Meh*_*dad 6 assembly winapi msvcrt seh visual-c++
我正在尝试对名为的Visual C++ 2008 SEH处理程序进行逆向工程,__CxxFrameHandler3以提供可以将结果委托给(旧版本)__CxxFrameHandler的实现msvcrt.dll.
(此页面和此页面包含有关msvcrt.dllSEH的详细信息.)
注意: msvcrt_winxp.obj(32位)和msvcrt_win2003.obj(64位)已经做同样的事情 - 它们是Windows Driver Kit 7.1的一部分.但是,它们还捆绑了许多其他代码,这会混淆我的链接器.
我成功地拆解了32位版本(msvcrt_winxp.obj),提取__CxxFrameHandler3并创建了一个提供适当实现的替代方案.
但是,我遇到了64位版本(msvcrt_win2003.obj)的问题:
即使我的64位实现看起来完全相同,但它不起作用 - 但微软提供的实际工作确实有效.
这是32位版本(可正常工作):
.386
.model flat, c
option dotname
extern __CxxFrameHandler: PROC
.code
includelib msvcrt.lib
public __CxxFrameHandler3
__CxxFrameHandler3:
push ebp
mov ebp,esp
sub esp,28h
push ebx
push esi
push edi
cld
mov dword ptr [ebp-4],eax
mov esi,dword ptr [ebp-4]
push 9
pop ecx
lea edi,[ebp-28h]
rep movs dword ptr es:[edi],dword ptr [esi]
mov eax,dword ptr [ebp-28h]
and eax,0F9930520h
or eax,019930520h
mov dword ptr [ebp-28h],eax
lea eax,[ebp-28h]
mov dword ptr [ebp-4],eax
push dword ptr [ebp+14h]
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+8]
mov eax,dword ptr [ebp-4]
call __CxxFrameHandler
add esp,10h
pop edi
pop esi
pop ebx
mov esp,ebp
pop ebp
ret
end
这是(有问题的)64位版本:
;; Compiled with:
;; ml64.exe /Fo"$(InputName).obj" /c /nologo /W3 /Zi /Ta "$(InputPath)"
option dotname
extern __CxxFrameHandler: PROC
extern __imp___CxxFrameHandler: PROC
extern __imp_VirtualProtect: PROC
extern __imp_Sleep: PROC
extern __imp_GetVersion: PROC
.data
ProtectFlag dd ?
.code
includelib kernel32.lib
includelib msvcrt.lib
public __CxxFrameHandler3
__CxxFrameHandler3:
mov rax,rsp
mov qword ptr [rax+8],rbx
mov qword ptr [rax+10h],rbp
mov qword ptr [rax+18h],rsi
push rdi
push r12
push r13
sub rsp,30h
mov dword ptr [rax+20h],40h
mov rax,qword ptr [r9+38h]
mov rdi,r9
mov ebx,dword ptr [rax]
mov rsi,r8
mov rbp,rdx
add rbx,qword ptr [r9+8]
mov r12,rcx
mov eax,dword ptr [rbx]
and eax,1FFFFFFFh
cmp eax,19930520h
je L140001261
mov r13d,1
mov eax,r13d
lock xadd dword ptr [ProtectFlag],eax
add eax,r13d
cmp eax,r13d
je L140001217
L1400011F0:
lock add dword ptr [ProtectFlag],0FFFFFFFFh
mov ecx,0Ah
call qword ptr [__imp_Sleep]
mov r11d,r13d
lock xadd dword ptr [ProtectFlag],r11d
add r11d,r13d
cmp r11d,r13d
jne L1400011F0
L140001217:
mov r8d,dword ptr [rsp+68h]
mov r13d,4
lea r9,[rsp+20h]
mov rdx,r13
mov rcx,rbx
call qword ptr [__imp_VirtualProtect]
test eax,eax
je L140001259
and dword ptr [rbx],0F9930520h
or dword ptr [rbx],19930520h
mov r8d,dword ptr [rsp+20h]
lea r9,[rsp+68h]
mov rdx,r13
mov rcx,rbx
call qword ptr [__imp_VirtualProtect]
L140001259:
lock add dword ptr [ProtectFlag],0FFFFFFFFh
L140001261:
mov r9,rdi
mov r8,rsi
mov rdx,rbp
mov rcx,r12
call qword ptr [__imp___CxxFrameHandler]
mov rbx,qword ptr [rsp+50h]
mov rbp,qword ptr [rsp+58h]
mov rsi,qword ptr [rsp+60h]
add rsp,30h
pop r13
pop r12
pop rdi
ret
end
Microsoft的实现(用DumpBinon 提取lib\wnet\amd64\msvcrt_win2003.obj)是:
__CxxFrameHandler3:
0x0000: 48 8B C4 mov rax,rsp
0x0003: 48 89 58 08 mov qword ptr [rax+8],rbx
0x0007: 48 89 68 10 mov qword ptr [rax+10h],rbp
0x000B: 48 89 70 18 mov qword ptr [rax+18h],rsi
0x000F: 57 push rdi
0x0010: 41 54 push r12
0x0012: 41 55 push r13
0x0014: 48 83 EC 30 sub rsp,30h
0x0018: C7 40 20 40 00 00 mov dword ptr [rax+20h],40h
00
0x001F: 49 8B 41 38 mov rax,qword ptr [r9+38h]
0x0023: 49 8B F9 mov rdi,r9
0x0026: 8B 18 mov ebx,dword ptr [rax]
0x0028: 49 8B F0 mov rsi,r8
0x002B: 48 8B EA mov rbp,rdx
0x002E: 49 03 59 08 add rbx,qword ptr [r9+8]
0x0032: 4C 8B E1 mov r12,rcx
0x0035: 8B 03 mov eax,dword ptr [rbx]
0x0037: 25 FF FF FF 1F and eax,1FFFFFFFh
0x003C: 3D 20 05 93 19 cmp eax,19930520h
0x0041: 0F 84 8A 00 00 00 je 0x00D1
0x0047: 41 BD 01 00 00 00 mov r13d,1
0x004D: 41 8B C5 mov eax,r13d
0x0050: F0 0F C1 05 00 00 lock xadd dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],eax
00 00
0x0058: 41 03 C5 add eax,r13d
0x005B: 41 3B C5 cmp eax,r13d
0x005E: 74 27 je 0x0087
0x0060: F0 83 05 00 00 00 lock add dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],0FFFFFFFFh
00 FF
0x0068: B9 0A 00 00 00 mov ecx,0Ah
0x006D: FF 15 00 00 00 00 call qword ptr [__imp_Sleep]
0x0073: 45 8B DD mov r11d,r13d
0x0076: F0 44 0F C1 1D 00 lock xadd dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],r11d
00 00 00
0x007F: 45 03 DD add r11d,r13d
0x0082: 45 3B DD cmp r11d,r13d
0x0085: 75 D9 jne 0x0060
0x0087: 44 8B 44 24 68 mov r8d,dword ptr [rsp+68h]
0x008C: 41 BD 04 00 00 00 mov r13d,4
0x0092: 4C 8D 4C 24 20 lea r9,[rsp+20h]
0x0097: 49 8B D5 mov rdx,r13
0x009A: 48 8B CB mov rcx,rbx
0x009D: FF 15 00 00 00 00 call qword ptr [__imp_VirtualProtect]
0x00A3: 85 C0 test eax,eax
0x00A5: 74 22 je 0x00C9
0x00A7: 81 23 20 05 93 F9 and dword ptr [rbx],0F9930520h
0x00AD: 81 0B 20 05 93 19 or dword ptr [rbx],19930520h
0x00B3: 44 8B 44 24 20 mov r8d,dword ptr [rsp+20h]
0x00B8: 4C 8D 4C 24 68 lea r9,[rsp+68h]
0x00BD: 49 8B D5 mov rdx,r13
0x00C0: 48 8B CB mov rcx,rbx
0x00C3: FF 15 00 00 00 00 call qword ptr [__imp_VirtualProtect]
0x00C9: F0 83 05 00 00 00 lock add dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],0FFFFFFFFh
00 FF
0x00D1: 4C 8B CF mov r9,rdi
0x00D4: 4C 8B C6 mov r8,rsi
0x00D7: 48 8B D5 mov rdx,rbp
0x00DA: 49 8B CC mov rcx,r12
0x00DD: FF 15 00 00 00 00 call qword ptr [__imp___CxxFrameHandler]
0x00E3: 48 8B 5C 24 50 mov rbx,qword ptr [rsp+50h]
0x00E8: 48 8B 6C 24 58 mov rbp,qword ptr [rsp+58h]
0x00ED: 48 8B 74 24 60 mov rsi,qword ptr [rsp+60h]
0x00F2: 48 83 C4 30 add rsp,30h
0x00F6: 41 5D pop r13
0x00F8: 41 5C pop r12
0x00FA: 5F pop rdi
0x00FB: C3 ret
When I try debugging both formats, as soon as I reach the line that says push r12, the call stack in Visual Studio becomes messed up in my version (superficial entries pointing to invalid addresses pop up in between stack frames), but it's completely fine at the same point in Microsoft's version.
And indeed, when I allow execution to continue, my program crashes inside __CxxFrameHandler with my version, but works completely fine with Microsoft's version.
The program I'm testing both sources with is:
int main()
{
try
{
// Dummy condition to prevent any optimizations.
// Always throws.
if (GetVersion() != 0)
throw 1;
}
catch (...) { }
if (GetVersion() != 0) { _tprintf(_T("Hi!\n")); }
return 0;
}
with the appropriate compiler flags (/MD /GS- /Od).
Therefore I can't figure out:
为什么我的代码,这应该是完全相同一样提供的实现,会导致访问冲突内msvcrt的__CxxFrameHandler?
这里是程序的base64编码,因此您可以看到生成的实际二进制文件.
我的坏版本:
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADNS1fHiSo5lIkqOZSJKjmU/7dClIsqOZSJKjiUgSo5lIBSqpSKKjmUgFK9lIsqOZSAUqyUiCo5lIBSqJSIKjmUUmljaIkqOZQAAAAAAAAAAFBFAABkhgQAtkwrTwAAAAAAAAAA8AAjAAsCCQAAAgAAAAgAAAAAAAAAEAAAABAAAAAAAEABAAAAABAAAAACAAAFAAIAAAAAAAUAAgAAAAAAAFAAAAAEAAAAAAAAAwAAgAAAEAAAAAAAABAAAAAAAAAAABAAAAAAAAAQAAAAAAAAAAAAABAAAAAAAAAAAAAAAPwhAAA8AAAAAAAAAAAAAAAAQAAAJAAAAAAAAAAAAAAAAAAAAAAAAABQIAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAArQEAAAAQAAAAAgAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAACYDAAAAIAAAAAQAAAAGAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAAAkAAAAADAAAAACAAAACgAAAAAAAAAAAAAAAAAAQAAAwC5wZGF0YQAAJAAAAABAAAAAAgAAAAwAAAAAAAAAAAAAAAAAAEAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7DhIx0QkKP7/////FfUPAACFwHQax0QkIAEAAABIjRWCEQAASI1MJCDoHAEAAJD/FdEPAACFwHQNSI0NLhAAAP8V+A8AADPASIPEOMPMSIvESIlYCEiJaBBIiXAYV0FUQVVIg+wwx0AgQAAAAEmLQThJi/mLGEmL8EiL6kkDWQhMi+GLAyX///8fPSAFkxkPhIoAAABBvQEAAABBi8XwD8EFeB8AAEEDxUE7xXQn8IMFaB8AAP+5CgAAAP8VTQ8AAEWL3fBED8EdUR8AAEUD3UU73XXZRItEJGhBvQQAAABMjUwkIEmL1UiLy/8VDQ8AAIXAdCKBIyAFk/mBCyAFkxlEi0QkIEyNTCRoSYvVSIvL/xXnDgAA8IMF/x4AAP9Mi89Mi8ZIi9VJi8z/Fe0OAABIi1wkUEiLbCRYSIt0JGBIg8QwQV1BXF/D/yXWDgAAzMxIiVwkCFdIg+wgi9pIi/n/FccOAAD2wwF0CEiLz+gOAAAASIvHSItcJDBIg8QgX8P/Ja4OAADMzMzMzMxIiVQkEFVIg+wgSIvqSI0Fjf7//+sASIPEIF3DzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/iIAAAAAAADwIgAAAAAAABAjAAAAAAAAAAAAAAAAAACoIgAAAAAAAJIiAAAAAAAA2CIAAAAAAADIIgAAAAAAAIgiAAAAAAAAAAAAAAAAAAAAAAAAtkwrTwAAAAACAAAAcQAAALAgAACwBgAAAAAAAEgAaQAhAAoAAAAAAAAAAAAiBZMZAgAAACQhAAABAAAASCEAAAQAAAB8IQAAKAAAAAAAAAABAAAAVBEAQAEAAABSU0RTc7+xwtuLCUaAlir7sdahtB4AAABkOlxNZWhyZGFkXFZpc3VhbCBTdHVkaW8gUHJvamVjdHNcVmlzdWFsIEMrK1xUZXN0RXhjZXB0aW9uXHg2NFxSZWxlYXNlXFRlc3RFeGNlcHRpb24ucGRi
AAAAAP////8AAAAA/////wAAAABAAAAAAAAAAAAAAACQEQAAOAAAAAAAAAAAAAAAAQAAAAEAAAA0IQAAGQ0BAARiAABQEAAAgCAAABkKAgAKMgZQUBAAAIAgAAAAEAAA/////w0QAAAAAAAAMRAAAP////+QEQAAAAAAAAEKBAAKNAYACjIGcAAAAAAAAAAAAAAAAMghAAAAAAAAAAAAAAAAAAAAAAAAAQAAANghAAAAAAAAAAAAAAEAAAAAMAAAAAAAAP////8AAAAABAAAAAAAAAAAAAAAAAAAAFgiAAAAAAAAAAAAALwiAAAgIAAAOCIAAAAAAAAAAAAAGCMAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP4iAAAAAAAA8CIAAAAAAAAQIwAAAAAAAAAAAAAAAAAAqCIAAAAAAACSIgAAAAAAANgiAAAAAAAAyCIAAAAAAACIIgAAAAAAAAAAAAAAAAAADgV3cHJpbnRmAEwAX0N4eFRocm93RXhjZXB0aW9uAABVAF9fQ3h4RnJhbWVIYW5kbGVyAG1zdmNydC5kbGwAABUAPz8zQFlBWFBFQVhAWgASAD8/MXR5cGVfaW5mb0BAVUVBQUBYWgDqAUdldFZlcnNpb24AAI0DVmlydHVhbFByb3RlY3QAAF0DU2xlZXAAS0VSTkVMMzIuZGxsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKggAEABAAAAAAAAAAAAAAAuSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAE8QAABcIQAAVBEAAIQRAACcIQAAkBEAAK0RAABsIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
微软的版本:
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACIW0OjzDot8Mw6LfDMOi3wuqdW8Mg6LfDFQrjwzTot8MVCrvD+Oi3wzDos8Ig6LfDFQr7wzzot8MVCqfDcOi3w6/xT8M06LfDFQrzwzTot8FJpY2jMOi3wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAGSGBACQTCtPAAAAAAAAAADwACMACwIJAAAEAAAAEgAAAAAAAAAQAAAAEAAAAAAAQAEAAAAAEAAAAAIAAAUAAgAAAAAABQACAAAAAAAAUAAAAAQAAAAAAAADAACAAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAzCIAAFAAAAAAAAAAAAAAAABAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAJAgAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAACQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAAdAwAAABAAAAAEAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAA/AQAAAAgAAAABgAAAAgAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAKAIAAAAMAAAAAQAAAAOAAAAAAAAAAAAAAAAAABAAADALnBkYXRhAAA8AAAAAEAAAAACAAAAEgAAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7DhIx0QkKP7/////FfUPAACFwHQax0QkIAEAAABIjRVSEgAASI1MJCDoHAEAAJD/FdEPAACFwHQNSI0NbhAAAP8VGBAAADPASIPEOMPMSIvESIlYCEiJaBBIiXAYV0FUQVVIg+wwx0AgQAAAAEmLQThJi/mLGEmL8EiL6kkDWQhMi+GLAyX///8fPSAFkxkPhIoAAABBvQEAAABBi8XwD8EFeCIAAEEDxUE7xXQn8IMFaCIAAP+5CgAAAP8VbQ8AAEWL3fBED8EdUSIAAEUD3UU73XXZRItEJGhBvQQAAABMjUwkIEmL1UiLy/8VDQ8AAIXAdCKBIyAFk/mBCyAFkxlEi0QkIEyNTCRoSYvVSIvL/xXnDgAA8IMF/yEAAP9Mi89Mi8ZIi9VJi8z/FR0PAABIi1wkUEiLbCRYSIt0JGBIg8QwQV1BXF/D/yUGDwAAzMxIiVwkCFdIg+wgi9pIi/n/Fd8OAAD2wwF0CEiLz+hKAAAASIvHSItcJDBIg8QgX8PMzMzMzMzMzMzMzMzMzMzMzMxmZg8fhAAAAAAASDsNcR4AAHUSSMHBEGb3wf//dQPCAABIwckQ6QgAAAD/JXoOAADMzEiJTCQISIHsiAAAAEiNDfUhAAD/FY8OAABMix3gIgAATIlcJFhFM8BIjVQkYEiLTCRY6PEAAABIiUQkUEiDfCRQAHRBSMdEJDgAAAAASI1EJEhIiUQkMEiNRCRASIlEJChIjQWgIQAASIlEJCBMi0wkUEyLRCRYSItUJGAzyeifAAAA6yJIi4QkiAAAAEiJBWwiAABIjYQkiAAAAEiDwAhIiQX5IQAASIsFUiIAAEiJBcMgAABIi4QkkAAAAEiJBcQhAADHBZogAAAJBADAxwWUIAAAAQAAAEiLBXEdAABIiUQkaEiLBW0dAABIiUQkcDPJ/xVoDQAASI0NKQ4AAP8VUw0AAP8VRQ0AALoJBADASIvI/xUvDQAASIHEiAAAAMPM/yWQDQAA/yWCDQAAzMzMzMzMzMzMzEiJVCQQVUiD7CBIi+pIjQUd/f//6wBIg8QgXcPMAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAByJAAAAAAAAGQkAAAAAAAAjCQAAAAAAACgJAAAAAAAALQkAAAAAAAA0CQAAAAAAACEJAAAAAAAAAAAAAAAAAAA8CMAAAAAAAAAJAAAAAAAANAjAAAAAAAAuiMAAAAAAACwIwAAAAAAAAAAAAAAAAAARiQAAAAAAAAsJAAAAAAAABgkAAAAAAAAAAAAAAAAAAAAAAAAkEwrTwAAAAACAAAAcQAAAFwhAABcCQAAAAAAAEgAaQAhAAoAAAAAAAAAAAAiBZMZAgAAANAhAAABAAAA9CEAAAQAAAAoIgAAKAAAAAAAAAABAAAAVBEAQAEAAAAwMwBAAQAAANAzAEABAAAABoCAhoCBgAAAEAOGgIaCgBQFBUVFRYWFhQUAADAwgFCAgAAIACgnOFBXgAAHADcwMFBQiAAAACAogIiAgAAAAGBgYGhoaAgIB3hwcHdwcAgIAAAIAAgABwgAAABSU0RTc7+xwtuLCUaAlir7sdahtBwAAABkOlxNZWhyZGFkXFZpc3VhbCBTdHVkaW8gUHJvamVjdHNcVmlzdWFsIEMrK1xUZXN0RXhjZXB0aW9uXHg2NFxSZWxlYXNlXFRlc3RFeGNlcHRpb24ucGRiAAAAAP////8AAAAA/////wAAAABAAAAAAAAAAAAAAAAAEwAAOAAAAAAAAAAAAAAAAQAAAAEAAADgIQAAGQ0BAARiAABQEAAAwCAAABkKAgAKMgZQUBAAAMAgAAAAEAAA/////w0QAAAAAAAAMRAAAP////8AEwAAAAAAAAEYCgAYZAwAGFQLABg0CgAYUhTQEsAQcAEKBAAKNAYACjIGcAEMAgAMAREAAAAAAAAAAAAAAAAAAAAAAJgiAAAAAAAAAAAAAAAAAAAAAAAAAQAAAKgiAAAAAAAAAAAAAAEAAAAAMAAA
AAAAAP////8AAAAABAAAAAAAAAAAAAAAAAAAAGAjAAAAAAAAAAAAAOQjAABAIAAAkCMAAAAAAAAAAAAAWiQAAHAgAAAgIwAAAAAAAAAAAADuJAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHIkAAAAAAAAZCQAAAAAAACMJAAAAAAAAKAkAAAAAAAAtCQAAAAAAADQJAAAAAAAAIQkAAAAAAAAAAAAAAAAAADwIwAAAAAAAAAkAAAAAAAA0CMAAAAAAAC6IwAAAAAAALAjAAAAAAAAAAAAAAAAAABGJAAAAAAAACwkAAAAAAAAGCQAAAAAAAAAAAAAAAAAAA4Fd3ByaW50ZgBMAF9DeHhUaHJvd0V4Y2VwdGlvbgAAVQBfX0N4eEZyYW1lSGFuZGxlcgBtc3ZjcnQuZGxsAAAVAD8/M0BZQVhQRUFYQFoAEgA/PzF0eXBlX2luZm9AQFVFQUFAWFoAnwNSdGxWaXJ0dWFsVW53aW5kAADtAlJ0bExvb2t1cEZ1bmN0aW9uRW50cnkAANUBUnRsQ2FwdHVyZUNvbnRleHQAbnRkbGwuZGxsAOoBR2V0VmVyc2lvbgAAjQNWaXJ0dWFsUHJvdGVjdAAAXQNTbGVlcABlA1Rlcm1pbmF0ZVByb2Nlc3MAAEUBR2V0Q3VycmVudFByb2Nlc3MAdQNVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAAFEDU2V0VW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAEtFUk5FTDMyLmRsbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADoIABAAQAAAAAAAAAAAAAALkgAAAAAAAAyot8tmSsAAM1dINJm1P//dZgAAAAAAAAABAAAAfz//zUAAAALAAAA
QAAAAP8DAACAAAAAgf///xgAAAAIAAAAIAAAAH8AAAAAAAAAAAAAAACgAkAAAAAAAAAAAADIBUAAAAAAAAAAAAD6CEAAAAAAAAAAAECcDEAAAAAAAAAAAFDDD0AAAAAAAAAAACT0EkAAAAAAAAAAgJaYFkAAAAAAAAAAILy+GUAAAAAAAAS/yRuONEAAAACh7czOG8LTTkAg8J61cCuorcWdaUDQXf0l5RqOTxnrg0BxlteVQw4FjSmvnkD5v6BE7YESj4GCuUC/PNWmz/9JH3jC00BvxuCM6YDJR7qTqEG8hWtVJzmN93DgfEK83Y7e+Z37636qUUOh5nbjzPIpL4SBJkQoEBeq+K4Q48XE+kTrp9Tz9+vhSnqVz0VlzMeRDqauoBnjo0YNZRcMdYGGdXbJSE1YQuSnkzk7Nbiy7VNNp+VdPcVdO4ueklr/XabwoSDAVKWMN2HR/Ytai9glXYn522eqlfjzJ7+iyF3dgG5MyZuXIIoCUmDEJXUAAAAAzczNzMzMzMzMzPs/cT0K16NwPQrXo/g/WmQ730+Nl24Sg/U/w9MsZRniWBe30fE/0A8jhEcbR6zFp+4/QKa2aWyvBb03hus/Mz28Qnrl1ZS/1uc/wv39zmGEEXfMq+Q/L0xb4U3EvpSV5sk/ksRTO3VEzRS+mq8/3me6lDlFrR6xz5Q/JCPG4ry6OzFhi3o/YVVZwX6xU3wSu18/1+4vjQa+koUV+0Q/JD+l6TmlJ+p/qCo/fayh5LxkfEbQ3VU+Y3sGzCNUd4P/kYE9kfo6GXpjJUMxwKw8IYnROIJHl7gA/dc73IhYCBux6OOGpgM7xoRFQge2mXU32y46M3Ec0iPbMu5JkFo5poe+wFfapYKmorUy4miyEadSn0RZtxAsJUnkLTY0T1Ouzmslj1kEpMDewn376MYenueIWleRPL9QgyIYTktlYv2Dj68GlH0R5C3en87SyATdptgKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAE8QAAAIIgAAUBAAAEwRAABIIgAAVBEAAIQRAABgIgAAyBEAAOkSAABsIgAAABMAAB0TAAAYIgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
对于那些好奇的人,我找到了解决方案,感谢Raymond的链接.
原来我需要更换
__CxxFrameHandler3:
mov rax,rsp
mov qword ptr [rax+8],rbx
mov qword ptr [rax+10h],rbp
mov qword ptr [rax+18h],rsi
push rdi
push r12
push r13
sub rsp,30h
mov dword ptr
; more code
同
__CxxFrameHandler3 proc frame
mov rax,rsp
mov qword ptr [rax+8],rbx
.savereg rbx, 50h
mov qword ptr [rax+10h],rbp
.savereg rbp, 58h
mov qword ptr [rax+18h],rsi
.savereg rsi, 60h
push rdi
.pushreg rdi
push r12
.pushreg r12
push r13
.pushreg r13
sub rsp,30h
.allocstack 30h
.endprolog
mov dword ptr
; more code
__CxxFrameHandler3 endp
| 归档时间: |
|
| 查看次数: |
1948 次 |
| 最近记录: |