Module four inside packed sample with SHA1: 37f6f1f59bf7952fd7182deeb07d4cd0d367dd59
The disassembly output below is part of the blog:
Hancitor packer demystified
.text:004015D8 .text:004015D8
loc_4015D8
:
; CODE XREF: my_module_five+30↑j
.text:004015D8
; my_module_five+45↑j ...
.text:004015D8
6A 00
push 0
.text:004015DA
FF 15 14 20 40 00
call
ds
:
off_402014
; exitprocess
.text:004015E0
8B E5
mov
esp
,
ebp
.text:004015E2
5D
pop
ebp
.text:004015E3
C3
retn
.text:004015E3
my_module_five
endp .text:004015E3 .text:004015E3
; ---------------------------------------------------------------------------
.text:004015E4
CC CC CC CC
dd
0CCCCCCCCh .text:004015E8
CC CC CC CC
dd
0CCCCCCCCh .text:004015EC
CC CC CC CC
dd
0CCCCCCCCh
.text:004015F0
.text:004015F0 ; =============== S U B R O U T I N E =======================================
.text:004015F0
.text:004015F0 ; Attributes: bp-based frame
.text:004015F0
.text:004015F0 ; void my_module_four(void)
.text:004015F0 ; Fourth stage of the packer.  Calls sub_4011F0(1) (cdecl; what the 1 means
.text:004015F0 ; is not visible here), then enters my_register_callback_function, which
.text:004015F0 ; returns only when its message loop ends or window setup fails.  Afterwards
.text:004015F0 ; the process terminates with ExitProcess(0); the epilogue below is reached
.text:004015F0 ; only if that call returns, which it normally does not.
.text:004015F0 ; Only DATA xrefs point here (one from a debug segment), so the stage is
.text:004015F0 ; presumably entered indirectly by address rather than by a direct call.
.text:004015F0 my_module_four  proc near               ; DATA XREF: debug028:00230B0D↑o
.text:004015F0                                         ; .text:004092AE↓o
.text:004015F0 55                push    ebp
.text:004015F1
.text:004015F1 loc_4015F1:
.text:004015F1 8B EC             mov     ebp, esp
.text:004015F3 6A 01             push    1               ; single argument = 1
.text:004015F5 E8 F6 FB FF FF    call    sub_4011F0
.text:004015FA 83 C4 04          add     esp, 4          ; caller removes the argument -> cdecl
.text:004015FD E8 0E 00 00 00    call    near ptr my_register_callback_function ; blocks in the window message loop
.text:00401602 6A 00             push    0               ; uExitCode = 0
.text:00401604 FF 15 14 20 40 00 call    ds:off_402014   ; exitprocess
.text:0040160A 5D                pop     ebp
.text:0040160B C3                retn
.text:0040160B my_module_four  endp
.text:0040160B
.text:0040160B ; ---------------------------------------------------------------------------
.text:0040160C CC CC CC CC       dd 0CCCCCCCCh
.text:00401610
.text:00401610 ; =============== S U B R O U T I N E =======================================
.text:00401610
.text:00401610 ; Attributes: bp-based frame
.text:00401610
.text:00401610 ; void my_register_callback_function(void)
.text:00401610 ; Registers a window class "MainWnd" whose WndProc is my_callback_function,
.text:00401610 ; creates a message-only window of that class, arms a 100 ms periodic timer
.text:00401610 ; on it and then pumps messages (GetMessageA / TranslateMessage /
.text:00401610 ; DispatchMessageA) until GetMessageA returns <= 0.  The real work happens in
.text:00401610 ; the callback, which is driven by the WM_TIMER messages this loop dispatches.
.text:00401610 ; Returns early (without a window) if RegisterClassExA or CreateWindowExA fails.
.text:00401610 ; Local frame (0x50 bytes):
.text:00401610 ;   var_50 = WNDCLASSEXA (0x30 bytes; cbSize at +0, lpfnWndProc at +8,
.text:00401610 ;            hInstance at +14h, lpszClassName at +28h)
.text:00401610 ;   var_20 = MSG structure used by the message loop
.text:00401610 ;   var_4  = HWND returned by CreateWindowExA
.text:00401610 ; For analysis: the class name "MainWnd", the message-only (never shown)
.text:00401610 ; window and the 100 ms timer are the observable artefacts of this stage.
.text:00401610 ; IDA labels this 'proc far' while the caller uses 'call near ptr'; the body
.text:00401610 ; ends in a plain near retn, so the 'far' attribute looks like an IDA artefact.
.text:00401610 my_register_callback_function proc far  ; CODE XREF: my_module_four+D↑p
.text:00401610
.text:00401610 var_50 = dword ptr -50h
.text:00401610 var_48 = dword ptr -48h
.text:00401610 var_3C = dword ptr -3Ch
.text:00401610 var_28 = dword ptr -28h
.text:00401610 var_20 = byte ptr -20h
.text:00401610 var_4  = dword ptr -4
.text:00401610
.text:00401610 55                push    ebp
.text:00401611 8B EC             mov     ebp, esp
.text:00401613 83 EC 50          sub     esp, 50h        ; 0x50 bytes of locals
.text:00401616 6A 30             push    30h             ; size = sizeof(WNDCLASSEXA) = 0x30
.text:00401618 6A 00             push    0               ; fill value
.text:0040161A 8D 45 B0          lea     eax, [ebp+var_50]
.text:0040161D 50                push    eax             ; destination = &wc
.text:0040161E E8 9D FA FF FF    call    sub_4010C0      ; presumably a memset-style zero of the struct -- verify sub_4010C0
.text:00401623 83 C4 0C          add     esp, 0Ch        ; cdecl, 3 args
.text:00401626 C7 45 B0 30 00 00 00 mov     [ebp+var_50], 30h ; wc.cbSize = sizeof(WNDCLASSEXA)
.text:0040162D C7 45 B8 D0 16 40 00 mov     [ebp+var_48], offset my_callback_function ; wc.lpfnWndProc
.text:00401634 C7 45 C4 00 00 00 00 mov     [ebp+var_3C], 0 ; wc.hInstance = NULL
.text:0040163B C7 45 D8 88 6A 40 00 mov     [ebp+var_28], offset aMainwnd ; wc.lpszClassName = "MainWnd"
.text:00401642 8D 4D B0          lea     ecx, [ebp+var_50]
.text:00401645 51                push    ecx             ; &wc
.text:00401646 FF 15 34 20 40 00 call    ds:off_402034   ; user32_RegisterClassExA
.text:0040164C 0F B7 D0          movzx   edx, ax         ; ATOM is 16-bit; zero on failure
.text:0040164F 85 D2             test    edx, edx
.text:00401651 75 02             jnz     short loc_401655 ; registered -> create the window
.text:00401653 EB 69             jmp     short loc_4016BE ; failed -> return without doing anything
.text:00401655 ; ---------------------------------------------------------------------------
.text:00401655
.text:00401655 loc_401655:                             ; CODE XREF: my_register_callback_function+41↑j
.text:00401655 ; CreateWindowExA arguments, pushed right to left:
.text:00401655 6A 00             push    0               ; lpParam
.text:00401657 6A 00             push    0               ; hInstance
.text:00401659 6A 00             push    0               ; hMenu
.text:0040165B 6A FD             push    0FFFFFFFDh      ; hWndParent = HWND_MESSAGE (-3): message-only window, never displayed
.text:0040165D 6A 00             push    0               ; nHeight
.text:0040165F 6A 00             push    0               ; nWidth
.text:00401661 6A 00             push    0               ; y
.text:00401663 6A 00             push    0               ; x
.text:00401665 6A 00             push    0               ; dwStyle
.text:00401667 6A 00             push    0               ; lpWindowName
.text:00401669 68 90 6A 40 00    push    offset aMainwnd_0 ; lpClassName = "MainWnd"
.text:0040166E 6A 00             push    0               ; dwExStyle
.text:00401670
.text:00401670 loc_401670:                             ; CreateWindowExA
.text:00401670 FF 15 38 20 40 00 call    ds:off_402038
.text:00401676 89 45 FC          mov     [ebp+var_4], eax ; hwnd (NULL on failure)
.text:00401679 83 7D FC 00       cmp     [ebp+var_4], 0
.text:0040167D
.text:0040167D loc_40167D:
.text:0040167D 75 02             jnz     short loc_401681 ; window created -> arm the timer
.text:0040167F
.text:0040167F loc_40167F:
.text:0040167F EB 3D             jmp     short loc_4016BE ; failed -> return
.text:00401681 ; ---------------------------------------------------------------------------
.text:00401681
.text:00401681 loc_401681:                             ; CODE XREF: my_register_callback_function:loc_40167D↑j
.text:00401681 6A 00             push    0               ; lpTimerFunc = NULL -> WM_TIMER is delivered to the WndProc
.text:00401683 6A 64             push    64h             ; uElapse = 100 ms
.text:00401685 68 E8 03 00 00    push    3E8h            ; nIDEvent = 1000
.text:0040168A 8B 45 FC          mov     eax, [ebp+var_4]
.text:0040168D 50                push    eax             ; hWnd
.text:0040168E FF 15 20 20 40 00 call    ds:off_402020   ; user32_SetTimer
.text:00401694
.text:00401694 loc_401694:                             ; CODE XREF: my_register_callback_function+AC↓j
.text:00401694 ; message loop: while (GetMessageA(&msg, 0, 0, 0) > 0) { TranslateMessage(&msg); DispatchMessageA(&msg); }
.text:00401694 6A 00             push    0               ; wMsgFilterMax
.text:00401696 6A 00             push    0               ; wMsgFilterMin
.text:00401698 6A 00             push    0               ; hWnd = NULL: any window of this thread
.text:0040169A 8D 4D E0          lea     ecx, [ebp+var_20]
.text:0040169D 51                push    ecx             ; &msg
.text:0040169E FF 15 24 20 40 00 call    ds:off_402024   ; user32_GetMessageA
.text:004016A4 85 C0             test    eax, eax
.text:004016A6 7E 16             jle     short loc_4016BE ; 0 = WM_QUIT, -1 = error: leave the loop
.text:004016A8 8D 55 E0          lea     edx, [ebp+var_20]
.text:004016AB
.text:004016AB loc_4016AB:
.text:004016AB 52                push    edx             ; &msg
.text:004016AC FF 15 28 20 40 00 call    ds:off_402028   ; user32_TranslateMessage
.text:004016B2 8D 45 E0          lea     eax, [ebp+var_20]
.text:004016B5 50                push    eax             ; &msg
.text:004016B6 FF 15 2C 20 40 00 call    ds:off_40202C   ; user32_DispatchMessageA -> my_callback_function for our window
.text:004016BC EB D6             jmp     short loc_401694
.text:004016BE ; ---------------------------------------------------------------------------
.text:004016BE
.text:004016BE loc_4016BE:                             ; CODE XREF: my_register_callback_function+43↑j
.text:004016BE                                         ; my_register_callback_function:loc_40167F↑j ...
.text:004016BE 8B E5             mov     esp, ebp        ; common exit: drop the 0x50-byte frame
.text:004016C0 5D                pop     ebp
.text:004016C1 C3                retn
.text:004016C1 ; ---------------------------------------------------------------------------
.text:004016C2 CC CC CC CC       dd 0CCCCCCCCh
.text:004016C2 my_register_callback_function endp
.text:004016C2
.text:004016C6 CC CC CC CC       dd 0CCCCCCCCh
.text:004016CA CC CC CC CC       dd 0CCCCCCCCh
.text:004016CE CC CC             dw 0CCCCh
.text:004016D0
.text:004016D0 ; =============== S U B R O U T I N E =======================================
.text:004016D0
.text:004016D0 ; Attributes: bp-based frame
.text:004016D0
.text:004016D0 ; LRESULT __stdcall my_callback_function(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
.text:004016D0 ; Window procedure of the "MainWnd" class (installed as lpfnWndProc by
.text:004016D0 ; my_register_callback_function).  Every message except WM_TIMER (113h) is
.text:004016D0 ; forwarded to DefWindowProcA.  Each WM_TIMER increments the global counter
.text:004016D0 ; dword_407030; when it reaches 0C8h (200) the function calls my_module_five.
.text:004016D0 ; Assuming the 100 ms timer armed by the caller, that is roughly 20 s of
.text:004016D0 ; wall-clock delay before the next stage runs -- a timer/message-loop based
.text:004016D0 ; stall that a short-running analysis environment may not outlast.
.text:004016D0 ; The counter is never reset, so only the 200th WM_TIMER triggers the call;
.text:004016D0 ; the visible tail of my_module_five ends in ExitProcess(0), so control is
.text:004016D0 ; not expected to come back here afterwards.
.text:004016D0 ; arg_0 = hWnd, arg_4 = uMsg, arg_8 = wParam, arg_C = lParam; var_4 = copy of uMsg.
.text:004016D0 ; Returns 0 for WM_TIMER, otherwise whatever DefWindowProcA returned in eax.
.text:004016D0 my_callback_function proc near          ; DATA XREF: my_register_callback_function+1D↑o
.text:004016D0
.text:004016D0 var_4 = dword ptr -4
.text:004016D0 arg_0 = dword ptr 8
.text:004016D0 arg_4 = dword ptr 0Ch
.text:004016D0 arg_8 = dword ptr 10h
.text:004016D0 arg_C = dword ptr 14h
.text:004016D0
.text:004016D0 55                push    ebp
.text:004016D1 8B EC             mov     ebp, esp
.text:004016D3 51                push    ecx             ; reserves the 4-byte slot for var_4 (ecx value itself is unused)
.text:004016D4 8B 45 0C          mov     eax, [ebp+arg_4] ; uMsg
.text:004016D7 89 45 FC          mov     [ebp+var_4], eax
.text:004016DA 81 7D FC 13 01 00 00 cmp     [ebp+var_4], 113h ; uMsg == WM_TIMER ?
.text:004016E1 74 02             jz      short loc_4016E5
.text:004016E3 EB 24             jmp     short loc_401709 ; anything else -> DefWindowProcA
.text:004016E5 ; ---------------------------------------------------------------------------
.text:004016E5
.text:004016E5 loc_4016E5:                             ; CODE XREF: my_callback_function+11↑j
.text:004016E5 ; WM_TIMER: ++dword_407030; if (dword_407030 == 200) my_module_five();
.text:004016E5 8B 0D 30 70 40 00 mov     ecx, ds:dword_407030
.text:004016EB 83 C1 01          add     ecx, 1
.text:004016EE 89 0D 30 70 40 00 mov     ds:dword_407030, ecx
.text:004016F4 81 3D 30 70 40 00 C8 00 00 00 cmp     ds:dword_407030, 0C8h ; 200 ticks reached?
.text:004016FE 75 05             jnz     short loc_401705 ; not yet: return 0
.text:00401700 E8 1B FE FF FF    call    my_module_five  ; next stage
.text:00401705
.text:00401705 loc_401705:                             ; CODE XREF: my_callback_function+2E↑j
.text:00401705 33 C0             xor     eax, eax        ; return 0 (message handled)
.text:00401707 EB 16             jmp     short loc_40171F
.text:00401709 ; ---------------------------------------------------------------------------
.text:00401709
.text:00401709 loc_401709:                             ; CODE XREF: my_callback_function+13↑j
.text:00401709 ; default: return DefWindowProcA(hWnd, uMsg, wParam, lParam)
.text:00401709 8B 55 14          mov     edx, [ebp+arg_C]
.text:0040170C 52                push    edx             ; lParam
.text:0040170D 8B 45 10          mov     eax, [ebp+arg_8]
.text:00401710 50                push    eax             ; wParam
.text:00401711 8B 4D 0C          mov     ecx, [ebp+arg_4]
.text:00401714 51                push    ecx             ; uMsg
.text:00401715
.text:00401715 loc_401715:
.text:00401715 8B 55 08          mov     edx, [ebp+arg_0]
.text:00401718 52                push    edx             ; hWnd
.text:00401719 FF 15 30 20 40 00 call    ds:off_402030   ; ntdll_NtdllDefWindowProc_A -- stdcall, callee pops the 4 args; result left in eax
.text:0040171F
.text:0040171F loc_40171F:                             ; CODE XREF: my_callback_function+37↑j
.text:0040171F 8B E5             mov     esp, ebp        ; discard var_4 on either path
.text:00401721 5D                pop     ebp
.text:00401722 C2 10 00          retn 10h                ; stdcall: pop the four WndProc arguments
.text:00401722 my_callback_function endp               ; sp-analysis failed (likely because the prototype behind off_402030 was not resolved -- verify)
.text:00401722
.text:00401722 ; ---------------------------------------------------------------------------
.text:00401725 CC CC CC CC       dd 0CCCCCCCCh
.text:00401729 CC CC CC CC       dd 0CCCCCCCCh