線程-有人能看懂這段代碼嗎，他是怎麼改變esp的 坐等大牛

有人能看懂這段代碼嗎，他是怎麼改變esp的 坐等大牛

 #include "stdio.h"
#include "conio.h"
#include "windows.h"

char Msg[] = "Hello C++! I Love you forever!";

int __stdcall RelocThread(int Param)
{
    int Addr = 0;
    char *pMsg = NULL;
    if (!Param)
    {
        Addr = ((int(__stdcall*)(void))RelocThread)();
        Addr = 5 + Addr + *(int*)(Addr + 1);
        pMsg = (char*)(Addr + (int)&Msg - (int)&RelocThread);

        printf("In RelocThread:\n");
        printf("I can Found My start address myself=0x%08X\nand Global Value Msg=0x%X\n", Addr, pMsg);
        printf("%s\n", pMsg);

        ExitThread(0);
    }
    return (*(int*)((int)&Param - 4)) - 5;
}

void main(void)
{
    HANDLE hThread = CreateRemoteThread(GetCurrentProcess(), NULL, 0, (LPTHREAD_START_ROUTINE)RelocThread, 0, 0, NULL);
    WaitForSingleObject(hThread, INFINITE);
    printf("In function main:\nRelocThread=0x%08X,Msg=0x%08X\n", RelocThread, Msg);
    getch();
}

他是怎麼改變esp的

最佳回答：

堆棧上有函數的返回地址，通過故意越界的地址強行改寫，當函數清棧退出的時候，就自動會將esp設置為這個返回地址（已經被改寫）