1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
|
# The script to dump rich4.exe to assembly
# SHA256(rich4.exe): 5a90aee28ee5f7a5c3ba5cb935c9e55751a529c25fcd91208748a66293569550
from dumpbin_pe import R2PEDumper
import r2pipe
import sys
if __name__ == "__main__":
if len(sys.argv) > 1:
r2dumpbin = R2PEDumper(r2pipe.open(sys.argv[1]))
else:
r2dumpbin = R2PEDumper()
# call back functions
r2dumpbin.mark_function(0x401010)
r2dumpbin.mark_function(0x4019dd)
r2dumpbin.mark_function(0x401f98)
# parameter of fcn_004018e7 (register_wait_callback)
callbacks = [0x40257a, 0x40363a, 0x4039c2, 0x404e44, 0x4060e9,
0x406b14, 0x40a801, 0x4103a3, 0x410ac3, 0x411122,
0x414858, 0x414bbc, 0x414fcd, 0x41dda9, 0x423cf3,
0x4258c1, 0x42608f, 0x4267a4, 0x426c2e, 0x42704e,
0x427c21, 0x429d65, 0x42aaff, 0x42b2ec, 0x42b3eb,
0x42d37f, 0x42d73f, 0x42f7fc, 0x43010c, 0x4325c2,
0x433088, 0x434492, 0x435062, 0x436034, 0x436ef8,
0x437e61, 0x43a2dd, 0x43caab, 0x43da27, 0x43fae4,
0x43ff56, 0x4402d7, 0x4413ec, 0x4416f0, 0x445e4d,
0x445c14, 0x446774, 0x44e40b, 0x45156f, 0x452c02,
0x45367e]
# fcn_00457e6c callbacks
callbacks += [0x4079f9, 0x42bed0, 0x42d0ef]
# fcn_0045ae76 callbacks
callbacks += [0x458d9e]
# SetUnhandledExceptionFilter callbacks
callbacks += [0x45a758]
callbacks += [0x45a98b]
for f in callbacks:
r2dumpbin.mark_function(f)
# jump table functions
# 0x402566
r2dumpbin.mark_function(0x40274c)
r2dumpbin.mark_function(0x40264d)
r2dumpbin.mark_function(0x4026e2)
# 0x408289
r2dumpbin.mark_function(0x409419)
r2dumpbin.mark_function(0x409426)
r2dumpbin.mark_function(0x409434)
r2dumpbin.mark_function(0x409442)
r2dumpbin.mark_function(0x409449)
# 0x40e023
r2dumpbin.mark_function(0x40e04d)
r2dumpbin.mark_function(0x40e059)
r2dumpbin.mark_function(0x40e065)
r2dumpbin.mark_function(0x40e071)
# 0x40ea9b
call_tab = [0x0040ec14, 0x0040ecf1, 0x0040ed8f, 0x0040ee50, 0x0040ef1b,
0x0040efe4, 0x0040f083, 0x0040f155, 0x0040f205, 0x0040f258,
0x0040ece6, 0x0040f2a0, 0x0040ece6, 0x0040ece6, 0x0040f2eb]
# 0x41034b
call_tab += [0x00410537, 0x00410572, 0x004105b9, 0x004105f4, 0x004105f4,
0x004105f4, 0x00410668, 0x004106c1, 0x004106c1, 0x00410745,
0x0041076e, 0x0041079c, 0x004107d8, 0x004107f3, 0x004107f3,
0x004107f3]
# 0x41038b
call_tab += [0x00410838, 0x00410838, 0x00410838, 0x004104a5, 0x0041095b,
0x00410969]
# 0x474d5c
call_tab += [0x4119e3, 0x411a86, 0x411a96]
# 0x475324
call_tab += [0x0041e6fe, 0x0041e779, 0x0041e9e2, 0x0041eae2,
0x0041e6e3, 0x0041e6e3, 0x0041ed3e, 0x0041ef26,
0x0041f037, 0x0041f1b3, 0x0041f400, 0x0041f6a9,
0x0041f901, 0x0041facc, 0x0041fe4e, 0x0041fe6f,
0x0041fe6f, 0x0041e6e3, 0x0041e6e3, 0x0041e6e3,
0x0041e6e3, 0x0041ff77, 0x0041fff8, 0x00420055,
0x004200ea, 0x004202d2, 0x0042040e, 0x0042062b,
0x004207cc]
# 0x475d5c
call_tab += [0x004420d8, 0x004421b4, 0x00442325, 0x00442622,
0x00442b02, 0x00442f4d, 0x0044309b, 0x00443225,
0x004434c0, 0x004436e0, 0x00443917, 0x00443b0f,
0x00443e3d, 0x00443f80, 0x004440ea, 0x004441dc,
0x004444bf, 0x004420d5, 0x004420d5, 0x004420d5,
0x004420d5, 0x00444c45, 0x00444e1a, 0x00444f25,
0x0044503f, 0x004451f0, 0x0044542d, 0x00445593,
0x00445710, 0x004458df]
# 0x475dd8 (begins at 0x475dd9)
call_tab += [0x00446afb, 0x00446baa, 0x00446c88, 0x00446d69,
0x00446e4a, 0x00446f05, 0x00446fbc, 0x004470f8,
0x00447295, 0x00447387, 0x00447428, 0x004479d2,
0x00447ace, 0x00447c00 ]
# 0x4898ca
call_tab += [0x457dda, 0x459c0c, 0x459ce1, 0x45bc21, 0x45c914,
0x45adb0, 0x45c50b, 0x45ce17, 0x45d00b, 0x457ddb,
0x45bcb1, 0x45a4c0]
# 0x489728
r2dumpbin.mark_function(0x45f7e8)
# endloc: references jump table 0x48998c
r2dumpbin.mark_function(0x45f133)
# referenced at fcn_0045a3a0
callbacks = [0x45a15e, 0x45a170, 0x45a182, 0x45a190, 0x45a142,
0x45a150, 0x45a1d5, 0x45a1df, 0x45a0b3, 0x45a11b,
0x45a087, 0x45a1b6, 0x45a1c4, 0x45a1bd, 0x45a1ce,
0x45a1f3, 0x45a378, 0x45a1e9, 0x45a1fd]
# referenced at fcn_0045ce17
callbacks += [0x45cdac, 0x45cdf0]
# CreateThread
callbacks += [0x45f738]
# SetConsoleCtrlHandler
callbacks += [0x45cb60]
# fcn_0045cdac
callbacks += [0x45cb3c, 0x45cd2a]
# fcn_00459bd3
callbacks += [0x459bc2, 0x459bcb]
for f in callbacks:
r2dumpbin.mark_function(f)
for f in call_tab:
r2dumpbin.mark_function(f)
r2dumpbin.run_tool()
|