Reverse engineering

Today I ran into a call that I studied for a long time. It worked fine in the testing software, but when I wrote it in Java the game kept crashing.
Assembly 1

004905F4 68 20564800 push woool.00485620
004905F9 03C2 add eax,edx
004905FB 50 push eax
004905FC 56 push esi
004905FD 57 push edi
004905FE E8 4DFAFFFF call woool.00490050
00490603 83C4 10 add esp,0x10
00490606 5F pop edi ; 1124AF0D
00490607 5E pop esi ; 1124AF0D
00490608 C2 0800 retn 0x8

Java code

asm._PUSH(0x485620);
asm._PUSH(0x3c);
asm._MOV_EDI(ediAddress);
asm._PUSH_EDI();
asm._MOV_ESI(eaxAddress);
asm._PUSH_ESI();
asm._MOV_EAX(0x490050);
asm._CALL_EAX();
asm._ADD_ESP(0x10); // caller removes the four pushed arguments, as in assembly 1
Assembly 2

00490083 8B7424 24 mov esi,dword ptr ss:[esp+0x24]
00490087 85F6 test esi,esi
00490089 0F8E B7000000 jle woool.00490146
0049008F 55 push ebp
00490090 57 push edi
00490091 8D4424 18 lea eax,dword ptr ss:[esp+0x18]
00490095 53 push ebx
00490096 50 push eax
00490097 E8 24FBFFFF call woool.0048FBC0
0049009C 8BC6 mov eax,esi
0049009E 99 cdq
0049009F 2BC2 sub eax,edx
004900A1 D1F8 sar eax,1
004900A3 8BF0 mov esi,eax

Here call woool.0048FBC0 returns 0.

Java code 1
Has problems

asm._PUSH(0x485620);
asm._PUSH(ediAddress);
asm._PUSH(eaxAddress);
asm._PUSH(0x19EFB4);
asm._MOV_EAX(0x48FBC0);
asm._CALL_EAX();
asm._ADD_ESP(0x10);
Java code 2
Crashes immediately

asm._PUSH_EBP(0x485620);
asm._PUSH_EDI(ediAddress);
asm._PUSH_EBX(eaxAddress);
asm._PUSH_EAX(0x19EFB4);
asm._MOV_EAX(0x48FBC0);
asm._CALL_EAX();
asm._ADD_ESP(0x10);
Java code 3
No problems

asm._MOV_EBP(0x485620);
asm._PUSH_EBP();
asm._MOV_EDI(ediAddress);
asm._PUSH_EDI();
asm._MOV_EBX(eaxAddress);
asm._PUSH_EBX();
asm._MOV_EAX(0x19EFB4);
asm._PUSH_EAX();
asm._MOV_EAX(0x48FBC0);
asm._CALL_EAX();
asm._ADD_ESP(0x10);
Java code 4
Crashes immediately

asm._PUSH(0x485620);
asm._PUSH(ediAddress);
asm._PUSH(eaxAddress);
asm._PUSH(0x19EFB4);
asm._MOV_EAX(0x490050);
asm._CALL_EAX();
asm._ADD_ESP(0x10);
Summary: stack balance must always be kept in mind, otherwise you waste time. Another question is whether ecx also needs to be taken into account. In addition, if the assembly is a direct `push constant`, use asm._PUSH(xxxx) in Java; if it is `push ebp`, first do the mov and then the push, as in Java code 3.
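The "stack balance" lesson in the summary can be checked mechanically before anything is emitted. The following Python checker is an added example, not code from the original post and not built on the author's asm helper: it replays the effect on ESP of a short x86-32 instruction sequence (push, pop, add/sub esp, call, retn; everything else is treated as ESP-neutral) and reports whether the sequence leaves ESP where it started. The caller sequence is copied from assembly 1; the cdecl entries in CALLEE_CLEANUP follow from the `add esp,0x10` after the call in that listing (the 0x48FBC0 entry is an assumption); the mov-then-push sequence mirrors Java code 3 with EDI_ADDRESS and EAX_ADDRESS as placeholders for the post's ediAddress and eaxAddress; the two unbalanced variants are constructed to show the failures the checker catches.

```python
# Added example: static ESP-balance checker for x86-32 call sequences.
# Models only push/pop, add/sub esp, call and retn; other instructions
# are ESP-neutral, and any other write to esp is rejected.

# Callee cleanup table: target address -> bytes the callee pops with `retn N`.
# 0 means cdecl (the caller's `add esp,N` removes the arguments), which is
# what `add esp,0x10` after `call woool.00490050` in assembly 1 implies.
# The 0x48FBC0 entry is an assumption made for this example.
CALLEE_CLEANUP = {0x490050: 0, 0x48FBC0: 0}


def parse_imm(tok):
    """Parse a hex immediate as it appears in the listings: '0x10' or
    a module-prefixed address such as 'woool.00490050'."""
    tok = tok.rsplit(".", 1)[-1]  # drop a module prefix
    return int(tok, 0) if tok.startswith("0x") else int(tok, 16)


def esp_delta(instrs, callee_cleanup=CALLEE_CLEANUP):
    """Net change in ESP (bytes) after the sequence. 0 means balanced,
    negative means data was left on the stack, positive means too much
    was popped (the saved registers / return address above are gone)."""
    delta = 0
    for ins in instrs:
        mnem, _, rest = ins.strip().partition(" ")
        mnem = mnem.lower()
        ops = [o.strip().lower() for o in rest.split(",")] if rest.strip() else []
        if mnem == "push":
            delta -= 4
        elif mnem == "pop":
            delta += 4
        elif mnem in ("add", "sub") and ops and ops[0] == "esp":
            n = parse_imm(ops[1])
            delta += n if mnem == "add" else -n
        elif mnem == "call":
            target = parse_imm(ops[0])
            if target not in callee_cleanup:
                raise ValueError(f"unknown calling convention for {ops[0]}")
            # call pushes the return address (-4); the callee's retn pops it
            # (+4) plus its own argument cleanup (+N): net +N for the caller.
            delta += callee_cleanup[target]
        elif mnem in ("ret", "retn"):
            delta += 4 + (parse_imm(ops[0]) if ops else 0)
        elif ops and ops[0] == "esp":
            raise ValueError(f"unsupported write to esp: {ins}")
        # mov/lea/test/... with a non-esp destination leave ESP unchanged
    return delta


def check_sequence(instrs, callee_cleanup=CALLEE_CLEANUP):
    """Human-readable verdict for a sequence."""
    d = esp_delta(instrs, callee_cleanup)
    if d == 0:
        return "balanced"
    if d < 0:
        return f"unbalanced: {-d} bytes left on the stack"
    return f"unbalanced: {d} bytes popped too many"


# Caller sequence from assembly 1 (register operands are not evaluated).
ASSEMBLY_1 = [
    "push woool.00485620",
    "push eax",
    "push esi",
    "push edi",
    "call woool.00490050",
    "add esp,0x10",
]

# Same stack shape as Java code 3: load each value into a register, then push.
# EDI_ADDRESS / EAX_ADDRESS are placeholders; `call eax` with eax=0x48FBC0
# is written as a direct call so the checker can resolve the target.
JAVA_CODE_3 = [
    "mov ebp,0x485620", "push ebp",
    "mov edi,EDI_ADDRESS", "push edi",
    "mov ebx,EAX_ADDRESS", "push ebx",
    "mov eax,0x19EFB4", "push eax",
    "mov eax,0x48FBC0", "call 0x48FBC0",
    "add esp,0x10",
]

# Constructed mistake: four arguments pushed but only two cleaned up.
LEFT_8_BYTES = ASSEMBLY_1[:-1] + ["add esp,0x8"]

if __name__ == "__main__":
    print("assembly 1:", check_sequence(ASSEMBLY_1))
    print("java code 3:", check_sequence(JAVA_CODE_3))
    print("constructed short cleanup:", check_sequence(LEFT_8_BYTES))
    # Constructed mistake: callee is stdcall (retn 0x10) and the caller
    # also does `add esp,0x10`, so the arguments are removed twice.
    print("constructed double cleanup:",
          check_sequence(ASSEMBLY_1, {0x490050: 16}))
```

Both the assembly-1 sequence and the mov-then-push form of Java code 3 come out balanced, so the checker confirms that the difference between the crashing and the working Java variants is not a stack-depth problem; what it does not model is register state at the call (the ecx question in the summary), which has to be compared separately against the original listing.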