
@32th-System
Last active May 31, 2019 13:19

A custom ECL opcode that can display a popup window. Syntax: ins_720(int a, string)

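If the string contains %d, it is replaced by the value of int a. The string is passed to sprintf as the format string, with a as its only argument, and the output buffer is the string length plus 11 bytes, so the string should contain at most one %d and no other conversion specifiers.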


        "ins_720_code": {
            "code": "6A 00 89 F9 E8 ED 0B F9 FF 50 83 C6 18 56 31 C0 8A 0E 46 40 84 C9 75 F8 83 C0 0A 50 E8 2C 0B FF FF 83 C4 04 50 6A 00 6A 00 68 50 AE 4A 00 FF 15 30 71 49 00 68 70 AE 4A 00 50 FF 15 D8 70 49 00 FF D0 6A 00 68 80 AE 4A 00 FF 74 24 08 6A 00 FF 15 08 72 49 00 83 C4 0C E9 6F DB F8 FF",
            "addr": "Rx96f9a"
        },
        "ins_720_strings": {
            "addr": "Rxaae50",
            "code": "6E 00 74 00 64 00 6C 00 6C 00 2E 00 64 00 6C 00 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 73 70 72 69 6E 74 66 00 00 00 00 00 00 00 00 00 45 43 4C 20 4D 65 73 73 61 67 65"
        },
        "ins_720_addr": {
            "addr": "Rx24e34",
            "code": "9a6f4900"
        }

0x496F9A

; ins_720 handler, placed at 0x496F9A (32-bit x86, debugger-style listing).
; Immediates are hexadecimal (18 = 0x18, A = 0xA, C = 0xC), matching the
; encodings 83 C6 18 / 83 C0 0A / 83 C4 0C in ins_720_code.
;
; Effect, in pseudo-C:
;   a   = local_var_handle(0)              ; via ecx = edi
;   str = (char *)(esi + 0x18)
;   buf = malloc(strlen(str) + 1 + 0xA)
;   sprintf(buf, str, a)                   ; sprintf resolved from ntdll.dll
;   MessageBoxA(0, buf, "ECL Message", 0)
;   goto ecl_ret
;
; NOTE(review): str is taken from the ECL instruction and used directly as the
; sprintf format, with exactly one argument supplied. The allocation leaves
; room for one expanded %d only; any additional or different conversion reads
; beyond the supplied argument or writes past the buffer. A handler meant for
; ECL files from untrusted sources would validate the format or copy the text
; without going through a format function.
; NOTE(review): the results of malloc, LoadLibraryExW and GetProcAddress are
; used without a NULL check, and buf is not freed anywhere in this listing.
push 0                                  ; argument for local_var_handle - presumably the index of ECL argument a; confirm
mov ecx,edi                             ; ecx = edi - presumably the thiscall object pointer; confirm
call <th17.local_var_handle> ; 0x427B90
push eax                                ; sprintf arg 3: the int that replaces %d
add esi,18                              ; esi = start of the string (0x18 bytes in - presumably from the current instruction; confirm)
push esi                                ; sprintf arg 2: format string, pushed before esi is advanced
xor eax,eax                             ; eax = byte counter
; Length loop: counts every byte including the terminating 0, so eax ends as
; strlen + 1. esi is left pointing just past the terminator.
; NOTE(review): esi is not restored before the jump to ecl_ret; whether
; ecl_ret relies on esi is not visible here.
mov cl,byte ptr ds:[esi]
inc esi
inc eax
test cl,cl
jne th17.496FAA ; jumps to mov cl, [esi]
add eax,A                               ; + 0xA bytes of slack for the expanded %d
push eax
call <th17._malloc> ; 0x487AE7
add esp,4                               ; caller removes the malloc argument
push eax                                ; sprintf arg 1: destination buffer (not checked for NULL)
; LoadLibraryExW(L"ntdll.dll", 0, 0): arguments are pushed right to left.
push 0
push 0
push th17.4AAE50 ; L"ntdll.dll"
call dword ptr ds:[<&LoadLibraryExW>]
; GetProcAddress(module, "sprintf"); the module handle in eax is not checked.
push th17.4AAE70 ; "sprintf"
push eax
call dword ptr ds:[<&GetProcAddress>]
; eax is called without a NULL check. The three sprintf arguments pushed
; earlier (buf, str, a) are still on the stack after the call returns.
call eax ; call to ntdll sprintf
push 0                                  ; last MessageBoxA argument (0)
; NOTE(review): the ins_720_strings bytes end with "ECL Message" and no
; trailing 00, so the caption's terminator depends on the byte already
; present after it in the image.
push th17.4AAE80 ; "ECL Message"
push dword ptr ss:[esp+8]               ; text = buf: two dwords were pushed since sprintf, so [esp+8] is sprintf arg 1
push 0                                  ; first MessageBoxA argument (0)
call dword ptr ds:[<&sub_71833CB0>] ; call to MessageBoxA
add esp,C                               ; drop the three sprintf arguments (0xC bytes); buf itself is never freed
jmp <th17.ecl_ret> ; 0x424B66