01-01-2005, 05:17
nr70ver
 
1.> unpack ida.wll (aspack 2.12)

2.>
.text:1001C7C9 00C 8B 7D 10 mov edi, [ebp+n]
.text:1001C7CC 00C 8B 4D 08 mov ecx, [ebp+s1]
.text:1001C7CF 00C 8B 75 0C mov esi, [ebp+s2] ----> blacklist
.text:1001C7D2
.text:1001C7D2 loc_1001C7D2: ; CODE XREF: _memcmp+45j -----> md5 compare
.text:1001C7D2 00C 83 FF 04 cmp edi, 4
.text:1001C7D5 00C 7C 34 jl short loc_1001C80B
.text:1001C7D7 00C 8A 01 mov al, [ecx]
.text:1001C7D9 00C 8A 16 mov dl, [esi]
.text:1001C7DB 00C 3A D0 cmp dl, al
.text:1001C7DD 00C 75 2C jnz short loc_1001C80B
.text:1001C7DF 00C 8A 41 01 mov al, [ecx+1]
.text:1001C7E2 00C 8A 56 01 mov dl, [esi+1]
.text:1001C7E5 00C 3A D0 cmp dl, al
.text:1001C7E7 00C 75 22 jnz short loc_1001C80B
.text:1001C7E9 00C 8A 41 02 mov al, [ecx+2]
.text:1001C7EC 00C 8A 56 02 mov dl, [esi+2]
.text:1001C7EF 00C 3A D0 cmp dl, al
.text:1001C7F1 00C 75 18 jnz short loc_1001C80B
.text:1001C7F3 00C 8A 41 03 mov al, [ecx+3]
.text:1001C7F6 00C 8A 56 03 mov dl, [esi+3]
.text:1001C7F9 00C 3A D0 cmp dl, al
.text:1001C7FB 00C 75 0E jnz short loc_1001C80B
.text:1001C7FD 00C 83 EF 04 sub edi, 4
.text:1001C800 00C 83 C1 04 add ecx, 4
.text:1001C803 00C 83 C6 04 add esi, 4
.text:1001C806 00C 83 FF 04 cmp edi, 4
.text:1001C809 00C 7D C7 jge short loc_1001C7D2
.text:1001C80B
.text:1001C80B loc_1001C80B: ; CODE XREF: _memcmp+11j
.text:1001C80B ; _memcmp+19j ...
.text:1001C80B 00C 85 FF test edi, edi
.text:1001C80D 00C 75 04 jnz short loc_1001C813
.text:1001C80F 00C 33 C0 xor eax, eax -----> found in blacklist
.text:1001C811 00C EB 19 jmp short loc_1001C82C

bp at 1001C80F to get blacklist md5 16-byte, search and zero them in ida.wll

done...............

hope it will help