; Annotated disassembly (OllyDbg style: address | opcode bytes | instruction | notes) of a small
; pre-stub that runs ahead of an ordinary UPX unpacking stub; the image appears to be mapped at 31000000.
; The listing is in execution order, so 31009206 appears twice: once as it sits in memory and once
; where it actually executes, as the SEH handler. Techniques, in order: SEH-based control transfer,
; overlapping-instruction disassembler desync, PEB.BeingDebugged check, delta-offset single-byte XOR
; decoder. The decoder's parameters live in a dword/byte table at 3100926E..3100927E that is not
; shown here, so comments that depend on those values are marked as presumed.
31009200 > 5B POP EBX ; ebx = 7C581AF6, an address inside KERNEL32 (presumably the caller's return address); reused at 3100926C as the write target that faults
31009201 E8 59000000 CALL 3100925F ; pushes the return address 31009206 -- that value becomes the SEH handler below, not a real return target
31009206 8B6424 08 MOV ESP,DWORD PTR SS:[ESP+8] ; shown here as laid out in memory; see 31009206 further down for when it executes (handler entry)
3100925F 2BC0 SUB EAX,EAX ; eax = 0, used as the FS segment offset in the next two instructions
31009261 64:FF30 PUSH DWORD PTR FS:[EAX] ; push FS:[0] = current head of the SEH chain; stack is now {prev_record, 31009206} = an EXCEPTION_REGISTRATION {Next, Handler}
31009264 64:8920 MOV DWORD PTR FS:[EAX],ESP ; FS:[0] = esp -> 31009206 is now the first handler in the chain
31009267 B8 78563412 MOV EAX,12345678 ; arbitrary value; only the write below matters
3100926C 8703 XCHG DWORD PTR DS:[EBX],EAX ; write into KERNEL32 code at [ebx]; presumably faults (read-only page) -> access violation dispatched to the handler just installed. Under a debugger this arrives as a first-chance exception first; if the debugger swallows it, the handler never runs and nothing below executes
; --- SEH handler entry: the dispatcher calls it as handler(ExceptionRecord, EstablisherFrame, Context, DispatcherContext)
31009206 8B6424 08 MOV ESP,DWORD PTR SS:[ESP+8] ; esp = EstablisherFrame = address of the registration record pushed above; the handler never returns to the dispatcher, it just falls through. Note FS:[0] still points at this stack frame afterwards
3100920A B8 EB040000 MOV EAX,4EB ; opcode bytes B8 EB 04 00 00: the EB 04 inside the immediate is a real instruction (see next line)
3100920F ^EB FA JMP SHORT 3100920B ; jumps into the middle of the MOV: 3100920B = EB 04 = JMP SHORT 31009211. A linear-sweep disassembler shows garbage here
; --- Debugger check via PEB.BeingDebugged (no API call, so nothing to hook at the import level)
31009211 64:67:A1 1800 MOV EAX,DWORD PTR FS:[18] ; eax = TEB (NtTib.Self)
31009216 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30] ; eax = TEB.ProcessEnvironmentBlock
31009219 0FB640 02 MOVZX EAX,BYTE PTR DS:[EAX+2] ; eax = PEB.BeingDebugged (zero-extended byte)
3100921D 83F8 00 CMP EAX,0 ; flag set?
31009220 75 3C JNZ SHORT 3100925E ; BeingDebugged != 0 -> skip the decoder entirely and go straight to the RETN at 3100925E; the observable failure is an undecoded stub, not a crash here
; --- Delta-offset XOR decoder: ebp is made to point at the parameter table relative to the current eip
31009222 E8 00000000 CALL 31009227 ; call $+5: pushes 31009227
31009227 5D POP EBP ; ebp = 31009227 (current eip); stack back where it was
31009228 81ED 20234000 SUB EBP,402320 ; ebp = 30C06F07, so [ebp+402367] = [3100926E], +40236B = [31009272], +40236F = [31009276], +402373 = [3100927A], +402377 = [3100927E]: the table right after the XCHG at 3100926C (not in this listing)
3100922E 8B85 67234000 MOV EAX,DWORD PTR SS:[EBP+402367] ; eax = [3100926E], presumably the RVA of the encoded region
31009234 0385 6F234000 ADD EAX,DWORD PTR SS:[EBP+40236F] ; + [31009276], presumably the image base
3100923A 8BF0 MOV ESI,EAX ; esi = start of the encoded bytes
3100923C 8B85 6B234000 MOV EAX,DWORD PTR SS:[EBP+40236B] ; eax = [31009272], presumably the RVA of the UPX stub entry
31009242 0385 6F234000 ADD EAX,DWORD PTR SS:[EBP+40236F] ; + [31009276] -> absolute address
31009248 50 PUSH EAX ; push OEP of the real UPX stub (31008220 below, still encoded at this point); consumed by the RETN at 3100925E
31009249 8BFE MOV EDI,ESI ; edi = esi: decode in place
3100924B 33C9 XOR ECX,ECX ; ecx = 0, bytes decoded so far
3100924D AC LODS BYTE PTR DS:[ESI] ; al = *esi++
3100924E 3285 77234000 XOR AL,BYTE PTR SS:[EBP+402377] ; al ^= single-byte key stored at 3100927E
31009254 AA STOS BYTE PTR ES:[EDI] ; *edi++ = al
31009255 41 INC ECX ; ecx++
31009256 3B8D 73234000 CMP ECX,DWORD PTR SS:[EBP+402373] ; compare against the length at [3100927A]
3100925C ^7C EF JL SHORT 3100924D ; signed compare: loop while ecx < length
3100925E C3 RETN ; decoder path: pops the pushed OEP -> 31008220. Debugger path (jumped here from 31009220): nothing was pushed, so this pops [esp] = the saved previous-handler pointer, a stack address rather than code
; (author's note: on the debugger path this lands in a junk block)
; --- Ordinary UPX unpacking stub; these bytes were presumably the region decoded by the loop above
31008220 . 60 PUSHAD ; standard UPX stub entry: save all general registers
31008221 . BE 00600031 MOV ESI,31006000 ; esi = packed data
31008226 . 8DBE 00B0FFFF LEA EDI,DWORD PTR DS:[ESI+FFFFB000] ; edi = esi - 5000 = 31001000, unpack destination
3100822C . 57 PUSH EDI ; keep the destination for later
3100822D . 83CD FF OR EBP,FFFFFFFF ; ebp = -1
31008230 . EB 10 JMP SHORT 31008242 ; skip the NOP padding into the decompressor proper (not in this listing)
31008232 90 NOP
31008233 90 NOP
31008234 90 NOP
31008235 90 NOP
31008236 90 NOP
31008237 90 NOP |