
Ruhr-University Bochum, Germany

Department of Electrical Engineering and Information Sciences


Chair for Network and Data Security
Automatic Identification of Cryptographic Primitives in Software
Diploma Thesis of Felix Gröbert
First Examiner: Prof. Dr. Jörg Schwenk (Ruhr-University Bochum)
Second Examiner: Prof. Dr. Felix C. Freiling (University of Mannheim)
Supervisors: Dr. Thorsten Holz (Vienna University of Technology) and
Dipl. Inform. Carsten Willems (University of Mannheim)
February 7, 2010
Declaration
I hereby declare that the work presented in this thesis is my own work and that to the best of my knowledge it is original, except where indicated by references to other authors.
I hereby affirm that I wrote my diploma thesis independently and used no sources or aids other than those stated, and that I have marked quotations as such.
This work is © 2009 Felix Gröbert <felix@groebert.org> and licensed under the Creative Commons Attribution-No Derivative Works 3.0 Germany license. Refer to http://creativecommons.org/licenses/by-nd/3.0/de/ to view a copy of the full license.
Bochum, February 7, 2010
Felix Gröbert
Contents
Contents
List of Figures
List of Tables
List of Code Listings
List of Algorithms
Acknowledgements
Abstract
1. Introduction
1.1. Motivation
1.2. Thesis
1.3. Assumptions and Limitations
1.4. Contributions of this Work
1.5. Outline
2. Related Work
2.1. Static Approaches
2.2. Finding Keys in Binary Data
2.3. Dynamic Approaches
2.4. Frameworks for Execution Tracing
2.4.1. Overview
2.4.2. Virtualization and Emulation
2.4.3. Dynamic Binary Instrumentation
2.4.4. Pin-focused Work
2.5. Summary
3. Prerequisites
3.1. Cryptographic Algorithms
3.1.1. Algorithmic Definition
3.1.2. Implemented Code
3.1.3. Compiled Code
3.1.4. Algorithmic Composition
3.2. Execution Tracing
3.2.1. Data Reduction
3.2.2. Required Data
3.3. Basic Block Detection
3.4. Loop Detection
3.5. Control Flow Graph Generation
3.6. Memory Reconstruction
3.7. Summary
4. Observations and Methods
4.1. Reducing of Code Search Space
4.2. Type of Identification
4.2.1. Signature-based Identification
4.2.2. Generic Identification
4.3. Observations
4.4. Identification Methods
4.4.1. Signature-based
4.4.2. Generic Bitwise Arithmetic-based
4.4.3. Generic Loop-based
4.4.4. Generic Memory-based
4.5. Summary
5. System Implementation
5.1. Overview
5.2. Tracing
5.3. Analysis
5.3.1. Architecture
5.3.2. Process
5.4. Summary
6. Experimental Evaluation
6.1. Evaluation Environment
6.2. Testing Applications
6.2.1. Published Methods
6.2.2. Signature-based Methods
6.2.3. Generic Methods
6.3. Off-the-Shelf Application
6.4. Modified Application
6.5. Summary
7. Conclusions
7.1. Evaluation Performance
7.2. Further Work
7.3. Conclusion
Bibliography
A. Digital Attachments
B. Static Tools
List of Figures
1.1. Auguste Kerckhoffs 1835–1903
2.1. Cipher-block chaining mode
3.1. Control flow graph generated for the XOR application
3.2. Sliding window over candidate keys
4.1. OpenSSL implementation of DES
4.2. Beecrypt, Cryptopp, and OpenSSL implementations of MD5
4.3. Composition of sequence sets
4.4. Composition of (mnemonic, constant)-tuple datasets
4.5. Three-dimensional view of the loop differ
4.6. Verification of the algorithmic relation
5.1. Overview of the stages
5.2. Displaying an overview of implementation stage 1
5.3. Displaying an overview of implementation stage 2
5.4. Initialization of objects
6.1. Analysis and trace time/size costs, logarithmic scaled
6.2. Cumulative entropy for all testing applications
6.3. Memory constant identification method for all testing applications
6.4. Results of the signature matching using (mnemonic, constant)-tuples
6.5. Results of the implementation signatures
6.6. Results of the unique signatures
6.7. The core XOR encryption packed with ASPack
List of Tables
2.1. Publicly available static tools
2.2. Detection performance among the static tools
2.3. False-positives among the static tools
2.4. Matches of the static tools for whole cryptographic libraries
2.5. Distinguishing between decryption and other routines by Wang et al.
3.1. Pseudo trace for example in Listing 3.1
3.2. Detected loops for the XOR test application
3.3. Shows an example for the memory block search algorithm
6.1. Overview of testing applications
6.2. Parameter size of testing applications
6.3. Analysis and trace time/size costs
6.4. Analysis performance for the published methods
6.5. Analysis performance for the signature-based identification methods
6.6. Analysis performance for the generic identification methods
6.7. Analysis performance for the Curl trace
List of Code Listings
3.1. Sample loop code
4.1. API signatures
4.2. Loop differ check for XOR relations
4.3. Entropy calculation for the loop differ
4.4. Entropy check of the loop differ
4.5. Sample output of the XOR check
5.1. Running the Pintool
5.2. Example of the trace file
5.3. Running the analysis tool
5.4. Sample output of the analysis tool
5.5. Sample experimentation session using the analysis console
6.1. Intersecting constants of the implementations
6.2. Excerpt of found counters
6.3. Command line options for tracing Curl
6.4. Decrypted HTTPS client request
6.5. Detected function symbols in Curl
6.6. Sample output for the XOR check
List of Algorithms
3.1. Basic block detection
3.2. Loop detection
3.3. Control flow graph generation
3.4. Memory reconstruction
3.5. Recursive memory block search
4.1. Comparison of (mnemonic, constant)-tuple signatures
4.2. Wang et al. cumulative bitwise percentage method
Acknowledgements
First, I would like to thank Jörg Schwenk and Felix Freiling for giving me the opportunity to write this thesis. I also would like to thank Carsten Willems and Thorsten Holz for their endless support during endless conference calls. Without their knowledge this work would not have been possible.
Special thanks go to my parents and my girlfriend, who supported my studies and always believed in me. Finally, I would like to thank my fellow students for our fruitful discussions.
Abstract
In this thesis we research and implement methods to detect cryptographic algorithms and their parameters in software. Based on our observations on cryptographic code, we point out several inherent characteristics to design signature-based and generic identification methods. Using dynamic binary instrumentation, we record instructions of a program during runtime and create a fine-grained trace. We implement a trace analysis tool, which also provides methods to reconstruct high-level information from a trace, for example control flow graphs or loops, to detect cryptographic algorithms and their parameters. Using the results of this work, encrypted data, sent by a program for example, may be decrypted and used by an analyst to gain further insight on the behavior of the analyzed binary executable.
This thesis researches and implements methods for detecting cryptographic algorithms and their parameters in software. The inherent characteristics observed while examining cryptographic programs serve as the basis for developing various signature-based and generic identification methods. Using dynamic binary instrumentation, the instructions of a program are first recorded during runtime and a fine-grained trace is created. The identification methods are then applied to the trace by an analysis tool, which also reconstructs structures such as control flow graphs or loops, in order to detect the executed cryptographic algorithms. The results of this work make it easier for a software analyst to automatically decrypt encrypted data, sent by a program for example, in order to gain further insight into the behavior of the program.
Keywords: Code Analysis, Dynamic Binary Analysis, Instrumentation, Code Heuristics, Code Signatures, Applied Cryptography
Bibtex:
@mastersthesis{groebert2010,
  Author = {Felix Gr{\"o}bert},
  Title = {{Automatic Identification of Cryptographic Primitives in Software}},
  School = {Ruhr-University Bochum, Germany},
  Type = {Diplomarbeit},
  Year = {2010}}
Chapter 1.
Introduction
In this chapter we first motivate the thesis objective from a historical perspective. We formulate a thesis and assumptions to further define the primary objective and conclude with the core contributions of the work. In the last section we describe the structure of the document.
1.1. Motivation
In 1883 the Dutch cryptographer Auguste Kerckhoffs wrote the article La cryptographie militaire [39] and proposed a core principle of modern cryptography:
"A cryptosystem should be secure even if everything about the system, except the key, is public knowledge."
For an encryption scheme, it means that the algorithm should be known to the adversary without yielding an advantage. This threat scenario is the common base of civilian cryptanalysis. Using peer-review, researchers evaluate the security of algorithms. Following Kerckhoffs' principle, researchers are not only able to determine weaknesses of algorithms, but also can rule out that an algorithm contains backdoors.
Since the 1970s, we have seen a constant development of cryptographic primitives like symmetric block and stream ciphers, asymmetric encryption schemes, and hash algorithms. While cryptographic primitives are used to fulfill the need for confidentiality, integrity, and authentication, they are also composed into more complex structures, i.e., cryptographic protocols, implemented in nearly all modern software products. To verify the correct composition of primitives, one has to determine the protocol design and its implementation.
Figure 1.1.: Auguste Kerckhoffs 1835–1903
In the 1940s Claude Shannon rephrased Kerckhoffs' principle to:
"The enemy knows the system."
As the system encompasses the design and the implementation, we can see that the security relies on both parts: a correct design and a correct implementation. This applies to primitives and protocols, but is also analogous to the security of software: When security requirements of software in a networked world grew, Eric S. Raymond extended [64] Kerckhoffs' principle in 2004:
"Any security software design that doesn't assume the enemy possesses the source code is already untrustworthy."
With the improvements in reverse code engineering, i.e., the technique to uncover software functionality in binaries, we can broaden Raymond's principle to:
"Any security software design that doesn't assume the enemy is able to reverse engineer the source code is already untrustworthy."
As stated above, most security design goals heavily rely on cryptographic protocols, which are built from cryptographic primitives. Thus, for a successful assessment of the design goals, the analyst must determine which cryptographic primitives are used, where they are implemented in code, how they are concatenated, what their parameters are, and when they are used. If software can be subjected to dynamic analysis, the primitives to achieve a security goal can be executed in a monitored manner. In this case, we deduce that the automatic detection of cryptographic primitives is beneficial to uncover a security design and to verify the correctness of the implementation.
This analysis can be applied to off-the-shelf software and also to malicious software (malware). For example, modern malware has to evade detection in order to circumvent its analysis, blocking, or removal. Therefore, cryptographic algorithms have been employed in malware, which establish encrypted communication, asymmetrically encrypt and hold local files for ransom, encrypt registry keys, or authenticate command-and-control servers.
In the recent past, there have been the following examples of cryptography in real-world malware:
• Oscar Vermaas and Daan de Graaf from the High Tech Crime Unit of the Dutch Police showed that the ShadowBot malware uses its own implementation of MD5 [79]. For obfuscation, XOR is used with a static key of 8 bit.
• Tillmann Werner and Felix Leder from the University of Bonn analyzed the Conficker malware and found usage of the OpenSSL implementation of SHA1 and a reference implementation of MD6, which was later patched in a malware update to fix a buffer overflow in the MD6 reference implementation [44]. Furthermore, the malware authors use RSA with 1024 bits for signature verification [60], in newer versions with 4096 bits.
• Werner and Leder also analyzed the Waledac malware [83]. Of the 4000 functions in Waledac, 1000 are from OpenSSL. AES in CBC mode with an IV of zero is used. The self-signed RSA client certificates are used in a key exchange protocol. Unfortunately, for the malware authors, the protocol is vulnerable to a man-in-the-middle attack and the key chosen by the server is not random but static. For obfuscation of executables embedded inside a JPEG, a XOR with the key 0xED is used.
• Andreas Greulich, of Switzerland's MELANI center, analyzed Mebroot, Torpig, and Sinowal [29]. Besides BASE64 XOR for obfuscation, the malware uses its self-designed 58-round Feistel network for symmetric encryption with an effective key size of 32 bits. Furthermore, a hashing algorithm based on the encryption algorithm and using constants from SHA1 is used.
• Wang et al. [82] analyzed a sample of the Agobot malware, which uses SSL to establish an IRC connection to a pre-specified server.
• In their technical report, Caballero et al. [12] show that the MegaD malware, which communicates with a custom protocol over TCP port 443, uses encryption to evade network-level analysis.
• Stewart analyzed the algorithms used by the Storm Worm malware [76]. The P2P and Fast-Flux communicating malware uses static XOR for subnode authentication and an RSA key with 56 bits [34].
• The Nugache malware uses a variable-length RSA key exchange to seed 256-bit AES session keys [21]. The botnet controller's commands are passed to the MD5 hashing algorithm and the resulting hash sum is signed with a 4096-bit RSA public/private key pair. Attached to each command is also a nonce to mitigate multiple executions of the same command as it traverses the custom P2P network. This also prevents any replay or modification of commands. To gain further robustness the P2P C&C protocol establishes a network topology with minimum neuralgic points.
In reaction to these cryptovirology [89] attempts, a malware analyst has to manually identify the cryptographic algorithms and their usage to decipher the malicious actions. If this task can be automated, a faster analysis of malware would be possible, thus enabling security teams to respond quickly to emerging Internet threats and protect vulnerable assets.
1.2. Thesis
Our thesis is as follows:
"Given a program executing cryptographic primitives there exists a heuristic algorithm to identify the type of cryptographic primitives. If a standardized cryptographic primitive with its input and output is present in an execution trace, an algorithm exists to identify and verify the instance of the primitive including its parameters."
The purpose of this work is to investigate the above thesis and attempt to discover and implement a satisfying technique to solve the problem. Due to the sheer number of ways a cryptographic primitive can be executed, it is necessary to limit our research to several assumptions and a subset of algorithms.
1.3. Assumptions and Limitations
Although a working implementation can be very well suited to analyze malware, the technique is first developed for regular software. This regular software is a selection of small applications, which each use a single cryptographic primitive, also called cryptographic algorithm or just algorithm, from an open-source implementation. For an overview of the testing applications refer to Table 6.1.
Since the modes of operation¹ do not directly modify the cipher, but rather its in- and output, we do not identify the mode because it is part of the algorithmic composition. Nevertheless, given an analyst has a set of used cipher instances with their parameters, it is possible to determine the mode of operation by comparing input, keys, and output of each instance manually. Similar to the modes of operation, we also do not identify plaintext encodings, padding, or compression, because they are dependent on the higher cryptographic composition.
In Table 6.1, we also list the XOR algorithm as a cryptographic primitive and as a testing application. Hereby we mean the encryption using bitwise exclusive disjunction. XOR is often used to obfuscate a binary or to encrypt data before it is sent over the network and is not a real protection mechanism. Given a XOR-key is only used once, the algorithm is also known as a One-Time-Pad.
The system's implementation is developed on Microsoft Windows XP SP3 32bit and is thus focused on the Intel Architecture. Although an intermediate language can be well suited for heuristic identification, this is out of the scope of this work. Also, we do not analyze cryptographic code executed by code interpreters, e.g., Python or Perl. We rather focus on compiled C/C++ code, because we analyze on a fine-grained instruction-level scope, where the actual instructions would be distorted by code interpreter instructions.
We do not consider code-protection, obfuscation, and encryption, although the techniques are widely deployed among malware. The focus of this work is general software and coping with anti-analysis techniques is left to the tracing framework. Nevertheless, we evaluate our implementation against a packer in Chapter 6.
¹ The modes of operation, e.g., ECB, CBC, etc., define how multiple cipher inputs and outputs are chained together, because large files require multiple cipher operations. The mode of operation circumvents the deterministic characteristic of block ciphers: otherwise it may enable an attacker to identify identical encrypted blocks inside a file.
Furthermore, we assume that software which is subjected to the analysis of our system does not utilize evasion methods specifically targeted against our identification techniques. Thus, we assume that the traced executable actually runs the cryptographic code. We also assume that the cryptographic code needs a finite amount of instructions, because we buffer instructions and the FIFO queue is bound to the amount of system memory. The default FIFO size and other computational requirements are shown in Chapter 6. We consider runtime speed of the implementation as a minor design objective.
1.4. Contributions of this Work
The thesis makes the following primary contributions:
• We summarize existing, and describe novel, identification techniques for cryptographic primitives in software that help reduce the time for a software analyst to determine the underlying security design. We also point out the inherent characteristics of cryptographic code.
• We have implemented a system that allows the automatic application of our technique by utilizing a dynamic binary instrumentation framework to generate an execution trace. The system then conducts the cryptographic identification on the trace and summarizes the results of the different identification methods.
• We present an evaluation where our system was used to uncover cryptographic primitives and their usage in testing, off-the-shelf, and packed applications.
1.5. Outline
In Chapter 2, we give an overview of related work in the field of cryptographic code detection and software tracing frameworks. In Chapter 3 we describe a code analysis terminology and the utilized software analysis algorithms. The identification methods and the observation on which they are based are presented in Chapter 4 and their implementation in Chapter 5. We evaluate our implementation in Chapter 6 and draw the conclusions from the implementation and its evaluation in the last chapter, Chapter 7.
Chapter 2.
Related Work
There have been approaches to ease the finding of cryptographic primitives inside software binaries. They can be distinguished between static and dynamic methods. Static tools analyze the binary stream of the given software without executing it. Dynamic tools run the software and analyze the stream of executed instructions and data accesses.
2.1. Static Approaches
All static tools in Table 2.1 use signatures to determine whether a particular, compiled implementation of a cryptographic primitive is present in a software binary. A signature can match an x86 assembly code snippet, magic constants of the algorithm, s-box structures, or the string for an import of a cryptographic function call. If a signature is found, the tools print the name of the primitive, e.g., DES, and optionally the implementation, e.g., OpenSSL. Refer to Appendix B for download URLs and SHA1 sums of the tools.
| Name | Author(s) | Platform | Version |
|---|---|---|---|
| Krypto Analyzer (KANAL) | Several | PEiD | 2.92 |
| Findcrypt plugin | Ilfak Guilfanov | IDA Pro | 2 |
| SnD Crypto Scanner | Loki | OllyDBG | 0.5b |
| Crypto Searcher | x3chun | standalone | 2004.05.19 |
| Hash & Crypto Detector (HCD) | Mr Paradox, AT4RE | standalone | 1.1 |
| DRACA | Ilya O. Levin | standalone | 0.5.7b |

Table 2.1.: Publicly available static tools
The tools mainly differ in the amount and quality of signatures and the supported platform, e.g., PEiD, OllyDBG, IDA Pro, or standalone. Some tools offer the functionality to display the compiler of the binary [30], e.g., Visual C compiler version 8, and contain signatures for compression functions, e.g., zlib, and encoding functions, e.g., base64. One tool contains a specific signature for cryptographic libraries and thereby can differentiate between the use of OpenSSL DES or Delphi's DES implementation. Since the tools statically analyze the binary stream, the binary must first be unpacked, deobfuscated and unprotected if necessary. Furthermore, if the cryptographic code is dynamically loaded, the analysis will only be successful if the memory of the process containing the loaded cryptographic code is dumped. In contrast, our approach of dynamically analyzing program execution enables us to skip deobfuscation and handle dynamically created code.
We evaluated the six publicly available tools using the set of target testing applications presented in Section 6.2. Our aim was to discover whether the actually used primitive is displayed by the analysis tool. None of the tools was able to identify the Beecrypt testing applications, because they were dynamically linked, or the XOR testing application, because no XOR signatures exist.
In Table 2.2 we summarize the performance of the tools on the x-axis and the test applications on the y-axis. A "+" sign denotes that the tool has found the application's algorithm. A "-" sign denotes that the tool has not found the specific algorithm. The numbers in Table 2.3 denote the count of false-positives. For example if a tool detects DES, SHA1, SHA256, and SHA512 for a DES application, the notation would be 3, otherwise if a tool detects SHA1 and SHA512 for a DES application, the notation would be 2. We can make the following observations:
• Every tool is able to detect MD5 with false-positives ≤ 1.
• None of the tools is able to detect RSA or XOR.
• RC4 is only detected once.
To enumerate the amount of signatures and algorithms we applied the static tools to whole cryptographic libraries. The results in Table 2.4 show that KANAL contains a large set of signatures optimized for OpenSSL. Note that DRACA summarizes and displays several signatures for one algorithm as one single match.
This short review shows the effectiveness and limitations of signature-based static search. Since static analysis is based on the static disassembly of the binary executable, we do not know whether any, or which, of the available algorithms are actually used during runtime.
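The behaviour of constant signatures described in this section, including a false positive and the need to unpack first, can be reproduced in a few lines. The following is an added example, not code from the thesis or from any of the listed tools; the three-entry signature set, the sample byte strings, and the single-byte XOR that stands in for a packer are constructed for illustration.

```python
import struct

# Publicly documented algorithm constants. The signature labels and this
# three-entry database are assumptions of the example, not any tool's data.
MD5_INIT = struct.pack("<4I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
SHA1_INIT = MD5_INIT + struct.pack("<I", 0xC3D2E1F0)  # SHA1 reuses MD5's four words
AES_SBOX_HEAD = bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")

SIGNATURES = {
    "MD5": MD5_INIT,
    "SHA1": SHA1_INIT,
    "AES": AES_SBOX_HEAD,
}


def scan(blob):
    """Return {primitive: [offsets]} for every signature found in blob."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offsets, pos = [], blob.find(pattern)
        while pos != -1:
            offsets.append(pos)
            pos = blob.find(pattern, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits


def false_positives(blob, actual):
    """Primitives reported for blob other than the one it really contains."""
    return sorted(name for name in scan(blob) if name != actual)


def xor_encode(blob, key):
    """Single-byte XOR, standing in here for a packer or obfuscator."""
    return bytes(b ^ key for b in blob)


# Constructed sample "binaries": filler bytes around a constant table that is
# assumed to be stored contiguously as little-endian data.
PAD = b"\x90" * 32
SHA1_BINARY = PAD + SHA1_INIT + PAD
AES_BINARY = PAD + AES_SBOX_HEAD + PAD
PACKED_AES_BINARY = xor_encode(AES_BINARY, 0x5A)  # key is a constructed value

if __name__ == "__main__":
    # A SHA1-only sample also matches the MD5 signature: one false positive.
    print("SHA1 sample:", scan(SHA1_BINARY),
          "false positives:", false_positives(SHA1_BINARY, "SHA1"))
    # The encoded sample yields no match until it is decoded ("unpacked").
    print("packed AES sample:", scan(PACKED_AES_BINARY))
    print("after decoding:", scan(xor_encode(PACKED_AES_BINARY, 0x5A)))
```

The scan reports which constants are present in the bytes, not which code runs, which is the limitation the review above ends on.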
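| Testing application | KANAL | Findcrypt | SnD | x3chun | HCD | DRACA |
|---|---|---|---|---|---|---|
| Gladman AES | + | - | + | - | + | - |
| Cryptopp AES | + | - | + | + | + | - |
| OpenSSL AES | + | + | + | + | - | - |
| Cryptopp DES | + | + | + | + | - | + |
| OpenSSL DES | + | - | + | + | - | - |
| Cryptopp RC4 | - | - | + | - | - | - |
| OpenSSL RC4 | - | - | - | - | - | - |
| Cryptopp MD5 | + | + | + | + | + | + |
| OpenSSL MD5 | + | + | + | + | + | + |
| OpenSSL RSA | - | - | - | - | - | - |
| Cryptopp RSA | - | - | - | - | - | - |
| XOR | - | - | - | - | - | - |

Table 2.2.: Detection performance among the static tools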
KANAL Findcrypt SnD x3chun HCD DRACA
Gladman AES
Cryptopp AES 2 2 2 1
OpenSSL AES 6 3 1 3 6 1
Cryptopp DES 3 2 3 2 1
OpenSSL DES
Cryptopp RC4 3
OpenSSL RC4
Cryptopp MD5 1 1 1
OpenSSL MD5 1 1
OpenSSL RSA
Cryptopp RSA 4 3 3 4 1
XOR
Table 2.3.: False-positives among the static tools
| Library | KANAL | Findcrypt | SnD | x3chun | HCD | DRACA |
|---|---|---|---|---|---|---|
| beecrypt.dll | 11 | 18 | 7 | 5 | 7 | 4 |
| libeay.dll | 126 | 14 | 17 | 13 | 20 | 7 |

Table 2.4.: Matches of the static tools for whole cryptographic libraries
2.2. Finding Keys in Binary Data
Shamir and Van Someren [73] propose a method to efficiently locate RSA and arbitrary keys inside a bit string. Their algebraic method to find RSA private keys requires that the attacker possesses the corresponding public key and a ciphertext. This scenario does not apply to our preconditions. To find arbitrary keys the authors exploit the observation that keys have a higher entropy density than patterned data. The proposed methods were refined and implemented by Janssens [35] and Janssens et al. [36]. Similar work based on searching for ASN and DER encodings has been published by Klein [40].
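The entropy observation can be illustrated with a sliding window over a memory image. This is an added example, not the algorithm of Shamir and Van Someren or of any cited implementation; the window size, the threshold, and the constructed image (a low-entropy record pattern around a 64-byte pseudo-random key) are assumptions.

```python
import hashlib
import math
from collections import Counter


def window_entropy(window):
    """Shannon entropy of a byte string in bits per byte."""
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())


def entropy_profile(data, window=64):
    """Entropy of every window-sized slice, indexed by its start offset."""
    return [window_entropy(data[i:i + window])
            for i in range(len(data) - window + 1)]


def candidate_regions(data, window=64, threshold=5.0):
    """Merge overlapping high-entropy windows into (start, end) byte ranges.

    A 64-byte window can reach at most log2(64) = 6 bits, so the threshold
    of 5.0 is a value chosen for this example, not a published one.
    """
    regions = []
    for offset, h in enumerate(entropy_profile(data, window)):
        if h < threshold:
            continue
        if regions and offset <= regions[-1][1]:
            regions[-1][1] = offset + window      # extend the current region
        else:
            regions.append([offset, offset + window])
    return [tuple(r) for r in regions]


def best_window(data, window=64):
    """Return (offset, entropy) of the single highest-entropy window."""
    profile = entropy_profile(data, window)
    offset = max(range(len(profile)), key=profile.__getitem__)
    return offset, profile[offset]


# Constructed memory image: patterned records with key material in between.
RECORD = b"\x00\x00\x00\x01DATA"                  # 8-byte low-entropy record
KEY = (hashlib.sha256(b"constructed key part 1").digest()
       + hashlib.sha256(b"constructed key part 2").digest())
KEY_OFFSET = len(RECORD) * 40
IMAGE = RECORD * 40 + KEY + RECORD * 40

if __name__ == "__main__":
    print("entropy of patterned data:", round(window_entropy(RECORD * 8), 3))
    print("candidate key regions:", candidate_regions(IMAGE))
    print("key really at:", (KEY_OFFSET, KEY_OFFSET + len(KEY)))
    print("best window:", best_window(IMAGE))
```

The candidate region is wider than the key because windows that only partly overlap it still exceed the threshold; a verification step against a reference implementation would narrow it down.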
For forensic investigation Halderman et al. [32] propose a strategic search for relations between key scheduling stages, because the key representation changes during the algorithm in a predefined manner. Maartmann-Moe et al. [50] summarize the research in this field and provide an open-source implementation to find RSA, AES, Serpent, and Twofish keys. In [33], the authors show that only 27 % of random private key bits are sufficient to recover the private exponent. The approach goes along the lines of our method to search for parameters in memory. However, we need to note that this approach is only possible if we search for publicly known algorithms, which are verifiable with a reference implementation.
A somewhat related approach by Stevens [75] targets any file, not only executable files. His open-source software can be used to find encoded shellcode in a PDF file for example. It finds XOR, ROL, and ROT keys in the file and searches whether a possible payload has been encoded using this key. A similar approach is OfficeMalScanner by Boldewin [9].
2.3. Dynamic Approaches
The first paper, to our knowledge, which addresses the problem of revealing the
cryptographic algorithms in a program during runtime is by Wang et al. [82]. The authors
refer to the task of automatic protocol reverse engineering [47, 11, 86] and motivate the
need for automatic decryption of network messages, because the methods for protocol
reversing are only suitable for plaintext messages. In order to receive the plaintext
analogue for an encrypted protocol message, they use two main observations:
1. A received message will go through two processing phases: decryption and normal
   protocol processing.
2. The instructions used for message decryption are significantly different from
   the normal protocol processing phase, as shown by Table 2.5. During personal
   correspondence with the authors, we learnt that the table only contains
   instructions which modify tainted data. Therefore the table's fields do not consider
   mov or call instructions.
Routine         Total Instructions   Bitwise Arithmetic Instructions   Message Bytes
DES                          69112                            99.72%              2K
CAST                         21225                            89.13%              2K
RC4                           3042                            89.05%              2K
AES                           8475                            81.32%              2K
HTTP request                  3227                            13.29%             107
FTP port                      5898                             7.14%              28
DNS response                  1687                            13.22%              46
RPC bind                      2342                             7.94%             164
JPEG                         12898                             8.62%            3224
BMP                            956                            23.95%            3126
Table 2.5.: Distinguishing between decryption and other routines by Wang et al.
The authors utilize data lifetime analysis, including data tainting, and dynamic binary
instrumentation to determine the turning point between ciphertext and plaintext,
i.e., message decryption and message processing phase. Then, their Valgrind-based [54]
tool is able to pinpoint the memory locations that contain the decrypted
message. Thus, previous methods for protocol reversing can be naturally applied to
the plaintext message.
Wang et al. underline their work with an evaluation of their implementation against
four standard protocols, HTTPS, IRC, MIME, and an unknown one used by the Agobot [1]
malware. In their tests, they are able to decipher all encrypted messages using
their implementation.
We can draw a core observation from the paper and Table 2.5:
    The percentages of arithmetic and bitwise instructions on tainted data in
    typical implementations of decryption algorithms differ vastly from normal
    instructions.
As a follow-up paper, Caballero et al. [12], [13] refined the methods of Wang et al. [82].
For the protocol reverse engineering of the MegaD malware, the authors first tried to
adapt the methods from Wang et al., but ran into the problem that the MegaD malware
does not use a single turning point between decryption and message processing.
MegaD rather decrypts a block from a message, processes it, and continues with the
next block.
Wang et al. use a cumulative percentage of bitwise arithmetic instructions and observe
the bitwiseness of leaf routines (see footnote 1) to determine the turning point between
encrypted and decrypted data. However, Caballero et al. use a different method to identify
instances of encryption routines and parameters. They still rely on the intuition that
the encryption routines use a high percentage of bitwise arithmetic instructions, but
remove the cumulative metric, the tainting, and the concept of leaf routines.
For each instance of a function executed by their Dispatcher tool, they compute the
ratio of bitwise arithmetic instructions. If the function is executed at least 20 times
and the ratio is higher than 55%, the function is flagged as an encryption/decryption
function. For their implementation and the MegaD malware, this method reveals all
relevant cryptographic routines. To identify the parameters of the routine, for example
the unencrypted data before it gets encrypted, the authors evaluate the read set of
the flagged function. To distinguish the plaintext from the key and other data used by
the encryption function, they compare the read set to the read sets of other instances
of the same function. As only the plaintext varies, the authors are able to identify the
plaintext data.
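A sketch of this heuristic as an added example (not Dispatcher's code): it flags functions by their bitwise arithmetic ratio and then splits a flagged function's read set into varying and constant addresses. The mnemonic set, the record layout, the sample data, and the reading of the two thresholds (at least 20 recorded instances, every instance above 55%) are assumptions.

```python
from collections import defaultdict

# Assumed mnemonic set: x86 bitwise and integer arithmetic instructions.
# Data movement, comparisons and control flow (mov, cmp, test, call, jcc) do not count.
BITWISE_ARITH = {
    "xor", "and", "or", "not", "neg", "shl", "shr", "sar", "rol", "ror",
    "add", "adc", "sub", "sbb", "mul", "imul", "inc", "dec",
}
MIN_EXECUTIONS = 20   # "executed at least 20 times"
MIN_RATIO = 0.55      # "ratio is higher than 55%"


def bitwise_ratio(mnemonics):
    """Fraction of bitwise/arithmetic instructions in one function instance."""
    if not mnemonics:
        return 0.0
    return sum(m in BITWISE_ARITH for m in mnemonics) / len(mnemonics)


def flag_crypto_functions(instances):
    """Return the names of functions that pass both thresholds."""
    ratios = defaultdict(list)
    for inst in instances:
        ratios[inst["func"]].append(bitwise_ratio(inst["mnemonics"]))
    return sorted(
        func for func, values in ratios.items()
        if len(values) >= MIN_EXECUTIONS and min(values) > MIN_RATIO
    )


def split_read_set(instances, func):
    """Compare the read sets of all instances of func.

    Addresses whose value changes between instances are plaintext candidates;
    addresses that always hold the same value are key or table candidates.
    """
    reads = [inst["reads"] for inst in instances if inst["func"] == func]
    if not reads:
        return [], []
    common = set(reads[0]).intersection(*(set(r) for r in reads[1:]))
    varying = sorted(a for a in common if len({r[a] for r in reads}) > 1)
    constant = sorted(a for a in common if a not in varying)
    return varying, constant


def constructed_instances():
    """Constructed sample records: one dict per executed function instance."""
    crypto = ["mov", "xor", "rol", "add", "xor", "and", "mov", "shr", "xor", "ret"]
    parser = ["mov", "cmp", "jne", "mov", "call", "add", "mov", "test", "jz", "ret"]
    out = []
    for n in range(24):   # called often, 70% bitwise arithmetic
        reads = {0x500000 + k: 0xA0 + k for k in range(4)}                    # constant
        reads.update({0x600000 + k: (17 * n + k) & 0xFF for k in range(4)})   # varies
        out.append({"func": "sub_401000", "mnemonics": crypto, "reads": reads})
    for n in range(30):   # called often, but only 10% bitwise arithmetic
        out.append({"func": "parse_header", "mnemonics": parser,
                    "reads": {0x700000: n & 0xFF}})
    for n in range(3):    # high ratio, but executed only three times
        out.append({"func": "sub_402000", "mnemonics": crypto,
                    "reads": {0x800000: n}})
    return out


if __name__ == "__main__":
    data = constructed_instances()
    for name in flag_crypto_functions(data):
        varying, constant = split_read_set(data, name)
        print(name, [hex(a) for a in varying], [hex(a) for a in constant])
```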
Caballero et al. also cite Lutz [49] on the intuition that cryptographic routines use a
high ratio of bitwise arithmetic instructions. For his master thesis, Noé Lutz developed
a tool to automatically reveal encrypted messages and demonstrated its effectiveness
against the Kraken malware. Lutz bases his Wine/Valgrind-based tool on three
observations: first, loops are a core component of cryptographic algorithms. Second,
cryptographic algorithms heavily use integer arithmetic, and third, the decryption process
decreases information entropy of tainted memory. A core method of the tool is to use
taint-tracking and determine whether a buffer has been decrypted by measuring its
entropy.
The main problem of relying on the entropy as a measure for the decryption process is
the possibility of false positives depending on the mode of operation. If we consider,
for example, the cipher-block chaining mode in Figure 2.1, we can note that the input
to the encryption algorithm is the latest ciphertext xored with the current plaintext.
Thus, the input to the algorithm will have a similar entropy as its output, because
the xor operation composing the input will incorporate pseudo-random data from
the latest output of the cipher. Therefore, the output's entropy propagates to the next
input and a difference in entropy is not measurable.
Footnote 1: A leaf routine contains contiguous instructions belonging to the same routine.
Thus, if a parent routine calls a child routine and there is no routine called in the child
routine, we will have three leaf routines: the instructions of the parent routine before the
call, the child routine, and the instructions of the parent routine after the child routine
returned.
[Figure 2.1 diagram labels: Initialization Vector, Plaintext, Key, Block Cipher Encryption, Ciphertext]
Figure 2.1.: Cipher-block chaining mode
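The entropy argument above can be reproduced with a short Python script, added here as an illustration and not taken from the thesis or from Lutz's tool: it runs CBC over a low-entropy plaintext and measures the byte entropy of what actually enters and leaves the block cipher. The block cipher is a toy SHA-256-based Feistel construction standing in for a real cipher; key, IV, and plaintext are constructed.

```python
import hashlib
import math
from collections import Counter

BLOCK = 8                      # 64-bit blocks, as in DES
KEY = b"constructed-key!"      # constructed sample key
IV = bytes(range(BLOCK))       # constructed sample initialization vector


def toy_encrypt_block(block, key):
    """Toy 8-round Feistel cipher (stand-in only, not a real or secure cipher)."""
    left, right = block[:4], block[4:]
    for rnd in range(8):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def shannon_entropy(data):
    """Byte entropy in bits per byte (0.0 to 8.0)."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def cbc_trace(plaintext, key, iv):
    """Encrypt in CBC mode and return what the cipher routine itself sees.

    Returns (cipher_inputs, cipher_outputs): the concatenated blocks passed to
    and returned by the block cipher, i.e. the buffers a tracer would observe.
    """
    previous = iv
    inputs, outputs = [], []
    for off in range(0, len(plaintext), BLOCK):
        block = plaintext[off:off + BLOCK]
        chained = bytes(a ^ b for a, b in zip(block, previous))  # P_k xor C_(k-1)
        previous = toy_encrypt_block(chained, key)
        inputs.append(chained)
        outputs.append(previous)
    return b"".join(inputs), b"".join(outputs)


def entropy_report():
    """Entropy of the plaintext, the cipher input and the cipher output."""
    # Constructed low-entropy plaintext, 4096 bytes (a multiple of BLOCK).
    plaintext = (b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n" * 100)[:4096]
    cipher_in, cipher_out = cbc_trace(plaintext, KEY, IV)
    return {
        "plaintext": shannon_entropy(plaintext),
        "cipher_input": shannon_entropy(cipher_in),
        "cipher_output": shannon_entropy(cipher_out),
    }


if __name__ == "__main__":
    for name, value in entropy_report().items():
        print(f"{name:14s} {value:.3f} bits/byte")
```

The plaintext stays well below 5 bits per byte, while the cipher input and output are both close to 8, so an entropy comparison at the boundary of the cipher routine sees no difference.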
In comparison to Lutz's work, we also research the identification of a larger set of
algorithms (hash algorithms and asymmetric cryptography) and the identification and
verification of input, output, and key material.
2.4. Frameworks for Execution Tracing
When discussing execution frameworks, we have to keep in mind that the design
goal of unobtrusiveness is hardly satisfiable. A system which perfectly emulates the
original system is a reimplementation of the original system. Thus, choosing an execution
framework can only be based on a tradeoff between usability and detectability.
In the following sections we give a short overview of available dynamic execution
frameworks.
2.4.1. Overview
Concerning dynamic software tracing frameworks, two authors give an overview: Reynaud
[65] with focus on malware and Röck [70] with focus on operating systems. Röck
lists the following dynamic operating system instrumentation frameworks: Pin [48],
PinOS [10], DTrace, KProbes, SystemTap, and JIFL. Besides the listed dynamic binary
instrumentation frameworks, there also exist secuBT by Payer [59], Valgrind by
Nethercote and Seward [54], and DynamoRIO used by Zhao et al. [90].
Reynaud distinguishes between virtualization (VMWare, Xen, Parallels, VirtualPC,
etc.) and emulation (Bochs, QEMU [6], etc.). Furthermore, he addresses current
difficulties in the arms race between the malware authors and analysts. To our knowledge,
recent papers in this field are on Anti-Virtualization [27, 85, 24, 66], Anti-Emulation
[63, 57, 58], Anti-Taint-Tracking [15], and Anti-Unpacker tricks [25].
To generate a trace of a program, the framework should have the following features [78]:
- Process identification and handling
- Syscall/API call registration
- Memory read and write recording
- Instruction tracing
Further useful techniques are general taint-tracking [72, 41, 81, 51] and memory
tracing [3]. The execution of adjacent code paths is a difficult challenge in dynamic
analysis and is addressed by Moser et al. [52]. The difficulties of creating and
maintaining a large trace are investigated by Bhansali et al. [7].
2.4.2. Virtualization and Emulation
Frameworks leveraging the virtualization extensions of AMD and Intel are the
hypervisor-based approaches by Murakami [53], the MAVMM platform, based on TVMM,
by Godiyal et al. [28], the unpacker Azure by Royal and Damballa [71], the Xen-based
Ether by Dinaburg et al. [20], and VMware ReTrace [74]. QEMU-based tools are the
K-Tracer tool for behavioral analysis by Lanzi et al. [43], the BHO Spyware analyzer
by Egele et al. [22], TTAnalyze by Bayer et al. [4], Argos by Portokalidis et al. [61],
and Panorama by Yin et al. [88]. An unpacker based on BitBlaze's TEMU is Renovo
by Kang et al. [37]. An API-hooking-based approach is CWSandbox by Willems et al.
[84].
An abstraction layer to virtualization applications is the libvirt framework, which
provides VM-independent access to Xen, KVM, QEMU, VirtualBox, VMWare and functions
to modify running guest virtual machines. It is utilized, for example, by eKimono
by Nguyen Anh Quynh [55] to scan memory for malware.
The Bochs-based frameworks, Pandora's Bochs by Böhne [8] and Zynamics Bochs
by Carrera [14], are used for unpacking. Both extend Bochs with the Python scripting
language. Another Bochs-based framework, TaintBochs by Chow et al. [16], uses data
tainting to analyze critical data lifetime.
2.4.3. Dynamic Binary Instrumentation
Two security research fields heavily utilize dynamic binary instrumentation (DBI):
unpackers and protocol reversing. Protocol reversing has been shown in Autoformat,
a Valgrind-based tool by Lin et al. [47], as well as on the iDNA-based [7] Tupni by Cui
et al. [18]. Polyglot by Caballero et al. [11] also uses DBI to extract protocol message
formats.
Unpackers which use DBI are, for example, Uncover by Wu et al. [87], which uses DLL
injection, and MmmBop by Bania [2], implementing its own DBI engine. Furthermore,
binary instrumentation is used by Dytan, a generic dynamic taint analysis framework
by Clause et al. [17], and SPiKE, a malware analysis tool using unobtrusive
binary instrumentation, by Vasudevan and Yerraballi [78] based on (VAMPiRE).
2.4.4. Pin-focused Work
The Saffron unpacker by Quist and Valsmith [62] successfully uses Pin to unpack various
executables. In September 2009 Daniel Reynaud used Pin on a malware corpus of
approximately 60000 samples [67]. His tests showed that about 10000 errors were
generated by the samples. In Guizani et al. [31] the authors report an 81.28 % success rate
using Pin on binaries collected from a honeypot. In Bania [2, Section 3.2] the author
states that Pin and Saffron are unable to instrument the loaders tElock and PESpin.
2.5. Summary
We can summarize that there are some research efforts which search for cryptographic
primitives. Some tools utilize static analysis, others inspect the target during runtime.
We can identify limitations in both categories of tools, and thus, we can conclude that
further research is needed in this area.
Chapter 3. Prerequisites
In this chapter we clarify the cryptographic and software analysis terminology. We
also introduce different representations of cryptographic algorithms, software tracing,
and dynamic software analysis methods.
3.1. Cryptographic Algorithms
An algorithm can be examined in different representations: the formal algorithmic
definition from the paper, the implemented source code, the compiled representation,
and mixed cases of the latter two. In the next sections, we describe the different
characteristics for each representation.
3.1.1. Algorithmic Definition
Cryptographic algorithm definitions can either be known to the public or kept secret.
Although certain methods described in this work can be used to identify the existence
of unknown cryptographic algorithms, we only consider the following publicly
known algorithms in this thesis and our analysis implementation.
RSA
RSA [69] is an algorithm for public-key cryptography. Based on the problem of
efficiently factoring large numbers, the RSA algorithm enables the encrypting and
signing of messages using public and private key pairs. The private key and the public
modulus are commonly integers with a length of 1024, 2048, or 4096 bits depending
on the security level.
MD5
MD5 [68] is a message digest, or hash algorithm, to generate a static length hash sum
for an arbitrary length input. The hash sum has 128 bits and is computed within
four rounds, each with 16 operations of either exclusive or, logical conjunction, logical
disjunction, and negation.
XOR
When we refer to the XOR algorithm, we thereby mean the bitwise exclusive disjunction
of the plaintext i and the key k to create the ciphertext o using the xor operation:
$o = i \oplus k$. The parameters i, k, and o must be of equal, but can be of arbitrary length.
Common lengths are one or multiple of eight bits. Given a XOR key is only used once,
the algorithm is also known as a One-Time-Pad, although in our evaluation we reuse
key material.
DES
The Data Encryption Standard (DES) [56] is a block cipher with a fixed key size of
56 bits and a block size of 64 bits. The structure of the cipher is a Feistel network
(footnote 1) with 16 rounds. The core Feistel function consists of a 32 to 48 bit
expansion box, eight substitution boxes (footnote 2), and a permutation box (footnote 3).
The round key is integrated using a XOR operation.
Footnote 1: A Feistel network is a symmetric structure for the construction of block
ciphers. The network separates data into two blocks $L_i$, $R_i$ and applies a round
function $f$, using a round key $K_i$, to one block in each round:
$R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$. Then, the blocks are exchanged afterwards:
$L_i = R_{i-1}$.
Footnote 2: A substitution box, or s-box, takes a number of bits and transforms them into
a number of output bits.
Footnote 3: A permutation box, or p-box, shuffles input bits to create diffusion.
AES
The Advanced Encryption Standard (AES) [19] is a block cipher, originally known as
Rijndael. The successor to DES supports key sizes of 128, 192, or 256 bits and uses a
block size of 128 bits. The design of the cipher is based on a substitution-permutation
network. The cipher operates on a 4 × 4 array of bytes. Depending on the key size,
10, 12, or 14 rounds are used. In the majority of rounds substitution and permutation
steps are committed to the internal state. In implementations these steps are commonly
performed using lookup tables, which perform a trade-off between memory
space and computational time.
RC4
RC4 [38] is a stream cipher consisting of a key scheduling algorithm (KSA) and a
pseudo-random generation algorithm (PRGA) to generate a stream of bits, which is
commonly xored on the plaintext to generate the ciphertext. The KSA prepares an
internal state array using a variable length key, typically between 64 and 256 bits.
The PRGA uses and modifies the internal state to generate the stream of bits. Both
algorithms, i.e., KSA and PRGA, only use bitwise arithmetic addition modulo the
key size and substitution or lookup operations inside the internal state.
3.1.2. Implemented Code
The next representation of a cryptographic algorithm is its implementation. It conforms
to the definition, but can be realized in many different ways. Several modifications
to the internal functions of cryptographic algorithms can be performed, mostly
to gain a space or time advantage. A very common form is a lookup table, which
can be employed instead of bitwise addition and shifting. Another common programming
technique is loop unrolling to avoid the flushing of the CPU's instruction
pipeline and to save the loop's control instructions, e.g., JMP, INC.
Since the correct and efficient implementation of cryptographic algorithms is a
non-trivial task, many public code libraries exist to support application developers. A
majority of cryptographic code is reused from cryptographic libraries, e.g., OpenSSL,
Cryptopp, or interfaces, e.g., MSCrypto API.
3.1.3. Compiled Code
The third representation of an algorithm is the compiled form of the high-level de-
scription language. Here we consider mainly C/C++ compiled code. Our testing
applications are created using two different compilers, because each compiler has a
different approach towards optimizing the assembly code and thus produces different
results. The results also heavily depend on the used compiler settings.
Independent of the code generation is the code linkage. If the cryptographic code has
been compiled as a library, and thus is dynamically linked to the executable, we also need
to inspect the library. Otherwise, cryptographic code can also be statically embedded
into the executable and no further precautions need to be taken.
A special case is introduced by interpreted code and just-in-time generated code. In
order to analyze such code, we need to mask the interpreter code sections. As such
a scenario needs a specialized approach, we do not consider it here. Analogously,
we do not consider code obfuscation and protection, because we also would need to
normalize the code and remove the obfuscation.
3.1.4. Algorithmic Composition
Usually, cryptographic primitives are composed to more complex cryptographic systems
and thus are slightly modified concerning their parameters. For example, padding,
to finish a block to be enciphered, may be added to a plaintext. Depending on
the mode of operation, the plaintext may never be introduced to the cryptographic
algorithm, but rather xored into the ciphertext, e.g., in cipher feedback mode (CFB),
as illustrated in Figure 2.1.
Since the composition varies depending on the higher protocol, we do not consider the
modifications to the inputs before, or to the outputs after, the cryptographic algorithm
has been invoked. Therefore, we define the plaintext as the input to the algorithm and
the plaintext may already include a padding, compression, or encoding. We rather focus
on the identification of atomic cryptographic primitives, because they constitute
the least common denominator of cryptographic software. If we have knowledge of
the used cryptographic primitives, we could reconstruct or identify the higher
cryptographic protocol from their composition, as described in Section 7.2.
3.2. Execution Tracing
Under execution tracing, or generally tracing, we understand the process of analyzing
a binary executable during runtime to generate a protocol, describing the instructions
executed and the data accessed by the executable.
This process has several requirements and constraints. A major requirement is the
correctness of the trace, meaning that the trace should contain all information to
reconstruct each system state the executable encountered during its execution. An
executable should not be able to escape the tracing or to render it incorrect. Secondary
requirements are the efficiency and the unobtrusiveness of the tracing system. As
reviewed in Section 2.4, several frameworks exist and each has different advantages
and drawbacks. We use the Pin dynamic binary instrumentation (DBI) framework to
conduct the trace. We choose Pin because of the available API, which enables us to
create fine-grained traces. Also, the previous applications of Pin for malware analysis,
referenced in Chapter 2, and the good support and ongoing development are positive
criteria for the choice of the Pin dynamic binary instrumentation framework.
Instrumentation is the technique that inserts extra code into an arbitrary program
to collect runtime information. Since Pin uses dynamic instrumentation, there is no
need to recompile or relink the program. Pin discovers code at runtime, including
dynamically generated code, and instruments it as specified by the Pintool.
Using the Pin API, a Pintool has access to context information such as register contents
or debug symbols. The Pin framework deals with the dynamic code injection, code
integrity, and restoring of registers which were modified by the Pintool. Pin
differentiates between two modifications to program code: instrumentation routines and
analysis routines. Instrumentation routines detect where instrumentation should be
inserted, e.g., before each instruction, and then modify the code accordingly. The
instrumentation routines occur the first time a new instruction is executed. On the other
hand, analysis routines define what actions are performed when the instrumentation
is activated, e.g., writing to the trace file. They occur every time an instrumented
instruction is executed. A core Pin paradigm is to filter using instrumentation routines
and to keep the count of invoked analysis routines small. The instrumentation
can be performed on three different granularity levels: instruction, basic block (single
entry, single exit), and trace (single entry, multiple unconditional control flow
changes/exits). Trace instrumentation is an instrumentation technique specified by
Pin and should not be confounded with our method of runtime tracing. Because we
need to record on a fine-grained level, as explained in Section 3.2.2, we instrument on
instruction level.
Naturally, dynamic analysis has the general constraint that if code is not executed,
it cannot be analyzed. Thus, we rely on the fact that the binary executable
unconditionally executes the code we want to analyze. Otherwise, the code would not be
incorporated in the trace and cannot be used in later identification methods.
3.2.1. Data Reduction
In order to minimize the size of the logfile, we utilize two filter methods. On the
one hand, we filter libraries of which we have a-priori knowledge that they do not
contain cryptographic code. Using a DLL whitelist, we are able to circumvent large
code portions, for example of pseudo-random number generation. This is especially
useful to reduce the trace time and file size. On the other hand, we can filter by thread
ID and are also able to start the trace after a certain number of instructions already
occurred, for example to skip an unpacker.
3.2.2. Required Data
For the analysis we need to record the following information on an instruction-level
granularity:
- Current instruction pointer
- Optional debug information, e.g., DLL module, function symbol, offset to function
  symbol
- Current thread ID
- Instruction disassembly
- Involved registers and their data
- Accessed memory values, before and after the instruction, including mode (read
  or write), size, and address
Using this information, we are able to conduct the next step: the analysis of the trace.
The analysis, which is performed after or in parallel to the trace, is divided into two
kinds of procedures. At first, high-level information, e.g., the control flow graph, is
generated from the trace. Next, the cryptographic code identification methods are
executed upon the high-level representation. The high-level reconstructing procedures
are described in the following sections, the cryptographic code identification methods
are described in the next chapter.
3.3. Basic Block Detection
A basic block is defined as a sequence of instructions, which always will be executed
in the given order. Thus, each instruction in a basic block will always be executed
before its next instruction. Each basic block has a single entry and single exit point.
Since the basic blocks are generated dynamically from a trace, the result of the basic
block detection algorithm may differ from a static detection algorithm [80]. The basic
blocks are generated from the dynamic trace, thus non-executed code will not be
considered by the detection algorithm, because it is not incorporated in the trace.
Nevertheless, an advantage of dynamic tracing is the ability to monitor indirect branches
and thus we are able to incorporate their result into the basic block detection
algorithm.
Algorithm 3.1 Basic block detection
Require: ordered list of executed instructions I
1. for all instructions i in I do
2.   if i is a call, return, or jump then
3.     save, that i ends a basic block
4.   else if i is the next instruction after call, return, or jump then
5.     save, that i starts a basic block
6.     save, that at the address of i a basic block is started
7.   end if
8. end for
9. initialize list of basic blocks B
10. initialize temporary basic block b
11. for all instructions i in I do
12.   if i does not start a basic block and at the address of i a basic block is started and b is not empty then
13.     append b to B
14.     empty b
15.   end if
16.   append i to b
17.   if i ends a basic block then
18.     append b to B
19.     empty b
20.   end if
21. end for
22. return B
If a basic block is changed by self-modifying code, the change is noticed when the new
code is first executed. A modified basic block is therefore registered as a new basic
block, because the new block's instructions are different from the old block.
Given a trace, the basic blocks are generated as follows. A start of a basic block is
denoted by the target of a jump or a call. An end of a basic block is marked by either
a return, a call, or a branch (unconditional or conditional, direct or indirect branch).
Therefore, a jump into a previously registered basic block divides the basic block into
two blocks. Dividing jumps are detected in Algorithm 3.1 (line 12) by also saving
addresses that constitute a new basic block (line 6).
Our method is shown in Algorithm 3.1. The algorithm generates the list of executed
basic blocks by iterating two times over the traced instructions. In the first iteration,
the algorithm saves which instruction starts or ends a basic block. Also, the algorithm
saves which address starts a basic block in order to detect jumps in the middle of a
basic block. To generate the final list of basic blocks, the second iteration is started.
There, the algorithm uses a current basic block to temporarily gather instructions. The
current basic block is saved and emptied in two cases: either the current instruction
ends a basic block, or at the current address a new basic block is started.
3.4. Loop Detection
Loops are defined as the repeated execution of the same instructions, commonly with
different data. To perform the detection of loops, we follow the approach from Tubella
and González [77]. Although we may use the dominant relationship in the flow graphs,
for example the Lengauer and Tarjan [46] algorithm, it does not recover the same
amount of information as [77], because it operates on a control flow graph, and therefore
does not convey in which order control edges are taken during execution. However,
using the Tubella and González algorithm, we are able to determine the hierarchy
of loops and the exact amount of executions and iterations of each loop body.
The algorithm detects a loop by multiple executions of the same code addresses. A
loop execution is completed if there is no jump back to the beginning of the loop
body, a jump outside of the loop body, or a return instruction executed inside the
loop body.
To track the current progress in the nesting of loops, the algorithm uses a current loop
stack, denoted by L in Algorithm 3.2. For each instruction in the trace, the algorithm
first checks whether the instruction is a jump. If the target address of the jump t is not
inside the loop stack, the (target address t, current address i)-tuple is pushed on the
loop stack and a new execution of this loop is recorded. If the target address is on the
loop stack, we check whether the jump to the beginning of the loop body is actually
taken. If it is taken, we record a new iteration for the loop body denoted by (t, i),
clear the stack above the current loop body entry, because these loops have finished,
and optionally update the loop body's end i in (t, i). If the jump is not taken and the
execution at i continues outside the loop body, i.e., $i \ge b$ for (a, b) in L where t = a
(line 12), the loop iteration and its execution has been finished and thus it is cleared
from the stack, including all loops above on the stack.
Algorithm 3.2 Loop detection
Require: ordered list of executed instructions I
1. initialize loop stack L
2. for all instructions i and their next instruction t in I do
3.   if i is a call, return, or jump and target t is not in L then
4.     record a new execution of (t, i)
5.     push (t, i) on L
6.   end if
7.   if i is a call, return, or jump and target t is in L then
8.     if the jump from i to t is taken then
9.       record a finished iteration for (t, i)
10.      pop L above (t, i)
11.      update i for (a, b) in L where i > b and t = a
12.    else if $i \ge b$ for (a, b) in L where t = a then
13.      record a finished iteration and a finished execution for (t, i)
14.      pop L above and including (t, i)
15.    end if
16.  end if
17.  for all $(t', i')$ in L do
18.    if $t' \le i \le i'$ and ($t < t'$ or $t > i'$) then
19.      record a finished iteration and a finished execution for $(t', i')$
20.      delete $(t', i')$ from L
21.    end if
22.    if $t' \le i \le i'$ and i is a return then
23.      record a finished execution for $(t', i')$
24.      delete $(t', i')$ from L
25.    end if
26.  end for
27. end for
At every instruction the algorithm also checks the integrity of the loop stack in lines
17-26. Therefore, it iterates over the loop stack and checks whether the current instruction
address is inside a currently running loop. If it is and the current instruction is a
return instruction, the particular loop's execution is finished and the loop is removed
from the stack. Also, if the target of a current jump points outside the body of the
current loop, then the execution of the loop is finished and the loop is removed from
the stack.
For the example in Listing 3.1, we generated the following pseudo trace in Table 3.1.
The loop stack illustrates the number of currently executing loops using squares. The
number of iterations per loop is demonstrated using the corresponding number in the
square of the loop.
The results of the loop detection algorithm for the given example would be the
following:
- The outer loop is executed one time and has two iterations. The loop body begins
  with c=c+1 and ends with i<2?.
- From the outer loop, the inner loop is executed two times: first with one, then
  with two iterations. The inner loop begins with j%5<3? and ends with j<i?.
- During each inner loop iteration a call to dosomething() is issued and therefore
  the call is recorded as its own loop execution, with one iteration each.
If we search for the loops of the XOR testing application from Section 6.2, illustrated
in Figure 3.1, the loop detection algorithm generates the results in Table 3.2. We can
note that both inner and outer loops of the algorithm are detected. The first row in the
table shows the inner loop, which is executed 32 times with 128 iterations each. The
second row illustrates the outer loop, which is executed once and launches the inner
loop 32 times.
Loop detection, with the fine granularity presented here, is a clear advantage of dynamic
analysis. Otherwise, with static analysis, no information would be available
concerning how many iterations or executions a particular loop is executed. The
identification methods using the loop detection are discussed in detail in the next
chapter.
Acommon optimization technique for cryptographic code is the unrolling of loops to
save the instructions needed for the loop control, e.g., counters, compare, and jump
1 for(i = 1; i < 2; i++)
2 {
3 c = c + i;
4 for(j = 0; j < i; j++)
5 {
6 if(j % 5 < 3)
7 {
8 dosomething(c,j);
9 }
10 }
11 }
Listing 3.1: Sample loop code
28
Operation Loop Stack Comment
i=1 1
c=c+1 1 outer loop started
j=0 1
j%5<3? 1 1 inner loop started
dosomething() 1 1 1 temporary loop for dosomething()
j++ 1 1 dosomething() returned
j<i? 1 1
i++ 1 inner loop nished
i<2? 1
c=c+i 2 second iteration for outer loop
j=0 2
j%5<3? 2 1
dosomething() 2 1 1
j++ 2 1
j<i? 2 1
j%5<3? 2 2 second iteration for inner loop
dosomething() 2 2 1
j++ 2 2
j<i? 2 2
i++ 2 inner loop nished with two iterations
i<2? 2 outer loop nished
nished example
Table 3.1.: Pseudo trace for example in Listing 3.1
instructions, and to mitigate the risk of clearing the instruction pipeline by a falsely-
predicted jump. While many implementations discussed here partially unroll loops,
no implementation unrolls every loop. Therefore, we nd a lot of looped crypto-
graphic code and can still rely on this analysis observation elaborated in the next
chapter.
Address                 Executions   Iterations per Execution       Total
Start      End                       Minimum   Average   Maximum    Iterations
0x401130   0x401145     32           128       128       128        4096
0x401123   0x401169     1            32        32        32         32
Table 3.2.: Detected loops for the XOR test application
3.5. Control Flow Graph Generation
We build our control flow graph generation algorithm upon the basic block detection
algorithm. Given the list of executed basic blocks, we need to find the control
flow changes, i.e., which basic block jumps to which block. In order to generate the
control flow graph [26] from the list of basic blocks we use a key-value data structure
(dictionary). The algorithm in Listing 3.3 iterates over the executed basic blocks. It
generates a unique set of basic blocks using the unique keys of the dictionary. For
each basic block the next executed basic block is recorded to denote the directed edge
between the two blocks. The final dictionary will hold a unique set of basic blocks,
representing the vertices, as keys. The dictionary's values will hold the directed edges
going away from the respective vertex in an array.
Algorithm 3.3 Control flow graph generation
Require: ordered list of executed basic blocks B
1. initialize (key, value) dictionary C
2. last ← 0
3. for all basic blocks b in B do
4.   insert b as key into C
5.   if last ≠ 0 then
6.     append b to the value of key last in C
7.   end if
8.   last ← b
9. end for
10. return C
If we consider the generated control flow graph for the XOR test application, depicted
in Figure 3.1, we can clearly identify the loops shown in Table 3.2. The core XOR
operation takes place in the third basic block from the top (BBL 0x401130) during its
second instruction.
For visual verification and usage in this thesis we generated PDF files from the control
flow graphs. Therefore, we transformed the algorithm's output into the Graphviz dot
description language [23] and converted it to a PDF file using the dot tools.
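The dictionary-based construction of Algorithm 3.3 and the dot export described above, as an added Python example that is not the thesis' own code. It goes one step further and counts how often each edge is taken; the function names and the trace are assumptions, the trace being constructed to match the executions and iterations in Table 3.2 with library blocks left out.

```python
from collections import Counter


def build_cfg(executed_blocks):
    """Algorithm 3.3: keys are the unique basic blocks (vertices), values list
    the blocks executed directly afterwards (directed edges).

    Successors are stored once each; how often an edge was taken is kept in a
    separate Counter, which is an addition made for this example.
    """
    cfg, edge_counts = {}, Counter()
    last = None
    for bbl in executed_blocks:
        cfg.setdefault(bbl, [])
        if last is not None:
            if bbl not in cfg[last]:
                cfg[last].append(bbl)
            edge_counts[(last, bbl)] += 1
        last = bbl
    return cfg, edge_counts


def to_dot(cfg, edge_counts):
    """Render the graph in the Graphviz dot language, labelling repeated edges."""
    lines = ["digraph cfg {", "  node [shape=box];"]
    for bbl in cfg:
        lines.append('  "0x%x";' % bbl)
    for (src, dst), count in sorted(edge_counts.items()):
        label = ' [label="%d"]' % count if count > 1 else ""
        lines.append('  "0x%x" -> "0x%x"%s;' % (src, dst, label))
    lines.append("}")
    return "\n".join(lines)


def xor_trace():
    """Constructed block trace: the outer loop 0x401123..0x401164 runs 32 times
    and each run executes the inner loop block 0x401130 128 times."""
    trace = [0x40111d]
    for _ in range(32):
        trace += [0x401123, 0x401129]
        trace += [0x401130] * 128
        trace += [0x401147, 0x401155, 0x401164]
    trace.append(0x40116b)
    return trace


if __name__ == "__main__":
    graph, counts = build_cfg(xor_trace())
    print(to_dot(graph, counts))
```

A block that lists itself as successor, as 0x401130 does here, is a single-block loop; its self-edge count is 32 x 127 because the last of the 128 iterations leaves the loop.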
3.6. Memory Reconstruction
To further analyze the data incorporated in a trace, we need to reassemble the memory
contents, i.e., generate memory dumps from the trace at different points in time. This
is especially important because cryptographic keys are larger, e.g., 128 or 256 bit, than
the word size of the architecture, e.g., 32 bit. Thus, a cryptographic primitive can
extend over several words in memory and has to be accessed by multiple operations.
To reconstruct such a primitive, we need to consider and combine multiple operations.
As we do not conduct taint tracking [42, 5], we need to reassemble the memory based
on its addresses.
[Figure 3.1.: Control flow graph generated for the XOR application]
If an instruction involves a memory access, we record the following information to
the trace:
Memory Address
Size of access, e.g., 8 bit
Actual data read or written
Mode of operation, i.e., read or write
From this information, which is attached to several instructions in the trace, we need
to reconstruct the memory content. Since data at an address can change during the
trace, we may have several values for the same address. Thus, instead of dumping
the memory for a particular point in time, we reconstruct blocks of memory
that have a semantic relationship. For example, a read of 128 bit cryptographic key
material may occur in four 32 bit reads. Later, 8 bit write operations to the same
memory region may destroy the key in a memory reconstruction. Therefore, we try
to separate the 8 bit writes from the 128 bit key block.
For this method, we rely on a few characteristics of the memory block, i.e., the
interconnected memory composed of several words. At first, we distinguish between read
or write blocks and thus separate the traced memory accesses based on their mode.
Next, we assume that a block is accessed in a sequential order. Thus, we save the last
n memory accesses, which occurred before the current memory access. In our
experiments n = 6 proved to be a reliable threshold. As a third characteristic, we use the
size of the access to distinguish between multiple accesses at the same address.
Algorithm 3.4 Memory reconstruction
Require: address-ordered list of memory accesses M
1. for all memory accesses M' at address a in M do
2.   for all memory access m in M' do
3.     if memory access m is not tagged processed then
4.       launch recursive memory block search with (M, m, a)
5.     end if
6.   end for
7. end for
The algorithm is shown in Listing 3.4. It calls the recursive function in Listing 3.5,
which is applied to every value in memory and traverses the memory. The recursive
function first generates a set of the memory accesses to the current address. Also, a
precomputed set is prepared that holds all memory accesses which appeared nearby
the current memory access in the trace. Then, in line 9 of Listing 3.5 the next address
is computed using n = a + bytesize(v). If the next address contains a memory access,
which has been used nearby the current access, the block search continues in lines
18-19. Also, if the next address contains the same structured memory values, e.g., an 8 bit
read and two 32 bit reads, the search continues in lines 21-23. A special case is handled
in line 12: if multiple nearby memory accesses are found the recursive search is split
and continued for each of the multiple accesses.
Algorithm 3.5 Recursive memory block search
Require: address-ordered list of memory accesses M, current memory access m and
the address a
1. M' = set of memory accesses to a in M
2. A = 6 nearby memory accesses from the trace, where the access to a occurred
3. if memory access m is not tagged processed then
4.   append data value v of m to current block
5. else
6.   return current block
7. end if
8. tag current memory access m as processed
9. next address n = a + bytesize(v)
10. N = the set of memory accesses at address n in M
11. if N is not empty then
12.   if |N ∩ A| > 1 then
13.     for all memory accesses m' in N ∩ A do
14.       duplicate current block
15.       launch recursive memory block search with (M, m', n)
16.     end for
17.   else if |N ∩ A| = 1 then
18.     m' = N ∩ A
19.     launch recursive memory block search with (M, m', n)
20.   else if |N ∩ A| = 0 and the structure of set N is the same as M' then
21.     o = offset(m) in M'
22.     m' = value in set N with offset o
23.     launch recursive memory block search with (M, m', n)
24.   end if
25. end if
26. return current block
If we search for a 128 bit key for example, and we traced the memory layout shown
in Table 3.3, then the algorithm starts at address 001a0000 and concatenates 31313131 to
32323232 because of a sequential layout in the memory. At address 001a0010 the
algorithm encounters two different values during the trace. Then, the algorithm relates
35353535 to the current block due to the similar memory layout (32 bit read) and also due
to the nearby usage of 34343434 in the trace.
Address Values read
001a0000 31313131
001a0004 32323232
001a0008 33333333
001a000c 34343434
001a0010 35353535 01
001a0011 02
001a0012 03
001a0013 04 05 60
001a0014 36363636 05 08
001a0015 06 0d
001a0016 07 15
Table 3.3.: Shows an example for the memory block search algorithm
When we have acquired the blocks and search for a 128 bit key, for example, we first
discard blocks without sufficient size. Larger blocks are then divided by a sliding
window algorithm to contain exactly 128 bit. In the example in Figure 3.2, the block of
192 bits is divided into three blocks of 128 bit each.
[Figure 3.2 shows the 192 bit block 31313131 32323232 33333333 34343434 35353535 36363636
three times, marked Candidate 1, Candidate 2 and Candidate 3.]
Figure 3.2.: Sliding window over candidate keys
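The block search of Algorithms 3.4 and 3.5 followed by the sliding window, as an added Python example that is not the thesis' own code. It is a simplified version: "nearby" is taken as within n = 6 positions in the list of memory accesses in either direction, the window advances in 32 bit steps (an assumption that yields the three candidates of Figure 3.2), and the trace is constructed so that it produces the layout of Table 3.3.

```python
from collections import defaultdict, namedtuple

# seq is the position among the traced memory accesses; data holds the bytes
# in the order they are printed in Table 3.3.
Access = namedtuple("Access", "seq addr size data mode")
NEARBY = 6  # threshold n = 6 from the text


def reconstruct_blocks(trace, mode="R", nearby=NEARBY):
    """Return [(start_address, bytes)] for accesses of one mode (read or write)."""
    by_addr = defaultdict(list)
    for acc in trace:
        if acc.mode == mode:
            by_addr[acc.addr].append(acc)
    processed, blocks = set(), []

    def search(m, start, data):
        if m.seq in processed:              # Algorithm 3.5, lines 3-7
            if data:
                blocks.append((start, data))
            return
        processed.add(m.seq)
        data += m.data
        here = by_addr[m.addr]
        nxt = by_addr.get(m.addr + m.size, [])   # line 9: n = a + bytesize(v)
        near = [x for x in nxt if abs(x.seq - m.seq) <= nearby]
        if near:                            # lines 12-19: one branch per nearby access
            for x in near:
                search(x, start, data)
        elif nxt and [x.size for x in nxt] == [x.size for x in here]:
            search(nxt[here.index(m)], start, data)   # lines 20-23: same structure
        else:
            blocks.append((start, data))

    for addr in sorted(by_addr):            # Algorithm 3.4
        for m in by_addr[addr]:
            if m.seq not in processed:
                search(m, addr, b"")
    return blocks


def key_candidates(blocks, key_bytes=16, step=4):
    """Drop blocks shorter than the key and slide a key-sized window over the rest."""
    out = []
    for start, data in blocks:
        for off in range(0, len(data) - key_bytes + 1, step):
            out.append((start + off, data[off:off + key_bytes]))
    return out


def sample_trace():
    """Constructed trace: six 32 bit reads, then unrelated 8 bit reads much later."""
    trace = []

    def reads(first_seq, addr, size, values):
        for i, value in enumerate(values):
            trace.append(Access(first_seq + i, addr + i * size, size,
                                bytes.fromhex(value), "R"))

    reads(0, 0x1a0000, 4, ["31313131", "32323232", "33333333",
                           "34343434", "35353535", "36363636"])
    reads(100, 0x1a0010, 1, ["01", "02", "03", "04", "05", "06", "07"])
    reads(200, 0x1a0013, 1, ["05", "08", "0d", "15"])
    reads(300, 0x1a0013, 1, ["60"])
    return trace


if __name__ == "__main__":
    for address, candidate in key_candidates(reconstruct_blocks(sample_trace())):
        print("%08x %s" % (address, candidate.hex()))
```

The 8 bit reads that overlap the key region end up in blocks of their own and are discarded by the size check, so only the 192 bit block contributes candidates.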
3.7. Summary
In this chapter we presented several methods for reconstructing high-level structures
from a trace. The structures are used in the following chapter to build the
identification methods. We also clarified software analysis terminology and methods. For
completeness, we described the cryptographic algorithms and their different
representations.
Chapter 4.
Observations and Methods
In this chapter we discuss the different properties of cryptographic code and
elaborate on the implemented methods to detect the cryptographic code and its primitives.
First we give an overview of the identification methodology and then, based on code
observations we make, we explain the developed identification methods. In order to
successfully identify the cryptographic primitives we have to algorithmically solve
the following questions: which cryptographic primitives are used, where they are
implemented in code, what their parameters are, and when they are used.
4.1. Reducing of Code Search Space
In order to reduce the code search space we heavily rely on the algorithms described
in Chapter 3. Using the generated high-level representation of the trace, we are able
to generically build the identification methods upon the representation. For example,
if we search for specific code properties, we do not need to analyze the complete trace,
possibly with duplicate basic blocks, but rather we are able to only search the unique
set of basic blocks.
Furthermore, if a-priori knowledge of the analysis target is available, we can filter
out certain code blocks. We can filter based on the name of the module, in which a
particular instruction resides, to exclude system libraries. Also, we can only inspect
a specific thread of the process. In order to trace certain malware samples, we could
skip a number of instructions before we begin the trace, for example to circumvent
code deobfuscation.
4.2. Type of Identification
We distinguish between two classes of identification algorithms: signature-based and
generic. The main differentiation is the knowledge needed for the identification
algorithm. For signature-based identification, we need a-priori knowledge about the
specific cryptographic algorithm or implementation. On the other hand, for generic
identification we use characteristics common to all cryptographic algorithms and therefore
do not need specific knowledge.
4.2.1. Signature-based Identification
A signature-based identification algorithm uses a-priori knowledge of the
cryptographic code in order to determine its application. For example using patterns, we
are able to identify implementations of cryptographic code based on the sequence of
mnemonics. A drawback of signature-based identification algorithms is that the
signature or the signature matching algorithm may be evaded by modifications to the
cryptographic code. The modifications could be either intentional, e.g., code
obfuscation, or unintentional, e.g., compiler optimizations. An advantage of signature-based
identification is the fast generation of new signatures and the simplicity of the
matching algorithms.
4.2.2. Generic Identification
A generic identification algorithm exploits characteristics of the cryptographic code,
for example the number of certain instructions. It counts and weights their existence
in the given trace and compares the result to a threshold. The threshold is commonly
determined by empiric means. If the result outweighs the threshold, the algorithm has
determined the existence of the cryptographic code. Using the results of a threshold
decision, we can also drop false-positives by an excluding characteristic. For example,
if a threshold indicates a cryptographic algorithm in a slice of the trace, then we can
check whether the data referenced in that slice contains cryptographic parameters and
verify them with a reference implementation.
In general, generic identification algorithms have a higher probability of false-positives
compared to signature algorithms. Nevertheless, they offer the possibility of
detecting cryptographic code without a-priori knowledge about the code, but rather with
a-priori knowledge about the characteristics of the code.
4.3. Observations
In this section, we point out four important features of cryptographic code, which we
found and confirmed during the course of this work. Some observations were already
mentioned in Chapter 2.
Observation 1
Cryptographic code makes excessive use of bitwise arithmetic instructions.
Due to the computations inherent in cryptographic algorithms many arithmetic in-
structions occur. Especially for substitutions and permutations, the compiled imple-
mentations make extensive use of bitwise arithmetic instructions. Also, many crypto-
graphic algorithms are optimized for modern computing architectures: for example,
contemporary algorithms like AES are speed-optimized for the Intel 32 bit architec-
ture and use the available bitwise instructions.
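A threshold decision of the kind described in Section 4.2.2, applied to Observation 1, as an added Python example that is not the thesis' own code. The listing format "BBL <address> <function> (<count>):" with one instruction per line, the set of mnemonics counted as bitwise, the threshold of 0.55 and the minimum block length of 20 are all assumptions of this example, and the sample listing is constructed.

```python
import re

# Mnemonics counted as bitwise arithmetic (the choice of set is an assumption).
BITWISE = {"and", "or", "xor", "not", "shl", "shr", "sal", "sar",
           "rol", "ror", "rcl", "rcr"}
THRESHOLD = 0.55        # illustrative value; a real one is determined empirically
MIN_INSTRUCTIONS = 20   # hypothetical guard against very short blocks

HEADER = re.compile(r"^BBL (0x[0-9a-fA-F]+) (\S+) \((\d+)\):$")

# Constructed sample: a DES-like permutation block, a byte-wise XOR loop body
# and a short shift-only block.
SAMPLE_LISTING = """\
BBL 0x401d45 _DES_encrypt1 (22):
ror eax, 0x3
ror ecx, 0x3
mov edx, ecx
shr edx, 0x1
xor edx, eax
and edx, 0x55555555
xor eax, edx
add edx, edx
xor ecx, edx
mov edx, eax
shr edx, 0x8
xor edx, ecx
and edx, 0xff00ff
xor ecx, edx
shl edx, 0x8
xor eax, edx
mov edx, ecx
shr edx, 0x2
xor edx, eax
and edx, 0x33333333
xor eax, edx
add edx, edx
BBL 0x401130 main (6):
mov dl, byte ptr [esp+ecx+0x10]
xor dl, byte ptr [esp+ecx+0x90]
inc ecx
cmp ecx, eax
mov byte ptr [esp+ecx+0x10f], dl
jl 0x401130
BBL 0x4013f0 _DES_set_key_unchecked (4):
shl esi, 0x1b
shr ecx, 0x1
shl ebx, 0x1b
shr edi, 0x1
"""


def parse_blocks(listing):
    """Return {address: block}; a block seen again in the trace is parsed once,
    so only the unique set of basic blocks is searched (Section 4.1)."""
    blocks, current = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            addr = int(header.group(1), 16)
            if addr in blocks:
                current = None
            else:
                current = blocks[addr] = {"addr": addr, "func": header.group(2),
                                          "declared": int(header.group(3)),
                                          "mnemonics": []}
        elif current is not None:
            current["mnemonics"].append(line.split()[0].lower())
    return blocks


def bitwise_ratio(block):
    """Share of bitwise arithmetic instructions in one basic block."""
    mnemonics = block["mnemonics"]
    if not mnemonics:
        return 0.0
    return sum(m in BITWISE for m in mnemonics) / len(mnemonics)


def flag_blocks(blocks, threshold=THRESHOLD, min_instructions=MIN_INSTRUCTIONS):
    """Return (address, function, ratio) for blocks at or above the threshold."""
    hits = []
    for addr in sorted(blocks):
        block = blocks[addr]
        ratio = bitwise_ratio(block)
        if len(block["mnemonics"]) >= min_instructions and ratio >= threshold:
            hits.append((addr, block["func"], ratio))
    return hits


if __name__ == "__main__":
    for addr, func, ratio in flag_blocks(parse_blocks(SAMPLE_LISTING)):
        print("0x%x %s %.2f" % (addr, func, ratio))
```

The XOR loop body scores only 1/6 and the four-instruction shift block is dropped by the length guard, which is why a counting heuristic like this is combined with other methods and a verification step.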
mov eax, ecx
pop ecx
xchg esp, eax
mov eax, dword ptr ds:|eax|
mov dword ptr ss:|esp|, eax
ret
17
BBL 0x404e39 atext (5):
mov ed, ed
push ebp
mov ebp, esp
push dword ptr ss:|ebp+0x8|
ca 0x404d94
BBL 0x404d94 _onext (3):
push 0x14
push 0x40c3e8
ca 0x40500c
BBL 0x40500c __SEH_proog4 (21):
push 0x405065
push dword ptr fs:|0x0|
mov eax, dword ptr ss:|esp+0x10|
mov dword ptr ss:|esp+0x10|, ebp
ea ebp, ptr |esp+0x10|
sub esp, eax
push ebx
push es
push ed
mov eax, dword ptr ds:|0x415410|
xor dword ptr ss:|ebp-0x4|, eax
xor eax, ebp
push eax
mov dword ptr ss:|ebp-0x18|, esp
push dword ptr ss:|ebp-0x8|
mov eax, dword ptr ss:|ebp-0x4|
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
mov dword ptr ss:|ebp-0x8|, eax
ea eax, ptr |ebp-0x10|
mov dword ptr fs:|0x0|, eax
ret
BBL 0x4013d8 _DES_set_key_unchecked (4):
cmp dword ptr ds:|edx-0x4|, 0x0
mov es, ecx
mov ebx, ed
|z 0x4013f0
2
BBL 0x4013e2 _DES_set_key_unchecked (5):
sh es, 0x1a
shr ecx, 0x2
sh ebx, 0x1a
shr ed, 0x2
|mp 0x4013fa
2
2
BBL 0x4011ef man (3):
mov esp, ebp
pop ebp
ret
BBL 0x4047ac __tmanCRTStartup (4):
add esp, 0xc
mov dword ptr ds:|0x416b7c|, eax
cmp dword ptr ds:|0x416b70|, ebx
|nz 0x4047f3
BBL 0x4047bc __tmanCRTStartup (2):
push eax
ca dword ptr ds:|0x406084|
BBL 0x40511d __securty_nt_cooke (5):
mov eax, dword ptr ss:|ebp-0xc|
xor eax, dword ptr ss:|ebp-0x10|
xor es, eax
cmp es, ed
|nz 0x405130
BBL 0x405130 __securty_nt_cooke (2):
test ebx, es
|nz 0x40513b
BBL 0x40513b __securty_nt_cooke (8):
mov dword ptr ds:|0x415410|, es
not es
mov dword ptr ds:|0x415414|, es
pop es
pop ed
pop ebx
eave
ret
BBL 0x4048f1 pre_c_nt (2):
xor eax, eax
ret
BBL 0x405200 __sse2_avaabe_nt (1):
ca 0x40519e
BBL 0x40519e _get_sse2_nfo (20):
mov ed, ed
push ebp
mov ebp, esp
sub esp, 0x18
xor eax, eax
push ebx
mov dword ptr ss:|ebp-0x4|, eax
mov dword ptr ss:|ebp-0xc|, eax
mov dword ptr ss:|ebp-0x8|, eax
push ebx
pushfd
pop eax
mov ecx, eax
xor eax, 0x200000
push eax
popfd
pushfd
pop edx
sub edx, ecx
|z 0x4051e3
BBL 0x401135 man (5):
mov ecx, dword ptr ss:|esp+0x20|
mov edx, dword ptr ds:|ecx+0xc|
push 0x40c2c8
push edx
ca ebx
BBL 0x401144 man (4):
mov ed, eax
add esp, 0x14
test ed, ed
|nz 0x401157
BBL 0x401157 man (5):
mov eax, dword ptr ss:|esp+0x14|
mov ecx, dword ptr ds:|eax+0x10|
push 0x40c314
push ecx
ca ebx
BBL 0x404865 pre_c_nt (7):
xor ecx, ecx
cmp dword ptr ds:|eax+0xe8|, ecx
setnz c
mov eax, ecx
push 0x1
mov dword ptr ds:|0x416b70|, eax
ca dword ptr ds:|0x4060ac|
BBL 0x4010e2 man (4):
mov ed, eax
add esp, 0x8
test ed, ed
|nz 0x4010f5
BBL 0x4051ed _get_sse2_nfo (1):
ca 0x40514e
BBL 0x40514e has_osfxsr_set (3):
push 0xc
push 0x40c428
ca 0x40500c
BBL 0x401177 man (4):
mov es, eax
add esp, 0x18
test es, es
|e 0x4011cd
BBL 0x4046e5 __tmanCRTStartup (5):
xor es, es
nc es
mov eax, dword ptr ds:|0x416ec8|
cmp eax, es
|nz 0x4046fb
BBL 0x4046fb __tmanCRTStartup (3):
mov eax, dword ptr ds:|0x416ec8|
test eax, eax
|nz 0x404730
BBL 0x404704 __tmanCRTStartup (4):
mov dword ptr ds:|0x416ec8|, es
push 0x40614c
push 0x40613c
ca 0x405004
BBL 0x40518e has_osfxsr_set (3):
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
mov eax, dword ptr ss:|ebp-0x1c|
ca 0x405051
BBL 0x404813 pre_c_nt (3):
mov eax, 0x5a4d
cmp word ptr ds:|0x400000|, ax
|z 0x404825
BBL 0x404633 __securty_check_cooke (1):
ret
BBL 0x404719 __tmanCRTStartup (4):
pop ecx
pop ecx
test eax, eax
|z 0x404736
BBL 0x404736 __tmanCRTStartup (3):
mov eax, dword ptr ds:|0x416ec8|
cmp eax, es
|nz 0x40475a
BBL 0x404ffe __ntterm (1):
|mp dword ptr ds:|0x40608c|
BBL 0x404652 pre_cpp_nt (2):
push 0x404e76
ca 0x404e39
BBL 0x4050b5 _setargv (2):
xor eax, eax
ret
BBL 0x4048c5 pre_c_nt (2):
cmp dword ptr ds:|0x415424|, 0x0
|nz 0x4048da
BBL 0x4048da pre_c_nt (1):
ca 0x40508a
BBL 0x4048a7 pre_c_nt (6):
mov ecx, dword ptr ds:|0x416eb4|
mov dword ptr ds:|eax|, ecx
mov eax, dword ptr ds:|0x40609c|
mov eax, dword ptr ds:|eax|
mov dword ptr ds:|0x416ec4|, eax
ca 0x404e50
BBL 0x404e46 atext (7):
neg eax
sbb eax, eax
neg eax
pop ecx
dec eax
pop ebp
ret
BBL 0x40152d _DES_set_key_unchecked (72):
and ed, 0xfffffff
mov edx, ed
shr edx, 0x1
mov ecx, edx
and ecx, 0x7000000
mov es, ed
and es, 0xc00000
or ecx, es
shr ecx, 0x1
mov es, ed
and es, 0x100000
or ecx, es
mov es, edx
and es, 0x60000
shr ecx, 0x14
mov ecx, dword ptr ds:|ecx*4+0x406e48|
mov dword ptr ss:|esp+0x1c|, edx
and edx, 0xf00
mov ebx, ed
and ebx, 0x1e000
or es, ebx
shr es, 0xd
or ecx, dword ptr ds:|es*4+0x406d48|
mov es, ed
and es, 0xc0
or edx, es
shr edx, 0x6
or ecx, dword ptr ds:|edx*4+0x406c48|
and ebp, 0xfffffff
mov edx, ed
and edx, 0x3f
or ecx, dword ptr ds:|edx*4+0x406b48|
mov edx, ebp
shr edx, 0x1
mov es, edx
and es, 0x6000000
mov dword ptr ss:|esp+0x18|, edx
mov ebx, ebp
and ebx, 0x1e00000
or es, ebx
mov ebx, edx
shr es, 0x15
and ebx, 0x1e00
mov edx, ebp
and edx, 0x180
or ebx, edx
mov edx, dword ptr ds:|es*4+0x407248|
shr ebx, 0x7
or edx, dword ptr ds:|ebx*4+0x407048|
mov es, ebp
shr es, 0xf
and es, 0x3f
or edx, dword ptr ds:|es*4+0x407148|
mov es, ebp
and es, 0x3f
or edx, dword ptr ds:|es*4+0x406f48|
movzx es, cx
mov ebx, edx
sh ebx, 0x10
or es, ebx
shr ecx, 0x10
ror es, 0x1e
and edx, 0xffff0000
mov dword ptr ds:|eax|, es
add eax, 0x4
or ecx, edx
ror ecx, 0x1a
mov dword ptr ds:|eax|, ecx
mov ecx, dword ptr ss:|esp+0x10|
add eax, 0x4
cmp dword ptr ds:|ecx+0x4|, 0x0
|z 0x40164b
4
BBL 0x40508a _setdefautprecson (7):
mov ed, ed
push es
push 0x30000
push 0x10000
xor es, es
push es
ca 0x40523e
BBL 0x40474e __tmanCRTStartup (5):
pop ecx
pop ecx
mov dword ptr ds:|0x416ec8|, 0x2
cmp dword ptr ss:|ebp-0x1c|, ebx
|nz 0x404767
BBL 0x40178d _DES_set_key_unchecked (71):
and ecx, 0xfffffff
mov es, ecx
shr es, 0x1
mov edx, es
and edx, 0x7000000
mov ebx, ecx
and ebx, 0xc00000
or edx, ebx
shr edx, 0x1
mov ebx, ecx
and ebx, 0x100000
or edx, ebx
mov ebx, es
and ebx, 0x60000
shr edx, 0x14
mov edx, dword ptr ds:|edx*4+0x406e48|
and es, 0xf00
mov ebp, ecx
and ebp, 0x1e000
or ebx, ebp
shr ebx, 0xd
or edx, dword ptr ds:|ebx*4+0x406d48|
mov ebx, ecx
and ebx, 0xc0
or es, ebx
shr es, 0x6
or edx, dword ptr ds:|es*4+0x406c48|
and ed, 0xfffffff
mov es, ecx
and es, 0x3f
or edx, dword ptr ds:|es*4+0x406b48|
mov ebx, ed
shr ebx, 0x1
mov es, ebx
and es, 0x6000000
and ebx, 0x1e00
mov ebp, ed
and ebp, 0x1e00000
or es, ebp
shr es, 0x15
mov es, dword ptr ds:|es*4+0x407248|
mov ebp, ed
and ebp, 0x180
or ebx, ebp
shr ebx, 0x7
or es, dword ptr ds:|ebx*4+0x407048|
mov ebx, ed
shr ebx, 0xf
and ebx, 0x3f
or es, dword ptr ds:|ebx*4+0x407148|
mov ebx, ed
and ebx, 0x3f
or es, dword ptr ds:|ebx*4+0x406f48|
movzx ebx, dx
mov ebp, es
sh ebp, 0x10
or ebx, ebp
shr edx, 0x10
ror ebx, 0x1e
and es, 0xffff0000
or edx, es
mov dword ptr ds:|eax|, ebx
add eax, 0x4
ror edx, 0x1a
mov dword ptr ds:|eax|, edx
mov edx, dword ptr ss:|esp+0x10|
add edx, 0x10
add eax, 0x4
cmp edx, 0x40d04c
mov dword ptr ss:|esp+0x10|, edx
| 0x4013d8
3
BBL 0x401898 _DES_set_key_unchecked (6):
pop ed
pop es
pop ebp
pop ebx
pop ecx
ret
BBL 0x401000 man (14):
push ebp
mov ebp, esp
and esp, 0xf8
sub esp, 0xac
mov eax, dword ptr ds:|0x415410|
xor eax, esp
mov dword ptr ss:|esp+0xa8|, eax
cmp dword ptr ss:|ebp+0x8|, 0x5
push ebx
push es
push ed
mov ed, dword ptr ss:|ebp+0xc|
mov dword ptr ss:|esp+0x14|, ed
|n 0x40104f
3
BBL 0x40107c man (2):
xor eax, eax
|mp 0x401085
BBL 0x40473f __tmanCRTStartup (3):
push 0x406138
push 0x406130
ca 0x404ffe
BBL 0x4012da _DES_set_key_unchecked (91):
mov edx, dword ptr ss:|esp+0x8|
movzx ecx, byte ptr ds:|edx|
push ebx
push ebp
push es
ea es, ptr |edx+0x1|
movzx edx, byte ptr ds:|es|
nc es
nc es
nc es
sh edx, 0x8
or ecx, edx
movzx edx, byte ptr ds:|es-0x2|
nc es
nc es
sh edx, 0x10
or ecx, edx
movzx edx, byte ptr ds:|es-0x3|
push ed
movzx ed, byte ptr ds:|es-0x1|
sh edx, 0x18
or ecx, edx
movzx edx, byte ptr ds:|es-0x2|
sh ed, 0x8
or edx, ed
movzx ed, byte ptr ds:|es+0x1|
movzx es, byte ptr ds:|es|
sh ed, 0x8
or ed, es
sh ed, 0x10
or edx, ed
mov es, edx
shr es, 0x4
xor es, ecx
and es, 0xf0f0f0f
xor ecx, es
sh es, 0x4
xor edx, es
mov es, ecx
sh es, 0x12
xor es, ecx
and es, 0xcccc0000
mov ed, es
shr ed, 0x12
xor ed, es
mov es, edx
sh es, 0x12
xor es, edx
and es, 0xcccc0000
xor ecx, ed
mov ed, es
shr ed, 0x12
xor ed, es
xor edx, ed
mov es, edx
shr es, 0x1
xor es, ecx
and es, 0x55555555
xor ecx, es
add es, es
xor edx, es
mov eax, dword ptr ss:|esp+0x1c|
mov es, ecx
shr es, 0x8
xor es, edx
and es, 0xff00ff
xor edx, es
sh es, 0x8
xor ecx, es
mov es, edx
shr es, 0x1
xor es, ecx
and es, 0x55555555
xor ecx, es
add es, es
xor edx, es
mov ed, edx
shr ed, 0xc
and ed, 0xff0
mov es, ecx
and es, 0xf000000f
or ed, es
movzx es, d
shr ed, 0x4
sh es, 0x10
and edx, 0xff00
or ed, es
or ed, edx
mov edx, 0x40d00c
and ecx, 0xfffffff
mov dword ptr ss:|esp+0x10|, edx
BBL 0x405111 __securty_nt_cooke (4):
xor es, eax
ea eax, ptr |ebp-0x10|
push eax
ca dword ptr ds:|0x406018|
BBL 0x404e76 _RTC_Termnate (8):
mov ed, ed
push es
mov eax, 0x40c3c0
mov es, 0x40c3c0
push ed
mov ed, eax
cmp eax, es
|nb 0x404e99
BBL 0x404e99 _RTC_Termnate (3):
pop ed
pop es
ret
BBL 0x4048f9 manCRTStartup (1):
|mp 0x40469d
BBL 0x40469d __tmanCRTStartup (3):
push 0x10
push 0x40c3c8
ca 0x40500c
BBL 0x401166 man (7):
push ed
push 0x8
ea edx, ptr |esp+0xac|
push 0x1
push edx
mov ebx, eax
ca es
BBL 0x4046c8 __tmanCRTStartup (2):
cmp eax, ebx
|z 0x4046e5
BBL 0x40515a has_osfxsr_set (4):
and dword ptr ss:|ebp-0x4|, 0x0
movapd xmm0, xmm1
mov dword ptr ss:|ebp-0x1c|, 0x1
|mp 0x40518e
BBL 0x405004 __ntterm_e (1):
|mp dword ptr ds:|0x406090|
BBL 0x40106a man (3):
mov d, byte ptr ds:|eax+0x1|
cmp d, byte ptr ds:|ecx+0x1|
|nz 0x401080
BBL 0x4046a9 __tmanCRTStartup (10):
xor ebx, ebx
mov dword ptr ss:|ebp-0x4|, ebx
mov eax, dword ptr fs:|0x18|
mov es, dword ptr ds:|eax+0x4|
mov dword ptr ss:|ebp-0x1c|, ebx
mov ed, 0x416ecc
push ebx
push es
push ed
ca dword ptr ds:|0x406030|
BBL 0x40122a _DES_ecb_encrypt (36):
mov eax, dword ptr ss:|esp+0xc|
movzx ecx, byte ptr ds:|eax|
movzx edx, byte ptr ds:|eax+0x1|
nc eax
sh edx, 0x8
or ecx, edx
movzx edx, byte ptr ds:|eax+0x1|
nc eax
sh edx, 0x10
or ecx, edx
movzx edx, byte ptr ds:|eax+0x1|
nc eax
sh edx, 0x18
or ecx, edx
nc eax
movzx edx, byte ptr ds:|eax+0x1|
mov dword ptr ss:|esp|, ecx
movzx ecx, byte ptr ds:|eax|
nc eax
sh edx, 0x8
or ecx, edx
movzx edx, byte ptr ds:|eax+0x2|
nc eax
movzx eax, byte ptr ds:|eax|
sh edx, 0x8
or edx, eax
sh edx, 0x10
or edx, ecx
mov ecx, dword ptr ss:|esp+0x18|
mov dword ptr ss:|esp+0x4|, edx
mov edx, dword ptr ss:|esp+0x14|
push ecx
push edx
ea eax, ptr |esp+0x8|
push eax
ca 0x4018a0
16
16
BBL 0x40523e __controfp_s (1):
|mp dword ptr ds:|0x4060d4|
BBL 0x404dc0 _onext (2):
pop ecx
|mp 0x404e2a
3
BBL 0x4050b8 __securty_nt_cooke (13):
mov ed, ed
push ebp
mov ebp, esp
sub esp, 0x10
mov eax, dword ptr ds:|0x415410|
and dword ptr ss:|ebp-0x8|, 0x0
and dword ptr ss:|ebp-0x4|, 0x0
push ebx
push ed
mov ed, 0xbb40e64e
mov ebx, 0xffff0000
cmp eax, ed
|z 0x4050ea
BBL 0x4051f2 _get_sse2_nfo (2):
test eax, eax
|z 0x4051fb
BBL 0x4051f6 _get_sse2_nfo (3):
xor eax, eax
nc eax
|mp 0x4051fd
BBL 0x4051fd _get_sse2_nfo (3):
pop ebx
eave
ret
BBL 0x4018a0 _DES_encrypt1 (49):
push ebx
push ebp
push es
push ed
mov ecx, dword ptr ss:|esp+0x14|
mov edx, dword ptr ds:|ecx+0x4|
mov eax, dword ptr ds:|ecx|
mov ecx, edx
shr ecx, 0x4
xor ecx, eax
and ecx, 0xf0f0f0f
xor eax, ecx
sh ecx, 0x4
xor edx, ecx
mov ecx, eax
shr ecx, 0x10
xor ecx, edx
and ecx, 0xffff
xor edx, ecx
sh ecx, 0x10
xor eax, ecx
mov ecx, edx
shr ecx, 0x2
xor ecx, eax
and ecx, 0x33333333
xor eax, ecx
add ecx, ecx
add ecx, ecx
xor edx, ecx
mov ecx, eax
shr ecx, 0x8
xor ecx, edx
and ecx, 0xff00ff
xor edx, ecx
sh ecx, 0x8
xor eax, ecx
mov es, edx
shr es, 0x1
xor es, eax
and es, 0x55555555
mov ecx, es
xor ecx, eax
ea eax, ptr |es+es*1|
mov es, dword ptr ss:|esp+0x18|
xor eax, edx
ror ecx, 0x1d
ror eax, 0x1d
cmp dword ptr ss:|esp+0x1c|, 0x0
|z 0x401b39
16
BBL 0x4051c4 _get_sse2_nfo (15):
push ecx
popfd
xor eax, eax
cpud
mov dword ptr ss:|ebp-0xc|, eax
mov dword ptr ss:|ebp-0x18|, ebx
mov dword ptr ss:|ebp-0x14|, edx
mov dword ptr ss:|ebp-0x10|, ecx
mov eax, 0x1
cpud
mov dword ptr ss:|ebp-0x4|, edx
mov dword ptr ss:|ebp-0x8|, eax
pop ebx
test dword ptr ss:|ebp-0x4|, 0x4000000
|z 0x4051fb
BBL 0x401928 _DES_encrypt1 (2):
add es, 0x8
mov dword ptr ss:|esp+0x18|, 0x4
16
16
16
BBL 0x4048f4 manCRTStartup (1):
ca 0x4050b8
BBL 0x405109 __securty_nt_cooke (2):
xor es, eax
ca dword ptr ds:|0x406014|
Figure 4.1.: OpenSSL implementation of DES
In Figure 4.1 we show Observation 1 for a part of the OpenSSL DES implementation,
and in Figure 4.2 we show this observation for three different MD5 implementations.
In the DES example, 16 of the 25 instructions are bitwise. This reproduces
the results from Wang et al. [82] and the percentages in Table 2.5. Spot checks by
us and by Wang et al. show that non-cryptographic code has a lower bitwise arithmetic
percentage than cryptographic code. For example, the BMP image processing routine
has a percentage of 23.95%. Therefore, we can conclude that the opposite of the
observation, i.e., that non-cryptographic code contains a low percentage of bitwise
arithmetic instructions, is verified empirically.
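The per-block measurement behind this observation can be sketched as follows. This is an added example, not code from the thesis. It parses a listing in the `BBL <address> <function> (<count>):` format of the figures and computes each block's share of bitwise instructions. The mnemonic set, the 0.55 threshold, the minimum block size and the handling of `xor reg, reg` zeroing are assumptions made here, and the sample listing is constructed.

```python
import re
from dataclasses import dataclass, field

# Assumption: mnemonics counted as "bitwise arithmetic" for this sketch.
BITWISE = frozenset({"and", "or", "xor", "not", "shl", "shr", "sal", "sar",
                     "rol", "ror", "rcl", "rcr", "shld", "shrd"})
PREFIXES = frozenset({"rep", "repe", "repz", "repne", "repnz", "lock"})
HEADER = re.compile(r"^BBL\s+(0x[0-9a-fA-F]+)\s+(\S+)\s+\((\d+)\):$")
COUNTER = re.compile(r"^\d+(\s+\d+)*$")  # bare numbers printed between blocks


def is_same_register(operands):
    """True for 'eax, eax' style operands (no memory reference)."""
    parts = [p.strip() for p in operands.split(",")]
    return len(parts) == 2 and parts[0] == parts[1] and "[" not in parts[0]


@dataclass
class Block:
    address: int
    function: str
    declared: int                                      # count from the header
    instructions: list = field(default_factory=list)   # (mnemonic, operands)

    @property
    def complete(self):
        # A truncated listing yields fewer instructions than the header states.
        return len(self.instructions) == self.declared

    def bitwise_count(self, ignore_zeroing=True):
        count = 0
        for mnemonic, operands in self.instructions:
            if mnemonic not in BITWISE:
                continue
            # 'xor eax, eax' only clears a register; counting it inflates
            # the ratio of tiny blocks such as 'xor eax, eax / ret'.
            if ignore_zeroing and mnemonic == "xor" and is_same_register(operands):
                continue
            count += 1
        return count

    def ratio(self, ignore_zeroing=True):
        if not self.instructions:
            return 0.0
        return self.bitwise_count(ignore_zeroing) / len(self.instructions)


def parse_listing(text):
    """Parse a BBL listing; lines before the first header are ignored."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or COUNTER.match(line):
            continue
        header = HEADER.match(line)
        if header:
            current = Block(int(header.group(1), 16), header.group(2),
                            int(header.group(3)))
            blocks.append(current)
            continue
        if current is None:
            continue
        tokens = line.split(None, 1)
        mnemonic = tokens[0].lower()
        rest = tokens[1] if len(tokens) > 1 else ""
        while mnemonic in PREFIXES and rest:   # skip 'rep', 'lock', ...
            tokens = rest.split(None, 1)
            mnemonic = tokens[0].lower()
            rest = tokens[1] if len(tokens) > 1 else ""
        current.instructions.append((mnemonic, rest))
    return blocks


def candidates(blocks, threshold=0.55, min_instructions=10, ignore_zeroing=True):
    """Addresses of complete blocks whose bitwise ratio reaches the threshold.

    threshold and min_instructions are assumed values for this sketch.
    """
    return [b.address for b in blocks
            if b.complete
            and len(b.instructions) >= min_instructions
            and b.ratio(ignore_zeroing) >= threshold]


# Constructed sample in the style of the figures (not taken from a real trace).
SAMPLE = """\
ret
BBL 0x401000 round_fragment (12):
mov ebx, edx
shr ebx, 0x12
and ebx, 0x3f
mov ebx, dword ptr ds:[ebx*4+0x406670]
mov ebp, edx
shr ebp, 0xa
and ebp, 0x3f
xor ebx, dword ptr ds:[ebp*4+0x406470]
xor ecx, ebx
ror edx, 0x4
sub dword ptr ss:[esp+0x18], 0x1
jnz 0x401000
16
BBL 0x402000 copy_loop (6):
mov al, byte ptr ds:[esi]
mov byte ptr ds:[edi], al
inc esi
inc edi
dec ecx
jnz 0x402000
BBL 0x403000 return_zero (2):
xor eax, eax
ret
"""

if __name__ == "__main__":
    for block in parse_listing(SAMPLE):
        print(f"{block.address:#x} {block.function}: {block.ratio():.2%}")
```

Without the size filter and the zeroing rule, the two-instruction `return_zero` block reaches 50% and is flagged alongside the cipher round, which is why short blocks need separate treatment.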
[Figure: basic-block (BBL) disassembly listing, including the blocks that load the MD5 initialisation constants 0x67452301, 0xefcdab89, 0x98badcfe and 0x10325476]
|z 0x406cfa
2
BBL 0x403a6e .text (3):
add esp, 0x14
pop ebp
ret
5
BBL 0x403713 .text (3):
add esp, 0x10
test eax, eax
|n 0x40371f
2
BBL 0x403236 .text (5):
add esp, 0x4
mov edx, dword ptr ss:|ebp-0xc8|
ea ecx, ptr |ebp-0xc8|
mov eax, dword ptr ds:|edx+0x1c|
ca eax
BBL 0x4032a3 .text (5):
add esp, 0x4
mov dword ptr ss:|ebp-0x4e4|, 0x0
mov dword ptr ss:|ebp-0x4|, 0xffffffff
ea ecx, ptr |ebp-0xc8|
ca 0x4024f0
BBL 0x403294 .text (4):
add esp, 0x10
mov edx, dword ptr ss:|ebp-0x4e0|
push edx
ca 0x40373a
BBL 0x406158 unnamedImageEntryPont (3):
add esp, 0xc
cmp eax, ed
|nz 0x40616e
BBL 0x4062ae unnamedImageEntryPont (2):
pop ecx
ret
BBL 0x40779b unnamedImageEntryPont (8):
and dword ptr ds:|ed+0xc|, 0x8000
mov dword ptr ds:|ed+0x4|, ebx
mov dword ptr ds:|ed+0x8|, ebx
mov dword ptr ds:|ed|, ebx
mov dword ptr ds:|ed+0x1c|, ebx
or dword ptr ds:|ed+0x10|, 0xff
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
ca 0x4077c8
BBL 0x4077c8 unnamedImageEntryPont (2):
push 0x1
ca 0x40a3fc
2
2
BBL 0x409da7 unnamedImageEntryPont (3):
pop ecx
test eax, eax
|z 0x409db9
BBL 0x409db9 unnamedImageEntryPont (5):
mov ecx, dword ptr ss:|ebp+0xc|
mov a, byte ptr ds:|es|
nc dword ptr ss:|ebp+0xc|
mov byte ptr ds:|ecx|, a
|mp 0x409dd2
34
BBL 0x409dd2 unnamedImageEntryPont (4):
nc dword ptr ds:|ed|
mov edx, dword ptr ss:|ebp+0xc|
nc es
|mp 0x409d33
34
BBL 0x40e7dc unnamedImageEntryPont (3):
nc eax
cmp ecx, ebx
|nz 0x40e7d7
BBL 0x40e7d7 unnamedImageEntryPont (3):
dec ecx
cmp byte ptr ds:|eax|, b
|z 0x40e7e4
510
BBL 0x40e7e1 unnamedImageEntryPont (6):
or ecx, 0xff
mov eax, dword ptr ss:|ebp+0x14|
sub eax, ecx
dec eax
cmp eax, dword ptr ss:|ebp+0x14|
|n 0x40e7f0
2
512
2
BBL 0x409d09 unnamedImageEntryPont (3):
mov a, byte ptr ds:|es|
cmp a, 0x20
|z 0x409d13
4
BBL 0x409df2 unnamedImageEntryPont (5):
mov eax, dword ptr ss:|ebp+0x8|
pop es
pop ebx
test eax, eax
|z 0x409dfe
2
BBL 0x409d0f unnamedImageEntryPont (2):
cmp a, 0x9
|nz 0x409d19
4
BBL 0x409d13 unnamedImageEntryPont (2):
nc es
|mp 0x409d09
2
BBL 0x409dfe unnamedImageEntryPont (3):
nc dword ptr ds:|ecx|
eave
ret
BBL 0x409dfb unnamedImageEntryPont (1):
and dword ptr ds:|eax|, 0x0
BBL 0x40c6e9 unnamedImageEntryPont (9):
mov dword ptr ss:|ebp-0x4|, es
push dword ptr ss:|ebp+0x14|
push dword ptr ss:|ebp+0x10|
push dword ptr ss:|ebp+0xc|
push dword ptr ss:|ebp+0x8|
ea eax, ptr |ebp-0x1c|
push eax
mov eax, ed
ca 0x40bf6d
BBL 0x40bf6d unnamedImageEntryPont (15):
mov ed, ed
push ebp
mov ebp, esp
sub esp, 0x30
push ebx
xor ebx, ebx
test byte ptr ss:|ebp+0x10|, 0x80
push es
push ed
mov es, eax
mov dword ptr ss:|ebp-0x20|, ebx
mov byte ptr ss:|ebp-0x2|, b
mov dword ptr ss:|ebp-0x30|, 0xc
mov dword ptr ss:|ebp-0x2c|, ebx
|z 0x40bf9b
2
BBL 0x40bf9b unnamedImageEntryPont (5):
mov dword ptr ss:|ebp-0x28|, 0x1
mov byte ptr ss:|ebp-0x1|, b
ea eax, ptr |ebp-0x20|
push eax
ca 0x40e52a
2
BBL 0x409c21 unnamedImageEntryPont (1):
add ed, 0x4
42
BBL 0x409c26 unnamedImageEntryPont (2):
cmp byte ptr ds:|es|, 0x0
|nz 0x409be4
43
BBL 0x406dc4 unnamedImageEntryPont (2):
test c, 0x2
|nz 0x4072cc
BBL 0x406dcd unnamedImageEntryPont (2):
cmp dword ptr ss:|ebp+0xc|, ebx
|z 0x406e09
2
BBL 0x406dd2 unnamedImageEntryPont (9):
mov a, byte ptr ds:|eax+0x24|
add a, a
sar a, 0x1
mov byte ptr ss:|ebp-0x2|, a
movsx eax, a
dec eax
push 0x4
pop ecx
|z 0x406e01
2
BBL 0x40d54e unnamedImageEntryPont (3):
mov eax, dword ptr ds:|ed+0xc0|
test eax, eax
|z 0x40d55b
BBL 0x40d55b unnamedImageEntryPont (2):
ea ebx, ptr |ed+0x50|
mov dword ptr ss:|ebp+0x8|, 0x6
BBL 0x40d565 unnamedImageEntryPont (2):
cmp dword ptr ds:|ebx-0x8|, 0x414d18
|z 0x40d577
BBL 0x40b9b9 unnamedImageEntryPont (2):
push 0xb
ca 0x40a4d6
2
BBL 0x403530 .text (7):
mov ed, dword ptr ss:|ebp+0xc|
mu ed, dword ptr ss:|ebp+0x10|
test dword ptr ds:|es+0xc|, 0x10c
mov dword ptr ss:|ebp-0x4|, ecx
mov dword ptr ss:|ebp-0xc|, ed
mov ebx, ed
|z 0x403550
BBL 0x403550 .text (3):
mov dword ptr ss:|ebp-0x8|, 0x1000
test ed, ed
|z 0x40361e
BBL 0x40355f .text (3):
mov ecx, dword ptr ds:|es+0xc|
and ecx, 0x108
|z 0x403599
BBL 0x409d19 unnamedImageEntryPont (2):
cmp byte ptr ds:|es|, 0x0
|z 0x409df2
4
2
BBL 0x40ba4b unnamedImageEntryPont (2):
test byte ptr ds:|es+0x4|, 0x1
|z 0x40ba6c
BBL 0x40ba6c unnamedImageEntryPont (2):
cmp dword ptr ss:|ebp-0x24|, 0x0
|nz 0x40ba58
2
BBL 0x40ba72 unnamedImageEntryPont (10):
mov byte ptr ds:|es+0x4|, 0x1
or dword ptr ds:|es|, 0xff
sub es, dword ptr ds:|ed*4+0x4160e0|
sar es, 0x6
mov eax, ed
sh eax, 0x5
add es, eax
mov dword ptr ss:|ebp-0x1c|, es
cmp dword ptr ss:|ebp-0x1c|, 0xff
|nz 0x40bb0c
2
BBL 0x408914 unnamedImageEntryPont (3):
push dword ptr ds:|0x414588|
mov ed, eax
ca 0x4087b2
BBL 0x4087b2 unnamedImageEntryPont (4):
mov ed, ed
push es
push dword ptr ds:|0x41458c|
ca dword ptr ds:|0x41006c|
117
BBL 0x4087c1 unnamedImageEntryPont (3):
mov es, eax
test es, es
|nz 0x4087e2
117
BBL 0x40d0c1 unnamedImageEntryPont (5):
push 0x101
ea eax, ptr |ebx+0x1c|
push es
push eax
ca 0x404160
BBL 0x404160 .text (4):
mov edx, dword ptr ss:|esp+0xc|
mov ecx, dword ptr ss:|esp+0x4|
test edx, edx
|z 0x4041d5
BBL 0x40416c .text (4):
xor eax, eax
mov a, byte ptr ss:|esp+0x8|
test a, a
|nz 0x40418c
5
BBL 0x40d35c unnamedImageEntryPont (3):
mov dword ptr ds:|0x414c18|, ebx
push ebx
ca ed
BBL 0x40d365 unnamedImageEntryPont (2):
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
ca 0x40d373
BBL 0x40d373 unnamedImageEntryPont (2):
push 0xd
ca 0x40a3fc
BBL 0x409488 unnamedImageEntryPont (3):
mov es, dword ptr ss:|ebp+0x10|
cmp es, ebx
|nz 0x409493
BBL 0x409493 unnamedImageEntryPont (1):
mov edx, ecx
42
BBL 0x409495 unnamedImageEntryPont (6):
mov a, byte ptr ds:|es|
mov byte ptr ds:|edx|, a
nc edx
nc es
cmp a, b
|z 0x4094a2
42
BBL 0x40de56 unnamedImageEntryPont (2):
cmp dword ptr ss:|ebp+0x10|, 0x0
|z 0x40de6e
BBL 0x40de6e unnamedImageEntryPont (3):
xor eax, eax
test eax, eax
|z 0x40de77
110
BBL 0x40de77 unnamedImageEntryPont (2):
cmp byte ptr ss:|ebp-0x4|, 0x0
|z 0x40de84
110
BBL 0x40c282 unnamedImageEntryPont (23):
mov eax, dword ptr ds:|es|
mov edx, eax
and eax, 0x1f
sar edx, 0x5
mov edx, dword ptr ds:|edx*4+0x4160e0|
pop ecx
sh eax, 0x6
pop ecx
mov c, byte ptr ss:|ebp-0x1|
or c, 0x1
mov byte ptr ds:|edx+eax*1+0x4|, c
mov eax, dword ptr ds:|es|
mov edx, eax
and eax, 0x1f
sar edx, 0x5
mov edx, dword ptr ds:|edx*4+0x4160e0|
sh eax, 0x6
ea eax, ptr |edx+eax*1+0x24|
and byte ptr ds:|eax|, 0x80
mov byte ptr ss:|ebp-0x3|, c
and byte ptr ss:|ebp-0x3|, 0x48
mov byte ptr ss:|ebp-0x1|, c
|nz 0x40c34d
BBL 0x40c2cd unnamedImageEntryPont (2):
test c, 0x80
|z 0x40c587
2
BBL 0x40c587 unnamedImageEntryPont (27):
mov eax, dword ptr ds:|es|
mov ecx, eax
sar ecx, 0x5
mov ecx, dword ptr ds:|ecx*4+0x4160e0|
and eax, 0x1f
sh eax, 0x6
ea eax, ptr |ecx+eax*1+0x24|
mov c, byte ptr ds:|eax|
xor c, byte ptr ss:|ebp-0x2|
and c, 0x7f
xor byte ptr ds:|eax|, c
mov eax, dword ptr ds:|es|
mov ecx, eax
sar ecx, 0x5
mov ecx, dword ptr ds:|ecx*4+0x4160e0|
and eax, 0x1f
sh eax, 0x6
ea eax, ptr |ecx+eax*1+0x24|
mov ecx, dword ptr ss:|ebp+0x10|
mov d, byte ptr ds:|eax|
shr ecx, 0x10
sh c, 0x7
and d, 0x7f
or c, d
mov byte ptr ds:|eax|, c
cmp byte ptr ss:|ebp-0x3|, b
|nz 0x40c5f9
2
BBL 0x408b50 unnamedImageEntryPont (7):
mov eax, dword ptr ds:|0x41006c|
mov dword ptr ds:|0x41562c|, eax
mov eax, dword ptr ds:|0x410078|
mov dword ptr ds:|0x415628|, 0x4087a9
mov dword ptr ds:|0x415630|, es
mov dword ptr ds:|0x415634|, eax
ca dword ptr ds:|0x410070|
BBL 0x408b7a unnamedImageEntryPont (3):
mov dword ptr ds:|0x41458c|, eax
cmp eax, 0xff
|z 0x408c54
BBL 0x408b88 unnamedImageEntryPont (3):
push dword ptr ds:|0x41562c|
push eax
ca es
BBL 0x40ba3b unnamedImageEntryPont (2):
cmp dword ptr ss:|ebp-0x24|, 0x0
|nz 0x40ba58
BBL 0x40ba41 unnamedImageEntryPont (3):
ea ebx, ptr |es+0xc|
push ebx
ca dword ptr ds:|0x410014|
2
2
BBL 0x40fbd0 unnamedImageEntryPont (2):
push 0x40fc60
ca 0x404875
BBL 0x404875 unnamedImageEntryPont (5):
mov ed, ed
push ebp
mov ebp, esp
push dword ptr ss:|ebp+0x8|
ca 0x404839
BBL 0x404839 unnamedImageEntryPont (3):
push 0xc
push 0x412600
ca 0x406858
5
BBL 0x40887b unnamedImageEntryPont (7):
mov dword ptr ds:|es+0x1fc|, eax
mov dword ptr ds:|es+0x70|, ed
mov byte ptr ds:|es+0xc8|, 0x43
mov byte ptr ds:|es+0x14b|, 0x43
mov dword ptr ds:|es+0x68|, 0x4147f0
push 0xd
ca 0x40a4d6
BBL 0x40b9d0 unnamedImageEntryPont (3):
mov es, dword ptr ds:|ed*4+0x4160e0|
test es, es
|z 0x40ba99
BBL 0x40b9df unnamedImageEntryPont (5):
mov dword ptr ss:|ebp-0x20|, es
mov eax, dword ptr ds:|ed*4+0x4160e0|
add eax, 0x800
cmp es, eax
|nb 0x40ba8d
2
BBL 0x40b9f6 unnamedImageEntryPont (2):
test byte ptr ds:|es+0x4|, 0x1
|nz 0x40ba58
8
BBL 0x40d19c unnamedImageEntryPont (2):
mov es, ebx
ca 0x40cd7a
BBL 0x40cd7a unnamedImageEntryPont (13):
mov ed, ed
push ebp
mov ebp, esp
sub esp, 0x51c
mov eax, dword ptr ds:|0x414034|
xor eax, ebp
mov dword ptr ss:|ebp-0x4|, eax
push ebx
push ed
ea eax, ptr |ebp-0x518|
push eax
push dword ptr ds:|es+0x4|
ca dword ptr ds:|0x4100f0|
BBL 0x40cda1 unnamedImageEntryPont (3):
mov ed, 0x100
test eax, eax
|z 0x40cea9
BBL 0x409dc5 unnamedImageEntryPont (1):
ca 0x40de86
BBL 0x40de86 unnamedImageEntryPont (8):
mov ed, ed
push ebp
mov ebp, esp
push 0x4
push 0x0
push dword ptr ss:|ebp+0x8|
push 0x0
ca 0x40de33
34
BBL 0x40de33 unnamedImageEntryPont (7):
mov ed, ed
push ebp
mov ebp, esp
sub esp, 0x10
push dword ptr ss:|ebp+0x8|
ea ecx, ptr |ebp-0x10|
ca 0x4079f7
110
BBL 0x40b87e unnamedImageEntryPont (2):
cmp eax, dword ptr ds:|0x4160dc|
|nb 0x40b8a0
BBL 0x40b886 unnamedImageEntryPont (8):
mov ecx, eax
and eax, 0x1f
sar ecx, 0x5
mov ecx, dword ptr ds:|ecx*4+0x4160e0|
sh eax, 0x6
add eax, ecx
test byte ptr ds:|eax+0x4|, 0x1
|nz 0x40b8c4
4
BBL 0x40b8c4 unnamedImageEntryPont (4):
mov eax, dword ptr ds:|eax|
pop es
pop ebp
ret
4
BBL 0x40418c .text (4):
push ed
mov ed, ecx
cmp edx, 0x4
|b 0x4041c5
BBL 0x404194 .text (3):
neg ecx
and ecx, 0x3
|z 0x4041a7
5
BBL 0x4041a7 .text (10):
mov ecx, eax
sh eax, 0x8
add eax, ecx
mov ecx, eax
sh eax, 0x10
add eax, ecx
mov ecx, edx
and edx, 0x3
shr ecx, 0x2
|z 0x4041c5
4
BBL 0x40419b .text (1):
sub edx, ecx
BBL 0x4036f3 .text (2):
test byte ptr ds:|es+0xc|, 0x83
|z 0x403730
BBL 0x4036f9 .text (2):
push es
ca 0x40611d
2
BBL 0x40611d unnamedImageEntryPont (12):
mov ed, ed
push ebp
mov ebp, esp
push ebx
push es
mov es, dword ptr ss:|ebp+0x8|
mov eax, dword ptr ds:|es+0xc|
mov ecx, eax
and c, 0x3
xor ebx, ebx
cmp c, 0x2
|nz 0x406176
2
BBL 0x40606d unnamedImageEntryPont (10):
mov ecx, eax
sar ecx, 0x5
ea ebx, ptr |ecx*4+0x4160e0|
mov es, eax
and es, 0x1f
sh es, 0x6
mov ecx, dword ptr ds:|ebx|
movsx ecx, byte ptr ds:|ecx+es*1+0x4|
and ecx, 0x1
|z 0x40604c
BBL 0x40608d unnamedImageEntryPont (2):
push eax
ca 0x40b8c9
BBL 0x406267 unnamedImageEntryPont (2):
nc es
|mp 0x4061ee
BBL 0x4061ee unnamedImageEntryPont (3):
mov dword ptr ss:|ebp-0x20|, es
cmp es, dword ptr ds:|0x417200|
|n 0x406280
512
BBL 0x4061fd unnamedImageEntryPont (4):
mov eax, dword ptr ds:|0x4161fc|
ea eax, ptr |eax+es*4|
cmp dword ptr ds:|eax|, ed
|z 0x406267
512
BBL 0x406280 unnamedImageEntryPont (2):
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
ca 0x40629e
BBL 0x4041bf .text (3):
rep stosd
test edx, edx
|z 0x4041cf
5
BBL 0x40419d .text (4):
mov byte ptr ds:|ed|, a
add ed, 0x1
sub ecx, 0x1
|nz 0x40419d
BBL 0x409c93 unnamedImageEntryPont (2):
cmp byte ptr ds:|es|, 0x22
|nz 0x409ca8
2
BBL 0x4094a2 unnamedImageEntryPont (2):
cmp ed, ebx
|nz 0x4094b6
BBL 0x4094b6 unnamedImageEntryPont (6):
xor eax, eax
pop ed
pop es
pop ebx
pop ebp
ret
42
BBL 0x409c0b unnamedImageEntryPont (3):
add esp, 0xc
test eax, eax
|z 0x409c21
42
BBL 0x40a1b2 unnamedImageEntryPont (5):
mov eax, ebx
dec eax
neg eax
sbb eax, eax
add eax, 0xf5
BBL 0x40a1bc unnamedImageEntryPont (2):
push eax
ca dword ptr ds:|0x410088|
2
BBL 0x40a1c3 unnamedImageEntryPont (3):
mov ed, eax
cmp ed, 0xff
|z 0x40a20d
3
BBL 0x40c756 unnamedImageEntryPont (2):
pop ecx
ret
BBL 0x40c715 unnamedImageEntryPont (3):
mov eax, dword ptr ss:|ebp-0x20|
cmp eax, es
|z 0x40c71f
2
BBL 0x40c71f unnamedImageEntryPont (1):
ca 0x40689d
2
BBL 0x407669 unnamedImageEntryPont (3):
add esp, 0x14
test eax, eax
|z 0x407674
2
BBL 0x40344c .text (2):
push es
ca 0x4034af
BBL 0x4034af .text (5):
mov ed, ed
push ebp
mov ebp, esp
push dword ptr ss:|ebp+0x8|
ca dword ptr ds:|0x410010|
4
BBL 0x4034bd .text (2):
pop ebp
ret
4
BBL 0x408735 unnamedImageEntryPont (2):
pop ecx
ret
BBL 0x4097ff unnamedImageEntryPont (3):
mov es, eax
push es
ca 0x40570b
BBL 0x4096fb unnamedImageEntryPont (2):
cmp dword ptr ds:|es|, eax
|z 0x4096ec
5
BBL 0x409711 unnamedImageEntryPont (2):
mov dword ptr ds:|es|, eax
ca ed
5
BBL 0x40570b unnamedImageEntryPont (7):
mov ed, ed
push ebp
mov ebp, esp
mov eax, dword ptr ss:|ebp+0x8|
mov dword ptr ds:|0x415618|, eax
pop ebp
ret
BBL 0x4096ff unnamedImageEntryPont (2):
cmp es, ed
|b 0x40974d
5
BBL 0x40fc61 unnamedImageEntryPont (2):
mov ecx, 0x4155e8
|mp 0x403437
BBL 0x40fc60 unnamedImageEntryPont (1):
ret
BBL 0x40fc30 unnamedImageEntryPont (2):
cmp dword ptr ds:|0x4150a0|, 0x10
|b 0x40fc47
BBL 0x40fc00 unnamedImageEntryPont (2):
cmp dword ptr ds:|0x415084|, 0x10
|b 0x40fc17
BBL 0x40a26e unnamedImageEntryPont (8):
mov ed, ed
push es
mov eax, 0x412460
mov es, 0x412460
push ed
mov ed, eax
cmp eax, es
|nb 0x40a291
BBL 0x40878b unnamedImageEntryPont (3):
push 0x4103a8
push eax
ca dword ptr ds:|0x410068|
BBL 0x408797 unnamedImageEntryPont (2):
test eax, eax
|z 0x4087a3
2
BBL 0x40879b unnamedImageEntryPont (2):
push dword ptr ss:|ebp+0x8|
ca eax
29
BBL 0x4058eb unnamedImageEntryPont (11):
mov eax, dword ptr ds:|0x414034|
xor eax, ebp
mov dword ptr ss:|ebp-0x4|, eax
mov eax, dword ptr ss:|ebp+0xc|
push es
xor es, es
mov dword ptr ss:|ebp-0x1acc|, eax
mov dword ptr ss:|ebp-0x1ac8|, es
mov dword ptr ss:|ebp-0x1ad0|, es
cmp dword ptr ss:|ebp+0x10|, es
|nz 0x405919
BBL 0x405919 unnamedImageEntryPont (2):
cmp eax, es
|nz 0x405944
BBL 0x405944 unnamedImageEntryPont (17):
push ebx
push ed
mov ed, dword ptr ss:|ebp+0x8|
mov eax, ed
sar eax, 0x5
ea es, ptr |eax*4+0x4160e0|
mov eax, dword ptr ds:|es|
and ed, 0x1f
sh ed, 0x6
add eax, ed
mov b, byte ptr ds:|eax+0x24|
add b, b
sar b, 0x1
mov dword ptr ss:|ebp-0x1ad8|, es
mov byte ptr ss:|ebp-0x1ad9|, b
cmp b, 0x2
|z 0x40597c
BBL 0x40c0ee unnamedImageEntryPont (4):
mov eax, dword ptr ss:|ebp+0x10|
mov dword ptr ss:|ebp-0xc|, 0x80
test ed, eax
|z 0x40c112
BBL 0x40c112 unnamedImageEntryPont (2):
test a, 0x40
|z 0x40c128
BBL 0x40c0fc unnamedImageEntryPont (5):
mov ecx, dword ptr ds:|0x41596c|
not ecx
and ecx, dword ptr ss:|ebp+0x18|
test c, c
|s 0x40c112
BBL 0x40c128 unnamedImageEntryPont (2):
test eax, 0x1000
|z 0x40c132
2
BBL 0x405f5a unnamedImageEntryPont (2):
test eax, eax
|z 0x405f73
BBL 0x405f5e unnamedImageEntryPont (4):
mov eax, dword ptr ss:|ebp-0x1ad4|
and dword ptr ss:|ebp-0x1ac0|, 0x0
mov dword ptr ss:|ebp-0x1ac8|, eax
|mp 0x405f7f
BBL 0x405f7f unnamedImageEntryPont (2):
cmp dword ptr ss:|ebp-0x1ac8|, 0x0
|nz 0x405ff4
BBL 0x4067a1 unnamedImageEntryPont (3):
or dword ptr ds:|es+0xc|, 0x8000
pop ecx
|mp 0x4067b5
BBL 0x4067b5 unnamedImageEntryPont (3):
pop es
pop ebp
ret
8
BBL 0x40368d .text (7):
pop ecx
mov dword ptr ss:|ebp-0x4|, es
push dword ptr ss:|ebp+0x14|
push dword ptr ss:|ebp+0x10|
push dword ptr ss:|ebp+0xc|
push dword ptr ss:|ebp+0x8|
ca 0x4034df
BBL 0x40378f .text (4):
pop ecx
mov dword ptr ss:|ebp-0x4|, ed
push es
ca 0x4036c3
2
BBL 0x403a1d .text (8):
pop ecx
mov dword ptr ss:|ebp-0x4|, es
push dword ptr ss:|ebp+0x18|
push dword ptr ss:|ebp+0x14|
push dword ptr ss:|ebp+0x10|
push dword ptr ss:|ebp+0xc|
push dword ptr ss:|ebp+0x8|
ca 0x4037b6
5
BBL 0x404552 .text (2):
push eax
ca 0x4097ad
BBL 0x4097ad unnamedImageEntryPont (7):
mov ed, ed
push ebp
mov ebp, esp
push 0x0
push 0x0
push dword ptr ss:|ebp+0x8|
ca 0x409681
BBL 0x409681 unnamedImageEntryPont (3):
push 0x18
push 0x4128d8
ca 0x406858
BBL 0x401e2a .text (5):
push edx
push ecx
push edx
push eax
ca 0x4041da
BBL 0x4041da .text (9):
mov ed, ed
push ebp
mov ebp, esp
push es
mov es, dword ptr ss:|ebp+0x14|
push ed
xor ed, ed
cmp es, ed
|nz 0x4041ee
BBL 0x4041ee .text (2):
cmp dword ptr ss:|ebp+0x8|, ed
|nz 0x40420e
6
BBL 0x408acc unnamedImageEntryPont (6):
mov ed, ed
push es
push ed
mov es, 0x41038c
push es
ca dword ptr ds:|0x410064|
BBL 0x401596 .text (1):
|be 0x4015ee
BBL 0x401598 .text (5):
mov ecx, dword ptr ds:|es+0x18|
push ebx
ea ebx, ptr |es+0x4|
cmp ecx, 0x10
|b 0x4015d0
BBL 0x4015d0 .text (6):
mov eax, ebx
push ed
push ebp
push ecx
push eax
ca 0x4041da
BBL 0x408c44 unnamedImageEntryPont (5):
or dword ptr ds:|es+0x4|, 0xff
mov dword ptr ds:|es|, eax
xor eax, eax
nc eax
|mp 0x408c56
BBL 0x406c71 unnamedImageEntryPont (2):
cmp eax, 0xff
|z 0x406cfa
BBL 0x406c7a unnamedImageEntryPont (2):
test byte ptr ds:|es+0xc|, 0x82
|nz 0x406ccf
BBL 0x406c80 unnamedImageEntryPont (2):
push es
ca 0x4060eb
BBL 0x40b720 unnamedImageEntryPont (8):
push ecx
ea ecx, ptr |esp+0x4|
sub ecx, eax
sbb eax, eax
not eax
and ecx, eax
mov eax, esp
and eax, 0xfffff000
BBL 0x40b734 unnamedImageEntryPont (2):
cmp ecx, eax
|b 0x40b742
6
BBL 0x40b742 unnamedImageEntryPont (3):
sub eax, 0x1000
test dword ptr ds:|eax|, eax
|mp 0x40b734
2
BBL 0x40b738 unnamedImageEntryPont (6):
mov eax, ecx
pop ecx
xchg esp, eax
mov eax, dword ptr ds:|eax|
mov dword ptr ss:|esp|, eax
ret
6
BBL 0x406368 unnamedImageEntryPont (2):
rep movsd
|mp dword ptr ds:|edx*4+0x406424|
BBL 0x40cf97 unnamedImageEntryPont (2):
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
ca 0x40cfa8
BBL 0x40cfee unnamedImageEntryPont (2):
cmp es, 0xfd
|nz 0x40d005
BBL 0x40d005 unnamedImageEntryPont (2):
cmp es, 0xfc
|nz 0x40d01c
BBL 0x40d01c unnamedImageEntryPont (2):
cmp byte ptr ss:|ebp-0x4|, b
|z 0x40d028
BBL 0x404001 .text (1):
ret
BBL 0x40ed15 unnamedImageEntryPont (2):
eave
ret
BBL 0x40eb16 unnamedImageEntryPont (2):
eave
ret
2
BBL 0x40cf0b unnamedImageEntryPont (2):
eave
ret
BBL 0x40d210 unnamedImageEntryPont (2):
eave
ret
BBL 0x40600d unnamedImageEntryPont (2):
eave
ret
BBL 0x4032dd .text (5):
mov esp, ebp
pop ebp
mov esp, ebx
pop ebx
ret
BBL 0x40ed47 unnamedImageEntryPont (3):
add esp, 0x1c
cmp byte ptr ss:|ebp-0x4|, 0x0
|z 0x40ed57
BBL 0x40eb4b unnamedImageEntryPont (3):
add esp, 0x20
cmp byte ptr ss:|ebp-0x4|, 0x0
|z 0x40eb5b
2
BBL 0x40d1a3 unnamedImageEntryPont (1):
|mp 0x40d05f
BBL 0x40d275 unnamedImageEntryPont (5):
pop ecx
pop ecx
mov dword ptr ss:|ebp-0x20|, eax
test eax, eax
|nz 0x40d37e
BBL 0x4060ae unnamedImageEntryPont (3):
add esp, 0xc
mov dword ptr ss:|ebp-0x1c|, eax
|mp 0x4060cc
BBL 0x404546 .text (4):
add esp, 0xc
mov dword ptr ss:|ebp-0x20|, eax
cmp dword ptr ss:|ebp-0x1c|, 0x0
|nz 0x404558
BBL 0x40ce80 unnamedImageEntryPont (2):
test c, 0x2
|z 0x40ce9a
BBL 0x40ce9a unnamedImageEntryPont (1):
mov byte ptr ds:|es+eax*1+0x11d|, 0x0
131
BBL 0x40ce85 unnamedImageEntryPont (2):
or byte ptr ds:|es+eax*1+0x1d|, 0x20
mov c, byte ptr ss:|ebp+eax*1-0x304|
65
BBL 0x40cea2 unnamedImageEntryPont (3):
nc eax
cmp eax, ed
|b 0x40ce65
131
BBL 0x40ce91 unnamedImageEntryPont (2):
mov byte ptr ds:|es+eax*1+0x11d|, c
|mp 0x40cea2
65
BBL 0x40b055 unnamedImageEntryPont (3):
mov es, eax
mov eax, es
ca 0x40689d
5
BBL 0x40c09c unnamedImageEntryPont (2):
cmp eax, ed
|z 0x40c0bf
BBL 0x40c0a0 unnamedImageEntryPont (2):
cmp eax, 0x200
|z 0x40c13f
BBL 0x40c0ab unnamedImageEntryPont (2):
cmp eax, 0x300
|nz 0x40bff6
BBL 0x403437 .text (2):
push 0x414030
ca dword ptr ds:|0x410004|
BBL 0x403442 .text (2):
test eax, eax
|n 0x40345f
BBL 0x403274 .text (9):
add esp, 0x8
mov dword ptr ss:|ebp-0x4e0|, eax
mov eax, dword ptr ss:|ebp-0x4e0|
push eax
push 0x10
push 0x1
ea ecx, ptr |ebp-0x4dc|
push ecx
ca 0x403641
BBL 0x403641 .text (3):
push 0xc
push 0x412500
ca 0x406858
BBL 0x40b9c0 unnamedImageEntryPont (5):
pop ecx
mov dword ptr ss:|ebp-0x4|, ed
mov dword ptr ss:|ebp-0x28|, ed
cmp ed, 0x40
|n 0x40bb0c
2
BBL 0x40e99b unnamedImageEntryPont (3):
pop ecx
push dword ptr ss:|ebp-0xc|
ca 0x40e1d7
2
BBL 0x40defb unnamedImageEntryPont (2):
cmp dword ptr ds:|0x4160d8|, 0x3
|nz 0x40df4f
47
BBL 0x40d935 unnamedImageEntryPont (10):
mov ed, ed
push ebp
mov ebp, esp
mov eax, dword ptr ss:|ebp+0x8|
mov dword ptr ds:|0x415fbc|, eax
mov dword ptr ds:|0x415fc0|, eax
mov dword ptr ds:|0x415fc4|, eax
mov dword ptr ds:|0x415fc8|, eax
pop ebp
ret
BBL 0x409825 unnamedImageEntryPont (2):
push es
ca 0x409a29
BBL 0x409a29 unnamedImageEntryPont (1):
ret
BBL 0x406b17 unnamedImageEntryPont (3):
xor ed, ed
cmp eax, ed
| 0x406b25
2
BBL 0x406b1d unnamedImageEntryPont (2):
cmp eax, dword ptr ds:|0x4160dc|
|b 0x406b46
2
BBL 0x40d304 unnamedImageEntryPont (1):
xor eax, eax
BBL 0x40d306 unnamedImageEntryPont (3):
mov dword ptr ss:|ebp-0x1c|, eax
cmp eax, 0x101
|n 0x40d31d
BBL 0x40d310 unnamedImageEntryPont (4):
mov c, byte ptr ds:|eax+ebx*1+0x1c|
mov byte ptr ds:|eax+0x414a10|, c
nc eax
|mp 0x40d306
257
BBL 0x40d31d unnamedImageEntryPont (1):
xor eax, eax
BBL 0x409f25 unnamedImageEntryPont (3):
mov eax, ed
cmp word ptr ds:|ed|, bx
|z 0x409f3a
BBL 0x406bb3 unnamedImageEntryPont (2):
pop ecx
ret
2
BBL 0x404253 .text (4):
pop ed
pop es
pop ebp
ret
6
BBL 0x40392d .text (7):
mov ecx, dword ptr ss:|ebp-0x8|
nc dword ptr ss:|ebp-0x8|
mov byte ptr ds:|ecx|, a
mov eax, dword ptr ds:|es+0x18|
dec ebx
dec dword ptr ss:|ebp-0x4|
mov dword ptr ss:|ebp-0xc|, eax
BBL 0x40367f .text (1):
ca 0x40689d
BBL 0x40950a unnamedImageEntryPont (2):
xor eax, eax
ret
BBL 0x4095f1 unnamedImageEntryPont (1):
add es, 0x4
BBL 0x4095f4 unnamedImageEntryPont (2):
cmp es, dword ptr ss:|ebp+0xc|
|b 0x4095e5
6
9
BBL 0x403210 .text (1):
|mp 0x40322d
BBL 0x408aff unnamedImageEntryPont (4):
push 0x4103cc
push ed
mov dword ptr ds:|0x415628|, eax
ca es
BBL 0x40755e unnamedImageEntryPont (2):
test dword ptr ss:|ebp+0xc|, 0xc000
|nz 0x407579
BBL 0x407567 unnamedImageEntryPont (2):
or dword ptr ss:|ebp+0xc|, 0x8000
|mp 0x407584
2
BBL 0x407584 unnamedImageEntryPont (4):
nc es
mov a, byte ptr ds:|es|
cmp a, b
|nz 0x407459
2
BBL 0x40b0af unnamedImageEntryPont (5):
mov eax, ed
pop ed
pop es
pop ebp
ret
BBL 0x409f5f unnamedImageEntryPont (4):
pop ecx
mov dword ptr ss:|ebp-0x4|, eax
cmp eax, ebx
|z 0x409f88
BBL 0x40d252 unnamedImageEntryPont (4):
pop ecx
mov ebx, eax
test ebx, ebx
|z 0x40d3a3
BBL 0x409e85 unnamedImageEntryPont (4):
mov es, eax
pop ecx
cmp es, ebx
|z 0x409eb5
BBL 0x40a460 unnamedImageEntryPont (4):
pop ecx
mov ed, eax
cmp ed, ebx
|nz 0x40a476
2
BBL 0x40b442 unnamedImageEntryPont (5):
pop ecx
mov ecx, dword ptr ss:|ebp+0x8|
mov dword ptr ds:|ecx+0x8|, eax
test eax, eax
|z 0x40b45a
2
BBL 0x409f67 unnamedImageEntryPont (9):
push ebx
push ebx
push dword ptr ss:|ebp-0x8|
push eax
push dword ptr ss:|ebp-0xc|
push ed
push ebx
push ebx
ca es
BBL 0x40d25d unnamedImageEntryPont (8):
mov ecx, 0x88
mov es, dword ptr ds:|ed+0x68|
mov ed, ebx
rep movsd
and dword ptr ds:|ebx|, 0x0
push ebx
push dword ptr ss:|ebp+0x8|
ca 0x40d02d
BBL 0x409e8c unnamedImageEntryPont (8):
mov edx, dword ptr ss:|ebp-0x4|
ea eax, ptr |ebp-0x8|
push eax
add ed, es
push ed
push es
ea ed, ptr |ebp-0xc|
ca 0x409c68
BBL 0x40a476 unnamedImageEntryPont (2):
push 0xa
ca 0x40a4d6
2
BBL 0x40b44d unnamedImageEntryPont (3):
or dword ptr ds:|ecx+0xc|, 0x8
mov dword ptr ds:|ecx+0x18|, 0x1000
|mp 0x40b46b
2
BBL 0x4090e5 unnamedImageEntryPont (3):
mov dword ptr ds:|0x4161f8|, eax
xor eax, eax
ret
BBL 0x403917 .text (2):
push es
ca 0x406be6
2
BBL 0x406be6 unnamedImageEntryPont (9):
mov ed, ed
push ebp
mov ebp, esp
push es
mov es, dword ptr ss:|ebp+0x8|
push ed
xor ed, ed
cmp es, ed
|nz 0x406c13
2
BBL 0x40e873 unnamedImageEntryPont (2):
mov dword ptr ds:|eax|, 0xcccc
|mp 0x40e88c
BBL 0x40e88c unnamedImageEntryPont (3):
add eax, 0x8
mov dword ptr ss:|ebp-0xc|, eax
|mp 0x40e897
2
BBL 0x40e897 unnamedImageEntryPont (2):
cmp dword ptr ss:|ebp-0xc|, ebx
|z 0x40e9de
2
BBL 0x409c2b unnamedImageEntryPont (2):
push dword ptr ds:|0x415600|
ca 0x4045a7
BBL 0x40ec8a unnamedImageEntryPont (3):
mov eax, dword ptr ss:|ebp-0x8|
pop ecx
|mp 0x40ed05
BBL 0x40ed05 unnamedImageEntryPont (7):
ea esp, ptr |ebp-0x14|
pop ed
pop es
pop ebx
mov ecx, dword ptr ss:|ebp-0x4|
xor ecx, ebp
ca 0x403ff9
BBL 0x403ff9 .text (2):
cmp ecx, dword ptr ds:|0x414034|
|nz 0x404003
BBL 0x403406 .text (5):
mov ed, ed
push ed
push 0x414030
mov ed, ecx
ca dword ptr ds:|0x410000|
BBL 0x403707 .text (2):
push es
ca 0x4060eb
BBL 0x4060eb unnamedImageEntryPont (8):
mov ed, ed
push ebp
mov ebp, esp
mov eax, dword ptr ss:|ebp+0x8|
push es
xor es, es
cmp eax, es
|nz 0x406117
2
BBL 0x406117 unnamedImageEntryPont (4):
mov eax, dword ptr ds:|eax+0x10|
pop es
pop ebp
ret
10
BBL 0x40b070 unnamedImageEntryPont (8):
mov ed, ed
push ebp
mov ebp, esp
push es
push ed
xor es, es
push dword ptr ss:|ebp+0x8|
ca 0x404684
BBL 0x404684 unnamedImageEntryPont (7):
mov ed, ed
push ebp
mov ebp, esp
push es
mov es, dword ptr ss:|ebp+0x8|
cmp es, 0xe0
|nbe 0x404737
7
BBL 0x404696 unnamedImageEntryPont (5):
push ebx
push ed
mov ed, dword ptr ds:|0x410030|
cmp dword ptr ds:|0x415dc4|, 0x0
|nz 0x4046bf
7
BBL 0x408764 unnamedImageEntryPont (2):
test eax, eax
|z 0x408770
BBL 0x408770 unnamedImageEntryPont (3):
mov es, 0x41038c
push es
ca dword ptr ds:|0x410064|
BBL 0x408768 unnamedImageEntryPont (2):
mov eax, dword ptr ds:|eax+0x1fc|
|mp 0x408797
27
BBL 0x40877c unnamedImageEntryPont (2):
test eax, eax
|nz 0x40878b
2
27
492
BBL 0x406209 unnamedImageEntryPont (3):
mov eax, dword ptr ds:|eax|
test byte ptr ds:|eax+0xc|, 0x83
|z 0x406267
20
BBL 0x40629e unnamedImageEntryPont (2):
push 0x1
ca 0x40a3fc
BBL 0x406836 unnamedImageEntryPont (4):
and dword ptr ds:|eax+0xc|, 0xffff7fff
add ecx, 0x10
push ecx
ca 0x40a3fc
3
BBL 0x40c6da unnamedImageEntryPont (6):
mov eax, dword ptr ss:|ebp+0x14|
and eax, 0xfffffe7f
neg eax
sbb eax, eax
nc eax
|z 0x40c6ab
2
BBL 0x406db9 unnamedImageEntryPont (3):
mov dword ptr ss:|ebp-0x10|, ebx
cmp edx, ebx
|z 0x4072cc
2
BBL 0x40d541 unnamedImageEntryPont (3):
mov eax, dword ptr ds:|ed+0xb4|
test eax, eax
|z 0x40d54e
BBL 0x40d282 unnamedImageEntryPont (3):
mov es, dword ptr ss:|ebp-0x24|
push dword ptr ds:|es+0x68|
ca dword ptr ds:|0x410004|
BBL 0x40d28e unnamedImageEntryPont (2):
test eax, eax
|nz 0x40d2a3
BBL 0x40d292 unnamedImageEntryPont (3):
mov eax, dword ptr ds:|es+0x68|
cmp eax, 0x4147f0
|z 0x40d2a3
BBL 0x403523 .text (5):
or eax, 0xff
xor edx, edx
dv dword ptr ss:|ebp+0xc|
cmp dword ptr ss:|ebp+0x10|, eax
|nbe 0x4034fd
BBL 0x4062b0 unnamedImageEntryPont (12):
push ebp
mov ebp, esp
push ed
push es
mov es, dword ptr ss:|ebp+0xc|
mov ecx, dword ptr ss:|ebp+0x10|
mov ed, dword ptr ss:|ebp+0x8|
mov eax, ecx
mov edx, ecx
add eax, es
cmp ed, es
|be 0x4062d0
4
BBL 0x4062d0 unnamedImageEntryPont (2):
cmp ecx, 0x100
|b 0x4062f7
5
BBL 0x4062c8 unnamedImageEntryPont (2):
cmp ed, eax
|b 0x406474
6
BBL 0x4036c3 .text (11):
mov ed, ed
push ebp
mov ebp, esp
push ebx
push es
mov es, dword ptr ss:|ebp+0x8|
push ed
xor ed, ed
or ebx, 0xff
cmp es, ed
|nz 0x4036f3
2
BBL 0x4095e5 unnamedImageEntryPont (2):
test eax, eax
|nz 0x4095f9
6
BBL 0x4095f9 unnamedImageEntryPont (3):
pop es
pop ebp
ret
BBL 0x4095e9 unnamedImageEntryPont (3):
mov ecx, dword ptr ds:|es|
test ecx, ecx
|z 0x4095f1
6
BBL 0x409637 unnamedImageEntryPont (4):
pop ecx
pop ecx
test eax, eax
|nz 0x40967f
BBL 0x40c0b6 unnamedImageEntryPont (2):
mov dword ptr ss:|ebp-0x14|, 0x2
|mp 0x40c0ee
BBL 0x40d345 unnamedImageEntryPont (2):
test eax, eax
|nz 0x40d35c
BBL 0x409c98 unnamedImageEntryPont (7):
xor eax, eax
cmp dword ptr ss:|ebp-0x4|, eax
mov b, 0x22
setz a
nc es
mov dword ptr ss:|ebp-0x4|, eax
|mp 0x409ce4
4
BBL 0x409ca8 unnamedImageEntryPont (3):
nc dword ptr ds:|ed|
test edx, edx
|z 0x409cb6
42
BBL 0x409ce4 unnamedImageEntryPont (2):
cmp dword ptr ss:|ebp-0x4|, 0x0
|nz 0x409c93
4
BBL 0x409cae unnamedImageEntryPont (4):
mov a, byte ptr ds:|es|
mov byte ptr ds:|edx|, a
nc edx
mov dword ptr ss:|ebp+0xc|, edx
21
BBL 0x409cb6 unnamedImageEntryPont (5):
mov b, byte ptr ds:|es|
movzx eax, b
push eax
nc es
ca 0x40de86
21
BBL 0x40a1ce unnamedImageEntryPont (2):
push ed
ca dword ptr ds:|0x4100a4|
BBL 0x40a1d5 unnamedImageEntryPont (2):
test eax, eax
|z 0x40a20d
3
BBL 0x40a1d9 unnamedImageEntryPont (4):
mov dword ptr ds:|es|, ed
and eax, 0xff
cmp eax, 0x2
|nz 0x40a1eb
3
BBL 0x409715 unnamedImageEntryPont (2):
[Figure: basic block graph. Each node is headed "BBL <start address> <name> (<instruction count>):", where the name is .text or unnamedImageEntryPoint, and lists the instructions of that block.]
BBL 0x402540 .text (556):
sub esp, 0x3c
mov eax, dword ptr ss:[esp+0x40]
mov edx, dword ptr ds:[eax+0xc]
mov ecx, dword ptr ds:[eax]
push ebx
push ebp
push esi
mov esi, dword ptr ds:[eax+0x8]
mov ebp, edx
xor ebp, esi
push edi
mov edi, dword ptr ds:[eax+0x4]
and ebp, edi
mov eax, dword ptr ss:[esp+0x54]
xor ebp, edx
mov ebx, dword ptr ds:[eax]
add ebp, ebx
lea ecx, ptr [ecx+ebp*1-0x28955b88]
rol ecx, 0x7
add ecx, edi
mov ebp, esi
xor ebp, edi
and ebp, ecx
xor ebp, esi
mov dword ptr ss:[esp+0x54], ebx
mov ebx, dword ptr ds:[eax+0x4]
add ebp, ebx
lea edx, ptr [edx+ebp*1-0x173848aa]
rol edx, 0xc
add edx, ecx
mov ebp, edi
xor ebp, ecx
and ebp, edx
xor ebp, edi
mov dword ptr ss:[esp+0x20], ebx
mov ebx, dword ptr ds:[eax+0x8]
add ebp, ebx
lea esi, ptr [esi+ebp*1+0x242070db]
rol esi, 0x11
add esi, edx
mov ebp, edx
xor ebp, ecx
and ebp, esi
xor ebp, ecx
mov dword ptr ss:[esp+0x40], ebx
mov ebx, dword ptr ds:[eax+0xc]
add ebp, ebx
lea edi, ptr [edi+ebp*1-0x3e423112]
rol edi, 0x16
add edi, esi
mov ebp, edx
xor ebp, esi
and ebp, edi
xor ebp, edx
mov dword ptr ss:[esp+0x18], ebx
mov ebx, dword ptr ds:[eax+0x10]
add ebp, ebx
lea ecx, ptr [ecx+ebp*1-0xa83f051]
rol ecx, 0x7
add ecx, edi
mov ebp, esi
xor ebp, edi
and ebp, ecx
xor ebp, esi
mov dword ptr ss:[esp+0x30], ebx
mov ebx, dword ptr ds:[eax+0x14]
add ebp, ebx
lea edx, ptr [edx+ebp*1+0x4787c62a]
rol edx, 0xc
add edx, ecx
mov ebp, edi
xor ebp, ecx
and ebp, edx
mov dword ptr ss:[esp+0x14], ebx
mov ebx, dword ptr ds:[eax+0x18]
xor ebp, edi
add ebp, ebx
lea esi, ptr [esi+ebp*1-0x57cfb9ed]
rol esi, 0x11
mov dword ptr ss:[esp+0x28], ebx
mov ebx, dword ptr ds:[eax+0x1c]
add esi, edx
mov ebp, edx
xor ebp, ecx
and ebp, esi
xor ebp, ecx
add ebp, ebx
lea edi, ptr [edi+ebp*1-0x2b96aff]
rol edi, 0x16
add edi, esi
mov ebp, edx
xor ebp, esi
and ebp, edi
xor ebp, edx
mov dword ptr ss:[esp+0x10], ebx
mov ebx, dword ptr ds:[eax+0x20]
add ebp, ebx
lea ecx, ptr [ecx+ebp*1+0x698098d8]
rol ecx, 0x7
add ecx, edi
mov ebp, esi
xor ebp, edi
and ebp, ecx
xor ebp, esi
mov dword ptr ss:[esp+0x24], ebx
mov ebx, dword ptr ds:[eax+0x24]
add ebp, ebx
lea edx, ptr [edx+ebp*1-0x74bb0851]
rol edx, 0xc
add edx, ecx
mov ebp, edi
xor ebp, ecx
and ebp, edx
xor ebp, edi
mov dword ptr ss:[esp+0x38], ebx
mov ebx, dword ptr ds:[eax+0x28]
add ebp, ebx
lea esi, ptr [esi+ebp*1-0xa44f]
rol esi, 0x11
add esi, edx
mov ebp, edx
xor ebp, ecx
and ebp, esi
xor ebp, ecx
mov dword ptr ss:[esp+0x1c], ebx
mov ebx, dword ptr ds:[eax+0x2c]
add ebp, ebx
lea edi, ptr [edi+ebp*1-0x76a32842]
rol edi, 0x16
add edi, esi
mov ebp, edx
xor ebp, esi
and ebp, edi
xor ebp, edx
mov dword ptr ss:[esp+0x34], ebx
mov ebx, dword ptr ds:[eax+0x30]
add ebp, ebx
lea ecx, ptr [ecx+ebp*1+0x6b901122]
rol ecx, 0x7
add ecx, edi
mov ebp, esi
xor ebp, edi
and ebp, ecx
xor ebp, esi
mov dword ptr ss:[esp+0x3c], ebx
mov ebx, dword ptr ds:[eax+0x34]
add ebp, ebx
lea edx, ptr [edx+ebp*1-0x2678e6d]
rol edx, 0xc
add edx, ecx
mov ebp, edi
xor ebp, ecx
and ebp, edx
xor ebp, edi
mov dword ptr ss:[esp+0x2c], ebx
mov ebx, dword ptr ds:[eax+0x38]
mov eax, dword ptr ds:[eax+0x3c]
add ebp, ebx
lea esi, ptr [esi+ebp*1-0x5986bc72]
rol esi, 0x11
mov dword ptr ss:[esp+0x44], ebx
add esi, edx
mov dword ptr ss:[esp+0x48], eax
mov ebp, edx
xor ebp, ecx
and ebp, esi
xor ebp, ecx
add ebp, eax
lea edi, ptr [edi+ebp*1+0x49b40821]
rol edi, 0x16
add edi, esi
mov ebp, esi
xor ebp, edi
and ebp, edx
xor ebp, esi
add ebp, dword ptr ss:[esp+0x20]
lea ecx, ptr [ecx+ebp*1-0x9e1da9e]
rol ecx, 0x5
add ecx, edi
mov ebp, edi
xor ebp, ecx
and ebp, esi
xor ebp, edi
add ebp, dword ptr ss:[esp+0x28]
lea edx, ptr [edx+ebp*1-0x3fbf4cc0]
rol edx, 0x9
add edx, ecx
mov ebp, edx
xor ebp, ecx
and ebp, edi
xor ebp, ecx
add ebp, dword ptr ss:[esp+0x34]
lea esi, ptr [esi+ebp*1+0x265e5a51]
rol esi, 0xe
add esi, edx
mov ebp, edx
xor ebp, esi
and ebp, ecx
xor ebp, edx
add ebp, dword ptr ss:[esp+0x54]
lea edi, ptr [edi+ebp*1-0x16493856]
rol edi, 0x14
add edi, esi
mov ebp, esi
xor ebp, edi
and ebp, edx
xor ebp, esi
add ebp, dword ptr ss:[esp+0x14]
lea ecx, ptr [ecx+ebp*1-0x29d0efa3]
rol ecx, 0x5
add ecx, edi
mov ebp, edi
xor ebp, ecx
and ebp, esi
xor ebp, edi
add ebp, dword ptr ss:[esp+0x1c]
lea edx, ptr [edx+ebp*1+0x2441453]
rol edx, 0x9
add edx, ecx
mov ebp, edx
xor ebp, ecx
and ebp, edi
xor ebp, ecx
add ebp, eax
lea esi, ptr [esi+ebp*1-0x275e197f]
rol esi, 0xe
add esi, edx
mov eax, edx
xor eax, esi
and eax, ecx
xor eax, edx
add eax, dword ptr ss:[esp+0x30]
lea edi, ptr [eax+edi*1-0x182c0438]
rol edi, 0x14
add edi, esi
mov eax, esi
xor eax, edi
and eax, edx
xor eax, esi
add eax, dword ptr ss:[esp+0x38]
lea ecx, ptr [eax+ecx*1+0x21e1cde6]
rol ecx, 0x5
add ecx, edi
mov eax, edi
xor eax, ecx
and eax, esi
xor eax, edi
add eax, ebx
lea edx, ptr [eax+edx*1-0x3cc8f82a]
rol edx, 0x9
add edx, ecx
mov eax, edx
xor eax, ecx
and eax, edi
xor eax, ecx
add eax, dword ptr ss:[esp+0x18]
lea esi, ptr [eax+esi*1-0xb2af279]
rol esi, 0xe
add esi, edx
mov eax, edx
xor eax, esi
and eax, ecx
xor eax, edx
add eax, dword ptr ss:[esp+0x24]
lea edi, ptr [eax+edi*1+0x455a14ed]
rol edi, 0x14
add edi, esi
mov eax, esi
xor eax, edi
and eax, edx
xor eax, esi
add eax, dword ptr ss:[esp+0x2c]
lea ecx, ptr [eax+ecx*1-0x561c16fb]
rol ecx, 0x5
add ecx, edi
mov eax, edi
xor eax, ecx
and eax, esi
xor eax, edi
add eax, dword ptr ss:[esp+0x40]
lea edx, ptr [eax+edx*1-0x3105c08]
rol edx, 0x9
add edx, ecx
mov eax, edx
xor eax, ecx
and eax, edi
xor eax, ecx
add eax, dword ptr ss:[esp+0x10]
mov ebx, edx
lea esi, ptr [eax+esi*1+0x676f02d9]
rol esi, 0xe
add esi, edx
xor ebx, esi
mov eax, ebx
and eax, ecx
xor eax, edx
add eax, dword ptr ss:[esp+0x3c]
lea edi, ptr [eax+edi*1-0x72d5b376]
rol edi, 0x14
add edi, esi
xor ebx, edi
add ebx, dword ptr ss:[esp+0x14]
mov eax, esi
lea ecx, ptr [ebx+ecx*1-0x5c6be]
xor eax, edi
rol ecx, 0x4
add ecx, edi
xor eax, ecx
add eax, dword ptr ss:[esp+0x24]
lea ebx, ptr [eax+edx*1-0x788e097f]
rol ebx, 0xb
add ebx, ecx
mov edx, ebx
xor edx, edi
xor edx, ecx
add edx, dword ptr ss:[esp+0x34]
mov eax, ebx
lea esi, ptr [edx+esi*1+0x6d9d6122]
rol esi, 0x10
add esi, ebx
xor eax, esi
mov edx, eax
xor edx, ecx
add edx, dword ptr ss:[esp+0x44]
lea edx, ptr [edx+edi*1-0x21ac7f4]
rol edx, 0x17
add edx, esi
xor eax, edx
add eax, dword ptr ss:[esp+0x20]
lea ecx, ptr [eax+ecx*1-0x5b4115bc]
rol ecx, 0x4
add ecx, edx
mov eax, esi
xor eax, edx
xor eax, ecx
add eax, dword ptr ss:[esp+0x30]
lea edi, ptr [eax+ebx*1+0x4bdecfa9]
rol edi, 0xb
add edi, ecx
mov eax, edi
xor eax, edx
xor eax, ecx
add eax, dword ptr ss:[esp+0x10]
lea esi, ptr [eax+esi*1-0x944b4a0]
rol esi, 0x10
add esi, edi
mov eax, edi
xor eax, esi
mov ebx, eax
xor ebx, ecx
add ebx, dword ptr ss:[esp+0x1c]
lea edx, ptr [ebx+edx*1-0x41404390]
rol edx, 0x17
add edx, esi
xor eax, edx
add eax, dword ptr ss:[esp+0x2c]
lea ecx, ptr [eax+ecx*1+0x289b7ec6]
mov eax, esi
xor eax, edx
rol ecx, 0x4
add ecx, edx
xor eax, ecx
add eax, dword ptr ss:[esp+0x54]
lea edi, ptr [eax+edi*1-0x155ed806]
rol edi, 0xb
add edi, ecx
mov eax, edi
xor eax, edx
xor eax, ecx
add eax, dword ptr ss:[esp+0x18]
lea ebx, ptr [eax+esi*1-0x2b10cf7b]
rol ebx, 0x10
add ebx, edi
mov eax, edi
xor eax, ebx
mov esi, eax
xor esi, ecx
add esi, dword ptr ss:[esp+0x28]
lea edx, ptr [esi+edx*1+0x4881d05]
rol edx, 0x17
add edx, ebx
xor eax, edx
add eax, dword ptr ss:[esp+0x38]
mov esi, ebx
lea ecx, ptr [eax+ecx*1-0x262b2fc7]
mov eax, dword ptr ss:[esp+0x3c]
xor esi, edx
rol ecx, 0x4
add ecx, edx
xor esi, ecx
add esi, eax
lea esi, ptr [esi+edi*1-0x1924661b]
rol esi, 0xb
add esi, ecx
mov edi, esi
xor edi, edx
xor edi, ecx
add edi, dword ptr ss:[esp+0x48]
mov ebp, esi
lea edi, ptr [edi+ebx*1+0x1fa27cf8]
mov ebx, dword ptr ss:[esp+0x40]
rol edi, 0x10
add edi, esi
xor ebp, edi
xor ebp, ecx
add ebp, ebx
lea edx, ptr [edx+ebp*1-0x3b53a99b]
rol edx, 0x17
add edx, edi
mov ebp, esi
not ebp
or ebp, edx
xor ebp, edi
add ebp, dword ptr ss:[esp+0x54]
lea ecx, ptr [ecx+ebp*1-0xbd6ddbc]
rol ecx, 0x6
add ecx, edx
mov ebp, edi
not ebp
or ebp, ecx
xor ebp, edx
add ebp, dword ptr ss:[esp+0x10]
lea esi, ptr [esi+ebp*1+0x432aff97]
rol esi, 0xa
add es, ecx
mov ebp, edx
not ebp
or ebp, es
xor ebp, ecx
add ebp, dword ptr ss:|esp+0x44|
ea ed, ptr |ed+ebp*1-0x546bdc59|
ro ed, 0xf
add ed, es
mov ebp, ecx
not ebp
or ebp, ed
xor ebp, es
add ebp, dword ptr ss:|esp+0x14|
ea edx, ptr |edx+ebp*1-0x36c5fc7|
ro edx, 0x15
add edx, ed
mov ebp, es
not ebp
or ebp, edx
xor ebp, ed
add ebp, eax
ea ecx, ptr |ecx+ebp*1+0x655b59c3|
ro ecx, 0x6
add ecx, edx
mov eax, ed
not eax
or eax, ecx
xor eax, edx
add eax, dword ptr ss:|esp+0x18|
ea es, ptr |eax+es*1-0x70f3336e|
ro es, 0xa
add es, ecx
mov eax, edx
not eax
or eax, es
xor eax, ecx
add eax, dword ptr ss:|esp+0x1c|
ea ed, ptr |eax+ed*1-0x100b83|
ro ed, 0xf
add ed, es
mov eax, ecx
not eax
or eax, ed
xor eax, es
add eax, dword ptr ss:|esp+0x20|
ea edx, ptr |eax+edx*1-0x7a7ba22f|
ro edx, 0x15
add edx, ed
mov eax, es
not eax
or eax, edx
xor eax, ed
add eax, dword ptr ss:|esp+0x24|
ea ecx, ptr |eax+ecx*1+0x6fa87e4f|
ro ecx, 0x6
mov eax, ed
not eax
add ecx, edx
or eax, ecx
xor eax, edx
add eax, dword ptr ss:|esp+0x48|
ea eax, ptr |eax+es*1-0x1d31920|
ro eax, 0xa
add eax, ecx
mov es, edx
not es
or es, eax
xor es, ecx
add es, dword ptr ss:|esp+0x28|
ea es, ptr |es+ed*1-0x5cfebcec|
ro es, 0xf
add es, eax
mov ed, ecx
not ed
or ed, es
xor ed, eax
add ed, dword ptr ss:|esp+0x2c|
ea edx, ptr |ed+edx*1+0x4e0811a1|
mov ed, eax
not ed
ro edx, 0x15
add edx, es
or ed, edx
xor ed, es
add ed, dword ptr ss:|esp+0x30|
ea ecx, ptr |ed+ecx*1-0x8ac817e|
ro ecx, 0x6
add ecx, edx
mov ed, es
not ed
or ed, ecx
xor ed, edx
add ed, dword ptr ss:|esp+0x34|
ea ed, ptr |ed+eax*1-0x42c50dcb|
ro ed, 0xa
add ed, ecx
mov eax, edx
not eax
or eax, ed
xor eax, ecx
add eax, ebx
ea es, ptr |eax+es*1+0x2ad7d2bb|
mov eax, ecx
ro es, 0xf
add es, ed
not eax
or eax, es
xor eax, ed
add eax, dword ptr ss:|esp+0x38|
ea edx, ptr |eax+edx*1-0x14792c6f|
mov eax, dword ptr ss:|esp+0x50|
mov ebx, dword ptr ds:|eax|
add ebx, ecx
mov ecx, dword ptr ds:|eax+0x4|
ro edx, 0x15
add edx, ecx
mov ecx, dword ptr ds:|eax+0x8|
add ecx, es
mov dword ptr ds:|eax+0x8|, ecx
mov ecx, dword ptr ds:|eax+0xc|
add edx, es
add ecx, ed
pop ed
pop es
pop ebp
mov dword ptr ds:|eax|, ebx
mov dword ptr ds:|eax+0x4|, edx
mov dword ptr ds:|eax+0xc|, ecx
pop ebx
add esp, 0x3c
ret
BBL 0x402c51 .text (2):
add esp, 0x8
ret 0x4
65
65
BBL 0x409e34 unnamedImageEntryPont (4):
mov eax, dword ptr ds:|0x417204|
mov dword ptr ds:|0x41598c|, es
cmp eax, ebx
|z 0x409e4a
BBL 0x409e43 unnamedImageEntryPont (3):
mov dword ptr ss:|ebp-0x4|, eax
cmp byte ptr ds:|eax|, b
|nz 0x409e4d
BBL 0x40b42d unnamedImageEntryPont (6):
mov ed, ed
push ebp
mov ebp, esp
nc dword ptr ds:|0x41561c|
push 0x1000
ca 0x40b070
BBL 0x406a4c unnamedImageEntryPont (8):
mov ed, ed
push ebp
mov ebp, esp
push es
mov es, dword ptr ss:|ebp+0x8|
push ed
push es
ca 0x40b852
2
BBL 0x40eb7e unnamedImageEntryPont (8):
ea eax, ptr |ebp-0x8|
push eax
xor es, es
nc es
push es
push 0x4112c0
push es
ca dword ptr ds:|0x41011c|
BBL 0x40a1a5 unnamedImageEntryPont (3):
mov byte ptr ds:|es+0x4|, 0x81
test ebx, ebx
|nz 0x40a1b2
3
BBL 0x40a22d unnamedImageEntryPont (2):
xor eax, eax
|mp 0x40a242
BBL 0x403799 .text (4):
pop ecx
mov dword ptr ss:|ebp-0x1c|, eax
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
ca 0x4037ae
2
2
BBL 0x40871c unnamedImageEntryPont (2):
test eax, eax
|z 0x408728
38
BBL 0x40874f unnamedImageEntryPont (3):
mov eax, dword ptr ds:|0x414588|
cmp eax, 0xff
|z 0x408770
BBL 0x408759 unnamedImageEntryPont (3):
push eax
push dword ptr ds:|0x41458c|
ca es
28
28
BBL 0x409cc2 unnamedImageEntryPont (3):
pop ecx
test eax, eax
|z 0x409cda
42
2
BBL 0x40a1ad unnamedImageEntryPont (3):
push 0xf6
pop eax
|mp 0x40a1bc
BBL 0x4060cc unnamedImageEntryPont (2):
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
ca 0x4060e1
BBL 0x401573 .text (3):
mov ed, dword ptr ss:|esp+0x14|
cmp ed, 0xfe
|be 0x401581
BBL 0x406a62 unnamedImageEntryPont (3):
mov eax, dword ptr ds:|0x4160e0|
cmp es, 0x1
|nz 0x406a75
BBL 0x406a75 unnamedImageEntryPont (2):
cmp es, 0x2
|nz 0x406a96
2
BBL 0x406a96 unnamedImageEntryPont (2):
push es
ca 0x40b852
2
BBL 0x40a03e unnamedImageEntryPont (12):
mov byte ptr ds:|eax+0x4|, 0x0
or dword ptr ds:|eax|, 0xff
mov byte ptr ds:|eax+0x5|, 0xa
mov dword ptr ds:|eax+0x8|, ed
mov byte ptr ds:|eax+0x24|, 0x0
mov byte ptr ds:|eax+0x25|, 0xa
mov byte ptr ds:|eax+0x26|, 0xa
mov dword ptr ds:|eax+0x38|, ed
mov byte ptr ds:|eax+0x34|, 0x0
add eax, 0x40
mov ecx, dword ptr ds:|0x4160e0|
add ecx, 0x800
BBL 0x40a06e unnamedImageEntryPont (2):
cmp eax, ecx
|b 0x40a03e
32 32
BBL 0x40a072 unnamedImageEntryPont (2):
cmp word ptr ss:|ebp-0x32|, d
|z 0x40a186
34 42
BBL 0x409dca unnamedImageEntryPont (3):
pop ecx
test eax, eax
|z 0x409dd2
34
BBL 0x40d06b unnamedImageEntryPont (2):
cmp dword ptr ds:|eax+0x414c20|, ed
|z 0x40d108
BBL 0x40d077 unnamedImageEntryPont (4):
nc dword ptr ss:|ebp-0x1c|
add eax, 0x30
cmp eax, 0xf0
|b 0x40d06b
5 4
BBL 0x40d084 unnamedImageEntryPont (2):
cmp ed, 0xfde8
|z 0x40d200
BBL 0x40d339 unnamedImageEntryPont (2):
push dword ptr ds:|0x414c18|
ca dword ptr ds:|0x410004|
BBL 0x406314 unnamedImageEntryPont (4):
mov eax, ed
mov edx, 0x3
sub ecx, 0x4
|b 0x40632c
BBL 0x406320 unnamedImageEntryPont (3):
and eax, 0x3
add ecx, eax
|mp dword ptr ds:|eax*4+0x406338|
2
BBL 0x406348 unnamedImageEntryPont (12):
and edx, ecx
mov a, byte ptr ds:|es|
mov byte ptr ds:|ed|, a
mov a, byte ptr ds:|es+0x1|
mov byte ptr ds:|ed+0x1|, a
mov a, byte ptr ds:|es+0x2|
shr ecx, 0x2
mov byte ptr ds:|ed+0x2|, a
add es, 0x3
add ed, 0x3
cmp ecx, 0x8
|b 0x406334
2
BBL 0x40d3c7 unnamedImageEntryPont (2):
xor eax, eax
ret
BBL 0x409e1c unnamedImageEntryPont (6):
push 0x104
mov es, 0x415cb8
push es
push ebx
mov byte ptr ds:|0x415dbc|, b
ca dword ptr ds:|0x41008c|
BBL 0x407a63 unnamedImageEntryPont (3):
or dword ptr ds:|eax+0x70|, 0x2
mov byte ptr ds:|es+0xc|, 0x1
|mp 0x407a77
115
BBL 0x4095a9 unnamedImageEntryPont (2):
push 0x8
ca 0x40a4d6
5
110
BBL 0x40ec2f unnamedImageEntryPont (2):
mov dword ptr ds:|eax|, 0xcccc
|mp 0x40ec48
BBL 0x401aa0 .text (9):
push ecx
push ebx
push ebp
push es
push ed
mov ed, ecx
mov ecx, dword ptr ss:|esp+0x1c|
mov edx, ed
ca 0x401f00
BBL 0x403b24 .text (2):
mov eax, dword ptr ss:|ebp-0x1c|
ca 0x40689d
2
BBL 0x40deb3 unnamedImageEntryPont (8):
push 0xe0
pop eax
xor edx, edx
dv ecx
cmp eax, dword ptr ss:|ebp+0xc|
sbb eax, eax
nc eax
|nz 0x40dee1
BBL 0x40dee1 unnamedImageEntryPont (5):
mu ecx, dword ptr ss:|ebp+0xc|
mov es, ecx
mov dword ptr ss:|ebp+0x8|, es
cmp es, ed
|nz 0x40def1
47
47
BBL 0x40743e unnamedImageEntryPont (1):
or dword ptr ss:|ebp-0x4|, 0x2
BBL 0x407442 unnamedImageEntryPont (7):
xor ecx, ecx
nc ecx
nc es
mov a, byte ptr ds:|es|
push ed
cmp a, b
|z 0x40762f
BBL 0x407451 unnamedImageEntryPont (4):
ea edx, ptr |ecx+0x7f|
mov ed, 0x4000
cmp ecx, ebx
|z 0x40758f
2
BBL 0x406826 unnamedImageEntryPont (7):
mov ed, ed
push ebp
mov ebp, esp
mov ecx, dword ptr ss:|ebp+0x8|
cmp ecx, 0x14
mov eax, dword ptr ss:|ebp+0xc|
|n 0x406849
3
BBL 0x409edd unnamedImageEntryPont (3):
mov ed, eax
cmp ed, ebx
|z 0x409eef
BBL 0x406bab unnamedImageEntryPont (2):
push dword ptr ss:|ebp+0x8|
ca 0x40b969
2
BBL 0x406334 unnamedImageEntryPont (1):
|mp dword ptr ds:|ecx*4+0x4063b8|
5
BBL 0x4063f0 unnamedImageEntryPont (2):
mov eax, dword ptr ds:|es+ecx*4-0x10|
mov dword ptr ds:|ed+ecx*4-0x10|, eax
BBL 0x4063f8 unnamedImageEntryPont (9):
mov eax, dword ptr ds:|es+ecx*4-0xc|
mov dword ptr ds:|ed+ecx*4-0xc|, eax
mov eax, dword ptr ds:|es+ecx*4-0x8|
mov dword ptr ds:|ed+ecx*4-0x8|, eax
mov eax, dword ptr ds:|es+ecx*4-0x4|
mov dword ptr ds:|ed+ecx*4-0x4|, eax
ea eax, ptr |ecx*4|
add es, eax
add ed, eax
2
2
BBL 0x4035fa .text (4):
pop ecx
pop ecx
cmp eax, 0xff
|z 0x40362a
BBL 0x40ba09 unnamedImageEntryPont (6):
pop ecx
xor ebx, ebx
nc ebx
mov dword ptr ss:|ebp-0x4|, ebx
cmp dword ptr ds:|es+0x8|, 0x0
|nz 0x40ba32
BBL 0x40ba16 unnamedImageEntryPont (4):
push 0xfa0
ea eax, ptr |es+0xc|
push eax
ca 0x40cb50
BBL 0x40cb50 unnamedImageEntryPont (3):
push 0x10
push 0x412a40
ca 0x406858
BBL 0x4090dd unnamedImageEntryPont (3):
pop ebx
eave
ret
BBL 0x40975c unnamedImageEntryPont (4):
pop ecx
push 0x41016c
mov eax, 0x410168
ca 0x4095bb
BBL 0x407a0a unnamedImageEntryPont (1):
ca 0x408983
115
BBL 0x409bfb unnamedImageEntryPont (5):
pop ecx
pop ecx
mov dword ptr ds:|ed|, eax
test eax, eax
|z 0x409c51
BBL 0x409c03 unnamedImageEntryPont (4):
push es
push ebx
push eax
ca 0x409455
42
42
BBL 0x40bb18 unnamedImageEntryPont (2):
mov eax, dword ptr ss:|ebp-0x1c|
ca 0x40689d
2
BBL 0x401bbc .text (7):
mov ebp, eax
mov eax, dword ptr ds:|ed|
mov edx, dword ptr ds:|eax+0x58|
ea es, ptr |ebp-0x1|
and es, dword ptr ds:|ed+0x4|
mov ecx, ed
ca edx
BBL 0x4067ce unnamedImageEntryPont (5):
mov eax, dword ptr ss:|ebp+0xc|
or dword ptr ds:|eax+0xc|, 0x8000
pop ecx
pop ebp
ret
BBL 0x40770c unnamedImageEntryPont (6):
pop ecx
pop ecx
mov eax, dword ptr ds:|0x4161fc|
mov eax, dword ptr ds:|eax+es*4|
test byte ptr ds:|eax+0xc|, 0x83
|z 0x407728
2
BBL 0x406218 unnamedImageEntryPont (10):
pop ecx
pop ecx
xor edx, edx
nc edx
mov dword ptr ss:|ebp-0x4|, edx
mov eax, dword ptr ds:|0x4161fc|
mov eax, dword ptr ds:|eax+es*4|
mov ecx, dword ptr ds:|eax+0xc|
test c, 0x83
|z 0x40625f
3
2
BBL 0x406230 unnamedImageEntryPont (2):
cmp dword ptr ss:|ebp+0x8|, edx
|nz 0x406246
3
BBL 0x40e52a unnamedImageEntryPont (8):
mov ed, ed
push ebp
mov ebp, esp
mov eax, dword ptr ss:|ebp+0x8|
push es
xor es, es
cmp eax, es
|nz 0x40e556
2
BBL 0x403aae .text (6):
xor eax, eax
mov es, dword ptr ss:|ebp+0xc|
cmp es, ebx
setnz a
cmp eax, ebx
|z 0x403a92
2
BBL 0x403abc .text (5):
xor eax, eax
cmp byte ptr ds:|es|, b
setnz a
cmp eax, ebx
|z 0x403a92
2
BBL 0x40625f unnamedImageEntryPont (2):
mov dword ptr ss:|ebp-0x4|, ed
ca 0x40626f
BBL 0x40626f unnamedImageEntryPont (4):
mov eax, dword ptr ds:|0x4161fc|
push dword ptr ds:|eax+es*4|
push es
ca 0x406826
3
3
2
BBL 0x4076dd unnamedImageEntryPont (2):
test eax, 0x8000
|nz 0x407725
BBL 0x4076e4 unnamedImageEntryPont (3):
ea eax, ptr |es-0x3|
cmp eax, 0x10
|nbe 0x4076fe
2
BBL 0x4076ec unnamedImageEntryPont (3):
ea eax, ptr |es+0x10|
push eax
ca 0x40a413
2
BBL 0x40d090 unnamedImageEntryPont (2):
cmp ed, 0xfde9
|z 0x40d200
BBL 0x40d513 unnamedImageEntryPont (10):
mov ed, ed
push ebp
mov ebp, esp
push ebx
push es
mov es, dword ptr ds:|0x410000|
push ed
mov ed, dword ptr ss:|ebp+0x8|
push ed
ca es
BBL 0x4034f1 .text (2):
cmp dword ptr ss:|ebp+0x10|, ed
|z 0x403515
BBL 0x4034f6 .text (3):
mov es, dword ptr ss:|ebp+0x14|
cmp es, ed
|nz 0x40351c
BBL 0x40972d unnamedImageEntryPont (3):
add esp, 0xc
cmp dword ptr ss:|ebp-0x1c|, ed
|nz 0x40973a
5
BBL 0x409566 unnamedImageEntryPont (5):
mov ed, ed
push ebp
mov ebp, esp
push 0x4103fc
ca dword ptr ds:|0x410064|
BBL 0x40902e unnamedImageEntryPont (3):
push 0xc
push 0x4128b8
ca 0x406858
BBL 0x407302 unnamedImageEntryPont (3):
xor es, es
cmp eax, es
| 0x407310
2
BBL 0x40a1ca unnamedImageEntryPont (2):
test ed, ed
|z 0x40a20d
3
BBL 0x40486f unnamedImageEntryPont (1):
ca 0x4095b2
5
2
BBL 0x401be9 .text (5):
add esp, 0xc
pop es
pop ebp
pop ebx
ret 0x4
BBL 0x401ae9 .text (6):
mov eax, dword ptr ds:|ed+0x4|
add eax, eax
add eax, eax
add eax, eax
test es, es
|z 0x401af8
BBL 0x40e84f unnamedImageEntryPont (1):
|e 0x40e894
2
BBL 0x4073f3 unnamedImageEntryPont (2):
cmp byte ptr ds:|es|, 0x20
|z 0x4073f2
2
BBL 0x40883b unnamedImageEntryPont (2):
test eax, eax
|nz 0x408846
BBL 0x40ce60 unnamedImageEntryPont (2):
add esp, 0x24
xor eax, eax
68
BBL 0x40c07e unnamedImageEntryPont (7):
mov eax, dword ptr ss:|ebp+0x10|
mov edx, 0x700
and eax, edx
mov ecx, 0x400
cmp eax, ecx
mov ed, 0x100
|ne 0x40c0d1
2
BBL 0x407137 unnamedImageEntryPont (3):
mov eax, dword ptr ss:|ebp-0x14|
cmp eax, 0xfe
|nz 0x4072ce
BBL 0x407143 unnamedImageEntryPont (2):
mov eax, dword ptr ss:|ebp-0x10|
|mp 0x4072ce
2
2
BBL 0x4057f1 unnamedImageEntryPont (1):
ca 0x4066a0
BBL 0x4046d4 unnamedImageEntryPont (2):
push eax
|mp 0x4046f3
BBL 0x4046f3 unnamedImageEntryPont (3):
push 0x0
push dword ptr ds:|0x415dc4|
ca ed
7
BBL 0x4046fd unnamedImageEntryPont (3):
mov ebx, eax
test ebx, ebx
|nz 0x404731
7
BBL 0x40ec11 unnamedImageEntryPont (2):
cmp ed, 0x7ffffff0
|nbe 0x40ec4d
BBL 0x40ec19 unnamedImageEntryPont (3):
ea eax, ptr |ed+ed*1+0x8|
cmp eax, 0x400
|nbe 0x40ec37
BBL 0x40ec24 unnamedImageEntryPont (1):
ca 0x40f3e0
BBL 0x403654 .text (2):
cmp dword ptr ss:|ebp+0x10|, es
|z 0x40367d
BBL 0x4077bd unnamedImageEntryPont (2):
mov eax, ed
ca 0x40689d
2
BBL 0x402c40 .text (5):
mov eax, dword ptr ss:|esp+0x4|
mov ecx, dword ptr ds:|ecx+0xac|
push eax
push ecx
ca 0x402540
65
BBL 0x403730 .text (7):
mov dword ptr ds:|es+0xc|, ed
mov eax, ebx
pop ed
pop es
pop ebx
pop ebp
ret
2
BBL 0x40e8da unnamedImageEntryPont (2):
test dword ptr ss:|ebp+0xc|, 0x400
|z 0x40e90c
BBL 0x40e90c unnamedImageEntryPont (2):
cmp ecx, ebx
|e 0x40e955
2
BBL 0x40e910 unnamedImageEntryPont (6):
push 0xe0
xor edx, edx
pop eax
dv ecx
cmp eax, 0x2
|b 0x40e955
2
29
BBL 0x409e17 unnamedImageEntryPont (1):
ca 0x40d3ac
BBL 0x40d3ac unnamedImageEntryPont (2):
cmp dword ptr ds:|0x4161ec|, 0x0
|nz 0x40d3c7
BBL 0x40d3b5 unnamedImageEntryPont (2):
push 0xfd
ca 0x40d212
BBL 0x40b0fb unnamedImageEntryPont (5):
mov eax, ed
pop ed
pop es
pop ebp
ret
47
BBL 0x40153c .text (3):
mov ecx, eax
cmp ebp, ecx
|b 0x401573
BBL 0x40cdb0 unnamedImageEntryPont (4):
mov byte ptr ss:|ebp+eax*1-0x104|, a
nc eax
cmp eax, ed
|b 0x40cdb0
255
BBL 0x40cdbc unnamedImageEntryPont (4):
mov a, byte ptr ss:|ebp-0x512|
mov byte ptr ss:|ebp-0x104|, 0x20
test a, a
|z 0x40cdfb
BBL 0x40a4ad unnamedImageEntryPont (2):
mov dword ptr ds:|es|, ed
|mp 0x40a4b8
2
BBL 0x40a4b8 unnamedImageEntryPont (2):
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
ca 0x40a4cd
2
BBL 0x4088ec unnamedImageEntryPont (1):
ca 0x40689d
BBL 0x40a186 unnamedImageEntryPont (1):
xor ebx, ebx
BBL 0x407461 unnamedImageEntryPont (3):
movsx eax, a
cmp eax, 0x53
|ne 0x40750f
2
BBL 0x40750f unnamedImageEntryPont (2):
sub eax, 0x54
|z 0x407570
2
BBL 0x4097f7 unnamedImageEntryPont (3):
mov ed, ed
push es
ca 0x40872e
BBL 0x40a413 unnamedImageEntryPont (3):
push 0xc
push 0x412918
ca 0x406858
2
BBL 0x407a5a unnamedImageEntryPont (3):
mov eax, dword ptr ds:|es+0x8|
test byte ptr ds:|eax+0x70|, 0x2
|nz 0x407a77
115
5
BBL 0x40ec29 unnamedImageEntryPont (3):
mov eax, esp
cmp eax, ebx
|z 0x40ec4b
BBL 0x403b35 .text (2):
pop ecx
ret
2
2
BBL 0x40e992 unnamedImageEntryPont (3):
mov dword ptr ss:|ebp-0x8|, eax
push es
ca 0x40e1d7
2
47
BBL 0x407652 unnamedImageEntryPont (7):
push 0x180
push dword ptr ss:|ebp+0x10|
ea eax, ptr |ebp-0x10|
push dword ptr ss:|ebp+0xc|
push dword ptr ss:|ebp+0x8|
push eax
ca 0x40c758
2
BBL 0x40c758 unnamedImageEntryPont (10):
mov ed, ed
push ebp
mov ebp, esp
push 0x1
push dword ptr ss:|ebp+0x8|
push dword ptr ss:|ebp+0x18|
push dword ptr ss:|ebp+0x14|
push dword ptr ss:|ebp+0x10|
push dword ptr ss:|ebp+0xc|
ca 0x40c68c
2
42
BBL 0x406b96 unnamedImageEntryPont (2):
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
ca 0x406bab
2
BBL 0x4062ff unnamedImageEntryPont (4):
shr ecx, 0x2
and edx, 0x3
cmp ecx, 0x8
|b 0x406334
6
BBL 0x40630a unnamedImageEntryPont (2):
rep movsd
|mp dword ptr ds:|edx*4+0x406424|
3
3
BBL 0x406ced unnamedImageEntryPont (6):
mov ecx, dword ptr ds:|es|
dec dword ptr ds:|es+0x4|
movzx eax, byte ptr ds:|ecx|
nc ecx
mov dword ptr ds:|es|, ecx
|mp 0x406d0d
BBL 0x40e96f unnamedImageEntryPont (2):
test eax, eax
|z 0x40e995
BBL 0x40e973 unnamedImageEntryPont (4):
push ebx
push ebx
cmp dword ptr ss:|ebp+0x1c|, ebx
|nz 0x40e97e
2
BBL 0x40e97e unnamedImageEntryPont (7):
push dword ptr ss:|ebp+0x1c|
push dword ptr ss:|ebp+0x18|
push dword ptr ss:|ebp-0x8|
push es
push ebx
push dword ptr ss:|ebp+0x20|
ca dword ptr ds:|0x41004c|
2
BBL 0x404484 .text (2):
cmp dword ptr ds:|eax+0x400074|, 0xe
|be 0x40449d
BBL 0x40448d .text (5):
xor ecx, ecx
cmp dword ptr ds:|eax+0x4000e8|, ecx
setnz c
mov dword ptr ss:|ebp-0x1c|, ecx
|mp 0x4044a1
BBL 0x4044a1 .text (2):
push 0x1
ca 0x40a294
BBL 0x406175 unnamedImageEntryPont (1):
pop ed
BBL 0x406176 unnamedImageEntryPont (8):
mov eax, dword ptr ds:|es+0x8|
and dword ptr ds:|es+0x4|, 0x0
mov dword ptr ds:|es|, eax
pop es
mov eax, ebx
pop ebx
pop ebp
ret
BBL 0x4061a1 unnamedImageEntryPont (3):
pop ecx
test eax, eax
|z 0x4061ab
3
BBL 0x4036ff .text (3):
push es
mov ebx, eax
ca 0x406bb5
2
BBL 0x40a00f unnamedImageEntryPont (6):
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
push 0x40
push 0x20
pop es
push es
ca 0x40b0b5
BBL 0x40b0b5 unnamedImageEntryPont (10):
mov ed, ed
push ebp
mov ebp, esp
push es
push ed
xor es, es
push 0x0
push dword ptr ss:|ebp+0xc|
push dword ptr ss:|ebp+0x8|
ca 0x40de9e
BBL 0x4066c0 unnamedImageEntryPont (4):
mov dword ptr ds:|0x417200|, eax
push 0x4
push eax
ca 0x40b0b5
BBL 0x40de9e unnamedImageEntryPont (3):
push 0xc
push 0x412ae0
ca 0x406858
47
BBL 0x409f75 unnamedImageEntryPont (2):
test eax, eax
|nz 0x409f85
BBL 0x40e91c unnamedImageEntryPont (3):
ea eax, ptr |ecx+ecx*1+0x8|
cmp eax, 0x400
|nbe 0x40e93d
BBL 0x40e927 unnamedImageEntryPont (1):
ca 0x40f3e0
2
BBL 0x40f3e0 unnamedImageEntryPont (9):
push ecx
ea ecx, ptr |esp+0x8|
sub ecx, eax
and ecx, 0xf
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
|mp 0x40b720
2
BBL 0x408be6 unnamedImageEntryPont (2):
test eax, eax
|z 0x408c4f
BBL 0x408bea unnamedImageEntryPont (3):
push 0x40899d
push dword ptr ds:|0x415628|
ca 0x408737
BBL 0x40bb28 unnamedImageEntryPont (2):
pop ecx
ret
2
BBL 0x40bfc0 unnamedImageEntryPont (4):
mov ecx, dword ptr ss:|ebp+0x10|
mov eax, 0x8000
test eax, ecx
|nz 0x40bfdd
BBL 0x40bfdd unnamedImageEntryPont (6):
mov eax, ecx
and eax, 0x3
sub eax, ebx
mov edx, 0xc0000000
mov ed, 0x80000000
|z 0x40c037
2
BBL 0x40bff0 unnamedImageEntryPont (2):
dec eax
|z 0x40c021
BBL 0x40c037 unnamedImageEntryPont (1):
mov dword ptr ss:|ebp-0x8|, ed
BBL 0x40d021 unnamedImageEntryPont (3):
mov eax, dword ptr ss:|ebp-0x8|
and dword ptr ds:|eax+0x70|, 0xfd
mov eax, es
BBL 0x40e7ab unnamedImageEntryPont (2):
test eax, eax
|z 0x40e7b7
BBL 0x406b46 unnamedImageEntryPont (10):
mov ecx, eax
sar ecx, 0x5
ea ebx, ptr |ecx*4+0x4160e0|
mov es, eax
and es, 0x1f
sh es, 0x6
mov ecx, dword ptr ds:|ebx|
movsx ecx, byte ptr ds:|ecx+es*1+0x4|
and ecx, 0x1
|z 0x406b25
2
BBL 0x406b66 unnamedImageEntryPont (2):
push eax
ca 0x40b8c9
2
BBL 0x40370d .text (2):
push eax
ca 0x406ae8
BBL 0x406ae8 unnamedImageEntryPont (3):
push 0x10
push 0x4127a8
ca 0x406858
2
2
BBL 0x4062f7 unnamedImageEntryPont (2):
test ed, 0x3
|nz 0x406314
7
BBL 0x4062d8 unnamedImageEntryPont (2):
cmp dword ptr ds:|0x4161f8|, 0x0
|z 0x4062f7
4
2
9
BBL 0x4062e1 unnamedImageEntryPont (8):
push ed
push es
and ed, 0xf
and es, 0xf
cmp ed, es
pop es
pop ed
|nz 0x4062f7
4
BBL 0x409d33 unnamedImageEntryPont (4):
xor ebx, ebx
nc ebx
xor ecx, ecx
|mp 0x409d3c
68
BBL 0x40ce3b unnamedImageEntryPont (13):
add esp, 0x44
push ebx
push dword ptr ds:|es+0x4|
ea eax, ptr |ebp-0x304|
push ed
push eax
push ed
ea eax, ptr |ebp-0x104|
push eax
push 0x200
push dword ptr ds:|es+0xc|
push ebx
ca 0x40eb18
BBL 0x40eb18 unnamedImageEntryPont (7):
mov ed, ed
push ebp
mov ebp, esp
sub esp, 0x10
push dword ptr ss:|ebp+0x8|
ea ecx, ptr |ebp-0x10|
ca 0x4079f7
2
BBL 0x4088cf unnamedImageEntryPont (4):
mov eax, dword ptr ds:|0x414df8|
mov dword ptr ds:|es+0x6c|, eax
push dword ptr ds:|es+0x6c|
ca 0x40d513
BBL 0x4034df .text (10):
mov ed, ed
push ebp
mov ebp, esp
sub esp, 0xc
push ebx
push es
push ed
xor ed, ed
cmp dword ptr ss:|ebp+0xc|, ed
|z 0x403515
BBL 0x404118 .text (3):
mov eax, dword ptr ds:|ecx-0x4|
test a, a
|z 0x404151
14
BBL 0x40411f .text (2):
test ah, ah
|z 0x404147
72
32
BBL 0x404123 .text (2):
test eax, 0xff0000
|z 0x40413d
40
BBL 0x40c179 unnamedImageEntryPont (12):
mov eax, dword ptr ss:|ebp+0x8|
mov ed, dword ptr ds:|0x4100e8|
push ebx
push dword ptr ss:|ebp-0xc|
mov dword ptr ds:|eax|, 0x1
push dword ptr ss:|ebp-0x14|
ea eax, ptr |ebp-0x30|
push eax
push dword ptr ss:|ebp-0x10|
push dword ptr ss:|ebp-0x8|
push dword ptr ss:|ebp+0xc|
ca ed
BBL 0x40c19e unnamedImageEntryPont (3):
mov dword ptr ss:|ebp-0x1c|, eax
cmp eax, 0xff
|nz 0x40c213
2
BBL 0x40c213 unnamedImageEntryPont (2):
push dword ptr ss:|ebp-0x1c|
ca dword ptr ds:|0x4100a4|
2
BBL 0x409591 unnamedImageEntryPont (5):
mov ed, ed
push ebp
mov ebp, esp
push dword ptr ss:|ebp+0x8|
ca 0x409566
BBL 0x4066cd unnamedImageEntryPont (5):
pop ecx
pop ecx
mov dword ptr ds:|0x4161fc|, eax
test eax, eax
|nz 0x4066f6
BBL 0x4058cf unnamedImageEntryPont (7):
mov eax, dword ptr ss:|ebp+0x8|
and eax, 0xff
pop ed
pop ebx
pop es
eave
ret
BBL 0x404856 unnamedImageEntryPont (4):
pop ecx
mov dword ptr ss:|ebp-0x1c|, eax
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
ca 0x40486f
5
BBL 0x40b78a unnamedImageEntryPont (2):
sub eax, 0x0
|z 0x40b79f
BBL 0x40b78f unnamedImageEntryPont (2):
dec eax
|z 0x40b79a
2
BBL 0x40b792 unnamedImageEntryPont (2):
dec eax
|nz 0x40b7a8
2
BBL 0x40e845 unnamedImageEntryPont (3):
mov ed, eax
cmp ed, ebx
|z 0x40e9de
2
BBL 0x40a294 unnamedImageEntryPont (10):
mov ed, ed
push ebp
mov ebp, esp
xor eax, eax
cmp dword ptr ss:|ebp+0x8|, eax
push 0x0
setz a
push 0x1000
push eax
ca dword ptr ds:|0x4100ac|
BBL 0x403ac7 .text (1):
ca 0x407699
BBL 0x407699 unnamedImageEntryPont (3):
push 0x10
push 0x4127e8
ca 0x406858
2
2
2
BBL 0x406b79 unnamedImageEntryPont (2):
push dword ptr ss:|ebp+0x8|
ca 0x406a4c
2
2
BBL 0x40c5d8 unnamedImageEntryPont (2):
test byte ptr ss:|ebp+0x10|, 0x8
|z 0x40c5f9
2
BBL 0x407128 unnamedImageEntryPont (3):
mov eax, dword ptr ss:|ebp-0xc|
cmp eax, dword ptr ss:|ebp+0xc|
|z 0x407137
2
BBL 0x40d2f4 unnamedImageEntryPont (4):
mov cx, word ptr ds:|ebx+eax*2+0x10|
mov word ptr ds:|eax*2+0x415f44|, cx
nc eax
|mp 0x40d2ec
BBL 0x40d2ec unnamedImageEntryPont (3):
mov dword ptr ss:|ebp-0x1c|, eax
cmp eax, 0x5
|n 0x40d304
5 5
BBL 0x4044b5 .text (1):
ca 0x408acc
BBL 0x40600f unnamedImageEntryPont (3):
push 0x10
push 0x412760
ca 0x406858
BBL 0x40627d unnamedImageEntryPont (3):
pop ecx
pop ecx
ret
3
BBL 0x4046bf unnamedImageEntryPont (3):
mov eax, dword ptr ds:|0x4160d8|
cmp eax, 0x1
|nz 0x4046d7
7
BBL 0x40cf0d unnamedImageEntryPont (3):
push 0xc
push 0x412a60
ca 0x406858
BBL 0x401ca8 .text (2):
mov edx, dword ptr ds:|eax+0x50|
ca edx
65
3
2 2
BBL 0x4073ce unnamedImageEntryPont (2):
pop ecx
ret
2
BBL 0x4060e9 unnamedImageEntryPont (2):
pop ecx
ret
2
BBL 0x4060d8 unnamedImageEntryPont (2):
mov eax, dword ptr ss:|ebp-0x1c|
ca 0x40689d
BBL 0x408701 unnamedImageEntryPont (2):
test eax, eax
|nz 0x408710
BBL 0x408710 unnamedImageEntryPont (3):
push 0x41037c
push eax
ca dword ptr ds:|0x410068|
7
7
BBL 0x40976c unnamedImageEntryPont (3):
pop ecx
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
ca 0x409798
BBL 0x409798 unnamedImageEntryPont (2):
cmp dword ptr ss:|ebp+0x10|, 0x0
|z 0x4097a6
BBL 0x4097a6 unnamedImageEntryPont (1):
ret
BBL 0x405f40 unnamedImageEntryPont (7):
push 0x0
ea ecx, ptr |ebp-0x1ad4|
push ecx
push dword ptr ss:|ebp+0x10|
push dword ptr ss:|ebp-0x1acc|
push dword ptr ds:|eax|
ca dword ptr ds:|0x410048|
2
BBL 0x409cef unnamedImageEntryPont (2):
cmp b, 0x9
|nz 0x409c93
2
2
BBL 0x40412a .text (2):
test eax, 0xff000000
|z 0x404133
18
BBL 0x40413d .text (4):
ea eax, ptr |ecx-0x2|
mov ecx, dword ptr ss:|esp+0x4|
sub eax, ecx
ret
22
BBL 0x40152d .text (4):
mov edx, dword ptr ds:|es+0x18|
ea eax, ptr |es+0x4|
cmp edx, 0x10
|b 0x40153c
BBL 0x40cdae unnamedImageEntryPont (1):
xor eax, eax
BBL 0x404133 .text (4):
ea eax, ptr |ecx-0x1|
mov ecx, dword ptr ss:|esp+0x4|
sub eax, ecx
ret
9 9
BBL 0x408908 unnamedImageEntryPont (2):
pop ecx
ret
BBL 0x4036c1 .text (2):
pop ecx
ret
BBL 0x40a02b unnamedImageEntryPont (4):
mov dword ptr ds:|0x4160e0|, eax
mov dword ptr ds:|0x4160dc|, es
ea ecx, ptr |eax+0x800|
|mp 0x40a06e
5
BBL 0x406149 unnamedImageEntryPont (4):
push ed
push eax
push es
ca 0x4060eb
4
BBL 0x40cf47 unnamedImageEntryPont (2):
push 0xd
ca 0x40a4d6
BBL 0x407a39 unnamedImageEntryPont (3):
mov eax, dword ptr ds:|es+0x4|
cmp eax, dword ptr ds:|0x414c18|
|z 0x407a5a
115
BBL 0x40e86d unnamedImageEntryPont (3):
mov eax, esp
cmp eax, ebx
|z 0x40e88f
2
BBL 0x40e92c unnamedImageEntryPont (3):
mov es, esp
cmp es, ebx
|z 0x40e99c
2
2
BBL 0x40e932 unnamedImageEntryPont (3):
mov dword ptr ds:|es|, 0xcccc
add es, 0x8
|mp 0x40e957
2
BBL 0x406817 unnamedImageEntryPont (3):
pop ecx
pop ebp
ret
5 2
BBL 0x4037b4 .text (2):
pop ecx
ret
2
2
2
2
2
BBL 0x40d2c6 unnamedImageEntryPont (2):
push 0xd
ca 0x40a4d6
BBL 0x4076d4 unnamedImageEntryPont (4):
mov eax, dword ptr ds:|eax|
mov eax, dword ptr ds:|eax+0xc|
test a, 0x83
|nz 0x407725
8
6 2
BBL 0x40386d .text (1):
| 0x4039a8
4
BBL 0x406b81 unnamedImageEntryPont (3):
pop ecx
mov dword ptr ss:|ebp-0x1c|, eax
|mp 0x406b96
2
BBL 0x406ccf unnamedImageEntryPont (2):
cmp dword ptr ds:|es+0x18|, 0x200
|nz 0x406ced
BBL 0x409be4 unnamedImageEntryPont (2):
push es
ca 0x4040d0
BBL 0x4040d0 .text (3):
mov ecx, dword ptr ss:|esp+0x4|
test ecx, 0x3
|z 0x404100
43
BBL 0x404100 .text (8):
mov eax, dword ptr ds:|ecx|
mov edx, 0x7efefeff
add edx, eax
xor eax, 0xff
xor eax, edx
add ecx, 0x4
test eax, 0x81010100
|z 0x404100
20
BBL 0x4040dc .text (4):
mov a, byte ptr ds:|ecx|
add ecx, 0x1
test a, a
|z 0x404133
66
BBL 0x4058c1 unnamedImageEntryPont (2):
cmp dword ptr ss:|ebp-0x4|, ed
|z 0x4058cf
BBL 0x4086d4 unnamedImageEntryPont (3):
mov eax, dword ptr ds:|0x414588|
cmp eax, 0xff
|z 0x4086f5
38
BBL 0x4086f5 unnamedImageEntryPont (3):
mov es, 0x41038c
push es
ca dword ptr ds:|0x410064|
7
BBL 0x4086de unnamedImageEntryPont (3):
push eax
push dword ptr ds:|0x41458c|
ca es
31
BBL 0x40cfb1 unnamedImageEntryPont (9):
mov ed, ed
push ebp
mov ebp, esp
sub esp, 0x10
push ebx
xor ebx, ebx
push ebx
ea ecx, ptr |ebp-0x10|
ca 0x4079f7
2
115
BBL 0x40980d unnamedImageEntryPont (2):
push es
ca 0x40488c
BBL 0x40488c unnamedImageEntryPont (7):
mov ed, ed
push ebp
mov ebp, esp
mov eax, dword ptr ss:|ebp+0x8|
mov dword ptr ds:|0x415614|, eax
pop ebp
ret
BBL 0x409813 unnamedImageEntryPont (2):
push es
ca 0x40b266
BBL 0x40d212 unnamedImageEntryPont (3):
push 0x14
push 0x412a80
ca 0x406858
125
BBL 0x40ec73 unnamedImageEntryPont (5):
push dword ptr ss:|ebp+0x14|
push eax
push ebx
push dword ptr ss:|ebp+0x8|
ca dword ptr ds:|0x41011c|
BBL 0x40e22f unnamedImageEntryPont (3):
mov eax, dword ptr ds:|0x414e30|
cmp eax, 0xff
|z 0x40e241
4
BBL 0x401ad3 .text (5):
mov ebx, eax
mov eax, dword ptr ds:|ed|
mov edx, dword ptr ds:|eax+0x4c|
mov ecx, ed
ca edx
BBL 0x401c40 .text (6):
mov ebx, eax
mov eax, dword ptr ds:|es|
mov edx, dword ptr ds:|eax+0x4c|
mov ecx, es
mov dword ptr ss:|esp+0x18|, ebx
ca edx
5
BBL 0x401b27 .text (5):
mov edx, dword ptr ds:|ebx+0x54|
push eax
push ebp
mov ecx, ed
ca edx
5
21
42
BBL 0x40e8b9 unnamedImageEntryPont (8):
mov es, dword ptr ds:|0x410114|
push ebx
push ebx
push ed
push dword ptr ss:|ebp-0xc|
push dword ptr ss:|ebp+0xc|
push dword ptr ss:|ebp+0x8|
ca es
BBL 0x40e8cd unnamedImageEntryPont (4):
mov ecx, eax
mov dword ptr ss:|ebp-0x8|, ecx
cmp ecx, ebx
|z 0x40e99c
2
2
BBL 0x40e794 unnamedImageEntryPont (9):
push ebx
push ebx
xor ed, ed
nc ed
push ed
push 0x4112c0
push 0x100
push ebx
ca dword ptr ds:|0x410114|
BBL 0x40623b unnamedImageEntryPont (3):
pop ecx
cmp eax, 0xff
|z 0x40625f
BBL 0x406241 unnamedImageEntryPont (2):
nc dword ptr ss:|ebp-0x1c|
|mp 0x40625f
3
3
BBL 0x40c68c unnamedImageEntryPont (3):
push 0x14
push 0x412a20
ca 0x406858
2
BBL 0x40b266 unnamedImageEntryPont (7):
mov ed, ed
push ebp
mov ebp, esp
mov eax, dword ptr ss:|ebp+0x8|
mov dword ptr ds:|0x415f34|, eax
pop ebp
ret
BBL 0x40d066 unnamedImageEntryPont (2):
mov dword ptr ss:|ebp-0x1c|, es
xor eax, eax
BBL 0x4088c1 unnamedImageEntryPont (6):
pop ecx
mov dword ptr ss:|ebp-0x4|, ed
mov eax, dword ptr ss:|ebp+0xc|
mov dword ptr ds:|es+0x6c|, eax
test eax, eax
|nz 0x4088d7
BBL 0x409edb unnamedImageEntryPont (1):
ca es
BBL 0x40e812 unnamedImageEntryPont (3):
mov dword ptr ss:|ebp-0x8|, ebx
cmp dword ptr ss:|ebp+0x20|, ebx
|nz 0x40e822
2
BBL 0x40e822 unnamedImageEntryPont (12):
mov es, dword ptr ds:|0x41005c|
xor eax, eax
cmp dword ptr ss:|ebp+0x24|, ebx
push ebx
push ebx
push dword ptr ss:|ebp+0x14|
setnz a
push dword ptr ss:|ebp+0x10|
ea eax, ptr |eax*8+0x1|
push eax
push dword ptr ss:|ebp+0x20|
ca es
2
BBL 0x401964 .text (2):
mov eax, dword ptr ds:|edx+0x20|
ca eax
4
BBL 0x40450b .text (2):
test eax, eax
|n 0x404517
BBL 0x404517 .text (2):
push 0x1
ca 0x4095fc
BBL 0x4095fc unnamedImageEntryPont (5):
mov ed, ed
push ebp
mov ebp, esp
cmp dword ptr ds:|0x4161f0|, 0x0
|z 0x409623
5
BBL 0x40b77d unnamedImageEntryPont (4):
cmp dword ptr ds:|0x414064|, 0x1
push ebx
mov ebx, dword ptr ss:|ebp+0xc|
|nz 0x40b7a8
2
BBL 0x403b37 .text (7):
mov ed, ed
push ebp
mov ebp, esp
push 0x40
push dword ptr ss:|ebp+0xc|
push dword ptr ss:|ebp+0x8|
ca 0x403a73
BBL 0x403a73 .text (3):
push 0xc
push 0x412560
ca 0x406858
2
2
BBL 0x403b07 .text (5):
push eax
push dword ptr ss:|ebp+0x10|
push es
push ed
ca 0x4073d0
BBL 0x4073d0 unnamedImageEntryPont (14):
mov ed, ed
push ebp
mov ebp, esp
sub esp, 0x10
mov eax, dword ptr ds:|0x415f38|
push ebx
xor ebx, ebx
push es
mov es, dword ptr ss:|ebp+0xc|
mov dword ptr ss:|ebp-0x4|, eax
mov dword ptr ss:|ebp-0xc|, ebx
mov dword ptr ss:|ebp-0x8|, ebx
mov dword ptr ss:|ebp-0x10|, ebx
|mp 0x4073f3
2
2
BBL 0x409d82 unnamedImageEntryPont (3):
mov a, byte ptr ds:|es|
test a, a
|z 0x409ddd
70
2
BBL 0x405977 unnamedImageEntryPont (2):
cmp b, 0x1
|nz 0x4059ac
BBL 0x4059ac unnamedImageEntryPont (2):
test byte ptr ds:|eax+0x4|, 0x20
|z 0x4059c3
BBL 0x40d2a3 unnamedImageEntryPont (4):
mov dword ptr ds:|es+0x68|, ebx
push ebx
mov ed, dword ptr ds:|0x410000|
ca ed
BBL 0x40d0b9 unnamedImageEntryPont (2):
test eax, eax
|z 0x40d1f4
17
BBL 0x406211 unnamedImageEntryPont (3):
push eax
push es
ca 0x4067b8
3
BBL 0x4046c9 unnamedImageEntryPont (2):
test es, es
|z 0x4046d1
BBL 0x4046cd unnamedImageEntryPont (2):
mov eax, es
|mp 0x4046d4
7
7
42
BBL 0x409628 unnamedImageEntryPont (3):
push 0x410154
push 0x41013c
ca 0x4095d8
BBL 0x409d22 unnamedImageEntryPont (2):
cmp dword ptr ss:|ebp+0x8|, 0x0
|z 0x409d31
4
BBL 0x409d28 unnamedImageEntryPont (3):
mov eax, dword ptr ss:|ebp+0x8|
add dword ptr ss:|ebp+0x8|, 0x4
mov dword ptr ds:|eax|, edx
2
BBL 0x409d31 unnamedImageEntryPont (1):
nc dword ptr ds:|ecx|
2
BBL 0x40bb0c unnamedImageEntryPont (2):
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
ca 0x40bb21
2
BBL 0x40bb21 unnamedImageEntryPont (2):
push 0xb
ca 0x40a3fc
2
BBL 0x40619b unnamedImageEntryPont (2):
push es
ca 0x40611d
3
2
BBL 0x406136 unnamedImageEntryPont (2):
test eax, 0x108
|z 0x406176
3
65
BBL 0x406c5c unnamedImageEntryPont (3):
pop ecx
push eax
ca 0x4072d3
BBL 0x4072d3 unnamedImageEntryPont (3):
push 0x10
push 0x4127c8
ca 0x406858
2
2
42
BBL 0x40949f unnamedImageEntryPont (2):
dec ed
|nz 0x409495
1359 1359
BBL 0x4095c5 unnamedImageEntryPont (3):
mov eax, dword ptr ds:|es|
test eax, eax
|z 0x4095cd
9
BBL 0x4095d5 unnamedImageEntryPont (3):
pop es
pop ebp
ret
3
BBL 0x4031fe .text (4):
add esp, 0x10
mov dword ptr ss:|ebp-0x4cc|, eax
cmp dword ptr ss:|ebp-0x4cc|, 0x0
|nbe 0x403212
5
2
BBL 0x406791 unnamedImageEntryPont (6):
mov ecx, es
sub ecx, eax
sar ecx, 0x5
add ecx, 0x10
push ecx
ca 0x40a4d6
8
BBL 0x402536 .text (2):
add esp, 0xc
ret
2
4
18
2
BBL 0x40a021 unnamedImageEntryPont (4):
pop ecx
pop ecx
cmp eax, ed
|z 0x40a23f
11 11
BBL 0x409f59 unnamedImageEntryPont (2):
push eax
ca 0x40b070
BBL 0x406298 unnamedImageEntryPont (1):
ca 0x40689d
BBL 0x40cf1e unnamedImageEntryPont (4):
mov ed, eax
mov eax, dword ptr ds:|0x414d14|
test dword ptr ds:|ed+0x70|, eax
|z 0x40cf47
BBL 0x407a0f unnamedImageEntryPont (8):
mov dword ptr ds:|es+0x8|, eax
mov ecx, dword ptr ds:|eax+0x6c|
mov dword ptr ds:|es|, ecx
mov ecx, dword ptr ds:|eax+0x68|
mov dword ptr ds:|es+0x4|, ecx
mov ecx, dword ptr ds:|es|
cmp ecx, dword ptr ds:|0x414df8|
|z 0x407a39
115
47
BBL 0x409779 unnamedImageEntryPont (2):
cmp dword ptr ss:|ebp+0x10|, 0x0
|nz 0x4097a7
BBL 0x40977f unnamedImageEntryPont (3):
mov dword ptr ds:|0x41599c|, ebx
push 0x8
ca 0x40a3fc
BBL 0x4073c6 unnamedImageEntryPont (2):
push dword ptr ss:|ebp+0x8|
ca 0x40b969
2
2
BBL 0x4096c0 unnamedImageEntryPont (2):
push dword ptr ds:|0x4161e8|
ca 0x408737
BBL 0x4044e6 .text (2):
mov dword ptr ds:|0x417204|, eax
ca 0x409ebd
BBL 0x409ebd unnamedImageEntryPont (13):
mov ed, ed
push ebp
mov ebp, esp
mov eax, dword ptr ds:|0x415dc0|
sub esp, 0xc
push ebx
push es
mov es, dword ptr ds:|0x41009c|
push ed
xor ebx, ebx
xor ed, ed
cmp eax, ebx
|nz 0x409f09
BBL 0x406ae2 unnamedImageEntryPont (5):
xor eax, eax
pop ed
pop es
pop ebp
ret
2
BBL 0x4024f0 .text (6):
push es
mov es, ecx
mov ecx, dword ptr ds:|es+0xac|
ea eax, ptr |es+0x60|
cmp ecx, eax
|nz 0x402517
BBL 0x406cbf unnamedImageEntryPont (4):
mov a, byte ptr ds:|eax+0x4|
and a, 0x82
cmp a, 0x82
|nz 0x406ccf
BBL 0x4058a1 unnamedImageEntryPont (4):
mov eax, dword ptr ds:|es+0x8|
mov c, byte ptr ss:|ebp+0x8|
mov byte ptr ds:|eax|, c
|mp 0x4058c1
BBL 0x406151 unnamedImageEntryPont (3):
pop ecx
push eax
ca 0x40600f
BBL 0x4066a6 unnamedImageEntryPont (6):
mov eax, dword ptr ds:|0x417200|
push es
push 0x14
pop es
test eax, eax
|nz 0x4066ba
BBL 0x4066b3 unnamedImageEntryPont (2):
mov eax, 0x200
|mp 0x4066c0
BBL 0x403a4c .text (2):
push dword ptr ss:|ebp+0x18|
ca 0x4067ea
5
BBL 0x40ec6f unnamedImageEntryPont (2):
test eax, eax
|z 0x40ec84
BBL 0x4039d6 .text (2):
cmp dword ptr ss:|ebp+0x14|, es
|z 0x403a0d
BBL 0x4039db .text (2):
cmp dword ptr ss:|ebp+0x18|, es
|nz 0x403a15
5
BBL 0x403a15 .text (2):
push dword ptr ss:|ebp+0x18|
ca 0x406777
5
BBL 0x40c02e unnamedImageEntryPont (2):
mov dword ptr ss:|ebp-0x8|, 0x40000000
|mp 0x40c03a
BBL 0x40c03a unnamedImageEntryPont (5):
mov eax, dword ptr ss:|ebp+0x14|
push 0x10
pop ecx
sub eax, ecx
|z 0x40c07b
BBL 0x40c044 unnamedImageEntryPont (2):
sub eax, ecx
|z 0x40c072
2
BBL 0x4047e2 unnamedImageEntryPont (2):
push dword ptr ss:|ebp+0x8|
ca 0x4086bc
5
5
BBL 0x4061c8 unnamedImageEntryPont (4):
xor eax, eax
pop es
pop ebp
ret
3 2
BBL 0x40615f unnamedImageEntryPont (3):
mov eax, dword ptr ds:|es+0xc|
test a, a
|ns 0x406175
BBL 0x40d587 unnamedImageEntryPont (3):
add ebx, 0x10
dec dword ptr ss:|ebp+0x8|
|nz 0x40d565
5
BBL 0x40d58f unnamedImageEntryPont (4):
mov eax, dword ptr ds:|ed+0xd4|
add eax, 0xb4
push eax
ca es
BBL 0x40d577 unnamedImageEntryPont (2):
cmp dword ptr ds:|ebx-0x4|, 0x0
|z 0x40d587
5
BBL 0x40d56e unnamedImageEntryPont (3):
mov eax, dword ptr ds:|ebx|
test eax, eax
|z 0x40d577
BBL 0x40d59d unnamedImageEntryPont (5):
pop ed
pop es
pop ebx
pop ebp
ret
BBL 0x4088ae unnamedImageEntryPont (2):
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
ca 0x4088f8
BBL 0x4088f8 unnamedImageEntryPont (2):
push 0xd
ca 0x40a3fc
BBL 0x409819 unnamedImageEntryPont (2):
push es
ca 0x40db47
BBL 0x40db47 unnamedImageEntryPont (7):
mov ed, ed
push ebp
mov ebp, esp
mov eax, dword ptr ss:|ebp+0x8|
mov dword ptr ds:|0x415fd0|, eax
pop ebp
ret
2
BBL 0x40b761 unnamedImageEntryPont (9):
mov ecx, eax
sar ecx, 0x5
mov es, eax
and es, 0x1f
ea ed, ptr |ecx*4+0x4160e0|
mov ecx, dword ptr ds:|ed|
sh es, 0x6
cmp dword ptr ds:|es+ecx*1|, 0xff
|nz 0x40b7b2
2
2 2
BBL 0x406c92 unnamedImageEntryPont (3):
pop ecx
cmp eax, 0xfe
|z 0x406cba
BBL 0x406c9e unnamedImageEntryPont (4):
sar eax, 0x5
push es
ea ed, ptr |eax*4+0x4160e0|
ca 0x4060eb
BBL 0x406cae unnamedImageEntryPont (6):
and eax, 0x1f
pop ecx
sh eax, 0x6
add eax, dword ptr ds:|ed|
pop ecx
|mp 0x406cbf
BBL 0x405788 unnamedImageEntryPont (5):
mov dword ptr ss:|ebp+0xc|, eax
mov eax, dword ptr ds:|es+0xc|
pop ecx
test a, 0x82
|nz 0x4057aa
BBL 0x406c98 unnamedImageEntryPont (2):
push es
ca 0x4060eb
2
BBL 0x403ae0 .text (3):
mov dword ptr ss:|ebp-0x4|, ebx
cmp byte ptr ds:|ed|, b
|nz 0x403b07
2
BBL 0x408823 unnamedImageEntryPont (3):
push 0xc
push 0x412808
ca 0x406858
BBL 0x40b930 unnamedImageEntryPont (2):
cmp dword ptr ss:|ebp-0x1c|, ebx
|z 0x40b952
5
BBL 0x40b935 unnamedImageEntryPont (8):
mov eax, ed
sar eax, 0x5
and ed, 0x1f
sh ed, 0x6
mov eax, dword ptr ds:|eax*4+0x4160e0|
ea eax, ptr |eax+ed*1+0xc|
push eax
ca dword ptr ds:|0x410014|
5
2
BBL 0x40d0ae unnamedImageEntryPont (4):
ea eax, ptr |ebp-0x18|
push eax
push ed
ca dword ptr ds:|0x4100f0|
BBL 0x4087e2 unnamedImageEntryPont (3):
mov eax, es
pop es
ret
117
BBL 0x40d2cd unnamedImageEntryPont (9):
pop ecx
and dword ptr ss:|ebp-0x4|, 0x0
mov eax, dword ptr ds:|ebx+0x4|
mov dword ptr ds:|0x415f50|, eax
mov eax, dword ptr ds:|ebx+0x8|
mov dword ptr ds:|0x415f54|, eax
mov eax, dword ptr ds:|ebx+0xc|
mov dword ptr ds:|0x415f58|, eax
xor eax, eax
7
BBL 0x408999 unnamedImageEntryPont (3):
mov eax, es
pop es
ret
115
BBL 0x40d227 unnamedImageEntryPont (3):
mov ed, eax
mov dword ptr ss:|ebp-0x24|, ed
ca 0x40cf0d
BBL 0x40a365 unnamedImageEntryPont (2):
cmp dword ptr ds:|es*8+0x4146bc|, 0x1
|nz 0x40a38d
BBL 0x40a38d unnamedImageEntryPont (3):
nc es
cmp es, 0x24
| 0x40a365
22
BBL 0x40a36f unnamedImageEntryPont (6):
ea eax, ptr |es*8+0x4146b8|
mov dword ptr ds:|eax|, ed
push 0xfa0
push dword ptr ds:|eax|
add ed, 0x18
ca 0x40cb50
14
BBL 0x40c74f unnamedImageEntryPont (2):
push dword ptr ds:|ed|
ca 0x40b969
2
BBL 0x40a393 unnamedImageEntryPont (5):
xor eax, eax
nc eax
pop ed
pop es
ret
7
BBL 0x4086e7 unnamedImageEntryPont (1):
ca eax
31
5
BBL 0x40e8a0 unnamedImageEntryPont (7):
push ed
push dword ptr ss:|ebp-0xc|
push dword ptr ss:|ebp+0x14|
push dword ptr ss:|ebp+0x10|
push 0x1
push dword ptr ss:|ebp+0x20|
ca es
2
BBL 0x40e8b1 unnamedImageEntryPont (2):
test eax, eax
|z 0x40e99c
2
BBL 0x40a455 unnamedImageEntryPont (2):
mov eax, ed
|mp 0x40a4c7
2
BBL 0x406235 unnamedImageEntryPont (2):
push eax
ca 0x406185
BBL 0x406185 unnamedImageEntryPont (7):
mov ed, ed
push ebp
mov ebp, esp
push es
mov es, dword ptr ss:|ebp+0x8|
test es, es
|nz 0x40619b
3
3
BBL 0x4096f6 unnamedImageEntryPont (1):
ca 0x40872e
5
BBL 0x40c021 unnamedImageEntryPont (2):
test c, 0x8
|z 0x40c02e
BBL 0x40981f unnamedImageEntryPont (2):
push es
ca 0x40d935
BBL 0x406746 unnamedImageEntryPont (4):
add ecx, 0x20
nc edx
cmp ecx, 0x414270
| 0x406720
BBL 0x406720 unnamedImageEntryPont (9):
mov eax, edx
sar eax, 0x5
mov eax, dword ptr ds:|eax*4+0x4160e0|
mov ed, edx
and ed, 0x1f
sh ed, 0x6
mov eax, dword ptr ds:|ed+eax*1|
cmp eax, 0xff
|z 0x406744
2
BBL 0x406752 unnamedImageEntryPont (4):
pop ed
xor eax, eax
pop es
ret
BBL 0x40673c unnamedImageEntryPont (2):
cmp eax, es
|z 0x406744
3
2
BBL 0x40384e .text (1):
mov dword ptr ss:|ebp-0xc|, 0x1000
BBL 0x4096a8 unnamedImageEntryPont (5):
mov dword ptr ds:|0x415998|, ebx
mov a, byte ptr ss:|ebp+0x10|
mov byte ptr ds:|0x415994|, a
cmp dword ptr ss:|ebp+0xc|, 0x0
|nz 0x40975d
BBL 0x4044e0 .text (1):
ca dword ptr ds:|0x410024|
BBL 0x406aba unnamedImageEntryPont (9):
mov eax, es
sar eax, 0x5
mov eax, dword ptr ds:|eax*4+0x4160e0|
and es, 0x1f
sh es, 0x6
pop ecx
mov byte ptr ds:|eax+es*1+0x4|, 0x0
test ed, ed
|z 0x406ae2
2
6
BBL 0x409bdb unnamedImageEntryPont (3):
mov es, dword ptr ds:|0x415600|
push ebx
|mp 0x409c26
43
BBL 0x405887 unnamedImageEntryPont (2):
test byte ptr ds:|eax+0x4|, 0x20
|z 0x4058a1
BBL 0x4019fb .text (6):
mov edx, dword ptr ds:|es|
mov eax, dword ptr ds:|edx+0x54|
push ebx
push ecx
mov ecx, es
ca eax
4
BBL 0x406f30 unnamedImageEntryPont (5):
mov eax, dword ptr ds:|ed|
add dword ptr ss:|ebp-0x10|, ecx
ea eax, ptr |es+eax*1+0x4|
test byte ptr ds:|eax|, 0x80
|z 0x407128
2
2
4
BBL 0x40a447 unnamedImageEntryPont (4):
mov es, dword ptr ss:|ebp+0x8|
ea es, ptr |es*8+0x4146b8|
cmp dword ptr ds:|es|, ebx
|z 0x40a459
4
2
2
5
BBL 0x40eb54 unnamedImageEntryPont (4):
mov ecx, dword ptr ss:|ebp-0x8|
and dword ptr ds:|ecx+0x70|, 0xfd
eave
ret
2
BBL 0x408c13 unnamedImageEntryPont (5):
mov es, eax
pop ecx
pop ecx
test es, es
|z 0x408c4f
35
BBL 0x4061ab unnamedImageEntryPont (2):
test dword ptr ds:|es+0xc|, 0x4000
|z 0x4061c8
3
BBL 0x407385 unnamedImageEntryPont (4):
push dword ptr ss:|ebp+0x10|
push dword ptr ss:|ebp+0xc|
push dword ptr ss:|ebp+0x8|
ca 0x406d11
2
BBL 0x406d11 unnamedImageEntryPont (13):
mov ed, ed
push ebp
mov ebp, esp
sub esp, 0x1c
mov edx, dword ptr ss:|ebp+0x10|
push es
mov es, dword ptr ss:|ebp+0x8|
push 0xfe
pop eax
mov dword ptr ss:|ebp-0x14|, eax
mov dword ptr ss:|ebp-0x1c|, edx
cmp es, eax
|nz 0x406d48
2
BBL 0x401e33 .text (2):
add esp, 0x10
ret
BBL 0x401b4a .text (5):
mov eax, dword ptr ds:|ed|
mov edx, dword ptr ds:|eax+0x18|
add esp, 0x8
mov ecx, ed
ca edx
6
BBL 0x40ec05 unnamedImageEntryPont (3):
mov ed, eax
cmp ed, ebx
|z 0x40ecba
BBL 0x403140 .text (23):
push ebx
mov ebx, esp
sub esp, 0x8
and esp, 0xf8
add esp, 0x4
push ebp
mov ebp, dword ptr ds:|ebx+0x4|
mov dword ptr ss:|esp+0x4|, ebp
mov ebp, esp
push 0xff
push 0x40f89b
mov eax, dword ptr fs:|0x0|
push eax
push ebx
sub esp, 0x4d8
mov eax, dword ptr ds:|0x414034|
xor eax, ebp
mov dword ptr ss:|ebp-0x14|, eax
push eax
ea eax, ptr |ebp-0xc|
mov dword ptr fs:|0x0|, eax
cmp dword ptr ds:|ebx+0x8|, 0x3
|n 0x403199
BBL 0x403199 .text (5):
push 0x4101f8
mov eax, dword ptr ds:|ebx+0xc|
mov ecx, dword ptr ds:|eax+0x4|
push ecx
ca 0x403b37
BBL 0x401910 .text (23):
push 0xff
push 0x40faa8
mov eax, dword ptr fs:|0x0|
push eax
sub esp, 0x50
push ebx
push ebp
push es
push ed
mov eax, dword ptr ds:|0x414034|
xor eax, esp
push eax
ea eax, ptr |esp+0x64|
mov dword ptr fs:|0x0|, eax
mov es, ecx
mov eax, dword ptr ds:|es+0x4|
mov ebx, dword ptr ss:|esp+0x78|
mov edx, dword ptr ds:|es+0x8|
ea ecx, ptr |eax+ebx*1|
mov dword ptr ss:|esp+0x14|, eax
mov dword ptr ds:|es+0x4|, ecx
cmp ecx, eax
|nb 0x401957
BBL 0x401957 .text (4):
cmp dword ptr ds:|es+0x8|, edx
mov edx, dword ptr ds:|es|
mov ecx, es
|b 0x401a29
4
4
BBL 0x4090e0 unnamedImageEntryPont (1):
ca 0x40907e
BBL 0x40b759 unnamedImageEntryPont (2):
cmp eax, dword ptr ds:|0x4160dc|
|nb 0x40b7b2
2
2
BBL 0x40477e unnamedImageEntryPont (5):
mov ebx, es
sub ebx, ed
ea eax, ptr |ebx+0x4|
cmp eax, 0x4
|b 0x404801
BBL 0x40478a unnamedImageEntryPont (2):
push ed
ca 0x40afcd
5
BBL 0x40afcd unnamedImageEntryPont (3):
push 0x10
push 0x412938
ca 0x406858
5
BBL 0x408c34 unnamedImageEntryPont (3):
push 0x0
push es
ca 0x408823
BBL 0x409d41 unnamedImageEntryPont (2):
cmp byte ptr ds:|es|, 0x22
|nz 0x409d6c
BBL 0x409d6c unnamedImageEntryPont (2):
test ecx, ecx
|z 0x409d82
72
72
BBL 0x406f1c unnamedImageEntryPont (3):
mov ecx, dword ptr ss:|ebp-0x18|
cmp ecx, ebx
| 0x407297
BBL 0x406f27 unnamedImageEntryPont (2):
cmp ecx, dword ptr ss:|ebp+0x10|
|nbe 0x407297
2
2
BBL 0x4086e9 unnamedImageEntryPont (2):
test eax, eax
|z 0x4086f5
31
BBL 0x40b006 unnamedImageEntryPont (2):
cmp dword ptr ds:|0x4160d8|, 0x3
|nz 0x40b047
5
BBL 0x40b047 unnamedImageEntryPont (4):
push ebx
push ed
push dword ptr ds:|0x415dc4|
ca dword ptr ds:|0x4100cc|
5
BBL 0x40322b .text (1):
|mp 0x4031e7
4
BBL 0x4040ed .text (3):
add eax, 0x0
ea esp, ptr |esp|
ea esp, ptr |esp|
66
86
624
BBL 0x406c48 unnamedImageEntryPont (2):
pop ecx
|mp 0x406c50
BBL 0x406740 unnamedImageEntryPont (2):
test eax, eax
|nz 0x406746
3
20
3
BBL 0x40371f .text (3):
mov eax, dword ptr ds:|es+0x1c|
cmp eax, ed
|z 0x403730
2
BBL 0x40c72f unnamedImageEntryPont (2):
cmp dword ptr ss:|ebp-0x20|, es
|z 0x40c74f
2
BBL 0x40b990 unnamedImageEntryPont (3):
push 0x18
push 0x412998
ca 0x406858
2
5
BBL 0x408901 unnamedImageEntryPont (2):
push 0xc
ca 0x40a3fc
BBL 0x40581c unnamedImageEntryPont (4):
pop ecx
test dword ptr ds:|es+0xc|, 0x108
push ed
|z 0x4058ab
BBL 0x40582b unnamedImageEntryPont (10):
mov eax, dword ptr ds:|es+0x8|
mov ed, dword ptr ds:|es|
ea ecx, ptr |eax+0x1|
mov dword ptr ds:|es|, ecx
mov ecx, dword ptr ds:|es+0x18|
sub ed, eax
dec ecx
cmp ed, ebx
mov dword ptr ds:|es+0x4|, ecx
|e 0x40585f
BBL 0x40585f unnamedImageEntryPont (3):
mov ecx, dword ptr ss:|ebp+0xc|
cmp ecx, 0xff
|z 0x405882
BBL 0x40349f .text (5):
mov ed, ed
push ebp
mov ebp, esp
push dword ptr ss:|ebp+0x8|
ca dword ptr ds:|0x41000c|
4
BBL 0x4034ad .text (2):
pop ebp
ret
4
BBL 0x40b818 unnamedImageEntryPont (2):
dec ecx
|nz 0x40b82e
BBL 0x40b82e unnamedImageEntryPont (4):
mov eax, dword ptr ds:|ed|
or dword ptr ds:|es+eax*1|, 0xff
xor eax, eax
|mp 0x40b84d
2
BBL 0x40b84d unnamedImageEntryPont (5):
pop ed
pop es
pop ebx
pop ebp
ret
2
BBL 0x404814 unnamedImageEntryPont (3):
mov es, eax
push es
ca 0x4086bc
BBL 0x4062a5 unnamedImageEntryPont (2):
pop ecx
ret
BBL 0x40628c unnamedImageEntryPont (3):
cmp dword ptr ss:|ebp+0x8|, 0x1
mov eax, dword ptr ss:|ebp-0x1c|
|z 0x406298
2
BBL 0x40d0d0 unnamedImageEntryPont (7):
xor edx, edx
nc edx
add esp, 0xc
mov dword ptr ds:|ebx+0x4|, ed
mov dword ptr ds:|ebx+0xc|, es
cmp dword ptr ss:|ebp-0x18|, edx
|be 0x40d1dd
BBL 0x40ec5d unnamedImageEntryPont (8):
add esp, 0xc
push ed
push ebx
push dword ptr ss:|ebp+0x10|
push dword ptr ss:|ebp+0xc|
push 0x1
push dword ptr ss:|ebp+0x18|
ca es
BBL 0x402514 .text (6):
add esp, 0xc
mov ecx, dword ptr ds:|es+0x5c|
ea eax, ptr |es+0x10|
pop es
cmp ecx, eax
|nz 0x402539
20
BBL 0x406802 unnamedImageEntryPont (6):
and dword ptr ds:|eax+0xc|, 0xffff7fff
sub eax, ecx
sar eax, 0x5
add eax, 0x10
push eax
ca 0x40a3fc
10
BBL 0x40e95b unnamedImageEntryPont (7):
push dword ptr ss:|ebp-0x8|
push es
push ed
push dword ptr ss:|ebp-0xc|
push dword ptr ss:|ebp+0xc|
push dword ptr ss:|ebp+0x8|
ca dword ptr ds:|0x410114|
2
BBL 0x408c07 unnamedImageEntryPont (3):
push 0x214
push 0x1
ca 0x40b0b5
BBL 0x406de5 unnamedImageEntryPont (2):
dec eax
|nz 0x406df6
BBL 0x406df6 unnamedImageEntryPont (3):
mov eax, dword ptr ss:|ebp+0xc|
mov dword ptr ss:|ebp-0xc|, eax
|mp 0x406e82
2
2
BBL 0x403831 .text (6):
mov ed, dword ptr ss:|ebp+0x10|
mu ed, dword ptr ss:|ebp+0x14|
test dword ptr ds:|es+0xc|, 0x10c
mov dword ptr ss:|ebp-0x10|, ed
mov ebx, ed
|z 0x40384e
4
BBL 0x409694 unnamedImageEntryPont (6):
pop ecx
and dword ptr ss:|ebp-0x4|, 0x0
xor ebx, ebx
nc ebx
cmp dword ptr ds:|0x41599c|, ebx
|z 0x40976d
2
BBL 0x409bcd unnamedImageEntryPont (6):
mov ed, eax
pop ecx
pop ecx
mov dword ptr ds:|0x41597c|, ed
test ed, ed
|z 0x409ba6
BBL 0x4067b8 unnamedImageEntryPont (6):
mov ed, ed
push ebp
mov ebp, esp
mov eax, dword ptr ss:|ebp+0x8|
cmp eax, 0x14
|n 0x4067db
3
BBL 0x40586c unnamedImageEntryPont (7):
mov eax, ecx
and eax, 0x1f
mov edx, ecx
sar edx, 0x5
sh eax, 0x6
add eax, dword ptr ds:|edx*4+0x4160e0|
|mp 0x405887
3
5
BBL 0x409703 unnamedImageEntryPont (2):
push dword ptr ds:|es|
ca 0x408737
5
5
42
BBL 0x40b499 unnamedImageEntryPont (2):
cmp eax, dword ptr ds:|0x4160dc|
|b 0x40b4bd
14
3
2
BBL 0x4096e0 unnamedImageEntryPont (5):
pop ecx
mov es, eax
mov dword ptr ss:|ebp-0x24|, es
mov dword ptr ss:|ebp-0x1c|, ed
mov dword ptr ss:|ebp-0x20|, es
BBL 0x4061e8 unnamedImageEntryPont (3):
pop ecx
mov dword ptr ss:|ebp-0x4|, ed
xor es, es
BBL 0x405867 unnamedImageEntryPont (2):
cmp ecx, 0xfe
|z 0x405882
BBL 0x4095ef unnamedImageEntryPont (1):
ca ecx
5
BBL 0x407425 unnamedImageEntryPont (2):
mov dword ptr ss:|ebp+0xc|, 0x301
|mp 0x40743e
BBL 0x406a5c unnamedImageEntryPont (3):
pop ecx
cmp eax, 0xff
|z 0x406ab2
2
BBL 0x406a9c unnamedImageEntryPont (3):
pop ecx
push eax
ca dword ptr ds:|0x410058|
2
BBL 0x409e02 unnamedImageEntryPont (10):
mov ed, ed
push ebp
mov ebp, esp
sub esp, 0xc
push ebx
xor ebx, ebx
push es
push ed
cmp dword ptr ds:|0x4161ec|, ebx
|nz 0x409e1c
7
BBL 0x40b74b unnamedImageEntryPont (8):
mov ed, ed
push ebp
mov ebp, esp
mov eax, dword ptr ss:|ebp+0x8|
push es
push ed
test eax, eax
| 0x40b7b2
2
BBL 0x40452a .text (6):
mov eax, dword ptr ds:|0x41597c|
mov dword ptr ds:|0x415980|, eax
push eax
push dword ptr ds:|0x415974|
push dword ptr ds:|0x415970|
ca 0x403140
BBL 0x404762 unnamedImageEntryPont (4):
push dword ptr ds:|0x4161e4|
mov ed, eax
mov dword ptr ss:|ebp-0x4|, ed
ca 0x408737
5
BBL 0x40b4bd unnamedImageEntryPont (10):
mov ecx, eax
and eax, 0x1f
sar ecx, 0x5
mov ecx, dword ptr ds:|ecx*4+0x4160e0|
sh eax, 0x6
movsx eax, byte ptr ds:|ecx+eax*1+0x4|
and eax, 0x40
pop es
pop ebp
ret
BBL 0x4059cb unnamedImageEntryPont (3):
pop ecx
test eax, eax
|z 0x405c71
BBL 0x402500 .text (8):
mov byte ptr ds:|eax+0x41|, 0x0
mov eax, dword ptr ds:|eax+0x48|
add eax, eax
add eax, eax
push eax
push 0x0
push ecx
ca 0x404160
BBL 0x409d3c unnamedImageEntryPont (2):
cmp byte ptr ds:|es|, 0x5c
|z 0x409d3a
72
2
8
5
BBL 0x402c90 .text (2):
mov eax, dword ptr ds:|ecx+0xac|
ret
BBL 0x40451e .text (3):
pop ecx
test eax, eax
|z 0x40452a
BBL 0x406bc9 unnamedImageEntryPont (2):
push dword ptr ds:|es+0x8|
ca 0x4045a7
2
BBL 0x404808 unnamedImageEntryPont (5):
mov ed, ed
push es
push 0x4
push 0x20
ca 0x40b0b5
3
6
BBL 0x409658 unnamedImageEntryPont (3):
cmp dword ptr ds:|0x4161f4|, 0x0
pop ecx
|z 0x40967d
BBL 0x40897e unnamedImageEntryPont (4):
pop ed
mov eax, es
pop es
ret
BBL 0x40898b unnamedImageEntryPont (3):
mov es, eax
test es, es
|nz 0x408999
117
117
BBL 0x40d3a3 unnamedImageEntryPont (2):
mov eax, dword ptr ss:|ebp-0x20|
ca 0x40689d
5 2 10
BBL 0x4088ff unnamedImageEntryPont (2):
pop ecx
ret
BBL 0x40cfaf unnamedImageEntryPont (2):
pop ecx
ret
BBL 0x40d37a unnamedImageEntryPont (2):
pop ecx
ret
BBL 0x40a4d4 unnamedImageEntryPont (2):
pop ecx
ret
2
BBL 0x4077cf unnamedImageEntryPont (2):
pop ecx
ret
2
BBL 0x406846 unnamedImageEntryPont (3):
pop ecx
pop ebp
ret
3
BBL 0x40978c unnamedImageEntryPont (3):
pop ecx
push dword ptr ss:|ebp+0x8|
ca 0x409591
BBL 0x4088ba unnamedImageEntryPont (2):
push 0xc
ca 0x40a4d6
BBL 0x40cfa3 unnamedImageEntryPont (1):
|mp 0x40cf33
BBL 0x40d371 unnamedImageEntryPont (1):
|mp 0x40d3a3
BBL 0x40a4c4 unnamedImageEntryPont (1):
mov eax, dword ptr ss:|ebp-0x1c|
2 2
3
BBL 0x40c72a unnamedImageEntryPont (2):
cmp dword ptr ss:|ebp-0x1c|, es
|z 0x40c757
2
2
5
BBL 0x40d0a6 unnamedImageEntryPont (2):
test eax, eax
|z 0x40d200
2
2
19
10
BBL 0x40e957 unnamedImageEntryPont (2):
cmp es, ebx
|z 0x40e99c
2
BBL 0x408bfd unnamedImageEntryPont (3):
mov dword ptr ds:|0x414588|, eax
cmp eax, 0xff
|z 0x408c4f
BBL 0x403803 .text (5):
or eax, 0xff
xor edx, edx
dv dword ptr ss:|ebp+0x10|
cmp dword ptr ss:|ebp+0x14|, eax
|be 0x403831
5
BBL 0x404218 .text (4):
push es
push dword ptr ss:|ebp+0x10|
push dword ptr ss:|ebp+0x8|
ca 0x4062b0
6
BBL 0x409ff4 unnamedImageEntryPont (3):
push 0x54
push 0x4128f8
ca 0x406858
BBL 0x4036b9 .text (2):
push dword ptr ss:|ebp+0x14|
ca 0x4067ea
BBL 0x401c30 .text (9):
sub esp, 0xc
push ebx
push ebp
push es
mov es, ecx
mov eax, dword ptr ds:|es|
mov edx, dword ptr ds:|eax+0x20|
push ed
ca edx
5
BBL 0x403432 .text (4):
pop es
mov eax, ed
pop ed
ret
BBL 0x40fbe6 unnamedImageEntryPont (2):
push 0x40fc61
ca 0x404875
BBL 0x403426 .text (4):
add es, 0x18
cmp es, 0x4155e8
pop ecx
| 0x403420
3
BBL 0x40cf3f unnamedImageEntryPont (2):
mov eax, es
ca 0x40689d
BBL 0x40d248 unnamedImageEntryPont (2):
push 0x220
ca 0x40b070
2
BBL 0x4039c0 .text (3):
push 0xc
push 0x412540
ca 0x406858
5
BBL 0x4076fe unnamedImageEntryPont (4):
mov eax, dword ptr ds:|0x4161fc|
push dword ptr ds:|eax+es*4|
push es
ca 0x4067b8
2
BBL 0x403789 .text (2):
push es
ca 0x406777
2
BBL 0x4090d6 unnamedImageEntryPont (3):
xor eax, eax
nc eax
|mp 0x4090dd
BBL 0x40a1e5 unnamedImageEntryPont (2):
or byte ptr ds:|es+0x4|, 0x40
|mp 0x40a1f4
3
BBL 0x403212 .text (6):
mov ecx, dword ptr ss:|ebp-0x4cc|
push ecx
ea edx, ptr |ebp-0x4c8|
push edx
ea ecx, ptr |ebp-0xc8|
ca 0x401910
4
4
BBL 0x40d02d unnamedImageEntryPont (13):
mov ed, ed
push ebp
mov ebp, esp
sub esp, 0x20
mov eax, dword ptr ds:|0x414034|
xor eax, ebp
mov dword ptr ss:|ebp-0x4|, eax
push ebx
mov ebx, dword ptr ss:|ebp+0xc|
push es
mov es, dword ptr ss:|ebp+0x8|
push ed
ca 0x40cfb1
BBL 0x40462f unnamedImageEntryPont (1):
ca 0x40689d
4
BBL 0x40ce1b unnamedImageEntryPont (13):
xor ebx, ebx
push ebx
push dword ptr ds:|es+0x4|
ea eax, ptr |ebp-0x204|
push ed
push eax
push ed
ea eax, ptr |ebp-0x104|
push eax
push ed
push dword ptr ds:|es+0xc|
push ebx
ca 0x40eb18
BBL 0x40c278 unnamedImageEntryPont (3):
push dword ptr ss:|ebp-0x1c|
push dword ptr ds:|es|
ca 0x40b74b
2
BBL 0x40d329 unnamedImageEntryPont (4):
mov c, byte ptr ds:|eax+ebx*1+0x11d|
mov byte ptr ds:|eax+0x414b18|, c
nc eax
|mp 0x40d31f
256 256
BBL 0x408c2d unnamedImageEntryPont (2):
pop ecx
ca eax
BBL 0x408c30 unnamedImageEntryPont (2):
test eax, eax
|z 0x408c4f
2
72
5
BBL 0x40613d unnamedImageEntryPont (6):
mov eax, dword ptr ds:|es+0x8|
push ed
mov ed, dword ptr ds:|es|
sub ed, eax
test ed, ed
|e 0x406175
BBL 0x406bc5 unnamedImageEntryPont (2):
test a, 0x8
|z 0x406be3
2
BBL 0x4094ff unnamedImageEntryPont (2):
push 0x4094bd
ca dword ptr ds:|0x410040|
BBL 0x408977 unnamedImageEntryPont (2):
push ed
ca dword ptr ds:|0x41007c|
117
BBL 0x4086ed unnamedImageEntryPont (2):
mov eax, dword ptr ds:|eax+0x1f8|
|mp 0x40871c
31
BBL 0x40c703 unnamedImageEntryPont (4):
add esp, 0x14
mov dword ptr ss:|ebp-0x20|, eax
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
ca 0x40c72a
2
2
BBL 0x4037d9 .text (2):
cmp ecx, ed
|nz 0x4037fc
BBL 0x4037fc .text (3):
mov es, dword ptr ss:|ebp+0x18|
cmp es, ed
|z 0x403810
5
5
BBL 0x405c71 unnamedImageEntryPont (5):
xor ecx, ecx
mov eax, dword ptr ds:|es|
add eax, ed
test byte ptr ds:|eax+0x4|, 0x80
|z 0x405f40
BBL 0x401e00 .text (3):
cmp dword ptr ss:|esp+0x4|, 0x0
mov eax, dword ptr ss:|esp+0x8|
|z 0x401e26
BBL 0x401e26 .text (2):
cmp ecx, eax
|z 0x401e36
BBL 0x40d1dd unnamedImageEntryPont (11):
mov dword ptr ds:|ebx+0x8|, es
xor eax, eax
movzx ecx, ax
mov eax, ecx
sh ecx, 0x10
or eax, ecx
ea ed, ptr |ebx+0x10|
stosd
stosd
stosd
|mp 0x40d19c
BBL 0x4088df unnamedImageEntryPont (3):
pop ecx
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
ca 0x408901
BBL 0x4031e7 .text (7):
mov edx, dword ptr ss:|ebp-0x18|
push edx
push 0x400
push 0x1
ea eax, ptr |ebp-0x4c8|
push eax
ca 0x403a56
4
BBL 0x40967d unnamedImageEntryPont (3):
xor eax, eax
pop ebp
ret
BBL 0x403a56 .text (9):
mov ed, ed
push ebp
mov ebp, esp
push dword ptr ss:|ebp+0x14|
push dword ptr ss:|ebp+0x10|
push dword ptr ss:|ebp+0xc|
push 0xff
push dword ptr ss:|ebp+0x8|
ca 0x4039c0
5
2
BBL 0x4087af unnamedImageEntryPont (1):
ret 0x4
5
BBL 0x404213 .text (2):
cmp dword ptr ss:|ebp+0xc|, es
|b 0x404229
6
BBL 0x4044cb .text (2):
and dword ptr ss:|ebp-0x4|, 0x0
ca 0x409ff4
BBL 0x4036a2 .text (4):
add esp, 0x10
mov dword ptr ss:|ebp-0x1c|, eax
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
ca 0x4036b9
BBL 0x407514 unnamedImageEntryPont (2):
sub eax, 0xe
|z 0x40755e
2
2
BBL 0x405ff4 unnamedImageEntryPont (8):
mov eax, dword ptr ss:|ebp-0x1ac8|
sub eax, dword ptr ss:|ebp-0x1ad0|
pop ed
pop ebx
mov ecx, dword ptr ss:|ebp-0x4|
xor ecx, ebp
pop es
ca 0x403ff9
BBL 0x40cf33 unnamedImageEntryPont (2):
test es, es
|nz 0x40cf3f
BBL 0x40d23c unnamedImageEntryPont (3):
mov dword ptr ss:|ebp+0x8|, eax
cmp eax, dword ptr ds:|ebx+0x4|
|z 0x40d39f
5
BBL 0x401ac6 .text (5):
mov dword ptr ss:|esp+0x10|, eax
mov eax, dword ptr ds:|ed|
mov edx, dword ptr ds:|eax+0x20|
mov ecx, ed
ca edx
5
2
7
BBL 0x4096d5 unnamedImageEntryPont (2):
push dword ptr ds:|0x4161e4|
ca 0x408737
BBL 0x40b803 unnamedImageEntryPont (2):
cmp dword ptr ds:|eax|, 0xff
|z 0x40b838
BBL 0x40b808 unnamedImageEntryPont (2):
cmp dword ptr ds:|0x414064|, 0x1
|nz 0x40b82e
2
BBL 0x40b811 unnamedImageEntryPont (2):
sub ecx, ebx
|z 0x40b825
2
BBL 0x4040e5 .text (2):
test ecx, 0x3
|nz 0x4040dc
126
BBL 0x404615 unnamedImageEntryPont (2):
test eax, eax
|nz 0x40462f
4
BBL 0x40ed50 unnamedImageEntryPont (4):
mov ecx, dword ptr ss:|ebp-0x8|
and dword ptr ds:|ecx+0x70|, 0xfd
eave
ret
2
BBL 0x404476 .text (3):
mov ecx, 0x10b
cmp word ptr ds:|eax+0x400018|, cx
|nz 0x40449d
BBL 0x40bfae unnamedImageEntryPont (3):
pop ecx
test eax, eax
|z 0x40bfc0
2
BBL 0x40d09c unnamedImageEntryPont (3):
movzx eax, d
push eax
ca dword ptr ds:|0x4100fc|
BBL 0x405778 unnamedImageEntryPont (8):
mov ed, ed
push ebp
mov ebp, esp
push ecx
push es
mov es, dword ptr ss:|ebp+0xc|
push es
ca 0x4060eb
2
66
60
2
BBL 0x408923 unnamedImageEntryPont (3):
mov es, eax
test es, es
|nz 0x408977
117
BBL 0x40c685 unnamedImageEntryPont (6):
mov eax, ebx
pop ed
pop es
pop ebx
eave
ret
2
BBL 0x40c5f9 unnamedImageEntryPont (6):
mov ed, dword ptr ss:|ebp-0x8|
mov eax, 0xc0000000
mov ecx, ed
and ecx, eax
cmp ecx, eax
|nz 0x40c685
2
2
BBL 0x40b952 unnamedImageEntryPont (2):
mov eax, dword ptr ss:|ebp-0x1c|
ca 0x40689d
5
5
BBL 0x402522 .text (8):
mov edx, dword ptr ds:|eax+0x48|
add edx, edx
add edx, edx
push edx
push 0x0
push ecx
mov byte ptr ds:|eax+0x41|, 0x0
ca 0x404160
BBL 0x40357f .text (4):
push ed
push dword ptr ss:|ebp-0x4|
push dword ptr ds:|es|
ca 0x4062b0
2
3
2
BBL 0x4087a9 unnamedImageEntryPont (1):
ca dword ptr ds:|0x410070|
BBL 0x4087a0 unnamedImageEntryPont (5):
mov dword ptr ss:|ebp+0x8|, eax
mov eax, dword ptr ss:|ebp+0x8|
pop es
pop ebp
ret
29
5 5
BBL 0x4096cb unnamedImageEntryPont (5):
pop ecx
mov ed, eax
mov dword ptr ss:|ebp-0x28|, ed
test ed, ed
|z 0x40974d
BBL 0x408bfa unnamedImageEntryPont (2):
pop ecx
ca eax
BBL 0x404772 unnamedImageEntryPont (5):
mov es, eax
pop ecx
pop ecx
cmp es, ed
|b 0x404801
5
BBL 0x40970a unnamedImageEntryPont (2):
mov ed, eax
ca 0x40872e
5
BBL 0x409720 unnamedImageEntryPont (3):
mov ed, eax
push dword ptr ds:|0x4161e4|
ca 0x408737
5
BBL 0x403873 .text (3):
mov ed, ebx
cmp ebx, eax
|b 0x40387b
3
BBL 0x40a242 unnamedImageEntryPont (1):
ca 0x40689d
BBL 0x40b815 unnamedImageEntryPont (2):
dec ecx
|z 0x40b820
2
BBL 0x40420e .text (2):
cmp dword ptr ss:|ebp+0x10|, ed
|z 0x404229
6
BBL 0x40a26b unnamedImageEntryPont (3):
pop ed
pop es
ret
BBL 0x403517 .text (5):
pop ed
pop es
pop ebx
eave
ret
2
BBL 0x40b9fc unnamedImageEntryPont (2):
cmp dword ptr ds:|es+0x8|, 0x0
|nz 0x40ba3b
2
BBL 0x40ba58 unnamedImageEntryPont (2):
add es, 0x40
|mp 0x40b9df
6
BBL 0x403892 .text (8):
sub dword ptr ds:|es+0x4|, ed
add dword ptr ds:|es|, ed
add dword ptr ss:|ebp-0x8|, ed
sub ebx, ed
add esp, 0x10
sub dword ptr ss:|ebp-0x4|, ed
mov ed, dword ptr ss:|ebp-0x10|
|mp 0x40393f
4
BBL 0x40d04d unnamedImageEntryPont (5):
mov ed, eax
xor es, es
mov dword ptr ss:|ebp+0x8|, ed
cmp ed, es
|nz 0x40d066
BBL 0x406bb5 unnamedImageEntryPont (8):
mov ed, ed
push ebp
mov ebp, esp
push es
mov es, dword ptr ss:|ebp+0x8|
mov eax, dword ptr ds:|es+0xc|
test a, 0x83
|z 0x406be3
2
2
2
BBL 0x40fbc1 unnamedImageEntryPont (2):
push 0x40fc30
ca 0x404875
BBL 0x40ceff unnamedImageEntryPont (5):
mov ecx, dword ptr ss:|ebp-0x4|
pop ed
xor ecx, ebp
pop ebx
ca 0x403ff9
BBL 0x409bb3 unnamedImageEntryPont (2):
push es
ca 0x4040d0
43
BBL 0x403777 .text (2):
test byte ptr ds:|es+0xc|, 0x40
|z 0x403789
2
BBL 0x408b0c unnamedImageEntryPont (4):
push 0x4103c0
push ed
mov dword ptr ds:|0x41562c|, eax
ca es
2
BBL 0x404606 unnamedImageEntryPont (4):
push es
push 0x0
push dword ptr ds:|0x415dc4|
ca dword ptr ds:|0x41002c|
4
BBL 0x40e556 unnamedImageEntryPont (6):
mov ecx, dword ptr ds:|0x415ff4|
mov dword ptr ds:|eax|, ecx
xor eax, eax
pop es
pop ebp
ret
2
2
BBL 0x40d2b9 unnamedImageEntryPont (2):
test byte ptr ds:|0x414d14|, 0x1
|nz 0x40d3a3
BBL 0x4035ed .text (5):
mov eax, dword ptr ss:|ebp-0x4|
movsx eax, byte ptr ds:|eax|
push es
push eax
ca 0x405778
BBL 0x409f52 unnamedImageEntryPont (3):
mov dword ptr ss:|ebp-0x8|, eax
cmp eax, ebx
|z 0x409f88
2
31
BBL 0x408b99 unnamedImageEntryPont (1):
ca 0x4097f7
BBL 0x4088a0 unnamedImageEntryPont (4):
pop ecx
and dword ptr ss:|ebp-0x4|, 0x0
push dword ptr ds:|es+0x68|
ca dword ptr ds:|0x410000|
BBL 0x404506 .text (1):
ca 0x409b8a
BBL 0x409b8a unnamedImageEntryPont (2):
cmp dword ptr ds:|0x4161ec|, 0x0
|nz 0x409b98
BBL 0x409b98 unnamedImageEntryPont (6):
push es
mov es, dword ptr ds:|0x415600|
push ed
xor ed, ed
test es, es
|nz 0x409bbe
2
BBL 0x403263 .text (5):
push 0x410170
mov ecx, dword ptr ds:|ebx+0xc|
mov edx, dword ptr ds:|ecx+0x8|
push edx
ca 0x403b37
BBL 0x40ec0f unnamedImageEntryPont (1):
|e 0x40ec4d
BBL 0x403b12 .text (4):
add esp, 0x10
mov dword ptr ss:|ebp-0x1c|, eax
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
ca 0x403b2d
2
BBL 0x40cb41 unnamedImageEntryPont (7):
mov ed, ed
push ebp
mov ebp, esp
mov eax, dword ptr ss:|ebp+0x8|
mov dword ptr ds:|0x415f3c|, eax
pop ebp
ret
BBL 0x4037d4 .text (2):
cmp dword ptr ss:|ebp+0x14|, ed
|z 0x4037f5
5
2
6
BBL 0x40a248 unnamedImageEntryPont (8):
mov ed, ed
push es
mov eax, 0x412458
mov es, 0x412458
push ed
mov ed, eax
cmp eax, es
|nb 0x40a26b
BBL 0x4031d6 .text (2):
mov dword ptr ss:|ebp-0xc8|, 0x41017c
mov dword ptr ss:|ebp-0x4|, 0x0
6
BBL 0x4015e9 .text (7):
mov byte ptr ds:|ebx+ed*1|, 0x0
pop ebx
pop ed
mov eax, es
pop es
pop ebp
ret 0x8
4
BBL 0x409bb2 unnamedImageEntryPont (1):
nc ed
42
42
2
BBL 0x409f85 unnamedImageEntryPont (3):
mov ebx, dword ptr ss:|ebp-0x4|
push ed
ca dword ptr ds:|0x410098|
BBL 0x405816 unnamedImageEntryPont (2):
push es
ca 0x40b42d
BBL 0x408921 unnamedImageEntryPont (1):
ca eax
117
BBL 0x4045ba unnamedImageEntryPont (2):
cmp dword ptr ds:|0x4160d8|, 0x3
|nz 0x404606
4
4
5
BBL 0x404465 .text (3):
mov eax, dword ptr ds:|0x40003c|
cmp dword ptr ds:|eax+0x400000|, 0x4550
|nz 0x40449d
4
BBL 0x40b46b unnamedImageEntryPont (5):
mov eax, dword ptr ds:|ecx+0x8|
and dword ptr ds:|ecx+0x4|, 0x0
mov dword ptr ds:|ecx|, eax
pop ebp
ret
2
BBL 0x40d2af unnamedImageEntryPont (2):
test byte ptr ds:|es+0x70|, 0x2
|nz 0x40d3a3
BBL 0x403599 .text (2):
cmp ebx, dword ptr ss:|ebp-0x8|
|b 0x4035ed
BBL 0x40a1f4 unnamedImageEntryPont (4):
push 0xfa0
ea eax, ptr |es+0xc|
push eax
ca 0x40cb50
3
14
BBL 0x408b91 unnamedImageEntryPont (2):
test eax, eax
|z 0x408c54
5
BBL 0x40a506 unnamedImageEntryPont (3):
pop es
pop ebp
ret
5 8 2 5
BBL 0x4076b3 unnamedImageEntryPont (3):
pop ecx
mov dword ptr ss:|ebp-0x4|, ebx
xor es, es
2
BBL 0x40a47d unnamedImageEntryPont (4):
pop ecx
mov dword ptr ss:|ebp-0x4|, ebx
cmp dword ptr ds:|es|, ebx
|nz 0x40a4b1
2
2
BBL 0x40a485 unnamedImageEntryPont (3):
push 0xfa0
push ed
ca 0x40cb50
2
BBL 0x407674 unnamedImageEntryPont (15):
mov eax, dword ptr ss:|ebp+0x14|
nc dword ptr ds:|0x41561c|
mov ecx, dword ptr ss:|ebp-0x4|
mov dword ptr ds:|eax+0xc|, ecx
mov ecx, dword ptr ss:|ebp-0x10|
mov dword ptr ds:|eax+0x4|, ebx
mov dword ptr ds:|eax|, ebx
mov dword ptr ds:|eax+0x8|, ebx
mov dword ptr ds:|eax+0x1c|, ebx
mov dword ptr ds:|eax+0x10|, ecx
pop ed
pop es
pop ebx
eave
ret
2
2
BBL 0x409807 unnamedImageEntryPont (2):
push es
ca 0x40cb41
5
2
BBL 0x4037b6 .text (14):
mov ed, ed
push ebp
mov ebp, esp
sub esp, 0x10
mov ecx, dword ptr ss:|ebp+0x8|
push ebx
mov ebx, dword ptr ss:|ebp+0xc|
push es
push ed
xor ed, ed
mov dword ptr ss:|ebp-0x8|, ecx
mov dword ptr ss:|ebp-0x4|, ebx
cmp dword ptr ss:|ebp+0x10|, ed
|z 0x4037f5
5
4
BBL 0x4015db .text (4):
add esp, 0x10
cmp dword ptr ds:|es+0x18|, 0x10
mov dword ptr ds:|es+0x14|, ed
|b 0x4015e9
5
BBL 0x40dfb4 unnamedImageEntryPont (2):
mov eax, ebx
ca 0x40689d
47
47
117
5
2
2
2
2
2
3
31
4
2
4
5
34
4
[Figure: disassembled basic blocks (BBL) of an executable that calls the MD5 routines md5Reset, md5Update, md5Process (one block of 536 instructions), md5Finish and md5Digest, together with the helper routines mpsetw, mplshift, mpadd and mpzero and the blocks of main and the C runtime startup code, with numeric labels.]
[Figure: disassembled basic blocks (BBL) of an executable whose MD5 routines are _MD5_Init, _MD5_Update, _md5_block_host_order and _MD5_Final, together with the blocks of main and the C runtime startup code, with numeric labels.]
push ebp
mov ebp, dword ptr ss:|esp+0x4020|
|n 0x401050
BBL 0x40223c __SEH_proog4 (21):
push 0x402295
push dword ptr fs:|0x0|
mov eax, dword ptr ss:|esp+0x10|
mov dword ptr ss:|esp+0x10|, ebp
ea ebp, ptr |esp+0x10|
sub esp, eax
push ebx
push es
push ed
mov eax, dword ptr ds:|0x404000|
xor dword ptr ss:|ebp-0x4|, eax
xor eax, ebp
push eax
mov dword ptr ss:|ebp-0x18|, esp
push dword ptr ss:|ebp-0x8|
mov eax, dword ptr ss:|ebp-0x4|
mov dword ptr ss:|ebp-0x4|, 0xfffffffe
mov dword ptr ss:|ebp-0x8|, eax
ea eax, ptr |ebp-0x10|
mov dword ptr fs:|0x0|, eax
ret
BBL 0x401fd2 _onext (3):
push dword ptr ds:|0x404384|
mov es, dword ptr ds:|0x403074|
ca es
BBL 0x401fe0 _onext (4):
pop ecx
mov dword ptr ss:|ebp-0x1c|, eax
cmp eax, 0xff
|nz 0x401ff5
BBL 0x401d91 pre_c_nt (4):
mov eax, dword ptr ds:|0x40003c|
ea eax, ptr |eax+0x400000|
cmp dword ptr ds:|eax|, 0x4550
|nz 0x401d8d
BBL 0x401deb pre_c_nt (2):
push 0xff
ca dword ptr ds:|0x403050|
BBL 0x401050 man (7):
mov eax, dword ptr ss:|ebp+0x4|
push ebx
push es
push ed
push 0x40315c
push eax
ca dword ptr ds:|0x4030b0|
BBL 0x401062 man (4):
mov ed, eax
add esp, 0x8
test ed, ed
|nz 0x401079
BBL 0x401079 man (2):
push 0x5c
ca 0x401bb8
BBL 0x402082 _RTC_Intaze (8):
mov ed, ed
push es
mov eax, 0x403228
mov es, 0x403228
push ed
mov ed, eax
cmp eax, es
|nb 0x4020a5
BBL 0x401183 _md5_bock_host_order (536):
mov ed, dword ptr ds:|eax-0x38|
dec dword ptr ss:|esp+0x1c|
mov edx, es
xor edx, ebx
and edx, ebp
xor edx, es
add edx, ed
mov es, edx
mov edx, dword ptr ds:|ecx|
ea edx, ptr |es+edx*1-0x28955b88|
mov es, dword ptr ds:|eax-0x34|
ro edx, 0x7
add edx, ebp
mov ed, ebx
xor ed, ebp
and ed, edx
xor ed, ebx
add ed, es
mov es, dword ptr ds:|ecx+0xc|
ea es, ptr |ed+es*1-0x173848aa|
mov ed, ebp
xor ed, edx
ro es, 0xc
add es, edx
and ed, es
xor ed, ebp
add ed, dword ptr ds:|eax-0x30|
mov ebp, es
xor ebp, edx
ea ed, ptr |ed+ebx*1+0x242070db|
mov ebx, dword ptr ds:|eax-0x2c|
ro ed, 0x11
add ed, es
and ebp, ed
xor ebp, edx
add ebp, ebx
mov ebx, dword ptr ds:|ecx+0x4|
ea ebx, ptr |ebx+ebp*1-0x3e423112|
ro ebx, 0x16
add ebx, ed
mov ebp, es
xor ebp, ed
and ebp, ebx
xor ebp, es
add ebp, dword ptr ds:|eax-0x28|
mov dword ptr ss:|esp+0x18|, ebx
ea edx, ptr |edx+ebp*1-0xa83f051|
ro edx, 0x7
add edx, ebx
mov ebp, ed
xor ebp, ebx
and ebp, edx
xor ebp, ed
add ebp, dword ptr ds:|eax-0x24|
ea es, ptr |es+ebp*1+0x4787c62a|
mov ebp, ebx
xor ebp, edx
ro es, 0xc
add es, edx
and ebp, es
xor ebp, ebx
add ebp, dword ptr ds:|eax-0x20|
mov ebx, dword ptr ds:|eax-0x1c|
ea ed, ptr |ed+ebp*1-0x57cfb9ed|
ro ed, 0x11
add ed, es
mov ebp, es
xor ebp, edx
and ebp, ed
xor ebp, edx
add ebp, ebx
mov ebx, dword ptr ss:|esp+0x18|
ea ebx, ptr |ebx+ebp*1-0x2b96aff|
ro ebx, 0x16
add ebx, ed
mov ebp, es
xor ebp, ed
and ebp, ebx
mov dword ptr ss:|esp+0x18|, ebx
xor ebp, es
add ebp, dword ptr ds:|eax-0x18|
ea edx, ptr |edx+ebp*1+0x698098d8|
ro edx, 0x7
add edx, ebx
mov ebp, ed
xor ebp, ebx
and ebp, edx
xor ebp, ed
add ebp, dword ptr ds:|eax-0x14|
ea es, ptr |es+ebp*1-0x74bb0851|
ro es, 0xc
add es, edx
mov ebp, ebx
xor ebp, edx
and ebp, es
xor ebp, ebx
add ebp, dword ptr ds:|eax-0x10|
mov ebx, dword ptr ds:|eax-0xc|
ea ed, ptr |ed+ebp*1-0xa44f|
ro ed, 0x11
add ed, es
mov ebp, es
xor ebp, edx
and ebp, ed
xor ebp, edx
add ebp, ebx
mov ebx, dword ptr ss:|esp+0x18|
ea ebx, ptr |ebx+ebp*1-0x76a32842|
ro ebx, 0x16
add ebx, ed
mov ebp, es
xor ebp, ed
and ebp, ebx
xor ebp, es
add ebp, dword ptr ds:|eax-0x8|
mov dword ptr ss:|esp+0x18|, ebx
ea edx, ptr |edx+ebp*1+0x6b901122|
ro edx, 0x7
add edx, ebx
mov ebp, ed
xor ebp, ebx
and ebp, edx
xor ebp, ed
add ebp, dword ptr ds:|eax-0x4|
ea es, ptr |es+ebp*1-0x2678e6d|
ro es, 0xc
add es, edx
mov ebp, ebx
xor ebp, edx
and ebp, es
xor ebp, ebx
add ebp, dword ptr ds:|eax|
mov ebx, dword ptr ds:|eax+0x4|
ea ed, ptr |ed+ebp*1-0x5986bc72|
mov ebp, es
xor ebp, edx
ro ed, 0x11
add ed, es
and ebp, ed
xor ebp, edx
add ebp, ebx
mov ebx, dword ptr ss:|esp+0x18|
ea ebx, ptr |ebx+ebp*1+0x49b40821|
ro ebx, 0x16
add ebx, ed
mov ebp, ed
xor ebp, ebx
and ebp, es
xor ebp, ed
add ebp, dword ptr ds:|eax-0x34|
mov dword ptr ss:|esp+0x14|, es
ea edx, ptr |edx+ebp*1-0x9e1da9e|
mov ebp, dword ptr ss:|esp+0x14|
ro edx, 0x5
add edx, ebx
mov es, ebx
xor es, edx
and es, ed
xor es, ebx
add es, dword ptr ds:|eax-0x20|
ea es, ptr |es+ebp*1-0x3fbf4cc0|
ro es, 0x9
add es, edx
mov dword ptr ss:|esp+0x14|, es
xor es, edx
and es, ebx
xor es, edx
add es, dword ptr ds:|eax-0xc|
ea ed, ptr |es+ed*1+0x265e5a51|
mov es, dword ptr ss:|esp+0x14|
mov ebp, es
ro ed, 0xe
add ed, es
xor ebp, ed
and ebp, edx
xor ebp, es
add ebp, dword ptr ds:|eax-0x38|
mov es, ed
ea ebx, ptr |ebx+ebp*1-0x16493856|
ro ebx, 0x14
add ebx, ed
xor es, ebx
and es, dword ptr ss:|esp+0x14|
mov ebp, dword ptr ss:|esp+0x14|
xor es, ed
add es, dword ptr ds:|eax-0x24|
ea edx, ptr |es+edx*1-0x29d0efa3|
ro edx, 0x5
add edx, ebx
mov es, ebx
xor es, edx
and es, ed
xor es, ebx
add es, dword ptr ds:|eax-0x10|
ea es, ptr |es+ebp*1+0x2441453|
ro es, 0x9
add es, edx
mov dword ptr ss:|esp+0x14|, es
xor es, edx
and es, ebx
xor es, edx
add es, dword ptr ds:|eax+0x4|
ea ed, ptr |es+ed*1-0x275e197f|
mov es, dword ptr ss:|esp+0x14|
mov ebp, es
ro ed, 0xe
add ed, es
xor ebp, ed
and ebp, edx
xor ebp, es
add ebp, dword ptr ds:|eax-0x28|
mov es, ed
ea ebx, ptr |ebx+ebp*1-0x182c0438|
mov ebp, dword ptr ss:|esp+0x14|
ro ebx, 0x14
add ebx, ed
xor es, ebx
and es, dword ptr ss:|esp+0x14|
xor es, ed
add es, dword ptr ds:|eax-0x14|
ea edx, ptr |es+edx*1+0x21e1cde6|
ro edx, 0x5
add edx, ebx
mov es, ebx
xor es, edx
and es, ed
xor es, ebx
add es, dword ptr ds:|eax|
ea es, ptr |es+ebp*1-0x3cc8f82a|
ro es, 0x9
add es, edx
mov dword ptr ss:|esp+0x14|, es
xor es, edx
and es, ebx
xor es, edx
add es, dword ptr ds:|eax-0x2c|
ea ed, ptr |es+ed*1-0xb2af279|
mov es, dword ptr ss:|esp+0x14|
ro ed, 0xe
add ed, es
mov ebp, es
xor ebp, ed
and ebp, edx
xor ebp, es
add ebp, dword ptr ds:|eax-0x18|
mov es, ed
ea ebx, ptr |ebx+ebp*1+0x455a14ed|
ro ebx, 0x14
add ebx, ed
xor es, ebx
and es, dword ptr ss:|esp+0x14|
mov ebp, dword ptr ss:|esp+0x14|
xor es, ed
add es, dword ptr ds:|eax-0x4|
ea edx, ptr |es+edx*1-0x561c16fb|
ro edx, 0x5
add edx, ebx
mov es, ebx
xor es, edx
and es, ed
xor es, ebx
add es, dword ptr ds:|eax-0x30|
ea es, ptr |es+ebp*1-0x3105c08|
ro es, 0x9
add es, edx
mov dword ptr ss:|esp+0x14|, es
xor es, edx
and es, ebx
xor es, edx
add es, dword ptr ds:|eax-0x1c|
ea ed, ptr |es+ed*1+0x676f02d9|
mov es, dword ptr ss:|esp+0x14|
mov ebp, es
ro ed, 0xe
add ed, es
xor ebp, ed
mov dword ptr ss:|esp+0x18|, ebp
and ebp, edx
xor ebp, es
add ebp, dword ptr ds:|eax-0x8|
mov es, dword ptr ss:|esp+0x18|
ea ebx, ptr |ebx+ebp*1-0x72d5b376|
mov ebp, dword ptr ss:|esp+0x14|
ro ebx, 0x14
add ebx, ed
xor es, ebx
add es, dword ptr ds:|eax-0x24|
ea edx, ptr |es+edx*1-0x5c6be|
ro edx, 0x4
add edx, ebx
mov es, ed
xor es, ebx
xor es, edx
add es, dword ptr ds:|eax-0x18|
ea ebp, ptr |es+ebp*1-0x788e097f|
ro ebp, 0xb
add ebp, edx
mov es, ebp
xor es, ebx
xor es, edx
add es, dword ptr ds:|eax-0xc|
ea ed, ptr |es+ed*1+0x6d9d6122|
ro ed, 0x10
add ed, ebp
mov es, ebp
xor es, ed
mov dword ptr ss:|esp+0x18|, es
xor es, edx
add es, dword ptr ds:|eax|
ea es, ptr |es+ebx*1-0x21ac7f4|
mov ebx, dword ptr ss:|esp+0x18|
ro es, 0x17
add es, ed
xor ebx, es
add ebx, dword ptr ds:|eax-0x34|
ea edx, ptr |ebx+edx*1-0x5b4115bc|
ro edx, 0x4
mov ebx, ed
add edx, es
xor ebx, es
xor ebx, edx
add ebx, dword ptr ds:|eax-0x28|
ea ebp, ptr |ebx+ebp*1+0x4bdecfa9|
ro ebp, 0xb
add ebp, edx
mov ebx, ebp
xor ebx, es
xor ebx, edx
add ebx, dword ptr ds:|eax-0x1c|
ea ed, ptr |ebx+ed*1-0x944b4a0|
ro ed, 0x10
add ed, ebp
mov ebx, ebp
xor ebx, ed
mov dword ptr ss:|esp+0x18|, ebx
xor ebx, edx
add ebx, dword ptr ds:|eax-0x10|
ea es, ptr |ebx+es*1-0x41404390|
mov ebx, dword ptr ss:|esp+0x18|
ro es, 0x17
add es, ed
xor ebx, es
add ebx, dword ptr ds:|eax-0x4|
ea edx, ptr |ebx+edx*1+0x289b7ec6|
ro edx, 0x4
add edx, es
mov ebx, ed
xor ebx, es
xor ebx, edx
add ebx, dword ptr ds:|eax-0x38|
ea ebp, ptr |ebx+ebp*1-0x155ed806|
ro ebp, 0xb
add ebp, edx
mov ebx, ebp
xor ebx, es
xor ebx, edx
add ebx, dword ptr ds:|eax-0x2c|
ea ed, ptr |ebx+ed*1-0x2b10cf7b|
ro ed, 0x10
add ed, ebp
mov ebx, ebp
xor ebx, ed
mov dword ptr ss:|esp+0x18|, ebx
xor ebx, edx
add ebx, dword ptr ds:|eax-0x20|
mov dword ptr ss:|esp+0x14|, ed
ea es, ptr |ebx+es*1+0x4881d05|
mov ebx, dword ptr ss:|esp+0x18|
ro es, 0x17
add es, ed
xor ebx, es
add ebx, dword ptr ds:|eax-0x14|
xor ed, es
ea edx, ptr |ebx+edx*1-0x262b2fc7|
ro edx, 0x4
add edx, es
xor ed, edx
add ed, dword ptr ds:|eax-0x8|
ea ed, ptr |ed+ebp*1-0x1924661b|
mov ebp, dword ptr ss:|esp+0x14|
ro ed, 0xb
add ed, edx
mov ebx, ed
xor ebx, es
xor ebx, edx
add ebx, dword ptr ds:|eax+0x4|
ea ebx, ptr |ebx+ebp*1+0x1fa27cf8|
ro ebx, 0x10
add ebx, ed
mov ebp, ed
xor ebp, ebx
xor ebp, edx
add ebp, dword ptr ds:|eax-0x30|
mov dword ptr ss:|esp+0x14|, ebx
ea es, ptr |es+ebp*1-0x3b53a99b|
ro es, 0x17
add es, ebx
mov ebx, ed
not ebx
or ebx, es
xor ebx, dword ptr ss:|esp+0x14|
add ebx, dword ptr ds:|eax-0x38|
ea edx, ptr |ebx+edx*1-0xbd6ddbc|
ro edx, 0x6
mov ebx, dword ptr ss:|esp+0x14|
add edx, es
mov ebp, ebx
not ebp
or ebp, edx
xor ebp, es
add ebp, dword ptr ds:|eax-0x1c|
ea ed, ptr |ed+ebp*1+0x432aff97|
ro ed, 0xa
add ed, edx
mov ebp, es
not ebp
or ebp, ed
xor ebp, edx
add ebp, dword ptr ds:|eax|
ea ebx, ptr |ebx+ebp*1-0x546bdc59|
ro ebx, 0xf
add ebx, ed
mov ebp, edx
not ebp
or ebp, ebx
xor ebp, ed
add ebp, dword ptr ds:|eax-0x24|
ea es, ptr |es+ebp*1-0x36c5fc7|
ro es, 0x15
add es, ebx
mov ebp, ed
not ebp
or ebp, es
xor ebp, ebx
add ebp, dword ptr ds:|eax-0x8|
ea edx, ptr |edx+ebp*1+0x655b59c3|
ro edx, 0x6
add edx, es
mov ebp, ebx
not ebp
or ebp, edx
xor ebp, es
add ebp, dword ptr ds:|eax-0x2c|
ea ed, ptr |ed+ebp*1-0x70f3336e|
ro ed, 0xa
add ed, edx
mov ebp, es
not ebp
or ebp, ed
xor ebp, edx
add ebp, dword ptr ds:|eax-0x10|
ea ebx, ptr |ebx+ebp*1-0x100b83|
ro ebx, 0xf
add ebx, ed
mov ebp, edx
not ebp
or ebp, ebx
xor ebp, ed
add ebp, dword ptr ds:|eax-0x34|
ea es, ptr |es+ebp*1-0x7a7ba22f|
ro es, 0x15
add es, ebx
mov ebp, ed
not ebp
or ebp, es
xor ebp, ebx
add ebp, dword ptr ds:|eax-0x18|
ea edx, ptr |edx+ebp*1+0x6fa87e4f|
ro edx, 0x6
add edx, es
mov ebp, ebx
not ebp
or ebp, edx
xor ebp, es
add ebp, dword ptr ds:|eax+0x4|
ea ed, ptr |ed+ebp*1-0x1d31920|
ro ed, 0xa
mov ebp, es
not ebp
add ed, edx
or ebp, ed
xor ebp, edx
add ebp, dword ptr ds:|eax-0x20|
ea ebx, ptr |ebx+ebp*1-0x5cfebcec|
ro ebx, 0xf
add ebx, ed
mov ebp, edx
not ebp
or ebp, ebx
xor ebp, ed
add ebp, dword ptr ds:|eax-0x4|
add eax, 0x40
ea es, ptr |es+ebp*1+0x4e0811a1|
ro es, 0x15
add es, ebx
mov ebp, ed
not ebp
or ebp, es
xor ebp, ebx
add ebp, dword ptr ds:|eax-0x68|
ea edx, ptr |edx+ebp*1-0x8ac817e|
ro edx, 0x6
add edx, es
mov ebp, ebx
not ebp
or ebp, edx
xor ebp, es
add ebp, dword ptr ds:|eax-0x4c|
ea ed, ptr |ed+ebp*1-0x42c50dcb|
mov ebp, es
not ebp
ro ed, 0xa
add ed, edx
or ebp, ed
xor ebp, edx
add ebp, dword ptr ds:|eax-0x70|
ea ebx, ptr |ebx+ebp*1+0x2ad7d2bb|
ro ebx, 0xf
add ebx, ed
mov ebp, edx
not ebp
or ebp, ebx
xor ebp, ed
add ebp, dword ptr ds:|eax-0x54|
add dword ptr ds:|ecx+0x8|, ebx
add dword ptr ds:|ecx+0xc|, ed
add dword ptr ds:|ecx|, edx
ea es, ptr |es+ebp*1-0x14792c6f|
ro es, 0x15
add es, ebx
add dword ptr ds:|ecx+0x4|, es
cmp dword ptr ss:|esp+0x1c|, 0x0
mov ebp, dword ptr ds:|ecx+0x4|
mov ebx, dword ptr ds:|ecx+0x8|
mov es, dword ptr ds:|ecx+0xc|
|nz 0x401183
2
BBL 0x4017c9 _md5_bock_host_order (5):
pop ed
pop es
pop ebp
pop ebx
ret
BBL 0x401e31 pre_c_nt (2):
cmp dword ptr ds:|0x404014|, 0x0
|nz 0x401e46
BBL 0x4010b0 man (6):
push ed
push 0x4000
ea eax, ptr |esp+0x34|
push 0x1
push eax
ca ebx
BBL 0x4022cf _setdefautprecson (3):
add esp, 0xc
test eax, eax
|z 0x4022e3
BBL 0x4022e8 __securty_nt_cooke (13):
mov ed, ed
push ebp
mov ebp, esp
sub esp, 0x10
mov eax, dword ptr ds:|0x404000|
and dword ptr ss:|ebp-0x8|, 0x0
and dword ptr ss:|ebp-0x4|, 0x0
push ebx
push ed
mov ed, 0xbb40e64e
mov ebx, 0xffff0000
cmp eax, ed
|z 0x40231a
BBL 0x40231a __securty_nt_cooke (4):
push es
ea eax, ptr |ebp-0x8|
push eax
ca dword ptr ds:|0x403030|
BBL 0x402325 __securty_nt_cooke (3):
mov es, dword ptr ss:|ebp-0x4|
xor es, dword ptr ss:|ebp-0x8|
ca dword ptr ds:|0x403000|
BBL 0x401bb8 ??2@YAPAXI@Z (1):
|mp dword ptr ds:|0x4030a0|
BBL 0x401fb2 __CxxSetUnhandedExceptonFter (2):
push 0x401f70
ca dword ptr ds:|0x403014|
BBL 0x401a8c _MD5_Fna (2):
xor edx, edx
|mp 0x401a98
BBL 0x401cab __tmanCRTStartup (3):
push 0x4030c4
push 0x4030bc
ca 0x40222e
BBL 0x401aea _MD5_Fna (13):
mov ecx, 0xe
ea ed, ptr |ebx+eax*4|
sub ecx, eax
xor eax, eax
rep stosd
mov edx, dword ptr ds:|es+0x10|
push 0x1
mov dword ptr ds:|ebx+0x38|, edx
mov eax, dword ptr ds:|es+0x14|
push ebx
push es
mov dword ptr ds:|ebx+0x3c|, eax
ca 0x401160
BBL 0x401fc6 _onext (3):
push 0x14
push 0x403258
ca 0x40223c
BBL 0x401fe9 _onext (2):
push dword ptr ss:|ebp+0x8|
ca dword ptr ds:|0x403070|
BBL 0x401108 man (2):
push es
ca ed
2
63
BBL 0x40109d man (3):
add esp, 0x18
test eax, eax
|e 0x4010c6
BBL 0x401000 man (2):
mov eax, 0x4014
ca 0x4023b0
BBL 0x4023b0 _chkstk (8):
push ecx
ea ecx, ptr |esp+0x4|
sub ecx, eax
sbb eax, eax
not eax
and ecx, eax
mov eax, esp
and eax, 0xfffff000
BBL 0x401c09 __tmanCRTStartup (3):
push 0x10
push 0x403238
ca 0x40223c
BBL 0x401c67 __tmanCRTStartup (3):
mov eax, dword ptr ds:|0x404378|
test eax, eax
|nz 0x401c9c
BBL 0x401e60 manCRTStartup (1):
ca 0x4022e8
BBL 0x4010dc man (4):
ea edx, ptr |esp+0x20|
push es
push edx
ca 0x401a70
BBL 0x401a70 _MD5_Fna (11):
push ebx
push es
mov es, dword ptr ss:|esp+0x10|
mov ecx, dword ptr ds:|es+0x58|
mov eax, ecx
shr eax, 0x2
and ecx, 0x3
push ed
mov ed, 0x4030fc
ea ebx, ptr |es+0x18|
|nz 0x401a90
Figure 4.2.: Beecrypt, Cryptopp, and OpenSSL implementations of MD5
Observation 2
Constants and sequences of mnemonics indicate the type of cryptographic algorithm.
As shown by Figures 4.1 and 4.2, each implementation and algorithm has a
characteristic set of constants and mnemonics. The OpenSSL DES figure has very
distinctive constants, e.g., 0x33333333 and 0xf0f0f0f0, which are also found in the
Cryptopp implementations. If we compare the sequence of mnemonics in the MD5
implementations, we clearly see an analogy for the first six instructions: ROL, ADD,
MOV, XOR, AND, XOR. Also, the sequence of mnemonics in OpenSSL DES can be partially
found in Cryptopp DES.

In order to verify that the above sequence is inherent to MD5, we searched for it in
all testing applications, including cryptographic and system libraries. The only
occurrences of the sequence can be found in the traces of the MD5 testing applications.
Although this finding does not verify the non-existence of false-positives, it shows
that mnemonic sequence signatures may constitute a sound identification method.
Observation 3
Cryptographic code contains loops.
While substitutions and permutations modify the internal data representation, they
are applied multiple times, commonly with modifications to the data, e.g., the round
key. We can recognize, even in the unrolled code of Figure 4.1, that the basic blocks of
cryptographic code are executed multiple times. Another example is the XOR testing
application in Figure 3.1, which shows the loops around the XOR operation.

On its own, Observation 3 is insufficient as an identification method. The observation
rather has to be combined with other methods to provide a sound identification,
because loops are inherent in all modern software. Although the number of encryption
rounds is unique to each algorithm and may be used for an identification, this is
not the case for unrolled algorithms, where the original number of rounds cannot be
found in the majority of unrolled testing applications which we investigated.
Observation 4
Input and output to cryptographic code have a predefined, verifiable relation.
The cryptographic algorithms which we consider in this thesis are deterministic.
Therefore, for any input the corresponding output will be constant over multiple
executions. Given that a cryptographic primitive was executed during the trace, the
input and output parameters contained in the trace will conform to the deterministic
relation of the cryptographic algorithm. Thus, if we can extract possible input and
output candidates for a cryptographic algorithm, we can verify whether a reference
algorithm generates the same output for the given input. Thereby, we can not only
verify which cryptographic algorithm has been traced, but also determine what
cryptographic parameters have been used. Of course, this observation can only be
utilized with a reference implementation: if the software program contains a
proprietary algorithm, we cannot verify it.
4.4. Identification Methods
Based on our observations detailed before, we developed and implemented several
identification methods. The effectiveness of the methods is evaluated in Chapter 6.
4.4.1. Signature-based
We implemented several signature-based identification methods. One is based on
the sequence of instructions. The sequence of instructions is defined as the ordered
concatenation of all mnemonics in a basic block. For identification, an unknown
sample's sequence is created and compared to the set of existing sequences in the
pattern database. If the sequence can be found, a cryptographic implementation has
been detected.
We prepared the pattern database with different open-source cryptographic
implementations. To differentiate between sequences defining an algorithm and
sequences defining an implementation, we generated multiple datasets for each
algorithm and each implementation. Thereby, we can identify implementations and
algorithms in different levels of granularity and compare the effectiveness of the
different patterns. We created the following sequence patterns:
- sequences for an implementation: a set defined by a single implementation of a
  single algorithm
- unique sequences for an implementation: as above, but with all other
  implementation sets subtracted
- sequences for an algorithm: the union of all implementation sets composing the
  specific algorithm
- unique sequences for an algorithm: as above, but with all other algorithm sets
  subtracted
Figure 4.3.: Composition of sequence sets
[Sets shown: OpenSSL AES, Beecrypt AES, AES, Unique AES, OpenSSL RSA, Unique OpenSSL AES.]
An example for the composition of the different sequences is given in Figure 4.3.
Each set consists of multiple sequences, defining the algorithm or implementation.
For the example in Figure 4.3, we generate two distinctive sets for each algorithm
and implementation. At first, we generate the set describing the implementation of
an algorithm, e.g., the blue OpenSSL AES in Figure 4.3. Then we subtract all other
implementations from this set and save the result as the unique set for the specific
implementation, e.g., the blue, dotted unique OpenSSL AES set. A third set is the
algorithm set, e.g., AES, which is composed by the intersection of all implementations
of the specific algorithm. If we subtract all other algorithm sets from this set, we get
the unique set, e.g., unique AES.

When we inspect a software sample for the signatures, we first derive all mnemonic
sequences for the given trace. Then, we compare the given sequences with the
signature sequences using intersection. The resulting match value is computed by
dividing the length of the intersection by the length of the signature. Thereby, we
get an indication of the percentage to which the signature has been found in the trace.
A second, signature-based identification method searches for constants in memory.
As noted in Section 3.1, multiple implementations of cryptographic algorithms use
lookup tables to increase the speed of substitution boxes in algorithms. The lookup
tables reside in memory and can be identified by their definite value. An example for
such a memory value is 0xc66363a5, which is the first value of the unrolled lookup table
for AES implementations. A quick code search¹ determined that this value is used in
up to 500 software projects². The constant can also be found in Beecrypt, Cryptopp,
and OpenSSL. However, it is not included in Vincent Rijmen's reference implementation
and Brian Gladman's optimized implementation of AES, because both implementations
use different lookup tables.
We manually determined about 4000 constants for MD5, AES, and DES. To collect the
constants, we used the scripting interface of our implementation's interactive console,
as described in Section 5.3. Based on these signatures we search the trace for memory
containing such constants. If the number of found constants surpasses an
empirically-determined threshold of 70%, we can record the existence of the
cryptographic code.
A third identification method is based on the combination of instructions and
constants. As shown in Figure 4.2, every MD5 implementation contains a ROL 0x7 and
a ROL 0xC instruction. Based on this observation we developed a third identification
method, which employs a dataset based on (mnemonic, constant)-tuples. For every
implementation we generate a set of bitwise instructions and their corresponding
constants, e.g., ROL 0x7.
¹ See under http://www.google.com/codesearch?as_q=0xc66363a5.
² For example, Cryptopp, OpenSSL, Filezilla, WPA Supplicant, QEmu, GNUTLS, Plan 9, MySQL,
  Berkeley-DB, Tor, SVN, Beecrypt, Mozilla libnss.
Then, as in the first signature-based method, we form different datasets using union,
intersection, and subtraction. We create the datasets:
- For each implementation of an algorithm
- For each algorithm, based on the intersection of all implementations of the
  particular algorithm
- A unique dataset for each algorithm, based on the subtraction with other
  algorithms
Figure 4.4.: Composition of (mnemonic, constant)-tuple datasets
[Datasets shown: cryptopp aes, beecrypt md5, openssl rc4, openssl md5, cryptopp md5,
intersection md5, unique md5. Example tuples shown: (cmp, 56), (cmp, 24), (and, 255),
(shr, 2), (rol, 20), (add, 16404), (dec, 4), (or, 1), (and, 4), (xor, 4), (rol, 4), (rol, 6).]
An example for the datasets is given in Figure 4.4. For a given set of (mnemonic,
constant)-tuples from a trace, we can therefore measure to which percentage the
tuples from a signature dataset are included in the trace. We observed that the unique
and intersection datasets have a stronger relation to the algorithm. Implementation
datasets have a looser connection to the traced implementation and pose a higher risk
of generating false-positives.
The number of tuples per testing application varies between 40 and 454 and the mean
value is 165 tuples. Without detailing the results described in Chapter 6, we can note
the following characteristics of the generated signature database:
- AES has no unique set, because other implementations also use its (mnemonic,
  constant)-tuples.
- The RC4 unique set only has two entries and therefore does not describe RC4
  very well. Accordingly, we cannot use this dataset because it generates
  false-positives for RC4 with a higher probability.
- RSA, MD5, and DES have very well defined unique sets, and also the intersection
  and implementation sets show a good performance in Chapter 6.
We could further modify the signatures, based on our findings in Chapter 6, to
eliminate the risk of generating false-positives, e.g., with a set of only two elements.
We may also weight the unique datasets to represent their expressiveness, compared to
the intersection and implementation datasets.
The comparison is implemented as noted in Algorithm 4.1. At first we generate the
set of (mnemonic, constant)-tuples found in the trace. Using this trace-set we check
for each of the a-priori-known pattern datasets to which percentage the trace-set
intersects the signature-set. If the percentage is above the threshold of 70%, we report a
positive identification. The threshold was empirically determined during the
development process by testing.
Algorithm 4.1 Comparison of (mnemonic, constant)-tuple signatures
Require: ordered list of executed instructions I
1. T ← empty array
2. for all instructions i in I do
3.   if i is a bitwise arithmetic instruction and i contains a constant in its disassembly then
4.     m ← mnemonic of i
5.     c ← constant in the disassembly of i
6.     T ← append (m, c)
7.   end if
8. end for
9. for all tuples-signatures S in (unique, intersect, implementations) do
10.   I ← S ∩ T
11.   p ← |I| / |S|
12.   print match for signature S is p %
13. end for
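
The dataset composition described above and Algorithm 4.1, written out in Python as an added example; it is not the thesis implementation. The disassembly lines, the three implementation sets, the library names and all function names are constructed assumptions; only the 70% threshold and the MD5 ROL constants come from the text.

```python
import re

# Assumed subset of the mnemonics the thesis groups as "bitwise arithmetic".
BITWISE = frozenset({"and", "or", "xor", "not", "shl", "shr", "sar", "rol",
                     "ror", "add", "sub", "inc", "dec", "imul", "cmp", "test"})
THRESHOLD = 0.70  # empirically determined threshold quoted in the text


def trace_tuples(lines):
    """Steps 1-8 of Algorithm 4.1: collect (mnemonic, constant) tuples."""
    found = set()
    for line in lines:
        mnemonic, _, operands = line.strip().partition(" ")
        mnemonic = mnemonic.lower()
        if mnemonic not in BITWISE:
            continue
        # Assumption: only immediates count as constants, so memory operands
        # such as [ecx+0x8] are dropped before searching.
        operands = re.sub(r"\[[^\]]*\]", "", operands)
        hit = re.search(r"\b(0x[0-9a-f]+|\d+)\b", operands, re.IGNORECASE)
        if hit:
            token = hit.group(1).lower()
            value = int(token, 16) if token.startswith("0x") else int(token)
            found.add((mnemonic, value))
    return found


def build_signatures(implementations):
    """implementations: {(algorithm, library): set of tuples}.
    Returns implementation, intersection and unique datasets by name."""
    by_algo = {}
    for (algo, _lib), tuples in implementations.items():
        by_algo.setdefault(algo, []).append(tuples)
    sigs = {f"implementation {a}/{l}": s for (a, l), s in implementations.items()}
    for algo, sets in by_algo.items():
        intersect = set.intersection(*sets)
        # Assumption: "subtraction with other algorithms" removes every tuple
        # seen in any implementation of a different algorithm.
        others = set().union(*(s for (a, _l), s in implementations.items()
                               if a != algo))
        sigs[f"intersection {algo}"] = intersect
        sigs[f"unique {algo}"] = intersect - others
    return sigs


def match(trace, signatures):
    """Steps 9-13: share p = |S ∩ T| / |S| and the threshold decision."""
    report = {}
    for name, sig in signatures.items():
        if not sig:  # an empty dataset (e.g. no unique set) cannot match
            continue
        p = len(sig & trace) / len(sig)
        report[name] = (p, p > THRESHOLD)
    return report


# Constructed signature sets; the four ROL constants are MD5's round-1 rotations.
MD5_ROLS = {("rol", 7), ("rol", 12), ("rol", 17), ("rol", 22)}
IMPLEMENTATIONS = {
    ("md5", "lib_a"): MD5_ROLS | {("and", 3), ("shr", 2), ("add", 64)},
    ("md5", "lib_b"): MD5_ROLS | {("and", 255), ("shr", 2), ("cmp", 56)},
    ("rc4", "lib_a"): {("and", 255), ("add", 1), ("shr", 2)},
}

# Constructed trace excerpt in the style of an MD5 round plus bookkeeping code.
TRACE = """\
mov edx, esi
xor edx, ebx
and edx, ebp
add edx, edi
rol edx, 0x7
add edx, ebp
rol esi, 0xc
rol edi, 0x11
rol ebx, 0x16
add dword ptr ds:[ecx+0x8], ebx
shr eax, 0x2
and ecx, 0x3
add eax, 0x1
cmp eax, 0xe
""".splitlines()

if __name__ == "__main__":
    result = match(trace_tuples(TRACE), build_signatures(IMPLEMENTATIONS))
    for name, (p, hit) in sorted(result.items()):
        print(f"match for signature {name} is {p:.0%}{'  <-- reported' if hit else ''}")
```

On the constructed trace the one-element unique rc4 set matches at 100%, which is the false-positive risk the text attributes to very small unique sets.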
A fourth signature-based identification method is the use of debug symbols to
determine a cryptographic function. We manually created a small database of common
cryptographic functions. Two sample entries of 19 total entries are shown in
Listing 4.1.
# function symbol : description
'FGIntRSA' : 'Delphi RSA (FGIntRSA)',
'CryptDecrypt' : 'MS Crypto API Cipher (CryptDecrypt RC2,RC4)',
Listing 4.1: API signatures
Using the debug strings incorporated in the trace, we match whether an entry in the
signature database is included in the function symbol of executed code. Although
this simple symbol-based approach is ineffective against stripped-symbol software
and malware, common software uses debug symbols extensively.

All signature-based methods have in common that they do not detect cryptographic
parameters. Many perform well for the detection of the cryptographic algorithm and
sometimes also detect the type of implementation. To detect cryptographic parameters
we developed a further method which is described in the next subsection. For the
performance of all identification methods please refer to Chapter 6.
4.4.2. Generic Bitwise Arithmetic-based
A simple identification method is built upon Observation 1 and Caballero et al. [12].
We evaluate basic blocks and determine whether the percentage of bitwise instructions
is above a certain threshold. If the percentage is above the empirically-determined
threshold of 55%, then we have identified cryptographic code. The calculation of the
bitwise percentage skips operations which do not directly modify data, i.e., move
instructions like LEA and MOV. We determine the type of instructions using an x86
instruction reference [45]. We summarize the categories logical, shftrot, bit, binary, arith
in [45] as bitwise arithmetic instructions. Thus, these instructions include, but are not
limited to, AND, DEC, IMUL, ROL, SHL, XOR, and also PADDQ (SIMD), or FMUL (FPU).

To eradicate false-positives, we use a minimum instructions per basic block threshold³
of 20. Therefore, common, small basic blocks with three bitwise instructions out of five
do not yield a false-positive result.
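
The basic-block heuristic with both thresholds, as an added Python example (not the thesis implementation). The mnemonic sets are an assumed subset of the categories in [45], counting the block size over all instructions is an assumption, and the three basic blocks are constructed.

```python
# Assumed subset of the logical/shftrot/bit/binary/arith categories.
BITWISE = frozenset({"and", "or", "xor", "not", "neg", "shl", "shr", "sar",
                     "rol", "ror", "add", "adc", "sub", "sbb", "inc", "dec",
                     "mul", "imul", "cmp", "test"})
# Move instructions that are skipped when the percentage is computed.
MOVES = frozenset({"mov", "movzx", "movsx", "lea"})


def block_report(block, pct=0.55, min_len=20):
    """Evaluate one basic block given as a list of disassembly lines.

    share      bitwise instructions / instructions that are not moves
    above_pct  True if share exceeds the 55% threshold
    crypto     True only if the block also has at least min_len instructions
    """
    mnemonics = [line.split()[0].lower() for line in block if line.strip()]
    counted = [m for m in mnemonics if m not in MOVES]
    share = sum(m in BITWISE for m in counted) / len(counted) if counted else 0.0
    above = share > pct
    return {"instructions": len(mnemonics), "share": share,
            "above_pct": above,
            "crypto": above and len(mnemonics) >= min_len}


# Constructed block in the style of an unrolled MD5 round (34 instructions).
MD5_ROUND = [
    "mov edx, esi", "xor edx, ebx", "and edx, ebp", "xor edx, esi",
    "add edx, edi", "lea edx, [esi+edx*1+0x1000]", "rol edx, 0x7",
    "add edx, ebp",
] * 4 + ["dec dword ptr [esp+0x1c]", "jnz 0x401183"]

# Constructed small block: three bitwise instructions out of five.
SMALL = ["xor eax, eax", "add esp, 0x8", "test edi, edi", "pop ecx",
         "jnz 0x401079"]

# Constructed startup-style block: long enough, but hardly any bitwise work.
STARTUP = ["push 0x10", "push 0x403238", "call 0x40223c",
           "mov eax, dword ptr [0x404378]", "test eax, eax", "pop ecx",
           "jnz 0x401c9c"] * 3

if __name__ == "__main__":
    for name, block in (("md5 round", MD5_ROUND), ("small", SMALL),
                        ("startup", STARTUP)):
        r = block_report(block)
        print(f"{name:10} n={r['instructions']:3} share={r['share']:.0%} "
              f"above 55%={r['above_pct']} crypto={r['crypto']}")
```

The small block exceeds 55% on its own and is only rejected by the 20-instruction minimum.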
Following the work from Wang et al. [82], we also implemented a cumulative
measurement of the bitwise arithmetic instructions. Instead of measuring the bitwise
percentage for basic blocks or function names, we update the percentage of bitwise
instructions as we traverse the trace.
³ The threshold of a minimum of 20 instructions per basic block was determined by
  Caballero et al. and proved to be successful in our experiments.
For better understanding we describe the approach from Wang et al. here. The
algorithm's goal is to find the transition function, i.e., the point where the plaintext is
encrypted to ciphertext and vice versa. Therefore, the algorithm follows the steps
shown in Algorithm 4.2.
Algorithm 4.2 Wang et al. cumulative bitwise percentage method
Require: ordered list of executed instructions I
1. b ← 0 // Step 1
2. t ← 0
3. C ← empty array
4. for all instructions i in I do
5.   if i is a bitwise arithmetic instruction then
6.     b ← b + 1
7.   end if
8.   if i is not a mov instruction then
9.     t ← t + 1
10.    save the current cumulative bitwise arithmetic percentage b/t to C
11.  end if
12. end for
13. x ← max(C) // Step 2
14. y ← min(C starting from x)
15. l ← length of longest leaf routine // Step 3
16. X ← function symbol at x
17. Y ← function symbol at y
18. for i = 1 to l do
19.   if x − i has a different function symbol than X then
20.     break
21.   end if
22. end for
23. x ← x − i + 1
24. for i = 1 to l do
25.   if y + i has a different function symbol than Y then
26.     break
27.   end if
28. end for
29. y ← y + i − 1
30. for all leaf routines l in the interval [x, y] of the trace I do
31.   if the bitwise percentage of l > 50% then
32.     return the transition point is l // Step 4
33.   end if
34. end for
At first the cumulative percentage is calculated for every instruction in the trace. In
a second step we determine the minimum and maximum percentage, because Wang
et al. suppose that the decryption process occurs in between them. However, this
assumption is insufficient for larger protocols, as shown by Caballero et al., because
larger protocols contain several different cryptographic algorithms and execute them
in an arbitrary order. In these cases, the cumulative percentage over the complete
trace may identify the first algorithm, but miss later executed cryptographic code.

Next, we determine the longest leaf routine⁴. Beginning from the maximum and
minimum percentage, we traverse the trace backwards and forwards for at least the
length of the longest leaf routine. Thereby we adjust the x and y indices to the
beginning and end of a leaf routine. Thus, we extend the interval created in step two
to the beginning and end of the respective leaf routines.

At last we iterate over the trace interval which is defined by [x, y]. If the bitwise
arithmetic percentage of a leaf routine in the interval is above the threshold of 50%⁵,
we record the leaf routine as the transition point.
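
Algorithm 4.2 as runnable Python, added here as an illustration (not code from the thesis or from Wang et al.). The trace is a constructed list of (function symbol, mnemonic) pairs with made-up symbol names, and the mnemonic set is an assumed subset of the bitwise arithmetic categories. Step 3 looks up the leaf routine that contains x and y, which yields the same boundaries as the bounded walk in lines 18-29.

```python
from itertools import groupby

BITWISE = frozenset({"and", "or", "xor", "not", "shl", "shr", "rol", "ror",
                     "add", "sub", "inc", "dec", "imul", "cmp", "test"})
MOVES = frozenset({"mov", "movzx", "movsx"})  # the "mov instruction" of line 8


def cumulative(trace):
    """Step 1: (trace index, b/t) for every instruction that is not a mov."""
    b = t = 0
    points = []
    for idx, (_symbol, mnemonic) in enumerate(trace):
        if mnemonic in BITWISE:
            b += 1
        if mnemonic not in MOVES:
            t += 1
            points.append((idx, b / t))
    return points


def leaf_routines(trace):
    """Uninterrupted runs of one function symbol: (symbol, first, last)."""
    leaves, start = [], 0
    for symbol, run_ in groupby(trace, key=lambda ins: ins[0]):
        length = len(list(run_))
        leaves.append((symbol, start, start + length - 1))
        start += length
    return leaves


def bitwise_share(trace, first, last):
    counted = [m for _s, m in trace[first:last + 1] if m not in MOVES]
    return sum(m in BITWISE for m in counted) / len(counted) if counted else 0.0


def transition_point(trace, threshold=0.50):
    points = cumulative(trace)
    if not points:
        return None
    # Step 2: position of the maximum, then of the minimum that follows it.
    k = max(range(len(points)), key=lambda j: points[j][1])
    x = points[k][0]
    y = min(points[k:], key=lambda p: p[1])[0]
    # Step 3: widen [x, y] to the borders of the enclosing leaf routines.
    leaves = leaf_routines(trace)
    x = next(first for _s, first, last in leaves if first <= x <= last)
    y = next(last for _s, first, last in leaves if first <= y <= last)
    # Step 4: first leaf routine in the interval above the 50% threshold.
    for symbol, first, last in leaves:
        if first >= x and last <= y and bitwise_share(trace, first, last) > threshold:
            return symbol, first, last
    return None


def run(symbol, mnemonics):
    return [(symbol, m) for m in mnemonics]


# Constructed trace: receive a message, decrypt it, then parse the plaintext.
TRACE = (
    run("main", ["push", "mov", "push", "call"])
    + run("recv_data", ["push", "mov", "call", "test", "jz", "mov", "pop", "ret"])
    + run("decrypt", ["mov", "xor", "rol", "add", "and", "xor"] * 4 + ["ret"])
    + run("main", ["mov", "push", "call"])
    + run("parse_msg", ["push", "mov", "cmp", "jz", "mov", "call", "pop", "ret"])
)

if __name__ == "__main__":
    print("transition point:", transition_point(TRACE))
```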
4.4.3. Generic Loop-based
We instrumented our loop detection routine to conduct further checks based on the
loop information deduced from a trace file. On an experimental basis we partially
reproduced the approach from Lutz [49], who tries to detect cryptographic code by
measuring entropy changes of data in loops. Since we did not implement a
taint-tracking algorithm, the results of the entropy-based approach are not evaluated.
Furthermore, we see the problem that input/output-entropy is constant in certain modes
of operation, as described in Section 2.3. Nevertheless, we encountered similar results
as described by Lutz [49].
Our loop-based identification methods are based on a technique which we call loop
differ. The loop differ differentiates between data values in between loop executions,
iterations, and bodies. A schematic view is presented in Figure 4.5. Each cube in the
three-dimensional space represents a memory access and is placed according to its
position in the loop body (green in Figure 4.5), iteration (blue), and execution axis
(yellow).
The loop differ utilizes the cubic structure and processes through the executions, iter-
ations, and loop bodies. For each memory access, the loop differ determines the axis
for the current execution (yellow), iteration (blue) and body (green).
⁴ A leaf routine is defined as the uninterrupted sequence of instructions with the same
function symbol. If a function calls an inner function, it will therefore be broken in two
leaf routines, the one before the call and the one after the called function returned.
Also, the callee will be a leaf routine in between the caller.
⁵ Empirically determined threshold by Wang et al.
Figure 4.5.: Three-dimensional view of the loop differ
Using this method we are able to compare the values of a specific instruction, e.g., INC
(increment), over time, in each axis. We execute different analysis methods on the
ordered set of data available for each axis:
1. We search for counters by observing decrements or increments in an axis. If the
axis contains at least five data values and at least 90% of the deltas between each
value are one, we test whether the subtraction of the first and last value of the
axis equals the length of the axis. If it does, we have detected a counter value. If the
first value in the axis is greater than the last value, it is a downward, otherwise
an upward counter. Although a deterministic identification of a counter may be
possible, we use a threshold of 90% to mask a counter, which may be later, in the
remaining 10%, used for another non-counter calculation.
2. On an experimental basis, we search for relations in algorithms. We implemented
a search for the permutation box in DES, which takes a 32 bit input and
outputs a 32 bit permuted value.
Given an axis, we check for all combinations in this axis whether the hamming
weight percentage is in between 20% and 80%. The hamming weight of an integer
is defined as the number of non-zero symbols in the (bit) integer. The
hamming weight percentage for an integer i is thus the division of the hamming
weight by the bit length $\log_2(i)$. If the percentage is in the given range, we can
be certain that the permutation will have a significant, measurable effect. Otherwise,
if $axis_{input}$ would contain only zeros in the bit representation, the $p_{box}$
permutation result would also always be zero, and thus yield false-positives
with a higher probability.
We evaluate the DES permutation box for all memory values in the given axis. If
$axis_{output} = p_{box}(axis_{input})$ holds, we have found an instance of a DES encryption
or decryption round. This approach can be applied to every relation contained
in an algorithm. However, the hamming weight check is necessary to evade
false-positives, especially for permutation boxes.
3. Using the values of an axis, we also check whether the XOR relation holds for
combinations of any three values. Therefore, we use the Python itertools package
to create every possible combination of three values in the given axis. For
each of the combinations, we verify whether an XOR relation is valid for the
three values, as shown in Listing 4.2.
    import itertools
    import logging

    for combo in itertools.combinations(data, 3):
        if combo[0] ^ combo[1] == combo[2]:
            logging.debug('found xor relation %d ^ %d == %d' % combo)
Listing 4.2: Loop differ check for XOR relations
4. A fourth check, which we implemented for the loop differ, searches for changes
in entropy. Given an axis, we first separate read from write values. We follow
the approach from Lutz and calculate the number of unique bytes, the number
of different bytes, and the entropy for reads and writes.
The entropy calculation is normalized, so that the result is in the range [0, 1] for
up to 256 input bytes. The exact formula of the entropy H() for the byte array a
of length n is
$$H(a) = -\frac{\sum_{i=1}^{256} \frac{a_i}{n} \log_2 \frac{a_i}{n}}{\log_2(\min(n, 256))}$$
and due to the normalization gives better comparable results for arbitrary length
arrays. Furthermore, we implemented the functions to determine the number
of unique and different bytes, as shown in Listing 4.3.
    import math

    def calcEntropy(buf):
        # normalized entropy of a list of byte values (0..255)
        s = 0.0
        n = float(len(buf))

        assert(n > 1)
        for i in buf:
            assert(i <= 255 and i >= 0)

        for i in range(256):
            div = buf.count(i)/n
            if div != 0:
                s += div*math.log(div,2)
        return -s/math.log(min([n, 256]), 2)

    def numUniqueBytes(buf):
        # number of byte values that occur exactly once
        d = {}
        for c in buf:
            if c in d:
                d[c] += 1
            else:
                d[c] = 1
        return list(d.values()).count(1)

    def numDifferentBytes(buf):
        # number of distinct byte values
        return len(set(buf))
Listing 4.3: Entropy calculation for the loop differ
When the three functions above are applied to the reads and writes, as shown
in Listing 4.4, we check whether the change between the functions' outputs of
the reads and writes differs. Our experiments have shown that a changeThreshold
= 0.15 detects several entropy changes, but for the exact performance we refer
to Chapter 6. The threshold is taken from the paper [49].
    uniqueIn = numUniqueBytes(reads)/float(len(reads))
    differentIn = numDifferentBytes(reads)/float(len(reads))
    entropyIn = calcEntropy(reads)

    uniqueOut = numUniqueBytes(writes)/float(len(writes))
    differentOut = numDifferentBytes(writes)/float(len(writes))
    entropyOut = calcEntropy(writes)

    if min(abs(uniqueIn-uniqueOut), \
           abs(entropyIn-entropyOut), \
           abs(differentIn-differentOut)) > changeThreshold:
        pass  # success ...
Listing 4.4: Entropy check of the loop differ
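The hamming-weight-gated permutation box check from item 2, as an added Python 3 example that is not the thesis code. The table is the standard DES P permutation; the function names, the use of ordered (input, output) pairs, and the sample axis values are assumptions constructed for illustration.

```python
import itertools

# Standard DES permutation P: output bit j (1 = most significant bit)
# is taken from input bit DES_P[j - 1].
DES_P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
         2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]


def p_box(value):
    """Apply the DES P permutation to a 32-bit integer."""
    out = 0
    for src in DES_P:
        out = (out << 1) | ((value >> (32 - src)) & 1)
    return out


def hamming_weight_percentage(value):
    """Share of set bits relative to the bit length of the value."""
    if value == 0:
        return 0.0
    return bin(value).count("1") / float(value.bit_length())


def find_pbox_relations(axis, low=0.20, high=0.80):
    """Return (input, output) pairs of the axis with output == p_box(input).

    Inputs outside the 20%..80% weight range are skipped: permuting a value
    with almost no (or almost only) set bits says little about the relation.
    """
    hits = []
    for a, b in itertools.permutations(axis, 2):
        if low <= hamming_weight_percentage(a) <= high and p_box(a) == b:
            hits.append((a, b))
    return hits


# Constructed axis values (not taken from a real trace).
SAMPLE_AXIS = [0x00000000, 0x80000000, 0x00800000,
               0x12345678, 0x6E34140E, 0xDEADBEEF]

if __name__ == "__main__":
    for a, b in find_pbox_relations(SAMPLE_AXIS):
        print("p_box(0x%08x) == 0x%08x" % (a, b))
```

The pair (0x80000000, 0x00800000) also satisfies the permutation, but its single set bit puts it below the 20% bound, so it is not reported.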
Besides the loop differ's XOR check, we also developed a special method for XOR
encryption. The identification method is based on three facts. First, if an XOR instruction
occurs, it is often used to zero a register, for example xor eax, eax. In contrast to that,
XOR used in encryption writes a zero to the target register in the minority of cases.
Thus, we search for XOR instructions in the trace which write out zeros in at most
60% of the executions. The threshold of 60% is a heuristic value, which we determined
during development. The probability that the resulting value is zero during an XOR
encryption is at most 1 : 256 ≈ 0.39% for an 8 bit value, assuming a randomly
chosen XOR encryption key. On the other hand, a xor eax, eax returns zero in 100% of
the executions. A threshold of at most 60% zero results thus is about in the middle
of both extreme values. Instead of 50% we use 60% to shift the probability between
false-negative and false-positive towards false-negatives, because a non-random XOR
key may easily create 50% zero XOR outputs. However, a higher threshold of up to
95% may still work well, given that xor eax, eax returns zeros in 100% of all cases.
Furthermore, the same XOR instruction will be executed multiple times in an encryption
or decryption. Thus, we use a threshold of a minimum number of 16 executions of the
XOR instruction. The malware protocols in Chapter 1 and the related work in Chapter 2
describe several XOR encryption protocols, which at minimum use encryption blocks
of 16 bytes. Therefore, we chose a threshold of minimum 16 executions.
The second observation which we use is the fact that usually a MOV instruction occurs
near the XOR instruction. Although the MOV instruction should share the same
register as the XOR instruction, we do not verify it due to the lack of taint-tracking.
Nevertheless, we exclude further candidates based on a missing MOV instruction near
the XOR instruction. Near is defined here as an interval of instructions around the XOR
instruction, by default 5 instructions.
As a third rule, we use the fact that we can verify the XOR relation using a reference
XOR test in the XOR instruction's encompassing loop. Therefore, we check whether the
XOR relation holds for all combinations of data values used in the loop body for each
iteration. A sample output of the detection is shown in Listing 4.5.
    [DEBUG] assumption holds for 100 % of values
    [DEBUG] xor key = 'u \xa6\xd1\x1b\x19\xaa\x' ...
    [DEBUG] xor plaintext = 'DDDD3333DDDD3333DDDD33' ...
    [DEBUG] xor ciphertext = '1\xe2\x95\x1a(*\x99\xf5' ...
    $ xxd io/rand.0128 # the random XOR key file used by the testing application
    0000000: 75a6 d15e 1b19 aac6 49be 6b2c 80d4 f49e u......I.k,....
Listing 4.5: Sample output of the XOR check
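The three XOR rules above applied to a small trace, as an added Python 3 example that is not the thesis code. The tuple layout (eip, disasm, result, values), the function names, the sample addresses and key, and two simplifications are assumptions: the relation test uses only the values recorded for the XOR instruction itself rather than the whole loop body, and a MOV is required near every execution.

```python
import itertools
from collections import defaultdict

MIN_EXECUTIONS = 16     # page: XOR protocols use blocks of at least 16 bytes
MAX_ZERO_RATIO = 0.60   # page: at most 60% of the executions may write a zero
MOV_WINDOW = 5          # page: "near" means 5 instructions around the XOR


def mnemonic(disasm):
    return disasm.split()[0].lower()


def xor_relation_holds(values):
    # Same test as Listing 4.2: a ^ b == c for any three recorded values.
    return any(a ^ b == c for a, b, c in itertools.combinations(values, 3))


def mov_nearby(trace, pos):
    lo, hi = max(0, pos - MOV_WINDOW), min(len(trace), pos + MOV_WINDOW + 1)
    return any(mnemonic(trace[q][1]) == "mov" for q in range(lo, hi))


def find_xor_encryption(trace):
    """trace: list of (eip, disasm, result, values) tuples in execution order.

    Returns {eip: share of executions whose values satisfy the XOR relation}
    for every XOR instruction that passes the execution-count, zero-ratio
    and MOV-proximity rules.
    """
    executions = defaultdict(list)
    for pos, entry in enumerate(trace):
        if mnemonic(entry[1]) == "xor":
            executions[entry[0]].append(pos)
    candidates = {}
    for eip, positions in executions.items():
        count = float(len(positions))
        if count < MIN_EXECUTIONS:
            continue
        zero_ratio = sum(1 for p in positions if trace[p][2] == 0) / count
        if zero_ratio > MAX_ZERO_RATIO:
            continue                      # register zeroing, e.g. xor eax, eax
        if not all(mov_nearby(trace, p) for p in positions):
            continue                      # assumption: MOV near every execution
        verified = sum(1 for p in positions if xor_relation_holds(trace[p][3]))
        candidates[eip] = verified / count
    return candidates


def build_sample_trace():
    """Constructed trace: XOR cipher loop, zeroing XOR, XOR without MOV."""
    plaintext = bytearray(b"DDDD3333DDDD3333")
    key = bytearray(range(0x21, 0x31))    # constructed key, not the page's
    trace = []
    for i, (p, k) in enumerate(zip(plaintext, key)):
        trace += [
            (0x401130, "mov dl, byte ptr [esp+ecx*1+0x10]", p, [p]),
            (0x401134, "xor dl, byte ptr [esp+ecx*1+0x90]", p ^ k, [p, k, p ^ k]),
            (0x40113b, "inc ecx", i + 1, [i, i + 1]),
            (0x40113c, "cmp ecx, eax", None, [i + 1, 16]),
            (0x40113e, "mov byte ptr [esp+ecx*1+0x10f], dl", p ^ k, [p ^ k]),
            (0x401145, "jl 0x401130", None, []),
        ]
    for n in range(20):                   # helper function called 20 times
        trace += [
            (0x402000, "push ebp", None, []),
            (0x402001, "mov ebp, esp", 0x12ff00, [0x12ff00]),
            (0x402003, "xor eax, eax", 0, [n + 7, n + 7, 0]),
            (0x402005, "ret", None, []),
        ]
    for n in range(20):                   # checksum-style loop without MOV
        acc, word = 0x1000 + n, n + 1
        trace += [
            (0x403000, "rol ebx, 0x3", acc, [acc]),
            (0x403003, "add ecx, 0x1", word, [word]),
            (0x403006, "xor ebx, ecx", acc ^ word, [acc, word, acc ^ word]),
            (0x403008, "add ebx, edx", acc, [acc]),
            (0x40300a, "dec esi", 20 - n, [20 - n]),
            (0x40300b, "jnz 0x403000", None, []),
        ]
    return trace


if __name__ == "__main__":
    for eip, share in find_xor_encryption(build_sample_trace()).items():
        print("xor at 0x%x: relation holds for %d %% of values" % (eip, share * 100))
```

Only the XOR in the cipher loop is reported: the zeroing XOR fails the 60% rule and the checksum XOR fails the MOV rule, although both run more than 16 times.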
4.4.4. Generic Memory-based
The final identification method, which we developed, is focused on memory data. As
mentioned above, we are using verifiers to confirm an XOR encryption or a relationship
between the input and output of a permutation box. Using the memory reconstruction
method described in Section 3.6, we are able to verify complete instances of
a cryptographic algorithm using plaintext, key, and ciphertext residing in memory.
As the memory reconstruction method reassembles cryptographic data of any length,
we are able to reconstruct a set of possible key, plaintext, and ciphertext candidates.
These candidates are then passed to a reference implementation of the particular
algorithm. If the output of the algorithm matches the output in memory, we have
successfully identified an instance of the algorithm including its parameters. The process is
illustrated in Figure 4.6, where dotted lines indicate further candidates to be checked.
The main limitation of the method is the premise that the algorithm is public and our
system contains a reference implementation to verify the input-output relation.
Optionally, we can reduce the set of candidates using previous identification methods.
For example, if a signature has detected AES code, we can reduce the memory
reconstruction to this code section, instead of the complete trace. Furthermore, we
only need to check for 128, 192, and 256 bit keys and 128 bit input/output blocks,
based on the previous identification of AES.
[Figure: memory reads and writes of different sizes (8 to 256 bit) from the AES code in
the trace yield key, plaintext, and ciphertext candidates, which are passed to an AES
reference implementation; if its output equals the ciphertext, AES is detected,
otherwise no AES is detected.]
Figure 4.6.: Verification of the algorithmic relation
We do not specifically have to consider and distinguish between encryption or
decryption, because the encryption and decryption are commonly the same algorithms
for stream and block ciphers. The efficiency of this approach is bound to the amount
of candidates. If we can identify specific cryptographic code using other identification
methods before, the efficiency is highly increased, since fewer candidates need to
be checked. Of course, the reference implementation has to be optimized to be fast.
Interestingly, this method isolates the cryptographic values from further modifications.
Since we only verify and test using the reference implementation, further
modifications, i.e., padding, encoding, or compression, can be separated and we detect
the exact parameters to the cryptographic algorithm. Because of this soundness of
the method, we already can note that we do not encounter false-positives using this
method, as shown in the evaluation.
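The candidate verification of Figure 4.6, as an added Python 3 example that is not the thesis code. RC4 is swapped in for AES because a pure-Python reference fits in a few lines; the function names and the memory blocks are constructed, and the key/plaintext/ciphertext triple is a widely published RC4 test vector.

```python
import base64
import binascii
import itertools


def rc4(key, data):
    """Reference RC4 (key schedule plus keystream XOR); also decrypts."""
    key, data = bytearray(key), bytearray(data)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def verify_rc4(reads, writes, max_key_len=256):
    """Test reconstructed memory blocks against the reference implementation.

    Every ordered pair of read blocks is tried as (key, plaintext); a match is
    reported when the reference output equals a written block of equal length.
    Returns a list of (key, plaintext, ciphertext) tuples.
    """
    writes_by_len = {}
    for block in set(writes):
        writes_by_len.setdefault(len(block), set()).add(block)
    matches = []
    for key, plaintext in itertools.permutations(sorted(set(reads)), 2):
        if not key or not plaintext or len(key) > max_key_len:
            continue
        if len(plaintext) not in writes_by_len:
            continue                      # no write of that size: skip the run
        ciphertext = rc4(key, plaintext)
        if ciphertext in writes_by_len[len(plaintext)]:
            matches.append((key, plaintext, ciphertext))
    return matches


# Published RC4 test vector: key "Key", plaintext "Plaintext".
VECTOR_CIPHERTEXT = binascii.unhexlify("bbf316e8d940af0ad3")

# Constructed memory blocks, as the reconstruction step might return them.
SAMPLE_READS = [
    b"Key",                               # the key
    b"Plaintext",                         # the exact cipher input
    b"\x00\x00\x00\x10",                  # unrelated length field
    b"Plaintext\x07\x07\x07\x07\x07\x07\x07",  # padded copy, not the input
]
SAMPLE_WRITES = [
    VECTOR_CIPHERTEXT,                    # raw cipher output
    base64.b64encode(VECTOR_CIPHERTEXT),  # encoded copy written afterwards
    b"\x01\x00",                          # unrelated status word
]

if __name__ == "__main__":
    for key, plaintext, ciphertext in verify_rc4(SAMPLE_READS, SAMPLE_WRITES):
        print("RC4 detected: key=%r plaintext=%r ciphertext=%s"
              % (key, plaintext, binascii.hexlify(ciphertext).decode()))
```

Only the raw blocks match; the padded plaintext and the base64 copy of the ciphertext are ignored, which is the isolation from padding and encoding described above.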
4.5. Summary
In this chapter we presented several observations upon which our identification methods
are built. The identification can be categorized by the type of identification method,
signature or generic, but also by the used high-level structure from Chapter 3, for
example loop-based or memory-based. The different methods and their parameters,
especially their thresholds, are further evaluated in Chapter 6.
Chapter 5.
System Implementation
In this chapter we present the implementation of the system. First we give an overview
and then detail the trace and analysis implementations separately.
5.1. Overview
The system implementation is divided in two stages, which are performed for each
analysis of a software sample. A schematic overview of the stages is shown in Figure 5.1.
[Figure: the software passes through the trace stage (fine-grained binary
instrumentation), which produces a trace, and the analysis stage (signatures and
heuristics on code and data), which produces a report.]
Figure 5.1.: Overview of the stages
In the first stage, shown in Figure 5.2, during controlled execution of the target binary
program, dynamic binary instrumentation traces the execution to gain insight on the
program flow and also monitor the accessed memory.
[Figure: the monitored execution of the software (algorithm, key, plaintext, ciphertext,
function, file write) is recorded as a trace of instruction, data, and state entries.]
Figure 5.2.: Displaying an overview of implementation stage 1
For the dynamic analysis, we build upon the existing software framework Pin¹. The
framework supports fine-grained instruction-level tracing of a single process. Our
implemented Pintool creates a run trace of a software sample to gather the relevant
data for the second stage.
In the second stage, the instruction and data trace is used to detect employed
cryptographic algorithms, e.g., RC4, MD5, or XOR, and their parameters, e.g., keys or
plaintext. An overview of the second stage is shown in Figure 5.3.
To detect the algorithms and their parameters, the analysis methods described in
Chapter 3 elevate the trace to high-level structured representations, i.e., loops, graphs,
and basic blocks. Then, the identification methods described in Chapter 4 are executed
and utilize the high-level representation of the trace to inspect the execution for
cryptographic primitives. Based on the findings of the cryptographic algorithms, a report
is generated, which displays the results, especially the identified algorithms and their
data.
A main design goal is to split the tracing from the analysis tool. Thereby we are able
to independently choose different tracing frameworks and exchange them, if necessary,
for the Pin based approach described below. But this design decision also poses
disadvantages. The main problem is the increased space and time overhead for creating
a complete trace file, because the tracing cannot filter and process the trace in
real-time and has to save the trace to disk. A core paradigm when creating a Pintool is
to filter using the Pin framework and keep the analysis small and efficient. We ignore
this paradigm, trace everything and migrate the analysis to another software, in order
to flexibly choose between tracing frameworks.
¹ See http://pintool.org/.
[Figure: within the analysis, the trace (instruction, data, and state entries) passes
through parser, filter, queue, structure analysis, and identification methods, which
produce debug info and a report listing instructions, data, state, and the identified
algorithm.]
Figure 5.3.: Displaying an overview of implementation stage 2
We chose this approach to be independent of the characteristics of the tracing framework,
because the successful runtime tracing depends on the features of the framework.
If the program cannot be run under Pin, because it contains anti-debugging
code, we can still use another framework with available tracing functionality.
5.2. Tracing
As mentioned before, the software sample is traced using the Pin dynamic binary
instrumentation framework [48]. Pin is distributed by Intel free of charge and provides
a rich API to develop instrumentation tools, called Pintools. We developed a Pintool
to conduct the trace. It is written in 632 lines / 464 sloc² of C++ code.
Pin supports tracing spawned processes by using the -follow_execv command line
switch. Although we did not fully evaluate the performance of this switch, we recognized
the problem that it is not able to follow started services, malware-manipulated
processes, or out-of-process COM objects. Therefore, we focus on a single process.
This limitation could be removed in future work, because a different tracing solution
may follow the in-system-propagation of malware.
To conduct a runtime trace of a software sample, we launch the target executable using
Pin and our custom Pintool kerckhoffr.dll:
    pin.exe -t kerckhoffr.dll -- target.exe
Listing 5.1: Running the Pintool
² According to SLOCCount 2.26 (http://www.dwheeler.com/sloccount/).
Pin itself supports multiple command line options. For example, -follow_execv, to follow
spawned processes, and -smc_strict, to handle self-modifying code. The double
hyphen -- in Listing 5.1 separates Pin command line parsing from the target.exe command
line. Additionally, our Pintool is adjustable using the following options:
• -mw defines the module whitelist to only include the listed modules. The switch
  can be specified multiple times. If the switch has been specified, modules, which
  are not in the whitelist, are not traced. Thereby, we reduce the needed disk/memory
  space.
• -o specifies the output file name of the trace.
• -istart sets the number of instructions, that should be skipped, before the
  instrumentation starts. Furthermore, -istop specifies after which number of
  instructions the instrumentation should stop. Both switches are useful to select a
  specific time frame of the target executable. Thereby, we can skip the process
  starting phase, for example unpacking, and terminate the process after the necessary
  trace data has been recorded.
• -watch_thread determines whether a specific thread should be traced. If it is not
  specified, all threads are traced.
After launching the command in Listing 5.1 Pin loads the target program and the Pintool
starts. It then generates a trace file without further user interaction and quits.
In the following pages we provide an overview of the Pintool's implementation. For
code details, please refer to Appendix A. In the main function the Pintool first initializes
Pin, then the whitelist, and at last the -istart and -istop alarms. Then it specifies
the main instrumentation function, the PIN_AddFiniFunction() handler and starts the
target program using PIN_StartProgram().
The instrumentation function handles the newly discovered code, which is encountered
by Pin for the first time. Therefore, it iterates over a TRACE instance using
TRACE_BblHead() and BBL_Next() to check whether the module is contained in the whitelist.
The module is determined by IMG_Name(IMG_FindByAddress(BBL_Address(bbl))). The whitelist
is implemented using a std::set<std::string>. If the module is in the whitelist, or the
whitelist has not been specified, we traverse through the BBL using BBL_InsHead() and
INS_Next() to call two functions for each instruction: MemoryTrace() and
InstructionTrace(). Each of them prepares the analysis code, which is executed every time
this particular instruction is executed. Both functions prepare the trace string which is
written to the trace file, as shown in Listing 5.2.
The first analysis function, MemoryTrace(), formats the trace string for a memory access.
Depending on whether an instruction triggers one or two reads before it is executed,
and whether it does a memory write after it is executed, the MemoryTrace() is called.
The function uses INS_InsertPredicatedCall() to prepend and append analysis code to
the instruction in order to emit the trace string for the memory access. The memory
values are copied using PIN_SafeCopy().
The second analysis function, InstructionTrace(), formats the trace string for an
instruction. It determines the current EIP using INS_Address() and debug symbols with
IMG_Name(IMG_FindByAddress()) and RTN_Name(). The debug symbols, i.e., module and
function name, are compressed as detailed below. Thereby, we can reduce the disk
space of the trace file. In InstructionTrace(), we also emit the current thread ID with
PIN_ThreadId() and a disassembly of the current instruction using INS_Disassemble(). We
also print the registers modified by the instruction.
The trace syntax is shown in Listing 5.2. Each line beginning with R or W denotes a
memory access. Lines beginning with 0x describe instructions. The pipe character, |,
is a delimiter.
1 R|32|0022F948=0x22f9a4
2 0x7c9111f3|@1|@2|0x0016|0|mov esi, dword ptr [ebp+0x8]|esi=0x22f9a4
Listing 5.2: Example of the trace file
The memory access in line one is a read access (R instead of W for write) and reads 32
bits starting at the address 0022F948. The literal, which was read, is 0x22f9a4.
The memory access belongs to the instruction in line two of Listing 5.2. In this line, the
first field separated by the delimiter denotes the current instruction pointer, 0x7c9111f3.
The second and third field contain compressed debug information. The compressed
fields describe the current module @1 and the current function @2. Module and function
information is compressed using the syntax @1@C:\WINDOWS\system32\ntdll.dll or
@2@RtlDeactivateActivationContextUnsafeFast. The compression occurs when an unknown
symbol is encountered for the first time. Afterwards, if we parse a compressed module
denoted by @1 in the trace, we can decompress it by looking up @1 in a dictionary
which then resolves to the value ntdll.dll. The compression is helpful to decrease
the trace size, because an uncompressed trace would list the full debug information
for every instruction. For a trace with 100 instructions with the above exemplary
debug information, the compressed size would be composed of the length of the
compression (3 + 28 + 3 + 40 = 74) and 99 compressed module and function fields
(99 · 2 · 2 = 396). An uncompressed trace would contain the full string in both fields
100 times (40 · 100 + 28 · 100 = 6800). In this example we can decrease the file size
by the factor 14.46 ≈ 6800 / (396 + 74).
The fourth field, 0x0016, describes the offset to the start of the current function. The fifth
field is the current thread ID, 0, then follows the disassembly of the current instruction,
mov esi, dword ptr [ebp+0x8]. In the next fields we store an arbitrary length delimited
list of modified registers. For example, if XOR modifies eax and eflags, we parse a trace
string like xor eax, eax|eax=0|eflags=0x246.
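A parser for the trace syntax just described, as an added Python 3 example that is not the thesis's Parser.py. The class and function names are hypothetical, the third sample line is constructed, and two details are assumptions: a symbol definition (@1@...) appears in the same field as later references (@1), and memory lines belong to the next instruction line.

```python
import binascii


def data2bytes(hexstr):
    """Convert a trace value such as '0xdead' to the bytes de ad."""
    digits = hexstr[2:] if hexstr.lower().startswith("0x") else hexstr
    if len(digits) % 2:
        digits = "0" + digits             # odd length: pad to whole bytes
    return binascii.unhexlify(digits)


class TraceParser(object):
    def __init__(self):
        self.symbols = {}                 # "@1" -> full module/function name
        self.pending = []                 # memory accesses awaiting an instruction

    def lookup(self, field):
        """Expand '@1' and learn '@1@name' definitions on first sight."""
        if not field.startswith("@"):
            return field
        number, separator, name = field[1:].partition("@")
        key = "@" + number
        if separator:
            self.symbols[key] = name
        elif key not in self.symbols:
            raise ValueError("symbol %s used before its definition" % key)
        return self.symbols[key]

    def parse_line(self, line):
        """Return an instruction dict, or None for a memory access line."""
        fields = line.rstrip("\r\n").split("|")
        if fields[0] in ("R", "W"):
            addr, _, value = fields[2].partition("=")
            self.pending.append({"mode": fields[0], "size": int(fields[1]),
                                 "addr": int(addr, 16),
                                 "data": data2bytes(value)})
            return None
        if not fields[0].startswith("0x") or len(fields) < 6:
            raise ValueError("malformed trace line: %r" % line)
        instruction = {
            "eip": int(fields[0], 16),
            "module": self.lookup(fields[1]),
            "function": self.lookup(fields[2]),
            "offset": int(fields[3], 16),
            "thread": int(fields[4]),
            "disasm": fields[5],
            "registers": dict(f.split("=", 1) for f in fields[6:]),
            "memory": self.pending,
        }
        self.pending = []
        return instruction


def parse_trace(lines):
    parser = TraceParser()
    parsed = (parser.parse_line(line) for line in lines if line.strip())
    return [ins for ins in parsed if ins is not None]


# Lines 1-2 follow Listing 5.2 with the symbol definitions written out;
# line 3 is constructed.
SAMPLE_TRACE = r"""R|32|0022F948=0x22f9a4
0x7c9111f3|@1@C:\WINDOWS\system32\ntdll.dll|@2@RtlDeactivateActivationContextUnsafeFast|0x0016|0|mov esi, dword ptr [ebp+0x8]|esi=0x22f9a4
0x7c9111f6|@1|@2|0x0019|0|xor eax, eax|eax=0|eflags=0x246
"""

if __name__ == "__main__":
    for ins in parse_trace(SAMPLE_TRACE.splitlines()):
        print("0x%x %s:%s+0x%x %r" % (ins["eip"], ins["module"],
                                      ins["function"], ins["offset"], ins["disasm"]))
```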
5.3. Analysis
In this section we describe the general architecture of the analysis. Please refer to
Chapter 3 and 4, and Appendix A for the exact implementation.
We developed the analysis as a Python tool. Python was chosen because the author is
most familiar with it and it allowed us to flexibly implement the analysis, i.e., easily
adjust class definitions during development and use dynamic typing on instance attributes.
Using the interactive console, it also proved to be a flexible experimentation
environment, and we were able to try new analysis methods interactively. The tool
consists of 3598 lines or 2204 sloc of Python code. It is based on Python 2.6.4 and utilizes
two external Python packages³ ⁴ and the following standard Python packages:
logging, os, sys, re, itertools, struct, hashlib, math, struct, and time.
The analysis tool is started from the command line and shows the usage in Listing 5.3:
    # python kerckhoffr/
    Usage: python kerckhoffr/ <single|full|debug|cfg|parse> <inputfile1> <inputfile2>..
Listing 5.3: Running the analysis tool
The tool accepts multiple modes of operation:
• single, to first parse the trace and then analyze it in sequence,
• full, to parse the trace file and analyze it in parallel, threaded mode,
• debug, to parse a trace file and launch an interactive console to manually inspect
  the trace,
• cfg, to generate a control flow graph PDF from the trace, and
• parse, to test the syntax parsing of trace files.
³ Crypto.Cipher - PyCrypto - The Python Cryptography Toolkit, http://www.pycrypto.org/.
⁴ IPython.Shell - IPython: an interactive computing environment, http://ipython.scipy.org.
When launched in single or full mode, the analysis tool will parse, filter and process
the trace using the code analysis and cryptographic identification methods. The output
will contain logging information on several levels, including debug information
on the analysis algorithms and results from the identification methods. An example
is shown in Listing 5.4, although we shorten the output of the analysis tool in further
listings and remove the date and file information.
    2010-01-31 20:19:05,578 __main__.py:<module>@58 [INFO] running single (non-threaded) mode on file log-small/kerck-cryptopp_aes.out...
    2010-01-31 20:19:05,893 Parser.py:run@64 [INFO] 6 % <Instructions with 6832 elements, 6832 total, maxsize 750000>
    [...]
    2010-01-31 20:19:12,368 Parser.py:run@64 [INFO] 95 % <Instructions with 102347 elements, 102347 total, maxsize 750000>
    2010-01-31 20:19:12,968 Parser.py:run@90 [DEBUG] parsing finished (EOF).
    2010-01-31 20:19:12,968 Analysis.py:analyze@44 [DEBUG] running analysis on <Instructions with 106764 elements, 106764 total, maxsize 750000>
    2010-01-31 20:19:14,129 Analysis.py:wang@279 [INFO] wang reformat transistion function (0.618059) unnamedImageEntryPoint
    [...]
Listing 5.4: Sample output of the analysis tool
When launched in debug mode, we are able to manually inspect the trace. We can use
the software analysis functions to interact with the parsed trace. For the example in
Listing 5.5, we use the API to search for basic blocks, which have at least six instructions
and a bitwise percentage of at least 60%, and print the results (user input in lines
6-8). The result is one basic block, shown in line 16.
1 # python kerckhoffr/ debug log/kerck-xor256.out
2 [INFO] running debug mode with ipython on file log/kerck-xor256.out...
3 [DEBUG] parsing finished (EOF).
4
5
6 In [2]: for bbl in instructions.getUniqueBBLs():
7 ...: if bbl.isBitwiseArithPercentage() > 0.6 and len(bbl) > 5:
8 ...: print repr(bbl)
9 ...:
10 [DEBUG] creating BBLs step 1
11 [DEBUG] creating BBLs step 2
12 [DEBUG] creating BBLs finished <353 BBLs (executed) first starting with instruction
<Instruction 0x401446 z:\2_dev\exe\xor256.exe:mainCRTStartup+0x0 'call 0x4018c8'
<Register esp=0x12ffc0> <Write (32) 0x12ffc0=0x40144b>>>
13 [DEBUG] creating CFG step 1: unique bbls, instruction data array
14 [DEBUG] creating CFG step 2: create edges
15 <Instructions 0x401130 main (6): <mov dl, byte ptr ss:[esp+ecx*1+0x10]> <xor dl,
byte ptr ss:[esp+ecx*1+0x90]> <inc ecx> <cmp ecx, eax> <mov byte ptr ss:[esp+ecx
*1+0x10f], dl> <jl 0x401130> >
Listing 5.5: Sample experimentation session using the analysis console
5.3.1. Architecture
In the following pages, we describe the architecture of the analysis tool. The classes
are distributed among several files and the tool is arranged as a Python package with
the following submodules and subpackages:
• kerckhoffr/ denotes the main package and contains all other subpackages.
• kerckhoffr/Analysis.py implements the cryptographic identification in methods
  of the Analysis class. The analysis methods, caballero(), chains(), constmemory(),
  constmnemonic(), lutz(), sigAPI(), wang(), xorNotNullAndMov(), loopDiffer(), and
  symmetricCipherDataTester(), implement the identification methods described in
  Section 4.4.
• kerckhoffr/CryptoReport.py implements the CryptoReport class for report generation.
  The result of an identification method can be saved as an instance of CryptoResult,
  defined in kerckhoffr/CryptoResult.py. The instances are then appended to
  the list Instruction.cryptoResults.
• kerckhoffr/Instruction.py implements the class for an Instruction. Each instruction
  contains several defining attributes, e.g., eip, data, or disasm. If an instruction
  has been executed multiple times, different InstructionData instances are saved to
  the multiData attribute. The class also implements several methods, for example,
  - disConst(), to determine constants in the disassembly,
  - mnemonic(), to extract the mnemonic from the disassembly,
  - isBitwiseArith(), isMov(), and isBranch(), to determine the type of instruction, or
  - modulefile(), to determine the file name of the module.
• kerckhoffr/InstructionData.py. Each register and memory value accessed by an
  instruction is modeled as an instance of InstructionData. Therefore, the InstructionData
  class contains the attributes: addr, the target address of the memory
  access, data, the memory value which was read or written, size, the amount of
  bits read or written, and mode, defining whether the access was a read or write.
  Besides helper methods like isMemoryWrite(), the class defines the method data2bytes,
  which converts the hex-string based memory value from the trace file to
  a byte-string. For example, '0xdead' will be converted to '\xde\xad'.
• kerckhoffr/InstructionTypes.py implements the mapping of mnemonics to instruction
  types using a table generated from [45] as described in Section 4.4.2. To
  query the mapping, the methods ins2type() and type2desc() are implemented.
• kerckhoffr/Instructions.py contains the classes Instructions, for generic encapsulation
  of a sequence of instructions, BBLs, for basic block generation, Loops, for
  loop detection, RTNs, for extracting instructions belonging to a single function,
  leafRTNs, for detection of leaf routines, and CFG, for control flow graph generation.
  The Instructions class implements a sequence of instructions. It can be either
  used as a first-in-first-out (FIFO) queue or as a static sequence of instructions.
  The class is used by several other classes in this file, e.g., to describe basic blocks.
  An object is initialized with either insertInstruction() or importInstructionList().
  It contains 37 methods to inspect, modify, and evaluate the instructions. For
  example, the method instructionTypes() determines the distribution of different
  types of instructions among the Instructions. The method getNearbyBlocks()
  implements the memory reconstruction method described in Section 3.6. The
  mnemonic signature generation is implemented in mnemonicChain(). Furthermore,
  the Instructions class also contains interfaces to generate the high-level structures
  and caches them, so that they only need to be generated once.
  The analysis methods from Section 3.3, 3.4, and 3.5 are implemented in the classes
  BBLs, Loops, and CFG respectively. The classes' initialization resolves the instructions,
  which builds the base for the high-level structures, from the calling Instructions
  instance. Furthermore, we provide access to executed functions using RTNs
  and leaf routines using leafRTNs, as described in Section 4.4.2.
• kerckhoffr/Math.py contains shared utilities for the analysis methods. The methods
  are: hammingOnePercentage(), for determining the hamming weight, calcEntropyLutz()
  and calcEntropy(), for calculating the normalized and common entropy,
  numUniqueBytes() and numDifferentBytes(), for counting the number of unique
  respectively different bytes in a list.
• kerckhoffr/Parser.py implements the parsing of the trace file. The process is described
  in detail below.
• kerckhoffr/__init__.py is the obligatory file defining a Python package.
• kerckhoffr/__main__.py implements the command line parsing and initializes common
  objects, as described below.
• kerckhoffr/signatures/ is a subpackage containing several signatures for the
  identification methods described in Section 4.4.1: api.py, chainsForImplementation.pkl,
  memory.py, memoryreadnowrites.py, mnemonicchains.py, and mnemonicconst.py.
• kerckhoffr/verifier/ is a second subpackage providing interfaces to the reference
  implementations of the listed algorithms: aes.py, des.py, md5.py, rc4.py, rsa.py,
  and xor.py. The modules partially depend on reference implementations from
  Crypto.Cipher and hashlib.
5.3.2. Process
When the analysis tool is started, the __main__ module parses the command line, configures
the logging module, initializes an instance of Instructions as the main queue
(step one in Figure 5.4) and passes the instance to the instantiation of Parser and Analysis
(step two and three). Depending on the command line mode, whether the parsing
and analysis should be threaded or not, the __main__ module starts two threads in
step four and five, or iteratively calls the respective functions, i.e., run(). Since the parsing
and the analysis are concurrent methods, which may be run in parallel, the option
to run the tool in threaded mode is given to the user. A complete parallel processing is
not yet feasible, because both concurrent methods share the same data, i.e., the Instructions
instance. Thus, the analysis method locks the Instructions instance, so that the
parsing method does not modify the instance during analysis.
[Diagram: __main__ and the objects Instructions (__init__()), Parser (__init__(), run())
and Analysis (__init__(), run()); the calls are numbered 1 to 5.]
Figure 5.4.: Initialization of objects
Implemented in Parser.py, the method Parser.run() opens the trace file and associates
memory and instruction entries for each contained line. It then calls
Parser.generateInstruction() to create an instance of Instruction and appends it to the
target queue: Instructions.insertInstruction(). Parser.generateInstruction() uses the
method Parser.lookup() to expand compressed symbol information. If the module name does
not match the specified filter, the instruction can be discarded. Also,
Parser.generateInstruction() calls Parser.checkBufferSize() to verify whether it can still
fill the queue, or otherwise has to call pauseParsing() to pause the parsing of new lines.
The restriction of the queue is due to the memory constraints and the pauseParsing()
functionality assures that the queue is first analyzed, before it will be refilled again.
To thwart a cropping of the trace queue at an unfavorable position, i.e., inside a
cryptographic function, the FIFO queue is not fully flushed before a new analysis session
is started. The analysis is already called when 75% of the queue is refilled. This leads
to an overlapping of 125,000 instructions for the default FIFO queue size of 500,000
instructions (footnote 5), which is sufficient for most cryptographic functions, as shown
by the instructions column in Table 6.3.
When the parsing is finished or the FIFO queue triggered pauseParsing(), the analysis
starts. The method Analysis.run() then calls the identification methods listed above,
which have access to the Instructions queue using the attribute Analysis.target. When
the analysis is done and the results have been recorded, the tool either quits or
continues parsing and analyzing the next block.
5.4. Summary
In this chapter, we described a system implementation composed of a Pintool and a
Python analysis tool. We also discussed the design decisions encountered during the
development. The system could be extended and exchanged in several parts, but we
show in the next chapter that it performs well for a variety of software.
Footnote 5: The default size is suitable for the development and evaluation system described in Section 6.1.
6. Experimental Evaluation
In this chapter we evaluate the performance of the previously described methods and
their implementation. First, we give an overview of the testing environment and then
describe the system's performance for the testing applications, an off-the-shelf
application, and a packed testing application.
6.1. Evaluation Environment
The tracing is performed in a Sun VirtualBox 3.1.2 running Windows XP SP3 which
is hosted on Mac OS X 10.6.2. The Pin version is 2.7-31933. The virtual machine is
configured to have 1024 MB of RAM and operates with a single core of the host
computer. The trace is written to the disk of the host computer through a VirtualBox
shared folder.
The host computer, on which the analysis runs, provides a 2.4 GHz Intel Core 2 Duo
with 4 GB of RAM. The FIFO queue size of the analysis is by default 500,000
instructions. With a fully loaded queue the analysis process uses about 1.9 GB of RAM.
6.2. Testing Applications
For the evaluation, we developed 14 testing applications. The testing applications
consist of 1102 lines or 835 sloc of C code in total. The applications take input
parameters, e.g., two files holding plaintext and key, on the command line. The mode
of operation, i.e., encryption or decryption, and the output file are also specified on
the command line. Then, the testing applications process the input files, initialize the
cryptographic library including the algorithm, and encrypt or decrypt the plaintext
file. Finally, the result is written to the output file. An overview of the cryptographic
libraries' versions, used compilers and mode of operation is given in Table 6.1. We
illustrate the sizes of the parameters in Table 6.2.
The compilers used were the Microsoft C/C++ Compiler version 15.00.21022.08 and
the MinGW port of GCC version 3.4.2. Some cryptographic libraries were linked
statically, others dynamically, to test the Pintool's handling of dynamically loaded
libraries.
We created a batch job launching the Pintool to generate the trace files of the testing
applications. The duration of the Pintool instrumenting the different testing
applications depends on the command line configuration. Our Pintool's module whitelist
contained only the executable and, if dynamically linked, also the DLLs of the
cryptographic library, e.g., beecrypt.dll and LIBEAY32.dll. If we also traced
Windows libraries like ntdll.dll, the tracing time and size would increase.
For example, if we trace the OpenSSL RSA encryption and do not enable the module
whitelisting, we would generate a trace of about 20 GB in file size with 97% of traced
code in rsaenh.dll. This is due to the random number generation of the OpenSSL
PRNG implementation in crypto/rand/rand_win.c. There, OpenSSL calls
CryptAcquireContextW and CryptGenRandom of rsaenh.dll and thereby increases the trace
size and time.
For the XOR testing application with a 256 byte input/output, the difference between
an unfiltered and filtered trace is an increase of factor 29 in size (137 KB versus 4 MB),
factor 23 in time (2 versus 46 seconds), and factor 28 in instructions (1935 versus 54585
instructions).
[Plot, logarithmic scale: number of instructions, trace size (kilobytes), trace time
(seconds) and analysis time (seconds) for each of the 14 testing applications.]
Figure 6.1.: Analysis and trace time/size costs, logarithmic scaled
Implementation  Algorithm  Version      Compiler      Mode
Beecrypt        AES        4.1.2        VC dynamic    ECB encryption
Brian Gladman   AES        07-10-08     VC static     CBC encryption
Cryptopp        AES        5.6.0        VC static     CFB encryption
OpenSSL         AES        0.9.8g       MinGW static  CFB encryption
Cryptopp        DES        5.6.0        VC static     CFB encryption
OpenSSL         DES        0.9.8g       MinGW static  ECB encryption
Cryptopp        RC4        5.6.0        VC static     encryption
OpenSSL         RC4        0.9.8g       MinGW static  encryption
Beecrypt        MD5        4.1.2        VC dynamic
Cryptopp        MD5        5.6.0        VC static
OpenSSL         MD5        0.9.8g       MinGW static
Cryptopp        RSA        5.6.0        VC static     OAEP SHA1
OpenSSL         RSA        1.0.0-beta3  VC dynamic    PKCS1.5
Custom          XOR        1.0          VC static
Table 6.1.: Overview of testing applications

Implementation  Algorithm  Keysize   Inputsize  Outputsize
Beecrypt        AES        128 bit   128 bit    128 bit
Brian Gladman   AES        128 bit   128 bit    128 bit
Cryptopp        AES        128 bit   128 bit    128 bit
OpenSSL         AES        256 bit   128 bit    128 bit
Cryptopp        DES        128 bit   128 bit    128 bit
OpenSSL         DES        128 bit   128 bit    128 bit
Cryptopp        RC4        128 byte  128 byte   128 byte
OpenSSL         RC4        128 byte  128 byte   128 byte
Beecrypt        MD5        -         4096 byte  128 bit
Cryptopp        MD5        -         4096 byte  128 bit
OpenSSL         MD5        -         4096 byte  128 bit
Cryptopp        RSA        1024 bit  128 byte   128 byte
OpenSSL         RSA        512 bit   128 byte   144 byte
Custom          XOR        128 byte  4096 byte  4096 byte
Table 6.2.: Parameter size of testing applications

Implementation  Algorithm  Trace size  Trace duration  Number of instructions  Analysis duration
Beecrypt        AES        497 KB      12s             6342                    3m36s
Brian Gladman   AES        611 KB      7s              7913                    3m
Cryptopp        AES        6.7 MB      1m42s           106764                  46m4s
OpenSSL         AES        962 KB      14s             13449                   1m9s
Cryptopp        DES        8.0 MB      2m12s           126929                  41m3s
OpenSSL         DES        1011 KB     14s             14104                   51s
Cryptopp        RC4        5.7 MB      1m25s           90695                   12m19s
OpenSSL         RC4        431 KB      6s              6201                    18s
Beecrypt        MD5        2.6 MB      22s             37460                   18m39s
Cryptopp        MD5        7.3 MB      1m17s           114759                  25m15s
OpenSSL         MD5        2.6 MB      31s             35455                   13m35s
Cryptopp        RSA        49 MB       11m41s          731430                  4h43m49s
OpenSSL         RSA        96 MB       19m18s          1437457                 11h38m52s
Custom          XOR        1.8 MB      30s             25545                   1m12s
Table 6.3.: Analysis and trace time/size costs

The duration and trace file sizes of the filtered tracing are shown in Table 6.3. Hours
are abbreviated by h, minutes by m, and seconds by s in the duration fields. We plot
the results in Figure 6.1, where we convert the size to kilobytes and the analysis
duration to seconds. Also, we illustrate the duration of the analysis with almost all
identification methods enabled (footnote 1). The large analysis duration is partially due
to the fully enabled analysis methods. Especially the loopDiffer() method is very time
intensive and is responsible for about 90% of the analysis duration in the RSA cases.
The performance of the analysis is rated by the successful identification of the
cryptographic algorithm and parameters. Therefore, we analyze each trace of a testing
application and review which identification method has identified the correct
cryptographic algorithm.
6.2.1. Published Methods
At first, we evaluate the identification methods from the related work: caballero(),
lutz(), and wang(). However, one has to keep in mind that we did not exactly implement
Lutz's identification method due to the lack of a taint-tracking functionality. Table 6.4
shows the results of the identification methods. False-positives are abbreviated as
FP and basic blocks as BBL. The results of the identification were compared with the
source code and control flow graphs of the testing application in order to rate the
performance of the methods.
Footnote 1: Excluding the symmetricCipherDataTester() because of the high time duration of the
memory reconstruction.
Implementation  Algorithm  caballero        lutz          wang
Beecrypt        AES        success          found BBL     no result
Brian Gladman   AES        success          only FP       no result
Cryptopp        AES        partial          found BBL     error
OpenSSL         AES        success          found BBL     success OPENSSL_cleanse
Cryptopp        DES        success          found BBL     error
OpenSSL         DES        success          key schedule  success DES_ecb_encrypt
Cryptopp        RC4        partial          only FP       error
OpenSSL         RC4        success          no results    no result
Beecrypt        MD5        success          found BBL     success md5Process
Cryptopp        MD5        success          found BBL     error
OpenSSL         MD5        success          partial       success MD5_Final
Cryptopp        RSA        success & FP     only FP       error
OpenSSL         RSA        no success & FP  only FP       no result
Custom          XOR        n/a              n/a           n/a
Table 6.4.: Analysis performance for the published methods
Generally, the method of Caballero et al. has a good success rate despite its
simplicity. It always identifies the cryptographic basic blocks of the cipher and the hash
implementations. It also identifies the key scheduling basic blocks and we rate this
as a successful identification, because key scheduling is a core part of cryptographic
algorithms. For example, for the OpenSSL DES testing application, the caballero()
method enumerates 13 basic blocks from the functions _DES_ecb_encrypt, _DES_encrypt1,
and _DES_set_key_unchecked. For two Cryptopp applications, the method only partially
identifies the set of basic blocks: it misses parts of the key scheduling and the
encryption phase. In case of the Cryptopp RSA testing application, the method successfully
identifies the asymmetric encryption, but also lists several false-positive basic blocks.
For the OpenSSL RSA implementations, the method only identifies false-positive
basic blocks from the functions SHA1_Final, SHA512, and EVP_DecodeBlock. The XOR
encryption basic block is not found, because it only contains one bitwise arithmetic
instruction among six total instructions, as shown in Figure 3.1.
The method of Lutz [49] cannot be completely evaluated, because we did not
implement the taint-tracking needed for it. However, we can note that, using data
comparison without taint-tracking, the method is still able to identify cryptographic code.
For the AES and DES testing applications, it identifies encryption basic blocks or key
schedule blocks, due to entropy changes in the data. Also for the MD5 applications, it
identifies the core MD5 functions. However, with each successful identification, there
is also a high rate of false-positives. For testing applications with few loops, i.e., XOR
and OpenSSL RC4, the method shows no results, because the loop bodies or iterations
are too small. In all results, the identification of plaintext or ciphertext is not
successful.
0,808 0,451 0,561 0,585 0,513 0,913 0,964 0,496 0,828 0,547 0,748 0,527 0,728 0,708
0,807 0,451 0,560 0,584 0,512 0,913 0,964 0,495 0,828 0,548 0,749 0,527 0,729 0,709
0,808 0,451 0,559 0,586 0,511 0,914 0,964 0,495 0,829 0,548 0,750 0,526 0,730 0,709
0,808 0,450 0,559 0,585 0,511 0,914 0,964 0,494 0,829 0,548 0,750 0,525 0,732 0,709
0,808 0,450 0,558 0,586 0,510 0,914 0,964 0,493 0,830 0,549 0,751 0,524 0,732 0,709
0,809 0,449 0,556 0,587 0,509 0,915 0,965 0,493 0,831 0,550 0,752 0,524 0,733 0,709
0,807 0,449 0,556 0,587 0,508 0,915 0,965 0,492 0,831 0,550 0,753 0,523 0,734 0,709
0,808 0,448 0,555 0,588 0,508 0,915 0,965 0,491 0,832 0,551 0,754 0,522 0,736 0,710
0,808 0,448 0,554 0,588 0,507 0,916 0,965 0,490 0,833 0,551 0,755 0,521 0,736 0,710
0,808 0,447 0,553 0,588 0,506 0,916 0,965 0,490 0,833 0,551 0,756 0,521 0,738 0,710
0,809 0,447 0,552 0,589 0,505 0,915 0,965 0,489 0,834 0,551 0,757 0,520 0,739 0,710
0,808 0,446 0,551 0,589 0,504 0,914 0,965 0,488 0,835 0,552 0,758 0,519 0,740 0,710
0,808 0,446 0,551 0,590 0,504 0,914 0,965 0,488 0,835 0,553 0,758 0,518 0,741 0,710
0,809 0,445 0,550 0,590 0,503 0,914 0,965 0,487 0,836 0,554 0,759 0,518 0,742 0,710
0,808 0,445 0,549 0,591 0,502 0,915 0,966 0,486 0,836 0,554 0,760 0,517 0,742 0,711
0,809 0,444 0,548 0,591 0,502 0,915 0,966 0,486 0,837 0,555 0,761 0,516 0,743 0,711
0,808 0,443 0,547 0,592 0,501 0,915 0,966 0,485 0,838 0,553 0,762 0,515 0,745 0,711
0,809 0,443 0,546 0,592 0,500 0,916 0,966 0,484 0,838 0,555 0,763 0,515 0,745 0,711
0,809 0,442 0,546 0,592 0,500 0,916 0,966 0,484 0,839 0,556 0,764 0,514 0,747 0,709
0,809 0,442 0,545 0,593 0,499 0,916 0,966 0,483 0,839 0,556 0,765 0,513 0,748 0,710
0,809 0,441 0,544 0,593 0,498 0,917 0,966 0,482 0,840 0,556 0,765 0,513 0,749 0,710
0,809 0,441 0,543 0,594 0,498 0,917 0,966 0,482 0,841 0,556 0,766 0,512 0,75 0,710
0,809 0,441 0,543 0,593 0,497 0,917 0,967 0,481 0,841 0,557 0,767 0,512 0,750 0,710
0,809 0,440 0,542 0,595 0,497 0,918 0,967 0,480 0,842 0,554 0,767 0,511 0,752 0,710
0,809 0,440 0,541 0,595 0,496 0,918 0,967 0,480 0,842 0,553 0,768 0,510 0,752 0,710
0,809 0,440 0,540 0,595 0,495 0,917 0,967 0,480 0,843 0,552 0,769 0,509 0,753 0,710
0,809 0,439 0,539 0,595 0,494 0,916 0,967 0,479 0,843 0,551 0,769 0,509 0,754 0,711
0,809 0,439 0,539 0,596 0,494 0,916 0,967 0,479 0,844 0,550 0,770 0,508 0,755 0,711
0,809 0,439 0,538 0,595 0,494 0,916 0,967 0,478 0,845 0,550 0,771 0,507 0,756 0,711
0,809 0,438 0,537 0,597 0,493 0,917 0,967 0,478 0,845 0,551 0,772 0,507 0,757 0,711
0,809 0,438 0,537 0,596 0,492 0,917 0,967 0,477 0,846 0,550 0,771 0,506 0,757 0,711
0,810 0,438 0,536 0,597 0,492 0,917 0,968 0,477 0,846 0,551 0,771 0,506 0,758 0,711
0,809 0,437 0,535 0,598 0,491 0,917 0,968 0,476 0,847 0,551 0,771 0,505 0,759 0,711
0,809 0,437 0,535 0,598 0,491 0,918 0,968 0,476 0,847 0,551 0,771 0,504 0,760 0,712
0,809 0,437 0,534 0,598 0,490 0,918 0,968 0,475 0,848 0,552 0,771 0,504 0,761 0,712
0,810 0,436 0,533 0,599 0,489 0,918 0,968 0,475 0,848 0,550 0,772 0,503 0,762 0,712
0,810 0,436 0,532 0,598 0,489 0,919 0,968 0,474 0,849 0,550 0,772 0,503 0,763 0,712
0,809 0,436 0,532 0,6 0,489 0,919 0,968 0,473 0,849 0,550 0,772 0,502 0,763 0,712
0,810 0,435 0,531 0,599 0,488 0,919 0,968 0,473 0,850 0,549 0,772 0,501 0,764 0,712
0,810 0,435 0,530 0,600 0,487 0,919 0,968 0,472 0,850 0,549 0,772 0,501 0,765 0,712
0,810 0,435 0,530 0,600 0,487 0,919 0,969 0,472 0,851 0,551 0,772 0,500 0,766 0,713
0,810 0,434 0,529 0,601 0,486 0,917 0,969 0,472 0,851 0,553 0,772 0,500 0,767 0,713
0,809 0,434 0,528 0,600 0,486 0,918 0,969 0,471 0,852 0,554 0,772 0,499 0,768 0,713
0,810 0,433 0,527 0,602 0,485 0,918 0,969 0,471 0,852 0,556 0,772 0,498 0,768 0,713
0,810 0,433 0,527 0,601 0,485 0,918 0,969 0,470 0,852 0,557 0,772 0,498 0,769 0,713
0,810 0,433 0,526 0,602 0,484 0,918 0,969 0,470 0,853 0,558 0,772 0,497 0,770 0,713
0,811 0,432 0,525 0,602 0,484 0,919 0,969 0,469 0,852 0,560 0,772 0,497 0,771 0,713
0,810 0,432 0,525 0,603 0,483 0,919 0,969 0,469 0,852 0,561 0,772 0,496 0,772 0,713
0,810 0,432 0,525 0,602 0,483 0,919 0,969 0,468 0,852 0,563 0,772 0,495 0,772 0,713
0,811 0,431 0,524 0,604 0,482 0,920 0,969 0,468 0,849 0,564 0,773 0,495 0,773 0,712
0,810 0,431 0,523 0,603 0,482 0,920 0,969 0,467 0,848 0,565 0,771 0,494 0,774 0,712
0,811 0,431 0,523 0,604 0,481 0,920 0,970 0,467 0,847 0,566 0,770 0,494 0,775 0,712
0,810 0,431 0,522 0,604 0,480 0,920 0,970 0,467 0,846 0,568 0,770 0,493 0,775 0,712
0,810 0,430 0,521 0,605 0,480 0,921 0,970 0,466 0,845 0,569 0,771 0,492 0,776 0,713
0,811 0,430 0,521 0,605 0,480 0,921 0,970 0,466 0,843 0,570 0,771 0,492 0,777 0,713
0,810 0,430 0,520 0,606 0,479 0,921 0,970 0,465 0,844 0,572 0,772 0,491 0,777 0,713
0,811 0,429 0,519 0,605 0,479 0,919 0,970 0,465 0,844 0,573 0,773 0,491 0,778 0,713
0,811 0,429 0,519 0,606 0,478 0,919 0,970 0,464 0,845 0,575 0,774 0,490 0,779 0,713
0,810 0,429 0,518 0,606 0,478 0,919 0,970 0,464 0,845 0,576 0,774 0,490 0,780 0,713
0,811 0,429 0,517 0,607 0,477 0,920 0,970 0,464 0,845 0,577 0,775 0,489 0,781 0,713
0,810 0,428 0,517 0,607 0,477 0,920 0,970 0,463 0,846 0,578 0,775 0,488 0,781 0,713
0,811 0,428 0,516 0,607 0,476 0,920 0,970 0,463 0,846 0,579 0,776 0,488 0,782 0,713
0,811 0,428 0,516 0,608 0,476 0,920 0,970 0,462 0,847 0,581 0,777 0,487 0,783 0,714
0,810 0,427 0,515 0,608 0,476 0,921 0,971 0,462 0,847 0,582 0,778 0,486 0,784 0,714
0,811 0,427 0,514 0,608 0,476 0,921 0,971 0,461 0,848 0,583 0,778 0,486 0,784 0,714
0,811 0,427 0,514 0,608 0,477 0,921 0,971 0,461 0,848 0,584 0,779 0,485 0,784 0,714
0,811 0,427 0,513 0,609 0,478 0,921 0,971 0,460 0,849 0,585 0,780 0,485 0,785 0,714
0,811 0,426 0,513 0,609 0,479 0,922 0,971 0,460 0,849 0,587 0,780 0,484 0,786 0,714
0,811 0,426 0,512 0,610 0,480 0,922 0,971 0,460 0,850 0,588 0,781 0,484 0,787 0,714
0,811 0,426 0,512 0,609 0,480 0,922 0,971 0,459 0,850 0,589 0,781 0,483 0,787 0,714
0,811 0,426 0,511 0,610 0,481 0,922 0,971 0,459 0,851 0,590 0,782 0,483 0,788 0,715
0,811 0,425 0,510 0,611 0,482 0,921 0,971 0,459 0,851 0,591 0,783 0,482 0,789 0,715
0,812 0,425 0,510 0,611 0,482 0,921 0,971 0,458 0,851 0,592 0,783 0,482 0,789 0,715
0,811 0,425 0,509 0,611 0,483 0,921 0,971 0,458 0,852 0,594 0,784 0,481 0,790 0,715
0,811 0,425 0,509 0,611 0,484 0,921 0,971 0,457 0,852 0,595 0,785 0,480 0,791 0,715
0,812 0,424 0,508 0,611 0,484 0,921 0,972 0,457 0,853 0,596 0,785 0,480 0,791 0,715
0,811 0,424 0,507 0,612 0,485 0,921 0,972 0,457 0,853 0,597 0,786 0,480 0,792 0,715
0,812 0,424 0,507 0,611 0,486 0,922 0,972 0,456 0,854 0,598 0,787 0,479 0,793 0,715
0,811 0,424 0,507 0,612 0,486 0,922 0,972 0,456 0,854 0,599 0,787 0,479 0,793 0,715
0,811 0,423 0,506 0,612 0,487 0,922 0,972 0,455 0,854 0,600 0,788 0,479 0,794 0,715
0,812 0,423 0,505 0,613 0,488 0,922 0,972 0,455 0,855 0,601 0,788 0,478 0,795 0,716
0,811 0,423 0,505 0,612 0,489 0,923 0,972 0,454 0,855 0,602 0,789 0,478 0,795 0,714
0,812 0,423 0,504 0,614 0,490 0,923 0,972 0,454 0,856 0,604 0,790 0,477 0,796 0,714
0,812 0,422 0,504 0,613 0,491 0,923 0,972 0,454 0,856 0,605 0,790 0,477 0,796 0,714
0,812 0,422 0,503 0,614 0,491 0,923 0,972 0,453 0,857 0,606 0,791 0,476 0,797 0,715
0,812 0,422 0,503 0,614 0,492 0,924 0,972 0,453 0,857 0,607 0,791 0,476 0,798 0,715
0,812 0,422 0,502 0,614 0,493 0,922 0,972 0,453 0,857 0,608 0,792 0,476 0,798 0,715
0,812 0,421 0,501 0,614 0,494 0,922 0,972 0,452 0,858 0,609 0,793 0,475 0,799 0,715
0,812 0,421 0,501 0,615 0,494 0,922 0,972 0,452 0,858 0,610 0,793 0,475 0,799 0,715
0,812 0,421 0,500 0,615 0,495 0,922 0,973 0,452 0,859 0,611 0,793 0,474 0,800 0,715
0,812 0,421 0,500 0,615 0,495 0,922 0,973 0,451 0,859 0,612 0,794 0,474 0,800 0,715
0,812 0,420 0,499 0,615 0,496 0,923 0,973 0,451 0,859 0,613 0,795 0,473 0,801 0,715
0,812 0,420 0,499 0,616 0,496 0,923 0,973 0,451 0,860 0,615 0,795 0,473 0,801 0,715
0,812 0,420 0,498 0,616 0,497 0,923 0,973 0,452 0,860 0,616 0,796 0,472 0,802 0,715
0,812 0,420 0,497 0,616 0,497 0,923 0,973 0,453 0,861 0,617 0,797 0,472 0,802 0,716
0,812 0,419 0,497 0,616 0,498 0,924 0,973 0,453 0,861 0,617 0,797 0,472 0,802 0,716
0,812 0,419 0,497 0,617 0,498 0,924 0,973 0,454 0,861 0,619 0,798 0,471 0,803 0,716
0,812 0,419 0,496 0,617 0,499 0,924 0,973 0,455 0,862 0,620 0,798 0,471 0,803 0,716
0,813 0,419 0,495 0,617 0,500 0,924 0,973 0,456 0,862 0,621 0,798 0,471 0,803 0,716
0,812 0,419 0,495 0,617 0,500 0,925 0,973 0,456 0,862 0,621 0,799 0,470 0,804 0,716
0,812 0,418 0,494 0,618 0,501 0,925 0,973 0,457 0,862 0,623 0,800 0,470 0,804 0,716
0,812 0,418 0,494 0,618 0,501 0,924 0,974 0,458 0,862 0,623 0,800 0,469 0,804 0,716
0,812 0,418 0,493 0,619 0,501 0,923 0,973 0,458 0,862 0,625 0,801 0,469 0,805 0,716
0,813 0,418 0,493 0,618 0,502 0,923 0,974 0,459 0,861 0,625 0,801 0,469 0,805 0,716
0,812 0,417 0,492 0,619 0,501 0,923 0,974 0,460 0,859 0,626 0,802 0,468 0,805 0,716
0,812 0,417 0,492 0,619 0,502 0,924 0,974 0,460 0,858 0,627 0,802 0,468 0,804 0,717
0,813 0,417 0,491 0,619 0,502 0,924 0,974 0,461 0,857 0,628 0,803 0,467 0,803 0,717
0,812 0,417 0,491 0,620 0,502 0,924 0,974 0,462 0,856 0,629 0,804 0,467 0,801 0,717
0,813 0,417 0,490 0,620 0,503 0,924 0,974 0,463 0,856 0,631 0,804 0,467 0,799 0,717
0,812 0,416 0,490 0,620 0,503 0,924 0,974 0,464 0,854 0,631 0,804 0,466 0,798 0,717
0,813 0,416 0,489 0,621 0,504 0,925 0,974 0,465 0,855 0,632 0,805 0,466 0,798 0,717
0,813 0,416 0,489 0,620 0,503 0,925 0,974 0,465 0,855 0,633 0,805 0,466 0,797 0,717
0,813 0,416 0,489 0,621 0,504 0,925 0,974 0,466 0,855 0,634 0,806 0,465 0,796 0,716
0,813 0,415 0,488 0,621 0,504 0,925 0,974 0,467 0,855 0,635 0,807 0,465 0,794 0,716
0,813 0,415 0,488 0,621 0,505 0,926 0,974 0,468 0,856 0,636 0,807 0,465 0,794 0,716
0,813 0,415 0,487 0,622 0,505 0,926 0,974 0,468 0,856 0,637 0,808 0,464 0,793 0,716
0,813 0,415 0,487 0,621 0,505 0,925 0,974 0,469 0,857 0,638 0,808 0,464 0,793 0,716
0,813 0,415 0,486 0,622 0,505 0,924 0,974 0,469 0,857 0,639 0,809 0,463 0,794 0,716
0,813 0,414 0,486 0,622 0,505 0,924 0,974 0,470 0,857 0,640 0,809 0,463 0,794 0,716
0,813 0,414 0,485 0,622 0,506 0,924 0,975 0,470 0,858 0,640 0,809 0,463 0,795 0,717
0,813 0,414 0,485 0,622 0,506 0,925 0,975 0,471 0,858 0,641 0,809 0,462 0,795 0,717
0,813 0,414 0,485 0,623 0,506 0,925 0,975 0,472 0,859 0,642 0,810 0,462 0,796 0,717
0,813 0,414 0,484 0,622 0,506 0,925 0,975 0,472 0,859 0,643 0,810 0,462 0,796 0,717
0,813 0,413 0,484 0,624 0,507 0,925 0,975 0,473 0,859 0,644 0,811 0,461 0,797 0,717
0,813 0,413 0,483 0,623 0,507 0,925 0,975 0,474 0,860 0,645 0,811 0,461 0,798 0,717
0,813 0,413 0,483 0,624 0,507 0,926 0,975 0,474 0,860 0,646 0,812 0,460 0,798 0,717
0,813 0,413 0,483 0,624 0,507 0,926 0,975 0,475 0,860 0,647 0,811 0,460 0,799 0,717
0,813 0,413 0,482 0,624 0,507 0,926 0,975 0,475 0,861 0,648 0,811 0,460 0,799 0,717
0,813 0,412 0,482 0,624 0,508 0,926 0,975 0,475 0,861 0,647 0,811 0,460 0,800 0,717
0,814 0,412 0,482 0,625 0,507 0,926 0,975 0,475 0,861 0,646 0,811 0,459 0,800 0,717
0,813 0,412 0,481 0,624 0,508 0,927 0,975 0,475 0,862 0,645 0,810 0,459 0,801 0,717
0,813 0,412 0,481 0,625 0,508 0,926 0,975 0,476 0,862 0,644 0,810 0,459 0,801 0,718
0,813 0,412 0,480 0,625 0,508 0,925 0,975 0,476 0,862 0,644 0,811 0,458 0,802 0,718
0,813 0,411 0,480 0,625 0,508 0,925 0,975 0,477 0,863 0,642 0,811 0,458 0,802 0,718
0,814 0,411 0,480 0,625 0,508 0,925 0,975 0,478 0,863 0,642 0,811 0,458 0,803 0,718
0,813 0,411 0,479 0,626 0,508 0,926 0,975 0,477 0,863 0,642 0,810 0,457 0,804 0,718
0,813 0,411 0,479 0,625 0,508 0,926 0,976 0,478 0,864 0,642 0,810 0,457 0,804 0,718
0,814 0,411 0,479 0,626 0,508 0,926 0,976 0,478 0,864 0,642 0,810 0,457 0,805 0,718
0,813 0,410 0,478 0,626 0,509 0,926 0,976 0,479 0,864 0,641 0,810 0,456 0,805 0,718
0,814 0,410 0,478 0,626 0,509 0,926 0,976 0,479 0,865 0,641 0,810 0,456 0,805 0,718
0,813 0,410 0,477 0,627 0,508 0,926 0,976 0,479 0,865 0,641 0,810 0,455 0,806 0,718
0,813 0,410 0,477 0,627 0,509 0,927 0,976 0,479 0,866 0,640 0,810 0,455 0,806 0,718
0,814 0,410 0,477 0,627 0,509 0,927 0,976 0,479 0,866 0,639 0,810 0,455 0,807 0,718
0,813 0,410 0,476 0,627 0,509 0,927 0,976 0,480 0,866 0,639 0,810 0,454 0,807 0,719
0,814 0,409 0,476 0,627 0,509 0,927 0,976 0,480 0,866 0,639 0,810 0,454 0,808 0,717
0,814 0,409 0,475 0,628 0,510 0,927 0,976 0,480 0,867 0,639 0,810 0,454 0,808 0,718
0,813 0,409 0,475 0,628 0,509 0,928 0,976 0,481 0,867 0,639 0,809 0,454 0,809 0,718
0,814 0,409 0,475 0,628 0,509 0,926 0,976 0,481 0,867 0,640 0,807 0,453 0,809 0,718
0,813 0,409 0,474 0,628 0,510 0,926 0,976 0,481 0,868 0,641 0,808 0,453 0,810 0,718
0,814 0,408 0,474 0,629 0,510 0,926 0,976 0,481 0,868 0,642 0,808 0,452 0,810 0,718
0,814 0,408 0,474 0,628 0,510 0,926 0,976 0,482 0,868 0,643 0,809 0,452 0,811 0,718
0,814 0,408 0,473 0,629 0,510 0,927 0,976 0,482 0,869 0,644 0,809 0,452 0,811 0,718
0,814 0,408 0,473 0,629 0,510 0,927 0,976 0,482 0,869 0,644 0,810 0,452 0,812 0,718
0,814 0,408 0,473 0,629 0,511 0,927 0,976 0,482 0,869 0,645 0,810 0,451 0,812 0,718
0,814 0,408 0,472 0,629 0,510 0,927 0,977 0,483 0,869 0,646 0,811 0,451 0,813 0,718
0,814 0,407 0,472 0,63 0,511 0,927 0,977 0,482 0,869 0,647 0,811 0,451 0,813 0,718
0,814 0,407 0,472 0,630 0,511 0,927 0,977 0,483 0,869 0,648 0,811 0,451 0,814 0,718
0,814 0,407 0,471 0,630 0,511 0,928 0,977 0,483 0,869 0,649 0,812 0,452 0,814 0,719
0,814 0,407 0,471 0,630 0,512 0,928 0,977 0,483 0,867 0,649 0,812 0,452 0,815 0,719
0,814 0,407 0,471 0,630 0,512 0,928 0,977 0,483 0,865 0,650 0,813 0,453 0,815 0,719
0,814 0,406 0,470 0,631 0,511 0,928 0,977 0,484 0,865 0,651 0,813 0,454 0,815 0,719
0,814 0,406 0,470 0,631 0,512 0,928 0,977 0,483 0,864 0,652 0,814 0,454 0,816 0,719
0,814 0,406 0,470 0,631 0,511 0,927 0,977 0,484 0,863 0,653 0,814 0,455 0,816 0,719
0,814 0,406 0,469 0,631 0,512 0,927 0,977 0,484 0,862 0,654 0,814 0,456 0,817 0,719
0,814 0,406 0,469 0,632 0,512 0,927 0,977 0,484 0,862 0,654 0,815 0,456 0,817 0,719
0,814 0,406 0,468 0,632 0,512 0,927 0,977 0,484 0,862 0,655 0,815 0,457 0,818 0,719
0,814 0,405 0,468 0,632 0,512 0,927 0,977 0,484 0,863 0,656 0,815 0,457 0,818 0,719
0,814 0,405 0,468 0,632 0,512 0,928 0,977 0,484 0,863 0,656 0,816 0,458 0,819 0,719
0,814 0,405 0,467 0,632 0,513 0,928 0,977 0,484 0,863 0,657 0,816 0,458 0,819 0,719
0,814 0,406 0,467 0,632 0,513 0,928 0,977 0,485 0,864 0,658 0,817 0,459 0,819 0,719
0,814 0,407 0,467 0,633 0,513 0,928 0,977 0,485 0,864 0,659 0,817 0,459 0,820 0,719
0,814 0,409 0,466 0,632 0,513 0,928 0,977 0,485 0,864 0,659 0,818 0,460 0,820 0,719
0,814 0,410 0,466 0,633 0,513 0,928 0,977 0,485 0,865 0,660 0,818 0,461 0,821 0,720
0,814 0,412 0,466 0,633 0,513 0,929 0,977 0,486 0,865 0,661 0,819 0,461 0,821 0,720
0,814 0,413 0,465 0,633 0,513 0,929 0,978 0,486 0,865 0,661 0,819 0,462 0,822 0,720
0,815 0,415 0,465 0,633 0,513 0,929 0,978 0,486 0,865 0,662 0,819 0,463 0,822 0,719
0,814 0,416 0,465 0,634 0,514 0,929 0,978 0,486 0,866 0,663 0,82 0,464 0,822 0,719
0,814 0,418 0,464 0,633 0,514 0,928 0,978 0,487 0,866 0,664 0,820 0,464 0,823 0,719
0,814 0,419 0,464 0,634 0,515 0,928 0,978 0,487 0,866 0,665 0,820 0,465 0,823 0,719
0,814 0,421 0,464 0,633 0,516 0,928 0,978 0,487 0,867 0,665 0,821 0,466 0,824 0,719
0,815 0,422 0,463 0,634 0,516 0,928 0,978 0,487 0,867 0,666 0,821 0,466 0,824 0,719
0,815 0,424 0,463 0,634 0,516 0,928 0,978 0,487 0,867 0,667 0,822 0,467 0,824 0,719
0,814 0,425 0,463 0,635 0,516 0,928 0,978 0,487 0,867 0,668 0,822 0,468 0,825 0,719
0,815 0,427 0,463 0,634 0,516 0,928 0,978 0,487 0,868 0,668 0,823 0,468 0,825 0,719
0,814 0,428 0,464 0,635 0,517 0,929 0,978 0,488 0,868 0,669 0,823 0,469 0,826 0,719
0,815 0,429 0,464 0,634 0,517 0,929 0,978 0,488 0,868 0,669 0,823 0,469 0,826 0,719
0,815 0,430 0,465 0,635 0,517 0,929 0,978 0,488 0,869 0,670 0,823 0,470 0,827 0,719
0,814 0,432 0,465 0,635 0,518 0,929 0,978 0,488 0,869 0,671 0,824 0,470 0,827 0,720
0,815 0,433 0,466 0,635 0,518 0,929 0,978 0,489 0,869 0,672 0,824 0,470 0,827 0,720
0,814 0,433 0,467 0,635 0,518 0,929 0,978 0,489 0,869 0,672 0,825 0,471 0,828 0,720
0,815 0,433 0,467 0,636 0,519 0,930 0,978 0,489 0,870 0,673 0,825 0,471 0,828 0,720
0,815 0,433 0,468 0,635 0,519 0,930 0,978 0,489 0,870 0,674 0,825 0,472 0,829 0,720
0,814 0,432 0,468 0,636 0,519 0,929 0,978 0,489 0,870 0,674 0,826 0,472 0,829 0,720
0,815 0,432 0,469 0,636 0,520 0,928 0,978 0,489 0,871 0,675 0,826 0,473 0,829 0,720
0,815 0,432 0,469 0,636 0,520 0,928 0,978 0,490 0,871 0,676 0,826 0,474 0,830 0,720
0,815 0,432 0,470 0,636 0,520 0,929 0,978 0,490 0,871 0,676 0,827 0,474 0,830 0,720
0,815 0,431 0,470 0,637 0,521 0,929 0,978 0,491 0,872 0,677 0,827 0,475 0,831 0,720
0,814 0,431 0,471 0,636 0,521 0,929 0,978 0,492 0,872 0,678 0,827 0,474 0,831 0,720
0,815 0,431 0,471 0,637 0,521 0,929 0,979 0,491 0,872 0,679 0,828 0,475 0,831 0,720
0,815 0,432 0,472 0,637 0,521 0,929 0,979 0,492 0,872 0,679 0,828 0,475 0,832 0,720
0,815 0,433 0,472 0,637 0,521 0,929 0,979 0,492 0,872 0,680 0,829 0,475 0,832 0,720
0,815 0,433 0,473 0,637 0,521 0,930 0,979 0,493 0,873 0,681 0,829 0,475 0,832 0,720
0,815 0,434 0,473 0,637 0,522 0,930 0,979 0,493 0,873 0,681 0,829 0,476 0,833 0,720
0,815 0,435 0,474 0,638 0,522 0,930 0,979 0,493 0,873 0,682 0,830 0,476 0,833 0,721
0,815 0,436 0,474 0,638 0,522 0,930 0,979 0,494 0,874 0,683 0,830 0,477 0,833 0,721
0,815 0,437 0,475 0,638 0,522 0,930 0,979 0,494 0,874 0,683 0,830 0,477 0,834 0,721
0,815 0,438 0,476 0,638 0,522 0,930 0,979 0,494 0,874 0,684 0,831 0,478 0,834 0,721
0,815 0,440 0,477 0,638 0,522 0,930 0,979 0,495 0,874 0,684 0,831 0,477 0,834 0,720
0,815 0,441 0,477 0,638 0,523 0,929 0,979 0,495 0,874 0,685 0,831 0,478 0,834 0,720
0,815 0,442 0,478 0,639 0,522 0,929 0,979 0,495 0,875 0,686 0,832 0,478 0,835 0,720
0,815 0,443 0,478 0,638 0,523 0,929 0,979 0,496 0,874 0,686 0,832 0,478 0,835 0,720
0,815 0,444 0,479 0,639 0,523 0,929 0,979 0,496 0,874 0,687 0,832 0,479 0,835 0,720
0,815 0,444 0,479 0,639 0,524 0,930 0,979 0,496 0,873 0,688 0,833 0,479 0,835 0,720
0,815 0,444 0,480 0,639 0,523 0,930 0,979 0,497 0,872 0,688 0,833 0,479 0,835 0,720
0,815 0,444 0,481 0,639 0,523 0,930 0,979 0,497 0,871 0,689 0,833 0,479 0,836 0,720
0,815 0,444 0,481 0,640 0,524 0,930 0,979 0,497 0,870 0,689 0,833 0,479 0,836 0,720
0,815 0,444 0,481 0,639 0,524 0,930 0,979 0,497 0,869 0,690 0,834 0,480 0,836 0,720
0,815 0,444 0,482 0,640 0,524 0,930 0,979 0,498 0,869 0,691 0,834 0,480 0,836 0,720
0,815 0,445 0,482 0,639 0,524 0,931 0,979 0,498 0,868 0,692 0,834 0,480 0,836 0,720
0,815 0,446 0,483 0,640 0,524 0,931 0,979 0,498 0,868 0,692 0,834 0,480 0,837 0,721
0,815 0,445 0,483 0,640 0,524 0,931 0,979 0,498 0,869 0,692 0,835 0,481 0,837 0,721
0,815 0,446 0,483 0,640 0,524 0,931 0,979 0,499 0,869 0,693 0,835 0,481 0,835 0,721
0,816 0,447 0,484 0,640 0,525 0,931 0,979 0,499 0,869 0,694 0,834 0,481 0,835 0,721
0,815 0,447 0,484 0,641 0,524 0,930 0,980 0,499 0,869 0,694 0,834 0,481 0,833 0,721
0,815 0,447 0,485 0,640 0,525 0,930 0,979 0,499 0,869 0,695 0,834 0,481 0,831 0,721
0,815 0,448 0,485 0,641 0,525 0,930 0,980 0,499 0,870 0,696 0,834 0,482 0,830 0,721
0,815 0,449 0,486 0,641 0,525 0,930 0,980 0,500 0,870 0,696 0,834 0,482 0,830 0,721
0,816 0,448 0,486 0,641 0,525 0,930 0,980 0,500 0,870 0,697 0,834 0,482 0,830 0,721
0,815 0,449 0,487 0,641 0,525 0,930 0,980 0,500 0,871 0,697 0,834 0,482 0,829 0,721
0,815 0,450 0,487 0,642 0,525 0,930 0,980 0,500 0,871 0,698 0,834 0,482 0,828 0,721
0,815 0,450 0,488 0,641 0,525 0,931 0,980 0,500 0,871 0,698 0,834 0,483 0,827 0,721
0,815 0,450 0,488 0,642 0,525 0,931 0,980 0,501 0,871 0,699 0,834 0,482 0,826 0,721
0,816 0,451 0,487 0,641 0,525 0,931 0,980 0,501 0,871 0,700 0,834 0,483 0,827 0,721
0,815 0,452 0,488 0,642 0,525 0,931 0,980 0,501 0,872 0,700 0,833 0,483 0,827 0,721
0,816 0,452 0,489 0,642 0,525 0,931 0,980 0,501 0,872 0,700 0,833 0,483 0,828 0,721
0,816 0,452 0,488 0,642 0,525 0,931 0,980 0,501 0,872 0,699 0,833 0,483 0,828 0,721
0,816 0,453 0,488 0,642 0,525 0,932 0,980 0,501 0,873 0,699 0,833 0,483 0,828 0,722
0,816 0,453 0,489 0,643 0,525 0,932 0,980 0,501 0,873 0,698 0,833 0,483 0,829 0,722
0,816 0,453 0,489 0,642 0,525 0,931 0,980 0,502 0,873 0,697 0,833 0,483 0,829 0,721
0,816 0,454 0,489 0,643 0,525 0,930 0,980 0,502 0,873 0,696 0,833 0,483 0,829 0,721
0,816 0,455 0,490 0,643 0,525 0,930 0,980 0,502 0,874 0,696 0,833 0,484 0,830 0,721
0,816 0,455 0,490 0,643 0,524 0,931 0,980 0,502 0,874 0,695 0,832 0,484 0,830 0,721
0,816 0,455 0,491 0,643 0,525 0,931 0,980 0,502 0,874 0,695 0,831 0,484 0,830 0,721
0,816 0,456 0,490 0,643 0,525 0,931 0,980 0,502 0,874 0,695 0,830 0,484 0,831 0,721
0,817 0,456 0,490 0,643 0,524 0,931 0,980 0,502 0,874 0,694 0,831 0,484 0,831 0,721
0,816 0,456 0,491 0,644 0,525 0,931 0,980 0,502 0,875 0,694 0,831 0,484 0,831 0,721
0,817 0,456 0,491 0,643 0,525 0,931 0,980 0,502 0,875 0,694 0,832 0,484 0,832 0,721
0,817 0,455 0,491 0,644 0,525 0,931 0,980 0,502 0,875 0,693 0,832 0,485 0,832 0,721
0,817 0,455 0,492 0,644 0,525 0,932 0,980 0,502 0,875 0,692 0,832 0,485 0,832 0,721
0,817 0,455 0,492 0,644 0,525 0,932 0,980 0,502 0,876 0,692 0,833 0,485 0,833 0,721
0,817 0,455 0,492 0,644 0,525 0,932 0,980 0,502 0,876 0,692 0,833 0,485 0,833 0,721
0,817 0,454 0,492 0,644 0,525 0,932 0,980 0,502 0,876 0,691 0,833 0,485 0,833 0,721
0,817 0,454 0,492 0,644 0,525 0,932 0,981 0,502 0,876 0,692 0,833 0,486 0,834 0,721
0,817 0,454 0,492 0,644 0,526 0,931 0,981 0,502 0,877 0,692 0,834 0,486 0,834 0,722
0,817 0,454 0,493 0,645 0,525 0,931 0,981 0,502 0,877 0,693 0,834 0,486 0,834 0,722
0,817 0,454 0,493 0,645 0,525 0,931 0,981 0,502 0,877 0,693 0,834 0,486 0,835 0,722
0,817 0,453 0,493 0,645 0,526 0,931 0,981 0,502 0,877 0,694 0,835 0,486 0,835 0,722
0,817 0,453 0,493 0,645 0,526 0,931 0,981 0,503 0,877 0,695 0,835 0,487 0,835 0,722
0,817 0,453 0,493 0,645 0,526 0,931 0,981 0,503 0,878 0,695 0,835 0,487 0,835 0,722
0,817 0,453 0,494 0,646 0,526 0,932 0,981 0,503 0,878 0,696 0,836 0,487 0,836 0,722
0,818 0,453 0,494 0,645 0,526 0,932 0,981 0,503 0,878 0,696 0,836 0,487 0,836 0,722
0,818 0,452 0,494 0,645 0,525 0,932 0,981 0,503 0,878 0,697 0,836 0,487 0,837 0,722
0,818 0,452 0,494 0,646 0,525 0,932 0,981 0,503 0,878 0,697 0,836 0,487 0,837 0,722
0,818 0,452 0,494 0,646 0,525 0,932 0,981 0,503 0,879 0,698 0,837 0,487 0,837 0,722
0,818 0,452 0,494 0,646 0,525 0,932 0,981 0,503 0,878 0,698 0,837 0,487 0,838 0,722
0,818 0,452 0,495 0,646 0,526 0,932 0,981 0,503 0,878 0,699 0,837 0,488 0,838 0,722
0,818 0,451 0,495 0,646 0,526 0,933 0,981 0,503 0,878 0,7 0,838 0,487 0,838 0,722
0,818 0,451 0,494 0,646 0,525 0,933 0,981 0,504 0,876 0,700 0,838 0,488 0,838 0,722
0,818 0,451 0,495 0,646 0,526 0,932 0,981 0,504 0,875 0,701 0,838 0,488 0,839 0,722
0,817 0,451 0,495 0,646 0,526 0,931 0,981 0,504 0,875 0,701 0,839 0,488 0,839 0,722
0,818 0,451 0,495 0,647 0,526 0,932 0,981 0,504 0,874 0,702 0,839 0,489 0,839 0,722
0,817 0,451 0,495 0,646 0,527 0,932 0,981 0,504 0,874 0,702 0,839 0,489 0,840 0,722
0,818 0,450 0,495 0,647 0,527 0,932 0,981 0,504 0,873 0,703 0,839 0,489 0,840 0,722
0,818 0,450 0,495 0,646 0,527 0,932 0,981 0,504 0,873 0,703 0,840 0,489 0,840 0,722
0,818 0,450 0,496 0,647 0,527 0,932 0,981 0,504 0,873 0,704 0,840 0,489 0,841 0,722
0,818 0,450 0,496 0,647 0,527 0,932 0,981 0,504 0,873 0,704 0,840 0,489 0,841 0,722
0,818 0,450 0,495 0,647 0,527 0,932 0,981 0,504 0,873 0,705 0,840 0,489 0,841 0,722
0,818 0,449 0,496 0,647 0,528 0,932 0,981 0,504 0,874 0,705 0,841 0,489 0,842 0,722
0,818 0,449 0,496 0,648 0,528 0,933 0,981 0,504 0,874 0,706 0,841 0,490 0,842 0,722
0,818 0,449 0,496 0,647 0,528 0,933 0,981 0,505 0,874 0,706 0,841 0,491 0,842 0,722
0,818 0,449 0,496 0,648 0,528 0,933 0,981 0,505 0,874 0,707 0,841 0,491 0,843 0,722
0,818 0,449 0,496 0,648 0,528 0,933 0,981 0,505 0,875 0,707 0,842 0,492 0,843 0,722
0,818 0,448 0,496 0,648 0,528 0,933 0,981 0,505 0,875 0,708 0,842 0,491 0,843 0,722
0,818 0,448 0,497 0,648 0,528 0,933 0,981 0,505 0,875 0,708 0,842 0,492 0,843 0,722
0,818 0,448 0,496 0,648 0,528 0,932 0,982 0,506 0,875 0,709 0,843 0,492 0,844 0,722
0,819 0,448 0,496 0,648 0,528 0,932 0,982 0,506 0,876 0,710 0,843 0,492 0,844 0,722
0,819 0,448 0,497 0,648 0,527 0,932 0,982 0,506 0,876 0,710 0,843 0,493 0,844 0,722
0,819 0,448 0,497 0,648 0,527 0,932 0,982 0,506 0,876 0,711 0,843 0,493 0,845 0,722
0,819 0,447 0,497 0,649 0,526 0,932 0,982 0,506 0,876 0,711 0,844 0,493 0,845 0,723
0,819 0,447 0,497 0,649 0,526 0,933 0,982 0,507 0,876 0,712 0,844 0,494 0,845 0,722
0,819 0,447 0,497 0,649 0,525 0,933 0,982 0,507 0,877 0,712 0,844 0,494 0,846 0,723
0,819 0,447 0,497 0,648 0,525 0,933 0,982 0,506 0,877 0,713 0,844 0,494 0,846 0,723
0,819 0,447 0,498 0,649 0,525 0,933 0,982 0,507 0,877 0,713 0,845 0,495 0,846 0,723
0,819 0,447 0,498 0,649 0,525 0,933 0,982 0,507 0,877 0,714 0,845 0,495 0,846 0,723
0,819 0,446 0,497 0,649 0,525 0,933 0,982 0,506 0,877 0,714 0,845 0,495 0,847 0,723
0,819 0,446 0,498 0,649 0,524 0,933 0,982 0,506 0,878 0,715 0,846 0,495 0,847 0,723
0,819 0,446 0,498 0,649 0,524 0,933 0,982 0,505 0,878 0,715 0,846 0,496 0,847 0,723
0,819 0,446 0,498 0,650 0,523 0,934 0,982 0,505 0,878 0,715 0,846 0,496 0,847 0,723
0,819 0,445 0,498 0,650 0,522 0,933 0,982 0,504 0,878 0,716 0,846 0,496 0,848 0,723
0,820 0,445 0,498 0,649 0,522 0,932 0,982 0,504 0,878 0,716 0,846 0,497 0,848 0,723
0,819 0,445 0,498 0,650 0,521 0,932 0,982 0,504 0,879 0,717 0,847 0,497 0,848 0,723
0,820 0,445 0,499 0,650 0,520 0,933 0,982 0,504 0,879 0,717 0,847 0,497 0,849 0,722
0,819 0,445 0,499 0,650 0,520 0,933 0,982 0,504 0,879 0,718 0,847 0,497 0,849 0,722
0,820 0,445 0,499 0,650 0,519 0,933 0,982 0,504 0,879 0,718 0,848 0,497 0,849 0,722
0,820 0,445 0,499 0,650 0,519 0,933 0,982 0,503 0,879 0,719 0,848 0,498 0,849 0,722
0,820 0,445 0,499 0,650 0,518 0,933 0,982 0,503 0,880 0,720 0,848 0,498 0,850 0,722
0,820 0,446 0,499 0,651 0,518 0,933 0,982 0,502 0,880 0,720 0,848 0,498 0,850 0,723
0,820 0,446 0,499 0,650 0,517 0,933 0,982 0,501 0,880 0,720 0,849 0,498 0,850 0,723
0,820 0,446 0,499 0,651 0,517 0,933 0,982 0,501 0,880 0,721 0,849 0,498 0,850 0,723
0,820 0,446 0,499 0,651 0,516 0,934 0,982 0,500 0,880 0,721 0,849 0,498 0,851 0,723
0,820 0,446 0,499 0,651 0,515 0,934 0,982 0,500 0,881 0,722 0,849 0,499 0,851 0,723
0,820 0,446 0,500 0,651 0,515 0,934 0,982 0,499 0,881 0,722 0,849 0,499 0,851 0,723
0,820 0,446 0,500 0,651 0,515 0,934 0,982 0,499 0,881 0,723 0,850 0,499 0,852 0,723
0,820 0,446 0,500 0,651 0,514 0,934 0,982 0,498 0,881 0,723 0,850 0,499 0,852 0,723
0,820 0,446 0,500 0,651 0,514 0,933 0,982 0,498 0,881 0,724 0,850 0,499 0,852 0,723
0,820 0,446 0,500 0,651 0,514 0,933 0,982 0,497 0,882 0,724 0,850 0,500 0,852 0,723
0,821 0,446 0,500 0,651 0,513 0,933 0,982 0,497 0,882 0,724 0,850 0,500 0,853 0,723
0,820 0,446 0,501 0,652 0,513 0,933 0,982 0,496 0,882 0,725 0,850 0,500 0,853 0,723
0,821 0,447 0,501 0,651 0,512 0,933 0,982 0,495 0,882 0,725 0,850 0,500 0,853 0,723
0,820 0,447 0,501 0,652 0,512 0,933 0,982 0,495 0,881 0,726 0,850 0,500 0,853 0,723
0,821 0,447 0,501 0,651 0,512 0,933 0,982 0,494 0,882 0,726 0,850 0,500 0,854 0,723
0,821 0,447 0,501 0,652 0,511 0,934 0,982 0,494 0,881 0,727 0,849 0,501 0,854 0,723
0,821 0,447 0,501 0,652 0,511 0,934 0,983 0,494 0,880 0,727 0,849 0,501 0,854 0,723
0,821 0,447 0,501 0,652 0,511 0,934 0,983 0,493 0,879 0,728 0,849 0,501 0,854 0,723
0,821 0,447 0,501 0,652 0,510 0,934 0,983 0,492 0,878 0,728 0,849 0,501 0,854 0,723
0,821 0,447 0,501 0,653 0,510 0,934 0,983 0,492 0,878 0,728 0,849 0,501 0,854 0,723
0,821 0,447 0,502 0,652 0,510 0,934 0,983 0,492 0,877 0,729 0,849 0,501 0,854 0,723
0,821 0,448 0,502 0,652 0,509 0,934 0,983 0,492 0,876 0,729 0,849 0,501 0,855 0,723
0,821 0,448 0,503 0,652 0,509 0,934 0,983 0,491 0,877 0,730 0,849 0,501 0,855 0,724
0,821 0,448 0,503 0,653 0,509 0,934 0,983 0,491 0,877 0,730 0,849 0,501 0,855 0,724
0,821 0,448 0,504 0,652 0,509 0,933 0,983 0,490 0,877 0,731 0,849 0,502 0,855 0,724
0,821 0,448 0,504 0,653 0,510 0,933 0,983 0,490 0,877 0,731 0,849 0,502 0,855 0,724
0,821 0,448 0,504 0,653 0,511 0,934 0,983 0,490 0,877 0,732 0,848 0,502 0,855 0,724
0,821 0,448 0,504 0,653 0,512 0,934 0,983 0,489 0,878 0,732 0,848 0,502 0,855 0,723
0,713 0,800 0,859 0,887 0,728
0,713 0,799 0,859 0,887 0,728
0,713 0,799 0,859 0,887 0,728
0,713 0,799 0,859 0,888 0,728
0,713 0,798 0,859 0,888 0,728
0,714 0,798 0,859 0,888 0,728
0,714 0,798 0,859 0,888 0,727
0,714 0,797 0,859 0,888
0,714 0,797 0,859 0,888
0,713 0,797 0,858 0,888
0,712 0,797 0,858 0,888
0,712 0,796 0,858 0,888
0,711 0,796 0,858 0,889
0,710 0,795 0,858 0,889
0,710 0,795 0,857 0,889
0,710 0,795 0,857 0,889
0,709 0,795 0,856 0,889
0,709 0,795 0,855 0,889
0,708 0,796 0,854 0,889
0,796 0,854 0,889
0,796 0,889
0!%
20!%
40!%
60!%
80!%
100!%
openssl_rsa cryptopp_rsa
cryptopp_rc4 openssl_rc4
0!%
20!%
40!%
60!%
80!%
100!%
cryptopp_md5 beecrypt_md5
openssl_md5 cryptopp_des
openssl_des
0!%
20!%
40!%
60!%
80!%
100!%
gladman_aes openssl_aes
cryptopp_aes beecrypt_aes
xor
Figure 6.2.: Cumulative entropy for all testing applications
The cumulative bitwise percentage method by Wang et al. shows a good success rate
for the testing applications with debug symbols. The method is based on the
identification of functions by their debug symbols, therefore it yields false-positive or no
results for the testing applications without debug symbols: the Cryptopp applications
and Gladman's AES implementation do not contain debug symbols. Nevertheless, for
the Beecrypt and OpenSSL applications the success rate is 57%.
The transition functions were verified using the source code and the control flow
graphs and are shown in the result table. The cumulative bitwise arithmetic percentages
for all testing applications are shown in Figure 6.2. In most cases one can visually
identify the point where the encryption starts. Some implementations share a similar
progression, e.g., Cryptopp DES and MD5. Over the progression, we can also identify
cryptographic rounds by small edges, e.g., for the OpenSSL DES or Beecrypt MD5
applications.
6.2.2. Signature-based Methods
Next, we evaluate the signature-based identification methods: chains(), constmemory(),
constmnemonic(), and sigAPI(). The results of the evaluation are shown in Table 6.5.
Empty cells indicate no results. We would like to note that the XOR testing application
was not detected by a signature, because we did not create signatures for it. The XOR
encryption does not contain algorithm-specific constants or mnemonic sequences and
also most implementations do not provide a dedicated function for it. Therefore, a
signature-based identification is not feasible for XOR encryption.
Implementation Algorithm sigAPI constmemory constmnemonic chains
Beecrypt AES success success success
Brian Gladman AES success success
Cryptopp AES success success success
OpenSSL AES success success success success
Cryptopp DES success success success
OpenSSL DES success success success
Cryptopp RC4 success success
OpenSSL RC4 success success success
Beecrypt MD5 success success success
Cryptopp MD5 success success
OpenSSL MD5 success success success
Cryptopp RSA FP success success
OpenSSL RSA success success success & FP
Custom XOR n/a n/a n/a n/a
Table 6.5.: Analysis performance for the signature-based identification methods
The naive sigAPI() method, which checks for cryptographic function symbols, is only
efficient when symbol information is included in the code. If we presume this fact, we
can also argue that a manual identification by a strings command would yield the
same information.
The performance of the constmemory() identification method is only moderate, because
of the loose connection of the constants to the algorithm. To verify this deduction, we
inspected the constants in the traces:
AES = '10', '20', '1', '0', '5', '65', '1d'
DES = '10', '20', '22', '7a', '33', '1', '0', '2d', '5', '4', '8', '7c817074', '65'
MD5 = '10', '0', '10b', '1', '7c8099c0', '4', '7c817074'
Listing 6.1: Intersecting constants of the implementations
The results from Listing 6.1 suggest that the set of intersecting constants of the AES,
DES, and MD5 algorithms is (a) very small, (b) not very descriptive due to common
numbers, e.g., 10, and (c) overlapping between the algorithms. Thus, we conclude
that the method is not sufficient for an identification. This conclusion is underlined
by Figure 6.3, which shows the performance of the method using signatures derived
from the static tools from Section 2.1. In the figure all values are percentages. We can
note that the AES constants have a moderate identification rate, but also yield
false-negatives. The MD5 and DES constants have a high false-positive rate and are not
usable.
[Figure 6.3, grid of percentages. Columns (testing applications): beecrypt aes, beecrypt md5, cryptopp aes, cryptopp des, cryptopp md5, cryptopp rc4, cryptopp rsa, gladman aes, openssl aes, openssl des, openssl md5, openssl rc4, openssl rsa, custom xor. Rows (signatures): aes t1 to aes t10, md5 t1 to md5 t3, des all, des spbox.]
Figure 6.3.: Memory constant identification method for all testing applications
The mnemonic sequences used by the chains() method have a similar problem. Since
the signatures are partially generated from the testing applications, their matching
performance seems successful in the evaluation. But if we evaluate against slightly
different code, we assume that the detection rate decreases. Therefore, a fuzzy
matching algorithm for the mnemonic sequence comparison could mitigate the problem.
               beecrypt beecrypt cryptopp cryptopp cryptopp cryptopp cryptopp gladman  openssl  openssl  openssl  openssl  openssl
signature      aes      md5      aes      des      md5      rc4      rsa      aes      aes      des      md5      rc4      rsa      xor256   xor4096
rc4 unique     0 %      0 %      100 %    100 %    100 %    100 %    100 %    0 %      50 %     0 %      0 %      100 %    0 %      0 %      0 %
des unique     0 %      0 %      44 %     100 %    44 %     44 %     44 %     22 %     33 %     100 %    11 %     0 %      0 %      0 %      0 %
rsa unique     22 %     8 %      58 %     61 %     50 %     46 %     89 %     34 %     18 %     1 %      7 %      1 %      89 %     0 %      0 %
md5 unique     0 %      100 %    6 %      29 %     100 %    6 %      12 %     0 %      0 %      0 %      100 %    0 %      0 %      0 %      0 %
rc4 intersect  68 %     68 %     100 %    100 %    100 %    100 %    95 %     64 %     77 %     77 %     68 %     100 %    68 %     59 %     59 %
aes intersect  100 %    82 %     100 %    100 %    82 %     82 %     94 %     100 %    100 %    88 %     88 %     71 %     88 %     59 %     59 %
des intersect  56 %     51 %     87 %     100 %    77 %     77 %     82 %     51 %     74 %     100 %    64 %     46 %     64 %     38 %     38 %
rsa intersect  34 %     28 %     71 %     71 %     63 %     57 %     93 %     41 %     35 %     24 %     29 %     16 %     92 %     12 %     12 %
md5 intersect  40 %     100 %    60 %     67 %     100 %    52 %     62 %     26 %     45 %     43 %     100 %    38 %     52 %     36 %     36 %
rc4 cryptopp   13 %     14 %     83 %     82 %     82 %     100 %    57 %     16 %     17 %     16 %     15 %     11 %     31 %     8 %      8 %
rc4 openssl    60 %     58 %     68 %     63 %     58 %     55 %     65 %     38 %     55 %     53 %     50 %     100 %    45 %     53 %     53 %
aes beecrypt   100 %    33 %     35 %     34 %     27 %     27 %     58 %     62 %     41 %     29 %     27 %     26 %     40 %     24 %     24 %
aes gladman    41 %     12 %     27 %     28 %     23 %     22 %     45 %     100 %    21 %     17 %     13 %     11 %     32 %     8 %      8 %
aes cryptopp   12 %     13 %     100 %    73 %     64 %     62 %     59 %     15 %     16 %     14 %     14 %     10 %     29 %     6 %      6 %
aes openssl    52 %     34 %     56 %     55 %     47 %     47 %     62 %     40 %     100 %    45 %     37 %     30 %     52 %     26 %     26 %
des cryptopp   12 %     14 %     74 %     100 %    65 %     62 %     53 %     15 %     15 %     15 %     15 %     10 %     29 %     6 %      6 %
des openssl    26 %     22 %     36 %     38 %     29 %     30 %     36 %     22 %     32 %     100 %    29 %     20 %     27 %     17 %     17 %
rsa cryptopp   12 %     9 %      48 %     43 %     39 %     36 %     72 %     14 %     11 %     9 %      9 %      6 %      23 %     4 %      4 %
rsa openssl    22 %     19 %     47 %     47 %     42 %     38 %     62 %     28 %     23 %     17 %     20 %     11 %     91 %     8 %      8 %
md5 beecrypt   45 %     100 %    50 %     56 %     74 %     41 %     58 %     26 %     38 %     35 %     73 %     35 %     47 %     33 %     33 %
md5 cryptopp   11 %     22 %     74 %     76 %     100 %    72 %     57 %     14 %     15 %     13 %     23 %     10 %     30 %     7 %      7 %
md5 openssl    34 %     66 %     49 %     53 %     71 %     41 %     55 %     25 %     37 %     41 %     100 %    27 %     45 %     26 %     26 %
Figure 6.4.: Results of the signature matching using (mnemonic, constant)-tuples
However, for the chains() method the performance is overall good, if we consider the
unique-signatures. The chains-for-implementation and chains-for-algorithm
signatures, in contrast, produce a higher rate of false-positives, for example the chains-for-algorithm
matches for Beecrypt AES are 9% AES, 2% RSA, 8% DES, 10% RC4, and 10% MD5.
Nevertheless, the chains-for-algorithm-unique signature only identifies AES for the
Beecrypt AES application.
If we take a look at the performance of the (mnemonic, constant)-tuple matching
method implemented in constmnemonic(), we can see it is the most successful of the
signature identification methods. The details of the results are presented in Figure 6.4.
There, the signatures are displayed on the y-axis and the testing applications are shown
on the x-axis. Each highlighted field links the testing application to the respective
signature. We can note that if we apply the threshold of 70%, most of the
implementations are correctly identified. The XOR testing applications naturally do not have
(mnemonic, constant)-tuple signatures. We can also note that they do not
yield a false-positive, because their percentage is always below 70%.
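One way to derive and apply such signatures, as an added example rather than the thesis's own code. It assumes intersect signatures are the tuples shared by all implementations of an algorithm and unique signatures are those minus tuples seen in any other algorithm (Section 4.4.1, which defines them, is not reproduced here); the libraries libA/libB and all tuples and traces are constructed.

```python
"""Added example: (mnemonic, constant)-tuple signatures with a 70 % threshold."""

THRESHOLD = 70.0  # percent; the threshold applied in the text

# Constructed tuple sets per (algorithm, implementation). "libA"/"libB" are
# hypothetical libraries; the tuples are illustrative, not taken from real traces.
IMPLEMENTATIONS = {
    ("md5", "libA"): {("add", 0xD76AA478), ("add", 0xE8C7B756), ("rol", 7),
                      ("mov", 0x10), ("xor", 0xFFFFFFFF)},
    ("md5", "libB"): {("add", 0xD76AA478), ("add", 0xE8C7B756), ("rol", 7),
                      ("mov", 0x10), ("lea", 0x242070DB)},
    ("rc4", "libA"): {("and", 0xFF), ("mov", 0x100), ("mov", 0x10)},
    ("rc4", "libB"): {("and", 0xFF), ("mov", 0x100), ("xor", 0xFFFFFFFF)},
}

# Constructed traces: MD5 from a third library, and a table-driven cipher that
# is neither MD5 nor RC4 but uses byte masks and a 256-entry table.
TRACE_MD5_THIRD_LIB = {("add", 0xD76AA478), ("add", 0xE8C7B756), ("rol", 7),
                       ("mov", 0x10), ("and", 0xFF), ("push", 0x40)}
TRACE_TABLE_CIPHER = {("and", 0xFF), ("mov", 0x100), ("mov", 0x10),
                      ("xor", 0x1B), ("shl", 8)}


def intersect_signatures(impls):
    """Per algorithm: tuples present in every implementation of it (assumed definition)."""
    by_alg = {}
    for (alg, _lib), tuples in impls.items():
        by_alg.setdefault(alg, []).append(tuples)
    return {alg: set.intersection(*sets) for alg, sets in by_alg.items()}


def unique_signatures(impls):
    """Intersect signature minus every tuple seen in another algorithm (assumed definition)."""
    unique = {}
    for alg, sig in intersect_signatures(impls).items():
        foreign = set().union(*(t for (a, _lib), t in impls.items() if a != alg))
        unique[alg] = sig - foreign
    return unique


def match_percent(signature, trace_tuples):
    """Share of the signature's tuples that occur in the trace, in percent."""
    if not signature:
        return 0.0
    return 100.0 * len(signature & trace_tuples) / len(signature)


def identify(trace_tuples, signatures, threshold=THRESHOLD):
    """Return {signature name: percent} for all signatures at or above the threshold."""
    scores = {name: match_percent(sig, trace_tuples) for name, sig in signatures.items()}
    return {name: pct for name, pct in scores.items() if pct >= threshold}


if __name__ == "__main__":
    unique = unique_signatures(IMPLEMENTATIONS)
    print("unique sizes:", {alg: len(sig) for alg, sig in unique.items()})
    # A third MD5 implementation is still identified, RC4 stays below threshold.
    print("md5 trace   :", identify(TRACE_MD5_THIRD_LIB, unique))
    # The two-value RC4 signature fires on unrelated table-driven code.
    print("other cipher:", identify(TRACE_TABLE_CIPHER, unique))
    # An implementation signature also matches a different implementation.
    print("libA vs 3rd :", match_percent(IMPLEMENTATIONS[("md5", "libA")],
                                         TRACE_MD5_THIRD_LIB))
```

With these inputs the two-value RC4 unique signature reaches 100 % on the unrelated trace, the same small-signature effect the evaluation reports for RC4.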
Figure 6.5.: Results of the implementation signatures
If we plot the x- and y-axis of Figure 6.4 around a circle and interconnect the axes where
the match is above the threshold of 70%, we get the image shown in Figure 6.5. Each part of the circle
is annotated by a testing application, e.g., beecrypt md5, or a signature, e.g., s aes
beecrypt. The signatures displayed in this image are the implementation signatures
as described in Section 4.4.1 and Figure 4.4.
We can point out two aspects of Figure 6.5: the turquoise Beecrypt AES signature at 8
o'clock matches only the Beecrypt AES testing application, which is a positive result
without false-positives. The s md5 cryptopp signature represents the implementation
of MD5 by Cryptopp and is shown in blue at 12 o'clock. The signature matches
the Cryptopp testing application of MD5, which is a positive result, but also, with
smaller connection lines, RC4, AES, and DES, which represent false-positive results,
although the thickness of the lines indicates a matching value of less than 100%. For
the intersect signatures, we can note that while some signatures, e.g., s md5 intersect,
have a good performance, others have a high rate of false-positives, e.g., s aes intersect.
The intersect signatures and their performance are enhanced by the unique signatures.
Figure 6.6.: Results of the unique signatures
The unique signatures are shown in Figure 6.6. At first we can recognize that the
RC4 signature at 2 o'clock yields three false-positives. This is due to the small size of
the RC4 unique signature with only two values, as described in Section 4.4.1.
Nevertheless, the RC4 signature can be used to successfully identify the RC4
implementations of OpenSSL and Cryptopp. Furthermore, we can note that the RSA, DES,
and MD5 signatures correctly identify their respective implementations without
false-positives.
In summary, the signature identification methods work most successfully if multiple
characteristics are combined and compiled to a signature. A combination of all
characteristics to a (mnemonic, disassembly constant, adjacent memory value)-tuple-sequences
signature with a fuzzy matching algorithm could constitute a good method.
6.2.3. Generic Methods
At last, we evaluate the identification methods which also target the cryptographic
parameters: xorNotNullAndMov(), loopDiffer(), and symmetricCipherDataTester(). In terms
of computational requirements, the three methods are the most expensive.
Table 6.6 shows the performance of the generic identification methods. Empty cells
indicate no results. At first, we would like to note that the xorNotNullAndMov() method
successfully found the XOR encryption. Although it is only a single example of an
XOR encryption, the method also identified the XOR operations in the cipher-block
chaining (CBC) and cipher feedback mode (CFB) encryptions. There, the XOR operation
is used to merge the initialization vector or encryption output with the plaintext.
Therefore, we conclude that the xorNotNullAndMov() method is well suited to find XOR
encryptions.
Secondly, we investigate the performance of the loopDiffer(). The method performs
several searches: for counters, for xor relations, for entropy changes, and for the DES
p-box. Because some of the searches are still experimental, we only evaluate the search
for counters and the DES p-box. As shown in Table 6.6, the counter search successfully
determined several counters in most of the implementations. Although some
false-positive counters existed, for example when incrementing memory addresses in
Listing 6.2, most found counters seem plausible.
[DEBUG] upward counter from 27672868 to 27672894, distance 26
[DEBUG] upward counter from 1 to 128, distance 127
Listing 6.2: Excerpt of found counters
The search for the DES p-box in the loopDiffer() is not as successful. It neither finds a
p-box relation for the DES testing applications, nor does it find a false-positive result in
the other testing applications. A reason for the missing p-box relation may be that the
p-box is merged with the preliminary s-box in the DES implementation and therefore
we do not encounter the intermediate value in the trace. If the p-box input value is not
calculated in the cryptographic implementation, we cannot verify the p-box relation
due to the missing value.
Implementation Algorithm xorNotNull loopDiffer symmetric
Beecrypt AES success
Brian Gladman AES CBC XOR only counters no success
Cryptopp AES partial CFB XOR only counters success
OpenSSL AES partial CFB XOR only counters success
Cryptopp DES partial CFB XOR only counters success
OpenSSL DES success
Cryptopp RC4 only counters success
OpenSSL RC4 only counters success
Beecrypt MD5 only counters
Cryptopp MD5 only counters
OpenSSL MD5 only counters
Cryptopp RSA only counters
OpenSSL RSA only counters
Custom XOR success only counters
Table 6.6.: Analysis performance for the generic identification methods
The third generic identification method is the symmetricCipherDataTester(). This method
is the most successful identification method, which also verifies the existence and the
parameters of a symmetric encryption. Table 6.6 shows that the method is able to
detect nearly every instance of the symmetric encryption algorithms. The only
undetected trace is Gladman's AES implementation. Naturally, the method does not yield
false-positive results. The success of the symmetricCipherDataTester() method is closely
bound to the memory reconstruction method described in Section 3.6. In case of the
Gladman AES implementation, the memory reconstruction method is unable to
reconstruct the cryptographic parameters. Thus, the symmetricCipherDataTester() method has
no success. Although the memory reconstruction often leads to up to 2000 candidates
for encryption key, plaintext, and ciphertext each, the time for the candidate check is
feasible. For AES, our non-optimized AES candidate check function is able to conduct
400,000 checks per second. In the extreme case of 2000 candidates for each parameter,
the verification of all the candidates would only need
$\frac{2000^2}{400000} = 10$ seconds.
6.3. Off-the-Shelf Application
To show the generic usage of our approaches, we tested our system implementation
against off-the-shelf software. We traced and analyzed an SSL session of the Curl HTTP
client. Curl is available on many systems and embedded as an HTTP client library
in PHP for example. Curl itself utilizes the OpenSSL library for establishing an SSL
connection.
In the testing environment we set up Curl version 7.19.7 with OpenSSL version 0.9.8l.
Then, we generated the trace using the following command line options:
pin.exe -t kerckhoffr.dll -watch_thread 0 -mw libeay32.dll -istart 300000000 --
    curl.exe -k -s -o out.html https://www.ssllabs.com
Listing 6.3: Command line options for tracing Curl
Since we knew that the encryption is performed by OpenSSL, we only traced this DLL
using -mw libeay32.dll. Also, we configured our Pintool to only watch the main thread
with the switch -watch_thread 0 and to start after 300 million instructions with
-istart 300000000. We determined the thread and the instruction count using tests, which
we made with our Pintool. Precisely, we first generated a complete trace, starting from
instruction zero, with all threads and libraries included. In the complete trace of 13
GB, we found that the OpenSSL library is used in the last 2% of the trace. Thus, we
could configure a smaller trace, as shown in Listing 6.3, which took 7 minutes and 38
seconds to finish and generated a trace file with 583,417 instructions (45 MB).
The Curl options instructed it to skip the X509 certificate verification (-k), to suppress
console output (-s), and to save the retrieved HTML to a file (-o out.html). The
retrieved HTML file was the starting page of https://www.ssllabs.com, although any
other HTTPS site could have been used as well. The retrieved file contained 5136
bytes. We also recorded the runtime of the Curl executable using procmon.exe and
analyzed its network communication with tcpdump and Wireshark. We observed that
the remote SSL server and the Curl client negotiated the SSL cipher suite setting
TLS_DHE_RSA_WITH_AES_256_CBC_SHA². Thus, we knew that the analysis should at least
detect the RSA and AES invocation. After the secure channel had been established, the
selected cipher was used to encrypt three packets of SSL application data. Obviously,
the first packet was the client HTTP request of 160 encrypted bytes, and then followed
the server response with 272 bytes for the HTTP header and 5168 bytes of content.
The analysis tool took 2 hours 34 minutes to finish, although the xorNotNullAndMov()
identification method was the most time consuming method with 2 hours 25 minutes
runtime. The complete results of the analysis are summarized in Table 6.7. The
xorNotNullAndMov() method was also the method with the highest rate of possible
false-positives: of 90674 verified XOR relations found, we were not able to manually
confirm a relation as part of the cipher-block chaining mode XOR. Therefore, we guess
that the found XOR relations are part of the inner computation of the AES or Curl.
² The cipher suite specifies Diffie-Hellman Key Exchange, with RSA certificates, symmetric encrypted
by AES in CBC mode with 256 bit keys, and integrity checked by SHA1.
Method Results
xorNotNullAndMov() only false-positives / unknown results
symmetricCipherDataTester() detected 94% of AES instances including parameters
loopDiffer() detected AES counters, some false-positives
sigAPI() detected cryptographic functions
constmemory() detected AES, one false-positive
chains() detected AES and RSA, including implementation
constmnemonic() detected AES implementation, one false-positive
wang() no results
caballero() detected core AES basic blocks
lutz() detected core AES loops
Table 6.7.: Analysis performance for the Curl trace
The symmetricCipherDataTester() identification method performed very well. Of the
350 blocks of encrypted AES data, which we recorded using tcpdump, the identification
method was able to find and verify the plaintext, key, and corresponding ciphertext
of 331 blocks (success rate of 94.57%). Using the AES reference implementation the
method checked whether 3395 candidate keys and 4205 candidate plaintexts
correspond to one of 8037 candidate ciphertexts. The method took 46 minutes to finish,
although the majority of time consumption is due to the memory reconstruction
algorithm. The missed 5.43% of AES primitives were also caused by the memory
reconstruction method, because the identification method only uses data from the
reconstruction and verifies it using the reference implementation. Thus, the missing data
has not been reconstructed and therefore could not be verified.
We manually compared the results of the identification method with the recorded
tcpdump file. We confirmed that the memory-generated ciphertexts correspond to the
network-generated tcpdump file. In order to decrypt the CBC mode³, we wrote a script,
which xors adjacent input/output blocks and thereby reveals the plaintext of the SSL
application data. In Listing 6.4 we reveal the plaintext of the client request. We can
clearly recognize the encoded end of the request by \x03\x03\x03\x03 and the 20 byte
SHA1 sum before that.
position 48:144 = '7.19.7 OpenSSL/0.9.8l zlib/1.2.3\r\n'+\
'Host: www.ssllabs.com\r\n'+\
'Accept: */*\r\n'+\
'\r\n'+\
'\x9f\xda*\x1d\xca\xc1\x0eEh!\n\x1a\x1d\xed_K\xc3&#\xef'+\
'\x03\x03\x03\x03'
Listing 6.4: Decrypted HTTPS client request
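The candidate check from Section 6.2.3 and the adjacent-block XOR step described above, chained together as an added example that is not the thesis's script. Assumptions: toy_encrypt is a SHA-256-based stand-in for the AES reference implementation, a plain SHA-1 digest stands in for the record MAC, and the request, keys, IV and decoy candidates are all constructed.

```python
import hashlib
from itertools import product

BLOCK = 16  # cipher block size in bytes


def toy_encrypt(key, block):
    """Stand-in for the AES reference implementation (NOT AES): a keyed
    pseudo-random function. Only the forward direction is ever needed."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_record(request):
    """Constructed record: payload, 20-byte digest as MAC stand-in, then
    n padding bytes of value n followed by the length byte n."""
    mac = hashlib.sha1(request).digest()
    n = (-(len(request) + len(mac) + 1)) % BLOCK
    return request + mac + bytes([n]) * (n + 1)


def cbc_trace(key, iv, record):
    """What a trace of CBC encryption exposes per block: the cipher input
    (plaintext XOR previous ciphertext) and the cipher output."""
    inputs, outputs, prev = [], [], iv
    for i in range(0, len(record), BLOCK):
        block_in = xor(record[i:i + BLOCK], prev)
        prev = toy_encrypt(key, block_in)
        inputs.append(block_in)
        outputs.append(prev)
    return inputs, outputs


def candidate_check(keys, inputs, outputs):
    """One encryption per (key, input) pair. Output candidates are only probed
    through a set, so the cost is |keys| * |inputs|, not a triple product."""
    known = set(outputs)
    verified = []
    for key, block_in in product(keys, inputs):
        block_out = toy_encrypt(key, block_in)
        if block_out in known:
            verified.append((key, block_in, block_out))
    return verified


def estimated_seconds(n_keys, n_inputs, checks_per_second):
    return n_keys * n_inputs / checks_per_second


def recover_cbc_plaintext(verified):
    """P_i = input_i XOR output_(i-1). Assumes the verified triples are adjacent
    blocks in trace order; the first one has no known predecessor (the IV was
    not reconstructed) and therefore stays unrecovered."""
    plain = b""
    for (_, block_in, _), (_, _, prev_out) in zip(verified[1:], verified):
        plain += xor(block_in, prev_out)
    return plain


def strip_mac_and_padding(data, mac_len=20):
    """Split recovered record bytes into (payload, mac); reject bad padding."""
    n = data[-1]
    if len(data) < n + 1 + mac_len or data[-(n + 1):] != bytes([n]) * (n + 1):
        raise ValueError("inconsistent padding")
    body = data[:-(n + 1)]
    return body[:-mac_len], body[-mac_len:]


def demo():
    # Constructed request and key material.
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n"
    key, iv = bytes(range(32)), b"\xaa" * BLOCK
    inputs, outputs = cbc_trace(key, iv, build_record(request))

    def decoy(tag):  # constructed 16-byte noise candidate
        return hashlib.md5(tag).digest()

    # Candidate lists as a memory reconstruction might deliver them: the real
    # values in trace order, mixed with unrelated buffers.
    keys = [decoy(b"k1") * 2, key, decoy(b"k2") * 2]
    cand_in = [b for i, blk in enumerate(inputs) for b in (decoy(b"p%d" % i), blk)]
    cand_out = outputs + [decoy(b"c1"), decoy(b"c2")]

    verified = candidate_check(keys, cand_in, cand_out)
    payload, mac = strip_mac_and_padding(recover_cbc_plaintext(verified))
    return {"verified": len(verified), "request": request, "payload": payload,
            "mac_matches": mac == hashlib.sha1(request).digest()}


if __name__ == "__main__":
    print(demo())
    print(estimated_seconds(2000, 2000, 400000), "seconds")
```

As in Listing 6.4, the recovered text starts one block into the record, because the first cipher input can only be unmasked with the IV.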
The loopDiffer() method detected 427 counters, of which 345 were upward counters
from 1 to 15. Since AES-256 is executed with 14 rounds, the counters may relate to
the 350 AES computations. The permutation box test of the loopDiffer() showed no
results because DES was not used by Curl.
³ For an illustration of CBC mode refer to Figure 2.1.
The signature-based identification methods revealed similar results as in the previous
section. Since the OpenSSL library was built with debug symbols, sigAPI() detected
the functions shown in Listing 6.5:
AES_set_encrypt_key
RSA_PKCS1_SSLeay
AES_cbc_encrypt
AES_decrypt
RSA_free
AES_encrypt
EVP_aes_192_ecb
MD5_Update
EVP_aes_256_cfb8
AES_set_decrypt_key
Listing 6.5: Detected function symbols in Curl
The constmemory() method, which searches for cryptographic constants in memory,
detected several AES constants and concluded with a 56% match for AES (2560 constants
in signature). Yet, it also found MD5 constants with 33% (91 constants in signature)
and DES with 57% (186 constants in signature). This result shows that either the
constants have to be further extended or the length of the signature should be
incorporated into the match.
The chains() method, which compares mnemonic sequences, determined many
false-positives for the non-unique signatures (for implementation and for algorithm).
However, the unique signatures detected both AES and RSA without false-positives. Also,
the correct implementation was detected by the implementation-unique signatures
without a false-positive match.
An interesting result was revealed by the signature-based identification method
constmnemonic(). Since we were not able to generate a unique or intersecting set for the
AES algorithm, as described in Section 4.4.1, we only had the implementation
signature for OpenSSL AES to match the trace. Among the implementation signatures, the
OpenSSL AES signature had a relatively low match of 49%, compared to the previous
section. Nevertheless, other implementation signatures followed at about 20-30%
and OpenSSL AES still stood out among them. The intersect and unique signatures
(available only for DES, RSA, MD5) detected one high false-positive (intersecting DES
with 56%) and some lower false-positives around 35%.
The previously published identification methods by Lutz, Caballero et al., and Wang
et al. also performed similar to Section 6.2. Wang's method generated no results,
probably due to the fact that the trace did not start at the beginning of the application.
Caballero's method successfully detected 19 basic blocks in the encryption and
key scheduling functions AES_decrypt, AES_encrypt, AES_set_decrypt_key, and
AES_set_encrypt_key. The method of Lutz, without taint-tracking, revealed 2121 entropy changes
in 26 loop bodies corresponding to 22 functions, for example in the AES encryption
and decryption functions, in the SHA1_Update function, but also in false-positive
functions like OBJ_NAME_do_all_sorted, ASN1_OBJECT_it, or OPENSSL_cleanse.
6.4. Modified Application
In order to test the identification performance against binary modification, e.g.,
anti-analysis and obfuscation, we packed a testing application and analyzed it using our
system. The used packer was ASPack in version 2.12 and the testing application was
the XOR application with an input/output of 4096 bytes. Although the trace size
increased by a factor of 17 and the analysis took longer, the analysis tool
was still able to identify all blocks of XOR encrypted text, as shown in Listing 6.6:
[DEBUG] assumption holds for 100 % of values
[DEBUG] xor key = 'u \xa6\xd1\x1b\x19\xaa\x' ...
[DEBUG] xor plaintext = 'DDDD3333DDDD3333DDDD33' ...
[DEBUG] xor ciphertext = '1\xe2\x95\x1a(*\x99\xf5' ...
$ xxd io/rand.0128
0000000: 75a6 d15e 1b19 aac6 49be 6b2c 80d4 f49e u......I.k,....
Listing 6.6: Sample output for the XOR check
Interestingly, the packer introduced 24 new loops, but the loop analysis was still able
to point out the original XOR encryption loop, which was also found in the original
testing application. The packed loop still had 32 executions, with 128 iterations each,
to encrypt the total of 4096 bytes. The control flow graph for the loop is shown in
Figure 6.7 for comparison with Figure 3.1.
6.5. Summary
In the evaluation we tested our methods and their implementation against several
applications. Where applicable, we detailed advantages and drawbacks of methods or
their implementation. We elaborate on the evaluation's conclusion in the next chapter.
xor ecx, ecx
mov cl, byte ptr ds:[eax+edi*1]
mov ebx, dword ptr ss:[esp+ecx*4+0x28]
lea ecx, ptr [esp+ecx*4+0x28]
inc ebx
inc eax
cmp eax, ebp
mov dword ptr ds:[ecx], ebx
jb 0x406808
3088
BBL 0x40681d EMPTY (11):
mov ecx, 0x17
mov dword ptr ss:[esp+0x28], esi
mov dword ptr ds:[edx+0x4], esi
mov dword ptr ds:[edx+0x44], esi
mov dword ptr ss:[esp+0x68], esi
xor edi, edi
mov dword ptr ss:[esp+0x1c], esi
mov dword ptr ss:[esp+0x10], 0x1
mov dword ptr ss:[esp+0x18], ecx
lea ebp, ptr [edx+0x8]
mov dword ptr ss:[esp+0x14], esi
16
BBL 0x406849 EMPTY (6):
mov eax, dword ptr ss:[esp+esi*1+0x2c]
shl eax, cl
add edi, eax
cmp edi, 0x1000000
mov dword ptr ss:[esp+0x24], edi
jnbe 0x4068ef
16
BBL 0x40168b EMPTY (3):
pop edi
pop esi
ret
BBL 0x401412 EMPTY (1):
call 0x4018c5
BBL 0x406a6b EMPTY (4):
push eax
push 0x1c
lea ecx, ptr [edi+0xa0]
call 0x4067b3
BBL 0x4067b3 EMPTY (8):
mov eax, dword ptr ss:[esp+0x4]
mov edx, dword ptr ss:[esp+0x8]
mov dword ptr ds:[ecx+0x84], eax
mov dword ptr ds:[ecx+0x88], edx
lea eax, ptr [edx+eax*4]
mov dword ptr ds:[ecx+0x8c], eax
add eax, 0x100
ret 0x8
4 4
BBL 0x406a87 EMPTY (4):
push eax
push 0x13
lea ecx, ptr [edi+0x1c0]
call 0x4067b3
4
BBL 0x406a79 EMPTY (4):
push eax
push 0x8
lea ecx, ptr [edi+0x130]
call 0x4067b3
4
BBL 0x406a95 EMPTY (6):
mov dword ptr ds:[edi+0x260], eax
pop edi
pop esi
add eax, 0x2f5
pop ebx
ret 0x4
4
BBL 0x406b69 EMPTY (2):
mov ecx, edi
call 0x406954
829
BBL 0x406066 EMPTY (3):
mov dword ptr ss:[ebp+0x551], eax
lea eax, ptr [ebp+0x77]
jmp eax
BBL 0x40608a EMPTY (3):
mov ebx, dword ptr ss:[ebp+0x531]
or ebx, ebx
jz 0x40609e
BBL 0x40609e EMPTY (3):
lea esi, ptr [ebp+0x569]
cmp dword ptr ds:[esi], 0x0
jz 0x4061ce
BBL 0x406d1e EMPTY (4):
mov ecx, dword ptr ds:[esi+0x8]
xor ebx, ebx
push esi
call 0x406c96
BBL 0x406c96 EMPTY (1):
call 0x406c9c
41
BBL 0x406c9c EMPTY (3):
pop esi
sub esi, 0x4445cb
ret
946
4
BBL 0x4018c5 EMPTY (2):
xor eax, eax
ret
BBL 0x401417 EMPTY (2):
cmp dword ptr ds:[0x403014], 0x0
jnz 0x40142c
BBL 0x4069c6 EMPTY (4):
cmp eax, dword ptr ds:[esi+0x28]
sbb edx, edx
add edx, 0xa
jmp 0x4069fc
BBL 0x4069fc EMPTY (18):
mov ecx, dword ptr ds:[esi]
mov edi, dword ptr ds:[ecx+0x4]
add edi, edx
mov dword ptr ds:[ecx+0x4], edi
mov ebx, dword ptr ds:[esi+edx*4]
mov ecx, 0x18
sub eax, ebx
sub ecx, edx
pop edi
shr eax, cl
mov ecx, dword ptr ds:[esi+edx*4+0x44]
add eax, ecx
mov ecx, dword ptr ds:[esi+0x88]
pop esi
pop ebx
mov eax, dword ptr ds:[ecx+eax*4]
pop ecx
ret
460
41
BBL 0x406cd1 EMPTY (2):
cmp eax, 0x100
jnb 0x406ceb
2058
BBL 0x406b70 EMPTY (2):
cmp eax, 0x10
jnb 0x406b8a
829
BBL 0x406e39 EMPTY (3):
add eax, ebx
lea ebx, ptr [eax+edi*8]
jmp 0x406e9b
139
BBL 0x4060c1 EMPTY (1):
mov dword ptr ss:[ebp+0x156], eax
BBL 0x4060c7 EMPTY (7):
mov eax, dword ptr ds:[esi+0x4]
add eax, 0x10e
push 0x4
push 0x1000
push eax
push 0x0
call dword ptr ss:[ebp+0x54d]
BBL 0x4060df EMPTY (9):
mov dword ptr ss:[ebp+0x152], eax
push esi
mov ebx, dword ptr ds:[esi]
add ebx, dword ptr ss:[ebp+0x422]
push dword ptr ss:[ebp+0x156]
push dword ptr ds:[esi+0x4]
push eax
push ebx
call 0x40666c
4
BBL 0x406d68 EMPTY (14):
mov edi, dword ptr ds:[esi+0x8]
mov edx, dword ptr ds:[esi+0xc]
mov ecx, 0x8
sub ecx, edi
add edi, ebx
shr edx, cl
mov ecx, 0x18
mov dword ptr ds:[esi+0x8], edi
sub ecx, ebx
and edx, 0xffffff
shr edx, cl
xor ecx, ecx
push esi
call 0x406c96
41
BBL 0x406257 EMPTY (4):
mov edx, dword ptr ss:[ebp+0x422]
mov esi, dword ptr ss:[ebp+0x541]
or esi, esi
jz 0x406278
BBL 0x406278 EMPTY (3):
mov esi, 0x2274
mov edx, dword ptr ss:[ebp+0x422]
add esi, edx
BBL 0x406285 EMPTY (3):
mov eax, dword ptr ds:[esi+0xc]
test eax, eax
jz 0x40639a
BBL 0x406b8a EMPTY (1):
jnz 0x406bb4
BBL 0x406bb4 EMPTY (2):
cmp eax, 0x11
jnz 0x406bc7
86
BBL 0x406b8c EMPTY (3):
push 0x2
mov ecx, ebp
call 0x406748
9
BBL 0x406bb9 EMPTY (3):
push 0x3
mov ecx, ebp
call 0x406748
59
BBL 0x406bc7 EMPTY (3):
push 0x7
mov ecx, ebp
call 0x406748
27
9
BBL 0x40189a EMPTY (7):
mov edi, edi
push esi
push 0x30000
push 0x10000
xor esi, esi
push esi
call 0x401988
BBL 0x401988 EMPTY (1):
jmp dword ptr ds:[0x40207c]
BBL 0x4018af EMPTY (3):
add esp, 0xc
test eax, eax
jz 0x4018c3
BBL 0x406a28 EMPTY (7):
push ebx
push esi
push edi
mov edi, ecx
xor edx, edx
xor eax, eax
lea esi, ptr [edi+0x268]
BBL 0x406a37 EMPTY (3):
mov dword ptr ds:[esi], edx
push esi
call 0x406c96
4
232
BBL 0x406b03 EMPTY (2):
pop edi
ret 0x8
BBL 0x406699 EMPTY (2):
test al, al
jnz 0x4066a7
4
BBL 0x4066a7 EMPTY (6):
mov ecx, dword ptr ss:[esp+0x360]
lea eax, ptr [esp]
push eax
push ecx
lea ecx, ptr [esp+0xc]
call 0x406ca4
4
BBL 0x40675d EMPTY (17):
mov eax, dword ptr ds:[edx]
mov bl, byte ptr ds:[eax]
inc eax
mov byte ptr ss:[esp+0xc], bl
mov dword ptr ds:[edx], eax
mov eax, dword ptr ds:[edx+0x8]
mov edi, dword ptr ss:[esp+0xc]
shl eax, 0x8
and edi, 0xff
or eax, edi
mov edi, dword ptr ds:[edx+0x4]
add edi, esi
mov dword ptr ds:[edx+0x8], eax
mov eax, edi
mov dword ptr ds:[edx+0x4], edi
cmp eax, ecx
jnb 0x40675d
12
BBL 0x40678b EMPTY (1):
pop ebx
81
BBL 0x40678c EMPTY (15):
mov esi, dword ptr ds:[edx+0x4]
mov eax, dword ptr ds:[edx+0x8]
mov edi, dword ptr ss:[esp+0x10]
sub ecx, esi
shr eax, cl
mov ecx, 0x18
sub ecx, edi
and eax, 0xffffff
shr eax, cl
add esi, edi
pop edi
mov dword ptr ds:[edx+0x4], esi
pop esi
pop ecx
ret 0x4
81
BBL 0x401431 EMPTY (2):
cmp dword ptr ds:[0x403010], 0xff
jnz 0x401443
BBL 0x401443 EMPTY (2):
xor eax, eax
ret
BBL 0x401598 EMPTY (2):
push 0x401556
call dword ptr ds:[0x402014]
BBL 0x406a3f EMPTY (9):
mov cl, byte ptr ds:[eax+esi*1+0x44403e]
pop esi
mov ebx, 0x1
add esi, 0x4
shl ebx, cl
add edx, ebx
inc eax
cmp eax, 0x3a
jb 0x406a37
228
BBL 0x406a59 EMPTY (5):
mov eax, dword ptr ss:[esp+0x10]
lea ecx, ptr [edi+0x10]
push eax
push 0x2d1
call 0x4067b3
4
4
BBL 0x4062e2 EMPTY (2):
test ebx, 0x80000000
jnz 0x4062ee
BBL 0x4062ea EMPTY (8):
add ebx, edx
inc ebx
inc ebx
push ebx
and ebx, 0x7fffffff
push ebx
push dword ptr ss:[ebp+0x545]
call dword ptr ss:[ebp+0xf49]
44
BBL 0x406302 EMPTY (3):
test eax, eax
pop ebx
jnz 0x406376
44
BBL 0x4068fe EMPTY (4):
mov eax, dword ptr ds:[edx+0x84]
xor ecx, ecx
test eax, eax
jbe 0x406945
BBL 0x40690a EMPTY (1):
mov esi, dword ptr ss:[esp+0xac]
16
BBL 0x406911 EMPTY (3):
mov al, byte ptr ds:[ecx+esi*1]
test al, al
jz 0x40693a
16
BBL 0x406b1f EMPTY (2):
test eax, eax
jnz 0x406b31
4
BBL 0x406b3c EMPTY (4):
mov byte ptr ss:[esp+esi*1+0x10], al
inc esi
cmp esi, 0x13
jb 0x406b33
76
BBL 0x406bc2 EMPTY (2):
add eax, 0x3
jmp 0x406bd3
59
BBL 0x406bd0 EMPTY (1):
add eax, 0xb
27
BBL 0x406b95 EMPTY (3):
add eax, 0x3
test eax, eax
jle 0x406bea
9
BBL 0x40126b EMPTY (4):
pop ecx
pop ecx
test eax, eax
jz 0x401288
BBL 0x401288 EMPTY (3):
mov eax, dword ptr ds:[0x403374]
cmp eax, esi
jnz 0x4012ac
BBL 0x401291 EMPTY (3):
push 0x4020c0
push 0x4020b8
call 0x40180e
BBL 0x406861 EMPTY (8):
mov eax, dword ptr ss:[esp+esi*1+0x28]
mov dword ptr ss:[ebp], edi
mov ebx, dword ptr ss:[ebp+0x3c]
add eax, ebx
cmp ecx, 0x10
mov dword ptr ss:[ebp+0x40], eax
mov dword ptr ss:[esp+esi*1+0x6c], eax
jl 0x4068c6
240
BBL 0x4068c6 EMPTY (10):
mov eax, dword ptr ss:[esp+0x10]
add esi, 0x4
inc eax
dec ecx
add ebp, 0x4
cmp ecx, 0x9
mov dword ptr ss:[esp+0x10], eax
mov dword ptr ss:[esp+0x18], ecx
mov dword ptr ss:[esp+0x14], esi
jnl 0x406849
112
BBL 0x406879 EMPTY (25):
mov esi, dword ptr ss:[ebp]
mov eax, dword ptr ss:[esp+0x10]
mov ebx, dword ptr ss:[esp+0x1c]
mov edi, dword ptr ds:[edx+0x8c]
shr esi, 0x10
mov ecx, esi
and eax, 0xff
sub ecx, ebx
add edi, ebx
mov bl, al
mov edx, ecx
mov bh, bl
mov dword ptr ss:[esp+0x1c], esi
mov eax, ebx
mov esi, dword ptr ss:[esp+0x14]
shl eax, 0x10
mov ax, bx
shr ecx, 0x2
rep stosd
mov ecx, edx
mov edx, dword ptr ss:[esp+0x20]
and ecx, 0x3
rep stosb
mov edi, dword ptr ss:[esp+0x24]
mov ecx, dword ptr ss:[esp+0x18]
128
BBL 0x406b33 EMPTY (3):
push 0x4
mov ecx, ebp
call 0x406748
76
94
BBL 0x406757 EMPTY (2):
push ebx
mov esi, 0xfffffff8
81
BBL 0x4011a4 EMPTY (2):
push 0x40168e
call 0x401651
BBL 0x401651 EMPTY (5):
mov edi, edi
push ebp
mov ebp, esp
push dword ptr ss:[ebp+0x8]
call 0x4015ac
BBL 0x4015ac EMPTY (3):
push 0x14
push 0x402238
call 0x40181c
2058
BBL 0x4066bc EMPTY (2):
test al, al
jnz 0x4066ca
4
BBL 0x40116b EMPTY (3):
push esi
mov esi, dword ptr ds:[0x4020a4]
call esi
3998
BBL 0x406efb EMPTY (5):
mov eax, dword ptr ss:[esp+0x10]
add eax, edi
mov dword ptr ss:[esp+0x10], eax
mov edi, eax
jmp 0x406f14
632
632
BBL 0x4061ce EMPTY (4):
mov edx, dword ptr ss:[ebp+0x422]
mov eax, dword ptr ss:[ebp+0x52d]
sub edx, eax
jz 0x406257
BBL 0x40119d EMPTY (1):
ret
BBL 0x40118e EMPTY (2):
add esp, 0x184
ret
BBL 0x4012fe EMPTY (4):
add esp, 0xc
mov dword ptr ds:[0x403030], eax
cmp dword ptr ds:[0x403024], ebx
jnz 0x401345
BBL 0x401642 EMPTY (1):
call 0x401861
BBL 0x401861 EMPTY (11):
mov ecx, dword ptr ss:[ebp-0x10]
mov dword ptr fs:[0x0], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
BBL 0x401647 EMPTY (1):
ret
BBL 0x406b23 EMPTY (5):
mov edi, dword ptr ds:[ebx+0x260]
mov ecx, 0xbd
rep stosd
stosb
xor esi, esi
4
72
BBL 0x406b46 EMPTY (5):
lea edi, ptr [ebx+0x1c0]
lea eax, ptr [esp+0x10]
push eax
mov ecx, edi
call 0x4067d8
4
BBL 0x406bd3 EMPTY (2):
test eax, eax
jle 0x406bea
59 27 9
BBL 0x406e0b EMPTY (13):
mov eax, dword ptr ds:[esi+0x8]
mov edi, dword ptr ds:[esi+0xc]
mov ecx, 0x8
sub ecx, eax
add eax, ebp
shr edi, cl
mov ecx, 0x18
mov dword ptr ds:[esi+0x8], eax
sub ecx, ebp
and edi, 0xffffff
shr edi, cl
lea ecx, ptr [esi+0x130]
call 0x406954
139
BBL 0x401256 EMPTY (4):
mov dword ptr ds:[0x403374], esi
push 0x4020d0
push 0x4020c4
call 0x401814
BBL 0x401814 EMPTY (1):
jmp dword ptr ds:[0x402058]
BBL 0x401365 EMPTY (3):
mov eax, 0x5a4d
cmp word ptr ds:[0x400000], ax
jz 0x401377
BBL 0x406dca EMPTY (2):
cmp edi, 0x3
jb 0x406e40
BBL 0x406e40 EMPTY (2):
cmp dword ptr ds:[esi+0x8], 0x8
jb 0x406e77
105
BBL 0x406dcf EMPTY (4):
mov eax, dword ptr ds:[esi+0x8]
lea ebp, ptr [edi-0x3]
cmp eax, 0x8
jb 0x406e0b
139
79
BBL 0x406e46 EMPTY (17):
mov eax, dword ptr ds:[esi+0x4]
mov edx, dword ptr ds:[esi+0xc]
shl edx, 0x8
mov cl, byte ptr ds:[eax]
inc eax
mov byte ptr ss:[esp+0x20], cl
mov ecx, dword ptr ds:[esi+0x8]
mov dword ptr ds:[esi+0x4], eax
mov eax, dword ptr ss:[esp+0x20]
and eax, 0xff
add ecx, 0xf8
or edx, eax
mov eax, ecx
cmp eax, 0x8
mov dword ptr ds:[esi+0xc], edx
mov dword ptr ds:[esi+0x8], ecx
jnb 0x406e46
414
27
BBL 0x406dda EMPTY (17):
mov eax, dword ptr ds:[esi+0x4]
mov edx, dword ptr ds:[esi+0xc]
shl edx, 0x8
mov cl, byte ptr ds:[eax]
inc eax
mov byte ptr ss:[esp+0x1c], cl
mov ecx, dword ptr ds:[esi+0x8]
mov dword ptr ds:[esi+0x4], eax
mov eax, dword ptr ss:[esp+0x1c]
and eax, 0xff
add ecx, 0xf8
or edx, eax
mov eax, ecx
cmp eax, 0x8
mov dword ptr ds:[esi+0xc], edx
mov dword ptr ds:[esi+0x8], ecx
jnb 0x406dda
112
BBL 0x40168e EMPTY (8):
mov edi, edi
push esi
mov eax, 0x402210
mov esi, 0x402210
push edi
mov edi, eax
cmp eax, esi
jnb 0x4016b1
BBL 0x4016b1 EMPTY (3):
pop edi
pop esi
ret
BBL 0x4011ae EMPTY (8):
mov eax, dword ptr ds:[0x403360]
mov dword ptr ss:[esp], 0x40302c
push dword ptr ds:[0x40335c]
mov dword ptr ds:[0x40302c], eax
push 0x40301c
push 0x403020
push 0x403018
call dword ptr ds:[0x402098]
BBL 0x4011da EMPTY (4):
add esp, 0x14
mov dword ptr ds:[0x403028], eax
test eax, eax
jnl 0x4011ee
BBL 0x4011ee EMPTY (1):
ret
BBL 0x406ca4 EMPTY (13):
sub esp, 0x14
mov eax, dword ptr ss:[esp+0x1c]
push ebx
push ebp
push esi
mov dword ptr ds:[eax], 0x0
mov eax, dword ptr ss:[esp+0x24]
push edi
xor edi, edi
test eax, eax
mov esi, ecx
mov dword ptr ss:[esp+0x10], edi
jbe 0x406f24
4
BBL 0x4012a0 EMPTY (5):
pop ecx
pop ecx
mov dword ptr ds:[0x403374], 0x2
cmp dword ptr ss:[ebp-0x1c], ebx
jnz 0x4012b9
BBL 0x4012b1 EMPTY (3):
push ebx
push edi
call dword ptr ds:[0x40202c]
BBL 0x4012b9 EMPTY (2):
cmp dword ptr ds:[0x403384], ebx
jz 0x4012da
BBL 0x406131 EMPTY (1):
js 0x40615f
BBL 0x406133 EMPTY (3):
lodsb
cmp al, 0xe8
jz 0x406142
2414
2374
40
BBL 0x4018c8 EMPTY (13):
mov edi, edi
push ebp
mov ebp, esp
sub esp, 0x10
mov eax, dword ptr ds:[0x403000]
and dword ptr ss:[ebp-0x8], 0x0
and dword ptr ss:[ebp-0x4], 0x0
push ebx
push edi
mov edi, 0xbb40e64e
mov ebx, 0xffff0000
cmp eax, edi
jz 0x4018fa
BBL 0x4018fa EMPTY (4):
push esi
lea eax, ptr [ebp-0x8]
push eax
call dword ptr ds:[0x402030]
BBL 0x401905 EMPTY (3):
mov esi, dword ptr ss:[ebp-0x4]
xor esi, dword ptr ss:[ebp-0x8]
call dword ptr ds:[0x402000]
BBL 0x401000 EMPTY (8):
sub esp, 0x184
mov eax, dword ptr ds:[0x403000]
xor eax, esp
mov dword ptr ss:[esp+0x180], eax
cmp dword ptr ss:[esp+0x188], 0x4
push edi
mov edi, dword ptr ss:[esp+0x190]
jnl 0x40104d
BBL 0x40104d EMPTY (7):
mov eax, dword ptr ds:[edi+0x4]
push ebx
mov ebx, dword ptr ds:[0x4020ac]
push esi
push 0x402128
push eax
call ebx
BBL 0x401060 EMPTY (4):
mov esi, eax
add esp, 0x8
test esi, esi
jnz 0x401096
483
115
BBL 0x406eab EMPTY (3):
mov edx, dword ptr ds:[esi+0x250]
mov dword ptr ds:[esi+ebx*4+0x250], edx
jmp 0x406ed5
34
BBL 0x401919 EMPTY (2):
xor esi, eax
call dword ptr ds:[0x402008]
BBL 0x401921 EMPTY (4):
xor esi, eax
lea eax, ptr [ebp-0x10]
push eax
call dword ptr ds:[0x40200c]
BBL 0x40192d EMPTY (5):
mov eax, dword ptr ss:[ebp-0xc]
xor eax, dword ptr ss:[ebp-0x10]
xor esi, eax
cmp esi, edi
jnz 0x401940
460
BBL 0x4010af EMPTY (2):
push esi
call dword ptr ds:[0x4020a4]
BBL 0x4010b6 EMPTY (4):
mov eax, dword ptr ds:[edi+0x8]
push 0x402128
push eax
call ebx
BBL 0x4010c1 EMPTY (4):
mov esi, eax
add esp, 0x1c
test esi, esi
jnz 0x4010e0
BBL 0x406290 EMPTY (4):
add eax, edx
mov ebx, eax
push eax
call dword ptr ss:[ebp+0xf4d]
BBL 0x40629b EMPTY (2):
test eax, eax
jnz 0x4062a6
2
BBL 0x4062a6 EMPTY (2):
mov dword ptr ss:[ebp+0x545], eax
mov dword ptr ss:[ebp+0x549], 0x0
2
414
14
BBL 0x4066ca EMPTY (3):
mov eax, dword ptr ss:[esp]
add esp, 0x354
ret 0x10
4
BBL 0x4060fe EMPTY (3):
mov bl, 0x1
cmp bl, 0x0
jnz 0x406163
3
BBL 0x4060fe EMPTY (3):
mov bl, 0x0
cmp bl, 0x0
jnz 0x406163
BBL 0x40194b EMPTY (8):
mov dword ptr ds:[0x403000], esi
not esi
mov dword ptr ds:[0x403004], esi
pop esi
pop edi
pop ebx
leave
ret
BBL 0x4010eb EMPTY (4):
mov edi, eax
add esp, 0x8
test edi, edi
jnz 0x401107
3
BBL 0x401000 EMPTY (1):
ret
BBL 0x40611a EMPTY (9):
pop dword ptr ds:[edi]
push eax
push ecx
push esi
push ebx
mov ecx, eax
sub ecx, 0x6
mov esi, dword ptr ss:[ebp+0x152]
xor ebx, ebx
BBL 0x40612d EMPTY (2):
or ecx, ecx
jz 0x40615f
BBL 0x4011fb EMPTY (10):
xor ebx, ebx
mov dword ptr ss:[ebp-0x4], ebx
mov eax, dword ptr fs:[0x18]
mov esi, dword ptr ds:[eax+0x4]
mov dword ptr ss:[ebp-0x1c], ebx
mov edi, 0x403378
push ebx
push esi
push edi
call dword ptr ds:[0x402024]
BBL 0x401130 EMPTY (6):
mov dl, byte ptr ss:[esp+ecx*1+0x10]
xor dl, byte ptr ss:[esp+ecx*1+0x90]
inc ecx
cmp ecx, eax
mov byte ptr ss:[esp+ecx*1+0x10f], dl
jl 0x401130
32
BBL 0x406146 EMPTY (2):
cmp byte ptr ds:[esi], 0x1
jnz 0x40613e
46
BBL 0x406c03 EMPTY (2):
test al, al
jnz 0x406c12
BBL 0x406c12 EMPTY (4):
lea eax, ptr [esp+0x2f5]
lea ecx, ptr [ebx+0xa0]
push eax
call 0x4067d8
4
BBL 0x4067d8 EMPTY (16):
sub esp, 0x98
push ebx
push ebp
push esi
mov edx, ecx
push edi
mov ecx, 0xf
mov ebp, dword ptr ds:[edx+0x84]
xor eax, eax
lea edi, ptr [esp+0x2c]
xor esi, esi
rep stosd
mov edi, dword ptr ss:[esp+0xac]
cmp ebp, esi
mov dword ptr ss:[esp+0x20], edx
jbe 0x40681d
4
BBL 0x406014 EMPTY (7):
pop ebp
mov ebx, 0xffffffed
add ebx, ebp
sub ebx, 0x6000
cmp dword ptr ss:[ebp+0x422], 0x0
mov dword ptr ss:[ebp+0x422], ebx
jnz 0x40639a
BBL 0x406035 EMPTY (3):
lea eax, ptr [ebp+0x42e]
push eax
call dword ptr ss:[ebp+0xf4d]
BBL 0x406042 EMPTY (6):
mov dword ptr ss:[ebp+0x426], eax
mov edi, eax
lea ebx, ptr [ebp+0x5e]
push ebx
push eax
call dword ptr ss:[ebp+0xf49]
BBL 0x406c69 EMPTY (3):
inc eax
cmp eax, 0x8
jb 0x406c5f
8
BBL 0x406c6f EMPTY (1):
jmp 0x406c78
9
BBL 0x406c71 EMPTY (1):
mov byte ptr ds:[ebx+0x264], 0x1
3
BBL 0x406c78 EMPTY (11):
mov edi, dword ptr ds:[ebx+0x260]
lea esi, ptr [esp+0x24]
mov ecx, 0x2f5
rep movsb
pop edi
pop esi
pop ebp
mov al, 0x1
pop ebx
add esp, 0x30c
ret
BBL 0x40138a EMPTY (3):
movzx ecx, word ptr ds:[eax+0x18]
cmp ecx, 0x10b
jz 0x4013b1
BBL 0x40600e EMPTY (1):
call 0x406014
16
BBL 0x40619d EMPTY (3):
add esi, 0x8
cmp dword ptr ds:[esi], 0x0
jnz 0x4060c7
3
BBL 0x4061a9 EMPTY (4):
push 0x8000
push 0x0
push dword ptr ss:[ebp+0x156]
call dword ptr ss:[ebp+0x551]
BBL 0x4061bc EMPTY (3):
mov ebx, dword ptr ss:[ebp+0x531]
or ebx, ebx
jz 0x4061ce
BBL 0x406b67 EMPTY (1):
xor esi, esi
4
BBL 0x406055 EMPTY (5):
mov dword ptr ss:[ebp+0x54d], eax
lea ebx, ptr [ebp+0x6b]
push ebx
push edi
call dword ptr ss:[ebp+0xf49]
BBL 0x406d29 EMPTY (4):
mov bl, byte ptr ds:[eax+esi*1+0x444022]
pop esi
cmp ecx, 0x8
jb 0x406d68
24
BBL 0x406d36 EMPTY (17):
mov ecx, dword ptr ds:[esi+0x4]
mov dl, byte ptr ds:[ecx]
inc ecx
mov byte ptr ss:[esp+0x18], dl
mov dword ptr ds:[esi+0x4], ecx
mov ecx, dword ptr ds:[esi+0xc]
mov edx, dword ptr ss:[esp+0x18]
shl ecx, 0x8
and edx, 0xff
or ecx, edx
mov edx, dword ptr ds:[esi+0x8]
add edx, 0xf8
mov dword ptr ds:[esi+0xc], ecx
mov ecx, edx
mov dword ptr ds:[esi+0x8], edx
cmp ecx, 0x8
jnb 0x406d36
17
17
2607
BBL 0x40130e EMPTY (2):
push eax
call dword ptr ds:[0x402088]
BBL 0x4060ad EMPTY (5):
push 0x4
push 0x1000
push 0x1800
push 0x0
call dword ptr ss:[ebp+0x54d]
BBL 0x406bd7 EMPTY (2):
cmp esi, 0x2f5
jnl 0x406bf6
86
BBL 0x406bf6 EMPTY (4):
lea edx, ptr [esp+0x24]
lea ecx, ptr [ebx+0x10]
push edx
call 0x4067d8
4
BBL 0x406680 EMPTY (6):
mov ecx, dword ptr ss:[esp+0x35c]
mov edx, dword ptr ss:[esp+0x358]
push ecx
push edx
lea ecx, ptr [esp+0xc]
call 0x406aa6
4
BBL 0x406bea EMPTY (2):
cmp esi, 0x2f5
jl 0x406b69
825 4
BBL 0x4013d9 EMPTY (5):
pop ecx
pop ecx
mov dword ptr ds:[0x40337c], eax
mov dword ptr ds:[0x403380], eax
call dword ptr ds:[0x402048]
BBL 0x40666c EMPTY (5):
mov eax, dword ptr ss:[esp+0x10]
sub esp, 0x354
lea ecx, ptr [esp+0x4]
push eax
call 0x406a28
4
BBL 0x406d93 EMPTY (6):
mov cl, byte ptr ds:[eax+esi*1+0x444006]
pop esi
mov eax, dword ptr ss:[esp+0x14]
add ecx, edx
add eax, ecx
mov dword ptr ss:[esp+0x14], eax
BBL 0x406da7 EMPTY (5):
mov al, byte ptr ds:[esi+0x264]
mov ebx, dword ptr ds:[esi+ebp*4+0x268]
xor edx, edx
push esi
call 0x406c96
41
632
81
BBL 0x4018c3 EMPTY (2):
pop esi
ret
232 41 41
BBL 0x406dbc EMPTY (5):
mov dl, byte ptr ss:[ebp+esi*1+0x44403e]
pop esi
test al, al
mov edi, edx
jz 0x406e40
632
244
388
4 112
3
BBL 0x4015a3 EMPTY (2):
xor eax, eax
ret
BBL 0x406376 EMPTY (3):
mov dword ptr ds:[edi], eax
add dword ptr ss:[ebp+0x549], 0x4
jmp 0x4062b6
BBL 0x4062b6 EMPTY (4):
mov edx, dword ptr ss:[ebp+0x422]
mov eax, dword ptr ds:[esi]
test eax, eax
jnz 0x4062c5
44
BBL 0x4062c5 EMPTY (8):
add eax, edx
add eax, dword ptr ss:[ebp+0x549]
mov ebx, dword ptr ds:[eax]
mov edi, dword ptr ds:[esi+0x10]
add edi, edx
add edi, dword ptr ss:[ebp+0x549]
test ebx, ebx
jz 0x406384
46
BBL 0x406bdf EMPTY (5):
mov byte ptr ss:[esp+esi*1+0x24], 0x0
inc esi
dec eax
test eax, eax
jnle 0x406bd7
86
21772263
BBL 0x40180e EMPTY (1):
jmp dword ptr ds:[0x402080]
224
BBL 0x4068e7 EMPTY (2):
cmp edi, 0x1000000
jz 0x4068fe
16
16
4
BBL 0x40142c EMPTY (1):
call 0x40189a
BBL 0x401377 EMPTY (4):
mov eax, dword ptr ds:[0x40003c]
lea eax, ptr [eax+0x400000]
cmp dword ptr ds:[eax], 0x4550
jnz 0x401373
BBL 0x4015d8 EMPTY (2):
pop ecx
jmp 0x401642
BBL 0x40165e EMPTY (7):
neg eax
sbb eax, eax
neg eax
pop ecx
dec eax
pop ebp
ret
BBL 0x40614b EMPTY (8):
and al, 0x0
rol eax, 0x18
sub eax, ebx
mov dword ptr ds:[esi], eax
add ebx, 0x5
add esi, 0x4
sub ecx, 0x5
jmp 0x40612d
35 11
35 2379
4
4
BBL 0x401446 EMPTY (1):
call 0x4018c8
BBL 0x4012da EMPTY (7):
mov eax, dword ptr ds:[0x40301c]
mov ecx, dword ptr ds:[0x402084]
mov dword ptr ds:[ecx], eax
push dword ptr ds:[0x40301c]
push dword ptr ds:[0x403020]
push dword ptr ds:[0x403018]
call 0x401000
2
BBL 0x40639a EMPTY (8):
mov eax, 0x1446
push eax
add eax, dword ptr ss:[ebp+0x422]
pop ecx
or ecx, ecx
mov dword ptr ss:[ebp+0x3a8], eax
popad
jnz 0x4063ba
BBL 0x4063ba EMPTY (2):
push 0x401446
ret
BBL 0x401911 EMPTY (2):
xor esi, eax
call dword ptr ds:[0x402004]
BBL 0x401096 EMPTY (8):
push ebp
mov ebp, dword ptr ds:[0x4020a8]
push esi
push 0x80
lea edx, ptr [esp+0x98]
push 0x1
push edx
call ebp
4
BBL 0x4015b8 EMPTY (3):
push dword ptr ds:[0x403380]
mov esi, dword ptr ds:[0x402070]
call esi
BBL 0x4015c6 EMPTY (4):
pop ecx
mov dword ptr ss:[ebp-0x1c], eax
cmp eax, 0xff
jnz 0x4015db
BBL 0x4015cf EMPTY (2):
push dword ptr ss:[ebp+0x8]
call dword ptr ds:[0x40206c]
BBL 0x401940 EMPTY (2):
test ebx, esi
jnz 0x40194b
BBL 0x4010e0 EMPTY (4):
mov ecx, dword ptr ds:[edi+0xc]
push 0x402158
push ecx
call ebx
9
BBL 0x406105 EMPTY (6):
inc byte ptr ss:[ebp+0xec]
mov edi, dword ptr ds:[esi]
add edi, dword ptr ss:[ebp+0x422]
push dword ptr ds:[edi]
mov byte ptr ds:[edi], 0xc3
call edi
BBL 0x406001 EMPTY (2):
pushad
call 0x40600a
BBL 0x40600a EMPTY (4):
pop ebp
inc ebp
push ebp
ret
BBL 0x406008 EMPTY (1):
jmp 0x40600e
2414
BBL 0x401164 EMPTY (3):
add esp, 0x20
test eax, eax
jnle 0x401123
31
44
BBL 0x406384 EMPTY (6):
mov dword ptr ds:[esi], eax
mov dword ptr ds:[esi+0xc], eax
mov dword ptr ds:[esi+0x10], eax
add esi, 0x14
mov edx, dword ptr ss:[ebp+0x422]
jmp 0x406285
2
1426
BBL 0x406ceb EMPTY (2):
cmp eax, 0x2d0
jnb 0x406f09
632
BBL 0x406cf6 EMPTY (8):
add eax, 0xffffff00
mov ebp, eax
and eax, 0x7
shr ebp, 0x3
lea edx, ptr [eax+0x2]
cmp eax, 0x7
mov dword ptr ss:[esp+0x14], edx
jnz 0x406da7
632
4
95
BBL 0x406b75 EMPTY (7):
mov ecx, dword ptr ds:[ebx+0x260]
mov dl, byte ptr ds:[ecx+esi*1]
add dl, al
and dl, 0xf
mov byte ptr ss:[esp+esi*1+0x24], dl
inc esi
jmp 0x406bea
734 139
34
734
4
4
59
2
BBL 0x40693a EMPTY (4):
mov eax, dword ptr ds:[edx+0x84]
inc ecx
cmp ecx, eax
jb 0x406911
3088
BBL 0x406945 EMPTY (7):
pop edi
pop esi
pop ebp
mov al, 0x1
pop ebx
add esp, 0x98
ret 0x4
16
2474
BBL 0x406918 EMPTY (10):
mov edi, dword ptr ds:[edx+0x88]
and eax, 0xff
mov eax, dword ptr ss:[esp+eax*4+0x68]
mov dword ptr ds:[edi+eax*4], ecx
xor eax, eax
mov al, byte ptr ds:[ecx+esi*1]
mov edi, dword ptr ss:[esp+eax*4+0x68]
lea eax, ptr [esp+eax*4+0x68]
inc edi
mov dword ptr ds:[eax], edi
630
4 4
BBL 0x406b58 EMPTY (2):
test al, al
jnz 0x406b67
4
BBL 0x406c25 EMPTY (2):
test al, al
jnz 0x406c34
4
44
128
BBL 0x406d13 EMPTY (2):
lea ecx, ptr [esi+0xa0]
call 0x406954
41
591 41
630
3
4064
BBL 0x401147 EMPTY (6):
push edi
push eax
lea eax, ptr [esp+0x118]
push 0x1
push eax
call ebx
32
BBL 0x406c34 EMPTY (4):
lea ecx, ptr [esp+0x311]
push ecx
lea ecx, ptr [ebx+0x130]
call 0x4067d8
4
BBL 0x401155 EMPTY (6):
push esi
push 0x80
lea ecx, ptr [esp+0x28]
push 0x1
push ecx
call ebp
32
2
32
4
4
27
Figure 6.7.: The core XOR encryption packed with ASPack
81
7
Chapter 7.
Conclusions
In this chapter we draw the conclusions from the evaluation and the previous chapters. We also point out shortcomings of the current solution and describe means to improve it.
7.1. Evaluation Performance
In the previous chapter we evaluated our identification methods and their implementation against multiple programs. The testing environment is based on consumer computing hardware, and our system implementation depends only on free and open-source software.

The 14 testing applications were successfully traced using our Pintool in a short time frame. Also, the analysis tool was able to perform the identification methods in an acceptable time frame. The identification method by Caballero et al. successfully found cryptographic basic blocks in 92% of the testing applications. This shows that a simple heuristic based on bitwise arithmetic instructions can yield a good identification method. The method by Wang et al. provides an interesting measurement for finding the turning point of a single encryption in a complete trace. Yet, it was only successful in 28% of the testing applications. Although we did not completely implement the taint-tracking of Lutz's method, we evaluated his entropy-based method. We found that for 57% of the testing applications the method was fully or partially successful. In 28% of the tests it generated false-positives and in 14% it returned no results.

Our signature-based methods provided good results for the testing applications. If given, the debug symbols were identified by the sigAPI() method in 100% of the cases. The (constant, mnemonic)-tuple method generated successful results for 100% of the cryptographic applications. Also the mnemonic-sequence method found 100% of the cryptographic algorithms and implementations, although it returned false-positives in one case. The most ineffective signature-based identification method was the memory-constant method. It only had success in 21% of the testing applications and generated one false-positive, because not all algorithms can be uniquely identified by constants alone; a combination of characteristics therefore yields the best results.

The generic loop differ method provided only moderate results. Although it detected counters for most of the testing applications, its other tests for entropy, XOR, and permutation boxes are still too experimental. The xorNotNullAndMov() method was successful for the XOR testing application and also provided satisfactory results for the CBC and CFB mode block ciphers. However, the best performing generic identification method was the symmetricCipherDataTester(), which was able to identify the cryptographic algorithm, plaintext, key, and corresponding ciphertext in 87% of the symmetric cipher testing applications.

The Curl HTTPS evaluation was also successful, because we were able to discover the actually used algorithms and their implementation, including plaintexts and ciphertexts of the secure channel. Furthermore, we uncovered the SSL session keys used for the encryption and decryption of application data, using the symmetricCipherDataTester() method.

On an experimental basis, the packing of the XOR application with ASPack showed that the analysis algorithms presented in Chapter 3 are robust and stable. Also the tracing and analysis implementation generated successful results for the packed testing application.

The evaluation shows that the most successful identification methods are the constmnemonic() and the symmetricCipherDataTester() methods. For special algorithms, like XOR, other methods are more suitable, but generally a combination of a signature-based and a generic approach works well. We were able to identify the majority of cryptographic algorithms, including their parameters, and thereby prove the thesis which is stated in Section 1.2.
7.2. Further Work
With the results of the evaluation, we see two areas of further work: (a) the research for other identification methods and (b) the improvement of the existing system, enhancing the most successful identification methods from above.

The most promising method for the identification of cryptographic keys is the symmetricCipherDataTester() method based on Observation 4. Further research is necessary to optimize the generation and filtering of candidate keys from a trace. The optimization could utilize known cryptographic code and its API. Thereby we could enhance the extraction of the cryptographic parameters due to the known positioning. Also, the methods from Halderman et al. [32] should be further investigated and combined with the methods of Observation 4. Another challenging task is the development of an identification method that is able to generically identify custom cryptographic code, for example the custom Feistel network found in malware by Greulich [29]. This generic discovery of cryptographic parameters without a reference implementation is an open problem.

The signature-based identification methods could be enhanced to allow fuzzy matching. For example, we could tolerate wrong sample mnemonics in a mnemonic sequence signature to a certain level. We could use abstract interpretation, either in the native or an intermediate language, in combination with symbolic execution to extract relations from the executed code and thereby determine parts of a cryptographic algorithm.
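
The fuzzy matching proposed above can be sketched as approximate subsequence matching over the traced mnemonic stream. This is an added example, not code from the thesis: the signature, the traces, and the 20% error budget are constructed assumptions, and it goes slightly beyond the text by tolerating inserted or missing mnemonics as well as wrong ones.

```python
"""Fuzzy matching of a mnemonic-sequence signature against a traced
mnemonic stream. Added illustration; all sample data is constructed."""

# Constructed signature: mnemonics of a hypothetical cipher round.
SIGNATURE = ["mov", "xor", "rol", "add", "mov", "xor", "shr", "and", "xor", "mov"]

# Constructed trace: the same round built by another compiler, with one wrong
# mnemonic (lea instead of add) and one extra instruction (nop).
TRACE_VARIANT = ["push", "mov", "call", "pop",
                 "mov", "xor", "rol", "lea", "mov", "xor", "nop",
                 "shr", "and", "xor", "mov",
                 "cmp", "jnz", "ret"]

# Constructed trace without any cryptographic code.
TRACE_UNRELATED = ["mov", "push", "call", "pop", "mov",
                   "cmp", "jnz", "ret", "mov", "mov"]


def exact_find(signature, trace):
    """Strict matching: end offsets at which the signature occurs verbatim."""
    m = len(signature)
    return [j + m for j in range(len(trace) - m + 1)
            if trace[j:j + m] == signature]


def fuzzy_find(signature, trace, max_error_percent=20):
    """Approximate matching (Sellers' dynamic programme).

    Returns (end_offset, edit_distance) for every trace position at which
    the signature matches some preceding stretch of the trace with at most
    max_error_percent of its mnemonics wrong, missing, or surplus.
    """
    m = len(signature)
    budget = m * max_error_percent // 100
    # prev[i]: cheapest alignment of signature[:i] ending at the previous
    # trace position. Row 0 stays 0 so a match may start anywhere.
    prev = list(range(m + 1))
    hits = []
    for j, mnemonic in enumerate(trace, start=1):
        cur = [0]
        for i in range(1, m + 1):
            cost = 0 if signature[i - 1] == mnemonic else 1
            cur.append(min(prev[i - 1] + cost,   # match or wrong mnemonic
                           prev[i] + 1,          # surplus instruction in trace
                           cur[i - 1] + 1))      # signature mnemonic missing
        if cur[m] <= budget:
            hits.append((j, cur[m]))
        prev = cur
    return hits


def best_hit(hits):
    """Collapse overlapping hits to the one with the smallest distance."""
    return min(hits, key=lambda h: h[1]) if hits else None


if __name__ == "__main__":
    print("exact :", exact_find(SIGNATURE, TRACE_VARIANT))
    print("fuzzy :", fuzzy_find(SIGNATURE, TRACE_VARIANT))
    print("noise :", fuzzy_find(SIGNATURE, TRACE_UNRELATED))
```

The error budget trades missed variants against false positives, which the evaluation already observed for the strict mnemonic-sequence method, so it should be calibrated per signature length.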
Depending on the application of the analysis, methods could be developed to identify the padding, encoding, and compression of the plaintext. Also, a sound analysis tool may be used to recompose the cryptographic protocol flow and graph the cryptographic composition. Therefore, an identification of the mode of operation must be done, although this seems trivial given all input/output parameters of all blocks.

To develop an efficient system implementation, we need to reconsider the design decision of separating tracing and analysis. A better interconnection between tracing and analysis would at least discard the overhead of the trace sizes. Using a solution with named pipes, i.e., writing the trace directly to the analysis tool's memory, may be a good start. On the other hand, the syntax and thereby the size of the trace files can be easily enhanced. The Nirvana/iDNA paper [7] points to several methods for reducing the trace size. Instead of an ASCII trace, we could write a binary trace, which would radically decrease the trace size. Also, the trace should only contain changing values, e.g., we should only log the current thread ID if it has changed.
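
The two trace-size reductions named above (binary records, and logging a value only when it changes) can be compared against an ASCII trace as follows. This is an added example, not the thesis's trace format: the record layout, the field names, and the sample trace are hypothetical.

```python
"""Binary, change-only trace records versus a plain ASCII trace.
Added illustration; the record layout and sample data are hypothetical."""
import struct

# Hypothetical per-instruction state logged next to the instruction pointer.
FIELDS = ("tid", "eax", "ebx", "ecx", "edx")


def encode_ascii(records):
    """Baseline: one text line per instruction with every field spelled out."""
    lines = []
    for eip, state in records:
        cols = " ".join("%s=%08x" % (f, state[f]) for f in FIELDS)
        lines.append("%08x %s" % (eip, cols))
    return ("\n".join(lines) + "\n").encode("ascii")


def encode_binary(records):
    """One mask byte + 32-bit EIP, then only the fields that changed."""
    out = bytearray()
    last = {}
    for eip, state in records:
        mask, payload = 0, b""
        for bit, field in enumerate(FIELDS):
            if last.get(field) != state[field]:
                mask |= 1 << bit
                payload += struct.pack("<I", state[field])
                last[field] = state[field]
        out += struct.pack("<BI", mask, eip) + payload
    return bytes(out)


def decode_binary(blob):
    """Rebuild the full records by carrying unchanged fields forward."""
    records, state, off = [], {}, 0
    while off < len(blob):
        mask, eip = struct.unpack_from("<BI", blob, off)
        off += 5
        for bit, field in enumerate(FIELDS):
            if mask & (1 << bit):
                (state[field],) = struct.unpack_from("<I", blob, off)
                off += 4
        records.append((eip, dict(state)))
    return records


def count_field_writes(blob, field):
    """How often a field was actually written to the binary trace."""
    bit, off, writes = FIELDS.index(field), 0, 0
    while off < len(blob):
        mask = blob[off]
        writes += (mask >> bit) & 1
        off += 5 + 4 * bin(mask).count("1")
    return writes


def sample_trace(iterations=32):
    """Constructed trace of a three-instruction loop; a second thread
    executes one instruction in the middle of the run."""
    records = []
    regs = {"tid": 1, "eax": 0x20, "ebx": 0x7FFD0000, "ecx": 0, "edx": 0}
    for i in range(iterations):
        if i == 16:
            records.append((0x2000, dict(regs, tid=2)))
        regs["edx"] = (i * 7) & 0xFF
        records.append((0x1000, dict(regs)))
        regs["ecx"] = i + 1
        records.append((0x1004, dict(regs)))
        records.append((0x1006, dict(regs)))
    return records


if __name__ == "__main__":
    trace = sample_trace()
    ascii_blob, binary_blob = encode_ascii(trace), encode_binary(trace)
    print("ASCII bytes :", len(ascii_blob))
    print("binary bytes:", len(binary_blob))
    print("tid written :", count_field_writes(binary_blob, "tid"), "times")
```

The decoder must see the trace from its first record, because every later record depends on the state carried forward.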
Depending on the type of software to be analyzed, we also need to reconsider other tracing frameworks from Chapter 2. In general, the tracing should be more flexible and further options could be developed to filter the tracing target. For example, a trigger instruction, e.g., int3, could be used to start the trace. The attachment of the instrumentation to a running target could also be supported. A restriction of the instrumentation to certain memory address ranges may also yield better, filtered results. In the analysis tool, the reporting needs to be enhanced and abstracted to better distinguish between debugging and result output.
7.3. Conclusion
In this thesis we presented several methods to identify cryptographic code in arbitrary
programs. We pointed out the relatively small amount of related work in this area and
evaluated available signature-based static tools. To underpin our dynamic approach,
we described several software analysis methods, including control flow graph
generation and loop detection. We characterized cryptographic implementations and
observed dedicated attributes, on which we developed and implemented our
identification methods. The implemented system was evaluated and we concluded with
possible improvements.
In 2009, the research community reported several flaws in a variety of software
solutions. The flaws include wrong cryptographic compositions, static-key protocols,
and fraudulent cryptographic implementations. We show that an automated analysis
for cryptographic software usage is possible and we believe that the interest in security
analysis of cryptographic code will increase.
Bibliography
[1] P. Bächer, T. Holz, M. Kötter, and G. Wicherski. Know your enemy: Tracking
botnets. The Honeynet Project and Research Alliance, March, 2005.
[2] P. Bania. Generic Unpacking of Self-modifying, Aggressive, Packed Binary
Programs. 2009.
[3] Y. Bao, M. Chen, Y. Ruan, L. Liu, J. Fan, Q. Yuan, B. Song, and J. Xu. HMTT: A
Platform Independent Full-System Memory Trace Monitoring System. In Z. Liu,
V. Misra, and P. J. Shenoy, editors, SIGMETRICS, pages 229-240. ACM, 2008.
ISBN 978-1-60558-005-0.
[4] U. Bayer, C. Kruegel, and E. Kirda. TTAnalyze: A Tool for Analyzing Malware.
In 15th Annual Conference of the European Institute for Computer Antivirus Research
(EICAR), 2006.
[5] P. Beaucamps and E. Filiol. On the possibility of practically obfuscating programs
Towards a unified perspective of code protection. Journal in Computer Virology,
3(1):3-21, 2007.
[6] F. Bellard. QEMU, a Fast and Portable Dynamic Translator. In USENIX Annual
Technical Conference, FREENIX Track, pages 41-46. USENIX, 2005.
[7] S. Bhansali, W. Chen, S. De Jong, A. Edwards, R. Murray, M. Drinic, D. Mihocka,
and J. Chau. Framework for instruction-level tracing and analysis of program
executions. In Proceedings of the 2nd international conference on Virtual execution
environments, page 163. ACM, 2006.
[8] L. Böhne. Pandora's Bochs: Automatic Unpacking of Malware. Master's thesis,
RWTH Aachen University, 2008.
[9] F. Boldewin. Analyzing MSOffice malware with OfficeMalScanner. Technical
report, reconstructer.org, 2009.
[10] P. P. Bungale and C.-K. Luk. PinOS: a programmable framework for whole-system
dynamic instrumentation. In C. Krintz, S. Hand, and D. Tarditi, editors,
Proceedings of the 3rd international conference on Virtual execution environments,
pages 137-147. ACM, 2007. ISBN 978-1-59593-630-1.
[11] J. Caballero, H. Yin, Z. Liang, and D. X. Song. Polyglot: automatic extraction of
protocol message format using dynamic binary analysis. Proceedings of the 2007
ACM Conference on Computer and Communications Security, CCS 2007, Alexandria,
Virginia, USA, October 28-31, 2007, pages 317-329, 2007.
[12] J. Caballero, P. Poosankam, C. Kreibich, and D. Song. Bidirectional Protocol
Reverse Engineering: Message Format Extraction and Field Semantics Inference.
Technical report, University of California at Berkeley, 2009.
[13] J. Caballero, P. Poosankam, C. Kreibich, and D. Song. Dispatcher: Enabling
Active Botnet Infiltration using Automatic Protocol Reverse-Engineering. In ACM
Conference on Computer and Communications Security, 2009.
[14] E. Carrera. Bochs python. LaCon Proceedings, 2008.
[15] L. Cavallaro, P. Saxena, and R. Sekar. Anti-taint-analysis: Practical evasion
techniques against information flow based malware defense. Technical report, Stony
Brook University, 2007.
[16] J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding
Data Lifetime via Whole System Simulation. In USENIX Security Symposium,
pages 321-336. USENIX, 2004.
[17] J. A. Clause, W. Li, and A. Orso. Dytan: a generic dynamic taint analysis
framework. In D. S. Rosenblum and S. G. Elbaum, editors, Proceedings of the 2007
international Symposium on Software Testing and Analysis, pages 196-206. ACM, 2007.
ISBN 978-1-59593-734-6.
[18] W. Cui, M. Peinado, K. Chen, H. Wang, and L. Irun-Briz. Tupni: Automatic
Reverse Engineering of Input Formats. In Proceedings of the 15th ACM conference
on Computer and communications security, pages 391-402. ACM New York, NY,
USA, 2008.
[19] J. Daemen and V. Rijmen. AES proposal: Rijndael. Proceedings from the First
Advanced Encryption Standard Candidate Conference, National Institute of Standards
and Technology (NIST), 1998.
[20] A. Dinaburg, P. Royal, M. I. Sharif, and W. Lee. Ether: Malware Analysis via
Hardware Virtualization Extensions. In P. Ning, P. F. Syverson, and S. Jha, editors,
ACM Conference on Computer and Communications Security, pages 51-62. ACM,
2008. ISBN 978-1-59593-810-7.
[21] D. Dittrich and S. Dietrich. P2P as botnet command and control: a deeper
insight. In Proceedings of the 3rd International Conference on Malicious and Unwanted
Software, pages 46-63, 2008.
[22] M. Egele, C. Kruegel, E. Kirda, H. Yin, and D. X. Song. Dynamic Spyware
Analysis. In USENIX Annual Technical Conference, pages 233-246. USENIX, 2007.
[23] J. Ellson, E. Gansner, L. Koutsofios, S. North, and G. Woodhull. Graphviz-open
source graph drawing tools. Lecture Notes in Computer Science, pages 483-484,
2002.
[24] P. Ferrie. Attacks on virtual machine emulators. Symantec Security Response, 2006.
[25] P. Ferrie. Anti-unpacker tricks. In Proceedings of the 2nd International CARO
Workshop, 2008.
[26] H. Flake. More fun with graphs. Proceedings of BlackHat Federal, 2003.
[27] J. Franklin, M. Luk, and J. M. McCune. Detecting the Presence of a VMM through
Side-Effect Analysis. Technical report, Carnegie Mellon University, 2005.
[28] A. Godiyal, A. Nguyen, and N. Schear. A Lightweight Hypervisor for Malware
Analysis. Technical report, University of Illinois at Urbana-Champaign, 2008.
[29] A. Greulich. Mebroot / Torpig / Sinowal. InBot, 2009.
[30] I. Guilfanov. Fast Library Identification and Recognition Technology, 1997. URL
http://www.hex-rays.com/idapro/flirt.htm.
[31] W. Guizani, J. Marion, and D. Reynaud-Plantey. Server-Side Dynamic Code
Analysis. In 4th International Conference on Malicious and Unwanted Software, pages
55-62, 2009.
[32] J. Halderman, S. Schoen, N. Heninger, W. Clarkson, W. Paul, J. Calandrino,
A. Feldman, J. Appelbaum, and E. Felten. Lest We Remember: Cold Boot
Attacks on Encryption Keys. In USENIX Security Symposium, pages 45-60, 2008.
[33] N. Heninger and H. Shacham. Reconstructing RSA private keys from random
key bits. In Advances in Cryptology (CRYPTO), 2009.
[34] T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling. Measurements and
Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm. In First
USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2008.
[35] D. Janssens. Heuristic methods for Locating Cryptographic Keys Inside Computer
Systems. PhD thesis, Katholieke Universiteit Leuven, 1999.
[36] D. Janssens, R. Bjones, and J. Claessens. KeyGrab TOO - The search for keys
continues...,. Whitepaper, Utimaco Safeware AG, KU Leuven, 2000.
[37] M. Kang, P. Poosankam, and H. Yin. Renovo: A hidden code extractor for
packed executables. In Proceedings of the 2007 ACM workshop on Recurring
malcode, page 53. ACM, 2007.
[38] K. Kaukonen and R. Thayer. A Stream Cipher Encryption Algorithm Arcfour.
The Internet Society, 1999.
[39] A. Kerckhoffs. La Cryptographie Militaire. Journal des sciences militaires, 1883.
[40] T. Klein. All your private keys are belong to us. Technical report, 2006.
[41] J. Kong, C. Zou, and H. Zhou. Improving Software Security via Runtime
Instruction-Level Taint Checking. In Proceedings of the 1st workshop on
Architectural and system support for improving software dependability, pages 18-24. ACM
New York, NY, USA, 2006.
[42] C. Kruegel, D. Balzarotti, W. K. Robertson, and G. Vigna. Improving Signature
Testing through Dynamic Data Flow Analysis. In Proceedings of the Annual
Computer Security Applications Conference (ACSAC), pages 53-63. IEEE Computer
Society, 2007.
[43] A. Lanzi, M. I. Sharif, and W. Lee. K-Tracer: A System for Extracting Kernel
Malware Behavior. Proceedings of the 16th Annual Network and Distributed System
Security Symposium (NDSS), 2009.
[44] F. Leder and T. Werner. Know your enemy: Containing conficker - to tame a
malware. Know Your Enemy Series of the Honeynet Project, 2009.
[45] K. Lejska. X86 Opcode and Instruction Reference. URL http://ref.x86asm.net/.
[46] T. Lengauer and R. Tarjan. A fast algorithm for finding dominators in a
flowgraph. ACM Transactions on Programming Languages and Systems (TOPLAS), pages
121-141, 1979.
[47] Z. Lin, X. Jiang, D. Xu, and X. Zhang. Automatic Protocol Format Reverse
Engineering through Context-Aware Monitored Execution. Proceedings of the 15th
Annual Network and Distributed System Security Symposium (NDSS), 2008.
[48] C. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. Reddi,
and K. Hazelwood. Pin: Building Customized Program Analysis Tools with
Dynamic Instrumentation. In Proceedings of the 2005 ACM SIGPLAN conference on
Programming language design and implementation, pages 190-200. ACM New York,
NY, USA, 2005.
[49] N. Lutz. Towards Revealing Attackers Intent by Automatically Decrypting
Network Traffic. Master's thesis, ETH Zürich, 2008.
[50] C. Maartmann-Moe, S. Thorkildsen, and A. Årnes. The persistence of memory:
Forensic identification and extraction of cryptographic keys. Digital Investigation,
6:132-140, 2009.
[51] S. McCamant and M. Ernst. Quantitative Information-Flow Tracking for C and
Related Languages. Computer Science and Artificial Intelligence Laboratory Technical
Report, MIT, MIT-CSAILTR-2006-076, 2006.
[52] A. Moser, C. Kruegel, and E. Kirda. Exploring Multiple Execution Paths for
Malware Analysis. In Proceedings of IEEE Symposium on Security and Privacy, pages
231-245, 2007.
[53] J. Murakami. A Hypervisor IPS based on Hardware assisted Virtualization
Technology. Black Hat USA, 2008.
[54] N. Nethercote and J. Seward. Valgrind: A Framework for Heavyweight Dynamic
Binary Instrumentation. Proceedings of the 2007 ACM SIGPLAN conference on
Programming language design and implementation, pages 89-100, 2007.
[55] R. A. Nguyen Anh Quynh, Kuniyasu Suzaki. eKimono: a Malware Scanner for
Virtual Machines. Hack In The Box Kuala Lumpur, 2009.
[56] NIST. FIPS 46-3: Data Encryption Standard. 1977.
[57] T. Ormandy. An Empirical Study into the Security Exposure to Hosts of Hostile
Virtualized Environments. CanSecWest, 2007.
[58] R. Paleari, L. Martignoni, G. Roglia, and D. Bruschi. A fistful of red-pills: How
to automatically generate procedures to detect CPU emulators. In Proceedings of
3rd USENIX Workshop on Offensive Technologies (WOOT), 2009.
[59] M. Payer. secuBT: Hacking the Hackers with User-Space Virtualization. In
Proceedings of the 26c3, pages 157-163, 2009.
[60] P. Porras, H. Saidi, and V. Yegneswaran. Conficker C P2P Protocol and
Implementation. Technical report, SRI International, 2009.
[61] G. Portokalidis, A. Slowinska, and H. Bos. Argos: an Emulator for
Fingerprinting Zero-Day Attacks. In Proceedings of the 1st ACM SIGOPS/EuroSys European
Conference on Computer Systems, pages 15-27, 2006.
[62] D. Quist and Valsmith. Covert Debugging Circumventing Software Armoring
Techniques. Black Hat Briefings USA, 2007.
[63] T. Raffetseder, C. Krügel, and E. Kirda. Detecting System Emulators. Lecture
Notes in Computer Science, 4779:1-18, 2007.
[64] E. S. Raymond. If Cisco ignored Kerckhoffs's Law, users will pay the price, 2004.
URL http://lwn.net/Articles/85958/.
[65] D. Reynaud. A Survey on Virtual Machines for Malware Analysis. 3rd
International Workshop on the Theory of Computer Viruses, 2008.
[66] D. Reynaud. A look at anti-virtualization in malware samples, 2009. URL
http://indefinitestudies.org/2009/09/21/a-look-at-anti-virtualization-in-malware-samples/.
[67] D. Reynaud. Large bunch of pin.log files, 2009. URL
http://tech.groups.yahoo.com/group/pinheads/message/4153.
[68] R. Rivest. RFC1321: The MD5 message-digest algorithm. Request for Comments,
1992.
[69] R. Rivest, A. Shamir, and L. Adleman. Cryptographic communications system
and method (RSA), 1983. US Patent 4,405,829.
[70] H. Röck. Survey of Dynamic Instrumentation of Operating Systems. Technical
report, University of Salzburg, 2007.
[71] P. Royal and I. Damballa. Alternative Medicine: The Malware Analyst's Blue
Pill. Black Hat USA, 2008.
[72] P. Saxena, R. Sekar, and V. Puranik. Efficient Fine-Grained Binary
Instrumentation with Applications to Taint-Tracking. Proc. of the 2008 International Sym. on
Code Generation and Optimization (CGO), 2008.
[73] A. Shamir and N. Van Someren. Playing Hide and Seek with Stored Keys. Lecture
Notes in Computer Science, 1999.
[74] M. Sheldon, G. Weissman, and V. Inc. ReTrace: Collecting Execution Trace with
Virtual Machine Deterministic Replay. In Proceedings of the Third Annual Workshop
on Modeling, Benchmarking and Simulation (MoBS), 2007.
[75] D. Stevens. XORSearch, 2009. URL
http://blog.didierstevens.com/programs/xorsearch/.
[76] J. Stewart. Inside the Storm: Protocols and Encryption of the Storm Botnet. Black
Hat USA, 2008.
[77] J. Tubella and A. González. Control Speculation in Multithreaded Processors
through Dynamic Loop Detection. In Proceedings of the 4th International
Symposium on High-Performance Computer Architecture, 1998.
[78] A. Vasudevan and R. Yerraballi. SPiKE: Engineering Malware Analysis Tools
using Unobtrusive Binary-Instrumentation. Proceedings of the 29th Australasian
Computer Science Conference, 2006.
[79] O. Vermaas and D. de Graaf. Operation ShadowBot: Case study in a botnet
investigation. InBot, 2009.
[80] G. Vigna. Static Disassembly and Code Analysis. Malware Detection, 2006.
[81] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna.
Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In
Proceeding of the Network and Distributed System Security Symposium (NDSS), 2007.
[82] Z. Wang, X. Jiang, W. Cui, and X. Wang. ReFormat: Automatic Reverse
Engineering of Encrypted Messages. Technical report, NC State University, 2008.
[83] T. Werner and F. Leder. Waledac Isn't Good Either! InBot, 2009.
[84] C. Willems, T. Holz, and F. Freiling. Toward Automated Dynamic Malware
Analysis Using CWSandbox. IEEE Security & Privacy, 5(2):32-39, 2007.
[85] R. Wojtczuk. Subverting the Xen hypervisor. Black Hat USA, 2008.
[86] G. Wondracek, P. Comparetti, C. Kruegel, E. Kirda, and S. Anna. Automatic
Network Protocol Analysis. In Proceedings of the 15th Annual Network and Distributed
System Security Symposium (NDSS), 2008.
[87] Y. Wu, T. Chiueh, and C. Zhao. Efficient and Automatic Instrumentation for
Packed Binaries. In Proceedings of the 3rd International Conference and Workshops on
Advances in Information Security and Assurance, page 316. Springer, 2009.
[88] H. Yin, D. X. Song, M. Egele, C. Kruegel, and E. Kirda. Panorama: Capturing
System-wide Information Flow for Malware Detection and Analysis. Proceedings
of the 2007 ACM Conference on Computer and Communications Security (CCS), pages
116-127, 2007.
[89] A. Young and M. Yung. Cryptovirology: Extortion-Based Security Threats and
Countermeasures. In IEEE Symposium on Security and Privacy, pages 129-141,
1996.
[90] Q. Zhao, R. Rabbah, S. Amarasinghe, L. Rudolph, and W. Wong. How to do a
million watchpoints: Efficient Debugging using Dynamic Instrumentation.
Lecture Notes in Computer Science, 4959:147, 2008.
Appendix A. Digital Attachments
The contents of the attached DVD are the following:
The Python analysis tool kerckhoffr/
The Pintool source and its compiled form kerckhoffr.dll
The current Pin release
The compiled testing applications with source
This thesis including graphics and bibliography
Gathered traces of the testing applications
Generated control flow graph PDFs of the testing applications
Papers from the bibliography
Slides of intermediate talks on the progress of the thesis
The static tools from Appendix B
Appendix B. Static Tools
All URLs and SHA1 sums were last checked September 19, 2009.
Krypto Analyzer (KANAL) Version 2.92
http://www.peid.info/files/PEiD-0.95-20081103.zip
f04ebf471ebcf1598949af5a1aff11279e41da70 PEiD-0.95-20081103.zip
Findcrypt plugin Version 2
http://www.hexblog.com/ida_pro/files/findcrypt2.zip
361db4090396a24599bff9a2254dd5b7c2dd2f22 findcrypt2.zip
SnD Crypto Scanner Version 0.5b
http://www.tuts4you.com/request.php?2222
5fbcbf1739f1b167c5941084e4fd3716efbc696c CryptoScanner 0.5b.rar
Crypto Searcher by x3chun Version 2004.05.19
http://quequero.org/uicwiki/images/Cryptosearcher_2004_05_19.zip
735627196a3e573134b69f75351a0bca036b8014 cryptosearcher.exe
Hash & Crypto Detector (HCD) Version 1.1
http://www.woodmann.com/collaborative/tools/images/Bin_Hash_%26_Crypto_Detector_2009-2-8_1.0_Hash_%26_Crypto_Detector_v1.1.rar
098515422fed76ccd1a5c5e85413c6ae2baf1fdc HCD.rar
DRACA Version 0.5.7b
http://www.literatecode.com/get/draca.zip
6f32e1e6207c136240a5de9ea3857e4a3c9dae99 draca.zip