Module one inside packed Hancitor sample with SHA1: 37f6f1f59bf7952fd7182deeb07d4cd0d367dd59
The disassembly output below is part of the blog post "Hancitor packer demystified". If you landed here via Google, you probably want to go to the home page instead.
; Reviewer notes, derived only from the bytes and cross-references in this listing:
;   Every transfer on the reachable path is a jmp or a jno.  Each jno follows an
;   instruction that leaves OF clear (mov/push/pop do not touch it; the add/inc/xor
;   instructions here cannot overflow; cmp ecx,esi with ecx == esi clears it), so every
;   jno behaves as a plain jump and the bytes after it are filler that never executes.
;   Following the jumps from 00405177: frame teardown (mov esp,ebp / pop ebp) -> six
;   pushes -> call eax (the listing's own comment says VirtualProtect) -> XOR loop over
;   0C80h bytes starting at 4087A1h with key byte 14h -> pop eax / jmp eax into them.
;   The decoded range (4087A1h..409420h) lies inside the 400000h..40EFFFh region whose
;   protection is changed, and is outside this listing, so its content is not shown here.
.text:00405177 ; ---------------------------------------------------------------------------
.text:00405177 E9 C5 00 00 00          jmp     loc_405241            ; fragment entry -> frame teardown at 405241
.text:0040517C ; ---------------------------------------------------------------------------
.text:0040517C
.text:0040517C loc_40517C:                                           ; CODE XREF: .text:004051EA↓j
.text:0040517C 6A 40                   push    40h                   ; 4th push (after push esp at 4051E9): flNewProtect = 40h = PAGE_EXECUTE_READWRITE
.text:0040517E 0F 81 88 01 00 00       jno     loc_40530C            ; push leaves OF unchanged -> always taken
.text:00405184 04 F3                   add     al, 0F3h              ; filler after an always-taken jno: never executed
.text:00405184 ; ---------------------------------------------------------------------------
.text:00405186 00 3C                   dw 3C00h
.text:00405188 ; ---------------------------------------------------------------------------
.text:00405188
.text:00405188 location_increase_xor_loop_counter_part_1:
.text:00405188                                                       ; CODE XREF: .text:004051C6↓j
.text:00405188 41                      inc     ecx                   ; ecx = XOR loop byte counter (zeroed at 405251)
.text:00405189 0F 81 B5 01 00 00       jno     my_increase_xor_loop_counter_part_2 ; inc sets OF only on signed overflow; ecx never exceeds esi (0C80h) -> always taken
.text:00405189 ; ---------------------------------------------------------------------------
.text:0040518F 51 2A 89 40             dd 40892A51h                  ; filler
.text:00405193 ; ---------------------------------------------------------------------------
.text:00405193
.text:00405193 location_build_XOR_loop_length_part_1:                ; CODE XREF: .text:loc_4051B5↓j
.text:00405193 BE 54 03 00 00          mov     esi, 354h             ; loop length, first half; part_2 at 405280 adds 92Ch -> esi = 0C80h (3200 bytes)
.text:00405198 0F 81 E2 00 00 00       jno     location_build_xor_loop_length_part_2 ; mov leaves OF unchanged (clear since add edi at 4052FA) -> always taken
.text:00405198 ; ---------------------------------------------------------------------------
.text:0040519E 87 00 7D 40             dd 407D0087h                  ; filler 40519E..4051A8
.text:004051A2 00 89 00 40             dd 40008900h
.text:004051A6 1C C8                   dw 0C81Ch
.text:004051A8 40                      db 40h
.text:004051A9 ; ---------------------------------------------------------------------------
.text:004051A9
.text:004051A9 loc_4051A9:                                           ; CODE XREF: .text:00405311↓j
.text:004051A9 05 22 A7 00 00          add     eax, 0A722h           ; eax = 48DEh (set at 40530C) + 0A722h = 0F000h -> dwSize, pushed at 4052C2
.text:004051AE E9 0F 01 00 00          jmp     loc_4052C2
.text:004051AE ; ---------------------------------------------------------------------------
.text:004051B3 61 01                   dw 161h                       ; filler
.text:004051B5 ; ---------------------------------------------------------------------------
.text:004051B5
.text:004051B5 loc_4051B5:                                           ; CODE XREF: .text:004051D3↓j
.text:004051B5 71 DC                   jno     short location_build_XOR_loop_length_part_1 ; push edi at 4051D2 leaves OF unchanged -> always taken
.text:004051B5 ; ---------------------------------------------------------------------------
.text:004051B7 61                      db 61h                        ; a   (filler 4051B7..4051C3)
.text:004051B8 7C 20 DC 74             dd 74DC207Ch
.text:004051BC 00 35 41 40             dd 40413500h
.text:004051C0 EA A4 36 D2             dd 0D236A4EAh
.text:004051C4 ; ---------------------------------------------------------------------------
.text:004051C4
.text:004051C4 location_decode_the_code:                             ; CODE XREF: .text:loc_40520C↓j
.text:004051C4                                                       ; .text:00405221↓j
.text:004051C4 30 07                   xor     [edi], al             ; loop body: byte at [edi] ^= al; al = 14h (low byte of 4193114h from 40521C), edi starts at 4087A1h
.text:004051C6 71 C0                   jno     short location_increase_xor_loop_counter_part_1 ; xor clears OF -> always taken (inc ecx at 405188)
.text:004051C6 ; ---------------------------------------------------------------------------
.text:004051C8 49 8D 15 A7             dd 0A7158D49h                 ; filler 4051C8..4051D1
.text:004051CC 4D 04 E3 00             dd 0E3044Dh
.text:004051D0 03 00                   dw 3
.text:004051D2 ; ---------------------------------------------------------------------------
.text:004051D2
.text:004051D2 loc_4051D2:                                           ; CODE XREF: .text:00405300↓j
.text:004051D2 57                      push    edi                   ; 1st push: edi = 4087A1h; stays on the stack across the call and is popped into eax at 4052E1 as the jump target
.text:004051D3 71 E0                   jno     short loc_4051B5      ; OF clear after add edi at 4052FA -> always taken
.text:004051D3 ; ---------------------------------------------------------------------------
.text:004051D5 6E 0B DE 00             dd 0DE0B6Eh                   ; filler
.text:004051D9 ; ---------------------------------------------------------------------------
.text:004051D9
.text:004051D9 loc_4051D9:                                           ; CODE XREF: .text:00405345↓j
.text:004051D9 39 F1                   cmp     ecx, esi              ; loop test: counter vs length (0C80h); flags survive the jmp below
.text:004051DB EB 2F                   jmp     short loc_40520C      ; -> jb location_decode_the_code while ecx < esi
.text:004051DB ; ---------------------------------------------------------------------------
.text:004051DD 09                      db 9                          ; filler
.text:004051DE 5A                      db 5Ah                        ; Z
.text:004051DF ; ---------------------------------------------------------------------------
.text:004051DF
.text:004051DF loc_4051DF:                                           ; CODE XREF: .text:004052C3↓j
.text:004051DF B8 54 D4 03 00          mov     eax, 3D454h           ; lpAddress, first half; 4051FA adds 3C2BACh -> eax = 400000h
.text:004051E4 71 14                   jno     short loc_4051FA      ; mov leaves OF unchanged (clear since add eax at 4051A9) -> always taken
.text:004051E6 00 40 CF                add     [eax-31h], al         ; filler: never executed
.text:004051E9
.text:004051E9 loc_4051E9:                                           ; CODE XREF: .text:004052AE↓j
.text:004051E9 54                      push    esp                   ; 3rd push: address of the 0 pushed at 4052AC -> lpflOldProtect
.text:004051EA EB 90                   jmp     short loc_40517C      ; -> push 40h
.text:004051EA ; ---------------------------------------------------------------------------
.text:004051EC 40                      db 40h                        ; @   (filler 4051EC..4051F9)
.text:004051ED 40                      db 40h                        ; @
.text:004051EE 40                      db 40h                        ; @
.text:004051EF 40                      db 40h                        ; @
.text:004051F0 00                      db 0
.text:004051F1 00                      db 0
.text:004051F2 00                      db 0
.text:004051F3 E1                      db 0E1h                       ; á
.text:004051F4 C9                      db 0C9h                       ; É
.text:004051F5 40                      db 40h                        ; @
.text:004051F6 9C                      db 9Ch                        ; œ
.text:004051F7 00                      db 0
.text:004051F8 E4                      db 0E4h                       ; ä
.text:004051F9 00                      db 0
.text:004051FA ; ---------------------------------------------------------------------------
.text:004051FA
.text:004051FA loc_4051FA:                                           ; CODE XREF: .text:004051E4↑j
.text:004051FA 05 AC 2B 3C 00          add     eax, 3C2BACh          ; eax = 3D454h + 3C2BACh = 400000h (presumably the image base; this .text sits just above it) -> lpAddress, pushed at 4052B4
.text:004051FF E9 B0 00 00 00          jmp     loc_4052B4
.text:004051FF ; ---------------------------------------------------------------------------
.text:00405204 E0                      db 0E0h                       ; à   (filler 405204..40520B)
.text:00405205 2B                      db 2Bh                        ; +
.text:00405206 40                      db 40h                        ; @
.text:00405207 00                      db 0
.text:00405208 4E                      db 4Eh                        ; N
.text:00405209 6C                      db 6Ch                        ; l
.text:0040520A 57                      db 57h                        ; W
.text:0040520B 5F                      db 5Fh                        ; _
.text:0040520C ; ---------------------------------------------------------------------------
.text:0040520C
.text:0040520C loc_40520C:                                           ; CODE XREF: .text:004051DB↑j
.text:0040520C 72 B6                   jb      short location_decode_the_code ; loop back while ecx < esi (flags from cmp at 4051D9)
.text:0040520E 0F 81 D7 00 00 00       jno     loc_4052EB            ; loop exit: cmp of equal values leaves OF clear -> always taken
.text:0040520E ; ---------------------------------------------------------------------------
.text:00405214 00                      db 0                          ; filler 405214..40521B
.text:00405215 00                      db 0
.text:00405216 03                      db 3
.text:00405217 40                      db 40h                        ; @
.text:00405218 8E                      db 8Eh                        ; Ž
.text:00405219 40                      db 40h                        ; @
.text:0040521A 71                      db 71h                        ; q
.text:0040521B 4C                      db 4Ch                        ; L
.text:0040521C ; ---------------------------------------------------------------------------
.text:0040521C
.text:0040521C loc_40521C:                                           ; CODE XREF: .text:00405256↓j
.text:0040521C B8 14 31 19 04          mov     eax, 4193114h         ; XOR key: only al (14h) is used by xor [edi], al
.text:00405221 EB A1                   jmp     short location_decode_the_code ; enter the loop
.text:00405221 ; ---------------------------------------------------------------------------
.text:00405223 00                      db 0                          ; filler 405223..405229
.text:00405224 00                      db 0
.text:00405225 AD                      db 0ADh
.text:00405226 40                      db 40h                        ; @
.text:00405227 CA                      db 0CAh                       ; Ê
.text:00405228 CD                      db 0CDh                       ; Í
.text:00405229 6D                      db 6Dh                        ; m
.text:0040522A ; ---------------------------------------------------------------------------
.text:0040522A
.text:0040522A loc_40522A:                                           ; CODE XREF: .text:loc_405332↓j
.text:0040522A BF 0F A0 28 00          mov     edi, 28A00Fh          ; XOR loop start address, first half; 4052FA adds 17E792h -> edi = 4087A1h
.text:0040522F E9 C6 00 00 00          jmp     loc_4052FA
.text:0040522F ; ---------------------------------------------------------------------------
.text:00405234 C8                      db 0C8h                       ; È   (filler 405234..405240)
.text:00405235 00                      db 0
.text:00405236 00                      db 0
.text:00405237 6C                      db 6Ch                        ; l
.text:00405238 7A                      db 7Ah                        ; z
.text:00405239 40                      db 40h                        ; @
.text:0040523A DF                      db 0DFh                       ; ß
.text:0040523B 03                      db 3
.text:0040523C 40                      db 40h                        ; @
.text:0040523D 40                      db 40h                        ; @
.text:0040523E 4E                      db 4Eh                        ; N
.text:0040523F 00                      db 0
.text:00405240 3A                      db 3Ah                        ; :
.text:00405241 ; ---------------------------------------------------------------------------
.text:00405241
.text:00405241 loc_405241:                                           ; CODE XREF: .text:00405177↑j
.text:00405241 89 EC                   mov     esp, ebp              ; frame teardown (completed by pop ebp at 4052DD): the pushes that follow sit on the caller's stack
.text:00405243 E9 95 00 00 00          jmp     loc_4052DD
.text:00405243 ; ---------------------------------------------------------------------------
.text:00405248 40                      db 40h                        ; @   (filler 405248..405250)
.text:00405249 61                      db 61h                        ; a
.text:0040524A 00                      db 0
.text:0040524B DC                      db 0DCh                       ; Ü
.text:0040524C 24                      db 24h                        ; $
.text:0040524D 40                      db 40h                        ; @
.text:0040524E 40                      db 40h                        ; @
.text:0040524F 40                      db 40h                        ; @
.text:00405250 43                      db 43h                        ; C
.text:00405251 ; ---------------------------------------------------------------------------
.text:00405251
.text:00405251 loc_405251:                                           ; CODE XREF: .text:loc_40531E↓j
.text:00405251 B9 00 00 00 00          mov     ecx, 0                ; zero the XOR loop counter (reached after the call, via 405360 / 40531E)
.text:00405256 71 C4                   jno     short loc_40521C      ; mov leaves OF unchanged -> always taken (load the key)
.text:00405258 6C                      insb                          ; filler: never executed
.text:00405259 40                      inc     eax
.text:0040525A
.text:0040525A loc_40525A:                                           ; CODE XREF: .text:004052D5↓j
.text:0040525A 05 C0 CB 1E 00          add     eax, offset unk_1ECBC0 ; eax = 21F624h + 1ECBC0h = 40C1E4h; IDA's "offset unk_1ECBC0" is most likely a mislabelled immediate, the sum is what gets dereferenced at 40526A
.text:0040525F 71 09                   jno     short loc_40526A      ; no signed overflow -> always taken
.text:0040525F ; ---------------------------------------------------------------------------
.text:00405261 8F                      db 8Fh                        ; filler 405261..405269
.text:00405262 73                      db 73h                        ; s
.text:00405263 DF                      db 0DFh                       ; ß
.text:00405264 E0                      db 0E0h                       ; à
.text:00405265 E4                      db 0E4h                       ; ä
.text:00405266 39                      db 39h                        ; 9
.text:00405267 40                      db 40h                        ; @
.text:00405268 FB                      db 0FBh                       ; û
.text:00405269 E9                      db 0E9h                       ; é
.text:0040526A ; ---------------------------------------------------------------------------
.text:0040526A
.text:0040526A loc_40526A:                                           ; CODE XREF: .text:0040525F↑j
.text:0040526A 8B 00                   mov     eax, [eax]            ; eax = dword at 40C1E4h: the function pointer used by call eax at 40534F (presumably an import slot; not shown here)
.text:0040526C 0F 81 DD 00 00 00       jno     loc_40534F            ; call virtualprotect (mov leaves OF unchanged -> always taken)
.text:00405272 57                      push    edi                   ; filler 405272..40527F: never executed
.text:00405273 30 40 99                xor     [eax-67h], al
.text:00405276 08 00                   or      [eax], al
.text:00405278 E7 76                   out     76h, eax              ; CMOS Memory/RTC Index Register (Extended RAM)
.text:0040527A 00 08                   add     [eax], cl
.text:0040527C 2B 40 16                sub     eax, [eax+16h]
.text:0040527F 40                      inc     eax
.text:00405280
.text:00405280 location_build_xor_loop_length_part_2:                ; CODE XREF: .text:00405198↑j
.text:00405280 81 C6 2C 09 00 00       add     esi, 92Ch             ; esi = 354h + 92Ch = 0C80h: number of bytes the XOR loop decodes
.text:00405286 71 0C                   jno     short loc_405294      ; no signed overflow -> always taken
.text:00405288 4E                      dec     esi                   ; filler 405288..405293: never executed
.text:00405289 00 48 00                add     [eax+0], cl
.text:0040528C A8 27                   test    al, 27h
.text:0040528E CE                      into
.text:0040528F CE                      into
.text:00405290 40                      inc     eax
.text:00405291 4D                      dec     ebp
.text:00405291 ; ---------------------------------------------------------------------------
.text:00405292 00                      db 0
.text:00405293 00                      db 0
.text:00405294 ; ---------------------------------------------------------------------------
.text:00405294
.text:00405294 loc_405294:                                           ; CODE XREF: .text:00405286↑j
.text:00405294 71 16                   jno     short loc_4052AC      ; OF still clear from add esi -> always taken (push 0)
.text:00405296 00 79 40                add     [ecx+40h], bh         ; filler 405296..40529D: never executed
.text:00405299 89 6A 00                mov     [edx+0], ebp
.text:00405299 ; ---------------------------------------------------------------------------
.text:0040529C 00                      db 0
.text:0040529D 00                      db 0
.text:0040529E ; ---------------------------------------------------------------------------
.text:0040529E
.text:0040529E loc_40529E:                                           ; CODE XREF: .text:004052E2↓j
.text:0040529E FF E0                   jmp     eax                   ; jump to decrypted code: eax = 4087A1h (popped at 4052E1), the first of the 0C80h bytes the loop just XOR-decoded
.text:0040529E ; ---------------------------------------------------------------------------
.text:004052A0 AD                      db 0ADh                       ; filler 4052A0..4052AB
.text:004052A1 06                      db 6
.text:004052A2 6E                      db 6Eh                        ; n
.text:004052A3 4B                      db 4Bh                        ; K
.text:004052A4 15                      db 15h
.text:004052A5 00                      db 0
.text:004052A6 89                      db 89h                        ; ‰
.text:004052A7 74                      db 74h                        ; t
.text:004052A8 EE                      db 0EEh                       ; î
.text:004052A9 A7                      db 0A7h                       ; §
.text:004052AA 00                      db 0
.text:004052AB 29                      db 29h                        ; )
.text:004052AC ; ---------------------------------------------------------------------------
.text:004052AC
.text:004052AC loc_4052AC:                                           ; CODE XREF: .text:loc_405294↑j
.text:004052AC 6A 00                   push    0                     ; 2nd push: the slot whose address becomes lpflOldProtect (push esp at 4051E9)
.text:004052AE 0F 81 35 FF FF FF       jno     loc_4051E9            ; push leaves OF unchanged -> always taken
.text:004052B4
.text:004052B4 loc_4052B4:                                           ; CODE XREF: .text:004051FF↑j
.text:004052B4 50                      push    eax                   ; 6th (last) push: eax = 400000h -> lpAddress
.text:004052B5 71 19                   jno     short loc_4052D0      ; -> build the function pointer
.text:004052B7 CD AB                   int     0ABh                  ; used by BASIC while in interpreter (filler 4052B7..4052C1: never executed)
.text:004052B9 DB 9C E8 00 00 00 AC    fistp   dword ptr [eax+ebp*8-54000000h]
.text:004052C0 4E                      dec     esi
.text:004052C1 41                      inc     ecx
.text:004052C2
.text:004052C2 loc_4052C2:                                           ; CODE XREF: .text:004051AE↑j
.text:004052C2 50                      push    eax                   ; 5th push: eax = 0F000h -> dwSize
.text:004052C3 0F 81 16 FF FF FF       jno     loc_4051DF            ; -> build lpAddress
.text:004052C9 00 CD                   add     ch, cl                ; filler 4052C9..4052CF: never executed
.text:004052C9 ; ---------------------------------------------------------------------------
.text:004052CB 00                      db 0
.text:004052CC 00                      db 0
.text:004052CD 79                      db 79h                        ; y
.text:004052CE AE                      db 0AEh                       ; ®
.text:004052CF 84                      db 84h                        ; „
.text:004052D0 ; ---------------------------------------------------------------------------
.text:004052D0
.text:004052D0 loc_4052D0:                                           ; CODE XREF: .text:004052B5↑j
.text:004052D0 B8 24 F6 21 00          mov     eax, offset unk_21F624 ; first half of the pointer-slot address; 40525A adds 1ECBC0h -> 40C1E4h
.text:004052D5 71 83                   jno     short loc_40525A      ; mov leaves OF unchanged -> always taken
.text:004052D7 EF                      out     dx, eax               ; filler: never executed
.text:004052D7 ; ---------------------------------------------------------------------------
.text:004052D8 00                      db 0                          ; filler 4052D8..4052DC
.text:004052D9 00                      db 0
.text:004052DA 40                      db 40h                        ; @
.text:004052DB 40                      db 40h                        ; @
.text:004052DC EA                      db 0EAh                       ; ê
.text:004052DD ; ---------------------------------------------------------------------------
.text:004052DD
.text:004052DD loc_4052DD:                                           ; CODE XREF: .text:00405243↑j
.text:004052DD 5D                      pop     ebp                   ; second half of the frame teardown started at 405241
.text:004052DE 71 52                   jno     short loc_405332      ; OF is whatever ran before this fragment left it (pop/mov do not touch it); the packer relies on it being clear
.text:004052E0 60                      pusha                         ; filler: never executed
.text:004052E1
.text:004052E1 loc_4052E1:                                           ; CODE XREF: .text:loc_4052EB↓j
.text:004052E1 58                      pop     eax                   ; after the call and the XOR loop: pops the edi value (4087A1h) pushed at 4051D2
.text:004052E2 71 BA                   jno     short loc_40529E      ; jump to decrypted code (pop leaves OF unchanged -> always taken)
.text:004052E4                         db 2Eh                        ; filler 4052E4..4052EA: never executed
.text:004052E4 2E 00 C3                add     bl, al
.text:004052E7 40                      inc     eax
.text:004052E8 7C 40                   jl      short loc_40532A
.text:004052E8 ; ---------------------------------------------------------------------------
.text:004052EA 00                      db 0
.text:004052EB ; ---------------------------------------------------------------------------
.text:004052EB
.text:004052EB loc_4052EB:                                           ; CODE XREF: .text:0040520E↑j
.text:004052EB 71 F4                   jno     short loc_4052E1      ; loop-exit path (OF clear from cmp ecx, esi with ecx == esi) -> always taken
.text:004052ED 00 42 6B                add     [edx+6Bh], al         ; filler 4052ED..4052F9: never executed
.text:004052F0 40                      inc     eax
.text:004052F1 4D                      dec     ebp
.text:004052F2 B8 40 EE 64 00          mov     eax, 64EE40h
.text:004052F7 D9 17                   fst     dword ptr [edi]
.text:004052F9 91                      xchg    eax, ecx
.text:004052FA
.text:004052FA loc_4052FA:                                           ; CODE XREF: .text:0040522F↑j
.text:004052FA 81 C7 92 E7 17 00       add     edi, 17E792h          ; edi = 28A00Fh + 17E792h = 4087A1h, first byte the XOR loop touches (no signed overflow, so OF is clear for the jno's that follow)
.text:00405300 E9 CD FE FF FF          jmp     loc_4051D2            ; -> push edi
.text:00405300 ; ---------------------------------------------------------------------------
.text:00405305 00                      db 0                          ; filler 405305..40530B
.text:00405306 19                      db 19h
.text:00405307 6F                      db 6Fh                        ; o
.text:00405308 68                      db 68h                        ; h
.text:00405309 73                      db 73h                        ; s
.text:0040530A 52                      db 52h                        ; R
.text:0040530B 00                      db 0
.text:0040530C ; ---------------------------------------------------------------------------
.text:0040530C
.text:0040530C loc_40530C:                                           ; CODE XREF: .text:0040517E↑j
.text:0040530C B8 DE 48 00 00          mov     eax, 48DEh            ; dwSize, first half; 4051A9 adds 0A722h -> 0F000h
.text:00405311 0F 81 92 FE FF FF       jno     loc_4051A9            ; mov leaves OF unchanged -> always taken
.text:00405317 EC                      in      al, dx                ; filler 405317..40531D: never executed
.text:00405318 40                      inc     eax
.text:00405319 D8 00                   fadd    dword ptr [eax]
.text:0040531B E6 59                   out     59h, al
.text:0040531D 6D                      insd
.text:0040531E
.text:0040531E loc_40531E:                                           ; CODE XREF: .text:00405361↓j
.text:0040531E 0F 81 2D FF FF FF       jno     loc_405251            ; -> mov ecx, 0 (XOR loop setup)
.text:00405324 69 E4 D6 40 00 00       imul    esp, 40D6h            ; filler: never executed
.text:0040532A
.text:0040532A loc_40532A:                                           ; CODE XREF: .text:004052E8↑j
.text:0040532A 04 5F                   add     al, 5Fh               ; only referenced from filler (jl at 4052E8): never executed
.text:0040532C ED                      in      eax, dx
.text:0040532D CE                      into
.text:0040532E 00 53 00                add     [ebx+0], dl
.text:0040532E ; ---------------------------------------------------------------------------
.text:00405331 D8                      db 0D8h                       ; Ø
.text:00405332 ; ---------------------------------------------------------------------------
.text:00405332
.text:00405332 loc_405332:                                           ; CODE XREF: .text:004052DE↑j
.text:00405332 0F 81 F2 FE FF FF       jno     loc_40522A            ; -> mov edi, 28A00Fh
.text:00405338                         db 36h                        ; filler 405338..405343: never executed
.text:00405338 36 40                   inc     eax
.text:0040533A 87 18                   xchg    ebx, [eax]
.text:0040533C 40                      inc     eax
.text:0040533D 09 00                   or      [eax], eax
.text:0040533F 40                      inc     eax
.text:00405340 00 45 40                add     [ebp+40h], al
.text:00405340 ; ---------------------------------------------------------------------------
.text:00405343 B2                      db 0B2h
.text:00405344 ; ---------------------------------------------------------------------------
.text:00405344
.text:00405344 my_increase_xor_loop_counter_part_2:                  ; CODE XREF: .text:00405189↑j
.text:00405344 47                      inc     edi                   ; advance the XOR loop write pointer
.text:00405345 E9 8F FE FF FF          jmp     loc_4051D9            ; -> cmp ecx, esi
.text:00405345 ; ---------------------------------------------------------------------------
.text:0040534A 84 00 00 4C             dd 4C000084h                  ; filler
.text:0040534E 40                      db 40h
.text:0040534F ; ---------------------------------------------------------------------------
.text:0040534F
.text:0040534F loc_40534F:                                           ; CODE XREF: .text:0040526C↑j
.text:0040534F FF D0                   call    eax                   ; call virtualprotect: eax loaded from [40C1E4h] at 40526A; stack top holds lpAddress=400000h, dwSize=0F000h, flNewProtect=40h, lpflOldProtect=&slot, then the slot (0) and the saved edi
.text:00405351 71 0D                   jno     short loc_405360      ; NOTE(review): this jno depends on OF as the callee leaves it; the packer evidently counts on it being clear
.text:00405351 ; ---------------------------------------------------------------------------
.text:00405353 00                      db 0                          ; filler 405353..40535F
.text:00405354 00                      db 0
.text:00405355 00                      db 0
.text:00405356 6E                      db 6Eh                        ; n
.text:00405357 40                      db 40h                        ; @
.text:00405358 40                      db 40h                        ; @
.text:00405359 14                      db 14h
.text:0040535A 00                      db 0
.text:0040535B 4C                      db 4Ch                        ; L
.text:0040535C D8                      db 0D8h                       ; Ø
.text:0040535D 00                      db 0
.text:0040535E D1                      db 0D1h                       ; Ñ
.text:0040535F 40                      db 40h                        ; @
.text:00405360 ; ---------------------------------------------------------------------------
.text:00405360
.text:00405360 loc_405360:                                           ; CODE XREF: .text:00405351↑j
.text:00405360 58                      pop     eax                   ; discard the old-protection slot (on top once a stdcall callee has removed its four arguments); the saved edi stays for 4052E1
.text:00405361 71 BB                   jno     short loc_40531E      ; pop leaves OF unchanged -> always taken (on to the XOR loop)
.text:00405363 40                      inc     eax                   ; filler 405363..40536C: never executed
.text:00405364 4C                      dec     esp
.text:00405365 B7 98                   mov     bh, 98h
.text:00405367 23 6B 00                and     ebp, [ebx+0]
.text:0040536A 5E                      pop     esi
.text:0040536A ; ---------------------------------------------------------------------------
.text:0040536B 00                      db 0
.text:0040536C 00                      db 0