I wrote a small program: pressing button1 increments m_value and pressing button2 decrements it. It compiles and runs fine. The key code is as follows:
void CTestDlg::Onplus()
{
// TODO: Add your control notification handler code here
m_value++;
UpdateData(false);
}

void CTestDlg::OnButton2()
{
// TODO: Add your control notification handler code here
m_value--;
UpdateData(false);
}
Then I used OD to find the CALL for the Onplus function, 00401c20. But after using a code injector to inject call 00401c20, the target program crashed. Debugging shows the following:
Loaded 'C:\Windows\System32\ntdll.dll', no matching symbolic information found.
Loaded 'C:\Windows\System32\kernel32.dll', no matching symbolic information found.
Loaded 'C:\Windows\System32\KernelBase.dll', no matching symbolic information found.
Loaded symbols for 'C:\Windows\System32\MFC42D.DLL'
Loaded symbols for 'C:\Windows\System32\MSVCRTD.DLL'
Loaded 'C:\Windows\System32\gdi32.dll', no matching symbolic information found.
Loaded 'C:\Windows\System32\user32.dll', no matching symbolic information found.
Loaded 'C:\Windows\System32\lpk.dll', no matching symbolic information found.
Loaded 'C:\Windows\System32\usp10.dll', no matching symbolic information found.
Loaded 'C:\Windows\System32\msvcrt.dll', no matching symbolic information found.
Loaded symbols for 'C:\Windows\System32\MFCO42D.DLL'
Loaded 'C:\Windows\System32\imm32.dll', no matching symbolic information found.
Loaded 'C:\Windows\System32\msctf.dll', no matching symbolic information found.
Loaded 'C:\Windows\System32\MFC42LOC.DLL', no matching symbolic information found.
Loaded 'C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7600.16661_none_ebfb56996c72aefc\comctl32.dll', no matching symbolic information found.
Loaded 'C:\Windows\System32\advapi32.dll', no matching symbolic information found.
Loaded 'C:\Windows\System32\sechost.dll', no matching symbolic information found.
Loaded 'C:\Windows\System32\rpcrt4.dll', no matching symbolic information found.
Loaded 'C:\Windows\System32\uxtheme.dll', no matching symbolic information found.
Loaded 'C:\Windows\System32\dwmapi.dll', no matching symbolic information found.
Loaded 'C:\Windows\System32\ole32.dll', no matching symbolic information found.
Loaded 'C:\Windows\System32\cryptbase.dll', no matching symbolic information found.
Loaded 'C:\Windows\System32\oleaut32.dll', no matching symbolic information found.
The thread 0xA44 has exited with code 0 (0x0).
The program faults at m_value++. There I found that the this pointer is 0x00000000, and CDialog, m_value and m_hIcon all show CXX0030: Error: expression cannot be evaluated. I am completely baffled; could some expert give me a pointer?
If it is a member function, then the object instance pointer also has to be passed, via the stack or some other way!
You can first use a disassembler to look at how other places in the program call OnPlus, i.e. how the object pointer is passed;
then do the same.
void CTestDlg::OnButton2()
{
_asm{
mov eax,eax // marker instructions so the call site is easy to spot in the disassembly
mov eax,eax
}
CTestDlg::Onplus();
_asm{
mov eax,eax
mov eax,eax
}
}
Then I set a breakpoint in OD and saw that the function is called like this:
00401CA0 >/> \55 push ebp
00401CA1 |. 8BEC mov ebp,esp
00401CA3 |. 83EC 44 sub esp,44
00401CA6 |. 53 push ebx
00401CA7 |. 56 push esi
00401CA8 |. 57 push edi
00401CA9 |. 51 push ecx
00401CAA |. 8D7D BC lea edi,[local.17]
00401CAD |. B9 11000000 mov ecx,11
00401CB2 |. B8 CCCCCCCC mov eax,CCCCCCCC
00401CB7 |. F3:AB rep stos dword ptr es:[edi]
00401CB9 |. 59 pop ecx
00401CBA |. 894D FC mov [local.1],ecx
00401CBD |. 8BC0 mov eax,eax
00401CBF |? 8BC0 mov eax,eax
00401CC1 |? 8B4D FC mov ecx,[local.1] // call OnPlus
00401CC4 |? E8 D2F3FFFF call test.0040109B // call OnPlus
00401CC9 |. 8BC0 mov eax,eax
00401CCB |? 8BC0 mov eax,eax
00401CCD |? 5F pop edi
00401CCE |. 5E pop esi
00401CCF |? 5B pop ebx
00401CD0 |? 83C4 44 add esp,44
00401CD3 |? 3BEC cmp ebp,esp
00401CD5 |? E8 AA020000 call test._chkesp ; jmp to MSVCRTD._chkesp
00401CDA |? 8BE5 mov esp,ebp
00401CDC |. 5D pop ebp
00401CDD |? C3 retn
00401CDE |. CC int3
00401CDF |? CC int3
00401CE0 |? CC int3
00401CE1 |? CC int3
00401CE2 |? CC int3
00401CE3 |. CC int3
00401CE4 |? CC int3
00401CE5 |. CC int3
00401CE6 \. CC int3
Then the injected code is as follows:
mov ecx,[local.1]
call 40109b
The program still crashes, and the this pointer is null. Why is that? Also, what does local.1 stand for?
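An added analysis helper, not written by the poster or any replier, that parses OllyDbg-style listing lines like the ones quoted above, rewrites OllyDbg's `local.N` / `arg.N` names into explicit `ebp` offsets (assuming OllyDbg's convention `local.N` = `[ebp-4*N]`, `arg.N` = `[ebp+4+4*N]`), and records which instruction last loaded ECX before each `call`, i.e. whether the `__thiscall` `this` argument was set up in that frame. The sample listing is constructed from the lines quoted in the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the OllyDbg listing quoted in the thread.
# Columns: address, OllyDbg flag chars, opcode bytes, mnemonic + operands.
LISTING = """\
00401CA0 >/> \\55 push ebp
00401CBA |. 894D FC mov [local.1],ecx
00401CC1 |? 8B4D FC mov ecx,[local.1]
00401CC4 |? E8 D2F3FFFF call test.0040109B
00401CC9 |. 8BC0 mov eax,eax
00401CD5 |? E8 AA020000 call test._chkesp
"""

HEX_TOKEN = re.compile(r"^\\?[0-9A-F]{2,}(?::[0-9A-F]{2,})?$")  # "55", "8B4D", "F3:AB"
LOCAL_RE = re.compile(r"local\.(\d+)")  # assumed OllyDbg convention: local.N is [ebp-4*N]
ARG_RE = re.compile(r"arg\.(\d+)")      # assumed OllyDbg convention: arg.N is [ebp+4+4*N]

def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (address, asm) for one listing line, dropping the flag and byte columns."""
    tokens = line.split()
    if len(tokens) < 3:
        return None
    addr, rest = tokens[0], tokens[2:]           # tokens[1] is the flag column
    while rest and HEX_TOKEN.match(rest[0]):     # opcode bytes are uppercase hex;
        rest.pop(0)                              # mnemonics are lowercase and stop the loop
    return (addr, " ".join(rest)) if rest else None

def resolve_ebp_names(asm: str) -> str:
    """Rewrite OllyDbg's local.N / arg.N into explicit ebp-relative offsets."""
    asm = LOCAL_RE.sub(lambda m: f"ebp-0x{4 * int(m.group(1)):X}", asm)
    return ARG_RE.sub(lambda m: f"ebp+0x{4 + 4 * int(m.group(1)):X}", asm)

def find_calls(listing: str) -> List[Dict[str, Optional[str]]]:
    """For every call, report where ECX (the __thiscall 'this') was last loaded.
    this_src is None when nothing set ECX since the previous call: the callee then
    runs with whatever ECX happened to hold, which is what crashes in the thread."""
    results, ecx_src = [], None
    for line in listing.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        addr, asm = parsed
        asm = resolve_ebp_names(asm)
        if asm.startswith("call "):
            results.append({"addr": addr, "target": asm[5:], "this_src": ecx_src})
            ecx_src = None                       # ECX is caller-saved: treat it as clobbered
        elif re.match(r"(mov|lea)\s+ecx,", asm):
            ecx_src = asm.split(",", 1)[1]
    return results
```

Running `find_calls(LISTING)` shows the OnPlus call at 00401CC4 taking `this` from `[ebp-0x4]`, the slot the prologue filled from ECX; a bare `call` injected elsewhere has no such load in its own frame, which is why `this` arrives as null.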