IDontCode
/
Theodosius
2
1
Fork 2
Code Issues Pull Requests Projects Releases Wiki Activity

Update README.md

Browse Source
2.0
_xeroxz 4 years ago
parent b897ded79c
commit e900a30269
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File

8
README.md
Unescape View File

@ -631,6 +631,14 @@ As you can see, Theo uses Zydis to go over all routines marked for obfuscation a
Note that in DemoDrv there is a function called "LoopDemo" which is obfuscated. Instead of the JCC instruction branching to the conditional code, it instead branches to an inline jmp. If it doesnt branch, then it simply jumps to the next instruction like normal.
```
ffff998b`c5369e60 0f830e000000 jae ffff998b`c5369e74
ffff998b`c5369e66 ff2500000000 jmp qword ptr [ffff998b`c5369e6c]
ffff998b`c5369e74 ff2500000000 jmp qword ptr [ffff998b`c5369e7a]
```
As you can see above, this is what Theo generates for JCC's. Also note that this clang compiler does not generate RIP relative LEA's or CALL's. The only RIP relative stuff Theo deals with are JCC's.
### Usermode Example
# License - BSD 3-Clause

Write Preview
Loading…
Cancel
Save