我给你们解读一下 IDA 的伪代码,看看理解得对不对:
// bad sp value at call has been detected, the output may be wrong!
// positive sp value has been detected, the output may be wrong!
//
// NOTE(review): the two warnings above come from the decompiler's stack-pointer
// analysis. Locals that are read without a visible assignment (v15, v16), or
// dereferenced right after being zeroed (v13), are probably stack slots it
// attributed to the wrong variable. Check the disassembly before relying on
// the control flow shown here.
//
// sub_4E83B0: runs ExecuteActions on the manager at *(a5 - 4) with the value 1
// and, if that reports success, performs a guarded follow-up sequence
// (ExpandTemporalVariables, sub_4E81D4, CreateGetItService, a virtual call on
// v13). ExecuteActions is called again with the value 2 only when that
// sequence sets v5. The tail clears v13, v14 and v17 on every path.
//
// a1 (eax): copied into v17, passed to IntfAddRef, and cleared with IntfClear
//           on exit, so it is handled as an interface reference.
// a2, a3, a4 (edx, edi, esi): only forwarded to the IntfAddRef call; presumably
//           register residue rather than real arguments (TODO confirm).
// a5 (stack): *(a5 - 4) is used as the TGetItInstallManager instance and a5
//           itself is passed to sub_4E81D4. Presumably the frame pointer of an
//           enclosing routine (verify against the caller).
// Returns whatever the final IntfClear(&v17) leaves in eax; nothing in this
// listing shows that the value is meaningful to callers.
int __usercall sub_4E83B0@<eax>(int a1@<eax>, int a2@<edx>, int a3@<edi>, int a4@<esi>, int a5)
{
  char v5; // bl
  int v6; // edx
  Getitactionsbase *v7; // ecx
  struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList; // BYREF
  void *v10; //
  int *v11; //
  unsigned int v12; //
  int v13; // BYREF
  Getitactionsbase *v14; // BYREF
  bool v15; // BYREF
  int v16; //
  int v17; // BYREF
  int savedregs; // BYREF
  v13 = 0;
  v12 = 0;
  v17 = a1;
  // Take a reference on the incoming object; the matching IntfClear(&v17) is the return statement.
  ((void (__fastcall *)(int, int, _DWORD, int, int))System::__linkproc__ IntfAddRef)(a1, a2, 0, a4, a3);
  // Outer exception frame: save the current head of the chain and write the
  // address of the local record to fs:[0]. v10/v11 presumably hold the handler
  // address (loc_4E84E6) and saved frame pointer of that record.
  v11 = &savedregs;
  v10 = &loc_4E84E6;
  ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
  __writefsdword(0, (unsigned int)&ExceptionList);
  // v5 records whether the second ExecuteActions call below should run.
  v5 = 0;
  // First ExecuteActions call (third argument 1). Only the low byte of the
  // result is tested. The trailing three arguments look like stack contents
  // picked up by the decompiler rather than real parameters: the call at the
  // end of this block passes only three arguments.
  if ( (unsigned __int8)((int (__fastcall *)(_DWORD, int, int, int *, void *, struct _EXCEPTION_REGISTRATION_RECORD *))Getitinstallmanager::TGetItInstallManager::ExecuteActions)(
  *(_DWORD *)(a5 - 4),
  v17,
  1,
  &savedregs,
  &loc_4E84E6,
  ExceptionList) )
  {
    // Inner exception frame, same pattern as above with handler address loc_4E8472.
    v11 = &savedregs;
    v10 = &loc_4E8472;
    ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
    __writefsdword(0, (unsigned int)&ExceptionList);
    // Virtual call through the table at *v17, byte offset 80; it receives &v14 as an output slot.
    (*(void (__fastcall **)(int, Getitactionsbase **))(*(_DWORD *)v17 + 80))(v17, &v14);
    // Only the low byte of v6 is set; the remaining bytes are uninitialised in this listing.
    LOBYTE(v6) = 1;
    // NOTE(review): v15 has no visible assignment before this call and is
    // dereferenced as a pointer on the next line although declared bool.
    // Presumably it is an output slot filled here - confirm in the disassembly.
    Getitactionsbase::ExpandTemporalVariables(v14, v6, 1, (bool)v15);
    // Virtual call at byte offset 232 on v17, passing the DWORD read through v15.
    (*(void (__fastcall **)(int, _DWORD))(*(_DWORD *)v17 + 232))(v17, *(_DWORD *)v15);
    // Continue only if sub_4E81D4(a5) returns a non-zero low byte.
    if ( (unsigned __int8)sub_4E81D4(a5) )
    {
      // NOTE(review): v16 is never assigned in this listing; it is probably
      // written through an aliased stack slot by one of the calls above.
      if ( !v16 )
      {
        Getitinstallmanager::TGetItInstallManager::CreateGetItService(
        *(Getitinstallmanager::TGetItInstallManager **)(a5 - 4),
        1);
        // NOTE(review): v13 was zeroed at the top and has no visible write
        // since, yet it is dereferenced here. Presumably CreateGetItService
        // returns its result into v13 through a hidden output parameter
        // (TODO confirm). A non-zero low byte from this call sets v5.
        if ( (*(unsigned __int8 (__fastcall **)(int, int))(*(_DWORD *)v13 + 52))(v13, v17) )
        v5 = 1;
      }
    }
    // Pop the inner exception frame by restoring the saved chain head.
    __writefsdword(0, (unsigned int)ExceptionList);
    // Second ExecuteActions call (third argument 2), reached only when v5 was set above.
    if ( v5 )
    ((int (__fastcall *)(_DWORD, int, int))Getitinstallmanager::TGetItInstallManager::ExecuteActions)(
    *(_DWORD *)(a5 - 4),
    v17,
    2);
  }
  // Tail executed on every path: restore fs:[0], then clear v13, v14 and v17.
  v7 = v14;
  // NOTE(review): v12 is 0 as far as this listing shows. The slot presumably
  // holds the saved outer chain head and was misattributed by the decompiler.
  __writefsdword(0, v12);
  // NOTE(review): storing a code address (loc_4E84ED) into v14 just before
  // clearing it is most likely a pushed continuation address that the
  // decompiler assigned to v14's stack slot - verify.
  v14 = (Getitactionsbase *)&loc_4E84ED;
  ((void (__fastcall *)(int *, unsigned int, Getitactionsbase *))System::__linkproc__ IntfClear)(&v13, v12, v7);
  ((void (__fastcall *)(Getitactionsbase **, int))System::__linkproc__ UStrArrayClr)(&v14, 2);
  return ((int (__fastcall *)(int *))System::__linkproc__ IntfClear)(&v17);
}
意思就是说:前面给出一个正确的授权状态后,就开启一个安装线程去自动地安装控件;否则挂掉这个线程,并提示注册码无效。不过这段伪代码本身看不到创建线程或提示注册码无效的调用,而且 IDA 已经警告栈指针分析可能有误,所以这一解读还需要对照反汇编和调用方的代码来确认。