Use the cpuid assembly instruction (machine code: 0Fh A2h; if your assembler does not support the cpuid mnemonic, emit the machine code bytes directly). This instruction is recognized by the following CPUs:
Intel 486 and above,
Cyrix M1 and above,
AMD Am486 and above.
(1) Obtain the CPU OEM string to determine the CPU vendor
First set eax = 0, then execute cpuid.
An Intel CPU will return:
EBX: 756E6547h 'Genu'
EDX: 49656E69h 'ineI'
ECX: 6C65746Eh 'ntel'
EBX, EDX, and ECX
ptr [ebp+14h]
77D55EBC push dword ptr [ebp+10h]
77D55EBF push 2
77D55EC1 push ecx
77D55EC2 push esi
77D55EC3 call _ObjectFromDIBResource@24 (77D5298Dh) ; this is what we want it to call
The two important parts above are:
1. The code at 77D55E9D, which copies the address of the bmp file name string into ecx.
2. The code at 77D55EA8. This checks whether the hinst parameter passed to LoadImage is NULL. If it is, we jump to the code at address 77D57C6E because of this line:
77D55EB0 je _LoadBmp@20+21h (77D57C6Eh)
Treating the program as a black box, the analysis of its approximate process is as follows:
00441706 |. 8d55 FC        lea edx,[local.1]
00441709 |. 8b83 C8020000  mov eax,dword ptr ds:[ebx+0x2c8]
0044170f |. E8 901AFEFF    call fireworx.004231a4 ; calculates the length of the serial
00441714 |. 8b45 FC        mov eax,[local.1]
00441717 |.                push eax
00441718 |. 8d55 F4        lea edx,[local.3]
0044171b |. 8b83 C4020000  mov eax,dword ptr
then cancel the breakpoints. Then you can follow the steps and you will reach the OEP.
4. Same as above: set BP VirtualFree. First set the breakpoint, then press Shift+F9 twice, then cancel the breakpoint. Alt+F9 executes to user code; then single-step and you will reach the OEP.
5. (1) After loading the program, you will find that the first line has the address
0040a86d > B8 74de4500 mov eax,qqspirit.0045de74
(2) Set a breakpoint at that next address: BP 0045de74.
(3) Then Shift+F9 to run, and cancel the breakpoint.
(4) We are now at the line after the retn; set
program, but later in this article, after reading it, you will understand that the program is not a problem. For the moment, just be clear that the program is used to output the CPU vendor ID string. The source program entry point is _start. As follows:
cpuid2.s
# cpuid2.s file
.section .data
output:
    .asciz "CPUID is '%s'\n"
.section .bss
    .lcomm buffer, 12
.section .text
.globl _start
_start:
    nop
    movl $,%eax
    cpuid
    movl $buffer, %edi
    movl %ebx, (%edi)
    movl %
Linux Kernel Analysis Course Summary
Name: Wang Zhaoxian
Student No.: 20135114
Note: original work; when reproducing, please specify the source + "Linux kernel analysis" MOOC course http://mooc.study.163.com/course/USTC-1000029000
First, how the computer works
Personal understanding: the computer interacts with the user and executes the user's instructions; these instructions are stored in memory and, through register storage and stack changes, are executed step by step in sequence.
Second, the stored-program computer working model
1. Von Neumann architecture: the stored-program computer
Hardware perspective (motherboard): the IP register in the CPU points to a code segment and runs certain instructions; registers point to a region of memory (the code segment).
Programmer's perspective: abstract the CPU as a for loop that just executes the next instruction, fetching the content of the next instruction from memory. Memory holds instructions and data; the CPU
Introduction
EFS Web Server is software that manages server files through a web interface; sending an overly long GET request can trigger a buffer overflow vulnerability.
Analysis source: https://www.exploit-db.com/exploits/39008/
Experimental environment
WinXP SP3 Chinese version, EFS Web Server 7.2, Immunity Debugger, WinDbg, IDA, Mona
Vulnerability analysis
Because the author overwrites the SEH handler with an address in ImageLoad.dll, which has no ASLR, the exploit is more stable; when run it pops up the calculator.
We w
instruction can perform atomic operations. In the SMP case, locking is used to perform atomic operations.
    "jns 1f\n\t"            \
    "call " #fail_fn "\n\t" \
    "1:\n\t"                \
    : "=a" (dummy)          \   # when the mutex lock cannot be obtained, the value of the atomic variable count is assigned to dummy, and the void (*)(atomic_t *) function puts the caller on the wait queue so that the next thread can obtain the mutex lock in sequence
    : "a" (count)           \   # the parameter variable count
    : "memory", "ecx", "
I have been learning about the Windows kernel recently and am writing this blog post as a memo. The specific process of a Windows system call is described very clearly in chapter 8 of Pan's "Windows Kernel Principles and Implementation"; first read the figure given there. Take CreateFile as an example: after some parameter checking in Ring3's CreateFile, the final call is NtCreateFile in ntdll. There is also ZwCreateFile, but their addresses point to the same area, so they are essentially the same
. You can use other standard sections or add custom sections as needed, but an ELF executable should have at least one .text section. The following is our first assembly program, in AT&T assembly language format:
Example 1. AT&T format
# hello.s
.data                           # data segment declaration
msg: .string "Hello, world!\n"  # string to be output
len = . - msg                   # string length
.text                           # code segment declaration
.global _start                  # specify the entry point
_start:                         # display the string on the screen
    movl
is being analyzed.
3.2. Vulnerability analysis:
I first use IDA to obtain a rough decompiled source. There are many variables ... (dozens of lines omitted) ... (dozens of lines omitted again). The key point is to understand several points.
First:
00407D29 |. C785 00D4FFFF> | mov dword ptr [ebp-2C00], 0 ; the initial value of the loop counter
00407D33 |> 8B85 04D4FFFF |/ mov eax, dword ptr [ebp-2BFC]
00407D39 |. C1E0 0C       | shl eax, 0C ; left shift
00407D3C |. 0385 00D4FFFF | add eax, dword ptr [ebp-2C00]
0
ZFXMatrix M) const {
    ZFXVector vcResult;
    if (!g_bSSE) {
        vcResult.x = x*M._11 + y*M._21 + z*M._31 + M._41;
        vcResult.y = x*M._12 + y*M._22 + z*M._32 + M._42;
        vcResult.z = x*M._13 + y*M._23 + z*M._33 + M._43;
        vcResult.w = x*M._14 + y*M._24 + z*M._34 + M._44;
        vcResult.x = vcResult.x / vcResult.w;
        vcResult.y = vcResult.y / vcResult.w;
        vcResult.z = vcResult.z / vcResult.w;
        vcResult.w = 1.0f;
    } else {
        float *ptrRet = (float *)vcResult;
        _asm {
            mov ecx,
While writing the WebSeizer software (which has been downloaded from the Sky software station), Pos could not meet the requirements. On the one hand, when processing strings in a web page, it must be case insensitive, that is, the meaning of
function RightPos(const SubStr, S: string): Integer;
var
  iPos: Integer;
  TmpStr: string;
begin
  TmpStr := S;
  iPos := Pos(SubStr, TmpStr);   // find the location where SubStr appears for the first time
  Result := 0;
  while iPos <> 0 do
  begin
    Delete(TmpStr, 1, iPos + Length(SubStr) -
1) Classic comparison, usually at the registration code check (by programhunter)
1.
mov eax, [...]   ; can be an address or another register
mov edx, [...]   ; the preceding two addresses usually store important information
call 00??????
test eax, eax
jz (jnz)
2.
mov eax, [...]   ; can be an address or another register
mov edx, [...]   ; the preceding two addresses usually store important information
call 00??????
jne (je)
3.
mov eax, [...]
mov
can see, as n gets bigger, the gap between the two becomes more and more obvious (not tested on many computers, only through my own tests; strangely, there is not much difference on Ubuntu, a problem discussed later). Then I compiled both and looked at their assembly code, and found something mysterious that I do not understand.
The following are the assembly listings for the if-else and the ternary operator respectively.
37:   if (a>b)
00401079 mov ecx,dword ptr [ebp-10h]
0040107C cmp ecx,dword ptr [ebp-14h]
0040107F