nrv2b_depack_x86.asm
;
; UCL NRV2B depacker in x86 assembly, by Odzhan (115 bytes)
; Derived from n2b_d_s1.asm, by Markus F.X.J. Oberhumer
;
; uint32_t nrv2b_depack(void *outbuf, void *inbuf);
;
bits 32
%ifndef BIN
; Both the plain and the underscore-prefixed name are exported unless BIN is
; defined (presumably so either C symbol-naming scheme links, and BIN selects
; a flat-binary build - confirm against the build script).
global nrv2b_depack
global _nrv2b_depack
%endif
;-----------------------------------------------------------------------
; uint32_t nrv2b_depack(void *outbuf, void *inbuf)
;
; Expands an NRV2B-packed stream from inbuf into outbuf.
;
; In:    [esp+4] = outbuf, [esp+8] = inbuf (stack arguments; the routine
;        ends in a plain `ret`, so the caller removes them)
; Out:   eax = number of bytes written to outbuf
; Saved: every other general register (pushad/popad); flags are clobbered
; NOTE(review): lodsb/movsb are used without a cld, so this assumes the
;        direction flag is clear on entry - confirm for the calling ABI.
;
; Register roles inside the loop:
;   esi = input cursor            edi = output cursor
;   ebp = address of the get-bit routine (invoked with `call ebp`)
;   al  = bit buffer; the lowest set bit is a sentinel marking "empty"
;   edx = last match offset, kept negative (starts at -1)
;   ebx = offset accumulator      ecx = match length (0 between matches)
;
; NOTE(review): neither buffer has a length parameter and nothing below
; compares esi or edi against a limit. The loop stops only at the
; end-of-stream marker, the match offset in edx is never checked against
; the start of outbuf, and the match length in ecx is never checked
; against the space left in outbuf. A truncated or corrupted stream
; therefore reads and writes outside the caller's buffers. Unpack only
; data whose integrity has been verified beforehand; where the stream can
; come from an untrusted party, use a bounds-checked depacker that takes
; both buffer sizes instead.
;-----------------------------------------------------------------------
nrv2b_depack:
_nrv2b_depack:
pushad                        ; save all 8 registers (32 bytes)
mov edi, [esp+32+4] ; edi = outbuf (32 bytes of pushad + return address)
mov esi, [esp+32+8] ; esi = inbuf
xor ecx, ecx                  ; match length = 0
mul ecx                       ; edx:eax = eax * 0, clears eax and edx together
dec edx                       ; last offset = -1
mov al, 0x80                  ; bit buffer holds only the sentinel: first get-bit reloads
call init_get_bit             ; pushes the address of the get-bit routine that follows
; get-bit routine: returns the next input bit in CF.
; Not reached by fall-through; entered only through `call ebp`.
add al, al                    ; shift the top bit into CF
jnz exit_get_bit              ; bits remain in the buffer
lodsb                         ; buffer empty: al = next input byte (CF still 1 from the sentinel)
adc al, al                    ; top bit -> CF, old CF shifted in as the new sentinel
exit_get_bit:
ret
init_get_bit:
pop ebp                       ; ebp = address of the get-bit routine
jmp nrv2b_main
; copy literal: one byte straight from input to output
nrv2b_copy_byte:
movsb
nrv2b_main:
call ebp
jc nrv2b_copy_byte            ; bit 1 = literal, bit 0 = match
; match: decode the variable-length offset prefix, starting from 1
push 1
pop ebx
nrv2b_match:
call ebp
adc ebx, ebx                  ; ebx = ebx*2 + data bit
call ebp
jnc nrv2b_match               ; control bit 0 = another data bit follows
; use previous offset? borrow (ebx was 2) keeps the offset already in edx
sub ebx, 3
jb nrv2b_read_len
; read new offset: low 8 bits come from the next input byte
shl ebx, 8
mov bl, [esi]
inc esi
xor ebx, -1                   ; ebx = ~ebx, i.e. the negative offset; zero = end-of-stream marker
jz nrv2b_exit
xchg edx, ebx                 ; edx = new last offset (not range-checked, see header note)
nrv2b_read_len:
call ebp
adc ecx, ecx
call ebp
adc ecx, ecx                  ; ecx = two length bits
jnz nrv2b_copy_bytes          ; non-zero: short length encoded directly
inc ecx                       ; zero: variable-length form, start from 1
nrv2b_len:
call ebp
adc ecx, ecx                  ; ecx = ecx*2 + data bit
call ebp
jnc nrv2b_len                 ; control bit 0 = another data bit follows
inc ecx
inc ecx                       ; long lengths are biased by 2
nrv2b_copy_bytes:
cmp edx, -0xD00               ; CF = 1 when the match distance exceeds 0xD00
adc ecx, 1                    ; length += 1, plus 1 more for such far matches
push esi                      ; keep the input cursor across the copy
lea esi, [edi + edx]          ; copy source = output cursor + negative offset
rep movsb                     ; byte-wise copy; leaves ecx = 0 for the next match
pop esi
jmp nrv2b_main
nrv2b_exit:
; return depacked length
sub edi, [esp+32+4]           ; edi = output cursor - outbuf
mov [esp+28], edi             ; overwrite the saved eax slot so popad loads the result
popad
ret