liaison edi

What is the code after this code Disassembly? # Include Long test (int a, int B){A = a + 3;B = B + 5;Return a + B;} Int main (int argc, char * argv []){Printf ("% d", test (10, 90 ));Return 0;} Let's look at an overview. 16: int main (int argc, char * argv [])17 :{00401070 push ebp00401071 mov ebp, esp00401073 sub esp, 40 h00401076 push ebx00401077 push esi00401078 push edi00401079 lea edi, [ebp-40h]00401_c mov ecx, 10 h00401081 mov eax, 0 CCCCCCCCh0

variables, such as esp=esp-0x00e4 in the Foo function, (depending on the candle fall's test on other compiled environments, you may also use the Push command to assign an address, There is no difference in nature, it is hereby stated):Figure 5Oddly, in debug mode, the compiler allocates more space for local variables than is actually needed, and the address between local variables is not contiguous (as I observe, always 8 bytes apart) as shown:Figure 6I don't know why the compiler designed this

Program Description: Output multi-line content, the content is as follows:*************************1#include 2 using namespacestd;3 intMain ()4 {5cout " *"Endl;6cout " ***"Endl;7cout " *****"Endl;8cout "*******"Endl;9cout " *****"Endl;Tencout " ***"Endl; Onecout " *"Endl; A -System"Pause"); - return 0; the}Debug Disassembly CodeintMain () {00ff5e00 push ebp //Enter function after the first thing, save the bottom pointer, used to exit the function to restore the bottom of the stack. 00

The usage of "[]" has been explained in the "FAQ" and is quoted as follows:1, push DWORD ptr [024c1100] stack 024c1100 value double word2, CMP eax,[ebp+14] eax-ebp+14 valid values, do not retain the value, mainly see the flag bit3. CMP byte ptr [eax],46 byte type eax-46, see flag bit4. Lea EAX,[EDX-02] give the valid value of edx-02 (an address value) to EAX5, MOV ecx,[edx+08] edx+8 value as the address, this address points to the value to ECXI will add a few more examples of the situation I hav

!=invalid_handle_value to determine if the file is turned on properlyMOV hfile, eax; save file handleInvoke CreateFileMapping, \ Creates file-mapping object for the specified file.hfile, \ Identifies the file from which to create a mapping objectNULL, \; ignoredPage_readwrite, \; access0, \ high-order bits of the maximum size0, \ low-order bits of the maximum sizeNULL; The mapping object is created without a name. if Eax!=null;MOV Hmap,eax The return value are a handle to the File-mapping object

Let's talk about stack. What is it? We have already talked about it. You won't forget it. It's a piece of memory. If you forget, I --! I want to talk about the stack. I want to talk about some compilation knowledge. I want to know more about these dishes, yido doesn't press it down. If you will be woodworking, electrician, steel engineer, and welder, you will not do welders in the summer, for the other three, you may have to consider which one you want to give more money and which one you want t

booted /NODEBUG. This is not supposed to happen as developers should never have hardcoded breakpoints in retail code, but ... If this happens, make sure a debugger gets connected, and the system is booted /DEBUG. This will let us see why this breakpoint is happening. Arguments: Arg1: 80000003, The exception code that was not handled Arg2: 84289848, The address that the exception occurred at Arg3: 8d389614, Exception Record Address Arg4: 8d3891f0, Context Record Address Debugging Details: ------

[Article Title]: Let's talk about the mathematical principle of a CrackMe decryption algorithm.[Author]: kaien[Author mailbox]: kkaien@hotmail.com[Software name]: echapcmd.exe[Shelling method]: No shell[Use tools]: OllyDbg, calculator and VC (for writing Registration) provided by winxp)[Operating platform]: winxp--------------------------------------------------------------------------------[Detailed process]Yesterday, I saw a Cracked article titled "A CrackMe attack on the Therefore, I cannot h

mainly to determine whether to enter the registration code and check whether the entered registration code is legal, it is successful if it is legal, it fails if it is illegal. In this case, let's take a look at the key call. The next breakpoint at the key call is followed by the interruption.00411610 E8 B59F0200 call 00411615 8D4C24 14 lea ecx, dword ptr ss: [esp + 14]00411619 E8 F2DE0000 call unpacked.0041F510;00400001e 8D4C24 10 lea ecx, dword ptr ss: [esp + 10]00411622 C74424 2C 0000> mov d

finally calls. In this case, let's take a look at what is followed by so many 41414141. Pay attention to the stack growth direction from high address to low address. From the perspective of 41414141, 00000000 01b8a000001b99fe8 should be ebx esi and edi. Continue to see ffffffff 0012e3bc. (Why, because this is obviously not the return address. 0012e3bc is within the range of the stack where the function fails, and it cannot be the return address.)

injected in a very much way5. Counter-debug technology anti-virtual machine detection Flower Instruction solution IDC Script network data analysis debugging method6. A certain compilation of knowledge1.mov edi,ediis a two-byte NOP, which is the same as NOP in the program.Then why use MOV edi,edi not two NOP?Because NOP CPU clock cycle is longer than with MOV

First, through the anti-assembly language, let's look at the simplest recursive function and the relationship between the stack.How to get anti-assembly language, in Visual Studio 2008, in the debug environment, you can view the post-disassembly languages in debug/windows/disassembly. Now let's take a look at factorial n! The implementationIts C language implementation code is as follows[CPP]View Plaincopy #include int factorial (int n); int main (void) { int fact; Fact = factor

..Parameter Pass Order1. Right-to-left in the stack: __stdcall,__cdecl,__thiscall,__fastcall2. From left to right into the stack: __pascalMain description __stdcall and __cdecl difference1...__stdcall The called function itself is responsible for stack balancing2...__CDECL Call function is responsible for the stack balance of the functionThe __stdcall function itself is responsible for stack balancing *********************////////////////Int__stdcalla (intv1,intxx) {return5;} Intmain () {intt=a

009616a9 push EDI 009616aa Lea EDI, [ebp-1E8h] 009616b0 mov ECx, 77 H 009616b5 mov eax, 0 cccccccch 009616ba rep STOs dword ptr es: [EDI] 009616bc mov eax, dword ptr [___ security_cookie (96a0a8h)] 009616c1 XOR eax, EBP 009616c3 push eax 009616c4 Lea eax, [ebp-0Ch] 009616c7 mov dword ptr fs: [00000000 H], eax Ivtbl * pvtbl = NULL; 009616cd

", "O" -- indicates the memory unit "R" -- indicates any register "Q" -- indicates the registers eax, EBX, ECx, one of edX's "I" and "H" -- represents the direct operands "E" and "F" -- represents the floating point "G" -- represents any "A", "B ", "C", "D" -- indicate that registers eax, EBX, ECx, and EDX "S" are required ", "D" -- requires the use of register ESI or EDI "I" -- represents a constant (0-31) In addition, if an operand requires the sam

The ustring macro in the Dialog. inc file in MASM32 is faulty. As a result, a problem occurs when a Dialog box containing Chinese characters is displayed using a macro related to the Dialog box. The original code is as follows: ; ------------------------------------------------ ; write unicode string at current location in EDI ; ------------------------------------------------ ustring MACRO quoted_text LOCAL asc_txt .data

most cases, \ n is followed by a \ t, where \ n is for line feed, \ t is to empty a tab width space) to separate them. For example: _ ASM _ ("movl % eax, % EBXSTIPopl % EDISubl % ECx, % EBX "); _ ASM _ ("movl % eax, % EBX; STIPopl % EDI; subl % ECx, % EBX "); _ ASM _ ("movl % eax, % EBX; STI \ n \ t popl % EDISubl % ECx, % EBX "); All are legal statements. If you place the instruction in multiple pair quotation marks, a semicolon (;) or (\ n) must be

commands can only be used in specific registers. For example, the in and out commands are hardware-fixed and can only be used in the eax registers. ECx is used for cyclic counters, and EDI and ESI are used for index commands and string commands. The addressing mode can only be used in specific registers. The i-386 family has six General registers, eax, EBX, ECx, EDX, EDI, ESI. each register starts with t

], 4 );Move (XX, a [0], 4 );End; By the way, explain the Pascal source code of move (Windows XP SP2 DELPHI6 + update2 ): Procedure move (const source; var DEST; count: integer );{$ Ifdef purepascal}VaRS, D: pchar;I: integer;BeginS: = pchar (@ source );D: = pchar (@ DEST );If S = d then exit;If Cardinal (d)> Cardinal (s) Then // essence 1: Be careful, don't overwrite SourceFor I: = count-1 downto 0 doD [I]: = s [I]ElseFor I: = 0 to count-1 doD [I]: = s [I];End; {$ Else}ASM{-> Eax pointer to sourc

called Based on the address of the System Service stored in this SSDT item. For example, the system service corresponding to the address stored in the KeServiceDescriptorTable [105 h] is called, that is, NtQuerySystemInformation under Ring0. Differences between Zw and Nt functions in the kernel Lkd> u ZwQuerySystemInformation Nt! ZwQuerySystemInformation: 84456c38 b805010000 mov eax, 105 h // put 105 h into Register eax 84456c3d 8d542404 lea edx, [esp + 4] 84456c41 9c pushfd 84456c42 6a08 pus