Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Reverse-engineering SEH: Why doesn't my IDENTICAL assembler code work like the original?

I'm trying to reverse-engineer the Visual C++ 2008 SEH handler named __CxxFrameHandler3 to provide an implementation which can delegate the result to (the older version of) __CxxFrameHandler in msvcrt.dll.

(This page and this page have great details about msvcrt.dll and SEH.)

Note: msvcrt_winxp.obj (32-bit) and msvcrt_win2003.obj (64-bit) already do the same thing -- they are part of the Windows Driver Kit 7.1. However, they are also bundled with a lot of other code, which messes up my linker.

I have been successful with disassembling the 32-bit version (msvcrt_winxp.obj), extracting __CxxFrameHandler3, and creating an alternative that provides the appropriate implementation.

However, I have run into a problem with the 64-bit version (msvcrt_win2003.obj):

Even though my 64-bit implementation looks exactly the same, it doesn't work -- but the one provided by Microsoft indeed works.

This is the 32-bit version (which works correctly):

.386
.model flat, c
option dotname
extern __CxxFrameHandler: PROC

.code
includelib msvcrt.lib
public __CxxFrameHandler3

__CxxFrameHandler3:
    push        ebp
    mov         ebp,esp
    sub         esp,28h
    push        ebx
    push        esi
    push        edi
    cld
    mov         dword ptr [ebp-4],eax
    mov         esi,dword ptr [ebp-4]
    push        9
    pop         ecx
    lea         edi,[ebp-28h]
    rep movs    dword ptr es:[edi],dword ptr [esi]
    mov         eax,dword ptr [ebp-28h]
    and         eax,0F9930520h
    or          eax,019930520h
    mov         dword ptr [ebp-28h],eax
    lea         eax,[ebp-28h]
    mov         dword ptr [ebp-4],eax
    push        dword ptr [ebp+14h]
    push        dword ptr [ebp+10h]
    push        dword ptr [ebp+0Ch]
    push        dword ptr [ebp+8]
    mov         eax,dword ptr [ebp-4]
    call        __CxxFrameHandler
    add         esp,10h
    pop         edi
    pop         esi
    pop         ebx
    mov         esp,ebp
    pop         ebp
    ret
end

This is the (problematic) 64-bit version:

;; Compiled with:
;; ml64.exe /Fo"$(InputName).obj" /c /nologo /W3 /Zi /Ta "$(InputPath)"

option dotname

extern __CxxFrameHandler: PROC
extern __imp___CxxFrameHandler: PROC
extern __imp_VirtualProtect: PROC
extern __imp_Sleep: PROC
extern __imp_GetVersion: PROC

.data

ProtectFlag dd ?

.code

includelib kernel32.lib
includelib msvcrt.lib

public __CxxFrameHandler3

__CxxFrameHandler3:
    mov rax,rsp
    mov qword ptr [rax+8],rbx
    mov qword ptr [rax+10h],rbp
    mov qword ptr [rax+18h],rsi
    push    rdi
    push    r12
    push    r13
    sub rsp,30h
    mov dword ptr [rax+20h],40h
    mov rax,qword ptr [r9+38h]
    mov rdi,r9
    mov ebx,dword ptr [rax]
    mov rsi,r8
    mov rbp,rdx
    add rbx,qword ptr [r9+8]
    mov r12,rcx
    mov eax,dword ptr [rbx]
    and eax,1FFFFFFFh
    cmp eax,19930520h
    je  L140001261
    mov r13d,1
    mov eax,r13d
    lock    xadd dword ptr [ProtectFlag],eax
    add eax,r13d
    cmp eax,r13d
    je  L140001217
L1400011F0:
    lock    add dword ptr [ProtectFlag],0FFFFFFFFh
    mov ecx,0Ah
    call    qword ptr [__imp_Sleep]
    mov r11d,r13d
    lock    xadd dword ptr [ProtectFlag],r11d
    add r11d,r13d
    cmp r11d,r13d
    jne L1400011F0
L140001217:
    mov r8d,dword ptr [rsp+68h]
    mov r13d,4
    lea r9,[rsp+20h]
    mov rdx,r13
    mov rcx,rbx
    call    qword ptr [__imp_VirtualProtect]
    test    eax,eax
    je  L140001259
    and dword ptr [rbx],0F9930520h
    or  dword ptr [rbx],19930520h
    mov r8d,dword ptr [rsp+20h]
    lea r9,[rsp+68h]
    mov rdx,r13
    mov rcx,rbx
    call    qword ptr [__imp_VirtualProtect]
L140001259:
    lock    add dword ptr [ProtectFlag],0FFFFFFFFh
L140001261:
    mov r9,rdi
    mov r8,rsi
    mov rdx,rbp
    mov rcx,r12
    call    qword ptr [__imp___CxxFrameHandler]
    mov rbx,qword ptr [rsp+50h]
    mov rbp,qword ptr [rsp+58h]
    mov rsi,qword ptr [rsp+60h]
    add rsp,30h
    pop r13
    pop r12
    pop rdi
    ret
end

Microsoft's implementation (extracted with DumpBin on lib\wnet\amd64\msvcrt_win2003.obj) is:

__CxxFrameHandler3:
  0x0000: 48 8B C4           mov         rax,rsp
  0x0003: 48 89 58 08        mov         qword ptr [rax+8],rbx
  0x0007: 48 89 68 10        mov         qword ptr [rax+10h],rbp
  0x000B: 48 89 70 18        mov         qword ptr [rax+18h],rsi
  0x000F: 57                 push        rdi
  0x0010: 41 54              push        r12
  0x0012: 41 55              push        r13
  0x0014: 48 83 EC 30        sub         rsp,30h
  0x0018: C7 40 20 40 00 00  mov         dword ptr [rax+20h],40h
            00
  0x001F: 49 8B 41 38        mov         rax,qword ptr [r9+38h]
  0x0023: 49 8B F9           mov         rdi,r9
  0x0026: 8B 18              mov         ebx,dword ptr [rax]
  0x0028: 49 8B F0           mov         rsi,r8
  0x002B: 48 8B EA           mov         rbp,rdx
  0x002E: 49 03 59 08        add         rbx,qword ptr [r9+8]
  0x0032: 4C 8B E1           mov         r12,rcx
  0x0035: 8B 03              mov         eax,dword ptr [rbx]
  0x0037: 25 FF FF FF 1F     and         eax,1FFFFFFFh
  0x003C: 3D 20 05 93 19     cmp         eax,19930520h
  0x0041: 0F 84 8A 00 00 00  je          0x00D1
  0x0047: 41 BD 01 00 00 00  mov         r13d,1
  0x004D: 41 8B C5           mov         eax,r13d
  0x0050: F0 0F C1 05 00 00  lock xadd   dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],eax
            00 00
  0x0058: 41 03 C5           add         eax,r13d
  0x005B: 41 3B C5           cmp         eax,r13d
  0x005E: 74 27              je          0x0087
  0x0060: F0 83 05 00 00 00  lock add    dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],0FFFFFFFFh
            00 FF
  0x0068: B9 0A 00 00 00     mov         ecx,0Ah
  0x006D: FF 15 00 00 00 00  call        qword ptr [__imp_Sleep]
  0x0073: 45 8B DD           mov         r11d,r13d
  0x0076: F0 44 0F C1 1D 00  lock xadd   dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],r11d
            00 00 00
  0x007F: 45 03 DD           add         r11d,r13d
  0x0082: 45 3B DD           cmp         r11d,r13d
  0x0085: 75 D9              jne         0x0060
  0x0087: 44 8B 44 24 68     mov         r8d,dword ptr [rsp+68h]
  0x008C: 41 BD 04 00 00 00  mov         r13d,4
  0x0092: 4C 8D 4C 24 20     lea         r9,[rsp+20h]
  0x0097: 49 8B D5           mov         rdx,r13
  0x009A: 48 8B CB           mov         rcx,rbx
  0x009D: FF 15 00 00 00 00  call        qword ptr [__imp_VirtualProtect]
  0x00A3: 85 C0              test        eax,eax
  0x00A5: 74 22              je          0x00C9
  0x00A7: 81 23 20 05 93 F9  and         dword ptr [rbx],0F9930520h
  0x00AD: 81 0B 20 05 93 19  or          dword ptr [rbx],19930520h
  0x00B3: 44 8B 44 24 20     mov         r8d,dword ptr [rsp+20h]
  0x00B8: 4C 8D 4C 24 68     lea         r9,[rsp+68h]
  0x00BD: 49 8B D5           mov         rdx,r13
  0x00C0: 48 8B CB           mov         rcx,rbx
  0x00C3: FF 15 00 00 00 00  call        qword ptr [__imp_VirtualProtect]
  0x00C9: F0 83 05 00 00 00  lock add    dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],0FFFFFFFFh
            00 FF
  0x00D1: 4C 8B CF           mov         r9,rdi
  0x00D4: 4C 8B C6           mov         r8,rsi
  0x00D7: 48 8B D5           mov         rdx,rbp
  0x00DA: 49 8B CC           mov         rcx,r12
  0x00DD: FF 15 00 00 00 00  call        qword ptr [__imp___CxxFrameHandler]
  0x00E3: 48 8B 5C 24 50     mov         rbx,qword ptr [rsp+50h]
  0x00E8: 48 8B 6C 24 58     mov         rbp,qword ptr [rsp+58h]
  0x00ED: 48 8B 74 24 60     mov         rsi,qword ptr [rsp+60h]
  0x00F2: 48 83 C4 30        add         rsp,30h
  0x00F6: 41 5D              pop         r13
  0x00F8: 41 5C              pop         r12
  0x00FA: 5F                 pop         rdi
  0x00FB: C3                 ret

When I try debugging both formats, as soon as I reach the line that says push r12, the call stack in Visual Studio becomes messed up in my version (superficial entries pointing to invalid addresses pop up in between stack frames), but it's completely fine at the same point in Microsoft's version.

And indeed, when I allow execution to continue, my program crashes inside __CxxFrameHandler with my version, but works completely fine with Microsoft's version.

The program I'm testing both sources with is:

int main()
{
    try
    {
        // Dummy condition to prevent any optimizations.
        // Always throws.

        if (GetVersion() != 0)
        throw 1;
    }
    catch (...) { }
    if (GetVersion() != 0) { _tprintf(_T("Hi!\n")); }
    return 0;
}

with the appropriate compiler flags (/MD /GS- /Od).

Therefore I can't figure out:

Why would my code, which is supposed to be exactly the same as the provided implementation, cause an access violation inside msvcrt's __CxxFrameHandler?


A base64 encoding of the programs is here, so that you can see the actual binaries generated.

My bad version:

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADNS1fHiSo5lIkqOZSJKjmU/7dClIsqOZSJKjiUgSo5lIBSqpSKKjmUgFK9lIsqOZSAUqyUiCo5lIBSqJSIKjmUUmljaIkqOZQAAAAAAAAAAFBFAABkhgQAtkwrTwAAAAAAAAAA8AAjAAsCCQAAAgAAAAgAAAAAAAAAEAAAABAAAAAAAEABAAAAABAAAAACAAAFAAIAAAAAAAUAAgAAAAAAAFAAAAAEAAAAAAAAAwAAgAAAEAAAAAAAABAAAAAAAAAAABAAAAAAAAAQAAAAAAAAAAAAABAAAAAAAAAAAAAAAPwhAAA8AAAAAAAAAAAAAAAAQAAAJAAAAAAAAAAAAAAAAAAAAAAAAABQIAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAArQEAAAAQAAAAAgAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAACYDAAAAIAAAAAQAAAAGAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAAAkAAAAADAAAAACAAAACgAAAAAAAAAAAAAAAAAAQAAAwC5wZGF0YQAAJAAAAABAAAAAAgAAAAwAAAAAAAAAAAAAAAAAAEAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7DhIx0QkKP7/////FfUPAACFwHQax0QkIAEAAABIjRWCEQAASI1MJCDoHAEAAJD/FdEPAACFwHQNSI0NLhAAAP8V+A8AADPASIPEOMPMSIvESIlYCEiJaBBIiXAYV0FUQVVIg+wwx0AgQAAAAEmLQThJi/mLGEmL8EiL6kkDWQhMi+GLAyX///8fPSAFkxkPhIoAAABBvQEAAABBi8XwD8EFeB8AAEEDxUE7xXQn8IMFaB8AAP+5CgAAAP8VTQ8AAEWL3fBED8EdUR8AAEUD3UU73XXZRItEJGhBvQQAAABMjUwkIEmL1UiLy/8VDQ8AAIXAdCKBIyAFk/mBCyAFkxlEi0QkIEyNTCRoSYvVSIvL/xXnDgAA8IMF/x4AAP9Mi89Mi8ZIi9VJi8z/Fe0OAABIi1wkUEiLbCRYSIt0JGBIg8QwQV1BXF/D/yXWDgAAzMxIiVwkCFdIg+wgi9pIi/n/FccOAAD2wwF0CEiLz+gOAAAASIvHSItcJDBIg8QgX8P/Ja4OAADMzMzMzMxIiVQkEFVIg+wgSIvqSI0Fjf7//+sASIPEIF3DzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/iIAAAAAAADwIgAAAAAAABAjAAAAAAAAAAAAAAAAAACoIgAAAAAAAJIiAAAAAAAA2CIAAAAAAADIIgAAAAAAAIgiAAAAAAAAAAAAAAAAAAAAAAAAtkwrTwAAAAACAAAAcQAAALAgAACwBgAAAAAAAEgAaQAhAAoAAAAAAAAAAAAiBZMZAgAAACQhAAABAAAASCEAAAQAAAB8IQAAKAAAAAAAAAABAAAAVBEAQAEAAABSU0RTc7+xwtuLCUaAlir7sdahtB4AAABkOlxNZWhyZGFkXFZpc3VhbCBTdHVkaW8gUHJvamVjdHNcVmlzdWFsIEMrK1xUZXN0RXhjZXB0aW9uXHg2NFxSZWxlYXNlXFRlc3RFeGNlcHRpb24ucGRi
AAAAAP////8AAAAA/////wAAAABAAAAAAAAAAAAAAACQEQAAOAAAAAAAAAAAAAAAAQAAAAEAAAA0IQAAGQ0BAARiAABQEAAAgCAAABkKAgAKMgZQUBAAAIAgAAAAEAAA/////w0QAAAAAAAAMRAAAP////+QEQAAAAAAAAEKBAAKNAYACjIGcAAAAAAAAAAAAAAAAMghAAAAAAAAAAAAAAAAAAAAAAAAAQAAANghAAAAAAAAAAAAAAEAAAAAMAAAAAAAAP////8AAAAABAAAAAAAAAAAAAAAAAAAAFgiAAAAAAAAAAAAALwiAAAgIAAAOCIAAAAAAAAAAAAAGCMAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP4iAAAAAAAA8CIAAAAAAAAQIwAAAAAAAAAAAAAAAAAAqCIAAAAAAACSIgAAAAAAANgiAAAAAAAAyCIAAAAAAACIIgAAAAAAAAAAAAAAAAAADgV3cHJpbnRmAEwAX0N4eFRocm93RXhjZXB0aW9uAABVAF9fQ3h4RnJhbWVIYW5kbGVyAG1zdmNydC5kbGwAABUAPz8zQFlBWFBFQVhAWgASAD8/MXR5cGVfaW5mb0BAVUVBQUBYWgDqAUdldFZlcnNpb24AAI0DVmlydHVhbFByb3RlY3QAAF0DU2xlZXAAS0VSTkVMMzIuZGxsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKggAEABAAAAAAAAAAAAAAAuSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAE8QAABcIQAAVBEAAIQRAACcIQAAkBEAAK0RAABsIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

Microsoft's version:

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACIW0OjzDot8Mw6LfDMOi3wuqdW8Mg6LfDFQrjwzTot8MVCrvD+Oi3wzDos8Ig6LfDFQr7wzzot8MVCqfDcOi3w6/xT8M06LfDFQrzwzTot8FJpY2jMOi3wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAGSGBACQTCtPAAAAAAAAAADwACMACwIJAAAEAAAAEgAAAAAAAAAQAAAAEAAAAAAAQAEAAAAAEAAAAAIAAAUAAgAAAAAABQACAAAAAAAAUAAAAAQAAAAAAAADAACAAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAzCIAAFAAAAAAAAAAAAAAAABAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAJAgAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAACQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAAdAwAAABAAAAAEAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAA/AQAAAAgAAAABgAAAAgAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAKAIAAAAMAAAAAQAAAAOAAAAAAAAAAAAAAAAAABAAADALnBkYXRhAAA8AAAAAEAAAAACAAAAEgAAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7DhIx0QkKP7/////FfUPAACFwHQax0QkIAEAAABIjRVSEgAASI1MJCDoHAEAAJD/FdEPAACFwHQNSI0NbhAAAP8VGBAAADPASIPEOMPMSIvESIlYCEiJaBBIiXAYV0FUQVVIg+wwx0AgQAAAAEmLQThJi/mLGEmL8EiL6kkDWQhMi+GLAyX///8fPSAFkxkPhIoAAABBvQEAAABBi8XwD8EFeCIAAEEDxUE7xXQn8IMFaCIAAP+5CgAAAP8VbQ8AAEWL3fBED8EdUSIAAEUD3UU73XXZRItEJGhBvQQAAABMjUwkIEmL1UiLy/8VDQ8AAIXAdCKBIyAFk/mBCyAFkxlEi0QkIEyNTCRoSYvVSIvL/xXnDgAA8IMF/yEAAP9Mi89Mi8ZIi9VJi8z/FR0PAABIi1wkUEiLbCRYSIt0JGBIg8QwQV1BXF/D/yUGDwAAzMxIiVwkCFdIg+wgi9pIi/n/Fd8OAAD2wwF0CEiLz+hKAAAASIvHSItcJDBIg8QgX8PMzMzMzMzMzMzMzMzMzMzMzMxmZg8fhAAAAAAASDsNcR4AAHUSSMHBEGb3wf//dQPCAABIwckQ6QgAAAD/JXoOAADMzEiJTCQISIHsiAAAAEiNDfUhAAD/FY8OAABMix3gIgAATIlcJFhFM8BIjVQkYEiLTCRY6PEAAABIiUQkUEiDfCRQAHRBSMdEJDgAAAAASI1EJEhIiUQkMEiNRCRASIlEJChIjQWgIQAASIlEJCBMi0wkUEyLRCRYSItUJGAzyeifAAAA6yJIi4QkiAAAAEiJBWwiAABIjYQkiAAAAEiDwAhIiQX5IQAASIsFUiIAAEiJBcMgAABIi4QkkAAAAEiJBcQhAADHBZogAAAJBADAxwWUIAAAAQAAAEiLBXEdAABIiUQkaEiLBW0dAABIiUQkcDPJ/xVoDQAASI0NKQ4AAP8VUw0AAP8VRQ0AALoJBADASIvI/xUvDQAASIHEiAAAAMPM/yWQDQAA/yWCDQAAzMzMzMzMzMzMzEiJVCQQVUiD7CBIi+pIjQUd/f//6wBIg8QgXcPMAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAByJAAAAAAAAGQkAAAAAAAAjCQAAAAAAACgJAAAAAAAALQkAAAAAAAA0CQAAAAAAACEJAAAAAAAAAAAAAAAAAAA8CMAAAAAAAAAJAAAAAAAANAjAAAAAAAAuiMAAAAAAACwIwAAAAAAAAAAAAAAAAAARiQAAAAAAAAsJAAAAAAAABgkAAAAAAAAAAAAAAAAAAAAAAAAkEwrTwAAAAACAAAAcQAAAFwhAABcCQAAAAAAAEgAaQAhAAoAAAAAAAAAAAAiBZMZAgAAANAhAAABAAAA9CEAAAQAAAAoIgAAKAAAAAAAAAABAAAAVBEAQAEAAAAwMwBAAQAAANAzAEABAAAABoCAhoCBgAAAEAOGgIaCgBQFBUVFRYWFhQUAADAwgFCAgAAIACgnOFBXgAAHADcwMFBQiAAAACAogIiAgAAAAGBgYGhoaAgIB3hwcHdwcAgIAAAIAAgABwgAAABSU0RTc7+xwtuLCUaAlir7sdahtBwAAABkOlxNZWhyZGFkXFZpc3VhbCBTdHVkaW8gUHJvamVjdHNcVmlzdWFsIEMrK1xUZXN0RXhjZXB0aW9uXHg2NFxSZWxlYXNlXFRlc3RFeGNlcHRpb24ucGRiAAAAAP////8AAAAA/////wAAAABAAAAAAAAAAAAAAAAAEwAAOAAAAAAAAAAAAAAAAQAAAAEAAADgIQAAGQ0BAARiAABQEAAAwCAAABkKAgAKMgZQUBAAAMAgAAAAEAAA/////w0QAAAAAAAAMRAAAP////8AEwAAAAAAAAEYCgAYZAwAGFQLABg0CgAYUhTQEsAQcAEKBAAKNAYACjIGcAEMAgAMAREAAAAAAAAAAAAAAAAAAAAAAJgiAAAAAAAAAAAAAAAAAAAAAAAAAQAAAKgiAAAAAAAAAAAAAAEAAAAAMAAA
AAAAAP////8AAAAABAAAAAAAAAAAAAAAAAAAAGAjAAAAAAAAAAAAAOQjAABAIAAAkCMAAAAAAAAAAAAAWiQAAHAgAAAgIwAAAAAAAAAAAADuJAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHIkAAAAAAAAZCQAAAAAAACMJAAAAAAAAKAkAAAAAAAAtCQAAAAAAADQJAAAAAAAAIQkAAAAAAAAAAAAAAAAAADwIwAAAAAAAAAkAAAAAAAA0CMAAAAAAAC6IwAAAAAAALAjAAAAAAAAAAAAAAAAAABGJAAAAAAAACwkAAAAAAAAGCQAAAAAAAAAAAAAAAAAAA4Fd3ByaW50ZgBMAF9DeHhUaHJvd0V4Y2VwdGlvbgAAVQBfX0N4eEZyYW1lSGFuZGxlcgBtc3ZjcnQuZGxsAAAVAD8/M0BZQVhQRUFYQFoAEgA/PzF0eXBlX2luZm9AQFVFQUFAWFoAnwNSdGxWaXJ0dWFsVW53aW5kAADtAlJ0bExvb2t1cEZ1bmN0aW9uRW50cnkAANUBUnRsQ2FwdHVyZUNvbnRleHQAbnRkbGwuZGxsAOoBR2V0VmVyc2lvbgAAjQNWaXJ0dWFsUHJvdGVjdAAAXQNTbGVlcABlA1Rlcm1pbmF0ZVByb2Nlc3MAAEUBR2V0Q3VycmVudFByb2Nlc3MAdQNVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAAFEDU2V0VW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAEtFUk5FTDMyLmRsbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADoIABAAQAAAAAAAAAAAAAALkgAAAAAAAAyot8tmSsAAM1dINJm1P//dZgAAAAAAAAABAAAAfz//zUAAAALAAAA
QAAAAP8DAACAAAAAgf///xgAAAAIAAAAIAAAAH8AAAAAAAAAAAAAAACgAkAAAAAAAAAAAADIBUAAAAAAAAAAAAD6CEAAAAAAAAAAAECcDEAAAAAAAAAAAFDDD0AAAAAAAAAAACT0EkAAAAAAAAAAgJaYFkAAAAAAAAAAILy+GUAAAAAAAAS/yRuONEAAAACh7czOG8LTTkAg8J61cCuorcWdaUDQXf0l5RqOTxnrg0BxlteVQw4FjSmvnkD5v6BE7YESj4GCuUC/PNWmz/9JH3jC00BvxuCM6YDJR7qTqEG8hWtVJzmN93DgfEK83Y7e+Z37636qUUOh5nbjzPIpL4SBJkQoEBeq+K4Q48XE+kTrp9Tz9+vhSnqVz0VlzMeRDqauoBnjo0YNZRcMdYGGdXbJSE1YQuSnkzk7Nbiy7VNNp+VdPcVdO4ueklr/XabwoSDAVKWMN2HR/Ytai9glXYn522eqlfjzJ7+iyF3dgG5MyZuXIIoCUmDEJXUAAAAAzczNzMzMzMzMzPs/cT0K16NwPQrXo/g/WmQ730+Nl24Sg/U/w9MsZRniWBe30fE/0A8jhEcbR6zFp+4/QKa2aWyvBb03hus/Mz28Qnrl1ZS/1uc/wv39zmGEEXfMq+Q/L0xb4U3EvpSV5sk/ksRTO3VEzRS+mq8/3me6lDlFrR6xz5Q/JCPG4ry6OzFhi3o/YVVZwX6xU3wSu18/1+4vjQa+koUV+0Q/JD+l6TmlJ+p/qCo/fayh5LxkfEbQ3VU+Y3sGzCNUd4P/kYE9kfo6GXpjJUMxwKw8IYnROIJHl7gA/dc73IhYCBux6OOGpgM7xoRFQge2mXU32y46M3Ec0iPbMu5JkFo5poe+wFfapYKmorUy4miyEadSn0RZtxAsJUnkLTY0T1Ouzmslj1kEpMDewn376MYenueIWleRPL9QgyIYTktlYv2Dj68GlH0R5C3en87SyATdptgKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAE8QAAAIIgAAUBAAAEwRAABIIgAAVBEAAIQRAABgIgAAyBEAAOkSAABsIgAAABMAAB0TAAAYIgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

Edit:

For those curious, I found the solution, thanks to Raymond's link.

It turned out that I needed to replace

__CxxFrameHandler3:
    mov rax,rsp
    mov qword ptr [rax+8],rbx
    mov qword ptr [rax+10h],rbp
    mov qword ptr [rax+18h],rsi
    push    rdi
    push    r12
    push    r13
    sub rsp,30h
    mov dword ptr
; more code

with

__CxxFrameHandler3 proc frame
    mov rax,rsp
    mov qword ptr [rax+8],rbx
    .savereg    rbx, 50h
    mov qword ptr [rax+10h],rbp
    .savereg    rbp, 58h
    mov qword ptr [rax+18h],rsi
    .savereg    rsi, 60h
    push    rdi
    .pushreg    rdi
    push    r12
    .pushreg    r12
    push    r13
    .pushreg    r13
    sub rsp,30h
    .allocstack 30h
    .endprolog
    mov dword ptr
; more code
__CxxFrameHandler3 endp
like image 419
user541686 Avatar asked Feb 03 '12 02:02

user541686


1 Answers

There's more to a structured exception handler than just the code. There's also data.

like image 62
Raymond Chen Avatar answered Nov 07 '22 08:11

Raymond Chen