Обратный инжиниринг SEH: почему мой код ассемблера IDENTICAL не работает так, как оригинал?

Я пытаюсь перепроектировать обработчик Visual C++ 2008 SEH с именем __CxxFrameHandler3 обеспечить реализацию, которая может делегировать результат (более старая версия) __CxxFrameHandler в msvcrt.dll,

( Эта страница и эта страница содержат подробные сведения о msvcrt.dll и SEH.)

Замечания: msvcrt_winxp.obj (32-разрядный) и msvcrt_win2003.obj (64-разрядные) уже делают то же самое - они являются частью Windows Driver Kit 7.1. Тем не менее, они также связаны с большим количеством другого кода, который портит мой компоновщик.

Я успешно разбирал 32-битную версию (msvcrt_winxp.obj), извлекающий __CxxFrameHandler3и создание альтернативы, обеспечивающей соответствующую реализацию.

Однако я столкнулся с проблемой с 64-битной версией (msvcrt_win2003.obj):

Несмотря на то, что моя 64-битная реализация выглядит точно так же, она не работает, но та, что предоставлена ​​Microsoft, действительно работает.

Это 32-битная версия (которая работает правильно):

.386
.model flat, c
option dotname
extern __CxxFrameHandler: PROC

.code
includelib msvcrt.lib
public __CxxFrameHandler3

__CxxFrameHandler3:
    push        ebp
    mov         ebp,esp
    sub         esp,28h
    push        ebx
    push        esi
    push        edi
    cld
    mov         dword ptr [ebp-4],eax
    mov         esi,dword ptr [ebp-4]
    push        9
    pop         ecx
    lea         edi,[ebp-28h]
    rep movs    dword ptr es:[edi],dword ptr [esi]
    mov         eax,dword ptr [ebp-28h]
    and         eax,0F9930520h
    or          eax,019930520h
    mov         dword ptr [ebp-28h],eax
    lea         eax,[ebp-28h]
    mov         dword ptr [ebp-4],eax
    push        dword ptr [ebp+14h]
    push        dword ptr [ebp+10h]
    push        dword ptr [ebp+0Ch]
    push        dword ptr [ebp+8]
    mov         eax,dword ptr [ebp-4]
    call        __CxxFrameHandler
    add         esp,10h
    pop         edi
    pop         esi
    pop         ebx
    mov         esp,ebp
    pop         ebp
    ret
end

Это (проблемная) 64-битная версия:

;; Compiled with:
;; ml64.exe /Fo"$(InputName).obj" /c /nologo /W3 /Zi /Ta "$(InputPath)"

option dotname

extern __CxxFrameHandler: PROC
extern __imp___CxxFrameHandler: PROC
extern __imp_VirtualProtect: PROC
extern __imp_Sleep: PROC
extern __imp_GetVersion: PROC

.data

ProtectFlag dd ?

.code

includelib kernel32.lib
includelib msvcrt.lib

public __CxxFrameHandler3

__CxxFrameHandler3:
    mov rax,rsp
    mov qword ptr [rax+8],rbx
    mov qword ptr [rax+10h],rbp
    mov qword ptr [rax+18h],rsi
    push    rdi
    push    r12
    push    r13
    sub rsp,30h
    mov dword ptr [rax+20h],40h
    mov rax,qword ptr [r9+38h]
    mov rdi,r9
    mov ebx,dword ptr [rax]
    mov rsi,r8
    mov rbp,rdx
    add rbx,qword ptr [r9+8]
    mov r12,rcx
    mov eax,dword ptr [rbx]
    and eax,1FFFFFFFh
    cmp eax,19930520h
    je  L140001261
    mov r13d,1
    mov eax,r13d
    lock    xadd dword ptr [ProtectFlag],eax
    add eax,r13d
    cmp eax,r13d
    je  L140001217
L1400011F0:
    lock    add dword ptr [ProtectFlag],0FFFFFFFFh
    mov ecx,0Ah
    call    qword ptr [__imp_Sleep]
    mov r11d,r13d
    lock    xadd dword ptr [ProtectFlag],r11d
    add r11d,r13d
    cmp r11d,r13d
    jne L1400011F0
L140001217:
    mov r8d,dword ptr [rsp+68h]
    mov r13d,4
    lea r9,[rsp+20h]
    mov rdx,r13
    mov rcx,rbx
    call    qword ptr [__imp_VirtualProtect]
    test    eax,eax
    je  L140001259
    and dword ptr [rbx],0F9930520h
    or  dword ptr [rbx],19930520h
    mov r8d,dword ptr [rsp+20h]
    lea r9,[rsp+68h]
    mov rdx,r13
    mov rcx,rbx
    call    qword ptr [__imp_VirtualProtect]
L140001259:
    lock    add dword ptr [ProtectFlag],0FFFFFFFFh
L140001261:
    mov r9,rdi
    mov r8,rsi
    mov rdx,rbp
    mov rcx,r12
    call    qword ptr [__imp___CxxFrameHandler]
    mov rbx,qword ptr [rsp+50h]
    mov rbp,qword ptr [rsp+58h]
    mov rsi,qword ptr [rsp+60h]
    add rsp,30h
    pop r13
    pop r12
    pop rdi
    ret
end

Реализация Microsoft (извлечено с DumpBin на lib\wnet\amd64\msvcrt_win2003.obj) является:

__CxxFrameHandler3:
  0x0000: 48 8B C4           mov         rax,rsp
  0x0003: 48 89 58 08        mov         qword ptr [rax+8],rbx
  0x0007: 48 89 68 10        mov         qword ptr [rax+10h],rbp
  0x000B: 48 89 70 18        mov         qword ptr [rax+18h],rsi
  0x000F: 57                 push        rdi
  0x0010: 41 54              push        r12
  0x0012: 41 55              push        r13
  0x0014: 48 83 EC 30        sub         rsp,30h
  0x0018: C7 40 20 40 00 00  mov         dword ptr [rax+20h],40h
            00
  0x001F: 49 8B 41 38        mov         rax,qword ptr [r9+38h]
  0x0023: 49 8B F9           mov         rdi,r9
  0x0026: 8B 18              mov         ebx,dword ptr [rax]
  0x0028: 49 8B F0           mov         rsi,r8
  0x002B: 48 8B EA           mov         rbp,rdx
  0x002E: 49 03 59 08        add         rbx,qword ptr [r9+8]
  0x0032: 4C 8B E1           mov         r12,rcx
  0x0035: 8B 03              mov         eax,dword ptr [rbx]
  0x0037: 25 FF FF FF 1F     and         eax,1FFFFFFFh
  0x003C: 3D 20 05 93 19     cmp         eax,19930520h
  0x0041: 0F 84 8A 00 00 00  je          0x00D1
  0x0047: 41 BD 01 00 00 00  mov         r13d,1
  0x004D: 41 8B C5           mov         eax,r13d
  0x0050: F0 0F C1 05 00 00  lock xadd   dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],eax
            00 00
  0x0058: 41 03 C5           add         eax,r13d
  0x005B: 41 3B C5           cmp         eax,r13d
  0x005E: 74 27              je          0x0087
  0x0060: F0 83 05 00 00 00  lock add    dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],0FFFFFFFFh
            00 FF
  0x0068: B9 0A 00 00 00     mov         ecx,0Ah
  0x006D: FF 15 00 00 00 00  call        qword ptr [__imp_Sleep]
  0x0073: 45 8B DD           mov         r11d,r13d
  0x0076: F0 44 0F C1 1D 00  lock xadd   dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],r11d
            00 00 00
  0x007F: 45 03 DD           add         r11d,r13d
  0x0082: 45 3B DD           cmp         r11d,r13d
  0x0085: 75 D9              jne         0x0060
  0x0087: 44 8B 44 24 68     mov         r8d,dword ptr [rsp+68h]
  0x008C: 41 BD 04 00 00 00  mov         r13d,4
  0x0092: 4C 8D 4C 24 20     lea         r9,[rsp+20h]
  0x0097: 49 8B D5           mov         rdx,r13
  0x009A: 48 8B CB           mov         rcx,rbx
  0x009D: FF 15 00 00 00 00  call        qword ptr [__imp_VirtualProtect]
  0x00A3: 85 C0              test        eax,eax
  0x00A5: 74 22              je          0x00C9
  0x00A7: 81 23 20 05 93 F9  and         dword ptr [rbx],0F9930520h
  0x00AD: 81 0B 20 05 93 19  or          dword ptr [rbx],19930520h
  0x00B3: 44 8B 44 24 20     mov         r8d,dword ptr [rsp+20h]
  0x00B8: 4C 8D 4C 24 68     lea         r9,[rsp+68h]
  0x00BD: 49 8B D5           mov         rdx,r13
  0x00C0: 48 8B CB           mov         rcx,rbx
  0x00C3: FF 15 00 00 00 00  call        qword ptr [__imp_VirtualProtect]
  0x00C9: F0 83 05 00 00 00  lock add    dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],0FFFFFFFFh
            00 FF
  0x00D1: 4C 8B CF           mov         r9,rdi
  0x00D4: 4C 8B C6           mov         r8,rsi
  0x00D7: 48 8B D5           mov         rdx,rbp
  0x00DA: 49 8B CC           mov         rcx,r12
  0x00DD: FF 15 00 00 00 00  call        qword ptr [__imp___CxxFrameHandler]
  0x00E3: 48 8B 5C 24 50     mov         rbx,qword ptr [rsp+50h]
  0x00E8: 48 8B 6C 24 58     mov         rbp,qword ptr [rsp+58h]
  0x00ED: 48 8B 74 24 60     mov         rsi,qword ptr [rsp+60h]
  0x00F2: 48 83 C4 30        add         rsp,30h
  0x00F6: 41 5D              pop         r13
  0x00F8: 41 5C              pop         r12
  0x00FA: 5F                 pop         rdi
  0x00FB: C3                 ret

Когда я пытаюсь отладить оба формата, как только я достигаю строки, которая говорит push r12в моей версии стек вызовов в Visual Studio портится (между кадрами стека всплывают поверхностные записи, указывающие на недопустимые адреса), но в тот же момент в версии Microsoft это совершенно нормально.

И действительно, когда я разрешаю выполнение продолжить, моя программа падает внутри __CxxFrameHandler с моей версией, но прекрасно работает с версией Microsoft.

Программа, с которой я тестирую оба источника:

int main()
{
    try
    {
        // Dummy condition to prevent any optimizations.
        // Always throws.

        if (GetVersion() != 0)
        throw 1;
    }
    catch (...) { }
    if (GetVersion() != 0) { _tprintf(_T("Hi!\n")); }
    return 0;
}

с соответствующими флагами компилятора (/MD /GS- /Od).

Поэтому я не могу понять:

Почему мой код, который должен быть точно таким же, как предоставленная реализация, вызывает нарушение доступа внутри msvcrt"s __CxxFrameHandler?


Здесь есть кодировка base64 программ, так что вы можете увидеть реальные сгенерированные двоичные файлы.

Моя плохая версия:

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADNS1fHiSo5lIkqOZSJKjmU/7dClIsqOZSJKjiUgSo5lIBSqpSKKjmUgFK9lIsqOZSAUqyUiCo5lIBSqJSIKjmUUmljaIkqOZQAAAAAAAAAAFBFAABkhgQAtkwrTwAAAAAAAAAA8AAjAAsCCQAAAgAAAAgAAAAAAAAAEAAAABAAAAAAAEABAAAAABAAAAACAAAFAAIAAAAAAAUAAgAAAAAAAFAAAAAEAAAAAAAAAwAAgAAAEAAAAAAAABAAAAAAAAAAABAAAAAAAAAQAAAAAAAAAAAAABAAAAAAAAAAAAAAAPwhAAA8AAAAAAAAAAAAAAAAQAAAJAAAAAAAAAAAAAAAAAAAAAAAAABQIAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAArQEAAAAQAAAAAgAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAACYDAAAAIAAAAAQAAAAGAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAAAkAAAAADAAAAACAAAACgAAAAAAAAAAAAAAAAAAQAAAwC5wZGF0YQAAJAAAAABAAAAAAgAAAAwAAAAAAAAAAAAAAAAAAEAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7DhIx0QkKP7/////FfUPAACFwHQax0QkIAEAAABIjRWCEQAASI1MJCDoHAEAAJD/FdEPAACFwHQNSI0NLhAAAP8V+A8AADPASIPEOMPMSIvESIlYCEiJaBBIiXAYV0FUQVVIg+wwx0AgQAAAAEmLQThJi/mLGEmL8EiL6kkDWQhMi+GLAyX///8fPSAFkxkPhIoAAABBvQEAAABBi8XwD8EFeB8AAEEDxUE7xXQn8IMFaB8AAP+5CgAAAP8VTQ8AAEWL3fBED8EdUR8AAEUD3UU73XXZRItEJGhBvQQAAABMjUwkIEmL1UiLy/8VDQ8AAIXAdCKBIyAFk/mBCyAFkxlEi0QkIEyNTCRoSYvVSIvL/xXnDgAA8IMF/x4AAP9Mi89Mi8ZIi9VJi8z/Fe0OAABIi1wkUEiLbCRYSIt0JGBIg8QwQV1BXF/D/yXWDgAAzMxIiVwkCFdIg+wgi9pIi/n/FccOAAD2wwF0CEiLz+gOAAAASIvHSItcJDBIg8QgX8P/Ja4OAADMzMzMzMxIiVQkEFVIg+wgSIvqSI0Fjf7//+sASIPEIF3DzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/iIAAAAAAADwIgAAAAAAABAjAAAAAAAAAAAAAAAAAACoIgAAAAAAAJIiAAAAAAAA2CIAAAAAAADIIgAAAAAAAIgiAAAAAAAAAAAAAAAAAAAAAAAAtkwrTwAAAAACAAAAcQAAALAgAACwBgAAAAAAAEgAaQAhAAoAAAAAAAAAAAAiBZMZAgAAACQhAAABAAAASCEAAAQAAAB8IQAAKAAAAAAAAAABAAAAVBEAQAEAAABSU0RTc7+xwtuLCUaAlir7sdahtB4AAABkOlxNZWhyZGFkXFZpc3VhbCBTdHVkaW8gUHJvamVjdHNcVmlzdWFsIEMrK1xUZXN0RXhjZXB0aW9uXHg2NFxSZWxlYXNlXFRlc3RFeGNlcHRpb24ucGRi
AAAAAP////8AAAAA/////wAAAABAAAAAAAAAAAAAAACQEQAAOAAAAAAAAAAAAAAAAQAAAAEAAAA0IQAAGQ0BAARiAABQEAAAgCAAABkKAgAKMgZQUBAAAIAgAAAAEAAA/////w0QAAAAAAAAMRAAAP////+QEQAAAAAAAAEKBAAKNAYACjIGcAAAAAAAAAAAAAAAAMghAAAAAAAAAAAAAAAAAAAAAAAAAQAAANghAAAAAAAAAAAAAAEAAAAAMAAAAAAAAP////8AAAAABAAAAAAAAAAAAAAAAAAAAFgiAAAAAAAAAAAAALwiAAAgIAAAOCIAAAAAAAAAAAAAGCMAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP4iAAAAAAAA8CIAAAAAAAAQIwAAAAAAAAAAAAAAAAAAqCIAAAAAAACSIgAAAAAAANgiAAAAAAAAyCIAAAAAAACIIgAAAAAAAAAAAAAAAAAADgV3cHJpbnRmAEwAX0N4eFRocm93RXhjZXB0aW9uAABVAF9fQ3h4RnJhbWVIYW5kbGVyAG1zdmNydC5kbGwAABUAPz8zQFlBWFBFQVhAWgASAD8/MXR5cGVfaW5mb0BAVUVBQUBYWgDqAUdldFZlcnNpb24AAI0DVmlydHVhbFByb3RlY3QAAF0DU2xlZXAAS0VSTkVMMzIuZGxsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKggAEABAAAAAAAAAAAAAAAuSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAE8QAABcIQAAVBEAAIQRAACcIQAAkBEAAK0RAABs

Версия Microsoft:

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACIW0OjzDot8Mw6LfDMOi3wuqdW8Mg6LfDFQrjwzTot8MVCrvD+Oi3wzDos8Ig6LfDFQr7wzzot8MVCqfDcOi3w6/xT8M06LfDFQrzwzTot8FJpY2jMOi3wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAGSGBACQTCtPAAAAAAAAAADwACMACwIJAAAEAAAAEgAAAAAAAAAQAAAAEAAAAAAAQAEAAAAAEAAAAAIAAAUAAgAAAAAABQACAAAAAAAAUAAAAAQAAAAAAAADAACAAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAzCIAAFAAAAAAAAAAAAAAAABAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAJAgAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAACQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAAdAwAAABAAAAAEAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAA/AQAAAAgAAAABgAAAAgAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAKAIAAAAMAAAAAQAAAAOAAAAAAAAAAAAAAAAAABAAADALnBkYXRhAAA8AAAAAEAAAAACAAAAEgAAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7DhIx0QkKP7/////FfUPAACFwHQax0QkIAEAAABIjRVSEgAASI1MJCDoHAEAAJD/FdEPAACFwHQNSI0NbhAAAP8VGBAAADPASIPEOMPMSIvESIlYCEiJaBBIiXAYV0FUQVVIg+wwx0AgQAAAAEmLQThJi/mLGEmL8EiL6kkDWQhMi+GLAyX///8fPSAFkxkPhIoAAABBvQEAAABBi8XwD8EFeCIAAEEDxUE7xXQn8IMFaCIAAP+5CgAAAP8VbQ8AAEWL3fBED8EdUSIAAEUD3UU73XXZRItEJGhBvQQAAABMjUwkIEmL1UiLy/8VDQ8AAIXAdCKBIyAFk/mBCyAFkxlEi0QkIEyNTCRoSYvVSIvL/xXnDgAA8IMF/yEAAP9Mi89Mi8ZIi9VJi8z/FR0PAABIi1wkUEiLbCRYSIt0JGBIg8QwQV1BXF/D/yUGDwAAzMxIiVwkCFdIg+wgi9pIi/n/Fd8OAAD2wwF0CEiLz+hKAAAASIvHSItcJDBIg8QgX8PMzMzMzMzMzMzMzMzMzMzMzMxmZg8fhAAAAAAASDsNcR4AAHUSSMHBEGb3wf//dQPCAABIwckQ6QgAAAD/JXoOAADMzEiJTCQISIHsiAAAAEiNDfUhAAD/FY8OAABMix3gIgAATIlcJFhFM8BIjVQkYEiLTCRY6PEAAABIiUQkUEiDfCRQAHRBSMdEJDgAAAAASI1EJEhIiUQkMEiNRCRASIlEJChIjQWgIQAASIlEJCBMi0wkUEyLRCRYSItUJGAzyeifAAAA6yJIi4QkiAAAAEiJBWwiAABIjYQkiAAAAEiDwAhIiQX5IQAASIsFUiIAAEiJBcMgAABIi4QkkAAAAEiJBcQhAADHBZogAAAJBADAxwWUIAAAAQAAAEiLBXEdAABIiUQkaEiLBW0dAABIiUQkcDPJ/xVoDQAASI0NKQ4AAP8VUw0AAP8VRQ0AALoJBADASIvI/xUvDQAASIHEiAAAAMPM/yWQDQAA/yWCDQAAzMzMzMzMzMzMzEiJVCQQVUiD7CBIi+pIjQUd/f//6wBIg8QgXcPMAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAByJAAAAAAAAGQkAAAAAAAAjCQAAAAAAACgJAAAAAAAALQkAAAAAAAA0CQAAAAAAACEJAAAAAAAAAAAAAAAAAAA8CMAAAAAAAAAJAAAAAAAANAjAAAAAAAAuiMAAAAAAACwIwAAAAAAAAAAAAAAAAAARiQAAAAAAAAsJAAAAAAAABgkAAAAAAAAAAAAAAAAAAAAAAAAkEwrTwAAAAACAAAAcQAAAFwhAABcCQAAAAAAAEgAaQAhAAoAAAAAAAAAAAAiBZMZAgAAANAhAAABAAAA9CEAAAQAAAAoIgAAKAAAAAAAAAABAAAAVBEAQAEAAAAwMwBAAQAAANAzAEABAAAABoCAhoCBgAAAEAOGgIaCgBQFBUVFRYWFhQUAADAwgFCAgAAIACgnOFBXgAAHADcwMFBQiAAAACAogIiAgAAAAGBgYGhoaAgIB3hwcHdwcAgIAAAIAAgABwgAAABSU0RTc7+xwtuLCUaAlir7sdahtBwAAABkOlxNZWhyZGFkXFZpc3VhbCBTdHVkaW8gUHJvamVjdHNcVmlzdWFsIEMrK1xUZXN0RXhjZXB0aW9uXHg2NFxSZWxlYXNlXFRlc3RFeGNlcHRpb24ucGRiAAAAAP////8AAAAA/////wAAAABAAAAAAAAAAAAAAAAAEwAAOAAAAAAAAAAAAAAAAQAAAAEAAADgIQAAGQ0BAARiAABQEAAAwCAAABkKAgAKMgZQUBAAAMAgAAAAEAAA/////w0QAAAAAAAAMRAAAP////8AEwAAAAAAAAEYCgAYZAwAGFQLABg0CgAYUhTQEsAQcAEKBAAKNAYACjIGcAEMAgAMAREAAAAAAAAAAAAAAAAAAAAAAJgiAAAAAAAAAAAAAAAAAAAAAAAAAQAAAKgiAAAAAAAAAAAAAAEAAAAAMAAA
AAAAAP////8AAAAABAAAAAAAAAAAAAAAAAAAAGAjAAAAAAAAAAAAAOQjAABAIAAAkCMAAAAAAAAAAAAAWiQAAHAgAAAgIwAAAAAAAAAAAADuJAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHIkAAAAAAAAZCQAAAAAAACMJAAAAAAAAKAkAAAAAAAAtCQAAAAAAADQJAAAAAAAAIQkAAAAAAAAAAAAAAAAAADwIwAAAAAAAAAkAAAAAAAA0CMAAAAAAAC6IwAAAAAAALAjAAAAAAAAAAAAAAAAAABGJAAAAAAAACwkAAAAAAAAGCQAAAAAAAAAAAAAAAAAAA4Fd3ByaW50ZgBMAF9DeHhUaHJvd0V4Y2VwdGlvbgAAVQBfX0N4eEZyYW1lSGFuZGxlcgBtc3ZjcnQuZGxsAAAVAD8/M0BZQVhQRUFYQFoAEgA/PzF0eXBlX2luZm9AQFVFQUFAWFoAnwNSdGxWaXJ0dWFsVW53aW5kAADtAlJ0bExvb2t1cEZ1bmN0aW9uRW50cnkAANUBUnRsQ2FwdHVyZUNvbnRleHQAbnRkbGwuZGxsAOoBR2V0VmVyc2lvbgAAjQNWaXJ0dWFsUHJvdGVjdAAAXQNTbGVlcABlA1Rlcm1pbmF0ZVByb2Nlc3MAAEUBR2V0Q3VycmVudFByb2Nlc3MAdQNVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAAFEDU2V0VW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAEtFUk5FTDMyLmRsbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADoIABAAQAAAAAAAAAAAAAALkgAAAAAAAAyot8tmSsAAM1dINJm1P//dZgAAAAAAAAABAAAAfz//zUAAAALAAAA
QAAAAP8DAACAAAAAgf///xgAAAAIAAAAIAAAAH8AAAAAAAAAAAAAAACgAkAAAAAAAAAAAADIBUAAAAAAAAAAAAD6CEAAAAAAAAAAAECcDEAAAAAAAAAAAFDDD0AAAAAAAAAAACT0EkAAAAAAAAAAgJaYFkAAAAAAAAAAILy+GUAAAAAAAAS/yRuONEAAAACh7czOG8LTTkAg8J61cCuorcWdaUDQXf0l5RqOTxnrg0BxlteVQw4FjSmvnkD5v6BE7YESj4GCuUC/PNWmz/9JH3jC00BvxuCM6YDJR7qTqEG8hWtVJzmN93DgfEK83Y7e+Z37636qUUOh5nbjzPIpL4SBJkQoEBeq+K4Q48XE+kTrp9Tz9+vhSnqVz0VlzMeRDqauoBnjo0YNZRcMdYGGdXbJSE1YQuSnkzk7Nbiy7VNNp+VdPcVdO4ueklr/XabwoSDAVKWMN2HR/Ytai9glXYn522eqlfjzJ7+iyF3dgG5MyZuXIIoCUmDEJXUAAAAAzczNzMzMzMzMzPs/cT0K16NwPQrXo/g/WmQ730+Nl24Sg/U/w9MsZRniWBe30fE/0A8jhEcbR6zFp+4/QKa2aWyvBb03hus/Mz28Qnrl1ZS/1uc/wv39zmGEEXfMq+Q/L0xb4U3EvpSV5sk/ksRTO3VEzRS+mq8/3me6lDlFrR6xz5Q/JCPG4ry6OzFhi3o/YVVZwX6xU3wSu18/1+4vjQa+koUV+0Q/JD+l6TmlJ+p/qCo/fayh5LxkfEbQ3VU+Y3sGzCNUd4P/kYE9kfo6GXpjJUMxwKw8IYnROIJHl7gA/dc73IhYCBux6OOGpgM7xoRFQge2mXU32y46M3Ec0iPbMu5JkFo5poe+wFfapYKmorUy4miyEadSn0RZtxAsJUnkLTY0T1Ouzmslj1kEpMDewn376MYenueIWleRPL9QgyIYTktlYv2Dj68GlH0R5C3en87SyATdptgKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAE8QAAAIIgAAUBAAAEwRAABIIgAAVBEAAIQRAABgIgAAyBEAAOkSAABsIgAAABMAAB0TAAAYIg

Редактировать:

Для любопытных я нашел решение, благодаря ссылке Раймонда.

Оказалось, что мне нужно было заменить

__CxxFrameHandler3:
    mov rax,rsp
    mov qword ptr [rax+8],rbx
    mov qword ptr [rax+10h],rbp
    mov qword ptr [rax+18h],rsi
    push    rdi
    push    r12
    push    r13
    sub rsp,30h
    mov dword ptr
; more code

с

__CxxFrameHandler3 proc frame
    mov rax,rsp
    mov qword ptr [rax+8],rbx
    .savereg    rbx, 50h
    mov qword ptr [rax+10h],rbp
    .savereg    rbp, 58h
    mov qword ptr [rax+18h],rsi
    .savereg    rsi, 60h
    push    rdi
    .pushreg    rdi
    push    r12
    .pushreg    r12
    push    r13
    .pushreg    r13
    sub rsp,30h
    .allocstack 30h
    .endprolog
    mov dword ptr
; more code
__CxxFrameHandler3 endp

1 ответ

Решение

В обработчике исключений есть нечто большее, чем просто код. Там также данные.

Другие вопросы по тегам