|
反汇编了内核中的CmpCopyCompressedName函数。这是一个STDCALL调用约定的函数,按照规范,应该从栈上取参数, 但该函数直接使用了 shr eax,1,变成了用eax传递参数。求大神指点迷津。
PAGE:0061EC90 ; __stdcall CmpCopyCompressedName(x, x, x, x) PAGE:0061EC90 _CmpCopyCompressedName@16 proc near ; CODE XREF: CmpParseCacheAddSymbolicLink(x)+95�p PAGE:0061EC90 ; CmpInitializeKeyNameString(x,x,x)+29�p ... PAGE:0061EC90 PAGE:0061EC90 arg_0 = dword ptr 8 PAGE:0061EC90 arg_4 = dword ptr 0Ch PAGE:0061EC90 PAGE:0061EC90 mov edi, edi PAGE:0061EC92 push ebp PAGE:0061EC93 mov ebp, esp PAGE:0061EC95 shr eax, 1 PAGE:0061EC97 cmp eax, ecx PAGE:0061EC99 jnb short loc_61EC9D PAGE:0061EC9B mov ecx, eax PAGE:0061EC9D loc_61EC9D: ; CODE XREF: CmpCopyCompressedName(x,x,x,x)+9�j PAGE:0061EC9D xor eax, eax PAGE:0061EC9F test ecx, ecx PAGE:0061ECA1 jbe short loc_61ECB9 PAGE:0061ECA3 push esi
|