Did some research on the internet and summarized it below:
//
// Runtime Checking
// Small Type Check (/RTCc)
//
/*
003A11F4 jmp _RTC_Check_2_to_1 (3A14A0h)
003A11F9 jmp _RTC_Check_8_to_1 (3A1600h)
003A11FE jmp _RTC_Check_8_to_2 (3A1670h)
003A1203 jmp _RTC_Check_8_to_4 (3A16B0h)
003A1208 jmp _RTC_Check_4_to_1 (3A15D0h)
003A120D jmp _RTC_Check_4_to_2 (3A1640h)
*/
char ch = 0;                            /* 1-byte destination */
short s = 0x101;                        /* 2-byte source; 0x101 cannot be represented in a char, so assigning it loses data */
ch = s;                                 /* short -> char narrowing: this is the conversion /RTCc instruments (presumably via _RTC_Check_2_to_1 in the listing above) */
[Note]: /RTCc checks whether data is lost when a value is converted to a smaller built-in type. The six _RTC_Check_* functions listed above do the actual checking.
//
// Uninitialized Variables (/RTCu)
//
/*
000D14A9 mov byte ptr [ebp-46h],0
000D14AD lea eax,[ch]
000D14B0 push eax
000D14B1 push offset string "%c" (0D5748h)
000D14B6 call dword ptr [__imp__scanf (0D82C0h)]
000D14BC add esp,8
000D14BF movsx eax,byte ptr [ch]
000D14C3 cmp eax,79h
000D14C6 jne wmain+33h (0D14D3h)
000D14C8 mov byte ptr [ebp-46h],1
000D14CC mov dword ptr [a],0Ah
000D14D3 cmp byte ptr [ebp-46h],0
000D14D7 jne wmain+46h (0D14E6h)
000D14D9 push offset (0D1501h)
000D14DE call @ILT+170(__RTC_UninitUse) (0D10AFh)
*/
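/*
 * /RTCu demonstration: `a` is deliberately left uninitialized so that one
 * input path reaches printf() without ever writing it. Do not "fix" this by
 * initializing `a` -- that would remove the condition the check is meant to catch.
 */
int a;                                  /* hidden flag for `a` starts at 0 (mov byte ptr [ebp-46h],0 in the listing) */
char ch;
scanf("%c", &ch);                       /* return value is not checked: if the read fails, ch is uninitialized as well */
if (ch == 'y')                          /* plain ASCII single quotes; the curly quotes in the original would not compile */
    a = 10;                             /* the only write to `a`; /RTCu sets the flag to 1 right here */
printf("%d", a);                        /* on any input other than 'y' this reads an uninitialized local;
                                           /RTCu compares the flag with 0 first and calls __RTC_UninitUse if it is still 0 */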
[Note]: /RTCu checks for local variables that are used before being initialized. The mechanism is straightforward: a hidden local flag is set to 0 at the start and set to 1 as soon as the watched variable is initialized. Before the variable is used, a cmp compares the flag with 0; if the flag is still 0 (the jne is not taken), __RTC_UninitUse reports the problem.
//
// Stack Check (/RTCs)
// Local variables are filled with 0xCC (the int 3 opcode); if that memory is ever executed as code, a breakpoint exception is raised
/*
009314AC lea edi,[ebp-0E4h]
009314B2 mov ecx,39h
009314B7 mov eax,0CCCCCCCCh
009314BC rep stos dword ptr es:[edi]
*/
int a;                                  /* with /RTCs these locals live inside the frame region the prologue fills with 0xCC */
int b;                                  /* the listing fills 0x39 dwords = 0xE4 bytes, matching lea edi,[ebp-0E4h] */
int c;                                  /* 0xCC is the int 3 opcode, so stray execution of this memory traps; 0xCCCCCCCC is also easy to spot in a debugger */
// Check if esp is messed up
// Check buffer overrun issue
// The check uses the buffer's location and its length: it verifies that the bytes at the head and tail of the buffer are still 0xCC.
/*
0012154E mov esi,esp
00121550 lea eax,[buffer]
00121553 push eax
00121554 push offset string "%s" (125744h)
00121559 call dword ptr [__imp__scanf (1282C4h)]
0012155F add esp,8
00121562 cmp esi,esp
00121564 call @ILT+345(__RTC_CheckEsp) (12115Eh)
00121569 xor eax,eax
0012156B push edx
0012156C mov ecx,ebp
0012156E push eax
0012156F lea edx,[ (121590h)]
00121575 call @ILT+140(@_RTC_CheckStackVars@8) (121091h)
*/
char buffer[10];                        /* /RTCs records this buffer's address and length so _RTC_CheckStackVars can verify the 0xCC guard around it after the call */
scanf("%s", buffer);                    /* UNBOUNDED read: "%s" has no width limit, so more than 9 characters of input overrun the buffer.
                                           The overrun is the point of this demo; production code must bound it (e.g. "%9s") or use fgets.
                                           The listing also saves esp in esi before the call and cmp's it afterwards for __RTC_CheckEsp. */
[Note]: The cmp is the important part: it checks that the stack pointer is unchanged (the stack is balanced) after calling an external function. __RTC_CheckEsp tests the flags left by that cmp; if esp differs from the saved value, it uses a simple jmp to the error-reporting routine, which prompts a dialog.