Decrypting with x86dbg

The preceding code snippet came from the HeapDemo.exe file. You can download this file from https://github.com/PacktPublishing/Mastering-Reverse-Engineering/tree/master/ch9. Go ahead and start debugging the file using x86dbg (HeapDemo.exe is a 32-bit binary, so this is the x32dbg build that ships with x64dbg). This screenshot shows the disassembly at the WinMain function right after loading the file in x86dbg:

Starting at WinMain, we first encounter a heap allocation made with the GetProcessHeap and RtlAllocateHeap APIs (the program calls HeapAlloc, which kernel32 forwards to ntdll's RtlAllocateHeap, so that is the name the debugger shows). This is followed by a _memcpy call that copies 0x1BE (446) bytes of data from the address denoted by heapdemo.enc into the new heap block. Let's take a look at the memory dump of heapdemo.enc. To do that, right-click on push <heapdemo.enc>, then select Follow in Dump. In the submenu, click on the operand's address (the heapdemo.enc entry), not Selected Address, which would only take you to the address of the push instruction itself. This should change the contents of the currently focused Dump window:

This is the data that will be decrypted by the loop that follows. We should also see the same encrypted bytes in the allocated heap block right after executing _memcpy. RtlAllocateHeap returned the block's address in EAX, and the code moved it into ESI, so that register should still hold the heap address. Right-click on the value of register ESI in the registers and flags window, then select Follow in Dump. This should show the same data, but at the heap address. The dump shown in the following screenshot is the encrypted data:

Now for the interesting part: decrypting. While watching the dump of the heap, continue single-stepping. You should notice the bytes changing one at a time as the xor byte ptr ds:[ecx+esi], 58 instruction executes. ESI is the base of the heap block, ECX is the loop counter used as the byte index, and 0x58 is the single-byte XOR key, so each byte of the buffer is XORed with 0x58 in turn:

As it would be tedious to step through this loop 0x1BE times, we can simply place a breakpoint on the instruction right after the jl, which is the conditional jump that closes the loop (it jumps back while ECX is still below 0x1BE), and press F9 to continue running. When the breakpoint hits, the whole buffer has been processed and the dump shows the decrypted data. This is also the moment to save the plaintext from the dump if you want to analyze it outside the debugger (for example with x64dbg's savedata command, giving it the ESI address and a size of 0x1BE). This should result in this decrypted dump:

Continue debugging the code; it concludes by cleaning up the allocated heap and exiting the process. The allocated heap block is freed with the HeapFree API. Usually, the ExitProcess API is used to exit a program. This time, the program calls GetCurrentProcess and passes the returned pseudo-handle to TerminateProcess. That is worth remembering when you set breakpoints: a breakpoint on ExitProcess would never fire here, and TerminateProcess also skips the orderly shutdown that ExitProcess performs, such as DLL_PROCESS_DETACH notifications.
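The following C program is an added example, not code from the book or from HeapDemo.exe, that reproduces the flow we just traced: allocate a heap block, copy the encrypted blob into it, run the single-byte XOR loop, and free the block. It also goes one step beyond the page and shows how the key 0x58 can be recovered without stepping through the loop when you know (or can guess) what the decrypted data should start with. The plaintext is constructed for this example; the real 0x1BE-byte payload of heapdemo.enc is not reproduced here, and malloc/free stand in for RtlAllocateHeap/HeapFree so the code also builds outside Windows.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Key observed in the debugger: xor byte ptr ds:[ecx+esi], 58 */
#define HEAPDEMO_XOR_KEY 0x58u

/* Constructed sample plaintext (not the real HeapDemo.exe payload). */
static const char SAMPLE_PLAINTEXT[] =
    "HeapDemo sample: this text was XORed byte by byte with 0x58.\n";

/* The decrypt loop as seen in the disassembly: for each index ecx in
 * [0, len), buf[ecx] ^= key. XOR is its own inverse, so this routine
 * both encrypts and decrypts. */
void xor_bytes_in_place(uint8_t *buf, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Mirrors the program flow: allocate a heap block (malloc stands in for
 * GetProcessHeap/RtlAllocateHeap), memcpy the blob into it, run the XOR
 * loop. The caller frees the result (HeapFree in the original). */
uint8_t *decrypt_into_heap(const uint8_t *enc, size_t len, uint8_t key)
{
    uint8_t *heap = malloc(len);
    if (heap == NULL)
        return NULL;
    memcpy(heap, enc, len);
    xor_bytes_in_place(heap, len, key);
    return heap;
}

/* Known-plaintext recovery of a single-byte XOR key: if the decrypted
 * data is expected to begin with `crib`, the key is enc[0] ^ crib[0],
 * and the remaining crib bytes verify the guess. Returns -1 if the crib
 * does not fit under that key. */
int recover_xor_key_from_crib(const uint8_t *enc, size_t len,
                              const uint8_t *crib, size_t crib_len)
{
    if (crib_len == 0 || crib_len > len)
        return -1;
    uint8_t key = enc[0] ^ crib[0];
    for (size_t i = 1; i < crib_len; i++)
        if ((enc[i] ^ key) != crib[i])
            return -1;
    return key;
}

/* Builds the constructed ciphertext (what the heapdemo.enc dump would
 * look like for our sample). Returns the number of bytes written. */
size_t build_sample_ciphertext(uint8_t *out, size_t cap)
{
    size_t n = sizeof(SAMPLE_PLAINTEXT) - 1;
    if (n > cap)
        return 0;
    memcpy(out, SAMPLE_PLAINTEXT, n);
    xor_bytes_in_place(out, n, HEAPDEMO_XOR_KEY);
    return n;
}

/* Recover the key using "HeapDemo" as the crib; expected: 0x58. */
int demo_key_recovery(void)
{
    uint8_t enc[128];
    size_t n = build_sample_ciphertext(enc, sizeof enc);
    return recover_xor_key_from_crib(enc, n, (const uint8_t *)"HeapDemo", 8);
}

/* Failure path: a crib that does not match ("MZ" here) yields -1. */
int demo_key_recovery_wrong_crib(void)
{
    uint8_t enc[128];
    size_t n = build_sample_ciphertext(enc, sizeof enc);
    return recover_xor_key_from_crib(enc, n, (const uint8_t *)"MZ", 2);
}

/* Full round trip: 1 if decrypt_into_heap yields the plaintext again. */
int demo_roundtrip(void)
{
    uint8_t enc[128];
    size_t n = build_sample_ciphertext(enc, sizeof enc);
    uint8_t *dec = decrypt_into_heap(enc, n, HEAPDEMO_XOR_KEY);
    if (dec == NULL)
        return 0;
    int ok = memcmp(dec, SAMPLE_PLAINTEXT, n) == 0;
    free(dec);
    return ok;
}

int main(void)
{
    uint8_t enc[128];
    size_t n = build_sample_ciphertext(enc, sizeof enc);
    int key = recover_xor_key_from_crib(enc, n, (const uint8_t *)"HeapDemo", 8);
    printf("recovered key: 0x%02x\n", key);
    uint8_t *dec = decrypt_into_heap(enc, n, (uint8_t)key);
    if (dec != NULL) {
        fwrite(dec, 1, n, stdout);
        free(dec);
    }
    return 0;
}
```

The crib approach is what you fall back on when a sample does not conveniently leave the key as an immediate operand: a header such as "MZ" or "PK", or a string you expect in the decrypted configuration, is enough to fix a one-byte key, and the verification loop catches a wrong guess instead of silently producing garbage.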
