调用函数的环境是这样的:
.text:000000018000CAB8 lea r8, [rax-28h] ; unsigned int
.text:000000018000CABC xor r9d, r9d ; unsigned int *
.text:000000018000CABF xor edx, edx ; struct _TOKEN_SECURITY_ATTRIBUTE_V1 *
.text:000000018000CAC1 mov rbp, rcx
.text:000000018000CAC4 call ?GetPackageRelativeApplicationId@SysAppId@ProcessToken@ARI@@YAJPEBU_TOKEN_SECURITY_ATTRIBUTE_V1@@IPEAIPEAG@Z ; ARI::ProcessToken::SysAppId::GetPackageRelativeApplicationId(_TOKEN_SECURITY_ATTRIBUTE_V1 const *,uint,uint *,ushort *)
.text:000000018000CAC9 cmp eax, 7Ah ; 'z'
被调用函数就是这个GetPackageRelativeApplicationId(),展开是这样的:
.text:000000018000CC1C arg_0 = qword ptr 8
.text:000000018000CC1C
.text:000000018000CC1C mov [rsp+arg_0], rbx
.text:000000018000CC21 push rdi
.text:000000018000CC22 sub rsp, 20h
.text:000000018000CC26 mov r10, [rcx+20h]
.text:000000018000CC2A mov rdi, r9
.text:000000018000CC2D movzx ecx, word ptr [r10+10h]
.text:000000018000CC32 shr ecx, 1
.text:000000018000CC34 lea eax, [rcx+1]
.text:000000018000CC37 mov [r8], eax
.text:000000018000CC3A cmp edx, eax
.text:000000018000CC3C jnb short loc_18000CC45
.text:000000018000CC3E mov eax, 7Ah ; 'z'
.text:000000018000CC43 jmp short loc_18000CC5E
.text:000000018000CC45 ; ---------------------------------------------------------------------------
.text:000000018000CC45
.text:000000018000CC45 loc_18000CC45: ; CODE XREF: ARI::ProcessToken::SysAppId::GetPackageRelativeApplicationId(_TOKEN_SECURITY_ATTRIBUTE_V1 const *,uint,uint *,ushort *)+20↑j
.text:000000018000CC45 mov rdx, [r10+18h] ; Src
.text:000000018000CC49 lea rbx, [rcx+rcx]
.text:000000018000CC4D mov r8, rbx ; Size
.text:000000018000CC50 mov rcx, r9 ; void * 这里是不是存在问题?
.text:000000018000CC53 call memcpy_0
.text:000000018000CC58 xor eax, eax
.text:000000018000CC5A mov [rbx+rdi], ax
.text:000000018000CC5E
.text:000000018000CC5E loc_18000CC5E: ; CODE XREF: ARI::ProcessToken::SysAppId::GetPackageRelativeApplicationId(_TOKEN_SECURITY_ATTRIBUTE_V1 const *,uint,uint *,ushort *)+27↑j
.text:000000018000CC5E mov rbx, [rsp+28h+arg_0]
.text:000000018000CC63 add rsp, 20h
.text:000000018000CC67 pop rdi
.text:000000018000CC68 retn
我疑问的地方,就是这个memcpy_0,向r9=0?的地方赋值吗?但是系统所示貌似没有问题,为何?
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)