Hi tusk,
That code just gets the directory of the main executable (GetModuleFileName, then truncating at the last backslash) and checks for the existence of Vectir.Core<n>.dll files next to it (where <n> is 2, 3 or 4); if such a file can be opened and the executable path does not contain "\bin" (the `find` result compared against 0xFFFFFFFF), it calls ExitProcess. As you already know, this check is performed by Vectir.Core1.dll. Code:
// <Module>
// Token: 0x06000021 RID: 33 RVA: 0x00003B68 File Offset: 0x00002F68
internal unsafe static void Win32Test()
{
int num = (int)stackalloc byte[<Module>.__CxxQueryExceptionSize()];
try
{
$ArrayType$$$BY0BAE@_W $ArrayType$$$BY0BAE@_W;
<Module>.GetModuleFileNameW(null, (char*)(&$ArrayType$$$BY0BAE@_W), 260);
char* ptr = <Module>.wcsrchr((char*)(&$ArrayType$$$BY0BAE@_W), '\\');
if (ptr == null)
{
*(ref $ArrayType$$$BY0BAE@_W + 4) = 0;
}
else
{
*ptr = '\0';
}
sbyte* ptr2 = <Module>.malloc(260u);
uint count;
<Module>.wcstombs_s(&count, ptr2, 260u, (char*)(&$ArrayType$$$BY0BAE@_W), 260u);
basic_string<char,std::char_traits<char>,std::allocator<char>\u0020> basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>;
<Module>.std.basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>.{ctor}(ref basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>, (sbyte*)ptr2, count);
try
{
basic_string<char,std::char_traits<char>,std::allocator<char>\u0020> basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>2;
<Module>.std.basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>.{ctor}(ref basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>2, (sbyte*)(&<Module>.??_C@_04OJGJKDCG@?2bin?$AA@));
try
{
uint num2 = <Module>.std.basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>.find(ref basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>, ref basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>2, 0u);
$ArrayType$$$BY0BAE@D $ArrayType$$$BY0BAE@D;
*(ref $ArrayType$$$BY0BAE@D + 8) = 67; // "C"
*(ref $ArrayType$$$BY0BAE@D + 10) = 114; // "r"
$ArrayType$$$BY0BAE@D = 92; // "\"
*(ref $ArrayType$$$BY0BAE@D + 2) = 101; // "e"
*(ref $ArrayType$$$BY0BAE@D + 4) = 116; // "t"
*(ref $ArrayType$$$BY0BAE@D + 5) = 105; // "i"
*(ref $ArrayType$$$BY0BAE@D + 14) = 100; // "d"
*(ref $ArrayType$$$BY0BAE@D + 12) = 51; // "3"
*(ref $ArrayType$$$BY0BAE@D + 6) = 114; // "r"
*(ref $ArrayType$$$BY0BAE@D + 9) = 111; // "o"
*(ref $ArrayType$$$BY0BAE@D + 11) = 101; // "e"
*(ref $ArrayType$$$BY0BAE@D + 13) = 46; // "."
*(ref $ArrayType$$$BY0BAE@D + 17) = 0; // ""
*(ref $ArrayType$$$BY0BAE@D + 3) = 99; // "c"
*(ref $ArrayType$$$BY0BAE@D + 15) = 108; // "l"
*(ref $ArrayType$$$BY0BAE@D + 1) = 86; // "V"
*(ref $ArrayType$$$BY0BAE@D + 7) = 46; // "."
*(ref $ArrayType$$$BY0BAE@D + 16) = 108; // "l" --> In order: "\Vectir.Core3.dll"
$ArrayType$$$BY0BAE@D $ArrayType$$$BY0BAE@D2;
<Module>.strcpy_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)ptr2);
<Module>.strcat_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)(&$ArrayType$$$BY0BAE@D));
// internal unsafe static basic_ifstream<char,std::char_traits<char>\u0020>* {ctor}(basic_ifstream<char,std::char_traits<char>\u0020>* ptr, sbyte* _Filename, int _Mode, int _Prot, int num)
basic_ifstream<char,std::char_traits<char>\u0020> basic_ifstream<char,std::char_traits<char>\u0020>;
<Module>.std.basic_ifstream<char,std::char_traits<char>\u0020>.{ctor}(ref basic_ifstream<char,std::char_traits<char>\u0020>, (sbyte*)(&$ArrayType$$$BY0BAE@D2), 1, 64, 1);
try
{
if (<Module>.std.ios_base..PAX(*(basic_ifstream<char,std::char_traits<char>\u0020> + 4) + ref basic_ifstream<char,std::char_traits<char>\u0020>) != null && num2 == 4294967295u)
{
<Module>.ExitProcess(0u);
}
*(ref $ArrayType$$$BY0BAE@D + 7) = 46; // "."
*(ref $ArrayType$$$BY0BAE@D + 12) = 50; // "2"
*(ref $ArrayType$$$BY0BAE@D + 10) = 114; // "r"
*(ref $ArrayType$$$BY0BAE@D + 2) = 101; // "e"
*(ref $ArrayType$$$BY0BAE@D + 13) = 46; // "."
*(ref $ArrayType$$$BY0BAE@D + 3) = 99; // "c"
*(ref $ArrayType$$$BY0BAE@D + 15) = 108; // "l"
*(ref $ArrayType$$$BY0BAE@D + 4) = 116; // "t"
*(ref $ArrayType$$$BY0BAE@D + 6) = 114; // "r"
$ArrayType$$$BY0BAE@D = 92; // "\"
*(ref $ArrayType$$$BY0BAE@D + 9) = 111; // "o"
*(ref $ArrayType$$$BY0BAE@D + 16) = 108; // "l"
*(ref $ArrayType$$$BY0BAE@D + 11) = 101; // "e"
*(ref $ArrayType$$$BY0BAE@D + 14) = 100; // "d"
*(ref $ArrayType$$$BY0BAE@D + 17) = 0; // ""
*(ref $ArrayType$$$BY0BAE@D + 1) = 86; // "V"
*(ref $ArrayType$$$BY0BAE@D + 8) = 67; // "C"
*(ref $ArrayType$$$BY0BAE@D + 5) = 105; // "i" --> In order: "\Vectir.Core2.dll"
<Module>.strcpy_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)ptr2);
<Module>.strcat_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)(&$ArrayType$$$BY0BAE@D));
basic_ifstream<char,std::char_traits<char>\u0020> basic_ifstream<char,std::char_traits<char>\u0020>2;
<Module>.std.basic_ifstream<char,std::char_traits<char>\u0020>.{ctor}(ref basic_ifstream<char,std::char_traits<char>\u0020>2, (sbyte*)(&$ArrayType$$$BY0BAE@D2), 1, 64, 1);
try
{
if (<Module>.std.ios_base..PAX(*(basic_ifstream<char,std::char_traits<char>\u0020>2 + 4) + ref basic_ifstream<char,std::char_traits<char>\u0020>2) != null && num2 == 4294967295u)
{
<Module>.ExitProcess(0u);
}
*(ref $ArrayType$$$BY0BAE@D + 5) = 105; // "i"
*(ref $ArrayType$$$BY0BAE@D + 14) = 100; // "d"
*(ref $ArrayType$$$BY0BAE@D + 12) = 52; // "4"
*(ref $ArrayType$$$BY0BAE@D + 9) = 111; // "o"
*(ref $ArrayType$$$BY0BAE@D + 4) = 116; // "t"
*(ref $ArrayType$$$BY0BAE@D + 11) = 101; // "e"
*(ref $ArrayType$$$BY0BAE@D + 7) = 46; // "."
$ArrayType$$$BY0BAE@D = 92; // "\"
*(ref $ArrayType$$$BY0BAE@D + 1) = 86; // "V"
*(ref $ArrayType$$$BY0BAE@D + 2) = 101; // "e"
*(ref $ArrayType$$$BY0BAE@D + 8) = 67; // "C"
*(ref $ArrayType$$$BY0BAE@D + 17) = 0; // ""
*(ref $ArrayType$$$BY0BAE@D + 10) = 114; // "r"
*(ref $ArrayType$$$BY0BAE@D + 13) = 46; // "."
*(ref $ArrayType$$$BY0BAE@D + 3) = 99; // "c"
*(ref $ArrayType$$$BY0BAE@D + 6) = 114; // "r"
*(ref $ArrayType$$$BY0BAE@D + 15) = 108; // "l"
*(ref $ArrayType$$$BY0BAE@D + 16) = 108; // "l" --> In order: "\Vectir.Core4.dll"
<Module>.strcpy_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)ptr2);
<Module>.strcat_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)(&$ArrayType$$$BY0BAE@D));
basic_ifstream<char,std::char_traits<char>\u0020> basic_ifstream<char,std::char_traits<char>\u0020>3;
<Module>.std.basic_ifstream<char,std::char_traits<char>\u0020>.{ctor}(ref basic_ifstream<char,std::char_traits<char>\u0020>3, (sbyte*)(&$ArrayType$$$BY0BAE@D2), 1, 64, 1);
try
{
if (<Module>.std.ios_base..PAX(*(basic_ifstream<char,std::char_traits<char>\u0020>3 + 4) + ref basic_ifstream<char,std::char_traits<char>\u0020>3) != null && num2 == 4294967295u)
{
<Module>.ExitProcess(0u);
}
<Module>.free((void*)ptr2);
}
catch
{
<Module>.___CxxCallUnwindDtor(ldftn(std.basic_ifstream<char,std::char_traits<char>\u0020>.__vbaseDtor), (void*)(&basic_ifstream<char,std::char_traits<char>\u0020>3));
throw;
}
:
:
}
Code:
08668A20 $ 55 PUSH EBP 08668A21 . 8BEC MOV EBP,ESP 08668A23 . 57 PUSH EDI 08668A24 . 56 PUSH ESI 08668A25 . 81EC 8C060000 SUB ESP,0x68C 08668A2B . 33C0 XOR EAX,EAX 08668A2D . 8945 E8 MOV DWORD PTR SS:[EBP-0x18],EAX 08668A30 . 8965 F4 MOV DWORD PTR SS:[EBP-0xC],ESP 08668A33 . C745 D8 87EC2FAF MOV DWORD PTR SS:[EBP-0x28],0xAF2FEC87 08668A3A . 898D 8CFBFFFF MOV DWORD PTR SS:[EBP-0x474],ECX 08668A40 . E8 97EFFFFF CALL 086679DC 08668A45 . 85C0 TEST EAX,EAX 08668A47 . 74 21 JE SHORT 08668A6A 08668A49 . 83C0 03 ADD EAX,0x3 08668A4C . 83E0 FC AND EAX,0xFFFFFFFC 08668A4F . F7D8 NEG EAX 08668A51 . 03C4 ADD EAX,ESP 08668A53 . 72 02 JB SHORT 08668A57 08668A55 . 33C0 XOR EAX,EAX 08668A57 > 852424 TEST DWORD PTR SS:[ESP],ESP 08668A5A . 8BD4 MOV EDX,ESP 08668A5C . 81EA 00100000 SUB EDX,0x1000 08668A62 . 8BE2 MOV ESP,EDX 08668A64 . 3BE0 CMP ESP,EAX 08668A66 .^ 73 EF JNB SHORT 08668A57 08668A68 . 8BE0 MOV ESP,EAX 08668A6A > 8965 F4 MOV DWORD PTR SS:[EBP-0xC],ESP 08668A6D . 8985 84FBFFFF MOV DWORD PTR SS:[EBP-0x47C],EAX 08668A73 . 68 04010000 PUSH 0x104 08668A78 . 8D95 90FBFFFF LEA EDX,DWORD PTR SS:[EBP-0x470] 08668A7E . 33C9 XOR ECX,ECX 08668A80 . E8 63EFFFFF CALL 086679E8 08668A85 . 8D8D 90FBFFFF LEA ECX,DWORD PTR SS:[EBP-0x470] 08668A8B . BA 5C000000 MOV EDX,0x5C 08668A90 . E8 5FEFFFFF CALL 086679F4 08668A95 . 85C0 TEST EAX,EAX 08668A97 . 75 0B JNZ SHORT 08668AA4 08668A99 . 66:C785 94FBFFFF 0000 MOV WORD PTR SS:[EBP-0x46C],0x0 08668AA2 . EB 05 JMP SHORT 08668AA9 08668AA4 > 66:C700 0000 MOV WORD PTR DS:[EAX],0x0 08668AA9 > B9 04010000 MOV ECX,0x104 08668AAE . E8 4DEFFFFF CALL 08667A00 08668AB3 . 8BF0 MOV ESI,EAX 08668AB5 . 68 04010000 PUSH 0x104 08668ABA . 8D85 90FBFFFF LEA EAX,DWORD PTR SS:[EBP-0x470] 08668AC0 . 50 PUSH EAX 08668AC1 . 68 04010000 PUSH 0x104 08668AC6 . 8D8D 80FBFFFF LEA ECX,DWORD PTR SS:[EBP-0x480] 08668ACC . 8BD6 MOV EDX,ESI 08668ACE . E8 39EFFFFF CALL 08667A0C 08668AD3 . FFB5 80FBFFFF PUSH DWORD PTR SS:[EBP-0x480] 08668AD9 . 
8D8D 98FDFFFF LEA ECX,DWORD PTR SS:[EBP-0x268] 08668ADF . 8BD6 MOV EDX,ESI 08668AE1 . FF15 3855D207 CALL DWORD PTR DS:[0x7D25538] ; f.08669218 08668AE7 . C785 C8FDFFFF 0F000000 MOV DWORD PTR SS:[EBP-0x238],0xF 08668AF1 . 33D2 XOR EDX,EDX 08668AF3 . 8995 C4FDFFFF MOV DWORD PTR SS:[EBP-0x23C],EDX 08668AF9 . 8895 B4FDFFFF MOV BYTE PTR SS:[EBP-0x24C],DL 08668AFF . B8 34F48158 MOV EAX,0x5881F434 ; ASCII "\\bin" 08668B04 . 803D 34F48158 00 CMP BYTE PTR DS:[0x5881F434],0x0 08668B0B . 74 06 JE SHORT 08668B13 08668B0D > 40 INC EAX 08668B0E . 8038 00 CMP BYTE PTR DS:[EAX],0x0 08668B11 .^ 75 FA JNZ SHORT 08668B0D 08668B13 > 05 CC0B7EA7 ADD EAX,0xA77E0BCC 08668B18 . 50 PUSH EAX ; /Arg1 = 00000000 08668B19 . 8D8D B4FDFFFF LEA ECX,DWORD PTR SS:[EBP-0x24C] ; | 08668B1F . BA 34F48158 MOV EDX,0x5881F434 ; |ASCII "\\bin" 08668B24 . FF15 4C56D207 CALL DWORD PTR DS:[0x7D2564C] ; \f.08669250 08668B2A . 8B8D C4FDFFFF MOV ECX,DWORD PTR SS:[EBP-0x23C] 08668B30 . 83BD C8FDFFFF 10 CMP DWORD PTR SS:[EBP-0x238],0x10 08668B37 . 72 08 JB SHORT 08668B41 08668B39 . 8B95 B4FDFFFF MOV EDX,DWORD PTR SS:[EBP-0x24C] 08668B3F . EB 06 JMP SHORT 08668B47 08668B41 > 8D95 B4FDFFFF LEA EDX,DWORD PTR SS:[EBP-0x24C] 08668B47 > 6A 00 PUSH 0x0 ; /Arg2 = 00000000 08668B49 . 51 PUSH ECX ; |Arg1 = 7E6CF000 08668B4A . 8D8D 98FDFFFF LEA ECX,DWORD PTR SS:[EBP-0x268] ; | 08668B50 . FF15 8856D207 CALL DWORD PTR DS:[0x7D25688] ; \f.08669A88 08668B56 . 8BF8 MOV EDI,EAX 08668B58 . C685 D8FDFFFF 43 MOV BYTE PTR SS:[EBP-0x228],0x43 08668B5F . C685 DAFDFFFF 72 MOV BYTE PTR SS:[EBP-0x226],0x72 08668B66 . C685 D0FDFFFF 5C MOV BYTE PTR SS:[EBP-0x230],0x5C 08668B6D . C685 D2FDFFFF 65 MOV BYTE PTR SS:[EBP-0x22E],0x65 08668B74 . C685 D4FDFFFF 74 MOV BYTE PTR SS:[EBP-0x22C],0x74 08668B7B . C685 D5FDFFFF 69 MOV BYTE PTR SS:[EBP-0x22B],0x69 08668B82 . C685 DEFDFFFF 64 MOV BYTE PTR SS:[EBP-0x222],0x64 08668B89 . C685 DCFDFFFF 33 MOV BYTE PTR SS:[EBP-0x224],0x33 08668B90 . C685 D6FDFFFF 72 MOV BYTE PTR SS:[EBP-0x22A],0x72 08668B97 . 
C685 D9FDFFFF 6F MOV BYTE PTR SS:[EBP-0x227],0x6F 08668B9E . C685 DBFDFFFF 65 MOV BYTE PTR SS:[EBP-0x225],0x65 08668BA5 . C685 DDFDFFFF 2E MOV BYTE PTR SS:[EBP-0x223],0x2E 08668BAC . C685 E1FDFFFF 00 MOV BYTE PTR SS:[EBP-0x21F],0x0 08668BB3 . C685 D3FDFFFF 63 MOV BYTE PTR SS:[EBP-0x22D],0x63 08668BBA . C685 DFFDFFFF 6C MOV BYTE PTR SS:[EBP-0x221],0x6C 08668BC1 . C685 D1FDFFFF 56 MOV BYTE PTR SS:[EBP-0x22F],0x56 08668BC8 . C685 D7FDFFFF 2E MOV BYTE PTR SS:[EBP-0x229],0x2E 08668BCF . C685 E0FDFFFF 6C MOV BYTE PTR SS:[EBP-0x220],0x6C 08668BD6 . 56 PUSH ESI 08668BD7 . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-0x12C] 08668BDD . BA 04010000 MOV EDX,0x104 08668BE2 . E8 31EEFFFF CALL 08667A18 08668BE7 . 8D85 D0FDFFFF LEA EAX,DWORD PTR SS:[EBP-0x230] 08668BED . 50 PUSH EAX 08668BEE . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-0x12C] 08668BF4 . BA 04010000 MOV EDX,0x104 08668BF9 . E8 26EEFFFF CALL 08667A24 08668BFE . 6A 01 PUSH 0x1 08668C00 . 6A 40 PUSH 0x40 08668C02 . 6A 01 PUSH 0x1 08668C04 . 8D8D 70F9FFFF LEA ECX,DWORD PTR SS:[EBP-0x690] 08668C0A . 8D95 D4FEFFFF LEA EDX,DWORD PTR SS:[EBP-0x12C] 08668C10 . FF15 6855D207 CALL DWORD PTR DS:[0x7D25568] ; f.08669D38 08668C16 . 8B85 70F9FFFF MOV EAX,DWORD PTR SS:[EBP-0x690] ; Keyboard.5881F42C 08668C1C . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+0x4] 08668C1F . 8D85 70F9FFFF LEA EAX,DWORD PTR SS:[EBP-0x690] 08668C25 . 03C8 ADD ECX,EAX 08668C27 . E8 04EEFFFF CALL 08667A30 08668C2C $ 85C0 TEST EAX,EAX 08668C2E . 74 0C JE SHORT 08668C3C 08668C30 . 83FF FF CMP EDI,-0x1 08668C33 . 75 07 JNZ SHORT 08668C3C 08668C35 . 33C9 XOR ECX,ECX 08668C37 . E8 00EEFFFF CALL <doExit> 08668C3C > C685 D7FDFFFF 2E MOV BYTE PTR SS:[EBP-0x229],0x2E 08668C43 . C685 DCFDFFFF 32 MOV BYTE PTR SS:[EBP-0x224],0x32 08668C4A . C685 DAFDFFFF 72 MOV BYTE PTR SS:[EBP-0x226],0x72 08668C51 . C685 D2FDFFFF 65 MOV BYTE PTR SS:[EBP-0x22E],0x65 08668C58 . C685 DDFDFFFF 2E MOV BYTE PTR SS:[EBP-0x223],0x2E 08668C5F . C685 D3FDFFFF 63 MOV BYTE PTR SS:[EBP-0x22D],0x63 08668C66 . 
C685 DFFDFFFF 6C MOV BYTE PTR SS:[EBP-0x221],0x6C 08668C6D . C685 D4FDFFFF 74 MOV BYTE PTR SS:[EBP-0x22C],0x74 08668C74 . C685 D6FDFFFF 72 MOV BYTE PTR SS:[EBP-0x22A],0x72 08668C7B . C685 D0FDFFFF 5C MOV BYTE PTR SS:[EBP-0x230],0x5C 08668C82 . C685 D9FDFFFF 6F MOV BYTE PTR SS:[EBP-0x227],0x6F 08668C89 . C685 E0FDFFFF 6C MOV BYTE PTR SS:[EBP-0x220],0x6C 08668C90 . C685 DBFDFFFF 65 MOV BYTE PTR SS:[EBP-0x225],0x65 08668C97 . C685 DEFDFFFF 64 MOV BYTE PTR SS:[EBP-0x222],0x64 08668C9E . C685 E1FDFFFF 00 MOV BYTE PTR SS:[EBP-0x21F],0x0 08668CA5 . C685 D1FDFFFF 56 MOV BYTE PTR SS:[EBP-0x22F],0x56 08668CAC . C685 D8FDFFFF 43 MOV BYTE PTR SS:[EBP-0x228],0x43 08668CB3 . C685 D5FDFFFF 69 MOV BYTE PTR SS:[EBP-0x22B],0x69 08668CBA . 56 PUSH ESI 08668CBB . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-0x12C] 08668CC1 . BA 04010000 MOV EDX,0x104 08668CC6 . E8 4DEDFFFF CALL 08667A18 08668CCB . 8D85 D0FDFFFF LEA EAX,DWORD PTR SS:[EBP-0x230] 08668CD1 . 50 PUSH EAX 08668CD2 . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-0x12C] 08668CD8 . BA 04010000 MOV EDX,0x104 08668CDD . E8 42EDFFFF CALL 08667A24 08668CE2 . 6A 01 PUSH 0x1 08668CE4 . 6A 40 PUSH 0x40 08668CE6 . 6A 01 PUSH 0x1 08668CE8 . 8D8D 20FAFFFF LEA ECX,DWORD PTR SS:[EBP-0x5E0] 08668CEE . 8D95 D4FEFFFF LEA EDX,DWORD PTR SS:[EBP-0x12C] 08668CF4 . FF15 6855D207 CALL DWORD PTR DS:[0x7D25568] ; f.08669D38 08668CFA . 8B85 20FAFFFF MOV EAX,DWORD PTR SS:[EBP-0x5E0] ; clr.639756E2 08668D00 . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+0x4] 08668D03 . 8D85 20FAFFFF LEA EAX,DWORD PTR SS:[EBP-0x5E0] 08668D09 . 03C8 ADD ECX,EAX 08668D0B . E8 20EDFFFF CALL 08667A30 08668D10 . 85C0 TEST EAX,EAX 08668D12 . 74 0C JE SHORT 08668D20 08668D14 . 83FF FF CMP EDI,-0x1 08668D17 . 75 07 JNZ SHORT 08668D20 08668D19 . 33C9 XOR ECX,ECX 08668D1B . E8 1CEDFFFF CALL <doExit> 08668D20 > C685 D5FDFFFF 69 MOV BYTE PTR SS:[EBP-0x22B],0x69 08668D27 . C685 DEFDFFFF 64 MOV BYTE PTR SS:[EBP-0x222],0x64 08668D2E . C685 DCFDFFFF 34 MOV BYTE PTR SS:[EBP-0x224],0x34 08668D35 . 
C685 D9FDFFFF 6F MOV BYTE PTR SS:[EBP-0x227],0x6F 08668D3C . C685 D4FDFFFF 74 MOV BYTE PTR SS:[EBP-0x22C],0x74 08668D43 . C685 DBFDFFFF 65 MOV BYTE PTR SS:[EBP-0x225],0x65 08668D4A . C685 D7FDFFFF 2E MOV BYTE PTR SS:[EBP-0x229],0x2E 08668D51 . C685 D0FDFFFF 5C MOV BYTE PTR SS:[EBP-0x230],0x5C 08668D58 . C685 D1FDFFFF 56 MOV BYTE PTR SS:[EBP-0x22F],0x56 08668D5F . C685 D2FDFFFF 65 MOV BYTE PTR SS:[EBP-0x22E],0x65 08668D66 . C685 D8FDFFFF 43 MOV BYTE PTR SS:[EBP-0x228],0x43 08668D6D . C685 E1FDFFFF 00 MOV BYTE PTR SS:[EBP-0x21F],0x0 08668D74 . C685 DAFDFFFF 72 MOV BYTE PTR SS:[EBP-0x226],0x72 08668D7B . C685 DDFDFFFF 2E MOV BYTE PTR SS:[EBP-0x223],0x2E 08668D82 . C685 D3FDFFFF 63 MOV BYTE PTR SS:[EBP-0x22D],0x63 08668D89 . C685 D6FDFFFF 72 MOV BYTE PTR SS:[EBP-0x22A],0x72 08668D90 . C685 DFFDFFFF 6C MOV BYTE PTR SS:[EBP-0x221],0x6C 08668D97 . C685 E0FDFFFF 6C MOV BYTE PTR SS:[EBP-0x220],0x6C 08668D9E . 56 PUSH ESI 08668D9F . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-0x12C] 08668DA5 . BA 04010000 MOV EDX,0x104 08668DAA . E8 69ECFFFF CALL 08667A18 08668DAF . 8D85 D0FDFFFF LEA EAX,DWORD PTR SS:[EBP-0x230] 08668DB5 . 50 PUSH EAX 08668DB6 . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-0x12C] 08668DBC . BA 04010000 MOV EDX,0x104 08668DC1 . E8 5EECFFFF CALL 08667A24 08668DC6 . 6A 01 PUSH 0x1 08668DC8 . 6A 40 PUSH 0x40 08668DCA . 6A 01 PUSH 0x1 08668DCC . 8D8D D0FAFFFF LEA ECX,DWORD PTR SS:[EBP-0x530] 08668DD2 . 8D95 D4FEFFFF LEA EDX,DWORD PTR SS:[EBP-0x12C] 08668DD8 . FF15 6855D207 CALL DWORD PTR DS:[0x7D25568] ; f.08669D38 08668DDE . 8B85 D0FAFFFF MOV EAX,DWORD PTR SS:[EBP-0x530] 08668DE4 . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+0x4] 08668DE7 . 8D85 D0FAFFFF LEA EAX,DWORD PTR SS:[EBP-0x530] 08668DED . 03C8 ADD ECX,EAX 08668DEF . E8 3CECFFFF CALL 08667A30 08668DF4 . 85C0 TEST EAX,EAX 08668DF6 . 74 0C JE SHORT 08668E04 08668DF8 . 83FF FF CMP EDI,-0x1 08668DFB . 75 07 JNZ SHORT 08668E04 08668DFD . 33C9 XOR ECX,ECX 08668DFF . 
E8 38ECFFFF CALL <doExit> 08668E04 > 8BCE MOV ECX,ESI 08668E06 . E8 3DECFFFF CALL 08667A48 08668E0B . EB 13 JMP SHORT 08668E20 08668E0D . 8D95 D0FAFFFF LEA EDX,DWORD PTR SS:[EBP-0x530] 08668E13 . B9 C0796608 MOV ECX,086679C0 08668E18 . E8 DBDDFFFF CALL 08666BF8 08668E1D . 58 POP EAX ; 02B1DA94 08668E1E . FFE0 JMP EAX 08668E20 > 8D8D D0FAFFFF LEA ECX,DWORD PTR SS:[EBP-0x530] 08668E26 . FF15 2C55D207 CALL DWORD PTR DS:[0x7D2552C] ; f.08666661 08668E2C . EB 13 JMP SHORT 08668E41 08668E2E . 8D95 20FAFFFF LEA EDX,DWORD PTR SS:[EBP-0x5E0] 08668E34 . B9 C0796608 MOV ECX,086679C0 08668E39 . E8 BADDFFFF CALL 08666BF8 08668E3E . 58 POP EAX ; 02B1DA94 08668E3F . FFE0 JMP EAX 08668E41 > 8D8D 20FAFFFF LEA ECX,DWORD PTR SS:[EBP-0x5E0] 08668E47 . FF15 2C55D207 CALL DWORD PTR DS:[0x7D2552C] ; f.08666661 08668E4D . EB 13 JMP SHORT 08668E62 08668E4F . 8D95 70F9FFFF LEA EDX,DWORD PTR SS:[EBP-0x690] 08668E55 . B9 C0796608 MOV ECX,086679C0 08668E5A . E8 99DDFFFF CALL 08666BF8 08668E5F . 58 POP EAX ; 02B1DA94 08668E60 . FFE0 JMP EAX 08668E62 > 8D8D 70F9FFFF LEA ECX,DWORD PTR SS:[EBP-0x690] 08668E68 . FF15 2C55D207 CALL DWORD PTR DS:[0x7D2552C] ; f.08666661 08668E6E . EB 13 JMP SHORT 08668E83 08668E70 . 8D95 B4FDFFFF LEA EDX,DWORD PTR SS:[EBP-0x24C] 08668E76 . B9 D0796608 MOV ECX,086679D0 08668E7B . E8 78DDFFFF CALL 08666BF8 08668E80 . 58 POP EAX ; 02B1DA94 08668E81 . FFE0 JMP EAX 08668E83 > 8D8D B4FDFFFF LEA ECX,DWORD PTR SS:[EBP-0x24C] 08668E89 . FF15 5055D207 CALL DWORD PTR DS:[0x7D25550] ; f.0866666D 08668E8F . EB 13 JMP SHORT 08668EA4 08668E91 . 8D95 98FDFFFF LEA EDX,DWORD PTR SS:[EBP-0x268] 08668E97 . B9 D0796608 MOV ECX,086679D0 08668E9C . E8 57DDFFFF CALL 08666BF8 08668EA1 . 58 POP EAX ; 02B1DA94 08668EA2 . FFE0 JMP EAX 08668EA4 > 8D8D 98FDFFFF LEA ECX,DWORD PTR SS:[EBP-0x268] 08668EAA . FF15 5055D207 CALL DWORD PTR DS:[0x7D25550] ; f.0866666D 08668EB0 . E9 A4000000 JMP 08668F59 08668EB5 . E8 1A7D5F5B CALL clr.63C60BD4 08668EBA . 8BC8 MOV ECX,EAX 08668EBC . 
6A 00 PUSH 0x0 08668EBE . 6A 00 PUSH 0x0 08668EC0 . BA 54048458 MOV EDX,0x58840454 08668EC5 . E8 8AEBFFFF CALL 08667A54 08668ECA . C3 RETN 08668ECB . 33D2 XOR EDX,EDX 08668ECD . 8995 88FBFFFF MOV DWORD PTR SS:[EBP-0x478],EDX 08668ED3 . E8 FC7C5F5B CALL clr.63C60BD4 08668ED8 . 8BC8 MOV ECX,EAX 08668EDA . 8B95 84FBFFFF MOV EDX,DWORD PTR SS:[EBP-0x47C] 08668EE0 . E8 7BEBFFFF CALL 08667A60 08668EE5 . C745 E0 00000000 MOV DWORD PTR SS:[EBP-0x20],0x0 08668EEC . C745 E4 FC000000 MOV DWORD PTR SS:[EBP-0x1C],0xFC 08668EF3 . 68 748F6608 PUSH 08668F74 08668EF8 . EB 3B JMP SHORT 08668F35 08668EFA . E8 D57C5F5B CALL clr.63C60BD4 08668EFF . 8BC8 MOV ECX,EAX 08668F01 . E8 66EBFFFF CALL 08667A6C 08668F06 . 8985 88FBFFFF MOV DWORD PTR SS:[EBP-0x478],EAX 08668F0C . C3 RETN 08668F0D . E8 77852F5B CALL clr.63961489 08668F12 . 83BD 88FBFFFF 00 CMP DWORD PTR SS:[EBP-0x478],0x0 08668F19 . 74 05 JE SHORT 08668F20 08668F1B . E8 6D97395B CALL clr.63A0268D 08668F20 > C745 E0 00000000 MOV DWORD PTR SS:[EBP-0x20],0x0 08668F27 . C745 E4 FC000000 MOV DWORD PTR SS:[EBP-0x1C],0xFC 08668F2E . 68 508F6608 PUSH 08668F50 08668F33 . EB 00 JMP SHORT 08668F35 08668F35 > 8B8D 84FBFFFF MOV ECX,DWORD PTR SS:[EBP-0x47C] 08668F3B . 8B95 88FBFFFF MOV EDX,DWORD PTR SS:[EBP-0x478] 08668F41 . E8 32EBFFFF CALL 08667A78 08668F46 . 58 POP EAX ; 02B1DA94 08668F47 . FFE0 JMP EAX 08668F49 > E8 3B852F5B CALL clr.63961489 08668F4E . EB 09 JMP SHORT 08668F59 08668F50 . C745 E4 00000000 MOV DWORD PTR SS:[EBP-0x1C],0x0 08668F57 .^ EB F0 JMP SHORT 08668F49 08668F59 > 8B85 8CFBFFFF MOV EAX,DWORD PTR SS:[EBP-0x474] 08668F5F . 817D D8 87EC2FAF CMP DWORD PTR SS:[EBP-0x28],0xAF2FEC87 08668F66 . 74 05 JE SHORT 08668F6D 08668F68 . E8 2933625B CALL clr.63C8C296 08668F6D > 8D65 F8 LEA ESP,DWORD PTR SS:[EBP-0x8] 08668F70 . 5E POP ESI ; 02B1DA94 08668F71 . 5F POP EDI ; 02B1DA94 08668F72 . 5D POP EBP ; 02B1DA94 08668F73 . C3 RETN ![]() I agree with SKiLLa ... really interesting. 
Best Regards, Tony [EDIT] There's also some AES checking (analyze the RijndaelManaged class), so there are probably integrity checks in place too. Regards, Tony
Last edited by tonyweb; 02-11-2017 at 19:17. Reason: AES checking info |