[讨论]关于_ValidateEH3RN-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[讨论]关于_ValidateEH3RN

发表于: 2007-8-18 03:28 11229

[讨论]关于_ValidateEH3RN

zhzhtst

2007-8-18 03:28

11229

关于 _ValidateEH3RN

Windows XP SP2中对结构化异常处理做了一些改动，在__except_handler3中增加了对_ValidateEH3RN的调用。这个函数的代码非常长，在Visual Studio .NET 2003调试器和IDA Pro的帮助下，我重写了这个函数的源代码。然后我用命令行
“cl /c /Ob1 /Z7 /Zl _ValidateEH3RN.c”进行编译。然后我又用Visual Studio .NET 2003附带的DUMPBIN实用工具反汇编了生成的目标文件以及Microsoft提供的目标文件（其单线程调试版本在crt\src\intel\xst_lib目录中）。当我用Beyond Compare比较生成的两个汇编语言文件时，我惊奇地发现，在生成的308行汇编代码中，前217行两者完全一样，后面的90行代码除了使用的寄存器不同（也就是说，假设其中一个使用的是EAX，另一个使用的可能是EDX）外，两者并无任何差别。结果我写的代码比Microsoft提供的代码大两个字节。我花了许多时间阅读MSDN中与编译器以及调试器相关的文档，但都不能解决这个问题。就连Google也帮不了忙。我将此问题贴在OpenRCE以及MSDN论坛中的Visual C++版块上，可能是因为代码太长的缘故，至今无一人响应。我向Matt Pietrek写信请教这个问题。Matt Pietrek现在在Microsoft Visual Studio调试器工作组。以前向Matt Pietrek请教问题时，可能是由于问题并不复杂，虽然Matt很忙，但总是第二天就能给我答复，可这次却迟迟没有回音。我将这个问题帖在此处，希望高手不吝赐教。

注：可以直接使用附件中提供的文件，可读性比较好。

下面是_ValidateEH3RN.c文件：
// 这个宏的定义是从CRT源代码目录中的makefile中获得的
#define WIN32_LEAN_AND_MEAN

#include <windows.h>

#define TRYLEVEL_NONE -1 // 为了方便

// 以下两个结构是从Visual Studio .NET 2003调试器
// 的“局部变量”窗口中获得的
typedef struct _SCOPETABLE_ENTRY {
DWORD EnclosingLevel;
PVOID FilterFunc;
PVOID HandlerFunc;
} SCOPETABLE_ENTRY, *PSCOPETABLE_ENTRY;

typedef struct _EH3_EXCEPTION_REGISTRATION {
struct _EH3_EXCEPTION_REGISTRATION *Next;
PVOID ExceptionHandler;
PSCOPETABLE_ENTRY ScopeTable;
DWORD TryLevel;
} EH3_EXCEPTION_REGISTRATION, *PEH3_EXCEPTION_REGISTRATION;

// 下面这个函数是从WINNT.H 中复制过来的
// （Windows Server 2003 SP1 DDK\inc\wnet目录）
#define PcTeb 0x18
__inline struct _TEB * NtCurrentTeb( void ) { __asm mov eax, fs:[PcTeb] }

// 全局变量
INT  nValidPages=0;
PVOID rgValidPages[0x10]={NULL};
BOOL lModifying=FALSE;

// 此函数的调用约定是从__except_handler3的反汇编代码
// 中获得的，它的参数是从调试器的“调用堆栈”窗口中获得的
// 局部变量及其顺序是从调试器的“局部变量”窗口中获得的
int __cdecl _ValidateEH3RN(
PEH3_EXCEPTION_REGISTRATION pRN)
{
MEMORY_BASIC_INFORMATION mbi;
PIMAGE_SECTION_HEADER pSection;
PVOID pScopePage;
INT iValid;
UINT iSection;
INT iValid2;
PNT_TIB pTIB;
PSCOPETABLE_ENTRY pScopeTable;
INT nFilters;
PVOID pTmp;
PIMAGE_NT_HEADERS pNTHeader;
PIMAGE_DOS_HEADER pDOSHeader;
PIMAGE_OPTIONAL_HEADER pOptHeader;
DWORD level;
DWORD rvaScopeTable;

pScopeTable = pRN->ScopeTable;

// 是否按DWORD边界对齐
if ((DWORD)pScopeTable & 0x3)
{
  return 0;
}

// 获取TIB
pTIB = (PNT_TIB)NtCurrentTeb();

// 是否超出堆栈界限
if ((PVOID)pScopeTable >= (PVOID)pTIB->StackLimit
  && (PVOID)pScopeTable < (PVOID)pTIB->StackBase)
{
  return 0;
}

if (pRN->TryLevel == TRYLEVEL_NONE)
{
  return 1;
}

// 获取过滤器表达式的数目
for (nFilters=0,level=0;level<=pRN->TryLevel;level++)
{
  DWORD enclosing = pScopeTable[level].EnclosingLevel;
  if (enclosing!=TRYLEVEL_NONE && enclosing>=level)
  {
return 0;
  }

  if (pScopeTable[level].FilterFunc != NULL)
nFilters++;
}

if (nFilters &&

// (pRN-8) -> saved ESP
  ((PVOID)*(PDWORD)((PBYTE)pRN-8)<pTIB->StackLimit ||

  (PVOID)*(PDWORD)((PBYTE)pRN-8) >= (PVOID)pRN))
{
  return 0;
}

// 按4KB页面边界对齐
pScopePage=(PVOID)((DWORD)pScopeTable & 0xFFFFF000);
for (iValid=0; iValid<nValidPages; iValid++)
{
  if (rgValidPages[iValid] == pScopePage)
  {
if (iValid>0 && !InterlockedExchange(&lModifying, 1))
{
if (rgValidPages[iValid] != pScopePage)
{
   for (iValid=nValidPages-1; iValid>=0; iValid--)
   {
   if (rgValidPages[iValid] == pScopePage)
   break;
   }

   if (iValid < 0)
   {
   if (nValidPages < 0x10)
   nValidPages++;

   iValid = nValidPages - 1;
   }
   else
   {
   if (iValid == 0)
   {
   InterlockedExchange(&lModifying, 0);
   return 1;
   }
   }
}

for (iValid2=0; iValid2<=iValid; iValid2++)
{
   // 交换
   pTmp = rgValidPages[iValid2];
   rgValidPages[iValid2] = pScopePage;
   pScopePage = pTmp;
}

InterlockedExchange(&lModifying, 0);
}

return 1;
  }
} /*外层for循环结束 */

// 参考1996年5月的MSJ杂志Win32 Q&A专栏中最后一部分
if (!VirtualQuery((LPCVOID)pScopeTable,&mbi,sizeof(mbi))
   || mbi.Type != MEM_IMAGE)
{
  return -1;
}

if(!(mbi.Protect & (PAGE_READWRITE | PAGE_WRITECOPY |

   PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)))
{
  goto exit_success;
}

pDOSHeader=(PIMAGE_DOS_HEADER)mbi.AllocationBase;
if (pDOSHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
  return -1;
}

pNTHeader=(PIMAGE_NT_HEADERS)((PBYTE)pDOSHeader+

         pDOSHeader->e_lfanew);
if (pNTHeader->Signature!=IMAGE_NT_SIGNATURE)
{
  return -1;
}

pOptHeader= (PIMAGE_OPTIONAL_HEADER)&pNTHeader->OptionalHeader;
if (pOptHeader->Magic!=IMAGE_NT_OPTIONAL_HDR_MAGIC)
{
  return -1;
}

rvaScopeTable=(PBYTE)pScopeTable-(PBYTE)pDOSHeader;
iSection = 0;

// PE-COFF规范中给出的获取节表的正式方法
// IMAGE_FIRST_SECTION宏在WINNT.H中定义
pSection = IMAGE_FIRST_SECTION(pNTHeader);

if(iSection < (UINT)pNTHeader->FileHeader.NumberOfSections)
{
  if (rvaScopeTable >= pSection->VirtualAddress

&& rvaScopeTable < pSection->VirtualAddress + pSection->Misc.VirtualSize
&& pSection->Characteristics & IMAGE_SCN_MEM_WRITE)
  {
return 0;
  }
}
else
{
  return -1;
}

exit_success:

if (InterlockedExchange(&lModifying, 1))
{
  return 1;
}

for (iValid=nValidPages; iValid>0; iValid--)
{
  if (rgValidPages[iValid-1] == pScopePage)
break;
}

if (!iValid)
{
  for (iValid=(nValidPages>0xF)?0xF:nValidPages,

   iValid2=0; iValid2<=iValid; iValid2++)
  {
// 交换
pTmp = rgValidPages[iValid2];
rgValidPages[iValid2] = pScopePage;
pScopePage = pTmp;
  }

  if (nValidPages < 0x10)
nValidPages++;
}

InterlockedExchange(&lModifying, 0);
return 1;
}

下面是DUMPBIN输出的_ValidateEH3RN.obj的反汇编结果：

Microsoft (R) COFF/PE Dumper Version 7.10.3077
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file _ValidateEH3RN.obj

File Type: COFF OBJECT

__ValidateEH3RN:
  00000000: 55                push       ebp
  00000001: 8B EC             mov       ebp,esp
  00000003: 83 EC 5C          sub       esp,5Ch
  00000006: 8B 45 08          mov       eax,dword ptr [ebp+8]
  00000009: 8B 48 08          mov       ecx,dword ptr [eax+8]
  0000000C: 89 4D E0          mov       dword ptr [ebp-20h],ecx
  0000000F: 8B 55 E0          mov       edx,dword ptr [ebp-20h]
  00000012: 83 E2 03          and       edx,3
  00000015: 74 07             je       0000001E
  00000017: 33 C0             xor       eax,eax
  00000019: E9 C8 03 00 00    jmp       000003E6
  0000001E: 64 A1 18 00 00 00  mov       eax,dword ptr fs:[00000018h]
  00000024: 89 45 DC          mov       dword ptr [ebp-24h],eax
  00000027: 8B 45 DC          mov       eax,dword ptr [ebp-24h]
  0000002A: 8B 4D E0          mov       ecx,dword ptr [ebp-20h]
  0000002D: 3B 48 08          cmp       ecx,dword ptr [eax+8]
  00000030: 72 12             jb       00000044
  00000032: 8B 55 DC          mov       edx,dword ptr [ebp-24h]
  00000035: 8B 45 E0          mov       eax,dword ptr [ebp-20h]
  00000038: 3B 42 04          cmp       eax,dword ptr [edx+4]
  0000003B: 73 07             jae       00000044
  0000003D: 33 C0             xor       eax,eax
  0000003F: E9 A2 03 00 00    jmp       000003E6
  00000044: 8B 4D 08          mov       ecx,dword ptr [ebp+8]
  00000047: 83 79 0C FF       cmp       dword ptr [ecx+0Ch],0FFFFFFFFh
  0000004B: 75 0A             jne       00000057
  0000004D: B8 01 00 00 00    mov       eax,1
  00000052: E9 8F 03 00 00    jmp       000003E6
  00000057: C7 45 E4 00 00 00  mov       dword ptr [ebp-1Ch],0
         00
  0000005E: C7 45 F8 00 00 00  mov       dword ptr [ebp-8],0
         00
  00000065: EB 09             jmp       00000070
  00000067: 8B 55 F8          mov       edx,dword ptr [ebp-8]
  0000006A: 83 C2 01          add       edx,1
  0000006D: 89 55 F8          mov       dword ptr [ebp-8],edx
  00000070: 8B 45 08          mov       eax,dword ptr [ebp+8]
  00000073: 8B 4D F8          mov       ecx,dword ptr [ebp-8]
  00000076: 3B 48 0C          cmp       ecx,dword ptr [eax+0Ch]
  00000079: 77 3F             ja       000000BA
  0000007B: 8B 55 F8          mov       edx,dword ptr [ebp-8]
  0000007E: 6B D2 0C          imul       edx,edx,0Ch
  00000081: 8B 45 E0          mov       eax,dword ptr [ebp-20h]
  00000084: 8B 0C 10          mov       ecx,dword ptr [eax+edx]
  00000087: 89 4D A8          mov       dword ptr [ebp-58h],ecx
  0000008A: 83 7D A8 FF       cmp       dword ptr [ebp-58h],0FFFFFFFFh
  0000008E: 74 0F             je       0000009F
  00000090: 8B 55 A8          mov       edx,dword ptr [ebp-58h]
  00000093: 3B 55 F8          cmp       edx,dword ptr [ebp-8]
  00000096: 72 07             jb       0000009F
  00000098: 33 C0             xor       eax,eax
  0000009A: E9 47 03 00 00    jmp       000003E6
  0000009F: 8B 45 F8          mov       eax,dword ptr [ebp-8]
  000000A2: 6B C0 0C          imul       eax,eax,0Ch
  000000A5: 8B 4D E0          mov       ecx,dword ptr [ebp-20h]
  000000A8: 83 7C 01 04 00    cmp       dword ptr [ecx+eax+4],0
  000000AD: 74 09             je       000000B8
  000000AF: 8B 55 E4          mov       edx,dword ptr [ebp-1Ch]
  000000B2: 83 C2 01          add       edx,1
  000000B5: 89 55 E4          mov       dword ptr [ebp-1Ch],edx
  000000B8: EB AD             jmp       00000067
  000000BA: 83 7D E4 00       cmp       dword ptr [ebp-1Ch],0
  000000BE: 74 20             je       000000E0
  000000C0: 8B 45 08          mov       eax,dword ptr [ebp+8]
  000000C3: 8B 4D DC          mov       ecx,dword ptr [ebp-24h]
  000000C6: 8B 50 F8          mov       edx,dword ptr [eax-8]
  000000C9: 3B 51 08          cmp       edx,dword ptr [ecx+8]
  000000CC: 72 0B             jb       000000D9
  000000CE: 8B 45 08          mov       eax,dword ptr [ebp+8]
  000000D1: 8B 48 F8          mov       ecx,dword ptr [eax-8]
  000000D4: 3B 4D 08          cmp       ecx,dword ptr [ebp+8]
  000000D7: 72 07             jb       000000E0
  000000D9: 33 C0             xor       eax,eax
  000000DB: E9 06 03 00 00    jmp       000003E6
  000000E0: 8B 55 E0          mov       edx,dword ptr [ebp-20h]
  000000E3: 81 E2 00 F0 FF FF  and       edx,0FFFFF000h
  000000E9: 89 55 CC          mov       dword ptr [ebp-34h],edx
  000000EC: C7 45 D0 00 00 00  mov       dword ptr [ebp-30h],0
         00
  000000F3: EB 09             jmp       000000FE
  000000F5: 8B 45 D0          mov       eax,dword ptr [ebp-30h]
  000000F8: 83 C0 01          add       eax,1
  000000FB: 89 45 D0          mov       dword ptr [ebp-30h],eax
  000000FE: 8B 4D D0          mov       ecx,dword ptr [ebp-30h]
  00000101: 3B 0D 00 00 00 00  cmp       ecx,dword ptr [_nValidPages]
  00000107: 0F 8D 11 01 00 00  jge       0000021E
  0000010D: 8B 55 D0          mov       edx,dword ptr [ebp-30h]
  00000110: 8B 04 95 00 00 00  mov       eax,dword ptr [edx*4]
         00
  00000117: 3B 45 CC          cmp       eax,dword ptr [ebp-34h]
  0000011A: 0F 85 F9 00 00 00  jne       00000219
  00000120: 83 7D D0 00       cmp       dword ptr [ebp-30h],0
  00000124: 0F 8E E5 00 00 00  jle       0000020F
  0000012A: 6A 01             push       1
  0000012C: 68 00 00 00 00    push       offset _lModifying
  00000131: FF 15 00 00 00 00  call       dword ptr [__imp__InterlockedExchange@8]
  00000137: 85 C0             test       eax,eax
  00000139: 0F 85 D0 00 00 00  jne       0000020F
  0000013F: 8B 4D D0          mov       ecx,dword ptr [ebp-30h]
  00000142: 8B 14 8D 00 00 00  mov       edx,dword ptr [ecx*4]
         00
  00000149: 3B 55 CC          cmp       edx,dword ptr [ebp-34h]
  0000014C: 74 78             je       000001C6
  0000014E: A1 00 00 00 00    mov       eax,dword ptr [_nValidPages]
  00000153: 83 E8 01          sub       eax,1
  00000156: 89 45 D0          mov       dword ptr [ebp-30h],eax
  00000159: EB 09             jmp       00000164
  0000015B: 8B 4D D0          mov       ecx,dword ptr [ebp-30h]
  0000015E: 83 E9 01          sub       ecx,1
  00000161: 89 4D D0          mov       dword ptr [ebp-30h],ecx
  00000164: 83 7D D0 00       cmp       dword ptr [ebp-30h],0
  00000168: 7C 13             jl       0000017D
  0000016A: 8B 55 D0          mov       edx,dword ptr [ebp-30h]
  0000016D: 8B 04 95 00 00 00  mov       eax,dword ptr [edx*4]
         00
  00000174: 3B 45 CC          cmp       eax,dword ptr [ebp-34h]
  00000177: 75 02             jne       0000017B
  00000179: EB 02             jmp       0000017D
  0000017B: EB DE             jmp       0000015B
  0000017D: 83 7D D0 00       cmp       dword ptr [ebp-30h],0
  00000181: 7D 26             jge       000001A9
  00000183: 83 3D 00 00 00 00  cmp       dword ptr [_nValidPages],10h
         10
  0000018A: 7D 0F             jge       0000019B
  0000018C: 8B 0D 00 00 00 00  mov       ecx,dword ptr [_nValidPages]
  00000192: 83 C1 01          add       ecx,1
  00000195: 89 0D 00 00 00 00  mov       dword ptr [_nValidPages],ecx
  0000019B: 8B 15 00 00 00 00  mov       edx,dword ptr [_nValidPages]
  000001A1: 83 EA 01          sub       edx,1
  000001A4: 89 55 D0          mov       dword ptr [ebp-30h],edx
  000001A7: EB 1D             jmp       000001C6
  000001A9: 83 7D D0 00       cmp       dword ptr [ebp-30h],0
  000001AD: 75 17             jne       000001C6
  000001AF: 6A 00             push       0
  000001B1: 68 00 00 00 00    push       offset _lModifying
  000001B6: FF 15 00 00 00 00  call       dword ptr [__imp__InterlockedExchange@8]
  000001BC: B8 01 00 00 00    mov       eax,1
  000001C1: E9 20 02 00 00    jmp       000003E6
  000001C6: C7 45 D8 00 00 00  mov       dword ptr [ebp-28h],0
         00
  000001CD: EB 09             jmp       000001D8
  000001CF: 8B 45 D8          mov       eax,dword ptr [ebp-28h]
  000001D2: 83 C0 01          add       eax,1
  000001D5: 89 45 D8          mov       dword ptr [ebp-28h],eax
  000001D8: 8B 4D D8          mov       ecx,dword ptr [ebp-28h]
  000001DB: 3B 4D D0          cmp       ecx,dword ptr [ebp-30h]
  000001DE: 7F 22             jg       00000202
  000001E0: 8B 55 D8          mov       edx,dword ptr [ebp-28h]
  000001E3: 8B 04 95 00 00 00  mov       eax,dword ptr [edx*4]
         00
  000001EA: 89 45 E8          mov       dword ptr [ebp-18h],eax
  000001ED: 8B 4D D8          mov       ecx,dword ptr [ebp-28h]
  000001F0: 8B 55 CC          mov       edx,dword ptr [ebp-34h]
  000001F3: 89 14 8D 00 00 00  mov       dword ptr [ecx*4],edx
         00
  000001FA: 8B 45 E8          mov       eax,dword ptr [ebp-18h]
  000001FD: 89 45 CC          mov       dword ptr [ebp-34h],eax
  00000200: EB CD             jmp       000001CF
  00000202: 6A 00             push       0
  00000204: 68 00 00 00 00    push       offset _lModifying
  00000209: FF 15 00 00 00 00  call       dword ptr [__imp__InterlockedExchange@8]
  0000020F: B8 01 00 00 00    mov       eax,1
  00000214: E9 CD 01 00 00    jmp       000003E6
  00000219: E9 D7 FE FF FF    jmp       000000F5
  0000021E: 6A 1C             push       1Ch
  00000220: 8D 4D AC          lea       ecx,[ebp-54h]
  00000223: 51                push       ecx
  00000224: 8B 55 E0          mov       edx,dword ptr [ebp-20h]
  00000227: 52                push       edx
  00000228: FF 15 00 00 00 00  call       dword ptr [__imp__VirtualQuery@12]
  0000022E: 85 C0             test       eax,eax
  00000230: 74 09             je       0000023B
  00000232: 81 7D C4 00 00 00  cmp       dword ptr [ebp-3Ch],1000000h
         01
  00000239: 74 08             je       00000243
  0000023B: 83 C8 FF          or       eax,0FFFFFFFFh
  0000023E: E9 A3 01 00 00    jmp       000003E6
  00000243: 8B 45 C0          mov       eax,dword ptr [ebp-40h]
  00000246: 25 CC 00 00 00    and       eax,0CCh
  0000024B: 75 05             jne       00000252
  0000024D: E9 C0 00 00 00    jmp       $exit_success$19845
  00000252: 8B 4D B0          mov       ecx,dword ptr [ebp-50h]
  00000255: 89 4D F0          mov       dword ptr [ebp-10h],ecx
  00000258: 8B 55 F0          mov       edx,dword ptr [ebp-10h]
  0000025B: 0F B7 02          movzx    eax,word ptr [edx]
  0000025E: 3D 4D 5A 00 00    cmp       eax,5A4Dh
  00000263: 74 08             je       0000026D
  00000265: 83 C8 FF          or       eax,0FFFFFFFFh
  00000268: E9 79 01 00 00    jmp       000003E6
  0000026D: 8B 4D F0          mov       ecx,dword ptr [ebp-10h]
  00000270: 8B 55 F0          mov       edx,dword ptr [ebp-10h]
  00000273: 03 51 3C          add       edx,dword ptr [ecx+3Ch]
  00000276: 89 55 EC          mov       dword ptr [ebp-14h],edx
  00000279: 8B 45 EC          mov       eax,dword ptr [ebp-14h]
  0000027C: 81 38 50 45 00 00  cmp       dword ptr [eax],4550h
  00000282: 74 08             je       0000028C
  00000284: 83 C8 FF          or       eax,0FFFFFFFFh
  00000287: E9 5A 01 00 00    jmp       000003E6
  0000028C: 8B 4D EC          mov       ecx,dword ptr [ebp-14h]
  0000028F: 83 C1 18          add       ecx,18h
  00000292: 89 4D F4          mov       dword ptr [ebp-0Ch],ecx
  00000295: 8B 55 F4          mov       edx,dword ptr [ebp-0Ch]
  00000298: 0F B7 02          movzx    eax,word ptr [edx]
  0000029B: 3D 0B 01 00 00    cmp       eax,10Bh
  000002A0: 74 08             je       000002AA
  000002A2: 83 C8 FF          or       eax,0FFFFFFFFh
  000002A5: E9 3C 01 00 00    jmp       000003E6
  000002AA: 8B 4D E0          mov       ecx,dword ptr [ebp-20h]
  000002AD: 2B 4D F0          sub       ecx,dword ptr [ebp-10h]
  000002B0: 89 4D FC          mov       dword ptr [ebp-4],ecx
  000002B3: C7 45 D4 00 00 00  mov       dword ptr [ebp-2Ch],0
         00
  000002BA: 8B 55 EC          mov       edx,dword ptr [ebp-14h]
  000002BD: 0F B7 42 14       movzx    eax,word ptr [edx+14h]
  000002C1: 8B 4D EC          mov       ecx,dword ptr [ebp-14h]
  000002C4: 8D 54 01 18       lea       edx,[ecx+eax+18h]
  000002C8: 89 55 C8          mov       dword ptr [ebp-38h],edx
  000002CB: 8B 45 EC          mov       eax,dword ptr [ebp-14h]
  000002CE: 0F B7 48 06       movzx    ecx,word ptr [eax+6]
  000002D2: 39 4D D4          cmp       dword ptr [ebp-2Ch],ecx
  000002D5: 73 33             jae       0000030A
  000002D7: 8B 55 C8          mov       edx,dword ptr [ebp-38h]
  000002DA: 8B 45 FC          mov       eax,dword ptr [ebp-4]
  000002DD: 3B 42 0C          cmp       eax,dword ptr [edx+0Ch]
  000002E0: 72 26             jb       00000308
  000002E2: 8B 4D C8          mov       ecx,dword ptr [ebp-38h]
  000002E5: 8B 51 0C          mov       edx,dword ptr [ecx+0Ch]
  000002E8: 8B 45 C8          mov       eax,dword ptr [ebp-38h]
  000002EB: 03 50 08          add       edx,dword ptr [eax+8]
  000002EE: 39 55 FC          cmp       dword ptr [ebp-4],edx
  000002F1: 73 15             jae       00000308
  000002F3: 8B 4D C8          mov       ecx,dword ptr [ebp-38h]
  000002F6: 8B 51 24          mov       edx,dword ptr [ecx+24h]
  000002F9: 81 E2 00 00 00 80  and       edx,80000000h
  000002FF: 74 07             je       00000308
  00000301: 33 C0             xor       eax,eax
  00000303: E9 DE 00 00 00    jmp       000003E6
  00000308: EB 08             jmp       $exit_success$19845
  0000030A: 83 C8 FF          or       eax,0FFFFFFFFh
  0000030D: E9 D4 00 00 00    jmp       000003E6
$exit_success$19845:
  00000312: 6A 01             push       1
  00000314: 68 00 00 00 00    push       offset _lModifying
  00000319: FF 15 00 00 00 00  call       dword ptr [__imp__InterlockedExchange@8]
  0000031F: 85 C0             test       eax,eax
  00000321: 74 0A             je       0000032D
  00000323: B8 01 00 00 00    mov       eax,1
  00000328: E9 B9 00 00 00    jmp       000003E6
  0000032D: A1 00 00 00 00    mov       eax,dword ptr [_nValidPages]
  00000332: 89 45 D0          mov       dword ptr [ebp-30h],eax
  00000335: EB 09             jmp       00000340
  00000337: 8B 4D D0          mov       ecx,dword ptr [ebp-30h]
  0000033A: 83 E9 01          sub       ecx,1
  0000033D: 89 4D D0          mov       dword ptr [ebp-30h],ecx
  00000340: 83 7D D0 00       cmp       dword ptr [ebp-30h],0
  00000344: 7E 13             jle       00000359
  00000346: 8B 55 D0          mov       edx,dword ptr [ebp-30h]
  00000349: 8B 04 95 FC FF FF  mov       eax,dword ptr [edx*4-4]
         FF
  00000350: 3B 45 CC          cmp       eax,dword ptr [ebp-34h]
  00000353: 75 02             jne       00000357
  00000355: EB 02             jmp       00000359
  00000357: EB DE             jmp       00000337
  00000359: 83 7D D0 00       cmp       dword ptr [ebp-30h],0
  0000035D: 75 75             jne       000003D4
  0000035F: 83 3D 00 00 00 00  cmp       dword ptr [_nValidPages],0Fh
         0F
  00000366: 7E 09             jle       00000371
  00000368: C7 45 A4 0F 00 00  mov       dword ptr [ebp-5Ch],0Fh
         00
  0000036F: EB 09             jmp       0000037A
  00000371: 8B 0D 00 00 00 00  mov       ecx,dword ptr [_nValidPages]
  00000377: 89 4D A4          mov       dword ptr [ebp-5Ch],ecx
  0000037A: 8B 55 A4          mov       edx,dword ptr [ebp-5Ch]
  0000037D: 89 55 D0          mov       dword ptr [ebp-30h],edx
  00000380: C7 45 D8 00 00 00  mov       dword ptr [ebp-28h],0
         00
  00000387: EB 09             jmp       00000392
  00000389: 8B 45 D8          mov       eax,dword ptr [ebp-28h]
  0000038C: 83 C0 01          add       eax,1
  0000038F: 89 45 D8          mov       dword ptr [ebp-28h],eax
  00000392: 8B 4D D8          mov       ecx,dword ptr [ebp-28h]
  00000395: 3B 4D D0          cmp       ecx,dword ptr [ebp-30h]
  00000398: 7F 22             jg       000003BC
  0000039A: 8B 55 D8          mov       edx,dword ptr [ebp-28h]
  0000039D: 8B 04 95 00 00 00  mov       eax,dword ptr [edx*4]
         00
  000003A4: 89 45 E8          mov       dword ptr [ebp-18h],eax
  000003A7: 8B 4D D8          mov       ecx,dword ptr [ebp-28h]
  000003AA: 8B 55 CC          mov       edx,dword ptr [ebp-34h]
  000003AD: 89 14 8D 00 00 00  mov       dword ptr [ecx*4],edx
         00
  000003B4: 8B 45 E8          mov       eax,dword ptr [ebp-18h]
  000003B7: 89 45 CC          mov       dword ptr [ebp-34h],eax
  000003BA: EB CD             jmp       00000389
  000003BC: 83 3D 00 00 00 00  cmp       dword ptr [_nValidPages],10h
         10
  000003C3: 7D 0F             jge       000003D4
  000003C5: 8B 0D 00 00 00 00  mov       ecx,dword ptr [_nValidPages]
  000003CB: 83 C1 01          add       ecx,1
  000003CE: 89 0D 00 00 00 00  mov       dword ptr [_nValidPages],ecx
  000003D4: 6A 00             push       0
  000003D6: 68 00 00 00 00    push       offset _lModifying
  000003DB: FF 15 00 00 00 00  call       dword ptr [__imp__InterlockedExchange@8]
  000003E1: B8 01 00 00 00    mov       eax,1
  000003E6: 8B E5             mov       esp,ebp
  000003E8: 5D                pop       ebp
  000003E9: C3                ret

  Summary

      4C .bss
      6B5 .debug$S
      11A4 .debug$T
      3EA .text

下面是DUMPBIN输出的Microsoft提供的eh3valid.obj的反汇编结果：

Microsoft (R) COFF/PE Dumper Version 7.10.3077
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file eh3valid.obj

File Type: COFF OBJECT

__ValidateEH3RN:
  00000000: 55                push       ebp
  00000001: 8B EC             mov       ebp,esp
  00000003: 83 EC 5C          sub       esp,5Ch
  00000006: 8B 45 08          mov       eax,dword ptr [ebp+8]
  00000009: 8B 48 08          mov       ecx,dword ptr [eax+8]
  0000000C: 89 4D E0          mov       dword ptr [ebp-20h],ecx
  0000000F: 8B 55 E0          mov       edx,dword ptr [ebp-20h]
  00000012: 83 E2 03          and       edx,3
  00000015: 74 07             je       0000001E
  00000017: 33 C0             xor       eax,eax
  00000019: E9 C6 03 00 00    jmp       000003E4
  0000001E: 64 A1 18 00 00 00  mov       eax,dword ptr fs:[00000018h]
  00000024: 89 45 DC          mov       dword ptr [ebp-24h],eax
  00000027: 8B 45 DC          mov       eax,dword ptr [ebp-24h]
  0000002A: 8B 4D E0          mov       ecx,dword ptr [ebp-20h]
  0000002D: 3B 48 08          cmp       ecx,dword ptr [eax+8]
  00000030: 72 12             jb       00000044
  00000032: 8B 55 DC          mov       edx,dword ptr [ebp-24h]
  00000035: 8B 45 E0          mov       eax,dword ptr [ebp-20h]
  00000038: 3B 42 04          cmp       eax,dword ptr [edx+4]
  0000003B: 73 07             jae       00000044
  0000003D: 33 C0             xor       eax,eax
  0000003F: E9 A0 03 00 00    jmp       000003E4
  00000044: 8B 4D 08          mov       ecx,dword ptr [ebp+8]
  00000047: 83 79 0C FF       cmp       dword ptr [ecx+0Ch],0FFFFFFFFh
  0000004B: 75 0A             jne       00000057
  0000004D: B8 01 00 00 00    mov       eax,1
  00000052: E9 8D 03 00 00    jmp       000003E4
  00000057: C7 45 E4 00 00 00  mov       dword ptr [ebp-1Ch],0
         00
  0000005E: C7 45 F8 00 00 00  mov       dword ptr [ebp-8],0
         00
  00000065: EB 09             jmp       00000070
  00000067: 8B 55 F8          mov       edx,dword ptr [ebp-8]
  0000006A: 83 C2 01          add       edx,1
  0000006D: 89 55 F8          mov       dword ptr [ebp-8],edx
  00000070: 8B 45 08          mov       eax,dword ptr [ebp+8]
  00000073: 8B 4D F8          mov       ecx,dword ptr [ebp-8]
  00000076: 3B 48 0C          cmp       ecx,dword ptr [eax+0Ch]
  00000079: 77 3F             ja       000000BA
  0000007B: 8B 55 F8          mov       edx,dword ptr [ebp-8]
  0000007E: 6B D2 0C          imul       edx,edx,0Ch
  00000081: 8B 45 E0          mov       eax,dword ptr [ebp-20h]
  00000084: 8B 0C 10          mov       ecx,dword ptr [eax+edx]
  00000087: 89 4D A8          mov       dword ptr [ebp-58h],ecx
  0000008A: 83 7D A8 FF       cmp       dword ptr [ebp-58h],0FFFFFFFFh
  0000008E: 74 0F             je       0000009F
  00000090: 8B 55 A8          mov       edx,dword ptr [ebp-58h]
  00000093: 3B 55 F8          cmp       edx,dword ptr [ebp-8]
  00000096: 72 07             jb       0000009F
  00000098: 33 C0             xor       eax,eax
  0000009A: E9 45 03 00 00    jmp       000003E4
  0000009F: 8B 45 F8          mov       eax,dword ptr [ebp-8]
  000000A2: 6B C0 0C          imul       eax,eax,0Ch
  000000A5: 8B 4D E0          mov       ecx,dword ptr [ebp-20h]
  000000A8: 83 7C 01 04 00    cmp       dword ptr [ecx+eax+4],0
  000000AD: 74 09             je       000000B8
  000000AF: 8B 55 E4          mov       edx,dword ptr [ebp-1Ch]
  000000B2: 83 C2 01          add       edx,1
  000000B5: 89 55 E4          mov       dword ptr [ebp-1Ch],edx
  000000B8: EB AD             jmp       00000067
  000000BA: 83 7D E4 00       cmp       dword ptr [ebp-1Ch],0
  000000BE: 74 20             je       000000E0
  000000C0: 8B 45 08          mov       eax,dword ptr [ebp+8]
  000000C3: 8B 4D DC          mov       ecx,dword ptr [ebp-24h]
  000000C6: 8B 50 F8          mov       edx,dword ptr [eax-8]
  000000C9: 3B 51 08          cmp       edx,dword ptr [ecx+8]
  000000CC: 72 0B             jb       000000D9
  000000CE: 8B 45 08          mov       eax,dword ptr [ebp+8]
  000000D1: 8B 48 F8          mov       ecx,dword ptr [eax-8]
  000000D4: 3B 4D 08          cmp       ecx,dword ptr [ebp+8]
  000000D7: 72 07             jb       000000E0
  000000D9: 33 C0             xor       eax,eax
  000000DB: E9 04 03 00 00    jmp       000003E4
  000000E0: 8B 55 E0          mov       edx,dword ptr [ebp-20h]
  000000E3: 81 E2 00 F0 FF FF  and       edx,0FFFFF000h
  000000E9: 89 55 CC          mov       dword ptr [ebp-34h],edx
  000000EC: C7 45 D0 00 00 00  mov       dword ptr [ebp-30h],0
         00
  000000F3: EB 09             jmp       000000FE
  000000F5: 8B 45 D0          mov       eax,dword ptr [ebp-30h]
  000000F8: 83 C0 01          add       eax,1
  000000FB: 89 45 D0          mov       dword ptr [ebp-30h],eax
  000000FE: 8B 4D D0          mov       ecx,dword ptr [ebp-30h]
  00000101: 3B 0D 00 00 00 00  cmp       ecx,dword ptr [_nValidPages]
  00000107: 0F 8D 11 01 00 00  jge       0000021E
  0000010D: 8B 55 D0          mov       edx,dword ptr [ebp-30h]
  00000110: 8B 04 95 00 00 00  mov       eax,dword ptr [edx*4]
         00
  00000117: 3B 45 CC          cmp       eax,dword ptr [ebp-34h]
  0000011A: 0F 85 F9 00 00 00  jne       00000219
  00000120: 83 7D D0 00       cmp       dword ptr [ebp-30h],0
  00000124: 0F 8E E5 00 00 00  jle       0000020F
  0000012A: 6A 01             push       1
  0000012C: 68 00 00 00 00    push       offset _lModifying
  00000131: FF 15 00 00 00 00  call       dword ptr [__imp__InterlockedExchange@8]
  00000137: 85 C0             test       eax,eax
  00000139: 0F 85 D0 00 00 00  jne       0000020F
  0000013F: 8B 4D D0          mov       ecx,dword ptr [ebp-30h]
  00000142: 8B 14 8D 00 00 00  mov       edx,dword ptr [ecx*4]
         00
  00000149: 3B 55 CC          cmp       edx,dword ptr [ebp-34h]
  0000014C: 74 78             je       000001C6
  0000014E: A1 00 00 00 00    mov       eax,dword ptr [_nValidPages]
  00000153: 83 E8 01          sub       eax,1
  00000156: 89 45 D0          mov       dword ptr [ebp-30h],eax
  00000159: EB 09             jmp       00000164
  0000015B: 8B 4D D0          mov       ecx,dword ptr [ebp-30h]
  0000015E: 83 E9 01          sub       ecx,1
  00000161: 89 4D D0          mov       dword ptr [ebp-30h],ecx
  00000164: 83 7D D0 00       cmp       dword ptr [ebp-30h],0
  00000168: 7C 13             jl       0000017D
  0000016A: 8B 55 D0          mov       edx,dword ptr [ebp-30h]
  0000016D: 8B 04 95 00 00 00  mov       eax,dword ptr [edx*4]
         00
  00000174: 3B 45 CC          cmp       eax,dword ptr [ebp-34h]
  00000177: 75 02             jne       0000017B
  00000179: EB 02             jmp       0000017D
  0000017B: EB DE             jmp       0000015B
  0000017D: 83 7D D0 00       cmp       dword ptr [ebp-30h],0
  00000181: 7D 26             jge       000001A9
  00000183: 83 3D 00 00 00 00  cmp       dword ptr [_nValidPages],10h
         10
  0000018A: 7D 0F             jge       0000019B
  0000018C: 8B 0D 00 00 00 00  mov       ecx,dword ptr [_nValidPages]
  00000192: 83 C1 01          add       ecx,1
  00000195: 89 0D 00 00 00 00  mov       dword ptr [_nValidPages],ecx
  0000019B: 8B 15 00 00 00 00  mov       edx,dword ptr [_nValidPages]
  000001A1: 83 EA 01          sub       edx,1
  000001A4: 89 55 D0          mov       dword ptr [ebp-30h],edx
  000001A7: EB 1D             jmp       000001C6
  000001A9: 83 7D D0 00       cmp       dword ptr [ebp-30h],0
  000001AD: 75 17             jne       000001C6
  000001AF: 6A 00             push       0
  000001B1: 68 00 00 00 00    push       offset _lModifying
  000001B6: FF 15 00 00 00 00  call       dword ptr [__imp__InterlockedExchange@8]
  000001BC: B8 01 00 00 00    mov       eax,1
  000001C1: E9 1E 02 00 00    jmp       000003E4
  000001C6: C7 45 D8 00 00 00  mov       dword ptr [ebp-28h],0
         00
  000001CD: EB 09             jmp       000001D8
  000001CF: 8B 45 D8          mov       eax,dword ptr [ebp-28h]
  000001D2: 83 C0 01          add       eax,1
  000001D5: 89 45 D8          mov       dword ptr [ebp-28h],eax
  000001D8: 8B 4D D8          mov       ecx,dword ptr [ebp-28h]
  000001DB: 3B 4D D0          cmp       ecx,dword ptr [ebp-30h]
  000001DE: 7F 22             jg       00000202
  000001E0: 8B 55 D8          mov       edx,dword ptr [ebp-28h]
  000001E3: 8B 04 95 00 00 00  mov       eax,dword ptr [edx*4]
         00
  000001EA: 89 45 E8          mov       dword ptr [ebp-18h],eax
  000001ED: 8B 4D D8          mov       ecx,dword ptr [ebp-28h]
  000001F0: 8B 55 CC          mov       edx,dword ptr [ebp-34h]
  000001F3: 89 14 8D 00 00 00  mov       dword ptr [ecx*4],edx
         00
  000001FA: 8B 45 E8          mov       eax,dword ptr [ebp-18h]
  000001FD: 89 45 CC          mov       dword ptr [ebp-34h],eax
  00000200: EB CD             jmp       000001CF
  00000202: 6A 00             push       0
  00000204: 68 00 00 00 00    push       offset _lModifying
  00000209: FF 15 00 00 00 00  call       dword ptr [__imp__InterlockedExchange@8]
  0000020F: B8 01 00 00 00    mov       eax,1
  00000214: E9 CB 01 00 00    jmp       000003E4
  00000219: E9 D7 FE FF FF    jmp       000000F5
  0000021E: 6A 1C             push       1Ch
  00000220: 8D 4D AC          lea       ecx,[ebp-54h]
  00000223: 51                push       ecx
  00000224: 8B 55 E0          mov       edx,dword ptr [ebp-20h]
  00000227: 52                push       edx
  00000228: FF 15 00 00 00 00  call       dword ptr [__imp__VirtualQuery@12]
  0000022E: 85 C0             test       eax,eax
  00000230: 74 09             je       0000023B
  00000232: 81 7D C4 00 00 00  cmp       dword ptr [ebp-3Ch],1000000h
         01
  00000239: 74 08             je       00000243
  0000023B: 83 C8 FF          or       eax,0FFFFFFFFh
  0000023E: E9 A1 01 00 00    jmp       000003E4
  00000243: 8B 45 C0          mov       eax,dword ptr [ebp-40h]
  00000246: 25 CC 00 00 00    and       eax,0CCh
  0000024B: 75 05             jne       00000252
  0000024D: E9 C0 00 00 00    jmp       $exit_success$19252
  00000252: 8B 4D B0          mov       ecx,dword ptr [ebp-50h]
  00000255: 89 4D F0          mov       dword ptr [ebp-10h],ecx
  00000258: 8B 55 F0          mov       edx,dword ptr [ebp-10h]
  0000025B: 0F B7 02          movzx    eax,word ptr [edx]
  0000025E: 3D 4D 5A 00 00    cmp       eax,5A4Dh
  00000263: 74 08             je       0000026D
  00000265: 83 C8 FF          or       eax,0FFFFFFFFh
  00000268: E9 77 01 00 00    jmp       000003E4
  0000026D: 8B 4D F0          mov       ecx,dword ptr [ebp-10h]
  00000270: 8B 55 F0          mov       edx,dword ptr [ebp-10h]
  00000273: 03 51 3C          add       edx,dword ptr [ecx+3Ch]
  00000276: 89 55 EC          mov       dword ptr [ebp-14h],edx
  00000279: 8B 45 EC          mov       eax,dword ptr [ebp-14h]
  0000027C: 81 38 50 45 00 00  cmp       dword ptr [eax],4550h
  00000282: 74 08             je       0000028C
  00000284: 83 C8 FF          or       eax,0FFFFFFFFh
  00000287: E9 58 01 00 00    jmp       000003E4
  0000028C: 8B 4D EC          mov       ecx,dword ptr [ebp-14h]
  0000028F: 83 C1 18          add       ecx,18h
  00000292: 89 4D F4          mov       dword ptr [ebp-0Ch],ecx
  00000295: 8B 55 F4          mov       edx,dword ptr [ebp-0Ch]
  00000298: 0F B7 02          movzx    eax,word ptr [edx]
  0000029B: 3D 0B 01 00 00    cmp       eax,10Bh
  000002A0: 74 08             je       000002AA
  000002A2: 83 C8 FF          or       eax,0FFFFFFFFh
  000002A5: E9 3A 01 00 00    jmp       000003E4
  000002AA: 8B 4D E0          mov       ecx,dword ptr [ebp-20h]
  000002AD: 2B 4D F0          sub       ecx,dword ptr [ebp-10h]
  000002B0: 89 4D FC          mov       dword ptr [ebp-4],ecx
  000002B3: C7 45 D4 00 00 00  mov       dword ptr [ebp-2Ch],0
         00
  000002BA: 8B 55 EC          mov       edx,dword ptr [ebp-14h]
  000002BD: 0F B7 42 14       movzx    eax,word ptr [edx+14h]
  000002C1: 8B 4D EC          mov       ecx,dword ptr [ebp-14h]
  000002C4: 8D 54 01 18       lea       edx,[ecx+eax+18h]
  000002C8: 89 55 C8          mov       dword ptr [ebp-38h],edx
  000002CB: 8B 55 EC          mov       edx,dword ptr [ebp-14h]
  000002CE: 0F B7 42 06       movzx    eax,word ptr [edx+6]
  000002D2: 39 45 D4          cmp       dword ptr [ebp-2Ch],eax
  000002D5: 73 33             jae       0000030A
  000002D7: 8B 4D C8          mov       ecx,dword ptr [ebp-38h]
  000002DA: 8B 55 FC          mov       edx,dword ptr [ebp-4]
  000002DD: 3B 51 0C          cmp       edx,dword ptr [ecx+0Ch]
  000002E0: 72 26             jb       00000308
  000002E2: 8B 45 C8          mov       eax,dword ptr [ebp-38h]
  000002E5: 8B 48 0C          mov       ecx,dword ptr [eax+0Ch]
  000002E8: 8B 55 C8          mov       edx,dword ptr [ebp-38h]
  000002EB: 03 4A 08          add       ecx,dword ptr [edx+8]
  000002EE: 39 4D FC          cmp       dword ptr [ebp-4],ecx
  000002F1: 73 15             jae       00000308
  000002F3: 8B 45 C8          mov       eax,dword ptr [ebp-38h]
  000002F6: 8B 48 24          mov       ecx,dword ptr [eax+24h]
  000002F9: 81 E1 00 00 00 80  and       ecx,80000000h
  000002FF: 74 07             je       00000308
  00000301: 33 C0             xor       eax,eax
  00000303: E9 DC 00 00 00    jmp       000003E4
  00000308: EB 08             jmp       $exit_success$19252
  0000030A: 83 C8 FF          or       eax,0FFFFFFFFh
  0000030D: E9 D2 00 00 00    jmp       000003E4
$exit_success$19252:
  00000312: 6A 01             push       1
  00000314: 68 00 00 00 00    push       offset _lModifying
  00000319: FF 15 00 00 00 00  call       dword ptr [__imp__InterlockedExchange@8]
  0000031F: 85 C0             test       eax,eax
  00000321: 74 0A             je       0000032D
  00000323: B8 01 00 00 00    mov       eax,1
  00000328: E9 B7 00 00 00    jmp       000003E4
  0000032D: 8B 15 00 00 00 00  mov       edx,dword ptr [_nValidPages]
  00000333: 89 55 D0          mov       dword ptr [ebp-30h],edx
  00000336: EB 09             jmp       00000341
  00000338: 8B 45 D0          mov       eax,dword ptr [ebp-30h]
  0000033B: 83 E8 01          sub       eax,1
  0000033E: 89 45 D0          mov       dword ptr [ebp-30h],eax
  00000341: 83 7D D0 00       cmp       dword ptr [ebp-30h],0
  00000345: 7E 13             jle       0000035A
  00000347: 8B 4D D0          mov       ecx,dword ptr [ebp-30h]
  0000034A: 8B 14 8D FC FF FF  mov       edx,dword ptr [ecx*4-4]
         FF
  00000351: 3B 55 CC          cmp       edx,dword ptr [ebp-34h]
  00000354: 75 02             jne       00000358
  00000356: EB 02             jmp       0000035A
  00000358: EB DE             jmp       00000338
  0000035A: 83 7D D0 00       cmp       dword ptr [ebp-30h],0
  0000035E: 75 72             jne       000003D2
  00000360: 83 3D 00 00 00 00  cmp       dword ptr [_nValidPages],0Fh
         0F
  00000367: 7E 09             jle       00000372
  00000369: C7 45 A4 0F 00 00  mov       dword ptr [ebp-5Ch],0Fh
         00
  00000370: EB 08             jmp       0000037A
  00000372: A1 00 00 00 00    mov       eax,dword ptr [_nValidPages]
  00000377: 89 45 A4          mov       dword ptr [ebp-5Ch],eax
  0000037A: 8B 4D A4          mov       ecx,dword ptr [ebp-5Ch]
  0000037D: 89 4D D0          mov       dword ptr [ebp-30h],ecx
  00000380: C7 45 D8 00 00 00  mov       dword ptr [ebp-28h],0
         00
  00000387: EB 09             jmp       00000392
  00000389: 8B 55 D8          mov       edx,dword ptr [ebp-28h]
  0000038C: 83 C2 01          add       edx,1
  0000038F: 89 55 D8          mov       dword ptr [ebp-28h],edx
  00000392: 8B 45 D8          mov       eax,dword ptr [ebp-28h]
  00000395: 3B 45 D0          cmp       eax,dword ptr [ebp-30h]
  00000398: 7F 22             jg       000003BC
  0000039A: 8B 4D D8          mov       ecx,dword ptr [ebp-28h]
  0000039D: 8B 14 8D 00 00 00  mov       edx,dword ptr [ecx*4]
         00
  000003A4: 89 55 E8          mov       dword ptr [ebp-18h],edx
  000003A7: 8B 45 D8          mov       eax,dword ptr [ebp-28h]
  000003AA: 8B 4D CC          mov       ecx,dword ptr [ebp-34h]
  000003AD: 89 0C 85 00 00 00  mov       dword ptr [eax*4],ecx
         00
  000003B4: 8B 55 E8          mov       edx,dword ptr [ebp-18h]
  000003B7: 89 55 CC          mov       dword ptr [ebp-34h],edx
  000003BA: EB CD             jmp       00000389
  000003BC: 83 3D 00 00 00 00  cmp       dword ptr [_nValidPages],10h
         10
  000003C3: 7D 0D             jge       000003D2
  000003C5: A1 00 00 00 00    mov       eax,dword ptr [_nValidPages]
  000003CA: 83 C0 01          add       eax,1
  000003CD: A3 00 00 00 00    mov       dword ptr [_nValidPages],eax
  000003D2: 6A 00             push       0
  000003D4: 68 00 00 00 00    push       offset _lModifying
  000003D9: FF 15 00 00 00 00  call       dword ptr [__imp__InterlockedExchange@8]
  000003DF: B8 01 00 00 00    mov       eax,1
  000003E4: 8B E5             mov       esp,ebp
  000003E6: 5D                pop       ebp
  000003E7: C3                ret

  Summary

      4C .bss
      6BE .debug$S
      1164 .debug$T
      3E8 .text

作者：SmartTech       电子信箱：zhzhtst@163.com

登录后可查看完整内容

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

上传的附件：

__ValidateEH3RN.rar （17.06kb，42次下载）

收藏・2

免费・7

支持

最新回复 (10)
readyu 雪币： 11705 活跃值： (975) 能力值： ( LV12，RANK：779 ) 在线值：发帖 36 回帖 392 粉丝 45 关注私信	readyu 12 2 楼注意到 mov eax,[mem] 比 mov ecx,[mem] mov [mem],eax 比 mov [mem],ecx 的操作码各短了一个字节。 000003C5: A1 00 00 00 00 mov eax,dword ptr [_nValidPages] 000003CA: 83 C0 01 add eax,1 000003CD: A3 00 00 00 00 mov dword ptr [_nValidPages],eax 000003D2: 6A 00 push 0 000003C5: 8B 0D 00 00 00 00 mov ecx,dword ptr [_nValidPages] 000003CB: 83 C1 01 add ecx,1 000003CE: 89 0D 00 00 00 00 mov dword ptr [_nValidPages],ecx 000003D4: 6A 00 push 0 2007-8-18 12:35 0
zhzhtst 雪币： 462 活跃值： (53) 能力值： ( LV9，RANK：460 ) 在线值：发帖 23 回帖 167 粉丝 1 关注私信	zhzhtst 11 3 楼 [QUOTE=readyu;347192]注意到 mov eax,[mem] 比 mov ecx,[mem] mov [mem],eax 比 mov [mem],ecx 的操作码各短了一个字节。 000003C5: A1 00 00 00 00 mov eax,dword ptr [_nValidP...[/QUOTE] 我的意思是说为什么前面那么多行都完全一样，而后面的几十行本身也可以一样，但为什么它们不一样？ 2007-8-18 16:20 0
readyu 雪币： 11705 活跃值： (975) 能力值： ( LV12，RANK：779 ) 在线值：发帖 36 回帖 392 粉丝 45 关注私信	readyu 12 4 楼我分别用VC2003和VC2005的 CL.exe编译，发现结果都和你说的一样。估计原因可能是: 1. MS内部编译器版本和我们用的有点不一样。 2. 分歧是从这一句开始的，这个宏的定义可能有些不一样。 pSection = IMAGE_FIRST_SECTION(pNTHeader); // Defined in WINNT.H 2007-8-18 18:32 0
zhzhtst 雪币： 462 活跃值： (53) 能力值： ( LV9，RANK：460 ) 在线值：发帖 23 回帖 167 粉丝 1 关注私信	zhzhtst 11 5 楼这个问题我已经试过，我最初并不是用的这个宏，而是直接根据反汇编代码写的语句，但结果还是这样，与用不用这个宏没有关系。 2007-8-19 01:01 0
zhzhtst 雪币： 462 活跃值： (53) 能力值： ( LV9，RANK：460 ) 在线值：发帖 23 回帖 167 粉丝 1 关注私信	zhzhtst 11 6 楼我也怀疑是不是Microsoft使用的内部编译器与我们使用的不一样。 2007-8-19 01:03 0
Rinrin 雪币： 267 活跃值： (16) 能力值： ( LV4，RANK：50 ) 在线值：发帖 6 回帖 137 粉丝 1 关注私信	Rinrin 1 7 楼楼主的编译命令是从makefile里查到的嘛？加上/Bd参数看看传给c1.dll和c2.dll的参数是什么？或者用wrk里的cl试一下？ 2007-8-19 12:08 0
zhzhtst 雪币： 462 活跃值： (53) 能力值： ( LV9，RANK：460 ) 在线值：发帖 23 回帖 167 粉丝 1 关注私信	zhzhtst 11 8 楼只有WIN32_LEAN_AND_MEAN这个宏的使用是从makefile文件中查到的，其它的是我自己实验出来的。 2007-8-19 12:55 0
zhzhtst 雪币： 462 活跃值： (53) 能力值： ( LV9，RANK：460 ) 在线值：发帖 23 回帖 167 粉丝 1 关注私信	zhzhtst 11 9 楼 OpenRCE的RolfRolles答复如下： Nice job on the decompilation. My experience diffing patches (noticing that sometimes the only difference between two functions seemed to be register/stack allocation) makes me suspect that MSVC uses a non-deterministic register allocator. I may be wrong, and would be interested to hear the correct answer if so. Register allocation is often formulated as a graph-coloring problem, which is in NP, and therefore there can exist no algorithm to solve it optimally in polynomial time (assuming P != NP). Consequently, approximation algorithms are often used to "solve" problems such as this, and these algorithms often employ the use of random variables. Therefore, in general, there is no guarantee that two successive compilations of the same source code (or a conforming decompilation/recompilation) will see the same variables assigned to the same registers at the same program points. If the only differences between your recompilation and the original binary are register assignments / stack spills, you should consider it a job well-done; I would, anyway. 2007-8-19 12:57 0
zhzhtst 雪币： 462 活跃值： (53) 能力值： ( LV9，RANK：460 ) 在线值：发帖 23 回帖 167 粉丝 1 关注私信	zhzhtst 11 10 楼 RolfRolles提到的寄存器分配问题通常用图着色问题来表示，关于这方面的详细信息，大家可以参考《Advanced Compiler Design and Implementation》（中文译名《高级编译器设计与实现》）第16章。 2007-8-19 13:04 0
zhzhtst 雪币： 462 活跃值： (53) 能力值： ( LV9，RANK：460 ) 在线值：发帖 23 回帖 167 粉丝 1 关注私信	zhzhtst 11 11 楼 http://en.wikipedia.org/wiki/Register_allocation 2007-8-19 13:12 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

zhzhtst

发帖

167

回帖

460

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (10)
readyu 雪币： 11705 活跃值： (975) 能力值： ( LV12，RANK：779 ) 在线值：发帖 36 回帖 392 粉丝 45 关注私信	readyu 12 2 楼注意到 mov eax,[mem] 比 mov ecx,[mem] mov [mem],eax 比 mov [mem],ecx 的操作码各短了一个字节。 000003C5: A1 00 00 00 00 mov eax,dword ptr [_nValidPages] 000003CA: 83 C0 01 add eax,1 000003CD: A3 00 00 00 00 mov dword ptr [_nValidPages],eax 000003D2: 6A 00 push 0 000003C5: 8B 0D 00 00 00 00 mov ecx,dword ptr [_nValidPages] 000003CB: 83 C1 01 add ecx,1 000003CE: 89 0D 00 00 00 00 mov dword ptr [_nValidPages],ecx 000003D4: 6A 00 push 0 2007-8-18 12:35 0
zhzhtst 雪币： 462 活跃值： (53) 能力值： ( LV9，RANK：460 ) 在线值：发帖 23 回帖 167 粉丝 1 关注私信	zhzhtst 11 3 楼 [QUOTE=readyu;347192]注意到 mov eax,[mem] 比 mov ecx,[mem] mov [mem],eax 比 mov [mem],ecx 的操作码各短了一个字节。 000003C5: A1 00 00 00 00 mov eax,dword ptr [_nValidP...[/QUOTE] 我的意思是说为什么前面那么多行都完全一样，而后面的几十行本身也可以一样，但为什么它们不一样？ 2007-8-18 16:20 0
readyu 雪币： 11705 活跃值： (975) 能力值： ( LV12，RANK：779 ) 在线值：发帖 36 回帖 392 粉丝 45 关注私信	readyu 12 4 楼我分别用VC2003和VC2005的 CL.exe编译，发现结果都和你说的一样。估计原因可能是: 1. MS内部编译器版本和我们用的有点不一样。 2. 分歧是从这一句开始的，这个宏的定义可能有些不一样。 pSection = IMAGE_FIRST_SECTION(pNTHeader); // Defined in WINNT.H 2007-8-18 18:32 0
zhzhtst 雪币： 462 活跃值： (53) 能力值： ( LV9，RANK：460 ) 在线值：发帖 23 回帖 167 粉丝 1 关注私信	zhzhtst 11 5 楼这个问题我已经试过，我最初并不是用的这个宏，而是直接根据反汇编代码写的语句，但结果还是这样，与用不用这个宏没有关系。 2007-8-19 01:01 0
zhzhtst 雪币： 462 活跃值： (53) 能力值： ( LV9，RANK：460 ) 在线值：发帖 23 回帖 167 粉丝 1 关注私信	zhzhtst 11 6 楼我也怀疑是不是Microsoft使用的内部编译器与我们使用的不一样。 2007-8-19 01:03 0
Rinrin 雪币： 267 活跃值： (16) 能力值： ( LV4，RANK：50 ) 在线值：发帖 6 回帖 137 粉丝 1 关注私信	Rinrin 1 7 楼楼主的编译命令是从makefile里查到的嘛？加上/Bd参数看看传给c1.dll和c2.dll的参数是什么？或者用wrk里的cl试一下？ 2007-8-19 12:08 0
zhzhtst 雪币： 462 活跃值： (53) 能力值： ( LV9，RANK：460 ) 在线值：发帖 23 回帖 167 粉丝 1 关注私信	zhzhtst 11 8 楼只有WIN32_LEAN_AND_MEAN这个宏的使用是从makefile文件中查到的，其它的是我自己实验出来的。 2007-8-19 12:55 0
zhzhtst 雪币： 462 活跃值： (53) 能力值： ( LV9，RANK：460 ) 在线值：发帖 23 回帖 167 粉丝 1 关注私信	zhzhtst 11 9 楼 OpenRCE的RolfRolles答复如下： Nice job on the decompilation. My experience diffing patches (noticing that sometimes the only difference between two functions seemed to be register/stack allocation) makes me suspect that MSVC uses a non-deterministic register allocator. I may be wrong, and would be interested to hear the correct answer if so. Register allocation is often formulated as a graph-coloring problem, which is in NP, and therefore there can exist no algorithm to solve it optimally in polynomial time (assuming P != NP). Consequently, approximation algorithms are often used to "solve" problems such as this, and these algorithms often employ the use of random variables. Therefore, in general, there is no guarantee that two successive compilations of the same source code (or a conforming decompilation/recompilation) will see the same variables assigned to the same registers at the same program points. If the only differences between your recompilation and the original binary are register assignments / stack spills, you should consider it a job well-done; I would, anyway. 2007-8-19 12:57 0
zhzhtst 雪币： 462 活跃值： (53) 能力值： ( LV9，RANK：460 ) 在线值：发帖 23 回帖 167 粉丝 1 关注私信	zhzhtst 11 10 楼 RolfRolles提到的寄存器分配问题通常用图着色问题来表示，关于这方面的详细信息，大家可以参考《Advanced Compiler Design and Implementation》（中文译名《高级编译器设计与实现》）第16章。 2007-8-19 13:04 0
zhzhtst 雪币： 462 活跃值： (53) 能力值： ( LV9，RANK：460 ) 在线值：发帖 23 回帖 167 粉丝 1 关注私信	zhzhtst 11 11 楼 http://en.wikipedia.org/wiki/Register_allocation 2007-8-19 13:12 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复