
Alexander Hanel Nymaim obfuscation notes

Created by Alexander Hanel
* 636 KB of position-independent code injected into a hollowed process 
* 76,202,774 instructions logged in the run trace 
* Not one string is present 
* Most API calls are Nt* system services (the debugger labels the ntdll stubs Zw*; in user mode the Nt*/Zw* exports are the same stubs) 
* 1,200 functions identified by IDA, but there are more likely about 2,000. 
	- Because the calls are computed there are no cross-references, so IDA did not identify them. IDAPatchWork found 800 more.   
* Function calls are reached through calculated targets: a small stub adds the difference of two pushed immediates to its own return address and RETNs to the real callee, so the static CALL never points at it 

Note: the assembly below is an execution trace (a debugger run trace with register results), not disassembler output.  

START
009D8513        Main    PUSH EAX                                        ;; placeholder slot, later overwritten with the original return address
009D8514        Main    PUSH 5698C631
009D8519        Main    PUSH 569A19A1
009D851E        Main    CALL 009C1A06                                   ;; the static target is only the dispatcher stub
009C1A06        Main    PUSH EBP
009C1A07        Main    MOV EBP,ESP     EBP=0007FF00
009C1A09        Main    PUSH EAX
                                                                        ;; save off return address
009C1A0A        Main    MOV EAX,DWORD PTR SS:[EBP+4]    EAX=009D8523
009C1A0D        Main    MOV DWORD PTR SS:[EBP+10],EAX                   ;; assign return address to [EBP+10] (the PUSH EAX slot)
009C1A10        Main    MOV EAX,DWORD PTR SS:[EBP+C]    EAX=5698C631    ;; second argument (first immediate pushed)
009C1A13        Main    SUB EAX,DWORD PTR SS:[EBP+8]    EAX=FFFEAC90    ;; minus third argument (second immediate pushed) = -0x15370
009C1A16        Main    JMP 009E1EA6
009E1EA6        Main    ADD DWORD PTR SS:[EBP+4],EAX                    ;; overwrite return address: 009D8523 - 0x15370 = 009C31B3
009E1EA9        Main    POP EAX EAX=00000000
009E1EAA        Main    LEAVE   EBP=0007FFC0
009E1EAB        Main    RETN 8                                          ;; jumps to 009C31B3 and drops the two immediates; 009D8523 is now at [ESP], so the callee sees the original return address
END

;; Python (return address + first immediate - second immediate, as a 32-bit value)
;; import ctypes
;; hex(ctypes.c_uint32(0x5698C631 - 0x569A19A1 + 0x009D8523).value)
;; '0x9c31b3'

009C31B3        Main    PUSH EBP
009C31B4        Main    MOV EBP,ESP     EBP=0007FF0C
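To recover these targets statically rather than from a trace, here is an added Python example (not part of the original notes) that replays the dispatcher arithmetic over raw code bytes: it scans for push imm32 / push imm32 / call rel32 triples whose CALL lands on a known dispatcher stub and resolves each to its real callee. The sample bytes are constructed to match the traced sequence at 009D8513; the dispatcher set, and the assumption that every stub uses the same subtraction as 009C1A06, are the analyst's inputs.

```python
"""Resolve Nymaim's computed call targets statically.

Added example (not from the original notes). It mirrors the dispatcher stub traced
at 009C1A06: EAX = [EBP+C] - [EBP+8]; [EBP+4] += EAX; RETN 8, i.e. the real callee is
return_address + first_pushed_immediate - second_pushed_immediate.
"""
import struct

MASK32 = 0xFFFFFFFF


def resolve_target(ret_addr, first_imm, second_imm):
    """Real callee for one 'push imm; push imm; call dispatcher' site."""
    return (ret_addr + first_imm - second_imm) & MASK32


def find_computed_calls(code, base, dispatchers):
    """Scan raw code for  68 imm32 / 68 imm32 / E8 rel32  triples whose CALL lands on a
    known dispatcher stub and return [(call_site, resolved_target), ...].
    `dispatchers` is the set of stub addresses identified in the trace (assumption:
    every such stub uses the same arithmetic as 009C1A06)."""
    hits = []
    for i in range(len(code) - 14):
        if code[i] != 0x68 or code[i + 5] != 0x68 or code[i + 10] != 0xE8:
            continue
        first_imm, = struct.unpack_from("<I", code, i + 1)
        second_imm, = struct.unpack_from("<I", code, i + 6)
        rel, = struct.unpack_from("<i", code, i + 11)
        call_site = base + i + 10
        ret_addr = (call_site + 5) & MASK32
        if (ret_addr + rel) & MASK32 not in dispatchers:
            continue  # a plain CALL that happens to follow two pushes
        hits.append((call_site, resolve_target(ret_addr, first_imm, second_imm)))
    return hits


# Constructed sample: the bytes behind the traced sequence at 009D8513
#   push eax / push 5698C631 / push 569A19A1 / call 009C1A06
# followed by a decoy push/push/call that does not target the dispatcher.
SAMPLE_BASE = 0x009D8513
SAMPLE = bytes.fromhex(
    "50"                      # push eax (placeholder slot for the return address)
    "6831C69856"              # push 5698C631
    "68A1199A56"              # push 569A19A1
    "E8E394FEFF"              # call 009C1A06  (rel32 = 009C1A06 - 009D8523)
    "6811111111"              # decoy: push 11111111
    "6822222222"              # decoy: push 22222222
    "E800000000"              # decoy: call $+5, not a dispatcher
)

if __name__ == "__main__":
    for site, target in find_computed_calls(SAMPLE, SAMPLE_BASE, {0x009C1A06}):
        print(f"{site:08X} -> {target:08X}")   # 009D851E -> 009C31B3
```

Running it prints 009D851E -> 009C31B3, the same value as the ctypes one-liner. The (call_site, target) pairs are what you would feed to IDA as user-defined code cross-references so the unreferenced functions get discovered; a dispatcher that computes its delta differently needs its own resolver.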

* Contains many loops that look like junk code, but their results are used later for decoding, so they cannot simply be patched out. 

;; loop that executes 0xF29 times (ECX starts at 0xF29); net effect EBX += EDX * 0xF29

009DA4AF        Main    JE SHORT 009DA4B6
009DA4B1        Main    ADD EBX,EDX     EBX=0AD50760
009DA4B3        Main    DEC ECX ECX=00000F28
009DA4B4        Main    JNZ SHORT 009DA4B1
...
009DA4B1        Main    ADD EBX,EDX     EBX=2932A6C8
009DA4B3        Main    DEC ECX ECX=00000000
009DA4B4        Main    JNZ SHORT 009DA4B1

;; end of the "junk" loop: it only computes EBX += EDX * 0xF29, so the final value can be
;; precomputed instead of single-stepping 0xF29 iterations
;; is the calculated value 2932A6C8 ever used again?
;; yes, it is the key that gets rotated (ROR EAX,CL at 009BA6D4) and XORed into the data at 009BA6E5


009DA4B6        Main    MOV ECX,DWORD PTR SS:[EBP-20]   ECX=00003CA5
009DA4B9        Main    JMP DWORD PTR SS:[EBP-18]
...
009BA6D2        Main    MOV EAX,EBX     EAX=2932A6C8            ;; calculated value from the loop
009BA6D4        Main    ROR EAX,CL      EAX=C82932A6            ;; CL & 1F = 8 at this point: a byte rotate of the key
009BA6D6        Main    INC EDX EDX=00003CA6                    ;; byte counter
009BA6D7        Main    MOV DWORD PTR SS:[EBP-10],EDX
009BA6DA        Main    AND EDX,3       EDX=00000002
009BA6DD        Main    JNZ SHORT 009BA6E5                      ;; every fourth byte falls through to a different path (not shown in this trace)
009BA6E5        Main    XOR AL,BYTE PTR DS:[ESI]        EAX=C82932FA    ;; key byte A6 ^ data byte 5C = FA
009BA6E7        Main    INC ESI ESI=00A4AB86                    ;; increment pointer to encoded data
009BA6E8        Main    MOV BYTE PTR DS:[EDI],AL                ;; store decoded byte
009BA6EA        Main    INC EDI EDI=0007FB8D                    ;; increment pointer to output buffer (on the stack)

* API addresses are stored XOR-encoded, so no pointer into ntdll appears in memory and no cross-references to the imports can be recovered 

009D35C0        Main    PUSH EBX
009D35C1        Main    MOV EBX,D1C2FB03        EBX=D1C2FB03
009D35C6        Main    XOR EAX,EBX     EAX=7C90D9E0			;; 7C90D9E0 = ZwReadVirtualMemory; EAX held the encoded value AD5222E3 before the XOR
009D35C8        Main    POP EBX EBX=00000000
009D35C9        Main    LEAVE   EBP=0007FCBC
009D35CA        Main    RETN

* The API is then reached with a JMP rather than a CALL, after pushing a fake return address that lies inside ntdll.dll: the syscall stub returns to 7C95EE2D, a CALL EBX in ntdll, which transfers control back to the injected code. A debugger's "execute till user code" therefore never stops at the call site. 

009E2AB2        Main    PUSH EDI                                        ;; EDI = 7C95EE2D, the fake return address
009E2AB3        Main    JMP DWORD PTR SS:[EBP+8]                        ;; [EBP+8] holds the decoded address 7C90D9E0
ZwReadVirtualMemory     Main    MOV EAX,0BA     EAX=000000BA            ;; system call number
7C90D9E5        Main    MOV EDX,7FFE0300        EDX=7FFE0300
7C90D9EA        Main    CALL DWORD PTR DS:[EDX]
KiFastSystemCall        Main    MOV EDX,ESP     EDX=0007FB20
7C90E4F2        Main    SYSENTER        EAX=00000000, ECX=00000001, EDX=FFFFFFFF
7C90D9EC        Main    RETN 14                                         ;; returns to the pushed EDI, not into the injected code
7C95EE2D        Main    CALL EBX                                        ;; gadget inside ntdll; EBX points back into the injected code
009DEA60        Main    CMP DWORD PTR SS:[EBP-CC],EDX
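Because XOR is its own inverse, a known key lets you hunt for every pointer encoded with it. The following added Python example (not from the original notes) XORs each dword of a dump with the key D1C2FB03 from 009D35C1 and keeps those that decode into ntdll's address range. Two assumptions are baked in and labelled in the code: that the same key is reused for other stored pointers, and an XP-era ntdll mapping at 7C900000-7C9B0000 consistent with the 7C90xxxx addresses in the trace. The dump bytes are constructed.

```python
"""Find XOR-encoded ntdll pointers in a memory dump.

Added example, not from the original notes. Assumptions: the XOR key D1C2FB03 seen at
009D35C1 is reused for other stored API pointers, and ntdll is mapped at 7C900000-7C9B0000
(an XP-era layout consistent with the 7C90xxxx addresses in the trace).
"""
import struct

KEY = 0xD1C2FB03
NTDLL_RANGE = (0x7C900000, 0x7C9B0000)   # assumption, see above


def decode_pointer(encoded, key=KEY):
    """XOR is its own inverse: the same operation encodes and decodes."""
    return encoded ^ key


def find_encoded_pointers(blob, key=KEY, module_range=NTDLL_RANGE, step=1):
    """Return [(offset, decoded_address)] for every dword that lands inside the module
    once XORed with `key`. Use step=4 if the constants are known to be dword-aligned."""
    lo, hi = module_range
    hits = []
    for off in range(0, len(blob) - 3, step):
        value, = struct.unpack_from("<I", blob, off)
        decoded = value ^ key
        if lo <= decoded < hi:
            hits.append((off, decoded))
    return hits


def expected_false_positives(blob_len, module_range, step=1):
    """A random dword hits the window with probability (hi-lo)/2^32; use this to judge
    how many hits must be confirmed against the export table."""
    lo, hi = module_range
    positions = max(0, (blob_len - 3 + step - 1) // step)
    return positions * (hi - lo) / 2 ** 32


# Constructed dump: one real encoded pointer (AD5222E3 ^ D1C2FB03 = 7C90D9E0,
# ZwReadVirtualMemory in the trace) between three unrelated dwords.
SAMPLE = struct.pack("<IIII", 0xDEADBEEF, 0xAD5222E3, 0x00000000, 0x12345678)

if __name__ == "__main__":
    for off, addr in find_encoded_pointers(SAMPLE):
        print(f"+{off:#x}: {addr:08X}")   # +0x4: 7C90D9E0
    print(f"{expected_false_positives(636 * 1024, NTDLL_RANGE):.0f} expected false hits in 636 KB")
```

A 720 KB window out of a 32-bit space means roughly one random dword in 6,000 lands inside it by chance, so a byte-granular scan of the 636 KB blob yields on the order of a hundred spurious hits; confirm each decoded address against ntdll's export table (or restrict to dword-aligned offsets with step=4) before trusting it. If the scan finds nothing, the key is probably per call site and has to be pulled from each XOR stub.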

* The only familiar thing in the code is the hashing of API names: for each byte of the export name the running value is rotated left by 7 and its low byte XORed with the character. "ZwCreateFile" hashes to AA1AAC22. 

009B1A11        Main    ROL EBX,7       EBX=AA1AAC47                    ;; per byte: EBX = ROL(EBX,7) ^ byte
009B1A14        Main    XOR BL,AL       EBX=AA1AAC22			;; ZwCreateFile; last byte 'e' (65): 47 ^ 65 = 22
009B1A16        Main    INC ESI ESI=7C90B772                            ;; ESI walked 12 bytes from 7C90B766, the length of "ZwCreateFile" without terminator
009B1A17        Main    DEC EDI EDI=00000000                            ;; remaining length
009B1A18        Main    JNZ 009EA766
009B1A1E        Main    MOV EAX,EBX     EAX=AA1AAC22                    ;; hash returned in EAX
009B1A20        Main    POP ESI ESI=7C90B766
009B1A21        Main    POP EBX EBX=7C903400
009B1A22        Main    POP EDI EDI=7C905744
009B1A23        Main    LEAVE   EBP=0007F52C
009B1A24        Main    RETN 8
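The hash can be recomputed from the trace alone. Below is an added Python example (not from the original notes) implementing the per-byte ROL 7 / XOR step; starting from a zero seed over the 12 bytes of "ZwCreateFile" (no terminator, matching ESI advancing from 7C90B766 to 7C90B772) it reproduces both AA1AAC47 before the final XOR and AA1AAC22 after it, which is how the zero seed was established. The export-name list is a constructed subset used to show the lookup.

```python
"""Recompute the API-name hash seen at 009B1A11 and build a lookup table.

Added example, not from the original notes. The trace shows ROL EBX,7 / XOR BL,AL per
byte of the export name with ESI walking 12 bytes of "ZwCreateFile" (no terminator);
recomputing from a zero seed reproduces both AA1AAC47 (before the last XOR) and
AA1AAC22, so seed 0 is taken as established. The export-name list is constructed.
"""
MASK32 = 0xFFFFFFFF


def rol32(value, count):
    count &= 31
    return ((value << count) | (value >> (32 - count))) & MASK32


def api_hash(name, seed=0):
    """h = ROL(h, 7) ^ byte for every byte of the name. XOR BL,AL only touches the
    low byte, which is the same as XORing the full register with a byte-sized value."""
    h = seed
    for c in name.encode("ascii"):
        h = rol32(h, 7) ^ c
    return h


def build_table(names):
    """hash -> name; raises on a collision so a wrong resolution is never silent."""
    table = {}
    for n in names:
        h = api_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"collision: {table[h]} / {n} -> {h:08X}")
        table[h] = n
    return table


# Constructed subset of ntdll exports (Nt*/Zw* are separate export names, so both hash).
NTDLL_EXPORTS = [
    "ZwCreateFile", "NtCreateFile", "ZwReadVirtualMemory", "NtReadVirtualMemory",
    "ZwWriteVirtualMemory", "ZwClose", "LdrLoadDll", "LdrGetProcedureAddress",
]

if __name__ == "__main__":
    table = build_table(NTDLL_EXPORTS)
    print(f"{api_hash('ZwCreateFile'):08X}")       # AA1AAC22
    print(table.get(0xAA1AAC22))                    # ZwCreateFile
```

Hash every export name of the ntdll build in the sandbox and the table resolves each hash constant the malware compares against. The collision check matters because Nt*/Zw* pairs are distinct export names with distinct hashes; a silent dictionary overwrite would misattribute a call.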

