Module zero inside a packed Hancitor sample with SHA1 37f6f1f59bf7952fd7182deeb07d4cd0d367dd59
The disassembly output below is part of the blog post "Hancitor packer demystified". If you landed here via Google, you probably want to go to the home page instead.
.text:0040266D
.text:0040266D ; =============== S U B R O U T I N E =======================================
.text:0040266D
.text:0040266D ; Attributes: bp-based frame
.text:0040266D
.text:0040266D ; Entry point of the packer's "module zero".  Two long counting loops and a
.text:0040266D ; few Win32 calls update locals and globals that this procedure never reads
.text:0040266D ; back for a branch decision.  The only values that decide where execution
.text:0040266D ; goes are: the two loop counters (var_30, var_34), var_4 (the predicate at
.text:0040266D ; 4027E0) and var_8 (the target of the indirect call at 402842).  Everything
.text:0040266D ; else appears to be padding/obfuscation; the globals written here may of
.text:0040266D ; course be read by other modules, which this listing does not show.
.text:0040266D
.text:0040266D                 public start
.text:0040266D start           proc near
.text:0040266D
.text:0040266D var_34          = dword ptr -34h      ; counter of the second loop (0 .. 2DF1DA9h)
.text:0040266D var_30          = dword ptr -30h      ; counter of the first loop  (0 .. 8B0031h)
.text:0040266D var_24          = dword ptr -24h      ; scratch: written/added into globals, never branched on
.text:0040266D var_20          = dword ptr -20h      ; scratch
.text:0040266D var_1C          = dword ptr -1Ch      ; scratch: set by the dword_40C2F0 test, incremented once, never read again
.text:0040266D var_18          = dword ptr -18h      ; scratch
.text:0040266D var_10          = dword ptr -10h      ; scratch
.text:0040266D var_C           = dword ptr -0Ch      ; scratch
.text:0040266D var_8           = dword ptr -8        ; indirect-call target: seeded with 0FFE4C3F7h, bumped inside the second loop
.text:0040266D var_4           = dword ptr -4        ; copy of ecx taken after CreateMutexA, compared with 0A4DD1133h
.text:0040266D
.text:0040266D 55                                push    ebp
.text:0040266E 8B EC                             mov     ebp, esp
.text:00402670 83 EC 34                          sub     esp, 34h
.text:00402673 53                                push    ebx             ; ebx is the only callee-saved register touched; it holds the call target at 40283B
.text:00402674 C7 05 E4 E4 40 00 06 00 00 00     mov     dword_40E4E4, 6 ; write-only global (within this procedure)
.text:0040267E A1 44 C6 40 00                    mov     eax, ds:dword_40C644
.text:00402683 83 C0 03                          add     eax, 3
.text:00402686 89 45 E0                          mov     [ebp+var_20], eax
.text:00402689 C7 05 F8 E2 40 00 3D 00 00 00     mov     dword_40E2F8, 3Dh ; write-only global (within this procedure)
.text:00402693 C7 45 F0 F4 C3 40 00              mov     [ebp+var_10], offset unk_40C3F4
.text:0040269A C7 45 DC 63 00 00 00              mov     [ebp+var_24], 63h
.text:004026A1 83 3D F0 C2 40 00 00              cmp     ds:dword_40C2F0, 0 ; only chooses the initial value of var_1C, a scratch local
.text:004026A8 75 09                             jnz     short loc_4026B3
.text:004026AA C7 45 E4 F4 C8 40 00              mov     [ebp+var_1C], offset unk_40C8F4
.text:004026B1 EB 08                             jmp     short loc_4026BB
.text:004026B3 ; ---------------------------------------------------------------------------
.text:004026B3
.text:004026B3 loc_4026B3:                             ; CODE XREF: start+3B↑j
.text:004026B3 A1 38 E3 40 00                    mov     eax, dword_40E338
.text:004026B8 89 45 E4                          mov     [ebp+var_1C], eax
.text:004026BB
.text:004026BB loc_4026BB:                             ; CODE XREF: start+44↑j
.text:004026BB C7 45 F4 80 C2 40 00              mov     [ebp+var_C], offset unk_40C280
.text:004026C2 83 65 E8 00                       and     [ebp+var_18], 0 ; var_18 = 0
.text:004026C6 83 65 D0 00                       and     [ebp+var_30], 0 ; var_30 = 0 (first loop counter)
.text:004026CA EB 07                             jmp     short loc_4026D3
.text:004026CC ; ---------------------------------------------------------------------------
.text:004026CC
.text:004026CC loc_4026CC:                             ; CODE XREF: start+90↓j
.text:004026CC 8B 45 D0                          mov     eax, [ebp+var_30]
.text:004026CF 40                                inc     eax
.text:004026D0 89 45 D0                          mov     [ebp+var_30], eax ; var_30++
.text:004026D3
.text:004026D3 loc_4026D3:                             ; CODE XREF: start+5D↑j
.text:004026D3 ; First loop: runs while var_30 < 8B0031h (9,109,553 iterations).  Each
.text:004026D3 ; iteration does dword_40E3F8 -= 0Ah and dword_40E0D0 += var_30 / 13.
.text:004026D3 ; Neither global is read back by this procedure, so the loop mainly burns
.text:004026D3 ; time (a common anti-emulation/sandbox-timeout pattern; confirm intent
.text:004026D3 ; against the other modules).
.text:004026D3 81 7D D0 31 00 8B 00              cmp     [ebp+var_30], 8B0031h
.text:004026DA 7D 23                             jge     short loc_4026FF
.text:004026DC A1 F8 E3 40 00                    mov     eax, dword_40E3F8
.text:004026E1 83 E8 0A                          sub     eax, 0Ah
.text:004026E4 A3 F8 E3 40 00                    mov     dword_40E3F8, eax
.text:004026E9 8B 45 D0                          mov     eax, [ebp+var_30]
.text:004026EC 99                                cdq
.text:004026ED 6A 0D                             push    0Dh
.text:004026EF 59                                pop     ecx             ; ecx = 13
.text:004026F0 F7 F9                             idiv    ecx             ; eax = var_30 / 13
.text:004026F2 03 05 D0 E0 40 00                 add     eax, dword_40E0D0
.text:004026F8 A3 D0 E0 40 00                    mov     dword_40E0D0, eax
.text:004026FD EB CD                             jmp     short loc_4026CC
.text:004026FF ; ---------------------------------------------------------------------------
.text:004026FF
.text:004026FF loc_4026FF:                             ; CODE XREF: start+6D↑j
.text:004026FF FF 15 F0 C1 40 00                 call    ds:GetCommandLineA ; returns a pointer to the command line, non-NULL on a normal process
.text:00402705 85 C0                             test    eax, eax
.text:00402707 75 1B                             jnz     short loc_402724 ; normally taken; the fall-through only reshuffles scratch locals
.text:00402709 8B 45 E0                          mov     eax, [ebp+var_20]
.text:0040270C 83 C0 62                          add     eax, 62h
.text:0040270F 89 45 E0                          mov     [ebp+var_20], eax
.text:00402712 8B 45 F4                          mov     eax, [ebp+var_C]
.text:00402715 48                                dec     eax
.text:00402716 89 45 F4                          mov     [ebp+var_C], eax
.text:00402719 8B 45 E8                          mov     eax, [ebp+var_18]
.text:0040271C 03 45 F0                          add     eax, [ebp+var_10]
.text:0040271F 89 45 E8                          mov     [ebp+var_18], eax
.text:00402722 EB 0D                             jmp     short loc_402731
.text:00402724 ; ---------------------------------------------------------------------------
.text:00402724
.text:00402724 loc_402724:                             ; CODE XREF: start+9A↑j
.text:00402724 A1 C4 E3 40 00                    mov     eax, dword_40E3C4
.text:00402729 03 45 DC                          add     eax, [ebp+var_24]
.text:0040272C A3 C4 E3 40 00                    mov     dword_40E3C4, eax ; dword_40E3C4 += var_24 (never read back here)
.text:00402731
.text:00402731 loc_402731:                             ; CODE XREF: start+B5↑j
.text:00402731 8B 45 E4                          mov     eax, [ebp+var_1C]
.text:00402734 40                                inc     eax
.text:00402735 89 45 E4                          mov     [ebp+var_1C], eax ; var_1C++ ; last use of var_1C
.text:00402738 FF 15 AC C1 40 00                 call    ds:GetACP       ; returns the system ANSI code page (non-zero)
.text:0040273E 85 C0                             test    eax, eax
.text:00402740 75 17                             jnz     short loc_402759 ; normally taken
.text:00402742 8B 45 F0                          mov     eax, [ebp+var_10]
.text:00402745 03 45 E0                          add     eax, [ebp+var_20]
.text:00402748 89 45 F0                          mov     [ebp+var_10], eax
.text:0040274B B9 33 11 DD A4                    mov     ecx, 0A4DD1133h ; marker, same value on both arms; checked at 4027E0
.text:00402750 8B 45 F4                          mov     eax, [ebp+var_C]
.text:00402753 40                                inc     eax
.text:00402754 89 45 F4                          mov     [ebp+var_C], eax
.text:00402757 EB 1B                             jmp     short loc_402774
.text:00402759 ; ---------------------------------------------------------------------------
.text:00402759
.text:00402759 loc_402759:                             ; CODE XREF: start+D3↑j
.text:00402759 A1 24 E1 40 00                    mov     eax, dword_40E124
.text:0040275E 03 45 F0                          add     eax, [ebp+var_10]
.text:00402761 A3 24 E1 40 00                    mov     dword_40E124, eax ; dword_40E124 += var_10 (never read back here)
.text:00402766 B9 33 11 DD A4                    mov     ecx, 0A4DD1133h ; marker, same value on both arms; checked at 4027E0
.text:0040276B 8B 45 F0                          mov     eax, [ebp+var_10]
.text:0040276E 83 C0 24                          add     eax, 24h
.text:00402771 89 45 F0                          mov     [ebp+var_10], eax
.text:00402774
.text:00402774 loc_402774:                             ; CODE XREF: start+EA↑j
.text:00402774 ; CreateMutexA(NULL, FALSE, NULL): an unnamed mutex.  The handle returned in
.text:00402774 ; eax is never stored (eax is overwritten on both paths below), so the call
.text:00402774 ; has no lasting effect other than the side effect on registers: ecx is
.text:00402774 ; caller-saved under the Win32 x86 ABI, so the marker loaded above survives
.text:00402774 ; the call only by accident.
.text:00402774 6A 00                             push    0               ; lpName
.text:00402776 6A 00                             push    0               ; bInitialOwner
.text:00402778 6A 00                             push    0               ; lpMutexAttributes
.text:0040277A FF 15 08 C2 40 00                 call    ds:CreateMutexA
.text:00402780 C7 45 F8 F7 C3 E4 FF              mov     [ebp+var_8], 0FFE4C3F7h ; seed of the call target; adjusted at 402859
.text:00402787 83 3D DC E1 40 00 00              cmp     dword_40E1DC, 0 ; selects one of two scratch-only arms
.text:0040278E 74 23                             jz      short loc_4027B3
.text:00402790 8B 45 F0                          mov     eax, [ebp+var_10]
.text:00402793 03 05 70 C4 40 00                 add     eax, ds:dword_40C470
.text:00402799 89 45 F0                          mov     [ebp+var_10], eax
.text:0040279C 8B 45 F4                          mov     eax, [ebp+var_C]
.text:0040279F 83 C0 04                          add     eax, 4
.text:004027A2 89 45 F4                          mov     [ebp+var_C], eax
.text:004027A5 8B 45 DC                          mov     eax, [ebp+var_24]
.text:004027A8 03 05 08 C5 40 00                 add     eax, ds:dword_40C508
.text:004027AE 89 45 DC                          mov     [ebp+var_24], eax
.text:004027B1 EB 12                             jmp     short loc_4027C5
.text:004027B3 ; ---------------------------------------------------------------------------
.text:004027B3
.text:004027B3 loc_4027B3:                             ; CODE XREF: start+121↑j
.text:004027B3 8B 45 F0                          mov     eax, [ebp+var_10]
.text:004027B6 03 45 E8                          add     eax, [ebp+var_18]
.text:004027B9 89 45 F0                          mov     [ebp+var_10], eax
.text:004027BC 8B 45 E0                          mov     eax, [ebp+var_20]
.text:004027BF 83 C0 05                          add     eax, 5
.text:004027C2 89 45 E0                          mov     [ebp+var_20], eax
.text:004027C5
.text:004027C5 loc_4027C5:                             ; CODE XREF: start+144↑j
.text:004027C5 89 4D FC                          mov     [ebp+var_4], ecx ; var_4 = ecx as left by CreateMutexA (neither arm above touches ecx)
.text:004027C8 8B 45 E8                          mov     eax, [ebp+var_18]
.text:004027CB 03 45 F0                          add     eax, [ebp+var_10]
.text:004027CE 89 45 E8                          mov     [ebp+var_18], eax ; var_18 += var_10 ; last use of var_18
.text:004027D1 A1 D0 E0 40 00                    mov     eax, dword_40E0D0
.text:004027D6 05 15 02 00 00                    add     eax, 215h
.text:004027DB A3 D0 E0 40 00                    mov     dword_40E0D0, eax ; dword_40E0D0 += 215h
.text:004027E0 ; Opaque predicate: jumps straight to the return if ecx still held the
.text:004027E0 ; 0A4DD1133h marker after CreateMutexA.  With ecx clobbered by the call the
.text:004027E0 ; fall-through into the second loop is the usual path; an emulator that
.text:004027E0 ; preserves ecx across the API would exit here instead.  Confirm under a
.text:004027E0 ; debugger.
.text:004027E0 81 7D FC 33 11 DD A4              cmp     [ebp+var_4], 0A4DD1133h
.text:004027E7 74 75                             jz      short loc_40285E
.text:004027E9 A1 C4 E3 40 00                    mov     eax, dword_40E3C4
.text:004027EE 03 45 DC                          add     eax, [ebp+var_24]
.text:004027F1 A3 C4 E3 40 00                    mov     dword_40E3C4, eax ; dword_40E3C4 += var_24 ; last use of var_24
.text:004027F6 83 65 CC 00                       and     [ebp+var_34], 0 ; var_34 = 0 (second loop counter)
.text:004027FA EB 07                             jmp     short loc_402803
.text:004027FC ; ---------------------------------------------------------------------------
.text:004027FC
.text:004027FC loc_4027FC:                             ; CODE XREF: start:loc_40285C↓j
.text:004027FC 8B 45 CC                          mov     eax, [ebp+var_34]
.text:004027FF 40                                inc     eax
.text:00402800 89 45 CC                          mov     [ebp+var_34], eax ; var_34++
.text:00402803
.text:00402803 loc_402803:                             ; CODE XREF: start+18D↑j
.text:00402803 ; Second loop: runs while var_34 < 2DF1DA9h (48,176,553).  Per iteration
.text:00402803 ; dword_40E3F8 -= 0C8h and dword_40E0D0 += var_34 / 3 (more write-only
.text:00402803 ; padding).  The two checks at 40282F and 40284D are what matters: the
.text:00402803 ; first fires the indirect call into module one on exactly one iteration,
.text:00402803 ; the second adjusts the call target on every millionth iteration.
.text:00402803 81 7D CC A9 1D DF 02              cmp     [ebp+var_34], 2DF1DA9h
.text:0040280A 7D 52                             jge     short loc_40285E
.text:0040280C A1 F8 E3 40 00                    mov     eax, dword_40E3F8
.text:00402811 2D C8 00 00 00                    sub     eax, 0C8h
.text:00402816 A3 F8 E3 40 00                    mov     dword_40E3F8, eax
.text:0040281B 8B 45 CC                          mov     eax, [ebp+var_34]
.text:0040281E 99                                cdq
.text:0040281F 6A 03                             push    3
.text:00402821 59                                pop     ecx             ; ecx = 3
.text:00402822 F7 F9                             idiv    ecx             ; eax = var_34 / 3
.text:00402824 03 05 D0 E0 40 00                 add     eax, dword_40E0D0
.text:0040282A A3 D0 E0 40 00                    mov     dword_40E0D0, eax
.text:0040282F ; On iteration 2DCB70h (3,001,200) only: ebx = 0 + var_8 and call it.  By
.text:0040282F ; then the check at 40284D has added var_34 to var_8 for var_34 = 0, 1e6,
.text:0040282F ; 2e6 and 3e6 (5B8D80h in total), so the target is 0FFE4C3F7h + 5B8D80h,
.text:0040282F ; which wraps in 32 bits to 405177h -- arithmetic from the constants in this
.text:0040282F ; listing, to be confirmed dynamically.  The "mov ebx, 0 / add ebx, ecx"
.text:0040282F ; pair is just an obfuscated "mov ebx, ecx".
.text:0040282F 81 7D CC 70 CB 2D 00              cmp     [ebp+var_34], 2DCB70h
.text:00402836 75 0C                             jnz     short loc_402844
.text:00402838 8B 4D F8                          mov     ecx, [ebp+var_8]
.text:0040283B BB 00 00 00 00                    mov     ebx, 0
.text:00402840 03 D9                             add     ebx, ecx
.text:00402842 FF D3                             call    ebx             ; JUMP TO MODULE ONE
.text:00402844
.text:00402844 loc_402844:                             ; CODE XREF: start+1C9↑j
.text:00402844 8B 45 CC                          mov     eax, [ebp+var_34]
.text:00402847 99                                cdq
.text:00402848 B9 40 42 0F 00                    mov     ecx, 0F4240h    ; 1,000,000
.text:0040284D F7 F9                             idiv    ecx             ; edx = var_34 mod 1,000,000
.text:0040284F 85 D2                             test    edx, edx
.text:00402851 75 09                             jnz     short loc_40285C
.text:00402853 8B 45 F8                          mov     eax, [ebp+var_8]
.text:00402856 03 45 CC                          add     eax, [ebp+var_34]
.text:00402859 89 45 F8                          mov     [ebp+var_8], eax ; var_8 += var_34 whenever var_34 is a multiple of 1,000,000 (including 0)
.text:0040285C
.text:0040285C loc_40285C:                             ; CODE XREF: start+1E4↑j
.text:0040285C EB 9E                             jmp     short loc_4027FC
.text:0040285E ; ---------------------------------------------------------------------------
.text:0040285E
.text:0040285E loc_40285E:                             ; CODE XREF: start+17A↑j
.text:0040285E                                         ; start+19D↑j
.text:0040285E ; Exit: return 0.  Reached either from the opaque predicate at 4027E7 or
.text:0040285E ; when the second loop completes, which happens only if the call into
.text:0040285E ; module one returns.
.text:0040285E 33 C0                             xor     eax, eax
.text:00402860 5B                                pop     ebx
.text:00402861 C9                                leave
.text:00402862 C3                                retn
.text:00402862 start           endp
.text:00402862
.text:00402862 ; ---------------------------------------------------------------------------