引言:__local_unwind2函数是结构化异常处理的局部展开函数. 7C80DF7F int __cdecl _local_unwind2(int argEstablisherFrame, int argTryLevel); CODE XREF: sub_7C80DF44+22p 7C80DF7F ; BasepGetTempPathW(x,x,x)+11Ep ... 7C80DF7F 7C80DF7F varPrevTryLevel = dword ptr -18h 7C80DF7F argEstablisherFrame= dword ptr 4 7C80DF7F argTryLevel = dword ptr 8 7C80DF7F 7C80DF7F ; FUNCTION CHUNK AT .text:7C80DFE1 SIZE 0000000E BYTES 7C80DF7F 7C80DF7F push ebx 7C80DF80 push esi 7C80DF81 push edi 7C80DF82 mov eax, [esp+0Ch+argEstablisherFrame] 7C80DF86 push ebp ; [ebp-00]:ebp 7C80DF87 push eax ; [ebp-04]:trylevel 7C80DF88 push 0FFFFFFFEh ; [ebp-08]:scopetable 7C80DF8A push offset sub_7C80DF44 ; [ebp-0C]:NestedExceptionHandler 7C80DF8F push large dword ptr fs:0 ; [ebp-10]:prev 7C80DF96 mov large fs:0, esp ; 安装新的SEH结构 7C80DF9D 7C80DF9D loc_7C80DF9D: ; CODE XREF: __local_unwind2+4Cj 7C80DF9D ; __NLG_Return2j 7C80DF9D mov eax, [esp+20h+argEstablisherFrame] 7C80DFA1 mov ebx, [eax+8] ; ebx=argEstablisherFrame->scopetable 7C80DFA4 mov esi, [eax+0Ch] ; esi=argEstablisherFrame->trylevel 7C80DFA7 cmp esi, 0FFFFFFFFh ; if