21,459
社区成员
发帖
与我相关
我的任务
分享很短的几行汇编,是一个dll里面一个函数的,谁帮我分析下这个函数的输入参数跟返回类型。
100C55F0 >/$ 53 PUSH EBX
100C55F1 |. 8B5C24 08 MOV EBX,DWORD PTR SS:[ESP+8]
100C55F5 |. 85DB TEST EBX,EBX
100C55F7 75 05 JNZ SHORT iTunesMo.100C55FE
100C55F9 |. 8D43 03 LEA EAX,DWORD PTR DS:[EBX+3]
100C55FC |. 5B POP EBX
100C55FD |. C3 RETN
100C55FE |> 57 PUSH EDI
100C55FF |. 8B7C24 10 MOV EDI,DWORD PTR SS:[ESP+10]
100C5603 |. 85FF TEST EDI,EDI
100C5605 |. 75 06 JNZ SHORT iTunesMo.100C560D
100C5607 |. 8D47 03 LEA EAX,DWORD PTR DS:[EDI+3]
100C560A |. 5F POP EDI
100C560B |. 5B POP EBX
100C560C |. C3 RETN
100C560D |> A1 D82A1210 MOV EAX,DWORD PTR DS:[10122AD8]
100C5612 |. 85C0 TEST EAX,EAX
100C5614 |. 75 08 JNZ SHORT iTunesMo.100C561E
100C5616 |. 5F POP EDI
100C5617 |. B8 02000000 MOV EAX,2
100C561C |. 5B POP EBX
100C561D |. C3 RETN
100C561E |> 56 PUSH ESI
100C561F |. 8B35 30320D10 MOV ESI,DWORD PTR DS:[<&CoreFoundation.__CFStri>; CoreFoun.__CFStringMakeConstantString
100C5625 |. 50 PUSH EAX
100C5626 |. 68 C02F1010 PUSH iTunesMo.10102FC0 ; ASCII "AMSSyncToolPathKey"
100C562B |. FFD6 CALL ESI ; <&CoreFoundation.__CFStringMakeConstantString>
100C562D |. 83C4 04 ADD ESP,4
100C5630 |. 50 PUSH EAX
100C5631 |. 57 PUSH EDI
100C5632 |. 68 AC2F1010 PUSH iTunesMo.10102FAC ; ASCII "AMSDisplayNameKey"
100C5637 |. FFD6 CALL ESI
100C5639 |. 83C4 04 ADD ESP,4
100C563C |. 50 PUSH EAX
100C563D |. 53 PUSH EBX
100C563E |. 68 9C2E1010 PUSH iTunesMo.10102E9C ; ASCII "AMSTargetIdentifierKey"
100C5643 |. FFD6 CALL ESI
100C5645 |. 83C4 04 ADD ESP,4
100C5648 |. 50 PUSH EAX
100C5649 |. 6A 03 PUSH 3
100C564B |. 68 702F1010 PUSH iTunesMo.10102F70 ; ASCII "AMSRegisterClientWithTargetIdentifierAndDisplayNameRequest"
100C5650 |. FFD6 CALL ESI
100C5652 |. 83C4 04 ADD ESP,4
100C5655 |. 50 PUSH EAX
100C5656 |. E8 A5EAFFFF CALL iTunesMo.100C4100
100C565B |. 8BF0 MOV ESI,EAX
100C565D |. A1 E42A1210 MOV EAX,DWORD PTR DS:[10122AE4]
100C5662 |. 56 PUSH ESI
100C5663 |. 50 PUSH EAX
100C5664 |. E8 97480000 CALL iTunesMo.100C9F00
100C5669 |. 56 PUSH ESI
100C566A |. 8B35 34320D10 MOV ESI,DWORD PTR DS:[<&CoreFoundation.CFReleas>; CoreFoun.CFRelease
100C5670 |. 8BF8 MOV EDI,EAX
100C5672 |. FFD6 CALL ESI ; <&CoreFoundation.CFRelease>
100C5674 |. 83C4 2C ADD ESP,2C
100C5677 |. 85FF TEST EDI,EDI
100C5679 |. 75 07 JNZ SHORT iTunesMo.100C5682
100C567B |. 5E POP ESI
100C567C |. 8D47 03 LEA EAX,DWORD PTR DS:[EDI+3]
100C567F |. 5F POP EDI
100C5680 |. 5B POP EBX
100C5681 |. C3 RETN
100C5682 |> 57 PUSH EDI
100C5683 |. FFD6 CALL ESI
100C5685 |. 83C4 04 ADD ESP,4
100C5688 |. 5E POP ESI
100C5689 |. 5F POP EDI
100C568A |. 33C0 XOR EAX,EAX
100C568C |. 5B POP EBX
100C568D \. C3 RETN
是用OllyDBG弄出来的,谁帮我看看。
100C55F1 |. 8B5C24 08 MOV EBX,DWORD PTR SS:[ESP+8]
100C55F5 |. 85DB TEST EBX,EBX
100C55F7 75 05 JNZ SHORT iTunesMo.100C55FE
100C55F9 |. 8D43 03 LEA EAX,DWORD PTR DS:[EBX+3]
100C55FC |. 5B POP EBX
100C55FD |. C3 RETN
100C55FE |> 57 PUSH EDI
100C55FF |. 8B7C24 10 MOV EDI,DWORD PTR SS:[ESP+10]
100C5603 |. 85FF TEST EDI,EDI
100C5605 |. 75 06 JNZ SHORT iTunesMo.100C560D
100C5607 |. 8D47 03 LEA EAX,DWORD PTR DS:[EDI+3]
100C560A |. 5F POP EDI
100C560B |. 5B POP EBX
100C560C |. C3 RETN
100C560D |> A1 D82A1210 MOV EAX,DWORD PTR DS:[10122AD8]
100C5612 |. 85C0 TEST EAX,EAX
100C5614 |. 75 08 JNZ SHORT iTunesMo.100C561E
100C5616 |. 5F POP EDI
100C5617 |. B8 02000000 MOV EAX,2
100C561C |. 5B POP EBX
100C561D |. C3 RETN
100C561E |> 56 PUSH ESI
100C561F |. 8B35 30320D10 MOV ESI,DWORD PTR DS:[<&CoreFoundation.__CFStri>; CoreFoun.__CFStringMakeConstantString
100C5625 |. 50 PUSH EAX
100C5626 |. 68 C02F1010 PUSH iTunesMo.10102FC0 ; ASCII "AMSSyncToolPathKey"
100C562B |. FFD6 CALL ESI ; <&CoreFoundation.__CFStringMakeConstantString>
100C562D |. 83C4 04 ADD ESP,4
100C5630 |. 50 PUSH EAX
100C5631 |. 57 PUSH EDI
100C5632 |. 68 AC2F1010 PUSH iTunesMo.10102FAC ; ASCII "AMSDisplayNameKey"
100C5637 |. FFD6 CALL ESI
100C5639 |. 83C4 04 ADD ESP,4
100C563C |. 50 PUSH EAX
100C563D |. 53 PUSH EBX
100C563E |. 68 9C2E1010 PUSH iTunesMo.10102E9C ; ASCII "AMSTargetIdentifierKey"
100C5643 |. FFD6 CALL ESI
100C5645 |. 83C4 04 ADD ESP,4
100C5648 |. 50 PUSH EAX
100C5649 |. 6A 03 PUSH 3
100C564B |. 68 702F1010 PUSH iTunesMo.10102F70 ; ASCII "AMSRegisterClientWithTargetIdentifierAndDisplayNameRequest"
100C5650 |. FFD6 CALL ESI
100C5652 |. 83C4 04 ADD ESP,4
100C5655 |. 50 PUSH EAX
100C5656 |. E8 A5EAFFFF CALL iTunesMo.100C4100
100C565B |. 8BF0 MOV ESI,EAX
100C565D |. A1 E42A1210 MOV EAX,DWORD PTR DS:[10122AE4]
100C5662 |. 56 PUSH ESI
100C5663 |. 50 PUSH EAX
100C5664 |. E8 97480000 CALL iTunesMo.100C9F00
100C5669 |. 56 PUSH ESI
100C566A |. 8B35 34320D10 MOV ESI,DWORD PTR DS:[<&CoreFoundation.CFReleas>; CoreFoun.CFRelease
100C5670 |. 8BF8 MOV EDI,EAX
100C5672 |. FFD6 CALL ESI ; <&CoreFoundation.CFRelease>
100C5674 |. 83C4 2C ADD ESP,2C
100C5677 |. 85FF TEST EDI,EDI
100C5679 |. 75 07 JNZ SHORT iTunesMo.100C5682
100C567B |. 5E POP ESI
100C567C |. 8D47 03 LEA EAX,DWORD PTR DS:[EDI+3]
100C567F |. 5F POP EDI
100C5680 |. 5B POP EBX
100C5681 |. C3 RETN
100C5682 |> 57 PUSH EDI
100C5683 |. FFD6 CALL ESI
100C5685 |. 83C4 04 ADD ESP,4
100C5688 |. 5E POP ESI
100C5689 |. 5F POP EDI
100C568A |. 33C0 XOR EAX,EAX
100C568C |. 5B POP EBX
100C568D \. C3 RETN
是用OllyDBG弄出来的,谁帮我看看。
...全文
请发表友善的回复…
发表回复
everlost 2010-11-03
- 打赏
- 举报
看代码,貌似是2个参数,其中任何一个参数为0,则返回标志值3。
若不为0则看全局变量[10122AD8],如果这个变量为0(假)则返回2。
否则再调用一系列函数。根据调用成功与否,返回0或3。
具体你自己调一下看看。
若不为0则看全局变量[10122AD8],如果这个变量为0(假)则返回2。
否则再调用一系列函数。根据调用成功与否,返回0或3。
具体你自己调一下看看。
everlost 2010-11-03
- 打赏
- 举报
从代码里面看,输入参数还需要你帖出调用该过程的语句。因为这应该不是一个__stdcall(好久不搞忘记怎么拼了)类型的函数,平衡堆栈由调用者来负责。
调用这个函数的语句后面,应该有一个add esp,xxx之类的语句。
调用这个函数的语句后面,应该有一个add esp,xxx之类的语句。
2benjemin 2010-11-03
- 打赏
- 举报
100C55F0 >/$ 53 PUSH EBX 程序开始
100C55F1 |. 8B5C24 08 MOV EBX,DWORD PTR SS:[ESP+8] 载入第一个参数到EBX
100C55F5 |. 85DB TEST EBX,EBX 判断是否0
100C55F7 |. 75 05 JNZ SHORT iTunesMo.100C55FE
100C55F9 |. 8D43 03 LEA EAX,DWORD PTR DS:[EBX+3] 0返回3
100C55FC |. 5B POP EBX
100C55FD |. C3 RETN
100C55FE |> 57 PUSH EDI
100C55FF |. 8B7C24 10 MOV EDI,DWORD PTR SS:[ESP+10] 第二个参数放入EDI
100C5603 |. 85FF TEST EDI,EDI 判断是否0
100C5605 |. 75 06 JNZ SHORT iTunesMo.100C560D
100C5607 |. 8D47 03 LEA EAX,DWORD PTR DS:[EDI+3] 0返回3
100C560A |. 5F POP EDI
100C560B |. 5B POP EBX
100C560C |. C3 RETN
100C560D |> A1 D82A1210 MOV EAX,DWORD PTR DS:[10122AD8] 全局变量地址10122AD8 放入EAX//根据分析这个全局变量应该是个字典
100C5612 |. 85C0 TEST EAX,EAX 判断这个全局变量是否是0
100C5614 |. 75 08 JNZ SHORT iTunesMo.100C561E
100C5616 |. 5F POP EDI
100C5617 |. B8 02000000 MOV EAX,2
100C561C |. 5B POP EBX
100C561D |. C3 RETN 0返回2
100C561E |> 56 PUSH ESI
100C561F |. 8B35 30320D10 MOV ESI,DWORD PTR DS:[<&CoreFoundation.__CFStri>; CoreFoun.__CFStringMakeConstantString
100C5625 |. 50 PUSH EAX
100C5626 |. 68 C02F1010 PUSH iTunesMo.10102FC0 ; ASCII "AMSSyncToolPathKey"
100C562B |. FFD6 CALL ESI ; <&CoreFoundation.__CFStringMakeConstantString> //调用函数 2参数1个为刚才的全局变量,一个是字符串
100C562D |. 83C4 04 ADD ESP,4
100C5630 |. 50 PUSH EAX
100C5631 |. 57 PUSH EDI
100C5632 |. 68 AC2F1010 PUSH iTunesMo.10102FAC ; ASCII "AMSDisplayNameKey"//同上
100C5637 |. FFD6 CALL ESI
100C5639 |. 83C4 04 ADD ESP,4
100C563C |. 50 PUSH EAX
100C563D |. 53 PUSH EBX
100C563E |. 68 9C2E1010 PUSH iTunesMo.10102E9C ; ASCII "AMSTargetIdentifierKey"//同上
100C5643 |. FFD6 CALL ESI
100C5645 |. 83C4 04 ADD ESP,4
100C5648 |. 50 PUSH EAX
100C5649 |. 6A 03 PUSH 3
100C564B |. 68 702F1010 PUSH iTunesMo.10102F70 ; ASCII "AMSRegisterClientWithTargetIdentifierAndDisplayNameRequest"//同上
100C5650 |. FFD6 CALL ESI
100C5652 |. 83C4 04 ADD ESP,4
100C5655 |. 50 PUSH EAX
100C5656 |. E8 A5EAFFFF CALL iTunesMo.100C4100 调用地址100C4100 参数是EAX //看100C4100处的函数好像是创建一个字典然后把值填进去。私有函数
100C565B |. 8BF0 MOV ESI,EAX
100C565D |. A1 E42A1210 MOV EAX,DWORD PTR DS:[10122AE4] 又一个全局变量。。
100C5662 |. 56 PUSH ESI
100C5663 |. 50 PUSH EAX
100C5664 |. E8 97480000 CALL iTunesMo.100C9F00 调用地址100C9F00参数是2全局变量 分析猜测:100C9F00函数应是将displayname同步到手机上 这是个私有函数
100C5669 |. 56 PUSH ESI
100C566A |. 8B35 34320D10 MOV ESI,DWORD PTR DS:[<&CoreFoundation.CFReleas>; CoreFoun.CFRelease
100C5670 |. 8BF8 MOV EDI,EAX
100C5672 |. FFD6 CALL ESI ; <&CoreFoundation.CFRelease> //然后调用一些释放内存之类的函数
100C5674 |. 83C4 2C ADD ESP,2C
100C5677 |. 85FF TEST EDI,EDI
100C5679 |. 75 07 JNZ SHORT iTunesMo.100C5682
100C567B |. 5E POP ESI
100C567C |. 8D47 03 LEA EAX,DWORD PTR DS:[EDI+3]
100C567F |. 5F POP EDI
100C5680 |. 5B POP EBX
100C5681 |. C3 RETN
100C5682 |> 57 PUSH EDI
100C5683 |. FFD6 CALL ESI
100C5685 |. 83C4 04 ADD ESP,4
100C5688 |. 5E POP ESI
100C5689 |. 5F POP EDI
100C568A |. 33C0 XOR EAX,EAX
100C568C |. 5B POP EBX
100C568D \. C3 RETN
100C568E CC INT3
100C568F CC INT3
100C55F1 |. 8B5C24 08 MOV EBX,DWORD PTR SS:[ESP+8] 载入第一个参数到EBX
100C55F5 |. 85DB TEST EBX,EBX 判断是否0
100C55F7 |. 75 05 JNZ SHORT iTunesMo.100C55FE
100C55F9 |. 8D43 03 LEA EAX,DWORD PTR DS:[EBX+3] 0返回3
100C55FC |. 5B POP EBX
100C55FD |. C3 RETN
100C55FE |> 57 PUSH EDI
100C55FF |. 8B7C24 10 MOV EDI,DWORD PTR SS:[ESP+10] 第二个参数放入EDI
100C5603 |. 85FF TEST EDI,EDI 判断是否0
100C5605 |. 75 06 JNZ SHORT iTunesMo.100C560D
100C5607 |. 8D47 03 LEA EAX,DWORD PTR DS:[EDI+3] 0返回3
100C560A |. 5F POP EDI
100C560B |. 5B POP EBX
100C560C |. C3 RETN
100C560D |> A1 D82A1210 MOV EAX,DWORD PTR DS:[10122AD8] 全局变量地址10122AD8 放入EAX//根据分析这个全局变量应该是个字典
100C5612 |. 85C0 TEST EAX,EAX 判断这个全局变量是否是0
100C5614 |. 75 08 JNZ SHORT iTunesMo.100C561E
100C5616 |. 5F POP EDI
100C5617 |. B8 02000000 MOV EAX,2
100C561C |. 5B POP EBX
100C561D |. C3 RETN 0返回2
100C561E |> 56 PUSH ESI
100C561F |. 8B35 30320D10 MOV ESI,DWORD PTR DS:[<&CoreFoundation.__CFStri>; CoreFoun.__CFStringMakeConstantString
100C5625 |. 50 PUSH EAX
100C5626 |. 68 C02F1010 PUSH iTunesMo.10102FC0 ; ASCII "AMSSyncToolPathKey"
100C562B |. FFD6 CALL ESI ; <&CoreFoundation.__CFStringMakeConstantString> //调用函数 2参数1个为刚才的全局变量,一个是字符串
100C562D |. 83C4 04 ADD ESP,4
100C5630 |. 50 PUSH EAX
100C5631 |. 57 PUSH EDI
100C5632 |. 68 AC2F1010 PUSH iTunesMo.10102FAC ; ASCII "AMSDisplayNameKey"//同上
100C5637 |. FFD6 CALL ESI
100C5639 |. 83C4 04 ADD ESP,4
100C563C |. 50 PUSH EAX
100C563D |. 53 PUSH EBX
100C563E |. 68 9C2E1010 PUSH iTunesMo.10102E9C ; ASCII "AMSTargetIdentifierKey"//同上
100C5643 |. FFD6 CALL ESI
100C5645 |. 83C4 04 ADD ESP,4
100C5648 |. 50 PUSH EAX
100C5649 |. 6A 03 PUSH 3
100C564B |. 68 702F1010 PUSH iTunesMo.10102F70 ; ASCII "AMSRegisterClientWithTargetIdentifierAndDisplayNameRequest"//同上
100C5650 |. FFD6 CALL ESI
100C5652 |. 83C4 04 ADD ESP,4
100C5655 |. 50 PUSH EAX
100C5656 |. E8 A5EAFFFF CALL iTunesMo.100C4100 调用地址100C4100 参数是EAX //看100C4100处的函数好像是创建一个字典然后把值填进去。私有函数
100C565B |. 8BF0 MOV ESI,EAX
100C565D |. A1 E42A1210 MOV EAX,DWORD PTR DS:[10122AE4] 又一个全局变量。。
100C5662 |. 56 PUSH ESI
100C5663 |. 50 PUSH EAX
100C5664 |. E8 97480000 CALL iTunesMo.100C9F00 调用地址100C9F00参数是2全局变量 分析猜测:100C9F00函数应是将displayname同步到手机上 这是个私有函数
100C5669 |. 56 PUSH ESI
100C566A |. 8B35 34320D10 MOV ESI,DWORD PTR DS:[<&CoreFoundation.CFReleas>; CoreFoun.CFRelease
100C5670 |. 8BF8 MOV EDI,EAX
100C5672 |. FFD6 CALL ESI ; <&CoreFoundation.CFRelease> //然后调用一些释放内存之类的函数
100C5674 |. 83C4 2C ADD ESP,2C
100C5677 |. 85FF TEST EDI,EDI
100C5679 |. 75 07 JNZ SHORT iTunesMo.100C5682
100C567B |. 5E POP ESI
100C567C |. 8D47 03 LEA EAX,DWORD PTR DS:[EDI+3]
100C567F |. 5F POP EDI
100C5680 |. 5B POP EBX
100C5681 |. C3 RETN
100C5682 |> 57 PUSH EDI
100C5683 |. FFD6 CALL ESI
100C5685 |. 83C4 04 ADD ESP,4
100C5688 |. 5E POP ESI
100C5689 |. 5F POP EDI
100C568A |. 33C0 XOR EAX,EAX
100C568C |. 5B POP EBX
100C568D \. C3 RETN
100C568E CC INT3
100C568F CC INT3
2benjemin 2010-11-03
- 打赏
- 举报
[Quote=引用 2 楼 usbdev 的回复:]
看代码,貌似是2个参数,其中任何一个参数为0,则返回标志值3。
若不为0则看全局变量[10122AD8],如果这个变量为0(假)则返回2。
否则再调用一系列函数。根据调用成功与否,返回0或3。
具体你自己调一下看看。
[/Quote]
根据你的描述我大概写了下函数原型 unsigned int AMSRegisterClientWithTargetIdentifierAndDisplayName(struct afc_connection *conn, char *DisplayName)是不是这样?第一个参数可能是个保存连接信息的结构指针。第二个是个字符指针。
其实这个函数就是iTunes用来改iPhone设备名的函数。我先调试看看能不能通过
看代码,貌似是2个参数,其中任何一个参数为0,则返回标志值3。
若不为0则看全局变量[10122AD8],如果这个变量为0(假)则返回2。
否则再调用一系列函数。根据调用成功与否,返回0或3。
具体你自己调一下看看。
[/Quote]
根据你的描述我大概写了下函数原型 unsigned int AMSRegisterClientWithTargetIdentifierAndDisplayName(struct afc_connection *conn, char *DisplayName)是不是这样?第一个参数可能是个保存连接信息的结构指针。第二个是个字符指针。
其实这个函数就是iTunes用来改iPhone设备名的函数。我先调试看看能不能通过
