(fdc.638): Break instruction exception - code 80000003 (first chance)
eax=7ffdd000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c92120e esp=01d0ffcc ebp=01d0fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c92120e cc              int     3
0:008> !gflag +hpa
New NtGlobalFlag contents: 0x02000000
    hpa - Place heap allocations at ends of pages
0:008> g
ModLoad: 7cf70000 7d0d9000   C:\WINDOWS\system32\quartz.dll
ModLoad: 75af0000 75b01000   C:\WINDOWS\system32\devenum.dll
ModLoad: 73620000 73627000   C:\WINDOWS\system32\msdmo.dll
ModLoad: 76320000 76367000   C:\WINDOWS\system32\comdlg32.dll
ModLoad: 76d70000 76d92000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 76590000 765de000   C:\WINDOWS\System32\cscui.dll
ModLoad: 76570000 7658c000   C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 75ef0000 75fed000   C:\WINDOWS\system32\browseui.dll
ModLoad: 76960000 76984000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76af0000 76b01000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 759d0000 75a7f000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 76950000 76958000   C:\WINDOWS\system32\LINKINFO.dll
ModLoad: 736d0000 7371b000   C:\WINDOWS\system32\DDRAW.dll
ModLoad: 73b30000 73b36000   C:\WINDOWS\system32\DCIMAN32.dll
ModLoad: 738b0000 73980000   C:\WINDOWS\system32\D3DIM700.DLL
ModLoad: 73b70000 73b87000   C:\WINDOWS\system32\iccvid.dll
(fdc.cf4): Access violation - code c0000005 (first chance) <---- 内存访问违例
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00006000 ebx=00140a18 ecx=00000298 edx=0221fd38 esi=00146000 edi=00148000
eip=73b722cc esp=0221fd04 ebp=0221fd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
iccvid!CVDecompress+0x11e:
73b722cc f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:015> !address 00148000
Usage:                  <unclassified>
Allocation Base:        00090000
Base Address:           00148000
End Address:            00190000
Region Size:            00048000
Type:                   00020000    MEM_PRIVATE
State:                  00002000    MEM_RESERVE
Protect:                00000000
0:015> kb
ChildEBP RetAddr  Args to Child              
0221fd30 73b7cbf3 00000004 00000000 00000068 iccvid!CVDecompress+0x11e(0x73b722cc当前指令地址)
            ↑------------------------------------------↓
0221fd60 73b766c8 0013abc0 00000000 0013de88 iccvid!Decompress+0x11d(0x73b7cbf3)[73b7cbee call iccvid!CVDecompress (73b721ae)的返回地址]
            ↑------------------------------------------↓
0221fdac 73b41938 0013abc0 00000001 0000400d iccvid!DriverProc+0x1bf(0x73b766c8)[73b766c3 call iccvid!Decompress (73b7cad6)的返回地址]
......

(a1c.630): Break instruction exception - code 80000003 (first chance)
eax=7ffde000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c92120e esp=01b6ffcc ebp=01b6fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c92120e cc              int     3
0:008> sxe ld:iccvid                                                            ; 在加载iccvid.dll时中断
0:008> g
ModLoad: 73b70000 73b87000   C:\WINDOWS\system32\iccvid.dll
eax=00000001 ebx=00000000 ecx=00000044 edx=00092ee0 esi=00000000 edi=00000000
eip=7c92e4f4 esp=01f6e298 ebp=01f6e38c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c92e4f4 c3              ret
0:005> kb
ChildEBP RetAddr  Args to Child              
01c8e294 7c92d50c 7c93bd03 000004ac ffffffff ntdll!KiFastSystemCallRet
01c8e298 7c93bd03 000004ac ffffffff 01c8e370 ntdll!ZwMapViewOfSection+0xc
01c8e38c 7c93624a 00093cb8 01c8e418 01c8e940 ntdll!LdrpMapDll+0x330
01c8e64c 7c9364b3 00000000 00093cb8 01c8e940 ntdll!LdrpLoadDll+0x1e9
01c8e8f4 7c801bbd 00093cb8 01c8e940 01c8e920 ntdll!LdrLoadDll+0x230
WARNING: Stack unwind information not available. Following frames may be wrong.
01c8e95c 7c80aefc 01c8e988 00000000 00000000 kernel32!LoadLibraryExW+0xc8
01c8e970 76b13384 01c8e988 7c9210e0 76b30160 kernel32!LoadLibraryW+0x11
.......
0:010> lm v m iccvid
start    end        module name
73b70000 73b87000   iccvid     (deferred)                                       ; iccvid.dll加载基址
    Image path: C:\WINDOWS\system32\iccvid.dll
    Image name: iccvid.dll
    Timestamp:        Mon Apr 14 10:12:25 2008 (4802BD89)
    CheckSum:         000219FF
    ImageSize:        00017000
    File version:     1.10.0.12
    Product version:  1.10.0.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.8 Driver
    File date:        00000000.00000000
    Translations:     0409.04e4
    CompanyName:      Radius Inc.
    ProductName:      Cinepak for Windows 32
    InternalName:     iccvid
    OriginalFilename: iccvid.drv
    ProductVersion:   1.10.0.0
    FileVersion:      1.10.0.11
    FileDescription:  Cinepak® Codec
    LegalCopyright:   Copyright © 1992-1995 Radius Inc., All Rights Reserved
    LegalTrademarks:  Cinepak® is a trademark of Radius Inc.

0:010> bp 73b7cbee                                                              ; [73b7cbee call iccvid!CVDecompress (73b721ae)]
0:010> bl
 0 e 73b7cbee     0001 (0001)  0:**** iccvid!Decompress+0x118
0:010> g
Breakpoint 0 hit
eax=00000001 ebx=025afd88 ecx=0005e2c0 edx=fffffee0 esi=00127e40 edi=02310050
eip=73b7cbee esp=025afd38 ebp=025afd60 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!Decompress+0x118:
73b7cbee e8bb55ffff      call    iccvid!CVDecompress (73b721ae)
0:013> t
eax=00000001 ebx=025afd88 ecx=0005e2c0 edx=fffffee0 esi=00127e40 edi=02310050
eip=73b721ae esp=025afd34 ebp=025afd60 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress:
73b721ae 8bff            mov     edi,edi
0:013> p
eax=00000001 ebx=025afd88 ecx=0005e2c0 edx=fffffee0 esi=00127e40 edi=02310050
eip=73b721b0 esp=025afd34 ebp=025afd60 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x2:
73b721b0 55              push    ebp
0:013> 
eax=00000001 ebx=025afd88 ecx=0005e2c0 edx=fffffee0 esi=00127e40 edi=02310050
eip=73b721b1 esp=025afd30 ebp=025afd60 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x3:
73b721b1 8bec            mov     ebp,esp
0:013> p
eax=00000001 ebx=025afd88 ecx=0005e2c0 edx=fffffee0 esi=00127e40 edi=02310050
eip=73b721b3 esp=025afd30 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x5:
73b721b3 83ec20          sub     esp,20h
0:013> p
eax=00000001 ebx=025afd88 ecx=0005e2c0 edx=fffffee0 esi=00127e40 edi=02310050
eip=73b721b6 esp=025afd10 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x8:
73b721b6 53              push    ebx
0:013> p
eax=00000001 ebx=025afd88 ecx=0005e2c0 edx=fffffee0 esi=00127e40 edi=02310050
eip=73b721b7 esp=025afd0c ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x9:
73b721b7 8b5d08          mov     ebx,dword ptr [ebp+8] ss:0023:025afd38=001535b0    ; ebx = a1 = 0x001535b0
0:013> p
eax=00000001 ebx=001535b0 ecx=0005e2c0 edx=fffffee0 esi=00127e40 edi=02310050
eip=73b721ba esp=025afd0c ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0xc:
73b721ba 56              push    esi
0:013> p
eax=00000001 ebx=001535b0 ecx=0005e2c0 edx=fffffee0 esi=00127e40 edi=02310050
eip=73b721bb esp=025afd08 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0xd:
73b721bb 8b7324          mov     esi,dword ptr [ebx+24h] ds:0023:001535d4=00000000  ; esi = [0x001535b0+0x24] = 0x00000000
0:013> p
eax=00000001 ebx=001535b0 ecx=0005e2c0 edx=fffffee0 esi=00000000 edi=02310050
eip=73b721be esp=025afd08 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x10:
73b721be 57              push    edi
0:013> p
eax=00000001 ebx=001535b0 ecx=0005e2c0 edx=fffffee0 esi=00000000 edi=02310050
eip=73b721bf esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x11:
73b721bf 33ff            xor     edi,edi                                        ; edi = 0x00000000
0:013> p
eax=00000001 ebx=001535b0 ecx=0005e2c0 edx=fffffee0 esi=00000000 edi=00000000
eip=73b721c1 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x13:
73b721c1 3bf7            cmp     esi,edi                                        ; 判断esi是否为0
0:013> p
eax=00000001 ebx=001535b0 ecx=0005e2c0 edx=fffffee0 esi=00000000 edi=00000000
eip=73b721c3 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x15:
73b721c3 741c            je      iccvid!CVDecompress+0x33 (73b721e1)     [br=1] ; 为0则跳转，这里跳转
0:013> p
eax=00000001 ebx=001535b0 ecx=0005e2c0 edx=fffffee0 esi=00000000 edi=00000000
eip=73b721e1 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x33:
73b721e1 33c0            xor     eax,eax                                        ; eax = eax^eax = 0x00000000
0:013> p
eax=00000000 ebx=001535b0 ecx=0005e2c0 edx=fffffee0 esi=00000000 edi=00000000
eip=73b721e3 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x35:
73b721e3 837d1020        cmp     dword ptr [ebp+10h],20h ss:0023:025afd40=00000068  ; 判断a3是否小于0x20,a3为“idx1”索引块中读出的数据块的数据长度，与CVID数据长度应相等
0:013> p
eax=00000000 ebx=001535b0 ecx=0005e2c0 edx=fffffee0 esi=00000000 edi=00000000
eip=73b721e7 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x39:
73b721e7 0f8200020000    jb      iccvid!CVDecompress+0x23f (73b723ed)    [br=0] ; 小于则跳转,这里不跳转
0:013> p
eax=00000000 ebx=001535b0 ecx=0005e2c0 edx=fffffee0 esi=00000000 edi=00000000
eip=73b721ed esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x3f:
73b721ed 8b750c          mov     esi,dword ptr [ebp+0Ch] ss:0023:025afd3c=00ba68f8  ; esi = a2 = 0x00ba68f8,指向cinepak_codec_data1
0:011> dd 00ba6af8
00ba6af8  68000000 20016001 00101000 00001000
00ba6b08  60000000 00206001 00110000 41411000
00ba6b18  41414141 41414141 00114141 41411000
00ba6b28  41414141 41414141 00114141 41411000
00ba6b38  41414141 41414141 00114141 00411000
00ba6b48  31786469 00000010 63643030 00000010
00ba6b58  00000004 00000068 00000000 00000000
00ba6b68  00000000 00000000 00000000 00000000
0:013> p
eax=00000000 ebx=001535b0 ecx=0005e2c0 edx=fffffee0 esi=00ba68f8 edi=00000000
eip=73b721f0 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x42:
73b721f0 8a6601          mov     ah,byte ptr [esi+1]        ds:0023:00ba68f9=00 ; ah = 0x00,CVID数据长度的第3个字节
0:013> p
eax=00000000 ebx=001535b0 ecx=0005e2c0 edx=fffffee0 esi=00ba68f8 edi=00000000
eip=73b721f3 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x45:
73b721f3 0fb64e03        movzx   ecx,byte ptr [esi+3]       ds:0023:00ba68fb=68 ; ecx = 0x00000068,CVID数据长度的第1个字节
0:013> p
eax=00000000 ebx=001535b0 ecx=00000068 edx=fffffee0 esi=00ba68f8 edi=00000000
eip=73b721f7 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x49:
73b721f7 8a4602          mov     al,byte ptr [esi+2]        ds:0023:00ba68fa=00 ; al = 0x00,CVID数据长度的第2个字节
0:013> p
eax=00000000 ebx=001535b0 ecx=00000068 edx=fffffee0 esi=00ba68f8 edi=00000000
eip=73b721fa esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x4c:
73b721fa c1e008          shl     eax,8                                          ; eax = 0x00000000,左移8位
0:013> p
eax=00000000 ebx=001535b0 ecx=00000068 edx=fffffee0 esi=00ba68f8 edi=00000000
eip=73b721fd esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x4f:
73b721fd 0bc1            or      eax,ecx                                        ; 以大端读取CVID数据长度(Length of CVID data)
0:013> p
eax=00000068 ebx=001535b0 ecx=00000068 edx=fffffee0 esi=00ba68f8 edi=00000000
eip=73b721ff esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x51:
73b721ff 394510          cmp     dword ptr [ebp+10h],eax ss:0023:025afd40=00000068 ; a3为从“idx1”索引块中读出的数据块的数据长度,eax为从对应的数据块中读出的数据长度,这里判断它们是否相同
0:013> p
eax=00000068 ebx=001535b0 ecx=00000068 edx=fffffee0 esi=00ba68f8 edi=00000000
eip=73b72202 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x54:
73b72202 0f8cec010000    jl      iccvid!CVDecompress+0x246 (73b723f4)    [br=0] ; 小于则跳转，这里不跳转
0:013> p
eax=00000068 ebx=001535b0 ecx=00000068 edx=fffffee0 esi=00ba68f8 edi=00000000
eip=73b72208 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x5a:
73b72208 8a0e            mov     cl,byte ptr [esi]          ds:0023:00ba68f8=00 ; cl = 0x00,Flags(Frame Header)
0:013> p
eax=00000068 ebx=001535b0 ecx=00000000 edx=fffffee0 esi=00ba68f8 edi=00000000
eip=73b7220a esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x5c:
73b7220a 884d13          mov     byte ptr [ebp+13h],cl      ss:0023:025afd43=00 ; a3的最高字节,a3为“idx1”索引块中读出的数据块的数据长度，Length of CVID data
0:013> p
eax=00000068 ebx=001535b0 ecx=00000000 edx=fffffee0 esi=00ba68f8 edi=00000000
eip=73b7220d esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x5f:
73b7220d 8d4df0          lea     ecx,[ebp-10h]
0:013> p
eax=00000068 ebx=001535b0 ecx=025afd20 edx=fffffee0 esi=00ba68f8 edi=00000000
eip=73b72210 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x62:
73b72210 51              push    ecx                                            ; arg3 = ecx = 0x025afd20,用于保存减去Frame Header的大小后,剩余的数据大小
0:013> p
eax=00000068 ebx=001535b0 ecx=025afd20 edx=fffffee0 esi=00ba68f8 edi=00000000
eip=73b72211 esp=025afd00 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x63:
73b72211 6a0a            push    0Ah                                            ; arg2 = 0xA,Frame Header的大小
0:013> p
eax=00000068 ebx=001535b0 ecx=025afd20 edx=fffffee0 esi=00ba68f8 edi=00000000
eip=73b72213 esp=025afcfc ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x65:
73b72213 50              push    eax                                            ; arg1 = 0x00000068,CVID数据长度
0:013> p
eax=00000068 ebx=001535b0 ecx=025afd20 edx=fffffee0 esi=00ba68f8 edi=00000000
eip=73b72214 esp=025afcf8 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x66:
73b72214 e86dffffff      call    iccvid!ULongSub (73b72186)                     ; 如果arg1>=arg2,则返回0,且计算出减去Frame Header的大小后,剩余的数据大小,否则返回一个负数
0:013> p
eax=00000000 ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba68f8 edi=00000000
eip=73b72219 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x6b:
73b72219 85c0            test    eax,eax                                        ; eax = 0x0
0:013> p
eax=00000000 ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba68f8 edi=00000000
eip=73b7221b esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x6d:
73b7221b 0f8cd3010000    jl      iccvid!CVDecompress+0x246 (73b723f4)    [br=0] ; 小于则跳转，这里不跳转
0:013> p
eax=00000000 ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba68f8 edi=00000000
eip=73b72221 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x73:
73b72221 33c0            xor     eax,eax                                        ; eax = eax^eax = 0x00000000
0:013> p
eax=00000000 ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba68f8 edi=00000000
eip=73b72223 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x75:
73b72223 8a6608          mov     ah,byte ptr [esi+8]        ds:0023:00ba6900=00 ; ah = 0x00,Number of coded strips的高位字节
0:013> p
eax=00000000 ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba68f8 edi=00000000
eip=73b72226 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x78:
73b72226 83c60a          add     esi,0Ah                                        ; esi = 0x00ba6902,指向cinepak_codec_data2
0:011> dd 00ba6902 
00ba6902  10000010 00000000 60016000 00000020
00ba6912  10000011 41414141 41414141 41414141
00ba6922  10000011 41414141 41414141 41414141
00ba6932  10000011 41414141 41414141 41414141
00ba6942  10000011 64690041 00103178 30300000
00ba6952  00106364 00040000 00680000 00000000
00ba6962  00000000 00000000 00000000 00000000
00ba6972  00000000 00000000 00000000 00000000
0:013> p
eax=00000000 ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba6902 edi=00000000
eip=73b72229 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
iccvid!CVDecompress+0x7b:
73b72229 897dec          mov     dword ptr [ebp-14h],edi ss:0023:025afd1c=0236f648  ; edi = 0x00000000
0:013> p
eax=00000000 ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba6902 edi=00000000
eip=73b7222c esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
iccvid!CVDecompress+0x7e:
73b7222c 8975e8          mov     dword ptr [ebp-18h],esi ss:0023:025afd18=00000120  ; [ebp-18h] = esi = 0x00ba6902,指向cinepak_codec_data2
0:013> p
eax=00000000 ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba6902 edi=00000000
eip=73b7222f esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
iccvid!CVDecompress+0x81:
73b7222f 8975f4          mov     dword ptr [ebp-0Ch],esi ss:0023:025afd24=00000004 ; [ebp-0Ch] = esi = 0x00ba6902,指向cinepak_codec_data2
0:013> p
eax=00000000 ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba6902 edi=00000000
eip=73b72232 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
iccvid!CVDecompress+0x84:
73b72232 8a46ff          mov     al,byte ptr [esi-1]        ds:0023:00ba6901=10     ; al = 0x10,Number of coded strips的低位字节
0:013> dd 00ba6902 
00ba6902  10000010 00000000 60016000 00000020
00ba6912  10000011 41414141 41414141 41414141
00ba6922  10000011 41414141 41414141 41414141
00ba6932  10000011 41414141 41414141 41414141
00ba6942  10000011 64690041 00103178 30300000
00ba6952  00106364 00040000 00680000 00000000
00ba6962  00000000 00000000 00000000 00000000
00ba6972  00000000 00000000 00000000 00000000
0:013> p
eax=00000010 ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba6902 edi=00000000
eip=73b72235 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
iccvid!CVDecompress+0x87:
73b72235 3bc7            cmp     eax,edi                                        ; 判断Number of coded strips是否大于0
0:013> p
eax=00000010 ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba6902 edi=00000000
eip=73b72237 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x89:
73b72237 8945e4          mov     dword ptr [ebp-1Ch],eax ss:0023:025afd14=00000001 ; [ebp-1Ch] = eax = 0x10,Number of coded strips
0:013> p
eax=00000010 ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba6902 edi=00000000
eip=73b7223a esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x8c:
73b7223a 0f8eaa010000    jle     iccvid!CVDecompress+0x23c (73b723ea)    [br=0] ; 小于等于则跳转，这里不跳转
0:013> p
eax=00000010 ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba6902 edi=00000000
eip=73b72240 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x92:
73b72240 897dfc          mov     dword ptr [ebp-4],edi ss:0023:025afd2c=00000150 ; 局部变量[ebp-4]赋值为0,堆缓冲区指针偏移

----------------------------------------------------------------------------------------------------------------------------

0:013> p
eax=00000010 ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba6902 edi=00000000
eip=73b72243 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x95:
73b72243 8b45f0          mov     eax,dword ptr [ebp-10h] ss:0023:025afd20=0000005e ; 未解压缩的数据长度，开始时等于PoC中cinepak_codec_data2和idx_tag字节数之和
0:013> p
eax=0000005e ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba6902 edi=00000000
eip=73b72246 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x98:
73b72246 83f816          cmp     eax,16h                                        ; 判断未解压的数据长度是否小于0x16,
0:013> p
eax=0000005e ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba6902 edi=00000000
eip=73b72249 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x9b:
73b72249 0f829b010000    jb      iccvid!CVDecompress+0x23c (73b723ea)    [br=0] ; 小于则跳转，这里不跳转
0:013> p
eax=0000005e ebx=001535b0 ecx=0000005e edx=025afd20 esi=00ba6902 edi=00000000
eip=73b7224f esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xa1:
73b7224f 0fb65603        movzx   edx,byte ptr [esi+3]       ds:0023:00ba6905=10 ; edx = 0x10,Size of strip data的低位字节
0:013> p
eax=0000005e ebx=001535b0 ecx=0000005e edx=00000010 esi=00ba6902 edi=00000000
eip=73b72253 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xa5:
73b72253 33c9            xor     ecx,ecx                                        ; ecx = ecx^ecx = 0x00000000
0:013> p
eax=0000005e ebx=001535b0 ecx=00000000 edx=00000010 esi=00ba6902 edi=00000000
eip=73b72255 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xa7:
73b72255 8a6e01          mov     ch,byte ptr [esi+1]        ds:0023:00ba6903=00 ; ch = 0x00,Strip CVID ID的低位字节
0:013> p
eax=0000005e ebx=001535b0 ecx=00000000 edx=00000010 esi=00ba6902 edi=00000000
eip=73b72258 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xaa:
73b72258 8a4e02          mov     cl,byte ptr [esi+2]        ds:0023:00ba6904=00 ; cl = 0x00,Size of strip data的高位字节
0:013> p
eax=0000005e ebx=001535b0 ecx=00000000 edx=00000010 esi=00ba6902 edi=00000000
eip=73b7225b esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xad:
73b7225b c1e108          shl     ecx,8                                          ; ecx = 0x00000000,左移8位
0:013> p
eax=0000005e ebx=001535b0 ecx=00000000 edx=00000010 esi=00ba6902 edi=00000000
eip=73b7225e esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xb0:
73b7225e 0bca            or      ecx,edx                                        ; 以大端读取Size of strip data
0:013> p
eax=0000005e ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6902 edi=00000000
eip=73b72260 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0xb2:
73b72260 3bc1            cmp     eax,ecx                                        ; 判断未解压缩的数据长度是否大于Size of strip data
0:013> p
eax=0000005e ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6902 edi=00000000
eip=73b72262 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xb4:
73b72262 894df8          mov     dword ptr [ebp-8],ecx ss:0023:025afd28=00000004 ; [ebp-8] = ecx = 0x10,Size of strip data
0:013> p
eax=0000005e ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6902 edi=00000000
eip=73b72265 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xb7:
73b72265 0f827f010000    jb      iccvid!CVDecompress+0x23c (73b723ea)    [br=0] ; 小于则跳转，这里不跳转
0:013> p
eax=0000005e ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6902 edi=00000000
eip=73b7226b esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xbd:
73b7226b 8a06            mov     al,byte ptr [esi]          ds:0023:00ba6902=10 ; al = 0x10,Strip CVID ID的高位字节
0:013> p
eax=00000010 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6902 edi=00000000
eip=73b7226d esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xbf:
73b7226d 3c10            cmp     al,10h                                         ; 判断Strip CVID ID的高位字节是否为0x10
0:013> p
eax=00000010 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6902 edi=00000000
eip=73b7226f esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xc1:
73b7226f 7408            je      iccvid!CVDecompress+0xcb (73b72279)     [br=1] ; 相等则跳转，这里跳转
0:013> p
eax=00000010 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6902 edi=00000000
eip=73b72279 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xcb:
73b72279 8d4508          lea     eax,[ebp+8]                                    ; eax = 0x025afd38,a1地址,a1 = 0x001535b0
0:013> p
eax=025afd38 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6902 edi=00000000
eip=73b7227c esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xce:
73b7227c 50              push    eax                                            ; arg3 = eax = 0x025afd38,保存减去Strip Header大小后的数据大小
0:013> p
eax=025afd38 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6902 edi=00000000
eip=73b7227d esp=025afd00 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xcf:
73b7227d 6a0c            push    0Ch                                            ; arg2 = 0xC,Strip Header大小
0:013> p
eax=025afd38 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6902 edi=00000000
eip=73b7227f esp=025afcfc ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xd1:
73b7227f ff75f8          push    dword ptr [ebp-8]    ss:0023:025afd28=00000010 ; arg1 = 0x10,Size of strip data
0:013> p
eax=025afd38 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6902 edi=00000000
eip=73b72282 esp=025afcf8 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xd4:
73b72282 e8fffeffff      call    iccvid!ULongSub (73b72186)                     ; 如果arg1>=arg2,则返回0,且计算出减去Strip Header的大小后,剩余的数据大小,否则返回一个负数
0:013> p
eax=00000000 ebx=001535b0 ecx=00000004 edx=025afd38 esi=00ba6902 edi=00000000
eip=73b72287 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xd9:
73b72287 85c0            test    eax,eax                                        ; eax = 0x0
0:013> p
eax=00000000 ebx=001535b0 ecx=00000004 edx=025afd38 esi=00ba6902 edi=00000000
eip=73b72289 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xdb:
73b72289 0f8c65010000    jl      iccvid!CVDecompress+0x246 (73b723f4)    [br=0] ; 小于则跳转，这里不跳转
0:013> p
eax=00000000 ebx=001535b0 ecx=00000004 edx=025afd38 esi=00ba6902 edi=00000000
eip=73b7228f esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xe1:
73b7228f 33c0            xor     eax,eax                                        ; eax = 0x00000000
0:013> p
eax=00000000 ebx=001535b0 ecx=00000004 edx=025afd38 esi=00ba6902 edi=00000000
eip=73b72291 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xe3:
73b72291 8a6608          mov     ah,byte ptr [esi+8]        ds:0023:00ba690a=00 ; ah = 0x00,Strips bottom Y position的高位字节
0:013> p
eax=00000000 ebx=001535b0 ecx=00000004 edx=025afd38 esi=00ba6902 edi=00000000
eip=73b72294 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xe6:
73b72294 33c9            xor     ecx,ecx                                        ; ecx = ecx^ecx = 0x00000000
0:013> p
eax=00000000 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6902 edi=00000000
eip=73b72296 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xe8:
73b72296 8a6e04          mov     ch,byte ptr [esi+4]        ds:0023:00ba6906=00 ; ch = 0x00,Strips top Y position的高位字节
0:013> p
eax=00000000 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6902 edi=00000000
eip=73b72299 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xeb:
73b72299 8a4609          mov     al,byte ptr [esi+9]        ds:0023:00ba690b=60 ; al = 0x60,Strips bottom Y position的低位字节
0:013> p
eax=00000060 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6902 edi=00000000
eip=73b7229c esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xee:
73b7229c 8a4e05          mov     cl,byte ptr [esi+5]        ds:0023:00ba6907=00 ; cl = 0x00,Strips top Y position的低位字节
0:013> p
eax=00000060 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6902 edi=00000000
eip=73b7229f esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xf1:
73b7229f 2bc1            sub     eax,ecx                                ; (Strips bottom Y position)-(Strips top Y position)
0:013> p
eax=00000060 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6902 edi=00000000
eip=73b722a1 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xf3:
73b722a1 660faf432e      imul    ax,word ptr [ebx+2Eh]    ds:0023:001535de=0001 ; ebx = a1 = 0x001535b0
0:013> p
eax=00000060 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6902 edi=00000000
eip=73b722a6 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xf8:
73b722a6 89450c          mov     dword ptr [ebp+0Ch],eax ss:0023:025afd3c=00ba68f8 ; a2 = eax = 0x60 = [(Strips bottom Y position)-(Strips top Y position)]*1
0:013> p
eax=00000060 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6902 edi=00000000
eip=73b722a9 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xfb:
73b722a9 8b45fc          mov     eax,dword ptr [ebp-4] ss:0023:025afd2c=00000000 ; eax = 0x00000000,堆缓冲区指针偏移
0:013> p
eax=00000000 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6902 edi=00000000
eip=73b722ac esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xfe:
73b722ac 3bc7            cmp     eax,edi                                        ; 判断局部变量[ebp-4]是否为0
0:013> p
eax=00000000 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6902 edi=00000000
eip=73b722ae esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x100:
73b722ae 7421            je      iccvid!CVDecompress+0x123 (73b722d1)    [br=1] ; 为0则跳转，这里跳转
0:013> p
eax=00000000 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6902 edi=00000000
eip=73b722d1 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x123:
73b722d1 8b7df4          mov     edi,dword ptr [ebp-0Ch] ss:0023:025afd24=00ba6902 ; edi = [ebp-0xC] = 0x00ba6902,指向cinepak_codec_data2
0:013> p
eax=00000000 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6902 edi=00ba6902
eip=73b722d4 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x126:
73b722d4 8b4320          mov     eax,dword ptr [ebx+20h] ds:0023:001535d0=001535f8 ; ebx = a1 = 0x001535b0,eax = 0x001535f8,堆缓冲区数据区域首地址
0:013> p
eax=001535f8 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6902 edi=00ba6902
eip=73b722d7 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x129:
73b722d7 83c70c          add     edi,0Ch                                        ; edi = edi+0xC = 0x00ba690e,指向第1个CVID Chunk ID
0:013> p
eax=001535f8 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6902 edi=00ba690e
eip=73b722da esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x12c:
73b722da 0345fc          add     eax,dword ptr [ebp-4] ss:0023:025afd2c=00000000 ; eax = 0x001535f8(堆缓冲区数据区域首地址),[ebp-4] = 0x0(堆缓冲区指针偏移)
0:013> p
eax=001535f8 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6902 edi=00ba690e
eip=73b722dd esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x12f:
73b722dd 8d4e0c          lea     ecx,[esi+0Ch]                                  ; ecx = 0x00ba690e,指向第1个CVID Chunk ID
0:013> p
eax=001535f8 ebx=001535b0 ecx=00ba690e edx=025afd38 esi=00ba6902 edi=00ba690e
eip=73b722e0 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x132:
73b722e0 894338          mov     dword ptr [ebx+38h],eax ds:0023:001535e8=00000000 ; eax = 0x001535f8,堆缓冲区数据区域首地址
0:013> p
eax=001535f8 ebx=001535b0 ecx=00ba690e edx=025afd38 esi=00ba6902 edi=00ba690e
eip=73b722e3 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x135:
73b722e3 8b4520          mov     eax,dword ptr [ebp+20h] ss:0023:025afd50=00000540 ; eax = a7 = 0x540
0:013> p
eax=00000540 ebx=001535b0 ecx=00ba690e edx=025afd38 esi=00ba6902 edi=00ba690e
eip=73b722e6 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x138:
73b722e6 894de8          mov     dword ptr [ebp-18h],ecx ss:0023:025afd18=00ba6902 ; [ebp-18h] = ecx = 0x00ba690e,指向第1个CVID Chunk ID
0:013> p
eax=00000540 ebx=001535b0 ecx=00ba690e edx=025afd38 esi=00ba6902 edi=00ba690e
eip=73b722e9 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x13b:
73b722e9 89433c          mov     dword ptr [ebx+3Ch],eax ds:0023:001535ec=00000000 ; eax = a7 = 0x540
0:013> p
eax=00000540 ebx=001535b0 ecx=00ba690e edx=025afd38 esi=00ba6902 edi=00ba690e
eip=73b722ec esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x13e:
73b722ec e9be000000      jmp     iccvid!CVDecompress+0x201 (73b723af)
0:013> p
eax=00000540 ebx=001535b0 ecx=00ba690e edx=025afd38 esi=00ba6902 edi=00ba690e
eip=73b723af esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x201:
73b723af 837d0804        cmp     dword ptr [ebp+8],4  ss:0023:025afd38=00000004 ; 判断Size of strip data减去Strip Header大小后的数据大小是否大于等于4
0:013> p
eax=00000540 ebx=001535b0 ecx=00ba690e edx=025afd38 esi=00ba6902 edi=00ba690e
eip=73b723b3 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x205:
73b723b3 0f8338ffffff    jae     iccvid!CVDecompress+0x143 (73b722f1)    [br=1] ; 大于等于则跳转，这里跳转
0:013> p
eax=00000540 ebx=001535b0 ecx=00ba690e edx=025afd38 esi=00ba6902 edi=00ba690e
eip=73b722f1 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x143:
73b722f1 0fb64103        movzx   eax,byte ptr [ecx+3]       ds:0023:00ba6911=00 ; ecx = 0x00ba690e,指向第1个CVID Chunk ID,eax = 0x00,Size of chunk data的低位字节
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=025afd38 esi=00ba6902 edi=00ba690e
eip=73b722f5 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x147:
73b722f5 33d2            xor     edx,edx                                        ; edx = edx^edx = 0x00000000
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b722f7 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x149:
73b722f7 8a7101          mov     dh,byte ptr [ecx+1]        ds:0023:00ba690f=00 ; dh = 0x00,第1个CVID Chunk ID的低位字节
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b722fa esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x14c:
73b722fa 8a5102          mov     dl,byte ptr [ecx+2]        ds:0023:00ba6910=00 ; dl = 0x00,Size of chunk data的高位字节
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b722fd esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x14f:
73b722fd c1e208          shl     edx,8                                          ; edx = 0x00000000,左移8位
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b72300 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x152:
73b72300 0bd0            or      edx,eax                                        ; 以大端读取Size of chunk data
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b72302 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x154:
73b72302 395508          cmp     dword ptr [ebp+8],edx ss:0023:025afd38=00000004 ; 判断Size of strip data减去Strip Header大小后的数据大小是否小于Size of chunk data
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b72305 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x157:
73b72305 8955e0          mov     dword ptr [ebp-20h],edx ss:0023:025afd10=00000000 ; [ebp-20h] = edx = 0x00000000,Size of chunk data
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b72308 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x15a:
73b72308 0f82ab000000    jb      iccvid!CVDecompress+0x20b (73b723b9)    [br=0] ; 小于则跳转，这里不跳转
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b7230e esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x160:
73b7230e 0fb601          movzx   eax,byte ptr [ecx]         ds:0023:00ba690e=20 ; eax = 0x00000020,第1个CVID Chunk ID的高位字节
0:013> p
eax=00000020 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b72311 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x163:
73b72311 83c0e0          add     eax,0FFFFFFE0h     ; switch cases,0x20+0xFFFFFFE0=0x0,0x32+0xFFFFFFE0=0x12
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b72314 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000247
iccvid!CVDecompress+0x166:
73b72314 83f812          cmp     eax,12h                                        ; eax>0x12,则第1个CVID Chunk ID的高位字节大于0x32
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b72317 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
iccvid!CVDecompress+0x169:
73b72317 777d            ja      iccvid!CVDecompress+0x1e8 (73b72396)    [br=0] ; 大于则跳转，default case，这里不跳转
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b72319 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
iccvid!CVDecompress+0x16b:
73b72319 0fb6801024b773  movzx   eax,byte ptr iccvid!CVDecompress+0x262 (73b72410)[eax] ds:0023:73b72410=00 ; indirect table for switch statement
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b72320 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
iccvid!CVDecompress+0x172:
73b72320 ff2485f823b773  jmp     dword ptr iccvid!CVDecompress+0x24a (73b723f8)[eax*4] ds:0023:73b723f8=73b72327 ; jump table for switch statement
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b72327 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
iccvid!CVDecompress+0x179:
73b72327 ff7330          push    dword ptr [ebx+30h]  ds:0023:001535e0=00000000 ; arg4,ebx = a1 = 0x001535b0
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b7232a esp=025afd00 ebp=025afd30 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
iccvid!CVDecompress+0x17c: 
73b7232a ff7334          push    dword ptr [ebx+34h]  ds:0023:001535e4=001595f8 ; arg3,ebx = a1 = 0x001535b0,0x001595f8为堆块数据区域尾指针
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b7232d esp=025afcfc ebp=025afd30 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
iccvid!CVDecompress+0x17f:
73b7232d ff7338          push    dword ptr [ebx+38h]  ds:0023:001535e8=001535f8 ; arg2,ebx = a1 = 0x001535b0,0x001535f8为堆块数据区域首指针
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b72330 esp=025afcf8 ebp=025afd30 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
iccvid!CVDecompress+0x182:
73b72330 57              push    edi                                            ; arg1,edi = 0x00ba690e,指向第1个CVID Chunk ID
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b72331 esp=025afcf4 ebp=025afd30 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
iccvid!CVDecompress+0x183:
73b72331 ff13            call    dword ptr [ebx]      ds:0023:001535b0={iccvid!ExpandCodeBook32 (73b79f3b)} ; 展开Codebooks
0:013> p
eax=00000000 ebx=001535b0 ecx=00000000 edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b72333 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x185:
73b72333 eb61            jmp     iccvid!CVDecompress+0x1e8 (73b72396)           ; switch代码块之后的代码块
0:013> p
eax=00000000 ebx=001535b0 ecx=00000000 edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b72396 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x1e8:
73b72396 8b55e0          mov     edx,dword ptr [ebp-20h] ss:0023:025afd10=00000000 ; edx = [ebp-20h] = 0x00000000,Size of chunk data
0:013> p
eax=00000000 ebx=001535b0 ecx=00000000 edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b72399 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x1eb:
73b72399 8b4de8          mov     ecx,dword ptr [ebp-18h] ss:0023:025afd18=00ba690e ; ecx = [ebp-18h] = 0x00ba690e,指向第1个CVID Chunk ID
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b7239c esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x1ee:
73b7239c 33c0            xor     eax,eax                                        ; eax = eax^eax = 0x00000000
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b7239e esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x1f0:
73b7239e 03ca            add     ecx,edx                                        ; ecx指向第1个CVID Chunk ID,edx为Size of chunk data
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b723a0 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x1f2:
73b723a0 40              inc     eax                                            ; eax = eax+1 = 0x1
0:013> p
eax=00000001 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b723a1 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x1f3:
73b723a1 03fa            add     edi,edx                                        ; edi指向第1个CVID Chunk ID,edx为Size of chunk data
0:013> p
eax=00000001 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b723a3 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x1f5:
73b723a3 3bd0            cmp     edx,eax                                        ; edx为Size of chunk data,判断其是否大于1
0:013> p
eax=00000001 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b723a5 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
iccvid!CVDecompress+0x1f7:
73b723a5 894de8          mov     dword ptr [ebp-18h],ecx ss:0023:025afd18=00ba690e ; ecx指向第1个CVID Chunk ID
0:013> p
eax=00000001 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b723a8 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
iccvid!CVDecompress+0x1fa:
73b723a8 7602            jbe     iccvid!CVDecompress+0x1fe (73b723ac)    [br=1] ; 小于等于则跳转，这里跳转
0:013> p
eax=00000001 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b723ac esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
iccvid!CVDecompress+0x1fe:
73b723ac 294508          sub     dword ptr [ebp+8],eax ss:0023:025afd38=00000004 ; 
0:013> p
eax=00000001 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b723af esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x201:
73b723af 837d0804        cmp     dword ptr [ebp+8],4  ss:0023:025afd38=00000003 ; 判断(Size of strip data减去Strip Header大小后的数据大小-Size of chunk data)是否大于等于4
0:013> p
eax=00000001 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b723b3 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
iccvid!CVDecompress+0x205:
73b723b3 0f8338ffffff    jae     iccvid!CVDecompress+0x143 (73b722f1)    [br=0] ; 大于等于则跳转，这里不跳转
0:013> p
eax=00000001 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b723b9 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
iccvid!CVDecompress+0x20b:
73b723b9 0fbf450c        movsx   eax,word ptr [ebp+0Ch]   ss:0023:025afd3c=0060 ; eax = a2 = 0x60 = (Strips bottom Y position)-(Strips top Y position)
0:013> p
eax=00000060 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b723bd esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
iccvid!CVDecompress+0x20f:
73b723bd 0faf4520        imul    eax,dword ptr [ebp+20h] ss:0023:025afd50=00000540 ; [(Strips bottom Y position)-(Strips top Y position)]*a7
0:013> p
eax=0001f800 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b723c1 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x213:
73b723c1 01451c          add     dword ptr [ebp+1Ch],eax ss:0023:025afd4c=02310050 ; [(Strips bottom Y position)-(Strips top Y position)]*a7+a6
0:013> p
eax=0001f800 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b723c4 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x216:
73b723c4 ff45ec          inc     dword ptr [ebp-14h]  ss:0023:025afd1c=00000000 ; [ebp-14h]++,coded strip计数器
0:013> p
eax=0001f800 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b723c7 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x219:
73b723c7 8145fc00200000  add     dword ptr [ebp-4],2000h ss:0023:025afd2c=00000000 ; [ebp-4] = [ebp-4]+0x2000 = 0+0x2000 = 0x2000,堆缓冲区指针偏移
0:013> p
eax=0001f800 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00ba690e
eip=73b723ce esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x220:
73b723ce 33ff            xor     edi,edi                                        ; edi = edi^edi = 0x00000000
0:013> p
eax=0001f800 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00000000
eip=73b723d0 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x222:
73b723d0 8b45f8          mov     eax,dword ptr [ebp-8] ss:0023:025afd28=00000010 ; eax = [ebp-8] = 0x10,Size of strip data
0:013> p
eax=00000010 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00000000
eip=73b723d3 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x225:
73b723d3 0145f4          add     dword ptr [ebp-0Ch],eax ss:0023:025afd24=00ba6902 ; [ebp-0xC] = [ebp-0xC]+0x10 = 0x00ba6912,指向第2个Strip Header;[ebp-0xC] = 0x00ba6902,指向第1个Strip Header
0:013> p
eax=00000010 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00000000
eip=73b723d6 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x228:
73b723d6 2945f0          sub     dword ptr [ebp-10h],eax ss:0023:025afd20=0000005e ; [ebp-10h] = 0x4e,[ebp-10h]为未解压缩的数据长度，开始时等于PoC中cinepak_codec_data2和idx_tag字节数之和,这里算出剩余未解压缩的数据长度
0:013> p
eax=00000010 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6902 edi=00000000
eip=73b723d9 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x22b:
73b723d9 03f0            add     esi,eax                                        ; esi指向cinepak_codec_data2(指向第1个Strip Header)，eax为Size of strip data，这里移动数据指针,指向第2个Strip Header
0:013> p
eax=00000010 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6912 edi=00000000
eip=73b723db esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x22d:
73b723db 8b45e4          mov     eax,dword ptr [ebp-1Ch] ss:0023:025afd14=00000010 ; eax = [ebp-1Ch] = 0x10,Number of coded strips
0:013> p
eax=00000010 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6912 edi=00000000
eip=73b723de esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x230:
73b723de 3945ec          cmp     dword ptr [ebp-14h],eax ss:0023:025afd1c=00000001 ; [ebp-14h]为coded strips计数器,eax为Number of coded strips
0:013> p
eax=00000010 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6912 edi=00000000
eip=73b723e1 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000283
iccvid!CVDecompress+0x233:
73b723e1 8975e8          mov     dword ptr [ebp-18h],esi ss:0023:025afd18=00ba690e ; [ebp-18h] = esi = 0x00ba6912,指向第2个Strip Header
0:013> p
eax=00000010 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6912 edi=00000000
eip=73b723e4 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000283
iccvid!CVDecompress+0x236:
73b723e4 0f8c59feffff    jl      iccvid!CVDecompress+0x95 (73b72243)     [br=1] ; 小于则跳转，这里跳转

----------------------------------------------------------------------------------------------------------------------------

0:013> p
eax=00000010 ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6912 edi=00000000
eip=73b72243 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000283
iccvid!CVDecompress+0x95:
73b72243 8b45f0          mov     eax,dword ptr [ebp-10h] ss:0023:025afd20=0000004e ; [ebp-10h]为剩余未解压缩的数据长度
0:013> p
eax=0000004e ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6912 edi=00000000
eip=73b72246 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000283
iccvid!CVDecompress+0x98:
73b72246 83f816          cmp     eax,16h                                        ; 判断未解压的数据长度是否小于0x16,
0:013> p
eax=0000004e ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6912 edi=00000000
eip=73b72249 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x9b:
73b72249 0f829b010000    jb      iccvid!CVDecompress+0x23c (73b723ea)    [br=0] ; 小于则跳转，这里不跳转
0:013> p
eax=0000004e ebx=001535b0 ecx=00ba690e edx=00000000 esi=00ba6912 edi=00000000
eip=73b7224f esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0xa1:
73b7224f 0fb65603        movzx   edx,byte ptr [esi+3]       ds:0023:00ba6915=10 ; edx = 0x10,第2个Size of strip data的低位字节
0:013> p
eax=0000004e ebx=001535b0 ecx=00ba690e edx=00000010 esi=00ba6912 edi=00000000
eip=73b72253 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0xa5:
73b72253 33c9            xor     ecx,ecx                                        ; ecx = ecx^ecx = 0x00000000
0:013> p
eax=0000004e ebx=001535b0 ecx=00000000 edx=00000010 esi=00ba6912 edi=00000000
eip=73b72255 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xa7:
73b72255 8a6e01          mov     ch,byte ptr [esi+1]        ds:0023:00ba6913=00 ; ch = 0x00,第2个Strip CVID ID的低位字节
0:013> p
eax=0000004e ebx=001535b0 ecx=00000000 edx=00000010 esi=00ba6912 edi=00000000
eip=73b72258 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xaa:
73b72258 8a4e02          mov     cl,byte ptr [esi+2]        ds:0023:00ba6914=00 ; cl = 0x00,第2个Size of strip data的高位字节
0:013> p
eax=0000004e ebx=001535b0 ecx=00000000 edx=00000010 esi=00ba6912 edi=00000000
eip=73b7225b esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xad:
73b7225b c1e108          shl     ecx,8                                          ; ecx = 0x00000000,左移8位
0:013> p
eax=0000004e ebx=001535b0 ecx=00000000 edx=00000010 esi=00ba6912 edi=00000000
eip=73b7225e esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xb0:
73b7225e 0bca            or      ecx,edx                                        ; 以大端读取Size of strip data
0:013> p
eax=0000004e ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6912 edi=00000000
eip=73b72260 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0xb2:
73b72260 3bc1            cmp     eax,ecx                                ; 判断剩余未解压缩的数据长度是否大于Size of strip data
0:013> p
eax=0000004e ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6912 edi=00000000
eip=73b72262 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0xb4:
73b72262 894df8          mov     dword ptr [ebp-8],ecx ss:0023:025afd28=00000010 ; [ebp-8] = ecx = 0x10,Size of strip data
0:013> p
eax=0000004e ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6912 edi=00000000
eip=73b72265 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0xb7:
73b72265 0f827f010000    jb      iccvid!CVDecompress+0x23c (73b723ea)    [br=0] ; 小于则跳转，这里不跳转
0:013> p
eax=0000004e ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6912 edi=00000000
eip=73b7226b esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0xbd:
73b7226b 8a06            mov     al,byte ptr [esi]          ds:0023:00ba6912=11 ; al = 0x11,Strip CVID ID的高位字节
0:013> p
eax=00000011 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6912 edi=00000000
eip=73b7226d esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0xbf:
73b7226d 3c10            cmp     al,10h                                         ; 判断Strip CVID ID的高位字节是否为0x10
0:013> p
eax=00000011 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6912 edi=00000000
eip=73b7226f esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0xc1:
73b7226f 7408            je      iccvid!CVDecompress+0xcb (73b72279)     [br=0] ; 相等则跳转，这里不跳转
0:013> p
eax=00000011 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6912 edi=00000000
eip=73b72271 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0xc3:
73b72271 3c11            cmp     al,11h                                         ; 判断Strip CVID ID的高位字节是否为0x11
0:013> p
eax=00000011 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6912 edi=00000000
eip=73b72273 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xc5:
73b72273 0f8557010000    jne     iccvid!CVDecompress+0x222 (73b723d0)    [br=0] ; 不相等则跳转，这里不跳转
0:013> p
eax=00000011 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6912 edi=00000000
eip=73b72279 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xcb:
73b72279 8d4508          lea     eax,[ebp+8]                                    ; eax = 0x025afd38,a1地址,a1 = 0x001535b0
0:013> p
eax=025afd38 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6912 edi=00000000
eip=73b7227c esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xce:
73b7227c 50              push    eax                                            ; arg3 = eax = 0x025afd38,保存减去Strip Header大小后的数据大小
0:013> p
eax=025afd38 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6912 edi=00000000
eip=73b7227d esp=025afd00 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xcf:
73b7227d 6a0c            push    0Ch                                            ; arg2 = 0xC,Strip Header大小
0:013> p
eax=025afd38 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6912 edi=00000000
eip=73b7227f esp=025afcfc ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xd1:
73b7227f ff75f8          push    dword ptr [ebp-8]    ss:0023:025afd28=00000010 ; arg1 = 0x10,Size of strip data
0:013> p
eax=025afd38 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6912 edi=00000000
eip=73b72282 esp=025afcf8 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xd4:
73b72282 e8fffeffff      call    iccvid!ULongSub (73b72186)                     ; 如果arg1>=arg2,则返回0,且计算出减去Strip Header的大小后,剩余的数据大小,否则返回一个负数
0:013> p
eax=00000000 ebx=001535b0 ecx=00000004 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b72287 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xd9:
73b72287 85c0            test    eax,eax                                        ; eax = 0x0
0:013> p
eax=00000000 ebx=001535b0 ecx=00000004 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b72289 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xdb:
73b72289 0f8c65010000    jl      iccvid!CVDecompress+0x246 (73b723f4)    [br=0] ; 小于则跳转，这里不跳转
0:013> p
eax=00000000 ebx=001535b0 ecx=00000004 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b7228f esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xe1:
73b7228f 33c0            xor     eax,eax                                        ; eax = eax^eax = 0x00000000
0:013> p
eax=00000000 ebx=001535b0 ecx=00000004 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b72291 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xe3:
73b72291 8a6608          mov     ah,byte ptr [esi+8]        ds:0023:00ba691a=41 ; ah = 0x41,Strips bottom Y position的高位字节
0:013> p
eax=00004100 ebx=001535b0 ecx=00000004 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b72294 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xe6:
73b72294 33c9            xor     ecx,ecx                                        ; ecx = ecx^ecx = 0x00000000
0:013> p
eax=00004100 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b72296 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xe8:
73b72296 8a6e04          mov     ch,byte ptr [esi+4]        ds:0023:00ba6916=41 ; ch = 0x41,Strips top Y position的高位字节
0:013> p
eax=00004100 ebx=001535b0 ecx=00004100 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b72299 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xeb:
73b72299 8a4609          mov     al,byte ptr [esi+9]        ds:0023:00ba691b=41 ; al = 0x41,Strips bottom Y position的低位字节
0:013> p
eax=00004141 ebx=001535b0 ecx=00004100 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b7229c esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xee:
73b7229c 8a4e05          mov     cl,byte ptr [esi+5]        ds:0023:00ba6917=41 ; cl = 0x41,Strips top Y position的低位字节
0:013> p
eax=00004141 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b7229f esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xf1:
73b7229f 2bc1            sub     eax,ecx                                    ; (Strips bottom Y position)-(Strips top Y position)
0:013> p
eax=00000000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b722a1 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xf3:
73b722a1 660faf432e      imul    ax,word ptr [ebx+2Eh]    ds:0023:001535de=0001 ; ebx = a1 = 0x001535b0,[(Strips bottom Y position)-(Strips top Y position)]*1
0:013> p
eax=00000000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b722a6 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xf8:
73b722a6 89450c          mov     dword ptr [ebp+0Ch],eax ss:0023:025afd3c=00000060 ; a2 = eax = 0x00 = [(Strips bottom Y position)-(Strips top Y position)]*1
0:013> p
eax=00000000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b722a9 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xfb:
73b722a9 8b45fc          mov     eax,dword ptr [ebp-4] ss:0023:025afd2c=00002000 ; eax = [ebp-4] = 0x2000,堆缓冲区指针偏移
0:013> p
eax=00002000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b722ac esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xfe:
73b722ac 3bc7            cmp     eax,edi                                        ; 判断局部变量[ebp-4]是否为0
0:013> p
eax=00002000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b722ae esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x100:
73b722ae 7421            je      iccvid!CVDecompress+0x123 (73b722d1)    [br=0] ; 为0则跳转，这里不跳转
0:013> p
eax=00002000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b722b0 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x102:
73b722b0 807d1300        cmp     byte ptr [ebp+13h],0       ss:0023:025afd43=00 ; 判断a3(Len_of_CVID_data)的最高字节是否为0,Frame Header的Flags
0:013> p
eax=00002000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b722b4 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x106:
73b722b4 751b            jne     iccvid!CVDecompress+0x123 (73b722d1)    [br=0] ; 不相等则跳转，这里不跳转
0:013> p
eax=00002000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b722b6 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x108:
73b722b6 803e11          cmp     byte ptr [esi],11h         ds:0023:00ba6912=11 ; 判断Strip CVID ID的高位字节是否为0x11
0:013> p
eax=00002000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b722b9 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x10b:
73b722b9 7516            jne     iccvid!CVDecompress+0x123 (73b722d1)    [br=0] ; 不等于则跳转，这里不跳转
0:013> p
eax=00002000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b722bb esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x10d:
73b722bb 8b4b1c          mov     ecx,dword ptr [ebx+1Ch] ds:0023:001535cc=001535f8 ; ebx = a1 = 001535b0,ecx = 0x001535f8,堆块数据区域指针
0:013> p
eax=00002000 ebx=001535b0 ecx=001535f8 edx=025afd38 esi=00ba6912 edi=00000000
eip=73b722be esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x110:
73b722be 8d3c01          lea     edi,[ecx+eax]                                  ; edi = 0x001555f8,堆块数据区域指针增加0x2000
0:013> p
eax=00002000 ebx=001535b0 ecx=001535f8 edx=025afd38 esi=00ba6912 edi=001555f8
eip=73b722c1 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x113:
73b722c1 b900080000      mov     ecx,800h                                       ; ecx = 0x800,复制数据长度0x800*4=0x2000
0:013> p
eax=00002000 ebx=001535b0 ecx=00000800 edx=025afd38 esi=00ba6912 edi=001555f8
eip=73b722c6 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x118:
73b722c6 8db700e0ffff    lea     esi,[edi-2000h]                                ; esi = 0x001535f8,堆块数据区域首指针
0:013> p
eax=00002000 ebx=001535b0 ecx=00000800 edx=025afd38 esi=001535f8 edi=001555f8
eip=73b722cc esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x11e:
73b722cc f3a5            rep movs dword ptr es:[edi],dword ptr [esi]            ; 第1次复制数据
0:013> p
eax=00002000 ebx=001535b0 ecx=00000000 edx=025afd38 esi=001555f8 edi=001575f8
eip=73b722ce esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x120:
73b722ce 8b75e8          mov     esi,dword ptr [ebp-18h] ss:0023:025afd18=00ba6912 ; esi = [ebp-18h] = 0x00ba6912,指向第2个Strip Header
0:013> p
eax=00002000 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6912 edi=001575f8
eip=73b722d1 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x123:
73b722d1 8b7df4          mov     edi,dword ptr [ebp-0Ch] ss:0023:025afd24=00ba6912 ; edi = [ebp-0Ch] = 0x00ba6912,指向第2个Strip Header
0:013> p
eax=00002000 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6912 edi=00ba6912
eip=73b722d4 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x126:
73b722d4 8b4320          mov     eax,dword ptr [ebx+20h] ds:0023:001535d0=001535f8 ; ebx = a1 = 0x001535b0,eax = 0x001535f8,堆块数据区域首指针
0:013> p
eax=001535f8 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6912 edi=00ba6912
eip=73b722d7 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x129:
73b722d7 83c70c          add     edi,0Ch                                        ; edi = edi+0xC = 0x00ba691e,指向第2个CVID Chunk ID
0:013> p
eax=001535f8 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6912 edi=00ba691e
eip=73b722da esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x12c:
73b722da 0345fc          add     eax,dword ptr [ebp-4] ss:0023:025afd2c=00002000 ; eax = 0x001555f8,堆块数据区域指针增加0x2000
0:013> p
eax=001555f8 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6912 edi=00ba691e
eip=73b722dd esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x12f:
73b722dd 8d4e0c          lea     ecx,[esi+0Ch]                                  ; ecx = esi+0xC = 0x00ba691e,指向第2个CVID Chunk ID
0:013> p
eax=001555f8 ebx=001535b0 ecx=00ba691e edx=025afd38 esi=00ba6912 edi=00ba691e
eip=73b722e0 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x132:
73b722e0 894338          mov     dword ptr [ebx+38h],eax ds:0023:001535e8=001535f8 ; [ebx+38h] = eax = 0x001555f8,堆块数据区域指针增加0x2000
0:013> p
eax=001555f8 ebx=001535b0 ecx=00ba691e edx=025afd38 esi=00ba6912 edi=00ba691e
eip=73b722e3 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x135:
73b722e3 8b4520          mov     eax,dword ptr [ebp+20h] ss:0023:025afd50=00000540 ; eax = a7 = 0x540
0:013> p
eax=00000540 ebx=001535b0 ecx=00ba691e edx=025afd38 esi=00ba6912 edi=00ba691e
eip=73b722e6 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x138:
73b722e6 894de8          mov     dword ptr [ebp-18h],ecx ss:0023:025afd18=00ba6912 ; [ebp-18h] = ecx = 00ba691e,指向第2个CVID Chunk ID
0:013> p
eax=00000540 ebx=001535b0 ecx=00ba691e edx=025afd38 esi=00ba6912 edi=00ba691e
eip=73b722e9 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x13b:
73b722e9 89433c          mov     dword ptr [ebx+3Ch],eax ds:0023:001535ec=00000540 ; ebx = a1 = 0x001535b0,[ebx+3Ch] = eax = a7 = 0x540
0:013> p
eax=00000540 ebx=001535b0 ecx=00ba691e edx=025afd38 esi=00ba6912 edi=00ba691e
eip=73b722ec esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x13e:
73b722ec e9be000000      jmp     iccvid!CVDecompress+0x201 (73b723af)           ; 
0:013> p
eax=00000540 ebx=001535b0 ecx=00ba691e edx=025afd38 esi=00ba6912 edi=00ba691e
eip=73b723af esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x201:
73b723af 837d0804        cmp     dword ptr [ebp+8],4  ss:0023:025afd38=00000004 ; 判断Size of strip data减去Strip Header大小后的数据大小是否大于等于4
0:013> p
eax=00000540 ebx=001535b0 ecx=00ba691e edx=025afd38 esi=00ba6912 edi=00ba691e
eip=73b723b3 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x205:
73b723b3 0f8338ffffff    jae     iccvid!CVDecompress+0x143 (73b722f1)    [br=1] ; 大于等于则跳转，这里跳转
0:013> p
eax=00000540 ebx=001535b0 ecx=00ba691e edx=025afd38 esi=00ba6912 edi=00ba691e
eip=73b722f1 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x143:
73b722f1 0fb64103        movzx   eax,byte ptr [ecx+3]       ds:0023:00ba6921=41 ; ecx = 0x00ba691e,指向第2个CVID Chunk ID,eax = 0x41,Size of chunk data的低位字节
0:013> p
eax=00000041 ebx=001535b0 ecx=00ba691e edx=025afd38 esi=00ba6912 edi=00ba691e
eip=73b722f5 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x147:
73b722f5 33d2            xor     edx,edx                                        ; edx = edx^edx = 0x00000000
0:013> p
eax=00000041 ebx=001535b0 ecx=00ba691e edx=00000000 esi=00ba6912 edi=00ba691e
eip=73b722f7 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x149:
73b722f7 8a7101          mov     dh,byte ptr [ecx+1]        ds:0023:00ba691f=41 ; dh = 0x41,第2个CVID Chunk ID的低位字节
0:013> p
eax=00000041 ebx=001535b0 ecx=00ba691e edx=00004100 esi=00ba6912 edi=00ba691e
eip=73b722fa esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x14c:
73b722fa 8a5102          mov     dl,byte ptr [ecx+2]        ds:0023:00ba6920=41 ; dl = 0x41,Size of chunk data的高位字节
0:013> p
eax=00000041 ebx=001535b0 ecx=00ba691e edx=00004141 esi=00ba6912 edi=00ba691e
eip=73b722fd esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x14f:
73b722fd c1e208          shl     edx,8                                          ; edx = 0x00414100,左移8位
0:013> p
eax=00000041 ebx=001535b0 ecx=00ba691e edx=00414100 esi=00ba6912 edi=00ba691e
eip=73b72300 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x152:
73b72300 0bd0            or      edx,eax                                        ; 以大端读取Size of chunk data
0:013> p
eax=00000041 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6912 edi=00ba691e
eip=73b72302 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x154:
73b72302 395508          cmp     dword ptr [ebp+8],edx ss:0023:025afd38=00000004 ; 判断Size of strip data减去Strip Header大小后的数据大小是否小于Size of chunk data
0:013> p
eax=00000041 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6912 edi=00ba691e
eip=73b72305 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000287
iccvid!CVDecompress+0x157:
73b72305 8955e0          mov     dword ptr [ebp-20h],edx ss:0023:025afd10=00000000 ; [ebp-20h] = edx = 0x00414141,Size of chunk data
0:013> p
eax=00000041 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6912 edi=00ba691e
eip=73b72308 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000287
iccvid!CVDecompress+0x15a:
73b72308 0f82ab000000    jb      iccvid!CVDecompress+0x20b (73b723b9)    [br=1] ; 小于则跳转，这里跳转
0:013> p
eax=00000041 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6912 edi=00ba691e
eip=73b723b9 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000287
iccvid!CVDecompress+0x20b:
73b723b9 0fbf450c        movsx   eax,word ptr [ebp+0Ch]   ss:0023:025afd3c=0000 ; eax = a2 = 0x0000 = (Strips bottom Y position)-(Strips top Y position)
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6912 edi=00ba691e
eip=73b723bd esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000287
iccvid!CVDecompress+0x20f:
73b723bd 0faf4520        imul    eax,dword ptr [ebp+20h] ss:0023:025afd50=00000540 ; eax = 0x00000000,a7 = 0x540
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6912 edi=00ba691e
eip=73b723c1 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x213:
73b723c1 01451c          add     dword ptr [ebp+1Ch],eax ss:0023:025afd4c=0232f850 ; [(Strips bottom Y position)-(Strips top Y position)]*a7+a6,a6 = 0x0232f850
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6912 edi=00ba691e
eip=73b723c4 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x216:
73b723c4 ff45ec          inc     dword ptr [ebp-14h]  ss:0023:025afd1c=00000001 ; [ebp-14h]++,coded strip计数器,[ebp-14h] = 0x2
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6912 edi=00ba691e
eip=73b723c7 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x219:
73b723c7 8145fc00200000  add     dword ptr [ebp-4],2000h ss:0023:025afd2c=00002000 ; [ebp-4] = [ebp-4]+0x2000 = 0x4000,堆缓冲区指针偏移
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6912 edi=00ba691e
eip=73b723ce esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x220:
73b723ce 33ff            xor     edi,edi                                        ; edi = edi^edi = 0x00000000
0:013> p
eax=00000000 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6912 edi=00000000
eip=73b723d0 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x222:
73b723d0 8b45f8          mov     eax,dword ptr [ebp-8] ss:0023:025afd28=00000010 ; eax = [ebp-8] = 0x10,Size of strip data
0:013> p
eax=00000010 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6912 edi=00000000
eip=73b723d3 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x225:
73b723d3 0145f4          add     dword ptr [ebp-0Ch],eax ss:0023:025afd24=00ba6912 ; [ebp-0Ch] = 0x00ba6912+0x10 = 0x00ba6922,指向第3个Strip Header，eax为Size of strip data
0:013> p
eax=00000010 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6912 edi=00000000
eip=73b723d6 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x228:
73b723d6 2945f0          sub     dword ptr [ebp-10h],eax ss:0023:025afd20=0000004e ; [ebp-10h] = 3e,[ebp-10h]为未解压缩的数据长度，开始时等于PoC中cinepak_codec_data2和idx_tag字节数之和,这里算出剩余未解压缩的数据长度
0:013> p
eax=00000010 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6912 edi=00000000
eip=73b723d9 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0x22b:
73b723d9 03f0            add     esi,eax                                        ; esi指向第2个Strip Header，eax为Size of strip data，这里移动数据指针,指向第3个Strip Header
0:013> p
eax=00000010 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6922 edi=00000000
eip=73b723db esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x22d:
73b723db 8b45e4          mov     eax,dword ptr [ebp-1Ch] ss:0023:025afd14=00000010 ; eax = [ebp-1Ch] = 0x10,Number of coded strips
0:013> p
eax=00000010 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6922 edi=00000000
eip=73b723de esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x230:
73b723de 3945ec          cmp     dword ptr [ebp-14h],eax ss:0023:025afd1c=00000002 ; [ebp-14h]为coded strips计数器,eax为Number of coded strips
0:013> p
eax=00000010 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6922 edi=00000000
eip=73b723e1 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000283
iccvid!CVDecompress+0x233:
73b723e1 8975e8          mov     dword ptr [ebp-18h],esi ss:0023:025afd18=00ba691e ; [ebp-18h] = esi = 0x00ba6922,指向第3个Strip Header
0:013> p
eax=00000010 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6922 edi=00000000
eip=73b723e4 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000283
iccvid!CVDecompress+0x236:
73b723e4 0f8c59feffff    jl      iccvid!CVDecompress+0x95 (73b72243)     [br=1] ; 小于则跳转，这里跳转

----------------------------------------------------------------------------------------------------------------------------

0:013> p
eax=00000010 ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6922 edi=00000000
eip=73b72243 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000283
iccvid!CVDecompress+0x95:
73b72243 8b45f0          mov     eax,dword ptr [ebp-10h] ss:0023:025afd20=0000003e ; [ebp-10h]为剩余未解压缩的数据长度
0:013> p
eax=0000003e ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6922 edi=00000000
eip=73b72246 esp=025afd04 ebp=025afd30 iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000283
iccvid!CVDecompress+0x98:
73b72246 83f816          cmp     eax,16h                                        ; 判断未解压的数据长度是否小于0x16
0:013> p
eax=0000003e ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6922 edi=00000000
eip=73b72249 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x9b:
73b72249 0f829b010000    jb      iccvid!CVDecompress+0x23c (73b723ea)    [br=0] ; 小于则跳转，这里不跳转
0:013> p
eax=0000003e ebx=001535b0 ecx=00ba691e edx=00414141 esi=00ba6922 edi=00000000
eip=73b7224f esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xa1:
73b7224f 0fb65603        movzx   edx,byte ptr [esi+3]       ds:0023:00ba6925=10 ; edx = 0x10,第3个Size of strip data的低位字节
0:013> p
eax=0000003e ebx=001535b0 ecx=00ba691e edx=00000010 esi=00ba6922 edi=00000000
eip=73b72253 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xa5:
73b72253 33c9            xor     ecx,ecx                                        ; ecx = ecx^ecx = 0x00000000
0:013> p
eax=0000003e ebx=001535b0 ecx=00000000 edx=00000010 esi=00ba6922 edi=00000000
eip=73b72255 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xa7:
73b72255 8a6e01          mov     ch,byte ptr [esi+1]        ds:0023:00ba6923=00 ; ch = 0x00,第3个Strip CVID ID的低位字节
0:013> p
eax=0000003e ebx=001535b0 ecx=00000000 edx=00000010 esi=00ba6922 edi=00000000
eip=73b72258 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xaa:
73b72258 8a4e02          mov     cl,byte ptr [esi+2]        ds:0023:00ba6924=00 ; cl = 0x00,第3个Size of strip data的高位字节
0:013> p
eax=0000003e ebx=001535b0 ecx=00000000 edx=00000010 esi=00ba6922 edi=00000000
eip=73b7225b esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xad:
73b7225b c1e108          shl     ecx,8                                          ; ecx = 0x00000000,左移8位
0:013> p
eax=0000003e ebx=001535b0 ecx=00000000 edx=00000010 esi=00ba6922 edi=00000000
eip=73b7225e esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xb0:
73b7225e 0bca            or      ecx,edx                                        ; 以大端读取Size of strip data
0:013> p
eax=0000003e ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6922 edi=00000000
eip=73b72260 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0xb2:
73b72260 3bc1            cmp     eax,ecx                                        ; 判断剩余未解压缩的数据长度是否大于Size of strip data
0:013> p
eax=0000003e ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6922 edi=00000000
eip=73b72262 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xb4:
73b72262 894df8          mov     dword ptr [ebp-8],ecx ss:0023:025afd28=00000010 ; [ebp-8] = ecx = 0x10,Size of strip data
0:013> p
eax=0000003e ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6922 edi=00000000
eip=73b72265 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xb7:
73b72265 0f827f010000    jb      iccvid!CVDecompress+0x23c (73b723ea)    [br=0] ; 小于则跳转，这里不跳转
0:013> p
eax=0000003e ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6922 edi=00000000
eip=73b7226b esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xbd:
73b7226b 8a06            mov     al,byte ptr [esi]          ds:0023:00ba6922=11 ; al = 0x11,Strip CVID ID的高位字节
0:013> p
eax=00000011 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6922 edi=00000000
eip=73b7226d esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xbf:
73b7226d 3c10            cmp     al,10h                                         ; 判断Strip CVID ID的高位字节是否为0x10
0:013> p
eax=00000011 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6922 edi=00000000
eip=73b7226f esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0xc1:
73b7226f 7408            je      iccvid!CVDecompress+0xcb (73b72279)     [br=0] ; 相等则跳转，这里不跳转
0:013> p
eax=00000011 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6922 edi=00000000
eip=73b72271 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
iccvid!CVDecompress+0xc3:
73b72271 3c11            cmp     al,11h                                         ; 判断Strip CVID ID的高位字节是否为0x11
0:013> p
eax=00000011 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6922 edi=00000000
eip=73b72273 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xc5:
73b72273 0f8557010000    jne     iccvid!CVDecompress+0x222 (73b723d0)    [br=0] ; 不相等则跳转，这里不跳转
0:013> p
eax=00000011 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6922 edi=00000000
eip=73b72279 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xcb:
73b72279 8d4508          lea     eax,[ebp+8]                                    ; eax = 0x025afd38,a1地址,a1 = 0x001535b0
0:013> p
eax=025afd38 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6922 edi=00000000
eip=73b7227c esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xce:
73b7227c 50              push    eax                                            ; arg3 = eax = 0x025afd38,保存Size of strip data减去Strip Header大小后的数据大小
0:013> p
eax=025afd38 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6922 edi=00000000
eip=73b7227d esp=025afd00 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xcf:
73b7227d 6a0c            push    0Ch                                            ; arg2 = 0xC,Strip Header大小
0:013> p
eax=025afd38 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6922 edi=00000000
eip=73b7227f esp=025afcfc ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xd1:
73b7227f ff75f8          push    dword ptr [ebp-8]    ss:0023:025afd28=00000010 ; arg1 = 0x10,Size of strip data
0:013> p
eax=025afd38 ebx=001535b0 ecx=00000010 edx=00000010 esi=00ba6922 edi=00000000
eip=73b72282 esp=025afcf8 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xd4:
73b72282 e8fffeffff      call    iccvid!ULongSub (73b72186)                     ; 如果arg1>=arg2,则返回0,且计算出Size of strip data减去Strip Header的大小后,剩余的数据大小,否则返回一个负数
0:013> p
eax=00000000 ebx=001535b0 ecx=00000004 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b72287 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xd9:
73b72287 85c0            test    eax,eax                                        ; eax = 0x0
0:013> p
eax=00000000 ebx=001535b0 ecx=00000004 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b72289 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xdb:
73b72289 0f8c65010000    jl      iccvid!CVDecompress+0x246 (73b723f4)    [br=0] ; 小于则跳转，这里不跳转
0:013> p
eax=00000000 ebx=001535b0 ecx=00000004 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b7228f esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xe1:
73b7228f 33c0            xor     eax,eax                                        ; eax = eax^eax = 0x00000000
0:013> p
eax=00000000 ebx=001535b0 ecx=00000004 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b72291 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xe3:
73b72291 8a6608          mov     ah,byte ptr [esi+8]        ds:0023:00ba692a=41 ; ah = 0x41,Strips bottom Y position的高位字节
0:013> p
eax=00004100 ebx=001535b0 ecx=00000004 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b72294 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xe6:
73b72294 33c9            xor     ecx,ecx                                        ; ecx = ecx^ecx = 0x00000000
0:013> p
eax=00004100 ebx=001535b0 ecx=00000000 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b72296 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xe8:
73b72296 8a6e04          mov     ch,byte ptr [esi+4]        ds:0023:00ba6926=41 ; ch = 0x41,Strips top Y position的高位字节
0:013> p
eax=00004100 ebx=001535b0 ecx=00004100 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b72299 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xeb:
73b72299 8a4609          mov     al,byte ptr [esi+9]        ds:0023:00ba692b=41 ; al = 0x41,Strips bottom Y position的低位字节
0:013> p
eax=00004141 ebx=001535b0 ecx=00004100 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b7229c esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xee:
73b7229c 8a4e05          mov     cl,byte ptr [esi+5]        ds:0023:00ba6927=41 ; cl = 0x41,Strips top Y position的低位字节
0:013> p
eax=00004141 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b7229f esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xf1:
73b7229f 2bc1            sub     eax,ecx                        ; (Strips bottom Y position)-(Strips top Y position)
0:013> p
eax=00000000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b722a1 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0xf3:
73b722a1 660faf432e      imul    ax,word ptr [ebx+2Eh]    ds:0023:001535de=0001 ; ebx = a1 = 0x001535b0,[(Strips bottom Y position)-(Strips top Y position)]*1
0:013> p
eax=00000000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b722a6 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xf8:
73b722a6 89450c          mov     dword ptr [ebp+0Ch],eax ss:0023:025afd3c=00000000 ; a2 = eax = 0x00000000 = [(Strips bottom Y position)-(Strips top Y position)]*1
0:013> p
eax=00000000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b722a9 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206 ; 
iccvid!CVDecompress+0xfb:
73b722a9 8b45fc          mov     eax,dword ptr [ebp-4] ss:0023:025afd2c=00004000 ; eax = [ebp-4] = 0x4000,堆缓冲区指针偏移
0:013> p
eax=00004000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b722ac esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0xfe:
73b722ac 3bc7            cmp     eax,edi                                        ; 判断局部变量[ebp-4]是否为0
0:013> p
eax=00004000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b722ae esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x100:
73b722ae 7421            je      iccvid!CVDecompress+0x123 (73b722d1)    [br=0] ; 为0则跳转，这里不跳转
0:013> p
eax=00004000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b722b0 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
iccvid!CVDecompress+0x102:
73b722b0 807d1300        cmp     byte ptr [ebp+13h],0       ss:0023:025afd43=00 ; 判断a3(Len_of_CVID_data)的最高字节是否为0,Frame Header的Flags
0:013> p
eax=00004000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b722b4 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x106:
73b722b4 751b            jne     iccvid!CVDecompress+0x123 (73b722d1)    [br=0] ; 不相等则跳转，这里不跳转
0:013> p
eax=00004000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b722b6 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x108:
73b722b6 803e11          cmp     byte ptr [esi],11h         ds:0023:00ba6922=11 ; 判断Strip CVID ID的高位字节是否为0x11
0:013> p
eax=00004000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b722b9 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x10b:
73b722b9 7516            jne     iccvid!CVDecompress+0x123 (73b722d1)    [br=0] ; 不等于则跳转，这里不跳转
0:013> p
eax=00004000 ebx=001535b0 ecx=00004141 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b722bb esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x10d:
73b722bb 8b4b1c          mov     ecx,dword ptr [ebx+1Ch] ds:0023:001535cc=001535f8 ; ebx = a1 = 001535b0,ecx = 0x001535f8,堆块数据区域首指针
0:013> p
eax=00004000 ebx=001535b0 ecx=001535f8 edx=025afd38 esi=00ba6922 edi=00000000
eip=73b722be esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x110:
73b722be 8d3c01          lea     edi,[ecx+eax]                                  ; edi = 0x001575f8,堆块数据区域指针增加0x4000
0:013> p
eax=00004000 ebx=001535b0 ecx=001535f8 edx=025afd38 esi=00ba6922 edi=001575f8
eip=73b722c1 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x113:
73b722c1 b900080000      mov     ecx,800h                                       ; ecx = 0x800,复制数据长度
0:013> p
eax=00004000 ebx=001535b0 ecx=00000800 edx=025afd38 esi=00ba6922 edi=001575f8
eip=73b722c6 esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x118:
73b722c6 8db700e0ffff    lea     esi,[edi-2000h]                                ; esi = 0x001555f8,堆块数据区域指针
0:013> p
eax=00004000 ebx=001535b0 ecx=00000800 edx=025afd38 esi=001555f8 edi=001575f8
eip=73b722cc esp=025afd04 ebp=025afd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x11e:
73b722cc f3a5            rep movs dword ptr es:[edi],dword ptr [esi]            ; 第2次复制数据
0:013> !heap -p -a edi
    address 001575f8 found in
    _HEAP @ 90000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        001535f0 0c01 0000  [01]   001535f8    06000 - (busy)