
I have a piece of code like this:

push ff
push 0
push 0
push offset "this is a test"
push offset "Hello world!"       ; string in hex: 48656C6C6F20776F726C6421
push 0
CALL FUNCTION 1

MOV EDI,EDI
PUSH EBP
MOV EBP,ESP
PUSH ECX
PUSH ECX
PUSH ESI
PUSH EDI
XOR EDI,EDI
OR ESI,FFFFFFFF
MOV DWORD PTR SS:[EBP-4],EDI
MOV DWORD PTR SS:[EBP-8],EDI
CMP DWORD PTR SS:[EBP+0C],EDI
JE SHORT                         ; jump is taken

Now, the list of operations inside the function:

PUSH EBP
PUSH ECX 
PUSH ECX
PUSH ESI
PUSH EDI
XOR EDI,EDI                            ; will clear the edi register, it's zero now
OR ESI,FFFFFFFF                        ; esi will hold value ffffffff
MOV DWORD PTR SS:[EBP-4],EDI           ; stores edi (now 0) into [EBP-4], the slot reserved by the first PUSH ECX
MOV DWORD PTR SS:[EBP-8],EDI           ; stores edi (0) into [EBP-8], the slot reserved by the second PUSH ECX

Now here is the part I don't understand:

CMP DWORD PTR SS:[EBP+0C],EDI

It is comparing edi, whose value is zero, with...?

push offset "Hello world!" 48656C6C6F20776F726C6421

What is it comparing? The JE instruction says the jump is taken. Something doesn't add up here... I looked further into the code and didn't see anything important. If the string is being compared with 0, why does it jump?

Edit #1

Here is the whole code from the starting point; maybe you can figure out what I'm doing wrong.

Program start

00401000    6A 00           PUSH 0
00401002    68 00304000     PUSH OFFSET 00403000                  ; ASCII "this is a test"
00401007    68 17304000     PUSH OFFSET 00403017                  ; ASCII "Hello world!"
0040100C    6A 00           PUSH 0
0040100E    FF15 70204000   CALL DWORD PTR DS:[402070]

Calling user32 (MessageBoxA)

750AFD1E  /$  8BFF          MOV EDI,EDI                 ; ID_X user32.MessageBoxA
750AFD20  |.  55            PUSH EBP
750AFD21  |.  8BEC          MOV EBP,ESP
750AFD23  |.  6A 00         PUSH 0                        ; /LanguageID = LANG_NEUTRAL
750AFD25  |.  FF75 14       PUSH DWORD PTR SS:[EBP+14]               ; |Type
750AFD28  |.  FF75 10       PUSH DWORD PTR SS:[EBP+10]               ; |Caption
750AFD2B  |.  FF75 0C       PUSH DWORD PTR SS:[EBP+0C]               ; |Text
750AFD2E  |.  FF75 08       PUSH DWORD PTR SS:[EBP+8]                ; |hOwner
750AFD31  |.  E8 A0FFFFFF   CALL MessageBoxExA                       ; \USER32.MessageBoxExA
750AFD36  |.  5D            POP EBP
750AFD37  \.  C2 1000       RETN 10

Calling MessageBoxExA

750AFCD6  /$  8BFF          MOV EDI,EDI                     ; ID_X user32.MessageBoxExA
750AFCD8  |.  55            PUSH EBP
750AFCD9  |.  8BEC          MOV EBP,ESP
750AFCDB  |.  6A FF         PUSH -1                                  ; /Arg6 = -1
750AFCDD  |.  FF75 18       PUSH DWORD PTR SS:[EBP+18]               ; |Arg5
750AFCE0  |.  FF75 14       PUSH DWORD PTR SS:[EBP+14]               ; |Arg4
750AFCE3  |.  FF75 10       PUSH DWORD PTR SS:[EBP+10]               ; |Arg3
750AFCE6  |.  FF75 0C       PUSH DWORD PTR SS:[EBP+0C]               ; |Arg2
750AFCE9  |.  FF75 08       PUSH DWORD PTR SS:[EBP+8]                ; |Arg1
750AFCEC  |.  E8 37FEFFFF   CALL MessageBoxTimeoutA             
750AFCF1  |.  5D            POP EBP
750AFCF2  \.  C2 1400       RETN 14

Calling MessageBoxTimeoutA

750AFB28  /$  8BFF          MOV EDI,EDI                        ; user32.MessageBoxTimeoutA
750AFB2A  |.  55            PUSH EBP
750AFB2B  |.  8BEC          MOV EBP,ESP
750AFB2D  |.  51            PUSH ECX
750AFB2E  |.  51            PUSH ECX
750AFB2F  |.  56            PUSH ESI
750AFB30  |.  57            PUSH EDI
750AFB31  |.  33FF          XOR EDI,EDI
750AFB33  |.  83CE FF       OR ESI,FFFFFFFF
750AFB36  |.  897D FC       MOV DWORD PTR SS:[EBP-4],EDI
750AFB39  |.  897D F8       MOV DWORD PTR SS:[EBP-8],EDI
750AFB3C  |.  397D 0C       CMP DWORD PTR SS:[EBP+0C],EDI
750AFB3F  |.- 74 19         JE SHORT 750AFB5A         <----- ollydbg states jump is taken
750AFB41  |.  6A 01         PUSH 1                                   ; /Arg6 = 1
750AFB43  |.  56            PUSH ESI                                 ; |Arg5
750AFB44  |.  8D45 FC       LEA EAX,[EBP-4]                          ; |
750AFB47  |.  50            PUSH EAX                                 ; |Arg4
750AFB48  |.  56            PUSH ESI                                 ; |Arg3
750AFB49  |.  FF75 0C       PUSH DWORD PTR SS:[EBP+0C]               ; |Arg2
750AFB4C  |.  57            PUSH EDI                                 ; |Arg1
750AFB4D  |.  E8 72D5FAFF   CALL MBToWCSEx                           ; \USER32.MBToWCSEx
750AFB52  |.  85C0          TEST EAX,EAX
750AFB54  |.- 75 04         JNZ SHORT 750AFB5A
750AFB56  |>  33C0          XOR EAX,EAX
750AFB58  |.- EB 6C         JMP SHORT 750AFBC6
750AFB5A  |>  397D 10       CMP DWORD PTR SS:[EBP+10],EDI    <----- jumps here
750AFB5D  |.- 74 27         JE SHORT 750AFB86     <----- jump is taken again
750AFB5F  |.  6A 01         PUSH 1                                   ; /Arg6 = 1
750AFB61  |.  56            PUSH ESI                                 ; |Arg5
750AFB62  |.  8D45 F8       LEA EAX,[EBP-8]                          ; |
750AFB65  |.  50            PUSH EAX                                 ; |Arg4
750AFB66  |.  56            PUSH ESI                                 ; |Arg3
750AFB67  |.  FF75 10       PUSH DWORD PTR SS:[EBP+10]               ; |Arg2
750AFB6A  |.  57            PUSH EDI                                 ; |Arg1
750AFB6B  |.  E8 54D5FAFF   CALL MBToWCSEx                           ; \USER32.MBToWCSEx
750AFB70  |.  85C0          TEST EAX,EAX
750AFB72  |.- 75 12         JNZ SHORT 750AFB86
750AFB74  |.  FF75 FC       PUSH DWORD PTR SS:[EBP-4]                ; /pMem
750AFB77  |.  57            PUSH EDI                                 ; |Flags
750AFB78  |.  FF35 0C010C75 PUSH DWORD PTR DS:[750C010C]             ; |Heap = 00350000
750AFB7E  |.  FF15 14000575 CALL DWORD PTR DS:[<&ntdll.RtlFreeHeap>] ; \NTDLL.RtlFreeHeap
750AFB84  |.- EB D0         JMP SHORT 750AFB56
750AFB86  |>  53            PUSH EBX      <--------- jumps here
750AFB87  |.  FF75 1C       PUSH DWORD PTR SS:[EBP+1C]               ; /Arg6
750AFB8A  |.  FF75 18       PUSH DWORD PTR SS:[EBP+18]               ; |Arg5
750AFB8D  |.  FF75 14       PUSH DWORD PTR SS:[EBP+14]               ; |Arg4
750AFB90  |.  FF75 F8       PUSH DWORD PTR SS:[EBP-8]                ; |Arg3
750AFB93  |.  FF75 FC       PUSH DWORD PTR SS:[EBP-4]                ; |Arg2
750AFB96  |.  FF75 08       PUSH DWORD PTR SS:[EBP+8]                ; |Arg1
750AFB99  |.  E8 2FFFFFFF   CALL MessageBoxTimeoutW                  
750AFB9E  |.  FF75 FC       PUSH DWORD PTR SS:[EBP-4]                ; /pMem
750AFBA1  |.  8B35 14000575 MOV ESI,DWORD PTR DS:[<&ntdll.RtlFreeHea ; |
750AFBA7  |.  57            PUSH EDI                                 ; |Flags
750AFBA8  |.  FF35 0C010C75 PUSH DWORD PTR DS:[750C010C]             ; |Heap = 00350000
750AFBAE  |.  8BD8          MOV EBX,EAX                              ; |
750AFBB0  |.  FFD6          CALL ESI                                 ; \NTDLL.RtlFreeHeap
750AFBB2  |.  397D F8       CMP DWORD PTR SS:[EBP-8],EDI
750AFBB5  |.- 74 0C         JE SHORT 750AFBC3
750AFBB7  |.  FF75 F8       PUSH DWORD PTR SS:[EBP-8]
750AFBBA  |.  57            PUSH EDI
750AFBBB  |.  FF35 0C010C75 PUSH DWORD PTR DS:[750C010C]
750AFBC1  |.  FFD6          CALL ESI
750AFBC3  |>  8BC3          MOV EAX,EBX
750AFBC5  |.  5B            POP EBX
750AFBC6  |>  5F            POP EDI
750AFBC7  |.  5E            POP ESI
750AFBC8  |.  C9            LEAVE
750AFBC9  \.  C2 1800       RETN 18

Is the debugger somehow letting me down? For example, the first time it compares they are not equal, so it doesn't jump, it does some operations, then tries again, and that causes the jump?

Edit #2

I solved it, and it was silly: the jump was not taken after all. I ran a trace and it said the jump instruction was not executed, just as I expected. But apparently I was just clicking on each instruction instead of pressing F7 to step through it :S Silly... Thanks for your help anyway; I'll be posting more questions soon.


1 Answer


Unless I'm mistaken, the comparison you are asking about compares EDI (which is 0) with the second argument (the string pointer). It is checking whether the string is NULL.

Here is your MessageBoxExA:

750AFCD6  /$  8BFF          MOV EDI,EDI                     ; ID_X user32.MessageBoxExA
750AFCD8  |.  55            PUSH EBP
750AFCD9  |.  8BEC          MOV EBP,ESP
750AFCDB  |.  6A FF         PUSH -1                                  ; /Arg6 = -1
750AFCDD  |.  FF75 18       PUSH DWORD PTR SS:[EBP+18]               ; |Arg5
750AFCE0  |.  FF75 14       PUSH DWORD PTR SS:[EBP+14]               ; |Arg4
750AFCE3  |.  FF75 10       PUSH DWORD PTR SS:[EBP+10]               ; |Arg3
750AFCE6  |.  FF75 0C       PUSH DWORD PTR SS:[EBP+0C]               ; |Arg2
750AFCE9  |.  FF75 08       PUSH DWORD PTR SS:[EBP+8]                ; |Arg1
750AFCEC  |.  E8 37FEFFFF   CALL MessageBoxTimeoutA             
750AFCF1  |.  5D            POP EBP
750AFCF2  \.  C2 1400       RETN 14

Start of MessageBoxTimeoutA:

750AFB28  /$  8BFF          MOV EDI,EDI                        ; user32.MessageBoxTimeoutA
750AFB2A  |.  55            PUSH EBP
750AFB2B  |.  8BEC          MOV EBP,ESP
750AFB2D  |.  51            PUSH ECX
750AFB2E  |.  51            PUSH ECX
750AFB2F  |.  56            PUSH ESI
750AFB30  |.  57            PUSH EDI
750AFB31  |.  33FF          XOR EDI,EDI
750AFB33  |.  83CE FF       OR ESI,FFFFFFFF
750AFB36  |.  897D FC       MOV DWORD PTR SS:[EBP-4],EDI
750AFB39  |.  897D F8       MOV DWORD PTR SS:[EBP-8],EDI
750AFB3C  |.  397D 0C       CMP DWORD PTR SS:[EBP+0C],EDI
750AFB3F  |.- 74 19         JE SHORT 750AFB5A         <----- ollydbg states jump is taken

On entry to MessageBoxTimeoutA, it pushes EBP and then sets EBP = ESP.

So what you have on the stack is:

[EBP+0C]    Arg2
[EBP+08]    Arg1
[EBP+04]    Return address
[EBP+00]    Previous EBP

At least, that's what it looks like. But you say the jump is taken, which is strange if you did not pass NULL as the text argument.

Answered 2013-08-22T02:25:24.633
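To make the frame layout in the answer concrete, and to show exactly what `CMP DWORD PTR SS:[EBP+0C],EDI` in the question is testing, here is an added worked model written for this page; it is not code from the original question or answer, and it is not Windows code. It replays the stack traffic of the listing on an emulated 32-bit stack: the caller's four pushes, `MessageBoxA` adding `LanguageID`, `MessageBoxExA` adding the `-1` timeout, and the `MessageBoxTimeoutA` prologue (`PUSH EBP` / `MOV EBP,ESP` / `PUSH ECX` x2 / `PUSH ESI` / `PUSH EDI` / `XOR EDI,EDI` / `OR ESI,-1` / the two stores) up to the first `CMP`/`JE`. Pointer arguments are plain 32-bit values, the string addresses `0x00403017` and `0x00403000` are taken from the listing, and the return addresses pushed by `CALL` are the next-instruction addresses from the listing (the caller's is assumed). Names like `run`, `Cpu` and `Frame` are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 32-bit stack: word-addressed memory, with esp/ebp
   kept as byte offsets so [EBP+0C] style arithmetic works as on real x86. */
#define STACK_BYTES 256

typedef struct {
    uint32_t mem[STACK_BYTES / 4];
    uint32_t esp, ebp, esi, edi;
} Cpu;

static void     push(Cpu *c, uint32_t v)               { c->esp -= 4; c->mem[c->esp / 4] = v; }
static uint32_t ld(const Cpu *c, uint32_t addr)        { return c->mem[addr / 4]; }
static void     st(Cpu *c, uint32_t addr, uint32_t v)  { c->mem[addr / 4] = v; }

/* CALL pushes the return address; PUSH EBP / MOV EBP,ESP opens the frame. */
static void call_and_open_frame(Cpu *c, uint32_t ret_addr) {
    push(c, ret_addr);
    push(c, c->ebp);
    c->ebp = c->esp;
}

typedef struct {
    uint32_t hwnd, text, caption, type, lang, ms;  /* [EBP+8] .. [EBP+1C] */
    uint32_t local4, local8;                       /* [EBP-4], [EBP-8]    */
    int      je_taken;                             /* CMP [EBP+0C],EDI ; JE */
} Frame;

/* Replays the listing down to the CMP/JE the question asks about and
   reports what the MessageBoxTimeoutA frame holds at that point. */
static Frame run(uint32_t hwnd, uint32_t text, uint32_t caption, uint32_t type) {
    Cpu c = {0};
    c.esp = STACK_BYTES;

    /* caller: PUSH type / PUSH caption / PUSH text / PUSH hwnd / CALL MessageBoxA */
    push(&c, type); push(&c, caption); push(&c, text); push(&c, hwnd);
    call_and_open_frame(&c, 0x00401014);           /* assumed return address */

    /* MessageBoxA: PUSH 0 (LanguageID), then forward [EBP+14] .. [EBP+8] */
    push(&c, 0);
    push(&c, ld(&c, c.ebp + 0x14)); push(&c, ld(&c, c.ebp + 0x10));
    push(&c, ld(&c, c.ebp + 0x0C)); push(&c, ld(&c, c.ebp + 0x08));
    call_and_open_frame(&c, 0x750AFD36);

    /* MessageBoxExA: PUSH -1 (timeout), then forward [EBP+18] .. [EBP+8] */
    push(&c, 0xFFFFFFFFu);
    push(&c, ld(&c, c.ebp + 0x18)); push(&c, ld(&c, c.ebp + 0x14));
    push(&c, ld(&c, c.ebp + 0x10)); push(&c, ld(&c, c.ebp + 0x0C));
    push(&c, ld(&c, c.ebp + 0x08));
    call_and_open_frame(&c, 0x750AFCF1);

    /* MessageBoxTimeoutA prologue */
    push(&c, 0xDEADBEEFu); push(&c, 0xDEADBEEFu);  /* PUSH ECX x2: reserve two locals */
    push(&c, c.esi); push(&c, c.edi);              /* PUSH ESI / PUSH EDI */
    c.edi = 0;                                     /* XOR EDI,EDI */
    c.esi = 0xFFFFFFFFu;                           /* OR ESI,FFFFFFFF */
    st(&c, c.ebp - 4, c.edi);                      /* MOV [EBP-4],EDI */
    st(&c, c.ebp - 8, c.edi);                      /* MOV [EBP-8],EDI */

    Frame f;
    f.hwnd     = ld(&c, c.ebp + 0x08);
    f.text     = ld(&c, c.ebp + 0x0C);
    f.caption  = ld(&c, c.ebp + 0x10);
    f.type     = ld(&c, c.ebp + 0x14);
    f.lang     = ld(&c, c.ebp + 0x18);
    f.ms       = ld(&c, c.ebp + 0x1C);
    f.local4   = ld(&c, c.ebp - 4);
    f.local8   = ld(&c, c.ebp - 8);
    f.je_taken = (ld(&c, c.ebp + 0x0C) == c.edi);  /* JE fires only if lpText == 0 */
    return f;
}

int main(void) {
    Frame f = run(0, 0x00403017u, 0x00403000u, 0); /* the question's call */
    printf("[EBP+0C] = %08lX  JE taken: %s\n", (unsigned long)f.text, f.je_taken ? "yes" : "no");
    f = run(0, 0, 0x00403000u, 0);                 /* same call with lpText = NULL */
    printf("[EBP+0C] = %08lX  JE taken: %s\n", (unsigned long)f.text, f.je_taken ? "yes" : "no");
    return 0;
}
```

With the question's arguments, `[EBP+0C]` holds `0x00403017`, the pointer to "Hello world!", so the `JE` is not taken; only a NULL `lpText` makes it fire. Two things worth keeping in mind when reading prologues like this one: the check is on the pointer, not on the string, so a non-NULL pointer to an empty string still skips the jump, and the `-1` that `MessageBoxExA` pushes ends up at `[EBP+1C]`, which is why the listing forwards `[EBP+1C]` as Arg6 to `MessageBoxTimeoutW`.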