8053e568 89ae34010000 mov dword ptr [esi+134h],ebp//设置当前的TrapFrame 8053e56e fc cld //改变DF标志位 8053e56f 8b5d60 mov ebx,dword ptr [ebp+60h] 8053e572 8b7d68 mov edi,dword ptr [ebp+68h] 8053e575 89550c mov dword ptr [ebp+0Ch],edx//edx指向用户空间的参数 8053e578 c745...
char v8; // [esp+1Ah] [ebp-16h] char v9; // [esp+1Bh] [ebp-15h] char v10; // [esp+1Ch] [ebp-14h] char v11; // [esp+1Dh] [ebp-13h] char v12; // [esp+1Eh] [ebp-12h] char v13; // [esp+1Fh] [ebp-11h] char v14; // [esp+20h] [ebp-10h] char v15;...
fs:nothing ;打开FS寄存器 mov eax,fs:[30h] ;得到PEB结构地址 mov eax,[eax + 0ch] ;得到PEB_LDR_DATA结构地址 mov esi,[eax + 1ch] ;InInitializationOrderModuleList lodsd ;得到KERNEL32.DLL所在LDR_MODULE结构的InInitializationOrderModuleList地址 mov edx,[eax + 8h] ;得到BaseAddress,既Kernel32.dll...
LPSTREAM pStm, const struct _GUID *clsidFrom, void **ppv) { HRESULT result; // eax int v6; // esi int v8; // [esp+4h] [ebp-50h] __int16 v9; // [esp+8h] [ebp-4Ch] MAPDST int v10; // [esp+Ch] [ebp-48h] const wchar_t *v11; // [esp+10h] [ebp-44h] IID *...
23h push edx pushfd push 2 add edx,8 popfd or byte ptr [esp+1],2 push 1Bh push dword ptr ds:[0FFDF0304h] push 0 push ebp push ebx push esi push edi mov ebx,dword ptr fs:[1Ch] ; 指向 KPCR(自己) 的指针 push 3Bh mov esi,dword ptr [ebx+124h] ; 保存 CurrentThread,即当前...
6d1a4448h+2fh = v 6d1a4448h+11h = w 6d1a4448h+2dh = x 6d1a4448h+15h = y 6d1a4448h+2ch = z 6d1a4448h+1ch = enter 6d1a4448h+c8h = up 6d1a4448h+d0h = down 6d1a4448h+cbh = left 6d1a4448h+cdh = right 1. 2. ...
19 83e8d0f0 55 push ebp 20 83e8d0f1 53 push ebx 21 83e8d0f2 56 push esi 22 83e8d0f3 57 push edi 23 83e8d0f4 648b1d1c000000 mov ebx,dword ptr fs:[1Ch] 24 83e8d0fb 6a3b push 3Bh 25 83e8d0fd 8bb324010000 mov esi,dword ptr [ebx+124h] ...