{"id":7699,"date":"2017-05-18T14:21:15","date_gmt":"2017-05-18T22:21:15","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/18\/news-1484\/"},"modified":"2017-05-18T14:21:15","modified_gmt":"2017-05-18T22:21:15","slug":"news-1484","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/05\/18\/news-1484\/","title":{"rendered":"SSD Advisory \u2013 Bitdefender Code Signing organizationName Buffer Overflow"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Thu, 18 May 2017 05:34:17 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes a Buffer Overflow vulnerability found in Bitdefender Engine PE.<\/p>\n<p>Bitdefender provides the Bitdefender &#8220;antimalware&#8221; engine for integration with other security vendors&#8217; products. The engine is used in Bitdefender&#8217;s own products, for example in Bitdefender Internet Security 2017 and below.
The antimalware engine is the core of the product; among other features, it provides the means to scan potentially malicious portable executables (PEs).<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Pagefault, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor Response<\/strong><br \/> Bitdefender has released patches to address this vulnerability in version 7.71417.<\/p>\n<p><span id=\"more-3211\"><\/span><\/p>\n<p><strong>Vulnerability Details<\/strong><br \/> A PE file can be signed using X.509 certificates. The certificates can ensure that the content of the executable has not been altered and that the executable comes from a trusted source.<\/p>\n<p>Certificates are embedded inside one of the PE data directories defined via IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.<\/p>\n<p>The IMAGE_NT_HEADERS structure inside a PE file starts with the &#8220;PE\\0\\0&#8221; signature:<\/p>\n<div id=\"crayon-591e1e59db76e782041609\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">typedef struct _IMAGE_NT_HEADERS {\n    DWORD Signature;                       \/\/ &quot;PE\\0\\0&quot;\n    IMAGE_FILE_HEADER FileHeader;\n    IMAGE_OPTIONAL_HEADER OptionalHeader;\n} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;<\/textarea><\/div>\n<\/div>\n<p>The <em>IMAGE_OPTIONAL_HEADER<\/em> structure ends with the <em>DataDirectory<\/em> array of <em>IMAGE_DATA_DIRECTORY<\/em> structures:<\/p>\n<div id=\"crayon-591e1e59db779564320350\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">\/\/ IMAGE_OPTIONAL_HEADER fields (abridged)\nWORD                  Magic;\nBYTE                  MajorLinkerVersion;\n\/\/ ...\nDWORD                 LoaderFlags;\nDWORD                 NumberOfRvaAndSizes;\nIMAGE_DATA_DIRECTORY  DataDirectory[16];\n\ntypedef struct _IMAGE_DATA_DIRECTORY {\n    DWORD   VirtualAddress;     \/\/ RVA of the data\n    DWORD   Size;               \/\/ Size of the data\n} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;<\/textarea><\/div>\n<\/div>\n<p><em>DataDirectory<\/em>[4] represents <em>IMAGE_DIRECTORY_ENTRY_SECURITY<\/em>, and points to a list of <em>WIN_CERTIFICATE<\/em> structures.
For this entry, the <em>VirtualAddress<\/em> field holds a file offset rather than an RVA.<\/p>\n<p>The <em>WIN_CERTIFICATE<\/em> structure is defined as follows:<\/p>\n<div id=\"crayon-591e1e59db77f242759748\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">typedef struct _WIN_CERTIFICATE {\n  DWORD dwLength;\n  WORD  wRevision;\n  WORD  wCertificateType;\n  BYTE  bCertificate[ANYSIZE_ARRAY];\n} WIN_CERTIFICATE, *PWIN_CERTIFICATE;<\/textarea><\/div>\n<\/div>\n<p><em>vsserv.exe<\/em> is the Bitdefender system service. The process scans PEs automatically, analyzing digital signatures through the <em>cevakrnl.rv8<\/em> module. The module is located in a compressed form under &#8220;<em>%ProgramFiles%\\Common Files\\Bitdefender\\Bitdefender Threat Scanner\\Antivirus_&#8230;\\Plugins<\/em>&#8221;.<\/p>\n<p><em>cevakrnl.rv8<\/em> is unpacked and loaded as executable code on service startup.
<em>cevakrnl.rv8!sub_40ACFF0()<\/em> is called when a signed PE is encountered.<\/p>\n<div id=\"crayon-591e1e59db784280084426\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">cevakrnl.rv8:040AE691                 lea     eax, [ebp+var_2C]\ncevakrnl.rv8:040AE694                 push    eax             ; &amp;(ebp-0x2C) - object placed on the stack\ncevakrnl.rv8:040AE695                 call    sub_40ACFF0     ; call here\n\n; cevakrnl.rv8!sub_40ACFF0() extracts the IMAGE_DIRECTORY_ENTRY_SECURITY offset and size fields.\n\ncevakrnl.rv8:040ACFF0 sub_40ACFF0     proc near               ; CODE XREF: sub_40AE5C0+D5p\ncevakrnl.rv8:040ACFF0\n...\ncevakrnl.rv8:040AD007                 mov     edi, [ebp+arg_0]\n...\ncevakrnl.rv8:040AD025                 mov     eax, [edi+4]    ; eax = IMAGE_NT_HEADERS\ncevakrnl.rv8:040AD025                                         ; contains at\ncevakrnl.rv8:040AD025                                         ; offset  0x0: DWORD Signature (&quot;PE&quot;);\ncevakrnl.rv8:040AD025                                         ; offset  0x4: IMAGE_FILE_HEADER FileHeader;\ncevakrnl.rv8:040AD025                                         ; offset 0x18: IMAGE_OPTIONAL_HEADER32 OptionalHeader;\ncevakrnl.rv8:040AD028                 mov     [ebp+arg_0_bkup], edi\ncevakrnl.rv8:040AD02E                 mov     [ebp+numofcrcs], ecx\ncevakrnl.rv8:040AD034                 mov     [ebp+var_1F0], ecx\ncevakrnl.rv8:040AD03A                 mov     esi, [eax+9Ch]  ; attribute certificate size\ncevakrnl.rv8:040AD03A                                         ; OptionalHeader.DataDirectory+0x24\ncevakrnl.rv8:040AD03A                                         ; = IMAGE_DIRECTORY_ENTRY_SECURITY.Size\ncevakrnl.rv8:040AD040                 mov     edx, [eax+98h]  ; attribute certificate offset\ncevakrnl.rv8:040AD040                                         ; OptionalHeader.DataDirectory+0x20\ncevakrnl.rv8:040AD040                                         ; = IMAGE_DIRECTORY_ENTRY_SECURITY.Offset\ncevakrnl.rv8:040AD040                                         ; &quot;Points to a list of WIN_CERTIFICATE structures, defined in WinTrust.H&quot;<\/textarea><\/div>\n<div 
class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-591e1e59db784280084426-1\"><span class=\"crayon-v\">cevakrnl<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">rv8<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">040AE691<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">lea&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">eax<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">ebp<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">var_2C<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591e1e59db784280084426-2\"><span class=\"crayon-v\">cevakrnl<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">rv8<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">040AE694<\/span><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">push&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">eax<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ebp<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">0x2C<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">object<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">placed <\/span><span class=\"crayon-e\">on <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-e\">stack<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-591e1e59db784280084426-3\"><span class=\"crayon-v\">cevakrnl<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">rv8<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">040AE695<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">call&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">sub<\/span><span class=\"crayon-sy\">_<\/span>40ACFF0<span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">call <\/span><span class=\"crayon-e\">here<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591e1e59db784280084426-4\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-591e1e59db784280084426-5\"><span class=\"crayon-v\">cevakrnl<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">rv8<\/span><span 
class=\"crayon-o\">!<\/span>sub_40ACFF0() extracts the IMAGE_DIRECTORY_ENTRY_SECURITY offset and size fields.<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591e1e59db784280084426-6\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-591e1e59db784280084426-7\">cevakrnl.rv8:040ACFF0 sub_40ACFF0     proc near               ; CODE XREF: sub_40AE5C0+D5p<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591e1e59db784280084426-8\">cevakrnl.rv8:040ACFF0<\/div>\n<div class=\"crayon-line\" id=\"crayon-591e1e59db784280084426-9\">...<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591e1e59db784280084426-10\">cevakrnl.rv8:040AD007                 mov     edi, [ebp+arg_0]<\/div>\n<div class=\"crayon-line\" id=\"crayon-591e1e59db784280084426-11\">...<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591e1e59db784280084426-12\">cevakrnl.rv8:040AD025                 mov     eax, [edi+4]    ; eax = IMAGE_NT_HEADERS<\/div>\n<div class=\"crayon-line\" id=\"crayon-591e1e59db784280084426-13\">cevakrnl.rv8:040AD025                                         ; contains at<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591e1e59db784280084426-14\">cevakrnl.rv8:040AD025                                         ; offset  0x0: DWORD Signature (&#8220;PE&#8221;);<\/div>\n<div class=\"crayon-line\" id=\"crayon-591e1e59db784280084426-15\">cevakrnl.rv8:040AD025                                         ; offset  0x4: IMAGE_FILE_HEADER FileHeader;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591e1e59db784280084426-16\">cevakrnl.rv8:040AD025                                         ; offset 0x18: IMAGE_OPTIONAL_HEADER32 OptionalHeader;<\/div>\n<div class=\"crayon-line\" id=\"crayon-591e1e59db784280084426-17\">cevakrnl.rv8:040AD028                 mov     [ebp+arg_0_bkup], edi<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591e1e59db784280084426-18\">cevakrnl.rv8:040AD02E                 mov     [ebp+numofcrcs], ecx<\/div>\n<div class=\"crayon-line\" id=\"crayon-591e1e59db784280084426-19\">cevakrnl.rv8:040AD034                 mov     [ebp+var_1F0], ecx<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591e1e59db784280084426-20\">cevakrnl.rv8:040AD03A                 mov     esi, [eax+9Ch]  ; attribute certificate size<\/div>\n<div class=\"crayon-line\" id=\"crayon-591e1e59db784280084426-21\">cevakrnl.rv8:040AD03A                                         ; OptionalHeader.DataDirectory+0x24<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591e1e59db784280084426-22\">cevakrnl.rv8:040AD03A                                         ; = IMAGE_DIRECTORY_ENTRY_SECURITY.Size<\/div>\n<div class=\"crayon-line\" id=\"crayon-591e1e59db784280084426-23\">cevakrnl.rv8:040AD040                 mov     edx, [eax+98h]  ; attribute certificate offset<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591e1e59db784280084426-24\">cevakrnl.rv8:040AD040                                         ; OptionalHeader.DataDirectory+0x20<\/div>\n<div class=\"crayon-line\" id=\"crayon-591e1e59db784280084426-25\">cevakrnl.rv8:040AD040                                         ; = IMAGE_DIRECTORY_ENTRY_SECURITY.Offset<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591e1e59db784280084426-26\">cevakrnl.rv8:040AD040                                         ; &#8220;Points to a list of WIN_CERTIFICATE structures, defined in WinTrust.H&#8221;<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>At most <em>0x2400<\/em> bytes are then read from that offset into a heap buffer.<\/p>\n<div id=\"crayon-591e1e59db78b147099360\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div 
class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">cevakrnl.rv8:040AD092                 cmp     esi, 2400h      ; maximum size\ncevakrnl.rv8:040AD098                 jbe     short @max\ncevakrnl.rv8:040AD09A                 mov     esi, 2400h\ncevakrnl.rv8:040AD09F @max:                                   ; CODE XREF: sub_40ACFF0+A8j\n...\ncevakrnl.rv8:040AD0C4                 lea     eax, [ebp+var_1C4]\ncevakrnl.rv8:040AD0CA                 push    eax             ; int\ncevakrnl.rv8:040AD0CB                 push    esi             ; size\ncevakrnl.rv8:040AD0CC\ncevakrnl.rv8:040AD0CC loc_40AD0CC:                            ; CODE XREF: sub_40ACFF0+CEj\ncevakrnl.rv8:040AD0CC                 mov     ebx, [ebp+buf]\ncevakrnl.rv8:040AD0D2                 mov     edi, [ebp+arg_0_bkup]\ncevakrnl.rv8:040AD0D8                 push    ebx             ; buf\ncevakrnl.rv8:040AD0D9                 push    edx             ; offset\ncevakrnl.rv8:040AD0DA                 push    edi             ; int\ncevakrnl.rv8:040AD0DB                 call    readatoffset    ; read all structures\ncevakrnl.rv8:040AD0DB                                         ;   typedef struct _WIN_CERTIFICATE {\ncevakrnl.rv8:040AD0DB                                         ;     DWORD dwLength;\ncevakrnl.rv8:040AD0DB                                         ;     WORD wRevision;\ncevakrnl.rv8:040AD0DB                                         ;     WORD wCertificateType;\ncevakrnl.rv8:040AD0DB                                         ;     BYTE bCertificate[ANYSIZE_ARRAY];\ncevakrnl.rv8:040AD0DB                                         ;   } WIN_CERTIFICATE,*LPWIN_CERTIFICATE;<\/textarea><\/div>\n<\/div>\n<p>After further operations that are not relevant here, Bitdefender starts searching the data it has read for X.509 &#8220;<em>organizationName<\/em>&#8221; attributes. 
The attributes are located by searching for the 0x0A045503 dword, which is the ASN.1 representation of the <em>organizationName<\/em> OID 2.5.4.10.<\/p>\n<pre>cevakrnl.rv8:040AD320 @startloop:                             ; CODE XREF: sub_40ACFF0+326j\ncevakrnl.rv8:040AD320                                         ; sub_40ACFF0+728j\ncevakrnl.rv8:040AD320                 mov     ecx, [ebp+buf]\ncevakrnl.rv8:040AD326                 mov     eax, [ecx+esi]  ; current dword\ncevakrnl.rv8:040AD329                 lea     ebx, [ecx+esi]\ncevakrnl.rv8:040AD32C                 mov     [ebp+var_208], ebx\ncevakrnl.rv8:040AD332                 cmp     eax, 0A045503h  ; 55:04:0A = X.509 \"id-at-organizationName\" attribute\ncevakrnl.rv8:040AD337                 jz      short @found<\/pre>\n<p>When an &#8220;<em>organizationName<\/em>&#8221; is found, its corresponding value string is passed in a call to a CRC32-computing function. 
The function returns the inverted (bitwise NOT) CRC32 sum of the string.<\/p>\n<p>Please note that only printable ASCII (0x20-0x7E) characters are considered valid in &#8220;<em>organizationName<\/em>&#8221;.<\/p>\n<pre>cevakrnl.rv8:040AD3B8 @found:                                 ; CODE XREF: sub_40ACFF0+347j\ncevakrnl.rv8:040AD3B8                                         ; sub_40ACFF0+357j\ncevakrnl.rv8:040AD3B8                 mov     bl, [ecx+esi+5] ; value string length\ncevakrnl.rv8:040AD3BC                 movzx   eax, bl\ncevakrnl.rv8:040AD3BF                 mov     [ebp+var_20C], eax\ncevakrnl.rv8:040AD3C5                 add     eax, 6\ncevakrnl.rv8:040AD3C8                 add     eax, esi\ncevakrnl.rv8:040AD3CA                 mov     [ebp+var_1E8], 0\ncevakrnl.rv8:040AD3D4                 mov     [ebp+var_40], 0\ncevakrnl.rv8:040AD3D8                 mov     [ebp+savedcrc], 0\ncevakrnl.rv8:040AD3E2                 mov     [ebp+after_value_string], eax ; offset to next data\n...\ncevakrnl.rv8:040AD444                 mov     eax, [ebp+buf]\ncevakrnl.rv8:040AD44A                 add     eax, 6\ncevakrnl.rv8:040AD44D                 mov     [ebp+edi+var_40], 0\ncevakrnl.rv8:040AD452                 add     eax, esi        ; offset + 6\ncevakrnl.rv8:040AD452                                         ; points to value string\ncevakrnl.rv8:040AD454                 push    edi             ; length of string\ncevakrnl.rv8:040AD455                 push    eax             ; Organization in certificate\ncevakrnl.rv8:040AD456                 call    crc32           ; crc32\ncevakrnl.rv8:040AD45B                 add     esp, 8          ; this returns ~crc32\ncevakrnl.rv8:040AD45B                                         ; ~crc32(\"31TZnp\") = 0xdeadbeef<\/pre>\n<p>If the CRC was not previously encountered: <\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter 
v_2.7.2_beta -->    \t\t<\/p>\n<pre>cevakrnl.rv8:040AD480 @checkduplicate:                        ; CODE XREF: sub_40ACFF0+488j\ncevakrnl.rv8:040AD480                                         ; sub_40ACFF0+4A0j\ncevakrnl.rv8:040AD480                 cmp     [ebp+ecx*4+crc32results], eax ; array of already saved CRCs\ncevakrnl.rv8:040AD487                 jz      @duplicate\ncevakrnl.rv8:040AD48D                 inc     ecx\ncevakrnl.rv8:040AD48E                 cmp     ecx, ebx\ncevakrnl.rv8:040AD490                 jb      short @checkduplicate<\/pre>\n<p>its value is placed inside a local stack array of 8 dwords. The index of the array is increased for each unique CRC without checking the array limit. 
This results in a stack-based buffer overflow if an overly large number of unique &#8220;<em>organizationName<\/em>&#8221; values are encountered.<\/p>\n<pre>-000001B8 crc32results    dd 8 dup(?)\n-00000198 var_198         db 256 dup(?)\n...\ncevakrnl.rv8:040AD51E                 mov     eax, [ebp+savedcrc]\ncevakrnl.rv8:040AD524                 mov     [ebp+ebx*4+crc32results], eax ; buffer overflow\ncevakrnl.rv8:040AD524                                         ; [ebp+ebx*4-0x1B8] = eax\ncevakrnl.rv8:040AD52B                 inc     ebx\ncevakrnl.rv8:040AD52C                 mov     [ebp+numofcrcs], ebx<\/pre>\n<p>The vulnerability allows overwriting a large number of stack bytes with arbitrary data. 
The data written to the stack is arbitrary because an ASCII string can be found for any desired CRC result by reversing the CRC32 algorithm.<\/p>\n<p>Although the vulnerable function contains a cookie check on return, code execution is believed possible because an object placed on the stack is used before the function returns.<\/p>\n<p>The object is passed to the vulnerable function as the first argument, and the field at offset 0x1C (changed to 0xdeadbeef via the PoC) is passed to <em>global_function0()<\/em>.<\/p>\n<pre>cevakrnl.rv8:040AD750                 mov     ebx, [ebp+arg_0_bkup] ; ebx points to the stack of the caller function,\n                                                                    ; which is above crc32results\n...\ncevakrnl.rv8:040AD785                 push    0\ncevakrnl.rv8:040AD787                 push    1\ncevakrnl.rv8:040AD789                 push    41C40Eh\ncevakrnl.rv8:040AD78E                 push    6\ncevakrnl.rv8:040AD790                 push    dword ptr [ebx+1Ch] ; corrupted\ncevakrnl.rv8:040AD793                 call    global_function0<\/pre>\n<p><em>global_function0()<\/em> calls <em>sub_2F70B90()<\/em>, passing [0xdeadbeef+0x22C] as the current 
object.<\/p>\n<pre>seg001:02F5D69F                 mov     ecx, [ecx+22Ch] ; crash here\nseg001:02F5D69F                                         ; ecx is controlled\nseg001:02F5D6A5                 push    [ebp+arg_4]\nseg001:02F5D6A8                 call    sub_2F70B90<\/pre>\n<p><em>sub_2F70B90()<\/em> extracts a dword from the current object pointer<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-591e1e59db7b3119785323\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" 
minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> seg001:02F70BFA                 mov     edi, [esi+eax*4] ; eax &#8211; fixed offset = 0x560<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px 
!important;\">\n<div class=\"crayon-num\" data-line=\"crayon-591e1e59db7b3119785323-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-591e1e59db7b3119785323-1\"><span class=\"crayon-v\">seg001<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">02F70BFA<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">mov&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">edi<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">esi<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-e\">eax*<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">eax<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">fixed <\/span><span class=\"crayon-v\">offset<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x560<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0010 seconds] -->  <\/p>\n<p>eventually passing it as the current object to <em>sub_2F6F120()<\/em><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-591e1e59db7b8862292761\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; 
line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> seg001:02F70D45                 mov     ecx, edi  seg001:02F70D47                 call    sub_2F6F120<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-591e1e59db7b8862292761-1\">1<\/div>\n<div 
class=\"crayon-num crayon-striped-num\" data-line=\"crayon-591e1e59db7b8862292761-2\">2<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-591e1e59db7b8862292761-1\"><span class=\"crayon-v\">seg001<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">02F70D45<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">mov&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">ecx<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">edi<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591e1e59db7b8862292761-2\"><span class=\"crayon-v\">seg001<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">02F70D47<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">call&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">sub_2F6F120<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0007 seconds] -->  <\/p>\n<p><em>sub_2F6F120()<\/em> eventually extracts a dword from the potentially arbitrary pointer, resulting in a jump to an arbitrary address.<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-591e1e59db7bc663051317\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px 
!important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> seg001:02F6F132                 mov     eax, [edi+4]  seg001:02F6F135                 push    ebx  seg001:02F6F136                 push    dword ptr [esi+4]  seg001:02F6F139                 push    edi  seg001:02F6F13A                 call    eax<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" 
data-line=\"crayon-591e1e59db7bc663051317-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-591e1e59db7bc663051317-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-591e1e59db7bc663051317-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-591e1e59db7bc663051317-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-591e1e59db7bc663051317-5\">5<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-591e1e59db7bc663051317-1\"><span class=\"crayon-v\">seg001<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">02F6F132<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">mov&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">eax<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">edi<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591e1e59db7bc663051317-2\"><span class=\"crayon-v\">seg001<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">02F6F135<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">push&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">ebx<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-591e1e59db7bc663051317-3\"><span class=\"crayon-v\">seg001<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">02F6F136<\/span><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">push&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">dword <\/span><span class=\"crayon-i\">ptr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">esi<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591e1e59db7bc663051317-4\"><span class=\"crayon-v\">seg001<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">02F6F139<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">push&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">edi<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-591e1e59db7bc663051317-5\"><span class=\"crayon-v\">seg001<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">02F6F13A<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">call&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">eax<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0015 seconds] -->  <\/p>\n<p>The ability to jump to an arbitrary address depends on the ability to place controlled content at a fixed address. Heap spraying could be used for this purpose. 
This is believed achievable due to the complexity of the Bitdefender engine.<\/p>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3211\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Thu, 18 May 2017 05:34:17 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes a Buffer Overflow vulnerability found in Bitdefender Engine PE. Bitdefender provides the Bitdefender &#8220;antimalware&#8221; engine for integration with other security vendors products. The engine is used in Bitdefender&#8217;s own products, for example in Bitdefender Internet Security 2017 and below.
The antimalware engine is the core of the product, among &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3211\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Bitdefender Code Signing organizationName Buffer Overflow<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[12033,10757],"class_list":["post-7699","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-buffer-overflow","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7699","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7699"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7699\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7699"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}