|
|
@ -71,17 +71,26 @@ static ParseCxxHandler(func, handler, fixFunc)
|
|
|
|
y = x;
|
|
|
|
y = x;
|
|
|
|
z = x;
|
|
|
|
z = x;
|
|
|
|
EHCookieOffset=0; GSCookieOffset=0;
|
|
|
|
EHCookieOffset=0; GSCookieOffset=0;
|
|
|
|
if (matchBytes(x,"8B5424088D420C"))
|
|
|
|
|
|
|
|
// 8B 54 24 08 mov edx, [esp+8]
|
|
|
|
// 8B 54 24 08 mov edx, [esp+8]
|
|
|
|
// 8D 42 0C lea eax, [edx+0Ch]
|
|
|
|
if (matchBytes(x,"8B5424088D02"))
|
|
|
|
{
|
|
|
|
x = x+6;
|
|
|
|
|
|
|
|
// 8D 02 lea eax, [edx]
|
|
|
|
|
|
|
|
else if (matchBytes(x,"8B5424088D42"))
|
|
|
|
|
|
|
|
x = x+7;
|
|
|
|
|
|
|
|
// 8D 42 xx lea eax, [edx+XXh]
|
|
|
|
|
|
|
|
else if (matchBytes(x,"8B5424088D82"))
|
|
|
|
|
|
|
|
x = x+10;
|
|
|
|
|
|
|
|
// 8D 82 xx xx xx xx lea eax, [edx+XXh]
|
|
|
|
|
|
|
|
else {
|
|
|
|
|
|
|
|
Message("Function at %08X not recognized as exception handler!\n",x);
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
|
|
|
//EH cookie check:
|
|
|
|
//EH cookie check:
|
|
|
|
// 8B 4A xx mov ecx, [edx-XXh]
|
|
|
|
// 8B 4A xx mov ecx, [edx-XXh]
|
|
|
|
// OR
|
|
|
|
// OR
|
|
|
|
// 8B 8A xx xx xx xx mov ecx, [edx-XXh]
|
|
|
|
// 8B 8A xx xx xx xx mov ecx, [edx-XXh]
|
|
|
|
// 33 C8 xor ecx, eax
|
|
|
|
// 33 C8 xor ecx, eax
|
|
|
|
// E8 xx xx xx xx call __security_check_cookie
|
|
|
|
// E8 xx xx xx xx call __security_check_cookie
|
|
|
|
x = x+7;
|
|
|
|
|
|
|
|
if (matchBytes(x,"8B4A??33C8E8"))
|
|
|
|
if (matchBytes(x,"8B4A??33C8E8"))
|
|
|
|
{
|
|
|
|
{
|
|
|
|
//byte argument
|
|
|
|
//byte argument
|
|
|
@ -96,6 +105,9 @@ static ParseCxxHandler(func, handler, fixFunc)
|
|
|
|
EHCookieOffset = 12 + EHCookieOffset;
|
|
|
|
EHCookieOffset = 12 + EHCookieOffset;
|
|
|
|
x = x+13;
|
|
|
|
x = x+13;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (matchBytes(x,"83C0"))
|
|
|
|
|
|
|
|
x = x + 3;
|
|
|
|
|
|
|
|
// 8B 4A xx add eax, XXh
|
|
|
|
if (matchBytes(x,"8B4A??33C8E8"))
|
|
|
|
if (matchBytes(x,"8B4A??33C8E8"))
|
|
|
|
{
|
|
|
|
{
|
|
|
|
// 8B 4A xx mov ecx, [edx-XXh]
|
|
|
|
// 8B 4A xx mov ecx, [edx-XXh]
|
|
|
@ -112,9 +124,11 @@ static ParseCxxHandler(func, handler, fixFunc)
|
|
|
|
GSCookieOffset = 12 + GSCookieOffset;
|
|
|
|
GSCookieOffset = 12 + GSCookieOffset;
|
|
|
|
x = x+13;
|
|
|
|
x = x+13;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
//Message("EH3: EH Cookie=%02X, GSCookie=%02X\n",EHCookieOffset, GSCookieOffset);
|
|
|
|
//Message("EH3: EH Cookie=%02X, GSCookie=%02X\n",EHCookieOffset, GSCookieOffset);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (Byte(x)==0xB8) {
|
|
|
|
if (Byte(x)==0xB8) {
|
|
|
|
|
|
|
|
// 8B 4A xx xx xx mov eax, offset FuncInfo
|
|
|
|
x = Dword(x+1);
|
|
|
|
x = Dword(x+1);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
else {
|
|
|
|