004028A2 sub eax,0
004028A5 mov esi,ecx
004028A7 je 004028FB
004028A9 sub eax,1
004028AC je 004028DA
004028AE sub eax,1
004028B1 jne 00402887
004028B3 mov eax,dword ptr [esp+10h]
004028B7 test eax,eax
004028B9 ja 004028D0
004028BB push 0
004028BD push esi
004028BE push 0
004028C0 push ebx
004028C1 mov dword ptr [ecx+14h],1
004028C8 call dword ptr ds:[437030h]
004028CE jmp 00402887
004028D0 mov edx,dword ptr [ecx]
004028D2 push eax
004028D3 mov eax,dword ptr [edx+14h]
004028D6 call eax
004028D8 jmp 00402887
004028DA mov edx,dword ptr [ecx]
004028DC mov eax,dword ptr [edx+10h]
004028DF call eax
004028E1 mov ecx,dword ptr [esi+18h]
004028E4 push ecx
004028E5 call dword ptr ds:[4371C0h]
004028EB call 00401200
004028F0 push esi
004028F1 call 00419DAF
004028F6 add esp,4
004028F9 jmp 00402887
004028FB mov edx,dword ptr [ecx+18h]
004028FE push 0
00402900 push ecx
00402901 lea edi,[ecx+18h]
00402904 push ebx
00402905 push edx
00402906 call dword ptr ds:[437020h]
0040290C test eax,eax
0040290E jne 0040292C
00402910 mov eax,dword ptr [edi]
00402912 push eax
00402913 call dword ptr ds:[4371C0h]
00402919 call 00401200
0040291E push esi
0040291F call 00419DAF
00402924 add esp,4
00402927 jmp 00402887
0040292C mov edx,dword ptr [esi]
情况是这样：
已知：
跳转 004028A7 je 004028FB 已发生（跳转条件成立）
跳转 0040290E jne 0040292C 已发生（跳转条件成立）
这里 00402906 call dword ptr ds:[437020h] 是在调用 API CreateIoCompletionPort。
在这里 004028A5 mov esi,ecx 执行完之后，esi 不可能为 0（此时的 ecx 也正是紧接着在 004028FB 处 mov edx,dword ptr [ecx+18h] 所解引用的指针，若它为 0，应当在那里就先出错）。
但是在这里 0040292C mov edx,dword ptr [esi] 执行的时候，esi 却为 0。
这是偶然出现的现象，看不出 esi 在哪里可能被改变；也没有发现它可能被其它线程更改的可能（寄存器是线程私有的，其它线程本来也无法直接改写本线程的 esi）。按上面两条已发生的跳转，从 004028A5 到 0040292C 的路径上，唯一能改写 esi 的只有 00402906 处的那次间接调用。
因为一共只有 4 个线程，其它三个线程都很简单，基本处于等待状态。