From a9886b9d52c3bce0a4b58805b5597efccc55225a Mon Sep 17 00:00:00 2001
From: itsme
Date: Tue, 6 Jul 2021 19:26:42 +0200
Subject: initial commit
---
docs/exe-packer-notes.txt | 436 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 436 insertions(+)
create mode 100644 docs/exe-packer-notes.txt
(limited to 'docs')
diff --git a/docs/exe-packer-notes.txt b/docs/exe-packer-notes.txt
new file mode 100644
index 0000000..d1a33a0
--- /dev/null
+++ b/docs/exe-packer-notes.txt
@@ -0,0 +1,436 @@
+37491b1b85fdf3969c45e83aa2d205ed = md5(plus/Cronos.exe)
+
+dump -o 0x314f7b -4 -l 0x810 plus/Cronos.exe
+
+0x100000000-0x1947A71E = 0xE6B858E2
+
+add 4C27824Bh
+sub 47878428h
+sub 1DE7A541h
+
+
+seg000:00401000 start proc near
+seg000:00401000 push offset loc_F82001
+seg000:00401005 call nullsub_1
+seg000:0040100A retn
+seg000:0040100B nullsub_1:
+seg000:0040100B retn
+
+.data:00F82001
+.data:00F82001 loc_F82001: ; DATA XREF: start↑o
+.data:00F82001 60 pusha
+.data:00F82002 E8 03 00 00 00 call loc_F8200A
+
+.data:00F82008 EB 04 jmp short loc_F8200E
+.data:00F8200A
+.data:00F8200A loc_F8200A: ; CODE XREF: .data:00F82002↑j
+.data:00F8200A 5D pop ebp
+.data:00F8200B 45 inc ebp
+.data:00F8200C 55 push ebp ; skips '0xE9' at 00F82007
+.data:00F8200D C3 retn
+.data:00F8200E
+.data:00F8200E loc_F8200E: ; CODE XREF: .data:00F82008↑j
+.data:00F8200E E8 01 00 00 00 call loc_F82014
+
+.data:00F82014
+.data:00F82014 loc_F82014: ; CODE XREF: .data:loc_F8200E↑j
+.data:00F82014 5D pop ebp
+.data:00F82015 BB ED FF FF FF mov ebx, -13h
+.data:00F8201A 03 DD add ebx, ebp ; -> ebx = 0xf82000
+.data:00F8201C 81 EB 00 20 B8 00 sub ebx, 0B82000h ; -> 0x400000
+.data:00F82022 80 7D 4D 01 cmp ss:(byte_F82060 - 0F82013h)[ebp], 1
+.data:00F82026 75 0C jnz short loc_F82034
+.data:00F82028 8B 74 24 28 mov esi, [esp+28h]
+.data:00F8202C 83 FE 01 cmp esi, 1
+.data:00F8202F 89 5D 4E mov ss:(dword_F82061 - 0F82013h)[ebp], ebx
+.data:00F82032 75 31 jnz short loc_F82065
+.data:00F82034
+.data:00F82034 loc_F82034: ; CODE XREF: .data:00F82026↑j
+.data:00F82034 8D 45 53 lea eax, (loc_F82065+1 - 0F82013h)[ebp]
+.data:00F82037 50 push eax
+.data:00F82038 53 push ebx
+.data:00F82039 FF B5 E9 09 00 00 push ss:(GetModuleHandleA - 0F82013h)[ebp]
+.data:00F8203F 8D 45 35 lea eax, (dword_F82048 - 0F82013h)[ebp]
+.data:00F82042 50 push eax
+.data:00F82043 E9 82 00 00 00 jmp loc_F820CA
+
+.data:00F820CA
+.data:00F820CA loc_F820CA: ; CODE XREF: .data:00F82043↑j
+.data:00F820CA 66 8B F8 mov di, ax ; ----- ignore
+.data:00F820CD E8 13 00 00 00 call loc_F820E5
+
+.data:00F820E5
+.data:00F820E5 loc_F820E5: ; CODE XREF: .data:00F820CD↑p
+.data:00F820E5 E9 0D 00 00 00 jmp loc_F820F7
+
+.data:00F820F7
+.data:00F820F7 loc_F820F7: ; CODE XREF: .data:loc_F820E5↑j
+.data:00F820F7 59 pop ecx ; -> 00F820D2
+.data:00F820F8 66 8B D6 mov dx, si ; ----------- ignore
+.data:00F820FB
+.data:00F820FB loc_F820FB: ; CODE XREF: .data:00F8211A↓j
+.data:00F820FB 81 C1 AF 08 00 00 add ecx, 8AFh ; -> 00F82981
+.data:00F82101 68 FF 01 00 00 push 1FFh
+.data:00F82106 58 pop eax
+.data:00F82107 E8 14 00 00 00 call loc_F82120 ; ecx = ptr = caller+0x8af, eax = size = 0x1ff
+.data:00F82107 ;
+.data:00F82107 ; caller = 00F820D2 -> data is at 00F82981
+.data:00F82107 ;
+.data:00F82107 ; 00F82185-00F82981 file: 00315781
+
+
+.data:00F82120
+.data:00F82120 loc_F82120: ; CODE XREF: .data:00F82107↑p
+.data:00F82120 5A pop edx ; -> 00F8210C
+.data:00F82121
+.data:00F82121 loc_F82121: ; CODE XREF: .data:loc_F82176↓j
+.data:00F82121 8B 19 mov ebx, [ecx]
+.data:00F82123 0F BF F1 movsx esi, cx ; ----- ignore
+.data:00F82126 81 C3 4B 82 27 4C add ebx, 4C27824Bh
+.data:00F8212C 81 EB 28 84 87 47 sub ebx, 47878428h
+.data:00F82132 0F B7 D2 movzx edx, dx ; ----- ignore
+.data:00F82135 81 EB 41 A5 E7 1D sub ebx, 1DE7A541h ; -0x627F3C40
+.data:00F8213B 66 81 E2 D5 9C and dx, 9CD5h ; ----- ignore
+.data:00F82140 89 19 mov [ecx], ebx
+.data:00F82142 80 D2 B7 adc dl, 0B7h ; '·' ; ----- ignore
+.data:00F82145 81 E9 8D 91 24 67 sub ecx, 6724918Dh
+.data:00F8214B 66 8B F1 mov si, cx ; ----- ignore
+.data:00F8214E 81 C1 89 91 24 67 add ecx, 67249189h ; -4
+.data:00F82154 0F BF F8 movsx edi, ax ; ----- ignore
+.data:00F82157 83 E8 01 sub eax, 1
+.data:00F8215A 0F 85 0E 00 00 00 jnz loc_F8216E
+.data:00F82160 8B D0 mov edx, eax
+.data:00F82162 E9 22 00 00 00 jmp near ptr unk_F82189
+
+.data:00F8216E
+.data:00F8216E loc_F8216E: ; CODE XREF: .data:00F8215A↑j
+.data:00F8216E 0F 80 02 00 00 00 jo loc_F82176
+.data:00F82174 53 push ebx
+.data:00F82175 5E pop esi
+.data:00F82176
+.data:00F82176 loc_F82176: ; CODE XREF: .data:loc_F8216E↑j
+.data:00F82176 E9 A6 FF FF FF jmp loc_F82121
+
+
+.data:00F82048 00 00 00 00 dword_F82048 dd 0 ; DATA XREF: .data:00F8203F↑o
+.data:00F82048 ; .data:00F8209B↓r ...
+.data:00F8204C 00 00 00 00 dd 0
+.data:00F82050 00 00 00 00 dword_F82050 dd 0 ; DATA XREF: .data:00F820B1↓r
+.data:00F82054 00 00 00 00 dword_F82054 dd 0 ; DATA XREF: .data:00F82092↓r
+.data:00F82058 00 00 00 00 dd 0
+.data:00F8205C 00 00 00 00 dd 0
+.data:00F82060 00 byte_F82060 db 0 ; DATA XREF: .data:00F82022↑r
+.data:00F82061 00 00 00 00 dword_F82061 dd 0 ; DATA XREF: .data:00F8202F↑w
+.data:00F82061 ; .data:00F8206C↓r ...
+.data:00F82065
+.data:00F82065 loc_F82065: ; CODE XREF: .data:00F82032↑j
+.data:00F82065 ; DATA XREF: .data:loc_F82034↑o
+.data:00F82065 B8 F8 C0 A5 23 mov eax, 23A5C0F8h
+.data:00F8206A 50 push eax
+.data:00F8206B 50 push eax
+.data:00F8206C 03 45 4E add eax, ss:(dword_F82061 - 0F82013h)[ebp]
+.data:00F8206F 5B pop ebx
+.data:00F82070 85 C0 test eax, eax
+.data:00F82072 74 1C jz short loc_F82090
+.data:00F82074 EB 01 jmp short loc_F82077
+
+.data:00F82077
+.data:00F82077 loc_F82077: ; CODE XREF: .data:00F82074↑j
+.data:00F82077 81 FB F8 C0 A5 23 cmp ebx, 23A5C0F8h
+.data:00F8207D 74 35 jz short loc_F820B4
+.data:00F8207F 33 D2 xor edx, edx
+.data:00F82081 56 push esi
+.data:00F82082 6A 00 push 0
+.data:00F82084 56 push esi
+.data:00F82085 FF 75 4E push ss:(dword_F82061 - 0F82013h)[ebp]
+.data:00F82088 FF D0 call eax
+.data:00F8208A 5E pop esi
+.data:00F8208B 83 FE 00 cmp esi, 0
+.data:00F8208E 75 24 jnz short loc_F820B4
+.data:00F82090
+.data:00F82090 loc_F82090: ; CODE XREF: .data:00F82072↑j
+.data:00F82090 33 D2 xor edx, edx
+.data:00F82092 8B 45 41 mov eax, ss:(dword_F82054 - 0F82013h)[ebp]
+.data:00F82095 85 C0 test eax, eax
+.data:00F82097 74 07 jz short loc_F820A0
+.data:00F82099 52 push edx
+.data:00F8209A 52 push edx
+.data:00F8209B FF 75 35 push ss:(dword_F82048 - 0F82013h)[ebp]
+.data:00F8209E FF D0 call eax
+.data:00F820A0
+.data:00F820A0 loc_F820A0: ; CODE XREF: .data:00F82097↑j
+.data:00F820A0 8B 45 35 mov eax, ss:(dword_F82048 - 0F82013h)[ebp]
+.data:00F820A3 85 C0 test eax, eax
+.data:00F820A5 74 0D jz short loc_F820B4
+.data:00F820A7 68 00 80 00 00 push 8000h
+.data:00F820AC 6A 00 push 0
+.data:00F820AE FF 75 35 push ss:(dword_F82048 - 0F82013h)[ebp]
+.data:00F820B1 FF 55 3D call ss:(dword_F82050 - 0F82013h)[ebp]
+.data:00F820B4
+.data:00F820B4 loc_F820B4: ; CODE XREF: .data:00F8207D↑j
+.data:00F820B4 ; .data:00F8208E↑j ...
+.data:00F820B4 5B pop ebx
+.data:00F820B5 0B DB or ebx, ebx
+.data:00F820B7 61 popa
+.data:00F820B8 75 06 jnz short loc_F820C0
+.data:00F820BA 6A 01 push 1
+.data:00F820BC 58 pop eax
+.data:00F820BD C2 0C 00 retn 0Ch
+.data:00F820C0
+.data:00F820C0 loc_F820C0: ; CODE XREF: .data:00F820B8↑j
+.data:00F820C0 33 C0 xor eax, eax
+.data:00F820C2 F7 D8 neg eax
+.data:00F820C4 1B C0 sbb eax, eax
+.data:00F820C6 40 inc eax
+.data:00F820C7 C2 0C 00 retn 0Ch
+
+
+
+
+.data:00F82007 E9 db 0E9h ; é
+
+.data:00F82013 EB db 0EBh ; ë
+
+.data:00F82076 E8 db 0E8h ; è
+
+
+.data:00F820D2 1F db 1Fh
+.data:00F820D3 6C db 6Ch ; l
+.data:00F820D4 35 db 35h ; 5
+.data:00F820D5 CA db 0CAh ; Ê
+.data:00F820D6 3B db 3Bh ; ;
+.data:00F820D7 58 db 58h ; X
+.data:00F820D8 B1 db 0B1h ; ±
+.data:00F820D9 96 db 96h ; –
+.data:00F820DA 17 db 17h
+.data:00F820DB 04 db 4
+.data:00F820DC ED db 0EDh ; í
+.data:00F820DD 22 db 22h ; "
+.data:00F820DE B3 db 0B3h ; ³
+.data:00F820DF 70 db 70h ; p
+.data:00F820E0 E9 db 0E9h ; é
+.data:00F820E1 6E db 6Eh ; n
+.data:00F820E2 0F db 0Fh
+.data:00F820E3 9C db 9Ch ; œ
+.data:00F820E4 A5 db 0A5h ; ¥
+
+
+
+.data:00F820EA 21 db 21h ; !
+.data:00F820EB 46 db 46h ; F
+.data:00F820EC 07 db 7
+.data:00F820ED 34 db 34h ; 4
+.data:00F820EE 5D db 5Dh ; ]
+.data:00F820EF D2 db 0D2h ; Ò
+.data:00F820F0 A3 db 0A3h ; £
+.data:00F820F1 A0 db 0A0h ;  
+.data:00F820F2 59 db 59h ; Y
+.data:00F820F3 1E db 1Eh
+.data:00F820F4 FF db 0FFh ; ÿ
+.data:00F820F5 CC db 0CCh ; Ì
+.data:00F820F6 15 db 15h
+
+
+.data:00F8210C FC db 0FCh ; ü
+.data:00F8210D 85 db 85h ; …
+.data:00F8210E DA db 0DAh ; Ú
+.data:00F8210F 0B db 0Bh
+.data:00F82110 E8 db 0E8h ; è
+.data:00F82111 01 db 1
+.data:00F82112 A6 db 0A6h ; ¦
+.data:00F82113 E7 db 0E7h ; ç
+.data:00F82114 94 db 94h ; ”
+.data:00F82115 3D db 3Dh ; =
+.data:00F82116 32 db 32h ; 2
+.data:00F82117 83 db 83h ; ƒ
+.data:00F82118 00 db 0
+.data:00F82119 39 db 39h ; 9
+.data:00F8211A 7E db 7Eh ; ~
+.data:00F8211B DF db 0DFh ; ß
+.data:00F8211C 2C db 2Ch ; ,
+.data:00F8211D F5 db 0F5h ; õ
+.data:00F8211E 8A db 8Ah ; Š
+.data:00F8211F FB db 0FBh ; û
+
+
+
+.data:00F82167 43 db 43h ; C
+.data:00F82168 C0 db 0C0h ; À
+.data:00F82169 F9 db 0F9h ; ù
+.data:00F8216A 3E db 3Eh ; >
+.data:00F8216B 9F db 9Fh ; Ÿ
+.data:00F8216C EC db 0ECh ; ì
+.data:00F8216D B5 db 0B5h ; µ
+
+.data:00F8217B EE db 0EEh ; î
+.data:00F8217C 8F db 8Fh
+.data:00F8217D 1C db 1Ch
+.data:00F8217E 25 db 25h ; %
+.data:00F8217F FA db 0FAh ; ú
+.data:00F82180 AB db 0ABh ; «
+.data:00F82181 08 db 8
+.data:00F82182 A1 db 0A1h ; ¡
+.data:00F82183 C6 db 0C6h ; Æ
+.data:00F82184 87 db 87h ; ‡
+.data:00F82185 B4 db 0B4h ; ´
+.data:00F82186 DD db 0DDh ; Ý
+.data:00F82187 52 db 52h ; R
+.data:00F82188 23 db 23h ; #
+.data:00F82189 84 unk_F82189 db 84h ; „ ; CODE XREF: .data:00F82162↑j
+.data:00F8218A 28 db 28h ; (
+
+
+
+
+----------------
+wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow);
+
+[esp+2c] arg: pCmdLine
+[esp+28] arg: nCmdShow
+[esp+24] caller address
+[esp+20] EAX
+[esp+1c] ECX
+[esp+18] EDX
+[esp+14] EBX
+[esp+10] ESP == esp+20
+[esp+c] EBP
+[esp+8] ESI
+[esp+4] EDI
+[esp]
+
+
+loc_F82001: ; DATA XREF: start↑o
+ pusha
+ call loc_F82014
+loc_F82014: ; CODE XREF: .data:loc_F8200E↑j
+ pop ebp
+ mov ebx, -13h
+ add ebx, ebp ; -> ebx = 0xf82000
+ sub ebx, 0B82000h ; -> 0x400000
+ cmp ss:(byte_F82060 - 0F82013h)[ebp], 1
+ jnz short loc_F82034
+ mov esi, [esp+28h]
+ cmp esi, 1
+ mov ss:(dword_F82061 - 0F82013h)[ebp], ebx
+ jnz short loc_F82065
+
+loc_F82034: ; CODE XREF: .data:00F82026↑j
+ lea eax, (loc_F82065+1 - 0F82013h)[ebp]
+ push eax
+ push ebx
+ push ss:(GetModuleHandleA - 0F82013h)[ebp]
+ lea eax, (dword_F82048 - 0F82013h)[ebp]
+ push eax
+
+ lea ecx, 00F820D2h
+ add ecx, 8AFh ; -> 00F82981
+ push 1FFh
+ pop eax
+ ; ecx = ptr = caller+0x8af, eax = size = 0x1ff
+ ;
+ ; caller = 00F820D2 -> data is at 00F82981
+ ;
+ ; 00F82185-00F82981 file: 00315781
+
+ lea edx, 00F8210Ch
+
+loc_F82121: ; CODE XREF: .data:loc_F82176↓j
+ mov ebx, [ecx]
+ add ebx, 4C27824Bh
+ sub ebx, 47878428h
+ sub ebx, 1DE7A541h ; -0x627F3C40
+ mov [ecx], ebx
+ sub ecx, 6724918Dh
+ add ecx, 67249189h ; -4
+ sub eax, 1
+ jnz loc_F8216E
+ mov edx, eax
+ jmp near ptr unk_F82189
+
+
+loc_F8216E: ; CODE XREF: .data:00F8215A↑j
+ jo loc_F82176
+ push ebx
+ pop esi
+
+loc_F82176: ; CODE XREF: .data:loc_F8216E↑j
+ jmp loc_F82121
+
+
+
+
+dword_F82048 dd 0 ; DATA XREF: .data:00F8203F↑o
+ ; .data:00F8209B↓r ...
+ dd 0
+dword_F82050 dd 0 ; DATA XREF: .data:00F820B1↓r
+dword_F82054 dd 0 ; DATA XREF: .data:00F82092↓r
+ dd 0
+ dd 0
+byte_F82060 db 0 ; DATA XREF: .data:00F82022↑r
+dword_F82061 dd 0 ; DATA XREF: .data:00F8202F↑w
+ ; .data:00F8206C↓r ...
+
+loc_F82065: ; CODE XREF: .data:00F82032↑j
+ ; DATA XREF: .data:loc_F82034↑o
+ mov eax, 23A5C0F8h
+ push eax
+ push eax
+ add eax, ss:(dword_F82061 - 0F82013h)[ebp]
+ pop ebx
+ test eax, eax
+ jz short loc_F82090
+ jmp short loc_F82077
+
+
+loc_F82077: ; CODE XREF: .data:00F82074↑j
+ cmp ebx, 23A5C0F8h
+ jz short loc_F820B4
+ xor edx, edx
+ push esi
+ push 0
+ push esi
+ push ss:(dword_F82061 - 0F82013h)[ebp]
+ call eax
+ pop esi
+ cmp esi, 0
+ jnz short loc_F820B4
+
+loc_F82090: ; CODE XREF: .data:00F82072↑j
+ xor edx, edx
+ mov eax, ss:(dword_F82054 - 0F82013h)[ebp]
+ test eax, eax
+ jz short loc_F820A0
+ push edx
+ push edx
+ push ss:(dword_F82048 - 0F82013h)[ebp]
+ call eax
+
+loc_F820A0: ; CODE XREF: .data:00F82097↑j
+ mov eax, ss:(dword_F82048 - 0F82013h)[ebp]
+ test eax, eax
+ jz short loc_F820B4
+ push 8000h
+ push 0
+ push ss:(dword_F82048 - 0F82013h)[ebp]
+ call ss:(dword_F82050 - 0F82013h)[ebp]
+
+loc_F820B4: ; CODE XREF: .data:00F8207D↑j
+ ; .data:00F8208E↑j ...
+ pop ebx
+ or ebx, ebx
+ popa
+ jnz short loc_F820C0
+ push 1
+ pop eax
+ retn 0Ch
+
+loc_F820C0: ; CODE XREF: .data:00F820B8↑j
+ xor eax, eax
+ neg eax
+ sbb eax, eax
+ inc eax
+ retn 0Ch
+
+
+
+
-- cgit v1.2.3