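; ---------------------------------------------------------------------------
; Read the compressed blob "hidden_code.mem", run the recovered bit-stream LZ
; depacker over it and write the result to "unpacked.bin".
;
; Assembler: FASM, Intel syntax.  Target: Win32 PE, GUI subsystem (no console,
; so failures are reported only through the process exit code, see EXIT_*).
; All API calls are stdcall via the win32ax 'invoke' macro; ebx/esi/edi/ebp
; survive them, eax/ecx/edx do not.
;
; The depack loop keeps the labels of the routine as it was recovered from the
; sample (label_0083xxxx = original address).  Its layout is that of the aPLib
; depacker.  The stream it consumes is untrusted, so every read through esi and
; every write through edi is checked against the two heap buffers first; a
; stream that would step outside them ends the run with EXIT_ERR_CORRUPT
; instead of corrupting the heap.
; ---------------------------------------------------------------------------
format PE GUI 4.0
entry start

include 'win32ax.inc'

UNPACKED_SIZE     = 0xA400                      ; unpacked binary size (see appendix A)
FILE_SIZE_ERROR   = 0xFFFFFFFF                  ; GetFileSize return value on failure
EXIT_OK           = 0
EXIT_ERR_INPUT    = 1                           ; input file missing, empty or unreadable
EXIT_ERR_ALLOC    = 2                           ; GlobalAlloc failed
EXIT_ERR_CORRUPT  = 3                           ; stream would read or write outside its buffers
EXIT_ERR_OUTPUT   = 4                           ; output file could not be created or written

section '.data' data readable writeable

file_input          db "hidden_code.mem",0      ; compressed data is here
file_output         db "unpacked.bin",0         ; the unpacked binary will be here

hwnd_file_input     dd ?
hwnd_file_output    dd ?
size_file_input     dd ?
size_file_output    dd UNPACKED_SIZE            ; capacity of the output buffer
size_unpacked       dd ?                        ; bytes the depacker actually produced
hmem_file_input     dd ?
hmem_file_output    dd ?
input_end           dd ?                        ; hmem_file_input  + size_file_input  (one past last readable byte)
output_end          dd ?                        ; hmem_file_output + size_file_output (one past last writable byte)
depack_esp          dd ?                        ; esp before pushad; restored on the corrupt-stream exit
nNumberOfBytesToRW  dd ?

section '.code' code readable executable

start:
        ; ---- stage 1: load the whole compressed input into a heap buffer ----
        invoke  CreateFile,file_input,GENERIC_READ,0,NULL,\
                OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
        mov     ebx,EXIT_ERR_INPUT
        cmp     eax,INVALID_HANDLE_VALUE
        je      fail_exit
        mov     [hwnd_file_input],eax

        invoke  GetFileSize,[hwnd_file_input],NULL
        cmp     eax,FILE_SIZE_ERROR             ; API failure (or a >4 GiB file we do not handle)
        je      fail_close_input
        test    eax,eax                         ; an empty file holds no stream
        jz      fail_close_input
        mov     [size_file_input],eax

        invoke  GlobalAlloc,GPTR,[size_file_input]
        mov     ebx,EXIT_ERR_ALLOC
        test    eax,eax
        jz      fail_close_input
        mov     [hmem_file_input],eax
        add     eax,[size_file_input]
        mov     [input_end],eax

        invoke  ReadFile,[hwnd_file_input],[hmem_file_input],\
                [size_file_input],nNumberOfBytesToRW,NULL
        mov     ebx,EXIT_ERR_INPUT
        test    eax,eax
        jz      fail_close_input_free
        mov     eax,[nNumberOfBytesToRW]
        cmp     eax,[size_file_input]           ; a short read would leave a zero-filled tail
        jne     fail_close_input_free
        invoke  CloseHandle,[hwnd_file_input]

        ; ---- stage 2: output buffer -----------------------------------------
        invoke  GlobalAlloc,GPTR,[size_file_output]
        mov     ebx,EXIT_ERR_ALLOC
        test    eax,eax
        jz      fail_free_input
        mov     [hmem_file_output],eax
        add     eax,[size_file_output]
        mov     [output_end],eax

        ; ---- stage 3: depack ------------------------------------------------
        ; Register roles inside the pushad/popad frame:
        ;   esi = read cursor (compressed input)    edi = write cursor (output)
        ;   dl  = tag-bit buffer; 0x80 = "empty"; on refill a 1 bit is shifted in
        ;         under the new byte as the sentinel that triggers the next refill
        ;   ebx = gamma bias: 2 after a literal, 1 after a match; an offset gamma
        ;         equal to the bias means "reuse the last offset"
        ;   ebp = last match offset     ecx = match length     eax = match offset
        ; depack_esp lets depack_corrupt unwind from inside func_008301B0 (extra
        ; return address and pushfd on the stack) without relying on popad.
        mov     [depack_esp],esp
        pushad
        mov     esi,[hmem_file_input]
        mov     edi,[hmem_file_output]
        cld
        mov     dl,0x80
        xor     ebx,ebx
label_0083013B:                                 ; literal: copy one byte through
        cmp     esi,[input_end]
        jae     depack_corrupt
        cmp     edi,[output_end]
        jae     depack_corrupt
        movs    byte[edi],byte[esi]
        mov     bl,0x02
label_0083013E:                                 ; next tag bit: 0 = literal, 1 = match code
        call    func_008301B0
        jnb     label_0083013B
        xor     ecx,ecx
        call    func_008301B0
        jnb     label_0083016A                  ; tag 10: gamma-coded offset/length pair
        xor     eax,eax
        call    func_008301B0
        jnb     label_0083017A                  ; tag 110: one byte = 7-bit offset + 1-bit length
        mov     bl,0x02                         ; tag 111: 4-bit offset, length 1
        inc     ecx
        mov     al,0x10                         ; marker bit; four adc's shift it out as CF
label_0083015C:
        call    func_008301B0
        adc     al,al
        jnb     label_0083015C
        jnz     label_008301A6                  ; offset 1..15: copy one byte from there
        cmp     edi,[output_end]
        jae     depack_corrupt
        stos    byte[edi]                       ; offset 0 encodes a literal zero byte
        jmp     label_0083013E
label_0083016A:
        call    func_008301BC                   ; ecx = gamma value (>= 2)
        sub     ecx,ebx
        jnz     lable_00830183
        call    func_008301BA                   ; gamma == bias: new length, last offset
        jmp     label_008301A2
label_0083017A:
        cmp     esi,[input_end]
        jae     depack_corrupt
        lods    byte[esi]
        shr     eax,0x01                        ; eax = offset, CF = low length bit
        je      label_008301CC                  ; a 0x00 byte here is the end-of-stream marker
        adc     ecx,ecx                         ; ecx = length bit; the two inc's below make it 2 or 3
        jmp     label_0083019F
lable_00830183:
        xchg    eax,ecx                         ; eax = gamma - bias
        dec     eax
        shl     eax,0x08
        cmp     esi,[input_end]
        jae     depack_corrupt
        lods    byte[esi]                       ; eax = offset (gamma part << 8 | raw low byte)
        call    func_008301BA                   ; ecx = length gamma
        cmp     eax,0x7D00                      ; larger offsets imply longer matches: bias length
        jnb     label_0083019F
        cmp     ah,0x05
        jnb     label_008301A0
        cmp     eax,0x7F
        ja      label_008301A1
label_0083019F:
        inc     ecx
label_008301A0:
        inc     ecx
label_008301A1:
        xchg    eax,ebp                         ; this offset becomes the last one
label_008301A2:
        mov     eax,ebp
        mov     bl,0x01
label_008301A6:                                 ; copy ecx bytes from edi-eax (overlap is intended)
        push    esi
        mov     esi,edi
        sub     esi,[hmem_file_output]          ; esi = bytes produced so far
        cmp     eax,esi                         ; offset may not reach before the output start
        ja      depack_corrupt
        mov     esi,[output_end]
        sub     esi,edi                         ; esi = output capacity left
        cmp     ecx,esi                         ; length must fit in what is left
        ja      depack_corrupt
        mov     esi,edi
        sub     esi,eax
        rep     movs byte[edi],byte[esi]
        pop     esi
        jmp     label_0083013E

label_008301CC:                                 ; end-of-stream marker reached
        mov     eax,edi
        sub     eax,[hmem_file_output]
        mov     [size_unpacked],eax             ; <= size_file_output, guaranteed by the checks above
        popad

        ; ---- stage 4: write exactly what was produced -----------------------
        invoke  CreateFile,file_output,GENERIC_WRITE,FILE_SHARE_WRITE,NULL,\
                CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL
        mov     ebx,EXIT_ERR_OUTPUT
        cmp     eax,INVALID_HANDLE_VALUE
        je      fail_free_output
        mov     [hwnd_file_output],eax
        invoke  WriteFile,[hwnd_file_output],[hmem_file_output],\
                [size_unpacked],nNumberOfBytesToRW,NULL
        test    eax,eax
        jz      fail_close_output
        invoke  CloseHandle,[hwnd_file_output]
        invoke  GlobalFree,[hmem_file_output]
        invoke  GlobalFree,[hmem_file_input]
        invoke  ExitProcess,EXIT_OK

        ; ---- error exits: ebx = exit code; each label releases one more resource
depack_corrupt:
        mov     esp,[depack_esp]                ; drop the pushad frame and any nested call/pushfd state
        mov     ebx,EXIT_ERR_CORRUPT
        jmp     fail_free_output
fail_close_input_free:
        invoke  CloseHandle,[hwnd_file_input]
        jmp     fail_free_input
fail_close_input:
        invoke  CloseHandle,[hwnd_file_input]
        jmp     fail_exit
fail_close_output:
        invoke  CloseHandle,[hwnd_file_output]
fail_free_output:
        invoke  GlobalFree,[hmem_file_output]
fail_free_input:
        invoke  GlobalFree,[hmem_file_input]
fail_exit:
        invoke  ExitProcess,ebx

;-----------------------------------------------------------------------
; func_008301B0 -- fetch the next tag bit
; In:    dl = bit buffer, esi = input cursor
; Out:   CF = the bit; dl refilled and esi advanced when the buffer ran out
; Clobb: flags (callers consume CF only)
; Exits to depack_corrupt when a refill would read past input_end.
;-----------------------------------------------------------------------
func_008301B0:
        add     dl,dl
        jnz     label_008301B9                  ; bits left in the buffer
        pushfd                                  ; keep CF (the sentinel) for the adc below
        cmp     esi,[input_end]
        jae     depack_corrupt                  ; pushed flags + return address are unwound via depack_esp
        popfd
        mov     dl,byte[esi]
        inc     esi
        adc     dl,dl                           ; dl = byte<<1 | 1 (new sentinel), CF = byte's MSB
label_008301B9:
        retn

;-----------------------------------------------------------------------
; func_008301BA / func_008301BC -- read a variable-length number (aPLib "gamma")
; In:    func_008301BA zeroes ecx itself; func_008301BC expects the caller's
;        ecx already zeroed (true at its only call site, label_0083016A)
; Out:   ecx = value >= 2
; Clobb: dl, esi (via func_008301B0), flags
;-----------------------------------------------------------------------
func_008301BA:
        xor     ecx,ecx
func_008301BC:
        inc     ecx
label_008301BD:                                 ; one value bit, then one continuation bit
        call    func_008301B0
        adc     ecx,ecx
        call    func_008301B0
        jb      label_008301BD
        retn

data import
  library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL'
  include 'api\kernel32.inc'
  include 'api\user32.inc'
end data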