1 answer

I studied the disassembly of ntdll!RtlDecodePointer and was able to write the following WinDBG expression:

r $t0 = 86aaaa40`0007ff77 $$ put the value to decode here
r $t1 = dwo(ntdll!`RtlpGetCookieValue'::`2'::CookieValue)
r $t2 = @$t1 & 3f
r $t3 = (@$t0 >> (0x40 - @$t2)) | (@$t0 << @$t2)
.printf "Decoded pointer: %p\n", @$t3 ^ @$t1

Or, as a one-liner:

r $t0 = 86aaaa40`0007ff77 $$ put the value to decode here
r $t1 = dwo(ntdll!`RtlpGetCookieValue'::`2'::CookieValue); r $t2 = @$t1 & 3f; r $t3 = (@$t0 >> (0x40 - @$t2)) | (@$t0 << @$t2); .printf "Decoded pointer: %p\n", @$t3 ^ @$t1

This works well even on small dumps without full memory.
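The decode the answer derives (rotate left by cookie & 0x3f, then XOR with the 32-bit cookie read by dwo) reimplemented in C, together with the matching encode so the round trip can be checked offline. This is an added example, not the answerer's code; the cookie and pointer values are constructed, and a real cookie has to come from the target process or dump as the answer shows.

```c
#include <stdint.h>
#include <stdio.h>

/* Rotate helpers. The "& 63" on the complementary shift keeps the count in
 * range when n == 0 (shifting a 64-bit value by 64 is undefined in C). */
static uint64_t rotl64(uint64_t x, unsigned n) {
    n &= 63;
    return (x << n) | (x >> ((64 - n) & 63));
}

static uint64_t rotr64(uint64_t x, unsigned n) {
    n &= 63;
    return (x >> n) | (x << ((64 - n) & 63));
}

/* Decode: the same steps as the WinDBG expression above. The cookie is a
 * 32-bit value (dwo) and is zero-extended to 64 bits before the XOR. */
uint64_t decode_pointer(uint64_t encoded, uint32_t cookie) {
    return rotl64(encoded, cookie & 0x3f) ^ (uint64_t)cookie;
}

/* Encode: the inverse operation, so decode(encode(p)) == p. */
uint64_t encode_pointer(uint64_t ptr, uint32_t cookie) {
    return rotr64(ptr ^ (uint64_t)cookie, cookie & 0x3f);
}

int main(void) {
    /* Constructed sample values (hypothetical cookie and user-mode address). */
    uint32_t cookie = 0xCAFE1234u;
    uint64_t ptr = 0x00007ff786aaaa40ull;
    uint64_t enc = encode_pointer(ptr, cookie);
    printf("cookie  %08x\nencoded %016llx\ndecoded %016llx\n",
           cookie, (unsigned long long)enc,
           (unsigned long long)decode_pointer(enc, cookie));
    return 0;
}
```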