This is the second part of the Bit Twiddling series. For your convenience you can find the other parts in the table of contents in Part 1 — Modifying Android application on a binary level
Word of warning: if you came to this post only for the solution and are not interested in the explanation of how to get there, scroll down to the last section. I don’t expect any non-Polish speaker to do that, so that section is not in English. And now the same warning for Polish readers:
Attention! If you are interested in how the program Profesor Klaus Intensywny Kurs could be run without a microphone, scroll to the last section of this post. Most of the information here is about something else. This post is educational in nature and does not encourage modifying the application, breaking its licence or interfering with the software in any other way.
Also, this post is only for education purposes. I am not encouraging anyone to modify the application or break the license agreements.
Today, a short reverse engineering story about fixing the application Profesor Klaus Intensywny Kurs. That’s a Polish application for learning the German language. It checks for a microphone at start-up and shuts down when none is available, although the microphone is not needed at all. Since I was using it in a remote desktop scenario without a Remote Desktop Session Host (in Administrator licensing mode on Windows Server), I was looking for a workaround.
Reverse engineering the application
And another word of warning: I am not a reverse engineer and I don’t do this in an optimal way. There are probably better tools and approaches. If you are looking for best practices — this is probably not the right place.
Okay, let’s go. The only thing I knew about the application was that it checks for the microphone when started and then exits if it cannot find one. So let’s launch API Monitor and see what it does. Start API Monitor, select the “Audio and Video” APIs, add a breakpoint on waveInGetNumDevs and run the application. It immediately shows the call being made.
Okay, so the API is called. Let’s continue a few times, and then the message dialog appears saying that the application won’t run.
Let’s try it again. This time, let’s attach WinDBG the first time the audio API is called. Let’s run it, and we see this:
```
0:003> g
(3068.18e4): Unknown exception - code 0eedfade (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files (x86)\Profesor Klaus - Intensywny kurs\Intensywny_kurs.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\Profesor Klaus - Intensywny kurs\Intensywny_kurs.exe
eax=0018fa80 ebx=03c635c0 ecx=00000007 edx=00000000 esi=00000002 edi=03c8c4d0
eip=75414e28 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
KERNELBASE!RaiseException+0x48:
75414e28 8b4c2454 mov ecx,dword ptr [esp+54h] ss:002b:0018fad4=47b481ba
```
We have an exception with code 0eedfade. This is the well-known code of Delphi exceptions. Let’s start the application again and catch the exception:
```
0:001> sxe 0eedfade
0:001> g
(23a0.3210): Unknown exception - code 0eedfade (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files (x86)\Profesor Klaus - Intensywny kurs\Intensywny_kurs.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\Profesor Klaus - Intensywny kurs\Intensywny_kurs.exe
eax=0018fa80 ebx=03ad35c0 ecx=00000007 edx=00000000 esi=00000002 edi=03afc4d0
eip=75414e28 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
KERNELBASE!RaiseException+0x48:
75414e28 8b4c2454 mov ecx,dword ptr [esp+54h] ss:002b:0018fad4=01acbcce
0:000> ~0s
eax=0018fa80 ebx=03ad35c0 ecx=00000007 edx=00000000 esi=00000002 edi=03afc4d0
eip=75414e28 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
KERNELBASE!RaiseException+0x48:
75414e28 8b4c2454 mov ecx,dword ptr [esp+54h] ss:002b:0018fad4=01acbcce
0:000> kb
ChildEBP RetAddr  Args to Child
0018fadc 0055309c 0eedfade 00000001 00000007 KERNELBASE!RaiseException+0x48
WARNING: Stack unwind information not available. Following frames may be wrong.
0018fb2c 005533f6 0018fb58 00404f1d 0018fb50 Intensywny_kurs+0x15309c
0018fb50 006f5142 0018fb64 006f5155 0018fda8 Intensywny_kurs+0x1533f6
0018fda8 0047527b 0018fde0 00475285 0018fdcc Intensywny_kurs+0x2f5142
0018fdcc 00474ed3 006f3d60 006f3d60 00404f6c Intensywny_kurs+0x7527b
0018fdfc 00474ea9 0018ff34 00404f1d 0018ff2c Intensywny_kurs+0x74ed3
0018ff2c 0047e805 0018ff40 0047e80f 0018ff60 Intensywny_kurs+0x74ea9
0018ff60 006fbce5 006fbba0 7ffde000 00007ff8 Intensywny_kurs+0x7e805
0018ff80 76d96a14 7ffde000 76d969f0 344884a0 Intensywny_kurs+0x2fbce5
0018ff94 7778adcf 7ffde000 11fdba68 00000000 KERNEL32!BaseThreadInitThunk+0x24
0018ffdc 7778ad9a ffffffff 7777011e 00000000 ntdll!__RtlUserThreadStart+0x2f
0018ffec 00000000 006fbba0 7ffde000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> u Intensywny_kurs+0x15309c-5
Intensywny_kurs+0x153097:
00553097 e86c24ebff call Intensywny_kurs+0x5508 (00405508)
0055309c 6a20 push 20h
0055309e 8b431c mov eax,dword ptr [ebx+1Ch]
005530a1 50 push eax
005530a2 8b4304 mov eax,dword ptr [ebx+4]
005530a5 85c0 test eax,eax
005530a7 7905 jns Intensywny_kurs+0x1530ae (005530ae)
005530a9 e8aa19ebff call Intensywny_kurs+0x4a58 (00404a58)
```
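The kb output above already contains everything needed to get from the exception back to the instruction that raised it, and the arithmetic is worth automating when you do this more than once. The following Python script is an added example, not code from the post or from the application's vendor. It parses the stack dump exactly as printed above (the text is copied from it), recognises the Delphi exception code in RaiseException's first stack argument (kb shows the first three arguments: code, flags and argument count), derives the load address of Intensywny_kurs from the unsymbolised caller frame, and subtracts the length of an x86 near call to arrive at the call instruction. The 5-byte call length is an assumption about the call site that the u output above happens to confirm (e8 rel32); an indirect call would be longer.

```python
"""Decode a Delphi exception from a WinDBG ``kb`` stack dump.

Added example for this post (not tooling from the original article): it
parses the ``kb`` output printed above, finds the KERNELBASE!RaiseException
frame, checks for the Delphi exception code 0x0EEDFADE, recovers the module
base from the unsymbolised caller frame and computes the address of the
``call`` that raised the exception.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stack part of the 'kb' output shown in the post, copied verbatim.
KB_OUTPUT = """\
ChildEBP RetAddr  Args to Child
0018fadc 0055309c 0eedfade 00000001 00000007 KERNELBASE!RaiseException+0x48
WARNING: Stack unwind information not available. Following frames may be wrong.
0018fb2c 005533f6 0018fb58 00404f1d 0018fb50 Intensywny_kurs+0x15309c
0018fb50 006f5142 0018fb64 006f5155 0018fda8 Intensywny_kurs+0x1533f6
0018fda8 0047527b 0018fde0 00475285 0018fdcc Intensywny_kurs+0x2f5142
0018fdcc 00474ed3 006f3d60 006f3d60 00404f6c Intensywny_kurs+0x7527b
0018fdfc 00474ea9 0018ff34 00404f1d 0018ff2c Intensywny_kurs+0x74ed3
0018ff2c 0047e805 0018ff40 0047e80f 0018ff60 Intensywny_kurs+0x74ea9
0018ff60 006fbce5 006fbba0 7ffde000 00007ff8 Intensywny_kurs+0x7e805
0018ff80 76d96a14 7ffde000 76d969f0 344884a0 Intensywny_kurs+0x2fbce5
0018ff94 7778adcf 7ffde000 11fdba68 00000000 KERNEL32!BaseThreadInitThunk+0x24
0018ffdc 7778ad9a ffffffff 7777011e 00000000 ntdll!__RtlUserThreadStart+0x2f
0018ffec 00000000 006fbba0 7ffde000 00000000 ntdll!_RtlUserThreadStart+0x1b
"""

DELPHI_EXCEPTION_CODE = 0x0EEDFADE   # code the Delphi RTL passes to RaiseException
EXCEPTION_NONCONTINUABLE = 0x1       # dwExceptionFlags bit
X86_NEAR_CALL_LEN = 5                # assumption: E8 rel32, return address = call + 5

# ChildEBP RetAddr Arg1 Arg2 Arg3 Symbol  (kb prints the first three arguments)
FRAME_RE = re.compile(
    r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)$")
# module!function+0xoff, module!function, or module+0xoff (no symbols loaded)
SYMBOL_RE = re.compile(r"^([^!+]+)(?:!([^+]+))?(?:\+0x([0-9a-f]+))?$")


@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    args: List[int]
    symbol: str

    def split_symbol(self) -> Tuple[str, Optional[str], int]:
        """'Intensywny_kurs+0x15309c' -> ('Intensywny_kurs', None, 0x15309c)."""
        m = SYMBOL_RE.match(self.symbol)
        if not m:
            return self.symbol, None, 0
        module, func, off = m.groups()
        return module, func, int(off, 16) if off else 0


@dataclass
class DelphiRaise:
    code: int
    noncontinuable: bool
    nargs: int
    module: str
    module_base: int
    call_site: int   # address of the 'call' into the Delphi raise helper

    @property
    def call_site_symbol(self) -> str:
        return f"{self.module}+0x{self.call_site - self.module_base:x}"


def parse_kb(text: str) -> List[Frame]:
    """Parse 'kb' output; the header and WARNING lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        child_ebp, ret_addr, *args, symbol = m.groups()
        frames.append(Frame(int(child_ebp, 16), int(ret_addr, 16),
                            [int(a, 16) for a in args], symbol))
    return frames


def find_delphi_raise(frames: List[Frame]) -> Optional[DelphiRaise]:
    """Locate RaiseException(0x0EEDFADE, ...) and work out where it was called from."""
    for i, f in enumerate(frames[:-1]):
        if not f.symbol.startswith("KERNELBASE!RaiseException"):
            continue
        # RaiseException(dwExceptionCode, dwExceptionFlags, nNumberOfArguments, lpArguments)
        code, flags, nargs = f.args
        if code != DELPHI_EXCEPTION_CODE:
            continue
        # Without a PDB the caller frame is shown as module+offset, and its pc is
        # RaiseException's return address, so module base = return address - offset.
        module, func, offset = frames[i + 1].split_symbol()
        if func is not None:
            return None   # symbolised frame: offset is function-relative, not module-relative
        return DelphiRaise(code, bool(flags & EXCEPTION_NONCONTINUABLE), nargs,
                           module, f.ret_addr - offset, f.ret_addr - X86_NEAR_CALL_LEN)
    return None


if __name__ == "__main__":
    raised = find_delphi_raise(parse_kb(KB_OUTPUT))
    print(f"Delphi exception, non-continuable={raised.noncontinuable}, "
          f"{raised.nargs} arguments, raised from {raised.call_site_symbol} "
          f"({raised.call_site:08x}), module base {raised.module_base:08x}")
```

For the dump above this yields module base 00400000 and call site Intensywny_kurs+0x153097, which is the address the post disassembles with u and then breaks on with bp. The seven arguments are Delphi's ExceptionInformation block as built by System._RaiseExcept: the raise address, the exception object and the saved EBX, ESI, EDI, EBP and ESP, which is exactly the sequence of pushes visible in the single-stepped trace that follows.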
Okay, now we have the line where the method is called. What does this method do? Let’s restart, add a breakpoint there and see:
```
0:001> sxe 0eedfade
0:001> bp 00553097
*** WARNING: Unable to verify checksum for C:\Program Files (x86)\Profesor Klaus - Intensywny kurs\Intensywny_kurs.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\Profesor Klaus - Intensywny kurs\Intensywny_kurs.exe
0:001> g
Breakpoint 0 hit
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=00552d8c esi=00000002 edi=03cac4d0
eip=00553097 esp=0018fb10 ebp=0018fb2c iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
Intensywny_kurs+0x153097:
00553097 e86c24ebff call Intensywny_kurs+0x5508 (00405508)
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=00552d8c esi=00000002 edi=03cac4d0
eip=00405508 esp=0018fb0c ebp=0018fb2c iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
Intensywny_kurs+0x5508:
00405508 09c0 or eax,eax
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=00552d8c esi=00000002 edi=03cac4d0
eip=0040550a esp=0018fb0c ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
Intensywny_kurs+0x550a:
0040550a 750a jne Intensywny_kurs+0x5516 (00405516) [br=1]
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=00552d8c esi=00000002 edi=03cac4d0
eip=00405516 esp=0018fb0c ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
Intensywny_kurs+0x5516:
00405516 5a pop edx
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=00405517 esp=0018fb10 ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
Intensywny_kurs+0x5517:
00405517 54 push esp
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=00405518 esp=0018fb0c ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
Intensywny_kurs+0x5518:
00405518 55 push ebp
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=00405519 esp=0018fb08 ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
Intensywny_kurs+0x5519:
00405519 57 push edi
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=0040551a esp=0018fb04 ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
Intensywny_kurs+0x551a:
0040551a 56 push esi
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=0040551b esp=0018fb00 ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
Intensywny_kurs+0x551b:
0040551b 53 push ebx
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=0040551c esp=0018fafc ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
Intensywny_kurs+0x551c:
0040551c 50 push eax
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=0040551d esp=0018faf8 ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
Intensywny_kurs+0x551d:
0040551d 52 push edx
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=0040551e esp=0018faf4 ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
Intensywny_kurs+0x551e:
0040551e 54 push esp
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=0040551f esp=0018faf0 ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
Intensywny_kurs+0x551f:
0040551f 6a07 push 7
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=00405521 esp=0018faec ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
Intensywny_kurs+0x5521:
00405521 6a01 push 1
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=00405523 esp=0018fae8 ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
Intensywny_kurs+0x5523:
00405523 68defaed0e push 0EEDFADEh
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=00405528 esp=0018fae4 ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
Intensywny_kurs+0x5528:
00405528 52 push edx
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=00405529 esp=0018fae0 ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
Intensywny_kurs+0x5529:
00405529 ff2514f07000 jmp dword ptr [Intensywny_kurs+0x30f014 (0070f014)] ds:002b:0070f014=00401488
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=00401488 esp=0018fae0 ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
Intensywny_kurs+0x1488:
00401488 ff25506c8a00 jmp dword ptr [Intensywny_kurs+0x4a6c50 (008a6c50)] ds:002b:008a6c50={KERNEL32!RaiseExceptionStub (76d9a7a0)}
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=76d9a7a0 esp=0018fae0 ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNEL32!RaiseExceptionStub:
76d9a7a0 ff250c03e076 jmp dword ptr [KERNEL32!_imp__RaiseException (76e0030c)] ds:002b:76e0030c={KERNELBASE!RaiseException (75414de0)}
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414de0 esp=0018fae0 ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException:
75414de0 8bff mov edi,edi
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414de2 esp=0018fae0 ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException+0x2:
75414de2 55 push ebp
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414de3 esp=0018fadc ebp=0018fb2c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException+0x3:
75414de3 8bec mov ebp,esp
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414de5 esp=0018fadc ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException+0x5:
75414de5 83e4f8 and esp,0FFFFFFF8h
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414de8 esp=0018fad8 ebp=0018fadc iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
KERNELBASE!RaiseException+0x8:
75414de8 83ec58 sub esp,58h
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414deb esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException+0xb:
75414deb a1683b4a75 mov eax,dword ptr [KERNELBASE!__security_cookie (754a3b68)] ds:002b:754a3b68=3ef023d9
0:000> t
eax=3ef023d9 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414df0 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException+0x10:
75414df0 33c4 xor eax,esp
0:000> t
eax=3ee8d959 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414df2 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
KERNELBASE!RaiseException+0x12:
75414df2 89442454 mov dword ptr [esp+54h],eax ss:002b:0018fad4=0018fae8
0:000> t
eax=3ee8d959 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414df6 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
KERNELBASE!RaiseException+0x16:
75414df6 8b4508 mov eax,dword ptr [ebp+8] ss:002b:0018fae4=0eedfade
0:000> t
eax=0eedfade ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414df9 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
KERNELBASE!RaiseException+0x19:
75414df9 8b4d14 mov ecx,dword ptr [ebp+14h] ss:002b:0018faf0=0018faf4
0:000> t
eax=0eedfade ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414dfc esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
KERNELBASE!RaiseException+0x1c:
75414dfc 8364240800 and dword ptr [esp+8],0 ss:002b:0018fa88=20715b61
0:000> t
eax=0eedfade ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e01 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
KERNELBASE!RaiseException+0x21:
75414e01 890424 mov dword ptr [esp],eax ss:002b:0018fa80={winmm!waveInGetErrorTextAStub (7459fe10)}
0:000> t
eax=0eedfade ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e04 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
KERNELBASE!RaiseException+0x24:
75414e04 8b450c mov eax,dword ptr [ebp+0Ch] ss:002b:0018fae8=00000001
0:000> t
eax=00000001 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e07 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
KERNELBASE!RaiseException+0x27:
75414e07 83e001 and eax,1
0:000> t
eax=00000001 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e0a esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException+0x2a:
75414e0a c744240ce04d4175 mov dword ptr [esp+0Ch],offset KERNELBASE!RaiseException (75414de0) ss:002b:0018fa8c=bb1f255f
0:000> t
eax=00000001 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e12 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException+0x32:
75414e12 89442404 mov dword ptr [esp+4],eax ss:002b:0018fa84=0024eaf0
0:000> t
eax=00000001 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e16 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException+0x36:
75414e16 85c9 test ecx,ecx
0:000> t
eax=00000001 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e18 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException+0x38:
75414e18 751f jne KERNELBASE!RaiseException+0x59 (75414e39) [br=1]
0:000> t
eax=00000001 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e39 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException+0x59:
75414e39 8b4510 mov eax,dword ptr [ebp+10h] ss:002b:0018faec=00000007
0:000> t
eax=00000007 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e3c esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException+0x5c:
75414e3c 83f80f cmp eax,0Fh
0:000> t
eax=00000007 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e3f esp=0018fa80 ebp=0018fadc iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
KERNELBASE!RaiseException+0x5f:
75414e3f 7718 ja KERNELBASE!RaiseException+0x79 (75414e59) [br=0]
0:000> t
eax=00000007 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e41 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
KERNELBASE!RaiseException+0x61:
75414e41 89442410 mov dword ptr [esp+10h],eax ss:002b:0018fa90=3f24940b
0:000> t
eax=00000007 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e45 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
KERNELBASE!RaiseException+0x65:
75414e45 c1e002 shl eax,2
0:000> t
eax=0000001c ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e48 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException+0x68:
75414e48 50 push eax
0:000> t
eax=0000001c ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e49 esp=0018fa7c ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException+0x69:
75414e49 51 push ecx
0:000> t
eax=0000001c ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e4a esp=0018fa78 ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException+0x6a:
75414e4a 8d44241c lea eax,[esp+1Ch]
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e4e esp=0018fa78 ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException+0x6e:
75414e4e 50 push eax
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e4f esp=0018fa74 ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!RaiseException+0x6f:
75414e4f e8b7a2fdff call KERNELBASE!memcpy (753ef10b)
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=753ef10b esp=0018fa70 ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!memcpy:
753ef10b ff2524694a75 jmp dword ptr [KERNELBASE!_imp__memcpy (754a6924)] ds:002b:754a6924={ntdll!memcpy (77757c00)}
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=77757c00 esp=0018fa70 ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!memcpy:
77757c00 55 push ebp
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=77757c01 esp=0018fa6c ebp=0018fadc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!memcpy+0x1:
77757c01 8bec mov ebp,esp
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=77757c03 esp=0018fa6c ebp=0018fa6c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!memcpy+0x3:
77757c03 57 push edi
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=77757c04 esp=0018fa68 ebp=0018fa6c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!memcpy+0x4:
77757c04 56 push esi
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=77757c05 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!memcpy+0x5:
77757c05 8b750c mov esi,dword ptr [ebp+0Ch] ss:002b:0018fa78=0018faf4
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=0018faf4 edi=03cac4d0
eip=77757c08 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!memcpy+0x8:
77757c08 8b4d10 mov ecx,dword ptr [ebp+10h] ss:002b:0018fa7c=0000001c
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0000001c edx=0055309c esi=0018faf4 edi=03cac4d0
eip=77757c0b esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!memcpy+0xb:
77757c0b 8b7d08 mov edi,dword ptr [ebp+8] ss:002b:0018fa74=0018fa94
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0000001c edx=0055309c esi=0018faf4 edi=0018fa94
eip=77757c0e esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!memcpy+0xe:
77757c0e 8bc1 mov eax,ecx
0:000> t
eax=0000001c ebx=03c835c0 ecx=0000001c edx=0055309c esi=0018faf4 edi=0018fa94
eip=77757c10 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!memcpy+0x10:
77757c10 8bd1 mov edx,ecx
0:000> t
eax=0000001c ebx=03c835c0 ecx=0000001c edx=0000001c esi=0018faf4 edi=0018fa94
eip=77757c12 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!memcpy+0x12:
77757c12 03c6 add eax,esi
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=0000001c edx=0000001c esi=0018faf4 edi=0018fa94
eip=77757c14 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
ntdll!memcpy+0x14:
77757c14 3bfe cmp edi,esi
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=0000001c edx=0000001c esi=0018faf4 edi=0018fa94
eip=77757c16 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000287
ntdll!memcpy+0x16:
77757c16 7608 jbe ntdll!memcpy+0x20 (77757c20) [br=1]
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=0000001c edx=0000001c esi=0018faf4 edi=0018fa94
eip=77757c20 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000287
ntdll!memcpy+0x20:
77757c20 f7c703000000 test edi,3
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=0000001c edx=0000001c esi=0018faf4 edi=0018fa94
eip=77757c26 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!memcpy+0x26:
77757c26 7514 jne ntdll!memcpy+0x3c (77757c3c) [br=0]
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=0000001c edx=0000001c esi=0018faf4 edi=0018fa94
eip=77757c28 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!memcpy+0x28:
77757c28 c1e902 shr ecx,2
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=00000007 edx=0000001c esi=0018faf4 edi=0018fa94
eip=77757c2b esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!memcpy+0x2b:
77757c2b 83e203 and edx,3
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757c2e esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!memcpy+0x2e:
77757c2e 83f908 cmp ecx,8
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757c31 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x31:
77757c31 7229 jb ntdll!memcpy+0x5c (77757c5c) [br=1]
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757c5c esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x5c:
77757c5c ff248de07c7577 jmp dword ptr ntdll!memcpy+0xe0 (77757ce0)[ecx*4] ds:002b:77757cfc=77757d00
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d00 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x100:
77757d00 8b448ee4 mov eax,dword ptr [esi+ecx*4-1Ch] ds:002b:0018faf4=0055309c
0:000> t
eax=0055309c ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d04 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x104:
77757d04 89448fe4 mov dword ptr [edi+ecx*4-1Ch],eax ds:002b:0018fa94=2fbf78eb
0:000> t
eax=0055309c ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d08 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x108:
77757d08 8b448ee8 mov eax,dword ptr [esi+ecx*4-18h] ds:002b:0018faf8=03ca58d0
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d0c esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x10c:
77757d0c 89448fe8 mov dword ptr [edi+ecx*4-18h],eax ds:002b:0018fa98=01d5f9a0
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d10 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x110:
77757d10 8b448eec mov eax,dword ptr [esi+ecx*4-14h] ds:002b:0018fafc=03c835c0
0:000> t
eax=03c835c0 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d14 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x114:
77757d14 89448fec mov dword ptr [edi+ecx*4-14h],eax ds:002b:0018fa9c=000002bb
0:000> t
eax=03c835c0 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d18 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x118:
77757d18 8b448ef0 mov eax,dword ptr [esi+ecx*4-10h] ds:002b:0018fb00=00000002
0:000> t
eax=00000002 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d1c esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x11c:
77757d1c 89448ff0 mov dword ptr [edi+ecx*4-10h],eax ds:002b:0018faa0=00000000
0:000> t
eax=00000002 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d20 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x120:
77757d20 8b448ef4 mov eax,dword ptr [esi+ecx*4-0Ch] ds:002b:0018fb04=03cac4d0
0:000> t
eax=03cac4d0 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d24 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x124:
77757d24 89448ff4 mov dword ptr [edi+ecx*4-0Ch],eax ds:002b:0018faa4=7b21d95f
0:000> t
eax=03cac4d0 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d28 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x128:
77757d28 8b448ef8 mov eax,dword ptr [esi+ecx*4-8] ds:002b:0018fb08=0018fb2c
0:000> t
eax=0018fb2c ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d2c esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x12c:
77757d2c 89448ff8 mov dword ptr [edi+ecx*4-8],eax ds:002b:0018faa8=000002bb
0:000> t
eax=0018fb2c ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d30 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x130:
77757d30 8b448efc mov eax,dword ptr [esi+ecx*4-4] ds:002b:0018fb0c=0018fb10
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d34 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x134:
77757d34 89448ffc mov dword ptr [edi+ecx*4-4],eax ds:002b:0018faac=7b21d32e
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d38 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x138:
77757d38 8d048d00000000 lea eax,[ecx*4]
0:000> t
eax=0000001c ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d3f esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
ntdll!memcpy+0x13f:
77757d3f 03f0 add esi,eax
0:000> t
eax=0000001c ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018fb10 edi=0018fa94
eip=77757d41 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
ntdll!memcpy+0x141:
77757d41 03f8 add edi,eax
0:000> t
eax=0000001c ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018fb10 edi=0018fab0
eip=77757d43 esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
ntdll!memcpy+0x143:
77757d43 ff24954c7d7577 jmp dword ptr ntdll!memcpy+0x14c (77757d4c)[edx*4] ds:002b:77757d4c=77757d5c
0:000> t
eax=0000001c ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018fb10 edi=0018fab0
eip=77757d5c esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
ntdll!memcpy+0x15c:
77757d5c 8b4508 mov eax,dword ptr [ebp+8] ss:002b:0018fa74=0018fa94
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018fb10 edi=0018fab0
eip=77757d5f esp=0018fa64 ebp=0018fa6c iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
ntdll!memcpy+0x15f:
77757d5f 5e pop esi
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=0018fab0
eip=77757d60 esp=0018fa68 ebp=0018fa6c iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
ntdll!memcpy+0x160:
77757d60 5f pop edi
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=77757d61 esp=0018fa6c ebp=0018fa6c iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
ntdll!memcpy+0x161:
77757d61 c9 leave
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=77757d62 esp=0018fa70 ebp=0018fadc iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
ntdll!memcpy+0x162:
77757d62 c3 ret
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=75414e54 esp=0018fa74 ebp=0018fadc iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
KERNELBASE!RaiseException+0x74:
75414e54 83c40c add esp,0Ch
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=75414e57 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
KERNELBASE!RaiseException+0x77:
75414e57 ebc5 jmp KERNELBASE!RaiseException+0x3e (75414e1e)
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=75414e1e esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
KERNELBASE!RaiseException+0x3e:
75414e1e 8d0424 lea eax,[esp]
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=75414e21 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
KERNELBASE!RaiseException+0x41:
75414e21 50 push eax
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=75414e22 esp=0018fa7c ebp=0018fadc iopl=0 nv up
```
ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 KERNELBASE!RaiseException+0x42: 75414e22 ff152c634a75 call dword ptr [KERNELBASE!_imp__RtlRaiseException (754a632c)] ds:002b:754a632c={ntdll!RtlRaiseException (777707c0)} 0:000> t eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777707c0 esp=0018fa78 ebp=0018fadc iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlRaiseException: 777707c0 55 push ebp 0:000> t eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777707c1 esp=0018fa74 ebp=0018fadc iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlRaiseException+0x1: 777707c1 8bec mov ebp,esp 0:000> t eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777707c3 esp=0018fa74 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlRaiseException+0x3: 777707c3 8da42430fdffff lea esp,[esp-2D0h] 0:000> t eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777707ca esp=0018f7a4 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlRaiseException+0xa: 777707ca 54 push esp 0:000> t eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777707cb esp=0018f7a0 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlRaiseException+0xb: 777707cb e84ff8ffff call ntdll!RtlCaptureContext (7777001f) 0:000> t eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=7777001f esp=0018f79c ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlCaptureContext: 7777001f 53 push ebx 0:000> t eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 
edi=03cac4d0 eip=77770020 esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlCaptureContext+0x1: 77770020 8b5c2408 mov ebx,dword ptr [esp+8] ss:002b:0018f7a0=0018f7a4 0:000> t eax=0018fa80 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=77770024 esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlCaptureContext+0x5: 77770024 8983b0000000 mov dword ptr [ebx+0B0h],eax ds:002b:0018f854=00000000 0:000> t eax=0018fa80 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=7777002a esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlCaptureContext+0xb: 7777002a 898bac000000 mov dword ptr [ebx+0ACh],ecx ds:002b:0018f850=00002000 0:000> t eax=0018fa80 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=77770030 esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlCaptureContext+0x11: 77770030 8993a8000000 mov dword ptr [ebx+0A8h],edx ds:002b:0018f84c=00040000 0:000> t eax=0018fa80 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=77770036 esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlCaptureContext+0x17: 77770036 8b0424 mov eax,dword ptr [esp] ss:002b:0018f798=03c835c0 0:000> t eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=77770039 esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlCaptureContext+0x1a: 77770039 8983a4000000 mov dword ptr [ebx+0A4h],eax ds:002b:0018f848=00000002 0:000> t eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=7777003f esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl 
nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlCaptureContext+0x20: 7777003f 89b3a0000000 mov dword ptr [ebx+0A0h],esi ds:002b:0018f844=04660000 0:000> t eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=77770045 esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlCaptureContext+0x26: 77770045 89bb9c000000 mov dword ptr [ebx+9Ch],edi ds:002b:0018f840=03365e68 0:000> t eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=7777004b esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlCaptureContext+0x2c: 7777004b eb43 jmp ntdll!RtlpCaptureContext+0x41 (77770090) 0:000> t eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=77770090 esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlpCaptureContext+0x41: 77770090 8c8bbc000000 mov word ptr [ebx+0BCh],cs ds:002b:0018f860=046600b8 0:000> t eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=77770096 esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlpCaptureContext+0x47: 77770096 8c9b98000000 mov word ptr [ebx+98h],ds ds:002b:0018f83c=00000000 0:000> t eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=7777009c esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlpCaptureContext+0x4d: 7777009c 8c8394000000 mov word ptr [ebx+94h],es ds:002b:0018f838=04660001 0:000> t eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777700a2 esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 
ntdll!RtlpCaptureContext+0x53: 777700a2 8ca390000000 mov word ptr [ebx+90h],fs ds:002b:0018f834=046603c0 0:000> t eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777700a8 esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlpCaptureContext+0x59: 777700a8 8cab8c000000 mov word ptr [ebx+8Ch],gs ds:002b:0018f830=6fcddf33 0:000> t eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777700ae esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlpCaptureContext+0x5f: 777700ae 8c93c8000000 mov word ptr [ebx+0C8h],ss ds:002b:0018f86c=00000001 0:000> t eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777700b4 esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlpCaptureContext+0x65: 777700b4 9c pushfd 0:000> t eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777700b5 esp=0018f794 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlpCaptureContext+0x66: 777700b5 8f83c0000000 pop dword ptr [ebx+0C0h] ds:002b:0018f864=00000000 0:000> t eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777700bb esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlpCaptureContext+0x6c: 777700bb 8b4504 mov eax,dword ptr [ebp+4] ss:002b:0018fa78=75414e28 0:000> t eax=75414e28 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777700be esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlpCaptureContext+0x6f: 777700be 8983b8000000 mov dword ptr [ebx+0B8h],eax ds:002b:0018f85c=04660200 0:000> t 
eax=75414e28 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777700c4 esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlpCaptureContext+0x75: 777700c4 8b4500 mov eax,dword ptr [ebp] ss:002b:0018fa74=0018fadc 0:000> t eax=0018fadc ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777700c7 esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlpCaptureContext+0x78: 777700c7 8983b4000000 mov dword ptr [ebx+0B4h],eax ds:002b:0018f858=00000000 0:000> t eax=0018fadc ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777700cd esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlpCaptureContext+0x7e: 777700cd 8d4508 lea eax,[ebp+8] 0:000> t eax=0018fa7c ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777700d0 esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlpCaptureContext+0x81: 777700d0 8983c4000000 mov dword ptr [ebx+0C4h],eax ds:002b:0018f868=046601b0 0:000> t eax=0018fa7c ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777700d6 esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlpCaptureContext+0x87: 777700d6 c70307000100 mov dword ptr [ebx],10007h ds:002b:0018f7a4=6fcdd017 0:000> t eax=0018fa7c ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777700dc esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlpCaptureContext+0x8d: 777700dc 5b pop ebx 0:000> t eax=0018fa7c ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777700dd esp=0018f79c ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 
ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlpCaptureContext+0x8e: 777700dd c20400 ret 4 0:000> t eax=0018fa7c ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=777707d0 esp=0018f7a4 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlRaiseException+0x10: 777707d0 8b5504 mov edx,dword ptr [ebp+4] ss:002b:0018fa78=75414e28 0:000> t eax=0018fa7c ebx=03c835c0 ecx=00000007 edx=75414e28 esi=00000002 edi=03cac4d0 eip=777707d3 esp=0018f7a4 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlRaiseException+0x13: 777707d3 8b4508 mov eax,dword ptr [ebp+8] ss:002b:0018fa7c=0018fa80 0:000> t eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=75414e28 esi=00000002 edi=03cac4d0 eip=777707d6 esp=0018f7a4 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlRaiseException+0x16: 777707d6 838424c400000004 add dword ptr [esp+0C4h],4 ss:002b:0018f868=0018fa7c 0:000> t eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=75414e28 esi=00000002 edi=03cac4d0 eip=777707de esp=0018f7a4 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlRaiseException+0x1e: 777707de 89500c mov dword ptr [eax+0Ch],edx ds:002b:0018fa8c={KERNELBASE!RaiseException (75414de0)} 0:000> t eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=75414e28 esi=00000002 edi=03cac4d0 eip=777707e1 esp=0018f7a4 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlRaiseException+0x21: 777707e1 c7042407000100 mov dword ptr [esp],10007h ss:002b:0018f7a4=00010007 0:000> t eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=75414e28 esi=00000002 edi=03cac4d0 eip=777707e8 esp=0018f7a4 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlRaiseException+0x28: 777707e8 8bcc 
mov ecx,esp 0:000> t eax=0018fa80 ebx=03c835c0 ecx=0018f7a4 edx=75414e28 esi=00000002 edi=03cac4d0 eip=777707ea esp=0018f7a4 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlRaiseException+0x2a: 777707ea 6a01 push 1 0:000> t eax=0018fa80 ebx=03c835c0 ecx=0018f7a4 edx=75414e28 esi=00000002 edi=03cac4d0 eip=777707ec esp=0018f7a0 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlRaiseException+0x2c: 777707ec 51 push ecx 0:000> t eax=0018fa80 ebx=03c835c0 ecx=0018f7a4 edx=75414e28 esi=00000002 edi=03cac4d0 eip=777707ed esp=0018f79c ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlRaiseException+0x2d: 777707ed ff7508 push dword ptr [ebp+8] ss:002b:0018fa7c=0018fa80 0:000> t eax=0018fa80 ebx=03c835c0 ecx=0018f7a4 edx=75414e28 esi=00000002 edi=03cac4d0 eip=777707f0 esp=0018f798 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!RtlRaiseException+0x30: 777707f0 e8abcfffff call ntdll!NtRaiseException (7776d7a0) 0:000> t eax=0018fa80 ebx=03c835c0 ecx=0018f7a4 edx=75414e28 esi=00000002 edi=03cac4d0 eip=7776d7a0 esp=0018f794 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!NtRaiseException: 7776d7a0 b846010000 mov eax,146h 0:000> t eax=00000146 ebx=03c835c0 ecx=0018f7a4 edx=75414e28 esi=00000002 edi=03cac4d0 eip=7776d7a5 esp=0018f794 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 ntdll!NtRaiseException+0x5: 7776d7a5 64ff15c0000000 call dword ptr fs:[0C0h] fs:0053:000000c0=776d1218 0:000> t eax=00000146 ebx=03c835c0 ecx=0018f7a4 edx=75414e28 esi=00000002 edi=03cac4d0 eip=776d1218 esp=0018f790 ebp=0018fa74 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 776d1218 
ea841d6d773300 jmp 0033:776D1D84 0:000> t eax=00000000 ebx=00000622 ecx=00000000 edx=00000000 esi=00000000 edi=0018fa54 eip=7776c64c esp=0018fa1c ebp=0018fa38 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 ntdll!NtQueryPerformanceCounter+0xc: 7776c64c c20800 ret 8 0:000> t (22f4.25a8): Unknown exception - code 0eedfade (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0 eip=75414e28 esp=0018fa80 ebp=0018fadc iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 KERNELBASE!RaiseException+0x48: 75414e28 8b4c2454 mov ecx,dword ptr [esp+54h] ss:002b:0018fad4=3ee8d959 |
Well, that's long. However, we can see that almost immediately (line 95 of the listing) the constant identifying the exception type is loaded. So it looks like call Intensywny_kurs+0x5508 (00405508) calls some well-known procedure for throwing the exception.
What can we do now? Well, let's see what arguments we pass to the method (if any). However, this is x86, where instructions have different lengths, so we don't know where the previous instruction starts. We can't simply disassemble backwards from the call. Let's give it a try anyway and disassemble from a guessed start 0x20 bytes earlier:

```
0:000> u Intensywny_kurs+0x15309c-20
Intensywny_kurs+0x15307c:
0055307c e8372febff      call    Intensywny_kurs+0x5fb8 (00405fb8)
00553081 50              push    eax
00553082 56              push    esi
00553083 e854cdf3ff      call    Intensywny_kurs+0x8fddc (0048fddc)
00553088 8b4dfc          mov     ecx,dword ptr [ebp-4]
0055308b b201            mov     dl,1
0055308d a1402d5500      mov     eax,dword ptr [Intensywny_kurs+0x152d40 (00552d40)]
00553092 e8f5d1ebff      call    Intensywny_kurs+0x1028c (0041028c)
```
I have no idea if that's the code which is actually executed. It looks kind of plausible, but I cannot be sure. However, let's give it a go.
We know that a method is called which throws the exception, and the exception is probably already prepared at this point. How about just not throwing it? Let's restart the application and overwrite the call with NOPs:

```
0:000> u 00553097
Intensywny_kurs+0x153097:
00553097 e86c24ebff      call    Intensywny_kurs+0x5508 (00405508)
0055309c 6a20            push    20h
0055309e 8b431c          mov     eax,dword ptr [ebx+1Ch]
005530a1 50              push    eax
005530a2 8b4304          mov     eax,dword ptr [ebx+4]
005530a5 85c0            test    eax,eax
005530a7 7905            jns     Intensywny_kurs+0x1530ae (005530ae)
005530a9 e8aa19ebff      call    Intensywny_kurs+0x4a58 (00404a58)
0:000> a 00553097
00553097 nop
nop
00553098 nop
nop
00553099 nop
nop
0055309a nop
nop
0055309b nop
nop
0055309c
0:000> u 00553097
Intensywny_kurs+0x153097:
00553097 90              nop
00553098 90              nop
00553099 90              nop
0055309a 90              nop
0055309b 90              nop
0055309c 6a20            push    20h
```

So we check the code first, modify it, and then check it again. Let's now resume the application and see that it works.
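Two things in the two listings above are worth making mechanical: checking that a guessed backward disassembly is self-consistent, and confirming where a `call rel32` goes. What follows is an added example, my own code rather than anything from the post or from the application's authors: a toy decoder that knows only the handful of opcodes that occur in the `u` listings (it stops at anything else), fed with the bytes and addresses copied from those listings. It checks that decoding forward from the guessed start 0x0055307c lands exactly on the known call at 0x00553097, resolves the rel32 displacements to the same targets WinDbg printed, and shows why the call is replaced with five one-byte nops rather than a shorter patch: every instruction after it, starting with the push at 0x0055309c, keeps its address. The constants BEFORE_CALL, AT_CALL and the function names are mine.

```python
"""Toy x86-32 length decoder for the opcodes seen in the post's listings.

Not the post's code: an added example.  Covers only what the two `u`
listings contain and raises on anything else, so it cannot be mistaken
for a general disassembler.
"""
import struct

# Bytes from `u Intensywny_kurs+0x15309c-20` (starts at 0x0055307c).
BEFORE_CALL_ADDR = 0x0055307C
BEFORE_CALL = bytes.fromhex(
    "e8372febff" "50" "56" "e854cdf3ff" "8b4dfc" "b201" "a1402d5500" "e8f5d1ebff"
)
# Bytes from `u 00553097` before patching (starts at 0x00553097).
AT_CALL_ADDR = 0x00553097
AT_CALL = bytes.fromhex(
    "e86c24ebff" "6a20" "8b431c" "50" "8b4304" "85c0" "7905" "e8aa19ebff"
)


def _modrm_len(modrm: int) -> int:
    """Bytes used by a ModRM operand: ModRM itself, optional SIB, displacement."""
    mod, rm = modrm >> 6, modrm & 7
    n = 1
    if mod != 3 and rm == 4:            # SIB byte follows
        n += 1
    if mod == 1:
        n += 1                          # disp8
    elif mod == 2 or (mod == 0 and rm == 5):
        n += 4                          # disp32
    return n


def decode_one(code: bytes, pos: int, addr: int):
    """Decode the instruction at code[pos], which lives at virtual address addr.
    Returns (length, mnemonic, target); target is the resolved destination of a
    relative call/jump (next address + signed displacement) or None."""
    op = code[pos]
    if op == 0xE8:                                          # call rel32
        rel = struct.unpack_from("<i", code, pos + 1)[0]
        return 5, "call", (addr + 5 + rel) & 0xFFFFFFFF
    if op == 0x79:                                          # jns rel8
        rel = struct.unpack_from("<b", code, pos + 1)[0]
        return 2, "jns", (addr + 2 + rel) & 0xFFFFFFFF
    if 0x50 <= op <= 0x57:                                  # push r32
        return 1, "push", None
    if op == 0x6A:                                          # push imm8
        return 2, "push", None
    if op == 0x90:                                          # nop
        return 1, "nop", None
    if op == 0xB2:                                          # mov dl,imm8
        return 2, "mov", None
    if op == 0xA1:                                          # mov eax,[moffs32]
        return 5, "mov", None
    if op in (0x8B, 0x85):                                  # mov r32,r/m32 ; test r/m32,r32
        return 1 + _modrm_len(code[pos + 1]), ("mov" if op == 0x8B else "test"), None
    raise ValueError(f"unsupported opcode {op:#04x} at {addr:#010x}")


def disassemble(code: bytes, base: int):
    """Decode linearly from the start of code; stop at the end or at an opcode
    the toy decoder does not know.  Yields (address, length, mnemonic, target)."""
    out, pos = [], 0
    while pos < len(code):
        try:
            n, mnemonic, target = decode_one(code, pos, base + pos)
        except (ValueError, IndexError, struct.error):
            break
        out.append((base + pos, n, mnemonic, target))
        pos += n
    return out


def boundaries(code: bytes, base: int):
    """Addresses at which instructions start when decoding from base."""
    return [addr for addr, _, _, _ in disassemble(code, base)]


def backward_guess_is_consistent(code: bytes, base: int, anchor: int) -> bool:
    """The check behind 'it looks kind of plausible': decoding forward from the
    guessed start must land exactly on an address known to be an instruction
    boundary (the call we stopped on).  Necessary, not sufficient."""
    return anchor in boundaries(code, base)


def call_targets(code: bytes, base: int):
    """Resolved destinations of every call, for comparison with WinDbg's output."""
    return [target for _, _, m, target in disassemble(code, base) if m == "call"]


def nops_keep_following_boundaries(code: bytes, base: int, length: int) -> bool:
    """Replacing the first instruction (length bytes) with one nop per byte must
    leave every later instruction boundary exactly where it was."""
    patched = b"\x90" * length + code[length:]
    return boundaries(patched, base)[length:] == boundaries(code, base)[1:]


if __name__ == "__main__":
    for addr, n, m, t in disassemble(BEFORE_CALL + AT_CALL, BEFORE_CALL_ADDR):
        print(f"{addr:08x} {m:5} len={n}" + (f" -> {t:08x}" if t is not None else ""))
    print("guess reaches 00553097:",
          backward_guess_is_consistent(BEFORE_CALL + AT_CALL, BEFORE_CALL_ADDR, AT_CALL_ADDR))
    print("call targets at 00553097:", [f"{t:08x}" for t in call_targets(AT_CALL, AT_CALL_ADDR)])
    print("5 nops keep alignment:", nops_keep_following_boundaries(AT_CALL, AT_CALL_ADDR, 5))
```

The consistency check is only a necessary condition: a wrong start can by chance resynchronise onto the right boundary a few instructions later, which is exactly why the post still verifies the guess by running the patched code.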
Okay, now the tricky part. We'd like to remove that code for good, so that the application can simply be run normally.
To do that we need a hex editor; I used Frhed. Open the exe file and search for the following byte sequence:

```
<bh:e8><bh:6c><bh:24><bh:eb><bh:ff>
```
Luckily enough, there is only one occurrence:
If you check the bytes following the pattern, they match the instructions from the disassembly listing, so this is the right spot. Overwrite the five bytes with NOPs and it works!
And now the solution for Polish speakers.
Running Profesor Klaus Intensywny Kurs without a microphone
Note: This section explains what a modified application that does not check for the microphone at startup would look like. Of course I do not encourage modifying the application, which is contrary to the license, and I am not attaching any files belonging to the authors. The whole post is educational in nature.
Note 2: All modifications apply to version 1.1.0.103 of the executable. If you have a different version, the solution below may not work.
Note 3: Modifying the application is dangerous and may damage it permanently. Make a backup, and if you do not understand the description below, ask someone more experienced for help.
Automatic solution
Open PowerShell with administrator privileges and go to the directory containing Intensywny_kurs.exe (most likely C:\Edgard\Profesor Klaus - Intensywny kurs):

```
cd "C:\Edgard\Profesor Klaus - Intensywny kurs"
```

Then copy and run this code:
```powershell
$code = @"
using System;
using System.IO;

namespace KlausReplacer
{
    public class Program
    {
        // dir is the folder holding Intensywny_kurs.exe.  It is passed in explicitly
        // because PowerShell's cd does not change the .NET process working directory,
        // so a bare relative file name would be resolved against the wrong folder.
        public static void Main(string dir)
        {
            var bytes = File.ReadAllBytes(Path.Combine(dir, "Intensywny_kurs.exe"));
            // e8 6c 24 eb ff: the call Intensywny_kurs+0x5508 found at 00553097
            var instruction = new byte[]{0xe8, 0x6c, 0x24, 0xeb, 0xff};
            for(int i=0;i<=bytes.Length - instruction.Length;++i){
                bool found = true;
                for(int j=0;j<instruction.Length;++j){
                    found &= bytes[i+j] == instruction[j];
                }
                if(found){
                    Console.WriteLine("Found at " + i);
                    // overwrite the 5-byte call with five single-byte nops
                    for(int j=0;j<instruction.Length;++j){
                        bytes[i+j] = 0x90;
                    }
                }
            }
            File.WriteAllBytes(Path.Combine(dir, "Intensywny_kurs_bez_mikrofonu.exe"), bytes);
        }
    }
}
"@
Add-Type -TypeDefinition $code -Language CSharp
[KlausReplacer.Program]::Main((Get-Location).Path)
```

This creates the file Intensywny_kurs_bez_mikrofonu.exe. If, after running the last command, you saw the output

```
Found at 1385623
```

then everything completed correctly.
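The script above, like the hex-editor search earlier in the post, relies on the 5-byte pattern being unique in the file. The pattern e8 6c 24 eb ff is `call rel32` with one particular displacement, so the same five bytes would appear at any other call that happens to use that displacement, and the script would rewrite every one of them without looking. What follows is an added example, my own code and not the post's or the application's authors': the checks I would run around such a patch. It accepts a site only if it is unique and followed by the bytes the `u 00553097` listing shows, confirms that the patched copy differs from the original at exactly those five offsets, and recognises a copy that already carries the nops. The sample buffer SAMPLE is constructed for the demonstration; the instruction bytes and the expected following bytes come from the listing.

```python
"""Checks around a 5-byte call patch: uniqueness, context, and a diff of the
result.  Added example, not code from the post."""

CALL_BYTES = bytes.fromhex("e86c24ebff")          # call Intensywny_kurs+0x5508 (from the listing)
# push 20h ; mov eax,[ebx+1Ch] ; push eax ; mov eax,[ebx+4]   (bytes from the listing)
EXPECTED_AFTER = bytes.fromhex("6a20" "8b431c" "50" "8b4304")
NOPS = b"\x90" * len(CALL_BYTES)


def find_all(data: bytes, pattern: bytes) -> list:
    """Every offset at which pattern occurs, overlapping matches included."""
    hits, i = [], data.find(pattern)
    while i != -1:
        hits.append(i)
        i = data.find(pattern, i + 1)
    return hits


def locate_patch_site(data: bytes, pattern: bytes = CALL_BYTES,
                      context: bytes = EXPECTED_AFTER) -> int:
    """Offset of the single place where pattern is immediately followed by
    context.  Raises when there is none or more than one, so a caller never
    rewrites an unrelated call that merely shares the displacement bytes."""
    end = len(pattern)
    candidates = [o for o in find_all(data, pattern)
                  if data[o + end:o + end + len(context)] == context]
    if len(candidates) != 1:
        raise ValueError(f"expected exactly one patch site, found {len(candidates)} at {candidates}")
    return candidates[0]


def nop_out(data: bytes, offset: int, length: int = len(CALL_BYTES)) -> bytes:
    """Copy of data with `length` bytes at offset replaced by one nop each, so
    the instruction that follows keeps its address.  The input is not modified."""
    patched = bytearray(data)
    patched[offset:offset + length] = b"\x90" * length
    return bytes(patched)


def diff_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two equally long buffers differ: the check that a patch
    changed only the bytes it was meant to."""
    if len(a) != len(b):
        raise ValueError("buffers differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def is_already_patched(data: bytes, context: bytes = EXPECTED_AFTER) -> bool:
    """Tamper check for this site: nops where the call used to be, followed by
    the original context, and no intact call with that context left."""
    return (NOPS + context) in data and (CALL_BYTES + context) not in data


# Constructed sample image: filler, a decoy carrying the same call bytes but
# different following bytes, then the real site with the expected context.
SAMPLE = (b"\x00" * 64
          + CALL_BYTES + b"\xcc" * 8
          + b"\x00" * 32
          + CALL_BYTES + EXPECTED_AFTER
          + b"\x00" * 16)

if __name__ == "__main__":
    site = locate_patch_site(SAMPLE)
    patched = nop_out(SAMPLE, site)
    print("raw pattern hits:", find_all(SAMPLE, CALL_BYTES), "accepted site:", site)
    print("offsets changed by the patch:", diff_offsets(SAMPLE, patched))
    print("patched copy recognised:", is_already_patched(patched))
```

Run against a real file, `find_all` reports the raw hits (the post saw exactly one, at 1385623), `locate_patch_site` refuses to continue if the context does not match or the site is not unique, and `diff_offsets` on the original and the output is the quickest way to confirm nothing else was touched.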
Manual solution
First we need the binary editor Frhed (I am not affiliated with the authors of that application in any way).
After installing the editor, run it as administrator and open the file via File -> Open... Select the file Intensywny_kurs.exe (most likely from C:\Edgard\Profesor Klaus - Intensywny kurs).
Press CTRL + F to open the search window and search for this string:

```
<bh:e8><bh:6c><bh:24><bh:eb><bh:ff>
```

There should be only one occurrence, as below:
You need to replace the found string with the values

```
9090909090
```

as below:
Save the file with CTRL + S, close the editor and then run Profesor Klaus.