<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"></SPAN> </P>
/ Q; i9 R; ?. V- T" s<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">有时如果你对<SPAN lang=EN-US>SICE,TRW或者其他调试器显示的信息有所怀疑的话,你可以用seh显示一些信息作为简单的调试手段,当然,单步跟踪的用途远不止于此.首先回忆一下我们以前了解的单步的概念,当EFLAGS的TF位为1的话执行完某条指令后CPU将产生单步异常,与执行软指令int1类似.注意产生单步陷阱后eip已经指向下一条指令.但进入单步异常处理程序后cpu自动清除TF,以便下条指令正常执行.</SPAN></SPAN></P>
@6 V- v/ X0 M" u* u# [9 Z<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>5 s+ W8 U* j- r9 ^5 }
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 30pt; mso-char-indent-count: 3.0; mso-char-indent-size: 10.0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">我们要作的就是在<SPAN lang=EN-US>seh例程中继续置TF位为1,以便下一条指令执行完毕后继续产生单步陷阱实现跟踪功能,直到遇到popfd指令为止,当然你也可以随便检测其他指令或者用记数器来终止单步.</SPAN></SPAN></P>
2 n2 W+ S) O* G& k<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"></SPAN> </P>
* G% a( y7 P: i) A" {% P<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">下面例子中如果没有单步跟踪<SPAN lang=EN-US>eax的最后结果是3,由于有了单步自跟踪,在seh处理例程中我们每中断一次要加1,所以最后的结果是7,呵呵.请看下面的例子.</SPAN></SPAN></P>9 T4 |7 {$ i& S* _4 f
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;-----------------------------------------</SPAN></P># G4 ?# Z8 Z% d# ?' F" x+ c
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;Ex7,演示利用seh单步自跟踪 by Hume,2002</SPAN></P>
! `2 P5 |" G5 |8 c# {, m. K2 N<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;humewen@21cn.com </SPAN></P>
& W$ s( c( Y# d& U<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;hume.longcity.net</SPAN></P>
; z- m v, L9 Y& R, ~- w4 E<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;-----------------------------------------</SPAN></P> J- g8 @1 @$ x5 m; {9 O" g
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">.586</SPAN></P>0 r8 D) \1 u4 p$ w& a3 l N
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">.model flat, stdcall</SPAN></P>: a6 Q- D" z B! N' d7 S! E
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">option casemap :none<SPAN style="mso-spacerun: yes"> </SPAN>; case sensitive</SPAN></P>
4 V( _& }, g U3 }; a( O<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">include hd.h</SPAN></P>: l9 B! p3 @, S; t) w1 ~/ x/ p
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">include mac.h</SPAN></P>
2 f4 E8 s4 k! w6 P5 E0 x3 `<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"></SPAN> </P>
2 p, o+ y8 o' F9 z$ w. ^, X<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">singlestep_xHandler<SPAN style="mso-tab-count: 1"> </SPAN><SPAN style="mso-tab-count: 1"> </SPAN>proto C :DWORD,:DWORD,:DWORD,:DWORD</SPAN></P>* n- H9 S% D) @. l& b! ?+ [- R& t
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;;--------------</SPAN></P>, \/ x/ v N. N( Q
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">.data</SPAN></P>
6 R9 ~. K2 `+ T: \" c<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">count<SPAN style="mso-spacerun: yes"> </SPAN>dd<SPAN style="mso-spacerun: yes"> </SPAN>0</SPAN></P>
" O' ~, y ~" n/ Z<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">Msg0<SPAN style="mso-spacerun: yes"> </SPAN>db<SPAN style="mso-spacerun: yes"> </SPAN>"Eax=="</SPAN></P>1 p& z& l* S! m" V# n6 a
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">DispEAX dd<SPAN style="mso-spacerun: yes"> </SPAN><SPAN style="mso-spacerun: yes"> </SPAN>0,0</SPAN></P>7 ^* t9 E9 W) r5 Q& K0 U9 y3 F8 Q
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;;-----------------------------------------</SPAN></P>
& R( k1 S5 J# x3 c( \/ i6 @<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">.CODE</SPAN></P>
$ J3 X- X! `' m9 H. w/ F) h6 }<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">_Start:</SPAN></P>2 p9 e/ ?% x) D$ ~5 _
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>assume fs:nothing</SPAN></P>& C# X( r2 `4 O6 }5 i3 @/ G
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">push<SPAN style="mso-spacerun: yes"> </SPAN>offset singlestep_xHandler</SPAN></P> o3 f& _, e K
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>push<SPAN style="mso-spacerun: yes"> </SPAN>fs:[0]</SPAN></P>
: L3 e# ?2 u7 _0 J$ v O' {<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>mov<SPAN style="mso-spacerun: yes"> </SPAN>fs:[0],esp</SPAN></P>
# ?6 I0 k: g! h& u4 v4 O<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>;------------------</SPAN></P>% D k5 t- x' z9 t5 b3 _9 T. d; Q
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>xor<SPAN style="mso-spacerun: yes"> </SPAN>eax,eax</SPAN></P>+ u! c6 I) |* _
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>pushfd</SPAN></P>
# o; k4 p3 d' S! M7 k @4 b$ k3 p<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>pushfd</SPAN></P>: x; |9 o( g4 e; m* C
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN><SPAN style="mso-spacerun: yes"> </SPAN>or<SPAN style="mso-spacerun: yes"> </SPAN>dword ptr[esp],100h<SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>) _- O. q/ \& @
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>popfd<SPAN style="mso-spacerun: yes"> </SPAN>;置TF标志进入单步状态</SPAN></P>
I) `2 f% `, @& s8 f, [+ k+ c<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"></SPAN> </P>
1 t3 X! h4 p% i4 L+ K" u$ f6 ^<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>nop<SPAN style="mso-spacerun: yes"> </SPAN>; nop执行完后单步异常引发<SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>4 P. p1 [: `. {( z: Q! F+ c7 W
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>inc<SPAN style="mso-spacerun: yes"> </SPAN>eax<SPAN style="mso-spacerun: yes"> </SPAN>; eip指向,nop后面的指令,就是这里</SPAN></P>; t% w% `" Y7 D
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>inc<SPAN style="mso-spacerun: yes"> </SPAN>eax<SPAN style="mso-spacerun: yes"> </SPAN><SPAN style="mso-spacerun: yes"> </SPAN>; 单步执行</SPAN></P>: b9 l, P% v* i* s! K" ~( [
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>inc<SPAN style="mso-spacerun: yes"> </SPAN>eax<SPAN style="mso-spacerun: yes"> </SPAN>; normal eax==3,but infact eax==7</SPAN></P>8 P. t# _' r" H+ ?. K. O7 u. ~
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"></SPAN> </P>) J. W, N' a- z8 F. t' B% }
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>popfd</SPAN></P>
) K! ^/ w: y' p& U1 q<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>;------------------ </SPAN></P>. r* r1 U% O( b5 ?% c3 [7 m
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>add<SPAN style="mso-spacerun: yes"> </SPAN>eax,30h<SPAN style="mso-spacerun: yes"> </SPAN>;convert to ASCIIZ</SPAN></P>- X* \5 b+ g. v7 ~; c7 i% j5 K' D
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>mov<SPAN style="mso-spacerun: yes"> </SPAN>DispEAX,eax</SPAN></P>
. r* Z1 B q8 m5 G3 \# z<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>invoke<SPAN style="mso-tab-count: 1"> </SPAN>MessageBox,0,addr Msg0,ddd("The Eax equal to..."),0</SPAN></P>! \8 L; [" F: S( ^+ D
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>
* T' ^2 j7 @3 ^$ b/ | O' j+ H3 Z- L) T<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>pop<SPAN style="mso-spacerun: yes"> </SPAN>fs:[0]</SPAN></P>
* s) Q/ ~5 I, P<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>add<SPAN style="mso-spacerun: yes"> </SPAN>esp,4</SPAN></P>; ~6 G4 @& T9 M# C4 a
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>invoke<SPAN style="mso-tab-count: 1"> </SPAN>ExitProcess,0</SPAN></P>
x' ^4 n" \( b X- u7 v9 b9 }" f* Q<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;-----------------------------------------</SPAN></P>
4 ~+ Z# o5 d* I" F% H B, I<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">singlestep_xHandler PROC C pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD</SPAN></P>
% V% Z' U) u8 D<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>pushad<SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>
2 a6 t3 b/ d6 ]2 \1 O( t7 D<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">assume<SPAN style="mso-spacerun: yes"> </SPAN>edi:ptr CONTEXT</SPAN></P>( b9 Y# R. J$ p0 j. Q
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">assume<SPAN style="mso-spacerun: yes"> </SPAN>esi:ptr EXCEPTION_RECORD</SPAN></P>
, U* B/ j0 K* o8 ?<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>
7 t9 T1 d/ q3 ]( U* q- c<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>mov<SPAN style="mso-spacerun: yes"> </SPAN>esi,pExcept</SPAN></P>
2 f$ @' g/ }1 y<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>mov<SPAN style="mso-spacerun: yes"> </SPAN>edi,pContext<SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>, |' {$ p% J5 @
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P># X. Z- ` C0 @8 u, @3 h
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>test<SPAN style="mso-spacerun: yes"> </SPAN>dword ptr[esi+4],1<SPAN style="mso-spacerun: yes"> </SPAN>;Exception flags test common stuff</SPAN></P>
+ k( O. @5 W2 E* r8 ]! {<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>jnz<SPAN style="mso-spacerun: yes"> </SPAN>@f<SPAN style="mso-spacerun: yes"> </SPAN><SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>3 ]1 V* U" d. J& p2 v" i- ]
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>test<SPAN style="mso-spacerun: yes"> </SPAN>dword ptr[esi+4],6</SPAN></P>! N6 O+ v, P# [3 ~
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>jnz<SPAN style="mso-spacerun: yes"> </SPAN>@f</SPAN></P>5 N2 G& U& E; V- L
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>cmp<SPAN style="mso-spacerun: yes"> </SPAN>dword ptr[esi],80000004h<SPAN style="mso-spacerun: yes"> </SPAN>;是否为单步异常标志</SPAN></P>+ e9 }% y- c( [6 h: g6 g, Z! q
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>jnz<SPAN style="mso-spacerun: yes"> </SPAN>@f</SPAN></P>" u2 h: ?+ O6 N3 n/ i: q
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"></SPAN> </P>
& ~; e$ z/ ]! ~4 j; K6 Y4 z<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>inc<SPAN style="mso-spacerun: yes"> </SPAN>[edi].regEax </SPAN></P>
( Z, P7 x+ g0 x( V7 V+ e- e) e<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>mov<SPAN style="mso-spacerun: yes"> </SPAN>ebx,[edi].regEip</SPAN></P>
/ R& _5 e1 H* j. \" b, {<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>cmp<SPAN style="mso-spacerun: yes"> </SPAN>byte ptr[ebx],9Dh<SPAN style="mso-spacerun: yes"> </SPAN>;是否是popfd,因为目的是取消</SPAN></P>
" Z7 l8 B q8 J: u( R% Z6 {<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>jz<SPAN style="mso-spacerun: yes"> </SPAN>@finish_singlestep<SPAN style="mso-spacerun: yes"> </SPAN>;单步状态,所以这时就不应该重置TF</SPAN></P>
, o: D) I3 h6 N" @; T/ p<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>or<SPAN style="mso-spacerun: yes"> </SPAN>[edi].regFlag,100h<SPAN style="mso-spacerun: yes"> </SPAN>;否则,重置TF<SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>
4 n$ h( N0 `3 [- e7 a7 P( C<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>;每单步中断一次,eax加1</SPAN></P>/ a* p5 y+ e$ q) Q: k2 v- R
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>;所以eax最后不等于3,而是</SPAN></P>
# ]( q# W+ [+ i0 ]0 q( u<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>;中断4次后,eax==7<SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>
. }( x4 n K6 a) p<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">@finish_singlestep:<SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>
2 u4 A3 _# j: d' r8 H% V, f# t9 T<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>
# d! O' |7 W0 ~; X+ @3 e5 R<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>mov<SPAN style="mso-spacerun: yes"> </SPAN>dword ptr[esp+7*4],0<SPAN style="mso-spacerun: yes"> </SPAN>;eax==0<SPAN style="mso-spacerun: yes"> </SPAN>hehe...</SPAN></P>$ {: S! R' L9 x% Z2 n
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>popad<SPAN style="mso-spacerun: yes"> </SPAN>;研究一下pushad指令就明白了</SPAN></P>
) \% F5 e' n) v! E<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>ret</SPAN></P>
$ L4 K/ [1 A; s9 C& \4 h+ c<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">@@:</SPAN></P>
9 g9 s/ z( U8 H9 ]4 N8 s" H<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>mov<SPAN style="mso-spacerun: yes"> </SPAN>dword ptr[esp+7*4],1<SPAN style="mso-spacerun: yes"> </SPAN>;eax==1</SPAN></P>
0 ~. w1 ?9 v7 K9 @<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>popad<SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>
6 P0 G1 O6 x$ D<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>ret</SPAN></P>
: Y/ j3 u, w) V k<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"></SPAN> </P>
% A. m! ?$ X' V# a" l O<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">singlestep_xHandler ENDP</SPAN></P>
1 [; Z* ?* b. f# S, q<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;-----------------------------------------</SPAN></P>7 s! `: j% }8 J. q
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">END<SPAN style="mso-tab-count: 1"> </SPAN>_Start</SPAN></P> |
|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港
( 鲁ICP备19052200号-1 )
发表于 2008-9-28 16:36:42
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡