|
变速齿轮是通过HOOK GetTickCount、GetMessageTime、QueryPerformanceCounter、SetTimer、timeSetEvent、timeGetTime来达到变速的效果
遂分为3段进行发布
以下是HOOK前后的代码比较
; GetTickCount before the hook (kernel32, unmodified entry).
; Computes (TickCountLow * TickCountMultiplier) >> 24 directly from the
; shared page at 7FFE0000; no CALL or SYSENTER appears in this routine.
kernel32.> BA 0000FE7F MOV EDX,7FFE0000 ; 7FFE0000=KUSER_SHARED_DATA
7C80934F 8B02 MOV EAX,DWORD PTR DS:[EDX] ; +0: tick count, low dword
7C809351 F762 04 MUL DWORD PTR DS:[EDX+4] ; +4: tick multiplier; EDX:EAX = 64-bit product
7C809354 0FACD0 18 SHRD EAX,EDX,18 ; EAX = product >> 24 (18h)
7C809358 C3 RETN
; GetTickCount after the hook.
; The 5-byte MOV EDX,7FFE0000 at the export's entry is replaced by a JMP rel32
; into GearNtKe. The hook body takes a mutex, runs the original code through a
; trampoline, and returns ((now - oldTickCount) * nSpeed >> 22) + [129F00C].
; Review note: the entry byte is now E9 with a target outside kernel32, which
; is what a comparison of the in-memory prologue with the on-disk image flags.
kernel32.>- E9 C182A784 JMP GearNtKe.01281610
{
01281610 A1 E4C52901 MOV EAX,DWORD PTR DS:[hMutexObj]
01281615 56 PUSH ESI
01281616 6A FF PUSH -1 ; timeout = INFINITE (-1)
01281618 50 PUSH EAX ; mutex handle loaded above
01281619 FF15 10302901 CALL DWORD PTR DS:[<&KERNEL32.WaitForSin>; kernel32.WaitForSingleObject
0128161F E8 BCFAFFFF CALL GearNtKe.012810E0 ; trampoline into the original GetTickCount
{
012810E0 BA 0000FE7F MOV EDX,7FFE0000 ; 7FFE0000=KUSER_SHARED_DATA structure (copy of the overwritten instruction)
012810E5 - E9 6582587B JMP kernel32.7C80934F ; \ continues in the original GetTickCount code
{ ; |
7C80934F 8B02 MOV EAX,DWORD PTR DS:[EDX] ; | KUSER_SHARED_DATA.TickCountLow
7C809351 F762 04 MUL DWORD PTR DS:[EDX+4] ; | KUSER_SHARED_DATA.TickCountMultiplier
7C809354 0FACD0 18 SHRD EAX,EDX,18 ; |
7C809358 C3 RETN ; |
} ; /
}
01281624 2B05 08F02901 SUB EAX,DWORD PTR DS:[oldTickCount] ; oldTickCount = value of the first GetTickCount call after DLL injection
0128162A 50 PUSH EAX ; EAX=delta since that baseline
0128162B E8 80FEFFFF CALL GearNtKe.012814B0 ; scale the delta by the speed factor
{
012814B0 A1 20F02901 MOV EAX,DWORD PTR DS:[nSpeed] ; 129F020=speed value (default 0x00400000 = 1<<22, i.e. factor 1.0 given the 22-bit shift below)
012814B5 F76424 04 MUL DWORD PTR SS:[ESP+4] ; * GetTickCount delta; EDX:EAX = 64-bit product
012814B9 0FACD0 16 SHRD EAX,EDX,16 ; EAX = low dword of product >> 22 (16h)
012814BD C1EA 16 SHR EDX,16 ; high part; the callers shown on this page use only EAX
012814C0 C3 RETN
}
01281630 8B0D E4C52901 MOV ECX,DWORD PTR DS:[hMutexObj]
01281636 83C4 04 ADD ESP,4 ; drop the argument pushed for 012814B0
01281639 8BF0 MOV ESI,EAX ; keep the scaled delta across ReleaseMutex
0128163B 0335 0CF02901 ADD ESI,DWORD PTR DS:[129F00C] ; SetSpeed(): 129F00C = value computed from timeGetTime
01281641 51 PUSH ECX ; ECX=mutex object
01281642 FF15 0C302901 CALL DWORD PTR DS:[<&KERNEL32.ReleaseMut>; kernel32.ReleaseMutex
01281648 8BC6 MOV EAX,ESI ; return value
0128164A 5E POP ESI
0128164B C3 RETN
}
; GetMessageTime before the hook (user32).
; A thin stub: PUSH 0B, then a shared helper that loads 11B3h into EAX and
; calls through the pointer stored at 7FFE0300, which leads to SYSENTER.
user32.Ge> 6A 0B PUSH 0B
77D29DE2 E8 BFFAFFFF CALL user32.77D298A6
{
77D298A6 B8 B3110000 MOV EAX,11B3 ; value handed to the system-call stub in EAX
77D298AB BA 0003FE7F MOV EDX,7FFE0300 ; KUSER_SHARED_DATA + 300h
77D298B0 FF12 CALL DWORD PTR DS:[EDX] ; indirect call through the pointer stored there
{
ntdll.KiF> 8BD4 MOV EDX,ESP
7C92E512 0F34 SYSENTER
ntdll.KiF> C3 RETN
}
77D298B2 C2 0400 RETN 4 ; pops the 0B pushed by the caller
}
77D29DE7 C3 RETN
; GetMessageTime after the hook.
; The 5-byte JMP covers PUSH 0B and the first three bytes of the CALL, so the
; trampoline at 012810B0 re-issues PUSH 0B and the CALL (rel32 recomputed for
; the new address, same target user32.77D298A6) and then jumps to the
; original RETN at 77D29DE7.
; Result = ((message time - [0129F008]) * nSpeed >> 22) + [129F00C].
user32.Ge>- E9 EB775589 JMP GearNtKe.012815D0
{
012815D0 . A1 E4C52901 MOV EAX,DWORD PTR DS:[hMutexObj]
012815D5 . 56 PUSH ESI
012815D6 . 6A FF PUSH -1 ; /Timeout = INFINITE
012815D8 . 50 PUSH EAX ; |hObject => 000000C8 (window)
012815D9 . FF15 10302901 CALL DWORD PTR DS:[<&KERNEL32.WaitForSingleObject>>; \WaitForSingleObject
012815DF . E8 CCFAFFFF CALL GearNtKe.012810B0 ; \ calls the original GetMessageTime
{ ; |
012810B0 $ 6A 0B PUSH 0B ; |
012810B2 . E8 EF87AA76 CALL user32.77D298A6 ; |
{ ; |
77D298A6 B8 B3110000 MOV EAX,11B3 ; |
77D298AB BA 0003FE7F MOV EDX,7FFE0300 ; |
77D298B0 FF12 CALL DWORD PTR DS:[EDX] ; |
77D298B2 C2 0400 RETN 4 ; |
} ; |
012810B7 .- E9 2B8DAA76 JMP user32.77D29DE7 ; |
{ ; |
77D29DE7 C3 RETN ; |
} ; |
} ; /
012815E4 . 2B05 08F02901 SUB EAX,DWORD PTR DS:[oldTimeCount] ; oldTimeCount = baseline recorded at DLL injection; the operand bytes 08F02901 give 0129F008, the same address the GetTickCount hook labels oldTickCount
012815EA . 50 PUSH EAX ; delta since that baseline
012815EB . E8 C0FEFFFF CALL GearNtKe.012814B0 ; scales the delta by nSpeed: 012814B0 is the scaling routine shown in the GetTickCount hook, not a second call to GetMessageTime
012815F0 . 8B0D E4C52901 MOV ECX,DWORD PTR DS:[hMutexObj]
012815F6 . 83C4 04 ADD ESP,4 ; drop the argument pushed for 012814B0
012815F9 . 8BF0 MOV ESI,EAX ; keep the scaled delta across ReleaseMutex
012815FB . 0335 0CF02901 ADD ESI,DWORD PTR DS:[129F00C] ; 129F00C = value computed from timeGetTime
01281601 . 51 PUSH ECX ; /hMutex => 000000C8 (window)
01281602 . FF15 0C302901 CALL DWORD PTR DS:[<&KERNEL32.ReleaseMutex>] ; \ReleaseMutex
01281608 . 8BC6 MOV EAX,ESI ; return value
0128160A . 5E POP ESI
0128160B . C3 RETN
}
/*
 * KUSER_SHARED_DATA as listed by the author. The disassembly on this page
 * addresses it at 7FFE0000 from user mode and reads the first fields
 * directly, without calling into the kernel. Offsets are noted only where a
 * listing on this page shows them.
 */
typedef struct _KUSER_SHARED_DATA
{
ULONG TickCountLowDeprecated; /* +0x000: read by the GetTickCount listing, which labels it TickCountLow */
ULONG TickCountMultiplier; /* +0x004: GetTickCount returns (low * multiplier) >> 24 */
KSYSTEM_TIME InterruptTime; /* +0x008 LowPart, +0x00C High1Time, +0x010 High2Time: read by the timeGetTime listing */
KSYSTEM_TIME SystemTime;
KSYSTEM_TIME TimeZoneBias;
WORD ImageNumberLow;
WORD ImageNumberHigh;
WCHAR NtSystemRoot[260];
ULONG MaxStackTraceDepth;
ULONG CryptoExponent;
ULONG TimeZoneId;
ULONG LargePageMinimum;
ULONG Reserved2[7];
NT_PRODUCT_TYPE NtProductType;
UCHAR ProductTypeIsValid;
ULONG NtMajorVersion;
ULONG NtMinorVersion;
UCHAR ProcessorFeatures[64];
ULONG Reserved1;
ULONG Reserved3;
ULONG TimeSlip;
ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
LARGE_INTEGER SystemExpirationDate;
ULONG SuiteMask;
UCHAR KdDebuggerEnabled;
UCHAR NXSupportPolicy;
ULONG ActiveConsoleId;
ULONG DismountCount;
ULONG ComPlusPackage;
ULONG LastSystemRITEventTickCount;
ULONG NumberOfPhysicalPages;
UCHAR SafeBootMode;
/* NOTE(review): in the Windows headers the Dbg* bit-fields below overlay
   SharedDataFlags in an anonymous union; flattened as listed here they would
   take a separate ULONG. Confirm before relying on any offset past this point. */
ULONG SharedDataFlags;
ULONG DbgErrorPortPresent: 1;
ULONG DbgElevationEnabled: 1;
ULONG DbgVirtEnabled: 1;
ULONG DbgInstallerDetectEnabled: 1;
ULONG SystemDllRelocated: 1;
ULONG SpareBits: 27;
UINT64 TestRetInstruction;
ULONG SystemCall; /* presumably the pointer the user32 stubs call through at 7FFE0300 - TODO confirm the offset for this build */
ULONG SystemCallReturn;
UINT64 SystemCallPad[3];
union
{
KSYSTEM_TIME TickCount;
UINT64 TickCountQuad;
};
ULONG Cookie;
INT64 ConsoleSessionForegroundProcessId;
ULONG Wow64SharedInformation[16];
WORD UserModeGlobalLogger[8];
ULONG HeapTracingPid[2];
ULONG CritSecTracingPid[2];
ULONG ImageFileExecutionOptions;
union
{
UINT64 AffinityPad;
ULONG ActiveProcessorAffinity;
};
UINT64 InterruptTimeBias;
} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA;
变速齿轮原理简单分析(2)
QueryPerformanceCounter和SetTimer
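; QueryPerformanceCounter before the hook (kernel32).
; Calls NtQueryPerformanceCounter with the caller's pointer and the address
; of a local at [EBP-8]; returns 1 when the call succeeds and the dword at
; [EBP-8] is non-zero. The two failure branches (7C841A8E, 7C841A98) are not
; shown. Spacing between mnemonics and operands, lost in extraction, is restored.
kernel32.> 8BFF MOV EDI,EDI
7C80A4C9 55 PUSH EBP
7C80A4CA 8BEC MOV EBP,ESP
7C80A4CC 51 PUSH ECX ; two pushes reserve the 8-byte local at [EBP-8]
7C80A4CD 51 PUSH ECX
7C80A4CE 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
7C80A4D1 50 PUSH EAX ; address of the local
7C80A4D2 FF75 08 PUSH DWORD PTR SS:[EBP+8] ; caller's output pointer
7C80A4D5 FF15 DC13807C CALL DWORD PTR DS:[<&ntdll.NtQueryPerformanceCounter>] ; ntdll.ZwQueryPerformanceCounter
7C80A4DB 85C0 TEST EAX,EAX
7C80A4DD 0F8C AB750300 JL kernel32.7C841A8E ; negative status -> failure path
7C80A4E3 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
7C80A4E7 0F84 AB750300 JE kernel32.7C841A98 ; local is zero -> failure path
7C80A4ED 33C0 XOR EAX,EAX
7C80A4EF 40 INC EAX ; return 1
7C80A4F0 C9 LEAVE
7C80A4F1 C2 0400 RETN 4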
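; QueryPerformanceCounter after the hook.
; The 5-byte prologue (MOV EDI,EDI / PUSH EBP / MOV EBP,ESP) is replaced by a
; JMP rel32 into GearNtKe. The hook calls the original into a local 8-byte
; buffer, then stores
;   ((now - oldPerformanceCount) * nSpeed >> 22) + [129F018:129F01C]
; through the caller's pointer and returns the original function's result.
; NOTE(review): the product comes from __allmul, so the scaled delta presumably
; wraps once delta * nSpeed no longer fits in 64 bits - confirm.
; Spacing between mnemonics and operands, lost in extraction, is restored.
kernel32.>- E9 646FA784 JMP GearNtKe.01281430
{
01281430 /$ A1 E4C52901 MOV EAX,DWORD PTR DS:[<hMutexObj>]
01281435 |. 83EC 08 SUB ESP,8 ; room for the local 64-bit counter
01281438 |. 56 PUSH ESI
01281439 |. 6A FF PUSH -1 ; /Timeout = INFINITE
0128143B |. 50 PUSH EAX ; |hObject => 000000C8 (window)
0128143C |. FF15 10302901 CALL DWORD PTR DS:[<&KERNEL32.WaitForSingleObject>] ; \WaitForSingleObject
01281442 |. 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4] ; address of the local counter
01281446 |. 51 PUSH ECX
01281447 |. E8 C4FFFFFF CALL GearNtKe.01281410 ; trampoline: copied prologue, then the original body
{
01281410 $ 8BFF MOV EDI,EDI
01281412 . 55 PUSH EBP
01281413 ? 8BEC MOV EBP,ESP
01281415 ?- E9 B290587B JMP kernel32.7C80A4CC ; \ calls the original QueryPerformanceCounter
{ ; |
7C80A4CC 51 PUSH ECX ; |
7C80A4CD 51 PUSH ECX ; |
7C80A4CE 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] ; |
7C80A4D1 50 PUSH EAX ; |
7C80A4D2 FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |
7C80A4D5 FF15 DC13807C CALL DWORD PTR DS:[<&ntdll.NtQueryPerformanceCounter>] ; | ntdll.ZwQueryPerformanceCounter
7C80A4DB 85C0 TEST EAX,EAX ; |
7C80A4DD 0F8C AB750300 JL kernel32.7C841A8E ; |
7C80A4E3 837D F8 00 CMP DWORD PTR SS:[EBP-8],0 ; |
7C80A4E7 0F84 AB750300 JE kernel32.7C841A98 ; |
7C80A4ED 33C0 XOR EAX,EAX ; |
7C80A4EF 40 INC EAX ; |
7C80A4F0 C9 LEAVE ; |
7C80A4F1 C2 0400 RETN 4 ; |
} ; |
} ; /
0128144C |. 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4] ; low dword of the real counter
01281450 |. 2B15 10F02901 SUB EDX,DWORD PTR DS:[oldPerformanceCount.LowPart] ; value of the first QueryPerformanceCounter call after injection
01281456 |. 8B0D 20F02901 MOV ECX,DWORD PTR DS:[<nSpeed>]
0128145C |. 8BF0 MOV ESI,EAX ; save the original function's return value
0128145E |. 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8] ; high dword of the real counter
01281462 |. 1B05 14F02901 SBB EAX,DWORD PTR DS:[oldPerformanceCount.HighPart] ; EAX:EDX = 64-bit delta
01281468 |. 6A 00 PUSH 0 ; multiplier, high dword
0128146A |. 51 PUSH ECX ; multiplier, low dword = nSpeed
0128146B |. 50 PUSH EAX ; delta, high dword
0128146C |. 52 PUSH EDX ; delta, low dword
0128146D |. E8 3E1C0000 CALL GearNtKe.012830B0 ; call __allmul()
01281472 |. 0FACD0 16 SHRD EAX,EDX,16 ; 64-bit shift right by 22 (16h), low half
01281476 |. C1EA 16 SHR EDX,16 ; high half
01281479 |. 8BC8 MOV ECX,EAX
0128147B |. 030D 18F02901 ADD ECX,DWORD PTR DS:[129F018] ; SetSpeed(): computed PerformanceCounter.LowPart base
01281481 |. 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10] ; caller's output pointer (MOV leaves the carry intact)
01281485 |. 1315 1CF02901 ADC EDX,DWORD PTR DS:[129F01C] ; SetSpeed(): computed PerformanceCounter.HighPart base
0128148B |. 8908 MOV DWORD PTR DS:[EAX],ECX ; store the scaled counter, low dword
0128148D |. 8950 04 MOV DWORD PTR DS:[EAX+4],EDX ; store the scaled counter, high dword
01281490 |. 8B15 E4C52901 MOV EDX,DWORD PTR DS:[<hMutexObj>]
01281496 |. 52 PUSH EDX ; /hMutex => 000000C8 (window)
01281497 |. FF15 0C302901 CALL DWORD PTR DS:[<&KERNEL32.ReleaseMutex>] ; \ReleaseMutex
0128149D |. 8BC6 MOV EAX,ESI ; return what the original returned
0128149F |. 5E POP ESI
012814A0 |. 83C4 08 ADD ESP,8
012814A3 \. C2 0400 RETN 4
}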
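; SetTimer before the hook (user32).
; A system-call stub: 121Eh in EAX, an indirect call through the pointer
; stored at 7FFE0300, then RETN 10 (four stack arguments).
; Spacing between mnemonics and operands, lost in extraction, is restored.
user32.Se> B8 1E120000 MOV EAX,121E
77D18C33 BA 0003FE7F MOV EDX,7FFE0300
77D18C38 FF12 CALL DWORD PTR DS:[EDX]
{
ntdll.KiF> 8BD4 MOV EDX,ESP
7C92E512 0F34 SYSENTER
ntdll.KiF> C3 RETN
}
77D18C3A C2 1000 RETN 10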
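; SetTimer after the hook.
; The 5-byte MOV EAX,121E at the entry is replaced by a JMP rel32 into
; GearNtKe. The hook rewrites the third argument (uElapse) to
; uElapse * 400000h / nSpeed and passes the other three through unchanged, so
; timer intervals shrink by the same factor by which clock readings grow.
; NOTE(review): no check for nSpeed == 0 is visible before __aulldiv here.
; Spacing between mnemonics and operands, lost in extraction, is restored, and
; the closing brace missing from the original listing is added.
user32.Se>- E9 FD845689 JMP GearNtKe.01281130
{
01281130 . A1 E4C52901 MOV EAX,DWORD PTR DS:[<hMutexObj>]
01281135 . 56 PUSH ESI
01281136 . 6A FF PUSH -1 ; /Timeout = INFINITE
01281138 . 50 PUSH EAX ; |hObject => 000000C8 (window)
01281139 . FF15 10302901 CALL DWORD PTR DS:[<&KERNEL32.WaitForSingleObject>] ; \WaitForSingleObject
0128113F . 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14] ; 4th argument (lpTimerFunc)
01281143 . 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10] ; 3rd argument (uElapse)
01281147 . 51 PUSH ECX ; stays on the stack as the 4th argument for OldSetTimer
01281148 . 52 PUSH EDX ; argument for the scaling routine
01281149 . E8 B2FEFFFF CALL GearNtKe.01281000 ; EAX = uElapse * 400000h / nSpeed
{
01281000 /$ 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
01281004 |. B9 00004000 MOV ECX,400000
01281009 |. F7E1 MUL ECX ; EDX:EAX = interval * 400000h
0128100B |. 8B0D 20F02901 MOV ECX,DWORD PTR DS:[<nSpeed>]
01281011 |. 6A 00 PUSH 0 ; divisor, high dword
01281013 |. 51 PUSH ECX ; divisor, low dword = nSpeed
01281014 |. 52 PUSH EDX ; dividend, high dword
01281015 |. 50 PUSH EAX ; dividend, low dword
01281016 |. E8 15200000 CALL GearNtKe.01283030 ; __aulldiv
0128101B \. C3 RETN
}
0128114E . 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10] ; 1st argument (hWnd)
01281152 . 83C4 04 ADD ESP,4 ; drop the unscaled uElapse
01281155 . 50 PUSH EAX ; scaled uElapse
01281156 . 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14] ; 2nd argument (nIDEvent)
0128115A . 50 PUSH EAX
0128115B . 51 PUSH ECX
0128115C . E8 AFFFFFFF CALL GearNtKe.OldSetTimer
{
GearNtKe.> $ B8 1E120000 MOV EAX,121E ; \ calls the original SetTimer
01281115 ?- E9 197BA976 JMP user32.77D18C33 ; |
{ ; |
77D18C33 BA 0003FE7F MOV EDX,7FFE0300 ; |
77D18C38 FF12 CALL DWORD PTR DS:[EDX] ; |
77D18C3A C2 1000 RETN 10 ; |
} ; /
}
01281161 . 8B15 E4C52901 MOV EDX,DWORD PTR DS:[<hMutexObj>]
01281167 . 52 PUSH EDX ; /hMutex => 000000C8 (window)
01281168 . 8BF0 MOV ESI,EAX ; |
0128116A . FF15 0C302901 CALL DWORD PTR DS:[<&KERNEL32.ReleaseMutex>] ; \ReleaseMutex
01281170 . 8BC6 MOV EAX,ESI ; return what the original SetTimer returned
01281172 . 5E POP ESI
01281173 . C2 1000 RETN 10
}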
变速齿轮原理简单分析(3)
变速齿轮进行Hook的WINMM API
////////////////////////////// WINMM API //////////////////////////////
; timeGetTime before the hook (WINMM).
; If the dword at 76B30014 is non-zero the call is forwarded to GetTickCount.
; Otherwise InterruptTime is read from the shared page, rebased by
; [76B30018:76B3001C], passed with 2710h (10000) to WINMM.76B14E82, and
; [76B30020] is added to the result.
WINMM.tim> 833D 1400B376 0>CMP DWORD PTR DS:[76B30014],0
76B14E56 0F85 97770000 JNZ <JMP.&KERNEL32.GetTickCount>
76B14E5C E8 A8DCFFFF CALL WINMM.76B12B09 ; returns InterruptTime in EDX:EAX
{
76B12B09 8BFF MOV EDI,EDI
76B12B0B 8B15 0C00FE7F MOV EDX,DWORD PTR DS:[7FFE000C] ; KUSER_SHARED_DATA.InterruptTime.High1Time
76B12B11 A1 0800FE7F MOV EAX,DWORD PTR DS:[7FFE0008] ; KUSER_SHARED_DATA.InterruptTime.LowPart
76B12B16 3B15 1000FE7F CMP EDX,DWORD PTR DS:[7FFE0010] ; KUSER_SHARED_DATA.InterruptTime.High2Time
76B12B1C ^ 75 ED JNZ SHORT WINMM.76B12B0B ; re-read until both high copies match
76B12B1E C3 RETN
}
76B14E61 2B05 1800B376 SUB EAX,DWORD PTR DS:[76B30018]
76B14E67 6A 00 PUSH 0
76B14E69 1B15 1C00B376 SBB EDX,DWORD PTR DS:[76B3001C] ; EDX:EAX = 64-bit difference (PUSH leaves the borrow intact)
76B14E6F 68 10270000 PUSH 2710 ; 2710h = 10000
76B14E74 52 PUSH EDX
76B14E75 50 PUSH EAX
76B14E76 E8 07000000 CALL WINMM.76B14E82 ; presumably a 64-bit divide by 10000 (100 ns units to ms); body not shown - confirm
76B14E7B 0305 2000B376 ADD EAX,DWORD PTR DS:[76B30020]
76B14E81 C3 RETN
; timeGetTime after the hook.
; GearNtKe sits at 02C8xxxx in this listing (0128xxxx in the earlier ones),
; presumably a different process or run; the routine offsets match.
; The JMP overwrites 5 bytes of the 7-byte CMP, so the trampoline at 02C81080
; repeats the whole CMP and resumes at 76B14E56.
; Result = ((timeGetTime - oldTickCount) * nSpeed >> 22) + [2C9F00C].
WINMM.tim>- E9 3CC7168C JMP GearNtKe.02C81590
{
02C81590 A1 E4C5C902 MOV EAX,DWORD PTR DS:[<hMutexObj>]
02C81595 56 PUSH ESI
02C81596 6A FF PUSH -1 ; timeout = INFINITE (-1)
02C81598 50 PUSH EAX ; mutex handle loaded above
02C81599 FF15 1030C902 CALL DWORD PTR DS:[<&KERNEL32.WaitForSin>; kernel32.WaitForSingleObject
02C8159F E8 DCFAFFFF CALL GearNtKe.02C81080 ; \ calls the original timeGetTime
{ ; |
02C81080 833D 1400B376 0>CMP DWORD PTR DS:[76B30014],0 ; |
02C81087 - E9 CA3DE973 JMP WINMM.76B14E56 ; |
} ; /
02C815A4 2B05 08F0C902 SUB EAX,DWORD PTR DS:[oldTickCount] ; delta since the recorded baseline
02C815AA 50 PUSH EAX
02C815AB E8 00FFFFFF CALL GearNtKe.02C814B0 ; scale the delta by the speed factor
{
02C814B0 A1 20F0C902 MOV EAX,DWORD PTR DS:[nSpeed] ; speed value
02C814B5 F76424 04 MUL DWORD PTR SS:[ESP+4] ; EDX:EAX = nSpeed * delta
02C814B9 0FACD0 16 SHRD EAX,EDX,16 ; EAX = low dword of product >> 22 (16h)
02C814BD C1EA 16 SHR EDX,16
02C814C0 C3 RETN
}
02C815B0 8B0D E4C5C902 MOV ECX,DWORD PTR DS:[<hMutexObj>]
02C815B6 83C4 04 ADD ESP,4 ; drop the argument pushed for 02C814B0
02C815B9 8BF0 MOV ESI,EAX ; keep the scaled delta across ReleaseMutex
02C815BB 0335 0CF0C902 ADD ESI,DWORD PTR DS:[2C9F00C] ; 2C9F00C = timeGetTime value changed by SetSpeed
02C815C1 51 PUSH ECX
02C815C2 FF15 0C30C902 CALL DWORD PTR DS:[<&KERNEL32.ReleaseMut>; kernel32.ReleaseMutex
02C815C8 8BC6 MOV EAX,ESI ; return value
02C815CA 5E POP ESI
02C815CB C3 RETN
}
; timeSetEvent before the hook (WINMM).
; Returns 0 when the fifth argument ([EBP+18]) has any bit of FFFFFE0E set;
; otherwise forwards the five arguments plus an extra 0 to WINMM.76B2AFB0.
WINMM.tim> 8BFF MOV EDI,EDI
76B2B092 55 PUSH EBP
76B2B093 8BEC MOV EBP,ESP
76B2B095 F745 18 0EFEFFF>TEST DWORD PTR SS:[EBP+18],FFFFFE0E
76B2B09C 74 04 JE SHORT WINMM.76B2B0A2 ; none of the masked bits set -> continue
76B2B09E 33C0 XOR EAX,EAX ; masked bit set -> return 0
76B2B0A0 EB 16 JMP SHORT WINMM.76B2B0B8
76B2B0A2 6A 00 PUSH 0 ; extra trailing argument for the internal routine
76B2B0A4 FF75 18 PUSH DWORD PTR SS:[EBP+18]
76B2B0A7 FF75 14 PUSH DWORD PTR SS:[EBP+14]
76B2B0AA FF75 10 PUSH DWORD PTR SS:[EBP+10]
76B2B0AD FF75 0C PUSH DWORD PTR SS:[EBP+C]
76B2B0B0 FF75 08 PUSH DWORD PTR SS:[EBP+8]
76B2B0B3 E8 F8FEFFFF CALL WINMM.76B2AFB0
76B2B0B8 5D POP EBP
76B2B0B9 C2 1400 RETN 14 ; five stack arguments
; timeSetEvent after the hook.
; The 5-byte prologue is replaced by a JMP rel32 into GearNtKe. The hook
; re-pushes the caller's five arguments, replaces the first one (uDelay) with
; uDelay * 400000h / nSpeed, and calls the original through a trampoline.
; NOTE(review): no check for nSpeed == 0 is visible before __aulldiv here.
WINMM.tim>- E9 1B61158C JMP GearNtKe.02C811B0
{
02C811B0 A1 E4C5C902 MOV EAX,DWORD PTR DS:[<hMutexObj>]
02C811B5 56 PUSH ESI
02C811B6 6A FF PUSH -1 ; timeout = INFINITE (-1)
02C811B8 50 PUSH EAX ; mutex handle loaded above
02C811B9 FF15 1030C902 CALL DWORD PTR DS:[<&KERNEL32.WaitForSin>; kernel32.WaitForSingleObject
02C811BF 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18] ; 5th argument
02C811C3 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14] ; 4th argument
02C811C7 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10] ; 3rd argument
02C811CB 51 PUSH ECX
02C811CC 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10] ; 2nd argument (offset shifted by the push above)
02C811D0 52 PUSH EDX
02C811D1 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10] ; 1st argument, uDelay (two pushes later)
02C811D5 50 PUSH EAX
02C811D6 51 PUSH ECX
02C811D7 52 PUSH EDX ; uDelay, consumed by the scaling routine
02C811D8 E8 23FEFFFF CALL GearNtKe.02C81000 ; apply the speed scaling
{
02C81000 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
02C81004 B9 00004000 MOV ECX,400000
02C81009 F7E1 MUL ECX ; EDX:EAX = uDelay * 400000h
02C8100B 8B0D 20F0C902 MOV ECX,DWORD PTR DS:[2C9F020] ; same address the timeGetTime hook labels nSpeed
02C81011 6A 00 PUSH 0
02C81013 51 PUSH ECX
02C81014 52 PUSH EDX
02C81015 50 PUSH EAX
02C81016 E8 15200000 CALL GearNtKe.02C83030 ; __aulldiv
02C8101B C3 RETN
}
02C811DD 83C4 04 ADD ESP,4 ; drop the unscaled uDelay
02C811E0 50 PUSH EAX ; uDelay (scaled)
02C811E1 E8 AAFFFFFF CALL GearNtKe.02C81190 ; \ calls the original timeSetEvent
{ ; |
02C81190 8BFF MOV EDI,EDI ; |
02C81192 55 PUSH EBP ; |
02C81193 8BEC MOV EBP,ESP ; |
02C81195 - E9 FB9EEA73 JMP WINMM.76B2B095 ; /
}
02C811E6 8BF0 MOV ESI,EAX ; keep the original's return value across ReleaseMutex
02C811E8 A1 E4C5C902 MOV EAX,DWORD PTR DS:[<hMutexObj>]
02C811ED 50 PUSH EAX
02C811EE FF15 0C30C902 CALL DWORD PTR DS:[<&KERNEL32.ReleaseMut>; kernel32.ReleaseMutex
02C811F4 8BC6 MOV EAX,ESI
02C811F6 5E POP ESI
02C811F7 C2 1400 RETN 14
}
|
|