Contribute  :  Web Resources  :  Past Polls  :  Site Statistics  :  Downloads  :  Forum  
    BiW ReversingThe challenge is yours    
 Welcome to BiW Reversing
 Friday, April 03 2020 @ 07:23 AM CEST

ACProtect 1.09 - manually unpacking

   

TutorialsLevel : intermediate

=======================
ACProtect 1.09 - manually unpacking
=======================


ACProtect is not bad protector. It has some dumb things , but it also has some good features. This tutorial will explain unpacking of version 1.09 altough at first look his version looks like 1.41. I guess that they are all very simular.

Target can be found at :
http://tuts4you.com/unpackme/ACProtect/ACProtect%201.09g/UnPackMe_ACProtect1.09g.a.exe


Problems that we have to solve:

- Find OEP,
- Avoid IsDebuggerPresent check,
- Avoid CreateToolhep32Snapshot check,
- Restore stolen OEP bytes,
- Fix imports,
- Fix stolen code.




1. Avoid debugger tricks and find OEP

Use some plugin to hide olly from IsDebuggerPresent api.


Then go to CreateToolhelp32Snapshot:

77E999A6 > 55 PUSH EBP
77E999A7 8BEC MOV EBP,ESP
77E999A9 83EC 0C SUB ESP,0C
77E999AC 56 PUSH ESI
77E999AD 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]
77E999B0 85F6 TEST ESI,ESI
77E999B2 0F84 52E60000 JE kernel32.77EA800A
77E999B8 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
77E999BB 50 PUSH EAX
77E999BC 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
77E999BF 50 PUSH EAX
...
...

And patch it:

77E999A6 > 33C0 XOR EAX,EAX
77E999A8 90 NOP
77E999A9 90 NOP
77E999AA 90 NOP
77E999AB 90 NOP
...
...
77E99A15 90 NOP
77E99A16 90 NOP
77E99A17 C2 0800 RETN 8 <------- Place bp here.

This api retrieves snapshot of all processes, heaps and threads (depends of parameters). If EAX=0, protector will think that there are no processes running. Smart protector :)


Place bp's and run. You will two times break on bp. When you break second time, check in memory map first section (select disassemble view):

00401000 56 PUSH ESI
00401001 57 PUSH EDI
00401002 8BF1 MOV ESI,ECX
00401004 E8 996A0300 CALL UnPackMe.00437AA2
00401009 8D7E 3C LEA EDI,DWORD PTR DS:[ESI+3C]
0040100C C706 74B14400 MOV DWORD PTR DS:[ESI],UnPackMe.0044B174 ; ASCII "IMD"
00401012 8BCF MOV ECX,EDI
00401014 E8 68070000 CALL UnPackMe.00401781
00401019 6A 0F PUSH 0F
0040101B C706 ACB04400 MOV DWORD PTR DS:[ESI],UnPackMe.0044B0AC ; ASCII "IMD"
00401021 C707 9CB04400 MOV DWORD PTR DS:[EDI],UnPackMe.0044B09C
00401027 FF15 800E4600 CALL DWORD PTR DS:[460E80]
0040102D 50 PUSH EAX
0040102E 8BCF MOV ECX,EDI
00401030 E8 4A080000 CALL UnPackMe.0040187F
00401035 8BC6 MOV EAX,ESI
00401037 5F POP EDI
...
...



Code is decrypted! ACProtector desn't encrypt sections, it only has packing option. If target is not packed, you can make inline patch imidialtey, but I don't remember anymore if there was some CRC checks.



Place memory bp on access on first section and run. You will break on false OEP:

004271B5 . 68 600E4500 PUSH UnPackMe.00450E60
004271BA . 68 C8924200 PUSH UnPackMe.004292C8 ; SE handler installation
004271BF . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004271C5 . 50 PUSH EAX
004271C6 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
004271CD . 83C4 A8 ADD ESP,-58
004271D0 . 53 PUSH EBX
004271D1 . 56 PUSH ESI
004271D2 . 57 PUSH EDI ; ntdll.77F5164E
004271D3 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004271D6 . FF15 DC0A4600 CALL DWORD PTR DS:[460ADC] ; UnPackMe.0046B492
004271DC . 33D2 XOR EDX,EDX
004271DE . 8AD4 MOV DL,AH
004271E0 . 8915 34E64500 MOV DWORD PTR DS:[45E634],EDX
004271E6 . 8BC8 MOV ECX,EAX
004271E8 . 81E1 FF000000 AND ECX,0FF
004271EE . 890D 30E64500 MOV DWORD PTR DS:[45E630],ECX
004271F4 . C1E1 08 SHL ECX,8
004271F7 . 03CA ADD ECX,EDX
004271F9 . 890D 2CE64500 MOV DWORD PTR DS:[45E62C],ECX
004271FF . C1E8 10 SHR EAX,10
...
...


This looks like some VC++ 5-6. Scroll up and you'll see that five bytes are destroyed:

004271B0 4B DB 4B ; CHAR 'K'
004271B1 81 DB 81
004271B2 73 DB 73 ; CHAR 's'
004271B3 F2 DB F2
004271B4 19 DB 19

Just 5 bytes missing, you probably already know what one goes there, but we will lates talk about this.





2. Imports problem


You can also see that imports are obfuscated, check this call which should lead to GetVersion:

004271D6 . FF15 DC0A4600 CALL DWORD PTR DS:[460ADC] ; UnPackMe.0046B492

Instead it jumps to protector section at:

0046B492 68 DECED170 PUSH 70D1CEDE
0046B497 813424 4B1E3607 XOR DWORD PTR SS:[ESP],7361E4B
0046B49E C3 RETN

Easy, 70D1CEDE XOR 7361E4B = GetVersion address.

You will notice whole table of this jumps. We could easy write script for olly that would fix all these jumps and XOR-ing. But we will later see that we can just prevent this jump redirection.




3. Stolen code


This is at first look heavy problem. Below import table, you can find new redirection table:

0046C0F4 00FF ADD BH,BH
0046C0F6 25 605A1600 AND EAX,165A60
0046C0FB -FF25 645A1600 JMP DWORD PTR DS:[165A64]
0046C101 -FF25 685A1600 JMP DWORD PTR DS:[165A68]
0046C107 -FF25 6C5A1600 JMP DWORD PTR DS:[165A6C]
...
...
0046D841 -FF25 E8691600 JMP DWORD PTR DS:[1669E8]
0046D847 -FF25 EC691600 JMP DWORD PTR DS:[1669EC]
0046D84D -FF25 F0691600 JMP DWORD PTR DS:[1669F0]
0046D853 -FF25 F4691600 JMP DWORD PTR DS:[1669F4]
0046D859 -FF25 F8691600 JMP DWORD PTR DS:[1669F8]
0046D85F -FF25 FC691600 JMP DWORD PTR DS:[1669FC]


This jumps points to new table:

00166A00 8BF1 MOV ESI,ECX
00166A02 8B4E 34 MOV ECX,DWORD PTR DS:[ESI+34]
00166A05 C3 RETN
00166A06 8BF1 MOV ESI,ECX
00166A08 8B4E 38 MOV ECX,DWORD PTR DS:[ESI+38]
00166A0B C3 RETN
00166A0C 8BF1 MOV ESI,ECX
00166A0E 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
00166A11 C3 RETN
...
...
001672BE 33DB XOR EBX,EBX
001672C0 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
001672C3 C3 RETN
001672C4 8948 0C MOV DWORD PTR DS:[EAX+C],ECX
001672C7 8B0F MOV ECX,DWORD PTR DS:[EDI]
001672C9 C3 RETN
001672CA 8BF1 MOV ESI,ECX
001672CC 8B46 5C MOV EAX,DWORD PTR DS:[ESI+5C]
001672CF C3 RETN
001672D0 03C1 ADD EAX,ECX
001672D2 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; ntdll.77F5164E
001672D5 C3 RETN

Ths can be easy fixed too.






4. Deprotecting target


Now we going to restart unpackme again and fix all our problems.



4.1. Fixing imports


First we need to fix import problems. Remember where GetVersion should be? At 460ADC. Go in dump and place hw bp on access there. Run and you should break here:

004743D3 8907 MOV DWORD PTR DS:[EDI],EAX
004743D5 8385 24404000 04 ADD DWORD PTR SS:[EBP+404024],4 <-------- You are here!

You are in procedure that fu**s imports. In below snippet I wrote what needs to be patched in order to prevent redirecting:


00474309 58 POP EAX
0047430A 5F POP EDI
0047430B 5E POP ESI
0047430C 81E3 FFFFFF0F AND EBX,0FFFFFFF
00474312 53 PUSH EBX
00474313 FFB5 20404000 PUSH DWORD PTR SS:[EBP+404020]
00474319 FF95 68C24100 CALL DWORD PTR SS:[EBP+41C268] ; kernel32.GetProcAddress
0047431F 3B9D 28404000 CMP EBX,DWORD PTR SS:[EBP+404028]
00474325 7C 0F JL SHORT UnPackMe.00474336
00474327 90 NOP
00474328 90 NOP
00474329 90 NOP
0047432A 90 NOP
0047432B 60 PUSHAD
0047432C 2BC0 SUB EAX,EAX
0047432E 8803 MOV BYTE PTR DS:[EBX],AL
00474330 43 INC EBX
00474331 3803 CMP BYTE PTR DS:[EBX],AL
00474333 ^75 F9 JNZ SHORT UnPackMe.0047432E
00474335 61 POPAD
00474336 0BC0 OR EAX,EAX ; kernel32.MulDiv
00474338 ^0F84 2EFFFFFF JE UnPackMe.0047426C
0047433E 3B85 78C24100 CMP EAX,DWORD PTR SS:[EBP+41C278] ; USER32.MessageBoxA
00474344 75 0A JNZ SHORT UnPackMe.00474350 <------------------------ Patch to JMP!!!
00474346 90 NOP
00474347 90 NOP
00474348 90 NOP
00474349 90 NOP
0047434A 8D85 CB454000 LEA EAX,DWORD PTR SS:[EBP+4045CB]
00474350 56 PUSH ESI ; UnPackMe.00460014
00474351 FFB5 20404000 PUSH DWORD PTR SS:[EBP+404020] ; kernel32.77E60000
00474357 5E POP ESI ; UnPackMe.0047891A
00474358 39B5 E9204000 CMP DWORD PTR SS:[EBP+4020E9],ESI ; UnPackMe.00460014
0047435E 74 15 JE SHORT UnPackMe.00474375
00474360 90 NOP
00474361 90 NOP

00474362 90 NOP
00474363 90 NOP
00474364 39B5 ED204000 CMP DWORD PTR SS:[EBP+4020ED],ESI ; UnPackMe.00460014
0047436A 74 09 JE SHORT UnPackMe.00474375
0047436C 90 NOP
0047436D 90 NOP
0047436E 90 NOP
0047436F 90 NOP
00474370 EB 60 JMP SHORT UnPackMe.004743D2
00474372 90 NOP
00474373 90 NOP
00474374 90 NOP
00474375 80BD 87A34000 00 CMP BYTE PTR SS:[EBP+40A387],0
0047437C 74 54 JE SHORT UnPackMe.004743D2 <------------ Patch to JMP!!!
0047437E 90 NOP
0047437F 90 NOP
00474380 90 NOP
00474381 90 NOP
00474382 EB 07 JMP SHORT UnPackMe.0047438B
00474384 90 NOP
00474385 90 NOP
00474386 90 NOP
00474387 0100 ADD DWORD PTR DS:[EAX],EAX ; kernel32.MulDiv
00474389 0000 ADD BYTE PTR DS:[EAX],AL
0047438B 8BB5 ED404000 MOV ESI,DWORD PTR SS:[EBP+4040ED] ; UnPackMe.0046B49F
00474391 83C6 0D ADD ESI,0D
00474394 81EE C71F4000 SUB ESI,UnPackMe.00401FC7
0047439A 2BF5 SUB ESI,EBP
0047439C 83FE 00 CMP ESI,0
0047439F 7F 31 JG SHORT UnPackMe.004743D2 <------------ Patch to JMP!!!
004743A1 90 NOP
004743A2 90 NOP
004743A3 90 NOP
004743A4 90 NOP
004743A5 8BB5 ED404000 MOV ESI,DWORD PTR SS:[EBP+4040ED] ; UnPackMe.0046B49F
004743AB 53 PUSH EBX ; UnPackMe.00461298
004743AC 50 PUSH EAX ; kernel32.MulDiv
004743AD 0F31 RDTSC
004743AF 8BD8 MOV EBX,EAX ; kernel32.MulDiv
004743B1 58 POP EAX ; UnPackMe.0047891A
004743B2 33C3 XOR EAX,EBX ; UnPackMe.00461298
004743B4 C606 68 MOV BYTE PTR DS:[ESI],68
004743B7 8946 01 MOV DWORD PTR DS:[ESI+1],EAX ; kernel32.MulDiv
004743BA C746 05 81342400 MOV DWORD PTR DS:[ESI+5],243481
004743C1 895E 08 MOV DWORD PTR DS:[ESI+8],EBX ; UnPackMe.00461298
004743C4 C646 0C C3 MOV BYTE PTR DS:[ESI+C],0C3
004743C8 5B POP EBX ; UnPackMe.0047891A
004743C9 8BC6 MOV EAX,ESI ; UnPackMe.00460014
004743CB 8385 ED404000 0D ADD DWORD PTR SS:[EBP+4040ED],0D
004743D2 5E POP ESI ; UnPackMe.0047891A
004743D3 8907 MOV DWORD PTR DS:[EDI],EAX ; kernel32.MulDiv
004743D5 8385 24404000 04 ADD DWORD PTR SS:[EBP+404024],4
004743DC ^E9 D6FEFFFF JMP UnPackMe.004742B7
004743E1 83C6 14 ADD ESI,14
004743E4 8B95 28404000 MOV EDX,DWORD PTR SS:[EBP+404028] ; UnPackMe.00400000
004743EA ^E9 38FEFFFF JMP UnPackMe.00474227
004743EF 60 PUSHAD
004743F0 E8 00000000 CALL UnPackMe.004743F5
004743F5 5E POP ESI ; UnPackMe.0047891A
004743F6 83EE 06 SUB ESI,6
004743F9 B9 F2010000 MOV ECX,1F2
004743FE 29CE SUB ESI,ECX ; ntdll.77F532FA
00474400 BA FDD5D6E3 MOV EDX,E3D6D5FD
00474405 C1E9 02 SHR ECX,2
00474408 83E9 02 SUB ECX,2
0047440B 83F9 00 CMP ECX,0
0047440E 7C 1A JL SHORT UnPackMe.0047442A
00474410 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]
00474413 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
00474417 33C3 XOR EAX,EBX ; UnPackMe.00461298
00474419 C1C8 06 ROR EAX,6
0047441C 33C2 XOR EAX,EDX ; ntdll.77FC306C
0047441E 81F2 356E723B XOR EDX,3B726E35
00474424 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX ; kernel32.MulDiv
00474427 49 DEC ECX ; ntdll.77F532FA
00474428 ^EB E1 JMP SHORT UnPackMe.0047440B
0047442A 61 POPAD
0047442B 61 POPAD
0047442C E8 2DA7FFFF CALL UnPackMe.0046EB5E
00474431 C3 RETN


If you patch all those jumps, there won't be redirection. Firts jump is if api is MessageBoxA, that api is always redirected (for some internal purpose probably). Two others needs to be patched too. I forgot to say, you need place hv bp on execution on some line in that procedure, like on

00474319 FF95 68C24100 CALL DWORD PTR SS:[EBP+41C268]

and restart target to find this again before every single import is redirected. Then patch jumps, place bp on first section and run. You will land on false OEP , but imports are OK, see:

004271B5 . 68 600E4500 PUSH UnPackMe.00450E60
004271BA . 68 C8924200 PUSH UnPackMe.004292C8 ; SE handler installation
004271BF . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004271C5 . 50 PUSH EAX
004271C6 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
004271CD . 83C4 A8 ADD ESP,-58
004271D0 . 53 PUSH EBX
004271D1 . 56 PUSH ESI
004271D2 . 57 PUSH EDI
004271D3 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004271D6 . FF15 DC0A4600 CALL DWORD PTR DS:[460ADC] ; kernel32.GetVersion
...
...



4.2. Fixing stolen code


Remember our jumps:

0046C0F5 -FF25 605A1600 JMP DWORD PTR DS:[165A60]
0046C0FB -FF25 645A1600 JMP DWORD PTR DS:[165A64]
0046C101 -FF25 685A1600 JMP DWORD PTR DS:[165A68]
...
...
...
0046D853 -FF25 F4691600 JMP DWORD PTR DS:[1669F4]
0046D859 -FF25 F8691600 JMP DWORD PTR DS:[1669F8]
0046D85F -FF25 FC691600 JMP DWORD PTR DS:[1669FC]

Follow first jump and you will see that it points to first obfuscation pattern in table. Every jump points to single pattern in table. All jumps are 6-bytes opcode and all patterns in table are 6-byte opcodes too:

00166A00 8BF1 MOV ESI,ECX
00166A02 8B4E 34 MOV ECX,DWORD PTR DS:[ESI+34]
00166A05 C3 RETN
00166A06 8BF1 MOV ESI,ECX
00166A08 8B4E 38 MOV ECX,DWORD PTR DS:[ESI+38]
00166A0B C3 RETN
00166A0C 8BF1 MOV ESI,ECX
00166A0E 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
00166A11 C3 RETN
...
...
...
001672C4 8948 0C MOV DWORD PTR DS:[EAX+C],ECX
001672C7 8B0F MOV ECX,DWORD PTR DS:[EDI]
001672C9 C3 RETN
001672CA 8BF1 MOV ESI,ECX
001672CC 8B46 5C MOV EAX,DWORD PTR DS:[ESI+5C]
001672CF C3 RETN
001672D0 03C1 ADD EAX,ECX
001672D2 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
001672D5 C3 RETN

So I will just binary copy-paste whole onfuscation table and replace jumps:

0046C0F5 8BF1 MOV ESI,ECX
0046C0F7 8B4E 34 MOV ECX,DWORD PTR DS:[ESI+34]
0046C0FA C3 RETN
0046C0FB 8BF1 MOV ESI,ECX
0046C0FD 8B4E 38 MOV ECX,DWORD PTR DS:[ESI+38]
0046C100 C3 RETN
...
...
0046C9BF 8BF1 MOV ESI,ECX
0046C9C1 8B46 5C MOV EAX,DWORD PTR DS:[ESI+5C]
0046C9C4 C3 RETN
0046C9C5 03C1 ADD EAX,ECX
0046C9C7 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0046C9CA C3 RETN
0046C9CB -FF25 44601600 JMP DWORD PTR DS:[166044]
0046C9D1 -FF25 48601600 JMP DWORD PTR DS:[166048]
0046C9D7 -FF25 4C601600 JMP DWORD PTR DS:[16604C]
0046C9DD -FF25 50601600 JMP DWORD PTR DS:[166050]
0046C9E3 -FF25 54601600 JMP DWORD PTR DS:[166054]
...
...
0046D859 -FF25 F8691600 JMP DWORD PTR DS:[1669F8]
0046D85F -FF25 FC691600 JMP DWORD PTR DS:[1669FC]


But we can see that there are mush more jumps that obfuscation patterns! Rest of jumps are probably just leftover with no purpose.




4.3. Dumping


We will dump target now, but stolen OEP we will solve later. I just dumped it with LordPE. I used ImpREC to find imports and it found all of them, about 441. Neither one invalid. I fixed dump and run it, file worked OK without stolen OEP.




4.4. Finding stolen OEP bytes


Ah, this is pain in the ass. We need to trace whole day to find where it hide those bytes because ACProtect has encryption layer under layer. I made small script that will pass this layers ( script just finds jmp that jumps backwards, place bp below it and run, then again). Stolen code is here:

00485AF2 61 POPAD
00485AF3 55 PUSH EBP <------------- Stolen.
00485AF4 8BEC MOV EBP,ESP <---------- Stolen.
00485AF6 6A FF PUSH -1 <-------------- Stolen.
00485AF8 90 NOP
00485AF9 60 PUSHAD
00485AFA 60 PUSHAD
00485AFB E8 00000000 CALL UnPackMe.00485B00
00485B00 5E POP ESI ; ntdll.77F5164E
00485B01 83EE 06 SUB ESI,6
00485B04 B9 35000000 MOV ECX,35
00485B09 29CE SUB ESI,ECX
00485B0B BA FDD5D6E3 MOV EDX,E3D6D5FD
00485B10 C1E9 02 SHR ECX,2
00485B13 83E9 02 SUB ECX,2
00485B16 83F9 00 CMP ECX,0
00485B19 7C 1A JL SHORT UnPackMe.00485B35
00485B1B 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]
00485B1E 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
00485B22 33C3 XOR EAX,EBX
00485B24 C1C8 06 ROR EAX,6
00485B27 33C2 XOR EAX,EDX
00485B29 81F2 356E723B XOR EDX,3B726E35
00485B2F 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX
00485B32 49 DEC ECX
00485B33 ^EB E1 JMP SHORT UnPackMe.00485B16
00485B35 61 POPAD

In newer versions of ACProtect there are lots of this caves with stolen code and we cannot find original bytes. But we can fix that by just attaching whole this code to main image and placng oep there. But in this example I will just restore these bytes. Before:

004271B0 4B DB 4B ; CHAR 'K'
004271B1 81 DB 81
004271B2 73 DB 73 ; CHAR 's'
004271B3 F2 DB F2
004271B4 19 DB 19
004271B5 > $ 68 600E4500 PUSH dumped_.00450E60
004271BA . 68 C8924200 PUSH dumped_.004292C8 ; SE handler installation
004271BF . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004271C5 . 50 PUSH EAX
004271C6 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP

After:

004271B0 55 PUSH EBP
004271B1 8BEC MOV EBP,ESP
004271B3 6A FF PUSH -1
004271B5 > $ 68 600E4500 PUSH dumped_.00450E60
004271BA . 68 C8924200 PUSH dumped_.004292C8 ; SE handler installation
004271BF . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004271C5 . 50 PUSH EAX
004271C6 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP

Now just with LordPE set OEP to 4271B0-400000=271B0 and that's it!


Here is script for passing layers:

/////////////// Start /////////////////
LABEL01:
find eip,#0F85????FFFF#
add $RESULT,6
bp $RESULT
esto
bc eip
msgyn "One more layer?"
cmp $RESULT,0
jne LABEL01
ret
////////////// End /////////////////////



haggar 2005




What's Related

Story Options

ACProtect 1.09 - manually unpacking | 2 comments | Create New Account
The following comments are owned by whomever posted them. This site is not responsible for what they say.
ACProtect 1.09 - manually unpacking
Authored by: Human on Tuesday, December 20 2005 @ 01:57 PM CET
well you dont have to trace whole day or use script to find stolen oep bytes, F7 on pushad goto esp
hardware bp on dword write or access and run, and we land on popad and we have stolen bytes right in front our eyes:)
enjoy.
good work on other tuts, they are really interesting,especially codesplicing before there was arminline:)
ACProtect 1.09 - manually unpacking
Authored by: haggar on Tuesday, December 20 2005 @ 10:33 PM CET
Yep but where to find right pushad? There are many of them since ACP has layer after layer and between them parts that doing job, I didn't notice that it can be done such simple.
 Copyright © 2020 BiW Reversing
 All trademarks and copyrights on this page are owned by their respective owners.
Powered By Geeklog 
Created this page in 0.79 seconds