| $entry =~ s/\[([0-9]+)\]/_$1/g;
$entry =~ s/\[.*$/_$rva/;
$entry =~ s/;.*$//;
$entry =~ s/^\s *//;
next if !$entry;
printf "MakeName(0x%x, \"$entry\");\n", $rva, $entry;
}
print "}\n";
}
1;
有些程序在检验注册码时通过抛出异常等行为确定是否注册成功,关于异常Matt Pietrek有一篇著名文章http://www.microsoft.com/msj/0197/Exception/Exception.aspx值得一读。从汇编代码上看,所有try/catch块都有类似的结构:
CODE:004BDE4C xor eax, eax
CODE:004BDE4E push ebp
CODE:004BDE4F push offset loc_4BDE92
CODE:004BDE54 push dword ptr fs:[eax] ; 保存上一个handler
CODE:004BDE57 mov fs:[eax], esp
CODE:004BDE92 loc_4BDE92:
CODE:004BDE92 jmp _Any2_Handler_DevErr?
CODE:004BDE97 jmp short loc_4BDE89
CODE:004BDEEA pop edx ; 上一个handler
CODE:004BDEEB pop ecx
CODE:004BDEEC pop ecx
CODE:004BDEED mov fs:[eax], edx ; 恢复
注意到4BDE97H处代码未被执行,这是怎么回事呢?原来它是finally对应的块,SEH内核会根据push offset loc_4BDE92自动得到4BDE97H的finally入口地址。因此在调试有异常处理的程序时,有时需要在handler和finally的处理程序处也设置断点。
今天先到这里,可能的话下次再贴。
上一页 [1] [2] | 
