
【依頼の目的と内容説明】 shell32.dllの解析
【プロセッサの種類】 x86 【OSの種類】 Win Server 2003 【言語】 C/C++
【報酬金額と送金方法】 報酬なし
【アセンブリまたは機械語】
# Func7C95C607@12 -- stdcall routine taking three stack arguments (ret 0xc),
# disassembled from 32-bit x86 code. Intel operand order; each line is
# "ADDRESS: instruction", and "# jump_from" lists the branch sources of a label.
#
# What the listing shows: the input path is copied to a local buffer, a root
# prefix is built in a second local buffer, the root is written back over the
# caller's string, and the remaining path components are appended one at a
# time while "." and ".." components are resolved.
#
# Arguments as used below:
#   [ebp+0x8]   WCHAR string pointer: read as the input path and also used as
#               the destination the result is written into ("dest").
#   [ebp+0xc]   pointer compared with 0 and, when non-zero, copied as a string
#               into the root buffer; only consulted when the drive lookup on
#               the input returns 0xffffffff.
#   [ebp+0x10]  flags; only bit 0 is tested (7C95C76B).
# Locals:
#   [ebp-0x4]   copy of the dword at 0x7cae9764, handed back in ecx to
#               Func7C92EC80 just before returning (presumably the /GS stack
#               cookie and its check -- confirm).
#   [ebp-0x20c] 0x208 bytes = 0x104 WCHARs: working copy of the input ("work").
#               It ends exactly where the [ebp-0x4] slot begins.
#   [ebp-0x414] 0x208 bytes = 0x104 WCHARs: root/prefix buffer ("root").
#   [ebp-0x418] first a copy of argument 2, later the IsLFNDriveW result.
#   [ebp-0x41c] saved copy of argument 1 (dest).
#   [ebp-0x420] saved character budget, used only in the extension handling.
# Main-loop registers: esi = read cursor in work, ebx = dest, edi = remaining
# character budget, eax = write cursor in dest.
#
# NOTE(review): the function never receives a size for dest. It writes up to
# 0x104 WCHARs there, so callers have to supply a buffer at least that large.
proc Func7C95C607@12 Label_7C95C607
Label_7C95C607:
# Prologue: two-byte no-op, frame pointer, 0x420 bytes of locals.
7C95C607: mov edi, edi
7C95C609: push ebp
7C95C60A: mov ebp, esp
7C95C60C: sub esp, 0x420
# Load the global dword at 0x7cae9764; it is stored at [ebp-0x4] below.
7C95C612: mov eax, [0x7cae9764]
7C95C617: push ebx
7C95C618: push edi
7C95C619: mov edi, [ebp+0x8]
7C95C61C: mov [ebp-0x4], eax
7C95C61F: mov eax, [ebp+0xc]
# Arguments for StringCchCopyW(work, 0x104, arg1), pushed right to left.
7C95C622: push edi
7C95C623: mov [ebp-0x418], eax
7C95C629: mov ebx, 0x104
7C95C62E: push ebx
7C95C62F: lea eax, [ebp-0x20c]
7C95C635: push eax
7C95C636: mov [ebp-0x41c], edi
7C95C63C: call Func7C92C7B9@12
# Negative result (failed copy): leave without modifying dest.
7C95C641: test eax, eax
7C95C643: jl Label_7C95C776
# esi is saved only past the early exit; it is restored at 7C95C76F, before
# the common epilogue at Label_7C95C776, which pops just edi and ebx.
7C95C649: push esi
7C95C64A: lea eax, [ebp-0x20c]
7C95C650: push eax
# shlwapi ordinal 448 = FixSlashesAndColonW(work), per the note under the listing.
7C95C651: call shlwapi.dll!448
7C95C657: lea esi, [ebp-0x20c]
7C95C65D: mov eax, esi
7C95C65F: push eax
# The PathFindFileNameW result is not used: eax is overwritten on the next line.
7C95C660: call shlwapi.dll!PathFindFileNameW
7C95C666: mov eax, esi
7C95C668: push eax
7C95C669: call shlwapi.dll!PathIsUNCW
# mov and push leave the flags alone, so the jnz still tests the PathIsUNCW
# result. The pushed work pointer is the argument of whichever call follows.
7C95C66F: test eax, eax
7C95C671: mov eax, esi
7C95C673: push eax
7C95C674: jnz Label_7C973A87
# Not UNC: call through the pointer stored at 0x7c8d20f4 with work as argument.
# The listing does not name the target; presumably a drive-number lookup, as
# the result is compared with -1 and then passed to PathBuildRootW -- confirm.
7C95C67A: mov edi, [0x7c8d20f4]
7C95C680: call edi
7C95C682: cmp eax, 0xffffffff
7C95C685: jz Label_7C973AF1
# PathBuildRootW(root, value returned by the call above).
7C95C68B: push eax
7C95C68C: lea eax, [ebp-0x414]
7C95C692: push eax
7C95C693: call shlwapi.dll!PathBuildRootW
# esi = &work[2], or &work[3] when work[2] is a backslash (0x5c).
7C95C699: cmp word [ebp-0x208], 0x5c
7C95C6A1: lea esi, [ebp-0x208]
7C95C6A7: jnz Label_7C95C6AF
7C95C6A9: lea esi, [ebp-0x206]
Label_7C95C6AF:
# IsLFNDriveW(root); the result replaces argument 2 in [ebp-0x418].
# Zero sends the remainder through the character filter at Label_7C973B63.
7C95C6AF: lea eax, [ebp-0x414] # jump_from : 7C95C6A7 7C973B4B 7C973B5E
7C95C6B5: push eax
7C95C6B6: call shell32.dll!IsLFNDriveW@4
7C95C6BB: test eax, eax
7C95C6BD: mov [ebp-0x418], eax
7C95C6C3: jz Label_7C973B63
Label_7C95C6C9:
# StringCchCopyW(dest, ebx, root); ebx is still 0x104 on the paths that reach
# this label. The result is not checked.
7C95C6C9: lea eax, [ebp-0x414] # jump_from : 7C973B68 7C973B8E
7C95C6CF: push eax
7C95C6D0: push ebx
7C95C6D1: push dword [ebp-0x41c]
7C95C6D7: call Func7C92C7B9@12
7C95C6DC: push dword [ebp-0x41c]
7C95C6E2: call kernel32.dll!lstrlenW
Label_7C95C6E8:
# Budget of characters that may still be appended: edi = 0x103 - eax.
7C95C6E8: mov edi, 0x103 # jump_from : 7C973ADD
7C95C6ED: sub edi, eax
Label_7C95C6EF:
# Reload dest into ebx; the extension handling reuses ebx as a cursor.
7C95C6EF: mov ebx, [ebp-0x41c] # jump_from : 7C95C762 7C973AA7
Label_7C95C6F5:
# Component loop: finish at the terminator or when the budget is used up
# (signed test, so a negative budget also stops). A leading '.' (0x2e) goes
# to the "." / ".." handling at Label_7C973B96.
7C95C6F5: mov ax, [esi] # jump_from : 7C973BEE 7C973BF5
7C95C6F8: test ax, ax
7C95C6FB: jz Label_7C95C764
7C95C6FD: test edi, edi
7C95C6FF: jle Label_7C95C764
7C95C701: cmp ax, 0x2e
7C95C705: jz Label_7C973B96
Label_7C95C70B:
# PathAddBackslashW(dest); a zero result clears the budget at Label_7C973BF3.
7C95C70B: push ebx # jump_from : 7C973BC0
7C95C70C: call shlwapi.dll!PathAddBackslashW
7C95C712: test eax, eax
7C95C714: jz Label_7C973BF3
# One budget unit is consumed here; eax becomes the write cursor
# dest + 2*lstrlenW(dest), i.e. the current terminator of dest.
7C95C71A: push ebx
7C95C71B: dec edi
7C95C71C: call kernel32.dll!lstrlenW
7C95C722: cmp dword [ebp-0x418], 0x0
7C95C729: mov cx, [esi]
7C95C72C: lea eax, [ebx+eax*2]
# lea does not touch the flags: the jz tests [ebp-0x418] and selects the
# length-limited copy at Label_7C973BFA when it is zero.
7C95C72F: jz Label_7C973BFA
7C95C735: test cx, cx
7C95C738: jz Label_7C95C75E
Label_7C95C73A:
# Copy one component: stop at a backslash or when the budget reaches zero,
# otherwise store the character and advance both cursors by one WCHAR.
7C95C73A: cmp cx, 0x5c # jump_from : 7C95C754
7C95C73E: jz Label_7C95C756
7C95C740: test edi, edi
7C95C742: jle Label_7C95C756
7C95C744: mov [eax], cx
7C95C747: dec edi
7C95C748: inc eax
7C95C749: inc eax
7C95C74A: inc esi
7C95C74B: inc esi
7C95C74C: xor ecx, ecx
7C95C74E: mov cx, [esi]
7C95C751: test cx, cx
7C95C754: jnz Label_7C95C73A
Label_7C95C756:
# Step over the character the copy stopped on unless it is the terminator.
7C95C756: cmp word [esi], 0x0 # jump_from : 7C95C73E 7C95C742 7C973C2E 7C973C36 7C973C61 7C973C69 7C973C98
7C95C75A: jz Label_7C95C75E
7C95C75C: inc esi
7C95C75D: inc esi
Label_7C95C75E:
# Write the terminator at the write cursor, then handle the next component.
7C95C75E: and word [eax], 0x0 # jump_from : 7C95C738 7C95C75A 7C973C57
7C95C762: jmp Label_7C95C6EF
Label_7C95C764:
# Done: PathRemoveBackslashW(dest). With bit 0 of argument 3 clear, the
# trailing-dot check at Label_7C973CA0 runs before the epilogue.
7C95C764: push ebx # jump_from : 7C95C6FB 7C95C6FF 7C973BCC 7C973BE6
7C95C765: call shlwapi.dll!PathRemoveBackslashW
7C95C76B: test byte [ebp+0x10], 0x1
7C95C76F: pop esi
7C95C770: jz Label_7C973CA0
Label_7C95C776:
# Epilogue: the value saved at [ebp-0x4] goes to Func7C92EC80 in ecx. The note
# under the listing says that function returns void and checks ecx; presumably
# the stack-cookie check -- confirm. The "@12" in its name does not match this
# call site, which pushes no arguments.
7C95C776: mov ecx, [ebp-0x4] # jump_from : 7C95C643 7C973CAF 7C973CB9
7C95C779: pop edi
7C95C77A: pop ebx
7C95C77B: call Func7C92EC80@12
7C95C780: leave
7C95C781: ret 0xc
Label_7C973A87:
# UNC input: IsLFNDriveW(work), using the pointer pushed at 7C95C673.
# edi still holds argument 1 here because the load at 7C95C67A was skipped.
7C973A87: call shell32.dll!IsLFNDriveW@4 # jump_from : 7C95C674
7C973A8C: xor ebx, ebx
7C973A8E: cmp eax, ebx
7C973A90: mov [ebp-0x418], eax
7C973A96: jz Label_7C973AAC
# Non-zero result: terminate dest after its first two characters.
7C973A98: mov [edi+0x4], bx
Label_7C973A9C:
# Budget 0x101, read cursor at &work[2], then into the component loop.
7C973A9C: mov edi, 0x101 # jump_from : 7C973AEF
7C973AA1: lea esi, [ebp-0x208]
7C973AA7: jmp Label_7C95C6EF
Label_7C973AAC:
# Zero result: call through the pointer at 0x7c8d2070 with (dest + 2 WCHARs,
# 0x5c). The listing does not name the target; presumably a character search
# that returns a pointer or 0 -- confirm.
7C973AAC: mov esi, [0x7c8d2070] # jump_from : 7C973A96
7C973AB2: push 0x5c
7C973AB4: add edi, 0x4
7C973AB7: push edi
7C973AB8: call esi
7C973ABA: cmp eax, ebx
7C973ABC: jz Label_7C973AE2
# Same call again, starting one WCHAR past the first hit.
7C973ABE: push 0x5c
7C973AC0: add eax, 0x2
7C973AC3: push eax
7C973AC4: call esi
7C973AC6: cmp eax, ebx
7C973AC8: jz Label_7C973AE2
# Terminate dest one WCHAR past the second hit; eax becomes that hit's
# character index in dest, and esi the same index inside work.
7C973ACA: mov [eax+0x2], bx
7C973ACE: sub eax, [ebp-0x41c]
7C973AD4: sar eax, 1
7C973AD6: lea esi, [ebp+eax*2-0x20c]
7C973ADD: jmp Label_7C95C6E8
Label_7C973AE2:
# Either search returned 0: force [ebp-0x418] to 1 and terminate dest at
# index 2 (edi was advanced by 4 bytes at 7C973AB4).
7C973AE2: mov dword [ebp-0x418], 0x1 # jump_from : 7C973ABC 7C973AC8
7C973AEC: mov [edi], bx
7C973AEF: jmp Label_7C973A9C
Label_7C973AF1:
# Drive lookup returned -1. [ebp-0x418] still holds argument 2 here; when it
# is non-zero, StringCchCopyW(root, ebx, arg2) with ebx = 0x104.
7C973AF1: cmp dword [ebp-0x418], 0x0 # jump_from : 7C95C685
7C973AF8: jz Label_7C973B11
7C973AFA: push dword [ebp-0x418]
7C973B00: lea eax, [ebp-0x414]
7C973B06: push ebx
7C973B07: push eax
7C973B08: call Func7C92C7B9@12
7C973B0D: test eax, eax
7C973B0F: jge Label_7C973B43
Label_7C973B11:
# No argument 2, or its copy failed: empty root, GetWindowsDirectoryW(root,
# 0x104), then the same lookup through edi and PathBuildRootW on the result.
7C973B11: and word [ebp-0x414], 0x0 # jump_from : 7C973AF8
7C973B19: push ebx
7C973B1A: lea eax, [ebp-0x414]
7C973B20: push eax
7C973B21: call kernel32.dll!GetWindowsDirectoryW
7C973B27: lea eax, [ebp-0x414]
7C973B2D: push eax
7C973B2E: call edi
7C973B30: cmp eax, 0xffffffff
7C973B33: jz Label_7C973B43
7C973B35: push eax
7C973B36: lea eax, [ebp-0x414]
7C973B3C: push eax
7C973B3D: call shlwapi.dll!PathBuildRootW
Label_7C973B43:
# When work starts with a backslash, reduce root with PathStripToRootW.
# esi still points at work[0] on this path (set at 7C95C657).
7C973B43: cmp word [ebp-0x20c], 0x5c # jump_from : 7C973B0F 7C973B33
7C973B4B: jnz Label_7C95C6AF
7C973B51: lea eax, [ebp-0x414]
7C973B57: push eax
7C973B58: call shlwapi.dll!PathStripToRootW
7C973B5E: jmp Label_7C95C6AF
Label_7C973B63:
# IsLFNDriveW returned 0, so eax is 0: nothing to filter if the remainder is
# empty. edi is reused as a cursor and set again at Label_7C95C6E8.
7C973B63: cmp [esi], ax # jump_from : 7C95C6C3
7C973B66: mov edi, esi
7C973B68: jz Label_7C95C6C9
Label_7C973B6E:
# shlwapi ordinal 456 = PathIsValidCharW(c, class), per the note under the
# listing; called with class 0x11c. A zero result replaces the character in
# work with '_' (0x5f).
7C973B6E: xor eax, eax # jump_from : 7C973B94
7C973B70: mov ax, [edi]
7C973B73: push 0x11c
7C973B78: push eax
7C973B79: call shlwapi.dll!456
7C973B7F: test eax, eax
7C973B81: jnz Label_7C973B88
7C973B83: mov word [edi], 0x5f
Label_7C973B88:
7C973B88: inc edi # jump_from : 7C973B81
7C973B89: inc edi
7C973B8A: cmp word [edi], 0x0
7C973B8E: jz Label_7C95C6C9
7C973B94: jmp Label_7C973B6E
Label_7C973B96:
# Component starts with '.': ax is 0x2e on entry. If the next character is
# also '.' and the one after it is the terminator or a backslash, the
# component is ".." and PathRemoveFileSpecW(dest) is called.
7C973B96: mov cx, [esi+0x2] # jump_from : 7C95C705
7C973B9A: cmp cx, ax
7C973B9D: jnz Label_7C973BB7
7C973B9F: mov ax, [esi+0x4]
7C973BA3: test ax, ax
7C973BA6: jz Label_7C973BAE
7C973BA8: cmp ax, 0x5c
7C973BAC: jnz Label_7C973BB7
Label_7C973BAE:
7C973BAE: push ebx # jump_from : 7C973BA6
7C973BAF: call shlwapi.dll!PathRemoveFileSpecW
7C973BB5: jmp Label_7C973BC6
Label_7C973BB7:
# A lone "." (next character is the terminator or a backslash) is skipped;
# any other name starting with '.' is copied as an ordinary component.
7C973BB7: test cx, cx # jump_from : 7C973B9D 7C973BAC
7C973BBA: jz Label_7C973BC6
7C973BBC: cmp cx, 0x5c
7C973BC0: jnz Label_7C95C70B
Label_7C973BC6:
# Skip the rest of this component: advance esi to the next backslash or the
# terminator, step over the backslash, and continue with the next component.
7C973BC6: mov ax, [esi] # jump_from : 7C973BB5 7C973BBA
7C973BC9: test ax, ax
7C973BCC: jz Label_7C95C764
Label_7C973BD2:
7C973BD2: cmp ax, 0x5c # jump_from : 7C973BE0
7C973BD6: jz Label_7C973BE2
7C973BD8: inc esi
7C973BD9: inc esi
7C973BDA: mov ax, [esi]
7C973BDD: test ax, ax
7C973BE0: jnz Label_7C973BD2
Label_7C973BE2:
7C973BE2: cmp word [esi], 0x0 # jump_from : 7C973BD6
7C973BE6: jz Label_7C95C764
7C973BEC: inc esi
7C973BED: inc esi
7C973BEE: jmp Label_7C95C6F5
Label_7C973BF3:
# PathAddBackslashW returned 0: clear the budget so the loop head exits.
7C973BF3: xor edi, edi # jump_from : 7C95C714
7C973BF5: jmp Label_7C95C6F5
Label_7C973BFA:
# [ebp-0x418] is zero: copy the name part with a limit of edx = 8 characters.
7C973BFA: push 0x8 # jump_from : 7C95C72F
7C973BFC: pop edx
7C973BFD: jmp Label_7C973C25
Label_7C973BFF:
# Stop at '\' (0x5c), '/' (0x2f), '.' (0x2e) or an exhausted budget. Once edx
# reaches zero, further characters are read but not stored.
7C973BFF: cmp cx, 0x5c # jump_from : 7C973C28
7C973C03: jz Label_7C973C2A
7C973C05: cmp cx, 0x2f
7C973C09: jz Label_7C973C2A
7C973C0B: cmp cx, 0x2e
7C973C0F: jz Label_7C973C34
7C973C11: test edi, edi
7C973C13: jle Label_7C973C2A
7C973C15: test edx, edx
7C973C17: jle Label_7C973C20
7C973C19: dec edx
7C973C1A: dec edi
7C973C1B: mov [eax], cx
7C973C1E: inc eax
7C973C1F: inc eax
Label_7C973C20:
7C973C20: inc esi # jump_from : 7C973C17
7C973C21: inc esi
7C973C22: mov cx, [esi]
Label_7C973C25:
7C973C25: test cx, cx # jump_from : 7C973BFD
7C973C28: jnz Label_7C973BFF
Label_7C973C2A:
7C973C2A: cmp word [esi], 0x2e # jump_from : 7C973C03 7C973C09 7C973C13
7C973C2E: jnz Label_7C95C756
Label_7C973C34:
# Extension: store '.', then remember the write cursor in ebx and the budget
# in [ebp-0x420] so a later '.' can restart the extension. edx = 3 is the
# extension limit. push/mov/pop leave the flags alone, so the jz at 7C973C57
# still tests the character loaded at 7C973C46.
7C973C34: test edi, edi # jump_from : 7C973C0F
7C973C36: jle Label_7C95C756
7C973C3C: mov word [eax], 0x2e
7C973C41: inc eax
7C973C42: inc eax
7C973C43: dec edi
7C973C44: inc esi
7C973C45: inc esi
7C973C46: mov cx, [esi]
7C973C49: test cx, cx
7C973C4C: push 0x3
7C973C4E: mov ebx, eax
7C973C50: mov [ebp-0x420], edi
7C973C56: pop edx
7C973C57: jz Label_7C95C75E
Label_7C973C5D:
# Extension copy: stop at a backslash or an exhausted budget. On another '.',
# restore the saved budget, reset the limit to 3 and rewind the write cursor
# to ebx, so the text after that '.' overwrites what was stored before.
7C973C5D: cmp cx, 0x5c # jump_from : 7C973C9E
7C973C61: jz Label_7C95C756
7C973C67: test edi, edi
7C973C69: jle Label_7C95C756
7C973C6F: cmp cx, 0x2e
7C973C73: jnz Label_7C973C82
7C973C75: mov edi, [ebp-0x420]
7C973C7B: push 0x3
7C973C7D: inc esi
7C973C7E: pop edx
7C973C7F: mov eax, ebx
7C973C81: inc esi
Label_7C973C82:
7C973C82: test edx, edx # jump_from : 7C973C73
7C973C84: jle Label_7C973C90
7C973C86: mov cx, [esi]
7C973C89: dec edx
7C973C8A: dec edi
7C973C8B: mov [eax], cx
7C973C8E: inc eax
7C973C8F: inc eax
Label_7C973C90:
7C973C90: inc esi # jump_from : 7C973C84
7C973C91: inc esi
7C973C92: mov cx, [esi]
7C973C95: test cx, cx
7C973C98: jz Label_7C95C756
7C973C9E: jmp Label_7C973C5D
Label_7C973CA0:
# Bit 0 of argument 3 is clear: if the last character of dest is '.', replace
# it with the terminator.
# NOTE(review): the address is dest + 2*len - 2 with no test for len == 0, so
# an empty dest would make this access the WCHAR just before the buffer.
# Whether dest can be empty here depends on the callers -- confirm.
7C973CA0: push ebx # jump_from : 7C95C770
7C973CA1: call kernel32.dll!lstrlenW
7C973CA7: lea eax, [ebx+eax*2-0x2]
7C973CAB: cmp word [eax], 0x2e
7C973CAF: jnz Label_7C95C776
7C973CB5: and word [eax], 0x0
7C973CB9: jmp Label_7C95C776
end proc

Func7C92C7B9は前述のStringCchCopyW関数です。
Func7C92EC80の引数は不明ですが、戻り値がvoidでecxをチェックすることが分かっています。
shlwapi.dll!448は、VOID WINAPI FixSlashesAndColonW(LPWSTR lpwstr)です。
shlwapi.dll!456は、BOOL WINAPI PathIsValidCharW(WCHAR c, DWORD class)です。
長いですが、解析お願いします。