
{
"nodes": [
{
"index": 0,
"start": "0x10058c0",
"end": "0x10058d1",
"last_instr": "0x10058d0",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "60", "mnemonic": "pushal " },
{
"offset": 1,
"opcode": "be00500001",
"mnemonic": "mov esi, 0x1005000"
},
{
"offset": 6,
"opcode": "8dbe00c0ffff",
"mnemonic": "lea edi, [esi - 0x4000]"
},
{ "offset": 12, "opcode": "57", "mnemonic": "push edi" },
{ "offset": 13, "opcode": "83cdff", "mnemonic": "or ebp, 0xffffffff" },
{ "offset": 16, "opcode": "eb10", "mnemonic": "jmp 0x10058e2" }
],
"registers": {
"EAX": "0x759633b8 ",
"EBX": "0x7efde000 ",
"ECX": "0x00000000 ",
"EDX": "0x010058c0",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff94 ",
"ESP": "0x000cff8c",
"eflags": "0x00000246"
},
"type": "jmp"
},
{
"index": 1,
"start": "0x10058e2",
"end": "0x10058e8",
"last_instr": "0x10058e7",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "8b1e",
"mnemonic": "mov ebx, dword ptr [esi]"
},
{ "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" },
{ "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" }
],
"type": "seq"
},
{
"index": 2,
"start": "0x10058d8",
"end": "0x10058dd",
"last_instr": "0x10058dd",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "8a06", "mnemonic": "mov al, byte ptr [esi]" },
{ "offset": 2, "opcode": "46", "mnemonic": "inc esi" },
{ "offset": 3, "opcode": "8807", "mnemonic": "mov byte ptr [edi], al" },
{ "offset": 5, "opcode": "47", "mnemonic": "inc edi" }
],
"type": "seq"
},
{
"index": 3,
"start": "0x10058e9",
"end": "0x10058ea",
"last_instr": "0x10058e9",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "72ed", "mnemonic": "jb 0x10058d8" }
],
"type": "jcc"
},
{
"index": 4,
"start": "0x10058eb",
"end": "0x10058ef",
"last_instr": "0x10058eb",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "b801000000", "mnemonic": "mov eax, 1" }
],
"type": "seq"
},
{
"index": 5,
"start": "0x1005901",
"end": "0x1005902",
"last_instr": "0x1005901",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "7509", "mnemonic": "jne 0x100590c" }
],
"registers": {
"EAX": "0x00000002 ",
"EBX": "0x0881f9b8 ",
"ECX": "0x00000000 ",
"EDX": "0x010058c0",
"ESI": "0x01005005 ",
"EDI": "0x01001001 ",
"EBP": "0xffffffff ",
"ESP": "0x000cff68",
"eflags": "0x00000a17"
},
"type": "jcc"
},
{
"index": 6,
"start": "0x100590c",
"end": "0x1005912",
"last_instr": "0x1005911",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "31c9", "mnemonic": "xor ecx, ecx" },
{ "offset": 2, "opcode": "83e803", "mnemonic": "sub eax, 3" },
{ "offset": 5, "opcode": "720d", "mnemonic": "jb 0x1005920" }
],
"registers": {
"EAX": "0x00000002 ",
"EBX": "0x0881f9b8 ",
"ECX": "0x00000000 ",
"EDX": "0x010058c0",
"ESI": "0x01005005 ",
"EDI": "0x01001001 ",
"EBP": "0xffffffff ",
"ESP": "0x000cff68",
"eflags": "0x00000a17"
},
"type": "jcc"
},
{
"index": 7,
"start": "0x100593c",
"end": "0x100593c",
"last_instr": "0x100593c",
"wave": 0,
"instructions": [{ "offset": 0, "opcode": "41", "mnemonic": "inc ecx" }],
"type": "seq"
},
{
"index": 8,
"start": "0x100594e",
"end": "0x100594f",
"last_instr": "0x100594e",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "7509", "mnemonic": "jne 0x1005959" }
],
"registers": {
"EAX": "0xffffffff ",
"EBX": "0xf9b80000 ",
"ECX": "0x000000a8 ",
"EDX": "0x010058c0",
"ESI": "0x01005005 ",
"EDI": "0x01001001 ",
"EBP": "0xffffffff ",
"ESP": "0x000cff68",
"eflags": "0x00000287"
},
"type": "jcc"
},
{
"index": 9,
"start": "0x1005959",
"end": "0x100595b",
"last_instr": "0x1005959",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "83c102", "mnemonic": "add ecx, 2" }
],
"type": "seq"
},
{
"index": 10,
"start": "0x100596d",
"end": "0x1005975",
"last_instr": "0x1005974",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "8a02", "mnemonic": "mov al, byte ptr [edx]" },
{ "offset": 2, "opcode": "42", "mnemonic": "inc edx" },
{ "offset": 3, "opcode": "8807", "mnemonic": "mov byte ptr [edi], al" },
{ "offset": 5, "opcode": "47", "mnemonic": "inc edi" },
{ "offset": 6, "opcode": "49", "mnemonic": "dec ecx" },
{ "offset": 7, "opcode": "75f7", "mnemonic": "jne 0x100596d" }
],
"registers": {
"EAX": "0xffffffff ",
"EBX": "0xf9b80000 ",
"ECX": "0x000000ab ",
"EDX": "0x01001000",
"ESI": "0x01005005 ",
"EDI": "0x01001001 ",
"EBP": "0xffffffff ",
"ESP": "0x000cff68",
"eflags": "0x00000206"
},
"type": "jcc"
},
{
"index": 11,
"start": "0x1005976",
"end": "0x100597a",
"last_instr": "0x1005976",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "e963ffffff", "mnemonic": "jmp 0x10058de" }
],
"registers": {
"EAX": "0xffffff00 ",
"EBX": "0xf9b80000 ",
"ECX": "0x00000000 ",
"EDX": "0x010010ab",
"ESI": "0x01005005 ",
"EDI": "0x010010ac ",
"EBP": "0xffffffff ",
"ESP": "0x000cff68",
"eflags": "0x00000246"
},
"type": "jmp"
},
{
"index": 12,
"start": "0x1005913",
"end": "0x100591d",
"last_instr": "0x100591c",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "c1e008", "mnemonic": "shl eax, 8" },
{ "offset": 3, "opcode": "8a06", "mnemonic": "mov al, byte ptr [esi]" },
{ "offset": 5, "opcode": "46", "mnemonic": "inc esi" },
{ "offset": 6, "opcode": "83f0ff", "mnemonic": "xor eax, 0xffffffff" },
{ "offset": 9, "opcode": "7474", "mnemonic": "je 0x1005992" }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0xbdff37e0 ",
"ECX": "0x00000000 ",
"EDX": "0x010010b3",
"ESI": "0x01005013 ",
"EDI": "0x010010b9 ",
"EBP": "0xffffffff ",
"ESP": "0x000cff68",
"eflags": "0x00000246"
},
"type": "jcc"
},
{
"index": 13,
"start": "0x100591e",
"end": "0x100591f",
"last_instr": "0x100591e",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "89c5", "mnemonic": "mov ebp, eax" }
],
"type": "seq"
},
{
"index": 14,
"start": "0x100597c",
"end": "0x100598a",
"last_instr": "0x1005989",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "8b02",
"mnemonic": "mov eax, dword ptr [edx]"
},
{ "offset": 2, "opcode": "83c204", "mnemonic": "add edx, 4" },
{
"offset": 5,
"opcode": "8907",
"mnemonic": "mov dword ptr [edi], eax"
},
{ "offset": 7, "opcode": "83c704", "mnemonic": "add edi, 4" },
{ "offset": 10, "opcode": "83e904", "mnemonic": "sub ecx, 4" },
{ "offset": 13, "opcode": "77f1", "mnemonic": "ja 0x100597c" }
],
"registers": {
"EAX": "0xfffffffc ",
"EBX": "0xf7fcdf80 ",
"ECX": "0x00000003 ",
"EDX": "0x010010b5",
"ESI": "0x01005014 ",
"EDI": "0x010010b9 ",
"EBP": "0xfffffffc ",
"ESP": "0x000cff68",
"eflags": "0x00000246"
},
"type": "jcc"
},
{
"index": 15,
"start": "0x100598b",
"end": "0x1005991",
"last_instr": "0x100598d",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "01cf", "mnemonic": "add edi, ecx" },
{ "offset": 2, "opcode": "e94cffffff", "mnemonic": "jmp 0x10058de" }
],
"registers": {
"EAX": "0x2c010013 ",
"EBX": "0xf7fcdf80 ",
"ECX": "0xffffffff ",
"EDX": "0x010010b9",
"ESI": "0x01005014 ",
"EDI": "0x010010bd ",
"EBP": "0xfffffffc ",
"ESP": "0x000cff68",
"eflags": "0x00000297"
},
"type": "jmp"
},
{
"index": 16,
"start": "0x10058de",
"end": "0x10058e1",
"last_instr": "0x10058e0",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "01db", "mnemonic": "add ebx, ebx" },
{ "offset": 2, "opcode": "7507", "mnemonic": "jne 0x10058e9" }
],
"type": "jcc"
},
{
"index": 17,
"start": "0x10058f4",
"end": "0x10058fa",
"last_instr": "0x10058f9",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "8b1e",
"mnemonic": "mov ebx, dword ptr [esi]"
},
{ "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" },
{ "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" }
],
"type": "seq"
},
{
"index": 18,
"start": "0x10058fb",
"end": "0x1005900",
"last_instr": "0x10058ff",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "11c0", "mnemonic": "adc eax, eax" },
{ "offset": 2, "opcode": "01db", "mnemonic": "add ebx, ebx" },
{ "offset": 4, "opcode": "73ef", "mnemonic": "jae 0x10058f0" }
],
"type": "jcc"
},
{
"index": 19,
"start": "0x1005950",
"end": "0x1005958",
"last_instr": "0x1005957",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "8b1e",
"mnemonic": "mov ebx, dword ptr [esi]"
},
{ "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" },
{ "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" },
{ "offset": 7, "opcode": "73e4", "mnemonic": "jae 0x100593d" }
],
"registers": {
"EAX": "0xffffffff ",
"EBX": "0x00000000 ",
"ECX": "0x00000005 ",
"EDX": "0x01001105",
"ESI": "0x010050ae ",
"EDI": "0x01001173 ",
"EBP": "0xffffff93 ",
"ESP": "0x000cff68",
"eflags": "0x00000a47"
},
"type": "jcc"
},
{
"index": 20,
"start": "0x1005924",
"end": "0x100592a",
"last_instr": "0x1005929",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "8b1e",
"mnemonic": "mov ebx, dword ptr [esi]"
},
{ "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" },
{ "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" }
],
"type": "seq"
},
{
"index": 21,
"start": "0x100592b",
"end": "0x1005930",
"last_instr": "0x100592f",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "11c9", "mnemonic": "adc ecx, ecx" },
{ "offset": 2, "opcode": "01db", "mnemonic": "add ebx, ebx" },
{ "offset": 4, "opcode": "7507", "mnemonic": "jne 0x1005938" }
],
"type": "jcc"
},
{
"index": 22,
"start": "0x1005931",
"end": "0x1005937",
"last_instr": "0x1005936",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "8b1e",
"mnemonic": "mov ebx, dword ptr [esi]"
},
{ "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" },
{ "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" }
],
"type": "seq"
},
{
"index": 23,
"start": "0x1005938",
"end": "0x100593b",
"last_instr": "0x100593a",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "11c9", "mnemonic": "adc ecx, ecx" },
{ "offset": 2, "opcode": "7520", "mnemonic": "jne 0x100595c" }
],
"type": "jcc"
},
{
"index": 24,
"start": "0x1005903",
"end": "0x100590b",
"last_instr": "0x100590a",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "8b1e",
"mnemonic": "mov ebx, dword ptr [esi]"
},
{ "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" },
{ "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" },
{ "offset": 7, "opcode": "73e4", "mnemonic": "jae 0x10058f0" }
],
"registers": {
"EAX": "0x00000002 ",
"EBX": "0x00000000 ",
"ECX": "0xfffffffd ",
"EDX": "0x010011bf",
"ESI": "0x010050dd ",
"EDI": "0x010011ca ",
"EBP": "0xfffffff3 ",
"ESP": "0x000cff68",
"eflags": "0x00000a47"
},
"type": "jcc"
},
{
"index": 25,
"start": "0x10058f0",
"end": "0x10058f3",
"last_instr": "0x10058f2",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "01db", "mnemonic": "add ebx, ebx" },
{ "offset": 2, "opcode": "7507", "mnemonic": "jne 0x10058fb" }
],
"type": "jcc"
},
{
"index": 26,
"start": "0x1005941",
"end": "0x1005947",
"last_instr": "0x1005946",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "8b1e",
"mnemonic": "mov ebx, dword ptr [esi]"
},
{ "offset": 2, "opcode": "83eefc", "mnemonic": "sub esi, -4" },
{ "offset": 5, "opcode": "11db", "mnemonic": "adc ebx, ebx" }
],
"type": "seq"
},
{
"index": 27,
"start": "0x1005948",
"end": "0x100594d",
"last_instr": "0x100594c",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "11c9", "mnemonic": "adc ecx, ecx" },
{ "offset": 2, "opcode": "01db", "mnemonic": "add ebx, ebx" },
{ "offset": 4, "opcode": "73ef", "mnemonic": "jae 0x100593d" }
],
"type": "jcc"
},
{
"index": 28,
"start": "0x100593d",
"end": "0x1005940",
"last_instr": "0x100593f",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "01db", "mnemonic": "add ebx, ebx" },
{ "offset": 2, "opcode": "7507", "mnemonic": "jne 0x1005948" }
],
"type": "jcc"
},
{
"index": 29,
"start": "0x1005920",
"end": "0x1005923",
"last_instr": "0x1005922",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "01db", "mnemonic": "add ebx, ebx" },
{ "offset": 2, "opcode": "7507", "mnemonic": "jne 0x100592b" }
],
"type": "jcc"
},
{
"index": 30,
"start": "0x100595c",
"end": "0x100596c",
"last_instr": "0x100596b",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "81fd00f3ffff",
"mnemonic": "cmp ebp, 0xfffff300"
},
{ "offset": 6, "opcode": "83d101", "mnemonic": "adc ecx, 1" },
{ "offset": 9, "opcode": "8d142f", "mnemonic": "lea edx, [edi + ebp]" },
{ "offset": 12, "opcode": "83fdfc", "mnemonic": "cmp ebp, -4" },
{ "offset": 15, "opcode": "760f", "mnemonic": "jbe 0x100597c" }
],
"type": "jcc"
},
{
"index": 31,
"start": "0x1005992",
"end": "0x100599e",
"last_instr": "0x100599d",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "5e", "mnemonic": "pop esi" },
{ "offset": 1, "opcode": "89f7", "mnemonic": "mov edi, esi" },
{ "offset": 3, "opcode": "b913000000", "mnemonic": "mov ecx, 0x13" },
{ "offset": 8, "opcode": "8a07", "mnemonic": "mov al, byte ptr [edi]" },
{ "offset": 10, "opcode": "47", "mnemonic": "inc edi" },
{ "offset": 11, "opcode": "2ce8", "mnemonic": "sub al, 0xe8" }
],
"type": "seq"
},
{
"index": 32,
"start": "0x10059a3",
"end": "0x10059a7",
"last_instr": "0x10059a6",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "803f01",
"mnemonic": "cmp byte ptr [edi], 1"
},
{ "offset": 3, "opcode": "75f2", "mnemonic": "jne 0x100599a" }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x10000000 ",
"ECX": "0x00000013 ",
"EDX": "0x01003e20",
"ESI": "0x01001000 ",
"EDI": "0x0100110a ",
"EBP": "0xfffffb47 ",
"ESP": "0x000cff6c",
"eflags": "0x00000297"
},
"type": "jcc"
},
{
"index": 33,
"start": "0x10059a8",
"end": "0x10059c5",
"last_instr": "0x10059c4",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "8b07",
"mnemonic": "mov eax, dword ptr [edi]"
},
{
"offset": 2,
"opcode": "8a5f04",
"mnemonic": "mov bl, byte ptr [edi + 4]"
},
{ "offset": 5, "opcode": "66c1e808", "mnemonic": "shr ax, 8" },
{ "offset": 9, "opcode": "c1c010", "mnemonic": "rol eax, 0x10" },
{ "offset": 12, "opcode": "86c4", "mnemonic": "xchg ah, al" },
{ "offset": 14, "opcode": "29f8", "mnemonic": "sub eax, edi" },
{ "offset": 16, "opcode": "80ebe8", "mnemonic": "sub bl, 0xe8" },
{ "offset": 19, "opcode": "01f0", "mnemonic": "add eax, esi" },
{
"offset": 21,
"opcode": "8907",
"mnemonic": "mov dword ptr [edi], eax"
},
{ "offset": 23, "opcode": "83c705", "mnemonic": "add edi, 5" },
{ "offset": 26, "opcode": "88d8", "mnemonic": "mov al, bl" },
{ "offset": 28, "opcode": "e2d9", "mnemonic": "loop 0x100599f" }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x10000000 ",
"ECX": "0x00000013 ",
"EDX": "0x01003e20",
"ESI": "0x01001000 ",
"EDI": "0x0100110a ",
"EBP": "0xfffffb47 ",
"ESP": "0x000cff6c",
"eflags": "0x00000246"
},
"type": "jcc"
},
{
"index": 34,
"start": "0x100599f",
"end": "0x10059a2",
"last_instr": "0x10059a1",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "3c01", "mnemonic": "cmp al, 1" },
{ "offset": 2, "opcode": "77f7", "mnemonic": "ja 0x100599a" }
],
"type": "jcc"
},
{
"index": 35,
"start": "0x10059c6",
"end": "0x10059cb",
"last_instr": "0x10059c6",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "8dbe00300000",
"mnemonic": "lea edi, [esi + 0x3000]"
}
],
"type": "seq"
},
{
"index": 36,
"start": "0x10059d2",
"end": "0x10059e7",
"last_instr": "0x10059e2",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "8b5f04",
"mnemonic": "mov ebx, dword ptr [edi + 4]"
},
{
"offset": 3,
"opcode": "8d84301c540000",
"mnemonic": "lea eax, [eax + esi + 0x541c]"
},
{ "offset": 10, "opcode": "01f3", "mnemonic": "add ebx, esi" },
{ "offset": 12, "opcode": "50", "mnemonic": "push eax" },
{ "offset": 13, "opcode": "83c708", "mnemonic": "add edi, 8" },
{
"offset": 16,
"opcode": "ff9694540000",
"mnemonic": "call dword ptr [esi + 0x5494]"
}
],
"registers": {
"EAX": "0x000000b4 ",
"EBX": "0x100000df ",
"ECX": "0x00000000 ",
"EDX": "0x01003e20",
"ESI": "0x01001000 ",
"EDI": "0x01004000 ",
"EBP": "0xfffffb47 ",
"ESP": "0x000cff6c",
"eflags": "0x00000206"
},
"type": "call",
"syscalls": [
{
"name": "KERNEL32.DLL!LoadLibraryA",
"timestamp": 19.825597,
"arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"KERNEL32.DLL\""],
"return": "0x75950000",
"output": []
},
{
"name": "KERNEL32.DLL!LoadLibraryA",
"timestamp": 19.913203,
"arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"msvcrt.dll\""],
"return": "0x752b0000",
"output": []
},
{
"name": "KERNEL32.DLL!LoadLibraryA",
"timestamp": 19.913203,
"arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"MSWSOCK.dll\""],
"return": "0x6c880000",
"output": []
},
{
"name": "KERNEL32.DLL!LoadLibraryA",
"timestamp": 19.913203,
"arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"USER32.dll\""],
"return": "0x76ac0000",
"output": []
},
{
"name": "KERNEL32.DLL!LoadLibraryA",
"timestamp": 19.913203,
"arguments": ["_IN_ (LPCTSTR) [0x000cff68] \"WS2_32.dll\""],
"return": "0x76e60000",
"output": []
}
]
},
{
"index": 37,
"start": "0x10059e8",
"end": "0x10059e8",
"last_instr": "0x10059e8",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "95", "mnemonic": "xchg eax, ebp" }
],
"type": "seq"
},
{
"index": 38,
"start": "0x10059f0",
"end": "0x10059f3",
"last_instr": "0x10059f2",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "89f9", "mnemonic": "mov ecx, edi" },
{ "offset": 2, "opcode": "7907", "mnemonic": "jns 0x10059fb" }
],
"registers": {
"EAX": "0xfffffb01 ",
"EBX": "0x01001000 ",
"ECX": "0x00000002 ",
"EDX": "0x00000001",
"ESI": "0x01001000 ",
"EDI": "0x01004009 ",
"EBP": "0x75950000 ",
"ESP": "0x000cff6c",
"eflags": "0x00000202"
},
"type": "jcc"
},
{
"index": 39,
"start": "0x1005a06",
"end": "0x1005a09",
"last_instr": "0x1005a08",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "09c0", "mnemonic": "or eax, eax" },
{ "offset": 2, "opcode": "7407", "mnemonic": "je 0x1005a11" }
],
"registers": {
"EAX": "0x75985fbd ",
"EBX": "0x01001000 ",
"ECX": "0x75950000 ",
"EDX": "0x75950000",
"ESI": "0x01001000 ",
"EDI": "0x01004018 ",
"EBP": "0x75950000 ",
"ESP": "0x000cff6c",
"eflags": "0x00000206"
},
"type": "jcc"
},
{
"index": 40,
"start": "0x1005a0a",
"end": "0x1005a10",
"last_instr": "0x1005a0f",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "8903",
"mnemonic": "mov dword ptr [ebx], eax"
},
{ "offset": 2, "opcode": "83c304", "mnemonic": "add ebx, 4" },
{ "offset": 5, "opcode": "ebd8", "mnemonic": "jmp 0x10059e9" }
],
"registers": {
"EAX": "0x75985fbd ",
"EBX": "0x01001000 ",
"ECX": "0x75950000 ",
"EDX": "0x75950000",
"ESI": "0x01001000 ",
"EDI": "0x01004018 ",
"EBP": "0x75950000 ",
"ESP": "0x000cff6c",
"eflags": "0x00000206"
},
"type": "jmp"
},
{
"index": 41,
"start": "0x10059e9",
"end": "0x10059ef",
"last_instr": "0x10059ee",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "8a07", "mnemonic": "mov al, byte ptr [edi]" },
{ "offset": 2, "opcode": "47", "mnemonic": "inc edi" },
{ "offset": 3, "opcode": "08c0", "mnemonic": "or al, al" },
{ "offset": 5, "opcode": "74dc", "mnemonic": "je 0x10059cc" }
],
"type": "jcc"
},
{
"index": 42,
"start": "0x10059cc",
"end": "0x10059d1",
"last_instr": "0x10059d0",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "8b07",
"mnemonic": "mov eax, dword ptr [edi]"
},
{ "offset": 2, "opcode": "09c0", "mnemonic": "or eax, eax" },
{ "offset": 4, "opcode": "7445", "mnemonic": "je 0x1005a17" }
],
"type": "jcc"
},
{
"index": 43,
"start": "0x10059f4",
"end": "0x1005a05",
"last_instr": "0x1005a00",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "0fb707",
"mnemonic": "movzx eax, word ptr [edi]"
},
{ "offset": 3, "opcode": "47", "mnemonic": "inc edi" },
{ "offset": 4, "opcode": "50", "mnemonic": "push eax" },
{ "offset": 5, "opcode": "47", "mnemonic": "inc edi" },
{
"offset": 6,
"opcode": "b95748f2ae",
"mnemonic": "mov ecx, 0xaef24857"
},
{ "offset": 11, "opcode": "55", "mnemonic": "push ebp" },
{
"offset": 12,
"opcode": "ff9698540000",
"mnemonic": "call dword ptr [esi + 0x5498]"
}
],
"registers": {
"EAX": "0x76ac00ff ",
"EBX": "0x01001024 ",
"ECX": "0x01004150 ",
"EDX": "0x004c34a4",
"ESI": "0x01001000 ",
"EDI": "0x01004150 ",
"EBP": "0x76e60000 ",
"ESP": "0x000cff6c",
"eflags": "0x00000286"
},
"type": "call",
"syscalls": [
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.875559,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x75950000",
"_IN_ (LPCSTR) [0x000cff68] \"FormatMessageA\""
],
"return": "0x75985fbd",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.905854,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x75950000",
"_IN_ (LPCSTR) [0x000cff68] \"LocalFree\""
],
"return": "0x75962d3c",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.905854,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x75950000",
"_IN_ (LPCSTR) [0x000cff68] \"GetModuleHandleA\""
],
"return": "0x75961245",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.905854,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x75950000",
"_IN_ (LPCSTR) [0x000cff68] \"GetLastError\""
],
"return": "0x759611c0",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"__p__commode\""
],
"return": "0x752c27c3",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"__p__fmode\""
],
"return": "0x752c27ce",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"__set_app_type\""
],
"return": "0x752c2804",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"_controlfp\""
],
"return": "0x752be1e1",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"_cexit\""
],
"return": "0x752c37d4",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"_adjust_fdiv\""
],
"return": "0x753532ec",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"_except_handler3\""
],
"return": "0x752dd770",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"_XcptFilter\""
],
"return": "0x752ddc75",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"_exit\""
],
"return": "0x7531b2c0",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"_c_exit\""
],
"return": "0x7531b2db",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"__setusermatherr\""
],
"return": "0x753477ad",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"_initterm\""
],
"return": "0x752bc151",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"__getmainargs\""
],
"return": "0x752c2bc0",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"__initenv\""
],
"return": "0x753504e8",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"_write\""
],
"return": "0x752c4078",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"strchr\""
],
"return": "0x752bdbeb",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"puts\""
],
"return": "0x75328d04",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x752b0000",
"_IN_ (LPCSTR) [0x000cff68] \"exit\""
],
"return": "0x752c36aa",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x6c880000",
"_IN_ (LPCSTR) [0x000cff68] \"s_perror\""
],
"return": "0x6c8a1be4",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddress",
"timestamp": 19.913203,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x76ac0000",
"_IN_ (LPCSTR) [0x000cff68] \"CharToOemBuffA\""
],
"return": "0x76aeb1b0",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddressOrdinal",
"timestamp": 19.942805,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x76e60000",
"_IN_ (USHORT) [0x000cff68] 0x00000039"
],
"return": "0x76e6a05b",
"output": []
},
{
"name": "KERNEL32.DLL!GetProcAddressOrdinal",
"timestamp": 19.942805,
"arguments": [
"_IN_ (HMODULE) [0x000cff64] 0x76e60000",
"_IN_ (USHORT) [0x000cff68] 0x00000073"
],
"return": "0x76e63ab2",
"output": []
}
]
},
{
"index": 44,
"start": "0x1005a17",
"end": "0x1005a2f",
"last_instr": "0x1005a2e",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "8bae9c540000",
"mnemonic": "mov ebp, dword ptr [esi + 0x549c]"
},
{
"offset": 6,
"opcode": "8dbe00f0ffff",
"mnemonic": "lea edi, [esi - 0x1000]"
},
{ "offset": 12, "opcode": "bb00100000", "mnemonic": "mov ebx, 0x1000" },
{ "offset": 17, "opcode": "50", "mnemonic": "push eax" },
{ "offset": 18, "opcode": "54", "mnemonic": "push esp" },
{ "offset": 19, "opcode": "6a04", "mnemonic": "push 4" },
{ "offset": 21, "opcode": "53", "mnemonic": "push ebx" },
{ "offset": 22, "opcode": "57", "mnemonic": "push edi" },
{ "offset": 23, "opcode": "ffd5", "mnemonic": "call ebp" }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x0100102c ",
"ECX": "0x76e60000 ",
"EDX": "0x00001725",
"ESI": "0x01001000 ",
"EDI": "0x01004156 ",
"EBP": "0x76e60000 ",
"ESP": "0x000cff6c",
"eflags": "0x00000246"
},
"type": "call",
"syscalls": [
{
"name": "KERNEL32.DLL!VirtualProtect",
"timestamp": 19.950966,
"arguments": [
"_IN_ (LPVOID) [0x000cff58] 0x01000000",
"_IN_ (SIZE_T) [0x000cff5c] 0x00001000",
"_IN_ (DWORD) [0x000cff60] 0x00000004",
"_OUT_ (PDWORD) [0x000cff64] 0x000cff68"
],
"return": "TRUE",
"output": ["[0x000cff68] 0x00000002"]
}
]
},
{
"index": 45,
"start": "0x1005a30",
"end": "0x1005a44",
"last_instr": "0x1005a43",
"wave": 0,
"instructions": [
{
"offset": 0,
"opcode": "8d87f7010000",
"mnemonic": "lea eax, [edi + 0x1f7]"
},
{
"offset": 6,
"opcode": "80207f",
"mnemonic": "and byte ptr [eax], 0x7f"
},
{
"offset": 9,
"opcode": "8060287f",
"mnemonic": "and byte ptr [eax + 0x28], 0x7f"
},
{ "offset": 13, "opcode": "58", "mnemonic": "pop eax" },
{ "offset": 14, "opcode": "50", "mnemonic": "push eax" },
{ "offset": 15, "opcode": "54", "mnemonic": "push esp" },
{ "offset": 16, "opcode": "50", "mnemonic": "push eax" },
{ "offset": 17, "opcode": "53", "mnemonic": "push ebx" },
{ "offset": 18, "opcode": "57", "mnemonic": "push edi" },
{ "offset": 19, "opcode": "ffd5", "mnemonic": "call ebp" }
],
"registers": {
"EAX": "0x00000001 ",
"EBX": "0x00001000 ",
"ECX": "0x7a280000 ",
"EDX": "0x0008e3c8",
"ESI": "0x01001000 ",
"EDI": "0x01000000 ",
"EBP": "0x7596435f ",
"ESP": "0x000cff68",
"eflags": "0x00000202"
},
"type": "call",
"syscalls": [
{
"name": "KERNEL32.DLL!VirtualProtect",
"timestamp": 19.966595,
"arguments": [
"_IN_ (LPVOID) [0x000cff58] 0x01000000",
"_IN_ (SIZE_T) [0x000cff5c] 0x00001000",
"_IN_ (DWORD) [0x000cff60] 0x00000002",
"_OUT_ (PDWORD) [0x000cff64] 0x000cff68"
],
"return": "TRUE",
"output": ["[0x000cff68] 0x00000004"]
}
]
},
{
"index": 46,
"start": "0x1005a45",
"end": "0x1005a4a",
"last_instr": "0x1005a47",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "58", "mnemonic": "pop eax" },
{ "offset": 1, "opcode": "61", "mnemonic": "popal " },
{
"offset": 2,
"opcode": "8d442480",
"mnemonic": "lea eax, [esp - 0x80]"
}
],
"type": "seq"
},
{
"index": 47,
"start": "0x1005a51",
"end": "0x1005a58",
"last_instr": "0x1005a54",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "83ec80", "mnemonic": "sub esp, -0x80" },
{ "offset": 3, "opcode": "e97eb7ffff", "mnemonic": "jmp 0x10011d7" }
],
"registers": {
"EAX": "0x000cff0c ",
"EBX": "0x7efde000 ",
"ECX": "0x00000000 ",
"EDX": "0x010058c0",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff94 ",
"ESP": "0x000cff0c",
"eflags": "0x00000246"
},
"type": "jmp"
},
{
"index": 48,
"start": "0x10011d7",
"end": "0x10011e2",
"last_instr": "0x10011de",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "6a28", "mnemonic": "push 0x28" },
{ "offset": 2, "opcode": "68b0100001", "mnemonic": "push 0x10010b0" },
{ "offset": 7, "opcode": "e891010000", "mnemonic": "call 0x1001374" }
],
"registers": {
"EAX": "0x000cff0c ",
"EBX": "0x7efde000 ",
"ECX": "0x00000000 ",
"EDX": "0x010058c0",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff94 ",
"ESP": "0x000cff8c",
"eflags": "0x00000203"
},
"type": "call"
},
{
"index": 49,
"start": "0x1001374",
"end": "0x10013ac",
"last_instr": "0x10013ac",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "68c4130001", "mnemonic": "push 0x10013c4" },
{
"offset": 5,
"opcode": "64a100000000",
"mnemonic": "mov eax, dword ptr fs:[0]"
},
{ "offset": 11, "opcode": "50", "mnemonic": "push eax" },
{
"offset": 12,
"opcode": "64892500000000",
"mnemonic": "mov dword ptr fs:[0], esp"
},
{
"offset": 19,
"opcode": "8b442410",
"mnemonic": "mov eax, dword ptr [esp + 0x10]"
},
{
"offset": 23,
"opcode": "896c2410",
"mnemonic": "mov dword ptr [esp + 0x10], ebp"
},
{
"offset": 27,
"opcode": "8d6c2410",
"mnemonic": "lea ebp, [esp + 0x10]"
},
{ "offset": 31, "opcode": "2be0", "mnemonic": "sub esp, eax" },
{ "offset": 33, "opcode": "53", "mnemonic": "push ebx" },
{ "offset": 34, "opcode": "56", "mnemonic": "push esi" },
{ "offset": 35, "opcode": "57", "mnemonic": "push edi" },
{
"offset": 36,
"opcode": "8b45f8",
"mnemonic": "mov eax, dword ptr [ebp - 8]"
},
{
"offset": 39,
"opcode": "8965e8",
"mnemonic": "mov dword ptr [ebp - 0x18], esp"
},
{ "offset": 42, "opcode": "50", "mnemonic": "push eax" },
{
"offset": 43,
"opcode": "8b45fc",
"mnemonic": "mov eax, dword ptr [ebp - 4]"
},
{
"offset": 46,
"opcode": "c745fcffffffff",
"mnemonic": "mov dword ptr [ebp - 4], 0xffffffff"
},
{
"offset": 53,
"opcode": "8945f8",
"mnemonic": "mov dword ptr [ebp - 8], eax"
},
{ "offset": 56, "opcode": "c3", "mnemonic": "ret " }
],
"registers": {
"EAX": "0x000cff0c ",
"EBX": "0x7efde000 ",
"ECX": "0x00000000 ",
"EDX": "0x010058c0",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff94 ",
"ESP": "0x000cff80",
"eflags": "0x00000203"
},
"type": "ret"
},
{
"index": 50,
"start": "0x10011e3",
"end": "0x10011eb",
"last_instr": "0x10011e6",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "33ff", "mnemonic": "xor edi, edi" },
{ "offset": 2, "opcode": "57", "mnemonic": "push edi" },
{
"offset": 3,
"opcode": "ff1508100001",
"mnemonic": "call dword ptr [0x1001008]"
}
],
"registers": {
"EAX": "0x010010b0 ",
"EBX": "0x7efde000 ",
"ECX": "0x00000000 ",
"EDX": "0x010058c0",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff44",
"eflags": "0x00000206"
},
"type": "call",
"syscalls": [
{
"name": "KERNEL32.DLL!GetModuleHandleA",
"timestamp": 20.007819,
"arguments": ["_IN_ (LPCTSTR) [0x000cff40] \"\""],
"return": "0x01000000",
"output": []
}
]
},
{
"index": 51,
"start": "0x10011ec",
"end": "0x10011f2",
"last_instr": "0x10011f1",
"wave": 1,
"instructions": [
{
"offset": 0,
"opcode": "6681384d5a",
"mnemonic": "cmp word ptr [eax], 0x5a4d"
},
{ "offset": 5, "opcode": "751f", "mnemonic": "jne 0x1001212" }
],
"registers": {
"EAX": "0x01000000 ",
"EBX": "0x7efde000 ",
"ECX": "0x00000000 ",
"EDX": "0x010058c0",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff44",
"eflags": "0x00000246"
},
"type": "jcc"
},
{
"index": 52,
"start": "0x10011f3",
"end": "0x10011ff",
"last_instr": "0x10011fe",
"wave": 1,
"instructions": [
{
"offset": 0,
"opcode": "8b483c",
"mnemonic": "mov ecx, dword ptr [eax + 0x3c]"
},
{ "offset": 3, "opcode": "03c8", "mnemonic": "add ecx, eax" },
{
"offset": 5,
"opcode": "813950450000",
"mnemonic": "cmp dword ptr [ecx], 0x4550"
},
{ "offset": 11, "opcode": "7512", "mnemonic": "jne 0x1001212" }
],
"registers": {
"EAX": "0x01000000 ",
"EBX": "0x7efde000 ",
"ECX": "0x00000000 ",
"EDX": "0x010058c0",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff44",
"eflags": "0x00000246"
},
"type": "jcc"
},
{
"index": 53,
"start": "0x1001200",
"end": "0x100120a",
"last_instr": "0x1001209",
"wave": 1,
"instructions": [
{
"offset": 0,
"opcode": "0fb74118",
"mnemonic": "movzx eax, word ptr [ecx + 0x18]"
},
{ "offset": 4, "opcode": "3d0b010000", "mnemonic": "cmp eax, 0x10b" },
{ "offset": 9, "opcode": "741f", "mnemonic": "je 0x100122a" }
],
"registers": {
"EAX": "0x01000000 ",
"EBX": "0x7efde000 ",
"ECX": "0x010000d8 ",
"EDX": "0x010058c0",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff44",
"eflags": "0x00000246"
},
"type": "jcc"
},
{
"index": 54,
"start": "0x100122a",
"end": "0x100122f",
"last_instr": "0x100122e",
"wave": 1,
"instructions": [
{
"offset": 0,
"opcode": "8379740e",
"mnemonic": "cmp dword ptr [ecx + 0x74], 0xe"
},
{ "offset": 4, "opcode": "76e2", "mnemonic": "jbe 0x1001212" }
],
"registers": {
"EAX": "0x0000010b ",
"EBX": "0x7efde000 ",
"ECX": "0x010000d8 ",
"EDX": "0x010058c0",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff44",
"eflags": "0x00000246"
},
"type": "jcc"
},
{
"index": 55,
"start": "0x1001230",
"end": "0x1001248",
"last_instr": "0x1001243",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "33c0", "mnemonic": "xor eax, eax" },
{
"offset": 2,
"opcode": "39b9e8000000",
"mnemonic": "cmp dword ptr [ecx + 0xe8], edi"
},
{ "offset": 8, "opcode": "0f95c0", "mnemonic": "setne al" },
{
"offset": 11,
"opcode": "8945e4",
"mnemonic": "mov dword ptr [ebp - 0x1c], eax"
},
{
"offset": 14,
"opcode": "897dfc",
"mnemonic": "mov dword ptr [ebp - 4], edi"
},
{ "offset": 17, "opcode": "6a01", "mnemonic": "push 1" },
{
"offset": 19,
"opcode": "ff1538100001",
"mnemonic": "call dword ptr [0x1001038]"
}
],
"registers": {
"EAX": "0x0000010b ",
"EBX": "0x7efde000 ",
"ECX": "0x010000d8 ",
"EDX": "0x010058c0",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff44",
"eflags": "0x00000212"
},
"type": "call",
"syscalls": [
{
"name": "MSVCRT.DLL!__set_app_type",
"timestamp": 20.042519,
"arguments": ["_IN_ (INT) [0x000cff40] 0x00000001"],
"return": "",
"output": []
}
]
},
{
"index": 56,
"start": "0x1001249",
"end": "0x100125d",
"last_instr": "0x1001258",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "59", "mnemonic": "pop ecx" },
{
"offset": 1,
"opcode": "830dd0210001ff",
"mnemonic": "or dword ptr [0x10021d0], 0xffffffff"
},
{
"offset": 8,
"opcode": "830dd4210001ff",
"mnemonic": "or dword ptr [0x10021d4], 0xffffffff"
},
{
"offset": 15,
"opcode": "ff1534100001",
"mnemonic": "call dword ptr [0x1001034]"
}
],
"registers": {
"EAX": "0x00000001 ",
"EBX": "0x7efde000 ",
"ECX": "0x00000001 ",
"EDX": "0x000000d8",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff40",
"eflags": "0x00000202"
},
"type": "call",
"syscalls": [
{
"name": "MSVCRT.DLL!__p__fmode",
"timestamp": 20.060264,
"arguments": [],
"return": "0x753531f4",
"output": []
}
]
},
{
"index": 57,
"start": "0x100125e",
"end": "0x100126b",
"last_instr": "0x1001266",
"wave": 1,
"instructions": [
{
"offset": 0,
"opcode": "8b0d2c200001",
"mnemonic": "mov ecx, dword ptr [0x100202c]"
},
{
"offset": 6,
"opcode": "8908",
"mnemonic": "mov dword ptr [eax], ecx"
},
{
"offset": 8,
"opcode": "ff1530100001",
"mnemonic": "call dword ptr [0x1001030]"
}
],
"registers": {
"EAX": "0x753531f4 ",
"EBX": "0x7efde000 ",
"ECX": "0x00000001 ",
"EDX": "0x000000d8",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff44",
"eflags": "0x00000286"
},
"type": "call",
"syscalls": [
{
"name": "MSVCRT.DLL!__p__commode",
"timestamp": 20.066232,
"arguments": [],
"return": "0x753531fc",
"output": []
}
]
},
{
"index": 58,
"start": "0x100126c",
"end": "0x1001284",
"last_instr": "0x1001280",
"wave": 1,
"instructions": [
{
"offset": 0,
"opcode": "8b0d28200001",
"mnemonic": "mov ecx, dword ptr [0x1002028]"
},
{
"offset": 6,
"opcode": "8908",
"mnemonic": "mov dword ptr [eax], ecx"
},
{
"offset": 8,
"opcode": "a144100001",
"mnemonic": "mov eax, dword ptr [0x1001044]"
},
{
"offset": 13,
"opcode": "8b00",
"mnemonic": "mov eax, dword ptr [eax]"
},
{
"offset": 15,
"opcode": "a3d8210001",
"mnemonic": "mov dword ptr [0x10021d8], eax"
},
{ "offset": 20, "opcode": "e8eb000000", "mnemonic": "call 0x1001370" }
],
"registers": {
"EAX": "0x753531fc ",
"EBX": "0x7efde000 ",
"ECX": "0x00000000 ",
"EDX": "0x000000d8",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff44",
"eflags": "0x00000286"
},
"type": "call"
},
{
"index": 59,
"start": "0x1001370",
"end": "0x1001372",
"last_instr": "0x1001372",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "33c0", "mnemonic": "xor eax, eax" },
{ "offset": 2, "opcode": "c3", "mnemonic": "ret " }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x7efde000 ",
"ECX": "0x00000000 ",
"EDX": "0x000000d8",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff40",
"eflags": "0x00000286"
},
"type": "ret"
},
{
"index": 60,
"start": "0x1001285",
"end": "0x100128c",
"last_instr": "0x100128b",
"wave": 1,
"instructions": [
{
"offset": 0,
"opcode": "393d00200001",
"mnemonic": "cmp dword ptr [0x1002000], edi"
},
{ "offset": 6, "opcode": "750c", "mnemonic": "jne 0x1001299" }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x7efde000 ",
"ECX": "0x00000000 ",
"EDX": "0x000000d8",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff44",
"eflags": "0x00000246"
},
"type": "jcc"
},
{
"index": 61,
"start": "0x1001299",
"end": "0x100129d",
"last_instr": "0x1001299",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "e8c0000000", "mnemonic": "call 0x100135e" }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x7efde000 ",
"ECX": "0x00000000 ",
"EDX": "0x000000d8",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff44",
"eflags": "0x00000202"
},
"type": "call"
},
{
"index": 62,
"start": "0x100135e",
"end": "0x100136c",
"last_instr": "0x1001368",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "6800000300", "mnemonic": "push 0x30000" },
{ "offset": 5, "opcode": "6800000100", "mnemonic": "push 0x10000" },
{ "offset": 10, "opcode": "e851000000", "mnemonic": "call 0x10013be" }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x7efde000 ",
"ECX": "0x00000000 ",
"EDX": "0x000000d8",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff40",
"eflags": "0x00000202"
},
"type": "call",
"obfuscations": [
{
"type": "callstack tampering : call",
"description": "No ret instruction corresponding to the call"
}
]
},
{
"index": 63,
"start": "0x10013be",
"end": "0x10013c3",
"last_instr": "0x10013be",
"wave": 1,
"instructions": [
{
"offset": 0,
"opcode": "ff253c100001",
"mnemonic": "jmp dword ptr [0x100103c]"
}
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x7efde000 ",
"ECX": "0x00000000 ",
"EDX": "0x000000d8",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff34",
"eflags": "0x00000202"
},
"type": "jmp",
"syscalls": [
{
"name": "MSVCRT.DLL!_controlfp",
"timestamp": 20.101722,
"arguments": [],
"return": "",
"output": []
}
]
},
{
"index": 64,
"start": "0x100136d",
"end": "0x100136f",
"last_instr": "0x100136f",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "59", "mnemonic": "pop ecx" },
{ "offset": 1, "opcode": "59", "mnemonic": "pop ecx" },
{ "offset": 2, "opcode": "c3", "mnemonic": "ret " }
],
"registers": {
"EAX": "0x0009001f ",
"EBX": "0x7efde000 ",
"ECX": "0x00010000 ",
"EDX": "0x0008001f",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff38",
"eflags": "0x00000246"
},
"type": "ret"
},
{
"index": 65,
"start": "0x100129e",
"end": "0x10012ac",
"last_instr": "0x10012a8",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "6888100001", "mnemonic": "push 0x1001088" },
{ "offset": 5, "opcode": "6884100001", "mnemonic": "push 0x1001084" },
{ "offset": 10, "opcode": "e8ab000000", "mnemonic": "call 0x1001358" }
],
"registers": {
"EAX": "0x0009001f ",
"EBX": "0x7efde000 ",
"ECX": "0x00030000 ",
"EDX": "0x0008001f",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff44",
"eflags": "0x00000246"
},
"type": "call",
"obfuscations": [
{
"type": "callstack tampering : call",
"description": "No ret instruction corresponding to the call"
}
]
},
{
"index": 66,
"start": "0x1001358",
"end": "0x100135d",
"last_instr": "0x1001358",
"wave": 1,
"instructions": [
{
"offset": 0,
"opcode": "ff255c100001",
"mnemonic": "jmp dword ptr [0x100105c]"
}
],
"registers": {
"EAX": "0x0009001f ",
"EBX": "0x7efde000 ",
"ECX": "0x00030000 ",
"EDX": "0x0008001f",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff38",
"eflags": "0x00000246"
},
"type": "jmp",
"syscalls": [
{
"name": "MSVCRT.DLL!_initterm",
"timestamp": 20.12734,
"arguments": [],
"return": "",
"output": []
},
{
"name": "MSVCRT.DLL!_initterm",
"timestamp": 20.150398,
"arguments": [],
"return": "",
"output": []
}
]
},
{
"index": 67,
"start": "0x10012ad",
"end": "0x10012d0",
"last_instr": "0x10012cb",
"wave": 1,
"instructions": [
{
"offset": 0,
"opcode": "a124200001",
"mnemonic": "mov eax, dword ptr [0x1002024]"
},
{
"offset": 5,
"opcode": "8945e0",
"mnemonic": "mov dword ptr [ebp - 0x20], eax"
},
{
"offset": 8,
"opcode": "8d45e0",
"mnemonic": "lea eax, [ebp - 0x20]"
},
{ "offset": 11, "opcode": "50", "mnemonic": "push eax" },
{
"offset": 12,
"opcode": "ff3520200001",
"mnemonic": "push dword ptr [0x1002020]"
},
{
"offset": 18,
"opcode": "8d45dc",
"mnemonic": "lea eax, [ebp - 0x24]"
},
{ "offset": 21, "opcode": "50", "mnemonic": "push eax" },
{
"offset": 22,
"opcode": "8d45d8",
"mnemonic": "lea eax, [ebp - 0x28]"
},
{ "offset": 25, "opcode": "50", "mnemonic": "push eax" },
{
"offset": 26,
"opcode": "8d45d4",
"mnemonic": "lea eax, [ebp - 0x2c]"
},
{ "offset": 29, "opcode": "50", "mnemonic": "push eax" },
{
"offset": 30,
"opcode": "ff1560100001",
"mnemonic": "call dword ptr [0x1001060]"
}
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x7efde000 ",
"ECX": "0x00030000 ",
"EDX": "0x0008001f",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff3c",
"eflags": "0x00000246"
},
"type": "call",
"syscalls": [
{
"name": "MSVCRT.DLL!__getmainargs",
"timestamp": 20.132675,
"arguments": [],
"return": "",
"output": []
}
]
},
{
"index": 68,
"start": "0x10012d1",
"end": "0x10012e2",
"last_instr": "0x10012de",
"wave": 1,
"instructions": [
{
"offset": 0,
"opcode": "8945d0",
"mnemonic": "mov dword ptr [ebp - 0x30], eax"
},
{ "offset": 3, "opcode": "6880100001", "mnemonic": "push 0x1001080" },
{ "offset": 8, "opcode": "687c100001", "mnemonic": "push 0x100107c" },
{ "offset": 13, "opcode": "e875000000", "mnemonic": "call 0x1001358" }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x7efde000 ",
"ECX": "0x000cff64 ",
"EDX": "0x002115a8",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff28",
"eflags": "0x00000246"
},
"type": "call",
"obfuscations": [
{
"type": "callstack tampering : call",
"description": "No ret instruction corresponding to the call"
}
]
},
{
"index": 69,
"start": "0x10012e3",
"end": "0x10012fb",
"last_instr": "0x10012f7",
"wave": 1,
"instructions": [
{
"offset": 0,
"opcode": "8b45dc",
"mnemonic": "mov eax, dword ptr [ebp - 0x24]"
},
{
"offset": 3,
"opcode": "8b0d64100001",
"mnemonic": "mov ecx, dword ptr [0x1001064]"
},
{
"offset": 9,
"opcode": "8901",
"mnemonic": "mov dword ptr [ecx], eax"
},
{
"offset": 11,
"opcode": "ff75dc",
"mnemonic": "push dword ptr [ebp - 0x24]"
},
{
"offset": 14,
"opcode": "ff75d8",
"mnemonic": "push dword ptr [ebp - 0x28]"
},
{
"offset": 17,
"opcode": "ff75d4",
"mnemonic": "push dword ptr [ebp - 0x2c]"
},
{ "offset": 20, "opcode": "e8e0fdffff", "mnemonic": "call 0x10010dc" }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x7efde000 ",
"ECX": "0x000cff64 ",
"EDX": "0x002115a8",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff20",
"eflags": "0x00000246"
},
"type": "call",
"obfuscations": [
{
"type": "callstack tampering : call",
"description": "No ret instruction corresponding to the call"
}
]
},
{
"index": 70,
"start": "0x10010dc",
"end": "0x10010f7",
"last_instr": "0x10010f2",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "55", "mnemonic": "push ebp" },
{ "offset": 1, "opcode": "8bec", "mnemonic": "mov ebp, esp" },
{ "offset": 3, "opcode": "81ec00040000", "mnemonic": "sub esp, 0x400" },
{ "offset": 9, "opcode": "53", "mnemonic": "push ebx" },
{ "offset": 10, "opcode": "56", "mnemonic": "push esi" },
{ "offset": 11, "opcode": "57", "mnemonic": "push edi" },
{ "offset": 12, "opcode": "6840200001", "mnemonic": "push 0x1002040" },
{ "offset": 17, "opcode": "6801010000", "mnemonic": "push 0x101" },
{
"offset": 22,
"opcode": "ff1528100001",
"mnemonic": "call dword ptr [0x1001028]"
}
],
"registers": {
"EAX": "0x002115a8 ",
"EBX": "0x7efde000 ",
"ECX": "0x753504e8 ",
"EDX": "0x002115a8",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff88 ",
"ESP": "0x000cff10",
"eflags": "0x00000246"
},
"type": "call",
"syscalls": [
{
"name": "WS2_32.DLL!WSAStartup",
"timestamp": 20.166225,
"arguments": [
"_IN_ (WORD) [0x000cfaf8] 0x00000101",
"_OUT_ (LPWSADATA) [0x000cfafc] 0x01002040"
],
"return": "0x00000000",
"output": [
"[LPWSADATA]",
"[0x01002040] 0x00000101",
"[0x01002042] 0x00000202",
"[0x01002044] \"WinSock 2.0\"",
"[0x0100204f] \"\"",
"[0x0100204f] 0x00000000",
"[0x01002051] 0x00000000",
"[0x01002053] \"\""
]
}
]
},
{
"index": 71,
"start": "0x10010f8",
"end": "0x10010fc",
"last_instr": "0x10010fb",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "83f8ff", "mnemonic": "cmp eax, -1" },
{ "offset": 3, "opcode": "7511", "mnemonic": "jne 0x100110e" }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x7efde000 ",
"ECX": "0x76e63beb ",
"EDX": "0x00080002",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff0c ",
"ESP": "0x000cfb00",
"eflags": "0x00000246"
},
"type": "jcc"
},
{
"index": 72,
"start": "0x100110e",
"end": "0x1001119",
"last_instr": "0x1001118",
"wave": 1,
"instructions": [
{
"offset": 0,
"opcode": "8b7d0c",
"mnemonic": "mov edi, dword ptr [ebp + 0xc]"
},
{ "offset": 3, "opcode": "33db", "mnemonic": "xor ebx, ebx" },
{
"offset": 5,
"opcode": "beac100001",
"mnemonic": "mov esi, 0x10010ac"
},
{ "offset": 10, "opcode": "eb07", "mnemonic": "jmp 0x1001121" }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x7efde000 ",
"ECX": "0x76e63beb ",
"EDX": "0x00080002",
"ESI": "0x00000000 ",
"EDI": "0x00000000 ",
"EBP": "0x000cff0c ",
"ESP": "0x000cfb00",
"eflags": "0x00000213"
},
"type": "jmp"
},
{
"index": 73,
"start": "0x1001121",
"end": "0x100112a",
"last_instr": "0x1001126",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "56", "mnemonic": "push esi" },
{ "offset": 1, "opcode": "57", "mnemonic": "push edi" },
{
"offset": 2,
"opcode": "ff7508",
"mnemonic": "push dword ptr [ebp + 8]"
},
{ "offset": 5, "opcode": "e84a030000", "mnemonic": "call 0x1001475" }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x00000000 ",
"ECX": "0x76e63beb ",
"EDX": "0x00080002",
"ESI": "0x010010ac ",
"EDI": "0x00211120 ",
"EBP": "0x000cff0c ",
"ESP": "0x000cfb00",
"eflags": "0x00000246"
},
"type": "call"
},
{
"index": 74,
"start": "0x1001475",
"end": "0x100148b",
"last_instr": "0x100148a",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "56", "mnemonic": "push esi" },
{
"offset": 1,
"opcode": "8b3504200001",
"mnemonic": "mov esi, dword ptr [0x1002004]"
},
{
"offset": 7,
"opcode": "3b742408",
"mnemonic": "cmp esi, dword ptr [esp + 8]"
},
{
"offset": 11,
"opcode": "c705dc21000134200001",
"mnemonic": "mov dword ptr [0x10021dc], 0x1002034"
},
{ "offset": 21, "opcode": "7c08", "mnemonic": "jl 0x1001494" }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x00000000 ",
"ECX": "0x76e63beb ",
"EDX": "0x00080002",
"ESI": "0x010010ac ",
"EDI": "0x00211120 ",
"EBP": "0x000cff0c ",
"ESP": "0x000cfaf0",
"eflags": "0x00000246"
},
"type": "jcc"
},
{
"index": 75,
"start": "0x100148c",
"end": "0x1001493",
"last_instr": "0x100148f",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "83c8ff", "mnemonic": "or eax, 0xffffffff" },
{ "offset": 3, "opcode": "e9c8000000", "mnemonic": "jmp 0x100155c" }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x00000000 ",
"ECX": "0x76e63beb ",
"EDX": "0x00080002",
"ESI": "0x00000001 ",
"EDI": "0x00211120 ",
"EBP": "0x000cff0c ",
"ESP": "0x000cfaec",
"eflags": "0x00000246"
},
"type": "jmp"
},
{
"index": 76,
"start": "0x100155c",
"end": "0x100155f",
"last_instr": "0x100155d",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "5e", "mnemonic": "pop esi" },
{ "offset": 1, "opcode": "c20c00", "mnemonic": "ret 0xc" }
],
"registers": {
"EAX": "0xffffffff ",
"EBX": "0x00000000 ",
"ECX": "0x76e63beb ",
"EDX": "0x00080002",
"ESI": "0x00000001 ",
"EDI": "0x00211120 ",
"EBP": "0x000cff0c ",
"ESP": "0x000cfaec",
"eflags": "0x00000286"
},
"type": "ret"
},
{
"index": 77,
"start": "0x100112b",
"end": "0x100112f",
"last_instr": "0x100112e",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "83f8ff", "mnemonic": "cmp eax, -1" },
{ "offset": 3, "opcode": "75ea", "mnemonic": "jne 0x100111a" }
],
"registers": {
"EAX": "0xffffffff ",
"EBX": "0x00000000 ",
"ECX": "0x76e63beb ",
"EDX": "0x00080002",
"ESI": "0x010010ac ",
"EDI": "0x00211120 ",
"EBP": "0x000cff0c ",
"ESP": "0x000cfb00",
"eflags": "0x00000286"
},
"type": "jcc"
},
{
"index": 78,
"start": "0x1001130",
"end": "0x100113a",
"last_instr": "0x1001139",
"wave": 1,
"instructions": [
{
"offset": 0,
"opcode": "a104200001",
"mnemonic": "mov eax, dword ptr [0x1002004]"
},
{
"offset": 5,
"opcode": "833c8700",
"mnemonic": "cmp dword ptr [edi + eax*4], 0"
},
{ "offset": 9, "opcode": "7419", "mnemonic": "je 0x1001154" }
],
"registers": {
"EAX": "0xffffffff ",
"EBX": "0x00000000 ",
"ECX": "0x76e63beb ",
"EDX": "0x00080002",
"ESI": "0x010010ac ",
"EDI": "0x00211120 ",
"EBP": "0x000cff0c ",
"ESP": "0x000cfb00",
"eflags": "0x00000246"
},
"type": "jcc"
},
{
"index": 79,
"start": "0x1001154",
"end": "0x1001165",
"last_instr": "0x1001160",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "6800040000", "mnemonic": "push 0x400" },
{
"offset": 5,
"opcode": "8d8500fcffff",
"mnemonic": "lea eax, [ebp - 0x400]"
},
{ "offset": 11, "opcode": "50", "mnemonic": "push eax" },
{
"offset": 12,
"opcode": "ff1524100001",
"mnemonic": "call dword ptr [0x1001024]"
}
],
"registers": {
"EAX": "0x00000001 ",
"EBX": "0x00000000 ",
"ECX": "0x76e63beb ",
"EDX": "0x00080002",
"ESI": "0x010010ac ",
"EDI": "0x00211120 ",
"EBP": "0x000cff0c ",
"ESP": "0x000cfb00",
"eflags": "0x00000246"
},
"type": "call",
"syscalls": [
{
"name": "WS2_32.DLL!gethostname",
"timestamp": 20.295551,
"arguments": [
"_OUT_ (CHAR*) [0x000cfaf8] 0x000cfb0c",
"_IN_ (INT) [0x000cfafc] 0x00000400"
],
"return": "",
"output": []
}
]
},
{
"index": 80,
"start": "0x1001166",
"end": "0x1001169",
"last_instr": "0x1001168",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "85c0", "mnemonic": "test eax, eax" },
{ "offset": 2, "opcode": "7d13", "mnemonic": "jge 0x100117d" }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x00000000 ",
"ECX": "0xb2ac322f ",
"EDX": "0x00000000",
"ESI": "0x010010ac ",
"EDI": "0x00211120 ",
"EBP": "0x000cff0c ",
"ESP": "0x000cfb00",
"eflags": "0x00000246"
},
"type": "jcc"
},
{
"index": 81,
"start": "0x100117d",
"end": "0x1001180",
"last_instr": "0x100117f",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "85db", "mnemonic": "test ebx, ebx" },
{ "offset": 2, "opcode": "7418", "mnemonic": "je 0x1001199" }
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x00000000 ",
"ECX": "0xb2ac322f ",
"EDX": "0x00000000",
"ESI": "0x010010ac ",
"EDI": "0x00211120 ",
"EBP": "0x000cff0c ",
"ESP": "0x000cfb00",
"eflags": "0x00000246"
},
"type": "jcc"
},
{
"index": 82,
"start": "0x1001199",
"end": "0x10011a1",
"last_instr": "0x100119f",
"wave": 1,
"instructions": [
{
"offset": 0,
"opcode": "8d8500fcffff",
"mnemonic": "lea eax, [ebp - 0x400]"
},
{ "offset": 6, "opcode": "8d5001", "mnemonic": "lea edx, [eax + 1]" }
],
"type": "seq"
},
{
"index": 83,
"start": "0x10011a9",
"end": "0x10011bf",
"last_instr": "0x10011ba",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "2bc2", "mnemonic": "sub eax, edx" },
{ "offset": 2, "opcode": "50", "mnemonic": "push eax" },
{
"offset": 3,
"opcode": "8d8500fcffff",
"mnemonic": "lea eax, [ebp - 0x400]"
},
{ "offset": 9, "opcode": "50", "mnemonic": "push eax" },
{
"offset": 10,
"opcode": "8d8500fcffff",
"mnemonic": "lea eax, [ebp - 0x400]"
},
{ "offset": 16, "opcode": "50", "mnemonic": "push eax" },
{
"offset": 17,
"opcode": "ff151c100001",
"mnemonic": "call dword ptr [0x100101c]"
}
],
"registers": {
"EAX": "0x000cfb14 ",
"EBX": "0x00000000 ",
"ECX": "0xb2ac3200 ",
"EDX": "0x000cfb0d",
"ESI": "0x010010ac ",
"EDI": "0x00211120 ",
"EBP": "0x000cff0c ",
"ESP": "0x000cfb00",
"eflags": "0x00000246"
},
"type": "call",
"syscalls": [
{
"name": "USER32.DLL!CharToOemBuffA",
"timestamp": 20.458695,
"arguments": [
"_IN_ (LPCTSTR) [0x000cfaf4] \"lhs-PC1\"",
"_OUT_ (LPSTR) [0x000cfaf8] 0x000cfb0c",
"_IN_ (DWORD) [0x000cfafc] 0x00000007"
],
"return": "TRUE",
"output": ["[0x000cfb0c] \"lhs-PC1\""]
}
]
},
{
"index": 84,
"start": "0x10011c0",
"end": "0x10011cc",
"last_instr": "0x10011c7",
"wave": 1,
"instructions": [
{
"offset": 0,
"opcode": "8d8500fcffff",
"mnemonic": "lea eax, [ebp - 0x400]"
},
{ "offset": 6, "opcode": "50", "mnemonic": "push eax" },
{
"offset": 7,
"opcode": "ff1570100001",
"mnemonic": "call dword ptr [0x1001070]"
}
],
"registers": {
"EAX": "0x00000001 ",
"EBX": "0x00000000 ",
"ECX": "0x000cfb13 ",
"EDX": "0x00000031",
"ESI": "0x010010ac ",
"EDI": "0x00211120 ",
"EBP": "0x000cff0c ",
"ESP": "0x000cfb00",
"eflags": "0x00000202"
},
"type": "call",
"syscalls": [
{
"name": "MSVCRT.DLL!puts",
"timestamp": 20.469856,
"arguments": ["_IN_ (CHAR*) [0x000cfafc] \"lhs-PC1\""],
"return": "0x00000000",
"output": []
}
]
},
{
"index": 85,
"start": "0x10011cd",
"end": "0x10011d5",
"last_instr": "0x10011d0",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "59", "mnemonic": "pop ecx" },
{ "offset": 1, "opcode": "6a00", "mnemonic": "push 0" },
{
"offset": 3,
"opcode": "ff1574100001",
"mnemonic": "call dword ptr [0x1001074]"
}
],
"registers": {
"EAX": "0x00000000 ",
"EBX": "0x00000000 ",
"ECX": "0x75328e62 ",
"EDX": "0x0008e3c8",
"ESI": "0x010010ac ",
"EDI": "0x00211120 ",
"EBP": "0x000cff0c ",
"ESP": "0x000cfafc",
"eflags": "0x00000246"
},
"type": "call",
"syscalls": [
{
"name": "MSVCRT.DLL!exit",
"timestamp": 20.499071,
"arguments": ["_IN_ (INT) [0x000cfafc] 0x00000000"],
"return": "",
"output": []
}
]
},
{
"index": 86,
"start": "0x1005a4b",
"end": "0x1005a50",
"last_instr": "0x1005a4f",
"wave": 0,
"instructions": [
{ "offset": 0, "opcode": "6a00", "mnemonic": "push 0" },
{ "offset": 2, "opcode": "39c4", "mnemonic": "cmp esp, eax" },
{ "offset": 4, "opcode": "75fa", "mnemonic": "jne 0x1005a4b" }
],
"type": "jcc"
},
{
"index": 87,
"start": "0x10011a2",
"end": "0x10011a8",
"last_instr": "0x10011a7",
"wave": 1,
"instructions": [
{ "offset": 0, "opcode": "8a08", "mnemonic": "mov cl, byte ptr [eax]" },
{ "offset": 2, "opcode": "40", "mnemonic": "inc eax" },
{ "offset": 3, "opcode": "84c9", "mnemonic": "test cl, cl" },
{ "offset": 5, "opcode": "75f9", "mnemonic": "jne 0x10011a2" }
],
"type": "jcc"
},
{
"index": 88,
"start": "0x0",
"end": "0x0",
"wave": 0,
"type": "scall",
"function_identifier": "KERNEL32.DLL!LoadLibraryA"
},
{
"index": 89,
"start": "0x0",
"end": "0x0",
"wave": 0,
"type": "scall",
"function_identifier": "KERNEL32.DLL!GetProcAddress"
},
{
"index": 90,
"start": "0x0",
"end": "0x0",
"wave": 0,
"type": "scall",
"function_identifier": "KERNEL32.DLL!GetProcAddressOrdinal"
},
{
"index": 91,
"start": "0x0",
"end": "0x0",
"wave": 0,
"type": "scall",
"function_identifier": "KERNEL32.DLL!VirtualProtect"
},
{
"index": 92,
"start": "0x0",
"end": "0x0",
"wave": 0,
"type": "scall",
"function_identifier": "KERNEL32.DLL!GetModuleHandleA"
},
{
"index": 93,
"start": "0x0",
"end": "0x0",
"wave": 0,
"type": "scall",
"function_identifier": "MSVCRT.DLL!__set_app_type"
},
{
"index": 94,
"start": "0x0",
"end": "0x0",
"wave": 0,
"type": "scall",
"function_identifier": "MSVCRT.DLL!__p__fmode"
},
{
"index": 95,
"start": "0x0",
"end": "0x0",
"wave": 0,
"type": "scall",
"function_identifier": "MSVCRT.DLL!__p__commode"
},
{
"index": 96,
"start": "0x0",
"end": "0x0",
"wave": 0,
"type": "scall",
"function_identifier": "MSVCRT.DLL!_controlfp"
},
{
"index": 97,
"start": "0x0",
"end": "0x0",
"wave": 0,
"type": "scall",
"function_identifier": "MSVCRT.DLL!_initterm"
},
{
"index": 98,
"start": "0x0",
"end": "0x0",
"wave": 0,
"type": "scall",
"function_identifier": "MSVCRT.DLL!__getmainargs"
},
{
"index": 99,
"start": "0x0",
"end": "0x0",
"wave": 0,
"type": "scall",
"function_identifier": "WS2_32.DLL!WSAStartup"
},
{
"index": 100,
"start": "0x0",
"end": "0x0",
"wave": 0,
"type": "scall",
"function_identifier": "WS2_32.DLL!gethostname"
},
{
"index": 101,
"start": "0x0",
"end": "0x0",
"wave": 0,
"type": "scall",
"function_identifier": "USER32.DLL!CharToOemBuffA"
},
{
"index": 102,
"start": "0x0",
"end": "0x0",
"wave": 0,
"type": "scall",
"function_identifier": "MSVCRT.DLL!puts"
},
{
"index": 103,
"start": "0x0",
"end": "0x0",
"wave": 0,
"type": "scall",
"function_identifier": "MSVCRT.DLL!exit"
}
],
"edges": [
{ "src": 0, "dest": 1, "type": "child" },
{ "src": 1, "dest": 3, "type": "child" },
{ "src": 2, "dest": 16, "type": "child" },
{ "src": 3, "dest": 4, "type": "child" },
{ "src": 3, "dest": 2, "type": "child" },
{ "src": 4, "dest": 25, "type": "child" },
{ "src": 5, "dest": 24, "type": "child" },
{ "src": 5, "dest": 6, "type": "child" },
{ "src": 6, "dest": 12, "type": "child" },
{ "src": 6, "dest": 29, "type": "child" },
{ "src": 7, "dest": 28, "type": "child" },
{ "src": 8, "dest": 19, "type": "child" },
{ "src": 8, "dest": 9, "type": "child" },
{ "src": 9, "dest": 30, "type": "child" },
{ "src": 10, "dest": 11, "type": "child" },
{ "src": 10, "dest": 10, "type": "child" },
{ "src": 11, "dest": 16, "type": "child" },
{ "src": 12, "dest": 13, "type": "child" },
{ "src": 12, "dest": 31, "type": "child" },
{ "src": 13, "dest": 29, "type": "child" },
{ "src": 14, "dest": 15, "type": "child" },
{ "src": 14, "dest": 14, "type": "child" },
{ "src": 15, "dest": 16, "type": "child" },
{ "src": 16, "dest": 1, "type": "child" },
{ "src": 16, "dest": 3, "type": "child" },
{ "src": 17, "dest": 18, "type": "child" },
{ "src": 18, "dest": 5, "type": "child" },
{ "src": 18, "dest": 25, "type": "child" },
{ "src": 19, "dest": 9, "type": "child" },
{ "src": 19, "dest": 28, "type": "child" },
{ "src": 20, "dest": 21, "type": "child" },
{ "src": 21, "dest": 22, "type": "child" },
{ "src": 21, "dest": 23, "type": "child" },
{ "src": 22, "dest": 23, "type": "child" },
{ "src": 23, "dest": 7, "type": "child" },
{ "src": 23, "dest": 30, "type": "child" },
{ "src": 24, "dest": 6, "type": "child" },
{ "src": 24, "dest": 25, "type": "child" },
{ "src": 25, "dest": 17, "type": "child" },
{ "src": 25, "dest": 18, "type": "child" },
{ "src": 26, "dest": 27, "type": "child" },
{ "src": 27, "dest": 8, "type": "child" },
{ "src": 27, "dest": 28, "type": "child" },
{ "src": 28, "dest": 26, "type": "child" },
{ "src": 28, "dest": 27, "type": "child" },
{ "src": 29, "dest": 20, "type": "child" },
{ "src": 29, "dest": 21, "type": "child" },
{ "src": 30, "dest": 10, "type": "child" },
{ "src": 30, "dest": 14, "type": "child" },
{ "src": 31, "dest": 34, "type": "child" },
{ "src": 32, "dest": 33, "type": "child" },
{ "src": 33, "dest": 35, "type": "child" },
{ "src": 33, "dest": 34, "type": "child" },
{ "src": 34, "dest": 32, "type": "child" },
{ "src": 35, "dest": 42, "type": "child" },
{ "src": 36, "dest": 88, "type": "child" },
{ "src": 37, "dest": 41, "type": "child" },
{ "src": 38, "dest": 43, "type": "child" },
{ "src": 39, "dest": 40, "type": "child" },
{ "src": 40, "dest": 41, "type": "child" },
{ "src": 41, "dest": 38, "type": "child" },
{ "src": 41, "dest": 42, "type": "child" },
{ "src": 42, "dest": 36, "type": "child" },
{ "src": 42, "dest": 44, "type": "child" },
{ "src": 43, "dest": 89, "type": "child" },
{ "src": 43, "dest": 90, "type": "child" },
{ "src": 44, "dest": 91, "type": "child" },
{ "src": 45, "dest": 91, "type": "child" },
{ "src": 46, "dest": 86, "type": "child" },
{ "src": 47, "dest": 48, "type": "child" },
{ "src": 48, "dest": 49, "type": "child" },
{ "src": 49, "dest": 50, "type": "child" },
{ "src": 50, "dest": 92, "type": "child" },
{ "src": 51, "dest": 52, "type": "child" },
{ "src": 52, "dest": 53, "type": "child" },
{ "src": 53, "dest": 54, "type": "child" },
{ "src": 54, "dest": 55, "type": "child" },
{ "src": 55, "dest": 93, "type": "child" },
{ "src": 56, "dest": 94, "type": "child" },
{ "src": 57, "dest": 95, "type": "child" },
{ "src": 58, "dest": 59, "type": "child" },
{ "src": 59, "dest": 60, "type": "child" },
{ "src": 60, "dest": 61, "type": "child" },
{ "src": 61, "dest": 62, "type": "child" },
{ "src": 62, "dest": 63, "type": "child" },
{ "src": 63, "dest": 96, "type": "child" },
{ "src": 64, "dest": 65, "type": "child" },
{ "src": 65, "dest": 66, "type": "child" },
{ "src": 66, "dest": 97, "type": "child" },
{ "src": 67, "dest": 98, "type": "child" },
{ "src": 68, "dest": 66, "type": "child" },
{ "src": 69, "dest": 70, "type": "child" },
{ "src": 70, "dest": 99, "type": "child" },
{ "src": 71, "dest": 72, "type": "child" },
{ "src": 72, "dest": 73, "type": "child" },
{ "src": 73, "dest": 74, "type": "child" },
{ "src": 74, "dest": 75, "type": "child" },
{ "src": 75, "dest": 76, "type": "child" },
{ "src": 76, "dest": 77, "type": "child" },
{ "src": 77, "dest": 78, "type": "child" },
{ "src": 78, "dest": 79, "type": "child" },
{ "src": 79, "dest": 100, "type": "child" },
{ "src": 80, "dest": 81, "type": "child" },
{ "src": 81, "dest": 82, "type": "child" },
{ "src": 82, "dest": 87, "type": "child" },
{ "src": 83, "dest": 101, "type": "child" },
{ "src": 84, "dest": 102, "type": "child" },
{ "src": 85, "dest": 103, "type": "child" },
{ "src": 86, "dest": 47, "type": "child" },
{ "src": 86, "dest": 86, "type": "child" },
{ "src": 87, "dest": 83, "type": "child" },
{ "src": 87, "dest": 87, "type": "child" },
{ "src": 88, "dest": 37, "type": "child" },
{ "src": 89, "dest": 39, "type": "child" },
{ "src": 90, "dest": 39, "type": "child" },
{ "src": 91, "dest": 45, "type": "child" },
{ "src": 91, "dest": 46, "type": "child" },
{ "src": 92, "dest": 51, "type": "child" },
{ "src": 93, "dest": 56, "type": "child" },
{ "src": 94, "dest": 57, "type": "child" },
{ "src": 95, "dest": 58, "type": "child" },
{ "src": 96, "dest": 64, "type": "child" },
{ "src": 97, "dest": 67, "type": "child" },
{ "src": 97, "dest": 69, "type": "child" },
{ "src": 98, "dest": 68, "type": "child" },
{ "src": 99, "dest": 71, "type": "child" },
{ "src": 100, "dest": 80, "type": "child" },
{ "src": 101, "dest": 84, "type": "child" },
{ "src": 102, "dest": 85, "type": "child" }
]
}