On 2026-3-4 03:53, Pali Rohár wrote:
> Hello, I did not look into that source code as I do not think it is a good idea.
(Sorry, sent prematurely.) Right. However nobody (even Microsoft) has withdrawn or disabled it, at least for now. It can't be denied. Analyzing such code for nonprofit purposes is fair use, unless it would cause damage or something.
7c50abac <BaseAttachCompleteThunk>:
7c50abac: 89 84 24 b4 00 00 00    movl  %eax, 0xb4(%esp)
7c50abb3: 89 ac 24 b8 00 00 00    movl  %ebp, 0xb8(%esp)
7c50abba: e8 f3 33 00 00          calll 0x7c50dfb2
7c50abbf: 90                      nop

(anonymous function):
7c50dfb2: 55                      pushl %ebp
7c50dfb3: 8b ec                   movl  %esp, %ebp
7c50dfb5: 51                      pushl %ecx
The first piece of code is
_BaseAttachCompleteThunk PROC PUBLIC PROTO STDCALL, parmcount:0
mov [esp+4].CsEax, eax
mov [esp.4].CsEbp, ebp
call _BaseAttachComplete@4
_BaseAttachCompleteThunk ENDP
... which doesn't return. The second piece of code is a different function which takes 12 bytes of
arguments, which explains `@12` in the comments in our DEF.
`[esp+4].CsEax` is a weird but valid alternative for `[esp + 4 + CsEax]`. `esp + 4` points into the incoming argument area, so this looks like the 'argument' is a sort of context structure that is passed by value, and the function stores EAX and EBP into individual fields of that argument.
The function itself is declared stdcall with no argument.

--
Best regards,
LIU Hao
_______________________________________________
Mingw-w64-public mailing list
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public
