37491b1b85fdf3969c45e83aa2d205ed  = md5(plus/Cronos.exe)

dump -o 0x314f7b -4 -l 0x810 plus/Cronos.exe

net per-dword delta of the three operations below, mod 2^32: 0x100000000-0x1947A71E = 0xE6B858E2

add 4C27824Bh
sub 47878428h
sub 1DE7A541h


seg000:00401000 start           proc near
seg000:00401000                 push    offset loc_F82001
seg000:00401005                 call    nullsub_1
seg000:0040100A                 retn
seg000:0040100B nullsub_1:
seg000:0040100B                 retn

.data:00F82001
.data:00F82001                   loc_F82001:                             ; DATA XREF: start↑o
.data:00F82001 60                                pusha
.data:00F82002 E8 03 00 00 00                    call    loc_F8200A

.data:00F82008 EB 04                             jmp     short loc_F8200E
.data:00F8200A
.data:00F8200A                   loc_F8200A:                             ; CODE XREF: .data:00F82002↑j
.data:00F8200A 5D                                pop     ebp
.data:00F8200B 45                                inc     ebp
.data:00F8200C 55                                push    ebp             ; skips '0xE9' at 00F82007
.data:00F8200D C3                                retn
.data:00F8200E
.data:00F8200E                   loc_F8200E:                             ; CODE XREF: .data:00F82008↑j
.data:00F8200E E8 01 00 00 00                    call    loc_F82014

.data:00F82014
.data:00F82014                   loc_F82014:                             ; CODE XREF: .data:loc_F8200E↑j
.data:00F82014 5D                                pop     ebp
.data:00F82015 BB ED FF FF FF                    mov     ebx, -13h
.data:00F8201A 03 DD                             add     ebx, ebp        ; -> ebx = 0xf82000
.data:00F8201C 81 EB 00 20 B8 00                 sub     ebx, 0B82000h   ; -> 0x400000
.data:00F82022 80 7D 4D 01                       cmp     ss:(byte_F82060 - 0F82013h)[ebp], 1
.data:00F82026 75 0C                             jnz     short loc_F82034
.data:00F82028 8B 74 24 28                       mov     esi, [esp+28h]
.data:00F8202C 83 FE 01                          cmp     esi, 1
.data:00F8202F 89 5D 4E                          mov     ss:(dword_F82061 - 0F82013h)[ebp], ebx
.data:00F82032 75 31                             jnz     short loc_F82065
.data:00F82034
.data:00F82034                   loc_F82034:                             ; CODE XREF: .data:00F82026↑j
.data:00F82034 8D 45 53                          lea     eax, (loc_F82065+1 - 0F82013h)[ebp]
.data:00F82037 50                                push    eax
.data:00F82038 53                                push    ebx
.data:00F82039 FF B5 E9 09 00 00                 push    ss:(GetModuleHandleA - 0F82013h)[ebp]
.data:00F8203F 8D 45 35                          lea     eax, (dword_F82048 - 0F82013h)[ebp]
.data:00F82042 50                                push    eax
.data:00F82043 E9 82 00 00 00                    jmp     loc_F820CA

.data:00F820CA
.data:00F820CA                   loc_F820CA:                             ; CODE XREF: .data:00F82043↑j
.data:00F820CA 66 8B F8                          mov     di, ax          ; ----- ignore
.data:00F820CD E8 13 00 00 00                    call    loc_F820E5

.data:00F820E5
.data:00F820E5                   loc_F820E5:                             ; CODE XREF: .data:00F820CD↑p
.data:00F820E5 E9 0D 00 00 00                    jmp     loc_F820F7

.data:00F820F7
.data:00F820F7                   loc_F820F7:                             ; CODE XREF: .data:loc_F820E5↑j
.data:00F820F7 59                                pop     ecx             ; -> 00F820D2
.data:00F820F8 66 8B D6                          mov     dx, si          ; ----------- ignore
.data:00F820FB
.data:00F820FB                   loc_F820FB:                             ; CODE XREF: .data:00F8211A↓j
.data:00F820FB 81 C1 AF 08 00 00                 add     ecx, 8AFh       ; -> 00F82981
.data:00F82101 68 FF 01 00 00                    push    1FFh
.data:00F82106 58                                pop     eax
.data:00F82107 E8 14 00 00 00                    call    loc_F82120      ; ecx = ptr = caller+0x8af,  eax = size = 0x1ff
.data:00F82107                                                           ;
.data:00F82107                                                           ; caller = 00F820D2 -> data is at 00F82981
.data:00F82107                                                           ;
.data:00F82107                                                           ; dwords rewritten by the loop: 00F82185-00F82981 (file offset 00315781)


.data:00F82120
.data:00F82120                   loc_F82120:                             ; CODE XREF: .data:00F82107↑p
.data:00F82120 5A                                pop     edx             ; -> 00F8210C
.data:00F82121
.data:00F82121                   loc_F82121:                             ; CODE XREF: .data:loc_F82176↓j
.data:00F82121 8B 19                             mov     ebx, [ecx]
.data:00F82123 0F BF F1                          movsx   esi, cx         ; ----- ignore
.data:00F82126 81 C3 4B 82 27 4C                 add     ebx, 4C27824Bh
.data:00F8212C 81 EB 28 84 87 47                 sub     ebx, 47878428h
.data:00F82132 0F B7 D2                          movzx   edx, dx         ; ----- ignore
.data:00F82135 81 EB 41 A5 E7 1D                 sub     ebx, 1DE7A541h  ; -0x627F3C40
.data:00F8213B 66 81 E2 D5 9C                    and     dx, 9CD5h       ; ----- ignore
.data:00F82140 89 19                             mov     [ecx], ebx
.data:00F82142 80 D2 B7                          adc     dl, 0B7h ; '·'  ; ----- ignore
.data:00F82145 81 E9 8D 91 24 67                 sub     ecx, 6724918Dh
.data:00F8214B 66 8B F1                          mov     si, cx          ; ----- ignore
.data:00F8214E 81 C1 89 91 24 67                 add     ecx, 67249189h  ; -4
.data:00F82154 0F BF F8                          movsx   edi, ax         ; ----- ignore
.data:00F82157 83 E8 01                          sub     eax, 1
.data:00F8215A 0F 85 0E 00 00 00                 jnz     loc_F8216E
.data:00F82160 8B D0                             mov     edx, eax
.data:00F82162 E9 22 00 00 00                    jmp     near ptr unk_F82189

.data:00F8216E
.data:00F8216E                   loc_F8216E:                             ; CODE XREF: .data:00F8215A↑j
.data:00F8216E 0F 80 02 00 00 00                 jo      loc_F82176
.data:00F82174 53                                push    ebx
.data:00F82175 5E                                pop     esi
.data:00F82176
.data:00F82176                   loc_F82176:                             ; CODE XREF: .data:loc_F8216E↑j
.data:00F82176 E9 A6 FF FF FF                    jmp     loc_F82121


.data:00F82048 00 00 00 00       dword_F82048    dd 0                    ; DATA XREF: .data:00F8203F↑o
.data:00F82048                                                           ; .data:00F8209B↓r ...
.data:00F8204C 00 00 00 00                       dd 0
.data:00F82050 00 00 00 00       dword_F82050    dd 0                    ; DATA XREF: .data:00F820B1↓r
.data:00F82054 00 00 00 00       dword_F82054    dd 0                    ; DATA XREF: .data:00F82092↓r
.data:00F82058 00 00 00 00                       dd 0
.data:00F8205C 00 00 00 00                       dd 0
.data:00F82060 00                byte_F82060     db 0                    ; DATA XREF: .data:00F82022↑r
.data:00F82061 00 00 00 00       dword_F82061    dd 0                    ; DATA XREF: .data:00F8202F↑w
.data:00F82061                                                           ; .data:00F8206C↓r ...
.data:00F82065
.data:00F82065                   loc_F82065:                             ; CODE XREF: .data:00F82032↑j
.data:00F82065                                                           ; DATA XREF: .data:loc_F82034↑o
.data:00F82065 B8 F8 C0 A5 23                    mov     eax, 23A5C0F8h
.data:00F8206A 50                                push    eax
.data:00F8206B 50                                push    eax
.data:00F8206C 03 45 4E                          add     eax, ss:(dword_F82061 - 0F82013h)[ebp]
.data:00F8206F 5B                                pop     ebx
.data:00F82070 85 C0                             test    eax, eax
.data:00F82072 74 1C                             jz      short loc_F82090
.data:00F82074 EB 01                             jmp     short loc_F82077

.data:00F82077
.data:00F82077                   loc_F82077:                             ; CODE XREF: .data:00F82074↑j
.data:00F82077 81 FB F8 C0 A5 23                 cmp     ebx, 23A5C0F8h
.data:00F8207D 74 35                             jz      short loc_F820B4
.data:00F8207F 33 D2                             xor     edx, edx
.data:00F82081 56                                push    esi
.data:00F82082 6A 00                             push    0
.data:00F82084 56                                push    esi
.data:00F82085 FF 75 4E                          push    ss:(dword_F82061 - 0F82013h)[ebp]
.data:00F82088 FF D0                             call    eax
.data:00F8208A 5E                                pop     esi
.data:00F8208B 83 FE 00                          cmp     esi, 0
.data:00F8208E 75 24                             jnz     short loc_F820B4
.data:00F82090
.data:00F82090                   loc_F82090:                             ; CODE XREF: .data:00F82072↑j
.data:00F82090 33 D2                             xor     edx, edx
.data:00F82092 8B 45 41                          mov     eax, ss:(dword_F82054 - 0F82013h)[ebp]
.data:00F82095 85 C0                             test    eax, eax
.data:00F82097 74 07                             jz      short loc_F820A0
.data:00F82099 52                                push    edx
.data:00F8209A 52                                push    edx
.data:00F8209B FF 75 35                          push    ss:(dword_F82048 - 0F82013h)[ebp]
.data:00F8209E FF D0                             call    eax
.data:00F820A0
.data:00F820A0                   loc_F820A0:                             ; CODE XREF: .data:00F82097↑j
.data:00F820A0 8B 45 35                          mov     eax, ss:(dword_F82048 - 0F82013h)[ebp]
.data:00F820A3 85 C0                             test    eax, eax
.data:00F820A5 74 0D                             jz      short loc_F820B4
.data:00F820A7 68 00 80 00 00                    push    8000h
.data:00F820AC 6A 00                             push    0
.data:00F820AE FF 75 35                          push    ss:(dword_F82048 - 0F82013h)[ebp]
.data:00F820B1 FF 55 3D                          call    ss:(dword_F82050 - 0F82013h)[ebp]
.data:00F820B4
.data:00F820B4                   loc_F820B4:                             ; CODE XREF: .data:00F8207D↑j
.data:00F820B4                                                           ; .data:00F8208E↑j ...
.data:00F820B4 5B                                pop     ebx
.data:00F820B5 0B DB                             or      ebx, ebx
.data:00F820B7 61                                popa
.data:00F820B8 75 06                             jnz     short loc_F820C0
.data:00F820BA 6A 01                             push    1
.data:00F820BC 58                                pop     eax
.data:00F820BD C2 0C 00                          retn    0Ch
.data:00F820C0
.data:00F820C0                   loc_F820C0:                             ; CODE XREF: .data:00F820B8↑j
.data:00F820C0 33 C0                             xor     eax, eax
.data:00F820C2 F7 D8                             neg     eax
.data:00F820C4 1B C0                             sbb     eax, eax
.data:00F820C6 40                                inc     eax
.data:00F820C7 C2 0C 00                          retn    0Ch




.data:00F82007 E9                                db 0E9h ; é

.data:00F82013 EB                                db 0EBh ; ë

.data:00F82076 E8                                db 0E8h ; è


.data:00F820D2 1F                                db  1Fh
.data:00F820D3 6C                                db  6Ch ; l
.data:00F820D4 35                                db  35h ; 5
.data:00F820D5 CA                                db 0CAh ; Ê
.data:00F820D6 3B                                db  3Bh ; ;
.data:00F820D7 58                                db  58h ; X
.data:00F820D8 B1                                db 0B1h ; ±
.data:00F820D9 96                                db  96h ; –
.data:00F820DA 17                                db  17h
.data:00F820DB 04                                db    4
.data:00F820DC ED                                db 0EDh ; í
.data:00F820DD 22                                db  22h ; "
.data:00F820DE B3                                db 0B3h ; ³
.data:00F820DF 70                                db  70h ; p
.data:00F820E0 E9                                db 0E9h ; é
.data:00F820E1 6E                                db  6Eh ; n
.data:00F820E2 0F                                db  0Fh
.data:00F820E3 9C                                db  9Ch ; œ
.data:00F820E4 A5                                db 0A5h ; ¥



.data:00F820EA 21                                db  21h ; !
.data:00F820EB 46                                db  46h ; F
.data:00F820EC 07                                db    7
.data:00F820ED 34                                db  34h ; 4
.data:00F820EE 5D                                db  5Dh ; ]
.data:00F820EF D2                                db 0D2h ; Ò
.data:00F820F0 A3                                db 0A3h ; £
.data:00F820F1 A0                                db 0A0h ;  
.data:00F820F2 59                                db  59h ; Y
.data:00F820F3 1E                                db  1Eh
.data:00F820F4 FF                                db 0FFh ; ÿ
.data:00F820F5 CC                                db 0CCh ; Ì
.data:00F820F6 15                                db  15h


.data:00F8210C FC                                db 0FCh ; ü
.data:00F8210D 85                                db  85h ; …
.data:00F8210E DA                                db 0DAh ; Ú
.data:00F8210F 0B                                db  0Bh
.data:00F82110 E8                                db 0E8h ; è
.data:00F82111 01                                db    1
.data:00F82112 A6                                db 0A6h ; ¦
.data:00F82113 E7                                db 0E7h ; ç
.data:00F82114 94                                db  94h ; ”
.data:00F82115 3D                                db  3Dh ; =
.data:00F82116 32                                db  32h ; 2
.data:00F82117 83                                db  83h ; ƒ
.data:00F82118 00                                db    0
.data:00F82119 39                                db  39h ; 9
.data:00F8211A 7E                                db  7Eh ; ~
.data:00F8211B DF                                db 0DFh ; ß
.data:00F8211C 2C                                db  2Ch ; ,
.data:00F8211D F5                                db 0F5h ; õ
.data:00F8211E 8A                                db  8Ah ; Š
.data:00F8211F FB                                db 0FBh ; û



.data:00F82167 43                                db  43h ; C
.data:00F82168 C0                                db 0C0h ; À
.data:00F82169 F9                                db 0F9h ; ù
.data:00F8216A 3E                                db  3Eh ; >
.data:00F8216B 9F                                db  9Fh ; Ÿ
.data:00F8216C EC                                db 0ECh ; ì
.data:00F8216D B5                                db 0B5h ; µ

.data:00F8217B EE                                db 0EEh ; î
.data:00F8217C 8F                                db  8Fh
.data:00F8217D 1C                                db  1Ch
.data:00F8217E 25                                db  25h ; %
.data:00F8217F FA                                db 0FAh ; ú
.data:00F82180 AB                                db 0ABh ; «
.data:00F82181 08                                db    8
.data:00F82182 A1                                db 0A1h ; ¡
.data:00F82183 C6                                db 0C6h ; Æ
.data:00F82184 87                                db  87h ; ‡
.data:00F82185 B4                                db 0B4h ; ´
.data:00F82186 DD                                db 0DDh ; Ý
.data:00F82187 52                                db  52h ; R
.data:00F82188 23                                db  23h ; #
.data:00F82189 84                unk_F82189      db  84h ; „             ; CODE XREF: .data:00F82162↑j
.data:00F8218A 28                                db  28h ; (




----------------
wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow);

[esp+2c]     arg: pCmdLine
[esp+28]     arg: nCmdShow
[esp+24]     caller address
[esp+20]     EAX
[esp+1c]     ECX
[esp+18]     EDX
[esp+14]     EBX
[esp+10]     ESP == esp+20
[esp+c]      EBP
[esp+8]      ESI
[esp+4]      EDI
[esp]   


; Packer entry stub, reconstructed from the IDA dump above with the
; instructions marked "ignore" dropped and the call/pop address loads
; written as lea.  start reaches loc_F82001 via push offset / call nullsub_1 /
; retn, so on entry esp still points at the caller's return address.
; Register roles after the prologue:
;   ebp = 0F82013h, the address after the call (every (sym - 0F82013h)[ebp]
;         operand below is a position-independent reference to stub data)
;   ebx = ebp - 13h - 0B82000h (0x400000 per the note below; that is the
;         image base implied by start sitting at 0x401000)
; Both exits set eax = 1 and `retn 0Ch`, i.e. three dword stack arguments.
; NOTE(review): a three-argument stdcall does not match the four-argument
; wWinMain sketch in the table above -- confirm the signature.
loc_F82001:                             ; DATA XREF: start↑o
                pusha                   ; saves the 8 GPRs (20h bytes)
                call    loc_F82014      ; in the original a 5-byte call, so it pushes 0F82013h
loc_F82014:                             ; CODE XREF: .data:loc_F8200E↑j
                pop     ebp             ; ebp = 0F82013h
                mov     ebx, -13h
                add     ebx, ebp        ; -> ebx = 0xf82000
                sub     ebx, 0B82000h   ; -> 0x400000
                cmp     ss:(byte_F82060 - 0F82013h)[ebp], 1   ; mode byte (0 in the image; who sets it is not shown here)
                jnz     short loc_F82034
                mov     esi, [esp+28h]  ; second stack argument: [esp+20h] is the return address after pusha (assumes nothing else was pushed)
                cmp     esi, 1
                mov     ss:(dword_F82061 - 0F82013h)[ebp], ebx   ; remember the base for loc_F82065; mov leaves the flags from cmp alone
                jnz     short loc_F82065

loc_F82034:                             ; CODE XREF: .data:00F82026↑j
                ; Four values are pushed and are still on the stack when control
                ; jumps to unk_F82189 (nothing in this listing pops them):
                ; &loc_F82065+1, the base, the GetModuleHandleA slot, &dword_F82048.
                lea     eax, (loc_F82065+1 - 0F82013h)[ebp]  ; one byte past the mov at loc_F82065
                push    eax
                push    ebx
                push    ss:(GetModuleHandleA - 0F82013h)[ebp]
                lea     eax, (dword_F82048 - 0F82013h)[ebp]
                push    eax

                lea     ecx, 00F820D2h  ; stands for the call/pop at 00F820CD..00F820F7 (pop ecx -> 00F820D2)
                add     ecx, 8AFh       ; -> 00F82981
                push    1FFh
                pop     eax             ; eax = 1FFh dwords to process
                                 ; ecx = ptr = caller+0x8af,  eax = size = 0x1ff
                                 ;
                                 ; caller = 00F820D2 -> data is at 00F82981
                                 ;
                                 ; dwords rewritten by the loop: 00F82185-00F82981 (file offset 00315781)

                lea     edx, 00F8210Ch  ; stands for call loc_F82120 / pop edx; only read by the dropped junk ops

; Decode loop: 1FFh dwords walked downward from 00F82981 to 00F82189
; (= 00F82981 - 4*1FEh), each rewritten as dword + 0E6B858E2h
; (4C27824Bh - 47878428h - 1DE7A541h).  The add/sub/sub and the sub/add
; pair on ecx are a split constant and a split -4.
loc_F82121:                             ; CODE XREF: .data:loc_F82176↓j
                mov     ebx, [ecx]
                add     ebx, 4C27824Bh
                sub     ebx, 47878428h
                sub     ebx, 1DE7A541h  ; -0x627F3C40
                mov     [ecx], ebx
                sub     ecx, 6724918Dh
                add     ecx, 67249189h  ; -4
                sub     eax, 1
                jnz     loc_F8216E
                mov     edx, eax        ; eax == 0 here, so edx = 0
                jmp     near ptr unk_F82189   ; enter the freshly rewritten bytes (lowest address of the range)


loc_F8216E:                             ; CODE XREF: .data:00F8215A↑j
                jo      loc_F82176      ; OF from `sub eax, 1` (jnz keeps flags); eax is 1..1FEh here, so never taken
                push    ebx
                pop     esi             ; esi = ebx (the dword just written); not read again in this listing

loc_F82176:                             ; CODE XREF: .data:loc_F8216E↑j
                jmp     loc_F82121



; Stub data.  All slots are zero in the image; dword_F82061 is written at
; 00F8202F above, the others are only read here.  &dword_F82048 is handed
; out at loc_F82034, so presumably they are filled by the decoded code -- confirm.
dword_F82048    dd 0                    ; DATA XREF: .data:00F8203F↑o
                                        ; .data:00F8209B↓r ...
                dd 0
dword_F82050    dd 0                    ; DATA XREF: .data:00F820B1↓r  -- called through at 00F820B1
dword_F82054    dd 0                    ; DATA XREF: .data:00F82092↓r  -- called through at 00F82098
                dd 0
                dd 0
byte_F82060     db 0                    ; DATA XREF: .data:00F82022↑r
dword_F82061    dd 0                    ; DATA XREF: .data:00F8202F↑w
                                        ; .data:00F8206C↓r ...

loc_F82065:                             ; CODE XREF: .data:00F82032↑j
                                        ; DATA XREF: .data:loc_F82034↑o
                ; Entered here when byte_F82060 == 1 and the second argument != 1.
                ; NOTE(review): loc_F82034 also hands out loc_F82065+1, i.e. the
                ; bytes from 0F82066h on may be executed with a different decoding
                ; (not shown in these notes) -- confirm.
                mov     eax, 23A5C0F8h
                push    eax             ; this copy stays on the stack until `pop ebx` at loc_F820B4
                push    eax             ; this copy is popped back into ebx just below
                add     eax, ss:(dword_F82061 - 0F82013h)[ebp]   ; eax = 23A5C0F8h + stored base
                pop     ebx             ; ebx = 23A5C0F8h
                test    eax, eax
                jz      short loc_F82090
                jmp     short loc_F82077   ; hops over the stray 0E8h byte at 00F82076


loc_F82077:                             ; CODE XREF: .data:00F82074↑j
                cmp     ebx, 23A5C0F8h  ; ebx was just reloaded with this value, so from loc_F82065 this always jumps;
                jz      short loc_F820B4   ; the call below is only reachable with ebx changed (e.g. another entry/decoding)
                xor     edx, edx
                push    esi             ; outer push/pop esi: esi survives the call
                push    0
                push    esi
                push    ss:(dword_F82061 - 0F82013h)[ebp]
                call    eax             ; eax = 23A5C0F8h + base; args (base, esi, 0) if the callee is a three-arg stdcall -- TODO confirm
                pop     esi
                cmp     esi, 0
                jnz     short loc_F820B4

loc_F82090:                             ; CODE XREF: .data:00F82072↑j
                xor     edx, edx
                mov     eax, ss:(dword_F82054 - 0F82013h)[ebp]
                test    eax, eax
                jz      short loc_F820A0   ; skip while the slot is still 0
                push    edx
                push    edx
                push    ss:(dword_F82048 - 0F82013h)[ebp]
                call    eax             ; [dword_F82054](dword_F82048, 0, 0); no caller cleanup, so stdcall is assumed -- confirm

loc_F820A0:                             ; CODE XREF: .data:00F82097↑j
                mov     eax, ss:(dword_F82048 - 0F82013h)[ebp]
                test    eax, eax
                jz      short loc_F820B4
                push    8000h           ; 8000h is MEM_RELEASE; (addr, 0, 8000h) is VirtualFree's argument shape -- presumably dword_F82050 holds that import, confirm
                push    0
                push    ss:(dword_F82048 - 0F82013h)[ebp]
                call    ss:(dword_F82050 - 0F82013h)[ebp]

loc_F820B4:                             ; CODE XREF: .data:00F8207D↑j
                                        ; .data:00F8208E↑j ...
                pop     ebx             ; the 23A5C0F8h copy pushed at loc_F82065 (non-zero), assuming the calls above were stdcall
                or      ebx, ebx        ; ZF = (ebx == 0); popa does not touch flags
                popa                    ; restore the caller's registers
                jnz     short loc_F820C0   ; taken for the non-zero value above
                push    1
                pop     eax             ; return 1
                retn    0Ch             ; pop three dword arguments

loc_F820C0:                             ; CODE XREF: .data:00F820B8↑j
                xor     eax, eax        ; eax = 0, CF = 0
                neg     eax             ; still 0, CF stays 0
                sbb     eax, eax        ; 0 - 0 - 0 = 0
                inc     eax             ; return 1 -- same result as the other arm, just obfuscated
                retn    0Ch