Actor(s): MUMMY SPIDER, Mealybug
There is no description at this point.
rule win_emotet_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2019-07-05" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator 0.2a" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.geodo" malpedia_version = "20190620" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. * The code and documentation / approach is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 83f87f 76?? c1e807 41 83f87f 77?? } // n = 6, score = 1500 // 83f87f | cmp eax, 0x7f // 76?? | // c1e807 | shr eax, 7 // 41 | inc ecx // 83f87f | cmp eax, 0x7f // 77?? | $sequence_1 = { 83f87f 76?? c1e807 41 83f87f 77?? } // n = 6, score = 1500 // 83f87f | cmp eax, 0x7f // 76?? | // c1e807 | shr eax, 7 // 41 | inc ecx // 83f87f | cmp eax, 0x7f // 77?? | $sequence_2 = { 83f87f 76?? c1e807 41 } // n = 4, score = 1500 // 83f87f | cmp eax, 0x7f // 76?? | // c1e807 | shr eax, 7 // 41 | inc ecx $sequence_3 = { 76?? c1e807 41 83f87f } // n = 4, score = 1500 // 76?? | // c1e807 | shr eax, 7 // 41 | inc ecx // 83f87f | cmp eax, 0x7f $sequence_4 = { 76?? c1e807 41 83f87f 77?? } // n = 5, score = 1500 // 76?? | // c1e807 | shr eax, 7 // 41 | inc ecx // 83f87f | cmp eax, 0x7f // 77?? | $sequence_5 = { 83f87f 76?? c1e807 41 83f87f } // n = 5, score = 1500 // 83f87f | cmp eax, 0x7f // 76?? | // c1e807 | shr eax, 7 // 41 | inc ecx // 83f87f | cmp eax, 0x7f $sequence_6 = { 83f87f 76?? c1e807 41 } // n = 4, score = 1500 // 83f87f | cmp eax, 0x7f // 76?? | // c1e807 | shr eax, 7 // 41 | inc ecx $sequence_7 = { 76?? c1e807 41 83f87f 77?? } // n = 5, score = 1500 // 76?? | // c1e807 | shr eax, 7 // 41 | inc ecx // 83f87f | cmp eax, 0x7f // 77?? | $sequence_8 = { 66894604 8bc1 83e03f c1e906 83e13f } // n = 5, score = 1300 // 66894604 | mov word ptr [esi + 4], ax // 8bc1 | mov eax, ecx // 83e03f | and eax, 0x3f // c1e906 | shr ecx, 6 // 83e13f | and ecx, 0x3f $sequence_9 = { 66894604 8bc1 83e03f c1e906 83e13f } // n = 5, score = 1300 // 66894604 | mov word ptr [esi + 4], ax // 8bc1 | mov eax, ecx // 83e03f | and eax, 0x3f // c1e906 | shr ecx, 6 // 83e13f | and ecx, 0x3f $sequence_10 = { 66894604 8bc1 83e03f c1e906 } // n = 4, score = 1300 // 66894604 | mov word ptr [esi + 4], ax // 8bc1 | mov eax, ecx // 83e03f | and eax, 0x3f // c1e906 | shr ecx, 6 $sequence_11 = { 66894604 8bc1 83e03f c1e906 } // n = 4, score = 1300 // 66894604 | mov word ptr [esi + 4], ax // 8bc1 | mov eax, ecx // 83e03f | and eax, 0x3f // c1e906 | shr ecx, 6 $sequence_12 = { 66894604 8bc1 83e03f c1e906 } // n = 4, score = 1300 // 66894604 | mov word ptr [esi + 4], ax // 8bc1 | mov eax, ecx // 83e03f | and eax, 0x3f // c1e906 | shr ecx, 6 $sequence_13 = { 66894604 8bc1 83e03f c1e906 83e13f } // n = 5, score = 1300 // 66894604 | mov word ptr [esi + 4], ax // 8bc1 | mov eax, ecx // 83e03f | and eax, 0x3f // c1e906 | shr ecx, 6 // 83e13f | and ecx, 0x3f $sequence_14 = { 8d047d08000000 50 6a08 ff15???????? 50 } // n = 5, score = 1200 // 8d047d08000000 | lea eax, [edi*2 + 8] // 50 | push eax // 6a08 | push 8 // ff15???????? | // 50 | push eax $sequence_15 = { 8d047d08000000 50 6a08 ff15???????? 50 ff15???????? } // n = 6, score = 1200 // 8d047d08000000 | lea eax, [edi*2 + 8] // 50 | push eax // 6a08 | push 8 // ff15???????? | // 50 | push eax // ff15???????? | $sequence_16 = { 8d047d08000000 50 6a08 ff15???????? } // n = 4, score = 1200 // 8d047d08000000 | lea eax, [edi*2 + 8] // 50 | push eax // 6a08 | push 8 // ff15???????? | $sequence_17 = { 8d047d08000000 50 6a08 ff15???????? 50 ff15???????? } // n = 6, score = 1200 // 8d047d08000000 | lea eax, [edi*2 + 8] // 50 | push eax // 6a08 | push 8 // ff15???????? | // 50 | push eax // ff15???????? | $sequence_18 = { 8d047d08000000 50 6a08 ff15???????? } // n = 4, score = 1200 // 8d047d08000000 | lea eax, [edi*2 + 8] // 50 | push eax // 6a08 | push 8 // ff15???????? | $sequence_19 = { 8d047d08000000 50 6a08 ff15???????? 50 } // n = 5, score = 1200 // 8d047d08000000 | lea eax, [edi*2 + 8] // 50 | push eax // 6a08 | push 8 // ff15???????? | // 50 | push eax $sequence_20 = { 8bda 53 6a00 68e9fd0000 ff15???????? } // n = 5, score = 1100 // 8bda | mov ebx, edx // 53 | push ebx // 6a00 | push 0 // 68e9fd0000 | push 0xfde9 // ff15???????? | $sequence_21 = { 53 6a00 68e9fd0000 ff15???????? 8bf8 85ff 74?? } // n = 7, score = 1100 // 53 | push ebx // 6a00 | push 0 // 68e9fd0000 | push 0xfde9 // ff15???????? | // 8bf8 | mov edi, eax // 85ff | test edi, edi // 74?? | $sequence_22 = { 8bda 53 6a00 68e9fd0000 } // n = 4, score = 1100 // 8bda | mov ebx, edx // 53 | push ebx // 6a00 | push 0 // 68e9fd0000 | push 0xfde9 $sequence_23 = { 6a00 68e9fd0000 ff15???????? 8bf8 85ff 74?? 56 } // n = 7, score = 1100 // 6a00 | push 0 // 68e9fd0000 | push 0xfde9 // ff15???????? | // 8bf8 | mov edi, eax // 85ff | test edi, edi // 74?? | // 56 | push esi $sequence_24 = { 8bda 53 6a00 68e9fd0000 ff15???????? 8bf8 85ff } // n = 7, score = 1100 // 8bda | mov ebx, edx // 53 | push ebx // 6a00 | push 0 // 68e9fd0000 | push 0xfde9 // ff15???????? | // 8bf8 | mov edi, eax // 85ff | test edi, edi $sequence_25 = { 8bda 53 6a00 68e9fd0000 } // n = 4, score = 1100 // 8bda | mov ebx, edx // 53 | push ebx // 6a00 | push 0 // 68e9fd0000 | push 0xfde9 $sequence_26 = { 8bda 53 6a00 68e9fd0000 ff15???????? 8bf8 } // n = 6, score = 1100 // 8bda | mov ebx, edx // 53 | push ebx // 6a00 | push 0 // 68e9fd0000 | push 0xfde9 // ff15???????? | // 8bf8 | mov edi, eax $sequence_27 = { 6a00 68e9fd0000 ff15???????? 8bf8 85ff 74?? 56 } // n = 7, score = 1100 // 6a00 | push 0 // 68e9fd0000 | push 0xfde9 // ff15???????? | // 8bf8 | mov edi, eax // 85ff | test edi, edi // 74?? | // 56 | push esi $sequence_28 = { 8bfa 8bf1 8d047d08000000 50 } // n = 4, score = 1000 // 8bfa | mov edi, edx // 8bf1 | mov esi, ecx // 8d047d08000000 | lea eax, [edi*2 + 8] // 50 | push eax $sequence_29 = { 8bc2 c1e808 0fb6c0 668941fa c1ea10 } // n = 5, score = 1000 // 8bc2 | mov eax, edx // c1e808 | shr eax, 8 // 0fb6c0 | movzx eax, al // 668941fa | mov word ptr [ecx - 6], ax // c1ea10 | shr edx, 0x10 $sequence_30 = { 0fb6c0 668941fa c1ea10 0fb6c2 668941fc c1ea08 } // n = 6, score = 1000 // 0fb6c0 | movzx eax, al // 668941fa | mov word ptr [ecx - 6], ax // c1ea10 | shr edx, 0x10 // 0fb6c2 | movzx eax, dl // 668941fc | mov word ptr [ecx - 4], ax // c1ea08 | shr edx, 8 $sequence_31 = { 668941fa c1ea10 0fb6c2 668941fc c1ea08 0fb6c2 } // n = 6, score = 1000 // 668941fa | mov word ptr [ecx - 6], ax // c1ea10 | shr edx, 0x10 // 0fb6c2 | movzx eax, dl // 668941fc | mov word ptr [ecx - 4], ax // c1ea08 | shr edx, 8 // 0fb6c2 | movzx eax, dl $sequence_32 = { 75?? 66894604 83c608 2bf2 } // n = 4, score = 1000 // 75?? | // 66894604 | mov word ptr [esi + 4], ax // 83c608 | add esi, 8 // 2bf2 | sub esi, edx $sequence_33 = { c1ea10 0fb6c2 668941fc c1ea08 } // n = 4, score = 1000 // c1ea10 | shr edx, 0x10 // 0fb6c2 | movzx eax, dl // 668941fc | mov word ptr [ecx - 4], ax // c1ea08 | shr edx, 8 $sequence_34 = { 0fb6c0 668941fa c1ea10 0fb6c2 668941fc } // n = 5, score = 1000 // 0fb6c0 | movzx eax, al // 668941fa | mov word ptr [ecx - 6], ax // c1ea10 | shr edx, 0x10 // 0fb6c2 | movzx eax, dl // 668941fc | mov word ptr [ecx - 4], ax $sequence_35 = { eb?? eb?? 8b45e8 83c001 } // n = 4, score = 800 // eb?? | // eb?? | // 8b45e8 | mov eax, dword ptr [ebp - 0x18] // 83c001 | add eax, 1 $sequence_36 = { 56 ff7508 53 6a00 68e9fd0000 } // n = 5, score = 700 // 56 | push esi // ff7508 | push dword ptr [ebp + 8] // 53 | push ebx // 6a00 | push 0 // 68e9fd0000 | push 0xfde9 $sequence_37 = { 57 56 ff7508 53 6a00 68e9fd0000 } // n = 6, score = 700 // 57 | push edi // 56 | push esi // ff7508 | push dword ptr [ebp + 8] // 53 | push ebx // 6a00 | push 0 // 68e9fd0000 | push 0xfde9 $sequence_38 = { 57 6a00 6a00 6a00 6a00 ff7508 } // n = 6, score = 700 // 57 | push edi // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 // ff7508 | push dword ptr [ebp + 8] $sequence_39 = { 53 56 8bf1 bb00c34c84 } // n = 4, score = 700 // 53 | push ebx // 56 | push esi // 8bf1 | mov esi, ecx // bb00c34c84 | mov ebx, 0x844cc300 $sequence_40 = { 6a00 57 56 ff7508 53 6a00 68e9fd0000 } // n = 7, score = 700 // 6a00 | push 0 // 57 | push edi // 56 | push esi // ff7508 | push dword ptr [ebp + 8] // 53 | push ebx // 6a00 | push 0 // 68e9fd0000 | push 0xfde9 $sequence_41 = { 6a00 57 56 ff7508 53 6a00 } // n = 6, score = 700 // 6a00 | push 0 // 57 | push edi // 56 | push esi // ff7508 | push dword ptr [ebp + 8] // 53 | push ebx // 6a00 | push 0 $sequence_42 = { 6a00 57 56 ff7508 53 } // n = 5, score = 700 // 6a00 | push 0 // 57 | push edi // 56 | push esi // ff7508 | push dword ptr [ebp + 8] // 53 | push ebx $sequence_43 = { 53 57 6a00 6a00 6a00 6a00 ff7508 } // n = 7, score = 700 // 53 | push ebx // 57 | push edi // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 // ff7508 | push dword ptr [ebp + 8] $sequence_44 = { 53 57 6a00 6a00 6a00 6a00 ff7508 } // n = 7, score = 700 // 53 | push ebx // 57 | push edi // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 // ff7508 | push dword ptr [ebp + 8] $sequence_45 = { 6a03 6a00 6a00 ff7508 53 } // n = 5, score = 600 // 6a03 | push 3 // 6a00 | push 0 // 6a00 | push 0 // ff7508 | push dword ptr [ebp + 8] // 53 | push ebx $sequence_46 = { 6a03 6a00 6a00 ff7508 53 50 } // n = 6, score = 600 // 6a03 | push 3 // 6a00 | push 0 // 6a00 | push 0 // ff7508 | push dword ptr [ebp + 8] // 53 | push ebx // 50 | push eax $sequence_47 = { 8bec 56 8b750c b856555555 } // n = 4, score = 600 // 8bec | mov ebp, esp // 56 | push esi // 8b750c | mov esi, dword ptr [ebp + 0xc] // b856555555 | mov eax, 0x55555556 $sequence_48 = { 55 8bec 56 8b750c b856555555 } // n = 5, score = 600 // 55 | push ebp // 8bec | mov ebp, esp // 56 | push esi // 8b750c | mov esi, dword ptr [ebp + 0xc] // b856555555 | mov eax, 0x55555556 $sequence_49 = { 6a00 6a03 6a00 6a00 ff7508 53 50 } // n = 7, score = 600 // 6a00 | push 0 // 6a03 | push 3 // 6a00 | push 0 // 6a00 | push 0 // ff7508 | push dword ptr [ebp + 8] // 53 | push ebx // 50 | push eax $sequence_50 = { 53 56 8bf1 bb00c34c84 57 } // n = 5, score = 600 // 53 | push ebx // 56 | push esi // 8bf1 | mov esi, ecx // bb00c34c84 | mov ebx, 0x844cc300 // 57 | push edi $sequence_51 = { 6a00 6a00 ff7508 53 } // n = 4, score = 600 // 6a00 | push 0 // 6a00 | push 0 // ff7508 | push dword ptr [ebp + 8] // 53 | push ebx $sequence_52 = { 668378024d 75?? 6683780454 75?? } // n = 4, score = 400 // 668378024d | cmp word ptr [eax + 2], 0x4d // 75?? | // 6683780454 | cmp word ptr [eax + 4], 0x54 // 75?? | $sequence_53 = { 74?? 899824020000 889828020000 88982d030000 c7401801000000 88581c } // n = 6, score = 400 // 74?? | // 899824020000 | mov dword ptr [eax + 0x224], ebx // 889828020000 | mov byte ptr [eax + 0x228], bl // 88982d030000 | mov byte ptr [eax + 0x32d], bl // c7401801000000 | mov dword ptr [eax + 0x18], 1 // 88581c | mov byte ptr [eax + 0x1c], bl $sequence_54 = { 75?? 6683780454 75?? 6683780650 75?? } // n = 5, score = 400 // 75?? | // 6683780454 | cmp word ptr [eax + 4], 0x54 // 75?? | // 6683780650 | cmp word ptr [eax + 6], 0x50 // 75?? | $sequence_55 = { 75?? 6683780454 75?? 6683780650 75?? 668378083a 74?? } // n = 7, score = 400 // 75?? | // 6683780454 | cmp word ptr [eax + 4], 0x54 // 75?? | // 6683780650 | cmp word ptr [eax + 6], 0x50 // 75?? | // 668378083a | cmp word ptr [eax + 8], 0x3a // 74?? | $sequence_56 = { 66833853 75?? 668378024d 75?? 6683780454 75?? } // n = 6, score = 400 // 66833853 | cmp word ptr [eax], 0x53 // 75?? | // 668378024d | cmp word ptr [eax + 2], 0x4d // 75?? | // 6683780454 | cmp word ptr [eax + 4], 0x54 // 75?? | $sequence_57 = { 74?? 899824020000 889828020000 88982d030000 c7401801000000 88581c 88981c010000 } // n = 7, score = 400 // 74?? | // 899824020000 | mov dword ptr [eax + 0x224], ebx // 889828020000 | mov byte ptr [eax + 0x228], bl // 88982d030000 | mov byte ptr [eax + 0x32d], bl // c7401801000000 | mov dword ptr [eax + 0x18], 1 // 88581c | mov byte ptr [eax + 0x1c], bl // 88981c010000 | mov byte ptr [eax + 0x11c], bl $sequence_58 = { 889828020000 88982d030000 c7401801000000 88581c } // n = 4, score = 400 // 889828020000 | mov byte ptr [eax + 0x228], bl // 88982d030000 | mov byte ptr [eax + 0x32d], bl // c7401801000000 | mov dword ptr [eax + 0x18], 1 // 88581c | mov byte ptr [eax + 0x1c], bl $sequence_59 = { 668378024d 75?? 6683780454 75?? 6683780650 75?? } // n = 6, score = 400 // 668378024d | cmp word ptr [eax + 2], 0x4d // 75?? | // 6683780454 | cmp word ptr [eax + 4], 0x54 // 75?? | // 6683780650 | cmp word ptr [eax + 6], 0x50 // 75?? | $sequence_60 = { 899824020000 889828020000 88982d030000 c7401801000000 } // n = 4, score = 400 // 899824020000 | mov dword ptr [eax + 0x224], ebx // 889828020000 | mov byte ptr [eax + 0x228], bl // 88982d030000 | mov byte ptr [eax + 0x32d], bl // c7401801000000 | mov dword ptr [eax + 0x18], 1 $sequence_61 = { 899824020000 889828020000 88982d030000 c7401801000000 88581c 88981c010000 eb?? } // n = 7, score = 400 // 899824020000 | mov dword ptr [eax + 0x224], ebx // 889828020000 | mov byte ptr [eax + 0x228], bl // 88982d030000 | mov byte ptr [eax + 0x32d], bl // c7401801000000 | mov dword ptr [eax + 0x18], 1 // 88581c | mov byte ptr [eax + 0x1c], bl // 88981c010000 | mov byte ptr [eax + 0x11c], bl // eb?? | $sequence_62 = { 74?? 899824020000 889828020000 88982d030000 } // n = 4, score = 400 // 74?? | // 899824020000 | mov dword ptr [eax + 0x224], ebx // 889828020000 | mov byte ptr [eax + 0x228], bl // 88982d030000 | mov byte ptr [eax + 0x32d], bl $sequence_63 = { 668378024d 75?? 6683780454 75?? 6683780650 75?? 668378083a } // n = 7, score = 400 // 668378024d | cmp word ptr [eax + 2], 0x4d // 75?? | // 6683780454 | cmp word ptr [eax + 4], 0x54 // 75?? | // 6683780650 | cmp word ptr [eax + 6], 0x50 // 75?? | // 668378083a | cmp word ptr [eax + 8], 0x3a $sequence_64 = { 75?? 6683780454 75?? 6683780650 75?? 668378083a } // n = 6, score = 400 // 75?? | // 6683780454 | cmp word ptr [eax + 4], 0x54 // 75?? | // 6683780650 | cmp word ptr [eax + 6], 0x50 // 75?? | // 668378083a | cmp word ptr [eax + 8], 0x3a $sequence_65 = { 6683790454 75?? 6683790650 75?? } // n = 4, score = 400 // 6683790454 | cmp word ptr [ecx + 4], 0x54 // 75?? | // 6683790650 | cmp word ptr [ecx + 6], 0x50 // 75?? | $sequence_66 = { 74?? 899824020000 889828020000 88982d030000 c7401801000000 } // n = 5, score = 400 // 74?? | // 899824020000 | mov dword ptr [eax + 0x224], ebx // 889828020000 | mov byte ptr [eax + 0x228], bl // 88982d030000 | mov byte ptr [eax + 0x32d], bl // c7401801000000 | mov dword ptr [eax + 0x18], 1 $sequence_67 = { 889828020000 88982d030000 c7401801000000 88581c 88981c010000 } // n = 5, score = 400 // 889828020000 | mov byte ptr [eax + 0x228], bl // 88982d030000 | mov byte ptr [eax + 0x32d], bl // c7401801000000 | mov dword ptr [eax + 0x18], 1 // 88581c | mov byte ptr [eax + 0x1c], bl // 88981c010000 | mov byte ptr [eax + 0x11c], bl $sequence_68 = { ff15???????? 85db 0f8????????? 85c0 0f8????????? } // n = 5, score = 300 // ff15???????? | // 85db | test ebx, ebx // 0f8????????? | // 85c0 | test eax, eax // 0f8????????? | $sequence_69 = { 8b7020 8b7840 89c3 83c33c } // n = 4, score = 300 // 8b7020 | mov esi, dword ptr [eax + 0x20] // 8b7840 | mov edi, dword ptr [eax + 0x40] // 89c3 | mov ebx, eax // 83c33c | add ebx, 0x3c $sequence_70 = { ff15???????? 85db 0f8????????? 85c0 } // n = 4, score = 300 // ff15???????? | // 85db | test ebx, ebx // 0f8????????? | // 85c0 | test eax, eax $sequence_71 = { eb?? f20f1005???????? f20f108c2480000000 660f2ec8 } // n = 4, score = 100 // eb?? | // f20f1005???????? | // f20f108c2480000000 | movsd xmm1, qword ptr [esp + 0x80] // 660f2ec8 | ucomisd xmm1, xmm0 $sequence_72 = { 8bd8 4c 8bca 4c 8bc1 48 89442428 } // n = 7, score = 100 // 8bd8 | mov ebx, eax // 4c | dec esp // 8bca | mov ecx, edx // 4c | dec esp // 8bc1 | mov eax, ecx // 48 | dec eax // 89442428 | mov dword ptr [esp + 0x28], eax $sequence_73 = { 89e0 c7400400000000 c7005830d800 e8???????? } // n = 4, score = 100 // 89e0 | mov eax, esp // c7400400000000 | mov dword ptr [eax + 4], 0 // c7005830d800 | mov dword ptr [eax], 0xd83058 // e8???????? | $sequence_74 = { 8b4df0 2bc2 8d9594feffff 52 33d2 03cf } // n = 6, score = 100 // 8b4df0 | mov ecx, dword ptr [ebp - 0x10] // 2bc2 | sub eax, edx // 8d9594feffff | lea edx, [ebp - 0x16c] // 52 | push edx // 33d2 | xor edx, edx // 03cf | add ecx, edi $sequence_75 = { 8945c0 8945dc 8d45ac 50 } // n = 4, score = 100 // 8945c0 | mov dword ptr [ebp - 0x40], eax // 8945dc | mov dword ptr [ebp - 0x24], eax // 8d45ac | lea eax, [ebp - 0x54] // 50 | push eax $sequence_76 = { 8bec 83ec14 56 57 8bf0 33c0 50 } // n = 7, score = 100 // 8bec | mov ebp, esp // 83ec14 | sub esp, 0x14 // 56 | push esi // 57 | push edi // 8bf0 | mov esi, eax // 33c0 | xor eax, eax // 50 | push eax $sequence_77 = { 8b5f70 899c24b4000000 8b5f74 899c24b8000000 8b5f68 899c24bc000000 8b5f64 } // n = 7, score = 100 // 8b5f70 | mov ebx, dword ptr [edi + 0x70] // 899c24b4000000 | mov dword ptr [esp + 0xb4], ebx // 8b5f74 | mov ebx, dword ptr [edi + 0x74] // 899c24b8000000 | mov dword ptr [esp + 0xb8], ebx // 8b5f68 | mov ebx, dword ptr [edi + 0x68] // 899c24bc000000 | mov dword ptr [esp + 0xbc], ebx // 8b5f64 | mov ebx, dword ptr [edi + 0x64] $sequence_78 = { 89542404 894c2418 e8???????? 8b4c2420 890c24 8b542430 89542404 } // n = 7, score = 100 // 89542404 | mov dword ptr [esp + 4], edx // 894c2418 | mov dword ptr [esp + 0x18], ecx // e8???????? | // 8b4c2420 | mov ecx, dword ptr [esp + 0x20] // 890c24 | mov dword ptr [esp], ecx // 8b542430 | mov edx, dword ptr [esp + 0x30] // 89542404 | mov dword ptr [esp + 4], edx $sequence_79 = { 8985ecfeffff 8d85f6feffff 6a00 50 c745f404010000 898df0feffff 668995f4feffff } // n = 7, score = 100 // 8985ecfeffff | mov dword ptr [ebp - 0x114], eax // 8d85f6feffff | lea eax, [ebp - 0x10a] // 6a00 | push 0 // 50 | push eax // c745f404010000 | mov dword ptr [ebp - 0xc], 0x104 // 898df0feffff | mov dword ptr [ebp - 0x110], ecx // 668995f4feffff | mov word ptr [ebp - 0x10c], dx $sequence_80 = { 56 83e4f8 81ecc8000000 8b4508 f20f1005???????? 31c9 8984249c000000 } // n = 7, score = 100 // 56 | push esi // 83e4f8 | and esp, 0xfffffff8 // 81ecc8000000 | sub esp, 0xc8 // 8b4508 | mov eax, dword ptr [ebp + 8] // f20f1005???????? | // 31c9 | xor ecx, ecx // 8984249c000000 | mov dword ptr [esp + 0x9c], eax $sequence_81 = { f20f11842490000000 8984248c000000 0f8????????? e9???????? 8b442454 } // n = 5, score = 100 // f20f11842490000000 | movsd qword ptr [esp + 0x90], xmm0 // 8984248c000000 | mov dword ptr [esp + 0x8c], eax // 0f8????????? | // e9???????? | // 8b442454 | mov eax, dword ptr [esp + 0x54] $sequence_82 = { 74?? 48 8bcf e8???????? 0fb6c3 } // n = 5, score = 100 // 74?? | // 48 | dec eax // 8bcf | mov ecx, edi // e8???????? | // 0fb6c3 | movzx eax, bl $sequence_83 = { 74?? ff15???????? 89442408 8b442444 } // n = 4, score = 100 // 74?? | // ff15???????? | // 89442408 | mov dword ptr [esp + 8], eax // 8b442444 | mov eax, dword ptr [esp + 0x44] condition: 7 of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Your suggestion will be reviewed before being published. Thank you for contributing!