-Trace into -
004EABA8 /$ 55 PUSH EBP
004EABA9 | 8BEC MOV EBP, ESP
004EABAB | 51 PUSH ECX
004EABAC | B9 04000000 MOV ECX, 4 ==> i = 4
004EABB1 |> 6A 00 /PUSH 0
004EABB3 | 6A 00 |PUSH 0
004EABB5 | 49 |DEC ECX
004EABB6 |.^ 75 F9 \JNZ SHORT unpacked.004EABB1
004EABB8 | 51 PUSH ECX
004EABB9 | 874D FC XCHG [LOCAL.1], ECX
004EABBC | 53 PUSH EBX
004EABBD | 56 PUSH ESI
004EABBE | 57 PUSH EDI
004EABBF | 8BF9 MOV EDI, ECX
004EABC1 | 8955 FC MOV [LOCAL.1], EDX ==> đưa FU vào EDX
004EABC4 | 8B45 FC MOV EAX, [LOCAL.1] ==> đưa FU vào EAX
004EABC7 | E8 78A0F1FF CALL unpacked.00404C44
004EABCC | 33C0 XOR EAX, EAX
004EABCE | 55 PUSH EBP
004EABCF | 68 69AD4E00 PUSH unpacked.004EAD69
004EABD4 | 64:FF30 PUSH DWORD PTR FS:[EAX]
004EABD7 | 64:8920 MOV DWORD PTR FS:[EAX], ESP
004EABDA | 8BC7 MOV EAX, EDI
004EABDC | E8 C39BF1FF CALL unpacked.004047A4
004EABE1 | 8B45 FC MOV EAX, [LOCAL.1]
004EABE4 | E8 739EF1FF CALL unpacked.00404A5C
004EABE9 | 8BF0 MOV ESI, EAX
004EABEB | 85F6 TEST ESI, ESI
004EABED | 7E 26 JLE SHORT unpacked.004EAC15
004EABEF | BB 01000000 MOV EBX, 1
-=============Loop============ -
004EABF4 |> 8D4D EC /LEA ECX, [LOCAL.5]
004EABF7 | 8B45 FC |MOV EAX, [LOCAL.1]
004EABFA | 0FB64418 FF |MOVZX EAX, BYTE PTR DS:[EAX+EBX-1] ==> đưa S[i] của FU vào EAX
004EABFF | 33D2 |XOR EDX, EDX
004EAC01 | E8 76E4F1FF |CALL unpacked.0040907C
004EAC06 | 8B55 EC |MOV EDX, [LOCAL.5] ==> đưa S[i] dưới dạng Hexa vào EDX
004EAC09 | 8D45 F8 |LEA EAX, [LOCAL.2]
004EAC0C | E8 539EF1FF |CALL unpacked.00404A64
004EAC11 | 43 |INC EBX ==> tăng EBX lên 1
004EAC12 | 4E |DEC ESI ==> if ESI # 0
004EAC13 |.^ 75 DF \JNZ SHORT unpacked.004EABF4 ==> then continue loop
-End Loop -
004EAC15 |> 8B45 F8 MOV EAX, [LOCAL.2]
004EAC18 | E8 3F9EF1FF CALL unpacked.00404A5C
004EAC1D | 8BF0 MOV ESI, EAX
004EAC1F | 85F6 TEST ESI, ESI
004EAC21 | 7E 2C JLE SHORT unpacked.004EAC4F
004EAC23 | BB 01000000 MOV EBX, 1
-============Loop========== -
004EAC28 |> 8B45 F8 /MOV EAX, [LOCAL.2] ==> đưa FU sau khi đã chuyển sang hệ Hexa vào EAX
004EAC2B | E8 2C9EF1FF |CALL unpacked.00404A5C
004EAC30 | 2BC3 |SUB EAX, EBX
004EAC32 | 8B55 F8 |MOV EDX, [LOCAL.2] ==> đưa FU sau khi đã chuyển sang hệ Hexa vào EDX
004EAC35 | 8A1402 |MOV DL, BYTE PTR DS:[EDX+EAX] ==> đưa S[i’] vào DL
004EAC38 | 8D45 E8 |LEA EAX, [LOCAL.6]
004EAC3B | E8 449DF1FF |CALL unpacked.00404984
004EAC40 | 8B55 E8 |MOV EDX, [LOCAL.6]
004EAC43 | 8D45 F4 |LEA EAX, [LOCAL.3]
004EAC46 | E8 199EF1FF |CALL unpacked.00404A64
004EAC4B | 43 |INC EBX ==> tăng EBX lên 1
004EAC4C | 4E |DEC ESI ==> if ESI # 0
004EAC4D |.^ 75 D9 \JNZ SHORT unpacked.004EAC28 ==> continue loop
-End loop -
004EAC4F |> 8D45 F8 LEA EAX, [LOCAL.2]
004EAC52 | 50 PUSH EAX
004EAC53 | B9 04000000 MOV ECX, 4
004EAC58 | BA 01000000 MOV EDX, 1
004EAC5D | 8B45 F4 MOV EAX, [LOCAL.3] ==> đưa FU dưới dạng Hexa vào EAX nhưng theo thứ tự ngược lại
004EAC60 | E8 4FA0F1FF CALL unpacked.00404CB4
004EAC65 | 8D45 F4 LEA EAX, [LOCAL.3]
004EAC68 | 50 PUSH EAX
004EAC69 | B9 04000000 MOV ECX, 4 ==> i = 4
004EAC6E | BA 05000000 MOV EDX, 5
004EAC73 | 8B45 F4 MOV EAX, [LOCAL.3] ==> đưa FU dưới dạng Hexa nhưng đảo ngược vào EAX
004EAC76 | E8 39A0F1FF CALL unpacked.00404CB4
004EAC7B | 8B45 F8 MOV EAX, [LOCAL.2] ==> lấy 4 char cuối của FU này chuyển vào EAX
004EAC7E | E8 D99DF1FF CALL unpacked.00404A5C ==> gọi hàm kiểm tra
004EAC83 | 83F8 04 CMP EAX, 4 ==> if EAX < 4
004EAC86 | 7D 2F JGE SHORT unpacked.004EACB7 ==> then continue
004EAC88 | 8B45 F8 MOV EAX, [LOCAL.2]
004EAC8B | E8 CC9DF1FF CALL unpacked.00404A5C
004EAC90 | 8BD8 MOV EBX, EAX
004EAC92 | 83FB 03 CMP EBX, 3
004EAC95 | 7F 20 JG SHORT unpacked.004EACB7
004EAC97 |> 8D4D E4 /LEA ECX, [LOCAL.7]
004EAC9A | 8BC3 |MOV EAX, EBX
004EAC9C | C1E0 02 |SHL EAX, 2
004EAC9F | 33D2 |XOR EDX, EDX
004EACA1 | E8 D6E3F1FF |CALL unpacked.0040907C
004EACA6 | 8B55 E4 |MOV EDX, [LOCAL.7]
004EACA9 | 8D45 F8 |LEA EAX, [LOCAL.2]
004EACAC | E8 B39DF1FF |CALL unpacked.00404A64
004EACB1 | 43 |INC EBX
004EACB2 | 83FB 04 |CMP EBX, 4
004EACB5 |.^ 75 E0 \JNZ SHORT unpacked.004EAC97
004EACB7 |> 8B45 F4 MOV EAX, [LOCAL.3] ==> else: lấy 4 char tiếp theo của FU chuyển vào EAX
004EACBA | E8 9D9DF1FF CALL unpacked.00404A5C ==> gọi hàm kiểm tra
004EACBF | 83F8 04 CMP EAX, 4 ==> if EAX < 4
004EACC2 | 7D 2F JGE SHORT unpacked.004EACF3 ==> then continue
004EACC4 | 8B45 F4 MOV EAX, [LOCAL.3]
004EACC7 | E8 909DF1FF CALL unpacked.00404A5C
004EACCC | 8BD8 MOV EBX, EAX
004EACCE | 83FB 03 CMP EBX, 3
004EACD1 | 7F 20 JG SHORT unpacked.004EACF3
004EACD3 |> 8D4D E0 /LEA ECX, [LOCAL.8]
004EACD6 | 8BC3 |MOV EAX, EBX
004EACD8 | C1E0 02 |SHL EAX, 2
004EACDB | 33D2 |XOR EDX, EDX
004EACDD | E8 9AE3F1FF |CALL unpacked.0040907C
004EACE2 | 8B55 E0 |MOV EDX, [LOCAL.8]
004EACE5 | 8D45 F4 |LEA EAX, [LOCAL.3]
004EACE8 | E8 779DF1FF |CALL unpacked.00404A64
004EACED | 43 |INC EBX
004EACEE | 83FB 04 |CMP EBX, 4
004EACF1 |.^ 75 E0 \JNZ SHORT unpacked.004EACD3
004EACF3 |> 8D45 F0 LEA EAX, [LOCAL.4] ==> Else
004EACF6 | BA 80AD4E00 MOV EDX, unpacked.004EAD80 ; ASCII "Picture5s7efu85re" ==> đưa String default vào EDX
004EACFB | E8 3C9BF1FF CALL unpacked.0040483C ==> gọi hàm kiểm tra
004EAD00 | 8D45 DC LEA EAX, [LOCAL.9]
004EAD03 | 50 PUSH EAX
004EAD04 | B9 04000000 MOV ECX, 4
004EAD09 | BA 01000000 MOV EDX, 1
004EAD0E | 8B45 F0 MOV EAX, [LOCAL.4]
004EAD11 | E8 9E9FF1FF CALL unpacked.00404CB4
004EAD16 | FF75 DC PUSH [LOCAL.9] ==> lấy 4 char đầu của String default
004EAD19 | 68 9CAD4E00 PUSH unpacked.004EAD9C
004EAD1E | FF75 F8 PUSH [LOCAL.2] ==> lấy tiếp 4 char hexa đầu của FU đã được đảo ngược
004EAD21 | 8D45 D8 LEA EAX, [LOCAL.10]
004EAD24 | 50 PUSH EAX
004EAD25 | B9 05000000 MOV ECX, 5
004EAD2A | BA 05000000 MOV EDX, 5
004EAD2F | 8B45 F0 MOV EAX, [LOCAL.4]
004EAD32 | E8 7D9FF1FF CALL unpacked.00404CB4
004EAD37 | FF75 D8 PUSH [LOCAL.10] ==> lấy 4 char tiếp theo của String default
004EAD3A | 68 9CAD4E00 PUSH unpacked.004EAD9C
004EAD3F | FF75 F4 PUSH [LOCAL.3] ==> lấy 4 char hexa tiếp theo của FU đã được đảo ngược
004EAD42 | 8BC7 MOV EAX, EDI
004EAD44 | BA 06000000 MOV EDX, 6
004EAD49 | E8 CE9DF1FF CALL unpacked.00404B1C
-Trace into -
00404B1C $ 53 PUSH EBX
00404B1D 56 PUSH ESI
00404B1E 57 PUSH EDI
00404B1F 52 PUSH EDX
00404B20 50 PUSH EAX
00404B21 89D3 MOV EBX, EDX
00404B23 31FF XOR EDI, EDI
00404B25 8B4C94 14 MOV ECX, DWORD PTR SS:[ESP+EDX*4+14] ==> đưa 4 char đầu của String Default vào ECX
00404B29 85C9 TEST ECX, ECX
00404B2B 74 06 JE SHORT unpacked.00404B33
00404B2D 3908 CMP DWORD PTR DS:[EAX], ECX ==> if lenchar = 0
00404B2F 75 02 JNZ SHORT unpacked.00404B33 ==> then
00404B31 89C7 MOV EDI, EAX
00404B33 > 31C0 XOR EAX, EAX ==> else EAX=0
00404B35 > 8B4C94 14 MOV ECX, DWORD PTR SS:[ESP+EDX*4+14]
==>
00404B39 85C9 TEST ECX, ECX
00404B3B 74 09 JE SHORT unpacked.00404B46
00404B3D 0341 FC ADD EAX, DWORD PTR DS:[ECX-4]
00404B40 39CF CMP EDI, ECX ==> check lại ECX lần 2
00404B42 75 02 JNZ SHORT unpacked.00404B46
00404B44 31FF XOR EDI, EDI
00404B46 > 4A DEC EDX ==> jump if # 0
00404B47 .^ 75 EC JNZ SHORT unpacked.00404B35
00404B49 85FF TEST EDI, EDI
00404B4B 74 14 JE SHORT unpacked.00404B61
00404B4D 89C2 MOV EDX, EAX
00404B4F 89F8 MOV EAX, EDI
00404B51 8B37 MOV ESI, DWORD PTR DS:[EDI]
00404B53 8B76 FC MOV ESI, DWORD PTR DS:[ESI-4]
00404B56 E8 85020000 CALL unpacked.00404DE0
00404B5B 57 PUSH EDI
00404B5C 0337 ADD ESI, DWORD PTR DS:[EDI]
00404B5E 4B DEC EBX
00404B5F EB 08 JMP SHORT unpacked.00404B69