则成功
; // ---- Tail of key call 1 (the routine starts above this excerpt) ----
; // Listing columns: address, flow marker, opcode bytes, instruction, comment.
00427B03  |.  BB 4E61BC00    mov ebx, 0BC614E                 ; // ebx carries the verdict; 0BC614E hex = 12345678 decimal
00427B08  |.  EB 05          jmp short 00427B0F               ; // reaching here means success; skips the failure assignment below
00427B0A  |>  BB 91D61200    mov ebx, 12D691                  ; // ebx reassigned (12D691 hex = 1234577 decimal); this value ultimately leads to failure
                                                              ; // NOTE(review): the branch that lands on 00427B0A is outside this excerpt
00427B0F  |>  33C0           xor eax, eax                     ; // eax = 0, so the store below addresses fs:[0]
00427B11  |.  5A             pop edx                          ; // edx = first saved dword
00427B12  |.  59             pop ecx                          ; // discard two more saved dwords
00427B13  |.  59             pop ecx
00427B14  |.  64:8910        mov dword ptr fs:[eax], edx      ; // write edx to fs:[0]; presumably unlinks an exception frame set up earlier - confirm against the prologue
00427B17  |.  68 317B4200    push 00427B31                    ; // address the retn at 00427B29 continues at (assuming the call below leaves the stack balanced)
00427B1C  |>  8D45 F0        lea eax, dword ptr [ebp-10]      ; // eax = ADDRESS of the local at [ebp-10]; lea does not copy ebx (ebx is moved to eax at 00427B31)
00427B1F  |.  BA 04000000    mov edx, 4                       ; // edx = 4; with eax this looks like a (pointer, count) pair - TODO confirm
00427B24  |.  E8 2FBAFDFF    call 00403558                    ; // helper not shown in this excerpt; presumably cleans up the locals starting at [ebp-10]
00427B29  \.  C3             retn                             ; // pops the pushed 00427B31 and continues there
00427B2A   .^ E9 A9B4FDFF    jmp 00402FD8                     ; // not reached by fall-through (follows retn); target not shown - presumably exception-path handling
00427B2F   .^ EB EB          jmp short 00427B1C               ; // jumps back to the cleanup block at 00427B1C
00427B31   .  8BC3           mov eax, ebx                     ; // return value: eax = ebx (0BC614E on the success path, 12D691 on the failure path)
00427B33   .  5E             pop esi                          ; // restore saved registers
00427B34   .  5B             pop ebx
00427B35   .  8BE5           mov esp, ebp                     ; // tear down the stack frame
00427B37   .  5D             pop ebp
00427B38   .  C3             retn

; // End of key call 1. Next, step into key call 2; the point of interest is
; // the value left in eax when call 2 returns.
; // ---- Key call 2 (continues past the end of this excerpt) ----
004038C0  /$  53             push ebx                         ; // save registers used below
004038C1  |.  56             push esi
004038C2  |.  57             push edi
004038C3  |.  89C6           mov esi, eax                     ; // esi = eax (first operand)
004038C5  |.  89D7           mov edi, edx                     ; // edi = edx (second operand)
004038C7  |.  39D0           cmp eax, edx                     ; // same value in both operands?
004038C9  |.  0F84 8F000000  je 0040395E                      ; // yes: branch to 0040395E (outside this excerpt)
004038CF  |.  85F6           test esi, esi                    ; // first operand zero?
004038D1  |.  74 68          je short 0040393B                ; // yes: branch to 0040393B (not shown)
004038D3  |.  85FF           test edi, edi                    ; // second operand zero?
004038D5  |.  74 6B          je short 00403942                ; // yes: branch to 00403942 (not shown)
                                                              ; // NOTE(review): the read of [esi-4] below suggests esi points just past a header field
                                                              ; // (e.g. a length stored before the data) - confirm against the rest of the routine
004038D7  |.  8B46 FC        mov eax, dword ptr [esi-4] ; 该地 |