UninstallTool portable 3.7.4 分析记录
UninstallTool portable 3.7.4 分析记录
目录
文件信息
UninstallToolPortable.exe ==> 启动器
UninstallTool_x64.dat ==>程序主体,pe 文件,x64
UninstallToolHelper.exe ==> 注册验证程序,加壳execryptor
2024/04/22 16:27 <DIR> languages
2024/04/22 16:27 44 RemoveService.cmd
2024/04/22 16:27 474,720 UninstallToolHelper.exe
2024/04/22 16:27 381,928 UninstallToolPortable.exe
2024/04/22 16:27 49 UninstallToolWebsite.url
2024/04/22 16:27 5,836,776 UninstallTool_x64.dat
2024/04/22 16:27 4,809,192 UninstallTool_x86.dat
分析的主要目标为UninstallTool_x64.dat
PE64
操作系统: Windows(Vista)[AMD64, 64 位, GUI]
链接程序: Microsoft linker(14.29.30152)
编译器: Visual C/C++(19.29.30152)[C++]
语言: C/C++
工具: Microsoft Visual Studio(2019 version 16.11)
资源: PE64[偏移=0x0057bf68,大小=0xe038]
操作系统: Windows(10)[AMD64, 64 位, 驱动]
链接程序: Microsoft linker(14.29.30140)
编译器: Visual C/C++(19.29.30140)[C]
语言: C/C++
工具: Microsoft Visual Studio(2019 version 16.11)
(Heur)保护器: Generic[High entropy]
调试数据: Binary[偏移=0x00417894,大小=0x4b]
调试数据: PDB file link(7.0)
附加: Binary[偏移=0x0058c000,大小=0x4fe8]
证书: Windows Authenticode(2.0)[PKCS #7]
资源文件中夹带一个‘追踪安装’驱动,(CisUtMonitor.sys ,不做分析,网上有提及在win11存在bug,可能蓝屏,未分析)
PE64
操作系统: Windows(10)[AMD64, 64 位, 驱动]
链接程序: Microsoft linker(14.29.30140)
编译器: Visual C/C++(19.29.30140)[C]
语言: C/C++
工具: Microsoft Visual Studio(2019 version 16.11)
(Heur)保护器: Generic[High entropy]
调试数据: Binary[偏移=0x3998,大小=0x51]
调试数据: PDB file link(7.0)
附加: Binary[偏移=0x5000,大小=0x9038]
证书: Windows Authenticode(2.0)[PKCS #7]
languages 文件夹下xml对应语言,在程序中通过标签获取对应文本。
UninstallTool_x64.dat mfc程序
CEnterKeyDlg
CEnterKeyDlg__GetMessageMap
.text:00000001400301B4 CEnterKeyDlg__GetMessageMap_1400301B4 proc near
.text:00000001400301B4 ; CODE XREF: CEnterKeyDlg__GetMessageMap_1400301AC↑j
.text:00000001400301B4 lea rax, CEnterKeyDlg_AFX_MSGMAP_140359A40
.text:00000001400301BB retn
.text:00000001400301BB CEnterKeyDlg__GetMessageMap_1400301B4 endp
.rdata:0000000140359A40 ; AFX_MSGMAP CEnterKeyDlg_AFX_MSGMAP_140359A40
.rdata:0000000140359A40 CEnterKeyDlg_AFX_MSGMAP_140359A40 AFX_MSGMAP <offset sub_140031F80, offset stru_1403599C0>
.rdata:00000001403599C0 ; AFX_MSGMAP_ENTRY stru_1403599C0
.rdata:00000001403599C0 stru_1403599C0 dd MY_WM_COMMAND ; nMessage
.rdata:00000001403599C0 ; DATA XREF: .rdata:CEnterKeyDlg_AFX_MSGMAP_140359A40↓o
.rdata:00000001403599C4 dd 0 ; nCode
.rdata:00000001403599C8 dd 430h ; NID
.rdata:00000001403599CC dd 430h ; nLastID
.rdata:00000001403599D0 dd 3Ah ; NSIG
.rdata:00000001403599D4 db 4 dup(0)
.rdata:00000001403599D8 dq offset CEnterKeyDlg_ok_0_14003086C; PFN
.rdata:00000001403599E0 dd MY_WM_COMMAND ; nMessage
.rdata:00000001403599E4 dd 300h ; nCode
.rdata:00000001403599E8 dd 40Dh ; NID
.rdata:00000001403599EC dd 40Dh ; nLastID
.rdata:00000001403599F0 dd 3Ah ; NSIG
.rdata:00000001403599F4 db 4 dup(0)
.rdata:00000001403599F8 dq offset CEnterKeyDlg_enableok_300_140030AE0; PFN
.rdata:0000000140359A00 dd MY_WM_COMMAND ; nMessage
.rdata:0000000140359A04 dd 300h ; nCode
.rdata:0000000140359A08 dd 40Fh ; NID
.rdata:0000000140359A0C dd 40Fh ; nLastID
.rdata:0000000140359A10 dd 3Ah ; NSIG
.rdata:0000000140359A14 db 4 dup(0)
.rdata:0000000140359A18 dq offset CEnterKeyDlg_enableok_300_140030AE0; PFN
.rdata:0000000140359A20 dd MY_WM_NULL ; nMessage
.rdata:0000000140359A24 dd 0 ; nCode
.rdata:0000000140359A28 dd 0 ; NID
.rdata:0000000140359A2C dd 0 ; nLastID
.rdata:0000000140359A30 dd 0 ; NSIG
.rdata:0000000140359A34 db 4 dup(0)
.rdata:0000000140359A38 dq 0 ; PFN
DoDataExchange
void __fastcall DoDataExchange_140030140(CEnterKeyDlg *a1, CWnd **a2)
{
// name
DDX_14025E4E0(a2, 1037u, (HWND *)&a1->name_CEdit_130);
// code
DDX_14025E4E0(a2, 1039u, (HWND *)&a1->code_CEdit_218);
// icon
DDX_14025E4E0(a2, 1073u, (HWND *)&a1->icon_CStaticWhite_300);
DDX_14025E4E0(a2, 1147u, (HWND *)&a1->info__7E0);
}
CEnterKeyDlg__OnInitDialog_1400301BC
初始化
CEnterKeyDlg__OnOk_14003086C
ok 按钮事件,仅是将name和code写入注册表,然后重启程序,所以验证逻辑在程序启动时
RN==>base64enc(name xor 0x89)
RC==>base64enc(codexor 0x89)
__int64 __fastcall CEnterKeyDlg_ok_0_14003086C(CEnterKeyDlg *this)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v2 = sub_14025F27C();
if ( !v2 )
unknown_libname_676(0x80004005);
name = ((__int64 (__fastcall *)(void ***))(*v2)[3])(v2) + 0x18;
v3 = sub_14025F27C();
if ( !v3 )
unknown_libname_676(0x80004005);
code = (wchar_t *)(((__int64 (__fastcall *)(void ***))(*v3)[3])(v3) + 0x18);
CWnd::GetWindowTextW(&this->name_CEdit_130, &name);
CWnd::GetWindowTextW(&this->code_CEdit_218, &code);
if ( *(_DWORD *)(name - 0x10) && *((_DWORD *)code + 0xFFFFFFFC) )
{
get_lic_info_14002A384((__int64)&UToolApp_140478C30);
v4 = get_lic_info_14002A384((__int64)&UToolApp_140478C30);
set_reg_RN_14003CB98(v4, (wchar_t *)&name);
v5 = get_lic_info_14002A384((__int64)&UToolApp_140478C30);
set_reg_RC_14003CADC(v5, &code);
key.u._Ptr = 0i64;
key._Mysize = 0i64;
key._Myres = 0xFi64;
string_140023FD0(&key, 30ui64, 0i64, "Messages/msgRegRestartRequired");
// 要完成注册您必须重新启动程序。 \n\n您要立即执行该操作吗?
str_1400F9430 = (const wchar_t *)xml_find_str_1400F9430(outstr, &key);
if ( *((_QWORD *)str_1400F9430 + 3) >= 8ui64 )
str_1400F9430 = *(const wchar_t **)str_1400F9430;
v7 = cstring_140025F10(&v19, str_1400F9430);
if ( this )
v8 = *(_QWORD *)&this->gap2A[0x14];
else
v8 = 0i64;
v9 = info_dialog_14002B0A4((__int64)&UToolApp_140478C30, v8, *v7, (__int64)L"Uninstall Tool", 0x24u);
v10 = (_QWORD *)(v19 - 0x18);
if ( _InterlockedExchangeAdd((volatile signed __int32 *)(v19 - 0x18 + 0x10), 0xFFFFFFFF) <= 1 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v10 + 8i64))(*v10);
unknown_libname_4(outstr);
if ( key._Myres >= 0x10 )
{
Ptr = key.u._Ptr;
if ( key._Myres + 1 >= 0x1000 )
{
Ptr = (char *)*((_QWORD *)key.u._Ptr + 0xFFFFFFFF);
if ( (unsigned __int64)(key.u._Ptr - Ptr - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(Ptr);
}
// spy++ 查看窗口确定控件id6==》 yes
if ( v9 == 6 )
{
sub_14002C094((__int64)&UToolApp_140478C30, 0);
sub_140249930(&UToolApp_140478C30);
}
CDialog::EndDialog((CDialog *)this, v9);
}
v12 = code + 0xFFFFFFF4;
if ( _InterlockedExchangeAdd((volatile signed __int32 *)code + 0x7FFFFFFE, 0xFFFFFFFF) <= 1 )
(*(void (__fastcall **)(_QWORD))(**(_QWORD **)v12 + 8i64))(*(_QWORD *)v12);
v13 = (_QWORD *)(name - 0x18);
v14 = _InterlockedExchangeAdd((volatile signed __int32 *)(name - 0x18 + 0x10), 0xFFFFFFFF);
v15 = v14 <= 1;
result = (unsigned int)(v14 - 1);
if ( v15 )
return (*(__int64 (__fastcall **)(_QWORD))(*(_QWORD *)*v13 + 8i64))(*v13);
return result;
}
CMainDialog::OnInitDialog_14004B1A4
检查主窗口 init,关键点在CLicenseManager::CheckRegistration_1400397D8(v5);和xthread_14003C754(v11, *((_QWORD *)this + 8));中
__int64 __fastcall CMainDialog::OnInitDialog_14004B1A4(CWnd *this)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
sub_14024C1C0(&unk_140479388, "TrayIcon_Show", 0i64);
v2 = 1;
sub_14016F630((char *)this + 0x130, 1i64);
if ( (unsigned int)sub_14002AE88(&UToolApp_140478C30) )
*((_DWORD *)this + 0xAA) = 0;
sub_140032184(this);
sub_1401A2310(3i64);
SendMessageW(*((HWND *)this + 8), 0x80u, 1ui64, *((_QWORD *)this + 0x56));
SendMessageW(*((HWND *)this + 8), 0x80u, 0i64, *((_QWORD *)this + 0x57));
sub_14002973C(&UToolApp_140478C30, (char *)this + 0x298);
sub_140049104(this);
(*(void (__fastcall **)(CWnd *, char **))(*(_QWORD *)this + 0x320i64))(this, &off_14038BC60);
sub_14004921C(this);
sub_140048824(this);
sub_1400488D8(this);
sub_14002FC30(*(_QWORD *)(*((_QWORD *)this + 0xC0) + (byte_140479358 != 0 ? 8 : 0)));
sub_14004AC18(this);
sub_140046458(this);
*((_DWORD *)this + 0x18C) = 1;
sub_14004CB5C(this);
v3 = (const WCHAR *)sub_140249AD0(&UToolApp_140478C30);
sub_140269238((__int64)this, v3);
sub_14004CE48(this);
v4 = sub_14025F27C();
if ( !v4 )
unknown_libname_676(0x80004005);
v20 = ((__int64 (__fastcall *)(void ***))(*v4)[3])(v4) + 0x18;
if ( (unsigned int)sub_14002AE58((__int64)&UToolApp_140478C30, (__int64)&v20) )
{
v5 = (HINSTANCE)get_lic_info_14002A384((__int64)&UToolApp_140478C30);
CLicenseManager::CheckRegistration_1400397D8(v5);
v6 = get_lic_info_14002A384((__int64)&UToolApp_140478C30);
sub_14003C498(v6);
v7 = get_lic_info_14002A384((__int64)&UToolApp_140478C30);
if ( (unsigned __int8)sub_14003BE28(v7) )
{
sub_14002C094((__int64)&UToolApp_140478C30, 1);
}
else
{
v8 = (_QWORD *)*((_QWORD *)this + 0xC0);
if ( *((_QWORD *)this + 0xC1) - (_QWORD)v8 >= 8ui64 )
(*(void (__fastcall **)(_QWORD, __int64 *, WPARAM))(*(_QWORD *)*v8 + 0x88i64))(*v8, &v20, wParam);
}
if ( !IsWindowVisible(*((HWND *)this + 8)) )
{
sub_14004BCA4(this);
v2 = 0;
goto LABEL_24;
}
v9 = sub_14025F27C();
if ( !v9 )
unknown_libname_676(0x80004005);
v21 = ((__int64 (__fastcall *)(void ***))(*v9)[3])(v9) + 0x18;
sub_14002C070(&UToolApp_140478C30, &v21);
v10 = (_QWORD *)(v21 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v21 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v10 + 8i64))(*v10);
}
v11 = (_QWORD *)get_lic_info_14002A384((__int64)&UToolApp_140478C30);
// CLicenseManager::CheckRegistrationThread
xthread_14003C754(v11, *((_QWORD *)this + 8));//CheckRegistrationThread_14003BAE8
if ( (unsigned int)sub_14024B6D0(&unk_140479388, "CheckForBetaVersions") )
{
sub_140025E14(&v22, "update/utool_beta.txt");
v12 = cstring_140025F10(v19, L"https://crystalidea.com/");
v13 = sub_1400263AC(&v23, v12, &v22);
sub_140252E00((char *)this + 0x4A8, v13);
v14 = (_QWORD *)(v23 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v23 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v14 + 8i64))(*v14);
v15 = (_QWORD *)(v19[0] - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v19[0] - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v15 + 8i64))(*v15);
v16 = (_QWORD *)(v22 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v22 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v16 + 8i64))(*v16);
}
if ( (unsigned int)sub_14024B6D0(&unk_140479388, "Startup_CheckForUpdates") )
sub_140252390((char *)this + 0x4A8);
sub_140055ECC(*((HWND *)this + 8));
byte_140479418 = 1;
LABEL_24:
v17 = (_QWORD *)(v20 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v20 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v17 + 8i64))(*v17);
return v2;
}
CLicenseManager::CheckRegistration_1400397D8
license.dat 文件存在时==》VerifySerialNumberW_14003C490
j_IsRegistered_1400092B0
void __fastcall CLicenseManager::CheckRegistration_1400397D8(HINSTANCE a1)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v91 = 0;
if ( !_InterlockedExchangeAdd((volatile signed __int32 *)a1 + 0x5A, 0) )
{
*((_DWORD *)a1 + 0x63) = 0x1E;
VersionMJ.u._Ptr = 0i64;
VersionMJ._Mysize = 0i64;
VersionMJ._Myres = 7i64;
versionMN.u._Ptr = 0i64;
versionMN._Mysize = 0i64;
versionMN._Myres = 7i64;
// version 高
get_reg_14003C2D0((__int64)a1, L"VH", &VersionMJ);
get_reg_14003C2D0((__int64)a1, L"VL", &versionMN);
v189 = 0i64;
v192 = 0xFi64;
v191 = 0xCi64;
memmove(&v189, "SimpleLogger", 0xCui64);
v190 = 0;
get_SimpleLogger_1400E9B50((__int64)&v103);
if ( v192 >= 0x10 )
{
v2 = v189;
if ( v192 + 1 >= 0x1000 )
{
v2 = (_BYTE *)*((_QWORD *)v189 + 0xFFFFFFFF);
if ( (unsigned __int64)((_BYTE *)v189 - v2 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v2);
}
v191 = 0i64;
v192 = 0xFi64;
LOBYTE(v189) = 0;
v3 = "G:\\Projects\\uninstall-tool\\UninstallTool\\LicenseManager\\LicenseManager.cpp";
v4 = "CLicenseManager::CheckRegistration";
if ( v103 )
{
p_VersionMJ = &VersionMJ;
if ( VersionMJ._Myres >= 8 )
p_VersionMJ = (std_wstring *)VersionMJ.u._Ptr;
v99[1] = (wchar_t *)p_VersionMJ;
*(_QWORD *)&v102 = L"VersionMJ {}";
*((_QWORD *)&v102 + 1) = 0xCi64;
*(_QWORD *)&v92 = "G:\\Projects\\uninstall-tool\\UninstallTool\\LicenseManager\\LicenseManager.cpp";
DWORD2(v92) = 0xC1;
*(_QWORD *)&X = "CLicenseManager::CheckRegistration";
v137 = v102;
v149[1] = v92;
v150 = "CLicenseManager::CheckRegistration";
log_140037400(COERCE_DOUBLE("CLicenseManager::CheckRegistration"));
}
v6 = v104;
if ( v104 )
{
if ( _InterlockedExchangeAdd(v104 + 2, 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *, const char *, const char *))v6)(v6, v3, v4);
if ( _InterlockedExchangeAdd(v6 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v6 + 8i64))(v6);
}
}
v193 = 0i64;
v196 = 0xFi64;
v195 = 0xCi64;
memmove(&v193, "SimpleLogger", 0xCui64);
v194 = 0;
get_SimpleLogger_1400E9B50((__int64)&v106);
if ( v196 >= 0x10 )
{
v7 = v193;
if ( v196 + 1 >= 0x1000 )
{
v7 = (_BYTE *)*((_QWORD *)v193 + 0xFFFFFFFF);
if ( (unsigned __int64)((_BYTE *)v193 - v7 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v7);
}
v195 = 0i64;
v196 = 0xFi64;
LOBYTE(v193) = 0;
if ( v106 )
{
p_versionMN = &versionMN;
if ( versionMN._Myres >= 8 )
p_versionMN = (std_wstring *)versionMN.u._Ptr;
v99[2] = (wchar_t *)p_versionMN;
*(_QWORD *)&v105 = L"versionMN {}";
*((_QWORD *)&v105 + 1) = 0xCi64;
*(_QWORD *)&v92 = "G:\\Projects\\uninstall-tool\\UninstallTool\\LicenseManager\\LicenseManager.cpp";
DWORD2(v92) = 0xC2;
*(_QWORD *)&X = "CLicenseManager::CheckRegistration";
v138 = v105;
v151 = v92;
v152 = "CLicenseManager::CheckRegistration";
log_140037400(COERCE_DOUBLE("CLicenseManager::CheckRegistration"));
}
v9 = v107;
if ( v107 )
{
if ( _InterlockedExchangeAdd(v107 + 2, 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v9)(v9);
if ( _InterlockedExchangeAdd(v9 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v9 + 8i64))(v9);
}
}
v10 = 0;
if ( VersionMJ._Mysize && versionMN._Mysize )
{
Ptr = &VersionMJ;
if ( VersionMJ._Myres >= 8 )
Ptr = (std_wstring *)VersionMJ.u._Ptr;
v12 = j_unknown_libname_182((__int64)Ptr);
v13 = &versionMN;
if ( versionMN._Myres >= 8 )
v13 = (std_wstring *)versionMN.u._Ptr;
v14 = j_unknown_libname_182((__int64)v13);
if ( v12 == (unsigned int)get_version_hight_140249DD0((__int64)&UToolApp_140478C30)
&& v14 < (unsigned int)get_version_low_140249DF0((__int64)&UToolApp_140478C30) )
{
v10 = 1;
}
if ( v12 < (unsigned int)get_version_hight_140249DD0((__int64)&UToolApp_140478C30) )
v10 = 1;
}
else
{
v10 = 1;
v197 = 0i64;
v200 = 0xFi64;
v199 = 0xCi64;
memmove(&v197, "SimpleLogger", 0xCui64);
v198 = 0;
get_SimpleLogger_1400E9B50((__int64)&v109);
if ( v200 >= 0x10 )
{
v15 = v197;
if ( v200 + 1 >= 0x1000 )
{
v15 = (_BYTE *)*((_QWORD *)v197 + 0xFFFFFFFF);
if ( (unsigned __int64)((_BYTE *)v197 - v15 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v15);
}
v199 = 0i64;
v200 = 0xFi64;
LOBYTE(v197) = 0;
if ( v109 )
{
*(_QWORD *)&v108 = "FirstRun";
*((_QWORD *)&v108 + 1) = 8i64;
*(_QWORD *)&v92 = "G:\\Projects\\uninstall-tool\\UninstallTool\\LicenseManager\\LicenseManager.cpp";
DWORD2(v92) = 0xCC;
*(_QWORD *)&X = "CLicenseManager::CheckRegistration";
v139 = v108;
v153 = v92;
v154 = "CLicenseManager::CheckRegistration";
sub_1400067A0(v109, (__int64)&v153, 2, &v139);
}
v16 = v110;
if ( v110 )
{
if ( _InterlockedExchangeAdd(v110 + 2, 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v16)(v16);
if ( _InterlockedExchangeAdd(v16 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v16 + 8i64))(v16);
}
}
}
// 3
version_hight_140249DD0 = get_version_hight_140249DD0((__int64)&UToolApp_140478C30);
tohexstr_140036878((std_wstring *)v244, version_hight_140249DD0);
set_reg_xor89_14003C3CC((__int64)a1, L"VH", (__int64)v244);
unknown_libname_4(v244);
// 7
version_low_140249DF0 = get_version_low_140249DF0((__int64)&UToolApp_140478C30);
tohexstr_140036878((std_wstring *)v245, version_low_140249DF0);
v19 = 0xF0;
v91 = 0xF0;
set_reg_xor89_14003C3CC((__int64)a1, L"VL", (__int64)v245);
unknown_libname_4(v245);
name.u._Ptr = 0i64;
name._Mysize = 0i64;
name._Myres = 7i64;
code.u._Ptr = 0i64;
code._Mysize = 0i64;
code._Myres = 7i64;
get_reg_14003C2D0((__int64)a1, L"RN", &name);
get_reg_14003C2D0((__int64)a1, L"RC", &code);
v201 = 0i64;
v204 = 0xFi64;
v203 = 0xCi64;
memmove(&v201, "SimpleLogger", 0xCui64);
v202 = 0;
get_SimpleLogger_1400E9B50((__int64)&v112);
if ( v204 >= 0x10 )
{
v20 = v201;
if ( v204 + 1 >= 0x1000 )
{
v20 = (_BYTE *)*((_QWORD *)v201 + 0xFFFFFFFF);
if ( (unsigned __int64)((_BYTE *)v201 - v20 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v20);
}
v203 = 0i64;
v204 = 0xFi64;
LOBYTE(v201) = 0;
v21 = v112;
if ( v112 )
{
if ( name._Mysize )
{
w_name.u._Ptr = 0i64;
w_name._Mysize = 0i64;
w_name._Myres = 0i64;
wstring_14000A190(&w_name, &name);
p_w_name = &w_name;
v19 = 0xF1;
}
else
{
v222.u._Ptr = 0i64;
v222._Mysize = 0i64;
v222._Myres = 7i64;
wstring_140024560(&v222, L"[empty]", 7ui64);
p_w_name = &v222;
v19 = 0xF2;
}
v91 = v19;
*(_QWORD *)&v111 = L"Name {}";
*((_QWORD *)&v111 + 1) = 7i64;
*(_QWORD *)&v92 = "G:\\Projects\\uninstall-tool\\UninstallTool\\LicenseManager\\LicenseManager.cpp";
DWORD2(v92) = 0xEB;
*(_QWORD *)&X = "CLicenseManager::CheckRegistration";
v140 = v111;
v155 = v92;
v156 = "CLicenseManager::CheckRegistration";
xlog_1400376EC(v21, (__int64)&v155, 2, (__int64)&v140, p_w_name);
if ( (v19 & 2) != 0 )
{
v19 &= ~2u;
v91 = v19;
if ( v222._Myres >= 8 )
{
v23 = v222.u._Ptr;
if ( 2 * v222._Myres + 2 >= 0x1000 )
{
v23 = (wchar_t *)*((_QWORD *)v222.u._Ptr + 0xFFFFFFFF);
if ( (unsigned __int64)((char *)v222.u._Ptr - (char *)v23 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v23);
}
v222._Mysize = 0i64;
v222._Myres = 7i64;
v222.u._Buf[0] = 0;
}
if ( (v19 & 1) != 0 )
{
v19 &= ~1u;
v91 = v19;
if ( w_name._Myres >= 8 )
{
v24 = w_name.u._Ptr;
if ( 2 * w_name._Myres + 2 >= 0x1000 )
{
v24 = (wchar_t *)*((_QWORD *)w_name.u._Ptr + 0xFFFFFFFF);
if ( (unsigned __int64)((char *)w_name.u._Ptr - (char *)v24 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v24);
}
}
}
v25 = v113;
if ( v113 )
{
if ( _InterlockedExchangeAdd(v113 + 2, 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v25)(v25);
if ( _InterlockedExchangeAdd(v25 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v25 + 8i64))(v25);
}
v19 = v91;
}
v205 = 0i64;
v208 = 0xFi64;
v207 = 0xCi64;
memmove(&v205, "SimpleLogger", 0xCui64);
v206 = 0;
get_SimpleLogger_1400E9B50((__int64)&v115);
if ( v208 >= 0x10 )
{
v26 = v205;
if ( v208 + 1 >= 0x1000 )
{
v26 = (_BYTE *)*((_QWORD *)v205 + 0xFFFFFFFF);
if ( (unsigned __int64)((_BYTE *)v205 - v26 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v26);
}
v207 = 0i64;
v208 = 0xFi64;
LOBYTE(v205) = 0;
v27 = v115;
if ( v115 )
{
if ( code._Mysize <= 0xA )
{
v223.u._Ptr = 0i64;
v223._Mysize = 0i64;
v223._Myres = 7i64;
wstring_140024560(&v223, L"[empty]", 7ui64);
v28 = &v223;
v29 = v19 | 8;
}
else
{
v28 = sub_140036F58((std_wstring *)v246, (__int64)&code, 0xAui64);
v29 = v19 | 4;
}
v91 = v29;
*(_QWORD *)&v114 = L"Code {}";
*((_QWORD *)&v114 + 1) = 7i64;
*(_QWORD *)&v92 = "G:\\Projects\\uninstall-tool\\UninstallTool\\LicenseManager\\LicenseManager.cpp";
DWORD2(v92) = 0xEC;
*(_QWORD *)&X = "CLicenseManager::CheckRegistration";
v141 = v114;
v157 = v92;
v158 = "CLicenseManager::CheckRegistration";
xlog_1400376EC(v27, (__int64)&v157, 2, (__int64)&v141, v28);
if ( (v29 & 8) != 0 )
{
v29 &= ~8u;
v91 = v29;
if ( v223._Myres >= 8 )
{
v30 = v223.u._Ptr;
if ( 2 * v223._Myres + 2 >= 0x1000 )
{
v30 = (wchar_t *)*((_QWORD *)v223.u._Ptr + 0xFFFFFFFF);
if ( (unsigned __int64)((char *)v223.u._Ptr - (char *)v30 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v30);
}
v223._Mysize = 0i64;
v223._Myres = 7i64;
v223.u._Buf[0] = 0;
}
if ( (v29 & 4) != 0 )
unknown_libname_4(v246);
}
v31 = v116;
if ( v116 )
{
if ( _InterlockedExchangeAdd(v116 + 2, 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v31)(v31);
if ( _InterlockedExchangeAdd(v31 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v31 + 8i64))(v31);
}
}
if ( !name._Mysize && !code._Mysize )
{
memset(String, 0, sizeof(String));
memset(v250, 0, sizeof(v250));
xml_get_14003C3C4((__int64)a1, (__int64)L"RegName", String);
xml_get_14003C3C4((__int64)a1, (__int64)L"SerialNum", (wchar_t *)v250);
if ( lstrlenW(String) )
{
if ( lstrlenW((LPCWSTR)v250) )
{
cstring_140025F10(&v97, String);
set_reg_RN_14003CB98((__int64)a1, (wchar_t *)&v97);
v32 = (_QWORD *)(v97 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v97 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v32 + 8i64))(*v32);
cstring_140025F10(&v98, (const wchar_t *)v250);
set_reg_RC_14003CADC((__int64)a1, &v98);
v33 = v98 + 0xFFFFFFF4;
if ( _InterlockedDecrement((volatile signed __int32 *)v98 + 0x7FFFFFFE) <= 0 )
(*(void (__fastcall **)(_QWORD))(**(_QWORD **)v33 + 8i64))(*(_QWORD *)v33);
v34 = 0xFFFFFFFFFFFFFFFFui64;
do
++v34;
while ( String[v34] );
wstring_140024560(&name, String, v34);
v35 = 0xFFFFFFFFFFFFFFFFui64;
do
++v35;
while ( v250[v35] );
wstring_140024560(&code, (wchar_t *)v250, v35);
v209 = 0i64;
v212 = 0xFi64;
v211 = 0xCi64;
memmove(&v209, "SimpleLogger", 0xCui64);
v210 = 0;
get_SimpleLogger_1400E9B50((__int64)&v118);
if ( v212 >= 0x10 )
{
v36 = v209;
if ( v212 + 1 >= 0x1000 )
{
v36 = (_BYTE *)*((_QWORD *)v209 + 0xFFFFFFFF);
if ( (unsigned __int64)((_BYTE *)v209 - v36 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v36);
}
v211 = 0i64;
v212 = 0xFi64;
LOBYTE(v209) = 0;
if ( v118 )
{
*(_QWORD *)&v117 = "legacy reg name/code loaded";
*((_QWORD *)&v117 + 1) = 0x1Bi64;
*(_QWORD *)&v92 = "G:\\Projects\\uninstall-tool\\UninstallTool\\LicenseManager\\LicenseManager.cpp";
DWORD2(v92) = 0x102;
*(_QWORD *)&X = "CLicenseManager::CheckRegistration";
v142 = v117;
v159 = v92;
v160 = "CLicenseManager::CheckRegistration";
sub_1400067A0(v118, (__int64)&v159, 2, &v142);
}
v37 = v119;
if ( v119 )
{
if ( _InterlockedExchangeAdd(v119 + 2, 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v37)(v37);
if ( _InterlockedExchangeAdd(v37 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v37 + 8i64))(v37);
}
}
}
}
}
Src[0] = 0i64;
v180 = 0i64;
v181 = 7i64;
v177.u._Ptr = 0i64;
v177._Mysize = 0i64;
v177._Myres = 7i64;
//license.dat
_14003BF0C = file_read_14003BF0C((__int64)a1, (__int64)Src, (__int64)&v177);
memset(v243, 0, 0x16ui64);
if ( v180 && v177._Mysize )
{
if ( sub_14003E0A0(&v177) )
{
std::wstring::append(&v177);
v10 = 1;
}
v39 = &v177;
if ( v177._Myres >= 8 )
v39 = (std_string *)v177.u._Ptr;
v40 = Src;
if ( v181 >= 8 )
v40 = (void **)Src[0];
VerifySerialNumberW_14003C490(a1, (HINSTANCE)v40, (LPWSTR)v39, (int)v243);
}
if ( (unsigned int)j_IsRegistered_1400092B0((__int64)a1) == 3 )
{
v46 = Src;
if ( v181 >= 8 )
v46 = (void **)Src[0];
if ( v180 > name._Myres )
{
LOBYTE(v41) = 0;
sub_140024470((void **)&name, v180, v41, v46);
}
else
{
p_name = &name;
if ( name._Myres >= 8 )
p_name = (std_wstring *)name.u._Ptr;
name._Mysize = v180;
v48 = v180;
memmove(p_name, v46, 2 * v180);
p_name->u._Buf[v48] = 0;
}
v50 = &v177;
if ( v177._Myres >= 8 )
v50 = (std_string *)v177.u._Ptr;
if ( v177._Mysize > code._Myres )
{
LOBYTE(v49) = 0;
sub_140024470((void **)&code, v177._Mysize, v49, v50);
}
else
{
p_code = &code;
if ( code._Myres >= 8 )
p_code = (std_wstring *)code.u._Ptr;
code._Mysize = v177._Mysize;
Mysize = v177._Mysize;
memmove(p_code, v50, 2 * v177._Mysize);
p_code->u._Buf[Mysize] = 0;
}
}
else
{
_14003BF0C = 0;
if ( name._Mysize && code._Mysize )
{
if ( sub_14003E0A0((std_string *)&code) )
{
std::wstring::append(&code);
v10 = 1;
v42 = &code;
if ( code._Myres >= 8 )
v42 = (std_wstring *)code.u._Ptr;
cstring_140025F10(v99, v42->u._Buf);
set_reg_RC_14003CADC((__int64)a1, v99);
v43 = v99[0] + 0xFFFFFFF4;
if ( _InterlockedExchangeAdd((volatile signed __int32 *)v99[0] + 0x7FFFFFFE, 0xFFFFFFFF) <= 1 )
(*(void (__fastcall **)(_QWORD))(**(_QWORD **)v43 + 8i64))(*(_QWORD *)v43);
}
v44 = &code;
if ( code._Myres >= 8 )
v44 = (std_wstring *)code.u._Ptr;
v45 = &name;
if ( name._Myres >= 8 )
v45 = (std_wstring *)name.u._Ptr;
VerifySerialNumberW_14003C490(a1, (HINSTANCE)v45, v44->u._Buf, (int)v243);
}
}
if ( (unsigned int)j_IsRegistered_1400092B0((__int64)a1) == 3 )
{
v53 = &name;
if ( name._Myres >= 8 )
v53 = (std_wstring *)name.u._Ptr;
if ( v53 )
v54 = wcslen(v53->u._Buf);
else
v54 = 0;
ATL::CSimpleStringT<wchar_t,0>::SetString(a1 + 0x5C, v53, v54);
v55 = &code;
if ( code._Myres >= 8 )
v55 = (std_wstring *)code.u._Ptr;
if ( v55 )
v56 = wcslen(v55->u._Buf);
else
v56 = 0;
ATL::CSimpleStringT<wchar_t,0>::SetString(a1 + 0x5E, v55, v56);
v57 = ATL::CStringT<wchar_t,StrTraitMFC<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::TrimRight(a1 + 0x5E);
ATL::CStringT<wchar_t,StrTraitMFC<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::TrimLeft(v57);
v58 = v243[1];
*(_DWORD *)(a1 + 0x62) = v243[1];
if ( !v58 )
*((_DWORD *)a1 + 0x62) = 1;
if ( v58 == 0x3E7 && _14003BF0C )
{
v94[0] = 1;
v59 = (_BYTE *)sub_1400068F0((__int64)(a1 + 0x64));
*v59 = sub_1400366F4((__int64)v94);
}
}
else
{
SystemTime = 0i64;
GetSystemTime(&SystemTime);
if ( SystemTime.wYear >= 0x76Cu )
{
ATL::CTime::CTime(
(ATL::CTime *)&v100,
SystemTime.wYear,
SystemTime.wMonth,
SystemTime.wDay,
SystemTime.wHour,
SystemTime.wMinute,
SystemTime.wSecond,
0xFFFFFFFF);
v96 = v100;
}
else
{
v96 = 0i64;
}
if ( v10 )
{
v213 = 0i64;
v216 = 0xFi64;
v215 = 0xCi64;
memmove(&v213, "SimpleLogger", 0xCui64);
v214 = 0;
get_SimpleLogger_1400E9B50((__int64)&v121);
if ( v216 >= 0x10 )
{
v60 = v213;
if ( v216 + 1 >= 0x1000 )
{
v60 = (_BYTE *)*((_QWORD *)v213 + 0xFFFFFFFF);
if ( (unsigned __int64)((_BYTE *)v213 - v60 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v60);
}
v215 = 0i64;
v216 = 0xFi64;
LOBYTE(v213) = 0;
if ( v121 )
{
*(_QWORD *)&v120 = "SetFirstRunTime";
*((_QWORD *)&v120 + 1) = 0xFi64;
*(_QWORD *)&v92 = "G:\\Projects\\uninstall-tool\\UninstallTool\\LicenseManager\\LicenseManager.cpp";
DWORD2(v92) = 0x145;
*(_QWORD *)&X = "CLicenseManager::CheckRegistration";
v143 = v120;
v161 = v92;
v162 = "CLicenseManager::CheckRegistration";
sub_1400067A0(v121, (__int64)&v161, 2, &v143);
}
v61 = v122;
if ( v122 )
{
if ( _InterlockedExchangeAdd(v122 + 2, 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v61)(v61);
if ( _InterlockedExchangeAdd(v61 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v61 + 8i64))(v61);
}
}
sub_14003C584(a1, &v96);
}
else
{
v236.u._Ptr = 0i64;
v236._Mysize = 0i64;
v236._Myres = 7i64;
v184.u._Ptr = 0i64;
v184._Mysize = 0i64;
v184._Myres = 7i64;
reg_14003C2D0 = get_reg_14003C2D0((__int64)a1, L"RF", &v236);
LOBYTE(v95) = get_reg_14003C2D0((__int64)a1, L"RL", &v184);
v217 = 0i64;
v220 = 0xFi64;
v219 = 0xCi64;
memmove(&v217, "SimpleLogger", 0xCui64);
v218 = 0;
get_SimpleLogger_1400E9B50((__int64)&v124);
if ( v220 >= 0x10 )
{
v62 = v217;
if ( v220 + 1 >= 0x1000 )
{
v62 = (_BYTE *)*((_QWORD *)v217 + 0xFFFFFFFF);
if ( (unsigned __int64)((_BYTE *)v217 - v62 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v62);
}
v219 = 0i64;
v220 = 0xFi64;
LOBYTE(v217) = 0;
if ( v124 )
{
*(_QWORD *)&v123 = "sr1: {}";
*((_QWORD *)&v123 + 1) = 7i64;
*(_QWORD *)&v92 = "G:\\Projects\\uninstall-tool\\UninstallTool\\LicenseManager\\LicenseManager.cpp";
DWORD2(v92) = 0x152;
*(_QWORD *)&X = "CLicenseManager::CheckRegistration";
v144 = v123;
v163 = v92;
v164 = "CLicenseManager::CheckRegistration";
sub_1400371D4(v124, (unsigned int)&v163, 2, (unsigned int)&v144, (__int64)®_14003C2D0);
}
v63 = v125;
if ( v125 )
{
if ( _InterlockedExchangeAdd(v125 + 2, 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v63)(v63);
if ( _InterlockedExchangeAdd(v63 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v63 + 8i64))(v63);
}
}
v185 = 0i64;
v188 = 0xFi64;
v187 = 0xCi64;
memmove(&v185, "SimpleLogger", 0xCui64);
v186 = 0;
get_SimpleLogger_1400E9B50((__int64)&v127);
if ( v188 >= 0x10 )
{
v64 = v185;
if ( v188 + 1 >= 0x1000 )
{
v64 = (_BYTE *)*((_QWORD *)v185 + 0xFFFFFFFF);
if ( (unsigned __int64)((_BYTE *)v185 - v64 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v64);
}
v187 = 0i64;
v188 = 0xFi64;
LOBYTE(v185) = 0;
if ( v127 )
{
*(_QWORD *)&v126 = "sr2: {}";
*((_QWORD *)&v126 + 1) = 7i64;
*(_QWORD *)&v92 = "G:\\Projects\\uninstall-tool\\UninstallTool\\LicenseManager\\LicenseManager.cpp";
DWORD2(v92) = 0x153;
*(_QWORD *)&X = "CLicenseManager::CheckRegistration";
v145 = v126;
v165 = v92;
v166 = "CLicenseManager::CheckRegistration";
sub_1400371D4(v127, (unsigned int)&v165, 2, (unsigned int)&v145, (__int64)&v95);
}
v65 = v128;
if ( v128 )
{
if ( _InterlockedExchangeAdd(v128 + 2, 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v65)(v65);
if ( _InterlockedExchangeAdd(v65 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v65 + 8i64))(v65);
}
}
if ( !reg_14003C2D0 )
{
v224 = 0i64;
v225 = 0i64;
v226 = 0xFi64;
sub_14000A250((void **)&v224, "SimpleLogger");
get_SimpleLogger_1400E9B50((__int64)v130);
if ( v226 >= 0x10 )
{
v66 = v224;
if ( v226 + 1 >= 0x1000 )
{
v66 = (_BYTE *)v224[0xFFFFFFFF];
if ( (unsigned __int64)((char *)v224 - v66 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v66);
}
v225 = 0i64;
v226 = 0xFi64;
LOBYTE(v224) = 0;
if ( v130[0] )
{
*(_QWORD *)&v129 = "No RF !";
*((_QWORD *)&v129 + 1) = 7i64;
*(_QWORD *)&v92 = "G:\\Projects\\uninstall-tool\\UninstallTool\\LicenseManager\\LicenseManager.cpp";
DWORD2(v92) = 0x157;
*(_QWORD *)&X = "CLicenseManager::CheckRegistration";
v146 = v129;
v167 = v92;
v168 = "CLicenseManager::CheckRegistration";
sub_1400067A0(v130[0], (__int64)&v167, 2, &v146);
}
wWinMain_474_0(v130);
sub_14003C584(a1, &v96);
}
if ( v236._Mysize && v184._Mysize )
{
v67 = &v236;
if ( v236._Myres >= 8 )
v67 = (std_wstring *)v236.u._Ptr;
v68 = sub_1402BD7F0(v67);
v69 = &v184;
if ( v184._Myres >= 8 )
v69 = (std_wstring *)v184.u._Ptr;
v70 = sub_1402BD7F0(v69);
if ( v68 && v70 )
{
v71 = a1 + 0x63;
if ( v70 <= v96 )
{
*(_DWORD *)v71 = 0x1E - ((int)v96 - (int)v68) / 0x15180;
v230 = 0i64;
v231 = 0i64;
v232 = 0xFi64;
sub_14000A250((void **)&v230, "SimpleLogger");
get_SimpleLogger_1400E9B50((__int64)v134);
if ( v232 >= 0x10 )
{
v74 = v230;
if ( v232 + 1 >= 0x1000 )
{
v74 = (_BYTE *)v230[0xFFFFFFFF];
if ( (unsigned __int64)((char *)v230 - v74 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v74);
}
v231 = 0i64;
v232 = 0xFi64;
LOBYTE(v230) = 0;
if ( v134[0] )
{
*(_QWORD *)&v133 = "CLCK DS LT {}";
*((_QWORD *)&v133 + 1) = 0xDi64;
*(_QWORD *)&v92 = "G:\\Projects\\uninstall-tool\\UninstallTool\\LicenseManager\\LicenseManager.cpp";
DWORD2(v92) = 0x170;
*(_QWORD *)&X = "CLicenseManager::CheckRegistration";
v148 = v133;
v171 = v92;
v172 = "CLicenseManager::CheckRegistration";
sub_140036FA8(v134[0], (unsigned int)&v171, 2, (unsigned int)&v148, (__int64)(a1 + 0x63));
}
v73 = v134;
}
else
{
*(_DWORD *)v71 = 0xFFFFFFFF;
v227 = 0i64;
v228 = 0i64;
v229 = 0xFi64;
sub_14000A250((void **)&v227, "SimpleLogger");
get_SimpleLogger_1400E9B50((__int64)v132);
if ( v229 >= 0x10 )
{
v72 = v227;
if ( v229 + 1 >= 0x1000 )
{
v72 = (_BYTE *)v227[0xFFFFFFFF];
if ( (unsigned __int64)((char *)v227 - v72 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v72);
}
v228 = 0i64;
v229 = 0xFi64;
LOBYTE(v227) = 0;
if ( v132[0] )
{
*(_QWORD *)&v131 = "CLCK MVD BCK";
*((_QWORD *)&v131 + 1) = 0xCi64;
*(_QWORD *)&v92 = "G:\\Projects\\uninstall-tool\\UninstallTool\\LicenseManager\\LicenseManager.cpp";
DWORD2(v92) = 0x16A;
*(_QWORD *)&X = "CLicenseManager::CheckRegistration";
v147 = v131;
v169 = v92;
v170 = "CLicenseManager::CheckRegistration";
sub_1400067A0(v132[0], (__int64)&v169, 2, &v147);
}
v73 = v132;
}
wWinMain_474_0(v73);
if ( *((int *)a1 + 0x63) <= 0 )
{
*((_DWORD *)a1 + 0x63) = 0;
*((_BYTE *)a1 + 0x16C) = 1;
}
}
else
{
v233 = 0i64;
v234 = 0i64;
v235 = 0xFi64;
sub_14000A250((void **)&v233, "SimpleLogger");
get_SimpleLogger_1400E9B50((__int64)v136);
if ( v235 >= 0x10 )
{
v75 = v233;
if ( v235 + 1 >= 0x1000 )
{
v75 = (_BYTE *)v233[0xFFFFFFFF];
if ( (unsigned __int64)((char *)v233 - v75 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v75);
}
v234 = 0i64;
v235 = 0xFi64;
LOBYTE(v233) = 0;
if ( v136[0] )
{
*(_QWORD *)&v135 = "_atoi64 in LCMGR failed";
*((_QWORD *)&v135 + 1) = 0x17i64;
*(_QWORD *)&v92 = "G:\\Projects\\uninstall-tool\\UninstallTool\\LicenseManager\\LicenseManager.cpp";
DWORD2(v92) = 0x17C;
*(_QWORD *)&X = "CLicenseManager::CheckRegistration";
v149[0] = v135;
v173 = v92;
v174 = "CLicenseManager::CheckRegistration";
sub_1400067A0(v136[0], (__int64)&v173, 2, v149);
}
wWinMain_474_0(v136);
}
}
if ( v184._Myres >= 8 )
{
v76 = v184.u._Ptr;
if ( 2 * v184._Myres + 2 >= 0x1000 )
{
v76 = (wchar_t *)*((_QWORD *)v184.u._Ptr + 0xFFFFFFFF);
if ( (unsigned __int64)((char *)v184.u._Ptr - (char *)v76 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v76);
}
v184._Mysize = 0i64;
v184._Myres = 7i64;
v184.u._Buf[0] = 0;
if ( v236._Myres >= 8 )
{
v77 = v236.u._Ptr;
if ( 2 * v236._Myres + 2 >= 0x1000 )
{
v77 = (wchar_t *)*((_QWORD *)v236.u._Ptr + 0xFFFFFFFF);
if ( (unsigned __int64)((char *)v236.u._Ptr - (char *)v77 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v77);
}
}
sub_14003C66C(a1, &v96);
}
_InterlockedExchange((volatile __int32 *)a1 + 0x5A, 1);
if ( !sub_1400089E0((__int64)a1) )
{
*((_BYTE *)a1 + 0x16C) = 1;
*((_DWORD *)a1 + 0x63) = 0;
v237[0] = 0i64;
v238 = 0i64;
v239 = 0xFi64;
// 无法启动 'UninstallToolHelper.exe' 进程。 \n\n请重新安装软件。
sub_14000A250(v237, "Messages/msgCannotStartHelper");
str_1400F9430 = (const wchar_t *)xml_find_str_1400F9430(v247, v237);
if ( *((_QWORD *)str_1400F9430 + 3) >= 8ui64 )
str_1400F9430 = *(const wchar_t **)str_1400F9430;
v79 = (wchar_t *)*cstring_140025F10(&v101, str_1400F9430);
v221.u._Ptr = 0i64;
v221._Mysize = 0i64;
v221._Myres = 7i64;
v80 = 0xFFFFFFFFFFFFFFFFui64;
do
++v80;
while ( v79[v80] );
wstring_140024560(&v221, v79, v80);
v81 = (_QWORD *)(v101 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v101 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v81 + 8i64))(*v81);
unknown_libname_4(v247);
if ( v239 >= 0x10 )
{
v82 = v237[0];
if ( v239 + 1 >= 0x1000 )
{
v82 = (void *)*((_QWORD *)v237[0] + 0xFFFFFFFF);
if ( (unsigned __int64)(v237[0] - v82 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v82);
}
v238 = 0i64;
v239 = 0xFi64;
LOBYTE(v237[0]) = 0;
v240.u._Ptr = 0i64;
v240._Mysize = 0i64;
v240._Myres = 0i64;
wstring_14000A190(&v240, (std_wstring *)(a1 + 0x16));
if ( v240._Mysize )
{
v241.u._Ptr = 0i64;
v241._Mysize = 0i64;
v241._Myres = 7i64;
wstring_140024560(&v241, (wchar_t *)L"\n\n", 2ui64);
sub_140036680(v248, &v241);
std::wstring::append(&v221);
unknown_libname_4(v248);
if ( v241._Myres >= 8 )
{
v83 = v241.u._Ptr;
if ( 2 * v241._Myres + 2 >= 0x1000 )
{
v83 = (wchar_t *)*((_QWORD *)v241.u._Ptr + 0xFFFFFFFF);
if ( (unsigned __int64)((char *)v241.u._Ptr - (char *)v83 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v83);
}
}
v84 = &v221;
if ( v221._Myres >= 8 )
v84 = (std_wstring *)v221.u._Ptr;
info_dialog_14002B0A4(
(__int64)&UToolApp_140478C30,
*((_QWORD *)a1 + 0x2C),
(__int64)v84,
(__int64)L"Uninstall Tool",
0x30u);
CurrentProcess = GetCurrentProcess();
TerminateProcess(CurrentProcess, 0);
if ( v240._Myres >= 8 )
{
v86 = v240.u._Ptr;
if ( 2 * v240._Myres + 2 >= 0x1000 )
{
v86 = (wchar_t *)*((_QWORD *)v240.u._Ptr + 0xFFFFFFFF);
if ( (unsigned __int64)((char *)v240.u._Ptr - (char *)v86 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v86);
}
v240._Mysize = 0i64;
v240._Myres = 7i64;
v240.u._Buf[0] = 0;
if ( v221._Myres >= 8 )
{
v87 = v221.u._Ptr;
if ( 2 * v221._Myres + 2 >= 0x1000 )
{
v87 = (wchar_t *)*((_QWORD *)v221.u._Ptr + 0xFFFFFFFF);
if ( (unsigned __int64)((char *)v221.u._Ptr - (char *)v87 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v87);
}
}
if ( v177._Myres >= 8 )
{
v88 = v177.u._Ptr;
if ( 2 * v177._Myres + 2 >= 0x1000 )
{
v88 = (char *)*((_QWORD *)v177.u._Ptr + 0xFFFFFFFF);
if ( (unsigned __int64)(v177.u._Ptr - v88 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v88);
}
v177._Mysize = 0i64;
v177._Myres = 7i64;
*(_WORD *)v177.u._Buf = 0;
if ( v181 >= 8 )
{
v89 = Src[0];
if ( 2 * v181 + 2 >= 0x1000 )
{
v89 = (void *)*((_QWORD *)Src[0] + 0xFFFFFFFF);
if ( (unsigned __int64)(Src[0] - v89 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v89);
}
v180 = 0i64;
v181 = 7i64;
LOWORD(Src[0]) = 0;
if ( code._Myres >= 8 )
std::allocator<wchar_t>::deallocate(&code, code.u._Ptr, code._Myres + 1);
code._Mysize = 0i64;
code._Myres = 7i64;
code.u._Buf[0] = 0;
if ( name._Myres >= 8 )
std::allocator<wchar_t>::deallocate(&name, name.u._Ptr, name._Myres + 1);
name._Mysize = 0i64;
name._Myres = 7i64;
name.u._Buf[0] = 0;
if ( versionMN._Myres >= 8 )
std::allocator<wchar_t>::deallocate(&versionMN, versionMN.u._Ptr, versionMN._Myres + 1);
versionMN._Mysize = 0i64;
versionMN._Myres = 7i64;
versionMN.u._Buf[0] = 0;
if ( VersionMJ._Myres >= 8 )
std::allocator<wchar_t>::deallocate(&VersionMJ, VersionMJ.u._Ptr, VersionMJ._Myres + 1);
}
}
CLicenseManager::CheckRegistrationThread_14003BAE8
关键函数is_register_14003BEE0
struct CWinThread *__fastcall xthread_14003C754(_QWORD *a1, __int64 a2)
{
a1[0x2C] = a2;
return AfxBeginThread(
(unsigned int (__stdcall *)(void *))CLicenseManager::CheckRegistrationThread_14003BAE8,
a1,
0,
0,
0,
0i64);
}
__int64 __fastcall CLicenseManager::CheckRegistrationThread_14003BAE8(HINSTANCE a1)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
CLicenseManager::CheckRegistration_1400397D8(a1);
sub_14003C498(a1);
if ( (unsigned __int8)sub_14002D6F8(0xAi64, 0i64, 0i64) )
{
v2 = (HMODULE)sub_140104D00();
v3 = sub_1401050B0(v31, v2);
v4 = sub_14003F1F4(v3);
unknown_libname_4(v31);
if ( !v4 )
{
v11[0] = 1;
v5 = (_BYTE *)sub_1400068F0((char *)a1 + 0x191);
*v5 = sub_1400366F4(v11);
}
}
if ( !(unsigned __int8)is_register_14003BEE0(a1) )
return (unsigned __int8)is_register_14003BEE0(a1);
v25 = 0i64;
v28 = 0xFi64;
v27 = 0xCi64;
memmove(&v25, "SimpleLogger", 0xCui64);
v26 = 0;
get_SimpleLogger_1400E9B50(&v15, &v25);
if ( v28 >= 0x10 )
{
v6 = v25;
if ( v28 + 1 >= 0x1000 )
{
v6 = (_BYTE *)*((_QWORD *)v25 + 0xFFFFFFFF);
if ( (unsigned __int64)(v25 - v6 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v6);
}
v27 = 0i64;
v28 = 0xFi64;
LOBYTE(v25) = 0;
if ( v15 )
{
*(_QWORD *)&v12 = "startLicenseCheck";
*((_QWORD *)&v12 + 1) = 0x11i64;
*(_QWORD *)&v13 = "G:\\Projects\\uninstall-tool\\UninstallTool\\LicenseManager\\LicenseManager.cpp";
DWORD2(v13) = 0x1F7;
v14 = "CLicenseManager::CheckRegistrationThread";
v21 = v12;
v23 = v13;
v24 = "CLicenseManager::CheckRegistrationThread";
sub_1400067A0(v15, &v23, 2i64, &v21);
}
v7 = v16;
if ( v16 )
{
if ( _InterlockedExchangeAdd(v16 + 2, 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v7)(v7);
if ( _InterlockedExchangeAdd(v7 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v7 + 8i64))(v7);
}
}
sub_14003DFA0(a1, v29);
if ( v29[2] )
{
v8 = sub_1400EEA10(v22, a1 + 0x66);
sub_14003EBE0(a1 + 0x6E, v8);
v20 = 0i64;
if ( (unsigned __int8)sub_1400068A0(v31) )
{
v17[0] = (__int64)&___7___Func_impl_no_alloc_V___Binder_U_Unforced_std__P8CLicenseManager__EAAXU__pair_W4verify_php_code_license__V__basic_string_DU__char_traits_D_std__V__allocator_D_2__std___2__ZAEAPEAV3_AEBU___Ph__00_2__std__XU__pair_W4verify_php_code_license__V__basic_string_DU__char_traits_D_std__V__allocator_D_2__std___2__std__6B_;
v17[1] = (__int64)CLicenseManager::license_verify_callback_14003E150;
v18 = v31[8];
v19 = a1;
v20 = v17;
}
sub_140141B40(a1 + 0x6E, v29, v17);
}
if ( v30 < 0x10 )
return (unsigned __int8)is_register_14003BEE0(a1);
v9 = (void *)v29[0];
if ( v30 + 1 >= 0x1000 )
{
v9 = *(void **)(v29[0] - 8);
if ( (unsigned __int64)(v29[0] - (_QWORD)v9 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v9);
return (unsigned __int8)is_register_14003BEE0(a1);
}
VerifySerialNumberW_14003C490
通过execryptor sdk 进行验证
// __declspec(dllexport) TVerifyResult __stdcall EXECryptor_VerifySerialNumberW(const wchar_t *RegistrationName,
// const wchar_t *SerialNumber, TSerialNumberInfo *SNInfo = NULL, const wchar_t *HardwareID = NULL);
// attributes: thunk
int __stdcall VerifySerialNumberW_14003C490(
const wchar_t *RegistrationName,
const wchar_t *SerialNumber,
void *SNInfo,
const wchar_t *HardwareID)
{
return VerifySerialNumberW_140009350(RegistrationName, SerialNumber, SNInfo, HardwareID);
}
__int64 __fastcall VerifySerialNumberW_140009350(
const wchar_t *RegistrationName,
const wchar_t *SerialNumber,
void *SNInfo,
const wchar_t *HardwareID)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v8 = 0;
v9 = sub_1400254C0("VerifySerialNumberW");
sub_1400F5E10(v43, SerialNumber);
sub_1400F5E10(v41, (const WCHAR *)SNInfo);
v10 = v43;
if ( v44 >= 0x10 )
v10 = (__int64 *)v43[0];
v11 = sub_1400F0810((__int64)v9, 0i64);
if ( v11 )
{
v12 = sub_1400F0710(v11, "name");
sub_1400F3010(v12, (__int64)v10);
}
v13 = v41;
if ( v42 >= 0x10 )
v13 = (__int64 *)v41[0];
v14 = sub_1400F0810((__int64)v9, 0i64);
if ( v14 )
{
v15 = sub_1400F0710(v14, "code");
sub_1400F3010(v15, (__int64)v13);
}
v16 = EXECryptorHelper::ExecuteXMLRequest_140008A00((__int64)RegistrationName, (__int64)v9);
v17 = (__int64)v16;
if ( v16 )
{
v18 = sub_1400F0810((__int64)v16, 0i64);
if ( v18 && sub_1400F00E0(v18, "result", 0i64) )
{
v8 = unknown_libname_183();
if ( v8 == 3 )
{
v19 = sub_1400F0810(v17, 0i64);
if ( v19 && sub_1400F00E0(v19, "ExpiryMonth", 0i64) )
v20 = unknown_libname_183();
else
v20 = 0;
*((_DWORD *)HardwareID + 2) = v20;
v21 = sub_1400F0810(v17, 0i64);
if ( v21 && sub_1400F00E0(v21, "ExpiryYear", 0i64) )
v22 = unknown_libname_183();
else
v22 = 0;
*((_DWORD *)HardwareID + 3) = v22;
v23 = sub_1400F0810(v17, 0i64);
if ( v23 && sub_1400F00E0(v23, "F1", 0i64) )
v24 = unknown_libname_183();
else
v24 = 0;
*((_BYTE *)HardwareID + 0x10) = v24 != 0;
v25 = sub_1400F0810(v17, 0i64);
if ( v25 && sub_1400F00E0(v25, "F2", 0i64) )
v26 = unknown_libname_183();
else
v26 = 0;
*((_BYTE *)HardwareID + 0x11) = v26 != 0;
v27 = sub_1400F0810(v17, 0i64);
if ( v27 && sub_1400F00E0(v27, "F3", 0i64) )
v28 = unknown_libname_183();
else
v28 = 0;
*((_BYTE *)HardwareID + 0x12) = v28 != 0;
v29 = sub_1400F0810(v17, 0i64);
if ( v29 && sub_1400F00E0(v29, "F4", 0i64) )
v30 = unknown_libname_183();
else
v30 = 0;
*((_BYTE *)HardwareID + 0x13) = v30 != 0;
v31 = sub_1400F0810(v17, 0i64);
if ( v31 && sub_1400F00E0(v31, "F5", 0i64) )
v32 = unknown_libname_183();
else
v32 = 0;
*((_BYTE *)HardwareID + 0x14) = v32 != 0;
v33 = sub_1400F0810(v17, 0i64);
if ( v33 && sub_1400F00E0(v33, "F5", 0i64) )
v34 = unknown_libname_183();
else
v34 = 0;
*((_BYTE *)HardwareID + 0x15) = v34 != 0;
v35 = sub_1400F0810(v17, 0i64);
if ( v35 && sub_1400F00E0(v35, "LicType", 0i64) )
v36 = unknown_libname_183();
else
v36 = 0;
*(_DWORD *)HardwareID = v36;
v37 = sub_1400F0810(v17, 0i64);
if ( v37 && sub_1400F00E0(v37, "UserParam", 0i64) )
*((_DWORD *)HardwareID + 1) = unknown_libname_183();
else
*((_DWORD *)HardwareID + 1) = 0;
}
}
else
{
v8 = 0;
}
}
if ( v9 )
(*(void (__fastcall **)(_QWORD *, __int64))(*v9 + 0x78i64))(v9, 1i64);
if ( v17 )
(*(void (__fastcall **)(__int64, __int64))(*(_QWORD *)v17 + 0x78i64))(v17, 1i64);
if ( v42 >= 0x10 )
{
v38 = (void *)v41[0];
if ( v42 + 1 >= 0x1000 )
{
v38 = *(void **)(v41[0] - 8);
if ( (unsigned __int64)(v41[0] - (_QWORD)v38 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v38);
}
v41[2] = 0i64;
v42 = 0xFi64;
LOBYTE(v41[0]) = 0;
if ( v44 < 0x10 )
return v8;
v39 = (void *)v43[0];
if ( v44 + 1 >= 0x1000 )
{
v39 = *(void **)(v43[0] - 8);
if ( (unsigned __int64)(v43[0] - (_QWORD)v39 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v39);
return v8;
}
j_IsRegistered_1400092B0
IsRegistered_1400092B0
返回值enum TVerifyResult { vrInvalid, vrExpired, vrStolen, vrOK }; 3
__int64 __fastcall j_IsRegistered_1400092B0(__int64 a1)
{
return IsRegistered_1400092B0(a1);
}
__int64 __fastcall IsRegistered_1400092B0(__int64 a1)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v2 = 0;
v3 = sub_1400254C0("IsRegistered");
v4 = EXECryptorHelper::ExecuteXMLRequest_140008A00(a1, (__int64)v3);
v5 = v4;
if ( v4 )
{
v6 = sub_1400F0810((__int64)v4, 0i64);
if ( v6 )
{
if ( sub_1400F00E0(v6, "result", 0i64) )
v2 = unknown_libname_183();
}
}
if ( v3 )
(*(void (__fastcall **)(_QWORD *, __int64))(*v3 + 0x78i64))(v3, 1i64);
if ( v5 )
(*(void (__fastcall **)(_QWORD *, __int64))(*v5 + 0x78i64))(v5, 1i64);
return v2;
}
EXECryptorHelper 封装函数
log字符可定位到
.rdata:00000001403F3C10 00000023 C EXECryptorHelper::CreateX86Process
.rdata:00000001403F3C38 0000003A C G:\\Projects\\common\\deploy\\ExeCryptor\\EXECryptorHelper.cpp
.rdata:00000001403F3D78 00000024 C EXECryptorHelper::DestroyX86Process
.rdata:00000001403F3DE8 00000025 C EXECryptorHelper::CreateSharedMemory
.rdata:00000001403F3E50 0000002F C EXECryptorHelper::CreateProcessAndSharedMemory
.rdata:00000001403F3F00 00000032 C EXECryptorHelper::CheckProcessAndReCreateIfNeeded
.rdata:00000001403F4000 00000024 C EXECryptorHelper::ExecuteXMLRequest
EXECryptorHelper::ExecuteXMLRequest_140008A00
验证通过xml 与UninstallToolHelper.exe (EXECRYPTOR )通信。注册验证机制依托于execryptor sdk
本质相当于调用 VerifySerialNumberW、IsRegistered
#pragma pack(push,1)
typedef struct {
int LicType; //0..15
// if LicType = 1 then we get ExpiryMonth/ExpiryYear
// otherwise we get UserParam
int UserParam; //0..1023
int ExpiryMonth,//1..12
ExpiryYear; //2004..2024
bool F1,F2,F3,F4,F5,F6;
} TSerialNumberInfo;
#pragma pack(pop)
__declspec(dllexport) TVerifyResult __stdcall EXECryptor_VerifySerialNumber(const char *RegName,
const char *SerialNumber, TSerialNumberInfo *SNInfo = NULL, const char *HardwareID = NULL);
__declspec(dllexport) TVerifyResult __stdcall EXECryptor_VerifySerialNumberW(const wchar_t *RegistrationName,
const wchar_t *SerialNumber, TSerialNumberInfo *SNInfo = NULL, const wchar_t *HardwareID = NULL);
__declspec(dllexport) TVerifyResult __stdcall EXECryptor_DecodeSerialNumber(const char *RegistrationName,
const char *SerialNumber, TSerialNumberInfo *SNInfo = NULL, const char *HardwareID = NULL);
__declspec(dllexport) TVerifyResult __stdcall EXECryptor_DecodeSerialNumberW(const wchar_t *RegistrationName,
const wchar_t *SerialNumber, TSerialNumberInfo *SNInfo = NULL, const wchar_t *HardwareID = NULL);
#else
__declspec(dllexport) void __stdcall EXECryptor_SetCodeKey(const void *Key, int Size);
#endif
__declspec(dllexport) TVerifyResult __stdcall EXECryptor_IsRegistered();
__declspec(dllexport) DWORD __stdcall EXECryptor_RegConst_0();
__declspec(dllexport) DWORD __stdcall EXECryptor_RegConst_1();
__declspec(dllexport) DWORD __stdcall EXECryptor_RegConst_2();
__declspec(dllexport) DWORD __stdcall EXECryptor_RegConst_3();
__declspec(dllexport) DWORD __stdcall EXECryptor_RegConst_4();
__declspec(dllexport) DWORD __stdcall EXECryptor_RegConst_5();
__declspec(dllexport) DWORD __stdcall EXECryptor_RegConst_6();
__declspec(dllexport) DWORD __stdcall EXECryptor_RegConst_7();
#endif
_QWORD *__fastcall EXECryptorHelper::ExecuteXMLRequest_140008A00(__int64 a1, __int64 a2)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v4 = 0i64;
EnterCriticalSection((LPCRITICAL_SECTION)(a1 + 0x30));
EXECryptorHelper::CreateProcessAndSharedMemory_140008300(a1);
sub_140008730(a1);
if ( *(_QWORD *)(a1 + 8) && *(_QWORD *)(a1 + 0x28) )
{
memset(v32, 0, 0x138ui64);
sub_1400EF1E0(v32, 0i64, 0i64, 0i64);
(*(void (__fastcall **)(__int64, __int64 *))(*(_QWORD *)a2 + 0x70i64))(a2, v32);
v5 = (_BYTE *)v32[0x22];
if ( v32[0x22] )
{
v6 = 0xFFFFFFFFFFFFFFFFui64;
do
++v6;
while ( *(_BYTE *)(v32[0x22] + v6) );
if ( (int)v6 > 0x200 )
{
v31 = 0i64;
v19[0] = 0i64;
v20 = 0i64;
v21 = 0xFi64;
sub_140024100(v19, "SimpleLogger", 0xCui64);
get_SimpleLogger_1400E9B50((__int64)&v31);
if ( v21 >= 0x10 )
{
v14 = (void *)v19[0];
if ( v21 + 1 >= 0x1000 )
{
v14 = *(void **)(v19[0] - 8);
if ( (unsigned __int64)(v19[0] - (_QWORD)v14 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v14);
}
v20 = 0i64;
v21 = 0xFi64;
LOBYTE(v19[0]) = 0;
if ( (_QWORD)v31 )
{
*(_QWORD *)&v22 = "xml size too big";
*((_QWORD *)&v22 + 1) = 0x10i64;
v23 = v22;
*(_QWORD *)&v26 = "G:\\Projects\\common\\deploy\\ExeCryptor\\EXECryptorHelper.cpp";
DWORD2(v26) = 0x133;
v27 = "EXECryptorHelper::ExecuteXMLRequest";
v24 = v26;
v25 = "EXECryptorHelper::ExecuteXMLRequest";
sub_1400067A0(v31, (__int64)&v24, 4, &v23);
}
v13 = (volatile signed __int32 *)*((_QWORD *)&v31 + 1);
if ( !*((_QWORD *)&v31 + 1) )
goto LABEL_40;
}
else
{
memset(*(void **)(a1 + 0x28), 0, 0x200ui64);
v7 = 0xFFFFFFFFFFFFFFFFui64;
do
++v7;
while ( v5[v7] );
memmove(*(void **)(a1 + 0x28), v5, v7);
SetEvent(*(HANDLE *)(a1 + 0x10));
if ( WaitForSingleObject(*(HANDLE *)(a1 + 0x18), 0x1F40u) != 0x102 )
{
v8 = operator new(0x308ui64);
v9 = v8;
*(_QWORD *)&v30 = v8;
if ( v8 )
{
memset(v8, 0, 0x308ui64);
LOBYTE(v10) = 1;
sub_1400EF060(v9, v10, 0i64);
*v9 = &CXmlPacket::`vftable';
v4 = v9;
}
v11 = *(void **)(a1 + 0x28);
if ( v11 )
sub_1400F1800((int)v4, v11, 0xFFFFFFFFFFFFFFFFui64);
LABEL_40:
v32[0] = (__int64)&tinyxml2::XMLPrinter::`vftable';
if ( (__int64 *)v32[0x22] != &v32[0x23] )
j_free((void *)v32[0x22]);
if ( (__int64 *)v32[2] != &v32[3] )
j_free((void *)v32[2]);
goto LABEL_54;
}
v30 = 0i64;
v19[0] = 0i64;
v20 = 0i64;
v21 = 0xFi64;
sub_140024100(v19, "SimpleLogger", 0xCui64);
get_SimpleLogger_1400E9B50((__int64)&v30);
if ( v21 >= 0x10 )
{
v12 = (void *)v19[0];
if ( v21 + 1 >= 0x1000 )
{
v12 = *(void **)(v19[0] - 8);
if ( (unsigned __int64)(v19[0] - (_QWORD)v12 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v12);
}
v20 = 0i64;
v21 = 0xFi64;
LOBYTE(v19[0]) = 0;
if ( (_QWORD)v30 )
{
*(_QWORD *)&v22 = "WaitForSingleObject (m_RequestCompletedEvent) timeout";
*((_QWORD *)&v22 + 1) = 0x35i64;
v23 = v22;
*(_QWORD *)&v26 = "G:\\Projects\\common\\deploy\\ExeCryptor\\EXECryptorHelper.cpp";
DWORD2(v26) = 0x12E;
v27 = "EXECryptorHelper::ExecuteXMLRequest";
v24 = v26;
v25 = "EXECryptorHelper::ExecuteXMLRequest";
sub_1400067A0(v30, (__int64)&v24, 4, &v23);
}
v13 = (volatile signed __int32 *)*((_QWORD *)&v30 + 1);
if ( !*((_QWORD *)&v30 + 1) )
goto LABEL_40;
}
}
else
{
v28 = 0i64;
v19[0] = 0i64;
v20 = 0i64;
v21 = 0xFi64;
sub_140024100(v19, "SimpleLogger", 0xCui64);
get_SimpleLogger_1400E9B50((__int64)&v28);
if ( v21 >= 0x10 )
{
v15 = (void *)v19[0];
if ( v21 + 1 >= 0x1000 )
{
v15 = *(void **)(v19[0] - 8);
if ( (unsigned __int64)(v19[0] - (_QWORD)v15 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v15);
}
v20 = 0i64;
v21 = 0xFi64;
LOBYTE(v19[0]) = 0;
if ( (_QWORD)v28 )
{
*(_QWORD *)&v22 = "xml generation error";
*((_QWORD *)&v22 + 1) = 0x14i64;
v23 = v22;
*(_QWORD *)&v26 = "G:\\Projects\\common\\deploy\\ExeCryptor\\EXECryptorHelper.cpp";
DWORD2(v26) = 0x138;
v27 = "EXECryptorHelper::ExecuteXMLRequest";
v24 = v26;
v25 = "EXECryptorHelper::ExecuteXMLRequest";
sub_1400067A0(v28, (__int64)&v24, 4, &v23);
}
v13 = (volatile signed __int32 *)*((_QWORD *)&v28 + 1);
if ( !*((_QWORD *)&v28 + 1) )
goto LABEL_40;
}
if ( _InterlockedExchangeAdd(v13 + 2, 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v13)(v13);
if ( _InterlockedExchangeAdd(v13 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v13 + 8i64))(v13);
}
goto LABEL_40;
}
v26 = 0i64;
v19[0] = 0i64;
v20 = 0i64;
v21 = 0xFi64;
sub_140024100(v19, "SimpleLogger", 0xCui64);
get_SimpleLogger_1400E9B50((__int64)&v26);
if ( v21 >= 0x10 )
{
v16 = (void *)v19[0];
if ( v21 + 1 >= 0x1000 )
{
v16 = *(void **)(v19[0] - 8);
if ( (unsigned __int64)(v19[0] - (_QWORD)v16 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v16);
}
v20 = 0i64;
v21 = 0xFi64;
LOBYTE(v19[0]) = 0;
if ( (_QWORD)v26 )
{
*(_QWORD *)&v22 = "Cannot execute XML request, process not active or shared memory not opened";
*((_QWORD *)&v22 + 1) = 0x4Ai64;
v23 = v22;
*(_QWORD *)&v28 = "G:\\Projects\\common\\deploy\\ExeCryptor\\EXECryptorHelper.cpp";
DWORD2(v28) = 0x13F;
v29 = "EXECryptorHelper::ExecuteXMLRequest";
v24 = v28;
v25 = "EXECryptorHelper::ExecuteXMLRequest";
sub_1400067A0(v26, (__int64)&v24, 4, &v23);
}
v17 = (volatile signed __int32 *)*((_QWORD *)&v26 + 1);
if ( *((_QWORD *)&v26 + 1) )
{
if ( _InterlockedExchangeAdd((volatile signed __int32 *)(*((_QWORD *)&v26 + 1) + 8i64), 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v17)(v17);
if ( _InterlockedExchangeAdd(v17 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v17 + 8i64))(v17);
}
}
LABEL_54:
LeaveCriticalSection((LPCRITICAL_SECTION)(a1 + 0x30));
return v4;
}
EXECryptorHelper::CreateProcessAndSharedMemory_140008300
void __fastcall EXECryptorHelper::CreateProcessAndSharedMemory_140008300(__int64 a1)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
if ( byte_14046AEC8 )
{
v2 = EXECryptorHelper::CreateX86Process_140007090();
*(_QWORD *)(a1 + 8) = v2;
if ( v2 )
{
v35 = 0i64;
v12 = 0i64;
v13 = 0i64;
v14 = 0xFi64;
sub_140024100(&v12, "SimpleLogger", 0xCui64);
get_SimpleLogger_1400E9B50((__int64)&v35);
if ( v14 >= 0x10 )
{
v3 = v12;
if ( v14 + 1 >= 0x1000 )
{
v3 = (_BYTE *)*((_QWORD *)v12 + 0xFFFFFFFF);
if ( (unsigned __int64)(v12 - v3 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v3);
}
v13 = 0i64;
v14 = 0xFi64;
LOBYTE(v12) = 0;
if ( (_QWORD)v35 )
{
*(_QWORD *)&v23 = "CreateX86Process OK";
*((_QWORD *)&v23 + 1) = 0x13i64;
v26 = v23;
*(_QWORD *)&v21 = "G:\\Projects\\common\\deploy\\ExeCryptor\\EXECryptorHelper.cpp";
DWORD2(v21) = 0xD5;
v22 = "EXECryptorHelper::CreateProcessAndSharedMemory";
v28 = v21;
v29 = "EXECryptorHelper::CreateProcessAndSharedMemory";
sub_1400067A0(v35, (__int64)&v28, 2, &v26);
}
v4 = (volatile signed __int32 *)*((_QWORD *)&v35 + 1);
if ( *((_QWORD *)&v35 + 1) )
{
if ( _InterlockedExchangeAdd((volatile signed __int32 *)(*((_QWORD *)&v35 + 1) + 8i64), 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v4)(v4);
if ( _InterlockedExchangeAdd(v4 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v4 + 8i64))(v4);
}
}
v5 = sub_140007FE0(a1);
*(_QWORD *)(a1 + 0x28) = v5;
if ( v5 )
{
v36 = 0i64;
v15 = 0i64;
v16 = 0i64;
v17 = 0xFi64;
sub_140024100(&v15, "SimpleLogger", 0xCui64);
get_SimpleLogger_1400E9B50((__int64)&v36);
if ( v17 >= 0x10 )
{
v6 = v15;
if ( v17 + 1 >= 0x1000 )
{
v6 = (_BYTE *)*((_QWORD *)v15 + 0xFFFFFFFF);
if ( (unsigned __int64)(v15 - v6 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v6);
}
v16 = 0i64;
v17 = 0xFi64;
LOBYTE(v15) = 0;
if ( (_QWORD)v36 )
{
*(_QWORD *)&v24 = "CreateSharedMemory OK";
*((_QWORD *)&v24 + 1) = 0x15i64;
v27 = v24;
*(_QWORD *)&v10 = "G:\\Projects\\common\\deploy\\ExeCryptor\\EXECryptorHelper.cpp";
DWORD2(v10) = 0xDB;
v11 = "EXECryptorHelper::CreateProcessAndSharedMemory";
v30 = v10;
v31 = "EXECryptorHelper::CreateProcessAndSharedMemory";
sub_1400067A0(v36, (__int64)&v30, 2, &v27);
}
v7 = (volatile signed __int32 *)*((_QWORD *)&v36 + 1);
}
else
{
v34 = 0i64;
v18 = 0i64;
v19 = 0i64;
v20 = 0xFi64;
sub_140024100(&v18, "SimpleLogger", 0xCui64);
get_SimpleLogger_1400E9B50((__int64)&v34);
if ( v20 >= 0x10 )
{
v8 = v18;
if ( v20 + 1 >= 0x1000 )
{
v8 = (_BYTE *)*((_QWORD *)v18 + 0xFFFFFFFF);
if ( (unsigned __int64)(v18 - v8 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v8);
}
v19 = 0i64;
v20 = 0xFi64;
LOBYTE(v18) = 0;
if ( (_QWORD)v34 )
{
LastError = GetLastError();
*(_QWORD *)&v25 = "CreateSharedMemory failed with error {}";
*((_QWORD *)&v25 + 1) = 0x27i64;
*(_QWORD *)&v10 = "G:\\Projects\\common\\deploy\\ExeCryptor\\EXECryptorHelper.cpp";
DWORD2(v10) = 0xDF;
v11 = "EXECryptorHelper::CreateProcessAndSharedMemory";
v21 = v25;
v32 = v10;
v33 = "EXECryptorHelper::CreateProcessAndSharedMemory";
sub_14000C8E0(v34, (unsigned int)&v32, 4, (unsigned int)&v21, (__int64)&LastError);
}
v7 = (volatile signed __int32 *)*((_QWORD *)&v34 + 1);
}
if ( v7 && _InterlockedExchangeAdd(v7 + 2, 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v7)(v7);
if ( _InterlockedExchangeAdd(v7 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v7 + 8i64))(v7);
}
}
byte_14046AEC8 = 0;
}
}
EXECryptorHelper::CreateX86Process_140007090
HANDLE __fastcall EXECryptorHelper::CreateX86Process_140007090(__int64 a1)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
hProcess = 0i64;
sub_140006F00(a1, Source);
v3 = (HMODULE)sub_140104D00();
sub_140105230((__int64)v78, v3);
v72 = 0i64;
v73 = 0i64;
v77 = 0i64;
v34[0] = 0i64;
v35 = 0i64;
v36 = 0xFi64;
sub_140024100(v34, "SimpleLogger", 0xCui64);
get_SimpleLogger_1400E9B50((__int64)&v77);
if ( v36 >= 0x10 )
{
v4 = v34[0];
if ( v36 + 1 >= 0x1000 )
{
v4 = (void *)*((_QWORD *)v34[0] + 0xFFFFFFFF);
if ( (unsigned __int64)(v34[0] - v4 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v4);
}
v35 = 0i64;
v36 = 0xFi64;
LOBYTE(v34[0]) = 0;
if ( (_QWORD)v77 )
{
v5 = Source;
if ( v76 >= 8 )
v5 = (wchar_t **)Source[0];
v37[0] = sub_1400FC660(v5);
*(_QWORD *)&v33 = L"{} file size is {}";
*((_QWORD *)&v33 + 1) = 0x12i64;
*(_QWORD *)&v47 = "G:\\Projects\\common\\deploy\\ExeCryptor\\EXECryptorHelper.cpp";
DWORD2(v47) = 0x59;
v48 = "EXECryptorHelper::CreateX86Process";
v50 = v33;
v60 = v47;
v61 = "EXECryptorHelper::CreateX86Process";
sub_14000C340(v77, (unsigned int)&v60, v6, (unsigned int)&v50, a1 + 0xA0, (__int64)v37);
}
v7 = (volatile signed __int32 *)*((_QWORD *)&v77 + 1);
if ( *((_QWORD *)&v77 + 1) )
{
if ( _InterlockedExchangeAdd((volatile signed __int32 *)(*((_QWORD *)&v77 + 1) + 8i64), 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v7)(v7);
if ( _InterlockedExchangeAdd(v7 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v7 + 8i64))(v7);
}
}
v8 = (wchar_t *)Source;
if ( v76 >= 8 )
v8 = Source[0];
if ( (unsigned __int8)sub_1400FBB50(v8) )
{
v9 = (char *)v72;
v10 = *((_QWORD *)&v72 + 1) - v72;
v84 = 0i64;
v11 = 0i64;
v85 = 0i64;
v87 = 0x67452301;
v88 = 0xEFCDAB89;
v89 = 0x98BADCFE;
v90 = 0x10325476;
v91 = 0xC3D2E1F0;
if ( *((_QWORD *)&v72 + 1) != (_QWORD)v72 )
{
if ( v10 >= 0x40 )
{
v12 = v10 >> 6;
v10 += 0xFFFFFFFFFFFFFFC0ui64 * (v10 >> 6);
do
{
sub_140024790(&v84, v9);
v9 += 0x40;
v84 += 0x40i64;
--v12;
}
while ( v12 );
v11 = v85;
}
for ( ; v10; --v10 )
{
v86[v11] = *v9;
v11 = ++v85;
++v9;
}
}
sub_140024DA0(&v84, v82);
if ( (unsigned __int8)sub_1400EBE30(v82, a1 + 0xC0) || !*(_BYTE *)(a1 + 0x78) )
{
memset(&StartupInfo, 0, sizeof(StartupInfo));
StartupInfo.cb = 0x68;
StartupInfo.dwFlags = 0x80;
memset(&ProcessInformation, 0, sizeof(ProcessInformation));
v17 = (const wchar_t *)Source;
if ( v76 >= 8 )
v17 = Source[0];
wcscpy_s(sz, 0x800ui64, v17);
PathQuoteSpacesW(sz);
CurrentProcessId = GetCurrentProcessId();
*(_QWORD *)&v54 = L" /pid:{}";
*((_QWORD *)&v54 + 1) = 8i64;
LODWORD(v74) = CurrentProcessId;
v70 = v74;
*(_QWORD *)&v53 = 2i64;
*((_QWORD *)&v53 + 1) = &v70;
v69 = v53;
v68 = v54;
sub_14000C6D0(lpString2);
v19 = (const WCHAR *)lpString2;
if ( v58 >= 8 )
v19 = lpString2[0];
lstrcatW(sz, v19);
if ( v58 >= 8 )
{
v20 = (WCHAR *)lpString2[0];
if ( 2 * v58 + 2 >= 0x1000 )
{
v20 = (WCHAR *)*((_QWORD *)lpString2[0] + 0xFFFFFFFF);
if ( (unsigned __int64)((char *)lpString2[0] - (char *)v20 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v20);
}
lpCurrentDirectory = (const WCHAR *)v78;
if ( v79 >= 8 )
lpCurrentDirectory = v78[0];
if ( CreateProcessW(0i64, sz, 0i64, 0i64, 0, 0x20u, 0i64, lpCurrentDirectory, &StartupInfo, &ProcessInformation) )
{
hProcess = ProcessInformation.hProcess;
CloseHandle(ProcessInformation.hThread);
}
else
{
v74 = 0i64;
v41 = 0i64;
v42 = 0i64;
v43 = 0xFi64;
sub_140024100((void **)&v41, "SimpleLogger", 0xCui64);
get_SimpleLogger_1400E9B50((__int64)&v74);
if ( v43 >= 0x10 )
{
v22 = v41;
if ( v43 + 1 >= 0x1000 )
{
v22 = (_BYTE *)v41[0xFFFFFFFF];
if ( (unsigned __int64)((char *)v41 - v22 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v22);
}
v42 = 0i64;
v43 = 0xFi64;
LOBYTE(v41) = 0;
if ( (_QWORD)v74 )
{
LastError = GetLastError();
*(_QWORD *)&v55 = "Failed to create X86 process, error={}";
*((_QWORD *)&v55 + 1) = 0x26i64;
*(_QWORD *)&v31 = "G:\\Projects\\common\\deploy\\ExeCryptor\\EXECryptorHelper.cpp";
DWORD2(v31) = 0x7A;
v59 = v55;
v64 = v31;
v65 = "EXECryptorHelper::CreateX86Process";
sub_14000C8E0(v74, (unsigned int)&v64, 4, (unsigned int)&v59, (__int64)&LastError);
}
v23 = (volatile signed __int32 *)*((_QWORD *)&v74 + 1);
if ( *((_QWORD *)&v74 + 1) )
{
if ( _InterlockedExchangeAdd((volatile signed __int32 *)(*((_QWORD *)&v74 + 1) + 8i64), 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v23)(v23);
if ( _InterlockedExchangeAdd(v23 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v23 + 8i64))(v23);
}
}
}
}
else
{
v80 = 0i64;
v45 = 0i64;
v46 = 0xFi64;
v44 = 0i64;
sub_140024100((void **)&v44, "SimpleLogger", 0xCui64);
get_SimpleLogger_1400E9B50((__int64)&v80);
if ( v46 >= 0x10 )
{
v14 = v44;
if ( v46 + 1 >= 0x1000 )
{
v14 = (_BYTE *)v44[0xFFFFFFFF];
if ( (unsigned __int64)((char *)v44 - v14 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v14);
}
v45 = 0i64;
v46 = 0xFi64;
LOBYTE(v44) = 0;
if ( (_QWORD)v80 )
{
v49 = *((_QWORD *)&v72 + 1) - v72;
*(_QWORD *)&v52 = "Failed to create X86 process, match error, size={}, hash={}";
*((_QWORD *)&v52 + 1) = 0x3Bi64;
*(_QWORD *)&v31 = "G:\\Projects\\common\\deploy\\ExeCryptor\\EXECryptorHelper.cpp";
DWORD2(v31) = 0x7F;
v51 = v52;
v62 = v31;
v63 = "EXECryptorHelper::CreateX86Process";
sub_14000CB30(v80, (unsigned int)&v62, v13, (unsigned int)&v51, (__int64)&v49, (__int64)v82);
}
v15 = (volatile signed __int32 *)*((_QWORD *)&v80 + 1);
if ( *((_QWORD *)&v80 + 1) )
{
if ( _InterlockedExchangeAdd((volatile signed __int32 *)(*((_QWORD *)&v80 + 1) + 8i64), 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v15)(v15);
if ( _InterlockedExchangeAdd(v15 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v15 + 8i64))(v15);
}
}
v37[0] = L"Version mismatch ({})";
v37[1] = 0x15i64;
*(_QWORD *)&v51 = *((_QWORD *)&v72 + 1) - v72;
v50 = v51;
*(_QWORD *)&v33 = 4i64;
*((_QWORD *)&v33 + 1) = &v50;
sub_14000C6D0(v34);
sub_140009F10(a1 + 0x58, v34);
if ( v36 >= 8 )
{
v16 = v34[0];
if ( 2 * v36 + 2 >= 0x1000 )
{
v16 = (void *)*((_QWORD *)v34[0] + 0xFFFFFFFF);
if ( (unsigned __int64)(v34[0] - v16 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v16);
}
}
if ( v83 >= 0x10 )
{
v24 = (void *)v82[0];
if ( v83 + 1 >= 0x1000 )
{
v24 = *(void **)(v82[0] - 8);
if ( (unsigned __int64)(v82[0] - (_QWORD)v24 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v24);
}
}
else
{
v81 = 0i64;
v38 = 0i64;
v39 = 0i64;
v40 = 0xFi64;
sub_140024100((void **)&v38, "SimpleLogger", 0xCui64);
get_SimpleLogger_1400E9B50((__int64)&v81);
if ( v40 >= 0x10 )
{
v25 = v38;
if ( v40 + 1 >= 0x1000 )
{
v25 = (_BYTE *)v38[0xFFFFFFFF];
if ( (unsigned __int64)((char *)v38 - v25 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v25);
}
v39 = 0i64;
v40 = 0xFi64;
LOBYTE(v38) = 0;
if ( (_QWORD)v81 )
{
*(_QWORD *)&v56 = "Failed to create X86 process, fileToByteArray failed";
*((_QWORD *)&v56 + 1) = 0x34i64;
v47 = v56;
*(_QWORD *)&v31 = "G:\\Projects\\common\\deploy\\ExeCryptor\\EXECryptorHelper.cpp";
DWORD2(v31) = 0x86;
v66 = v31;
v67 = "EXECryptorHelper::CreateX86Process";
sub_1400067A0(v81, (__int64)&v66, 4, &v47);
}
v26 = (volatile signed __int32 *)*((_QWORD *)&v81 + 1);
if ( *((_QWORD *)&v81 + 1) )
{
if ( _InterlockedExchangeAdd((volatile signed __int32 *)(*((_QWORD *)&v81 + 1) + 8i64), 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v26)(v26);
if ( _InterlockedExchangeAdd(v26 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v26 + 8i64))(v26);
}
}
}
v27 = (void *)v72;
if ( (_QWORD)v72 )
{
if ( (unsigned __int64)(v73 - v72) >= 0x1000 )
{
v27 = *(void **)(v72 - 8);
if ( (unsigned __int64)(v72 - (_QWORD)v27 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v27);
v72 = 0i64;
v73 = 0i64;
}
if ( v79 >= 8 )
{
v28 = (WCHAR *)v78[0];
if ( 2 * v79 + 2 >= 0x1000 )
{
v28 = (WCHAR *)*((_QWORD *)v78[0] + 0xFFFFFFFF);
if ( (unsigned __int64)((char *)v78[0] - (char *)v28 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v28);
}
v78[2] = 0i64;
v79 = 7i64;
LOWORD(v78[0]) = 0;
if ( v76 < 8 )
return hProcess;
v29 = Source[0];
if ( 2 * v76 + 2 >= 0x1000 )
{
v29 = (wchar_t *)*((_QWORD *)Source[0] + 0xFFFFFFFF);
if ( (unsigned __int64)((char *)Source[0] - (char *)v29 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v29);
return hProcess;
}
EXECryptorHelper::DestroyX86Process_140007C00
void __fastcall EXECryptorHelper::DestroyX86Process_140007C00(__int64 a1)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v31 = 0i64;
v14 = 0i64;
v15 = 0i64;
v16 = 0xFi64;
sub_140024100((void **)&v14, "SimpleLogger", 0xCui64);
get_SimpleLogger_1400E9B50((__int64)&v31);
if ( v16 >= 0x10 )
{
v2 = v14;
if ( v16 + 1 >= 0x1000 )
{
v2 = (_BYTE *)v14[0xFFFFFFFF];
if ( (unsigned __int64)((char *)v14 - v2 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v2);
}
v15 = 0i64;
v16 = 0xFi64;
LOBYTE(v14) = 0;
v3 = (_QWORD *)v31;
if ( (_QWORD)v31 )
{
*(_QWORD *)&v20 = "DestroyX86Process";
*((_QWORD *)&v20 + 1) = 0x11i64;
*(_QWORD *)&v13 = "G:\\Projects\\common\\deploy\\ExeCryptor\\EXECryptorHelper.cpp";
DWORD2(v13) = 0x8E;
v4 = *(_DWORD *)(v31 + 0x40);
v5 = sub_1400E4EC0(v31 + 0x88);
v6 = v5;
if ( v4 <= 2 || v5 )
{
v23 = v20;
v7 = v3 + 1;
if ( v3[4] >= 0x10ui64 )
v7 = (_QWORD *)v3[1];
*(_QWORD *)&v21 = v7;
*((_QWORD *)&v21 + 1) = v3[3];
v24 = v21;
v26 = v13;
v27 = "EXECryptorHelper::DestroyX86Process";
sub_1400E1C10((__int64)v33, &v26, &v24, 2, &v23);
sub_1400E9E60((__int64)v3, (__int64)v33, v4 <= 2, v6);
}
}
v8 = (volatile signed __int32 *)*((_QWORD *)&v31 + 1);
if ( *((_QWORD *)&v31 + 1) )
{
if ( _InterlockedExchangeAdd((volatile signed __int32 *)(*((_QWORD *)&v31 + 1) + 8i64), 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v8)(v8);
if ( _InterlockedExchangeAdd(v8 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v8 + 8i64))(v8);
}
}
if ( *(_QWORD *)(a1 + 8) )
{
v9 = sub_1400254C0();
v10 = EXECryptorHelper::ExecuteXMLRequest_140008A00(a1, (__int64)v9);
if ( v9 )
(*(void (__fastcall **)(_QWORD *, __int64))(*v9 + 0x78i64))(v9, 1i64);
if ( v10 )
(*(void (__fastcall **)(_QWORD *, __int64))(*v10 + 0x78i64))(v10, 1i64);
WaitForSingleObject(*(HANDLE *)(a1 + 8), 0x64u);
ExitCode = 0;
GetExitCodeProcess(*(HANDLE *)(a1 + 8), &ExitCode);
if ( ExitCode == 0x103 )
{
v32 = 0i64;
v17 = 0i64;
v18 = 0i64;
v19 = 0xFi64;
sub_140024100((void **)&v17, "SimpleLogger", 0xCui64);
get_SimpleLogger_1400E9B50((__int64)&v32);
if ( v19 >= 0x10 )
{
v11 = v17;
if ( v19 + 1 >= 0x1000 )
{
v11 = (_BYTE *)v17[0xFFFFFFFF];
if ( (unsigned __int64)((char *)v17 - v11 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v11);
}
v18 = 0i64;
v19 = 0xFi64;
LOBYTE(v17) = 0;
if ( (_QWORD)v32 )
{
*(_QWORD *)&v22 = "TerminateProcess";
*((_QWORD *)&v22 + 1) = 0x10i64;
v25 = v22;
*(_QWORD *)&v13 = "G:\\Projects\\common\\deploy\\ExeCryptor\\EXECryptorHelper.cpp";
DWORD2(v13) = 0xA3;
v28 = v13;
v29 = "EXECryptorHelper::DestroyX86Process";
sub_1400067A0(v32, (__int64)&v28, 2, &v25);
}
v12 = (volatile signed __int32 *)*((_QWORD *)&v32 + 1);
if ( *((_QWORD *)&v32 + 1)
&& _InterlockedExchangeAdd((volatile signed __int32 *)(*((_QWORD *)&v32 + 1) + 8i64), 0xFFFFFFFF) == 1 )
{
(**(void (__fastcall ***)(volatile signed __int32 *))v12)(v12);
if ( _InterlockedExchangeAdd(v12 + 3, 0xFFFFFFFF) == 1 )
(*(void (__fastcall **)(volatile signed __int32 *))(*(_QWORD *)v12 + 8i64))(v12);
}
TerminateProcess(*(HANDLE *)(a1 + 8), 0);
}
*(_QWORD *)(a1 + 8) = 0i64;
}
}
patch
execryptor 是0几年的壳了,其vm已有分析,但还原分析仍然有难度。
其实可以去分析eckegen.dll(github 可得)的相关导出,在了解其逻辑后爆破、替换key或者patch key 后制作注册机。
patch校验函数最为简单,并且可以去除UninstallToolHelper.exe
patch1
CLicenseManager::CheckRegistration_1400397D8
00000001400397D | 48:8BC4 | mov rax,rsp | CLicenseManager::CheckRegistration_1400397D8
patch 后
00000001400397D | C3 | ret | CLicenseManager::CheckRegistration_1400397D8
patch2
许可类型/用户数 3E7
000000014003BDE | 8B81 88010000 | mov eax,dword ptr ds:[rcx+188] | 3e7
000000014003BDE | C3 | ret |
patch 后
000000014003BDE | B8 E7030000 | mov eax,3E7 | 3e7
000000014003BDE | C3 | ret |
//sub_140028368
//通过 “未注册版本” Trial/txtUnregisteredBig 定位到
if ( is_register_14003BEE0(v4) )
{
v5 = sub_14025F27C();
if ( !v5 )
unknown_libname_676(0x80004005);
v32 = ((__int64 (__fastcall *)(void ***))(*v5)[3])(v5) + 0x18;
// a1 + 0x290;
v6 = get_lic_info_14002A384((__int64)&UToolApp_140478C30);
// *(unsigned int *)(a1 + 0x188);
v7 = get_lic_type_14003BDE4(v6); // 188h
v8 = v7;
if ( v7 == 1 )
{
v9 = wcslen(L"Single Computer License");
v10 = L"Single Computer License";
}
else
{
sub_140026D50(&v32, L"%d Computers License", v7);
if ( v8 == 0x3E7 )
{
v9 = wcslen(L"Portable License");
v10 = L"Portable License";
}
else
{
if ( v8 != 0x3E6 )
{
LABEL_16:
v11 = get_lic_info_14002A384((__int64)&UToolApp_140478C30);
v12 = *(_DWORD *)(*(_QWORD *)sub_14003BDB0(v11, &v33) - 0x10i64);
v13 = (_QWORD *)(v33 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v33 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v13 + 8i64))(*v13);
v14 = get_lic_info_14002A384((__int64)&UToolApp_140478C30);
if ( v12 )
{
v15 = sub_14003BDB0(v14, &v38);
v16 = sub_140025E14(&v37, L"/");
v17 = get_lic_info_14002A384((__int64)&UToolApp_140478C30);
v18 = sub_14003BDEC(v17, &v36);
v19 = sub_1400263AC(&v35, v18, v16);
v20 = (__int64 *)sub_1400263AC(&v34, v19, v15);
sub_14002626C(&v31, v20);
v21 = (_QWORD *)(v34 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v34 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v21 + 8i64))(*v21);
v22 = (_QWORD *)(v35 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v35 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v22 + 8i64))(*v22);
v23 = (_QWORD *)(v36 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v36 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v23 + 8i64))(*v23);
v24 = (_QWORD *)(v37 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v37 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v24 + 8i64))(*v24);
v25 = v38;
}
else
{
v26 = (__int64 *)sub_14003BDEC(v14, &v39);
sub_14002626C(&v31, v26);
v25 = v39;
}
v27 = (volatile signed __int32 *)(v25 - 0x18);
if ( _InterlockedDecrement(v27 + 4) <= 0 )
(*(void (__fastcall **)(_QWORD))(**(_QWORD **)v27 + 8i64))(*(_QWORD *)v27);
sub_14002644C(&v31, &word_1403575B8);
v28 = (volatile signed __int32 *)(v32 - 0x18);
ATL::CSimpleStringT<wchar_t,0>::Append(&v31, v32, *(unsigned int *)(v32 - 0x18 + 8));
if ( _InterlockedDecrement(v28 + 4) <= 0 )
(*(void (__fastcall **)(_QWORD, volatile signed __int32 *))(**(_QWORD **)v28 + 8i64))(*(_QWORD *)v28, v28);
goto LABEL_33;
}
v9 = wcslen(L"Corporate License");
v10 = L"Corporate License";
}
}
patch3
nop 线程函数,该函数创建线程调用CLicenseManager::CheckRegistrationThread
nop 该call
000000014004B3F | E8 5913FFFF | call <uninstalltool_x64 - 副本.check_thread> | thread==> CLicenseManager::CheckRegistrationThread
patch4
is_register_14003BEE0
enum TVerifyResult { vrInvalid, vrExpired, vrStolen, vrOK };
000000014003BEE | 40:53 | push rbx | is_register_14003BEE0==>ret 3
patch后
000000014003BEE | B0 03 | mov al,3 | is_register_14003BEE0==>ret 3
000000014003BEE | C3 | ret |
完成patch后UninstallToolHelper.exe 已不再需要
问题:
patch 后程序在安装“跟踪安装”时存在错误:
无法打开 CisUtMonitor 服务。请重新安装本程序
跟踪定位到sub_14007EB10
因为将UninstallTool_x64.dat patch后重命名为.exe,导致程序出错,
重新命名为UninstallTool_x64.dat 使用UninstallToolPortable.exe启动器成功
其实也可以去掉启动器UninstallToolPortable.exe,直接在cmd里执行.dat
other
cmdline
/dbg_log 将在目录下生成.log 文件
parse_cmdline_14002B0C0
.rdata:0000000140358430 aSkipUac: ; DATA XREF: sub_14002B0C0:loc_14002B1E4↑o
.rdata:0000000140358430 text "UTF-16LE", '/skip_uac',0
.rdata:0000000140358444 align 8
.rdata:0000000140358448 aCleanupAll: ; DATA XREF: sub_14002B0C0:loc_14002B41B↑o
.rdata:0000000140358448 text "UTF-16LE", '/cleanup_all',0
.rdata:0000000140358462 align 8
.rdata:0000000140358468 aAddControlPane: ; DATA XREF: sub_14002B0C0+47↑o
.rdata:0000000140358468 text "UTF-16LE", '/add_control_panel_icon',0
.rdata:0000000140358498 aMsixRegister: ; DATA XREF: sub_14002B0C0:loc_14002B237↑o
.rdata:0000000140358498 text "UTF-16LE", '/msix_register',0
.rdata:00000001403584B6 align 8
.rdata:00000001403584B8 aInit: ; DATA XREF: sub_14002B0C0:loc_14002B15B↑o
.rdata:00000001403584B8 text "UTF-16LE", '/init',0
.rdata:00000001403584C4 align 8
.rdata:00000001403584C8 aInstallService: ; DATA XREF: sub_14002B0C0:loc_14002B46B↑o
.rdata:00000001403584C8 text "UTF-16LE", '/install_service_silent',0
.rdata:00000001403584F8 aUninstallServi: ; DATA XREF: sub_14002B0C0:loc_14002B4B8↑o
.rdata:00000001403584F8 text "UTF-16LE", '/uninstall_service',0
.rdata:000000014035851E align 20h
.rdata:0000000140358520 aInstall: ; DATA XREF: sub_14002B0C0:loc_14002BB01↑o
.rdata:0000000140358520 text "UTF-16LE", '/install',0
.rdata:0000000140358532 align 8
.rdata:0000000140358538 aInstallLog: ; DATA XREF: sub_14002B0C0+B19↑o
.rdata:0000000140358538 text "UTF-16LE", '/install_log',0
.rdata:0000000140358552 align 8
.rdata:0000000140358558 aUninstall_2: ; DATA XREF: sub_14002B0C0:loc_14002BC8D↑o
.rdata:0000000140358558 text "UTF-16LE", '/uninstall',0
.rdata:000000014035856E align 10h
.rdata:0000000140358570 aInstallFromTas: ; DATA XREF: sub_14002A39C+72E↑o
.rdata:0000000140358570 ; sub_14002A39C:loc_14002AD52↑o
.rdata:0000000140358570 text "UTF-16LE", '/install_from_task_bar',0
.rdata:000000014035859E align 20h
.rdata:00000001403585A0 aStartupFromTas: ; DATA XREF: sub_14002A39C:loc_14002AC8E↑o
.rdata:00000001403585A0 ; sub_14002B0C0+1F0↑o
.rdata:00000001403585A0 text "UTF-16LE", '/startup_from_task_bar',0
.rdata:00000001403585CE align 10h
.rdata:00000001403585D0 aStartup: ; DATA XREF: sub_14002B0C0:loc_14002B287↑o
.rdata:00000001403585D0 text "UTF-16LE", '/startup',0
.rdata:00000001403585E2 align 8
.rdata:00000001403585E8 aStoreAppsFromT: ; DATA XREF: sub_14002A39C:loc_14002ACDF↑o
.rdata:00000001403585E8 ; sub_14002B0C0:loc_14002B355↑o
.rdata:00000001403585E8 text "UTF-16LE", '/store_apps_from_task_bar',0
.rdata:000000014035861C align 20h
.rdata:0000000140358620 aStoreApps: ; DATA XREF: sub_14002B0C0+2BD↑o
.rdata:0000000140358620 text "UTF-16LE", '/store_apps',0
.rdata:0000000140358638 aDbgLog: ; DATA XREF: sub_14002A39C+60↑o
.rdata:0000000140358638 text "UTF-16LE", '/dbg_log',0
__int64 __fastcall parse_cmdline_14002B0C0(CSmartDockingStandaloneGuideWnd *this)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v2 = 1;
cstring_140025F10(&v79, L"/add_control_panel_icon");
v3 = sub_140249510((__int64)this, &v79);
v4 = (_QWORD *)(v79 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v79 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v4 + 8i64))(*v4);
if ( v3 )
{
sub_14002D434();
return 0;
}
cstring_140025F10(&v80, L"/init");
v5 = sub_140249510((__int64)this, &v80);
v6 = (_QWORD *)(v80 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v80 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v6 + 8i64))(*v6);
if ( v5 )
{
sub_14002CC0C(&stru_140479430);
sub_14006C5D8((char *)this + 0x729);
sub_1400AAB7C(C);
sub_1400ACC40(C);
sub_140055F0C();
v2 = 0;
wWinMain_561_0((int)C);
return v2;
}
cstring_140025F10(&v81, L"/skip_uac");
v8 = sub_140249510((__int64)this, &v81);
v9 = (_QWORD *)(v81 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v81 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v9 + 8i64))(*v9);
if ( v8 )
{
LOBYTE(v7) = 1;
sub_140056328(v7);
return 0;
}
cstring_140025F10(&v82, L"/msix_register");
v10 = sub_140249510((__int64)this, &v82);
v11 = (_QWORD *)(v82 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v82 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v11 + 8i64))(*v11);
if ( v10 )
{
sub_1400D2544();
return 0;
}
cstring_140025F10(&v84, L"/startup");
v12 = 1;
if ( (unsigned int)sub_140249510((__int64)this, &v84)
|| (cstring_140025F10(&v83, L"/startup_from_task_bar"),
v12 = 3,
v13 = 0,
(unsigned int)sub_140249510((__int64)this, &v83)) )
{
v13 = 1;
}
if ( (v12 & 2) != 0 )
{
v14 = (_QWORD *)(v83 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v83 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v14 + 8i64))(*v14);
v12 &= ~2u;
}
if ( (v12 & 1) != 0 )
{
v15 = (_QWORD *)(v84 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v84 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v15 + 8i64))(*v15);
v12 &= ~1u;
}
if ( v13 )
{
*((_BYTE *)this + 0x728) = 1;
return v2;
}
cstring_140025F10(&v86, L"/store_apps_from_task_bar");
v16 = v12 | 4;
v75 = v16;
if ( (unsigned int)sub_140249510((__int64)this, &v86)
|| (cstring_140025F10(&v85, L"/store_apps"),
v16 |= 8u,
v75 = v16,
v17 = 0,
(unsigned int)sub_140249510((__int64)this, &v85)) )
{
v17 = 1;
}
if ( (v16 & 8) != 0 )
{
v75 = v16 & 0xF7;
v18 = (_QWORD *)(v85 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v85 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v18 + 8i64))(*v18);
v16 &= ~8u;
}
if ( (v16 & 4) != 0 )
{
v75 = v16 & 0xFB;
v19 = (_QWORD *)(v86 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v86 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v19 + 8i64))(*v19);
}
if ( v17 )
{
*((_BYTE *)this + 0x288) = 1;
return v2;
}
cstring_140025F10(&v87, L"/cleanup_all");
v20 = sub_140249510((__int64)this, &v87);
v21 = (_QWORD *)(v87 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v87 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v21 + 8i64))(*v21);
if ( v20 )
{
CSmartDockingStandaloneGuideWnd::UpdateLayered(this);
return 0;
}
cstring_140025F10(&v88, L"/install_service_silent");
v22 = sub_140249510((__int64)this, &v88);
v23 = (_QWORD *)(v88 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v88 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v23 + 8i64))(*v23);
if ( v22 )
{
CInstallMonitor::InstallService_14009CFBC();
return 0;
}
cstring_140025F10(&v89, L"/uninstall_service");
v24 = sub_140249510((__int64)this, &v89);
v25 = (_QWORD *)(v89 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v89 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v25 + 8i64))(*v25);
if ( v24 )
{
if ( (unsigned __int8)sub_14009DA14() )
{
v29 = isctype_l_0(v27, v26, v28);
if ( (unsigned __int8)sub_14009DA14() )
{
v40 = sub_14025F27C();
if ( !v40 )
unknown_libname_676(0x80004005);
v77 = ((__int64 (__fastcall *)(void ***))(*v40)[3])(v40) + 0x18;
v104.u._Ptr = 0i64;
v104._Mysize = 0i64;
v104._Myres = 0xFi64;
LOBYTE(v41) = 0;
string_140023FD0(&v104, 0x2Eui64, v41, "Messages/msgTrackingServiceInstallationTimeout");
str_1400F9430 = (const wchar_t *)xml_find_str_1400F9430(v109, &v104);
if ( *((_QWORD *)str_1400F9430 + 3) >= 8ui64 )
str_1400F9430 = *(const wchar_t **)str_1400F9430;
v43 = cstring_140025F10(&v94, str_1400F9430);
sub_140026D50(&v77, *v43, v29);
v44 = (_QWORD *)(v94 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v94 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v44 + 8i64))(*v44);
unknown_libname_4(v109);
if ( v104._Myres >= 0x10 )
{
Ptr = v104.u._Ptr;
if ( v104._Myres + 1 >= 0x1000 )
{
Ptr = (char *)*((_QWORD *)v104.u._Ptr + 0xFFFFFFFF);
if ( (unsigned __int64)(v104.u._Ptr - Ptr - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(Ptr);
}
v105.u._Ptr = 0i64;
v105._Mysize = 0i64;
v105._Myres = 0xFi64;
LOBYTE(v45) = 0;
string_140023FD0(&v105, 0x2Aui64, v45, "InstallTracker/InstallTrackerLocalizedName");
v47 = (const wchar_t *)xml_find_str_1400F9430(v110, &v105);
if ( *((_QWORD *)v47 + 3) >= 8ui64 )
v47 = *(const wchar_t **)v47;
v48 = cstring_140025F10(&v95, v47);
info_dialog_14002B0A4((__int64)&UToolApp_140478C30, 0i64, v77, *v48, 0x30u);
v49 = (_QWORD *)(v95 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v95 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v49 + 8i64))(*v49);
unknown_libname_4(v110);
if ( v105._Myres >= 0x10 )
{
v50 = v105.u._Ptr;
if ( v105._Myres + 1 >= 0x1000 )
{
v50 = (char *)*((_QWORD *)v105.u._Ptr + 0xFFFFFFFF);
if ( (unsigned __int64)(v105.u._Ptr - v50 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v50);
}
v51 = (_QWORD *)(v77 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v77 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v51 + 8i64))(*v51);
return 0;
}
v103.u._Ptr = 0i64;
v103._Mysize = 0i64;
v103._Myres = 0xFi64;
LOBYTE(v30) = 0;
string_140023FD0(&v103, 0x2Aui64, v30, "InstallTracker/InstallTrackerLocalizedName");
v31 = (const wchar_t *)xml_find_str_1400F9430(v108, &v103);
if ( *((_QWORD *)v31 + 3) >= 8ui64 )
v31 = *(const wchar_t **)v31;
v32 = *cstring_140025F10(&v93, v31);
v101.u._Ptr = 0i64;
v101._Mysize = 0i64;
v101._Myres = 0xFi64;
LOBYTE(v33) = 0;
string_140023FD0(&v101, 0x22ui64, v33, "Messages/msgTrackingServiceRemoved");
v34 = (const wchar_t *)xml_find_str_1400F9430(v107, &v101);
if ( *((_QWORD *)v34 + 3) >= 8ui64 )
v34 = *(const wchar_t **)v34;
v35 = cstring_140025F10(&v99, v34);
info_dialog_14002B0A4((__int64)&UToolApp_140478C30, 0i64, *v35, v32, 0x40u);
v36 = (_QWORD *)(v99 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v99 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v36 + 8i64))(*v36);
unknown_libname_4(v107);
if ( v101._Myres >= 0x10 )
{
v37 = v101.u._Ptr;
if ( v101._Myres + 1 >= 0x1000 )
{
v37 = (char *)*((_QWORD *)v101.u._Ptr + 0xFFFFFFFF);
if ( (unsigned __int64)(v101.u._Ptr - v37 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v37);
}
v101._Mysize = 0i64;
v101._Myres = 0xFi64;
v101.u._Buf[0] = 0;
v38 = (_QWORD *)(v93 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v93 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v38 + 8i64))(*v38);
unknown_libname_4(v108);
if ( v103._Myres < 0x10 )
return 0;
v39 = v103.u._Ptr;
if ( v103._Myres + 1 >= 0x1000 )
{
v39 = (char *)*((_QWORD *)v103.u._Ptr + 0xFFFFFFFF);
if ( (unsigned __int64)(v103.u._Ptr - v39 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
}
else
{
v106.u._Ptr = 0i64;
v106._Mysize = 0i64;
v106._Myres = 0xFi64;
LOBYTE(v28) = 0;
string_140023FD0(&v106, 0x2Aui64, (__int64)v28, "InstallTracker/InstallTrackerLocalizedName");
v52 = (const wchar_t *)xml_find_str_1400F9430(v112, &v106);
if ( *((_QWORD *)v52 + 3) >= 8ui64 )
v52 = *(const wchar_t **)v52;
v53 = *cstring_140025F10(&v97, v52);
v102.u._Ptr = 0i64;
v102._Mysize = 0i64;
v102._Myres = 0xFi64;
LOBYTE(v54) = 0;
string_140023FD0(&v102, 0x28ui64, v54, "Messages/msgTrackingServiceNotInstalled3");
v55 = (const wchar_t *)xml_find_str_1400F9430(v111, &v102);
if ( *((_QWORD *)v55 + 3) >= 8ui64 )
v55 = *(const wchar_t **)v55;
v56 = cstring_140025F10(&v96, v55);
info_dialog_14002B0A4((__int64)&UToolApp_140478C30, 0i64, *v56, v53, 0x40u);
v57 = (_QWORD *)(v96 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v96 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v57 + 8i64))(*v57);
unknown_libname_4(v111);
if ( v102._Myres >= 0x10 )
{
v58 = v102.u._Ptr;
if ( v102._Myres + 1 >= 0x1000 )
{
v58 = (char *)*((_QWORD *)v102.u._Ptr + 0xFFFFFFFF);
if ( (unsigned __int64)(v102.u._Ptr - v58 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
j_j_free(v58);
}
v102._Mysize = 0i64;
v102._Myres = 0xFi64;
v102.u._Buf[0] = 0;
v59 = (_QWORD *)(v97 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v97 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v59 + 8i64))(*v59);
unknown_libname_4(v112);
if ( v106._Myres < 0x10 )
return 0;
v39 = v106.u._Ptr;
if ( v106._Myres + 1 >= 0x1000 )
{
v39 = (char *)*((_QWORD *)v106.u._Ptr + 0xFFFFFFFF);
if ( (unsigned __int64)(v106.u._Ptr - v39 - 8) > 0x1F )
invalid_parameter_noinfo_noreturn();
}
}
j_j_free(v39);
return 0;
}
cstring_140025F10(&v90, L"/install");
v60 = v75 | 0x10;
v76 = v75 | 0x10;
if ( !(unsigned int)sub_140249510((__int64)&UToolApp_140478C30, &v90)
|| (v61 = 1, (unsigned __int64)sub_1402494E0((__int64)&UToolApp_140478C30) < 3) )
{
v61 = 0;
}
if ( (v60 & 0x10) != 0 )
{
v76 = v60 & 0xEF;
v62 = (_QWORD *)(v90 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v90 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v62 + 8i64))(*v62);
LOBYTE(v60) = v60 & 0xEF;
}
if ( !v61 )
{
cstring_140025F10(&v92, L"/uninstall");
v70 = v60 | 0x40;
if ( !(unsigned int)sub_140249510((__int64)this, &v92)
|| (v71 = 1, (unsigned __int64)sub_1402494E0((__int64)&UToolApp_140478C30) < 3) )
{
v71 = 0;
}
if ( (v70 & 0x40) != 0 )
{
v72 = (_QWORD *)(v92 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v92 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v72 + 8i64))(*v72);
}
if ( !v71 )
return v2;
v73 = (__int64 *)sub_140249460(&UToolApp_140478C30, &v78, 2i64);
sub_14002626C((_QWORD *)this + 0xEA, v73);
v69 = (_QWORD *)(v78 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v78 - 0x18 + 0x10)) <= 0 )
goto LABEL_136;
return v2;
}
*((_BYTE *)this + 0x739) = 1;
v63 = (__int64 *)sub_140249460(&UToolApp_140478C30, &v98, 2i64);
sub_14002626C((_QWORD *)this + 0xE8, v63);
v64 = (_QWORD *)(v98 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v98 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v64 + 8i64))(*v64);
if ( (unsigned __int64)sub_1402494E0((__int64)&UToolApp_140478C30) >= 5 )
{
v65 = v76;
goto LABEL_121;
}
cstring_140025F10(&v91, L"/install_log");
v65 = v76 | 0x20;
if ( (unsigned int)sub_140249510((__int64)&UToolApp_140478C30, &v91) )
{
LABEL_121:
v66 = 1;
goto LABEL_122;
}
v66 = 0;
LABEL_122:
if ( (v65 & 0x20) != 0 )
{
v67 = (_QWORD *)(v91 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v91 - 0x18 + 0x10)) <= 0 )
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v67 + 8i64))(*v67);
}
if ( !v66 )
return v2;
v68 = (__int64 *)sub_140249460(&UToolApp_140478C30, &v78, 4i64);
sub_14002626C((_QWORD *)this + 0xE9, v68);
v69 = (_QWORD *)(v78 - 0x18);
if ( _InterlockedDecrement((volatile signed __int32 *)(v78 - 0x18 + 0x10)) <= 0 )
LABEL_136:
(*(void (__fastcall **)(_QWORD))(*(_QWORD *)*v69 + 8i64))(*v69);
return v2;
}
