From 2b0f6e723d76802f534d82b1ee951a7b00ef304d Mon Sep 17 00:00:00 2001
From: wchen-r7
Date: Fri, 3 Jul 2015 11:12:59 -0500
Subject: [PATCH] Explain the byte sequence

---
 lib/msf/core/exe/segment_injector.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/msf/core/exe/segment_injector.rb b/lib/msf/core/exe/segment_injector.rb
index 1b03f24b2b..11ca89853a 100644
--- a/lib/msf/core/exe/segment_injector.rb
+++ b/lib/msf/core/exe/segment_injector.rb
@@ -67,6 +67,12 @@ module Exe
     end
 
     def is_warbird?(pe)
+      # The byte sequence is for the following code pattern:
+      # .text:004136B4 mov eax, large fs:30h
+      # .text:004136BA sub ecx, edx
+      # .text:004136BC sar ecx, 1
+      # .text:004136BE mov eax, [eax+0Ch]
+      # .text:004136C1 add eax, 0Ch
       pattern = /\x64\xA1\x30\x00\x00\x00\x2B\xCA\xD1\xF9\x8B\x40\x0C\x83\xC0\x0C/
       sections = {}
       pe.sections.each {|s| sections[s.name.to_s] = s}
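Review bot: The added comment decodes the bytes into instructions but still does not say why a match matters, which is the one thing the opcode listing cannot convey; a one-line gloss after the listing, `# fs:30h is the PEB pointer on 32-bit Windows and [eax+0Ch] its Ldr field, i.e. a PEB-walking loader check`, would make the detection's intent clear to the next maintainer. The `.text:004136B4`-style addresses read as a single sample's disassembly and are not part of what the regex matches, so it is worth stating they are illustrative rather than fixed offsets. The opcode-to-instruction mapping itself checks out (`64 A1 30 00 00 00` / `2B CA` / `D1 F9` / `8B 40 0C` / `83 C0 0C`). The body of is_warbird? continues past the end of the hunk, so what the function does with a match is not visible here.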