Reversing : The Hacker's Guide to Reverse Engineering

7C924E59 SHR ECX,2
7C924E5C LEA EDI,DWORD PTR [EBX+18]
7C924E5F REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
7C924E61 MOV ECX,EAX
7C924E63 AND ECX,3
7C924E66 REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]
7C924E68 PUSH EBX
7C924E69 CALL ntdll.RtlSplay
7C924E6E MOV ECX,DWORD PTR [EBP+8]
7C924E71 MOV DWORD PTR [ECX],EAX
7C924E73 MOV EAX,DWORD PTR [EBP+14]
7C924E76 TEST EAX,EAX
7C924E78 JNZ ntdll.7C935D4F
7C924E7E LEA EAX,DWORD PTR [EBX+18]
7C924E81 POP EDI
7C924E82 POP ESI
7C924E83 POP EBX
7C924E84 POP EBP
7C924E85 RET 18
7C924E88 MOV DWORD PTR [ESI],EBX
7C924E8A JMP SHORT ntdll.7C924E52
7C924E8C XOR EAX,EAX
7C924E8E JMP ntdll.7C9214B6

Listing 5.7 (continued)
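The copy sequence at the top of the listing (SHR ECX,2 / REP MOVS DWORD, then AND ECX,3 / REP MOVS BYTE) is the compiler's inlined memcpy: EAX holds the byte count, ECX receives count/4 for the dword loop and count&3 for the trailing bytes. The C below is an added illustration, not code from the book; it reproduces that idiom and checks it against memcpy for lengths with and without a remainder.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* C equivalent of the inlined copy in Listing 5.7.
 * ESI = source, EDI = destination (EBX+18), EAX = byte count. */
static void copy_like_rep_movs(void *dst, const void *src, size_t n)
{
    uint8_t *d8 = dst;
    const uint8_t *s8 = src;
    size_t dwords = n >> 2;          /* SHR ECX,2 : whole dwords */
    while (dwords--) {               /* REP MOVS DWORD PTR ES:[EDI],[ESI] */
        memcpy(d8, s8, 4);           /* memcpy avoids unaligned-access UB */
        d8 += 4;
        s8 += 4;
    }
    size_t tail = n & 3;             /* AND ECX,3 : leftover 0..3 bytes */
    while (tail--)                   /* REP MOVS BYTE PTR ES:[EDI],[ESI] */
        *d8++ = *s8++;
}

/* Returns 1 when the idiom matches memcpy for a constructed n-byte
 * buffer (n <= 32) and leaves the bytes past n untouched. */
static int matches_memcpy(size_t n)
{
    uint8_t src[32], a[32], b[32];
    if (n > sizeof src)
        return 0;
    for (size_t i = 0; i < sizeof src; i++)
        src[i] = (uint8_t)(i * 7 + 1);   /* constructed sample data */
    memset(a, 0xAA, sizeof a);
    memset(b, 0xAA, sizeof b);
    copy_like_rep_movs(a, src, n);
    memcpy(b, src, n);
    return memcmp(a, b, sizeof a) == 0;
}
```

Recognising this four-instruction pattern lets you collapse it to a single memcpy call when reconstructing the function, rather than tracing the string instructions individually.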


Like the function at Listing 5.6, this one also starts with that dummy MOV
EDI, EDI instruction. However, unlike the previous function, this one doesn’t
seem to receive any parameters through registers, indicating that it was
probably not defined using the static keyword. This function starts out by
checking the value of the SearchResult parameter (the last parameter it takes),
and making one of those remote, out-of-function jumps if SearchResult == 1.
We’ll deal with this condition later.
For now, here’s the code that gets executed when that condition isn’t satisfied.


7C924E02 MOV EDI,DWORD PTR [EBP+10]
7C924E05 MOV ESI,DWORD PTR [EBP+8]
7C924E08 LEA EAX,DWORD PTR [EDI+18]
7C924E0B PUSH EAX
7C924E0C PUSH ESI
7C924E0D CALL DWORD PTR [ESI+1C]

It seems that the TABLE data structure contains another callback pointer.
Offset +1c appears to be another callback function that takes two parameters.
Let’s examine those parameters and try to figure out what the callback does.
The first parameter comes from ESI and is quite clearly the TABLE pointer. What does


Beyond the Documentation 181