; VM entry stub (32-bit x86, MASM/IDA syntax as disassembled).
; Saves the host register state, sets up the VM's own stack and a scratch
; area, then fetches one opcode byte and dispatches through a handler table.
; Register roles established below:
;   esi = VM instruction pointer into the bytecode stream
;   ebp = VM stack pointer (the host stack, just below the saved registers)
;   edi = base of a 0C0h-byte scratch area below the VM stack
;   eax = opcode byte, zero-extended, used as the handler-table index
push edi ; push all registers
push ecx
push edx
push esi
push ebp
push ebx
push eax
push edx
pushf
push 0 ; imagebase fixup
mov esi, [esp+8+arg_0] ; esi = pointer to VM bytecode (arg_0 is the disassembler's name for the first stack argument)
mov ebp, esp ; ebp = VM's "stack" pointer; the saved registers and the fixup slot sit directly above it
sub esp, 0C0h
mov edi, esp ; edi = "scratch" data area (0C0h bytes), addressed by the handlers with small offsets
VM__FOLLOW__Update:
add esi, [ebp+0] ; EIP += dword at the top of the VM stack: a relative control transfer driven by stack data
VM__FOLLOW__Regular:
mov al, [esi] ; read a byte from EIP
movzx eax, al ; eax = opcode byte, zero-extended (0..255); the only bound on the table index is the byte width
sub esi, -1 ; increment EIP (equivalent to inc esi apart from the flags it writes)
jmp ds:VM__HandlerTable[eax*4] ; execute instruction handler: indirect dispatch through a table of 4-byte entries
; Instruction handlers, entered from the dispatch jump with eax = opcode byte (zero-extended).
; Conventions: ebp = VM stack pointer (grows down), edi = scratch area base, esi = VM EIP.
; Arithmetic handlers push the host EFLAGS as a dword onto the VM stack after the operation.

; #00: x = [EIP-1] & 0x3C; y = popd; [edi+x] = y
.text:00427251 and al, 3Ch ; al = instruction number (opcode bits masked to a dword-aligned scratch offset, 0..3Ch)
.text:00427254 mov edx, [ebp+0] ; grab a dword off the stack
.text:00427257 add ebp, 4 ; pop the stack
.text:0042725A mov [edi+eax], edx ; store the dword in the scratch space

; #01: x = [EIP-1] & 0x3C; y = [edi+x]; pushd y
.vmp0:0046B0EB and al, 3Ch ; al = instruction number (scratch offset, as in #00)
.vmp0:0046B0EE mov edx, [edi+eax] ; grab a dword out of the scratch space
.vmp0:0046B0F1 sub ebp, 4 ; subtract 4 from the stack pointer (reserve the push slot)
.vmp0:0046B0F4 mov [ebp+0], edx ; push the dword onto the stack

; #02: x = popw, y = popw, z = x + y, pushw z, pushf
; Net stack movement is -2: two words popped, one word result and a dword of flags pushed.
.text:004271FB mov ax, [ebp+0] ; pop a word off the stack
.text:004271FF sub ebp, 2 ; make room so that the flags dword lands at old ebp-2
.text:00427202 add [ebp+4], ax ; add it to another word on the stack (second operand at old ebp+2 becomes the result in place)
.text:00427206 pushf
.text:00427207 pop dword ptr [ebp+0] ; push the flags

; #03: x = [EIP++]; w = popw; [edi+x] = Byte(w)
.vmp0:0046B02A movzx eax, byte ptr [esi] ; read a byte from EIP (immediate operand: the scratch offset)
.vmp0:0046B02D mov dx, [ebp+0] ; pop a word off the stack
.vmp0:0046B031 inc esi ; EIP++
.vmp0:0046B032 add ebp, 2 ; adjust stack pointer
.vmp0:0046B035 mov [edi+eax], dl ; write a byte into the scratch area (only the low byte of the word is kept)

; #04: x = popd, y = popw, z = x >> y, pushd z, pushf
; NOTE: the operation is shr (logical right shift), not a left shift; the count is the low byte of the word operand.
.vmp0:0046B095 mov eax, [ebp+0] ; pop a dword off the stack
.vmp0:0046B098 mov cl, [ebp+4] ; pop a word off the stack (only its low byte is loaded, as the shift count)
.vmp0:0046B09B sub ebp, 2 ; net stack movement -2, same layout as #02
.vmp0:0046B09E shr eax, cl ; shr the dword by the word
.vmp0:0046B0A0 mov [ebp+4], eax ; push the result (overwrites the slot of the popped operands)
.vmp0:0046B0A3 pushf
.vmp0:0046B0A4 pop dword ptr [ebp+0] ; push the flags

; #05: x = popd, pushd ss:[x]
; The VM's raw memory-read primitive: the popped dword is dereferenced as an address with no validity check,
; so a malformed bytecode stream can make the host process fault here.
.vmp0:0046B5F7 mov eax, [ebp+0] ; pop a dword off the stack
.vmp0:0046B5FA mov eax, ss:[eax] ; read a dword from ss
.vmp0:0046B5FD mov [ebp+0], eax ; push that dword (replaces the address in place)