MS17-013の解析 (gdi32.dll)
なぜか、Microsoft が MS17-013 向けの更新プログラム
gdi32.dll 5.1.2600.7209
usb10.dll 1.420.2600.7209
gdiplus.dll 5.2.6002.24064
のパッケージしたものを日本時間の 2017/6/14 7時ごろリリースしたので、それに合わせて
Windows 2000向け 未リリースの gdi32.dll の解析を行いました
比較対象は
gdi32.dll 5.1.2600.7090
新版
| mov ecx,[esi+2Ch] imul ecx,[ebp-04h] shl ecx,02h push ecx push eax push [ebp+08h] mov ecx,esi call SUB_L77EED0F9 |
Windows 2000
| 77F6E7BB 0FAF462C imul eax,[esi+2Ch] shl eax,2 77F6E7BF 50 push eax |
旧版
| L77F0762E: xor eax,eax mov al,[ebx] push eax push [ebp+08h] call [KERNEL32.dll!IsDBCSLeadByteEx] inc ebx test eax,eax mov eax,[edi] mov [esi],eax jz L77F0764D add edi,00000004h mov eax,[edi] inc ebx add [esi],eax |
新版
| L77F0763A: dec eax cmp ebx,eax jnc L77F07660 xor eax,eax mov al,[ebx] push eax push [ebp+08h] call [KERNEL32.dll!IsDBCSLeadByteEx] test eax,eax jz L77F07660 mov eax,[edi] add edi,00000004h inc ebx mov [esi],eax mov eax,[edi] inc ebx add [esi],eax jmp L77F07665 L77F07660: mov eax,[edi] inc ebx mov [esi],eax |
Win2000
| L77F630AB: dec eax cmp ebx,eax jnc 77F630CA xor eax,eax 77F630AB 8A03 mov al,[ebx] 77F630AD 50 push eax 77F630AE FF7508 push [ebp+08h] |
なぜか、Win2000版は最適化されてたので後半は不要 ・ω・
旧版
| L77F07664: xor eax,eax mov al,[ebx] push eax push [ebp+08h] call [KERNEL32.dll!IsDBCSLeadByteEx] inc ebx test eax,eax mov eax,[edi] mov [esi],eax mov eax,[edi+04h] mov [esi+04h],eax jz L77F0768F add edi,00000008h |
新版
| L77F0767C: dec eax cmp ebx,eax jnc L77F076AE xor eax,eax mov al,[ebx] push eax push [ebp+08h] call [KERNEL32.dll!IsDBCSLeadByteEx] test eax,eax jz L77F076AE mov eax,[edi] &nbs p; mov [esi],eax mov eax,[edi+04h] add edi,00000008h mov [esi+04h],eax mov eax,[edi] add [esi],eax mov eax,[edi+04h] inc ebx inc ebx add [esi+04h],eax jmp L77F076B9 |
Win2000
| L77F630F1: dec eax cmp ebx,eax jnc 77F6311C xor eax,eax 77F630F1 8A03 mov al,[ebx] 77F630F3 50 push eax 77F630F4 FF7508 push [ebp+08h] 77F630F7 FF15B410F477 call [KERNEL32.dll!IsDBCSLeadByteEx] |
こっちも、Win2000版は最適化されてたので後半は不要 ・ω・
旧版
| L77F10DC6: mov eax,[ebx+18h] mov [ebp-14h],eax mov eax,[ebx+1Ch] mov [ebp-10h],eax push 00000001h lea eax,[ebp-14h] push eax push [esi+000002A4h] call LPtoDP test eax,eax jz L77F10E0F lea eax,[esi+0000028Ch] push eax push [ebp+08h] call SetWorldTransform test eax,eax jz L77F10E0F push [ebx+40h] mov ecx,ebx push [ebx+34h] push [ebx+30h] push edi call SUB_L77F100F4 test eax,eax jnz L77F10E16 |
新版
| L77F10DFB: mov eax,[ebx+18h] mov [ebp-0Ch],eax mov eax,[ebx+1Ch] mov [ebp-08h],eax push 00000001h lea eax,[ebp-0Ch] push eax mov eax,[ebp+0Ch] push [eax+000002A4h] call LPtoDP test eax,eax jz L77F10E96 mov eax,[ebp+0Ch] add eax,0000028Ch push eax push [ebp+08h] call SetWorldTransform test eax,eax jz L77F10E96 mov ecx,[ebx+34h] test ecx,ecx jz L77F10E59 mov eax,[ebx+3Ch] test eax,eax jz L77F10E59 push [ebx+40h] push eax push [ebx+38h] push ecx push [ebx+30h] mov ecx,ebx push edi call SUB_L77F101A8 test eax,eax jz L77F10E96 L77F10E59: mov eax,[ebx+34h] test eax,eax jz L77F10E79 cmp dword ptr [ebx+3Ch],00000000h jnz L77F10E79 push ; [ebx+40h] mov ecx,ebx push eax push [ebx+30h] push edi call SUB_L77F10124 test eax,eax jz L77F10E96 L77F10E79: cmp dword ptr [ebx+34h],00000000h jnz L77F10E9D mov eax,[ebx+3Ch] test eax,eax jz L77F10E9D push eax push [ebx+38h] mov ecx,ebx push edi call SUB_L77EED0F9 test eax,eax jnz L77F10E9D |
Windows 2000
| 77F715A6 L77F715A6: 77F715A6 8B4318 mov eax,[ebx+18h] 77F715A9 6A01 push 00000001h 77F715AB 8945EC mov [ebp-14h],eax 77F715AE 8B431C mov eax,[ebx+1Ch] 77F715B1 8945F0 mov [ebp-10h],eax 77F715B4 8D45EC lea eax,[ebp-14h] 77F715B7 50 push eax 77F715B8 FFB660020000 push [esi+00000260h] 77F715BE E8F169FDFF call LPtoDP 77F715C3 85C0 test eax,eax 77F715C5 7425 jz L77F715EC 77F715C7 8D8648020000 lea eax,[esi+00000248h] 77F715CD 50 push eax 77F715CE FF7508 push [ebp+08h] 77F715D1 E88828FEFF call SetWorldTransform 77F715D6 85C0 test eax,eax 77F715D8 7412 jz L77F715EC mov ecx,[ebx+34h] 77F715DA FF7334 push [ebx+34h] X2: mov ecx,[ebx+34h] |
Win2000用追加コード
| SUB_L77F101A8: push ebp mov ebp,esp push ecx push esi mov esi,ecx mov eax,[ebp+0xc] cmp eax,[esi+04h] jnc L77F70C64 push 00460000h mov eax,[ebp+8] push eax call SUB_L77F48C84 test eax,eax jz L77F70C64 push [ebp+0xc] mov ecx,eax push esi call SUB_L77F69731 test eax,eax jz L77F70C64 push [ebp+0x18] mov ecx,esi push [ebp+0x14] push [ebp+8]//ebx call SUB_L77F6A145 test eax,eax jz L77F70C64 mov eax,esi add eax,[ebp+0xc] push eax call GdiGetBitmapBitsSize cmp [ebp+0x18],eax jc L77F70C64 xor eax,eax inc eax leave retn 0x18 L77F70C64: xor eax,eax leave retn 0x18 |
旧版
| L77F10E6B: mov [eax+08h],ecx mov ecx,[ebx+3Ch] mov [eax+14h],ecx cmp [ebx+3Ch],esi jz L77F10E9A push [ebx+3Ch] mov ecx,ebx push [ebx+38h] push [ebp+0Ch] call SUB_L77EED0F9 test eax,eax mov eax,[ebp-04h] jz L77F10ED2 cmp [ebx+3Ch],esi jz L77F10E9A mov esi,[ebx+38h] add esi,ebx |
新版
| L77F10EEE: mov [eax+08h],ecx mov ecx,[ebx+3Ch] mov [eax+14h],ecx cmp [ebx+3Ch],esi jz L77F10F01 mov esi,[ebx+38h] add esi,ebx |
Win2000
| 77F7162D L77F7162D: 77F7162D 894808 mov [eax+08h],ecx 77F71630 8B4B3C mov ecx,[ebx+3Ch] 77F71633 894814 mov [eax+14h],ecx 77F71636 8B4B3C mov ecx,[ebx+3Ch] 77F71639 3BCE cmp ecx,esi 77F7163B 7415 jz L77F71652->5C 77F7163E 8BCB mov ecx,ebx 77F71640 FF7338 push [ebx+38h] 77F71643 FF750C push [ebp+0Ch] 77F71646 E8FA8AFFFF call SUB_L77F6A145 77F7164B 85C0 test eax,eax 77F7164D 744B jz L77F7169A 77F7164F 8B45FC mov eax,[ebp-04h] 77F71652 L77F71652: 77F71652 39733C cmp [ebx+3Ch],esi 77F71655 7405 jz L77F7165C 77F7165A 03F3 add esi,ebx 77F7165C L77F7165C: 77F7165C 8B4B2C mov ecx,[ebx+2Ch] 77F7165F 8B5328 mov edx,[ebx+28h] |
こんな感じ ・ω・
Translate
Comments