[TLP:WHITE] win_isfb_auto (20201014 | autogenerated rule brought to you by yara-signator)rule win_isfb_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2020-10-14"
version = "1"
description = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.5.0"
tool_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb"
malpedia_rule_date = "20201014"
malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
malpedia_version = "20201014"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation is published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
$sequence_0 = { eb02 33c0 3bc7 7414 }
// n = 4, score = 2900
// eb02 | add edx, 4
// 33c0 | dec dword ptr [esp + 0xc]
// 3bc7 | jne 0xffffffec
// 7414 | xor eax, esi
$sequence_1 = { 51 57 50 ffd6 85c0 7408 }
// n = 6, score = 2700
// 51 | dec dword ptr [esp + 0xc]
// 57 | jne 0xfffffff3
// 50 | jne 0xffffffe8
// ffd6 | pop esi
// 85c0 | pop ebx
// 7408 | ret 8
$sequence_2 = { 50 33c0 e8???????? 3bc7 }
// n = 4, score = 2400
// 50 | pop ebx
// 33c0 | xor eax, dword ptr [esp + 0x10]
// e8???????? |
// 3bc7 | mov esi, eax
$sequence_3 = { 50 6a10 58 e8???????? 3bc7 }
// n = 5, score = 2400
// 50 | mov dword ptr [edx], esi
// 6a10 | add edx, 4
// 58 | dec dword ptr [esp + 0xc]
// e8???????? |
// 3bc7 | jne 0xfffffff1
$sequence_4 = { ff75f0 ff75f4 6822010000 e9???????? ff7508 }
// n = 5, score = 2400
// ff75f0 | xor ecx, ecx
// ff75f4 | push edi
// 6822010000 | mov dword ptr [ebp - 0xc], ebx
// e9???????? |
// ff7508 | mov dword ptr [ebp - 0x10], ebx
$sequence_5 = { 8b35???????? 7414 8d4dfc 51 }
// n = 4, score = 2300
// 8b35???????? |
// 7414 | dec dword ptr [esp + 0xc]
// 8d4dfc | jne 0xffffffef
// 51 | pop esi
$sequence_6 = { 53 ff35???????? e8???????? 8bf0 3bf3 7443 6aff }
// n = 7, score = 2200
// 53 | mov dword ptr [ebp - 8], 0x57
// ff35???????? |
// e8???????? |
// 8bf0 | mov edi, 0x119
// 3bf3 | push dword ptr [ebp - 0x10]
// 7443 | push esi
// 6aff | push dword ptr [ebp - 0x10]
$sequence_7 = { 59 c20400 8325????????00 6a00 68???????? 6a01 ff742410 }
// n = 7, score = 2100
// 59 | pop ecx
// c20400 | ret 4
// 8325????????00 |
// 6a00 | push 0
// 68???????? |
// 6a01 | push 1
// ff742410 | push dword ptr [esp + 0x10]
$sequence_8 = { 8bc5 5d 5b 59 c20400 8325????????00 }
// n = 6, score = 2100
// 8bc5 | mov eax, ebp
// 5d | pop ebp
// 5b | pop ebx
// 59 | pop ecx
// c20400 | ret 4
// 8325????????00 |
$sequence_9 = { 33c0 3bc7 8b35???????? 7414 }
// n = 4, score = 2100
// 33c0 | mov cl, bl
// 3bc7 | rol eax, cl
// 8b35???????? |
// 7414 | xor eax, esi
$sequence_10 = { 85c0 740f 8b45fc 03c0 }
// n = 4, score = 2100
// 85c0 | pop esi
// 740f | pop ebx
// 8b45fc | ret 8
// 03c0 | mov dword ptr [edx], esi
$sequence_11 = { 3bc7 741b 50 33c0 }
// n = 4, score = 2000
// 3bc7 | cmp eax, ebx
// 741b | je 0x13
// 50 | push eax
// 33c0 | add esi, 4
$sequence_12 = { 51 57 50 e8???????? 83c40c e8???????? 3bc7 }
// n = 7, score = 1900
// 51 | push ecx
// 57 | push edi
// 50 | push eax
// e8???????? |
// 83c40c | call esi
// e8???????? |
// 3bc7 | je 0x16
$sequence_13 = { ff15???????? 85c0 a3???????? 7402 ffe0 c20400 }
// n = 6, score = 1900
// ff15???????? |
// 85c0 | mov eax, dword ptr [ebp + 8]
// a3???????? |
// 7402 | mov ecx, dword ptr [eax + 0x58]
// ffe0 | mov edx, dword ptr [eax + 0x54]
// c20400 | test eax, eax
$sequence_14 = { 8901 8b45fc 5f 5e 5b c9 c20800 }
// n = 7, score = 1800
// 8901 | pop esi
// 8b45fc | cmp dword ptr [ebp + 8], 0
// 5f | je 0xe
// 5e | push dword ptr [ebp + 8]
// 5b | mov eax, edi
// c9 | pop edi
// c20800 | xor ebx, ebx
$sequence_15 = { c20400 55 8bec 83ec0c a1???????? 8365f800 }
// n = 6, score = 1800
// c20400 | pop ebp
// 55 | inc ecx
// 8bec | pop esp
// 83ec0c | mov eax, edi
// a1???????? |
// 8365f800 | dec eax
$sequence_16 = { 7505 b8???????? 53 bb60ea0000 53 ff750c }
// n = 6, score = 1700
// 7505 | jne 7
// b8???????? |
// 53 | push ebx
// bb60ea0000 | mov ebx, 0xea60
// 53 | push ebx
// ff750c | push dword ptr [ebp + 0xc]
$sequence_17 = { 7512 e8???????? 3bc3 a3???????? }
// n = 4, score = 1700
// 7512 | jne 0x14
// e8???????? |
// 3bc3 | cmp eax, ebx
// a3???????? |
$sequence_18 = { e8???????? 8bd8 85db 895df4 0f84c7000000 56 53 }
// n = 7, score = 1700
// e8???????? |
// 8bd8 | mov ebx, eax
// 85db | test ebx, ebx
// 895df4 | mov dword ptr [ebp - 0xc], ebx
// 0f84c7000000 | je 0xcd
// 56 | push esi
// 53 | push ebx
$sequence_19 = { 8d45f8 50 e8???????? 8bf8 3bfb }
// n = 5, score = 1700
// 8d45f8 | lea eax, [ebp - 8]
// 50 | push eax
// e8???????? |
// 8bf8 | mov edi, eax
// 3bfb | cmp edi, ebx
$sequence_20 = { ff15???????? 3c05 7506 84e4 7704 3ac0 }
// n = 6, score = 1600
// ff15???????? |
// 3c05 | ret 4
// 7506 | test eax, eax
// 84e4 | je 4
// 7704 | cmp al, 5
// 3ac0 | jne 8
$sequence_21 = { 68???????? e8???????? 8b07 c6400731 8b74241c 8b1e }
// n = 6, score = 1600
// 68???????? |
// e8???????? |
// 8b07 | dec eax
// c6400731 | lea ecx, [ebx + eax*8]
// 8b74241c | ret
// 8b1e | inc ecx
$sequence_22 = { 8bc6 5e c9 c21000 55 8bec 83ec14 }
// n = 7, score = 1600
// 8bc6 | je 0x10
// 5e | push ecx
// c9 | push edi
// c21000 | push eax
// 55 | call esi
// 8bec | test eax, eax
// 83ec14 | push edi
$sequence_23 = { ff15???????? 8b442414 8b4c240c 8907 8b442418 }
// n = 5, score = 1600
// ff15???????? |
// 8b442414 | dec eax
// 8b4c240c | lea ecx, [ebx + eax*8]
// 8907 | inc ecx
// 8b442418 | movzx eax, byte ptr [ecx + 3]
$sequence_24 = { 50 8b07 03442418 50 56 }
// n = 5, score = 1600
// 50 | and dword ptr [ebx + 0x34], 0xfffffff9
// 8b07 | mov dword ptr [ebx + 0x2c], 1
// 03442418 | mov eax, dword ptr [ebx + 0x34]
// 50 | push eax
// 56 | mov eax, dword ptr [edi]
$sequence_25 = { 897324 897328 83c40c 8974240c c6401a00 }
// n = 5, score = 1600
// 897324 | mov ebp, esp
// 897328 | sub esp, 0xc
// 83c40c | and dword ptr [ebp - 8], 0
// 8974240c | mov dword ptr [ebx + 0x24], esi
// c6401a00 | mov dword ptr [ebx + 0x28], esi
$sequence_26 = { 897c241c 760a 8b4b20 e8???????? }
// n = 4, score = 1600
// 897c241c | add eax, dword ptr [esp + 0x18]
// 760a | push eax
// 8b4b20 | push esi
// e8???????? |
$sequence_27 = { 8a4604 2404 f6d8 1bc0 83e006 }
// n = 5, score = 1600
// 8a4604 | jmp 4
// 2404 | xor eax, eax
// f6d8 | cmp eax, edi
// 1bc0 | je 0x1a
// 83e006 | push ecx
$sequence_28 = { 8b442418 894110 836334f9 c7432c01000000 8b4334 }
// n = 5, score = 1600
// 8b442418 | add esp, 0xc
// 894110 | mov dword ptr [esp + 0xc], esi
// 836334f9 | mov byte ptr [eax + 0x1a], 0
// c7432c01000000 | mov eax, dword ptr [esp + 0x18]
// 8b4334 | mov dword ptr [ecx + 0x10], eax
$sequence_29 = { 488bcf c744242860ea0000 4c0f45c8 48895c2420 }
// n = 4, score = 1500
// 488bcf | test eax, eax
// c744242860ea0000 | jne 0xa6
// 4c0f45c8 | dec eax
// 48895c2420 | mov ecx, edi
$sequence_30 = { 8b35???????? 50 83c60a e8???????? 5f 5e }
// n = 6, score = 1500
// 8b35???????? |
// 50 | push eax
// 83c60a | add esi, 0xa
// e8???????? |
// 5f | pop edi
// 5e | pop esi
$sequence_31 = { eb03 6a08 5e 5f 8bc6 5e c9 }
// n = 7, score = 1500
// eb03 | mov edx, edi
// 6a08 | jmp 4
// 5e | xor eax, eax
// 5f | cmp eax, ebx
// 8bc6 | je 0x1b
// 5e | push eax
// c9 | cmp eax, ebx
$sequence_32 = { 837d1800 b8???????? 7505 b8???????? }
// n = 4, score = 1500
// 837d1800 | cmp dword ptr [ebp + 0x18], 0
// b8???????? |
// 7505 | jne 7
// b8???????? |
$sequence_33 = { 6a01 33db 53 ff35???????? }
// n = 4, score = 1500
// 6a01 | mov ecx, edi
// 33db | dec eax
// 53 | cmp ecx, edi
// ff35???????? |
$sequence_34 = { 56 57 8d740818 8b4508 }
// n = 4, score = 1400
// 56 | push dword ptr [ebp + 8]
// 57 | push dword ptr [ebp - 0x10]
// 8d740818 | push dword ptr [ebp - 0xc]
// 8b4508 | push 0x122
$sequence_35 = { 8d740818 8b4508 3b460c 7247 8b7938 8b4608 }
// n = 6, score = 1400
// 8d740818 | push 0
// 8b4508 | push 0
// 3b460c | push 0x122
// 7247 | push dword ptr [ebp + 8]
// 8b7938 | push 0
// 8b4608 | push 0
$sequence_36 = { 5d 5b c3 8b4754 a804 }
// n = 5, score = 1400
// 5d | test eax, eax
// 5b | push eax
// c3 | push 0x10
// 8b4754 | pop eax
// a804 | cmp eax, edi
$sequence_37 = { ff4dfc 85c0 7505 3945fc 759f 5f 5e }
// n = 7, score = 1400
// ff4dfc | push 0xff676980
// 85c0 | mov esi, eax
// 7505 | cmp esi, ebx
// 3945fc | je 0x45
// 759f | push -1
// 5f | push ebx
// 5e | mov esi, eax
$sequence_38 = { e8???????? be01000000 8bc6 4883c440 415e }
// n = 5, score = 1400
// e8???????? |
// be01000000 | cmp eax, edi
// 8bc6 | push dword ptr [ebp + 8]
// 4883c440 | push dword ptr [ebp - 0x10]
// 415e | push dword ptr [ebp - 0xc]
$sequence_39 = { 8d043f 50 e8???????? 8bf0 85f6 75cf 33ff }
// n = 7, score = 1400
// 8d043f | lea eax, [edi + edi]
// 50 | push eax
// e8???????? |
// 8bf0 | mov esi, eax
// 85f6 | test esi, esi
// 75cf | jne 0xffffffd1
// 33ff | xor edi, edi
$sequence_40 = { 4c0f45c8 48895c2420 e8???????? 85c0 8bd8 }
// n = 5, score = 1400
// 4c0f45c8 | cmp esi, ebx
// 48895c2420 | je 0x47
// e8???????? |
// 85c0 | push -1
// 8bd8 | push 0xff676980
$sequence_41 = { 75cf 33ff 3bf7 741c }
// n = 4, score = 1400
// 75cf | jne 0xffffffd1
// 33ff | xor edi, edi
// 3bf7 | cmp esi, edi
// 741c | je 0x1e
$sequence_42 = { 8b413c 8d5418ff eb0a 8b4138 }
// n = 4, score = 1400
// 8b413c | push dword ptr [ebp - 0x10]
// 8d5418ff | push dword ptr [ebp - 0xc]
// eb0a | push 0x122
// 8b4138 | push dword ptr [ebp + 8]
$sequence_43 = { 51 50 57 6a01 ff75e0 68???????? e8???????? }
// n = 7, score = 1400
// 51 | push ecx
// 50 | push eax
// 57 | push edi
// 6a01 | push 1
// ff75e0 | push dword ptr [ebp - 0x20]
// 68???????? |
// e8???????? |
$sequence_44 = { bf04010000 e8???????? 8bf0 85f6 7453 57 }
// n = 6, score = 1400
// bf04010000 | mov edi, 0x104
// e8???????? |
// 8bf0 | mov esi, eax
// 85f6 | test esi, esi
// 7453 | je 0x55
// 57 | push edi
$sequence_45 = { 23c7 8d7c13ff 4a f7d2 23fa 3bf8 }
// n = 6, score = 1400
// 23c7 | push dword ptr [ebp - 0x10]
// 8d7c13ff | push dword ptr [ebp - 0xc]
// 4a | push 0x122
// f7d2 | push dword ptr [ebp + 8]
// 23fa | push 0
// 3bf8 | push 0
$sequence_46 = { 53 b800080000 50 56 }
// n = 4, score = 1400
// 53 | cmp eax, ebx
// b800080000 | mov eax, esi
// 50 | pop esi
// 56 | leave
$sequence_47 = { 897104 8b4808 ff7004 034c240c 8b00 51 03c2 }
// n = 7, score = 1400
// 897104 | mov esi, eax
// 8b4808 | cmp esi, ebx
// ff7004 | je 0x45
// 034c240c | mov esi, eax
// 8b00 | cmp esi, ebx
// 51 | je 0x45
// 03c2 | push -1
$sequence_48 = { 8d5410ff 48 f7d0 23d0 8b460c }
// n = 5, score = 1400
// 8d5410ff | push dword ptr [ebp + 8]
// 48 | push ebx
// f7d0 | mov esi, eax
// 23d0 | cmp esi, ebx
// 8b460c | je 0x49
$sequence_49 = { 23fa 3bf8 7609 8b413c 8d5418ff }
// n = 5, score = 1400
// 23fa | push -1
// 3bf8 | push ebx
// 7609 | mov esi, eax
// 8b413c | cmp esi, ebx
// 8d5418ff | je 0x47
$sequence_50 = { ff15???????? 50 ff15???????? 215df8 e9???????? }
// n = 5, score = 1400
// ff15???????? |
// 50 | dec eax
// ff15???????? |
// 215df8 | mov ebx, dword ptr [esp + 0x30]
// e9???????? |
$sequence_51 = { 8bd5 488bcf bb57000000 e8???????? }
// n = 4, score = 1300
// 8bd5 | mov edx, ebp
// 488bcf | dec eax
// bb57000000 | mov ecx, edi
// e8???????? |
$sequence_52 = { ff35???????? ffd7 85c0 8945f0 0f844b020000 }
// n = 5, score = 1300
// ff35???????? |
// ffd7 | pop ecx
// 85c0 | ret 4
// 8945f0 | push 0
// 0f844b020000 | push 1
$sequence_53 = { ff15???????? a1???????? 85c0 7407 83ee64 }
// n = 5, score = 1300
// ff15???????? |
// a1???????? |
// 85c0 | test eax, eax
// 7407 | je 9
// 83ee64 | sub esi, 0x64
$sequence_54 = { 8bd7 e8???????? eb02 33c0 3bc3 7413 50 }
// n = 7, score = 1300
// 8bd7 | inc ecx
// e8???????? |
// eb02 | movzx eax, byte ptr [ecx + 2]
// 33c0 | dec eax
// 3bc3 | lea ecx, [ebx + eax*8]
// 7413 | inc esp
// 50 | mov ebp, eax
$sequence_55 = { 6a0d 58 e8???????? 85c0 740d 8906 }
// n = 6, score = 1300
// 6a0d | mov dword ptr [ebp - 4], 1
// 58 | push dword ptr [ebp + 8]
// e8???????? |
// 85c0 | push dword ptr [ebp - 0x10]
// 740d | push dword ptr [ebp - 0xc]
// 8906 | push 0x122
$sequence_56 = { ff15???????? 488bdf 8bf7 483bdf }
// n = 4, score = 1300
// ff15???????? |
// 488bdf | mov ebx, 0xea60
// 8bf7 | push ebx
// 483bdf | push ebx
$sequence_57 = { 8b450c 8930 eb33 6a00 }
// n = 4, score = 1300
// 8b450c | mov ebx, 0x7f
// 8930 | jmp 0xe
// eb33 | jb 0xffffffc3
// 6a00 | jmp 0x10
$sequence_58 = { e8???????? 3bfb 7414 a1???????? }
// n = 4, score = 1300
// e8???????? |
// 3bfb | mov dword ptr [esp + 0x20], eax
// 7414 | dec eax
// a1???????? |
$sequence_59 = { 50 8d4508 50 53 8bc6 e8???????? 85c0 }
// n = 7, score = 1300
// 50 | pop ebp
// 8d4508 | pop ebx
// 50 | ret
// 53 | mov eax, dword ptr [edi + 0x54]
// 8bc6 | test al, 4
// e8???????? |
// 85c0 | mov esi, 1
$sequence_60 = { 74a3 33ff eb0b 33ff }
// n = 4, score = 1300
// 74a3 | add esi, 8
// 33ff | cmp ebp, 5
// eb0b | jb 0xffffffc3
// 33ff | jmp 0x10
$sequence_61 = { 58 e8???????? 3bc3 7406 50 e8???????? 3bfb }
// n = 7, score = 1300
// 58 | add edx, 8
// e8???????? |
// 3bc3 | inc ecx
// 7406 | cmp ecx, edx
// 50 | jl 0xffffffeb
// e8???????? |
// 3bfb | inc ecx
$sequence_62 = { 4883c608 83fd05 72c1 eb0c bb7f000000 eb05 bb7e000000 }
// n = 7, score = 1300
// 4883c608 | mov ebx, 0x57
// 83fd05 | dec eax
// 72c1 | add esi, 8
// eb0c | cmp ebp, 5
// bb7f000000 | jb 0xffffffc3
// eb05 | jmp 0x10
// bb7e000000 | mov ebx, 0x7f
$sequence_63 = { 8b35???????? 50 83c604 e8???????? 3bfb }
// n = 5, score = 1300
// 8b35???????? |
// 50 | dec eax
// 83c604 | test ebx, ebx
// e8???????? |
// 3bfb | mov edx, 8
$sequence_64 = { eb0a 81fb03010000 7502 33db }
// n = 4, score = 1300
// eb0a | mov edx, ebx
// 81fb03010000 | dec eax
// 7502 | mov ecx, eax
// 33db | dec eax
$sequence_65 = { 750e 837d0800 7408 ff7508 e8???????? 8bc7 5f }
// n = 7, score = 1300
// 750e | mov eax, esi
// 837d0800 | dec eax
// 7408 | add esp, 0x40
// ff7508 | inc ecx
// e8???????? |
// 8bc7 | pop esi
// 5f | inc ecx
$sequence_66 = { 3bc7 8945e0 0f8417020000 8b0d???????? 33cb }
// n = 5, score = 1300
// 3bc7 | ret 4
// 8945e0 | push 0
// 0f8417020000 | pop ebp
// 8b0d???????? |
// 33cb | pop ebx
$sequence_67 = { 83c40c e8???????? 3bc7 8945f0 0f84e4010000 57 }
// n = 6, score = 1300
// 83c40c | pop ecx
// e8???????? |
// 3bc7 | ret 4
// 8945f0 | push 0
// 0f84e4010000 | test eax, eax
// 57 | je 0x11
$sequence_68 = { e8???????? 85c0 742d ff75fc 6a0d }
// n = 5, score = 1200
// e8???????? |
// 85c0 | jmp eax
// 742d | ret 4
// ff75fc | push ebp
// 6a0d | test eax, eax
$sequence_69 = { ff37 e8???????? 85c0 0f85d7000000 8b4604 6a00 ff750c }
// n = 7, score = 1200
// ff37 | add esp, 0x30
// e8???????? |
// 85c0 | pop edi
// 0f85d7000000 | ret
// 8b4604 | jae 0x8c
// 6a00 | dec eax
// ff750c | mov ebx, dword ptr [eax]
$sequence_70 = { ff7510 57 ff750c 53 e8???????? 3bfe 740e }
// n = 7, score = 1200
// ff7510 | push eax
// 57 | push 0x10
// ff750c | pop eax
// 53 | cmp eax, edi
// e8???????? |
// 3bfe | push 0x10
// 740e | pop eax
$sequence_71 = { 8b4f30 84c9 0f8992000000 8b4f30 f6c104 }
// n = 5, score = 1200
// 8b4f30 | dec eax
// 84c9 | mov ebx, dword ptr [eax]
// 0f8992000000 | and dword ptr [esp + 0x58], 0
// 8b4f30 | xor eax, eax
// f6c104 | dec eax
$sequence_72 = { 0f845d010000 8b4730 a808 7412 53 8d47e4 }
// n = 6, score = 1200
// 0f845d010000 | dec eax
// 8b4730 | mov eax, edi
// a808 | dec eax
// 7412 | add esp, 0x30
// 53 | pop edi
// 8d47e4 | jmp 0xa
$sequence_73 = { 0f8544010000 8b472c a801 742d ff37 e8???????? 85c0 }
// n = 7, score = 1200
// 0f8544010000 | dec eax
// 8b472c | mov ecx, ebx
// a801 | jae 0x8c
// 742d | dec eax
// ff37 | mov ebx, dword ptr [eax]
// e8???????? |
// 85c0 | and dword ptr [esp + 0x58], 0
$sequence_74 = { 8b8c2490000000 83bc248800000000 4c8b442440 488b542448 }
// n = 4, score = 1200
// 8b8c2490000000 | push ebx
// 83bc248800000000 | cmp dword ptr [ebp + 0x18], 0
// 4c8b442440 | jne 0xb
// 488b542448 | push ebx
$sequence_75 = { 33c0 5f f7d0 5e c3 55 }
// n = 6, score = 1200
// 33c0 | je 0x1b
// 5f | dec esp
// f7d0 | lea eax, [eax - 0x34]
// 5e | test eax, eax
// c3 | jne 0x169
// 55 | mov eax, dword ptr [ebx + 0x48]
$sequence_76 = { 85c0 740d 8906 83c604 47 83ff03 72d6 }
// n = 7, score = 1200
// 85c0 | push dword ptr [ebp - 4]
// 740d | push 0xd
// 8906 | pop eax
// 83c604 | test eax, eax
// 47 | je 0xf
// 83ff03 | mov dword ptr [esi], eax
// 72d6 | add esi, 4
$sequence_77 = { 0f8586000000 8b4720 8b4e04 6a00 ba00200000 2bd0 }
// n = 6, score = 1200
// 0f8586000000 | dec eax
// 8b4720 | mov ecx, edi
// 8b4e04 | dec eax
// 6a00 | cmp ecx, edi
// ba00200000 | je 7
// 2bd0 | jae 0x8c
$sequence_78 = { ff15???????? 53 56 ff35???????? ff15???????? 5b }
// n = 6, score = 1200
// ff15???????? |
// 53 | pop ebp
// 56 | pop ebx
// ff35???????? |
// ff15???????? |
// 5b | pop ecx
$sequence_79 = { a3???????? a3???????? a3???????? a1???????? 83e0fb 0bc2 }
// n = 6, score = 1200
// a3???????? |
// a3???????? |
// a3???????? |
// a1???????? |
// 83e0fb | push 1
// 0bc2 | xor ebx, ebx
$sequence_80 = { 752e 53 e8???????? 6a01 6a01 ff7514 }
// n = 6, score = 1200
// 752e | cmp eax, edi
// 53 | push eax
// e8???????? |
// 6a01 | xor eax, eax
// 6a01 | cmp eax, edi
// ff7514 | jmp 4
$sequence_81 = { b90e010000 41b800000100 4889442420 e8???????? e9???????? }
// n = 5, score = 1200
// b90e010000 | je 0x1f
// 41b800000100 | test eax, eax
// 4889442420 | je 0x13
// e8???????? |
// e9???????? |
$sequence_82 = { 6641b85c00 33d2 488bcd ff15???????? }
// n = 4, score = 1200
// 6641b85c00 | cmp eax, edi
// 33d2 | je 0x18
// 488bcd | jmp 4
// ff15???????? |
$sequence_83 = { 57 ff36 33db e8???????? 8bf8 85ff 0f845d010000 }
// n = 7, score = 1200
// 57 | and dword ptr [esp + 0x58], 0
// ff36 | xor eax, eax
// 33db | and dword ptr [esp + 0x50], eax
// e8???????? |
// 8bf8 | and dword ptr [esp + 0x54], eax
// 85ff | dec eax
// 0f845d010000 | mov dword ptr [esp + 0x40], ebx
$sequence_84 = { 7410 ff75fc 56 ff35???????? ff15???????? 53 }
// n = 6, score = 1200
// 7410 | je 0x47
// ff75fc | push -1
// 56 | mov esi, eax
// ff35???????? |
// ff15???????? |
// 53 | cmp esi, ebx
$sequence_85 = { ff35???????? 8945f8 ff15???????? 8bd8 3bde }
// n = 5, score = 1200
// ff35???????? |
// 8945f8 | mov esi, eax
// ff15???????? |
// 8bd8 | cmp esi, ebx
// 3bde | je 0x49
$sequence_86 = { c744242000010000 ff15???????? 4883f8ff 488bf8 7442 }
// n = 5, score = 1200
// c744242000010000 | jmp 0xc
// ff15???????? |
// 4883f8ff | cmp ebp, 5
// 488bf8 | jb 0xffffffc6
// 7442 | jmp 0xe
$sequence_87 = { e8???????? 3bfe 740e 57 56 ff35???????? ff15???????? }
// n = 7, score = 1200
// e8???????? |
// 3bfe | ret 4
// 740e | push 0
// 57 | pop ebp
// 56 | pop ebx
// ff35???????? |
// ff15???????? |
$sequence_88 = { 8b7508 e8???????? 33f6 3975fc 7410 ff75fc }
// n = 6, score = 1200
// 8b7508 | je 0x1a
// e8???????? |
// 33f6 | jmp 4
// 3975fc | xor eax, eax
// 7410 | cmp eax, edi
// ff75fc | je 0x18
$sequence_89 = { 66c7015c00 eb0f 68???????? 68???????? ff75f8 ffd6 }
// n = 6, score = 1200
// 66c7015c00 | xor eax, eax
// eb0f | cmp eax, edi
// 68???????? |
// 68???????? |
// ff75f8 | cmp eax, edi
// ffd6 | je 0x18
$sequence_90 = { 8d47e4 53 e8???????? 85c0 0f8544010000 8b472c a801 }
// n = 7, score = 1200
// 8d47e4 | xor eax, eax
// 53 | and dword ptr [esp + 0x50], eax
// e8???????? |
// 85c0 | dec eax
// 0f8544010000 | mov ebx, dword ptr [esp + 0x40]
// 8b472c | dec eax
// a801 | mov esi, dword ptr [esp + 0x48]
$sequence_91 = { 488d0cc3 48890d???????? 410fb64103 488d0cc3 48890d???????? }
// n = 5, score = 1100
// 488d0cc3 | pop ebp
// 48890d???????? |
// 410fb64103 | pop ebx
// 488d0cc3 | pop ecx
// 48890d???????? |
$sequence_92 = { 6a01 c1e00c 50 ff15???????? 56 }
// n = 5, score = 1100
// 6a01 | test eax, eax
// c1e00c | jne 0xa1
// 50 | dec eax
// ff15???????? |
// 56 | arpl word ptr [ebx + 0x3c], dx
$sequence_93 = { 85c0 7507 33db 895d08 eb03 }
// n = 5, score = 1100
// 85c0 | mov ebx, 0x7f
// 7507 | xor edx, edx
// 33db | dec ecx
// 895d08 | mov ecx, esp
// eb03 | dec ecx
$sequence_94 = { 89742420 e8???????? 8bf0 eb05 }
// n = 4, score = 1100
// 89742420 | pop edi
// e8???????? |
// 8bf0 | push eax
// eb05 | push ebx
$sequence_95 = { 33d2 ff15???????? 8b05???????? 418bdd }
// n = 4, score = 1100
// 33d2 | cmp ebp, 5
// ff15???????? |
// 8b05???????? |
// 418bdd | jb 0xffffffc6
$sequence_96 = { c3 418bd8 4803df 410fb64101 33d2 488d0cc3 48890d???????? }
// n = 7, score = 1100
// c3 | ret 4
// 418bd8 | push 0
// 4803df | pop ebp
// 410fb64101 | pop ebx
// 33d2 | pop ecx
// 488d0cc3 | ret 4
// 48890d???????? |
$sequence_97 = { 33d2 498bcc 498bfd e8???????? }
// n = 4, score = 1100
// 33d2 | dec eax
// 498bcc | add esi, 8
// 498bfd | cmp ebp, 5
// e8???????? |
$sequence_98 = { c9 c20400 51 56 ff74240c }
// n = 5, score = 1100
// c9 | mov ecx, esi
// c20400 | dec eax
// 51 | test eax, eax
// 56 | dec eax
// ff74240c | mov ebx, eax
$sequence_99 = { 33d2 ff15???????? 4885db 740c 4c8b0d???????? e9???????? }
// n = 6, score = 1100
// 33d2 | pop ecx
// ff15???????? |
// 4885db | ret 4
// 740c | push 0
// 4c8b0d???????? |
// e9???????? |
$sequence_100 = { 8b7d0c 6a18 c1ef0c e8???????? 8bf0 }
// n = 5, score = 1100
// 8b7d0c | mov edi, dword ptr [ebp + 0xc]
// 6a18 | push 0x18
// c1ef0c | shr edi, 0xc
// e8???????? |
// 8bf0 | mov esi, eax
$sequence_101 = { 33d2 488d0cc3 48890d???????? 410fb64102 488d0cc3 48890d???????? }
// n = 6, score = 1100
// 33d2 | push 0
// 488d0cc3 | pop ebx
// 48890d???????? |
// 410fb64102 | pop ecx
// 488d0cc3 | ret 4
// 48890d???????? |
$sequence_102 = { e8???????? 81ffb7000000 7507 33ff eb03 6a08 5f }
// n = 7, score = 1100
// e8???????? |
// 81ffb7000000 | cmp edi, 0xb7
// 7507 | jne 9
// 33ff | xor edi, edi
// eb03 | jmp 5
// 6a08 | push 8
// 5f | pop edi
$sequence_103 = { 33db 6a01 e8???????? 85db 7423 }
// n = 5, score = 1100
// 33db | je 0x27
// 6a01 | movzx eax, word ptr [ecx]
// e8???????? |
// 85db | cmp ax, 0x61
// 7423 | xor ebx, ebx
$sequence_104 = { f7de c1e80c 03f0 6a00 }
// n = 4, score = 1100
// f7de | dec eax
// c1e80c | mov eax, dword ptr [esi + 8]
// 03f0 | test eax, eax
// 6a00 | jne 0xa3
$sequence_105 = { ff15???????? 8b4d08 57 e8???????? 8bd8 8b4508 }
// n = 6, score = 1100
// ff15???????? |
// 8b4d08 | mov ecx, dword ptr [ebp + 8]
// 57 | push edi
// e8???????? |
// 8bd8 | mov ebx, eax
// 8b4508 | mov eax, dword ptr [ebp + 8]
$sequence_106 = { 448be8 418b4310 41394308 410f474308 4533c0 }
// n = 5, score = 1100
// 448be8 | pop ebx
// 418b4310 | ret
// 41394308 | mov eax, dword ptr [edi + 0x54]
// 410f474308 | test al, 4
// 4533c0 | pop ebx
$sequence_107 = { 50 57 e8???????? e9???????? 68???????? }
// n = 5, score = 1100
// 50 | add eax, 0x13
// 57 | dec eax
// e8???????? |
// e9???????? |
// 68???????? |
$sequence_108 = { 85db 7423 8b0d???????? 0fb701 663d6100 }
// n = 5, score = 1100
// 85db | inc edi
// 7423 | cmp edi, 3
// 8b0d???????? |
// 0fb701 | jb 0xffffffd8
// 663d6100 | test ebx, ebx
$sequence_109 = { 56 57 8d3410 8bf8 b9ff0f0000 23f1 }
// n = 6, score = 1100
// 56 | jne 0xf0
// 57 | dec eax
// 8d3410 | mov eax, dword ptr [esi + 8]
// 8bf8 | dec eax
// b9ff0f0000 | mov ecx, dword ptr [esi]
// 23f1 | test eax, eax
$sequence_110 = { 8a4b1c 488b4558 4c8b4d30 4c8b4510 }
// n = 4, score = 1100
// 8a4b1c | xor edx, edx
// 488b4558 | inc ecx
// 4c8b4d30 | mov ebx, ebp
// 4c8b4510 | je 0x10
$sequence_111 = { 8b4508 83c018 3bd8 740c }
// n = 4, score = 1100
// 8b4508 | add edx, dword ptr [ebx + 0x34]
// 83c018 | jmp 0xd
// 3bd8 | mov eax, dword ptr [ebx + 0x4c]
// 740c | test al, al
$sequence_112 = { 50 ffd7 ff7618 ffd3 }
// n = 4, score = 1000
// 50 | jmp 0x17
// ffd7 | xor edx, edx
// ff7618 | dec ecx
// ffd3 | mov ecx, esp
$sequence_113 = { ff15???????? 488bcf 48870d???????? 483bcf }
// n = 4, score = 1000
// ff15???????? |
// 488bcf | xor ecx, ecx
// 48870d???????? |
// 483bcf | push 3
$sequence_114 = { 8b08 50 ff5108 ff75f4 e8???????? }
// n = 5, score = 1000
// 8b08 | mov dword ptr [ebp - 0x20], eax
// 50 | je 0x220
// ff5108 | xor ecx, ebx
// ff75f4 | mov dword ptr [ebp - 0x20], eax
// e8???????? |
$sequence_115 = { 0f8386000000 488b18 8364245800 33c0 }
// n = 4, score = 1000
// 0f8386000000 | push ecx
// 488b18 | push esi
// 8364245800 | push dword ptr [esp + 0xc]
// 33c0 | leave
$sequence_116 = { 33d2 ff15???????? 483bc3 4c8be8 }
// n = 4, score = 1000
// 33d2 | xor eax, eax
// ff15???????? |
// 483bc3 | cmp eax, edi
// 4c8be8 | xor eax, eax
$sequence_117 = { 83780408 0f84d9000000 488bcb e8???????? }
// n = 4, score = 1000
// 83780408 | jne 0x10
// 0f84d9000000 | cmp dword ptr [ebp + 8], 0
// 488bcb | je 0x10
// e8???????? |
$sequence_118 = { 5b c3 a1???????? 83c040 50 }
// n = 5, score = 1000
// 5b | add esp, 0xc
// c3 | cmp eax, edi
// a1???????? |
// 83c040 | mov dword ptr [ebp - 0x10], eax
// 50 | mov al, byte ptr [esi + 4]
$sequence_119 = { 55 8bec 83ec54 8b06 }
// n = 4, score = 1000
// 55 | dec ecx
// 8bec | mov edi, ebp
// 83ec54 | dec ecx
// 8b06 | cmp eax, ebp
$sequence_120 = { 8b3d???????? 56 ffd7 53 56 }
// n = 5, score = 1000
// 8b3d???????? |
// 56 | mov dword ptr [ebp - 0x10], eax
// ffd7 | add esp, 0xc
// 53 | cmp eax, edi
// 56 | mov dword ptr [ebp - 0x10], eax
$sequence_121 = { 4533c9 4533c0 33d2 c705????????01000000 }
// n = 4, score = 1000
// 4533c9 | leave
// 4533c0 | ret 4
// 33d2 | push ecx
// c705????????01000000 |
$sequence_122 = { 488bc8 ff15???????? 488bce e8???????? 4885c0 488bd8 7427 }
// n = 7, score = 1000
// 488bc8 | mov ecx, esp
// ff15???????? |
// 488bce | dec ecx
// e8???????? |
// 4885c0 | mov edi, ebp
// 488bd8 | dec ecx
// 7427 | cmp eax, ebp
$sequence_123 = { ff15???????? 8ac3 5b c9 c20400 53 56 }
// n = 7, score = 1000
// ff15???????? |
// 8ac3 | push 1
// 5b | push dword ptr [ebp - 0x20]
// c9 | push ecx
// c20400 | push eax
// 53 | push edi
// 56 | push 1
$sequence_124 = { 8bc7 4883c440 415e 415d 415c }
// n = 5, score = 1000
// 8bc7 | jmp 4
// 4883c440 | xor eax, eax
// 415e | cmp eax, edi
// 415d | cmp ebx, edi
// 415c | je 0x16
$sequence_125 = { ff15???????? 4885c0 488bf0 0f8492000000 4885db 744b 488bd3 }
// n = 7, score = 1000
// ff15???????? |
// 4885c0 | inc ecx
// 488bf0 | add ebp, esi
// 0f8492000000 | dec eax
// 4885db | add esi, 8
// 744b | cmp ebp, 5
// 488bd3 | jb 0xffffffca
$sequence_126 = { 488bce ff15???????? 488b0d???????? 33d2 4c63c0 }
// n = 5, score = 1000
// 488bce | cmp eax, edi
// ff15???????? |
// 488b0d???????? |
// 33d2 | je 0x16
// 4c63c0 | mov edx, ebx
$sequence_127 = { ff7514 ff7510 ff7008 ff750c ff7508 e8???????? 0945fc }
// n = 7, score = 1000
// ff7514 | xor eax, eax
// ff7510 | cmp eax, edi
// ff7008 | je 0x1c
// ff750c | jmp 4
// ff7508 | xor eax, eax
// e8???????? |
// 0945fc | cmp eax, edi
$sequence_128 = { eb08 488bce e8???????? 488b5c2440 488b742448 488bc7 4883c430 }
// n = 7, score = 1000
// eb08 | push eax
// 488bce | push edi
// e8???????? |
// 488b5c2440 | push 1
// 488b742448 | push dword ptr [ebp - 0x20]
// 488bc7 | push ecx
// 4883c430 | push eax
$sequence_129 = { 8bf1 05fefeffff 33db 33c9 }
// n = 4, score = 1000
// 8bf1 | add edx, 4
// 05fefeffff | dec dword ptr [esp + 0xc]
// 33db | jne 0xfffffff1
// 33c9 | mov esi, eax
$sequence_130 = { ff15???????? c20400 55 8bec 51 a1???????? 83c040 }
// n = 7, score = 900
// ff15???????? |
// c20400 | je 0x254
// 55 | add esp, 0xc
// 8bec | cmp eax, edi
// 51 | mov dword ptr [ebp - 0x10], eax
// a1???????? |
// 83c040 | je 0x1ef
$sequence_131 = { 41b905000000 488bd8 ff15???????? 488bcb ff15???????? 4533c9 }
// n = 6, score = 900
// 41b905000000 | mov esi, eax
// 488bd8 | cmp esi, ebx
// ff15???????? |
// 488bcb | je 0x45
// ff15???????? |
// 4533c9 | push ebx
$sequence_132 = { 488bd6 ff15???????? eb14 488b0d???????? 4c8bc7 33d2 ff15???????? }
// n = 7, score = 900
// 488bd6 | mov dword ptr [esp + 0x20], ebx
// ff15???????? |
// eb14 | test eax, eax
// 488b0d???????? |
// 4c8bc7 | dec esp
// 33d2 | cmovne ecx, eax
// ff15???????? |
$sequence_133 = { e8???????? 488bcf ff15???????? 488b5c2430 }
// n = 4, score = 900
// e8???????? |
// 488bcf | xor ebx, ebx
// ff15???????? |
// 488b5c2430 | xor ecx, ecx
$sequence_134 = { 4883c208 413bca 7ce6 413bca }
// n = 4, score = 900
// 4883c208 | dec eax
// 413bca | lea ecx, [ebx + eax*8]
// 7ce6 | inc ecx
// 413bca | movzx eax, byte ptr [ecx + 3]
$sequence_135 = { 8b02 43 8acb d3c0 33c6 33442410 8bf0 }
// n = 7, score = 900
// 8b02 | test eax, eax
// 43 | dec eax
// 8acb | mov esi, eax
// d3c0 | je 0xa2
// 33c6 | dec eax
// 33442410 | mov ecx, esi
// 8bf0 | dec eax
$sequence_136 = { 81ffe5030000 750d eb09 ff7618 }
// n = 4, score = 900
// 81ffe5030000 | je 0x10
// 750d | mov edi, dword ptr [eax]
// eb09 | cmp ebp, 5
// ff7618 | jb 0xffffffc3
$sequence_137 = { ff15???????? 4885c0 488bd8 742b }
// n = 4, score = 900
// ff15???????? |
// 4885c0 | push ebx
// 488bd8 | mov esi, eax
// 742b | cmp esi, ebx
$sequence_138 = { ff35???????? ffd3 8bd8 85db 7476 }
// n = 5, score = 900
// ff35???????? |
// ffd3 | cmp eax, edi
// 8bd8 | mov dword ptr [ebp - 0x20], eax
// 85db | je 0x220
// 7476 | xor edi, edi
$sequence_139 = { 4533c9 4889442428 215c2420 4533c0 }
// n = 4, score = 900
// 4533c9 | push dword ptr [ebp - 0x10]
// 4889442428 | push dword ptr [ebp - 0xc]
// 215c2420 | push 0x122
// 4533c0 | push dword ptr [ebp + 8]
$sequence_140 = { 33d2 ff15???????? 33ff 4885ff }
// n = 4, score = 900
// 33d2 | mov esi, 1
// ff15???????? |
// 33ff | mov eax, esi
// 4885ff | dec eax
$sequence_141 = { 488bce ff15???????? 4c8d4c2450 4c8d442458 8d5001 }
// n = 5, score = 900
// 488bce | dec eax
// ff15???????? |
// 4c8d4c2450 | mov dword ptr [esp + 0x20], ebx
// 4c8d442458 | test eax, eax
// 8d5001 | mov ebx, eax
$sequence_142 = { 4c8d442458 8d5001 488bce e8???????? 85c0 7408 }
// n = 6, score = 900
// 4c8d442458 | ret
// 8d5001 | mov eax, dword ptr [edi + 0x54]
// 488bce | test al, 4
// e8???????? |
// 85c0 | mov esi, 1
// 7408 | mov eax, esi
$sequence_143 = { 3dd2100000 7416 a1???????? 83c004 }
// n = 4, score = 900
// 3dd2100000 | je 0x21d
// 7416 | xor ecx, ebx
// a1???????? |
// 83c004 | push ecx
$sequence_144 = { 6a00 ff35???????? ff15???????? 33db 6a01 }
// n = 5, score = 900
// 6a00 | push ebp
// ff35???????? |
// ff15???????? |
// 33db | mov ebp, esp
// 6a01 | sub esp, 0x10
$sequence_145 = { e9???????? 33c9 bb26040000 48870d???????? 4885c9 }
// n = 5, score = 900
// e9???????? |
// 33c9 | cmp esi, ebx
// bb26040000 | je 0x47
// 48870d???????? |
// 4885c9 | mov esi, eax
$sequence_146 = { 8932 83c204 ff4c240c 75e6 }
// n = 4, score = 900
// 8932 | test eax, eax
// 83c204 | dec eax
// ff4c240c | mov ebx, eax
// 75e6 | je 0x2c
$sequence_147 = { 480f45f2 832700 458be0 bb08000000 e8???????? 85c0 }
// n = 6, score = 900
// 480f45f2 | cmp esi, ebx
// 832700 | je 0x47
// 458be0 | push -1
// bb08000000 | push ebx
// e8???????? |
// 85c0 | mov esi, eax
$sequence_148 = { 75e6 5e 5b c20800 }
// n = 4, score = 900
// 75e6 | dec eax
// 5e | test eax, eax
// 5b | dec eax
// c20800 | mov esi, eax
$sequence_149 = { 4c8b05???????? 41be01000000 33c9 418bd6 }
// n = 4, score = 800
// 4c8b05???????? |
// 41be01000000 | je 0x16
// 33c9 | xor esi, esi
// 418bd6 | cmp dword ptr [ebp - 4], esi
$sequence_150 = { 488bc8 ff15???????? 8b05???????? 3d2caedb8b }
// n = 4, score = 800
// 488bc8 | ret 4
// ff15???????? |
// 8b05???????? |
// 3d2caedb8b | mov eax, ebp
$sequence_151 = { 57 895df4 895df0 c745f857000000 bf19010000 }
// n = 5, score = 800
// 57 | je 0x1a
// 895df4 | push ecx
// 895df0 | push edi
// c745f857000000 | push eax
// bf19010000 | call esi
$sequence_152 = { 4489442418 57 4883ec30 488b0d???????? }
// n = 4, score = 800
// 4489442418 | pop ebx
// 57 | pop ecx
// 4883ec30 | ret 4
// 488b0d???????? |
$sequence_153 = { 6a03 8935???????? 8935???????? 8935???????? }
// n = 4, score = 800
// 6a03 | push dword ptr [esp + 0xc]
// 8935???????? |
// 8935???????? |
// 8935???????? |
$sequence_154 = { 448bf0 488bce ff15???????? 488b8c2490000000 8bd8 ff15???????? 33d2 }
// n = 7, score = 800
// 448bf0 | inc ecx
// 488bce | pop esi
// ff15???????? |
// 488b8c2490000000 | inc ecx
// 8bd8 | pop ebp
// ff15???????? |
// 33d2 | inc ecx
$sequence_155 = { a1???????? 25efff0000 0bc2 e9???????? }
// n = 4, score = 800
// a1???????? |
// 25efff0000 | push eax
// 0bc2 | push edi
// e9???????? |
$sequence_156 = { 448bc0 8bd8 33d2 4983c001 }
// n = 4, score = 800
// 448bc0 | push ebx
// 8bd8 | mov esi, eax
// 33d2 | cmp esi, ebx
// 4983c001 | je 0x47
$sequence_157 = { 53 56 8bf1 05fefeffff }
// n = 4, score = 800
// 53 | sbb eax, eax
// 56 | and eax, 6
// 8bf1 | jmp 4
// 05fefeffff | xor eax, eax
$sequence_158 = { 803f2a 750b 4883c701 83c3ff }
// n = 4, score = 800
// 803f2a | mov esi, eax
// 750b | cmp esi, ebx
// 4883c701 | je 0x47
// 83c3ff | mov esi, eax
$sequence_159 = { 458bc4 418bcd e8???????? e9???????? b909010000 e9???????? }
// n = 6, score = 800
// 458bc4 | push 1
// 418bcd | push dword ptr [esp + 0x10]
// e8???????? |
// e9???????? |
// b909010000 | pop ebp
// e9???????? |
$sequence_160 = { 4533c0 33d2 33db ff15???????? 85c0 8bf8 }
// n = 6, score = 800
// 4533c0 | mov esi, eax
// 33d2 | cmp esi, ebx
// 33db | je 0x45
// ff15???????? |
// 85c0 | push -1
// 8bf8 | push ebx
$sequence_161 = { 488364243000 448d4301 4533c9 ba000000c0 }
// n = 4, score = 700
// 488364243000 | push 1
// 448d4301 | pop ebp
// 4533c9 | pop ebx
// ba000000c0 | pop ecx
$sequence_162 = { ff15???????? 488b0d???????? 4c63c0 33d2 4983c00c ff15???????? }
// n = 6, score = 700
// ff15???????? |
// 488b0d???????? |
// 4c63c0 | je 0x12
// 33d2 | push dword ptr [ebp - 4]
// 4983c00c | push esi
// ff15???????? |
$sequence_163 = { 4533c0 33d2 ff15???????? 85c0 7511 ff15???????? }
// n = 6, score = 700
// 4533c0 | je 0x13
// 33d2 | push edi
// ff15???????? |
// 85c0 | push dword ptr [ebp - 4]
// 7511 | push esi
// ff15???????? |
$sequence_164 = { 488b0d???????? 4889040f 4883c708 492bf6 75db }
// n = 5, score = 700
// 488b0d???????? |
// 4889040f | mov eax, 0x800
// 4883c708 | push eax
// 492bf6 | push esi
// 75db | mov dword ptr [ebp - 8], eax
$sequence_165 = { ff15???????? ff75f0 56 ff35???????? ff15???????? }
// n = 5, score = 700
// ff15???????? |
// ff75f0 | push eax
// 56 | call esi
// ff35???????? |
// ff15???????? |
$sequence_166 = { e9???????? 488bcb ff15???????? a810 }
// n = 4, score = 700
// e9???????? |
// 488bcb | push ebx
// ff15???????? |
// a810 | cmp edi, esi
$sequence_167 = { 7433 ff15???????? 3db7000000 751d }
// n = 4, score = 700
// 7433 | pop ecx
// ff15???????? |
// 3db7000000 | ret 4
// 751d | push 0
$sequence_168 = { 488364242000 4c8d8c2480000000 448bc6 498bd5 }
// n = 4, score = 700
// 488364242000 | pop ecx
// 4c8d8c2480000000 | ret 4
// 448bc6 | pop ebx
// 498bd5 | pop ecx
$sequence_169 = { 0fba261f 0f92c0 f6d8 1bc0 }
// n = 4, score = 700
// 0fba261f | ret 4
// 0f92c0 | push 0
// f6d8 | pop ebp
// 1bc0 | pop ebx
$sequence_170 = { 8bc7 5f c20400 55 8bec 83e4f8 81ec9c000000 }
// n = 7, score = 700
// 8bc7 | push eax
// 5f | add esi, 4
// c20400 | push eax
// 55 | add esi, 4
// 8bec | cmp edi, ebx
// 83e4f8 | je 0x18
// 81ec9c000000 | je 0x11
$sequence_171 = { 3bc3 741b e8???????? 85c0 7412 ff7508 e8???????? }
// n = 7, score = 600
// 3bc3 | test eax, eax
// 741b | dec eax
// e8???????? |
// 85c0 | mov ebp, eax
// 7412 | sub esp, 0x48
// ff7508 | push ebx
// e8???????? |
$sequence_172 = { 488d542438 488bcb e8???????? eb02 }
// n = 4, score = 600
// 488d542438 | cmp eax, edi
// 488bcb | je 0x1a
// e8???????? |
// eb02 | jmp 4
$sequence_173 = { 48215c2420 442be6 4c8d8c2480000000 458bc4 488bd5 488bcf ff15???????? }
// n = 7, score = 600
// 48215c2420 | and dword ptr [ebp - 8], 0
// 442be6 | ret 4
// 4c8d8c2480000000 | push ebp
// 458bc4 | mov ebp, esp
// 488bd5 | sub esp, 0xc
// 488bcf | and dword ptr [ebp - 8], 0
// ff15???????? |
$sequence_174 = { 4903ed 448bc6 488bc8 488bd5 }
// n = 4, score = 600
// 4903ed | test eax, eax
// 448bc6 | push 0x10
// 488bc8 | pop eax
// 488bd5 | cmp eax, edi
$sequence_175 = { eb23 6a02 5e 68???????? ff15???????? }
// n = 5, score = 600
// eb23 | push eax
// 6a02 | add esi, 4
// 5e | jne 0x8c
// 68???????? |
// ff15???????? |
$sequence_176 = { 57 4154 4155 4156 4883ec50 488bf1 }
// n = 6, score = 600
// 57 | je 0x10
// 4154 | push edi
// 4155 | mov edi, eax
// 4156 | push dword ptr [ebp + 0x10]
// 4883ec50 | push edi
// 488bf1 | push dword ptr [ebp + 0xc]
$sequence_177 = { c3 488d82204a0000 488982284a0000 488900 }
// n = 4, score = 600
// c3 | pop ebx
// 488d82204a0000 | pop ecx
// 488982284a0000 | ret 4
// 488900 | pop ecx
$sequence_178 = { e8???????? 85c0 751a ff7620 }
// n = 4, score = 600
// e8???????? |
// 85c0 | mov edx, 0x2000
// 751a | sub edx, eax
// ff7620 | mov ecx, dword ptr [edi + 0x30]
$sequence_179 = { ff15???????? 85c0 7423 48215c2420 }
// n = 4, score = 600
// ff15???????? |
// 85c0 | push edi
// 7423 | push eax
// 48215c2420 | call esi
$sequence_180 = { 4885c9 7405 e8???????? 4883c428 c3 488d82204a0000 }
// n = 6, score = 600
// 4885c9 | pop ecx
// 7405 | ret 4
// e8???????? |
// 4883c428 | push 0
// c3 | pop ecx
// 488d82204a0000 | ret 4
$sequence_181 = { 488bf8 7464 48215c2420 8bee }
// n = 4, score = 600
// 488bf8 | test eax, eax
// 7464 | je 0xf
// 48215c2420 | push ecx
// 8bee | push edi
$sequence_182 = { 48215c2420 8bee 4c8d8c2480000000 4903ed }
// n = 4, score = 600
// 48215c2420 | push ebp
// 8bee | mov ebp, esp
// 4c8d8c2480000000 | sub esp, 0xc
// 4903ed | and dword ptr [ebp - 8], 0
$sequence_183 = { 488b0d???????? 33d2 41b80c030000 ff15???????? }
// n = 4, score = 600
// 488b0d???????? |
// 33d2 | push eax
// 41b80c030000 | call esi
// ff15???????? |
$sequence_184 = { e8???????? 483bc3 488905???????? 0f8431020000 817424302083b8ed }
// n = 5, score = 500
// e8???????? |
// 483bc3 | je 0x16
// 488905???????? |
// 0f8431020000 | cmp ebx, edi
// 817424302083b8ed | je 0x18
$sequence_185 = { e8???????? 85c0 0f859b000000 4863533c 488b4608 488b0e 48035334 }
// n = 7, score = 500
// e8???????? |
// 85c0 | sub esp, 0xc
// 0f859b000000 | and dword ptr [ebp - 8], 0
// 4863533c | push edi
// 488b4608 | pop ebx
// 488b0e | ret 4
// 48035334 | push ebp
$sequence_186 = { 0f8480010000 448b484c 41f6c108 7415 4c8d40cc }
// n = 5, score = 500
// 0f8480010000 | push ebx
// 448b484c | mov ebx, 0xea60
// 41f6c108 | push ebx
// 7415 | push dword ptr [ebp + 0xc]
// 4c8d40cc | push 4
$sequence_187 = { e8???????? 85c0 0f8561010000 8b4348 a801 742c }
// n = 6, score = 500
// e8???????? |
// 85c0 | ret 4
// 0f8561010000 | push ebp
// 8b4348 | mov ebp, esp
// a801 | sub esp, 0xc
// 742c | and dword ptr [ebp - 8], 0
$sequence_188 = { 488d542430 4533c9 488bc8 4533c0 ff15???????? 85c0 7409 }
// n = 7, score = 500
// 488d542430 | push edi
// 4533c9 | push eax
// 488bc8 | call esi
// 4533c0 | test eax, eax
// ff15???????? |
// 85c0 | je 0x10
// 7409 | push edi
$sequence_189 = { e8???????? 85c0 0f85e8000000 488b4608 }
// n = 4, score = 500
// e8???????? |
// 85c0 | ret 4
// 0f85e8000000 | push ebp
// 488b4608 | mov ebp, esp
$sequence_190 = { 217b3c eb0b 8b434c 84c0 0f89a3000000 }
// n = 5, score = 500
// 217b3c | mov ebp, esp
// eb0b | sub esp, 0xc
// 8b434c | and dword ptr [ebp - 8], 0
// 84c0 | jne 7
// 0f89a3000000 | push ebx
$sequence_191 = { 84c0 0f89a3000000 8b434c a804 7415 }
// n = 5, score = 500
// 84c0 | mov ebx, 0xea60
// 0f89a3000000 | push ebx
// 8b434c | push dword ptr [ebp + 0xc]
// a804 | jne 7
// 7415 | push ebx
$sequence_192 = { ba10000000 488bc8 e8???????? 48898424e0010000 4885c0 }
// n = 5, score = 400
// ba10000000 | mov ecx, dword ptr [ebp - 0x18]
// 488bc8 | mov ebx, dword ptr [edi + 0x3c]
// e8???????? |
// 48898424e0010000 | mov dword ptr [ebp - 0x10], eax
// 4885c0 | mov eax, edi
$sequence_193 = { 4533c0 ff15???????? 8bd8 83f801 }
// n = 4, score = 400
// 4533c0 | inc ecx
// ff15???????? |
// 8bd8 | lea eax, [ecx - 1]
// 83f801 | inc ebp
$sequence_194 = { 488bf8 4885c0 7427 488d542420 }
// n = 4, score = 400
// 488bf8 | call esi
// 4885c0 | test eax, eax
// 7427 | je 0xe
// 488d542420 | push ecx
$sequence_195 = { 03c6 33d2 468d44385f ff15???????? 4c8bf0 4885c0 }
// n = 6, score = 400
// 03c6 | mov ebp, eax
// 33d2 | dec eax
// 468d44385f | test eax, eax
// ff15???????? |
// 4c8bf0 | dec eax
// 4885c0 | mov ebx, eax
$sequence_196 = { 33d2 33c9 448d4201 e8???????? 488bf8 }
// n = 5, score = 400
// 33d2 | xor edx, edx
// 33c9 | dec eax
// 448d4201 | cmp eax, ebx
// e8???????? |
// 488bf8 | dec esp
$sequence_197 = { e8???????? eb13 488d4b07 4c8d442470 488d542440 e8???????? 8bd8 }
// n = 7, score = 400
// e8???????? |
// eb13 | je 0x16
// 488d4b07 | inc cx
// 4c8d442470 | xor edx, edx
// 488d542440 | dec eax
// e8???????? |
// 8bd8 | mov ecx, ebp
$sequence_198 = { 89442428 488b842410020000 4889442420 e8???????? 8bd8 85c0 0f85f3010000 }
// n = 7, score = 400
// 89442428 | mov ecx, ebp
// 488b842410020000 | inc cx
// 4889442420 | mov eax, 0xd233005c
// e8???????? |
// 8bd8 | dec eax
// 85c0 | mov ecx, ebp
// 0f85f3010000 | ret
$sequence_199 = { 7427 488d542420 b901020000 ff15???????? 85c0 7513 448d4001 }
// n = 7, score = 400
// 7427 | mov dword ptr [ebp - 0x104], ecx
// 488d542420 | mov dword ptr [esp], eax
// b901020000 | mov eax, dword ptr [ebp - 0xc4]
// ff15???????? |
// 85c0 | mov dword ptr [esp + 4], eax
// 7513 | lea edx, [0x253558]
// 448d4001 | mov esi, 0x14
$sequence_200 = { 01cb 30c9 eb59 8b4c242c 0fb6d0 01d1 }
// n = 6, score = 300
// 01cb | mov eax, edi
// 30c9 | lea eax, [ebp + 8]
// eb59 | push eax
// 8b4c242c | push ebx
// 0fb6d0 | mov eax, esi
// 01d1 | test eax, eax
$sequence_201 = { 66833b00 7507 66837b0200 7451 0fb70b 0fb76b02 0fb7d1 }
// n = 7, score = 300
// 66833b00 | push eax
// 7507 | lea eax, [ebp + 8]
// 66837b0200 | push eax
// 7451 | push ebx
// 0fb70b | mov eax, esi
// 0fb76b02 | jne 0x10
// 0fb7d1 | cmp dword ptr [ebp + 8], 0
$sequence_202 = { 01d5 01d3 b101 3b5c2428 0f8266ffffff }
// n = 5, score = 300
// 01d5 | push eax
// 01d3 | push ebx
// b101 | mov eax, esi
// 3b5c2428 | test eax, eax
// 0f8266ffffff | jne 0x1c
$sequence_203 = { 83c304 894c2410 56 90 57 51 8b742420 }
// n = 7, score = 300
// 83c304 | xor edi, edi
// 894c2410 | lea eax, [ebp + 8]
// 56 | push eax
// 90 | push ebx
// 57 | mov eax, esi
// 51 | test eax, eax
// 8b742420 | mov eax, dword ptr [ebp + 0xc]
$sequence_204 = { 89ce 83e603 750c 8b5d10 6601da c1ca03 }
// n = 6, score = 300
// 89ce | push dword ptr [ebp + 8]
// 83e603 | push eax
// 750c | lea eax, [ebp + 8]
// 8b5d10 | push eax
// 6601da | push ebx
// c1ca03 | mov eax, esi
$sequence_205 = { 8b5304 83c304 01f2 8b4c241c 01d1 }
// n = 5, score = 300
// 8b5304 | mov dword ptr [eax], esi
// 83c304 | jmp 0x35
// 01f2 | push 0
// 8b4c241c | je 0xa
// 01d1 | push dword ptr [ebp + 8]
$sequence_206 = { eb67 8044241301 0fb6ca 01cb 30c9 eb59 }
// n = 6, score = 300
// eb67 | jne 0x10
// 8044241301 | cmp dword ptr [ebp + 8], 0
// 0fb6ca | je 0xa
// 01cb | push dword ptr [ebp + 8]
// 30c9 | mov eax, edi
// eb59 | xor edi, edi
$sequence_207 = { 57 51 90 8b742428 8b7c2424 8b4c2420 f3a4 }
// n = 7, score = 300
// 57 | je 0xa
// 51 | push dword ptr [ebp + 8]
// 90 | mov eax, edi
// 8b742428 | pop edi
// 8b7c2424 | cmp dword ptr [ebp + 8], 0
// 8b4c2420 | je 0xe
// f3a4 | push dword ptr [ebp + 8]
$sequence_208 = { 89f8 c1e81e 83e001 898544ffffff }
// n = 4, score = 100
// 89f8 | ret
// c1e81e | mov eax, dword ptr [ebp - 0x10]
// 83e001 | mov ecx, dword ptr [eax*4 + 0x2876014]
// 898544ffffff | mov eax, edi
$sequence_209 = { 75d7 8d45d4 83c001 8945b0 8b45b0 8a08 }
// n = 6, score = 100
// 75d7 | mov dword ptr [eax], eax
// 8d45d4 | dec eax
// 83c001 | cmp eax, ebx
// 8945b0 | je 0x23a
// 8b45b0 | xor dword ptr [esp + 0x30], 0xedb88320
// 8a08 | inc ebp
$sequence_210 = { 8bbd64fdffff 897e08 8b9d68fdffff 891e c7460cfe308702 }
// n = 5, score = 100
// 8bbd64fdffff | mov dword ptr [ebp - 4], eax
// 897e08 | mov dword ptr [ebp - 8], ecx
// 8b9d68fdffff | mov ecx, eax
// 891e | mov edi, dword ptr [ebp - 0x29c]
// c7460cfe308702 | mov dword ptr [esi + 8], edi
$sequence_211 = { c744240400000000 898dfcfeffff e8???????? 890424 8b853cffffff 89442404 e8???????? }
// n = 7, score = 100
// c744240400000000 | dec eax
// 898dfcfeffff | lea eax, [edx + 0x4a20]
// e8???????? |
// 890424 | dec eax
// 8b853cffffff | mov dword ptr [edx + 0x4a28], eax
// 89442404 | je 7
// e8???????? |
$sequence_212 = { 0f95c3 80e301 0fb6c3 89854cfdffff 8b854cfdffff 81c4d0020000 }
// n = 6, score = 100
// 0f95c3 | shr eax, 0x1e
// 80e301 | and eax, 1
// 0fb6c3 | mov dword ptr [ebp - 0xbc], eax
// 89854cfdffff | setne bl
// 8b854cfdffff | and bl, 1
// 81c4d0020000 | movzx eax, bl
$sequence_213 = { 8955e4 897de0 8975dc 894dd8 0f84b8000000 31c0 8b4de8 }
// n = 7, score = 100
// 8955e4 | dec eax
// 897de0 | cmp eax, ebx
// 8975dc | je 0x23a
// 894dd8 | xor dword ptr [esp + 0x30], 0xedb88320
// 0f84b8000000 | dec eax
// 31c0 | lea ecx, [esp + 0x30]
// 8b4de8 | inc esp
$sequence_214 = { 8b5f3c 8945f0 89f8 01d8 813c1f50450000 0f44c8 8b45f0 }
// n = 7, score = 100
// 8b5f3c | mov ecx, edi
// 8945f0 | inc ebp
// 89f8 | xor eax, eax
// 01d8 | dec eax
// 813c1f50450000 | cmp eax, ebx
// 0f44c8 | je 0x9a
// 8b45f0 | dec eax
$sequence_215 = { 83ec28 31c0 31c9 8945fc 894df8 e8???????? 89c1 }
// n = 7, score = 100
// 83ec28 | mov dword ptr [ebp - 0x2b4], eax
// 31c0 | mov eax, dword ptr [ebp - 0x2b4]
// 31c9 | add esp, 0x2d0
// 8945fc | sub esp, 0x28
// 894df8 | xor eax, eax
// e8???????? |
// 89c1 | xor ecx, ecx
$sequence_216 = { c744240400000000 8955d4 e8???????? 8d0d96318702 890424 894c2404 e8???????? }
// n = 7, score = 100
// c744240400000000 | mov dword ptr [esi], ebp
// 8955d4 | jmp 4
// e8???????? |
// 8d0d96318702 | xor ebx, ebx
// 890424 | mov dword ptr [esp + 4], 0
// 894c2404 | mov dword ptr [ebp - 0x2c], edx
// e8???????? |
$sequence_217 = { 894d80 7456 31c0 8d4db8 ba18000000 8b7580 8b3e }
// n = 7, score = 100
// 894d80 | mov dword ptr [edx + 0x4a28], eax
// 7456 | dec eax
// 31c0 | mov dword ptr [eax], eax
// 8d4db8 | je 7
// ba18000000 | dec eax
// 8b7580 | add esp, 0x28
// 8b3e | ret
$sequence_218 = { 56 8985d0fbffff 8995ccfbffff 898dc8fbffff ffd7 83f800 }
// n = 6, score = 100
// 56 | lea ecx, [0x2873196]
// 8985d0fbffff | mov dword ptr [esp], eax
// 8995ccfbffff | mov dword ptr [esp + 4], ecx
// 898dc8fbffff | push esi
// ffd7 | mov dword ptr [ebp - 0x430], eax
// 83f800 | mov dword ptr [ebp - 0x434], edx
$sequence_219 = { 8d1558352500 be14000000 8d3d89342500 8b9d50ffffff }
// n = 4, score = 100
// 8d1558352500 | dec eax
// be14000000 | add esp, 0x28
// 8d3d89342500 | ret
// 8b9d50ffffff | dec eax
$sequence_220 = { 89461c 890c24 c744240400000000 8955dc e8???????? 8d0d77318702 890424 }
// n = 7, score = 100
// 89461c | mov ebx, dword ptr [ebp - 0x298]
// 890c24 | mov dword ptr [esi], ebx
// c744240400000000 | mov dword ptr [esi + 0xc], 0x28730fe
// 8955dc | mov dword ptr [esi + 0x1c], eax
// e8???????? |
// 8d0d77318702 | mov dword ptr [esp], ecx
// 890424 | mov dword ptr [esp + 4], 0
$sequence_221 = { 898528ffffff 75d5 8d0524342500 31c9 890424 c744240400000000 }
// n = 6, score = 100
// 898528ffffff | xor eax, eax
// 75d5 | dec eax
// 8d0524342500 | cmp eax, ebx
// 31c9 | je 0x94
// 890424 | dec eax
// c744240400000000 | lea ecx, [esp + 0x30]
$sequence_222 = { 83ec18 8b450c 8b4d08 89ca }
// n = 4, score = 100
// 83ec18 | lea eax, [edx + 0x4a20]
// 8b450c | dec eax
// 8b4d08 | mov dword ptr [edx + 0x4a28], eax
// 89ca | dec eax
$sequence_223 = { eb06 83c414 5b 5d c3 8b45f0 8b0c8514608702 }
// n = 7, score = 100
// eb06 | mov dword ptr [ebp - 0x438], ecx
// 83c414 | call edi
// 5b | cmp eax, 0
// 5d | jmp 8
// c3 | add esp, 0x14
// 8b45f0 | pop ebx
// 8b0c8514608702 | pop ebp
condition:
7 of them and filesize < 2940928
} | |