authorQuietust2012-03-03 14:14:31 -0600
committerQuietust2012-03-03 14:14:31 -0600
commit5cdea79a6f5ca3f389313c332ce40360dfdd76b5 (patch)
tree008da0a4f34d4de76d07ede6679c3666f1186c3f /reversing
parent3ae622b0ffb9002a053664bad9ebb57532515be7 (diff)
downloaddfhack-5cdea79a6f5ca3f389313c332ce40360dfdd76b5.tar.gz
dfhack-5cdea79a6f5ca3f389313c332ce40360dfdd76b5.tar.bz2
dfhack-5cdea79a6f5ca3f389313c332ce40360dfdd76b5.tar.xz
Properly handle the variety of exception handlers that MSVC 2010 generates
Diffstat (limited to 'reversing')
-rw-r--r--reversing/ms_ehseh.idc90
1 files changed, 52 insertions, 38 deletions
diff --git a/reversing/ms_ehseh.idc b/reversing/ms_ehseh.idc
index 31701211..1d25e136 100644
--- a/reversing/ms_ehseh.idc
+++ b/reversing/ms_ehseh.idc
@@ -71,50 +71,64 @@ static ParseCxxHandler(func, handler, fixFunc)
y = x;
z = x;
EHCookieOffset=0; GSCookieOffset=0;
- if (matchBytes(x,"8B5424088D420C"))
- // 8B 54 24 08 mov edx, [esp+8]
- // 8D 42 0C lea eax, [edx+0Ch]
+ // 8B 54 24 08 mov edx, [esp+8]
+ if (matchBytes(x,"8B5424088D02"))
+ x = x+6;
+ // 8D 02 lea eax, [edx]
+ else if (matchBytes(x,"8B5424088D42"))
+ x = x+7;
+ // 8D 42 xx lea eax, [edx+XXh]
+ else if (matchBytes(x,"8B5424088D82"))
+ x = x+10;
+ // 8D 82 xx xx xx xx lea eax, [edx+XXh]
+ else {
+ Message("Function at %08X not recognized as exception handler!\n",x);
+ return;
+ }
+ //EH cookie check:
+ // 8B 4A xx mov ecx, [edx-XXh]
+ // OR
+ // 8B 8A xx xx xx xx mov ecx, [edx-XXh]
+ // 33 C8 xor ecx, eax
+ // E8 xx xx xx xx call __security_check_cookie
+ if (matchBytes(x,"8B4A??33C8E8"))
+ {
+ //byte argument
+ EHCookieOffset = (~Byte(x+2)+1)&0xFF;
+ EHCookieOffset = 12 + EHCookieOffset;
+ x = x+10;
+ }
+ else if (matchBytes(x,"8B8A????????33C8E8"))
+ {
+ //dword argument
+ EHCookieOffset = (~Dword(x+2)+1);
+ EHCookieOffset = 12 + EHCookieOffset;
+ x = x+13;
+ }
+ if (matchBytes(x,"83C0"))
+ x = x + 3;
+ // 8B 4A xx add eax, XXh
+ if (matchBytes(x,"8B4A??33C8E8"))
{
- //EH cookie check:
// 8B 4A xx mov ecx, [edx-XXh]
- // OR
- // 8B 8A xx xx xx xx mov ecx, [edx-XXh]
// 33 C8 xor ecx, eax
// E8 xx xx xx xx call __security_check_cookie
- x = x+7;
- if (matchBytes(x,"8B4A??33C8E8"))
- {
- //byte argument
- EHCookieOffset = (~Byte(x+2)+1)&0xFF;
- EHCookieOffset = 12 + EHCookieOffset;
- x = x+10;
- }
- else if (matchBytes(x,"8B8A????????33C8E8"))
- {
- //dword argument
- EHCookieOffset = (~Dword(x+2)+1);
- EHCookieOffset = 12 + EHCookieOffset;
- x = x+13;
- }
- if (matchBytes(x,"8B4A??33C8E8"))
- {
- // 8B 4A xx mov ecx, [edx-XXh]
- // 33 C8 xor ecx, eax
- // E8 xx xx xx xx call __security_check_cookie
- GSCookieOffset = (~Byte(x+2)+1)&0xFF;
- GSCookieOffset = 12 + GSCookieOffset;
- x = x+10;
- }
- else if (matchBytes(x,"8B8A????????33C8E8"))
- {
- //dword argument
- GSCookieOffset = (~Dword(x+9)+1);
- GSCookieOffset = 12 + GSCookieOffset;
- x = x+13;
- }
- //Message("EH3: EH Cookie=%02X, GSCookie=%02X\n",EHCookieOffset, GSCookieOffset);
+ GSCookieOffset = (~Byte(x+2)+1)&0xFF;
+ GSCookieOffset = 12 + GSCookieOffset;
+ x = x+10;
+ }
+ else if (matchBytes(x,"8B8A????????33C8E8"))
+ {
+ //dword argument
+ GSCookieOffset = (~Dword(x+9)+1);
+ GSCookieOffset = 12 + GSCookieOffset;
+ x = x+13;
}
+
+ //Message("EH3: EH Cookie=%02X, GSCookie=%02X\n",EHCookieOffset, GSCookieOffset);
+
if (Byte(x)==0xB8) {
+ // 8B 4A xx xx xx mov eax, offset FuncInfo
x = Dword(x+1);
}
else {
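Review bot: In the GS-cookie dword branch the displacement is read with `GSCookieOffset = (~Dword(x+9)+1);`, but for the pattern `8B 8A xx xx xx xx 33 C8 E8` the four displacement bytes sit at x+2 and x+9 lands inside the rel32 of the `E8` call; the EH-cookie branch above reads `Dword(x+2)` for the same pattern, so this line should be `GSCookieOffset = (~Dword(x+2)+1);` (carried over from the old code, not fixed by this commit). The byte comments on the two new single-line checks also do not match what is tested: the `83C0` skip is annotated `// 8B 4A xx add eax, XXh` and should read `// 83 C0 xx add eax, XXh`, and the `Byte(x)==0xB8` branch is annotated `// 8B 4A xx xx xx mov eax, offset FuncInfo` and should read `// B8 xx xx xx xx mov eax, offset FuncInfo`. Both cookie offsets are still computed as `12 + ...`, which presumably reflects the original `lea eax, [edx+0Ch]` form; now that `lea eax, [edx]`, `lea eax, [edx+XXh]` and the following `add eax, XXh` are accepted without their displacement being read, it is worth confirming whether 12 is still the right base for those variants. ParseCxxHandler begins before this hunk and continues after it.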