braincipher_yara.asm

// 8B75 0C mov esi,dword ptr ss:[ebp+C]
// AD lodsd
// 35 FF5F0310 xor eax,10035FFF
// 50 push eax
// E8 6FFEFFFF call 00B85C24
// 85C0 test eax,eax
// 0F84 23010000 je 00B85EE0
// 8B7D 08 mov edi,dword ptr ss:[ebp+8]
// 83C7 04 add edi,4

$1 = { 8b 75 0c ad 35 ff 5f 03 10 50 e8 6f fe ff ff 85 c0 0f 84 23 01 00
00 8b 7d 08 83 c7 04 }
// 83C4 F4 add esp,FFFFFFF4
// 56 push esi
// C745 FC 00000000 mov dword ptr ss:[ebp-4],0
// C745 F8 00000000 mov dword ptr ss:[ebp-8],0
// E8 46EDFEFF call 00B81640
// 8BC8 mov ecx,eax
// 8D45 F4 lea eax,dword ptr ss:[ebp-C]
// 50 push eax
// 51 push ecx
// FF15 2C57BA00 call dword ptr ds:[BA572C]
// 8945 F8 mov dword ptr ss:[ebp-8],eax
// 837D F8 00 cmp dword ptr ss:[ebp-8],0
// 74 2B je 00B9293B
// 837D F4 02 cmp dword ptr ss:[ebp-C],2
// 72 25 jb 00B9293B
// 8B75 F8 mov esi,dword ptr ss:[ebp-8]

$2 = { 83 c4 f4 56 c7 45 fc 00 00 00 00 c7 45 f8 00 00 00 00 e8 46 ed fe
ff 8b c8 8d 45 f4 50 51 ff 15 2c 57 42 00 89 45 f8 83 7d f8 00 74 2b 83 7d f4 02
72 25 8b 75 f8 }
// 8BC1 mov eax,ecx
// 33D2 xor edx,edx
// F7F6 div esi
// 8AC1 mov al,cl
// 8A1417 mov dl,byte ptr ds:[edi+edx]
// 025405 00 add dl,byte ptr ss:[ebp+eax]
// 02D3 add dl,bl
// 8A5C15 00 mov bl,byte ptr ss:[ebp+edx]
// 8A541D 00 mov dl,byte ptr ss:[ebp+ebx]
// 865405 00 xchg byte ptr ss:[ebp+eax],dl
// 88541D 00 mov byte ptr ss:[ebp+ebx],dl
// 41 inc ecx
// 81F9 00030000 cmp ecx,300
// 75 D6 jne 00B993AE

// 5D pop ebp
// 33C9 xor ecx,ecx
// 8B7D 0C mov edi,dword ptr ss:[ebp+C]
// BE 40000000 mov esi,40
// 55 push ebp
// 8B6D 10 mov ebp,dword ptr ss:[ebp+10]
// 33C9 xor ecx,ecx
// 8B7D 0C mov edi,dword ptr ss:[ebp+C]
// BE 40000000 mov esi,40
// 55 push ebp
// 8B6D 10 mov ebp,dword ptr ss:[ebp+10]
$3 = { 8b c1 33 d2 f7 f6 8a c1 8a 14 17 02 54 05 00 02 d3 8a 5c 15 00 8a
54 1d 00 86 54 05 00 88 54 1d 00 41 81 f9 00 03 00 00 75 d6 5d 33 c9 8b 7d 0c be
40 00 00 00 55 8b 6d 10 }


;* mov esi, dword ptr ss:[ebp+C]: Move the value at address ebp+0xC to esi.;
;* lodsd: Load the double word at esi into eax and increment esi.;
;* xor eax, 0x10035FFF: XOR eax with 0x10035FFF.;
;* push eax: Push eax onto the stack.;
;* call 00B85C24: Call the function at address 0x00B85C24.;
;* test eax, eax: Test if eax is zero.;
;* je 00B85EE0: Jump to 0x00B85EE0 if eax is zero.;
;* mov edi, dword ptr ss:[ebp+8]: Move the value at address ebp+8 to edi.;
;* add edi, 4: Add 4 to edi.;
;;
;* $1 = { 8b 75 0c ad 35 ff 5f 03 10 50 e8 6f fe ff ff 85 c0 0f 84 23 01 00;
;00 8b 7d 08 83 c7 04 };
;* add esp, FFFFFFF4: Adjust the stack pointer.;
;* push esi: Push esi onto the stack.;
;* mov dword ptr ss:[ebp-4], 0: Set the value at ebp-4 to 0.;
;* mov dword ptr ss:[ebp-8], 0: Set the value at ebp-8 to 0.;
;* call 00B81640: Call the function at address 0x00B81640.;
;* mov ecx, eax: Move the value in eax to ecx.;
;* lea eax, dword ptr ss:[ebp-C]: Load the effective address of ebp-C into eax.;
;* push eax: Push eax onto the stack.;
;* push ecx: Push ecx onto the stack.;
;* call dword ptr ds:[BA572C]: Call the function at the address stored at ds:[BA572C].;
;* mov dword ptr ss:[ebp-8], eax: Move the value in eax to ebp-8.;
;* cmp dword ptr ss:[ebp-8], 0: Compare the value at ebp-8 with 0.;
;* je 00B9293B: Jump if equal to 0x00B9293B.;
;* cmp dword ptr ss:[ebp-C], 2: Compare the value at ebp-C with 2.;
;* jb 00B9293B: Jump if below to 0x00B9293B.;
;* mov esi, dword ptr ss:[ebp-8]: Move the value at ebp-8 to esi.;
;;
;* $2 = { 83 c4 f4 56 c7 45 fc 00 00 00 00 c7 45 f8 00 00 00 00 e8 46 ed fe;
;ff 8b c8 8d 45 f4 50 51 ff 15 2c 57 42 00 89 45 f8 83 7d f8 00 74 2b 83 7d f4 02;
;72 25 8b 75 f8 };
;* mov eax, ecx: Move the value in ecx to eax.;
;* xor edx, edx: Set edx to 0.;
;* div esi: Divide eax by esi, storing quotient in eax and remainder in edx.;
;* mov al, cl: Move the value in cl to al.;
;* mov dl, byte ptr ds:[edi+edx]: Move the byte at address edi+edx to dl.;
;* add dl, byte ptr ss:[ebp+eax]: Add the byte at ebp+eax to dl.;
;* add dl, bl: Add bl to dl.;
;* mov bl, byte ptr ss:[ebp+edx]: Move the byte at ebp+edx to bl.;
;* mov dl, byte ptr ss:[ebp+ebx]: Move the byte at ebp+ebx to dl.;
;* xchg byte ptr ss:[ebp+eax], dl: Exchange the byte at ebp+eax with dl.;
;* mov byte ptr ss:[ebp+ebx], dl: Move dl to ebp+ebx.;
;* inc ecx: Increment ecx.;
;* cmp ecx, 300: Compare ecx with 300.;
;* jne 00B993AE: Jump if not equal to 0x00B993AE.;
;;
;* pop ebp: Pop the top of the stack into ebp.;
;* xor ecx, ecx: Set ecx to 0.;
;* mov edi, dword ptr ss:[ebp+C]: Move the value at ebp+C to edi.;
;* mov esi, 40: Move 40 to esi.;
;* push ebp: Push ebp onto the stack.;
;* mov ebp, dword ptr ss:[ebp+10]: Move the value at ebp+10 to ebp.;
;* xor ecx,ecx : This instruction performs a bitwise XOR operation between the ECX register and itself, effectively setting ECX to zero. This is often used to clear a register.;
;* mov edi,dword ptr ss:[ebp+C]: This instruction moves a double word (32 bits) from the address in the stack segment (ss) pointed to by EBP + 0xC (12 in decimal) into the EDI register. In other words, it sets EDI equal to the value at the memory location pointed to by EBP + 12.;
;* mov esi,40: This instruction moves the immediate value 0x40 (64 in decimal) into the ESI register.;
;* push ebp: This instruction pushes the value in the EBP register onto the stack. This is typically done when calling a function to preserve the value of EBP.;
;* mov ebp,dword ptr ss:[ebp+10]: This instruction moves a double word from the address in the stack segment pointed to by EBP + 0x10 (16 in decimal) into the EBP register. In other words, it sets EBP equal to the value at the memory location pointed to by EBP + 16.;
;*$3 = { 8b c1 33 d2 f7 f6 8a c1 8a 14 17 02 54 05 00 02 d3 8a 5c 15 00 8a;
;54 1d 00 86 54 05 00 88 54 1d 00 41 81 f9 00 03 00 00 75 d6 5d 33 c9 8b 7d 0c be;
;40 00 00 00 55 8b 6d 10 };