闲得无聊搜集的一些OEP和Section,希望能对研究脱壳的朋友们帮上一点小忙。 (Reviewer note, for readers turning these into entry-point signatures: the `; ntdll.KiFastSystemCallRet` / `; kernel32.7C816FD7` / `; ntdll.7C930738` comments are OllyDbg's stale register annotations from the debugging session, not part of the code. Immediate operands that encode absolute addresses (e.g. the `9F 23 48 00` of `A1 9F 23 48 00`) and the rel32 displacements of `E8`/`E9` are specific to the sample and must be wildcarded (`A1 ?? ?? ?? ??`, `E8 ?? ?? ?? ??`) before matching; the opcode skeleton plus the section-name list is what carries over between binaries. In the Borland C++ 1999 entry, the bytes jumped over at 00401002 spell the ASCII marker `fb:C++HOOK`, which is a more stable fingerprint than the address-bearing code after it. In some dumps (Delphi 4.0-5.0, Visual Basic 5.0/6.0) the bytes after the last real instruction are data that OllyDbg disassembled as nonsense (`add byte ptr ds:[eax],al`, `???`, `retn 50F1`); leave them out of a signature. A match only shows that the compiler's startup stub sits at the entry point; before treating a dump as a clean unpack, also confirm that its import table resolves and that its section table matches the layout listed here.) ********************************************************************** Borland C++ 1999 .text .data .tls .rdata .idata .edata .rsrc .reloc 00401000 Find> $ /EB 10 jmp short Finder33.00401012 00401002 |66 db 66 ; CHAR 'f' 00401003 |62 db 62 ; CHAR 'b' 00401004 |3A db 3A ; CHAR ':' 00401005 |43 db 43 ; CHAR 'C' 00401006 |2B db 2B ; CHAR '+' 00401007 |2B db 2B ; CHAR '+' 00401008 |48 db 48 ; CHAR 'H' 00401009 |4F db 4F ; CHAR 'O' 0040100A |4F db 4F ; CHAR 'O' 0040100B |4B db 4B ; CHAR 'K' 0040100C |90 nop 0040100D |E9 db E9 0040100E . |AC lods byte ptr ds:[esi] 0040100F . |2348 00 and ecx,dword ptr ds:[eax] 00401012 > \A1 9F234800 mov eax,dword ptr ds:[48239F] 00401017 . C1E0 02 shl eax,2 0040101A . A3 A3234800 mov dword ptr ds:[4823A3],eax 0040101F . 52 push edx ; ntdll.KiFastSystemCallRet 00401020 . 6A 00 push 0 ; /pModule = NULL 00401022 . E8 79010800 call <jmp.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA 00401027 . 8BD0 mov edx,eax 00401029 . E8 F64F0700 call Finder33.00476024 0040102E . 5A pop edx ; kernel32.7C816FD7 0040102F . E8 544F0700 call Finder33.00475F88 00401034 . E8 2B500700 call Finder33.00476064 00401039 . 6A 00 push 0 ; /Arg1 = 00000000 0040103B . E8 48620700 call Finder33.00477288 ; \Finder33.00477288 00401040 . 59 pop ecx ; kernel32.7C816FD7 00401041 . 68 48234800 push Finder33.00482348 00401046 . 6A 00 push 0 ; /pModule = NULL 00401048 . E8 53010800 call <jmp.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA 0040104D . A3 A7234800 mov dword ptr ds:[4823A7],eax 00401052 . 6A 00 push 0 00401054 . E9 0BB40700 jmp Finder33.0047C464 00401059 Find> $ E9 76620700 jmp Finder33.004772D4 0040105E . 33C0 xor eax,eax 00401060 . A0 91234800 mov al,byte ptr ds:[482391] 00401065 . 
C3 retn EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 AC 23 48 00 A1 9F 23 48 00 C1 E0 02 A3 A3 23 48 00 52 6A 00 E8 79 01 08 00 8B D0 E8 F6 4F 07 00 5A E8 54 4F 07 00 E8 2B 50 07 00 6A 00 E8 48 62 07 00 59 68 48 23 48 00 6A 00 E8 53 01 08 00 A3 A7 23 48 00 6A 00 E9 0B B4 07 00 E9 76 62 07 00 33 C0 A0 91 23 48 00 C3 ********************************************************************** Borland C++ CODE DATA .INIT .idata .edata .reloc .rsrc 00401000 BCW.> $ A1 59B05000 mov eax,dword ptr ds:[50B059] 00401005 . C1E0 02 shl eax,2 00401008 . A3 5DB05000 mov dword ptr ds:[50B05D],eax 0040100D . 57 push edi ; ntdll.7C930738 0040100E . 51 push ecx 0040100F . 33C0 xor eax,eax 00401011 . BF 84665400 mov edi,BCW.00546684 00401016 . B9 8C345500 mov ecx,BCW.0055348C 0040101B . 3BCF cmp ecx,edi ; ntdll.7C930738 0040101D . 76 05 jbe short BCW.00401024 0040101F . 2BCF sub ecx,edi ; ntdll.7C930738 00401021 . FC cld 00401022 . F3:AA rep stos byte ptr es:[edi] 00401024 > 59 pop ecx ; kernel32.7C816FD7 00401025 . 5F pop edi ; kernel32.7C816FD7 00401026 . 64:67:8B16 0400 mov edx,dword ptr fs:[4] 0040102C . 8B42 F8 mov eax,dword ptr ds:[edx-8] 0040102F . A3 61B05000 mov dword ptr ds:[50B061],eax 00401034 . 8B42 FC mov eax,dword ptr ds:[edx-4] 00401037 . A3 65B05000 mov dword ptr ds:[50B065],eax 0040103C . 83EA 04 sub edx,4 0040103F . 8915 80345500 mov dword ptr ds:[553480],edx ; ntdll.KiFastSystemCallRet 00401045 . 83EA 04 sub edx,4 00401048 . 3BD4 cmp edx,esp 0040104A . 73 02 jnb short BCW.0040104E 0040104C . 8BE2 mov esp,edx ; ntdll.KiFastSystemCallRet 0040104E > 6A 00 push 0 ; /Arg1 = 00000000 00401050 . E8 45100000 call BCW.0040209A ; \BCW.0040209A 00401055 . 59 pop ecx ; kernel32.7C816FD7 00401056 . 68 2CB05000 push BCW.0050B02C 0040105B . 6A 00 push 0 ; /pModule = NULL 0040105D . E8 73821000 call <jmp.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA 00401062 . A3 6AB05000 mov dword ptr ds:[50B06A],eax 00401067 . 6A 00 push 0 00401069 . 
E9 93801000 jmp <jmp.&cw3220mt.__startup> 0040106E BCW.> $ E9 09110000 jmp BCW.0040217C 00401073 00 db 00 00401074 00 db 00 00401075 00 db 00 00401076 00 db 00 00401077 00 db 00 00401078 /$ 55 push ebp 00401079 |. 8BEC mov ebp,esp 0040107B |. 53 push ebx 0040107C |. 56 push esi 0040107D |. 57 push edi ; ntdll.7C930738 0040107E |. 8B75 0C mov esi,dword ptr ss:[ebp+C] 00401081 |. 6A 00 push 0 ; /pDefaultCharUsed = NULL 00401083 |. 6A 00 push 0 ; |pDefaultChar = NULL 00401085 |. 6A 00 push 0 ; |MultiByteCount = 0 00401087 |. 6A 00 push 0 ; |MultiByteStr = NULL 00401089 |. 56 push esi ; |WideCharCount = FFFFFFFF (-1.) 0040108A |. FF75 08 push dword ptr ss:[ebp+8] ; |WideCharStr = (unreadable: OllyDbg rendered whatever [ebp+8] held at the time as text; stale debugger annotation, not part of the code) 0040108D |. 6A 00 push 0 ; |Options = 0 0040108F |. 6A 00 push 0 ; |CodePage = CP_ACP 00401091 |. E8 99821000 call <jmp.&KERNEL32.WideCharToMultiByte> ; \WideCharToMultiByte 00401096 |. 8BD8 mov ebx,eax 00401098 |. 83FE FF cmp esi,-1 0040109B |. 0F95C0 setne al 0040109E |. 83E0 01 and eax,1 004010A1 |. 03C3 add eax,ebx 004010A3 |. 50 push eax 004010A4 |. E8 A47F1000 call <jmp.&cw3220mt.@$bnwa$qui> 004010A9 |. 59 pop ecx ; kernel32.7C816FD7 004010AA |. 8BF8 mov edi,eax 004010AC |. 6A 00 push 0 ; /pDefaultCharUsed = NULL 004010AE |. 6A 00 push 0 ; |pDefaultChar = NULL 004010B0 |. 53 push ebx ; |MultiByteCount = 7FFDF000 (2147348480.) 004010B1 |. 57 push edi ; |MultiByteStr = ntdll.7C930738 004010B2 |. 56 push esi ; |WideCharCount = FFFFFFFF (-1.) 004010B3 |. FF75 08 push dword ptr ss:[ebp+8] ; |WideCharStr = (unreadable: same stale debugger preview as above; not part of the code) 004010B6 |. 6A 00 push 0 ; |Options = 0 004010B8 |. 6A 00 push 0 ; |CodePage = CP_ACP 004010BA |. 
E8 70821000 call <jmp.&KERNEL32.WideCharToMultiByte> ; \WideCharToMultiByte 004010BF |. 8BD8 mov ebx,eax 004010C1 |. 83FE FF cmp esi,-1 004010C4 |. 74 04 je short BCW.004010CA 004010C6 |. C6041F 00 mov byte ptr ds:[edi+ebx],0 004010CA |> 8BC7 mov eax,edi ; ntdll.7C930738 004010CC |. 5F pop edi ; kernel32.7C816FD7 004010CD |. 5E pop esi ; kernel32.7C816FD7 004010CE |. 5B pop ebx ; kernel32.7C816FD7 004010CF |. 5D pop ebp ; kernel32.7C816FD7 004010D0 \. C3 retn A1 59 B0 50 00 C1 E0 02 A3 5D B0 50 00 57 51 33 C0 BF 84 66 54 00 B9 8C 34 55 00 3B CF 76 05 2B CF FC F3 AA 59 5F 64 67 8B 16 04 00 8B 42 F8 A3 61 B0 50 00 8B 42 FC A3 65 B0 50 00 83 EA 04 89 15 80 34 55 00 83 EA 04 3B D4 73 02 8B E2 6A 00 E8 45 10 00 00 59 68 2C B0 50 00 6A 00 E8 73 82 10 00 A3 6A B0 50 00 6A 00 E9 93 80 10 00 E9 09 11 00 00 00 00 00 00 00 55 8B EC 53 56 57 8B 75 0C 6A 00 6A 00 6A 00 6A 00 56 FF 75 08 6A 00 6A 00 E8 99 82 10 00 8B D8 83 FE FF 0F 95 C0 83 E0 01 03 C3 50 E8 A4 7F 10 00 59 8B F8 6A 00 6A 00 53 57 56 FF 75 08 6A 00 6A 00 E8 70 82 10 00 8B D8 83 FE FF 74 04 C6 04 1F 00 8B C7 5F 5E 5B 5D C3 ********************************************************************** Borland Delphi 2.0 CODE DATA BSS .idata .tls .rdata .reloc .rsrc 00433D9C htes> 55 push ebp 00433D9D 8BEC mov ebp,esp 00433D9F 83C4 F4 add esp,-0C 00433DA2 E8 F1F4FCFF call htest.00403298 00433DA7 E8 940AFDFF call htest.00404840 00433DAC E8 CF3AFDFF call htest.00407880 00433DB1 E8 92A4FDFF call htest.0040E248 00433DB6 E8 D1A5FDFF call htest.0040E38C 00433DBB E8 28C5FDFF call htest.004102E8 00433DC0 E8 633CFEFF call htest.00417A28 00433DC5 E8 CE0BFFFF call htest.00424998 00433DCA E8 2956FFFF call htest.004293F8 00433DCF E8 1474FFFF call htest.0042B1E8 00433DD4 E8 C3A2FFFF call htest.0042E09C 00433DD9 E8 4ED3FFFF call htest.0043112C 00433DDE E8 A5E2FFFF call htest.00432088 00433DE3 A1 28664300 mov eax,dword ptr ds:[436628] 00433DE8 E8 1302FFFF call htest.00424000 00433DED BA 2C3E4300 mov edx,htest.00433E2C ; ASCII "MP3-2-EXE 
Player" 00433DF2 A1 28664300 mov eax,dword ptr ds:[436628] 00433DF7 E8 20FFFEFF call htest.00423D1C 00433DFC B9 A4664300 mov ecx,htest.004366A4 00433E01 BA 04254300 mov edx,htest.00432504 00433E06 A1 28664300 mov eax,dword ptr ds:[436628] 00433E0B E8 0002FFFF call htest.00424010 00433E10 A1 28664300 mov eax,dword ptr ds:[436628] 00433E15 E8 8602FFFF call htest.004240A0 00433E1A E8 2904FDFF call htest.00404248 00433E1F 8BE5 mov esp,ebp 00433E21 5D pop ebp ; kernel32.7C816FD7 00433E22 C3 retn 55 8B EC 83 C4 F4 E8 F1 F4 FC FF E8 94 0A FD FF E8 CF 3A FD FF E8 92 A4 FD FF E8 D1 A5 FD FF E8 28 C5 FD FF E8 63 3C FE FF E8 CE 0B FF FF E8 29 56 FF FF E8 14 74 FF FF E8 C3 A2 FF FF E8 4E D3 FF FF E8 A5 E2 FF FF A1 28 66 43 00 E8 13 02 FF FF BA 2C 3E 43 00 A1 28 66 43 00 E8 20 FF FE FF B9 A4 66 43 00 BA 04 25 43 00 A1 28 66 43 00 E8 00 02 FF FF A1 28 66 43 00 E8 86 02 FF FF E8 29 04 FD FF 8B E5 5D C3 ********************************************************************** Borland Delphi 3.0 CODE DATA BSS .idata .tls .rdata .reloc .rsrc 004ABA30 ResH> 55 push ebp 004ABA31 8BEC mov ebp,esp 004ABA33 83C4 F0 add esp,-10 004ABA36 33C0 xor eax,eax 004ABA38 8945 F0 mov dword ptr ss:[ebp-10],eax 004ABA3B B8 60B84A00 mov eax,ResHacke.004AB860 004ABA40 E8 B79CF5FF call ResHacke.004056FC 004ABA45 33C0 xor eax,eax 004ABA47 55 push ebp 004ABA48 68 40BB4A00 push ResHacke.004ABB40 004ABA4D 64:FF30 push dword ptr fs:[eax] 004ABA50 64:8920 mov dword ptr fs:[eax],esp 004ABA53 A1 60DC4A00 mov eax,dword ptr ds:[4ADC60] 004ABA58 8B00 mov eax,dword ptr ds:[eax] 004ABA5A E8 856EF8FF call ResHacke.004328E4 004ABA5F A1 60DC4A00 mov eax,dword ptr ds:[4ADC60] 004ABA64 8B00 mov eax,dword ptr ds:[eax] 004ABA66 BA 54BB4A00 mov edx,ResHacke.004ABB54 ; ASCII "Resource Hacker" 004ABA6B E8 8C6BF8FF call ResHacke.004325FC 004ABA70 A1 60DC4A00 mov eax,dword ptr ds:[4ADC60] 004ABA75 8B00 mov eax,dword ptr ds:[eax] 004ABA77 C640 3F 00 mov byte ptr ds:[eax+3F],0 004ABA7B 8B0D D8DA4A00 mov ecx,dword ptr ds:[4ADAD8] ; 
ResHacke.004AE81C 004ABA81 A1 60DC4A00 mov eax,dword ptr ds:[4ADC60] 004ABA86 8B00 mov eax,dword ptr ds:[eax] 004ABA88 8B15 DCE44900 mov edx,dword ptr ds:[49E4DC] ; ResHacke.0049E51C 004ABA8E E8 696EF8FF call ResHacke.004328FC 004ABA93 E8 786DF5FF call ResHacke.00402810 004ABA98 48 dec eax 004ABA99 7E 78 jle short ResHacke.004ABB13 004ABA9B 8D55 F0 lea edx,dword ptr ss:[ebp-10] 004ABA9E B8 01000000 mov eax,1 004ABAA3 E8 C86DF5FF call ResHacke.00402870 004ABAA8 8B45 F0 mov eax,dword ptr ss:[ebp-10] 004ABAAB 8038 2D cmp byte ptr ds:[eax],2D 004ABAAE 75 63 jnz short ResHacke.004ABB13 004ABAB0 B2 01 mov dl,1 004ABAB2 A1 88AE4800 mov eax,dword ptr ds:[48AE88] 004ABAB7 E8 B872F5FF call ResHacke.00402D74 004ABABC A3 84E84A00 mov dword ptr ds:[4AE884],eax 004ABAC1 33C0 xor eax,eax 004ABAC3 55 push ebp 004ABAC4 68 F9BA4A00 push ResHacke.004ABAF9 004ABAC9 64:FF30 push dword ptr fs:[eax] 004ABACC 64:8920 mov dword ptr fs:[eax],esp 004ABACF 8B15 D8DA4A00 mov edx,dword ptr ds:[4ADAD8] ; ResHacke.004AE81C 004ABAD5 8B12 mov edx,dword ptr ds:[edx] 004ABAD7 A1 84E84A00 mov eax,dword ptr ds:[4AE884] 004ABADC E8 8BF5FDFF call ResHacke.0048B06C 004ABAE1 33C0 xor eax,eax 004ABAE3 5A pop edx ; kernel32.7C816FD7 004ABAE4 59 pop ecx ; kernel32.7C816FD7 004ABAE5 59 pop ecx ; kernel32.7C816FD7 004ABAE6 64:8910 mov dword ptr fs:[eax],edx ; ntdll.KiFastSystemCallRet 004ABAE9 68 00BB4A00 push ResHacke.004ABB00 004ABAEE A1 84E84A00 mov eax,dword ptr ds:[4AE884] 004ABAF3 E8 A472F5FF call ResHacke.00402D9C 004ABAF8 C3 retn 004ABAF9 ^ E9 6A78F5FF jmp ResHacke.00403368 004ABAFE ^ EB EE jmp short ResHacke.004ABAEE 004ABB00 A1 D8DA4A00 mov eax,dword ptr ds:[4ADAD8] 004ABB05 8B00 mov eax,dword ptr ds:[eax] 004ABB07 E8 304DF8FF call ResHacke.0043083C 004ABB0C E8 837CF5FF call ResHacke.00403794 004ABB11 EB 0B jmp short ResHacke.004ABB1E 004ABB13 A1 60DC4A00 mov eax,dword ptr ds:[4ADC60] 004ABB18 8B00 mov eax,dword ptr ds:[eax] 004ABB1A C640 3F 01 mov byte ptr ds:[eax+3F],1 004ABB1E A1 60DC4A00 mov 
eax,dword ptr ds:[4ADC60] 004ABB23 8B00 mov eax,dword ptr ds:[eax] 004ABB25 E8 5E6EF8FF call ResHacke.00432988 004ABB2A 33C0 xor eax,eax 004ABB2C 5A pop edx ; kernel32.7C816FD7 004ABB2D 59 pop ecx ; kernel32.7C816FD7 004ABB2E 59 pop ecx ; kernel32.7C816FD7 004ABB2F 64:8910 mov dword ptr fs:[eax],edx ; ntdll.KiFastSystemCallRet 004ABB32 68 47BB4A00 push ResHacke.004ABB47 004ABB37 8D45 F0 lea eax,dword ptr ss:[ebp-10] 004ABB3A E8 097EF5FF call ResHacke.00403948 004ABB3F C3 retn 55 8B EC 83 C4 F0 33 C0 89 45 F0 B8 60 B8 4A 00 E8 B7 9C F5 FF 33 C0 55 68 40 BB 4A 00 64 FF 30 64 89 20 A1 60 DC 4A 00 8B 00 E8 85 6E F8 FF A1 60 DC 4A 00 8B 00 BA 54 BB 4A 00 E8 8C 6B F8 FF A1 60 DC 4A 00 8B 00 C6 40 3F 00 8B 0D D8 DA 4A 00 A1 60 DC 4A 00 8B 00 8B 15 DC E4 49 00 E8 69 6E F8 FF E8 78 6D F5 FF 48 7E 78 8D 55 F0 B8 01 00 00 00 E8 C8 6D F5 FF 8B 45 F0 80 38 2D 75 63 B2 01 A1 88 AE 48 00 E8 B8 72 F5 FF A3 84 E8 4A 00 33 C0 55 68 F9 BA 4A 00 64 FF 30 64 89 20 8B 15 D8 DA 4A 00 8B 12 A1 84 E8 4A 00 E8 8B F5 FD FF 33 C0 5A 59 59 64 89 10 68 00 BB 4A 00 A1 84 E8 4A 00 E8 A4 72 F5 FF C3 E9 6A 78 F5 FF EB EE A1 D8 DA 4A 00 8B 00 E8 30 4D F8 FF E8 83 7C F5 FF EB 0B A1 60 DC 4A 00 8B 00 C6 40 3F 01 A1 60 DC 4A 00 8B 00 E8 5E 6E F8 FF 33 C0 5A 59 59 64 89 10 68 47 BB 4A 00 8D 45 F0 E8 09 7E F5 FF C3 ********************************************************************** Borland Delphi 4.0 - 5.0 CODE DATA BSS .idata .tls .rdata .reloc .rsrc 00457E00 YUCE> 55 push ebp 00457E01 8BEC mov ebp,esp 00457E03 83C4 F4 add esp,-0C 00457E06 B8 C87C4500 mov eax,YUCE.00457CC8 00457E0B E8 44E4FAFF call YUCE.00406254 00457E10 A1 048F4500 mov eax,dword ptr ds:[458F04] 00457E15 8B00 mov eax,dword ptr ds:[eax] 00457E17 BA 547E4500 mov edx,YUCE.00457E54 00457E1C E8 83DEFEFF call YUCE.00445CA4 00457E21 8B0D 688D4500 mov ecx,dword ptr ds:[458D68] ; YUCE.0045A878 00457E27 A1 048F4500 mov eax,dword ptr ds:[458F04] 00457E2C 8B00 mov eax,dword ptr ds:[eax] 00457E2E 8B15 C85B4500 mov edx,dword ptr ds:[455BC8] ; 
YUCE.00455C14 00457E34 E8 2FE2FEFF call YUCE.00446068 00457E39 A1 048F4500 mov eax,dword ptr ds:[458F04] 00457E3E 8B00 mov eax,dword ptr ds:[eax] 00457E40 E8 A3E2FEFF call YUCE.004460E8 00457E45 E8 F6B8FAFF call YUCE.00403740 00457E4A 0000 add byte ptr ds:[eax],al 00457E4C FFFF ??? ; Unknown command 00457E4E FFFF ??? ; Unknown command 00457E50 0C 00 or al,0 00457E52 0000 add byte ptr ds:[eax],al 00457E54 C9 leave 00457E55 FA cli 00457E56 C3 retn 55 8B EC 83 C4 F4 B8 C8 7C 45 00 E8 44 E4 FA FF A1 04 8F 45 00 8B 00 BA 54 7E 45 00 E8 83 DE FE FF 8B 0D 68 8D 45 00 A1 04 8F 45 00 8B 00 8B 15 C8 5B 45 00 E8 2F E2 FE FF A1 04 8F 45 00 8B 00 E8 A3 E2 FE FF E8 F6 B8 FA FF 00 00 FF FF FF FF 0C 00 00 00 C9 FA C3 ********************************************************************** Borland Delphi 6.0 - 7.0 CODE DATA BSS .idata .tls .rdata .reloc .rsrc 0047845C pymf> 55 push ebp 0047845D 8BEC mov ebp,esp 0047845F 83C4 E8 add esp,-18 00478462 33C0 xor eax,eax 00478464 8945 EC mov dword ptr ss:[ebp-14],eax 00478467 8945 E8 mov dword ptr ss:[ebp-18],eax 0047846A B8 6C824700 mov eax,pymf.0047826C 0047846F E8 94E3F8FF call pymf.00406808 00478474 33C0 xor eax,eax 00478476 55 push ebp 00478477 68 21854700 push pymf.00478521 0047847C 64:FF30 push dword ptr fs:[eax] 0047847F 64:8920 mov dword ptr fs:[eax],esp 00478482 E8 0DD5FFFF call pymf.00475994 00478487 84C0 test al,al 00478489 75 18 jnz short pymf.004784A3 0047848B 6A 24 push 24 0047848D 68 30854700 push pymf.00478530 ; ASCII "Error" 00478492 68 38854700 push pymf.00478538 ; ASCII "YMF7x4 driver is not found. Start the program anyway?" 
00478497 6A 00 push 0 00478499 E8 C2ECF8FF call <jmp.&user32.MessageBoxA> 0047849E 83F8 06 cmp eax,6 004784A1 75 63 jnz short pymf.00478506 004784A3 8D55 E8 lea edx,dword ptr ss:[ebp-18] 004784A6 B8 01000000 mov eax,1 004784AB E8 BCA5F8FF call pymf.00402A6C 004784B0 8B45 E8 mov eax,dword ptr ss:[ebp-18] 004784B3 8D55 EC lea edx,dword ptr ss:[ebp-14] 004784B6 E8 3900F9FF call pymf.004084F4 004784BB 8B45 EC mov eax,dword ptr ss:[ebp-14] 004784BE BA 78854700 mov edx,pymf.00478578 ; ASCII "-clean" 004784C3 E8 5CC3F8FF call pymf.00404824 004784C8 75 07 jnz short pymf.004784D1 004784CA E8 B1C7FFFF call pymf.00474C80 004784CF EB 35 jmp short pymf.00478506 004784D1 A1 E8B24700 mov eax,dword ptr ds:[47B2E8] 004784D6 8B00 mov eax,dword ptr ds:[eax] 004784D8 E8 A75BFEFF call pymf.0045E084 004784DD 8B0D 00B14700 mov ecx,dword ptr ds:[47B100] ; pymf.0047CDC0 004784E3 A1 E8B24700 mov eax,dword ptr ds:[47B2E8] 004784E8 8B00 mov eax,dword ptr ds:[eax] 004784EA 8B15 F85B4700 mov edx,dword ptr ds:[475BF8] ; pymf.00475C44 004784F0 E8 A75BFEFF call pymf.0045E09C 004784F5 A1 E8B24700 mov eax,dword ptr ds:[47B2E8] 004784FA 8B00 mov eax,dword ptr ds:[eax] 004784FC E8 1B5CFEFF call pymf.0045E11C 00478501 E8 5ED6FFFF call pymf.00475B64 00478506 33C0 xor eax,eax 00478508 5A pop edx ; kernel32.7C816FD7 00478509 59 pop ecx ; kernel32.7C816FD7 0047850A 59 pop ecx ; kernel32.7C816FD7 0047850B 64:8910 mov dword ptr fs:[eax],edx ; ntdll.KiFastSystemCallRet 0047850E 68 28854700 push pymf.00478528 00478513 8D45 E8 lea eax,dword ptr ss:[ebp-18] 00478516 BA 02000000 mov edx,2 0047851B E8 2CBFF8FF call pymf.0040444C 00478520 C3 retn 55 8B EC 83 C4 E8 33 C0 89 45 EC 89 45 E8 B8 6C 82 47 00 E8 94 E3 F8 FF 33 C0 55 68 21 85 47 00 64 FF 30 64 89 20 E8 0D D5 FF FF 84 C0 75 18 6A 24 68 30 85 47 00 68 38 85 47 00 6A 00 E8 C2 EC F8 FF 83 F8 06 75 63 8D 55 E8 B8 01 00 00 00 E8 BC A5 F8 FF 8B 45 E8 8D 55 EC E8 39 00 F9 FF 8B 45 EC BA 78 85 47 00 E8 5C C3 F8 FF 75 07 E8 B1 C7 FF FF EB 35 A1 E8 B2 47 00 8B 00 E8 
A7 5B FE FF 8B 0D 00 B1 47 00 A1 E8 B2 47 00 8B 00 8B 15 F8 5B 47 00 E8 A7 5B FE FF A1 E8 B2 47 00 8B 00 E8 1B 5C FE FF E8 5E D6 FF FF 33 C0 5A 59 59 64 89 10 68 28 85 47 00 8D 45 E8 BA 02 00 00 00 E8 2C BF F8 FF C3 ********************************************************************** MASM32 / TASM32 .text .rdata .data .rsrc 00401000 RVA.>/$ 6A 00 push 0 ; /pModule = NULL 00401002 |. E8 830A0000 call <jmp.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA 00401007 |. A3 07304000 mov dword ptr ds:[403007],eax 0040100C |. 6A 00 push 0 ; /lParam = NULL 0040100E |. 68 6C104000 push RVA.0040106C ; |DlgProc = RVA.0040106C 00401013 |. 6A 00 push 0 ; |hOwner = NULL 00401015 |. 68 00304000 push RVA.00403000 ; |pTemplate = "DIALOG" 0040101A |. FF35 07304000 push dword ptr ds:[403007] ; |hInst = NULL 00401020 |. E8 F9090000 call <jmp.&USER32.DialogBoxParamA> ; \DialogBoxParamA 00401025 |. 50 push eax ; /ExitCode = 0 00401026 \. E8 4D0A0000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess 0040102B /. 55 push ebp 0040102C |. 8BEC mov ebp,esp 0040102E |. 837D 0C 10 cmp dword ptr ss:[ebp+C],10 00401032 |. 75 0C jnz short RVA.00401040 00401034 |. 6A 00 push 0 ; /Result = 0 00401036 |. FF75 08 push dword ptr ss:[ebp+8] ; |hWnd = 00401000 00401039 |. E8 EC090000 call <jmp.&USER32.EndDialog> ; \EndDialog 0040103E |. EB 26 jmp short RVA.00401066 00401040 |> 817D 0C 11010000 cmp dword ptr ss:[ebp+C],111 00401047 |. 75 1D jnz short RVA.00401066 00401049 |. 8B45 10 mov eax,dword ptr ss:[ebp+10] 0040104C |. 66:3D B80B cmp ax,0BB8 00401050 |. 75 14 jnz short RVA.00401066 00401052 |. C1E8 10 shr eax,10 00401055 |. 66:0BC0 or ax,ax 00401058 |. 75 0A jnz short RVA.00401064 0040105A |. 6A 00 push 0 ; /Result = 0 0040105C |. FF75 08 push dword ptr ss:[ebp+8] ; |hWnd = 00401000 0040105F |. E8 C6090000 call <jmp.&USER32.EndDialog> ; \EndDialog 00401064 |> EB 00 jmp short RVA.00401066 00401066 |> 33C0 xor eax,eax 00401068 |. C9 leave 00401069 \. 
C2 1000 retn 10 6A 00 E8 83 0A 00 00 A3 07 30 40 00 6A 00 68 6C 10 40 00 6A 00 68 00 30 40 00 FF 35 07 30 40 00 E8 F9 09 00 00 50 E8 4D 0A 00 00 55 8B EC 83 7D 0C 10 75 0C 6A 00 FF 75 08 E8 EC 09 00 00 EB 26 81 7D 0C 11 01 00 00 75 1D 8B 45 10 66 3D B8 0B 75 14 C1 E8 10 66 0B C0 75 0A 6A 00 FF 75 08 E8 C6 09 00 00 EB 00 33 C0 C9 C2 10 00 ********************************************************************** Microsoft Visual Basic 5.0 / 6.0 .text .data .rsrc 00402360 Kill>/$ 68 2C4D4000 push KillBox.00404D2C ; ASCII "VB5!6&*" 00402365 |. E8 EEFFFFFF call <jmp.&MSVBVM60.#100> 0040236A |. 0000 add byte ptr ds:[eax],al 0040236C |. 0000 add byte ptr ds:[eax],al 0040236E |. 0000 add byte ptr ds:[eax],al 00402370 |. 3000 xor byte ptr ds:[eax],al 00402372 |. 0000 add byte ptr ds:[eax],al 00402374 |. 3800 cmp byte ptr ds:[eax],al 00402376 |. 0000 add byte ptr ds:[eax],al 00402378 |. 0000 add byte ptr ds:[eax],al 0040237A |. 0000 add byte ptr ds:[eax],al 0040237C |. 4F dec edi ; ntdll.7C930738 0040237D \. C2 F150 retn 50F1 68 2C 4D 40 00 E8 EE FF FF FF 00 00 00 00 00 00 30 00 00 00 38 00 00 00 00 00 00 00 4F C2 F1 50 ********************************************************************** Microsoft Visual C++ 4.x .text .rdata .data .idata .reloc 00401CC0 memt> $ 64:A1 00000000 mov eax,dword ptr fs:[0] 00401CC6 . 55 push ebp 00401CC7 . 8BEC mov ebp,esp 00401CC9 . 6A FF push -1 00401CCB . 68 28804000 push memtest.00408028 00401CD0 . 68 001B4000 push memtest.00401B00 00401CD5 . 50 push eax 00401CD6 . 64:8925 00000000 mov dword ptr fs:[0],esp 00401CDD . 83EC 60 sub esp,60 00401CE0 . 53 push ebx 00401CE1 . 56 push esi 00401CE2 . 57 push edi ; ntdll.7C930738 00401CE3 . 8965 E8 mov dword ptr ss:[ebp-18],esp 00401CE6 . FF15 30D14000 call near dword ptr ds:[<&KERNEL32.GetVersion>] ; kernel32.GetVersion 00401CEC . A3 B89A4000 mov dword ptr ds:[409AB8],eax 00401CF1 . 33C0 xor eax,eax 00401CF3 . A0 B99A4000 mov al,byte ptr ds:[409AB9] 00401CF8 . 
A3 C49A4000 mov dword ptr ds:[409AC4],eax 00401CFD . A1 B89A4000 mov eax,dword ptr ds:[409AB8] 00401D02 . C12D B89A4000 10 shr dword ptr ds:[409AB8],10 00401D09 . 25 FF000000 and eax,0FF 00401D0E . A3 C09A4000 mov dword ptr ds:[409AC0],eax 00401D13 . C1E0 08 shl eax,8 00401D16 . 0305 C49A4000 add eax,dword ptr ds:[409AC4] 00401D1C . A3 BC9A4000 mov dword ptr ds:[409ABC],eax 00401D21 . E8 6A010000 call memtest.00401E90 00401D26 . 85C0 test eax,eax 00401D28 . 75 0A jnz short memtest.00401D34 00401D2A . 6A 1C push 1C 00401D2C . E8 2F010000 call memtest.00401E60 00401D31 . 83C4 04 add esp,4 00401D34 > C745 FC 00000000 mov dword ptr ss:[ebp-4],0 00401D3B . E8 00260000 call memtest.00404340 00401D40 . E8 EB250000 call memtest.00404330 00401D45 . FF15 2CD14000 call near dword ptr ds:[<&KERNEL32.GetCommandLineA>] ; [GetCommandLineA 00401D4B . A3 80CD4000 mov dword ptr ds:[40CD80],eax 00401D50 . E8 8B210000 call memtest.00403EE0 00401D55 . A3 3C924000 mov dword ptr ds:[40923C],eax 00401D5A . 85C0 test eax,eax 00401D5C . 74 09 je short memtest.00401D67 00401D5E . 833D 80CD4000 00 cmp dword ptr ds:[40CD80],0 00401D65 . 75 0A jnz short memtest.00401D71 00401D67 > 6A FF push -1 00401D69 . E8 021B0000 call memtest.00403870 00401D6E . 83C4 04 add esp,4 00401D71 > E8 EA1E0000 call memtest.00403C60 00401D76 . E8 F51D0000 call memtest.00403B70 00401D7B . E8 C01A0000 call memtest.00403840 00401D80 . 8B35 80CD4000 mov esi,dword ptr ds:[40CD80] 00401D86 . 8A06 mov al,byte ptr ds:[esi] 00401D88 . 3C 22 cmp al,22 00401D8A . 74 0C je short memtest.00401D98 00401D8C . 3C 20 cmp al,20 00401D8E . 76 35 jbe short memtest.00401DC5 00401D90 > 46 inc esi 00401D91 . 803E 20 cmp byte ptr ds:[esi],20 00401D94 .^ 77 FA ja short memtest.00401D90 00401D96 . EB 2D jmp short memtest.00401DC5 00401D98 > 46 inc esi 00401D99 . 803E 22 cmp byte ptr ds:[esi],22 00401D9C . 74 26 je short memtest.00401DC4 00401D9E . 8A5D D8 mov bl,byte ptr ss:[ebp-28] 00401DA1 > 8A1E mov bl,byte ptr ds:[esi] 00401DA3 . 
84DB test bl,bl 00401DA5 . 74 18 je short memtest.00401DBF 00401DA7 . 33C0 xor eax,eax 00401DA9 . 8AC3 mov al,bl 00401DAB . 50 push eax 00401DAC . E8 5F1D0000 call memtest.00403B10 00401DB1 . 83C4 04 add esp,4 00401DB4 . 85C0 test eax,eax 00401DB6 . 74 01 je short memtest.00401DB9 00401DB8 . 46 inc esi 00401DB9 > 46 inc esi 00401DBA . 803E 22 cmp byte ptr ds:[esi],22 00401DBD .^ 75 E2 jnz short memtest.00401DA1 00401DBF > 803E 22 cmp byte ptr ds:[esi],22 00401DC2 . 75 01 jnz short memtest.00401DC5 00401DC4 > 46 inc esi 00401DC5 > 803E 00 cmp byte ptr ds:[esi],0 00401DC8 . 74 0B je short memtest.00401DD5 00401DCA > 803E 20 cmp byte ptr ds:[esi],20 00401DCD . 77 06 ja short memtest.00401DD5 00401DCF . 46 inc esi 00401DD0 . 803E 00 cmp byte ptr ds:[esi],0 00401DD3 .^ 75 F5 jnz short memtest.00401DCA 00401DD5 > C745 BC 00000000 mov dword ptr ss:[ebp-44],0 00401DDC . 8D45 90 lea eax,dword ptr ss:[ebp-70] 00401DDF . 50 push eax ; /pStartupinfo = NULL 00401DE0 . FF15 28D14000 call near dword ptr ds:[<&KERNEL32.GetStartupInfoA>] ; \GetStartupInfoA 00401DE6 . F645 BC 01 test byte ptr ss:[ebp-44],1 00401DEA . B8 0A000000 mov eax,0A 00401DEF . 74 08 je short memtest.00401DF9 00401DF1 . 8B45 C0 mov eax,dword ptr ss:[ebp-40] ; ntdll.7C92E64E 00401DF4 . 25 FFFF0000 and eax,0FFFF 00401DF9 > 50 push eax ; /Arg4 = 00000000 00401DFA . 56 push esi ; |Arg3 = FFFFFFFF 00401DFB . 6A 00 push 0 ; |Arg2 = 00000000 00401DFD . 6A 00 push 0 ; |/pModule = NULL 00401DFF . FF15 24D14000 call near dword ptr ds:[<&KERNEL32.GetModuleHandleA>] ; |\GetModuleHandleA 00401E05 . 50 push eax ; |Arg1 = 00000000 00401E06 . E8 F5F1FFFF call memtest.00401000 ; \memtest.00401000 00401E0B . 50 push eax 00401E0C . E8 5F1A0000 call memtest.00403870 00401E11 . EB 27 jmp short memtest.00401E3A 00401E13 . 8B45 EC mov eax,dword ptr ss:[ebp-14] 00401E16 . 8B00 mov eax,dword ptr ds:[eax] 00401E18 . 8B00 mov eax,dword ptr ds:[eax] 00401E1A . 8945 E0 mov dword ptr ss:[ebp-20],eax 00401E1D . 
8B45 EC mov eax,dword ptr ss:[ebp-14] 00401E20 . 50 push eax 00401E21 . 8B45 E0 mov eax,dword ptr ss:[ebp-20] 00401E24 . 50 push eax 00401E25 . E8 561B0000 call memtest.00403980 00401E2A . 83C4 08 add esp,8 00401E2D . C3 retn 64 A1 00 00 00 00 55 8B EC 6A FF 68 28 80 40 00 68 00 1B 40 00 50 64 89 25 00 00 00 00 83 EC 60 53 56 57 89 65 E8 FF 15 30 D1 40 00 A3 B8 9A 40 00 33 C0 A0 B9 9A 40 00 A3 C4 9A 40 00 A1 B8 9A 40 00 C1 2D B8 9A 40 00 10 25 FF 00 00 00 A3 C0 9A 40 00 C1 E0 08 03 05 C4 9A 40 00 A3 BC 9A 40 00 E8 6A 01 00 00 85 C0 75 0A 6A 1C E8 2F 01 00 00 83 C4 04 C7 45 FC 00 00 00 00 E8 00 26 00 00 E8 EB 25 00 00 FF 15 2C D1 40 00 A3 80 CD 40 00 E8 8B 21 00 00 A3 3C 92 40 00 85 C0 74 09 83 3D 80 CD 40 00 00 75 0A 6A FF E8 02 1B 00 00 83 C4 04 E8 EA 1E 00 00 E8 F5 1D 00 00 E8 C0 1A 00 00 8B 35 80 CD 40 00 8A 06 3C 22 74 0C 3C 20 76 35 46 80 3E 20 77 FA EB 2D 46 80 3E 22 74 26 8A 5D D8 8A 1E 84 DB 74 18 33 C0 8A C3 50 E8 5F 1D 00 00 83 C4 04 85 C0 74 01 46 46 80 3E 22 75 E2 80 3E 22 75 01 46 80 3E 00 74 0B 80 3E 20 77 06 46 80 3E 00 75 F5 C7 45 BC 00 00 00 00 8D 45 90 50 FF 15 28 D1 40 00 F6 45 BC 01 B8 0A 00 00 00 74 08 8B 45 C0 25 FF FF 00 00 50 56 6A 00 6A 00 FF 15 24 D1 40 00 50 E8 F5 F1 FF FF 50 E8 5F 1A 00 00 EB 27 8B 45 EC 8B 00 8B 00 89 45 E0 8B 45 EC 50 8B 45 E0 50 E8 56 1B 00 00 83 C4 08 C3 ********************************************************************** Microsoft Visual C++ 5.0 .text .rdata .data .rsrc 0040B060 HEdi> $ 55 push ebp 0040B061 . 8BEC mov ebp,esp 0040B063 . 6A FF push -1 0040B065 . 68 C8264400 push HEdit.004426C8 0040B06A . 68 38E24000 push HEdit.0040E238 ; SE handler installation 0040B06F . 64:A1 00000000 mov eax,dword ptr fs:[0] 0040B075 . 50 push eax 0040B076 . 64:8925 00000000 mov dword ptr fs:[0],esp 0040B07D . 83C4 A8 add esp,-58 0040B080 . 53 push ebx 0040B081 . 56 push esi 0040B082 . 57 push edi ; ntdll.7C930738 0040B083 . 8965 E8 mov dword ptr ss:[ebp-18],esp 0040B086 . 
FF15 F0C14300 call near dword ptr ds:[<&KERNEL32.GetVersion>] ; kernel32.GetVersion 0040B08C . 33D2 xor edx,edx ; ntdll.KiFastSystemCallRet 0040B08E . 8AD4 mov dl,ah 0040B090 . 8915 A0174500 mov dword ptr ds:[4517A0],edx ; ntdll.KiFastSystemCallRet 0040B096 . 8BC8 mov ecx,eax 0040B098 . 81E1 FF000000 and ecx,0FF 0040B09E . 890D 9C174500 mov dword ptr ds:[45179C],ecx 0040B0A4 . C1E1 08 shl ecx,8 0040B0A7 . 03CA add ecx,edx ; ntdll.KiFastSystemCallRet 0040B0A9 . 890D 98174500 mov dword ptr ds:[451798],ecx 0040B0AF . C1E8 10 shr eax,10 0040B0B2 . A3 94174500 mov dword ptr ds:[451794],eax 0040B0B7 . E8 F45C0000 call HEdit.00410DB0 0040B0BC . 85C0 test eax,eax 0040B0BE . 75 0A jnz short HEdit.0040B0CA 0040B0C0 . 6A 1C push 1C 0040B0C2 . E8 79010000 call HEdit.0040B240 0040B0C7 . 83C4 04 add esp,4 0040B0CA > E8 11290000 call HEdit.0040D9E0 0040B0CF . 85C0 test eax,eax 0040B0D1 . 75 0A jnz short HEdit.0040B0DD 0040B0D3 . 6A 10 push 10 0040B0D5 . E8 66010000 call HEdit.0040B240 0040B0DA . 83C4 04 add esp,4 0040B0DD > C745 FC 00000000 mov dword ptr ss:[ebp-4],0 0040B0E4 . E8 B75A0000 call HEdit.00410BA0 0040B0E9 . E8 821B0000 call HEdit.0040CC70 0040B0EE . FF15 70C24300 call near dword ptr ds:[<&KERNEL32.GetCommandLineA>] ; [GetCommandLineA 0040B0F4 . A3 D02E4500 mov dword ptr ds:[452ED0],eax 0040B0F9 . E8 42590000 call HEdit.00410A40 0040B0FE . A3 DC174500 mov dword ptr ds:[4517DC],eax 0040B103 . 85C0 test eax,eax 0040B105 . 74 09 je short HEdit.0040B110 0040B107 . A1 D02E4500 mov eax,dword ptr ds:[452ED0] 0040B10C . 85C0 test eax,eax 0040B10E . 75 0A jnz short HEdit.0040B11A 0040B110 > 6A FF push -1 0040B112 . E8 C9F7FFFF call HEdit.0040A8E0 0040B117 . 83C4 04 add esp,4 0040B11A > E8 71560000 call HEdit.00410790 0040B11F . E8 7C550000 call HEdit.004106A0 0040B124 . E8 87F7FFFF call HEdit.0040A8B0 0040B129 . 8B35 D02E4500 mov esi,dword ptr ds:[452ED0] 0040B12F . 8975 9C mov dword ptr ss:[ebp-64],esi 0040B132 . 803E 22 cmp byte ptr ds:[esi],22 0040B135 . 
0F85 BE000000 jnz HEdit.0040B1F9 0040B13B > 46 inc esi 0040B13C . 8975 9C mov dword ptr ss:[ebp-64],esi 0040B13F . 8A06 mov al,byte ptr ds:[esi] 0040B141 . 3C 22 cmp al,22 0040B143 . 74 1C je short HEdit.0040B161 0040B145 . 84C0 test al,al 0040B147 . 74 18 je short HEdit.0040B161 0040B149 . 25 FF000000 and eax,0FF 0040B14E . 50 push eax 0040B14F . E8 EC540000 call HEdit.00410640 0040B154 . 83C4 04 add esp,4 0040B157 . 85C0 test eax,eax 0040B159 .^ 74 E0 je short HEdit.0040B13B 0040B15B . 46 inc esi 0040B15C . 8975 9C mov dword ptr ss:[ebp-64],esi 0040B15F .^ EB DA jmp short HEdit.0040B13B 0040B161 > 803E 22 cmp byte ptr ds:[esi],22 0040B164 . 75 04 jnz short HEdit.0040B16A 0040B166 . 46 inc esi 0040B167 . 8975 9C mov dword ptr ss:[ebp-64],esi 0040B16A > 8A06 mov al,byte ptr ds:[esi] 0040B16C . 84C0 test al,al 0040B16E . 74 0A je short HEdit.0040B17A 0040B170 . 3C 20 cmp al,20 0040B172 . 77 06 ja short HEdit.0040B17A 0040B174 . 46 inc esi 0040B175 . 8975 9C mov dword ptr ss:[ebp-64],esi 0040B178 .^ EB F0 jmp short HEdit.0040B16A 0040B17A > C745 D0 00000000 mov dword ptr ss:[ebp-30],0 0040B181 . 8D45 A4 lea eax,dword ptr ss:[ebp-5C] 0040B184 . 50 push eax ; /pStartupinfo = NULL 0040B185 . FF15 68C24300 call near dword ptr ds:[<&KERNEL32.GetStartupInfoA>] ; \GetStartupInfoA 0040B18B . F645 D0 01 test byte ptr ss:[ebp-30],1 0040B18F . 74 0A je short HEdit.0040B19B 0040B191 . 8B45 D4 mov eax,dword ptr ss:[ebp-2C] ; kernel32.7C816FD7 0040B194 . 25 FFFF0000 and eax,0FFFF 0040B199 . EB 05 jmp short HEdit.0040B1A0 0040B19B > B8 0A000000 mov eax,0A 0040B1A0 > 50 push eax 0040B1A1 . 56 push esi 0040B1A2 . 6A 00 push 0 0040B1A4 . 6A 00 push 0 ; /pModule = NULL 0040B1A6 . FF15 78C24300 call near dword ptr ds:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA 0040B1AC . 50 push eax 0040B1AD . E8 B5FC0000 call HEdit.0041AE67 0040B1B2 . 8945 A0 mov dword ptr ss:[ebp-60],eax 0040B1B5 . 50 push eax 0040B1B6 . E8 25F7FFFF call HEdit.0040A8E0 0040B1BB . 
EB 21 jmp short HEdit.0040B1DE 0040B1BD . 8B45 EC mov eax,dword ptr ss:[ebp-14] 0040B1C0 . 8B08 mov ecx,dword ptr ds:[eax] 0040B1C2 . 8B09 mov ecx,dword ptr ds:[ecx] ; ntdll.7C92E64E 0040B1C4 . 894D 98 mov dword ptr ss:[ebp-68],ecx 0040B1C7 . 50 push eax 0040B1C8 . 51 push ecx 0040B1C9 . E8 22520000 call HEdit.004103F0 0040B1CE . 83C4 08 add esp,8 0040B1D1 . C3 retn 55 8B EC 6A FF 68 C8 26 44 00 68 38 E2 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 C4 A8 53 56 57 89 65 E8 FF 15 F0 C1 43 00 33 D2 8A D4 89 15 A0 17 45 00 8B C8 81 E1 FF 00 00 00 89 0D 9C 17 45 00 C1 E1 08 03 CA 89 0D 98 17 45 00 C1 E8 10 A3 94 17 45 00 E8 F4 5C 00 00 85 C0 75 0A 6A 1C E8 79 01 00 00 83 C4 04 E8 11 29 00 00 85 C0 75 0A 6A 10 E8 66 01 00 00 83 C4 04 C7 45 FC 00 00 00 00 E8 B7 5A 00 00 E8 82 1B 00 00 FF 15 70 C2 43 00 A3 D0 2E 45 00 E8 42 59 00 00 A3 DC 17 45 00 85 C0 74 09 A1 D0 2E 45 00 85 C0 75 0A 6A FF E8 C9 F7 FF FF 83 C4 04 E8 71 56 00 00 E8 7C 55 00 00 E8 87 F7 FF FF 8B 35 D0 2E 45 00 89 75 9C 80 3E 22 0F 85 BE 00 00 00 46 89 75 9C 8A 06 3C 22 74 1C 84 C0 74 18 25 FF 00 00 00 50 E8 EC 54 00 00 83 C4 04 85 C0 74 E0 46 89 75 9C EB DA 80 3E 22 75 04 46 89 75 9C 8A 06 84 C0 74 0A 3C 20 77 06 46 89 75 9C EB F0 C7 45 D0 00 00 00 00 8D 45 A4 50 FF 15 68 C2 43 00 F6 45 D0 01 74 0A 8B 45 D4 25 FF FF 00 00 EB 05 B8 0A 00 00 00 50 56 6A 00 6A 00 FF 15 78 C2 43 00 50 E8 B5 FC 00 00 89 45 A0 50 E8 25 F7 FF FF EB 21 8B 45 EC 8B 08 8B 09 89 4D 98 50 51 E8 22 52 00 00 83 C4 08 C3 ********************************************************************** Microsoft Visual C++ 6.0 [Debug] .text .rdata .data .rsrc 005522F3 Baby>/$ 55 push ebp 005522F4 |. 8BEC mov ebp,esp 005522F6 |. 6A FF push -1 005522F8 |. 68 58235800 push Babylon.00582358 005522FD |. 68 6C5B5500 push Babylon.00555B6C ; SE handler installation 00552302 |. 64:A1 00000000 mov eax,dword ptr fs:[0] 00552308 |. 50 push eax 00552309 |. 64:8925 00000000 mov dword ptr fs:[0],esp 00552310 |. 83EC 58 sub esp,58 00552313 |. 
53 push ebx 00552314 |. 56 push esi 00552315 |. 57 push edi ; ntdll.7C930738 00552316 |. 8965 E8 mov dword ptr ss:[ebp-18],esp 00552319 |. FF15 00635700 call near dword ptr ds:[<&KERNEL32.GetVersion>] ; kernel32.GetVersion 0055231F |. 33D2 xor edx,edx ; ntdll.KiFastSystemCallRet 00552321 |. 8AD4 mov dl,ah 00552323 |. 8915 00BF5D00 mov dword ptr ds:[5DBF00],edx ; ntdll.KiFastSystemCallRet 00552329 |. 8BC8 mov ecx,eax 0055232B |. 81E1 FF000000 and ecx,0FF 00552331 |. 890D FCBE5D00 mov dword ptr ds:[5DBEFC],ecx 00552337 |. C1E1 08 shl ecx,8 0055233A |. 03CA add ecx,edx ; ntdll.KiFastSystemCallRet 0055233C |. 890D F8BE5D00 mov dword ptr ds:[5DBEF8],ecx 00552342 |. C1E8 10 shr eax,10 00552345 |. A3 F4BE5D00 mov dword ptr ds:[5DBEF4],eax 0055234A |. 6A 01 push 1 0055234C |. E8 391D0000 call Babylon.0055408A 00552351 |. 59 pop ecx ; kernel32.7C816FD7 00552352 |. 85C0 test eax,eax 00552354 |. 75 08 jnz short Babylon.0055235E 00552356 |. 6A 1C push 1C 00552358 |. E8 C3000000 call Babylon.00552420 0055235D |. 59 pop ecx ; kernel32.7C816FD7 0055235E |> E8 99350000 call Babylon.005558FC 00552363 |. 85C0 test eax,eax 00552365 |. 75 08 jnz short Babylon.0055236F 00552367 |. 6A 10 push 10 00552369 |. E8 B2000000 call Babylon.00552420 0055236E |. 59 pop ecx ; kernel32.7C816FD7 0055236F |> 33F6 xor esi,esi 00552371 |. 8975 FC mov dword ptr ss:[ebp-4],esi 00552374 |. E8 1B840000 call Babylon.0055A794 00552379 |. FF15 0C625700 call near dword ptr ds:[<&KERNEL32.GetCommandLineA>] ; [GetCommandLineA 0055237F |. A3 08D85D00 mov dword ptr ds:[5DD808],eax 00552384 |. E8 1B8C0000 call Babylon.0055AFA4 00552389 |. A3 7CBE5D00 mov dword ptr ds:[5DBE7C],eax 0055238E |. E8 C4890000 call Babylon.0055AD57 00552393 |. E8 06890000 call Babylon.0055AC9E 00552398 |. E8 A7380000 call Babylon.00555C44 0055239D |. 8975 D0 mov dword ptr ss:[ebp-30],esi 005523A0 |. 8D45 A4 lea eax,dword ptr ss:[ebp-5C] 005523A3 |. 50 push eax ; /pStartupinfo = NULL 005523A4 |. 
FF15 18625700 call near dword ptr ds:[<&KERNEL32.GetStartupInfoA>] ; \GetStartupInfoA 005523AA |. E8 97880000 call Babylon.0055AC46 005523AF |. 8945 9C mov dword ptr ss:[ebp-64],eax 005523B2 |. F645 D0 01 test byte ptr ss:[ebp-30],1 005523B6 |. 74 06 je short Babylon.005523BE 005523B8 |. 0FB745 D4 movzx eax,word ptr ss:[ebp-2C] 005523BC |. EB 03 jmp short Babylon.005523C1 005523BE |> 6A 0A push 0A 005523C0 |. 58 pop eax ; kernel32.7C816FD7 005523C1 |> 50 push eax ; /Arg4 = 00000000 005523C2 |. FF75 9C push dword ptr ss:[ebp-64] ; |Arg3 = 00000001 005523C5 |. 56 push esi ; |Arg2 = FFFFFFFF 005523C6 |. 56 push esi ; |/pModule = FFFFFFFF ??? 005523C7 |. FF15 68645700 call near dword ptr ds:[<&KERNEL32.GetModuleHandleA>] ; |\GetModuleHandleA 005523CD |. 50 push eax ; |Arg1 = 00000000 005523CE |. E8 2DC0EBFF call Babylon.0040E400 ; \Babylon.0040E400 005523D3 |. 8945 A0 mov dword ptr ss:[ebp-60],eax 005523D6 |. 50 push eax 005523D7 |. E8 95380000 call Babylon.00555C71 005523DC |. 8B45 EC mov eax,dword ptr ss:[ebp-14] 005523DF |. 8B08 mov ecx,dword ptr ds:[eax] 005523E1 |. 8B09 mov ecx,dword ptr ds:[ecx] ; ntdll.7C92E64E 005523E3 |. 894D 98 mov dword ptr ss:[ebp-68],ecx 005523E6 |. 50 push eax 005523E7 |. 51 push ecx 005523E8 |. E8 68550000 call Babylon.00557955 005523ED |. 59 pop ecx ; kernel32.7C816FD7 005523EE |. 59 pop ecx ; kernel32.7C816FD7 005523EF \. 
C3 retn 55 8B EC 6A FF 68 58 23 58 00 68 6C 5B 55 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 00 63 57 00 33 D2 8A D4 89 15 00 BF 5D 00 8B C8 81 E1 FF 00 00 00 89 0D FC BE 5D 00 C1 E1 08 03 CA 89 0D F8 BE 5D 00 C1 E8 10 A3 F4 BE 5D 00 6A 01 E8 39 1D 00 00 59 85 C0 75 08 6A 1C E8 C3 00 00 00 59 E8 99 35 00 00 85 C0 75 08 6A 10 E8 B2 00 00 00 59 33 F6 89 75 FC E8 1B 84 00 00 FF 15 0C 62 57 00 A3 08 D8 5D 00 E8 1B 8C 00 00 A3 7C BE 5D 00 E8 C4 89 00 00 E8 06 89 00 00 E8 A7 38 00 00 89 75 D0 8D 45 A4 50 FF 15 18 62 57 00 E8 97 88 00 00 89 45 9C F6 45 D0 01 74 06 0F B7 45 D4 EB 03 6A 0A 58 50 FF 75 9C 56 56 FF 15 68 64 57 00 50 E8 2D C0 EB FF 89 45 A0 50 E8 95 38 00 00 8B 45 EC 8B 08 8B 09 89 4D 98 50 51 E8 68 55 00 00 59 59 C3 ********************************************************************** Microsoft Visual C++ 6.0 .text .rdata .data .tls .rsrc 004AD06E ACDS>/$ 55 push ebp 004AD06F |. 8BEC mov ebp,esp 004AD071 |. 6A FF push -1 004AD073 |. 68 28014E00 push ACDSee.004E0128 004AD078 |. 68 9C0C4B00 push ACDSee.004B0C9C ; SE handler installation 004AD07D |. 64:A1 00000000 mov eax,dword ptr fs:[0] 004AD083 |. 50 push eax 004AD084 |. 64:8925 00000000 mov dword ptr fs:[0],esp 004AD08B |. 83EC 58 sub esp,58 004AD08E |. 53 push ebx 004AD08F |. 56 push esi 004AD090 |. 57 push edi ; ntdll.7C930738 004AD091 |. 8965 E8 mov dword ptr ss:[ebp-18],esp 004AD094 |. FF15 A8744D00 call near dword ptr ds:[<&KERNEL32.GetVersion>] ; kernel32.GetVersion 004AD09A |. 33D2 xor edx,edx ; ntdll.KiFastSystemCallRet 004AD09C |. 8AD4 mov dl,ah 004AD09E |. 8915 F4584F00 mov dword ptr ds:[4F58F4],edx ; ntdll.KiFastSystemCallRet 004AD0A4 |. 8BC8 mov ecx,eax 004AD0A6 |. 81E1 FF000000 and ecx,0FF 004AD0AC |. 890D F0584F00 mov dword ptr ds:[4F58F0],ecx 004AD0B2 |. C1E1 08 shl ecx,8 004AD0B5 |. 03CA add ecx,edx ; ntdll.KiFastSystemCallRet 004AD0B7 |. 890D EC584F00 mov dword ptr ds:[4F58EC],ecx 004AD0BD |. C1E8 10 shr eax,10 004AD0C0 |. 
A3 E8584F00 mov dword ptr ds:[4F58E8],eax 004AD0C5 |. 6A 01 push 1 004AD0C7 |. E8 C12D0000 call ACDSee.004AFE8D 004AD0CC |. 59 pop ecx ; kernel32.7C816FD7 004AD0CD |. 85C0 test eax,eax 004AD0CF |. 75 08 jnz short ACDSee.004AD0D9 004AD0D1 |. 6A 1C push 1C 004AD0D3 |. E8 C3000000 call ACDSee.004AD19B 004AD0D8 |. 59 pop ecx ; kernel32.7C816FD7 004AD0D9 |> E8 4E230000 call ACDSee.004AF42C 004AD0DE |. 85C0 test eax,eax 004AD0E0 |. 75 08 jnz short ACDSee.004AD0EA 004AD0E2 |. 6A 10 push 10 004AD0E4 |. E8 B2000000 call ACDSee.004AD19B 004AD0E9 |. 59 pop ecx ; kernel32.7C816FD7 004AD0EA |> 33F6 xor esi,esi 004AD0EC |. 8975 FC mov dword ptr ss:[ebp-4],esi 004AD0EF |. E8 42510000 call ACDSee.004B2236 004AD0F4 |. FF15 7C724D00 call near dword ptr ds:[<&KERNEL32.GetCommandLineA>] ; [GetCommandLineA 004AD0FA |. A3 58704F00 mov dword ptr ds:[4F7058],eax 004AD0FF |. E8 00500000 call ACDSee.004B2104 004AD104 |. A3 D8584F00 mov dword ptr ds:[4F58D8],eax 004AD109 |. E8 A94D0000 call ACDSee.004B1EB7 004AD10E |. E8 EB4C0000 call ACDSee.004B1DFE 004AD113 |. E8 EF080000 call ACDSee.004ADA07 004AD118 |. 8975 D0 mov dword ptr ss:[ebp-30],esi 004AD11B |. 8D45 A4 lea eax,dword ptr ss:[ebp-5C] 004AD11E |. 50 push eax ; /pStartupinfo = NULL 004AD11F |. FF15 74724D00 call near dword ptr ds:[<&KERNEL32.GetStartupInfoA>] ; \GetStartupInfoA 004AD125 |. E8 7C4C0000 call ACDSee.004B1DA6 004AD12A |. 8945 9C mov dword ptr ss:[ebp-64],eax 004AD12D |. F645 D0 01 test byte ptr ss:[ebp-30],1 004AD131 |. 74 06 je short ACDSee.004AD139 004AD133 |. 0FB745 D4 movzx eax,word ptr ss:[ebp-2C] 004AD137 |. EB 03 jmp short ACDSee.004AD13C 004AD139 |> 6A 0A push 0A 004AD13B |. 58 pop eax ; kernel32.7C816FD7 004AD13C |> 50 push eax 004AD13D |. FF75 9C push dword ptr ss:[ebp-64] 004AD140 |. 56 push esi 004AD141 |. 56 push esi ; /pModule = FFFFFFFF ??? 004AD142 |. FF15 90744D00 call near dword ptr ds:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA 004AD148 |. 50 push eax 004AD149 |. 
E8 F9E50000 call ACDSee.004BB747 004AD14E |. 8945 A0 mov dword ptr ss:[ebp-60],eax 004AD151 |. 50 push eax 004AD152 |. E8 DD080000 call ACDSee.004ADA34 004AD157 |. 8B45 EC mov eax,dword ptr ss:[ebp-14] 004AD15A |. 8B08 mov ecx,dword ptr ds:[eax] 004AD15C |. 8B09 mov ecx,dword ptr ds:[ecx] ; ntdll.7C92E64E 004AD15E |. 894D 98 mov dword ptr ss:[ebp-68],ecx 004AD161 |. 50 push eax 004AD162 |. 51 push ecx 004AD163 |. E8 B3390000 call ACDSee.004B0B1B 004AD168 |. 59 pop ecx ; kernel32.7C816FD7 004AD169 |. 59 pop ecx ; kernel32.7C816FD7 004AD16A \. C3 retn 55 8B EC 6A FF 68 28 01 4E 00 68 9C 0C 4B 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 A8 74 4D 00 33 D2 8A D4 89 15 F4 58 4F 00 8B C8 81 E1 FF 00 00 00 89 0D F0 58 4F 00 C1 E1 08 03 CA 89 0D EC 58 4F 00 C1 E8 10 A3 E8 58 4F 00 6A 01 E8 C1 2D 00 00 59 85 C0 75 08 6A 1C E8 C3 00 00 00 59 E8 4E 23 00 00 85 C0 75 08 6A 10 E8 B2 00 00 00 59 33 F6 89 75 FC E8 42 51 00 00 FF 15 7C 72 4D 00 A3 58 70 4F 00 E8 00 50 00 00 A3 D8 58 4F 00 E8 A9 4D 00 00 E8 EB 4C 00 00 E8 EF 08 00 00 89 75 D0 8D 45 A4 50 FF 15 74 72 4D 00 E8 7C 4C 00 00 89 45 9C F6 45 D0 01 74 06 0F B7 45 D4 EB 03 6A 0A 58 50 FF 75 9C 56 56 FF 15 90 74 4D 00 50 E8 F9 E5 00 00 89 45 A0 50 E8 DD 08 00 00 8B 45 EC 8B 08 8B 09 89 4D 98 50 51 E8 B3 39 00 00 59 59 C3 ********************************************************************** Microsoft Visual C++ 7.0 [Debug] .text .rdata .data .rsrc 004079A3 eMul> $ 6A 60 push 60 004079A5 . 68 B0244200 push eMuleUpd.004224B0 004079AA . E8 F5E1FFFF call eMuleUpd.00405BA4 004079AF . BF 94000000 mov edi,94 004079B4 . 8BC7 mov eax,edi ; ntdll.7C930738 004079B6 . E8 65FCFFFF call eMuleUpd.00407620 004079BB . 8965 E8 mov dword ptr ss:[ebp-18],esp 004079BE . 8BF4 mov esi,esp 004079C0 . 893E mov dword ptr ds:[esi],edi ; ntdll.7C930738 004079C2 . 56 push esi ; /pVersionInformation = FFFFFFFF 004079C3 . FF15 70024200 call near dword ptr ds:[<&KERNEL32.GetVersionExA>] ; \GetVersionExA 004079C9 . 
8B4E 10 mov ecx,dword ptr ds:[esi+10] 004079CC . 890D 28BB4200 mov dword ptr ds:[42BB28],ecx 004079D2 . 8B46 04 mov eax,dword ptr ds:[esi+4] 004079D5 . A3 34BB4200 mov dword ptr ds:[42BB34],eax 004079DA . 8B56 08 mov edx,dword ptr ds:[esi+8] 004079DD . 8915 38BB4200 mov dword ptr ds:[42BB38],edx ; ntdll.KiFastSystemCallRet 004079E3 . 8B76 0C mov esi,dword ptr ds:[esi+C] 004079E6 . 81E6 FF7F0000 and esi,7FFF 004079EC . 8935 2CBB4200 mov dword ptr ds:[42BB2C],esi 004079F2 . 83F9 02 cmp ecx,2 004079F5 . 74 0C je short eMuleUpd.00407A03 004079F7 . 81CE 00800000 or esi,8000 004079FD . 8935 2CBB4200 mov dword ptr ds:[42BB2C],esi 00407A03 > C1E0 08 shl eax,8 00407A06 . 03C2 add eax,edx ; ntdll.KiFastSystemCallRet 00407A08 . A3 30BB4200 mov dword ptr ds:[42BB30],eax 00407A0D . 33F6 xor esi,esi 00407A0F . 56 push esi ; /pModule = FFFFFFFF ??? 00407A10 . 8B3D 88014200 mov edi,dword ptr ds:[<&KERNEL32.GetModuleHandleA>] ; |kernel32.GetModuleHandleA 00407A16 . FFD7 call near edi ; \GetModuleHandleA 00407A18 . 66:8138 4D5A cmp word ptr ds:[eax],5A4D 00407A1D . 75 1F jnz short eMuleUpd.00407A3E 00407A1F . 8B48 3C mov ecx,dword ptr ds:[eax+3C] 00407A22 . 03C8 add ecx,eax 00407A24 . 8139 50450000 cmp dword ptr ds:[ecx],4550 00407A2A . 75 12 jnz short eMuleUpd.00407A3E 00407A2C . 0FB741 18 movzx eax,word ptr ds:[ecx+18] 00407A30 . 3D 0B010000 cmp eax,10B 00407A35 . 74 1F je short eMuleUpd.00407A56 00407A37 . 3D 0B020000 cmp eax,20B 00407A3C . 74 05 je short eMuleUpd.00407A43 00407A3E > 8975 E4 mov dword ptr ss:[ebp-1C],esi 00407A41 . EB 27 jmp short eMuleUpd.00407A6A 00407A43 > 83B9 84000000 0E cmp dword ptr ds:[ecx+84],0E 00407A4A .^ 76 F2 jbe short eMuleUpd.00407A3E 00407A4C . 33C0 xor eax,eax 00407A4E . 39B1 F8000000 cmp dword ptr ds:[ecx+F8],esi 00407A54 . EB 0E jmp short eMuleUpd.00407A64 00407A56 > 8379 74 0E cmp dword ptr ds:[ecx+74],0E 00407A5A .^ 76 E2 jbe short eMuleUpd.00407A3E 00407A5C . 33C0 xor eax,eax 00407A5E . 
39B1 E8000000 cmp dword ptr ds:[ecx+E8],esi 00407A64 > 0F95C0 setne al 00407A67 . 8945 E4 mov dword ptr ss:[ebp-1C],eax 00407A6A > 6A 01 push 1 00407A6C . E8 A3550000 call eMuleUpd.0040D014 00407A71 . 59 pop ecx ; kernel32.7C816FD7 00407A72 . 85C0 test eax,eax 00407A74 . 75 08 jnz short eMuleUpd.00407A7E 00407A76 . 6A 1C push 1C 00407A78 . E8 02FFFFFF call eMuleUpd.0040797F 00407A7D . 59 pop ecx ; kernel32.7C816FD7 00407A7E > E8 572A0000 call eMuleUpd.0040A4DA 00407A83 . 85C0 test eax,eax 00407A85 . 75 08 jnz short eMuleUpd.00407A8F 00407A87 . 6A 10 push 10 00407A89 . E8 F1FEFFFF call eMuleUpd.0040797F 00407A8E . 59 pop ecx ; kernel32.7C816FD7 00407A8F > E8 756A0000 call eMuleUpd.0040E509 00407A94 . 8975 FC mov dword ptr ss:[ebp-4],esi 00407A97 . E8 6F680000 call eMuleUpd.0040E30B 00407A9C . 85C0 test eax,eax 00407A9E . 7D 08 jge short eMuleUpd.00407AA8 00407AA0 . 6A 1B push 1B 00407AA2 . E8 B3FEFFFF call eMuleUpd.0040795A 00407AA7 . 59 pop ecx ; kernel32.7C816FD7 00407AA8 > FF15 0C024200 call near dword ptr ds:[<&KERNEL32.GetCommandLineA>] ; [GetCommandLineA 00407AAE . A3 10D44200 mov dword ptr ds:[42D410],eax 00407AB3 . E8 31670000 call eMuleUpd.0040E1E9 00407AB8 . A3 14BB4200 mov dword ptr ds:[42BB14],eax 00407ABD . E8 85660000 call eMuleUpd.0040E147 00407AC2 . 85C0 test eax,eax 00407AC4 . 7D 08 jge short eMuleUpd.00407ACE 00407AC6 . 6A 08 push 8 00407AC8 . E8 8DFEFFFF call eMuleUpd.0040795A 00407ACD . 59 pop ecx ; kernel32.7C816FD7 00407ACE > E8 41640000 call eMuleUpd.0040DF14 00407AD3 . 85C0 test eax,eax 00407AD5 . 7D 08 jge short eMuleUpd.00407ADF 00407AD7 . 6A 09 push 9 00407AD9 . E8 7CFEFFFF call eMuleUpd.0040795A 00407ADE . 59 pop ecx ; kernel32.7C816FD7 00407ADF > 6A 01 push 1 00407AE1 . E8 72030000 call eMuleUpd.00407E58 00407AE6 . 59 pop ecx ; kernel32.7C816FD7 00407AE7 . 8945 D8 mov dword ptr ss:[ebp-28],eax 00407AEA . 3BC6 cmp eax,esi 00407AEC . 74 07 je short eMuleUpd.00407AF5 00407AEE . 50 push eax 00407AEF . 
E8 66FEFFFF call eMuleUpd.0040795A 00407AF4 . 59 pop ecx ; kernel32.7C816FD7 00407AF5 > 8975 BC mov dword ptr ss:[ebp-44],esi 00407AF8 . 8D45 90 lea eax,dword ptr ss:[ebp-70] 00407AFB . 50 push eax ; /pStartupinfo = NULL 00407AFC . FF15 B4004200 call near dword ptr ds:[<&KERNEL32.GetStartupInfoA>] ; \GetStartupInfoA 00407B02 . E8 B0630000 call eMuleUpd.0040DEB7 00407B07 . 8945 E0 mov dword ptr ss:[ebp-20],eax 00407B0A . F645 BC 01 test byte ptr ss:[ebp-44],1 00407B0E . 74 06 je short eMuleUpd.00407B16 00407B10 . 0FB745 C0 movzx eax,word ptr ss:[ebp-40] 00407B14 . EB 03 jmp short eMuleUpd.00407B19 00407B16 > 6A 0A push 0A 00407B18 . 58 pop eax ; kernel32.7C816FD7 00407B19 > 50 push eax 00407B1A . FF75 E0 push dword ptr ss:[ebp-20] 00407B1D . 56 push esi 00407B1E . 56 push esi 00407B1F . FFD7 call near edi ; ntdll.7C930738 00407B21 . 50 push eax 00407B22 . E8 33B50000 call eMuleUpd.0041305A 00407B27 . 8BF8 mov edi,eax 00407B29 . 897D D4 mov dword ptr ss:[ebp-2C],edi ; ntdll.7C930738 00407B2C . 3975 E4 cmp dword ptr ss:[ebp-1C],esi 00407B2F . 75 06 jnz short eMuleUpd.00407B37 00407B31 . 57 push edi ; ntdll.7C930738 00407B32 . E8 4E040000 call eMuleUpd.00407F85 00407B37 > E8 6B040000 call eMuleUpd.00407FA7 00407B3C . EB 2B jmp short eMuleUpd.00407B69 00407B3E . 8B45 EC mov eax,dword ptr ss:[ebp-14] 00407B41 . 8B08 mov ecx,dword ptr ds:[eax] 00407B43 . 8B09 mov ecx,dword ptr ds:[ecx] ; ntdll.7C92E64E 00407B45 . 894D DC mov dword ptr ss:[ebp-24],ecx 00407B48 . 50 push eax 00407B49 . 51 push ecx 00407B4A . E8 04620000 call eMuleUpd.0040DD53 00407B4F . 59 pop ecx ; kernel32.7C816FD7 00407B50 . 59 pop ecx ; kernel32.7C816FD7 00407B51 . 
C3 retn 6A 60 68 B0 24 42 00 E8 F5 E1 FF FF BF 94 00 00 00 8B C7 E8 65 FC FF FF 89 65 E8 8B F4 89 3E 56 FF 15 70 02 42 00 8B 4E 10 89 0D 28 BB 42 00 8B 46 04 A3 34 BB 42 00 8B 56 08 89 15 38 BB 42 00 8B 76 0C 81 E6 FF 7F 00 00 89 35 2C BB 42 00 83 F9 02 74 0C 81 CE 00 80 00 00 89 35 2C BB 42 00 C1 E0 08 03 C2 A3 30 BB 42 00 33 F6 56 8B 3D 88 01 42 00 FF D7 66 81 38 4D 5A 75 1F 8B 48 3C 03 C8 81 39 50 45 00 00 75 12 0F B7 41 18 3D 0B 01 00 00 74 1F 3D 0B 02 00 00 74 05 89 75 E4 EB 27 83 B9 84 00 00 00 0E 76 F2 33 C0 39 B1 F8 00 00 00 EB 0E 83 79 74 0E 76 E2 33 C0 39 B1 E8 00 00 00 0F 95 C0 89 45 E4 6A 01 E8 A3 55 00 00 59 85 C0 75 08 6A 1C E8 02 FF FF FF 59 E8 57 2A 00 00 85 C0 75 08 6A 10 E8 F1 FE FF FF 59 E8 75 6A 00 00 89 75 FC E8 6F 68 00 00 85 C0 7D 08 6A 1B E8 B3 FE FF FF 59 FF 15 0C 02 42 00 A3 10 D4 42 00 E8 31 67 00 00 A3 14 BB 42 00 E8 85 66 00 00 85 C0 7D 08 6A 08 E8 8D FE FF FF 59 E8 41 64 00 00 85 C0 7D 08 6A 09 E8 7C FE FF FF 59 6A 01 E8 72 03 00 00 59 89 45 D8 3B C6 74 07 50 E8 66 FE FF FF 59 89 75 BC 8D 45 90 50 FF 15 B4 00 42 00 E8 B0 63 00 00 89 45 E0 F6 45 BC 01 74 06 0F B7 45 C0 EB 03 6A 0A 58 50 FF 75 E0 56 56 FF D7 50 E8 33 B5 00 00 8B F8 89 7D D4 39 75 E4 75 06 57 E8 4E 04 00 00 E8 6B 04 00 00 EB 2B 8B 45 EC 8B 08 8B 09 89 4D DC 50 51 E8 04 62 00 00 59 59 C3 ********************************************************************** Microsoft Visual C++ 7.0 Method2 [Debug] .text .data .rsrc 0100739D note> 6A 70 push 70 0100739F 68 98180001 push notepad.01001898 010073A4 E8 BF010000 call notepad.01007568 010073A9 33DB xor ebx,ebx 010073AB 53 push ebx 010073AC 8B3D CC100001 mov edi,dword ptr ds:[<&KERNEL32.GetModuleHandleA>] ; kernel32.GetModuleHandleA 010073B2 FFD7 call near edi ; ntdll.7C930738 010073B4 66:8138 4D5A cmp word ptr ds:[eax],5A4D 010073B9 75 1F jnz short notepad.010073DA 010073BB 8B48 3C mov ecx,dword ptr ds:[eax+3C] 010073BE 03C8 add ecx,eax 010073C0 8139 50450000 cmp dword ptr ds:[ecx],4550 010073C6 75 12 jnz short notepad.010073DA 
010073C8 0FB741 18 movzx eax,word ptr ds:[ecx+18] 010073CC 3D 0B010000 cmp eax,10B 010073D1 74 1F je short notepad.010073F2 010073D3 3D 0B020000 cmp eax,20B 010073D8 74 05 je short notepad.010073DF 010073DA 895D E4 mov dword ptr ss:[ebp-1C],ebx 010073DD EB 27 jmp short notepad.01007406 010073DF 83B9 84000000 0E cmp dword ptr ds:[ecx+84],0E 010073E6 ^ 76 F2 jbe short notepad.010073DA 010073E8 33C0 xor eax,eax 010073EA 3999 F8000000 cmp dword ptr ds:[ecx+F8],ebx 010073F0 EB 0E jmp short notepad.01007400 010073F2 8379 74 0E cmp dword ptr ds:[ecx+74],0E 010073F6 ^ 76 E2 jbe short notepad.010073DA 010073F8 33C0 xor eax,eax 010073FA 3999 E8000000 cmp dword ptr ds:[ecx+E8],ebx 01007400 0F95C0 setne al 01007403 8945 E4 mov dword ptr ss:[ebp-1C],eax 01007406 895D FC mov dword ptr ss:[ebp-4],ebx 01007409 6A 02 push 2 0100740B FF15 38130001 call near dword ptr ds:[<&msvcrt.__set_app_type>] ; msvcrt.__set_app_type 01007411 59 pop ecx ; kernel32.7C816FD7 01007412 830D 9CAB0001 FF or dword ptr ds:[100AB9C],FFFFFFFF 01007419 830D A0AB0001 FF or dword ptr ds:[100ABA0],FFFFFFFF 01007420 FF15 34130001 call near dword ptr ds:[<&msvcrt.__p__fmode>] ; msvcrt.__p__fmode 01007426 8B0D B89A0001 mov ecx,dword ptr ds:[1009AB8] 0100742C 8908 mov dword ptr ds:[eax],ecx 0100742E FF15 30130001 call near dword ptr ds:[<&msvcrt.__p__commode>] ; msvcrt.__p__commode 01007434 8B0D B49A0001 mov ecx,dword ptr ds:[1009AB4] 0100743A 8908 mov dword ptr ds:[eax],ecx 0100743C A1 2C130001 mov eax,dword ptr ds:[<&msvcrt._adjust_fdiv>] 01007441 8B00 mov eax,dword ptr ds:[eax] 01007443 A3 A4AB0001 mov dword ptr ds:[100ABA4],eax 01007448 E8 A7010000 call notepad.010075F4 0100744D 391D 08960001 cmp dword ptr ds:[1009608],ebx 01007453 75 0C jnz short notepad.01007461 01007455 68 F4750001 push notepad.010075F4 ; Entry address 0100745A FF15 28130001 call near dword ptr ds:[<&msvcrt.__setusermatherr>] ; msvcrt.__setusermatherr 01007460 59 pop ecx ; kernel32.7C816FD7 01007461 E8 77010000 call notepad.010075DD 
01007466 68 10900001 push notepad.01009010 0100746B 68 0C900001 push notepad.0100900C 01007470 E8 5D010000 call <jmp.&msvcrt._initterm> 01007475 A1 B09A0001 mov eax,dword ptr ds:[1009AB0] 0100747A 8945 DC mov dword ptr ss:[ebp-24],eax 0100747D 8D45 DC lea eax,dword ptr ss:[ebp-24] 01007480 50 push eax 01007481 FF35 AC9A0001 push dword ptr ds:[1009AAC] 01007487 8D45 D4 lea eax,dword ptr ss:[ebp-2C] 0100748A 50 push eax 0100748B 8D45 D0 lea eax,dword ptr ss:[ebp-30] 0100748E 50 push eax 0100748F 8D45 CC lea eax,dword ptr ss:[ebp-34] 01007492 50 push eax 01007493 FF15 20130001 call near dword ptr ds:[<&msvcrt.__getmainargs>] ; msvcrt.__getmainargs 01007499 8945 C8 mov dword ptr ss:[ebp-38],eax 0100749C 68 08900001 push notepad.01009008 010074A1 68 00900001 push notepad.01009000 010074A6 E8 27010000 call <jmp.&msvcrt._initterm> 010074AB 83C4 24 add esp,24 010074AE A1 1C130001 mov eax,dword ptr ds:[<&msvcrt._acmdln>] 010074B3 8B30 mov esi,dword ptr ds:[eax] 010074B5 8975 E0 mov dword ptr ss:[ebp-20],esi 010074B8 803E 22 cmp byte ptr ds:[esi],22 010074BB 75 3A jnz short notepad.010074F7 010074BD 46 inc esi 010074BE 8975 E0 mov dword ptr ss:[ebp-20],esi 010074C1 8A06 mov al,byte ptr ds:[esi] 010074C3 3AC3 cmp al,bl 010074C5 74 04 je short notepad.010074CB 010074C7 3C 22 cmp al,22 010074C9 ^ 75 F2 jnz short notepad.010074BD 010074CB 803E 22 cmp byte ptr ds:[esi],22 010074CE 75 04 jnz short notepad.010074D4 010074D0 46 inc esi 010074D1 8975 E0 mov dword ptr ss:[ebp-20],esi 010074D4 8A06 mov al,byte ptr ds:[esi] 010074D6 3AC3 cmp al,bl 010074D8 74 04 je short notepad.010074DE 010074DA 3C 20 cmp al,20 010074DC ^ 76 F2 jbe short notepad.010074D0 010074DE 895D AC mov dword ptr ss:[ebp-54],ebx 010074E1 8D45 80 lea eax,dword ptr ss:[ebp-80] 010074E4 50 push eax 010074E5 FF15 D0100001 call near dword ptr ds:[<&KERNEL32.GetStartupInfoA>] ; kernel32.GetStartupInfoA 010074EB F645 AC 01 test byte ptr ss:[ebp-54],1 010074EF 74 11 je short notepad.01007502 010074F1 0FB745 B0 movzx 
eax,word ptr ss:[ebp-50] 010074F5 EB 0E jmp short notepad.01007505 010074F7 803E 20 cmp byte ptr ds:[esi],20 010074FA ^ 76 D8 jbe short notepad.010074D4 010074FC 46 inc esi 010074FD 8975 E0 mov dword ptr ss:[ebp-20],esi 01007500 ^ EB F5 jmp short notepad.010074F7 01007502 6A 0A push 0A 01007504 58 pop eax ; kernel32.7C816FD7 01007505 50 push eax 01007506 56 push esi 01007507 53 push ebx 01007508 53 push ebx 01007509 FFD7 call near edi ; ntdll.7C930738 0100750B 50 push eax 0100750C E8 25B4FFFF call notepad.01002936 01007511 8BF0 mov esi,eax 01007513 8975 C4 mov dword ptr ss:[ebp-3C],esi 01007516 395D E4 cmp dword ptr ss:[ebp-1C],ebx 01007519 75 07 jnz short notepad.01007522 0100751B 56 push esi 0100751C FF15 18130001 call near dword ptr ds:[<&msvcrt.exit>] ; msvcrt.exit 01007522 FF15 00130001 call near dword ptr ds:[<&msvcrt._cexit>] ; msvcrt._cexit 01007528 EB 2D jmp short notepad.01007557 0100752A 8B45 EC mov eax,dword ptr ss:[ebp-14] 0100752D 8B08 mov ecx,dword ptr ds:[eax] 0100752F 8B09 mov ecx,dword ptr ds:[ecx] ; ntdll.7C92E64E 01007531 894D D8 mov dword ptr ss:[ebp-28],ecx 01007534 50 push eax 01007535 51 push ecx 01007536 E8 8B000000 call <jmp.&msvcrt._XcptFilter> 0100753B 59 pop ecx ; kernel32.7C816FD7 0100753C 59 pop ecx ; kernel32.7C816FD7 0100753D C3 retn 6A 70 68 98 18 00 01 E8 BF 01 00 00 33 DB 53 8B 3D CC 10 00 01 FF D7 66 81 38 4D 5A 75 1F 8B 48 3C 03 C8 81 39 50 45 00 00 75 12 0F B7 41 18 3D 0B 01 00 00 74 1F 3D 0B 02 00 00 74 05 89 5D E4 EB 27 83 B9 84 00 00 00 0E 76 F2 33 C0 39 99 F8 00 00 00 EB 0E 83 79 74 0E 76 E2 33 C0 39 99 E8 00 00 00 0F 95 C0 89 45 E4 89 5D FC 6A 02 FF 15 38 13 00 01 59 83 0D 9C AB 00 01 FF 83 0D A0 AB 00 01 FF FF 15 34 13 00 01 8B 0D B8 9A 00 01 89 08 FF 15 30 13 00 01 8B 0D B4 9A 00 01 89 08 A1 2C 13 00 01 8B 00 A3 A4 AB 00 01 E8 A7 01 00 00 39 1D 08 96 00 01 75 0C 68 F4 75 00 01 FF 15 28 13 00 01 59 E8 77 01 00 00 68 10 90 00 01 68 0C 90 00 01 E8 5D 01 00 00 A1 B0 9A 00 01 89 45 DC 8D 45 DC 50 FF 35 AC 9A 00 01 8D 45 D4 
50 8D 45 D0 50 8D 45 CC 50 FF 15 20 13 00 01 89 45 C8 68 08 90 00 01 68 00 90 00 01 E8 27 01 00 00 83 C4 24 A1 1C 13 00 01 8B 30 89 75 E0 80 3E 22 75 3A 46 89 75 E0 8A 06 3A C3 74 04 3C 22 75 F2 80 3E 22 75 04 46 89 75 E0 8A 06 3A C3 74 04 3C 20 76 F2 89 5D AC 8D 45 80 50 FF 15 D0 10 00 01 F6 45 AC 01 74 11 0F B7 45 B0 EB 0E 80 3E 20 76 D8 46 89 75 E0 EB F5 6A 0A 58 50 56 53 53 FF D7 50 E8 25 B4 FF FF 8B F0 89 75 C4 39 5D E4 75 07 56 FF 15 18 13 00 01 FF 15 00 13 00 01 EB 2D 8B 45 EC 8B 08 8B 09 89 4D D8 50 51 E8 8B 00 00 00 59 59 C3 ********************************************************************** Microsoft Visual C++ 7.0 .text .rdata .data .rsrc 004A5D0A BitB> $ 6A 60 push 60 004A5D0C . 68 D07A4C00 push BitBuddy.004C7AD0 004A5D11 . E8 7A060000 call BitBuddy.004A6390 004A5D16 . BF 94000000 mov edi,94 004A5D1B . 8BC7 mov eax,edi ; ntdll.7C930738 004A5D1D . E8 CEE6FFFF call BitBuddy.004A43F0 004A5D22 . 8965 E8 mov dword ptr ss:[ebp-18],esp 004A5D25 . 8BF4 mov esi,esp 004A5D27 . 893E mov dword ptr ds:[esi],edi ; ntdll.7C930738 004A5D29 . 56 push esi ; /pVersionInformation = FFFFFFFF 004A5D2A . FF15 8CF24B00 call near dword ptr ds:[<&KERNEL32.GetVersionExA>] ; \GetVersionExA 004A5D30 . 8B4E 10 mov ecx,dword ptr ds:[esi+10] 004A5D33 . 890D 78614E00 mov dword ptr ds:[4E6178],ecx 004A5D39 . 8B46 04 mov eax,dword ptr ds:[esi+4] 004A5D3C . A3 84614E00 mov dword ptr ds:[4E6184],eax 004A5D41 . 8B56 08 mov edx,dword ptr ds:[esi+8] 004A5D44 . 8915 88614E00 mov dword ptr ds:[4E6188],edx ; ntdll.KiFastSystemCallRet 004A5D4A . 8B76 0C mov esi,dword ptr ds:[esi+C] 004A5D4D . 81E6 FF7F0000 and esi,7FFF 004A5D53 . 8935 7C614E00 mov dword ptr ds:[4E617C],esi 004A5D59 . 83F9 02 cmp ecx,2 004A5D5C . 74 0C je short BitBuddy.004A5D6A 004A5D5E . 81CE 00800000 or esi,8000 004A5D64 . 8935 7C614E00 mov dword ptr ds:[4E617C],esi 004A5D6A > C1E0 08 shl eax,8 004A5D6D . 03C2 add eax,edx ; ntdll.KiFastSystemCallRet 004A5D6F . A3 80614E00 mov dword ptr ds:[4E6180],eax 004A5D74 . 
33F6 xor esi,esi 004A5D76 . 56 push esi ; /pModule = FFFFFFFF ??? 004A5D77 . 8B3D 08F24B00 mov edi,dword ptr ds:[<&KERNEL32.GetModuleHandleA>] ; |kernel32.GetModuleHandleA 004A5D7D . FFD7 call near edi ; \GetModuleHandleA 004A5D7F . 66:8138 4D5A cmp word ptr ds:[eax],5A4D 004A5D84 . 75 1F jnz short BitBuddy.004A5DA5 004A5D86 . 8B48 3C mov ecx,dword ptr ds:[eax+3C] 004A5D89 . 03C8 add ecx,eax 004A5D8B . 8139 50450000 cmp dword ptr ds:[ecx],4550 004A5D91 . 75 12 jnz short BitBuddy.004A5DA5 004A5D93 . 0FB741 18 movzx eax,word ptr ds:[ecx+18] 004A5D97 . 3D 0B010000 cmp eax,10B 004A5D9C . 74 1F je short BitBuddy.004A5DBD 004A5D9E . 3D 0B020000 cmp eax,20B 004A5DA3 . 74 05 je short BitBuddy.004A5DAA 004A5DA5 > 8975 E4 mov dword ptr ss:[ebp-1C],esi 004A5DA8 . EB 27 jmp short BitBuddy.004A5DD1 004A5DAA > 83B9 84000000 0E cmp dword ptr ds:[ecx+84],0E 004A5DB1 .^ 76 F2 jbe short BitBuddy.004A5DA5 004A5DB3 . 33C0 xor eax,eax 004A5DB5 . 39B1 F8000000 cmp dword ptr ds:[ecx+F8],esi 004A5DBB . EB 0E jmp short BitBuddy.004A5DCB 004A5DBD > 8379 74 0E cmp dword ptr ds:[ecx+74],0E 004A5DC1 .^ 76 E2 jbe short BitBuddy.004A5DA5 004A5DC3 . 33C0 xor eax,eax 004A5DC5 . 39B1 E8000000 cmp dword ptr ds:[ecx+E8],esi 004A5DCB > 0F95C0 setne al 004A5DCE . 8945 E4 mov dword ptr ss:[ebp-1C],eax 004A5DD1 > 6A 01 push 1 004A5DD3 . E8 6C340000 call BitBuddy.004A9244 004A5DD8 . 59 pop ecx ; kernel32.7C816FD7 004A5DD9 . 85C0 test eax,eax 004A5DDB . 75 08 jnz short BitBuddy.004A5DE5 004A5DDD . 6A 1C push 1C 004A5DDF . E8 02FFFFFF call BitBuddy.004A5CE6 004A5DE4 . 59 pop ecx ; kernel32.7C816FD7 004A5DE5 > E8 EE300000 call BitBuddy.004A8ED8 004A5DEA . 85C0 test eax,eax 004A5DEC . 75 08 jnz short BitBuddy.004A5DF6 004A5DEE . 6A 10 push 10 004A5DF0 . E8 F1FEFFFF call BitBuddy.004A5CE6 004A5DF5 . 59 pop ecx ; kernel32.7C816FD7 004A5DF6 > E8 EA6F0000 call BitBuddy.004ACDE5 004A5DFB . 8975 FC mov dword ptr ss:[ebp-4],esi 004A5DFE . E8 BC630000 call BitBuddy.004AC1BF 004A5E03 . 85C0 test eax,eax 004A5E05 . 
7D 08 jge short BitBuddy.004A5E0F 004A5E07 . 6A 1B push 1B 004A5E09 . E8 B3FEFFFF call BitBuddy.004A5CC1 004A5E0E . 59 pop ecx ; kernel32.7C816FD7 004A5E0F > FF15 54F14B00 call near dword ptr ds:[<&KERNEL32.GetCommandLineA>] ; [GetCommandLineA 004A5E15 . A3 F4784E00 mov dword ptr ds:[4E78F4],eax 004A5E1A . E8 A46E0000 call BitBuddy.004ACCC3 004A5E1F . A3 D85F4E00 mov dword ptr ds:[4E5FD8],eax 004A5E24 . E8 F86D0000 call BitBuddy.004ACC21 004A5E29 . 85C0 test eax,eax 004A5E2B . 7D 08 jge short BitBuddy.004A5E35 004A5E2D . 6A 08 push 8 004A5E2F . E8 8DFEFFFF call BitBuddy.004A5CC1 004A5E34 . 59 pop ecx ; kernel32.7C816FD7 004A5E35 > E8 B46B0000 call BitBuddy.004AC9EE 004A5E3A . 85C0 test eax,eax 004A5E3C . 7D 08 jge short BitBuddy.004A5E46 004A5E3E . 6A 09 push 9 004A5E40 . E8 7CFEFFFF call BitBuddy.004A5CC1 004A5E45 . 59 pop ecx ; kernel32.7C816FD7 004A5E46 > 6A 01 push 1 004A5E48 . E8 42290000 call BitBuddy.004A878F 004A5E4D . 59 pop ecx ; kernel32.7C816FD7 004A5E4E . 8945 D8 mov dword ptr ss:[ebp-28],eax 004A5E51 . 3BC6 cmp eax,esi 004A5E53 . 74 07 je short BitBuddy.004A5E5C 004A5E55 . 50 push eax 004A5E56 . E8 66FEFFFF call BitBuddy.004A5CC1 004A5E5B . 59 pop ecx ; kernel32.7C816FD7 004A5E5C > 8975 BC mov dword ptr ss:[ebp-44],esi 004A5E5F . 8D45 90 lea eax,dword ptr ss:[ebp-70] 004A5E62 . 50 push eax ; /pStartupinfo = NULL 004A5E63 . FF15 58F14B00 call near dword ptr ds:[<&KERNEL32.GetStartupInfoA>] ; \GetStartupInfoA 004A5E69 . E8 236B0000 call BitBuddy.004AC991 004A5E6E . 8945 E0 mov dword ptr ss:[ebp-20],eax 004A5E71 . F645 BC 01 test byte ptr ss:[ebp-44],1 004A5E75 . 74 06 je short BitBuddy.004A5E7D 004A5E77 . 0FB745 C0 movzx eax,word ptr ss:[ebp-40] 004A5E7B . EB 03 jmp short BitBuddy.004A5E80 004A5E7D > 6A 0A push 0A 004A5E7F . 58 pop eax ; kernel32.7C816FD7 004A5E80 > 50 push eax 004A5E81 . FF75 E0 push dword ptr ss:[ebp-20] 004A5E84 . 56 push esi 004A5E85 . 56 push esi 004A5E86 . FFD7 call near edi ; ntdll.7C930738 004A5E88 . 
50 push eax ; |Arg1 = 00000000 004A5E89 . E8 620BF8FF call BitBuddy.004269F0 ; \BitBuddy.004269F0 004A5E8E . 8BF8 mov edi,eax 004A5E90 . 897D D4 mov dword ptr ss:[ebp-2C],edi ; ntdll.7C930738 004A5E93 . 3975 E4 cmp dword ptr ss:[ebp-1C],esi 004A5E96 . 75 06 jnz short BitBuddy.004A5E9E 004A5E98 . 57 push edi ; ntdll.7C930738 004A5E99 . E8 1E2A0000 call BitBuddy.004A88BC 004A5E9E > E8 3B2A0000 call BitBuddy.004A88DE 004A5EA3 . EB 2B jmp short BitBuddy.004A5ED0 004A5EA5 . 8B45 EC mov eax,dword ptr ss:[ebp-14] 004A5EA8 . 8B08 mov ecx,dword ptr ds:[eax] 004A5EAA . 8B09 mov ecx,dword ptr ds:[ecx] ; ntdll.7C92E64E 004A5EAC . 894D DC mov dword ptr ss:[ebp-24],ecx 004A5EAF . 50 push eax 004A5EB0 . 51 push ecx 004A5EB1 . E8 77690000 call BitBuddy.004AC82D 004A5EB6 . 59 pop ecx ; kernel32.7C816FD7 004A5EB7 . 59 pop ecx ; kernel32.7C816FD7 004A5EB8 . C3 retn 6A 60 68 D0 7A 4C 00 E8 7A 06 00 00 BF 94 00 00 00 8B C7 E8 CE E6 FF FF 89 65 E8 8B F4 89 3E 56 FF 15 8C F2 4B 00 8B 4E 10 89 0D 78 61 4E 00 8B 46 04 A3 84 61 4E 00 8B 56 08 89 15 88 61 4E 00 8B 76 0C 81 E6 FF 7F 00 00 89 35 7C 61 4E 00 83 F9 02 74 0C 81 CE 00 80 00 00 89 35 7C 61 4E 00 C1 E0 08 03 C2 A3 80 61 4E 00 33 F6 56 8B 3D 08 F2 4B 00 FF D7 66 81 38 4D 5A 75 1F 8B 48 3C 03 C8 81 39 50 45 00 00 75 12 0F B7 41 18 3D 0B 01 00 00 74 1F 3D 0B 02 00 00 74 05 89 75 E4 EB 27 83 B9 84 00 00 00 0E 76 F2 33 C0 39 B1 F8 00 00 00 EB 0E 83 79 74 0E 76 E2 33 C0 39 B1 E8 00 00 00 0F 95 C0 89 45 E4 6A 01 E8 6C 34 00 00 59 85 C0 75 08 6A 1C E8 02 FF FF FF 59 E8 EE 30 00 00 85 C0 75 08 6A 10 E8 F1 FE FF FF 59 E8 EA 6F 00 00 89 75 FC E8 BC 63 00 00 85 C0 7D 08 6A 1B E8 B3 FE FF FF 59 FF 15 54 F1 4B 00 A3 F4 78 4E 00 E8 A4 6E 00 00 A3 D8 5F 4E 00 E8 F8 6D 00 00 85 C0 7D 08 6A 08 E8 8D FE FF FF 59 E8 B4 6B 00 00 85 C0 7D 08 6A 09 E8 7C FE FF FF 59 6A 01 E8 42 29 00 00 59 89 45 D8 3B C6 74 07 50 E8 66 FE FF FF 59 89 75 BC 8D 45 90 50 FF 15 58 F1 4B 00 E8 23 6B 00 00 89 45 E0 F6 45 BC 01 74 06 0F B7 45 C0 EB 03 6A 0A 58 50 FF 75 E0 56 56 
FF D7 50 E8 62 0B F8 FF 8B F8 89 7D D4 39 75 E4 75 06 57 E8 1E 2A 00 00 E8 3B 2A 00 00 EB 2B 8B 45 EC 8B 08 8B 09 89 4D DC 50 51 E8 77 69 00 00 59 59 C3 ********************************************************************** VC8 -> Microsoft Corporation * .text .rdata .data .rsrc 00495FCE > /6A 60 push 60 00495FD0 . |68 387B4C00 push foobar20.004C7B38 00495FD5 . |E8 A60C0000 call foobar20.00496C80 00495FDA . |8365 FC 00 and dword ptr ss:[ebp-4],0 00495FDE . |8D45 90 lea eax,dword ptr ss:[ebp-70] 00495FE1 . |50 push eax ; /pStartupinfo = 535C08DE 00495FE2 . |FF15 14414B00 call near dword ptr ds:[<&KERNEL32.GetStartupInfoW>] ; \GetStartupInfoW 00495FE8 . |C745 FC FEFFFFFF mov dword ptr ss:[ebp-4],-2 00495FEF . |BF 94000000 mov edi,94 00495FF4 . |57 push edi ; /HeapSize = 7C930738 (2090010424.) 00495FF5 . |6A 00 push 0 ; |Flags = 0 00495FF7 . |8B1D 10414B00 mov ebx,dword ptr ds:[<&KERNEL32.GetProcessHeap>] ; |kernel32.GetProcessHeap 00495FFD . |FFD3 call near ebx ; |[GetProcessHeap 00495FFF . |50 push eax ; |hHeap = 535C08DE 00496000 . |FF15 08414B00 call near dword ptr ds:[<&KERNEL32.HeapAlloc>] ; \HeapAlloc 00496006 . |8BF0 mov esi,eax 00496008 . |85F6 test esi,esi 0049600A . |75 0D jnz short foobar20.00496019 0049600C . |6A 12 push 12 0049600E . |E8 56FFFFFF call foobar20.00495F69 00496013 . |59 pop ecx ; kernel32.7C816FD7 00496014 . |E9 89010000 jmp foobar20.004961A2 00496019 > |893E mov dword ptr ds:[esi],edi ; ntdll.7C930738 0049601B . |56 push esi ; /pVersionInformation = FFFFFFFF 0049601C . |FF15 0C414B00 call near dword ptr ds:[<&KERNEL32.GetVersionExA>] ; \GetVersionExA 00496022 . |56 push esi 00496023 . |6A 00 push 0 00496025 . |85C0 test eax,eax 00496027 . |75 0E jnz short foobar20.00496037 00496029 . |FFD3 call near ebx 0049602B . |50 push eax ; |hHeap = 535C08DE 0049602C . |FF15 C8414B00 call near dword ptr ds:[<&KERNEL32.HeapFree>] ; \HeapFree 00496032 . |E9 6B010000 jmp foobar20.004961A2 00496037 > |8B46 10 mov eax,dword ptr ds:[esi+10] 0049603A . 
|8945 E0 mov dword ptr ss:[ebp-20],eax 0049603D . |8B46 04 mov eax,dword ptr ds:[esi+4] 00496040 . |8945 DC mov dword ptr ss:[ebp-24],eax 00496043 . |8B46 08 mov eax,dword ptr ds:[esi+8] 00496046 . |8945 D8 mov dword ptr ss:[ebp-28],eax 00496049 . |8B7E 0C mov edi,dword ptr ds:[esi+C] 0049604C . |81E7 FF7F0000 and edi,7FFF 00496052 . |FFD3 call near ebx 00496054 . |50 push eax ; |hHeap = 535C08DE 00496055 . |FF15 C8414B00 call near dword ptr ds:[<&KERNEL32.HeapFree>] ; \HeapFree 0049605B . |8B75 E0 mov esi,dword ptr ss:[ebp-20] 0049605E . |83FE 02 cmp esi,2 00496061 . |74 06 je short foobar20.00496069 00496063 . |81CF 00800000 or edi,8000 00496069 > |8B4D DC mov ecx,dword ptr ss:[ebp-24] 0049606C . |8BC1 mov eax,ecx 0049606E . |C1E0 08 shl eax,8 00496071 . |8B55 D8 mov edx,dword ptr ss:[ebp-28] ; ntdll.7C930738 00496074 . |03C2 add eax,edx ; ntdll.KiFastSystemCallRet 00496076 . |8935 CC084E00 mov dword ptr ds:[4E08CC],esi 0049607C . |A3 D4084E00 mov dword ptr ds:[4E08D4],eax 00496081 . |890D D8084E00 mov dword ptr ds:[4E08D8],ecx 00496087 . |8915 DC084E00 mov dword ptr ds:[4E08DC],edx ; ntdll.KiFastSystemCallRet 0049608D . |893D D0084E00 mov dword ptr ds:[4E08D0],edi ; ntdll.7C930738 00496093 . |E8 F5FEFFFF call foobar20.00495F8D 00496098 . |8945 E0 mov dword ptr ss:[ebp-20],eax 0049609B . |33DB xor ebx,ebx 0049609D . |43 inc ebx 0049609E . |53 push ebx 0049609F . |E8 8C100000 call foobar20.00497130 004960A4 . |59 pop ecx ; kernel32.7C816FD7 004960A5 . |85C0 test eax,eax 004960A7 . |75 08 jnz short foobar20.004960B1 004960A9 . |6A 1C push 1C 004960AB . |E8 B9FEFFFF call foobar20.00495F69 004960B0 . |59 pop ecx ; kernel32.7C816FD7 004960B1 > |E8 C5050000 call foobar20.0049667B 004960B6 . |85C0 test eax,eax 004960B8 . |75 08 jnz short foobar20.004960C2 004960BA . |6A 10 push 10 004960BC . |E8 A8FEFFFF call foobar20.00495F69 004960C1 . |59 pop ecx ; kernel32.7C816FD7 004960C2 > |E8 80790000 call foobar20.0049DA47 004960C7 . 
|895D FC mov dword ptr ss:[ebp-4],ebx 004960CA . |E8 38770000 call foobar20.0049D807 004960CF . |85C0 test eax,eax 004960D1 . |7D 08 jge short foobar20.004960DB 004960D3 . |6A 1B push 1B 004960D5 . |E8 9B080000 call foobar20.00496975 004960DA . |59 pop ecx ; kernel32.7C816FD7 004960DB > |E8 88760000 call foobar20.0049D768 004960E0 . |A3 9C544E00 mov dword ptr ds:[4E549C],eax 004960E5 . |E8 1D750000 call foobar20.0049D607 004960EA . |A3 AC084E00 mov dword ptr ds:[4E08AC],eax 004960EF . |E8 68740000 call foobar20.0049D55C 004960F4 . |85C0 test eax,eax 004960F6 . |7D 08 jge short foobar20.00496100 004960F8 . |6A 08 push 8 004960FA . |E8 76080000 call foobar20.00496975 004960FF . |59 pop ecx ; kernel32.7C816FD7 00496100 > |E8 31720000 call foobar20.0049D336 00496105 . |85C0 test eax,eax 00496107 . |7D 08 jge short foobar20.00496111 00496109 . |6A 09 push 9 0049610B . |E8 65080000 call foobar20.00496975 00496110 . |59 pop ecx ; kernel32.7C816FD7 00496111 > |53 push ebx 00496112 . |E8 7A090000 call foobar20.00496A91 00496117 . |59 pop ecx ; kernel32.7C816FD7 00496118 . |85C0 test eax,eax 0049611A . |74 07 je short foobar20.00496123 0049611C . |50 push eax 0049611D . |E8 53080000 call foobar20.00496975 00496122 . |59 pop ecx ; kernel32.7C816FD7 00496123 > |E8 C8710000 call foobar20.0049D2F0 00496128 . |845D BC test byte ptr ss:[ebp-44],bl 0049612B . |74 06 je short foobar20.00496133 0049612D . |0FB74D C0 movzx ecx,word ptr ss:[ebp-40] 00496131 . |EB 03 jmp short foobar20.00496136 00496133 > |6A 0A push 0A 00496135 . |59 pop ecx ; kernel32.7C816FD7 00496136 > |51 push ecx 00496137 . |50 push eax 00496138 . |6A 00 push 0 0049613A . |68 00004000 push foobar20.00400000 0049613F . |E8 8EAAF9FF call foobar20.00430BD2 00496144 . |8945 E4 mov dword ptr ss:[ebp-1C],eax 00496147 . |837D E0 00 cmp dword ptr ss:[ebp-20],0 0049614B . |75 06 jnz short foobar20.00496153 0049614D . |50 push eax 0049614E . 
|E8 9E0A0000 call foobar20.00496BF1 00496153 > |E8 BB0A0000 call foobar20.00496C13 00496158 . |EB 2E jmp short foobar20.00496188 0049615A . |8B45 EC mov eax,dword ptr ss:[ebp-14] 0049615D . |8B08 mov ecx,dword ptr ds:[eax] 0049615F . |8B09 mov ecx,dword ptr ds:[ecx] ; ntdll.7C92E10E 00496161 . |894D D4 mov dword ptr ss:[ebp-2C],ecx 00496164 . |50 push eax 00496165 . |51 push ecx 00496166 . |E8 16700000 call foobar20.0049D181 0049616B . |59 pop ecx ; kernel32.7C816FD7 0049616C . |59 pop ecx ; kernel32.7C816FD7 0049616D . |C3 retn 0049616E . |8B65 E8 mov esp,dword ptr ss:[ebp-18] 00496171 . |8B45 D4 mov eax,dword ptr ss:[ebp-2C] ; kernel32.7C816FD7 00496174 . |8945 E4 mov dword ptr ss:[ebp-1C],eax 00496177 . |837D E0 00 cmp dword ptr ss:[ebp-20],0 0049617B . |75 06 jnz short foobar20.00496183 0049617D . |50 push eax 0049617E . |E8 7F0A0000 call foobar20.00496C02 00496183 > |E8 9A0A0000 call foobar20.00496C22 00496188 > |C745 FC FEFFFFFF mov dword ptr ss:[ebp-4],-2 0049618F . |8B45 E4 mov eax,dword ptr ss:[ebp-1C] 00496192 . |EB 13 jmp short foobar20.004961A7 00496194 . |33C0 xor eax,eax 00496196 . |40 inc eax 00496197 . |C3 retn 00496198 . |8B65 E8 mov esp,dword ptr ss:[ebp-18] 0049619B . |C745 FC FEFFFFFF mov dword ptr ss:[ebp-4],-2 004961A2 > |B8 FF000000 mov eax,0FF 004961A7 > |E8 190B0000 call foobar20.00496CC5 004961AC . |C3 retn 004961AD foob> $ |E8 DD780000 call foobar20.0049DA8F 004961B2 .^\E9 17FEFFFF jmp foobar20.00495FCE 004961B7 $ 3B0D B0CC4D00 cmp ecx,dword ptr ds:[4DCCB0] 004961BD . 75 02 jnz short foobar20.004961C1 004961BF . F3: prefix rep: 004961C0 . 
C3 retn 6A 60 68 38 7B 4C 00 E8 A6 0C 00 00 83 65 FC 00 8D 45 90 50 FF 15 14 41 4B 00 C7 45 FC FE FF FF FF BF 94 00 00 00 57 6A 00 8B 1D 10 41 4B 00 FF D3 50 FF 15 08 41 4B 00 8B F0 85 F6 75 0D 6A 12 E8 56 FF FF FF 59 E9 89 01 00 00 89 3E 56 FF 15 0C 41 4B 00 56 6A 00 85 C0 75 0E FF D3 50 FF 15 C8 41 4B 00 E9 6B 01 00 00 8B 46 10 89 45 E0 8B 46 04 89 45 DC 8B 46 08 89 45 D8 8B 7E 0C 81 E7 FF 7F 00 00 FF D3 50 FF 15 C8 41 4B 00 8B 75 E0 83 FE 02 74 06 81 CF 00 80 00 00 8B 4D DC 8B C1 C1 E0 08 8B 55 D8 03 C2 89 35 CC 08 4E 00 A3 D4 08 4E 00 89 0D D8 08 4E 00 89 15 DC 08 4E 00 89 3D D0 08 4E 00 E8 F5 FE FF FF 89 45 E0 33 DB 43 53 E8 8C 10 00 00 59 85 C0 75 08 6A 1C E8 B9 FE FF FF 59 E8 C5 05 00 00 85 C0 75 08 6A 10 E8 A8 FE FF FF 59 E8 80 79 00 00 89 5D FC E8 38 77 00 00 85 C0 7D 08 6A 1B E8 9B 08 00 00 59 E8 88 76 00 00 A3 9C 54 4E 00 E8 1D 75 00 00 A3 AC 08 4E 00 E8 68 74 00 00 85 C0 7D 08 6A 08 E8 76 08 00 00 59 E8 31 72 00 00 85 C0 7D 08 6A 09 E8 65 08 00 00 59 53 E8 7A 09 00 00 59 85 C0 74 07 50 E8 53 08 00 00 59 E8 C8 71 00 00 84 5D BC 74 06 0F B7 4D C0 EB 03 6A 0A 59 51 50 6A 00 68 00 00 40 00 E8 8E AA F9 FF 89 45 E4 83 7D E0 00 75 06 50 E8 9E 0A 00 00 E8 BB 0A 00 00 EB 2E 8B 45 EC 8B 08 8B 09 89 4D D4 50 51 E8 16 70 00 00 59 59 C3 8B 65 E8 8B 45 D4 89 45 E4 83 7D E0 00 75 06 50 E8 7F 0A 00 00 E8 9A 0A 00 00 C7 45 FC FE FF FF FF 8B 45 E4 EB 13 33 C0 40 C3 8B 65 E8 C7 45 FC FE FF FF FF B8 FF 00 00 00 E8 19 0B 00 00 C3 E8 DD 78 00 00 E9 17 FE FF FF 3B 0D B0 CC 4D 00 75 02 F3 C3 |