我正在尝试对名为__CxxFrameHandler3的Visual C ++ 2008 SEH处理程序进行逆向工程,以提供一个可以将结果委托给__CxxFrameHandler msvcrt.dll中msvcrt.dll的旧版本的实现
(This page和this page详细了解msvcrt_winxp.obj和SEH。)
注意: msvcrt_win2003.obj(32位)和msvcrt_winxp.obj(64位)已经做同样的事情 - 它们是一部分的Windows Driver Kit 7.1。但是,它们还捆绑了许多其他代码,这会混淆我的链接器。
我成功地反汇编了32位版本(__CxxFrameHandler3),解压缩msvcrt_win2003.obj,并创建了提供相应实现的替代方案。
但是,我遇到了64位版本(.386
.model flat, c
option dotname
extern __CxxFrameHandler: PROC
.code
includelib msvcrt.lib
public __CxxFrameHandler3
__CxxFrameHandler3:
push ebp
mov ebp,esp
sub esp,28h
push ebx
push esi
push edi
cld
mov dword ptr [ebp-4],eax
mov esi,dword ptr [ebp-4]
push 9
pop ecx
lea edi,[ebp-28h]
rep movs dword ptr es:[edi],dword ptr [esi]
mov eax,dword ptr [ebp-28h]
and eax,0F9930520h
or eax,019930520h
mov dword ptr [ebp-28h],eax
lea eax,[ebp-28h]
mov dword ptr [ebp-4],eax
push dword ptr [ebp+14h]
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+8]
mov eax,dword ptr [ebp-4]
call __CxxFrameHandler
add esp,10h
pop edi
pop esi
pop ebx
mov esp,ebp
pop ebp
ret
end
)的问题:
尽管我的64位实现看起来完全一样,但它不起作用 - 但微软提供的实际工作确实有效。
这是32位版本(正常工作):
;; Compiled with:
;; ml64.exe /Fo"$(InputName).obj" /c /nologo /W3 /Zi /Ta "$(InputPath)"
option dotname
extern __CxxFrameHandler: PROC
extern __imp___CxxFrameHandler: PROC
extern __imp_VirtualProtect: PROC
extern __imp_Sleep: PROC
extern __imp_GetVersion: PROC
.data
ProtectFlag dd ?
.code
includelib kernel32.lib
includelib msvcrt.lib
public __CxxFrameHandler3
__CxxFrameHandler3:
mov rax,rsp
mov qword ptr [rax+8],rbx
mov qword ptr [rax+10h],rbp
mov qword ptr [rax+18h],rsi
push rdi
push r12
push r13
sub rsp,30h
mov dword ptr [rax+20h],40h
mov rax,qword ptr [r9+38h]
mov rdi,r9
mov ebx,dword ptr [rax]
mov rsi,r8
mov rbp,rdx
add rbx,qword ptr [r9+8]
mov r12,rcx
mov eax,dword ptr [rbx]
and eax,1FFFFFFFh
cmp eax,19930520h
je L140001261
mov r13d,1
mov eax,r13d
lock xadd dword ptr [ProtectFlag],eax
add eax,r13d
cmp eax,r13d
je L140001217
L1400011F0:
lock add dword ptr [ProtectFlag],0FFFFFFFFh
mov ecx,0Ah
call qword ptr [__imp_Sleep]
mov r11d,r13d
lock xadd dword ptr [ProtectFlag],r11d
add r11d,r13d
cmp r11d,r13d
jne L1400011F0
L140001217:
mov r8d,dword ptr [rsp+68h]
mov r13d,4
lea r9,[rsp+20h]
mov rdx,r13
mov rcx,rbx
call qword ptr [__imp_VirtualProtect]
test eax,eax
je L140001259
and dword ptr [rbx],0F9930520h
or dword ptr [rbx],19930520h
mov r8d,dword ptr [rsp+20h]
lea r9,[rsp+68h]
mov rdx,r13
mov rcx,rbx
call qword ptr [__imp_VirtualProtect]
L140001259:
lock add dword ptr [ProtectFlag],0FFFFFFFFh
L140001261:
mov r9,rdi
mov r8,rsi
mov rdx,rbp
mov rcx,r12
call qword ptr [__imp___CxxFrameHandler]
mov rbx,qword ptr [rsp+50h]
mov rbp,qword ptr [rsp+58h]
mov rsi,qword ptr [rsp+60h]
add rsp,30h
pop r13
pop r12
pop rdi
ret
end
这是(有问题的)64位版本:
DumpBin Microsoft的实现(在lib\wnet\amd64\msvcrt_win2003.obj上使用__CxxFrameHandler3:
0x0000: 48 8B C4 mov rax,rsp
0x0003: 48 89 58 08 mov qword ptr [rax+8],rbx
0x0007: 48 89 68 10 mov qword ptr [rax+10h],rbp
0x000B: 48 89 70 18 mov qword ptr [rax+18h],rsi
0x000F: 57 push rdi
0x0010: 41 54 push r12
0x0012: 41 55 push r13
0x0014: 48 83 EC 30 sub rsp,30h
0x0018: C7 40 20 40 00 00 mov dword ptr [rax+20h],40h
00
0x001F: 49 8B 41 38 mov rax,qword ptr [r9+38h]
0x0023: 49 8B F9 mov rdi,r9
0x0026: 8B 18 mov ebx,dword ptr [rax]
0x0028: 49 8B F0 mov rsi,r8
0x002B: 48 8B EA mov rbp,rdx
0x002E: 49 03 59 08 add rbx,qword ptr [r9+8]
0x0032: 4C 8B E1 mov r12,rcx
0x0035: 8B 03 mov eax,dword ptr [rbx]
0x0037: 25 FF FF FF 1F and eax,1FFFFFFFh
0x003C: 3D 20 05 93 19 cmp eax,19930520h
0x0041: 0F 84 8A 00 00 00 je 0x00D1
0x0047: 41 BD 01 00 00 00 mov r13d,1
0x004D: 41 8B C5 mov eax,r13d
0x0050: F0 0F C1 05 00 00 lock xadd dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],eax
00 00
0x0058: 41 03 C5 add eax,r13d
0x005B: 41 3B C5 cmp eax,r13d
0x005E: 74 27 je 0x0087
0x0060: F0 83 05 00 00 00 lock add dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],0FFFFFFFFh
00 FF
0x0068: B9 0A 00 00 00 mov ecx,0Ah
0x006D: FF 15 00 00 00 00 call qword ptr [__imp_Sleep]
0x0073: 45 8B DD mov r11d,r13d
0x0076: F0 44 0F C1 1D 00 lock xadd dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],r11d
00 00 00
0x007F: 45 03 DD add r11d,r13d
0x0082: 45 3B DD cmp r11d,r13d
0x0085: 75 D9 jne 0x0060
0x0087: 44 8B 44 24 68 mov r8d,dword ptr [rsp+68h]
0x008C: 41 BD 04 00 00 00 mov r13d,4
0x0092: 4C 8D 4C 24 20 lea r9,[rsp+20h]
0x0097: 49 8B D5 mov rdx,r13
0x009A: 48 8B CB mov rcx,rbx
0x009D: FF 15 00 00 00 00 call qword ptr [__imp_VirtualProtect]
0x00A3: 85 C0 test eax,eax
0x00A5: 74 22 je 0x00C9
0x00A7: 81 23 20 05 93 F9 and dword ptr [rbx],0F9930520h
0x00AD: 81 0B 20 05 93 19 or dword ptr [rbx],19930520h
0x00B3: 44 8B 44 24 20 mov r8d,dword ptr [rsp+20h]
0x00B8: 4C 8D 4C 24 68 lea r9,[rsp+68h]
0x00BD: 49 8B D5 mov rdx,r13
0x00C0: 48 8B CB mov rcx,rbx
0x00C3: FF 15 00 00 00 00 call qword ptr [__imp_VirtualProtect]
0x00C9: F0 83 05 00 00 00 lock add dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],0FFFFFFFFh
00 FF
0x00D1: 4C 8B CF mov r9,rdi
0x00D4: 4C 8B C6 mov r8,rsi
0x00D7: 48 8B D5 mov rdx,rbp
0x00DA: 49 8B CC mov rcx,r12
0x00DD: FF 15 00 00 00 00 call qword ptr [__imp___CxxFrameHandler]
0x00E3: 48 8B 5C 24 50 mov rbx,qword ptr [rsp+50h]
0x00E8: 48 8B 6C 24 58 mov rbp,qword ptr [rsp+58h]
0x00ED: 48 8B 74 24 60 mov rsi,qword ptr [rsp+60h]
0x00F2: 48 83 C4 30 add rsp,30h
0x00F6: 41 5D pop r13
0x00F8: 41 5C pop r12
0x00FA: 5F pop rdi
0x00FB: C3 ret
提取)是:
push r12当我尝试调试这两种格式时,当我到达的行__CxxFrameHandler时,Visual Studio中的调用堆栈在我的版本中变得混乱 (指向无效地址的表面条目在堆栈帧之间弹出),但它在Microsoft版本的同一点上完全正常。
事实上,当我允许执行继续时,我的程序在我的版本int main()
{
try
{
// Dummy condition to prevent any optimizations.
// Always throws.
if (GetVersion() != 0)
throw 1;
}
catch (...) { }
if (GetVersion() != 0) { _tprintf(_T("Hi!\n")); }
return 0;
}
内崩溃,但在微软的版本中完全正常。
我正在测试两个来源的程序是:
/MD /GS- /Od使用适当的编译器标志(msvcrt)。
因此我无法弄清楚:
为什么我的代码(完全>与提供的实现相同)导致__CxxFrameHandler TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADNS1fHiSo5lIkqOZSJKjmU/7dClIsqOZSJKjiUgSo5lIBSqpSKKjmUgFK9lIsqOZSAUqyUiCo5lIBSqJSIKjmUUmljaIkqOZQAAAAAAAAAAFBFAABkhgQAtkwrTwAAAAAAAAAA8AAjAAsCCQAAAgAAAAgAAAAAAAAAEAAAABAAAAAAAEABAAAAABAAAAACAAAFAAIAAAAAAAUAAgAAAAAAAFAAAAAEAAAAAAAAAwAAgAAAEAAAAAAAABAAAAAAAAAAABAAAAAAAAAQAAAAAAAAAAAAABAAAAAAAAAAAAAAAPwhAAA8AAAAAAAAAAAAAAAAQAAAJAAAAAAAAAAAAAAAAAAAAAAAAABQIAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAArQEAAAAQAAAAAgAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAACYDAAAAIAAAAAQAAAAGAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAAAkAAAAADAAAAACAAAACgAAAAAAAAAAAAAAAAAAQAAAwC5wZGF0YQAAJAAAAABAAAAAAgAAAAwAAAAAAAAAAAAAAAAAAEAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7DhIx0QkKP7/////FfUPAACFwHQax0QkIAEAAABIjRWCEQAASI1MJCDoHAEAAJD/FdEPAACFwHQNSI0NLhAAAP8V+A8AADPASIPEOMPMSIvESIlYCEiJaBBIiXAYV0FUQVVIg+wwx0AgQAAAAEmLQThJi/mLGEmL8EiL6kkDWQhMi+GLAyX///8fPSAFkxkPhIoAAABBvQEAAABBi8XwD8EFeB8AAEEDxUE7xXQn8IMFaB8AAP+5CgAAAP8VTQ8AAEWL3fBED8EdUR8AAEUD3UU73XXZRItEJGhBvQQAAABMjUwkIEmL1UiLy/8VDQ8AAIXAdCKBIyAFk/mBCyAFkxlEi0QkIEyNTCRoSYvVSIvL/xXnDgAA8IMF/x4AAP9Mi89Mi8ZIi9VJi8z/Fe0OAABIi1wkUEiLbCRYSIt0JGBIg8QwQV1BXF/D/yXWDgAAzMxIiVwkCFdIg+wgi9pIi/n/FccOAAD2wwF0CEiLz+gOAAAASIvHSItcJDBIg8QgX8P/Ja4OAADMzMzMzMxIiVQkEFVIg+wgSIvqSI0Fjf7//+sASIPEIF3DzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/iIAAAAAAADwIgAAAAAAABAjAAAAAAAAAAAAAAAAAACoIgAAAAAAAJIiAAAAAAAA2CIAAAAAAADIIgAAAAAAAIgiAAAAAAAAAAAAAAAAAAAAAAAAtkwrTwAAAAACAAAAcQAAALAgAACwBgAAAAAAAEgAaQAhAAoAAAAAAAAAAAAiBZMZAgAAACQhAAABAAAASCEAAAQAAAB8IQAAKAAAAAAAAAABAAAAVBEAQAEAAABSU0RTc7+xwtuLCUaAlir7sdahtB4AAABkOlxNZWhyZGFkXFZpc3VhbCBTdHVkaW8gUHJvamVjdHNcVmlzdWFsIEMrK1xUZXN0RXhjZXB0aW9uXHg2NFxSZWxlYXNlXFRlc3RFeGNlcHRpb24ucGRi
AAAAAP////8AAAAA/////wAAAABAAAAAAAAAAAAAAACQEQAAOAAAAAAAAAAAAAAAAQAAAAEAAAA0IQAAGQ0BAARiAABQEAAAgCAAABkKAgAKMgZQUBAAAIAgAAAAEAAA/////w0QAAAAAAAAMRAAAP////+QEQAAAAAAAAEKBAAKNAYACjIGcAAAAAAAAAAAAAAAAMghAAAAAAAAAAAAAAAAAAAAAAAAAQAAANghAAAAAAAAAAAAAAEAAAAAMAAAAAAAAP////8AAAAABAAAAAAAAAAAAAAAAAAAAFgiAAAAAAAAAAAAALwiAAAgIAAAOCIAAAAAAAAAAAAAGCMAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP4iAAAAAAAA8CIAAAAAAAAQIwAAAAAAAAAAAAAAAAAAqCIAAAAAAACSIgAAAAAAANgiAAAAAAAAyCIAAAAAAACIIgAAAAAAAAAAAAAAAAAADgV3cHJpbnRmAEwAX0N4eFRocm93RXhjZXB0aW9uAABVAF9fQ3h4RnJhbWVIYW5kbGVyAG1zdmNydC5kbGwAABUAPz8zQFlBWFBFQVhAWgASAD8/MXR5cGVfaW5mb0BAVUVBQUBYWgDqAUdldFZlcnNpb24AAI0DVmlydHVhbFByb3RlY3QAAF0DU2xlZXAAS0VSTkVMMzIuZGxsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKggAEABAAAAAAAAAAAAAAAuSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAE8QAABcIQAAVBEAAIQRAACcIQAAkBEAAK0RAABsIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
内的访问冲突?
这里有程序的base64编码,因此您可以看到生成的实际二进制文件。
我的糟糕版本:
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACIW0OjzDot8Mw6LfDMOi3wuqdW8Mg6LfDFQrjwzTot8MVCrvD+Oi3wzDos8Ig6LfDFQr7wzzot8MVCqfDcOi3w6/xT8M06LfDFQrzwzTot8FJpY2jMOi3wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAGSGBACQTCtPAAAAAAAAAADwACMACwIJAAAEAAAAEgAAAAAAAAAQAAAAEAAAAAAAQAEAAAAAEAAAAAIAAAUAAgAAAAAABQACAAAAAAAAUAAAAAQAAAAAAAADAACAAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAzCIAAFAAAAAAAAAAAAAAAABAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAJAgAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAACQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAAdAwAAABAAAAAEAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAA/AQAAAAgAAAABgAAAAgAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAKAIAAAAMAAAAAQAAAAOAAAAAAAAAAAAAAAAAABAAADALnBkYXRhAAA8AAAAAEAAAAACAAAAEgAAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7DhIx0QkKP7/////FfUPAACFwHQax0QkIAEAAABIjRVSEgAASI1MJCDoHAEAAJD/FdEPAACFwHQNSI0NbhAAAP8VGBAAADPASIPEOMPMSIvESIlYCEiJaBBIiXAYV0FUQVVIg+wwx0AgQAAAAEmLQThJi/mLGEmL8EiL6kkDWQhMi+GLAyX///8fPSAFkxkPhIoAAABBvQEAAABBi8XwD8EFeCIAAEEDxUE7xXQn8IMFaCIAAP+5CgAAAP8VbQ8AAEWL3fBED8EdUSIAAEUD3UU73XXZRItEJGhBvQQAAABMjUwkIEmL1UiLy/8VDQ8AAIXAdCKBIyAFk/mBCyAFkxlEi0QkIEyNTCRoSYvVSIvL/xXnDgAA8IMF/yEAAP9Mi89Mi8ZIi9VJi8z/FR0PAABIi1wkUEiLbCRYSIt0JGBIg8QwQV1BXF/D/yUGDwAAzMxIiVwkCFdIg+wgi9pIi/n/Fd8OAAD2wwF0CEiLz+hKAAAASIvHSItcJDBIg8QgX8PMzMzMzMzMzMzMzMzMzMzMzMxmZg8fhAAAAAAASDsNcR4AAHUSSMHBEGb3wf//dQPCAABIwckQ6QgAAAD/JXoOAADMzEiJTCQISIHsiAAAAEiNDfUhAAD/FY8OAABMix3gIgAATIlcJFhFM8BIjVQkYEiLTCRY6PEAAABIiUQkUEiDfCRQAHRBSMdEJDgAAAAASI1EJEhIiUQkMEiNRCRASIlEJChIjQWgIQAASIlEJCBMi0wkUEyLRCRYSItUJGAzyeifAAAA6yJIi4QkiAAAAEiJBWwiAABIjYQkiAAAAEiDwAhIiQX5IQAASIsFUiIAAEiJBcMgAABIi4QkkAAAAEiJBcQhAADHBZogAAAJBADAxwWUIAAAAQAAAEiLBXEdAABIiUQkaEiLBW0dAABIiUQkcDPJ/xVoDQAASI0NKQ4AAP8VUw0AAP8VRQ0AALoJBADASIvI/xUvDQAASIHEiAAAAMPM/yWQDQAA/yWCDQAAzMzMzMzMzMzMzEiJVCQQVUiD7CBIi+pIjQUd/f//6wBIg8QgXcPMAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAByJAAAAAAAAGQkAAAAAAAAjCQAAAAAAACgJAAAAAAAALQkAAAAAAAA0CQAAAAAAACEJAAAAAAAAAAAAAAAAAAA8CMAAAAAAAAAJAAAAAAAANAjAAAAAAAAuiMAAAAAAACwIwAAAAAAAAAAAAAAAAAARiQAAAAAAAAsJAAAAAAAABgkAAAAAAAAAAAAAAAAAAAAAAAAkEwrTwAAAAACAAAAcQAAAFwhAABcCQAAAAAAAEgAaQAhAAoAAAAAAAAAAAAiBZMZAgAAANAhAAABAAAA9CEAAAQAAAAoIgAAKAAAAAAAAAABAAAAVBEAQAEAAAAwMwBAAQAAANAzAEABAAAABoCAhoCBgAAAEAOGgIaCgBQFBUVFRYWFhQUAADAwgFCAgAAIACgnOFBXgAAHADcwMFBQiAAAACAogIiAgAAAAGBgYGhoaAgIB3hwcHdwcAgIAAAIAAgABwgAAABSU0RTc7+xwtuLCUaAlir7sdahtBwAAABkOlxNZWhyZGFkXFZpc3VhbCBTdHVkaW8gUHJvamVjdHNcVmlzdWFsIEMrK1xUZXN0RXhjZXB0aW9uXHg2NFxSZWxlYXNlXFRlc3RFeGNlcHRpb24ucGRiAAAAAP////8AAAAA/////wAAAABAAAAAAAAAAAAAAAAAEwAAOAAAAAAAAAAAAAAAAQAAAAEAAADgIQAAGQ0BAARiAABQEAAAwCAAABkKAgAKMgZQUBAAAMAgAAAAEAAA/////w0QAAAAAAAAMRAAAP////8AEwAAAAAAAAEYCgAYZAwAGFQLABg0CgAYUhTQEsAQcAEKBAAKNAYACjIGcAEMAgAMAREAAAAAAAAAAAAAAAAAAAAAAJgiAAAAAAAAAAAAAAAAAAAAAAAAAQAAAKgiAAAAAAAAAAAAAAEAAAAAMAAA
AAAAAP////8AAAAABAAAAAAAAAAAAAAAAAAAAGAjAAAAAAAAAAAAAOQjAABAIAAAkCMAAAAAAAAAAAAAWiQAAHAgAAAgIwAAAAAAAAAAAADuJAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHIkAAAAAAAAZCQAAAAAAACMJAAAAAAAAKAkAAAAAAAAtCQAAAAAAADQJAAAAAAAAIQkAAAAAAAAAAAAAAAAAADwIwAAAAAAAAAkAAAAAAAA0CMAAAAAAAC6IwAAAAAAALAjAAAAAAAAAAAAAAAAAABGJAAAAAAAACwkAAAAAAAAGCQAAAAAAAAAAAAAAAAAAA4Fd3ByaW50ZgBMAF9DeHhUaHJvd0V4Y2VwdGlvbgAAVQBfX0N4eEZyYW1lSGFuZGxlcgBtc3ZjcnQuZGxsAAAVAD8/M0BZQVhQRUFYQFoAEgA/PzF0eXBlX2luZm9AQFVFQUFAWFoAnwNSdGxWaXJ0dWFsVW53aW5kAADtAlJ0bExvb2t1cEZ1bmN0aW9uRW50cnkAANUBUnRsQ2FwdHVyZUNvbnRleHQAbnRkbGwuZGxsAOoBR2V0VmVyc2lvbgAAjQNWaXJ0dWFsUHJvdGVjdAAAXQNTbGVlcABlA1Rlcm1pbmF0ZVByb2Nlc3MAAEUBR2V0Q3VycmVudFByb2Nlc3MAdQNVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAAFEDU2V0VW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAEtFUk5FTDMyLmRsbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADoIABAAQAAAAAAAAAAAAAALkgAAAAAAAAyot8tmSsAAM1dINJm1P//dZgAAAAAAAAABAAAAfz//zUAAAALAAAA
QAAAAP8DAACAAAAAgf///xgAAAAIAAAAIAAAAH8AAAAAAAAAAAAAAACgAkAAAAAAAAAAAADIBUAAAAAAAAAAAAD6CEAAAAAAAAAAAECcDEAAAAAAAAAAAFDDD0AAAAAAAAAAACT0EkAAAAAAAAAAgJaYFkAAAAAAAAAAILy+GUAAAAAAAAS/yRuONEAAAACh7czOG8LTTkAg8J61cCuorcWdaUDQXf0l5RqOTxnrg0BxlteVQw4FjSmvnkD5v6BE7YESj4GCuUC/PNWmz/9JH3jC00BvxuCM6YDJR7qTqEG8hWtVJzmN93DgfEK83Y7e+Z37636qUUOh5nbjzPIpL4SBJkQoEBeq+K4Q48XE+kTrp9Tz9+vhSnqVz0VlzMeRDqauoBnjo0YNZRcMdYGGdXbJSE1YQuSnkzk7Nbiy7VNNp+VdPcVdO4ueklr/XabwoSDAVKWMN2HR/Ytai9glXYn522eqlfjzJ7+iyF3dgG5MyZuXIIoCUmDEJXUAAAAAzczNzMzMzMzMzPs/cT0K16NwPQrXo/g/WmQ730+Nl24Sg/U/w9MsZRniWBe30fE/0A8jhEcbR6zFp+4/QKa2aWyvBb03hus/Mz28Qnrl1ZS/1uc/wv39zmGEEXfMq+Q/L0xb4U3EvpSV5sk/ksRTO3VEzRS+mq8/3me6lDlFrR6xz5Q/JCPG4ry6OzFhi3o/YVVZwX6xU3wSu18/1+4vjQa+koUV+0Q/JD+l6TmlJ+p/qCo/fayh5LxkfEbQ3VU+Y3sGzCNUd4P/kYE9kfo6GXpjJUMxwKw8IYnROIJHl7gA/dc73IhYCBux6OOGpgM7xoRFQge2mXU32y46M3Ec0iPbMu5JkFo5poe+wFfapYKmorUy4miyEadSn0RZtxAsJUnkLTY0T1Ouzmslj1kEpMDewn376MYenueIWleRPL9QgyIYTktlYv2Dj68GlH0R5C3en87SyATdptgKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAE8QAAAIIgAAUBAAAEwRAABIIgAAVBEAAIQRAABgIgAAyBEAAOkSAABsIgAAABMAAB0TAAAYIgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
微软的版本:
__CxxFrameHandler3:
mov rax,rsp
mov qword ptr [rax+8],rbx
mov qword ptr [rax+10h],rbp
mov qword ptr [rax+18h],rsi
push rdi
push r12
push r13
sub rsp,30h
mov dword ptr
; more code
对于那些好奇的人,我找到了解决方案,感谢Raymond的链接。
原来我需要更换
__CxxFrameHandler3 proc frame
mov rax,rsp
mov qword ptr [rax+8],rbx
.savereg rbx, 50h
mov qword ptr [rax+10h],rbp
.savereg rbp, 58h
mov qword ptr [rax+18h],rsi
.savereg rsi, 60h
push rdi
.pushreg rdi
push r12
.pushreg r12
push r13
.pushreg r13
sub rsp,30h
.allocstack 30h
.endprolog
mov dword ptr
; more code
__CxxFrameHandler3 endp
与
{{1}}