10 Python Libraries for Malware Analysis and Reverse Engineering

You can fin more details from the original post in my blog

1 - Pefile

In [140]:
# pip install pefile
import pefile

exefile = "calc.exe"
exe = pefile.PE(exefile)
print(exe.__doc__)
A Portable Executable representation.

    This class provides access to most of the information in a PE file.

    It expects to be supplied the name of the file to load or PE data
    to process and an optional argument 'fast_load' (False by default)
    which controls whether to load all the directories information,
    which can be quite time consuming.

    pe = pefile.PE('module.dll')
    pe = pefile.PE(name='module.dll')

    would load 'module.dll' and process it. If the data is already
    available in a buffer the same can be achieved with:

    pe = pefile.PE(data=module_dll_data)

    The "fast_load" can be set to a default by setting its value in the
    module itself by means, for instance, of a "pefile.fast_load = True".
    That will make all the subsequent instances not to load the
    whole PE structure. The "full_load" method can be used to parse
    the missing data at a later stage.

    Basic headers information will be available in the attributes:

    DOS_HEADER
    NT_HEADERS
    FILE_HEADER
    OPTIONAL_HEADER

    All of them will contain among their attributes the members of the
    corresponding structures as defined in WINNT.H

    The raw data corresponding to the header (from the beginning of the
    file up to the start of the first section) will be available in the
    instance's attribute 'header' as a string.

    The sections will be available as a list in the 'sections' attribute.
    Each entry will contain as attributes all the structure's members.

    Directory entries will be available as attributes (if they exist):
    (no other entries are processed at this point)

    DIRECTORY_ENTRY_IMPORT (list of ImportDescData instances)
    DIRECTORY_ENTRY_EXPORT (ExportDirData instance)
    DIRECTORY_ENTRY_RESOURCE (ResourceDirData instance)
    DIRECTORY_ENTRY_DEBUG (list of DebugData instances)
    DIRECTORY_ENTRY_BASERELOC (list of BaseRelocationData instances)
    DIRECTORY_ENTRY_TLS
    DIRECTORY_ENTRY_BOUND_IMPORT (list of BoundImportData instances)

    The following dictionary attributes provide ways of mapping different
    constants. They will accept the numeric value and return the string
    representation and the opposite, feed in the string and get the
    numeric constant:

    DIRECTORY_ENTRY
    IMAGE_CHARACTERISTICS
    SECTION_CHARACTERISTICS
    DEBUG_TYPE
    SUBSYSTEM_TYPE
    MACHINE_TYPE
    RELOCATION_TYPE
    RESOURCE_TYPE
    LANG
    SUBLANG
    

2 - Pelief

In [141]:
# pip install lief

import lief

# ELF
#binary = lief.parse("/usr/bin/ls")
#print(binary)

# PE
binary = lief.parse("calc.exe")
print(binary.__doc__)
      Class which represents a PE binary which is the main interface
      to manage and modify a PE executable.

      This object can be instantiated through :func:`lief.parse` or :func:`lief.PE.parse` while
      the constructor of this object can be used to craft a binary from scratch (see: :ref:`02-pe-from-scratch`)
      

3 - Capstone

In [34]:
#pip install capstone

from capstone import *

exefile = "calc.exe"
exe = pefile.PE(exefile)

entry_point = exe.OPTIONAL_HEADER.AddressOfEntryPoint
data = exe.get_memory_mapped_image()[entry_point:]
cs = Cs(CS_ARCH_X86, CS_MODE_32)
rdbin = cs.disasm(data, 0x1000)

for i in rdbin:
    print("0x%x:\t%s\t%s" %(i.address, i.mnemonic, i.op_str))
0x1000:	dec	eax
0x1001:	sub	esp, 0x28
0x1004:	call	0xa24
0x1009:	dec	eax
0x100a:	add	esp, 0x28
0x100d:	jmp	0xd80
0x1012:	int3	
0x1013:	int3	
0x1014:	int3	
0x1015:	int3	
0x1016:	int3	
0x1017:	int3	
0x1018:	jno	0xfad
0x101a:	rcl	dword ptr [edx], cl
0x101c:	sar	dword ptr [edi], 0xc1
0x101f:	jecxz	0x1069
0x1021:	sub	esp, 0x28
0x1024:	dec	eax
0x1025:	mov	eax, dword ptr [ecx]
0x1027:	cmp	dword ptr [eax], 0xe06d7363
0x102d:	jne	0x1052
0x102f:	cmp	dword ptr [eax + 0x18], 4
0x1033:	jne	0x1052
0x1035:	mov	ecx, dword ptr [eax + 0x20]
0x1038:	lea	eax, [ecx - 0x19930520]
0x103e:	cmp	eax, 2
0x1041:	jbe	0x104b
0x1043:	cmp	ecx, 0x1994000
0x1049:	jne	0x1052
0x104b:	call	dword ptr [0xaaf]
0x1051:	int3	
0x1052:	xor	eax, eax
0x1054:	dec	eax
0x1055:	add	esp, 0x28
0x1058:	ret	
0x1059:	int3	
0x105a:	int3	
0x105b:	int3	
0x105c:	int3	
0x105d:	int3	
0x105e:	int3	
0x105f:	int3	
0x1060:	int3	
0x1061:	int3	
0x1062:	int3	
0x1063:	int3	
0x1064:	int3	
0x1065:	int3	
0x1066:	int3	
0x1067:	int3	
0x1068:	jno	0x109a
0x106a:	push	edx
0x106b:	pop	esi
0x106c:	inc	edi
0x106d:	daa	
0x106e:	add	eax, 0xec8348d3
0x1073:	sub	byte ptr [eax - 0x73], cl
0x1076:	or	eax, 0xffffffa5
0x107b:	call	dword ptr [0x9df]
0x1081:	xor	eax, eax
0x1083:	dec	eax
0x1084:	add	esp, 0x28
0x1087:	ret	
0x1088:	int3	
0x1089:	int3	
0x108a:	int3	
0x108b:	int3	
0x108c:	int3	
0x108d:	int3	
0x108e:	jmp	dword ptr [0xa8c]
0x1094:	int3	
0x1095:	int3	
0x1096:	int3	
0x1097:	int3	
0x1098:	int3	
0x1099:	int3	
0x109a:	int3	
0x109b:	int3	
0x109c:	dec	eax
0x109d:	sub	esp, 0x18
0x10a0:	xor	edx, edx
0x10a2:	dec	eax
0x10a3:	lea	eax, [ecx - 1]
0x10a6:	dec	eax
0x10a7:	cmp	eax, -3
0x10aa:	ja	0x10e8
0x10ac:	mov	eax, 0x5a4d
0x10b1:	cmp	word ptr [ecx], ax
0x10b4:	jne	0x10e0
0x10b6:	cmp	dword ptr [ecx + 0x3c], edx
0x10b9:	jl	0x10e0
0x10bb:	cmp	dword ptr [ecx + 0x3c], 0x10000000
0x10c2:	jae	0x10e0
0x10c4:	dec	eax
0x10c5:	arpl	word ptr [ecx + 0x3c], ax
0x10c8:	dec	eax
0x10c9:	add	eax, ecx
0x10cb:	dec	eax
0x10cc:	mov	dword ptr [esp], eax
0x10cf:	cmp	dword ptr [eax], 0x4550
0x10d5:	dec	eax
0x10d6:	cmovne	eax, edx
0x10d9:	dec	eax
0x10da:	mov	edx, eax
0x10dc:	dec	eax
0x10dd:	mov	dword ptr [esp], eax
0x10e0:	jmp	0x10e8
0x10e2:	xor	edx, edx
0x10e4:	dec	eax
0x10e5:	mov	dword ptr [esp], edx
0x10e8:	dec	eax
0x10e9:	mov	eax, edx
0x10eb:	dec	eax
0x10ec:	add	esp, 0x18
0x10ef:	ret	
0x10f0:	int3	
0x10f1:	int3	
0x10f2:	int3	
0x10f3:	int3	
0x10f4:	int3	
0x10f5:	int3	
0x10f6:	int3	
0x10f7:	int3	
0x10f8:	inc	eax
0x10f9:	push	ebx
0x10fa:	dec	eax
0x10fb:	sub	esp, 0x20
0x10fe:	mov	ebx, ecx
0x1100:	xor	ecx, ecx
0x1102:	call	dword ptr [0x998]
0x1108:	dec	eax
0x1109:	test	eax, eax
0x110b:	je	0x1135
0x110d:	dec	eax
0x110e:	mov	ecx, eax
0x1110:	call	0x109c
0x1115:	dec	eax
0x1116:	test	eax, eax
0x1118:	je	0x1135
0x111a:	mov	ecx, 2
0x111f:	cmp	word ptr [eax + 0x5c], cx
0x1123:	jne	0x1129
0x1125:	mov	eax, ecx
0x1127:	jmp	0x1137
0x1129:	cmp	word ptr [eax + 0x5c], 3
0x112e:	mov	eax, 1
0x1133:	je	0x1137
0x1135:	mov	eax, ebx
0x1137:	dec	eax
0x1138:	add	esp, 0x20
0x113b:	pop	ebx
0x113c:	ret	
0x113d:	int3	
0x113e:	int3	
0x113f:	int3	
0x1140:	int3	
0x1141:	int3	
0x1142:	int3	
0x1143:	jmp	dword ptr [0x9cf]
0x1149:	int3	
0x114a:	int3	
0x114b:	int3	
0x114c:	int3	
0x114d:	int3	
0x114e:	int3	
0x114f:	int3	
0x1150:	xor	eax, eax
0x1152:	ret	
0x1153:	int3	
0x1154:	int3	
0x1155:	int3	
0x1156:	int3	
0x1157:	int3	
0x1158:	int3	
0x1159:	int3	
0x115a:	int3	
0x115b:	int3	
0x115c:	int3	
0x115d:	int3	
0x115e:	int3	
0x115f:	int3	
0x1160:	dec	esp
0x1161:	arpl	word ptr [ecx + 0x3c], ax
0x1164:	inc	ebp
0x1165:	xor	ecx, ecx
0x1167:	dec	esp
0x1168:	add	eax, ecx
0x116a:	dec	esp
0x116b:	mov	edx, edx
0x116d:	inc	ecx
0x116e:	movzx	eax, word ptr [eax + 0x14]
0x1172:	inc	ebp
0x1173:	movzx	ebx, word ptr [eax + 6]
0x1177:	dec	eax
0x1178:	add	eax, 0x18
0x117b:	dec	ecx
0x117c:	add	eax, eax
0x117e:	inc	ebp
0x117f:	test	ebx, ebx
0x1181:	je	0x11a1
0x1183:	mov	edx, dword ptr [eax + 0xc]
0x1186:	dec	esp
0x1187:	cmp	edx, edx
0x1189:	jb	0x1195
0x118b:	mov	ecx, dword ptr [eax + 8]
0x118e:	add	ecx, edx
0x1190:	dec	esp
0x1191:	cmp	edx, ecx
0x1193:	jb	0x11a3
0x1195:	inc	ecx
0x1196:	inc	ecx
0x1198:	dec	eax
0x1199:	add	eax, 0x28
0x119c:	inc	ebp
0x119d:	cmp	ecx, ebx
0x119f:	jb	0x1183
0x11a1:	xor	eax, eax
0x11a3:	ret	
0x11a4:	int3	
0x11a5:	int3	
0x11a6:	int3	
0x11a7:	int3	
0x11a8:	int3	
0x11a9:	int3	
0x11aa:	int3	
0x11ab:	int3	
0x11ac:	int3	
0x11ad:	int3	
0x11ae:	int3	
0x11af:	int3	
0x11b0:	dec	eax
0x11b1:	mov	dword ptr [esp + 8], ebx
0x11b5:	push	edi
0x11b6:	dec	eax
0x11b7:	sub	esp, 0x20
0x11ba:	dec	eax
0x11bb:	mov	ebx, ecx
0x11bd:	dec	eax
0x11be:	lea	edi, [0xffffe6fc]
0x11c4:	dec	eax
0x11c5:	mov	ecx, edi
0x11c7:	call	0x1210
0x11cc:	test	eax, eax
0x11ce:	je	0x11f2
0x11d0:	dec	eax
0x11d1:	sub	ebx, edi
0x11d3:	dec	eax
0x11d4:	mov	edx, ebx
0x11d6:	dec	eax
0x11d7:	mov	ecx, edi
0x11d9:	call	0x1160
0x11de:	dec	eax
0x11df:	test	eax, eax
0x11e1:	je	0x11f2
0x11e3:	mov	eax, dword ptr [eax + 0x24]
0x11e6:	shr	eax, 0x1f
0x11e9:	not	eax
0x11eb:	and	eax, 1
0x11ee:	jmp	0x11f2
0x11f0:	xor	eax, eax
0x11f2:	dec	eax
0x11f3:	mov	ebx, dword ptr [esp + 0x30]
0x11f7:	dec	eax
0x11f8:	add	esp, 0x20
0x11fb:	pop	edi
0x11fc:	ret	
0x11fd:	int3	
0x11fe:	int3	
0x11ff:	int3	
0x1200:	int3	
0x1201:	int3	
0x1202:	int3	
0x1203:	int3	
0x1204:	int3	
0x1205:	int3	
0x1206:	int3	
0x1207:	int3	
0x1208:	int3	
0x1209:	int3	
0x120a:	int3	
0x120b:	int3	
0x120c:	int3	
0x120d:	int3	
0x120e:	int3	
0x120f:	int3	
0x1210:	mov	eax, 0x5a4d
0x1215:	cmp	word ptr [ecx], ax
0x1218:	jne	0x123a
0x121a:	dec	eax
0x121b:	arpl	word ptr [ecx + 0x3c], ax
0x121e:	dec	eax
0x121f:	add	eax, ecx
0x1221:	cmp	dword ptr [eax], 0x4550
0x1227:	jne	0x123a
0x1229:	mov	ecx, 0x20b
0x122e:	cmp	word ptr [eax + 0x18], cx
0x1232:	jne	0x123a
0x1234:	mov	eax, 1
0x1239:	ret	
0x123a:	xor	eax, eax
0x123c:	ret	
0x123d:	int3	
0x123e:	int3	
0x123f:	int3	
0x1240:	int3	
0x1241:	int3	
0x1242:	int3	
0x1243:	int3	
0x1244:	int3	
0x1245:	int3	
0x1246:	int3	
0x1247:	int3	
0x1248:	jno	0x12bb
0x124a:	push	esp
0x124b:	pop	eax
0x124c:	out	7, al
0x124e:	mov	al, bl
0x1250:	xor	eax, eax
0x1252:	ret	
0x1253:	int3	
0x1254:	int3	
0x1255:	int3	
0x1256:	int3	
0x1257:	int3	
0x1258:	int3	
0x1259:	jmp	dword ptr [0x879]
0x125f:	int3	
0x1260:	int3	
0x1261:	int3	
0x1262:	int3	
0x1263:	int3	
0x1264:	int3	
0x1265:	jmp	dword ptr [0x875]
0x126b:	int3	
0x126c:	int3	
0x126d:	int3	
0x126e:	int3	
0x126f:	int3	
0x1270:	int3	
0x1271:	int3	
0x1272:	int3	
0x1273:	int3	
0x1274:	int3	
0x1275:	int3	
0x1276:	int3	
0x1277:	int3	
0x1278:	int3	
0x1279:	int3	
0x127a:	int3	
0x127b:	int3	
0x127c:	int3	
0x127d:	int3	
0x127e:	int3	
0x127f:	int3	
0x1280:	ret	0
0x1283:	int3	
0x1284:	int3	
0x1285:	int3	
0x1286:	int3	
0x1287:	int3	
0x1288:	int3	
0x1289:	int3	
0x128a:	int3	
0x128b:	int3	
0x128c:	int3	
0x128d:	int3	
0x128e:	int3	
0x128f:	int3	
0x1290:	int3	
0x1291:	int3	
0x1292:	int3	
0x1293:	int3	
0x1294:	int3	
0x1295:	int3	
0x1296:	int3	
0x1297:	int3	
0x1298:	nop	
0x129a:	ret	
0x129b:	int3	
0x129c:	int3	
0x129d:	int3	
0x129e:	int3	
0x129f:	int3	
0x12a0:	int3	
0x12a1:	int3	
0x12a2:	int3	
0x12a3:	int3	
0x12a4:	dec	eax
0x12a5:	sub	esp, 0x88
0x12ab:	dec	eax
0x12ac:	mov	eax, dword ptr [0x164e]
0x12b2:	dec	eax
0x12b3:	xor	eax, esp
0x12b5:	dec	eax
0x12b6:	mov	dword ptr [esp + 0x70], eax
0x12ba:	dec	eax
0x12bb:	cmp	dword ptr [0x161e], 0
0x12c2:	dec	eax
0x12c3:	mov	eax, dword ptr [0x15ff]
0x12c9:	movups	xmm0, xmmword ptr [eax - 0x10]
0x12cd:	movdqu	xmmword ptr [esp + 0x30], xmm0
0x12d3:	je	0x12dc
0x12d5:	mov	ecx, 5
0x12da:	int	0x29
0x12dc:	xorps	xmm0, xmm0
0x12df:	dec	esp
0x12e0:	lea	ecx, [0x15fa]
0x12e6:	dec	esp
0x12e7:	lea	eax, [0x15d3]
0x12ed:	dec	eax
0x12ee:	lea	edx, [0xfffff5dc]
0x12f4:	dec	eax
0x12f5:	lea	ecx, [esp + 0x30]
0x12f9:	movdqu	xmmword ptr [0x15e7], xmm0
0x1301:	dec	eax
0x1302:	call	dword ptr [0x710]
0x1308:	nop	dword ptr [eax + eax]
0x130d:	test	eax, eax
0x130f:	jne	0x1332
0x1311:	dec	esp
0x1312:	mov	eax, dword ptr [0x15b0]
0x1318:	lea	edx, [eax + 2]
0x131b:	dec	eax
0x131c:	mov	ecx, dword ptr [0x15be]
0x1322:	inc	ebp
0x1323:	movzx	ecx, word ptr [eax]
0x1326:	dec	eax
0x1327:	call	dword ptr [0x6db]
0x132d:	nop	dword ptr [eax + eax]
0x1332:	cmp	dword ptr [0x1587], 5
0x1339:	jbe	0x13a5
0x133b:	dec	eax
0x133c:	mov	ecx, 0
0x1341:	add	byte ptr [eax], al
0x1343:	add	al, byte ptr [eax]
0x1345:	dec	eax
0x1346:	test	dword ptr [0x1584], ecx
0x134c:	je	0x13a5
0x134e:	dec	eax
0x134f:	mov	eax, dword ptr [0x1583]
0x1355:	dec	eax
0x1356:	and	eax, ecx
0x1358:	dec	eax
0x1359:	cmp	eax, dword ptr [0x1579]
0x135f:	jne	0x13a5
0x1361:	and	dword ptr [esp + 0x6c], 0
0x1366:	dec	eax
0x1367:	lea	eax, [0x883]
0x136d:	dec	eax
0x136e:	mov	dword ptr [esp + 0x60], eax
0x1372:	dec	eax
0x1373:	lea	edx, [0x918]
0x1379:	dec	eax
0x137a:	lea	eax, [esp + 0x40]
0x137e:	mov	dword ptr [esp + 0x68], 0x12
0x1386:	dec	eax
0x1387:	mov	dword ptr [esp + 0x28], eax
0x138b:	dec	eax
0x138c:	lea	ecx, [0x152e]
0x1392:	inc	ebp
0x1393:	xor	ecx, ecx
0x1395:	mov	dword ptr [esp + 0x20], 3
0x139d:	inc	ebp
0x139e:	xor	eax, eax
0x13a0:	call	0x958
0x13a5:	mov	dword ptr [esp + 0x28], 1
0x13ad:	dec	esp
0x13ae:	lea	eax, [0x854]
0x13b4:	dec	eax
0x13b5:	and	dword ptr [esp + 0x20], 0
0x13ba:	inc	ebp
0x13bb:	xor	ecx, ecx
0x13bd:	xor	edx, edx
0x13bf:	xor	ecx, ecx
0x13c1:	dec	eax
0x13c2:	call	dword ptr [0x6c8]
0x13c8:	nop	dword ptr [eax + eax]
0x13cd:	xor	eax, eax
0x13cf:	dec	eax
0x13d0:	mov	ecx, dword ptr [esp + 0x70]
0x13d4:	dec	eax
0x13d5:	xor	ecx, esp
0x13d7:	call	0xa00
0x13dc:	dec	eax
0x13dd:	add	esp, 0x88
0x13e3:	ret	
0x13e4:	int3	
0x13e5:	int3	
0x13e6:	int3	
0x13e7:	int3	
0x13e8:	int3	
0x13e9:	int3	
0x13ea:	int3	
0x13eb:	int3	
0x13ec:	dec	eax
0x13ed:	sub	esp, 0x28
0x13f0:	dec	ebp
0x13f1:	mov	eax, dword ptr [ecx + 0x38]
0x13f4:	dec	eax
0x13f5:	mov	ecx, edx
0x13f7:	dec	ecx
0x13f8:	mov	edx, ecx
0x13fa:	call	0x1410
0x13ff:	mov	eax, 1
0x1404:	dec	eax
0x1405:	add	esp, 0x28
0x1408:	ret	
0x1409:	int3	
0x140a:	int3	
0x140b:	int3	
0x140c:	int3	
0x140d:	int3	
0x140e:	int3	
0x140f:	int3	
0x1410:	inc	eax
0x1411:	push	ebx
0x1412:	inc	ebp
0x1413:	mov	ebx, dword ptr [eax]
0x1415:	dec	eax
0x1416:	mov	ebx, edx
0x1418:	inc	ecx
0x1419:	and	ebx, 0xfffffff8
0x141c:	dec	esp
0x141d:	mov	ecx, ecx
0x141f:	inc	ecx
0x1420:	test	byte ptr [eax], 4
0x1423:	dec	esp
0x1424:	mov	edx, ecx
0x1426:	je	0x143b
0x1428:	inc	ecx
0x1429:	mov	eax, dword ptr [eax + 8]
0x142c:	dec	ebp
0x142d:	arpl	word ptr [eax + 4], dx
0x1430:	neg	eax
0x1432:	dec	esp
0x1433:	add	edx, ecx
0x1435:	dec	eax
0x1436:	arpl	ax, cx
0x1438:	dec	esp
0x1439:	and	edx, ecx
0x143b:	dec	ecx
0x143c:	arpl	bx, ax
0x143e:	dec	edx
0x143f:	mov	edx, dword ptr [eax + edx]
0x1442:	dec	eax
0x1443:	mov	eax, dword ptr [ebx + 0x10]
0x1446:	mov	ecx, dword ptr [eax + 8]
0x1449:	dec	eax
0x144a:	mov	eax, dword ptr [ebx + 8]
0x144d:	test	byte ptr [ecx + eax + 3], 0xf
0x1452:	je	0x145f
0x1454:	movzx	eax, byte ptr [ecx + eax + 3]
0x1459:	and	eax, 0xfffffff0
0x145c:	dec	esp
0x145d:	add	ecx, eax
0x145f:	dec	esp
0x1460:	xor	ecx, edx
0x1462:	dec	ecx
0x1463:	mov	ecx, ecx
0x1465:	pop	ebx
0x1466:	jmp	0xa00
0x146b:	int3	
0x146c:	int3	
0x146d:	int3	
0x146e:	int3	
0x146f:	int3	
0x1470:	int3	
0x1471:	int3	
0x1472:	int3	
0x1473:	int3	
0x1474:	int3	
0x1475:	int3	
0x1476:	nop	word ptr [eax + eax]
0x1480:	jmp	eax
0x1482:	int3	
0x1483:	int3	
0x1484:	int3	
0x1485:	int3	
0x1486:	int3	
0x1487:	int3	
0x1488:	int3	
0x1489:	int3	
0x148a:	int3	
0x148b:	int3	
0x148c:	int3	
0x148d:	int3	
0x148e:	int3	
0x148f:	int3	
0x1490:	int3	
0x1491:	int3	
0x1492:	int3	
0x1493:	int3	
0x1494:	int3	
0x1495:	int3	
0x1496:	nop	word ptr [eax + eax]
0x14a0:	jmp	dword ptr [0x6aa]
0x14a6:	int3	
0x14a7:	int3	
0x14a8:	int3	
0x14a9:	int3	
0x14aa:	int3	
0x14ab:	int3	
0x14ac:	int3	
0x14ad:	int3	
0x14ae:	int3	
0x14af:	int3	
0x14b0:	inc	eax
0x14b1:	push	ebp
0x14b2:	dec	eax
0x14b3:	sub	esp, 0x20
0x14b6:	dec	eax
0x14b7:	mov	ebp, edx
0x14b9:	dec	eax
0x14ba:	mov	eax, dword ptr [ecx]
0x14bc:	dec	eax
0x14bd:	mov	edx, ecx
0x14bf:	mov	ecx, dword ptr [eax]
0x14c1:	call	0x108e
0x14c6:	nop	
0x14c7:	dec	eax
0x14c8:	add	esp, 0x20
0x14cb:	pop	ebp
0x14cc:	ret	
0x14cd:	int3	
0x14ce:	int3	
0x14cf:	int3	
0x14d0:	int3	
0x14d1:	int3	
0x14d2:	int3	
0x14d3:	int3	
0x14d4:	int3	
0x14d5:	int3	
0x14d6:	int3	
0x14d7:	int3	
0x14d8:	int3	
0x14d9:	int3	
0x14da:	int3	
0x14db:	int3	
0x14dc:	int3	
0x14dd:	int3	
0x14de:	int3	
0x14df:	int3	
0x14e0:	inc	eax
0x14e1:	push	ebp
0x14e2:	dec	eax
0x14e3:	sub	esp, 0x20
0x14e6:	dec	eax
0x14e7:	mov	ebp, edx
0x14e9:	dec	eax
0x14ea:	mov	eax, dword ptr [ecx]
0x14ec:	xor	ecx, ecx
0x14ee:	cmp	dword ptr [eax], 0xc0000005
0x14f4:	sete	cl
0x14f7:	mov	eax, ecx
0x14f9:	dec	eax
0x14fa:	add	esp, 0x20
0x14fd:	pop	ebp
0x14fe:	ret	
0x14ff:	int3	
0x1500:	add	byte ptr [eax], al
0x1502:	add	byte ptr [eax], al
0x1504:	add	byte ptr [eax], al
0x1506:	add	byte ptr [eax], al
0x1508:	add	byte ptr [eax], al
0x150a:	add	byte ptr [eax], al
0x150c:	add	byte ptr [eax], al
0x150e:	add	byte ptr [eax], al
0x1510:	add	byte ptr [eax], al
0x1512:	add	byte ptr [eax], al
0x1514:	add	byte ptr [eax], al
0x1516:	add	byte ptr [eax], al
0x1518:	add	byte ptr [eax], al
0x151a:	add	byte ptr [eax], al
0x151c:	add	byte ptr [eax], al
0x151e:	add	byte ptr [eax], al
0x1520:	add	byte ptr [eax], al
0x1522:	add	byte ptr [eax], al
0x1524:	add	byte ptr [eax], al
0x1526:	add	byte ptr [eax], al
0x1528:	add	byte ptr [eax], al
0x152a:	add	byte ptr [eax], al
0x152c:	add	byte ptr [eax], al
0x152e:	add	byte ptr [eax], al
0x1530:	add	byte ptr [eax], al
0x1532:	add	byte ptr [eax], al
0x1534:	add	byte ptr [eax], al
0x1536:	add	byte ptr [eax], al
0x1538:	add	byte ptr [eax], al
0x153a:	add	byte ptr [eax], al
0x153c:	add	byte ptr [eax], al
0x153e:	add	byte ptr [eax], al
0x1540:	add	byte ptr [eax], al
0x1542:	add	byte ptr [eax], al
0x1544:	add	byte ptr [eax], al
0x1546:	add	byte ptr [eax], al
0x1548:	add	byte ptr [eax], al
0x154a:	add	byte ptr [eax], al
0x154c:	add	byte ptr [eax], al
0x154e:	add	byte ptr [eax], al
0x1550:	add	byte ptr [eax], al
0x1552:	add	byte ptr [eax], al
0x1554:	add	byte ptr [eax], al
0x1556:	add	byte ptr [eax], al
0x1558:	add	byte ptr [eax], al
0x155a:	add	byte ptr [eax], al
0x155c:	add	byte ptr [eax], al
0x155e:	add	byte ptr [eax], al
0x1560:	add	byte ptr [eax], al
0x1562:	add	byte ptr [eax], al
0x1564:	add	byte ptr [eax], al
0x1566:	add	byte ptr [eax], al
0x1568:	add	byte ptr [eax], al
0x156a:	add	byte ptr [eax], al
0x156c:	add	byte ptr [eax], al
0x156e:	add	byte ptr [eax], al
0x1570:	add	byte ptr [eax], al
0x1572:	add	byte ptr [eax], al
0x1574:	add	byte ptr [eax], al
0x1576:	add	byte ptr [eax], al
0x1578:	add	byte ptr [eax], al
0x157a:	add	byte ptr [eax], al
0x157c:	add	byte ptr [eax], al
0x157e:	add	byte ptr [eax], al
0x1580:	add	byte ptr [eax], al
0x1582:	add	byte ptr [eax], al
0x1584:	add	byte ptr [eax], al
0x1586:	add	byte ptr [eax], al
0x1588:	add	byte ptr [eax], al
0x158a:	add	byte ptr [eax], al
0x158c:	add	byte ptr [eax], al
0x158e:	add	byte ptr [eax], al
0x1590:	add	byte ptr [eax], al
0x1592:	add	byte ptr [eax], al
0x1594:	add	byte ptr [eax], al
0x1596:	add	byte ptr [eax], al
0x1598:	add	byte ptr [eax], al
0x159a:	add	byte ptr [eax], al
0x159c:	add	byte ptr [eax], al
0x159e:	add	byte ptr [eax], al
0x15a0:	add	byte ptr [eax], al
0x15a2:	add	byte ptr [eax], al
0x15a4:	add	byte ptr [eax], al
0x15a6:	add	byte ptr [eax], al
0x15a8:	add	byte ptr [eax], al
0x15aa:	add	byte ptr [eax], al
0x15ac:	add	byte ptr [eax], al
0x15ae:	add	byte ptr [eax], al
0x15b0:	add	byte ptr [eax], al
0x15b2:	add	byte ptr [eax], al
0x15b4:	add	byte ptr [eax], al
0x15b6:	add	byte ptr [eax], al
0x15b8:	add	byte ptr [eax], al
0x15ba:	add	byte ptr [eax], al
0x15bc:	add	byte ptr [eax], al
0x15be:	add	byte ptr [eax], al
0x15c0:	add	byte ptr [eax], al
0x15c2:	add	byte ptr [eax], al
0x15c4:	add	byte ptr [eax], al
0x15c6:	add	byte ptr [eax], al
0x15c8:	add	byte ptr [eax], al
0x15ca:	add	byte ptr [eax], al
0x15cc:	add	byte ptr [eax], al
0x15ce:	add	byte ptr [eax], al
0x15d0:	add	byte ptr [eax], al
0x15d2:	add	byte ptr [eax], al
0x15d4:	add	byte ptr [eax], al
0x15d6:	add	byte ptr [eax], al
0x15d8:	add	byte ptr [eax], al
0x15da:	add	byte ptr [eax], al
0x15dc:	add	byte ptr [eax], al
0x15de:	add	byte ptr [eax], al
0x15e0:	add	byte ptr [eax], al
0x15e2:	add	byte ptr [eax], al
0x15e4:	add	byte ptr [eax], al
0x15e6:	add	byte ptr [eax], al
0x15e8:	add	byte ptr [eax], al
0x15ea:	add	byte ptr [eax], al
0x15ec:	add	byte ptr [eax], al
0x15ee:	add	byte ptr [eax], al
0x15f0:	add	byte ptr [eax], al
0x15f2:	add	byte ptr [eax], al
0x15f4:	add	byte ptr [eax], al
0x15f6:	add	byte ptr [eax], al
0x15f8:	add	byte ptr [eax], al
0x15fa:	add	byte ptr [eax], al
0x15fc:	add	byte ptr [eax], al
0x15fe:	add	byte ptr [eax], al
0x1600:	add	byte ptr [eax], al
0x1602:	add	byte ptr [eax], al
0x1604:	add	byte ptr [eax], al
0x1606:	add	byte ptr [eax], al
0x1608:	add	byte ptr [eax], al
0x160a:	add	byte ptr [eax], al
0x160c:	add	byte ptr [eax], al
0x160e:	add	byte ptr [eax], al
0x1610:	add	byte ptr [eax], al
0x1612:	add	byte ptr [eax], al
0x1614:	add	byte ptr [eax], al
0x1616:	add	byte ptr [eax], al
0x1618:	add	byte ptr [eax], al
0x161a:	add	byte ptr [eax], al
0x161c:	add	byte ptr [eax], al
0x161e:	add	byte ptr [eax], al
0x1620:	add	byte ptr [eax], al
0x1622:	add	byte ptr [eax], al
0x1624:	add	byte ptr [eax], al
0x1626:	add	byte ptr [eax], al
0x1628:	add	byte ptr [eax], al
0x162a:	add	byte ptr [eax], al
0x162c:	add	byte ptr [eax], al
0x162e:	add	byte ptr [eax], al
0x1630:	add	byte ptr [eax], al
0x1632:	add	byte ptr [eax], al
0x1634:	add	byte ptr [eax], al
0x1636:	add	byte ptr [eax], al
0x1638:	add	byte ptr [eax], al
0x163a:	add	byte ptr [eax], al
0x163c:	add	byte ptr [eax], al
0x163e:	add	byte ptr [eax], al
0x1640:	add	byte ptr [eax], al
0x1642:	add	byte ptr [eax], al
0x1644:	add	byte ptr [eax], al
0x1646:	add	byte ptr [eax], al
0x1648:	add	byte ptr [eax], al
0x164a:	add	byte ptr [eax], al
0x164c:	add	byte ptr [eax], al
0x164e:	add	byte ptr [eax], al
0x1650:	add	byte ptr [eax], al
0x1652:	add	byte ptr [eax], al
0x1654:	add	byte ptr [eax], al
0x1656:	add	byte ptr [eax], al
0x1658:	add	byte ptr [eax], al
0x165a:	add	byte ptr [eax], al
0x165c:	add	byte ptr [eax], al
0x165e:	add	byte ptr [eax], al
0x1660:	add	byte ptr [eax], al
0x1662:	add	byte ptr [eax], al
0x1664:	add	byte ptr [eax], al
0x1666:	add	byte ptr [eax], al
0x1668:	add	byte ptr [eax], al
0x166a:	add	byte ptr [eax], al
0x166c:	add	byte ptr [eax], al
0x166e:	add	byte ptr [eax], al
0x1670:	add	byte ptr [eax], al
0x1672:	add	byte ptr [eax], al
0x1674:	add	byte ptr [eax], al
0x1676:	add	byte ptr [eax], al
0x1678:	add	byte ptr [eax], al
0x167a:	add	byte ptr [eax], al
0x167c:	add	byte ptr [eax], al
0x167e:	add	byte ptr [eax], al
0x1680:	add	byte ptr [eax], al
0x1682:	add	byte ptr [eax], al
0x1684:	add	byte ptr [eax], al
0x1686:	add	byte ptr [eax], al
0x1688:	add	byte ptr [eax], al
0x168a:	add	byte ptr [eax], al
0x168c:	add	byte ptr [eax], al
0x168e:	add	byte ptr [eax], al
0x1690:	add	byte ptr [eax], al
0x1692:	add	byte ptr [eax], al
0x1694:	add	byte ptr [eax], al
0x1696:	add	byte ptr [eax], al
0x1698:	add	byte ptr [eax], al
0x169a:	add	byte ptr [eax], al
0x169c:	add	byte ptr [eax], al
0x169e:	add	byte ptr [eax], al
0x16a0:	add	byte ptr [eax], al
0x16a2:	add	byte ptr [eax], al
0x16a4:	add	byte ptr [eax], al
0x16a6:	add	byte ptr [eax], al
0x16a8:	add	byte ptr [eax], al
0x16aa:	add	byte ptr [eax], al
0x16ac:	add	byte ptr [eax], al
0x16ae:	add	byte ptr [eax], al
0x16b0:	add	byte ptr [eax], al
0x16b2:	add	byte ptr [eax], al
0x16b4:	add	byte ptr [eax], al
0x16b6:	add	byte ptr [eax], al
0x16b8:	add	byte ptr [eax], al
0x16ba:	add	byte ptr [eax], al
0x16bc:	add	byte ptr [eax], al
0x16be:	add	byte ptr [eax], al
0x16c0:	add	byte ptr [eax], al
0x16c2:	add	byte ptr [eax], al
0x16c4:	add	byte ptr [eax], al
0x16c6:	add	byte ptr [eax], al
0x16c8:	add	byte ptr [eax], al
0x16ca:	add	byte ptr [eax], al
0x16cc:	add	byte ptr [eax], al
0x16ce:	add	byte ptr [eax], al
0x16d0:	add	byte ptr [eax], al
0x16d2:	add	byte ptr [eax], al
0x16d4:	add	byte ptr [eax], al
0x16d6:	add	byte ptr [eax], al
0x16d8:	add	byte ptr [eax], al
0x16da:	add	byte ptr [eax], al
0x16dc:	add	byte ptr [eax], al
0x16de:	add	byte ptr [eax], al
0x16e0:	add	byte ptr [eax], al
0x16e2:	add	byte ptr [eax], al
0x16e4:	add	byte ptr [eax], al
0x16e6:	add	byte ptr [eax], al
0x16e8:	add	byte ptr [eax], al
0x16ea:	add	byte ptr [eax], al
0x16ec:	add	byte ptr [eax], al
0x16ee:	add	byte ptr [eax], al
0x16f0:	add	byte ptr [eax], al
0x16f2:	add	byte ptr [eax], al
0x16f4:	add	byte ptr [eax], al
0x16f6:	add	byte ptr [eax], al
0x16f8:	add	byte ptr [eax], al
0x16fa:	add	byte ptr [eax], al
0x16fc:	add	byte ptr [eax], al
0x16fe:	add	byte ptr [eax], al
0x1700:	add	byte ptr [eax], al
0x1702:	add	byte ptr [eax], al
0x1704:	add	byte ptr [eax], al
0x1706:	add	byte ptr [eax], al
0x1708:	add	byte ptr [eax], al
0x170a:	add	byte ptr [eax], al
0x170c:	add	byte ptr [eax], al
0x170e:	add	byte ptr [eax], al
0x1710:	add	byte ptr [eax], al
0x1712:	add	byte ptr [eax], al
0x1714:	add	byte ptr [eax], al
0x1716:	add	byte ptr [eax], al
0x1718:	add	byte ptr [eax], al
0x171a:	add	byte ptr [eax], al
0x171c:	add	byte ptr [eax], al
0x171e:	add	byte ptr [eax], al
0x1720:	add	byte ptr [eax], al
0x1722:	add	byte ptr [eax], al
0x1724:	add	byte ptr [eax], al
0x1726:	add	byte ptr [eax], al
0x1728:	add	byte ptr [eax], al
0x172a:	add	byte ptr [eax], al
0x172c:	add	byte ptr [eax], al
0x172e:	add	byte ptr [eax], al
0x1730:	add	byte ptr [eax], al
0x1732:	add	byte ptr [eax], al
0x1734:	add	byte ptr [eax], al
0x1736:	add	byte ptr [eax], al
0x1738:	add	byte ptr [eax], al
0x173a:	add	byte ptr [eax], al
0x173c:	add	byte ptr [eax], al
0x173e:	add	byte ptr [eax], al
0x1740:	add	byte ptr [eax], al
0x1742:	add	byte ptr [eax], al
0x1744:	add	byte ptr [eax], al
0x1746:	add	byte ptr [eax], al
0x1748:	add	byte ptr [eax], al
0x174a:	add	byte ptr [eax], al
0x174c:	add	byte ptr [eax], al
0x174e:	add	byte ptr [eax], al
0x1750:	add	byte ptr [eax], al
0x1752:	add	byte ptr [eax], al
0x1754:	add	byte ptr [eax], al
0x1756:	add	byte ptr [eax], al
0x1758:	add	byte ptr [eax], al
0x175a:	add	byte ptr [eax], al
0x175c:	add	byte ptr [eax], al
0x175e:	add	byte ptr [eax], al
0x1760:	add	byte ptr [eax], al
0x1762:	add	byte ptr [eax], al
0x1764:	add	byte ptr [eax], al
0x1766:	add	byte ptr [eax], al
0x1768:	add	byte ptr [eax], al
0x176a:	add	byte ptr [eax], al
0x176c:	add	byte ptr [eax], al
0x176e:	add	byte ptr [eax], al
0x1770:	add	byte ptr [eax], al
0x1772:	add	byte ptr [eax], al
0x1774:	add	byte ptr [eax], al
0x1776:	add	byte ptr [eax], al
0x1778:	add	byte ptr [eax], al
0x177a:	add	byte ptr [eax], al
0x177c:	add	byte ptr [eax], al
0x177e:	add	byte ptr [eax], al
0x1780:	add	byte ptr [eax], al
0x1782:	add	byte ptr [eax], al
0x1784:	add	byte ptr [eax], al
0x1786:	add	byte ptr [eax], al
0x1788:	add	byte ptr [eax], al
0x178a:	add	byte ptr [eax], al
0x178c:	add	byte ptr [eax], al
0x178e:	add	byte ptr [eax], al
0x1790:	add	byte ptr [eax], al
0x1792:	add	byte ptr [eax], al
0x1794:	add	byte ptr [eax], al
0x1796:	add	byte ptr [eax], al
0x1798:	add	byte ptr [eax], al
0x179a:	add	byte ptr [eax], al
0x179c:	add	byte ptr [eax], al
0x179e:	add	byte ptr [eax], al
0x17a0:	add	byte ptr [eax], al
0x17a2:	add	byte ptr [eax], al
0x17a4:	add	byte ptr [eax], al
0x17a6:	add	byte ptr [eax], al
0x17a8:	add	byte ptr [eax], al
0x17aa:	add	byte ptr [eax], al
0x17ac:	add	byte ptr [eax], al
0x17ae:	add	byte ptr [eax], al
0x17b0:	add	byte ptr [eax], al
0x17b2:	add	byte ptr [eax], al
0x17b4:	add	byte ptr [eax], al
0x17b6:	add	byte ptr [eax], al
0x17b8:	add	byte ptr [eax], al
0x17ba:	add	byte ptr [eax], al
0x17bc:	add	byte ptr [eax], al
0x17be:	add	byte ptr [eax], al
0x17c0:	add	byte ptr [eax], al
0x17c2:	add	byte ptr [eax], al
0x17c4:	add	byte ptr [eax], al
0x17c6:	add	byte ptr [eax], al
0x17c8:	add	byte ptr [eax], al
0x17ca:	add	byte ptr [eax], al
0x17cc:	add	byte ptr [eax], al
0x17ce:	add	byte ptr [eax], al
0x17d0:	add	byte ptr [eax], al
0x17d2:	add	byte ptr [eax], al
0x17d4:	add	byte ptr [eax], al
0x17d6:	add	byte ptr [eax], al
0x17d8:	add	byte ptr [eax], al
0x17da:	add	byte ptr [eax], al
0x17dc:	add	byte ptr [eax], al
0x17de:	add	byte ptr [eax], al
0x17e0:	add	byte ptr [eax], al
0x17e2:	add	byte ptr [eax], al
0x17e4:	add	byte ptr [eax], al
0x17e6:	add	byte ptr [eax], al
0x17e8:	add	byte ptr [eax], al
0x17ea:	add	byte ptr [eax], al
0x17ec:	add	byte ptr [eax], al
0x17ee:	add	byte ptr [eax], al
0x17f0:	add	byte ptr [eax], al
0x17f2:	add	byte ptr [eax], al
0x17f4:	add	byte ptr [eax], al
0x17f6:	add	byte ptr [eax], al
0x17f8:	add	byte ptr [eax], al
0x17fa:	add	byte ptr [eax], al
0x17fc:	add	byte ptr [eax], al
0x17fe:	add	byte ptr [eax], al
0x1800:	add	byte ptr [eax], al
0x1802:	add	byte ptr [eax], al
0x1804:	add	byte ptr [eax], al
0x1806:	add	byte ptr [eax], al
0x1808:	add	byte ptr [eax], al
0x180a:	add	byte ptr [eax], al
0x180c:	add	byte ptr [eax], al
0x180e:	add	byte ptr [eax], al
0x1810:	add	byte ptr [eax], al
0x1812:	add	byte ptr [eax], al
0x1814:	add	byte ptr [eax], al
0x1816:	add	byte ptr [eax], al
0x1818:	add	byte ptr [eax], al
0x181a:	add	byte ptr [eax], al
0x181c:	add	byte ptr [eax], al
0x181e:	add	byte ptr [eax], al
0x1820:	add	byte ptr [eax], al
0x1822:	add	byte ptr [eax], al
0x1824:	add	byte ptr [eax], al
0x1826:	add	byte ptr [eax], al
0x1828:	add	byte ptr [eax], al
0x182a:	add	byte ptr [eax], al
0x182c:	add	byte ptr [eax], al
0x182e:	add	byte ptr [eax], al
0x1830:	add	byte ptr [eax], al
0x1832:	add	byte ptr [eax], al
0x1834:	add	byte ptr [eax], al
0x1836:	add	byte ptr [eax], al
0x1838:	add	byte ptr [eax], al
0x183a:	add	byte ptr [eax], al
0x183c:	add	byte ptr [eax], al
0x183e:	add	byte ptr [eax], al
0x1840:	add	byte ptr [eax], al
0x1842:	add	byte ptr [eax], al
0x1844:	add	byte ptr [eax], al
0x1846:	add	byte ptr [eax], al
0x1848:	add	byte ptr [eax], al
0x184a:	add	byte ptr [eax], al
0x184c:	add	byte ptr [eax], al
0x184e:	add	byte ptr [eax], al
0x1850:	add	byte ptr [eax], al
0x1852:	add	byte ptr [eax], al
0x1854:	add	byte ptr [eax], al
0x1856:	add	byte ptr [eax], al
0x1858:	add	byte ptr [eax], al
0x185a:	add	byte ptr [eax], al
0x185c:	add	byte ptr [eax], al
0x185e:	add	byte ptr [eax], al
0x1860:	add	byte ptr [eax], al
0x1862:	add	byte ptr [eax], al
0x1864:	add	byte ptr [eax], al
0x1866:	add	byte ptr [eax], al
0x1868:	add	byte ptr [eax], al
0x186a:	add	byte ptr [eax], al
0x186c:	add	byte ptr [eax], al
0x186e:	add	byte ptr [eax], al
0x1870:	add	byte ptr [eax], al
0x1872:	add	byte ptr [eax], al
0x1874:	add	byte ptr [eax], al
0x1876:	add	byte ptr [eax], al
0x1878:	add	byte ptr [eax], al
0x187a:	add	byte ptr [eax], al
0x187c:	add	byte ptr [eax], al
0x187e:	add	byte ptr [eax], al
0x1880:	add	byte ptr [eax], al
0x1882:	add	byte ptr [eax], al
0x1884:	add	byte ptr [eax], al
0x1886:	add	byte ptr [eax], al
0x1888:	add	byte ptr [eax], al
0x188a:	add	byte ptr [eax], al
0x188c:	add	byte ptr [eax], al
0x188e:	add	byte ptr [eax], al
0x1890:	add	byte ptr [eax], al
0x1892:	add	byte ptr [eax], al
0x1894:	add	byte ptr [eax], al
0x1896:	add	byte ptr [eax], al
0x1898:	add	byte ptr [eax], al
0x189a:	add	byte ptr [eax], al
0x189c:	add	byte ptr [eax], al
0x189e:	add	byte ptr [eax], al
0x18a0:	add	byte ptr [eax], al
0x18a2:	add	byte ptr [eax], al
0x18a4:	add	byte ptr [eax], al
0x18a6:	add	byte ptr [eax], al
0x18a8:	add	byte ptr [eax], al
0x18aa:	add	byte ptr [eax], al
0x18ac:	add	byte ptr [eax], al
0x18ae:	add	byte ptr [eax], al
0x18b0:	add	byte ptr [eax], al
0x18b2:	add	byte ptr [eax], al
0x18b4:	add	byte ptr [eax], al
0x18b6:	add	byte ptr [eax], al
0x18b8:	add	byte ptr [eax], al
0x18ba:	add	byte ptr [eax], al
0x18bc:	add	byte ptr [eax], al
0x18be:	add	byte ptr [eax], al
0x18c0:	pushal	
0x18c1:	xor	byte ptr [eax], al
0x18c3:	inc	eax
0x18c4:	add	dword ptr [eax], eax
0x18c6:	add	byte ptr [eax], al
0x18c8:	add	byte ptr [ecx], dh
0x18ca:	add	byte ptr [eax + 1], al
0x18cd:	add	byte ptr [eax], al
0x18cf:	add	byte ptr [eax], bh
0x18d1:	add	dword ptr [eax], eax
0x18d3:	add	byte ptr [eax], al
0x18d5:	add	byte ptr [eax], al
0x18d7:	add	byte ptr [eax], al
0x18d9:	add	byte ptr [eax], al
0x18db:	add	byte ptr [eax], al
0x18dd:	add	byte ptr [eax], al
0x18df:	add	byte ptr [eax], al
0x18e1:	add	byte ptr [eax], al
0x18e3:	add	byte ptr [eax], al
0x18e5:	add	byte ptr [eax], al
0x18e7:	add	byte ptr [eax], al
0x18e9:	add	byte ptr [eax], al
0x18eb:	add	byte ptr [eax], al
0x18ed:	add	byte ptr [eax], al
0x18ef:	add	byte ptr [eax], al
0x18f1:	add	byte ptr [eax], al
0x18f3:	add	byte ptr [eax], al
0x18f5:	add	byte ptr [eax], al
0x18f7:	add	byte ptr [eax], al
0x18f9:	add	byte ptr [eax], al
0x18fb:	add	byte ptr [eax], al
0x18fd:	add	byte ptr [eax], al
0x18ff:	add	byte ptr [eax], al
0x1901:	add	byte ptr [eax], al
0x1903:	add	byte ptr [eax], al
0x1905:	add	byte ptr [eax], al
0x1907:	add	byte ptr [eax], al
0x1909:	add	byte ptr [eax], al
0x190b:	add	byte ptr [eax], al
0x190d:	add	byte ptr [eax], al
0x190f:	add	byte ptr [eax], al
0x1911:	add	byte ptr [eax], al
0x1913:	add	byte ptr [eax], al
0x1915:	add	byte ptr [eax], al
0x1917:	add	byte ptr [eax], al
0x1919:	add	byte ptr [eax], al
0x191b:	add	byte ptr [eax], al
0x191d:	add	byte ptr [eax], al
0x191f:	add	byte ptr [eax], al
0x1921:	add	byte ptr [eax], al
0x1923:	add	byte ptr [eax], al
0x1925:	add	byte ptr [eax], al
0x1927:	add	byte ptr [eax + 0x30], al
0x192a:	add	byte ptr [eax + 1], al
0x192d:	add	byte ptr [eax], al
0x192f:	add	byte ptr [eax], al
0x1931:	add	byte ptr [eax], al
0x1933:	add	byte ptr [eax], al
0x1935:	add	byte ptr [eax], al
0x1937:	add	byte ptr [eax], al
0x1939:	add	byte ptr [eax], al
0x193b:	add	byte ptr [eax], al
0x193d:	add	byte ptr [eax], al
0x193f:	add	byte ptr [eax + 0x1400022], cl
0x1945:	add	byte ptr [eax], al
0x1947:	add	byte ptr [eax + 0x1400022], dl
0x194d:	add	byte ptr [eax], al
0x194f:	add	al, bh
0x1951:	and	al, byte ptr [eax]
0x1953:	inc	eax
0x1954:	add	dword ptr [eax], eax
0x1956:	add	byte ptr [eax], al
0x1958:	or	dword ptr [eax], eax
0x195a:	add	byte ptr [eax], al
0x195c:	add	byte ptr [eax], al
0x195e:	add	byte ptr [eax], al
0x1960:	add	byte ptr [ebp - 0x3f], dh
0x1963:	adc	byte ptr [eax], al
0x1965:	add	byte ptr [eax], al
0x1967:	add	byte ptr [eax], al
0x1969:	add	byte ptr [eax], al
0x196b:	add	byte ptr [eax], al
0x196d:	add	byte ptr [eax], al
0x196f:	add	byte ptr [eax], al
0x1971:	add	byte ptr [eax], al
0x1973:	add	byte ptr [eax], al
0x1975:	add	byte ptr [eax], al
0x1977:	add	byte ptr [eax], al
0x1979:	add	byte ptr [eax], al
0x197b:	add	byte ptr [eax], al
0x197d:	add	byte ptr [eax], al
0x197f:	add	byte ptr [eax], al
0x1981:	add	byte ptr [eax], al
0x1983:	add	byte ptr [eax], al
0x1985:	add	byte ptr [eax], al
0x1987:	add	byte ptr [eax], al
0x1989:	add	byte ptr [eax], al
0x198b:	add	byte ptr [eax], al
0x198d:	add	byte ptr [eax], al
0x198f:	add	byte ptr [eax], al
0x1991:	add	byte ptr [eax], al
0x1993:	add	byte ptr [eax], al
0x1995:	add	byte ptr [eax], al
0x1997:	add	byte ptr [eax], al
0x1999:	add	byte ptr [eax], al
0x199b:	add	byte ptr [eax], al
0x199d:	add	byte ptr [eax], al
0x199f:	add	byte ptr [eax], al
0x19a1:	add	byte ptr [eax], al
0x19a3:	add	byte ptr [eax], al
0x19a5:	add	byte ptr [eax], al
0x19a7:	add	byte ptr [eax], al
0x19a9:	add	byte ptr [eax], al
0x19ab:	add	byte ptr [eax], al
0x19ad:	add	byte ptr [eax], al
0x19af:	add	byte ptr [eax], al
0x19b1:	add	byte ptr [eax], al
0x19b3:	add	byte ptr [eax], al
0x19b5:	add	byte ptr [eax], al
0x19b7:	add	byte ptr [eax], al
0x19b9:	add	byte ptr [eax], al
0x19bb:	add	byte ptr [eax], al
0x19bd:	add	byte ptr [eax], al
0x19bf:	add	byte ptr [eax], al
0x19c1:	add	byte ptr [eax], al
0x19c3:	add	byte ptr [eax], al
0x19c5:	add	byte ptr [eax], al
0x19c7:	add	byte ptr [eax], al
0x19c9:	add	byte ptr [eax], al
0x19cb:	add	byte ptr [eax], al
0x19cd:	add	byte ptr [eax], al
0x19cf:	add	byte ptr [eax], al
0x19d1:	add	byte ptr [eax], al
0x19d3:	add	byte ptr [eax], al
0x19d5:	add	byte ptr [eax], al
0x19d7:	add	al, ch
0x19d9:	and	al, byte ptr [eax]
0x19db:	inc	eax
0x19dc:	add	dword ptr [eax], eax
0x19de:	add	byte ptr [eax], al
0x19e0:	add	eax, dword ptr [eax]
0x19e2:	add	byte ptr [eax], al
0x19e4:	add	byte ptr [eax], al
0x19e6:	add	byte ptr [eax], al
0x19e8:	cwde	
0x19e9:	and	al, byte ptr [eax]
0x19eb:	inc	eax
0x19ec:	add	dword ptr [eax], eax
0x19ee:	add	byte ptr [eax], al
0x19f0:	mov	al, byte ptr [0x1400022]
0x19f5:	add	byte ptr [eax], al
0x19f7:	add	byte ptr [eax + 0x1400022], ch
0x19fd:	add	byte ptr [eax], al
0x19ff:	add	byte ptr [eax], al
0x1a01:	add	byte ptr [eax], al
0x1a03:	add	byte ptr [eax], al
0x1a05:	add	byte ptr [eax], al
0x1a07:	add	byte ptr [eax], al
0x1a09:	sub	al, 0
0x1a0b:	add	byte ptr [eax], al
0x1a0d:	add	byte ptr [eax], al
0x1a0f:	add	byte ptr [esi], dl
0x1a11:	sub	al, 0
0x1a13:	add	byte ptr [eax], al
0x1a15:	add	byte ptr [eax], al
0x1a17:	add	al, dh
0x1a19:	sub	eax, dword ptr [eax]
0x1a1b:	add	byte ptr [eax], al
0x1a1d:	add	byte ptr [eax], al
0x1a1f:	add	byte ptr [eax], al
0x1a21:	add	byte ptr [eax], al
0x1a23:	add	byte ptr [eax], al
0x1a25:	add	byte ptr [eax], al
0x1a27:	add	byte ptr [edx + ebp], ch
0x1a2a:	add	byte ptr [eax], al
0x1a2c:	add	byte ptr [eax], al
0x1a2e:	add	byte ptr [eax], al
0x1a30:	inc	edx
0x1a31:	sub	al, byte ptr [eax]
0x1a33:	add	byte ptr [eax], al
0x1a35:	add	byte ptr [eax], al
0x1a37:	add	byte ptr [edx + ebp], bl
0x1a3b:	add	byte ptr [eax], al
0x1a3d:	add	byte ptr [eax], al
0x1a3f:	add	byte ptr [edx + ebp], ch
0x1a43:	add	byte ptr [eax], al
0x1a45:	add	byte ptr [eax], al
0x1a47:	add	byte ptr [esi], dl
0x1a49:	sub	al, byte ptr [eax]
0x1a4b:	add	byte ptr [eax], al
0x1a4d:	add	byte ptr [eax], al
0x1a4f:	add	byte ptr [edx + 0x2a], bl
0x1a55:	add	byte ptr [eax], al
0x1a57:	add	byte ptr [esi + 0x2a], ch
0x1a5d:	add	byte ptr [eax], al
0x1a5f:	add	dl, cl
0x1a61:	sub	al, byte ptr [eax]
0x1a63:	add	byte ptr [eax], al
0x1a65:	add	byte ptr [eax], al
0x1a67:	add	al, ch
0x1a69:	sub	al, byte ptr [eax]
0x1a6b:	add	byte ptr [eax], al
0x1a6d:	add	byte ptr [eax], al
0x1a6f:	add	ah, bh
0x1a71:	sub	al, byte ptr [eax]
0x1a73:	add	byte ptr [eax], al
0x1a75:	add	byte ptr [eax], al
0x1a77:	add	ah, bh
0x1a79:	sub	dword ptr [eax], eax
0x1a7b:	add	byte ptr [eax], al
0x1a7d:	add	byte ptr [eax], al
0x1a7f:	add	byte ptr [eax + 0x2a], al
0x1a85:	add	byte ptr [eax], al
0x1a87:	add	byte ptr [eax], al
0x1a89:	add	byte ptr [eax], al
0x1a8b:	add	byte ptr [eax], al
0x1a8d:	add	byte ptr [eax], al
0x1a8f:	add	al, ah
0x1a91:	sub	dword ptr [eax], eax
0x1a93:	add	byte ptr [eax], al
0x1a95:	add	byte ptr [eax], al
0x1a97:	add	byte ptr [eax], al
0x1a99:	add	byte ptr [eax], al
0x1a9b:	add	byte ptr [eax], al
0x1a9d:	add	byte ptr [eax], al
0x1a9f:	add	byte ptr [esp + ebp], dl
0x1aa3:	add	byte ptr [eax], al
0x1aa5:	add	byte ptr [eax], al
0x1aa7:	add	byte ptr [eax], al
0x1aa9:	add	byte ptr [eax], al
0x1aab:	add	byte ptr [eax], al
0x1aad:	add	byte ptr [eax], al
0x1aaf:	add	byte ptr [edx + 0x2c], al
0x1ab2:	add	byte ptr [eax], al
0x1ab4:	add	byte ptr [eax], al
0x1ab6:	add	byte ptr [eax], al
0x1ab8:	add	byte ptr [eax], al
0x1aba:	add	byte ptr [eax], al
0x1abc:	add	byte ptr [eax], al
0x1abe:	add	byte ptr [eax], al
0x1ac0:	cmp	ch, byte ptr [eax + eax]
0x1ac3:	add	byte ptr [eax], al
0x1ac5:	add	byte ptr [eax], al
0x1ac7:	add	byte ptr [eax], al
0x1ac9:	add	byte ptr [eax], al
0x1acb:	add	byte ptr [eax], al
0x1acd:	add	byte ptr [eax], al
0x1acf:	add	byte ptr [eax + 0x2b], bh
0x1ad2:	add	byte ptr [eax], al
0x1ad4:	add	byte ptr [eax], al
0x1ad6:	add	byte ptr [eax], al
0x1ad8:	mov	word ptr [ebx], gs
0x1ada:	add	byte ptr [eax], al
0x1adc:	add	byte ptr [eax], al
0x1ade:	add	byte ptr [eax], al
0x1ae0:	cwde	
0x1ae1:	sub	eax, dword ptr [eax]
0x1ae3:	add	byte ptr [eax], al
0x1ae5:	add	byte ptr [eax], al
0x1ae7:	add	byte ptr [eax + 0x2b], dh
0x1aed:	add	byte ptr [eax], al
0x1aef:	add	byte ptr [edx + 0x2b], bh
0x1af5:	add	byte ptr [eax], al
0x1af7:	add	ah, al
0x1af9:	sub	eax, dword ptr [eax]
0x1afb:	add	byte ptr [eax], al
0x1afd:	add	byte ptr [eax], al
0x1aff:	add	ah, bl
0x1b01:	sub	eax, dword ptr [eax]
0x1b03:	add	byte ptr [eax], al
0x1b05:	add	byte ptr [eax], al
0x1b07:	add	byte ptr [esi + 0x2b], ch
0x1b0a:	add	byte ptr [eax], al
0x1b0c:	add	byte ptr [eax], al
0x1b0e:	add	byte ptr [eax], al
0x1b10:	cmp	ch, byte ptr [ebx]
0x1b12:	add	byte ptr [eax], al
0x1b14:	add	byte ptr [eax], al
0x1b16:	add	byte ptr [eax], al
0x1b18:	sub	al, 0x2b
0x1b1a:	add	byte ptr [eax], al
0x1b1c:	add	byte ptr [eax], al
0x1b1e:	add	byte ptr [eax], al
0x1b20:	push	ds
0x1b21:	sub	eax, dword ptr [eax]
0x1b23:	add	byte ptr [eax], al
0x1b25:	add	byte ptr [eax], al
0x1b27:	add	byte ptr [esi + 0x2b], bl
0x1b2a:	add	byte ptr [eax], al
0x1b2c:	add	byte ptr [eax], al
0x1b2e:	add	byte ptr [eax], al
0x1b30:	dec	esp
0x1b31:	sub	eax, dword ptr [eax]
0x1b33:	add	byte ptr [eax], al
0x1b35:	add	byte ptr [eax], al
0x1b37:	add	byte ptr [esi + 0x2b], ah
0x1b3a:	add	byte ptr [eax], al
0x1b3c:	add	byte ptr [eax], al
0x1b3e:	add	byte ptr [eax], al
0x1b40:	add	byte ptr [eax], al
0x1b42:	add	byte ptr [eax], al
0x1b44:	add	byte ptr [eax], al
0x1b46:	add	byte ptr [eax], al
0x1b48:	rcr	byte ptr [ecx], 0
0x1b4b:	inc	eax
0x1b4c:	add	dword ptr [eax], eax
0x1b4e:	add	byte ptr [eax], al
0x1b50:	rcr	byte ptr [ebx], 0
0x1b53:	inc	eax
0x1b54:	add	dword ptr [eax], eax
0x1b56:	add	byte ptr [eax], al
0x1b58:	rcr	byte ptr [ecx], 0
0x1b5b:	inc	eax
0x1b5c:	add	dword ptr [eax], eax
0x1b5e:	add	byte ptr [eax], al
0x1b60:	loopne	0x1b7d
0x1b62:	add	byte ptr [eax + 1], al
0x1b65:	add	byte ptr [eax], al
0x1b67:	add	al, ah
0x1b69:	sbb	eax, dword ptr [eax]
0x1b6b:	inc	eax
0x1b6c:	add	dword ptr [eax], eax
0x1b6e:	add	byte ptr [eax], al
0x1b70:	add	byte ptr [eax], al
0x1b72:	add	byte ptr [eax], al
0x1b74:	add	byte ptr [eax], al
0x1b76:	add	byte ptr [eax], al
0x1b78:	jo	0x1b8e
0x1b7a:	add	byte ptr [eax + 1], al
0x1b7d:	add	byte ptr [eax], al
0x1b7f:	add	byte ptr [eax], al
0x1b81:	add	byte ptr [eax], al
0x1b83:	add	byte ptr [eax], al
0x1b85:	add	byte ptr [eax], al
0x1b87:	add	byte ptr [eax], al
0x1b89:	add	byte ptr [eax], al
0x1b8b:	add	byte ptr [eax], al
0x1b8d:	add	byte ptr [eax], al
0x1b8f:	add	byte ptr [eax + 0x1400013], dl
0x1b95:	add	byte ptr [eax], al
0x1b97:	add	byte ptr [eax + 0x1400017], dh
0x1b9d:	add	byte ptr [eax], al
0x1b9f:	add	byte ptr [eax], al
0x1ba1:	add	byte ptr [eax], al
0x1ba3:	add	byte ptr [eax], al
0x1ba5:	add	byte ptr [eax], al
0x1ba7:	add	ch, ch
0x1ba9:	push	ss
0x1baa:	add	byte ptr [eax], al
0x1bac:	add	byte ptr [edx], ah
0x1bae:	sbb	byte ptr [eax], al
0x1bb0:	add	byte ptr [eax], al
0x1bb2:	xor	byte ptr [ecx], bl
0x1bb4:	add	byte ptr [eax], al
0x1bb6:	add	byte ptr [eax], al
0x1bb8:	adc	byte ptr [eax], dl
0x1bba:	add	byte ptr [eax], al
0x1bbc:	or	byte ptr [eax + 0x12], al
0x1bbf:	add	byte ptr [eax], al
0x1bc1:	or	byte ptr [eax + 0x8000013], dl
0x1bc7:	jo	0x1bdd
0x1bc9:	add	byte ptr [eax], al
0x1bcb:	or	byte ptr [eax + 0x17], al
0x1bce:	add	byte ptr [eax], al
0x1bd0:	or	byte ptr [eax + 0x17], ah
0x1bd3:	add	byte ptr [eax], al
0x1bd5:	or	byte ptr [eax + 0x8000017], dh
0x1bdb:	nop	
0x1bdc:	sbb	dword ptr [eax], eax
0x1bde:	add	byte ptr [eax], cl
0x1be0:	rcr	byte ptr [ecx], 0
0x1be3:	add	byte ptr [eax], al
0x1be5:	add	byte ptr [eax], al
0x1be7:	add	byte ptr [eax], al
0x1be9:	add	byte ptr [eax], al
0x1beb:	add	byte ptr [eax], al
0x1bed:	add	byte ptr [eax], al
0x1bef:	add	byte ptr [ebx + 0x61], al
0x1bf2:	insb	byte ptr es:[edi], dx
0x1bf3:	arpl	word ptr [ebp + 0x6c], si
0x1bf6:	popal	
0x1bf7:	je	0x1c68
0x1bf9:	jb	0x1c4e
0x1bfb:	je	0x1c5e
0x1bfd:	jb	0x1c73
0x1bff:	add	byte ptr fs:[eax], al
0x1c03:	add	byte ptr [eax], al
0x1c05:	add	byte ptr [eax], al
0x1c07:	add	byte ptr [ebp], ch
0x1c0a:	jae	0x1c0c
0x1c0c:	sub	eax, 0x61006300
0x1c11:	add	byte ptr [eax + eax + 0x63], ch
0x1c15:	add	byte ptr [ebp], dh
0x1c18:	insb	byte ptr es:[edi], dx
0x1c19:	add	byte ptr [ecx], ah
0x1c1c:	je	0x1c1e
0x1c1e:	outsd	dx, dword ptr [esi]
0x1c1f:	add	byte ptr [edx], dh
0x1c22:	cmp	al, byte ptr [eax]
0x1c24:	add	byte ptr [eax], al
0x1c26:	add	byte ptr [eax], al
0x1c28:	add	byte ptr [eax], al
0x1c2a:	add	byte ptr [eax], al
0x1c2c:	in	al, 0xfb
0x1c2e:	mov	eax, ds
0x1c30:	add	byte ptr [eax], al
0x1c32:	add	byte ptr [eax], al
0x1c34:	add	al, byte ptr [eax]
0x1c36:	add	byte ptr [eax], al
0x1c38:	and	dword ptr [eax], eax
0x1c3a:	add	byte ptr [eax], al
0x1c3c:	inc	esp
0x1c3d:	and	al, 0
0x1c3f:	add	byte ptr [esp], al
0x1c43:	add	byte ptr [eax], al
0x1c45:	add	byte ptr [eax], al
0x1c47:	add	ah, ah
0x1c49:	sti	
0x1c4a:	mov	eax, ds
0x1c4c:	add	byte ptr [eax], al
0x1c4e:	add	byte ptr [eax], al
0x1c50:	or	eax, 0x88000000
0x1c55:	add	al, byte ptr [eax]
0x1c57:	add	byte ptr [eax + 0x24], ch
0x1c5a:	add	byte ptr [eax], al
0x1c5c:	push	0x24
0x1c61:	add	byte ptr [eax], al
0x1c63:	add	ah, ah
0x1c65:	sti	
0x1c66:	mov	eax, ds
0x1c68:	add	byte ptr [eax], al
0x1c6a:	add	byte ptr [eax], al
0x1c6c:	adc	byte ptr [eax], al
0x1c6e:	add	byte ptr [eax], al
0x1c70:	and	al, 0
0x1c72:	add	byte ptr [eax], al
0x1c74:	lock add	byte ptr es:[eax], al
0x1c78:	lock add	byte ptr es:[eax], al
0x1c7c:	add	byte ptr [eax], al
0x1c7e:	add	byte ptr [eax], al
0x1c80:	inc	ebp
0x1c81:	push	esp
0x1c82:	push	edi
0x1c83:	xor	byte ptr [eax], dl
0x1c85:	add	byte ptr [eax], al
0x1c87:	add	dword ptr [esi + 0x2b88040e], eax
0x1c8d:	add	eax, 0xb06bb8a
0x1c92:	add	eax, 0
0x1c97:	add	byte ptr [eax], al
0x1c99:	add	byte ptr [edx], al
0x1c9b:	add	byte ptr [edx], ch
0x1c9d:	add	byte ptr [eax], al
0x1c9f:	inc	ebx
0x1ca0:	popal	
0x1ca1:	insb	byte ptr es:[edi], dx
0x1ca2:	arpl	word ptr [ebp + 0x6c], si
0x1ca5:	popal	
0x1ca6:	je	0x1d17
0x1ca8:	jb	0x1d01
0x1caa:	imul	ebp, dword ptr [esi + 0x4d], 0x6e6961
0x1cb1:	and	al, byte ptr [ebx + 0x61]
0x1cb4:	insb	byte ptr es:[edi], dx
0x1cb5:	arpl	word ptr [ebp + 0x6c], si
0x1cb8:	popal	
0x1cb9:	je	0x1d2a
0x1cbb:	jb	0x1d10
0x1cbd:	je	0x1d20
0x1cbf:	jb	0x1d35
0x1cc1:	and	al, byte ptr fs:[eax]
0x1cc5:	add	al, byte ptr [ecx + ecx]
0x1cc8:	retf	0x905
0x1ccb:	push	cs
0x1ccc:	popal	
0x1ccd:	push	ds
0x1cce:	inc	eax
0x1ccf:	mov	dh, 0x50
0x1cd1:	das	
0x1cd2:	and	dword ptr [ecx], ebp
0x1cd4:	cmp	byte ptr [ecx + 0x4d0029e0], 0x69
0x1cdb:	arpl	word ptr [edx + 0x6f], si
0x1cde:	jae	0x1d4f
0x1ce0:	je	0x1d26
0x1ce3:	popal	
0x1ce4:	insb	byte ptr es:[edi], dx
0x1ce5:	arpl	word ptr [ebp + 0x6c], si
0x1ce8:	popal	
0x1ce9:	je	0x1d5a
0x1ceb:	jb	0x1ced
0x1ced:	adc	eax, dword ptr [eax]
0x1cef:	add	dword ptr [edx], ebx
0x1cf1:	jae	0x1d43
0x1cf3:	dec	edi
0x1cf4:	iretd	
0x1cf5:	mov	dword ptr [edx - 0x231f4cb9], eax
0x1cfb:	call	0xba7621c9
0x1d00:	add	dword ptr [eax], eax
0x1d02:	add	byte ptr [eax], al
0x1d04:	push	edx
0x1d05:	push	ebx
0x1d06:	inc	esp
0x1d07:	push	ebx
0x1d08:	mov	al, byte ptr [0x7910c5d4]
0x1d0d:	sbb	dword ptr [edi + 0x9023434], 0x8ff5192e
0x1d17:	test	byte ptr [ecx], al
0x1d19:	add	byte ptr [eax], al
0x1d1b:	add	byte ptr [ebx + 0x61], ah
0x1d1e:	insb	byte ptr es:[edi], dx
0x1d1f:	arpl	word ptr [esi], bp
0x1d21:	jo	0x1d87
0x1d23:	bound	eax, qword ptr [eax]
0x1d25:	add	byte ptr [eax], al
0x1d27:	add	byte ptr [edi + 0x43], al
0x1d2a:	push	esp
0x1d2b:	dec	esp
0x1d2c:	add	byte ptr [eax], dl
0x1d2e:	add	byte ptr [eax], al
0x1d30:	xor	byte ptr [ecx], al
0x1d32:	add	byte ptr [eax], al
0x1d34:	je	0x1d9c
0x1d37:	js	0x1dad
0x1d39:	add	byte ptr [eax], al
0x1d3b:	add	byte ptr [eax], dh
0x1d3d:	adc	dword ptr [eax], eax
0x1d3f:	add	byte ptr [eax + 0x2e00000a], al
0x1d45:	je	0x1dac
0x1d47:	js	0x1dbd
0x1d49:	and	al, 0x6d
0x1d4b:	outsb	dx, byte ptr [esi]
0x1d4c:	add	byte ptr [eax], al
0x1d4e:	add	byte ptr [eax], al
0x1d50:	mov	al, 0x1b
0x1d52:	add	byte ptr [eax], al
0x1d54:	inc	eax
0x1d55:	add	byte ptr [eax], al
0x1d57:	add	byte ptr [esi], ch
0x1d59:	je	0x1dc0
0x1d5b:	js	0x1dd1
0x1d5d:	and	al, 0x6d
0x1d5f:	outsb	dx, byte ptr [esi]
0x1d60:	and	al, 0x30
0x1d62:	xor	byte ptr [eax], al

4 - Unicorn

In [16]:
# pip install unicorn

from unicorn import *
from unicorn.x86_const import *

# code to be emulated
X86_CODE32 = b"\x41\x4a" # INC ecx; DEC edx

# memory address where emulation starts
ADDRESS = 0x1000000

print("Emulate i386 code")
try:
    # Initialize emulator in X86-32bit mode
    mu = Uc(UC_ARCH_X86, UC_MODE_32)

    # map 2MB memory for this emulation
    mu.mem_map(ADDRESS, 2 * 1024 * 1024)

    # write machine code to be emulated to memory
    mu.mem_write(ADDRESS, X86_CODE32)

    # initialize machine registers
    mu.reg_write(UC_X86_REG_ECX, 0x1234)
    mu.reg_write(UC_X86_REG_EDX, 0x7890)

    # emulate code in infinite time & unlimited instructions
    mu.emu_start(ADDRESS, ADDRESS + len(X86_CODE32))

    # now print out some registers
    print("Emulation done. Below is the CPU context")

    r_ecx = mu.reg_read(UC_X86_REG_ECX)
    r_edx = mu.reg_read(UC_X86_REG_EDX)
    print(">>> ECX = 0x%x" %r_ecx)
    print(">>> EDX = 0x%x" %r_edx)

except UcError as e:
    print("ERROR: %s" % e)
Emulate i386 code
Emulation done. Below is the CPU context
>>> ECX = 0x1235
>>> EDX = 0x788f

5 - rzpipe

In [143]:
import rzpipe

pipe = rzpipe.open("calc.exe")
pipe.cmd('aa')

print(pipe.cmd("afl"))
print(pipe.cmdj("aflj"))            # evaluates JSON and returns an object
print(pipe.cmdj("ij").core.format)  # shows file format

pipe.quit()

6 - Frida Python

pip install frida
In [25]:
from __future__ import print_function
import frida
import sys
import psutil


def checkIfProcessRunning(processName):
    '''
    Check if there is any running process that contains the given name processName.
    '''
    #Iterate over the all the running process
    for proc in psutil.process_iter():
        try:
            # Check if process name contains the given name string.
            if processName.lower() in proc.name().lower():
                return True
        except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
            pass
    return False;
	

def on_message(message, data):
    print(message)
	

def main(proc):
    if checkIfProcessRunning(proc):
        print('[+] Process %s is running!' % proc)
        session = frida.attach(proc)

    else:
        print('[!] Process %s was not running!' % proc)
        print('[+] Running process %s!' % proc)
        session = frida.spawn(proc)
        session = frida.attach(proc)


    '''print(type(session))'''
    script = session.create_script("""
	
					   var Mutex_addr = Module.findExportByName("kernel32.dll", "CreateMutexA")
					   console.log('[+] CreateMutex addr: ' + Mutex_addr);
					   Interceptor.attach(Mutex_addr,
					   {
							onEnter: function (args) 
							{
								console.log("[+] Entering to createMutex")
								console.log('[+] lpName: ' + Memory.readUtf8String(args[2]));
							
							},
							onLeave: function (retval)
							{
							
							}
						});
 
                  """)

    script.on('message', on_message)
    script.load()
    try:
        frida.resume(proc)
    except:
        pass
    sys.stdin.read()


if __name__ == "__main__":

    try:
        target_process = int(sys.argv[1])
    except ValueError:
        target_process = "calc.exe"

    main(target_process)
[!] Process calc.exe was not running!
[+] Running process calc.exe!
[+] CreateMutex addr: 0x7ffc76952ce0

7 - Qiling

In [ ]:
# pip3 install qiling
from qiling import *
from qiling.const import *
import sys
import pefile
from capstone import *


# Load PE with capstone
def loader_pe(pe):
    entry_point = pe.OPTIONAL_HEADER.AddressOfEntryPoint
    data = pe.get_memory_mapped_image()[entry_point:]
    cs = Cs(CS_ARCH_X86, CS_MODE_32)
    cs.detail = True
    rdbin = cs.disasm(data, 0x10000)
    return rdbin


# check architecture
def check_arch(pe):
    if pe.FILE_HEADER.Machine == 0x14c:
        bit = 32
        # print(bit)
    elif pe.FILE_HEADER.Machine == 0x8664:
        bit = 64
        # print(bit)
    print("[+] Sample is %s bit" % bit)
    return bit


# Hook for GetProcAddress
def GetProcAddress(ql, addr, params):
    print(params)
    return addr, params


# stop exec at the given address
def stop(ql):
    ql.nprint("[+] Address found")
    ql.console = False
    ql.emu_stop()


# sandbox to emulate the EXE
def my_sandbox(path, rootfs):
    # setup Qiling engine
    ql = Qiling(path, rootfs)  # , output = "debug")

    # Patch address
    # ql.patch(0x0042B726, b'\x90\x90\x90')

    # Hook address
    ql.hook_address(stop, 0x0042B726)

    # hook GetProcAddress() on exit
    ql.set_api("GetProcAddress", GetProcAddress, QL_INTERCEPT.EXIT)

    # disable strace logs
    ql.filter = []
    # now emulate the EXE
    ql.run()


if __name__ == "__main__":

    exefile = sys.argv[1]
    try:
        exe = pefile.PE(exefile)
    except OSError as e:
        print(e)
        sys.exit()
    except pefile.PEFormatError as e:
        print(module.config.R + "[-] PEFormatError: %s" % e.value)
        print(module.config.R + "[!] The file is not a valid PE")
        sys.exit()

    rdbin = loader_pe(exe)
    check_arch(exe)

    # Run the execution
    my_sandbox([exefile], "examples/rootfs/x86_windows")
In [ ]:
[=]     Initiate stack address at 0x7ffffffde000
[=]     Loading calc.exe to 0x140000000
[=]     PE entry point at 0x140001740
[=]     TEB is at 0x6000000
[=]     PEB is at 0x60001f0
[=]     LDR is at 0x60009c0
[!]     Failed to resolve api-ms-win-core-synch-l1-2-0.dll
[!]     Failed to resolve api-ms-win-core-processthreads-l1-1-0.dll
[!]     Failed to resolve api-ms-win-core-libraryloader-l1-2-0.dll
[x]     CPU Context:
[x]     ah      : 0x0
[x]     al      : 0x0
[x]     ch      : 0xcf
[x]     cl      : 0xe8
[x]     dh      : 0x0
[x]     dl      : 0x0
[x]     bh      : 0xa2
[x]     bl      : 0x32
[x]     ax      : 0x0
[x]     cx      : 0xcfe8
[x]     dx      : 0x0
[x]     bx      : 0xa232
[x]     sp      : 0xcfa0
[x]     bp      : 0xcfc8
[x]     si      : 0x0
[x]     di      : 0x0
[x]     ip      : 0x2a42
[x]     eax     : 0x0
[x]     ecx     : 0x1cfe8
[x]     edx     : 0x0
[x]     ebx     : 0x2ddfa232
[x]     esp     : 0x1cfa0
[x]     ebp     : 0x1cfc8
[x]     esi     : 0x0
[x]     edi     : 0x0
[x]     eip     : 0x2a42
[x]     rax     : 0x0
[x]     rbx     : 0x2b992ddfa232
[x]     rcx     : 0x80000001cfe8
[x]     rdx     : 0x0
[x]     rsi     : 0x0
[x]     rdi     : 0x0
[x]     rbp     : 0x80000001cfc8
[x]     rsp     : 0x80000001cfa0
[x]     r8      : 0x0
[x]     r9      : 0x0
[x]     r10     : 0x0
[x]     r11     : 0x0
[x]     r12     : 0x0
[x]     r13     : 0x0
[x]     r14     : 0x0
[x]     r15     : 0x0
[x]     rip     : 0x2a42
[x]     cr0     : 0x11
[x]     cr1     : 0x0
[x]     cr2     : 0x0
[x]     cr3     : 0x0
[x]     cr4     : 0x0
[x]     cr8     : 0x0
[x]     st0     : 0x0
[x]     st1     : 0x0
[x]     st2     : 0x0
[x]     st3     : 0x0
[x]     st4     : 0x0
[x]     st5     : 0x0
[x]     st6     : 0x0
[x]     st7     : 0x0
[x]     eflags  : 0x46
[x]     cs      : 0x33
[x]     ss      : 0x28
[x]     ds      : 0x0
[x]     es      : 0x0
[x]     fs      : 0x0
[x]     gs      : 0x0
[x]     r8b     : 0x0
[x]     r9b     : 0x0
[x]     r10b    : 0x0
[x]     r11b    : 0x0
[x]     r12b    : 0x0
[x]     r13b    : 0x0
[x]     r14b    : 0x0
[x]     r15b    : 0x0
[x]     r8w     : 0x0
[x]     r9w     : 0x0
[x]     r10w    : 0x0
[x]     r11w    : 0x0
[x]     r12w    : 0x0
[x]     r13w    : 0x0
[x]     r14w    : 0x0
[x]     r15w    : 0x0
[x]     r8d     : 0x0
[x]     r9d     : 0x0
[x]     r10d    : 0x0
[x]     r11d    : 0x0
[x]     r12d    : 0x0
[x]     r13d    : 0x0
[x]     r14d    : 0x0
[x]     r15d    : 0x0
[x]     fsbase  : 0x6000
[x]     gsbase  : 0x6000000
[x]     xmm0    : 0x0
[x]     xmm1    : 0x0
[x]     xmm2    : 0x0
[x]     xmm3    : 0x0
[x]     xmm4    : 0x0
[x]     xmm5    : 0x0
[x]     xmm6    : 0x0
[x]     xmm7    : 0x0
[x]     xmm8    : 0x0
[x]     xmm9    : 0x0
[x]     xmm10   : 0x0
[x]     xmm11   : 0x0
[x]     xmm12   : 0x0
[x]     xmm13   : 0x0
[x]     xmm14   : 0x0
[x]     xmm15   : 0x0
[x]     xmm16   : 0x0
[x]     xmm17   : 0x0
[x]     xmm18   : 0x0
[x]     xmm19   : 0x0
[x]     xmm20   : 0x0
[x]     xmm21   : 0x0
[x]     xmm22   : 0x0
[x]     xmm23   : 0x0
[x]     xmm24   : 0x0
[x]     xmm25   : 0x0
[x]     xmm26   : 0x0
[x]     xmm27   : 0x0
[x]     xmm28   : 0x0
[x]     xmm29   : 0x0
[x]     xmm30   : 0x0
[x]     xmm31   : 0x0
[x]     ymm0    : 0x0
[x]     ymm1    : 0x0
[x]     ymm2    : 0x0
[x]     ymm3    : 0x0
[x]     ymm4    : 0x0
[x]     ymm5    : 0x0
[x]     ymm6    : 0x0
[x]     ymm7    : 0x0
[x]     ymm8    : 0x0
[x]     ymm9    : 0x0
[x]     ymm10   : 0x0
[x]     ymm11   : 0x0
[x]     ymm12   : 0x0
[x]     ymm13   : 0x0
[x]     ymm14   : 0x0
[x]     ymm15   : 0x0
[x]     ymm16   : 0x0
[x]     ymm17   : 0x0
[x]     ymm18   : 0x0
[x]     ymm19   : 0x0
[x]     ymm20   : 0x0
[x]     ymm21   : 0x0
[x]     ymm22   : 0x0
[x]     ymm23   : 0x0
[x]     ymm24   : 0x0
[x]     ymm25   : 0x0
[x]     ymm26   : 0x0
[x]     ymm27   : 0x0
[x]     ymm28   : 0x0
[x]     ymm29   : 0x0
[x]     ymm30   : 0x0
[x]     ymm31   : 0x0
[x]     zmm0    : 0x0
[x]     zmm1    : 0x0
[x]     zmm2    : 0x0
[x]     zmm3    : 0x0
[x]     zmm4    : 0x0
[x]     zmm5    : 0x0
[x]     zmm6    : 0x0
[x]     zmm7    : 0x0
[x]     zmm8    : 0x0
[x]     zmm9    : 0x0
[x]     zmm10   : 0x0
[x]     zmm11   : 0x0
[x]     zmm12   : 0x0
[x]     zmm13   : 0x0
[x]     zmm14   : 0x0
[x]     zmm15   : 0x0
[x]     zmm16   : 0x0
[x]     zmm17   : 0x0
[x]     zmm18   : 0x0
[x]     zmm19   : 0x0
[x]     zmm20   : 0x0
[x]     zmm21   : 0x0
[x]     zmm22   : 0x0
[x]     zmm23   : 0x0
[x]     zmm24   : 0x0
[x]     zmm25   : 0x0
[x]     zmm26   : 0x0
[x]     zmm27   : 0x0
[x]     zmm28   : 0x0
[x]     zmm29   : 0x0
[x]     zmm30   : 0x0
[x]     zmm31   : 0x0
[x]     PC = 0x0000000000002a42 (unreachable)

[x]     Memory map:
[x]     Start            End              Perm    Label        Image
[x]     00000000006000 - 0000000000c000   rwx     [FS]
[x]     00000000030000 - 00000000031000   rwx     [GDT]
[x]     00000006000000 - 00000007400000   rwx     [GS]
[x]     00000140000000 - 0000014000b000   rwx     [calc.exe]   /calc.exe
[x]     00000500000000 - 00000500001000   rwx     [heap]
[x]     007ffffffde000 - 0080000001e000   rwx     [stack]
unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
[=]     Initiate stack address at 0x7ffffffde000
[=]     Loading calc.exe to 0x140000000
[=]     PE entry point at 0x140001740
[=]     TEB is at 0x6000000
[=]     PEB is at 0x60001f0
[=]     LDR is at 0x60009c0
[=]     Loading ntdll.dll ...
[=]     Done loading ntdll.dll
[=]     Loading kernel32.dll ...
[=]     Loading kernelbase.dll ...
[=]     Done loading kernelbase.dll
[=]     Done loading kernel32.dll
[=]     Loading ucrtbase.dll ...
[=]     Calling ucrtbase.dll DllMain at 0x180665e30
[=]     GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0x80000001cfb8)
[x]     Error encountered while running ucrtbase.dll DllMain, bailing
[=]     Done loading ucrtbase.dll
[=]     Loading msvcrt.dll ...
[=]     Calling msvcrt.dll DllMain at 0x110107af0
[=]     GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0x80000001cfb8)
[x]     Error encountered while running msvcrt.dll DllMain, bailing
[=]     Done loading msvcrt.dll
[=]     Loading advapi32.dll ...
[!]     Failed to resolve api-ms-win-eventing-controller-l1-1-0.dll
[!]     Failed to resolve api-ms-win-eventing-consumer-l1-1-0.dll
[!]     Failed to resolve api-ms-win-eventing-consumer-l1-1-1.dll
[!]     Failed to resolve api-ms-win-service-core-l1-1-0.dll
[!]     Failed to resolve api-ms-win-service-core-l1-1-1.dll
[!]     Failed to resolve api-ms-win-service-core-l1-1-2.dll
[!]     Failed to resolve api-ms-win-service-management-l1-1-0.dll
[!]     Failed to resolve api-ms-win-service-management-l2-1-0.dll
[!]     Failed to resolve api-ms-win-service-private-l1-1-4.dll
[!]     Failed to resolve api-ms-win-service-private-l1-1-2.dll
[!]     Failed to resolve api-ms-win-service-private-l1-1-3.dll
[!]     Failed to resolve api-ms-win-service-private-l1-1-0.dll
[!]     Failed to resolve api-ms-win-service-winsvc-l1-1-0.dll

8 - Ctype

In [54]:
import sys
from ctypes import *

WORD = c_ushort
DWORD = c_ulong
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_char)
HANDLE = c_void_p


# Specifies the window station, desktop, standard handles, and appearance 
# of the main window for a process at creation time.
class STARTUPINFO(Structure):
    _fields_ = [
        ('cb', DWORD),
        ('lpReserved', LPTSTR),
        ('lpDesktop', LPTSTR),
        ('lpTitle', LPTSTR),
        ('dwX', DWORD),
        ('dwY', DWORD),
        ('dwXSize', DWORD),
        ('dwYSize', DWORD),
        ('dwXCountChars', DWORD),
        ('dwYCountChars', DWORD),
        ('dwFillAttribute', DWORD),
        ('dwFlags', DWORD),
        ('wShowWindow', WORD),
        ('cbReserved2', WORD),
        ('lpReserved2', LPBYTE),
        ('hStdInput', HANDLE),
        ('hStdOutput', HANDLE),
        ('hStdError', HANDLE),
    ]

# Contains information about a newly created process and its primary thread. 
class PROCESS_INFORMATION(Structure):
    _fields_ = [
        ('hProcess', HANDLE),
        ('hThread', HANDLE),
        ('dwProcessId', DWORD),
        ('dwThreadId', DWORD),
    ]


# Process to create
exe = "C:\\Windows\\System32\\calc.exe"

# Import the kernel32 lib
kernel32 = windll.kernel32

# creation flag
CREATE_NEW_CONSOLE = 0x00000010
CREATE_SUSPENDED = 0x00000004
creation_flags = CREATE_NEW_CONSOLE | CREATE_SUSPENDED

startupinfo = STARTUPINFO()
processinfo = PROCESS_INFORMATION()
startupinfo.cb = sizeof(startupinfo)

try: 	
    kernel32.CreateProcessA(None, exe, None, None, None, creation_flags, None, None, byref(startupinfo), byref(processinfo))
    print("Process started as PID: {}".format(processinfo.dwProcessId))
    kernel32.CloseHandle(processinfo.hProcess)
    kernel32.CloseHandle(processinfo.hThread)
except Exception as e:
    print(e)
    kernel32.GetLastError()
Process started as PID: 0
In [ ]:
# setup Qiling engine
ql = Qiling("file.exe", "place/of/Windows/dll/")#, output = "debug")
# disable strace logs
ql.filter = []
# now emulate the EXE
ql.run()

9 - Struct

In [112]:
import struct
  
# 4s -> four char to pack
# i -> integer
# f -> float
# l -> long

pack = struct.pack('4s i f l', b'test', 5, 3.14, 255)
print(pack)
  
# struct.unpack() return a tuples
unpack = struct.unpack('4s i f l', pack)
print(unpack)
b'test\x05\x00\x00\x00\xc3\xf5H@\xff\x00\x00\x00'
(b'test', 5, 3.140000104904175, 255)
In [41]:
# importing the struct module
import struct
# converting into bytes
converted_bytes = struct.pack('14s i', b'Tutorialspoint', 2020)
# converting into Python data types
print(struct.unpack('14s i', converted_bytes))
(b'Tutorialspoint', 2020)

10 - Yara-Python

In [55]:
import yara
rule = yara.compile(source='rule foo: bar {strings: $a = "lmn" condition: $a}')
matches = rule.match(data='abcdefgjiklmnoprstuvwxyz')
print(matches)
print(matches[0].rule)
print(matches[0].tags)
print(matches[0].strings)
[foo]
foo
['bar']
[(10, '$a', b'lmn')]
In [59]:
# Request to the Unprotect API
import requests
import json
response = requests.get("https://search.unprotect.it/api/")
jsonData = response.json()

def get_techniques_desc(url, tech):
    response2 = requests.get(url)   
    techniques = response2.json()
    if techniques['next'] != None:
        for technique in techniques["results"]:
            if technique['name'] == tech:
                print("Technique Name: " + technique['name'] + "\n")
                print("Description: " + technique['description']+ "\n")
                yarar = json.dumps(technique['detection_rules'][2]['rule'], indent=4)
                sigmar = json.dumps(technique['detection_rules'][0]['rule'], indent=4)
                capar = json.dumps(technique['detection_rules'][1]['rule'], indent=4)
                #for i in technique['snippets']:
                #    print(i["plain_code"] + "\n")
                return(yarar, sigmar, capar)
        get_techniques_desc(techniques['next'], "Kill Process")

yarar, sigmar, capar = get_techniques_desc("https://search.unprotect.it/api/techniques/", "Kill Process")
Technique Name: Kill Process

Description: Malware can kill processes such as AV process or monitoring process. For example, "wireshark.exe", "ida.exe", "procmon.exe" or any other process related to malware analysis tools in order to avoid the investigation.

In [145]:
#Using Yara against a file
import yara

rule = yara.compile(source = json.loads(yarar))
filename = "killprocess.exe"

matches = rule.match(filename)
if matches:
    print(matches)
[UNPROTECT_disable_process]