I'm trying to reverse-engineer the Visual C++ 2008 SEH handler named __CxxFrameHandler3
to provide an implementation which can delegate the result to (the older version of) __CxxFrameHandler
in msvcrt.dll
.
(This page and this page have great details about msvcrt.dll
and SEH.)
Note: msvcrt_winxp.obj
(32-bit) and msvcrt_win2003.obj
(64-bit) already do the same thing -- they are part of the Windows Driver Kit 7.1. However, they are also bundled with a lot of other code, which messes up my linker.
I have been successful with disassembling the 32-bit version (msvcrt_winxp.obj
), extracting __CxxFrameHandler3
, and creating an alternative that provides the appropriate implementation.
However, I have run into a problem with the 64-bit version (msvcrt_win2003.obj
):
Even though my 64-bit implementation looks exactly the same, it doesn't work -- but the one provided by Microsoft indeed works.
This is the 32-bit version (which works correctly):
.386
.model flat, c
option dotname
extern __CxxFrameHandler: PROC
.code
includelib msvcrt.lib
public __CxxFrameHandler3
__CxxFrameHandler3:
push ebp
mov ebp,esp
sub esp,28h
push ebx
push esi
push edi
cld
mov dword ptr [ebp-4],eax
mov esi,dword ptr [ebp-4]
push 9
pop ecx
lea edi,[ebp-28h]
rep movs dword ptr es:[edi],dword ptr [esi]
mov eax,dword ptr [ebp-28h]
and eax,0F9930520h
or eax,019930520h
mov dword ptr [ebp-28h],eax
lea eax,[ebp-28h]
mov dword ptr [ebp-4],eax
push dword ptr [ebp+14h]
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+8]
mov eax,dword ptr [ebp-4]
call __CxxFrameHandler
add esp,10h
pop edi
pop esi
pop ebx
mov esp,ebp
pop ebp
ret
end
This is the (problematic) 64-bit version:
;; Compiled with:
;; ml64.exe /Fo"$(InputName).obj" /c /nologo /W3 /Zi /Ta "$(InputPath)"
option dotname
extern __CxxFrameHandler: PROC
extern __imp___CxxFrameHandler: PROC
extern __imp_VirtualProtect: PROC
extern __imp_Sleep: PROC
extern __imp_GetVersion: PROC
.data
ProtectFlag dd ?
.code
includelib kernel32.lib
includelib msvcrt.lib
public __CxxFrameHandler3
__CxxFrameHandler3:
mov rax,rsp
mov qword ptr [rax+8],rbx
mov qword ptr [rax+10h],rbp
mov qword ptr [rax+18h],rsi
push rdi
push r12
push r13
sub rsp,30h
mov dword ptr [rax+20h],40h
mov rax,qword ptr [r9+38h]
mov rdi,r9
mov ebx,dword ptr [rax]
mov rsi,r8
mov rbp,rdx
add rbx,qword ptr [r9+8]
mov r12,rcx
mov eax,dword ptr [rbx]
and eax,1FFFFFFFh
cmp eax,19930520h
je L140001261
mov r13d,1
mov eax,r13d
lock xadd dword ptr [ProtectFlag],eax
add eax,r13d
cmp eax,r13d
je L140001217
L1400011F0:
lock add dword ptr [ProtectFlag],0FFFFFFFFh
mov ecx,0Ah
call qword ptr [__imp_Sleep]
mov r11d,r13d
lock xadd dword ptr [ProtectFlag],r11d
add r11d,r13d
cmp r11d,r13d
jne L1400011F0
L140001217:
mov r8d,dword ptr [rsp+68h]
mov r13d,4
lea r9,[rsp+20h]
mov rdx,r13
mov rcx,rbx
call qword ptr [__imp_VirtualProtect]
test eax,eax
je L140001259
and dword ptr [rbx],0F9930520h
or dword ptr [rbx],19930520h
mov r8d,dword ptr [rsp+20h]
lea r9,[rsp+68h]
mov rdx,r13
mov rcx,rbx
call qword ptr [__imp_VirtualProtect]
L140001259:
lock add dword ptr [ProtectFlag],0FFFFFFFFh
L140001261:
mov r9,rdi
mov r8,rsi
mov rdx,rbp
mov rcx,r12
call qword ptr [__imp___CxxFrameHandler]
mov rbx,qword ptr [rsp+50h]
mov rbp,qword ptr [rsp+58h]
mov rsi,qword ptr [rsp+60h]
add rsp,30h
pop r13
pop r12
pop rdi
ret
end
Microsoft's implementation (extracted with DumpBin
on lib\wnet\amd64\msvcrt_win2003.obj
) is:
__CxxFrameHandler3:
0x0000: 48 8B C4 mov rax,rsp
0x0003: 48 89 58 08 mov qword ptr [rax+8],rbx
0x0007: 48 89 68 10 mov qword ptr [rax+10h],rbp
0x000B: 48 89 70 18 mov qword ptr [rax+18h],rsi
0x000F: 57 push rdi
0x0010: 41 54 push r12
0x0012: 41 55 push r13
0x0014: 48 83 EC 30 sub rsp,30h
0x0018: C7 40 20 40 00 00 mov dword ptr [rax+20h],40h
00
0x001F: 49 8B 41 38 mov rax,qword ptr [r9+38h]
0x0023: 49 8B F9 mov rdi,r9
0x0026: 8B 18 mov ebx,dword ptr [rax]
0x0028: 49 8B F0 mov rsi,r8
0x002B: 48 8B EA mov rbp,rdx
0x002E: 49 03 59 08 add rbx,qword ptr [r9+8]
0x0032: 4C 8B E1 mov r12,rcx
0x0035: 8B 03 mov eax,dword ptr [rbx]
0x0037: 25 FF FF FF 1F and eax,1FFFFFFFh
0x003C: 3D 20 05 93 19 cmp eax,19930520h
0x0041: 0F 84 8A 00 00 00 je 0x00D1
0x0047: 41 BD 01 00 00 00 mov r13d,1
0x004D: 41 8B C5 mov eax,r13d
0x0050: F0 0F C1 05 00 00 lock xadd dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],eax
00 00
0x0058: 41 03 C5 add eax,r13d
0x005B: 41 3B C5 cmp eax,r13d
0x005E: 74 27 je 0x0087
0x0060: F0 83 05 00 00 00 lock add dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],0FFFFFFFFh
00 FF
0x0068: B9 0A 00 00 00 mov ecx,0Ah
0x006D: FF 15 00 00 00 00 call qword ptr [__imp_Sleep]
0x0073: 45 8B DD mov r11d,r13d
0x0076: F0 44 0F C1 1D 00 lock xadd dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],r11d
00 00 00
0x007F: 45 03 DD add r11d,r13d
0x0082: 45 3B DD cmp r11d,r13d
0x0085: 75 D9 jne 0x0060
0x0087: 44 8B 44 24 68 mov r8d,dword ptr [rsp+68h]
0x008C: 41 BD 04 00 00 00 mov r13d,4
0x0092: 4C 8D 4C 24 20 lea r9,[rsp+20h]
0x0097: 49 8B D5 mov rdx,r13
0x009A: 48 8B CB mov rcx,rbx
0x009D: FF 15 00 00 00 00 call qword ptr [__imp_VirtualProtect]
0x00A3: 85 C0 test eax,eax
0x00A5: 74 22 je 0x00C9
0x00A7: 81 23 20 05 93 F9 and dword ptr [rbx],0F9930520h
0x00AD: 81 0B 20 05 93 19 or dword ptr [rbx],19930520h
0x00B3: 44 8B 44 24 20 mov r8d,dword ptr [rsp+20h]
0x00B8: 4C 8D 4C 24 68 lea r9,[rsp+68h]
0x00BD: 49 8B D5 mov rdx,r13
0x00C0: 48 8B CB mov rcx,rbx
0x00C3: FF 15 00 00 00 00 call qword ptr [__imp_VirtualProtect]
0x00C9: F0 83 05 00 00 00 lock add dword ptr [?ProtectFlag@?1??__CxxFrameHandler3@@9@9],0FFFFFFFFh
00 FF
0x00D1: 4C 8B CF mov r9,rdi
0x00D4: 4C 8B C6 mov r8,rsi
0x00D7: 48 8B D5 mov rdx,rbp
0x00DA: 49 8B CC mov rcx,r12
0x00DD: FF 15 00 00 00 00 call qword ptr [__imp___CxxFrameHandler]
0x00E3: 48 8B 5C 24 50 mov rbx,qword ptr [rsp+50h]
0x00E8: 48 8B 6C 24 58 mov rbp,qword ptr [rsp+58h]
0x00ED: 48 8B 74 24 60 mov rsi,qword ptr [rsp+60h]
0x00F2: 48 83 C4 30 add rsp,30h
0x00F6: 41 5D pop r13
0x00F8: 41 5C pop r12
0x00FA: 5F pop rdi
0x00FB: C3 ret
When I try debugging both formats, as soon as I reach the line that says push r12
, the call stack in Visual Studio becomes messed up in my version (superficial entries pointing to invalid addresses pop up in between stack frames), but it's completely fine at the same point in Microsoft's version.
And indeed, when I allow execution to continue, my program crashes inside __CxxFrameHandler
with my version, but works completely fine with Microsoft's version.
The program I'm testing both sources with is:
int main()
{
try
{
// Dummy condition to prevent any optimizations.
// Always throws.
if (GetVersion() != 0)
throw 1;
}
catch (...) { }
if (GetVersion() != 0) { _tprintf(_T("Hi!\n")); }
return 0;
}
with the appropriate compiler flags (/MD /GS- /Od
).
Therefore I can't figure out:
Why would my code, which is supposed to be exactly the same as the provided implementation, cause an access violation inside msvcrt
's __CxxFrameHandler
?
A base64 encoding of the programs is here, so that you can see the actual binaries generated.
My bad version:
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADNS1fHiSo5lIkqOZSJKjmU/7dClIsqOZSJKjiUgSo5lIBSqpSKKjmUgFK9lIsqOZSAUqyUiCo5lIBSqJSIKjmUUmljaIkqOZQAAAAAAAAAAFBFAABkhgQAtkwrTwAAAAAAAAAA8AAjAAsCCQAAAgAAAAgAAAAAAAAAEAAAABAAAAAAAEABAAAAABAAAAACAAAFAAIAAAAAAAUAAgAAAAAAAFAAAAAEAAAAAAAAAwAAgAAAEAAAAAAAABAAAAAAAAAAABAAAAAAAAAQAAAAAAAAAAAAABAAAAAAAAAAAAAAAPwhAAA8AAAAAAAAAAAAAAAAQAAAJAAAAAAAAAAAAAAAAAAAAAAAAABQIAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAArQEAAAAQAAAAAgAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAACYDAAAAIAAAAAQAAAAGAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAAAkAAAAADAAAAACAAAACgAAAAAAAAAAAAAAAAAAQAAAwC5wZGF0YQAAJAAAAABAAAAAAgAAAAwAAAAAAAAAAAAAAAAAAEAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7DhIx0QkKP7/////FfUPAACFwHQax0QkIAEAAABIjRWCEQAASI1MJCDoHAEAAJD/FdEPAACFwHQNSI0NLhAAAP8V+A8AADPASIPEOMPMSIvESIlYCEiJaBBIiXAYV0FUQVVIg+wwx0AgQAAAAEmLQThJi/mLGEmL8EiL6kkDWQhMi+GLAyX///8fPSAFkxkPhIoAAABBvQEAAABBi8XwD8EFeB8AAEEDxUE7xXQn8IMFaB8AAP+5CgAAAP8VTQ8AAEWL3fBED8EdUR8AAEUD3UU73XXZRItEJGhBvQQAAABMjUwkIEmL1UiLy/8VDQ8AAIXAdCKBIyAFk/mBCyAFkxlEi0QkIEyNTCRoSYvVSIvL/xXnDgAA8IMF/x4AAP9Mi89Mi8ZIi9VJi8z/Fe0OAABIi1wkUEiLbCRYSIt0JGBIg8QwQV1BXF/D/yXWDgAAzMxIiVwkCFdIg+wgi9pIi/n/FccOAAD2wwF0CEiLz+gOAAAASIvHSItcJDBIg8QgX8P/Ja4OAADMzMzMzMxIiVQkEFVIg+wgSIvqSI0Fjf7//+sASIPEIF3DzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/iIAAAAAAADwIgAAAAAAABAjAAAAAAAAAAAAAAAAAACoIgAAAAAAAJIiAAAAAAAA2CIAAAAAAADIIgAAAAAAAIgiAAAAAAAAAAAAAAAAAAAAAAAAtkwrTwAAAAACAAAAcQAAALAgAACwBgAAAAAAAEgAaQAhAAoAAAAAAAAAAAAiBZMZAgAAACQhAAABAAAASCEAAAQAAAB8IQAAKAAAAAAAAAABAAAAVBEAQAEAAABSU0RTc7+xwtuLCUaAlir7sdahtB4AAABkOlxNZWhyZGFkXFZpc3VhbCBTdHVkaW8gUHJvamVjdHNcVmlzdWFsIEMrK1xUZXN0RXhjZXB0aW9uXHg2NFxSZWxlYXNlXFRlc3RFeGNlcHRpb24ucGRi
AAAAAP////8AAAAA/////wAAAABAAAAAAAAAAAAAAACQEQAAOAAAAAAAAAAAAAAAAQAAAAEAAAA0IQAAGQ0BAARiAABQEAAAgCAAABkKAgAKMgZQUBAAAIAgAAAAEAAA/////w0QAAAAAAAAMRAAAP////+QEQAAAAAAAAEKBAAKNAYACjIGcAAAAAAAAAAAAAAAAMghAAAAAAAAAAAAAAAAAAAAAAAAAQAAANghAAAAAAAAAAAAAAEAAAAAMAAAAAAAAP////8AAAAABAAAAAAAAAAAAAAAAAAAAFgiAAAAAAAAAAAAALwiAAAgIAAAOCIAAAAAAAAAAAAAGCMAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP4iAAAAAAAA8CIAAAAAAAAQIwAAAAAAAAAAAAAAAAAAqCIAAAAAAACSIgAAAAAAANgiAAAAAAAAyCIAAAAAAACIIgAAAAAAAAAAAAAAAAAADgV3cHJpbnRmAEwAX0N4eFRocm93RXhjZXB0aW9uAABVAF9fQ3h4RnJhbWVIYW5kbGVyAG1zdmNydC5kbGwAABUAPz8zQFlBWFBFQVhAWgASAD8/MXR5cGVfaW5mb0BAVUVBQUBYWgDqAUdldFZlcnNpb24AAI0DVmlydHVhbFByb3RlY3QAAF0DU2xlZXAAS0VSTkVMMzIuZGxsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKggAEABAAAAAAAAAAAAAAAuSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAE8QAABcIQAAVBEAAIQRAACcIQAAkBEAAK0RAABsIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Microsoft's version:
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACIW0OjzDot8Mw6LfDMOi3wuqdW8Mg6LfDFQrjwzTot8MVCrvD+Oi3wzDos8Ig6LfDFQr7wzzot8MVCqfDcOi3w6/xT8M06LfDFQrzwzTot8FJpY2jMOi3wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAGSGBACQTCtPAAAAAAAAAADwACMACwIJAAAEAAAAEgAAAAAAAAAQAAAAEAAAAAAAQAEAAAAAEAAAAAIAAAUAAgAAAAAABQACAAAAAAAAUAAAAAQAAAAAAAADAACAAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAzCIAAFAAAAAAAAAAAAAAAABAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAJAgAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAACQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAAdAwAAABAAAAAEAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAA/AQAAAAgAAAABgAAAAgAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAKAIAAAAMAAAAAQAAAAOAAAAAAAAAAAAAAAAAABAAADALnBkYXRhAAA8AAAAAEAAAAACAAAAEgAAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7DhIx0QkKP7/////FfUPAACFwHQax0QkIAEAAABIjRVSEgAASI1MJCDoHAEAAJD/FdEPAACFwHQNSI0NbhAAAP8VGBAAADPASIPEOMPMSIvESIlYCEiJaBBIiXAYV0FUQVVIg+wwx0AgQAAAAEmLQThJi/mLGEmL8EiL6kkDWQhMi+GLAyX///8fPSAFkxkPhIoAAABBvQEAAABBi8XwD8EFeCIAAEEDxUE7xXQn8IMFaCIAAP+5CgAAAP8VbQ8AAEWL3fBED8EdUSIAAEUD3UU73XXZRItEJGhBvQQAAABMjUwkIEmL1UiLy/8VDQ8AAIXAdCKBIyAFk/mBCyAFkxlEi0QkIEyNTCRoSYvVSIvL/xXnDgAA8IMF/yEAAP9Mi89Mi8ZIi9VJi8z/FR0PAABIi1wkUEiLbCRYSIt0JGBIg8QwQV1BXF/D/yUGDwAAzMxIiVwkCFdIg+wgi9pIi/n/Fd8OAAD2wwF0CEiLz+hKAAAASIvHSItcJDBIg8QgX8PMzMzMzMzMzMzMzMzMzMzMzMxmZg8fhAAAAAAASDsNcR4AAHUSSMHBEGb3wf//dQPCAABIwckQ6QgAAAD/JXoOAADMzEiJTCQISIHsiAAAAEiNDfUhAAD/FY8OAABMix3gIgAATIlcJFhFM8BIjVQkYEiLTCRY6PEAAABIiUQkUEiDfCRQAHRBSMdEJDgAAAAASI1EJEhIiUQkMEiNRCRASIlEJChIjQWgIQAASIlEJCBMi0wkUEyLRCRYSItUJGAzyeifAAAA6yJIi4QkiAAAAEiJBWwiAABIjYQkiAAAAEiDwAhIiQX5IQAASIsFUiIAAEiJBcMgAABIi4QkkAAAAEiJBcQhAADHBZogAAAJBADAxwWUIAAAAQAAAEiLBXEdAABIiUQkaEiLBW0dAABIiUQkcDPJ/xVoDQAASI0NKQ4AAP8VUw0AAP8VRQ0AALoJBADASIvI/xUvDQAASIHEiAAAAMPM/yWQDQAA/yWCDQAAzMzMzMzMzMzMzEiJVCQQVUiD7CBIi+pIjQUd/f//6wBIg8QgXcPMAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAByJAAAAAAAAGQkAAAAAAAAjCQAAAAAAACgJAAAAAAAALQkAAAAAAAA0CQAAAAAAACEJAAAAAAAAAAAAAAAAAAA8CMAAAAAAAAAJAAAAAAAANAjAAAAAAAAuiMAAAAAAACwIwAAAAAAAAAAAAAAAAAARiQAAAAAAAAsJAAAAAAAABgkAAAAAAAAAAAAAAAAAAAAAAAAkEwrTwAAAAACAAAAcQAAAFwhAABcCQAAAAAAAEgAaQAhAAoAAAAAAAAAAAAiBZMZAgAAANAhAAABAAAA9CEAAAQAAAAoIgAAKAAAAAAAAAABAAAAVBEAQAEAAAAwMwBAAQAAANAzAEABAAAABoCAhoCBgAAAEAOGgIaCgBQFBUVFRYWFhQUAADAwgFCAgAAIACgnOFBXgAAHADcwMFBQiAAAACAogIiAgAAAAGBgYGhoaAgIB3hwcHdwcAgIAAAIAAgABwgAAABSU0RTc7+xwtuLCUaAlir7sdahtBwAAABkOlxNZWhyZGFkXFZpc3VhbCBTdHVkaW8gUHJvamVjdHNcVmlzdWFsIEMrK1xUZXN0RXhjZXB0aW9uXHg2NFxSZWxlYXNlXFRlc3RFeGNlcHRpb24ucGRiAAAAAP////8AAAAA/////wAAAABAAAAAAAAAAAAAAAAAEwAAOAAAAAAAAAAAAAAAAQAAAAEAAADgIQAAGQ0BAARiAABQEAAAwCAAABkKAgAKMgZQUBAAAMAgAAAAEAAA/////w0QAAAAAAAAMRAAAP////8AEwAAAAAAAAEYCgAYZAwAGFQLABg0CgAYUhTQEsAQcAEKBAAKNAYACjIGcAEMAgAMAREAAAAAAAAAAAAAAAAAAAAAAJgiAAAAAAAAAAAAAAAAAAAAAAAAAQAAAKgiAAAAAAAAAAAAAAEAAAAAMAAA
AAAAAP////8AAAAABAAAAAAAAAAAAAAAAAAAAGAjAAAAAAAAAAAAAOQjAABAIAAAkCMAAAAAAAAAAAAAWiQAAHAgAAAgIwAAAAAAAAAAAADuJAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHIkAAAAAAAAZCQAAAAAAACMJAAAAAAAAKAkAAAAAAAAtCQAAAAAAADQJAAAAAAAAIQkAAAAAAAAAAAAAAAAAADwIwAAAAAAAAAkAAAAAAAA0CMAAAAAAAC6IwAAAAAAALAjAAAAAAAAAAAAAAAAAABGJAAAAAAAACwkAAAAAAAAGCQAAAAAAAAAAAAAAAAAAA4Fd3ByaW50ZgBMAF9DeHhUaHJvd0V4Y2VwdGlvbgAAVQBfX0N4eEZyYW1lSGFuZGxlcgBtc3ZjcnQuZGxsAAAVAD8/M0BZQVhQRUFYQFoAEgA/PzF0eXBlX2luZm9AQFVFQUFAWFoAnwNSdGxWaXJ0dWFsVW53aW5kAADtAlJ0bExvb2t1cEZ1bmN0aW9uRW50cnkAANUBUnRsQ2FwdHVyZUNvbnRleHQAbnRkbGwuZGxsAOoBR2V0VmVyc2lvbgAAjQNWaXJ0dWFsUHJvdGVjdAAAXQNTbGVlcABlA1Rlcm1pbmF0ZVByb2Nlc3MAAEUBR2V0Q3VycmVudFByb2Nlc3MAdQNVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAAFEDU2V0VW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAEtFUk5FTDMyLmRsbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADoIABAAQAAAAAAAAAAAAAALkgAAAAAAAAyot8tmSsAAM1dINJm1P//dZgAAAAAAAAABAAAAfz//zUAAAALAAAA
QAAAAP8DAACAAAAAgf///xgAAAAIAAAAIAAAAH8AAAAAAAAAAAAAAACgAkAAAAAAAAAAAADIBUAAAAAAAAAAAAD6CEAAAAAAAAAAAECcDEAAAAAAAAAAAFDDD0AAAAAAAAAAACT0EkAAAAAAAAAAgJaYFkAAAAAAAAAAILy+GUAAAAAAAAS/yRuONEAAAACh7czOG8LTTkAg8J61cCuorcWdaUDQXf0l5RqOTxnrg0BxlteVQw4FjSmvnkD5v6BE7YESj4GCuUC/PNWmz/9JH3jC00BvxuCM6YDJR7qTqEG8hWtVJzmN93DgfEK83Y7e+Z37636qUUOh5nbjzPIpL4SBJkQoEBeq+K4Q48XE+kTrp9Tz9+vhSnqVz0VlzMeRDqauoBnjo0YNZRcMdYGGdXbJSE1YQuSnkzk7Nbiy7VNNp+VdPcVdO4ueklr/XabwoSDAVKWMN2HR/Ytai9glXYn522eqlfjzJ7+iyF3dgG5MyZuXIIoCUmDEJXUAAAAAzczNzMzMzMzMzPs/cT0K16NwPQrXo/g/WmQ730+Nl24Sg/U/w9MsZRniWBe30fE/0A8jhEcbR6zFp+4/QKa2aWyvBb03hus/Mz28Qnrl1ZS/1uc/wv39zmGEEXfMq+Q/L0xb4U3EvpSV5sk/ksRTO3VEzRS+mq8/3me6lDlFrR6xz5Q/JCPG4ry6OzFhi3o/YVVZwX6xU3wSu18/1+4vjQa+koUV+0Q/JD+l6TmlJ+p/qCo/fayh5LxkfEbQ3VU+Y3sGzCNUd4P/kYE9kfo6GXpjJUMxwKw8IYnROIJHl7gA/dc73IhYCBux6OOGpgM7xoRFQge2mXU32y46M3Ec0iPbMu5JkFo5poe+wFfapYKmorUy4miyEadSn0RZtxAsJUnkLTY0T1Ouzmslj1kEpMDewn376MYenueIWleRPL9QgyIYTktlYv2Dj68GlH0R5C3en87SyATdptgKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAE8QAAAIIgAAUBAAAEwRAABIIgAAVBEAAIQRAABgIgAAyBEAAOkSAABsIgAAABMAAB0TAAAYIgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Edit:
For those curious, I found the solution, thanks to Raymond's link.
It turned out that I needed to replace
__CxxFrameHandler3:
mov rax,rsp
mov qword ptr [rax+8],rbx
mov qword ptr [rax+10h],rbp
mov qword ptr [rax+18h],rsi
push rdi
push r12
push r13
sub rsp,30h
mov dword ptr
; more code
with
__CxxFrameHandler3 proc frame
mov rax,rsp
mov qword ptr [rax+8],rbx
.savereg rbx, 50h
mov qword ptr [rax+10h],rbp
.savereg rbp, 58h
mov qword ptr [rax+18h],rsi
.savereg rsi, 60h
push rdi
.pushreg rdi
push r12
.pushreg r12
push r13
.pushreg r13
sub rsp,30h
.allocstack 30h
.endprolog
mov dword ptr
; more code
__CxxFrameHandler3 endp
msvcrt_win2003.obj
, or something else?) The version provided by Microsoft seems to perform a translation of the SEH exception handling info just fine (the exact same compiler and the exact same flags), so why wouldn't mine work? (The only thing I can imagine might be different is the ProtectFlag, but I've looked at every PE segment feature/flag that I could thing of, and I haven't seen any difference...) – Horology