一、学习目标:EncryptPE V2.2007.4.11 主程序
二、使用工具:OllyDbg v1.10,ImportREC 1.6 Final,LordPE
三、联系作者:DarkBull#126.com
四、具体过程:
1.寻找OEP
用OD载入,EP如下:
EncryptP.> 60 PUSHAD
00501001 9C PUSHFD
00501002 64:FF35 000>PUSH DWORD PTR FS:[0]
00501009 E8 1B020000 CALL EncryptP.00501229
0050100E 0000 ADD BYTE PTR DS:[EAX],AL
00501010 0000 ADD BYTE PTR DS:[EAX],AL
下断点BP LoadLibraryA,拦截后堆栈内容如下:
0012FF94 00501338 /CALL to LoadLibraryA from EncryptP.00501336
0012FF98 005010FB \FileName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\V220070411.EPE"
再分析一下V220070411.EPE是用UPX加的壳,OEP如下:
<V2200704> 55 PUSH EBP
71205DA1 8BEC MOV EBP,ESP
71205DA3 83C4 C4 ADD ESP,-3C
71205DA6 B8 305A2071 MOV EAX,V2200704.71205A30
71205DAB E8 3C13F2FF CALL V2200704.711270EC
71205DB0 E8 EFEBF1FF CALL V2200704.711249A4
71205DB5 8D40 00 LEA EAX,DWORD PTR DS:[EAX]
下断BP SetWindowsHookExA,拦截后堆栈内容如下:
0012F784 711F1FF6 /CALL to SetWindowsHookExA from V2200704.711F1FF1
0012F788 00000004 |HookType = WH_CALLWNDPROC
0012F78C 711F601C |Hookproc = V2200704.711F601C
0012F790 71120000 |hModule = 71120000 (V2200704)
0012F794 00000770 \ThreadID = 770 ; Explorer.exe中"PROGMAN"窗口的线程ID.
设置一个远程基于"PROGMAN"窗口线程的钩子。此时下断BP SendMessage,拦截后堆栈内容如下:
0012F784 711F2050 /CALL to SendMessageA from V2200704.711F204B
0012F788 00040054 |hWnd = 40054
0012F78C 0000C1E4 |Message = MSG(C1E4)
0012F790 00001BC8 |wParam = 1BC8
0012F794 00000000 \lParam = 0
此时用OD附加于Explorer.exe,下断点BP CreateProcessA,F9运行EncryptPE.exe,拦截后代码如下:
711F8141 > C745 F0 0>MOV DWORD PTR SS:[EBP-10],10002 ; DBG_CONTINUE
711F8148 . C785 44FE>MOV DWORD PTR SS:[EBP-1BC],10007 ; ContextFlags
711F8152 . 8B85 10FF>MOV EAX,DWORD PTR SS:[EBP-F0]
711F8158 . 83F8 08 CMP EAX,8 ; Switch (cases 1..8) Of ExceptionCode
711F815B . 0F87 F211>JA V2200704.711F9353
711F8161 . FF2485 68>JMP NEAR DWORD PTR DS:[EAX*4+711F816>; V2200704.711F818C
711F8168 . 53931F71 DD V2200704.711F9353 ; JMP Table
711F816C . 87821F71 DD V2200704.711F8287
711F8170 . 18821F71 DD V2200704.711F8218
711F8174 . 8C811F71 DD V2200704.711F818C
711F8178 . 5D821F71 DD V2200704.711F825D
711F817C . 01821F71 DD V2200704.711F8201
711F8180 . F0811F71 DD V2200704.711F81F0
711F8184 . 53931F71 DD V2200704.711F9353
711F8188 . DD921F71 DD V2200704.711F92DD
711F818C . 8B85 24FF>MOV EAX,DWORD PTR SS:[EBP-DC]
711F8192 . 33D2 XOR EDX,EDX
711F8194 . 52 PUSH EDX
711F8195 . 50 PUSH EAX
711F8196 . 8D85 68FC>LEA EAX,DWORD PTR SS:[EBP-398]
711F819C . E8 6317F3>CALL <V2200704.IToA>
711F81A1 . 8B85 68FC>MOV EAX,DWORD PTR SS:[EBP-398]
711F81A7 . 50 PUSH EAX
711F81A8 . 8B85 18FF>MOV EAX,DWORD PTR SS:[EBP-E8]
711F81AE . 33D2 XOR EDX,EDX
711F81B0 . 52 PUSH EDX
711F81B1 . 50 PUSH EAX
711F81B2 . 8D85 64FC>LEA EAX,DWORD PTR SS:[EBP-39C]
711F81B8 . E8 4717F3>CALL <V2200704.IToA>
711F81BD . 8B95 64FC>MOV EDX,DWORD PTR SS:[EBP-39C]
711F81C3 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
711F81C6 . 59 POP ECX
711F81C7 . E8 0C6EF4>CALL V2200704.7113EFD8
711F81CC . 8B85 1CFF>MOV EAX,DWORD PTR SS:[EBP-E4]
711F81D2 . 50 PUSH EAX ; /hObject
711F81D3 . E8 48F1F2>CALL V2200704.71127320 ; \CloseHandle
711F81D8 . 8B85 20FF>MOV EAX,DWORD PTR SS:[EBP-E0]
711F81DE . 50 PUSH EAX ; /hObject
711F81DF . E8 3CF1F2>CALL V2200704.71127320 ; \CloseHandle
711F81E4 . C605 A4DC>MOV BYTE PTR DS:[7121DCA4],1
711F81EB . E9 631100>JMP V2200704.711F9353
711F81F0 . 8B85 1CFF>MOV EAX,DWORD PTR SS:[EBP-E4] ; Case 6 of switch 711F8158
711F81F6 . 50 PUSH EAX ; /hObject
711F81F7 . E8 24F1F2>CALL V2200704.71127320 ; \CloseHandle
711F81FC . E9 521100>JMP V2200704.711F9353
711F8201 . 8B85 14FF>MOV EAX,DWORD PTR SS:[EBP-EC] ; Case 5 of switch 711F8158
711F8207 . 3B85 78FF>CMP EAX,DWORD PTR SS:[EBP-88]
711F820D . 0F84 6D11>JE V2200704.711F9380
711F8213 . E9 3B1100>JMP V2200704.711F9353
711F8218 . 8B85 1CFF>MOV EAX,DWORD PTR SS:[EBP-E4] ; Case 2 of switch 711F8158
711F821E . 33D2 XOR EDX,EDX
711F8220 . 52 PUSH EDX
711F8221 . 50 PUSH EAX
711F8222 . 8D85 60FC>LEA EAX,DWORD PTR SS:[EBP-3A0]
711F8228 . E8 D716F3>CALL <V2200704.IToA>
711F822D . 8B85 60FC>MOV EAX,DWORD PTR SS:[EBP-3A0]
711F8233 . 50 PUSH EAX
711F8234 . 8B85 18FF>MOV EAX,DWORD PTR SS:[EBP-E8]
711F823A . 33D2 XOR EDX,EDX
711F823C . 52 PUSH EDX
711F823D . 50 PUSH EAX
711F823E . 8D85 5CFC>LEA EAX,DWORD PTR SS:[EBP-3A4]
711F8244 . E8 BB16F3>CALL <V2200704.IToA>
711F8249 . 8B95 5CFC>MOV EDX,DWORD PTR SS:[EBP-3A4]
711F824F . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
711F8252 . 59 POP ECX
711F8253 . E8 806DF4>CALL V2200704.7113EFD8
711F8258 . E9 F61000>JMP V2200704.711F9353
711F825D . 8B85 18FF>MOV EAX,DWORD PTR SS:[EBP-E8] ; Case 4 of switch 711F8158
711F8263 . 33D2 XOR EDX,EDX
711F8265 . 52 PUSH EDX
711F8266 . 50 PUSH EAX
711F8267 . 8D85 58FC>LEA EAX,DWORD PTR SS:[EBP-3A8]
711F826D . E8 9216F3>CALL <V2200704.IToA>
711F8272 . 8B95 58FC>MOV EDX,DWORD PTR SS:[EBP-3A8]
711F8278 . 33C9 XOR ECX,ECX
711F827A . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
711F827D . E8 566DF4>CALL V2200704.7113EFD8
711F8282 . E9 CC1000>JMP V2200704.711F9353
711F8287 . 807D FF 0>CMP BYTE PTR SS:[EBP-1],0 ; Case 1 of switch 711F8158
711F828B . 75 07 JNZ SHORT V2200704.711F8294
711F828D . C745 F0 0>MOV DWORD PTR SS:[EBP-10],80010001 ; DBG_EXCEPTION_NOT_HANDLED
711F8294 > C645 FF 0>MOV BYTE PTR SS:[EBP-1],0
711F8298 . 83BD 6CFF>CMP DWORD PTR SS:[EBP-94],0
711F829F . 0F85 7001>JNZ V2200704.711F8415
711F82A5 . E8 A230F3>CALL V2200704.7112B34C
711F82AA . 83C4 F8 ADD ESP,-8
711F82AD . DD1C24 FSTP QWORD PTR SS:[ESP]
711F82B0 . 9B WAIT
711F82B1 . 8D85 54FC>LEA EAX,DWORD PTR SS:[EBP-3AC]
711F82B7 . E8 A43CF3>CALL V2200704.7112BF60
711F82BC . FFB5 54FC>PUSH DWORD PTR SS:[EBP-3AC]
711F82C2 . 68 AC941F>PUSH V2200704.711F94AC ; ASCII ",ExceptionAddress:0x"
711F82C7 . 8B85 28FF>MOV EAX,DWORD PTR SS:[EBP-D8]
711F82CD . 33D2 XOR EDX,EDX
711F82CF . 52 PUSH EDX
711F82D0 . 50 PUSH EAX
711F82D1 . 8D95 50FC>LEA EDX,DWORD PTR SS:[EBP-3B0]
711F82D7 . B8 080000>MOV EAX,8
711F82DC . E8 9316F3>CALL <V2200704.Printf>
711F82E1 . FFB5 50FC>PUSH DWORD PTR SS:[EBP-3B0]
711F82E7 . 68 CC941F>PUSH V2200704.711F94CC ; ASCII ",ExceptionCode:0x"
711F82EC . 8B85 1CFF>MOV EAX,DWORD PTR SS:[EBP-E4]
711F82F2 . 33D2 XOR EDX,EDX
711F82F4 . 52 PUSH EDX
711F82F5 . 50 PUSH EAX
711F82F6 . 8D95 4CFC>LEA EDX,DWORD PTR SS:[EBP-3B4]
711F82FC . B8 080000>MOV EAX,8
711F8301 . E8 6E16F3>CALL <V2200704.Printf>
711F8306 . FFB5 4CFC>PUSH DWORD PTR SS:[EBP-3B4]
711F830C . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F830F . BA 050000>MOV EDX,5
711F8314 . E8 77CBF2>CALL <V2200704.StrCatN>
711F8319 . 81BD 1CFF>CMP DWORD PTR SS:[EBP-E4],C0000005
711F8323 . 75 5A JNZ SHORT V2200704.711F837F
711F8325 . 83BD 30FF>CMP DWORD PTR SS:[EBP-D0],0
711F832C . 75 0F JNZ SHORT V2200704.711F833D
711F832E . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F8331 . BA E8941F>MOV EDX,V2200704.711F94E8 ; ASCII ",Read"
711F8336 . E8 9DCAF2>CALL <V2200704.StrCat>
711F833B . EB 0D JMP SHORT V2200704.711F834A
711F833D > 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F8340 . BA F8941F>MOV EDX,V2200704.711F94F8 ; ASCII ",Write"
711F8345 . E8 8ECAF2>CALL <V2200704.StrCat>
711F834A > FF75 E8 PUSH DWORD PTR SS:[EBP-18]
711F834D . 68 08951F>PUSH V2200704.711F9508 ; ASCII ",0x"
711F8352 . 8B85 34FF>MOV EAX,DWORD PTR SS:[EBP-CC]
711F8358 . 33D2 XOR EDX,EDX
711F835A . 52 PUSH EDX
711F835B . 50 PUSH EAX
711F835C . 8D95 48FC>LEA EDX,DWORD PTR SS:[EBP-3B8]
711F8362 . B8 080000>MOV EAX,8
711F8367 . E8 0816F3>CALL <V2200704.Printf>
711F836C . FFB5 48FC>PUSH DWORD PTR SS:[EBP-3B8]
711F8372 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F8375 . BA 030000>MOV EDX,3
711F837A . E8 11CBF2>CALL <V2200704.StrCatN>
711F837F > 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
711F8382 . 8D85 78FC>LEA EAX,DWORD PTR SS:[EBP-388]
711F8388 . E8 57AAF2>CALL V2200704.71122DE4
711F838D . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
711F8390 . E8 EF19F3>CALL V2200704.71129D84
711F8395 . 84C0 TEST AL,AL
711F8397 . 74 12 JE SHORT V2200704.711F83AB
711F8399 . 8D85 78FC>LEA EAX,DWORD PTR SS:[EBP-388]
711F839F . E8 DCA7F2>CALL V2200704.71122B80
711F83A4 . E8 7BA5F2>CALL V2200704.71122924
711F83A9 . EB 10 JMP SHORT V2200704.711F83BB
711F83AB > 8D85 78FC>LEA EAX,DWORD PTR SS:[EBP-388]
711F83B1 . E8 BEA7F2>CALL V2200704.71122B74
711F83B6 . E8 69A5F2>CALL V2200704.71122924
711F83BB > 33C0 XOR EAX,EAX
711F83BD . 55 PUSH EBP
711F83BE . 68 FB831F>PUSH V2200704.711F83FB
711F83C3 . 64:FF30 PUSH DWORD PTR FS:[EAX]
711F83C6 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
711F83C9 . 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
711F83CC . 8D85 78FC>LEA EAX,DWORD PTR SS:[EBP-388]
711F83D2 . E8 E1CDF2>CALL V2200704.711251B8
711F83D7 . E8 24B3F2>CALL V2200704.71123700
711F83DC . E8 43A5F2>CALL V2200704.71122924
711F83E1 . 8D85 78FC>LEA EAX,DWORD PTR SS:[EBP-388]
711F83E7 . E8 A8AAF2>CALL V2200704.71122E94
711F83EC . E8 33A5F2>CALL V2200704.71122924
711F83F1 . 33C0 XOR EAX,EAX
711F83F3 . 5A POP EDX
711F83F4 . 59 POP ECX
711F83F5 . 59 POP ECX
711F83F6 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
711F83F9 . EB 0A JMP SHORT V2200704.711F8405
711F83FB .- E9 80BDF2>JMP V2200704.71124180
711F8400 . E8 E3C0F2>CALL V2200704.711244E8
711F8405 > 8D85 78FC>LEA EAX,DWORD PTR SS:[EBP-388]
711F840B . E8 50ABF2>CALL V2200704.71122F60
711F8410 . E8 0FA5F2>CALL V2200704.71122924
711F8415 > 8B85 14FF>MOV EAX,DWORD PTR SS:[EBP-EC]
711F841B . 3B85 78FF>CMP EAX,DWORD PTR SS:[EBP-88]
711F8421 . 0F85 670E>JNZ V2200704.711F928E
711F8427 . 8B85 18FF>MOV EAX,DWORD PTR SS:[EBP-E8]
711F842D . 33D2 XOR EDX,EDX
711F842F . 52 PUSH EDX
711F8430 . 50 PUSH EAX
711F8431 . 8D85 40FC>LEA EAX,DWORD PTR SS:[EBP-3C0]
711F8437 . E8 C814F3>CALL <V2200704.IToA>
711F843C . 8B95 40FC>MOV EDX,DWORD PTR SS:[EBP-3C0]
711F8442 . 8D8D 44FC>LEA ECX,DWORD PTR SS:[EBP-3BC]
711F8448 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
711F844B . E8 B064F4>CALL V2200704.7113E900
711F8450 . 83BD 44FC>CMP DWORD PTR SS:[EBP-3BC],0
711F8457 . 0F84 310E>JE V2200704.711F928E
711F845D . 8D85 44FE>LEA EAX,DWORD PTR SS:[EBP-1BC]
711F8463 . 50 PUSH EAX
711F8464 . 8B85 18FF>MOV EAX,DWORD PTR SS:[EBP-E8]
711F846A . 33D2 XOR EDX,EDX
711F846C . 52 PUSH EDX
711F846D . 50 PUSH EAX
711F846E . 8D85 38FC>LEA EAX,DWORD PTR SS:[EBP-3C8]
711F8474 . E8 8B14F3>CALL <V2200704.IToA>
711F8479 . 8B95 38FC>MOV EDX,DWORD PTR SS:[EBP-3C8]
711F847F . 8D8D 3CFC>LEA ECX,DWORD PTR SS:[EBP-3C4]
711F8485 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
711F8488 . E8 7364F4>CALL V2200704.7113E900
711F848D . 8B85 3CFC>MOV EAX,DWORD PTR SS:[EBP-3C4]
711F8493 . E8 1C15F3>CALL V2200704.711299B4
711F8498 . 50 PUSH EAX ; |hThread
711F8499 . E8 5AF1F2>CALL V2200704.711275F8 ; \GetThreadContext
711F849E . 85C0 TEST EAX,EAX
711F84A0 . 0F84 E80D>JE V2200704.711F928E
711F84A6 . 81BD 1CFF>CMP DWORD PTR SS:[EBP-E4],80000003
711F84B0 . 0F85 240D>JNZ V2200704.711F91DA
711F84B6 . 33FF XOR EDI,EDI
711F84B8 > 8B85 14FF>MOV EAX,DWORD PTR SS:[EBP-EC]
711F84BE . 50 PUSH EAX ; /ProcessId
711F84BF . 6A 00 PUSH 0 ; |Inheritable = FALSE
711F84C1 . 68 FF0F1F>PUSH 1F0FFF ; |Access = PROCESS_ALL_ACCESS
711F84C6 . E8 95F2F2>CALL V2200704.71127760 ; \OpenProcess
711F84CB . 8BF8 MOV EDI,EAX
711F84CD . 85FF TEST EDI,EDI
711F84CF .^ 74 E7 JE SHORT V2200704.711F84B8
711F84D1 . 85FF TEST EDI,EDI
711F84D3 . 0F86 010D>JBE V2200704.711F91DA
711F84D9 . 807D FE 0>CMP BYTE PTR SS:[EBP-2],0
711F84DD . 74 57 JE SHORT V2200704.711F8536
711F84DF . B8 FF0000>MOV EAX,0FF
711F84E4 . E8 87ACF2>CALL V2200704.71123170
711F84E9 . 83F8 1E CMP EAX,1E
711F84EC . 7D 48 JGE SHORT V2200704.711F8536
711F84EE . 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
711F84F1 . 52 PUSH EDX ; /pBytesWritten
711F84F2 . 8B15 0419>MOV EDX,DWORD PTR DS:[71231904] ; |
711F84F8 . 52 PUSH EDX ; |BytesToWrite => 5F1C (24348.)
711F84F9 . A1 001923>MOV EAX,DWORD PTR DS:[71231900] ; |
711F84FE . 50 PUSH EAX ; |Buffer => V2200704.711F20E0
711F84FF . 50 PUSH EAX ; |Address => 711F20E0
711F8500 . 57 PUSH EDI ; |hProcess
711F8501 . E8 A2F3F2>CALL V2200704.711278A8 ; \WriteProcessMemory
711F8506 . 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
711F8509 . 52 PUSH EDX ; /pBytesWritten
711F850A . 8B15 0C19>MOV EDX,DWORD PTR DS:[7123190C] ; |
711F8510 . 52 PUSH EDX ; |BytesToWrite => 7418 (29720.)
711F8511 . A1 081923>MOV EAX,DWORD PTR DS:[71231908] ; |
711F8516 . 50 PUSH EAX ; |Buffer => <V2200704.GetMID1>
711F8517 . 50 PUSH EAX ; |Address => 711FC0D0
711F8518 . 57 PUSH EDI ; |hProcess
711F8519 . E8 8AF3F2>CALL V2200704.711278A8 ; \WriteProcessMemory
711F851E . 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
711F8521 . 52 PUSH EDX ; /pBytesWritten
711F8522 . 8B15 1419>MOV EDX,DWORD PTR DS:[71231914] ; |
711F8528 . 52 PUSH EDX ; |BytesToWrite => 1D34 (7476.)
711F8529 . A1 101923>MOV EAX,DWORD PTR DS:[71231910] ; |
711F852E . 50 PUSH EAX ; |Buffer => V2200704.71203A70
711F852F . 50 PUSH EAX ; |Address => 71203A70
711F8530 . 57 PUSH EDI ; |hProcess
711F8531 . E8 72F3F2>CALL V2200704.711278A8 ; \WriteProcessMemory
711F8536 > 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F8539 . BA 050000>MOV EDX,5
711F853E . E8 11CCF2>CALL <V2200704.AllocBuffer>
711F8543 . 33C0 XOR EAX,EAX
711F8545 . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
711F8548 . 837D EC 0>CMP DWORD PTR SS:[EBP-14],5
711F854C . 73 22 JNB SHORT V2200704.711F8570
711F854E > 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711F8551 . 50 PUSH EAX
711F8552 . 6A 05 PUSH 5
711F8554 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F8557 . E8 C4CAF2>CALL <V2200704.StrCpyN>
711F855C . 50 PUSH EAX ; |Buffer
711F855D . 8B85 28FF>MOV EAX,DWORD PTR SS:[EBP-D8] ; |
711F8563 . 50 PUSH EAX ; |pBaseAddress
711F8564 . 57 PUSH EDI ; |hProcess
711F8565 . E8 2EF2F2>CALL V2200704.71127798 ; \ReadProcessMemory
711F856A . 837D EC 0>CMP DWORD PTR SS:[EBP-14],5
711F856E .^ 72 DE JB SHORT V2200704.711F854E
711F8570 > 837D EC 0>CMP DWORD PTR SS:[EBP-14],5
711F8574 . 0F85 5A0C>JNZ V2200704.711F91D4
711F857A . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F857D . E8 9ECAF2>CALL <V2200704.StrCpyN>
711F8582 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
711F8585 . 807D FE 0>CMP BYTE PTR SS:[EBP-2],0
711F8589 . 75 3F JNZ SHORT V2200704.711F85CA
711F858B . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
711F858E . 8B00 MOV EAX,DWORD PTR DS:[EAX]
711F8590 . 3D CCCCCC>CMP EAX,CCCCCCCC
711F8595 . 74 0E JE SHORT V2200704.711F85A5
711F8597 . 3D CCCCCC>CMP EAX,0CCCCCC
711F859C . 74 07 JE SHORT V2200704.711F85A5
711F859E . 3D CCCCCC>CMP EAX,1CCCCCC
711F85A3 . 75 25 JNZ SHORT V2200704.711F85CA
711F85A5 > 8B85 FCFE>MOV EAX,DWORD PTR SS:[EBP-104]
711F85AB . 3B05 1019>CMP EAX,DWORD PTR DS:[71231910] ; V2200704.71203A70
711F85B1 . 72 17 JB SHORT V2200704.711F85CA
711F85B3 . A1 101923>MOV EAX,DWORD PTR DS:[71231910]
711F85B8 . 0305 1419>ADD EAX,DWORD PTR DS:[71231914]
711F85BE . 3B85 FCFE>CMP EAX,DWORD PTR SS:[EBP-104]
711F85C4 . 76 04 JBE SHORT V2200704.711F85CA
711F85C6 . C645 FE 0>MOV BYTE PTR SS:[EBP-2],1
711F85CA > 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
711F85CD . 8B00 MOV EAX,DWORD PTR DS:[EAX]
711F85CF . 2D CCCCCC>SUB EAX,CCCCCCCC ; Switch (cases CCCCCC..CCCCCCCC)
711F85D4 . 74 1B JE SHORT V2200704.711F85F1
711F85D6 . 2D 000000>SUB EAX,34000000
711F85DB . 0F84 6E02>JE V2200704.711F884F
711F85E1 . 2D 000000>SUB EAX,1000000
711F85E6 . 0F84 3207>JE V2200704.711F8D1E
711F85EC . E9 E30B00>JMP V2200704.711F91D4
711F85F1 > 8B85 18FF>MOV EAX,DWORD PTR SS:[EBP-E8] ; Case CCCCCCCC of switch 711F85CF
711F85F7 . 33D2 XOR EDX,EDX
711F85F9 . 52 PUSH EDX
711F85FA . 50 PUSH EAX
711F85FB . 8D85 30FC>LEA EAX,DWORD PTR SS:[EBP-3D0]
711F8601 . E8 FE12F3>CALL <V2200704.IToA>
711F8606 . 8D85 30FC>LEA EAX,DWORD PTR SS:[EBP-3D0]
711F860C . 50 PUSH EAX
711F860D . 8D8D 2CFC>LEA ECX,DWORD PTR SS:[EBP-3D4]
711F8613 . BA 010000>MOV EDX,1
711F8618 . B8 260000>MOV EAX,26
711F861D . E8 72BFFF>CALL V2200704.711F4594
711F8622 . 8B95 2CFC>MOV EDX,DWORD PTR SS:[EBP-3D4]
711F8628 . 58 POP EAX
711F8629 . E8 AAC7F2>CALL <V2200704.StrCat>
711F862E . 8B95 30FC>MOV EDX,DWORD PTR SS:[EBP-3D0]
711F8634 . 8D8D 34FC>LEA ECX,DWORD PTR SS:[EBP-3CC]
711F863A . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
711F863D . E8 BE62F4>CALL V2200704.7113E900
711F8642 . 83BD 34FC>CMP DWORD PTR SS:[EBP-3CC],0
711F8649 . 0F84 DC01>JE V2200704.711F882B
711F864F . A1 18F721>MOV EAX,DWORD PTR DS:[7121F718]
711F8654 . 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711F8657 . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F865D . 8A50 28 MOV DL,BYTE PTR DS:[EAX+28]
711F8660 . 80F2 60 XOR DL,60
711F8663 . 80F2 64 XOR DL,64
711F8666 . 81E2 FF00>AND EDX,0FF
711F866C . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F866F . E8 E0CAF2>CALL <V2200704.AllocBuffer>
711F8674 . 8B85 18FF>MOV EAX,DWORD PTR SS:[EBP-E8]
711F867A . 33D2 XOR EDX,EDX
711F867C . 52 PUSH EDX
711F867D . 50 PUSH EAX
711F867E . 8D85 24FC>LEA EAX,DWORD PTR SS:[EBP-3DC]
711F8684 . E8 7B12F3>CALL <V2200704.IToA>
711F8689 . 8D85 24FC>LEA EAX,DWORD PTR SS:[EBP-3DC]
711F868F . 50 PUSH EAX
711F8690 . 8D8D 20FC>LEA ECX,DWORD PTR SS:[EBP-3E0]
711F8696 . BA 010000>MOV EDX,1
711F869B . B8 260000>MOV EAX,26
711F86A0 . E8 EFBEFF>CALL V2200704.711F4594
711F86A5 . 8B95 20FC>MOV EDX,DWORD PTR SS:[EBP-3E0]
711F86AB . 58 POP EAX
711F86AC . E8 27C7F2>CALL <V2200704.StrCat>
711F86B1 . 8B95 24FC>MOV EDX,DWORD PTR SS:[EBP-3DC]
711F86B7 . 8D8D 28FC>LEA ECX,DWORD PTR SS:[EBP-3D8]
711F86BD . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
711F86C0 . E8 3B62F4>CALL V2200704.7113E900
711F86C5 . 8B85 28FC>MOV EAX,DWORD PTR SS:[EBP-3D8]
711F86CB . E8 E412F3>CALL V2200704.711299B4
711F86D0 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
711F86D3 . 33C0 XOR EAX,EAX
711F86D5 . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
711F86D8 . EB 32 JMP SHORT V2200704.711F870C
711F86DA > 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711F86DD . 50 PUSH EAX
711F86DE . A1 18F721>MOV EAX,DWORD PTR DS:[7121F718]
711F86E3 . 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711F86E6 . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F86EC . 8A40 28 MOV AL,BYTE PTR DS:[EAX+28]
711F86EF . 34 60 XOR AL,60
711F86F1 . 34 64 XOR AL,64
711F86F3 . 25 FF0000>AND EAX,0FF
711F86F8 . 50 PUSH EAX
711F86F9 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F86FC . E8 1FC9F2>CALL <V2200704.StrCpyN>
711F8701 . 50 PUSH EAX ; |Buffer
711F8702 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] ; |
711F8705 . 50 PUSH EAX ; |pBaseAddress
711F8706 . 57 PUSH EDI ; |hProcess
711F8707 . E8 8CF0F2>CALL V2200704.71127798 ; \ReadProcessMemory
711F870C > A1 18F721>MOV EAX,DWORD PTR DS:[7121F718]
711F8711 . 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711F8714 . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F871A . 8A40 28 MOV AL,BYTE PTR DS:[EAX+28]
711F871D . 34 60 XOR AL,60
711F871F . 34 64 XOR AL,64
711F8721 . 25 FF0000>AND EAX,0FF
711F8726 . 3B45 EC CMP EAX,DWORD PTR SS:[EBP-14]
711F8729 .^ 77 AF JA SHORT V2200704.711F86DA
711F872B . A1 18F721>MOV EAX,DWORD PTR DS:[7121F718]
711F8730 . 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711F8733 . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8739 . 8A40 28 MOV AL,BYTE PTR DS:[EAX+28]
711F873C . 34 60 XOR AL,60
711F873E . 34 64 XOR AL,64
711F8740 . 25 FF0000>AND EAX,0FF
711F8745 . 3B45 EC CMP EAX,DWORD PTR SS:[EBP-14]
711F8748 . 0F85 860A>JNZ V2200704.711F91D4
711F874E . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F8751 . E8 CAC8F2>CALL <V2200704.StrCpyN>
711F8756 . 83C0 04 ADD EAX,4
711F8759 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
711F875C . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
711F875F . 8B00 MOV EAX,DWORD PTR DS:[EAX]
711F8761 . 8985 E0FE>MOV DWORD PTR SS:[EBP-120],EAX
711F8767 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F876A . E8 B1C8F2>CALL <V2200704.StrCpyN>
711F876F . 83C0 08 ADD EAX,8
711F8772 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
711F8775 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
711F8778 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
711F877A . 8985 E4FE>MOV DWORD PTR SS:[EBP-11C],EAX
711F8780 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F8783 . E8 98C8F2>CALL <V2200704.StrCpyN>
711F8788 . 83C0 0C ADD EAX,0C
711F878B . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
711F878E . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
711F8791 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
711F8793 . 8985 F8FE>MOV DWORD PTR SS:[EBP-108],EAX
711F8799 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F879C . E8 7FC8F2>CALL <V2200704.StrCpyN>
711F87A1 . 83C0 10 ADD EAX,10
711F87A4 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
711F87A7 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
711F87AA . 8B00 MOV EAX,DWORD PTR DS:[EAX]
711F87AC . 8985 08FF>MOV DWORD PTR SS:[EBP-F8],EAX
711F87B2 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F87B5 . E8 66C8F2>CALL <V2200704.StrCpyN>
711F87BA . 83C0 14 ADD EAX,14
711F87BD . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
711F87C0 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
711F87C3 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
711F87C5 . 8985 E8FE>MOV DWORD PTR SS:[EBP-118],EAX
711F87CB . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F87CE . E8 4DC8F2>CALL <V2200704.StrCpyN>
711F87D3 . 83C0 18 ADD EAX,18
711F87D6 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
711F87D9 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
711F87DC . 8B00 MOV EAX,DWORD PTR DS:[EAX]
711F87DE . 8985 ECFE>MOV DWORD PTR SS:[EBP-114],EAX
711F87E4 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F87E7 . E8 34C8F2>CALL <V2200704.StrCpyN>
711F87EC . 83C0 1C ADD EAX,1C
711F87EF . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
711F87F2 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
711F87F5 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
711F87F7 . 8985 F0FE>MOV DWORD PTR SS:[EBP-110],EAX
711F87FD . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F8800 . E8 1BC8F2>CALL <V2200704.StrCpyN>
711F8805 . 83C0 20 ADD EAX,20
711F8808 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
711F880B . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
711F880E . 8B00 MOV EAX,DWORD PTR DS:[EAX]
711F8810 . 83F0 FF XOR EAX,FFFFFFFF
711F8813 . 8985 FCFE>MOV DWORD PTR SS:[EBP-104],EAX
711F8819 . 8985 F4FE>MOV DWORD PTR SS:[EBP-10C],EAX
711F881F . C745 F0 0>MOV DWORD PTR SS:[EBP-10],10002 ; DBG_CONTINUE
711F8826 . E9 A90900>JMP V2200704.711F91D4
711F882B > 8B85 28FF>MOV EAX,DWORD PTR SS:[EBP-D8]
711F8831 . 83C0 05 ADD EAX,5
711F8834 . 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
711F8837 . 0FB652 04 MOVZX EDX,BYTE PTR DS:[EDX+4]
711F883B . 03C2 ADD EAX,EDX
711F883D . 8985 FCFE>MOV DWORD PTR SS:[EBP-104],EAX
711F8843 . C745 F0 0>MOV DWORD PTR SS:[EBP-10],10002 ; DBG_CONTINUE
711F884A . E9 850900>JMP V2200704.711F91D4
711F884F > 66:C745 C>MOV WORD PTR SS:[EBP-38],0FFFF ; Case CCCCCC of switch 711F85CF
711F8855 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F8858 . BA 180000>MOV EDX,18
711F885D . E8 F2C8F2>CALL <V2200704.AllocBuffer>
711F8862 . 33C0 XOR EAX,EAX
711F8864 . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
711F8867 . 837D EC 1>CMP DWORD PTR SS:[EBP-14],18
711F886B . 73 22 JNB SHORT V2200704.711F888F
711F886D > 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711F8870 . 50 PUSH EAX
711F8871 . 6A 18 PUSH 18
711F8873 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F8876 . E8 A5C7F2>CALL <V2200704.StrCpyN>
711F887B . 50 PUSH EAX ; |Buffer
711F887C . 8B85 08FF>MOV EAX,DWORD PTR SS:[EBP-F8] ; |
711F8882 . 50 PUSH EAX ; |pBaseAddress
711F8883 . 57 PUSH EDI ; |hProcess
711F8884 . E8 0FEFF2>CALL V2200704.71127798 ; \ReadProcessMemory
711F8889 . 837D EC 1>CMP DWORD PTR SS:[EBP-14],18
711F888D .^ 72 DE JB SHORT V2200704.711F886D
711F888F > 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F8892 . E8 89C7F2>CALL <V2200704.StrCpyN>
711F8897 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
711F889A . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
711F889D . 8B00 MOV EAX,DWORD PTR DS:[EAX]
711F889F . 8985 F8FE>MOV DWORD PTR SS:[EBP-108],EAX
711F88A5 . 8B1D 18F7>MOV EBX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F88AB . 8B43 3C MOV EAX,DWORD PTR DS:[EBX+3C]
711F88AE . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F88B4 . 0FB740 06 MOVZX EAX,WORD PTR DS:[EAX+6]
711F88B8 . 8BD0 MOV EDX,EAX
711F88BA . 0355 E4 ADD EDX,DWORD PTR SS:[EBP-1C]
711F88BD . 42 INC EDX
711F88BE . 8955 E4 MOV DWORD PTR SS:[EBP-1C],EDX
711F88C1 . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
711F88C4 . 8B12 MOV EDX,DWORD PTR DS:[EDX]
711F88C6 . 8995 FCFE>MOV DWORD PTR SS:[EBP-104],EDX
711F88CC . 8BD0 MOV EDX,EAX
711F88CE . 0355 E4 ADD EDX,DWORD PTR SS:[EBP-1C]
711F88D1 . 42 INC EDX
711F88D2 . 8955 E4 MOV DWORD PTR SS:[EBP-1C],EDX
711F88D5 . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
711F88D8 . 8A12 MOV DL,BYTE PTR DS:[EDX]
711F88DA . 8855 CB MOV BYTE PTR SS:[EBP-35],DL
711F88DD . 0345 E4 ADD EAX,DWORD PTR SS:[EBP-1C]
711F88E0 . 40 INC EAX
711F88E1 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
711F88E4 . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
711F88E7 . E8 2CC2F2>CALL <V2200704.ZeroLocal>
711F88EC . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
711F88EF . 8338 00 CMP DWORD PTR DS:[EAX],0
711F88F2 . 0F86 C800>JBE V2200704.711F89C0
711F88F8 . 8B43 3C MOV EAX,DWORD PTR DS:[EBX+3C]
711F88FB . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8901 . 66:8B50 2>MOV DX,WORD PTR DS:[EAX+28]
711F8905 . 66:81F2 6>XOR DX,4260
711F890A . 66:81F2 4>XOR DX,9C40
711F890F . 0FB7D2 MOVZX EDX,DX
711F8912 . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
711F8915 . E8 3AC8F2>CALL <V2200704.AllocBuffer>
711F891A . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
711F891D . E8 FEC6F2>CALL <V2200704.StrCpyN>
711F8922 . 8B15 18F7>MOV EDX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8928 . 8B52 3C MOV EDX,DWORD PTR DS:[EDX+3C]
711F892B . 0315 18F7>ADD EDX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8931 . 66:8B52 2>MOV DX,WORD PTR DS:[EDX+28]
711F8935 . 66:81F2 6>XOR DX,4260
711F893A . 66:81F2 4>XOR DX,9C40
711F893F . 0FB7D2 MOVZX EDX,DX
711F8942 . E8 71F9F2>CALL V2200704.711282B8
711F8947 . A1 18F721>MOV EAX,DWORD PTR DS:[7121F718]
711F894C . 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711F894F . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8955 . 8A40 28 MOV AL,BYTE PTR DS:[EAX+28]
711F8958 . 34 60 XOR AL,60
711F895A . 34 BF XOR AL,0BF
711F895C . 8BF0 MOV ESI,EAX
711F895E . 81E6 FF00>AND ESI,0FF
711F8964 . 85F6 TEST ESI,ESI
711F8966 . 76 46 JBE SHORT V2200704.711F89AE
711F8968 . BB 010000>MOV EBX,1
711F896D > 33C0 XOR EAX,EAX
711F896F . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
711F8972 . 837D EC 0>CMP DWORD PTR SS:[EBP-14],1
711F8976 . 73 28 JNB SHORT V2200704.711F89A0
711F8978 > 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711F897B . 50 PUSH EAX
711F897C . 6A 01 PUSH 1
711F897E . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
711F8981 . E8 9AC6F2>CALL <V2200704.StrCpyN>
711F8986 . 8D4418 FF LEA EAX,DWORD PTR DS:[EAX+EBX-1] ; |
711F898A . 50 PUSH EAX ; |Buffer
711F898B . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] ; |
711F898E . 8B00 MOV EAX,DWORD PTR DS:[EAX] ; |
711F8990 . 03C3 ADD EAX,EBX ; |
711F8992 . 48 DEC EAX ; |
711F8993 . 50 PUSH EAX ; |pBaseAddress
711F8994 . 57 PUSH EDI ; |hProcess
711F8995 . E8 FEEDF2>CALL V2200704.71127798 ; \ReadProcessMemory
711F899A . 837D EC 0>CMP DWORD PTR SS:[EBP-14],1
711F899E .^ 72 D8 JB SHORT V2200704.711F8978
711F89A0 > 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
711F89A3 . 807C18 FF>CMP BYTE PTR DS:[EAX+EBX-1],0
711F89A8 . 74 04 JE SHORT V2200704.711F89AE
711F89AA . 43 INC EBX
711F89AB . 4E DEC ESI
711F89AC .^ 75 BF JNZ SHORT V2200704.711F896D
711F89AE > 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
711F89B1 . E8 12C6F2>CALL <V2200704.StrCpyN>
711F89B6 . 8BD0 MOV EDX,EAX
711F89B8 . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
711F89BB . E8 48C3F2>CALL <V2200704.StrCpy>
711F89C0 > 8B1D 18F7>MOV EBX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F89C6 . 8B43 3C MOV EAX,DWORD PTR DS:[EBX+3C]
711F89C9 . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F89CF . 0FB740 06 MOVZX EAX,WORD PTR DS:[EAX+6]
711F89D3 . 0345 E4 ADD EAX,DWORD PTR SS:[EBP-1C]
711F89D6 . 40 INC EAX
711F89D7 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
711F89DA . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711F89DD . E8 36C1F2>CALL <V2200704.ZeroLocal>
711F89E2 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
711F89E5 . 8338 00 CMP DWORD PTR DS:[EAX],0
711F89E8 . 0F86 C800>JBE V2200704.711F8AB6
711F89EE . 8B43 3C MOV EAX,DWORD PTR DS:[EBX+3C]
711F89F1 . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F89F7 . 66:8B50 2>MOV DX,WORD PTR DS:[EAX+28]
711F89FB . 66:81F2 6>XOR DX,4260
711F8A00 . 66:81F2 4>XOR DX,9C40
711F8A05 . 0FB7D2 MOVZX EDX,DX
711F8A08 . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711F8A0B . E8 44C7F2>CALL <V2200704.AllocBuffer>
711F8A10 . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711F8A13 . E8 08C6F2>CALL <V2200704.StrCpyN>
711F8A18 . 8B15 18F7>MOV EDX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8A1E . 8B52 3C MOV EDX,DWORD PTR DS:[EDX+3C]
711F8A21 . 0315 18F7>ADD EDX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8A27 . 66:8B52 2>MOV DX,WORD PTR DS:[EDX+28]
711F8A2B . 66:81F2 6>XOR DX,4260
711F8A30 . 66:81F2 4>XOR DX,9C40
711F8A35 . 0FB7D2 MOVZX EDX,DX
711F8A38 . E8 7BF8F2>CALL V2200704.711282B8
711F8A3D . A1 18F721>MOV EAX,DWORD PTR DS:[7121F718]
711F8A42 . 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711F8A45 . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8A4B . 8A40 28 MOV AL,BYTE PTR DS:[EAX+28]
711F8A4E . 34 60 XOR AL,60
711F8A50 . 34 BF XOR AL,0BF
711F8A52 . 8BF0 MOV ESI,EAX
711F8A54 . 81E6 FF00>AND ESI,0FF
711F8A5A . 85F6 TEST ESI,ESI
711F8A5C . 76 46 JBE SHORT V2200704.711F8AA4
711F8A5E . BB 010000>MOV EBX,1
711F8A63 > 33C0 XOR EAX,EAX
711F8A65 . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
711F8A68 . 837D EC 0>CMP DWORD PTR SS:[EBP-14],1
711F8A6C . 73 28 JNB SHORT V2200704.711F8A96
711F8A6E > 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711F8A71 . 50 PUSH EAX
711F8A72 . 6A 01 PUSH 1
711F8A74 . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711F8A77 . E8 A4C5F2>CALL <V2200704.StrCpyN>
711F8A7C . 8D4418 FF LEA EAX,DWORD PTR DS:[EAX+EBX-1] ; |
711F8A80 . 50 PUSH EAX ; |Buffer
711F8A81 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] ; |
711F8A84 . 8B00 MOV EAX,DWORD PTR DS:[EAX] ; |
711F8A86 . 03C3 ADD EAX,EBX ; |
711F8A88 . 48 DEC EAX ; |
711F8A89 . 50 PUSH EAX ; |pBaseAddress
711F8A8A . 57 PUSH EDI ; |hProcess
711F8A8B . E8 08EDF2>CALL V2200704.71127798 ; \ReadProcessMemory
711F8A90 . 837D EC 0>CMP DWORD PTR SS:[EBP-14],1
711F8A94 .^ 72 D8 JB SHORT V2200704.711F8A6E
711F8A96 > 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
711F8A99 . 807C18 FF>CMP BYTE PTR DS:[EAX+EBX-1],0
711F8A9E . 74 04 JE SHORT V2200704.711F8AA4
711F8AA0 . 43 INC EBX
711F8AA1 . 4E DEC ESI
711F8AA2 .^ 75 BF JNZ SHORT V2200704.711F8A63
711F8AA4 > 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
711F8AA7 . E8 1CC5F2>CALL <V2200704.StrCpyN>
711F8AAC . 8BD0 MOV EDX,EAX
711F8AAE . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711F8AB1 . E8 52C2F2>CALL <V2200704.StrCpy>
711F8AB6 > A1 18F721>MOV EAX,DWORD PTR DS:[7121F718]
711F8ABB . 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711F8ABE . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8AC4 . 0FB750 06 MOVZX EDX,WORD PTR DS:[EAX+6]
711F8AC8 . 0355 E4 ADD EDX,DWORD PTR SS:[EBP-1C]
711F8ACB . 42 INC EDX
711F8ACC . 8955 E4 MOV DWORD PTR SS:[EBP-1C],EDX
711F8ACF . 8A40 28 MOV AL,BYTE PTR DS:[EAX+28]
711F8AD2 . 34 60 XOR AL,60
711F8AD4 . 34 BF XOR AL,0BF
711F8AD6 . 25 FF0000>AND EAX,0FF
711F8ADB . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
711F8ADE . 2302 AND EAX,DWORD PTR DS:[EDX]
711F8AE0 . 0F9745 D7 SETA BYTE PTR SS:[EBP-29] ; Non-standard form of command
711F8AE4 . 83BD F4FE>CMP DWORD PTR SS:[EBP-10C],0
711F8AEB . 0F86 F601>JBE V2200704.711F8CE7
711F8AF1 . 83BD ECFE>CMP DWORD PTR SS:[EBP-114],0
711F8AF8 . 0F86 E901>JBE V2200704.711F8CE7
711F8AFE . 8B85 ECFE>MOV EAX,DWORD PTR SS:[EBP-114]
711F8B04 . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
711F8B07 . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
711F8B0A . 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
711F8B0D . E8 42C6F2>CALL <V2200704.AllocBuffer>
711F8B12 . 33C0 XOR EAX,EAX
711F8B14 . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
711F8B17 . EB 21 JMP SHORT V2200704.711F8B3A
711F8B19 > 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711F8B1C . 50 PUSH EAX
711F8B1D . 8B85 ECFE>MOV EAX,DWORD PTR SS:[EBP-114]
711F8B23 . 50 PUSH EAX
711F8B24 . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
711F8B27 . E8 F4C4F2>CALL <V2200704.StrCpyN>
711F8B2C . 50 PUSH EAX ; |Buffer
711F8B2D . 8B85 F4FE>MOV EAX,DWORD PTR SS:[EBP-10C] ; |
711F8B33 . 50 PUSH EAX ; |pBaseAddress
711F8B34 . 57 PUSH EDI ; |hProcess
711F8B35 . E8 5EECF2>CALL V2200704.71127798 ; \ReadProcessMemory
711F8B3A > 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
711F8B3D . 3B85 ECFE>CMP EAX,DWORD PTR SS:[EBP-114]
711F8B43 .^ 72 D4 JB SHORT V2200704.711F8B19
711F8B45 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
711F8B48 . E8 CBBFF2>CALL <V2200704.ZeroLocal>
711F8B4D . 83BD F0FE>CMP DWORD PTR SS:[EBP-110],0
711F8B54 . 0F86 CE00>JBE V2200704.711F8C28
711F8B5A . A1 18F721>MOV EAX,DWORD PTR DS:[7121F718]
711F8B5F . 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711F8B62 . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8B68 . 66:8B50 2>MOV DX,WORD PTR DS:[EAX+28]
711F8B6C . 66:81F2 6>XOR DX,4260
711F8B71 . 66:81F2 4>XOR DX,9C40
711F8B76 . 0FB7D2 MOVZX EDX,DX
711F8B79 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
711F8B7C . E8 D3C5F2>CALL <V2200704.AllocBuffer>
711F8B81 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
711F8B84 . E8 97C4F2>CALL <V2200704.StrCpyN>
711F8B89 . 8B15 18F7>MOV EDX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8B8F . 8B52 3C MOV EDX,DWORD PTR DS:[EDX+3C]
711F8B92 . 0315 18F7>ADD EDX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8B98 . 66:8B52 2>MOV DX,WORD PTR DS:[EDX+28]
711F8B9C . 66:81F2 6>XOR DX,4260
711F8BA1 . 66:81F2 4>XOR DX,9C40
711F8BA6 . 0FB7D2 MOVZX EDX,DX
711F8BA9 . E8 0AF7F2>CALL V2200704.711282B8
711F8BAE . A1 18F721>MOV EAX,DWORD PTR DS:[7121F718]
711F8BB3 . 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711F8BB6 . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8BBC . 8A40 28 MOV AL,BYTE PTR DS:[EAX+28]
711F8BBF . 34 60 XOR AL,60
711F8BC1 . 34 BF XOR AL,0BF
711F8BC3 . 8BF0 MOV ESI,EAX
711F8BC5 . 81E6 FF00>AND ESI,0FF
711F8BCB . 85F6 TEST ESI,ESI
711F8BCD . 76 47 JBE SHORT V2200704.711F8C16
711F8BCF . BB 010000>MOV EBX,1
711F8BD4 > 33C0 XOR EAX,EAX
711F8BD6 . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
711F8BD9 . 837D EC 0>CMP DWORD PTR SS:[EBP-14],1
711F8BDD . 73 29 JNB SHORT V2200704.711F8C08
711F8BDF > 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711F8BE2 . 50 PUSH EAX
711F8BE3 . 6A 01 PUSH 1
711F8BE5 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
711F8BE8 . E8 33C4F2>CALL <V2200704.StrCpyN>
711F8BED . 8D4418 FF LEA EAX,DWORD PTR DS:[EAX+EBX-1] ; |
711F8BF1 . 50 PUSH EAX ; |Buffer
711F8BF2 . 8B85 F0FE>MOV EAX,DWORD PTR SS:[EBP-110] ; |
711F8BF8 . 03C3 ADD EAX,EBX ; |
711F8BFA . 48 DEC EAX ; |
711F8BFB . 50 PUSH EAX ; |pBaseAddress
711F8BFC . 57 PUSH EDI ; |hProcess
711F8BFD . E8 96EBF2>CALL V2200704.71127798 ; \ReadProcessMemory
711F8C02 . 837D EC 0>CMP DWORD PTR SS:[EBP-14],1
711F8C06 .^ 72 D7 JB SHORT V2200704.711F8BDF
711F8C08 > 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
711F8C0B . 807C18 FF>CMP BYTE PTR DS:[EAX+EBX-1],0
711F8C10 . 74 04 JE SHORT V2200704.711F8C16
711F8C12 . 43 INC EBX
711F8C13 . 4E DEC ESI
711F8C14 .^ 75 BE JNZ SHORT V2200704.711F8BD4
711F8C16 > 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
711F8C19 . E8 AAC3F2>CALL <V2200704.StrCpyN>
711F8C1E . 8BD0 MOV EDX,EAX
711F8C20 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
711F8C23 . E8 E0C0F2>CALL <V2200704.StrCpy>
711F8C28 > 68 14951F>PUSH V2200704.711F9514
711F8C2D . 8B85 18FF>MOV EAX,DWORD PTR SS:[EBP-E8]
711F8C33 . 33D2 XOR EDX,EDX
711F8C35 . 52 PUSH EDX
711F8C36 . 50 PUSH EAX
711F8C37 . 8D95 18FC>LEA EDX,DWORD PTR SS:[EBP-3E8]
711F8C3D . B8 080000>MOV EAX,8
711F8C42 . E8 2D0DF3>CALL <V2200704.Printf>
711F8C47 . FFB5 18FC>PUSH DWORD PTR SS:[EBP-3E8]
711F8C4D . 68 20951F>PUSH V2200704.711F9520
711F8C52 . 8D85 1CFC>LEA EAX,DWORD PTR SS:[EBP-3E4]
711F8C58 . BA 030000>MOV EDX,3
711F8C5D . E8 2EC2F2>CALL <V2200704.StrCatN>
711F8C62 . 8B85 1CFC>MOV EAX,DWORD PTR SS:[EBP-3E4]
711F8C68 . 8B15 F818>MOV EDX,DWORD PTR DS:[712318F8]
711F8C6E . E8 99C4F2>CALL <V2200704.FindString>
711F8C73 . 85C0 TEST EAX,EAX
711F8C75 . 7E 16 JLE SHORT V2200704.711F8C8D
711F8C77 . B2 01 MOV DL,1
711F8C79 . 33C0 XOR EAX,EAX
711F8C7B . E8 FC98FF>CALL V2200704.711F257C
711F8C80 . 33D2 XOR EDX,EDX
711F8C82 . 8B85 18FF>MOV EAX,DWORD PTR SS:[EBP-E8]
711F8C88 . E8 EF98FF>CALL V2200704.711F257C
711F8C8D > 8A45 D7 MOV AL,BYTE PTR SS:[EBP-29]
711F8C90 . 50 PUSH EAX
711F8C91 . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
711F8C94 . 50 PUSH EAX
711F8C95 . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
711F8C98 . 50 PUSH EAX
711F8C99 . 8A45 CB MOV AL,BYTE PTR SS:[EBP-35]
711F8C9C . 50 PUSH EAX
711F8C9D . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
711F8CA0 . E8 7BC3F2>CALL <V2200704.StrCpyN>
711F8CA5 . 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
711F8CA8 . 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
711F8CAB . E8 ACE1FF>CALL <V2200704.CRC16>
711F8CB0 . 66:8945 C>MOV WORD PTR SS:[EBP-38],AX
711F8CB4 . 33C0 XOR EAX,EAX
711F8CB6 . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
711F8CB9 . EB 21 JMP SHORT V2200704.711F8CDC
711F8CBB > 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711F8CBE . 50 PUSH EAX
711F8CBF . 8B85 ECFE>MOV EAX,DWORD PTR SS:[EBP-114]
711F8CC5 . 50 PUSH EAX
711F8CC6 . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
711F8CC9 . E8 52C3F2>CALL <V2200704.StrCpyN>
711F8CCE . 50 PUSH EAX ; |Buffer
711F8CCF . 8B85 F4FE>MOV EAX,DWORD PTR SS:[EBP-10C] ; |
711F8CD5 . 50 PUSH EAX ; |Address
711F8CD6 . 57 PUSH EDI ; |hProcess
711F8CD7 . E8 CCEBF2>CALL V2200704.711278A8 ; \WriteProcessMemory
711F8CDC > 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
711F8CDF . 3B85 ECFE>CMP EAX,DWORD PTR SS:[EBP-114]
711F8CE5 .^ 72 D4 JB SHORT V2200704.711F8CBB
711F8CE7 > 0FB745 C8 MOVZX EAX,WORD PTR SS:[EBP-38]
711F8CEB . 8985 F4FE>MOV DWORD PTR SS:[EBP-10C],EAX
711F8CF1 . A1 18F721>MOV EAX,DWORD PTR DS:[7121F718]
711F8CF6 . 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711F8CF9 . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8CFF . 0FB740 06 MOVZX EAX,WORD PTR DS:[EAX+6]
711F8D03 . 0385 08FF>ADD EAX,DWORD PTR SS:[EBP-F8]
711F8D09 . 83C0 15 ADD EAX,15
711F8D0C . 8985 08FF>MOV DWORD PTR SS:[EBP-F8],EAX
711F8D12 . C745 F0 0>MOV DWORD PTR SS:[EBP-10],10002 ; DBG_CONTINUE
711F8D19 . E9 B60400>JMP V2200704.711F91D4
711F8D1E > 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18] ; Case 1CCCCCC of switch 711F85CF
711F8D21 . BA 180000>MOV EDX,18
711F8D26 . E8 29C4F2>CALL <V2200704.AllocBuffer>
711F8D2B . 33C0 XOR EAX,EAX
711F8D2D . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
711F8D30 . 837D EC 1>CMP DWORD PTR SS:[EBP-14],18
711F8D34 . 73 22 JNB SHORT V2200704.711F8D58
711F8D36 > 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711F8D39 . 50 PUSH EAX
711F8D3A . 6A 18 PUSH 18
711F8D3C . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F8D3F . E8 DCC2F2>CALL <V2200704.StrCpyN>
711F8D44 . 50 PUSH EAX ; |Buffer
711F8D45 . 8B85 08FF>MOV EAX,DWORD PTR SS:[EBP-F8] ; |
711F8D4B . 50 PUSH EAX ; |pBaseAddress
711F8D4C . 57 PUSH EDI ; |hProcess
711F8D4D . E8 46EAF2>CALL V2200704.71127798 ; \ReadProcessMemory
711F8D52 . 837D EC 1>CMP DWORD PTR SS:[EBP-14],18
711F8D56 .^ 72 DE JB SHORT V2200704.711F8D36
711F8D58 > 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
711F8D5B . E8 C0C2F2>CALL <V2200704.StrCpyN>
711F8D60 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
711F8D63 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
711F8D66 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
711F8D68 . 8985 F8FE>MOV DWORD PTR SS:[EBP-108],EAX
711F8D6E . 8B1D 18F7>MOV EBX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8D74 . 8B43 3C MOV EAX,DWORD PTR DS:[EBX+3C]
711F8D77 . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8D7D . 0FB740 06 MOVZX EAX,WORD PTR DS:[EAX+6]
711F8D81 . 8BD0 MOV EDX,EAX
711F8D83 . 0355 E4 ADD EDX,DWORD PTR SS:[EBP-1C]
711F8D86 . 42 INC EDX
711F8D87 . 8955 E4 MOV DWORD PTR SS:[EBP-1C],EDX
711F8D8A . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
711F8D8D . 8B12 MOV EDX,DWORD PTR DS:[EDX]
711F8D8F . 8995 FCFE>MOV DWORD PTR SS:[EBP-104],EDX
711F8D95 . 8BD0 MOV EDX,EAX
711F8D97 . 0355 E4 ADD EDX,DWORD PTR SS:[EBP-1C]
711F8D9A . 42 INC EDX
711F8D9B . 8955 E4 MOV DWORD PTR SS:[EBP-1C],EDX
711F8D9E . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
711F8DA1 . 8A12 MOV DL,BYTE PTR DS:[EDX]
711F8DA3 . 8855 CB MOV BYTE PTR SS:[EBP-35],DL
711F8DA6 . 0345 E4 ADD EAX,DWORD PTR SS:[EBP-1C]
711F8DA9 . 40 INC EAX
711F8DAA . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
711F8DAD . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
711F8DB0 . E8 63BDF2>CALL <V2200704.ZeroLocal>
711F8DB5 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
711F8DB8 . 8338 00 CMP DWORD PTR DS:[EAX],0
711F8DBB . 0F86 C800>JBE V2200704.711F8E89
711F8DC1 . 8B43 3C MOV EAX,DWORD PTR DS:[EBX+3C]
711F8DC4 . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8DCA . 66:8B50 2>MOV DX,WORD PTR DS:[EAX+28]
711F8DCE . 66:81F2 6>XOR DX,4260
711F8DD3 . 66:81F2 4>XOR DX,9C40
711F8DD8 . 0FB7D2 MOVZX EDX,DX
711F8DDB . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
711F8DDE . E8 71C3F2>CALL <V2200704.AllocBuffer>
711F8DE3 . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
711F8DE6 . E8 35C2F2>CALL <V2200704.StrCpyN>
711F8DEB . 8B15 18F7>MOV EDX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8DF1 . 8B52 3C MOV EDX,DWORD PTR DS:[EDX+3C]
711F8DF4 . 0315 18F7>ADD EDX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8DFA . 66:8B52 2>MOV DX,WORD PTR DS:[EDX+28]
711F8DFE . 66:81F2 6>XOR DX,4260
711F8E03 . 66:81F2 4>XOR DX,9C40
711F8E08 . 0FB7D2 MOVZX EDX,DX
711F8E0B . E8 A8F4F2>CALL V2200704.711282B8
711F8E10 . A1 18F721>MOV EAX,DWORD PTR DS:[7121F718]
711F8E15 . 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711F8E18 . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8E1E . 8A40 28 MOV AL,BYTE PTR DS:[EAX+28]
711F8E21 . 34 60 XOR AL,60
711F8E23 . 34 BF XOR AL,0BF
711F8E25 . 8BF0 MOV ESI,EAX
711F8E27 . 81E6 FF00>AND ESI,0FF
711F8E2D . 85F6 TEST ESI,ESI
711F8E2F . 76 46 JBE SHORT V2200704.711F8E77
711F8E31 . BB 010000>MOV EBX,1
711F8E36 > 33C0 XOR EAX,EAX
711F8E38 . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
711F8E3B . 837D EC 0>CMP DWORD PTR SS:[EBP-14],1
711F8E3F . 73 28 JNB SHORT V2200704.711F8E69
711F8E41 > 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711F8E44 . 50 PUSH EAX
711F8E45 . 6A 01 PUSH 1
711F8E47 . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
711F8E4A . E8 D1C1F2>CALL <V2200704.StrCpyN>
711F8E4F . 8D4418 FF LEA EAX,DWORD PTR DS:[EAX+EBX-1] ; |
711F8E53 . 50 PUSH EAX ; |Buffer
711F8E54 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] ; |
711F8E57 . 8B00 MOV EAX,DWORD PTR DS:[EAX] ; |
711F8E59 . 03C3 ADD EAX,EBX ; |
711F8E5B . 48 DEC EAX ; |
711F8E5C . 50 PUSH EAX ; |pBaseAddress
711F8E5D . 57 PUSH EDI ; |hProcess
711F8E5E . E8 35E9F2>CALL V2200704.71127798 ; \ReadProcessMemory
711F8E63 . 837D EC 0>CMP DWORD PTR SS:[EBP-14],1
711F8E67 .^ 72 D8 JB SHORT V2200704.711F8E41
711F8E69 > 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
711F8E6C . 807C18 FF>CMP BYTE PTR DS:[EAX+EBX-1],0
711F8E71 . 74 04 JE SHORT V2200704.711F8E77
711F8E73 . 43 INC EBX
711F8E74 . 4E DEC ESI
711F8E75 .^ 75 BF JNZ SHORT V2200704.711F8E36
711F8E77 > 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
711F8E7A . E8 49C1F2>CALL <V2200704.StrCpyN>
711F8E7F . 8BD0 MOV EDX,EAX
711F8E81 . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
711F8E84 . E8 7FBEF2>CALL <V2200704.StrCpy>
711F8E89 > 8B1D 18F7>MOV EBX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8E8F . 8B43 3C MOV EAX,DWORD PTR DS:[EBX+3C]
711F8E92 . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8E98 . 0FB740 06 MOVZX EAX,WORD PTR DS:[EAX+6]
711F8E9C . 0345 E4 ADD EAX,DWORD PTR SS:[EBP-1C]
711F8E9F . 40 INC EAX
711F8EA0 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
711F8EA3 . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711F8EA6 . E8 6DBCF2>CALL <V2200704.ZeroLocal>
711F8EAB . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
711F8EAE . 8338 00 CMP DWORD PTR DS:[EAX],0
711F8EB1 . 0F86 C800>JBE V2200704.711F8F7F
711F8EB7 . 8B43 3C MOV EAX,DWORD PTR DS:[EBX+3C]
711F8EBA . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8EC0 . 66:8B50 2>MOV DX,WORD PTR DS:[EAX+28]
711F8EC4 . 66:81F2 6>XOR DX,4260
711F8EC9 . 66:81F2 4>XOR DX,9C40
711F8ECE . 0FB7D2 MOVZX EDX,DX
711F8ED1 . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711F8ED4 . E8 7BC2F2>CALL <V2200704.AllocBuffer>
711F8ED9 . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711F8EDC . E8 3FC1F2>CALL <V2200704.StrCpyN>
711F8EE1 . 8B15 18F7>MOV EDX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8EE7 . 8B52 3C MOV EDX,DWORD PTR DS:[EDX+3C]
711F8EEA . 0315 18F7>ADD EDX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8EF0 . 66:8B52 2>MOV DX,WORD PTR DS:[EDX+28]
711F8EF4 . 66:81F2 6>XOR DX,4260
711F8EF9 . 66:81F2 4>XOR DX,9C40
711F8EFE . 0FB7D2 MOVZX EDX,DX
711F8F01 . E8 B2F3F2>CALL V2200704.711282B8
711F8F06 . A1 18F721>MOV EAX,DWORD PTR DS:[7121F718]
711F8F0B . 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711F8F0E . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8F14 . 8A40 28 MOV AL,BYTE PTR DS:[EAX+28]
711F8F17 . 34 60 XOR AL,60
711F8F19 . 34 BF XOR AL,0BF
711F8F1B . 8BF0 MOV ESI,EAX
711F8F1D . 81E6 FF00>AND ESI,0FF
711F8F23 . 85F6 TEST ESI,ESI
711F8F25 . 76 46 JBE SHORT V2200704.711F8F6D
711F8F27 . BB 010000>MOV EBX,1
711F8F2C > 33C0 XOR EAX,EAX
711F8F2E . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
711F8F31 . 837D EC 0>CMP DWORD PTR SS:[EBP-14],1
711F8F35 . 73 28 JNB SHORT V2200704.711F8F5F
711F8F37 > 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711F8F3A . 50 PUSH EAX
711F8F3B . 6A 01 PUSH 1
711F8F3D . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711F8F40 . E8 DBC0F2>CALL <V2200704.StrCpyN>
711F8F45 . 8D4418 FF LEA EAX,DWORD PTR DS:[EAX+EBX-1] ; |
711F8F49 . 50 PUSH EAX ; |Buffer
711F8F4A . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] ; |
711F8F4D . 8B00 MOV EAX,DWORD PTR DS:[EAX] ; |
711F8F4F . 03C3 ADD EAX,EBX ; |
711F8F51 . 48 DEC EAX ; |
711F8F52 . 50 PUSH EAX ; |pBaseAddress
711F8F53 . 57 PUSH EDI ; |hProcess
711F8F54 . E8 3FE8F2>CALL V2200704.71127798 ; \ReadProcessMemory
711F8F59 . 837D EC 0>CMP DWORD PTR SS:[EBP-14],1
711F8F5D .^ 72 D8 JB SHORT V2200704.711F8F37
711F8F5F > 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
711F8F62 . 807C18 FF>CMP BYTE PTR DS:[EAX+EBX-1],0
711F8F67 . 74 04 JE SHORT V2200704.711F8F6D
711F8F69 . 43 INC EBX
711F8F6A . 4E DEC ESI
711F8F6B .^ 75 BF JNZ SHORT V2200704.711F8F2C
711F8F6D > 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
711F8F70 . E8 53C0F2>CALL <V2200704.StrCpyN>
711F8F75 . 8BD0 MOV EDX,EAX
711F8F77 . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711F8F7A . E8 89BDF2>CALL <V2200704.StrCpy>
711F8F7F > A1 18F721>MOV EAX,DWORD PTR DS:[7121F718]
711F8F84 . 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711F8F87 . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F8F8D . 0FB750 06 MOVZX EDX,WORD PTR DS:[EAX+6]
711F8F91 . 0355 E4 ADD EDX,DWORD PTR SS:[EBP-1C]
711F8F94 . 42 INC EDX
711F8F95 . 8955 E4 MOV DWORD PTR SS:[EBP-1C],EDX
711F8F98 . 8A40 28 MOV AL,BYTE PTR DS:[EAX+28]
711F8F9B . 34 60 XOR AL,60
711F8F9D . 34 BF XOR AL,0BF
711F8F9F . 25 FF0000>AND EAX,0FF
711F8FA4 . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
711F8FA7 . 2302 AND EAX,DWORD PTR DS:[EDX]
711F8FA9 . 0F9745 D7 SETA BYTE PTR SS:[EBP-29] ; Non-standard form of command
711F8FAD . 83BD F4FE>CMP DWORD PTR SS:[EBP-10C],0
711F8FB4 . 0F86 F201>JBE V2200704.711F91AC
711F8FBA . 83BD ECFE>CMP DWORD PTR SS:[EBP-114],0
711F8FC1 . 0F86 E501>JBE V2200704.711F91AC
711F8FC7 . 8B85 ECFE>MOV EAX,DWORD PTR SS:[EBP-114]
711F8FCD . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
711F8FD0 . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
711F8FD3 . 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
711F8FD6 . E8 79C1F2>CALL <V2200704.AllocBuffer>
711F8FDB . 33C0 XOR EAX,EAX
711F8FDD . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
711F8FE0 . EB 21 JMP SHORT V2200704.711F9003
711F8FE2 > 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711F8FE5 . 50 PUSH EAX
711F8FE6 . 8B85 ECFE>MOV EAX,DWORD PTR SS:[EBP-114]
711F8FEC . 50 PUSH EAX
711F8FED . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
711F8FF0 . E8 2BC0F2>CALL <V2200704.StrCpyN>
711F8FF5 . 50 PUSH EAX ; |Buffer
711F8FF6 . 8B85 F4FE>MOV EAX,DWORD PTR SS:[EBP-10C] ; |
711F8FFC . 50 PUSH EAX ; |pBaseAddress
711F8FFD . 57 PUSH EDI ; |hProcess
711F8FFE . E8 95E7F2>CALL V2200704.71127798 ; \ReadProcessMemory
711F9003 > 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
711F9006 . 3B85 ECFE>CMP EAX,DWORD PTR SS:[EBP-114]
711F900C .^ 72 D4 JB SHORT V2200704.711F8FE2
711F900E . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
711F9011 . E8 02BBF2>CALL <V2200704.ZeroLocal>
711F9016 . 83BD F0FE>CMP DWORD PTR SS:[EBP-110],0
711F901D . 0F86 CE00>JBE V2200704.711F90F1
711F9023 . A1 18F721>MOV EAX,DWORD PTR DS:[7121F718]
711F9028 . 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711F902B . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F9031 . 66:8B50 2>MOV DX,WORD PTR DS:[EAX+28]
711F9035 . 66:81F2 6>XOR DX,4260
711F903A . 66:81F2 4>XOR DX,9C40
711F903F . 0FB7D2 MOVZX EDX,DX
711F9042 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
711F9045 . E8 0AC1F2>CALL <V2200704.AllocBuffer>
711F904A . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
711F904D . E8 CEBFF2>CALL <V2200704.StrCpyN>
711F9052 . 8B15 18F7>MOV EDX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F9058 . 8B52 3C MOV EDX,DWORD PTR DS:[EDX+3C]
711F905B . 0315 18F7>ADD EDX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F9061 . 66:8B52 2>MOV DX,WORD PTR DS:[EDX+28]
711F9065 . 66:81F2 6>XOR DX,4260
711F906A . 66:81F2 4>XOR DX,9C40
711F906F . 0FB7D2 MOVZX EDX,DX
711F9072 . E8 41F2F2>CALL V2200704.711282B8
711F9077 . A1 18F721>MOV EAX,DWORD PTR DS:[7121F718]
711F907C . 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711F907F . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F9085 . 8A40 28 MOV AL,BYTE PTR DS:[EAX+28]
711F9088 . 34 60 XOR AL,60
711F908A . 34 BF XOR AL,0BF
711F908C . 8BF0 MOV ESI,EAX
711F908E . 81E6 FF00>AND ESI,0FF
711F9094 . 85F6 TEST ESI,ESI
711F9096 . 76 47 JBE SHORT V2200704.711F90DF
711F9098 . BB 010000>MOV EBX,1
711F909D > 33C0 XOR EAX,EAX
711F909F . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
711F90A2 . 837D EC 0>CMP DWORD PTR SS:[EBP-14],1
711F90A6 . 73 29 JNB SHORT V2200704.711F90D1
711F90A8 > 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711F90AB . 50 PUSH EAX
711F90AC . 6A 01 PUSH 1
711F90AE . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
711F90B1 . E8 6ABFF2>CALL <V2200704.StrCpyN>
711F90B6 . 8D4418 FF LEA EAX,DWORD PTR DS:[EAX+EBX-1] ; |
711F90BA . 50 PUSH EAX ; |Buffer
711F90BB . 8B85 F0FE>MOV EAX,DWORD PTR SS:[EBP-110] ; |
711F90C1 . 03C3 ADD EAX,EBX ; |
711F90C3 . 48 DEC EAX ; |
711F90C4 . 50 PUSH EAX ; |pBaseAddress
711F90C5 . 57 PUSH EDI ; |hProcess
711F90C6 . E8 CDE6F2>CALL V2200704.71127798 ; \ReadProcessMemory
711F90CB . 837D EC 0>CMP DWORD PTR SS:[EBP-14],1
711F90CF .^ 72 D7 JB SHORT V2200704.711F90A8
711F90D1 > 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
711F90D4 . 807C18 FF>CMP BYTE PTR DS:[EAX+EBX-1],0
711F90D9 . 74 04 JE SHORT V2200704.711F90DF
711F90DB . 43 INC EBX
711F90DC . 4E DEC ESI
711F90DD .^ 75 BE JNZ SHORT V2200704.711F909D
711F90DF > 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
711F90E2 . E8 E1BEF2>CALL <V2200704.StrCpyN>
711F90E7 . 8BD0 MOV EDX,EAX
711F90E9 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
711F90EC . E8 17BCF2>CALL <V2200704.StrCpy>
711F90F1 > 68 14951F>PUSH V2200704.711F9514
711F90F6 . 8B85 18FF>MOV EAX,DWORD PTR SS:[EBP-E8]
711F90FC . 33D2 XOR EDX,EDX
711F90FE . 52 PUSH EDX
711F90FF . 50 PUSH EAX
711F9100 . 8D95 10FC>LEA EDX,DWORD PTR SS:[EBP-3F0]
711F9106 . B8 080000>MOV EAX,8
711F910B . E8 6408F3>CALL <V2200704.Printf>
711F9110 . FFB5 10FC>PUSH DWORD PTR SS:[EBP-3F0]
711F9116 . 68 20951F>PUSH V2200704.711F9520
711F911B . 8D85 14FC>LEA EAX,DWORD PTR SS:[EBP-3EC]
711F9121 . BA 030000>MOV EDX,3
711F9126 . E8 65BDF2>CALL <V2200704.StrCatN>
711F912B . 8B85 14FC>MOV EAX,DWORD PTR SS:[EBP-3EC]
711F9131 . 8B15 F818>MOV EDX,DWORD PTR DS:[712318F8]
711F9137 . E8 D0BFF2>CALL <V2200704.FindString>
711F913C . 85C0 TEST EAX,EAX
711F913E . 7E 16 JLE SHORT V2200704.711F9156
711F9140 . B2 01 MOV DL,1
711F9142 . 33C0 XOR EAX,EAX
711F9144 . E8 3394FF>CALL V2200704.711F257C
711F9149 . 33D2 XOR EDX,EDX
711F914B . 8B85 18FF>MOV EAX,DWORD PTR SS:[EBP-E8]
711F9151 . E8 2694FF>CALL V2200704.711F257C
711F9156 > 8A45 D7 MOV AL,BYTE PTR SS:[EBP-29]
711F9159 . 50 PUSH EAX
711F915A . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
711F915D . 50 PUSH EAX
711F915E . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
711F9161 . 50 PUSH EAX
711F9162 . 8A45 CB MOV AL,BYTE PTR SS:[EBP-35]
711F9165 . 50 PUSH EAX
711F9166 . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
711F9169 . E8 B2BEF2>CALL <V2200704.StrCpyN>
711F916E . 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
711F9171 . 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
711F9174 . E8 1BDFFF>CALL V2200704.711F7094
711F9179 . 33C0 XOR EAX,EAX
711F917B . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
711F917E . EB 21 JMP SHORT V2200704.711F91A1
711F9180 > 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711F9183 . 50 PUSH EAX
711F9184 . 8B85 ECFE>MOV EAX,DWORD PTR SS:[EBP-114]
711F918A . 50 PUSH EAX
711F918B . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
711F918E . E8 8DBEF2>CALL <V2200704.StrCpyN>
711F9193 . 50 PUSH EAX ; |Buffer
711F9194 . 8B85 F4FE>MOV EAX,DWORD PTR SS:[EBP-10C] ; |
711F919A . 50 PUSH EAX ; |Address
711F919B . 57 PUSH EDI ; |hProcess
711F919C . E8 07E7F2>CALL V2200704.711278A8 ; \WriteProcessMemory
711F91A1 > 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
711F91A4 . 3B85 ECFE>CMP EAX,DWORD PTR SS:[EBP-114]
711F91AA .^ 72 D4 JB SHORT V2200704.711F9180
711F91AC > A1 18F721>MOV EAX,DWORD PTR DS:[7121F718]
711F91B1 . 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711F91B4 . 0305 18F7>ADD EAX,DWORD PTR DS:[7121F718] ; V2200704.71120000
711F91BA . 0FB740 06 MOVZX EAX,WORD PTR DS:[EAX+6]
711F91BE . 0385 08FF>ADD EAX,DWORD PTR SS:[EBP-F8]
711F91C4 . 83C0 15 ADD EAX,15
711F91C7 . 8985 08FF>MOV DWORD PTR SS:[EBP-F8],EAX
711F91CD . C745 F0 0>MOV DWORD PTR SS:[EBP-10],10002 ; DBG_CONTINUE
711F91D4 > 57 PUSH EDI ; /hObject; Default case of switch 711F85CF
711F91D5 . E8 46E1F2>CALL V2200704.71127320 ; \CloseHandle
711F91DA > 8B85 04FF>MOV EAX,DWORD PTR SS:[EBP-FC]
711F91E0 . 25 000100>AND EAX,100
711F91E5 . 3D 000100>CMP EAX,100
711F91EA . 74 25 JE SHORT V2200704.711F9211
711F91EC . 813D 18F7>CMP DWORD PTR DS:[7121F718],V2200704>; ASCII "MZP"
711F91F6 . 75 2B JNZ SHORT V2200704.711F9223
711F91F8 . A1 881822>MOV EAX,DWORD PTR DS:[71221888]
711F91FD . 0305 8C18>ADD EAX,DWORD PTR DS:[7122188C]
711F9203 . 0305 9018>ADD EAX,DWORD PTR DS:[71221890]
711F9209 . 3B05 8418>CMP EAX,DWORD PTR DS:[71221884]
711F920F . 74 12 JE SHORT V2200704.711F9223
711F9211 > B8 FFFFFF>MOV EAX,7FFFFFFF
711F9216 . E8 559FF2>CALL V2200704.71123170
711F921B . 8985 FCFE>MOV DWORD PTR SS:[EBP-104],EAX
711F9221 . EB 2A JMP SHORT V2200704.711F924D
711F9223 > 33C0 XOR EAX,EAX
711F9225 . 8985 48FE>MOV DWORD PTR SS:[EBP-1B8],EAX
711F922B . 33C0 XOR EAX,EAX
711F922D . 8985 4CFE>MOV DWORD PTR SS:[EBP-1B4],EAX
711F9233 . 33C0 XOR EAX,EAX
711F9235 . 8985 50FE>MOV DWORD PTR SS:[EBP-1B0],EAX
711F923B . 33C0 XOR EAX,EAX
711F923D . 8985 54FE>MOV DWORD PTR SS:[EBP-1AC],EAX
711F9243 . C785 5CFE>MOV DWORD PTR SS:[EBP-1A4],155
711F924D > 8D85 44FE>LEA EAX,DWORD PTR SS:[EBP-1BC]
711F9253 . 50 PUSH EAX
711F9254 . 8B85 18FF>MOV EAX,DWORD PTR SS:[EBP-E8]
711F925A . 33D2 XOR EDX,EDX
711F925C . 52 PUSH EDX
711F925D . 50 PUSH EAX
711F925E . 8D85 08FC>LEA EAX,DWORD PTR SS:[EBP-3F8]
711F9264 . E8 9B06F3>CALL <V2200704.IToA>
711F9269 . 8B95 08FC>MOV EDX,DWORD PTR SS:[EBP-3F8]
711F926F . 8D8D 0CFC>LEA ECX,DWORD PTR SS:[EBP-3F4]
711F9275 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
711F9278 . E8 8356F4>CALL V2200704.7113E900
711F927D . 8B85 0CFC>MOV EAX,DWORD PTR SS:[EBP-3F4]
711F9283 . E8 2C07F3>CALL V2200704.711299B4
711F9288 . 50 PUSH EAX ; |hThread
711F9289 . E8 6AE5F2>CALL V2200704.711277F8 ; \SetThreadContext
711F928E > 8B85 18FF>MOV EAX,DWORD PTR SS:[EBP-E8]
711F9294 . 33D2 XOR EDX,EDX
711F9296 . 52 PUSH EDX
711F9297 . 50 PUSH EAX
711F9298 . 8D85 04FC>LEA EAX,DWORD PTR SS:[EBP-3FC]
711F929E . E8 6106F3>CALL <V2200704.IToA>
711F92A3 . 8D85 04FC>LEA EAX,DWORD PTR SS:[EBP-3FC]
711F92A9 . 50 PUSH EAX
711F92AA . 8D8D 00FC>LEA ECX,DWORD PTR SS:[EBP-400]
711F92B0 . BA 010000>MOV EDX,1
711F92B5 . B8 260000>MOV EAX,26
711F92BA . E8 D5B2FF>CALL V2200704.711F4594
711F92BF . 8B95 00FC>MOV EDX,DWORD PTR SS:[EBP-400]
711F92C5 . 58 POP EAX
711F92C6 . E8 0DBBF2>CALL <V2200704.StrCat>
711F92CB . 8B95 04FC>MOV EDX,DWORD PTR SS:[EBP-3FC]
711F92D1 . 33C9 XOR ECX,ECX
711F92D3 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
711F92D6 . E8 FD5CF4>CALL V2200704.7113EFD8
711F92DB . EB 76 JMP SHORT V2200704.711F9353
711F92DD . 8B85 14FF>MOV EAX,DWORD PTR SS:[EBP-EC] ; Case 8 of switch 711F8158
711F92E3 . 3B85 78FF>CMP EAX,DWORD PTR SS:[EBP-88]
711F92E9 . 75 68 JNZ SHORT V2200704.711F9353
711F92EB . 8B85 18FF>MOV EAX,DWORD PTR SS:[EBP-E8]
711F92F1 . 33D2 XOR EDX,EDX
711F92F3 . 52 PUSH EDX
711F92F4 . 50 PUSH EAX
711F92F5 . 8D85 FCFB>LEA EAX,DWORD PTR SS:[EBP-404]
711F92FB . E8 0406F3>CALL <V2200704.IToA>
711F9300 . 8D85 FCFB>LEA EAX,DWORD PTR SS:[EBP-404]
711F9306 . 50 PUSH EAX
711F9307 . 8D8D F8FB>LEA ECX,DWORD PTR SS:[EBP-408]
711F930D . BA 010000>MOV EDX,1
711F9312 . B8 260000>MOV EAX,26
711F9317 . E8 78B2FF>CALL V2200704.711F4594
711F931C . 8B95 F8FB>MOV EDX,DWORD PTR SS:[EBP-408]
711F9322 . 58 POP EAX
711F9323 . E8 B0BAF2>CALL <V2200704.StrCat>
711F9328 . 8B85 FCFB>MOV EAX,DWORD PTR SS:[EBP-404]
711F932E . 50 PUSH EAX
711F932F . 8B85 1CFF>MOV EAX,DWORD PTR SS:[EBP-E4]
711F9335 . 33D2 XOR EDX,EDX
711F9337 . 52 PUSH EDX
711F9338 . 50 PUSH EAX
711F9339 . 8D85 F4FB>LEA EAX,DWORD PTR SS:[EBP-40C]
711F933F . E8 C005F3>CALL <V2200704.IToA>
711F9344 . 8B8D F4FB>MOV ECX,DWORD PTR SS:[EBP-40C]
711F934A . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
711F934D . 5A POP EDX
711F934E . E8 855CF4>CALL V2200704.7113EFD8
711F9353 > 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; Default case of switch 711F8158
711F9356 . 50 PUSH EAX ; /ContinueStatus
711F9357 . 8B85 18FF>MOV EAX,DWORD PTR SS:[EBP-E8] ; |
711F935D . 50 PUSH EAX ; |ThreadId
711F935E . 8B85 14FF>MOV EAX,DWORD PTR SS:[EBP-EC] ; |
711F9364 . 50 PUSH EAX ; |ProcessId
711F9365 . E8 CEDFF2>CALL V2200704.71127338 ; \ContinueDebugEvent
711F936A > 6A FF PUSH -1 ; /Timeout = INFINITE
711F936C . 8D85 10FF>LEA EAX,DWORD PTR SS:[EBP-F0] ; |
711F9372 . 50 PUSH EAX ; |pDebugEvent
711F9373 . E8 08E5F2>CALL V2200704.71127880 ; \WaitForDebugEvent
711F9378 . 85C0 TEST EAX,EAX
711F937A .^ 0F85 C1ED>JNZ V2200704.711F8141
在SetThreadContext入口+5处下条件断点CONTEXT.regEsp==0012FFC4,就可以找到OEP为004D045C,然后DUMP整个进程。
2.修复IAT
HookIAT的代码如下:
<V2200704>/. /74 04 JE SHORT V2200704.711F479E
711F479A |. |75 02 JNZ SHORT V2200704.711F479E
711F479C |. |90 NOP
711F479D |. |90 NOP
711F479E |> \9C PUSHFD
711F479F |. 60 PUSHAD
711F47A0 |. 74 03 JE SHORT V2200704.711F47A5
711F47A2 |. 75 01 JNZ SHORT V2200704.711F47A5
711F47A4 |. 90 NOP
711F47A5 |> 9C PUSHFD
711F47A6 |. 58 POP EAX
711F47A7 |. A3 941822>MOV DWORD PTR DS:[71221894],EAX
711F47AC |. 74 04 JE SHORT V2200704.711F47B2
711F47AE |. 75 02 JNZ SHORT V2200704.711F47B2
711F47B0 |. 90 NOP
711F47B1 |. 90 NOP
711F47B2 |> E8 710000>CALL V2200704.711F4828
711F47B7 |. 31C0 XOR EAX,EAX
711F47B9 |. A0 B01822>MOV AL,BYTE PTR DS:[<IsDebug>]
711F47BE |. 83F8 00 CMP EAX,0
711F47C1 |. 75 5F JNZ SHORT V2200704.711F4822
711F47C3 |. 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
711F47C7 |. 89C3 MOV EBX,EAX
711F47C9 |. 83C0 02 ADD EAX,2
711F47CC |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
711F47CE |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
711F47D0 |. 31D8 XOR EAX,EBX
711F47D2 |. 83F8 00 CMP EAX,0
711F47D5 |. 75 24 JNZ SHORT V2200704.711F47FB
711F47D7 |. 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
711F47DB |. 83C0 02 ADD EAX,2
711F47DE |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
711F47E0 |. 31C9 XOR ECX,ECX
711F47E2 |. 8A48 10 MOV CL,BYTE PTR DS:[EAX+10]
711F47E5 |. 51 PUSH ECX
711F47E6 |. 8B48 0C MOV ECX,DWORD PTR DS:[EAX+C]
711F47E9 |. 8B50 08 MOV EDX,DWORD PTR DS:[EAX+8]
711F47EC |. 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
711F47EF |. E8 FCE2FF>CALL <V2200704.MyGetProcAddress> ; GetProcAddress
711F47F4 |. 31D8 XOR EAX,EBX
711F47F6 |. 8943 06 MOV DWORD PTR DS:[EBX+6],EAX
711F47F9 |. 31D8 XOR EAX,EBX
711F47FB |> 89C3 MOV EBX,EAX
711F47FD |. 894424 24 MOV DWORD PTR SS:[ESP+24],EAX
711F4801 |. 8B03 MOV EAX,DWORD PTR DS:[EBX]
711F4803 |. 3C CC CMP AL,0CC ; Is Int3
711F4805 |. 74 14 JE SHORT V2200704.711F481B
711F4807 |. 80FC CC CMP AH,0CC
711F480A |. 74 0F JE SHORT V2200704.711F481B
711F480C |. C1E8 10 SHR EAX,10
711F480F |. 3C CC CMP AL,0CC
711F4811 |. 74 08 JE SHORT V2200704.711F481B
711F4813 |. 80FC CC CMP AH,0CC
711F4816 |. 74 03 JE SHORT V2200704.711F481B
711F4818 |. EB 08 JMP SHORT V2200704.711F4822
711F481A | 90 NOP
711F481B |> C605 B018>MOV BYTE PTR DS:[<IsDebug>],1
711F4822 |> 61 POPAD
711F4823 |. 9D POPFD
711F4824 \. C3 RET ; Function Address
通过观察发现IAT从004D6168至004D6880。Hook的基址是012E0000,每一项大小为1D字节。修复方法是将返回时得到函数地址,写回IAT。
有二个函数是用来与壳通信的:OpenFileMappingA,SendMessageA。
3.修复CodeReplace
DUMP后的程序有很多被替换的代码,CodeReplace过程如下:
<V2200704>/. 9C PUSHFD
711F4BA9 |. 60 PUSHAD
711F4BAA |. E8 050000>CALL <V2200704.DeCode1>
711F4BAF |. 61 POPAD
711F4BB0 |. 9D POPFD
711F4BB1 \. C3 RET ; Stolen Code
DeCode1的过程较长,这里省略。壳替换了6个字节,每一项大小为2C字节。修复方法是把返回时得到的替换代码写回原处。
程序中被替换的代码主要有四种:
CALL Ev FF15 XXXXXXXX
JMP Ev FF25 XXXXXXXX
MOV Ev,Gv 89XX XXXXXXXX
MOV Gv,Ev 8BXX XXXXXXXX
4.修复EmbedCode
主程序在开发时嵌入了许多“EB 04 45 50 45 25”,加壳后加密随后的原程序代码,解密字节过程如下:
<V2200704>/. 9C PUSHFD
711F4935 |. 60 PUSHAD
711F4936 |. E8 050000>CALL <V2200704.DeCode2>
711F493B |. 61 POPAD
711F493C |. 9D POPFD
711F493D \. C3 RET ; Encrypt Code
DeCode2的过程较长,这里省略。在加密字节前添加了6个字节,每一项大小为20字节。修复方法是当壳解密字节后,将原程序中添加的6个字节NOP掉。
后记:感谢老王老师给偶等菜鸟提供了一个很好的学习机会,由于水平太菜,壳的SDK有很多功能还搞不清楚,有时间一定要好好学习SDK。
2007-07-22