源汇编,目的就是想把[0058818F]这句给跳过去,从[0058818D]直接到[00588194]:
005A62C3 6A 06 push 6
005A62C5 56 push esi
005A62C6 8B49 20 mov ecx, dword ptr [ecx+20]
005A62C9 E8 A21EFEFF call 00588170 //--->下面↓↓
005A62CE 56 push esi
005A62CF E8 1CD41400 call 006F36F0
005A62D4 83C4 04 add esp, 4
005A62D7 5E pop esi
00588170 6A FF push -1 //--->这里开始
00588172 68 A8218300 push 008321A8
00588177 64:A1 00000000 mov eax, dword ptr fs:[0]
0058817D 50 push eax
0058817E 64:8925 0000000>mov dword ptr fs:[0], esp
00588185 83EC 18 sub esp, 18
00588188 53 push ebx
00588189 56 push esi
0058818A 57 push edi
0058818B 6A 07 push 7
0058818D 8BF9 mov edi, ecx
0058818F E8 FC040D00 call 00658690 //重点!就是把这句给跳过去!!!!!!!
00588194 33DB xor ebx, ebx
00588196 33C0 xor eax, eax
00588198 83C4 04 add esp, 4
0058819B 894424 18 mov dword ptr [esp+18], eax
0058819F 895C24 1C mov dword ptr [esp+1C], ebx
005881A3 895C24 20 mov dword ptr [esp+20], ebx
005881A7 C74424 14 2CDC8>mov dword ptr [esp+14], 0084DC2C ; ASCII "0KC"
005881AF C74424 0C 28958>mov dword ptr [esp+C], 00859528
005881B7 C74424 10 22000>mov dword ptr [esp+10], 22
005881BF 8B7424 38 mov esi, dword ptr [esp+38]
005881C3 895C24 2C mov dword ptr [esp+2C], ebx
005881C7 3BF3 cmp esi, ebx
005881C9 76 2D jbe short 005881F8
005881CB 8D46 FF lea eax, dword ptr [esi-1]
005881CE B9 02000000 mov ecx, 2
005881D3 D1E8 shr eax, 1
005881D5 894C24 20 mov dword ptr [esp+20], ecx
005881D9 74 0A je short 005881E5
005881DB 03C9 add ecx, ecx
005881DD D1E8 shr eax, 1
005881DF ^ 75 FA jnz short 005881DB
005881E1 894C24 20 mov dword ptr [esp+20], ecx
005881E5 51 push ecx
005881E6 53 push ebx
005881E7 FF15 4CC48400 call dword ptr [<&MSVCRT.realloc>] ; MSVCRT.realloc
005881ED 83C4 08 add esp, 8
005881F0 894424 18 mov dword ptr [esp+18], eax
005881F4 894424 1C mov dword ptr [esp+1C], eax
005881F8 8B4C24 34 mov ecx, dword ptr [esp+34]
005881FC 56 push esi
005881FD 51 push ecx
005881FE 50 push eax
005881FF FF15 24C48400 call dword ptr [<&MSVCRT.memmove>] ; MSVCRT.memmove
00588205 8B5424 24 mov edx, dword ptr [esp+24]
00588209 83C4 0C add esp, 0C
0058820C 8D4424 0C lea eax, dword ptr [esp+C]
00588210 03D6 add edx, esi
00588212 53 push ebx
00588213 50 push eax
00588214 8BCF mov ecx, edi
00588216 895424 24 mov dword ptr [esp+24], edx
0058821A E8 61DEFFFF call 00586080
0058821F 8B4C24 18 mov ecx, dword ptr [esp+18]
00588223 8AD8 mov bl, al
00588225 51 push ecx
00588226 C74424 18 2CDC8>mov dword ptr [esp+18], 0084DC2C ; ASCII "0KC"
0058822E FF15 44C48400 call dword ptr [<&MSVCRT.free>] ; MSVCRT.free
00588234 8B4C24 28 mov ecx, dword ptr [esp+28]
00588238 83C4 04 add esp, 4
0058823B 8AC3 mov al, bl
0058823D 64:890D 0000000>mov dword ptr fs:[0], ecx
00588244 5F pop edi
00588245 5E pop esi
00588246 5B pop ebx
00588247 83C4 24 add esp, 24
0058824A C2 0800 retn 8
实际代码如下:
begin
// Re-creates the caller sequence seen at 005A62C3..005A62C9 and the prologue of
// 00588170 by hand, then jumps to 00588194 so that the call at 0058818F is skipped.
address2:=Pointer($00588194);
asm
pushad
push 6
push esi                            // NOTE(review): esi is never loaded in this block; the original caller pushes a pointer here
MOV ECX,DWORD PTR DS:[ECX+$20]      // NOTE(review): ECX is never set in this block; the original reads [ecx+20] from the pointer the caller held in ecx
call @@the                          // pushes the address of @@the as the return address that 0058824A `retn 8` will later pop
@@the:                              // NOTE(review): so `retn 8` returns HERE and re-executes the prologue below instead of reaching popad
push $-1
push $008321A8                      // SEH handler address copied from 00588172; the frame at esp is linked into fs:[0] four lines down
mov eax, dword ptr fs:[0]
push eax                            // saved previous fs:[0]; 0058823D restores it from [esp+28] on the way out
mov dword ptr fs:[0], esp
sub esp, $18
push ebx
push esi
push edi
push $7                             // argument of the skipped call; still removed by `add esp, 4` at 00588198 on the jumped-to path
mov edi, ecx                        // edi is read again at 00588214 (`mov ecx, edi`) before the call to 00586080
//call address //[0058818F E8 FC040D00 call 00658690]
// The skipped routine (00658690) enters a critical section and calls a table entry
// selected by its argument when that entry is non-zero; whatever that entry does is
// left undone on this path -- TODO confirm what it initialises.
jmp address2 popad                  // NOTE(review): unconditional jmp; the popad written on the same line is never reached
end;
end;
结果执行的时候出现了如下的错误提示,到这行去看看:
77C172E3 F3:A5 rep movs dword ptr es:[edi], dword p>
1C11A000 也是空的,搞不懂是怎么回事,高人救命啊!!!!
前边这些push最好也一并注释掉,这些是函数的参数,既然不需要调用这个函数,那么把参数压栈的操作也不是必须的。
// NOTE(review): these pushes are not free to drop while still jumping to 00588194:
// ebx/esi/edi are popped back at 00588244..00588246 and the `push $7` argument is
// removed by `add esp, 4` at 00588198, so omitting them leaves esp off by the
// missing bytes when `retn 8` at 0058824A executes.
push ebx
push esi
push edi
push $7
mov edi, ecx                        // edi is read at 00588214 (`mov ecx, edi`) before the call to 00586080
//call address //[0058818F E8 FC040D00 call 00658690]
资料有限,没有验证,仅供参考
77C172A5 CC int3
77C172A6 CC int3
77C172A7 CC int3
77C172A8 CC int3
77C172A9 CC int3
77C172AA CC int3
77C172AB CC int3
77C172AC CC int3
77C172AD CC int3
77C172AE CC int3
77C172AF CC int3
77C172B0 > 55 push ebp
77C172B1 8BEC mov ebp, esp
77C172B3 57 push edi
77C172B4 56 push esi
77C172B5 8B75 0C mov esi, dword ptr [ebp+C]
77C172B8 8B4D 10 mov ecx, dword ptr [ebp+10]
77C172BB 8B7D 08 mov edi, dword ptr [ebp+8]
77C172BE 8BC1 mov eax, ecx
77C172C0 8BD1 mov edx, ecx
77C172C2 03C6 add eax, esi
77C172C4 3BFE cmp edi, esi
77C172C6 76 08 jbe short 77C172D0
77C172C8 3BF8 cmp edi, eax
77C172CA 0F82 78010000 jb 77C17448
77C172D0 F7C7 03000000 test edi, 3
77C172D6 75 14 jnz short 77C172EC
77C172D8 C1E9 02 shr ecx, 2
77C172DB 83E2 03 and edx, 3
77C172DE 83F9 08 cmp ecx, 8
77C172E1 72 29 jb short 77C1730C
77C172E3 F3:A5 rep movs dword ptr es:[edi], dword p>
77C172E5 FF2495 F873C177 jmp dword ptr [edx*4+77C173F8]
77C172EC 8BC7 mov eax, edi
77C172EE BA 03000000 mov edx, 3
77C172F3 83E9 04 sub ecx, 4
77C172F6 72 0C jb short 77C17304
77C172F8 83E0 03 and eax, 3
77C172FB 03C8 add ecx, eax
77C172FD FF2485 1073C177 jmp dword ptr [eax*4+77C17310]
77C17304 FF248D 0874C177 jmp dword ptr [ecx*4+77C17408]
77C1730B 90 nop
77C1730C FF248D 8C73C177 jmp dword ptr [ecx*4+77C1738C]
77C17313 90 nop
77C17314 2073 C1 and byte ptr [ebx-3F], dh
77C17317 77 4C ja short 77C17365
77C17319 ^ 73 C1 jnb short 77C172DC
77C1731B 77 70 ja short 77C1738D
77C1731D ^ 73 C1 jnb short 77C172E0
77C1731F 77 23 ja short 77C17344
77C17321 D18A 0688078A ror dword ptr [edx+8A078806], 1
77C17327 46 inc esi
77C17328 0188 47018A46 add dword ptr [eax+468A0147], ecx
77C1732E 02C1 add al, cl
77C17330 - E9 02884702 jmp 7A08FB37
77C17335 83C6 03 add esi, 3
77C17338 83C7 03 add edi, 3
77C1733B 83F9 08 cmp ecx, 8
77C1733E ^ 72 CC jb short 77C1730C
77C17340 F3:A5 rep movs dword ptr es:[edi], dword p>
77C17342 FF2495 F873C177 jmp dword ptr [edx*4+77C173F8]
77C17349 8D49 00 lea ecx, dword ptr [ecx]
77C1734C 23D1 and edx, ecx
77C1734E 8A06 mov al, byte ptr [esi]
77C17350 8807 mov byte ptr [edi], al
77C17352 8A46 01 mov al, byte ptr [esi+1]
77C17355 C1E9 02 shr ecx, 2
77C17358 8847 01 mov byte ptr [edi+1], al
77C1735B 83C6 02 add esi, 2
77C1735E 83C7 02 add edi, 2
77C17361 83F9 08 cmp ecx, 8
77C17364 ^ 72 A6 jb short 77C1730C
77C17366 F3:A5 rep movs dword ptr es:[edi], dword p>
77C17368 FF2495 F873C177 jmp dword ptr [edx*4+77C173F8]
77C1736F 90 nop
77C17370 23D1 and edx, ecx
77C17372 8A06 mov al, byte ptr [esi]
77C17374 8807 mov byte ptr [edi], al
77C17376 46 inc esi
77C17377 C1E9 02 shr ecx, 2
77C1737A 47 inc edi
77C1737B 83F9 08 cmp ecx, 8
77C1737E ^ 72 8C jb short 77C1730C
77C17380 F3:A5 rep movs dword ptr es:[edi], dword p>
77C17382 FF2495 F873C177 jmp dword ptr [edx*4+77C173F8]
77C17389 8D49 00 lea ecx, dword ptr [ecx]
77C1738C EF out dx, eax
77C1738D ^ 73 C1 jnb short 77C17350
77C1738F ^ 77 DC ja short 77C1736D
77C17391 ^ 73 C1 jnb short 77C17354
77C17393 ^ 77 D4 ja short 77C17369
77C17395 ^ 73 C1 jnb short 77C17358
77C17397 ^ 77 CC ja short 77C17365
77C17399 ^ 73 C1 jnb short 77C1735C
77C1739B ^ 77 C4 ja short 77C17361
77C1739D ^ 73 C1 jnb short 77C17360
77C1739F ^ 77 BC ja short 77C1735D
77C173A1 ^ 73 C1 jnb short 77C17364
77C173A3 ^ 77 B4 ja short 77C17359
77C173A5 ^ 73 C1 jnb short 77C17368
77C173A7 ^ 77 AC ja short 77C17355
77C173A9 ^ 73 C1 jnb short 77C1736C
77C173AB ^ 77 8B ja short 77C17338
77C173AD 44 inc esp
77C173AE 8EE4 mov fs, sp
77C173B0 89448F E4 mov dword ptr [edi+ecx*4-1C], eax
77C173B4 8B448E E8 mov eax, dword ptr [esi+ecx*4-18]
77C173B8 89448F E8 mov dword ptr [edi+ecx*4-18], eax
77C173BC 8B448E EC mov eax, dword ptr [esi+ecx*4-14]
77C173C0 89448F EC mov dword ptr [edi+ecx*4-14], eax
77C173C4 8B448E F0 mov eax, dword ptr [esi+ecx*4-10]
77C173C8 89448F F0 mov dword ptr [edi+ecx*4-10], eax
77C173CC 8B448E F4 mov eax, dword ptr [esi+ecx*4-C]
77C173D0 89448F F4 mov dword ptr [edi+ecx*4-C], eax
77C173D4 8B448E F8 mov eax, dword ptr [esi+ecx*4-8]
77C173D8 89448F F8 mov dword ptr [edi+ecx*4-8], eax
77C173DC 8B448E FC mov eax, dword ptr [esi+ecx*4-4]
77C173E0 89448F FC mov dword ptr [edi+ecx*4-4], eax
77C173E4 8D048D 00000000 lea eax, dword ptr [ecx*4]
77C173EB 03F0 add esi, eax
77C173ED 03F8 add edi, eax
77C173EF FF2495 F873C177 jmp dword ptr [edx*4+77C173F8]
77C173F6 8BFF mov edi, edi
77C173F8 0874C1 77 or byte ptr [ecx+eax*8+77], dh
77C173FC 1074C1 77 adc byte ptr [ecx+eax*8+77], dh
77C17400 1C 74 sbb al, 74
77C17402 C177 30 74 sal dword ptr [edi+30], 74
77C17406 C177 8B 45 sal dword ptr [edi-75], 45
77C1740A 085E 5F or byte ptr [esi+5F], bl
77C1740D C9 leave
77C1740E C3 retn
另外一个错误提示:
@@the:                              // still the return address pushed by `call @@the`; 0058824A `retn 8` comes back here
//push $-1
//push $008321A8
mov eax, dword ptr fs:[0]
//push eax
// NOTE(review): with the three pushes above removed, the next line links fs:[0] to a
// stack slot that holds no handler record, and 0058823D later restores fs:[0] from
// [esp+28], which no longer holds the saved value. A broken SEH chain is one way to
// get a process that exits with no error dialog -- presumably what is being seen.
mov dword ptr fs:[0], esp
sub esp, $18
//push ebx
//push esi
//push edi
//push $7
// NOTE(review): the epilogue at 00588198..0058824A still does `add esp, 4`, three pops
// and `add esp, 24`, so without these pushes esp is unbalanced at `retn 8`.
mov edi, ecx
//call address //[0058818F E8 FC040D00 call 00658690]
jmp address2
如果把push给注释掉,那么程序就没有报错,直接退出了...
77C172E3 F3:A5 rep movs dword ptr es:[edi],dword p>
edi代表了什么?
感觉是movs的过程中出现了越界一类的错误,才引起的AV错误。
005A62C5 56 push esi
005A62C6 8B49 20 mov ecx, dword ptr [ecx+20]
005A62C9 E8 A21EFEFF call 00588170 //--->下面↓↓
005A62CE 56 push esi
005A62CF E8 1CD41400 call 006F36F0
005A62D4 83C4 04 add esp, 4
005A62D7 5E pop esi
如果这样直接call进去就不会出错
// Variant that calls 006F36F0 directly (the second call in the original caller).
// NOTE(review): in the original, 006F36F0 is called at 005A62CF with a single `push esi`
// and cleaned up with `add esp, 4`; the `push 6` and the [ecx+20] load below belong to
// the 00588170 call at 005A62C3..005A62C9, so this argument sequence does not match.
address:=Pointer($006F36F0);
asm
pushad
push 6
push esi                            // NOTE(review): esi is not loaded in this block; see the caller's push esi
MOV ECX,DWORD PTR DS:[ECX+$20]      // NOTE(review): ECX is not set in this block either
call address
但是写成这样,即使原文照抄、不省略那个[call 00658690],也会出错
// Same as the first attempt but with the call to 00658690 kept (00588170's body copied
// verbatim up to 0058818F), then a jump to 00588194.
address2:=Pointer($00588194);
address:=Pointer($00658690);
asm
pushad
push 6
push esi                            // NOTE(review): esi is never loaded in this block; the original caller pushes a pointer here
MOV ECX,DWORD PTR DS:[ECX+$20]      // NOTE(review): ECX is never set in this block; the original reads [ecx+20] from the caller's ecx
call @@the                          // pushes the address of @@the as the return address that 0058824A `retn 8` will later pop
@@the:                              // NOTE(review): so `retn 8` returns HERE and re-executes the prologue below instead of reaching popad
push $-1
push $008321A8                      // SEH handler address copied from 00588172; linked into fs:[0] four lines down
mov eax, dword ptr fs:[0]
push eax                            // saved previous fs:[0]; restored at 0058823D from [esp+28]
mov dword ptr fs:[0], esp
sub esp, $18
push ebx
push esi
push edi
push $7                             // argument of the call below; removed by `add esp, 4` at 00588198
mov edi, ecx                        // edi is read at 00588214 (`mov ecx, edi`) before the call to 00586080
call address //[0058818F E8 FC040D00 call 00658690] <!!!!!!!>
jmp address2 popad                  // NOTE(review): unconditional jmp; the popad on the same line is never reached
end;
end;
005A62C5 56 push esi //这里的esi应该是个字符串,所以我在程序里实际写的是(P:Pointer)mov esi,p;push esi;不过感觉好像是多此一举,直接push p也一样
005A62C6 8B49 20 mov ecx, dword ptr [ecx+20]
005A62C9 E8 A21EFEFF call 00588170
005A62CE 56 push esi
005A62CF E8 1CD41400 call 006F36F0
005A62D4 83C4 04 add esp, 4
005A62D7 5E pop esi
0058818D 8BF9 mov edi, ecx
0058818F E8 FC040D00 call 00658690
00588194 33DB xor ebx, ebx
00588196 33C0 xor eax, eax
00588198 83C4 04 add esp, 4
据我的推测,将这部分汇编代码跳过去,或者改为nop
call @@the
@@the:
就知道你想读取EIP?
PUSH和POP都要注意堆栈对齐的~自己搞去,小事情
call @@the                          // pushes the address of @@the as the return address that 0058824A `retn 8` will pop
@@the:                              // NOTE(review): `retn 8` therefore returns here and re-runs this prologue
push $-1
push $008321A8                      // SEH handler address copied from 00588172
mov eax, dword ptr fs:[0]
push eax                            // saved previous fs:[0]; restored at 0058823D from [esp+28]
mov dword ptr fs:[0], esp
sub esp, $18
push ebx
push esi
push edi
//push $7                           // NOTE(review): `add esp, 4` at 00588198 still runs on the jumped-to path, so dropping this push unbalances esp by 4
//mov edi, ecx                      // NOTE(review): edi is read at 00588214 (`mov ecx, edi`); with this line removed it holds whatever pushad preserved
//call address
jmp address2
改完之后程序也是直接退出了。eip?我好像没处理它-.-
不用看了~是你的堆栈问题,自己排查,俺懒得看
00658690 55 push ebp
00658691 8BEC mov ebp, esp
00658693 68 B8039100 push 009103B8
00658698 FF15 6CC28400 call dword ptr [<&KERNEL32.EnterCriti>; ntdll.RtlEnterCriticalSection
0065869E 8B45 08 mov eax, dword ptr [ebp+8]
006586A1 C1E0 05 shl eax, 5
006586A4 05 D0039100 add eax, 009103D0
006586A9 8338 00 cmp dword ptr [eax], 0
006586AC 74 08 je short 006586B6
006586AE 8945 08 mov dword ptr [ebp+8], eax
006586B1 8B45 08 mov eax, dword ptr [ebp+8]
006586B4 FF10 call dword ptr [eax]
006586B6 68 B8039100 push 009103B8
006586BB FF15 78C28400 call dword ptr [<&KERNEL32.LeaveCriti>; ntdll.RtlLeaveCriticalSection
006586C1 5D pop ebp
006586C2 C3 retn