edi 845

This article explains the use of assembly language to find the maximum value of a set of numbers, mainly related to the knowledge points have data segments, loops and so on.# Purpose: Find the largest number in the program # # Variable: The purpose of the Register # %edi-Save the data item index being checked # %EBX-the largest item currently found # %EAX-Current Data # # Use the following memory location: # Data_ Items-Contain

closehandle, hfilePop eax. ElseMoV eax, offset g_szfileopenerror. EndifRETGetpefilesize endp Ispefilemap proc pmapping: DWORDIf d_useseh EQ 1Local seh: sehEndif; d_useseh MoV g_dwvalidpe, falseMoV EDI, pmapping If d_useseh EQ 1Assume FS: NothingPush FS: [0]Pop Seh. prevlinkMoV Seh. currenthandler, offset sehhandlerMoV Seh. safeoffset, offset finalexitLea eax, sehMoV FS: [0], eaxMoV Seh. prevesp, ESPMoV Seh. prevebp, EBPEndif; d_useseh Assume

OnlySetInfectedMark 　　 ; Read all virus block tables Mov eax, ebp; read function number Call edi; read the block table to esi (@ 9) 　　 The following is a complete modification to handle the Winzip self-extracting file error. when you open the self-extracting file, The virus will not be infected. First, the virus obtains the ToRawData pointer of the 2nd block tables, Read the data and determine whether the data contains the "WinZip (R )" 　　 Xchg eax,

Here the "string" is not a single string, including all consecutive data (such as arrays); the string command is only used for memory operations. Move string commands: movsb, movsw, and movsd; from ESI-> EDI; after execution, the ESI and EDI address move the corresponding unit comparison string commands: cmpsb, cmpsw, cmpsd; compare ESI and EDI. After exe

functions during memory construction and analysis? Copy to clipboardprint? 74: manager m; 00401268 lea ecx, [ebp-4] 0040126B call @ ILT + 60 (manager: manager) (00401041) 75 :} 00401270 lea ecx, [ebp-4] 00401273 call @ ILT + 0 (manager ::~ Manager) (00401005) 00401278 pop edi 00401279 pop esi 004020.a pop ebx 004010000b add esp, 44 h 0040da-e cmp ebp, esp 00401280 call _ chkesp (00408760) 00401285 mov esp, ebp 00401287 pop ebp 74: manager m; 004012

Linux-0.11 Memory Management module is the source of the more difficult to understand the part, now the author's personal understanding publishedFirst hair Linux-0.11 kernel memory management get_free_page () function analysisHave time to write other functions or files:)/* *author:davidlin *date:2014-11-11pm *email: [email protected] or [email protected] *world:the City of SZ , in China *ver:000.000.001 *history:editor time do 1) Linpeng 2014-11-11 Created this file! 2) */Here is the source code

Loading and execution of programs (iii)--reading notes 23And then the last time the content said.load_relocate_programthe explanation of the process is not over yet, so create a stack segment descriptor and reposition symbol table.Allocating stack space and creating a stack segment descriptor462 ; Creating a program stack segment descriptor463 movecx,[edi+0x0c]; 4KB magnification464 movEbx0x000fffff465 SubEbx,ecxTo get

__stdcall __cdecl __fastcall vc6.0:int __stdcall/__cdecl/__fastcall Add (int x, int y){return x+y;}void Main (){Add (2,3);}1.__stdcall:1:int __stdcall Add (int x, int y)2: {00401020 Push EBP00401021 mov Ebp,esp00401023 Sub esp,40h00401026 push EBX00401027 push ESI00401028 Push EDI00401029 Lea edi,[ebp-40h]0040102C mov ecx,10h00401031 mov eax,0cccccccch00401036 Rep stos dword ptr [edi]3:return X

It's free. Let's take a look.ODLoad directly as follows: 00414000> $ E8 00000000 call 0041400500414005 $ 5B pop ebx // locate the code00414006.81EB05024000 sub ebx, 00400205 // The code segment length, followed by a variable0041400C. 64: 8B3D 30000000 mov edi, dword ptr fs: [30] // FS [30]-> PEB, locate kernel32.dll00414013. 8B7F 0C mov edi, dword ptr [edi + C] /

EAX register to the memory location specified by value. Use the memory location of the variable address. as follows, multi-memory specifies multiple values in one command:values:. int 10,20,30,40,50,60,70this creates a series of data values that are contiguous in memory (similar to an array of high-level languages). When referencing data in an array, you must use the system to determine which memory location you want to access. The memory location is determined by the following expression:base_

If you returned a struct object, what would the return statement do? Here is the test code #include using namespace Std;struct BIG{Char buf[100];int i;Long D;}B,B2;Big Bigfun (Big B){b.i=100;return b;}int main (){B2=bigfun (B);return 0;}To set a breakpoint at the beginning and end of main8:int Main ()19: {004012A0 Push EBP004012A1 mov Ebp,esp004012a3 Sub esp,118hPuzzled at first, and analyzed for a long timeThe original (118h-40h) remaining memory block holds two big variablesLow address put bi

that shellcode will be much larger. At the summit because Flashsky Daniel refused to disclose source code, so had to do their own, ample clothing. This period of time due to review make-up (last semester accidentally hung 4 #_#), so dragged for so long. In fact, the code was written very early, is not bothered to write this document. This morning finally made up my mind to spend the morning to finish this document, it is inevitable that there are some mistakes, I hope you point out. Shellcode

esi, [edx + 0x3c]; Lea ESI, [edx + esi]; mov esi, [esi + 0x78]; Lea ESI, [edx + esi]; mov edi, [esi + 0x1c]; Lea EDI, [edx + edi]; MOV[EBP-0X04], EDI; mov

Everyone knows that to use COM components in a program, you must first call coinitialize. This function is mainly used to initialize the com runtime environment. But does the function scope take the thread as the unit or the process as the unit? Maybe you have figured out the answer through the test program. That's right, it's a thread. Today, we will go into a bit more detail and confirm our ideas by analyzing the specific implementation of coinitialize. Let's take a look at coinitialize compil

]; Lea ESI, [edx + esi]; mov esi, [esi + 0x78]; Lea ESI, [edx + esi]; mov edi, [esi + 0x1c]; Lea EDI, [edx + edi]; MOV[EBP-0X04], EDI; mov edi