USE32
; Brought to you by the sk3wl of r3v3rsing
;
; NASM / Intel syntax, 32-bit (i386) code.
;
; Reimplementation of the "func_4" decoder from a Kenshoto (KS) CTF binary,
; assembled so the routine can be driven from a harness:
;
;     int func_4(int len, char *s);     ; args on the stack at [ebp+8] / [ebp+0Ch],
;                                       ; caller cleans up (retn without a count)
;
; The loop reads one byte of s at a time, uses its low five bits as an index
; into func_4_table, calls that entry with the running register state
; (eax/ebx/ecx/edx and flags), and writes al back in place.  Several entries
; read registers that the loop does not reinitialise per byte (ecx, edx, the
; upper bytes of eax), which is why the start values are pinned to what the
; KS binary has.  One entry (sub_8049D6F) rewrites the code of sub_8049DA0 at
; run time, so the table and its targets live in a writable+executable .data
; section; that is a requirement of this reconstruction, not a general pattern.
;
; Return:    eax = 1 always.
; Preserved: ebx, ebp, esp.
; Clobbered: ecx, edx, esi, edi, flags, the whole x87 state (finit), and
;            xmm1/xmm2 (via loc_8049DC9).
; NOTE(review): esi and edi are callee-saved under the i386 System V ABI but
; are not saved here; a C caller keeping live values in them would be
; corrupted -- confirm what the harness expects before relying on this.
section .text
global func_4:function
func_4:
len EQU 8                               ; [ebp+8]   = first arg: number of bytes to process
s   EQU 0Ch                             ; [ebp+0Ch] = second arg: buffer, decoded in place
        push    ebp
        mov     ebp, esp
        sub     esp, 4                  ; [ebp-4] = bytes left to process
        finit                           ; need to reset fpu state before each attempt
                                        ; (the fild/fist entries never pop the x87 stack,
                                        ; so leftover entries would carry into the next call)
        push    ebx                     ; lets be nice and save ebx so Macs don't crash :)
;note that the loop to decode .yermom has been removed
;because yermom is already decoded below.
; test the state of the flipping function
; sub_8049DA0 begins with "mov edx, 3Eh"; its immediate byte sits at
; loc_8049DA3+1.  xor_bytes[1] = 0DDh changes that byte, so it tells whether a
; previous run left the code flipped.
        cmp     byte [loc_8049DA3+1], 0x3E
        jz      .nope
; restore the state if it was flipped
; (the flip is a XOR, so applying it once more restores the original bytes)
        call    sub_8049D6F
.nope
        xor     edx, edx                ; nop_3 / loc_8049DBA read edx before any entry sets it
        mov     ecx, [ebp+len]
        mov     [ebp - 4], ecx
        mov     ecx, 24 ; ecx always starts at 24 w/ kenshoto version
                                        ; (ecx is also read by loc_8049D4E, loc_8049D58,
                                        ; loc_8049DB6, loc_8049DF3, loc_8049DFF and
                                        ; sub_8049DA0, so the counter value feeds the output)
        mov     esi, [ebp+s]            ; read cursor (lodsb)
        mov     edi, [ebp+s]            ; write cursor (stosb): same buffer, decode in place
        mov     eax, 0x08049CF0 ; need to make sure eax starts where it does with KS version
                                        ; (lodsb only replaces al; bits 8..31 survive into
                                        ; bswap, bsr, shr, ... so the start value matters)
; Main loop, one input byte per iteration:
;   al  = current byte, transformed by the table entry, then stored by stosb
;   ebx = op index = al & 1Fh (the table has 32 entries)
; Exits after len bytes or when the loop counter reaches 0, whichever comes
; first.  A len of 0 wraps on the first dec and therefore runs all 24 rounds.
loc_8049D10:
        lodsb
        mov     ebx, eax
        and     ebx, 1Fh                ; leaves ZF clear for any non-zero index; nop_4 depends on it
        call    [func_4_table + ebx*4]
        stosb
        dec     dword [ebp - 4]
        jz      .return
        loop    loc_8049D10
.return
        mov     eax, 1
        pop     ebx
        mov     esp, ebp
        pop     ebp
        retn
;func_4 endp
; need an executable data section
; (sub_8049D6F patches the bytes of sub_8049DA0 at run time and func_4 calls
;  through func_4_table, so this section must be both writable and executable)
section .data progbits alloc exec write align=4
; ---------------------------------------------------------------------------
        dd      5A5A5A5Ah               ; unlabelled filler; nothing references it
; ---------------------------------------------------------------------------
; func_4_table entries.  Each is entered via "call [func_4_table + ebx*4]"
; with al = current byte, eax bits 8..31 = running state, ebx = op index,
; ecx = loop counter, edx = whatever the previous entry left, and the flags
; from "and ebx, 1Fh".  Whatever an entry leaves in al gets stored.
; ---------------------------------------------------------------------------
; ops 5, 29: eax = fixed constant
ret_33:
        mov     eax, 0x08049D33 ; mimic KS behavior
        retn
; ---------------------------------------------------------------------------
; op 1: byte-swap eax
htonl:
        bswap   eax
        retn
; ---------------------------------------------------------------------------
; op 28: eax -= 1
loc_8049D38:
        dec     eax
        retn
; ---------------------------------------------------------------------------
; op 0 (also the final target of ops 6/30 via nop_5):
; ebx = index of the highest set bit of eax.  bsr's destination is
; architecturally undefined when eax == 0; the mov beforehand presumably makes
; that case deterministic (ebx = 0) -- verify on the target CPU.
nop_1:
        mov     ebx, eax
        bsr     ebx, eax
        retn
; --------------------------------------
; ops 6, 30: tail-calls nop_1 (pushes its address, then "returns" into it);
; nop_1's own retn then returns to func_4
nop_5:
        push    nop_1
        retn
; --------------------------------------
; ops 16, 22: 0F 0B = UD2.  Deliberately invalid so a stream that selects
; these ops faults, presumably matching the KS binary.
illegal:
        db      0Fh
        db      0Bh
; --------------------------------------
; op 2 (also the tail of op 8): edx = index of the highest set bit of eax
; (same eax == 0 caveat as nop_1)
nop_2:
        mov     edx, eax
        bsr     edx, eax
        retn
; --------------------------------------
; op 9: ebx |= ecx ; eax = ebx
loc_8049D4E:
        or      ebx, ecx
        mov     eax, ebx
        retn
; --------------------------------------
; ops 7, 21: ebx = 0, then eax ^= ecx.  "xor ebx, ebx" always sets ZF, so the
; jz is always taken and the 0Ah byte below is never executed; it only serves
; to throw off a linear disassembler.
xor_count:
        xor     ebx, ebx
        jz      short loc_8049D58
; ---------------------------------------------------------------------------
        db      0Ah                     ; junk byte, skipped by the jz above
; ---------------------------------------------------------------------------
loc_8049D58:
        xor     eax, ecx
        retn
; ------------------------------------------
; op 12: eax = zero-extended al
loc_8049D5B:
        movzx   eax, al
        retn
; ------------------------------------------
; op 15: eax -> x87 -> eax round trip (a 32-bit integer should survive it
; unchanged).  fist does not pop, so every call leaves one entry on the x87
; register stack; func_4's finit is what clears them.
loc_8049D5F:
        push    eax
        fild    dword [esp]
        fist    dword [esp]
        pop     eax
        retn
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; op 3: only the flags change (test eax, edx); no register is modified
nop_3:
        push    ebp
        mov     ebp, esp
        test    eax, edx
        pop     ebp
        retn
;nop_3 endp
; =============== S U B R O U T I N E =======================================
; op 20, and called from func_4's prologue: XOR the 0Eh bytes of code at
; loc_8049DA3 with xor_bytes.  Self-inverse, so each call toggles sub_8049DA0
; between its two forms.  Preserves ecx/esi/edi (func_4's counter and
; cursors); clobbers eax (al = last patched byte), ebx, edx (= 0Eh on exit)
; and flags.
sub_8049D6F:
        push    ecx
        push    esi
        push    edi
        xor     edx, edx                ; edx = index into xor_bytes
        mov     ebx, xor_bytes
        mov     ecx, 0Eh                ; 14 bytes; should cover "mov edx,3Eh" .. "sbb ax,cx"
        mov     esi, loc_8049DA3
        mov     edi, loc_8049DA3        ; patch in place
loc_8049D88:
        lodsb
        xor     al, [ebx+edx]
        stosb
        inc     edx
        dec     ecx
        jnz     loc_8049D88
        pop     edi
        pop     esi
        pop     ecx
        retn
;sub_8049D6F endp
; ----------------------------------------
; op 19: eax = (int)cos(eax), rounded per the control word finit installed
; (x87 stack grows by one, see loc_8049D5F)
loc_8049D95:
        push    eax
        fild    dword [esp]
        fcos
        fist    dword [esp]
        pop     eax
        retn
; =============== S U B R O U T I N E ====
; Attributes: bp-based frame
; op 31: the self-modifying entry.  As assembled: edx = 3Eh; eax >>= 1; if the
; result is non-zero, eax ^= edx and ax -= cx (xor clears CF, so the sbb has
; no borrow-in).  sub_8049D6F XORs the 14 bytes starting at loc_8049DA3 with
; xor_bytes: the 0DDh at xor_bytes[1] turns the 3Eh immediate into 0E3h (the
; value func_4's entry check looks for), and the other non-zero mask bytes
; land inside the shift and the two ALU instructions.  Decode the flipped form
; with a disassembler rather than trusting this comment.
sub_8049DA0: ;proc near
        push    ebp
        mov     ebp, esp
loc_8049DA3:
        mov     edx, 3Eh                ; byte at loc_8049DA3+1 is the flip sentinel
        shr     eax, 1
        jz      short loc_8049DB1
        xor     eax, edx
        sbb     ax, cx
loc_8049DB1:
        pop     ebp
        retn
;sub_8049DA0 endp
; ------------------------------------------
; op 10: ah = -ah
loc_8049DB3:
        neg     ah
        retn
; ------------------------------------------
; op 17: eax += 2*ecx (lea: flags untouched)
loc_8049DB6:
        lea     eax, [eax+ecx*2]
        retn
; ------------------------------------------
; ops 14, 27: dx:ax = ax * dx (signed, one-operand form)
loc_8049DBA:
        imul    dx
        retn
; ------------------------------------------
; ops 18, 25: eax = (int)sin(eax) (x87 stack grows by one, see loc_8049D5F)
loc_8049DBE:
        push    eax
        fild    dword [esp]
        fsin
        fist    dword [esp]
        pop     eax
        retn
; ------------------------------------------
; op 23: shuffles eax/ebx/ecx/edx through xmm1/xmm2.  Tracing the stack: after
; the four pushes the movupd rewrites [esp..esp+15] with {ebx, eax, ebx, eax},
; so [esp+4] holds the original eax and the integer state is unchanged on
; return.  Net side effects: xmm1 and xmm2 overwritten; esp restored by the add.
loc_8049DC9:
        push    eax
        push    ebx
        movhpd  xmm1, [esp]
        movlpd  xmm1, [esp]
        push    ecx
        push    edx
        movhpd  xmm2, [esp]
        movlpd  xmm2, [esp]
        movupd  [esp], xmm1
        mov     eax, [esp+4]
        add     esp, 10h
        retn
; ------------------------------------------
; op 26: eax += 1
loc_8049DF1:
        inc     eax
        retn
; ------------------------------------------
; op 13: al ^= every byte of (eax + ecx).  The body runs at least once; the
; loop stops as soon as the shifted value is zero.  edx = 0 on exit.
loc_8049DF3:
        mov     edx, eax
        add     edx, ecx
loc_8049DF7:
        xor     al, dl
        shr     edx, 8
        jnz     short loc_8049DF7
        retn
; ---------------------------------------------------------------------------
; op 24: eax = (int)(eax * log2(ecx)) -- fyl2x computes st1 * log2(st0).
; fist rounds per the control word; an out-of-range or NaN result stores the
; x87 integer indefinite (invalid exception is masked after finit).  One x87
; entry is left on the stack.
loc_8049DFF:
        push    eax
        fild    dword [esp]             ; st0 = eax
        push    ecx
        fild    dword [esp]             ; st0 = ecx, st1 = eax
        fyl2x                           ; st0 = eax * log2(ecx), one entry popped
        fist    dword [esp]             ; result overwrites the ecx slot
        pop     eax
        add     esp, 4                  ; discard the eax slot
        retn
; -----------------------------------------
; op 4: "push ebp" and "mov esp, esp" do not touch flags, so ZF is still what
; func_4's "and ebx, 1Fh" produced; index 4 is non-zero, so ZF is clear and
; the jnz skips the 0FFh 0FEh bytes (FF /7, which should raise #UD if ever
; executed).  Net effect when reached through the table: nothing.
nop_4:
        push    ebp
        mov     esp, esp
        jnz     short loc_8049E1B
; ---------------------------------------------------------------------------
        db      0FFh                    ; not reached via func_4_table
        db      0FEh ; ¦
; ---------------------------------------------------------------------------
loc_8049E1B:
        pop     ebp
        retn
; -----------------------------------------
; op 8: eax ^= ebx, then continue as nop_2 (edx = bsr(eax))
loc_8049E1D:
        xor     eax, ebx
        jmp     nop_2
; -----------------------------------------
        db      0C3h ; +                ; stray ret byte, unreachable
; -----------------------------------------
; op 11: no-op
nop_6:
        nop
        retn
; 32 entries, indexed by (byte & 1Fh).  The table sits in writable memory
; next to the code it points at, so any stray write here redirects func_4's
; indirect call.
func_4_table:
        dd      nop_1                   ; op 0
        dd      htonl                   ; op 1
        dd      nop_2                   ; op 2
        dd      nop_3                   ; op 3
        dd      nop_4                   ; op 4
        dd      ret_33                  ; op 5
        dd      nop_5                   ; op 6
        dd      xor_count               ; op 7
        dd      loc_8049E1D             ; op 8
        dd      loc_8049D4E             ; op 9
        dd      loc_8049DB3             ; op 10
        dd      nop_6                   ; op 11
        dd      loc_8049D5B             ; op 12
        dd      loc_8049DF3             ; op 13
        dd      loc_8049DBA             ; op 14
        dd      loc_8049D5F             ; op 15
        dd      illegal ; op 16 = 10000 = 0x10
        dd      loc_8049DB6             ; op 17
        dd      loc_8049DBE             ; op 18
        dd      loc_8049D95             ; op 19
        dd      sub_8049D6F             ; op 20 (flips sub_8049DA0)
        dd      xor_count               ; op 21
        dd      illegal ; op 22 = 10110 = 0x16
        dd      loc_8049DC9             ; op 23
        dd      loc_8049DFF             ; op 24
        dd      loc_8049DBE             ; op 25
        dd      loc_8049DF1             ; op 26
        dd      loc_8049DBA             ; op 27
        dd      loc_8049D38             ; op 28
        dd      ret_33                  ; op 29
        dd      nop_5                   ; op 30
        dd      sub_8049DA0             ; op 31 (the self-modified routine)
; 14-byte XOR mask that sub_8049D6F applies to the code at loc_8049DA3;
; index 1 (0DDh) is the byte func_4's entry check observes.
xor_bytes: db 0x00, 0xDD, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x18, 0x00, 0x28, 0x18