I have tried:
;# As you have already noticed, the compiler wants to align the stack
;# pointer on a 16 byte boundary before it pushes anything. That's
;# because certain instructions' memory access needs to be aligned
;# that way.

;# So in order to first save the original offset of esp (+4), it
;# executes the first instruction:
lea ecx,[esp+0x4]

;# Now alignment can happen. Without the previous insn the next one
;# would have made the original esp unrecoverable:
and esp,0xfffffff0

;# Next it pushes the return address and creates a stack frame. I
;# assume it now wants to make the stack look like a normal
;# subroutine call:
push DWORD PTR [ecx-0x4]
push ebp
mov ebp,esp

;# Remember that ecx is still the only value that can restore the
;# original esp. Since ecx may be garbled by any subroutine calls,
;# it has to save it somewhere:
push ecx
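To make the point about recovering the original esp concrete, here is an added example that is not code from the original post: a small C simulation of this prologue on a fake 32-bit stack, followed by the matching epilogue, which is assumed here to be `mov ecx,[ebp-0x4]; leave; lea esp,[ecx-0x4]; ret` (the post does not show it). The helper names, the stack layout and the sample entry values are constructed for the example; the body of the function is simulated as clobbering ecx, which is exactly why the prologue had to save it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated 32-bit stack: addresses are byte offsets into this array,
   the stack grows towards lower addresses. (Constructed for the example.) */
#define STACK_BYTES 256
static uint8_t stack_mem[STACK_BYTES];

static uint32_t ld32(uint32_t addr) { uint32_t v; memcpy(&v, stack_mem + addr, 4); return v; }
static void     st32(uint32_t addr, uint32_t v) { memcpy(stack_mem + addr, &v, 4); }

struct regs { uint32_t esp, ebp, ecx; };

static void push(struct regs *r, uint32_t v) { r->esp -= 4; st32(r->esp, v); }

/* Run the prologue quoted above. `entry_esp` is esp on entry to main,
   i.e. right after the caller's `call main` pushed `ret_addr`. */
static struct regs run_prologue(uint32_t entry_esp, uint32_t ret_addr, uint32_t caller_ebp)
{
    struct regs r = { entry_esp, caller_ebp, 0xdeadbeefu };
    memset(stack_mem, 0, sizeof stack_mem);
    st32(entry_esp, ret_addr);          /* what `call main` left on the stack */

    r.ecx = r.esp + 4;                  /* lea ecx,[esp+0x4]  : remember original esp (+4) */
    r.esp &= 0xfffffff0u;               /* and esp,0xfffffff0 : align, original esp is now gone */
    push(&r, ld32(r.ecx - 4));          /* push DWORD PTR [ecx-0x4] : copy the return address */
    push(&r, r.ebp);                    /* push ebp */
    r.ebp = r.esp;                      /* mov ebp,esp */
    push(&r, r.ecx);                    /* push ecx : save the only way back to the old esp */
    return r;
}

/* Assumed matching epilogue (not in the post): reload ecx from the slot
   the prologue saved it in, tear down the frame, rebuild the original esp.
   Returns the esp value `ret` would see. */
static uint32_t run_epilogue(struct regs *r)
{
    r->ecx = ld32(r->ebp - 4);          /* mov ecx,[ebp-0x4] */
    r->esp = r->ebp;                    /* leave: mov esp,ebp ... */
    r->ebp = ld32(r->esp); r->esp += 4; /*        ... pop ebp   */
    r->esp = r->ecx - 4;                /* lea esp,[ecx-0x4] : esp now points at the real return address */
    return r->esp;
}

int main(void)
{
    /* 0xcc is not 16-byte aligned, so `and` really moves esp. Values are constructed. */
    struct regs r = run_prologue(0xccu, 0x08048400u, 0xf0u);
    printf("after prologue: esp=%#x ebp=%#x ecx=%#x  [ebp+4]=%#x (copied return address)\n",
           r.esp, r.ebp, r.ecx, ld32(r.ebp + 4));
    r.ecx = 0;                          /* a subroutine call in the body garbles ecx */
    uint32_t esp_at_ret = run_epilogue(&r);
    printf("after epilogue: esp=%#x -> ret pops %#x\n", esp_at_ret, ld32(esp_at_ret));
    return 0;
}
```

Running it shows the frame laid out like a normal call (`[ebp]` = caller's ebp, `[ebp+4]` = return address) even though esp was moved, and the epilogue landing esp back on the original return address regardless of what the body did to ecx.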



