siCore.sys逆向分析001

; Section 1. (virtual address 00000300)
; Virtual size                  : 000168A8 (  92328.)
; Section size in file          : 00016900 (  92416.)
; Offset to raw data for section: 00000300
; Flags 68000020: Text Not pageable Executable Readable
; Alignment     : default

; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 10300h
assume es:GAP, ss:GAP, ds:_data, fs:nothing, gs:nothing



sub_10300 proc near
pusha;将通用寄存器压栈
mov     word ptr dword_27580, ss;把堆栈段寄存器放到全局变量
mov     word_27584, 1Bh
mov     word_27586, 23h ; '#'
mov     eax, BaseAddress
mov     dword_27588, eax
call    sub_10415
call    sub_1097E
call    sub_10735
call    sub_1033F
mov     byte_275A5, al
popa
retn
sub_10300 endp


;整体看来这个函数应该是某个虚拟地址的页表地址的
sub_10415 proc near
pusha
mov     eax, dword_2F760
mov     dword_27590, eax
;提取高20位 * 4，高20位可能是索引，4应该是步长
mov     ecx, dword_2B64C ;ecx==2
shr     eax, 0Ch
shl     eax, cl
;0C0000000h 这个好像是放页表的虚拟地址
add     eax, 0C0000000h
mov     dword_2758C, eax
popa
retn
sub_10415 endp