Manually trying to decompile the easy part of that function gets
Code:
void HeapFreeWrap(LPVOID lpMem)
{
    if(0 == lpMem)
        return;
    if(0 != HeapFree(globalHeapHandle, 0, lpMem)) // if success just return
        return;
    _asm{ // Error logging
        CALL 6F5C5E97
        MOV ESI,EAX
        CALL DWORD PTR DS:[<&KERNEL32.GetLastErr ; [KERNEL32.GetLastError
        PUSH EAX ; /Arg1
        CALL 6F5C5E55 ; \test_exe.6F5C5E55
        POP ECX
        MOV DWORD PTR DS:[ESI],EAX
    }
    return;
}
I'm unsure how to 'decompile' the asm stub. The pop ecx confuses me. The three instructions in the middle can be converted to sub_6F5C5E55(GetLastError()), I believe, and the return value is stored in the address returned by function sub_6F5C5E97(), I think. Best guess (I know this is not correct):
Code:
void HeapFreeWrap(LPVOID lpMem)
{
    if(0 == lpMem)
        return;
    if(0 != HeapFree(globalHeapHandle, 0, lpMem)) // if success just return
        return;
    // Error logging
    int *pInt = sub_6F5C5E97();
    *pInt = sub_6F5C5E55(GetLastError());
    return;
}
The function does not appear to be very interesting and there is no reference to fs:[30] anywhere. If nothing is wrong it just calls HeapFree. That's it!
Can you explain why you chose to show this function?
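The POP ECX in the stub above has the stack effect of ADD ESP,4: when a cdecl callee takes one pushed argument, the caller removes it after the call, and compilers often emit a one-byte POP into a scratch register to do so. The Python sketch below is an added example, not part of the original post; it is a heuristic that assumes every callee taking stack arguments is cdecl, and its listing is the post's stub with operands simplified.

```python
# Stub from the post, operands simplified (constructed input; the truncated
# GetLastError import call is written symbolically).
STUB = [
    "CALL 6F5C5E97",
    "MOV ESI,EAX",
    "CALL GetLastError",
    "PUSH EAX",
    "CALL 6F5C5E55",
    "POP ECX",
    "MOV DWORD PTR DS:[ESI],EAX",
]

def annotate(listing):
    """Return (instruction, note) pairs. Assumption: any callee that takes
    stack arguments is cdecl, so the caller removes them after the call."""
    pending = 0  # dwords pushed since the last CALL (outgoing arguments)
    owed = 0     # dwords the caller still has to remove after the last CALL
    notes = []
    for ins in listing:
        op, _, operands = ins.partition(" ")
        note = ""
        if op == "PUSH":
            pending += 1
            note = "outgoing stack argument"
        elif op == "CALL":
            owed, pending = pending, 0
            note = f"call with {owed} stack argument(s)"
        elif op == "POP" and owed:
            owed -= 1
            note = f"caller cleanup, same as ADD ESP,4; {operands} is scratch"
        elif op == "ADD" and operands.replace(" ", "").upper().startswith("ESP,") and owed:
            dwords = int(operands.split(",")[1], 16) // 4  # listing shows hex
            owed = max(0, owed - dwords)
            note = f"caller cleanup of {dwords} dword(s)"
        notes.append((ins, note))
    return notes

def cleanup_sites(listing):
    """Instructions that only rebalance the stack and carry no data flow."""
    return [ins for ins, note in annotate(listing) if note.startswith("caller cleanup")]

if __name__ == "__main__":
    for ins, note in annotate(STUB):
        print(f"{ins:30} ; {note}")
```

Instructions reported by cleanup_sites can be dropped when lifting the stub to C, since they move no meaningful value.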