; Custom build step (x64): ml64.exe /Fo"$(IntDir)\$(InputName).obj" /D_WIN64 /c /nologo /W3 /Zi /Ta "$(InputPath)"
; Custom build output: $(IntDir)\$(InputName).obj
;
; http://kobyk.wordpress.com/2007/07/20/dynamically-linking-with-msvcrtdll-using-visual-c-2005/
; http://www.openrce.org/articles/full_view/21
; http://blogs.msdn.com/b/freik/archive/2006/01/04/509372.aspx
ifndef _WIN64 ; 32-bit (x86) build: ml.exe needs an explicit CPU and memory model
.386
.model flat, c ; flat 32-bit model, C language type: public/extern names get a leading underscore, caller cleans the stack
endif
option dotname ; permit identifiers that begin with '.'
extern __CxxFrameHandler: PROC ; the older C++ EH personality routine this file forwards to; called directly by the x86 path
ifdef _WIN64
extern __imp___CxxFrameHandler: PROC ; x64 path: IAT entries (pointers), used as 'call qword ptr [__imp_...]'
extern __imp_VirtualProtect: PROC ; makes the FuncInfo dword writable while it is patched in place
extern __imp_Sleep: PROC ; 10 ms back-off inside the ProtectFlag spin loop
extern __imp_GetVersion: PROC ; declared but not referenced anywhere in this file
endif
.data
ifdef _WIN64
;ProtectFlag EQU ?ProtectFlag@?1??__CxxFrameHandler3@@9@9
; ^ appears to be the MSVC-decorated name of a function-local static 'ProtectFlag'; kept commented out.
ProtectFlag dd ? ; counter used as a lock: the thread that raises it from 0 to 1 owns the patch window. NOTE(review): '?' is uninitialized storage; the protocol assumes an initial value of 0 - 'dd 0' would state that explicitly.
endif
.code
ifdef _WIN64
includelib kernel32.lib ; VirtualProtect / Sleep
endif
;includelib msvcrt.lib
public __CxxFrameHandler3
;-----------------------------------------------------------------------
; __CxxFrameHandler3 -- shim that forwards to the older __CxxFrameHandler
;
; Both builds receive the four arguments of a C++ EH personality routine
; and forward them untouched. The only transformation is on the FuncInfo
; magic number: its low 29 bits are forced to 19930520h (bits 29-31 are
; preserved) so that the older handler accepts the record. What the older
; handler then does with the record is outside this file.
;
; x86 (cdecl): FuncInfo* arrives in eax; four args on the stack.
;   The record (9 dwords) is copied to the stack and the copy is patched,
;   so nothing in the image is written.
; x64 (Win64 ABI): rcx..r9 = the four args. The FuncInfo address is
;   derived from the fourth argument: the dword at [[r9+38h]] plus the
;   qword at [r9+8] (presumably DISPATCHER_CONTEXT.HandlerData RVA and
;   .ImageBase - confirm). The record is patched in place under a
;   VirtualProtect window, serialised by the global ProtectFlag.
; Return: whatever __CxxFrameHandler returns (eax / rax passes through).
; Labels of the form L140001xxx look like absolute addresses carried over
; from a disassembly listing of the original build.
;-----------------------------------------------------------------------
ifdef _WIN64
__CxxFrameHandler3 proc frame ; 'frame' emits x64 unwind data for the .savereg/.pushreg/.allocstack directives below
else
__CxxFrameHandler3 proc
endif
ifndef _WIN64
push ebp
mov ebp,esp
sub esp,28h ; locals: [ebp-4] = FuncInfo*, [ebp-28h..ebp-5] = 9-dword copy of the record
push ebx ; saved/restored although this path never writes ebx
push esi
push edi
cld ; rep movs must copy forwards
mov dword ptr [ebp-4],eax ; eax = FuncInfo* (register argument of the 32-bit handler)
mov esi,dword ptr [ebp-4]
push 9
pop ecx ; ecx = 9 dwords (36 bytes)
lea edi,[ebp-28h]
rep movs dword ptr es:[edi],dword ptr [esi] ; copy the record onto the stack; the image copy is never written
mov eax,dword ptr [ebp-28h] ; first dword = magic number
and eax,0F9930520h ; keep bits 29-31, clear every low bit not in 19930520h ...
or eax,019930520h ; ... and set those: low 29 bits := 19930520h
mov dword ptr [ebp-28h],eax
lea eax,[ebp-28h]
mov dword ptr [ebp-4],eax ; hand the patched copy to the old handler
push dword ptr [ebp+14h] ; forward the four stack arguments unchanged (right-to-left)
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+8]
mov eax,dword ptr [ebp-4] ; eax = &copy
call __CxxFrameHandler
add esp,10h ; caller cleans the 4 args; eax (return) passes through
pop edi
pop esi
pop ebx
mov esp,ebp
pop ebp
ret
else
mov rax,rsp ; rax = rsp at entry; [rax+8..+20h] is the caller-provided 32-byte home area
mov qword ptr [rax+8],rbx ; spill callee-saved rbx/rbp/rsi into the home area ...
.savereg rbx, 50h ; ... 50h/58h/60h are the same slots measured from rsp after the prolog (matches the restores before ret)
mov qword ptr [rax+10h],rbp
.savereg rbp, 58h
mov qword ptr [rax+18h],rsi
.savereg rsi, 60h
push rdi
.pushreg rdi
push r12
.pushreg r12
push r13
.pushreg r13
sub rsp,30h ; 20h shadow space for the calls below + locals; entry 8 + 3 pushes + 30h leaves rsp 16-aligned
.allocstack 30h
.endprolog
mov dword ptr [rax+20h],40h ; [rsp+68h] := 40h (PAGE_EXECUTE_READWRITE), the flNewProtect used below. NOTE(review): the patched word is data, so PAGE_READWRITE (04h) would be sufficient; an RWX window on an image page is more than needed and is a pattern security tooling tends to flag - confirm.
mov rax,qword ptr [r9+38h] ; r9 = 4th arg; [r9+38h] -> pointer to a dword
mov rdi,r9 ; keep the four arguments across the calls below: r12=rcx, rbp=rdx, rsi=r8, rdi=r9
mov ebx,dword ptr [rax] ; ebx = that dword (an RVA, zero-extended into rbx)
mov rsi,r8
mov rbp,rdx
add rbx,qword ptr [r9+8] ; + base -> rbx = &FuncInfo (magic number is its first dword)
mov r12,rcx
mov eax,dword ptr [rbx]
and eax,1FFFFFFFh ; low 29 bits of the magic number
cmp eax,19930520h
je L140001261 ; already what the old handler expects: no patch needed (checked outside the lock; the patch is idempotent, so a concurrent patch is harmless)
mov r13d,1
mov eax,r13d
lock xadd dword ptr [ProtectFlag],eax ; eax = old value; ProtectFlag += 1
add eax,r13d ; eax = new value
cmp eax,r13d
je L140001217 ; raised it from 0 to 1: this thread owns the patch window
L1400011F0: ; contended: undo the increment, sleep 10 ms, retry
lock add dword ptr [ProtectFlag],0FFFFFFFFh
mov ecx,0Ah
call qword ptr [__imp_Sleep]
mov r11d,r13d
lock xadd dword ptr [ProtectFlag],r11d
add r11d,r13d
cmp r11d,r13d
jne L1400011F0
L140001217:
mov r8d,dword ptr [rsp+68h] ; flNewProtect = 40h (stored above)
mov r13d,4 ; dwSize = 4: only the magic-number dword
lea r9,[rsp+20h] ; lpflOldProtect -> local at [rsp+20h]
mov rdx,r13
mov rcx,rbx ; lpAddress = &FuncInfo
call qword ptr [__imp_VirtualProtect]
test eax,eax
je L140001259 ; VirtualProtect failed: skip the patch, release the lock, forward the record unchanged
and dword ptr [rbx],0F9930520h ; in place: low 29 bits := 19930520h, bits 29-31 kept
or dword ptr [rbx],19930520h
mov r8d,dword ptr [rsp+20h] ; restore the previous protection
lea r9,[rsp+68h] ; old-protect output reuses the now-unneeded 40h slot
mov rdx,r13
mov rcx,rbx
call qword ptr [__imp_VirtualProtect] ; return value not checked: if this fails the page keeps the 40h protection
L140001259:
lock add dword ptr [ProtectFlag],0FFFFFFFFh ; release the lock
L140001261:
mov r9,rdi ; forward the four original arguments
mov r8,rsi
mov rdx,rbp
mov rcx,r12
call qword ptr [__imp___CxxFrameHandler] ; rax (return) passes through
mov rbx,qword ptr [rsp+50h] ; restore from the home-area slots spilled in the prolog
mov rbp,qword ptr [rsp+58h]
mov rsi,qword ptr [rsp+60h]
add rsp,30h
pop r13
pop r12
pop rdi
ret
endif
__CxxFrameHandler3 endp
end ; end of module: the assembler ignores everything after this line (the base64 blobs below are not assembled)
;; ============================================================================
;;
;; Base64 encoding of the 32-bit build (assembled COFF object file)
;;
;; TAEFAKpsK0+6BAAADgAAAAAAAAAudGV4dAAAAAAAAAAAAAAATAAAANwAAAAoAQAAAAAAAAEAAAAg
;; ADBgLmRhdGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAwwC5kZWJ1ZyRTAAAAAAAA
;; AAAkAwAAMgEAAFYEAAAAAAAABAAAAEAAEEIuZGVidWckVAAAAAAAAAAAJAAAAH4EAAAAAAAAAAAA
;; AAAAAABAABBCLmRyZWN0dmUAAAAAAAAAABcAAACiBAAAAAAAAAAAAAAAAAAAAAoAAFWL7IPsKFNW
;; V/yJRfyLdfxqCVmNfdjzpYtF2CUgBZP5DSAFkxmJRdiNRdiJRfz/dRT/dRD/dQz/dQiLRfzoAAAA
;; AIPEEF9eW4vlXcM+AAAACwAAABQABAAAAPMAAAAxAAAAAGQ6XE1laHJkYWRcU25pcHBldHNcSGVh
;; ZGVyc1xDeHhGcmFtZUhhbmRsZXIuYXNtAAAAAPQAAAAYAAAAAQAAABAB8DroZFkJrE/xMKPC6oAr
;; tAAA8gAAACABAAAAAAAAAAAAAEwAAAAAAAAAIQAAABQBAAAAAAAALgAAgAAAAAAxAACAAQAAADIA
;; AIADAAAAMwAAgAYAAAA0AACABwAAADUAAIAIAAAANgAAgAkAAAA3AACACgAAADgAAIANAAAAOQAA
;; gBAAAAA6AACAEgAAADsAAIATAAAAPAAAgBYAAAA9AACAGAAAAD4AAIAbAAAAPwAAgCAAAABAAACA
;; JQAAAEEAAIAoAAAAQgAAgCsAAABDAACALgAAAEQAAIAxAAAARQAAgDQAAABGAACANwAAAEcAAIA6
;; AAAASAAAgD0AAABJAACAQgAAAEoAAIBFAAAASwAAgEYAAABMAACARwAAAE0AAIBIAAAATgAAgEoA
;; AABPAACASwAAAFAAAIDxAAAAkgEAAF0AAREAAAAAZDpcTWVocmRhZFxWaXN1YWwgU3R1ZGlvIFBy
;; b2plY3RzXFZpc3VhbCBDKytcVGVzdEV4Y2VwdGlvblxSZWxlYXNlXEN4eEZyYW1lSGFuZGxlci5v
;; YmoANwA8EQMAAAADAAAAAAAAAAAACQAAAAl4AQBNaWNyb3NvZnQgKFIpIE1hY3JvIEFzc2VtYmxl
;; cgAAugA9EQBjd2QAZDpcTWVocmRhZFxWaXN1YWwgU3R1ZGlvIFByb2plY3RzXFZpc3VhbCBDKytc
;; VGVzdEV4Y2VwdGlvbgBleGUAQzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxNaWNyb3NvZnQgVmlzdWFs
;; IFN0dWRpbyA5LjBcVkNcYmluXG1sLmV4ZQBzcmMALi5cLi5cLi5cU25pcHBldHNcSGVhZGVyc1xD
;; eHhGcmFtZUhhbmRsZXIuYXNtAAA4ABARAAAAAAAAAAAAAAAATAAAAAAAAABMAAAAARAAAAAAAAAA
;; AABfX0N4eEZyYW1lSGFuZGxlcjMAAgAGAAAAaAAAAA0AAAALAGwAAAANAAAACgAEAwAADAAAAAsA
;; CAMAAAwAAAAKAAQAAAAGAA4AAADy8Q4ACBADAAAAAAAAAAIQAAAGAAESAAAAAC9ERUZBVUxUTElC
;; Om1zdmNydC5saWIgAEBjb21wLmlkCXiVAP//AAADAC50ZXh0AAAAAAAAAAEAAAADAUwAAAABAAAA
;; AAAAAAAAAAAAAC5kYXRhAAAAAAAAAAIAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5kZWJ1ZyRTAAAA
;; AAMAAAADASQDAAAEAAAAAAAAAAAAAAAAAC5kZWJ1ZyRUAAAAAAQAAAADASQAAAAAAAAAAAAAAAAA
;; AAAAAC5kcmVjdHZlAAAAAAUAAAADARcAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAC
;; AAAAAAAXAAAAAAAAAAEAIAACACQkMDAwMDAwAAAAAAEAAAADACsAAABfX19DeHhGcmFtZUhhbmRs
;; ZXIAX19fQ3h4RnJhbWVIYW5kbGVyMwA=
;;
;; ============================================================================
;;
;; Base64 encoding of the 64-bit build (assembled COFF object file)
;;
;; ZIYHAClsK09mCAAAHAAAAAAAAAAudGV4dAAAAAAAAAAAAAAA/AAAACwBAAAoAgAAAAAAAAgAAAAg
;; AFBgLmRhdGEAAAAAAAAAAAAAAAQAAAB4AgAAAAAAAAAAAAAAAAAAQABQwC5wZGF0YQAAAAAAAAAA
;; AAAMAAAAfAIAAIgCAAAAAAAAAwAAAEAAMEAueGRhdGEAAAAAAAAAAAAAGAAAAKYCAAAAAAAAAAAA
;; AAAAAABAAEBALmRlYnVnJFMAAAAAAAAAALQEAAC+AgAAcgcAAAAAAAAQAAAAQAAQQi5kZWJ1ZyRU
;; AAAAAAAAAAAkAAAAEggAAAAAAAAAAAAAAAAAAEAAEEIuZHJlY3R2ZQAAAAAAAAAAMAAAADYIAAAA
;; AAAAAAAAAAAAAAAACgAASIvESIlYCEiJaBBIiXAYV0FUQVVIg+wwx0AgQAAAAEmLQThJi/mLGEmL
;; 8EiL6kkDWQhMi+GLAyX///8fPSAFkxkPhIoAAABBvQEAAABBi8XwD8EFAAAAAEEDxUE7xXQn8IMF
;; AAAAAP+5CgAAAP8VAAAAAEWL3fBED8EdAAAAAEUD3UU73XXZRItEJGhBvQQAAABMjUwkIEmL1UiL
;; y/8VAAAAAIXAdCKBIyAFk/mBCyAFkxlEi0QkIEyNTCRoSYvVSIvL/xUAAAAA8IMFAAAAAP9Mi89M
;; i8ZIi9VJi8z/FQAAAABIi1wkUEiLbCRYSIt0JGBIg8QwQV1BXF/DVAAAABQAAAAEAGMAAAAUAAAA
;; BQBvAAAAEgAAAAQAewAAABQAAAAEAJ8AAAARAAAABADFAAAAEQAAAAQAzAAAABQAAAAFAN8AAAAQ
;; AAAABAAAAAAAAAAAAPwAAAAAAAAAAAAAABUAAAADAAQAAAAVAAAAAwAIAAAAFgAAAAMAARgKABhS
;; FNASwBBwD2QMAAtUCwAHNAoABAAAAPMAAAAxAAAAAGQ6XE1laHJkYWRcU25pcHBldHNcSGVhZGVy
;; c1xDeHhGcmFtZUhhbmRsZXIuYXNtAAAAAPQAAAAYAAAAAQAAABABixH/EbiUlt5qSZhuEf+OjgAA
;; 8gAAABgCAAAAAAAAAAAAAPwAAAAAAAAAQAAAAAwCAAAAAAAALAAAgAAAAABSAACAAwAAAFMAAIAH
;; AAAAVQAAgAsAAABXAACADwAAAFkAAIAQAAAAWwAAgBIAAABdAACAFAAAAF8AAIAYAAAAYgAAgB8A
;; AABjAACAIwAAAGQAAIAmAAAAZQAAgCgAAABmAACAKwAAAGcAAIAuAAAAaAAAgDIAAABpAACANQAA
;; AGoAAIA3AAAAawAAgDwAAABsAACAQQAAAG0AAIBHAAAAbgAAgE0AAABvAACAUAAAAHAAAIBYAAAA
;; cQAAgFsAAAByAACAXgAAAHMAAIBgAAAAdQAAgGgAAAB2AACAbQAAAHcAAIBzAAAAeAAAgHYAAAB5
;; AACAfwAAAHoAAICCAAAAewAAgIUAAAB8AACAhwAAAH4AAICMAAAAfwAAgJIAAACAAACAlwAAAIEA
;; AICaAAAAggAAgJ0AAACDAACAowAAAIQAAIClAAAAhQAAgKcAAACGAACArQAAAIcAAICzAAAAiAAA
;; gLgAAACJAACAvQAAAIoAAIDAAAAAiwAAgMMAAACMAACAyQAAAI4AAIDRAAAAkAAAgNQAAACRAACA
;; 1wAAAJIAAIDaAAAAkwAAgN0AAACUAACA4wAAAJUAAIDoAAAAlgAAgO0AAACXAACA8gAAAJgAAID2
;; AAAAmQAAgPgAAACaAACA+gAAAJsAAID7AAAAnAAAgPEAAAAqAgAAYQABEQAAAABkOlxNZWhyZGFk
;; XFZpc3VhbCBTdHVkaW8gUHJvamVjdHNcVmlzdWFsIEMrK1xUZXN0RXhjZXB0aW9uXHg2NFxSZWxl
;; YXNlXEN4eEZyYW1lSGFuZGxlci5vYmoANwA8EQMAAADQAAAAAAAAAAAACQAAAAl4AQBNaWNyb3Nv
;; ZnQgKFIpIE1hY3JvIEFzc2VtYmxlcgAAxAA9EQBjd2QAZDpcTWVocmRhZFxWaXN1YWwgU3R1ZGlv
;; IFByb2plY3RzXFZpc3VhbCBDKytcVGVzdEV4Y2VwdGlvbgBleGUAQzpcUHJvZ3JhbSBGaWxlcyAo
;; eDg2KVxNaWNyb3NvZnQgVmlzdWFsIFN0dWRpbyA5LjBcVkNcYmluXGFtZDY0XG1sNjQuZXhlAHNy
;; YwBkOlxNZWhyZGFkXFNuaXBwZXRzXEhlYWRlcnNcQ3h4RnJhbWVIYW5kbGVyLmFzbQAAOAAQEQAA
;; AAAAAAAAAAAAAPwAAAAYAAAA/AAAAAEQAAAAAAAAAAAAX19DeHhGcmFtZUhhbmRsZXIzABQABREA
;; AAAAAAAATDE0MDAwMTFGMAAUAAURAAAAAAAAAEwxNDAwMDEyMTcAFAAFEQAAAAAAAABMMTQwMDAx
;; MjU5ABQABREAAAAAAAAATDE0MDAwMTI2MQACAAYAGAAMESIAAAAAAAAAAABQcm90ZWN0RmxhZwAW
;; AAwRIAAAAAAAAAAAACR4ZGF0YXN5bQAAAGgAAAAXAAAACwBsAAAAFwAAAAoACgQAABUAAAALAA4E
;; AAAVAAAACgAoBAAAGAAAAAsALAQAABgAAAAKAD4EAAAZAAAACwBCBAAAGQAAAAoAVAQAABoAAAAL
;; AFgEAAAaAAAACgBqBAAAGwAAAAsAbgQAABsAAAAKAIgEAAAUAAAACwCMBAAAFAAAAAoAogQAABYA
;; AAALAKYEAAAWAAAACgAEAAAABgAOAAAA8vEOAAgQAwAAAAAAAAACEAAABgABEgAAAAAvREVGQVVM
;; VExJQjprZXJuZWwzMi5saWIgL0RFRkFVTFRMSUI6bXN2Y3J0LmxpYiBAY29tcC5pZAl4lQD//wAA
;; AwAudGV4dAAAAAAAAAABAAAAAwH8AAAACAAAAAAAAAAAAAAAAAAuZGF0YQAAAAAAAAACAAAAAwEE
;; AAAAAAAAAAAAAAAAAAAAAAAucGRhdGEAAAAAAAADAAAAAwEMAAAAAwAAAAAAAAAAAAAAAAAueGRh
;; dGEAAAAAAAAEAAAAAwEYAAAAAAAAAAAAAAAAAAAAAAAuZGVidWckUwAAAAAFAAAAAwG0BAAAEAAA
;; AAAAAAAAAAAAAAAuZGVidWckVAAAAAAGAAAAAwEkAAAAAAAAAAAAAAAAAAAAAAAuZHJlY3R2ZQAA
;; AAAHAAAAAwEwAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAgAAAAAAFgAAAAAAAAAA
;; AAAAAgAAAAAALgAAAAAAAAAAAAAAAgAAAAAAQwAAAAAAAAAAAAAAAgAAAAAATwAAAAAAAAAAAAAA
;; AgAAAAAAYAAAAAAAAAACAAAAAwAAAAAAbAAAAAAAAAABACAAAgAAAAAAfwAAAAAAAAAEAAAAAwAk
;; JDAwMDAwMAAAAAABAAAAAwAAAAAAiQAAAGAAAAABAAAABgAAAAAAlAAAAIcAAAABAAAABgAAAAAA
;; nwAAAMkAAAABAAAABgAAAAAAqgAAANEAAAABAAAABgC1AAAAX19DeHhGcmFtZUhhbmRsZXIAX19p
;; bXBfX19DeHhGcmFtZUhhbmRsZXIAX19pbXBfVmlydHVhbFByb3RlY3QAX19pbXBfU2xlZXAAX19p
;; bXBfR2V0VmVyc2lvbgBQcm90ZWN0RmxhZwBfX0N4eEZyYW1lSGFuZGxlcjMAJHhkYXRhc3ltAEwx
;; NDAwMDExRjAATDE0MDAwMTIxNwBMMTQwMDAxMjU5AEwxNDAwMDEyNjEA