| | |
| Command | Comments |
| .JGE SHORT 0A729D36 | ; stage1 |
| ./MOV EDX,DWORD PTR SS:[LOCAL.2] | ; set EDX to our 1st stage half decoded buffer |
| .|MOV ECX,DWORD PTR SS:[LOCAL.4] | ; set ECX to our current count/offset |
| .|MOV EAX,DWORD PTR SS:[LOCAL.3] | ; set EAX to our base64 encoded payload |
| .|MOVSX EAX,BYTE PTR DS:[EAX] | ; set EAX to the current value in our base64 payload |
| .|MOV AL,BYTE PTR DS:[EAX+0A841934] | ; set EAX/AL to a hardcoded offset of its value table is at 0a841934 |
| .|MOV BYTE PTR DS:[ECX+EDX],AL | ; ECX = Offset, EDX = start of our half-decoded buffer, write our current byte there |
| .|INC DWORD PTR SS:[LOCAL.4] | ; increment our offset/count |
| .|INC DWORD PTR SS:[LOCAL.3] | ; increment our base64 buffer to next value |
| .|MOV EDX,DWORD PTR SS:[LOCAL.4] | ; set EDX to our counter |
| .|CMP EDX,DWORD PTR SS:[ARG.2] | ; compare EDX (counter) to our total size |
| .\JL SHORT 0A729D13 | ; jump back if we have not finished half decoding our input value |
| .MOV ECX,DWORD PTR SS:[ARG.3] | ; Looks like this will point at our decoded buffer |
| .MOV DWORD PTR SS:[LOCAL.5],ECX | ; set Arg5 to our decoded destination |
| .MOV EAX,DWORD PTR SS:[LOCAL.2] | ; set EAX to our half-decoded buffer |
| .MOV DWORD PTR SS:[LOCAL.3],EAX | ; set arg3 to point at our half-decoded buffer |
| .MOV EDX,DWORD PTR SS:[ARG.4] | ; ???? 1500 decimal |
| .XOR ECX,ECX | ; clear ECX |
| .MOV DWORD PTR DS:[EDX],ECX | ; clear out arg4 value |
| .XOR EAX,EAX | ; clear out EAX |
| .MOV DWORD PTR SS:[LOCAL.6],EAX | ; clear out local.6 |
| .JMP SHORT 0A729DAE | ; JUMP |
| | |
| ./MOV EDX,DWORD PTR SS:[LOCAL.3] | ; move our current half-decoded dword position into EDX |
| .|MOV CL,BYTE PTR DS:[EDX] | ; move our current byte into ECX (CL) (dword[0]) |
| .|SHL ECX,2 | ; shift left 2 dword[0] |
| .|MOV EAX,DWORD PTR SS:[LOCAL.3] | ; move our current dword position into EAX |
| .|MOVSX EDX,BYTE PTR DS:[EAX+1] | ; move our current dword position + 1 (dword[1]) into EDX |
| .|SAR EDX,4 | ; shift right 4 dword[1] |
| .|ADD CL,DL | ; add (shift left 2 dword[0]) + (shift right 4 dword[1]) |
| .|MOV EAX,DWORD PTR SS:[LOCAL.5] | ; set EAX to our current decoded buffer position |
| .|MOV BYTE PTR DS:[EAX],CL | ; write our decoded (dword[0]) value to or decoded buffer |
| .|INC DWORD PTR SS:[LOCAL.5] | ; increment our position in the decoded buffer |
| .|MOV EDX,DWORD PTR SS:[LOCAL.3] | ; set EDX to our current dword position |
| .|MOV CL,BYTE PTR DS:[EDX+1] | ; set ECX to dword[1] |
| .|SHL ECX,4 | ; left shift 4 dword[1] |
| .|MOV EAX,DWORD PTR SS:[LOCAL.3] | ; set EAX to our current dword position |
| .|MOVSX EDX,BYTE PTR DS:[EAX+2] | ; set EDX to dword[2] |
| .|SAR EDX,2 | ; shift right 2 dword[2] |
| .|ADD CL,DL | ; add (left shift 4 dword[1]) + (right shift 2 dword[2]) |
| .|MOV EAX,DWORD PTR SS:[LOCAL.5] | ; set EAX to our next spot in the decoded buffer |
| .|MOV BYTE PTR DS:[EAX],CL | ; write our decoded value into our decoded buffer |
| .|INC DWORD PTR SS:[LOCAL.5] | ; move to the next spot in our decoded buffer |
| .|MOV EDX,DWORD PTR SS:[LOCAL.3] | ; set EDX to our current half-decoded dword |
| .|MOV CL,BYTE PTR DS:[EDX+2] | ; set ECX dword[2] |
| .|SHL ECX,6 | ; shift left 6 dword[2] |
| .|MOV EAX,DWORD PTR SS:[LOCAL.3] | ; set EAX to our current half-decoded dword |
| .|ADD CL,BYTE PTR DS:[EAX+3] | ; add dword[2] + dword[3] |
| .|MOV EDX,DWORD PTR SS:[LOCAL.5] | ; set EDX to point at our next spot in our decoded buffer |
| .|MOV BYTE PTR DS:[EDX],CL | ; write our decoded byte to our decoded buffer |
| .|INC DWORD PTR SS:[LOCAL.5] | ; move to the next spot in our decoded buffer |
| .|ADD DWORD PTR SS:[LOCAL.3],4 | ; increment our encoded buffer to point at our next dword |
| .|MOV ECX,DWORD PTR SS:[ARG.4] | ; set ECX to our current offset? |
| .|ADD DWORD PTR DS:[ECX],3 | ; add 3 to our current offset? |
| .|ADD DWORD PTR SS:[LOCAL.6],4 | ; add 4 to our byte counter?? |
| .|MOV EAX,DWORD PTR SS:[ARG.2] | ; move total size into EAX |
| .|ADD EAX,-4 | ; subtract 4 from total size |
| .|CMP EAX,DWORD PTR SS:[LOCAL.6] | ; compare our total bytes to read bytes |
| .\JG SHORT 0A729D50 | ; jump back if we are not done |
| | |
| .MOV EDX,DWORD PTR SS:[LOCAL.3] | ; set EDX to our last DWORD of encoded buffer |
| .MOVSX ECX,BYTE PTR DS:[EDX+3] | ; set ECX to dword[3] last byte of our half-decoded dword (dword + 3) |
| .INC ECX | ; increment the value of dword[3] |
| .JE SHORT 0A729E1E | |
| .MOV EAX,DWORD PTR SS:[LOCAL.3] | ; set EAX to our current half-decoded dword |
| .MOV DL,BYTE PTR DS:[EAX] | ; set EDX (DL) to dword[0] |
| .SHL EDX,2 | ; shift left 2 dword[0] |
| .MOV ECX,DWORD PTR SS:[LOCAL.3] | ; set ECX to our current encoded dword position |
| .MOVSX EAX,BYTE PTR DS:[ECX+1] | ; set EAX to dword[1] |
| .SAR EAX,4 | ; shift right 4 dword[1] |
| .ADD DL,AL | ; add (shifted left 2 dword[0]) + (shifted right 4 dword[1]) |
| .MOV ECX,DWORD PTR SS:[LOCAL.5] | ; set ECX to point at our next spot in our decoded buffer |
| .MOV BYTE PTR DS:[ECX],DL | ; write our decoded value (EDX/DL) to our decoded buffer |
| .INC DWORD PTR SS:[LOCAL.5] | ; move to the next spot in our decoded buffer |
| .MOV EDX,DWORD PTR SS:[LOCAL.3] | ; set EDX to point at our dword |
| .MOV AL,BYTE PTR DS:[EDX+1] | ; set EAX/AL to dword[1] |
| .SHL EAX,4 | ; shift left 4 dword[1] |
| .MOV EDX,DWORD PTR SS:[LOCAL.3] | ; set EDX to our current dword |
| .MOVSX ECX,BYTE PTR DS:[EDX+2] | ; set ECX to dword[2] |
| .SAR ECX,2 | ; shift right 2 dword[2] |
| .ADD AL,CL | ; add (shifted left 4 dword[1]) + (shifted right 2 dword[2]) |
| .MOV EDX,DWORD PTR SS:[LOCAL.5] | ; set EDX to point at our current spot in our decoded buffer |
| .MOV BYTE PTR DS:[EDX],AL | ; write our decoded value to the decoded buffer |
| .INC DWORD PTR SS:[LOCAL.5] | ; move to the next spot in our decoded buffer |
| .MOV EAX,DWORD PTR SS:[LOCAL.3] | ; set EAX to point at our current dword |
| .MOV CL,BYTE PTR DS:[EAX+2] | ; set ECX/CL to dword[2] |
| .SHL ECX,6 | ; shift left 6 dword[2] |
| .MOV EAX,DWORD PTR SS:[LOCAL.3] | ; point EAX at our current dword |
| .ADD CL,BYTE PTR DS:[EAX+3] | ; add dword[3] + (shifted left 6 dword[2]) |
| .MOV EDX,DWORD PTR SS:[LOCAL.5] | ; point EDX at our current decoded buffer |
| .MOV BYTE PTR DS:[EDX],CL | ; write our decoded value to the decoded buffer |
| .INC DWORD PTR SS:[LOCAL.5] | ; increment our deocded buffer |
| .MOV ECX,DWORD PTR SS:[ARG.4] | ; set ECX to our current offset? |
| .ADD DWORD PTR DS:[ECX],3 | ; add 4 for our current byte counter? |
| .JMP 0A729EA6 | ; jump |
No hay comentarios:
Publicar un comentario
Nota: solo los miembros de este blog pueden publicar comentarios.