebx                            ; edi = cursor over collected keys
1113B94F |. 3B5C24 24 cmp ebx, dword ptr [esp+0x24]      ; begin == end -> nothing collected
1113B953 |. 74 77 je short 1113B9CC                      ;  -> skip pass 2
1113B955 |. 8B5C24 24 mov ebx, dword ptr [esp+0x24]      ; ebx = buffer.end
1113B959 |. 8DA424 000000>lea esp, dword ptr [esp]       ; 7-byte NOP (alignment padding), no effect
1113B960 |> 8B45 08 /mov eax, dword ptr [ebp+0x8]        ; pass 2 top: eax = tree
1113B963 |. 8B30 |mov esi, dword ptr [eax]               ; esi = header
1113B965 |. 8BCE |mov ecx, esi                           ; ecx = candidate = header ("not found")
1113B967 |. 8B46 04 |mov eax, dword ptr [esi+0x4]        ; eax = root
1113B96A |. 8078 0D 00 |cmp byte ptr [eax+0xD], 0x0      ; root nil?
1113B96E |. 75 16 |jnz short 1113B986                    ;  -> skip descent
1113B970 |. 8B17 |mov edx, dword ptr [edi]               ; edx = key being looked up
1113B972 |> 3950 10 |/cmp dword ptr [eax+0x10], edx      ; node.key >= key ? (signed)
1113B975 |. 7D 05 ||jge short 1113B97C                   ;  -> remember node, go left
1113B977 |. 8B40 08 ||mov eax, dword ptr [eax+0x8]       ; else go right
1113B97A |. EB 04 ||jmp short 1113B980
1113B97C |> 8BC8 ||mov ecx, eax                          ; candidate = node
1113B97E |. 8B00 ||mov eax, dword ptr [eax]              ; go left
1113B980 |> 8078 0D 00 ||cmp byte ptr [eax+0xD], 0x0     ; until nil (lower_bound descent)
1113B984 |.^ 74 EC |\je short 1113B972
1113B986 |> 3BCE |cmp ecx, esi                           ; candidate == header?
1113B988 |. 74 11 |je short 1113B99B                     ;  -> not found
1113B98A |. 8B07 |mov eax, dword ptr [edi]               ; eax = key
1113B98C |. 3B41 10 |cmp eax, dword ptr [ecx+0x10]       ; key < candidate.key ? (signed)
1113B98F |. 7C 0A |jl short 1113B99B                     ;  -> not found
1113B991 |. 894C24 14 |mov dword ptr [esp+0x14], ecx     ; found: iterator slot = node
1113B995 |. 8D7424 14 |lea esi, dword ptr [esp+0x14]
1113B999 |. EB 08 |jmp short 1113B9A3
1113B99B |> 897424 18 |mov dword ptr [esp+0x18], esi     ; not found: iterator slot = header (end)
1113B99F |. 8D7424 18 |lea esi, dword ptr [esp+0x18]
1113B9A3 |> 8B36 |mov esi, dword ptr [esi]               ; esi = node (or header when not found)
1113B9A5 |. 8B4E 14 |mov ecx, dword ptr [esi+0x14]       ; ecx = node->value; no not-found guard here — relies on the key still being present
1113B9A8 |. 85C9 |test ecx, ecx                          ; null value?
1113B9AA |. 74 07 |je short 1113B9B3                     ;  -> skip the virtual call
1113B9AC |. 8B01 |mov eax, dword ptr [ecx]               ; eax = value vtable
1113B9AE |. 6A 01 |push 0x1                              ; arg = 1
1113B9B0 |. FF50 04 |call dword ptr [eax+0x4]            ; virtual slot 1 on the value; presumably a destroy/release method — confirm
1113B9B3 |> 8B4D 08 |mov ecx, dword ptr [ebp+0x8]        ; ecx = tree (this for callee)
1113B9B6 |. 8D4424 1C |lea eax, dword ptr [esp+0x1C]     ; eax = result slot
1113B9BA |. 56 |push esi                                 ; arg: node
1113B9BB |. 50 |push eax                                 ; arg: result slot
1113B9BC |. E8 BF070000 |call 1113C180                   ; probably erase(node) returning an iterator into [esp+0x1C]; callee not shown
1113B9C1 |. 83C7 04 |add edi, 0x4                        ; next key (4-byte elements)
1113B9C4 |. 3BFB |cmp edi, ebx                           ; end of buffer?
1113B9C6 |.^ 75 98 \jnz short 1113B960
1113B9C8 |. 8B5C24 20 mov ebx, dword ptr [esp+0x20]      ; ebx = buffer.begin
1113B9CC |> 85DB test ebx, ebx                           ; nothing allocated?
1113B9CE |. 74 09 je short 1113B9D9
1113B9D0 |. 53 push ebx
1113B9D1 |. E8 9E159100 call 11A4CF74                    ; release the buffer (cdecl; presumably free/operator delete)
1113B9D6 |. 83C4 04 add esp, 0x4                         ; caller cleans the one argument
1113B9D9 |> 8B4C24 2C mov ecx, dword ptr [esp+0x2C]      ; ecx = saved previous SEH head
1113B9DD |. 64:890D 00000>mov dword ptr fs:[0], ecx      ; unlink our handler
1113B9E4 |. 59 pop ecx                                   ; drop the frame cookie (no cookie check visible in this listing)
1113B9E5 |. 5F pop edi                                   ; restore callee-saved regs
1113B9E6 |. 5E pop esi
1113B9E7 |. 5D pop ebp
1113B9E8 |. 5B pop ebx
1113B9E9 |. 83C4 24 add esp, 0x24                        ; 0x18 locals + 0xC EH record
1113B9EC \. C3 retn                                      ; no stack args cleaned (consistent with thiscall, no parameters — presumably)