|
|
此段代码对于上面分配的TextLineObj设置opaqueBackground属性,触发分配BackGroundObject。如何从上面的jitcode跟到这里,其实有很多方法,比如最简单的单步过来,或者对arrary下访问读断点之后单步返回到jitcode领空Jitcode098c8331 83ec0c sub esp,0Ch098c8334 53 push ebx098c8335 e846c931fe call Flash32_18_0_0_203!IAEModule_IAEKernel_UnloadModule+0x1ee5c0 (07be4c80)098c833a 83c40c add esp,0Ch/ /return textline obj getproperty.... 098c8374 ffb514ffffff push dword ptr [ebp-0ECh]098c837a 6a0e push 0Eh098c837c 53 push ebx098c837d 68e0c63109 push 931C6E0h098c8382 ffd0 call eax {Flash32_18_0_0_203!IAEModule_IAEKernel_UnloadModule+0x206590 (07bfcc50)}// setproperty opaqueBackgroundavmplus::setprop_miss -- avmplus::setprop_setter – …….. - sub_1025DD12 如果加载了avmplus sig的话可以看到一些符号路径void __thiscall set_opaqueBackground(int textline_obj, unsigned int a2) // 1025DD12{ int v2; // ebp@1 int v3; // edi@1 int buf; // eax@2 int v5; // esi@2 signed int v6; // eax@7 v2 = textline_obj; v3 = *(_DWORD *)(textline_obj + 0x24); if ( v3 ) { buf = sub_10021F6D(v3); v5 = buf; if ( a2 > 4 ) { if ( !buf ) v5 = sub_1025DC52((void *)v2); // 分配0x390 BackgroudObj avmplus::AvmCore::integer(a2); // 对参数进行转换 调用valueOf函数 *(_DWORD *)(v5 + 0x30C) |= 4u; *(_BYTE *)(sub_102B7B16(v2) + 2144) = 1; *(_BYTE *)(v5 + 0x322) = v6 >> 16; *(_BYTE *)(v5 + 0x320) = v6; *(_BYTE *)(v5 + 0x321) = BYTE1(v6); } else if ( buf ) { *(_DWORD *)(buf + 0x30C) &= 0xFFFFFFFB; } sub_10104280(1, 0); if ( v5 ) *(_BYTE *)(v5 + 0x1E0) = 1; *(_DWORD *)(v3 + 0x20) |= 4u; }}set_opaqueBackground函数首先判断BackGroudObj是否存在,不存在则调用1025DC52分配0x390大小的Object,随后调用avmplus::AvmCore::integer对写入的参数进行转换,这里如果传入的是Object 会调用相应的valueOf函数。通过设置如下断点 即可打印所有的分配
 |
|
发表于 2022-5-8 17:18:21
