Author: smidgeonsoft

# Views: 76268

Printer Friendly ...

  0x41A416: XOR      EAX,EAX
  0x41A418: MOVZX    EAX,DWORD PTR [EAX]

  0x42836C: XOR      EBX,EBX
  0x42836E: MOV      EBX,DWORD PTR [EBX]

  0xF9CC21EB: ENTER    0x4ABB,0x1

  0x41B782: MOV      ESP,DWORD PTR [ESP+0x8]
  0x41B786: POP      DWORD PTR FS:[0x0]

  0x41F52B: ADD      DWORD PTR [ESP],0x9CA
  0x41F532: PUSH     DWORD PTR [DWORD PTR FS:[0x0]
  0x41F539: MOV      DWORD PTR FS:[0x0],ESP

  0x41C137: RDTSC
  0x41C139: SUB      EAX,DWORD PTR [ESP]
  0x41C13C: ADD      ESP,0x4
  0x41C13F: CMP      EAX,0x12345678
  0x41C144: JBE      0x41C14B
  0x41C146: JMP      0x42505E

  0x419A52: RDTSC
  0x419A54: PUSH     EAX
  0x419A55: CALL     0x419A5A
  0x419A5A: ADD      DWORD PTR [ESP],0x136F
  0x419A61: PUSH     DWORD PTR [DWORD PTR FS:[0x0]
  0x419A68 MOV      DWORD PTR FS:[0x0],ESP
  0x419A6F: JMP      0x419A76

  0x41CB83: CMP      BYTE PTR [EDI],0xCC
  0x41CB86: JNE      0x41CB91
  0x41CB88: XOR      ECX,ECX
  0x41CB8A: XOR      EDI,EDI
  0x41CB8C: JMP      0x419A52

Inside KERNEL32:
    OutputDebugStringA
    GetCommandLineA
    CreateFileA
    GetCurrentProcessId
    OpenProcess
    CreateThread
    LoadLibraryA

USER32
NTDLL

Inside USER32:
    MessageBoxA

Inside KERNEL32:
    SetUnhandledExceptionFilter
    DebugBreak

Inside NTDLL:
    NtQueryInformationProcess

Inside KERNEL32:
    GetModuleHandleA

  0x420A2B: ADD      ESP,0x4
  0x420A2E: POP      EAX
  0x420A2F: POP      ESI
  0x420A30: MOV      BYTE PTR [ESI+0xD],CL
  0x420A33: JMP      0x420A3A

  0x4213DA: CALL     0x4213E4
  0x4213DF: AND      EAX,0x732573
  0x4213E4: CALL     DWORD PTR [ESI+0x14]
  0x4213E7: JMP      0x4213EE

PID: 0x574 TID: 0x9CC %s%s

GetCommandLineA
CreateFileA

  0x424EF2: CMP      BYTE PTR [ESI+0xD],0x0
  0x424EF6: JNE      0x4190AB
  0x424EFC: JE       0x424F02

  0x424F05: CMP      BYTE PTR [ESI+0xE],0x0
  0x424F09: JNE      0x4190AB
  0x424F0F: CALL     0x424F1E

  0x424F23: ADD      ESP,0x8
  0x424F26: CMP      BYTE PTR [ESI+0xF],0x0
  0x424F2A: JNE      0x4190AB
  0x424F30: PUSH     EAX
  0x424F31: CALL     0x424F38
  0x424F36: SUB      DWORD PTR [EDX+0x58],EBX
  0x424F39: IMUL     EAX,EAX,0x3
  0x424F3C: CALL     0x424F43

  0x424F4D: EB01           JMP      0x424F50
  0x424F50: EB02           JMP      0x424F54
  0x424F54: EB01           JMP      0x424F57

  0x425024: SUB      DWORD PTR [ECX+0x39],EBX

  0x42505B: PUSH     0x9B10B5

  0x42505B: PUSH    0x405B76

  0x405B76: MOV      DWORD PTR [EAX],ECX

  0x425059: XOR      EAX,EAX

0x42505B: PUSH    0x405B76

  0x418EB0: MOV      EAX,0xF0417D5A
  0x418EB5: LEA      ECX,DWORD PTR [EAX+0x10001179]
  0x418EBB: MOV      DWORD PTR [ECX+0x1],EAX
  0x418EBE: MOV      EDX,DWORD PTR [ESP+0x4]
  0x418EC2: MOV      EDX,DWORD PTR [EDX+0xC]
  0x418EC5: MOV      BYTE PTR [EDX],0xE9
  0x418EC8: ADD      EDX,0x5
  0x418ECB: SUB      ECX,EDX
  0x418ECD: MOV      DWORD PTR [EDX-0x4],ECX
  0x418ED0: XOR      EAX,EAX
  0x418ED2: RET

  0x418ED3: MOV      EAX,0x12345678

  0x418EB0: MOV      EAX,0xF0417D5A

  0x405B76: MOV      DWORD PTR [EAX],ECX

  0x405B76: JMP      0x418ED3

NeoLite Executable File Compressor
Copyright (c) 1998,1999 NeoWorx Inc.
Portions Copyright (c) 1997-1999 Lee Hasiuk
All Rights Reserved

  0x418F7B: JMP      EAX

__try
{
	void *p = NULL
	*p = 0;
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
	ANTI-SINGLE-STEPPING MACRO
	... do some work ...
	ANTI-SINGLE-STEPPING MACRO
	... do some more work ...
	etc.
}