Beyond the Documentation 157

The last two instructions in the current chunk perform another check on that same parameter, except that this time the code is using EBX, which, as you might recall, is the incremented version of EDI. Here EBX is compared against EDX, and the program jumps to ntdll.7C962559 if EBX is greater. Notice that the jump target address, ntdll.7C962559, is the same as the address of the previous conditional jump. This is a strong indication that the two jumps are part of what was a single compound conditional statement in the source code: they are just two conditions tested within a single conditional statement. Another interesting and informative hint you find here is the fact that the conditional jump instruction used is JA (jump if above), which uses the carry flag (CF). This indicates that EBX and EDX are both treated as unsigned values; if they were signed, the compiler would have used JG, which is the signed version of the instruction. For more information on signed and unsigned conditional codes, refer to Appendix A.

If you try to put the pieces together, you'll discover that this last condition actually reveals an interesting piece of information about the second parameter passed to this function. Recall that EDX was loaded from offset 14 in the structure and that this is the member that stores the total number of elements in the table. This indicates that the second parameter passed to RtlGetElementGenericTable is an index into the table. These last two instructions simply confirm that it is a valid index by comparing it against the total number of elements. This also sheds some light on why the index was incremented: it was done in order to properly compare the two, because the index is probably zero-based and the total element count is certainly not. Now that you understand these two conditions and know that they both originated in the same conditional statement, you can safely assume that the validation done on the index parameter was done in one line
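As an added C model of the comparison described above (example code, not from the book or from ntdll): the incremented index (EBX = EDI + 1) is compared against the element count with an unsigned compare, and a signed variant is shown for contrast. The structure field names and the sample table are assumptions; the first of the two conditions is not on this page, so only the JA check is modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the table header. The page says the element count
 * lives at offset 14 in the structure; the field name is an assumption. */
struct table_model {
    uint32_t number_of_elements;
    int elements[8];                 /* constructed sample storage */
};

/* Models the two instructions from the page: EBX = EDI + 1, then
 * CMP EBX, EDX / JA -> reject. Both operands are treated as unsigned. */
static bool index_ok_unsigned(uint32_t index, uint32_t count)
{
    uint32_t incremented = index + 1u;   /* wraps to 0 when index == UINT32_MAX */
    return !(incremented > count);       /* JA: jump if above (unsigned) */
}

/* What the compiler would have emitted with JG instead: a signed compare.
 * Computed in 64 bits so the +1 cannot overflow inside the model. */
static bool index_ok_signed(int32_t index, int32_t count)
{
    int64_t incremented = (int64_t)index + 1;
    return !(incremented > count);       /* JG: jump if greater (signed) */
}

/* Element fetch gated by the unsigned check; NULL models the rejection path. */
static const int *get_element(const struct table_model *t, uint32_t index)
{
    if (!index_ok_unsigned(index, t->number_of_elements))
        return NULL;
    return &t->elements[index];
}

/* Demo helper over a constructed five-element table: element or -1 on rejection. */
static int sample_lookup(uint32_t index)
{
    static const struct table_model t = { 5, { 10, 20, 30, 40, 50, 0, 0, 0 } };
    const int *e = get_element(&t, index);
    return e ? *e : -1;
}

int main(void)
{
    printf("index 4 -> %d, index 5 -> %d\n", sample_lookup(4), sample_lookup(5));
    printf("index 0xFFFFFFFE: unsigned check %s, signed check %s\n",
           index_ok_unsigned(0xFFFFFFFEu, 5) ? "accepts" : "rejects",
           index_ok_signed(-2, 5) ? "accepts" : "rejects");
    return 0;
}
```

The signed variant shows why the choice of JA matters: a "negative" index such as 0xFFFFFFFE is rejected by the unsigned compare but accepted by the signed one. The model also exposes the one value the unsigned `index + 1` test alone does not catch, since at UINT32_MAX the increment wraps to 0.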