Hey guys,
I was trying to understand ASPack unpacking.
I was able to spot the decompression routine, decoding using e8 and e9 etc., but I was not clear what this bit was doing.
Can any unpacking gurus gimme some hint?
Thx in advance.
Pls find the IDA extract below.
loc_1013209: ; CODE XREF: .aspack:01013253j
.aspack:01013209 mov bx, [esi] ; I think esi is pointing to decompressed code
.aspack:0101320C shr ebx, 0Ch ; keep only most significant nibble
.aspack:0101320F cmp ebx, 1 ; not sure why he's comparing and what he's trying to achieve
.aspack:01013212 jz short loc_1013220
.aspack:01013214 cmp ebx, 2 ; ?
.aspack:01013217 jz short loc_101322F
.aspack:01013219 cmp ebx, 3 ; ?
.aspack:0101321C jz short loc_101323E
.aspack:0101321E jmp short loc_101324C
.aspack:01013220 ; ---------------------------------------------------------------------------
.aspack:01013220
.aspack:01013220 loc_1013220: ; CODE XREF: .aspack:01013212j
.aspack:01013220 mov bx, [esi] ;move lower byte into bx
.aspack:01013223 and ebx, 0FFFh ; zero out the most significant nibble
.aspack:01013229 add [edi+ebx], ax ; I think edi is pointing to ImageBase at this point, pls correct me if I'm wrong
.aspack:0101322D jmp short loc_101324C
.aspack:0101322F ; ---------------------------------------------------------------------------
.aspack:0101322F
.aspack:0101322F loc_101322F: ; CODE XREF: .aspack:01013217j
.aspack:0101322F mov bx, [esi] ;same as previous
.aspack:01013232 and ebx, 0FFFh
.aspack:01013238 add [edi+ebx], dx ; why move only a word ?
.aspack:0101323C jmp short loc_101324C
.aspack:0101323E ; ---------------------------------------------------------------------------
.aspack:0101323E
.aspack:0101323E loc_101323E: ; CODE XREF: .aspack:0101321Cj
.aspack:0101323E mov bx, [esi]
.aspack:01013241 and ebx, 0FFFh
.aspack:01013247 add [edi+ebx], edx ; mov dword ?
.aspack:0101324A jmp short $+2
.aspack:0101324C
Charlie
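
The dispatch in the listing above, modelled in C as an added example that is not part of the original post: a 16-bit entry split into a 4-bit type and a 12-bit offset, with types 1, 2 and 3, is the layout of a PE base relocation entry (IMAGE_REL_BASED_HIGH, LOW and HIGHLOW). Assumptions: edi points at the start of the page being fixed up, and ax, dx and edx hold the high word, low word and full value of the relocation delta (the listing does not show where they are loaded); the function names and sample values are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Values the listing compares against (cmp ebx,1/2/3); they equal
   IMAGE_REL_BASED_HIGH, _LOW and _HIGHLOW in the PE format. */
enum { REL_HIGH = 1, REL_LOW = 2, REL_HIGHLOW = 3 };

/* Little-endian read/write of n bytes (n = 2 or 4). */
static uint32_t rd(const uint8_t *p, size_t n) {
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}
static void wr(uint8_t *p, uint32_t v, size_t n) {
    for (size_t i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* page = what edi points at, entries = what esi walks, delta = load
   address minus preferred base (assumed source of ax/dx/edx).
   Returns fixups applied, or -1 if an entry points outside the page. */
int apply_fixups(uint8_t *page, size_t page_len,
                 const uint16_t *entries, size_t count, uint32_t delta) {
    int applied = 0;
    for (size_t i = 0; i < count; i++) {
        unsigned type = entries[i] >> 12;       /* shr ebx, 0Ch   */
        size_t off = entries[i] & 0x0FFF;       /* and ebx, 0FFFh */
        if (type < REL_HIGH || type > REL_HIGHLOW)
            continue;                           /* jmp loc_101324C */
        size_t width = (type == REL_HIGHLOW) ? 4 : 2;
        if (off + width > page_len) return -1;  /* bounds check, not in the listing */
        /* HIGH adds the upper 16 bits (ax), LOW the lower 16 (dx),
           HIGHLOW the full 32 bits (edx); wr() truncates to width. */
        uint32_t add = (type == REL_HIGH) ? delta >> 16 : delta;
        wr(page + off, rd(page + off, width) + add, width);
        applied++;
    }
    return applied;
}

/* Constructed sample: one entry of each type plus a type-0 pad entry.
   which = 0 returns the fixup count, 1..3 the patched value at 0x10*which. */
uint32_t sample(int which) {
    static const uint16_t entries[] = { 0x3010, 0x1020, 0x2030, 0x0000 };
    uint8_t page[0x40] = { 0 };
    wr(page + 0x10, 0x01001234, 4);
    wr(page + 0x20, 0x0100, 2);
    wr(page + 0x30, 0x1234, 2);
    int n = apply_fixups(page, sizeof page, entries, 4, 0x00410020);
    if (which == 0) return (uint32_t)n;
    return rd(page + 0x10 * which, which == 1 ? 4 : 2);
}
```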







