006C0231 |. 55 push ebp
006C0232 |. 68 52036C00 push Person.006C0352
006C0237 |. 64:FF30 push dword ptr fs:[eax]
006C023A |. 64:8920 mov fs:[eax], esp
006C023D |. 8D55 FC lea edx, [local.1]
006C0240 |. 8B83 10030000 mov eax, ds:[ebx+310]
006C0246 |. E8 9176DCFF call Person.004878DC
006C024B |. 8B45 FC mov eax, [local.1]
006C024E |. 50 push eax
006C024F |. 8D45 F4 lea eax, [local.3]
006C0252 |. E8 7DE6FFFF call Person.006BE8D4
006C0257 |. 8B45 F4 mov eax, [local.3]
006C025A 8D55 F8 lea edx, ss:[ebp-8] ; 这里是机器码
006C025D |. E8 56E7FFFF call Person.006BE9B8 ;关键跳转
006C0262 |. 8B55 F8 mov edx, [local.2]
006C0265 |. 58 pop eax ; ;这里就是真码了
006C0266 |. E8 B94BD4FF call Person.00404E24
006C026B |. 75 33 jnz short Person.006C02A0
006C026D |. 8D55 F0 lea edx, [local.4]
006C0270 |. 8B83 10030000 mov eax, ds:[ebx+310]
006C0276 |. E8 6176DCFF call Person.004878DC
006C027B |. 8B55 F0 mov edx, [local.4]
006C027E |. B8 68036C00 mov eax, Person.006C0368 ; person
006C0283 |. E8 3CE5FFFF call Person.006BE7C4
006C0288 |. B8 78036C00 mov eax, Person.006C0378 ;注册成功,按确定退出程序,请再启动
――――――――――――――――――――――――
――――――――――006BE9B8的跳转
; ---------------------------------------------------------------------
; 006BE9B8  (the routine called at 006C025D above)
; Register-argument entry as seen at the call site: eax = string argument
; (saved in [local.1]), edx = pointer (kept in ebx and pushed at 006BE9DF).
; The body runs under a compiler-generated SEH frame (push handler /
; push fs:[0] / mov fs:[0],esp) so that [local.2] is released in the
; cleanup block at 006BEA0F both on normal exit and on exception.
; OllyDbg's [local.N] notation means [ebp-4*N].
; ---------------------------------------------------------------------
006BE9B8 /$ 55 push ebp
006BE9B9 |. 8BEC mov ebp, esp
006BE9BB 83C4 F8 add esp, -8 ; two dword locals: [local.1] = ebp-4, [local.2] = ebp-8
006BE9BE 53 push ebx
006BE9BF 33C9 xor ecx, ecx
006BE9C1 |. 894D F8 mov [local.2], ecx ; local.2 := 0 up front so the cleanup at 006BEA0F is safe on every path
006BE9C4 |. 8BDA mov ebx, edx ; ebx = pointer argument, survives the calls below
006BE9C6 |. 8945 FC mov [local.1], eax
006BE9C9 |. 8B45 FC mov eax, [local.1]
006BE9CC |. E8 F764D4FF call Person.00404EC8
006BE9D1 |. 33C0 xor eax, eax ; eax = 0 -> fs:[0] is the head of the SEH chain
006BE9D3 |. 55 push ebp
006BE9D4 |. 68 1DEA6B00 push Person.006BEA1D ; exception handler for this frame
006BE9D9 |. 64:FF30 push dword ptr fs:[eax] ; save the previous handler
006BE9DC |. 64:8920 mov fs:[eax], esp ; install the new SEH record
006BE9DF |. 53 push ebx ; stack-passed argument; must be consumed by the call at 006BE9FD for the pops at 006BEA04 to line up
006BE9E0 |. 8D4D F8 lea ecx, [local.2]
006BE9E3 |. BA 34EA6B00 mov edx, Person.006BEA34 ; ASCII "person"
006BE9E8 |. 8B45 FC mov eax, [local.1]
006BE9EB |. E8 A8F9FFFF call Person.006BE398 ; see the listing of 006BE398 below
006BE9F0 |. 8B45 F8 mov eax, [local.2]
006BE9F3 |. B9 0C000000 mov ecx, 0C
006BE9F8 |. BA 01000000 mov edx, 1
006BE9FD |. E8 3665D4FF call Person.00404F38
006BEA02 |. 33C0 xor eax, eax
006BEA04 |. 5A pop edx ; edx = previous handler (pushed at 006BE9D9)
006BEA05 |. 59 pop ecx ; discard handler address
006BEA06 |. 59 pop ecx ; discard saved ebp
006BEA07 |. 64:8910 mov fs:[eax], edx ; unlink this SEH record
006BEA0A |. 68 24EA6B00 push Person.006BEA24 ; continuation address consumed by the retn below
006BEA0F |> 8D45 F8 lea eax, [local.2] ; cleanup block; also the target reached on the exception path
006BEA12 |. BA 02000000 mov edx, 2
006BEA17 |. E8 2060D4FF call Person.00404A3C
006BEA1C \. C3 retn ; returns to 006BEA24; the pop ebx / restore-esp / pop ebp epilogue is presumably there, outside this listing
――――――――――――――――――――――――
――――――――――006BE398的跳转
; ---------------------------------------------------------------------
; 006BE398  (the routine called at 006BE9EB above)
; Register-argument entry as seen at the call site: eax and edx = string
; arguments (saved in [local.1] / [local.2]), ecx = pointer kept in edi
; and used at 006BE445. Three locals ([local.3], [local.4], [local.5]) are
; zeroed up front and released in the cleanup block at 006BE45C. The loop
; 006BE3FA..006BE443 runs once per byte of the buffer in [local.4], with
; esi as the byte index and ebx as the remaining-iteration counter.
; Same compiler-generated SEH frame shape as 006BE9B8.
; ---------------------------------------------------------------------
006BE398 /$ 55 push ebp
006BE399 |. 8BEC mov ebp, esp
006BE39B |. 83C4 E4 add esp, -1C ; 7 dword locals: [local.1] = ebp-4 .. [local.7] = ebp-1C
006BE39E |. 53 push ebx
006BE39F |. 56 push esi
006BE3A0 |. 57 push edi
006BE3A1 |. 33DB xor ebx, ebx
006BE3A3 |. 895D F4 mov [local.3], ebx ; zero the three temporaries so the cleanup at 006BE45C is safe on every path
006BE3A6 |. 895D F0 mov [local.4], ebx
006BE3A9 |. 895D EC mov [local.5], ebx
006BE3AC |. 8BF9 mov edi, ecx ; edi = pointer argument, survives the calls below
006BE3AE |. 8955 F8 mov [local.2], edx
006BE3B1 |. 8945 FC mov [local.1], eax
006BE3B4 |. 8B45 FC mov eax, [local.1]
006BE3B7 |. E8 0C6BD4FF call Person.00404EC8
006BE3BC |. 8B45 F8 mov eax, [local.2]
006BE3BF |. E8 046BD4FF call Person.00404EC8
006BE3C4 |. 33C0 xor eax, eax ; eax = 0 -> fs:[0] is the head of the SEH chain
006BE3C6 |. 55 push ebp
006BE3C7 |. 68 6AE46B00 push Person.006BE46A ; exception handler for this frame
006BE3CC |. 64:FF30 push dword ptr fs:[eax] ; save the previous handler
006BE3CF |. 64:8920 mov fs:[eax], esp ; install the new SEH record
006BE3D2 |. 8D4D F0 lea ecx, [local.4] ; presumably the out-pointer for the call at 006BE3DB (same ecx role as at 006BE3AC) — confirm
006BE3D5 |. 8B55 F8 mov edx, [local.2]
006BE3D8 |. 8B45 FC mov eax, [local.1]
006BE3DB |. E8 40FCFFFF call Person.006BE020
006BE3E0 |. 8D45 F4 lea eax, [local.3]
006BE3E3 |. E8 3066D4FF call Person.00404A18
006BE3E8 |. 8B45 F0 mov eax, [local.4]
006BE3EB |. E8 E868D4FF call Person.00404CD8 ; eax = element count of [local.4], used as the loop bound
006BE3F0 |. 8BD8 mov ebx, eax
006BE3F2 |. 4B dec ebx
006BE3F3 |. 85DB test ebx, ebx
006BE3F5 |. 7C 4E jl short Person.006BE445 ; signed test: a count of 0 (or negative) skips the loop entirely
006BE3F7 |. 43 inc ebx ; ebx = iterations remaining (= count)
006BE3F8 |. 33F6 xor esi, esi ; esi = byte index, starts at 0
006BE3FA |> 8D45 EC /lea eax, [local.5] ; loop top: &local.5 is the stack argument pushed next
006BE3FD |. 50 |push eax ; /Arg1
006BE3FE |. 8B45 F0 |mov eax, [local.4] ; |
006BE401 |. 0FB60430 |movzx eax, byte ptr ds:[eax+esi] ; | zero-extend byte esi of the buffer
006BE405 |. 8945 E4 |mov [local.7], eax ; |
006BE408 |. C645 E8 00 |mov byte ptr ss:[ebp-18], 0 ; | [ebp-18] = [local.6]
006BE40C |. 8D55 E4 |lea edx, [local.7] ; |
006BE40F |. 33C9 |xor ecx, ecx ; |
006BE411 |. B8 80E46B00 |mov eax, Person.006BE480 ; |ASCII "%x"
006BE416 |. E8 79CAD4FF |call Person.0040AE94 ; \Person.0040AE94
006BE41B |. 8B45 EC |mov eax, [local.5]
006BE41E |. E8 B568D4FF |call Person.00404CD8 ; same helper as at 006BE3EB
006BE423 |. 48 |dec eax
006BE424 |. 75 10 |jnz short Person.006BE436 ; branch unless the returned count was exactly 1
006BE426 |. 8D45 EC |lea eax, [local.5]
006BE429 |. 8B4D EC |mov ecx, [local.5]
006BE42C |. BA 8CE46B00 |mov edx, Person.006BE48C
006BE431 |. E8 EE68D4FF |call Person.00404D24
006BE436 |> 8D45 F4 |lea eax, [local.3] ; join point for both paths
006BE439 |. 8B55 EC |mov edx, [local.5]
006BE43C |. E8 9F68D4FF |call Person.00404CE0
006BE441 |. 46 |inc esi ; next byte
006BE442 |. 4B |dec ebx
006BE443 |.^ 75 B5 \jnz short Person.006BE3FA ; loop while iterations remain
006BE445 |> 8BC7 mov eax, edi ; loop exit and skip target: eax = pointer argument, edx = [local.3]
006BE447 |. 8B55 F4 mov edx, [local.3]
006BE44A |. E8 1D66D4FF call Person.00404A6C
006BE44F |. 33C0 xor eax, eax
006BE451 |. 5A pop edx ; edx = previous handler (pushed at 006BE3CC)
006BE452 |. 59 pop ecx ; discard handler address
006BE453 |. 59 pop ecx ; discard saved ebp
006BE454 |. 64:8910 mov fs:[eax], edx ; unlink this SEH record
006BE457 |. 68 71E46B00 push Person.006BE471 ; continuation address consumed by the retn below
006BE45C |> 8D45 EC lea eax, [local.5] ; cleanup block; also the target reached on the exception path
006BE45F |. BA 05000000 mov edx, 5
006BE464 |. E8 D365D4FF call Person.00404A3C
006BE469 \. C3 retn ; returns to 006BE471; the pop edi/esi/ebx epilogue is presumably there, outside this listing