Unobfuscates memory range 0x0041EB7C-0x004208CE
; Packer stub, 32-bit x86, disassembler listing (address: opcode bytes, Intel-syntax mnemonic).
; It reads loader data from the PEB, alters the recorded image size, then decodes
; 0x1D52 bytes in place with a single-byte XOR key of 0x11.
; Decoded range: start = 0x41E1BB + 0x9C1 = 0x41EB7C; end = 0x41EB7C + 0x1D52 = 0x4208CE (exclusive).

; --- Environment check ---
; Takes the code-segment selector, clears its low byte and tests the rest for zero.
; NOTE(review): presumably an NT-vs-Win9x test (small CS selector on NT) - confirm.
; NOTE(review): 8C C9 without a 66h prefix may really be MOV ECX,CS; if only CX is
; written, the upper half of ECX comes from code not shown here.
0x41E183: 8CC9 MOV CX,CS
0x41E185: 32C9 XOR CL,CL
0x41E187: 83F900 CMP ECX,0x0
0x41E18A: 7528 JNE 0x41E1B4 ; non-zero: skip the PEB block, go straight to the decoder

; --- PEB / loader-data access (offsets per the standard 32-bit Windows layout) ---
; NOTE(review): the operand text on the next line is malformed (unbalanced bracket);
; the bytes 64 FF 35 30000000 encode PUSH DWORD PTR FS:[0x30], i.e. the PEB pointer.
0x41E18C: 64FF3530000000 PUSH DWORD PTR [DWORD PTR FS:[0x30]
0x41E193: 58 POP EAX ; EAX = PEB
; PEB+0x2 is the BeingDebugged byte; it is copied to [ESI+0xC] and not acted on here.
; The structure ESI points to is not visible in this listing.
0x41E194: 0FB64802 MOVZX ECX,BYTE PTR [EAX+0x2]
0x41E198: 884E0C MOV BYTE PTR [ESI+0xC],CL
0x41E19B: 8B400C MOV EAX,DWORD PTR [EAX+0xC] ; EAX = PEB->Ldr
0x41E19E: 8B400C MOV EAX,DWORD PTR [EAX+0xC] ; EAX = first entry of the load-order module list
0x41E1A1: 8D5820 LEA EBX,DWORD PTR [EAX+0x20] ; EBX -> entry's SizeOfImage field
0x41E1A4: 8D4818 LEA ECX,DWORD PTR [EAX+0x18] ; ECX -> entry's DllBase field
; Anti-dump: the loader's copy of the image size no longer matches the PE header,
; so tools that size a dump from the module list read a wrong length. For analysis,
; take the size from the PE header or the memory-region layout instead.
0x41E1A7: 8103C8000000 ADD DWORD PTR [EBX],0xC8 ; adds C8 to the imagesize stored in the module-list.
; Adds 0 to the DllBase field, a no-op as listed.
; NOTE(review): the zero immediate may be patched at run time - confirm.
0x41E1AD: B800000000 MOV EAX,0x0
0x41E1B2: 0101 ADD DWORD PTR [ECX],EAX

; --- In-place XOR decoder ---
0x41E1B4: 33C9 XOR ECX,ECX ; ECX = byte index, starts at 0
; CALL to the next instruction plus POP: position-independent way to load the
; current address (0x41E1BB) into EDI.
0x41E1B6: E800000000 CALL 0x41E1BB
0x41E1BB: 5F POP EDI
0x41E1BC: 81C7C1090000 ADD EDI,0x9C1 ; EDI = 0x41EB7C, start of the encoded region
; NOTE(review): 0F B6 is the byte-source form of MOVZX and 88 is a byte store, so
; "DWORD PTR" on the load and store below looks like a disassembler rendering
; error; the loop works on one byte per iteration.
0x41E1C2: 0FB60439 MOVZX EAX,DWORD PTR [ECX+EDI]
0x41E1C6: 83F011 XOR EAX,0x11 ; single-byte key 0x11
0x41E1C9: 880439 MOV DWORD PTR [ECX+EDI],AL
0x41E1CC: 41 INC ECX
0x41E1CD: 81F9521D0000 CMP ECX,0x1D52 ; region length in bytes
0x41E1D3: 72ED JB 0x41E1C2 ; unsigned compare: loop while ECX < 0x1D52
0x41E1D5: EB05 JMP 0x41E1DC ; target lies outside this listing

before the unpacking:
; The bytes are still encoded, so the mnemonics below are meaningless (note the
; privileged CLI/OUT). XOR-ing each opcode byte with 0x11 gives the bytes listed
; under "after the unpacking", e.g. FA 14 -> EB 05.
0x41EB7C: FA CLI
0x41EB7D: 14F9 ADC AL,0xF9
0x41EB7F: FA CLI
0x41EB80: 155111FAEB ADC EAX,0xEBFA1151
0x41EB85: F9 STC
0x41EB86: 1B11 SBB EDX,DWORD PTR [ECX]
0x41EB88: 1111 ADC DWORD PTR [ECX],EDX
0x41EB8A: F9 STC
0x41EB8B: FA CLI
0x41EB8C: 1D1111F9E7 SBB EAX,0xE7F91111
0x41EB91: EE OUT DX,AL
0x41EB92: EE OUT DX,AL
0x41EB93: EE OUT DX,AL

after the unpacking:
; The decoded code uses overlapping instructions, so this linear disassembly
; misleads. Execution goes 0x41EB7C -> 0x41EB83 -> 0x41EB7F, which is inside the
; CALL encoded at 0x41EB7E. The bytes there are EB 04, a short JMP to 0x41EB85,
; so CALL 0x81F06E never executes as shown.
0x41EB7C: EB05 JMP 0x41EB83
0x41EB7E: E8EB044000 CALL 0x81F06E
0x41EB83: EBFA JMP 0x41EB7F
0x41EB85: E80A000000 CALL 0x41EB94 ; target 0x41EB94 is past the end of this listing
; NOTE(review): the CALL at 0x41EB8F targets 0x41EB8A, a listed instruction start;
; whether the two CALLs below run as shown cannot be told from this excerpt.
0x41EB8A: E8EB0C0000 CALL 0x41F87A
0x41EB8F: E8F6FFFFFF CALL 0x41EB8A