MetzNet
/
dfhack
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Properly handle the variety of exception handlers that MSVC 2010 generates

develop
Quietust 2012-03-03 14:14:31 -06:00
parent 3ae622b0ff
commit 5cdea79a6f
1 changed files with 52 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
reversing/ms_ehseh.idc
Unescape Escape View File

@ -71,50 +71,64 @@ static ParseCxxHandler(func, handler, fixFunc)
y = x; y = x;
z = x; z = x;
EHCookieOffset=0; GSCookieOffset=0; EHCookieOffset=0; GSCookieOffset=0;
if (matchBytes(x,"8B5424088D420C")) // 8B 54 24 08 mov edx, [esp+8]
// 8B 54 24 08 mov edx, [esp+8] if (matchBytes(x,"8B5424088D02"))
// 8D 42 0C lea eax, [edx+0Ch] x = x+6;
// 8D 02 lea eax, [edx]
else if (matchBytes(x,"8B5424088D42"))
x = x+7;
// 8D 42 xx lea eax, [edx+XXh]
else if (matchBytes(x,"8B5424088D82"))
x = x+10;
// 8D 82 xx xx xx xx lea eax, [edx+XXh]
else {
Message("Function at %08X not recognized as exception handler!\n",x);
return;
}
//EH cookie check:
// 8B 4A xx mov ecx, [edx-XXh]
// OR
// 8B 8A xx xx xx xx mov ecx, [edx-XXh]
// 33 C8 xor ecx, eax
// E8 xx xx xx xx call __security_check_cookie
if (matchBytes(x,"8B4A??33C8E8"))
{
//byte argument
EHCookieOffset = (~Byte(x+2)+1)&0xFF;
EHCookieOffset = 12 + EHCookieOffset;
x = x+10;
}
else if (matchBytes(x,"8B8A????????33C8E8"))
{
//dword argument
EHCookieOffset = (~Dword(x+2)+1);
EHCookieOffset = 12 + EHCookieOffset;
x = x+13;
}
if (matchBytes(x,"83C0"))
x = x + 3;
// 8B 4A xx add eax, XXh
if (matchBytes(x,"8B4A??33C8E8"))
{ {
//EH cookie check:
// 8B 4A xx mov ecx, [edx-XXh] // 8B 4A xx mov ecx, [edx-XXh]
// OR
// 8B 8A xx xx xx xx mov ecx, [edx-XXh]
// 33 C8 xor ecx, eax // 33 C8 xor ecx, eax
// E8 xx xx xx xx call __security_check_cookie // E8 xx xx xx xx call __security_check_cookie
x = x+7; GSCookieOffset = (~Byte(x+2)+1)&0xFF;
if (matchBytes(x,"8B4A??33C8E8")) GSCookieOffset = 12 + GSCookieOffset;
{ x = x+10;
//byte argument }
EHCookieOffset = (~Byte(x+2)+1)&0xFF; else if (matchBytes(x,"8B8A????????33C8E8"))
EHCookieOffset = 12 + EHCookieOffset; {
x = x+10; //dword argument
} GSCookieOffset = (~Dword(x+9)+1);
else if (matchBytes(x,"8B8A????????33C8E8")) GSCookieOffset = 12 + GSCookieOffset;
{ x = x+13;
//dword argument
EHCookieOffset = (~Dword(x+2)+1);
EHCookieOffset = 12 + EHCookieOffset;
x = x+13;
}
if (matchBytes(x,"8B4A??33C8E8"))
{
// 8B 4A xx mov ecx, [edx-XXh]
// 33 C8 xor ecx, eax
// E8 xx xx xx xx call __security_check_cookie
GSCookieOffset = (~Byte(x+2)+1)&0xFF;
GSCookieOffset = 12 + GSCookieOffset;
x = x+10;
}
else if (matchBytes(x,"8B8A????????33C8E8"))
{
//dword argument
GSCookieOffset = (~Dword(x+9)+1);
GSCookieOffset = 12 + GSCookieOffset;
x = x+13;
}
//Message("EH3: EH Cookie=%02X, GSCookie=%02X\n",EHCookieOffset, GSCookieOffset);
} }
//Message("EH3: EH Cookie=%02X, GSCookie=%02X\n",EHCookieOffset, GSCookieOffset);
if (Byte(x)==0xB8) { if (Byte(x)==0xB8) {
// 8B 4A xx xx xx mov eax, offset FuncInfo
x = Dword(x+1); x = Dword(x+1);
} }
else { else {