
CRYPT32!CryptMsgUpdate function analysis: the role of the two CRYPT32!PkiAsn1Decode calls


Part 1:

1: kd> kc
#
00 CRYPT32!CryptMsgUpdate
01 WINTRUST!_GetMessage
02 WINTRUST!SoftpubLoadMessage
03 WINTRUST!_VerifyTrust
04 WINTRUST!WinVerifyTrust
05 sfc_os!SfcValidateFileSignature
06 sfc_os!SfcGetValidationData
07 sfc_os!SfcValidateDLL
08 sfc_os!SfcQueueValidationThread
09 kernel32!BaseThreadStart
1: kd> dv
hCryptMsg = 0x016e7290
pbData = 0x01e00020 "0???"
cbData = 0x96934
fFinal = 0n1
dwError = 0xffffffff
fRet = 0n0
pci = 0x75c6fc74
Asn1Err = 0n272 (No matching enumerant)
cb = 0x75c9d114
pDec = 0x007cffdc
pb = 0x75c25e20 "???"
lth = 0n8186136
1: kd> dt CRYPT_MSG_INFO 0x016e7290
CRYPT32!CRYPT_MSG_INFO
+0x000 CriticalSection  : _RTL_CRITICAL_SECTION
+0x018 fInitializedCriticalSection : 0n1
+0x01c lRefCnt          : 0n1
+0x020 hCryptProv       : 0x1232758
+0x024 fDefaultCryptProv : 0n1
+0x028 dwKeySpec        : 0
+0x02c dwEncodingType   : 0x10001
+0x030 dwMsgType        : 0
+0x034 dwFlags          : 0
+0x038 pvMsg            : (null)
+0x03c fEncoding        : 0n0
+0x040 dwPhase          : 2
+0x044 pszInnerContentObjID : (null)
+0x048 psdi             : (null)
+0x04c fDetached        : 0n0
+0x050 pHashList        : (null)
+0x054 cSignerEncodeDataInfo : 0
+0x058 rgSignerEncodeDataInfo : (null)
+0x05c hkeyContentCrypt : 0
+0x060 hCryptProvContentCrypt : 0
+0x064 Plaintext        : _CRYPTOAPI_BLOB
+0x06c dwDecryptedRecipientIndex : 0
+0x070 dwDecryptedRecipientEncryptedKeyIndex : 0
+0x074 pStreamInfo      : (null)
+0x078 aflStream        : 0
+0x07c aflDecode        : 0
+0x080 fStreamCallbackOutput : 0n0
+0x084 fStreamContentExtracted : 0n0
+0x088 bufDecode        : _ICM_BUFFER
+0x098 bufEncode        : _ICM_BUFFER
+0x0a8 bufOutput        : _ICM_BUFFER
+0x0b8 bufCrypt         : _ICM_BUFFER
+0x0c8 bufPendingCrypt  : _ICM_BUFFER
+0x0d8 cbBlockSize      : 0
+0x0dc fBlockCipher     : 0n0
+0x0e0 cEndNullPairs    : 0
+0x0e4 cInnerNullPairs  : 0
+0x0e8 cLevelIndefiniteInner : 0
+0x0ec cbDefiniteRemain : 0
+0x0f0 cbContentInfo    : 0
+0x0f4 pooid            : (null)
+0x0f8 aflOuter         : 0
+0x0fc aflInner         : 0
+0x100 plDecodeInfo     : (null)
+0x104 pCertificateList : (null)
+0x108 pCrlList         : (null)
+0x10c pFreeList        : (null)

if ((PHASE_FIRST_FINAL == pcmi->dwPhase) &&
        (0 == pcmi->dwMsgType)) {
    if (0 != (Asn1Err = PkiAsn1Decode(
            pDec,
            (void **)&pci,
            ContentInfoNC_PDU,
            pbData,
            cbData)))


1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!ASN1decoding_s *)0x12337d0)
((CRYPT32!ASN1decoding_s *)0x12337d0)                 : 0x12337d0 [Type: ASN1decoding_s *]
[+0x000] magic            : 0x44434544 [Type: unsigned long]
[+0x004] version          : 0x0 [Type: unsigned long]
[+0x008] module           : 0x75788 [Type: tagASN1module_t *]
[+0x00c] buf              : 0x16cdde1 : 0x30 [Type: unsigned char *]
[+0x010] size             : 0xb [Type: unsigned long]
[+0x014] len              : 0xb [Type: unsigned long]
[+0x018] err              : ASN1_SUCCESS (0) [Type: tagASN1error_e]
[+0x01c] bit              : 0x0 [Type: unsigned long]
[+0x020] pos              : 0x16cddec : 0xa0 [Type: unsigned char *]
[+0x024] eRule            : ASN1_BER_RULE_DER (1024) [Type: ASN1encodingrule_e]
[+0x028] dwFlags          : 0x1000 [Type: unsigned long]


1: kd> db 0x16cdde1
016cdde1  30 09 06 05 2b 0e 03 02-1a 05 00 a0 81 af 30 18  0...+.........0.
016cddf1  06 09 2a 86 48 86 f7 0d-01 09 03 31 0b 06 09 2b  ..*.H......1...+
016cde01  06 01 04 01 82 37 0a 01-30 1c 06 0a 2b 06 01 04  .....7..0...+...

1: kd> g
Breakpoint 35 hit
CRYPT32!PkiAsn1Decode:
001b:75c9af0c 55              push    ebp
1: kd> dv
pDec = 0x012337d0
ppvAsn1Info = 0x007ce944
id = 0x13
pbEncoded = 0x01e00020 "0???"
cbEncoded = 0x96934


1: kd> g
Breakpoint 36 hit
MSASN1!ASN1_Decode:
001b:75bf7d82 55              push    ebp
1: kd> g
Breakpoint 40 hit
MSASN1!ASN1_Decode+0xe8:
001b:75bf7e6a ffd1            call    ecx
1: kd> r
eax=0007e950 ebx=00000000 ecx=75c7bc73 edx=0000004c esi=012337d0 edi=007ce944
eip=75bf7e6a esp=007ce8c4 ebp=007ce8dc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
MSASN1!ASN1_Decode+0xe8:
001b:75bf7e6a ffd1            call    ecx {CRYPT32!ASN1Dec_ContentInfoNC (75c7bc73)}

1: kd> dv
dec = 0x012337d0
valref = 0x007ce944
id = 0x13
flags = 0x4c
pbBuf = 0x01e00020 "0???"
cbBufSize = 0x96934
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((MSASN1!ASN1decoding_s *)0x12337d0)
((MSASN1!ASN1decoding_s *)0x12337d0)                 : 0x12337d0 [Type: ASN1decoding_s *]
[+0x000] magic            : 0x44434544 [Type: unsigned long]
[+0x004] version          : 0x0 [Type: unsigned long]
[+0x008] module           : 0x75788 [Type: tagASN1module_t *]
[+0x00c] buf              : 0x1e00020 : 0x30 [Type: unsigned char *]
[+0x010] size             : 0x96934 [Type: unsigned long]
[+0x014] len              : 0x0 [Type: unsigned long]
[+0x018] err              : ASN1_SUCCESS (0) [Type: tagASN1error_e]
[+0x01c] bit              : 0x0 [Type: unsigned long]
[+0x020] pos              : 0x1e00020 : 0x30 [Type: unsigned char *]
[+0x024] eRule            : ASN1_BER_RULE_DER (1024) [Type: ASN1encodingrule_e]
[+0x028] dwFlags          : 0x1000 [Type: unsigned long]


1: kd> ?0x96934
Evaluate expression: 616756 = 00096934


0000: 30 83 09 69 2f                            ; SEQUENCE (9692f Bytes)
0005:    06 09   


1: kd> t
Breakpoint 38 hit
CRYPT32!ASN1Dec_ContentInfoNC:
001b:75c7bc73 55              push    ebp
1: kd> dv
dec = 0x012337d0
tag = 0
val = 0x0007e950
di0 = 0x00000040 "--- memory read error at address 0x00000040 ---"
t = 0x50
dd = 0x00000000
di = 0x75bf8654 "???"
dd0 = 0x007ce944
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!ContentInfoNC *)0x7e950)
((CRYPT32!ContentInfoNC *)0x7e950)                 : 0x7e950 [Type: ContentInfoNC *]
[+0x000] bit_mask         : 0x0 [Type: unsigned short]
[+0x000] o                [Type: unsigned char [1]]
[+0x004] contentType      [Type: tagASN1objectidentifier2_t]
[+0x048] content          [Type: tagASN1open_t]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!ASN1decoding_s *)0x12337d0)
((CRYPT32!ASN1decoding_s *)0x12337d0)                 : 0x12337d0 [Type: ASN1decoding_s *]
[+0x000] magic            : 0x44434544 [Type: unsigned long]
[+0x004] version          : 0x0 [Type: unsigned long]
[+0x008] module           : 0x75788 [Type: tagASN1module_t *]
[+0x00c] buf              : 0x1e00020 : 0x30 [Type: unsigned char *]
[+0x010] size             : 0x96934 [Type: unsigned long]
[+0x014] len              : 0x0 [Type: unsigned long]
[+0x018] err              : ASN1_SUCCESS (0) [Type: tagASN1error_e]
[+0x01c] bit              : 0x0 [Type: unsigned long]
[+0x020] pos              : 0x1e00020 : 0x30 [Type: unsigned char *]
[+0x024] eRule            : ASN1_BER_RULE_DER (1024) [Type: ASN1encodingrule_e]
[+0x028] dwFlags          : 0x1000 [Type: unsigned long]


1: kd> gu
Breakpoint 41 hit
MSASN1!ASN1_Decode+0xea:
001b:75bf7e6c 85c0            test    eax,eax
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!ContentInfoNC *)0x7e950)
((CRYPT32!ContentInfoNC *)0x7e950)                 : 0x7e950 [Type: ContentInfoNC *]
[+0x000] bit_mask         : 0x80 [Type: unsigned short]
[+0x000] o                [Type: unsigned char [1]]
[+0x004] contentType      [Type: tagASN1objectidentifier2_t]
[+0x048] content          [Type: tagASN1open_t]

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!tagASN1objectidentifier2_t *)0x7e954))
(*((CRYPT32!tagASN1objectidentifier2_t *)0x7e954))                 [Type: tagASN1objectidentifier2_t]
[+0x000] count            : 0x7 [Type: unsigned short]
[+0x004] value            [Type: unsigned long [16]]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!unsigned long (*)[16])0x7e958))
(*((CRYPT32!unsigned long (*)[16])0x7e958))                 [Type: unsigned long [16]]
[0]              : 0x1 [Type: unsigned long]
[1]              : 0x2 [Type: unsigned long]
[2]              : 0x348 [Type: unsigned long]
[3]              : 0x1bb8d [Type: unsigned long]
[4]              : 0x1 [Type: unsigned long]
[5]              : 0x7 [Type: unsigned long]
[6]              : 0x2 [Type: unsigned long]
[7]              : 0x0 [Type: unsigned long]
[8]              : 0x0 [Type: unsigned long]
[9]              : 0x0 [Type: unsigned long]

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!tagASN1open_t *)0x7e998))
(*((CRYPT32!tagASN1open_t *)0x7e998))                 [Type: tagASN1open_t]
[+0x000] length           : 0x9691f [Type: unsigned long]
[+0x004] encoded          : 0x1e00035 [Type: void *]
[+0x004] value            : 0x1e00035 [Type: void *]
1: kd> db 0x1e00035
01e00035  30 83 09 69 1a 02 01 01-31 0b 30 09 06 05 2b 0e  0..i....1.0...+.
01e00045  03 02 1a 05 00 30 83 09-57 31 06 09 2b 06 01 04  .....0..W1..+...
01e00055  01 82 37 0a 01 a0 83 09-57 21 30 83 09 57 1c 30  ..7.....W!0..W.0
01e00065  0c 06 0a 2b 06 01 04 01-82 37 0c 01 01 04 10 bb  ...+.....7......
01e00075  fd 30 fb 6f a3 d9 40 82-26 85 87 87 cd 89 4b 17  .0.o..@.&.....K.
01e00085  0d 32 34 30 39 31 35 30-33 34 35 30 36 5a 30 0e  .240915034506Z0.
01e00095  06 0a 2b 06 01 04 01 82-37 0c 01 02 05 00 30 83  ..+.....7.....0.
01e000a5  09 56 a0 30 82 01 1e 04-52 30 00 30 00 32 00 45  .V.0....R0.0.2.E

1: kd> ?0x9691f
Evaluate expression: 616735 = 0009691f

968b1: 04 81 80                                 ; OCTET_STRING (80 Bytes)
968b4:    04 a8 e6 96 c0 a2 40 f0  5c f0 6e 19 9e cb 8c da  ; ......@.\.n.....
968c4:    5d 0b b6 5d 1b 5e 77 e8  05 bb 8d 0c 1e a2 b0 3e  ; ]..].^w........>
968d4:    af 4b 0a 98 fc 14 1c 75  54 92 5a bb ef 40 98 ff  ; .K.....uT.Z..@..
968e4:    51 9b 0f f4 34 25 53 1e  5a da c9 05 62 57 91 90  ; Q...4%S.Z...bW..
968f4:    fe 6b 2d 5c 62 8c 8a df  97 98 c7 85 0a ba 10 d2  ; .k-\b...........
96904:    00 e7 93 96 ef ca 8f 49  e8 5d a4 16 8d 62 92 4d  ; .......I.]...b.M
96914:    9f 68 ff 48 3c b1 f3 a8  bc 14 c5 40 d2 e1 49 7b  ; .h.H<......@..I{
96924:    48 8e 35 1b 71 2e 79 ff  f3 20 67 87 4b fc 5b b4  ; H.5.q.y.. g.K.[.

1: kd> db 0x1e00035+0x9691f
01e96954  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01e96964  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01e96974  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01e96984  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01e96994  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01e969a4  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01e969b4  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01e969c4  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
1: kd> db 0x1e00035+0x9691f-80
01e968d4  04 a8 e6 96 c0 a2 40 f0-5c f0 6e 19 9e cb 8c da  ......@.\.n.....
01e968e4  5d 0b b6 5d 1b 5e 77 e8-05 bb 8d 0c 1e a2 b0 3e  ]..].^w........>
01e968f4  af 4b 0a 98 fc 14 1c 75-54 92 5a bb ef 40 98 ff  .K.....uT.Z..@..
01e96904  51 9b 0f f4 34 25 53 1e-5a da c9 05 62 57 91 90  Q...4%S.Z...bW..
01e96914  fe 6b 2d 5c 62 8c 8a df-97 98 c7 85 0a ba 10 d2  .k-\b...........
01e96924  00 e7 93 96 ef ca 8f 49-e8 5d a4 16 8d 62 92 4d  .......I.]...b.M
01e96934  9f 68 ff 48 3c b1 f3 a8-bc 14 c5 40 d2 e1 49 7b  .h.H<......@..I{
01e96944  48 8e 35 1b 71 2e 79 ff-f3 20 67 87 4b fc 5b b4  H.5.q.y.. g.K.[.


Start: 0x1e00020
End: 0x1e00035+0x9691f

Part 2:


1: kd> gu
CRYPT32!PkiAsn1Decode+0x1e:
001b:75c9af2a 85c0            test    eax,eax
1: kd> dv
pDec = 0x012337d0
ppvAsn1Info = 0x007ce944
id = 0x13
pbEncoded = 0x01e00020 "0???"
cbEncoded = 0x96934


if ((PHASE_FIRST_FINAL == pcmi->dwPhase) &&
        (0 == pcmi->dwMsgType)) {
    if (0 != (Asn1Err = PkiAsn1Decode(
            pDec,
            (void **)&pci,
            ContentInfoNC_PDU,
            pbData,
            cbData)))        // execution returns to here


1: kd> dt CRYPT_MSG_INFO 0x016e7290
CRYPT32!CRYPT_MSG_INFO
+0x000 CriticalSection  : _RTL_CRITICAL_SECTION
+0x018 fInitializedCriticalSection : 0n1
+0x01c lRefCnt          : 0n1
+0x020 hCryptProv       : 0x1232758
+0x024 fDefaultCryptProv : 0n1
+0x028 dwKeySpec        : 0
+0x02c dwEncodingType   : 0x10001
+0x030 dwMsgType        : 0

if (0 == (lth = ICM_ObjIdToIndex( &pci->contentType)))    // key code 1
    goto InvalidMsgType;
pcmi->dwMsgType = (DWORD)lth;                // key code 2


/* Returns the 1-based index of the matching entry in aoidMessages,
   or 0 if no entry matches. */
LONG
WINAPI
ICM_ObjIdToIndex(
    IN ObjectID *poi)
{
    LONG    i;
    LONG    j;

    for (i=COUNTOF_aoidMessages; i>0; i--) {
        if (aoidMessages[i-1].count == poi->count) {
            for (j=poi->count; j>0; j--)
                if (poi->value[j-1] != aoidMessages[i-1].value[j-1])
                    goto next;
            break;
        }
next:
        ;
    }

    return i;
}


1: kd> p
CRYPT32!CryptMsgUpdate+0x1ff:
001b:75c79e19 894630          mov     dword ptr [esi+30h],eax
1: kd> r
eax=00000002


1: kd> x CRYPT32!aoidMessages
75ca73b8          CRYPT32!aoidMessages = struct tagASN1objectidentifier2_t [7]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!tagASN1objectidentifier2_t (*)[7])0x75ca73b8))
(*((CRYPT32!tagASN1objectidentifier2_t (*)[7])0x75ca73b8))                 [Type: tagASN1objectidentifier2_t [7]]
[0]              [Type: tagASN1objectidentifier2_t]
[1]              [Type: tagASN1objectidentifier2_t]
[2]              [Type: tagASN1objectidentifier2_t]
[3]              [Type: tagASN1objectidentifier2_t]
[4]              [Type: tagASN1objectidentifier2_t]
[5]              [Type: tagASN1objectidentifier2_t]
[6]              [Type: tagASN1objectidentifier2_t]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!tagASN1objectidentifier2_t *)0x75ca73b8))
(*((CRYPT32!tagASN1objectidentifier2_t *)0x75ca73b8))                 [Type: tagASN1objectidentifier2_t]
[+0x000] count            : 0x7 [Type: unsigned short]
[+0x004] value            [Type: unsigned long [16]]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!unsigned long (*)[16])0x75ca73bc))
(*((CRYPT32!unsigned long (*)[16])0x75ca73bc))                 [Type: unsigned long [16]]
[0]              : 0x1 [Type: unsigned long]
[1]              : 0x2 [Type: unsigned long]
[2]              : 0x348 [Type: unsigned long]
[3]              : 0x1bb8d [Type: unsigned long]
[4]              : 0x1 [Type: unsigned long]
[5]              : 0x7 [Type: unsigned long]
[6]              : 0x1 [Type: unsigned long]
[7]              : 0x0 [Type: unsigned long]
[8]              : 0x0 [Type: unsigned long]
[9]              : 0x0 [Type: unsigned long]
[10]             : 0x0 [Type: unsigned long]
[11]             : 0x0 [Type: unsigned long]
[12]             : 0x0 [Type: unsigned long]
[13]             : 0x0 [Type: unsigned long]
[14]             : 0x0 [Type: unsigned long]
[15]             : 0x0 [Type: unsigned long]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!tagASN1objectidentifier2_t *)0x75ca73fc))
(*((CRYPT32!tagASN1objectidentifier2_t *)0x75ca73fc))                 [Type: tagASN1objectidentifier2_t]
[+0x000] count            : 0x7 [Type: unsigned short]
[+0x004] value            [Type: unsigned long [16]]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!unsigned long (*)[16])0x75ca7400))
(*((CRYPT32!unsigned long (*)[16])0x75ca7400))                 [Type: unsigned long [16]]
[0]              : 0x1 [Type: unsigned long]
[1]              : 0x2 [Type: unsigned long]
[2]              : 0x348 [Type: unsigned long]
[3]              : 0x1bb8d [Type: unsigned long]
[4]              : 0x1 [Type: unsigned long]
[5]              : 0x7 [Type: unsigned long]
[6]              : 0x2 [Type: unsigned long]
[7]              : 0x0 [Type: unsigned long]
[8]              : 0x0 [Type: unsigned long]
[9]              : 0x0 [Type: unsigned long]
[10]             : 0x0 [Type: unsigned long]
[11]             : 0x0 [Type: unsigned long]
[12]             : 0x0 [Type: unsigned long]
[13]             : 0x0 [Type: unsigned long]
[14]             : 0x0 [Type: unsigned long]
[15]             : 0x0 [Type: unsigned long]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!tagASN1objectidentifier2_t *)0x75ca7440))
(*((CRYPT32!tagASN1objectidentifier2_t *)0x75ca7440))                 [Type: tagASN1objectidentifier2_t]
[+0x000] count            : 0x7 [Type: unsigned short]
[+0x004] value            [Type: unsigned long [16]]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!unsigned long (*)[16])0x75ca7444))
(*((CRYPT32!unsigned long (*)[16])0x75ca7444))                 [Type: unsigned long [16]]
[0]              : 0x1 [Type: unsigned long]
[1]              : 0x2 [Type: unsigned long]
[2]              : 0x348 [Type: unsigned long]
[3]              : 0x1bb8d [Type: unsigned long]
[4]              : 0x1 [Type: unsigned long]
[5]              : 0x7 [Type: unsigned long]
[6]              : 0x3 [Type: unsigned long]
[7]              : 0x0 [Type: unsigned long]
[8]              : 0x0 [Type: unsigned long]
[9]              : 0x0 [Type: unsigned long]
[10]             : 0x0 [Type: unsigned long]
[11]             : 0x0 [Type: unsigned long]

1: kd> dv
hCryptMsg = 0x016e7290
pbData = 0x01e00020 "0???"
cbData = 0x96934
fFinal = 0n1
dwError = 0
fRet = 0n0
pci = 0x0007e950
Asn1Err = ASN1_SUCCESS (0n0)
cb = 0x75c9d114
pDec = 0x012337d0
pb = 0x75c25e20 "???"
lth = 0n2

pb = (PBYTE)pci->content.value;
cb = pci->content.length;

1: kd> dv
hCryptMsg = 0x016e7290
pbData = 0x01e00020 "0???"
cbData = 0x96934
fFinal = 0n1
dwError = 0
fRet = 0n0
pci = 0x0007e950
Asn1Err = ASN1_SUCCESS (0n0)
cb = 0x9691f            cb = 0x9691f
pDec = 0x012337d0
pb = 0x01e00035 "0???"        pb = 0x01e00035    
lth = 0n2


switch (pcmi->dwMsgType) {
    case CMSG_DATA:
        fRet = ICM_UpdateDecodingData( pcmi, pb, cb);
        break;
    case CMSG_SIGNED:
        fRet = ICM_UpdateDecodingSignedData( pcmi, pb, cb);
        break;


D:\srv03rtm\public/sdk/inc/wincrypt.h:4883:#define CMSG_SIGNED                  2

Part 3:


1: kd> p
CRYPT32!CryptMsgUpdate+0x28b:
001b:75c79ea5 e8f1faffff      call    CRYPT32!ICM_UpdateDecodingSignedData (75c7999b)
1: kd> t
CRYPT32!ICM_UpdateDecodingSignedData:
001b:75c7999b 6a2c            push    2Ch
1: kd> kc
#
00 CRYPT32!ICM_UpdateDecodingSignedData
01 CRYPT32!CryptMsgUpdate
02 WINTRUST!_GetMessage
03 WINTRUST!SoftpubLoadMessage
04 WINTRUST!_VerifyTrust
05 WINTRUST!WinVerifyTrust
06 sfc_os!SfcValidateFileSignature
07 sfc_os!SfcGetValidationData
08 sfc_os!SfcValidateDLL
09 sfc_os!SfcQueueValidationThread
0a kernel32!BaseThreadStart
1: kd> dv
pcmi = 0x016e7290
pbData = 0x01e00035 "0???"
cbData = 0x9691f


if (PHASE_FIRST_FINAL == pcmi->dwPhase) {
    if (0 != (Asn1Err = PkiAsn1Decode(
            pDec,
            (void **)&psdb,
            SignedDataWithBlobs_PDU,
            pbData,
            cbData)))

1: kd> t
Breakpoint 35 hit
CRYPT32!PkiAsn1Decode:
001b:75c9af0c 55              push    ebp
1: kd> kc
#
00 CRYPT32!PkiAsn1Decode
01 CRYPT32!ICM_UpdateDecodingSignedData
02 CRYPT32!CryptMsgUpdate
03 WINTRUST!_GetMessage
04 WINTRUST!SoftpubLoadMessage
05 WINTRUST!_VerifyTrust
06 WINTRUST!WinVerifyTrust
07 sfc_os!SfcValidateFileSignature
08 sfc_os!SfcGetValidationData
09 sfc_os!SfcValidateDLL
0a sfc_os!SfcQueueValidationThread
0b kernel32!BaseThreadStart
1: kd> dv
pDec = 0x012337d0
ppvAsn1Info = 0x007ce8e0
id = 0x2a
pbEncoded = 0x01e00035 "0???"
cbEncoded = 0x9691f

1: kd> g
Breakpoint 36 hit
MSASN1!ASN1_Decode:
001b:75bf7d82 55              push    ebp
1: kd> dv
dec = 0x012337d0
valref = 0x007ce8e0
id = 0x2a
flags = 8
pbBuf = 0x01e00035 "0???"
cbBufSize = 0x9691f
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((MSASN1!ASN1decoding_s *)0x12337d0)
((MSASN1!ASN1decoding_s *)0x12337d0)                 : 0x12337d0 [Type: ASN1decoding_s *]
[+0x000] magic            : 0x44434544 [Type: unsigned long]
[+0x004] version          : 0x0 [Type: unsigned long]
[+0x008] module           : 0x75788 [Type: tagASN1module_t *]
[+0x00c] buf              : 0x1e00020 : 0x30 [Type: unsigned char *]
[+0x010] size             : 0x96934 [Type: unsigned long]
[+0x014] len              : 0x96934 [Type: unsigned long]
[+0x018] err              : ASN1_SUCCESS (0) [Type: tagASN1error_e]
[+0x01c] bit              : 0x0 [Type: unsigned long]
[+0x020] pos              : 0x1e96954 : 0x0 [Type: unsigned char *]
[+0x024] eRule            : ASN1_BER_RULE_DER (1024) [Type: ASN1encodingrule_e]
[+0x028] dwFlags          : 0x1000 [Type: unsigned long]

1: kd> g
Breakpoint 40 hit
MSASN1!ASN1_Decode+0xe8:
001b:75bf7e6a ffd1            call    ecx
1: kd> r
eax=0007ea60 ebx=00000000 ecx=75c7d29a edx=000000a8 esi=012337d0 edi=007ce8e0
eip=75bf7e6a esp=007ce868 ebp=007ce880 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
MSASN1!ASN1_Decode+0xe8:
001b:75bf7e6a ffd1            call    ecx {CRYPT32!ASN1Dec_SignedDataWithBlobs (75c7d29a)}

1: kd> dv
dec = 0x012337d0
tag = 0
val = 0x0007ea60

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!SignedDataWithBlobs *)0x7ea60)
((CRYPT32!SignedDataWithBlobs *)0x7ea60)                 : 0x7ea60 [Type: SignedDataWithBlobs *]
[+0x000] bit_mask         : 0x0 [Type: unsigned short]
[+0x000] o                [Type: unsigned char [1]]
[+0x004] version          : 0 [Type: long]
[+0x008] digestAlgorithms [Type: DigestAlgorithmIdentifiersNC]
[+0x010] contentInfo      [Type: ContentInfoNC]
[+0x060] certificates     [Type: CertificatesNC]
[+0x068] crls             [Type: CrlsNC]
[+0x070] signerInfos      [Type: SignerInfosNC]

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!SignedDataWithBlobs *)0x7ea60)
((CRYPT32!SignedDataWithBlobs *)0x7ea60)                 : 0x7ea60 [Type: SignedDataWithBlobs *]
[+0x000] bit_mask         : 0x0 [Type: unsigned short]
[+0x000] o                [Type: unsigned char [1]]
[+0x004] version          : 0 [Type: long]
[+0x008] digestAlgorithms [Type: DigestAlgorithmIdentifiersNC]

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!DigestAlgorithmIdentifiersNC *)0x7ea68))
(*((CRYPT32!DigestAlgorithmIdentifiersNC *)0x7ea68))                 [Type: DigestAlgorithmIdentifiersNC]
[+0x000] count            : 0x1 [Type: unsigned long]
[+0x004] value            : 0x12308d0 [Type: tagASN1open_t *]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!tagASN1open_t *)0x12308d0)
((CRYPT32!tagASN1open_t *)0x12308d0)                 : 0x12308d0 [Type: tagASN1open_t *]
[+0x000] length           : 0xb [Type: unsigned long]
[+0x004] encoded          : 0x1e0003f [Type: void *]
[+0x004] value            : 0x1e0003f [Type: void *]
1: kd> db 0x1e0003f
01e0003f  30 09 06 05 2b 0e 03 02-1a 05 00 30 83 09 57 31  0...+.            "sha1 (1.3.14.3.2.26)"


0000: 30 83 09 69 2f                            ; SEQUENCE (9692f Bytes)
0005:    06 09                                  ; OBJECT_IDENTIFIER (9 Bytes)
0007:    |  2a 86 48 86 f7 0d 01 07  02
         |     ; "PKCS 7 已签名 (1.2.840.113549.1.7.2)"
0010:    a0 83 09 69 1f                         ; CONTEXT_SPECIFIC (0) (9691f Bytes)
0015:       30 83 09 69 1a                      ; SEQUENCE (9691a Bytes)
001a:          02 01                            ; INTEGER (1 Bytes)
001c:          |  01
001d:          31 0b                            ; SET (b Bytes)
001f:          |  30 09                         ; SEQUENCE (9 Bytes)
0021:          |     06 05                      ; OBJECT_IDENTIFIER (5 Bytes)
0023:          |     |  2b 0e 03 02 1a
               |     |     ; "sha1 (1.3.14.3.2.26)"
0028:          |     05 00                      ; NULL (0 Bytes)
002a:          30 83 09 57 31                   ; SEQUENCE (95731 Bytes)

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!ASN1decoding_s *)0x730d0)
((CRYPT32!ASN1decoding_s *)0x730d0)                 : 0x730d0 [Type: ASN1decoding_s *]
[+0x000] magic            : 0x44434544 [Type: unsigned long]
[+0x004] version          : 0x0 [Type: unsigned long]
[+0x008] module           : 0x75788 [Type: tagASN1module_t *]
[+0x00c] buf              : 0x1e0003a : 0x2 [Type: unsigned char *]
[+0x010] size             : 0x9691a [Type: unsigned long]
[+0x014] len              : 0x0 [Type: unsigned long]
[+0x018] err              : ASN1_SUCCESS (0) [Type: tagASN1error_e]
[+0x01c] bit              : 0x0 [Type: unsigned long]
[+0x020] pos              : 0x1e0004a : 0x30 [Type: unsigned char *]
[+0x024] eRule            : ASN1_BER_RULE_DER (1024) [Type: ASN1encodingrule_e]
[+0x028] dwFlags          : 0x1008 [Type: unsigned long]

1: kd> dd 0x7ea60
0007ea60  00000000 00000001 00000001 012308d0
0007ea70  00000000 00000000 00000000 00000000
0007ea80  00000000 00000000 00000000 00000000
0007ea90  00000000 00000000 00000000 00000000
0007eaa0  00000000 00000000 00000000 00000000
0007eab0  00000000 00000000 00000000 00000000
0007eac0  00000000 00000000 00000000 00000000
0007ead0  00000000 00000000 0010000a 00000000
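
The first decode traced above, reduced to its DER arithmetic, as an added example (not CRYPT32 source and not code from the original post): it reads the outer ContentInfo header, decodes the contentType OID, maps it to a 1-based index the way ICM_ObjIdToIndex does, and returns the offset and length of the [0] content that the second decode (SignedDataWithBlobs) receives. The function names, the `known` table (only the three aoidMessages entries dumped on the page) and the zero-padded sample buffer are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

typedef struct { unsigned short count; unsigned long value[16]; } oid_t;
static const oid_t known[] = {   /* aoidMessages[0..2] as dumped on the page */
    {7, {1, 2, 840, 113549, 1, 7, 1}}, {7, {1, 2, 840, 113549, 1, 7, 2}},
    {7, {1, 2, 840, 113549, 1, 7, 3}} };

/* Read one DER tag/length header; returns its size, or 0 if malformed. */
static size_t der_header(const uint8_t *p, size_t n, uint8_t *tag, size_t *len) {
    if (n < 2 || (p[0] & 0x1f) == 0x1f) return 0;   /* no multi-byte tags */
    *tag = p[0];
    if (p[1] < 0x80) { *len = p[1]; return 2; }     /* short form */
    size_t k = p[1] & 0x7f, v = 0;
    if (k == 0 || k > 4 || n < 2 + k) return 0;     /* indefinite or oversized */
    for (size_t i = 0; i < k; i++) v = (v << 8) | p[2 + i];
    *len = v;
    return 2 + k;
}

/* Decode base-128 OID contents into at most 15 arcs; returns 1 on success. */
static int oid_decode(const uint8_t *p, size_t n, oid_t *o) {
    unsigned long v = 0;
    o->count = 0;
    if (n == 0 || (p[n - 1] & 0x80)) return 0;      /* empty or unterminated */
    for (size_t i = 0; i < n; i++) {
        if (v >> (sizeof v * 8 - 7) || o->count >= 15) return 0;
        v = (v << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) continue;                  /* more bytes in this arc */
        if (o->count == 0) {                        /* first value packs two arcs */
            o->value[o->count++] = v < 80 ? v / 40 : 2;
            v -= o->value[0] * 40;
        }
        o->value[o->count++] = v;
        v = 0;
    }
    return 1;
}

static long oid_to_index(const oid_t *o) {          /* 1-based, 0 = no match */
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (known[i].count == o->count &&
            !memcmp(known[i].value, o->value, o->count * sizeof o->value[0]))
            return (long)i + 1;
    return 0;
}

/* First decode: message type index (0 = unknown, -1 = malformed) plus [0] span. */
static long content_info_stage1(const uint8_t *buf, size_t cb, size_t *off, size_t *len) {
    uint8_t tag; size_t h, l, pos, end; oid_t oid;
    if (!(h = der_header(buf, cb, &tag, &l)) || tag != 0x30 || l > cb - h) return -1;
    pos = h; end = h + l;
    if (!(h = der_header(buf + pos, end - pos, &tag, &l)) || tag != 0x06 ||
        l > end - pos - h || !oid_decode(buf + pos + h, l, &oid)) return -1;
    pos += h + l;
    if (!(h = der_header(buf + pos, end - pos, &tag, &l)) || tag != 0xa0 ||
        l > end - pos - h) return -1;
    *off = pos + h; *len = l;
    return oid_to_index(&oid);
}

/* Constructed sample: the 29 header bytes shown on the page, zero-padded to cbData. */
static uint8_t sample[0x96934];
static const uint8_t *make_sample(void) {
    static const uint8_t hdr[] = {
        0x30,0x83,0x09,0x69,0x2f, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x02,
        0xa0,0x83,0x09,0x69,0x1f, 0x30,0x83,0x09,0x69,0x1a, 0x02,0x01,0x01 };
    memset(sample, 0, sizeof sample);
    memcpy(sample, hdr, sizeof hdr);
    return sample;
}
int main(void) {
    size_t off, len;
    return content_info_stage1(make_sample(), sizeof sample, &off, &len) == 2 ? 0 : 1;
}
```

On the sample the result matches the debugger values above: index 2 (CMSG_SIGNED), content at base+0x15 (0x1e00035 in the trace) with length 0x9691f.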
