diff --git a/CodeVirtualizer/Code.h b/CodeVirtualizer/Code.h index 6c727e7..b9346b8 100644 --- a/CodeVirtualizer/Code.h +++ b/CodeVirtualizer/Code.h @@ -6,5 +6,6 @@ #define CODE_FLAG_IS_INST (1<<2) #define CODE_FLAG_DO_NOT_DIVIDE (1<<3) #define CODE_FLAG_IS_OBFUSCATED (1<<4) +#define CODE_FLAG_IS_RIP_REL (1<<5) //Figure out how to deal with this... #endif \ No newline at end of file diff --git a/CodeVirtualizer/Jit.cpp b/CodeVirtualizer/Jit.cpp index 3fdee43..ceff258 100644 --- a/CodeVirtualizer/Jit.cpp +++ b/CodeVirtualizer/Jit.cpp @@ -8,7 +8,7 @@ BOOL JitEmitPushfqInst(PNATIVE_CODE_BLOCK Block) { UCHAR RawData[] = { 0x9C }; - PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, 1); + PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, 1); XedDecode(&Link->XedInstruction, Link->RawData, 1); NcAppendToBlock(Block, Link); return TRUE; @@ -17,7 +17,7 @@ BOOL JitEmitPushfqInst(PNATIVE_CODE_BLOCK Block) BOOL JitEmitPopfqInst(PNATIVE_CODE_BLOCK Block) { UCHAR RawData[] = { 0x9D }; - PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, 1); + PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, 1); XedDecode(&Link->XedInstruction, Link->RawData, 1); NcAppendToBlock(Block, Link); return TRUE; diff --git a/CodeVirtualizer/Main.cpp b/CodeVirtualizer/Main.cpp index 751b981..8debe74 100644 --- a/CodeVirtualizer/Main.cpp +++ b/CodeVirtualizer/Main.cpp 
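Review bot: CODE_FLAG_IS_RIP_REL is added to Code.h with only `//Figure out how to deal with this...`, and nothing else in this change sets or tests the bit, so a reader cannot tell what an instruction carrying it is or what the obfuscator must not do to it. State the contract where the flag is defined, e.g. `// Set on instructions with a RIP-relative operand; they cannot be moved or re-encoded without fixing the displacement (not enforced yet).` If the intent is that such instructions are excluded from mutation, the skip test in ObfObfuscate1 that currently checks IS_LABEL, DO_NOT_DIVIDE and IS_REL_JMP presumably needs the same bit, but that is outside this hunk.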
@@ -96,12 +96,23 @@ int main() NcDisassemble(&RetNumBlock, RetNumCode, sizeof(RetNumCode)); OBFUSCATOR Obf; Obf.Flags = 0; - Obf.MinInstCount = 4; + Obf.MinSizeForOpaqueBranch = 1; + Obf.InstructionMutateChance = 0; + Obf.OpaqueBranchChance = 100; + Obf.MinDepthForRandomOpaqueBranch = 0; Obf.GlobalBlock = &RetNumBlock; - ObfObfuscate(&Obf, &RetNumBlock); - ObfObfuscate(&Obf, &RetNumBlock); - Obf.MinInstCount = 30; - ObfObfuscate(&Obf, &RetNumBlock); + Obf.BlockDivisionFactor = 2; + Obf.InstructionMutateChance = 100; + ObfObfuscate1(&Obf, &RetNumBlock); + Obf.MinSizeForOpaqueBranch = 50; + Obf.InstructionMutateChance = 50; + ObfObfuscate1(&Obf, &RetNumBlock); + + printf("Finished second pas.\n"); + //Obf.MinSizeForOpaqueBranch = 200; + //ObfObfuscate1(&Obf, &RetNumBlock); + //Obf.MinSizeForOpaqueBranch = 30; + //ObfObfuscate(&Obf, &RetNumBlock); ULONG AsmSize; @@ -112,10 +123,12 @@ int main() system("pause"); return 1; } + PutToFile(Asm, AsmSize); + system("pause"); + PVOID Exec = MakeExecutableBuffer(Asm, AsmSize); typedef ULONG64(*FnRetNum)(ULONG Num); - printf("\n\nObfuscated: %llu Original: %llu\n\n", ((FnRetNum)Exec)(1776), RetNum(1776)); - PutToFile(Asm, AsmSize); + printf("\n\nSize: %u Obfuscated: %llu Original: %llu\n\n", NcCountInstructions(&RetNumBlock), ((FnRetNum)Exec)(1776), RetNum(1776)); system("pause"); @@ -123,10 +136,10 @@ int main() NcDisassemble(&Block, meme1, sizeof(meme1)); OBFUSCATOR Obf; Obf.Flags = 0; - Obf.MinInstCount = 12; + Obf.MinSizeForOpaqueBranch = 12; Obf.GlobalBlock = &Block; ObfObfuscate(&Obf, &Block); - Obf.MinInstCount = 4; + Obf.MinSizeForOpaqueBranch = 4; ObfObfuscate(&Obf, &Block); NcDebugPrint(&Block); diff --git a/CodeVirtualizer/NativeCode.cpp b/CodeVirtualizer/NativeCode.cpp index 4b9015d..38c67b3 100644 --- a/CodeVirtualizer/NativeCode.cpp +++ b/CodeVirtualizer/NativeCode.cpp 
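Review bot: In the second Main.cpp hunk the result of `MakeExecutableBuffer(Asm, AsmSize)` is still cast and called as `((FnRetNum)Exec)(1776)` inside the new printf with no NULL check, whereas `Asm` a few lines above gets a failure branch; a failed mapping becomes a call through a null function pointer. Add the same guard right after the assignment: `if (!Exec) { printf("failed to make buffer executable\n"); system("pause"); return 1; }`. The new message `"Finished second pas.\n"` looks like a typo for "pass". Neither `Asm` nor `Exec` is released before main returns, though who owns those buffers is not visible in this hunk.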
@@ -401,20 +401,14 @@ BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block) { INT32 BranchDisp = 0; if (!NcGetDeltaToLabel(T, &BranchDisp)) - { - printf("\n1\n"); - return NULL; - } + return FALSE; ULONG DispWidth = XedDecodedInstGetBranchDisplacementWidthBits(&T->XedInstruction); if (log2(abs(BranchDisp)) + 1 > DispWidth) { //duh oh if (DispWidth == 32) - { - printf("\n2\n"); - return NULL; - } + return FALSE; ////Grow displacement width to required size //DispWidth *= 2; @@ -423,10 +417,7 @@ BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block) //if (log2(abs(BranchDisp)) + 1 > DispWidth) //{ // if (DispWidth == 32) - // { - // printf("\n3\n"); - // return NULL; - // } + // return FALSE; // //Grow once more if not already at 32 // DispWidth *= 2; @@ -448,17 +439,10 @@ BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block) XedInst1(&EncoderInstruction, MachineState, IClass, DispWidth, XedRelBr(0, DispWidth)); XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState); if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction)) - { - printf("\n4\n"); - return NULL; - } + return FALSE; XED_ERROR_ENUM Err = XedEncode(&EncoderRequest, EncodeBuffer, 15, &ReturnedSize); if (XED_ERROR_NONE != Err) - { - printf("%s %s %u \n", XedErrorEnumToString(Err), XedIClassEnumToString(IClass), DispWidth); - printf("\n5\n"); - return NULL; - } + return FALSE; //fixup T->RawData delete[] T->RawData; @@ -469,10 +453,7 @@ BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block) //Decode instruction so its proper and all that XedDecodedInstZeroSetMode(&T->XedInstruction, &MachineState); if (XED_ERROR_NONE != XedDecode(&T->XedInstruction, T->RawData, T->RawDataSize)) - { - printf("\n6\n"); - return NULL; - } + return FALSE; //Go back to the start and loop through all labels again because now this instruction is larger :)))) T = Block->Start; diff --git a/CodeVirtualizer/Obfuscator.cpp b/CodeVirtualizer/Obfuscator.cpp index f510f65..52357f8 100644 --- a/CodeVirtualizer/Obfuscator.cpp +++ b/CodeVirtualizer/Obfuscator.cpp 
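Review bot: The fit test `if (log2(abs(BranchDisp)) + 1 > DispWidth)` that the new `return FALSE` paths sit under is off by one on the positive side and undefined at the extreme: a signed rel8 holds -128..127, yet for BranchDisp == 128 the expression is 8 > 8, false, so the instruction stays at 8 bits and the encoder is handed a displacement that width cannot represent, and `abs(INT32_MIN)` overflows. Compare against the signed range directly, e.g. `LONGLONG Lim = 1LL << (DispWidth - 1); if (BranchDisp < -Lim || BranchDisp >= Lim)` — this presumes DispWidth is never 0 here, which I take to be guaranteed by the branch check earlier in the function. Replacing the `printf("%s %s %u \n", XedErrorEnumToString(Err), ...)` with a bare `return FALSE` also drops the only diagnostic that named the failing XED error; keeping it behind a debug macro would make encode failures diagnosable. NcFixRelJmps starts before this hunk and continues after it.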
@@ -3,16 +3,47 @@ -VOID ObfObfuscate(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block) +VOID ObfObfuscate1(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block, ULONG Depth) { ULONG InstructionCount = NcCountInstructions(Block); - if (InstructionCount <= Obf->MinInstCount) + if (InstructionCount <= Obf->MinSizeForOpaqueBranch) { + for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;) + { + if ((T->Flags & CODE_FLAG_IS_LABEL) || (T->Flags & CODE_FLAG_DO_NOT_DIVIDE) || (T->Flags & CODE_FLAG_IS_REL_JMP)) + { + T = T->Next; + continue; + } + + PNATIVE_CODE_LINK RealNext = T->Next; + + if ((rand() % 100) <= Obf->InstructionMutateChance) + { + PNATIVE_CODE_BLOCK PreOp = JitEmitPreRipMov(T); + PNATIVE_CODE_BLOCK PostOp = JitEmitPostRipMov(T); + + NcInsertBlockBefore(T, PreOp, FALSE); + NcInsertBlockAfter(T, PostOp, FALSE); + + if (Block->Start == T) + Block->Start = PreOp->Start; + if (Block->End == T) + Block->End = PostOp->End; + + //for (ULONG i = 0; i < T->RawDataSize; i++) + // T->RawData[i] = (UCHAR)(rand() % 255); + T->Flags |= CODE_FLAG_DO_NOT_DIVIDE; + + } + + T = RealNext; + } } else { - ULONG TargetCount = InstructionCount / 2; + ULONG TargetCount = max(Obf->MinSizeForOpaqueBranch, InstructionCount / ((Obf->Flags & OBF_ATTRIBUTE_RANDOMIZE_DIVISOR) ? (rand() % Obf->BlockDivisionFactor) : Obf->BlockDivisionFactor)); // max(Obf->MinBlockSize, InstructionCount / Obf->BlockDivisionFactor); ULONG CurrentCount = 0; PNATIVE_CODE_LINK NewBlockStart = Block->Start; for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;) 
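Review bot: The new divisor expression `InstructionCount / ((Obf->Flags & OBF_ATTRIBUTE_RANDOMIZE_DIVISOR) ? (rand() % Obf->BlockDivisionFactor) : Obf->BlockDivisionFactor)` divides by zero whenever `rand() % BlockDivisionFactor` lands on 0 (it ranges 0..Factor-1), and a BlockDivisionFactor of 0 makes the modulo itself undefined; offset the random divisor by one and reject 0. The chance test `(rand() % 100) <= Obf->InstructionMutateChance` also fires about 1 % of the time when the chance is 0, since rand() % 100 can be 0 — use `<`; the same `<=` appears in the `OpaqueBranchChance` test in the next hunk. `PreOp` and `PostOp` from JitEmitPreRipMov/JitEmitPostRipMov are dereferenced (`PreOp->Start`, `PostOp->End`) without a NULL check, although the commented-out code in Main.cpp suggests those helpers can return NULL. A divisor of 1 makes TargetCount equal InstructionCount, so the recursive calls see a block of the same size; I cannot see ObfCreateOpaqueBranches, but if it copies the range verbatim the recursion never bottoms out, so BlockDivisionFactor should be required to be at least 2.

```cpp
// … unchanged: skip of IS_LABEL / DO_NOT_DIVIDE / IS_REL_JMP links …
if ((rand() % 100) < Obf->InstructionMutateChance)   // rand()%100 is 0..99
{
    PNATIVE_CODE_BLOCK PreOp = JitEmitPreRipMov(T);
    PNATIVE_CODE_BLOCK PostOp = JitEmitPostRipMov(T);
    if (!PreOp || !PostOp)
    {
        T = RealNext;   // leave the instruction as-is rather than dereference NULL
        continue;
    }
    // … unchanged: NcInsertBlockBefore/After, Start/End fix-up, DO_NOT_DIVIDE …
}
// … unchanged: end of mutate loop …
else
{
    // rand() % N is 0..N-1, so the randomized divisor must be offset by one;
    // a zero BlockDivisionFactor would make the modulo undefined.
    ULONG Divisor = Obf->BlockDivisionFactor ? Obf->BlockDivisionFactor : 1;
    if (Obf->Flags & OBF_ATTRIBUTE_RANDOMIZE_DIVISOR)
        Divisor = 1 + (rand() % Divisor);
    ULONG TargetCount = max(Obf->MinSizeForOpaqueBranch, InstructionCount / Divisor);
    // … unchanged: CurrentCount / NewBlockStart loop …
```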
@@ -25,15 +56,34 @@ VOID ObfObfuscate(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block) ++CurrentCount; + if (T->Flags & CODE_FLAG_DO_NOT_DIVIDE) + { + T = T->Next; + continue; + } + if (CurrentCount == TargetCount) { - NATIVE_CODE_BLOCK NotTaken, Taken; - ObfCreateOpaqueBranches(NewBlockStart, T, &NotTaken, &Taken); - ObfObfuscate(Obf, &NotTaken); - ObfObfuscate(Obf, &Taken); - ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Obf->GlobalBlock), NcGenUnusedLabelId(Obf->GlobalBlock)); - ObfInsertOpaqueBranchBlock(NewBlockStart, T, &NotTaken); - T = NotTaken.End; + if (Depth >= Obf->MinDepthForRandomOpaqueBranch && (rand() % 100) <= Obf->OpaqueBranchChance) + { + NATIVE_CODE_BLOCK NotTaken, Taken; + ObfCreateOpaqueBranches(NewBlockStart, T, &NotTaken, &Taken); + ObfObfuscate1(Obf, &NotTaken, Depth + 1); + ObfObfuscate1(Obf, &Taken, Depth + 1); + ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Obf->GlobalBlock), NcGenUnusedLabelId(Obf->GlobalBlock)); + ObfInsertOpaqueBranchBlock(NewBlockStart, T, &NotTaken); + T = NotTaken.End; + } + else + { + NATIVE_CODE_BLOCK TempBlock; + if (NcDeepCopyPartialBlock(NewBlockStart, T, &TempBlock)) + { + ObfObfuscate1(Obf, &TempBlock, Depth + 1); + ObfInsertOpaqueBranchBlock(NewBlockStart, T, &TempBlock); + } + T = TempBlock.End; + } NewBlockStart = T->Next; CurrentCount = 0; } @@ -43,12 +93,16 @@ VOID ObfObfuscate(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block) { NATIVE_CODE_BLOCK NotTaken, Taken; ObfCreateOpaqueBranches(NewBlockStart, Block->End, &NotTaken, &Taken); - ObfObfuscate(Obf, &NotTaken); - ObfObfuscate(Obf, &Taken); + ObfObfuscate1(Obf, &NotTaken, Depth + 1); + ObfObfuscate1(Obf, &Taken, Depth + 1); ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Obf->GlobalBlock), NcGenUnusedLabelId(Obf->GlobalBlock)); ObfInsertOpaqueBranchBlock(NewBlockStart, Block->End, &NotTaken); } } + + + + } diff --git a/CodeVirtualizer/Obfuscator.h b/CodeVirtualizer/Obfuscator.h index 93dfca2..0ef37b6 100644 
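Review bot: In the new non-opaque path, `T = TempBlock.End;` runs even when `NcDeepCopyPartialBlock(NewBlockStart, T, &TempBlock)` fails, so `T` is taken from a block that was never filled in; whether the constructor nulls `End` or leaves it indeterminate, the following `NewBlockStart = T->Next;` dereferences it. Move the assignment inside the success branch, `ObfInsertOpaqueBranchBlock(NewBlockStart, T, &TempBlock); T = TempBlock.End;`, so that on failure `T` stays at the last instruction of the range and the loop continues from there. The four blank lines added before the closing brace in the third hunk are noise. ObfObfuscate1 starts before this hunk.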
--- a/CodeVirtualizer/Obfuscator.h +++ b/CodeVirtualizer/Obfuscator.h @@ -10,15 +10,24 @@ #define OBF_ATTRIBUTE_JIT (1<<0) #define OBF_ATTRIBUTE_OPAQUE_BRANCHES (1<<1) +#define OBF_ATTRIBUTE_RANDOMIZE_DIVISOR (1<<2) typedef struct _OBFUSCATOR { - ULONG MinInstCount; + ULONG MinDepthForRandomOpaqueBranch; + ULONG MinSizeForOpaqueBranch; + + UCHAR OpaqueBranchChance; + UCHAR InstructionMutateChance; + UCHAR BlockDivisionFactor; + ULONG Flags; PNATIVE_CODE_BLOCK GlobalBlock; }OBFUSCATOR, *POBFUSCATOR; +BOOL ObfJitInst(); + //Recursive obfuscation routine using opaque branches and jit -VOID ObfObfuscate(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block); +VOID ObfObfuscate1(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block, ULONG Depth = 0); #endif \ No newline at end of file diff --git a/CodeVirtualizer/x64/Debug/Jit.cod b/CodeVirtualizer/x64/Debug/Jit.cod index 57a5695..d4772ff 100644 --- a/CodeVirtualizer/x64/Debug/Jit.cod +++ b/CodeVirtualizer/x64/Debug/Jit.cod @@ -5930,7 +5930,7 @@ $LN6: 00047 c6 45 04 9d mov BYTE PTR RawData$[rbp], 157 ; 0000009dH -; 20 : PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, 1); +; 20 : PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, 1); 0004b b9 f0 00 00 00 mov ecx, 240 ; 000000f0H 00050 e8 00 00 00 00 call ??2@YAPEAX_K@Z ; operator new @@ -5944,7 +5944,7 @@ $LN6: 0006e 41 b9 01 00 00 00 mov r9d, 1 00074 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp] - 00078 ba 04 00 00 00 mov edx, 4 + 00078 ba 0c 00 00 00 mov edx, 12 0007d 48 8b 8d 28 01 00 00 mov rcx, QWORD PTR $T5[rbp] 00084 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 
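Review bot: The new OBFUSCATOR fields carry no documentation, and their valid ranges are not obvious from the types: the two `UCHAR` chances are compared against `rand() % 100`, so they are percentages 0..100, and BlockDivisionFactor is used as a divisor and must not be 0. Annotate them in the struct, e.g. `UCHAR OpaqueBranchChance;       // percent, 0..100`, `UCHAR InstructionMutateChance;  // percent, 0..100`, `UCHAR BlockDivisionFactor;      // >= 2; with OBF_ATTRIBUTE_RANDOMIZE_DIVISOR the divisor is drawn below this`, and extend the routine comment to say that `Depth` is the recursion level and callers pass 0. The struct has no default initializer, so every caller must set all seven fields before use; a note to that effect, or a `= {}` default, would prevent the uninitialized-field reads that Main.cpp only avoids by setting each one. `BOOL ObfJitInst();` is declared here with no definition in this change, which may be intentional but should be confirmed.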
@@ -6099,7 +6099,7 @@ $LN6: 00047 c6 45 04 9c mov BYTE PTR RawData$[rbp], 156 ; 0000009cH -; 11 : PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, 1); +; 11 : PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, 1); 0004b b9 f0 00 00 00 mov ecx, 240 ; 000000f0H 00050 e8 00 00 00 00 call ??2@YAPEAX_K@Z ; operator new @@ -6113,7 +6113,7 @@ $LN6: 0006e 41 b9 01 00 00 00 mov r9d, 1 00074 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp] - 00078 ba 04 00 00 00 mov edx, 4 + 00078 ba 0c 00 00 00 mov edx, 12 0007d 48 8b 8d 28 01 00 00 mov rcx, QWORD PTR $T5[rbp] 00084 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK diff --git a/CodeVirtualizer/x64/Debug/Main.cod b/CodeVirtualizer/x64/Debug/Main.cod index 1050e2c..c711024 100644 --- a/CodeVirtualizer/x64/Debug/Main.cod +++ b/CodeVirtualizer/x64/Debug/Main.cod @@ -427,9 +427,10 @@ PUBLIC ??_7?$basic_filebuf@DU?$char_traits@D@std@@@std@@6B@ ; std::basic_filebuf PUBLIC ??_7?$basic_ofstream@DU?$char_traits@D@std@@@std@@6B@ ; std::basic_ofstream >::`vftable' PUBLIC ??_8?$basic_ofstream@DU?$char_traits@D@std@@@std@@7B@ ; std::basic_ofstream >::`vbtable' PUBLIC ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ ; `string' +PUBLIC ??_C@_0BG@KBAIGCC@Finished?5second?5pas?4?6@ ; `string' PUBLIC ??_C@_0BE@GALOGKHF@failed?5to?5assemble?6@ ; `string' PUBLIC ??_C@_05PDJBBECF@pause@ ; `string' -PUBLIC ??_C@_0CH@OKHDPAIH@?6?6Obfuscated?3?5?$CFllu?5?5?5?5Original?3@ ; `string' +PUBLIC ??_C@_0DC@MEGCPGB@?6?6Size?3?5?$CFu?5?5?5Obfuscated?3?5?$CFllu?5?5@ ; `string' PUBLIC ??_C@_0N@LPFKKEBD@?3AM?3am?3PM?3pm@ ; `string' PUBLIC ??_C@_0GI@GFIDMGHH@C?3?2Program?5Files?5?$CIx86?$CJ?2Microsof@ ; `string' PUBLIC ??_C@_1NA@LKMCOJGD@?$AAC?$AA?3?$AA?2?$AAP?$AAr?$AAo?$AAg?$AAr?$AAa?$AAm?$AA?5?$AAF?$AAi?$AAl?$AAe@ ; `string' 
@@ -591,9 +592,10 @@ EXTRN __imp__time64:PROC EXTRN ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z:PROC ; std::setw EXTRN xed_tables_init:PROC EXTRN ??0_NATIVE_CODE_BLOCK@@QEAA@XZ:PROC ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK +EXTRN ?NcCountInstructions@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z:PROC ; NcCountInstructions EXTRN ?NcDisassemble@@YAHPEAU_NATIVE_CODE_BLOCK@@PEAXK@Z:PROC ; NcDisassemble EXTRN ?NcAssemble@@YAPEAXPEAU_NATIVE_CODE_BLOCK@@PEAK@Z:PROC ; NcAssemble -EXTRN ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z:PROC ; ObfObfuscate +EXTRN ?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z:PROC ; ObfObfuscate1 EXTRN ??_E?$basic_filebuf@DU?$char_traits@D@std@@@std@@UEAAPEAXI@Z:PROC ; std::basic_filebuf >::`vector deleting destructor' EXTRN ??_E?$basic_ofstream@DU?$char_traits@D@std@@@std@@UEAAPEAXI@Z:PROC ; std::basic_ofstream >::`vector deleting destructor' EXTRN RetNum:PROC @@ -1484,7 +1486,7 @@ pdata ENDS ; COMDAT pdata pdata SEGMENT $pdata$main DD imagerel $LN7 - DD imagerel $LN7+461 + DD imagerel $LN7+527 DD imagerel $unwind$main pdata ENDS ; COMDAT pdata @@ -2259,10 +2261,11 @@ CONST ENDS CONST SEGMENT ??_C@_0N@LPFKKEBD@?3AM?3am?3PM?3pm@ DB ':AM:am:PM:pm', 00H ; `string' CONST ENDS -; COMDAT ??_C@_0CH@OKHDPAIH@?6?6Obfuscated?3?5?$CFllu?5?5?5?5Original?3@ +; COMDAT ??_C@_0DC@MEGCPGB@?6?6Size?3?5?$CFu?5?5?5Obfuscated?3?5?$CFllu?5?5@ CONST SEGMENT -??_C@_0CH@OKHDPAIH@?6?6Obfuscated?3?5?$CFllu?5?5?5?5Original?3@ DB 0aH, 0aH - DB 'Obfuscated: %llu Original: %llu', 0aH, 0aH, 00H ; `string' +??_C@_0DC@MEGCPGB@?6?6Size?3?5?$CFu?5?5?5Obfuscated?3?5?$CFllu?5?5@ DB 0aH + DB 0aH, 'Size: %u Obfuscated: %llu Original: %llu', 0aH, 0aH + DB 00H ; `string' CONST ENDS ; COMDAT ??_C@_05PDJBBECF@pause@ CONST SEGMENT 
@@ -2272,6 +2275,11 @@ CONST ENDS CONST SEGMENT ??_C@_0BE@GALOGKHF@failed?5to?5assemble?6@ DB 'failed to assemble', 0aH, 00H ; `string' CONST ENDS +; COMDAT ??_C@_0BG@KBAIGCC@Finished?5second?5pas?4?6@ +CONST SEGMENT +??_C@_0BG@KBAIGCC@Finished?5second?5pas?4?6@ DB 'Finished second pas.', 0aH + DB 00H ; `string' +CONST ENDS ; COMDAT ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ CONST SEGMENT ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ DB 'C:\Users\Ii' @@ -3346,11 +3354,11 @@ $ip2state$main DB 0aH DB 00H DB 0b2H DB 02H - DB 'y', 02H + DB 0f9H, 02H DB 00H DB '(' DB 02H - DB 011H, 02H + DB 099H, 02H DB 00H xdata ENDS ; COMDAT xdata @@ -3373,7 +3381,7 @@ $unwind$main DD 025052f19H DD 05002H DD imagerel __GSHandlerCheck_EH4 DD imagerel $cppxdata$main - DD 01f2H + DD 01faH xdata ENDS ; COMDAT CONST CONST SEGMENT @@ -3406,7 +3414,7 @@ main$rtcVarDesc DD 0a4H DD 04H DQ FLAT:main$rtcName$2 DD 078H - DD 010H + DD 018H DQ FLAT:main$rtcName$1 DD 028H DD 030H @@ -8739,10 +8747,11 @@ AsmSize$ = 132 Asm$ = 168 Exec$ = 200 $T6 = 420 -tv134 = 440 -tv128 = 448 -tv132 = 456 -__$ArrayPad$ = 464 +tv143 = 440 +tv132 = 448 +tv141 = 456 +tv139 = 464 +__$ArrayPad$ = 472 main PROC ; COMDAT ; 90 : { @@ -8760,7 +8769,7 @@ $LN7: 0001e 48 8b 05 00 00 00 00 mov rax, QWORD PTR __security_cookie 00025 48 33 c5 xor rax, rbp - 00028 48 89 85 d0 01 + 00028 48 89 85 d8 01 00 00 mov QWORD PTR __$ArrayPad$[rbp], rax 0002f 48 8d 0d 00 00 00 00 lea rcx, OFFSET FLAT:__4031338C_Main@cpp 
@@ -8798,282 +8807,328 @@ $LN7: ; 97 : OBFUSCATOR Obf; ; 98 : Obf.Flags = 0; - 0006f c7 45 5c 00 00 - 00 00 mov DWORD PTR Obf$[rbp+4], 0 + 0006f c7 45 64 00 00 + 00 00 mov DWORD PTR Obf$[rbp+12], 0 + +; 99 : Obf.MinSizeForOpaqueBranch = 1; + + 00076 c7 45 5c 01 00 + 00 00 mov DWORD PTR Obf$[rbp+4], 1 + +; 100 : Obf.InstructionMutateChance = 0; + + 0007d c6 45 61 00 mov BYTE PTR Obf$[rbp+9], 0 + +; 101 : Obf.OpaqueBranchChance = 100; + + 00081 c6 45 60 64 mov BYTE PTR Obf$[rbp+8], 100 ; 00000064H + +; 102 : Obf.MinDepthForRandomOpaqueBranch = 0; + + 00085 c7 45 58 00 00 + 00 00 mov DWORD PTR Obf$[rbp], 0 + +; 103 : Obf.GlobalBlock = &RetNumBlock; -; 99 : Obf.MinInstCount = 4; + 0008c 48 8d 45 08 lea rax, QWORD PTR RetNumBlock$[rbp] + 00090 48 89 45 68 mov QWORD PTR Obf$[rbp+16], rax - 00076 c7 45 58 04 00 - 00 00 mov DWORD PTR Obf$[rbp], 4 +; 104 : Obf.BlockDivisionFactor = 2; -; 100 : Obf.GlobalBlock = &RetNumBlock; + 00094 c6 45 62 02 mov BYTE PTR Obf$[rbp+10], 2 - 0007d 48 8d 45 08 lea rax, QWORD PTR RetNumBlock$[rbp] - 00081 48 89 45 60 mov QWORD PTR Obf$[rbp+8], rax +; 105 : Obf.InstructionMutateChance = 100; -; 101 : ObfObfuscate(&Obf, &RetNumBlock); + 00098 c6 45 61 64 mov BYTE PTR Obf$[rbp+9], 100 ; 00000064H - 00085 48 8d 55 08 lea rdx, QWORD PTR RetNumBlock$[rbp] - 00089 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp] - 0008d e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate +; 106 : ObfObfuscate1(&Obf, &RetNumBlock); -; 102 : ObfObfuscate(&Obf, &RetNumBlock); + 0009c 45 33 c0 xor r8d, r8d + 0009f 48 8d 55 08 lea rdx, QWORD PTR RetNumBlock$[rbp] + 000a3 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp] + 000a7 e8 00 00 00 00 call ?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z ; ObfObfuscate1 - 00092 48 8d 55 08 lea rdx, QWORD PTR RetNumBlock$[rbp] - 00096 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp] - 0009a e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate +; 107 : 
Obf.MinSizeForOpaqueBranch = 50; -; 103 : Obf.MinInstCount = 30; + 000ac c7 45 5c 32 00 + 00 00 mov DWORD PTR Obf$[rbp+4], 50 ; 00000032H - 0009f c7 45 58 1e 00 - 00 00 mov DWORD PTR Obf$[rbp], 30 +; 108 : Obf.InstructionMutateChance = 50; -; 104 : ObfObfuscate(&Obf, &RetNumBlock); + 000b3 c6 45 61 32 mov BYTE PTR Obf$[rbp+9], 50 ; 00000032H - 000a6 48 8d 55 08 lea rdx, QWORD PTR RetNumBlock$[rbp] - 000aa 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp] - 000ae e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate +; 109 : ObfObfuscate1(&Obf, &RetNumBlock); -; 105 : -; 106 : -; 107 : ULONG AsmSize; -; 108 : PVOID Asm = NcAssemble(&RetNumBlock, &AsmSize); + 000b7 45 33 c0 xor r8d, r8d + 000ba 48 8d 55 08 lea rdx, QWORD PTR RetNumBlock$[rbp] + 000be 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp] + 000c2 e8 00 00 00 00 call ?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z ; ObfObfuscate1 - 000b3 48 8d 95 84 00 +; 110 : +; 111 : printf("Finished second pas.\n"); + + 000c7 48 8d 0d 00 00 + 00 00 lea rcx, OFFSET FLAT:??_C@_0BG@KBAIGCC@Finished?5second?5pas?4?6@ + 000ce e8 00 00 00 00 call printf + +; 112 : //Obf.MinSizeForOpaqueBranch = 200; +; 113 : //ObfObfuscate1(&Obf, &RetNumBlock); +; 114 : //Obf.MinSizeForOpaqueBranch = 30; +; 115 : //ObfObfuscate(&Obf, &RetNumBlock); +; 116 : +; 117 : +; 118 : ULONG AsmSize; +; 119 : PVOID Asm = NcAssemble(&RetNumBlock, &AsmSize); + + 000d3 48 8d 95 84 00 00 00 lea rdx, QWORD PTR AsmSize$[rbp] - 000ba 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp] - 000be e8 00 00 00 00 call ?NcAssemble@@YAPEAXPEAU_NATIVE_CODE_BLOCK@@PEAK@Z ; NcAssemble - 000c3 48 89 85 a8 00 + 000da 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp] + 000de e8 00 00 00 00 call ?NcAssemble@@YAPEAXPEAU_NATIVE_CODE_BLOCK@@PEAK@Z ; NcAssemble + 000e3 48 89 85 a8 00 00 00 mov QWORD PTR Asm$[rbp], rax -; 109 : if (!Asm) +; 120 : if (!Asm) - 000ca 48 83 bd a8 00 + 000ea 48 83 bd a8 00 00 00 00 cmp QWORD PTR Asm$[rbp], 0 - 
000d2 75 37 jne SHORT $LN2@main + 000f2 75 37 jne SHORT $LN2@main -; 110 : { -; 111 : printf("failed to assemble\n"); +; 121 : { +; 122 : printf("failed to assemble\n"); - 000d4 48 8d 0d 00 00 + 000f4 48 8d 0d 00 00 00 00 lea rcx, OFFSET FLAT:??_C@_0BE@GALOGKHF@failed?5to?5assemble?6@ - 000db e8 00 00 00 00 call printf + 000fb e8 00 00 00 00 call printf -; 112 : system("pause"); +; 123 : system("pause"); - 000e0 48 8d 0d 00 00 + 00100 48 8d 0d 00 00 00 00 lea rcx, OFFSET FLAT:??_C@_05PDJBBECF@pause@ - 000e7 ff 15 00 00 00 + 00107 ff 15 00 00 00 00 call QWORD PTR __imp_system -; 113 : return 1; +; 124 : return 1; - 000ed c7 85 a4 01 00 + 0010d c7 85 a4 01 00 00 01 00 00 00 mov DWORD PTR $T6[rbp], 1 - 000f7 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp] - 000fb e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ - 00100 8b 85 a4 01 00 + 00117 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp] + 0011b e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ + 00120 8b 85 a4 01 00 00 mov eax, DWORD PTR $T6[rbp] - 00106 e9 93 00 00 00 jmp $LN5@main + 00126 e9 b5 00 00 00 jmp $LN5@main $LN2@main: -; 114 : } -; 115 : PVOID Exec = MakeExecutableBuffer(Asm, AsmSize); +; 125 : } +; 126 : PutToFile(Asm, AsmSize); - 0010b 8b 95 84 00 00 + 0012b 8b 95 84 00 00 00 mov edx, DWORD PTR AsmSize$[rbp] - 00111 48 8b 8d a8 00 + 00131 48 8b 8d a8 00 00 00 mov rcx, QWORD PTR Asm$[rbp] - 00118 e8 00 00 00 00 call ?MakeExecutableBuffer@@YAPEAXPEAXK@Z ; MakeExecutableBuffer - 0011d 48 89 85 c8 00 - 00 00 mov QWORD PTR Exec$[rbp], rax + 00138 e8 00 00 00 00 call ?PutToFile@@YAXPEAXK@Z ; PutToFile -; 116 : typedef ULONG64(*FnRetNum)(ULONG Num); -; 117 : printf("\n\nObfuscated: %llu Original: %llu\n\n", ((FnRetNum)Exec)(1776), RetNum(1776)); +; 127 : system("pause"); - 00124 b9 f0 06 00 00 mov ecx, 1776 ; 000006f0H - 00129 e8 00 00 00 00 call RetNum - 0012e 48 89 85 b8 01 - 00 00 mov QWORD PTR tv134[rbp], rax - 00135 48 8b 85 c8 00 - 00 00 mov rax, QWORD PTR Exec$[rbp] - 0013c 48 89 85 c0 01 - 00 00 
mov QWORD PTR tv128[rbp], rax - 00143 b9 f0 06 00 00 mov ecx, 1776 ; 000006f0H - 00148 ff 95 c0 01 00 - 00 call QWORD PTR tv128[rbp] - 0014e 48 89 85 c8 01 - 00 00 mov QWORD PTR tv132[rbp], rax - 00155 4c 8b 85 b8 01 - 00 00 mov r8, QWORD PTR tv134[rbp] - 0015c 48 8b 95 c8 01 - 00 00 mov rdx, QWORD PTR tv132[rbp] - 00163 48 8d 0d 00 00 - 00 00 lea rcx, OFFSET FLAT:??_C@_0CH@OKHDPAIH@?6?6Obfuscated?3?5?$CFllu?5?5?5?5Original?3@ - 0016a e8 00 00 00 00 call printf + 0013d 48 8d 0d 00 00 + 00 00 lea rcx, OFFSET FLAT:??_C@_05PDJBBECF@pause@ + 00144 ff 15 00 00 00 + 00 call QWORD PTR __imp_system -; 118 : PutToFile(Asm, AsmSize); +; 128 : +; 129 : PVOID Exec = MakeExecutableBuffer(Asm, AsmSize); - 0016f 8b 95 84 00 00 + 0014a 8b 95 84 00 00 00 mov edx, DWORD PTR AsmSize$[rbp] - 00175 48 8b 8d a8 00 + 00150 48 8b 8d a8 00 00 00 mov rcx, QWORD PTR Asm$[rbp] - 0017c e8 00 00 00 00 call ?PutToFile@@YAXPEAXK@Z ; PutToFile + 00157 e8 00 00 00 00 call ?MakeExecutableBuffer@@YAPEAXPEAXK@Z ; MakeExecutableBuffer + 0015c 48 89 85 c8 00 + 00 00 mov QWORD PTR Exec$[rbp], rax -; 119 : system("pause"); +; 130 : typedef ULONG64(*FnRetNum)(ULONG Num); +; 131 : printf("\n\nSize: %u Obfuscated: %llu Original: %llu\n\n", NcCountInstructions(&RetNumBlock), ((FnRetNum)Exec)(1776), RetNum(1776)); - 00181 48 8d 0d 00 00 + 00163 b9 f0 06 00 00 mov ecx, 1776 ; 000006f0H + 00168 e8 00 00 00 00 call RetNum + 0016d 48 89 85 b8 01 + 00 00 mov QWORD PTR tv143[rbp], rax + 00174 48 8b 85 c8 00 + 00 00 mov rax, QWORD PTR Exec$[rbp] + 0017b 48 89 85 c0 01 + 00 00 mov QWORD PTR tv132[rbp], rax + 00182 b9 f0 06 00 00 mov ecx, 1776 ; 000006f0H + 00187 ff 95 c0 01 00 + 00 call QWORD PTR tv132[rbp] + 0018d 48 89 85 c8 01 + 00 00 mov QWORD PTR tv141[rbp], rax + 00194 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp] + 00198 e8 00 00 00 00 call ?NcCountInstructions@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z ; NcCountInstructions + 0019d 89 85 d0 01 00 + 00 mov DWORD PTR tv139[rbp], eax + 001a3 4c 8b 8d b8 01 + 00 00 mov r9, 
QWORD PTR tv143[rbp] + 001aa 4c 8b 85 c8 01 + 00 00 mov r8, QWORD PTR tv141[rbp] + 001b1 8b 95 d0 01 00 + 00 mov edx, DWORD PTR tv139[rbp] + 001b7 48 8d 0d 00 00 + 00 00 lea rcx, OFFSET FLAT:??_C@_0DC@MEGCPGB@?6?6Size?3?5?$CFu?5?5?5Obfuscated?3?5?$CFllu?5?5@ + 001be e8 00 00 00 00 call printf + +; 132 : system("pause"); + + 001c3 48 8d 0d 00 00 00 00 lea rcx, OFFSET FLAT:??_C@_05PDJBBECF@pause@ - 00188 ff 15 00 00 00 + 001ca ff 15 00 00 00 00 call QWORD PTR __imp_system - 0018e 90 npad 1 - -; 120 : -; 121 : -; 122 : /*NATIVE_CODE_BLOCK Block; -; 123 : NcDisassemble(&Block, meme1, sizeof(meme1)); -; 124 : OBFUSCATOR Obf; -; 125 : Obf.Flags = 0; -; 126 : Obf.MinInstCount = 12; -; 127 : Obf.GlobalBlock = &Block; -; 128 : ObfObfuscate(&Obf, &Block); -; 129 : Obf.MinInstCount = 4; -; 130 : ObfObfuscate(&Obf, &Block); -; 131 : NcDebugPrint(&Block); -; 132 : -; 133 : ULONG ByteSize = NcCalcBlockSizeInBytes(&Block); -; 134 : ULONG InstSize = NcCountInstructions(&Block); -; 135 : -; 136 : printf("Bytes: %u, Insts: %u, FlagsMeme: %u.\n", ByteSize, InstSize, Obf.Flags); -; 137 : -; 138 : ULONG AsmSize; -; 139 : PVOID Asm = NcAssemble(&Block, &AsmSize); -; 140 : PVOID Exec = MakeExecutableBuffer(Asm, AsmSize); -; 141 : typedef ULONG(*FnGetFour)(); -; 142 : printf("numba is: %u size is %u\n\n", ((FnGetFour)Exec)(), AsmSize); -; 143 : PutToFile(Asm, AsmSize);*/ -; 144 : + 001d0 90 npad 1 + +; 133 : +; 134 : +; 135 : /*NATIVE_CODE_BLOCK Block; +; 136 : NcDisassemble(&Block, meme1, sizeof(meme1)); +; 137 : OBFUSCATOR Obf; +; 138 : Obf.Flags = 0; +; 139 : Obf.MinSizeForOpaqueBranch = 12; +; 140 : Obf.GlobalBlock = &Block; +; 141 : ObfObfuscate(&Obf, &Block); +; 142 : Obf.MinSizeForOpaqueBranch = 4; +; 143 : ObfObfuscate(&Obf, &Block); +; 144 : NcDebugPrint(&Block); ; 145 : -; 146 : //PNATIVE_CODE_LINK Return1776 = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1)); -; 147 : //PNATIVE_CODE_LINK RetInst = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme2, sizeof(meme2)); -; 
148 : //PNATIVE_CODE_BLOCK Pre1 = JitEmitPreRipMov(Return1776); -; 149 : //PNATIVE_CODE_BLOCK Post1 = JitEmitPostRipMov(Return1776); -; 150 : //PNATIVE_CODE_BLOCK Pre2 = JitEmitPreRipMov(RetInst); -; 151 : //PNATIVE_CODE_BLOCK Post2 = JitEmitPostRipMov(RetInst); -; 152 : -; 153 : //NcAppendToBlock(Pre1, Return1776); -; 154 : //NcInsertBlockAfter(Pre1->End, Post1, 0); -; 155 : //Pre1->End = Post1->End; -; 156 : //NcInsertBlockAfter(Pre1->End, Pre2, 0); -; 157 : //Pre1->End = Pre2->End; -; 158 : //NcAppendToBlock(Pre1, RetInst); -; 159 : //NcInsertBlockAfter(Pre1->End, Post2, 0); -; 160 : //Pre1->End = Post2->End; -; 161 : -; 162 : ///*Pre->Start = Return1776; -; 163 : //Pre->End = Return1776;*/ -; 164 : -; 165 : //for (ULONG i = 0; i < Return1776->RawDataSize; i++) -; 166 : // Return1776->RawData[i] = (UCHAR)rand(); -; 167 : //for (ULONG i = 0; i < RetInst->RawDataSize; i++) -; 168 : // RetInst->RawData[i] = (UCHAR)rand(); -; 169 : -; 170 : -; 171 : -; 172 : //ULONG AsmLen; -; 173 : //PVOID Asm = NcAssemble(Pre1, &AsmLen); -; 174 : //PUCHAR Tb = (PUCHAR)Asm; -; 175 : //for (uint32_t i = 0; i < AsmLen; i++) -; 176 : //{ -; 177 : // std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' '; -; 178 : //} -; 179 : -; 180 : //system("pause"); -; 181 : -; 182 : //typedef ULONG64(*FnGet1776)(); -; 183 : //FnGet1776 ExecBuffer = (FnGet1776)MakeExecutableBuffer(Asm, AsmLen); -; 184 : //if (ExecBuffer) -; 185 : //{ -; 186 : // printf("The numba was: %X\n", ExecBuffer()); -; 187 : // printf("The numba was: %X\n", ExecBuffer()); -; 188 : -; 189 : // printf("The numba was: %X\n", ExecBuffer()); -; 190 : -; 191 : // printf("The numba was: %X\n", ExecBuffer()); +; 146 : ULONG ByteSize = NcCalcBlockSizeInBytes(&Block); +; 147 : ULONG InstSize = NcCountInstructions(&Block); +; 148 : +; 149 : printf("Bytes: %u, Insts: %u, FlagsMeme: %u.\n", ByteSize, InstSize, Obf.Flags); +; 150 : +; 151 : ULONG AsmSize; +; 152 : PVOID Asm = NcAssemble(&Block, &AsmSize); +; 153 
: PVOID Exec = MakeExecutableBuffer(Asm, AsmSize); +; 154 : typedef ULONG(*FnGetFour)(); +; 155 : printf("numba is: %u size is %u\n\n", ((FnGetFour)Exec)(), AsmSize); +; 156 : PutToFile(Asm, AsmSize);*/ +; 157 : +; 158 : +; 159 : //PNATIVE_CODE_LINK Return1776 = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1)); +; 160 : //PNATIVE_CODE_LINK RetInst = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme2, sizeof(meme2)); +; 161 : //PNATIVE_CODE_BLOCK Pre1 = JitEmitPreRipMov(Return1776); +; 162 : //PNATIVE_CODE_BLOCK Post1 = JitEmitPostRipMov(Return1776); +; 163 : //PNATIVE_CODE_BLOCK Pre2 = JitEmitPreRipMov(RetInst); +; 164 : //PNATIVE_CODE_BLOCK Post2 = JitEmitPostRipMov(RetInst); +; 165 : +; 166 : //NcAppendToBlock(Pre1, Return1776); +; 167 : //NcInsertBlockAfter(Pre1->End, Post1, 0); +; 168 : //Pre1->End = Post1->End; +; 169 : //NcInsertBlockAfter(Pre1->End, Pre2, 0); +; 170 : //Pre1->End = Pre2->End; +; 171 : //NcAppendToBlock(Pre1, RetInst); +; 172 : //NcInsertBlockAfter(Pre1->End, Post2, 0); +; 173 : //Pre1->End = Post2->End; +; 174 : +; 175 : ///*Pre->Start = Return1776; +; 176 : //Pre->End = Return1776;*/ +; 177 : +; 178 : //for (ULONG i = 0; i < Return1776->RawDataSize; i++) +; 179 : // Return1776->RawData[i] = (UCHAR)rand(); +; 180 : //for (ULONG i = 0; i < RetInst->RawDataSize; i++) +; 181 : // RetInst->RawData[i] = (UCHAR)rand(); +; 182 : +; 183 : +; 184 : +; 185 : //ULONG AsmLen; +; 186 : //PVOID Asm = NcAssemble(Pre1, &AsmLen); +; 187 : //PUCHAR Tb = (PUCHAR)Asm; +; 188 : //for (uint32_t i = 0; i < AsmLen; i++) +; 189 : //{ +; 190 : // std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' '; +; 191 : //} ; 192 : -; 193 : //} +; 193 : //system("pause"); ; 194 : -; 195 : -; 196 : //NcDebugPrint(Post); -; 197 : -; 198 : -; 199 : -; 200 : /*NATIVE_CODE_BLOCK Block; -; 201 : NcDisassemble(&Block, TestBuffer, TestBufferSize); -; 202 : PNATIVE_CODE_LINK NewLink = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1)); +; 195 
: //typedef ULONG64(*FnGet1776)(); +; 196 : //FnGet1776 ExecBuffer = (FnGet1776)MakeExecutableBuffer(Asm, AsmLen); +; 197 : //if (ExecBuffer) +; 198 : //{ +; 199 : // printf("The numba was: %X\n", ExecBuffer()); +; 200 : // printf("The numba was: %X\n", ExecBuffer()); +; 201 : +; 202 : // printf("The numba was: %X\n", ExecBuffer()); ; 203 : -; 204 : NcInsertLinkBefore(Block.End->Prev->Prev->Prev->Prev, NewLink); -; 205 : ULONG AssembledSize; -; 206 : PVOID AssembledBlock = NcAssemble(&Block, &AssembledSize); -; 207 : if (!AssembledBlock || !AssembledSize) -; 208 : { -; 209 : printf("Something failed nicka.\n"); -; 210 : system("pause"); -; 211 : return -1; -; 212 : } -; 213 : PUCHAR Tb = (PUCHAR)AssembledBlock; -; 214 : for (uint32_t i = 0; i < AssembledSize; i++) -; 215 : { -; 216 : std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' '; -; 217 : } -; 218 : */ -; 219 : -; 220 : -; 221 : //PNATIVE_CODE_BLOCK OpaqueBranch = ObfGenOpaqueBranch(Block.Start, Block.End); -; 222 : //NcDebugPrint(OpaqueBranch); -; 223 : -; 224 : -; 225 : -; 226 : /*NATIVE_CODE_LINK T; -; 227 : T.RawDataSize = 10; -; 228 : T.RawData = new UCHAR[10]; -; 229 : memset(T.RawData, 0xAA, 10); -; 230 : JIT_BITWISE_DATA Data; -; 231 : RtlSecureZeroMemory(&Data, sizeof(JIT_BITWISE_DATA)); -; 232 : PNATIVE_CODE_BLOCK NewBlock = JitEmitPreRipMov(&T); -; 233 : if (NewBlock) -; 234 : { -; 235 : printf("\n"); -; 236 : NcDebugPrint(NewBlock); -; 237 : printf("\n"); -; 238 : NcPrintBlockCode(NewBlock); -; 239 : } -; 240 : system("pause");*/ -; 241 : -; 242 : } - - 0018f 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp] - 00193 e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ - 00198 eb 02 jmp SHORT $LN6@main - 0019a eb 02 jmp SHORT $LN5@main +; 204 : // printf("The numba was: %X\n", ExecBuffer()); +; 205 : +; 206 : //} +; 207 : +; 208 : +; 209 : //NcDebugPrint(Post); +; 210 : +; 211 : +; 212 : +; 213 : /*NATIVE_CODE_BLOCK Block; +; 214 : NcDisassemble(&Block, TestBuffer, 
TestBufferSize); +; 215 : PNATIVE_CODE_LINK NewLink = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1)); +; 216 : +; 217 : NcInsertLinkBefore(Block.End->Prev->Prev->Prev->Prev, NewLink); +; 218 : ULONG AssembledSize; +; 219 : PVOID AssembledBlock = NcAssemble(&Block, &AssembledSize); +; 220 : if (!AssembledBlock || !AssembledSize) +; 221 : { +; 222 : printf("Something failed nicka.\n"); +; 223 : system("pause"); +; 224 : return -1; +; 225 : } +; 226 : PUCHAR Tb = (PUCHAR)AssembledBlock; +; 227 : for (uint32_t i = 0; i < AssembledSize; i++) +; 228 : { +; 229 : std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' '; +; 230 : } +; 231 : */ +; 232 : +; 233 : +; 234 : //PNATIVE_CODE_BLOCK OpaqueBranch = ObfGenOpaqueBranch(Block.Start, Block.End); +; 235 : //NcDebugPrint(OpaqueBranch); +; 236 : +; 237 : +; 238 : +; 239 : /*NATIVE_CODE_LINK T; +; 240 : T.RawDataSize = 10; +; 241 : T.RawData = new UCHAR[10]; +; 242 : memset(T.RawData, 0xAA, 10); +; 243 : JIT_BITWISE_DATA Data; +; 244 : RtlSecureZeroMemory(&Data, sizeof(JIT_BITWISE_DATA)); +; 245 : PNATIVE_CODE_BLOCK NewBlock = JitEmitPreRipMov(&T); +; 246 : if (NewBlock) +; 247 : { +; 248 : printf("\n"); +; 249 : NcDebugPrint(NewBlock); +; 250 : printf("\n"); +; 251 : NcPrintBlockCode(NewBlock); +; 252 : } +; 253 : system("pause");*/ +; 254 : +; 255 : } + + 001d1 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp] + 001d5 e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ + 001da eb 02 jmp SHORT $LN6@main + 001dc eb 02 jmp SHORT $LN5@main $LN6@main: - 0019c 33 c0 xor eax, eax + 001de 33 c0 xor eax, eax $LN5@main: - 0019e 48 8b f8 mov rdi, rax - 001a1 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] - 001a5 48 8d 15 00 00 + 001e0 48 8b f8 mov rdi, rax + 001e3 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] + 001e7 48 8d 15 00 00 00 00 lea rdx, OFFSET FLAT:main$rtcFrameData - 001ac e8 00 00 00 00 call _RTC_CheckStackVars - 001b1 48 8b c7 mov rax, rdi - 001b4 48 8b 8d d0 01 + 001ee e8 00 00 00 00 call 
_RTC_CheckStackVars + 001f3 48 8b c7 mov rax, rdi + 001f6 48 8b 8d d8 01 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] - 001bb 48 33 cd xor rcx, rbp - 001be e8 00 00 00 00 call __security_check_cookie - 001c3 48 8d a5 e8 01 + 001fd 48 33 cd xor rcx, rbp + 00200 e8 00 00 00 00 call __security_check_cookie + 00205 48 8d a5 e8 01 00 00 lea rsp, QWORD PTR [rbp+488] - 001ca 5f pop rdi - 001cb 5d pop rbp - 001cc c3 ret 0 + 0020c 5f pop rdi + 0020d 5d pop rbp + 0020e c3 ret 0 main ENDP _TEXT ENDS ; COMDAT text$x @@ -9084,10 +9139,11 @@ AsmSize$ = 132 Asm$ = 168 Exec$ = 200 $T6 = 420 -tv134 = 440 -tv128 = 448 -tv132 = 456 -__$ArrayPad$ = 464 +tv143 = 440 +tv132 = 448 +tv141 = 456 +tv139 = 464 +__$ArrayPad$ = 472 main$dtor$0 PROC 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx @@ -9112,10 +9168,11 @@ AsmSize$ = 132 Asm$ = 168 Exec$ = 200 $T6 = 420 -tv134 = 440 -tv128 = 448 -tv132 = 456 -__$ArrayPad$ = 464 +tv143 = 440 +tv132 = 448 +tv141 = 456 +tv139 = 464 +__$ArrayPad$ = 472 main$dtor$0 PROC 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx diff --git a/CodeVirtualizer/x64/Debug/NativeCode.cod b/CodeVirtualizer/x64/Debug/NativeCode.cod index c96931a..8023152 100644 --- a/CodeVirtualizer/x64/Debug/NativeCode.cod +++ b/CodeVirtualizer/x64/Debug/NativeCode.cod 
@@ -273,12 +273,6 @@ PUBLIC ?__LINE__Var@?0??_Maklocwcs@std@@YAPEA_WPEB_W@Z@4JA ; `std::_Maklocwcs':: PUBLIC ??_C@_0GI@LHMPPKJI@C?3?2Program?5Files?5?$CIx86?$CJ?2Microsof@ ; `string' PUBLIC ??_C@_0DF@KKBEBOEB@Failed?5to?5validate?5jump?4?5Type?3?5@ ; `string' PUBLIC ??_C@_0CL@COPJALEP@XedDecode?5failed?5in?5NcDeepCopyL@ ; `string' -PUBLIC ??_C@_03GOEAKHKK@?61?6@ ; `string' -PUBLIC ??_C@_03GMAGBJPD@?62?6@ ; `string' -PUBLIC ??_C@_03GIILGFEB@?64?6@ ; `string' -PUBLIC ??_C@_0L@OECMLM@?$CFs?5?$CFs?5?$CFu?5?6@ ; `string' -PUBLIC ??_C@_03GJEJAPHG@?65?6@ ; `string' -PUBLIC ??_C@_03GLAPLBCP@?66?6@ ; `string' PUBLIC ??_C@_0CA@KDIENFLL@XedDecode?5failed?5with?5error?5?$CFs?6@ ; `string' PUBLIC ??_C@_0L@ILJOJNOL@Label?3?5?$CFu?6@ ; `string' PUBLIC ??_C@_07KNNCJAOA@?$CFs?3?5?$CFu?6@ ; `string' @@ -1105,7 +1099,7 @@ pdata ENDS ; COMDAT pdata pdata SEGMENT $pdata$?NcFixRelJmps@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD imagerel $LN19 - DD imagerel $LN19+1024 + DD imagerel $LN19+898 DD imagerel $unwind$?NcFixRelJmps@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z pdata ENDS ; COMDAT pdata 
@@ -1760,30 +1754,6 @@ CONST SEGMENT ??_C@_0CA@KDIENFLL@XedDecode?5failed?5with?5error?5?$CFs?6@ DB 'XedDecode' DB ' failed with error %s', 0aH, 00H ; `string' CONST ENDS -; COMDAT ??_C@_03GLAPLBCP@?66?6@ -CONST SEGMENT -??_C@_03GLAPLBCP@?66?6@ DB 0aH, '6', 0aH, 00H ; `string' -CONST ENDS -; COMDAT ??_C@_03GJEJAPHG@?65?6@ -CONST SEGMENT -??_C@_03GJEJAPHG@?65?6@ DB 0aH, '5', 0aH, 00H ; `string' -CONST ENDS -; COMDAT ??_C@_0L@OECMLM@?$CFs?5?$CFs?5?$CFu?5?6@ -CONST SEGMENT -??_C@_0L@OECMLM@?$CFs?5?$CFs?5?$CFu?5?6@ DB '%s %s %u ', 0aH, 00H ; `string' -CONST ENDS -; COMDAT ??_C@_03GIILGFEB@?64?6@ -CONST SEGMENT -??_C@_03GIILGFEB@?64?6@ DB 0aH, '4', 0aH, 00H ; `string' -CONST ENDS -; COMDAT ??_C@_03GMAGBJPD@?62?6@ -CONST SEGMENT -??_C@_03GMAGBJPD@?62?6@ DB 0aH, '2', 0aH, 00H ; `string' -CONST ENDS -; COMDAT ??_C@_03GOEAKHKK@?61?6@ -CONST SEGMENT -??_C@_03GOEAKHKK@?61?6@ DB 0aH, '1', 0aH, 00H ; `string' -CONST ENDS ; COMDAT ??_C@_0CL@COPJALEP@XedDecode?5failed?5in?5NcDeepCopyL@ CONST SEGMENT ??_C@_0CL@COPJALEP@XedDecode?5failed?5in?5NcDeepCopyL@ DB 'XedDecode fail' @@ -2829,10 +2799,10 @@ xdata ENDS xdata SEGMENT $unwind$?NcFixRelJmps@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD 035063c19H DD 010f3314H - DD 0700800ecH + DD 0700800eaH DD 050066007H DD imagerel __GSHandlerCheck - DD 0758H + DD 0748H xdata ENDS ; COMDAT CONST CONST SEGMENT @@ -9334,7 +9304,7 @@ tv142 = 368 Block$ = 416 ?NcPrintBlockCode@@YAXPEAU_NATIVE_CODE_BLOCK@@@Z PROC ; NcPrintBlockCode, COMDAT -; 601 : { +; 582 : { $LN10: 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx @@ -9353,7 +9323,7 @@ $LN10: 00 00 lea rcx, OFFSET FLAT:__84EFCFFB_NativeCode@cpp 00031 e8 00 00 00 00 call __CheckForDebuggerJustMyCode -; 602 : for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next) +; 583 : for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next) 00036 48 8b 85 a0 01 00 00 mov rax, QWORD PTR Block$[rbp] 
@@ -9376,8 +9346,8 @@ $LN4@NcPrintBlo: 0006e 0f 84 eb 00 00 00 je $LN3@NcPrintBlo -; 603 : { -; 604 : if (!(T->Flags & CODE_FLAG_IS_LABEL)) +; 584 : { +; 585 : if (!(T->Flags & CODE_FLAG_IS_LABEL)) 00074 48 8b 45 08 mov rax, QWORD PTR T$1[rbp] 00078 8b 40 18 mov eax, DWORD PTR [rax+24] @@ -9386,8 +9356,8 @@ $LN4@NcPrintBlo: 00080 0f 85 d4 00 00 00 jne $LN8@NcPrintBlo -; 605 : { -; 606 : for (uint32_t i = 0; i < T->RawDataSize; i++) +; 586 : { +; 587 : for (uint32_t i = 0; i < T->RawDataSize; i++) 00086 c7 45 24 00 00 00 00 mov DWORD PTR i$2[rbp], 0 @@ -9403,8 +9373,8 @@ $LN7@NcPrintBlo: 000a1 0f 83 b3 00 00 00 jae $LN6@NcPrintBlo -; 607 : { -; 608 : std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)T->RawData[i] << ' '; +; 588 : { +; 589 : std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)T->RawData[i] << ' '; 000a7 48 8d 15 00 00 00 00 lea rdx, OFFSET FLAT:?hex@std@@YAAEAVios_base@1@AEAV21@@Z ; std::hex @@ -9456,19 +9426,19 @@ $LN7@NcPrintBlo: 0014d 48 8b c8 mov rcx, rax 00150 e8 00 00 00 00 call ??$?6U?$char_traits@D@std@@@std@@YAAEAV?$basic_ostream@DU?$char_traits@D@std@@@0@AEAV10@D@Z ; std::operator<< > -; 609 : } +; 590 : } 00155 e9 35 ff ff ff jmp $LN5@NcPrintBlo $LN6@NcPrintBlo: $LN8@NcPrintBlo: -; 610 : } -; 611 : } +; 591 : } +; 592 : } 0015a e9 e7 fe ff ff jmp $LN2@NcPrintBlo $LN3@NcPrintBlo: -; 612 : } +; 593 : } 0015f 48 8d a5 88 01 00 00 lea rsp, QWORD PTR [rbp+392] @@ -9489,7 +9459,7 @@ tv129 = 280 Block$ = 320 ?NcDebugPrint@@YAXPEAU_NATIVE_CODE_BLOCK@@@Z PROC ; NcDebugPrint, COMDAT -; 571 : { +; 552 : { $LN11: 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 
@@ -9508,25 +9478,25 @@ $LN11: 00 00 lea rcx, OFFSET FLAT:__84EFCFFB_NativeCode@cpp 00031 e8 00 00 00 00 call __CheckForDebuggerJustMyCode -; 572 : HANDLE ConsoleHandle = GetStdHandle(STD_OUTPUT_HANDLE); +; 553 : HANDLE ConsoleHandle = GetStdHandle(STD_OUTPUT_HANDLE); 00036 b9 f5 ff ff ff mov ecx, -11 ; fffffff5H 0003b ff 15 00 00 00 00 call QWORD PTR __imp_GetStdHandle 00041 48 89 45 08 mov QWORD PTR ConsoleHandle$[rbp], rax -; 573 : if (!ConsoleHandle) +; 554 : if (!ConsoleHandle) 00045 48 83 7d 08 00 cmp QWORD PTR ConsoleHandle$[rbp], 0 0004a 75 05 jne SHORT $LN5@NcDebugPri -; 574 : return; +; 555 : return; 0004c e9 03 01 00 00 jmp $LN1@NcDebugPri $LN5@NcDebugPri: -; 575 : -; 576 : for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next) +; 556 : +; 557 : for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next) 00051 48 8b 85 40 01 00 00 mov rax, QWORD PTR Block$[rbp] @@ -9549,8 +9519,8 @@ $LN4@NcDebugPri: 00089 0f 84 c5 00 00 00 je $LN3@NcDebugPri -; 577 : { -; 578 : if (T->Flags & CODE_FLAG_IS_LABEL) +; 558 : { +; 559 : if (T->Flags & CODE_FLAG_IS_LABEL) 0008f 48 8b 45 28 mov rax, QWORD PTR T$1[rbp] 00093 8b 40 18 mov eax, DWORD PTR [rax+24] @@ -9558,15 +9528,15 @@ $LN4@NcDebugPri: 00099 85 c0 test eax, eax 0009b 74 26 je SHORT $LN6@NcDebugPri -; 579 : { -; 580 : SetConsoleTextAttribute(ConsoleHandle, FOREGROUND_GREEN | FOREGROUND_RED); +; 560 : { +; 561 : SetConsoleTextAttribute(ConsoleHandle, FOREGROUND_GREEN | FOREGROUND_RED); 0009d 66 ba 06 00 mov dx, 6 000a1 48 8b 4d 08 mov rcx, QWORD PTR ConsoleHandle$[rbp] 000a5 ff 15 00 00 00 00 call QWORD PTR __imp_SetConsoleTextAttribute -; 581 : printf("Label: %u\n", T->Label); +; 562 : printf("Label: %u\n", T->Label); 000ab 48 8b 45 28 mov rax, QWORD PTR T$1[rbp] 000af 8b 50 1c mov edx, DWORD PTR [rax+28] 
@@ -9574,14 +9544,14 @@ $LN4@NcDebugPri: 00 00 lea rcx, OFFSET FLAT:??_C@_0L@ILJOJNOL@Label?3?5?$CFu?6@ 000b9 e8 00 00 00 00 call printf -; 582 : } +; 563 : } 000be e9 8c 00 00 00 jmp $LN7@NcDebugPri $LN6@NcDebugPri: -; 583 : else -; 584 : { -; 585 : XED_ICLASS_ENUM IClass = XedDecodedInstGetIClass(&T->XedInstruction); +; 564 : else +; 565 : { +; 566 : XED_ICLASS_ENUM IClass = XedDecodedInstGetIClass(&T->XedInstruction); 000c3 48 8b 45 28 mov rax, QWORD PTR T$1[rbp] 000c7 48 83 c0 30 add rax, 48 ; 00000030H @@ -9589,7 +9559,7 @@ $LN6@NcDebugPri: 000ce e8 00 00 00 00 call xed_decoded_inst_get_iclass 000d3 89 45 44 mov DWORD PTR IClass$2[rbp], eax -; 586 : if (T->Flags & CODE_FLAG_IS_REL_JMP) +; 567 : if (T->Flags & CODE_FLAG_IS_REL_JMP) 000d6 48 8b 45 28 mov rax, QWORD PTR T$1[rbp] 000da 8b 40 18 mov eax, DWORD PTR [rax+24] @@ -9597,15 +9567,15 @@ $LN6@NcDebugPri: 000e0 85 c0 test eax, eax 000e2 74 46 je SHORT $LN8@NcDebugPri -; 587 : { -; 588 : SetConsoleTextAttribute(ConsoleHandle, FOREGROUND_GREEN | FOREGROUND_RED); +; 568 : { +; 569 : SetConsoleTextAttribute(ConsoleHandle, FOREGROUND_GREEN | FOREGROUND_RED); 000e4 66 ba 06 00 mov dx, 6 000e8 48 8b 4d 08 mov rcx, QWORD PTR ConsoleHandle$[rbp] 000ec ff 15 00 00 00 00 call QWORD PTR __imp_SetConsoleTextAttribute -; 589 : printf("%s: %u\n", XedIClassEnumToString(IClass), T->Label); +; 570 : printf("%s: %u\n", XedIClassEnumToString(IClass), T->Label); 000f2 48 8b 45 28 mov rax, QWORD PTR T$1[rbp] 000f6 8b 40 1c mov eax, DWORD PTR [rax+28] 
@@ -9623,21 +9593,21 @@ $LN6@NcDebugPri: 00 00 lea rcx, OFFSET FLAT:??_C@_07KNNCJAOA@?$CFs?3?5?$CFu?6@ 00123 e8 00 00 00 00 call printf -; 590 : } +; 571 : } 00128 eb 25 jmp SHORT $LN9@NcDebugPri $LN8@NcDebugPri: -; 591 : else -; 592 : { -; 593 : SetConsoleTextAttribute(ConsoleHandle, FOREGROUND_GREEN | FOREGROUND_BLUE); +; 572 : else +; 573 : { +; 574 : SetConsoleTextAttribute(ConsoleHandle, FOREGROUND_GREEN | FOREGROUND_BLUE); 0012a 66 ba 03 00 mov dx, 3 0012e 48 8b 4d 08 mov rcx, QWORD PTR ConsoleHandle$[rbp] 00132 ff 15 00 00 00 00 call QWORD PTR __imp_SetConsoleTextAttribute -; 594 : printf("%s\n", XedIClassEnumToString(IClass)); +; 575 : printf("%s\n", XedIClassEnumToString(IClass)); 00138 8b 4d 44 mov ecx, DWORD PTR IClass$2[rbp] 0013b e8 00 00 00 00 call xed_iclass_enum_t2str @@ -9648,15 +9618,15 @@ $LN8@NcDebugPri: $LN9@NcDebugPri: $LN7@NcDebugPri: -; 595 : } -; 596 : } -; 597 : } +; 576 : } +; 577 : } +; 578 : } 0014f e9 0d ff ff ff jmp $LN2@NcDebugPri $LN3@NcDebugPri: $LN1@NcDebugPri: -; 598 : } +; 579 : } 00154 48 8d a5 28 01 00 00 lea rsp, QWORD PTR [rbp+296] @@ -9677,7 +9647,7 @@ tv78 = 312 Block$ = 352 ?NcDeleteBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@@Z PROC ; NcDeleteBlock, COMDAT -; 556 : { +; 537 : { $LN10: 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx @@ -9696,7 +9666,7 @@ $LN10: 00 00 lea rcx, OFFSET FLAT:__84EFCFFB_NativeCode@cpp 00031 e8 00 00 00 00 call __CheckForDebuggerJustMyCode -; 557 : if (!Block->Start || !Block->End) +; 538 : if (!Block->Start || !Block->End) 00036 48 8b 85 60 01 00 00 mov rax, QWORD PTR Block$[rbp] @@ -9708,13 +9678,13 @@ $LN10: 0004f 75 05 jne SHORT $LN5@NcDeleteBl $LN6@NcDeleteBl: -; 558 : return; +; 539 : return; 00051 e9 80 00 00 00 jmp $LN1@NcDeleteBl $LN5@NcDeleteBl: -; 559 : -; 560 : PNATIVE_CODE_LINK BlockEnding = Block->End->Next; +; 540 : +; 541 : PNATIVE_CODE_LINK BlockEnding = Block->End->Next; 00056 48 8b 85 60 01 00 00 mov rax, QWORD PTR Block$[rbp] 
@@ -9722,8 +9692,8 @@ $LN5@NcDeleteBl: 00061 48 8b 00 mov rax, QWORD PTR [rax] 00064 48 89 45 08 mov QWORD PTR BlockEnding$[rbp], rax -; 561 : -; 562 : for (PNATIVE_CODE_LINK T = Block->Start; T && T != BlockEnding;) +; 542 : +; 543 : for (PNATIVE_CODE_LINK T = Block->Start; T && T != BlockEnding;) 00068 48 8b 85 60 01 00 00 mov rax, QWORD PTR Block$[rbp] @@ -9736,14 +9706,14 @@ $LN2@NcDeleteBl: 00081 48 39 45 28 cmp QWORD PTR T$1[rbp], rax 00085 74 4f je SHORT $LN3@NcDeleteBl -; 563 : { -; 564 : PNATIVE_CODE_LINK Next = T->Next; +; 544 : { +; 545 : PNATIVE_CODE_LINK Next = T->Next; 00087 48 8b 45 28 mov rax, QWORD PTR T$1[rbp] 0008b 48 8b 00 mov rax, QWORD PTR [rax] 0008e 48 89 45 48 mov QWORD PTR Next$2[rbp], rax -; 565 : delete T; +; 546 : delete T; 00092 48 8b 45 28 mov rax, QWORD PTR T$1[rbp] 00096 48 89 85 28 01 @@ -9764,18 +9734,18 @@ $LN8@NcDeleteBl: 00 mov QWORD PTR tv78[rbp], 0 $LN9@NcDeleteBl: -; 566 : T = Next; +; 547 : T = Next; 000cc 48 8b 45 48 mov rax, QWORD PTR Next$2[rbp] 000d0 48 89 45 28 mov QWORD PTR T$1[rbp], rax -; 567 : } +; 548 : } 000d4 eb a0 jmp SHORT $LN2@NcDeleteBl $LN3@NcDeleteBl: $LN1@NcDeleteBl: -; 568 : } +; 549 : } 000d6 48 8d a5 48 01 00 00 lea rsp, QWORD PTR [rbp+328] @@ -9795,7 +9765,7 @@ Block$ = 320 OutSize$ = 328 ?NcAssemble@@YAPEAXPEAU_NATIVE_CODE_BLOCK@@PEAK@Z PROC ; NcAssemble, COMDAT -; 531 : { +; 512 : { $LN9: 00000 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx @@ -9815,7 +9785,7 @@ $LN9: 00 00 lea rcx, OFFSET FLAT:__84EFCFFB_NativeCode@cpp 00036 e8 00 00 00 00 call __CheckForDebuggerJustMyCode -; 532 : if (!NcFixRelJmps(Block)) +; 513 : if (!NcFixRelJmps(Block)) 0003b 48 8b 8d 40 01 00 00 mov rcx, QWORD PTR Block$[rbp] 
@@ -9823,14 +9793,14 @@ $LN9: 00047 85 c0 test eax, eax 00049 75 07 jne SHORT $LN5@NcAssemble -; 533 : return NULL; +; 514 : return NULL; 0004b 33 c0 xor eax, eax 0004d e9 bc 00 00 00 jmp $LN1@NcAssemble $LN5@NcAssemble: -; 534 : -; 535 : *OutSize = NcCalcBlockSizeInBytes(Block); +; 515 : +; 516 : *OutSize = NcCalcBlockSizeInBytes(Block); 00052 48 8b 8d 40 01 00 00 mov rcx, QWORD PTR Block$[rbp] @@ -9839,8 +9809,8 @@ $LN5@NcAssemble: 00 00 mov rcx, QWORD PTR OutSize$[rbp] 00065 89 01 mov DWORD PTR [rcx], eax -; 536 : -; 537 : PUCHAR Buffer = (PUCHAR)malloc(*OutSize); +; 517 : +; 518 : PUCHAR Buffer = (PUCHAR)malloc(*OutSize); 00067 48 8b 85 48 01 00 00 mov rax, QWORD PTR OutSize$[rbp] @@ -9850,25 +9820,25 @@ $LN5@NcAssemble: 00 call QWORD PTR __imp_malloc 00078 48 89 45 08 mov QWORD PTR Buffer$[rbp], rax -; 538 : if (!Buffer) +; 519 : if (!Buffer) 0007c 48 83 7d 08 00 cmp QWORD PTR Buffer$[rbp], 0 00081 75 07 jne SHORT $LN6@NcAssemble -; 539 : return NULL; +; 520 : return NULL; 00083 33 c0 xor eax, eax 00085 e9 84 00 00 00 jmp $LN1@NcAssemble $LN6@NcAssemble: -; 540 : -; 541 : PUCHAR BufferOffset = Buffer; +; 521 : +; 522 : PUCHAR BufferOffset = Buffer; 0008a 48 8b 45 08 mov rax, QWORD PTR Buffer$[rbp] 0008e 48 89 45 28 mov QWORD PTR BufferOffset$[rbp], rax -; 542 : -; 543 : for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next) +; 523 : +; 524 : for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next) 00092 48 8b 85 40 01 00 00 mov rax, QWORD PTR Block$[rbp] @@ -9889,8 +9859,8 @@ $LN4@NcAssemble: 000c2 48 39 45 48 cmp QWORD PTR T$1[rbp], rax 000c6 74 42 je SHORT $LN3@NcAssemble -; 544 : { -; 545 : if (T->Flags & CODE_FLAG_IS_LABEL) +; 525 : { +; 526 : if (T->Flags & CODE_FLAG_IS_LABEL) 000c8 48 8b 45 48 mov rax, QWORD PTR T$1[rbp] 000cc 8b 40 18 mov eax, DWORD PTR [rax+24] 
@@ -9898,13 +9868,13 @@ $LN4@NcAssemble: 000d2 85 c0 test eax, eax 000d4 74 02 je SHORT $LN7@NcAssemble -; 546 : continue; +; 527 : continue; 000d6 eb ca jmp SHORT $LN2@NcAssemble $LN7@NcAssemble: -; 547 : -; 548 : RtlCopyMemory(BufferOffset, T->RawData, T->RawDataSize); +; 528 : +; 529 : RtlCopyMemory(BufferOffset, T->RawData, T->RawDataSize); 000d8 48 8b 45 48 mov rax, QWORD PTR T$1[rbp] 000dc 8b 40 28 mov eax, DWORD PTR [rax+40] @@ -9914,7 +9884,7 @@ $LN7@NcAssemble: 000ea 48 8b 4d 28 mov rcx, QWORD PTR BufferOffset$[rbp] 000ee e8 00 00 00 00 call memcpy -; 549 : BufferOffset += T->RawDataSize; +; 530 : BufferOffset += T->RawDataSize; 000f3 48 8b 45 48 mov rax, QWORD PTR T$1[rbp] 000f7 8b 40 28 mov eax, DWORD PTR [rax+40] @@ -9923,18 +9893,18 @@ $LN7@NcAssemble: 00101 48 8b c1 mov rax, rcx 00104 48 89 45 28 mov QWORD PTR BufferOffset$[rbp], rax -; 550 : } +; 531 : } 00108 eb 98 jmp SHORT $LN2@NcAssemble $LN3@NcAssemble: -; 551 : -; 552 : return Buffer; +; 532 : +; 533 : return Buffer; 0010a 48 8b 45 08 mov rax, QWORD PTR Buffer$[rbp] $LN1@NcAssemble: -; 553 : } +; 534 : } 0010e 48 8d a5 28 01 00 00 lea rsp, QWORD PTR [rbp+296] @@ -9964,7 +9934,7 @@ Buffer$ = 520 BufferSize$ = 528 ?NcDisassemble@@YAHPEAU_NATIVE_CODE_BLOCK@@PEAXK@Z PROC ; NcDisassemble, COMDAT -; 499 : { +; 480 : { $LN13: 00000 44 89 44 24 18 mov DWORD PTR [rsp+24], r8d @@ -9985,20 +9955,20 @@ $LN13: 00 00 lea rcx, OFFSET FLAT:__84EFCFFB_NativeCode@cpp 0003b e8 00 00 00 00 call __CheckForDebuggerJustMyCode -; 500 : PUCHAR Buf = (PUCHAR)Buffer; +; 481 : PUCHAR Buf = (PUCHAR)Buffer; 00040 48 8b 85 08 02 00 00 mov rax, QWORD PTR Buffer$[rbp] 00047 48 89 45 08 mov QWORD PTR Buf$[rbp], rax -; 501 : ULONG Offset = 0; +; 482 : ULONG Offset = 0; 0004b c7 45 24 00 00 00 00 mov DWORD PTR Offset$[rbp], 0 $LN2@NcDisassem: -; 502 : -; 503 : while (Offset < BufferSize) +; 483 : +; 484 : while (Offset < BufferSize) 00052 8b 85 10 02 00 00 mov eax, DWORD PTR BufferSize$[rbp] 
@@ -10006,8 +9976,8 @@ $LN2@NcDisassem: 0005b 0f 83 b8 01 00 00 jae $LN3@NcDisassem -; 504 : { -; 505 : PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK; +; 485 : { +; 486 : PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK; 00061 b9 f0 00 00 00 mov ecx, 240 ; 000000f0H 00066 e8 00 00 00 00 call ??2@YAPEAX_K@Z ; operator new @@ -10035,13 +10005,13 @@ $LN7@NcDisassem: 00 00 mov rax, QWORD PTR $T4[rbp] 000b1 48 89 45 48 mov QWORD PTR Link$1[rbp], rax -; 506 : Link->Flags = CODE_FLAG_IS_INST; +; 487 : Link->Flags = CODE_FLAG_IS_INST; 000b5 48 8b 45 48 mov rax, QWORD PTR Link$1[rbp] 000b9 c7 40 18 04 00 00 00 mov DWORD PTR [rax+24], 4 -; 507 : ULONG PossibleSize = min(15, BufferSize - Offset); +; 488 : ULONG PossibleSize = min(15, BufferSize - Offset); 000c0 8b 45 24 mov eax, DWORD PTR Offset$[rbp] 000c3 8b 8d 10 02 00 @@ -10066,7 +10036,7 @@ $LN9@NcDisassem: 00 mov eax, DWORD PTR tv80[rbp] 000f7 89 45 64 mov DWORD PTR PossibleSize$2[rbp], eax -; 508 : XED_ERROR_ENUM DecodeError = XedDecode(&Link->XedInstruction, (Buf + Offset), PossibleSize); +; 489 : XED_ERROR_ENUM DecodeError = XedDecode(&Link->XedInstruction, (Buf + Offset), PossibleSize); 000fa 8b 45 24 mov eax, DWORD PTR Offset$[rbp] 000fd 48 8b 4d 08 mov rcx, QWORD PTR Buf$[rbp] @@ -10080,14 +10050,14 @@ $LN9@NcDisassem: 0011b 89 85 84 00 00 00 mov DWORD PTR DecodeError$3[rbp], eax -; 509 : if (DecodeError != XED_ERROR_NONE) +; 490 : if (DecodeError != XED_ERROR_NONE) 00121 83 bd 84 00 00 00 00 cmp DWORD PTR DecodeError$3[rbp], 0 00128 74 67 je SHORT $LN4@NcDisassem -; 510 : { -; 511 : printf("XedDecode failed with error %s\n", XedErrorEnumToString(DecodeError)); +; 491 : { +; 492 : printf("XedDecode failed with error %s\n", XedErrorEnumToString(DecodeError)); 0012a 8b 8d 84 00 00 00 mov ecx, DWORD PTR DecodeError$3[rbp] 
@@ -10097,13 +10067,13 @@ $LN9@NcDisassem: 00 00 lea rcx, OFFSET FLAT:??_C@_0CA@KDIENFLL@XedDecode?5failed?5with?5error?5?$CFs?6@ 0013f e8 00 00 00 00 call printf -; 512 : NcDeleteBlock(Block); +; 493 : NcDeleteBlock(Block); 00144 48 8b 8d 00 02 00 00 mov rcx, QWORD PTR Block$[rbp] 0014b e8 00 00 00 00 call ?NcDeleteBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@@Z ; NcDeleteBlock -; 513 : delete Link; +; 494 : delete Link; 00150 48 8b 45 48 mov rax, QWORD PTR Link$1[rbp] 00154 48 89 85 a8 01 @@ -10124,14 +10094,14 @@ $LN10@NcDisassem: 00 mov QWORD PTR tv130[rbp], 0 $LN11@NcDisassem: -; 514 : return FALSE; +; 495 : return FALSE; 0018a 33 c0 xor eax, eax 0018c e9 99 00 00 00 jmp $LN1@NcDisassem $LN4@NcDisassem: -; 515 : } -; 516 : Link->RawDataSize = XedDecodedInstGetLength(&Link->XedInstruction); +; 496 : } +; 497 : Link->RawDataSize = XedDecodedInstGetLength(&Link->XedInstruction); 00191 48 8b 45 48 mov rax, QWORD PTR Link$1[rbp] 00195 48 83 c0 30 add rax, 48 ; 00000030H @@ -10140,7 +10110,7 @@ $LN4@NcDisassem: 001a1 48 8b 4d 48 mov rcx, QWORD PTR Link$1[rbp] 001a5 89 41 28 mov DWORD PTR [rcx+40], eax -; 517 : Link->RawData = new UCHAR[Link->RawDataSize]; +; 498 : Link->RawData = new UCHAR[Link->RawDataSize]; 001a8 48 8b 45 48 mov rax, QWORD PTR Link$1[rbp] 001ac 8b 40 28 mov eax, DWORD PTR [rax+40] @@ -10153,7 +10123,7 @@ $LN4@NcDisassem: 00 00 mov rcx, QWORD PTR $T7[rbp] 001c8 48 89 48 20 mov QWORD PTR [rax+32], rcx -; 518 : RtlCopyMemory(Link->RawData, (Buf + Offset), Link->RawDataSize); +; 499 : RtlCopyMemory(Link->RawData, (Buf + Offset), Link->RawDataSize); 001cc 48 8b 45 48 mov rax, QWORD PTR Link$1[rbp] 001d0 8b 40 28 mov eax, DWORD PTR [rax+40] 
@@ -10167,16 +10137,16 @@ $LN4@NcDisassem: 001ea 48 8b 48 20 mov rcx, QWORD PTR [rax+32] 001ee e8 00 00 00 00 call memcpy -; 519 : -; 520 : NcAppendToBlock(Block, Link); +; 500 : +; 501 : NcAppendToBlock(Block, Link); 001f3 48 8b 55 48 mov rdx, QWORD PTR Link$1[rbp] 001f7 48 8b 8d 00 02 00 00 mov rcx, QWORD PTR Block$[rbp] 001fe e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock -; 521 : -; 522 : Offset += Link->RawDataSize; +; 502 : +; 503 : Offset += Link->RawDataSize; 00203 48 8b 45 48 mov rax, QWORD PTR Link$1[rbp] 00207 8b 40 28 mov eax, DWORD PTR [rax+40] @@ -10185,25 +10155,25 @@ $LN4@NcDisassem: 0020f 8b c1 mov eax, ecx 00211 89 45 24 mov DWORD PTR Offset$[rbp], eax -; 523 : } +; 504 : } 00214 e9 39 fe ff ff jmp $LN2@NcDisassem $LN3@NcDisassem: -; 524 : -; 525 : NcCreateLabels(Block); +; 505 : +; 506 : NcCreateLabels(Block); 00219 48 8b 8d 00 02 00 00 mov rcx, QWORD PTR Block$[rbp] 00220 e8 00 00 00 00 call ?NcCreateLabels@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z ; NcCreateLabels -; 526 : -; 527 : return TRUE; +; 507 : +; 508 : return TRUE; 00225 b8 01 00 00 00 mov eax, 1 $LN1@NcDisassem: -; 528 : } +; 509 : } 0022a 48 8d a5 e8 01 00 00 lea rsp, QWORD PTR [rbp+488] @@ -10300,11 +10270,9 @@ $T20 = 1608 $T21 = 1688 $T22 = 1720 $T23 = 1760 -tv191 = 1812 -tv159 = 1816 -tv157 = 1824 -__$ArrayPad$ = 1832 -Block$ = 1872 +tv174 = 1812 +__$ArrayPad$ = 1816 +Block$ = 1856 ?NcFixRelJmps@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z PROC ; NcFixRelJmps, COMDAT ; 397 : { 
@@ -10314,19 +10282,19 @@ $LN19: 00005 55 push rbp 00006 56 push rsi 00007 57 push rdi - 00008 48 81 ec 60 07 - 00 00 sub rsp, 1888 ; 00000760H + 00008 48 81 ec 50 07 + 00 00 sub rsp, 1872 ; 00000750H 0000f 48 8d 6c 24 30 lea rbp, QWORD PTR [rsp+48] 00014 48 8b fc mov rdi, rsp - 00017 b9 d8 01 00 00 mov ecx, 472 ; 000001d8H + 00017 b9 d4 01 00 00 mov ecx, 468 ; 000001d4H 0001c b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 00021 f3 ab rep stosd - 00023 48 8b 8c 24 88 - 07 00 00 mov rcx, QWORD PTR [rsp+1928] + 00023 48 8b 8c 24 78 + 07 00 00 mov rcx, QWORD PTR [rsp+1912] 0002b 48 8b 05 00 00 00 00 mov rax, QWORD PTR __security_cookie 00032 48 33 c5 xor rax, rbp - 00035 48 89 85 28 07 + 00035 48 89 85 18 07 00 00 mov QWORD PTR __$ArrayPad$[rbp], rax 0003c 48 8d 0d 00 00 00 00 lea rcx, OFFSET FLAT:__84EFCFFB_NativeCode@cpp @@ -10334,20 +10302,20 @@ $LN19: ; 398 : for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;) - 00048 48 8b 85 50 07 + 00048 48 8b 85 40 07 00 00 mov rax, QWORD PTR Block$[rbp] 0004f 48 8b 00 mov rax, QWORD PTR [rax] 00052 48 89 45 08 mov QWORD PTR T$9[rbp], rax $LN2@NcFixRelJm: 00056 48 83 7d 08 00 cmp QWORD PTR T$9[rbp], 0 - 0005b 0f 84 6a 03 00 + 0005b 0f 84 ec 02 00 00 je $LN3@NcFixRelJm - 00061 48 8b 85 50 07 + 00061 48 8b 85 40 07 00 00 mov rax, QWORD PTR Block$[rbp] 00068 48 8b 40 08 mov rax, QWORD PTR [rax+8] 0006c 48 8b 00 mov rax, QWORD PTR [rax] 0006f 48 39 45 08 cmp QWORD PTR T$9[rbp], rax - 00073 0f 84 52 03 00 + 00073 0f 84 d4 02 00 00 je $LN3@NcFixRelJm ; 399 : { @@ -10357,7 +10325,7 @@ $LN2@NcFixRelJm: 0007d 8b 40 18 mov eax, DWORD PTR [rax+24] 00080 83 e0 02 and eax, 2 00083 85 c0 test eax, eax - 00085 0f 84 30 03 00 + 00085 0f 84 b2 02 00 00 je $LN7@NcFixRelJm ; 401 : { 
@@ -10372,441 +10340,377 @@ $LN2@NcFixRelJm: 00096 48 8b 4d 08 mov rcx, QWORD PTR T$9[rbp] 0009a e8 00 00 00 00 call ?NcGetDeltaToLabel@@YAHPEAU_NATIVE_CODE_LINK@@PEAH@Z ; NcGetDeltaToLabel 0009f 85 c0 test eax, eax - 000a1 75 13 jne SHORT $LN8@NcFixRelJm - -; 404 : { -; 405 : printf("\n1\n"); + 000a1 75 07 jne SHORT $LN8@NcFixRelJm - 000a3 48 8d 0d 00 00 - 00 00 lea rcx, OFFSET FLAT:??_C@_03GOEAKHKK@?61?6@ - 000aa e8 00 00 00 00 call printf +; 404 : return FALSE; -; 406 : return NULL; - - 000af 33 c0 xor eax, eax - 000b1 e9 1a 03 00 00 jmp $LN1@NcFixRelJm + 000a3 33 c0 xor eax, eax + 000a5 e9 a8 02 00 00 jmp $LN1@NcFixRelJm $LN8@NcFixRelJm: -; 407 : } -; 408 : -; 409 : ULONG DispWidth = XedDecodedInstGetBranchDisplacementWidthBits(&T->XedInstruction); +; 405 : +; 406 : ULONG DispWidth = XedDecodedInstGetBranchDisplacementWidthBits(&T->XedInstruction); - 000b6 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] - 000ba 48 83 c0 30 add rax, 48 ; 00000030H - 000be 48 8b c8 mov rcx, rax - 000c1 e8 00 00 00 00 call xed_decoded_inst_get_branch_displacement_width_bits - 000c6 89 45 44 mov DWORD PTR DispWidth$11[rbp], eax + 000aa 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] + 000ae 48 83 c0 30 add rax, 48 ; 00000030H + 000b2 48 8b c8 mov rcx, rax + 000b5 e8 00 00 00 00 call xed_decoded_inst_get_branch_displacement_width_bits + 000ba 89 45 44 mov DWORD PTR DispWidth$11[rbp], eax -; 410 : if (log2(abs(BranchDisp)) + 1 > DispWidth) +; 407 : if (log2(abs(BranchDisp)) + 1 > DispWidth) - 000c9 8b 4d 24 mov ecx, DWORD PTR BranchDisp$10[rbp] - 000cc e8 00 00 00 00 call abs - 000d1 8b c8 mov ecx, eax - 000d3 e8 00 00 00 00 call ??$log2@H$0A@@@YANH@Z ; log2 - 000d8 f2 0f 58 05 00 + 000bd 8b 4d 24 mov ecx, DWORD PTR BranchDisp$10[rbp] + 000c0 e8 00 00 00 00 call abs + 000c5 8b c8 mov ecx, eax + 000c7 e8 00 00 00 00 call ??$log2@H$0A@@@YANH@Z ; log2 + 000cc f2 0f 58 05 00 00 00 00 addsd xmm0, QWORD PTR __real@3ff0000000000000 - 000e0 8b 45 44 mov eax, DWORD PTR DispWidth$11[rbp] - 000e3 f2 48 0f 2a 
c8 cvtsi2sd xmm1, rax - 000e8 66 0f 2f c1 comisd xmm0, xmm1 - 000ec 0f 86 35 02 00 + 000d4 8b 45 44 mov eax, DWORD PTR DispWidth$11[rbp] + 000d7 f2 48 0f 2a c8 cvtsi2sd xmm1, rax + 000dc 66 0f 2f c1 comisd xmm0, xmm1 + 000e0 0f 86 c3 01 00 00 jbe $LN9@NcFixRelJm -; 411 : { -; 412 : //duh oh -; 413 : if (DispWidth == 32) - - 000f2 83 7d 44 20 cmp DWORD PTR DispWidth$11[rbp], 32 ; 00000020H - 000f6 75 13 jne SHORT $LN11@NcFixRelJm - -; 414 : { -; 415 : printf("\n2\n"); +; 408 : { +; 409 : //duh oh +; 410 : if (DispWidth == 32) - 000f8 48 8d 0d 00 00 - 00 00 lea rcx, OFFSET FLAT:??_C@_03GMAGBJPD@?62?6@ - 000ff e8 00 00 00 00 call printf + 000e6 83 7d 44 20 cmp DWORD PTR DispWidth$11[rbp], 32 ; 00000020H + 000ea 75 07 jne SHORT $LN11@NcFixRelJm -; 416 : return NULL; +; 411 : return FALSE; - 00104 33 c0 xor eax, eax - 00106 e9 c5 02 00 00 jmp $LN1@NcFixRelJm + 000ec 33 c0 xor eax, eax + 000ee e9 5f 02 00 00 jmp $LN1@NcFixRelJm $LN11@NcFixRelJm: -; 417 : } -; 418 : -; 419 : ////Grow displacement width to required size -; 420 : //DispWidth *= 2; +; 412 : +; 413 : ////Grow displacement width to required size +; 414 : //DispWidth *= 2; +; 415 : +; 416 : ////Check again +; 417 : //if (log2(abs(BranchDisp)) + 1 > DispWidth) +; 418 : //{ +; 419 : // if (DispWidth == 32) +; 420 : // return FALSE; ; 421 : -; 422 : ////Check again -; 423 : //if (log2(abs(BranchDisp)) + 1 > DispWidth) -; 424 : //{ -; 425 : // if (DispWidth == 32) -; 426 : // { -; 427 : // printf("\n3\n"); -; 428 : // return NULL; -; 429 : // } -; 430 : -; 431 : // //Grow once more if not already at 32 -; 432 : // DispWidth *= 2; -; 433 : //} -; 434 : -; 435 : DispWidth = 32; - - 0010b c7 45 44 20 00 +; 422 : // //Grow once more if not already at 32 +; 423 : // DispWidth *= 2; +; 424 : //} +; 425 : +; 426 : DispWidth = 32; + + 000f3 c7 45 44 20 00 00 00 mov DWORD PTR DispWidth$11[rbp], 32 ; 00000020H -; 436 : -; 437 : //Encode new instruction -; 438 : XED_STATE MachineState; -; 439 : MachineState.mmode = 
XED_MACHINE_MODE_LONG_64; +; 427 : +; 428 : //Encode new instruction +; 429 : XED_STATE MachineState; +; 430 : MachineState.mmode = XED_MACHINE_MODE_LONG_64; - 00112 c7 45 68 01 00 + 000fa c7 45 68 01 00 00 00 mov DWORD PTR MachineState$12[rbp], 1 -; 440 : MachineState.stack_addr_width = XED_ADDRESS_WIDTH_64b; +; 431 : MachineState.stack_addr_width = XED_ADDRESS_WIDTH_64b; - 00119 c7 45 6c 08 00 + 00101 c7 45 6c 08 00 00 00 mov DWORD PTR MachineState$12[rbp+4], 8 -; 441 : XED_ENCODER_INSTRUCTION EncoderInstruction; -; 442 : XED_ENCODER_REQUEST EncoderRequest; -; 443 : UCHAR EncodeBuffer[15]; -; 444 : UINT ReturnedSize; -; 445 : XED_ICLASS_ENUM IClass = XedDecodedInstGetIClass(&T->XedInstruction); - - 00120 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] - 00124 48 83 c0 30 add rax, 48 ; 00000030H - 00128 48 8b c8 mov rcx, rax - 0012b e8 00 00 00 00 call xed_decoded_inst_get_iclass - 00130 89 85 74 03 00 +; 432 : XED_ENCODER_INSTRUCTION EncoderInstruction; +; 433 : XED_ENCODER_REQUEST EncoderRequest; +; 434 : UCHAR EncodeBuffer[15]; +; 435 : UINT ReturnedSize; +; 436 : XED_ICLASS_ENUM IClass = XedDecodedInstGetIClass(&T->XedInstruction); + + 00108 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] + 0010c 48 83 c0 30 add rax, 48 ; 00000030H + 00110 48 8b c8 mov rcx, rax + 00113 e8 00 00 00 00 call xed_decoded_inst_get_iclass + 00118 89 85 74 03 00 00 mov DWORD PTR IClass$17[rbp], eax -; 446 : -; 447 : //Do the encoding -; 448 : XedInst1(&EncoderInstruction, MachineState, IClass, DispWidth, XedRelBr(0, DispWidth)); +; 437 : +; 438 : //Do the encoding +; 439 : XedInst1(&EncoderInstruction, MachineState, IClass, DispWidth, XedRelBr(0, DispWidth)); - 00136 44 8b 45 44 mov r8d, DWORD PTR DispWidth$11[rbp] - 0013a 33 d2 xor edx, edx - 0013c 48 8d 8d 48 06 + 0011e 44 8b 45 44 mov r8d, DWORD PTR DispWidth$11[rbp] + 00122 33 d2 xor edx, edx + 00124 48 8d 8d 48 06 00 00 lea rcx, QWORD PTR $T20[rbp] - 00143 e8 00 00 00 00 call xed_relbr - 00148 48 8d 8d f8 05 + 0012b e8 00 00 00 00 call 
xed_relbr + 00130 48 8d 8d f8 05 00 00 lea rcx, QWORD PTR $T19[rbp] - 0014f 48 8b f9 mov rdi, rcx - 00152 48 8b f0 mov rsi, rax - 00155 b9 30 00 00 00 mov ecx, 48 ; 00000030H - 0015a f3 a4 rep movsb - 0015c 48 8d 85 e0 06 + 00137 48 8b f9 mov rdi, rcx + 0013a 48 8b f0 mov rsi, rax + 0013d b9 30 00 00 00 mov ecx, 48 ; 00000030H + 00142 f3 a4 rep movsb + 00144 48 8d 85 e0 06 00 00 lea rax, QWORD PTR $T23[rbp] - 00163 48 8d 8d f8 05 + 0014b 48 8d 8d f8 05 00 00 lea rcx, QWORD PTR $T19[rbp] - 0016a 48 8b f8 mov rdi, rax - 0016d 48 8b f1 mov rsi, rcx - 00170 b9 30 00 00 00 mov ecx, 48 ; 00000030H - 00175 f3 a4 rep movsb - 00177 48 8d 85 e0 06 + 00152 48 8b f8 mov rdi, rax + 00155 48 8b f1 mov rsi, rcx + 00158 b9 30 00 00 00 mov ecx, 48 ; 00000030H + 0015d f3 a4 rep movsb + 0015f 48 8d 85 e0 06 00 00 lea rax, QWORD PTR $T23[rbp] - 0017e 48 89 44 24 20 mov QWORD PTR [rsp+32], rax - 00183 44 8b 4d 44 mov r9d, DWORD PTR DispWidth$11[rbp] - 00187 44 8b 85 74 03 + 00166 48 89 44 24 20 mov QWORD PTR [rsp+32], rax + 0016b 44 8b 4d 44 mov r9d, DWORD PTR DispWidth$11[rbp] + 0016f 44 8b 85 74 03 00 00 mov r8d, DWORD PTR IClass$17[rbp] - 0018e 48 8b 55 68 mov rdx, QWORD PTR MachineState$12[rbp] - 00192 48 8d 8d 90 00 + 00176 48 8b 55 68 mov rdx, QWORD PTR MachineState$12[rbp] + 0017a 48 8d 8d 90 00 00 00 lea rcx, QWORD PTR EncoderInstruction$13[rbp] - 00199 e8 00 00 00 00 call xed_inst1 + 00181 e8 00 00 00 00 call xed_inst1 -; 449 : XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState); +; 440 : XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState); - 0019e 48 8d 55 68 lea rdx, QWORD PTR MachineState$12[rbp] - 001a2 48 8d 8d 50 02 + 00186 48 8d 55 68 lea rdx, QWORD PTR MachineState$12[rbp] + 0018a 48 8d 8d 50 02 00 00 lea rcx, QWORD PTR EncoderRequest$14[rbp] - 001a9 e8 00 00 00 00 call xed_encoder_request_zero_set_mode + 00191 e8 00 00 00 00 call xed_encoder_request_zero_set_mode -; 450 : if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction)) +; 441 : 
if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction)) - 001ae 48 8d 95 90 00 + 00196 48 8d 95 90 00 00 00 lea rdx, QWORD PTR EncoderInstruction$13[rbp] - 001b5 48 8d 8d 50 02 + 0019d 48 8d 8d 50 02 00 00 lea rcx, QWORD PTR EncoderRequest$14[rbp] - 001bc e8 00 00 00 00 call xed_convert_to_encoder_request - 001c1 85 c0 test eax, eax - 001c3 75 13 jne SHORT $LN12@NcFixRelJm + 001a4 e8 00 00 00 00 call xed_convert_to_encoder_request + 001a9 85 c0 test eax, eax + 001ab 75 07 jne SHORT $LN12@NcFixRelJm -; 451 : { -; 452 : printf("\n4\n"); +; 442 : return FALSE; - 001c5 48 8d 0d 00 00 - 00 00 lea rcx, OFFSET FLAT:??_C@_03GIILGFEB@?64?6@ - 001cc e8 00 00 00 00 call printf - -; 453 : return NULL; - - 001d1 33 c0 xor eax, eax - 001d3 e9 f8 01 00 00 jmp $LN1@NcFixRelJm + 001ad 33 c0 xor eax, eax + 001af e9 9e 01 00 00 jmp $LN1@NcFixRelJm $LN12@NcFixRelJm: -; 454 : } -; 455 : XED_ERROR_ENUM Err = XedEncode(&EncoderRequest, EncodeBuffer, 15, &ReturnedSize); +; 443 : XED_ERROR_ENUM Err = XedEncode(&EncoderRequest, EncodeBuffer, 15, &ReturnedSize); - 001d8 4c 8d 8d 54 03 + 001b4 4c 8d 8d 54 03 00 00 lea r9, QWORD PTR ReturnedSize$16[rbp] - 001df 41 b8 0f 00 00 + 001bb 41 b8 0f 00 00 00 mov r8d, 15 - 001e5 48 8d 95 28 03 + 001c1 48 8d 95 28 03 00 00 lea rdx, QWORD PTR EncodeBuffer$15[rbp] - 001ec 48 8d 8d 50 02 + 001c8 48 8d 8d 50 02 00 00 lea rcx, QWORD PTR EncoderRequest$14[rbp] - 001f3 e8 00 00 00 00 call xed_encode - 001f8 89 85 94 03 00 + 001cf e8 00 00 00 00 call xed_encode + 001d4 89 85 94 03 00 00 mov DWORD PTR Err$18[rbp], eax -; 456 : if (XED_ERROR_NONE != Err) +; 444 : if (XED_ERROR_NONE != Err) - 001fe 83 bd 94 03 00 + 001da 83 bd 94 03 00 00 00 cmp DWORD PTR Err$18[rbp], 0 - 00205 74 55 je SHORT $LN13@NcFixRelJm - -; 457 : { -; 458 : printf("%s %s %u \n", XedErrorEnumToString(Err), XedIClassEnumToString(IClass), DispWidth); + 001e1 74 07 je SHORT $LN13@NcFixRelJm - 00207 8b 8d 74 03 00 - 00 mov ecx, DWORD PTR IClass$17[rbp] - 0020d e8 00 00 00 00 call 
xed_iclass_enum_t2str - 00212 48 89 85 18 07 - 00 00 mov QWORD PTR tv159[rbp], rax - 00219 8b 8d 94 03 00 - 00 mov ecx, DWORD PTR Err$18[rbp] - 0021f e8 00 00 00 00 call xed_error_enum_t2str - 00224 48 89 85 20 07 - 00 00 mov QWORD PTR tv157[rbp], rax - 0022b 44 8b 4d 44 mov r9d, DWORD PTR DispWidth$11[rbp] - 0022f 4c 8b 85 18 07 - 00 00 mov r8, QWORD PTR tv159[rbp] - 00236 48 8b 95 20 07 - 00 00 mov rdx, QWORD PTR tv157[rbp] - 0023d 48 8d 0d 00 00 - 00 00 lea rcx, OFFSET FLAT:??_C@_0L@OECMLM@?$CFs?5?$CFs?5?$CFu?5?6@ - 00244 e8 00 00 00 00 call printf +; 445 : return FALSE; -; 459 : printf("\n5\n"); - - 00249 48 8d 0d 00 00 - 00 00 lea rcx, OFFSET FLAT:??_C@_03GJEJAPHG@?65?6@ - 00250 e8 00 00 00 00 call printf - -; 460 : return NULL; - - 00255 33 c0 xor eax, eax - 00257 e9 74 01 00 00 jmp $LN1@NcFixRelJm + 001e3 33 c0 xor eax, eax + 001e5 e9 68 01 00 00 jmp $LN1@NcFixRelJm $LN13@NcFixRelJm: -; 461 : } -; 462 : -; 463 : //fixup T->RawData -; 464 : delete[] T->RawData; +; 446 : +; 447 : //fixup T->RawData +; 448 : delete[] T->RawData; - 0025c 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] - 00260 48 8b 40 20 mov rax, QWORD PTR [rax+32] - 00264 48 89 85 98 06 + 001ea 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] + 001ee 48 8b 40 20 mov rax, QWORD PTR [rax+32] + 001f2 48 89 85 98 06 00 00 mov QWORD PTR $T21[rbp], rax - 0026b 48 8b 8d 98 06 + 001f9 48 8b 8d 98 06 00 00 mov rcx, QWORD PTR $T21[rbp] - 00272 e8 00 00 00 00 call ??_V@YAXPEAX@Z ; operator delete[] + 00200 e8 00 00 00 00 call ??_V@YAXPEAX@Z ; operator delete[] -; 465 : T->RawDataSize = ReturnedSize; +; 449 : T->RawDataSize = ReturnedSize; - 00277 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] - 0027b 8b 8d 54 03 00 + 00205 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] + 00209 8b 8d 54 03 00 00 mov ecx, DWORD PTR ReturnedSize$16[rbp] - 00281 89 48 28 mov DWORD PTR [rax+40], ecx + 0020f 89 48 28 mov DWORD PTR [rax+40], ecx -; 466 : T->RawData = new UCHAR[ReturnedSize]; +; 450 : T->RawData = new UCHAR[ReturnedSize]; - 00284 8b 85 54 03 
00 + 00212 8b 85 54 03 00 00 mov eax, DWORD PTR ReturnedSize$16[rbp] - 0028a 8b c8 mov ecx, eax - 0028c e8 00 00 00 00 call ??_U@YAPEAX_K@Z ; operator new[] - 00291 48 89 85 b8 06 + 00218 8b c8 mov ecx, eax + 0021a e8 00 00 00 00 call ??_U@YAPEAX_K@Z ; operator new[] + 0021f 48 89 85 b8 06 00 00 mov QWORD PTR $T22[rbp], rax - 00298 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] - 0029c 48 8b 8d b8 06 + 00226 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] + 0022a 48 8b 8d b8 06 00 00 mov rcx, QWORD PTR $T22[rbp] - 002a3 48 89 48 20 mov QWORD PTR [rax+32], rcx + 00231 48 89 48 20 mov QWORD PTR [rax+32], rcx -; 467 : RtlCopyMemory(T->RawData, EncodeBuffer, ReturnedSize); +; 451 : RtlCopyMemory(T->RawData, EncodeBuffer, ReturnedSize); - 002a7 8b 85 54 03 00 + 00235 8b 85 54 03 00 00 mov eax, DWORD PTR ReturnedSize$16[rbp] - 002ad 44 8b c0 mov r8d, eax - 002b0 48 8d 95 28 03 + 0023b 44 8b c0 mov r8d, eax + 0023e 48 8d 95 28 03 00 00 lea rdx, QWORD PTR EncodeBuffer$15[rbp] - 002b7 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] - 002bb 48 8b 48 20 mov rcx, QWORD PTR [rax+32] - 002bf e8 00 00 00 00 call memcpy - -; 468 : -; 469 : //Decode instruction so its proper and all that -; 470 : XedDecodedInstZeroSetMode(&T->XedInstruction, &MachineState); - - 002c4 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] - 002c8 48 83 c0 30 add rax, 48 ; 00000030H - 002cc 48 8d 55 68 lea rdx, QWORD PTR MachineState$12[rbp] - 002d0 48 8b c8 mov rcx, rax - 002d3 e8 00 00 00 00 call xed_decoded_inst_zero_set_mode - -; 471 : if (XED_ERROR_NONE != XedDecode(&T->XedInstruction, T->RawData, T->RawDataSize)) - - 002d8 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] - 002dc 48 83 c0 30 add rax, 48 ; 00000030H - 002e0 48 8b 4d 08 mov rcx, QWORD PTR T$9[rbp] - 002e4 44 8b 41 28 mov r8d, DWORD PTR [rcx+40] - 002e8 48 8b 4d 08 mov rcx, QWORD PTR T$9[rbp] - 002ec 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] - 002f0 48 8b c8 mov rcx, rax - 002f3 e8 00 00 00 00 call xed_decode - 002f8 85 c0 test eax, eax - 002fa 74 13 je SHORT $LN14@NcFixRelJm - 
-; 472 : { -; 473 : printf("\n6\n"); - - 002fc 48 8d 0d 00 00 - 00 00 lea rcx, OFFSET FLAT:??_C@_03GLAPLBCP@?66?6@ - 00303 e8 00 00 00 00 call printf - -; 474 : return NULL; - - 00308 33 c0 xor eax, eax - 0030a e9 c1 00 00 00 jmp $LN1@NcFixRelJm + 00245 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] + 00249 48 8b 48 20 mov rcx, QWORD PTR [rax+32] + 0024d e8 00 00 00 00 call memcpy + +; 452 : +; 453 : //Decode instruction so its proper and all that +; 454 : XedDecodedInstZeroSetMode(&T->XedInstruction, &MachineState); + + 00252 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] + 00256 48 83 c0 30 add rax, 48 ; 00000030H + 0025a 48 8d 55 68 lea rdx, QWORD PTR MachineState$12[rbp] + 0025e 48 8b c8 mov rcx, rax + 00261 e8 00 00 00 00 call xed_decoded_inst_zero_set_mode + +; 455 : if (XED_ERROR_NONE != XedDecode(&T->XedInstruction, T->RawData, T->RawDataSize)) + + 00266 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] + 0026a 48 83 c0 30 add rax, 48 ; 00000030H + 0026e 48 8b 4d 08 mov rcx, QWORD PTR T$9[rbp] + 00272 44 8b 41 28 mov r8d, DWORD PTR [rcx+40] + 00276 48 8b 4d 08 mov rcx, QWORD PTR T$9[rbp] + 0027a 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] + 0027e 48 8b c8 mov rcx, rax + 00281 e8 00 00 00 00 call xed_decode + 00286 85 c0 test eax, eax + 00288 74 07 je SHORT $LN14@NcFixRelJm + +; 456 : return FALSE; + + 0028a 33 c0 xor eax, eax + 0028c e9 c1 00 00 00 jmp $LN1@NcFixRelJm $LN14@NcFixRelJm: -; 475 : } -; 476 : -; 477 : //Go back to the start and loop through all labels again because now this instruction is larger :)))) -; 478 : T = Block->Start; +; 457 : +; 458 : //Go back to the start and loop through all labels again because now this instruction is larger :)))) +; 459 : T = Block->Start; - 0030f 48 8b 85 50 07 + 00291 48 8b 85 40 07 00 00 mov rax, QWORD PTR Block$[rbp] - 00316 48 8b 00 mov rax, QWORD PTR [rax] - 00319 48 89 45 08 mov QWORD PTR T$9[rbp], rax + 00298 48 8b 00 mov rax, QWORD PTR [rax] + 0029b 48 89 45 08 mov QWORD PTR T$9[rbp], rax -; 479 : continue; +; 460 : continue; - 
0031d e9 34 fd ff ff jmp $LN2@NcFixRelJm + 0029f e9 b2 fd ff ff jmp $LN2@NcFixRelJm -; 480 : } +; 461 : } - 00322 e9 94 00 00 00 jmp $LN10@NcFixRelJm + 002a4 e9 94 00 00 00 jmp $LN10@NcFixRelJm $LN9@NcFixRelJm: -; 481 : else -; 482 : { -; 483 : DispWidth = XedDecodedInstGetBranchDisplacementWidth(&T->XedInstruction); - - 00327 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] - 0032b 48 83 c0 30 add rax, 48 ; 00000030H - 0032f 48 8b c8 mov rcx, rax - 00332 e8 00 00 00 00 call xed_decoded_inst_get_branch_displacement_width - 00337 89 45 44 mov DWORD PTR DispWidth$11[rbp], eax - -; 484 : switch (DispWidth) - - 0033a 8b 45 44 mov eax, DWORD PTR DispWidth$11[rbp] - 0033d 89 85 14 07 00 - 00 mov DWORD PTR tv191[rbp], eax - 00343 83 bd 14 07 00 - 00 01 cmp DWORD PTR tv191[rbp], 1 - 0034a 74 14 je SHORT $LN15@NcFixRelJm - 0034c 83 bd 14 07 00 - 00 02 cmp DWORD PTR tv191[rbp], 2 - 00353 74 2a je SHORT $LN16@NcFixRelJm - 00355 83 bd 14 07 00 - 00 04 cmp DWORD PTR tv191[rbp], 4 - 0035c 74 41 je SHORT $LN17@NcFixRelJm - 0035e eb 5b jmp SHORT $LN5@NcFixRelJm +; 462 : else +; 463 : { +; 464 : DispWidth = XedDecodedInstGetBranchDisplacementWidth(&T->XedInstruction); + + 002a9 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] + 002ad 48 83 c0 30 add rax, 48 ; 00000030H + 002b1 48 8b c8 mov rcx, rax + 002b4 e8 00 00 00 00 call xed_decoded_inst_get_branch_displacement_width + 002b9 89 45 44 mov DWORD PTR DispWidth$11[rbp], eax + +; 465 : switch (DispWidth) + + 002bc 8b 45 44 mov eax, DWORD PTR DispWidth$11[rbp] + 002bf 89 85 14 07 00 + 00 mov DWORD PTR tv174[rbp], eax + 002c5 83 bd 14 07 00 + 00 01 cmp DWORD PTR tv174[rbp], 1 + 002cc 74 14 je SHORT $LN15@NcFixRelJm + 002ce 83 bd 14 07 00 + 00 02 cmp DWORD PTR tv174[rbp], 2 + 002d5 74 2a je SHORT $LN16@NcFixRelJm + 002d7 83 bd 14 07 00 + 00 04 cmp DWORD PTR tv174[rbp], 4 + 002de 74 41 je SHORT $LN17@NcFixRelJm + 002e0 eb 5b jmp SHORT $LN5@NcFixRelJm $LN15@NcFixRelJm: -; 485 : { -; 486 : case 1: *(PINT8)&T->RawData[T->RawDataSize - DispWidth] = 
(INT8)BranchDisp; break; - - 00360 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] - 00364 8b 4d 44 mov ecx, DWORD PTR DispWidth$11[rbp] - 00367 8b 40 28 mov eax, DWORD PTR [rax+40] - 0036a 2b c1 sub eax, ecx - 0036c 8b c0 mov eax, eax - 0036e 48 8b 4d 08 mov rcx, QWORD PTR T$9[rbp] - 00372 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] - 00376 0f b6 55 24 movzx edx, BYTE PTR BranchDisp$10[rbp] - 0037a 88 14 01 mov BYTE PTR [rcx+rax], dl - 0037d eb 3c jmp SHORT $LN5@NcFixRelJm +; 466 : { +; 467 : case 1: *(PINT8)&T->RawData[T->RawDataSize - DispWidth] = (INT8)BranchDisp; break; + + 002e2 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] + 002e6 8b 4d 44 mov ecx, DWORD PTR DispWidth$11[rbp] + 002e9 8b 40 28 mov eax, DWORD PTR [rax+40] + 002ec 2b c1 sub eax, ecx + 002ee 8b c0 mov eax, eax + 002f0 48 8b 4d 08 mov rcx, QWORD PTR T$9[rbp] + 002f4 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] + 002f8 0f b6 55 24 movzx edx, BYTE PTR BranchDisp$10[rbp] + 002fc 88 14 01 mov BYTE PTR [rcx+rax], dl + 002ff eb 3c jmp SHORT $LN5@NcFixRelJm $LN16@NcFixRelJm: -; 487 : case 2: *(PINT16)&T->RawData[T->RawDataSize - DispWidth] = (INT16)BranchDisp; break; - - 0037f 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] - 00383 8b 4d 44 mov ecx, DWORD PTR DispWidth$11[rbp] - 00386 8b 40 28 mov eax, DWORD PTR [rax+40] - 00389 2b c1 sub eax, ecx - 0038b 8b c0 mov eax, eax - 0038d 48 8b 4d 08 mov rcx, QWORD PTR T$9[rbp] - 00391 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] - 00395 0f b7 55 24 movzx edx, WORD PTR BranchDisp$10[rbp] - 00399 66 89 14 01 mov WORD PTR [rcx+rax], dx - 0039d eb 1c jmp SHORT $LN5@NcFixRelJm +; 468 : case 2: *(PINT16)&T->RawData[T->RawDataSize - DispWidth] = (INT16)BranchDisp; break; + + 00301 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] + 00305 8b 4d 44 mov ecx, DWORD PTR DispWidth$11[rbp] + 00308 8b 40 28 mov eax, DWORD PTR [rax+40] + 0030b 2b c1 sub eax, ecx + 0030d 8b c0 mov eax, eax + 0030f 48 8b 4d 08 mov rcx, QWORD PTR T$9[rbp] + 00313 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] + 00317 0f b7 55 24 movzx edx, WORD 
PTR BranchDisp$10[rbp] + 0031b 66 89 14 01 mov WORD PTR [rcx+rax], dx + 0031f eb 1c jmp SHORT $LN5@NcFixRelJm $LN17@NcFixRelJm: -; 488 : case 4: *(PINT32)&T->RawData[T->RawDataSize - DispWidth] = (INT32)BranchDisp; break; - - 0039f 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] - 003a3 8b 4d 44 mov ecx, DWORD PTR DispWidth$11[rbp] - 003a6 8b 40 28 mov eax, DWORD PTR [rax+40] - 003a9 2b c1 sub eax, ecx - 003ab 8b c0 mov eax, eax - 003ad 48 8b 4d 08 mov rcx, QWORD PTR T$9[rbp] - 003b1 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] - 003b5 8b 55 24 mov edx, DWORD PTR BranchDisp$10[rbp] - 003b8 89 14 01 mov DWORD PTR [rcx+rax], edx +; 469 : case 4: *(PINT32)&T->RawData[T->RawDataSize - DispWidth] = (INT32)BranchDisp; break; + + 00321 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] + 00325 8b 4d 44 mov ecx, DWORD PTR DispWidth$11[rbp] + 00328 8b 40 28 mov eax, DWORD PTR [rax+40] + 0032b 2b c1 sub eax, ecx + 0032d 8b c0 mov eax, eax + 0032f 48 8b 4d 08 mov rcx, QWORD PTR T$9[rbp] + 00333 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] + 00337 8b 55 24 mov edx, DWORD PTR BranchDisp$10[rbp] + 0033a 89 14 01 mov DWORD PTR [rcx+rax], edx $LN5@NcFixRelJm: $LN10@NcFixRelJm: $LN7@NcFixRelJm: -; 489 : } -; 490 : } -; 491 : } -; 492 : -; 493 : T = T->Next; +; 470 : } +; 471 : } +; 472 : } +; 473 : +; 474 : T = T->Next; - 003bb 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] - 003bf 48 8b 00 mov rax, QWORD PTR [rax] - 003c2 48 89 45 08 mov QWORD PTR T$9[rbp], rax + 0033d 48 8b 45 08 mov rax, QWORD PTR T$9[rbp] + 00341 48 8b 00 mov rax, QWORD PTR [rax] + 00344 48 89 45 08 mov QWORD PTR T$9[rbp], rax -; 494 : } +; 475 : } - 003c6 e9 8b fc ff ff jmp $LN2@NcFixRelJm + 00348 e9 09 fd ff ff jmp $LN2@NcFixRelJm $LN3@NcFixRelJm: -; 495 : return TRUE; +; 476 : return TRUE; - 003cb b8 01 00 00 00 mov eax, 1 + 0034d b8 01 00 00 00 mov eax, 1 $LN1@NcFixRelJm: -; 496 : } +; 477 : } - 003d0 48 8b f8 mov rdi, rax - 003d3 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48] - 003d7 48 8d 15 00 00 + 00352 48 8b f8 mov rdi, rax + 00355 48 8d 4d d0 
lea rcx, QWORD PTR [rbp-48] + 00359 48 8d 15 00 00 00 00 lea rdx, OFFSET FLAT:?NcFixRelJmps@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z$rtcFrameData - 003de e8 00 00 00 00 call _RTC_CheckStackVars - 003e3 48 8b c7 mov rax, rdi - 003e6 48 8b 8d 28 07 + 00360 e8 00 00 00 00 call _RTC_CheckStackVars + 00365 48 8b c7 mov rax, rdi + 00368 48 8b 8d 18 07 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] - 003ed 48 33 cd xor rcx, rbp - 003f0 e8 00 00 00 00 call __security_check_cookie - 003f5 48 8d a5 30 07 - 00 00 lea rsp, QWORD PTR [rbp+1840] - 003fc 5f pop rdi - 003fd 5e pop rsi - 003fe 5d pop rbp - 003ff c3 ret 0 + 0036f 48 33 cd xor rcx, rbp + 00372 e8 00 00 00 00 call __security_check_cookie + 00377 48 8d a5 20 07 + 00 00 lea rsp, QWORD PTR [rbp+1824] + 0037e 5f pop rdi + 0037f 5e pop rsi + 00380 5d pop rbp + 00381 c3 ret 0 ?NcFixRelJmps@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z ENDP ; NcFixRelJmps _TEXT ENDS ; Function compile flags: /Odtp /RTCsu /ZI diff --git a/CodeVirtualizer/x64/Debug/Obfuscator.cod b/CodeVirtualizer/x64/Debug/Obfuscator.cod index 7f93417..12455f6 100644 --- a/CodeVirtualizer/x64/Debug/Obfuscator.cod +++ b/CodeVirtualizer/x64/Debug/Obfuscator.cod 
@@ -103,7 +103,7 @@ PUBLIC ?_Tidy@?$vector@KV?$allocator@K@std@@@std@@AEAAXXZ ; std::vector >::_Getal PUBLIC ?_Get_first@?$_Compressed_pair@V?$allocator@K@std@@V?$_Vector_val@U?$_Simple_types@K@std@@@2@$00@std@@QEAAAEAV?$allocator@K@2@XZ ; std::_Compressed_pair,std::_Vector_val >,1>::_Get_first PUBLIC ??1_NATIVE_CODE_BLOCK@@QEAA@XZ ; _NATIVE_CODE_BLOCK::~_NATIVE_CODE_BLOCK -PUBLIC ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate +PUBLIC ?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z ; ObfObfuscate1 PUBLIC ??$?0K@?$allocator@U_Container_proxy@std@@@std@@QEAA@AEBV?$allocator@K@1@@Z ; std::allocator::allocator PUBLIC ??$exchange@PEAU_Container_proxy@std@@$$T@std@@YAPEAU_Container_proxy@0@AEAPEAU10@$$QEA$$T@Z ; std::exchange PUBLIC ??$_Delete_plain_internal@V?$allocator@U_Container_proxy@std@@@std@@@std@@YAXAEAV?$allocator@U_Container_proxy@std@@@0@QEAU_Container_proxy@0@@Z ; std::_Delete_plain_internal > @@ -129,6 +129,7 @@ EXTRN __imp__invalid_parameter:PROC EXTRN memcpy:PROC EXTRN __imp_wcslen:PROC EXTRN strlen:PROC +EXTRN __imp_rand:PROC EXTRN __imp__calloc_dbg:PROC EXTRN __imp__CrtDbgReport:PROC EXTRN __imp_??0_Lockit@std@@QEAA@H@Z:PROC 
@@ -143,6 +144,11 @@ EXTRN __imp_?_W_Getmonths@_Locinfo@std@@QEBAPEBGXZ:PROC EXTRN ??0_NATIVE_CODE_BLOCK@@QEAA@XZ:PROC ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK EXTRN ?NcCountInstructions@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z:PROC ; NcCountInstructions EXTRN ?NcGenUnusedLabelId@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z:PROC ; NcGenUnusedLabelId +EXTRN ?NcInsertBlockAfter@@YAHPEAU_NATIVE_CODE_LINK@@PEAU_NATIVE_CODE_BLOCK@@H@Z:PROC ; NcInsertBlockAfter +EXTRN ?NcInsertBlockBefore@@YAHPEAU_NATIVE_CODE_LINK@@PEAU_NATIVE_CODE_BLOCK@@H@Z:PROC ; NcInsertBlockBefore +EXTRN ?NcDeepCopyPartialBlock@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@@Z:PROC ; NcDeepCopyPartialBlock +EXTRN ?JitEmitPreRipMov@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@H@Z:PROC ; JitEmitPreRipMov +EXTRN ?JitEmitPostRipMov@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@H@Z:PROC ; JitEmitPostRipMov EXTRN ?ObfCreateOpaqueBranches@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@1@Z:PROC ; ObfCreateOpaqueBranches EXTRN ?ObfCombineOpaqueBranches@@YAHPEAU_NATIVE_CODE_BLOCK@@0KK@Z:PROC ; ObfCombineOpaqueBranches EXTRN ?ObfInsertOpaqueBranchBlock@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@@Z:PROC ; ObfInsertOpaqueBranchBlock 
@@ -271,33 +277,39 @@ $pdata$??1_NATIVE_CODE_BLOCK@@QEAA@XZ DD imagerel $LN3 pdata ENDS ; COMDAT pdata pdata SEGMENT -$pdata$?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z DD imagerel $LN15 - DD imagerel $LN15+816 - DD imagerel $unwind$?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z +$pdata$?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z DD imagerel $LN34 + DD imagerel $LN34+1631 + DD imagerel $unwind$?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z pdata ENDS ; COMDAT pdata pdata SEGMENT -$pdata$?dtor$0@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA DD imagerel ?dtor$0@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA - DD imagerel ?dtor$0@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA+39 - DD imagerel $unwind$?dtor$0@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA +$pdata$?dtor$0@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA DD imagerel ?dtor$0@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA + DD imagerel ?dtor$0@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA+39 + DD imagerel $unwind$?dtor$0@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA pdata ENDS ; COMDAT pdata pdata SEGMENT -$pdata$?dtor$1@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA DD imagerel ?dtor$1@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA - DD imagerel ?dtor$1@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA+39 - DD imagerel $unwind$?dtor$1@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA +$pdata$?dtor$1@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA DD imagerel ?dtor$1@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA + DD imagerel ?dtor$1@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA+39 + DD imagerel 
$unwind$?dtor$1@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA pdata ENDS ; COMDAT pdata pdata SEGMENT -$pdata$?dtor$2@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA DD imagerel ?dtor$2@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA - DD imagerel ?dtor$2@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA+39 - DD imagerel $unwind$?dtor$2@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA +$pdata$?dtor$2@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA DD imagerel ?dtor$2@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA + DD imagerel ?dtor$2@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA+39 + DD imagerel $unwind$?dtor$2@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA pdata ENDS ; COMDAT pdata pdata SEGMENT -$pdata$?dtor$3@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA DD imagerel ?dtor$3@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA - DD imagerel ?dtor$3@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA+39 - DD imagerel $unwind$?dtor$3@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA +$pdata$?dtor$3@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA DD imagerel ?dtor$3@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA + DD imagerel ?dtor$3@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA+39 + DD imagerel $unwind$?dtor$3@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA +pdata ENDS +; COMDAT pdata +pdata SEGMENT +$pdata$?dtor$4@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA DD imagerel ?dtor$4@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA + DD imagerel ?dtor$4@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA+39 + DD imagerel 
$unwind$?dtor$4@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA pdata ENDS ; COMDAT pdata pdata SEGMENT 
@@ -559,81 +571,93 @@ $unwind$??$?0K@?$allocator@U_Container_proxy@std@@@std@@QEAA@AEBV?$allocator@K@1 xdata ENDS ; COMDAT xdata xdata SEGMENT -$unwind$?dtor$3@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA DD 031001H +$unwind$?dtor$4@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA DD 031001H + DD 0700c4210H + DD 0500bH +xdata ENDS +; COMDAT xdata +xdata SEGMENT +$unwind$?dtor$3@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA DD 031001H DD 0700c4210H DD 0500bH xdata ENDS ; COMDAT xdata xdata SEGMENT -$unwind$?dtor$2@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA DD 031001H +$unwind$?dtor$2@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA DD 031001H DD 0700c4210H DD 0500bH xdata ENDS ; COMDAT xdata xdata SEGMENT -$unwind$?dtor$1@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA DD 031001H +$unwind$?dtor$1@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA DD 031001H DD 0700c4210H DD 0500bH xdata ENDS ; COMDAT xdata xdata SEGMENT -$unwind$?dtor$0@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA DD 031001H +$unwind$?dtor$0@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA DD 031001H DD 0700c4210H DD 0500bH xdata ENDS ; COMDAT xdata xdata SEGMENT -$ip2state$?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z DB 012H +$ip2state$?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z DB 016H DB 00H DB 00H - DB 'E', 04H + DB 01H, 0eH DB 02H DB 01aH DB 04H - DB '-', 03H + DB 'I', 03H DB 02H DB 01aH DB 00H - DB 't' + DB '6' DB 06H + DB 0c8H + DB 00H + DB 0b0H + DB 08H DB 01aH + DB 0aH + DB '5', 03H DB 08H - DB 0c5H, 02H - DB 06H DB 01aH DB 00H xdata ENDS ; COMDAT xdata xdata SEGMENT -$stateUnwindMap$?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z DB 08H +$stateUnwindMap$?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z DB 0aH DB 0eH - DD 
imagerel ?dtor$0@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA + DD imagerel ?dtor$0@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA DB 02eH - DD imagerel ?dtor$1@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA + DD imagerel ?dtor$1@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA DB 05eH - DD imagerel ?dtor$2@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA + DD imagerel ?dtor$2@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA + DB 086H + DD imagerel ?dtor$3@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA DB 02eH - DD imagerel ?dtor$3@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA + DD imagerel ?dtor$4@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA xdata ENDS ; COMDAT xdata xdata SEGMENT -$cppxdata$?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z DB 028H - DD imagerel $stateUnwindMap$?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z - DD imagerel $ip2state$?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z +$cppxdata$?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z DB 028H + DD imagerel $stateUnwindMap$?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z + DD imagerel $ip2state$?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z xdata ENDS ; COMDAT xdata xdata SEGMENT -$unwind$?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z DD 025054019H - DD 01132318H - DD 0700c005bH - DD 0500bH +$unwind$?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z DD 025054519H + DD 0118231dH + DD 07011008dH + DD 05010H DD imagerel __GSHandlerCheck_EH4 - DD imagerel $cppxdata$?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z - DD 02c2H + DD imagerel $cppxdata$?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z + DD 0452H xdata ENDS ; COMDAT CONST CONST SEGMENT 
-?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z$rtcName$0 DB 04eH ; ObfObfuscate +?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z$rtcName$0 DB 04eH ; ObfObfuscate1 DB 06fH DB 074H DB 054H @@ -643,14 +667,25 @@ CONST SEGMENT DB 06eH DB 00H ORG $+3 -?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z$rtcName$1 DB 054H ; ObfObfuscate +?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z$rtcName$1 DB 054H ; ObfObfuscate1 DB 061H DB 06bH DB 065H DB 06eH DB 00H ORG $+6 -?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z$rtcName$2 DB 04eH ; ObfObfuscate +?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z$rtcName$2 DB 054H ; ObfObfuscate1 + DB 065H + DB 06dH + DB 070H + DB 042H + DB 06cH + DB 06fH + DB 063H + DB 06bH + DB 00H + ORG $+6 +?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z$rtcName$3 DB 04eH ; ObfObfuscate1 DB 06fH DB 074H DB 054H 
@@ -660,29 +695,32 @@ CONST SEGMENT DB 06eH DB 00H ORG $+3 -?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z$rtcName$3 DB 054H ; ObfObfuscate +?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z$rtcName$4 DB 054H ; ObfObfuscate1 DB 061H DB 06bH DB 065H DB 06eH DB 00H ORG $+6 -?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z$rtcVarDesc DD 01b8H ; ObfObfuscate +?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z$rtcVarDesc DD 0288H ; ObfObfuscate1 + DD 030H + DQ FLAT:?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z$rtcName$4 + DD 0238H DD 030H - DQ FLAT:?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z$rtcName$3 - DD 0168H + DQ FLAT:?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z$rtcName$3 + DD 01e8H DD 030H - DQ FLAT:?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z$rtcName$2 - DD 0118H + DQ FLAT:?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z$rtcName$2 + DD 0198H DD 030H - DQ FLAT:?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z$rtcName$1 - DD 0c8H + DQ FLAT:?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z$rtcName$1 + DD 0148H DD 030H - DQ FLAT:?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z$rtcName$0 - ORG $+192 -?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z$rtcFrameData DD 04H ; ObfObfuscate + DQ FLAT:?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z$rtcName$0 + ORG $+240 +?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z$rtcFrameData DD 05H ; ObfObfuscate1 DD 00H - DQ FLAT:?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z$rtcVarDesc + DQ FLAT:?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z$rtcVarDesc CONST ENDS ; COMDAT xdata xdata SEGMENT 
@@ -1377,657 +1415,1205 @@ $LN3: _TEXT ENDS ; Function compile flags: /Odtp /RTCsu /ZI ; File C:\$Fanta\code-virtualizer\CodeVirtualizer\Obfuscator.cpp -; COMDAT ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z +; COMDAT ?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z _TEXT SEGMENT InstructionCount$ = 4 -TargetCount$7 = 36 -CurrentCount$8 = 68 -NewBlockStart$9 = 104 -T$10 = 136 -NotTaken$11 = 168 -Taken$12 = 248 -NotTaken$13 = 328 -Taken$14 = 408 -tv176 = 660 -tv141 = 660 -tv174 = 664 -tv139 = 664 -__$ArrayPad$ = 672 -Obf$ = 720 -Block$ = 728 -?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z PROC ; ObfObfuscate, COMDAT +T$8 = 40 +RealNext$9 = 72 +PreOp$10 = 104 +PostOp$11 = 136 +TargetCount$12 = 164 +CurrentCount$13 = 196 +NewBlockStart$14 = 232 +T$15 = 264 +NotTaken$16 = 296 +Taken$17 = 376 +TempBlock$18 = 456 +NotTaken$19 = 536 +Taken$20 = 616 +tv279 = 1060 +tv225 = 1060 +tv154 = 1060 +tv277 = 1064 +tv223 = 1064 +tv169 = 1064 +tv167 = 1068 +__$ArrayPad$ = 1072 +Obf$ = 1120 +Block$ = 1128 +Depth$ = 1136 +?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z PROC ; ObfObfuscate1, COMDAT ; 7 : { -$LN15: - 00000 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx - 00005 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx - 0000a 55 push rbp - 0000b 57 push rdi - 0000c 48 81 ec d8 02 - 00 00 sub rsp, 728 ; 000002d8H - 00013 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] - 00018 48 8b fc mov rdi, rsp - 0001b b9 b6 00 00 00 mov ecx, 182 ; 000000b6H - 00020 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH - 00025 f3 ab rep stosd - 00027 48 8b 8c 24 f8 - 02 00 00 mov rcx, QWORD PTR [rsp+760] - 0002f 48 8b 05 00 00 +$LN34: + 00000 44 89 44 24 18 mov DWORD PTR [rsp+24], r8d + 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx + 0000a 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx + 0000f 55 push rbp + 00010 57 push rdi + 00011 48 81 ec 68 04 + 00 00 sub rsp, 1128 ; 00000468H + 00018 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] + 0001d 48 8b fc mov rdi, 
rsp + 00020 b9 1a 01 00 00 mov ecx, 282 ; 0000011aH + 00025 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH + 0002a f3 ab rep stosd + 0002c 48 8b 8c 24 88 + 04 00 00 mov rcx, QWORD PTR [rsp+1160] + 00034 48 8b 05 00 00 00 00 mov rax, QWORD PTR __security_cookie - 00036 48 33 c5 xor rax, rbp - 00039 48 89 85 a0 02 + 0003b 48 33 c5 xor rax, rbp + 0003e 48 89 85 30 04 00 00 mov QWORD PTR __$ArrayPad$[rbp], rax - 00040 48 8d 0d 00 00 + 00045 48 8d 0d 00 00 00 00 lea rcx, OFFSET FLAT:__135BC3AC_Obfuscator@cpp - 00047 e8 00 00 00 00 call __CheckForDebuggerJustMyCode + 0004c e8 00 00 00 00 call __CheckForDebuggerJustMyCode ; 8 : ULONG InstructionCount = NcCountInstructions(Block); - 0004c 48 8b 8d d8 02 + 00051 48 8b 8d 68 04 00 00 mov rcx, QWORD PTR Block$[rbp] - 00053 e8 00 00 00 00 call ?NcCountInstructions@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z ; NcCountInstructions - 00058 89 45 04 mov DWORD PTR InstructionCount$[rbp], eax + 00058 e8 00 00 00 00 call ?NcCountInstructions@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z ; NcCountInstructions + 0005d 89 45 04 mov DWORD PTR InstructionCount$[rbp], eax -; 9 : if (InstructionCount <= Obf->MinInstCount) +; 9 : if (InstructionCount <= Obf->MinSizeForOpaqueBranch) - 0005b 48 8b 85 d0 02 + 00060 48 8b 85 60 04 00 00 mov rax, QWORD PTR Obf$[rbp] - 00062 8b 00 mov eax, DWORD PTR [rax] - 00064 39 45 04 cmp DWORD PTR InstructionCount$[rbp], eax - 00067 77 05 ja SHORT $LN5@ObfObfusca + 00067 8b 40 04 mov eax, DWORD PTR [rax+4] + 0006a 39 45 04 cmp DWORD PTR InstructionCount$[rbp], eax + 0006d 0f 87 45 01 00 + 00 ja $LN8@ObfObfusca ; 10 : { -; 11 : -; 12 : } +; 11 : for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;) - 00069 e9 99 02 00 00 jmp $LN6@ObfObfusca -$LN5@ObfObfusca: + 00073 48 8b 85 68 04 + 00 00 mov rax, QWORD PTR Block$[rbp] + 0007a 48 8b 00 mov rax, QWORD PTR [rax] + 0007d 48 89 45 28 mov QWORD PTR T$8[rbp], rax +$LN2@ObfObfusca: + 00081 48 83 7d 28 00 cmp QWORD PTR T$8[rbp], 0 + 00086 0f 84 27 01 00 + 00 je $LN3@ObfObfusca + 
0008c 48 8b 85 68 04 + 00 00 mov rax, QWORD PTR Block$[rbp] + 00093 48 8b 40 08 mov rax, QWORD PTR [rax+8] + 00097 48 8b 00 mov rax, QWORD PTR [rax] + 0009a 48 39 45 28 cmp QWORD PTR T$8[rbp], rax + 0009e 0f 84 0f 01 00 + 00 je $LN3@ObfObfusca + +; 12 : { +; 13 : if ((T->Flags & CODE_FLAG_IS_LABEL) || (T->Flags & CODE_FLAG_DO_NOT_DIVIDE) || (T->Flags & CODE_FLAG_IS_REL_JMP)) + + 000a4 48 8b 45 28 mov rax, QWORD PTR T$8[rbp] + 000a8 8b 40 18 mov eax, DWORD PTR [rax+24] + 000ab 83 e0 01 and eax, 1 + 000ae 85 c0 test eax, eax + 000b0 75 1c jne SHORT $LN11@ObfObfusca + 000b2 48 8b 45 28 mov rax, QWORD PTR T$8[rbp] + 000b6 8b 40 18 mov eax, DWORD PTR [rax+24] + 000b9 83 e0 08 and eax, 8 + 000bc 85 c0 test eax, eax + 000be 75 0e jne SHORT $LN11@ObfObfusca + 000c0 48 8b 45 28 mov rax, QWORD PTR T$8[rbp] + 000c4 8b 40 18 mov eax, DWORD PTR [rax+24] + 000c7 83 e0 02 and eax, 2 + 000ca 85 c0 test eax, eax + 000cc 74 0d je SHORT $LN10@ObfObfusca +$LN11@ObfObfusca: + +; 14 : { +; 15 : T = T->Next; + + 000ce 48 8b 45 28 mov rax, QWORD PTR T$8[rbp] + 000d2 48 8b 00 mov rax, QWORD PTR [rax] + 000d5 48 89 45 28 mov QWORD PTR T$8[rbp], rax + +; 16 : continue; + + 000d9 eb a6 jmp SHORT $LN2@ObfObfusca +$LN10@ObfObfusca: + +; 17 : } +; 18 : +; 19 : PNATIVE_CODE_LINK RealNext = T->Next; + + 000db 48 8b 45 28 mov rax, QWORD PTR T$8[rbp] + 000df 48 8b 00 mov rax, QWORD PTR [rax] + 000e2 48 89 45 48 mov QWORD PTR RealNext$9[rbp], rax + +; 20 : +; 21 : if ((rand() % 100) <= Obf->InstructionMutateChance) -; 13 : else -; 14 : { -; 15 : ULONG TargetCount = InstructionCount / 2; + 000e6 ff 15 00 00 00 + 00 call QWORD PTR __imp_rand + 000ec 99 cdq + 000ed b9 64 00 00 00 mov ecx, 100 ; 00000064H + 000f2 f7 f9 idiv ecx + 000f4 8b c2 mov eax, edx + 000f6 48 8b 8d 60 04 + 00 00 mov rcx, QWORD PTR Obf$[rbp] + 000fd 0f b6 49 09 movzx ecx, BYTE PTR [rcx+9] + 00101 3b c1 cmp eax, ecx + 00103 0f 8f 9d 00 00 + 00 jg $LN12@ObfObfusca + +; 22 : { +; 23 : PNATIVE_CODE_BLOCK PreOp = JitEmitPreRipMov(T); + + 
00109 33 d2 xor edx, edx + 0010b 48 8b 4d 28 mov rcx, QWORD PTR T$8[rbp] + 0010f e8 00 00 00 00 call ?JitEmitPreRipMov@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@H@Z ; JitEmitPreRipMov + 00114 48 89 45 68 mov QWORD PTR PreOp$10[rbp], rax + +; 24 : PNATIVE_CODE_BLOCK PostOp = JitEmitPostRipMov(T); - 0006e 33 d2 xor edx, edx - 00070 8b 45 04 mov eax, DWORD PTR InstructionCount$[rbp] - 00073 b9 02 00 00 00 mov ecx, 2 - 00078 f7 f1 div ecx - 0007a 89 45 24 mov DWORD PTR TargetCount$7[rbp], eax + 00118 33 d2 xor edx, edx + 0011a 48 8b 4d 28 mov rcx, QWORD PTR T$8[rbp] + 0011e e8 00 00 00 00 call ?JitEmitPostRipMov@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@H@Z ; JitEmitPostRipMov + 00123 48 89 85 88 00 + 00 00 mov QWORD PTR PostOp$11[rbp], rax -; 16 : ULONG CurrentCount = 0; +; 25 : +; 26 : NcInsertBlockBefore(T, PreOp, FALSE); + + 0012a 45 33 c0 xor r8d, r8d + 0012d 48 8b 55 68 mov rdx, QWORD PTR PreOp$10[rbp] + 00131 48 8b 4d 28 mov rcx, QWORD PTR T$8[rbp] + 00135 e8 00 00 00 00 call ?NcInsertBlockBefore@@YAHPEAU_NATIVE_CODE_LINK@@PEAU_NATIVE_CODE_BLOCK@@H@Z ; NcInsertBlockBefore + +; 27 : NcInsertBlockAfter(T, PostOp, FALSE); - 0007d c7 45 44 00 00 - 00 00 mov DWORD PTR CurrentCount$8[rbp], 0 + 0013a 45 33 c0 xor r8d, r8d + 0013d 48 8b 95 88 00 + 00 00 mov rdx, QWORD PTR PostOp$11[rbp] + 00144 48 8b 4d 28 mov rcx, QWORD PTR T$8[rbp] + 00148 e8 00 00 00 00 call ?NcInsertBlockAfter@@YAHPEAU_NATIVE_CODE_LINK@@PEAU_NATIVE_CODE_BLOCK@@H@Z ; NcInsertBlockAfter -; 17 : PNATIVE_CODE_LINK NewBlockStart = Block->Start; +; 28 : +; 29 : if (Block->Start == T) - 00084 48 8b 85 d8 02 + 0014d 48 8b 85 68 04 00 00 mov rax, QWORD PTR Block$[rbp] - 0008b 48 8b 00 mov rax, QWORD PTR [rax] - 0008e 48 89 45 68 mov QWORD PTR NewBlockStart$9[rbp], rax + 00154 48 8b 4d 28 mov rcx, QWORD PTR T$8[rbp] + 00158 48 39 08 cmp QWORD PTR [rax], rcx + 0015b 75 11 jne SHORT $LN13@ObfObfusca -; 18 : for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;) +; 30 : 
Block->Start = PreOp->Start; - 00092 48 8b 85 d8 02 + 0015d 48 8b 85 68 04 00 00 mov rax, QWORD PTR Block$[rbp] - 00099 48 8b 00 mov rax, QWORD PTR [rax] - 0009c 48 89 85 88 00 - 00 00 mov QWORD PTR T$10[rbp], rax -$LN2@ObfObfusca: - 000a3 48 83 bd 88 00 - 00 00 00 cmp QWORD PTR T$10[rbp], 0 - 000ab 0f 84 67 01 00 - 00 je $LN3@ObfObfusca - 000b1 48 8b 85 d8 02 + 00164 48 8b 4d 68 mov rcx, QWORD PTR PreOp$10[rbp] + 00168 48 8b 09 mov rcx, QWORD PTR [rcx] + 0016b 48 89 08 mov QWORD PTR [rax], rcx +$LN13@ObfObfusca: + +; 31 : if (Block->End == T) + + 0016e 48 8b 85 68 04 00 00 mov rax, QWORD PTR Block$[rbp] - 000b8 48 8b 40 08 mov rax, QWORD PTR [rax+8] - 000bc 48 8b 00 mov rax, QWORD PTR [rax] - 000bf 48 39 85 88 00 - 00 00 cmp QWORD PTR T$10[rbp], rax - 000c6 0f 84 4c 01 00 - 00 je $LN3@ObfObfusca + 00175 48 8b 4d 28 mov rcx, QWORD PTR T$8[rbp] + 00179 48 39 48 08 cmp QWORD PTR [rax+8], rcx + 0017d 75 16 jne SHORT $LN14@ObfObfusca + +; 32 : Block->End = PostOp->End; + + 0017f 48 8b 85 68 04 + 00 00 mov rax, QWORD PTR Block$[rbp] + 00186 48 8b 8d 88 00 + 00 00 mov rcx, QWORD PTR PostOp$11[rbp] + 0018d 48 8b 49 08 mov rcx, QWORD PTR [rcx+8] + 00191 48 89 48 08 mov QWORD PTR [rax+8], rcx +$LN14@ObfObfusca: + +; 33 : +; 34 : //for (ULONG i = 0; i < T->RawDataSize; i++) +; 35 : // T->RawData[i] = (UCHAR)(rand() % 255); +; 36 : +; 37 : T->Flags |= CODE_FLAG_DO_NOT_DIVIDE; + + 00195 48 8b 45 28 mov rax, QWORD PTR T$8[rbp] + 00199 8b 40 18 mov eax, DWORD PTR [rax+24] + 0019c 83 c8 08 or eax, 8 + 0019f 48 8b 4d 28 mov rcx, QWORD PTR T$8[rbp] + 001a3 89 41 18 mov DWORD PTR [rcx+24], eax +$LN12@ObfObfusca: + +; 38 : +; 39 : } +; 40 : +; 41 : T = RealNext; -; 19 : { -; 20 : if (T->Flags & CODE_FLAG_IS_LABEL) + 001a6 48 8b 45 48 mov rax, QWORD PTR RealNext$9[rbp] + 001aa 48 89 45 28 mov QWORD PTR T$8[rbp], rax - 000cc 48 8b 85 88 00 - 00 00 mov rax, QWORD PTR T$10[rbp] - 000d3 8b 40 18 mov eax, DWORD PTR [rax+24] - 000d6 83 e0 01 and eax, 1 - 000d9 85 c0 test eax, eax - 000db 74 
13 je SHORT $LN7@ObfObfusca +; 42 : } -; 21 : { -; 22 : T = T->Next; + 001ae e9 ce fe ff ff jmp $LN2@ObfObfusca +$LN3@ObfObfusca: - 000dd 48 8b 85 88 00 - 00 00 mov rax, QWORD PTR T$10[rbp] - 000e4 48 8b 00 mov rax, QWORD PTR [rax] - 000e7 48 89 85 88 00 - 00 00 mov QWORD PTR T$10[rbp], rax +; 43 : } -; 23 : continue; + 001b3 e9 7e 04 00 00 jmp $LN9@ObfObfusca +$LN8@ObfObfusca: - 000ee eb b3 jmp SHORT $LN2@ObfObfusca -$LN7@ObfObfusca: +; 44 : else +; 45 : { +; 46 : ULONG TargetCount = max(Obf->MinSizeForOpaqueBranch, InstructionCount / ((Obf->Flags & OBF_ATTRIBUTE_RANDOMIZE_DIVISOR) ? (rand() % Obf->BlockDivisionFactor) : Obf->BlockDivisionFactor)); // max(Obf->MinBlockSize, InstructionCount / Obf->BlockDivisionFactor); -; 24 : } -; 25 : -; 26 : ++CurrentCount; - - 000f0 8b 45 44 mov eax, DWORD PTR CurrentCount$8[rbp] - 000f3 ff c0 inc eax - 000f5 89 45 44 mov DWORD PTR CurrentCount$8[rbp], eax - -; 27 : -; 28 : if (CurrentCount == TargetCount) - - 000f8 8b 45 24 mov eax, DWORD PTR TargetCount$7[rbp] - 000fb 39 45 44 cmp DWORD PTR CurrentCount$8[rbp], eax - 000fe 0f 85 fe 00 00 - 00 jne $LN8@ObfObfusca - -; 29 : { -; 30 : NATIVE_CODE_BLOCK NotTaken, Taken; - - 00104 48 8d 8d a8 00 - 00 00 lea rcx, QWORD PTR NotTaken$11[rbp] - 0010b e8 00 00 00 00 call ??0_NATIVE_CODE_BLOCK@@QEAA@XZ ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK - 00110 90 npad 1 - 00111 48 8d 8d f8 00 - 00 00 lea rcx, QWORD PTR Taken$12[rbp] - 00118 e8 00 00 00 00 call ??0_NATIVE_CODE_BLOCK@@QEAA@XZ ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK - 0011d 90 npad 1 - -; 31 : ObfCreateOpaqueBranches(NewBlockStart, T, &NotTaken, &Taken); - - 0011e 4c 8d 8d f8 00 - 00 00 lea r9, QWORD PTR Taken$12[rbp] - 00125 4c 8d 85 a8 00 - 00 00 lea r8, QWORD PTR NotTaken$11[rbp] - 0012c 48 8b 95 88 00 - 00 00 mov rdx, QWORD PTR T$10[rbp] - 00133 48 8b 4d 68 mov rcx, QWORD PTR NewBlockStart$9[rbp] - 00137 e8 00 00 00 00 call ?ObfCreateOpaqueBranches@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@1@Z ; 
ObfCreateOpaqueBranches - -; 32 : ObfObfuscate(Obf, &NotTaken); - - 0013c 48 8d 95 a8 00 - 00 00 lea rdx, QWORD PTR NotTaken$11[rbp] - 00143 48 8b 8d d0 02 + 001b8 48 8b 85 60 04 + 00 00 mov rax, QWORD PTR Obf$[rbp] + 001bf 8b 40 0c mov eax, DWORD PTR [rax+12] + 001c2 83 e0 04 and eax, 4 + 001c5 85 c0 test eax, eax + 001c7 74 1e je SHORT $LN23@ObfObfusca + 001c9 ff 15 00 00 00 + 00 call QWORD PTR __imp_rand + 001cf 48 8b 8d 60 04 + 00 00 mov rcx, QWORD PTR Obf$[rbp] + 001d6 0f b6 49 0a movzx ecx, BYTE PTR [rcx+10] + 001da 99 cdq + 001db f7 f9 idiv ecx + 001dd 8b c2 mov eax, edx + 001df 89 85 24 04 00 + 00 mov DWORD PTR tv154[rbp], eax + 001e5 eb 11 jmp SHORT $LN24@ObfObfusca +$LN23@ObfObfusca: + 001e7 48 8b 85 60 04 + 00 00 mov rax, QWORD PTR Obf$[rbp] + 001ee 0f b6 40 0a movzx eax, BYTE PTR [rax+10] + 001f2 89 85 24 04 00 + 00 mov DWORD PTR tv154[rbp], eax +$LN24@ObfObfusca: + 001f8 33 d2 xor edx, edx + 001fa 8b 45 04 mov eax, DWORD PTR InstructionCount$[rbp] + 001fd f7 b5 24 04 00 + 00 div DWORD PTR tv154[rbp] + 00203 48 8b 8d 60 04 00 00 mov rcx, QWORD PTR Obf$[rbp] - 0014a e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate + 0020a 39 41 04 cmp DWORD PTR [rcx+4], eax + 0020d 76 12 jbe SHORT $LN27@ObfObfusca + 0020f 48 8b 85 60 04 + 00 00 mov rax, QWORD PTR Obf$[rbp] + 00216 8b 40 04 mov eax, DWORD PTR [rax+4] + 00219 89 85 28 04 00 + 00 mov DWORD PTR tv169[rbp], eax + 0021f eb 51 jmp SHORT $LN28@ObfObfusca +$LN27@ObfObfusca: + 00221 48 8b 85 60 04 + 00 00 mov rax, QWORD PTR Obf$[rbp] + 00228 8b 40 0c mov eax, DWORD PTR [rax+12] + 0022b 83 e0 04 and eax, 4 + 0022e 85 c0 test eax, eax + 00230 74 1e je SHORT $LN25@ObfObfusca + 00232 ff 15 00 00 00 + 00 call QWORD PTR __imp_rand + 00238 48 8b 8d 60 04 + 00 00 mov rcx, QWORD PTR Obf$[rbp] + 0023f 0f b6 49 0a movzx ecx, BYTE PTR [rcx+10] + 00243 99 cdq + 00244 f7 f9 idiv ecx + 00246 8b c2 mov eax, edx + 00248 89 85 2c 04 00 + 00 mov DWORD PTR tv167[rbp], eax + 0024e eb 11 
jmp SHORT $LN26@ObfObfusca +$LN25@ObfObfusca: + 00250 48 8b 85 60 04 + 00 00 mov rax, QWORD PTR Obf$[rbp] + 00257 0f b6 40 0a movzx eax, BYTE PTR [rax+10] + 0025b 89 85 2c 04 00 + 00 mov DWORD PTR tv167[rbp], eax +$LN26@ObfObfusca: + 00261 33 d2 xor edx, edx + 00263 8b 45 04 mov eax, DWORD PTR InstructionCount$[rbp] + 00266 f7 b5 2c 04 00 + 00 div DWORD PTR tv167[rbp] + 0026c 89 85 28 04 00 + 00 mov DWORD PTR tv169[rbp], eax +$LN28@ObfObfusca: + 00272 8b 85 28 04 00 + 00 mov eax, DWORD PTR tv169[rbp] + 00278 89 85 a4 00 00 + 00 mov DWORD PTR TargetCount$12[rbp], eax + +; 47 : ULONG CurrentCount = 0; + + 0027e c7 85 c4 00 00 + 00 00 00 00 00 mov DWORD PTR CurrentCount$13[rbp], 0 + +; 48 : PNATIVE_CODE_LINK NewBlockStart = Block->Start; + + 00288 48 8b 85 68 04 + 00 00 mov rax, QWORD PTR Block$[rbp] + 0028f 48 8b 00 mov rax, QWORD PTR [rax] + 00292 48 89 85 e8 00 + 00 00 mov QWORD PTR NewBlockStart$14[rbp], rax -; 33 : ObfObfuscate(Obf, &Taken); +; 49 : for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;) - 0014f 48 8d 95 f8 00 - 00 00 lea rdx, QWORD PTR Taken$12[rbp] - 00156 48 8b 8d d0 02 + 00299 48 8b 85 68 04 + 00 00 mov rax, QWORD PTR Block$[rbp] + 002a0 48 8b 00 mov rax, QWORD PTR [rax] + 002a3 48 89 85 08 01 + 00 00 mov QWORD PTR T$15[rbp], rax +$LN5@ObfObfusca: + 002aa 48 83 bd 08 01 + 00 00 00 cmp QWORD PTR T$15[rbp], 0 + 002b2 0f 84 70 02 00 + 00 je $LN6@ObfObfusca + 002b8 48 8b 85 68 04 + 00 00 mov rax, QWORD PTR Block$[rbp] + 002bf 48 8b 40 08 mov rax, QWORD PTR [rax+8] + 002c3 48 8b 00 mov rax, QWORD PTR [rax] + 002c6 48 39 85 08 01 + 00 00 cmp QWORD PTR T$15[rbp], rax + 002cd 0f 84 55 02 00 + 00 je $LN6@ObfObfusca + +; 50 : { +; 51 : if (T->Flags & CODE_FLAG_IS_LABEL) + + 002d3 48 8b 85 08 01 + 00 00 mov rax, QWORD PTR T$15[rbp] + 002da 8b 40 18 mov eax, DWORD PTR [rax+24] + 002dd 83 e0 01 and eax, 1 + 002e0 85 c0 test eax, eax + 002e2 74 13 je SHORT $LN15@ObfObfusca + +; 52 : { +; 53 : T = T->Next; + + 002e4 48 8b 85 08 01 + 00 00 mov 
rax, QWORD PTR T$15[rbp] + 002eb 48 8b 00 mov rax, QWORD PTR [rax] + 002ee 48 89 85 08 01 + 00 00 mov QWORD PTR T$15[rbp], rax + +; 54 : continue; + + 002f5 eb b3 jmp SHORT $LN5@ObfObfusca +$LN15@ObfObfusca: + +; 55 : } +; 56 : +; 57 : ++CurrentCount; + + 002f7 8b 85 c4 00 00 + 00 mov eax, DWORD PTR CurrentCount$13[rbp] + 002fd ff c0 inc eax + 002ff 89 85 c4 00 00 + 00 mov DWORD PTR CurrentCount$13[rbp], eax + +; 58 : +; 59 : if (T->Flags & CODE_FLAG_DO_NOT_DIVIDE) + + 00305 48 8b 85 08 01 + 00 00 mov rax, QWORD PTR T$15[rbp] + 0030c 8b 40 18 mov eax, DWORD PTR [rax+24] + 0030f 83 e0 08 and eax, 8 + 00312 85 c0 test eax, eax + 00314 74 13 je SHORT $LN16@ObfObfusca + +; 60 : { +; 61 : T = T->Next; + + 00316 48 8b 85 08 01 + 00 00 mov rax, QWORD PTR T$15[rbp] + 0031d 48 8b 00 mov rax, QWORD PTR [rax] + 00320 48 89 85 08 01 + 00 00 mov QWORD PTR T$15[rbp], rax + +; 62 : continue; + + 00327 eb 81 jmp SHORT $LN5@ObfObfusca +$LN16@ObfObfusca: + +; 63 : } +; 64 : +; 65 : if (CurrentCount == TargetCount) + + 00329 8b 85 a4 00 00 + 00 mov eax, DWORD PTR TargetCount$12[rbp] + 0032f 39 85 c4 00 00 + 00 cmp DWORD PTR CurrentCount$13[rbp], eax + 00335 0f 85 d7 01 00 + 00 jne $LN17@ObfObfusca + +; 66 : { +; 67 : if (Depth >= Obf->MinDepthForRandomOpaqueBranch && (rand() % 100) <= Obf->OpaqueBranchChance) + + 0033b 48 8b 85 60 04 + 00 00 mov rax, QWORD PTR Obf$[rbp] + 00342 8b 00 mov eax, DWORD PTR [rax] + 00344 39 85 70 04 00 + 00 cmp DWORD PTR Depth$[rbp], eax + 0034a 0f 82 2a 01 00 + 00 jb $LN18@ObfObfusca + 00350 ff 15 00 00 00 + 00 call QWORD PTR __imp_rand + 00356 99 cdq + 00357 b9 64 00 00 00 mov ecx, 100 ; 00000064H + 0035c f7 f9 idiv ecx + 0035e 8b c2 mov eax, edx + 00360 48 8b 8d 60 04 + 00 00 mov rcx, QWORD PTR Obf$[rbp] + 00367 0f b6 49 08 movzx ecx, BYTE PTR [rcx+8] + 0036b 3b c1 cmp eax, ecx + 0036d 0f 8f 07 01 00 + 00 jg $LN18@ObfObfusca + +; 68 : { +; 69 : NATIVE_CODE_BLOCK NotTaken, Taken; + + 00373 48 8d 8d 28 01 + 00 00 lea rcx, QWORD PTR NotTaken$16[rbp] + 
0037a e8 00 00 00 00 call ??0_NATIVE_CODE_BLOCK@@QEAA@XZ ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK + 0037f 90 npad 1 + 00380 48 8d 8d 78 01 + 00 00 lea rcx, QWORD PTR Taken$17[rbp] + 00387 e8 00 00 00 00 call ??0_NATIVE_CODE_BLOCK@@QEAA@XZ ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK + 0038c 90 npad 1 + +; 70 : ObfCreateOpaqueBranches(NewBlockStart, T, &NotTaken, &Taken); + + 0038d 4c 8d 8d 78 01 + 00 00 lea r9, QWORD PTR Taken$17[rbp] + 00394 4c 8d 85 28 01 + 00 00 lea r8, QWORD PTR NotTaken$16[rbp] + 0039b 48 8b 95 08 01 + 00 00 mov rdx, QWORD PTR T$15[rbp] + 003a2 48 8b 8d e8 00 + 00 00 mov rcx, QWORD PTR NewBlockStart$14[rbp] + 003a9 e8 00 00 00 00 call ?ObfCreateOpaqueBranches@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@1@Z ; ObfCreateOpaqueBranches + +; 71 : ObfObfuscate1(Obf, &NotTaken, Depth + 1); + + 003ae 8b 85 70 04 00 + 00 mov eax, DWORD PTR Depth$[rbp] + 003b4 ff c0 inc eax + 003b6 44 8b c0 mov r8d, eax + 003b9 48 8d 95 28 01 + 00 00 lea rdx, QWORD PTR NotTaken$16[rbp] + 003c0 48 8b 8d 60 04 + 00 00 mov rcx, QWORD PTR Obf$[rbp] + 003c7 e8 00 00 00 00 call ?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z ; ObfObfuscate1 + +; 72 : ObfObfuscate1(Obf, &Taken, Depth + 1); + + 003cc 8b 85 70 04 00 + 00 mov eax, DWORD PTR Depth$[rbp] + 003d2 ff c0 inc eax + 003d4 44 8b c0 mov r8d, eax + 003d7 48 8d 95 78 01 + 00 00 lea rdx, QWORD PTR Taken$17[rbp] + 003de 48 8b 8d 60 04 00 00 mov rcx, QWORD PTR Obf$[rbp] - 0015d e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate + 003e5 e8 00 00 00 00 call ?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z ; ObfObfuscate1 -; 34 : ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Obf->GlobalBlock), NcGenUnusedLabelId(Obf->GlobalBlock)); +; 73 : ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Obf->GlobalBlock), NcGenUnusedLabelId(Obf->GlobalBlock)); - 00162 48 8b 85 d0 02 + 003ea 48 8b 85 60 04 00 00 mov rax, QWORD PTR 
Obf$[rbp] - 00169 48 8b 48 08 mov rcx, QWORD PTR [rax+8] - 0016d e8 00 00 00 00 call ?NcGenUnusedLabelId@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z ; NcGenUnusedLabelId - 00172 89 85 94 02 00 - 00 mov DWORD PTR tv141[rbp], eax - 00178 48 8b 85 d0 02 + 003f1 48 8b 48 10 mov rcx, QWORD PTR [rax+16] + 003f5 e8 00 00 00 00 call ?NcGenUnusedLabelId@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z ; NcGenUnusedLabelId + 003fa 89 85 24 04 00 + 00 mov DWORD PTR tv225[rbp], eax + 00400 48 8b 85 60 04 00 00 mov rax, QWORD PTR Obf$[rbp] - 0017f 48 8b 48 08 mov rcx, QWORD PTR [rax+8] - 00183 e8 00 00 00 00 call ?NcGenUnusedLabelId@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z ; NcGenUnusedLabelId - 00188 89 85 98 02 00 - 00 mov DWORD PTR tv139[rbp], eax - 0018e 44 8b 8d 94 02 - 00 00 mov r9d, DWORD PTR tv141[rbp] - 00195 44 8b 85 98 02 - 00 00 mov r8d, DWORD PTR tv139[rbp] - 0019c 48 8d 95 f8 00 - 00 00 lea rdx, QWORD PTR Taken$12[rbp] - 001a3 48 8d 8d a8 00 - 00 00 lea rcx, QWORD PTR NotTaken$11[rbp] - 001aa e8 00 00 00 00 call ?ObfCombineOpaqueBranches@@YAHPEAU_NATIVE_CODE_BLOCK@@0KK@Z ; ObfCombineOpaqueBranches - -; 35 : ObfInsertOpaqueBranchBlock(NewBlockStart, T, &NotTaken); - - 001af 4c 8d 85 a8 00 - 00 00 lea r8, QWORD PTR NotTaken$11[rbp] - 001b6 48 8b 95 88 00 - 00 00 mov rdx, QWORD PTR T$10[rbp] - 001bd 48 8b 4d 68 mov rcx, QWORD PTR NewBlockStart$9[rbp] - 001c1 e8 00 00 00 00 call ?ObfInsertOpaqueBranchBlock@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfInsertOpaqueBranchBlock - -; 36 : T = NotTaken.End; - - 001c6 48 8b 85 b0 00 - 00 00 mov rax, QWORD PTR NotTaken$11[rbp+8] - 001cd 48 89 85 88 00 - 00 00 mov QWORD PTR T$10[rbp], rax - -; 37 : NewBlockStart = T->Next; - - 001d4 48 8b 85 88 00 - 00 00 mov rax, QWORD PTR T$10[rbp] - 001db 48 8b 00 mov rax, QWORD PTR [rax] - 001de 48 89 45 68 mov QWORD PTR NewBlockStart$9[rbp], rax - -; 38 : CurrentCount = 0; - - 001e2 c7 45 44 00 00 - 00 00 mov DWORD PTR CurrentCount$8[rbp], 0 + 00407 48 8b 48 10 mov rcx, QWORD PTR [rax+16] + 0040b e8 00 00 00 00 
call ?NcGenUnusedLabelId@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z ; NcGenUnusedLabelId + 00410 89 85 28 04 00 + 00 mov DWORD PTR tv223[rbp], eax + 00416 44 8b 8d 24 04 + 00 00 mov r9d, DWORD PTR tv225[rbp] + 0041d 44 8b 85 28 04 + 00 00 mov r8d, DWORD PTR tv223[rbp] + 00424 48 8d 95 78 01 + 00 00 lea rdx, QWORD PTR Taken$17[rbp] + 0042b 48 8d 8d 28 01 + 00 00 lea rcx, QWORD PTR NotTaken$16[rbp] + 00432 e8 00 00 00 00 call ?ObfCombineOpaqueBranches@@YAHPEAU_NATIVE_CODE_BLOCK@@0KK@Z ; ObfCombineOpaqueBranches + +; 74 : ObfInsertOpaqueBranchBlock(NewBlockStart, T, &NotTaken); + + 00437 4c 8d 85 28 01 + 00 00 lea r8, QWORD PTR NotTaken$16[rbp] + 0043e 48 8b 95 08 01 + 00 00 mov rdx, QWORD PTR T$15[rbp] + 00445 48 8b 8d e8 00 + 00 00 mov rcx, QWORD PTR NewBlockStart$14[rbp] + 0044c e8 00 00 00 00 call ?ObfInsertOpaqueBranchBlock@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfInsertOpaqueBranchBlock + +; 75 : T = NotTaken.End; + + 00451 48 8b 85 30 01 + 00 00 mov rax, QWORD PTR NotTaken$16[rbp+8] + 00458 48 89 85 08 01 + 00 00 mov QWORD PTR T$15[rbp], rax + +; 76 : } + + 0045f 48 8d 8d 78 01 + 00 00 lea rcx, QWORD PTR Taken$17[rbp] + 00466 e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ + 0046b 90 npad 1 + 0046c 48 8d 8d 28 01 + 00 00 lea rcx, QWORD PTR NotTaken$16[rbp] + 00473 e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ + 00478 eb 7d jmp SHORT $LN19@ObfObfusca +$LN18@ObfObfusca: + +; 77 : else +; 78 : { +; 79 : NATIVE_CODE_BLOCK TempBlock; + + 0047a 48 8d 8d c8 01 + 00 00 lea rcx, QWORD PTR TempBlock$18[rbp] + 00481 e8 00 00 00 00 call ??0_NATIVE_CODE_BLOCK@@QEAA@XZ ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK + 00486 90 npad 1 + +; 80 : if (NcDeepCopyPartialBlock(NewBlockStart, T, &TempBlock)) + + 00487 4c 8d 85 c8 01 + 00 00 lea r8, QWORD PTR TempBlock$18[rbp] + 0048e 48 8b 95 08 01 + 00 00 mov rdx, QWORD PTR T$15[rbp] + 00495 48 8b 8d e8 00 + 00 00 mov rcx, QWORD PTR NewBlockStart$14[rbp] + 0049c e8 00 00 00 00 call 
?NcDeepCopyPartialBlock@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@@Z ; NcDeepCopyPartialBlock + 004a1 85 c0 test eax, eax + 004a3 74 38 je SHORT $LN20@ObfObfusca + +; 81 : { +; 82 : ObfObfuscate1(Obf, &TempBlock, Depth + 1); + + 004a5 8b 85 70 04 00 + 00 mov eax, DWORD PTR Depth$[rbp] + 004ab ff c0 inc eax + 004ad 44 8b c0 mov r8d, eax + 004b0 48 8d 95 c8 01 + 00 00 lea rdx, QWORD PTR TempBlock$18[rbp] + 004b7 48 8b 8d 60 04 + 00 00 mov rcx, QWORD PTR Obf$[rbp] + 004be e8 00 00 00 00 call ?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z ; ObfObfuscate1 -; 39 : } +; 83 : ObfInsertOpaqueBranchBlock(NewBlockStart, T, &TempBlock); - 001e9 48 8d 8d f8 00 - 00 00 lea rcx, QWORD PTR Taken$12[rbp] - 001f0 e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ - 001f5 90 npad 1 - 001f6 48 8d 8d a8 00 - 00 00 lea rcx, QWORD PTR NotTaken$11[rbp] - 001fd e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ -$LN8@ObfObfusca: + 004c3 4c 8d 85 c8 01 + 00 00 lea r8, QWORD PTR TempBlock$18[rbp] + 004ca 48 8b 95 08 01 + 00 00 mov rdx, QWORD PTR T$15[rbp] + 004d1 48 8b 8d e8 00 + 00 00 mov rcx, QWORD PTR NewBlockStart$14[rbp] + 004d8 e8 00 00 00 00 call ?ObfInsertOpaqueBranchBlock@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfInsertOpaqueBranchBlock +$LN20@ObfObfusca: -; 40 : T = T->Next; +; 84 : } +; 85 : T = TempBlock.End; - 00202 48 8b 85 88 00 - 00 00 mov rax, QWORD PTR T$10[rbp] - 00209 48 8b 00 mov rax, QWORD PTR [rax] - 0020c 48 89 85 88 00 - 00 00 mov QWORD PTR T$10[rbp], rax + 004dd 48 8b 85 d0 01 + 00 00 mov rax, QWORD PTR TempBlock$18[rbp+8] + 004e4 48 89 85 08 01 + 00 00 mov QWORD PTR T$15[rbp], rax -; 41 : } +; 86 : } - 00213 e9 8b fe ff ff jmp $LN2@ObfObfusca -$LN3@ObfObfusca: + 004eb 48 8d 8d c8 01 + 00 00 lea rcx, QWORD PTR TempBlock$18[rbp] + 004f2 e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ +$LN19@ObfObfusca: -; 42 : if (NewBlockStart) +; 87 : NewBlockStart = T->Next; - 00218 48 83 7d 68 00 cmp QWORD PTR NewBlockStart$9[rbp], 
0 - 0021d 0f 84 e4 00 00 - 00 je $LN6@ObfObfusca + 004f7 48 8b 85 08 01 + 00 00 mov rax, QWORD PTR T$15[rbp] + 004fe 48 8b 00 mov rax, QWORD PTR [rax] + 00501 48 89 85 e8 00 + 00 00 mov QWORD PTR NewBlockStart$14[rbp], rax -; 43 : { -; 44 : NATIVE_CODE_BLOCK NotTaken, Taken; - - 00223 48 8d 8d 48 01 - 00 00 lea rcx, QWORD PTR NotTaken$13[rbp] - 0022a e8 00 00 00 00 call ??0_NATIVE_CODE_BLOCK@@QEAA@XZ ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK - 0022f 90 npad 1 - 00230 48 8d 8d 98 01 - 00 00 lea rcx, QWORD PTR Taken$14[rbp] - 00237 e8 00 00 00 00 call ??0_NATIVE_CODE_BLOCK@@QEAA@XZ ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK - 0023c 90 npad 1 - -; 45 : ObfCreateOpaqueBranches(NewBlockStart, Block->End, &NotTaken, &Taken); - - 0023d 4c 8d 8d 98 01 - 00 00 lea r9, QWORD PTR Taken$14[rbp] - 00244 4c 8d 85 48 01 - 00 00 lea r8, QWORD PTR NotTaken$13[rbp] - 0024b 48 8b 85 d8 02 - 00 00 mov rax, QWORD PTR Block$[rbp] - 00252 48 8b 50 08 mov rdx, QWORD PTR [rax+8] - 00256 48 8b 4d 68 mov rcx, QWORD PTR NewBlockStart$9[rbp] - 0025a e8 00 00 00 00 call ?ObfCreateOpaqueBranches@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@1@Z ; ObfCreateOpaqueBranches +; 88 : CurrentCount = 0; + + 00508 c7 85 c4 00 00 + 00 00 00 00 00 mov DWORD PTR CurrentCount$13[rbp], 0 +$LN17@ObfObfusca: + +; 89 : } +; 90 : T = T->Next; + + 00512 48 8b 85 08 01 + 00 00 mov rax, QWORD PTR T$15[rbp] + 00519 48 8b 00 mov rax, QWORD PTR [rax] + 0051c 48 89 85 08 01 + 00 00 mov QWORD PTR T$15[rbp], rax + +; 91 : } + + 00523 e9 82 fd ff ff jmp $LN5@ObfObfusca +$LN6@ObfObfusca: -; 46 : ObfObfuscate(Obf, &NotTaken); +; 92 : if (NewBlockStart) - 0025f 48 8d 95 48 01 - 00 00 lea rdx, QWORD PTR NotTaken$13[rbp] - 00266 48 8b 8d d0 02 + 00528 48 83 bd e8 00 + 00 00 00 cmp QWORD PTR NewBlockStart$14[rbp], 0 + 00530 0f 84 00 01 00 + 00 je $LN9@ObfObfusca + +; 93 : { +; 94 : NATIVE_CODE_BLOCK NotTaken, Taken; + + 00536 48 8d 8d 18 02 + 00 00 lea rcx, QWORD PTR NotTaken$19[rbp] + 0053d e8 00 00 00 00 call 
??0_NATIVE_CODE_BLOCK@@QEAA@XZ ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK + 00542 90 npad 1 + 00543 48 8d 8d 68 02 + 00 00 lea rcx, QWORD PTR Taken$20[rbp] + 0054a e8 00 00 00 00 call ??0_NATIVE_CODE_BLOCK@@QEAA@XZ ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK + 0054f 90 npad 1 + +; 95 : ObfCreateOpaqueBranches(NewBlockStart, Block->End, &NotTaken, &Taken); + + 00550 4c 8d 8d 68 02 + 00 00 lea r9, QWORD PTR Taken$20[rbp] + 00557 4c 8d 85 18 02 + 00 00 lea r8, QWORD PTR NotTaken$19[rbp] + 0055e 48 8b 85 68 04 + 00 00 mov rax, QWORD PTR Block$[rbp] + 00565 48 8b 50 08 mov rdx, QWORD PTR [rax+8] + 00569 48 8b 8d e8 00 + 00 00 mov rcx, QWORD PTR NewBlockStart$14[rbp] + 00570 e8 00 00 00 00 call ?ObfCreateOpaqueBranches@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@1@Z ; ObfCreateOpaqueBranches + +; 96 : ObfObfuscate1(Obf, &NotTaken, Depth + 1); + + 00575 8b 85 70 04 00 + 00 mov eax, DWORD PTR Depth$[rbp] + 0057b ff c0 inc eax + 0057d 44 8b c0 mov r8d, eax + 00580 48 8d 95 18 02 + 00 00 lea rdx, QWORD PTR NotTaken$19[rbp] + 00587 48 8b 8d 60 04 00 00 mov rcx, QWORD PTR Obf$[rbp] - 0026d e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate + 0058e e8 00 00 00 00 call ?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z ; ObfObfuscate1 -; 47 : ObfObfuscate(Obf, &Taken); +; 97 : ObfObfuscate1(Obf, &Taken, Depth + 1); - 00272 48 8d 95 98 01 - 00 00 lea rdx, QWORD PTR Taken$14[rbp] - 00279 48 8b 8d d0 02 + 00593 8b 85 70 04 00 + 00 mov eax, DWORD PTR Depth$[rbp] + 00599 ff c0 inc eax + 0059b 44 8b c0 mov r8d, eax + 0059e 48 8d 95 68 02 + 00 00 lea rdx, QWORD PTR Taken$20[rbp] + 005a5 48 8b 8d 60 04 00 00 mov rcx, QWORD PTR Obf$[rbp] - 00280 e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate + 005ac e8 00 00 00 00 call ?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z ; ObfObfuscate1 -; 48 : ObfCombineOpaqueBranches(&NotTaken, &Taken, 
NcGenUnusedLabelId(Obf->GlobalBlock), NcGenUnusedLabelId(Obf->GlobalBlock)); +; 98 : ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Obf->GlobalBlock), NcGenUnusedLabelId(Obf->GlobalBlock)); - 00285 48 8b 85 d0 02 + 005b1 48 8b 85 60 04 00 00 mov rax, QWORD PTR Obf$[rbp] - 0028c 48 8b 48 08 mov rcx, QWORD PTR [rax+8] - 00290 e8 00 00 00 00 call ?NcGenUnusedLabelId@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z ; NcGenUnusedLabelId - 00295 89 85 94 02 00 - 00 mov DWORD PTR tv176[rbp], eax - 0029b 48 8b 85 d0 02 + 005b8 48 8b 48 10 mov rcx, QWORD PTR [rax+16] + 005bc e8 00 00 00 00 call ?NcGenUnusedLabelId@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z ; NcGenUnusedLabelId + 005c1 89 85 24 04 00 + 00 mov DWORD PTR tv279[rbp], eax + 005c7 48 8b 85 60 04 00 00 mov rax, QWORD PTR Obf$[rbp] - 002a2 48 8b 48 08 mov rcx, QWORD PTR [rax+8] - 002a6 e8 00 00 00 00 call ?NcGenUnusedLabelId@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z ; NcGenUnusedLabelId - 002ab 89 85 98 02 00 - 00 mov DWORD PTR tv174[rbp], eax - 002b1 44 8b 8d 94 02 - 00 00 mov r9d, DWORD PTR tv176[rbp] - 002b8 44 8b 85 98 02 - 00 00 mov r8d, DWORD PTR tv174[rbp] - 002bf 48 8d 95 98 01 - 00 00 lea rdx, QWORD PTR Taken$14[rbp] - 002c6 48 8d 8d 48 01 - 00 00 lea rcx, QWORD PTR NotTaken$13[rbp] - 002cd e8 00 00 00 00 call ?ObfCombineOpaqueBranches@@YAHPEAU_NATIVE_CODE_BLOCK@@0KK@Z ; ObfCombineOpaqueBranches - -; 49 : ObfInsertOpaqueBranchBlock(NewBlockStart, Block->End, &NotTaken); - - 002d2 4c 8d 85 48 01 - 00 00 lea r8, QWORD PTR NotTaken$13[rbp] - 002d9 48 8b 85 d8 02 + 005ce 48 8b 48 10 mov rcx, QWORD PTR [rax+16] + 005d2 e8 00 00 00 00 call ?NcGenUnusedLabelId@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z ; NcGenUnusedLabelId + 005d7 89 85 28 04 00 + 00 mov DWORD PTR tv277[rbp], eax + 005dd 44 8b 8d 24 04 + 00 00 mov r9d, DWORD PTR tv279[rbp] + 005e4 44 8b 85 28 04 + 00 00 mov r8d, DWORD PTR tv277[rbp] + 005eb 48 8d 95 68 02 + 00 00 lea rdx, QWORD PTR Taken$20[rbp] + 005f2 48 8d 8d 18 02 + 00 00 lea rcx, QWORD PTR NotTaken$19[rbp] + 005f9 e8 00 00 00 
00 call ?ObfCombineOpaqueBranches@@YAHPEAU_NATIVE_CODE_BLOCK@@0KK@Z ; ObfCombineOpaqueBranches + +; 99 : ObfInsertOpaqueBranchBlock(NewBlockStart, Block->End, &NotTaken); + + 005fe 4c 8d 85 18 02 + 00 00 lea r8, QWORD PTR NotTaken$19[rbp] + 00605 48 8b 85 68 04 00 00 mov rax, QWORD PTR Block$[rbp] - 002e0 48 8b 50 08 mov rdx, QWORD PTR [rax+8] - 002e4 48 8b 4d 68 mov rcx, QWORD PTR NewBlockStart$9[rbp] - 002e8 e8 00 00 00 00 call ?ObfInsertOpaqueBranchBlock@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfInsertOpaqueBranchBlock - 002ed 90 npad 1 - -; 50 : } - - 002ee 48 8d 8d 98 01 - 00 00 lea rcx, QWORD PTR Taken$14[rbp] - 002f5 e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ - 002fa 90 npad 1 - 002fb 48 8d 8d 48 01 - 00 00 lea rcx, QWORD PTR NotTaken$13[rbp] - 00302 e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ -$LN6@ObfObfusca: - -; 51 : } -; 52 : -; 53 : } - - 00307 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] - 0030b 48 8d 15 00 00 - 00 00 lea rdx, OFFSET FLAT:?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z$rtcFrameData - 00312 e8 00 00 00 00 call _RTC_CheckStackVars - 00317 48 8b 8d a0 02 + 0060c 48 8b 50 08 mov rdx, QWORD PTR [rax+8] + 00610 48 8b 8d e8 00 + 00 00 mov rcx, QWORD PTR NewBlockStart$14[rbp] + 00617 e8 00 00 00 00 call ?ObfInsertOpaqueBranchBlock@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfInsertOpaqueBranchBlock + 0061c 90 npad 1 + +; 100 : } + + 0061d 48 8d 8d 68 02 + 00 00 lea rcx, QWORD PTR Taken$20[rbp] + 00624 e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ + 00629 90 npad 1 + 0062a 48 8d 8d 18 02 + 00 00 lea rcx, QWORD PTR NotTaken$19[rbp] + 00631 e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ +$LN9@ObfObfusca: + +; 101 : } +; 102 : +; 103 : +; 104 : +; 105 : +; 106 : +; 107 : } + + 00636 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] + 0063a 48 8d 15 00 00 + 00 00 lea rdx, OFFSET FLAT:?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z$rtcFrameData + 00641 e8 00 00 00 00 call 
_RTC_CheckStackVars + 00646 48 8b 8d 30 04 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] - 0031e 48 33 cd xor rcx, rbp - 00321 e8 00 00 00 00 call __security_check_cookie - 00326 48 8d a5 b8 02 - 00 00 lea rsp, QWORD PTR [rbp+696] - 0032d 5f pop rdi - 0032e 5d pop rbp - 0032f c3 ret 0 -?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ENDP ; ObfObfuscate + 0064d 48 33 cd xor rcx, rbp + 00650 e8 00 00 00 00 call __security_check_cookie + 00655 48 8d a5 48 04 + 00 00 lea rsp, QWORD PTR [rbp+1096] + 0065c 5f pop rdi + 0065d 5d pop rbp + 0065e c3 ret 0 +?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z ENDP ; ObfObfuscate1 _TEXT ENDS ; COMDAT text$x text$x SEGMENT InstructionCount$ = 4 -TargetCount$7 = 36 -CurrentCount$8 = 68 -NewBlockStart$9 = 104 -T$10 = 136 -NotTaken$11 = 168 -Taken$12 = 248 -NotTaken$13 = 328 -Taken$14 = 408 -tv176 = 660 -tv141 = 660 -tv174 = 664 -tv139 = 664 -__$ArrayPad$ = 672 -Obf$ = 720 -Block$ = 728 -?dtor$0@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA PROC ; `ObfObfuscate'::`1'::dtor$0 +T$8 = 40 +RealNext$9 = 72 +PreOp$10 = 104 +PostOp$11 = 136 +TargetCount$12 = 164 +CurrentCount$13 = 196 +NewBlockStart$14 = 232 +T$15 = 264 +NotTaken$16 = 296 +Taken$17 = 376 +TempBlock$18 = 456 +NotTaken$19 = 536 +Taken$20 = 616 +tv279 = 1060 +tv225 = 1060 +tv154 = 1060 +tv277 = 1064 +tv223 = 1064 +tv169 = 1064 +tv167 = 1068 +__$ArrayPad$ = 1072 +Obf$ = 1120 +Block$ = 1128 +Depth$ = 1136 +?dtor$0@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA PROC ; `ObfObfuscate1'::`1'::dtor$0 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx 0000a 55 push rbp 0000b 57 push rdi 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] - 00014 48 8d 8d a8 00 - 00 00 lea rcx, QWORD PTR NotTaken$11[rbp] + 00014 48 8d 8d 28 01 + 00 00 lea rcx, QWORD PTR NotTaken$16[rbp] 0001b e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ 00020 
48 83 c4 28 add rsp, 40 ; 00000028H 00024 5f pop rdi 00025 5d pop rbp 00026 c3 ret 0 -?dtor$0@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA ENDP ; `ObfObfuscate'::`1'::dtor$0 +?dtor$0@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA ENDP ; `ObfObfuscate1'::`1'::dtor$0 text$x ENDS ; COMDAT text$x text$x SEGMENT InstructionCount$ = 4 -TargetCount$7 = 36 -CurrentCount$8 = 68 -NewBlockStart$9 = 104 -T$10 = 136 -NotTaken$11 = 168 -Taken$12 = 248 -NotTaken$13 = 328 -Taken$14 = 408 -tv176 = 660 -tv141 = 660 -tv174 = 664 -tv139 = 664 -__$ArrayPad$ = 672 -Obf$ = 720 -Block$ = 728 -?dtor$1@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA PROC ; `ObfObfuscate'::`1'::dtor$1 +T$8 = 40 +RealNext$9 = 72 +PreOp$10 = 104 +PostOp$11 = 136 +TargetCount$12 = 164 +CurrentCount$13 = 196 +NewBlockStart$14 = 232 +T$15 = 264 +NotTaken$16 = 296 +Taken$17 = 376 +TempBlock$18 = 456 +NotTaken$19 = 536 +Taken$20 = 616 +tv279 = 1060 +tv225 = 1060 +tv154 = 1060 +tv277 = 1064 +tv223 = 1064 +tv169 = 1064 +tv167 = 1068 +__$ArrayPad$ = 1072 +Obf$ = 1120 +Block$ = 1128 +Depth$ = 1136 +?dtor$1@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA PROC ; `ObfObfuscate1'::`1'::dtor$1 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx 0000a 55 push rbp 0000b 57 push rdi 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] - 00014 48 8d 8d f8 00 - 00 00 lea rcx, QWORD PTR Taken$12[rbp] + 00014 48 8d 8d 78 01 + 00 00 lea rcx, QWORD PTR Taken$17[rbp] 0001b e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ 00020 48 83 c4 28 add rsp, 40 ; 00000028H 00024 5f pop rdi 00025 5d pop rbp 00026 c3 ret 0 -?dtor$1@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA ENDP ; `ObfObfuscate'::`1'::dtor$1 +?dtor$1@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA ENDP ; `ObfObfuscate1'::`1'::dtor$1 text$x ENDS ; COMDAT text$x 
text$x SEGMENT InstructionCount$ = 4 -TargetCount$7 = 36 -CurrentCount$8 = 68 -NewBlockStart$9 = 104 -T$10 = 136 -NotTaken$11 = 168 -Taken$12 = 248 -NotTaken$13 = 328 -Taken$14 = 408 -tv176 = 660 -tv141 = 660 -tv174 = 664 -tv139 = 664 -__$ArrayPad$ = 672 -Obf$ = 720 -Block$ = 728 -?dtor$2@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA PROC ; `ObfObfuscate'::`1'::dtor$2 +T$8 = 40 +RealNext$9 = 72 +PreOp$10 = 104 +PostOp$11 = 136 +TargetCount$12 = 164 +CurrentCount$13 = 196 +NewBlockStart$14 = 232 +T$15 = 264 +NotTaken$16 = 296 +Taken$17 = 376 +TempBlock$18 = 456 +NotTaken$19 = 536 +Taken$20 = 616 +tv279 = 1060 +tv225 = 1060 +tv154 = 1060 +tv277 = 1064 +tv223 = 1064 +tv169 = 1064 +tv167 = 1068 +__$ArrayPad$ = 1072 +Obf$ = 1120 +Block$ = 1128 +Depth$ = 1136 +?dtor$2@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA PROC ; `ObfObfuscate1'::`1'::dtor$2 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx 0000a 55 push rbp 0000b 57 push rdi 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] - 00014 48 8d 8d 48 01 - 00 00 lea rcx, QWORD PTR NotTaken$13[rbp] + 00014 48 8d 8d c8 01 + 00 00 lea rcx, QWORD PTR TempBlock$18[rbp] 0001b e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ 00020 48 83 c4 28 add rsp, 40 ; 00000028H 00024 5f pop rdi 00025 5d pop rbp 00026 c3 ret 0 -?dtor$2@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA ENDP ; `ObfObfuscate'::`1'::dtor$2 +?dtor$2@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA ENDP ; `ObfObfuscate1'::`1'::dtor$2 text$x ENDS ; COMDAT text$x text$x SEGMENT InstructionCount$ = 4 -TargetCount$7 = 36 -CurrentCount$8 = 68 -NewBlockStart$9 = 104 -T$10 = 136 -NotTaken$11 = 168 -Taken$12 = 248 -NotTaken$13 = 328 -Taken$14 = 408 -tv176 = 660 -tv141 = 660 -tv174 = 664 -tv139 = 664 -__$ArrayPad$ = 672 -Obf$ = 720 -Block$ = 728 
-?dtor$3@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA PROC ; `ObfObfuscate'::`1'::dtor$3 +T$8 = 40 +RealNext$9 = 72 +PreOp$10 = 104 +PostOp$11 = 136 +TargetCount$12 = 164 +CurrentCount$13 = 196 +NewBlockStart$14 = 232 +T$15 = 264 +NotTaken$16 = 296 +Taken$17 = 376 +TempBlock$18 = 456 +NotTaken$19 = 536 +Taken$20 = 616 +tv279 = 1060 +tv225 = 1060 +tv154 = 1060 +tv277 = 1064 +tv223 = 1064 +tv169 = 1064 +tv167 = 1068 +__$ArrayPad$ = 1072 +Obf$ = 1120 +Block$ = 1128 +Depth$ = 1136 +?dtor$3@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA PROC ; `ObfObfuscate1'::`1'::dtor$3 + 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx + 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx + 0000a 55 push rbp + 0000b 57 push rdi + 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H + 00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] + 00014 48 8d 8d 18 02 + 00 00 lea rcx, QWORD PTR NotTaken$19[rbp] + 0001b e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ + 00020 48 83 c4 28 add rsp, 40 ; 00000028H + 00024 5f pop rdi + 00025 5d pop rbp + 00026 c3 ret 0 +?dtor$3@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA ENDP ; `ObfObfuscate1'::`1'::dtor$3 +text$x ENDS +; COMDAT text$x +text$x SEGMENT +InstructionCount$ = 4 +T$8 = 40 +RealNext$9 = 72 +PreOp$10 = 104 +PostOp$11 = 136 +TargetCount$12 = 164 +CurrentCount$13 = 196 +NewBlockStart$14 = 232 +T$15 = 264 +NotTaken$16 = 296 +Taken$17 = 376 +TempBlock$18 = 456 +NotTaken$19 = 536 +Taken$20 = 616 +tv279 = 1060 +tv225 = 1060 +tv154 = 1060 +tv277 = 1064 +tv223 = 1064 +tv169 = 1064 +tv167 = 1068 +__$ArrayPad$ = 1072 +Obf$ = 1120 +Block$ = 1128 +Depth$ = 1136 +?dtor$4@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA PROC ; `ObfObfuscate1'::`1'::dtor$4 + 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx + 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx + 0000a 55 push rbp + 0000b 57 push rdi + 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H + 00010 48 8d 6a 20 lea rbp, QWORD PTR 
[rdx+32] + 00014 48 8d 8d 68 02 + 00 00 lea rcx, QWORD PTR Taken$20[rbp] + 0001b e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ + 00020 48 83 c4 28 add rsp, 40 ; 00000028H + 00024 5f pop rdi + 00025 5d pop rbp + 00026 c3 ret 0 +?dtor$4@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA ENDP ; `ObfObfuscate1'::`1'::dtor$4 +text$x ENDS +; Function compile flags: /Odtp /RTCsu /ZI +; COMDAT text$x +text$x SEGMENT +InstructionCount$ = 4 +T$8 = 40 +RealNext$9 = 72 +PreOp$10 = 104 +PostOp$11 = 136 +TargetCount$12 = 164 +CurrentCount$13 = 196 +NewBlockStart$14 = 232 +T$15 = 264 +NotTaken$16 = 296 +Taken$17 = 376 +TempBlock$18 = 456 +NotTaken$19 = 536 +Taken$20 = 616 +tv279 = 1060 +tv225 = 1060 +tv154 = 1060 +tv277 = 1064 +tv223 = 1064 +tv169 = 1064 +tv167 = 1068 +__$ArrayPad$ = 1072 +Obf$ = 1120 +Block$ = 1128 +Depth$ = 1136 +?dtor$0@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA PROC ; `ObfObfuscate1'::`1'::dtor$0 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx 0000a 55 push rbp 0000b 57 push rdi 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] - 00014 48 8d 8d 98 01 - 00 00 lea rcx, QWORD PTR Taken$14[rbp] + 00014 48 8d 8d 28 01 + 00 00 lea rcx, QWORD PTR NotTaken$16[rbp] 0001b e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ 00020 48 83 c4 28 add rsp, 40 ; 00000028H 00024 5f pop rdi 00025 5d pop rbp 00026 c3 ret 0 -?dtor$3@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA ENDP ; `ObfObfuscate'::`1'::dtor$3 +?dtor$0@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA ENDP ; `ObfObfuscate1'::`1'::dtor$0 text$x ENDS ; Function compile flags: /Odtp /RTCsu /ZI ; COMDAT text$x text$x SEGMENT InstructionCount$ = 4 -TargetCount$7 = 36 -CurrentCount$8 = 68 -NewBlockStart$9 = 104 -T$10 = 136 -NotTaken$11 = 168 -Taken$12 = 248 -NotTaken$13 = 328 -Taken$14 = 408 -tv176 = 660 -tv141 = 660 -tv174 = 664 -tv139 = 
664 -__$ArrayPad$ = 672 -Obf$ = 720 -Block$ = 728 -?dtor$0@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA PROC ; `ObfObfuscate'::`1'::dtor$0 +T$8 = 40 +RealNext$9 = 72 +PreOp$10 = 104 +PostOp$11 = 136 +TargetCount$12 = 164 +CurrentCount$13 = 196 +NewBlockStart$14 = 232 +T$15 = 264 +NotTaken$16 = 296 +Taken$17 = 376 +TempBlock$18 = 456 +NotTaken$19 = 536 +Taken$20 = 616 +tv279 = 1060 +tv225 = 1060 +tv154 = 1060 +tv277 = 1064 +tv223 = 1064 +tv169 = 1064 +tv167 = 1068 +__$ArrayPad$ = 1072 +Obf$ = 1120 +Block$ = 1128 +Depth$ = 1136 +?dtor$1@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA PROC ; `ObfObfuscate1'::`1'::dtor$1 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx 0000a 55 push rbp 0000b 57 push rdi 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] - 00014 48 8d 8d a8 00 - 00 00 lea rcx, QWORD PTR NotTaken$11[rbp] + 00014 48 8d 8d 78 01 + 00 00 lea rcx, QWORD PTR Taken$17[rbp] 0001b e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ 00020 48 83 c4 28 add rsp, 40 ; 00000028H 00024 5f pop rdi 00025 5d pop rbp 00026 c3 ret 0 -?dtor$0@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA ENDP ; `ObfObfuscate'::`1'::dtor$0 +?dtor$1@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA ENDP ; `ObfObfuscate1'::`1'::dtor$1 text$x ENDS ; Function compile flags: /Odtp /RTCsu /ZI ; COMDAT text$x text$x SEGMENT InstructionCount$ = 4 -TargetCount$7 = 36 -CurrentCount$8 = 68 -NewBlockStart$9 = 104 -T$10 = 136 -NotTaken$11 = 168 -Taken$12 = 248 -NotTaken$13 = 328 -Taken$14 = 408 -tv176 = 660 -tv141 = 660 -tv174 = 664 -tv139 = 664 -__$ArrayPad$ = 672 -Obf$ = 720 -Block$ = 728 -?dtor$1@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA PROC ; `ObfObfuscate'::`1'::dtor$1 +T$8 = 40 +RealNext$9 = 72 +PreOp$10 = 104 +PostOp$11 = 136 +TargetCount$12 = 164 +CurrentCount$13 = 196 +NewBlockStart$14 = 232 
+T$15 = 264 +NotTaken$16 = 296 +Taken$17 = 376 +TempBlock$18 = 456 +NotTaken$19 = 536 +Taken$20 = 616 +tv279 = 1060 +tv225 = 1060 +tv154 = 1060 +tv277 = 1064 +tv223 = 1064 +tv169 = 1064 +tv167 = 1068 +__$ArrayPad$ = 1072 +Obf$ = 1120 +Block$ = 1128 +Depth$ = 1136 +?dtor$2@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA PROC ; `ObfObfuscate1'::`1'::dtor$2 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx 0000a 55 push rbp 0000b 57 push rdi 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] - 00014 48 8d 8d f8 00 - 00 00 lea rcx, QWORD PTR Taken$12[rbp] + 00014 48 8d 8d c8 01 + 00 00 lea rcx, QWORD PTR TempBlock$18[rbp] 0001b e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ 00020 48 83 c4 28 add rsp, 40 ; 00000028H 00024 5f pop rdi 00025 5d pop rbp 00026 c3 ret 0 -?dtor$1@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA ENDP ; `ObfObfuscate'::`1'::dtor$1 +?dtor$2@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA ENDP ; `ObfObfuscate1'::`1'::dtor$2 text$x ENDS ; Function compile flags: /Odtp /RTCsu /ZI ; COMDAT text$x text$x SEGMENT InstructionCount$ = 4 -TargetCount$7 = 36 -CurrentCount$8 = 68 -NewBlockStart$9 = 104 -T$10 = 136 -NotTaken$11 = 168 -Taken$12 = 248 -NotTaken$13 = 328 -Taken$14 = 408 -tv176 = 660 -tv141 = 660 -tv174 = 664 -tv139 = 664 -__$ArrayPad$ = 672 -Obf$ = 720 -Block$ = 728 -?dtor$2@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA PROC ; `ObfObfuscate'::`1'::dtor$2 +T$8 = 40 +RealNext$9 = 72 +PreOp$10 = 104 +PostOp$11 = 136 +TargetCount$12 = 164 +CurrentCount$13 = 196 +NewBlockStart$14 = 232 +T$15 = 264 +NotTaken$16 = 296 +Taken$17 = 376 +TempBlock$18 = 456 +NotTaken$19 = 536 +Taken$20 = 616 +tv279 = 1060 +tv225 = 1060 +tv154 = 1060 +tv277 = 1064 +tv223 = 1064 +tv169 = 1064 +tv167 = 1068 +__$ArrayPad$ = 1072 +Obf$ = 1120 +Block$ = 1128 +Depth$ = 1136 
+?dtor$3@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA PROC ; `ObfObfuscate1'::`1'::dtor$3 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx 0000a 55 push rbp 0000b 57 push rdi 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] - 00014 48 8d 8d 48 01 - 00 00 lea rcx, QWORD PTR NotTaken$13[rbp] + 00014 48 8d 8d 18 02 + 00 00 lea rcx, QWORD PTR NotTaken$19[rbp] 0001b e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ 00020 48 83 c4 28 add rsp, 40 ; 00000028H 00024 5f pop rdi 00025 5d pop rbp 00026 c3 ret 0 -?dtor$2@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA ENDP ; `ObfObfuscate'::`1'::dtor$2 +?dtor$3@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA ENDP ; `ObfObfuscate1'::`1'::dtor$3 text$x ENDS ; Function compile flags: /Odtp /RTCsu /ZI ; COMDAT text$x text$x SEGMENT InstructionCount$ = 4 -TargetCount$7 = 36 -CurrentCount$8 = 68 -NewBlockStart$9 = 104 -T$10 = 136 -NotTaken$11 = 168 -Taken$12 = 248 -NotTaken$13 = 328 -Taken$14 = 408 -tv176 = 660 -tv141 = 660 -tv174 = 664 -tv139 = 664 -__$ArrayPad$ = 672 -Obf$ = 720 -Block$ = 728 -?dtor$3@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA PROC ; `ObfObfuscate'::`1'::dtor$3 +T$8 = 40 +RealNext$9 = 72 +PreOp$10 = 104 +PostOp$11 = 136 +TargetCount$12 = 164 +CurrentCount$13 = 196 +NewBlockStart$14 = 232 +T$15 = 264 +NotTaken$16 = 296 +Taken$17 = 376 +TempBlock$18 = 456 +NotTaken$19 = 536 +Taken$20 = 616 +tv279 = 1060 +tv225 = 1060 +tv154 = 1060 +tv277 = 1064 +tv223 = 1064 +tv169 = 1064 +tv167 = 1068 +__$ArrayPad$ = 1072 +Obf$ = 1120 +Block$ = 1128 +Depth$ = 1136 +?dtor$4@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA PROC ; `ObfObfuscate1'::`1'::dtor$4 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx 0000a 55 push rbp 0000b 57 push rdi 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] - 00014 48 8d 8d 98 01 - 00 00 lea rcx, QWORD PTR Taken$14[rbp] + 00014 48 8d 8d 68 02 + 00 00 lea rcx, QWORD PTR Taken$20[rbp] 0001b e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ 00020 48 83 c4 28 add rsp, 40 ; 00000028H 00024 5f pop rdi 00025 5d pop rbp 00026 c3 ret 0 -?dtor$3@?0??ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z@4HA ENDP ; `ObfObfuscate'::`1'::dtor$3 +?dtor$4@?0??ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z@4HA ENDP ; `ObfObfuscate1'::`1'::dtor$4 text$x ENDS ; Function compile flags: /Odtp /RTCsu /ZI ; COMDAT ??1_NATIVE_CODE_BLOCK@@QEAA@XZ