Module two inside packed sample with SHA1: 37f6f1f59bf7952fd7182deeb07d4cd0d367dd59
The disassembly listing below (IDA output, Intel syntax, 32-bit) is part of the blog post:
Hancitor packer demystified
.text:004087A1
.text:004087A1
; =============== S U B R O U T I N E =======================================
.text:004087A1
.text:004087A1
; Attributes: bp-based frame
.text:004087A1
.text:004087A1
; ---------------------------------------------------------------------------
; my_module_two -- position-independent loader stub ("module two") of the
; Hancitor packer, sample SHA1 37f6f1f59bf7952fd7182deeb07d4cd0d367dd59.
; 32-bit Windows, Intel syntax as disassembled by IDA.
;
; What the visible code does, in order:
;   1. Walks PEB->Ldr->InMemoryOrderModuleList and ROR13-hashes the first
;      24 bytes of each module's UTF-16 BaseDllName until the hash equals
;      6A4ABC5Bh; that entry's DllBase is kept as var_addr_kernel_32.  The
;      walk (fs:30h, +0Ch, +14h, +28h, 18h bytes, ror 13, +10h) matches the
;      Metasploit "block_api" module-hash routine.
;   2. Parses the kernel32 export directory by hand and finds GetProcAddress
;      by a 14-byte name compare against an inline string.
;   3. Uses GetProcAddress to resolve GetModuleHandleA, LoadLibraryA,
;      VirtualAlloc, VirtualFree, OutputDebugStringA (from kernel32) and
;      _stricmp, memset, memcpy (from ntdll).  Every API name is stored as a
;      plain ASCII string inside the code and located with "call $+5/pop eax".
;   4. VirtualAlloc's 0C80h bytes of PAGE_EXECUTE_READWRITE memory, memcpy's
;      0C80h bytes of itself (starting at 004087A1) into that region, scans
;      the copy for the SECOND occurrence of the marker dword 70C5BA88h and
;      jumps to the byte after it, i.e. to the relocated copy of 00408B85.
;
; Inputs:   none.
; Frame:    ebp-based, 208h bytes of locals (var_108 .. var_4).  ebx/esi/edi
;           are pushed and never popped because this routine does not
;           return: it ends in "jmp eax" into the heap copy.  The copied code
;           keeps using this ebp frame (the continuation right after endp
;           calls [ebp-30h] = var_addr_memcpy), so the layout below is shared
;           with the relocated code.
; Clobbers: all general registers; flags undefined at the final jump.
;
; Robustness notes (all visible below, none of them are checked):
;   - the module walk loops forever if no module name hashes to 6A4ABC5Bh
;     (the list is circular);
;   - the export-name scan is not bounded by NumberOfNames;
;   - the marker scan is not bounded by the 0C80h-byte allocation;
;   - the ordinal arithmetic is only correct when the export Base is 1.
;
; Detection / hunting hooks:
;   - fs:[30h] PEB walk + ROR13 hashing of module names (6A4ABC5Bh);
;   - kernel32 export table parsed by hand instead of via the import table;
;   - VirtualAlloc(NULL, 0C80h, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
;   - memcpy of the caller's own .text into the RWX region, then jmp there;
;   - API names ("GetProcAddress", "VirtualAlloc", "ntdll.dll", ...) present
;     as cleartext strings in .text.
; ---------------------------------------------------------------------------
.text:004087A1 my_module_two   proc near
.text:004087A1
.text:004087A1 var_108         = dword ptr -108h        ; ntdll!_stricmp (resolved, not called here)
.text:004087A1 var_104         = dword ptr -104h        ; -> "VirtualFree" string
.text:004087A1 var_100         = dword ptr -100h        ; -> "GetProcAddress" string
.text:004087A1 var_F8          = dword ptr -0F8h        ; kernel32 export AddressOfFunctions (VA)
.text:004087A1 var_F4          = dword ptr -0F4h        ; kernel32!OutputDebugStringA (resolved, not called here)
.text:004087A1 ntdll_string    = dword ptr -0F0h        ; -> "ntdll.dll" string
.text:004087A1 var_E8          = dword ptr -0E8h        ; -> "LoadLibraryA" string
.text:004087A1 var_E0          = dword ptr -0E0h        ; export directory Base (ordinal base)
.text:004087A1 var_D8          = dword ptr -0D8h        ; export directory RVA
.text:004087A1 var_D0          = dword ptr -0D0h        ; kernel32 IMAGE_NT_HEADERS (VA)
.text:004087A1 var_CC          = dword ptr -0CCh        ; kernel32!LoadLibraryA (resolved, not called here)
.text:004087A1 var_C8          = dword ptr -0C8h        ; -> "VirtualAlloc" string
.text:004087A1 var_C0          = dword ptr -0C0h        ; -> "GetModuleHandleA" string
.text:004087A1 var_B8          = dword ptr -0B8h        ; index into AddressOfFunctions
.text:004087A1 var_B4          = dword ptr -0B4h        ; jump target inside the RWX copy (marker + 4)
.text:004087A1 var_B0          = dword ptr -0B0h        ; export AddressOfNameOrdinals (VA)
.text:004087A1 var_AC          = dword ptr -0ACh        ; -> "memcpy" string
.text:004087A1 var_A8          = dword ptr -0A8h        ; export AddressOfNames (VA)
.text:004087A1 var_A4          = dword ptr -0A4h        ; -> "memset" string
.text:004087A1 var_A0          = dword ptr -0A0h        ; -> "_stricmp" string
.text:004087A1 var_9C          = dword ptr -9Ch         ; -> "OutputDebugStringA" string
.text:004087A1 addr_getModuleHandleA = dword ptr -90h   ; kernel32!GetModuleHandleA
.text:004087A1 var_8C          = dword ptr -8Ch         ; ntdll!memset (resolved, not called here)
.text:004087A1 var_88          = dword ptr -88h         ; export name currently being compared
.text:004087A1 var_addr_ntdll  = dword ptr -78h         ; ntdll.dll base (from GetModuleHandleA)
.text:004087A1 var_70          = dword ptr -70h         ; number of marker hits seen so far (0 or 1)
.text:004087A1 var_68          = word ptr -68h          ; WORD read from AddressOfNameOrdinals
.text:004087A1 var_60          = dword ptr -60h         ; GetProcAddress: first RVA, then VA
.text:004087A1 var_addr_allocated_region = dword ptr -5Ch ; RWX region returned by VirtualAlloc
.text:004087A1 var_50          = dword ptr -50h         ; kernel32!VirtualFree (resolved, not called here)
.text:004087A1 var_4C          = dword ptr -4Ch         ; kernel32 IMAGE_EXPORT_DIRECTORY (VA)
.text:004087A1 var_addr_virtualloc = dword ptr -48h     ; kernel32!VirtualAlloc
.text:004087A1 var_addr_memcpy = dword ptr -30h         ; ntdll!memcpy (also used as [ebp-30h] by the copied code)
.text:004087A1 var_addr_getProcAddr = dword ptr -28h    ; kernel32!GetProcAddress
.text:004087A1 var_21          = byte ptr -21h          ; name-match flag for the export scan
.text:004087A1 var_1C          = dword ptr -1Ch         ; inner loop index j (character position)
.text:004087A1 var_addr_kernel_32 = dword ptr -10h      ; kernel32 DllBase from the PEB walk
.text:004087A1 var_4           = dword ptr -4           ; outer loop index i / byte offset in the scan
.text:004087A1
.text:004087A1
.text:004087A1 55                               push    ebp
.text:004087A2 8B EC                            mov     ebp, esp
.text:004087A4 81 EC 08 02 00 00                sub     esp, 208h       ; locals; this frame stays live after the final jmp
.text:004087AA 53                               push    ebx             ; never popped: the routine does not return
.text:004087AB 56                               push    esi
.text:004087AC 57                               push    edi
.text:004087AD 60                               pusha                   ; save everything around the module walk
.text:004087AE FC                               cld                     ; lodsb walks forward
.text:004087AF 33 D2                            xor     edx, edx
.text:004087B1 64 8B 15 30 00 00 00             mov     edx, large fs:30h ; edx = PEB (32-bit TEB layout)
.text:004087B8 8B 52 0C                         mov     edx, [edx+0Ch]  ; PEB.Ldr
.text:004087BB 8B 52 14                         mov     edx, [edx+14h]  ; Ldr.InMemoryOrderModuleList.Flink
.text:004087BE                                                          ; (first entry, seen from InMemoryOrderLinks)
.text:004087BE
.text:004087BE loc_4087BE:                              ; CODE XREF: my_module_two+40↓j
.text:004087BE 8B 72 28                         mov     esi, [edx+28h]  ; BaseDllName.Buffer (UTF-16), relative to InMemoryOrderLinks
.text:004087C1 6A 18                            push    18h
.text:004087C3 59                               pop     ecx             ; hash exactly 24 bytes (12 UTF-16 chars), not the real length
.text:004087C4 33 FF                            xor     edi, edi        ; edi = running hash
.text:004087C6
.text:004087C6 loc_4087C6:                              ; CODE XREF: my_module_two+33↓j
.text:004087C6 33 C0                            xor     eax, eax
.text:004087C8 AC                               lodsb                   ; al = next byte (UTF-16 high bytes are 00 and are hashed too)
.text:004087C9 3C 61                            cmp     al, 61h         ; case-fold: bytes >= 'a' get 20h subtracted;
.text:004087CB 7C 02                            jl      short loc_4087CF ; signed compare, so bytes >= 80h look negative and are
.text:004087CD                                                          ; left alone (irrelevant for ASCII module names)
.text:004087CD loc_4087CD:
.text:004087CD 2C 20                            sub     al, 20h
.text:004087CF
.text:004087CF loc_4087CF:                              ; CODE XREF: my_module_two+2A↑j
.text:004087CF C1 CF 0D                         ror     edi, 0Dh        ; hash = ror(hash, 13) + byte   (ROR13)
.text:004087D2 03 F8                            add     edi, eax
.text:004087D4 E2 F0                            loop    loc_4087C6      ; 24 iterations
.text:004087D6 81 FF 5B BC 4A 6A                cmp     edi, 6A4ABC5Bh  ; target hash; ZF survives the two movs below
.text:004087DC 8B 5A 10                         mov     ebx, [edx+10h]  ; ebx = this entry's DllBase
.text:004087DF 8B 12                            mov     edx, [edx]      ; edx = next entry (Flink); list is circular, so a
.text:004087E1 75 DB                            jnz     short loc_4087BE ; missing match spins forever.  Not it -> next module
.text:004087E3 89 5D F0                         mov     [ebp+var_addr_kernel_32], ebx ; matched: treated as kernel32 from here on
.text:004087E6 61                               popa                    ; restore caller-visible registers (ebx included)
.text:004087E7 8B 45 F0                         mov     eax, [ebp+var_addr_kernel_32]
.text:004087EA 8B 4D F0                         mov     ecx, [ebp+var_addr_kernel_32]
.text:004087ED 03 48 3C                         add     ecx, [eax+3Ch]  ; ecx = base + e_lfanew = IMAGE_NT_HEADERS
.text:004087F0 89 8D 30 FF FF FF                mov     [ebp+var_D0], ecx
.text:004087F6 BA 08 00 00 00                   mov     edx, 8          ; sizeof(IMAGE_DATA_DIRECTORY)
.text:004087FB 6B C2 00                         imul    eax, edx, 0     ; eax = 0 * 8: directory index 0 = export table (compiler kept the multiply)
.text:004087FE 8B 8D 30 FF FF FF                mov     ecx, [ebp+var_D0]
.text:00408804 8B 54 01 78                      mov     edx, [ecx+eax+78h] ; OptionalHeader.DataDirectory[0].VirtualAddress (32-bit PE)
.text:00408808 89 95 28 FF FF FF                mov     [ebp+var_D8], edx ; export directory RVA
.text:0040880E 8B 85 28 FF FF FF                mov     eax, [ebp+var_D8]
.text:00408814 03 45 F0                         add     eax, [ebp+var_addr_kernel_32]
.text:00408817 89 45 B4                         mov     [ebp+var_4C], eax ; IMAGE_EXPORT_DIRECTORY (VA)
.text:0040881A 8B 4D B4                         mov     ecx, [ebp+var_4C]
.text:0040881D 8B 51 10                         mov     edx, [ecx+10h]  ; IMAGE_EXPORT_DIRECTORY.Base
.text:00408820 89 95 20 FF FF FF                mov     [ebp+var_E0], edx
.text:00408826 8B 45 B4                         mov     eax, [ebp+var_4C]
.text:00408829 8B 48 20                         mov     ecx, [eax+20h]  ; AddressOfNames (RVA)
.text:0040882C 03 4D F0                         add     ecx, [ebp+var_addr_kernel_32]
.text:0040882F 89 8D 58 FF FF FF                mov     [ebp+var_A8], ecx ; AddressOfNames (VA)
.text:00408835 8B 55 B4                         mov     edx, [ebp+var_4C]
.text:00408838 8B 42 1C                         mov     eax, [edx+1Ch]  ; AddressOfFunctions (RVA)
.text:0040883B 03 45 F0                         add     eax, [ebp+var_addr_kernel_32]
.text:0040883E 89 85 08 FF FF FF                mov     [ebp+var_F8], eax ; AddressOfFunctions (VA)
.text:00408844 8B 4D B4                         mov     ecx, [ebp+var_4C]
.text:00408847 8B 51 24                         mov     edx, [ecx+24h]  ; AddressOfNameOrdinals (RVA)
.text:0040884A 03 55 F0                         add     edx, [ebp+var_addr_kernel_32]
.text:0040884D 89 95 50 FF FF FF                mov     [ebp+var_B0], edx ; AddressOfNameOrdinals (VA)
.text:00408853 50                               push    eax             ; save eax around the string fetch (same pattern for every string below)
.text:00408854 E8 00 00 00 00                   call    $+5             ; pushes 00408859
.text:00408859 58                               pop     eax             ; eax = 00408859 (address of this pop)
.text:0040885A EB 0F                            jmp     short loc_40886B ; skip over the inline string
.text:0040885A ; ---------------------------------------------------------------------------
.text:0040885C 47 65 74 50 72 6F 63 41 64 64+ aGetprocaddress db 'GetProcAddress',0 ; 14 chars + NUL, stored in code
.text:0040886B ; ---------------------------------------------------------------------------
.text:0040886B
.text:0040886B loc_40886B:                              ; CODE XREF: my_module_two+B9↑j
.text:0040886B 83 C0 03                         add     eax, 3          ; 00408859 + 1 (pop) + 2 (jmp short) = 0040885C = &aGetprocaddress
.text:0040886E 89 85 00 FF FF FF                mov     [ebp+var_100], eax
.text:00408874 58                               pop     eax
.text:00408875 C7 45 FC 00 00 00 00             mov     [ebp+var_4], 0  ; i = 0: index into AddressOfNames
.text:0040887C EB 09                            jmp     short loc_408887
.text:0040887E ; ---------------------------------------------------------------------------
.text:0040887E
.text:0040887E loc_40887E:                              ; CODE XREF: my_module_two:loc_408936↓j
.text:0040887E 8B 45 FC                         mov     eax, [ebp+var_4] ; i++  (never compared with NumberOfNames:
.text:00408881 83 C0 01                         add     eax, 1          ;  if nothing matches, i runs off the end of the table)
.text:00408884 89 45 FC                         mov     [ebp+var_4], eax
.text:00408887
.text:00408887 loc_408887:                              ; CODE XREF: my_module_two+DB↑j
.text:00408887 8B 4D FC                         mov     ecx, [ebp+var_4]
.text:0040888A 8B 95 58 FF FF FF                mov     edx, [ebp+var_A8]
.text:00408890 8B 04 8A                         mov     eax, [edx+ecx*4] ; AddressOfNames[i] (RVA)
.text:00408893 03 45 F0                         add     eax, [ebp+var_addr_kernel_32]
.text:00408896
.text:00408896 loc_408896:
.text:00408896 89 85 78 FF FF FF                mov     [ebp+var_88], eax ; name = base + AddressOfNames[i]
.text:0040889C C6 45 DF 01                      mov     [ebp+var_21], 1 ; assume match until a character differs
.text:004088A0 C7 45 E4 00 00 00 00             mov     [ebp+var_1C], 0 ; j = 0
.text:004088A7 EB 09                            jmp     short loc_4088B2
.text:004088A9 ; ---------------------------------------------------------------------------
.text:004088A9
.text:004088A9 loc_4088A9:                              ; CODE XREF: my_module_two:loc_4088E8↓j
.text:004088A9 8B 4D E4                         mov     ecx, [ebp+var_1C] ; j++
.text:004088AC 83 C1 01                         add     ecx, 1
.text:004088AF 89 4D E4                         mov     [ebp+var_1C], ecx
.text:004088B2
.text:004088B2 loc_4088B2:                              ; CODE XREF: my_module_two+106↑j
.text:004088B2 83 7D E4 0E                      cmp     [ebp+var_1C], 0Eh ; compare 14 characters only; name[14] is never
.text:004088B6 73 32                            jnb     short loc_4088EA ; checked for NUL, so a longer export whose first
.text:004088B8 8B 95 78 FF FF FF                mov     edx, [ebp+var_88] ; 14 bytes match would be accepted too (the sorted
.text:004088BE 03 55 E4                         add     edx, [ebp+var_1C] ; name table presumably yields "GetProcAddress" first)
.text:004088C1 0F BE 02                         movsx   eax, byte ptr [edx] ; name[j]
.text:004088C4 85 C0                            test    eax, eax
.text:004088C6 74 1C                            jz      short loc_4088E4 ; name shorter than 14 chars -> mismatch
.text:004088C8 8B 8D 78 FF FF FF                mov     ecx, [ebp+var_88]
.text:004088CE 03 4D E4                         add     ecx, [ebp+var_1C]
.text:004088D1 0F BE 11                         movsx   edx, byte ptr [ecx] ; name[j]
.text:004088D4 8B 85 00 FF FF FF                mov     eax, [ebp+var_100]
.text:004088DA 03 45 E4                         add     eax, [ebp+var_1C]
.text:004088DD 0F BE 08                         movsx   ecx, byte ptr [eax] ; "GetProcAddress"[j]
.text:004088E0 3B D1                            cmp     edx, ecx
.text:004088E2 74 04                            jz      short loc_4088E8 ; equal -> next character
.text:004088E4
.text:004088E4 loc_4088E4:                              ; CODE XREF: my_module_two+125↑j
.text:004088E4 C6 45 DF 00                      mov     [ebp+var_21], 0 ; mismatch; the loop still runs to j = 14 instead of breaking
.text:004088E8
.text:004088E8 loc_4088E8:                              ; CODE XREF: my_module_two+141↑j
.text:004088E8 EB BF                            jmp     short loc_4088A9
.text:004088EA ; ---------------------------------------------------------------------------
.text:004088EA
.text:004088EA loc_4088EA:                              ; CODE XREF: my_module_two+115↑j
.text:004088EA 0F B6 55 DF                      movzx   edx, [ebp+var_21]
.text:004088EE 85 D2                            test    edx, edx
.text:004088F0 74 44                            jz      short loc_408936 ; no match -> next export name
.text:004088F2 8B 45 FC                         mov     eax, [ebp+var_4]
.text:004088F5 8B 8D 50 FF FF FF                mov     ecx, [ebp+var_B0]
.text:004088FB 66 8B 14 41                      mov     dx, [ecx+eax*2] ; AddressOfNameOrdinals[i] (WORD)
.text:004088FF 66 89 55 98                      mov     [ebp+var_68], dx
.text:00408903 0F B7 45 98                      movzx   eax, [ebp+var_68]
.text:00408907 0F B7 8D 20 FF FF FF             movzx   ecx, word ptr [ebp+var_E0] ; low word of Base
.text:0040890E 2B C1                            sub     eax, ecx        ; index = ordinal - Base + 1.  AddressOfNameOrdinals
.text:00408910 83 C0 01                         add     eax, 1          ; entries are already unbiased indexes, so this is a
.text:00408913 89 85 48 FF FF FF                mov     [ebp+var_B8], eax ; no-op only when Base == 1 (true for kernel32 in
.text:00408919 8B 95 48 FF FF FF                mov     edx, [ebp+var_B8] ; practice) and mis-indexes for any other Base
.text:0040891F 8B 85 08 FF FF FF                mov     eax, [ebp+var_F8]
.text:00408925 8B 0C 90                         mov     ecx, [eax+edx*4] ; AddressOfFunctions[index] (RVA)
.text:00408928 89 4D A0                         mov     [ebp+var_60], ecx
.text:0040892B 8B 55 A0                         mov     edx, [ebp+var_60]
.text:0040892E 03 55 F0                         add     edx, [ebp+var_addr_kernel_32] ; RVA -> VA
.text:00408931 89 55 A0                         mov     [ebp+var_60], edx
.text:00408934 EB 05                            jmp     short loc_40893B
.text:00408936 ; ---------------------------------------------------------------------------
.text:00408936
.text:00408936 loc_408936:                              ; CODE XREF: my_module_two+14F↑j
.text:00408936 E9 43 FF FF FF                   jmp     loc_40887E      ; unconditional: no exit when the table is exhausted
.text:0040893B ; ---------------------------------------------------------------------------
.text:0040893B
.text:0040893B loc_40893B:                              ; CODE XREF: my_module_two+193↑j
.text:0040893B 8B 45 A0                         mov     eax, [ebp+var_60]
.text:0040893E 89 45 D8                         mov     [ebp+var_addr_getProcAddr], eax ; GetProcAddress resolved
.text:00408941 50                               push    eax
.text:00408942 E8 00 00 00 00                   call    $+5
.text:00408947 58                               pop     eax             ; eax = 00408947
.text:00408948 EB 11                            jmp     short loc_40895B
.text:00408948 ; ---------------------------------------------------------------------------
.text:0040894A 47 65 74 4D 6F 64 75 6C 65 48+ aGetmodulehandl db 'GetModuleHandleA',0
.text:0040895B ; ---------------------------------------------------------------------------
.text:0040895B
.text:0040895B loc_40895B:                              ; CODE XREF: my_module_two+1A7↑j
.text:0040895B 83 C0 03                         add     eax, 3          ; eax = 0040894A = &aGetmodulehandl
.text:0040895E 89 85 40 FF FF FF                mov     [ebp+var_C0], eax
.text:00408964 58                               pop     eax
.text:00408965 8B 8D 40 FF FF FF                mov     ecx, [ebp+var_C0]
.text:0040896B 51                               push    ecx             ; lpProcName = "GetModuleHandleA"
.text:0040896C 8B 55 F0                         mov     edx, [ebp+var_addr_kernel_32]
.text:0040896F 52                               push    edx             ; hModule = kernel32
.text:00408970 FF 55 D8                         call    [ebp+var_addr_getProcAddr] ; stdcall: callee pops the 8 bytes
.text:00408973 89 85 70 FF FF FF                mov     [ebp+addr_getModuleHandleA], eax
.text:00408979 50                               push    eax
.text:0040897A E8 00 00 00 00                   call    $+5
.text:0040897F 58                               pop     eax             ; eax = 0040897F
.text:00408980 EB 0D                            jmp     short loc_40898F
.text:00408980 ; ---------------------------------------------------------------------------
.text:00408982 4C 6F 61 64 4C 69 62 72 61 72+ aLoadlibrarya   db 'LoadLibraryA',0
.text:0040898F ; ---------------------------------------------------------------------------
.text:0040898F
.text:0040898F loc_40898F:                              ; CODE XREF: my_module_two+1DF↑j
.text:0040898F 83 C0 03                         add     eax, 3          ; eax = 00408982 = &aLoadlibrarya
.text:00408992 89 85 18 FF FF FF                mov     [ebp+var_E8], eax
.text:00408998 58                               pop     eax
.text:00408999
.text:00408999 loc_408999:
.text:00408999 8B 85 18 FF FF FF                mov     eax, [ebp+var_E8]
.text:0040899F 50                               push    eax             ; "LoadLibraryA"
.text:004089A0 8B 4D F0                         mov     ecx, [ebp+var_addr_kernel_32]
.text:004089A3 51                               push    ecx             ; kernel32
.text:004089A4 FF 55 D8                         call    [ebp+var_addr_getProcAddr]
.text:004089A7 89 85 34 FF FF FF                mov     [ebp+var_CC], eax ; LoadLibraryA; not called in this routine
.text:004089AD 50                               push    eax
.text:004089AE
.text:004089AE loc_4089AE:
.text:004089AE E8 00 00 00 00                   call    $+5
.text:004089B3 58                               pop     eax             ; eax = 004089B3
.text:004089B4 EB 0D                            jmp     short loc_4089C3
.text:004089B4 ; ---------------------------------------------------------------------------
.text:004089B6 56 69 72 74 75 61 6C 41 6C 6C+ aVirtualalloc   db 'VirtualAlloc',0
.text:004089C3 ; ---------------------------------------------------------------------------
.text:004089C3
.text:004089C3 loc_4089C3:                              ; CODE XREF: my_module_two+213↑j
.text:004089C3 83 C0 03                         add     eax, 3          ; eax = 004089B6 = &aVirtualalloc
.text:004089C6 89 85 38 FF FF FF                mov     [ebp+var_C8], eax
.text:004089CC 58                               pop     eax
.text:004089CD
.text:004089CD loc_4089CD:
.text:004089CD 8B 95 38 FF FF FF                mov     edx, [ebp+var_C8]
.text:004089D3 52                               push    edx             ; "VirtualAlloc"
.text:004089D4 8B 45 F0                         mov     eax, [ebp+var_addr_kernel_32]
.text:004089D7 50                               push    eax             ; kernel32
.text:004089D8 FF 55 D8                         call    [ebp+var_addr_getProcAddr]
.text:004089DB 89 45 B8                         mov     [ebp+var_addr_virtualloc], eax
.text:004089DE 50                               push    eax
.text:004089DF E8 00 00 00 00                   call    $+5
.text:004089E4 58                               pop     eax             ; eax = 004089E4
.text:004089E5 EB 0C                            jmp     short loc_4089F3
.text:004089E5 ; ---------------------------------------------------------------------------
.text:004089E7 56 69 72 74 75 61 6C 46 72 65+ aVirtualfree    db 'VirtualFree',0
.text:004089F3 ; ---------------------------------------------------------------------------
.text:004089F3
.text:004089F3 loc_4089F3:
.text:004089F3 83 C0 03                         add     eax, 3          ; eax = 004089E7 = &aVirtualfree
.text:004089F6
.text:004089F6 loc_4089F6:
.text:004089F6 89 85 FC FE FF FF                mov     [ebp+var_104], eax
.text:004089FC 58                               pop     eax
.text:004089FD
.text:004089FD loc_4089FD:
.text:004089FD 8B 8D FC FE FF FF                mov     ecx, [ebp+var_104]
.text:00408A03 51                               push    ecx             ; "VirtualFree"
.text:00408A04 8B 55 F0                         mov     edx, [ebp+var_addr_kernel_32]
.text:00408A07 52                               push    edx             ; kernel32
.text:00408A08 FF 55 D8                         call    [ebp+var_addr_getProcAddr]
.text:00408A0B 89 45 B0                         mov     [ebp+var_50], eax ; VirtualFree; not called in this routine
.text:00408A0E 50                               push    eax
.text:00408A0F E8 00 00 00 00                   call    $+5
.text:00408A14 58                               pop     eax             ; eax = 00408A14
.text:00408A15 EB 13                            jmp     short loc_408A2A
.text:00408A15 ; ---------------------------------------------------------------------------
.text:00408A17 4F 75 74 70 75 74 44 65 62 75+ aOutputdebugstr db 'OutputDebugStringA',0
.text:00408A2A ; ---------------------------------------------------------------------------
.text:00408A2A
.text:00408A2A loc_408A2A:                              ; CODE XREF: my_module_two+274↑j
.text:00408A2A 83 C0 03                         add     eax, 3          ; eax = 00408A17 = &aOutputdebugstr
.text:00408A2D 89 85 64 FF FF FF                mov     [ebp+var_9C], eax
.text:00408A33 58                               pop     eax
.text:00408A34
.text:00408A34 loc_408A34:
.text:00408A34 8B 85 64 FF FF FF                mov     eax, [ebp+var_9C]
.text:00408A3A 50                               push    eax             ; "OutputDebugStringA"
.text:00408A3B 8B 4D F0                         mov     ecx, [ebp+var_addr_kernel_32]
.text:00408A3E 51                               push    ecx             ; kernel32
.text:00408A3F FF 55 D8                         call    [ebp+var_addr_getProcAddr]
.text:00408A42 89 85 0C FF FF FF                mov     [ebp+var_F4], eax ; OutputDebugStringA; not called in this routine
.text:00408A48 50                               push    eax
.text:00408A49
.text:00408A49 loc_408A49:
.text:00408A49 E8 00 00 00 00                   call    $+5
.text:00408A4E 58                               pop     eax             ; eax = 00408A4E
.text:00408A4F EB 0A                            jmp     short loc_408A5B
.text:00408A4F ; ---------------------------------------------------------------------------
.text:00408A51 6E 74 64 6C 6C 2E 64 6C 6C 00    aNtdllDll       db 'ntdll.dll',0
.text:00408A5B ; ---------------------------------------------------------------------------
.text:00408A5B
.text:00408A5B loc_408A5B:                              ; CODE XREF: my_module_two+2AE↑j
.text:00408A5B 83 C0 03                         add     eax, 3          ; eax = 00408A51 = &aNtdllDll
.text:00408A5E 89 85 10 FF FF FF                mov     [ebp+ntdll_string], eax
.text:00408A64 58                               pop     eax
.text:00408A65 8B 95 10 FF FF FF                mov     edx, [ebp+ntdll_string]
.text:00408A6B 52                               push    edx             ; lpModuleName = "ntdll.dll"
.text:00408A6C FF 95 70 FF FF FF                call    [ebp+addr_getModuleHandleA] ; ntdll is always already mapped; no NULL check
.text:00408A72 89 45 88                         mov     [ebp+var_addr_ntdll], eax
.text:00408A75 50                               push    eax
.text:00408A76 E8 00 00 00 00                   call    $+5
.text:00408A7B 58                               pop     eax             ; eax = 00408A7B
.text:00408A7C EB 09                            jmp     short loc_408A87
.text:00408A7C ; ---------------------------------------------------------------------------
.text:00408A7E 5F 73 74 72 69 63 6D 70 00       aStricmp        db '_stricmp',0
.text:00408A87 ; ---------------------------------------------------------------------------
.text:00408A87
.text:00408A87 loc_408A87:                              ; CODE XREF: my_module_two+2DB↑j
.text:00408A87 83 C0 03                         add     eax, 3          ; eax = 00408A7E = &aStricmp
.text:00408A8A 89 85 60 FF FF FF                mov     [ebp+var_A0], eax
.text:00408A90 58                               pop     eax
.text:00408A91 8B 85 60 FF FF FF                mov     eax, [ebp+var_A0]
.text:00408A97 50                               push    eax             ; "_stricmp"
.text:00408A98 8B 4D 88                         mov     ecx, [ebp+var_addr_ntdll]
.text:00408A9B 51                               push    ecx             ; ntdll
.text:00408A9C FF 55 D8                         call    [ebp+var_addr_getProcAddr]
.text:00408A9F 89 85 F8 FE FF FF                mov     [ebp+var_108], eax ; _stricmp; not called in this routine
.text:00408AA5 50                               push    eax
.text:00408AA6 E8 00 00 00 00                   call    $+5
.text:00408AAB 58                               pop     eax             ; eax = 00408AAB
.text:00408AAC EB 07                            jmp     short loc_408AB5
.text:00408AAC ; ---------------------------------------------------------------------------
.text:00408AAE 6D 65 6D 73 65 74 00             aMemset         db 'memset',0
.text:00408AB5 ; ---------------------------------------------------------------------------
.text:00408AB5
.text:00408AB5 loc_408AB5:                              ; CODE XREF: my_module_two+30B↑j
.text:00408AB5 83 C0 03                         add     eax, 3          ; eax = 00408AAE = &aMemset
.text:00408AB8 89 85 5C FF FF FF                mov     [ebp+var_A4], eax
.text:00408ABE 58                               pop     eax
.text:00408ABF 8B 95 5C FF FF FF                mov     edx, [ebp+var_A4]
.text:00408AC5 52                               push    edx             ; "memset"
.text:00408AC6 8B 45 88                         mov     eax, [ebp+var_addr_ntdll]
.text:00408AC9 50                               push    eax             ; ntdll
.text:00408ACA FF 55 D8                         call    [ebp+var_addr_getProcAddr]
.text:00408ACD 89 85 74 FF FF FF                mov     [ebp+var_8C], eax ; memset; not called in this routine
.text:00408AD3 50                               push    eax
.text:00408AD4 E8 00 00 00 00                   call    $+5
.text:00408AD9 58                               pop     eax             ; eax = 00408AD9
.text:00408ADA EB 07                            jmp     short loc_408AE3
.text:00408ADA ; ---------------------------------------------------------------------------
.text:00408ADC 6D 65 6D 63 70 79 00             aMemcpy         db 'memcpy',0
.text:00408AE3 ; ---------------------------------------------------------------------------
.text:00408AE3
.text:00408AE3 loc_408AE3:                              ; CODE XREF: my_module_two+339↑j
.text:00408AE3 83 C0 03                         add     eax, 3          ; eax = 00408ADC = &aMemcpy
.text:00408AE6 89 85 54 FF FF FF                mov     [ebp+var_AC], eax
.text:00408AEC 58                               pop     eax
.text:00408AED 8B 8D 54 FF FF FF                mov     ecx, [ebp+var_AC]
.text:00408AF3 51                               push    ecx             ; "memcpy"
.text:00408AF4 8B 55 88                         mov     edx, [ebp+var_addr_ntdll]
.text:00408AF7 52                               push    edx             ; ntdll
.text:00408AF8 FF 55 D8                         call    [ebp+var_addr_getProcAddr]
.text:00408AFB 89 45 D0                         mov     [ebp+var_addr_memcpy], eax ; memcpy (cdecl)
.text:00408AFE 6A 40                            push    40h             ; flProtect = PAGE_EXECUTE_READWRITE
.text:00408B00 68 00 10 00 00                   push    1000h           ; flAllocationType = MEM_COMMIT
.text:00408B05 68 80 0C 00 00                   push    0C80h           ; dwSize = 3200 bytes
.text:00408B0A 6A 00                            push    0               ; lpAddress = NULL (OS chooses)
.text:00408B0C FF 55 B8                         call    [ebp+var_addr_virtualloc] ; RWX allocation; return value not checked for NULL
.text:00408B0F 89 45 A4                         mov     [ebp+var_addr_allocated_region], eax
.text:00408B12 68 80 0C 00 00                   push    0C80h           ; arg: number of bytes to copy (same size as the allocation)
.text:00408B17 B8 A1 87 00 00                   mov     eax, 87A1h
.text:00408B1C 05 00 00 40 00                   add     eax, offset dword_400000 ; image base + 87A1h = this routine's own entry
.text:00408B21 50                               push    eax             ; 0x004087A1 (start decrypted_function). Arg: source
.text:00408B22 8B 4D A4                         mov     ecx, [ebp+var_addr_allocated_region]
.text:00408B25 51                               push    ecx             ; 0x00230000 (arg: destination) -- value seen in the author's run; it is whatever VirtualAlloc returned
.text:00408B26 FF 55 D0                         call    [ebp+var_addr_memcpy] ; copies 004087A1..00409420 (this code, the marker
.text:00408B29 83 C4 0C                         add     esp, 0Ch        ; dword and what follows) into RWX memory; cdecl cleanup
.text:00408B2C C7 45 90 00 00 00 00             mov     [ebp+var_70], 0 ; marker hits seen so far
.text:00408B33 C7 45 FC 00 00 00 00             mov     [ebp+var_4], 0  ; byte offset into the copy
.text:00408B3A EB 09                            jmp     short loc_408B45
.text:00408B3C ; ---------------------------------------------------------------------------
.text:00408B3C
.text:00408B3C loc_408B3C:                              ; CODE XREF: my_module_two:loc_408B76↓j
.text:00408B3C 8B 55 FC                         mov     edx, [ebp+var_4] ; offset++ (byte-granular scan)
.text:00408B3F 83 C2 01                         add     edx, 1
.text:00408B42 89 55 FC                         mov     [ebp+var_4], edx
.text:00408B45
.text:00408B45 loc_408B45:                              ; CODE XREF: my_module_two+399↑j
.text:00408B45 8B 45 A4                         mov     eax, [ebp+var_addr_allocated_region]
.text:00408B48 03 45 FC                         add     eax, [ebp+var_4] ; eax = copy + offset; never compared with 0C80h,
.text:00408B4B 81 38 88 BA C5 70                cmp     dword ptr [eax], 70C5BA88h ; so a missing marker reads past the allocation
.text:00408B51 75 23                            jnz     short loc_408B76 ; not the marker -> next byte
.text:00408B53 83 7D 90 00                      cmp     [ebp+var_70], 0
.text:00408B57 75 0B                            jnz     short loc_408B64 ; second hit -> this is the real marker
.text:00408B59 8B 4D 90                         mov     ecx, [ebp+var_70] ; first hit is the immediate of the cmp above,
.text:00408B5C 83 C1 01                         add     ecx, 1          ; which memcpy copied at offset 3ACh
.text:00408B5F 89 4D 90                         mov     [ebp+var_70], ecx ; (00408B4D - 004087A1); count it and skip it
.text:00408B62 EB 12                            jmp     short loc_408B76
.text:00408B64 ; ---------------------------------------------------------------------------
.text:00408B64
.text:00408B64 loc_408B64:                              ; CODE XREF: my_module_two+3B6↑j
.text:00408B64 8B 55 FC                         mov     edx, [ebp+var_4]
.text:00408B67 8B 45 A4                         mov     eax, [ebp+var_addr_allocated_region]
.text:00408B6A 8D 4C 10 04                      lea     ecx, [eax+edx+4] ; target = copy + 3E0h + 4: the dd at 00408B81 is
.text:00408B6E 89 8D 4C FF FF FF                mov     [ebp+var_B4], ecx ; the second hit, so this is relocated 00408B85
.text:00408B74 EB 02                            jmp     short loc_408B78
.text:00408B76 ; ---------------------------------------------------------------------------
.text:00408B76
.text:00408B76 loc_408B76:                              ; CODE XREF: my_module_two+3B0↑j
.text:00408B76                                                          ; my_module_two+3C1↑j
.text:00408B76 EB C4                            jmp     short loc_408B3C
.text:00408B78 ; ---------------------------------------------------------------------------
.text:00408B78
.text:00408B78 loc_408B78:                              ; CODE XREF: my_module_two+3D3↑j
.text:00408B78 50                               push    eax             ; balanced by the "pop eax" that the copied code at 00408B85 starts with
.text:00408B79 8B 85 4C FF FF FF                mov     eax, [ebp+var_B4]
.text:00408B7F FF E0                            jmp     eax             ; transfer into the RWX heap copy; no ret, no epilogue --
.text:00408B7F                                                          ; ebp frame, ebx/esi/edi and the resolved APIs stay live for it
.text:00408B7F my_module_two   endp
.text:00408B7F
.text:00408B7F
; ---------------------------------------------------------------------------
.text:00408B81
88 BA C5 70
dd
70C5BA88h
.text:00408B85
; ---------------------------------------------------------------------------
.text:00408B85
58
pop
eax
.text:00408B86
68 14 05 00 00
push 514h
.text:00408B8B
BA B6 B3 00 00
mov
edx
,
0B3B6h
.text:00408B90
81 C2 00 00 40 00
add
edx
,
offset
dword_400000
.text:00408B96
52
push
edx
.text:00408B97
B8 6D 26 00 00
mov
eax
,
266Dh
.text:00408B9C
05 00 00 40 00
add
eax
,
offset
dword_400000
.text:00408BA1
50
push
eax
.text:00408BA2
FF 55 D0
call
dword ptr
[
ebp
-
30h
]