gxs edi

by axis 2007-03-28 http://www.ph4nt0m.org Simplified Chinese Windows Universal Jump Address: (2K/XP/2K3) 0X7FFA45F3 jmp ecx \xff\xe1 0x7ffa4967 jmp EBP \xff\xe5 0X7FFA4A1B jmp ebx \xff\xe3 0x7ffa6773 push Ebx,retn \x53\xc3 (0x7ffa6772 is pop edx) 0x7ffd1769--0x7ffd1779 jmp eax \xff\xe0 0x7ffc01b0 Pop Esi,retn \x5e\xc3 0X7FFA54CF 0x7ffaf780 jmp edx \xff\xe2 7ffa1571 POP EAX 7ffa1572 BF 58c058c2 MOV edi,c258c058 7ffa1577 POP EAX 7ffa1578 C3 RETN KR

in the operation, such as Movl $foo,%eax equivalent to Intel's mov eax, word ptr foo Long jumps and calls are different in format, att for ljmp $section, $offset, while Intel is JMP Section:offset The main difference is these, the other details are many, here is a concrete example to illustrate #cpuid. S Sample Program . Section. Data Output . ASCII "The processor vendor ID is ' xxxxxxxxxxxx '/n ' . section. Text . globl _start _start: MOVL $,%eax Cpuid MOVL $output,%

ptr [ebp-4]14.013b1059 Add Eax,esi15.013b105b Add Eax,edx16.013B105D mov edx,dword ptr [__imp_std::endl (13B204CH)]17.013b1063 Add Ecx,eax//The top 3 Add instructions add Ebx,ecx,edx,edi to ECX, that is, the ECX is the cumulative result Visible compiler generated code is the best code, eliminate the intermediate variable i, reduce the number of cycles, eliminate the CPU can not be disorderly execution of the factors. BTW: One might have a question: i

loadRetDllentry ENDP To convert the value in Edx:eax to a decimal output form string, which is familiar, as in the previous example!OUTEDXEAX proc \; For example: edx=0,eax=01234567h, the converted string is:Uses ebx esi edi,lpstring; -> ' 19088743 ', 0mov edi,lpstring; point to address where results are storedMOV esi,lpstring mov ecx,10; convert to Decimal. While eax!=0 | | Edx!=0Push EAXMOV Eax,edxXOR

1 parameter passing (default calling convention) Use VC6.0 to create a new empty console application, create a new source file Main.c, write the following code, pay attention to debug compile, do not use release, lest the code by VC optimization, disassembly does not correspond. int addint (int a, int b) { int c = a+b; return c; } int main () { int x = AddInt (1, 3); return 0; } In the main function into the braces down, press F5 run, the program is broken, then press the combination of

this limit//run: Run.exe automatically compiles pm16.c and pm32.c and then generates an IMG and calls Bochs to run the program// Hint: Please first compile run.c file with yc09, generate Run.exe Program//After modify PM16.C and pm32.c code, can run Run.exe view effect directly, click Enter again compile run//author: Miao//Time: 2010-2-8 #define Ycbit 32//Tell the compiler to compile the program in 32-bit format #define ycorg 0x0//This value generates an address base offset for variable function

Assembly language: Movsb,movsw,movsdTransferred from: http://blog.csdn.net/zhenyongyuan123/article/details/8364011Currently, the 80386 series of processors provide several sets of instructions for handling byte, Word, and double-word values, although these directives become basic string directives, but their usage is not limited to character arrays.Instructions:MOVSB, MOVSW, Movsd Describe:Moves the string data, copying the data at the memory address addressed by the ESI register to the memory a

Paste the source code first#include Another example#include Another one.#include Disassembly analysis1:void Main () 2: {00401010 push ebp00401011 mov ebp,esp00401013 sub esp,68h00401016 p Ush ebx00401017 push esi00401018 push edi00401019 Lea EDI,[EBP-68H]0040101C mov ECX,1AH00401021 mov eax,0cccccccch00401026 rep stos dword ptr [Edi]3:int narray[5] = {1, 2, 3 , 4, 5};00401028 mov dword ptr [ebp-14h]

1111 //Program Description: Output multi-line content, the content is as follows2 /*3 *4 ***5 *****6 *******7 *****8 ***9 *Ten */ One#include A using namespacestd; - intMain () - { thecout " *"Endl; -cout " ***"Endl; -cout " *****"Endl; -cout "*******"Endl; +cout " *****"Endl; -cout " ***"Endl; +cout " *"Endl; ASystem"Pause"); at return 0; -}Debug version of Disassembly codeintMain () {00f55e70 push ebp //Enter function after first thing, save stack bottom pointer ebp, Exi

by http://tmdnet.nothave.com NtGodModex.exe http://www.xfocus.net/tools/200804/1272.html NtGodMode.exe 9.00 KB (9,216 bytes) UPX shell, directly with ollydbg shelling, the process slightly Ntgodmode~.exe mb (123,392 bytes) view with PE tool, Delphi write 00403220 > PUSH EBP 00403221 8BEC MOV Ebp,esp 00403223 B9 0d000000 MOV ecx,0d 00403228 6A PUSH 0 0040322A 6A PUSH 0 0040322C DEC ECX 0040322D ^ F9 jnz short ntgodmod.00403228 0040322F I PUSH ECX 00403230 PUSH EBX 00403231 PUSH ESI 00403232 PUS

))LSet L = bIp2long = L.valEnd Function It's good and powerful to copy mybytes type variables to MyLong type variables with LSet. Look at the generated assembly code: Copy Code code as follows: 00401A0E Lea eax, DWORD ptr [ebp-0x20]; Address of variable B 00401A11 push EAX 00401a12 Lea eax, DWORD ptr [ebp-0x14]; The address of the variable L 00401A15 push EAX 00401A16 Push 0x4 00401a18 call __vbacopybytes; JMP to Msvbvm60.__vbacopybytes Called is the __v

The usage of "[]" has been described in "FAQ" and is cited as follows: 1, push DWORD ptr [024c1100] pressure stack 024c1100 value of two words2, CMP eax,[ebp+14] eax-ebp+14 valid value, does not retain the value, mainly looks at the sign bit3, CMP byte ptr [eax],46 byte type eax-46, see sign bit4, Lea eax,[edx-02] edx-02 valid value (an address value) to EAX5, MOV ecx,[edx+08] edx+8 value as the address, this address points to the value of ECX I am going to add a few more examples of what I have

strings : 00401089 e80e010000 Call 0040119C : 0040108E 894618 mov dword ptr [esi+18], eax : 00401091 FF7604 push [esi+04]; =71a20000h : 00401094 68D909F5AD push adf509d9; Custom encoding for Wsasocketa strings : 00401099 e8fe000000 Call 0040119C : 0040109E 89461C mov dword ptr [esi+1c], eax : 004010a1 FF7604 push [esi+04]; =71a20000h : 004010a4 68a41a70c7 push c7701aa4; Bind string's Custom encoding : 004010a9 e8ee000000 Call 0040119C : 004010AE 894620 mov dword ptr [esi+20], eax : 004010b1

Push EDI 00401029 Lea Edi,[ebp-4ch] 0040102C mov ecx,13h 00401031 mov eax,0cccccccch 00401036 Rep stos dword ptr [edi] 4:int var1 = param1; 00401038 mov eax,dword ptr [ebp+8] 0040103B mov dword ptr [Ebp-4],eax; Note the order in which the VAR1,VAR2,VAR3 is pressed into the stack! 5:int var2 = param2; 0040103E mov ecx,dword ptr [ebp+0ch] 00401041 mov dw

. Data? hfile HANDLE? Sizereadwrite DWORD? . Code Start: mov eax, offset ring0proc mov [ourgate], Ax; Put the offset words shr eax, 16; into our descriptor mov [ourgate+6], ax Sidt Fword ptr IDTR mov ebx, DWORD ptr [idtr+2]; Load IDT Base Address add ebx, 8*3; Address of int 3 descriptor in EBX mov edi, offset savedgate mov esi, ebx Movsd; Save the old descriptor Movsd; Into Savedgate mov edi, ebx mov

=65eb2270 edi=072fa3c8eip=66201739 esp=072fa3a4 ebp=072fa3b4 iopl=0 nv up ei pl nz na pe nccs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206MSHTML!CImgElement::CImgElement:66201739 8bff mov edi,edi0:009> kvn # ChildEBP RetAddr Args to Child 00 072fa3a0 66201718 0000003d 06a08000 662016f0 MSHTML!CImgElement::CImgElement (FPO: [Non-Fpo])01 072fa

|. 50 push eax004011DA |. 8B4424 3C mov eax, dword ptr [esp + 3C]004011DE |. 6A 02 push 2004011E0 |. 8B48 04 mov ecx, dword ptr [eax + 4]004011E3 |. 8D4C0C 40 lea ecx, dword ptr [esp + ecx + 40]004011E7 |. E8 54020000 call 004011EC> |> B9 0A000000 mov ecx, 0A004011F1 |. 8BF5 mov esi, ebp; The ebp here points to the data we just read from the key file.004011F3 |. 8DBC24 C80000> lea edi, dword ptr [esp + C8]; buffer004011FA |. F3: A5 rep movs dword ptr