diff --git a/cfg_parser.py b/cfg_parser.py
new file mode 100644
index 0000000..113fb8e
--- /dev/null
+++ b/cfg_parser.py
@@ -0,0 +1,36 @@
+def parse_wave_nodes(cfg,wave: int) -> list:
+ return list(filter(lambda node: node["wave"] == wave,cfg["nodes"]))
+
+def parse_procaddr_calls(cfg,wave:int):
+ res = []
+ wave_nodes:list[dict] = parse_wave_nodes(cfg,wave)
+ for node in wave_nodes:
+ if "syscalls" in node.keys():
+ for syscall in node["syscalls"]:
+ if syscall["name"] == "KERNEL32.DLL!GetProcAddress":
+ funcname = syscall["arguments"][-1].split("\"")[1]
+ func_addr = syscall["return"]
+ res.append({"name": funcname, "addr": func_addr})
+ return res
+
+def parse_syscalls(cfg,wave: int) -> list[dict[str, str]]:
+ res: list[dict[str,str]] = []
+ wave_nodes:list[dict] = parse_wave_nodes(cfg,wave)
+ no_repeat = []
+ for node in wave_nodes:
+ if "syscalls" in node.keys():
+ for syscall in node["syscalls"]:
+ if node["last_instr"] in no_repeat:
+ continue
+ adress = node["last_instr"] # call is at the end of the basic block
+ name = syscall["name"]
+ current_instruction = node["instructions"][-1]["mnemonic"]
+ no_repeat.append(adress)
+ res.append({"adress":adress,"name":name})
+ return res
+
+def parse_wave_entrypoint(cfg,wave: int) -> int:
+ return int(parse_wave_nodes(cfg,wave)[0]["start"],16)
+
+def parse_bb_registers(cfg,wave:int,n_bb:int) -> dict[str,str]:
+ return parse_wave_nodes(cfg,wave)[n_bb]["registers"]
diff --git a/iat.py b/iat.py
index ae668d0..1ee858d 100644
--- a/iat.py
+++ b/iat.py
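Review bot: `parse_procaddr_calls` does `syscall["arguments"][-1].split("\"")[1]`, which raises IndexError the moment a traced GetProcAddress call carries no quoted name (an ordinal lookup, or an argument the tracer rendered without quotes), aborting the whole rebuild instead of skipping that one entry. Guard it before indexing: `name_arg = syscall["arguments"][-1]` / `if '"' not in name_arg: continue  # ordinal or unrenderable name, cannot be mapped to an export` / `funcname = name_arg.split('"')[1]`. `parse_wave_entrypoint` likewise surfaces a bare IndexError when no node carries the requested wave; `raise ValueError(f"no basic block recorded for wave {wave}")` would tell the user that the trace and the dump disagree. In `parse_syscalls`, `current_instruction` is assigned and never read, and `no_repeat` is probed once per syscall so it should be a set rather than a list.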
@@ -1,30 +1,15 @@ +import argparse import json - import lief +import patch +import cfg_parser +import reginit lief.disable_leak_warning() # warnings to disable for the callback with open("lib/WindowsDllsExport/win10-19043-exports.json", "rb") as f: api_info = json.load(f) -dump_path = "rsc/wave-0001.dump" -# dump_path = "rsc/wave-0002.dump" -iat_json_path = "rsc/upx-hostname.exe.bin_iat_wave1.json" -# iat_json_path = "rsc/000155f2e0360f6ff6cd.exe_iat_wave2.json" - - -def hex_address_to_memory_representation(hex_addr: str, is_32b: bool, is_little_endian: bool) -> list[int]: - adress_size = 4 if is_32b else 8 - mem_value = [0x00] * adress_size - hex_addr = hex_addr[::-1][:-2] # reversing order and stripping zero - for i in range(0, adress_size): - byte_str = hex_addr[i * 2 : (i + 1) * 2][::-1] - mem_value[i] += int(byte_str, 16) - if not is_little_endian: - mem_value = mem_value[::-1] # reverse byte order for big endian - return mem_value - - # Retrives all unique DLL names being imported def get_used_dlls(calls: list[dict[str, str]]) -> set[str]: res = set() 
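Review bot: The exports table is still loaded at import time from the CWD-relative path `lib/WindowsDllsExport/win10-19043-exports.json`, so importing `iat` or running it from any other directory fails with FileNotFoundError before argument parsing, which undercuts the new `argparse` interface. Anchor the path to the module, `EXPORTS_PATH = Path(__file__).resolve().parent / "lib" / "WindowsDllsExport" / "win10-19043-exports.json"` (adding `from pathlib import Path` with the other imports), or move the load into `main()` so a missing table is reported as a CLI error. The file name also pins the table to one Windows build; since the later matching in `link_func_to_dll` appears to be by export name only, a comment such as `# export-name table for Win10 19043; used for name->DLL mapping, not for address lookup` would tell the next reader whether the build has to match the tracing VM.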
@@ -42,112 +27,27 @@ def get_used_functions_from_dll(dllname, calls): return res -def patch_direct_adress_call(pe: lief.PE.Binary, rva: int, instruction_offset: int): - # We can manually patch the instruction here: FF 15 08 10 00 01 represents `call [0x01001080]` - new_value = hex_address_to_memory_representation( - hex(rva + pe.imagebase), - pe.abstract.header.is_32, - pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, - ) - pe.patch_address(instruction_offset, [0xFF, 0x15] + new_value, lief.Binary.VA_TYPES.RVA) - - -def patch_direct_adress_jump(pe: lief.PE.Binary, rva: int, instruction_offset: int): - # We can manually patch the instruction here: FF 15 08 10 00 01 represents `call [0x01001080]` - new_value = hex_address_to_memory_representation( - hex(rva + pe.imagebase), - pe.abstract.header.is_32, - pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, - ) - pe.patch_address(instruction_offset, [0xFF, 0x25] + new_value, lief.Binary.VA_TYPES.RVA) - - -def patch_instr_to_new_IAT_entry(pe: lief.PE.Binary, call: dict[str, str], rva: int): - base = pe.imagebase - instruction_offset = int(call["adress"], 16) - base - memview = pe.get_content_from_virtual_address(instruction_offset, 2) - if [memview[0], memview[1]] == [0xFF, 0x15]: - patch_direct_adress_call(pe, rva, instruction_offset) - elif [memview[0], memview[1]] == [0xFF, 0x25]: - patch_direct_adress_jump(pe, rva, instruction_offset) - - -def patch_addr_found_in_mem(pe: lief.PE.Binary, rva: int, old_addr: str): - is_32 = pe.abstract.header.is_32 - little_endian = pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE - # scan memory for reference to old addr - old_addr_mem_repr = hex_address_to_memory_representation( - old_addr, - is_32, - pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, - ) - new_addr = hex_address_to_memory_representation( - hex(rva + pe.imagebase), - is_32, - little_endian, - ) - adresses_to_patch = [] - for section in pe.sections: - for i in 
range(len(section.content)): - found = True - for j in range(len(old_addr_mem_repr)): - if i + j >= len(section.content) or section.content[i + j] != old_addr_mem_repr[j]: - found = False - break - if found: - old_addr_ref = hex_address_to_memory_representation( - hex( - section.virtual_address + i + pe.imagebase, - ), - is_32, - little_endian, - ) - for section in pe.sections: - for k in range(len(section.content)): - foundxref = True - for L in range(len(old_addr_ref)): - if k + L < len(section.content) and section.content[k + L] != old_addr_ref[L]: - foundxref = False - break - if foundxref: - adresses_to_patch.append(section.virtual_address + k) - for addr in adresses_to_patch: - print(f"patched {hex(addr)}") - pe.patch_address(addr, new_addr, lief.Binary.VA_TYPES.RVA) - - -def patch_to_new_IAT(pe: lief.PE.Binary, imp: lief.PE.Import, entry: lief.PE.ImportEntry, rva: int): - # print(f"{imp.name}!{entry.name}: 0x{rva:010x}") - for call in filter(lambda x: x["name"] == f"{imp.name.upper()}!{entry.name}", calls): - patch_instr_to_new_IAT_entry(pe, call, rva) - # patch additional non-call related info - print(entry.name) - for func in filter(lambda x: x["name"] == entry.name and x["dll"] == imp.name, procaddr_list): - # print(func["name"]) - patch_addr_found_in_mem(pe, rva, func["addr"]) - - -def get_list_of_procaddr_functions(prevwave_info): +def link_func_to_dll(func_list): res = [] - for call in prevwave_info: + for func in func_list: # first only including imported dlls res_new = {} for export in api_info: - if export["dllname"] in dll_calls_list and export["exportname"] == call["function"]: + if export["dllname"] in func and export["exportname"] == func["name"]: res_new = { "name": export["exportname"], "dll": export["dllname"], - "addr": call["func_addr"], + "addr": func["addr"], } break if res_new == {}: # try adding a new dll for export in api_info: - if export["exportname"] == call["function"]: + if export["exportname"] == func["name"]: res_new = { "name": 
export["exportname"], "dll": export["dllname"], - "addr": call["func_addr"], + "addr": func["addr"], } break if res_new != {}: 
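Review bot: The first matching pass in `link_func_to_dll` tests `export["dllname"] in func`, but `func` is the `{"name", "addr"}` dict produced by `parse_procaddr_calls`, so the test looks for a key named like `kernel32.dll` and is always false where the removed code tested `in dll_calls_list`. Every function therefore falls through to the second loop and is attributed to whichever DLL appears first in `api_info` with that export name, which may pick the wrong module for names exported by several DLLs (for example forwarded kernel32/ntdll pairs, or msvcrt vs. ucrtbase). Pass the already-imported DLL names in explicitly: `def link_func_to_dll(func_list, imported_dlls=()):` and `if export["dllname"] in imported_dlls and export["exportname"] == func["name"]:`, with the caller passing `dll_calls_list`. The resolved address in `func["addr"]` is carried through but never used to disambiguate; if the exports table has no address data that is fine, but a one-line comment saying so would avoid the question.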
@@ -155,111 +55,108 @@ def get_list_of_procaddr_functions(prevwave_info): return res -# wave dump file to patch -with open(dump_path, "rb") as f: - pe = lief.parse(f) - assert isinstance(pe, lief.PE.Binary) +def main(): + parser = argparse.ArgumentParser(prog="iat.py", description="Create a patched PE from a binary dump and a traceCFG file.") -# JSON generated with the python reader files -with open(iat_json_path, "r") as iat_json_input: - iat_data = json.load(iat_json_input) -calls: list[dict[str, str]] = iat_data["calls"] -wave_entry = int(iat_data["entry"], 16) + # Input arguments + parser.add_argument("dump", type=str, help="The path to the wave dump file") + parser.add_argument("trace", type=str, help="The path to the traceCFG file") -# create new section -patch_section = lief.PE.Section(".iatpatch") -content = [] + # Additional arguments + parser.add_argument("-o", "--output", type=str, help="Specify an output filepath for the patched PE.") + parser.add_argument("-w", "--wave", type=int, help="Specify the wave number for the binary dump (if it can't be inferred from the filename)") -# initiate registry values -reg_to_inst_code = { - "EAX": 0xC0, - "EBX": 0xC3, - "ECX": 0xC1, - "EDX": 0xC2, - "ESI": 0xC6, - "EDI": 0xC7, - "EBP": 0xC5, - # "ESP": 0xC4, -} -for reg in iat_data["entry_reg_values"].keys(): - if reg not in reg_to_inst_code: - continue - new_instruction = [ - 0xC7, - reg_to_inst_code[reg], - ] + hex_address_to_memory_representation( - iat_data["entry_reg_values"][reg].strip(), - pe.abstract.header.is_32, - pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, - ) - for byte in new_instruction: - content.append(byte) + args = parser.parse_args() + # open wave dump file + with open(args.dump, "rb") as f: + pe = lief.parse(f) + assert isinstance(pe, lief.PE.Binary) -# add ret to actual OEP + # open traceCFG json + with open(args.trace, "r") as f: + cfg = json.load(f) -content += [0x68] + hex_address_to_memory_representation( - 
hex(wave_entry), - pe.abstract.header.is_32, - pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, -) + if args.wave == None and args.dump[-5:] == ".dump": + wave = int(args.dump[-9:-5]) + else: + wave = args.wave -content += [0xC3] + calls = cfg_parser.parse_syscalls(cfg,wave) + wave_entry = cfg_parser.parse_wave_entrypoint(cfg,wave) -patch_section.content = content + # create new section + iatpatch_section = lief.PE.Section(".iatpatch") + iatpatch_content = [] -# add new section to PE -pe.add_section(patch_section) + # registers initiation + iatpatch_content += reginit.generate_reg_init_code(cfg,pe,wave,wave_entry) -# patch entrypoint -# entrypoint_format = int(hex(pe.get_section(".iatpatch").virtual_address)[-4:], 16) -entrypoint_format = int(hex(pe.get_section(".iatpatch").virtual_address)[-4:], 16) -pe.optional_header.addressof_entrypoint = entrypoint_format + # write patch section code + iatpatch_section.content = iatpatch_content # pyright: ignore[reportAttributeAccessIssue] -# remove all current imports -pe.remove_all_imports() + # add new section to PE + pe.add_section(iatpatch_section) -# recreate all DLL imports from calls detected -dll_calls_list = [] -imported_dll_list = [] -func_calls_list = [] -for dll in get_used_dlls(calls): - dll_calls_list.append(dll.lower()) - imported_dll = pe.add_import(dll.lower()) - imported_dll_list.append(imported_dll) - # recreate all function calls related to that dll import - for func in get_used_functions_from_dll(dll, calls): - func_calls_list.append(func) - imported_dll.add_entry(func) + # patch entrypoint + entrypoint_format = int(hex(pe.get_section(".iatpatch").virtual_address)[-4:], 16) + pe.optional_header.addressof_entrypoint = entrypoint_format -# get list of functions called with getprocaddr -procaddr_list = get_list_of_procaddr_functions(iat_data["prevwave_getprocaddr"]) -for func in procaddr_list: - if func["name"] in func_calls_list: # call already added - continue - if func["dll"] in 
dll_calls_list: # dll already added - imported_dll_list[dll_calls_list.index(func["dll"])].add_entry(func["name"]) - else: # we need to import the new DLL - dll_calls_list.append(func["dll"]) - imported_dll = pe.add_import(func["dll"]) + # remove all current imports + pe.remove_all_imports() + + # recreate all DLL imports from calls detected + dll_calls_list = [] + imported_dll_list = [] + func_calls_list = [] + for dll in get_used_dlls(calls): + dll_calls_list.append(dll.lower()) + imported_dll = pe.add_import(dll.lower()) imported_dll_list.append(imported_dll) - func_calls_list.append(func["name"]) - imported_dll.add_entry(func["name"]) + # recreate all function calls related to that dll import + for func in get_used_functions_from_dll(dll, calls): + func_calls_list.append(func) + imported_dll.add_entry(func) -# At this point, the new IAT will only be constructed when the PE is written. We therefore need to make a callback function to patch calls afterwards. + # get list of functions called with getprocaddr in previous wave + func_list = cfg_parser.parse_procaddr_calls(cfg, wave - 1) + func_dll_list = link_func_to_dll(func_list) + for func in func_dll_list: + if func["name"] in func_calls_list: # call already added + continue + if func["dll"] in dll_calls_list: # dll already added + imported_dll_list[dll_calls_list.index(func["dll"])].add_entry(func["name"]) + else: # we need to import the new DLL + dll_calls_list.append(func["dll"]) + imported_dll = pe.add_import(func["dll"]) + imported_dll_list.append(imported_dll) + func_calls_list.append(func["name"]) + imported_dll.add_entry(func["name"]) -# Define all sections as writeable, to help with some weird stuff we're seeing -for section in pe.sections: - section.characteristics = ( - lief.PE.Section.CHARACTERISTICS.MEM_WRITE.value - + lief.PE.Section.CHARACTERISTICS.MEM_READ.value - + lief.PE.Section.CHARACTERISTICS.MEM_EXECUTE.value - + lief.PE.Section.CHARACTERISTICS.CNT_INITIALIZED_DATA.value - ) + # At this 
point, the new IAT will only be constructed when the PE is written. We therefore need to make a callback function to patch calls afterwards. -# write result -config = lief.PE.Builder.config_t() -config.imports = True # allows the config of the writer to write a new IAT -config.resolved_iat_cbk = patch_to_new_IAT # callback after the IAT has been written -pe.write("patched.exe", config) -print("Wrote the patched executable as patched.exe") + # Define all sections as writeable, to help with some weird stuff we're seeing + for section in pe.sections: + section.characteristics = ( + lief.PE.Section.CHARACTERISTICS.MEM_WRITE.value + + lief.PE.Section.CHARACTERISTICS.MEM_READ.value + + lief.PE.Section.CHARACTERISTICS.MEM_EXECUTE.value + + lief.PE.Section.CHARACTERISTICS.CNT_INITIALIZED_DATA.value + ) + + # write result + config = lief.PE.Builder.config_t() + config.imports = True # allows the config of the writer to write a new IAT + + def patching_callback(pe: lief.PE.Binary, imp: lief.PE.Import, entry: lief.PE.ImportEntry, rva: int): + for call in filter(lambda x: x["name"] == f"{imp.name.upper()}!{entry.name}", calls): + patch.patch_instr_to_new_IAT_entry(pe, call, rva) + # patch additional non-call related info + for func in filter(lambda x: x["name"] == entry.name and x["dll"] == imp.name, func_dll_list): + patch.patch_addr_found_in_mem(pe, rva, func["addr"]) + config.resolved_iat_cbk = patching_callback # callback after the IAT has been written + pe.write("patched.exe" if args.output == None else args.output, config) + print("Wrote the patched executable as patched.exe") + +if __name__ == "__main__": + main() diff --git a/patch.py b/patch.py new file mode 100644 index 0000000..6ff47ac --- /dev/null +++ b/patch.py 
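Review bot: `entrypoint_format = int(hex(pe.get_section(".iatpatch").virtual_address)[-4:], 16)` keeps only the low 16 bits of the new section's RVA, so once `.iatpatch` is placed at or above RVA 0x10000 (plausible for the second sample, whose traced call sites around 0x419xxx suggest a 0x400000 base and more than 0x19000 of image before the new section) the entry point lands somewhere inside the original image instead of the stub; use the RVA directly, `pe.optional_header.addressof_entrypoint = pe.get_section(".iatpatch").virtual_address`. The wave inference `wave = int(args.dump[-9:-5])` only covers names of the form `wave-NNNN.dump`; when `--wave` is absent and the name does not match, `wave` stays `None` and the failure shows up much later as an empty node list, so call `parser.error("cannot infer the wave number from the dump filename, pass --wave")` at that point (and compare with `is None` rather than `== None`). The loop that overwrites every section's characteristics with MEM_READ|MEM_WRITE|MEM_EXECUTE discards the dump's original flags and emits a fully RWX image; given that the input is a dump of a packed and possibly malicious sample, the docstring or README should state that `patched.exe` is an analysis artifact to be executed only in an isolated VM, and the flags should be left untouched unless the "weird stuff" is named. The closing `print` always reports `patched.exe` even when `-o` was given; bind `out_path = args.output or "patched.exe"` once and use it in both the write and the message.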
@@ -0,0 +1,74 @@ +from utils import hex_address_to_memory_representation +import lief + +def patch_direct_adress_call(pe: lief.PE.Binary, rva: int, instruction_offset: int): + # We can manually patch the instruction here: FF 15 08 10 00 01 represents `call [0x01001080]` + new_value = hex_address_to_memory_representation( + hex(rva + pe.imagebase), + pe.abstract.header.is_32, + pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, + ) + pe.patch_address(instruction_offset, [0xFF, 0x15] + new_value, lief.Binary.VA_TYPES.RVA) + + +def patch_direct_adress_jump(pe: lief.PE.Binary, rva: int, instruction_offset: int): + # We can manually patch the instruction here: FF 15 08 10 00 01 represents `call [0x01001080]` + new_value = hex_address_to_memory_representation( + hex(rva + pe.imagebase), + pe.abstract.header.is_32, + pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, + ) + pe.patch_address(instruction_offset, [0xFF, 0x25] + new_value, lief.Binary.VA_TYPES.RVA) + + +def patch_instr_to_new_IAT_entry(pe: lief.PE.Binary, call: dict[str, str], rva: int): + base = pe.imagebase + instruction_offset = int(call["adress"], 16) - base + memview = pe.get_content_from_virtual_address(instruction_offset, 2) + if [memview[0], memview[1]] == [0xFF, 0x15]: + patch_direct_adress_call(pe, rva, instruction_offset) + elif [memview[0], memview[1]] == [0xFF, 0x25]: + patch_direct_adress_jump(pe, rva, instruction_offset) + + +def patch_addr_found_in_mem(pe: lief.PE.Binary, rva: int, old_addr: str): + is_32 = pe.abstract.header.is_32 + little_endian = pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE + # scan memory for reference to old addr + old_addr_mem_repr = hex_address_to_memory_representation( + old_addr, + is_32, + pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, + ) + new_addr = hex_address_to_memory_representation( + hex(rva + pe.imagebase), + is_32, + little_endian, + ) + adresses_to_patch = [] + for section in pe.sections: + for i 
in range(len(section.content)): + found = True + for j in range(len(old_addr_mem_repr)): + if i + j >= len(section.content) or section.content[i + j] != old_addr_mem_repr[j]: + found = False + break + if found: + old_addr_ref = hex_address_to_memory_representation( + hex( + section.virtual_address + i + pe.imagebase, + ), + is_32, + little_endian, + ) + for section in pe.sections: + for k in range(len(section.content)): + foundxref = True + for L in range(len(old_addr_ref)): + if k + L < len(section.content) and section.content[k + L] != old_addr_ref[L]: + foundxref = False + break + if foundxref: + adresses_to_patch.append(section.virtual_address + k) + for addr in adresses_to_patch: + pe.patch_address(addr, new_addr, lief.Binary.VA_TYPES.RVA) diff --git a/reginit.py b/reginit.py new file mode 100644 index 0000000..c846d6c --- /dev/null +++ b/reginit.py @@ -0,0 +1,42 @@ +import lief +import cfg_parser +from utils import hex_address_to_memory_representation + +def generate_reg_init_code(cfg, pe: lief.PE.Binary,wave:int, wave_entry: int) -> list[int]: + code = [] + # initiate registry values + reg_to_inst_code = { + "EAX": 0xC0, + "EBX": 0xC3, + "ECX": 0xC1, + "EDX": 0xC2, + "ESI": 0xC6, + "EDI": 0xC7, + "EBP": 0xC5, + # "ESP": 0xC4, + } + reg_values = cfg_parser.parse_bb_registers(cfg, wave, 0) + for reg in reg_values: + if reg not in reg_to_inst_code: + continue + new_instruction = [ + 0xC7, + reg_to_inst_code[reg], + ] + hex_address_to_memory_representation( + reg_values[reg].strip(), + pe.abstract.header.is_32, + pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, + ) + for byte in new_instruction: + code.append(byte) + + # add ret to actual OEP + code += [0x68] + hex_address_to_memory_representation( + hex(wave_entry), + pe.abstract.header.is_32, + pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, + ) # push addr + + code += [0xC3] # ret + + return code 
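Review bot: In `patch_addr_found_in_mem` the cross-reference scan uses `if k + L < len(section.content) and section.content[k + L] != old_addr_ref[L]`, the inverse of the bound in the first scan, so once `k + L` runs past the end of a section no mismatch is ever recorded and `foundxref` stays true: the last few byte offsets of every section are reported as references and overwritten with `new_addr`, corrupting unrelated data. The inner `for section in pe.sections:` also rebinds the outer loop's `section`, so after the first match the remaining `i` iterations index `section.content` and compute `section.virtual_address` against the last section rather than the one being scanned. Both scans compare byte-by-byte in Python; using `bytes.find` with a distinct name for the inner section fixes the bound and the shadowing at once, as sketched below. `patch_instr_to_new_IAT_entry` silently does nothing when the two bytes at the call site are not `FF 15`/`FF 25` (register-indirect calls, `E8` calls through a thunk), leaving the instruction pointing at the dump-time absolute address; at minimum print the unpatched site so a broken rebuild can be diagnosed, and note in a comment that `memview` is assumed to hold at least two bytes.

```python
    # … unchanged: is_32 / little_endian / old_addr_mem_repr / new_addr construction …
    old_bytes = bytes(old_addr_mem_repr)
    adresses_to_patch = []
    for section in pe.sections:
        content = bytes(section.content)
        i = content.find(old_bytes)
        while i != -1:
            # VA of this copy of old_addr; anything pointing at it must be redirected
            old_addr_ref = bytes(hex_address_to_memory_representation(
                hex(section.virtual_address + i + pe.imagebase), is_32, little_endian))
            for xref_section in pe.sections:
                xref_content = bytes(xref_section.content)
                k = xref_content.find(old_addr_ref)
                while k != -1:
                    adresses_to_patch.append(xref_section.virtual_address + k)
                    k = xref_content.find(old_addr_ref, k + 1)
            i = content.find(old_bytes, i + 1)
    # … unchanged: patch_address loop over adresses_to_patch …
```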
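Review bot: `generate_reg_init_code` hard-codes 32-bit `C7 /0 imm32` encodings and a `push imm32; ret` trampoline, yet sizes each immediate with `pe.abstract.header.is_32`, so on a 64-bit dump `hex_address_to_memory_representation` returns 8 bytes and the stub becomes malformed machine code instead of failing. Add a guard at the top: `if not pe.abstract.header.is_32: raise ValueError("register-init stub only supports 32-bit PE dumps")`. The register snapshot comes from `parse_bb_registers(cfg, wave, 0)`, i.e. the first node of that wave in file order; if the trace format does not guarantee that order equals execution order, selecting the node whose `start` equals `wave_entry` would be safer, and either choice deserves a comment. A short docstring would also help: the function emits `mov reg, imm32` for EAX/EBX/ECX/EDX/ESI/EDI/EBP from the trace snapshot, deliberately skips ESP and does not restore eflags, then transfers control to `wave_entry` via `push`/`ret`, and it returns the raw byte list for the `.iatpatch` section.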
diff --git a/rsc/000155f2e0360f6ff6cd.exe_iat_wave2.json b/rsc/000155f2e0360f6ff6cd.exe_iat_wave2.json
deleted file mode 100644
index 8a1c93e..0000000
--- a/rsc/000155f2e0360f6ff6cd.exe_iat_wave2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"entry": "0x40835b", "calls": [{"adress": "0x408269", "name": "KERNEL32.DLL!GetVersion"}, {"adress": "0x40c329", "name": "KERNEL32.DLL!HeapCreate"}, {"adress": "0x40d1fd", "name": "NTDLL.DLL!RtlAllocateHeap"}, {"adress": "0x40b00c", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x40b014", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x40b01c", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x40b024", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x40adc2", "name": "KERNEL32.DLL!TlsAlloc"}, {"adress": "0x40d8e9", "name": "NTDLL.DLL!RtlAllocateHeap"}, {"adress": "0x40d903", "name": "KERNEL32.DLL!VirtualAlloc"}, {"adress": "0x40d98f", "name": "KERNEL32.DLL!VirtualAlloc"}, {"adress": "0x40b102", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x40adea", "name": "KERNEL32.DLL!TlsSetValue"}, {"adress": "0x40adfb", "name": "KERNEL32.DLL!GetCurrentThreadId"}, {"adress": "0x4082c0", "name": "KERNEL32.DLL!GetCommandLineA"}, {"adress": "0x40c201", "name": "KERNEL32.DLL!GetEnvironmentStringsW"}, {"adress": "0x40c279", "name": "KERNEL32.DLL!WideCharToMultiByte"}, {"adress": "0x408cc1", "name": "NTDLL.DLL!RtlAllocateHeap"}, {"adress": "0x40c29b", "name": "KERNEL32.DLL!WideCharToMultiByte"}, {"adress": "0x40c2b4", "name": "KERNEL32.DLL!FreeEnvironmentStringsW"}, {"adress": "0x40bd2e", "name": "KERNEL32.DLL!GetStartupInfoA"}, {"adress": "0x40be4a", "name": "KERNEL32.DLL!GetFileType"}, {"adress": "0x40be3c", "name": "KERNEL32.DLL!GetStdHandle"}, {"adress": "0x40be81", "name": "KERNEL32.DLL!SetHandleCount"}, {"adress": "0x40b0d1", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x40b0ec", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x409ef9", "name": "KERNEL32.DLL!GetACP"}, {"adress": "0x409d6e", "name": "KERNEL32.DLL!GetCPInfo"}, {"adress": "0x409f84", "name": "KERNEL32.DLL!GetCPInfo"}, {"adress": "0x40d067", "name": "KERNEL32.DLL!GetStringTypeW"}, {"adress": 
"0x40d0ed", "name": "KERNEL32.DLL!MultiByteToWideChar"}, {"adress": "0x40d143", "name": "KERNEL32.DLL!MultiByteToWideChar"}, {"adress": "0x40d155", "name": "KERNEL32.DLL!GetStringTypeW"}, {"adress": "0x40b9ed", "name": "KERNEL32.DLL!LCMapStringW"}, {"adress": "0x40ba8a", "name": "KERNEL32.DLL!MultiByteToWideChar"}, {"adress": "0x40bae2", "name": "KERNEL32.DLL!MultiByteToWideChar"}, {"adress": "0x40baf8", "name": "KERNEL32.DLL!LCMapStringW"}, {"adress": "0x40bb93", "name": "KERNEL32.DLL!LCMapStringW"}, {"adress": "0x40bbb8", "name": "KERNEL32.DLL!WideCharToMultiByte"}, {"adress": "0x40bfbc", "name": "KERNEL32.DLL!GetModuleFileNameA"}, {"adress": "0x408d0a", "name": "KERNEL32.DLL!HeapFree"}, {"adress": "0x40b3d1", "name": "KERNEL32.DLL!GetModuleHandleA"}, {"adress": "0x40b3e1", "name": "KERNEL32.DLL!GetProcAddress"}, {"adress": "0x40b3ed", "name": "KERNEL32.DLL!IsProcessorFeaturePresent"}, {"adress": "0x40de75", "name": "NTDLL.DLL!RtlAllocateHeap"}, {"adress": "0x40d1bc", "name": "KERNEL32.DLL!SetUnhandledExceptionFilter"}, {"adress": "0x406e40", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x417c47", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x418173", "name": "USER32.DLL!GetCursorPos"}, {"adress": "0x4183eb", "name": "KERNEL32.DLL!TlsAlloc"}, {"adress": "0x418401", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x418471", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x4184c6", "name": "KERNEL32.DLL!GlobalAlloc"}, {"adress": "0x41851d", "name": "KERNEL32.DLL!GlobalLock"}, {"adress": "0x418566", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x41839e", "name": "KERNEL32.DLL!LocalAlloc"}, {"adress": "0x4185dc", "name": "KERNEL32.DLL!TlsGetValue"}, {"adress": "0x41862b", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x41863e", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x418654", "name": "KERNEL32.DLL!LocalAlloc"}, {"adress": "0x4186a2", "name": 
"KERNEL32.DLL!TlsSetValue"}, {"adress": "0x418f2b", "name": "KERNEL32.DLL!GetVersion"}, {"adress": "0x418f50", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x418fe6", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x418ff8", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x419001", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x419033", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x418666", "name": "KERNEL32.DLL!LocalReAlloc"}, {"adress": "0x417e13", "name": "KERNEL32.DLL!GetCurrentThread"}, {"adress": "0x417e1c", "name": "KERNEL32.DLL!GetCurrentThreadId"}, {"adress": "0x418849", "name": "KERNEL32.DLL!TlsGetValue"}, {"adress": "0x413cce", "name": "USER32.DLL!RegisterClipboardFormatA"}, {"adress": "0x4194a6", "name": "KERNEL32.DLL!GetVersion"}, {"adress": "0x4194e3", "name": "KERNEL32.DLL!GetProcessVersion"}, {"adress": "0x416321", "name": "USER32.DLL!GetSystemMetrics"}, {"adress": "0x416328", "name": "USER32.DLL!GetSystemMetrics"}, {"adress": "0x419461", "name": "USER32.DLL!GetSystemMetrics"}, {"adress": "0x41946b", "name": "USER32.DLL!GetSystemMetrics"}, {"adress": "0x416341", "name": "USER32.DLL!GetDC"}, {"adress": "0x416352", "name": "GDI32.DLL!GetDeviceCaps"}, {"adress": "0x41635a", "name": "GDI32.DLL!GetDeviceCaps"}, {"adress": "0x416362", "name": "USER32.DLL!ReleaseDC"}, {"adress": "0x4162dc", "name": "USER32.DLL!GetSysColor"}, {"adress": "0x4162e3", "name": "USER32.DLL!GetSysColor"}, {"adress": "0x4162ea", "name": "USER32.DLL!GetSysColor"}, {"adress": "0x4162f1", "name": "USER32.DLL!GetSysColor"}, {"adress": "0x4162f8", "name": "USER32.DLL!GetSysColor"}, {"adress": "0x416305", "name": "USER32.DLL!GetSysColorBrush"}, {"adress": "0x41630c", "name": "USER32.DLL!GetSysColorBrush"}, {"adress": "0x419511", "name": "USER32.DLL!LoadCursorA"}, {"adress": "0x41951c", "name": "USER32.DLL!LoadCursorA"}, {"adress": "0x41960b", "name": "KERNEL32.DLL!GetOEMCP"}, {"adress": "0x419612", "name": 
"KERNEL32.DLL!GetCPInfo"}, {"adress": "0x418d4b", "name": "KERNEL32.DLL!SetErrorMode"}, {"adress": "0x418d52", "name": "KERNEL32.DLL!SetErrorMode"}, {"adress": "0x418dd6", "name": "KERNEL32.DLL!GetModuleFileNameA"}, {"adress": "0x418f0b", "name": "KERNEL32.DLL!lstrcpyn"}, {"adress": "0x413b53", "name": "USER32.DLL!LoadStringA"}, {"adress": "0x418e77", "name": "KERNEL32.DLL!lstrcpy"}, {"adress": "0x418ea4", "name": "KERNEL32.DLL!lstrcat"}, {"adress": "0x419013", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x410d4c", "name": "WS2_32.DLL!WSAStartup"}, {"adress": "0x4186df", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x41870d", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x4083cf", "name": "NTDLL.DLL!ntdll_Offset_39930"}, {"adress": "0x4187b9", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x4183c0", "name": "KERNEL32.DLL!LocalFree"}, {"adress": "0x418775", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x418785", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x41878e", "name": "KERNEL32.DLL!LocalFree"}, {"adress": "0x4187a4", "name": "KERNEL32.DLL!TlsSetValue"}, {"adress": "0x4187ff", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x418f83", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x418f95", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x418417", "name": "KERNEL32.DLL!TlsFree"}, {"adress": "0x41843f", "name": "KERNEL32.DLL!GlobalHandle"}, {"adress": "0x418448", "name": "KERNEL32.DLL!GlobalUnlock"}, {"adress": "0x41844f", "name": "KERNEL32.DLL!GlobalFree"}, {"adress": "0x418459", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x406e68", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x406e7f", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x406e58", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x417ca8", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x40d1ce", "name": 
"KERNEL32.DLL!SetUnhandledExceptionFilter"}, {"adress": "0x40b05c", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x40b077", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x40b07f", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x40b087", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x40b08f", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x40ae20", "name": "KERNEL32.DLL!TlsFree"}, {"adress": "0x40c382", "name": "KERNEL32.DLL!VirtualFree"}, {"adress": "0x40c38d", "name": "KERNEL32.DLL!VirtualFree"}, {"adress": "0x40c39a", "name": "KERNEL32.DLL!HeapFree"}, {"adress": "0x40c3b8", "name": "KERNEL32.DLL!HeapFree"}, {"adress": "0x40c3c0", "name": "KERNEL32.DLL!HeapDestroy"}]} \ No newline at end of file diff --git a/rsc/upx-hostname.exe.bin_iat_wave1.json b/rsc/upx-hostname.exe.bin_iat_wave1.json deleted file mode 100644 index fd637b7..0000000 --- a/rsc/upx-hostname.exe.bin_iat_wave1.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "entry": "0x10011d7", - "calls": [ - { "adress": "0x10011e6", "name": "KERNEL32.DLL!GetModuleHandleA" }, - { "adress": "0x1001243", "name": "MSVCRT.DLL!__set_app_type" }, - { "adress": "0x1001258", "name": "MSVCRT.DLL!__p__fmode" }, - { "adress": "0x1001266", "name": "MSVCRT.DLL!__p__commode" }, - { "adress": "0x10013be", "name": "MSVCRT.DLL!_controlfp" }, - { "adress": "0x1001358", "name": "MSVCRT.DLL!_initterm" }, - { "adress": "0x10012cb", "name": "MSVCRT.DLL!__getmainargs" }, - { "adress": "0x10010f2", "name": "WS2_32.DLL!WSAStartup" }, - { "adress": "0x1001160", "name": "WS2_32.DLL!gethostname" }, - { "adress": "0x10011ba", "name": "USER32.DLL!CharToOemBuffA" }, - { "adress": "0x10011c7", "name": "MSVCRT.DLL!puts" }, - { "adress": "0x10011d0", "name": "MSVCRT.DLL!exit" } - ], - "entry_reg_values": { - "EAX": "0x000cff0c ", - "EBX": "0x7efde000 ", - "ECX": "0x00000000 ", - "EDX": "0x010058c0", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff94 ", - "ESP": "0x000cff8c", - "eflags": "0x00000203" - }, - "prevwave_getprocaddr": [ - { "function": "FormatMessageA", "func_addr": "0x75985fbd" }, - { "function": "LocalFree", "func_addr": "0x75962d3c" }, - { "function": "GetModuleHandleA", "func_addr": "0x75961245" }, - { "function": "GetLastError", "func_addr": "0x759611c0" }, - { "function": "__p__commode", "func_addr": "0x752c27c3" }, - { "function": "__p__fmode", "func_addr": "0x752c27ce" }, - { "function": "__set_app_type", "func_addr": "0x752c2804" }, - { "function": "_controlfp", "func_addr": "0x752be1e1" }, - { "function": "_cexit", "func_addr": "0x752c37d4" }, - { "function": "_adjust_fdiv", "func_addr": "0x753532ec" }, - { "function": "_except_handler3", "func_addr": "0x752dd770" }, - { "function": "_XcptFilter", "func_addr": "0x752ddc75" }, - { "function": "_exit", "func_addr": "0x7531b2c0" }, - { "function": "_c_exit", "func_addr": "0x7531b2db" }, - { "function": "__setusermatherr", "func_addr": "0x753477ad" }, - { 
"function": "_initterm", "func_addr": "0x752bc151" }, - { "function": "__getmainargs", "func_addr": "0x752c2bc0" }, - { "function": "__initenv", "func_addr": "0x753504e8" }, - { "function": "_write", "func_addr": "0x752c4078" }, - { "function": "strchr", "func_addr": "0x752bdbeb" }, - { "function": "puts", "func_addr": "0x75328d04" }, - { "function": "exit", "func_addr": "0x752c36aa" }, - { "function": "s_perror", "func_addr": "0x6c8a1be4" }, - { "function": "CharToOemBuffA", "func_addr": "0x76aeb1b0" } - ] -} diff --git a/rsc/wave-0002.dump b/rsc/wave-0002.dump deleted file mode 100644 index 02d5480..0000000 Binary files a/rsc/wave-0002.dump and /dev/null differ diff --git a/testfiles/upx-hostname/upx-hostname.exe.bin_traceCFG.json b/testfiles/upx-hostname/upx-hostname.exe.bin_traceCFG.json new file mode 100644 index 0000000..2a60714 --- /dev/null +++ b/testfiles/upx-hostname/upx-hostname.exe.bin_traceCFG.json 
@@ -0,0 +1,2975 @@ +{ + "nodes": [ + { + "index": 0, + "start": "0x10058c0", + "end": "0x10058d1", + "last_instr": "0x10058d0", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "60", "mnemonic": "pushal " }, + { + "offset": 1, + "opcode": "be00500001", + "mnemonic": "mov esi, 0x1005000" + }, + { + "offset": 6, + "opcode": "8dbe00c0ffff", + "mnemonic": "lea edi, [esi - 0x4000]" + }, + { "offset": 12, "opcode": "57", "mnemonic": "push edi" }, + { "offset": 13, "opcode": "83cdff", "mnemonic": "or ebp, 0xffffffff" }, + { "offset": 16, "opcode": "eb10", "mnemonic": "jmp 0x10058e2" } + ], + "registers": { + "EAX": "0x759633b8 ", + "EBX": "0x7efde000 ", + "ECX": "0x00000000 ", + "EDX": "0x010058c0", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff94 ", + "ESP": "0x000cff8c", + "eflags": "0x00000246" + }, + "type": "jmp" + }, + { + "index": 1, + "start": "0x10058e2", + "end": "0x10058e8", + "last_instr": "0x10058e7", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "8b1e", + "mnemonic": "mov ebx, dword ptr [esi]" + }, + { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, + { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" } + ], + "type": "seq" + }, + { + "index": 2, + "start": "0x10058d8", + "end": "0x10058dd", + "last_instr": "0x10058dd", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "8a06", "mnemonic": "mov al, byte ptr [esi]" }, + { "offset": 2, "opcode": "46", "mnemonic": "inc esi" }, + { "offset": 3, "opcode": "8807", "mnemonic": "mov byte ptr [edi], al" }, + { "offset": 5, "opcode": "47", "mnemonic": "inc edi" } + ], + "type": "seq" + }, + { + "index": 3, + "start": "0x10058e9", + "end": "0x10058ea", + "last_instr": "0x10058e9", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "72ed", "mnemonic": "jb 0x10058d8" } + ], + "type": "jcc" + }, + { + "index": 4, + "start": "0x10058eb", + "end": "0x10058ef", + "last_instr": "0x10058eb", + "wave": 0, + "instructions": [ + { "offset": 
0, "opcode": "b801000000", "mnemonic": "mov eax, 1" } + ], + "type": "seq" + }, + { + "index": 5, + "start": "0x1005901", + "end": "0x1005902", + "last_instr": "0x1005901", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "7509", "mnemonic": "jne 0x100590c" } + ], + "registers": { + "EAX": "0x00000002 ", + "EBX": "0x0881f9b8 ", + "ECX": "0x00000000 ", + "EDX": "0x010058c0", + "ESI": "0x01005005 ", + "EDI": "0x01001001 ", + "EBP": "0xffffffff ", + "ESP": "0x000cff68", + "eflags": "0x00000a17" + }, + "type": "jcc" + }, + { + "index": 6, + "start": "0x100590c", + "end": "0x1005912", + "last_instr": "0x1005911", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "31c9", "mnemonic": "xor ecx, ecx" }, + { "offset": 2, "opcode": "83e803", "mnemonic": "sub eax, 3" }, + { "offset": 5, "opcode": "720d", "mnemonic": "jb 0x1005920" } + ], + "registers": { + "EAX": "0x00000002 ", + "EBX": "0x0881f9b8 ", + "ECX": "0x00000000 ", + "EDX": "0x010058c0", + "ESI": "0x01005005 ", + "EDI": "0x01001001 ", + "EBP": "0xffffffff ", + "ESP": "0x000cff68", + "eflags": "0x00000a17" + }, + "type": "jcc" + }, + { + "index": 7, + "start": "0x100593c", + "end": "0x100593c", + "last_instr": "0x100593c", + "wave": 0, + "instructions": [{ "offset": 0, "opcode": "41", "mnemonic": "inc ecx" }], + "type": "seq" + }, + { + "index": 8, + "start": "0x100594e", + "end": "0x100594f", + "last_instr": "0x100594e", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "7509", "mnemonic": "jne 0x1005959" } + ], + "registers": { + "EAX": "0xffffffff ", + "EBX": "0xf9b80000 ", + "ECX": "0x000000a8 ", + "EDX": "0x010058c0", + "ESI": "0x01005005 ", + "EDI": "0x01001001 ", + "EBP": "0xffffffff ", + "ESP": "0x000cff68", + "eflags": "0x00000287" + }, + "type": "jcc" + }, + { + "index": 9, + "start": "0x1005959", + "end": "0x100595b", + "last_instr": "0x1005959", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "83c102", "mnemonic": "add ecx, 2" } + ], + "type": "seq" + }, + { + 
"index": 10, + "start": "0x100596d", + "end": "0x1005975", + "last_instr": "0x1005974", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "8a02", "mnemonic": "mov al, byte ptr [edx]" }, + { "offset": 2, "opcode": "42", "mnemonic": "inc edx" }, + { "offset": 3, "opcode": "8807", "mnemonic": "mov byte ptr [edi], al" }, + { "offset": 5, "opcode": "47", "mnemonic": "inc edi" }, + { "offset": 6, "opcode": "49", "mnemonic": "dec ecx" }, + { "offset": 7, "opcode": "75f7", "mnemonic": "jne 0x100596d" } + ], + "registers": { + "EAX": "0xffffffff ", + "EBX": "0xf9b80000 ", + "ECX": "0x000000ab ", + "EDX": "0x01001000", + "ESI": "0x01005005 ", + "EDI": "0x01001001 ", + "EBP": "0xffffffff ", + "ESP": "0x000cff68", + "eflags": "0x00000206" + }, + "type": "jcc" + }, + { + "index": 11, + "start": "0x1005976", + "end": "0x100597a", + "last_instr": "0x1005976", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "e963ffffff", "mnemonic": "jmp 0x10058de" } + ], + "registers": { + "EAX": "0xffffff00 ", + "EBX": "0xf9b80000 ", + "ECX": "0x00000000 ", + "EDX": "0x010010ab", + "ESI": "0x01005005 ", + "EDI": "0x010010ac ", + "EBP": "0xffffffff ", + "ESP": "0x000cff68", + "eflags": "0x00000246" + }, + "type": "jmp" + }, + { + "index": 12, + "start": "0x1005913", + "end": "0x100591d", + "last_instr": "0x100591c", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "c1e008", "mnemonic": "shl eax, 8" }, + { "offset": 3, "opcode": "8a06", "mnemonic": "mov al, byte ptr [esi]" }, + { "offset": 5, "opcode": "46", "mnemonic": "inc esi" }, + { "offset": 6, "opcode": "83f0ff", "mnemonic": "xor eax, 0xffffffff" }, + { "offset": 9, "opcode": "7474", "mnemonic": "je 0x1005992" } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0xbdff37e0 ", + "ECX": "0x00000000 ", + "EDX": "0x010010b3", + "ESI": "0x01005013 ", + "EDI": "0x010010b9 ", + "EBP": "0xffffffff ", + "ESP": "0x000cff68", + "eflags": "0x00000246" + }, + "type": "jcc" + }, + { + "index": 13, + "start": 
"0x100591e", + "end": "0x100591f", + "last_instr": "0x100591e", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "89c5", "mnemonic": "mov ebp, eax" } + ], + "type": "seq" + }, + { + "index": 14, + "start": "0x100597c", + "end": "0x100598a", + "last_instr": "0x1005989", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "8b02", + "mnemonic": "mov eax, dword ptr [edx]" + }, + { "offset": 2, "opcode": "83c204", "mnemonic": "add edx, 4" }, + { + "offset": 5, + "opcode": "8907", + "mnemonic": "mov dword ptr [edi], eax" + }, + { "offset": 7, "opcode": "83c704", "mnemonic": "add edi, 4" }, + { "offset": 10, "opcode": "83e904", "mnemonic": "sub ecx, 4" }, + { "offset": 13, "opcode": "77f1", "mnemonic": "ja 0x100597c" } + ], + "registers": { + "EAX": "0xfffffffc ", + "EBX": "0xf7fcdf80 ", + "ECX": "0x00000003 ", + "EDX": "0x010010b5", + "ESI": "0x01005014 ", + "EDI": "0x010010b9 ", + "EBP": "0xfffffffc ", + "ESP": "0x000cff68", + "eflags": "0x00000246" + }, + "type": "jcc" + }, + { + "index": 15, + "start": "0x100598b", + "end": "0x1005991", + "last_instr": "0x100598d", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "01cf", "mnemonic": "add edi, ecx" }, + { "offset": 2, "opcode": "e94cffffff", "mnemonic": "jmp 0x10058de" } + ], + "registers": { + "EAX": "0x2c010013 ", + "EBX": "0xf7fcdf80 ", + "ECX": "0xffffffff ", + "EDX": "0x010010b9", + "ESI": "0x01005014 ", + "EDI": "0x010010bd ", + "EBP": "0xfffffffc ", + "ESP": "0x000cff68", + "eflags": "0x00000297" + }, + "type": "jmp" + }, + { + "index": 16, + "start": "0x10058de", + "end": "0x10058e1", + "last_instr": "0x10058e0", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "01db", "mnemonic": "add ebx, ebx" }, + { "offset": 2, "opcode": "7507", "mnemonic": "jne 0x10058e9" } + ], + "type": "jcc" + }, + { + "index": 17, + "start": "0x10058f4", + "end": "0x10058fa", + "last_instr": "0x10058f9", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "8b1e", + "mnemonic": 
"mov ebx, dword ptr [esi]" + }, + { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, + { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" } + ], + "type": "seq" + }, + { + "index": 18, + "start": "0x10058fb", + "end": "0x1005900", + "last_instr": "0x10058ff", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "11c0", "mnemonic": "adc eax, eax" }, + { "offset": 2, "opcode": "01db", "mnemonic": "add ebx, ebx" }, + { "offset": 4, "opcode": "73ef", "mnemonic": "jae 0x10058f0" } + ], + "type": "jcc" + }, + { + "index": 19, + "start": "0x1005950", + "end": "0x1005958", + "last_instr": "0x1005957", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "8b1e", + "mnemonic": "mov ebx, dword ptr [esi]" + }, + { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, + { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" }, + { "offset": 7, "opcode": "73e4", "mnemonic": "jae 0x100593d" } + ], + "registers": { + "EAX": "0xffffffff ", + "EBX": "0x00000000 ", + "ECX": "0x00000005 ", + "EDX": "0x01001105", + "ESI": "0x010050ae ", + "EDI": "0x01001173 ", + "EBP": "0xffffff93 ", + "ESP": "0x000cff68", + "eflags": "0x00000a47" + }, + "type": "jcc" + }, + { + "index": 20, + "start": "0x1005924", + "end": "0x100592a", + "last_instr": "0x1005929", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "8b1e", + "mnemonic": "mov ebx, dword ptr [esi]" + }, + { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, + { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" } + ], + "type": "seq" + }, + { + "index": 21, + "start": "0x100592b", + "end": "0x1005930", + "last_instr": "0x100592f", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "11c9", "mnemonic": "adc ecx, ecx" }, + { "offset": 2, "opcode": "01db", "mnemonic": "add ebx, ebx" }, + { "offset": 4, "opcode": "7507", "mnemonic": "jne 0x1005938" } + ], + "type": "jcc" + }, + { + "index": 22, + "start": "0x1005931", + "end": "0x1005937", + 
"last_instr": "0x1005936", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "8b1e", + "mnemonic": "mov ebx, dword ptr [esi]" + }, + { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, + { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" } + ], + "type": "seq" + }, + { + "index": 23, + "start": "0x1005938", + "end": "0x100593b", + "last_instr": "0x100593a", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "11c9", "mnemonic": "adc ecx, ecx" }, + { "offset": 2, "opcode": "7520", "mnemonic": "jne 0x100595c" } + ], + "type": "jcc" + }, + { + "index": 24, + "start": "0x1005903", + "end": "0x100590b", + "last_instr": "0x100590a", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "8b1e", + "mnemonic": "mov ebx, dword ptr [esi]" + }, + { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, + { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" }, + { "offset": 7, "opcode": "73e4", "mnemonic": "jae 0x10058f0" } + ], + "registers": { + "EAX": "0x00000002 ", + "EBX": "0x00000000 ", + "ECX": "0xfffffffd ", + "EDX": "0x010011bf", + "ESI": "0x010050dd ", + "EDI": "0x010011ca ", + "EBP": "0xfffffff3 ", + "ESP": "0x000cff68", + "eflags": "0x00000a47" + }, + "type": "jcc" + }, + { + "index": 25, + "start": "0x10058f0", + "end": "0x10058f3", + "last_instr": "0x10058f2", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "01db", "mnemonic": "add ebx, ebx" }, + { "offset": 2, "opcode": "7507", "mnemonic": "jne 0x10058fb" } + ], + "type": "jcc" + }, + { + "index": 26, + "start": "0x1005941", + "end": "0x1005947", + "last_instr": "0x1005946", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "8b1e", + "mnemonic": "mov ebx, dword ptr [esi]" + }, + { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, + { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" } + ], + "type": "seq" + }, + { + "index": 27, + "start": "0x1005948", + "end": "0x100594d", + "last_instr": "0x100594c", 
+ "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "11c9", "mnemonic": "adc ecx, ecx" }, + { "offset": 2, "opcode": "01db", "mnemonic": "add ebx, ebx" }, + { "offset": 4, "opcode": "73ef", "mnemonic": "jae 0x100593d" } + ], + "type": "jcc" + }, + { + "index": 28, + "start": "0x100593d", + "end": "0x1005940", + "last_instr": "0x100593f", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "01db", "mnemonic": "add ebx, ebx" }, + { "offset": 2, "opcode": "7507", "mnemonic": "jne 0x1005948" } + ], + "type": "jcc" + }, + { + "index": 29, + "start": "0x1005920", + "end": "0x1005923", + "last_instr": "0x1005922", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "01db", "mnemonic": "add ebx, ebx" }, + { "offset": 2, "opcode": "7507", "mnemonic": "jne 0x100592b" } + ], + "type": "jcc" + }, + { + "index": 30, + "start": "0x100595c", + "end": "0x100596c", + "last_instr": "0x100596b", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "81fd00f3ffff", + "mnemonic": "cmp ebp, 0xfffff300" + }, + { "offset": 6, "opcode": "83d101", "mnemonic": "adc ecx, 1" }, + { "offset": 9, "opcode": "8d142f", "mnemonic": "lea edx, [edi + ebp]" }, + { "offset": 12, "opcode": "83fdfc", "mnemonic": "cmp ebp, -4" }, + { "offset": 15, "opcode": "760f", "mnemonic": "jbe 0x100597c" } + ], + "type": "jcc" + }, + { + "index": 31, + "start": "0x1005992", + "end": "0x100599e", + "last_instr": "0x100599d", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "5e", "mnemonic": "pop esi" }, + { "offset": 1, "opcode": "89f7", "mnemonic": "mov edi, esi" }, + { "offset": 3, "opcode": "b913000000", "mnemonic": "mov ecx, 0x13" }, + { "offset": 8, "opcode": "8a07", "mnemonic": "mov al, byte ptr [edi]" }, + { "offset": 10, "opcode": "47", "mnemonic": "inc edi" }, + { "offset": 11, "opcode": "2ce8", "mnemonic": "sub al, 0xe8" } + ], + "type": "seq" + }, + { + "index": 32, + "start": "0x10059a3", + "end": "0x10059a7", + "last_instr": "0x10059a6", + "wave": 0, + 
"instructions": [ + { + "offset": 0, + "opcode": "803f01", + "mnemonic": "cmp byte ptr [edi], 1" + }, + { "offset": 3, "opcode": "75f2", "mnemonic": "jne 0x100599a" } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x10000000 ", + "ECX": "0x00000013 ", + "EDX": "0x01003e20", + "ESI": "0x01001000 ", + "EDI": "0x0100110a ", + "EBP": "0xfffffb47 ", + "ESP": "0x000cff6c", + "eflags": "0x00000297" + }, + "type": "jcc" + }, + { + "index": 33, + "start": "0x10059a8", + "end": "0x10059c5", + "last_instr": "0x10059c4", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "8b07", + "mnemonic": "mov eax, dword ptr [edi]" + }, + { + "offset": 2, + "opcode": "8a5f04", + "mnemonic": "mov bl, byte ptr [edi + 4]" + }, + { "offset": 5, "opcode": "66c1e808", "mnemonic": "shr ax, 8" }, + { "offset": 9, "opcode": "c1c010", "mnemonic": "rol eax, 0x10" }, + { "offset": 12, "opcode": "86c4", "mnemonic": "xchg ah, al" }, + { "offset": 14, "opcode": "29f8", "mnemonic": "sub eax, edi" }, + { "offset": 16, "opcode": "80ebe8", "mnemonic": "sub bl, 0xe8" }, + { "offset": 19, "opcode": "01f0", "mnemonic": "add eax, esi" }, + { + "offset": 21, + "opcode": "8907", + "mnemonic": "mov dword ptr [edi], eax" + }, + { "offset": 23, "opcode": "83c705", "mnemonic": "add edi, 5" }, + { "offset": 26, "opcode": "88d8", "mnemonic": "mov al, bl" }, + { "offset": 28, "opcode": "e2d9", "mnemonic": "loop 0x100599f" } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x10000000 ", + "ECX": "0x00000013 ", + "EDX": "0x01003e20", + "ESI": "0x01001000 ", + "EDI": "0x0100110a ", + "EBP": "0xfffffb47 ", + "ESP": "0x000cff6c", + "eflags": "0x00000246" + }, + "type": "jcc" + }, + { + "index": 34, + "start": "0x100599f", + "end": "0x10059a2", + "last_instr": "0x10059a1", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "3c01", "mnemonic": "cmp al, 1" }, + { "offset": 2, "opcode": "77f7", "mnemonic": "ja 0x100599a" } + ], + "type": "jcc" + }, + { + "index": 35, + "start": "0x10059c6", + 
"end": "0x10059cb", + "last_instr": "0x10059c6", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "8dbe00300000", + "mnemonic": "lea edi, [esi + 0x3000]" + } + ], + "type": "seq" + }, + { + "index": 36, + "start": "0x10059d2", + "end": "0x10059e7", + "last_instr": "0x10059e2", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "8b5f04", + "mnemonic": "mov ebx, dword ptr [edi + 4]" + }, + { + "offset": 3, + "opcode": "8d84301c540000", + "mnemonic": "lea eax, [eax + esi + 0x541c]" + }, + { "offset": 10, "opcode": "01f3", "mnemonic": "add ebx, esi" }, + { "offset": 12, "opcode": "50", "mnemonic": "push eax" }, + { "offset": 13, "opcode": "83c708", "mnemonic": "add edi, 8" }, + { + "offset": 16, + "opcode": "ff9694540000", + "mnemonic": "call dword ptr [esi + 0x5494]" + } + ], + "registers": { + "EAX": "0x000000b4 ", + "EBX": "0x100000df ", + "ECX": "0x00000000 ", + "EDX": "0x01003e20", + "ESI": "0x01001000 ", + "EDI": "0x01004000 ", + "EBP": "0xfffffb47 ", + "ESP": "0x000cff6c", + "eflags": "0x00000206" + }, + "type": "call", + "syscalls": [ + { + "name": "KERNEL32.DLL!LoadLibraryA", + "timestamp": 19.825597, + "arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"KERNEL32.DLL\""], + "return": "0x75950000", + "output": [] + }, + { + "name": "KERNEL32.DLL!LoadLibraryA", + "timestamp": 19.913203, + "arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"msvcrt.dll\""], + "return": "0x752b0000", + "output": [] + }, + { + "name": "KERNEL32.DLL!LoadLibraryA", + "timestamp": 19.913203, + "arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"MSWSOCK.dll\""], + "return": "0x6c880000", + "output": [] + }, + { + "name": "KERNEL32.DLL!LoadLibraryA", + "timestamp": 19.913203, + "arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"USER32.dll\""], + "return": "0x76ac0000", + "output": [] + }, + { + "name": "KERNEL32.DLL!LoadLibraryA", + "timestamp": 19.913203, + "arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"WS2_32.dll\""], + "return": "0x76e60000", + "output": [] + } + ] + }, + { + "index": 
37, + "start": "0x10059e8", + "end": "0x10059e8", + "last_instr": "0x10059e8", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "95", "mnemonic": "xchg eax, ebp" } + ], + "type": "seq" + }, + { + "index": 38, + "start": "0x10059f0", + "end": "0x10059f3", + "last_instr": "0x10059f2", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "89f9", "mnemonic": "mov ecx, edi" }, + { "offset": 2, "opcode": "7907", "mnemonic": "jns 0x10059fb" } + ], + "registers": { + "EAX": "0xfffffb01 ", + "EBX": "0x01001000 ", + "ECX": "0x00000002 ", + "EDX": "0x00000001", + "ESI": "0x01001000 ", + "EDI": "0x01004009 ", + "EBP": "0x75950000 ", + "ESP": "0x000cff6c", + "eflags": "0x00000202" + }, + "type": "jcc" + }, + { + "index": 39, + "start": "0x1005a06", + "end": "0x1005a09", + "last_instr": "0x1005a08", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "09c0", "mnemonic": "or eax, eax" }, + { "offset": 2, "opcode": "7407", "mnemonic": "je 0x1005a11" } + ], + "registers": { + "EAX": "0x75985fbd ", + "EBX": "0x01001000 ", + "ECX": "0x75950000 ", + "EDX": "0x75950000", + "ESI": "0x01001000 ", + "EDI": "0x01004018 ", + "EBP": "0x75950000 ", + "ESP": "0x000cff6c", + "eflags": "0x00000206" + }, + "type": "jcc" + }, + { + "index": 40, + "start": "0x1005a0a", + "end": "0x1005a10", + "last_instr": "0x1005a0f", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "8903", + "mnemonic": "mov dword ptr [ebx], eax" + }, + { "offset": 2, "opcode": "83c304", "mnemonic": "add ebx, 4" }, + { "offset": 5, "opcode": "ebd8", "mnemonic": "jmp 0x10059e9" } + ], + "registers": { + "EAX": "0x75985fbd ", + "EBX": "0x01001000 ", + "ECX": "0x75950000 ", + "EDX": "0x75950000", + "ESI": "0x01001000 ", + "EDI": "0x01004018 ", + "EBP": "0x75950000 ", + "ESP": "0x000cff6c", + "eflags": "0x00000206" + }, + "type": "jmp" + }, + { + "index": 41, + "start": "0x10059e9", + "end": "0x10059ef", + "last_instr": "0x10059ee", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": 
"8a07", "mnemonic": "mov al, byte ptr [edi]" }, + { "offset": 2, "opcode": "47", "mnemonic": "inc edi" }, + { "offset": 3, "opcode": "08c0", "mnemonic": "or al, al" }, + { "offset": 5, "opcode": "74dc", "mnemonic": "je 0x10059cc" } + ], + "type": "jcc" + }, + { + "index": 42, + "start": "0x10059cc", + "end": "0x10059d1", + "last_instr": "0x10059d0", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "8b07", + "mnemonic": "mov eax, dword ptr [edi]" + }, + { "offset": 2, "opcode": "09c0", "mnemonic": "or eax, eax" }, + { "offset": 4, "opcode": "7445", "mnemonic": "je 0x1005a17" } + ], + "type": "jcc" + }, + { + "index": 43, + "start": "0x10059f4", + "end": "0x1005a05", + "last_instr": "0x1005a00", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "0fb707", + "mnemonic": "movzx eax, word ptr [edi]" + }, + { "offset": 3, "opcode": "47", "mnemonic": "inc edi" }, + { "offset": 4, "opcode": "50", "mnemonic": "push eax" }, + { "offset": 5, "opcode": "47", "mnemonic": "inc edi" }, + { + "offset": 6, + "opcode": "b95748f2ae", + "mnemonic": "mov ecx, 0xaef24857" + }, + { "offset": 11, "opcode": "55", "mnemonic": "push ebp" }, + { + "offset": 12, + "opcode": "ff9698540000", + "mnemonic": "call dword ptr [esi + 0x5498]" + } + ], + "registers": { + "EAX": "0x76ac00ff ", + "EBX": "0x01001024 ", + "ECX": "0x01004150 ", + "EDX": "0x004c34a4", + "ESI": "0x01001000 ", + "EDI": "0x01004150 ", + "EBP": "0x76e60000 ", + "ESP": "0x000cff6c", + "eflags": "0x00000286" + }, + "type": "call", + "syscalls": [ + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.875559, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x75950000", + "_IN_ (LPCSTR) [0x000cff68] \"FormatMessageA\"" + ], + "return": "0x75985fbd", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.905854, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x75950000", + "_IN_ (LPCSTR) [0x000cff68] \"LocalFree\"" + ], + "return": "0x75962d3c", + "output": [] + }, + { 
+ "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.905854, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x75950000", + "_IN_ (LPCSTR) [0x000cff68] \"GetModuleHandleA\"" + ], + "return": "0x75961245", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.905854, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x75950000", + "_IN_ (LPCSTR) [0x000cff68] \"GetLastError\"" + ], + "return": "0x759611c0", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"__p__commode\"" + ], + "return": "0x752c27c3", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"__p__fmode\"" + ], + "return": "0x752c27ce", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"__set_app_type\"" + ], + "return": "0x752c2804", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"_controlfp\"" + ], + "return": "0x752be1e1", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"_cexit\"" + ], + "return": "0x752c37d4", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"_adjust_fdiv\"" + ], + "return": "0x753532ec", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) 
[0x000cff68] \"_except_handler3\"" + ], + "return": "0x752dd770", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"_XcptFilter\"" + ], + "return": "0x752ddc75", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"_exit\"" + ], + "return": "0x7531b2c0", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"_c_exit\"" + ], + "return": "0x7531b2db", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"__setusermatherr\"" + ], + "return": "0x753477ad", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"_initterm\"" + ], + "return": "0x752bc151", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"__getmainargs\"" + ], + "return": "0x752c2bc0", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"__initenv\"" + ], + "return": "0x753504e8", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"_write\"" + ], + "return": "0x752c4078", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": 
[ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"strchr\"" + ], + "return": "0x752bdbeb", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"puts\"" + ], + "return": "0x75328d04", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x752b0000", + "_IN_ (LPCSTR) [0x000cff68] \"exit\"" + ], + "return": "0x752c36aa", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x6c880000", + "_IN_ (LPCSTR) [0x000cff68] \"s_perror\"" + ], + "return": "0x6c8a1be4", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddress", + "timestamp": 19.913203, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x76ac0000", + "_IN_ (LPCSTR) [0x000cff68] \"CharToOemBuffA\"" + ], + "return": "0x76aeb1b0", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddressOrdinal", + "timestamp": 19.942805, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x76e60000", + "_IN_ (USHORT) [0x000cff68] 0x00000039" + ], + "return": "0x76e6a05b", + "output": [] + }, + { + "name": "KERNEL32.DLL!GetProcAddressOrdinal", + "timestamp": 19.942805, + "arguments": [ + "_IN_ (HMODULE) [0x000cff64] 0x76e60000", + "_IN_ (USHORT) [0x000cff68] 0x00000073" + ], + "return": "0x76e63ab2", + "output": [] + } + ] + }, + { + "index": 44, + "start": "0x1005a17", + "end": "0x1005a2f", + "last_instr": "0x1005a2e", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "8bae9c540000", + "mnemonic": "mov ebp, dword ptr [esi + 0x549c]" + }, + { + "offset": 6, + "opcode": "8dbe00f0ffff", + "mnemonic": "lea edi, [esi - 0x1000]" + }, + { "offset": 12, "opcode": "bb00100000", "mnemonic": "mov ebx, 0x1000" }, + { "offset": 17, "opcode": "50", "mnemonic": "push eax" }, + { "offset": 18, 
"opcode": "54", "mnemonic": "push esp" }, + { "offset": 19, "opcode": "6a04", "mnemonic": "push 4" }, + { "offset": 21, "opcode": "53", "mnemonic": "push ebx" }, + { "offset": 22, "opcode": "57", "mnemonic": "push edi" }, + { "offset": 23, "opcode": "ffd5", "mnemonic": "call ebp" } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x0100102c ", + "ECX": "0x76e60000 ", + "EDX": "0x00001725", + "ESI": "0x01001000 ", + "EDI": "0x01004156 ", + "EBP": "0x76e60000 ", + "ESP": "0x000cff6c", + "eflags": "0x00000246" + }, + "type": "call", + "syscalls": [ + { + "name": "KERNEL32.DLL!VirtualProtect", + "timestamp": 19.950966, + "arguments": [ + "_IN_ (LPVOID) [0x000cff58] 0x01000000", + "_IN_ (SIZE_T) [0x000cff5c] 0x00001000", + "_IN_ (DWORD) [0x000cff60] 0x00000004", + "_OUT_ (PDWORD) [0x000cff64] 0x000cff68" + ], + "return": "TRUE", + "output": ["[0x000cff68] 0x00000002"] + } + ] + }, + { + "index": 45, + "start": "0x1005a30", + "end": "0x1005a44", + "last_instr": "0x1005a43", + "wave": 0, + "instructions": [ + { + "offset": 0, + "opcode": "8d87f7010000", + "mnemonic": "lea eax, [edi + 0x1f7]" + }, + { + "offset": 6, + "opcode": "80207f", + "mnemonic": "and byte ptr [eax], 0x7f" + }, + { + "offset": 9, + "opcode": "8060287f", + "mnemonic": "and byte ptr [eax + 0x28], 0x7f" + }, + { "offset": 13, "opcode": "58", "mnemonic": "pop eax" }, + { "offset": 14, "opcode": "50", "mnemonic": "push eax" }, + { "offset": 15, "opcode": "54", "mnemonic": "push esp" }, + { "offset": 16, "opcode": "50", "mnemonic": "push eax" }, + { "offset": 17, "opcode": "53", "mnemonic": "push ebx" }, + { "offset": 18, "opcode": "57", "mnemonic": "push edi" }, + { "offset": 19, "opcode": "ffd5", "mnemonic": "call ebp" } + ], + "registers": { + "EAX": "0x00000001 ", + "EBX": "0x00001000 ", + "ECX": "0x7a280000 ", + "EDX": "0x0008e3c8", + "ESI": "0x01001000 ", + "EDI": "0x01000000 ", + "EBP": "0x7596435f ", + "ESP": "0x000cff68", + "eflags": "0x00000202" + }, + "type": "call", + "syscalls": [ + { + 
"name": "KERNEL32.DLL!VirtualProtect", + "timestamp": 19.966595, + "arguments": [ + "_IN_ (LPVOID) [0x000cff58] 0x01000000", + "_IN_ (SIZE_T) [0x000cff5c] 0x00001000", + "_IN_ (DWORD) [0x000cff60] 0x00000002", + "_OUT_ (PDWORD) [0x000cff64] 0x000cff68" + ], + "return": "TRUE", + "output": ["[0x000cff68] 0x00000004"] + } + ] + }, + { + "index": 46, + "start": "0x1005a45", + "end": "0x1005a4a", + "last_instr": "0x1005a47", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "58", "mnemonic": "pop eax" }, + { "offset": 1, "opcode": "61", "mnemonic": "popal " }, + { + "offset": 2, + "opcode": "8d442480", + "mnemonic": "lea eax, [esp - 0x80]" + } + ], + "type": "seq" + }, + { + "index": 47, + "start": "0x1005a51", + "end": "0x1005a58", + "last_instr": "0x1005a54", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "83ec80", "mnemonic": "sub esp, -0x80" }, + { "offset": 3, "opcode": "e97eb7ffff", "mnemonic": "jmp 0x10011d7" } + ], + "registers": { + "EAX": "0x000cff0c ", + "EBX": "0x7efde000 ", + "ECX": "0x00000000 ", + "EDX": "0x010058c0", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff94 ", + "ESP": "0x000cff0c", + "eflags": "0x00000246" + }, + "type": "jmp" + }, + { + "index": 48, + "start": "0x10011d7", + "end": "0x10011e2", + "last_instr": "0x10011de", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "6a28", "mnemonic": "push 0x28" }, + { "offset": 2, "opcode": "68b0100001", "mnemonic": "push 0x10010b0" }, + { "offset": 7, "opcode": "e891010000", "mnemonic": "call 0x1001374" } + ], + "registers": { + "EAX": "0x000cff0c ", + "EBX": "0x7efde000 ", + "ECX": "0x00000000 ", + "EDX": "0x010058c0", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff94 ", + "ESP": "0x000cff8c", + "eflags": "0x00000203" + }, + "type": "call" + }, + { + "index": 49, + "start": "0x1001374", + "end": "0x10013ac", + "last_instr": "0x10013ac", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "68c4130001", "mnemonic": "push 
0x10013c4" }, + { + "offset": 5, + "opcode": "64a100000000", + "mnemonic": "mov eax, dword ptr fs:[0]" + }, + { "offset": 11, "opcode": "50", "mnemonic": "push eax" }, + { + "offset": 12, + "opcode": "64892500000000", + "mnemonic": "mov dword ptr fs:[0], esp" + }, + { + "offset": 19, + "opcode": "8b442410", + "mnemonic": "mov eax, dword ptr [esp + 0x10]" + }, + { + "offset": 23, + "opcode": "896c2410", + "mnemonic": "mov dword ptr [esp + 0x10], ebp" + }, + { + "offset": 27, + "opcode": "8d6c2410", + "mnemonic": "lea ebp, [esp + 0x10]" + }, + { "offset": 31, "opcode": "2be0", "mnemonic": "sub esp, eax" }, + { "offset": 33, "opcode": "53", "mnemonic": "push ebx" }, + { "offset": 34, "opcode": "56", "mnemonic": "push esi" }, + { "offset": 35, "opcode": "57", "mnemonic": "push edi" }, + { + "offset": 36, + "opcode": "8b45f8", + "mnemonic": "mov eax, dword ptr [ebp - 8]" + }, + { + "offset": 39, + "opcode": "8965e8", + "mnemonic": "mov dword ptr [ebp - 0x18], esp" + }, + { "offset": 42, "opcode": "50", "mnemonic": "push eax" }, + { + "offset": 43, + "opcode": "8b45fc", + "mnemonic": "mov eax, dword ptr [ebp - 4]" + }, + { + "offset": 46, + "opcode": "c745fcffffffff", + "mnemonic": "mov dword ptr [ebp - 4], 0xffffffff" + }, + { + "offset": 53, + "opcode": "8945f8", + "mnemonic": "mov dword ptr [ebp - 8], eax" + }, + { "offset": 56, "opcode": "c3", "mnemonic": "ret " } + ], + "registers": { + "EAX": "0x000cff0c ", + "EBX": "0x7efde000 ", + "ECX": "0x00000000 ", + "EDX": "0x010058c0", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff94 ", + "ESP": "0x000cff80", + "eflags": "0x00000203" + }, + "type": "ret" + }, + { + "index": 50, + "start": "0x10011e3", + "end": "0x10011eb", + "last_instr": "0x10011e6", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "33ff", "mnemonic": "xor edi, edi" }, + { "offset": 2, "opcode": "57", "mnemonic": "push edi" }, + { + "offset": 3, + "opcode": "ff1508100001", + "mnemonic": "call dword ptr [0x1001008]" + } + ], + 
"registers": { + "EAX": "0x010010b0 ", + "EBX": "0x7efde000 ", + "ECX": "0x00000000 ", + "EDX": "0x010058c0", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff44", + "eflags": "0x00000206" + }, + "type": "call", + "syscalls": [ + { + "name": "KERNEL32.DLL!GetModuleHandleA", + "timestamp": 20.007819, + "arguments": ["_IN_ (LPCTSTR) [0x000cff40] \"\""], + "return": "0x01000000", + "output": [] + } + ] + }, + { + "index": 51, + "start": "0x10011ec", + "end": "0x10011f2", + "last_instr": "0x10011f1", + "wave": 1, + "instructions": [ + { + "offset": 0, + "opcode": "6681384d5a", + "mnemonic": "cmp word ptr [eax], 0x5a4d" + }, + { "offset": 5, "opcode": "751f", "mnemonic": "jne 0x1001212" } + ], + "registers": { + "EAX": "0x01000000 ", + "EBX": "0x7efde000 ", + "ECX": "0x00000000 ", + "EDX": "0x010058c0", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff44", + "eflags": "0x00000246" + }, + "type": "jcc" + }, + { + "index": 52, + "start": "0x10011f3", + "end": "0x10011ff", + "last_instr": "0x10011fe", + "wave": 1, + "instructions": [ + { + "offset": 0, + "opcode": "8b483c", + "mnemonic": "mov ecx, dword ptr [eax + 0x3c]" + }, + { "offset": 3, "opcode": "03c8", "mnemonic": "add ecx, eax" }, + { + "offset": 5, + "opcode": "813950450000", + "mnemonic": "cmp dword ptr [ecx], 0x4550" + }, + { "offset": 11, "opcode": "7512", "mnemonic": "jne 0x1001212" } + ], + "registers": { + "EAX": "0x01000000 ", + "EBX": "0x7efde000 ", + "ECX": "0x00000000 ", + "EDX": "0x010058c0", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff44", + "eflags": "0x00000246" + }, + "type": "jcc" + }, + { + "index": 53, + "start": "0x1001200", + "end": "0x100120a", + "last_instr": "0x1001209", + "wave": 1, + "instructions": [ + { + "offset": 0, + "opcode": "0fb74118", + "mnemonic": "movzx eax, word ptr [ecx + 0x18]" + }, + { "offset": 4, "opcode": "3d0b010000", "mnemonic": "cmp eax, 
0x10b" }, + { "offset": 9, "opcode": "741f", "mnemonic": "je 0x100122a" } + ], + "registers": { + "EAX": "0x01000000 ", + "EBX": "0x7efde000 ", + "ECX": "0x010000d8 ", + "EDX": "0x010058c0", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff44", + "eflags": "0x00000246" + }, + "type": "jcc" + }, + { + "index": 54, + "start": "0x100122a", + "end": "0x100122f", + "last_instr": "0x100122e", + "wave": 1, + "instructions": [ + { + "offset": 0, + "opcode": "8379740e", + "mnemonic": "cmp dword ptr [ecx + 0x74], 0xe" + }, + { "offset": 4, "opcode": "76e2", "mnemonic": "jbe 0x1001212" } + ], + "registers": { + "EAX": "0x0000010b ", + "EBX": "0x7efde000 ", + "ECX": "0x010000d8 ", + "EDX": "0x010058c0", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff44", + "eflags": "0x00000246" + }, + "type": "jcc" + }, + { + "index": 55, + "start": "0x1001230", + "end": "0x1001248", + "last_instr": "0x1001243", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "33c0", "mnemonic": "xor eax, eax" }, + { + "offset": 2, + "opcode": "39b9e8000000", + "mnemonic": "cmp dword ptr [ecx + 0xe8], edi" + }, + { "offset": 8, "opcode": "0f95c0", "mnemonic": "setne al" }, + { + "offset": 11, + "opcode": "8945e4", + "mnemonic": "mov dword ptr [ebp - 0x1c], eax" + }, + { + "offset": 14, + "opcode": "897dfc", + "mnemonic": "mov dword ptr [ebp - 4], edi" + }, + { "offset": 17, "opcode": "6a01", "mnemonic": "push 1" }, + { + "offset": 19, + "opcode": "ff1538100001", + "mnemonic": "call dword ptr [0x1001038]" + } + ], + "registers": { + "EAX": "0x0000010b ", + "EBX": "0x7efde000 ", + "ECX": "0x010000d8 ", + "EDX": "0x010058c0", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff44", + "eflags": "0x00000212" + }, + "type": "call", + "syscalls": [ + { + "name": "MSVCRT.DLL!__set_app_type", + "timestamp": 20.042519, + "arguments": ["_IN_ (INT) [0x000cff40] 0x00000001"], + "return": 
"", + "output": [] + } + ] + }, + { + "index": 56, + "start": "0x1001249", + "end": "0x100125d", + "last_instr": "0x1001258", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "59", "mnemonic": "pop ecx" }, + { + "offset": 1, + "opcode": "830dd0210001ff", + "mnemonic": "or dword ptr [0x10021d0], 0xffffffff" + }, + { + "offset": 8, + "opcode": "830dd4210001ff", + "mnemonic": "or dword ptr [0x10021d4], 0xffffffff" + }, + { + "offset": 15, + "opcode": "ff1534100001", + "mnemonic": "call dword ptr [0x1001034]" + } + ], + "registers": { + "EAX": "0x00000001 ", + "EBX": "0x7efde000 ", + "ECX": "0x00000001 ", + "EDX": "0x000000d8", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff40", + "eflags": "0x00000202" + }, + "type": "call", + "syscalls": [ + { + "name": "MSVCRT.DLL!__p__fmode", + "timestamp": 20.060264, + "arguments": [], + "return": "0x753531f4", + "output": [] + } + ] + }, + { + "index": 57, + "start": "0x100125e", + "end": "0x100126b", + "last_instr": "0x1001266", + "wave": 1, + "instructions": [ + { + "offset": 0, + "opcode": "8b0d2c200001", + "mnemonic": "mov ecx, dword ptr [0x100202c]" + }, + { + "offset": 6, + "opcode": "8908", + "mnemonic": "mov dword ptr [eax], ecx" + }, + { + "offset": 8, + "opcode": "ff1530100001", + "mnemonic": "call dword ptr [0x1001030]" + } + ], + "registers": { + "EAX": "0x753531f4 ", + "EBX": "0x7efde000 ", + "ECX": "0x00000001 ", + "EDX": "0x000000d8", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff44", + "eflags": "0x00000286" + }, + "type": "call", + "syscalls": [ + { + "name": "MSVCRT.DLL!__p__commode", + "timestamp": 20.066232, + "arguments": [], + "return": "0x753531fc", + "output": [] + } + ] + }, + { + "index": 58, + "start": "0x100126c", + "end": "0x1001284", + "last_instr": "0x1001280", + "wave": 1, + "instructions": [ + { + "offset": 0, + "opcode": "8b0d28200001", + "mnemonic": "mov ecx, dword ptr [0x1002028]" + }, + { + 
"offset": 6, + "opcode": "8908", + "mnemonic": "mov dword ptr [eax], ecx" + }, + { + "offset": 8, + "opcode": "a144100001", + "mnemonic": "mov eax, dword ptr [0x1001044]" + }, + { + "offset": 13, + "opcode": "8b00", + "mnemonic": "mov eax, dword ptr [eax]" + }, + { + "offset": 15, + "opcode": "a3d8210001", + "mnemonic": "mov dword ptr [0x10021d8], eax" + }, + { "offset": 20, "opcode": "e8eb000000", "mnemonic": "call 0x1001370" } + ], + "registers": { + "EAX": "0x753531fc ", + "EBX": "0x7efde000 ", + "ECX": "0x00000000 ", + "EDX": "0x000000d8", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff44", + "eflags": "0x00000286" + }, + "type": "call" + }, + { + "index": 59, + "start": "0x1001370", + "end": "0x1001372", + "last_instr": "0x1001372", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "33c0", "mnemonic": "xor eax, eax" }, + { "offset": 2, "opcode": "c3", "mnemonic": "ret " } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x7efde000 ", + "ECX": "0x00000000 ", + "EDX": "0x000000d8", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff40", + "eflags": "0x00000286" + }, + "type": "ret" + }, + { + "index": 60, + "start": "0x1001285", + "end": "0x100128c", + "last_instr": "0x100128b", + "wave": 1, + "instructions": [ + { + "offset": 0, + "opcode": "393d00200001", + "mnemonic": "cmp dword ptr [0x1002000], edi" + }, + { "offset": 6, "opcode": "750c", "mnemonic": "jne 0x1001299" } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x7efde000 ", + "ECX": "0x00000000 ", + "EDX": "0x000000d8", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff44", + "eflags": "0x00000246" + }, + "type": "jcc" + }, + { + "index": 61, + "start": "0x1001299", + "end": "0x100129d", + "last_instr": "0x1001299", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "e8c0000000", "mnemonic": "call 0x100135e" } + ], + "registers": { + "EAX": 
"0x00000000 ", + "EBX": "0x7efde000 ", + "ECX": "0x00000000 ", + "EDX": "0x000000d8", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff44", + "eflags": "0x00000202" + }, + "type": "call" + }, + { + "index": 62, + "start": "0x100135e", + "end": "0x100136c", + "last_instr": "0x1001368", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "6800000300", "mnemonic": "push 0x30000" }, + { "offset": 5, "opcode": "6800000100", "mnemonic": "push 0x10000" }, + { "offset": 10, "opcode": "e851000000", "mnemonic": "call 0x10013be" } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x7efde000 ", + "ECX": "0x00000000 ", + "EDX": "0x000000d8", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff40", + "eflags": "0x00000202" + }, + "type": "call", + "obfuscations": [ + { + "type": "callstack tampering : call", + "description": "No ret instruction corresponding to the call" + } + ] + }, + { + "index": 63, + "start": "0x10013be", + "end": "0x10013c3", + "last_instr": "0x10013be", + "wave": 1, + "instructions": [ + { + "offset": 0, + "opcode": "ff253c100001", + "mnemonic": "jmp dword ptr [0x100103c]" + } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x7efde000 ", + "ECX": "0x00000000 ", + "EDX": "0x000000d8", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff34", + "eflags": "0x00000202" + }, + "type": "jmp", + "syscalls": [ + { + "name": "MSVCRT.DLL!_controlfp", + "timestamp": 20.101722, + "arguments": [], + "return": "", + "output": [] + } + ] + }, + { + "index": 64, + "start": "0x100136d", + "end": "0x100136f", + "last_instr": "0x100136f", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "59", "mnemonic": "pop ecx" }, + { "offset": 1, "opcode": "59", "mnemonic": "pop ecx" }, + { "offset": 2, "opcode": "c3", "mnemonic": "ret " } + ], + "registers": { + "EAX": "0x0009001f ", + "EBX": "0x7efde000 ", + "ECX": "0x00010000 ", + "EDX": 
"0x0008001f", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff38", + "eflags": "0x00000246" + }, + "type": "ret" + }, + { + "index": 65, + "start": "0x100129e", + "end": "0x10012ac", + "last_instr": "0x10012a8", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "6888100001", "mnemonic": "push 0x1001088" }, + { "offset": 5, "opcode": "6884100001", "mnemonic": "push 0x1001084" }, + { "offset": 10, "opcode": "e8ab000000", "mnemonic": "call 0x1001358" } + ], + "registers": { + "EAX": "0x0009001f ", + "EBX": "0x7efde000 ", + "ECX": "0x00030000 ", + "EDX": "0x0008001f", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff44", + "eflags": "0x00000246" + }, + "type": "call", + "obfuscations": [ + { + "type": "callstack tampering : call", + "description": "No ret instruction corresponding to the call" + } + ] + }, + { + "index": 66, + "start": "0x1001358", + "end": "0x100135d", + "last_instr": "0x1001358", + "wave": 1, + "instructions": [ + { + "offset": 0, + "opcode": "ff255c100001", + "mnemonic": "jmp dword ptr [0x100105c]" + } + ], + "registers": { + "EAX": "0x0009001f ", + "EBX": "0x7efde000 ", + "ECX": "0x00030000 ", + "EDX": "0x0008001f", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff38", + "eflags": "0x00000246" + }, + "type": "jmp", + "syscalls": [ + { + "name": "MSVCRT.DLL!_initterm", + "timestamp": 20.12734, + "arguments": [], + "return": "", + "output": [] + }, + { + "name": "MSVCRT.DLL!_initterm", + "timestamp": 20.150398, + "arguments": [], + "return": "", + "output": [] + } + ] + }, + { + "index": 67, + "start": "0x10012ad", + "end": "0x10012d0", + "last_instr": "0x10012cb", + "wave": 1, + "instructions": [ + { + "offset": 0, + "opcode": "a124200001", + "mnemonic": "mov eax, dword ptr [0x1002024]" + }, + { + "offset": 5, + "opcode": "8945e0", + "mnemonic": "mov dword ptr [ebp - 0x20], eax" + }, + { + "offset": 8, + "opcode": 
"8d45e0", + "mnemonic": "lea eax, [ebp - 0x20]" + }, + { "offset": 11, "opcode": "50", "mnemonic": "push eax" }, + { + "offset": 12, + "opcode": "ff3520200001", + "mnemonic": "push dword ptr [0x1002020]" + }, + { + "offset": 18, + "opcode": "8d45dc", + "mnemonic": "lea eax, [ebp - 0x24]" + }, + { "offset": 21, "opcode": "50", "mnemonic": "push eax" }, + { + "offset": 22, + "opcode": "8d45d8", + "mnemonic": "lea eax, [ebp - 0x28]" + }, + { "offset": 25, "opcode": "50", "mnemonic": "push eax" }, + { + "offset": 26, + "opcode": "8d45d4", + "mnemonic": "lea eax, [ebp - 0x2c]" + }, + { "offset": 29, "opcode": "50", "mnemonic": "push eax" }, + { + "offset": 30, + "opcode": "ff1560100001", + "mnemonic": "call dword ptr [0x1001060]" + } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x7efde000 ", + "ECX": "0x00030000 ", + "EDX": "0x0008001f", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff3c", + "eflags": "0x00000246" + }, + "type": "call", + "syscalls": [ + { + "name": "MSVCRT.DLL!__getmainargs", + "timestamp": 20.132675, + "arguments": [], + "return": "", + "output": [] + } + ] + }, + { + "index": 68, + "start": "0x10012d1", + "end": "0x10012e2", + "last_instr": "0x10012de", + "wave": 1, + "instructions": [ + { + "offset": 0, + "opcode": "8945d0", + "mnemonic": "mov dword ptr [ebp - 0x30], eax" + }, + { "offset": 3, "opcode": "6880100001", "mnemonic": "push 0x1001080" }, + { "offset": 8, "opcode": "687c100001", "mnemonic": "push 0x100107c" }, + { "offset": 13, "opcode": "e875000000", "mnemonic": "call 0x1001358" } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x7efde000 ", + "ECX": "0x000cff64 ", + "EDX": "0x002115a8", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff28", + "eflags": "0x00000246" + }, + "type": "call", + "obfuscations": [ + { + "type": "callstack tampering : call", + "description": "No ret instruction corresponding to the call" + } + ] + }, + { + 
"index": 69, + "start": "0x10012e3", + "end": "0x10012fb", + "last_instr": "0x10012f7", + "wave": 1, + "instructions": [ + { + "offset": 0, + "opcode": "8b45dc", + "mnemonic": "mov eax, dword ptr [ebp - 0x24]" + }, + { + "offset": 3, + "opcode": "8b0d64100001", + "mnemonic": "mov ecx, dword ptr [0x1001064]" + }, + { + "offset": 9, + "opcode": "8901", + "mnemonic": "mov dword ptr [ecx], eax" + }, + { + "offset": 11, + "opcode": "ff75dc", + "mnemonic": "push dword ptr [ebp - 0x24]" + }, + { + "offset": 14, + "opcode": "ff75d8", + "mnemonic": "push dword ptr [ebp - 0x28]" + }, + { + "offset": 17, + "opcode": "ff75d4", + "mnemonic": "push dword ptr [ebp - 0x2c]" + }, + { "offset": 20, "opcode": "e8e0fdffff", "mnemonic": "call 0x10010dc" } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x7efde000 ", + "ECX": "0x000cff64 ", + "EDX": "0x002115a8", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff20", + "eflags": "0x00000246" + }, + "type": "call", + "obfuscations": [ + { + "type": "callstack tampering : call", + "description": "No ret instruction corresponding to the call" + } + ] + }, + { + "index": 70, + "start": "0x10010dc", + "end": "0x10010f7", + "last_instr": "0x10010f2", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "55", "mnemonic": "push ebp" }, + { "offset": 1, "opcode": "8bec", "mnemonic": "mov ebp, esp" }, + { "offset": 3, "opcode": "81ec00040000", "mnemonic": "sub esp, 0x400" }, + { "offset": 9, "opcode": "53", "mnemonic": "push ebx" }, + { "offset": 10, "opcode": "56", "mnemonic": "push esi" }, + { "offset": 11, "opcode": "57", "mnemonic": "push edi" }, + { "offset": 12, "opcode": "6840200001", "mnemonic": "push 0x1002040" }, + { "offset": 17, "opcode": "6801010000", "mnemonic": "push 0x101" }, + { + "offset": 22, + "opcode": "ff1528100001", + "mnemonic": "call dword ptr [0x1001028]" + } + ], + "registers": { + "EAX": "0x002115a8 ", + "EBX": "0x7efde000 ", + "ECX": "0x753504e8 ", + "EDX": 
"0x002115a8", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff88 ", + "ESP": "0x000cff10", + "eflags": "0x00000246" + }, + "type": "call", + "syscalls": [ + { + "name": "WS2_32.DLL!WSAStartup", + "timestamp": 20.166225, + "arguments": [ + "_IN_ (WORD) [0x000cfaf8] 0x00000101", + "_OUT_ (LPWSADATA) [0x000cfafc] 0x01002040" + ], + "return": "0x00000000", + "output": [ + "[LPWSADATA]", + "[0x01002040] 0x00000101", + "[0x01002042] 0x00000202", + "[0x01002044] \"WinSock 2.0\"", + "[0x0100204f] \"\"", + "[0x0100204f] 0x00000000", + "[0x01002051] 0x00000000", + "[0x01002053] \"\"" + ] + } + ] + }, + { + "index": 71, + "start": "0x10010f8", + "end": "0x10010fc", + "last_instr": "0x10010fb", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "83f8ff", "mnemonic": "cmp eax, -1" }, + { "offset": 3, "opcode": "7511", "mnemonic": "jne 0x100110e" } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x7efde000 ", + "ECX": "0x76e63beb ", + "EDX": "0x00080002", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff0c ", + "ESP": "0x000cfb00", + "eflags": "0x00000246" + }, + "type": "jcc" + }, + { + "index": 72, + "start": "0x100110e", + "end": "0x1001119", + "last_instr": "0x1001118", + "wave": 1, + "instructions": [ + { + "offset": 0, + "opcode": "8b7d0c", + "mnemonic": "mov edi, dword ptr [ebp + 0xc]" + }, + { "offset": 3, "opcode": "33db", "mnemonic": "xor ebx, ebx" }, + { + "offset": 5, + "opcode": "beac100001", + "mnemonic": "mov esi, 0x10010ac" + }, + { "offset": 10, "opcode": "eb07", "mnemonic": "jmp 0x1001121" } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x7efde000 ", + "ECX": "0x76e63beb ", + "EDX": "0x00080002", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff0c ", + "ESP": "0x000cfb00", + "eflags": "0x00000213" + }, + "type": "jmp" + }, + { + "index": 73, + "start": "0x1001121", + "end": "0x100112a", + "last_instr": "0x1001126", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "56", 
"mnemonic": "push esi" }, + { "offset": 1, "opcode": "57", "mnemonic": "push edi" }, + { + "offset": 2, + "opcode": "ff7508", + "mnemonic": "push dword ptr [ebp + 8]" + }, + { "offset": 5, "opcode": "e84a030000", "mnemonic": "call 0x1001475" } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x00000000 ", + "ECX": "0x76e63beb ", + "EDX": "0x00080002", + "ESI": "0x010010ac ", + "EDI": "0x00211120 ", + "EBP": "0x000cff0c ", + "ESP": "0x000cfb00", + "eflags": "0x00000246" + }, + "type": "call" + }, + { + "index": 74, + "start": "0x1001475", + "end": "0x100148b", + "last_instr": "0x100148a", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "56", "mnemonic": "push esi" }, + { + "offset": 1, + "opcode": "8b3504200001", + "mnemonic": "mov esi, dword ptr [0x1002004]" + }, + { + "offset": 7, + "opcode": "3b742408", + "mnemonic": "cmp esi, dword ptr [esp + 8]" + }, + { + "offset": 11, + "opcode": "c705dc21000134200001", + "mnemonic": "mov dword ptr [0x10021dc], 0x1002034" + }, + { "offset": 21, "opcode": "7c08", "mnemonic": "jl 0x1001494" } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x00000000 ", + "ECX": "0x76e63beb ", + "EDX": "0x00080002", + "ESI": "0x010010ac ", + "EDI": "0x00211120 ", + "EBP": "0x000cff0c ", + "ESP": "0x000cfaf0", + "eflags": "0x00000246" + }, + "type": "jcc" + }, + { + "index": 75, + "start": "0x100148c", + "end": "0x1001493", + "last_instr": "0x100148f", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "83c8ff", "mnemonic": "or eax, 0xffffffff" }, + { "offset": 3, "opcode": "e9c8000000", "mnemonic": "jmp 0x100155c" } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x00000000 ", + "ECX": "0x76e63beb ", + "EDX": "0x00080002", + "ESI": "0x00000001 ", + "EDI": "0x00211120 ", + "EBP": "0x000cff0c ", + "ESP": "0x000cfaec", + "eflags": "0x00000246" + }, + "type": "jmp" + }, + { + "index": 76, + "start": "0x100155c", + "end": "0x100155f", + "last_instr": "0x100155d", + "wave": 1, + "instructions": [ + { 
"offset": 0, "opcode": "5e", "mnemonic": "pop esi" }, + { "offset": 1, "opcode": "c20c00", "mnemonic": "ret 0xc" } + ], + "registers": { + "EAX": "0xffffffff ", + "EBX": "0x00000000 ", + "ECX": "0x76e63beb ", + "EDX": "0x00080002", + "ESI": "0x00000001 ", + "EDI": "0x00211120 ", + "EBP": "0x000cff0c ", + "ESP": "0x000cfaec", + "eflags": "0x00000286" + }, + "type": "ret" + }, + { + "index": 77, + "start": "0x100112b", + "end": "0x100112f", + "last_instr": "0x100112e", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "83f8ff", "mnemonic": "cmp eax, -1" }, + { "offset": 3, "opcode": "75ea", "mnemonic": "jne 0x100111a" } + ], + "registers": { + "EAX": "0xffffffff ", + "EBX": "0x00000000 ", + "ECX": "0x76e63beb ", + "EDX": "0x00080002", + "ESI": "0x010010ac ", + "EDI": "0x00211120 ", + "EBP": "0x000cff0c ", + "ESP": "0x000cfb00", + "eflags": "0x00000286" + }, + "type": "jcc" + }, + { + "index": 78, + "start": "0x1001130", + "end": "0x100113a", + "last_instr": "0x1001139", + "wave": 1, + "instructions": [ + { + "offset": 0, + "opcode": "a104200001", + "mnemonic": "mov eax, dword ptr [0x1002004]" + }, + { + "offset": 5, + "opcode": "833c8700", + "mnemonic": "cmp dword ptr [edi + eax*4], 0" + }, + { "offset": 9, "opcode": "7419", "mnemonic": "je 0x1001154" } + ], + "registers": { + "EAX": "0xffffffff ", + "EBX": "0x00000000 ", + "ECX": "0x76e63beb ", + "EDX": "0x00080002", + "ESI": "0x010010ac ", + "EDI": "0x00211120 ", + "EBP": "0x000cff0c ", + "ESP": "0x000cfb00", + "eflags": "0x00000246" + }, + "type": "jcc" + }, + { + "index": 79, + "start": "0x1001154", + "end": "0x1001165", + "last_instr": "0x1001160", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "6800040000", "mnemonic": "push 0x400" }, + { + "offset": 5, + "opcode": "8d8500fcffff", + "mnemonic": "lea eax, [ebp - 0x400]" + }, + { "offset": 11, "opcode": "50", "mnemonic": "push eax" }, + { + "offset": 12, + "opcode": "ff1524100001", + "mnemonic": "call dword ptr [0x1001024]" + } + ], + 
"registers": { + "EAX": "0x00000001 ", + "EBX": "0x00000000 ", + "ECX": "0x76e63beb ", + "EDX": "0x00080002", + "ESI": "0x010010ac ", + "EDI": "0x00211120 ", + "EBP": "0x000cff0c ", + "ESP": "0x000cfb00", + "eflags": "0x00000246" + }, + "type": "call", + "syscalls": [ + { + "name": "WS2_32.DLL!gethostname", + "timestamp": 20.295551, + "arguments": [ + "_OUT_ (CHAR*) [0x000cfaf8] 0x000cfb0c", + "_IN_ (INT) [0x000cfafc] 0x00000400" + ], + "return": "", + "output": [] + } + ] + }, + { + "index": 80, + "start": "0x1001166", + "end": "0x1001169", + "last_instr": "0x1001168", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "85c0", "mnemonic": "test eax, eax" }, + { "offset": 2, "opcode": "7d13", "mnemonic": "jge 0x100117d" } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x00000000 ", + "ECX": "0xb2ac322f ", + "EDX": "0x00000000", + "ESI": "0x010010ac ", + "EDI": "0x00211120 ", + "EBP": "0x000cff0c ", + "ESP": "0x000cfb00", + "eflags": "0x00000246" + }, + "type": "jcc" + }, + { + "index": 81, + "start": "0x100117d", + "end": "0x1001180", + "last_instr": "0x100117f", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "85db", "mnemonic": "test ebx, ebx" }, + { "offset": 2, "opcode": "7418", "mnemonic": "je 0x1001199" } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x00000000 ", + "ECX": "0xb2ac322f ", + "EDX": "0x00000000", + "ESI": "0x010010ac ", + "EDI": "0x00211120 ", + "EBP": "0x000cff0c ", + "ESP": "0x000cfb00", + "eflags": "0x00000246" + }, + "type": "jcc" + }, + { + "index": 82, + "start": "0x1001199", + "end": "0x10011a1", + "last_instr": "0x100119f", + "wave": 1, + "instructions": [ + { + "offset": 0, + "opcode": "8d8500fcffff", + "mnemonic": "lea eax, [ebp - 0x400]" + }, + { "offset": 6, "opcode": "8d5001", "mnemonic": "lea edx, [eax + 1]" } + ], + "type": "seq" + }, + { + "index": 83, + "start": "0x10011a9", + "end": "0x10011bf", + "last_instr": "0x10011ba", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": 
"2bc2", "mnemonic": "sub eax, edx" }, + { "offset": 2, "opcode": "50", "mnemonic": "push eax" }, + { + "offset": 3, + "opcode": "8d8500fcffff", + "mnemonic": "lea eax, [ebp - 0x400]" + }, + { "offset": 9, "opcode": "50", "mnemonic": "push eax" }, + { + "offset": 10, + "opcode": "8d8500fcffff", + "mnemonic": "lea eax, [ebp - 0x400]" + }, + { "offset": 16, "opcode": "50", "mnemonic": "push eax" }, + { + "offset": 17, + "opcode": "ff151c100001", + "mnemonic": "call dword ptr [0x100101c]" + } + ], + "registers": { + "EAX": "0x000cfb14 ", + "EBX": "0x00000000 ", + "ECX": "0xb2ac3200 ", + "EDX": "0x000cfb0d", + "ESI": "0x010010ac ", + "EDI": "0x00211120 ", + "EBP": "0x000cff0c ", + "ESP": "0x000cfb00", + "eflags": "0x00000246" + }, + "type": "call", + "syscalls": [ + { + "name": "USER32.DLL!CharToOemBuffA", + "timestamp": 20.458695, + "arguments": [ + "_IN_ (LPCTSTR) [0x000cfaf4] \"lhs-PC1\"", + "_OUT_ (LPSTR) [0x000cfaf8] 0x000cfb0c", + "_IN_ (DWORD) [0x000cfafc] 0x00000007" + ], + "return": "TRUE", + "output": ["[0x000cfb0c] \"lhs-PC1\""] + } + ] + }, + { + "index": 84, + "start": "0x10011c0", + "end": "0x10011cc", + "last_instr": "0x10011c7", + "wave": 1, + "instructions": [ + { + "offset": 0, + "opcode": "8d8500fcffff", + "mnemonic": "lea eax, [ebp - 0x400]" + }, + { "offset": 6, "opcode": "50", "mnemonic": "push eax" }, + { + "offset": 7, + "opcode": "ff1570100001", + "mnemonic": "call dword ptr [0x1001070]" + } + ], + "registers": { + "EAX": "0x00000001 ", + "EBX": "0x00000000 ", + "ECX": "0x000cfb13 ", + "EDX": "0x00000031", + "ESI": "0x010010ac ", + "EDI": "0x00211120 ", + "EBP": "0x000cff0c ", + "ESP": "0x000cfb00", + "eflags": "0x00000202" + }, + "type": "call", + "syscalls": [ + { + "name": "MSVCRT.DLL!puts", + "timestamp": 20.469856, + "arguments": ["_IN_ (CHAR*) [0x000cfafc] \"lhs-PC1\""], + "return": "0x00000000", + "output": [] + } + ] + }, + { + "index": 85, + "start": "0x10011cd", + "end": "0x10011d5", + "last_instr": "0x10011d0", + "wave": 1, + 
"instructions": [ + { "offset": 0, "opcode": "59", "mnemonic": "pop ecx" }, + { "offset": 1, "opcode": "6a00", "mnemonic": "push 0" }, + { + "offset": 3, + "opcode": "ff1574100001", + "mnemonic": "call dword ptr [0x1001074]" + } + ], + "registers": { + "EAX": "0x00000000 ", + "EBX": "0x00000000 ", + "ECX": "0x75328e62 ", + "EDX": "0x0008e3c8", + "ESI": "0x010010ac ", + "EDI": "0x00211120 ", + "EBP": "0x000cff0c ", + "ESP": "0x000cfafc", + "eflags": "0x00000246" + }, + "type": "call", + "syscalls": [ + { + "name": "MSVCRT.DLL!exit", + "timestamp": 20.499071, + "arguments": ["_IN_ (INT) [0x000cfafc] 0x00000000"], + "return": "", + "output": [] + } + ] + }, + { + "index": 86, + "start": "0x1005a4b", + "end": "0x1005a50", + "last_instr": "0x1005a4f", + "wave": 0, + "instructions": [ + { "offset": 0, "opcode": "6a00", "mnemonic": "push 0" }, + { "offset": 2, "opcode": "39c4", "mnemonic": "cmp esp, eax" }, + { "offset": 4, "opcode": "75fa", "mnemonic": "jne 0x1005a4b" } + ], + "type": "jcc" + }, + { + "index": 87, + "start": "0x10011a2", + "end": "0x10011a8", + "last_instr": "0x10011a7", + "wave": 1, + "instructions": [ + { "offset": 0, "opcode": "8a08", "mnemonic": "mov cl, byte ptr [eax]" }, + { "offset": 2, "opcode": "40", "mnemonic": "inc eax" }, + { "offset": 3, "opcode": "84c9", "mnemonic": "test cl, cl" }, + { "offset": 5, "opcode": "75f9", "mnemonic": "jne 0x10011a2" } + ], + "type": "jcc" + }, + { + "index": 88, + "start": "0x0", + "end": "0x0", + "wave": 0, + "type": "scall", + "function_identifier": "KERNEL32.DLL!LoadLibraryA" + }, + { + "index": 89, + "start": "0x0", + "end": "0x0", + "wave": 0, + "type": "scall", + "function_identifier": "KERNEL32.DLL!GetProcAddress" + }, + { + "index": 90, + "start": "0x0", + "end": "0x0", + "wave": 0, + "type": "scall", + "function_identifier": "KERNEL32.DLL!GetProcAddressOrdinal" + }, + { + "index": 91, + "start": "0x0", + "end": "0x0", + "wave": 0, + "type": "scall", + "function_identifier": "KERNEL32.DLL!VirtualProtect" 
+ }, + { + "index": 92, + "start": "0x0", + "end": "0x0", + "wave": 0, + "type": "scall", + "function_identifier": "KERNEL32.DLL!GetModuleHandleA" + }, + { + "index": 93, + "start": "0x0", + "end": "0x0", + "wave": 0, + "type": "scall", + "function_identifier": "MSVCRT.DLL!__set_app_type" + }, + { + "index": 94, + "start": "0x0", + "end": "0x0", + "wave": 0, + "type": "scall", + "function_identifier": "MSVCRT.DLL!__p__fmode" + }, + { + "index": 95, + "start": "0x0", + "end": "0x0", + "wave": 0, + "type": "scall", + "function_identifier": "MSVCRT.DLL!__p__commode" + }, + { + "index": 96, + "start": "0x0", + "end": "0x0", + "wave": 0, + "type": "scall", + "function_identifier": "MSVCRT.DLL!_controlfp" + }, + { + "index": 97, + "start": "0x0", + "end": "0x0", + "wave": 0, + "type": "scall", + "function_identifier": "MSVCRT.DLL!_initterm" + }, + { + "index": 98, + "start": "0x0", + "end": "0x0", + "wave": 0, + "type": "scall", + "function_identifier": "MSVCRT.DLL!__getmainargs" + }, + { + "index": 99, + "start": "0x0", + "end": "0x0", + "wave": 0, + "type": "scall", + "function_identifier": "WS2_32.DLL!WSAStartup" + }, + { + "index": 100, + "start": "0x0", + "end": "0x0", + "wave": 0, + "type": "scall", + "function_identifier": "WS2_32.DLL!gethostname" + }, + { + "index": 101, + "start": "0x0", + "end": "0x0", + "wave": 0, + "type": "scall", + "function_identifier": "USER32.DLL!CharToOemBuffA" + }, + { + "index": 102, + "start": "0x0", + "end": "0x0", + "wave": 0, + "type": "scall", + "function_identifier": "MSVCRT.DLL!puts" + }, + { + "index": 103, + "start": "0x0", + "end": "0x0", + "wave": 0, + "type": "scall", + "function_identifier": "MSVCRT.DLL!exit" + } + ], + "edges": [ + { "src": 0, "dest": 1, "type": "child" }, + { "src": 1, "dest": 3, "type": "child" }, + { "src": 2, "dest": 16, "type": "child" }, + { "src": 3, "dest": 4, "type": "child" }, + { "src": 3, "dest": 2, "type": "child" }, + { "src": 4, "dest": 25, "type": "child" }, + { "src": 5, "dest": 24, 
"type": "child" }, + { "src": 5, "dest": 6, "type": "child" }, + { "src": 6, "dest": 12, "type": "child" }, + { "src": 6, "dest": 29, "type": "child" }, + { "src": 7, "dest": 28, "type": "child" }, + { "src": 8, "dest": 19, "type": "child" }, + { "src": 8, "dest": 9, "type": "child" }, + { "src": 9, "dest": 30, "type": "child" }, + { "src": 10, "dest": 11, "type": "child" }, + { "src": 10, "dest": 10, "type": "child" }, + { "src": 11, "dest": 16, "type": "child" }, + { "src": 12, "dest": 13, "type": "child" }, + { "src": 12, "dest": 31, "type": "child" }, + { "src": 13, "dest": 29, "type": "child" }, + { "src": 14, "dest": 15, "type": "child" }, + { "src": 14, "dest": 14, "type": "child" }, + { "src": 15, "dest": 16, "type": "child" }, + { "src": 16, "dest": 1, "type": "child" }, + { "src": 16, "dest": 3, "type": "child" }, + { "src": 17, "dest": 18, "type": "child" }, + { "src": 18, "dest": 5, "type": "child" }, + { "src": 18, "dest": 25, "type": "child" }, + { "src": 19, "dest": 9, "type": "child" }, + { "src": 19, "dest": 28, "type": "child" }, + { "src": 20, "dest": 21, "type": "child" }, + { "src": 21, "dest": 22, "type": "child" }, + { "src": 21, "dest": 23, "type": "child" }, + { "src": 22, "dest": 23, "type": "child" }, + { "src": 23, "dest": 7, "type": "child" }, + { "src": 23, "dest": 30, "type": "child" }, + { "src": 24, "dest": 6, "type": "child" }, + { "src": 24, "dest": 25, "type": "child" }, + { "src": 25, "dest": 17, "type": "child" }, + { "src": 25, "dest": 18, "type": "child" }, + { "src": 26, "dest": 27, "type": "child" }, + { "src": 27, "dest": 8, "type": "child" }, + { "src": 27, "dest": 28, "type": "child" }, + { "src": 28, "dest": 26, "type": "child" }, + { "src": 28, "dest": 27, "type": "child" }, + { "src": 29, "dest": 20, "type": "child" }, + { "src": 29, "dest": 21, "type": "child" }, + { "src": 30, "dest": 10, "type": "child" }, + { "src": 30, "dest": 14, "type": "child" }, + { "src": 31, "dest": 34, "type": "child" }, + { "src": 32, 
"dest": 33, "type": "child" }, + { "src": 33, "dest": 35, "type": "child" }, + { "src": 33, "dest": 34, "type": "child" }, + { "src": 34, "dest": 32, "type": "child" }, + { "src": 35, "dest": 42, "type": "child" }, + { "src": 36, "dest": 88, "type": "child" }, + { "src": 37, "dest": 41, "type": "child" }, + { "src": 38, "dest": 43, "type": "child" }, + { "src": 39, "dest": 40, "type": "child" }, + { "src": 40, "dest": 41, "type": "child" }, + { "src": 41, "dest": 38, "type": "child" }, + { "src": 41, "dest": 42, "type": "child" }, + { "src": 42, "dest": 36, "type": "child" }, + { "src": 42, "dest": 44, "type": "child" }, + { "src": 43, "dest": 89, "type": "child" }, + { "src": 43, "dest": 90, "type": "child" }, + { "src": 44, "dest": 91, "type": "child" }, + { "src": 45, "dest": 91, "type": "child" }, + { "src": 46, "dest": 86, "type": "child" }, + { "src": 47, "dest": 48, "type": "child" }, + { "src": 48, "dest": 49, "type": "child" }, + { "src": 49, "dest": 50, "type": "child" }, + { "src": 50, "dest": 92, "type": "child" }, + { "src": 51, "dest": 52, "type": "child" }, + { "src": 52, "dest": 53, "type": "child" }, + { "src": 53, "dest": 54, "type": "child" }, + { "src": 54, "dest": 55, "type": "child" }, + { "src": 55, "dest": 93, "type": "child" }, + { "src": 56, "dest": 94, "type": "child" }, + { "src": 57, "dest": 95, "type": "child" }, + { "src": 58, "dest": 59, "type": "child" }, + { "src": 59, "dest": 60, "type": "child" }, + { "src": 60, "dest": 61, "type": "child" }, + { "src": 61, "dest": 62, "type": "child" }, + { "src": 62, "dest": 63, "type": "child" }, + { "src": 63, "dest": 96, "type": "child" }, + { "src": 64, "dest": 65, "type": "child" }, + { "src": 65, "dest": 66, "type": "child" }, + { "src": 66, "dest": 97, "type": "child" }, + { "src": 67, "dest": 98, "type": "child" }, + { "src": 68, "dest": 66, "type": "child" }, + { "src": 69, "dest": 70, "type": "child" }, + { "src": 70, "dest": 99, "type": "child" }, + { "src": 71, "dest": 72, "type": 
"child" }, + { "src": 72, "dest": 73, "type": "child" }, + { "src": 73, "dest": 74, "type": "child" }, + { "src": 74, "dest": 75, "type": "child" }, + { "src": 75, "dest": 76, "type": "child" }, + { "src": 76, "dest": 77, "type": "child" }, + { "src": 77, "dest": 78, "type": "child" }, + { "src": 78, "dest": 79, "type": "child" }, + { "src": 79, "dest": 100, "type": "child" }, + { "src": 80, "dest": 81, "type": "child" }, + { "src": 81, "dest": 82, "type": "child" }, + { "src": 82, "dest": 87, "type": "child" }, + { "src": 83, "dest": 101, "type": "child" }, + { "src": 84, "dest": 102, "type": "child" }, + { "src": 85, "dest": 103, "type": "child" }, + { "src": 86, "dest": 47, "type": "child" }, + { "src": 86, "dest": 86, "type": "child" }, + { "src": 87, "dest": 83, "type": "child" }, + { "src": 87, "dest": 87, "type": "child" }, + { "src": 88, "dest": 37, "type": "child" }, + { "src": 89, "dest": 39, "type": "child" }, + { "src": 90, "dest": 39, "type": "child" }, + { "src": 91, "dest": 45, "type": "child" }, + { "src": 91, "dest": 46, "type": "child" }, + { "src": 92, "dest": 51, "type": "child" }, + { "src": 93, "dest": 56, "type": "child" }, + { "src": 94, "dest": 57, "type": "child" }, + { "src": 95, "dest": 58, "type": "child" }, + { "src": 96, "dest": 64, "type": "child" }, + { "src": 97, "dest": 67, "type": "child" }, + { "src": 97, "dest": 69, "type": "child" }, + { "src": 98, "dest": 68, "type": "child" }, + { "src": 99, "dest": 71, "type": "child" }, + { "src": 100, "dest": 80, "type": "child" }, + { "src": 101, "dest": 84, "type": "child" }, + { "src": 102, "dest": 85, "type": "child" } + ] +} diff --git a/rsc/wave-0001.dump b/testfiles/upx-hostname/wave-0001.dump similarity index 100% rename from rsc/wave-0001.dump rename to testfiles/upx-hostname/wave-0001.dump diff --git a/utils.py b/utils.py new file mode 100644 index 0000000..9fe3f2b --- /dev/null +++ b/utils.py 
@@ -0,0 +1,10 @@
+def hex_address_to_memory_representation(hex_addr: str, is_32b: bool, is_little_endian: bool) -> list[int]:
+ adress_size = 4 if is_32b else 8
+ mem_value = [0x00] * adress_size
+ hex_addr = hex_addr[::-1][:-2] # reversing order and stripping zero
+ for i in range(0, adress_size):
+ byte_str = hex_addr[i * 2 : (i + 1) * 2][::-1]
+ mem_value[i] += int(byte_str, 16)
+ if not is_little_endian:
+ mem_value = mem_value[::-1] # reverse byte order for big endian
+ return mem_value
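Review bot: The slice loop in hex_address_to_memory_representation raises `ValueError: invalid literal for int()` on any address shorter than 2*adress_size hex digits (e.g. `"0x1234"` on a 32-bit target leaves the third and fourth two-character slices empty), and it silently drops the high bytes of an address that is longer than the target width, so a wrong-width input produces a plausible but wrong byte list instead of an error. The `[:-2]` also only strips a prefix of exactly two characters and the stripped string is never validated, so an input with surrounding whitespace, as some register dumps in this commit carry (`"0x000cff0c "`), shifts every byte slice by one character. Both are fixed by letting the integer conversion do the parsing and padding: `value = int(hex_addr, 16)`, `byte_order = "little" if is_little_endian else "big"`, `return list(value.to_bytes(adress_size, byte_order))` — `int(..., 16)` accepts the `0x` prefix and surrounding whitespace, and `to_bytes` zero-pads short values and raises `OverflowError` for values that do not fit the width. If silent truncation was intended for some caller, that should be stated in a docstring rather than left implicit, since a mis-sized pointer written into a dump is hard to trace back here.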