关于OD找CALL问题

xtcel963 · 发表于 2012-5-10 18:02:00

本帖最后由 xtcel963 于 2012-5-10 18:06 编辑

008A28FA    90          NOP
008A28FB    90          NOP
008A28FC    90          NOP
008A28FD    90          NOP
008A28FE    90          NOP
008A28FF    90          NOP
008A2900 .  81EC 94000000 SUB ESP,94
008A2906 .  53          PUSH EBX
008A2907 .  55          PUSH EBP
008A2908 .  56          PUSH ESI
008A2909 .  57          PUSH EDI
008A290A .  8BF1       MOV ESI,ECX
008A290C .  E8 4F27FDFF CALL elementc.00875060
008A2911 .  8B9C24 A80000>MOV EBX,DWORD PTR SS:[ESP+A8]
008A2918 .  C74424 14 000>MOV DWORD PTR SS:[ESP+14],0
008A2920 .  895C24 10    MOV DWORD PTR SS:[ESP+10],EBX
008A2924 .  8BE8       MOV EBP,EAX
008A2926 .  DF6C24 10    FILD QWORD PTR SS:[ESP+10]
008A292A .  8B46 10    MOV EAX,DWORD PTR DS:[ESI+10]
008A292D .  896C24 1C    MOV DWORD PTR SS:[ESP+1C],EBP
008A2931 .  D80D 14AFB100 FMUL DWORD PTR DS:[B1AF14]
008A2937 .  8B88 EC010000 MOV ECX,DWORD PTR DS:[EAX+1EC]
008A293D .  8B86 94010000 MOV EAX,DWORD PTR DS:[ESI+194]
008A2943 .  85C0       TEST EAX,EAX
008A2945 .  894C24 24    MOV DWORD PTR SS:[ESP+24],ECX
008A2949 .  894424 10    MOV DWORD PTR SS:[ESP+10],EAX
008A294D .  D95C24 20    FSTP DWORD PTR SS:[ESP+20]
008A2951 .  74 4D       JE SHORT elementc.008A29A0
008A2953 .  8DAE 90010000 LEA EBP,DWORD PTR DS:[ESI+190]
008A2959 >  8D5424 10    LEA EDX,DWORD PTR SS:[ESP+10]
008A295D .  8BCD       MOV ECX,EBP
008A295F .  52          PUSH EDX
008A2960 .  8BD8       MOV EBX,EAX
008A2962 .  E8 69AEB9FF CALL elementc.0043D7D0
008A2967 .  8B38       MOV EDI,DWORD PTR DS:[EAX]
008A2969 .  D94424 20    FLD DWORD PTR SS:[ESP+20]
008A296D .  D807       FADD DWORD PTR DS:[EDI]
008A296F .  D85F 04    FCOMP DWORD PTR DS:[EDI+4]
008A2972 .  DFE0       FSTSW AX
008A2974 .  F6C4 01    TEST AH,1
008A2977 .  75 1C       JNZ SHORT elementc.008A2995
008A2979 .  53          PUSH EBX
008A297A .  8BCD       MOV ECX,EBP
008A297C .  E8 BFADB9FF CALL elementc.0043D740
008A2981 .  57          PUSH EDI
008A2982 .  8D8E B0010000 LEA ECX,DWORD PTR DS:[ESI+1B0]
008A2988 .  E8 13ADB9FF CALL elementc.0043D6A0
008A298D .  8B4424 10    MOV EAX,DWORD PTR SS:[ESP+10]
008A2991 .  85C0       TEST EAX,EAX
008A2993 .^ 75 C4       JNZ SHORT elementc.008A2959
008A2995 >  8B9C24 A80000>MOV EBX,DWORD PTR SS:[ESP+A8]
008A299C .  8B6C24 1C    MOV EBP,DWORD PTR SS:[ESP+1C]
008A29A0 >  53          PUSH EBX
008A29A1 .  8BCE       MOV ECX,ESI
008A29A3 .  E8 F823FDFF CALL elementc.00874DA0
008A29A8 .  84C0       TEST AL,AL
008A29AA .  75 0D       JNZ SHORT elementc.008A29B9
008A29AC .  5F          POP EDI
008A29AD .  5E          POP ESI
008A29AE .  5D          POP EBP
008A29AF .  5B          POP EBX
008A29B0 .  81C4 94000000 ADD ESP,94
008A29B6 .  C2 0400    RETN 4
008A29B9 >  8D4424 38    LEA EAX,DWORD PTR SS:[ESP+38]
008A29BD .  8D4E 20    LEA ECX,DWORD PTR DS:[ESI+20]
008A29C0 .  50          PUSH EAX
008A29C1 .  E8 9A170000 CALL elementc.008A4160
008A29C6 .  84C0       TEST AL,AL
008A29C8 .  74 6C       JE SHORT elementc.008A2A36
008A29CA .  8B8E C4000000 MOV ECX,DWORD PTR DS:[ESI+C4]
008A29D0 .  85C9       TEST ECX,ECX
008A29D2 .  74 62       JE SHORT elementc.008A2A36
008A29D4 .  8D5424 70    LEA EDX,DWORD PTR SS:[ESP+70]
008A29D8 .  52          PUSH EDX
008A29D9 .  E8 52A2FEFF CALL elementc.0088CC30
008A29DE .  84C0       TEST AL,AL
008A29E0 .  74 54       JE SHORT elementc.008A2A36
008A29E2 .  8A86 57010000 MOV AL,BYTE PTR DS:[ESI+157]
008A29E8 .  84C0       TEST AL,AL
008A29EA .  74 10       JE SHORT elementc.008A29FC
008A29EC .  8D4424 70    LEA EAX,DWORD PTR SS:[ESP+70]
008A29F0 .  8D4C24 38    LEA ECX,DWORD PTR SS:[ESP+38]
008A29F4 .  50          PUSH EAX
008A29F5 .  E8 269BFEFF CALL elementc.0088C520
008A29FA .  EB 3A       JMP SHORT elementc.008A2A36
008A29FC >  8D4C24 70    LEA ECX,DWORD PTR SS:[ESP+70]
008A2A00 .  51          PUSH ECX
008A2A01 .  8D4C24 3C    LEA ECX,DWORD PTR SS:[ESP+3C]
008A2A05 .  E8 6673B6FF CALL elementc.00409D70
008A2A0A .  8B9424 840000>MOV EDX,DWORD PTR SS:[ESP+84]
008A2A11 .  8B8424 880000>MOV EAX,DWORD PTR SS:[ESP+88]
008A2A18 .  8B8C24 8C0000>MOV ECX,DWORD PTR SS:[ESP+8C]
008A2A1F .  895424 4C    MOV DWORD PTR SS:[ESP+4C],EDX
008A2A23 .  8B9424 900000>MOV EDX,DWORD PTR SS:[ESP+90]
008A2A2A .  894424 50    MOV DWORD PTR SS:[ESP+50],EAX
008A2A2E .  894C24 54    MOV DWORD PTR SS:[ESP+54],ECX
008A2A32 .  895424 58    MOV DWORD PTR SS:[ESP+58],EDX
008A2A36 >  8B4424 44    MOV EAX,DWORD PTR SS:[ESP+44]
008A2A3A .  8B8E 68010000 MOV ECX,DWORD PTR DS:[ESI+168]
008A2A40 .  C1E8 18    SHR EAX,18
008A2A43 .  894424 1C    MOV DWORD PTR SS:[ESP+1C],EAX
008A2A47 .  8DBE E0010000 LEA EDI,DWORD PTR DS:[ESI+1E0]
008A2A4D .  DB4424 1C    FILD DWORD PTR SS:[ESP+1C]
008A2A51 .  D80D 9CE1B300 FMUL DWORD PTR DS:[B3E19C]
008A2A57 .  D999 8C000000 FSTP DWORD PTR DS:[ECX+8C]
008A2A5D .  8B4424 48    MOV EAX,DWORD PTR SS:[ESP+48]
008A2A61 .  8BCF       MOV ECX,EDI
008A2A63 .  50          PUSH EAX
008A2A64 .  50          PUSH EAX
008A2A65 .  50          PUSH EAX
008A2A66 .  E8 35EA0D00 CALL elementc.009814A0
008A2A6B .  8B8E 68010000 MOV ECX,DWORD PTR DS:[ESI+168]
008A2A71 .  8A81 85000000 MOV AL,BYTE PTR DS:[ECX+85]
008A2A77 .  84C0       TEST AL,AL
008A2A79 .  74 47       JE SHORT elementc.008A2AC2
008A2A7B .  D94424 48    FLD DWORD PTR SS:[ESP+48]
008A2A7F .  D84C24 24    FMUL DWORD PTR SS:[ESP+24]
008A2A83 .  8B11       MOV EDX,DWORD PTR DS:[ECX]
008A2A85 .  51          PUSH ECX
008A2A86 .  D91C24       FSTP DWORD PTR SS:[ESP]
008A2A89 .  FF52 24    CALL DWORD PTR DS:[EDX+24]
008A2A8C .  8A86 68020000 MOV AL,BYTE PTR DS:[ESI+268]
008A2A92 .  8B7C24 20    MOV EDI,DWORD PTR SS:[ESP+20]
008A2A96 .  84C0       TEST AL,AL
008A2A98 .  74 08       JE SHORT elementc.008A2AA2
008A2A9A .  57          PUSH EDI
008A2A9B .  8BCE       MOV ECX,ESI
008A2A9D .  E8 2EB5FFFF CALL elementc.0089DFD0
008A2AA2 >  53          PUSH EBX
008A2AA3 .  57          PUSH EDI
008A2AA4 .  8BCE       MOV ECX,ESI
008A2AA6 .  E8 55BDFFFF CALL elementc.0089E800
008A2AAB .  53          PUSH EBX
008A2AAC .  8BCE       MOV ECX,ESI
008A2AAE .  E8 1D020000 CALL elementc.008A2CD0
008A2AB3 .  5F          POP EDI
008A2AB4 .  5E          POP ESI
008A2AB5 .  5D          POP EBP
008A2AB6 .  B0 01       MOV AL,1
008A2AB8 .  5B          POP EBX
008A2AB9 .  81C4 94000000 ADD ESP,94
008A2ABF .  C2 0400    RETN 4
008A2AC2 >  8A86 20020000 MOV AL,BYTE PTR DS:[ESI+220]
008A2AC8 .  84C0       TEST AL,AL
008A2ACA .  8D4424 38    LEA EAX,DWORD PTR SS:[ESP+38]
008A2ACE .  50          PUSH EAX
008A2ACF .  74 27       JE SHORT elementc.008A2AF8
008A2AD1 .  8D8C24 9C0000>LEA ECX,DWORD PTR SS:[ESP+9C]
008A2AD8 .  55          PUSH EBP
008A2AD9 .  51          PUSH ECX
008A2ADA .  E8 61DE0D00 CALL elementc.00980940
008A2ADF .  8B10       MOV EDX,DWORD PTR DS:[EAX]
008A2AE1 .  83C4 0C    ADD ESP,0C
008A2AE4 .  895424 10    MOV DWORD PTR SS:[ESP+10],EDX
008A2AE8 .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4]
008A2AEB .  894C24 14    MOV DWORD PTR SS:[ESP+14],ECX
008A2AEF .  8B50 08    MOV EDX,DWORD PTR DS:[EAX+8]
008A2AF2 .  895424 18    MOV DWORD PTR SS:[ESP+18],EDX
008A2AF6 .  EB 31       JMP SHORT elementc.008A2B29
008A2AF8 >  8D8C24 9C0000>LEA ECX,DWORD PTR SS:[ESP+9C]
008A2AFF .  57          PUSH EDI
008A2B00 .  51          PUSH ECX
008A2B01 .  E8 3ADE0D00 CALL elementc.00980940
008A2B06 .  50          PUSH EAX
008A2B07 .  8D5424 70    LEA EDX,DWORD PTR SS:[ESP+70]
008A2B0B .  55          PUSH EBP
008A2B0C .  52          PUSH EDX
008A2B0D .  E8 2EDE0D00 CALL elementc.00980940
008A2B12 .  8B08       MOV ECX,DWORD PTR DS:[EAX]
各位大大们，小弟今天用OD找走路CALL，遇到了图1中的问题，注释1那里是我之前用CE找到的内存地址，用DD命令，到的这里。我要找ECX的值，但上面就2个MOV ECX语句，我不知道该走那一步，望指点
还有我这个OD分析出来的代码头，为什么是SUB这个？我一下断，游戏也暂停咯！里面也控制不了了

xtcel963 · 发表于 2012-5-10 18:07:35

008A2B14 .  83C4 18    ADD ESP,18
008A2B17 .  894C24 10    MOV DWORD PTR SS:[ESP+10],ECX
008A2B1B .  8B50 04    MOV EDX,DWORD PTR DS:[EAX+4]
008A2B1E .  895424 14    MOV DWORD PTR SS:[ESP+14],EDX
008A2B22 .  8B40 08    MOV EAX,DWORD PTR DS:[EAX+8]
008A2B25 .  894424 18    MOV DWORD PTR SS:[ESP+18],EAX
008A2B29 >  8BCE       MOV ECX,ESI
008A2B2B .  E8 8025FDFF CALL elementc.008750B0
008A2B30 .  D94424 58    FLD DWORD PTR SS:[ESP+58]
008A2B34 .  D848 0C    FMUL DWORD PTR DS:[EAX+C]
008A2B37 .  D94424 4C    FLD DWORD PTR SS:[ESP+4C]
008A2B3B .  D808       FMUL DWORD PTR DS:[EAX]
008A2B3D .  DEE9       FSUBP ST(1),ST(0)
008A2B3F .  D94424 50    FLD DWORD PTR SS:[ESP+50]
008A2B43 .  D848 04    FMUL DWORD PTR DS:[EAX+4]
008A2B46 .  DEE9       FSUBP ST(1),ST(0)
008A2B48 .  D94424 54    FLD DWORD PTR SS:[ESP+54]
008A2B4C .  D848 08    FMUL DWORD PTR DS:[EAX+8]
008A2B4F .  DEE9       FSUBP ST(1),ST(0)
008A2B51 .  D95C24 6C    FSTP DWORD PTR SS:[ESP+6C]
008A2B55 .  D94424 58    FLD DWORD PTR SS:[ESP+58]
008A2B59 .  D808       FMUL DWORD PTR DS:[EAX]
008A2B5B .  D94424 54    FLD DWORD PTR SS:[ESP+54]
008A2B5F .  D848 04    FMUL DWORD PTR DS:[EAX+4]
008A2B62 .  DEC1       FADDP ST(1),ST(0)
008A2B64 .  D94424 4C    FLD DWORD PTR SS:[ESP+4C]
008A2B68 .  D848 0C    FMUL DWORD PTR DS:[EAX+C]
008A2B6B .  DEC1       FADDP ST(1),ST(0)
008A2B6D .  D94424 50    FLD DWORD PTR SS:[ESP+50]
008A2B71 .  D848 08    FMUL DWORD PTR DS:[EAX+8]

008A2B74 .  DEE9       FSUBP ST(1),ST(0)
008A2B76 .  D95C24 60    FSTP DWORD PTR SS:[ESP+60]
008A2B7A .  D94424 4C    FLD DWORD PTR SS:[ESP+4C]
008A2B7E .  D848 08    FMUL DWORD PTR DS:[EAX+8]
008A2B81 .  D94424 50    FLD DWORD PTR SS:[ESP+50]
008A2B85 .  D848 0C    FMUL DWORD PTR DS:[EAX+C]
008A2B88 .  8B4C24 60    MOV ECX,DWORD PTR SS:[ESP+60]
008A2B8C .  DEC1       FADDP ST(1),ST(0)
008A2B8E .  D94424 58    FLD DWORD PTR SS:[ESP+58]
008A2B92 .  D848 04    FMUL DWORD PTR DS:[EAX+4]
008A2B95 .  DEC1       FADDP ST(1),ST(0)
008A2B97 .  D94424 54    FLD DWORD PTR SS:[ESP+54]
008A2B9B .  D808       FMUL DWORD PTR DS:[EAX]
008A2B9D .  DEE9       FSUBP ST(1),ST(0)
008A2B9F .  D95C24 64    FSTP DWORD PTR SS:[ESP+64]
008A2BA3 .  D94424 50    FLD DWORD PTR SS:[ESP+50]
008A2BA7 .  D808       FMUL DWORD PTR DS:[EAX]
008A2BA9 .  D94424 58    FLD DWORD PTR SS:[ESP+58]
008A2BAD .  D848 08    FMUL DWORD PTR DS:[EAX+8]
008A2BB0 .  8B5424 64    MOV EDX,DWORD PTR SS:[ESP+64]
008A2BB4 .  DEC1       FADDP ST(1),ST(0)
008A2BB6 .  D94424 54    FLD DWORD PTR SS:[ESP+54]
008A2BBA .  D848 0C    FMUL DWORD PTR DS:[EAX+C]
008A2BBD .  DEC1       FADDP ST(1),ST(0)
008A2BBF .  D94424 4C    FLD DWORD PTR SS:[ESP+4C]
008A2BC3 .  D848 04    FMUL DWORD PTR DS:[EAX+4]
008A2BC6 .  894C24 28    MOV DWORD PTR SS:[ESP+28],ECX
008A2BCA .  8B4C24 6C    MOV ECX,DWORD PTR SS:[ESP+6C]
008A2BCE .  894C24 34    MOV DWORD PTR SS:[ESP+34],ECX
008A2BD2 .  8B8E 68010000 MOV ECX,DWORD PTR DS:[ESI+168]
008A2BD8 .  DEE9       FSUBP ST(1),ST(0)
008A2BDA .  895424 2C    MOV DWORD PTR SS:[ESP+2C],EDX
008A2BDE .  8B5424 10    MOV EDX,DWORD PTR SS:[ESP+10]
008A2BE2 .  D95C24 68    FSTP DWORD PTR SS:[ESP+68]
008A2BE6 .  8B4424 68    MOV EAX,DWORD PTR SS:[ESP+68]
008A2BEA .  894424 30    MOV DWORD PTR SS:[ESP+30],EAX
008A2BEE .  8951 68    MOV DWORD PTR DS:[ECX+68],EDX          ;  1

雨夜 · 发表于 2012-5-11 18:35:26

008A2BEE . 8951 68 MOV DWORD PTR DS:[ECX+68],EDX ; 1
向上找EDX的来源，遇到这样的
MOV EDX,DWORD PTR SS:[ESP+10] 需要返回到上一层中。

函数参数入栈开始处：
参数1：esp+4;参数2：esp+8;参数3:esp+c;参数4：esp+10
执行push ecx后：参数1：esp+8;参数2：esp+c;参数3：esp+10;参数4：esp+14
执行push ebx后：参数1：esp+c;参数2：esp+10;参数3：esp+14;参数4:esp+18
执行push esi后：参数1：esp+10;参数2：esp+14;参数3：esp+18;参数4:esp+1c

		自动登录	找回密码
密码			注册账号