pyreml is a Python module for loading REML files and processing their data easily. It works well from an interactive Python interpreter, which makes it nice for research purposes. It supports Intel x86 and ARM and abstracts the architecture away, so there is no need to care which one is being dealt with.

Documentation:

The README file accompanying the release can be read here.

The module documentation has been put together using pydoc and can be found here.

Download:

pyreml can be downloaded from here.

Usage:

I have used pyreml together with idb2reml and pydot to generate some of the call graphs you can see in pydot's page.

As a basic usage example, the following code:

import pyreml

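# Load the REML export and dump every function with its callers and
# instructions, one instruction per line.
#
# NOTE(review): function names and operand text presumably come from the
# analysed binary via the REML export. For untrusted samples treat them as
# untrusted strings: printing them with %s writes them to the terminal
# unescaped, while repr() keeps control characters visible.
binary = pyreml.load('Test App.reml')  # renamed: `bin` shadowed the builtin

for f in binary.get_functions():
    # Single-argument print(...) gives the same output whether it is parsed
    # as a Python 2 print statement or a Python 3 function call.
    print('> Function [%s]' % f.name)
    print('> called from %s' % repr([x.name for x in f.get_caller_functions()]))

    for i in f.get_instructions():
        # i.comment is also available on each instruction. The original
        # copied it into a local that was never printed, so the dead
        # assignment is dropped and the output is unchanged.
        ops = repr(i.operands) if i.operands else ''

        print('\t[%08x] %-10s %s %s' % (i.address, i.data, i.mnemonic, ops))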

 

will produce, for the test application introduced on the idb2reml page, output like the following:

> Function [}}00]
> called from []
[00401000] 55 push [(0, 1, u'ebp')]
[00401001] 89e5 mov [(0, 1, u'ebp'), (1, 1, u'esp')]
[00401003] 83ec18 sub [(0, 1, u'esp'), (1, 5, u'24')]
[00401006] 895df8 mov [(0, 4, u'[ebp+var_8]'), (1, 1, u'ebx')]
[00401009] 8b5508 mov [(0, 1, u'edx'), (1, 4, u'[ebp+arg_0]')]
[0040100c] 31db xor [(0, 1, u'ebx'), (1, 1, u'ebx')]
[0040100e] 8975fc mov [(0, 4, u'[ebp+var_4]'), (1, 1, u'esi')]
[00401011] 8b02 mov [(0, 1, u'eax'), (1, 3, u'[edx]')]
[00401013] 31f6 xor [(0, 1, u'esi'), (1, 1, u'esi')]
[00401015] 8b00 mov [(0, 1, u'eax'), (1, 3, u'[eax]')]
[00401017] 3d910000c0 cmp [(0, 1, u'eax'), (1, 5, u'-1073741679')]
[0040101c] 7743 ja [(0, 7, u'4198497')]
[0040101e] 3d8d0000c0 cmp [(0, 1, u'eax'), (1, 5, u'-1073741683')]
[00401023] 725b jb [(0, 7, u'4198528')]
[00401025] be01000000 mov [(0, 1, u'esi'), (1, 5, u'1')]
[0040102a] c7042408000000 mov [(0, 3, u'[esp+18h+var_18]'), (1, 5, u'8')]
[00401031] 31c0 xor [(0, 1, u'eax'), (1, 1, u'eax')]
[00401033] 89442404 mov [(0, 4, u'[esp+18h+var_14]'), (1, 1, u'eax')]
[00401037] e884070000 call [(0, 7, u'4200384')]
[0040103c] 83f801 cmp [(0, 1, u'eax'), (1, 5, u'1')]
[0040103f] 746c jz [(0, 7, u'4198573')]
[00401041] 85c0 test [(0, 1, u'eax'), (1, 1, u'eax')]
[00401043] 742a jz [(0, 7, u'4198511')]
[00401045] c7042408000000 mov [(0, 3, u'[esp+18h+var_18]'), (1, 5, u'8')]
[0040104c] ffd0 call [(0, 1, u'eax')]
[0040104e] bbffffffff mov [(0, 1, u'ebx'), (1, 5, u'-1')]
[00401053] 89d8 mov [(0, 1, u'eax'), (1, 1, u'ebx')]
[00401055] 8b75fc mov [(0, 1, u'esi'), (1, 4, u'[ebp+var_4]')]
[00401058] 8b5df8 mov [(0, 1, u'ebx'), (1, 4, u'[ebp+var_8]')]
[0040105b] 89ec mov [(0, 1, u'esp'), (1, 1, u'ebp')]
[0040105d] 5d pop [(0, 1, u'ebp')]
[0040105e] c20400 retn [(0, 5, u'4')]
[00401061] 3d930000c0 cmp [(0, 1, u'eax'), (1, 5, u'-1073741677')]
[00401066] 74bd jz [(0, 7, u'4198437')]
[00401068] 3d940000c0 cmp [(0, 1, u'eax'), (1, 5, u'-1073741676')]
[0040106d] 74bb jz [(0, 7, u'4198442')]
[0040106f] 89d8 mov [(0, 1, u'eax'), (1, 1, u'ebx')]
[00401071] 8b75fc mov [(0, 1, u'esi'), (1, 4, u'[ebp+var_4]')]
[00401074] 8b5df8 mov [(0, 1, u'ebx'), (1, 4, u'[ebp+var_8]')]
[00401077] 89ec mov [(0, 1, u'esp'), (1, 1, u'ebp')]
[00401079] 5d pop [(0, 1, u'ebp')]
[0040107a] c20400 retn [(0, 5, u'4')]
[00401080] 3d050000c0 cmp [(0, 1, u'eax'), (1, 5, u'-1073741819')]
[00401085] 75e8 jnz [(0, 7, u'4198511')]
[00401087] c704240b000000 mov [(0, 3, u'dword ptr [esp+0]'), (1, 5, u'11')]
[0040108e] 31f6 xor [(0, 1, u'esi'), (1, 1, u'esi')]
[00401090] 89742404 mov [(0, 4, u'[esp+1Ch+var_18]'), (1, 1, u'esi')]
[00401094] e827070000 call [(0, 7, u'4200384')]
[00401099] 83f801 cmp [(0, 1, u'eax'), (1, 5, u'1')]
[0040109c] 7434 jz [(0, 7, u'4198610')]
[0040109e] 85c0 test [(0, 1, u'eax'), (1, 1, u'eax')]
[004010a0] 74cd jz [(0, 7, u'4198511')]
[004010a2] c704240b000000 mov [(0, 3, u'dword ptr [esp+0]'), (1, 5, u'11')]
[004010a9] ffd0 call [(0, 1, u'eax')]
[004010ab] eba1 jmp [(0, 7, u'4198478')]
[004010ad] c7042408000000 mov [(0, 3, u'dword ptr [esp+0]'), (1, 5, u'8')]
[004010b4] bb01000000 mov [(0, 1, u'ebx'), (1, 5, u'1')]
[004010b9] 895c2404 mov [(0, 4, u'[esp+4]'), (1, 1, u'ebx')]
[004010bd] e8fe060000 call [(0, 7, u'4200384')]
[004010c2] 85f6 test [(0, 1, u'esi'), (1, 1, u'esi')]
[004010c4] 7488 jz [(0, 7, u'4198478')]
[004010c6] e835020000 call [(0, 7, u'4199168')]
[004010cb] bbffffffff mov [(0, 1, u'ebx'), (1, 5, u'-1')]
[004010d0] eb81 jmp [(0, 7, u'4198483')]
[004010d2] c704240b000000 mov [(0, 3, u'dword ptr [esp+0]'), (1, 5, u'11')]
[004010d9] b901000000 mov [(0, 1, u'ecx'), (1, 5, u'1')]
[004010de] bbffffffff mov [(0, 1, u'ebx'), (1, 5, u'-1')]
[004010e3] 894c2404 mov [(0, 4, u'[esp+4]'), (1, 1, u'ecx')]
[004010e7] e8d4060000 call [(0, 7, u'4200384')]
[004010ec] e962ffffff jmp [(0, 7, u'4198483')]
> Function [}}00]
> called from [u'start']
[00401100] 55 push [(0, 1, u'ebp')]
[00401101] 89e5 mov [(0, 1, u'ebp'), (1, 1, u'esp')]
[00401103] 53 push [(0, 1, u'ebx')]
[00401104] 83ec24 sub [(0, 1, u'esp'), (1, 5, u'36')]
[00401107] 8d5df8 lea [(0, 1, u'ebx'), (1, 4, u'[ebp+var_8]')]
[0040110a] c7042400104000 mov [(0, 3, u'[esp+28h+var_28]'), (1, 5, u'4198400')]
[00401111] e84a070000 call [(0, 7, u'4200544')]
[00401116] 83ec04 sub [(0, 1, u'esp'), (1, 5, u'4')]
[00401119] e8e2010000 call [(0, 7, u'4199168')]
[0040111e] c745f800000000 mov [(0, 4, u'[ebp+var_8]'), (1, 5, u'0')]
[00401125] b800404000 mov [(0, 1, u'eax'), (1, 5, u'4210688')]
[0040112a] 8d55f4 lea [(0, 1, u'edx'), (1, 4, u'[ebp+var_C]')]
[0040112d] 895c2410 mov [(0, 4, u'[esp+28h+var_18]'), (1, 1, u'ebx')]
[00401131] 8b0d00204000 mov [(0, 1, u'ecx'), (1, 2, u'65535')]
[00401137] 89442404 mov [(0, 4, u'[esp+28h+var_24]'), (1, 1, u'eax')]
[0040113b] 89542408 mov [(0, 4, u'[esp+28h+var_20]'), (1, 1, u'edx')]
[0040113f] 894c240c mov [(0, 4, u'[esp+28h+var_1C]'), (1, 1, u'ecx')]
[00401143] c7042404404000 mov [(0, 3, u'[esp+28h+var_28]'), (1, 5, u'4210692')]
[0040114a] e8a1060000 call [(0, 7, u'4200432')]
[0040114f] a110404000 mov [(0, 1, u'eax'), (1, 2, u'0')]
[00401154] 85c0 test [(0, 1, u'eax'), (1, 1, u'eax')]
[00401156] 7458 jz [(0, 7, u'4198832')]
[00401158] a310204000 mov [(0, 2, u'0'), (1, 1, u'eax')]
[0040115d] 8b15d4504000 mov [(0, 1, u'edx'), (1, 2, u'0')]
[00401163] 85d2 test [(0, 1, u'edx'), (1, 1, u'edx')]
[00401165] 0f858b000000 jnz [(0, 7, u'4198902')]
[0040116b] 83fae0 cmp [(0, 1, u'edx'), (1, 5, u'-32')]
[0040116e] 7420 jz [(0, 7, u'4198800')]
[00401170] a110404000 mov [(0, 1, u'eax'), (1, 2, u'0')]
[00401175] 89442404 mov [(0, 4, u'[esp+28h+var_24]'), (1, 1, u'eax')]
[00401179] 8b1dd4504000 mov [(0, 1, u'ebx'), (1, 2, u'0')]
[0040117f] 8b4b30 mov [(0, 1, u'ecx'), (1, 4, u'[ebx+30h]')]
[00401182] 890c24 mov [(0, 3, u'[esp+28h+var_28]'), (1, 1, u'ecx')]
[00401185] e856060000 call [(0, 7, u'4200416')]
[0040118a] 8b15d4504000 mov [(0, 1, u'edx'), (1, 2, u'0')]
[00401190] 83fac0 cmp [(0, 1, u'edx'), (1, 5, u'-64')]
[00401193] 741b jz [(0, 7, u'4198832')]
[00401195] 8b1d10404000 mov [(0, 1, u'ebx'), (1, 2, u'0')]
[0040119b] 895c2404 mov [(0, 4, u'[esp+28h+var_24]'), (1, 1, u'ebx')]
[0040119f] 8b0dd4504000 mov [(0, 1, u'ecx'), (1, 2, u'0')]
[004011a5] 8b5150 mov [(0, 1, u'edx'), (1, 4, u'[ecx+50h]')]
[004011a8] 891424 mov [(0, 3, u'[esp+28h+var_28]'), (1, 1, u'edx')]
[004011ab] e830060000 call [(0, 7, u'4200416')]
[004011b0] e81b060000 call [(0, 7, u'4200400')]
[004011b5] 8b1d10204000 mov [(0, 1, u'ebx'), (1, 2, u'0')]
[004011bb] 8918 mov [(0, 3, u'[eax]'), (1, 1, u'ebx')]
[004011bd] e80e010000 call [(0, 7, u'4199120')]
[004011c2] 83e4f0 and [(0, 1, u'esp'), (1, 5, u'-16')]
[004011c5] e8e6050000 call [(0, 7, u'4200368')]
[004011ca] 8b08 mov [(0, 1, u'ecx'), (1, 3, u'[eax]')]
[004011cc] 894c2408 mov [(0, 4, u'[esp+28h+var_20]'), (1, 1, u'ecx')]
[004011d0] 8b1500404000 mov [(0, 1, u'edx'), (1, 2, u'0')]
[004011d6] 89542404 mov [(0, 4, u'[esp+28h+var_24]'), (1, 1, u'edx')]
[004011da] a104404000 mov [(0, 1, u'eax'), (1, 2, u'0')]
[004011df] 890424 mov [(0, 3, u'[esp+28h+var_28]'), (1, 1, u'eax')]
[004011e2] e8a9000000 call [(0, 7, u'4199056')]
[004011e7] 89c3 mov [(0, 1, u'ebx'), (1, 1, u'eax')]
[004011e9] e8b2050000 call [(0, 7, u'4200352')]
[004011ee] 891c24 mov [(0, 3, u'[esp+28h+var_28]'), (1, 1, u'ebx')]
[004011f1] e87a060000 call [(0, 7, u'4200560')]
[004011f6] 89442404 mov [(0, 4, u'[esp+24h+var_20]'), (1, 1, u'eax')]
[004011fa] 8b15d4504000 mov [(0, 1, u'edx'), (1, 2, u'0')]
[00401200] 8b4210 mov [(0, 1, u'eax'), (1, 4, u'[edx+10h]')]
[00401203] 890424 mov [(0, 3, u'[esp+24h+var_24]'), (1, 1, u'eax')]
[00401206] e8d5050000 call [(0, 7, u'4200416')]
[0040120b] 8b15d4504000 mov [(0, 1, u'edx'), (1, 2, u'0')]
[00401211] e955ffffff jmp [(0, 7, u'4198763')]
> Function [start]
> called from []
[00401220] 55 push [(0, 1, u'ebp')]
[00401221] 89e5 mov [(0, 1, u'ebp'), (1, 1, u'esp')]
[00401223] 83ec08 sub [(0, 1, u'esp'), (1, 5, u'8')]
[00401226] c7042401000000 mov [(0, 3, u'[esp+8+var_8]'), (1, 5, u'1')]
[0040122d] ff15cc504000 call [(0, 2, u'0')]
[00401233] e8c8feffff call [(0, 7, u'4198656')]
[00401238] 90 nop
[00401239] 8db42600000000 lea [(0, 1, u'esi'), (1, 4, u'[esi+0]')]
[00401240] 55 push [(0, 1, u'ebp')]
[00401241] 89e5 mov [(0, 1, u'ebp'), (1, 1, u'esp')]
[00401243] 83ec08 sub [(0, 1, u'esp'), (1, 5, u'8')]
[00401246] c7042402000000 mov [(0, 3, u'dword ptr [esp+0]'), (1, 5, u'2')]
[0040124d] ff15cc504000 call [(0, 2, u'0')]
[00401253] e8a8feffff call [(0, 7, u'4198656')]
[00401258] 90 nop
[00401259] 8db42600000000 lea [(0, 1, u'esi'), (1, 4, u'[esi+0]')]
> Function [sub_401260]
> called from [u'sub_4013B0']
[00401260] 55 push [(0, 1, u'ebp')]
[00401261] 8b0de4504000 mov [(0, 1, u'ecx'), (1, 2, u'0')]
[00401267] 89e5 mov [(0, 1, u'ebp'), (1, 1, u'esp')]
[00401269] 5d pop [(0, 1, u'ebp')]
[0040126a] ffe1 jmp [(0, 1, u'ecx')]
> Function [main]
> called from [u'}}00']
[00401290] 55 push [(0, 1, u'ebp')]
[00401291] 89e5 mov [(0, 1, u'ebp'), (1, 1, u'esp')]
[00401293] 83ec08 sub [(0, 1, u'esp'), (1, 5, u'8')]
[00401296] 83e4f0 and [(0, 1, u'esp'), (1, 5, u'-16')]
[00401299] b800000000 mov [(0, 1, u'eax'), (1, 5, u'0')]
[0040129e] 83c00f add [(0, 1, u'eax'), (1, 5, u'15')]
[004012a1] 83c00f add [(0, 1, u'eax'), (1, 5, u'15')]
[004012a4] c1e804 shr [(0, 1, u'eax'), (1, 5, u'4')]
[004012a7] c1e004 shl [(0, 1, u'eax'), (1, 5, u'4')]
[004012aa] 8945fc mov [(0, 4, u'[ebp+var_4]'), (1, 1, u'eax')]
[004012ad] 8b45fc mov [(0, 1, u'eax'), (1, 4, u'[ebp+var_4]')]
[004012b0] e85b040000 call [(0, 7, u'4200208')]
[004012b5] e8f6000000 call [(0, 7, u'4199344')]
[004012ba] c7042400304000 mov [(0, 3, u'[esp+8+var_8]'), (1, 5, u'4206592')]
[004012c1] e83a050000 call [(0, 7, u'4200448')]
[004012c6] c9 leave
[004012c7] c3 retn
> Function [sub_4012D0]
> called from [u'}}00']
[004012d0] 55 push [(0, 1, u'ebp')]
[004012d1] b9f0304000 mov [(0, 1, u'ecx'), (1, 5, u'4206832')]
[004012d6] 89e5 mov [(0, 1, u'ebp'), (1, 1, u'esp')]
[004012d8] eb14 jmp [(0, 7, u'4199150')]
[004012e0] 8b5104 mov [(0, 1, u'edx'), (1, 4, u'[ecx+4]')]
[004012e3] 8b01 mov [(0, 1, u'eax'), (1, 3, u'[ecx]')]
[004012e5] 83c108 add [(0, 1, u'ecx'), (1, 5, u'8')]
[004012e8] 018200004000 add [(0, 4, u'[edx+400000h]'), (1, 1, u'eax')]
[004012ee] 81f9f0304000 cmp [(0, 1, u'ecx'), (1, 5, u'4206832')]
[004012f4] 72ea jb [(0, 7, u'4199136')]
[004012f6] 5d pop [(0, 1, u'ebp')]
[004012f7] c3 retn
> Function [sub_401300]
> called from [u'}}00', u'}}00']
[00401300] 55 push [(0, 1, u'ebp')]
[00401301] 89e5 mov [(0, 1, u'ebp'), (1, 1, u'esp')]
[00401303] dbe3 fninit [(0, 11, u'')]
[00401305] 5d pop [(0, 1, u'ebp')]
[00401306] c3 retn
> Function [sub_401310]
> called from []
[00401310] 55 push [(0, 1, u'ebp')]
[00401311] 89e5 mov [(0, 1, u'ebp'), (1, 1, u'esp')]
[00401313] 83ec08 sub [(0, 1, u'esp'), (1, 5, u'8')]
[00401316] a120204000 mov [(0, 1, u'eax'), (1, 2, u'0')]
[0040131b] 8b08 mov [(0, 1, u'ecx'), (1, 3, u'[eax]')]
[0040131d] 85c9 test [(0, 1, u'ecx'), (1, 1, u'ecx')]
[0040131f] 7426 jz [(0, 7, u'4199239')]
[00401321] eb0d jmp [(0, 7, u'4199216')]
[00401330] ff10 call [(0, 3, u'dword ptr [eax]')]
[00401332] 8b0d20204000 mov [(0, 1, u'ecx'), (1, 2, u'0')]
[00401338] 8b5104 mov [(0, 1, u'edx'), (1, 4, u'[ecx+4]')]
[0040133b] 8d4104 lea [(0, 1, u'eax'), (1, 4, u'[ecx+4]')]
[0040133e] a320204000 mov [(0, 2, u'0'), (1, 1, u'eax')]
[00401343] 85d2 test [(0, 1, u'edx'), (1, 1, u'edx')]
[00401345] 75e9 jnz [(0, 7, u'4199216')]
[00401347] c9 leave
[00401348] c3 retn
> Function [sub_4013B0]
> called from [u'main']
[004013b0] 55 push [(0, 1, u'ebp')]
[004013b1] 89e5 mov [(0, 1, u'ebp'), (1, 1, u'esp')]
[004013b3] 53 push [(0, 1, u'ebx')]
[004013b4] 83ec04 sub [(0, 1, u'esp'), (1, 5, u'4')]
[004013b7] a120404000 mov [(0, 1, u'eax'), (1, 2, u'0')]
[004013bc] 85c0 test [(0, 1, u'eax'), (1, 1, u'eax')]
[004013be] 7536 jnz [(0, 7, u'4199414')]
[004013c0] a1c0184000 mov [(0, 1, u'eax'), (1, 2, u'65535')]
[004013c5] bb01000000 mov [(0, 1, u'ebx'), (1, 5, u'1')]
[004013ca] 891d20404000 mov [(0, 2, u'0'), (1, 1, u'ebx')]
[004013d0] 83f8ff cmp [(0, 1, u'eax'), (1, 5, u'-1')]
[004013d3] 7425 jz [(0, 7, u'4199418')]
[004013d5] 85c0 test [(0, 1, u'eax'), (1, 1, u'eax')]
[004013d7] 89c3 mov [(0, 1, u'ebx'), (1, 1, u'eax')]
[004013d9] 740f jz [(0, 7, u'4199402')]
[004013db] 90 nop
[004013dc] 8d742600 lea [(0, 1, u'esi'), (1, 4, u'[esi+0]')]
[004013e0] ff149dc0184000 call [(0, 2, u'0')]
[004013e7] 4b dec [(0, 1, u'ebx')]
[004013e8] 75f6 jnz [(0, 7, u'4199392')]
[004013ea] c7042410134000 mov [(0, 3, u'dword ptr [esp+0]'), (1, 5, u'4199184')]
[004013f1] e86afeffff call [(0, 7, u'4199008')]
[004013f6] 5b pop [(0, 1, u'ebx')]
[004013f7] 5b pop [(0, 1, u'ebx')]
[004013f8] 5d pop [(0, 1, u'ebp')]
[004013f9] c3 retn
[004013fa] 8b0dc4184000 mov [(0, 1, u'ecx'), (1, 2, u'6320')]
[00401400] 31c0 xor [(0, 1, u'eax'), (1, 1, u'eax')]
[00401402] 85c9 test [(0, 1, u'ecx'), (1, 1, u'ecx')]
[00401404] eb0a jmp [(0, 7, u'4199440')]
[00401406] 40 inc [(0, 1, u'eax')]
[00401407] 8b1485c4184000 mov [(0, 1, u'edx'), (1, 2, u'0')]
[0040140e] 85d2 test [(0, 1, u'edx'), (1, 1, u'edx')]
[00401410] 75f4 jnz [(0, 7, u'4199430')]
[00401412] ebc1 jmp [(0, 7, u'4199381')]
> Function [sub_401420]
> called from []
[00401420] 55 push [(0, 1, u'ebp')]
[00401421] a170404000 mov [(0, 1, u'eax'), (1, 2, u'0')]
[00401426] 89e5 mov [(0, 1, u'ebp'), (1, 1, u'esp')]
[00401428] 5d pop [(0, 1, u'ebp')]
[00401429] 8b4804 mov [(0, 1, u'ecx'), (1, 4, u'[eax+4]')]
[0040142c] ffe1 jmp [(0, 1, u'ecx')]
> Function [sub_401430]
> called from []
[00401430] 55 push [(0, 1, u'ebp')]
[00401431] ba42000000 mov [(0, 1, u'edx'), (1, 5, u'66')]
[00401436] 89e5 mov [(0, 1, u'ebp'), (1, 1, u'esp')]
[00401438] 53 push [(0, 1, u'ebx')]
[00401439] 0fb7c0 movzx [(0, 1, u'eax'), (1, 1, u'ax')]
[0040143c] 83ec64 sub [(0, 1, u'esp'), (1, 5, u'100')]
[0040143f] 89542408 mov [(0, 4, u'[esp+68h+var_60]'), (1, 1, u'edx')]
[00401443] 8d55a8 lea [(0, 1, u'edx'), (1, 4, u'[ebp+var_58]')]
[00401446] 31db xor [(0, 1, u'ebx'), (1, 1, u'ebx')]
[00401448] 89542404 mov [(0, 4, u'[esp+68h+var_64]'), (1, 1, u'edx')]
[0040144c] 890424 mov [(0, 3, u'[esp+68h+var_68]'), (1, 1, u'eax')]
[0040144f] ff15b0504000 call [(0, 2, u'0')]
[00401455] ba1f000000 mov [(0, 1, u'edx'), (1, 5, u'31')]
[0040145a] b901000000 mov [(0, 1, u'ecx'), (1, 5, u'1')]
[0040145f] 83ec0c sub [(0, 1, u'esp'), (1, 5, u'12')]
[00401462] 85c0 test [(0, 1, u'eax'), (1, 1, u'eax')]
[00401464] 7507 jnz [(0, 7, u'4199533')]
[00401466] eb46 jmp [(0, 7, u'4199598')]
[00401468] 01c9 add [(0, 1, u'ecx'), (1, 1, u'ecx')]
[0040146a] 4a dec [(0, 1, u'edx')]
[0040146b] 780e js [(0, 7, u'4199547')]
[0040146d] 807c2aa841 cmp [(0, 4, u'byte ptr [edx+ebp-58h]'), (1, 5, u'65')]
[00401472] 75f4 jnz [(0, 7, u'4199528')]
[00401474] 09cb or [(0, 1, u'ebx'), (1, 1, u'ecx')]
[00401476] 01c9 add [(0, 1, u'ecx'), (1, 1, u'ecx')]
[00401478] 4a dec [(0, 1, u'edx')]
[00401479] 79f2 jns [(0, 7, u'4199533')]
[0040147b] 833b3c cmp [(0, 3, u'dword ptr [ebx]'), (1, 5, u'60')]
[0040147e] 7507 jnz [(0, 7, u'4199559')]
[00401480] 89d8 mov [(0, 1, u'eax'), (1, 1, u'ebx')]
[00401482] 8b5dfc mov [(0, 1, u'ebx'), (1, 4, u'[ebp+var_4]')]
[00401485] c9 leave
[00401486] c3 retn
[00401487] b934304000 mov [(0, 1, u'ecx'), (1, 5, u'4206644')]
[0040148c] baea000000 mov [(0, 1, u'edx'), (1, 5, u'234')]
[00401491] 894c240c mov [(0, 4, u'[esp+0Ch]'), (1, 1, u'ecx')]
[00401495] 89542408 mov [(0, 4, u'[esp+8]'), (1, 1, u'edx')]
[00401499] c7042461304000 mov [(0, 3, u'dword ptr [esp+0]'), (1, 5, u'4206689')]
[004014a0] b880304000 mov [(0, 1, u'eax'), (1, 5, u'4206720')]
[004014a5] 89442404 mov [(0, 4, u'[esp+4]'), (1, 1, u'eax')]
[004014a9] e892020000 call [(0, 7, u'4200256')]
[004014ae] b8ac304000 mov [(0, 1, u'eax'), (1, 5, u'4206764')]
[004014b3] bbe4000000 mov [(0, 1, u'ebx'), (1, 5, u'228')]
[004014b8] 8944240c mov [(0, 4, u'[esp+0Ch]'), (1, 1, u'eax')]
[004014bc] 895c2408 mov [(0, 4, u'[esp+8]'), (1, 1, u'ebx')]
[004014c0] ebd7 jmp [(0, 7, u'4199577')]
> Function [sub_401710]
> called from [u'main']
[00401710] 51 push [(0, 1, u'ecx')]
[00401711] 89e1 mov [(0, 1, u'ecx'), (1, 1, u'esp')]
[00401713] 83c108 add [(0, 1, u'ecx'), (1, 5, u'8')]
[00401716] 3d00100000 cmp [(0, 1, u'eax'), (1, 5, u'4096')]
[0040171b] 7210 jb [(0, 7, u'4200237')]
[0040171d] 81e900100000 sub [(0, 1, u'ecx'), (1, 5, u'4096')]
[00401723] 830900 or [(0, 3, u'dword ptr [ecx]'), (1, 5, u'0')]
[00401726] 2d00100000 sub [(0, 1, u'eax'), (1, 5, u'4096')]
[0040172b] ebe9 jmp [(0, 7, u'4200214')]
[0040172d] 29c1 sub [(0, 1, u'ecx'), (1, 1, u'eax')]
[0040172f] 830900 or [(0, 3, u'dword ptr [ecx]'), (1, 5, u'0')]
[00401732] 89e0 mov [(0, 1, u'eax'), (1, 1, u'esp')]
[00401734] 89cc mov [(0, 1, u'esp'), (1, 1, u'ecx')]
[00401736] 8b08 mov [(0, 1, u'ecx'), (1, 3, u'[eax]')]
[00401738] 8b4004 mov [(0, 1, u'eax'), (1, 4, u'[eax+4]')]
[0040173b] ffe0 jmp [(0, 1, u'eax')]
> Function [sub_401740]
> called from [u'sub_401430']
[00401740] 55 push [(0, 1, u'ebp')]
[00401741] 89e5 mov [(0, 1, u'ebp'), (1, 1, u'esp')]
[00401743] 83ec18 sub [(0, 1, u'esp'), (1, 5, u'24')]
[00401746] 8b4514 mov [(0, 1, u'eax'), (1, 4, u'[ebp+arg_C]')]
[00401749] 89442410 mov [(0, 4, u'[esp+18h+var_8]'), (1, 1, u'eax')]
[0040174d] 8b4510 mov [(0, 1, u'eax'), (1, 4, u'[ebp+arg_8]')]
[00401750] 8944240c mov [(0, 4, u'[esp+18h+var_C]'), (1, 1, u'eax')]
[00401754] 8b450c mov [(0, 1, u'eax'), (1, 4, u'[ebp+arg_4]')]
[00401757] 89442408 mov [(0, 4, u'[esp+18h+var_10]'), (1, 1, u'eax')]
[0040175b] 8b4508 mov [(0, 1, u'eax'), (1, 4, u'[ebp+arg_0]')]
[0040175e] 89442404 mov [(0, 4, u'[esp+18h+var_14]'), (1, 1, u'eax')]
[00401762] a1d4504000 mov [(0, 1, u'eax'), (1, 2, u'0')]
[00401767] 83c040 add [(0, 1, u'eax'), (1, 5, u'64')]
[0040176a] 890424 mov [(0, 3, u'[esp+18h+var_18]'), (1, 1, u'eax')]
[0040176d] e8de000000 call [(0, 7, u'4200528')]
[00401772] a1d4504000 mov [(0, 1, u'eax'), (1, 2, u'0')]
[00401777] 83c040 add [(0, 1, u'eax'), (1, 5, u'64')]
[0040177a] 890424 mov [(0, 3, u'[esp+18h+var_18]'), (1, 1, u'eax')]
[0040177d] e8be000000 call [(0, 7, u'4200512')]
[00401782] e8a9000000 call [(0, 7, u'4200496')]
[00401787] 90 nop
[00401788] 90 nop
[00401789] 90 nop
[0040178a] 90 nop
[0040178b] 90 nop
[0040178c] 90 nop
[0040178d] 90 nop
[0040178e] 90 nop
[0040178f] 90 nop
[00401790] ff25cc504000 jmp [(0, 2, u'0')]
> Function [_cexit]
> called from [u'}}00']
[004017a0] ff25d0504000 jmp [(0, 2, u'0')]
> Function [__p__environ]
> called from [u'}}00']
[004017b0] ff25c4504000 jmp [(0, 2, u'0')]
> Function [signal]
> called from [u'}}00']
[004017c0] ff25fc504000 jmp [(0, 2, u'0')]
> Function [__p__fmode]
> called from [u'}}00']
[004017d0] ff25c8504000 jmp [(0, 2, u'0')]
> Function [_setmode]
> called from [u'}}00']
[004017e0] ff25dc504000 jmp [(0, 2, u'0')]
> Function [__getmainargs]
> called from [u'}}00']
[004017f0] ff25c0504000 jmp [(0, 2, u'0')]
> Function [printf]
> called from [u'main']
[00401800] ff25f8504000 jmp [(0, 2, u'0')]
> Function [free]
> called from []
[00401810] ff25f0504000 jmp [(0, 2, u'0')]
> Function [malloc]
> called from []
[00401820] ff25f4504000 jmp [(0, 2, u'0')]
> Function [abort]
> called from [u'sub_401740']
[00401830] ff25e0504000 jmp [(0, 2, u'0')]
> Function [fflush]
> called from [u'sub_401740']
[00401840] ff25e8504000 jmp [(0, 2, u'0')]
> Function [fprintf]
> called from [u'sub_401740']
[00401850] ff25ec504000 jmp [(0, 2, u'0')]
> Function [SetUnhandledExceptionFilter]
> called from [u'}}00']
[00401860] ff25b4504000 jmp [(0, 2, u'0')]
> Function [ExitProcess]
> called from [u'}}00']
[00401870] ff25a8504000 jmp [(0, 2, u'0')]
> Function [__set_app_type]
> called from [u'start', u'sub_401740']
[004050cc]
> Function [__imp___p__fmode]
> called from [u'__p__fmode']
[004050c8]
> Function [__imp__setmode]
> called from [u'_setmode']
[004050dc]
> Function [GetAtomNameA]
> called from [u'sub_401430']
[004050b0]
> Function [__imp___getmainargs]
> called from [u'__getmainargs']
[004050c0]
> Function [dword_4018C0]
> called from [u'sub_4013B0']
[004018c0]
> Function [__imp_printf]
> called from [u'printf']
[004050f8]
> Function []
> called from [u'sub_401260', u'sub_401420', u'sub_401710']
[00000000]
> Function [__imp_SetUnhandledExceptionFilter]
> called from [u'SetUnhandledExceptionFilter']
[004050b4]
> Function [__imp_fprintf]
> called from [u'fprintf']
[004050ec]
> Function [__imp_abort]
> called from [u'abort']
[004050e0]
> Function [__imp_malloc]
> called from [u'malloc']
[004050f4]
> Function [__imp_ExitProcess]
> called from [u'ExitProcess']
[004050a8]
> Function [__imp_free]
> called from [u'free']
[004050f0]
> Function [__imp___p__environ]
> called from [u'__p__environ']
[004050c4]
> Function [__imp_signal]
> called from [u'signal']
[004050fc]
> Function [__imp__cexit]
> called from [u'_cexit']
[004050d0]
> Function [__imp_fflush]
> called from [u'fflush']
[004050e8]