本人初涉逆向工程不久,遇到了一个难题。以下代码中的API函数我都了解其功能,但这些代码片段我经常在一些应用程序中发现,却不理解这段代码的实际功能,以及为什么要这么做,还望高手指点一二。
; ---------------------------------------------------------------------------
; 006FAA84: void *__cdecl encode_ptr(void *ptr)      ; ptr sits at [esp+8] once esi is pushed
; Shape matches the MSVC CRT's internal _encode_pointer helper: it runs a
; function pointer through kernel32!EncodePointer before that pointer is
; stored, so a later overwrite of the stored slot (e.g. through a memory-safety
; bug) does not hand an attacker a directly usable code address. Two ways to
; reach the API are tried:
;   (a) warm path: TlsGetValue([7A5914]) yields a callback; if it is non-NULL
;       and [7A5910] != -1, callback([7A5910]) yields a per-thread block whose
;       dword at +1F8 is presumably the cached EncodePointer address (the block
;       layout is not visible in this listing);
;   (b) cold path: GetModuleHandleA("KERNEL32.DLL") then
;       GetProcAddress(hKernel32, "EncodePointer"), gated by helper 006FAA18
;       (its purpose is not visible here; a zero result skips the lookup).
; Out:  eax = EncodePointer(ptr) when a pointer to the API was obtained,
;       otherwise ptr unchanged (the protection is silently absent on that path).
; Regs: esi preserved; ecx/edx not preserved (the stdcall API calls clobber them).
; Jump targets: 006FAAB8 = $+34, 006FAADE = $+5A, 006FAAEC = $+68.
; ---------------------------------------------------------------------------
$ ==> >/$ >push esi                                   ; save callee-saved esi; ptr is now [esp+8]
$+1 >|. >push dword ptr ds:[7A5914] ; /TlsIndex = F   ; global TLS slot index
$+7 >|. >mov esi,dword ptr ds:[<&KERNEL32.TlsGetValu>; |kernel32.TlsGetValue ; keep the import in esi, it is called twice
$+D >|. >call esi ; \TlsGetValue                      ; eax = TlsGetValue(index): per-thread callback, or NULL
$+F >|. >test eax,eax
$+11 >|. >je short Luvinia.006FAAB8                   ; no per-thread value -> cold path ($+34)
$+13 >|. >mov eax,dword ptr ds:[7A5910]               ; second global index; -1 below reads as "not allocated"
$+18 >|. >cmp eax,-1
$+1B >|. >je short Luvinia.006FAAB8                   ; index not allocated -> cold path ($+34)
$+1D >|. >push eax                                    ; argument for the callback fetched next
$+1E >|. >push dword ptr ds:[7A5914] ; /TlsIndex = F
$+24 >|. >call esi ; \TlsGetValue                     ; eax = the callback again (TlsGetValue is stdcall, pops its arg)
$+26 >|. >call eax                                    ; eax = callback([7A5910]); must be stdcall: nothing below pops the pushed index
$+28 >|. >test eax,eax
$+2A >|. >je short Luvinia.006FAAB8                   ; no per-thread block -> cold path ($+34)
$+2C >|. >mov eax,dword ptr ds:[eax+1F8]              ; cached function pointer at +1F8 of the block (EncodePointer, presumably)
$+32 >|. >jmp short Luvinia.006FAADE                  ; -> join at $+5A: test it and call it
$+34 >|> >push Luvinia.0074455C ; /pModule = "KERNEL32.DLL"   ; cold path: resolve the API by name
$+39 >|. >call dword ptr ds:[<&KERNEL32.GetModuleHand>; \GetModuleHandleA
$+3F >|. >mov esi,eax                                 ; esi = hKernel32 (TlsGetValue no longer needed)
$+41 >|. >test esi,esi
$+43 >|. >je short Luvinia.006FAAEC                   ; no kernel32 handle -> return ptr unchanged ($+68)
$+45 >|. >call Luvinia.006FAA18                       ; gate helper (no args; role not visible here); zero -> skip lookup
$+4A >|. >test eax,eax
$+4C >|. >je short Luvinia.006FAAEC                   ; gate failed -> return ptr unchanged ($+68)
$+4E >|. >push Luvinia.0074454C ; /ProcNameOrOrdinal = "EncodePointer"
$+53 >|. >push esi ; |hModule
$+54 >|. >call dword ptr ds:[<&KERNEL32.GetProcAddres>; \GetProcAddress   ; eax = &EncodePointer or NULL
$+5A >|> >test eax,eax                                ; join point: eax = API pointer from either path
$+5C >|. >je short Luvinia.006FAAEC                   ; API unavailable -> ptr returned unobfuscated; note this downgrade when auditing
$+5E >|. >push dword ptr ss:[esp+8]                   ; ptr (still at [esp+8]: every callee above cleaned its own args)
$+62 >|. >call eax                                    ; eax = EncodePointer(ptr)
$+64 >|. >mov dword ptr ss:[esp+8],eax                ; overwrite the arg slot with the encoded value
$+68 >|> >mov eax,dword ptr ss:[esp+8]                ; return value: encoded ptr, or the original ptr on the fallback paths
$+6C >|. >pop esi
$+6D >\. >retn                                        ; cdecl: the caller discards ptr
; ---------------------------------------------------------------------------
; entry $+6E: void *encoded_null(void)
; Returns encode_ptr(NULL) via the routine at 006FAA84; same pattern as the
; CRT's __encoded_null, which is used to initialise stored function-pointer
; slots with an encoded NULL instead of a raw 0 so that every slot is always
; in the encoded domain. Out: eax = encoded NULL.
; ---------------------------------------------------------------------------
$+6E >/$ >push 0                                      ; ptr = NULL
$+70 >|. >call Luvinia.006FAA84                       ; eax = encode_ptr(NULL)
$+75 >|. >pop ecx                                     ; cdecl cleanup of the single argument (value discarded)
$+76 >\. >retn
; ---------------------------------------------------------------------------
; entry $+77: void *__cdecl decode_ptr(void *encoded)   ; arg sits at [esp+8] once esi is pushed
; Twin of the routine at 006FAA84 and the same shape as the MSVC CRT's
; _decode_pointer: recovers the real function pointer with
; kernel32!DecodePointer immediately before it is used. The warm path reads
; the cached pointer at +1FC of the per-thread block (presumably the
; DecodePointer address; layout not visible here); the cold path resolves
; "DecodePointer" by name through GetModuleHandleA/GetProcAddress, gated by
; helper 006FAA18 as in the encode routine.
; Out:  eax = DecodePointer(encoded) when the API was obtained, otherwise the
;       argument unchanged (consistent with the encode side, which also
;       passes the pointer through untouched when the API is absent).
; Regs: esi preserved; ecx/edx not preserved (stdcall API calls clobber them).
; Jump targets: 006FAB2F = $+AB, 006FAB55 = $+D1, 006FAB63 = $+DF.
; ---------------------------------------------------------------------------
$+77 >/$ >push esi                                    ; save callee-saved esi; arg is now [esp+8]
$+78 >|. >push dword ptr ds:[7A5914] ; /TlsIndex = F   ; same global TLS slot index as the encode routine
$+7E >|. >mov esi,dword ptr ds:[<&KERNEL32.TlsGetValu>; |kernel32.TlsGetValue ; kept in esi for the second call
$+84 >|. >call esi ; \TlsGetValue                     ; eax = per-thread callback, or NULL
$+86 >|. >test eax,eax
$+88 >|. >je short Luvinia.006FAB2F                   ; no per-thread value -> cold path ($+AB)
$+8A >|. >mov eax,dword ptr ds:[7A5910]               ; second global index; -1 means not allocated
$+8F >|. >cmp eax,-1
$+92 >|. >je short Luvinia.006FAB2F                   ; index not allocated -> cold path ($+AB)
$+94 >|. >push eax                                    ; argument for the callback
$+95 >|. >push dword ptr ds:[7A5914] ; /TlsIndex = F
$+9B >|. >call esi ; \TlsGetValue                     ; eax = the callback again
$+9D >|. >call eax                                    ; eax = callback([7A5910]); stdcall assumed, nothing pops the index below
$+9F >|. >test eax,eax
$+A1 >|. >je short Luvinia.006FAB2F                   ; no per-thread block -> cold path ($+AB)
$+A3 >|. >mov eax,dword ptr ds:[eax+1FC]              ; cached function pointer at +1FC (DecodePointer, presumably; encode used +1F8)
$+A9 >|. >jmp short Luvinia.006FAB55                  ; -> join at $+D1
$+AB >|> >push Luvinia.0074455C ; /pModule = "KERNEL32.DLL"   ; cold path: resolve by name
$+B0 >|. >call dword ptr ds:[<&KERNEL32.GetModuleHand>; \GetModuleHandleA
$+B6 >|. >mov esi,eax                                 ; esi = hKernel32
$+B8 >|. >test esi,esi
$+BA >|. >je short Luvinia.006FAB63                   ; no handle -> return arg unchanged ($+DF)
$+BC >|. >call Luvinia.006FAA18                       ; gate helper (role not visible here); zero -> skip lookup
$+C1 >|. >test eax,eax
$+C3 >|. >je short Luvinia.006FAB63                   ; gate failed -> return arg unchanged ($+DF)
$+C5 >|. >push Luvinia.0074456C ; /ProcNameOrOrdinal = "DecodePointer"
$+CA >|. >push esi ; |hModule
$+CB >|. >call dword ptr ds:[<&KERNEL32.GetProcAddres>; \GetProcAddress   ; eax = &DecodePointer or NULL
$+D1 >|> >test eax,eax                                ; join point: eax = API pointer from either path
$+D3 >|. >je short Luvinia.006FAB63                   ; API unavailable -> arg passed through as-is
$+D5 >|. >push dword ptr ss:[esp+8]                   ; encoded pointer (arg slot unchanged: all callees cleaned their args)
$+D9 >|. >call eax                                    ; eax = DecodePointer(encoded)
$+DB >|. >mov dword ptr ss:[esp+8],eax                ; store the decoded value in the arg slot
$+DF >|> >mov eax,dword ptr ss:[esp+8]                ; return value: decoded pointer, or the original arg on fallback paths
$+E3 >|. >pop esi
$+E4 >\. >retn                                        ; cdecl: the caller discards the argument