Tips Collection (reposted from AOGO)

xiaoxiao, 2021-03-05

Tips: About getting the running address, by God

Code self-location (code finding its own address at run time) is a common requirement for viruses. The usual form is:

    call @4
@4: pop ebx

Some people say the two instructions above can be replaced and the same effect obtained. It is actually different: the code above obtains the address directly at run time, while the replacement is a value computed by the assembler, a static thing.

Tips: Protecting the registers, by TXJ_KILLER

I ran into a problem and after half a day of debugging found that the ReadProcessMemory function changes the value of the ECX register. I'm putting it here: remember to save the registers (protect the scene) when you call this function :)

AOGO supplement: Generally the GDI functions do not destroy the three registers EBX / ESI / EDI, but string or memory operation functions generally overwrite ESI / EDI / ECX, or even all of them. So, if you are not sure whether a function will destroy a register, a good way is to set that register to a known value before the call, then display the register's value after the call and see whether it is still the value you set. Of course, if the function happens to modify the register to exactly the value you set, hey, then you are out of luck.

Tips: Getting the actual address of somewhere at run time, by ipoz

    call @4
@4: pop ebx

Knowing that the CALL instruction pushes the address of the next instruction onto the top of the stack, when @4 executes, SS:[ESP] holds the address of @4! Thus POP EBX pops the address of @4 into EBX.

Tips: About "Small trick to get the actual address of somewhere at run time", by ghost dragon dance

    call @4
@4: pop ebx

Knowing that the CALL instruction pushes the address of the next instruction onto the top of the stack, when @4 executes, SS:[ESP] holds the address of @4! Thus POP EBX "pops" it into EBX. If I am not mistaken, replacing the above with

@4: mov ebx, $

gets the same effect.

Tips: Supplement to "Small trick to get the actual address of somewhere at run time", by Forgot

Quoting the original:
----------------------------------------------------------------
    call @4
@4: pop ebx

Knowing that the CALL instruction pushes the address of the next instruction onto the top of the stack, when @4 executes, SS:[ESP] holds the address of @4! Thus POP EBX "pops" the address of @4 into EBX. If I am not mistaken, replacing the above two statements with @4: mov ebx, $ gets the same effect.
----------------------------------------------------------------

Using MOV EBX, $ gets the offset of @4 as assembled; if the program cannot be loaded by the system loader at its predetermined address, operations on the contents of EBX will be wrong.

Tips: Popping up a menu while a popup menu is already displayed, by AOGO

This has always been a controversial problem with no perfect implementation. Some people write their own classes, some simulate it with windows. In fact it is really simple, to what extent? No tricks: as long as the TPM_RECURSE or TPM_RIGHTBUTTON flag is set in the flags parameter of the TrackPopupMenuEx function, you can even pop up another menu immediately on top of this menu. Very simple.

Tips: Some issues in Win32 message processing, by AOGO

Everyone handling a message whose parameters are packed into bytes or words has to shift them out with instructions such as SHR. Here is a small problem to pay attention to. For example, the WM_MOUSEWHEEL message stores the direction of the current wheel scroll in the high word of its wParam: -120 indicates scrolling up, 120 indicates scrolling down. At this point, this is wrong:

mov eax, wParam
shr eax, 16
.if eax == -120
...

Why? Since the shift instruction is a logical shift, the highest bit is moved too; at this point the sign bit is the highest bit of AX, so EAX is always positive. Instead, AX should be tested directly, or a sign-extension instruction should be used, such as:

.if ax == -120

This is usually only noticed when you pay attention to the high or low word, because after the shift EAX is still positive.

Tips: A bug in MASM macros, by AOGO

Let me give an example.

When using GetCaretPos to get the current cursor position, suppose it is a negative number and I need to know whether it is less than 0. The result:

.IF P.Y < 0
    ... ... ;1
.ELSEIF P.Y > EAX
    ... ... ;2
.ENDIF

Guess what the result is? Branch 1 will never be executed, because the compiler compiles .IF P.Y <= 0 into:

CMP P.Y, 0
JB xxx

As a result, although P.Y is a negative number, it is compared as an unsigned number, so for example -100 becomes 65435; naturally that is wrong. This is a bug of MASM.

So, a reminder to everyone: when you encounter a signed number, try to use a negative-number comparison, or write the judgement code yourself. Negative-number comparison:

.IF P.Y <= -1    ; equivalent to .IF P.Y < 0

For the above code the compiler will automatically select the JGE / JLE / JL / JG series of instructions.

Judging it myself:

CMP EAX, 0
JLE xxx
...
JMP @f
xxx:
CMP P.Y, EAX
JLE @f
...
@@:

Other macros such as .WHILE have this same bug.

If you don't pay attention to signed numbers, there will be inexplicable errors that you cannot locate.

Correction:

This is not really a bug. A forum netizen reminded me that when doing this comparison you can temporarily tell MASM to treat the operand as a signed number, such as:

.IF SDWORD PTR P.Y < 0
...

Yes. Similarly, it can be cast to SWORD or SBYTE; the leading S indicates a signed type.
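The two signedness pitfalls in the tips above (the SHR on a WM_MOUSEWHEEL wParam, and the .IF comparison that MASM assembles as an unsigned CMP/JB) modelled in C as an added example; this is not code from the original posts or from AOGO. The 32-bit wParam layout is constructed to match how WM_MOUSEWHEEL packs the wheel delta into the high word, the point_t struct with unsigned fields mirrors MASM's default unsigned view of an untyped DWORD field, and the function names are the example's own. GET_WHEEL_DELTA_WPARAM is the real SDK macro mentioned for comparison only; nothing here needs windows.h.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a 32-bit WPARAM: WM_MOUSEWHEEL packs the signed
 * wheel delta into the high word and the key-state flags into the low word. */
typedef uint32_t wparam_t;

/* Pack a signed 16-bit delta and key flags the way the OS does. */
wparam_t make_wheel_wparam(int16_t delta, uint16_t keys)
{
    return ((uint32_t)(uint16_t)delta << 16) | keys;
}

/* The buggy pattern from the tip: MOV EAX, wParam / SHR EAX, 16.
 * SHR is a logical shift, so the sign bit of the delta lands in bit 15 of a
 * positive 32-bit value: -120 reads as 0x0000FF88 == 65416, and
 * ".IF EAX == -120" can never be true. */
int32_t wheel_delta_shr(wparam_t w)
{
    return (int32_t)(w >> 16);
}

/* Correct extraction: view the high word as a signed 16-bit quantity and
 * sign-extend it, which is what the SDK's GET_WHEEL_DELTA_WPARAM macro does
 * ((short)HIWORD(wParam)). In assembly that is testing AX after the shift,
 * or MOVSX EAX, AX. */
int32_t wheel_delta_signed(wparam_t w)
{
    return (int16_t)(uint16_t)(w >> 16);
}

/* The .IF pitfall: MASM treats an untyped DWORD field such as POINT.y as
 * unsigned, so ".IF p.y < 0" assembles to CMP/JB and is never true. The
 * unsigned struct models that default view; the cast models SDWORD PTR p.y. */
typedef struct { uint32_t x, y; } point_t;   /* constructed, mirrors MASM's default view */

bool y_below_zero_unsigned(point_t p)
{
    return p.y < 0u;                /* never true: unsigned compare, like JB */
}

bool y_below_zero_signed(point_t p)
{
    return (int32_t)p.y < 0;        /* SDWORD PTR p.y < 0: signed compare, like JL */
}

int main(void)
{
    wparam_t up = make_wheel_wparam(-120, 0);
    printf("SHR view of -120: %d, signed view: %d\n",
           wheel_delta_shr(up), wheel_delta_signed(up));

    point_t caret = { 10, (uint32_t)-100 };   /* y == -100 as stored in the DWORD */
    printf("unsigned .IF sees y<0 as %d, SDWORD PTR sees %d\n",
           y_below_zero_unsigned(caret), y_below_zero_signed(caret));
    return 0;
}
```

The unsigned comparison in y_below_zero_unsigned is exactly the shape a compiler warns about with -Wtype-limits, which is the C equivalent of the MASM author's complaint: the test is well-formed but can never succeed, so the mistake only shows up at run time.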