massive bug in generating jccs

main
James 3 years ago
parent 0b45e5993b
commit 90a967dc01

@ -73,11 +73,17 @@ int main()
NcDisassemble(&Block, meme1, sizeof(meme1)); NcDisassemble(&Block, meme1, sizeof(meme1));
OBFUSCATOR Obf; OBFUSCATOR Obf;
Obf.Flags = 0; Obf.Flags = 0;
Obf.MinInstCount = 3; Obf.MinInstCount = 12;
Obf.GlobalBlock = &Block; Obf.GlobalBlock = &Block;
ObfObfuscate(&Obf, &Block); ObfObfuscate(&Obf, &Block);
Obf.MinInstCount = 4;
ObfObfuscate(&Obf, &Block); ObfObfuscate(&Obf, &Block);
//NcDebugPrint(&Block); NcDebugPrint(&Block);
ULONG ByteSize = NcCalcBlockSizeInBytes(&Block);
ULONG InstSize = NcCountInstructions(&Block);
printf("Bytes: %u, Insts: %u, FlagsMeme: %u.\n", ByteSize, InstSize, Obf.Flags);
ULONG AsmSize; ULONG AsmSize;
PVOID Asm = NcAssemble(&Block, &AsmSize); PVOID Asm = NcAssemble(&Block, &AsmSize);
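Review bot: The added `printf` passes ULONG values to `%u`, but ULONG is `unsigned long`, so the matching specifier is `%lu`: `printf("Bytes: %lu, Insts: %lu, FlagsMeme: %lu.\n", ByteSize, InstSize, Obf.Flags);`. The type of `Obf.Flags` is not visible in this hunk, so confirm it before changing the third specifier. The thresholds 12 and 4 for the two ObfObfuscate passes would also benefit from a one-line comment saying why the second pass uses a lower minimum. main continues outside the hunk.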

@ -6,6 +6,7 @@
VOID ObfObfuscate(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block) VOID ObfObfuscate(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block)
{ {
ULONG InstructionCount = NcCountInstructions(Block); ULONG InstructionCount = NcCountInstructions(Block);
printf("RECIEVED INSTRUCTION COUNT: %u\n", InstructionCount);
if (InstructionCount <= Obf->MinInstCount) if (InstructionCount <= Obf->MinInstCount)
{ {
@ -15,7 +16,8 @@ VOID ObfObfuscate(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block)
ULONG TargetCount = InstructionCount / 2; ULONG TargetCount = InstructionCount / 2;
ULONG CurrentCount = 0; ULONG CurrentCount = 0;
PNATIVE_CODE_LINK NewBlockStart = Block->Start; PNATIVE_CODE_LINK NewBlockStart = Block->Start;
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;) PNATIVE_CODE_LINK RealEnd = Block->End->Next;
for (PNATIVE_CODE_LINK T = Block->Start; T && T != RealEnd;)
{ {
if (T->Flags & CODE_FLAG_IS_LABEL) if (T->Flags & CODE_FLAG_IS_LABEL)
{ {
@ -24,14 +26,18 @@ VOID ObfObfuscate(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block)
} }
++CurrentCount; ++CurrentCount;
if (CurrentCount == TargetCount) if (CurrentCount == TargetCount)
{ {
NATIVE_CODE_BLOCK NotTaken, Taken; NATIVE_CODE_BLOCK NotTaken, Taken;
ObfCreateOpaqueBranches(NewBlockStart, T, &NotTaken, &Taken); ObfCreateOpaqueBranches(NewBlockStart, T, &NotTaken, &Taken);
ObfObfuscate(Obf, &NotTaken); ObfObfuscate(Obf, &NotTaken);
ObfObfuscate(Obf, &Taken); ObfObfuscate(Obf, &Taken);
ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Obf->GlobalBlock), NcGenUnusedLabelId(Obf->GlobalBlock)); if (!ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Obf->GlobalBlock), NcGenUnusedLabelId(Obf->GlobalBlock)))
{
printf("FAILED TO COMBINE BRANCHES.\n");
system("pause");
}
ObfInsertOpaqueBranchBlock(NewBlockStart, T, &NotTaken); ObfInsertOpaqueBranchBlock(NewBlockStart, T, &NotTaken);
T = NotTaken.End; T = NotTaken.End;
NewBlockStart = T->Next; NewBlockStart = T->Next;
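Review bot: When ObfCombineOpaqueBranches fails, the new branch only prints and calls `system("pause")`, then falls through to `ObfInsertOpaqueBranchBlock(NewBlockStart, T, &NotTaken)`, so an uncombined NotTaken block is still spliced in over the original range. The failure path should leave the original links untouched, for example `printf("FAILED TO COMBINE BRANCHES.\n"); return;`, plus whatever cleanup NotTaken and Taken need (their ownership is not visible here). `system("pause")` also spawns a shell and stalls any non-interactive run. Because the function returns VOID, the caller cannot tell that obfuscation failed before it assembles the block, so a status return would be the better shape. The loop and the function body continue outside these hunks.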

@ -2,7 +2,7 @@
XED_ICLASS_ENUM ObfGetRandomJccClass() XED_ICLASS_ENUM ObfGetRandomJccClass()
{ {
switch (rand() % 15) switch (rand() % 14)
{ {
case 0: return XED_ICLASS_JL; case 0: return XED_ICLASS_JL;
case 1: return XED_ICLASS_JLE; case 1: return XED_ICLASS_JLE;
@ -16,7 +16,6 @@ XED_ICLASS_ENUM ObfGetRandomJccClass()
case 9: return XED_ICLASS_JNZ; case 9: return XED_ICLASS_JNZ;
case 10: return XED_ICLASS_JO; case 10: return XED_ICLASS_JO;
case 11: return XED_ICLASS_JP; case 11: return XED_ICLASS_JP;
case 12: return XED_ICLASS_JRCXZ;
case 13: return XED_ICLASS_JS; case 13: return XED_ICLASS_JS;
case 14: return XED_ICLASS_JZ; case 14: return XED_ICLASS_JZ;
} }
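Review bot: The modulus was lowered to `rand() % 14` and `case 12` was removed, but the remaining labels were not renumbered, so a draw of 12 matches no case and `case 14` can never be selected. One draw in fourteen therefore returns whatever follows the switch (outside the hunk), and JZ is never generated. Renumber the tail as `case 12: return XED_ICLASS_JS;` and `case 13: return XED_ICLASS_JZ;`. Cases 2 to 8 are not shown between the two hunks, so this assumes they are contiguous.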

@ -384,6 +384,7 @@ PUBLIC ??_7?$basic_filebuf@DU?$char_traits@D@std@@@std@@6B@ ; std::basic_filebuf
PUBLIC ??_7?$basic_ofstream@DU?$char_traits@D@std@@@std@@6B@ ; std::basic_ofstream<char,std::char_traits<char> >::`vftable' PUBLIC ??_7?$basic_ofstream@DU?$char_traits@D@std@@@std@@6B@ ; std::basic_ofstream<char,std::char_traits<char> >::`vftable'
PUBLIC ??_8?$basic_ofstream@DU?$char_traits@D@std@@@std@@7B@ ; std::basic_ofstream<char,std::char_traits<char> >::`vbtable' PUBLIC ??_8?$basic_ofstream@DU?$char_traits@D@std@@@std@@7B@ ; std::basic_ofstream<char,std::char_traits<char> >::`vbtable'
PUBLIC ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ ; `string' PUBLIC ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ ; `string'
PUBLIC ??_C@_0CG@GOOMLDF@Bytes?3?5?$CFu?0?5Insts?3?5?$CFu?0?5FlagsMeme@ ; `string'
PUBLIC ??_C@_0BK@MMBIMAKC@numba?5is?3?5?$CFu?5size?5is?5?$CFu?6?6@ ; `string' PUBLIC ??_C@_0BK@MMBIMAKC@numba?5is?3?5?$CFu?5size?5is?5?$CFu?6?6@ ; `string'
PUBLIC ??_C@_0N@LPFKKEBD@?3AM?3am?3PM?3pm@ ; `string' PUBLIC ??_C@_0N@LPFKKEBD@?3AM?3am?3PM?3pm@ ; `string'
PUBLIC ??_C@_0GI@GFIDMGHH@C?3?2Program?5Files?5?$CIx86?$CJ?2Microsof@ ; `string' PUBLIC ??_C@_0GI@GFIDMGHH@C?3?2Program?5Files?5?$CIx86?$CJ?2Microsof@ ; `string'
@ -529,8 +530,11 @@ EXTRN ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z:PROC ; std::_Fiopen
EXTRN __imp__time64:PROC EXTRN __imp__time64:PROC
EXTRN xed_tables_init:PROC EXTRN xed_tables_init:PROC
EXTRN ??0_NATIVE_CODE_BLOCK@@QEAA@XZ:PROC ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK EXTRN ??0_NATIVE_CODE_BLOCK@@QEAA@XZ:PROC ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK
EXTRN ?NcCountInstructions@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z:PROC ; NcCountInstructions
EXTRN ?NcCalcBlockSizeInBytes@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z:PROC ; NcCalcBlockSizeInBytes
EXTRN ?NcDisassemble@@YAHPEAU_NATIVE_CODE_BLOCK@@PEAXK@Z:PROC ; NcDisassemble EXTRN ?NcDisassemble@@YAHPEAU_NATIVE_CODE_BLOCK@@PEAXK@Z:PROC ; NcDisassemble
EXTRN ?NcAssemble@@YAPEAXPEAU_NATIVE_CODE_BLOCK@@PEAK@Z:PROC ; NcAssemble EXTRN ?NcAssemble@@YAPEAXPEAU_NATIVE_CODE_BLOCK@@PEAK@Z:PROC ; NcAssemble
EXTRN ?NcDebugPrint@@YAXPEAU_NATIVE_CODE_BLOCK@@@Z:PROC ; NcDebugPrint
EXTRN ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z:PROC ; ObfObfuscate EXTRN ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z:PROC ; ObfObfuscate
EXTRN ??_E?$basic_filebuf@DU?$char_traits@D@std@@@std@@UEAAPEAXI@Z:PROC ; std::basic_filebuf<char,std::char_traits<char> >::`vector deleting destructor' EXTRN ??_E?$basic_filebuf@DU?$char_traits@D@std@@@std@@UEAAPEAXI@Z:PROC ; std::basic_filebuf<char,std::char_traits<char> >::`vector deleting destructor'
EXTRN ??_E?$basic_ofstream@DU?$char_traits@D@std@@@std@@UEAAPEAXI@Z:PROC ; std::basic_ofstream<char,std::char_traits<char> >::`vector deleting destructor' EXTRN ??_E?$basic_ofstream@DU?$char_traits@D@std@@@std@@UEAAPEAXI@Z:PROC ; std::basic_ofstream<char,std::char_traits<char> >::`vector deleting destructor'
@ -1366,7 +1370,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$main DD imagerel $LN4 $pdata$main DD imagerel $LN4
DD imagerel $LN4+331 DD imagerel $LN4+406
DD imagerel $unwind$main DD imagerel $unwind$main
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -2110,6 +2114,11 @@ CONST SEGMENT
??_C@_0BK@MMBIMAKC@numba?5is?3?5?$CFu?5size?5is?5?$CFu?6?6@ DB 'numba is:' ??_C@_0BK@MMBIMAKC@numba?5is?3?5?$CFu?5size?5is?5?$CFu?6?6@ DB 'numba is:'
DB ' %u size is %u', 0aH, 0aH, 00H ; `string' DB ' %u size is %u', 0aH, 0aH, 00H ; `string'
CONST ENDS CONST ENDS
; COMDAT ??_C@_0CG@GOOMLDF@Bytes?3?5?$CFu?0?5Insts?3?5?$CFu?0?5FlagsMeme@
CONST SEGMENT
??_C@_0CG@GOOMLDF@Bytes?3?5?$CFu?0?5Insts?3?5?$CFu?0?5FlagsMeme@ DB 'Byte'
DB 's: %u, Insts: %u, FlagsMeme: %u.', 0aH, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ ; COMDAT ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@
CONST SEGMENT CONST SEGMENT
??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ DB 'C:\Users\Ii' ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ DB 'C:\Users\Ii'
@ -3093,7 +3102,7 @@ $ip2state$main DB 06H
DB 00H DB 00H
DB 0b2H DB 0b2H
DB 02H DB 02H
DB 0e9H, 02H DB 015H, 04H
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -3112,11 +3121,11 @@ xdata ENDS
xdata SEGMENT xdata SEGMENT
$unwind$main DD 025052f19H $unwind$main DD 025052f19H
DD 010a230fH DD 010a230fH
DD 07003003bH DD 070030043H
DD 05002H DD 05002H
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$main DD imagerel $cppxdata$main
DD 01c2H DD 0202H
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -3141,7 +3150,7 @@ main$rtcName$2 DB 041H
DB 065H DB 065H
DB 00H DB 00H
ORG $+8 ORG $+8
main$rtcVarDesc DD 0a4H main$rtcVarDesc DD 0e4H
DD 04H DD 04H
DQ FLAT:main$rtcName$2 DQ FLAT:main$rtcName$2
DD 078H DD 078H
@ -7895,12 +7904,14 @@ text$x ENDS
_TEXT SEGMENT _TEXT SEGMENT
Block$ = 8 Block$ = 8
Obf$ = 88 Obf$ = 88
AsmSize$ = 132 ByteSize$ = 132
Asm$ = 168 InstSize$ = 164
Exec$ = 200 AsmSize$ = 196
tv92 = 404 Asm$ = 232
tv90 = 408 Exec$ = 264
__$ArrayPad$ = 416 tv133 = 468
tv131 = 472
__$ArrayPad$ = 480
main PROC ; COMDAT main PROC ; COMDAT
; 68 : { ; 68 : {
@ -7908,17 +7919,17 @@ main PROC ; COMDAT
$LN4: $LN4:
00000 40 55 push rbp 00000 40 55 push rbp
00002 57 push rdi 00002 57 push rdi
00003 48 81 ec d8 01 00003 48 81 ec 18 02
00 00 sub rsp, 472 ; 000001d8H 00 00 sub rsp, 536 ; 00000218H
0000a 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] 0000a 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32]
0000f 48 8b fc mov rdi, rsp 0000f 48 8b fc mov rdi, rsp
00012 b9 76 00 00 00 mov ecx, 118 ; 00000076H 00012 b9 86 00 00 00 mov ecx, 134 ; 00000086H
00017 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 00017 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH
0001c f3 ab rep stosd 0001c f3 ab rep stosd
0001e 48 8b 05 00 00 0001e 48 8b 05 00 00
00 00 mov rax, QWORD PTR __security_cookie 00 00 mov rax, QWORD PTR __security_cookie
00025 48 33 c5 xor rax, rbp 00025 48 33 c5 xor rax, rbp
00028 48 89 85 a0 01 00028 48 89 85 e0 01
00 00 mov QWORD PTR __$ArrayPad$[rbp], rax 00 00 mov QWORD PTR __$ArrayPad$[rbp], rax
0002f 48 8d 0d 00 00 0002f 48 8d 0d 00 00
00 00 lea rcx, OFFSET FLAT:__4031338C_Main@cpp 00 00 lea rcx, OFFSET FLAT:__4031338C_Main@cpp
@ -7958,10 +7969,10 @@ $LN4:
0006f c7 45 5c 00 00 0006f c7 45 5c 00 00
00 00 mov DWORD PTR Obf$[rbp+4], 0 00 00 mov DWORD PTR Obf$[rbp+4], 0
; 76 : Obf.MinInstCount = 3; ; 76 : Obf.MinInstCount = 12;
00076 c7 45 58 03 00 00076 c7 45 58 0c 00
00 00 mov DWORD PTR Obf$[rbp], 3 00 00 mov DWORD PTR Obf$[rbp], 12
; 77 : Obf.GlobalBlock = &Block; ; 77 : Obf.GlobalBlock = &Block;
@ -7974,192 +7985,230 @@ $LN4:
00089 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp] 00089 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp]
0008d e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate 0008d e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate
; 79 : ObfObfuscate(&Obf, &Block); ; 79 : Obf.MinInstCount = 4;
00092 48 8d 55 08 lea rdx, QWORD PTR Block$[rbp] 00092 c7 45 58 04 00
00096 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp] 00 00 mov DWORD PTR Obf$[rbp], 4
0009a e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate
; 80 : //NcDebugPrint(&Block); ; 80 : ObfObfuscate(&Obf, &Block);
; 81 :
; 82 : ULONG AsmSize; 00099 48 8d 55 08 lea rdx, QWORD PTR Block$[rbp]
; 83 : PVOID Asm = NcAssemble(&Block, &AsmSize); 0009d 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp]
000a1 e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate
; 81 : NcDebugPrint(&Block);
0009f 48 8d 95 84 00
00 00 lea rdx, QWORD PTR AsmSize$[rbp]
000a6 48 8d 4d 08 lea rcx, QWORD PTR Block$[rbp] 000a6 48 8d 4d 08 lea rcx, QWORD PTR Block$[rbp]
000aa e8 00 00 00 00 call ?NcAssemble@@YAPEAXPEAU_NATIVE_CODE_BLOCK@@PEAK@Z ; NcAssemble 000aa e8 00 00 00 00 call ?NcDebugPrint@@YAXPEAU_NATIVE_CODE_BLOCK@@@Z ; NcDebugPrint
000af 48 89 85 a8 00
; 82 :
; 83 : ULONG ByteSize = NcCalcBlockSizeInBytes(&Block);
000af 48 8d 4d 08 lea rcx, QWORD PTR Block$[rbp]
000b3 e8 00 00 00 00 call ?NcCalcBlockSizeInBytes@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z ; NcCalcBlockSizeInBytes
000b8 89 85 84 00 00
00 mov DWORD PTR ByteSize$[rbp], eax
; 84 : ULONG InstSize = NcCountInstructions(&Block);
000be 48 8d 4d 08 lea rcx, QWORD PTR Block$[rbp]
000c2 e8 00 00 00 00 call ?NcCountInstructions@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z ; NcCountInstructions
000c7 89 85 a4 00 00
00 mov DWORD PTR InstSize$[rbp], eax
; 85 :
; 86 : printf("Bytes: %u, Insts: %u, FlagsMeme: %u.\n", ByteSize, InstSize, Obf.Flags);
000cd 44 8b 4d 5c mov r9d, DWORD PTR Obf$[rbp+4]
000d1 44 8b 85 a4 00
00 00 mov r8d, DWORD PTR InstSize$[rbp]
000d8 8b 95 84 00 00
00 mov edx, DWORD PTR ByteSize$[rbp]
000de 48 8d 0d 00 00
00 00 lea rcx, OFFSET FLAT:??_C@_0CG@GOOMLDF@Bytes?3?5?$CFu?0?5Insts?3?5?$CFu?0?5FlagsMeme@
000e5 e8 00 00 00 00 call printf
; 87 :
; 88 : ULONG AsmSize;
; 89 : PVOID Asm = NcAssemble(&Block, &AsmSize);
000ea 48 8d 95 c4 00
00 00 lea rdx, QWORD PTR AsmSize$[rbp]
000f1 48 8d 4d 08 lea rcx, QWORD PTR Block$[rbp]
000f5 e8 00 00 00 00 call ?NcAssemble@@YAPEAXPEAU_NATIVE_CODE_BLOCK@@PEAK@Z ; NcAssemble
000fa 48 89 85 e8 00
00 00 mov QWORD PTR Asm$[rbp], rax 00 00 mov QWORD PTR Asm$[rbp], rax
; 84 : PVOID Exec = MakeExecutableBuffer(Asm, AsmSize); ; 90 : PVOID Exec = MakeExecutableBuffer(Asm, AsmSize);
000b6 8b 95 84 00 00 00101 8b 95 c4 00 00
00 mov edx, DWORD PTR AsmSize$[rbp] 00 mov edx, DWORD PTR AsmSize$[rbp]
000bc 48 8b 8d a8 00 00107 48 8b 8d e8 00
00 00 mov rcx, QWORD PTR Asm$[rbp] 00 00 mov rcx, QWORD PTR Asm$[rbp]
000c3 e8 00 00 00 00 call ?MakeExecutableBuffer@@YAPEAXPEAXK@Z ; MakeExecutableBuffer 0010e e8 00 00 00 00 call ?MakeExecutableBuffer@@YAPEAXPEAXK@Z ; MakeExecutableBuffer
000c8 48 89 85 c8 00 00113 48 89 85 08 01
00 00 mov QWORD PTR Exec$[rbp], rax 00 00 mov QWORD PTR Exec$[rbp], rax
; 85 : typedef ULONG(*FnGetFour)(); ; 91 : typedef ULONG(*FnGetFour)();
; 86 : printf("numba is: %u size is %u\n\n", ((FnGetFour)Exec)(), AsmSize); ; 92 : printf("numba is: %u size is %u\n\n", ((FnGetFour)Exec)(), AsmSize);
000cf 8b 85 84 00 00 0011a 8b 85 c4 00 00
00 mov eax, DWORD PTR AsmSize$[rbp] 00 mov eax, DWORD PTR AsmSize$[rbp]
000d5 89 85 94 01 00 00120 89 85 d4 01 00
00 mov DWORD PTR tv92[rbp], eax 00 mov DWORD PTR tv133[rbp], eax
000db ff 95 c8 00 00 00126 ff 95 08 01 00
00 call QWORD PTR Exec$[rbp] 00 call QWORD PTR Exec$[rbp]
000e1 89 85 98 01 00 0012c 89 85 d8 01 00
00 mov DWORD PTR tv90[rbp], eax 00 mov DWORD PTR tv131[rbp], eax
000e7 44 8b 85 94 01 00132 44 8b 85 d4 01
00 00 mov r8d, DWORD PTR tv92[rbp] 00 00 mov r8d, DWORD PTR tv133[rbp]
000ee 8b 95 98 01 00 00139 8b 95 d8 01 00
00 mov edx, DWORD PTR tv90[rbp] 00 mov edx, DWORD PTR tv131[rbp]
000f4 48 8d 0d 00 00 0013f 48 8d 0d 00 00
00 00 lea rcx, OFFSET FLAT:??_C@_0BK@MMBIMAKC@numba?5is?3?5?$CFu?5size?5is?5?$CFu?6?6@ 00 00 lea rcx, OFFSET FLAT:??_C@_0BK@MMBIMAKC@numba?5is?3?5?$CFu?5size?5is?5?$CFu?6?6@
000fb e8 00 00 00 00 call printf 00146 e8 00 00 00 00 call printf
; 87 : PutToFile(Asm, AsmSize); ; 93 : PutToFile(Asm, AsmSize);
00100 8b 95 84 00 00 0014b 8b 95 c4 00 00
00 mov edx, DWORD PTR AsmSize$[rbp] 00 mov edx, DWORD PTR AsmSize$[rbp]
00106 48 8b 8d a8 00 00151 48 8b 8d e8 00
00 00 mov rcx, QWORD PTR Asm$[rbp] 00 00 mov rcx, QWORD PTR Asm$[rbp]
0010d e8 00 00 00 00 call ?PutToFile@@YAXPEAXK@Z ; PutToFile 00158 e8 00 00 00 00 call ?PutToFile@@YAXPEAXK@Z ; PutToFile
00112 90 npad 1 0015d 90 npad 1
; 88 : ; 94 :
; 89 : ; 95 :
; 90 : //PNATIVE_CODE_LINK Return1776 = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1)); ; 96 : //PNATIVE_CODE_LINK Return1776 = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
; 91 : //PNATIVE_CODE_LINK RetInst = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme2, sizeof(meme2)); ; 97 : //PNATIVE_CODE_LINK RetInst = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme2, sizeof(meme2));
; 92 : //PNATIVE_CODE_BLOCK Pre1 = JitEmitPreRipMov(Return1776); ; 98 : //PNATIVE_CODE_BLOCK Pre1 = JitEmitPreRipMov(Return1776);
; 93 : //PNATIVE_CODE_BLOCK Post1 = JitEmitPostRipMov(Return1776); ; 99 : //PNATIVE_CODE_BLOCK Post1 = JitEmitPostRipMov(Return1776);
; 94 : //PNATIVE_CODE_BLOCK Pre2 = JitEmitPreRipMov(RetInst); ; 100 : //PNATIVE_CODE_BLOCK Pre2 = JitEmitPreRipMov(RetInst);
; 95 : //PNATIVE_CODE_BLOCK Post2 = JitEmitPostRipMov(RetInst); ; 101 : //PNATIVE_CODE_BLOCK Post2 = JitEmitPostRipMov(RetInst);
; 96 : ; 102 :
; 97 : //NcAppendToBlock(Pre1, Return1776); ; 103 : //NcAppendToBlock(Pre1, Return1776);
; 98 : //NcInsertBlockAfter(Pre1->End, Post1, 0); ; 104 : //NcInsertBlockAfter(Pre1->End, Post1, 0);
; 99 : //Pre1->End = Post1->End; ; 105 : //Pre1->End = Post1->End;
; 100 : //NcInsertBlockAfter(Pre1->End, Pre2, 0); ; 106 : //NcInsertBlockAfter(Pre1->End, Pre2, 0);
; 101 : //Pre1->End = Pre2->End; ; 107 : //Pre1->End = Pre2->End;
; 102 : //NcAppendToBlock(Pre1, RetInst); ; 108 : //NcAppendToBlock(Pre1, RetInst);
; 103 : //NcInsertBlockAfter(Pre1->End, Post2, 0); ; 109 : //NcInsertBlockAfter(Pre1->End, Post2, 0);
; 104 : //Pre1->End = Post2->End; ; 110 : //Pre1->End = Post2->End;
; 105 : ; 111 :
; 106 : ///*Pre->Start = Return1776; ; 112 : ///*Pre->Start = Return1776;
; 107 : //Pre->End = Return1776;*/ ; 113 : //Pre->End = Return1776;*/
; 108 :
; 109 : //for (ULONG i = 0; i < Return1776->RawDataSize; i++)
; 110 : // Return1776->RawData[i] = (UCHAR)rand();
; 111 : //for (ULONG i = 0; i < RetInst->RawDataSize; i++)
; 112 : // RetInst->RawData[i] = (UCHAR)rand();
; 113 :
; 114 : ; 114 :
; 115 : ; 115 : //for (ULONG i = 0; i < Return1776->RawDataSize; i++)
; 116 : //ULONG AsmLen; ; 116 : // Return1776->RawData[i] = (UCHAR)rand();
; 117 : //PVOID Asm = NcAssemble(Pre1, &AsmLen); ; 117 : //for (ULONG i = 0; i < RetInst->RawDataSize; i++)
; 118 : //PUCHAR Tb = (PUCHAR)Asm; ; 118 : // RetInst->RawData[i] = (UCHAR)rand();
; 119 : //for (uint32_t i = 0; i < AsmLen; i++) ; 119 :
; 120 : //{ ; 120 :
; 121 : // std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' '; ; 121 :
; 122 : //} ; 122 : //ULONG AsmLen;
; 123 : ; 123 : //PVOID Asm = NcAssemble(Pre1, &AsmLen);
; 124 : //system("pause"); ; 124 : //PUCHAR Tb = (PUCHAR)Asm;
; 125 : ; 125 : //for (uint32_t i = 0; i < AsmLen; i++)
; 126 : //typedef ULONG64(*FnGet1776)(); ; 126 : //{
; 127 : //FnGet1776 ExecBuffer = (FnGet1776)MakeExecutableBuffer(Asm, AsmLen); ; 127 : // std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' ';
; 128 : //if (ExecBuffer) ; 128 : //}
; 129 : //{ ; 129 :
; 130 : // printf("The numba was: %X\n", ExecBuffer()); ; 130 : //system("pause");
; 131 : // printf("The numba was: %X\n", ExecBuffer()); ; 131 :
; 132 : ; 132 : //typedef ULONG64(*FnGet1776)();
; 133 : // printf("The numba was: %X\n", ExecBuffer()); ; 133 : //FnGet1776 ExecBuffer = (FnGet1776)MakeExecutableBuffer(Asm, AsmLen);
; 134 : ; 134 : //if (ExecBuffer)
; 135 : // printf("The numba was: %X\n", ExecBuffer()); ; 135 : //{
; 136 : ; 136 : // printf("The numba was: %X\n", ExecBuffer());
; 137 : //} ; 137 : // printf("The numba was: %X\n", ExecBuffer());
; 138 : ; 138 :
; 139 : ; 139 : // printf("The numba was: %X\n", ExecBuffer());
; 140 : //NcDebugPrint(Post); ; 140 :
; 141 : ; 141 : // printf("The numba was: %X\n", ExecBuffer());
; 142 : ; 142 :
; 143 : ; 143 : //}
; 144 : /*NATIVE_CODE_BLOCK Block; ; 144 :
; 145 : NcDisassemble(&Block, TestBuffer, TestBufferSize); ; 145 :
; 146 : PNATIVE_CODE_LINK NewLink = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1)); ; 146 : //NcDebugPrint(Post);
; 147 : ; 147 :
; 148 : NcInsertLinkBefore(Block.End->Prev->Prev->Prev->Prev, NewLink); ; 148 :
; 149 : ULONG AssembledSize; ; 149 :
; 150 : PVOID AssembledBlock = NcAssemble(&Block, &AssembledSize); ; 150 : /*NATIVE_CODE_BLOCK Block;
; 151 : if (!AssembledBlock || !AssembledSize) ; 151 : NcDisassemble(&Block, TestBuffer, TestBufferSize);
; 152 : { ; 152 : PNATIVE_CODE_LINK NewLink = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
; 153 : printf("Something failed nicka.\n"); ; 153 :
; 154 : system("pause"); ; 154 : NcInsertLinkBefore(Block.End->Prev->Prev->Prev->Prev, NewLink);
; 155 : return -1; ; 155 : ULONG AssembledSize;
; 156 : } ; 156 : PVOID AssembledBlock = NcAssemble(&Block, &AssembledSize);
; 157 : PUCHAR Tb = (PUCHAR)AssembledBlock; ; 157 : if (!AssembledBlock || !AssembledSize)
; 158 : for (uint32_t i = 0; i < AssembledSize; i++) ; 158 : {
; 159 : { ; 159 : printf("Something failed nicka.\n");
; 160 : std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' '; ; 160 : system("pause");
; 161 : } ; 161 : return -1;
; 162 : */ ; 162 : }
; 163 : ; 163 : PUCHAR Tb = (PUCHAR)AssembledBlock;
; 164 : ; 164 : for (uint32_t i = 0; i < AssembledSize; i++)
; 165 : //PNATIVE_CODE_BLOCK OpaqueBranch = ObfGenOpaqueBranch(Block.Start, Block.End); ; 165 : {
; 166 : //NcDebugPrint(OpaqueBranch); ; 166 : std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' ';
; 167 : ; 167 : }
; 168 : ; 168 : */
; 169 : ; 169 :
; 170 : /*NATIVE_CODE_LINK T; ; 170 :
; 171 : T.RawDataSize = 10; ; 171 : //PNATIVE_CODE_BLOCK OpaqueBranch = ObfGenOpaqueBranch(Block.Start, Block.End);
; 172 : T.RawData = new UCHAR[10]; ; 172 : //NcDebugPrint(OpaqueBranch);
; 173 : memset(T.RawData, 0xAA, 10); ; 173 :
; 174 : JIT_BITWISE_DATA Data; ; 174 :
; 175 : RtlSecureZeroMemory(&Data, sizeof(JIT_BITWISE_DATA)); ; 175 :
; 176 : PNATIVE_CODE_BLOCK NewBlock = JitEmitPreRipMov(&T); ; 176 : /*NATIVE_CODE_LINK T;
; 177 : if (NewBlock) ; 177 : T.RawDataSize = 10;
; 178 : { ; 178 : T.RawData = new UCHAR[10];
; 179 : printf("\n"); ; 179 : memset(T.RawData, 0xAA, 10);
; 180 : NcDebugPrint(NewBlock); ; 180 : JIT_BITWISE_DATA Data;
; 181 : printf("\n"); ; 181 : RtlSecureZeroMemory(&Data, sizeof(JIT_BITWISE_DATA));
; 182 : NcPrintBlockCode(NewBlock); ; 182 : PNATIVE_CODE_BLOCK NewBlock = JitEmitPreRipMov(&T);
; 183 : } ; 183 : if (NewBlock)
; 184 : system("pause");*/ ; 184 : {
; 185 : ; 185 : printf("\n");
; 186 : } ; 186 : NcDebugPrint(NewBlock);
; 187 : printf("\n");
00113 48 8d 4d 08 lea rcx, QWORD PTR Block$[rbp] ; 188 : NcPrintBlockCode(NewBlock);
00117 e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ ; 189 : }
0011c 33 c0 xor eax, eax ; 190 : system("pause");*/
0011e 8b f8 mov edi, eax ; 191 :
00120 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] ; 192 : }
00124 48 8d 15 00 00
0015e 48 8d 4d 08 lea rcx, QWORD PTR Block$[rbp]
00162 e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ
00167 33 c0 xor eax, eax
00169 8b f8 mov edi, eax
0016b 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32]
0016f 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:main$rtcFrameData 00 00 lea rdx, OFFSET FLAT:main$rtcFrameData
0012b e8 00 00 00 00 call _RTC_CheckStackVars 00176 e8 00 00 00 00 call _RTC_CheckStackVars
00130 8b c7 mov eax, edi 0017b 8b c7 mov eax, edi
00132 48 8b 8d a0 01 0017d 48 8b 8d e0 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
00139 48 33 cd xor rcx, rbp 00184 48 33 cd xor rcx, rbp
0013c e8 00 00 00 00 call __security_check_cookie 00187 e8 00 00 00 00 call __security_check_cookie
00141 48 8d a5 b8 01 0018c 48 8d a5 f8 01
00 00 lea rsp, QWORD PTR [rbp+440] 00 00 lea rsp, QWORD PTR [rbp+504]
00148 5f pop rdi 00193 5f pop rdi
00149 5d pop rbp 00194 5d pop rbp
0014a c3 ret 0 00195 c3 ret 0
main ENDP main ENDP
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
text$x SEGMENT text$x SEGMENT
Block$ = 8 Block$ = 8
Obf$ = 88 Obf$ = 88
AsmSize$ = 132 ByteSize$ = 132
Asm$ = 168 InstSize$ = 164
Exec$ = 200 AsmSize$ = 196
tv92 = 404 Asm$ = 232
tv90 = 408 Exec$ = 264
__$ArrayPad$ = 416 tv133 = 468
tv131 = 472
__$ArrayPad$ = 480
main$dtor$0 PROC main$dtor$0 PROC
00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx
@ -8180,12 +8229,14 @@ text$x ENDS
text$x SEGMENT text$x SEGMENT
Block$ = 8 Block$ = 8
Obf$ = 88 Obf$ = 88
AsmSize$ = 132 ByteSize$ = 132
Asm$ = 168 InstSize$ = 164
Exec$ = 200 AsmSize$ = 196
tv92 = 404 Asm$ = 232
tv90 = 408 Exec$ = 264
__$ArrayPad$ = 416 tv133 = 468
tv131 = 472
__$ArrayPad$ = 480
main$dtor$0 PROC main$dtor$0 PROC
00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx


@ -221,8 +221,8 @@ $pdata$??_G_NATIVE_CODE_LINK@@QEAAPEAXI@Z DD imagerel $LN4
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?ObfGetRandomJccClass@@YA?AW4xed_iclass_enum_t@@XZ DD imagerel $LN21 $pdata$?ObfGetRandomJccClass@@YA?AW4xed_iclass_enum_t@@XZ DD imagerel $LN20
DD imagerel $LN21+284 DD imagerel $LN20+272
DD imagerel $unwind$?ObfGetRandomJccClass@@YA?AW4xed_iclass_enum_t@@XZ DD imagerel $unwind$?ObfGetRandomJccClass@@YA?AW4xed_iclass_enum_t@@XZ
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -877,7 +877,7 @@ End$ = 392
OpaqueBranchBlock$ = 400 OpaqueBranchBlock$ = 400
?ObfInsertOpaqueBranchBlock@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@@Z PROC ; ObfInsertOpaqueBranchBlock, COMDAT ?ObfInsertOpaqueBranchBlock@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@@Z PROC ; ObfInsertOpaqueBranchBlock, COMDAT
; 117 : { ; 116 : {
$LN15: $LN15:
00000 4c 89 44 24 18 mov QWORD PTR [rsp+24], r8 00000 4c 89 44 24 18 mov QWORD PTR [rsp+24], r8
@ -898,7 +898,7 @@ $LN15:
00 00 lea rcx, OFFSET FLAT:__BCD1AF07_OpaqueBranching@cpp 00 00 lea rcx, OFFSET FLAT:__BCD1AF07_OpaqueBranching@cpp
0003b e8 00 00 00 00 call __CheckForDebuggerJustMyCode 0003b e8 00 00 00 00 call __CheckForDebuggerJustMyCode
; 118 : OpaqueBranchBlock->Start->Prev = Start->Prev; ; 117 : OpaqueBranchBlock->Start->Prev = Start->Prev;
00040 48 8b 85 90 01 00040 48 8b 85 90 01
00 00 mov rax, QWORD PTR OpaqueBranchBlock$[rbp] 00 00 mov rax, QWORD PTR OpaqueBranchBlock$[rbp]
@ -908,7 +908,7 @@ $LN15:
00051 48 8b 49 08 mov rcx, QWORD PTR [rcx+8] 00051 48 8b 49 08 mov rcx, QWORD PTR [rcx+8]
00055 48 89 48 08 mov QWORD PTR [rax+8], rcx 00055 48 89 48 08 mov QWORD PTR [rax+8], rcx
; 119 : OpaqueBranchBlock->End->Next = End->Next; ; 118 : OpaqueBranchBlock->End->Next = End->Next;
00059 48 8b 85 90 01 00059 48 8b 85 90 01
00 00 mov rax, QWORD PTR OpaqueBranchBlock$[rbp] 00 00 mov rax, QWORD PTR OpaqueBranchBlock$[rbp]
@ -918,15 +918,15 @@ $LN15:
0006b 48 8b 09 mov rcx, QWORD PTR [rcx] 0006b 48 8b 09 mov rcx, QWORD PTR [rcx]
0006e 48 89 08 mov QWORD PTR [rax], rcx 0006e 48 89 08 mov QWORD PTR [rax], rcx
; 120 : ; 119 :
; 121 : if (Start->Prev) ; 120 : if (Start->Prev)
00071 48 8b 85 80 01 00071 48 8b 85 80 01
00 00 mov rax, QWORD PTR Start$[rbp] 00 00 mov rax, QWORD PTR Start$[rbp]
00078 48 83 78 08 00 cmp QWORD PTR [rax+8], 0 00078 48 83 78 08 00 cmp QWORD PTR [rax+8], 0
0007d 74 18 je SHORT $LN8@ObfInsertO 0007d 74 18 je SHORT $LN8@ObfInsertO
; 122 : Start->Prev->Next = OpaqueBranchBlock->Start; ; 121 : Start->Prev->Next = OpaqueBranchBlock->Start;
0007f 48 8b 85 80 01 0007f 48 8b 85 80 01
00 00 mov rax, QWORD PTR Start$[rbp] 00 00 mov rax, QWORD PTR Start$[rbp]
@ -937,14 +937,14 @@ $LN15:
00094 48 89 08 mov QWORD PTR [rax], rcx 00094 48 89 08 mov QWORD PTR [rax], rcx
$LN8@ObfInsertO: $LN8@ObfInsertO:
; 123 : if (End->Next) ; 122 : if (End->Next)
00097 48 8b 85 88 01 00097 48 8b 85 88 01
00 00 mov rax, QWORD PTR End$[rbp] 00 00 mov rax, QWORD PTR End$[rbp]
0009e 48 83 38 00 cmp QWORD PTR [rax], 0 0009e 48 83 38 00 cmp QWORD PTR [rax], 0
000a2 74 19 je SHORT $LN9@ObfInsertO 000a2 74 19 je SHORT $LN9@ObfInsertO
; 124 : End->Next->Prev = OpaqueBranchBlock->End; ; 123 : End->Next->Prev = OpaqueBranchBlock->End;
000a4 48 8b 85 88 01 000a4 48 8b 85 88 01
00 00 mov rax, QWORD PTR End$[rbp] 00 00 mov rax, QWORD PTR End$[rbp]
@ -955,8 +955,8 @@ $LN8@ObfInsertO:
000b9 48 89 48 08 mov QWORD PTR [rax+8], rcx 000b9 48 89 48 08 mov QWORD PTR [rax+8], rcx
$LN9@ObfInsertO: $LN9@ObfInsertO:
; 125 : ; 124 :
; 126 : if (Start->Block->Start == Start) ; 125 : if (Start->Block->Start == Start)
000bd 48 8b 85 80 01 000bd 48 8b 85 80 01
00 00 mov rax, QWORD PTR Start$[rbp] 00 00 mov rax, QWORD PTR Start$[rbp]
@ -966,7 +966,7 @@ $LN9@ObfInsertO:
000cf 48 39 08 cmp QWORD PTR [rax], rcx 000cf 48 39 08 cmp QWORD PTR [rax], rcx
000d2 75 18 jne SHORT $LN10@ObfInsertO 000d2 75 18 jne SHORT $LN10@ObfInsertO
; 127 : Start->Block->Start = OpaqueBranchBlock->Start; ; 126 : Start->Block->Start = OpaqueBranchBlock->Start;
000d4 48 8b 85 80 01 000d4 48 8b 85 80 01
00 00 mov rax, QWORD PTR Start$[rbp] 00 00 mov rax, QWORD PTR Start$[rbp]
@ -977,8 +977,8 @@ $LN9@ObfInsertO:
000e9 48 89 08 mov QWORD PTR [rax], rcx 000e9 48 89 08 mov QWORD PTR [rax], rcx
$LN10@ObfInsertO: $LN10@ObfInsertO:
; 128 : ; 127 :
; 129 : if (Start->Block->End == End) ; 128 : if (Start->Block->End == End)
000ec 48 8b 85 80 01 000ec 48 8b 85 80 01
00 00 mov rax, QWORD PTR Start$[rbp] 00 00 mov rax, QWORD PTR Start$[rbp]
@ -988,7 +988,7 @@ $LN10@ObfInsertO:
000fe 48 39 48 08 cmp QWORD PTR [rax+8], rcx 000fe 48 39 48 08 cmp QWORD PTR [rax+8], rcx
00102 75 1a jne SHORT $LN11@ObfInsertO 00102 75 1a jne SHORT $LN11@ObfInsertO
; 130 : Start->Block->End = OpaqueBranchBlock->End; ; 129 : Start->Block->End = OpaqueBranchBlock->End;
00104 48 8b 85 80 01 00104 48 8b 85 80 01
00 00 mov rax, QWORD PTR Start$[rbp] 00 00 mov rax, QWORD PTR Start$[rbp]
@ -999,9 +999,9 @@ $LN10@ObfInsertO:
0011a 48 89 48 08 mov QWORD PTR [rax+8], rcx 0011a 48 89 48 08 mov QWORD PTR [rax+8], rcx
$LN11@ObfInsertO: $LN11@ObfInsertO:
; 131 : ; 130 :
; 132 : //Update group for the current isntructions ; 131 : //Update group for the current isntructions
; 133 : for (PNATIVE_CODE_LINK T = OpaqueBranchBlock->Start; T && T != OpaqueBranchBlock->End->Next; T = T->Next) ; 132 : for (PNATIVE_CODE_LINK T = OpaqueBranchBlock->Start; T && T != OpaqueBranchBlock->End->Next; T = T->Next)
0011e 48 8b 85 90 01 0011e 48 8b 85 90 01
00 00 mov rax, QWORD PTR OpaqueBranchBlock$[rbp] 00 00 mov rax, QWORD PTR OpaqueBranchBlock$[rbp]
@ -1022,7 +1022,7 @@ $LN4@ObfInsertO:
0014e 48 39 45 08 cmp QWORD PTR T$1[rbp], rax 0014e 48 39 45 08 cmp QWORD PTR T$1[rbp], rax
00152 74 15 je SHORT $LN3@ObfInsertO 00152 74 15 je SHORT $LN3@ObfInsertO
; 134 : T->Block = Start->Block; ; 133 : T->Block = Start->Block;
00154 48 8b 45 08 mov rax, QWORD PTR T$1[rbp] 00154 48 8b 45 08 mov rax, QWORD PTR T$1[rbp]
00158 48 8b 8d 80 01 00158 48 8b 8d 80 01
@ -1032,15 +1032,15 @@ $LN4@ObfInsertO:
00167 eb c5 jmp SHORT $LN2@ObfInsertO 00167 eb c5 jmp SHORT $LN2@ObfInsertO
$LN3@ObfInsertO: $LN3@ObfInsertO:
; 135 : ; 134 :
; 136 : PNATIVE_CODE_LINK EndBlock = End->Next; ; 135 : PNATIVE_CODE_LINK EndBlock = End->Next;
00169 48 8b 85 88 01 00169 48 8b 85 88 01
00 00 mov rax, QWORD PTR End$[rbp] 00 00 mov rax, QWORD PTR End$[rbp]
00170 48 8b 00 mov rax, QWORD PTR [rax] 00170 48 8b 00 mov rax, QWORD PTR [rax]
00173 48 89 45 28 mov QWORD PTR EndBlock$[rbp], rax 00173 48 89 45 28 mov QWORD PTR EndBlock$[rbp], rax
; 137 : for (PNATIVE_CODE_LINK T = Start; T && T != EndBlock;) ; 136 : for (PNATIVE_CODE_LINK T = Start; T && T != EndBlock;)
00177 48 8b 85 80 01 00177 48 8b 85 80 01
00 00 mov rax, QWORD PTR Start$[rbp] 00 00 mov rax, QWORD PTR Start$[rbp]
@ -1052,14 +1052,14 @@ $LN5@ObfInsertO:
0018d 48 39 45 48 cmp QWORD PTR T$2[rbp], rax 0018d 48 39 45 48 cmp QWORD PTR T$2[rbp], rax
00191 74 4f je SHORT $LN6@ObfInsertO 00191 74 4f je SHORT $LN6@ObfInsertO
; 138 : { ; 137 : {
; 139 : PNATIVE_CODE_LINK RealNext = T->Next; ; 138 : PNATIVE_CODE_LINK RealNext = T->Next;
00193 48 8b 45 48 mov rax, QWORD PTR T$2[rbp] 00193 48 8b 45 48 mov rax, QWORD PTR T$2[rbp]
00197 48 8b 00 mov rax, QWORD PTR [rax] 00197 48 8b 00 mov rax, QWORD PTR [rax]
0019a 48 89 45 68 mov QWORD PTR RealNext$3[rbp], rax 0019a 48 89 45 68 mov QWORD PTR RealNext$3[rbp], rax
; 140 : delete T; ; 139 : delete T;
0019e 48 8b 45 48 mov rax, QWORD PTR T$2[rbp] 0019e 48 8b 45 48 mov rax, QWORD PTR T$2[rbp]
001a2 48 89 85 48 01 001a2 48 89 85 48 01
@ -1080,21 +1080,21 @@ $LN13@ObfInsertO:
00 mov QWORD PTR tv140[rbp], 0 00 mov QWORD PTR tv140[rbp], 0
$LN14@ObfInsertO: $LN14@ObfInsertO:
; 141 : T = RealNext; ; 140 : T = RealNext;
001d8 48 8b 45 68 mov rax, QWORD PTR RealNext$3[rbp] 001d8 48 8b 45 68 mov rax, QWORD PTR RealNext$3[rbp]
001dc 48 89 45 48 mov QWORD PTR T$2[rbp], rax 001dc 48 89 45 48 mov QWORD PTR T$2[rbp], rax
; 142 : } ; 141 : }
001e0 eb a0 jmp SHORT $LN5@ObfInsertO 001e0 eb a0 jmp SHORT $LN5@ObfInsertO
$LN6@ObfInsertO: $LN6@ObfInsertO:
; 143 : return TRUE; ; 142 : return TRUE;
001e2 b8 01 00 00 00 mov eax, 1 001e2 b8 01 00 00 00 mov eax, 1
; 144 : } ; 143 : }
001e7 48 8d a5 68 01 001e7 48 8d a5 68 01
00 00 lea rsp, QWORD PTR [rbp+360] 00 00 lea rsp, QWORD PTR [rbp+360]
@ -1123,7 +1123,7 @@ JccLabel$ = 464
JmpLabel$ = 472 JmpLabel$ = 472
?ObfCombineOpaqueBranches@@YAHPEAU_NATIVE_CODE_BLOCK@@0KK@Z PROC ; ObfCombineOpaqueBranches, COMDAT ?ObfCombineOpaqueBranches@@YAHPEAU_NATIVE_CODE_BLOCK@@0KK@Z PROC ; ObfCombineOpaqueBranches, COMDAT
; 94 : { ; 93 : {
$LN13: $LN13:
00000 44 89 4c 24 20 mov DWORD PTR [rsp+32], r9d 00000 44 89 4c 24 20 mov DWORD PTR [rsp+32], r9d
@ -1145,7 +1145,7 @@ $LN13:
00 00 lea rcx, OFFSET FLAT:__BCD1AF07_OpaqueBranching@cpp 00 00 lea rcx, OFFSET FLAT:__BCD1AF07_OpaqueBranching@cpp
00040 e8 00 00 00 00 call __CheckForDebuggerJustMyCode 00040 e8 00 00 00 00 call __CheckForDebuggerJustMyCode
; 95 : PNATIVE_CODE_LINK Jcc = ObfGenRandomJcc(JccLabel); ; 94 : PNATIVE_CODE_LINK Jcc = ObfGenRandomJcc(JccLabel);
00045 ba 20 00 00 00 mov edx, 32 ; 00000020H 00045 ba 20 00 00 00 mov edx, 32 ; 00000020H
0004a 8b 8d d0 01 00 0004a 8b 8d d0 01 00
@ -1153,18 +1153,18 @@ $LN13:
00050 e8 00 00 00 00 call ?ObfGenRandomJcc@@YAPEAU_NATIVE_CODE_LINK@@KK@Z ; ObfGenRandomJcc 00050 e8 00 00 00 00 call ?ObfGenRandomJcc@@YAPEAU_NATIVE_CODE_LINK@@KK@Z ; ObfGenRandomJcc
00055 48 89 45 08 mov QWORD PTR Jcc$[rbp], rax 00055 48 89 45 08 mov QWORD PTR Jcc$[rbp], rax
; 96 : if (!Jcc) ; 95 : if (!Jcc)
00059 48 83 7d 08 00 cmp QWORD PTR Jcc$[rbp], 0 00059 48 83 7d 08 00 cmp QWORD PTR Jcc$[rbp], 0
0005e 75 07 jne SHORT $LN2@ObfCombine 0005e 75 07 jne SHORT $LN2@ObfCombine
; 97 : return FALSE; ; 96 : return FALSE;
00060 33 c0 xor eax, eax 00060 33 c0 xor eax, eax
00062 e9 83 01 00 00 jmp $LN1@ObfCombine 00062 e9 83 01 00 00 jmp $LN1@ObfCombine
$LN2@ObfCombine: $LN2@ObfCombine:
; 98 : PNATIVE_CODE_LINK Jmp = ObfGenJmpToLabel(JmpLabel); ; 97 : PNATIVE_CODE_LINK Jmp = ObfGenJmpToLabel(JmpLabel);
00067 ba 20 00 00 00 mov edx, 32 ; 00000020H 00067 ba 20 00 00 00 mov edx, 32 ; 00000020H
0006c 8b 8d d8 01 00 0006c 8b 8d d8 01 00
@ -1172,13 +1172,13 @@ $LN2@ObfCombine:
00072 e8 00 00 00 00 call ?ObfGenJmpToLabel@@YAPEAU_NATIVE_CODE_LINK@@KK@Z ; ObfGenJmpToLabel 00072 e8 00 00 00 00 call ?ObfGenJmpToLabel@@YAPEAU_NATIVE_CODE_LINK@@KK@Z ; ObfGenJmpToLabel
00077 48 89 45 28 mov QWORD PTR Jmp$[rbp], rax 00077 48 89 45 28 mov QWORD PTR Jmp$[rbp], rax
; 99 : if (!Jmp) ; 98 : if (!Jmp)
0007b 48 83 7d 28 00 cmp QWORD PTR Jmp$[rbp], 0 0007b 48 83 7d 28 00 cmp QWORD PTR Jmp$[rbp], 0
00080 75 41 jne SHORT $LN3@ObfCombine 00080 75 41 jne SHORT $LN3@ObfCombine
; 100 : { ; 99 : {
; 101 : delete Jcc; ; 100 : delete Jcc;
00082 48 8b 45 08 mov rax, QWORD PTR Jcc$[rbp] 00082 48 8b 45 08 mov rax, QWORD PTR Jcc$[rbp]
00086 48 89 85 08 01 00086 48 89 85 08 01
@ -1199,30 +1199,30 @@ $LN5@ObfCombine:
00 mov QWORD PTR tv76[rbp], 0 00 mov QWORD PTR tv76[rbp], 0
$LN6@ObfCombine: $LN6@ObfCombine:
; 102 : return FALSE; ; 101 : return FALSE;
000bc 33 c0 xor eax, eax 000bc 33 c0 xor eax, eax
000be e9 27 01 00 00 jmp $LN1@ObfCombine 000be e9 27 01 00 00 jmp $LN1@ObfCombine
$LN3@ObfCombine: $LN3@ObfCombine:
; 103 : } ; 102 : }
; 104 : ; 103 :
; 105 : NcPrependToBlock(NotTaken, Jcc); ; 104 : NcPrependToBlock(NotTaken, Jcc);
000c3 48 8b 55 08 mov rdx, QWORD PTR Jcc$[rbp] 000c3 48 8b 55 08 mov rdx, QWORD PTR Jcc$[rbp]
000c7 48 8b 8d c0 01 000c7 48 8b 8d c0 01
00 00 mov rcx, QWORD PTR NotTaken$[rbp] 00 00 mov rcx, QWORD PTR NotTaken$[rbp]
000ce e8 00 00 00 00 call ?NcPrependToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcPrependToBlock 000ce e8 00 00 00 00 call ?NcPrependToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcPrependToBlock
; 106 : NcAppendToBlock(NotTaken, Jmp); ; 105 : NcAppendToBlock(NotTaken, Jmp);
000d3 48 8b 55 28 mov rdx, QWORD PTR Jmp$[rbp] 000d3 48 8b 55 28 mov rdx, QWORD PTR Jmp$[rbp]
000d7 48 8b 8d c0 01 000d7 48 8b 8d c0 01
00 00 mov rcx, QWORD PTR NotTaken$[rbp] 00 00 mov rcx, QWORD PTR NotTaken$[rbp]
000de e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock 000de e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock
; 107 : ; 106 :
; 108 : NcPrependToBlock(Taken, new NATIVE_CODE_LINK(JccLabel, Taken)); ; 107 : NcPrependToBlock(Taken, new NATIVE_CODE_LINK(JccLabel, Taken));
000e3 b9 f0 00 00 00 mov ecx, 240 ; 000000f0H 000e3 b9 f0 00 00 00 mov ecx, 240 ; 000000f0H
000e8 e8 00 00 00 00 call ??2@YAPEAX_K@Z ; operator new 000e8 e8 00 00 00 00 call ??2@YAPEAX_K@Z ; operator new
@ -1256,7 +1256,7 @@ $LN8@ObfCombine:
00 00 mov rcx, QWORD PTR Taken$[rbp] 00 00 mov rcx, QWORD PTR Taken$[rbp]
00147 e8 00 00 00 00 call ?NcPrependToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcPrependToBlock 00147 e8 00 00 00 00 call ?NcPrependToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcPrependToBlock
; 109 : NcAppendToBlock(Taken, new NATIVE_CODE_LINK(JmpLabel, Taken)); ; 108 : NcAppendToBlock(Taken, new NATIVE_CODE_LINK(JmpLabel, Taken));
0014c b9 f0 00 00 00 mov ecx, 240 ; 000000f0H 0014c b9 f0 00 00 00 mov ecx, 240 ; 000000f0H
00151 e8 00 00 00 00 call ??2@YAPEAX_K@Z ; operator new 00151 e8 00 00 00 00 call ??2@YAPEAX_K@Z ; operator new
@ -1290,8 +1290,8 @@ $LN10@ObfCombine:
00 00 mov rcx, QWORD PTR Taken$[rbp] 00 00 mov rcx, QWORD PTR Taken$[rbp]
001b0 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock 001b0 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock
; 110 : ; 109 :
; 111 : NcInsertBlockAfter(NotTaken->End, Taken, FALSE); ; 110 : NcInsertBlockAfter(NotTaken->End, Taken, FALSE);
001b5 45 33 c0 xor r8d, r8d 001b5 45 33 c0 xor r8d, r8d
001b8 48 8b 95 c8 01 001b8 48 8b 95 c8 01
@ -1301,7 +1301,7 @@ $LN10@ObfCombine:
001c6 48 8b 48 08 mov rcx, QWORD PTR [rax+8] 001c6 48 8b 48 08 mov rcx, QWORD PTR [rax+8]
001ca e8 00 00 00 00 call ?NcInsertBlockAfter@@YAHPEAU_NATIVE_CODE_LINK@@PEAU_NATIVE_CODE_BLOCK@@H@Z ; NcInsertBlockAfter 001ca e8 00 00 00 00 call ?NcInsertBlockAfter@@YAHPEAU_NATIVE_CODE_LINK@@PEAU_NATIVE_CODE_BLOCK@@H@Z ; NcInsertBlockAfter
; 112 : NotTaken->End = Taken->End; ; 111 : NotTaken->End = Taken->End;
001cf 48 8b 85 c0 01 001cf 48 8b 85 c0 01
00 00 mov rax, QWORD PTR NotTaken$[rbp] 00 00 mov rax, QWORD PTR NotTaken$[rbp]
@ -1310,12 +1310,12 @@ $LN10@ObfCombine:
001dd 48 8b 49 08 mov rcx, QWORD PTR [rcx+8] 001dd 48 8b 49 08 mov rcx, QWORD PTR [rcx+8]
001e1 48 89 48 08 mov QWORD PTR [rax+8], rcx 001e1 48 89 48 08 mov QWORD PTR [rax+8], rcx
; 113 : return TRUE; ; 112 : return TRUE;
001e5 b8 01 00 00 00 mov eax, 1 001e5 b8 01 00 00 00 mov eax, 1
$LN1@ObfCombine: $LN1@ObfCombine:
; 114 : } ; 113 : }
001ea 48 8d a5 a8 01 001ea 48 8d a5 a8 01
00 00 lea rsp, QWORD PTR [rbp+424] 00 00 lea rsp, QWORD PTR [rbp+424]
@ -1469,7 +1469,7 @@ NotTaken$ = 256
Taken$ = 264 Taken$ = 264
?ObfCreateOpaqueBranches@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@1@Z PROC ; ObfCreateOpaqueBranches, COMDAT ?ObfCreateOpaqueBranches@@YAHPEAU_NATIVE_CODE_LINK@@0PEAU_NATIVE_CODE_BLOCK@@1@Z PROC ; ObfCreateOpaqueBranches, COMDAT
; 89 : { ; 88 : {
$LN5: $LN5:
00000 4c 89 4c 24 20 mov QWORD PTR [rsp+32], r9 00000 4c 89 4c 24 20 mov QWORD PTR [rsp+32], r9
@ -1491,7 +1491,7 @@ $LN5:
00 00 lea rcx, OFFSET FLAT:__BCD1AF07_OpaqueBranching@cpp 00 00 lea rcx, OFFSET FLAT:__BCD1AF07_OpaqueBranching@cpp
00040 e8 00 00 00 00 call __CheckForDebuggerJustMyCode 00040 e8 00 00 00 00 call __CheckForDebuggerJustMyCode
; 90 : return (NcDeepCopyPartialBlock(Start, End, Taken) && !NcDeepCopyPartialBlock(Start, End, NotTaken)); ; 89 : return (NcDeepCopyPartialBlock(Start, End, Taken) && !NcDeepCopyPartialBlock(Start, End, NotTaken));
00045 4c 8b 85 08 01 00045 4c 8b 85 08 01
00 00 mov r8, QWORD PTR Taken$[rbp] 00 00 mov r8, QWORD PTR Taken$[rbp]
@ -1521,7 +1521,7 @@ $LN4@ObfCreateO:
00097 8b 85 c0 00 00 00097 8b 85 c0 00 00
00 mov eax, DWORD PTR tv74[rbp] 00 mov eax, DWORD PTR tv74[rbp]
; 91 : } ; 90 : }
0009d 48 8d a5 d8 00 0009d 48 8d a5 d8 00
00 00 lea rsp, QWORD PTR [rbp+216] 00 00 lea rsp, QWORD PTR [rbp+216]
@ -1553,7 +1553,7 @@ LabelId$ = 1776
DisplacementWidth$ = 1784 DisplacementWidth$ = 1784
?ObfGenJmpToLabel@@YAPEAU_NATIVE_CODE_LINK@@KK@Z PROC ; ObfGenJmpToLabel, COMDAT ?ObfGenJmpToLabel@@YAPEAU_NATIVE_CODE_LINK@@KK@Z PROC ; ObfGenJmpToLabel, COMDAT
; 58 : { ; 57 : {
$LN11: $LN11:
00000 89 54 24 10 mov DWORD PTR [rsp+16], edx 00000 89 54 24 10 mov DWORD PTR [rsp+16], edx
@ -1579,23 +1579,23 @@ $LN11:
00 00 lea rcx, OFFSET FLAT:__BCD1AF07_OpaqueBranching@cpp 00 00 lea rcx, OFFSET FLAT:__BCD1AF07_OpaqueBranching@cpp
00045 e8 00 00 00 00 call __CheckForDebuggerJustMyCode 00045 e8 00 00 00 00 call __CheckForDebuggerJustMyCode
; 59 : XED_STATE MachineState; ; 58 : XED_STATE MachineState;
; 60 : MachineState.mmode = XED_MACHINE_MODE_LONG_64; ; 59 : MachineState.mmode = XED_MACHINE_MODE_LONG_64;
0004a c7 45 08 01 00 0004a c7 45 08 01 00
00 00 mov DWORD PTR MachineState$[rbp], 1 00 00 mov DWORD PTR MachineState$[rbp], 1
; 61 : MachineState.stack_addr_width = XED_ADDRESS_WIDTH_64b; ; 60 : MachineState.stack_addr_width = XED_ADDRESS_WIDTH_64b;
00051 c7 45 0c 08 00 00051 c7 45 0c 08 00
00 00 mov DWORD PTR MachineState$[rbp+4], 8 00 00 mov DWORD PTR MachineState$[rbp+4], 8
; 62 : XED_ENCODER_INSTRUCTION EncoderInstruction; ; 61 : XED_ENCODER_INSTRUCTION EncoderInstruction;
; 63 : XED_ENCODER_REQUEST EncoderRequest; ; 62 : XED_ENCODER_REQUEST EncoderRequest;
; 64 : UCHAR EncodeBuffer[15]; ; 63 : UCHAR EncodeBuffer[15];
; 65 : UINT ReturnedSize; ; 64 : UINT ReturnedSize;
; 66 : ; 65 :
; 67 : XedInst1(&EncoderInstruction, MachineState, XED_ICLASS_JMP, DisplacementWidth, XedRelBr(0, DisplacementWidth)); ; 66 : XedInst1(&EncoderInstruction, MachineState, XED_ICLASS_JMP, DisplacementWidth, XedRelBr(0, DisplacementWidth));
00058 44 8b 85 f8 06 00058 44 8b 85 f8 06
00 00 mov r8d, DWORD PTR DisplacementWidth$[rbp] 00 00 mov r8d, DWORD PTR DisplacementWidth$[rbp]
@ -1628,15 +1628,15 @@ $LN11:
000b9 48 8d 4d 30 lea rcx, QWORD PTR EncoderInstruction$[rbp] 000b9 48 8d 4d 30 lea rcx, QWORD PTR EncoderInstruction$[rbp]
000bd e8 00 00 00 00 call xed_inst1 000bd e8 00 00 00 00 call xed_inst1
; 68 : ; 67 :
; 69 : XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState); ; 68 : XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState);
000c2 48 8d 55 08 lea rdx, QWORD PTR MachineState$[rbp] 000c2 48 8d 55 08 lea rdx, QWORD PTR MachineState$[rbp]
000c6 48 8d 8d f0 01 000c6 48 8d 8d f0 01
00 00 lea rcx, QWORD PTR EncoderRequest$[rbp] 00 00 lea rcx, QWORD PTR EncoderRequest$[rbp]
000cd e8 00 00 00 00 call xed_encoder_request_zero_set_mode 000cd e8 00 00 00 00 call xed_encoder_request_zero_set_mode
; 70 : if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction)) ; 69 : if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction))
000d2 48 8d 55 30 lea rdx, QWORD PTR EncoderInstruction$[rbp] 000d2 48 8d 55 30 lea rdx, QWORD PTR EncoderInstruction$[rbp]
000d6 48 8d 8d f0 01 000d6 48 8d 8d f0 01
@ -1645,14 +1645,14 @@ $LN11:
000e2 85 c0 test eax, eax 000e2 85 c0 test eax, eax
000e4 75 07 jne SHORT $LN2@ObfGenJmpT 000e4 75 07 jne SHORT $LN2@ObfGenJmpT
; 71 : return NULL; ; 70 : return NULL;
000e6 33 c0 xor eax, eax 000e6 33 c0 xor eax, eax
000e8 e9 30 01 00 00 jmp $LN1@ObfGenJmpT 000e8 e9 30 01 00 00 jmp $LN1@ObfGenJmpT
$LN2@ObfGenJmpT: $LN2@ObfGenJmpT:
; 72 : ; 71 :
; 73 : if (XED_ERROR_NONE != XedEncode(&EncoderRequest, EncodeBuffer, 15, &ReturnedSize)) ; 72 : if (XED_ERROR_NONE != XedEncode(&EncoderRequest, EncodeBuffer, 15, &ReturnedSize))
000ed 4c 8d 8d f4 02 000ed 4c 8d 8d f4 02
00 00 lea r9, QWORD PTR ReturnedSize$[rbp] 00 00 lea r9, QWORD PTR ReturnedSize$[rbp]
@ -1666,14 +1666,14 @@ $LN2@ObfGenJmpT:
0010d 85 c0 test eax, eax 0010d 85 c0 test eax, eax
0010f 74 07 je SHORT $LN3@ObfGenJmpT 0010f 74 07 je SHORT $LN3@ObfGenJmpT
; 74 : return NULL; ; 73 : return NULL;
00111 33 c0 xor eax, eax 00111 33 c0 xor eax, eax
00113 e9 05 01 00 00 jmp $LN1@ObfGenJmpT 00113 e9 05 01 00 00 jmp $LN1@ObfGenJmpT
$LN3@ObfGenJmpT: $LN3@ObfGenJmpT:
; 75 : ; 74 :
; 76 : PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, EncodeBuffer, ReturnedSize); ; 75 : PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, EncodeBuffer, ReturnedSize);
00118 b9 f0 00 00 00 mov ecx, 240 ; 000000f0H 00118 b9 f0 00 00 00 mov ecx, 240 ; 000000f0H
0011d e8 00 00 00 00 call ??2@YAPEAX_K@Z ; operator new 0011d e8 00 00 00 00 call ??2@YAPEAX_K@Z ; operator new
@ -1709,7 +1709,7 @@ $LN7@ObfGenJmpT:
00183 48 89 85 18 03 00183 48 89 85 18 03
00 00 mov QWORD PTR Link$[rbp], rax 00 00 mov QWORD PTR Link$[rbp], rax
; 77 : if (XED_ERROR_NONE != XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize)) ; 76 : if (XED_ERROR_NONE != XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize))
0018a 48 8b 85 18 03 0018a 48 8b 85 18 03
00 00 mov rax, QWORD PTR Link$[rbp] 00 00 mov rax, QWORD PTR Link$[rbp]
@ -1725,8 +1725,8 @@ $LN7@ObfGenJmpT:
001b3 85 c0 test eax, eax 001b3 85 c0 test eax, eax
001b5 74 41 je SHORT $LN4@ObfGenJmpT 001b5 74 41 je SHORT $LN4@ObfGenJmpT
; 78 : { ; 77 : {
; 79 : delete Link; ; 78 : delete Link;
001b7 48 8b 85 18 03 001b7 48 8b 85 18 03
00 00 mov rax, QWORD PTR Link$[rbp] 00 00 mov rax, QWORD PTR Link$[rbp]
@ -1748,14 +1748,14 @@ $LN8@ObfGenJmpT:
00 mov QWORD PTR tv145[rbp], 0 00 mov QWORD PTR tv145[rbp], 0
$LN9@ObfGenJmpT: $LN9@ObfGenJmpT:
; 80 : return NULL; ; 79 : return NULL;
001f4 33 c0 xor eax, eax 001f4 33 c0 xor eax, eax
001f6 eb 25 jmp SHORT $LN1@ObfGenJmpT 001f6 eb 25 jmp SHORT $LN1@ObfGenJmpT
$LN4@ObfGenJmpT: $LN4@ObfGenJmpT:
; 81 : } ; 80 : }
; 82 : Link->Label = LabelId; ; 81 : Link->Label = LabelId;
001f8 48 8b 85 18 03 001f8 48 8b 85 18 03
00 00 mov rax, QWORD PTR Link$[rbp] 00 00 mov rax, QWORD PTR Link$[rbp]
@ -1763,21 +1763,21 @@ $LN4@ObfGenJmpT:
00 mov ecx, DWORD PTR LabelId$[rbp] 00 mov ecx, DWORD PTR LabelId$[rbp]
00205 89 48 1c mov DWORD PTR [rax+28], ecx 00205 89 48 1c mov DWORD PTR [rax+28], ecx
; 83 : Link->Flags = (CODE_FLAG_IS_INST | CODE_FLAG_IS_REL_JMP); ; 82 : Link->Flags = (CODE_FLAG_IS_INST | CODE_FLAG_IS_REL_JMP);
00208 48 8b 85 18 03 00208 48 8b 85 18 03
00 00 mov rax, QWORD PTR Link$[rbp] 00 00 mov rax, QWORD PTR Link$[rbp]
0020f c7 40 18 06 00 0020f c7 40 18 06 00
00 00 mov DWORD PTR [rax+24], 6 00 00 mov DWORD PTR [rax+24], 6
; 84 : ; 83 :
; 85 : return Link; ; 84 : return Link;
00216 48 8b 85 18 03 00216 48 8b 85 18 03
00 00 mov rax, QWORD PTR Link$[rbp] 00 00 mov rax, QWORD PTR Link$[rbp]
$LN1@ObfGenJmpT: $LN1@ObfGenJmpT:
; 86 : } ; 85 : }
0021d 48 8b f8 mov rdi, rax 0021d 48 8b f8 mov rdi, rax
00220 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48] 00220 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
@ -1895,7 +1895,7 @@ LabelId$ = 1808
DisplacementWidth$ = 1816 DisplacementWidth$ = 1816
?ObfGenRandomJcc@@YAPEAU_NATIVE_CODE_LINK@@KK@Z PROC ; ObfGenRandomJcc, COMDAT ?ObfGenRandomJcc@@YAPEAU_NATIVE_CODE_LINK@@KK@Z PROC ; ObfGenRandomJcc, COMDAT
; 27 : { ; 26 : {
$LN11: $LN11:
00000 89 54 24 10 mov DWORD PTR [rsp+16], edx 00000 89 54 24 10 mov DWORD PTR [rsp+16], edx
@ -1921,23 +1921,23 @@ $LN11:
00 00 lea rcx, OFFSET FLAT:__BCD1AF07_OpaqueBranching@cpp 00 00 lea rcx, OFFSET FLAT:__BCD1AF07_OpaqueBranching@cpp
00045 e8 00 00 00 00 call __CheckForDebuggerJustMyCode 00045 e8 00 00 00 00 call __CheckForDebuggerJustMyCode
; 28 : XED_STATE MachineState; ; 27 : XED_STATE MachineState;
; 29 : MachineState.mmode = XED_MACHINE_MODE_LONG_64; ; 28 : MachineState.mmode = XED_MACHINE_MODE_LONG_64;
0004a c7 45 08 01 00 0004a c7 45 08 01 00
00 00 mov DWORD PTR MachineState$[rbp], 1 00 00 mov DWORD PTR MachineState$[rbp], 1
; 30 : MachineState.stack_addr_width = XED_ADDRESS_WIDTH_64b; ; 29 : MachineState.stack_addr_width = XED_ADDRESS_WIDTH_64b;
00051 c7 45 0c 08 00 00051 c7 45 0c 08 00
00 00 mov DWORD PTR MachineState$[rbp+4], 8 00 00 mov DWORD PTR MachineState$[rbp+4], 8
; 31 : XED_ENCODER_INSTRUCTION EncoderInstruction; ; 30 : XED_ENCODER_INSTRUCTION EncoderInstruction;
; 32 : XED_ENCODER_REQUEST EncoderRequest; ; 31 : XED_ENCODER_REQUEST EncoderRequest;
; 33 : UCHAR EncodeBuffer[15]; ; 32 : UCHAR EncodeBuffer[15];
; 34 : UINT ReturnedSize; ; 33 : UINT ReturnedSize;
; 35 : ; 34 :
; 36 : XedInst1(&EncoderInstruction, MachineState, ObfGetRandomJccClass(), DisplacementWidth, XedRelBr(0, DisplacementWidth)); ; 35 : XedInst1(&EncoderInstruction, MachineState, ObfGetRandomJccClass(), DisplacementWidth, XedRelBr(0, DisplacementWidth));
00058 44 8b 85 18 07 00058 44 8b 85 18 07
00 00 mov r8d, DWORD PTR DisplacementWidth$[rbp] 00 00 mov r8d, DWORD PTR DisplacementWidth$[rbp]
@ -1977,15 +1977,15 @@ $LN11:
000d3 48 8d 4d 30 lea rcx, QWORD PTR EncoderInstruction$[rbp] 000d3 48 8d 4d 30 lea rcx, QWORD PTR EncoderInstruction$[rbp]
000d7 e8 00 00 00 00 call xed_inst1 000d7 e8 00 00 00 00 call xed_inst1
; 37 : ; 36 :
; 38 : XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState); ; 37 : XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState);
000dc 48 8d 55 08 lea rdx, QWORD PTR MachineState$[rbp] 000dc 48 8d 55 08 lea rdx, QWORD PTR MachineState$[rbp]
000e0 48 8d 8d f0 01 000e0 48 8d 8d f0 01
00 00 lea rcx, QWORD PTR EncoderRequest$[rbp] 00 00 lea rcx, QWORD PTR EncoderRequest$[rbp]
000e7 e8 00 00 00 00 call xed_encoder_request_zero_set_mode 000e7 e8 00 00 00 00 call xed_encoder_request_zero_set_mode
; 39 : if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction)) ; 38 : if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction))
000ec 48 8d 55 30 lea rdx, QWORD PTR EncoderInstruction$[rbp] 000ec 48 8d 55 30 lea rdx, QWORD PTR EncoderInstruction$[rbp]
000f0 48 8d 8d f0 01 000f0 48 8d 8d f0 01
@ -1994,14 +1994,14 @@ $LN11:
000fc 85 c0 test eax, eax 000fc 85 c0 test eax, eax
000fe 75 07 jne SHORT $LN2@ObfGenRand 000fe 75 07 jne SHORT $LN2@ObfGenRand
; 40 : return NULL; ; 39 : return NULL;
00100 33 c0 xor eax, eax 00100 33 c0 xor eax, eax
00102 e9 30 01 00 00 jmp $LN1@ObfGenRand 00102 e9 30 01 00 00 jmp $LN1@ObfGenRand
$LN2@ObfGenRand: $LN2@ObfGenRand:
; 41 : ; 40 :
; 42 : if (XED_ERROR_NONE != XedEncode(&EncoderRequest, EncodeBuffer, 15, &ReturnedSize)) ; 41 : if (XED_ERROR_NONE != XedEncode(&EncoderRequest, EncodeBuffer, 15, &ReturnedSize))
00107 4c 8d 8d f4 02 00107 4c 8d 8d f4 02
00 00 lea r9, QWORD PTR ReturnedSize$[rbp] 00 00 lea r9, QWORD PTR ReturnedSize$[rbp]
@ -2015,14 +2015,14 @@ $LN2@ObfGenRand:
00127 85 c0 test eax, eax 00127 85 c0 test eax, eax
00129 74 07 je SHORT $LN3@ObfGenRand 00129 74 07 je SHORT $LN3@ObfGenRand
; 43 : return NULL; ; 42 : return NULL;
0012b 33 c0 xor eax, eax 0012b 33 c0 xor eax, eax
0012d e9 05 01 00 00 jmp $LN1@ObfGenRand 0012d e9 05 01 00 00 jmp $LN1@ObfGenRand
$LN3@ObfGenRand: $LN3@ObfGenRand:
; 44 : ; 43 :
; 45 : PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, EncodeBuffer, ReturnedSize); ; 44 : PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, EncodeBuffer, ReturnedSize);
00132 b9 f0 00 00 00 mov ecx, 240 ; 000000f0H 00132 b9 f0 00 00 00 mov ecx, 240 ; 000000f0H
00137 e8 00 00 00 00 call ??2@YAPEAX_K@Z ; operator new 00137 e8 00 00 00 00 call ??2@YAPEAX_K@Z ; operator new
@ -2058,7 +2058,7 @@ $LN7@ObfGenRand:
0019d 48 89 85 18 03 0019d 48 89 85 18 03
00 00 mov QWORD PTR Link$[rbp], rax 00 00 mov QWORD PTR Link$[rbp], rax
; 46 : if (XED_ERROR_NONE != XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize)) ; 45 : if (XED_ERROR_NONE != XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize))
001a4 48 8b 85 18 03 001a4 48 8b 85 18 03
00 00 mov rax, QWORD PTR Link$[rbp] 00 00 mov rax, QWORD PTR Link$[rbp]
@ -2074,8 +2074,8 @@ $LN7@ObfGenRand:
001cd 85 c0 test eax, eax 001cd 85 c0 test eax, eax
001cf 74 41 je SHORT $LN4@ObfGenRand 001cf 74 41 je SHORT $LN4@ObfGenRand
; 47 : { ; 46 : {
; 48 : delete Link; ; 47 : delete Link;
001d1 48 8b 85 18 03 001d1 48 8b 85 18 03
00 00 mov rax, QWORD PTR Link$[rbp] 00 00 mov rax, QWORD PTR Link$[rbp]
@ -2097,14 +2097,14 @@ $LN8@ObfGenRand:
00 mov QWORD PTR tv149[rbp], 0 00 mov QWORD PTR tv149[rbp], 0
$LN9@ObfGenRand: $LN9@ObfGenRand:
; 49 : return NULL; ; 48 : return NULL;
0020e 33 c0 xor eax, eax 0020e 33 c0 xor eax, eax
00210 eb 25 jmp SHORT $LN1@ObfGenRand 00210 eb 25 jmp SHORT $LN1@ObfGenRand
$LN4@ObfGenRand: $LN4@ObfGenRand:
; 50 : } ; 49 : }
; 51 : Link->Label = LabelId; ; 50 : Link->Label = LabelId;
00212 48 8b 85 18 03 00212 48 8b 85 18 03
00 00 mov rax, QWORD PTR Link$[rbp] 00 00 mov rax, QWORD PTR Link$[rbp]
@ -2112,21 +2112,21 @@ $LN4@ObfGenRand:
00 mov ecx, DWORD PTR LabelId$[rbp] 00 mov ecx, DWORD PTR LabelId$[rbp]
0021f 89 48 1c mov DWORD PTR [rax+28], ecx 0021f 89 48 1c mov DWORD PTR [rax+28], ecx
; 52 : Link->Flags = (CODE_FLAG_IS_INST | CODE_FLAG_IS_REL_JMP); ; 51 : Link->Flags = (CODE_FLAG_IS_INST | CODE_FLAG_IS_REL_JMP);
00222 48 8b 85 18 03 00222 48 8b 85 18 03
00 00 mov rax, QWORD PTR Link$[rbp] 00 00 mov rax, QWORD PTR Link$[rbp]
00229 c7 40 18 06 00 00229 c7 40 18 06 00
00 00 mov DWORD PTR [rax+24], 6 00 00 mov DWORD PTR [rax+24], 6
; 53 : ; 52 :
; 54 : return Link; ; 53 : return Link;
00230 48 8b 85 18 03 00230 48 8b 85 18 03
00 00 mov rax, QWORD PTR Link$[rbp] 00 00 mov rax, QWORD PTR Link$[rbp]
$LN1@ObfGenRand: $LN1@ObfGenRand:
; 55 : } ; 54 : }
00237 48 8b f8 mov rdi, rax 00237 48 8b f8 mov rdi, rax
0023a 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48] 0023a 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
@ -2232,7 +2232,7 @@ tv66 = 192
; 4 : { ; 4 : {
$LN21: $LN20:
00000 40 55 push rbp 00000 40 55 push rbp
00002 57 push rdi 00002 57 push rdi
00003 48 81 ec f8 00 00003 48 81 ec f8 00
@ -2246,151 +2246,143 @@ $LN21:
00 00 lea rcx, OFFSET FLAT:__BCD1AF07_OpaqueBranching@cpp 00 00 lea rcx, OFFSET FLAT:__BCD1AF07_OpaqueBranching@cpp
00025 e8 00 00 00 00 call __CheckForDebuggerJustMyCode 00025 e8 00 00 00 00 call __CheckForDebuggerJustMyCode
; 5 : switch (rand() % 15) ; 5 : switch (rand() % 14)
0002a ff 15 00 00 00 0002a ff 15 00 00 00
00 call QWORD PTR __imp_rand 00 call QWORD PTR __imp_rand
00030 99 cdq 00030 99 cdq
00031 b9 0f 00 00 00 mov ecx, 15 00031 b9 0e 00 00 00 mov ecx, 14
00036 f7 f9 idiv ecx 00036 f7 f9 idiv ecx
00038 8b c2 mov eax, edx 00038 8b c2 mov eax, edx
0003a 89 85 c0 00 00 0003a 89 85 c0 00 00
00 mov DWORD PTR tv66[rbp], eax 00 mov DWORD PTR tv66[rbp], eax
00040 83 bd c0 00 00 00040 83 bd c0 00 00
00 0e cmp DWORD PTR tv66[rbp], 14 00 0e cmp DWORD PTR tv66[rbp], 14
00047 0f 87 83 00 00 00047 77 7c ja SHORT $LN2@ObfGetRand
00 ja $LN2@ObfGetRand 00049 48 63 85 c0 00
0004d 48 63 85 c0 00
00 00 movsxd rax, DWORD PTR tv66[rbp] 00 00 movsxd rax, DWORD PTR tv66[rbp]
00054 48 8d 0d 00 00 00050 48 8d 0d 00 00
00 00 lea rcx, OFFSET FLAT:__ImageBase 00 00 lea rcx, OFFSET FLAT:__ImageBase
0005b 8b 84 81 00 00 00057 8b 84 81 00 00
00 00 mov eax, DWORD PTR $LN20@ObfGetRand[rcx+rax*4] 00 00 mov eax, DWORD PTR $LN19@ObfGetRand[rcx+rax*4]
00062 48 03 c1 add rax, rcx 0005e 48 03 c1 add rax, rcx
00065 ff e0 jmp rax 00061 ff e0 jmp rax
$LN4@ObfGetRand: $LN4@ObfGetRand:
; 6 : { ; 6 : {
; 7 : case 0: return XED_ICLASS_JL; ; 7 : case 0: return XED_ICLASS_JL;
00067 b8 3a 01 00 00 mov eax, 314 ; 0000013aH 00063 b8 3a 01 00 00 mov eax, 314 ; 0000013aH
0006c eb 67 jmp SHORT $LN1@ObfGetRand 00068 eb 60 jmp SHORT $LN1@ObfGetRand
$LN5@ObfGetRand: $LN5@ObfGetRand:
; 8 : case 1: return XED_ICLASS_JLE; ; 8 : case 1: return XED_ICLASS_JLE;
0006e b8 3b 01 00 00 mov eax, 315 ; 0000013bH 0006a b8 3b 01 00 00 mov eax, 315 ; 0000013bH
00073 eb 60 jmp SHORT $LN1@ObfGetRand 0006f eb 59 jmp SHORT $LN1@ObfGetRand
$LN6@ObfGetRand: $LN6@ObfGetRand:
; 9 : case 2: return XED_ICLASS_JNB; ; 9 : case 2: return XED_ICLASS_JNB;
00075 b8 3e 01 00 00 mov eax, 318 ; 0000013eH 00071 b8 3e 01 00 00 mov eax, 318 ; 0000013eH
0007a eb 59 jmp SHORT $LN1@ObfGetRand 00076 eb 52 jmp SHORT $LN1@ObfGetRand
$LN7@ObfGetRand: $LN7@ObfGetRand:
; 10 : case 3: return XED_ICLASS_JNBE; ; 10 : case 3: return XED_ICLASS_JNBE;
0007c b8 3f 01 00 00 mov eax, 319 ; 0000013fH 00078 b8 3f 01 00 00 mov eax, 319 ; 0000013fH
00081 eb 52 jmp SHORT $LN1@ObfGetRand 0007d eb 4b jmp SHORT $LN1@ObfGetRand
$LN8@ObfGetRand: $LN8@ObfGetRand:
; 11 : case 4: return XED_ICLASS_JNL; ; 11 : case 4: return XED_ICLASS_JNL;
00083 b8 40 01 00 00 mov eax, 320 ; 00000140H 0007f b8 40 01 00 00 mov eax, 320 ; 00000140H
00088 eb 4b jmp SHORT $LN1@ObfGetRand 00084 eb 44 jmp SHORT $LN1@ObfGetRand
$LN9@ObfGetRand: $LN9@ObfGetRand:
; 12 : case 5: return XED_ICLASS_JNLE; ; 12 : case 5: return XED_ICLASS_JNLE;
0008a b8 41 01 00 00 mov eax, 321 ; 00000141H 00086 b8 41 01 00 00 mov eax, 321 ; 00000141H
0008f eb 44 jmp SHORT $LN1@ObfGetRand 0008b eb 3d jmp SHORT $LN1@ObfGetRand
$LN10@ObfGetRand: $LN10@ObfGetRand:
; 13 : case 6: return XED_ICLASS_JNO; ; 13 : case 6: return XED_ICLASS_JNO;
00091 b8 42 01 00 00 mov eax, 322 ; 00000142H 0008d b8 42 01 00 00 mov eax, 322 ; 00000142H
00096 eb 3d jmp SHORT $LN1@ObfGetRand 00092 eb 36 jmp SHORT $LN1@ObfGetRand
$LN11@ObfGetRand: $LN11@ObfGetRand:
; 14 : case 7: return XED_ICLASS_JNP; ; 14 : case 7: return XED_ICLASS_JNP;
00098 b8 43 01 00 00 mov eax, 323 ; 00000143H 00094 b8 43 01 00 00 mov eax, 323 ; 00000143H
0009d eb 36 jmp SHORT $LN1@ObfGetRand 00099 eb 2f jmp SHORT $LN1@ObfGetRand
$LN12@ObfGetRand: $LN12@ObfGetRand:
; 15 : case 8: return XED_ICLASS_JNS; ; 15 : case 8: return XED_ICLASS_JNS;
0009f b8 44 01 00 00 mov eax, 324 ; 00000144H 0009b b8 44 01 00 00 mov eax, 324 ; 00000144H
000a4 eb 2f jmp SHORT $LN1@ObfGetRand 000a0 eb 28 jmp SHORT $LN1@ObfGetRand
$LN13@ObfGetRand: $LN13@ObfGetRand:
; 16 : case 9: return XED_ICLASS_JNZ; ; 16 : case 9: return XED_ICLASS_JNZ;
000a6 b8 45 01 00 00 mov eax, 325 ; 00000145H 000a2 b8 45 01 00 00 mov eax, 325 ; 00000145H
000ab eb 28 jmp SHORT $LN1@ObfGetRand 000a7 eb 21 jmp SHORT $LN1@ObfGetRand
$LN14@ObfGetRand: $LN14@ObfGetRand:
; 17 : case 10: return XED_ICLASS_JO; ; 17 : case 10: return XED_ICLASS_JO;
000ad b8 46 01 00 00 mov eax, 326 ; 00000146H 000a9 b8 46 01 00 00 mov eax, 326 ; 00000146H
000b2 eb 21 jmp SHORT $LN1@ObfGetRand 000ae eb 1a jmp SHORT $LN1@ObfGetRand
$LN15@ObfGetRand: $LN15@ObfGetRand:
; 18 : case 11: return XED_ICLASS_JP; ; 18 : case 11: return XED_ICLASS_JP;
000b4 b8 47 01 00 00 mov eax, 327 ; 00000147H 000b0 b8 47 01 00 00 mov eax, 327 ; 00000147H
000b9 eb 1a jmp SHORT $LN1@ObfGetRand 000b5 eb 13 jmp SHORT $LN1@ObfGetRand
$LN16@ObfGetRand: $LN16@ObfGetRand:
; 19 : case 12: return XED_ICLASS_JRCXZ; ; 19 : case 13: return XED_ICLASS_JS;
000bb b8 48 01 00 00 mov eax, 328 ; 00000148H 000b7 b8 49 01 00 00 mov eax, 329 ; 00000149H
000c0 eb 13 jmp SHORT $LN1@ObfGetRand 000bc eb 0c jmp SHORT $LN1@ObfGetRand
$LN17@ObfGetRand: $LN17@ObfGetRand:
; 20 : case 13: return XED_ICLASS_JS; ; 20 : case 14: return XED_ICLASS_JZ;
000c2 b8 49 01 00 00 mov eax, 329 ; 00000149H 000be b8 4a 01 00 00 mov eax, 330 ; 0000014aH
000c7 eb 0c jmp SHORT $LN1@ObfGetRand 000c3 eb 05 jmp SHORT $LN1@ObfGetRand
$LN18@ObfGetRand:
; 21 : case 14: return XED_ICLASS_JZ;
000c9 b8 4a 01 00 00 mov eax, 330 ; 0000014aH
000ce eb 05 jmp SHORT $LN1@ObfGetRand
$LN2@ObfGetRand: $LN2@ObfGetRand:
; 22 : } ; 21 : }
; 23 : return XED_ICLASS_JLE; ; 22 : return XED_ICLASS_JLE;
000d0 b8 3b 01 00 00 mov eax, 315 ; 0000013bH 000c5 b8 3b 01 00 00 mov eax, 315 ; 0000013bH
$LN1@ObfGetRand: $LN1@ObfGetRand:
; 24 : } ; 23 : }
000d5 48 8d a5 d8 00 000ca 48 8d a5 d8 00
00 00 lea rsp, QWORD PTR [rbp+216] 00 00 lea rsp, QWORD PTR [rbp+216]
000dc 5f pop rdi 000d1 5f pop rdi
000dd 5d pop rbp 000d2 5d pop rbp
000de c3 ret 0 000d3 c3 ret 0
000df 90 npad 1 $LN19@ObfGetRand:
$LN20@ObfGetRand: 000d4 00 00 00 00 DD $LN4@ObfGetRand
000e0 00 00 00 00 DD $LN4@ObfGetRand 000d8 00 00 00 00 DD $LN5@ObfGetRand
000e4 00 00 00 00 DD $LN5@ObfGetRand 000dc 00 00 00 00 DD $LN6@ObfGetRand
000e8 00 00 00 00 DD $LN6@ObfGetRand 000e0 00 00 00 00 DD $LN7@ObfGetRand
000ec 00 00 00 00 DD $LN7@ObfGetRand 000e4 00 00 00 00 DD $LN8@ObfGetRand
000f0 00 00 00 00 DD $LN8@ObfGetRand 000e8 00 00 00 00 DD $LN9@ObfGetRand
000f4 00 00 00 00 DD $LN9@ObfGetRand 000ec 00 00 00 00 DD $LN10@ObfGetRand
000f8 00 00 00 00 DD $LN10@ObfGetRand 000f0 00 00 00 00 DD $LN11@ObfGetRand
000fc 00 00 00 00 DD $LN11@ObfGetRand 000f4 00 00 00 00 DD $LN12@ObfGetRand
00100 00 00 00 00 DD $LN12@ObfGetRand 000f8 00 00 00 00 DD $LN13@ObfGetRand
00104 00 00 00 00 DD $LN13@ObfGetRand 000fc 00 00 00 00 DD $LN14@ObfGetRand
00108 00 00 00 00 DD $LN14@ObfGetRand 00100 00 00 00 00 DD $LN15@ObfGetRand
0010c 00 00 00 00 DD $LN15@ObfGetRand 00104 00 00 00 00 DD $LN2@ObfGetRand
00110 00 00 00 00 DD $LN16@ObfGetRand 00108 00 00 00 00 DD $LN16@ObfGetRand
00114 00 00 00 00 DD $LN17@ObfGetRand 0010c 00 00 00 00 DD $LN17@ObfGetRand
00118 00 00 00 00 DD $LN18@ObfGetRand
?ObfGetRandomJccClass@@YA?AW4xed_iclass_enum_t@@XZ ENDP ; ObfGetRandomJccClass ?ObfGetRandomJccClass@@YA?AW4xed_iclass_enum_t@@XZ ENDP ; ObfGetRandomJccClass
_TEXT ENDS _TEXT ENDS
; Function compile flags: /Odtp /RTCsu /ZI ; Function compile flags: /Odtp /RTCsu /ZI
