// Instruction-length classifier for the opcode byte at [eax] (x86-32, Intel syntax).
// Result is returned in eax (routed through edx): 5 for push imm32 (68) and
// jmp rel32 (E9), 2 for a register-direct mov r32,r/m32 (8B with ModRM mod=11).
// Every other byte ends at L00482257, which copies edx to eax although no
// instruction in this listing writes edx on that path -- the result is then
// whatever edx held on entry, which is the defect discussed below the listing.
// Lengths are computed by a running subtraction chain on cl, so each compare
// below is "zero iff the original byte b equals ...".
// The "[i]" / "[/i]" tokens on three lines are forum italics markup, not code.
// Targets L0048224A and L00482252 lie outside this listing.
mov cl,[eax]                        // cl = b, first opcode byte
add cl,0xB0                         // cl = b + B0 (mod 256): 50..57 -> 00..07, 58 -> 08, 68 -> 18, 8B -> 3B, E9 -> 99
sub cl,08h                          // borrow (CF) only for b in 50..57; b = 58 gives cl = 0 and falls through
// NOTE(review): the "58 pop eax" annotation does not match this jc as written (taken for 50..57) -- confirm against the binary
jc L0048224A //58 pop eax
sub cl,10h                          // cl = b + 98: zero iff b == 68 (push imm32)
jz L00482252 //68 push 0xyyyyyyyy
sub cl,23h                          // cl = b + 75: zero iff b == 8B (mov r32, r/m32)
jz L00482239 //8b [mov ]
sub cl,5Eh                          // cl = b + 17: zero iff b == E9 (jmp rel32)
[i] jnz L00482257[/i]                // anything else: unhandled, return edx as-is
mov edx,00000005h //e9              // jmp rel32 is 5 bytes
mov eax,edx
retn
L00482239:                          // mov r32, r/m32: look at the ModRM byte
mov al,[eax+01h]                    // al = ModRM
add al,40h                          // add/sub pair leaves al unchanged; the sub borrows iff ModRM >= C0 (mod=11, register operand)
sub al,40h
[i] jnc L00482257                   // memory operand (mod != 11): length not handled, return edx as-is
[/i] mov edx,00000002h              // register-direct mov is 2 bytes
mov eax,edx
retn
L00482257:                          // shared exit for unhandled encodings
mov eax,edx                         // edx was never written above on this path: indeterminate return value
retn
It only handles these cases: "pop eax" = 1, "push xxxxxxxx" = 5, "mov xx,xx" = 2 (or the indefinite edx register value), and "jmp xxxxxxxx" = 5.
Otherwise it returns whatever indefinite value the edx register happens to hold.
It does not seem to initialize the return value, does it?
The return value then depends on the edx value left behind by the previous GetProcAddress call (which may be a very large value).
So, when any security application or game-guard application hooks CreateActCtxW, the executable may crash.