summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/exe-packer-notes.txt436
1 files changed, 436 insertions, 0 deletions
diff --git a/docs/exe-packer-notes.txt b/docs/exe-packer-notes.txt
new file mode 100644
index 0000000..d1a33a0
--- /dev/null
+++ b/docs/exe-packer-notes.txt
@@ -0,0 +1,436 @@
137491b1b85fdf3969c45e83aa2d205ed = md5(plus/Cronos.exe)
2
3dump -o 0x314f7b -4 -l 0x810 plus/Cronos.exe
4
50x100000000-0x1947A71E = 0xE6B858E2
6
7add 4C27824Bh
8sub 47878428h
9sub 1DE7A541h
10
11
12seg000:00401000 start proc near
13seg000:00401000 push offset loc_F82001
14seg000:00401005 call nullsub_1
15seg000:0040100A retn
16seg000:0040100B nullsub_1:
17seg000:0040100B retn
18
19.data:00F82001
20.data:00F82001 loc_F82001: ; DATA XREF: start↑o
21.data:00F82001 60 pusha
22.data:00F82002 E8 03 00 00 00 call loc_F8200A
23
24.data:00F82008 EB 04 jmp short loc_F8200E
25.data:00F8200A
26.data:00F8200A loc_F8200A: ; CODE XREF: .data:00F82002↑j
27.data:00F8200A 5D pop ebp
28.data:00F8200B 45 inc ebp
29.data:00F8200C 55 push ebp ; skips '0xE9' at 00F82007
30.data:00F8200D C3 retn
31.data:00F8200E
32.data:00F8200E loc_F8200E: ; CODE XREF: .data:00F82008↑j
33.data:00F8200E E8 01 00 00 00 call loc_F82014
34
35.data:00F82014
36.data:00F82014 loc_F82014: ; CODE XREF: .data:loc_F8200E↑j
37.data:00F82014 5D pop ebp
38.data:00F82015 BB ED FF FF FF mov ebx, -13h
39.data:00F8201A 03 DD add ebx, ebp ; -> ebx = 0xf82000
40.data:00F8201C 81 EB 00 20 B8 00 sub ebx, 0B82000h ; -> 0x400000
41.data:00F82022 80 7D 4D 01 cmp ss:(byte_F82060 - 0F82013h)[ebp], 1
42.data:00F82026 75 0C jnz short loc_F82034
43.data:00F82028 8B 74 24 28 mov esi, [esp+28h]
44.data:00F8202C 83 FE 01 cmp esi, 1
45.data:00F8202F 89 5D 4E mov ss:(dword_F82061 - 0F82013h)[ebp], ebx
46.data:00F82032 75 31 jnz short loc_F82065
47.data:00F82034
48.data:00F82034 loc_F82034: ; CODE XREF: .data:00F82026↑j
49.data:00F82034 8D 45 53 lea eax, (loc_F82065+1 - 0F82013h)[ebp]
50.data:00F82037 50 push eax
51.data:00F82038 53 push ebx
52.data:00F82039 FF B5 E9 09 00 00 push ss:(GetModuleHandleA - 0F82013h)[ebp]
53.data:00F8203F 8D 45 35 lea eax, (dword_F82048 - 0F82013h)[ebp]
54.data:00F82042 50 push eax
55.data:00F82043 E9 82 00 00 00 jmp loc_F820CA
56
57.data:00F820CA
58.data:00F820CA loc_F820CA: ; CODE XREF: .data:00F82043↑j
59.data:00F820CA 66 8B F8 mov di, ax ; ----- ignore
60.data:00F820CD E8 13 00 00 00 call loc_F820E5
61
62.data:00F820E5
63.data:00F820E5 loc_F820E5: ; CODE XREF: .data:00F820CD↑p
64.data:00F820E5 E9 0D 00 00 00 jmp loc_F820F7
65
66.data:00F820F7
67.data:00F820F7 loc_F820F7: ; CODE XREF: .data:loc_F820E5↑j
68.data:00F820F7 59 pop ecx ; -> 00F820D2
69.data:00F820F8 66 8B D6 mov dx, si ; ----------- ignore
70.data:00F820FB
71.data:00F820FB loc_F820FB: ; CODE XREF: .data:00F8211A↓j
72.data:00F820FB 81 C1 AF 08 00 00 add ecx, 8AFh ; -> 00F82981
73.data:00F82101 68 FF 01 00 00 push 1FFh
74.data:00F82106 58 pop eax
75.data:00F82107 E8 14 00 00 00 call loc_F82120 ; ecx = ptr = caller+0x8af, eax = size = 0x1ff
76.data:00F82107 ;
77.data:00F82107 ; caller = 00F820D2 -> data is at 00F82981
78.data:00F82107 ;
79.data:00F82107 ; 00F82185-00F82981 file: 00315781
80
81
82.data:00F82120
83.data:00F82120 loc_F82120: ; CODE XREF: .data:00F82107↑p
84.data:00F82120 5A pop edx ; -> 00F8210C
85.data:00F82121
86.data:00F82121 loc_F82121: ; CODE XREF: .data:loc_F82176↓j
87.data:00F82121 8B 19 mov ebx, [ecx]
88.data:00F82123 0F BF F1 movsx esi, cx ; ----- ignore
89.data:00F82126 81 C3 4B 82 27 4C add ebx, 4C27824Bh
90.data:00F8212C 81 EB 28 84 87 47 sub ebx, 47878428h
91.data:00F82132 0F B7 D2 movzx edx, dx ; ----- ignore
92.data:00F82135 81 EB 41 A5 E7 1D sub ebx, 1DE7A541h ; -0x627F3C40
93.data:00F8213B 66 81 E2 D5 9C and dx, 9CD5h ; ----- ignore
94.data:00F82140 89 19 mov [ecx], ebx
95.data:00F82142 80 D2 B7 adc dl, 0B7h ; '·' ; ----- ignore
96.data:00F82145 81 E9 8D 91 24 67 sub ecx, 6724918Dh
97.data:00F8214B 66 8B F1 mov si, cx ; ----- ignore
98.data:00F8214E 81 C1 89 91 24 67 add ecx, 67249189h ; -4
99.data:00F82154 0F BF F8 movsx edi, ax ; ----- ignore
100.data:00F82157 83 E8 01 sub eax, 1
101.data:00F8215A 0F 85 0E 00 00 00 jnz loc_F8216E
102.data:00F82160 8B D0 mov edx, eax
103.data:00F82162 E9 22 00 00 00 jmp near ptr unk_F82189
104
105.data:00F8216E
106.data:00F8216E loc_F8216E: ; CODE XREF: .data:00F8215A↑j
107.data:00F8216E 0F 80 02 00 00 00 jo loc_F82176
108.data:00F82174 53 push ebx
109.data:00F82175 5E pop esi
110.data:00F82176
111.data:00F82176 loc_F82176: ; CODE XREF: .data:loc_F8216E↑j
112.data:00F82176 E9 A6 FF FF FF jmp loc_F82121
113
114
115.data:00F82048 00 00 00 00 dword_F82048 dd 0 ; DATA XREF: .data:00F8203F↑o
116.data:00F82048 ; .data:00F8209B↓r ...
117.data:00F8204C 00 00 00 00 dd 0
118.data:00F82050 00 00 00 00 dword_F82050 dd 0 ; DATA XREF: .data:00F820B1↓r
119.data:00F82054 00 00 00 00 dword_F82054 dd 0 ; DATA XREF: .data:00F82092↓r
120.data:00F82058 00 00 00 00 dd 0
121.data:00F8205C 00 00 00 00 dd 0
122.data:00F82060 00 byte_F82060 db 0 ; DATA XREF: .data:00F82022↑r
123.data:00F82061 00 00 00 00 dword_F82061 dd 0 ; DATA XREF: .data:00F8202F↑w
124.data:00F82061 ; .data:00F8206C↓r ...
125.data:00F82065
126.data:00F82065 loc_F82065: ; CODE XREF: .data:00F82032↑j
127.data:00F82065 ; DATA XREF: .data:loc_F82034↑o
128.data:00F82065 B8 F8 C0 A5 23 mov eax, 23A5C0F8h
129.data:00F8206A 50 push eax
130.data:00F8206B 50 push eax
131.data:00F8206C 03 45 4E add eax, ss:(dword_F82061 - 0F82013h)[ebp]
132.data:00F8206F 5B pop ebx
133.data:00F82070 85 C0 test eax, eax
134.data:00F82072 74 1C jz short loc_F82090
135.data:00F82074 EB 01 jmp short loc_F82077
136
137.data:00F82077
138.data:00F82077 loc_F82077: ; CODE XREF: .data:00F82074↑j
139.data:00F82077 81 FB F8 C0 A5 23 cmp ebx, 23A5C0F8h
140.data:00F8207D 74 35 jz short loc_F820B4
141.data:00F8207F 33 D2 xor edx, edx
142.data:00F82081 56 push esi
143.data:00F82082 6A 00 push 0
144.data:00F82084 56 push esi
145.data:00F82085 FF 75 4E push ss:(dword_F82061 - 0F82013h)[ebp]
146.data:00F82088 FF D0 call eax
147.data:00F8208A 5E pop esi
148.data:00F8208B 83 FE 00 cmp esi, 0
149.data:00F8208E 75 24 jnz short loc_F820B4
150.data:00F82090
151.data:00F82090 loc_F82090: ; CODE XREF: .data:00F82072↑j
152.data:00F82090 33 D2 xor edx, edx
153.data:00F82092 8B 45 41 mov eax, ss:(dword_F82054 - 0F82013h)[ebp]
154.data:00F82095 85 C0 test eax, eax
155.data:00F82097 74 07 jz short loc_F820A0
156.data:00F82099 52 push edx
157.data:00F8209A 52 push edx
158.data:00F8209B FF 75 35 push ss:(dword_F82048 - 0F82013h)[ebp]
159.data:00F8209E FF D0 call eax
160.data:00F820A0
161.data:00F820A0 loc_F820A0: ; CODE XREF: .data:00F82097↑j
162.data:00F820A0 8B 45 35 mov eax, ss:(dword_F82048 - 0F82013h)[ebp]
163.data:00F820A3 85 C0 test eax, eax
164.data:00F820A5 74 0D jz short loc_F820B4
165.data:00F820A7 68 00 80 00 00 push 8000h
166.data:00F820AC 6A 00 push 0
167.data:00F820AE FF 75 35 push ss:(dword_F82048 - 0F82013h)[ebp]
168.data:00F820B1 FF 55 3D call ss:(dword_F82050 - 0F82013h)[ebp]
169.data:00F820B4
170.data:00F820B4 loc_F820B4: ; CODE XREF: .data:00F8207D↑j
171.data:00F820B4 ; .data:00F8208E↑j ...
172.data:00F820B4 5B pop ebx
173.data:00F820B5 0B DB or ebx, ebx
174.data:00F820B7 61 popa
175.data:00F820B8 75 06 jnz short loc_F820C0
176.data:00F820BA 6A 01 push 1
177.data:00F820BC 58 pop eax
178.data:00F820BD C2 0C 00 retn 0Ch
179.data:00F820C0
180.data:00F820C0 loc_F820C0: ; CODE XREF: .data:00F820B8↑j
181.data:00F820C0 33 C0 xor eax, eax
182.data:00F820C2 F7 D8 neg eax
183.data:00F820C4 1B C0 sbb eax, eax
184.data:00F820C6 40 inc eax
185.data:00F820C7 C2 0C 00 retn 0Ch
186
187
188
189
190.data:00F82007 E9 db 0E9h ; é
191
192.data:00F82013 EB db 0EBh ; ë
193
194.data:00F82076 E8 db 0E8h ; è
195
196
197.data:00F820D2 1F db 1Fh
198.data:00F820D3 6C db 6Ch ; l
199.data:00F820D4 35 db 35h ; 5
200.data:00F820D5 CA db 0CAh ; Ê
201.data:00F820D6 3B db 3Bh ; ;
202.data:00F820D7 58 db 58h ; X
203.data:00F820D8 B1 db 0B1h ; ±
204.data:00F820D9 96 db 96h ; –
205.data:00F820DA 17 db 17h
206.data:00F820DB 04 db 4
207.data:00F820DC ED db 0EDh ; í
208.data:00F820DD 22 db 22h ; "
209.data:00F820DE B3 db 0B3h ; ³
210.data:00F820DF 70 db 70h ; p
211.data:00F820E0 E9 db 0E9h ; é
212.data:00F820E1 6E db 6Eh ; n
213.data:00F820E2 0F db 0Fh
214.data:00F820E3 9C db 9Ch ; œ
215.data:00F820E4 A5 db 0A5h ; ¥
216
217
218
219.data:00F820EA 21 db 21h ; !
220.data:00F820EB 46 db 46h ; F
221.data:00F820EC 07 db 7
222.data:00F820ED 34 db 34h ; 4
223.data:00F820EE 5D db 5Dh ; ]
224.data:00F820EF D2 db 0D2h ; Ò
225.data:00F820F0 A3 db 0A3h ; £
226.data:00F820F1 A0 db 0A0h ;  
227.data:00F820F2 59 db 59h ; Y
228.data:00F820F3 1E db 1Eh
229.data:00F820F4 FF db 0FFh ; ÿ
230.data:00F820F5 CC db 0CCh ; Ì
231.data:00F820F6 15 db 15h
232
233
234.data:00F8210C FC db 0FCh ; ü
235.data:00F8210D 85 db 85h ; …
236.data:00F8210E DA db 0DAh ; Ú
237.data:00F8210F 0B db 0Bh
238.data:00F82110 E8 db 0E8h ; è
239.data:00F82111 01 db 1
240.data:00F82112 A6 db 0A6h ; ¦
241.data:00F82113 E7 db 0E7h ; ç
242.data:00F82114 94 db 94h ; ”
243.data:00F82115 3D db 3Dh ; =
244.data:00F82116 32 db 32h ; 2
245.data:00F82117 83 db 83h ; ƒ
246.data:00F82118 00 db 0
247.data:00F82119 39 db 39h ; 9
248.data:00F8211A 7E db 7Eh ; ~
249.data:00F8211B DF db 0DFh ; ß
250.data:00F8211C 2C db 2Ch ; ,
251.data:00F8211D F5 db 0F5h ; õ
252.data:00F8211E 8A db 8Ah ; Š
253.data:00F8211F FB db 0FBh ; û
254
255
256
257.data:00F82167 43 db 43h ; C
258.data:00F82168 C0 db 0C0h ; À
259.data:00F82169 F9 db 0F9h ; ù
260.data:00F8216A 3E db 3Eh ; >
261.data:00F8216B 9F db 9Fh ; Ÿ
262.data:00F8216C EC db 0ECh ; ì
263.data:00F8216D B5 db 0B5h ; µ
264
265.data:00F8217B EE db 0EEh ; î
266.data:00F8217C 8F db 8Fh
267.data:00F8217D 1C db 1Ch
268.data:00F8217E 25 db 25h ; %
269.data:00F8217F FA db 0FAh ; ú
270.data:00F82180 AB db 0ABh ; «
271.data:00F82181 08 db 8
272.data:00F82182 A1 db 0A1h ; ¡
273.data:00F82183 C6 db 0C6h ; Æ
274.data:00F82184 87 db 87h ; ‡
275.data:00F82185 B4 db 0B4h ; ´
276.data:00F82186 DD db 0DDh ; Ý
277.data:00F82187 52 db 52h ; R
278.data:00F82188 23 db 23h ; #
279.data:00F82189 84 unk_F82189 db 84h ; „ ; CODE XREF: .data:00F82162↑j
280.data:00F8218A 28 db 28h ; (
281
282
283
284
285----------------
286wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow);
287
288[esp+2c] arg: pCmdLine
289[esp+28] arg: nCmdShow
290[esp+24] caller address
291[esp+20] EAX
292[esp+1c] ECX
293[esp+18] EDX
294[esp+14] EBX
295[esp+10] ESP == esp+20
296[esp+c] EBP
297[esp+8] ESI
298[esp+4] EDI
299[esp]
300
301
302loc_F82001: ; DATA XREF: start↑o
303 pusha
304 call loc_F82014
305loc_F82014: ; CODE XREF: .data:loc_F8200E↑j
306 pop ebp
307 mov ebx, -13h
308 add ebx, ebp ; -> ebx = 0xf82000
309 sub ebx, 0B82000h ; -> 0x400000
310 cmp ss:(byte_F82060 - 0F82013h)[ebp], 1
311 jnz short loc_F82034
312 mov esi, [esp+28h]
313 cmp esi, 1
314 mov ss:(dword_F82061 - 0F82013h)[ebp], ebx
315 jnz short loc_F82065
316
317loc_F82034: ; CODE XREF: .data:00F82026↑j
318 lea eax, (loc_F82065+1 - 0F82013h)[ebp]
319 push eax
320 push ebx
321 push ss:(GetModuleHandleA - 0F82013h)[ebp]
322 lea eax, (dword_F82048 - 0F82013h)[ebp]
323 push eax
324
325 lea ecx, 00F820D2h
326 add ecx, 8AFh ; -> 00F82981
327 push 1FFh
328 pop eax
329 ; ecx = ptr = caller+0x8af, eax = size = 0x1ff
330 ;
331 ; caller = 00F820D2 -> data is at 00F82981
332 ;
333 ; 00F82185-00F82981 file: 00315781
334
335 lea edx, 00F8210Ch
336
337loc_F82121: ; CODE XREF: .data:loc_F82176↓j
338 mov ebx, [ecx]
339 add ebx, 4C27824Bh
340 sub ebx, 47878428h
341 sub ebx, 1DE7A541h ; -0x627F3C40
342 mov [ecx], ebx
343 sub ecx, 6724918Dh
344 add ecx, 67249189h ; -4
345 sub eax, 1
346 jnz loc_F8216E
347 mov edx, eax
348 jmp near ptr unk_F82189
349
350
351loc_F8216E: ; CODE XREF: .data:00F8215A↑j
352 jo loc_F82176
353 push ebx
354 pop esi
355
356loc_F82176: ; CODE XREF: .data:loc_F8216E↑j
357 jmp loc_F82121
358
359
360
361
362dword_F82048 dd 0 ; DATA XREF: .data:00F8203F↑o
363 ; .data:00F8209B↓r ...
364 dd 0
365dword_F82050 dd 0 ; DATA XREF: .data:00F820B1↓r
366dword_F82054 dd 0 ; DATA XREF: .data:00F82092↓r
367 dd 0
368 dd 0
369byte_F82060 db 0 ; DATA XREF: .data:00F82022↑r
370dword_F82061 dd 0 ; DATA XREF: .data:00F8202F↑w
371 ; .data:00F8206C↓r ...
372
373loc_F82065: ; CODE XREF: .data:00F82032↑j
374 ; DATA XREF: .data:loc_F82034↑o
375 mov eax, 23A5C0F8h
376 push eax
377 push eax
378 add eax, ss:(dword_F82061 - 0F82013h)[ebp]
379 pop ebx
380 test eax, eax
381 jz short loc_F82090
382 jmp short loc_F82077
383
384
385loc_F82077: ; CODE XREF: .data:00F82074↑j
386 cmp ebx, 23A5C0F8h
387 jz short loc_F820B4
388 xor edx, edx
389 push esi
390 push 0
391 push esi
392 push ss:(dword_F82061 - 0F82013h)[ebp]
393 call eax
394 pop esi
395 cmp esi, 0
396 jnz short loc_F820B4
397
398loc_F82090: ; CODE XREF: .data:00F82072↑j
399 xor edx, edx
400 mov eax, ss:(dword_F82054 - 0F82013h)[ebp]
401 test eax, eax
402 jz short loc_F820A0
403 push edx
404 push edx
405 push ss:(dword_F82048 - 0F82013h)[ebp]
406 call eax
407
408loc_F820A0: ; CODE XREF: .data:00F82097↑j
409 mov eax, ss:(dword_F82048 - 0F82013h)[ebp]
410 test eax, eax
411 jz short loc_F820B4
412 push 8000h
413 push 0
414 push ss:(dword_F82048 - 0F82013h)[ebp]
415 call ss:(dword_F82050 - 0F82013h)[ebp]
416
417loc_F820B4: ; CODE XREF: .data:00F8207D↑j
418 ; .data:00F8208E↑j ...
419 pop ebx
420 or ebx, ebx
421 popa
422 jnz short loc_F820C0
423 push 1
424 pop eax
425 retn 0Ch
426
427loc_F820C0: ; CODE XREF: .data:00F820B8↑j
428 xor eax, eax
429 neg eax
430 sbb eax, eax
431 inc eax
432 retn 0Ch
433
434
435
436
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-28 09:10:23 +0000