0044307F 8B85 95334000 MOV EAX,DWORD PTR SS:[EBP+403395]
00443085 8B9D 9A334000 MOV EBX,DWORD PTR SS:[EBP+40339A]
0044308B 03C3 ADD EAX,EBX
...
00443093 FFE0 JMP EAX --------------- OEP
|
00443000 > 53 PUSH EBX
00443001 51 PUSH ECX
00443002 52 PUSH EDX
00443003 56 PUSH ESI
00443004 57 PUSH EDI
00443005 55 PUSH EBP
00443006 E8 00000000 CALL $+5
0044300B 5D POP EBP ;ebp=eip
0044300C 8BD5 MOV EDX,EBP
0044300E 81ED A2304000 SUB EBP,4030A2
00443014 2B95 91334000 SUB EDX,DWORD PTR SS:[EBP+403391]
0044301A 81EA 0B000000 SUB EDX,0B
00443020 8995 9A334000 MOV DWORD PTR SS:[EBP+40339A],EDX
00443026 80BD 99334000 00 CMP BYTE PTR SS:[EBP+403399],0
0044302D 74 50 JE SHORT 0044307F
0044302F E8 02010000 CALL 00443136 ----Load ptrs to Virtual Alloc/Free
00443034 8BFD MOV EDI,EBP
deryptNextSection:
00443036 8D9D 9A334000 LEA EBX,DWORD PTR SS:[EBP+40339A]
0044303C 8B1B MOV EBX,DWORD PTR DS:[EBX]
0044303E 8D87 9E334000 LEA EAX,DWORD PTR DS:[EDI+40339E]
00443044 8B00 MOV EAX,DWORD PTR DS:[EAX]
00443046 03D8 ADD EBX,EAX
00443048 8D8F A2334000 LEA ECX,DWORD PTR DS:[EDI+4033A2]
0044304E 8B09 MOV ECX,DWORD PTR DS:[ECX]
00443050 66:8B85 8F334000 MOV AX,WORD PTR SS:[EBP+40338F]
00443057 8003 10 ADD BYTE PTR DS:[EBX],10 ----
0044305A 3003 XOR BYTE PTR DS:[EBX],AL |
0044305C 3023 XOR BYTE PTR DS:[EBX],AH |
0044305E 8003 AA ADD BYTE PTR DS:[EBX],0AA +--Demunge sect
00443061 66:C1C0 03 ROL AX,3 |
00443065 86E0 XCHG AL,AH |
00443067 43 INC EBX |
00443068 ^E2 ED LOOPD SHORT 00443057 ----
0044306A E8 FF000000 CALL 0044316E ;decrypt section to mem copyback to sect
0044306F 83C7 08 ADD EDI,8
00443072 FE8D 99334000 DEC BYTE PTR SS:[EBP+403399]
00443078 ^75 BC JNZ SHORT 00443036 ----deryptNextSection
0044307A E8 16000000 CALL 00443095 --- restore IAT Stuff
0044307F 8B85 95334000 MOV EAX,DWORD PTR SS:[EBP+403395] ;OEP offset
00443085 8B9D 9A334000 MOV EBX,DWORD PTR SS:[EBP+40339A] ;400000
0044308B 03C3 ADD EAX,EBX
0044308D 5D POP EBP
0044308E 5F POP EDI
0044308F 5E POP ESI
00443090 5A POP EDX
00443091 59 POP ECX
00443092 5B POP EBX
00443093 FFE0 JMP EAX ---------------jmp OEP |
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}