37491b1b85fdf3969c45e83aa2d205ed = md5(plus/Cronos.exe)
dump -o 0x314f7b -4 -l 0x810 plus/Cronos.exe
The three per-dword operations in the loop at loc_F82121 (add 4C27824Bh, sub 47878428h, sub 1DE7A541h) net to a single add of 0xE6B858E2, i.e. a subtraction of 0x1947A71E modulo 2^32:
0x100000000-0x1947A71E = 0xE6B858E2
; Program entry (`start`): a push/retn trampoline. Nothing is computed here;
; the effect is a jump into loc_F82001, which lives in the .data section,
; with the stack exactly as it was on entry. Code executing out of a data
; section is the first packer indicator in this sample.
seg000:00401000 start proc near
seg000:00401000 push offset loc_F82001 ; address the retn below will "return" to
seg000:00401005 call nullsub_1 ; nullsub_1 is a bare retn, so the call pushes and immediately pops its return address (no-op)
seg000:0040100A retn ; pops the pushed offset -> execution continues at .data:00F82001
seg000:0040100B nullsub_1:
seg000:0040100B retn
; ---------------------------------------------------------------------------
; Unpacker stub reached from start (seg000:00401000) via push offset/retn.
; It locates itself with call/pop (no fixed load address assumed), decodes
; 0x1FF dwords of its own section in place (loop at loc_F82121) and then
; jumps into the bytes it just rewrote (unk_F82189). The self-rewriting
; code executing from .data is the triage signal; the final retn 0Ch shows
; the caller passed three stack dwords (see the [esp+..] map further down).
; ---------------------------------------------------------------------------
.data:00F82001
.data:00F82001 loc_F82001: ; DATA XREF: start↑o
.data:00F82001 60 pusha ; save all GPRs; restored by popa at 00F820B7 just before returning
.data:00F82002 E8 03 00 00 00 call loc_F8200A ; pushes 00F82007 (the stray 0xE9 byte) as return address ...
.data:00F82008 EB 04 jmp short loc_F8200E ; ... and execution actually resumes here, via the retn at 00F8200D
.data:00F8200A
.data:00F8200A loc_F8200A: ; CODE XREF: .data:00F82002↑j
.data:00F8200A 5D pop ebp ; ebp = 00F82007
.data:00F8200B 45 inc ebp ; ebp = 00F82008
.data:00F8200C 55 push ebp ; skips '0xE9' at 00F82007
.data:00F8200D C3 retn ; "returns" to 00F82008: anti-disassembly only, no other effect
.data:00F8200E
.data:00F8200E loc_F8200E: ; CODE XREF: .data:00F82008↑j
.data:00F8200E E8 01 00 00 00 call loc_F82014 ; call/pop: the return address 00F82013 becomes the position base in ebp
.data:00F82014
.data:00F82014 loc_F82014: ; CODE XREF: .data:loc_F8200E↑j
.data:00F82014 5D pop ebp ; ebp = 00F82013; every ss:(X - 0F82013h)[ebp] operand below is just X, written position-independently
.data:00F82015 BB ED FF FF FF mov ebx, -13h
.data:00F8201A 03 DD add ebx, ebp ; -> ebx = 0xf82000
.data:00F8201C 81 EB 00 20 B8 00 sub ebx, 0B82000h ; -> 0x400000 (presumably the image base, start sits at 00401000 — confirm against the PE header)
.data:00F82022 80 7D 4D 01 cmp ss:(byte_F82060 - 0F82013h)[ebp], 1 ; one-byte mode flag; value 1 enables the argument check below (meaning of the flag: TODO confirm)
.data:00F82026 75 0C jnz short loc_F82034
.data:00F82028 8B 74 24 28 mov esi, [esp+28h] ; pusha put 20h bytes on top: [esp+20h] is the return address into start's caller, [esp+28h] the caller's second stack argument. NOTE(review): the [esp+..] map in the notes looks shifted by one slot (it matches the layout while a call's return address is still on the stack) — verify
.data:00F8202C 83 FE 01 cmp esi, 1 ; arg2 == 1 plus retn 0Ch at the end is consistent with a 3-argument stdcall entry such as DllMain(hModule, fdwReason, lpvReserved) — assumption, confirm
.data:00F8202F 89 5D 4E mov ss:(dword_F82061 - 0F82013h)[ebp], ebx ; dword_F82061 = 0x400000; read again at 00F8206C and 00F82085
.data:00F82032 75 31 jnz short loc_F82065 ; arg2 != 1: skip the decode loop and go straight to the epilogue
.data:00F82034
.data:00F82034 loc_F82034: ; CODE XREF: .data:00F82026↑j
.data:00F82034 8D 45 53 lea eax, (loc_F82065+1 - 0F82013h)[ebp] ; four values are left on the stack for the decoded code: 00F82066 (inside the mov immediate at loc_F82065), ...
.data:00F82037 50 push eax
.data:00F82038 53 push ebx ; ... 0x400000, ...
.data:00F82039 FF B5 E9 09 00 00 push ss:(GetModuleHandleA - 0F82013h)[ebp] ; ... the slot IDA labels GetModuleHandleA (import/thunk value — confirm), ...
.data:00F8203F 8D 45 35 lea eax, (dword_F82048 - 0F82013h)[ebp]
.data:00F82042 50 push eax ; ... and &dword_F82048, a 6-dword block that the epilogue later reads as a buffer pointer and two function pointers (presumably filled in by the decoded code — verify)
.data:00F82043 E9 82 00 00 00 jmp loc_F820CA ; none of the four pushes is popped before control reaches unk_F82189
; Pointer/count setup and the in-place decode loop. The instructions the
; author marked "ignore" only write di/dx/si/edi (or edx/esi), and nothing
; in the listed code reads those values before overwriting them; they are
; filler between the real operations.
.data:00F820CA
.data:00F820CA loc_F820CA: ; CODE XREF: .data:00F82043↑j
.data:00F820CA 66 8B F8 mov di, ax ; ----- ignore
.data:00F820CD E8 13 00 00 00 call loc_F820E5 ; pushes 00F820D2; loc_F820F7 pops it into ecx (call/pop, as at 00F8200E)
.data:00F820E5
.data:00F820E5 loc_F820E5: ; CODE XREF: .data:00F820CD↑p
.data:00F820E5 E9 0D 00 00 00 jmp loc_F820F7
.data:00F820F7
.data:00F820F7 loc_F820F7: ; CODE XREF: .data:loc_F820E5↑j
.data:00F820F7 59 pop ecx ; -> 00F820D2
.data:00F820F8 66 8B D6 mov dx, si ; ----------- ignore
.data:00F820FB
.data:00F820FB loc_F820FB: ; CODE XREF: .data:00F8211A↓j
.data:00F820FB 81 C1 AF 08 00 00 add ecx, 8AFh ; -> 00F82981 = address of the HIGHEST dword of the region; the loop walks downwards
.data:00F82101 68 FF 01 00 00 push 1FFh
.data:00F82106 58 pop eax ; eax = 0x1FF = number of dwords to decode
.data:00F82107 E8 14 00 00 00 call loc_F82120 ; ecx = ptr = caller+0x8af, eax = size = 0x1ff
.data:00F82107 ;
.data:00F82107 ; caller = 00F820D2 -> data is at 00F82981
.data:00F82107 ;
.data:00F82107 ; 00F82185-00F82981 file: 00315781
.data:00F82107 ; NOTE(review): by the loop arithmetic the lowest address written is 00F82189 (00F82981 - 4*1FEh), which is also the jmp target at 00F82162 — verify the 00F82185 figure above against the dump
.data:00F82120
.data:00F82120 loc_F82120: ; CODE XREF: .data:00F82107↑p
.data:00F82120 5A pop edx ; -> 00F8210C (return address; edx is overwritten at 00F82160 before the loop exits)
.data:00F82121
.data:00F82121 loc_F82121: ; CODE XREF: .data:loc_F82176↓j
.data:00F82121 ; loop invariant: ecx = address of the next dword to decode, eax = dwords remaining (> 0)
.data:00F82121 8B 19 mov ebx, [ecx]
.data:00F82123 0F BF F1 movsx esi, cx ; ----- ignore
.data:00F82126 81 C3 4B 82 27 4C add ebx, 4C27824Bh ; this add and the two subs net to add 0xE6B858E2 (= sub 0x1947A71E mod 2^32), see the notes at the top
.data:00F8212C 81 EB 28 84 87 47 sub ebx, 47878428h
.data:00F82132 0F B7 D2 movzx edx, dx ; ----- ignore
.data:00F82135 81 EB 41 A5 E7 1D sub ebx, 1DE7A541h ; -0x627F3C40
.data:00F8213B 66 81 E2 D5 9C and dx, 9CD5h ; ----- ignore
.data:00F82140 89 19 mov [ecx], ebx ; in-place write into .data; the region is executed afterwards (unk_F82189), so it is code as well as data
.data:00F82142 80 D2 B7 adc dl, 0B7h ; '·' ; ----- ignore
.data:00F82145 81 E9 8D 91 24 67 sub ecx, 6724918Dh ; together with the add two lines down: ecx -= 4 (obfuscated pointer decrement)
.data:00F8214B 66 8B F1 mov si, cx ; ----- ignore
.data:00F8214E 81 C1 89 91 24 67 add ecx, 67249189h ; -4
.data:00F82154 0F BF F8 movsx edi, ax ; ----- ignore
.data:00F82157 83 E8 01 sub eax, 1 ; counter; also the only flag source for the jo at loc_F8216E
.data:00F8215A 0F 85 0E 00 00 00 jnz loc_F8216E
.data:00F82160 8B D0 mov edx, eax ; eax == 0 here, so the decoded code starts with eax = edx = 0
.data:00F82162 E9 22 00 00 00 jmp near ptr unk_F82189 ; the last dword decoded (00F82189) is exactly the jump target: execution continues inside the rewritten bytes
.data:00F8216E
.data:00F8216E loc_F8216E: ; CODE XREF: .data:00F8215A↑j
.data:00F8216E 0F 80 02 00 00 00 jo loc_F82176 ; OF is never set when counting down from 0x1FF, so the next two instructions always run
.data:00F82174 53 push ebx
.data:00F82175 5E pop esi ; esi = last decoded dword; unused by the loop, but visible to the decoded code
.data:00F82176
.data:00F82176 loc_F82176: ; CODE XREF: .data:loc_F8216E↑j
.data:00F82176 E9 A6 FF FF FF jmp loc_F82121
; Six-dword scratch block whose address was pushed for the decoded code at
; 00F82042. The epilogue below reads dword_F82048 as a buffer pointer and
; dword_F82050 / dword_F82054 as function pointers; what fills them is not
; visible in this listing (presumably the decoded code — verify).
.data:00F82048 00 00 00 00 dword_F82048 dd 0 ; DATA XREF: .data:00F8203F↑o
.data:00F82048 ; .data:00F8209B↓r ...
.data:00F8204C 00 00 00 00 dd 0
.data:00F82050 00 00 00 00 dword_F82050 dd 0 ; DATA XREF: .data:00F820B1↓r
.data:00F82054 00 00 00 00 dword_F82054 dd 0 ; DATA XREF: .data:00F82092↓r
.data:00F82058 00 00 00 00 dd 0
.data:00F8205C 00 00 00 00 dd 0
.data:00F82060 00 byte_F82060 db 0 ; DATA XREF: .data:00F82022↑r ; mode flag tested at 00F82022
.data:00F82061 00 00 00 00 dword_F82061 dd 0 ; DATA XREF: .data:00F8202F↑w ; receives 0x400000 at 00F8202F
.data:00F82061 ; .data:00F8206C↓r ...
; Epilogue. As listed, both exits return eax = 1 via retn 0Ch. The compare
; at loc_F82077 is always equal as listed, which makes the call eax at
; 00F82088 dead code unless the two 23A5C0F8h immediates are patched at
; run time; given that loc_F82065+1 was pushed at 00F82037 and the stub
; rewrites its own section, that looks likely — confirm from a memory dump.
.data:00F82065
.data:00F82065 loc_F82065: ; CODE XREF: .data:00F82032↑j
.data:00F82065 ; DATA XREF: .data:loc_F82034↑o
.data:00F82065 B8 F8 C0 A5 23 mov eax, 23A5C0F8h ; 00F82066 (loc_F82065+1) is the immediate's first byte
.data:00F8206A 50 push eax ; two copies: one becomes ebx below, the other is popped at loc_F820B4
.data:00F8206B 50 push eax
.data:00F8206C 03 45 4E add eax, ss:(dword_F82061 - 0F82013h)[ebp] ; eax = immediate + 0x400000 (image-relative target if the immediate is an RVA); nonzero as listed
.data:00F8206F 5B pop ebx ; ebx = 23A5C0F8h
.data:00F82070 85 C0 test eax, eax
.data:00F82072 74 1C jz short loc_F82090
.data:00F82074 EB 01 jmp short loc_F82077 ; hops over the stray 0xE8 byte at 00F82076
.data:00F82077
.data:00F82077 loc_F82077: ; CODE XREF: .data:00F82074↑j
.data:00F82077 81 FB F8 C0 A5 23 cmp ebx, 23A5C0F8h ; equal as listed -> jumps to loc_F820B4
.data:00F8207D 74 35 jz short loc_F820B4
.data:00F8207F 33 D2 xor edx, edx
.data:00F82081 56 push esi ; save esi across the call
.data:00F82082 6A 00 push 0
.data:00F82084 56 push esi
.data:00F82085 FF 75 4E push ss:(dword_F82061 - 0F82013h)[ebp]
.data:00F82088 FF D0 call eax ; eax(0x400000, esi, 0): forwards (module, arg2, 0) — DllMain-shaped if the assumption at 00F8202C holds; callee must clean its 3 args for the pop below to be balanced
.data:00F8208A 5E pop esi
.data:00F8208B 83 FE 00 cmp esi, 0
.data:00F8208E 75 24 jnz short loc_F820B4 ; esi != 0: skip the cleanup calls below
.data:00F82090
.data:00F82090 loc_F82090: ; CODE XREF: .data:00F82072↑j
.data:00F82090 33 D2 xor edx, edx
.data:00F82092 8B 45 41 mov eax, ss:(dword_F82054 - 0F82013h)[ebp]
.data:00F82095 85 C0 test eax, eax
.data:00F82097 74 07 jz short loc_F820A0 ; optional callback, only when dword_F82054 was filled in
.data:00F82099 52 push edx
.data:00F8209A 52 push edx
.data:00F8209B FF 75 35 push ss:(dword_F82048 - 0F82013h)[ebp]
.data:00F8209E FF D0 call eax ; [dword_F82054](dword_F82048, 0, 0)
.data:00F820A0
.data:00F820A0 loc_F820A0: ; CODE XREF: .data:00F82097↑j
.data:00F820A0 8B 45 35 mov eax, ss:(dword_F82048 - 0F82013h)[ebp]
.data:00F820A3 85 C0 test eax, eax
.data:00F820A5 74 0D jz short loc_F820B4
.data:00F820A7 68 00 80 00 00 push 8000h ; (ptr, 0, 8000h) is the VirtualFree(lpAddress, 0, MEM_RELEASE) argument shape — presumably dword_F82050 holds VirtualFree and dword_F82048 a buffer the decoded code allocated; verify
.data:00F820AC 6A 00 push 0
.data:00F820AE FF 75 35 push ss:(dword_F82048 - 0F82013h)[ebp]
.data:00F820B1 FF 55 3D call ss:(dword_F82050 - 0F82013h)[ebp] ; [dword_F82050](dword_F82048, 0, 8000h)
.data:00F820B4
.data:00F820B4 loc_F820B4: ; CODE XREF: .data:00F8207D↑j
.data:00F820B4 ; .data:00F8208E↑j ...
.data:00F820B4 5B pop ebx ; the second copy pushed at 00F8206B
.data:00F820B5 0B DB or ebx, ebx ; ZF = (ebx == 0); popa leaves flags untouched
.data:00F820B7 61 popa ; restore the registers saved at 00F82001
.data:00F820B8 75 06 jnz short loc_F820C0
.data:00F820BA 6A 01 push 1
.data:00F820BC 58 pop eax ; eax = 1
.data:00F820BD C2 0C 00 retn 0Ch ; return to start's caller, discarding three stack arguments
.data:00F820C0
.data:00F820C0 loc_F820C0: ; CODE XREF: .data:00F820B8↑j
.data:00F820C0 33 C0 xor eax, eax
.data:00F820C2 F7 D8 neg eax ; neg 0 leaves CF = 0 ...
.data:00F820C4 1B C0 sbb eax, eax ; ... so eax stays 0 ...
.data:00F820C6 40 inc eax ; ... and eax = 1: same result as the other exit
.data:00F820C7 C2 0C 00 retn 0Ch
.data:00F82007 E9 db 0E9h ; é
.data:00F82013 EB db 0EBh ; ë
.data:00F82076 E8 db 0E8h ; è
.data:00F820D2 1F db 1Fh
.data:00F820D3 6C db 6Ch ; l
.data:00F820D4 35 db 35h ; 5
.data:00F820D5 CA db 0CAh ; Ê
.data:00F820D6 3B db 3Bh ; ;
.data:00F820D7 58 db 58h ; X
.data:00F820D8 B1 db 0B1h ; ±
.data:00F820D9 96 db 96h ; –
.data:00F820DA 17 db 17h
.data:00F820DB 04 db 4
.data:00F820DC ED db 0EDh ; í
.data:00F820DD 22 db 22h ; "
.data:00F820DE B3 db 0B3h ; ³
.data:00F820DF 70 db 70h ; p
.data:00F820E0 E9 db 0E9h ; é
.data:00F820E1 6E db 6Eh ; n
.data:00F820E2 0F db 0Fh
.data:00F820E3 9C db 9Ch ; œ
.data:00F820E4 A5 db 0A5h ; ¥
.data:00F820EA 21 db 21h ; !
.data:00F820EB 46 db 46h ; F
.data:00F820EC 07 db 7
.data:00F820ED 34 db 34h ; 4
.data:00F820EE 5D db 5Dh ; ]
.data:00F820EF D2 db 0D2h ; Ò
.data:00F820F0 A3 db 0A3h ; £
.data:00F820F1 A0 db 0A0h ;
.data:00F820F2 59 db 59h ; Y
.data:00F820F3 1E db 1Eh
.data:00F820F4 FF db 0FFh ; ÿ
.data:00F820F5 CC db 0CCh ; Ì
.data:00F820F6 15 db 15h
.data:00F8210C FC db 0FCh ; ü
.data:00F8210D 85 db 85h ; …
.data:00F8210E DA db 0DAh ; Ú
.data:00F8210F 0B db 0Bh
.data:00F82110 E8 db 0E8h ; è
.data:00F82111 01 db 1
.data:00F82112 A6 db 0A6h ; ¦
.data:00F82113 E7 db 0E7h ; ç
.data:00F82114 94 db 94h ; ”
.data:00F82115 3D db 3Dh ; =
.data:00F82116 32 db 32h ; 2
.data:00F82117 83 db 83h ; ƒ
.data:00F82118 00 db 0
.data:00F82119 39 db 39h ; 9
.data:00F8211A 7E db 7Eh ; ~
.data:00F8211B DF db 0DFh ; ß
.data:00F8211C 2C db 2Ch ; ,
.data:00F8211D F5 db 0F5h ; õ
.data:00F8211E 8A db 8Ah ; Š
.data:00F8211F FB db 0FBh ; û
.data:00F82167 43 db 43h ; C
.data:00F82168 C0 db 0C0h ; À
.data:00F82169 F9 db 0F9h ; ù
.data:00F8216A 3E db 3Eh ; >
.data:00F8216B 9F db 9Fh ; Ÿ
.data:00F8216C EC db 0ECh ; ì
.data:00F8216D B5 db 0B5h ; µ
.data:00F8217B EE db 0EEh ; î
.data:00F8217C 8F db 8Fh
.data:00F8217D 1C db 1Ch
.data:00F8217E 25 db 25h ; %
.data:00F8217F FA db 0FAh ; ú
.data:00F82180 AB db 0ABh ; «
.data:00F82181 08 db 8
.data:00F82182 A1 db 0A1h ; ¡
.data:00F82183 C6 db 0C6h ; Æ
.data:00F82184 87 db 87h ; ‡
.data:00F82185 B4 db 0B4h ; ´
.data:00F82186 DD db 0DDh ; Ý
.data:00F82187 52 db 52h ; R
.data:00F82188 23 db 23h ; #
.data:00F82189 84 unk_F82189 db 84h ; „ ; CODE XREF: .data:00F82162↑j
.data:00F8218A 28 db 28h ; (
----------------
wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow);
[esp+2c] arg: pCmdLine
[esp+28] arg: nCmdShow
[esp+24] caller address
[esp+20] EAX
[esp+1c] ECX
[esp+18] EDX
[esp+14] EBX
[esp+10] ESP (value before pusha, i.e. esp+20)
[esp+c] EBP
[esp+8] ESI
[esp+4] EDI
[esp]
; Cleaned-up stub (junk and anti-disassembly hops removed). Entry: start
; pushes loc_F82001 and retns into it, so the stack here is the caller's.
loc_F82001: ; DATA XREF: start↑o
pusha ; save all GPRs; restored by popa before the retn 0Ch
call loc_F82014 ; call/pop: the return address 00F82013 becomes the position base in ebp
loc_F82014: ; CODE XREF: .data:loc_F8200E↑j
pop ebp ; ebp = 00F82013; every ss:(X - 0F82013h)[ebp] operand below is just X
mov ebx, -13h
add ebx, ebp ; -> ebx = 0xf82000
sub ebx, 0B82000h ; -> 0x400000 (presumably the image base; confirm against the PE header)
cmp ss:(byte_F82060 - 0F82013h)[ebp], 1 ; one-byte mode flag; 1 enables the argument check (meaning: TODO confirm)
jnz short loc_F82034
mov esi, [esp+28h] ; pusha put 20h bytes on top: [esp+20h] is the return address, [esp+28h] the caller's second stack argument. NOTE(review): the [esp+..] map above looks shifted by one slot — verify
cmp esi, 1 ; arg2 == 1 plus retn 0Ch at the end is consistent with a 3-argument stdcall entry such as DllMain(hModule, fdwReason, lpvReserved) — assumption, confirm
mov ss:(dword_F82061 - 0F82013h)[ebp], ebx ; dword_F82061 = 0x400000, read again at loc_F82065
jnz short loc_F82065 ; arg2 != 1: skip the decode loop, go straight to the epilogue
loc_F82034: ; CODE XREF: .data:00F82026↑j
lea eax, (loc_F82065+1 - 0F82013h)[ebp] ; four values are left on the stack for the decoded code: 00F82066, ...
push eax
push ebx ; ... 0x400000, ...
push ss:(GetModuleHandleA - 0F82013h)[ebp] ; ... the slot IDA labels GetModuleHandleA (import/thunk value — confirm), ...
lea eax, (dword_F82048 - 0F82013h)[ebp]
push eax ; ... and &dword_F82048 (buffer pointer + two function pointers used by the epilogue; presumably filled in by the decoded code — verify)
; Decode loop: 0x1FF dwords from 00F82981 downwards, each rewritten in place
; as [ecx] += 0xE6B858E2 (the three constant ops, see the notes at the top).
lea ecx, 00F820D2h ; return address recovered by call/pop in the raw listing
add ecx, 8AFh ; -> 00F82981 = HIGHEST dword of the region
push 1FFh
pop eax ; eax = 0x1FF = dwords to decode
; ecx = ptr = caller+0x8af, eax = size = 0x1ff
;
; caller = 00F820D2 -> data is at 00F82981
;
; 00F82185-00F82981 file: 00315781
; NOTE(review): by the loop arithmetic the lowest address written is 00F82189 (00F82981 - 4*1FEh), which is also the jmp target below — verify the 00F82185 figure against the dump
lea edx, 00F8210Ch ; return address of the original call; edx is overwritten before the loop exits
loc_F82121: ; CODE XREF: .data:loc_F82176↓j
; invariant: ecx = next dword to decode, eax = dwords remaining (> 0)
mov ebx, [ecx]
add ebx, 4C27824Bh ; add + two subs net to add 0xE6B858E2 (= sub 0x1947A71E mod 2^32)
sub ebx, 47878428h
sub ebx, 1DE7A541h ; -0x627F3C40
mov [ecx], ebx ; in-place write; the region is executed afterwards, so it is code as well as data
sub ecx, 6724918Dh ; with the add below: ecx -= 4 (obfuscated pointer decrement)
add ecx, 67249189h ; -4
sub eax, 1 ; counter; sole flag source for the jo below
jnz loc_F8216E
mov edx, eax ; eax == 0 here, so the decoded code starts with eax = edx = 0
jmp near ptr unk_F82189 ; the last dword decoded is exactly the jump target: execution continues inside the rewritten bytes
loc_F8216E: ; CODE XREF: .data:00F8215A↑j
jo loc_F82176 ; OF is never set counting down from 0x1FF, so the next two instructions always run
push ebx
pop esi ; esi = last decoded dword; unused by the loop, visible to the decoded code
loc_F82176: ; CODE XREF: .data:loc_F8216E↑j
jmp loc_F82121
; Six-dword scratch block whose address was pushed at loc_F82034; the
; epilogue reads dword_F82048 as a buffer pointer and dword_F82050 /
; dword_F82054 as function pointers (filled in elsewhere — verify).
dword_F82048 dd 0 ; DATA XREF: .data:00F8203F↑o
; .data:00F8209B↓r ...
dd 0
dword_F82050 dd 0 ; DATA XREF: .data:00F820B1↓r
dword_F82054 dd 0 ; DATA XREF: .data:00F82092↓r
dd 0
dd 0
byte_F82060 db 0 ; DATA XREF: .data:00F82022↑r ; mode flag tested at the top
dword_F82061 dd 0 ; DATA XREF: .data:00F8202F↑w ; receives 0x400000
; .data:00F8206C↓r ...
; Epilogue. As listed, both exits return eax = 1 via retn 0Ch, and the
; compare at loc_F82077 is always equal, so the call eax is dead code unless
; the two 23A5C0F8h immediates are patched at run time. Since loc_F82065+1
; was pushed for the decoded code and the stub rewrites its own section,
; that looks likely — confirm from a memory dump.
loc_F82065: ; CODE XREF: .data:00F82032↑j
; DATA XREF: .data:loc_F82034↑o
mov eax, 23A5C0F8h ; loc_F82065+1 is this immediate's first byte
push eax ; two copies: one becomes ebx below, the other is popped at loc_F820B4
push eax
add eax, ss:(dword_F82061 - 0F82013h)[ebp] ; eax = immediate + 0x400000 (image-relative target if the immediate is an RVA); nonzero as listed
pop ebx ; ebx = 23A5C0F8h
test eax, eax
jz short loc_F82090
jmp short loc_F82077 ; hops over a stray 0xE8 byte in the raw listing
loc_F82077: ; CODE XREF: .data:00F82074↑j
cmp ebx, 23A5C0F8h ; equal as listed -> loc_F820B4
jz short loc_F820B4
xor edx, edx
push esi ; save esi across the call
push 0
push esi
push ss:(dword_F82061 - 0F82013h)[ebp]
call eax ; eax(0x400000, esi, 0): forwards (module, arg2, 0) — DllMain-shaped if the earlier assumption holds; callee must clean its 3 args for the pop below to be balanced
pop esi
cmp esi, 0
jnz short loc_F820B4 ; esi != 0: skip the cleanup calls
loc_F82090: ; CODE XREF: .data:00F82072↑j
xor edx, edx
mov eax, ss:(dword_F82054 - 0F82013h)[ebp]
test eax, eax
jz short loc_F820A0 ; optional callback, only when dword_F82054 was filled in
push edx
push edx
push ss:(dword_F82048 - 0F82013h)[ebp]
call eax ; [dword_F82054](dword_F82048, 0, 0)
loc_F820A0: ; CODE XREF: .data:00F82097↑j
mov eax, ss:(dword_F82048 - 0F82013h)[ebp]
test eax, eax
jz short loc_F820B4
push 8000h ; (ptr, 0, 8000h) is the VirtualFree(lpAddress, 0, MEM_RELEASE) argument shape — presumably dword_F82050 holds VirtualFree and dword_F82048 a buffer allocated by the decoded code; verify
push 0
push ss:(dword_F82048 - 0F82013h)[ebp]
call ss:(dword_F82050 - 0F82013h)[ebp] ; [dword_F82050](dword_F82048, 0, 8000h)
loc_F820B4: ; CODE XREF: .data:00F8207D↑j
; .data:00F8208E↑j ...
pop ebx ; the second copy of 23A5C0F8h
or ebx, ebx ; ZF = (ebx == 0); popa leaves flags untouched
popa ; restore the registers saved by pusha at entry
jnz short loc_F820C0
push 1
pop eax ; eax = 1
retn 0Ch ; return to start's caller, discarding three stack arguments
loc_F820C0: ; CODE XREF: .data:00F820B8↑j
xor eax, eax
neg eax ; neg 0 leaves CF = 0 ...
sbb eax, eax ; ... so eax stays 0 ...
inc eax ; ... and eax = 1: same result as the other exit
retn 0Ch