Posted a new blog for $dayjob here. It's more of an educational blog but I step through ripping out assembly code in multiple Hancitor payloads to write decoders that get emulated via unicorn-engine...I <3 the holy trinity.
*EDIT - 01SEP2016*
Updated the decoder script to address a new XOR function they added into the macro after the first blog. Script is a little more robust now as well.