+1Ch] [ebp-800Ch] wchar_t *s2;// [esp+801Ch] [ebp-Ch] s2 = (wchar_t *)decrypt(&s, &dword_8048A90...+1Ch] [ebp-1Ch] signed int i; // [esp+20h] [ebp-18h] signed int v6; // [esp+24h] [ebp-14h] signed...int v7; // [esp+28h] [ebp-10h] wchar_t *dest; /...
6d1a4448h+13h = r 6d1a4448h+1fh = s 6d1a4448h+14h = t 6d1a4448h+16h = u 6d1a4448h+2fh = v 6d1a4448h+11h = w 6d1a4448h+2dh = x 6d1a4448h+15h = y 6d1a4448h+2ch = z 6d1a4448h+1ch = enter 6d1a4448h+c8h = up 6d1a4448h+d0h = down 6d1a4448h+cbh = left ...
edx ; 设置参数指向用户层传递的函数参数 mov dword ptr [ebp+8],0BADB0D00h mov dword ptr [ebp],ebx mov dword ptr [ebp+4],edi ; 开启中断标志位 sti ; 通过调用号判定当前是 SSDT 还是 Shadow SSDT 调用 mov edi,eax ; 获取函数的调用号,调用号的组成是 ...
KeReleaseQueuedSpinLockFromDpcLevel (80868cfc) 8086ddac 33c0 xor eax,eax 8086ddae 8ee8 mov gs,ax 8086ddb0 8b4718 mov eax,dword ptr [edi+18h] 8086ddb3 8b6b40 mov ebp,dword ptr [ebx+40h] 8086ddb6 8b4f30 mov ecx,dword ptr [edi+30h] 8086ddb9 89451c mov dword ptr [ebp+1Ch],eax...
.text:004423FF mov [ebp+1Ch], ecx .text:00442402 mov [ebp+20h], edi .text:00442405 mov ebx, dr3 .text:00442408 mov ecx, dr6 .text:0044240B mov edi, dr7 .text:0044240E mov [ebp+24h], ebx .text:00442411 mov [ebp+28h], ecx ...
19 83e8d0f0 55 push ebp 20 83e8d0f1 53 push ebx 21 83e8d0f2 56 push esi 22 83e8d0f3 57 push edi 23 83e8d0f4 648b1d1c000000 mov ebx,dword ptr fs:[1Ch] 24 83e8d0fb 6a3b push 3Bh 25 83e8d0fd 8bb324010000 mov esi,dword ptr [ebx+124h] ...