@oopsmishap
Last active January 21, 2024 10:23
Disassemble ZeusVM VM Code to a readable format
from enum import Enum
class HandlerType(Enum):
    """Operand layout of a VM handler.

    The disassembler uses this tag to decide how the bytes that follow an
    opcode are split into registers, immediates or inline key material.
    """

    # No operands are decoded; the mnemonic is printed as-is.
    Zero = 0
    # One byte holding four 2-bit indices.
    Shuffle = 1
    # key length, data length, then the key bytes stored inline.
    Rc4 = 2
    # A single little-endian immediate.
    Imm = 3
    # One byte: low nibble and high nibble each select a register.
    RegReg = 4
    # Register byte (low nibble) followed by a little-endian immediate.
    RegImm = 5
    # One byte whose low nibble selects a register.
    Reg = 6
    # Little-endian displacement, printed negated (backwards jump).
    Jmp = 7
# VM handler table, keyed by opcode (written in hex to match the opcode
# column of the generated listing). Each value is a tuple:
#     (mnemonic format string, handler type, size, xor key)
# "size" counts the opcode byte plus the fixed operand bytes. "xor key" is
# combined with a byte of the instruction to decode the next opcode byte;
# it is None for exit, after which nothing more is decoded.
handler_info = {
    # --- padding ---
    0x00: ('nop1', HandlerType.Zero, 1, 199),
    0x01: ('nop2', HandlerType.Zero, 2, 69),
    0x02: ('nop4', HandlerType.Zero, 4, 37),
    # --- [data] op immediate ---
    0x03: ('xor [data](8)++ {0:X}h(8)', HandlerType.Imm, 2, 81),
    0x04: ('xor [data](16)++ {0:X}h(16)', HandlerType.Imm, 3, 50),
    0x05: ('xor [data](32)++ {0:X}h(32)', HandlerType.Imm, 5, 124),
    0x06: ('add [data](8)++ {0:X}h(8)', HandlerType.Imm, 2, 180),
    0x07: ('add [data](16)++ {0:X}h(16)', HandlerType.Imm, 3, 22),
    0x08: ('add [data](32)++ {0:X}h(32)', HandlerType.Imm, 5, 2),
    0x09: ('sub [data](8)++ {0:X}h(8)', HandlerType.Imm, 2, 201),
    0x0A: ('sub [data](16)++ {0:X}h(16)', HandlerType.Imm, 3, 247),
    0x0B: ('sub [data](32)++ {0:X}h(32)', HandlerType.Imm, 5, 113),
    # rol/ror have size 2 for every width, i.e. a single operand byte,
    # even where the mnemonic tags the immediate as (16) or (32).
    0x0C: ('rol [data](8)++ {0:X}h(8)', HandlerType.Imm, 2, 12),
    0x0D: ('rol [data](16)++ {0:X}h(16)', HandlerType.Imm, 2, 250),
    0x0E: ('rol [data](32)++ {0:X}h(32)', HandlerType.Imm, 2, 87),
    0x0F: ('ror [data](8)++ {0:X}h(8)', HandlerType.Imm, 2, 152),
    0x10: ('ror [data](16)++ {0:X}h(16)', HandlerType.Imm, 2, 211),
    0x11: ('ror [data](32)++ {0:X}h(32)', HandlerType.Imm, 2, 251),
    0x12: ('not [data](8)++', HandlerType.Zero, 1, 250),
    0x13: ('not [data](16)++', HandlerType.Zero, 1, 40),
    0x14: ('not [data](32)++', HandlerType.Zero, 1, 4),
    0x15: ('shuffle [data](32)++ {0:X}h(8) ({1},{2},{3},{4})', HandlerType.Shuffle, 2, 130),
    # size 4 = opcode, key_len, data_len and the first key byte; the rest
    # of the key follows inline and is skipped by the disassembler.
    0x16: ('rc4 key_len({0:X}h) data_len({1:X}h) key({2})', HandlerType.Rc4, 4, 201),
    # --- loop / pointer / control flow ---
    0x17: ('set loop {0:X}h(8)', HandlerType.Imm, 2, 78),
    0x18: ('set loop {0:X}h(16)', HandlerType.Imm, 3, 157),
    0x19: ('set loop {0:X}h(32)', HandlerType.Imm, 5, 97),
    0x1A: ('inc data {0:X}h(16)', HandlerType.Imm, 3, 143),
    0x1B: ('jmp {0:X}h(8)', HandlerType.Jmp, 2, 248),
    0x1C: ('jmp {0:X}h(16)', HandlerType.Jmp, 3, 44),
    # --- register op immediate / register op register ---
    0x1D: ('mov r{0} {1:X}h(8)', HandlerType.RegImm, 3, 179),
    0x1E: ('mov r{0} {1:X}h(16)', HandlerType.RegImm, 4, 157),
    0x1F: ('mov r{0} {1:X}h(32)', HandlerType.RegImm, 6, 175),
    0x20: ('mov r{0} r{1}(8)', HandlerType.RegReg, 2, 213),
    0x21: ('mov r{0} r{1}(16)', HandlerType.RegReg, 2, 157),
    0x22: ('mov r{0} r{1}(32)', HandlerType.RegReg, 2, 76),
    0x23: ('add r{0} r{1}(8)', HandlerType.RegReg, 2, 31),
    0x24: ('add r{0} r{1}(16)', HandlerType.RegReg, 2, 201),
    0x25: ('add r{0} r{1}(32)', HandlerType.RegReg, 2, 224),
    0x26: ('sub r{0} r{1}(8)', HandlerType.RegReg, 2, 117),
    0x27: ('sub r{0} r{1}(16)', HandlerType.RegReg, 2, 139),
    0x28: ('sub r{0} r{1}(32)', HandlerType.RegReg, 2, 221),
    0x29: ('xor r{0} r{1}(8)', HandlerType.RegReg, 2, 119),
    0x2A: ('xor r{0} r{1}(16)', HandlerType.RegReg, 2, 121),
    0x2B: ('xor r{0} r{1}(32)', HandlerType.RegReg, 2, 106),
    0x2C: ('add r{0} {1:X}h(8)', HandlerType.RegImm, 3, 73),
    0x2D: ('add r{0} {1:X}h(16)', HandlerType.RegImm, 4, 243),
    0x2E: ('add r{0} {1:X}h(32)', HandlerType.RegImm, 6, 28),
    0x2F: ('sub r{0} {1:X}h(8)', HandlerType.RegImm, 3, 84),
    0x30: ('sub r{0} {1:X}h(16)', HandlerType.RegImm, 4, 83),
    0x31: ('sub r{0} {1:X}h(32)', HandlerType.RegImm, 6, 35),
    0x32: ('xor r{0} {1:X}h(8)', HandlerType.RegImm, 3, 110),
    0x33: ('xor r{0} {1:X}h(16)', HandlerType.RegImm, 4, 154),
    0x34: ('xor r{0} {1:X}h(32)', HandlerType.RegImm, 6, 209),
    # --- [data] op register / register <-> [data] ---
    0x35: ('add [data](8)++ r{0}(8)', HandlerType.Reg, 2, 70),
    0x36: ('add [data](16)++ r{0}(16)', HandlerType.Reg, 2, 50),
    # NOTE(review): "[data](16)" breaks the 8/16/32 pattern of the
    # neighbouring entries; possibly a typo for "[data](32)". Confirm
    # against the handler before changing the mnemonic.
    0x37: ('add [data](16)++ r{0}(32)', HandlerType.Reg, 2, 61),
    0x38: ('sub [data](8)++ r{0}(8)', HandlerType.Reg, 2, 4),
    0x39: ('sub [data](16)++ r{0}(16)', HandlerType.Reg, 2, 219),
    0x3A: ('sub [data](32)++ r{0}(32)', HandlerType.Reg, 2, 198),
    0x3B: ('xor [data](8)++ r{0}(8)', HandlerType.Reg, 2, 125),
    0x3C: ('xor [data](16)++ r{0}(16)', HandlerType.Reg, 2, 113),
    0x3D: ('xor [data](32)++ r{0}(32)', HandlerType.Reg, 2, 122),
    0x3E: ('mov r{0} [data](8)', HandlerType.Reg, 2, 188),
    0x3F: ('mov r{0} [data](16)', HandlerType.Reg, 2, 61),
    0x40: ('mov r{0} [data](32)', HandlerType.Reg, 2, 159),
    0x41: ('mov [data](8)++ r{0}(8)', HandlerType.Reg, 2, 34),
    0x42: ('mov [data](16)++ r{0}(16)', HandlerType.Reg, 2, 248),
    0x43: ('mov [data](32)++ r{0}(32)', HandlerType.Reg, 2, 86),
    # --- terminator ---
    0x44: ('exit', HandlerType.Zero, 1, None),
}
# Paste the hex dump of the extracted VM bytecode here. Left empty, the
# disassembler produces an empty listing.
vm_code_str = ""
# Kept as a mutable bytearray: encoded opcode bytes are decoded in place
# while the disassembler walks the buffer.
vm_code = bytearray.fromhex(vm_code_str)
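class ZeusVMDiasm:
    """Linear-sweep disassembler for ZeusVM VM bytecode.

    The bytecode comes out of a sample and is treated as untrusted input:
    every read is bounds-checked, and the program is only decoded and
    printed, never executed.

    Opcode bytes may be stored encoded. After each instruction, if the next
    opcode byte has its high bit set, it is XORed in place with a key built
    from a byte of the current instruction and that handler's xor key, then
    masked to 7 bits. Decoding therefore has to run sequentially from the
    start of the buffer.
    """

    def __init__(self, vm_code, output_file=None):
        """Prepare a disassembler over *vm_code*.

        Args:
            vm_code: The VM bytecode. A ``bytearray`` is used as-is and is
                decoded in place; any other bytes-like value is copied into
                a ``bytearray`` first so the in-place decode cannot fail on
                an immutable buffer.
            output_file: Path the listing is written to, or ``None`` to
                print it to stdout.
        """
        self.vm_code = vm_code if isinstance(vm_code, bytearray) else bytearray(vm_code)
        self.vm_code_len = len(self.vm_code)
        self.vm_code_idx = 0
        self.output_file = output_file

    def fetch_insn(self):
        """Decode the instruction at the current offset and advance past it.

        Returns:
            ``(mnemonic, handler_type, operands, opcode, left_side)``, or
            ``None`` once the end of the buffer is reached. ``operands`` is
            ``None`` for one-byte instructions; ``left_side`` is the
            "offset: opcode operands" column of the listing.

        Raises:
            ValueError: The opcode is not in ``handler_info``, or the
                instruction (including an inline rc4 key) runs past the end
                of the buffer. The message carries the offending offset.
        """
        start = self.vm_code_idx
        if start >= self.vm_code_len:
            return None

        opcode = self.vm_code[start]
        info = handler_info.get(opcode)
        if info is None:
            # An unknown opcode usually means the decode chain is out of
            # sync; report where instead of failing with a bare KeyError.
            raise ValueError(
                f"unknown opcode {opcode:02X}h at offset {start:04X}h")
        mnemonic, handler_type, insn_size, xor_key = info

        end = start + insn_size
        if end > self.vm_code_len:
            raise ValueError(
                f"truncated instruction at offset {start:04X}h: opcode "
                f"{opcode:02X}h needs {insn_size} bytes, "
                f"{self.vm_code_len - start} available")

        operands = None
        if insn_size > 1:
            operands = self.vm_code[start + 1:end]
            left_side = f"{start:04X}: {opcode:02X} {operands.hex(): <10}"
        else:
            left_side = f"{start:04X}: {opcode:02X} {'': <10}"

        if handler_type == HandlerType.Rc4:
            # Operands are (key_len, data_len, first key byte); the rest of
            # the key is stored inline, so skip it as well.
            end += operands[0] - 1
            if end > self.vm_code_len:
                raise ValueError(
                    f"truncated rc4 key at offset {start:04X}h: key_len "
                    f"{operands[0]:X}h runs past the end of the code")
        self.vm_code_idx = end

        # The key byte is the first byte of the last operand; picking it by
        # handler type is simpler than locating it generically.
        if handler_type == HandlerType.Rc4:
            key_idx = 2
        elif handler_type == HandlerType.RegImm:
            key_idx = 1
        else:
            key_idx = 0

        # Decode the next opcode in place. The bounds guard matters when the
        # code ends without an exit instruction: there is no next byte to
        # decode, and the following fetch simply returns None.
        if xor_key is not None and self.vm_code_idx < self.vm_code_len:
            if self.vm_code[self.vm_code_idx] > 0x7F:
                # One-byte instructions use the opcode itself as key byte.
                if insn_size > 1:
                    key = operands[key_idx] ^ xor_key
                else:
                    key = opcode ^ xor_key
                self.vm_code[self.vm_code_idx] ^= key
                self.vm_code[self.vm_code_idx] &= 0x7F
        return (mnemonic, handler_type, operands, opcode, left_side)

    def _format_insn(self, mnemonic, handler_type, operands, opcode):
        """Render the mnemonic of the instruction fetch_insn() just returned.

        Must be called before the next fetch: the rc4 branch reads the
        inline key relative to the current code offset.
        """
        if handler_type == HandlerType.Zero:
            return mnemonic
        if opcode == 0x1A:
            # inc data: the immediate is signed for this instruction
            return mnemonic.format(
                int.from_bytes(operands, byteorder='little', signed=True))
        if opcode in (0x17, 0x18, 0x19):
            # set loop (loop counter)
            return mnemonic.format(int.from_bytes(operands, byteorder='little'))
        if handler_type == HandlerType.Shuffle:
            selector = operands[0]
            return mnemonic.format(
                selector,
                selector & 0x03,
                (selector & 0x0C) >> 2,
                (selector & 0x30) >> 4,
                (selector & 0xC0) >> 6,
            )
        if handler_type == HandlerType.Rc4:
            # fetch_insn() already verified that the whole key is in bounds,
            # so no assert is needed here (asserts vanish under -O).
            key_len = operands[0]
            key = self.vm_code[self.vm_code_idx - key_len:self.vm_code_idx]
            return mnemonic.format(key_len, operands[1], key.hex())
        if handler_type == HandlerType.Imm:
            return mnemonic.format(int.from_bytes(operands, byteorder='little'))
        if handler_type == HandlerType.RegReg:
            return mnemonic.format(operands[0] & 0x0F, (operands[0] >> 4) & 0xF)
        if handler_type == HandlerType.RegImm:
            return mnemonic.format(
                operands[0] & 0x0F,
                int.from_bytes(operands[1:], byteorder='little'))
        if handler_type == HandlerType.Reg:
            return mnemonic.format(operands[0] & 0x0F)
        if handler_type == HandlerType.Jmp:
            # jumps are negative, so the sign is inverted for display
            return mnemonic.format(-int.from_bytes(operands, byteorder='little'))
        return ''

    def disasm(self, print_left=True):
        """Disassemble until exit or end of code and emit the listing.

        The listing goes to ``output_file`` when one was given, otherwise
        to stdout. Malformed input does not discard what was decoded so
        far: decoding stops and a final ``; decode stopped: ...`` line
        records the reason and offset.

        Args:
            print_left: Prefix each line with the offset / raw bytes column.
        """
        depth = 0
        diasm_lines = []
        while True:
            try:
                insn = self.fetch_insn()
            except ValueError as err:
                diasm_lines.append(f'; decode stopped: {err}')
                break
            if insn is None:
                break
            mnemonic, handler_type, operands, opcode, left_side = insn

            diasm_line = left_side + ' ' if print_left else ''
            diasm_line += ' ' * depth
            diasm_line += self._format_insn(mnemonic, handler_type, operands, opcode)
            diasm_lines.append(diasm_line)

            if handler_type == HandlerType.Zero:
                # stop once the exit instruction has been listed
                if mnemonic == 'exit':
                    break
            elif opcode in (0x17, 0x18, 0x19):
                # set loop opens a loop body: indent what follows
                depth += 1
            elif handler_type == HandlerType.Jmp:
                # the backwards jump closes the loop body
                depth -= 1

        if self.output_file is not None:
            with open(self.output_file, 'w') as f:
                f.writelines(line + '\n' for line in diasm_lines)
        else:
            for line in diasm_lines:
                print(line)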
if __name__ == '__main__':
    # Decode the embedded bytecode and write the listing to diasm.txt;
    # passing False drops the "offset: opcode operands" column.
    ZeusVMDiasm(vm_code, 'diasm.txt').disasm(False)
0000: 1A 0902 inc data 209h(16)
0003: 1A 96ff inc data -6Ah(16)
0006: 18 0200 set loop 2h(16)
0009: 16 249a88 rc4 key_len(24h) data_len(9Ah) key(881f8cc1ecfff903bc02414b249015aa648ad582c81d3615e6a6ee5c6bf9ab6fec5d09e3)
0030: 1B 29 jmp -29h(8)
0032: 16 1a0178 rc4 key_len(1Ah) data_len(1h) key(78ea5d76bc302819ba41474563b987c556f06aad9809c9b86c44)
004F: 0D 4f rol [data](16)++ 4Fh(16)
0051: 1A c9fe inc data -137h(16)
0054: 18 0100 set loop 1h(16)
0057: 16 518fe1 rc4 key_len(51h) data_len(8Fh) key(e191d47d3881bf24a74bf05b6bd82e95bec48930e73714e72b8cf81be623ffaecdf2d694b9dd1d7ad773fd1cde891dd1bf31f3d676ab0528a0d45a05dd4cd75d6ece255154538218a7b761beebb01ac9e5)
00AB: 1B 56 jmp -56h(8)
00AD: 3F 05 mov r5 [data](16)
00AF: 1D 0655 mov r6 55h(8)
00B2: 27 56 sub r6 r5(16)
00B4: 2F 058e sub r5 8Eh(8)
00B7: 1E 035752 mov r3 5257h(16)
00BB: 2E 05e27ca367 add r5 67A37CE2h(32)
00C1: 31 0567b7e224 sub r5 24E2B767h(32)
00C7: 32 050a xor r5 Ah(8)
00CA: 42 05 mov [data](16)++ r5(16)
00CC: 11 38 ror [data](32)++ 38h(32)
00CE: 1A 7bff inc data -85h(16)
00D1: 1A b0fe inc data -150h(16)
00D4: 3E 04 mov r4 [data](8)
00D6: 1F 0ea6d8702f mov r14 2F70D8A6h(32)
00DC: 2F 04de sub r4 DEh(8)
00DF: 31 0e8a31c079 sub r14 79C0318Ah(32)
00E5: 30 04d170 sub r4 70D1h(16)
00E9: 32 047e xor r4 7Eh(8)
00EC: 2F 047d sub r4 7Dh(8)
00EF: 34 04b256413e xor r4 3E4156B2h(32)
00F5: 2D 04f996 add r4 96F9h(16)
00F9: 29 ee xor r14 r14(8)
00FB: 30 048d75 sub r4 758Dh(16)
00FF: 41 04 mov [data](8)++ r4(8)
0101: 1D 0e26 mov r14 26h(8)
0104: 1F 0bd2234b09 mov r11 94B23D2h(32)
010A: 32 0bf1 xor r11 F1h(8)
010D: 2D 0b801d add r11 1D80h(16)
0111: 30 0e962c sub r14 2C96h(16)
0115: 30 0b43a4 sub r11 A443h(16)
0119: 2C 0eb5 add r14 B5h(8)
011C: 2C 0e7e add r14 7Eh(8)
011F: 2D 0e3b1d add r14 1D3Bh(16)
0123: 2B be xor r14 r11(32)
0125: 33 0e91fa xor r14 FA91h(16)
0129: 37 0e add [data](16)++ r14(32)
012B: 1E 0d200c mov r13 C20h(16)
012F: 1F 0f19378db5 mov r15 B58D3719h(32)
0135: 34 0de053be72 xor r13 72BE53E0h(32)
013B: 2F 0f8b sub r15 8Bh(8)
013E: 32 0f28 xor r15 28h(8)
0141: 24 ff add r15 r15(16)
0143: 34 0d7c79d07d xor r13 7DD0797Ch(32)
0149: 25 ff add r15 r15(32)
014B: 29 dd xor r13 r13(8)
014D: 25 ff add r15 r15(32)
014F: 3A 0f sub [data](32)++ r15(32)
0151: 1F 0715786465 mov r7 65647815h(32)
0157: 1D 03b3 mov r3 B3h(8)
015A: 2E 07c939fd7d add r7 7DFD39C9h(32)
0160: 33 073513 xor r7 1335h(16)
0164: 34 07cb02ecc2 xor r7 C2EC02CBh(32)
016A: 21 3b mov r11 r3(16)
016C: 31 0b4a189cbe sub r11 BE9C184Ah(32)
0172: 1D 0969 mov r9 69h(8)
0175: 34 07d4c64107 xor r7 741C6D4h(32)
017B: 2C 09fa add r9 FAh(8)
017E: 23 7b add r11 r7(8)
0180: 25 9b add r11 r9(32)
0182: 2D 0bd215 add r11 15D2h(16)
0186: 2A 37 xor r7 r3(16)
0188: 31 03b4fb1423 sub r3 2314FBB4h(32)
018E: 39 07 sub [data](16)++ r7(16)
0190: 1D 09d2 mov r9 D2h(8)
0193: 1E 0167c5 mov r1 C567h(16)
0197: 1F 02c36c8dbd mov r2 BD8D6CC3h(32)
019D: 23 19 add r9 r1(8)
019F: 32 099f xor r9 9Fh(8)
01A2: 26 19 sub r9 r1(8)
01A4: 2F 09e0 sub r9 E0h(8)
01A7: 2A 99 xor r9 r9(16)
01A9: 34 026bf73db5 xor r2 B53DF76Bh(32)
01AF: 35 09 add [data](8)++ r9(8)
01B1: 1F 0557e14e04 mov r5 44EE157h(32)
01B7: 31 05c0fe8875 sub r5 7588FEC0h(32)
01BD: 2D 05d61a add r5 1AD6h(16)
01C1: 2F 0572 sub r5 72h(8)
01C4: 23 55 add r5 r5(8)
01C6: 34 056215c7db xor r5 DBC71562h(32)
01CC: 1E 0b78cc mov r11 CC78h(16)
01D0: 3B 05 xor [data](8)++ r5(8)
01D2: 18 0b00 set loop Bh(16)
01D5: 1E 0af7c4 mov r10 C4F7h(16)
01D9: 26 aa sub r10 r10(8)
01DB: 2B aa xor r10 r10(32)
01DD: 2E 0a7be29a38 add r10 389AE27Bh(32)
01E3: 2B aa xor r10 r10(32)
01E5: 20 a4 mov r4 r10(8)
01E7: 37 0a add [data](16)++ r10(32)
01E9: 15 1e shuffle [data](32)++ 1Eh(8) (2,3,1,0)
01EB: 3E 0b mov r11 [data](8)
01ED: 1E 0ce4c7 mov r12 C7E4h(16)
01F1: 2B bc xor r12 r11(32)
01F3: 2E 0b73d3e105 add r11 5E1D373h(32)
01F9: 1E 075a4a mov r7 4A5Ah(16)
01FD: 23 77 add r7 r7(8)
01FF: 25 77 add r7 r7(32)
0201: 2C 0b28 add r11 28h(8)
0204: 32 0bb9 xor r11 B9h(8)
0207: 23 cc add r12 r12(8)
0209: 2D 0732d3 add r7 D332h(16)
020D: 2B cc xor r12 r12(32)
020F: 2A b7 xor r7 r11(16)
0211: 2B 7c xor r12 r7(32)
0213: 41 0b mov [data](8)++ r11(8)
0215: 1E 04dda5 mov r4 A5DDh(16)
0219: 1D 06ea mov r6 EAh(8)
021C: 37 04 add [data](16)++ r4(32)
021E: 16 7c0c67 rc4 key_len(7Ch) data_len(Ch) key(6702d699d4b7c32a55ebfefe2651e18e51474e2e3c4fdacedbcc829663994d359c2f18bfe9b6a678e6db034557067661dbd17f6490436e7bc06e2e8389a47ced889fbe4bebc88d1d66c6f317952edf8268164c1179aa3df2afa40a4278903cd5d631dccc9022a4ceb5471c156a0010cd9cc18be07d01b85fb38bade4)
029D: 3E 0e mov r14 [data](8)
029F: 1D 0371 mov r3 71h(8)
02A2: 26 33 sub r3 r3(8)
02A4: 2A 33 xor r3 r3(16)
02A6: 28 e3 sub r3 r14(32)
02A8: 1D 0f3c mov r15 3Ch(8)
02AB: 26 ef sub r15 r14(8)
02AD: 1F 0738c2c354 mov r7 54C3C238h(32)
02B3: 2B ef xor r15 r14(32)
02B5: 2B ff xor r15 r15(32)
02B7: 27 e7 sub r7 r14(16)
02B9: 32 074d xor r7 4Dh(8)
02BC: 32 0e94 xor r14 94h(8)
02BF: 28 f3 sub r3 r15(32)
02C1: 31 0e53055733 sub r14 33570553h(32)
02C7: 2E 0f7cb6a477 add r15 77A4B67Ch(32)
02CD: 26 37 sub r7 r3(8)
02CF: 32 0e95 xor r14 95h(8)
02D2: 23 f7 add r7 r15(8)
02D4: 2B 3f xor r15 r3(32)
02D6: 32 03ae xor r3 AEh(8)
02D9: 2F 0ece sub r14 CEh(8)
02DC: 23 73 add r3 r7(8)
02DE: 41 0e mov [data](8)++ r14(8)
02E0: 1E 0ce23d mov r12 3DE2h(16)
02E4: 1D 0bbf mov r11 BFh(8)
02E7: 2F 0b7a sub r11 7Ah(8)
02EA: 30 0b8148 sub r11 4881h(16)
02EE: 24 bc add r12 r11(16)
02F0: 2C 0b15 add r11 15h(8)
02F3: 2D 0c16ce add r12 CE16h(16)
02F7: 37 0b add [data](16)++ r11(32)
02F9: 3E 0d mov r13 [data](8)
02FB: 1F 03e3369766 mov r3 669736E3h(32)
0301: 27 33 sub r3 r3(16)
0303: 30 0d07c0 sub r13 C007h(16)
0307: 27 33 sub r3 r3(16)
0309: 2E 0d2318a6e1 add r13 E1A61823h(32)
030F: 32 0d75 xor r13 75h(8)
0312: 29 d3 xor r3 r13(8)
0314: 28 d3 sub r3 r13(32)
0316: 41 0d mov [data](8)++ r13(8)
0318: 1E 077bd7 mov r7 D77Bh(16)
031C: 1E 015168 mov r1 6851h(16)
0320: 33 07c020 xor r7 20C0h(16)
0324: 2E 0714f5d3fc add r7 FCD3F514h(32)
032A: 25 71 add r1 r7(32)
032C: 2F 01bb sub r1 BBh(8)
032F: 2D 0749d0 add r7 D049h(16)
0333: 2A 77 xor r7 r7(16)
0335: 2C 014b add r1 4Bh(8)
0338: 31 07166a06a6 sub r7 A6066A16h(32)
033E: 34 0148a11cc5 xor r1 C51CA148h(32)
0344: 35 07 add [data](8)++ r7(8)
0346: 09 ca sub [data](8)++ CAh(8)
0348: 3E 06 mov r6 [data](8)
034A: 1D 0789 mov r7 89h(8)
034D: 23 67 add r7 r6(8)
034F: 2E 0672d0dd15 add r6 15DDD072h(32)
0355: 28 67 sub r7 r6(32)
0357: 41 06 mov [data](8)++ r6(8)
0359: 14 not [data](32)++
035A: 1C 8801 jmp -188h(16)
035D: 1D 01a1 mov r1 A1h(8)
0360: 1F 09b9959472 mov r9 729495B9h(32)
0366: 2A 19 xor r9 r1(16)
0368: 32 09d1 xor r9 D1h(8)
036B: 30 0920db sub r9 DB20h(16)
036F: 35 09 add [data](8)++ r9(8)
0371: 16 0b0a01 rc4 key_len(Bh) data_len(Ah) key(01046d00c6ba5a8c5d937c)
037F: 0C 6f rol [data](8)++ 6Fh(8)
0381: 3E 07 mov r7 [data](8)
0383: 1D 0254 mov r2 54h(8)
0386: 29 22 xor r2 r2(8)
0388: 28 22 sub r2 r2(32)
038A: 2C 0209 add r2 9h(8)
038D: 2E 07027d429d add r7 9D427D02h(32)
0393: 30 073f71 sub r7 713Fh(16)
0397: 30 0790de sub r7 DE90h(16)
039B: 23 22 add r2 r2(8)
039D: 23 72 add r2 r7(8)
039F: 41 07 mov [data](8)++ r7(8)
03A1: 1A c1fe inc data -13Fh(16)
03A4: 3E 0b mov r11 [data](8)
03A6: 1D 0233 mov r2 33h(8)
03A9: 30 0b843e sub r11 3E84h(16)
03AD: 2F 0283 sub r2 83h(8)
03B0: 28 b2 sub r2 r11(32)
03B2: 29 22 xor r2 r2(8)
03B4: 41 0b mov [data](8)++ r11(8)
03B6: 1F 0c0fda0396 mov r12 9603DA0Fh(32)
03BC: 23 cc add r12 r12(8)
03BE: 1E 085ecd mov r8 CD5Eh(16)
03C2: 33 082e98 xor r8 982Eh(16)
03C6: 34 086687b532 xor r8 32B58766h(32)
03CC: 21 c5 mov r5 r12(16)
03CE: 32 0c6f xor r12 6Fh(8)
03D1: 28 cc sub r12 r12(32)
03D3: 2E 080e59491e add r8 1E49590Eh(32)
03D9: 32 0562 xor r5 62h(8)
03DC: 2B c8 xor r8 r12(32)
03DE: 33 05dcee xor r5 EEDCh(16)
03E2: 2E 058718abcc add r5 CCAB1887h(32)
03E8: 27 8c sub r12 r8(16)
03EA: 3C 08 xor [data](16)++ r8(16)
03EC: 1F 00d6088d95 mov r0 958D08D6h(32)
03F2: 2D 00275e add r0 5E27h(16)
03F6: 2C 00e2 add r0 E2h(8)
03F9: 1F 0d9e5d71a5 mov r13 A5715D9Eh(32)
03FF: 20 db mov r11 r13(8)
0401: 34 0b780ed56c xor r11 6CD50E78h(32)
0407: 2F 00e4 sub r0 E4h(8)
040A: 2D 00b74b add r0 4BB7h(16)
040E: 24 bb add r11 r11(16)
0410: 34 0d32e751da xor r13 DA51E732h(32)
0416: 29 00 xor r0 r0(8)
0418: 26 bb sub r11 r11(8)
041A: 23 db add r11 r13(8)
041C: 37 00 add [data](16)++ r0(32)
041E: 18 0000 set loop 0h(16)
0421: 1F 0c07879419 mov r12 19948707h(32)
0427: 1E 0b1030 mov r11 3010h(16)
042B: 2A bc xor r12 r11(16)
042D: 1F 0eb6691dda mov r14 DA1D69B6h(32)
0433: 31 0bb0c9156c sub r11 6C15C9B0h(32)
0439: 30 0b9de6 sub r11 E69Dh(16)
043D: 35 0b add [data](8)++ r11(8)
043F: 0C d4 rol [data](8)++ D4h(8)
0441: 1D 0d6d mov r13 6Dh(8)
0444: 1D 005b mov r0 5Bh(8)
0447: 33 005dd4 xor r0 D45Dh(16)
044B: 27 0d sub r13 r0(16)
044D: 39 00 sub [data](16)++ r0(16)
044F: 0A b3c8 sub [data](16)++ C8B3h(16)
0452: 16 96dbbd rc4 key_len(96h) data_len(DBh) key(bd4a8fb28c2763d854e7e9b119b2eaafe99d4d370cbc815a35ddd902d9ca8c4115173bb64258ab8e246782e4383dc6883045a27e9ae6035930c0d528bc112115863db19d903f000e325ac03f8fea1eaafc9040f538722d236e12d40adb4b42d81b56a06d291b430475edb9c58d4801f17e3093c070ee2ccb108a287986321680b230f3375c9804172a78f97e87736441f0669c698c54)
04EB: 1B cc jmp -CCh(8)
04ED: 1F 07426d5083 mov r7 83506D42h(32)
04F3: 34 072b85174f xor r7 4F17852Bh(32)
04F9: 3D 07 xor [data](32)++ r7(32)
04FB: 3E 02 mov r2 [data](8)
04FD: 1D 0f03 mov r15 3h(8)
0500: 29 2f xor r15 r2(8)
0502: 28 2f sub r15 r2(32)
0504: 2E 0217b4cc5b add r2 5BCCB417h(32)
050A: 28 2f sub r15 r2(32)
050C: 24 2f add r15 r2(16)
050E: 26 ff sub r15 r15(8)
0510: 41 02 mov [data](8)++ r2(8)
0512: 1F 08bcc168e4 mov r8 E468C1BCh(32)
0518: 1D 0094 mov r0 94h(8)
051B: 2F 00c4 sub r0 C4h(8)
051E: 38 00 sub [data](8)++ r0(8)
0520: 08 f3a3e9b7 add [data](32)++ B7E9A3F3h(32)
0525: 1E 027688 mov r2 8876h(16)
0529: 26 22 sub r2 r2(8)
052B: 21 28 mov r8 r2(16)
052D: 31 029aec9022 sub r2 2290EC9Ah(32)
0533: 37 02 add [data](16)++ r2(32)
0535: 11 96 ror [data](32)++ 96h(32)
0537: 1A d3fd inc data -22Dh(16)
053A: 3E 0a mov r10 [data](8)
053C: 1E 0d9bf4 mov r13 F49Bh(16)
0540: 1D 0cc5 mov r12 C5h(8)
0543: 23 dc add r12 r13(8)
0545: 2E 0aaf1756f8 add r10 F85617AFh(32)
054B: 2F 0a7d sub r10 7Dh(8)
054E: 27 ad sub r13 r10(16)
0550: 28 ac sub r12 r10(32)
0552: 27 dd sub r13 r13(16)
0554: 24 ad add r13 r10(16)
0556: 33 0aed15 xor r10 15EDh(16)
055A: 31 0d68768ebb sub r13 BB8E7668h(32)
0560: 32 0c66 xor r12 66h(8)
0563: 25 cd add r13 r12(32)
0565: 41 0a mov [data](8)++ r10(8)
0567: 0C 7c rol [data](8)++ 7Ch(8)
0569: 0F 2d ror [data](8)++ 2Dh(8)
056B: 3F 04 mov r4 [data](16)
056D: 1F 0b91bbaeba mov r11 BAAEBB91h(32)
0573: 32 0425 xor r4 25h(8)
0576: 32 0423 xor r4 23h(8)
0579: 2E 0b660e4488 add r11 88440E66h(32)
057F: 26 bb sub r11 r11(8)
0581: 23 4b add r11 r4(8)
0583: 34 04f4b4258d xor r4 8D25B4F4h(32)
0589: 34 048c3b7af7 xor r4 F77A3B8Ch(32)
058F: 31 0490a15f61 sub r4 615FA190h(32)
0595: 2F 04eb sub r4 EBh(8)
0598: 2F 040e sub r4 Eh(8)
059B: 1F 090ced27ed mov r9 ED27ED0Ch(32)
05A1: 42 04 mov [data](16)++ r4(16)
05A3: 18 0200 set loop 2h(16)
05A6: 1F 0572ac712a mov r5 2A71AC72h(32)
05AC: 1F 0873f19154 mov r8 5491F173h(32)
05B2: 1D 01df mov r1 DFh(8)
05B5: 29 85 xor r5 r8(8)
05B7: 34 05e36de056 xor r5 56E06DE3h(32)
05BD: 2F 01f7 sub r1 F7h(8)
05C0: 30 05c728 sub r5 28C7h(16)
05C4: 2C 0801 add r8 1h(8)
05C7: 23 85 add r5 r8(8)
05C9: 1F 0ccd0046cb mov r12 CB4600CDh(32)
05CF: 2C 0190 add r1 90h(8)
05D2: 2F 01b2 sub r1 B2h(8)
05D5: 25 18 add r8 r1(32)
05D7: 2B 58 xor r8 r5(32)
05D9: 29 cc xor r12 r12(8)
05DB: 29 81 xor r1 r8(8)
05DD: 2E 0cbbdaa76b add r12 6BA7DABBh(32)
05E3: 2C 0867 add r8 67h(8)
05E6: 31 01c86b2709 sub r1 9276BC8h(32)
05EC: 3D 01 xor [data](32)++ r1(32)
05EE: 0C 3f rol [data](8)++ 3Fh(8)
05F0: 1E 0179eb mov r1 EB79h(16)
05F4: 1E 068e58 mov r6 588Eh(16)
05F8: 30 06613c sub r6 3C61h(16)
05FC: 24 16 add r6 r1(16)
05FE: 1D 0a8e mov r10 8Eh(8)
0601: 32 06c0 xor r6 C0h(8)
0604: 2F 061e sub r6 1Eh(8)
0607: 33 06d3aa xor r6 AAD3h(16)
060B: 2D 06a614 add r6 14A6h(16)
060F: 31 06c6081c72 sub r6 721C08C6h(32)
0615: 2E 060168df1b add r6 1BDF6801h(32)
061B: 31 0a513e8534 sub r10 34853E51h(32)
0621: 28 a1 sub r1 r10(32)
0623: 33 065b9c xor r6 9C5Bh(16)
0627: 2C 01b1 add r1 B1h(8)
062A: 34 0ab177e876 xor r10 76E877B1h(32)
0630: 35 06 add [data](8)++ r6(8)
0632: 40 0a mov r10 [data](32)
0634: 1D 0392 mov r3 92h(8)
0637: 29 a3 xor r3 r10(8)
0639: 23 a3 add r3 r10(8)
063B: 43 0a mov [data](32)++ r10(32)
063D: 40 06 mov r6 [data](32)
063F: 1D 0189 mov r1 89h(8)
0642: 23 61 add r1 r6(8)
0644: 20 19 mov r9 r1(8)
0646: 27 69 sub r9 r6(16)
0648: 30 0648bc sub r6 BC48h(16)
064C: 2E 06bcb4df36 add r6 36DFB4BCh(32)
0652: 2C 062c add r6 2Ch(8)
0655: 25 69 add r9 r6(32)
0657: 26 19 sub r9 r1(8)
0659: 23 19 add r9 r1(8)
065B: 2A 19 xor r9 r1(16)
065D: 27 99 sub r9 r9(16)
065F: 29 11 xor r1 r1(8)
0661: 25 99 add r9 r9(32)
0663: 23 99 add r9 r9(8)
0665: 34 06da9401f1 xor r6 F10194DAh(32)
066B: 33 06f54f xor r6 4FF5h(16)
066F: 43 06 mov [data](32)++ r6(32)
0671: 16 1ba62d rc4 key_len(1Bh) data_len(A6h) key(2da3dd3b3ba7139e66c7e6142096fc1589faae43e6371fa572a82f)
068F: 1B eb jmp -EBh(8)
0691: 1F 01e66a88c4 mov r1 C4886AE6h(32)
0697: 1E 0e83b3 mov r14 B383h(16)
069B: 34 01ec6aa8d2 xor r1 D2A86AECh(32)
06A1: 3A 01 sub [data](32)++ r1(32)
06A3: 16 4535c6 rc4 key_len(45h) data_len(35h) key(c6323b7610aafc976af3b7da0f1da68b257048d6e1bcdcd970f0a5e87b7ace6892e8c415a02c1b1c49a777de00c28b0554e22c2434961a30d08e0f7cb4cb9839ce73a72ddd)
06EB: 1A 2ffe inc data -1D1h(16)
06EE: 16 fb5a32 rc4 key_len(FBh) data_len(5Ah) key(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)
07EC: 1F 0f97a6b312 mov r15 12B3A697h(32)
07F2: 1F 0a6041801e mov r10 1E804160h(32)
07F8: 1E 08fef6 mov r8 F6FEh(16)
07FC: 2A 8a xor r10 r8(16)
07FE: 24 8f add r15 r8(16)
0800: 32 0f79 xor r15 79h(8)
0803: 1E 03ecad mov r3 ADECh(16)
0807: 2E 084f841043 add r8 4310844Fh(32)
080D: 30 08d042 sub r8 42D0h(16)
0811: 28 f3 sub r3 r15(32)
0813: 32 08ff xor r8 FFh(8)
0816: 34 0f9be5ace1 xor r15 E1ACE59Bh(32)
081C: 33 0861cc xor r8 CC61h(16)
0820: 30 0f874b sub r15 4B87h(16)
0824: 36 08 add [data](16)++ r8(16)
0826: 04 b8e5 xor [data](16)++ E5B8h(16)
0829: 3E 0f mov r15 [data](8)
082B: 1F 09ee64cdba mov r9 BACD64EEh(32)
0831: 2C 0f33 add r15 33h(8)
0834: 29 99 xor r9 r9(8)
0836: 2A 99 xor r9 r9(16)
0838: 2A f9 xor r9 r15(16)
083A: 28 99 sub r9 r9(32)
083C: 31 0fb2755151 sub r15 515175B2h(32)
0842: 23 99 add r9 r9(8)
0844: 2B f9 xor r9 r15(32)
0846: 29 f9 xor r9 r15(8)
0848: 32 0fc1 xor r15 C1h(8)
084B: 2F 09f6 sub r9 F6h(8)
084E: 26 f9 sub r9 r15(8)
0850: 2E 0fd0db2832 add r15 3228DBD0h(32)
0856: 33 0f05b1 xor r15 B105h(16)
085A: 30 0f491e sub r15 1E49h(16)
085E: 41 0f mov [data](8)++ r15(8)
0860: 1D 091e mov r9 1Eh(8)
0863: 1D 0dd1 mov r13 D1h(8)
0866: 30 0933f9 sub r9 F933h(16)
086A: 30 0d155e sub r13 5E15h(16)
086E: 2D 0d3e31 add r13 313Eh(16)
0872: 2C 0d1f add r13 1Fh(8)
0875: 34 0df440c4e1 xor r13 E1C440F4h(32)
087B: 3D 0d xor [data](32)++ r13(32)
087D: 16 e07c7b rc4 key_len(E0h) data_len(7Ch) key(7b463a18ca0ca13b1144a5c54784538679876d87398ad38be0eef2e748dc1546905c8c920e81a796bb02817efcc9eb62c89b25399bbe0c401f8e59cef9e2e246028a2324a6c9b2d9876d6f0f7fe9cfe0c889c1cc0cf36e893b478ad4a67452b1c328c6366d82cf23893a2d60014ac8aacfd3907877f82584ce3ff97930d075778f484c954b0053ba63126865acde0206e13993b9e5074847edf9c329fe7e540b01f1473b06ab05df350f20256417f190009bdf2e5fc456fa0c59b8ac888338c525469c1c75f296fd61c3400882e0cd776c0e39cff65951c98559b46f92267fe9)
0960: 15 c9 shuffle [data](32)++ C9h(8) (1,2,0,3)
0962: 3E 09 mov r9 [data](8)
0964: 1F 0b762a91a8 mov r11 A8912A76h(32)
096A: 2A 9b xor r11 r9(16)
096C: 1F 0a02af24c5 mov r10 C524AF02h(32)
0972: 26 9a sub r10 r9(8)
0974: 2E 0b6a3e6139 add r11 39613E6Ah(32)
097A: 24 9b add r11 r9(16)
097C: 31 0956420e8f sub r9 8F0E4256h(32)
0982: 2D 09d416 add r9 16D4h(16)
0986: 41 09 mov [data](8)++ r9(8)
0988: 1F 0a9908b14e mov r10 4EB10899h(32)
098E: 1F 05353cd5f7 mov r5 F7D53C35h(32)
0994: 22 a9 mov r9 r10(32)
0996: 1E 0682a9 mov r6 A982h(16)
099A: 25 96 add r6 r9(32)
099C: 2C 0ab4 add r10 B4h(8)
099F: 2C 09a8 add r9 A8h(8)
09A2: 2F 0523 sub r5 23h(8)
09A5: 2A 96 xor r6 r9(16)
09A7: 24 66 add r6 r6(16)
09A9: 25 65 add r5 r6(32)
09AB: 32 0adf xor r10 DFh(8)
09AE: 30 05cef2 sub r5 F2CEh(16)
09B2: 25 56 add r6 r5(32)
09B4: 2C 0968 add r9 68h(8)
09B7: 33 0aece5 xor r10 E5ECh(16)
09BB: 31 0a21b57228 sub r10 2872B521h(32)
09C1: 2D 06039e add r6 9E03h(16)
09C5: 3C 06 xor [data](16)++ r6(16)
09C7: 06 8f add [data](8)++ 8Fh(8)
09C9: 07 54d5 add [data](16)++ D554h(16)
09CC: 1A 7cfe inc data -184h(16)
09CF: 3F 0b mov r11 [data](16)
09D1: 1E 079407 mov r7 794h(16)
09D5: 23 77 add r7 r7(8)
09D7: 24 77 add r7 r7(16)
09D9: 42 0b mov [data](16)++ r11(16)
09DB: 3F 06 mov r6 [data](16)
09DD: 1D 0fc5 mov r15 C5h(8)
09E0: 32 06f5 xor r6 F5h(8)
09E3: 27 ff sub r15 r15(16)
09E5: 22 64 mov r4 r6(32)
09E7: 42 06 mov [data](16)++ r6(16)
09E9: 3F 00 mov r0 [data](16)
09EB: 1D 0d39 mov r13 39h(8)
09EE: 2A 0d xor r13 r0(16)
09F0: 1D 01f4 mov r1 F4h(8)
09F3: 1E 08ef6d mov r8 6DEFh(16)
09F7: 26 11 sub r1 r1(8)
09F9: 24 d8 add r8 r13(16)
09FB: 27 08 sub r8 r0(16)
09FD: 34 0041db2230 xor r0 3022DB41h(32)
0A03: 31 00d1ec4d12 sub r0 124DECD1h(32)
0A09: 26 18 sub r8 r1(8)
0A0B: 26 8d sub r13 r8(8)
0A0D: 2F 0db6 sub r13 B6h(8)
0A10: 25 08 add r8 r0(32)
0A12: 32 00bb xor r0 BBh(8)
0A15: 2F 0114 sub r1 14h(8)
0A18: 2A 18 xor r8 r1(16)
0A1A: 2C 01bd add r1 BDh(8)
0A1D: 28 11 sub r1 r1(32)
0A1F: 42 00 mov [data](16)++ r0(16)
0A21: 1F 0eede1e994 mov r14 94E9E1EDh(32)
0A27: 2A ee xor r14 r14(16)
0A29: 1D 06e2 mov r6 E2h(8)
0A2C: 22 64 mov r4 r6(32)
0A2E: 30 061383 sub r6 8313h(16)
0A32: 2C 0631 add r6 31h(8)
0A35: 31 0682125d12 sub r6 125D1282h(32)
0A3B: 33 0edf8b xor r14 8BDFh(16)
0A3F: 33 0e04d7 xor r14 D704h(16)
0A43: 32 0e61 xor r14 61h(8)
0A46: 3A 0e sub [data](32)++ r14(32)
0A48: 18 0900 set loop 9h(16)
0A4B: 1E 01787d mov r1 7D78h(16)
0A4F: 1F 07efcaa6ed mov r7 EDA6CAEFh(32)
0A55: 2C 01b1 add r1 B1h(8)
0A58: 1F 045338705c mov r4 5C703853h(32)
0A5E: 2D 04571d add r4 1D57h(16)
0A62: 1D 0ee7 mov r14 E7h(8)
0A65: 30 077235 sub r7 3572h(16)
0A69: 2B 74 xor r4 r7(32)
0A6B: 31 048c091600 sub r4 16098Ch(32)
0A71: 31 04b20e927b sub r4 7B920EB2h(32)
0A77: 2B e7 xor r7 r14(32)
0A79: 2E 0ef7697160 add r14 607169F7h(32)
0A7F: 2E 07b790481f add r7 1F4890B7h(32)
0A85: 2F 0e0b sub r14 Bh(8)
0A88: 39 04 sub [data](16)++ r4(16)
0A8A: 08 8a8a7317 add [data](32)++ 17738A8Ah(32)
0A8F: 3E 08 mov r8 [data](8)
0A91: 1E 0dbed9 mov r13 D9BEh(16)
0A95: 1F 07e8807ae5 mov r7 E57A80E8h(32)
0A9B: 34 0d63f9bca9 xor r13 A9BCF963h(32)
0AA1: 26 8d sub r13 r8(8)
0AA3: 25 d7 add r7 r13(32)
0AA5: 2A 77 xor r7 r7(16)
0AA7: 33 0df682 xor r13 82F6h(16)
0AAB: 1F 09b5c77f32 mov r9 327FC7B5h(32)
0AB1: 2E 086a0148a7 add r8 A748016Ah(32)
0AB7: 27 d7 sub r7 r13(16)
0AB9: 2D 086bf6 add r8 F66Bh(16)
0ABD: 33 07c10a xor r7 AC1h(16)
0AC1: 2F 087a sub r8 7Ah(8)
0AC4: 34 094fbb844c xor r9 4C84BB4Fh(32)
0ACA: 25 dd add r13 r13(32)
0ACC: 2B 8d xor r13 r8(32)
0ACE: 25 77 add r7 r7(32)
0AD0: 41 08 mov [data](8)++ r8(8)
0AD2: 16 8a2b06 rc4 key_len(8Ah) data_len(2Bh) key(0610b9fd4e21a3e6a1f8bc76f8bee8820feaf1b90a2e763ecc39308dbdbeba137da1da45cc7b475152a8011f3a0b9262ee506084c7933225ee0e3a74cf9bcbfa6ceff1f127c0bb42c861dd068cf720fecf22c7508165e9a20f93e70f1bedd7e45040c79a606b7c62a96318637f0d28be26de6999ff54fd0e740b0f6e56fdb8837176ad63367b4a302cc0)
0B5F: 1E 01f14e mov r1 4EF1h(16)
0B63: 25 11 add r1 r1(32)
0B65: 28 11 sub r1 r1(32)
0B67: 25 11 add r1 r1(32)
0B69: 1F 071a0628ff mov r7 FF28061Ah(32)
0B6F: 24 17 add r7 r1(16)
0B71: 2D 018069 add r1 6980h(16)
0B75: 31 01a88469ef sub r1 EF6984A8h(32)
0B7B: 3B 01 xor [data](8)++ r1(8)
0B7D: 3F 00 mov r0 [data](16)
0B7F: 1D 0a75 mov r10 75h(8)
0B82: 28 0a sub r10 r0(32)
0B84: 32 00ad xor r0 ADh(8)
0B87: 1E 07e3d5 mov r7 D5E3h(16)
0B8B: 2F 00d9 sub r0 D9h(8)
0B8E: 2F 00f4 sub r0 F4h(8)
0B91: 23 7a add r10 r7(8)
0B93: 42 00 mov [data](16)++ r0(16)
0B95: 05 4ab76dd0 xor [data](32)++ D06DB74Ah(32)
0B9A: 3F 06 mov r6 [data](16)
0B9C: 1E 0593dc mov r5 DC93h(16)
0BA0: 25 55 add r5 r5(32)
0BA2: 2F 0629 sub r6 29h(8)
0BA5: 2A 55 xor r5 r5(16)
0BA7: 24 65 add r5 r6(16)
0BA9: 2A 65 xor r5 r6(16)
0BAB: 42 06 mov [data](16)++ r6(16)
0BAD: 1C 6501 jmp -165h(16)
0BB0: 16 2c274a rc4 key_len(2Ch) data_len(27h) key(4a8fccc2cdc9ad7c9852e6da0d3b80263c1fcba0fe6ce667d728a5d75ad1fe0e2e74790451fcf73e02476fb8)
0BDF: 1A 79fd inc data -287h(16)
0BE2: 3E 09 mov r9 [data](8)
0BE4: 1E 0fb5eb mov r15 EBB5h(16)
0BE8: 33 09beea xor r9 EABEh(16)
0BEC: 1F 040e6ca08c mov r4 8CA06C0Eh(32)
0BF2: 2C 0f9a add r15 9Ah(8)
0BF5: 30 091844 sub r9 4418h(16)
0BF9: 31 04cc0bb333 sub r4 33B30BCCh(32)
0BFF: 25 ff add r15 r15(32)
0C01: 27 94 sub r4 r9(16)
0C03: 27 4f sub r15 r4(16)
0C05: 2A 44 xor r4 r4(16)
0C07: 30 04a89e sub r4 9EA8h(16)
0C0B: 2B 44 xor r4 r4(32)
0C0D: 25 94 add r4 r9(32)
0C0F: 41 09 mov [data](8)++ r9(8)
0C11: 18 0300 set loop 3h(16)
0C14: 1E 0bb9f7 mov r11 F7B9h(16)
0C18: 34 0b684ec3ba xor r11 BAC34E68h(32)
0C1E: 3D 0b xor [data](32)++ r11(32)
0C20: 16 a89b6b rc4 key_len(A8h) data_len(9Bh) key(6b4c569816733225425ff5c8a17a3d0acb499171560e261dc0395be11d1ef0c3a56bc9eea6902aef22be68c818d41ab8c691311c8f9489ee17e88b5d54dac4ccf42b498de4b031123e8248a8da2cdef9d5230232eb6057820a8b14174bf23275a2c4ed2dc5c3c6fac15010135d6528ebca8df1d46cf610cc495f88332d1c3f9a70e114646a3f9accdcfb8bfc543315249f29e10eaa68dfd5b5150ac72c25335f6f56f0529b0ff748)
0CCB: 1B b9 jmp -B9h(8)
0CCD: 40 0f mov r15 [data](32)
0CCF: 1D 0c12 mov r12 12h(8)
0CD2: 1F 003845e590 mov r0 90E54538h(32)
0CD8: 27 0c sub r12 r0(16)
0CDA: 27 f0 sub r0 r15(16)
0CDC: 1F 03822d032c mov r3 2C032D82h(32)
0CE2: 34 0f9193fe0a xor r15 AFE9391h(32)
0CE8: 28 c0 sub r0 r12(32)
0CEA: 2F 03e8 sub r3 E8h(8)
0CED: 30 0fd05d sub r15 5DD0h(16)
0CF1: 33 03324d xor r3 4D32h(16)
0CF5: 34 0333dace99 xor r3 99CEDA33h(32)
0CFB: 2F 0fe9 sub r15 E9h(8)
0CFE: 30 0fec4f sub r15 4FECh(16)
0D02: 26 00 sub r0 r0(8)
0D04: 30 0fb3a4 sub r15 A4B3h(16)
0D08: 34 0fa78c0f8d xor r15 8D0F8CA7h(32)
0D0E: 28 3c sub r12 r3(32)
0D10: 32 0f42 xor r15 42h(8)
0D13: 24 3c add r12 r3(16)
0D15: 2C 0fed add r15 EDh(8)
0D18: 43 0f mov [data](32)++ r15(32)
0D1A: 1A 95fd inc data -26Bh(16)
0D1D: 40 07 mov r7 [data](32)
0D1F: 1D 0420 mov r4 20h(8)
0D22: 31 0782933433 sub r7 33349382h(32)
0D28: 2F 041c sub r4 1Ch(8)
0D2B: 2D 07a881 add r7 81A8h(16)
0D2F: 43 07 mov [data](32)++ r7(32)
0D31: 18 0900 set loop 9h(16)
0D34: 16 783a6a rc4 key_len(78h) data_len(3Ah) key(6aed9aa1f8ccae3405401e6535007d10d490c185cd1d7b22fda4477944d39b2f03cad9ba1f8d768a2dce5f682dbc09a3e08055cba491ecc6ab6e19aab9ddabf2052d55c1c2da86687821586c8ed241cda64016f0d7fc73163f57d593342ade542961464d9e7c3aa128ff1c041e40557f273679ea425bbc48)
0DAF: 1B 7d jmp -7Dh(8)
0DB1: 1A c4fc inc data -33Ch(16)
0DB4: 18 0200 set loop 2h(16)
0DB7: 02 64555b nop4
0DBB: 12 not [data](8)++
0DBC: 16 602859 rc4 key_len(60h) data_len(28h) key(59a6e784df7fcd93b3b8820eb9a118cb49e3f2931562943b801975f2997450822cc595db2312b746b3084543a56142a791a5e47812564ce8ae9b4ee9f7afdb268aa187184e8de45971313d49f4bc11f64663abd317172c544c63d21d5afd3c95)
0E1F: 0C 09 rol [data](8)++ 9h(8)
0E21: 1E 00c146 mov r0 46C1h(16)
0E25: 2E 00df5991a1 add r0 A19159DFh(32)
0E2B: 20 08 mov r8 r0(8)
0E2D: 1F 09f81cffe9 mov r9 E9FF1CF8h(32)
0E33: 2D 092411 add r9 1124h(16)
0E37: 2F 0806 sub r8 6h(8)
0E3A: 1D 0bde mov r11 DEh(8)
0E3D: 2D 00c75c add r0 5CC7h(16)
0E41: 2E 001e36e25c add r0 5CE2361Eh(32)
0E47: 28 98 sub r8 r9(32)
0E49: 33 09d151 xor r9 51D1h(16)
0E4D: 26 8b sub r11 r8(8)
0E4F: 2E 08a74b1969 add r8 69194BA7h(32)
0E55: 2D 0b7301 add r11 173h(16)
0E59: 2D 083b44 add r8 443Bh(16)
0E5D: 24 99 add r9 r9(16)
0E5F: 2B 0b xor r11 r0(32)
0E61: 3B 08 xor [data](8)++ r8(8)
0E63: 16 0fcd5f rc4 key_len(Fh) data_len(CDh) key(5f418731950173ef12e77508c99ff0)
0E75: 1B c0 jmp -C0h(8)
0E77: 08 b2c08a8b add [data](32)++ 8B8AC0B2h(32)
0E7C: 40 0c mov r12 [data](32)
0E7E: 1E 01f64d mov r1 4DF6h(16)
0E82: 2B 11 xor r1 r1(32)
0E84: 43 0c mov [data](32)++ r12(32)
0E86: 16 1b2710 rc4 key_len(1Bh) data_len(27h) key(100a4fac18772770ed0591879605948fc8f1ef8099912500f93c19)
0EA4: 3F 0f mov r15 [data](16)
0EA6: 1E 0bf169 mov r11 69F1h(16)
0EAA: 34 0f6855c285 xor r15 85C25568h(32)
0EB0: 33 0f2e77 xor r15 772Eh(16)
0EB4: 2E 0f256eca2b add r15 2BCA6E25h(32)
0EBA: 26 fb sub r11 r15(8)
0EBC: 1D 0733 mov r7 33h(8)
0EBF: 27 fb sub r11 r15(16)
0EC1: 2D 0fe813 add r15 13E8h(16)
0EC5: 33 0f3cde xor r15 DE3Ch(16)
0EC9: 28 7b sub r11 r7(32)
0ECB: 2D 07e7d8 add r7 D8E7h(16)
0ECF: 32 0f12 xor r15 12h(8)
0ED2: 2B b7 xor r7 r11(32)
0ED4: 33 0f0124 xor r15 2401h(16)
0ED8: 42 0f mov [data](16)++ r15(16)
0EDA: 16 7902d7 rc4 key_len(79h) data_len(2h) key(d780c998cd76bc7d1d6dc7a2897a24ed4bb67a83e8a61950bafffae8bc0878f3d4967adb4d6421bad86104bfa731b1316b382650a7ddb2f17185ad6459ab524e1ba8a9ddd5c8adeb84ea5a586b82be5e39444a53acdb446aa642182f86b57e581981454f858589f7f1ab58f66a73e8f29c94f636db2c8bda99)
0F56: 3E 03 mov r3 [data](8)
0F58: 1D 0077 mov r0 77h(8)
0F5B: 2E 03e99373b4 add r3 B47393E9h(32)
0F61: 2A 00 xor r0 r0(16)
0F63: 2B 00 xor r0 r0(32)
0F65: 1D 091e mov r9 1Eh(8)
0F68: 32 03fc xor r3 FCh(8)
0F6B: 26 30 sub r0 r3(8)
0F6D: 25 30 add r0 r3(32)
0F6F: 1D 01dd mov r1 DDh(8)
0F72: 27 09 sub r9 r0(16)
0F74: 41 03 mov [data](8)++ r3(8)
0F76: 09 d1 sub [data](8)++ D1h(8)
0F78: 40 07 mov r7 [data](32)
0F7A: 1F 01db8817f5 mov r1 F51788DBh(32)
0F80: 2A 11 xor r1 r1(16)
0F82: 2D 0740f3 add r7 F340h(16)
0F86: 2D 07c2d5 add r7 D5C2h(16)
0F8A: 1F 04ad17c4f3 mov r4 F3C417ADh(32)
0F90: 2A 41 xor r1 r4(16)
0F92: 32 0709 xor r7 9h(8)
0F95: 24 44 add r4 r4(16)
0F97: 2D 019f27 add r1 279Fh(16)
0F9B: 28 71 sub r1 r7(32)
0F9D: 29 41 xor r1 r4(8)
0F9F: 31 0767e0532a sub r7 2A53E067h(32)
0FA5: 31 078a6f7f36 sub r7 367F6F8Ah(32)
0FAB: 2A 11 xor r1 r1(16)
0FAD: 43 07 mov [data](32)++ r7(32)
0FAF: 0B aedec0d8 sub [data](32)++ D8C0DEAEh(32)
0FB4: 1E 027a57 mov r2 577Ah(16)
0FB8: 24 22 add r2 r2(16)
0FBA: 1D 0868 mov r8 68h(8)
0FBD: 3A 02 sub [data](32)++ r2(32)
0FBF: 1D 0d2f mov r13 2Fh(8)
0FC2: 1E 0e11bc mov r14 BC11h(16)
0FC6: 1D 045d mov r4 5Dh(8)
0FC9: 2B 4d xor r13 r4(32)
0FCB: 2E 0e29d93357 add r14 5733D929h(32)
0FD1: 25 4e add r14 r4(32)
0FD3: 34 0ef3d94ff0 xor r14 F04FD9F3h(32)
0FD9: 2D 0dd271 add r13 71D2h(16)
0FDD: 34 0dc4f64db2 xor r13 B24DF6C4h(32)
0FE3: 25 e4 add r4 r14(32)
0FE5: 29 d4 xor r4 r13(8)
0FE7: 27 d4 sub r4 r13(16)
0FE9: 34 0458a04d20 xor r4 204DA058h(32)
0FEF: 2C 0e41 add r14 41h(8)
0FF2: 2F 0e95 sub r14 95h(8)
0FF5: 2F 04bf sub r4 BFh(8)
0FF8: 38 04 sub [data](8)++ r4(8)
0FFA: 44 exit