
Disassembly of False Positives for Microsoft Word under SCRAP

We evaluated the Word application of the Microsoft Office 2010 suite using a 54 KiB document [1] under the SCRAP configuration S_{7,4} for one billion instructions. Following is the disassembly of the functions where false positives occur, grouped by Dynamic-link Library (DLL). The exact lines are marked with an arrow. Our analysis of the Office libraries is limited because their debugging symbols are not publicly available.

The first six false positives, in kernel32.dll, ntdll.dll, and gdi32.dll, are about the way DLL imports are handled, either with a jump stub or an indirect call, both using the Import Address Table (IAT) [2]. Note that this is very similar to the Procedure Linkage Table (PLT) and Global Offset Table (GOT) structures found on Linux systems.

The next two libraries with false positives (comdlg32.dll, msctf.dll) are almost identical: again an address is loaded from the IAT into a register and called a dozen times, every 2-3 instructions. Note that the symbol name starts with the __imp__ prefix, which means that it resides in the IAT [3].

MSO.DLL has one case that uses the IAT and four cases that use a variant of a call/jump table (two cases use calls, the remaining two use jumps). No symbols are publicly available, so we were unable to identify more details.

WWLIB.DLL also behaves similarly to comdlg32.dll and msctf.dll. Specifically, it loads an address, possibly from the IAT, and then repeatedly calls it. Again, no symbols are available.

The last library (combase.dll) appears to be using a function pointer inside a loop (probably for a data structure of a generic type).

In summary, the majority of the false positives (possibly with the only exception of the last one) can simply be discarded if the address was loaded from the IAT. Going forward, the handling of dynamic linking can be altered either to not generate such gadget-like sequences (note that the ones from comdlg32.dll and msctf.dll look very much like real attack code) or to patch the instructions themselves and not use indirect jumps/calls for imported functions.
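The IAT rule from the summary above, as an added example that is not part of this appendix or of SCRAP: it walks disassembly lines in the format used here and drops a flagged indirect call/jmp when its target is read from an IAT slot, either directly or through a register that was last loaded from one. The sample lines are taken from the listings below (the last two are constructed), and the IAT address ranges are assumed values chosen to cover the slot addresses those listings show.

```python
import re
# Assumed IAT address ranges, constructed for this example to cover the __imp__ slot
# addresses the listings show (e.g. 753C0494h in kernel32.dll, 60EB19CCh in MSO.DLL).
IAT_RANGES = {
    "kernel32.dll": (0x753C0000, 0x753C1000),
    "comdlg32.dll": (0x755F3000, 0x755F4000),
    "MSO.DLL": (0x60EB1000, 0x60EB2000),
}
MEM_RE = re.compile(r"dword ptr (?:[a-z]{2}:)?\[(?P<body>[^\]]*)\]")
SLOT_RE = re.compile(r"(?:(__imp__\S+)\s+\()?([0-9A-Fa-f]+)h\)?")
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
# Constructed sample: arrow-marked lines from the appendix plus the register loads that
# precede them; the last two lines are invented to show a register losing its IAT taint.
SAMPLE = """\
->753683E8 jmp dword ptr [__imp__DuplicateHandle@28 (753C0494h)]
->7781C6E5 call dword ptr fs:[0C0h]
75591808 mov esi,dword ptr [__imp__RegisterWindowMessageA@4 (755F3220h)]
75591823 call esi
612C56B3 mov esi,dword ptr ds:[60EB1A10h] (_GetCurrentProcess@0@kernel32.dll)
612C56C3 call esi
->612C56D6 call dword ptr ds:[60EB19CCh] (_TlsAllocStub@0@kernel32.dll)
->775B7735 call dword ptr [ebp+0Ch]
00000000 mov esi,eax
00000002 call esi
"""


def iat_slot(operands):
    """True if the operands read a memory slot inside the IAT (by __imp__ symbol or address)."""
    m = MEM_RE.search(operands)
    s = SLOT_RE.fullmatch(m.group("body").strip()) if m else None
    if not s:
        return False
    addr = int(s.group(2), 16)
    return s.group(1) is not None or any(lo <= addr < hi for lo, hi in IAT_RANGES.values())


def classify(listing):
    """(address, verdict) per indirect call/jmp: 'iat' = target read from an IAT slot,
    'iat-register' = register last loaded from an IAT slot, 'review' = keep as candidate."""
    tainted = set()      # registers currently holding a value loaded from the IAT
    verdicts = []
    for raw in listing.splitlines():
        line = raw.lstrip("->").strip()       # arrows mark the flagged lines in the appendix
        if not line:
            continue
        addr, mnem, *rest = line.split(None, 2)
        ops = re.sub(r"\s*,\s*", ",", rest[0]) if rest else ""
        dest = ops.split(",")[0]
        if mnem in ("call", "jmp"):
            if iat_slot(ops):
                verdicts.append((addr, "iat"))
            elif dest in REGS:
                verdicts.append((addr, "iat-register" if dest in tainted else "review"))
            elif "[" in ops:
                verdicts.append((addr, "review"))
            continue                          # direct transfer to an immediate: not indirect
        # Any other write to a register clears its taint unless it is itself an IAT load.
        if dest in REGS and mnem not in ("cmp", "test", "push"):
            if mnem == "mov" and iat_slot(ops):
                tainted.add(dest)
            else:
                tainted.discard(dest)
    return verdicts


def discardable(listing):
    """Addresses of flagged indirect branches that the IAT rule would drop as false positives."""
    return [addr for addr, verdict in classify(listing) if verdict != "review"]
```

The fs:[0C0h] and [ebp+0Ch] cases stay as candidates because nothing in the instruction ties the target to the IAT; the combase.dll loop in particular is the case the summary singles out as the likely exception.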


Module: kernel32.dll

Module Address: 75340000-75480000

Description: Most of the Win32 base APIs, such as memory management, input/output operations, process and thread creation, and synchronization functions. Many of these are implemented within KERNEL32.DLL by calling corresponding functions in the native API, exposed by NTDLL.DLL.

_DuplicateHandle@28:

->753683E8 jmp dword ptr [__imp__DuplicateHandle@28 (753C0494h)]

753683EE int 3

753683EF int 3

753683F0 int 3

753683F1 int 3

753683F2 int 3

753683F3 int 3

_TlsAllocStub@0:

->7535D1F5 jmp dword ptr [__imp__TlsAlloc@0 (753C08BCh)]

7535D1FB int 3

7535D1FC int 3

7535D1FD int 3

7535D1FE int 3

7535D1FF int 3

Module: ntdll.dll

Module Address: 777E0000-77948000

Description: Windows Native API. The Native API is the interface used by user-mode components of the operating system that must run without support from Win32 or other API subsystems. Most of this API is implemented in NTDLL.DLL and at the upper edge of ntoskrnl.exe (and its variants); the majority of exported symbols within these libraries are prefixed Nt, e.g., NtDisplayString. Native APIs are also used to implement many of the "kernel APIs" or "base APIs" exported by KERNEL32.DLL. The large majority of Windows applications do not call NTDLL.DLL directly.

_NtOpenProcessToken@12:

7781C6E0 mov eax,10Eh

->7781C6E5 call dword ptr fs:[0C0h]

7781C6EC ret 0Ch

7781C6EF nop

_NtReleaseMutant@8:

7781B7F0 mov eax,7001Fh

->7781B7F5 call dword ptr fs:[0C0h]

7781B7FC ret 8

7781B7FF nop

_ZwSetEvent@8:

7781B6D0 mov eax,7000Dh

->7781B6D5 call dword ptr fs:[0C0h]

7781B6DC ret 8

7781B6DF nop


Module: gdi32.dll

Module Address: 76B70000-76C78000

Description: Graphics Device Interface (GDI) functions that perform primitive drawing functions for output to video displays and printers. Applications call GDI functions directly to perform low-level drawing, text output, font management, and similar functions.

_NtGdiGetNearestColor@8:

76BAC48D mov eax,71072h

->76BAC492 call dword ptr fs:[0C0h]

76BAC499 ret 8

76BAC49C nop

Module: comdlg32.dll

Module Address: 75590000-75617000

Description: Common Dialog Boxes

FInitFile:

755917FD mov edi,edi

755917FF push esi

75591800 push 13h

75591802 call dword ptr [__imp__GetSystemMetrics@4 (755F31F0h)]

75591808 mov esi,dword ptr [__imp__RegisterWindowMessageA@4 (755F3220h)]

7559180E mov dword ptr [_bMouse (755EF264h)],eax

75591813 mov eax,0A0Ah

75591818 push offset szmsgWOWLFCHANGE (755EF764h)

7559181D mov word ptr [_wWinVer (755EF20Ch)],ax

75591823 call esi

75591825 push offset szmsgWOWDIRCHANGE (755EF77Ch)

7559182A mov dword ptr [_msgWOWLFCHANGE (755EF2C8h)],eax

7559182F call esi

75591831 push offset szmsgWOWCHOOSEFONT_GETLOGFONT (755EF804h)

75591836 mov dword ptr [_msgWOWDIRCHANGE (755EF2A0h)],eax

7559183B call esi

7559183D push offset szmsgLBCHANGEA (755EF83Ch)

75591842 mov dword ptr [_msgWOWCHOOSEFONT_GETLOGFONT (755EF2C4h)],eax

75591847 call esi

75591849 push offset szmsgSHAREVIOLATIONA (755EF7D4h)

7559184E mov dword ptr [_msgLBCHANGEA (755EF24Ch)],eax

75591853 call esi

75591855 push offset szmsgFILEOKA (755EF7ACh)

7559185A mov dword ptr [_msgSHAREVIOLATIONA (755EF260h)],eax

7559185F call esi

75591861 push offset szmsgCOLOROKA (755EF79Ch)

75591866 mov dword ptr [_msgFILEOKA (755EF26Ch)],eax

7559186B call esi

7559186D push offset szmsgSETRGBA (755EF7C0h)

75591872 mov dword ptr [_msgCOLOROKA (755EF274h)],eax

75591877 call esi

75591879 mov esi,dword ptr [__imp__RegisterWindowMessageW@4 (755F32BCh)]

7559187F push offset szmsgLBCHANGEW (755EF8F8h)


75591884 mov dword ptr [_msgSETRGBA (755EF278h)],eax

75591889 call esi

7559188B push offset szmsgSHAREVIOLATIONW (755EF8C8h)

75591890 mov dword ptr [_msgLBCHANGEW (755EF268h)],eax

75591895 call esi

75591897 push offset szmsgFILEOKW (755EF878h)

7559189C mov dword ptr [_msgSHAREVIOLATIONW (755EF250h)],eax

755918A1 call esi

755918A3 push offset szmsgCOLOROKW (755EF858h)

755918A8 mov dword ptr [_msgFILEOKW (755EF270h)],eax

755918AD call esi

755918AF push offset szmsgSETRGBW (755EF8A0h)

755918B4 mov dword ptr [_msgCOLOROKW (755EF298h)],eax

->755918B9 call esi

755918BB mov dword ptr [_msgSETRGBW (755EF254h)],eax

755918C0 pop esi

755918C1 ret

755918C2 nop

755918C3 nop

755918C4 nop

755918C5 nop

755918C6 nop

Module: msctf.dll

Module Address: 76D00000-76DF7000

Description: Microsoft Text Service Module

RegisterMSIMEMessage:

76D19767 mov edi,edi

76D19769 push ebx

76D1976A push edi

76D1976B mov ebx,offset g_cs (76DA91BCh)

76D19770 xor edi,edi

76D19772 push ebx

76D19773 inc edi

76D19774 call dword ptr [__imp__EnterCriticalSection@4 (76DAB0F8h)]

76D1977A cmp dword ptr [CUIFSystemInfo::m_fInitialized+4 (76DA9160h)],0

76D19781 jne RegisterMSIMEMessage+0FBh (76D19862h)

76D19787 push esi

76D19788 mov esi,dword ptr [__imp__RegisterWindowMessageW@4 (76DAB3D8h)]

76D1978E push offset string L"MSIMEService" (76D19874h)

76D19793 call esi

76D19795 push offset string L"MSIMEUIReady" (76D19890h)

76D1979A mov dword ptr [WM_MSIME_SERVICE (76DA90C0h)],eax

76D1979F call esi

76D197A1 push offset string L"MSIMEReconvertReques"... (76D198ACh)

76D197A6 mov dword ptr [WM_MSIME_UIREADY (76DA90B8h)],eax

76D197AB call esi

76D197AD push offset string L"MSIMEReconvert" (76D198D8h)

76D197B2 mov dword ptr [WM_MSIME_RECONVERTREQUEST (76DA90BCh)],eax

76D197B7 call esi

76D197B9 push offset string L"MSIMEDocumentFeed" (76D198F8h)

76D197BE mov dword ptr [WM_MSIME_RECONVERT (76DA90B0h)],eax


->76D197C3 call esi

76D197C5 push offset string L"MSIMEQueryPosition" (76D1991Ch)

76D197CA mov dword ptr [WM_MSIME_DOCUMENTFEED (76DA90B4h)],eax

->76D197CF call esi

76D197D1 push offset string L"MSIMEModeBias" (76D19944h)

76D197D6 mov dword ptr [WM_MSIME_QUERYPOSITION (76DA90A8h)],eax

->76D197DB call esi

76D197DD push offset string L"MSIMEShowImePad" (76D19960h)

76D197E2 mov dword ptr [WM_MSIME_MODEBIAS (76DA909Ch)],eax

->76D197E7 call esi

76D197E9 push offset string L"MSIMEMouseOperation" (76D19980h)

76D197EE mov dword ptr [WM_MSIME_SHOWIMEPAD (76DA90ACh)],eax

->76D197F3 call esi

76D197F5 push offset string L"MSIMEKeyMap" (76D199A8h)

76D197FA mov dword ptr [WM_MSIME_MOUSE (76DA90A0h)],eax

->76D197FF call esi

76D19801 cmp dword ptr [WM_MSIME_SERVICE (76DA90C0h)],0

76D19808 mov dword ptr [WM_MSIME_KEYMAP (76DA90A4h)],eax

76D1980D pop esi

76D1980E je RegisterMSIMEMessage+107h (76D1986Eh)

76D19810 cmp dword ptr [WM_MSIME_UIREADY (76DA90B8h)],0

76D19817 je RegisterMSIMEMessage+107h (76D1986Eh)

76D19819 cmp dword ptr [WM_MSIME_RECONVERTREQUEST (76DA90BCh)],0

76D19820 je RegisterMSIMEMessage+107h (76D1986Eh)

76D19822 cmp dword ptr [WM_MSIME_RECONVERT (76DA90B0h)],0

76D19829 je RegisterMSIMEMessage+107h (76D1986Eh)

76D1982B cmp dword ptr [WM_MSIME_DOCUMENTFEED (76DA90B4h)],0

76D19832 je RegisterMSIMEMessage+107h (76D1986Eh)

76D19834 cmp dword ptr [WM_MSIME_QUERYPOSITION (76DA90A8h)],0

76D1983B je RegisterMSIMEMessage+107h (76D1986Eh)

76D1983D cmp dword ptr [WM_MSIME_MODEBIAS (76DA909Ch)],0

76D19844 je RegisterMSIMEMessage+107h (76D1986Eh)

76D19846 cmp dword ptr [WM_MSIME_SHOWIMEPAD (76DA90ACh)],0

76D1984D je RegisterMSIMEMessage+107h (76D1986Eh)

76D1984F cmp dword ptr [WM_MSIME_MOUSE (76DA90A0h)],0

76D19856 je RegisterMSIMEMessage+107h (76D1986Eh)

76D19858 test eax,eax

76D1985A je RegisterMSIMEMessage+107h (76D1986Eh)

76D1985C mov dword ptr [CUIFSystemInfo::m_fInitialized+4 (76DA9160h)],edi

76D19862 push ebx

76D19863 call dword ptr [__imp__LeaveCriticalSection@4 (76DAB0E8h)]

76D19869 mov eax,edi

76D1986B pop edi

76D1986C pop ebx

76D1986D ret

76D1986E xor edi,edi

76D19870 jmp RegisterMSIMEMessage+0FBh (76D19862h)

76D19872 nop

76D19873 nop

Module: MSO.DLL (Symbols not available)

Module Address: 60EB0000-61FFD000


612C569B push ebp

612C569C mov ebp,esp

612C569E mov eax,dword ptr [ebp+0Ch]

612C56A1 push esi

612C56A2 cmp eax,1

612C56A5 jne 612C56F5

612C56A7 call dword ptr ds:[60EB1A34h] (_GetCurrentThreadId@0@kernel32.dll)

612C56AD push 2

612C56AF xor esi,esi

612C56B1 push esi

612C56B2 push esi

612C56B3 mov esi,dword ptr ds:[60EB1A10h] (_GetCurrentProcess@0@kernel32.dll)

612C56B9 push 61E7F978h

612C56BE mov dword ptr ds:[61E7F974h],eax

612C56C3 call esi

612C56C5 push eax

612C56C6 call dword ptr ds:[60EB1A0Ch]

612C56CC push eax

612C56CD call esi

612C56CF push eax

612C56D0 call dword ptr ds:[60EB194Ch] (_DuplicateHandle@28@kernel32.dll)

->612C56D6 call dword ptr ds:[60EB19CCh] (_TlsAllocStub@0@kernel32.dll)

612C56DC mov dword ptr ds:[61E3968Ch],eax

612C56E1 call 612C57E6

612C56E6 mov ecx,61E7F428h

612C56EB call 612C5823

612B83B8 push ebp

612B83B9 mov ebp,esp

612B83BB cmp dword ptr [ebp+0Ch],0

612B83BF jne 612B83C5

612B83C1 mov al,1

612B83C3 jmp 612B83E7

612B83C5 push esi

612B83C6 mov esi,dword ptr [ebp+8]

612B83C9 jmp 612B83E0

612B83CB mov eax,dword ptr [esi]

612B83CD mov ecx,esi

->612B83CF call dword ptr [eax+0Ch]

612B83D2 cmp eax,dword ptr [ebp+0Ch]

612B83D5 je 612B83EB

612B83D7 mov eax,dword ptr [esi]

612B83D9 mov ecx,esi

->612B83DB call dword ptr [eax+2Ch]

612B83DE mov esi,eax

612B83E0 test esi,esi

612B83E2 jne 612B83CB

612B83E4 xor al,al

612B83E6 pop esi

612B83E7 pop ebp

612B83E8 ret 8


6132E06B mov ebp,esp

6132E06D push ecx

6132E06E push ecx

6132E06F push ebx

6132E070 push esi

6132E071 mov ebx,40C0000Ah

6132E076 push edi

6132E077 mov esi,ecx

6132E079 cmp dword ptr [ebp+8],ebx

6132E07C jne 6132E229

6132E082 call 613333C5

6132E087 test al,al

6132E089 jne 6132E241

6132E08F and dword ptr [ebp+8],0

6132E093 lea eax,[ebp+8]

6132E096 push eax

6132E097 push 1

6132E099 call 61299A7D

6132E09E cmp dword ptr [esi+50h],0

6132E0A2 je 6132E0B0

6132E0A4 lea eax,[ebp+8]

6132E0A7 push eax

6132E0A8 push ebx

6132E0A9 mov ecx,esi

6132E0AB call 61343AA6

6132E0B0 mov eax,dword ptr [ebp+8]

6132E0B3 cmp byte ptr [eax+8],0

6132E0B7 je 6132E0CB

6132E0B9 test byte ptr [esi+5Dh],1

6132E0BD je 6132E0CB

6132E0BF lea eax,[ebp+8]

6132E0C2 push eax

6132E0C3 push ebx

6132E0C4 mov ecx,esi

6132E0C6 call 61646DAB

6132E0CB mov eax,dword ptr [ebp+8]

6132E0CE cmp byte ptr [eax+8],0

6132E0D2 je 6132E106

6132E0D4 lea edi,[esi+38h]

6132E0D7 mov eax,dword ptr [edi]

6132E0D9 push ebx

6132E0DA mov ecx,edi

6132E0DC call dword ptr [eax+10h]

6132E0DF test al,al

6132E0E1 je 6132E106

6132E0E3 mov eax,dword ptr [edi]

6132E0E5 lea ecx,[ebp+8]

6132E0E8 push ecx

6132E0E9 push ebx

6132E0EA mov ecx,edi

6132E0EC call dword ptr [eax+14h]

6132E0EF test al,al

6132E0F1 jne 6132E106


6132E0F6 test ecx,ecx

6132E0F8 je 6132E0FF

6132E0FA call 61299906

6132E0FF xor al,al

6132E101 jmp 6132E24E

6132E106 mov eax,dword ptr [ebp+8]

6132E109 cmp byte ptr [eax+8],0

6132E10D je 6132E1B4

6132E113 lea edi,[esi+40h]

6132E116 mov eax,dword ptr [edi]

6132E118 mov ecx,edi

6132E11A call dword ptr [eax+4Ch]

6132E11D mov dword ptr [ebp-4],eax

6132E120 cmp eax,1

6132E123 jne 6132E12E

6132E125 mov dword ptr [ebp-4],3014h

6132E12C jmp 6132E149

6132E12E push eax

6132E12F call 613333FD

6132E134 test al,al

6132E136 jne 6132E20D

6132E13C cmp dword ptr [ebp-4],41F0h

6132E143 je 6132E20D

6132E149 mov al,byte ptr [esi+5Ch]

6132E14C shr al,6

6132E14F test al,1

6132E151 je 6132E172

6132E153 push dword ptr [ebp+0Ch]

6132E156 push 0

6132E158 call 61299A7D

6132E15D mov ecx,dword ptr [ebp+8]

6132E160 mov bl,al

6132E162 test ecx,ecx

6132E164 je 6132E16B

6132E166 call 61299906

6132E16B mov al,bl

6132E16D jmp 6132E24E

6132E172 mov eax,dword ptr [edi]

6132E174 mov ecx,edi

6132E176 call dword ptr [eax+44h]

6132E179 test eax,eax

6132E17B je 6132E1B4

6132E17D mov eax,dword ptr [edi]

6132E17F mov ecx,edi

6132E181 call dword ptr [eax+44h]

6132E184 mov edx,dword ptr [eax]

6132E186 mov ecx,eax

6132E188 call dword ptr [edx+10h]

6132E18B mov ecx,dword ptr [esi+44h]

6132E18E mov ebx,eax

6132E190 mov eax,dword ptr [ecx]

6132E192 mov edi,dword ptr [ebx]

6132E194 call dword ptr [eax+60h]


6132E198 push dword ptr [ebp-4]

6132E19B mov ecx,ebx

->6132E19D call dword ptr [edi+1Ch]

6132E1A0 test al,al

6132E1A2 jne 6132E1AF

6132E1A4 lea eax,[ebp+8]

6132E1A7 push eax

6132E1A8 push 0

6132E1AA call 61299A7D

6132E1AF mov ebx,40C0000Ah

6132E1B4 mov eax,dword ptr [ebp+8]

6132E1B7 cmp byte ptr [eax+8],0

6132E1BB je 6132E20D

6132E1BD mov eax,dword ptr [esi]

6132E1BF lea ecx,[ebp-4]

6132E1C2 push ecx

6132E1C3 xor edi,edi

6132E1C5 mov ecx,esi

6132E1C7 mov dword ptr [ebp-4],edi

6132E1CA call dword ptr [eax+50h]

6132E1CD test al,al

6132E1CF je 6132E1FD

6132E1D1 mov ecx,dword ptr [ebp-4]

6132E1D4 lea edx,[ebp-8]

6132E1D7 push edx

6132E1D8 mov dword ptr [ebp-8],edi

6132E1DB mov eax,dword ptr [ecx]

6132E1DD push ebx

6132E1DE call dword ptr [eax+14h]

6132E1E1 test al,al

6132E1E3 je 6132E1F1

6132E1E5 lea eax,[ebp-8]

6132E1E8 push eax

6132E1E9 lea ecx,[ebp+8]

6132E1EC call 612F1C47

6132E1F1 mov ecx,dword ptr [ebp-8]

6132E1F4 cmp ecx,edi

6132E1F6 je 6132E1FD

6132E1F8 call 61299906

6132E1FD mov eax,dword ptr [ebp-4]

6132E200 mov dword ptr [ebp-4],edi

6132E203 cmp eax,edi

6132E205 je 6132E20D

6132E207 mov ecx,dword ptr [eax]

6132E209 push eax

6132E20A call dword ptr [ecx+8]

6132E20D mov ecx,dword ptr [ebp+0Ch]

6132E210 lea eax,[ebp+8]

6132E213 push eax

6132E214 call 612F1C47

6132E219 mov ecx,dword ptr [ebp+8]

6132E21C test ecx,ecx

6132E21E je 6132E225


6132E225 mov al,1

6132E227 jmp 6132E24E

6132E229 cmp dword ptr [ebp+8],3Dh

6132E22D jne 6132E241

6132E22F test byte ptr [esi+64h],1

6132E233 jne 6132E241

6132E235 push dword ptr [ebp+0Ch]

6132E238 push 0

6132E23A call 612EC0C4

6132E23F jmp 6132E24E

6132E241 push dword ptr [ebp+0Ch]

6132E244 mov ecx,esi

6132E246 push dword ptr [ebp+8]

6132E249 call 6132E255

6132E24E pop edi

6132E24F pop esi

6132E250 pop ebx

6132E251 leave

6132E252 ret 8

6133AB45 mov ecx,dword ptr [ecx+14h]

6133AB48 mov eax,dword ptr [ecx]

6133AB4A jmp dword ptr [eax+24h]

6133AB4D mov ecx,dword ptr [ecx+14h]

6133AB50 mov eax,dword ptr [ecx]

->6133AB52 jmp dword ptr [eax+18h]

6133AB55 push ebp

6133AB56 mov ebp,esp

6133AB58 mov eax,dword ptr [ebp+8]

6133AB5B and dword ptr [eax+3Ch],0

6133AB5F push eax

6133AB60 call 6130E8F4

6133AB65 pop ebp

6133AB66 ret 4

6129A08F push ebp

6129A090 mov ebp,esp

6129A092 mov eax,dword ptr [ebp+8]

6129A095 test eax,eax

6129A097 je 6129A0CE

6129A099 cmp eax,29h

6129A09C jle 6129A0E4

6129A09E cmp eax,2Bh

6129A0A1 jle 6129A0CE

6129A0A3 cmp eax,40000004h

6129A0A8 je 6129A0BB

6129A0AA cmp eax,40C0000Ah

6129A0AF jne 6129A0E4

6129A0B1 push dword ptr [ebp+0Ch]

6129A0B4 mov eax,dword ptr [ecx]

6129A0B6 call dword ptr [eax+48h]

6129A0B9 jmp 6129A0C3

6129A0BB push dword ptr [ebp+0Ch]


6129A0C0 call dword ptr [eax+44h]

6129A0C3 movzx eax,al

6129A0C6 push eax

6129A0C7 call 61299A7D

6129A0CC jmp 6129A0EA

6129A0CE cmp dword ptr [ecx+8],0

6129A0D2 je 6129A0E8

6129A0D4 push dword ptr [ebp+0Ch]

6129A0D7 mov ecx,dword ptr [ecx+8]

6129A0DA mov edx,dword ptr [ecx]

6129A0DC push eax

6129A0DD call dword ptr [edx+14h]

6129A0E0 test al,al

6129A0E2 jne 6129A0E8

6129A0E4 xor al,al

6129A0E6 jmp 6129A0EA

6129A0E8 mov al,1

6129A0EA pop ebp

6129A0EB ret 8

6129A0EE mov al,byte ptr [ecx+54h]

6129A0F1 and al,1

6129A0F3 ret

6129A0F4 push 1

6129A0F6 add ecx,0FFFFFFCCh

6129A0F9 call 6133E8BD

6129A0FE ret

6129A0FF mov eax,dword ptr [ecx]

6129A101 call dword ptr [eax+0Ch]

6129A104 mov al,1

6129A106 ret

6129A107 xor eax,eax

6129A109 cmp dword ptr [ecx+8],eax

6129A10C je 6129A116

6129A10E mov ecx,dword ptr [ecx+8]

6129A111 mov eax,dword ptr [ecx]

->6129A113 jmp dword ptr [eax+4Ch]

6129A116 ret

Module: WWLIB.DLL

Module Address: 63E30000-650AA000

Description: (Microsoft Office\Office14\WWLIB.DLL)

63E446A7 push ebp

63E446A8 mov ebp,esp

63E446AA push ebx

63E446AB mov ebx,dword ptr [ebp+8]

63E446AE push esi

63E446AF mov esi,dword ptr ds:[63E310C0h]

63E446B5 push edi

63E446B6 mov edi,dword ptr [ebp+0Ch]

63E446B9 push dword ptr [edi+0F8h]

63E446BF push ebx


63E446C2 push dword ptr [edi+0FCh]

63E446C8 mov dword ptr [edi+0F8h],eax

63E446CE push ebx

63E446CF call esi

63E446D1 push dword ptr [edi+11Ch]

63E446D7 mov dword ptr [edi+0FCh],eax

63E446DD push ebx

63E446DE call esi

63E446E0 push dword ptr [edi+120h]

63E446E6 mov dword ptr [edi+11Ch],eax

63E446EC push ebx

63E446ED call esi

63E446EF push dword ptr [edi+100h]

63E446F5 mov dword ptr [edi+120h],eax

63E446FB push ebx

->63E446FC call esi

63E446FE push dword ptr [edi+108h]

63E44704 mov dword ptr [edi+100h],eax

63E4470A push ebx

->63E4470B call esi

63E4470D push dword ptr [edi+104h]

63E44713 mov dword ptr [edi+108h],eax

63E44719 push ebx

->63E4471A call esi

63E4471C push dword ptr [edi+110h]

63E44722 mov dword ptr [edi+104h],eax

63E44728 push ebx

->63E44729 call esi

63E4472B push dword ptr [edi+114h]

63E44731 mov dword ptr [edi+110h],eax

63E44737 push ebx

->63E44738 call esi

63E4473A push dword ptr [edi+10Ch]

63E44740 mov dword ptr [edi+114h],eax

63E44746 push ebx

->63E44747 call esi

63E44749 push dword ptr [edi+130h]

63E4474F mov dword ptr [edi+10Ch],eax

63E44755 xor eax,eax

63E44757 cmp dword ptr [edi+108h],0FFFFFFh

63E44761 push ebx

63E44762 sete al

63E44765 xor eax,dword ptr [edi]

63E44767 and eax,1

63E4476A xor dword ptr [edi],eax

63E4476C call esi

63E4476E push dword ptr [edi+134h]

63E44774 mov dword ptr [edi+130h],eax

63E4477A push ebx

63E4477B call esi

63E4477D push dword ptr [edi+124h]

63E44783 mov dword ptr [edi+134h],eax

63E44789 push ebx


63E4478C push dword ptr [edi+128h]

63E44792 mov dword ptr [edi+124h],eax

63E44798 push ebx

63E44799 call esi

63E4479B push dword ptr [edi+12Ch]

63E447A1 mov dword ptr [edi+128h],eax

63E447A7 push ebx

->63E447A8 call esi

63E447AA mov dword ptr [edi+12Ch],eax

63E447B0 add edi,144h

63E447B6 push dword ptr [edi]

63E447B8 push ebx

->63E447B9 call esi

63E447BB mov dword ptr [edi],eax

63E447BD pop edi

63E447BE pop esi

63E447BF pop ebx

63E447C0 pop ebp

63E447C1 ret 8

Module: combase.dll

Module Address: 77590000-776DE000

Description: Microsoft COM for Windows

'vector destructor iterator':

775B771A mov edi,edi

775B771C push ebp

775B771D mov ebp,esp

775B771F push ebx

775B7720 push esi

775B7721 mov ebx,edx

775B7723 push edi

775B7724 mov edi,dword ptr [ebp+8]

775B7727 mov esi,ebx

775B7729 imul esi,edi

775B772C add esi,ecx

775B772E dec edi

775B772F js 'vector destructor iterator'+20h (775B773Ah)

775B7731 sub esi,ebx

775B7733 mov ecx,esi

->775B7735 call dword ptr [ebp+0Ch]

775B7738 jmp 'vector destructor iterator'+1Dh (775B772Eh)

775B773A pop edi

775B773B pop esi

775B773C pop ebx

775B773D pop ebp


References

[1] “The Constitution of the United States,” retrieved October 2013 from http://www.constitution.org/cons/constitution.doc.

[2] M. Pietrek, “Inside Windows—An in-depth look into the Win32 Portable Executable file format, part 2,” MSDN Magazine, pp. 87–100, 2002.

[3] “Info: Using declspec(dllimport) & declspec(dllexport) in code,” retrieved October 2013 from http://support.microsoft.com/kb/132044.
