Hi tusk,
that code gets the directory of the main executable (GetModuleFileNameW, then truncating the buffer at the last '\\') and probes for Vectir.Core<n>.dll files next to it (where <n> is 3, 2 and 4, in that order) by trying to open each one with a std::ifstream. Two details are worth keeping in mind: it only calls ExitProcess when a file opens successfully AND the executable's directory path does not contain "\bin" (the `num2 == 4294967295u` test is `std::string::npos` on 32-bit, so an install path with "\bin" in it skips the exit altogether — presumably a developer-build escape hatch), and a file that is present but cannot be opened for reading would not trigger the exit either. As you already know this check is performed by Vectir.Core1.dll.
Code:
// <Module>
// Token: 0x06000021 RID: 33 RVA: 0x00003B68 File Offset: 0x00002F68
// Anti-tamper probe (dnSpy rendering of a mixed-mode C++/CLI global in <Module>): builds
// "<exe dir>\Vectir.Core<n>.dll" for n = 3, 2, 4 (in that order), tries to open each one with an
// ifstream, and calls ExitProcess(0) as soon as one opens -- but only when the executable's
// directory does NOT contain "\bin" (see num2 below).
// NOTE: the poster truncated the listing at the ":" lines, so the catch/unwind handlers for the
// two outer try blocks (the std::string and first ifstream scopes) are not shown here.
internal unsafe static void Win32Test()
{
// stackalloc of __CxxQueryExceptionSize() bytes: scratch space for the C++ exception machinery.
// This localloc is most likely what makes the JIT emit the stack-cookie and page-probe code
// visible in the native listing further down.
int num = (int)stackalloc byte[<Module>.__CxxQueryExceptionSize()];
try
{
// $ArrayType$$$BY0BAE@_W is MSVC's mangled name for "array of 260 wchar_t" (MAX_PATH buffer).
$ArrayType$$$BY0BAE@_W $ArrayType$$$BY0BAE@_W;
// Full path of the main executable (null module handle). 260 = MAX_PATH; a longer path is
// simply truncated by the API, which would make the probes below look in the wrong place.
<Module>.GetModuleFileNameW(null, (char*)(&$ArrayType$$$BY0BAE@_W), 260);
// Keep only the directory: cut the string at the last backslash. The no-backslash branch
// zero-terminates the buffer at wide index 2 (byte offset 4); since GetModuleFileNameW
// normally returns a full path, that branch is effectively never taken.
char* ptr = <Module>.wcsrchr((char*)(&$ArrayType$$$BY0BAE@_W), '\\');
if (ptr == null)
{
*(ref $ArrayType$$$BY0BAE@_W + 4) = 0;
}
else
{
*ptr = '\0';
}
// Narrow (ANSI) copy of the directory in a 260-byte heap buffer.
// NOTE(review): a long path in a multi-byte code page can need more than 260 bytes, in which
// case wcstombs_s fails (ERANGE) and the directory string is not what was intended -- verify
// against the CRT docs if that matters for your test setup.
sbyte* ptr2 = <Module>.malloc(260u);
uint count;
<Module>.wcstombs_s(&count, ptr2, 260u, (char*)(&$ArrayType$$$BY0BAE@_W), 260u);
// std::string copy of the directory; per the CRT docs `count` includes the terminating NUL,
// so the string likely carries a trailing '\0' (harmless for the find() below).
basic_string<char,std::char_traits<char>,std::allocator<char>\u0020> basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>;
<Module>.std.basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>.{ctor}(ref basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>, (sbyte*)ptr2, count);
try
{
// std::string("\bin") -- ??_C@_04OJGJKDCG@?2bin?$AA@ is the MSVC mangling of that string constant.
basic_string<char,std::char_traits<char>,std::allocator<char>\u0020> basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>2;
<Module>.std.basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>.{ctor}(ref basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>2, (sbyte*)(&<Module>.??_C@_04OJGJKDCG@?2bin?$AA@));
try
{
// num2 = position of "\bin" inside the exe directory, or 0xFFFFFFFF (std::string::npos on
// 32-bit) when absent. Every ExitProcess below is gated on num2 == npos, i.e. the whole
// check is disabled for an install path that contains "\bin".
uint num2 = <Module>.std.basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>.find(ref basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>, ref basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>2, 0u);
// $ArrayType$$$BY0BAE@D is a char[260]. The file name is assembled one byte at a time and out
// of order, presumably so the literal "\Vectir.Core3.dll" never shows up in a strings dump.
$ArrayType$$$BY0BAE@D $ArrayType$$$BY0BAE@D;
*(ref $ArrayType$$$BY0BAE@D + 8) = 67; // "C"
*(ref $ArrayType$$$BY0BAE@D + 10) = 114; // "r"
$ArrayType$$$BY0BAE@D = 92; // "\"
*(ref $ArrayType$$$BY0BAE@D + 2) = 101; // "e"
*(ref $ArrayType$$$BY0BAE@D + 4) = 116; // "t"
*(ref $ArrayType$$$BY0BAE@D + 5) = 105; // "i"
*(ref $ArrayType$$$BY0BAE@D + 14) = 100; // "d"
*(ref $ArrayType$$$BY0BAE@D + 12) = 51; // "3"
*(ref $ArrayType$$$BY0BAE@D + 6) = 114; // "r"
*(ref $ArrayType$$$BY0BAE@D + 9) = 111; // "o"
*(ref $ArrayType$$$BY0BAE@D + 11) = 101; // "e"
*(ref $ArrayType$$$BY0BAE@D + 13) = 46; // "."
*(ref $ArrayType$$$BY0BAE@D + 17) = 0; // ""
*(ref $ArrayType$$$BY0BAE@D + 3) = 99; // "c"
*(ref $ArrayType$$$BY0BAE@D + 15) = 108; // "l"
*(ref $ArrayType$$$BY0BAE@D + 1) = 86; // "V"
*(ref $ArrayType$$$BY0BAE@D + 7) = 46; // "."
*(ref $ArrayType$$$BY0BAE@D + 16) = 108; // "l" --> In order: "\Vectir.Core3.dll"
// Probe path = directory + "\Vectir.Core3.dll"; both copies are bounded to the 260-byte
// buffer by the _s variants, so an overlong directory fails the copy rather than overflowing.
$ArrayType$$$BY0BAE@D $ArrayType$$$BY0BAE@D2;
<Module>.strcpy_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)ptr2);
<Module>.strcat_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)(&$ArrayType$$$BY0BAE@D));
// internal unsafe static basic_ifstream<char,std::char_traits<char>\u0020>* {ctor}(basic_ifstream<char,std::char_traits<char>\u0020>* ptr, sbyte* _Filename, int _Mode, int _Prot, int num)
// Arguments (1, 64, 1): _Mode 1 = ios_base::in, _Prot 0x40 = _SH_DENYNO (MSVC share flag, so
// the probed DLL is not locked while open), trailing 1 = construct the virtual base
// (most-derived object) -- taken from the MSVC headers, verify against your CRT version.
basic_ifstream<char,std::char_traits<char>\u0020> basic_ifstream<char,std::char_traits<char>\u0020>;
<Module>.std.basic_ifstream<char,std::char_traits<char>\u0020>.{ctor}(ref basic_ifstream<char,std::char_traits<char>\u0020>, (sbyte*)(&$ArrayType$$$BY0BAE@D2), 1, 64, 1);
try
{
// ios_base..PAX appears to be the decompiler's rendering of ios_base::operator void*() (PAX is
// "void*" in MSVC mangling), called on the virtual ios_base subobject reached through the
// displacement stored at +4 of the stream. Non-null means the open succeeded, i.e. the DLL
// exists and is readable. The process exits only when that holds AND the directory has no "\bin".
if (<Module>.std.ios_base..PAX(*(basic_ifstream<char,std::char_traits<char>\u0020> + 4) + ref basic_ifstream<char,std::char_traits<char>\u0020>) != null && num2 == 4294967295u)
{
<Module>.ExitProcess(0u);
}
// Same buffer rebuilt for "\Vectir.Core2.dll": only index 12 ('3' -> '2') actually changes,
// every other store rewrites a byte that is already there.
*(ref $ArrayType$$$BY0BAE@D + 7) = 46; // "."
*(ref $ArrayType$$$BY0BAE@D + 12) = 50; // "2"
*(ref $ArrayType$$$BY0BAE@D + 10) = 114; // "r"
*(ref $ArrayType$$$BY0BAE@D + 2) = 101; // "e"
*(ref $ArrayType$$$BY0BAE@D + 13) = 46; // "."
*(ref $ArrayType$$$BY0BAE@D + 3) = 99; // "c"
*(ref $ArrayType$$$BY0BAE@D + 15) = 108; // "l"
*(ref $ArrayType$$$BY0BAE@D + 4) = 116; // "t"
*(ref $ArrayType$$$BY0BAE@D + 6) = 114; // "r"
$ArrayType$$$BY0BAE@D = 92; // "\"
*(ref $ArrayType$$$BY0BAE@D + 9) = 111; // "o"
*(ref $ArrayType$$$BY0BAE@D + 16) = 108; // "l"
*(ref $ArrayType$$$BY0BAE@D + 11) = 101; // "e"
*(ref $ArrayType$$$BY0BAE@D + 14) = 100; // "d"
*(ref $ArrayType$$$BY0BAE@D + 17) = 0; // ""
*(ref $ArrayType$$$BY0BAE@D + 1) = 86; // "V"
*(ref $ArrayType$$$BY0BAE@D + 8) = 67; // "C"
*(ref $ArrayType$$$BY0BAE@D + 5) = 105; // "i" --> In order: "\Vectir.Core2.dll"
<Module>.strcpy_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)ptr2);
<Module>.strcat_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)(&$ArrayType$$$BY0BAE@D));
// Second probe: identical open + "\bin" gate for Vectir.Core2.dll.
basic_ifstream<char,std::char_traits<char>\u0020> basic_ifstream<char,std::char_traits<char>\u0020>2;
<Module>.std.basic_ifstream<char,std::char_traits<char>\u0020>.{ctor}(ref basic_ifstream<char,std::char_traits<char>\u0020>2, (sbyte*)(&$ArrayType$$$BY0BAE@D2), 1, 64, 1);
try
{
if (<Module>.std.ios_base..PAX(*(basic_ifstream<char,std::char_traits<char>\u0020>2 + 4) + ref basic_ifstream<char,std::char_traits<char>\u0020>2) != null && num2 == 4294967295u)
{
<Module>.ExitProcess(0u);
}
// And once more for "\Vectir.Core4.dll" (index 12 = '4').
*(ref $ArrayType$$$BY0BAE@D + 5) = 105; // "i"
*(ref $ArrayType$$$BY0BAE@D + 14) = 100; // "d"
*(ref $ArrayType$$$BY0BAE@D + 12) = 52; // "4"
*(ref $ArrayType$$$BY0BAE@D + 9) = 111; // "o"
*(ref $ArrayType$$$BY0BAE@D + 4) = 116; // "t"
*(ref $ArrayType$$$BY0BAE@D + 11) = 101; // "e"
*(ref $ArrayType$$$BY0BAE@D + 7) = 46; // "."
$ArrayType$$$BY0BAE@D = 92; // "\"
*(ref $ArrayType$$$BY0BAE@D + 1) = 86; // "V"
*(ref $ArrayType$$$BY0BAE@D + 2) = 101; // "e"
*(ref $ArrayType$$$BY0BAE@D + 8) = 67; // "C"
*(ref $ArrayType$$$BY0BAE@D + 17) = 0; // ""
*(ref $ArrayType$$$BY0BAE@D + 10) = 114; // "r"
*(ref $ArrayType$$$BY0BAE@D + 13) = 46; // "."
*(ref $ArrayType$$$BY0BAE@D + 3) = 99; // "c"
*(ref $ArrayType$$$BY0BAE@D + 6) = 114; // "r"
*(ref $ArrayType$$$BY0BAE@D + 15) = 108; // "l"
*(ref $ArrayType$$$BY0BAE@D + 16) = 108; // "l" --> In order: "\Vectir.Core4.dll"
<Module>.strcpy_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)ptr2);
<Module>.strcat_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)(&$ArrayType$$$BY0BAE@D));
// Third probe: same open + "\bin" gate for Vectir.Core4.dll.
basic_ifstream<char,std::char_traits<char>\u0020> basic_ifstream<char,std::char_traits<char>\u0020>3;
<Module>.std.basic_ifstream<char,std::char_traits<char>\u0020>.{ctor}(ref basic_ifstream<char,std::char_traits<char>\u0020>3, (sbyte*)(&$ArrayType$$$BY0BAE@D2), 1, 64, 1);
try
{
if (<Module>.std.ios_base..PAX(*(basic_ifstream<char,std::char_traits<char>\u0020>3 + 4) + ref basic_ifstream<char,std::char_traits<char>\u0020>3) != null && num2 == 4294967295u)
{
<Module>.ExitProcess(0u);
}
// All three probes passed: release the directory buffer. (It is not freed on the ExitProcess
// paths, which does not matter, nor on the exception paths, which only run destructors.)
<Module>.free((void*)ptr2);
}
catch
{
// Unwind handler for the innermost ifstream: run its destructor, then keep propagating.
<Module>.___CxxCallUnwindDtor(ldftn(std.basic_ifstream<char,std::char_traits<char>\u0020>.__vbaseDtor), (void*)(&basic_ifstream<char,std::char_traits<char>\u0020>3));
throw;
}
:
:
}
"nulling" the Win32Test routine (say replacing its code with a ret) is not enough because, if you debug the application with OllyDbg (for example), you'll see it still checks for those files at another address (I'm still trying to understand where exactly). Note, though, that the native code below matches Win32Test's body step for step — GetModuleFileNameW with 0x104, wcsrchr for '\\', malloc(0x104) plus wcstombs_s, the "\bin" find, and the identical out-of-order byte stores that spell "\Vectir.Core3.dll" — so it is quite possibly just the JIT-compiled copy of the same method rather than a second check. If the IL patch did not stop it, it is worth confirming (e.g. with a breakpoint on 08668A20 after patching) whether the modified IL is actually what gets executed, or whether another copy of the module is being loaded.
Code:
; JIT-compiled native body of <Module>.Win32Test as seen in OllyDbg. It tracks the decompiled
; listing above step for step: same 0x104 (MAX_PATH) buffers, same "\bin" search, same
; out-of-order byte stores for the three DLL names, same three exit conditions.
08668A20 $ 55 PUSH EBP
08668A21 . 8BEC MOV EBP,ESP
08668A23 . 57 PUSH EDI
08668A24 . 56 PUSH ESI
08668A25 . 81EC 8C060000 SUB ESP,0x68C
08668A2B . 33C0 XOR EAX,EAX
08668A2D . 8945 E8 MOV DWORD PTR SS:[EBP-0x18],EAX
08668A30 . 8965 F4 MOV DWORD PTR SS:[EBP-0xC],ESP
; frame marker re-checked at 08668F5F before returning; looks like the stack cookie the JIT
; adds to methods that use localloc (the stackalloc in the decompiled version)
08668A33 . C745 D8 87EC2FAF MOV DWORD PTR SS:[EBP-0x28],0xAF2FEC87
08668A3A . 898D 8CFBFFFF MOV DWORD PTR SS:[EBP-0x474],ECX
; __CxxQueryExceptionSize(); if non-zero, localloc that many bytes: round up to 4, then probe
; the stack one page (0x1000) at a time until ESP reaches the new bottom
08668A40 . E8 97EFFFFF CALL 086679DC
08668A45 . 85C0 TEST EAX,EAX
08668A47 . 74 21 JE SHORT 08668A6A
08668A49 . 83C0 03 ADD EAX,0x3
08668A4C . 83E0 FC AND EAX,0xFFFFFFFC
08668A4F . F7D8 NEG EAX
08668A51 . 03C4 ADD EAX,ESP
08668A53 . 72 02 JB SHORT 08668A57
08668A55 . 33C0 XOR EAX,EAX
08668A57 > 852424 TEST DWORD PTR SS:[ESP],ESP
08668A5A . 8BD4 MOV EDX,ESP
08668A5C . 81EA 00100000 SUB EDX,0x1000
08668A62 . 8BE2 MOV ESP,EDX
08668A64 . 3BE0 CMP ESP,EAX
08668A66 .^ 73 EF JNB SHORT 08668A57
08668A68 . 8BE0 MOV ESP,EAX
08668A6A > 8965 F4 MOV DWORD PTR SS:[EBP-0xC],ESP
08668A6D . 8985 84FBFFFF MOV DWORD PTR SS:[EBP-0x47C],EAX
; GetModuleFileNameW(NULL, buf, 0x104) through the 086679E8 thunk: ECX = hModule (NULL),
; EDX = wide buffer at [EBP-0x470], 0x104 = MAX_PATH
08668A73 . 68 04010000 PUSH 0x104
08668A78 . 8D95 90FBFFFF LEA EDX,DWORD PTR SS:[EBP-0x470]
08668A7E . 33C9 XOR ECX,ECX
08668A80 . E8 63EFFFFF CALL 086679E8
; wcsrchr(buf, L'\\'): no backslash -> buf[2] = 0 (the word at +4), else *ptr = 0;
; either way only the directory part survives
08668A85 . 8D8D 90FBFFFF LEA ECX,DWORD PTR SS:[EBP-0x470]
08668A8B . BA 5C000000 MOV EDX,0x5C
08668A90 . E8 5FEFFFFF CALL 086679F4
08668A95 . 85C0 TEST EAX,EAX
08668A97 . 75 0B JNZ SHORT 08668AA4
08668A99 . 66:C785 94FBFFFF 0000 MOV WORD PTR SS:[EBP-0x46C],0x0
08668AA2 . EB 05 JMP SHORT 08668AA9
08668AA4 > 66:C700 0000 MOV WORD PTR DS:[EAX],0x0
; ESI = malloc(0x104) -- narrow copy of the directory
08668AA9 > B9 04010000 MOV ECX,0x104
08668AAE . E8 4DEFFFFF CALL 08667A00
08668AB3 . 8BF0 MOV ESI,EAX
; wcstombs_s(&count at [EBP-0x480], ESI, 0x104, buf, 0x104)
08668AB5 . 68 04010000 PUSH 0x104
08668ABA . 8D85 90FBFFFF LEA EAX,DWORD PTR SS:[EBP-0x470]
08668AC0 . 50 PUSH EAX
08668AC1 . 68 04010000 PUSH 0x104
08668AC6 . 8D8D 80FBFFFF LEA ECX,DWORD PTR SS:[EBP-0x480]
08668ACC . 8BD6 MOV EDX,ESI
08668ACE . E8 39EFFFFF CALL 08667A0C
; std::string dir(ESI, count) at [EBP-0x268]
08668AD3 . FFB5 80FBFFFF PUSH DWORD PTR SS:[EBP-0x480]
08668AD9 . 8D8D 98FDFFFF LEA ECX,DWORD PTR SS:[EBP-0x268]
08668ADF . 8BD6 MOV EDX,ESI
08668AE1 . FF15 3855D207 CALL DWORD PTR DS:[0x7D25538] ; f.08669218
; std::string bin("\\bin") at [EBP-0x24C]: capacity 0xF / size 0 init (MSVC small-string
; layout), then an inlined strlen (the 08668B0D loop); 0xA77E0BCC is -0x5881F434, so EAX
; ends up holding the literal's length
08668AE7 . C785 C8FDFFFF 0F000000 MOV DWORD PTR SS:[EBP-0x238],0xF
08668AF1 . 33D2 XOR EDX,EDX
08668AF3 . 8995 C4FDFFFF MOV DWORD PTR SS:[EBP-0x23C],EDX
08668AF9 . 8895 B4FDFFFF MOV BYTE PTR SS:[EBP-0x24C],DL
08668AFF . B8 34F48158 MOV EAX,0x5881F434 ; ASCII "\\bin"
08668B04 . 803D 34F48158 00 CMP BYTE PTR DS:[0x5881F434],0x0
08668B0B . 74 06 JE SHORT 08668B13
08668B0D > 40 INC EAX
08668B0E . 8038 00 CMP BYTE PTR DS:[EAX],0x0
08668B11 .^ 75 FA JNZ SHORT 08668B0D
08668B13 > 05 CC0B7EA7 ADD EAX,0xA77E0BCC
08668B18 . 50 PUSH EAX ; /Arg1 = 00000000
08668B19 . 8D8D B4FDFFFF LEA ECX,DWORD PTR SS:[EBP-0x24C] ; |
08668B1F . BA 34F48158 MOV EDX,0x5881F434 ; |ASCII "\\bin"
08668B24 . FF15 4C56D207 CALL DWORD PTR DS:[0x7D2564C] ; \f.08669250
; EDI = dir.find(bin, 0); a capacity >= 0x10 means the string is heap-backed, so pick the
; data pointer instead of the inline buffer before the call
08668B2A . 8B8D C4FDFFFF MOV ECX,DWORD PTR SS:[EBP-0x23C]
08668B30 . 83BD C8FDFFFF 10 CMP DWORD PTR SS:[EBP-0x238],0x10
08668B37 . 72 08 JB SHORT 08668B41
08668B39 . 8B95 B4FDFFFF MOV EDX,DWORD PTR SS:[EBP-0x24C]
08668B3F . EB 06 JMP SHORT 08668B47
08668B41 > 8D95 B4FDFFFF LEA EDX,DWORD PTR SS:[EBP-0x24C]
08668B47 > 6A 00 PUSH 0x0 ; /Arg2 = 00000000
08668B49 . 51 PUSH ECX ; |Arg1 = 7E6CF000
08668B4A . 8D8D 98FDFFFF LEA ECX,DWORD PTR SS:[EBP-0x268] ; |
08668B50 . FF15 8856D207 CALL DWORD PTR DS:[0x7D25688] ; \f.08669A88
08668B56 . 8BF8 MOV EDI,EAX
; assemble "\Vectir.Core3.dll" one byte at a time in [EBP-0x230]; the stores are deliberately
; out of order (same sequence as the decompiled code), so the name is never a literal
08668B58 . C685 D8FDFFFF 43 MOV BYTE PTR SS:[EBP-0x228],0x43
08668B5F . C685 DAFDFFFF 72 MOV BYTE PTR SS:[EBP-0x226],0x72
08668B66 . C685 D0FDFFFF 5C MOV BYTE PTR SS:[EBP-0x230],0x5C
08668B6D . C685 D2FDFFFF 65 MOV BYTE PTR SS:[EBP-0x22E],0x65
08668B74 . C685 D4FDFFFF 74 MOV BYTE PTR SS:[EBP-0x22C],0x74
08668B7B . C685 D5FDFFFF 69 MOV BYTE PTR SS:[EBP-0x22B],0x69
08668B82 . C685 DEFDFFFF 64 MOV BYTE PTR SS:[EBP-0x222],0x64
08668B89 . C685 DCFDFFFF 33 MOV BYTE PTR SS:[EBP-0x224],0x33
08668B90 . C685 D6FDFFFF 72 MOV BYTE PTR SS:[EBP-0x22A],0x72
08668B97 . C685 D9FDFFFF 6F MOV BYTE PTR SS:[EBP-0x227],0x6F
08668B9E . C685 DBFDFFFF 65 MOV BYTE PTR SS:[EBP-0x225],0x65
08668BA5 . C685 DDFDFFFF 2E MOV BYTE PTR SS:[EBP-0x223],0x2E
08668BAC . C685 E1FDFFFF 00 MOV BYTE PTR SS:[EBP-0x21F],0x0
08668BB3 . C685 D3FDFFFF 63 MOV BYTE PTR SS:[EBP-0x22D],0x63
08668BBA . C685 DFFDFFFF 6C MOV BYTE PTR SS:[EBP-0x221],0x6C
08668BC1 . C685 D1FDFFFF 56 MOV BYTE PTR SS:[EBP-0x22F],0x56
08668BC8 . C685 D7FDFFFF 2E MOV BYTE PTR SS:[EBP-0x229],0x2E
08668BCF . C685 E0FDFFFF 6C MOV BYTE PTR SS:[EBP-0x220],0x6C
; dst at [EBP-0x12C]: strcpy_s(dst, 0x104, ESI) then strcat_s(dst, 0x104, name)
08668BD6 . 56 PUSH ESI
08668BD7 . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-0x12C]
08668BDD . BA 04010000 MOV EDX,0x104
08668BE2 . E8 31EEFFFF CALL 08667A18
08668BE7 . 8D85 D0FDFFFF LEA EAX,DWORD PTR SS:[EBP-0x230]
08668BED . 50 PUSH EAX
08668BEE . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-0x12C]
08668BF4 . BA 04010000 MOV EDX,0x104
08668BF9 . E8 26EEFFFF CALL 08667A24
; std::ifstream(dst, 1 = ios::in, 0x40 = _SH_DENYNO, 1) at [EBP-0x690]
08668BFE . 6A 01 PUSH 0x1
08668C00 . 6A 40 PUSH 0x40
08668C02 . 6A 01 PUSH 0x1
08668C04 . 8D8D 70F9FFFF LEA ECX,DWORD PTR SS:[EBP-0x690]
08668C0A . 8D95 D4FEFFFF LEA EDX,DWORD PTR SS:[EBP-0x12C]
08668C10 . FF15 6855D207 CALL DWORD PTR DS:[0x7D25568] ; f.08669D38
; virtual-base displacement ([obj+4] + obj) to reach ios_base, then its operator void*();
; non-zero = the file opened. Exit only if it opened AND EDI == -1 (npos: no "\bin" in
; the exe directory) -- this is the whole "tamper" decision
08668C16 . 8B85 70F9FFFF MOV EAX,DWORD PTR SS:[EBP-0x690] ; Keyboard.5881F42C
08668C1C . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+0x4]
08668C1F . 8D85 70F9FFFF LEA EAX,DWORD PTR SS:[EBP-0x690]
08668C25 . 03C8 ADD ECX,EAX
08668C27 . E8 04EEFFFF CALL 08667A30
08668C2C $ 85C0 TEST EAX,EAX
08668C2E . 74 0C JE SHORT 08668C3C
08668C30 . 83FF FF CMP EDI,-0x1
08668C33 . 75 07 JNZ SHORT 08668C3C
08668C35 . 33C9 XOR ECX,ECX
08668C37 . E8 00EEFFFF CALL <doExit>
; same name with [EBP-0x224] = '2' -> "\Vectir.Core2.dll" (every other store rewrites an
; unchanged byte), then the same copy / open / test sequence
08668C3C > C685 D7FDFFFF 2E MOV BYTE PTR SS:[EBP-0x229],0x2E
08668C43 . C685 DCFDFFFF 32 MOV BYTE PTR SS:[EBP-0x224],0x32
08668C4A . C685 DAFDFFFF 72 MOV BYTE PTR SS:[EBP-0x226],0x72
08668C51 . C685 D2FDFFFF 65 MOV BYTE PTR SS:[EBP-0x22E],0x65
08668C58 . C685 DDFDFFFF 2E MOV BYTE PTR SS:[EBP-0x223],0x2E
08668C5F . C685 D3FDFFFF 63 MOV BYTE PTR SS:[EBP-0x22D],0x63
08668C66 . C685 DFFDFFFF 6C MOV BYTE PTR SS:[EBP-0x221],0x6C
08668C6D . C685 D4FDFFFF 74 MOV BYTE PTR SS:[EBP-0x22C],0x74
08668C74 . C685 D6FDFFFF 72 MOV BYTE PTR SS:[EBP-0x22A],0x72
08668C7B . C685 D0FDFFFF 5C MOV BYTE PTR SS:[EBP-0x230],0x5C
08668C82 . C685 D9FDFFFF 6F MOV BYTE PTR SS:[EBP-0x227],0x6F
08668C89 . C685 E0FDFFFF 6C MOV BYTE PTR SS:[EBP-0x220],0x6C
08668C90 . C685 DBFDFFFF 65 MOV BYTE PTR SS:[EBP-0x225],0x65
08668C97 . C685 DEFDFFFF 64 MOV BYTE PTR SS:[EBP-0x222],0x64
08668C9E . C685 E1FDFFFF 00 MOV BYTE PTR SS:[EBP-0x21F],0x0
08668CA5 . C685 D1FDFFFF 56 MOV BYTE PTR SS:[EBP-0x22F],0x56
08668CAC . C685 D8FDFFFF 43 MOV BYTE PTR SS:[EBP-0x228],0x43
08668CB3 . C685 D5FDFFFF 69 MOV BYTE PTR SS:[EBP-0x22B],0x69
08668CBA . 56 PUSH ESI
08668CBB . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-0x12C]
08668CC1 . BA 04010000 MOV EDX,0x104
08668CC6 . E8 4DEDFFFF CALL 08667A18
08668CCB . 8D85 D0FDFFFF LEA EAX,DWORD PTR SS:[EBP-0x230]
08668CD1 . 50 PUSH EAX
08668CD2 . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-0x12C]
08668CD8 . BA 04010000 MOV EDX,0x104
08668CDD . E8 42EDFFFF CALL 08667A24
; second std::ifstream at [EBP-0x5E0]
08668CE2 . 6A 01 PUSH 0x1
08668CE4 . 6A 40 PUSH 0x40
08668CE6 . 6A 01 PUSH 0x1
08668CE8 . 8D8D 20FAFFFF LEA ECX,DWORD PTR SS:[EBP-0x5E0]
08668CEE . 8D95 D4FEFFFF LEA EDX,DWORD PTR SS:[EBP-0x12C]
08668CF4 . FF15 6855D207 CALL DWORD PTR DS:[0x7D25568] ; f.08669D38
08668CFA . 8B85 20FAFFFF MOV EAX,DWORD PTR SS:[EBP-0x5E0] ; clr.639756E2
08668D00 . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+0x4]
08668D03 . 8D85 20FAFFFF LEA EAX,DWORD PTR SS:[EBP-0x5E0]
08668D09 . 03C8 ADD ECX,EAX
08668D0B . E8 20EDFFFF CALL 08667A30
08668D10 . 85C0 TEST EAX,EAX
08668D12 . 74 0C JE SHORT 08668D20
08668D14 . 83FF FF CMP EDI,-0x1
08668D17 . 75 07 JNZ SHORT 08668D20
08668D19 . 33C9 XOR ECX,ECX
08668D1B . E8 1CEDFFFF CALL <doExit>
; and with [EBP-0x224] = '4' -> "\Vectir.Core4.dll"
08668D20 > C685 D5FDFFFF 69 MOV BYTE PTR SS:[EBP-0x22B],0x69
08668D27 . C685 DEFDFFFF 64 MOV BYTE PTR SS:[EBP-0x222],0x64
08668D2E . C685 DCFDFFFF 34 MOV BYTE PTR SS:[EBP-0x224],0x34
08668D35 . C685 D9FDFFFF 6F MOV BYTE PTR SS:[EBP-0x227],0x6F
08668D3C . C685 D4FDFFFF 74 MOV BYTE PTR SS:[EBP-0x22C],0x74
08668D43 . C685 DBFDFFFF 65 MOV BYTE PTR SS:[EBP-0x225],0x65
08668D4A . C685 D7FDFFFF 2E MOV BYTE PTR SS:[EBP-0x229],0x2E
08668D51 . C685 D0FDFFFF 5C MOV BYTE PTR SS:[EBP-0x230],0x5C
08668D58 . C685 D1FDFFFF 56 MOV BYTE PTR SS:[EBP-0x22F],0x56
08668D5F . C685 D2FDFFFF 65 MOV BYTE PTR SS:[EBP-0x22E],0x65
08668D66 . C685 D8FDFFFF 43 MOV BYTE PTR SS:[EBP-0x228],0x43
08668D6D . C685 E1FDFFFF 00 MOV BYTE PTR SS:[EBP-0x21F],0x0
08668D74 . C685 DAFDFFFF 72 MOV BYTE PTR SS:[EBP-0x226],0x72
08668D7B . C685 DDFDFFFF 2E MOV BYTE PTR SS:[EBP-0x223],0x2E
08668D82 . C685 D3FDFFFF 63 MOV BYTE PTR SS:[EBP-0x22D],0x63
08668D89 . C685 D6FDFFFF 72 MOV BYTE PTR SS:[EBP-0x22A],0x72
08668D90 . C685 DFFDFFFF 6C MOV BYTE PTR SS:[EBP-0x221],0x6C
08668D97 . C685 E0FDFFFF 6C MOV BYTE PTR SS:[EBP-0x220],0x6C
08668D9E . 56 PUSH ESI
08668D9F . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-0x12C]
08668DA5 . BA 04010000 MOV EDX,0x104
08668DAA . E8 69ECFFFF CALL 08667A18
08668DAF . 8D85 D0FDFFFF LEA EAX,DWORD PTR SS:[EBP-0x230]
08668DB5 . 50 PUSH EAX
08668DB6 . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-0x12C]
08668DBC . BA 04010000 MOV EDX,0x104
08668DC1 . E8 5EECFFFF CALL 08667A24
; third std::ifstream at [EBP-0x530]
08668DC6 . 6A 01 PUSH 0x1
08668DC8 . 6A 40 PUSH 0x40
08668DCA . 6A 01 PUSH 0x1
08668DCC . 8D8D D0FAFFFF LEA ECX,DWORD PTR SS:[EBP-0x530]
08668DD2 . 8D95 D4FEFFFF LEA EDX,DWORD PTR SS:[EBP-0x12C]
08668DD8 . FF15 6855D207 CALL DWORD PTR DS:[0x7D25568] ; f.08669D38
08668DDE . 8B85 D0FAFFFF MOV EAX,DWORD PTR SS:[EBP-0x530]
08668DE4 . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+0x4]
08668DE7 . 8D85 D0FAFFFF LEA EAX,DWORD PTR SS:[EBP-0x530]
08668DED . 03C8 ADD ECX,EAX
08668DEF . E8 3CECFFFF CALL 08667A30
08668DF4 . 85C0 TEST EAX,EAX
08668DF6 . 74 0C JE SHORT 08668E04
08668DF8 . 83FF FF CMP EDI,-0x1
08668DFB . 75 07 JNZ SHORT 08668E04
08668DFD . 33C9 XOR ECX,ECX
08668DFF . E8 38ECFFFF CALL <doExit>
; all three probes passed: free(ESI)
08668E04 > 8BCE MOV ECX,ESI
08668E06 . E8 3DECFFFF CALL 08667A48
; normal-path teardown: destructors for the three ifstreams (0x7D2552C -> 08666661) and the
; two std::strings (0x7D25550 -> 0866666D), reached through the short JMPs. The
; LEA / MOV ECX,086679C0|086679D0 / CALL 08666BF8 / POP EAX / JMP EAX stubs in between are
; skipped on the normal path and look like the unwind funclets the catch blocks use
; (___CxxCallUnwindDtor in the decompiled version)
08668E0B . EB 13 JMP SHORT 08668E20
08668E0D . 8D95 D0FAFFFF LEA EDX,DWORD PTR SS:[EBP-0x530]
08668E13 . B9 C0796608 MOV ECX,086679C0
08668E18 . E8 DBDDFFFF CALL 08666BF8
08668E1D . 58 POP EAX ; 02B1DA94
08668E1E . FFE0 JMP EAX
08668E20 > 8D8D D0FAFFFF LEA ECX,DWORD PTR SS:[EBP-0x530]
08668E26 . FF15 2C55D207 CALL DWORD PTR DS:[0x7D2552C] ; f.08666661
08668E2C . EB 13 JMP SHORT 08668E41
08668E2E . 8D95 20FAFFFF LEA EDX,DWORD PTR SS:[EBP-0x5E0]
08668E34 . B9 C0796608 MOV ECX,086679C0
08668E39 . E8 BADDFFFF CALL 08666BF8
08668E3E . 58 POP EAX ; 02B1DA94
08668E3F . FFE0 JMP EAX
08668E41 > 8D8D 20FAFFFF LEA ECX,DWORD PTR SS:[EBP-0x5E0]
08668E47 . FF15 2C55D207 CALL DWORD PTR DS:[0x7D2552C] ; f.08666661
08668E4D . EB 13 JMP SHORT 08668E62
08668E4F . 8D95 70F9FFFF LEA EDX,DWORD PTR SS:[EBP-0x690]
08668E55 . B9 C0796608 MOV ECX,086679C0
08668E5A . E8 99DDFFFF CALL 08666BF8
08668E5F . 58 POP EAX ; 02B1DA94
08668E60 . FFE0 JMP EAX
08668E62 > 8D8D 70F9FFFF LEA ECX,DWORD PTR SS:[EBP-0x690]
08668E68 . FF15 2C55D207 CALL DWORD PTR DS:[0x7D2552C] ; f.08666661
08668E6E . EB 13 JMP SHORT 08668E83
08668E70 . 8D95 B4FDFFFF LEA EDX,DWORD PTR SS:[EBP-0x24C]
08668E76 . B9 D0796608 MOV ECX,086679D0
08668E7B . E8 78DDFFFF CALL 08666BF8
08668E80 . 58 POP EAX ; 02B1DA94
08668E81 . FFE0 JMP EAX
08668E83 > 8D8D B4FDFFFF LEA ECX,DWORD PTR SS:[EBP-0x24C]
08668E89 . FF15 5055D207 CALL DWORD PTR DS:[0x7D25550] ; f.0866666D
08668E8F . EB 13 JMP SHORT 08668EA4
08668E91 . 8D95 98FDFFFF LEA EDX,DWORD PTR SS:[EBP-0x268]
08668E97 . B9 D0796608 MOV ECX,086679D0
08668E9C . E8 57DDFFFF CALL 08666BF8
08668EA1 . 58 POP EAX ; 02B1DA94
08668EA2 . FFE0 JMP EAX
08668EA4 > 8D8D 98FDFFFF LEA ECX,DWORD PTR SS:[EBP-0x268]
08668EAA . FF15 5055D207 CALL DWORD PTR DS:[0x7D25550] ; f.0866666D
08668EB0 . E9 A4000000 JMP 08668F59
; exception-handling funclets, reached only when something throws: the clr.* helpers, the
; EH state words at [EBP-0x20]/[EBP-0x1C], and the rethrow-style tail at 08668ECA. This is
; the CLR's support for the try/catch blocks in the decompiled version; nothing in here is
; a second file check (and it does not look remoting-related)
08668EB5 . E8 1A7D5F5B CALL clr.63C60BD4
08668EBA . 8BC8 MOV ECX,EAX
08668EBC . 6A 00 PUSH 0x0
08668EBE . 6A 00 PUSH 0x0
08668EC0 . BA 54048458 MOV EDX,0x58840454
08668EC5 . E8 8AEBFFFF CALL 08667A54
08668ECA . C3 RETN
08668ECB . 33D2 XOR EDX,EDX
08668ECD . 8995 88FBFFFF MOV DWORD PTR SS:[EBP-0x478],EDX
08668ED3 . E8 FC7C5F5B CALL clr.63C60BD4
08668ED8 . 8BC8 MOV ECX,EAX
08668EDA . 8B95 84FBFFFF MOV EDX,DWORD PTR SS:[EBP-0x47C]
08668EE0 . E8 7BEBFFFF CALL 08667A60
08668EE5 . C745 E0 00000000 MOV DWORD PTR SS:[EBP-0x20],0x0
08668EEC . C745 E4 FC000000 MOV DWORD PTR SS:[EBP-0x1C],0xFC
08668EF3 . 68 748F6608 PUSH 08668F74
08668EF8 . EB 3B JMP SHORT 08668F35
08668EFA . E8 D57C5F5B CALL clr.63C60BD4
08668EFF . 8BC8 MOV ECX,EAX
08668F01 . E8 66EBFFFF CALL 08667A6C
08668F06 . 8985 88FBFFFF MOV DWORD PTR SS:[EBP-0x478],EAX
08668F0C . C3 RETN
08668F0D . E8 77852F5B CALL clr.63961489
08668F12 . 83BD 88FBFFFF 00 CMP DWORD PTR SS:[EBP-0x478],0x0
08668F19 . 74 05 JE SHORT 08668F20
08668F1B . E8 6D97395B CALL clr.63A0268D
08668F20 > C745 E0 00000000 MOV DWORD PTR SS:[EBP-0x20],0x0
08668F27 . C745 E4 FC000000 MOV DWORD PTR SS:[EBP-0x1C],0xFC
08668F2E . 68 508F6608 PUSH 08668F50
08668F33 . EB 00 JMP SHORT 08668F35
08668F35 > 8B8D 84FBFFFF MOV ECX,DWORD PTR SS:[EBP-0x47C]
08668F3B . 8B95 88FBFFFF MOV EDX,DWORD PTR SS:[EBP-0x478]
08668F41 . E8 32EBFFFF CALL 08667A78
08668F46 . 58 POP EAX ; 02B1DA94
08668F47 . FFE0 JMP EAX
08668F49 > E8 3B852F5B CALL clr.63961489
08668F4E . EB 09 JMP SHORT 08668F59
08668F50 . C745 E4 00000000 MOV DWORD PTR SS:[EBP-0x1C],0x0
08668F57 .^ EB F0 JMP SHORT 08668F49
; epilogue: EAX = the ECX value saved at entry; if the marker stored at 08668A33 has been
; overwritten, call clr.63C8C296 (presumably the JIT's stack-corruption failure routine)
; instead of returning normally
08668F59 > 8B85 8CFBFFFF MOV EAX,DWORD PTR SS:[EBP-0x474]
08668F5F . 817D D8 87EC2FAF CMP DWORD PTR SS:[EBP-0x28],0xAF2FEC87
08668F66 . 74 05 JE SHORT 08668F6D
08668F68 . E8 2933625B CALL clr.63C8C296
08668F6D > 8D65 F8 LEA ESP,DWORD PTR SS:[EBP-0x8]
08668F70 . 5E POP ESI ; 02B1DA94
08668F71 . 5F POP EDI ; 02B1DA94
08668F72 . 5D POP EBP ; 02B1DA94
08668F73 . C3 RETN
At first glance the clr.* calls looked like something related to .NET remoting, but I'm not sure of that, so don't take it for granted. They all sit after the unconditional JMP at 08668EB0, i.e. in the code that is only reached when an exception is thrown (the try/catch blocks visible in the decompiled version), so they are more likely the CLR's exception-handling helpers than anything remoting-related. I'll let you know if I come up with something useful.
I agree with SKiLLa ... really interesting.
Best Regards,
Tony
[EDIT]
There's also some AES usage (look at where the RijndaelManaged class is instantiated and what its callers compare the result against). On its own that is encryption/decryption rather than an integrity check, so it only implies tamper detection if the decrypted value is compared with something like a hash of the module or its files — worth tracing before assuming integrity checks are in place.
Regards,
Tony