; Analyst notes followed by an IDA listing (32-bit x86, Intel operand order)
; of the entry stub of plus/Cronos.exe. The stub executes from the .data
; section, finds its own address with call/pop pairs, rewrites 0x1FF dwords
; in place and then jumps into the rewritten bytes.
; NOTE(review): the stub writes to 00F82189..00F82984 and then executes
; there, so this section has to be writable and executable at run time; an
; entry point that lands in such a section is a useful triage signal.
; NOTE(review): the opening bytes 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01
; look like the entry pattern commonly signatured as ASPack 2.x - confirm
; with a packer identifier before relying on it.
37491b1b85fdf3969c45e83aa2d205ed = md5(plus/Cronos.exe)
; NOTE(review): with the mapping noted further down (VA 00F82981 <-> file
; 00315781), offset 0x314f7b is VA 00F8217B and the 0x810-byte window ends at
; VA 00F8298A. The first rewritten dword (VA 00F82189) then sits 0xE bytes
; into the window, i.e. not on a 4-byte boundary from its start - verify
; before transforming the dump dword by dword.
dump -o 0x314f7b -4 -l 0x810 plus/Cronos.exe
; Net effect of the three constants below, modulo 2^32:
;   +4C27824Bh - 47878428h - 1DE7A541h = -1947A71Eh = +0E6B858E2h
0x100000000-0x1947A71E = 0xE6B858E2
add 4C27824Bh
sub 47878428h
sub 1DE7A541h
; PE entry point: push / call-to-bare-retn / retn is an indirect jump to
; loc_F82001 that leaves the stack exactly as it was on entry.
seg000:00401000 start proc near
seg000:00401000 push offset loc_F82001
seg000:00401005 call nullsub_1
seg000:0040100A retn
seg000:0040100B nullsub_1:
seg000:0040100B retn
.data:00F82001
.data:00F82001 loc_F82001: ; DATA XREF: start↑o
.data:00F82001 60 pusha ; save all eight GPRs (20h bytes), restored by popa at loc_F820B4
.data:00F82002 E8 03 00 00 00 call loc_F8200A ; pushes 00F82007, the address of a stray E9 byte
.data:00F82008 EB 04 jmp short loc_F8200E
.data:00F8200A
.data:00F8200A loc_F8200A: ; CODE XREF: .data:00F82002↑j
.data:00F8200A 5D pop ebp ; ebp = 00F82007
.data:00F8200B 45 inc ebp ; ebp = 00F82008
.data:00F8200C 55 push ebp ; skips '0xE9' at 00F82007
.data:00F8200D C3 retn ; resumes at 00F82008; a linear sweep would decode the E9 as a jmp
.data:00F8200E
.data:00F8200E loc_F8200E: ; CODE XREF: .data:00F82008↑j
.data:00F8200E E8 01 00 00 00 call loc_F82014 ; pushes 00F82013 and steps over the stray EB byte there
.data:00F82014
.data:00F82014 loc_F82014: ; CODE XREF: .data:loc_F8200E↑j
.data:00F82014 5D pop ebp ; ebp = 00F82013: base for every (sym - 0F82013h)[ebp] operand below
.data:00F82015 BB ED FF FF FF mov ebx, -13h
.data:00F8201A 03 DD add ebx, ebp ; -> ebx = 0xf82000
.data:00F8201C 81 EB 00 20 B8 00 sub ebx, 0B82000h ; -> 0x400000
.data:00F82022 80 7D 4D 01 cmp ss:(byte_F82060 - 0F82013h)[ebp], 1 ; flag byte, 0 in the file image
.data:00F82026 75 0C jnz short loc_F82034
; Every call/pop pair above is balanced, so esp is back at its post-pusha
; value: [esp+20h] is the return address present at entry and [esp+28h] the
; second stack argument.
; NOTE(review): a 3-dword stdcall frame (the stub exits with retn 0Ch) whose
; second argument is compared with 1 looks like a DllMain-style reason
; check - confirm under a debugger.
.data:00F82028 8B 74 24 28 mov esi, [esp+28h]
.data:00F8202C 83 FE 01 cmp esi, 1
.data:00F8202F 89 5D 4E mov ss:(dword_F82061 - 0F82013h)[ebp], ebx ; store 0x400000; mov leaves the cmp flags intact
.data:00F82032 75 31 jnz short loc_F82065
.data:00F82034
; Four dwords are left on the stack for whatever runs after the rewrite:
; the address of the imm32 inside "mov eax, 23A5C0F8h" (loc_F82065+1), the
; value 0x400000, the contents of the GetModuleHandleA slot and the address
; of dword_F82048. How they are consumed is not visible in this listing.
.data:00F82034 loc_F82034: ; CODE XREF: .data:00F82026↑j
.data:00F82034 8D 45 53 lea eax, (loc_F82065+1 - 0F82013h)[ebp]
.data:00F82037 50 push eax
.data:00F82038 53 push ebx
.data:00F82039 FF B5 E9 09 00 00 push ss:(GetModuleHandleA - 0F82013h)[ebp]
.data:00F8203F 8D 45 35 lea eax, (dword_F82048 - 0F82013h)[ebp]
.data:00F82042 50 push eax
.data:00F82043 E9 82 00 00 00 jmp loc_F820CA
.data:00F820CA
.data:00F820CA loc_F820CA: ; CODE XREF: .data:00F82043↑j
.data:00F820CA 66 8B F8 mov di, ax ; ----- ignore
.data:00F820CD E8 13 00 00 00 call loc_F820E5 ; pushes 00F820D2; the bytes up to 00F820E4 are jumped over
.data:00F820E5
.data:00F820E5 loc_F820E5: ; CODE XREF: .data:00F820CD↑p
.data:00F820E5 E9 0D 00 00 00 jmp loc_F820F7
.data:00F820F7
.data:00F820F7 loc_F820F7: ; CODE XREF: .data:loc_F820E5↑j
.data:00F820F7 59 pop ecx ; -> 00F820D2
.data:00F820F8 66 8B D6 mov dx, si ; ----------- ignore
.data:00F820FB
.data:00F820FB loc_F820FB: ; CODE XREF: .data:00F8211A↓j
.data:00F820FB 81 C1 AF 08 00 00 add ecx, 8AFh ; -> 00F82981
.data:00F82101 68 FF 01 00 00 push 1FFh
.data:00F82106 58 pop eax
.data:00F82107 E8 14 00 00 00 call loc_F82120 ; ecx = ptr = caller+0x8af, eax = size = 0x1ff
.data:00F82107 ;
.data:00F82107 ; caller = 00F820D2 -> data is at 00F82981
.data:00F82107 ;
.data:00F82107 ; 00F82185-00F82981 file: 00315781
; eax counts dwords, not bytes. ecx steps down by 4 from 00F82981, so the
; dwords touched start at 00F82189 .. 00F82981 (bytes 00F82189..00F82984,
; 7FCh bytes); 00F82185 is only the value ecx holds after the last pass.
.data:00F82120
.data:00F82120 loc_F82120: ; CODE XREF: .data:00F82107↑p
.data:00F82120 5A pop edx ; -> 00F8210C
.data:00F82121
; Rewrite loop: each dword has 1947A71Eh subtracted (mod 2^32) and is
; stored back in place; the lines marked "ignore" are filler.
.data:00F82121 loc_F82121: ; CODE XREF: .data:loc_F82176↓j
.data:00F82121 8B 19 mov ebx, [ecx]
.data:00F82123 0F BF F1 movsx esi, cx ; ----- ignore
.data:00F82126 81 C3 4B 82 27 4C add ebx, 4C27824Bh
.data:00F8212C 81 EB 28 84 87 47 sub ebx, 47878428h
.data:00F82132 0F B7 D2 movzx edx, dx ; ----- ignore
.data:00F82135 81 EB 41 A5 E7 1D sub ebx, 1DE7A541h ; -0x627F3C40
; NOTE(review): the "-0x627F3C40" annotation does not follow from the three
; constants shown; they sum to -1947A71Eh, which is what the header note
; (0x100000000-0x1947A71E = 0xE6B858E2) states.
.data:00F8213B 66 81 E2 D5 9C and dx, 9CD5h ; ----- ignore
.data:00F82140 89 19 mov [ecx], ebx
.data:00F82142 80 D2 B7 adc dl, 0B7h ; '·' ; ----- ignore
.data:00F82145 81 E9 8D 91 24 67 sub ecx, 6724918Dh
.data:00F8214B 66 8B F1 mov si, cx ; ----- ignore
.data:00F8214E 81 C1 89 91 24 67 add ecx, 67249189h ; -4
.data:00F82154 0F BF F8 movsx edi, ax ; ----- ignore
.data:00F82157 83 E8 01 sub eax, 1
.data:00F8215A 0F 85 0E 00 00 00 jnz loc_F8216E ; more dwords left
.data:00F82160 8B D0 mov edx, eax ; eax is 0 here
.data:00F82162 E9 22 00 00 00 jmp near ptr unk_F82189 ; run the lowest rewritten dword
.data:00F8216E
.data:00F8216E loc_F8216E: ; CODE XREF: .data:00F8215A↑j
.data:00F8216E 0F 80 02 00 00 00 jo loc_F82176 ; OF comes from "sub eax, 1"; never set for counts 1FFh..1
.data:00F82174 53 push ebx
.data:00F82175 5E pop esi
.data:00F82176
.data:00F82176 loc_F82176: ; CODE XREF: .data:loc_F8216E↑j
.data:00F82176 E9 A6 FF FF FF jmp loc_F82121 ; back edge of the dword-rewrite loop
; Stub variables, all zero in the file image. Uses visible in this listing:
;   dword_F82048  its address is pushed at 00F8203F; its value is the first
;                 argument of both cleanup calls below
;   dword_F82050  pointer called as f(dword_F82048, 0, 8000h)
;   dword_F82054  pointer called as f(dword_F82048, 0, 0)
;   byte_F82060   flag compared with 1 at 00F82022
;   dword_F82061  receives the value 0x400000 at 00F8202F
; NOTE(review): nothing shown here writes the first four; presumably the
; rewritten code at 00F82189 fills them - confirm.
.data:00F82048 00 00 00 00 dword_F82048 dd 0 ; DATA XREF: .data:00F8203F↑o
.data:00F82048 ; .data:00F8209B↓r ...
.data:00F8204C 00 00 00 00 dd 0
.data:00F82050 00 00 00 00 dword_F82050 dd 0 ; DATA XREF: .data:00F820B1↓r
.data:00F82054 00 00 00 00 dword_F82054 dd 0 ; DATA XREF: .data:00F82092↓r
.data:00F82058 00 00 00 00 dd 0
.data:00F8205C 00 00 00 00 dd 0
.data:00F82060 00 byte_F82060 db 0 ; DATA XREF: .data:00F82022↑r
.data:00F82061 00 00 00 00 dword_F82061 dd 0 ; DATA XREF: .data:00F8202F↑w
.data:00F82061 ; .data:00F8206C↓r ...
.data:00F82065
; Tail of the stub, reached from 00F82032 (flag byte == 1 and [esp+28h] != 1).
; The imm32 of the mov below lives at 00F82066, which is the address the stub
; pushes at 00F82034..00F82037 (loc_F82065+1).
; NOTE(review): 23A5C0F8h therefore looks like a placeholder that later code
; overwrites through that pointer - confirm by watching 00F82066 at run time.
.data:00F82065 loc_F82065: ; CODE XREF: .data:00F82032↑j
.data:00F82065 ; DATA XREF: .data:loc_F82034↑o
.data:00F82065 B8 F8 C0 A5 23 mov eax, 23A5C0F8h
.data:00F8206A 50 push eax ; copy kept on the stack until loc_F820B4
.data:00F8206B 50 push eax
.data:00F8206C 03 45 4E add eax, ss:(dword_F82061 - 0F82013h)[ebp] ; eax = imm + stored 0x400000
.data:00F8206F 5B pop ebx ; ebx = the immediate as currently encoded
.data:00F82070 85 C0 test eax, eax
.data:00F82072 74 1C jz short loc_F82090
.data:00F82074 EB 01 jmp short loc_F82077 ; steps over the stray E8 byte at 00F82076
.data:00F82077
.data:00F82077 loc_F82077: ; CODE XREF: .data:00F82074↑j
.data:00F82077 81 FB F8 C0 A5 23 cmp ebx, 23A5C0F8h ; immediate still the value in the file?
.data:00F8207D 74 35 jz short loc_F820B4 ; yes: nothing to call
.data:00F8207F 33 D2 xor edx, edx
.data:00F82081 56 push esi ; saved copy, recovered by "pop esi" after the call
.data:00F82082 6A 00 push 0
.data:00F82084 56 push esi
.data:00F82085 FF 75 4E push ss:(dword_F82061 - 0F82013h)[ebp]
.data:00F82088 FF D0 call eax ; eax(dword_F82061, esi, 0); assumes the callee pops its 3 args - TODO confirm
.data:00F8208A 5E pop esi
.data:00F8208B 83 FE 00 cmp esi, 0
.data:00F8208E 75 24 jnz short loc_F820B4 ; the cleanup below runs only when esi == 0
.data:00F82090
.data:00F82090 loc_F82090: ; CODE XREF: .data:00F82072↑j
.data:00F82090 33 D2 xor edx, edx
.data:00F82092 8B 45 41 mov eax, ss:(dword_F82054 - 0F82013h)[ebp]
.data:00F82095 85 C0 test eax, eax
.data:00F82097 74 07 jz short loc_F820A0
.data:00F82099 52 push edx
.data:00F8209A 52 push edx
.data:00F8209B FF 75 35 push ss:(dword_F82048 - 0F82013h)[ebp]
.data:00F8209E FF D0 call eax ; f(dword_F82048, 0, 0); target unknown from this listing
.data:00F820A0
.data:00F820A0 loc_F820A0: ; CODE XREF: .data:00F82097↑j
.data:00F820A0 8B 45 35 mov eax, ss:(dword_F82048 - 0F82013h)[ebp]
.data:00F820A3 85 C0 test eax, eax
.data:00F820A5 74 0D jz short loc_F820B4
.data:00F820A7 68 00 80 00 00 push 8000h
.data:00F820AC 6A 00 push 0
.data:00F820AE FF 75 35 push ss:(dword_F82048 - 0F82013h)[ebp]
.data:00F820B1 FF 55 3D call ss:(dword_F82050 - 0F82013h)[ebp] ; NOTE(review): (ptr, 0, 8000h) fits VirtualFree(ptr, 0, MEM_RELEASE) - confirm
.data:00F820B4
.data:00F820B4 loc_F820B4: ; CODE XREF: .data:00F8207D↑j
.data:00F820B4 ; .data:00F8208E↑j ...
.data:00F820B4 5B pop ebx ; the copy pushed at 00F8206A
.data:00F820B5 0B DB or ebx, ebx ; ZF = (copy == 0)
.data:00F820B7 61 popa ; restores the entry registers; flags are not touched
.data:00F820B8 75 06 jnz short loc_F820C0
.data:00F820BA 6A 01 push 1
.data:00F820BC 58 pop eax
.data:00F820BD C2 0C 00 retn 0Ch ; return 1 and drop three dword arguments
.data:00F820C0
; As stored in the file this path also yields eax = 1: neg of 0 leaves
; CF = 0, sbb gives 0, inc gives 1.
.data:00F820C0 loc_F820C0: ; CODE XREF: .data:00F820B8↑j
.data:00F820C0 33 C0 xor eax, eax
.data:00F820C2 F7 D8 neg eax
.data:00F820C4 1B C0 sbb eax, eax
.data:00F820C6 40 inc eax
.data:00F820C7 C2 0C 00 retn 0Ch
; Bytes IDA left undefined. 00F82007, 00F82013 and 00F82076 are single
; opcode-like bytes (E9 / EB / E8) that control flow steps over; the run
; starting at 00F820D2 lies between "call loc_F820E5" and its target and is
; never executed, only used as an address anchor (pop ecx -> 00F820D2).
.data:00F82007 E9 db 0E9h ; é
.data:00F82013 EB db 0EBh ; ë
.data:00F82076 E8 db 0E8h ; è
.data:00F820D2 1F db 1Fh
.data:00F820D3 6C db 6Ch ; l
.data:00F820D4 35 db 35h ; 5
.data:00F820D5 CA db 0CAh ; Ê
.data:00F820D6 3B db 3Bh ; ;
.data:00F820D7 58 db 58h ; X
.data:00F820D8 B1 db 0B1h ; ±
.data:00F820D9 96 db 96h ; –
.data:00F820DA 17 db 17h
.data:00F820DB 04 db 4
.data:00F820DC ED db 0EDh ; í
.data:00F820DD 22 db 22h ; "
.data:00F820DE B3 db 0B3h ; ³
.data:00F820DF 70 db 70h ; p
.data:00F820E0 E9 db 0E9h ; é
.data:00F820E1 6E db 6Eh ; n
.data:00F820E2 0F db 0Fh
.data:00F820E3 9C db 9Ch ; œ
.data:00F820E4 A5 db 0A5h ; ¥
.data:00F820EA 21 db 21h ; !
; Undefined bytes between the stub's jumps (continued). None of these
; addresses is a branch target in the listing: 00F820EB..00F820F6 follow
; "jmp loc_F820F7", 00F8210C..00F8211F follow "call loc_F82120",
; 00F82167..00F8216D follow "jmp near ptr unk_F82189" and
; 00F8217B..00F82188 follow the loop's back-edge jmp.
.data:00F820EB 46 db 46h ; F
.data:00F820EC 07 db 7
.data:00F820ED 34 db 34h ; 4
.data:00F820EE 5D db 5Dh ; ]
.data:00F820EF D2 db 0D2h ; Ò
.data:00F820F0 A3 db 0A3h ; £
.data:00F820F1 A0 db 0A0h ; (0A0h, non-breaking space)
.data:00F820F2 59 db 59h ; Y
.data:00F820F3 1E db 1Eh
.data:00F820F4 FF db 0FFh ; ÿ
.data:00F820F5 CC db 0CCh ; Ì
.data:00F820F6 15 db 15h
.data:00F8210C FC db 0FCh ; ü
.data:00F8210D 85 db 85h ; …
.data:00F8210E DA db 0DAh ; Ú
.data:00F8210F 0B db 0Bh
.data:00F82110 E8 db 0E8h ; è
.data:00F82111 01 db 1
.data:00F82112 A6 db 0A6h ; ¦
.data:00F82113 E7 db 0E7h ; ç
.data:00F82114 94 db 94h ; ”
.data:00F82115 3D db 3Dh ; =
.data:00F82116 32 db 32h ; 2
.data:00F82117 83 db 83h ; ƒ
.data:00F82118 00 db 0
.data:00F82119 39 db 39h ; 9
.data:00F8211A 7E db 7Eh ; ~
.data:00F8211B DF db 0DFh ; ß
.data:00F8211C 2C db 2Ch ; ,
.data:00F8211D F5 db 0F5h ; õ
.data:00F8211E 8A db 8Ah ; Š
.data:00F8211F FB db 0FBh ; û
.data:00F82167 43 db 43h ; C
.data:00F82168 C0 db 0C0h ; À
.data:00F82169 F9 db 0F9h ; ù
.data:00F8216A 3E db 3Eh ; >
.data:00F8216B 9F db 9Fh ; Ÿ
.data:00F8216C EC db 0ECh ; ì
.data:00F8216D B5 db 0B5h ; µ
.data:00F8217B EE db 0EEh ; î
.data:00F8217C 8F db 8Fh
.data:00F8217D 1C db 1Ch
.data:00F8217E 25 db 25h ; %
.data:00F8217F FA db 0FAh ; ú
.data:00F82180 AB db 0ABh ; «
.data:00F82181 08 db 8
.data:00F82182 A1 db 0A1h ; ¡
.data:00F82183 C6 db 0C6h ; Æ
.data:00F82184 87 db 87h ; ‡
.data:00F82185 B4 db 0B4h ; ´
.data:00F82186 DD db 0DDh ; Ý
.data:00F82187 52 db 52h ; R
.data:00F82188 23 db 23h ; #
; First byte of the region the loop rewrites; what is shown here is the
; stored (not yet rewritten) form, so it must not be disassembled as-is.
.data:00F82189 84 unk_F82189 db 84h ; „ ; CODE XREF: .data:00F82162↑j
.data:00F8218A 28 db 28h ; (
----------------
; Analyst's stack map.
; NOTE(review): pusha stores eight dwords, so right after it [esp] = EDI ...
; [esp+1Ch] = EAX and [esp+20h] is the return address that was on the stack
; at entry. The rows below are one slot higher than that, which matches esp
; while a call's return address is still pushed, not esp at the
; "mov esi, [esp+28h]" read (the call/pop pairs are balanced by then). At
; that read [esp+24h] is the first and [esp+28h] the second stack argument.
; NOTE(review): the stub leaves with retn 0Ch (three dwords), which does not
; fit the four-parameter wWinMain prototype; a three-argument entry whose
; second argument is compared with 1 looks DllMain-like - confirm under a
; debugger.
wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow);
[esp+2c] arg: pCmdLine
[esp+28] arg: nCmdShow
[esp+24] caller address
[esp+20] EAX
[esp+1c] ECX
[esp+18] EDX
[esp+14] EBX
[esp+10] ESP == esp+20
[esp+c] EBP
[esp+8] ESI
[esp+4] EDI
[esp]
; Analyst's cleaned-up copy of the stub: addresses, opcode bytes and the
; lines marked "ignore" are dropped, and the first call/pop/inc/push/retn
; hop is omitted. It is reading shorthand, not assemblable source.
loc_F82001: ; DATA XREF: start↑o
pusha ; save all eight GPRs (20h bytes)
call loc_F82014 ; return address 00F82013 becomes the data base
loc_F82014: ; CODE XREF: .data:loc_F8200E↑j
pop ebp ; ebp = 00F82013
mov ebx, -13h
add ebx, ebp ; -> ebx = 0xf82000
sub ebx, 0B82000h ; -> 0x400000
cmp ss:(byte_F82060 - 0F82013h)[ebp], 1 ; flag byte, 0 in the file image
jnz short loc_F82034
mov esi, [esp+28h] ; second stack argument at entry (esp is at its post-pusha value)
cmp esi, 1
mov ss:(dword_F82061 - 0F82013h)[ebp], ebx ; store 0x400000; mov leaves the cmp flags intact
jnz short loc_F82065
; Four dwords are left on the stack for the code that runs after the
; rewrite: address of the imm32 at loc_F82065+1, the value 0x400000, the
; GetModuleHandleA slot contents and the address of dword_F82048.
loc_F82034: ; CODE XREF: .data:00F82026↑j
lea eax, (loc_F82065+1 - 0F82013h)[ebp]
push eax
push ebx
push ss:(GetModuleHandleA - 0F82013h)[ebp]
lea eax, (dword_F82048 - 0F82013h)[ebp]
push eax
lea ecx, 00F820D2h ; shorthand for the original call/pop pair that yields this address
add ecx, 8AFh ; -> 00F82981
push 1FFh
pop eax ; ecx = ptr = caller+0x8af, eax = size = 0x1ff
;
; caller = 00F820D2 -> data is at 00F82981
;
; 00F82185-00F82981 file: 00315781
; eax counts dwords: ecx steps down by 4 from 00F82981, so the dwords
; touched start at 00F82189 .. 00F82981; 00F82185 is only the value ecx
; holds after the last pass.
lea edx, 00F8210Ch ; shorthand for "call loc_F82120" / "pop edx"
; Rewrite loop: each dword has 1947A71Eh subtracted (mod 2^32), i.e.
; 0E6B858E2h added, and is stored back in place.
loc_F82121: ; CODE XREF: .data:loc_F82176↓j
mov ebx, [ecx]
add ebx, 4C27824Bh
sub ebx, 47878428h
sub ebx, 1DE7A541h ; -0x627F3C40
; NOTE(review): "-0x627F3C40" does not follow from the three constants
; shown; +4C27824Bh - 47878428h - 1DE7A541h = -1947A71Eh.
mov [ecx], ebx
sub ecx, 6724918Dh
add ecx, 67249189h ; -4
sub eax, 1
jnz loc_F8216E ; more dwords left
mov edx, eax ; eax is 0 here
jmp near ptr unk_F82189 ; run the lowest rewritten dword
loc_F8216E: ; CODE XREF: .data:00F8215A↑j
jo loc_F82176 ; OF comes from "sub eax, 1"; never set for counts 1FFh..1
push ebx
pop esi
loc_F82176: ; CODE XREF: .data:loc_F8216E↑j
jmp loc_F82121
; Stub variables, all zero in the file image; see the XREF comments for the
; instructions that read or write them.
dword_F82048 dd 0 ; DATA XREF: .data:00F8203F↑o
; .data:00F8209B↓r ...
dd 0
dword_F82050 dd 0 ; DATA XREF: .data:00F820B1↓r
dword_F82054 dd 0 ; DATA XREF: .data:00F82092↓r
dd 0
dd 0
byte_F82060 db 0 ; DATA XREF: .data:00F82022↑r
dword_F82061 dd 0 ; DATA XREF: .data:00F8202F↑w
; .data:00F8206C↓r ...
; Cleaned-up copy of the stub's tail (addresses and opcode bytes dropped).
; It is reached when byte_F82060 == 1 and [esp+28h] != 1. The imm32 of the
; mov below is the location whose address the stub pushes as loc_F82065+1.
; NOTE(review): 23A5C0F8h therefore looks like a placeholder that later code
; overwrites through that pointer - confirm at run time.
loc_F82065: ; CODE XREF: .data:00F82032↑j
; DATA XREF: .data:loc_F82034↑o
mov eax, 23A5C0F8h
push eax ; copy kept on the stack until loc_F820B4
push eax
add eax, ss:(dword_F82061 - 0F82013h)[ebp] ; eax = imm + value stored in dword_F82061
pop ebx ; ebx = the immediate as currently encoded
test eax, eax
jz short loc_F82090
jmp short loc_F82077 ; in the binary this steps over one stray E8 byte
loc_F82077: ; CODE XREF: .data:00F82074↑j
cmp ebx, 23A5C0F8h ; immediate still the value in the file?
jz short loc_F820B4 ; yes: nothing to call
xor edx, edx
push esi ; saved copy, recovered by "pop esi" after the call
push 0
push esi
push ss:(dword_F82061 - 0F82013h)[ebp]
call eax ; eax(dword_F82061, esi, 0); assumes the callee pops its 3 args - TODO confirm
pop esi
cmp esi, 0
jnz short loc_F820B4 ; the cleanup below runs only when esi == 0
loc_F82090: ; CODE XREF: .data:00F82072↑j
xor edx, edx
mov eax, ss:(dword_F82054 - 0F82013h)[ebp]
test eax, eax
jz short loc_F820A0 ; pointer not set: skip
push edx
push edx
push ss:(dword_F82048 - 0F82013h)[ebp]
call eax ; f(dword_F82048, 0, 0); target unknown from this listing
loc_F820A0: ; CODE XREF: .data:00F82097↑j
mov eax, ss:(dword_F82048 - 0F82013h)[ebp]
test eax, eax
jz short loc_F820B4
push 8000h
push 0
push ss:(dword_F82048 - 0F82013h)[ebp]
call ss:(dword_F82050 - 0F82013h)[ebp] ; NOTE(review): (ptr, 0, 8000h) fits VirtualFree(ptr, 0, MEM_RELEASE) - confirm
loc_F820B4: ; CODE XREF: .data:00F8207D↑j
; .data:00F8208E↑j ...
pop ebx ; the copy pushed right after the mov at loc_F82065
or ebx, ebx ; ZF = (copy == 0)
popa ; restores the registers saved by pusha; flags are not touched
jnz short loc_F820C0
push 1
pop eax
retn 0Ch ; return 1 and drop three dword arguments
; As stored in the file this path also yields eax = 1: neg of 0 leaves
; CF = 0, sbb gives 0, inc gives 1.
loc_F820C0: ; CODE XREF: .data:00F820B8↑j
xor eax, eax
neg eax
sbb eax, eax
inc eax
retn 0Ch