; out1.asm
; Disassembly of test.exe (decompilable procedures)
; Entrypoint name: .Start
; --- procedure at 41100f ---
; consists of 2 basic blocks.
; return depth: 0 bytes
; This procedure calls/invokes:
; - ?hello@@YAXXZ (direct)
; - __RTC_CheckEsp (direct)
; fn_41100f is a one-instruction jump thunk to _wmain; the body of _wmain follows.
; _wmain: reserves 0xc0 bytes of locals, fills them with 0xcccccccc, calls
; fn_411028 (the jump thunk for ?hello@@YAXXZ) and returns 0 in eax.
; fn_411140 is the jump thunk for __RTC_CheckEsp, which acts on the flags left
; by the cmp placed immediately before each call to it.
; NOTE(review): the 0xcccccccc fill and the esp checks look like MSVC debug-build
; runtime checks (the binary imports the debug CRT, MSVCR80D) - confirm.
fn_41100f:
jmp dword _wmain
_wmain: ; loc_411400
push ebp
mov ebp,esp
sub esp,0x000000c0 ; 0xc0 bytes of local space
push ebx
push esi
push edi
lea edi,[ebp+0xffffff40] ; edi = ebp-0xc0, lowest address of the local area
mov ecx,0x00000030 ; 0x30 dwords = 0xc0 bytes
mov eax,0xcccccccc ; fill pattern
rep stosd ; overwrite every local with the pattern
call dword fn_411028 ; hello()
xor eax,eax ; return value 0
pop edi
pop esi
pop ebx
add esp,0x000000c0
cmp ebp,esp ; esp must be back at the frame base; ZF=0 means the stack is unbalanced
call dword fn_411140 ; __RTC_CheckEsp: returns at once when ZF is set
mov esp,ebp
pop ebp
ret
; --- procedure at 41101e ---
; consists of 8 basic blocks.
; return depth: 0 bytes
; This procedure calls/invokes:
; - __crt_debugger_hook (direct)
; - KERNEL32.GetCurrentProcess (import)
; - KERNEL32.IsDebuggerPresent (import)
; - KERNEL32.SetUnhandledExceptionFilter (import)
; - KERNEL32.TerminateProcess (import)
; - KERNEL32.UnhandledExceptionFilter (import)
; Jump thunks plus the body of @__security_check_cookie@4, the stack-cookie check.
; In:  ecx = cookie value to verify (the @name@4 decoration is the fastcall form
;      with 4 bytes of arguments).
; Out: returns normally when ecx equals the global ___security_cookie.
;      On a mismatch control is transferred by jmp (not call) through loc_41109b
;      to ___report_gsfailure, so that routine sees this function's caller as
;      its own return address; it ends by calling TerminateProcess.
; No register is modified on the success path; only flags change.
fn_41101e:
jmp dword @__security_check_cookie@4
loc_41109b:
jmp dword ___report_gsfailure ; thunk used only by the mismatch path below
@__security_check_cookie@4: ; loc_4132e0
cmp ecx,[___security_cookie] ; compare the caller's copy with the process-wide cookie
jnz loc_4132ea ; any difference is treated as stack corruption
loc_4132e8:
ret
loc_4132ea:
jmp dword loc_41109b
; ___report_gsfailure: failure path of the stack-cookie check. It is reached by
; jmp from @__security_check_cookie@4, so [ebp+0x04] here is the return address
; of the failed cookie check, i.e. an address inside the function whose cookie
; did not match.
; Steps visible below:
;   1. snapshot the general registers, segment registers and EFLAGS into fixed
;      globals at 0x004172b4..0x004172f0
;      (presumably the fields of a CONTEXT-style record - TODO confirm layout)
;   2. record code 0xc0000409 and the faulting return address in globals at
;      0x004171d0..0x004171dc (presumably an exception record - TODO confirm)
;   3. call IsDebuggerPresent and keep the result in [0x00417220]
;   4. call fn_4110e1 (jump thunk for __crt_debugger_hook) with argument 1
;   5. SetUnhandledExceptionFilter(0), then UnhandledExceptionFilter(0x00416160)
;   6. when no debugger was present, call the debugger hook a second time
;   7. TerminateProcess(GetCurrentProcess(), 0xc0000409)
; The register snapshot is taken before any call so that it reflects the state
; at the moment of the failed check.
___report_gsfailure: ; loc_413320
push ebp
mov ebp,esp
sub esp,0x00000328
mov [0x004172d8],eax ; general registers, saved before anything clobbers them
mov [0x004172d4],ecx
mov [0x004172d0],edx
mov [0x004172cc],ebx
mov [0x004172c8],esi
mov [0x004172c4],edi
mov word [0x004172f0],ss ; segment registers
mov word [0x004172e4],cs
mov word [0x004172c0],ds
mov word [0x004172bc],es
mov word [0x004172b8],fs
mov word [0x004172b4],gs
pushfd
pop dword [0x004172e8] ; EFLAGS, copied via the stack
mov eax,[ebp+0x00] ; ebp of the function that failed the check
mov [0x004172dc],eax
mov eax,[ebp+0x04] ; return address of the failed cookie check
mov [0x004172e0],eax
lea eax,[ebp+0x08] ; esp as it was before the cookie check was called
mov [0x004172ec],eax
mov eax,[ebp+0xfffffce0] ; reads ebp-0x320; eax is overwritten two instructions later
mov dword [0x00417228],0x00010001 ; presumably the record's flags field - TODO confirm
mov eax,[0x004172e0]
mov [0x004171dc],eax ; faulting address = saved return address
mov dword [0x004171d0],0xc0000409 ; status code, the same value later passed to TerminateProcess
mov dword [0x004171d4],0x00000001
mov ecx,[___security_cookie]
mov [ebp+0xfffffcd8],ecx ; copy of the cookie in a local (ebp-0x328)
mov edx,[___security_cookie_complement]
mov [ebp+0xfffffcdc],edx ; copy of the complement in a local (ebp-0x324)
call dword near [KERNEL32.IsDebuggerPresent]
mov [0x00417220],eax ; remembered for the test at the end
push byte +0x01
call dword fn_4110e1 ; __crt_debugger_hook(1)
add esp,byte +0x04
push byte +0x00
call dword near [KERNEL32.SetUnhandledExceptionFilter] ; argument 0: clears the top-level filter
push dword 0x00416160
call dword near [KERNEL32.UnhandledExceptionFilter]
cmp dword [0x00417220],byte +0x00
jnz loc_413416 ; a debugger was present: skip the second hook call
loc_41340c:
push byte +0x01
call dword fn_4110e1 ; __crt_debugger_hook(1)
add esp,byte +0x04
loc_413416:
push dword 0xc0000409 ; exit code
call dword near [KERNEL32.GetCurrentProcess]
push eax ; process handle
call dword near [KERNEL32.TerminateProcess]
mov esp,ebp
pop ebp
ret
; --- procedure at 411028 ---
; consists of 2 basic blocks.
; return depth: 0 bytes
; This procedure calls/invokes:
; - __RTC_CheckEsp (direct)
; - MSVCR80D.printf (import)
; fn_411028 is a jump thunk to ?hello@@YAXXZ; the body of that function follows.
; ?hello@@YAXXZ: takes no arguments, calls printf with the single argument
; 0x0041563c (presumably the address of a format string - data not shown), and
; returns nothing meaningful in eax.
; Two stack-balance checks are made through fn_411140 (__RTC_CheckEsp thunk):
; one around the printf call, using esi as the saved esp, and one before the
; frame is torn down.
fn_411028:
jmp dword ?hello@@YAXXZ
?hello@@YAXXZ: ; loc_4113a0
push ebp
mov ebp,esp
sub esp,0x000000c0 ; 0xc0 bytes of local space
push ebx
push esi
push edi
lea edi,[ebp+0xffffff40] ; edi = ebp-0xc0, lowest address of the local area
mov ecx,0x00000030 ; 0x30 dwords = 0xc0 bytes
mov eax,0xcccccccc ; fill pattern
rep stosd ; overwrite every local with the pattern
mov esi,esp ; remember esp before the call sequence
push dword 0x0041563c
call dword near [MSVCR80D.printf]
add esp,byte +0x04 ; caller removes the one pushed argument
cmp esi,esp ; esp must match the value saved before the push
call dword fn_411140 ; __RTC_CheckEsp: returns at once when ZF is set
pop edi
pop esi
pop ebx
add esp,0x000000c0
cmp ebp,esp ; esp must be back at the frame base
call dword fn_411140 ; __RTC_CheckEsp
mov esp,ebp
pop ebp
ret
; --- procedure at 41103c ---
; consists of 2 basic blocks.
; return depth: 0 bytes
; Jump thunk and body of ?_RTC_GetErrorFuncW@@YAP6AHHPB_WH00ZZPBX@Z.
; Out: eax = the dword stored at 0x004171ac
;      (presumably the registered error-handler pointer - TODO confirm).
; No stack frame is set up and no stack argument is read.
fn_41103c:
jmp dword ?_RTC_GetErrorFuncW@@YAP6AHHPB_WH00ZZPBX@Z
?_RTC_GetErrorFuncW@@YAP6AHHPB_WH00ZZPBX@Z: ; loc_412640
mov eax,[0x004171ac]
ret
; --- procedure at 411055 ---
; consists of 12 basic blocks.
; return depth: 0 bytes
; This procedure calls/invokes:
; - KERNEL32.FatalAppExitA (import)
; - KERNEL32.GetCurrentProcessId (import)
; - KERNEL32.GetCurrentThreadId (import)
; - KERNEL32.GetSystemTimeAsFileTime (import)
; - KERNEL32.GetTickCount (import)
; - KERNEL32.QueryPerformanceCounter (import)
; Jump thunk and body of ___security_init_cookie: sets the process-wide stack
; cookie that @__security_check_cookie@4 compares against.
; No arguments. Writes ___security_cookie and ___security_cookie_complement.
; Locals:
;   [ebp-0x08],[ebp-0x04]  output buffer for GetSystemTimeAsFileTime (zeroed first)
;   [ebp-0x0c]             cookie accumulator
;   [ebp-0x10]             current record while walking the list at fs:[0]
;   [ebp-0x18],[ebp-0x14]  output buffer for QueryPerformanceCounter
; Flow:
;   - If the cookie differs from 0xbb40e64e and its upper 16 bits are non-zero,
;     only the complement is refreshed and the function returns.
;   - Otherwise the list at fs:[0] is walked; a record whose second dword is
;     0x00411087 triggers FatalAppExitA. Then a new cookie is built by XOR-ing
;     both halves of the system time, the process id, the thread id, the tick
;     count and both halves of the performance counter.
;   - The result is adjusted so that it is never 0xbb40e64e and never has a zero
;     upper half, then stored together with its bitwise complement.
; NOTE(review): every input to the XOR is a timer or an identifier; none is a
; cryptographic random source. Treat the cookie as a corruption tripwire, not
; as a secret carrying a full 32 bits of entropy.
fn_411055:
jmp dword ___security_init_cookie
___security_init_cookie: ; loc_412900
push ebp
mov ebp,esp
sub esp,byte +0x18
mov dword [ebp-0x08],0x00000000
mov dword [ebp-0x04],0x00000000
cmp dword [___security_cookie],0xbb40e64e ; still the built-in default value?
jz loc_41293f
loc_412920:
mov eax,[___security_cookie]
and eax,0xffff0000
jz loc_41293f ; upper half is zero: regenerate as well
loc_41292c:
mov ecx,[___security_cookie]
not ecx
mov [___security_cookie_complement],ecx ; cookie kept as is, complement refreshed
jmp dword loc_412a16
loc_41293f:
mov edx,[fs:0x00000000] ; presumably the head of the thread's exception-registration list - confirm
mov [ebp-0x10],edx
jmp short loc_412953
loc_41294b:
mov eax,[ebp-0x10]
mov ecx,[eax] ; first dword of a record = next record
mov [ebp-0x10],ecx
loc_412953:
cmp dword [ebp-0x10],byte -0x01 ; 0xffffffff ends the list
jz loc_412980
loc_412959:
mov edx,[ebp-0x10]
cmp dword [edx+0x04],0x00411087 ; second dword of the record; the code at 0x00411087 is not shown in this listing
jnz loc_412972
loc_412965:
push dword 0x00415f88 ; second argument (message text, data not shown)
push byte +0x00 ; first argument
call dword near [KERNEL32.FatalAppExitA]
loc_412972:
mov eax,[ebp-0x10]
mov ecx,[ebp-0x10]
cmp ecx,[eax] ; unsigned compare of this record's address with its next pointer
jc loc_41297e ; next lies at a higher address: keep walking
loc_41297c:
jmp short loc_412980 ; otherwise stop walking
loc_41297e:
jmp short loc_41294b
loc_412980:
lea edx,[ebp-0x08]
push edx
call dword near [KERNEL32.GetSystemTimeAsFileTime]
mov eax,[ebp-0x08]
mov [ebp-0x0c],eax ; accumulator = low dword of the time
mov ecx,[ebp-0x0c]
xor ecx,[ebp-0x04] ; ^ high dword of the time
mov [ebp-0x0c],ecx
call dword near [KERNEL32.GetCurrentProcessId]
xor eax,[ebp-0x0c] ; ^ process id
mov [ebp-0x0c],eax
call dword near [KERNEL32.GetCurrentThreadId]
xor eax,[ebp-0x0c] ; ^ thread id
mov [ebp-0x0c],eax
call dword near [KERNEL32.GetTickCount]
xor eax,[ebp-0x0c] ; ^ tick count
mov [ebp-0x0c],eax
lea edx,[ebp-0x18]
push edx
call dword near [KERNEL32.QueryPerformanceCounter]
mov eax,[ebp-0x0c]
xor eax,[ebp-0x18] ; ^ low dword of the performance counter
mov [ebp-0x0c],eax
mov ecx,[ebp-0x0c]
xor ecx,[ebp-0x14] ; ^ high dword of the performance counter
mov [ebp-0x0c],ecx
cmp dword [ebp-0x0c],0xbb40e64e ; must not collide with the default marker
jnz loc_4129eb
loc_4129e2:
mov dword [ebp-0x0c],0xbb40e64f ; use default+1 instead
jmp short loc_412a02
loc_4129eb:
mov edx,[ebp-0x0c]
and edx,0xffff0000
jnz loc_412a02
loc_4129f6:
mov eax,[ebp-0x0c]
shl eax,0x10
or eax,[ebp-0x0c] ; copy the low half into the empty upper half
mov [ebp-0x0c],eax
loc_412a02:
mov ecx,[ebp-0x0c]
mov [___security_cookie],ecx
mov edx,[ebp-0x0c]
not edx
mov [___security_cookie_complement],edx
loc_412a16:
mov esp,ebp
pop ebp
ret
; --- procedure at 411082 ---
; consists of 2 basic blocks.
; return depth: 0 bytes
; This procedure calls/invokes:
; - ___security_init_cookie (direct)
; - fn_411800 (direct)
; Program entry point (.Start) - a jump thunk to _wmainCRTStartup, whose body follows.
; _wmainCRTStartup calls fn_411055 (the jump thunk for ___security_init_cookie)
; and then fn_411800, which is not part of this listing; eax from fn_411800 is
; returned unchanged.
; The cookie is initialised before any other startup code runs, so every later
; cookie check compares against the final value.
.Start: ; fn_411082
jmp dword _wmainCRTStartup
_wmainCRTStartup: ; loc_4117e0
push ebp
mov ebp,esp
call dword fn_411055 ; ___security_init_cookie
call dword fn_411800 ; rest of startup (not shown)
pop ebp
ret
; --- procedure at 4110aa ---
; consists of 2 basic blocks.
; This procedure calls/invokes:
; - MSVCR80D._initterm (import)
; Two-stage jump thunk for the imported MSVCR80D._initterm.
; Both stages are jmp, not call, so the import returns directly to whoever
; called fn_4110aa; arguments and registers pass through untouched.
fn_4110aa:
jmp dword __initterm
__initterm: ; loc_412cea
jmp dword near [MSVCR80D._initterm] ; indirect jump through the import slot
; --- procedure at 4110c3 ---
; consists of 0xa (10) basic blocks.
; return depth: 0 bytes
; Jump thunk and body of __FindPESection.
; In:  [ebp+0x08] = base address of a mapped PE image
;      [ebp+0x0c] = offset (RVA) to look up, compared as unsigned
; Out: eax = address of the section header whose range
;            [dword at +0x0c, dword at +0x0c + dword at +0x08) contains the RVA,
;            or 0 when no section matches.
; Locals: [ebp-0x04] = base + dword at base+0x3c (the PE header)
;         [ebp-0x08] = section index
;         [ebp-0x0c] = current section header
; Section headers are walked in steps of 0x28 bytes; the count is the word at
; PE header +0x06 and the first header lies at PE header + 0x18 + the word at
; PE header +0x14.
; NOTE(review): nothing here checks the header signatures or bounds the offset
; at base+0x3c; presumably callers run __ValidateImageBase first - verify.
fn_4110c3:
jmp dword __FindPESection
__FindPESection: ; loc_412b00
push ebp
mov ebp,esp
sub esp,byte +0x0c
mov eax,[ebp+0x08]
mov ecx,[ebp+0x08]
add ecx,[eax+0x3c] ; PE header = base + offset stored at base+0x3c
mov [ebp-0x04],ecx
mov dword [ebp-0x08],0x00000000 ; index = 0
mov edx,[ebp-0x04]
movzx eax,word [edx+0x14] ; size of the optional header
mov ecx,[ebp-0x04]
lea edx,[ecx+eax+0x18] ; first section header follows the optional header
mov [ebp-0x0c],edx
jmp short loc_412b3e
loc_412b2c:
mov eax,[ebp-0x08]
add eax,byte +0x01 ; index++
mov [ebp-0x08],eax
mov ecx,[ebp-0x0c]
add ecx,byte +0x28 ; advance to the next 0x28-byte section header
mov [ebp-0x0c],ecx
loc_412b3e:
mov edx,[ebp-0x04]
movzx eax,word [edx+0x06] ; number of sections
cmp [ebp-0x08],eax
jnc loc_412b6d ; index >= count: not found
loc_412b4a:
mov ecx,[ebp-0x0c]
mov edx,[ebp+0x0c]
cmp edx,[ecx+0x0c] ; rva below the section's start?
jc loc_412b6b
loc_412b55:
mov eax,[ebp-0x0c]
mov ecx,[eax+0x0c]
mov edx,[ebp-0x0c]
add ecx,[edx+0x08] ; end = start + size
cmp [ebp+0x0c],ecx
jnc loc_412b6b ; rva >= end: try the next section
loc_412b66:
mov eax,[ebp-0x0c] ; match: return this section header
jmp short loc_412b6f
loc_412b6b:
jmp short loc_412b2c
loc_412b6d:
xor eax,eax ; no section contains the rva
loc_412b6f:
mov esp,ebp
pop ebp
ret
; --- procedure at 4110e1 ---
; consists of 2 basic blocks.
; This procedure calls/invokes:
; - MSVCR80D._crt_debugger_hook (import)
; Two-stage jump thunk for the imported MSVCR80D._crt_debugger_hook.
; Both stages are jmp, not call, so the import returns directly to whoever
; called fn_4110e1. In this listing the only callers are in ___report_gsfailure,
; which pushes one argument and removes it itself after the call.
fn_4110e1:
jmp dword __crt_debugger_hook
__crt_debugger_hook: ; loc_413470
jmp dword near [MSVCR80D._crt_debugger_hook] ; indirect jump through the import slot
; --- procedure at 4110e6 ---
; consists of 9 basic blocks.
; return depth: 0 bytes
; Jump thunk and body of __ValidateImageBase.
; In:  [ebp+0x08] = candidate base address of a mapped image
; Out: eax = 1 when all three checks pass, otherwise 0
; Checks, in order:
;   1. word at base            == 0x5a4d      ("MZ")
;   2. dword at base + [base+0x3c] == 0x00004550 ("PE\0\0")
;   3. word at that header + 0x18  == 0x010b   (optional-header magic for PE32)
; Locals: [ebp-0x08] = base, [ebp-0x0c] = PE header, [ebp-0x04] = optional header
; NOTE(review): the offset read from base+0x3c is added without a range check,
; so this is only safe on memory already known to be a mapped image - presumably
; the caller passes the module's own base; verify against callers.
fn_4110e6:
jmp dword __ValidateImageBase
__ValidateImageBase: ; loc_412a80
push ebp
mov ebp,esp
sub esp,byte +0x0c
mov eax,[ebp+0x08]
mov [ebp-0x08],eax
mov ecx,[ebp-0x08]
movzx edx,word [ecx]
cmp edx,0x00005a4d ; "MZ"
jz loc_412a9e
loc_412a9a:
xor eax,eax ; not a DOS header: fail
jmp short loc_412ad9
loc_412a9e:
mov eax,[ebp-0x08]
mov ecx,[ebp-0x08]
add ecx,[eax+0x3c] ; PE header = base + offset stored at base+0x3c
mov [ebp-0x0c],ecx
mov edx,[ebp-0x0c]
cmp dword [edx],0x00004550 ; "PE\0\0"
jz loc_412ab9
loc_412ab5:
xor eax,eax ; signature missing: fail
jmp short loc_412ad9
loc_412ab9:
mov eax,[ebp-0x0c]
add eax,byte +0x18 ; optional header starts 0x18 bytes into the PE header
mov [ebp-0x04],eax
mov ecx,[ebp-0x04]
movzx edx,word [ecx]
cmp edx,0x0000010b ; PE32 magic
jz loc_412ad4
loc_412ad0:
xor eax,eax ; other optional-header format: fail
jmp short loc_412ad9
loc_412ad4:
mov eax,0x00000001 ; all checks passed
loc_412ad9:
mov esp,ebp
pop ebp
ret
; --- procedure at 411104 ---
; consists of 2 basic blocks.
; return depth: 0 bytes
; Jump thunk and body of _NtCurrentTeb.
; Out: eax = the dword at fs:[0x18]
;      (presumably the thread environment block's pointer to itself, as the
;      function name suggests - confirm).
; No arguments; the frame is set up and torn down without using any locals.
fn_411104:
jmp dword _NtCurrentTeb
_NtCurrentTeb: ; loc_411ae0
push ebp
mov ebp,esp
mov eax,[fs:0x00000018]
pop ebp
ret
; --- procedure at 411140 ---
; consists of 4 basic blocks.
; return depth: 0 bytes
; This procedure calls/invokes:
; - ?_RTC_Failure@@YAXPAXH@Z (direct)
; Jump thunk and body of __RTC_CheckEsp, the stack-pointer balance check.
; In:  the flags, set by a cmp that the caller executes immediately before the
;      call (cmp ebp,esp or cmp esi,esp in this listing). No stack arguments.
; Out: returns at once when ZF is set. When ZF is clear, calls fn_4111a4 with
;      (return address of this check, 0) and then returns to the caller.
;      fn_4111a4 is not shown; the listing header names the direct callee as
;      ?_RTC_Failure@@YAXPAXH@Z.
; eax, edx, ebx, esi and edi are saved and restored around the failure call, so
; the check is transparent to the caller's registers other than ecx.
fn_411140:
jmp dword __RTC_CheckEsp
__RTC_CheckEsp: ; loc_411450
jnz loc_411453 ; ZF clear: the caller's compare found a mismatch
loc_411452:
ret
loc_411453:
push ebp
mov ebp,esp
sub esp,byte +0x00 ; no locals; the instruction leaves esp unchanged
push eax
push edx
push ebx
push esi
push edi
mov eax,[ebp+0x04] ; return address = location of the failed check
push byte +0x00 ; second argument
push eax ; first argument
call dword fn_4111a4
add esp,byte +0x08 ; remove both arguments
pop edi
pop esi
pop ebx
pop edx
pop eax
mov esp,ebp
pop ebp
ret
; --- procedure at 41115e ---
; consists of 31 basic blocks.
; return depth: 0 bytes
; This procedure calls/invokes:
; - fn_4130b0 (direct)
; - KERNEL32.GetModuleFileNameW (import)
; - KERNEL32.GetProcAddress (import)
; - KERNEL32.GetProcessHeap (import)
; - KERNEL32.HeapFree (import)
; - KERNEL32.VirtualQuery (import)
; - NTDLL.RtlAllocateHeap (import)
fn_41115e:
jmp dword ?_RTC_GetSrcLine@@YAHPAEPA_WKPAH1K@Z
?_RTC_GetSrcLine@@YAHPAEPA_WKPAH1K@Z: ; loc_412d30
push ebp
mov ebp,esp
mov eax,[ebp+0x14]
mov ecx,[ebp+0x0c]
sub esp,byte +0x44
push esi
mov esi,[ebp+0x08]
push byte +0x1c
lea edx,[ebp-0x44]
push edx
sub esi,byte +0x01
mov dword [eax],0x00000000
push esi
mov word [ecx],0x0000
call dword near [KERNEL32.VirtualQuery]
test eax,eax
jnz loc_412d66
loc_412d5f:
xor eax,eax
pop esi
mov esp,ebp
pop ebp
ret
loc_412d66:
mov eax,[ebp+0x1c]
mov ecx,[ebp+0x18]
mov edx,[ebp-0x40]
push eax
push ecx
push edx
call dword near [KERNEL32.GetModuleFileNameW]
test eax,eax
jz loc_412d5f
loc_412d7c:
mov edx,[ebp-0x40]
cmp word [edx],0x5a4d
jnz loc_412d5f
loc_412d86:
mov eax,[edx+0x3c]
test eax,eax
jle loc_412d5f
loc_412d8d:
add eax,edx
cmp dword [eax],0x00004550
jnz loc_412d5f
loc_412d97:
movzx ecx,word [eax+0x06]
push ebx
push edi
movzx edi,word [eax+0x14]
lea eax,[edi+eax+0x18]
sub esi,edx
xor edi,edi
xor ebx,ebx
test ecx,ecx
jbe loc_412dcb
loc_412daf:
add eax,byte +0x0c
loc_412db2:
mov edx,[eax]
cmp esi,edx
jc loc_412dc1
loc_412db8:
mov edi,esi
sub edi,edx
cmp esi,[eax-0x04]
jc loc_412dcb
loc_412dc1: