From a9886b9d52c3bce0a4b58805b5597efccc55225a Mon Sep 17 00:00:00 2001
From: itsme
Date: Tue, 6 Jul 2021 19:26:42 +0200
Subject: initial commit
---
README.md | 19 ++
crodump.py | 160 +++++++++++++++++
docs/exe-packer-notes.txt | 436 ++++++++++++++++++++++++++++++++++++++++++++++
hexdump.py | 27 +++
koddecoder.py | 32 ++++
5 files changed, 674 insertions(+)
create mode 100644 README.md
create mode 100644 crodump.py
create mode 100644 docs/exe-packer-notes.txt
create mode 100644 hexdump.py
create mode 100644 koddecoder.py

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..6119860
--- /dev/null
+++ b/README.md
@@ -0,0 +1,19 @@
+# crodump
+
+`crodump.py` is a script which can analyse cronos databases.
+
+There is the `kodump` option, which does low level deobfuscation at arbitrary offsets,
+optionally deobfuscating with all possible `shift` values.
+
+Then the `crodump` option which reads .tad + .dat file pairs, and prints the records found.
+
+
+## supporting modules
+
+ * hexdump.py
+ * koddecoder.py
+
+# packer notes
+
+see docs/exe-packer-notes.txt, notes on the binary packer used by Cronos.exe
+
diff --git a/crodump.py b/crodump.py
new file mode 100644
index 0000000..a2a94a1
--- /dev/null
+++ b/crodump.py
@@ -0,0 +1,160 @@
+import os.path
+import struct
+from binascii import b2a_hex
+from hexdump import hexdump, asasc, tohex
+from koddecoder import kodecode
+"""
+python3 crodump.py crodump chechnya_proverki_ul_2012
+python3 crodump.py kodump -s 6 -o 0x4cc9 -e 0x5d95 chechnya_proverki_ul_2012/CroStru.dat
+"""
+
+class Datafile:
+ def __init__(self, dat, tad):
+ self.dat = dat
+ self.tad = tad
+
+ self.readtad()
+
+ def readtad(self):
+ self.tad.seek(0)
+ hdrdata = self.tad.read(2*4)
+ self.tadhdr = struct.unpack("<2L", hdrdata)
+ indexdata = self.tad.read()
+ self.tadidx = [ struct.unpack_from("<3L", indexdata, 12*_) for _ in range(len(indexdata)//12) ]
+
+ def readdata(self, ofs, size):
+ self.dat.seek(ofs)
+ return self.dat.read(size)
+
+ def dump(self, args, dokodecode=False, plainbytes=0):
+ print("tadhdr: %08x %08x" % tuple(self.tadhdr))
+ for i, (ofs, ln, chk) in enumerate(self.tadidx):
+ if ln==0xFFFFFFFF:
+ print("%5d: %08x %08x %08x" % (i, ofs, ln, chk))
+ continue
+ flags = ln>>24
+ ln &= 0xFFFFFFF
+ dat = self.readdata(ofs, ln)
+ plain = b''
+ if dokodecode and not args.nokod:
+ plain = dat[:plainbytes]
+ dat = kodecode(i+1, dat[plainbytes:])
+ if args.ascdump:
+ print("%5d: %08x-%08x: (%02x:%08x) %s %s" % (i, ofs, ofs+ln, flags, chk, tohex(plain), asasc(dat)))
+ else:
+ print("%5d: %08x-%08x: (%02x:%08x) %s %s" % (i, ofs, ofs+ln, flags, chk, tohex(plain), tohex(dat)))
+
+class Database:
+ def __init__(self, dbdir):
+ self.dbdir = dbdir
+
+ self.stru = self.getfile("Stru")
+ self.index = self.getfile("Index")
+ self.bank = self.getfile("Bank")
+ self.sys = self.getfile("Sys")
+
+ def getfile(self, name):
+ try:
+ return Datafile(open(self.getname(name, "dat"), "rb"), open(self.getname(name, "tad"), "rb"))
+ except IOError:
+ return
+
+ def getname(self, name, ext):
+ return os.path.join(self.dbdir, "Cro%s.%s" % (name, ext))
+
+
+def decode_kod(args, data):
+ """
+ various methods of hexdumping KOD decoded data.
+ """
+ if args.nokod:
+ # plain hexdump, no KOD decode
+ hexdump(args.offset, data)
+ elif args.shift:
+ # explicitly specified shift.
+ args.shift = int(args.shift, 0)
+ enc = kodecode(args.shift, data)
+ hexdump(args.offset, enc)
+ else:
+ # output with all possible 'shift' values.
+ for s in range(256):
+ enc = kodecode(s, data)
+ if args.ascdump:
+ print("%02x: %s" % (s, asasc(enc)))
+ else:
+ print("%02x: %s" % (s, tohex(enc)))
+
+
+
+def kod_hexdump(args):
+ """
+ KOD decode a section of a data file
+ """
+ args.offset = int(args.offset, 0)
+ if args.length:
+ args.length = int(args.length, 0)
+ elif args.endofs:
+ args.endofs = int(args.endofs, 0)
+ args.length = args.endofs - args.offset
+
+ if args.filename:
+ with open(args.filename, "rb") as fh:
+ fh.seek(args.offset)
+ data = fh.read(args.length)
+ decode_kod(args, data)
+ else:
+ # no filename -> read from stdin.
+ import sys
+ data = sys.stdin.buffer.read()
+ decode_kod(args, data)
+
+
+def cro_dump(args):
+ db = Database(args.dbdir)
+
+ if db.stru:
+ print("stru")
+ db.stru.dump(args, dokodecode=True)
+ if db.index:
+ print("index")
+ db.index.dump(args)
+ if db.bank:
+ print("bank")
+ db.bank.dump(args)
+ if db.sys:
+ print("sys")
+ db.sys.dump(args, dokodecode=True, plainbytes=8)
+
+
+def main():
+ import argparse
+ parser = argparse.ArgumentParser(description='CRO hexdumper')
+ subparsers = parser.add_subparsers()
+ parser.set_defaults(handler=None)
+
+ ko = subparsers.add_parser('kodump', help='KOD dumper')
+ ko.add_argument('--offset', '-o', type=str, default="0")
+ ko.add_argument('--length', '-l', type=str)
+ ko.add_argument('--endofs', '-e', type=str)
+ ko.add_argument('--shift', '-s', type=str)
+ ko.add_argument('--ascdump', '-a', action='store_true')
+ ko.add_argument('--nokod', '-n', action='store_true')
+ ko.add_argument('filename', type=str, nargs='?')
+ ko.set_defaults(handler=kod_hexdump)
+
+ cro = subparsers.add_parser('crodump', help='CROdumper')
+ cro.add_argument('--kodecode', '-k', action='store_true')
+ cro.add_argument('--ascdump', '-a', action='store_true')
+ cro.add_argument('--nokod', '-n', action='store_true')
+ cro.add_argument('dbdir', type=str)
+ cro.set_defaults(handler=cro_dump)
+
+ args = parser.parse_args()
+
+ if args.handler:
+ args.handler(args)
+
+
+if __name__=='__main__':
+ main()
+
diff --git a/docs/exe-packer-notes.txt b/docs/exe-packer-notes.txt
new file mode 100644
index 0000000..d1a33a0
--- /dev/null
+++ b/docs/exe-packer-notes.txt
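Review bot: In `Datafile.dump`, `ofs` and `ln` are taken straight from the .tad index and used unchecked: after `ln &= 0xFFFFFFF` a single corrupt or crafted entry can ask `readdata` for a 256 MiB read, and a short read from `self.dat.read(size)` is accepted silently, so the printed `ofs-ofs+ln` range no longer matches the bytes actually dumped. Record the data file size once in `__init__`, `self.datsize = os.fstat(self.dat.fileno()).st_size`, and guard the read with `if ofs + ln > self.datsize: print("%5d: %08x-%08x: beyond end of .dat, skipped" % (i, ofs, ofs+ln)); continue`. Separately, `Database.getfile` opens the .dat file before the .tad file, so when only the second `open` raises the first handle is never closed, and `except IOError: return` also turns a permission error into a silently missing file; opening the .tad first inside the `try` and closing it on failure, or narrowing to `except FileNotFoundError`, would make that explicit. The `--kodecode`/`-k` option is parsed in `main` but never read anywhere in the hunk; `dump` decides on its `dokodecode` parameter and `args.nokod` only.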
@@ -0,0 +1,436 @@
+37491b1b85fdf3969c45e83aa2d205ed = md5(plus/Cronos.exe)
+
+dump -o 0x314f7b -4 -l 0x810 plus/Cronos.exe
+
+0x100000000-0x1947A71E = 0xE6B858E2
+
+add 4C27824Bh
+sub 47878428h
+sub 1DE7A541h
+
+
+seg000:00401000 start proc near
+seg000:00401000 push offset loc_F82001
+seg000:00401005 call nullsub_1
+seg000:0040100A retn
+seg000:0040100B nullsub_1:
+seg000:0040100B retn
+
+.data:00F82001
+.data:00F82001 loc_F82001: ; DATA XREF: start↑o
+.data:00F82001 60 pusha
+.data:00F82002 E8 03 00 00 00 call loc_F8200A
+
+.data:00F82008 EB 04 jmp short loc_F8200E
+.data:00F8200A
+.data:00F8200A loc_F8200A: ; CODE XREF: .data:00F82002↑j
+.data:00F8200A 5D pop ebp
+.data:00F8200B 45 inc ebp
+.data:00F8200C 55 push ebp ; skips '0xE9' at 00F82007
+.data:00F8200D C3 retn
+.data:00F8200E
+.data:00F8200E loc_F8200E: ; CODE XREF: .data:00F82008↑j
+.data:00F8200E E8 01 00 00 00 call loc_F82014
+
+.data:00F82014
+.data:00F82014 loc_F82014: ; CODE XREF: .data:loc_F8200E↑j
+.data:00F82014 5D pop ebp
+.data:00F82015 BB ED FF FF FF mov ebx, -13h
+.data:00F8201A 03 DD add ebx, ebp ; -> ebx = 0xf82000
+.data:00F8201C 81 EB 00 20 B8 00 sub ebx, 0B82000h ; -> 0x400000
+.data:00F82022 80 7D 4D 01 cmp ss:(byte_F82060 - 0F82013h)[ebp], 1
+.data:00F82026 75 0C jnz short loc_F82034
+.data:00F82028 8B 74 24 28 mov esi, [esp+28h]
+.data:00F8202C 83 FE 01 cmp esi, 1
+.data:00F8202F 89 5D 4E mov ss:(dword_F82061 - 0F82013h)[ebp], ebx
+.data:00F82032 75 31 jnz short loc_F82065
+.data:00F82034
+.data:00F82034 loc_F82034: ; CODE XREF: .data:00F82026↑j
+.data:00F82034 8D 45 53 lea eax, (loc_F82065+1 - 0F82013h)[ebp]
+.data:00F82037 50 push eax
+.data:00F82038 53 push ebx
+.data:00F82039 FF B5 E9 09 00 00 push ss:(GetModuleHandleA - 0F82013h)[ebp]
+.data:00F8203F 8D 45 35 lea eax, (dword_F82048 - 0F82013h)[ebp]
+.data:00F82042 50 push eax
+.data:00F82043 E9 82 00 00 00 jmp loc_F820CA
+
+.data:00F820CA
+.data:00F820CA loc_F820CA: ; CODE XREF: .data:00F82043↑j
+.data:00F820CA 66 8B F8 mov di, ax ; ----- ignore
+.data:00F820CD E8 13 00 00 00 call loc_F820E5
+
+.data:00F820E5
+.data:00F820E5 loc_F820E5: ; CODE XREF: .data:00F820CD↑p
+.data:00F820E5 E9 0D 00 00 00 jmp loc_F820F7
+
+.data:00F820F7
+.data:00F820F7 loc_F820F7: ; CODE XREF: .data:loc_F820E5↑j
+.data:00F820F7 59 pop ecx ; -> 00F820D2
+.data:00F820F8 66 8B D6 mov dx, si ; ----------- ignore
+.data:00F820FB
+.data:00F820FB loc_F820FB: ; CODE XREF: .data:00F8211A↓j
+.data:00F820FB 81 C1 AF 08 00 00 add ecx, 8AFh ; -> 00F82981
+.data:00F82101 68 FF 01 00 00 push 1FFh
+.data:00F82106 58 pop eax
+.data:00F82107 E8 14 00 00 00 call loc_F82120 ; ecx = ptr = caller+0x8af, eax = size = 0x1ff
+.data:00F82107 ;
+.data:00F82107 ; caller = 00F820D2 -> data is at 00F82981
+.data:00F82107 ;
+.data:00F82107 ; 00F82185-00F82981 file: 00315781
+
+
+.data:00F82120
+.data:00F82120 loc_F82120: ; CODE XREF: .data:00F82107↑p
+.data:00F82120 5A pop edx ; -> 00F8210C
+.data:00F82121
+.data:00F82121 loc_F82121: ; CODE XREF: .data:loc_F82176↓j
+.data:00F82121 8B 19 mov ebx, [ecx]
+.data:00F82123 0F BF F1 movsx esi, cx ; ----- ignore
+.data:00F82126 81 C3 4B 82 27 4C add ebx, 4C27824Bh
+.data:00F8212C 81 EB 28 84 87 47 sub ebx, 47878428h
+.data:00F82132 0F B7 D2 movzx edx, dx ; ----- ignore
+.data:00F82135 81 EB 41 A5 E7 1D sub ebx, 1DE7A541h ; -0x627F3C40
+.data:00F8213B 66 81 E2 D5 9C and dx, 9CD5h ; ----- ignore
+.data:00F82140 89 19 mov [ecx], ebx
+.data:00F82142 80 D2 B7 adc dl, 0B7h ; '·' ; ----- ignore
+.data:00F82145 81 E9 8D 91 24 67 sub ecx, 6724918Dh
+.data:00F8214B 66 8B F1 mov si, cx ; ----- ignore
+.data:00F8214E 81 C1 89 91 24 67 add ecx, 67249189h ; -4
+.data:00F82154 0F BF F8 movsx edi, ax ; ----- ignore
+.data:00F82157 83 E8 01 sub eax, 1
+.data:00F8215A 0F 85 0E 00 00 00 jnz loc_F8216E
+.data:00F82160 8B D0 mov edx, eax
+.data:00F82162 E9 22 00 00 00 jmp near ptr unk_F82189
+
+.data:00F8216E
+.data:00F8216E loc_F8216E: ; CODE XREF: .data:00F8215A↑j
+.data:00F8216E 0F 80 02 00 00 00 jo loc_F82176
+.data:00F82174 53 push ebx
+.data:00F82175 5E pop esi
+.data:00F82176
+.data:00F82176 loc_F82176: ; CODE XREF: .data:loc_F8216E↑j
+.data:00F82176 E9 A6 FF FF FF jmp loc_F82121
+
+
+.data:00F82048 00 00 00 00 dword_F82048 dd 0 ; DATA XREF: .data:00F8203F↑o
+.data:00F82048 ; .data:00F8209B↓r ...
+.data:00F8204C 00 00 00 00 dd 0
+.data:00F82050 00 00 00 00 dword_F82050 dd 0 ; DATA XREF: .data:00F820B1↓r
+.data:00F82054 00 00 00 00 dword_F82054 dd 0 ; DATA XREF: .data:00F82092↓r
+.data:00F82058 00 00 00 00 dd 0
+.data:00F8205C 00 00 00 00 dd 0
+.data:00F82060 00 byte_F82060 db 0 ; DATA XREF: .data:00F82022↑r
+.data:00F82061 00 00 00 00 dword_F82061 dd 0 ; DATA XREF: .data:00F8202F↑w
+.data:00F82061 ; .data:00F8206C↓r ...
+.data:00F82065
+.data:00F82065 loc_F82065: ; CODE XREF: .data:00F82032↑j
+.data:00F82065 ; DATA XREF: .data:loc_F82034↑o
+.data:00F82065 B8 F8 C0 A5 23 mov eax, 23A5C0F8h
+.data:00F8206A 50 push eax
+.data:00F8206B 50 push eax
+.data:00F8206C 03 45 4E add eax, ss:(dword_F82061 - 0F82013h)[ebp]
+.data:00F8206F 5B pop ebx
+.data:00F82070 85 C0 test eax, eax
+.data:00F82072 74 1C jz short loc_F82090
+.data:00F82074 EB 01 jmp short loc_F82077
+
+.data:00F82077
+.data:00F82077 loc_F82077: ; CODE XREF: .data:00F82074↑j
+.data:00F82077 81 FB F8 C0 A5 23 cmp ebx, 23A5C0F8h
+.data:00F8207D 74 35 jz short loc_F820B4
+.data:00F8207F 33 D2 xor edx, edx
+.data:00F82081 56 push esi
+.data:00F82082 6A 00 push 0
+.data:00F82084 56 push esi
+.data:00F82085 FF 75 4E push ss:(dword_F82061 - 0F82013h)[ebp]
+.data:00F82088 FF D0 call eax
+.data:00F8208A 5E pop esi
+.data:00F8208B 83 FE 00 cmp esi, 0
+.data:00F8208E 75 24 jnz short loc_F820B4
+.data:00F82090
+.data:00F82090 loc_F82090: ; CODE XREF: .data:00F82072↑j
+.data:00F82090 33 D2 xor edx, edx
+.data:00F82092 8B 45 41 mov eax, ss:(dword_F82054 - 0F82013h)[ebp]
+.data:00F82095 85 C0 test eax, eax
+.data:00F82097 74 07 jz short loc_F820A0
+.data:00F82099 52 push edx
+.data:00F8209A 52 push edx
+.data:00F8209B FF 75 35 push ss:(dword_F82048 - 0F82013h)[ebp]
+.data:00F8209E FF D0 call eax
+.data:00F820A0
+.data:00F820A0 loc_F820A0: ; CODE XREF: .data:00F82097↑j
+.data:00F820A0 8B 45 35 mov eax, ss:(dword_F82048 - 0F82013h)[ebp]
+.data:00F820A3 85 C0 test eax, eax
+.data:00F820A5 74 0D jz short loc_F820B4
+.data:00F820A7 68 00 80 00 00 push 8000h
+.data:00F820AC 6A 00 push 0
+.data:00F820AE FF 75 35 push ss:(dword_F82048 - 0F82013h)[ebp]
+.data:00F820B1 FF 55 3D call ss:(dword_F82050 - 0F82013h)[ebp]
+.data:00F820B4
+.data:00F820B4 loc_F820B4: ; CODE XREF: .data:00F8207D↑j
+.data:00F820B4 ; .data:00F8208E↑j ...
+.data:00F820B4 5B pop ebx
+.data:00F820B5 0B DB or ebx, ebx
+.data:00F820B7 61 popa
+.data:00F820B8 75 06 jnz short loc_F820C0
+.data:00F820BA 6A 01 push 1
+.data:00F820BC 58 pop eax
+.data:00F820BD C2 0C 00 retn 0Ch
+.data:00F820C0
+.data:00F820C0 loc_F820C0: ; CODE XREF: .data:00F820B8↑j
+.data:00F820C0 33 C0 xor eax, eax
+.data:00F820C2 F7 D8 neg eax
+.data:00F820C4 1B C0 sbb eax, eax
+.data:00F820C6 40 inc eax
+.data:00F820C7 C2 0C 00 retn 0Ch
+
+
+
+
+.data:00F82007 E9 db 0E9h ; é
+
+.data:00F82013 EB db 0EBh ; ë
+
+.data:00F82076 E8 db 0E8h ; è
+
+
+.data:00F820D2 1F db 1Fh
+.data:00F820D3 6C db 6Ch ; l
+.data:00F820D4 35 db 35h ; 5
+.data:00F820D5 CA db 0CAh ; Ê
+.data:00F820D6 3B db 3Bh ; ;
+.data:00F820D7 58 db 58h ; X
+.data:00F820D8 B1 db 0B1h ; ±
+.data:00F820D9 96 db 96h ; –
+.data:00F820DA 17 db 17h
+.data:00F820DB 04 db 4
+.data:00F820DC ED db 0EDh ; í
+.data:00F820DD 22 db 22h ; "
+.data:00F820DE B3 db 0B3h ; ³
+.data:00F820DF 70 db 70h ; p
+.data:00F820E0 E9 db 0E9h ; é
+.data:00F820E1 6E db 6Eh ; n
+.data:00F820E2 0F db 0Fh
+.data:00F820E3 9C db 9Ch ; œ
+.data:00F820E4 A5 db 0A5h ; ¥
+
+
+
+.data:00F820EA 21 db 21h ; !
+.data:00F820EB 46 db 46h ; F
+.data:00F820EC 07 db 7
+.data:00F820ED 34 db 34h ; 4
+.data:00F820EE 5D db 5Dh ; ]
+.data:00F820EF D2 db 0D2h ; Ò
+.data:00F820F0 A3 db 0A3h ; £
+.data:00F820F1 A0 db 0A0h ;  
+.data:00F820F2 59 db 59h ; Y
+.data:00F820F3 1E db 1Eh
+.data:00F820F4 FF db 0FFh ; ÿ
+.data:00F820F5 CC db 0CCh ; Ì
+.data:00F820F6 15 db 15h
+
+
+.data:00F8210C FC db 0FCh ; ü
+.data:00F8210D 85 db 85h ; …
+.data:00F8210E DA db 0DAh ; Ú
+.data:00F8210F 0B db 0Bh
+.data:00F82110 E8 db 0E8h ; è
+.data:00F82111 01 db 1
+.data:00F82112 A6 db 0A6h ; ¦
+.data:00F82113 E7 db 0E7h ; ç
+.data:00F82114 94 db 94h ; ”
+.data:00F82115 3D db 3Dh ; =
+.data:00F82116 32 db 32h ; 2
+.data:00F82117 83 db 83h ; ƒ
+.data:00F82118 00 db 0
+.data:00F82119 39 db 39h ; 9
+.data:00F8211A 7E db 7Eh ; ~
+.data:00F8211B DF db 0DFh ; ß
+.data:00F8211C 2C db 2Ch ; ,
+.data:00F8211D F5 db 0F5h ; õ
+.data:00F8211E 8A db 8Ah ; Š
+.data:00F8211F FB db 0FBh ; û
+
+
+
+.data:00F82167 43 db 43h ; C
+.data:00F82168 C0 db 0C0h ; À
+.data:00F82169 F9 db 0F9h ; ù
+.data:00F8216A 3E db 3Eh ; >
+.data:00F8216B 9F db 9Fh ; Ÿ
+.data:00F8216C EC db 0ECh ; ì
+.data:00F8216D B5 db 0B5h ; µ
+
+.data:00F8217B EE db 0EEh ; î
+.data:00F8217C 8F db 8Fh
+.data:00F8217D 1C db 1Ch
+.data:00F8217E 25 db 25h ; %
+.data:00F8217F FA db 0FAh ; ú
+.data:00F82180 AB db 0ABh ; «
+.data:00F82181 08 db 8
+.data:00F82182 A1 db 0A1h ; ¡
+.data:00F82183 C6 db 0C6h ; Æ
+.data:00F82184 87 db 87h ; ‡
+.data:00F82185 B4 db 0B4h ; ´
+.data:00F82186 DD db 0DDh ; Ý
+.data:00F82187 52 db 52h ; R
+.data:00F82188 23 db 23h ; #
+.data:00F82189 84 unk_F82189 db 84h ; „ ; CODE XREF: .data:00F82162↑j
+.data:00F8218A 28 db 28h ; (
+
+
+
+
+----------------
+wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow);
+
+[esp+2c] arg: pCmdLine
+[esp+28] arg: nCmdShow
+[esp+24] caller address
+[esp+20] EAX
+[esp+1c] ECX
+[esp+18] EDX
+[esp+14] EBX
+[esp+10] ESP == esp+20
+[esp+c] EBP
+[esp+8] ESI
+[esp+4] EDI
+[esp]
+
+
+loc_F82001: ; DATA XREF: start↑o
+ pusha
+ call loc_F82014
+loc_F82014: ; CODE XREF: .data:loc_F8200E↑j
+ pop ebp
+ mov ebx, -13h
+ add ebx, ebp ; -> ebx = 0xf82000
+ sub ebx, 0B82000h ; -> 0x400000
+ cmp ss:(byte_F82060 - 0F82013h)[ebp], 1
+ jnz short loc_F82034
+ mov esi, [esp+28h]
+ cmp esi, 1
+ mov ss:(dword_F82061 - 0F82013h)[ebp], ebx
+ jnz short loc_F82065
+
+loc_F82034: ; CODE XREF: .data:00F82026↑j
+ lea eax, (loc_F82065+1 - 0F82013h)[ebp]
+ push eax
+ push ebx
+ push ss:(GetModuleHandleA - 0F82013h)[ebp]
+ lea eax, (dword_F82048 - 0F82013h)[ebp]
+ push eax
+
+ lea ecx, 00F820D2h
+ add ecx, 8AFh ; -> 00F82981
+ push 1FFh
+ pop eax
+ ; ecx = ptr = caller+0x8af, eax = size = 0x1ff
+ ;
+ ; caller = 00F820D2 -> data is at 00F82981
+ ;
+ ; 00F82185-00F82981 file: 00315781
+
+ lea edx, 00F8210Ch
+
+loc_F82121: ; CODE XREF: .data:loc_F82176↓j
+ mov ebx, [ecx]
+ add ebx, 4C27824Bh
+ sub ebx, 47878428h
+ sub ebx, 1DE7A541h ; -0x627F3C40
+ mov [ecx], ebx
+ sub ecx, 6724918Dh
+ add ecx, 67249189h ; -4
+ sub eax, 1
+ jnz loc_F8216E
+ mov edx, eax
+ jmp near ptr unk_F82189
+
+
+loc_F8216E: ; CODE XREF: .data:00F8215A↑j
+ jo loc_F82176
+ push ebx
+ pop esi
+
+loc_F82176: ; CODE XREF: .data:loc_F8216E↑j
+ jmp loc_F82121
+
+
+
+
+dword_F82048 dd 0 ; DATA XREF: .data:00F8203F↑o
+ ; .data:00F8209B↓r ...
+ dd 0
+dword_F82050 dd 0 ; DATA XREF: .data:00F820B1↓r
+dword_F82054 dd 0 ; DATA XREF: .data:00F82092↓r
+ dd 0
+ dd 0
+byte_F82060 db 0 ; DATA XREF: .data:00F82022↑r
+dword_F82061 dd 0 ; DATA XREF: .data:00F8202F↑w
+ ; .data:00F8206C↓r ...
+
+loc_F82065: ; CODE XREF: .data:00F82032↑j
+ ; DATA XREF: .data:loc_F82034↑o
+ mov eax, 23A5C0F8h
+ push eax
+ push eax
+ add eax, ss:(dword_F82061 - 0F82013h)[ebp]
+ pop ebx
+ test eax, eax
+ jz short loc_F82090
+ jmp short loc_F82077
+
+
+loc_F82077: ; CODE XREF: .data:00F82074↑j
+ cmp ebx, 23A5C0F8h
+ jz short loc_F820B4
+ xor edx, edx
+ push esi
+ push 0
+ push esi
+ push ss:(dword_F82061 - 0F82013h)[ebp]
+ call eax
+ pop esi
+ cmp esi, 0
+ jnz short loc_F820B4
+
+loc_F82090: ; CODE XREF: .data:00F82072↑j
+ xor edx, edx
+ mov eax, ss:(dword_F82054 - 0F82013h)[ebp]
+ test eax, eax
+ jz short loc_F820A0
+ push edx
+ push edx
+ push ss:(dword_F82048 - 0F82013h)[ebp]
+ call eax
+
+loc_F820A0: ; CODE XREF: .data:00F82097↑j
+ mov eax, ss:(dword_F82048 - 0F82013h)[ebp]
+ test eax, eax
+ jz short loc_F820B4
+ push 8000h
+ push 0
+ push ss:(dword_F82048 - 0F82013h)[ebp]
+ call ss:(dword_F82050 - 0F82013h)[ebp]
+
+loc_F820B4: ; CODE XREF: .data:00F8207D↑j
+ ; .data:00F8208E↑j ...
+ pop ebx
+ or ebx, ebx
+ popa
+ jnz short loc_F820C0
+ push 1
+ pop eax
+ retn 0Ch
+
+loc_F820C0: ; CODE XREF: .data:00F820B8↑j
+ xor eax, eax
+ neg eax
+ sbb eax, eax
+ inc eax
+ retn 0Ch
+
+
+
+
diff --git a/hexdump.py b/hexdump.py
new file mode 100644
index 0000000..c119b16
--- /dev/null
+++ b/hexdump.py
@@ -0,0 +1,27 @@
+import struct
+from binascii import b2a_hex
+"""
+Simple hexdump, 16 bytes per line with offset.
+"""
+
+def ashex(line):
+ return " ".join("%02x" % _ for _ in line)
+def aschr(b):
+ if 32<=b<0x7f:
+ return "%c" % b
+ elif 0x80<=b<=0xff:
+ try:
+ c = struct.pack("