|
|
@ -427,9 +427,10 @@ PUBLIC ??_7?$basic_filebuf@DU?$char_traits@D@std@@@std@@6B@ ; std::basic_filebuf
|
|
|
|
PUBLIC ??_7?$basic_ofstream@DU?$char_traits@D@std@@@std@@6B@ ; std::basic_ofstream<char,std::char_traits<char> >::`vftable'
|
|
|
|
PUBLIC ??_7?$basic_ofstream@DU?$char_traits@D@std@@@std@@6B@ ; std::basic_ofstream<char,std::char_traits<char> >::`vftable'
|
|
|
|
PUBLIC ??_8?$basic_ofstream@DU?$char_traits@D@std@@@std@@7B@ ; std::basic_ofstream<char,std::char_traits<char> >::`vbtable'
|
|
|
|
PUBLIC ??_8?$basic_ofstream@DU?$char_traits@D@std@@@std@@7B@ ; std::basic_ofstream<char,std::char_traits<char> >::`vbtable'
|
|
|
|
PUBLIC ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ ; `string'
|
|
|
|
PUBLIC ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ ; `string'
|
|
|
|
|
|
|
|
PUBLIC ??_C@_0BG@KBAIGCC@Finished?5second?5pas?4?6@ ; `string'
|
|
|
|
PUBLIC ??_C@_0BE@GALOGKHF@failed?5to?5assemble?6@ ; `string'
|
|
|
|
PUBLIC ??_C@_0BE@GALOGKHF@failed?5to?5assemble?6@ ; `string'
|
|
|
|
PUBLIC ??_C@_05PDJBBECF@pause@ ; `string'
|
|
|
|
PUBLIC ??_C@_05PDJBBECF@pause@ ; `string'
|
|
|
|
PUBLIC ??_C@_0CH@OKHDPAIH@?6?6Obfuscated?3?5?$CFllu?5?5?5?5Original?3@ ; `string'
|
|
|
|
PUBLIC ??_C@_0DC@MEGCPGB@?6?6Size?3?5?$CFu?5?5?5Obfuscated?3?5?$CFllu?5?5@ ; `string'
|
|
|
|
PUBLIC ??_C@_0N@LPFKKEBD@?3AM?3am?3PM?3pm@ ; `string'
|
|
|
|
PUBLIC ??_C@_0N@LPFKKEBD@?3AM?3am?3PM?3pm@ ; `string'
|
|
|
|
PUBLIC ??_C@_0GI@GFIDMGHH@C?3?2Program?5Files?5?$CIx86?$CJ?2Microsof@ ; `string'
|
|
|
|
PUBLIC ??_C@_0GI@GFIDMGHH@C?3?2Program?5Files?5?$CIx86?$CJ?2Microsof@ ; `string'
|
|
|
|
PUBLIC ??_C@_1NA@LKMCOJGD@?$AAC?$AA?3?$AA?2?$AAP?$AAr?$AAo?$AAg?$AAr?$AAa?$AAm?$AA?5?$AAF?$AAi?$AAl?$AAe@ ; `string'
|
|
|
|
PUBLIC ??_C@_1NA@LKMCOJGD@?$AAC?$AA?3?$AA?2?$AAP?$AAr?$AAo?$AAg?$AAr?$AAa?$AAm?$AA?5?$AAF?$AAi?$AAl?$AAe@ ; `string'
|
|
|
@ -591,9 +592,10 @@ EXTRN __imp__time64:PROC
|
|
|
|
EXTRN ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z:PROC ; std::setw
|
|
|
|
EXTRN ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z:PROC ; std::setw
|
|
|
|
EXTRN xed_tables_init:PROC
|
|
|
|
EXTRN xed_tables_init:PROC
|
|
|
|
EXTRN ??0_NATIVE_CODE_BLOCK@@QEAA@XZ:PROC ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK
|
|
|
|
EXTRN ??0_NATIVE_CODE_BLOCK@@QEAA@XZ:PROC ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK
|
|
|
|
|
|
|
|
EXTRN ?NcCountInstructions@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z:PROC ; NcCountInstructions
|
|
|
|
EXTRN ?NcDisassemble@@YAHPEAU_NATIVE_CODE_BLOCK@@PEAXK@Z:PROC ; NcDisassemble
|
|
|
|
EXTRN ?NcDisassemble@@YAHPEAU_NATIVE_CODE_BLOCK@@PEAXK@Z:PROC ; NcDisassemble
|
|
|
|
EXTRN ?NcAssemble@@YAPEAXPEAU_NATIVE_CODE_BLOCK@@PEAK@Z:PROC ; NcAssemble
|
|
|
|
EXTRN ?NcAssemble@@YAPEAXPEAU_NATIVE_CODE_BLOCK@@PEAK@Z:PROC ; NcAssemble
|
|
|
|
EXTRN ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z:PROC ; ObfObfuscate
|
|
|
|
EXTRN ?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z:PROC ; ObfObfuscate1
|
|
|
|
EXTRN ??_E?$basic_filebuf@DU?$char_traits@D@std@@@std@@UEAAPEAXI@Z:PROC ; std::basic_filebuf<char,std::char_traits<char> >::`vector deleting destructor'
|
|
|
|
EXTRN ??_E?$basic_filebuf@DU?$char_traits@D@std@@@std@@UEAAPEAXI@Z:PROC ; std::basic_filebuf<char,std::char_traits<char> >::`vector deleting destructor'
|
|
|
|
EXTRN ??_E?$basic_ofstream@DU?$char_traits@D@std@@@std@@UEAAPEAXI@Z:PROC ; std::basic_ofstream<char,std::char_traits<char> >::`vector deleting destructor'
|
|
|
|
EXTRN ??_E?$basic_ofstream@DU?$char_traits@D@std@@@std@@UEAAPEAXI@Z:PROC ; std::basic_ofstream<char,std::char_traits<char> >::`vector deleting destructor'
|
|
|
|
EXTRN RetNum:PROC
|
|
|
|
EXTRN RetNum:PROC
|
|
|
@ -1484,7 +1486,7 @@ pdata ENDS
|
|
|
|
; COMDAT pdata
|
|
|
|
; COMDAT pdata
|
|
|
|
pdata SEGMENT
|
|
|
|
pdata SEGMENT
|
|
|
|
$pdata$main DD imagerel $LN7
|
|
|
|
$pdata$main DD imagerel $LN7
|
|
|
|
DD imagerel $LN7+461
|
|
|
|
DD imagerel $LN7+527
|
|
|
|
DD imagerel $unwind$main
|
|
|
|
DD imagerel $unwind$main
|
|
|
|
pdata ENDS
|
|
|
|
pdata ENDS
|
|
|
|
; COMDAT pdata
|
|
|
|
; COMDAT pdata
|
|
|
@ -2259,10 +2261,11 @@ CONST ENDS
|
|
|
|
CONST SEGMENT
|
|
|
|
CONST SEGMENT
|
|
|
|
??_C@_0N@LPFKKEBD@?3AM?3am?3PM?3pm@ DB ':AM:am:PM:pm', 00H ; `string'
|
|
|
|
??_C@_0N@LPFKKEBD@?3AM?3am?3PM?3pm@ DB ':AM:am:PM:pm', 00H ; `string'
|
|
|
|
CONST ENDS
|
|
|
|
CONST ENDS
|
|
|
|
; COMDAT ??_C@_0CH@OKHDPAIH@?6?6Obfuscated?3?5?$CFllu?5?5?5?5Original?3@
|
|
|
|
; COMDAT ??_C@_0DC@MEGCPGB@?6?6Size?3?5?$CFu?5?5?5Obfuscated?3?5?$CFllu?5?5@
|
|
|
|
CONST SEGMENT
|
|
|
|
CONST SEGMENT
|
|
|
|
??_C@_0CH@OKHDPAIH@?6?6Obfuscated?3?5?$CFllu?5?5?5?5Original?3@ DB 0aH, 0aH
|
|
|
|
??_C@_0DC@MEGCPGB@?6?6Size?3?5?$CFu?5?5?5Obfuscated?3?5?$CFllu?5?5@ DB 0aH
|
|
|
|
DB 'Obfuscated: %llu Original: %llu', 0aH, 0aH, 00H ; `string'
|
|
|
|
DB 0aH, 'Size: %u Obfuscated: %llu Original: %llu', 0aH, 0aH
|
|
|
|
|
|
|
|
DB 00H ; `string'
|
|
|
|
CONST ENDS
|
|
|
|
CONST ENDS
|
|
|
|
; COMDAT ??_C@_05PDJBBECF@pause@
|
|
|
|
; COMDAT ??_C@_05PDJBBECF@pause@
|
|
|
|
CONST SEGMENT
|
|
|
|
CONST SEGMENT
|
|
|
@ -2272,6 +2275,11 @@ CONST ENDS
|
|
|
|
CONST SEGMENT
|
|
|
|
CONST SEGMENT
|
|
|
|
??_C@_0BE@GALOGKHF@failed?5to?5assemble?6@ DB 'failed to assemble', 0aH, 00H ; `string'
|
|
|
|
??_C@_0BE@GALOGKHF@failed?5to?5assemble?6@ DB 'failed to assemble', 0aH, 00H ; `string'
|
|
|
|
CONST ENDS
|
|
|
|
CONST ENDS
|
|
|
|
|
|
|
|
; COMDAT ??_C@_0BG@KBAIGCC@Finished?5second?5pas?4?6@
|
|
|
|
|
|
|
|
CONST SEGMENT
|
|
|
|
|
|
|
|
??_C@_0BG@KBAIGCC@Finished?5second?5pas?4?6@ DB 'Finished second pas.', 0aH
|
|
|
|
|
|
|
|
DB 00H ; `string'
|
|
|
|
|
|
|
|
CONST ENDS
|
|
|
|
; COMDAT ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@
|
|
|
|
; COMDAT ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@
|
|
|
|
CONST SEGMENT
|
|
|
|
CONST SEGMENT
|
|
|
|
??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ DB 'C:\Users\Ii'
|
|
|
|
??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ DB 'C:\Users\Ii'
|
|
|
@ -3346,11 +3354,11 @@ $ip2state$main DB 0aH
|
|
|
|
DB 00H
|
|
|
|
DB 00H
|
|
|
|
DB 0b2H
|
|
|
|
DB 0b2H
|
|
|
|
DB 02H
|
|
|
|
DB 02H
|
|
|
|
DB 'y', 02H
|
|
|
|
DB 0f9H, 02H
|
|
|
|
DB 00H
|
|
|
|
DB 00H
|
|
|
|
DB '('
|
|
|
|
DB '('
|
|
|
|
DB 02H
|
|
|
|
DB 02H
|
|
|
|
DB 011H, 02H
|
|
|
|
DB 099H, 02H
|
|
|
|
DB 00H
|
|
|
|
DB 00H
|
|
|
|
xdata ENDS
|
|
|
|
xdata ENDS
|
|
|
|
; COMDAT xdata
|
|
|
|
; COMDAT xdata
|
|
|
@ -3373,7 +3381,7 @@ $unwind$main DD 025052f19H
|
|
|
|
DD 05002H
|
|
|
|
DD 05002H
|
|
|
|
DD imagerel __GSHandlerCheck_EH4
|
|
|
|
DD imagerel __GSHandlerCheck_EH4
|
|
|
|
DD imagerel $cppxdata$main
|
|
|
|
DD imagerel $cppxdata$main
|
|
|
|
DD 01f2H
|
|
|
|
DD 01faH
|
|
|
|
xdata ENDS
|
|
|
|
xdata ENDS
|
|
|
|
; COMDAT CONST
|
|
|
|
; COMDAT CONST
|
|
|
|
CONST SEGMENT
|
|
|
|
CONST SEGMENT
|
|
|
@ -3406,7 +3414,7 @@ main$rtcVarDesc DD 0a4H
|
|
|
|
DD 04H
|
|
|
|
DD 04H
|
|
|
|
DQ FLAT:main$rtcName$2
|
|
|
|
DQ FLAT:main$rtcName$2
|
|
|
|
DD 078H
|
|
|
|
DD 078H
|
|
|
|
DD 010H
|
|
|
|
DD 018H
|
|
|
|
DQ FLAT:main$rtcName$1
|
|
|
|
DQ FLAT:main$rtcName$1
|
|
|
|
DD 028H
|
|
|
|
DD 028H
|
|
|
|
DD 030H
|
|
|
|
DD 030H
|
|
|
@ -8739,10 +8747,11 @@ AsmSize$ = 132
|
|
|
|
Asm$ = 168
|
|
|
|
Asm$ = 168
|
|
|
|
Exec$ = 200
|
|
|
|
Exec$ = 200
|
|
|
|
$T6 = 420
|
|
|
|
$T6 = 420
|
|
|
|
tv134 = 440
|
|
|
|
tv143 = 440
|
|
|
|
tv128 = 448
|
|
|
|
tv132 = 448
|
|
|
|
tv132 = 456
|
|
|
|
tv141 = 456
|
|
|
|
__$ArrayPad$ = 464
|
|
|
|
tv139 = 464
|
|
|
|
|
|
|
|
__$ArrayPad$ = 472
|
|
|
|
main PROC ; COMDAT
|
|
|
|
main PROC ; COMDAT
|
|
|
|
|
|
|
|
|
|
|
|
; 90 : {
|
|
|
|
; 90 : {
|
|
|
@ -8760,7 +8769,7 @@ $LN7:
|
|
|
|
0001e 48 8b 05 00 00
|
|
|
|
0001e 48 8b 05 00 00
|
|
|
|
00 00 mov rax, QWORD PTR __security_cookie
|
|
|
|
00 00 mov rax, QWORD PTR __security_cookie
|
|
|
|
00025 48 33 c5 xor rax, rbp
|
|
|
|
00025 48 33 c5 xor rax, rbp
|
|
|
|
00028 48 89 85 d0 01
|
|
|
|
00028 48 89 85 d8 01
|
|
|
|
00 00 mov QWORD PTR __$ArrayPad$[rbp], rax
|
|
|
|
00 00 mov QWORD PTR __$ArrayPad$[rbp], rax
|
|
|
|
0002f 48 8d 0d 00 00
|
|
|
|
0002f 48 8d 0d 00 00
|
|
|
|
00 00 lea rcx, OFFSET FLAT:__4031338C_Main@cpp
|
|
|
|
00 00 lea rcx, OFFSET FLAT:__4031338C_Main@cpp
|
|
|
@ -8798,282 +8807,328 @@ $LN7:
|
|
|
|
; 97 : OBFUSCATOR Obf;
|
|
|
|
; 97 : OBFUSCATOR Obf;
|
|
|
|
; 98 : Obf.Flags = 0;
|
|
|
|
; 98 : Obf.Flags = 0;
|
|
|
|
|
|
|
|
|
|
|
|
0006f c7 45 5c 00 00
|
|
|
|
0006f c7 45 64 00 00
|
|
|
|
00 00 mov DWORD PTR Obf$[rbp+4], 0
|
|
|
|
00 00 mov DWORD PTR Obf$[rbp+12], 0
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; 99 : Obf.MinSizeForOpaqueBranch = 1;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
00076 c7 45 5c 01 00
|
|
|
|
|
|
|
|
00 00 mov DWORD PTR Obf$[rbp+4], 1
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; 100 : Obf.InstructionMutateChance = 0;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
0007d c6 45 61 00 mov BYTE PTR Obf$[rbp+9], 0
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; 101 : Obf.OpaqueBranchChance = 100;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
00081 c6 45 60 64 mov BYTE PTR Obf$[rbp+8], 100 ; 00000064H
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; 102 : Obf.MinDepthForRandomOpaqueBranch = 0;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
00085 c7 45 58 00 00
|
|
|
|
|
|
|
|
00 00 mov DWORD PTR Obf$[rbp], 0
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; 103 : Obf.GlobalBlock = &RetNumBlock;
|
|
|
|
|
|
|
|
|
|
|
|
; 99 : Obf.MinInstCount = 4;
|
|
|
|
0008c 48 8d 45 08 lea rax, QWORD PTR RetNumBlock$[rbp]
|
|
|
|
|
|
|
|
00090 48 89 45 68 mov QWORD PTR Obf$[rbp+16], rax
|
|
|
|
|
|
|
|
|
|
|
|
00076 c7 45 58 04 00
|
|
|
|
; 104 : Obf.BlockDivisionFactor = 2;
|
|
|
|
00 00 mov DWORD PTR Obf$[rbp], 4
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; 100 : Obf.GlobalBlock = &RetNumBlock;
|
|
|
|
00094 c6 45 62 02 mov BYTE PTR Obf$[rbp+10], 2
|
|
|
|
|
|
|
|
|
|
|
|
0007d 48 8d 45 08 lea rax, QWORD PTR RetNumBlock$[rbp]
|
|
|
|
; 105 : Obf.InstructionMutateChance = 100;
|
|
|
|
00081 48 89 45 60 mov QWORD PTR Obf$[rbp+8], rax
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; 101 : ObfObfuscate(&Obf, &RetNumBlock);
|
|
|
|
00098 c6 45 61 64 mov BYTE PTR Obf$[rbp+9], 100 ; 00000064H
|
|
|
|
|
|
|
|
|
|
|
|
00085 48 8d 55 08 lea rdx, QWORD PTR RetNumBlock$[rbp]
|
|
|
|
; 106 : ObfObfuscate1(&Obf, &RetNumBlock);
|
|
|
|
00089 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp]
|
|
|
|
|
|
|
|
0008d e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; 102 : ObfObfuscate(&Obf, &RetNumBlock);
|
|
|
|
0009c 45 33 c0 xor r8d, r8d
|
|
|
|
|
|
|
|
0009f 48 8d 55 08 lea rdx, QWORD PTR RetNumBlock$[rbp]
|
|
|
|
|
|
|
|
000a3 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp]
|
|
|
|
|
|
|
|
000a7 e8 00 00 00 00 call ?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z ; ObfObfuscate1
|
|
|
|
|
|
|
|
|
|
|
|
00092 48 8d 55 08 lea rdx, QWORD PTR RetNumBlock$[rbp]
|
|
|
|
; 107 : Obf.MinSizeForOpaqueBranch = 50;
|
|
|
|
00096 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp]
|
|
|
|
|
|
|
|
0009a e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; 103 : Obf.MinInstCount = 30;
|
|
|
|
000ac c7 45 5c 32 00
|
|
|
|
|
|
|
|
00 00 mov DWORD PTR Obf$[rbp+4], 50 ; 00000032H
|
|
|
|
|
|
|
|
|
|
|
|
0009f c7 45 58 1e 00
|
|
|
|
; 108 : Obf.InstructionMutateChance = 50;
|
|
|
|
00 00 mov DWORD PTR Obf$[rbp], 30
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; 104 : ObfObfuscate(&Obf, &RetNumBlock);
|
|
|
|
000b3 c6 45 61 32 mov BYTE PTR Obf$[rbp+9], 50 ; 00000032H
|
|
|
|
|
|
|
|
|
|
|
|
000a6 48 8d 55 08 lea rdx, QWORD PTR RetNumBlock$[rbp]
|
|
|
|
; 109 : ObfObfuscate1(&Obf, &RetNumBlock);
|
|
|
|
000aa 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp]
|
|
|
|
|
|
|
|
000ae e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; 105 :
|
|
|
|
000b7 45 33 c0 xor r8d, r8d
|
|
|
|
; 106 :
|
|
|
|
000ba 48 8d 55 08 lea rdx, QWORD PTR RetNumBlock$[rbp]
|
|
|
|
; 107 : ULONG AsmSize;
|
|
|
|
000be 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp]
|
|
|
|
; 108 : PVOID Asm = NcAssemble(&RetNumBlock, &AsmSize);
|
|
|
|
000c2 e8 00 00 00 00 call ?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z ; ObfObfuscate1
|
|
|
|
|
|
|
|
|
|
|
|
000b3 48 8d 95 84 00
|
|
|
|
; 110 :
|
|
|
|
|
|
|
|
; 111 : printf("Finished second pas.\n");
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
000c7 48 8d 0d 00 00
|
|
|
|
|
|
|
|
00 00 lea rcx, OFFSET FLAT:??_C@_0BG@KBAIGCC@Finished?5second?5pas?4?6@
|
|
|
|
|
|
|
|
000ce e8 00 00 00 00 call printf
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; 112 : //Obf.MinSizeForOpaqueBranch = 200;
|
|
|
|
|
|
|
|
; 113 : //ObfObfuscate1(&Obf, &RetNumBlock);
|
|
|
|
|
|
|
|
; 114 : //Obf.MinSizeForOpaqueBranch = 30;
|
|
|
|
|
|
|
|
; 115 : //ObfObfuscate(&Obf, &RetNumBlock);
|
|
|
|
|
|
|
|
; 116 :
|
|
|
|
|
|
|
|
; 117 :
|
|
|
|
|
|
|
|
; 118 : ULONG AsmSize;
|
|
|
|
|
|
|
|
; 119 : PVOID Asm = NcAssemble(&RetNumBlock, &AsmSize);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
000d3 48 8d 95 84 00
|
|
|
|
00 00 lea rdx, QWORD PTR AsmSize$[rbp]
|
|
|
|
00 00 lea rdx, QWORD PTR AsmSize$[rbp]
|
|
|
|
000ba 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp]
|
|
|
|
000da 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp]
|
|
|
|
000be e8 00 00 00 00 call ?NcAssemble@@YAPEAXPEAU_NATIVE_CODE_BLOCK@@PEAK@Z ; NcAssemble
|
|
|
|
000de e8 00 00 00 00 call ?NcAssemble@@YAPEAXPEAU_NATIVE_CODE_BLOCK@@PEAK@Z ; NcAssemble
|
|
|
|
000c3 48 89 85 a8 00
|
|
|
|
000e3 48 89 85 a8 00
|
|
|
|
00 00 mov QWORD PTR Asm$[rbp], rax
|
|
|
|
00 00 mov QWORD PTR Asm$[rbp], rax
|
|
|
|
|
|
|
|
|
|
|
|
; 109 : if (!Asm)
|
|
|
|
; 120 : if (!Asm)
|
|
|
|
|
|
|
|
|
|
|
|
000ca 48 83 bd a8 00
|
|
|
|
000ea 48 83 bd a8 00
|
|
|
|
00 00 00 cmp QWORD PTR Asm$[rbp], 0
|
|
|
|
00 00 00 cmp QWORD PTR Asm$[rbp], 0
|
|
|
|
000d2 75 37 jne SHORT $LN2@main
|
|
|
|
000f2 75 37 jne SHORT $LN2@main
|
|
|
|
|
|
|
|
|
|
|
|
; 110 : {
|
|
|
|
; 121 : {
|
|
|
|
; 111 : printf("failed to assemble\n");
|
|
|
|
; 122 : printf("failed to assemble\n");
|
|
|
|
|
|
|
|
|
|
|
|
000d4 48 8d 0d 00 00
|
|
|
|
000f4 48 8d 0d 00 00
|
|
|
|
00 00 lea rcx, OFFSET FLAT:??_C@_0BE@GALOGKHF@failed?5to?5assemble?6@
|
|
|
|
00 00 lea rcx, OFFSET FLAT:??_C@_0BE@GALOGKHF@failed?5to?5assemble?6@
|
|
|
|
000db e8 00 00 00 00 call printf
|
|
|
|
000fb e8 00 00 00 00 call printf
|
|
|
|
|
|
|
|
|
|
|
|
; 112 : system("pause");
|
|
|
|
; 123 : system("pause");
|
|
|
|
|
|
|
|
|
|
|
|
000e0 48 8d 0d 00 00
|
|
|
|
00100 48 8d 0d 00 00
|
|
|
|
00 00 lea rcx, OFFSET FLAT:??_C@_05PDJBBECF@pause@
|
|
|
|
00 00 lea rcx, OFFSET FLAT:??_C@_05PDJBBECF@pause@
|
|
|
|
000e7 ff 15 00 00 00
|
|
|
|
00107 ff 15 00 00 00
|
|
|
|
00 call QWORD PTR __imp_system
|
|
|
|
00 call QWORD PTR __imp_system
|
|
|
|
|
|
|
|
|
|
|
|
; 113 : return 1;
|
|
|
|
; 124 : return 1;
|
|
|
|
|
|
|
|
|
|
|
|
000ed c7 85 a4 01 00
|
|
|
|
0010d c7 85 a4 01 00
|
|
|
|
00 01 00 00 00 mov DWORD PTR $T6[rbp], 1
|
|
|
|
00 01 00 00 00 mov DWORD PTR $T6[rbp], 1
|
|
|
|
000f7 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp]
|
|
|
|
00117 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp]
|
|
|
|
000fb e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ
|
|
|
|
0011b e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ
|
|
|
|
00100 8b 85 a4 01 00
|
|
|
|
00120 8b 85 a4 01 00
|
|
|
|
00 mov eax, DWORD PTR $T6[rbp]
|
|
|
|
00 mov eax, DWORD PTR $T6[rbp]
|
|
|
|
00106 e9 93 00 00 00 jmp $LN5@main
|
|
|
|
00126 e9 b5 00 00 00 jmp $LN5@main
|
|
|
|
$LN2@main:
|
|
|
|
$LN2@main:
|
|
|
|
|
|
|
|
|
|
|
|
; 114 : }
|
|
|
|
; 125 : }
|
|
|
|
; 115 : PVOID Exec = MakeExecutableBuffer(Asm, AsmSize);
|
|
|
|
; 126 : PutToFile(Asm, AsmSize);
|
|
|
|
|
|
|
|
|
|
|
|
0010b 8b 95 84 00 00
|
|
|
|
0012b 8b 95 84 00 00
|
|
|
|
00 mov edx, DWORD PTR AsmSize$[rbp]
|
|
|
|
00 mov edx, DWORD PTR AsmSize$[rbp]
|
|
|
|
00111 48 8b 8d a8 00
|
|
|
|
00131 48 8b 8d a8 00
|
|
|
|
00 00 mov rcx, QWORD PTR Asm$[rbp]
|
|
|
|
00 00 mov rcx, QWORD PTR Asm$[rbp]
|
|
|
|
00118 e8 00 00 00 00 call ?MakeExecutableBuffer@@YAPEAXPEAXK@Z ; MakeExecutableBuffer
|
|
|
|
00138 e8 00 00 00 00 call ?PutToFile@@YAXPEAXK@Z ; PutToFile
|
|
|
|
0011d 48 89 85 c8 00
|
|
|
|
|
|
|
|
00 00 mov QWORD PTR Exec$[rbp], rax
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; 116 : typedef ULONG64(*FnRetNum)(ULONG Num);
|
|
|
|
; 127 : system("pause");
|
|
|
|
; 117 : printf("\n\nObfuscated: %llu Original: %llu\n\n", ((FnRetNum)Exec)(1776), RetNum(1776));
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
00124 b9 f0 06 00 00 mov ecx, 1776 ; 000006f0H
|
|
|
|
0013d 48 8d 0d 00 00
|
|
|
|
00129 e8 00 00 00 00 call RetNum
|
|
|
|
00 00 lea rcx, OFFSET FLAT:??_C@_05PDJBBECF@pause@
|
|
|
|
0012e 48 89 85 b8 01
|
|
|
|
00144 ff 15 00 00 00
|
|
|
|
00 00 mov QWORD PTR tv134[rbp], rax
|
|
|
|
00 call QWORD PTR __imp_system
|
|
|
|
00135 48 8b 85 c8 00
|
|
|
|
|
|
|
|
00 00 mov rax, QWORD PTR Exec$[rbp]
|
|
|
|
|
|
|
|
0013c 48 89 85 c0 01
|
|
|
|
|
|
|
|
00 00 mov QWORD PTR tv128[rbp], rax
|
|
|
|
|
|
|
|
00143 b9 f0 06 00 00 mov ecx, 1776 ; 000006f0H
|
|
|
|
|
|
|
|
00148 ff 95 c0 01 00
|
|
|
|
|
|
|
|
00 call QWORD PTR tv128[rbp]
|
|
|
|
|
|
|
|
0014e 48 89 85 c8 01
|
|
|
|
|
|
|
|
00 00 mov QWORD PTR tv132[rbp], rax
|
|
|
|
|
|
|
|
00155 4c 8b 85 b8 01
|
|
|
|
|
|
|
|
00 00 mov r8, QWORD PTR tv134[rbp]
|
|
|
|
|
|
|
|
0015c 48 8b 95 c8 01
|
|
|
|
|
|
|
|
00 00 mov rdx, QWORD PTR tv132[rbp]
|
|
|
|
|
|
|
|
00163 48 8d 0d 00 00
|
|
|
|
|
|
|
|
00 00 lea rcx, OFFSET FLAT:??_C@_0CH@OKHDPAIH@?6?6Obfuscated?3?5?$CFllu?5?5?5?5Original?3@
|
|
|
|
|
|
|
|
0016a e8 00 00 00 00 call printf
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; 118 : PutToFile(Asm, AsmSize);
|
|
|
|
; 128 :
|
|
|
|
|
|
|
|
; 129 : PVOID Exec = MakeExecutableBuffer(Asm, AsmSize);
|
|
|
|
|
|
|
|
|
|
|
|
0016f 8b 95 84 00 00
|
|
|
|
0014a 8b 95 84 00 00
|
|
|
|
00 mov edx, DWORD PTR AsmSize$[rbp]
|
|
|
|
00 mov edx, DWORD PTR AsmSize$[rbp]
|
|
|
|
00175 48 8b 8d a8 00
|
|
|
|
00150 48 8b 8d a8 00
|
|
|
|
00 00 mov rcx, QWORD PTR Asm$[rbp]
|
|
|
|
00 00 mov rcx, QWORD PTR Asm$[rbp]
|
|
|
|
0017c e8 00 00 00 00 call ?PutToFile@@YAXPEAXK@Z ; PutToFile
|
|
|
|
00157 e8 00 00 00 00 call ?MakeExecutableBuffer@@YAPEAXPEAXK@Z ; MakeExecutableBuffer
|
|
|
|
|
|
|
|
0015c 48 89 85 c8 00
|
|
|
|
|
|
|
|
00 00 mov QWORD PTR Exec$[rbp], rax
|
|
|
|
|
|
|
|
|
|
|
|
; 119 : system("pause");
|
|
|
|
; 130 : typedef ULONG64(*FnRetNum)(ULONG Num);
|
|
|
|
|
|
|
|
; 131 : printf("\n\nSize: %u Obfuscated: %llu Original: %llu\n\n", NcCountInstructions(&RetNumBlock), ((FnRetNum)Exec)(1776), RetNum(1776));
|
|
|
|
|
|
|
|
|
|
|
|
00181 48 8d 0d 00 00
|
|
|
|
00163 b9 f0 06 00 00 mov ecx, 1776 ; 000006f0H
|
|
|
|
|
|
|
|
00168 e8 00 00 00 00 call RetNum
|
|
|
|
|
|
|
|
0016d 48 89 85 b8 01
|
|
|
|
|
|
|
|
00 00 mov QWORD PTR tv143[rbp], rax
|
|
|
|
|
|
|
|
00174 48 8b 85 c8 00
|
|
|
|
|
|
|
|
00 00 mov rax, QWORD PTR Exec$[rbp]
|
|
|
|
|
|
|
|
0017b 48 89 85 c0 01
|
|
|
|
|
|
|
|
00 00 mov QWORD PTR tv132[rbp], rax
|
|
|
|
|
|
|
|
00182 b9 f0 06 00 00 mov ecx, 1776 ; 000006f0H
|
|
|
|
|
|
|
|
00187 ff 95 c0 01 00
|
|
|
|
|
|
|
|
00 call QWORD PTR tv132[rbp]
|
|
|
|
|
|
|
|
0018d 48 89 85 c8 01
|
|
|
|
|
|
|
|
00 00 mov QWORD PTR tv141[rbp], rax
|
|
|
|
|
|
|
|
00194 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp]
|
|
|
|
|
|
|
|
00198 e8 00 00 00 00 call ?NcCountInstructions@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z ; NcCountInstructions
|
|
|
|
|
|
|
|
0019d 89 85 d0 01 00
|
|
|
|
|
|
|
|
00 mov DWORD PTR tv139[rbp], eax
|
|
|
|
|
|
|
|
001a3 4c 8b 8d b8 01
|
|
|
|
|
|
|
|
00 00 mov r9, QWORD PTR tv143[rbp]
|
|
|
|
|
|
|
|
001aa 4c 8b 85 c8 01
|
|
|
|
|
|
|
|
00 00 mov r8, QWORD PTR tv141[rbp]
|
|
|
|
|
|
|
|
001b1 8b 95 d0 01 00
|
|
|
|
|
|
|
|
00 mov edx, DWORD PTR tv139[rbp]
|
|
|
|
|
|
|
|
001b7 48 8d 0d 00 00
|
|
|
|
|
|
|
|
00 00 lea rcx, OFFSET FLAT:??_C@_0DC@MEGCPGB@?6?6Size?3?5?$CFu?5?5?5Obfuscated?3?5?$CFllu?5?5@
|
|
|
|
|
|
|
|
001be e8 00 00 00 00 call printf
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; 132 : system("pause");
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
001c3 48 8d 0d 00 00
|
|
|
|
00 00 lea rcx, OFFSET FLAT:??_C@_05PDJBBECF@pause@
|
|
|
|
00 00 lea rcx, OFFSET FLAT:??_C@_05PDJBBECF@pause@
|
|
|
|
00188 ff 15 00 00 00
|
|
|
|
001ca ff 15 00 00 00
|
|
|
|
00 call QWORD PTR __imp_system
|
|
|
|
00 call QWORD PTR __imp_system
|
|
|
|
0018e 90 npad 1
|
|
|
|
001d0 90 npad 1
|
|
|
|
|
|
|
|
|
|
|
|
; 120 :
|
|
|
|
; 133 :
|
|
|
|
; 121 :
|
|
|
|
; 134 :
|
|
|
|
; 122 : /*NATIVE_CODE_BLOCK Block;
|
|
|
|
; 135 : /*NATIVE_CODE_BLOCK Block;
|
|
|
|
; 123 : NcDisassemble(&Block, meme1, sizeof(meme1));
|
|
|
|
; 136 : NcDisassemble(&Block, meme1, sizeof(meme1));
|
|
|
|
; 124 : OBFUSCATOR Obf;
|
|
|
|
; 137 : OBFUSCATOR Obf;
|
|
|
|
; 125 : Obf.Flags = 0;
|
|
|
|
; 138 : Obf.Flags = 0;
|
|
|
|
; 126 : Obf.MinInstCount = 12;
|
|
|
|
; 139 : Obf.MinSizeForOpaqueBranch = 12;
|
|
|
|
; 127 : Obf.GlobalBlock = &Block;
|
|
|
|
; 140 : Obf.GlobalBlock = &Block;
|
|
|
|
; 128 : ObfObfuscate(&Obf, &Block);
|
|
|
|
; 141 : ObfObfuscate(&Obf, &Block);
|
|
|
|
; 129 : Obf.MinInstCount = 4;
|
|
|
|
; 142 : Obf.MinSizeForOpaqueBranch = 4;
|
|
|
|
; 130 : ObfObfuscate(&Obf, &Block);
|
|
|
|
; 143 : ObfObfuscate(&Obf, &Block);
|
|
|
|
; 131 : NcDebugPrint(&Block);
|
|
|
|
; 144 : NcDebugPrint(&Block);
|
|
|
|
; 132 :
|
|
|
|
|
|
|
|
; 133 : ULONG ByteSize = NcCalcBlockSizeInBytes(&Block);
|
|
|
|
|
|
|
|
; 134 : ULONG InstSize = NcCountInstructions(&Block);
|
|
|
|
|
|
|
|
; 135 :
|
|
|
|
|
|
|
|
; 136 : printf("Bytes: %u, Insts: %u, FlagsMeme: %u.\n", ByteSize, InstSize, Obf.Flags);
|
|
|
|
|
|
|
|
; 137 :
|
|
|
|
|
|
|
|
; 138 : ULONG AsmSize;
|
|
|
|
|
|
|
|
; 139 : PVOID Asm = NcAssemble(&Block, &AsmSize);
|
|
|
|
|
|
|
|
; 140 : PVOID Exec = MakeExecutableBuffer(Asm, AsmSize);
|
|
|
|
|
|
|
|
; 141 : typedef ULONG(*FnGetFour)();
|
|
|
|
|
|
|
|
; 142 : printf("numba is: %u size is %u\n\n", ((FnGetFour)Exec)(), AsmSize);
|
|
|
|
|
|
|
|
; 143 : PutToFile(Asm, AsmSize);*/
|
|
|
|
|
|
|
|
; 144 :
|
|
|
|
|
|
|
|
; 145 :
|
|
|
|
; 145 :
|
|
|
|
; 146 : //PNATIVE_CODE_LINK Return1776 = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
|
|
|
|
; 146 : ULONG ByteSize = NcCalcBlockSizeInBytes(&Block);
|
|
|
|
; 147 : //PNATIVE_CODE_LINK RetInst = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme2, sizeof(meme2));
|
|
|
|
; 147 : ULONG InstSize = NcCountInstructions(&Block);
|
|
|
|
; 148 : //PNATIVE_CODE_BLOCK Pre1 = JitEmitPreRipMov(Return1776);
|
|
|
|
; 148 :
|
|
|
|
; 149 : //PNATIVE_CODE_BLOCK Post1 = JitEmitPostRipMov(Return1776);
|
|
|
|
; 149 : printf("Bytes: %u, Insts: %u, FlagsMeme: %u.\n", ByteSize, InstSize, Obf.Flags);
|
|
|
|
; 150 : //PNATIVE_CODE_BLOCK Pre2 = JitEmitPreRipMov(RetInst);
|
|
|
|
; 150 :
|
|
|
|
; 151 : //PNATIVE_CODE_BLOCK Post2 = JitEmitPostRipMov(RetInst);
|
|
|
|
; 151 : ULONG AsmSize;
|
|
|
|
; 152 :
|
|
|
|
; 152 : PVOID Asm = NcAssemble(&Block, &AsmSize);
|
|
|
|
; 153 : //NcAppendToBlock(Pre1, Return1776);
|
|
|
|
; 153 : PVOID Exec = MakeExecutableBuffer(Asm, AsmSize);
|
|
|
|
; 154 : //NcInsertBlockAfter(Pre1->End, Post1, 0);
|
|
|
|
; 154 : typedef ULONG(*FnGetFour)();
|
|
|
|
; 155 : //Pre1->End = Post1->End;
|
|
|
|
; 155 : printf("numba is: %u size is %u\n\n", ((FnGetFour)Exec)(), AsmSize);
|
|
|
|
; 156 : //NcInsertBlockAfter(Pre1->End, Pre2, 0);
|
|
|
|
; 156 : PutToFile(Asm, AsmSize);*/
|
|
|
|
; 157 : //Pre1->End = Pre2->End;
|
|
|
|
; 157 :
|
|
|
|
; 158 : //NcAppendToBlock(Pre1, RetInst);
|
|
|
|
; 158 :
|
|
|
|
; 159 : //NcInsertBlockAfter(Pre1->End, Post2, 0);
|
|
|
|
; 159 : //PNATIVE_CODE_LINK Return1776 = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
|
|
|
|
; 160 : //Pre1->End = Post2->End;
|
|
|
|
; 160 : //PNATIVE_CODE_LINK RetInst = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme2, sizeof(meme2));
|
|
|
|
; 161 :
|
|
|
|
; 161 : //PNATIVE_CODE_BLOCK Pre1 = JitEmitPreRipMov(Return1776);
|
|
|
|
; 162 : ///*Pre->Start = Return1776;
|
|
|
|
; 162 : //PNATIVE_CODE_BLOCK Post1 = JitEmitPostRipMov(Return1776);
|
|
|
|
; 163 : //Pre->End = Return1776;*/
|
|
|
|
; 163 : //PNATIVE_CODE_BLOCK Pre2 = JitEmitPreRipMov(RetInst);
|
|
|
|
; 164 :
|
|
|
|
; 164 : //PNATIVE_CODE_BLOCK Post2 = JitEmitPostRipMov(RetInst);
|
|
|
|
; 165 : //for (ULONG i = 0; i < Return1776->RawDataSize; i++)
|
|
|
|
; 165 :
|
|
|
|
; 166 : // Return1776->RawData[i] = (UCHAR)rand();
|
|
|
|
; 166 : //NcAppendToBlock(Pre1, Return1776);
|
|
|
|
; 167 : //for (ULONG i = 0; i < RetInst->RawDataSize; i++)
|
|
|
|
; 167 : //NcInsertBlockAfter(Pre1->End, Post1, 0);
|
|
|
|
; 168 : // RetInst->RawData[i] = (UCHAR)rand();
|
|
|
|
; 168 : //Pre1->End = Post1->End;
|
|
|
|
; 169 :
|
|
|
|
; 169 : //NcInsertBlockAfter(Pre1->End, Pre2, 0);
|
|
|
|
; 170 :
|
|
|
|
; 170 : //Pre1->End = Pre2->End;
|
|
|
|
; 171 :
|
|
|
|
; 171 : //NcAppendToBlock(Pre1, RetInst);
|
|
|
|
; 172 : //ULONG AsmLen;
|
|
|
|
; 172 : //NcInsertBlockAfter(Pre1->End, Post2, 0);
|
|
|
|
; 173 : //PVOID Asm = NcAssemble(Pre1, &AsmLen);
|
|
|
|
; 173 : //Pre1->End = Post2->End;
|
|
|
|
; 174 : //PUCHAR Tb = (PUCHAR)Asm;
|
|
|
|
; 174 :
|
|
|
|
; 175 : //for (uint32_t i = 0; i < AsmLen; i++)
|
|
|
|
; 175 : ///*Pre->Start = Return1776;
|
|
|
|
; 176 : //{
|
|
|
|
; 176 : //Pre->End = Return1776;*/
|
|
|
|
; 177 : // std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' ';
|
|
|
|
; 177 :
|
|
|
|
; 178 : //}
|
|
|
|
; 178 : //for (ULONG i = 0; i < Return1776->RawDataSize; i++)
|
|
|
|
; 179 :
|
|
|
|
; 179 : // Return1776->RawData[i] = (UCHAR)rand();
|
|
|
|
; 180 : //system("pause");
|
|
|
|
; 180 : //for (ULONG i = 0; i < RetInst->RawDataSize; i++)
|
|
|
|
; 181 :
|
|
|
|
; 181 : // RetInst->RawData[i] = (UCHAR)rand();
|
|
|
|
; 182 : //typedef ULONG64(*FnGet1776)();
|
|
|
|
; 182 :
|
|
|
|
; 183 : //FnGet1776 ExecBuffer = (FnGet1776)MakeExecutableBuffer(Asm, AsmLen);
|
|
|
|
; 183 :
|
|
|
|
; 184 : //if (ExecBuffer)
|
|
|
|
; 184 :
|
|
|
|
; 185 : //{
|
|
|
|
; 185 : //ULONG AsmLen;
|
|
|
|
; 186 : // printf("The numba was: %X\n", ExecBuffer());
|
|
|
|
; 186 : //PVOID Asm = NcAssemble(Pre1, &AsmLen);
|
|
|
|
; 187 : // printf("The numba was: %X\n", ExecBuffer());
|
|
|
|
; 187 : //PUCHAR Tb = (PUCHAR)Asm;
|
|
|
|
; 188 :
|
|
|
|
; 188 : //for (uint32_t i = 0; i < AsmLen; i++)
|
|
|
|
; 189 : // printf("The numba was: %X\n", ExecBuffer());
|
|
|
|
; 189 : //{
|
|
|
|
; 190 :
|
|
|
|
; 190 : // std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' ';
|
|
|
|
; 191 : // printf("The numba was: %X\n", ExecBuffer());
|
|
|
|
; 191 : //}
|
|
|
|
; 192 :
|
|
|
|
; 192 :
|
|
|
|
; 193 : //}
|
|
|
|
; 193 : //system("pause");
|
|
|
|
; 194 :
|
|
|
|
; 194 :
|
|
|
|
; 195 :
|
|
|
|
; 195 : //typedef ULONG64(*FnGet1776)();
|
|
|
|
; 196 : //NcDebugPrint(Post);
|
|
|
|
; 196 : //FnGet1776 ExecBuffer = (FnGet1776)MakeExecutableBuffer(Asm, AsmLen);
|
|
|
|
; 197 :
|
|
|
|
; 197 : //if (ExecBuffer)
|
|
|
|
; 198 :
|
|
|
|
; 198 : //{
|
|
|
|
; 199 :
|
|
|
|
; 199 : // printf("The numba was: %X\n", ExecBuffer());
|
|
|
|
; 200 : /*NATIVE_CODE_BLOCK Block;
|
|
|
|
; 200 : // printf("The numba was: %X\n", ExecBuffer());
|
|
|
|
; 201 : NcDisassemble(&Block, TestBuffer, TestBufferSize);
|
|
|
|
; 201 :
|
|
|
|
; 202 : PNATIVE_CODE_LINK NewLink = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
|
|
|
|
; 202 : // printf("The numba was: %X\n", ExecBuffer());
|
|
|
|
; 203 :
|
|
|
|
; 203 :
|
|
|
|
; 204 : NcInsertLinkBefore(Block.End->Prev->Prev->Prev->Prev, NewLink);
|
|
|
|
; 204 : // printf("The numba was: %X\n", ExecBuffer());
|
|
|
|
; 205 : ULONG AssembledSize;
|
|
|
|
; 205 :
|
|
|
|
; 206 : PVOID AssembledBlock = NcAssemble(&Block, &AssembledSize);
|
|
|
|
; 206 : //}
|
|
|
|
; 207 : if (!AssembledBlock || !AssembledSize)
|
|
|
|
; 207 :
|
|
|
|
; 208 : {
|
|
|
|
; 208 :
|
|
|
|
; 209 : printf("Something failed nicka.\n");
|
|
|
|
; 209 : //NcDebugPrint(Post);
|
|
|
|
; 210 : system("pause");
|
|
|
|
; 210 :
|
|
|
|
; 211 : return -1;
|
|
|
|
; 211 :
|
|
|
|
; 212 : }
|
|
|
|
; 212 :
|
|
|
|
; 213 : PUCHAR Tb = (PUCHAR)AssembledBlock;
|
|
|
|
; 213 : /*NATIVE_CODE_BLOCK Block;
|
|
|
|
; 214 : for (uint32_t i = 0; i < AssembledSize; i++)
|
|
|
|
; 214 : NcDisassemble(&Block, TestBuffer, TestBufferSize);
|
|
|
|
; 215 : {
|
|
|
|
; 215 : PNATIVE_CODE_LINK NewLink = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
|
|
|
|
; 216 : std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' ';
|
|
|
|
; 216 :
|
|
|
|
; 217 : }
|
|
|
|
; 217 : NcInsertLinkBefore(Block.End->Prev->Prev->Prev->Prev, NewLink);
|
|
|
|
; 218 : */
|
|
|
|
; 218 : ULONG AssembledSize;
|
|
|
|
; 219 :
|
|
|
|
; 219 : PVOID AssembledBlock = NcAssemble(&Block, &AssembledSize);
|
|
|
|
; 220 :
|
|
|
|
; 220 : if (!AssembledBlock || !AssembledSize)
|
|
|
|
; 221 : //PNATIVE_CODE_BLOCK OpaqueBranch = ObfGenOpaqueBranch(Block.Start, Block.End);
|
|
|
|
; 221 : {
|
|
|
|
; 222 : //NcDebugPrint(OpaqueBranch);
|
|
|
|
; 222 : printf("Something failed nicka.\n");
|
|
|
|
; 223 :
|
|
|
|
; 223 : system("pause");
|
|
|
|
; 224 :
|
|
|
|
; 224 : return -1;
|
|
|
|
; 225 :
|
|
|
|
; 225 : }
|
|
|
|
; 226 : /*NATIVE_CODE_LINK T;
|
|
|
|
; 226 : PUCHAR Tb = (PUCHAR)AssembledBlock;
|
|
|
|
; 227 : T.RawDataSize = 10;
|
|
|
|
; 227 : for (uint32_t i = 0; i < AssembledSize; i++)
|
|
|
|
; 228 : T.RawData = new UCHAR[10];
|
|
|
|
; 228 : {
|
|
|
|
; 229 : memset(T.RawData, 0xAA, 10);
|
|
|
|
; 229 : std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' ';
|
|
|
|
; 230 : JIT_BITWISE_DATA Data;
|
|
|
|
; 230 : }
|
|
|
|
; 231 : RtlSecureZeroMemory(&Data, sizeof(JIT_BITWISE_DATA));
|
|
|
|
; 231 : */
|
|
|
|
; 232 : PNATIVE_CODE_BLOCK NewBlock = JitEmitPreRipMov(&T);
|
|
|
|
; 232 :
|
|
|
|
; 233 : if (NewBlock)
|
|
|
|
; 233 :
|
|
|
|
; 234 : {
|
|
|
|
; 234 : //PNATIVE_CODE_BLOCK OpaqueBranch = ObfGenOpaqueBranch(Block.Start, Block.End);
|
|
|
|
; 235 : printf("\n");
|
|
|
|
; 235 : //NcDebugPrint(OpaqueBranch);
|
|
|
|
; 236 : NcDebugPrint(NewBlock);
|
|
|
|
; 236 :
|
|
|
|
; 237 : printf("\n");
|
|
|
|
; 237 :
|
|
|
|
; 238 : NcPrintBlockCode(NewBlock);
|
|
|
|
; 238 :
|
|
|
|
; 239 : }
|
|
|
|
; 239 : /*NATIVE_CODE_LINK T;
|
|
|
|
; 240 : system("pause");*/
|
|
|
|
; 240 : T.RawDataSize = 10;
|
|
|
|
; 241 :
|
|
|
|
; 241 : T.RawData = new UCHAR[10];
|
|
|
|
; 242 : }
|
|
|
|
; 242 : memset(T.RawData, 0xAA, 10);
|
|
|
|
|
|
|
|
; 243 : JIT_BITWISE_DATA Data;
|
|
|
|
0018f 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp]
|
|
|
|
; 244 : RtlSecureZeroMemory(&Data, sizeof(JIT_BITWISE_DATA));
|
|
|
|
00193 e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ
|
|
|
|
; 245 : PNATIVE_CODE_BLOCK NewBlock = JitEmitPreRipMov(&T);
|
|
|
|
00198 eb 02 jmp SHORT $LN6@main
|
|
|
|
; 246 : if (NewBlock)
|
|
|
|
0019a eb 02 jmp SHORT $LN5@main
|
|
|
|
; 247 : {
|
|
|
|
|
|
|
|
; 248 : printf("\n");
|
|
|
|
|
|
|
|
; 249 : NcDebugPrint(NewBlock);
|
|
|
|
|
|
|
|
; 250 : printf("\n");
|
|
|
|
|
|
|
|
; 251 : NcPrintBlockCode(NewBlock);
|
|
|
|
|
|
|
|
; 252 : }
|
|
|
|
|
|
|
|
; 253 : system("pause");*/
|
|
|
|
|
|
|
|
; 254 :
|
|
|
|
|
|
|
|
; 255 : }
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
001d1 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp]
|
|
|
|
|
|
|
|
001d5 e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ
|
|
|
|
|
|
|
|
001da eb 02 jmp SHORT $LN6@main
|
|
|
|
|
|
|
|
001dc eb 02 jmp SHORT $LN5@main
|
|
|
|
$LN6@main:
|
|
|
|
$LN6@main:
|
|
|
|
0019c 33 c0 xor eax, eax
|
|
|
|
001de 33 c0 xor eax, eax
|
|
|
|
$LN5@main:
|
|
|
|
$LN5@main:
|
|
|
|
0019e 48 8b f8 mov rdi, rax
|
|
|
|
001e0 48 8b f8 mov rdi, rax
|
|
|
|
001a1 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32]
|
|
|
|
001e3 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32]
|
|
|
|
001a5 48 8d 15 00 00
|
|
|
|
001e7 48 8d 15 00 00
|
|
|
|
00 00 lea rdx, OFFSET FLAT:main$rtcFrameData
|
|
|
|
00 00 lea rdx, OFFSET FLAT:main$rtcFrameData
|
|
|
|
001ac e8 00 00 00 00 call _RTC_CheckStackVars
|
|
|
|
001ee e8 00 00 00 00 call _RTC_CheckStackVars
|
|
|
|
001b1 48 8b c7 mov rax, rdi
|
|
|
|
001f3 48 8b c7 mov rax, rdi
|
|
|
|
001b4 48 8b 8d d0 01
|
|
|
|
001f6 48 8b 8d d8 01
|
|
|
|
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
|
|
|
|
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
|
|
|
|
001bb 48 33 cd xor rcx, rbp
|
|
|
|
001fd 48 33 cd xor rcx, rbp
|
|
|
|
001be e8 00 00 00 00 call __security_check_cookie
|
|
|
|
00200 e8 00 00 00 00 call __security_check_cookie
|
|
|
|
001c3 48 8d a5 e8 01
|
|
|
|
00205 48 8d a5 e8 01
|
|
|
|
00 00 lea rsp, QWORD PTR [rbp+488]
|
|
|
|
00 00 lea rsp, QWORD PTR [rbp+488]
|
|
|
|
001ca 5f pop rdi
|
|
|
|
0020c 5f pop rdi
|
|
|
|
001cb 5d pop rbp
|
|
|
|
0020d 5d pop rbp
|
|
|
|
001cc c3 ret 0
|
|
|
|
0020e c3 ret 0
|
|
|
|
main ENDP
|
|
|
|
main ENDP
|
|
|
|
_TEXT ENDS
|
|
|
|
_TEXT ENDS
|
|
|
|
; COMDAT text$x
|
|
|
|
; COMDAT text$x
|
|
|
@ -9084,10 +9139,11 @@ AsmSize$ = 132
|
|
|
|
Asm$ = 168
|
|
|
|
Asm$ = 168
|
|
|
|
Exec$ = 200
|
|
|
|
Exec$ = 200
|
|
|
|
$T6 = 420
|
|
|
|
$T6 = 420
|
|
|
|
tv134 = 440
|
|
|
|
tv143 = 440
|
|
|
|
tv128 = 448
|
|
|
|
tv132 = 448
|
|
|
|
tv132 = 456
|
|
|
|
tv141 = 456
|
|
|
|
__$ArrayPad$ = 464
|
|
|
|
tv139 = 464
|
|
|
|
|
|
|
|
__$ArrayPad$ = 472
|
|
|
|
main$dtor$0 PROC
|
|
|
|
main$dtor$0 PROC
|
|
|
|
00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
|
|
|
|
00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
|
|
|
|
00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx
|
|
|
|
00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx
|
|
|
@ -9112,10 +9168,11 @@ AsmSize$ = 132
|
|
|
|
Asm$ = 168
|
|
|
|
Asm$ = 168
|
|
|
|
Exec$ = 200
|
|
|
|
Exec$ = 200
|
|
|
|
$T6 = 420
|
|
|
|
$T6 = 420
|
|
|
|
tv134 = 440
|
|
|
|
tv143 = 440
|
|
|
|
tv128 = 448
|
|
|
|
tv132 = 448
|
|
|
|
tv132 = 456
|
|
|
|
tv141 = 456
|
|
|
|
__$ArrayPad$ = 464
|
|
|
|
tv139 = 464
|
|
|
|
|
|
|
|
__$ArrayPad$ = 472
|
|
|
|
main$dtor$0 PROC
|
|
|
|
main$dtor$0 PROC
|
|
|
|
00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
|
|
|
|
00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
|
|
|
|
00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx
|
|
|
|
00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx
|
|
|
|