Ok Guys Enoughhhhhhhhh
// C program
// Illustrative fragment posted to the thread: the declaration of UnicodeFileName
// and any further body are not shown, and phHandle is never written in what is visible.
// NOTE(review): RtlInitUnicodeString is called with three arguments here, while the
// DDK prototype quoted further down this page takes two (DestinationString,
// SourceString). The disassembly on this page shows the consequence: three PUSHes
// before the call, but the callee returns with RET 0008.
BOOLEAN DumbFunction ( IN PWCHAR pszFileName, IN HANDLE *phHandle )
{
// The third argument (TRUE) has no matching parameter in the two-argument prototype.
RtlInitUnicodeString(&UnicodeFileName, pszFileName, TRUE);
// The library routine listed on this page stores the source pointer into Buffer
// without copying, so this test is effectively a NULL check on pszFileName.
if ( !UnicodeFileName.Buffer )
return ( FALSE );
// Both visible paths return FALSE; presumably the success path was cut from the post.
return ( FALSE );
}
// Disassembly part
; Disassembly of DumbFunction (32-bit x86, Intel operand order, hex immediates).
; Frame layout established by the prologue below:
;   [EBP+08] = pszFileName, [EBP+0C] = phHandle (RET 0008 pops both)
;   [EBP-04] = value pushed by PUSH FF, later set to 0
;   [EBP-08] = ED259258, [EBP-0C] = _except_handler3, [EBP-10] = previous FS:[0]
;   [EBP-20]..[EBP-11] = 10h bytes of locals; UnicodeFileName starts at [EBP-20]
; NOTE(review): the listing looks abridged - no conditional jump follows the CMP -
; so the trace in these comments covers only the instructions shown.
BOOLEAN DumbFunction ( IN PWCHAR pszFileName, IN HANDLE *phHandle )
{
PUSH EBP
MOV EBP,ESP
PUSH FF                              ; presumably -1: initial try level for the _except_handler3 frame
PUSH ED259258                        ; presumably the address of this function's scope table
PUSH ntoskrnl!_except_handler3       ; handler for the new exception registration record
MOV EAX, FS:[00000000]               ; EAX = current head of the exception handler chain
PUSH EAX                             ; saved as the record's "previous" link at [EBP-10]
MOV FS:[00000000],ESP                ; install the new record as chain head
SUB ESP,10                           ; reserve 10h bytes of locals
PUSH EBX                             ; save callee-saved registers
PUSH ESI
PUSH EDI
AND DWORD PTR [EBP-04],00            ; [EBP-04] = 0; presumably marks entry into the guarded block
PUSH 01                              ; third argument (TRUE) - 4 bytes the callee will not remove
PUSH DWORD PTR [EBP+08]              ; second argument: pszFileName
LEA EAX,[EBP-20]
PUSH EAX                             ; first argument: &UnicodeFileName
CALL [ntoskrnl!RtlinitUnicodeString] ; indirect call; the callee listed on this page ends with RET 0008,
                                     ; so 8 of the 0Ch bytes pushed above are popped
CMP DWORD PTR [EBP-1C],00            ; UnicodeFileName.Buffer == NULL? (no branch shown after it)
PUSH FF                              ; second argument to _local_unwind32
LEA EAX, [EBP-10]
PUSH EAX                             ; first argument: address of the registration record
CALL ntoskrnl!_local_unwind32
POP ECX                              ; caller removes the two _local_unwind32 arguments
POP ECX
XOR AL,AL                            ; return value FALSE
MOV ECX,[EBP-10]
MOV FS:[00000000],ECX                ; unlink the record: restore the previous chain head
; NOTE(review): no ADD ESP,4 or POP is shown for the leftover PUSH 01 slot. Taken as
; listed, the three POPs below are shifted by one slot: EDI gets 1, ESI gets the saved
; EDI, EBX gets the saved ESI. LEAVE reloads ESP from EBP, so the return address is
; still found, but the caller's callee-saved registers come back changed - confirm
; against the full disassembly.
POP EDI
POP ESI
POP EBX
LEAVE
RET 0008                             ; callee pops its own two 4-byte parameters
}
// Dis-assembly part. This is DDK Library Function
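; Disassembly of RtlInitUnicodeString (32-bit x86, Intel operand order).
; In:    [ESP+04] = DestinationString, [ESP+08] = SourceString (at entry, before PUSH EDI)
; Out:   DestinationString's 16-bit fields at +00 and +02 and its pointer at +04 are written
; Stack: RET 0008 - the callee removes exactly two 4-byte arguments; a caller that
;        pushes a third leaves 4 bytes behind on its own stack.
; Clobb: EAX, ECX, EDX, flags (EDI is saved and restored)
; NOTE(review): the scan for the terminator is unbounded and only the low 16 bits of
; the byte count are stored, so a source string of 64 KB or more yields wrapped
; length fields. Callers that accept externally supplied strings should bound the
; length first; later DDKs add RtlInitUnicodeStringEx, which reports over-long input.
VOID RtlInitUnicodeString( IN OUT PUNICODE_STRING DestinationString, IN
PCWSTR SourceString )
{
PUSH EDI                     ; save callee-saved EDI; argument offsets shift by 4
MOV EDI,[ESP+0C]             ; EDI = SourceString
MOV EDX,[ESP+08]             ; EDX = DestinationString
MOV DWORD PTR [EDX],00000000 ; zero both 16-bit fields at +00 and +02
MOV [EDX+04], EDI            ; pointer field = SourceString (stored as-is, no copy)
OR EDI,EDI                   ; SourceString == NULL?
JZ 80401B14                  ; yes: skip the length computation (target not shown; presumably the epilogue)
OR ECX,-01                   ; ECX = FFFFFFFF, maximum count for the scan
XOR EAX,EAX                  ; AX = 0, the terminator to search for
REPNZ SCASW                  ; scan 16-bit characters at [EDI] until a zero is found
NOT ECX                      ; ECX = characters scanned, terminator included
SHL ECX,1                    ; convert to bytes
MOV [EDX+02],CX              ; field at +02 = byte count including terminator (low 16 bits only)
DEC ECX
DEC ECX                      ; drop the two terminator bytes
MOV [EDX],CX                 ; field at +00 = byte count without terminator (low 16 bits only)
POP EDI
RET 0008                     ; pop the two arguments
}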
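Here nobody is reducing the stack for the third argument: the caller pushes three values, RtlInitUnicodeString returns with RET 0008, and no ADD ESP or POP follows the call.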
I am offline now on this topic
Regards,
Satish K.S
Ok guys, enough already… Ever heard of function overloading? The C
compiler
will do an extra push and not do any pops because it doesn’t unload the
stack that way. It subtracts the correct amount from the esp to accomplish
the same thing as a whole bunch of pop, pop, pops.
Offline with this dribble I say!
Dennis