Seh In addition to 0 exception handling and value passing, reference passing assembly talking about

Share notes
Filter function (called by __except (filtered expression) after an exception occurs)

  DWORD Filters (DWORD code, Pexception_pointers exceptioninfo) {/* This is just a test that captures what type of exception (depending on the situation) is determined by the condition, except for the 0 exception.    Switch (Code) {//Memory access exception case Exception_access_violation:break;        Except for 0 exception case Status_integer_divide_by_zero: {int a = 10; 012C44E1 mov dword ptr[ebp-0ch], 0AH//change the address of the ECX pexception_pointers structure record the abnormal environment exceptioninfo-& Gt        CONTEXTRECORD->ECX = (DWORD) &a; 012C44E8 mov eax, DWORD PTR[EBP + 0Ch]//012C44EB mov ecx, DWORD Ptr[eax + 4]//012C4 4EE Lea edx, [ebp-0ch]//012C44F1 mov DWORD ptr[ecx + 000000ACh], edx//above understanding not thorough hope to understand old iron    The explanation is basically found [ecx + 000000ACh], local variable 10 address substitution} break; }//Continue to execute the command of the production exception, at the time of execution [ECX] access to the local variable 10, so the normal execution//012C44F7 or EAX, 0FFFFFFFFh return Exception_continu e_execution;}  

// 除法（异常）函数int* Div(int *a, int  *b){    int c = *a / *b;    /*     汇编代码：        1. 为int c开辟一个空间            013642F5  mov         dword ptr [ebp-4],eax         2. 入栈的是地址 保存的第一个参数的地址[ebp+8] 根据函数调用约定 右->左入栈            013642F8  mov         eax,dword ptr [ebp+8]     3. 十进制：10              013642FB  mov         ecx,dword ptr [ebp+0Ch]   4. 十进制： 0        5. 会发现除法也好 加法也好总会先保存到一个寄存器中（一般是指令默认操作寄存器）            013642FE  mov         eax,dword ptr [eax]          6. 数据扩展指令,将双字数据扩展为四字类型            01364300  cdq          7. 有符号除法指令 结果保存到eax中            01364301  idiv        eax,dword ptr [ecx]        8. 因为是除0 会出现异常处理 原因是因为[ecx]中保存数值为0    */    // 这时候b没有变 变得只是寄存器里面的地址把b的地址替换成了自定义的局部变量int a = 10的地址    // 所以正常运行 返回 10 / 10 = 1    return &c;    //  warning C4172 : 返回局部变量或临时变量的地址 EAX寄存器保存}

Main function

int main (int argc, char** argv) {//seh:struct Except Handler Structured exception handling a mechanism of Microsoft handling exceptions __try {int a = 10;              int b = 0;        int *p = Div (&a, &b); /* Description: Add ESP from the balanced stack, the 8 function takes the Cdcel c calling convention, into the stack order right to the left, and can know that the argument goes in is two parameters balance stack size 8 bytes (There is a fun call stack backtracking, find the caller function) 1.        function prototypes: int Div (int a, int b);            2. Call: Div (&a, &b); 1.1 Second parameter address in stack 0 01386240 Lea eax,[ebp-30h] 01386243 push EAX 1.2 second parameter            Address into the stack 01386244 lea ECX, [ebp-24h] 01386247 push ecx 1.3 Call function div 01386248 call Div (01381483H) 1.4 Caller Balance Stack 0138624D add esp, 8 ======== ================================================== 1.        function prototypes: int Div (int a, int b);        2. Call: Div (A, B). 3. You can find that each parameter into the stack of the assembly instructions are two instructions, the difference is the stack address and the number of immediately into the stack 002e617d mov eax, DWORD ptr[ebp-2ch] 002E6180 PU   SH eax         002E6181 mov ecx, DWORD ptr[ebp-20h] 002E6184 push ecx 002E6185 Call        002E14BF 002e618a Add ESP, 8 ==========================================================        1. function prototype int Div (int &a, int &b); 2. Call: Div (A, b); Reference in the assembly of the time of the argument how 00126180 Lea eax,[ebp-30h] 00126183 push eax 00126184 le   A ecx,[ebp-24h] 00126187 push ecx 00126188 call 001214c4 0012618D            Add esp,8 Conclusion: In fact, the reference and pointer in the function of the argument, the assembly to see no difference, but the syntax is actually constrained to see again: int ncount = 1;        int &nvar = ncount; The assembly is as follows: 00c76172 mov dword ptr [ebp-24h],1 00c76179 Lea eax,[ebp-24h] 00C        7617C mov dword ptr [Ebp-30h],eax refers to the address of the referenced variable that is saved in the memory that it opens.    */cout << "normal execution of A/b:" << *p << Endl; }//Catch exception filter expression atDaniel here is a function//00059135 call 000510D7//0f963922 call ECX//0f969263 call 0f963912/ /76FF34BF calls ECX//76ff348e call 76ff349b//probably after the level RET returns to Div return where the function __exce is not seen by vs    PT (Filters (GetExceptionCode (), GetExceptionInformation ())) {cout << "anomaly block" << Endl;    } system ("Pause"); return 0;}

Some notes about pointers vs. type offsets
C + + code:

    char Arrnumber[][2] = { "1", "2", "3", "4", };    int* p = (int *)Arrnumber;    p += 1;    char* p1 = Arrnumber[0];    p1 += 1;    short* p2 = (short *)Arrnumber;    p2 += 1;

Control assembly:

Note: A two-dimensional array is slightly more complex from the data segment ds: Take 2 bytes into the AX register (16-bit), after the EBP operation (you can simply understand the local variables put into the function stack) c/d: char arrnumber[][2] = {"1", "2", "3", "4"    , };         00FD2C68 mov ax,word ptr ds:[00fdda88h] 00fd2c6e mov word ptr [ebp-10h],ax 00fd2c72 mov Ax,word ptr ds:[00fddad0h] 00fd2c78 mov word ptr [ebp-0eh],ax 00fd2c7c mov ax,word ptr ds:[ 00FDDAE4H] 00FD2C82 mov word ptr [ebp-0ch],ax 00fd2c86 mov ax,word ptr ds:[00fddb00h] 00F    D2C8C mov word ptr [Ebp-0ah],ax c/C: int* p = (int *) Arrnumber; NOTE: "Ebp-10" is the first element in the storage array 1 memory units, Lea gets the unit address into the EAX register          00FD2C90 Lea eax,[ebp-10h] Note: eax Save the address, DWORD PTR is to declare a few bytes (double word), the address of element 1 is transferred to the "ebp-1ch" memory unit, in fact, [P] 00fd2c93 mov DWORD ptr [Ebp-1ch],eax Note: The address of element 1 is given from the unit eax, ready to do addition operation 00FD2C96 mov eax,dword ptr [ebp-1ch] C/C: p + = 1; note    Release: Add eax, 4 00fd2c99 add eax,4 Note: EAX is the value after add, in the memory unit that is sent back to P. 00FD2C9C mov dword ptr [ebp-1ch],eax above completed p + = 1;Offset from the data type; The following are the same 00fd2c9f mov eax,2 00fd2ca4 imul ecx,eax,0 00fd2ca7 Lea      EDX,[EBP+ECX-10H] 00fd2cab mov dword ptr [ebp-28h],edx 00fd2cae mov eax,dword ptr [ebp-28h]       00FD2CB1 add eax,1 00FD2CB4 mov dword ptr [Ebp-28h],eax 00fd2cb7 Lea eax,[ebp-10h]         00FD2CBA mov dword ptr [ebp-34h],eax 00FD2CBD mov eax,dword ptr [ebp-34h] 00fd2cc0 add eax,2 00FD2CC3 mov dword ptr [Ebp-34h],eax is much less than a one-dimensional array initialization operation Assembly instruction, the direct immediate number is transferred to the local variable but is the same when the pointer is additive. C + + Source: Initialize the array one dimension: char arrnumber[] = {1, 2, 3, 4,}; control assembly 00192C68 mov byte ptr [ebp-0ch],1 001 92C6C mov byte ptr [ebp-0bh],2 00192C70 mov byte ptr [ebp-0ah],3 00192c74 mov byte pt          R [ebp-9],4 00192c78 Lea eax,[ebp-0ch] 00192c7b mov dword ptr [EBP-18H],EAX 00192c7e mov Eax,dword ptr [EBP-18H] 00192c81 add eax,4 00192c84 mov dword ptr [ebp-18h],eax 00192c87 Lea eax,[ EBP-0CH] 00192C8A mov dword ptr [ebp-24h],eax 00192c8d mov eax,dword ptr [ebp-24h] 00192C + Add eax,1 00192c93 mov dword ptr [Ebp-24h],eax 00192c96 Lea Eax,[ebp-0ch] 001 92c99 mov dword ptr [ebp-30h],eax 00192c9c mov eax,dword ptr [ebp-30h] 00192c9f add E  ax,2 00192CA2 mov dword ptr [Ebp-30h],eax

Citation: "The Secret of C + + disassembly and reverse analysis technology" P34 the pointer addressing formula for the page:
p + N Destination address = First address + sizeof (pointer type) * n;

Seh In addition to 0 exception handling and value passing, reference passing assembly talking about