<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"></SPAN> </P>: h+ D/ M0 X l" a `# r' m5 C9 t
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">有时如果你对<SPAN lang=EN-US>SICE,TRW或者其他调试器显示的信息有所怀疑的话,你可以用seh显示一些信息作为简单的调试手段,当然,单步跟踪的用途远不止于此.首先回忆一下我们以前了解的单步的概念,当EFLAGS的TF位为1的话执行完某条指令后CPU将产生单步异常,与执行软指令int1类似.注意产生单步陷阱后eip已经指向下一条指令.但进入单步异常处理程序后cpu自动清除TF,以便下条指令正常执行.</SPAN></SPAN></P>3 _2 S9 Y+ z" K
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>
; v4 m7 ]/ Q! W+ Z<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 30pt; mso-char-indent-count: 3.0; mso-char-indent-size: 10.0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">我们要作的就是在<SPAN lang=EN-US>seh例程中继续置TF位为1,以便下一条指令执行完毕后继续产生单步陷阱实现跟踪功能,直到遇到popfd指令为止,当然你也可以随便检测其他指令或者用记数器来终止单步.</SPAN></SPAN></P>( c$ ~* }' Y. P5 ^9 q
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"></SPAN> </P>
! R5 k# I9 D6 W: ~<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">下面例子中如果没有单步跟踪<SPAN lang=EN-US>eax的最后结果是3,由于有了单步自跟踪,在seh处理例程中我们每中断一次要加1,所以最后的结果是7,呵呵.请看下面的例子.</SPAN></SPAN></P>
5 z" `" |- I1 J0 Y( i3 u<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;-----------------------------------------</SPAN></P>- U# D2 r3 f' k# d5 ]: B% ~
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;Ex7,演示利用seh单步自跟踪 by Hume,2002</SPAN></P>
2 Z4 s$ S* P& G5 K8 i5 q- C7 _<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;humewen@21cn.com </SPAN></P>
2 T' Q$ Y4 Q& x) e1 D" G* d<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;hume.longcity.net</SPAN></P>, Y1 V7 y4 r/ z; m
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;-----------------------------------------</SPAN></P>
, Y- K8 t5 o/ l) c# H. X<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">.586</SPAN></P>
0 U) ^6 Y3 M- }! j* z+ _$ }<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">.model flat, stdcall</SPAN></P>. Q1 L2 @$ \$ E( h) f( {1 r
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">option casemap :none<SPAN style="mso-spacerun: yes"> </SPAN>; case sensitive</SPAN></P>
l2 t. U# y, b* }' _<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">include hd.h</SPAN></P>
- C9 ]- f2 z! z9 B* Z<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">include mac.h</SPAN></P>; j/ K" p5 f4 ^, A6 K
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"></SPAN> </P>6 X2 U# k2 W% M4 U$ @+ F3 F6 Q9 }
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">singlestep_xHandler<SPAN style="mso-tab-count: 1"> </SPAN><SPAN style="mso-tab-count: 1"> </SPAN>proto C :DWORD,:DWORD,:DWORD,:DWORD</SPAN></P>
, j/ ^3 F) Z* E. t, j7 l8 Z! X<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;;--------------</SPAN></P>
% q: T% ?2 z. ?/ R& U7 w3 i$ t<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">.data</SPAN></P>: \$ i* G% A5 L
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">count<SPAN style="mso-spacerun: yes"> </SPAN>dd<SPAN style="mso-spacerun: yes"> </SPAN>0</SPAN></P>
, p) j2 a x1 w' o2 o) X7 X9 O<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">Msg0<SPAN style="mso-spacerun: yes"> </SPAN>db<SPAN style="mso-spacerun: yes"> </SPAN>"Eax=="</SPAN></P>, K; b. |. E3 n4 H
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">DispEAX dd<SPAN style="mso-spacerun: yes"> </SPAN><SPAN style="mso-spacerun: yes"> </SPAN>0,0</SPAN></P>
+ X( x; q, I) }; U7 ?" N6 c% ^2 C<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;;-----------------------------------------</SPAN></P>% k9 `7 \& W6 N& S. x+ F6 a
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">.CODE</SPAN></P>* O" J. F% r4 M! W
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">_Start:</SPAN></P>- ^% R- K# ~$ p
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>assume fs:nothing</SPAN></P>
1 p+ \. A5 t- k( ?0 F7 b<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">push<SPAN style="mso-spacerun: yes"> </SPAN>offset singlestep_xHandler</SPAN></P>; O9 K m, g1 i
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>push<SPAN style="mso-spacerun: yes"> </SPAN>fs:[0]</SPAN></P>
) ~. E, x, H/ ?! m<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>mov<SPAN style="mso-spacerun: yes"> </SPAN>fs:[0],esp</SPAN></P>7 B/ h, p! z% a3 Y# G1 Q
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>;------------------</SPAN></P>. R a( b0 a8 r, d$ T8 ?# T% f
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>xor<SPAN style="mso-spacerun: yes"> </SPAN>eax,eax</SPAN></P>
2 b# c5 H1 k9 i" c2 ~<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>pushfd</SPAN></P>; P) D2 ]: f( K
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>pushfd</SPAN></P>; v- d. |" A [
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN><SPAN style="mso-spacerun: yes"> </SPAN>or<SPAN style="mso-spacerun: yes"> </SPAN>dword ptr[esp],100h<SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>6 x6 I5 G/ A, ~, |
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>popfd<SPAN style="mso-spacerun: yes"> </SPAN>;置TF标志进入单步状态</SPAN></P>. x2 g5 D+ S3 K
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"></SPAN> </P>
, r1 I" A' t _% D0 Q' m6 w, E; g/ W4 X<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>nop<SPAN style="mso-spacerun: yes"> </SPAN>; nop执行完后单步异常引发<SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>) Q9 P0 x% e- z7 t$ o) Q9 U
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>inc<SPAN style="mso-spacerun: yes"> </SPAN>eax<SPAN style="mso-spacerun: yes"> </SPAN>; eip指向,nop后面的指令,就是这里</SPAN></P>5 I+ R$ k c5 Z( u
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>inc<SPAN style="mso-spacerun: yes"> </SPAN>eax<SPAN style="mso-spacerun: yes"> </SPAN><SPAN style="mso-spacerun: yes"> </SPAN>; 单步执行</SPAN></P>6 `3 k4 V- F6 Y& D
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>inc<SPAN style="mso-spacerun: yes"> </SPAN>eax<SPAN style="mso-spacerun: yes"> </SPAN>; normal eax==3,but infact eax==7</SPAN></P>& o; c* Q! O/ s) K& }
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"></SPAN> </P>
. c8 a( o0 ]: E: |6 d$ ~<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>popfd</SPAN></P>7 C# V% _: y2 z8 R5 E% Z7 d# U- r! \
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>;------------------ </SPAN></P>
8 i2 U/ w4 ~% U% x) ?<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>add<SPAN style="mso-spacerun: yes"> </SPAN>eax,30h<SPAN style="mso-spacerun: yes"> </SPAN>;convert to ASCIIZ</SPAN></P>2 H, ?- K f1 G: {. M
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>mov<SPAN style="mso-spacerun: yes"> </SPAN>DispEAX,eax</SPAN></P>
[# F) r5 `4 Z2 `8 W& f4 L; C<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>invoke<SPAN style="mso-tab-count: 1"> </SPAN>MessageBox,0,addr Msg0,ddd("The Eax equal to..."),0</SPAN></P>" V: s" W4 S( {+ G
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>
9 e" h$ d& w( H<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>pop<SPAN style="mso-spacerun: yes"> </SPAN>fs:[0]</SPAN></P>
. a; ]2 G. M$ d7 |: W$ E" F- E L- x<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>add<SPAN style="mso-spacerun: yes"> </SPAN>esp,4</SPAN></P>
7 }6 I1 i- r$ U! h9 B5 J<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>invoke<SPAN style="mso-tab-count: 1"> </SPAN>ExitProcess,0</SPAN></P>8 G2 o9 ~) a1 G- N. \/ H) w4 v d8 e
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;-----------------------------------------</SPAN></P>- j: |/ J8 e/ E3 Y1 H
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">singlestep_xHandler PROC C pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD</SPAN></P>
- a. P& J: v" t- v<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>pushad<SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>' _6 x! [8 l; T
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">assume<SPAN style="mso-spacerun: yes"> </SPAN>edi:ptr CONTEXT</SPAN></P>
8 A3 O! Q2 D, {- @+ B<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">assume<SPAN style="mso-spacerun: yes"> </SPAN>esi:ptr EXCEPTION_RECORD</SPAN></P>
- o3 p% U2 W9 N: y6 b<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>
, J, A1 q/ d/ i2 k* @<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>mov<SPAN style="mso-spacerun: yes"> </SPAN>esi,pExcept</SPAN></P>1 s* ?4 M+ G0 U( m6 h
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>mov<SPAN style="mso-spacerun: yes"> </SPAN>edi,pContext<SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>3 g/ ^% y% H# h5 A; g
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>
4 U, L: p( G# \; l; U" H9 Y! p7 @<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>test<SPAN style="mso-spacerun: yes"> </SPAN>dword ptr[esi+4],1<SPAN style="mso-spacerun: yes"> </SPAN>;Exception flags test common stuff</SPAN></P>: [+ F+ W2 I3 s! L4 [( P" Z! n
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>jnz<SPAN style="mso-spacerun: yes"> </SPAN>@f<SPAN style="mso-spacerun: yes"> </SPAN><SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>) [ w% A5 o8 [- b
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>test<SPAN style="mso-spacerun: yes"> </SPAN>dword ptr[esi+4],6</SPAN></P>
" M& J3 O& o8 t( u* m2 x" ^<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>jnz<SPAN style="mso-spacerun: yes"> </SPAN>@f</SPAN></P>
9 `/ a4 I. ~1 D+ t& T<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>cmp<SPAN style="mso-spacerun: yes"> </SPAN>dword ptr[esi],80000004h<SPAN style="mso-spacerun: yes"> </SPAN>;是否为单步异常标志</SPAN></P>
1 P7 O: U c$ }. }) n: t! h4 O8 y<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>jnz<SPAN style="mso-spacerun: yes"> </SPAN>@f</SPAN></P>- h$ L7 w) h$ @" M
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"></SPAN> </P>
& O/ H3 E: _8 U/ H" B<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>inc<SPAN style="mso-spacerun: yes"> </SPAN>[edi].regEax </SPAN></P>
4 G7 v0 ]1 @1 _: g<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>mov<SPAN style="mso-spacerun: yes"> </SPAN>ebx,[edi].regEip</SPAN></P> l& L" A# B5 R; [+ O6 T2 \
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>cmp<SPAN style="mso-spacerun: yes"> </SPAN>byte ptr[ebx],9Dh<SPAN style="mso-spacerun: yes"> </SPAN>;是否是popfd,因为目的是取消</SPAN></P>0 [2 g$ w# ^; B
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>jz<SPAN style="mso-spacerun: yes"> </SPAN>@finish_singlestep<SPAN style="mso-spacerun: yes"> </SPAN>;单步状态,所以这时就不应该重置TF</SPAN></P>; Z9 Z. }; y' Y8 k* s
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>or<SPAN style="mso-spacerun: yes"> </SPAN>[edi].regFlag,100h<SPAN style="mso-spacerun: yes"> </SPAN>;否则,重置TF<SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>
# V# g" k T y- f" T! C5 Y<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>;每单步中断一次,eax加1</SPAN></P>
) u* n: d) g6 }% R6 c) Z' b0 ]<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>;所以eax最后不等于3,而是</SPAN></P> S9 Z; t1 Y" v& S8 K; X) b7 P$ D
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>;中断4次后,eax==7<SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>9 o" E% X/ d" G7 d' L( M3 c' w. H2 A
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">@finish_singlestep:<SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>
9 X1 K$ R) W/ b. b* c* m+ z<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>& K( N" P2 h. _8 i' @. ]# N
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>mov<SPAN style="mso-spacerun: yes"> </SPAN>dword ptr[esp+7*4],0<SPAN style="mso-spacerun: yes"> </SPAN>;eax==0<SPAN style="mso-spacerun: yes"> </SPAN>hehe...</SPAN></P>
. \3 ]! C6 b. j2 W<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>popad<SPAN style="mso-spacerun: yes"> </SPAN>;研究一下pushad指令就明白了</SPAN></P>
$ G- | _: l0 G* O9 |6 h<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>ret</SPAN></P>+ P* L) s3 X2 V! D
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">@@:</SPAN></P>
7 u r( m9 `$ `( Y4 b! F& b<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>mov<SPAN style="mso-spacerun: yes"> </SPAN>dword ptr[esp+7*4],1<SPAN style="mso-spacerun: yes"> </SPAN>;eax==1</SPAN></P>
6 n4 }; N6 v' b% o<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>popad<SPAN style="mso-spacerun: yes"> </SPAN></SPAN></P>, z& K1 ?! J3 Z; G- U+ \% F+ @
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"><SPAN style="mso-spacerun: yes"> </SPAN>ret</SPAN></P>0 P6 j e# x9 Y
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt"></SPAN> </P>6 L( R/ Y; W. G' o7 N
<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">singlestep_xHandler ENDP</SPAN></P>
1 v. S, F9 I8 |* Y$ ]<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">;-----------------------------------------</SPAN></P>
+ K# I) g: O" y( ]( u% b<P class=MsoNormal style="LAYOUT-GRID-MODE: char; TEXT-INDENT: 20pt; mso-char-indent-count: 2.0; mso-char-indent-size: 10.0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">END<SPAN style="mso-tab-count: 1"> </SPAN>_Start</SPAN></P> |
|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港
( 鲁ICP备19052200号-1 )
发表于 2008-9-28 16:36:42
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡