出问题的代码:
.text:BF80EE53 ; int __stdcall NtUserMessageCall(int, int, int UnicodeString, PVOID Address, int, int, int)
.text:BF80EE53 _NtUserMessageCall@28 proc near ; DATA XREF: .data:BF99D730o
.text:BF80EE53
.text:BF80EE53 var_C = dword ptr -0Ch
.text:BF80EE53 var_8 = dword ptr -8
.text:BF80EE53 arg_0 = dword ptr 8
.text:BF80EE53 arg_4 = dword ptr 0Ch
.text:BF80EE53 UnicodeString = dword ptr 10h
.text:BF80EE53 Address = dword ptr 14h
.text:BF80EE53 arg_10 = dword ptr 18h
.text:BF80EE53 arg_14 = dword ptr 1Ch
.text:BF80EE53 arg_18 = dword ptr 20h
.text:BF80EE53
.text:BF80EE53 ; FUNCTION CHUNK AT .text:BF80EE21 SIZE 0000002D BYTES
.text:BF80EE53
.text:BF80EE53 mov edi, edi
.text:BF80EE55 push ebp
.text:BF80EE56 mov ebp, esp
.text:BF80EE58 sub esp, 0Ch
.text:BF80EE5B push esi
.text:BF80EE5C push edi
.text:BF80EE5D call _EnterCrit@0 ; EnterCrit()
.text:BF80EE62 mov ecx, [ebp+arg_0]
.text:BF80EE65 call @ValIDAteHwnd@4 ; ValidateHwnd(x) //句柄在后边作为指针访问。
.text:BF80EE6A mov ecx, [ebp+arg_14]
.text:BF80EE6D mov esi, eax
.text:BF80EE6F test esi, esi
.text:BF80EE71 jz short loc_BF80EE38
.text:BF80EE73 mov eax, _gptiCurrent
.text:BF80EE78 mov edx, [eax+28h]
.text:BF80EE7B mov [ebp+var_C], edx
.text:BF80EE7E lea edx, [ebp+var_C]
.text:BF80EE81 mov [eax+28h], edx
.text:BF80EE84 mov [ebp+var_8], esi
.text:BF80EE87 inc dword ptr [esi+4]
.text:BF80EE8A
.text:BF80EE8A loc_BF80EE8A: ; CODE XREF: NtUserMessageCall(x,x,x,x,x,x,x)-7j
.text:BF80EE8A mov eax, [ebp+arg_4]
.text:BF80EE8D and eax, 1FFFFh
.text:BF80EE92 cmp eax, 400h
.text:BF80EE97 jnb short loc_BF80EED4
.text:BF80EE99 push [ebp+arg_18] ; int
.text:BF80EE9C movzx eax, ds:_MessageTable[eax]
.text:BF80EEA3 push ecx ; int
.text:BF80EEA4 push [ebp+arg_10] ; int
.text:BF80EEA7 and eax, 3Fh
.text:BF80EEAA push [ebp+Address] ; Address
.text:BF80EEAD push [ebp+UnicodeString] ; int
.text:BF80EEB0 push [ebp+arg_4] ; int
.text:BF80EEB3 push esi ; int
.text:BF80EEB4 call ds:_gapfnMessageCall[eax*4] ; NtUserfnINSTRINGNULL(x,x,x,x,x,x,x)// 进入
.text:BF9147C9 ; __stdcall NtUserfnINOUTLPPOINT5(x, x, x, x, x, x, x)
.text:BF9147C9 _NtUserfnINOUTLPPOINT5@28 proc near ; CODE XREF: xxxDefWindowProc(x,x,x,x)+96p
.text:BF9147C9 ; NtUserMessageCall(x,x,x,x,x,x,x)+61p ...
.text:BF9147C9
.text:BF9147C9 var_44 = byte ptr -44h
.text:BF9147C9 var_1C = dword ptr -1Ch
.text:BF9147C9 ms_exc = CPPEH_RECORD ptr -18h
.text:BF9147C9 VUL = dword ptr 8
.text:BF9147C9 arg_4 = dword ptr 0Ch
.text:BF9147C9 arg_8 = dword ptr 10h
.text:BF9147C9 arg_C = dword ptr 14h
.text:BF9147C9 arg_10 = dword ptr 18h
.text:BF9147C9 arg_14 = dword ptr 1Ch
.text:BF9147C9
.text:BF9147C9 push 34h
.text:BF9147CB push offset stru_BF990E40
.text:BF9147D0 call __SEH_prolog
.text:BF9147D5 and [ebp+ms_exc.disabled], 0
.text:BF9147D9 mov ebx, [ebp+arg_C]
.text:BF9147DC mov eax, _Win32UserProbeAddress
.text:BF9147E1 cmp ebx, eax
.text:BF9147E3 jb short loc_BF9147EB
.text:BF9147E5 mov dword ptr [eax], 0
.text:BF9147EB
.text:BF9147EB loc_BF9147EB: ; CODE XREF: NtUserfnINOUTLPPOINT5(x,x,x,x,x,x,x)+1Aj
.text:BF9147EB push 0Ah
.text:BF9147ED pop ecx
.text:BF9147EE mov esi, ebx
.text:BF9147F0 mov edi, ebx
.text:BF9147F2 rep movsd
.text:BF9147F4 push 0Ah
.text:BF9147F6 pop ecx
.text:BF9147F7 mov esi, ebx
.text:BF9147F9 lea edi, [ebp+var_44]
.text:BF9147FC rep movsd
.text:BF9147FE or [ebp+ms_exc.disabled], 0FFFFFFFFh
.text:BF914802 mov eax, [ebp+arg_14]
.text:BF914805 add eax, 6
.text:BF914808 and eax, 1Fh
.text:BF91480B push [ebp+arg_10]
.text:BF91480E lea ecx, [ebp+var_44]
.text:BF914811 push ecx
.text:BF914812 push [ebp+arg_8]
.text:BF914815 push [ebp+arg_4]
.text:BF914818 push [ebp+VUL]
.text:BF91481B mov ecx, _gpsi
.text:BF914821 call dword ptr [ecx+eax*4+0Ch] // 进入
.text:BF932C40 ; __stdcall fnHkINLPCWPRETEXSTRUCT(x, x, x, x, x)
.text:BF932C40 _fnHkINLPCWPRETEXSTRUCT@20 proc near ; DATA XREF: InitFunctionTables()+100o
.text:BF932C40
.text:BF932C40 var_18 = dword ptr -18h
.text:BF932C40 var_14 = dword ptr -14h
.text:BF932C40 var_10 = dword ptr -10h
.text:BF932C40 var_C = dword ptr -0Ch
.text:BF932C40 var_8 = dword ptr -8
.text:BF932C40 var_4 = dword ptr -4
.text:BF932C40 vul = dword ptr 8
.text:BF932C40 arg_4 = dword ptr 0Ch
.text:BF932C40 arg_8 = dword ptr 10h
.text:BF932C40 arg_C = dword ptr 14h
.text:BF932C40
.text:BF932C40 mov edi, edi
.text:BF932C42 push ebp
.text:BF932C43 mov ebp, esp
.text:BF932C45 sub esp, 18h
.text:BF932C48 call ds:__imp__PsGetCurrentThread@0 ; PsGetCurrentThread()
.text:BF932C4E push eax
.text:BF932C4F call ds:__imp__PsGetThreadWin32Thread@4 ; PsGetThreadWin32Thread(x)
.text:BF932C55 mov ecx, [ebp+vul]
.text:BF932C58 mov eax, [eax+44h]
.text:BF932C5B xor edx, edx
.text:BF932C5D cmp ecx, edx
.text:BF932C5F jnz short loc_BF932C66
.text:BF932C61 mov [ebp+var_8], edx
.text:BF932C64 jmp short loc_BF932C6B
.text:BF932C66 ; ---------------------------------------------------------------------------
.text:BF932C66
.text:BF932C66 loc_BF932C66: ; CODE XREF: fnHkINLPCWPRETEXSTRUCT(x,x,x,x,x)+1Fj
.text:BF932C66 mov ecx, [ecx]
.text:BF932C68 mov [ebp+var_8], ecx
.text:BF932C6B
.text:BF932C6B loc_BF932C6B: ; CODE XREF: fnHkINLPCWPRETEXSTRUCT(x,x,x,x,x)+24j
.text:BF932C6B mov ecx, [ebp+arg_4]
.text:BF932C6E mov [ebp+var_C], ecx
.text:BF932C71 mov ecx, [ebp+arg_8]
.text:BF932C74 mov [ebp+var_10], ecx
.text:BF932C77 mov ecx, [ebp+arg_C]
.text:BF932C7A mov [ebp+var_14], ecx
.text:BF932C7D mov ecx, [eax+40h]
.text:BF932C80 mov [ebp+var_18], ecx
.text:BF932C83 mov [ebp+var_4], edx
.text:BF932C86 mov eax, [eax]
.text:BF932C88 lea ecx, [ebp+var_18]
.text:BF932C8B shr eax, 4
.text:BF932C8E push ecx
.text:BF932C8F and eax, 1
.text:BF932C92 push eax
.text:BF932C93 push edx
.text:BF932C94 call sub_BF8F5DC2 // 进入
.text:BF8F5DC2 sub_BF8F5DC2 proc near ; CODE XREF: NtUserCallNextHookEx(x,x,x,x)-F5726p
.text:BF8F5DC2 ; NtUserfnHkINLPMSG(x,x,x,x)+35p ...
.text:BF8F5DC2
.text:BF8F5DC2 arg_0 = dword ptr 8
.text:BF8F5DC2 arg_4 = dword ptr 0Ch
.text:BF8F5DC2 vul_handle = dword ptr 10h
.text:BF8F5DC2
.text:BF8F5DC2 mov edi, edi
.text:BF8F5DC4 push ebp
.text:BF8F5DC5 mov ebp, esp
.text:BF8F5DC7 mov eax, _gptiCurrent
.text:BF8F5DCC mov eax, [eax+9Ch]
.text:BF8F5DD2 test eax, eax
.text:BF8F5DD4 jz short loc_BF8F5DEF
.text:BF8F5DD6 lea ecx, [ebp+vul_handle]
.text:BF8F5DD9 push ecx
.text:BF8F5DDA push [ebp+vul_handle]
.text:BF8F5DDD push [ebp+arg_4]
.text:BF8F5DE0 push [ebp+arg_0]
.text:BF8F5DE3 push eax
.text:BF8F5DE4 call _PhkNextValid@4 ; PhkNextValid(x)
.text:BF8F5DE9 push eax
.text:BF8F5DEA call _xxxCallHook2@20 ; xxxCallHook2(x,x,x,x,x)//step into
...
.text:BF8326A2 loc_BF8326A2: ; CODE XREF: xxxCallHook2(x,x,x,x,x)+125j
.text:BF8326A2 push [ebp+vul_handle]
.text:BF8326A5 push [ebp+arg_8]
.text:BF8326A8 push [ebp+arg_4]
.text:BF8326AB push edi
.text:BF8326AC call _xxxHkCallHook@16 ; xxxHkCallHook(x,x,x,x)// 进入
...
.text:BF800556 loc_BF800556: ; CODE XREF: ttfdQueryFontData(x,x,x,x,x,x)+71j
.text:BF800556 cmp ebx, 6
.text:BF800559 ja loc_BF83D539
.text:BF80055F jmp loc_BF83D54B
.text:BF80055F ; END OF FUNCTION CHUNK FOR _ttfdQueryFontData@24
.text:BF800564 ; ---------------------------------------------------------------------------
.text:BF800564 ; START OF FUNCTION CHUNK FOR _xxxHkCallHook@16
.text:BF800564
.text:BF800564 loc_BF800564: ; CODE XREF: xxxHkCallHook(x,x,x,x)+131j
.text:BF800564 test byte ptr [eax+24h], 5 //eax中就是传入的句柄,访问违例导致崩溃。
just for fun