(and possibly to other functions that traverse the list) would require as few
iterations as possible. This code then proceeds into ntdll.7C962554, which
you’ve already looked at. ntdll.7C962554 skips the element’s header by
adding 12 and returns that pointer to the caller.
You’ve now established the basics of how this function works, and a little bit
about how a generic table is laid out. Let’s proceed with the other major cases
that were skipped over earlier.
Let’s start with the case where the condition ESI < EBX is satisfied (the
actual check is for ESI ≤ EBX, but you could never be here if ESI == EBX). Here
is the code that executes in this case.
7C96252B MOV EDI,EBX
7C96252D SUB EDX,EBX
7C96252F SUB EDI,ESI
7C962531 INC EDX
7C962532 CMP EDI,EDX
7C962534 JA SHORT ntdll.7C962541
7C962536 TEST EDI,EDI
7C962538 JE SHORT ntdll.7C96254E
This code performs EDX = (Table->TotalElements – ElementToGet - 1) and
EDI = ElementToGet + 1 – LastIndexFound. In plain English, EDX now has the
distance (in elements) from the element you’re looking for to the end of the
list, and EDI has the distance from the element you’re looking for to the
last index found.
Search Loop 2
Having calculated the two distances above, you now reach an important junction
in which you enter one of two search loops. Let’s start by looking at the
first conditional branch that jumps to ntdll.7C962541 if EDI > EDX.
7C962541 TEST EDX,EDX
7C962543 LEA EAX,DWORD PTR [ECX+4]
7C962546 JE SHORT ntdll.7C96254E
7C962548 DEC EDX
7C962549 MOV EAX,DWORD PTR [EAX+4]
7C96254C JNZ SHORT ntdll.7C962548
This snippet checks that EDX != 0, and starts looping on elements starting
with the element pointed to by offset +4 of the root table data structure. Like
the previous loop you’ve seen, this loop also traverses the elements using
offset +4 in each element. The difference with this loop is the starting
pointer. The previous loop you saw started with offset +c in the root data
structure, which is a
Beyond the Documentation 163
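To make the two-distance decision concrete, here is an added C model of the table walk analyzed above (constructed for this page; it is neither ntdll’s code nor the book’s). It computes the same two quantities the disassembly puts in EDX and EDI, takes the “search loop 2” path (walk from the root’s link) when EDI > EDX, and otherwise walks forward from the cached last-found element. The struct layouts, the field names (flink, blink, last_found, last_index_found, total_elements), the sample values and the assumption that the +4 link walked from the root reaches the tail of a circular list are all assumptions; the offsets in the comments are the ones the disassembly names. The model also handles the remaining case (target at or before the last element found), which this page only mentions in passing.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the generic table discussed on the page (added
 * example, not ntdll's code). Field names are assumptions; the offsets in
 * the comments are the ones the disassembly names. */
typedef struct link {
    struct link *flink;  /* next element in insertion order */
    struct link *blink;  /* previous element: the "+4" link search loop 2 follows */
} link_t;

typedef struct element {
    link_t links;        /* element header; the caller's data follows it */
    int value;
} element_t;

typedef struct table {
    link_t head;                 /* root +4: circular list head (head.blink is the tail) */
    link_t *last_found;          /* root +c: link of the element returned last time */
    unsigned last_index_found;   /* root +10: 1-based index of last_found */
    unsigned total_elements;     /* root +14 */
} table_t;

static void table_init(table_t *t) {
    t->head.flink = t->head.blink = &t->head;
    t->last_found = &t->head;    /* nothing found yet: walking forward from the head */
    t->last_index_found = 0;
    t->total_elements = 0;
}

/* Append at the tail, as an insertion-ordered table does. */
static void table_append(table_t *t, element_t *e) {
    link_t *tail = t->head.blink;
    e->links.flink = &t->head;
    e->links.blink = tail;
    tail->flink = &e->links;
    t->head.blink = &e->links;
    t->total_elements++;
}

/* Return the element with 0-based index `index`, or NULL when out of range,
 * choosing the shorter of the two walks the page describes. */
static element_t *table_get_element(table_t *t, unsigned index) {
    if (index >= t->total_elements)
        return NULL;

    unsigned target = index + 1;           /* EBX: 1-based index of the element wanted */
    unsigned last = t->last_index_found;   /* ESI */
    link_t *cur;

    if (last < target) {
        /* The case on the page: EDX = steps from the root's link to the target,
         * EDI = steps forward from the last element found. */
        unsigned dist_end  = t->total_elements - index;  /* EDX after the INC */
        unsigned dist_last = target - last;              /* EDI */
        if (dist_last > dist_end) {
            /* Search loop 2: start at the root's link and follow the "+4"
             * link dist_end times; the first step lands on the tail. */
            cur = &t->head;
            while (dist_end--)
                cur = cur->blink;
        } else {
            /* Search loop 1 (started from root +c): step forward from the
             * element found last time. */
            cur = t->last_found;
            while (dist_last--)
                cur = cur->flink;
        }
    } else {
        /* Remaining case: the target is at or before the cached element,
         * so walk backwards from it. */
        unsigned back = last - target;
        cur = t->last_found;
        while (back--)
            cur = cur->blink;
    }

    /* Cache the hit so the next lookup starts close to this one. */
    t->last_found = cur;
    t->last_index_found = target;
    return (element_t *)cur;   /* links is the first member, so no header to skip here */
}

#define DEMO_COUNT 6

/* Fill `t` with DEMO_COUNT constructed elements valued 10, 20, ..., 60. */
static void demo_fill(table_t *t, element_t *storage) {
    table_init(t);
    for (unsigned i = 0; i < DEMO_COUNT; i++) {
        storage[i].value = (int)(i + 1) * 10;
        table_append(t, &storage[i]);
    }
}

/* Look up `first` and then `second` on a fresh table so the second lookup
 * starts from a populated last_found; return the second value, or -1. */
static int demo_lookup_pair(unsigned first, unsigned second) {
    table_t t;
    element_t storage[DEMO_COUNT];
    demo_fill(&t, storage);
    table_get_element(&t, first);
    element_t *e = table_get_element(&t, second);
    return e ? e->value : -1;
}

int main(void) {
    printf("after 1, get 5 (loop 2, from the tail): %d\n", demo_lookup_pair(1, 5));
    printf("after 0, get 3 (loop 1, from last found): %d\n", demo_lookup_pair(0, 3));
    printf("after 4, get 1 (backwards from last found): %d\n", demo_lookup_pair(4, 1));
    return 0;
}
```

The second lookup in `demo_lookup_pair(1, 5)` is the branch this page analyzes: the target is four elements past the last one found but only one step from the tail, so EDI > EDX and the walk starts from the root’s link instead of from the cached element.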