// [TLP:WHITE] win_isfb_auto (20211008 | Detects win.isfb.)
rule win_isfb_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2021-10-07"
version = "1"
description = "Detects win.isfb."
info = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.6.0"
signator_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb"
malpedia_rule_date = "20211007"
malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
malpedia_version = "20211008"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
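/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation are published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as the data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*
* NOTE(review): in this listing the mnemonic printed beside each byte group
* does not correspond to those bytes (e.g. eb02 is a short jmp and 33c0 is
* xor eax, eax, not the mov/pop shown), and the 64-bit patterns with a REX
* prefix (48..., 4c...) are annotated as 32-bit code. Only the hex patterns
* are matched by YARA; rely on them, not on the comments, during triage.
*/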
strings:
$sequence_0 = { eb02 33c0 3bc7 7414 }
// n = 4, score = 3100
// eb02 | mov edi, esi
// 33c0 | pop edi
// 3bc7 | and dword ptr [ebx + 0x28], 0
// 7414 | mov eax, dword ptr [ebx + 0x30]
$sequence_1 = { 57 50 ffd6 85c0 7408 }
// n = 5, score = 2900
// 57 | push eax
// 50 | add esp, 0xc
// ffd6 | cmp eax, edi
// 85c0 | add esp, 0xc
// 7408 | cmp eax, edi
$sequence_2 = { 6a10 58 e8???????? 3bc7 }
// n = 4, score = 2600
// 6a10 | mov eax, dword ptr [ebx + 0x30]
// 58 | test al, 0x40
// e8???????? |
// 3bc7 | je 0xe8
$sequence_3 = { 50 33c0 e8???????? 3bc7 }
// n = 4, score = 2600
// 50 | je 0xe8
// 33c0 | mov esi, dword ptr [ebx + 0x34]
// e8???????? |
// 3bc7 | lea eax, dword ptr [esp + 0x18]
$sequence_4 = { 8b35???????? 7414 8d4dfc 51 }
// n = 4, score = 2500
// 8b35???????? |
// 7414 | mov ebx, 0x7f
// 8d4dfc | dec eax
// 51 | add esi, 8
$sequence_5 = { 85c0 740f 8b45fc 03c0 }
// n = 4, score = 2400
// 85c0 | pop ebp
// 740f | pop ebx
// 8b45fc | ret
// 03c0 | mov eax, dword ptr [edi + 0x54]
$sequence_6 = { ff75f4 6822010000 e9???????? ff7508 }
// n = 4, score = 2400
// ff75f4 | test eax, eax
// 6822010000 | jne 9
// e9???????? |
// ff7508 | xor ebx, ebx
$sequence_7 = { a3???????? 3bdf 7414 a1???????? }
// n = 4, score = 2300
// a3???????? |
// 3bdf | je 0xf
// 7414 | mov dword ptr [esi], eax
// a1???????? |
$sequence_8 = { 33c0 3bc7 8b35???????? 7414 }
// n = 4, score = 2300
// 33c0 | cmp edi, 3
// 3bc7 | test eax, eax
// 8b35???????? |
// 7414 | je 0xf
$sequence_9 = { ff35???????? e8???????? 8bf0 3bf3 7443 }
// n = 5, score = 2200
// ff35???????? |
// e8???????? |
// 8bf0 | cmp ebp, 5
// 3bf3 | jb 0xffffffc3
// 7443 | jmp 0x10
$sequence_10 = { e8???????? 83c40c e8???????? 3bc7 8945f0 }
// n = 5, score = 2200
// e8???????? |
// 83c40c | test al, 4
// e8???????? |
// 3bc7 | pop ebx
// 8945f0 | ret
$sequence_11 = { 8d45f8 50 e8???????? 8bf8 3bfb }
// n = 5, score = 2100
// 8d45f8 | inc edi
// 50 | test eax, eax
// e8???????? |
// 8bf8 | je 0xf
// 3bfb | mov dword ptr [esi], eax
$sequence_12 = { ff35???????? ff15???????? 85c0 a3???????? 7402 }
// n = 5, score = 2100
// ff35???????? |
// ff15???????? |
// 85c0 | mov dword ptr [edi], edx
// a3???????? |
// 7402 | jne 0xffffffee
$sequence_13 = { 7506 84e4 7704 3ac0 }
// n = 4, score = 1800
// 7506 | push eax
// 84e4 | push dword ptr [ebp + 0x10]
// 7704 | push ecx
// 3ac0 | push eax
$sequence_14 = { ff15???????? 3c05 7506 84e4 }
// n = 4, score = 1800
// ff15???????? |
// 3c05 | push ecx
// 7506 | push eax
// 84e4 | push dword ptr [ebp + 0x10]
$sequence_15 = { c20400 55 8bec 83ec0c a1???????? 8365f800 57 }
// n = 7, score = 1800
// c20400 | mov eax, dword ptr [esp + 0x18]
// 55 | mov dword ptr [ecx + 0x10], eax
// 8bec | and dword ptr [ebx + 0x34], 0xfffffff9
// 83ec0c | mov dword ptr [ebx + 0x2c], 1
// a1???????? |
// 8365f800 | mov eax, dword ptr [ebx + 0x34]
// 57 | sub ecx, dword ptr [ebx + 0x28]
$sequence_16 = { 8901 8b45fc 5f 5e 5b c9 c20800 }
// n = 7, score = 1800
// 8901 | cmp ebp, 5
// 8b45fc | jb 0xffffffc3
// 5f | jmp 0x10
// 5e | mov ebx, 0x7f
// 5b | jmp 0x10
// c9 | mov ebx, 0x7e
// c20800 | jb 0xffffffc3
$sequence_17 = { 7505 b8???????? 53 bb60ea0000 53 ff750c }
// n = 6, score = 1700
// 7505 | mov ebx, 0x7f
// b8???????? |
// 53 | cmp ebp, 5
// bb60ea0000 | jb 0xffffffc3
// 53 | jmp 0x10
// ff750c | mov ebx, 0x7f
$sequence_18 = { 0155fc 83451004 83c004 49 8917 75e9 8b4e10 }
// n = 7, score = 1700
// 0155fc | mov eax, dword ptr [ebp - 4]
// 83451004 | pop edi
// 83c004 | pop esi
// 49 | pop ebx
// 8917 | leave
// 75e9 | ret 8
// 8b4e10 | push eax
$sequence_19 = { 2b55fc 8b7d10 0155fc 83451004 }
// n = 4, score = 1700
// 2b55fc | push 0
// 8b7d10 | push 0
// 0155fc | push dword ptr [ebp - 0x10]
// 83451004 | push dword ptr [ebp - 0xc]
$sequence_20 = { 7417 8b10 2b55fc 8b7d10 }
// n = 4, score = 1700
// 7417 | push 0x122
// 8b10 | push dword ptr [ebp + 8]
// 2b55fc | push 0
// 8b7d10 | push 0
$sequence_21 = { 50 ff7510 e8???????? 83c40c c745fc01000000 8b4610 }
// n = 6, score = 1700
// 50 | push edi
// ff7510 | push dword ptr [ebp + 8]
// e8???????? |
// 83c40c | push 1
// c745fc01000000 | xor ebx, ebx
// 8b4610 | push ebx
$sequence_22 = { 6a04 50 57 e8???????? e9???????? ff7508 }
// n = 6, score = 1700
// 6a04 | jmp 0xe
// 50 | mov ebx, 0x7f
// 57 | jmp 0xe
// e8???????? |
// e9???????? |
// ff7508 | cmp ebp, 5
$sequence_23 = { 83e103 740d 51 50 ff7510 }
// n = 5, score = 1700
// 83e103 | push dword ptr [ebp + 8]
// 740d | push 0
// 51 | push dword ptr [ebp - 0xc]
// 50 | push 0x122
// ff7510 | push dword ptr [ebp + 8]
$sequence_24 = { 8bc6 5e c9 c21000 55 8bec 83ec14 }
// n = 7, score = 1700
// 8bc6 | cmp eax, edi
// 5e | mov dword ptr [ebp - 0x10], eax
// c9 | je 0x1ed
// c21000 | push edi
// 55 | mov dword ptr [ebp - 0x20], eax
// 8bec | je 0x220
// 83ec14 | xor ecx, ebx
$sequence_25 = { ff7320 e8???????? 8b4320 897324 897328 83c40c 8974240c }
// n = 7, score = 1600
// ff7320 | mov dword ptr [ebp + 8], ebx
// e8???????? |
// 8b4320 | jmp 0xc
// 897324 | mov ebx, dword ptr [ebp + 8]
// 897328 | test eax, eax
// 83c40c | jne 9
// 8974240c | xor ebx, ebx
$sequence_26 = { e8???????? 85c0 740d 8906 83c604 47 }
// n = 6, score = 1600
// e8???????? |
// 85c0 | mov ecx, dword ptr [esi + 0x10]
// 740d | and ecx, 3
// 8906 | je 0xf
// 83c604 | push ecx
// 47 | push eax
$sequence_27 = { 8a4604 2404 f6d8 1bc0 83e006 }
// n = 5, score = 1600
// 8a4604 | test eax, eax
// 2404 | je 0xf
// f6d8 | mov dword ptr [esi], eax
// 1bc0 | add esi, 4
// 83e006 | inc edi
$sequence_28 = { 57 8b3b 897c241c 760a 8b4b20 }
// n = 5, score = 1600
// 57 | push 0
// 8b3b | push 0
// 897c241c | push edi
// 760a | push dword ptr [ebp + 8]
// 8b4b20 | push 0
$sequence_29 = { 2b4b28 894c2410 8b4b34 f6c140 }
// n = 4, score = 1600
// 2b4b28 | jmp 0xa
// 894c2410 | jne 9
// 8b4b34 | xor ebx, ebx
// f6c140 | mov dword ptr [ebp + 8], ebx
$sequence_30 = { ff15???????? 2b442414 50 8b07 }
// n = 4, score = 1600
// ff15???????? |
// 2b442414 | push 0
// 50 | push eax
// 8b07 | push edi
$sequence_31 = { 83ec14 8364240400 53 8b5d0c 837b240c }
// n = 5, score = 1600
// 83ec14 | push 0
// 8364240400 | push 0
// 53 | test eax, eax
// 8b5d0c | jne 9
// 837b240c | xor ebx, ebx
$sequence_32 = { 8b442418 894110 836334f9 c7432c01000000 }
// n = 4, score = 1600
// 8b442418 | push eax
// 894110 | push edi
// 836334f9 | push 1
// c7432c01000000 | push dword ptr [ebp - 0x20]
$sequence_33 = { 83c40c 8974240c c6401a00 8b44240c }
// n = 4, score = 1600
// 83c40c | push dword ptr [ebp + 8]
// 8974240c | push 0
// c6401a00 | push edi
// 8b44240c | push dword ptr [ebp + 8]
$sequence_34 = { e8???????? 8b07 c6400731 8b74241c 8b1e }
// n = 5, score = 1600
// e8???????? |
// 8b07 | push 4
// c6400731 | push eax
// 8b74241c | push edi
// 8b1e | push dword ptr [ebp + 8]
$sequence_35 = { 85ff 750e 837d0800 7408 }
// n = 4, score = 1500
// 85ff | mov edi, eax
// 750e | push dword ptr [ebp + 0x10]
// 837d0800 | push edi
// 7408 | push dword ptr [ebp + 0xc]
$sequence_36 = { 837d0800 7408 ff7508 e8???????? 8bc7 }
// n = 5, score = 1500
// 837d0800 | mov esi, dword ptr [ebp + 8]
// 7408 | xor esi, esi
// ff7508 | cmp dword ptr [ebp - 4], esi
// e8???????? |
// 8bc7 | je 0x15
$sequence_37 = { 8bec 83ec48 53 8b5d08 56 57 33ff }
// n = 7, score = 1500
// 8bec | push 0x122
// 83ec48 | push dword ptr [ebp + 8]
// 53 | push 0
// 8b5d08 | push 0
// 56 | push dword ptr [ebp + 8]
// 57 | push dword ptr [ebp - 0x10]
// 33ff | push dword ptr [ebp - 0xc]
$sequence_38 = { 837d1800 b8???????? 7505 b8???????? }
// n = 4, score = 1500
// 837d1800 | mov eax, 0x400
// b8???????? |
// 7505 | dec esp
// b8???????? |
$sequence_39 = { 75cf 33ff 3bf7 741c }
// n = 4, score = 1500
// 75cf | test eax, eax
// 33ff | je 9
// 3bf7 | sub esi, 0x64
// 741c | mov al, byte ptr [esi + 4]
$sequence_40 = { 752f 8b450c 8930 eb33 6a00 }
// n = 5, score = 1500
// 752f | push dword ptr [ebp + 0x10]
// 8b450c | push edi
// 8930 | push dword ptr [ebp + 0xc]
// eb33 | push ebx
// 6a00 | cmp edi, esi
$sequence_41 = { bf04010000 e8???????? 8bf0 85f6 7453 57 56 }
// n = 7, score = 1500
// bf04010000 | push eax
// e8???????? |
// 8bf0 | push edi
// 85f6 | push 1
// 7453 | push dword ptr [ebp - 0x20]
// 57 | mov esi, eax
// 56 | push edi
$sequence_42 = { eb03 6a08 5e 5f 8bc6 5e c9 }
// n = 7, score = 1500
// eb03 | push edi
// 6a08 | push eax
// 5e | call esi
// 5f | test eax, eax
// 8bc6 | je 0xf
// 5e | push ecx
// c9 | push edi
$sequence_43 = { 6a01 33db 53 ff35???????? }
// n = 4, score = 1500
// 6a01 | mov esi, eax
// 33db | cmp esi, ebx
// 53 | push 0x122
// ff35???????? |
$sequence_44 = { 50 8d4508 50 53 8bc6 e8???????? 85c0 }
// n = 7, score = 1500
// 50 | je 0x12
// 8d4508 | je 0x12
// 50 | push dword ptr [ebp - 4]
// 53 | push esi
// 8bc6 | push ebx
// e8???????? |
// 85c0 | push esi
$sequence_45 = { 8d043f 50 e8???????? 8bf0 85f6 75cf }
// n = 6, score = 1500
// 8d043f | cmp eax, edi
// 50 | mov dword ptr [ebp - 0x10], eax
// e8???????? |
// 8bf0 | je 0x1ed
// 85f6 | push edi
// 75cf | add esp, 0xc
$sequence_46 = { 33ff eb0b 33ff eb03 }
// n = 4, score = 1500
// 33ff | push esi
// eb0b | push dword ptr [ebp + 0xc]
// 33ff | push ebx
// eb03 | cmp edi, esi
$sequence_47 = { 488bcf c744242860ea0000 4c0f45c8 48895c2420 e8???????? }
// n = 5, score = 1500
// 488bcf | dec eax
// c744242860ea0000 | mov ecx, edi
// 4c0f45c8 | mov dword ptr [esp + 0x28], 0xea60
// 48895c2420 | dec esp
// e8???????? |
$sequence_48 = { 41c1e003 ff15???????? 4885c0 488be8 }
// n = 4, score = 1400
// 41c1e003 | dec eax
// ff15???????? |
// 4885c0 | add edx, dword ptr [ebx + 0x34]
// 488be8 | inc ecx
$sequence_49 = { 83c604 47 83ff03 72d6 }
// n = 4, score = 1400
// 83c604 | mov edx, ecx
// 47 | add ecx, 0x28
// 83ff03 | dec esi
// 72d6 | je 0x6e
$sequence_50 = { ff35???????? ffd7 85c0 8945f0 0f844b020000 }
// n = 5, score = 1400
// ff35???????? |
// ffd7 | mov esi, 1
// 85c0 | mov eax, esi
// 8945f0 | dec eax
// 0f844b020000 | add esp, 0x40
$sequence_51 = { 56 ff15???????? 50 ff15???????? 215df8 e9???????? }
// n = 6, score = 1400
// 56 | push 0
// ff15???????? |
// 50 | push dword ptr [ebp - 0xc]
// ff15???????? |
// 215df8 | push 0x122
// e9???????? |
$sequence_52 = { 53 6a16 ff7618 895df4 }
// n = 4, score = 1400
// 53 | pop esp
// 6a16 | mov esi, 1
// ff7618 | mov eax, esi
// 895df4 | dec eax
$sequence_53 = { 50 57 6a01 ff75e0 68???????? e8???????? }
// n = 6, score = 1400
// 50 | cmp esi, ebx
// 57 | je 0x45
// 6a01 | push ebx
// ff75e0 | mov esi, eax
// 68???????? |
// e8???????? |
$sequence_54 = { ff75fc 6a0d 58 e8???????? 85c0 }
// n = 5, score = 1400
// ff75fc | mov dword ptr [esi], ecx
// 6a0d | mov ecx, dword ptr [esp + 0xc]
// 58 | mov dword ptr [ecx], edx
// e8???????? |
// 85c0 | je 0x66
$sequence_55 = { ff35???????? ffd7 33ff 3bc7 8945e0 0f8417020000 }
// n = 6, score = 1400
// ff35???????? |
// ffd7 | ret
// 33ff | mov eax, dword ptr [edi + 0x54]
// 3bc7 | test al, 4
// 8945e0 | mov esi, 1
// 0f8417020000 | mov eax, esi
$sequence_56 = { 498bcc ff15???????? 33db 66ba2000 498bcc }
// n = 5, score = 1400
// 498bcc | dec eax
// ff15???????? |
// 33db | mov eax, dword ptr [esi + 8]
// 66ba2000 | dec eax
// 498bcc | mov ecx, dword ptr [esi]
$sequence_57 = { 8bd1 83c128 4e 7404 }
// n = 4, score = 1400
// 8bd1 | mov edi, dword ptr [ebp + 0x10]
// 83c128 | add dword ptr [ebp - 4], edx
// 4e | add dword ptr [ebp + 0x10], 4
// 7404 | add eax, 4
$sequence_58 = { e8???????? 85c0 742d ff75fc 6a0d }
// n = 5, score = 1400
// e8???????? |
// 85c0 | add dword ptr [ebp - 4], edx
// 742d | add dword ptr [ebp + 0x10], 4
// ff75fc | add dword ptr [ebp + 0x10], 4
// 6a0d | add eax, 4
$sequence_59 = { be01000000 8bc6 4883c440 415e }
// n = 4, score = 1400
// be01000000 | test al, 4
// 8bc6 | pop edi
// 4883c440 | pop esi
// 415e | pop ebp
$sequence_60 = { 8b742408 890e 8b4c240c 8911 }
// n = 4, score = 1400
// 8b742408 | mov dword ptr [edi], edx
// 890e | mov edx, dword ptr [eax]
// 8b4c240c | sub edx, dword ptr [ebp - 4]
// 8911 | mov edi, dword ptr [ebp + 0x10]
$sequence_61 = { 8945e0 0f8417020000 8b0d???????? 33cb }
// n = 4, score = 1400
// 8945e0 | pop ebx
// 0f8417020000 | ret
// 8b0d???????? |
// 33cb | mov eax, dword ptr [edi + 0x54]
$sequence_62 = { 6a16 ff7618 ffd7 85c0 }
// n = 4, score = 1400
// 6a16 | dec eax
// ff7618 | add esp, 0x40
// ffd7 | inc ecx
// 85c0 | pop esi
$sequence_63 = { 53 b800080000 50 56 ff35???????? }
// n = 5, score = 1400
// 53 | mov dword ptr [ebp - 0xc8], eax
// b800080000 | mov dword ptr [ebp - 0x90], edx
// 50 | mov dword ptr [ebp - 0xa0], ecx
// 56 | mov ecx, dword ptr [ebp - 0x420]
// ff35???????? |
$sequence_64 = { 488bcf ff15???????? 4c8964dd00 83c301 }
// n = 4, score = 1400
// 488bcf | jne 0xa1
// ff15???????? |
// 4c8964dd00 | dec eax
// 83c301 | arpl word ptr [ebx + 0x3c], dx
$sequence_65 = { 8b4a0c 3bc8 7415 8b5210 3bd0 }
// n = 5, score = 1400
// 8b4a0c | mov edi, dword ptr [ebp + 0x10]
// 3bc8 | add dword ptr [ebp - 4], edx
// 7415 | add dword ptr [ebp + 0x10], 4
// 8b5210 | add eax, 4
// 3bd0 | dec ecx
$sequence_66 = { 5b c3 8b4754 a804 }
// n = 4, score = 1400
// 5b | cmovne ecx, eax
// c3 | dec eax
// 8b4754 | mov dword ptr [esp + 0x20], ebx
// a804 | mov dword ptr [esp + 0x28], 0xea60
$sequence_67 = { 895df4 895dfc ffd7 8b45fc }
// n = 4, score = 1400
// 895df4 | pop esp
// 895dfc | pop edi
// ffd7 | mov esi, 1
// 8b45fc | mov eax, esi
$sequence_68 = { ffd7 ff750c ff15???????? a810 ff750c 7535 }
// n = 6, score = 1300
// ffd7 | inc ecx
// ff750c | pop esi
// ff15???????? |
// a810 | inc ecx
// ff750c | pop ebp
// 7535 | inc ecx
$sequence_69 = { ffd6 8b4df4 66c7015c00 eb0f 68???????? }
// n = 5, score = 1300
// ffd6 | mov esi, 1
// 8b4df4 | mov eax, esi
// 66c7015c00 | dec eax
// eb0f | add esp, 0x40
// 68???????? |
$sequence_70 = { 8bd5 488bcf bb57000000 e8???????? }
// n = 4, score = 1300
// 8bd5 | pop ebx
// 488bcf | ret
// bb57000000 | mov eax, dword ptr [edi + 0x54]
// e8???????? |
$sequence_71 = { 4883c608 83fd05 72c1 eb0c bb7f000000 }
// n = 5, score = 1300
// 4883c608 | dec eax
// 83fd05 | mov dword ptr [esp + 0x20], ebx
// 72c1 | test eax, eax
// eb0c | mov ebx, eax
// bb7f000000 | mov dword ptr [esp + 0x28], 0xea60
$sequence_72 = { 6641b85c00 33d2 488bcd ff15???????? }
// n = 4, score = 1300
// 6641b85c00 | dec eax
// 33d2 | mov ebx, edi
// 488bcd | mov esi, edi
// ff15???????? |
$sequence_73 = { ff15???????? 488bdf 8bf7 483bdf }
// n = 4, score = 1300
// ff15???????? |
// 488bdf | pop esi
// 8bf7 | pop ebp
// 483bdf | pop ebx
$sequence_74 = { ba08000000 b90e010000 41b800000100 4889442420 e8???????? e9???????? }
// n = 6, score = 1300
// ba08000000 | and dword ptr [ebp - 8], 0
// b90e010000 | ret 4
// 41b800000100 | push ebp
// 4889442420 | mov ebp, esp
// e8???????? |
// e9???????? |
$sequence_75 = { ff7510 ff15???????? 3bc3 8b35???????? 8b3d???????? }
// n = 5, score = 1300
// ff7510 | mov eax, dword ptr [edi + 0x54]
// ff15???????? |
// 3bc3 | test al, 4
// 8b35???????? |
// 8b3d???????? |
$sequence_76 = { a3???????? 7402 ffe0 c20400 55 8bec 83ec10 }
// n = 7, score = 1300
// a3???????? |
// 7402 | push 0xd
// ffe0 | pop eax
// c20400 | test eax, eax
// 55 | je 0x12
// 8bec | mov dword ptr [esi], eax
// 83ec10 | test eax, eax
$sequence_77 = { 448bc5 488bd7 e8???????? 8bd8 }
// n = 4, score = 1300
// 448bc5 | je 0xea
// 488bd7 | mov esi, edi
// e8???????? |
// 8bd8 | mov edi, esi
$sequence_78 = { 83bc248800000000 4c8b442440 488b542448 894c2430 }
// n = 4, score = 1200
// 83bc248800000000 | dec eax
// 4c8b442440 | cmp ebx, edi
// 488b542448 | jne 0xf
// 894c2430 | xor edx, edx
$sequence_79 = { ff5214 8bf7 8bfe e8???????? 5f 5e }
// n = 6, score = 1200
// ff5214 | mov dword ptr [esp + 0x28], 0xea60
// 8bf7 | dec esp
// 8bfe | cmovne ecx, eax
// e8???????? |
// 5f | dec eax
// 5e | mov dword ptr [esp + 0x20], ebx
$sequence_80 = { 56 ff35???????? 8945f8 ff15???????? 8bd8 3bde }
// n = 6, score = 1200
// 56 | mov dword ptr [ebp - 0x18], ecx
// ff35???????? |
// 8945f8 | je 0x1c
// ff15???????? |
// 8bd8 | mov ecx, dword ptr [ebp - 0x24]
// 3bde | mov dword ptr [ebp - 0x28], eax
$sequence_81 = { 85ff 0f845d010000 8b4730 a808 7412 }
// n = 5, score = 1200
// 85ff | je 0x161
// 0f845d010000 | dec eax
// 8b4730 | lea edx, dword ptr [esp + 0x1d8]
// a808 | dec eax
// 7412 | lea ecx, dword ptr [esp + 0x54]
$sequence_82 = { 7509 83632800 e9???????? 8b4330 a840 0f84e2000000 8b7334 }
// n = 7, score = 1200
// 7509 | mov ebp, esp
// 83632800 | sub esp, 0xc
// e9???????? |
// 8b4330 | and dword ptr [ebp - 8], 0
// a840 | push edi
// 0f84e2000000 | mov eax, esi
// 8b7334 | pop esi
$sequence_83 = { c744242000010000 ff15???????? 4883f8ff 488bf8 7442 }
// n = 5, score = 1200
// c744242000010000 | cmp eax, esi
// ff15???????? |
// 4883f8ff | je 0x1f
// 488bf8 | dec esp
// 7442 | lea eax, dword ptr [esp + 0x88]
$sequence_84 = { a3???????? a3???????? a3???????? a1???????? 83e0fb 0bc2 50 }
// n = 7, score = 1200
// a3???????? |
// a3???????? |
// a3???????? |
// a1???????? |
// 83e0fb | mov eax, 0x800
// 0bc2 | push eax
// 50 | push esi
$sequence_85 = { ff7510 57 ff750c 53 e8???????? 3bfe 740e }
// n = 7, score = 1200
// ff7510 | mov dword ptr [edx + 0x3c], esi
// 57 | mov dword ptr [edx + 0x40], 5
// ff750c | mov dword ptr [edx + 0x44], 0x1818
// 53 | mov dword ptr [edx + 0x48], 0x1a000
// e8???????? |
// 3bfe | mov edi, dword ptr [ebp - 0x1c]
// 740e | mov dword ptr [ebp - 0x24], eax
$sequence_86 = { 8b7508 e8???????? 33f6 3975fc }
// n = 4, score = 1200
// 8b7508 | dec eax
// e8???????? |
// 33f6 | mov eax, ecx
// 3975fc | dec eax
$sequence_87 = { 0f84e2000000 8b7334 8d442418 50 }
// n = 4, score = 1200
// 0f84e2000000 | leave
// 8b7334 | ret 0x10
// 8d442418 | push ebp
// 50 | mov ebp, esp
$sequence_88 = { 8be5 5d c20800 8b4330 a804 0f8451ffffff }
// n = 6, score = 1200
// 8be5 | and al, 4
// 5d | neg al
// c20800 | sbb eax, eax
// 8b4330 | and eax, 6
// a804 | mov dword ptr [esp + 0x28], 0xea60
// 0f8451ffffff | dec esp
$sequence_89 = { eb0b 8b4f30 84c9 0f8992000000 8b4f30 f6c104 7414 }
// n = 7, score = 1200
// eb0b | cmp eax, ebx
// 8b4f30 | jg 0xffffffc1
// 84c9 | add edi, 1
// 0f8992000000 | dec eax
// 8b4f30 | lea ecx, dword ptr [esp + 0x6c]
// f6c104 | mov dx, 0x2e
// 7414 | dec eax
$sequence_90 = { ff15???????? 53 56 ff35???????? ff15???????? 5b 5f }
// n = 7, score = 1200
// ff15???????? |
// 53 | mov eax, dword ptr [ebp - 0x94]
// 56 | mov dword ptr [eax], 1
// ff35???????? |
// ff15???????? |
// 5b | mov eax, dword ptr [ebp - 0x98]
// 5f | movups xmmword ptr [eax], xmm0
$sequence_91 = { 752e 53 e8???????? 6a01 6a01 }
// n = 5, score = 1200
// 752e | dec eax
// 53 | mov dword ptr [esp + 0x10], ebp
// e8???????? |
// 6a01 | dec eax
// 6a01 | mov eax, ecx
$sequence_92 = { 0f854affffff 894330 e9???????? 55 8bec }
// n = 5, score = 1200
// 0f854affffff | inc ecx
// 894330 | pop ebp
// e9???????? |
// 55 | mov esi, 1
// 8bec | mov eax, esi
$sequence_93 = { e8???????? 3bfe 740e 57 56 ff35???????? ff15???????? }
// n = 7, score = 1200
// e8???????? |
// 3bfe | dec eax
// 740e | mov dword ptr [esp + 8], ebx
// 57 | dec eax
// 56 | mov dword ptr [esp + 0x10], ebp
// ff35???????? |
// ff15???????? |
$sequence_94 = { 33f6 3975fc 7410 ff75fc 56 ff35???????? ff15???????? }
// n = 7, score = 1200
// 33f6 | dec eax
// 3975fc | mov dword ptr [esp + 0x18], esi
// 7410 | cmp eax, edx
// ff75fc | dec eax
// 56 | cmovne ecx, edx
// ff35???????? |
// ff15???????? |
$sequence_95 = { 85d2 4d8bf1 458bf8 8bc2 }
// n = 4, score = 1100
// 85d2 | mov esi, edi
// 4d8bf1 | dec eax
// 458bf8 | cmp ebx, edi
// 8bc2 | dec eax
$sequence_96 = { 33d2 498bcc 498bfd e8???????? }
// n = 4, score = 1100
// 33d2 | cmp eax, esi
// 498bcc | je 0x1f
// 498bfd | dec esp
// e8???????? |
$sequence_97 = { 4885db 740c 4c8b0d???????? e9???????? }
// n = 4, score = 1100
// 4885db | mov ecx, 0x201
// 740c | dec eax
// 4c8b0d???????? |
// e9???????? |
$sequence_98 = { 8bc7 4883c440 415e 415d 415c 5f }
// n = 6, score = 1100
// 8bc7 | push 1
// 4883c440 | xor ebx, ebx
// 415e | push ebx
// 415d | push esi
// 415c | push eax
// 5f | and dword ptr [ebp - 8], ebx
$sequence_99 = { 33d2 ff15???????? 8b05???????? 418bdd }
// n = 4, score = 1100
// 33d2 | lea edx, dword ptr [esp + 0x30]
// ff15???????? |
// 8b05???????? |
// 418bdd | dec eax
$sequence_100 = { ff15???????? 488bcf 48870d???????? 483bcf }
// n = 4, score = 1100
// ff15???????? |
// 488bcf | mov ecx, dword ptr [ebx]
// 48870d???????? |
// 483bcf | test eax, eax
$sequence_101 = { 488bce ff15???????? 488b0d???????? 33d2 4c63c0 }
// n = 5, score = 1100
// 488bce | pop edi
// ff15???????? |
// 488b0d???????? |
// 33d2 | and dword ptr [ebx + 0x28], 0
// 4c63c0 | mov eax, dword ptr [ebx + 0x30]
$sequence_102 = { 5b c9 c20400 51 56 ff74240c }
// n = 6, score = 1100
// 5b | cmp eax, edi
// c9 | je 0x18
// c20400 | push ecx
// 51 | push edi
// 56 | push eax
// ff74240c | call esi
$sequence_103 = { 33d2 ff15???????? 483bc3 4c8be8 }
// n = 4, score = 1100
// 33d2 | push esi
// ff15???????? |
// 483bc3 | mov esi, dword ptr [ebp + 0x10]
// 4c8be8 | sub esi, dword ptr [ebp + 0x14]
$sequence_104 = { 8a4b1c 488b4558 4c8b4d30 4c8b4510 }
// n = 4, score = 1100
// 8a4b1c | xor edx, edx
// 488b4558 | inc ecx
// 4c8b4d30 | mov eax, 0x4000
// 4c8b4510 | dec eax
$sequence_105 = { e8???????? 85c0 7507 33db 895d08 eb03 8b5d08 }
// n = 7, score = 1100
// e8???????? |
// 85c0 | jne 7
// 7507 | push ebx
// 33db | mov ebx, 0xea60
// 895d08 | push ebx
// eb03 | mov ebx, 0xea60
// 8b5d08 | push ebx
$sequence_106 = { 33c6 33442410 8bf0 8932 83c204 ff4c240c 75e6 }
// n = 7, score = 1000
// 33c6 | pop eax
// 33442410 | cmp eax, edi
// 8bf0 | push eax
// 8932 | xor eax, eax
// 83c204 | cmp eax, edi
// ff4c240c | je 0x16
// 75e6 | lea ecx, dword ptr [ebp - 4]
$sequence_107 = { 5b c9 c20400 53 56 8bf0 8a06 }
// n = 7, score = 1000
// 5b | push 8
// c9 | pop esi
// c20400 | pop edi
// 53 | mov eax, esi
// 56 | pop esi
// 8bf0 | leave
// 8a06 | mov dword ptr [ebp - 0xc], ebx
$sequence_108 = { 8bf1 05fefeffff 33db 33c9 }
// n = 4, score = 1000
// 8bf1 | xor ebx, ebx
// 05fefeffff | mov dx, 0x20
// 33db | dec ecx
// 33c9 | mov ecx, esp
$sequence_109 = { 3b3e 72dc 8b45fc 5f 5b c9 c21400 }
// n = 7, score = 1000
// 3b3e | push 1
// 72dc | push dword ptr [ebp - 0x20]
// 8b45fc | push edi
// 5f | push 1
// 5b | push dword ptr [ebp - 0x20]
// c9 | push eax
// c21400 | push edi
$sequence_110 = { 50 ffd7 ff7618 ffd3 }
// n = 4, score = 1000
// 50 | push dword ptr [ebp - 4]
// ffd7 | push esi
// ff7618 | test byte ptr [eax + 4], 8
// ffd3 | jne 0x34
$sequence_111 = { 5b c3 a1???????? 83c040 }
// n = 4, score = 1000
// 5b | ret 4
// c3 | push ebp
// a1???????? |
// 83c040 | mov ebp, esp
$sequence_112 = { 0f8386000000 488b18 8364245800 33c0 21442450 21442454 }
// n = 6, score = 1000
// 0f8386000000 | push ebx
// 488b18 | mov esi, eax
// 8364245800 | cmp esi, ebx
// 33c0 | je 0x4a
// 21442450 | xor ebx, ebx
// 21442454 | push ebx
$sequence_113 = { 8b3d???????? 56 ffd7 53 56 ffd7 }
// n = 6, score = 1000
// 8b3d???????? |
// 56 | mov dword ptr [ebp + 8], 0x57
// ffd7 | test eax, eax
// 53 | jmp 5
// 56 | push 8
// ffd7 | pop esi
$sequence_114 = { 8b02 43 8acb d3c0 33c6 33442410 8bf0 }
// n = 7, score = 1000
// 8b02 | test eax, eax
// 43 | je 0xe
// 8acb | push eax
// d3c0 | push 0x10
// 33c6 | pop eax
// 33442410 | cmp eax, edi
// 8bf0 | push 0x10
$sequence_115 = { 753e ff7618 8b3d???????? ffd7 ff761c ffd7 53 }
// n = 7, score = 1000
// 753e | push ebx
// ff7618 | push 1
// 8b3d???????? |
// ffd7 | and eax, 0xfffffffb
// ff761c | or eax, edx
// ffd7 | push eax
// 53 | and eax, 0xfffffffb
$sequence_116 = { ff15???????? 4885c0 488bd8 742b }
// n = 4, score = 1000
// ff15???????? |
// 4885c0 | push dword ptr [ebp + 8]
// 488bd8 | push dword ptr [ebp - 0x10]
// 742b | push dword ptr [ebp - 0xc]
$sequence_117 = { 488bce ff15???????? 4c8d4c2450 4c8d442458 }
// n = 4, score = 900
// 488bce | je 0xe8
// ff15???????? |
// 4c8d4c2450 | mov esi, dword ptr [ebx + 0x34]
// 4c8d442458 | lea eax, dword ptr [esp + 0x18]
$sequence_118 = { e8???????? 483bc3 488be8 0f84de000000 83c8ff 48895c2430 }
// n = 6, score = 900
// e8???????? |
// 483bc3 | push dword ptr [ebp - 0xc]
// 488be8 | push 0x122
// 0f84de000000 | push dword ptr [ebp + 8]
// 83c8ff | push 0x122
// 48895c2430 | push dword ptr [ebp + 8]
$sequence_119 = { 41b905000000 488bd8 ff15???????? 488bcb ff15???????? 4533c9 }
// n = 6, score = 900
// 41b905000000 | inc ebp
// 488bd8 | xor ecx, ecx
// ff15???????? |
// 488bcb | jne 0xee
// ff15???????? |
// 4533c9 | dec eax
$sequence_120 = { 33d2 ff15???????? 33ff 4885ff }
// n = 4, score = 900
// 33d2 | push eax
// ff15???????? |
// 33ff | lea eax, dword ptr [esp + 0x10]
// 4885ff | push eax
$sequence_121 = { 6a00 ff35???????? ffd3 8bd8 85db 7476 }
// n = 6, score = 900
// 6a00 | lea eax, dword ptr [ebp + 0xc]
// ff35???????? |
// ffd3 | cmp al, 5
// 8bd8 | jne 8
// 85db | test ah, ah
// 7476 | cmp al, 5
$sequence_122 = { 8d5001 488bce e8???????? 85c0 7408 }
// n = 5, score = 900
// 8d5001 | test al, 0x40
// 488bce | je 0xea
// e8???????? |
// 85c0 | mov esi, dword ptr [ebx + 0x34]
// 7408 | test al, 0x40
$sequence_123 = { 741d 3dd2100000 7416 a1???????? 83c004 }
// n = 5, score = 900
// 741d | add dword ptr [ebp + 0x10], 4
// 3dd2100000 | add eax, 4
// 7416 | push eax
// a1???????? |
// 83c004 | push dword ptr [ebp + 0x10]
$sequence_124 = { ff15???????? c20400 55 8bec 51 a1???????? 83c040 }
// n = 7, score = 900
// ff15???????? |
// c20400 | push dword ptr [ebp + 0x10]
// 55 | add esp, 0xc
// 8bec | mov dword ptr [ebp - 4], 1
// 51 | mov eax, dword ptr [esi + 0x10]
// a1???????? |
// 83c040 | mov edi, dword ptr [ebp + 0x10]
$sequence_125 = { 4533c9 4889442428 215c2420 4533c0 }
// n = 4, score = 900
// 4533c9 | push dword ptr [ebp - 0xc]
// 4889442428 | push 0x122
// 215c2420 | push dword ptr [ebp + 8]
// 4533c0 | push dword ptr [ebp - 0x10]
$sequence_126 = { 832700 458be0 bb08000000 e8???????? 85c0 }
// n = 5, score = 900
// 832700 | jne 0xee
// 458be0 | dec eax
// bb08000000 | mov ecx, dword ptr [ebx]
// e8???????? |
// 85c0 | test eax, eax
$sequence_127 = { 488d9424d8010000 488d4c2454 ff15???????? 3bc3 7fbd 83c701 e9???????? }
// n = 7, score = 900
// 488d9424d8010000 | push 0x122
// 488d4c2454 | push dword ptr [ebp + 8]
// ff15???????? |
// 3bc3 | push 0
// 7fbd | push 0
// 83c701 | push dword ptr [ebp - 0xc]
// e9???????? |
$sequence_128 = { 488be8 0f8458010000 448b05???????? 488b0d???????? }
// n = 4, score = 900
// 488be8 | push 0
// 0f8458010000 | push dword ptr [ebp - 0xc]
// 448b05???????? |
// 488b0d???????? |
$sequence_129 = { 3bfe 754f 488d4c246c 66ba2e00 ff15???????? }
// n = 5, score = 900
// 3bfe | push 0x122
// 754f | push dword ptr [ebp + 8]
// 488d4c246c | push dword ptr [ebp + 8]
// 66ba2e00 | push dword ptr [ebp - 0x10]
// ff15???????? |
$sequence_130 = { 50 8d442430 50 8d442428 50 8d442428 50 }
// n = 7, score = 900
// 50 | jne 0xa
// 8d442430 | test ah, ah
// 50 | ja 8
// 8d442428 | cmp al, al
// 50 | jne 8
// 8d442428 | test ah, ah
// 50 | ja 6
$sequence_131 = { 4c8d4c2450 4c8d442458 8d5001 488bce }
// n = 4, score = 900
// 4c8d4c2450 | test al, 0x40
// 4c8d442458 | je 0xed
// 8d5001 | mov esi, dword ptr [ebx + 0x34]
// 488bce | mov esi, edi
$sequence_132 = { ff15???????? 488d542440 488bcd ff15???????? 4883f8ff }
// n = 5, score = 900
// ff15???????? |
// 488d542440 | push dword ptr [ebp + 8]
// 488bcd | push 0
// ff15???????? |
// 4883f8ff | push 0
$sequence_133 = { e9???????? 33c9 bb26040000 48870d???????? }
// n = 4, score = 900
// e9???????? |
// 33c9 | jne 0xee
// bb26040000 | dec eax
// 48870d???????? |
$sequence_134 = { a1???????? 25efff0000 0bc2 e9???????? }
// n = 4, score = 800
// a1???????? |
// 25efff0000 | push dword ptr [ebp + 8]
// 0bc2 | push dword ptr [ebp + 8]
// e9???????? |
$sequence_135 = { 895df4 895df0 c745f857000000 bf19010000 }
// n = 4, score = 800
// 895df4 | cmp eax, edi
// 895df0 | push eax
// c745f857000000 | xor eax, eax
// bf19010000 | cmp eax, edi
$sequence_136 = { 6a03 8935???????? 8935???????? 8935???????? }
// n = 4, score = 800
// 6a03 | push dword ptr [ebp - 0x10]
// 8935???????? |
// 8935???????? |
// 8935???????? |
$sequence_137 = { 488b0d???????? 448bc0 8bd8 33d2 4983c001 }
// n = 5, score = 800
// 488b0d???????? |
// 448bc0 | and dword ptr [ebp - 8], ebx
// 8bd8 | push eax
// 33d2 | and dword ptr [ebp - 8], ebx
// 4983c001 | push eax
$sequence_138 = { 418bcd e8???????? e9???????? b909010000 e9???????? }
// n = 5, score = 800
// 418bcd | xor eax, eax
// e8???????? |
// e9???????? |
// b909010000 | cmp eax, edi
// e9???????? |
$sequence_139 = { 85c0 0f95c3 85db 7529 }
// n = 4, score = 800
// 85c0 | push dword ptr [ebp - 0xc]
// 0f95c3 | push 0x122
// 85db | push dword ptr [ebp + 8]
// 7529 | push dword ptr [ebp - 0xc]
$sequence_140 = { 4155 4156 4883ec20 4c8bf2 }
// n = 4, score = 800
// 4155 | push 0x122
// 4156 | push dword ptr [ebp + 8]
// 4883ec20 | test eax, eax
// 4c8bf2 | je 0x11
$sequence_141 = { 4533c0 33d2 33db ff15???????? 85c0 }
// n = 5, score = 800
// 4533c0 | sbb eax, eax
// 33d2 | and eax, 6
// 33db | mov al, byte ptr [esi + 4]
// ff15???????? |
// 85c0 | and al, 4
$sequence_142 = { 4c63c0 33d2 4983c00c ff15???????? }
// n = 4, score = 800
// 4c63c0 | push eax
// 33d2 | push edi
// 4983c00c | push dword ptr [ebp + 8]
// ff15???????? |
$sequence_143 = { 488bc8 ff15???????? 8b05???????? 3d2caedb8b }
// n = 4, score = 800
// 488bc8 | je 0x1f
// ff15???????? |
// 8b05???????? |
// 3d2caedb8b | push eax
$sequence_144 = { 4533c9 4533c0 33d2 ff15???????? 85c0 7511 }
// n = 6, score = 800
// 4533c9 | push dword ptr [ebp - 0xc]
// 4533c0 | push 0x122
// 33d2 | push dword ptr [ebp + 8]
// ff15???????? |
// 85c0 | push dword ptr [ebp + 8]
// 7511 | push dword ptr [ebp - 0x10]
$sequence_145 = { b922010000 e9???????? b90a010000 e9???????? }
// n = 4, score = 800
// b922010000 | je 0x21
// e9???????? |
// b90a010000 | push eax
// e9???????? |
$sequence_146 = { e9???????? 488bcb ff15???????? a810 }
// n = 4, score = 800
// e9???????? |
// 488bcb | push eax
// ff15???????? |
// a810 | push edi
$sequence_147 = { 803f2a 750b 4883c701 83c3ff }
// n = 4, score = 800
// 803f2a | push 0
// 750b | push edi
// 4883c701 | push dword ptr [ebp + 8]
// 83c3ff | push 0
$sequence_148 = { 4c8b05???????? 41be01000000 33c9 418bd6 }
// n = 4, score = 800
// 4c8b05???????? |
// 41be01000000 | push dword ptr [ebp + 8]
// 33c9 | push 0
// 418bd6 | push 0
$sequence_149 = { 488364243000 448d4301 4533c9 ba000000c0 }
// n = 4, score = 700
// 488364243000 | dec eax
// 448d4301 | mov dword ptr [esp + 0x20], ebx
// 4533c9 | dec eax
// ba000000c0 | mov ecx, edi
$sequence_150 = { 488d542438 488bcb e8???????? eb02 }
// n = 4, score = 700
// Decoded in 64-bit mode: passes rbx and the address of a stack slot to a direct call, then skips two bytes.
// 488d542438 | lea rdx, [rsp + 0x38]
// 488bcb | mov rcx, rbx
// e8???????? | call <wildcarded rel32>
// eb02 | jmp $+4
$sequence_151 = { 5f c20400 55 8bec 83e4f8 81ec9c000000 53 }
// n = 7, score = 700
// Decoded as 32-bit code: the end of one function (ret 4) followed by the prologue of the next (8-byte aligned frame, 0x9c bytes of locals).
// 5f | pop edi
// c20400 | ret 4
// 55 | push ebp
// 8bec | mov ebp, esp
// 83e4f8 | and esp, 0xfffffff8
// 81ec9c000000 | sub esp, 0x9c
// 53 | push ebx
$sequence_152 = { 750a 488bcf e8???????? 8bd8 488b0d???????? }
// n = 5, score = 700
// Decoded in 64-bit mode: conditional direct call with rdi as argument; the result is kept in ebx and a global qword is loaded into rcx.
// 750a | jne $+0xc
// 488bcf | mov rcx, rdi
// e8???????? | call <wildcarded rel32>
// 8bd8 | mov ebx, eax
// 488b0d???????? | mov rcx, qword ptr [rip + <wildcarded disp32>]
$sequence_153 = { 56 57 4154 4155 4156 4883ec50 488bf1 }
// n = 7, score = 700
// Decoded in 64-bit mode: register saves and a 0x50-byte stack reservation, looks like a function-entry fragment.
// 56 | push rsi
// 57 | push rdi
// 4154 | push r12
// 4155 | push r13
// 4156 | push r14
// 4883ec50 | sub rsp, 0x50
// 488bf1 | mov rsi, rcx
$sequence_154 = { 7433 ff15???????? 3db7000000 751d }
// n = 4, score = 700
// No REX prefix: the pattern matches in 32- and 64-bit code alike (only the addressing of the call operand differs).
// NOTE(review): 0xb7 (183) equals the Win32 error code ERROR_ALREADY_EXISTS; presumably the call is GetLastError, but the target is wildcarded - confirm against a sample.
// 7433 | je $+0x35
// ff15???????? | call [<wildcarded address operand>]
// 3db7000000 | cmp eax, 0xb7
// 751d | jne $+0x1f
$sequence_155 = { 7532 21442428 488b8c2428020000 488364242000 448d4803 }
// n = 5, score = 600
// Decoded in 64-bit mode: clears stack argument slots and loads rcx/r9d, argument setup for a call outside the pattern.
// 7532 | jne $+0x34
// 21442428 | and dword ptr [rsp + 0x28], eax
// 488b8c2428020000 | mov rcx, qword ptr [rsp + 0x228]
// 488364242000 | and qword ptr [rsp + 0x20], 0
// 448d4803 | lea r9d, [rax + 3]
$sequence_156 = { 75ed e9???????? 8bfe e9???????? 448bce 488d4c2420 }
// n = 6, score = 600
// Decoded in 64-bit mode: a backward loop branch and two jumps, followed by argument setup (r9d, rcx).
// 75ed | jne $-0x11
// e9???????? | jmp <wildcarded rel32>
// 8bfe | mov edi, esi
// e9???????? | jmp <wildcarded rel32>
// 448bce | mov r9d, esi
// 488d4c2420 | lea rcx, [rsp + 0x20]
$sequence_157 = { ff15???????? 85ff 7406 57 }
// n = 4, score = 600
// No REX prefix: shown with 32-bit operands; in 64-bit mode the same bytes read as a rip-relative call and push rdi.
// ff15???????? | call dword ptr [<wildcarded address>]
// 85ff | test edi, edi
// 7406 | je $+8
// 57 | push edi
$sequence_158 = { e8???????? 85c0 0f84b0010000 488d4c2420 e8???????? }
// n = 5, score = 600
// Decoded in 64-bit mode: a direct call whose zero result takes a long forward branch, otherwise a second call on a stack buffer.
// e8???????? | call <wildcarded rel32>
// 85c0 | test eax, eax
// 0f84b0010000 | je $+0x1b6
// 488d4c2420 | lea rcx, [rsp + 0x20]
// e8???????? | call <wildcarded rel32>
$sequence_159 = { 8d45f8 50 8d450c 50 ff35???????? e8???????? 8bf8 }
// n = 7, score = 600
// Decoded as 32-bit code: pushes the addresses of a local and of an argument plus a global dword, calls, and keeps the result in edi.
// 8d45f8 | lea eax, [ebp - 8]
// 50 | push eax
// 8d450c | lea eax, [ebp + 0xc]
// 50 | push eax
// ff35???????? | push dword ptr [<wildcarded address>]
// e8???????? | call <wildcarded rel32>
// 8bf8 | mov edi, eax
$sequence_160 = { e8???????? 85c0 75e4 4585db 7555 4183f902 }
// n = 6, score = 600
// Decoded in 64-bit mode: a call inside a loop (backward branch), then checks on r11d and r9d.
// e8???????? | call <wildcarded rel32>
// 85c0 | test eax, eax
// 75e4 | jne $-0x1a
// 4585db | test r11d, r11d
// 7555 | jne $+0x57
// 4183f902 | cmp r9d, 2
$sequence_161 = { eb23 6a02 5e 68???????? }
// n = 4, score = 600
// Decoded as 32-bit code: push/pop idiom that sets esi to 2, followed by a push of a wildcarded immediate.
// eb23 | jmp $+0x25
// 6a02 | push 2
// 5e | pop esi
// 68???????? | push <wildcarded imm32>
$sequence_162 = { 488bc1 4883c438 c3 48895c2408 48896c2410 4889742418 57 }
// n = 7, score = 600
// Decoded in 64-bit mode: the end of one function (ret) followed by register spills to the caller's stack area, which looks like the next function's prologue.
// 488bc1 | mov rax, rcx
// 4883c438 | add rsp, 0x38
// c3 | ret
// 48895c2408 | mov qword ptr [rsp + 8], rbx
// 48896c2410 | mov qword ptr [rsp + 0x10], rbp
// 4889742418 | mov qword ptr [rsp + 0x18], rsi
// 57 | push rdi
$sequence_163 = { 4883c428 c3 488d82204a0000 488982284a0000 }
// n = 4, score = 600
// Decoded in 64-bit mode: a function return, then the address rdx+0x4a20 is stored at rdx+0x4a28.
// 4883c428 | add rsp, 0x28
// c3 | ret
// 488d82204a0000 | lea rax, [rdx + 0x4a20]
// 488982284a0000 | mov qword ptr [rdx + 0x4a28], rax
$sequence_164 = { 0f8561010000 8b4348 a801 742c 488b0b e8???????? }
// n = 6, score = 500
// Decoded in 64-bit mode: tests bit 0 of the dword at [rbx + 0x48] and, if set, calls with the qword at [rbx] as argument.
// 0f8561010000 | jne $+0x167
// 8b4348 | mov eax, dword ptr [rbx + 0x48]
// a801 | test al, 1
// 742c | je $+0x2e
// 488b0b | mov rcx, qword ptr [rbx]
// e8???????? | call <wildcarded rel32>
$sequence_165 = { 488b0d???????? 4c8bc5 33d2 ff15???????? e9???????? }
// n = 5, score = 500
// Decoded in 64-bit mode: three-argument indirect call (global qword, 0, rbp) followed by a jump.
// 488b0d???????? | mov rcx, qword ptr [rip + <wildcarded disp32>]
// 4c8bc5 | mov r8, rbp
// 33d2 | xor edx, edx
// ff15???????? | call qword ptr [rip + <wildcarded disp32>]
// e9???????? | jmp <wildcarded rel32>
$sequence_166 = { 488b0b e8???????? 85c0 0f85e8000000 488b4608 488b0e 4533c9 }
// n = 7, score = 500
// Decoded in 64-bit mode: calls with the qword at [rbx]; on a zero result loads two qwords from the structure at rsi and clears r9d.
// 488b0b | mov rcx, qword ptr [rbx]
// e8???????? | call <wildcarded rel32>
// 85c0 | test eax, eax
// 0f85e8000000 | jne $+0xee
// 488b4608 | mov rax, qword ptr [rsi + 8]
// 488b0e | mov rcx, qword ptr [rsi]
// 4533c9 | xor r9d, r9d
$sequence_167 = { 488905???????? 0f8431020000 817424302083b8ed 8d7b01 }
// n = 4, score = 500
// Decoded in 64-bit mode: stores rax to a global, then XORs a stack dword with 0xedb88320.
// NOTE(review): 0xedb88320 is the value of the reflected CRC-32 polynomial; here it is only XORed into a stack slot, so its role (key material vs. checksum) is not visible - confirm against a sample.
// 488905???????? | mov qword ptr [rip + <wildcarded disp32>], rax
// 0f8431020000 | je $+0x237
// 817424302083b8ed | xor dword ptr [rsp + 0x30], 0xedb88320
// 8d7b01 | lea edi, [rbx + 1]
$sequence_168 = { 488b0d???????? 33d2 ff15???????? 4885c0 488bf0 }
// n = 5, score = 500
// Decoded in 64-bit mode: indirect call with a global qword and 0 as arguments; the 64-bit result is tested and kept in rsi.
// 488b0d???????? | mov rcx, qword ptr [rip + <wildcarded disp32>]
// 33d2 | xor edx, edx
// ff15???????? | call qword ptr [rip + <wildcarded disp32>]
// 4885c0 | test rax, rax
// 488bf0 | mov rsi, rax
$sequence_169 = { 488bd6 4533c0 e8???????? 483bc3 488905???????? 0f84fc010000 }
// n = 6, score = 500
// Decoded in 64-bit mode: a direct call whose result is stored to a global and compared with rbx, with a long forward branch on equality.
// 488bd6 | mov rdx, rsi
// 4533c0 | xor r8d, r8d
// e8???????? | call <wildcarded rel32>
// 483bc3 | cmp rax, rbx
// 488905???????? | mov qword ptr [rip + <wildcarded disp32>], rax
// 0f84fc010000 | je $+0x202
$sequence_170 = { 48897018 48897820 4154 4883ec20 33ff 4885c9 }
// n = 6, score = 500
// Decoded in 64-bit mode: register spills via rax, a push and stack reservation, then a null check on rcx; looks like a function-entry fragment.
// 48897018 | mov qword ptr [rax + 0x18], rsi
// 48897820 | mov qword ptr [rax + 0x20], rdi
// 4154 | push r12
// 4883ec20 | sub rsp, 0x20
// 33ff | xor edi, edi
// 4885c9 | test rcx, rcx
$sequence_171 = { 33c9 e8???????? 85c0 0f8561010000 }
// n = 4, score = 500
// No REX prefix: these bytes decode identically in 32- and 64-bit mode. A call with ecx = 0 and a long forward branch on a non-zero result.
// 33c9 | xor ecx, ecx
// e8???????? | call <wildcarded rel32>
// 85c0 | test eax, eax
// 0f8561010000 | jne $+0x167
$sequence_172 = { 0f859b000000 4863533c 488b4608 488b0e 48035334 41b800200000 4533c9 }
// n = 7, score = 500
// Decoded in 64-bit mode: adds the sign-extended dword at [rbx + 0x3c] to the qword at [rbx + 0x34] and sets up r8d = 0x2000, r9d = 0 for a call outside the pattern.
// 0f859b000000 | jne $+0xa1
// 4863533c | movsxd rdx, dword ptr [rbx + 0x3c]
// 488b4608 | mov rax, qword ptr [rsi + 8]
// 488b0e | mov rcx, qword ptr [rsi]
// 48035334 | add rdx, qword ptr [rbx + 0x34]
// 41b800200000 | mov r8d, 0x2000
// 4533c9 | xor r9d, r9d
$sequence_173 = { 41b800400000 ff15???????? 483bc6 741a 4c8d842488000000 488d542430 4c8bc8 }
// n = 7, score = 400
// Decoded in 64-bit mode: indirect call with r8d = 0x4000; a result different from rsi is passed on as r9 with two stack-buffer addresses.
// 41b800400000 | mov r8d, 0x4000
// ff15???????? | call qword ptr [rip + <wildcarded disp32>]
// 483bc6 | cmp rax, rsi
// 741a | je $+0x1c
// 4c8d842488000000 | lea r8, [rsp + 0x88]
// 488d542430 | lea rdx, [rsp + 0x30]
// 4c8bc8 | mov r9, rax
$sequence_174 = { 488b5f58 33d2 41b800400000 ff15???????? }
// n = 4, score = 400
// Decoded in 64-bit mode: loads the qword at [rdi + 0x58] and makes an indirect call with edx = 0, r8d = 0x4000.
// 488b5f58 | mov rbx, qword ptr [rdi + 0x58]
// 33d2 | xor edx, edx
// 41b800400000 | mov r8d, 0x4000
// ff15???????? | call qword ptr [rip + <wildcarded disp32>]
$sequence_175 = { 4885c0 7427 488d542420 b901020000 ff15???????? }
// n = 5, score = 400
// Decoded in 64-bit mode: null check on rax, then an indirect call with ecx = 0x201 and the address of a stack buffer.
// 4885c0 | test rax, rax
// 7427 | je $+0x29
// 488d542420 | lea rdx, [rsp + 0x20]
// b901020000 | mov ecx, 0x201
// ff15???????? | call qword ptr [rip + <wildcarded disp32>]
$sequence_176 = { 458bf9 33ff e8???????? 4c8be8 4885c0 }
// n = 5, score = 400
// Decoded in 64-bit mode: a direct call whose 64-bit result is kept in r13 and null-checked.
// 458bf9 | mov r15d, r9d
// 33ff | xor edi, edi
// e8???????? | call <wildcarded rel32>
// 4c8be8 | mov r13, rax
// 4885c0 | test rax, rax
$sequence_177 = { ba10000000 488bc8 e8???????? 48898424e0010000 4885c0 }
// n = 5, score = 400
// Decoded in 64-bit mode: a direct call with (rax, 0x10) as arguments; the result is saved to a stack slot and null-checked.
// ba10000000 | mov edx, 0x10
// 488bc8 | mov rcx, rax
// e8???????? | call <wildcarded rel32>
// 48898424e0010000 | mov qword ptr [rsp + 0x1e0], rax
// 4885c0 | test rax, rax
$sequence_178 = { 4c8be8 4885c0 7508 8d5f08 e9???????? 8b842420020000 }
// n = 6, score = 400
// Decoded in 64-bit mode: null check on a returned pointer; the null path sets ebx = rdi + 8 and jumps away.
// 4c8be8 | mov r13, rax
// 4885c0 | test rax, rax
// 7508 | jne $+0xa
// 8d5f08 | lea ebx, [rdi + 8]
// e9???????? | jmp <wildcarded rel32>
// 8b842420020000 | mov eax, dword ptr [rsp + 0x220]
$sequence_179 = { 4c89642448 ff15???????? 8bd8 83f8ff }
// n = 4, score = 400
// Decoded in 64-bit mode: an indirect call whose 32-bit result is kept in ebx and compared with -1.
// 4c89642448 | mov qword ptr [rsp + 0x48], r12
// ff15???????? | call qword ptr [rip + <wildcarded disp32>]
// 8bd8 | mov ebx, eax
// 83f8ff | cmp eax, -1
$sequence_180 = { 488b4d30 8364243000 33d2 c744246000400000 ff15???????? }
// n = 5, score = 400
// Decoded in 64-bit mode: clears one stack dword, writes 0x4000 to another, and makes an indirect call with rcx loaded from [rbp + 0x30].
// 488b4d30 | mov rcx, qword ptr [rbp + 0x30]
// 8364243000 | and dword ptr [rsp + 0x30], 0
// 33d2 | xor edx, edx
// c744246000400000 | mov dword ptr [rsp + 0x60], 0x4000
// ff15???????? | call qword ptr [rip + <wildcarded disp32>]
$sequence_181 = { 85f6 57 884c2413 0f869c000000 eb04 8b742428 84c9 }
// n = 7, score = 300
// Decoded as 32-bit code (no REX prefix, esp-relative locals): a length check on esi and a flag byte kept in cl.
// 85f6 | test esi, esi
// 57 | push edi
// 884c2413 | mov byte ptr [esp + 0x13], cl
// 0f869c000000 | jbe $+0xa2
// eb04 | jmp $+6
// 8b742428 | mov esi, dword ptr [esp + 0x28]
// 84c9 | test cl, cl
$sequence_182 = { b101 3b5c2428 0f8266ffffff 5f 5e 89e8 }
// n = 6, score = 300
// Decoded as 32-bit code: a loop tail (backward branch while ebx is below a stack value) followed by register restores.
// b101 | mov cl, 1
// 3b5c2428 | cmp ebx, dword ptr [esp + 0x28]
// 0f8266ffffff | jb $-0x94
// 5f | pop edi
// 5e | pop esi
// 89e8 | mov eax, ebp
$sequence_183 = { 8b4508 03450c 034510 39d0 75c3 5e 5f }
// n = 7, score = 300
// Decoded as 32-bit code: sums the three dwords at [ebp + 8], [ebp + 0xc] and [ebp + 0x10], compares with edx and loops back on mismatch.
// 8b4508 | mov eax, dword ptr [ebp + 8]
// 03450c | add eax, dword ptr [ebp + 0xc]
// 034510 | add eax, dword ptr [ebp + 0x10]
// 39d0 | cmp eax, edx
// 75c3 | jne $-0x3b
// 5e | pop esi
// 5f | pop edi
$sequence_184 = { 31f6 66833b00 7507 66837b0200 7451 0fb70b }
// n = 6, score = 300
// Decoded as 32-bit code: checks two consecutive 16-bit values at [ebx] for zero, then loads the first one zero-extended.
// 31f6 | xor esi, esi
// 66833b00 | cmp word ptr [ebx], 0
// 7507 | jne $+9
// 66837b0200 | cmp word ptr [ebx + 2], 0
// 7451 | je $+0x53
// 0fb70b | movzx ecx, word ptr [ebx]
$sequence_185 = { 83c304 01f2 8b4c241c 01d1 894c2414 8b4c2424 01c1 }
// n = 7, score = 300
// Decoded as 32-bit code: advances ebx by 4 and computes two sums from stack locals (pointer/offset arithmetic).
// 83c304 | add ebx, 4
// 01f2 | add edx, esi
// 8b4c241c | mov ecx, dword ptr [esp + 0x1c]
// 01d1 | add ecx, edx
// 894c2414 | mov dword ptr [esp + 0x14], ecx
// 8b4c2424 | mov ecx, dword ptr [esp + 0x24]
// 01c1 | add ecx, eax
$sequence_186 = { 8974241c 894c2418 56 57 51 90 }
// n = 6, score = 300
// Decoded as 32-bit code: spills esi/ecx to stack locals and pushes three registers; ends in a one-byte nop.
// 8974241c | mov dword ptr [esp + 0x1c], esi
// 894c2418 | mov dword ptr [esp + 0x18], ecx
// 56 | push esi
// 57 | push edi
// 51 | push ecx
// 90 | nop
$sequence_187 = { 01cb 30c9 eb59 8b4c242c 0fb6d0 01d1 80790100 }
// n = 7, score = 300
// Decoded as 32-bit code: indexes a byte table (stack-held base plus al) and compares the following byte with 0.
// 01cb | add ebx, ecx
// 30c9 | xor cl, cl
// eb59 | jmp $+0x5b
// 8b4c242c | mov ecx, dword ptr [esp + 0x2c]
// 0fb6d0 | movzx edx, al
// 01d1 | add ecx, edx
// 80790100 | cmp byte ptr [ecx + 1], 0
$sequence_188 = { 01c1 83c304 894c2410 56 90 57 51 }
// n = 7, score = 300
// Decoded as 32-bit code: stores a sum to a stack local and pushes three registers, with a one-byte nop between the pushes.
// 01c1 | add ecx, eax
// 83c304 | add ebx, 4
// 894c2410 | mov dword ptr [esp + 0x10], ecx
// 56 | push esi
// 90 | nop
// 57 | push edi
// 51 | push ecx
$sequence_189 = { 8b856cffffff c70001000000 0f2805???????? 8b8568ffffff 0f1100 8b8544ffffff }
// n = 6, score = 100
// Decoded as 32-bit code: writes 1 through one stack-held pointer and copies a 16-byte global through another via xmm0.
// 8b856cffffff | mov eax, dword ptr [ebp - 0x94]
// c70001000000 | mov dword ptr [eax], 1
// 0f2805???????? | movaps xmm0, xmmword ptr [<wildcarded address>]
// 8b8568ffffff | mov eax, dword ptr [ebp - 0x98]
// 0f1100 | movups xmmword ptr [eax], xmm0
// 8b8544ffffff | mov eax, dword ptr [ebp - 0xbc]
$sequence_190 = { 8b8de0fbffff 51 ffd0 8b0d???????? 8b95e4fbffff }
// n = 5, score = 100
// Decoded as 32-bit code: pushes a local and calls through eax (register-indirect call), then reloads a global and another local.
// 8b8de0fbffff | mov ecx, dword ptr [ebp - 0x420]
// 51 | push ecx
// ffd0 | call eax
// 8b0d???????? | mov ecx, dword ptr [<wildcarded address>]
// 8b95e4fbffff | mov edx, dword ptr [ebp - 0x41c]
$sequence_191 = { 8b7584 6689f7 66897dcc 66897dce c745c800000000 8b5dc0 }
// n = 6, score = 100
// Decoded as 32-bit code: stores the same 16-bit value to two adjacent locals and zeroes a third.
// 8b7584 | mov esi, dword ptr [ebp - 0x7c]
// 6689f7 | mov di, si
// 66897dcc | mov word ptr [ebp - 0x34], di
// 66897dce | mov word ptr [ebp - 0x32], di
// c745c800000000 | mov dword ptr [ebp - 0x38], 0
// 8b5dc0 | mov ebx, dword ptr [ebp - 0x40]
$sequence_192 = { 890424 c744240400000000 c744240878000000 e8???????? 83c40c 8d45dc 8b30 }
// n = 7, score = 100
// Decoded as 32-bit code: stores three arguments (eax, 0, 0x78) into outgoing stack slots, calls, and adjusts esp by 0xc.
// NOTE(review): the (pointer, 0, 0x78) argument shape resembles a memset-style call; the target is wildcarded - confirm against a sample.
// 890424 | mov dword ptr [esp], eax
// c744240400000000 | mov dword ptr [esp + 4], 0
// c744240878000000 | mov dword ptr [esp + 8], 0x78
// e8???????? | call <wildcarded rel32>
// 83c40c | add esp, 0xc
// 8d45dc | lea eax, [ebp - 0x24]
// 8b30 | mov esi, dword ptr [eax]
$sequence_193 = { 89b530ffffff 899d2cffffff e8???????? 8b854cffffff 890424 8b8d34ffffff 894c2404 }
// n = 7, score = 100
// Decoded as 32-bit code: spills esi/ebx to locals, calls, then stores two locals into outgoing argument slots.
// 89b530ffffff | mov dword ptr [ebp - 0xd0], esi
// 899d2cffffff | mov dword ptr [ebp - 0xd4], ebx
// e8???????? | call <wildcarded rel32>
// 8b854cffffff | mov eax, dword ptr [ebp - 0xb4]
// 890424 | mov dword ptr [esp], eax
// 8b8d34ffffff | mov ecx, dword ptr [ebp - 0xcc]
// 894c2404 | mov dword ptr [esp + 4], ecx
$sequence_194 = { 8945dc 894de8 741a e8???????? 8b4ddc 8945d8 }
// n = 6, score = 100
// Decoded as 32-bit code: spills eax/ecx to locals, conditionally calls, and stores the call result to a local.
// 8945dc | mov dword ptr [ebp - 0x24], eax
// 894de8 | mov dword ptr [ebp - 0x18], ecx
// 741a | je $+0x1c
// e8???????? | call <wildcarded rel32>
// 8b4ddc | mov ecx, dword ptr [ebp - 0x24]
// 8945d8 | mov dword ptr [ebp - 0x28], eax
$sequence_195 = { c745d800000000 8b784c 8b5820 8945b4 8b4048 }
// n = 5, score = 100
// Decoded as 32-bit code: reads the fields at offsets 0x4c, 0x20 and 0x48 of the structure eax points to.
// c745d800000000 | mov dword ptr [ebp - 0x28], 0
// 8b784c | mov edi, dword ptr [eax + 0x4c]
// 8b5820 | mov ebx, dword ptr [eax + 0x20]
// 8945b4 | mov dword ptr [ebp - 0x4c], eax
// 8b4048 | mov eax, dword ptr [eax + 0x48]
$sequence_196 = { 83ec08 890c24 8b85ccfbffff 89442404 e8???????? }
// n = 5, score = 100
// Decoded as 32-bit code: reserves 8 bytes of stack, fills two outgoing argument slots, and calls.
// 83ec08 | sub esp, 8
// 890c24 | mov dword ptr [esp], ecx
// 8b85ccfbffff | mov eax, dword ptr [ebp - 0x434]
// 89442404 | mov dword ptr [esp + 4], eax
// e8???????? | call <wildcarded rel32>
$sequence_197 = { 8b75ec 89723c c7424005000000 c7424418180000 c7424800a00100 8b7de4 }
// n = 6, score = 100
// Decoded as 32-bit code: initialises four consecutive dword fields (offsets 0x3c-0x48) of the structure edx points to, three of them with constants.
// 8b75ec | mov esi, dword ptr [ebp - 0x14]
// 89723c | mov dword ptr [edx + 0x3c], esi
// c7424005000000 | mov dword ptr [edx + 0x40], 5
// c7424418180000 | mov dword ptr [edx + 0x44], 0x1818
// c7424800a00100 | mov dword ptr [edx + 0x48], 0x1a000
// 8b7de4 | mov edi, dword ptr [ebp - 0x1c]
$sequence_198 = { 894c2404 8b4db0 894c2408 e8???????? 8b45b4 8b483c }
// n = 6, score = 100
// Decoded as 32-bit code: fills two outgoing argument slots, calls, then reads the field at offset 0x3c of a structure held in a local.
// 894c2404 | mov dword ptr [esp + 4], ecx
// 8b4db0 | mov ecx, dword ptr [ebp - 0x50]
// 894c2408 | mov dword ptr [esp + 8], ecx
// e8???????? | call <wildcarded rel32>
// 8b45b4 | mov eax, dword ptr [ebp - 0x4c]
// 8b483c | mov ecx, dword ptr [eax + 0x3c]
$sequence_199 = { 83ec34 8b4508 31c9 ba00100000 be04000000 8b7834 }
// n = 6, score = 100
// Decoded as 32-bit code: reserves 0x34 bytes of stack, loads the first argument, and sets the constants 0, 0x1000 and 4 in ecx/edx/esi.
// NOTE(review): 0x1000 and 4 equal MEM_COMMIT and PAGE_READWRITE; whether they are passed to a memory-allocation API is not visible in the pattern - confirm against a sample.
// 83ec34 | sub esp, 0x34
// 8b4508 | mov eax, dword ptr [ebp + 8]
// 31c9 | xor ecx, ecx
// ba00100000 | mov edx, 0x1000
// be04000000 | mov esi, 4
// 8b7834 | mov edi, dword ptr [eax + 0x34]
$sequence_200 = { 897598 75d7 8b45bc 890424 e8???????? }
// n = 5, score = 100
// Decoded as 32-bit code: a loop tail (backward branch) followed by a one-argument call on a local.
// 897598 | mov dword ptr [ebp - 0x68], esi
// 75d7 | jne $-0x27
// 8b45bc | mov eax, dword ptr [ebp - 0x44]
// 890424 | mov dword ptr [esp], eax
// e8???????? | call <wildcarded rel32>
$sequence_201 = { 03500c 8b75f4 037014 8b7810 891424 89742404 }
// n = 6, score = 100
// Decoded as 32-bit code: adds the fields at offsets 0xc and 0x14 of the structure at eax to two bases, reads the field at 0x10, and stores the sums as outgoing arguments.
// 03500c | add edx, dword ptr [eax + 0xc]
// 8b75f4 | mov esi, dword ptr [ebp - 0xc]
// 037014 | add esi, dword ptr [eax + 0x14]
// 8b7810 | mov edi, dword ptr [eax + 0x10]
// 891424 | mov dword ptr [esp], edx
// 89742404 | mov dword ptr [esp + 4], esi
$sequence_202 = { 8db5ecfbffff 8b3d???????? 56 68ff030000 52 }
// n = 5, score = 100
// Decoded as 32-bit code: pushes the address of a large stack buffer, the constant 0x3ff and edx as arguments; edi is loaded from a global.
// 8db5ecfbffff | lea esi, [ebp - 0x414]
// 8b3d???????? | mov edi, dword ptr [<wildcarded address>]
// 56 | push esi
// 68ff030000 | push 0x3ff
// 52 | push edx
$sequence_203 = { 8b953cffffff 83c228 8b75b0 39f1 898538ffffff 899570ffffff 898d60ffffff }
// n = 7, score = 100
// Decoded as 32-bit code: advances a local pointer by 0x28, compares a counter in ecx with a local, and spills three registers to locals.
// 8b953cffffff | mov edx, dword ptr [ebp - 0xc4]
// 83c228 | add edx, 0x28
// 8b75b0 | mov esi, dword ptr [ebp - 0x50]
// 39f1 | cmp ecx, esi
// 898538ffffff | mov dword ptr [ebp - 0xc8], eax
// 899570ffffff | mov dword ptr [ebp - 0x90], edx
// 898d60ffffff | mov dword ptr [ebp - 0xa0], ecx
$sequence_204 = { 891424 8b4df0 8945cc ffd1 83ec04 b901000000 83f800 }
// n = 7, score = 100
// Decoded as 32-bit code: calls through a function pointer held in a local (register-indirect call via ecx) and compares the result with 0.
// 891424 | mov dword ptr [esp], edx
// 8b4df0 | mov ecx, dword ptr [ebp - 0x10]
// 8945cc | mov dword ptr [ebp - 0x34], eax
// ffd1 | call ecx
// 83ec04 | sub esp, 4
// b901000000 | mov ecx, 1
// 83f800 | cmp eax, 0
condition:
// Matches when at least 7 of the rule's $sequence_* patterns are present and
// the scanned file is smaller than 2940928 bytes.
// NOTE(review): YARA's `filesize` is only meaningful when scanning files; when the
// rule is applied to a running process this condition does not evaluate true.
// The rule header states the patterns come from memory dumps and unpacked
// files, so run it against dumped/unpacked images on disk; a packed on-disk
// sample presumably will not contain 7 of these code sequences.
7 of them and filesize < 2940928
}