diff --git a/cfg_parser.py b/cfg_parser.py deleted file mode 100644 index 8b04ffd..0000000 --- a/cfg_parser.py +++ /dev/null @@ -1,40 +0,0 @@ -def parse_wave_nodes(cfg, wave: int) -> list: - return list(filter(lambda node: node["wave"] == wave, cfg["nodes"])) - - -def parse_procaddr_calls(cfg, wave: int) -> list: - res = [] - wave_nodes: list[dict] = parse_wave_nodes(cfg, wave) - for node in wave_nodes: - if "syscalls" in node.keys(): - for syscall in node["syscalls"]: - if syscall["name"] == "KERNEL32.DLL!GetProcAddress": - funcname = syscall["arguments"][-1].split('"')[1] - func_addr = syscall["return"] - res.append({"name": funcname, "addr": func_addr}) - return res - - -def parse_syscalls(cfg, wave: int) -> list[dict[str, str]]: - res: list[dict[str, str]] = [] - wave_nodes: list[dict] = parse_wave_nodes(cfg, wave) - no_repeat = [] - for node in wave_nodes: - if "syscalls" in node.keys(): - for syscall in node["syscalls"]: - if node["last_instr"] in no_repeat: - continue - adress = node["last_instr"] # call is at the end of the basic block - name = syscall["name"] - # current_instruction = node["instructions"][-1]["mnemonic"] - no_repeat.append(adress) - res.append({"adress": adress, "name": name}) - return res - - -def parse_wave_entrypoint(cfg, wave: int) -> int: - return int(parse_wave_nodes(cfg, wave)[0]["start"], 16) - - -def parse_bb_registers(cfg, wave: int, n_bb: int) -> dict[str, str]: - return parse_wave_nodes(cfg, wave)[n_bb]["registers"] diff --git a/iat.py b/iat.py index 94da5a8..ae668d0 100644 --- a/iat.py +++ b/iat.py 
@@ -1,18 +1,29 @@ -import argparse import json import lief -import cfg_parser -import patch -import reginit -import utils - lief.disable_leak_warning() # warnings to disable for the callback with open("lib/WindowsDllsExport/win10-19043-exports.json", "rb") as f: api_info = json.load(f) +dump_path = "rsc/wave-0001.dump" +# dump_path = "rsc/wave-0002.dump" +iat_json_path = "rsc/upx-hostname.exe.bin_iat_wave1.json" +# iat_json_path = "rsc/000155f2e0360f6ff6cd.exe_iat_wave2.json" + + +def hex_address_to_memory_representation(hex_addr: str, is_32b: bool, is_little_endian: bool) -> list[int]: + adress_size = 4 if is_32b else 8 + mem_value = [0x00] * adress_size + hex_addr = hex_addr[::-1][:-2] # reversing order and stripping zero + for i in range(0, adress_size): + byte_str = hex_addr[i * 2 : (i + 1) * 2][::-1] + mem_value[i] += int(byte_str, 16) + if not is_little_endian: + mem_value = mem_value[::-1] # reverse byte order for big endian + return mem_value + # Retrives all unique DLL names being imported def get_used_dlls(calls: list[dict[str, str]]) -> set[str]: 
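Review bot: `hex_address_to_memory_representation` raises `ValueError` for any address string with fewer than `2 * adress_size - 1` hex digits, because the byte slices past the end of the reversed string are empty and `int("", 16)` fails; `hex()` output is not zero-padded, so `hex(wave_entry)` for the wave-2 fixture's entry `0x40835b` (six digits, added in rsc/000155f2e0360f6ff6cd.exe_iat_wave2.json) would hit this in the entrypoint `push` built later in the file. The reverse-and-slice loop can be replaced by one line that also tolerates the trailing spaces present in the JSON register values: `return list(int(hex_addr, 16).to_bytes(adress_size, "little" if is_little_endian else "big"))`. Separately, the hunk replaces the dropped `argparse` handling with hardcoded `dump_path`/`iat_json_path` constants and commented-out alternates; if that is intended to stay, a comment such as `# inputs for this run: edit these two paths (no CLI parsing any more)` would make the switch explicit for the next reader.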
@@ -31,27 +42,112 @@ def get_used_functions_from_dll(dllname, calls): return res -def link_func_to_dll(func_list): +def patch_direct_adress_call(pe: lief.PE.Binary, rva: int, instruction_offset: int): + # We can manually patch the instruction here: FF 15 08 10 00 01 represents `call [0x01001080]` + new_value = hex_address_to_memory_representation( + hex(rva + pe.imagebase), + pe.abstract.header.is_32, + pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, + ) + pe.patch_address(instruction_offset, [0xFF, 0x15] + new_value, lief.Binary.VA_TYPES.RVA) + + +def patch_direct_adress_jump(pe: lief.PE.Binary, rva: int, instruction_offset: int): + # We can manually patch the instruction here: FF 15 08 10 00 01 represents `call [0x01001080]` + new_value = hex_address_to_memory_representation( + hex(rva + pe.imagebase), + pe.abstract.header.is_32, + pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, + ) + pe.patch_address(instruction_offset, [0xFF, 0x25] + new_value, lief.Binary.VA_TYPES.RVA) + + +def patch_instr_to_new_IAT_entry(pe: lief.PE.Binary, call: dict[str, str], rva: int): + base = pe.imagebase + instruction_offset = int(call["adress"], 16) - base + memview = pe.get_content_from_virtual_address(instruction_offset, 2) + if [memview[0], memview[1]] == [0xFF, 0x15]: + patch_direct_adress_call(pe, rva, instruction_offset) + elif [memview[0], memview[1]] == [0xFF, 0x25]: + patch_direct_adress_jump(pe, rva, instruction_offset) + + +def patch_addr_found_in_mem(pe: lief.PE.Binary, rva: int, old_addr: str): + is_32 = pe.abstract.header.is_32 + little_endian = pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE + # scan memory for reference to old addr + old_addr_mem_repr = hex_address_to_memory_representation( + old_addr, + is_32, + pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, + ) + new_addr = hex_address_to_memory_representation( + hex(rva + pe.imagebase), + is_32, + little_endian, + ) + adresses_to_patch = [] + for 
section in pe.sections: + for i in range(len(section.content)): + found = True + for j in range(len(old_addr_mem_repr)): + if i + j >= len(section.content) or section.content[i + j] != old_addr_mem_repr[j]: + found = False + break + if found: + old_addr_ref = hex_address_to_memory_representation( + hex( + section.virtual_address + i + pe.imagebase, + ), + is_32, + little_endian, + ) + for section in pe.sections: + for k in range(len(section.content)): + foundxref = True + for L in range(len(old_addr_ref)): + if k + L < len(section.content) and section.content[k + L] != old_addr_ref[L]: + foundxref = False + break + if foundxref: + adresses_to_patch.append(section.virtual_address + k) + for addr in adresses_to_patch: + print(f"patched {hex(addr)}") + pe.patch_address(addr, new_addr, lief.Binary.VA_TYPES.RVA) + + +def patch_to_new_IAT(pe: lief.PE.Binary, imp: lief.PE.Import, entry: lief.PE.ImportEntry, rva: int): + # print(f"{imp.name}!{entry.name}: 0x{rva:010x}") + for call in filter(lambda x: x["name"] == f"{imp.name.upper()}!{entry.name}", calls): + patch_instr_to_new_IAT_entry(pe, call, rva) + # patch additional non-call related info + print(entry.name) + for func in filter(lambda x: x["name"] == entry.name and x["dll"] == imp.name, procaddr_list): + # print(func["name"]) + patch_addr_found_in_mem(pe, rva, func["addr"]) + + +def get_list_of_procaddr_functions(prevwave_info): res = [] - for func in func_list: + for call in prevwave_info: # first only including imported dlls res_new = {} for export in api_info: - if export["dllname"] in func and export["exportname"] == func["name"]: + if export["dllname"] in dll_calls_list and export["exportname"] == call["function"]: res_new = { "name": export["exportname"], "dll": export["dllname"], - "addr": func["addr"], + "addr": call["func_addr"], } break if res_new == {}: # try adding a new dll for export in api_info: - if export["exportname"] == func["name"]: + if export["exportname"] == call["function"]: res_new = { 
"name": export["exportname"], "dll": export["dllname"], - "addr": func["addr"], + "addr": call["func_addr"], } break if res_new != {}: 
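Review bot: In `patch_addr_found_in_mem` the xref scan re-uses the loop name `section` (`for section in pe.sections:` inside the `if found:` branch), which rebinds the outer loop's `section`; once a reference is found, the remaining `i` iterations read `section.content` and `section.virtual_address` of whatever section the inner loop ended on, so later hits are mis-addressed or missed. The inner bounds test is also inverted relative to the first scan: `if k + L < len(section.content) and section.content[k + L] != old_addr_ref[L]` treats a pattern that runs past the end of a section as a match, so tail offsets land in `adresses_to_patch` and `patch_address` then writes a full address there. The deleted patch.py version avoided both problems by collecting references in a first pass and bounding the second loop; the rewrite below keeps the single-pass shape but uses a separate loop variable and a correctly bounded window. `get_list_of_procaddr_functions` at the end of the hunk continues past it, and its `export["dllname"] in dll_calls_list` test relies on the module-level `dll_calls_list` built further down the file being populated before the call, which deserves a one-line comment on the function.
```python
            if found:
                old_addr_ref = hex_address_to_memory_representation(
                    hex(section.virtual_address + i + pe.imagebase),
                    is_32,
                    little_endian,
                )
                # separate loop variable: do not rebind the outer `section`
                for xref_section in pe.sections:
                    xref_content = xref_section.content
                    for k in range(len(xref_content) - len(old_addr_ref) + 1):
                        if all(xref_content[k + L] == old_addr_ref[L] for L in range(len(old_addr_ref))):
                            adresses_to_patch.append(xref_section.virtual_address + k)
# … unchanged: patch loop over adresses_to_patch …
```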
@@ -59,122 +155,111 @@ def link_func_to_dll(func_list): return res -def main(): - parser = argparse.ArgumentParser( - prog="iat.py", - description="Create a patched PE from a binary dump and a traceCFG file.", - formatter_class=argparse.ArgumentDefaultsHelpFormatter, +# wave dump file to patch +with open(dump_path, "rb") as f: + pe = lief.parse(f) + assert isinstance(pe, lief.PE.Binary) + +# JSON generated with the python reader files +with open(iat_json_path, "r") as iat_json_input: + iat_data = json.load(iat_json_input) +calls: list[dict[str, str]] = iat_data["calls"] +wave_entry = int(iat_data["entry"], 16) + +# create new section +patch_section = lief.PE.Section(".iatpatch") +content = [] + +# initiate registry values +reg_to_inst_code = { + "EAX": 0xC0, + "EBX": 0xC3, + "ECX": 0xC1, + "EDX": 0xC2, + "ESI": 0xC6, + "EDI": 0xC7, + "EBP": 0xC5, + # "ESP": 0xC4, +} +for reg in iat_data["entry_reg_values"].keys(): + if reg not in reg_to_inst_code: + continue + new_instruction = [ + 0xC7, + reg_to_inst_code[reg], + ] + hex_address_to_memory_representation( + iat_data["entry_reg_values"][reg].strip(), + pe.abstract.header.is_32, + pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, + ) + for byte in new_instruction: + content.append(byte) + + +# add ret to actual OEP + +content += [0x68] + hex_address_to_memory_representation( + hex(wave_entry), + pe.abstract.header.is_32, + pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, +) + +content += [0xC3] + +patch_section.content = content + +# add new section to PE +pe.add_section(patch_section) + +# patch entrypoint +# entrypoint_format = int(hex(pe.get_section(".iatpatch").virtual_address)[-4:], 16) +entrypoint_format = int(hex(pe.get_section(".iatpatch").virtual_address)[-4:], 16) +pe.optional_header.addressof_entrypoint = entrypoint_format + +# remove all current imports +pe.remove_all_imports() + +# recreate all DLL imports from calls detected +dll_calls_list = [] +imported_dll_list = [] 
+func_calls_list = [] +for dll in get_used_dlls(calls): + dll_calls_list.append(dll.lower()) + imported_dll = pe.add_import(dll.lower()) + imported_dll_list.append(imported_dll) + # recreate all function calls related to that dll import + for func in get_used_functions_from_dll(dll, calls): + func_calls_list.append(func) + imported_dll.add_entry(func) + +# get list of functions called with getprocaddr +procaddr_list = get_list_of_procaddr_functions(iat_data["prevwave_getprocaddr"]) +for func in procaddr_list: + if func["name"] in func_calls_list: # call already added + continue + if func["dll"] in dll_calls_list: # dll already added + imported_dll_list[dll_calls_list.index(func["dll"])].add_entry(func["name"]) + else: # we need to import the new DLL + dll_calls_list.append(func["dll"]) + imported_dll = pe.add_import(func["dll"]) + imported_dll_list.append(imported_dll) + func_calls_list.append(func["name"]) + imported_dll.add_entry(func["name"]) + +# At this point, the new IAT will only be constructed when the PE is written. We therefore need to make a callback function to patch calls afterwards. 
+ +# Define all sections as writeable, to help with some weird stuff we're seeing +for section in pe.sections: + section.characteristics = ( + lief.PE.Section.CHARACTERISTICS.MEM_WRITE.value + + lief.PE.Section.CHARACTERISTICS.MEM_READ.value + + lief.PE.Section.CHARACTERISTICS.MEM_EXECUTE.value + + lief.PE.Section.CHARACTERISTICS.CNT_INITIALIZED_DATA.value ) - # Input arguments - parser.add_argument("dump", type=str, help="The path to the wave dump file (usually ends with .dump)") - parser.add_argument("trace", type=str, help="The path to the traceCFG file (.json)") - - # Additional arguments - parser.add_argument("-o", "--output", type=str, default="patched.exe", help="Specify an output filepath for the patched PE.") - parser.add_argument("-w", "--wave", type=int, help="Specify the wave number for the binary dump (if it can't be inferred from the filename)") - parser.add_argument("-v", "--verbose", action="store_true", help="Output additional debug info") - - args = parser.parse_args() - utils.set_verbose(args.verbose) - - # open wave dump file - with open(args.dump, "rb") as f: - pe = lief.parse(f) - assert isinstance(pe, lief.PE.Binary) - utils.print_debug(f"Opened file {args.dump} as the binary dump") - - # open traceCFG json - with open(args.trace, "r") as f: - cfg = json.load(f) - utils.print_debug(f"Opened file {args.trace} as the TraceCFG JSON") - - # determine target wave - if args.wave is None and args.dump[-5:] == ".dump": - wave = int(args.dump[-9:-5]) - else: - wave = args.wave - utils.print_debug(f"Determined wave to be {wave}") - - calls = cfg_parser.parse_syscalls(cfg, wave) - wave_entry = cfg_parser.parse_wave_entrypoint(cfg, wave) - - # create new section - iatpatch_section = lief.PE.Section(".iatpatch") - iatpatch_content = [] - - # registers initiation - iatpatch_content += reginit.generate_reg_init_code(cfg, pe, wave, wave_entry) - - # write patch section code - iatpatch_section.content = iatpatch_content # pyright: 
ignore[reportAttributeAccessIssue] - - # add new section to PE - pe.add_section(iatpatch_section) - - # patch entrypoint - entrypoint_format = int(hex(pe.get_section(".iatpatch").virtual_address)[-4:], 16) - pe.optional_header.addressof_entrypoint = entrypoint_format - - # remove all current imports - pe.remove_all_imports() - - # recreate all DLL imports from calls detected - dll_calls_list = [] - imported_dll_list = [] - func_calls_list = [] - for dll in get_used_dlls(calls): - dll_calls_list.append(dll.lower()) - imported_dll = pe.add_import(dll.lower()) - imported_dll_list.append(imported_dll) - # recreate all function calls related to that dll import - for func in get_used_functions_from_dll(dll, calls): - func_calls_list.append(func) - imported_dll.add_entry(func) - - # get list of functions called with getprocaddr in previous wave - func_list = cfg_parser.parse_procaddr_calls(cfg, wave - 1) - func_dll_list = link_func_to_dll(func_list) - for func in func_dll_list: - if func["name"] in func_calls_list: # call already added - continue - if func["dll"] in dll_calls_list: # dll already added - imported_dll_list[dll_calls_list.index(func["dll"])].add_entry(func["name"]) - else: # we need to import the new DLL - dll_calls_list.append(func["dll"]) - imported_dll = pe.add_import(func["dll"]) - imported_dll_list.append(imported_dll) - func_calls_list.append(func["name"]) - imported_dll.add_entry(func["name"]) - - # Define all sections as writeable, to prevent permission issues. - # Ideally, we would like to have the actual permitions from Goatracer at some point in the future - for section in pe.sections: - section.characteristics = ( - lief.PE.Section.CHARACTERISTICS.MEM_WRITE.value - + lief.PE.Section.CHARACTERISTICS.MEM_READ.value - + lief.PE.Section.CHARACTERISTICS.MEM_EXECUTE.value - + lief.PE.Section.CHARACTERISTICS.CNT_INITIALIZED_DATA.value - ) - - # At this point, the new IAT will only be constructed when the PE is written. 
We therefore need to make a callback function to patch calls afterwards. - def patching_callback(pe: lief.PE.Binary, imp: lief.PE.Import, entry: lief.PE.ImportEntry, rva: int): - utils.print_debug(f"Now trying to patch {entry.name}!{imp.name}...") - for call in filter(lambda x: x["name"] == f"{imp.name.upper()}!{entry.name}", calls): - patch.patch_instr_to_new_IAT_entry(pe, call, rva) - # patch additional non-call related info - for func in filter(lambda x: x["name"] == entry.name and x["dll"] == imp.name, func_dll_list): - patch.patch_addr_found_in_mem(pe, rva, func["addr"]) - utils.print_debug("Done!\n") - - # write result - config = lief.PE.Builder.config_t() - config.imports = True # allows the config of the writer to write a new IAT - config.resolved_iat_cbk = patching_callback # Define the callback - output_path = args.output - pe.write(output_path, config) - print(f"Wrote the patched executable as {output_path}") - - -if __name__ == "__main__": - main() +# write result +config = lief.PE.Builder.config_t() +config.imports = True # allows the config of the writer to write a new IAT +config.resolved_iat_cbk = patch_to_new_IAT # callback after the IAT has been written +pe.write("patched.exe", config) +print("Wrote the patched executable as patched.exe") diff --git a/patch.py b/patch.py deleted file mode 100644 index be4f17a..0000000 --- a/patch.py +++ /dev/null 
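Review bot: The entrypoint patch `entrypoint_format = int(hex(pe.get_section(".iatpatch").virtual_address)[-4:], 16)` keeps only the low 16 bits of the new section's RVA, so a `.iatpatch` section placed at or above RVA 0x10000 gets a wrong `addressof_entrypoint`, and the line is now present twice (once commented out). If `virtual_address` is already an RVA the assignment can simply be `pe.optional_header.addressof_entrypoint = pe.get_section(".iatpatch").virtual_address`; if it turns out to carry the image base, subtract `pe.imagebase` rather than truncating. The section-permission loop replaces the deleted explanation with "to help with some weird stuff we're seeing"; since it marks every section of the rebuilt PE readable, writable and executable, the earlier wording (`# Define all sections as writeable, to prevent permission issues.` plus the note that the real permissions should eventually come from the tracer) should be restored so a reader knows this is a deliberate analysis-only relaxation. Moving from `main()` to module-level statements also turns `calls` and `procaddr_list`, which `patch_to_new_IAT` reads, into implicit globals; a short comment above `calls: list[dict[str, str]] = iat_data["calls"]` saying the write callback depends on them would help.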
@@ -1,72 +0,0 @@ -import lief - -import utils -from utils import Instructions, hex_address_to_memory_representation, is_32b, is_little_endian - - -def patch_direct_adress_call(pe: lief.PE.Binary, rva: int, instruction_offset: int): - # We can manually patch the instruction here: FF 15 08 10 00 01 represents `call [0x01001080]` - new_value = hex_address_to_memory_representation( - hex(rva + pe.imagebase), - is_32b(pe), - is_little_endian(pe), - ) - pe.patch_address(instruction_offset, Instructions.CALL_ADDR + new_value, lief.Binary.VA_TYPES.RVA) - utils.print_debug(f" Patched a call at addr {hex(pe.imagebase + instruction_offset)}") - - -def patch_direct_adress_jump(pe: lief.PE.Binary, rva: int, instruction_offset: int): - # We can manually patch the instruction here: FF 15 08 10 00 01 represents `call [0x01001080]` - new_value = hex_address_to_memory_representation(hex(rva + pe.imagebase), is_32b(pe), is_little_endian(pe)) - pe.patch_address(instruction_offset, Instructions.JUMP_ADDR + new_value, lief.Binary.VA_TYPES.RVA) - utils.print_debug(f" Patched a jump at addr {hex(pe.imagebase + instruction_offset)}") - - -def patch_instr_to_new_IAT_entry(pe: lief.PE.Binary, call: dict[str, str], rva: int): - base = pe.imagebase - instruction_offset = int(call["adress"], 16) - base - memview = pe.get_content_from_virtual_address(instruction_offset, 2) - if [memview[0], memview[1]] == Instructions.CALL_ADDR: - patch_direct_adress_call(pe, rva, instruction_offset) - elif [memview[0], memview[1]] == Instructions.JUMP_ADDR: - patch_direct_adress_jump(pe, rva, instruction_offset) - - -def patch_addr_found_in_mem(pe: lief.PE.Binary, rva: int, old_addr: str): - is_32 = pe.abstract.header.is_32 - little_endian = pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE - # scan memory for reference to old addr - old_addr_mem_repr = hex_address_to_memory_representation(old_addr, is_32b(pe), is_little_endian(pe)) - new_addr = hex_address_to_memory_representation(hex(rva + 
pe.imagebase), is_32, little_endian) - found_ref_addr = [] - found_xref_addr = [] - for section in pe.sections: - for i in range(len(section.content)): - found = True - for j in range(len(old_addr_mem_repr)): - if i + j >= len(section.content) or section.content[i + j] != old_addr_mem_repr[j]: - found = False - break - if found: - ref_addr = hex_address_to_memory_representation( - hex( - section.virtual_address + i + pe.imagebase, - ), - is_32, - little_endian, - ) - found_ref_addr.append(ref_addr) - - for section in pe.sections: - for ref_addr in found_ref_addr: - for k in range(len(section.content) - len(ref_addr)): - foundxref = True - for L in range(len(ref_addr)): - if section.content[k + L] != ref_addr[L]: - foundxref = False - break - if foundxref: - found_xref_addr.append(section.virtual_address + k) - for addr in found_xref_addr: - pe.patch_address(addr, new_addr, lief.Binary.VA_TYPES.RVA) - utils.print_debug(f" Patched an xref to old IAT at {hex(pe.imagebase + addr)}") diff --git a/reginit.py b/reginit.py deleted file mode 100644 index 0d253ec..0000000 --- a/reginit.py +++ /dev/null 
@@ -1,43 +0,0 @@ -from enum import IntEnum - -import lief - -import cfg_parser -from utils import Instructions, hex_address_to_memory_representation, is_32b, is_little_endian - - -class Registers(IntEnum): - EAX = 0xC0 - EBX = 0xC3 - ECX = 0xC1 - EDX = 0xC2 - ESI = 0xC6 - EDI = 0xC7 - EBP = 0xC5 - # ESP = 0xC4 - - -def generate_reg_init_code(cfg, pe: lief.PE.Binary, wave: int, wave_entry: int) -> list[int]: - code = [] - reg_values = cfg_parser.parse_bb_registers(cfg, wave, 0) - for reg in reg_values: - if reg not in Registers.__members__: - continue - new_instruction = ( - Instructions.MOV_REG - + [Registers[reg]] - + hex_address_to_memory_representation( - reg_values[reg].strip(), - is_32b(pe), - is_little_endian(pe), - ) - ) - for byte in new_instruction: - code.append(byte) - - # add ret to actual OEP - code += Instructions.PUSH + hex_address_to_memory_representation(hex(wave_entry), is_32b(pe), is_little_endian(pe)) # push addr - - code += Instructions.RET - - return code diff --git a/rsc/000155f2e0360f6ff6cd.exe_iat_wave2.json b/rsc/000155f2e0360f6ff6cd.exe_iat_wave2.json new file mode 100644 index 0000000..8a1c93e --- /dev/null +++ b/rsc/000155f2e0360f6ff6cd.exe_iat_wave2.json 
@@ -0,0 +1 @@ +{"entry": "0x40835b", "calls": [{"adress": "0x408269", "name": "KERNEL32.DLL!GetVersion"}, {"adress": "0x40c329", "name": "KERNEL32.DLL!HeapCreate"}, {"adress": "0x40d1fd", "name": "NTDLL.DLL!RtlAllocateHeap"}, {"adress": "0x40b00c", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x40b014", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x40b01c", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x40b024", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x40adc2", "name": "KERNEL32.DLL!TlsAlloc"}, {"adress": "0x40d8e9", "name": "NTDLL.DLL!RtlAllocateHeap"}, {"adress": "0x40d903", "name": "KERNEL32.DLL!VirtualAlloc"}, {"adress": "0x40d98f", "name": "KERNEL32.DLL!VirtualAlloc"}, {"adress": "0x40b102", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x40adea", "name": "KERNEL32.DLL!TlsSetValue"}, {"adress": "0x40adfb", "name": "KERNEL32.DLL!GetCurrentThreadId"}, {"adress": "0x4082c0", "name": "KERNEL32.DLL!GetCommandLineA"}, {"adress": "0x40c201", "name": "KERNEL32.DLL!GetEnvironmentStringsW"}, {"adress": "0x40c279", "name": "KERNEL32.DLL!WideCharToMultiByte"}, {"adress": "0x408cc1", "name": "NTDLL.DLL!RtlAllocateHeap"}, {"adress": "0x40c29b", "name": "KERNEL32.DLL!WideCharToMultiByte"}, {"adress": "0x40c2b4", "name": "KERNEL32.DLL!FreeEnvironmentStringsW"}, {"adress": "0x40bd2e", "name": "KERNEL32.DLL!GetStartupInfoA"}, {"adress": "0x40be4a", "name": "KERNEL32.DLL!GetFileType"}, {"adress": "0x40be3c", "name": "KERNEL32.DLL!GetStdHandle"}, {"adress": "0x40be81", "name": "KERNEL32.DLL!SetHandleCount"}, {"adress": "0x40b0d1", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x40b0ec", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x409ef9", "name": "KERNEL32.DLL!GetACP"}, {"adress": "0x409d6e", "name": "KERNEL32.DLL!GetCPInfo"}, {"adress": "0x409f84", "name": "KERNEL32.DLL!GetCPInfo"}, {"adress": "0x40d067", "name": "KERNEL32.DLL!GetStringTypeW"}, {"adress": 
"0x40d0ed", "name": "KERNEL32.DLL!MultiByteToWideChar"}, {"adress": "0x40d143", "name": "KERNEL32.DLL!MultiByteToWideChar"}, {"adress": "0x40d155", "name": "KERNEL32.DLL!GetStringTypeW"}, {"adress": "0x40b9ed", "name": "KERNEL32.DLL!LCMapStringW"}, {"adress": "0x40ba8a", "name": "KERNEL32.DLL!MultiByteToWideChar"}, {"adress": "0x40bae2", "name": "KERNEL32.DLL!MultiByteToWideChar"}, {"adress": "0x40baf8", "name": "KERNEL32.DLL!LCMapStringW"}, {"adress": "0x40bb93", "name": "KERNEL32.DLL!LCMapStringW"}, {"adress": "0x40bbb8", "name": "KERNEL32.DLL!WideCharToMultiByte"}, {"adress": "0x40bfbc", "name": "KERNEL32.DLL!GetModuleFileNameA"}, {"adress": "0x408d0a", "name": "KERNEL32.DLL!HeapFree"}, {"adress": "0x40b3d1", "name": "KERNEL32.DLL!GetModuleHandleA"}, {"adress": "0x40b3e1", "name": "KERNEL32.DLL!GetProcAddress"}, {"adress": "0x40b3ed", "name": "KERNEL32.DLL!IsProcessorFeaturePresent"}, {"adress": "0x40de75", "name": "NTDLL.DLL!RtlAllocateHeap"}, {"adress": "0x40d1bc", "name": "KERNEL32.DLL!SetUnhandledExceptionFilter"}, {"adress": "0x406e40", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x417c47", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x418173", "name": "USER32.DLL!GetCursorPos"}, {"adress": "0x4183eb", "name": "KERNEL32.DLL!TlsAlloc"}, {"adress": "0x418401", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x418471", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x4184c6", "name": "KERNEL32.DLL!GlobalAlloc"}, {"adress": "0x41851d", "name": "KERNEL32.DLL!GlobalLock"}, {"adress": "0x418566", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x41839e", "name": "KERNEL32.DLL!LocalAlloc"}, {"adress": "0x4185dc", "name": "KERNEL32.DLL!TlsGetValue"}, {"adress": "0x41862b", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x41863e", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x418654", "name": "KERNEL32.DLL!LocalAlloc"}, {"adress": "0x4186a2", "name": 
"KERNEL32.DLL!TlsSetValue"}, {"adress": "0x418f2b", "name": "KERNEL32.DLL!GetVersion"}, {"adress": "0x418f50", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x418fe6", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x418ff8", "name": "NTDLL.DLL!RtlInitializeCriticalSection"}, {"adress": "0x419001", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x419033", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x418666", "name": "KERNEL32.DLL!LocalReAlloc"}, {"adress": "0x417e13", "name": "KERNEL32.DLL!GetCurrentThread"}, {"adress": "0x417e1c", "name": "KERNEL32.DLL!GetCurrentThreadId"}, {"adress": "0x418849", "name": "KERNEL32.DLL!TlsGetValue"}, {"adress": "0x413cce", "name": "USER32.DLL!RegisterClipboardFormatA"}, {"adress": "0x4194a6", "name": "KERNEL32.DLL!GetVersion"}, {"adress": "0x4194e3", "name": "KERNEL32.DLL!GetProcessVersion"}, {"adress": "0x416321", "name": "USER32.DLL!GetSystemMetrics"}, {"adress": "0x416328", "name": "USER32.DLL!GetSystemMetrics"}, {"adress": "0x419461", "name": "USER32.DLL!GetSystemMetrics"}, {"adress": "0x41946b", "name": "USER32.DLL!GetSystemMetrics"}, {"adress": "0x416341", "name": "USER32.DLL!GetDC"}, {"adress": "0x416352", "name": "GDI32.DLL!GetDeviceCaps"}, {"adress": "0x41635a", "name": "GDI32.DLL!GetDeviceCaps"}, {"adress": "0x416362", "name": "USER32.DLL!ReleaseDC"}, {"adress": "0x4162dc", "name": "USER32.DLL!GetSysColor"}, {"adress": "0x4162e3", "name": "USER32.DLL!GetSysColor"}, {"adress": "0x4162ea", "name": "USER32.DLL!GetSysColor"}, {"adress": "0x4162f1", "name": "USER32.DLL!GetSysColor"}, {"adress": "0x4162f8", "name": "USER32.DLL!GetSysColor"}, {"adress": "0x416305", "name": "USER32.DLL!GetSysColorBrush"}, {"adress": "0x41630c", "name": "USER32.DLL!GetSysColorBrush"}, {"adress": "0x419511", "name": "USER32.DLL!LoadCursorA"}, {"adress": "0x41951c", "name": "USER32.DLL!LoadCursorA"}, {"adress": "0x41960b", "name": "KERNEL32.DLL!GetOEMCP"}, {"adress": "0x419612", "name": 
"KERNEL32.DLL!GetCPInfo"}, {"adress": "0x418d4b", "name": "KERNEL32.DLL!SetErrorMode"}, {"adress": "0x418d52", "name": "KERNEL32.DLL!SetErrorMode"}, {"adress": "0x418dd6", "name": "KERNEL32.DLL!GetModuleFileNameA"}, {"adress": "0x418f0b", "name": "KERNEL32.DLL!lstrcpyn"}, {"adress": "0x413b53", "name": "USER32.DLL!LoadStringA"}, {"adress": "0x418e77", "name": "KERNEL32.DLL!lstrcpy"}, {"adress": "0x418ea4", "name": "KERNEL32.DLL!lstrcat"}, {"adress": "0x419013", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x410d4c", "name": "WS2_32.DLL!WSAStartup"}, {"adress": "0x4186df", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x41870d", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x4083cf", "name": "NTDLL.DLL!ntdll_Offset_39930"}, {"adress": "0x4187b9", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x4183c0", "name": "KERNEL32.DLL!LocalFree"}, {"adress": "0x418775", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x418785", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x41878e", "name": "KERNEL32.DLL!LocalFree"}, {"adress": "0x4187a4", "name": "KERNEL32.DLL!TlsSetValue"}, {"adress": "0x4187ff", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x418f83", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x418f95", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x418417", "name": "KERNEL32.DLL!TlsFree"}, {"adress": "0x41843f", "name": "KERNEL32.DLL!GlobalHandle"}, {"adress": "0x418448", "name": "KERNEL32.DLL!GlobalUnlock"}, {"adress": "0x41844f", "name": "KERNEL32.DLL!GlobalFree"}, {"adress": "0x418459", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x406e68", "name": "NTDLL.DLL!RtlEnterCriticalSection"}, {"adress": "0x406e7f", "name": "NTDLL.DLL!RtlLeaveCriticalSection"}, {"adress": "0x406e58", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x417ca8", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x40d1ce", "name": 
"KERNEL32.DLL!SetUnhandledExceptionFilter"}, {"adress": "0x40b05c", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x40b077", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x40b07f", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x40b087", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x40b08f", "name": "NTDLL.DLL!RtlDeleteCriticalSection"}, {"adress": "0x40ae20", "name": "KERNEL32.DLL!TlsFree"}, {"adress": "0x40c382", "name": "KERNEL32.DLL!VirtualFree"}, {"adress": "0x40c38d", "name": "KERNEL32.DLL!VirtualFree"}, {"adress": "0x40c39a", "name": "KERNEL32.DLL!HeapFree"}, {"adress": "0x40c3b8", "name": "KERNEL32.DLL!HeapFree"}, {"adress": "0x40c3c0", "name": "KERNEL32.DLL!HeapDestroy"}]} \ No newline at end of file diff --git a/rsc/upx-hostname.exe.bin_iat_wave1.json b/rsc/upx-hostname.exe.bin_iat_wave1.json new file mode 100644 index 0000000..fd637b7 --- /dev/null +++ b/rsc/upx-hostname.exe.bin_iat_wave1.json 
@@ -0,0 +1,54 @@ +{ + "entry": "0x10011d7", + "calls": [ + { "adress": "0x10011e6", "name": "KERNEL32.DLL!GetModuleHandleA" }, + { "adress": "0x1001243", "name": "MSVCRT.DLL!__set_app_type" }, + { "adress": "0x1001258", "name": "MSVCRT.DLL!__p__fmode" }, + { "adress": "0x1001266", "name": "MSVCRT.DLL!__p__commode" }, + { "adress": "0x10013be", "name": "MSVCRT.DLL!_controlfp" }, + { "adress": "0x1001358", "name": "MSVCRT.DLL!_initterm" }, + { "adress": "0x10012cb", "name": "MSVCRT.DLL!__getmainargs" }, + { "adress": "0x10010f2", "name": "WS2_32.DLL!WSAStartup" }, + { "adress": "0x1001160", "name": "WS2_32.DLL!gethostname" }, + { "adress": "0x10011ba", "name": "USER32.DLL!CharToOemBuffA" }, + { "adress": "0x10011c7", "name": "MSVCRT.DLL!puts" }, + { "adress": "0x10011d0", "name": "MSVCRT.DLL!exit" } + ], + "entry_reg_values": { + "EAX": "0x000cff0c ", + "EBX": "0x7efde000 ", + "ECX": "0x00000000 ", + "EDX": "0x010058c0", + "ESI": "0x00000000 ", + "EDI": "0x00000000 ", + "EBP": "0x000cff94 ", + "ESP": "0x000cff8c", + "eflags": "0x00000203" + }, + "prevwave_getprocaddr": [ + { "function": "FormatMessageA", "func_addr": "0x75985fbd" }, + { "function": "LocalFree", "func_addr": "0x75962d3c" }, + { "function": "GetModuleHandleA", "func_addr": "0x75961245" }, + { "function": "GetLastError", "func_addr": "0x759611c0" }, + { "function": "__p__commode", "func_addr": "0x752c27c3" }, + { "function": "__p__fmode", "func_addr": "0x752c27ce" }, + { "function": "__set_app_type", "func_addr": "0x752c2804" }, + { "function": "_controlfp", "func_addr": "0x752be1e1" }, + { "function": "_cexit", "func_addr": "0x752c37d4" }, + { "function": "_adjust_fdiv", "func_addr": "0x753532ec" }, + { "function": "_except_handler3", "func_addr": "0x752dd770" }, + { "function": "_XcptFilter", "func_addr": "0x752ddc75" }, + { "function": "_exit", "func_addr": "0x7531b2c0" }, + { "function": "_c_exit", "func_addr": "0x7531b2db" }, + { "function": "__setusermatherr", "func_addr": "0x753477ad" }, + { 
"function": "_initterm", "func_addr": "0x752bc151" }, + { "function": "__getmainargs", "func_addr": "0x752c2bc0" }, + { "function": "__initenv", "func_addr": "0x753504e8" }, + { "function": "_write", "func_addr": "0x752c4078" }, + { "function": "strchr", "func_addr": "0x752bdbeb" }, + { "function": "puts", "func_addr": "0x75328d04" }, + { "function": "exit", "func_addr": "0x752c36aa" }, + { "function": "s_perror", "func_addr": "0x6c8a1be4" }, + { "function": "CharToOemBuffA", "func_addr": "0x76aeb1b0" } + ] +} diff --git a/testfiles/upx-hostname/wave-0001.dump b/rsc/wave-0001.dump similarity index 100% rename from testfiles/upx-hostname/wave-0001.dump rename to rsc/wave-0001.dump diff --git a/rsc/wave-0002.dump b/rsc/wave-0002.dump new file mode 100644 index 0000000..02d5480 Binary files /dev/null and b/rsc/wave-0002.dump differ diff --git a/testfiles/upx-hostname/upx-hostname.exe.bin_traceCFG.json b/testfiles/upx-hostname/upx-hostname.exe.bin_traceCFG.json deleted file mode 100644 index 2a60714..0000000 --- a/testfiles/upx-hostname/upx-hostname.exe.bin_traceCFG.json +++ /dev/null 
@@ -1,2975 +0,0 @@ -{ - "nodes": [ - { - "index": 0, - "start": "0x10058c0", - "end": "0x10058d1", - "last_instr": "0x10058d0", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "60", "mnemonic": "pushal " }, - { - "offset": 1, - "opcode": "be00500001", - "mnemonic": "mov esi, 0x1005000" - }, - { - "offset": 6, - "opcode": "8dbe00c0ffff", - "mnemonic": "lea edi, [esi - 0x4000]" - }, - { "offset": 12, "opcode": "57", "mnemonic": "push edi" }, - { "offset": 13, "opcode": "83cdff", "mnemonic": "or ebp, 0xffffffff" }, - { "offset": 16, "opcode": "eb10", "mnemonic": "jmp 0x10058e2" } - ], - "registers": { - "EAX": "0x759633b8 ", - "EBX": "0x7efde000 ", - "ECX": "0x00000000 ", - "EDX": "0x010058c0", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff94 ", - "ESP": "0x000cff8c", - "eflags": "0x00000246" - }, - "type": "jmp" - }, - { - "index": 1, - "start": "0x10058e2", - "end": "0x10058e8", - "last_instr": "0x10058e7", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "8b1e", - "mnemonic": "mov ebx, dword ptr [esi]" - }, - { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, - { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" } - ], - "type": "seq" - }, - { - "index": 2, - "start": "0x10058d8", - "end": "0x10058dd", - "last_instr": "0x10058dd", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "8a06", "mnemonic": "mov al, byte ptr [esi]" }, - { "offset": 2, "opcode": "46", "mnemonic": "inc esi" }, - { "offset": 3, "opcode": "8807", "mnemonic": "mov byte ptr [edi], al" }, - { "offset": 5, "opcode": "47", "mnemonic": "inc edi" } - ], - "type": "seq" - }, - { - "index": 3, - "start": "0x10058e9", - "end": "0x10058ea", - "last_instr": "0x10058e9", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "72ed", "mnemonic": "jb 0x10058d8" } - ], - "type": "jcc" - }, - { - "index": 4, - "start": "0x10058eb", - "end": "0x10058ef", - "last_instr": "0x10058eb", - "wave": 0, - "instructions": [ - { "offset": 
0, "opcode": "b801000000", "mnemonic": "mov eax, 1" } - ], - "type": "seq" - }, - { - "index": 5, - "start": "0x1005901", - "end": "0x1005902", - "last_instr": "0x1005901", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "7509", "mnemonic": "jne 0x100590c" } - ], - "registers": { - "EAX": "0x00000002 ", - "EBX": "0x0881f9b8 ", - "ECX": "0x00000000 ", - "EDX": "0x010058c0", - "ESI": "0x01005005 ", - "EDI": "0x01001001 ", - "EBP": "0xffffffff ", - "ESP": "0x000cff68", - "eflags": "0x00000a17" - }, - "type": "jcc" - }, - { - "index": 6, - "start": "0x100590c", - "end": "0x1005912", - "last_instr": "0x1005911", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "31c9", "mnemonic": "xor ecx, ecx" }, - { "offset": 2, "opcode": "83e803", "mnemonic": "sub eax, 3" }, - { "offset": 5, "opcode": "720d", "mnemonic": "jb 0x1005920" } - ], - "registers": { - "EAX": "0x00000002 ", - "EBX": "0x0881f9b8 ", - "ECX": "0x00000000 ", - "EDX": "0x010058c0", - "ESI": "0x01005005 ", - "EDI": "0x01001001 ", - "EBP": "0xffffffff ", - "ESP": "0x000cff68", - "eflags": "0x00000a17" - }, - "type": "jcc" - }, - { - "index": 7, - "start": "0x100593c", - "end": "0x100593c", - "last_instr": "0x100593c", - "wave": 0, - "instructions": [{ "offset": 0, "opcode": "41", "mnemonic": "inc ecx" }], - "type": "seq" - }, - { - "index": 8, - "start": "0x100594e", - "end": "0x100594f", - "last_instr": "0x100594e", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "7509", "mnemonic": "jne 0x1005959" } - ], - "registers": { - "EAX": "0xffffffff ", - "EBX": "0xf9b80000 ", - "ECX": "0x000000a8 ", - "EDX": "0x010058c0", - "ESI": "0x01005005 ", - "EDI": "0x01001001 ", - "EBP": "0xffffffff ", - "ESP": "0x000cff68", - "eflags": "0x00000287" - }, - "type": "jcc" - }, - { - "index": 9, - "start": "0x1005959", - "end": "0x100595b", - "last_instr": "0x1005959", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "83c102", "mnemonic": "add ecx, 2" } - ], - "type": "seq" - }, - { - 
"index": 10, - "start": "0x100596d", - "end": "0x1005975", - "last_instr": "0x1005974", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "8a02", "mnemonic": "mov al, byte ptr [edx]" }, - { "offset": 2, "opcode": "42", "mnemonic": "inc edx" }, - { "offset": 3, "opcode": "8807", "mnemonic": "mov byte ptr [edi], al" }, - { "offset": 5, "opcode": "47", "mnemonic": "inc edi" }, - { "offset": 6, "opcode": "49", "mnemonic": "dec ecx" }, - { "offset": 7, "opcode": "75f7", "mnemonic": "jne 0x100596d" } - ], - "registers": { - "EAX": "0xffffffff ", - "EBX": "0xf9b80000 ", - "ECX": "0x000000ab ", - "EDX": "0x01001000", - "ESI": "0x01005005 ", - "EDI": "0x01001001 ", - "EBP": "0xffffffff ", - "ESP": "0x000cff68", - "eflags": "0x00000206" - }, - "type": "jcc" - }, - { - "index": 11, - "start": "0x1005976", - "end": "0x100597a", - "last_instr": "0x1005976", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "e963ffffff", "mnemonic": "jmp 0x10058de" } - ], - "registers": { - "EAX": "0xffffff00 ", - "EBX": "0xf9b80000 ", - "ECX": "0x00000000 ", - "EDX": "0x010010ab", - "ESI": "0x01005005 ", - "EDI": "0x010010ac ", - "EBP": "0xffffffff ", - "ESP": "0x000cff68", - "eflags": "0x00000246" - }, - "type": "jmp" - }, - { - "index": 12, - "start": "0x1005913", - "end": "0x100591d", - "last_instr": "0x100591c", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "c1e008", "mnemonic": "shl eax, 8" }, - { "offset": 3, "opcode": "8a06", "mnemonic": "mov al, byte ptr [esi]" }, - { "offset": 5, "opcode": "46", "mnemonic": "inc esi" }, - { "offset": 6, "opcode": "83f0ff", "mnemonic": "xor eax, 0xffffffff" }, - { "offset": 9, "opcode": "7474", "mnemonic": "je 0x1005992" } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0xbdff37e0 ", - "ECX": "0x00000000 ", - "EDX": "0x010010b3", - "ESI": "0x01005013 ", - "EDI": "0x010010b9 ", - "EBP": "0xffffffff ", - "ESP": "0x000cff68", - "eflags": "0x00000246" - }, - "type": "jcc" - }, - { - "index": 13, - "start": 
"0x100591e", - "end": "0x100591f", - "last_instr": "0x100591e", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "89c5", "mnemonic": "mov ebp, eax" } - ], - "type": "seq" - }, - { - "index": 14, - "start": "0x100597c", - "end": "0x100598a", - "last_instr": "0x1005989", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "8b02", - "mnemonic": "mov eax, dword ptr [edx]" - }, - { "offset": 2, "opcode": "83c204", "mnemonic": "add edx, 4" }, - { - "offset": 5, - "opcode": "8907", - "mnemonic": "mov dword ptr [edi], eax" - }, - { "offset": 7, "opcode": "83c704", "mnemonic": "add edi, 4" }, - { "offset": 10, "opcode": "83e904", "mnemonic": "sub ecx, 4" }, - { "offset": 13, "opcode": "77f1", "mnemonic": "ja 0x100597c" } - ], - "registers": { - "EAX": "0xfffffffc ", - "EBX": "0xf7fcdf80 ", - "ECX": "0x00000003 ", - "EDX": "0x010010b5", - "ESI": "0x01005014 ", - "EDI": "0x010010b9 ", - "EBP": "0xfffffffc ", - "ESP": "0x000cff68", - "eflags": "0x00000246" - }, - "type": "jcc" - }, - { - "index": 15, - "start": "0x100598b", - "end": "0x1005991", - "last_instr": "0x100598d", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "01cf", "mnemonic": "add edi, ecx" }, - { "offset": 2, "opcode": "e94cffffff", "mnemonic": "jmp 0x10058de" } - ], - "registers": { - "EAX": "0x2c010013 ", - "EBX": "0xf7fcdf80 ", - "ECX": "0xffffffff ", - "EDX": "0x010010b9", - "ESI": "0x01005014 ", - "EDI": "0x010010bd ", - "EBP": "0xfffffffc ", - "ESP": "0x000cff68", - "eflags": "0x00000297" - }, - "type": "jmp" - }, - { - "index": 16, - "start": "0x10058de", - "end": "0x10058e1", - "last_instr": "0x10058e0", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "01db", "mnemonic": "add ebx, ebx" }, - { "offset": 2, "opcode": "7507", "mnemonic": "jne 0x10058e9" } - ], - "type": "jcc" - }, - { - "index": 17, - "start": "0x10058f4", - "end": "0x10058fa", - "last_instr": "0x10058f9", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "8b1e", - "mnemonic": 
"mov ebx, dword ptr [esi]" - }, - { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, - { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" } - ], - "type": "seq" - }, - { - "index": 18, - "start": "0x10058fb", - "end": "0x1005900", - "last_instr": "0x10058ff", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "11c0", "mnemonic": "adc eax, eax" }, - { "offset": 2, "opcode": "01db", "mnemonic": "add ebx, ebx" }, - { "offset": 4, "opcode": "73ef", "mnemonic": "jae 0x10058f0" } - ], - "type": "jcc" - }, - { - "index": 19, - "start": "0x1005950", - "end": "0x1005958", - "last_instr": "0x1005957", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "8b1e", - "mnemonic": "mov ebx, dword ptr [esi]" - }, - { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, - { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" }, - { "offset": 7, "opcode": "73e4", "mnemonic": "jae 0x100593d" } - ], - "registers": { - "EAX": "0xffffffff ", - "EBX": "0x00000000 ", - "ECX": "0x00000005 ", - "EDX": "0x01001105", - "ESI": "0x010050ae ", - "EDI": "0x01001173 ", - "EBP": "0xffffff93 ", - "ESP": "0x000cff68", - "eflags": "0x00000a47" - }, - "type": "jcc" - }, - { - "index": 20, - "start": "0x1005924", - "end": "0x100592a", - "last_instr": "0x1005929", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "8b1e", - "mnemonic": "mov ebx, dword ptr [esi]" - }, - { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, - { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" } - ], - "type": "seq" - }, - { - "index": 21, - "start": "0x100592b", - "end": "0x1005930", - "last_instr": "0x100592f", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "11c9", "mnemonic": "adc ecx, ecx" }, - { "offset": 2, "opcode": "01db", "mnemonic": "add ebx, ebx" }, - { "offset": 4, "opcode": "7507", "mnemonic": "jne 0x1005938" } - ], - "type": "jcc" - }, - { - "index": 22, - "start": "0x1005931", - "end": "0x1005937", - 
"last_instr": "0x1005936", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "8b1e", - "mnemonic": "mov ebx, dword ptr [esi]" - }, - { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, - { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" } - ], - "type": "seq" - }, - { - "index": 23, - "start": "0x1005938", - "end": "0x100593b", - "last_instr": "0x100593a", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "11c9", "mnemonic": "adc ecx, ecx" }, - { "offset": 2, "opcode": "7520", "mnemonic": "jne 0x100595c" } - ], - "type": "jcc" - }, - { - "index": 24, - "start": "0x1005903", - "end": "0x100590b", - "last_instr": "0x100590a", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "8b1e", - "mnemonic": "mov ebx, dword ptr [esi]" - }, - { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, - { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" }, - { "offset": 7, "opcode": "73e4", "mnemonic": "jae 0x10058f0" } - ], - "registers": { - "EAX": "0x00000002 ", - "EBX": "0x00000000 ", - "ECX": "0xfffffffd ", - "EDX": "0x010011bf", - "ESI": "0x010050dd ", - "EDI": "0x010011ca ", - "EBP": "0xfffffff3 ", - "ESP": "0x000cff68", - "eflags": "0x00000a47" - }, - "type": "jcc" - }, - { - "index": 25, - "start": "0x10058f0", - "end": "0x10058f3", - "last_instr": "0x10058f2", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "01db", "mnemonic": "add ebx, ebx" }, - { "offset": 2, "opcode": "7507", "mnemonic": "jne 0x10058fb" } - ], - "type": "jcc" - }, - { - "index": 26, - "start": "0x1005941", - "end": "0x1005947", - "last_instr": "0x1005946", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "8b1e", - "mnemonic": "mov ebx, dword ptr [esi]" - }, - { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, - { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" } - ], - "type": "seq" - }, - { - "index": 27, - "start": "0x1005948", - "end": "0x100594d", - "last_instr": "0x100594c", 
- "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "11c9", "mnemonic": "adc ecx, ecx" }, - { "offset": 2, "opcode": "01db", "mnemonic": "add ebx, ebx" }, - { "offset": 4, "opcode": "73ef", "mnemonic": "jae 0x100593d" } - ], - "type": "jcc" - }, - { - "index": 28, - "start": "0x100593d", - "end": "0x1005940", - "last_instr": "0x100593f", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "01db", "mnemonic": "add ebx, ebx" }, - { "offset": 2, "opcode": "7507", "mnemonic": "jne 0x1005948" } - ], - "type": "jcc" - }, - { - "index": 29, - "start": "0x1005920", - "end": "0x1005923", - "last_instr": "0x1005922", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "01db", "mnemonic": "add ebx, ebx" }, - { "offset": 2, "opcode": "7507", "mnemonic": "jne 0x100592b" } - ], - "type": "jcc" - }, - { - "index": 30, - "start": "0x100595c", - "end": "0x100596c", - "last_instr": "0x100596b", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "81fd00f3ffff", - "mnemonic": "cmp ebp, 0xfffff300" - }, - { "offset": 6, "opcode": "83d101", "mnemonic": "adc ecx, 1" }, - { "offset": 9, "opcode": "8d142f", "mnemonic": "lea edx, [edi + ebp]" }, - { "offset": 12, "opcode": "83fdfc", "mnemonic": "cmp ebp, -4" }, - { "offset": 15, "opcode": "760f", "mnemonic": "jbe 0x100597c" } - ], - "type": "jcc" - }, - { - "index": 31, - "start": "0x1005992", - "end": "0x100599e", - "last_instr": "0x100599d", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "5e", "mnemonic": "pop esi" }, - { "offset": 1, "opcode": "89f7", "mnemonic": "mov edi, esi" }, - { "offset": 3, "opcode": "b913000000", "mnemonic": "mov ecx, 0x13" }, - { "offset": 8, "opcode": "8a07", "mnemonic": "mov al, byte ptr [edi]" }, - { "offset": 10, "opcode": "47", "mnemonic": "inc edi" }, - { "offset": 11, "opcode": "2ce8", "mnemonic": "sub al, 0xe8" } - ], - "type": "seq" - }, - { - "index": 32, - "start": "0x10059a3", - "end": "0x10059a7", - "last_instr": "0x10059a6", - "wave": 0, - 
"instructions": [ - { - "offset": 0, - "opcode": "803f01", - "mnemonic": "cmp byte ptr [edi], 1" - }, - { "offset": 3, "opcode": "75f2", "mnemonic": "jne 0x100599a" } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x10000000 ", - "ECX": "0x00000013 ", - "EDX": "0x01003e20", - "ESI": "0x01001000 ", - "EDI": "0x0100110a ", - "EBP": "0xfffffb47 ", - "ESP": "0x000cff6c", - "eflags": "0x00000297" - }, - "type": "jcc" - }, - { - "index": 33, - "start": "0x10059a8", - "end": "0x10059c5", - "last_instr": "0x10059c4", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "8b07", - "mnemonic": "mov eax, dword ptr [edi]" - }, - { - "offset": 2, - "opcode": "8a5f04", - "mnemonic": "mov bl, byte ptr [edi + 4]" - }, - { "offset": 5, "opcode": "66c1e808", "mnemonic": "shr ax, 8" }, - { "offset": 9, "opcode": "c1c010", "mnemonic": "rol eax, 0x10" }, - { "offset": 12, "opcode": "86c4", "mnemonic": "xchg ah, al" }, - { "offset": 14, "opcode": "29f8", "mnemonic": "sub eax, edi" }, - { "offset": 16, "opcode": "80ebe8", "mnemonic": "sub bl, 0xe8" }, - { "offset": 19, "opcode": "01f0", "mnemonic": "add eax, esi" }, - { - "offset": 21, - "opcode": "8907", - "mnemonic": "mov dword ptr [edi], eax" - }, - { "offset": 23, "opcode": "83c705", "mnemonic": "add edi, 5" }, - { "offset": 26, "opcode": "88d8", "mnemonic": "mov al, bl" }, - { "offset": 28, "opcode": "e2d9", "mnemonic": "loop 0x100599f" } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x10000000 ", - "ECX": "0x00000013 ", - "EDX": "0x01003e20", - "ESI": "0x01001000 ", - "EDI": "0x0100110a ", - "EBP": "0xfffffb47 ", - "ESP": "0x000cff6c", - "eflags": "0x00000246" - }, - "type": "jcc" - }, - { - "index": 34, - "start": "0x100599f", - "end": "0x10059a2", - "last_instr": "0x10059a1", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "3c01", "mnemonic": "cmp al, 1" }, - { "offset": 2, "opcode": "77f7", "mnemonic": "ja 0x100599a" } - ], - "type": "jcc" - }, - { - "index": 35, - "start": "0x10059c6", - 
"end": "0x10059cb", - "last_instr": "0x10059c6", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "8dbe00300000", - "mnemonic": "lea edi, [esi + 0x3000]" - } - ], - "type": "seq" - }, - { - "index": 36, - "start": "0x10059d2", - "end": "0x10059e7", - "last_instr": "0x10059e2", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "8b5f04", - "mnemonic": "mov ebx, dword ptr [edi + 4]" - }, - { - "offset": 3, - "opcode": "8d84301c540000", - "mnemonic": "lea eax, [eax + esi + 0x541c]" - }, - { "offset": 10, "opcode": "01f3", "mnemonic": "add ebx, esi" }, - { "offset": 12, "opcode": "50", "mnemonic": "push eax" }, - { "offset": 13, "opcode": "83c708", "mnemonic": "add edi, 8" }, - { - "offset": 16, - "opcode": "ff9694540000", - "mnemonic": "call dword ptr [esi + 0x5494]" - } - ], - "registers": { - "EAX": "0x000000b4 ", - "EBX": "0x100000df ", - "ECX": "0x00000000 ", - "EDX": "0x01003e20", - "ESI": "0x01001000 ", - "EDI": "0x01004000 ", - "EBP": "0xfffffb47 ", - "ESP": "0x000cff6c", - "eflags": "0x00000206" - }, - "type": "call", - "syscalls": [ - { - "name": "KERNEL32.DLL!LoadLibraryA", - "timestamp": 19.825597, - "arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"KERNEL32.DLL\""], - "return": "0x75950000", - "output": [] - }, - { - "name": "KERNEL32.DLL!LoadLibraryA", - "timestamp": 19.913203, - "arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"msvcrt.dll\""], - "return": "0x752b0000", - "output": [] - }, - { - "name": "KERNEL32.DLL!LoadLibraryA", - "timestamp": 19.913203, - "arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"MSWSOCK.dll\""], - "return": "0x6c880000", - "output": [] - }, - { - "name": "KERNEL32.DLL!LoadLibraryA", - "timestamp": 19.913203, - "arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"USER32.dll\""], - "return": "0x76ac0000", - "output": [] - }, - { - "name": "KERNEL32.DLL!LoadLibraryA", - "timestamp": 19.913203, - "arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"WS2_32.dll\""], - "return": "0x76e60000", - "output": [] - } - ] - }, - { - "index": 
37, - "start": "0x10059e8", - "end": "0x10059e8", - "last_instr": "0x10059e8", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "95", "mnemonic": "xchg eax, ebp" } - ], - "type": "seq" - }, - { - "index": 38, - "start": "0x10059f0", - "end": "0x10059f3", - "last_instr": "0x10059f2", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "89f9", "mnemonic": "mov ecx, edi" }, - { "offset": 2, "opcode": "7907", "mnemonic": "jns 0x10059fb" } - ], - "registers": { - "EAX": "0xfffffb01 ", - "EBX": "0x01001000 ", - "ECX": "0x00000002 ", - "EDX": "0x00000001", - "ESI": "0x01001000 ", - "EDI": "0x01004009 ", - "EBP": "0x75950000 ", - "ESP": "0x000cff6c", - "eflags": "0x00000202" - }, - "type": "jcc" - }, - { - "index": 39, - "start": "0x1005a06", - "end": "0x1005a09", - "last_instr": "0x1005a08", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "09c0", "mnemonic": "or eax, eax" }, - { "offset": 2, "opcode": "7407", "mnemonic": "je 0x1005a11" } - ], - "registers": { - "EAX": "0x75985fbd ", - "EBX": "0x01001000 ", - "ECX": "0x75950000 ", - "EDX": "0x75950000", - "ESI": "0x01001000 ", - "EDI": "0x01004018 ", - "EBP": "0x75950000 ", - "ESP": "0x000cff6c", - "eflags": "0x00000206" - }, - "type": "jcc" - }, - { - "index": 40, - "start": "0x1005a0a", - "end": "0x1005a10", - "last_instr": "0x1005a0f", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "8903", - "mnemonic": "mov dword ptr [ebx], eax" - }, - { "offset": 2, "opcode": "83c304", "mnemonic": "add ebx, 4" }, - { "offset": 5, "opcode": "ebd8", "mnemonic": "jmp 0x10059e9" } - ], - "registers": { - "EAX": "0x75985fbd ", - "EBX": "0x01001000 ", - "ECX": "0x75950000 ", - "EDX": "0x75950000", - "ESI": "0x01001000 ", - "EDI": "0x01004018 ", - "EBP": "0x75950000 ", - "ESP": "0x000cff6c", - "eflags": "0x00000206" - }, - "type": "jmp" - }, - { - "index": 41, - "start": "0x10059e9", - "end": "0x10059ef", - "last_instr": "0x10059ee", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": 
"8a07", "mnemonic": "mov al, byte ptr [edi]" }, - { "offset": 2, "opcode": "47", "mnemonic": "inc edi" }, - { "offset": 3, "opcode": "08c0", "mnemonic": "or al, al" }, - { "offset": 5, "opcode": "74dc", "mnemonic": "je 0x10059cc" } - ], - "type": "jcc" - }, - { - "index": 42, - "start": "0x10059cc", - "end": "0x10059d1", - "last_instr": "0x10059d0", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "8b07", - "mnemonic": "mov eax, dword ptr [edi]" - }, - { "offset": 2, "opcode": "09c0", "mnemonic": "or eax, eax" }, - { "offset": 4, "opcode": "7445", "mnemonic": "je 0x1005a17" } - ], - "type": "jcc" - }, - { - "index": 43, - "start": "0x10059f4", - "end": "0x1005a05", - "last_instr": "0x1005a00", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "0fb707", - "mnemonic": "movzx eax, word ptr [edi]" - }, - { "offset": 3, "opcode": "47", "mnemonic": "inc edi" }, - { "offset": 4, "opcode": "50", "mnemonic": "push eax" }, - { "offset": 5, "opcode": "47", "mnemonic": "inc edi" }, - { - "offset": 6, - "opcode": "b95748f2ae", - "mnemonic": "mov ecx, 0xaef24857" - }, - { "offset": 11, "opcode": "55", "mnemonic": "push ebp" }, - { - "offset": 12, - "opcode": "ff9698540000", - "mnemonic": "call dword ptr [esi + 0x5498]" - } - ], - "registers": { - "EAX": "0x76ac00ff ", - "EBX": "0x01001024 ", - "ECX": "0x01004150 ", - "EDX": "0x004c34a4", - "ESI": "0x01001000 ", - "EDI": "0x01004150 ", - "EBP": "0x76e60000 ", - "ESP": "0x000cff6c", - "eflags": "0x00000286" - }, - "type": "call", - "syscalls": [ - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.875559, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x75950000", - "_IN_ (LPCSTR) [0x000cff68] \"FormatMessageA\"" - ], - "return": "0x75985fbd", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.905854, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x75950000", - "_IN_ (LPCSTR) [0x000cff68] \"LocalFree\"" - ], - "return": "0x75962d3c", - "output": [] - }, - { 
- "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.905854, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x75950000", - "_IN_ (LPCSTR) [0x000cff68] \"GetModuleHandleA\"" - ], - "return": "0x75961245", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.905854, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x75950000", - "_IN_ (LPCSTR) [0x000cff68] \"GetLastError\"" - ], - "return": "0x759611c0", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"__p__commode\"" - ], - "return": "0x752c27c3", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"__p__fmode\"" - ], - "return": "0x752c27ce", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"__set_app_type\"" - ], - "return": "0x752c2804", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"_controlfp\"" - ], - "return": "0x752be1e1", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"_cexit\"" - ], - "return": "0x752c37d4", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"_adjust_fdiv\"" - ], - "return": "0x753532ec", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) 
[0x000cff68] \"_except_handler3\"" - ], - "return": "0x752dd770", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"_XcptFilter\"" - ], - "return": "0x752ddc75", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"_exit\"" - ], - "return": "0x7531b2c0", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"_c_exit\"" - ], - "return": "0x7531b2db", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"__setusermatherr\"" - ], - "return": "0x753477ad", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"_initterm\"" - ], - "return": "0x752bc151", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"__getmainargs\"" - ], - "return": "0x752c2bc0", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"__initenv\"" - ], - "return": "0x753504e8", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"_write\"" - ], - "return": "0x752c4078", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": 
[ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"strchr\"" - ], - "return": "0x752bdbeb", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"puts\"" - ], - "return": "0x75328d04", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x752b0000", - "_IN_ (LPCSTR) [0x000cff68] \"exit\"" - ], - "return": "0x752c36aa", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x6c880000", - "_IN_ (LPCSTR) [0x000cff68] \"s_perror\"" - ], - "return": "0x6c8a1be4", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddress", - "timestamp": 19.913203, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x76ac0000", - "_IN_ (LPCSTR) [0x000cff68] \"CharToOemBuffA\"" - ], - "return": "0x76aeb1b0", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddressOrdinal", - "timestamp": 19.942805, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x76e60000", - "_IN_ (USHORT) [0x000cff68] 0x00000039" - ], - "return": "0x76e6a05b", - "output": [] - }, - { - "name": "KERNEL32.DLL!GetProcAddressOrdinal", - "timestamp": 19.942805, - "arguments": [ - "_IN_ (HMODULE) [0x000cff64] 0x76e60000", - "_IN_ (USHORT) [0x000cff68] 0x00000073" - ], - "return": "0x76e63ab2", - "output": [] - } - ] - }, - { - "index": 44, - "start": "0x1005a17", - "end": "0x1005a2f", - "last_instr": "0x1005a2e", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "8bae9c540000", - "mnemonic": "mov ebp, dword ptr [esi + 0x549c]" - }, - { - "offset": 6, - "opcode": "8dbe00f0ffff", - "mnemonic": "lea edi, [esi - 0x1000]" - }, - { "offset": 12, "opcode": "bb00100000", "mnemonic": "mov ebx, 0x1000" }, - { "offset": 17, "opcode": "50", "mnemonic": "push eax" }, - { "offset": 18, 
"opcode": "54", "mnemonic": "push esp" }, - { "offset": 19, "opcode": "6a04", "mnemonic": "push 4" }, - { "offset": 21, "opcode": "53", "mnemonic": "push ebx" }, - { "offset": 22, "opcode": "57", "mnemonic": "push edi" }, - { "offset": 23, "opcode": "ffd5", "mnemonic": "call ebp" } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x0100102c ", - "ECX": "0x76e60000 ", - "EDX": "0x00001725", - "ESI": "0x01001000 ", - "EDI": "0x01004156 ", - "EBP": "0x76e60000 ", - "ESP": "0x000cff6c", - "eflags": "0x00000246" - }, - "type": "call", - "syscalls": [ - { - "name": "KERNEL32.DLL!VirtualProtect", - "timestamp": 19.950966, - "arguments": [ - "_IN_ (LPVOID) [0x000cff58] 0x01000000", - "_IN_ (SIZE_T) [0x000cff5c] 0x00001000", - "_IN_ (DWORD) [0x000cff60] 0x00000004", - "_OUT_ (PDWORD) [0x000cff64] 0x000cff68" - ], - "return": "TRUE", - "output": ["[0x000cff68] 0x00000002"] - } - ] - }, - { - "index": 45, - "start": "0x1005a30", - "end": "0x1005a44", - "last_instr": "0x1005a43", - "wave": 0, - "instructions": [ - { - "offset": 0, - "opcode": "8d87f7010000", - "mnemonic": "lea eax, [edi + 0x1f7]" - }, - { - "offset": 6, - "opcode": "80207f", - "mnemonic": "and byte ptr [eax], 0x7f" - }, - { - "offset": 9, - "opcode": "8060287f", - "mnemonic": "and byte ptr [eax + 0x28], 0x7f" - }, - { "offset": 13, "opcode": "58", "mnemonic": "pop eax" }, - { "offset": 14, "opcode": "50", "mnemonic": "push eax" }, - { "offset": 15, "opcode": "54", "mnemonic": "push esp" }, - { "offset": 16, "opcode": "50", "mnemonic": "push eax" }, - { "offset": 17, "opcode": "53", "mnemonic": "push ebx" }, - { "offset": 18, "opcode": "57", "mnemonic": "push edi" }, - { "offset": 19, "opcode": "ffd5", "mnemonic": "call ebp" } - ], - "registers": { - "EAX": "0x00000001 ", - "EBX": "0x00001000 ", - "ECX": "0x7a280000 ", - "EDX": "0x0008e3c8", - "ESI": "0x01001000 ", - "EDI": "0x01000000 ", - "EBP": "0x7596435f ", - "ESP": "0x000cff68", - "eflags": "0x00000202" - }, - "type": "call", - "syscalls": [ - { - 
"name": "KERNEL32.DLL!VirtualProtect", - "timestamp": 19.966595, - "arguments": [ - "_IN_ (LPVOID) [0x000cff58] 0x01000000", - "_IN_ (SIZE_T) [0x000cff5c] 0x00001000", - "_IN_ (DWORD) [0x000cff60] 0x00000002", - "_OUT_ (PDWORD) [0x000cff64] 0x000cff68" - ], - "return": "TRUE", - "output": ["[0x000cff68] 0x00000004"] - } - ] - }, - { - "index": 46, - "start": "0x1005a45", - "end": "0x1005a4a", - "last_instr": "0x1005a47", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "58", "mnemonic": "pop eax" }, - { "offset": 1, "opcode": "61", "mnemonic": "popal " }, - { - "offset": 2, - "opcode": "8d442480", - "mnemonic": "lea eax, [esp - 0x80]" - } - ], - "type": "seq" - }, - { - "index": 47, - "start": "0x1005a51", - "end": "0x1005a58", - "last_instr": "0x1005a54", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "83ec80", "mnemonic": "sub esp, -0x80" }, - { "offset": 3, "opcode": "e97eb7ffff", "mnemonic": "jmp 0x10011d7" } - ], - "registers": { - "EAX": "0x000cff0c ", - "EBX": "0x7efde000 ", - "ECX": "0x00000000 ", - "EDX": "0x010058c0", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff94 ", - "ESP": "0x000cff0c", - "eflags": "0x00000246" - }, - "type": "jmp" - }, - { - "index": 48, - "start": "0x10011d7", - "end": "0x10011e2", - "last_instr": "0x10011de", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "6a28", "mnemonic": "push 0x28" }, - { "offset": 2, "opcode": "68b0100001", "mnemonic": "push 0x10010b0" }, - { "offset": 7, "opcode": "e891010000", "mnemonic": "call 0x1001374" } - ], - "registers": { - "EAX": "0x000cff0c ", - "EBX": "0x7efde000 ", - "ECX": "0x00000000 ", - "EDX": "0x010058c0", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff94 ", - "ESP": "0x000cff8c", - "eflags": "0x00000203" - }, - "type": "call" - }, - { - "index": 49, - "start": "0x1001374", - "end": "0x10013ac", - "last_instr": "0x10013ac", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "68c4130001", "mnemonic": "push 
0x10013c4" }, - { - "offset": 5, - "opcode": "64a100000000", - "mnemonic": "mov eax, dword ptr fs:[0]" - }, - { "offset": 11, "opcode": "50", "mnemonic": "push eax" }, - { - "offset": 12, - "opcode": "64892500000000", - "mnemonic": "mov dword ptr fs:[0], esp" - }, - { - "offset": 19, - "opcode": "8b442410", - "mnemonic": "mov eax, dword ptr [esp + 0x10]" - }, - { - "offset": 23, - "opcode": "896c2410", - "mnemonic": "mov dword ptr [esp + 0x10], ebp" - }, - { - "offset": 27, - "opcode": "8d6c2410", - "mnemonic": "lea ebp, [esp + 0x10]" - }, - { "offset": 31, "opcode": "2be0", "mnemonic": "sub esp, eax" }, - { "offset": 33, "opcode": "53", "mnemonic": "push ebx" }, - { "offset": 34, "opcode": "56", "mnemonic": "push esi" }, - { "offset": 35, "opcode": "57", "mnemonic": "push edi" }, - { - "offset": 36, - "opcode": "8b45f8", - "mnemonic": "mov eax, dword ptr [ebp - 8]" - }, - { - "offset": 39, - "opcode": "8965e8", - "mnemonic": "mov dword ptr [ebp - 0x18], esp" - }, - { "offset": 42, "opcode": "50", "mnemonic": "push eax" }, - { - "offset": 43, - "opcode": "8b45fc", - "mnemonic": "mov eax, dword ptr [ebp - 4]" - }, - { - "offset": 46, - "opcode": "c745fcffffffff", - "mnemonic": "mov dword ptr [ebp - 4], 0xffffffff" - }, - { - "offset": 53, - "opcode": "8945f8", - "mnemonic": "mov dword ptr [ebp - 8], eax" - }, - { "offset": 56, "opcode": "c3", "mnemonic": "ret " } - ], - "registers": { - "EAX": "0x000cff0c ", - "EBX": "0x7efde000 ", - "ECX": "0x00000000 ", - "EDX": "0x010058c0", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff94 ", - "ESP": "0x000cff80", - "eflags": "0x00000203" - }, - "type": "ret" - }, - { - "index": 50, - "start": "0x10011e3", - "end": "0x10011eb", - "last_instr": "0x10011e6", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "33ff", "mnemonic": "xor edi, edi" }, - { "offset": 2, "opcode": "57", "mnemonic": "push edi" }, - { - "offset": 3, - "opcode": "ff1508100001", - "mnemonic": "call dword ptr [0x1001008]" - } - ], - 
"registers": { - "EAX": "0x010010b0 ", - "EBX": "0x7efde000 ", - "ECX": "0x00000000 ", - "EDX": "0x010058c0", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff44", - "eflags": "0x00000206" - }, - "type": "call", - "syscalls": [ - { - "name": "KERNEL32.DLL!GetModuleHandleA", - "timestamp": 20.007819, - "arguments": ["_IN_ (LPCTSTR) [0x000cff40] \"\""], - "return": "0x01000000", - "output": [] - } - ] - }, - { - "index": 51, - "start": "0x10011ec", - "end": "0x10011f2", - "last_instr": "0x10011f1", - "wave": 1, - "instructions": [ - { - "offset": 0, - "opcode": "6681384d5a", - "mnemonic": "cmp word ptr [eax], 0x5a4d" - }, - { "offset": 5, "opcode": "751f", "mnemonic": "jne 0x1001212" } - ], - "registers": { - "EAX": "0x01000000 ", - "EBX": "0x7efde000 ", - "ECX": "0x00000000 ", - "EDX": "0x010058c0", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff44", - "eflags": "0x00000246" - }, - "type": "jcc" - }, - { - "index": 52, - "start": "0x10011f3", - "end": "0x10011ff", - "last_instr": "0x10011fe", - "wave": 1, - "instructions": [ - { - "offset": 0, - "opcode": "8b483c", - "mnemonic": "mov ecx, dword ptr [eax + 0x3c]" - }, - { "offset": 3, "opcode": "03c8", "mnemonic": "add ecx, eax" }, - { - "offset": 5, - "opcode": "813950450000", - "mnemonic": "cmp dword ptr [ecx], 0x4550" - }, - { "offset": 11, "opcode": "7512", "mnemonic": "jne 0x1001212" } - ], - "registers": { - "EAX": "0x01000000 ", - "EBX": "0x7efde000 ", - "ECX": "0x00000000 ", - "EDX": "0x010058c0", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff44", - "eflags": "0x00000246" - }, - "type": "jcc" - }, - { - "index": 53, - "start": "0x1001200", - "end": "0x100120a", - "last_instr": "0x1001209", - "wave": 1, - "instructions": [ - { - "offset": 0, - "opcode": "0fb74118", - "mnemonic": "movzx eax, word ptr [ecx + 0x18]" - }, - { "offset": 4, "opcode": "3d0b010000", "mnemonic": "cmp eax, 
0x10b" }, - { "offset": 9, "opcode": "741f", "mnemonic": "je 0x100122a" } - ], - "registers": { - "EAX": "0x01000000 ", - "EBX": "0x7efde000 ", - "ECX": "0x010000d8 ", - "EDX": "0x010058c0", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff44", - "eflags": "0x00000246" - }, - "type": "jcc" - }, - { - "index": 54, - "start": "0x100122a", - "end": "0x100122f", - "last_instr": "0x100122e", - "wave": 1, - "instructions": [ - { - "offset": 0, - "opcode": "8379740e", - "mnemonic": "cmp dword ptr [ecx + 0x74], 0xe" - }, - { "offset": 4, "opcode": "76e2", "mnemonic": "jbe 0x1001212" } - ], - "registers": { - "EAX": "0x0000010b ", - "EBX": "0x7efde000 ", - "ECX": "0x010000d8 ", - "EDX": "0x010058c0", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff44", - "eflags": "0x00000246" - }, - "type": "jcc" - }, - { - "index": 55, - "start": "0x1001230", - "end": "0x1001248", - "last_instr": "0x1001243", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "33c0", "mnemonic": "xor eax, eax" }, - { - "offset": 2, - "opcode": "39b9e8000000", - "mnemonic": "cmp dword ptr [ecx + 0xe8], edi" - }, - { "offset": 8, "opcode": "0f95c0", "mnemonic": "setne al" }, - { - "offset": 11, - "opcode": "8945e4", - "mnemonic": "mov dword ptr [ebp - 0x1c], eax" - }, - { - "offset": 14, - "opcode": "897dfc", - "mnemonic": "mov dword ptr [ebp - 4], edi" - }, - { "offset": 17, "opcode": "6a01", "mnemonic": "push 1" }, - { - "offset": 19, - "opcode": "ff1538100001", - "mnemonic": "call dword ptr [0x1001038]" - } - ], - "registers": { - "EAX": "0x0000010b ", - "EBX": "0x7efde000 ", - "ECX": "0x010000d8 ", - "EDX": "0x010058c0", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff44", - "eflags": "0x00000212" - }, - "type": "call", - "syscalls": [ - { - "name": "MSVCRT.DLL!__set_app_type", - "timestamp": 20.042519, - "arguments": ["_IN_ (INT) [0x000cff40] 0x00000001"], - "return": 
"", - "output": [] - } - ] - }, - { - "index": 56, - "start": "0x1001249", - "end": "0x100125d", - "last_instr": "0x1001258", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "59", "mnemonic": "pop ecx" }, - { - "offset": 1, - "opcode": "830dd0210001ff", - "mnemonic": "or dword ptr [0x10021d0], 0xffffffff" - }, - { - "offset": 8, - "opcode": "830dd4210001ff", - "mnemonic": "or dword ptr [0x10021d4], 0xffffffff" - }, - { - "offset": 15, - "opcode": "ff1534100001", - "mnemonic": "call dword ptr [0x1001034]" - } - ], - "registers": { - "EAX": "0x00000001 ", - "EBX": "0x7efde000 ", - "ECX": "0x00000001 ", - "EDX": "0x000000d8", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff40", - "eflags": "0x00000202" - }, - "type": "call", - "syscalls": [ - { - "name": "MSVCRT.DLL!__p__fmode", - "timestamp": 20.060264, - "arguments": [], - "return": "0x753531f4", - "output": [] - } - ] - }, - { - "index": 57, - "start": "0x100125e", - "end": "0x100126b", - "last_instr": "0x1001266", - "wave": 1, - "instructions": [ - { - "offset": 0, - "opcode": "8b0d2c200001", - "mnemonic": "mov ecx, dword ptr [0x100202c]" - }, - { - "offset": 6, - "opcode": "8908", - "mnemonic": "mov dword ptr [eax], ecx" - }, - { - "offset": 8, - "opcode": "ff1530100001", - "mnemonic": "call dword ptr [0x1001030]" - } - ], - "registers": { - "EAX": "0x753531f4 ", - "EBX": "0x7efde000 ", - "ECX": "0x00000001 ", - "EDX": "0x000000d8", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff44", - "eflags": "0x00000286" - }, - "type": "call", - "syscalls": [ - { - "name": "MSVCRT.DLL!__p__commode", - "timestamp": 20.066232, - "arguments": [], - "return": "0x753531fc", - "output": [] - } - ] - }, - { - "index": 58, - "start": "0x100126c", - "end": "0x1001284", - "last_instr": "0x1001280", - "wave": 1, - "instructions": [ - { - "offset": 0, - "opcode": "8b0d28200001", - "mnemonic": "mov ecx, dword ptr [0x1002028]" - }, - { - 
"offset": 6, - "opcode": "8908", - "mnemonic": "mov dword ptr [eax], ecx" - }, - { - "offset": 8, - "opcode": "a144100001", - "mnemonic": "mov eax, dword ptr [0x1001044]" - }, - { - "offset": 13, - "opcode": "8b00", - "mnemonic": "mov eax, dword ptr [eax]" - }, - { - "offset": 15, - "opcode": "a3d8210001", - "mnemonic": "mov dword ptr [0x10021d8], eax" - }, - { "offset": 20, "opcode": "e8eb000000", "mnemonic": "call 0x1001370" } - ], - "registers": { - "EAX": "0x753531fc ", - "EBX": "0x7efde000 ", - "ECX": "0x00000000 ", - "EDX": "0x000000d8", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff44", - "eflags": "0x00000286" - }, - "type": "call" - }, - { - "index": 59, - "start": "0x1001370", - "end": "0x1001372", - "last_instr": "0x1001372", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "33c0", "mnemonic": "xor eax, eax" }, - { "offset": 2, "opcode": "c3", "mnemonic": "ret " } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x7efde000 ", - "ECX": "0x00000000 ", - "EDX": "0x000000d8", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff40", - "eflags": "0x00000286" - }, - "type": "ret" - }, - { - "index": 60, - "start": "0x1001285", - "end": "0x100128c", - "last_instr": "0x100128b", - "wave": 1, - "instructions": [ - { - "offset": 0, - "opcode": "393d00200001", - "mnemonic": "cmp dword ptr [0x1002000], edi" - }, - { "offset": 6, "opcode": "750c", "mnemonic": "jne 0x1001299" } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x7efde000 ", - "ECX": "0x00000000 ", - "EDX": "0x000000d8", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff44", - "eflags": "0x00000246" - }, - "type": "jcc" - }, - { - "index": 61, - "start": "0x1001299", - "end": "0x100129d", - "last_instr": "0x1001299", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "e8c0000000", "mnemonic": "call 0x100135e" } - ], - "registers": { - "EAX": 
"0x00000000 ", - "EBX": "0x7efde000 ", - "ECX": "0x00000000 ", - "EDX": "0x000000d8", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff44", - "eflags": "0x00000202" - }, - "type": "call" - }, - { - "index": 62, - "start": "0x100135e", - "end": "0x100136c", - "last_instr": "0x1001368", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "6800000300", "mnemonic": "push 0x30000" }, - { "offset": 5, "opcode": "6800000100", "mnemonic": "push 0x10000" }, - { "offset": 10, "opcode": "e851000000", "mnemonic": "call 0x10013be" } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x7efde000 ", - "ECX": "0x00000000 ", - "EDX": "0x000000d8", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff40", - "eflags": "0x00000202" - }, - "type": "call", - "obfuscations": [ - { - "type": "callstack tampering : call", - "description": "No ret instruction corresponding to the call" - } - ] - }, - { - "index": 63, - "start": "0x10013be", - "end": "0x10013c3", - "last_instr": "0x10013be", - "wave": 1, - "instructions": [ - { - "offset": 0, - "opcode": "ff253c100001", - "mnemonic": "jmp dword ptr [0x100103c]" - } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x7efde000 ", - "ECX": "0x00000000 ", - "EDX": "0x000000d8", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff34", - "eflags": "0x00000202" - }, - "type": "jmp", - "syscalls": [ - { - "name": "MSVCRT.DLL!_controlfp", - "timestamp": 20.101722, - "arguments": [], - "return": "", - "output": [] - } - ] - }, - { - "index": 64, - "start": "0x100136d", - "end": "0x100136f", - "last_instr": "0x100136f", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "59", "mnemonic": "pop ecx" }, - { "offset": 1, "opcode": "59", "mnemonic": "pop ecx" }, - { "offset": 2, "opcode": "c3", "mnemonic": "ret " } - ], - "registers": { - "EAX": "0x0009001f ", - "EBX": "0x7efde000 ", - "ECX": "0x00010000 ", - "EDX": 
"0x0008001f", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff38", - "eflags": "0x00000246" - }, - "type": "ret" - }, - { - "index": 65, - "start": "0x100129e", - "end": "0x10012ac", - "last_instr": "0x10012a8", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "6888100001", "mnemonic": "push 0x1001088" }, - { "offset": 5, "opcode": "6884100001", "mnemonic": "push 0x1001084" }, - { "offset": 10, "opcode": "e8ab000000", "mnemonic": "call 0x1001358" } - ], - "registers": { - "EAX": "0x0009001f ", - "EBX": "0x7efde000 ", - "ECX": "0x00030000 ", - "EDX": "0x0008001f", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff44", - "eflags": "0x00000246" - }, - "type": "call", - "obfuscations": [ - { - "type": "callstack tampering : call", - "description": "No ret instruction corresponding to the call" - } - ] - }, - { - "index": 66, - "start": "0x1001358", - "end": "0x100135d", - "last_instr": "0x1001358", - "wave": 1, - "instructions": [ - { - "offset": 0, - "opcode": "ff255c100001", - "mnemonic": "jmp dword ptr [0x100105c]" - } - ], - "registers": { - "EAX": "0x0009001f ", - "EBX": "0x7efde000 ", - "ECX": "0x00030000 ", - "EDX": "0x0008001f", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff38", - "eflags": "0x00000246" - }, - "type": "jmp", - "syscalls": [ - { - "name": "MSVCRT.DLL!_initterm", - "timestamp": 20.12734, - "arguments": [], - "return": "", - "output": [] - }, - { - "name": "MSVCRT.DLL!_initterm", - "timestamp": 20.150398, - "arguments": [], - "return": "", - "output": [] - } - ] - }, - { - "index": 67, - "start": "0x10012ad", - "end": "0x10012d0", - "last_instr": "0x10012cb", - "wave": 1, - "instructions": [ - { - "offset": 0, - "opcode": "a124200001", - "mnemonic": "mov eax, dword ptr [0x1002024]" - }, - { - "offset": 5, - "opcode": "8945e0", - "mnemonic": "mov dword ptr [ebp - 0x20], eax" - }, - { - "offset": 8, - "opcode": 
"8d45e0", - "mnemonic": "lea eax, [ebp - 0x20]" - }, - { "offset": 11, "opcode": "50", "mnemonic": "push eax" }, - { - "offset": 12, - "opcode": "ff3520200001", - "mnemonic": "push dword ptr [0x1002020]" - }, - { - "offset": 18, - "opcode": "8d45dc", - "mnemonic": "lea eax, [ebp - 0x24]" - }, - { "offset": 21, "opcode": "50", "mnemonic": "push eax" }, - { - "offset": 22, - "opcode": "8d45d8", - "mnemonic": "lea eax, [ebp - 0x28]" - }, - { "offset": 25, "opcode": "50", "mnemonic": "push eax" }, - { - "offset": 26, - "opcode": "8d45d4", - "mnemonic": "lea eax, [ebp - 0x2c]" - }, - { "offset": 29, "opcode": "50", "mnemonic": "push eax" }, - { - "offset": 30, - "opcode": "ff1560100001", - "mnemonic": "call dword ptr [0x1001060]" - } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x7efde000 ", - "ECX": "0x00030000 ", - "EDX": "0x0008001f", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff3c", - "eflags": "0x00000246" - }, - "type": "call", - "syscalls": [ - { - "name": "MSVCRT.DLL!__getmainargs", - "timestamp": 20.132675, - "arguments": [], - "return": "", - "output": [] - } - ] - }, - { - "index": 68, - "start": "0x10012d1", - "end": "0x10012e2", - "last_instr": "0x10012de", - "wave": 1, - "instructions": [ - { - "offset": 0, - "opcode": "8945d0", - "mnemonic": "mov dword ptr [ebp - 0x30], eax" - }, - { "offset": 3, "opcode": "6880100001", "mnemonic": "push 0x1001080" }, - { "offset": 8, "opcode": "687c100001", "mnemonic": "push 0x100107c" }, - { "offset": 13, "opcode": "e875000000", "mnemonic": "call 0x1001358" } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x7efde000 ", - "ECX": "0x000cff64 ", - "EDX": "0x002115a8", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff28", - "eflags": "0x00000246" - }, - "type": "call", - "obfuscations": [ - { - "type": "callstack tampering : call", - "description": "No ret instruction corresponding to the call" - } - ] - }, - { - 
"index": 69, - "start": "0x10012e3", - "end": "0x10012fb", - "last_instr": "0x10012f7", - "wave": 1, - "instructions": [ - { - "offset": 0, - "opcode": "8b45dc", - "mnemonic": "mov eax, dword ptr [ebp - 0x24]" - }, - { - "offset": 3, - "opcode": "8b0d64100001", - "mnemonic": "mov ecx, dword ptr [0x1001064]" - }, - { - "offset": 9, - "opcode": "8901", - "mnemonic": "mov dword ptr [ecx], eax" - }, - { - "offset": 11, - "opcode": "ff75dc", - "mnemonic": "push dword ptr [ebp - 0x24]" - }, - { - "offset": 14, - "opcode": "ff75d8", - "mnemonic": "push dword ptr [ebp - 0x28]" - }, - { - "offset": 17, - "opcode": "ff75d4", - "mnemonic": "push dword ptr [ebp - 0x2c]" - }, - { "offset": 20, "opcode": "e8e0fdffff", "mnemonic": "call 0x10010dc" } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x7efde000 ", - "ECX": "0x000cff64 ", - "EDX": "0x002115a8", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff20", - "eflags": "0x00000246" - }, - "type": "call", - "obfuscations": [ - { - "type": "callstack tampering : call", - "description": "No ret instruction corresponding to the call" - } - ] - }, - { - "index": 70, - "start": "0x10010dc", - "end": "0x10010f7", - "last_instr": "0x10010f2", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "55", "mnemonic": "push ebp" }, - { "offset": 1, "opcode": "8bec", "mnemonic": "mov ebp, esp" }, - { "offset": 3, "opcode": "81ec00040000", "mnemonic": "sub esp, 0x400" }, - { "offset": 9, "opcode": "53", "mnemonic": "push ebx" }, - { "offset": 10, "opcode": "56", "mnemonic": "push esi" }, - { "offset": 11, "opcode": "57", "mnemonic": "push edi" }, - { "offset": 12, "opcode": "6840200001", "mnemonic": "push 0x1002040" }, - { "offset": 17, "opcode": "6801010000", "mnemonic": "push 0x101" }, - { - "offset": 22, - "opcode": "ff1528100001", - "mnemonic": "call dword ptr [0x1001028]" - } - ], - "registers": { - "EAX": "0x002115a8 ", - "EBX": "0x7efde000 ", - "ECX": "0x753504e8 ", - "EDX": 
"0x002115a8", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff88 ", - "ESP": "0x000cff10", - "eflags": "0x00000246" - }, - "type": "call", - "syscalls": [ - { - "name": "WS2_32.DLL!WSAStartup", - "timestamp": 20.166225, - "arguments": [ - "_IN_ (WORD) [0x000cfaf8] 0x00000101", - "_OUT_ (LPWSADATA) [0x000cfafc] 0x01002040" - ], - "return": "0x00000000", - "output": [ - "[LPWSADATA]", - "[0x01002040] 0x00000101", - "[0x01002042] 0x00000202", - "[0x01002044] \"WinSock 2.0\"", - "[0x0100204f] \"\"", - "[0x0100204f] 0x00000000", - "[0x01002051] 0x00000000", - "[0x01002053] \"\"" - ] - } - ] - }, - { - "index": 71, - "start": "0x10010f8", - "end": "0x10010fc", - "last_instr": "0x10010fb", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "83f8ff", "mnemonic": "cmp eax, -1" }, - { "offset": 3, "opcode": "7511", "mnemonic": "jne 0x100110e" } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x7efde000 ", - "ECX": "0x76e63beb ", - "EDX": "0x00080002", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff0c ", - "ESP": "0x000cfb00", - "eflags": "0x00000246" - }, - "type": "jcc" - }, - { - "index": 72, - "start": "0x100110e", - "end": "0x1001119", - "last_instr": "0x1001118", - "wave": 1, - "instructions": [ - { - "offset": 0, - "opcode": "8b7d0c", - "mnemonic": "mov edi, dword ptr [ebp + 0xc]" - }, - { "offset": 3, "opcode": "33db", "mnemonic": "xor ebx, ebx" }, - { - "offset": 5, - "opcode": "beac100001", - "mnemonic": "mov esi, 0x10010ac" - }, - { "offset": 10, "opcode": "eb07", "mnemonic": "jmp 0x1001121" } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x7efde000 ", - "ECX": "0x76e63beb ", - "EDX": "0x00080002", - "ESI": "0x00000000 ", - "EDI": "0x00000000 ", - "EBP": "0x000cff0c ", - "ESP": "0x000cfb00", - "eflags": "0x00000213" - }, - "type": "jmp" - }, - { - "index": 73, - "start": "0x1001121", - "end": "0x100112a", - "last_instr": "0x1001126", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "56", 
"mnemonic": "push esi" }, - { "offset": 1, "opcode": "57", "mnemonic": "push edi" }, - { - "offset": 2, - "opcode": "ff7508", - "mnemonic": "push dword ptr [ebp + 8]" - }, - { "offset": 5, "opcode": "e84a030000", "mnemonic": "call 0x1001475" } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x00000000 ", - "ECX": "0x76e63beb ", - "EDX": "0x00080002", - "ESI": "0x010010ac ", - "EDI": "0x00211120 ", - "EBP": "0x000cff0c ", - "ESP": "0x000cfb00", - "eflags": "0x00000246" - }, - "type": "call" - }, - { - "index": 74, - "start": "0x1001475", - "end": "0x100148b", - "last_instr": "0x100148a", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "56", "mnemonic": "push esi" }, - { - "offset": 1, - "opcode": "8b3504200001", - "mnemonic": "mov esi, dword ptr [0x1002004]" - }, - { - "offset": 7, - "opcode": "3b742408", - "mnemonic": "cmp esi, dword ptr [esp + 8]" - }, - { - "offset": 11, - "opcode": "c705dc21000134200001", - "mnemonic": "mov dword ptr [0x10021dc], 0x1002034" - }, - { "offset": 21, "opcode": "7c08", "mnemonic": "jl 0x1001494" } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x00000000 ", - "ECX": "0x76e63beb ", - "EDX": "0x00080002", - "ESI": "0x010010ac ", - "EDI": "0x00211120 ", - "EBP": "0x000cff0c ", - "ESP": "0x000cfaf0", - "eflags": "0x00000246" - }, - "type": "jcc" - }, - { - "index": 75, - "start": "0x100148c", - "end": "0x1001493", - "last_instr": "0x100148f", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "83c8ff", "mnemonic": "or eax, 0xffffffff" }, - { "offset": 3, "opcode": "e9c8000000", "mnemonic": "jmp 0x100155c" } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x00000000 ", - "ECX": "0x76e63beb ", - "EDX": "0x00080002", - "ESI": "0x00000001 ", - "EDI": "0x00211120 ", - "EBP": "0x000cff0c ", - "ESP": "0x000cfaec", - "eflags": "0x00000246" - }, - "type": "jmp" - }, - { - "index": 76, - "start": "0x100155c", - "end": "0x100155f", - "last_instr": "0x100155d", - "wave": 1, - "instructions": [ - { 
"offset": 0, "opcode": "5e", "mnemonic": "pop esi" }, - { "offset": 1, "opcode": "c20c00", "mnemonic": "ret 0xc" } - ], - "registers": { - "EAX": "0xffffffff ", - "EBX": "0x00000000 ", - "ECX": "0x76e63beb ", - "EDX": "0x00080002", - "ESI": "0x00000001 ", - "EDI": "0x00211120 ", - "EBP": "0x000cff0c ", - "ESP": "0x000cfaec", - "eflags": "0x00000286" - }, - "type": "ret" - }, - { - "index": 77, - "start": "0x100112b", - "end": "0x100112f", - "last_instr": "0x100112e", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "83f8ff", "mnemonic": "cmp eax, -1" }, - { "offset": 3, "opcode": "75ea", "mnemonic": "jne 0x100111a" } - ], - "registers": { - "EAX": "0xffffffff ", - "EBX": "0x00000000 ", - "ECX": "0x76e63beb ", - "EDX": "0x00080002", - "ESI": "0x010010ac ", - "EDI": "0x00211120 ", - "EBP": "0x000cff0c ", - "ESP": "0x000cfb00", - "eflags": "0x00000286" - }, - "type": "jcc" - }, - { - "index": 78, - "start": "0x1001130", - "end": "0x100113a", - "last_instr": "0x1001139", - "wave": 1, - "instructions": [ - { - "offset": 0, - "opcode": "a104200001", - "mnemonic": "mov eax, dword ptr [0x1002004]" - }, - { - "offset": 5, - "opcode": "833c8700", - "mnemonic": "cmp dword ptr [edi + eax*4], 0" - }, - { "offset": 9, "opcode": "7419", "mnemonic": "je 0x1001154" } - ], - "registers": { - "EAX": "0xffffffff ", - "EBX": "0x00000000 ", - "ECX": "0x76e63beb ", - "EDX": "0x00080002", - "ESI": "0x010010ac ", - "EDI": "0x00211120 ", - "EBP": "0x000cff0c ", - "ESP": "0x000cfb00", - "eflags": "0x00000246" - }, - "type": "jcc" - }, - { - "index": 79, - "start": "0x1001154", - "end": "0x1001165", - "last_instr": "0x1001160", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "6800040000", "mnemonic": "push 0x400" }, - { - "offset": 5, - "opcode": "8d8500fcffff", - "mnemonic": "lea eax, [ebp - 0x400]" - }, - { "offset": 11, "opcode": "50", "mnemonic": "push eax" }, - { - "offset": 12, - "opcode": "ff1524100001", - "mnemonic": "call dword ptr [0x1001024]" - } - ], - 
"registers": { - "EAX": "0x00000001 ", - "EBX": "0x00000000 ", - "ECX": "0x76e63beb ", - "EDX": "0x00080002", - "ESI": "0x010010ac ", - "EDI": "0x00211120 ", - "EBP": "0x000cff0c ", - "ESP": "0x000cfb00", - "eflags": "0x00000246" - }, - "type": "call", - "syscalls": [ - { - "name": "WS2_32.DLL!gethostname", - "timestamp": 20.295551, - "arguments": [ - "_OUT_ (CHAR*) [0x000cfaf8] 0x000cfb0c", - "_IN_ (INT) [0x000cfafc] 0x00000400" - ], - "return": "", - "output": [] - } - ] - }, - { - "index": 80, - "start": "0x1001166", - "end": "0x1001169", - "last_instr": "0x1001168", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "85c0", "mnemonic": "test eax, eax" }, - { "offset": 2, "opcode": "7d13", "mnemonic": "jge 0x100117d" } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x00000000 ", - "ECX": "0xb2ac322f ", - "EDX": "0x00000000", - "ESI": "0x010010ac ", - "EDI": "0x00211120 ", - "EBP": "0x000cff0c ", - "ESP": "0x000cfb00", - "eflags": "0x00000246" - }, - "type": "jcc" - }, - { - "index": 81, - "start": "0x100117d", - "end": "0x1001180", - "last_instr": "0x100117f", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "85db", "mnemonic": "test ebx, ebx" }, - { "offset": 2, "opcode": "7418", "mnemonic": "je 0x1001199" } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x00000000 ", - "ECX": "0xb2ac322f ", - "EDX": "0x00000000", - "ESI": "0x010010ac ", - "EDI": "0x00211120 ", - "EBP": "0x000cff0c ", - "ESP": "0x000cfb00", - "eflags": "0x00000246" - }, - "type": "jcc" - }, - { - "index": 82, - "start": "0x1001199", - "end": "0x10011a1", - "last_instr": "0x100119f", - "wave": 1, - "instructions": [ - { - "offset": 0, - "opcode": "8d8500fcffff", - "mnemonic": "lea eax, [ebp - 0x400]" - }, - { "offset": 6, "opcode": "8d5001", "mnemonic": "lea edx, [eax + 1]" } - ], - "type": "seq" - }, - { - "index": 83, - "start": "0x10011a9", - "end": "0x10011bf", - "last_instr": "0x10011ba", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": 
"2bc2", "mnemonic": "sub eax, edx" }, - { "offset": 2, "opcode": "50", "mnemonic": "push eax" }, - { - "offset": 3, - "opcode": "8d8500fcffff", - "mnemonic": "lea eax, [ebp - 0x400]" - }, - { "offset": 9, "opcode": "50", "mnemonic": "push eax" }, - { - "offset": 10, - "opcode": "8d8500fcffff", - "mnemonic": "lea eax, [ebp - 0x400]" - }, - { "offset": 16, "opcode": "50", "mnemonic": "push eax" }, - { - "offset": 17, - "opcode": "ff151c100001", - "mnemonic": "call dword ptr [0x100101c]" - } - ], - "registers": { - "EAX": "0x000cfb14 ", - "EBX": "0x00000000 ", - "ECX": "0xb2ac3200 ", - "EDX": "0x000cfb0d", - "ESI": "0x010010ac ", - "EDI": "0x00211120 ", - "EBP": "0x000cff0c ", - "ESP": "0x000cfb00", - "eflags": "0x00000246" - }, - "type": "call", - "syscalls": [ - { - "name": "USER32.DLL!CharToOemBuffA", - "timestamp": 20.458695, - "arguments": [ - "_IN_ (LPCTSTR) [0x000cfaf4] \"lhs-PC1\"", - "_OUT_ (LPSTR) [0x000cfaf8] 0x000cfb0c", - "_IN_ (DWORD) [0x000cfafc] 0x00000007" - ], - "return": "TRUE", - "output": ["[0x000cfb0c] \"lhs-PC1\""] - } - ] - }, - { - "index": 84, - "start": "0x10011c0", - "end": "0x10011cc", - "last_instr": "0x10011c7", - "wave": 1, - "instructions": [ - { - "offset": 0, - "opcode": "8d8500fcffff", - "mnemonic": "lea eax, [ebp - 0x400]" - }, - { "offset": 6, "opcode": "50", "mnemonic": "push eax" }, - { - "offset": 7, - "opcode": "ff1570100001", - "mnemonic": "call dword ptr [0x1001070]" - } - ], - "registers": { - "EAX": "0x00000001 ", - "EBX": "0x00000000 ", - "ECX": "0x000cfb13 ", - "EDX": "0x00000031", - "ESI": "0x010010ac ", - "EDI": "0x00211120 ", - "EBP": "0x000cff0c ", - "ESP": "0x000cfb00", - "eflags": "0x00000202" - }, - "type": "call", - "syscalls": [ - { - "name": "MSVCRT.DLL!puts", - "timestamp": 20.469856, - "arguments": ["_IN_ (CHAR*) [0x000cfafc] \"lhs-PC1\""], - "return": "0x00000000", - "output": [] - } - ] - }, - { - "index": 85, - "start": "0x10011cd", - "end": "0x10011d5", - "last_instr": "0x10011d0", - "wave": 1, - 
"instructions": [ - { "offset": 0, "opcode": "59", "mnemonic": "pop ecx" }, - { "offset": 1, "opcode": "6a00", "mnemonic": "push 0" }, - { - "offset": 3, - "opcode": "ff1574100001", - "mnemonic": "call dword ptr [0x1001074]" - } - ], - "registers": { - "EAX": "0x00000000 ", - "EBX": "0x00000000 ", - "ECX": "0x75328e62 ", - "EDX": "0x0008e3c8", - "ESI": "0x010010ac ", - "EDI": "0x00211120 ", - "EBP": "0x000cff0c ", - "ESP": "0x000cfafc", - "eflags": "0x00000246" - }, - "type": "call", - "syscalls": [ - { - "name": "MSVCRT.DLL!exit", - "timestamp": 20.499071, - "arguments": ["_IN_ (INT) [0x000cfafc] 0x00000000"], - "return": "", - "output": [] - } - ] - }, - { - "index": 86, - "start": "0x1005a4b", - "end": "0x1005a50", - "last_instr": "0x1005a4f", - "wave": 0, - "instructions": [ - { "offset": 0, "opcode": "6a00", "mnemonic": "push 0" }, - { "offset": 2, "opcode": "39c4", "mnemonic": "cmp esp, eax" }, - { "offset": 4, "opcode": "75fa", "mnemonic": "jne 0x1005a4b" } - ], - "type": "jcc" - }, - { - "index": 87, - "start": "0x10011a2", - "end": "0x10011a8", - "last_instr": "0x10011a7", - "wave": 1, - "instructions": [ - { "offset": 0, "opcode": "8a08", "mnemonic": "mov cl, byte ptr [eax]" }, - { "offset": 2, "opcode": "40", "mnemonic": "inc eax" }, - { "offset": 3, "opcode": "84c9", "mnemonic": "test cl, cl" }, - { "offset": 5, "opcode": "75f9", "mnemonic": "jne 0x10011a2" } - ], - "type": "jcc" - }, - { - "index": 88, - "start": "0x0", - "end": "0x0", - "wave": 0, - "type": "scall", - "function_identifier": "KERNEL32.DLL!LoadLibraryA" - }, - { - "index": 89, - "start": "0x0", - "end": "0x0", - "wave": 0, - "type": "scall", - "function_identifier": "KERNEL32.DLL!GetProcAddress" - }, - { - "index": 90, - "start": "0x0", - "end": "0x0", - "wave": 0, - "type": "scall", - "function_identifier": "KERNEL32.DLL!GetProcAddressOrdinal" - }, - { - "index": 91, - "start": "0x0", - "end": "0x0", - "wave": 0, - "type": "scall", - "function_identifier": "KERNEL32.DLL!VirtualProtect" 
- }, - { - "index": 92, - "start": "0x0", - "end": "0x0", - "wave": 0, - "type": "scall", - "function_identifier": "KERNEL32.DLL!GetModuleHandleA" - }, - { - "index": 93, - "start": "0x0", - "end": "0x0", - "wave": 0, - "type": "scall", - "function_identifier": "MSVCRT.DLL!__set_app_type" - }, - { - "index": 94, - "start": "0x0", - "end": "0x0", - "wave": 0, - "type": "scall", - "function_identifier": "MSVCRT.DLL!__p__fmode" - }, - { - "index": 95, - "start": "0x0", - "end": "0x0", - "wave": 0, - "type": "scall", - "function_identifier": "MSVCRT.DLL!__p__commode" - }, - { - "index": 96, - "start": "0x0", - "end": "0x0", - "wave": 0, - "type": "scall", - "function_identifier": "MSVCRT.DLL!_controlfp" - }, - { - "index": 97, - "start": "0x0", - "end": "0x0", - "wave": 0, - "type": "scall", - "function_identifier": "MSVCRT.DLL!_initterm" - }, - { - "index": 98, - "start": "0x0", - "end": "0x0", - "wave": 0, - "type": "scall", - "function_identifier": "MSVCRT.DLL!__getmainargs" - }, - { - "index": 99, - "start": "0x0", - "end": "0x0", - "wave": 0, - "type": "scall", - "function_identifier": "WS2_32.DLL!WSAStartup" - }, - { - "index": 100, - "start": "0x0", - "end": "0x0", - "wave": 0, - "type": "scall", - "function_identifier": "WS2_32.DLL!gethostname" - }, - { - "index": 101, - "start": "0x0", - "end": "0x0", - "wave": 0, - "type": "scall", - "function_identifier": "USER32.DLL!CharToOemBuffA" - }, - { - "index": 102, - "start": "0x0", - "end": "0x0", - "wave": 0, - "type": "scall", - "function_identifier": "MSVCRT.DLL!puts" - }, - { - "index": 103, - "start": "0x0", - "end": "0x0", - "wave": 0, - "type": "scall", - "function_identifier": "MSVCRT.DLL!exit" - } - ], - "edges": [ - { "src": 0, "dest": 1, "type": "child" }, - { "src": 1, "dest": 3, "type": "child" }, - { "src": 2, "dest": 16, "type": "child" }, - { "src": 3, "dest": 4, "type": "child" }, - { "src": 3, "dest": 2, "type": "child" }, - { "src": 4, "dest": 25, "type": "child" }, - { "src": 5, "dest": 24, 
"type": "child" }, - { "src": 5, "dest": 6, "type": "child" }, - { "src": 6, "dest": 12, "type": "child" }, - { "src": 6, "dest": 29, "type": "child" }, - { "src": 7, "dest": 28, "type": "child" }, - { "src": 8, "dest": 19, "type": "child" }, - { "src": 8, "dest": 9, "type": "child" }, - { "src": 9, "dest": 30, "type": "child" }, - { "src": 10, "dest": 11, "type": "child" }, - { "src": 10, "dest": 10, "type": "child" }, - { "src": 11, "dest": 16, "type": "child" }, - { "src": 12, "dest": 13, "type": "child" }, - { "src": 12, "dest": 31, "type": "child" }, - { "src": 13, "dest": 29, "type": "child" }, - { "src": 14, "dest": 15, "type": "child" }, - { "src": 14, "dest": 14, "type": "child" }, - { "src": 15, "dest": 16, "type": "child" }, - { "src": 16, "dest": 1, "type": "child" }, - { "src": 16, "dest": 3, "type": "child" }, - { "src": 17, "dest": 18, "type": "child" }, - { "src": 18, "dest": 5, "type": "child" }, - { "src": 18, "dest": 25, "type": "child" }, - { "src": 19, "dest": 9, "type": "child" }, - { "src": 19, "dest": 28, "type": "child" }, - { "src": 20, "dest": 21, "type": "child" }, - { "src": 21, "dest": 22, "type": "child" }, - { "src": 21, "dest": 23, "type": "child" }, - { "src": 22, "dest": 23, "type": "child" }, - { "src": 23, "dest": 7, "type": "child" }, - { "src": 23, "dest": 30, "type": "child" }, - { "src": 24, "dest": 6, "type": "child" }, - { "src": 24, "dest": 25, "type": "child" }, - { "src": 25, "dest": 17, "type": "child" }, - { "src": 25, "dest": 18, "type": "child" }, - { "src": 26, "dest": 27, "type": "child" }, - { "src": 27, "dest": 8, "type": "child" }, - { "src": 27, "dest": 28, "type": "child" }, - { "src": 28, "dest": 26, "type": "child" }, - { "src": 28, "dest": 27, "type": "child" }, - { "src": 29, "dest": 20, "type": "child" }, - { "src": 29, "dest": 21, "type": "child" }, - { "src": 30, "dest": 10, "type": "child" }, - { "src": 30, "dest": 14, "type": "child" }, - { "src": 31, "dest": 34, "type": "child" }, - { "src": 32, 
"dest": 33, "type": "child" }, - { "src": 33, "dest": 35, "type": "child" }, - { "src": 33, "dest": 34, "type": "child" }, - { "src": 34, "dest": 32, "type": "child" }, - { "src": 35, "dest": 42, "type": "child" }, - { "src": 36, "dest": 88, "type": "child" }, - { "src": 37, "dest": 41, "type": "child" }, - { "src": 38, "dest": 43, "type": "child" }, - { "src": 39, "dest": 40, "type": "child" }, - { "src": 40, "dest": 41, "type": "child" }, - { "src": 41, "dest": 38, "type": "child" }, - { "src": 41, "dest": 42, "type": "child" }, - { "src": 42, "dest": 36, "type": "child" }, - { "src": 42, "dest": 44, "type": "child" }, - { "src": 43, "dest": 89, "type": "child" }, - { "src": 43, "dest": 90, "type": "child" }, - { "src": 44, "dest": 91, "type": "child" }, - { "src": 45, "dest": 91, "type": "child" }, - { "src": 46, "dest": 86, "type": "child" }, - { "src": 47, "dest": 48, "type": "child" }, - { "src": 48, "dest": 49, "type": "child" }, - { "src": 49, "dest": 50, "type": "child" }, - { "src": 50, "dest": 92, "type": "child" }, - { "src": 51, "dest": 52, "type": "child" }, - { "src": 52, "dest": 53, "type": "child" }, - { "src": 53, "dest": 54, "type": "child" }, - { "src": 54, "dest": 55, "type": "child" }, - { "src": 55, "dest": 93, "type": "child" }, - { "src": 56, "dest": 94, "type": "child" }, - { "src": 57, "dest": 95, "type": "child" }, - { "src": 58, "dest": 59, "type": "child" }, - { "src": 59, "dest": 60, "type": "child" }, - { "src": 60, "dest": 61, "type": "child" }, - { "src": 61, "dest": 62, "type": "child" }, - { "src": 62, "dest": 63, "type": "child" }, - { "src": 63, "dest": 96, "type": "child" }, - { "src": 64, "dest": 65, "type": "child" }, - { "src": 65, "dest": 66, "type": "child" }, - { "src": 66, "dest": 97, "type": "child" }, - { "src": 67, "dest": 98, "type": "child" }, - { "src": 68, "dest": 66, "type": "child" }, - { "src": 69, "dest": 70, "type": "child" }, - { "src": 70, "dest": 99, "type": "child" }, - { "src": 71, "dest": 72, "type": 
"child" }, - { "src": 72, "dest": 73, "type": "child" }, - { "src": 73, "dest": 74, "type": "child" }, - { "src": 74, "dest": 75, "type": "child" }, - { "src": 75, "dest": 76, "type": "child" }, - { "src": 76, "dest": 77, "type": "child" }, - { "src": 77, "dest": 78, "type": "child" }, - { "src": 78, "dest": 79, "type": "child" }, - { "src": 79, "dest": 100, "type": "child" }, - { "src": 80, "dest": 81, "type": "child" }, - { "src": 81, "dest": 82, "type": "child" }, - { "src": 82, "dest": 87, "type": "child" }, - { "src": 83, "dest": 101, "type": "child" }, - { "src": 84, "dest": 102, "type": "child" }, - { "src": 85, "dest": 103, "type": "child" }, - { "src": 86, "dest": 47, "type": "child" }, - { "src": 86, "dest": 86, "type": "child" }, - { "src": 87, "dest": 83, "type": "child" }, - { "src": 87, "dest": 87, "type": "child" }, - { "src": 88, "dest": 37, "type": "child" }, - { "src": 89, "dest": 39, "type": "child" }, - { "src": 90, "dest": 39, "type": "child" }, - { "src": 91, "dest": 45, "type": "child" }, - { "src": 91, "dest": 46, "type": "child" }, - { "src": 92, "dest": 51, "type": "child" }, - { "src": 93, "dest": 56, "type": "child" }, - { "src": 94, "dest": 57, "type": "child" }, - { "src": 95, "dest": 58, "type": "child" }, - { "src": 96, "dest": 64, "type": "child" }, - { "src": 97, "dest": 67, "type": "child" }, - { "src": 97, "dest": 69, "type": "child" }, - { "src": 98, "dest": 68, "type": "child" }, - { "src": 99, "dest": 71, "type": "child" }, - { "src": 100, "dest": 80, "type": "child" }, - { "src": 101, "dest": 84, "type": "child" }, - { "src": 102, "dest": 85, "type": "child" } - ] -} diff --git a/utils.py b/utils.py deleted file mode 100644 index 4f45633..0000000 --- a/utils.py +++ /dev/null 
@@ -1,44 +0,0 @@
-from enum import Enum
-
-import lief
-
-
-class Instructions(list[int], Enum):
-    RET = [0xC3]
-    PUSH = [0x68]
-    MOV_REG = [0xC7]
-    CALL_ADDR = [0xFF, 0x15]
-    JUMP_ADDR = [0xFF, 0x25]
-
-
-def is_32b(pe: lief.PE.Binary):
-    return pe.abstract.header.is_32
-
-
-def is_little_endian(pe: lief.PE.Binary):
-    return pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE
-
-
-def hex_address_to_memory_representation(hex_addr: str, is_32b: bool, is_little_endian: bool) -> list[int]:
-    adress_size = 4 if is_32b else 8
-    mem_value = [0x00] * adress_size
-    hex_addr = hex_addr[::-1][:-2] # reversing order and stripping zero
-    for i in range(0, adress_size):
-        byte_str = hex_addr[i * 2 : (i + 1) * 2][::-1]
-        mem_value[i] += int(byte_str, 16)
-    if not is_little_endian:
-        mem_value = mem_value[::-1] # reverse byte order for big endian
-    return mem_value
-
-
-verbose = False
-
-
-def print_debug(msg: str):
-    if verbose:
-        print(msg)
-
-
-def set_verbose(value: bool):
-    global verbose
-    verbose = value