{ "nodes": [ { "index": 0, "start": "0x10058c0", "end": "0x10058d1", "last_instr": "0x10058d0", "wave": 0, "instructions": [ { "offset": 0, "opcode": "60", "mnemonic": "pushal " }, { "offset": 1, "opcode": "be00500001", "mnemonic": "mov esi, 0x1005000" }, { "offset": 6, "opcode": "8dbe00c0ffff", "mnemonic": "lea edi, [esi - 0x4000]" }, { "offset": 12, "opcode": "57", "mnemonic": "push edi" }, { "offset": 13, "opcode": "83cdff", "mnemonic": "or ebp, 0xffffffff" }, { "offset": 16, "opcode": "eb10", "mnemonic": "jmp 0x10058e2" } ], "registers": { "EAX": "0x759633b8 ", "EBX": "0x7efde000 ", "ECX": "0x00000000 ", "EDX": "0x010058c0", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff94 ", "ESP": "0x000cff8c", "eflags": "0x00000246" }, "type": "jmp" }, { "index": 1, "start": "0x10058e2", "end": "0x10058e8", "last_instr": "0x10058e7", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8b1e", "mnemonic": "mov ebx, dword ptr [esi]" }, { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" } ], "type": "seq" }, { "index": 2, "start": "0x10058d8", "end": "0x10058dd", "last_instr": "0x10058dd", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8a06", "mnemonic": "mov al, byte ptr [esi]" }, { "offset": 2, "opcode": "46", "mnemonic": "inc esi" }, { "offset": 3, "opcode": "8807", "mnemonic": "mov byte ptr [edi], al" }, { "offset": 5, "opcode": "47", "mnemonic": "inc edi" } ], "type": "seq" }, { "index": 3, "start": "0x10058e9", "end": "0x10058ea", "last_instr": "0x10058e9", "wave": 0, "instructions": [ { "offset": 0, "opcode": "72ed", "mnemonic": "jb 0x10058d8" } ], "type": "jcc" }, { "index": 4, "start": "0x10058eb", "end": "0x10058ef", "last_instr": "0x10058eb", "wave": 0, "instructions": [ { "offset": 0, "opcode": "b801000000", "mnemonic": "mov eax, 1" } ], "type": "seq" }, { "index": 5, "start": "0x1005901", "end": "0x1005902", "last_instr": "0x1005901", "wave": 0, "instructions": [ { "offset": 0, "opcode": "7509", "mnemonic": "jne 0x100590c" } ], "registers": { "EAX": "0x00000002 ", "EBX": "0x0881f9b8 ", "ECX": "0x00000000 ", "EDX": "0x010058c0", "ESI": "0x01005005 ", "EDI": "0x01001001 ", "EBP": "0xffffffff ", "ESP": "0x000cff68", "eflags": "0x00000a17" }, "type": "jcc" }, { "index": 6, "start": "0x100590c", "end": "0x1005912", "last_instr": "0x1005911", "wave": 0, "instructions": [ { "offset": 0, "opcode": "31c9", "mnemonic": "xor ecx, ecx" }, { "offset": 2, "opcode": "83e803", "mnemonic": "sub eax, 3" }, { "offset": 5, "opcode": "720d", "mnemonic": "jb 0x1005920" } ], "registers": { "EAX": "0x00000002 ", "EBX": "0x0881f9b8 ", "ECX": "0x00000000 ", "EDX": "0x010058c0", "ESI": "0x01005005 ", "EDI": "0x01001001 ", "EBP": "0xffffffff ", "ESP": "0x000cff68", "eflags": "0x00000a17" }, "type": "jcc" }, { "index": 7, "start": "0x100593c", "end": "0x100593c", "last_instr": "0x100593c", "wave": 0, "instructions": [{ "offset": 0, "opcode": "41", "mnemonic": "inc ecx" }], "type": "seq" }, { "index": 8, "start": "0x100594e", "end": "0x100594f", "last_instr": "0x100594e", "wave": 0, "instructions": [ { "offset": 0, "opcode": "7509", "mnemonic": "jne 0x1005959" } ], "registers": { "EAX": "0xffffffff ", "EBX": "0xf9b80000 ", "ECX": "0x000000a8 ", "EDX": "0x010058c0", "ESI": "0x01005005 ", "EDI": "0x01001001 ", "EBP": "0xffffffff ", "ESP": "0x000cff68", "eflags": "0x00000287" }, "type": "jcc" }, { "index": 9, "start": "0x1005959", "end": "0x100595b", "last_instr": "0x1005959", "wave": 0, "instructions": [ { "offset": 0, "opcode": "83c102", "mnemonic": "add ecx, 2" } ], "type": "seq" }, { "index": 10, "start": "0x100596d", "end": "0x1005975", "last_instr": "0x1005974", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8a02", "mnemonic": "mov al, byte ptr [edx]" }, { "offset": 2, "opcode": "42", "mnemonic": "inc edx" }, { "offset": 3, "opcode": "8807", "mnemonic": "mov byte ptr [edi], al" }, { "offset": 5, "opcode": "47", "mnemonic": "inc edi" }, { "offset": 6, "opcode": "49", "mnemonic": "dec ecx" }, { "offset": 7, "opcode": "75f7", "mnemonic": "jne 0x100596d" } ], "registers": { "EAX": "0xffffffff ", "EBX": "0xf9b80000 ", "ECX": "0x000000ab ", "EDX": "0x01001000", "ESI": "0x01005005 ", "EDI": "0x01001001 ", "EBP": "0xffffffff ", "ESP": "0x000cff68", "eflags": "0x00000206" }, "type": "jcc" }, { "index": 11, "start": "0x1005976", "end": "0x100597a", "last_instr": "0x1005976", "wave": 0, "instructions": [ { "offset": 0, "opcode": "e963ffffff", "mnemonic": "jmp 0x10058de" } ], "registers": { "EAX": "0xffffff00 ", "EBX": "0xf9b80000 ", "ECX": "0x00000000 ", "EDX": "0x010010ab", "ESI": "0x01005005 ", "EDI": "0x010010ac ", "EBP": "0xffffffff ", "ESP": "0x000cff68", "eflags": "0x00000246" }, "type": "jmp" }, { "index": 12, "start": "0x1005913", "end": "0x100591d", "last_instr": "0x100591c", "wave": 0, "instructions": [ { "offset": 0, "opcode": "c1e008", "mnemonic": "shl eax, 8" }, { "offset": 3, "opcode": "8a06", "mnemonic": "mov al, byte ptr [esi]" }, { "offset": 5, "opcode": "46", "mnemonic": "inc esi" }, { "offset": 6, "opcode": "83f0ff", "mnemonic": "xor eax, 0xffffffff" }, { "offset": 9, "opcode": "7474", "mnemonic": "je 0x1005992" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0xbdff37e0 ", "ECX": "0x00000000 ", "EDX": "0x010010b3", "ESI": "0x01005013 ", "EDI": "0x010010b9 ", "EBP": "0xffffffff ", "ESP": "0x000cff68", "eflags": "0x00000246" }, "type": "jcc" }, { "index": 13, "start": "0x100591e", "end": "0x100591f", "last_instr": "0x100591e", "wave": 0, "instructions": [ { "offset": 0, "opcode": "89c5", "mnemonic": "mov ebp, eax" } ], "type": "seq" }, { "index": 14, "start": "0x100597c", "end": "0x100598a", "last_instr": "0x1005989", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8b02", "mnemonic": "mov eax, dword ptr [edx]" }, { "offset": 2, "opcode": "83c204", "mnemonic": "add edx, 4" }, { "offset": 5, "opcode": "8907", "mnemonic": "mov dword ptr [edi], eax" }, { "offset": 7, "opcode": "83c704", "mnemonic": "add edi, 4" }, { "offset": 10, "opcode": "83e904", "mnemonic": "sub ecx, 4" }, { "offset": 13, "opcode": "77f1", "mnemonic": "ja 0x100597c" } ], "registers": { "EAX": "0xfffffffc ", "EBX": "0xf7fcdf80 ", "ECX": "0x00000003 ", "EDX": "0x010010b5", "ESI": "0x01005014 ", "EDI": "0x010010b9 ", "EBP": "0xfffffffc ", "ESP": "0x000cff68", "eflags": "0x00000246" }, "type": "jcc" }, { "index": 15, "start": "0x100598b", "end": "0x1005991", "last_instr": "0x100598d", "wave": 0, "instructions": [ { "offset": 0, "opcode": "01cf", "mnemonic": "add edi, ecx" }, { "offset": 2, "opcode": "e94cffffff", "mnemonic": "jmp 0x10058de" } ], "registers": { "EAX": "0x2c010013 ", "EBX": "0xf7fcdf80 ", "ECX": "0xffffffff ", "EDX": "0x010010b9", "ESI": "0x01005014 ", "EDI": "0x010010bd ", "EBP": "0xfffffffc ", "ESP": "0x000cff68", "eflags": "0x00000297" }, "type": "jmp" }, { "index": 16, "start": "0x10058de", "end": "0x10058e1", "last_instr": "0x10058e0", "wave": 0, "instructions": [ { "offset": 0, "opcode": "01db", "mnemonic": "add ebx, ebx" }, { "offset": 2, "opcode": "7507", "mnemonic": "jne 0x10058e9" } ], "type": "jcc" }, { "index": 17, "start": "0x10058f4", "end": "0x10058fa", "last_instr": "0x10058f9", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8b1e", "mnemonic": "mov ebx, dword ptr [esi]" }, { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" } ], "type": "seq" }, { "index": 18, "start": "0x10058fb", "end": "0x1005900", "last_instr": "0x10058ff", "wave": 0, "instructions": [ { "offset": 0, "opcode": "11c0", "mnemonic": "adc eax, eax" }, { "offset": 2, "opcode": "01db", "mnemonic": "add ebx, ebx" }, { "offset": 4, "opcode": "73ef", "mnemonic": "jae 0x10058f0" } ], "type": "jcc" }, { "index": 19, "start": "0x1005950", "end": "0x1005958", "last_instr": "0x1005957", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8b1e", "mnemonic": "mov ebx, dword ptr [esi]" }, { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" }, { "offset": 7, "opcode": "73e4", "mnemonic": "jae 0x100593d" } ], "registers": { "EAX": "0xffffffff ", "EBX": "0x00000000 ", "ECX": "0x00000005 ", "EDX": "0x01001105", "ESI": "0x010050ae ", "EDI": "0x01001173 ", "EBP": "0xffffff93 ", "ESP": "0x000cff68", "eflags": "0x00000a47" }, "type": "jcc" }, { "index": 20, "start": "0x1005924", "end": "0x100592a", "last_instr": "0x1005929", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8b1e", "mnemonic": "mov ebx, dword ptr [esi]" }, { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" } ], "type": "seq" }, { "index": 21, "start": "0x100592b", "end": "0x1005930", "last_instr": "0x100592f", "wave": 0, "instructions": [ { "offset": 0, "opcode": "11c9", "mnemonic": "adc ecx, ecx" }, { "offset": 2, "opcode": "01db", "mnemonic": "add ebx, ebx" }, { "offset": 4, "opcode": "7507", "mnemonic": "jne 0x1005938" } ], "type": "jcc" }, { "index": 22, "start": "0x1005931", "end": "0x1005937", "last_instr": "0x1005936", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8b1e", "mnemonic": "mov ebx, dword ptr [esi]" }, { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" } ], "type": "seq" }, { "index": 23, "start": "0x1005938", "end": "0x100593b", "last_instr": "0x100593a", "wave": 0, "instructions": [ { "offset": 0, "opcode": "11c9", "mnemonic": "adc ecx, ecx" }, { "offset": 2, "opcode": "7520", "mnemonic": "jne 0x100595c" } ], "type": "jcc" }, { "index": 24, "start": "0x1005903", "end": "0x100590b", "last_instr": "0x100590a", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8b1e", "mnemonic": "mov ebx, dword ptr [esi]" }, { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" }, { "offset": 7, "opcode": "73e4", "mnemonic": "jae 0x10058f0" } ], "registers": { "EAX": "0x00000002 ", "EBX": "0x00000000 ", "ECX": "0xfffffffd ", "EDX": "0x010011bf", "ESI": "0x010050dd ", "EDI": "0x010011ca ", "EBP": "0xfffffff3 ", "ESP": "0x000cff68", "eflags": "0x00000a47" }, "type": "jcc" }, { "index": 25, "start": "0x10058f0", "end": "0x10058f3", "last_instr": "0x10058f2", "wave": 0, "instructions": [ { "offset": 0, "opcode": "01db", "mnemonic": "add ebx, ebx" }, { "offset": 2, "opcode": "7507", "mnemonic": "jne 0x10058fb" } ], "type": "jcc" }, { "index": 26, "start": "0x1005941", "end": "0x1005947", "last_instr": "0x1005946", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8b1e", "mnemonic": "mov ebx, dword ptr [esi]" }, { "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" }, { "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" } ], "type": "seq" }, { "index": 27, "start": "0x1005948", "end": "0x100594d", "last_instr": "0x100594c", "wave": 0, "instructions": [ { "offset": 0, "opcode": "11c9", "mnemonic": "adc ecx, ecx" }, { "offset": 2, "opcode": "01db", "mnemonic": "add ebx, ebx" }, { "offset": 4, "opcode": "73ef", "mnemonic": "jae 0x100593d" } ], "type": "jcc" }, { "index": 28, "start": "0x100593d", "end": "0x1005940", "last_instr": "0x100593f", "wave": 0, "instructions": [ { "offset": 0, "opcode": "01db", "mnemonic": "add ebx, ebx" }, { "offset": 2, "opcode": "7507", "mnemonic": "jne 0x1005948" } ], "type": "jcc" }, { "index": 29, "start": "0x1005920", "end": "0x1005923", "last_instr": "0x1005922", "wave": 0, "instructions": [ { "offset": 0, "opcode": "01db", "mnemonic": "add ebx, ebx" }, { "offset": 2, "opcode": "7507", "mnemonic": "jne 0x100592b" } ], "type": "jcc" }, { "index": 30, "start": "0x100595c", "end": "0x100596c", "last_instr": "0x100596b", "wave": 0, "instructions": [ { "offset": 0, "opcode": "81fd00f3ffff", "mnemonic": "cmp ebp, 0xfffff300" }, { "offset": 6, "opcode": "83d101", "mnemonic": "adc ecx, 1" }, { "offset": 9, "opcode": "8d142f", "mnemonic": "lea edx, [edi + ebp]" }, { "offset": 12, "opcode": "83fdfc", "mnemonic": "cmp ebp, -4" }, { "offset": 15, "opcode": "760f", "mnemonic": "jbe 0x100597c" } ], "type": "jcc" }, { "index": 31, "start": "0x1005992", "end": "0x100599e", "last_instr": "0x100599d", "wave": 0, "instructions": [ { "offset": 0, "opcode": "5e", "mnemonic": "pop esi" }, { "offset": 1, "opcode": "89f7", "mnemonic": "mov edi, esi" }, { "offset": 3, "opcode": "b913000000", "mnemonic": "mov ecx, 0x13" }, { "offset": 8, "opcode": "8a07", "mnemonic": "mov al, byte ptr [edi]" }, { "offset": 10, "opcode": "47", "mnemonic": "inc edi" }, { "offset": 11, "opcode": "2ce8", "mnemonic": "sub al, 0xe8" } ], "type": "seq" }, { "index": 32, "start": "0x10059a3", "end": "0x10059a7", "last_instr": "0x10059a6", "wave": 0, "instructions": [ { "offset": 0, "opcode": "803f01", "mnemonic": "cmp byte ptr [edi], 1" }, { "offset": 3, "opcode": "75f2", "mnemonic": "jne 0x100599a" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x10000000 ", "ECX": "0x00000013 ", "EDX": "0x01003e20", "ESI": "0x01001000 ", "EDI": "0x0100110a ", "EBP": "0xfffffb47 ", "ESP": "0x000cff6c", "eflags": "0x00000297" }, "type": "jcc" }, { "index": 33, "start": "0x10059a8", "end": "0x10059c5", "last_instr": "0x10059c4", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8b07", "mnemonic": "mov eax, dword ptr [edi]" }, { "offset": 2, "opcode": "8a5f04", "mnemonic": "mov bl, byte ptr [edi + 4]" }, { "offset": 5, "opcode": "66c1e808", "mnemonic": "shr ax, 8" }, { "offset": 9, "opcode": "c1c010", "mnemonic": "rol eax, 0x10" }, { "offset": 12, "opcode": "86c4", "mnemonic": "xchg ah, al" }, { "offset": 14, "opcode": "29f8", "mnemonic": "sub eax, edi" }, { "offset": 16, "opcode": "80ebe8", "mnemonic": "sub bl, 0xe8" }, { "offset": 19, "opcode": "01f0", "mnemonic": "add eax, esi" }, { "offset": 21, "opcode": "8907", "mnemonic": "mov dword ptr [edi], eax" }, { "offset": 23, "opcode": "83c705", "mnemonic": "add edi, 5" }, { "offset": 26, "opcode": "88d8", "mnemonic": "mov al, bl" }, { "offset": 28, "opcode": "e2d9", "mnemonic": "loop 0x100599f" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x10000000 ", "ECX": "0x00000013 ", "EDX": "0x01003e20", "ESI": "0x01001000 ", "EDI": "0x0100110a ", "EBP": "0xfffffb47 ", "ESP": "0x000cff6c", "eflags": "0x00000246" }, "type": "jcc" }, { "index": 34, "start": "0x100599f", "end": "0x10059a2", "last_instr": "0x10059a1", "wave": 0, "instructions": [ { "offset": 0, "opcode": "3c01", "mnemonic": "cmp al, 1" }, { "offset": 2, "opcode": "77f7", "mnemonic": "ja 0x100599a" } ], "type": "jcc" }, { "index": 35, "start": "0x10059c6", "end": "0x10059cb", "last_instr": "0x10059c6", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8dbe00300000", "mnemonic": "lea edi, [esi + 0x3000]" } ], "type": "seq" }, { "index": 36, "start": "0x10059d2", "end": "0x10059e7", "last_instr": "0x10059e2", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8b5f04", "mnemonic": "mov ebx, dword ptr [edi + 4]" }, { "offset": 3, "opcode": "8d84301c540000", "mnemonic": "lea eax, [eax + esi + 0x541c]" }, { "offset": 10, "opcode": "01f3", "mnemonic": "add ebx, esi" }, { "offset": 12, "opcode": "50", "mnemonic": "push eax" }, { "offset": 13, "opcode": "83c708", "mnemonic": "add edi, 8" }, { "offset": 16, "opcode": "ff9694540000", "mnemonic": "call dword ptr [esi + 0x5494]" } ], "registers": { "EAX": "0x000000b4 ", "EBX": "0x100000df ", "ECX": "0x00000000 ", "EDX": "0x01003e20", "ESI": "0x01001000 ", "EDI": "0x01004000 ", "EBP": "0xfffffb47 ", "ESP": "0x000cff6c", "eflags": "0x00000206" }, "type": "call", "syscalls": [ { "name": "KERNEL32.DLL!LoadLibraryA", "timestamp": 19.825597, "arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"KERNEL32.DLL\""], "return": "0x75950000", "output": [] }, { "name": "KERNEL32.DLL!LoadLibraryA", "timestamp": 19.913203, "arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"msvcrt.dll\""], "return": "0x752b0000", "output": [] }, { "name": "KERNEL32.DLL!LoadLibraryA", "timestamp": 19.913203, "arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"MSWSOCK.dll\""], "return": "0x6c880000", "output": [] }, { "name": "KERNEL32.DLL!LoadLibraryA", "timestamp": 19.913203, "arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"USER32.dll\""], "return": "0x76ac0000", "output": [] }, { "name": "KERNEL32.DLL!LoadLibraryA", "timestamp": 19.913203, "arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"WS2_32.dll\""], "return": "0x76e60000", "output": [] } ] }, { "index": 37, "start": "0x10059e8", "end": "0x10059e8", "last_instr": "0x10059e8", "wave": 0, "instructions": [ { "offset": 0, "opcode": "95", "mnemonic": "xchg eax, ebp" } ], "type": "seq" }, { "index": 38, "start": "0x10059f0", "end": "0x10059f3", "last_instr": "0x10059f2", "wave": 0, "instructions": [ { "offset": 0, "opcode": "89f9", "mnemonic": "mov ecx, edi" }, { "offset": 2, "opcode": "7907", "mnemonic": "jns 0x10059fb" } ], "registers": { "EAX": "0xfffffb01 ", "EBX": "0x01001000 ", "ECX": "0x00000002 ", "EDX": "0x00000001", "ESI": "0x01001000 ", "EDI": "0x01004009 ", "EBP": "0x75950000 ", "ESP": "0x000cff6c", "eflags": "0x00000202" }, "type": "jcc" }, { "index": 39, "start": "0x1005a06", "end": "0x1005a09", "last_instr": "0x1005a08", "wave": 0, "instructions": [ { "offset": 0, "opcode": "09c0", "mnemonic": "or eax, eax" }, { "offset": 2, "opcode": "7407", "mnemonic": "je 0x1005a11" } ], "registers": { "EAX": "0x75985fbd ", "EBX": "0x01001000 ", "ECX": "0x75950000 ", "EDX": "0x75950000", "ESI": "0x01001000 ", "EDI": "0x01004018 ", "EBP": "0x75950000 ", "ESP": "0x000cff6c", "eflags": "0x00000206" }, "type": "jcc" }, { "index": 40, "start": "0x1005a0a", "end": "0x1005a10", "last_instr": "0x1005a0f", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8903", "mnemonic": "mov dword ptr [ebx], eax" }, { "offset": 2, "opcode": "83c304", "mnemonic": "add ebx, 4" }, { "offset": 5, "opcode": "ebd8", "mnemonic": "jmp 0x10059e9" } ], "registers": { "EAX": "0x75985fbd ", "EBX": "0x01001000 ", "ECX": "0x75950000 ", "EDX": "0x75950000", "ESI": "0x01001000 ", "EDI": "0x01004018 ", "EBP": "0x75950000 ", "ESP": "0x000cff6c", "eflags": "0x00000206" }, "type": "jmp" }, { "index": 41, "start": "0x10059e9", "end": "0x10059ef", "last_instr": "0x10059ee", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8a07", "mnemonic": "mov al, byte ptr [edi]" }, { "offset": 2, "opcode": "47", "mnemonic": "inc edi" }, { "offset": 3, "opcode": "08c0", "mnemonic": "or al, al" }, { "offset": 5, "opcode": "74dc", "mnemonic": "je 0x10059cc" } ], "type": "jcc" }, { "index": 42, "start": "0x10059cc", "end": "0x10059d1", "last_instr": "0x10059d0", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8b07", "mnemonic": "mov eax, dword ptr [edi]" }, { "offset": 2, "opcode": "09c0", "mnemonic": "or eax, eax" }, { "offset": 4, "opcode": "7445", "mnemonic": "je 0x1005a17" } ], "type": "jcc" }, { "index": 43, "start": "0x10059f4", "end": "0x1005a05", "last_instr": "0x1005a00", "wave": 0, "instructions": [ { "offset": 0, "opcode": "0fb707", "mnemonic": "movzx eax, word ptr [edi]" }, { "offset": 3, "opcode": "47", "mnemonic": "inc edi" }, { "offset": 4, "opcode": "50", "mnemonic": "push eax" }, { "offset": 5, "opcode": "47", "mnemonic": "inc edi" }, { "offset": 6, "opcode": "b95748f2ae", "mnemonic": "mov ecx, 0xaef24857" }, { "offset": 11, "opcode": "55", "mnemonic": "push ebp" }, { "offset": 12, "opcode": "ff9698540000", "mnemonic": "call dword ptr [esi + 0x5498]" } ], "registers": { "EAX": "0x76ac00ff ", "EBX": "0x01001024 ", "ECX": "0x01004150 ", "EDX": "0x004c34a4", "ESI": "0x01001000 ", "EDI": "0x01004150 ", "EBP": "0x76e60000 ", "ESP": "0x000cff6c", "eflags": "0x00000286" }, "type": "call", "syscalls": [ { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.875559, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x75950000", "_IN_ (LPCSTR) [0x000cff68] \"FormatMessageA\"" ], "return": "0x75985fbd", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.905854, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x75950000", "_IN_ (LPCSTR) [0x000cff68] \"LocalFree\"" ], "return": "0x75962d3c", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.905854, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x75950000", "_IN_ (LPCSTR) [0x000cff68] \"GetModuleHandleA\"" ], "return": "0x75961245", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.905854, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x75950000", "_IN_ (LPCSTR) [0x000cff68] \"GetLastError\"" ], "return": "0x759611c0", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"__p__commode\"" ], "return": "0x752c27c3", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"__p__fmode\"" ], "return": "0x752c27ce", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"__set_app_type\"" ], "return": "0x752c2804", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"_controlfp\"" ], "return": "0x752be1e1", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"_cexit\"" ], "return": "0x752c37d4", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"_adjust_fdiv\"" ], "return": "0x753532ec", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"_except_handler3\"" ], "return": "0x752dd770", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"_XcptFilter\"" ], "return": "0x752ddc75", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"_exit\"" ], "return": "0x7531b2c0", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"_c_exit\"" ], "return": "0x7531b2db", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"__setusermatherr\"" ], "return": "0x753477ad", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"_initterm\"" ], "return": "0x752bc151", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"__getmainargs\"" ], "return": "0x752c2bc0", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"__initenv\"" ], "return": "0x753504e8", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"_write\"" ], "return": "0x752c4078", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"strchr\"" ], "return": "0x752bdbeb", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"puts\"" ], "return": "0x75328d04", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x752b0000", "_IN_ (LPCSTR) [0x000cff68] \"exit\"" ], "return": "0x752c36aa", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x6c880000", "_IN_ (LPCSTR) [0x000cff68] \"s_perror\"" ], "return": "0x6c8a1be4", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddress", "timestamp": 19.913203, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x76ac0000", "_IN_ (LPCSTR) [0x000cff68] \"CharToOemBuffA\"" ], "return": "0x76aeb1b0", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddressOrdinal", "timestamp": 19.942805, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x76e60000", "_IN_ (USHORT) [0x000cff68] 0x00000039" ], "return": "0x76e6a05b", "output": [] }, { "name": "KERNEL32.DLL!GetProcAddressOrdinal", "timestamp": 19.942805, "arguments": [ "_IN_ (HMODULE) [0x000cff64] 0x76e60000", "_IN_ (USHORT) [0x000cff68] 0x00000073" ], "return": "0x76e63ab2", "output": [] } ] }, { "index": 44, "start": "0x1005a17", "end": "0x1005a2f", "last_instr": "0x1005a2e", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8bae9c540000", "mnemonic": "mov ebp, dword ptr [esi + 0x549c]" }, { "offset": 6, "opcode": "8dbe00f0ffff", "mnemonic": "lea edi, [esi - 0x1000]" }, { "offset": 12, "opcode": "bb00100000", "mnemonic": "mov ebx, 0x1000" }, { "offset": 17, "opcode": "50", "mnemonic": "push eax" }, { "offset": 18, "opcode": "54", "mnemonic": "push esp" }, { "offset": 19, "opcode": "6a04", "mnemonic": "push 4" }, { "offset": 21, "opcode": "53", "mnemonic": "push ebx" }, { "offset": 22, "opcode": "57", "mnemonic": "push edi" }, { "offset": 23, "opcode": "ffd5", "mnemonic": "call ebp" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x0100102c ", "ECX": "0x76e60000 ", "EDX": "0x00001725", "ESI": "0x01001000 ", "EDI": "0x01004156 ", "EBP": "0x76e60000 ", "ESP": "0x000cff6c", "eflags": "0x00000246" }, "type": "call", "syscalls": [ { "name": "KERNEL32.DLL!VirtualProtect", "timestamp": 19.950966, "arguments": [ "_IN_ (LPVOID) [0x000cff58] 0x01000000", "_IN_ (SIZE_T) [0x000cff5c] 0x00001000", "_IN_ (DWORD) [0x000cff60] 0x00000004", "_OUT_ (PDWORD) [0x000cff64] 0x000cff68" ], "return": "TRUE", "output": ["[0x000cff68] 0x00000002"] } ] }, { "index": 45, "start": "0x1005a30", "end": "0x1005a44", "last_instr": "0x1005a43", "wave": 0, "instructions": [ { "offset": 0, "opcode": "8d87f7010000", "mnemonic": "lea eax, [edi + 0x1f7]" }, { "offset": 6, "opcode": "80207f", "mnemonic": "and byte ptr [eax], 0x7f" }, { "offset": 9, "opcode": "8060287f", "mnemonic": "and byte ptr [eax + 0x28], 0x7f" }, { "offset": 13, "opcode": "58", "mnemonic": "pop eax" }, { "offset": 14, "opcode": "50", "mnemonic": "push eax" }, { "offset": 15, "opcode": "54", "mnemonic": "push esp" }, { "offset": 16, "opcode": "50", "mnemonic": "push eax" }, { "offset": 17, "opcode": "53", "mnemonic": "push ebx" }, { "offset": 18, "opcode": "57", "mnemonic": "push edi" }, { "offset": 19, "opcode": "ffd5", "mnemonic": "call ebp" } ], "registers": { "EAX": "0x00000001 ", "EBX": "0x00001000 ", "ECX": "0x7a280000 ", "EDX": "0x0008e3c8", "ESI": "0x01001000 ", "EDI": "0x01000000 ", "EBP": "0x7596435f ", "ESP": "0x000cff68", "eflags": "0x00000202" }, "type": "call", "syscalls": [ { "name": "KERNEL32.DLL!VirtualProtect", "timestamp": 19.966595, "arguments": [ "_IN_ (LPVOID) [0x000cff58] 0x01000000", "_IN_ (SIZE_T) [0x000cff5c] 0x00001000", "_IN_ (DWORD) [0x000cff60] 0x00000002", "_OUT_ (PDWORD) [0x000cff64] 0x000cff68" ], "return": "TRUE", "output": ["[0x000cff68] 0x00000004"] } ] }, { "index": 46, "start": "0x1005a45", "end": "0x1005a4a", "last_instr": "0x1005a47", "wave": 0, "instructions": [ { "offset": 0, "opcode": "58", "mnemonic": "pop eax" }, { "offset": 1, "opcode": "61", "mnemonic": "popal " }, { "offset": 2, "opcode": "8d442480", "mnemonic": "lea eax, [esp - 0x80]" } ], "type": "seq" }, { "index": 47, "start": "0x1005a51", "end": "0x1005a58", "last_instr": "0x1005a54", "wave": 0, "instructions": [ { "offset": 0, "opcode": "83ec80", "mnemonic": "sub esp, -0x80" }, { "offset": 3, "opcode": "e97eb7ffff", "mnemonic": "jmp 0x10011d7" } ], "registers": { "EAX": "0x000cff0c ", "EBX": "0x7efde000 ", "ECX": "0x00000000 ", "EDX": "0x010058c0", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff94 ", "ESP": "0x000cff0c", "eflags": "0x00000246" }, "type": "jmp" }, { "index": 48, "start": "0x10011d7", "end": "0x10011e2", "last_instr": "0x10011de", "wave": 1, "instructions": [ { "offset": 0, "opcode": "6a28", "mnemonic": "push 0x28" }, { "offset": 2, "opcode": "68b0100001", "mnemonic": "push 0x10010b0" }, { "offset": 7, "opcode": "e891010000", "mnemonic": "call 0x1001374" } ], "registers": { "EAX": "0x000cff0c ", "EBX": "0x7efde000 ", "ECX": "0x00000000 ", "EDX": "0x010058c0", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff94 ", "ESP": "0x000cff8c", "eflags": "0x00000203" }, "type": "call" }, { "index": 49, "start": "0x1001374", "end": "0x10013ac", "last_instr": "0x10013ac", "wave": 1, "instructions": [ { "offset": 0, "opcode": "68c4130001", "mnemonic": "push 0x10013c4" }, { "offset": 5, "opcode": "64a100000000", "mnemonic": "mov eax, dword ptr fs:[0]" }, { "offset": 11, "opcode": "50", "mnemonic": "push eax" }, { "offset": 12, "opcode": "64892500000000", "mnemonic": "mov dword ptr fs:[0], esp" }, { "offset": 19, "opcode": "8b442410", "mnemonic": "mov eax, dword ptr [esp + 0x10]" }, { "offset": 23, "opcode": "896c2410", "mnemonic": "mov dword ptr [esp + 0x10], ebp" }, { "offset": 27, "opcode": "8d6c2410", "mnemonic": "lea ebp, [esp + 0x10]" }, { "offset": 31, "opcode": "2be0", "mnemonic": "sub esp, eax" }, { "offset": 33, "opcode": "53", "mnemonic": "push ebx" }, { "offset": 34, "opcode": "56", "mnemonic": "push esi" }, { "offset": 35, "opcode": "57", "mnemonic": "push edi" }, { "offset": 36, "opcode": "8b45f8", "mnemonic": "mov eax, dword ptr [ebp - 8]" }, { "offset": 39, "opcode": "8965e8", "mnemonic": "mov dword ptr [ebp - 0x18], esp" }, { "offset": 42, "opcode": "50", "mnemonic": "push eax" }, { "offset": 43, "opcode": "8b45fc", "mnemonic": "mov eax, dword ptr [ebp - 4]" }, { "offset": 46, "opcode": "c745fcffffffff", "mnemonic": "mov dword ptr [ebp - 4], 0xffffffff" }, { "offset": 53, "opcode": "8945f8", "mnemonic": "mov dword ptr [ebp - 8], eax" }, { "offset": 56, "opcode": "c3", "mnemonic": "ret " } ], "registers": { "EAX": "0x000cff0c ", "EBX": "0x7efde000 ", "ECX": "0x00000000 ", "EDX": "0x010058c0", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff94 ", "ESP": "0x000cff80", "eflags": "0x00000203" }, "type": "ret" }, { "index": 50, "start": "0x10011e3", "end": "0x10011eb", "last_instr": "0x10011e6", "wave": 1, "instructions": [ { "offset": 0, "opcode": "33ff", "mnemonic": "xor edi, edi" }, { "offset": 2, "opcode": "57", "mnemonic": "push edi" }, { "offset": 3, "opcode": "ff1508100001", "mnemonic": "call dword ptr [0x1001008]" } ], "registers": { "EAX": "0x010010b0 ", "EBX": "0x7efde000 ", "ECX": "0x00000000 ", "EDX": "0x010058c0", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff44", "eflags": "0x00000206" }, "type": "call", "syscalls": [ { "name": "KERNEL32.DLL!GetModuleHandleA", "timestamp": 20.007819, "arguments": ["_IN_ (LPCTSTR) [0x000cff40] \"\""], "return": "0x01000000", "output": [] } ] }, { "index": 51, "start": "0x10011ec", "end": "0x10011f2", "last_instr": "0x10011f1", "wave": 1, "instructions": [ { "offset": 0, "opcode": "6681384d5a", "mnemonic": "cmp word ptr [eax], 0x5a4d" }, { "offset": 5, "opcode": "751f", "mnemonic": "jne 0x1001212" } ], "registers": { "EAX": "0x01000000 ", "EBX": "0x7efde000 ", "ECX": "0x00000000 ", "EDX": "0x010058c0", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff44", "eflags": "0x00000246" }, "type": "jcc" }, { "index": 52, "start": "0x10011f3", "end": "0x10011ff", "last_instr": "0x10011fe", "wave": 1, "instructions": [ { "offset": 0, "opcode": "8b483c", "mnemonic": "mov ecx, dword ptr [eax + 0x3c]" }, { "offset": 3, "opcode": "03c8", "mnemonic": "add ecx, eax" }, { "offset": 5, "opcode": "813950450000", "mnemonic": "cmp dword ptr [ecx], 0x4550" }, { "offset": 11, "opcode": "7512", "mnemonic": "jne 0x1001212" } ], "registers": { "EAX": "0x01000000 ", "EBX": "0x7efde000 ", "ECX": "0x00000000 ", "EDX": "0x010058c0", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff44", "eflags": "0x00000246" }, "type": "jcc" }, { "index": 53, "start": "0x1001200", "end": "0x100120a", "last_instr": "0x1001209", "wave": 1, "instructions": [ { "offset": 0, "opcode": "0fb74118", "mnemonic": "movzx eax, word ptr [ecx + 0x18]" }, { "offset": 4, "opcode": "3d0b010000", "mnemonic": "cmp eax, 0x10b" }, { "offset": 9, "opcode": "741f", "mnemonic": "je 0x100122a" } ], "registers": { "EAX": "0x01000000 ", "EBX": "0x7efde000 ", "ECX": "0x010000d8 ", "EDX": "0x010058c0", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff44", "eflags": "0x00000246" }, "type": "jcc" }, { "index": 54, "start": "0x100122a", "end": "0x100122f", "last_instr": "0x100122e", "wave": 1, "instructions": [ { "offset": 0, "opcode": "8379740e", "mnemonic": "cmp dword ptr [ecx + 0x74], 0xe" }, { "offset": 4, "opcode": "76e2", "mnemonic": "jbe 0x1001212" } ], "registers": { "EAX": "0x0000010b ", "EBX": "0x7efde000 ", "ECX": "0x010000d8 ", "EDX": "0x010058c0", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff44", "eflags": "0x00000246" }, "type": "jcc" }, { "index": 55, "start": "0x1001230", "end": "0x1001248", "last_instr": "0x1001243", "wave": 1, "instructions": [ { "offset": 0, "opcode": "33c0", "mnemonic": "xor eax, eax" }, { "offset": 2, "opcode": "39b9e8000000", "mnemonic": "cmp dword ptr [ecx + 0xe8], edi" }, { "offset": 8, "opcode": "0f95c0", "mnemonic": "setne al" }, { "offset": 11, "opcode": "8945e4", "mnemonic": "mov dword ptr [ebp - 0x1c], eax" }, { "offset": 14, "opcode": "897dfc", "mnemonic": "mov dword ptr [ebp - 4], edi" }, { "offset": 17, "opcode": "6a01", "mnemonic": "push 1" }, { "offset": 19, "opcode": "ff1538100001", "mnemonic": "call dword ptr [0x1001038]" } ], "registers": { "EAX": "0x0000010b ", "EBX": "0x7efde000 ", "ECX": "0x010000d8 ", "EDX": "0x010058c0", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff44", "eflags": "0x00000212" }, "type": "call", "syscalls": [ { "name": "MSVCRT.DLL!__set_app_type", "timestamp": 20.042519, "arguments": ["_IN_ (INT) [0x000cff40] 0x00000001"], "return": "", "output": [] } ] }, { "index": 56, "start": "0x1001249", "end": "0x100125d", "last_instr": "0x1001258", "wave": 1, "instructions": [ { "offset": 0, "opcode": "59", "mnemonic": "pop ecx" }, { "offset": 1, "opcode": "830dd0210001ff", "mnemonic": "or dword ptr [0x10021d0], 0xffffffff" }, { "offset": 8, "opcode": "830dd4210001ff", "mnemonic": "or dword ptr [0x10021d4], 0xffffffff" }, { "offset": 15, "opcode": "ff1534100001", "mnemonic": "call dword ptr [0x1001034]" } ], "registers": { "EAX": "0x00000001 ", "EBX": "0x7efde000 ", "ECX": "0x00000001 ", "EDX": "0x000000d8", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff40", "eflags": "0x00000202" }, "type": "call", "syscalls": [ { "name": "MSVCRT.DLL!__p__fmode", "timestamp": 20.060264, "arguments": [], "return": "0x753531f4", "output": [] } ] }, { "index": 57, "start": "0x100125e", "end": "0x100126b", "last_instr": "0x1001266", "wave": 1, "instructions": [ { "offset": 0, "opcode": "8b0d2c200001", "mnemonic": "mov ecx, dword ptr [0x100202c]" }, { "offset": 6, "opcode": "8908", "mnemonic": "mov dword ptr [eax], ecx" }, { "offset": 8, "opcode": "ff1530100001", "mnemonic": "call dword ptr [0x1001030]" } ], "registers": { "EAX": "0x753531f4 ", "EBX": "0x7efde000 ", "ECX": "0x00000001 ", "EDX": "0x000000d8", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff44", "eflags": "0x00000286" }, "type": "call", "syscalls": [ { "name": "MSVCRT.DLL!__p__commode", "timestamp": 20.066232, "arguments": [], "return": "0x753531fc", "output": [] } ] }, { "index": 58, "start": "0x100126c", "end": "0x1001284", "last_instr": "0x1001280", "wave": 1, "instructions": [ { "offset": 0, "opcode": "8b0d28200001", "mnemonic": "mov ecx, dword ptr [0x1002028]" }, { "offset": 6, "opcode": "8908", "mnemonic": "mov dword ptr [eax], ecx" }, { "offset": 8, "opcode": "a144100001", "mnemonic": "mov eax, dword ptr [0x1001044]" }, { "offset": 13, "opcode": "8b00", "mnemonic": "mov eax, dword ptr [eax]" }, { "offset": 15, "opcode": "a3d8210001", "mnemonic": "mov dword ptr [0x10021d8], eax" }, { "offset": 20, "opcode": "e8eb000000", "mnemonic": "call 0x1001370" } ], "registers": { "EAX": "0x753531fc ", "EBX": "0x7efde000 ", "ECX": "0x00000000 ", "EDX": "0x000000d8", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff44", "eflags": "0x00000286" }, "type": "call" }, { "index": 59, "start": "0x1001370", "end": "0x1001372", "last_instr": "0x1001372", "wave": 1, "instructions": [ { "offset": 0, "opcode": "33c0", "mnemonic": "xor eax, eax" }, { "offset": 2, "opcode": "c3", "mnemonic": "ret " } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x7efde000 ", "ECX": "0x00000000 ", "EDX": "0x000000d8", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff40", "eflags": "0x00000286" }, "type": "ret" }, { "index": 60, "start": "0x1001285", "end": "0x100128c", "last_instr": "0x100128b", "wave": 1, "instructions": [ { "offset": 0, "opcode": "393d00200001", "mnemonic": "cmp dword ptr [0x1002000], edi" }, { "offset": 6, "opcode": "750c", "mnemonic": "jne 0x1001299" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x7efde000 ", "ECX": "0x00000000 ", "EDX": "0x000000d8", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff44", "eflags": "0x00000246" }, "type": "jcc" }, { "index": 61, "start": "0x1001299", "end": "0x100129d", "last_instr": "0x1001299", "wave": 1, "instructions": [ { "offset": 0, "opcode": "e8c0000000", "mnemonic": "call 0x100135e" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x7efde000 ", "ECX": "0x00000000 ", "EDX": "0x000000d8", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff44", "eflags": "0x00000202" }, "type": "call" }, { "index": 62, "start": "0x100135e", "end": "0x100136c", "last_instr": "0x1001368", "wave": 1, "instructions": [ { "offset": 0, "opcode": "6800000300", "mnemonic": "push 0x30000" }, { "offset": 5, "opcode": "6800000100", "mnemonic": "push 0x10000" }, { "offset": 10, "opcode": "e851000000", "mnemonic": "call 0x10013be" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x7efde000 ", "ECX": "0x00000000 ", "EDX": "0x000000d8", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff40", "eflags": "0x00000202" }, "type": "call", "obfuscations": [ { "type": "callstack tampering : call", "description": "No ret instruction corresponding to the call" } ] }, { "index": 63, "start": "0x10013be", "end": "0x10013c3", "last_instr": "0x10013be", "wave": 1, "instructions": [ { "offset": 0, "opcode": "ff253c100001", "mnemonic": "jmp dword ptr [0x100103c]" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x7efde000 ", "ECX": "0x00000000 ", "EDX": "0x000000d8", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff34", "eflags": "0x00000202" }, "type": "jmp", "syscalls": [ { "name": "MSVCRT.DLL!_controlfp", "timestamp": 20.101722, "arguments": [], "return": "", "output": [] } ] }, { "index": 64, "start": "0x100136d", "end": "0x100136f", "last_instr": "0x100136f", "wave": 1, "instructions": [ { "offset": 0, "opcode": "59", "mnemonic": "pop ecx" }, { "offset": 1, "opcode": "59", "mnemonic": "pop ecx" }, { "offset": 2, "opcode": "c3", "mnemonic": "ret " } ], "registers": { "EAX": "0x0009001f ", "EBX": "0x7efde000 ", "ECX": "0x00010000 ", "EDX": "0x0008001f", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff38", "eflags": "0x00000246" }, "type": "ret" }, { "index": 65, "start": "0x100129e", "end": "0x10012ac", "last_instr": "0x10012a8", "wave": 1, "instructions": [ { "offset": 0, "opcode": "6888100001", "mnemonic": "push 0x1001088" }, { "offset": 5, "opcode": "6884100001", "mnemonic": "push 0x1001084" }, { "offset": 10, "opcode": "e8ab000000", "mnemonic": "call 0x1001358" } ], "registers": { "EAX": "0x0009001f ", "EBX": "0x7efde000 ", "ECX": "0x00030000 ", "EDX": "0x0008001f", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff44", "eflags": "0x00000246" }, "type": "call", "obfuscations": [ { "type": "callstack tampering : call", "description": "No ret instruction corresponding to the call" } ] }, { "index": 66, "start": "0x1001358", "end": "0x100135d", "last_instr": "0x1001358", "wave": 1, "instructions": [ { "offset": 0, "opcode": "ff255c100001", "mnemonic": "jmp dword ptr [0x100105c]" } ], "registers": { "EAX": "0x0009001f ", "EBX": "0x7efde000 ", "ECX": "0x00030000 ", "EDX": "0x0008001f", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff38", "eflags": "0x00000246" }, "type": "jmp", "syscalls": [ { "name": "MSVCRT.DLL!_initterm", "timestamp": 20.12734, "arguments": [], "return": "", "output": [] }, { "name": "MSVCRT.DLL!_initterm", "timestamp": 20.150398, "arguments": [], "return": "", "output": [] } ] }, { "index": 67, "start": "0x10012ad", "end": "0x10012d0", "last_instr": "0x10012cb", "wave": 1, "instructions": [ { "offset": 0, "opcode": "a124200001", "mnemonic": "mov eax, dword ptr [0x1002024]" }, { "offset": 5, "opcode": "8945e0", "mnemonic": "mov dword ptr [ebp - 0x20], eax" }, { "offset": 8, "opcode": "8d45e0", "mnemonic": "lea eax, [ebp - 0x20]" }, { "offset": 11, "opcode": "50", "mnemonic": "push eax" }, { "offset": 12, "opcode": "ff3520200001", "mnemonic": "push dword ptr [0x1002020]" }, { "offset": 18, "opcode": "8d45dc", "mnemonic": "lea eax, [ebp - 0x24]" }, { "offset": 21, "opcode": "50", "mnemonic": "push eax" }, { "offset": 22, "opcode": "8d45d8", "mnemonic": "lea eax, [ebp - 0x28]" }, { "offset": 25, "opcode": "50", "mnemonic": "push eax" }, { "offset": 26, "opcode": "8d45d4", "mnemonic": "lea eax, [ebp - 0x2c]" }, { "offset": 29, "opcode": "50", "mnemonic": "push eax" }, { "offset": 30, "opcode": "ff1560100001", "mnemonic": "call dword ptr [0x1001060]" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x7efde000 ", "ECX": "0x00030000 ", "EDX": "0x0008001f", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff3c", "eflags": "0x00000246" }, "type": "call", "syscalls": [ { "name": "MSVCRT.DLL!__getmainargs", "timestamp": 20.132675, "arguments": [], "return": "", "output": [] } ] }, { "index": 68, "start": "0x10012d1", "end": "0x10012e2", "last_instr": "0x10012de", "wave": 1, "instructions": [ { "offset": 0, "opcode": "8945d0", "mnemonic": "mov dword ptr [ebp - 0x30], eax" }, { "offset": 3, "opcode": "6880100001", "mnemonic": "push 0x1001080" }, { "offset": 8, "opcode": "687c100001", "mnemonic": "push 0x100107c" }, { "offset": 13, "opcode": "e875000000", "mnemonic": "call 0x1001358" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x7efde000 ", "ECX": "0x000cff64 ", "EDX": "0x002115a8", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff28", "eflags": "0x00000246" }, "type": "call", "obfuscations": [ { "type": "callstack tampering : call", "description": "No ret instruction corresponding to the call" } ] }, { "index": 69, "start": "0x10012e3", "end": "0x10012fb", "last_instr": "0x10012f7", "wave": 1, "instructions": [ { "offset": 0, "opcode": "8b45dc", "mnemonic": "mov eax, dword ptr [ebp - 0x24]" }, { "offset": 3, "opcode": "8b0d64100001", "mnemonic": "mov ecx, dword ptr [0x1001064]" }, { "offset": 9, "opcode": "8901", "mnemonic": "mov dword ptr [ecx], eax" }, { "offset": 11, "opcode": "ff75dc", "mnemonic": "push dword ptr [ebp - 0x24]" }, { "offset": 14, "opcode": "ff75d8", "mnemonic": "push dword ptr [ebp - 0x28]" }, { "offset": 17, "opcode": "ff75d4", "mnemonic": "push dword ptr [ebp - 0x2c]" }, { "offset": 20, "opcode": "e8e0fdffff", "mnemonic": "call 0x10010dc" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x7efde000 ", "ECX": "0x000cff64 ", "EDX": "0x002115a8", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff20", "eflags": "0x00000246" }, "type": "call", "obfuscations": [ { "type": "callstack tampering : call", "description": "No ret instruction corresponding to the call" } ] }, { "index": 70, "start": "0x10010dc", "end": "0x10010f7", "last_instr": "0x10010f2", "wave": 1, "instructions": [ { "offset": 0, "opcode": "55", "mnemonic": "push ebp" }, { "offset": 1, "opcode": "8bec", "mnemonic": "mov ebp, esp" }, { "offset": 3, "opcode": "81ec00040000", "mnemonic": "sub esp, 0x400" }, { "offset": 9, "opcode": "53", "mnemonic": "push ebx" }, { "offset": 10, "opcode": "56", "mnemonic": "push esi" }, { "offset": 11, "opcode": "57", "mnemonic": "push edi" }, { "offset": 12, "opcode": "6840200001", "mnemonic": "push 0x1002040" }, { "offset": 17, "opcode": "6801010000", "mnemonic": "push 0x101" }, { "offset": 22, "opcode": "ff1528100001", "mnemonic": "call dword ptr [0x1001028]" } ], "registers": { "EAX": "0x002115a8 ", "EBX": "0x7efde000 ", "ECX": "0x753504e8 ", "EDX": "0x002115a8", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff88 ", "ESP": "0x000cff10", "eflags": "0x00000246" }, "type": "call", "syscalls": [ { "name": "WS2_32.DLL!WSAStartup", "timestamp": 20.166225, "arguments": [ "_IN_ (WORD) [0x000cfaf8] 0x00000101", "_OUT_ (LPWSADATA) [0x000cfafc] 0x01002040" ], "return": "0x00000000", "output": [ "[LPWSADATA]", "[0x01002040] 0x00000101", "[0x01002042] 0x00000202", "[0x01002044] \"WinSock 2.0\"", "[0x0100204f] \"\"", "[0x0100204f] 0x00000000", "[0x01002051] 0x00000000", "[0x01002053] \"\"" ] } ] }, { "index": 71, "start": "0x10010f8", "end": "0x10010fc", "last_instr": "0x10010fb", "wave": 1, "instructions": [ { "offset": 0, "opcode": "83f8ff", "mnemonic": "cmp eax, -1" }, { "offset": 3, "opcode": "7511", "mnemonic": "jne 0x100110e" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x7efde000 ", "ECX": "0x76e63beb ", "EDX": "0x00080002", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff0c ", "ESP": "0x000cfb00", "eflags": "0x00000246" }, "type": "jcc" }, { "index": 72, "start": "0x100110e", "end": "0x1001119", "last_instr": "0x1001118", "wave": 1, "instructions": [ { "offset": 0, "opcode": "8b7d0c", "mnemonic": "mov edi, dword ptr [ebp + 0xc]" }, { "offset": 3, "opcode": "33db", "mnemonic": "xor ebx, ebx" }, { "offset": 5, "opcode": "beac100001", "mnemonic": "mov esi, 0x10010ac" }, { "offset": 10, "opcode": "eb07", "mnemonic": "jmp 0x1001121" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x7efde000 ", "ECX": "0x76e63beb ", "EDX": "0x00080002", "ESI": "0x00000000 ", "EDI": "0x00000000 ", "EBP": "0x000cff0c ", "ESP": "0x000cfb00", "eflags": "0x00000213" }, "type": "jmp" }, { "index": 73, "start": "0x1001121", "end": "0x100112a", "last_instr": "0x1001126", "wave": 1, "instructions": [ { "offset": 0, "opcode": "56", "mnemonic": "push esi" }, { "offset": 1, "opcode": "57", "mnemonic": "push edi" }, { "offset": 2, "opcode": "ff7508", "mnemonic": "push dword ptr [ebp + 8]" }, { "offset": 5, "opcode": "e84a030000", "mnemonic": "call 0x1001475" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x00000000 ", "ECX": "0x76e63beb ", "EDX": "0x00080002", "ESI": "0x010010ac ", "EDI": "0x00211120 ", "EBP": "0x000cff0c ", "ESP": "0x000cfb00", "eflags": "0x00000246" }, "type": "call" }, { "index": 74, "start": "0x1001475", "end": "0x100148b", "last_instr": "0x100148a", "wave": 1, "instructions": [ { "offset": 0, "opcode": "56", "mnemonic": "push esi" }, { "offset": 1, "opcode": "8b3504200001", "mnemonic": "mov esi, dword ptr [0x1002004]" }, { "offset": 7, "opcode": "3b742408", "mnemonic": "cmp esi, dword ptr [esp + 8]" }, { "offset": 11, "opcode": "c705dc21000134200001", "mnemonic": "mov dword ptr [0x10021dc], 0x1002034" }, { "offset": 21, "opcode": "7c08", "mnemonic": "jl 0x1001494" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x00000000 ", "ECX": "0x76e63beb ", "EDX": "0x00080002", "ESI": "0x010010ac ", "EDI": "0x00211120 ", "EBP": "0x000cff0c ", "ESP": "0x000cfaf0", "eflags": "0x00000246" }, "type": "jcc" }, { "index": 75, "start": "0x100148c", "end": "0x1001493", "last_instr": "0x100148f", "wave": 1, "instructions": [ { "offset": 0, "opcode": "83c8ff", "mnemonic": "or eax, 0xffffffff" }, { "offset": 3, "opcode": "e9c8000000", "mnemonic": "jmp 0x100155c" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x00000000 ", "ECX": "0x76e63beb ", "EDX": "0x00080002", "ESI": "0x00000001 ", "EDI": "0x00211120 ", "EBP": "0x000cff0c ", "ESP": "0x000cfaec", "eflags": "0x00000246" }, "type": "jmp" }, { "index": 76, "start": "0x100155c", "end": "0x100155f", "last_instr": "0x100155d", "wave": 1, "instructions": [ { "offset": 0, "opcode": "5e", "mnemonic": "pop esi" }, { "offset": 1, "opcode": "c20c00", "mnemonic": "ret 0xc" } ], "registers": { "EAX": "0xffffffff ", "EBX": "0x00000000 ", "ECX": "0x76e63beb ", "EDX": "0x00080002", "ESI": "0x00000001 ", "EDI": "0x00211120 ", "EBP": "0x000cff0c ", "ESP": "0x000cfaec", "eflags": "0x00000286" }, "type": "ret" }, { "index": 77, "start": "0x100112b", "end": "0x100112f", "last_instr": "0x100112e", "wave": 1, "instructions": [ { "offset": 0, "opcode": "83f8ff", "mnemonic": "cmp eax, -1" }, { "offset": 3, "opcode": "75ea", "mnemonic": "jne 0x100111a" } ], "registers": { "EAX": "0xffffffff ", "EBX": "0x00000000 ", "ECX": "0x76e63beb ", "EDX": "0x00080002", "ESI": "0x010010ac ", "EDI": "0x00211120 ", "EBP": "0x000cff0c ", "ESP": "0x000cfb00", "eflags": "0x00000286" }, "type": "jcc" }, { "index": 78, "start": "0x1001130", "end": "0x100113a", "last_instr": "0x1001139", "wave": 1, "instructions": [ { "offset": 0, "opcode": "a104200001", "mnemonic": "mov eax, dword ptr [0x1002004]" }, { "offset": 5, "opcode": "833c8700", "mnemonic": "cmp dword ptr [edi + eax*4], 0" }, { "offset": 9, "opcode": "7419", "mnemonic": "je 0x1001154" } ], "registers": { "EAX": "0xffffffff ", "EBX": "0x00000000 ", "ECX": "0x76e63beb ", "EDX": "0x00080002", "ESI": "0x010010ac ", "EDI": "0x00211120 ", "EBP": "0x000cff0c ", "ESP": "0x000cfb00", "eflags": "0x00000246" }, "type": "jcc" }, { "index": 79, "start": "0x1001154", "end": "0x1001165", "last_instr": "0x1001160", "wave": 1, "instructions": [ { "offset": 0, "opcode": "6800040000", "mnemonic": "push 0x400" }, { "offset": 5, "opcode": "8d8500fcffff", "mnemonic": "lea eax, [ebp - 0x400]" }, { "offset": 11, "opcode": "50", "mnemonic": "push eax" }, { "offset": 12, "opcode": "ff1524100001", "mnemonic": "call dword ptr [0x1001024]" } ], "registers": { "EAX": "0x00000001 ", "EBX": "0x00000000 ", "ECX": "0x76e63beb ", "EDX": "0x00080002", "ESI": "0x010010ac ", "EDI": "0x00211120 ", "EBP": "0x000cff0c ", "ESP": "0x000cfb00", "eflags": "0x00000246" }, "type": "call", "syscalls": [ { "name": "WS2_32.DLL!gethostname", "timestamp": 20.295551, "arguments": [ "_OUT_ (CHAR*) [0x000cfaf8] 0x000cfb0c", "_IN_ (INT) [0x000cfafc] 0x00000400" ], "return": "", "output": [] } ] }, { "index": 80, "start": "0x1001166", "end": "0x1001169", "last_instr": "0x1001168", "wave": 1, "instructions": [ { "offset": 0, "opcode": "85c0", "mnemonic": "test eax, eax" }, { "offset": 2, "opcode": "7d13", "mnemonic": "jge 0x100117d" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x00000000 ", "ECX": "0xb2ac322f ", "EDX": "0x00000000", "ESI": "0x010010ac ", "EDI": "0x00211120 ", "EBP": "0x000cff0c ", "ESP": "0x000cfb00", "eflags": "0x00000246" }, "type": "jcc" }, { "index": 81, "start": "0x100117d", "end": "0x1001180", "last_instr": "0x100117f", "wave": 1, "instructions": [ { "offset": 0, "opcode": "85db", "mnemonic": "test ebx, ebx" }, { "offset": 2, "opcode": "7418", "mnemonic": "je 0x1001199" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x00000000 ", "ECX": "0xb2ac322f ", "EDX": "0x00000000", "ESI": "0x010010ac ", "EDI": "0x00211120 ", "EBP": "0x000cff0c ", "ESP": "0x000cfb00", "eflags": "0x00000246" }, "type": "jcc" }, { "index": 82, "start": "0x1001199", "end": "0x10011a1", "last_instr": "0x100119f", "wave": 1, "instructions": [ { "offset": 0, "opcode": "8d8500fcffff", "mnemonic": "lea eax, [ebp - 0x400]" }, { "offset": 6, "opcode": "8d5001", "mnemonic": "lea edx, [eax + 1]" } ], "type": "seq" }, { "index": 83, "start": "0x10011a9", "end": "0x10011bf", "last_instr": "0x10011ba", "wave": 1, "instructions": [ { "offset": 0, "opcode": "2bc2", "mnemonic": "sub eax, edx" }, { "offset": 2, "opcode": "50", "mnemonic": "push eax" }, { "offset": 3, "opcode": "8d8500fcffff", "mnemonic": "lea eax, [ebp - 0x400]" }, { "offset": 9, "opcode": "50", "mnemonic": "push eax" }, { "offset": 10, "opcode": "8d8500fcffff", "mnemonic": "lea eax, [ebp - 0x400]" }, { "offset": 16, "opcode": "50", "mnemonic": "push eax" }, { "offset": 17, "opcode": "ff151c100001", "mnemonic": "call dword ptr [0x100101c]" } ], "registers": { "EAX": "0x000cfb14 ", "EBX": "0x00000000 ", "ECX": "0xb2ac3200 ", "EDX": "0x000cfb0d", "ESI": "0x010010ac ", "EDI": "0x00211120 ", "EBP": "0x000cff0c ", "ESP": "0x000cfb00", "eflags": "0x00000246" }, "type": "call", "syscalls": [ { "name": "USER32.DLL!CharToOemBuffA", "timestamp": 20.458695, "arguments": [ "_IN_ (LPCTSTR) [0x000cfaf4] \"lhs-PC1\"", "_OUT_ (LPSTR) [0x000cfaf8] 0x000cfb0c", "_IN_ (DWORD) [0x000cfafc] 0x00000007" ], "return": "TRUE", "output": ["[0x000cfb0c] \"lhs-PC1\""] } ] }, { "index": 84, "start": "0x10011c0", "end": "0x10011cc", "last_instr": "0x10011c7", "wave": 1, "instructions": [ { "offset": 0, "opcode": "8d8500fcffff", "mnemonic": "lea eax, [ebp - 0x400]" }, { "offset": 6, "opcode": "50", "mnemonic": "push eax" }, { "offset": 7, "opcode": "ff1570100001", "mnemonic": "call dword ptr [0x1001070]" } ], "registers": { "EAX": "0x00000001 ", "EBX": "0x00000000 ", "ECX": "0x000cfb13 ", "EDX": "0x00000031", "ESI": "0x010010ac ", "EDI": "0x00211120 ", "EBP": "0x000cff0c ", "ESP": "0x000cfb00", "eflags": "0x00000202" }, "type": "call", "syscalls": [ { "name": "MSVCRT.DLL!puts", "timestamp": 20.469856, "arguments": ["_IN_ (CHAR*) [0x000cfafc] \"lhs-PC1\""], "return": "0x00000000", "output": [] } ] }, { "index": 85, "start": "0x10011cd", "end": "0x10011d5", "last_instr": "0x10011d0", "wave": 1, "instructions": [ { "offset": 0, "opcode": "59", "mnemonic": "pop ecx" }, { "offset": 1, "opcode": "6a00", "mnemonic": "push 0" }, { "offset": 3, "opcode": "ff1574100001", "mnemonic": "call dword ptr [0x1001074]" } ], "registers": { "EAX": "0x00000000 ", "EBX": "0x00000000 ", "ECX": "0x75328e62 ", "EDX": "0x0008e3c8", "ESI": "0x010010ac ", "EDI": "0x00211120 ", "EBP": "0x000cff0c ", "ESP": "0x000cfafc", "eflags": "0x00000246" }, "type": "call", "syscalls": [ { "name": "MSVCRT.DLL!exit", "timestamp": 20.499071, "arguments": ["_IN_ (INT) [0x000cfafc] 0x00000000"], "return": "", "output": [] } ] }, { "index": 86, "start": "0x1005a4b", "end": "0x1005a50", "last_instr": "0x1005a4f", "wave": 0, "instructions": [ { "offset": 0, "opcode": "6a00", "mnemonic": "push 0" }, { "offset": 2, "opcode": "39c4", "mnemonic": "cmp esp, eax" }, { "offset": 4, "opcode": "75fa", "mnemonic": "jne 0x1005a4b" } ], "type": "jcc" }, { "index": 87, "start": "0x10011a2", "end": "0x10011a8", "last_instr": "0x10011a7", "wave": 1, "instructions": [ { "offset": 0, "opcode": "8a08", "mnemonic": "mov cl, byte ptr [eax]" }, { "offset": 2, "opcode": "40", "mnemonic": "inc eax" }, { "offset": 3, "opcode": "84c9", "mnemonic": "test cl, cl" }, { "offset": 5, "opcode": "75f9", "mnemonic": "jne 0x10011a2" } ], "type": "jcc" }, { "index": 88, "start": "0x0", "end": "0x0", "wave": 0, "type": "scall", "function_identifier": "KERNEL32.DLL!LoadLibraryA" }, { "index": 89, "start": "0x0", "end": "0x0", "wave": 0, "type": "scall", "function_identifier": "KERNEL32.DLL!GetProcAddress" }, { "index": 90, "start": "0x0", "end": "0x0", "wave": 0, "type": "scall", "function_identifier": "KERNEL32.DLL!GetProcAddressOrdinal" }, { "index": 91, "start": "0x0", "end": "0x0", "wave": 0, "type": "scall", "function_identifier": "KERNEL32.DLL!VirtualProtect" }, { "index": 92, "start": "0x0", "end": "0x0", "wave": 0, "type": "scall", "function_identifier": "KERNEL32.DLL!GetModuleHandleA" }, { "index": 93, "start": "0x0", "end": "0x0", "wave": 0, "type": "scall", "function_identifier": "MSVCRT.DLL!__set_app_type" }, { "index": 94, "start": "0x0", "end": "0x0", "wave": 0, "type": "scall", "function_identifier": "MSVCRT.DLL!__p__fmode" }, { "index": 95, "start": "0x0", "end": "0x0", "wave": 0, "type": "scall", "function_identifier": "MSVCRT.DLL!__p__commode" }, { "index": 96, "start": "0x0", "end": "0x0", "wave": 0, "type": "scall", "function_identifier": "MSVCRT.DLL!_controlfp" }, { "index": 97, "start": "0x0", "end": "0x0", "wave": 0, "type": "scall", "function_identifier": "MSVCRT.DLL!_initterm" }, { "index": 98, "start": "0x0", "end": "0x0", "wave": 0, "type": "scall", "function_identifier": "MSVCRT.DLL!__getmainargs" }, { "index": 99, "start": "0x0", "end": "0x0", "wave": 0, "type": "scall", "function_identifier": "WS2_32.DLL!WSAStartup" }, { "index": 100, "start": "0x0", "end": "0x0", "wave": 0, "type": "scall", "function_identifier": "WS2_32.DLL!gethostname" }, { "index": 101, "start": "0x0", "end": "0x0", "wave": 0, "type": "scall", "function_identifier": "USER32.DLL!CharToOemBuffA" }, { "index": 102, "start": "0x0", "end": "0x0", "wave": 0, "type": "scall", "function_identifier": "MSVCRT.DLL!puts" }, { "index": 103, "start": "0x0", "end": "0x0", "wave": 0, "type": "scall", "function_identifier": "MSVCRT.DLL!exit" } ], "edges": [ { "src": 0, "dest": 1, "type": "child" }, { "src": 1, "dest": 3, "type": "child" }, { "src": 2, "dest": 16, "type": "child" }, { "src": 3, "dest": 4, "type": "child" }, { "src": 3, "dest": 2, "type": "child" }, { "src": 4, "dest": 25, "type": "child" }, { "src": 5, "dest": 24, "type": "child" }, { "src": 5, "dest": 6, "type": "child" }, { "src": 6, "dest": 12, "type": "child" }, { "src": 6, "dest": 29, "type": "child" }, { "src": 7, "dest": 28, "type": "child" }, { "src": 8, "dest": 19, "type": "child" }, { "src": 8, "dest": 9, "type": "child" }, { "src": 9, "dest": 30, "type": "child" }, { "src": 10, "dest": 11, "type": "child" }, { "src": 10, "dest": 10, "type": "child" }, { "src": 11, "dest": 16, "type": "child" }, { "src": 12, "dest": 13, "type": "child" }, { "src": 12, "dest": 31, "type": "child" }, { "src": 13, "dest": 29, "type": "child" }, { "src": 14, "dest": 15, "type": "child" }, { "src": 14, "dest": 14, "type": "child" }, { "src": 15, "dest": 16, "type": "child" }, { "src": 16, "dest": 1, "type": "child" }, { "src": 16, "dest": 3, "type": "child" }, { "src": 17, "dest": 18, "type": "child" }, { "src": 18, "dest": 5, "type": "child" }, { "src": 18, "dest": 25, "type": "child" }, { "src": 19, "dest": 9, "type": "child" }, { "src": 19, "dest": 28, "type": "child" }, { "src": 20, "dest": 21, "type": "child" }, { "src": 21, "dest": 22, "type": "child" }, { "src": 21, "dest": 23, "type": "child" }, { "src": 22, "dest": 23, "type": "child" }, { "src": 23, "dest": 7, "type": "child" }, { "src": 23, "dest": 30, "type": "child" }, { "src": 24, "dest": 6, "type": "child" }, { "src": 24, "dest": 25, "type": "child" }, { "src": 25, "dest": 17, "type": "child" }, { "src": 25, "dest": 18, "type": "child" }, { "src": 26, "dest": 27, "type": "child" }, { "src": 27, "dest": 8, "type": "child" }, { "src": 27, "dest": 28, "type": "child" }, { "src": 28, "dest": 26, "type": "child" }, { "src": 28, "dest": 27, "type": "child" }, { "src": 29, "dest": 20, "type": "child" }, { "src": 29, "dest": 21, "type": "child" }, { "src": 30, "dest": 10, "type": "child" }, { "src": 30, "dest": 14, "type": "child" }, { "src": 31, "dest": 34, "type": "child" }, { "src": 32, "dest": 33, "type": "child" }, { "src": 33, "dest": 35, "type": "child" }, { "src": 33, "dest": 34, "type": "child" }, { "src": 34, "dest": 32, "type": "child" }, { "src": 35, "dest": 42, "type": "child" }, { "src": 36, "dest": 88, "type": "child" }, { "src": 37, "dest": 41, "type": "child" }, { "src": 38, "dest": 43, "type": "child" }, { "src": 39, "dest": 40, "type": "child" }, { "src": 40, "dest": 41, "type": "child" }, { "src": 41, "dest": 38, "type": "child" }, { "src": 41, "dest": 42, "type": "child" }, { "src": 42, "dest": 36, "type": "child" }, { "src": 42, "dest": 44, "type": "child" }, { "src": 43, "dest": 89, "type": "child" }, { "src": 43, "dest": 90, "type": "child" }, { "src": 44, "dest": 91, "type": "child" }, { "src": 45, "dest": 91, "type": "child" }, { "src": 46, "dest": 86, "type": "child" }, { "src": 47, "dest": 48, "type": "child" }, { "src": 48, "dest": 49, "type": "child" }, { "src": 49, "dest": 50, "type": "child" }, { "src": 50, "dest": 92, "type": "child" }, { "src": 51, "dest": 52, "type": "child" }, { "src": 52, "dest": 53, "type": "child" }, { "src": 53, "dest": 54, "type": "child" }, { "src": 54, "dest": 55, "type": "child" }, { "src": 55, "dest": 93, "type": "child" }, { "src": 56, "dest": 94, "type": "child" }, { "src": 57, "dest": 95, "type": "child" }, { "src": 58, "dest": 59, "type": "child" }, { "src": 59, "dest": 60, "type": "child" }, { "src": 60, "dest": 61, "type": "child" }, { "src": 61, "dest": 62, "type": "child" }, { "src": 62, "dest": 63, "type": "child" }, { "src": 63, "dest": 96, "type": "child" }, { "src": 64, "dest": 65, "type": "child" }, { "src": 65, "dest": 66, "type": "child" }, { "src": 66, "dest": 97, "type": "child" }, { "src": 67, "dest": 98, "type": "child" }, { "src": 68, "dest": 66, "type": "child" }, { "src": 69, "dest": 70, "type": "child" }, { "src": 70, "dest": 99, "type": "child" }, { "src": 71, "dest": 72, "type": "child" }, { "src": 72, "dest": 73, "type": "child" }, { "src": 73, "dest": 74, "type": "child" }, { "src": 74, "dest": 75, "type": "child" }, { "src": 75, "dest": 76, "type": "child" }, { "src": 76, "dest": 77, "type": "child" }, { "src": 77, "dest": 78, "type": "child" }, { "src": 78, "dest": 79, "type": "child" }, { "src": 79, "dest": 100, "type": "child" }, { "src": 80, "dest": 81, "type": "child" }, { "src": 81, "dest": 82, "type": "child" }, { "src": 82, "dest": 87, "type": "child" }, { "src": 83, "dest": 101, "type": "child" }, { "src": 84, "dest": 102, "type": "child" }, { "src": 85, "dest": 103, "type": "child" }, { "src": 86, "dest": 47, "type": "child" }, { "src": 86, "dest": 86, "type": "child" }, { "src": 87, "dest": 83, "type": "child" }, { "src": 87, "dest": 87, "type": "child" }, { "src": 88, "dest": 37, "type": "child" }, { "src": 89, "dest": 39, "type": "child" }, { "src": 90, "dest": 39, "type": "child" }, { "src": 91, "dest": 45, "type": "child" }, { "src": 91, "dest": 46, "type": "child" }, { "src": 92, "dest": 51, "type": "child" }, { "src": 93, "dest": 56, "type": "child" }, { "src": 94, "dest": 57, "type": "child" }, { "src": 95, "dest": 58, "type": "child" }, { "src": 96, "dest": 64, "type": "child" }, { "src": 97, "dest": 67, "type": "child" }, { "src": 97, "dest": 69, "type": "child" }, { "src": 98, "dest": 68, "type": "child" }, { "src": 99, "dest": 71, "type": "child" }, { "src": 100, "dest": 80, "type": "child" }, { "src": 101, "dest": 84, "type": "child" }, { "src": 102, "dest": 85, "type": "child" } ] }