opque branches done

main
James 3 years ago
parent fa0967c2d5
commit a5e6073848

@ -45,56 +45,73 @@ int main()
XedTablesInit(); XedTablesInit();
srand(time(NULL)); srand(time(NULL));
PNATIVE_CODE_LINK Return1776 = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
PNATIVE_CODE_LINK RetInst = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme2, sizeof(meme2));
PNATIVE_CODE_BLOCK Pre1 = JitEmitPreRipMov(Return1776);
PNATIVE_CODE_BLOCK Post1 = JitEmitPostRipMov(Return1776);
PNATIVE_CODE_BLOCK Pre2 = JitEmitPreRipMov(RetInst);
PNATIVE_CODE_BLOCK Post2 = JitEmitPostRipMov(RetInst);
NcAppendToBlock(Pre1, Return1776);
NcInsertBlockAfter(Pre1->End, Post1, 0);
Pre1->End = Post1->End;
NcInsertBlockAfter(Pre1->End, Pre2, 0);
Pre1->End = Pre2->End;
NcAppendToBlock(Pre1, RetInst);
NcInsertBlockAfter(Pre1->End, Post2, 0);
Pre1->End = Post2->End;
/*Pre->Start = Return1776;
Pre->End = Return1776;*/
for (ULONG i = 0; i < Return1776->RawDataSize; i++)
Return1776->RawData[i] = (UCHAR)rand();
for (ULONG i = 0; i < RetInst->RawDataSize; i++)
RetInst->RawData[i] = (UCHAR)rand();
/*NcDebugPrint(Pre);
NcPrintBlockCode(Pre);*/
ULONG AsmLen;
PVOID Asm = NcAssemble(Pre1, &AsmLen);
PUCHAR Tb = (PUCHAR)Asm;
for (uint32_t i = 0; i < AsmLen; i++)
{
std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' ';
}
system("pause");
typedef ULONG64(*FnGet1776)();
FnGet1776 ExecBuffer = (FnGet1776)MakeExecutableBuffer(Asm, AsmLen);
if (ExecBuffer)
{
printf("The numba was: %X\n", ExecBuffer());
printf("The numba was: %X\n", ExecBuffer());
printf("The numba was: %X\n", ExecBuffer()); NATIVE_CODE_BLOCK Block;
NcDisassemble(&Block, TestBuffer, TestBufferSize);
printf("The numba was: %X\n", ExecBuffer()); NATIVE_CODE_BLOCK NotTaken;
NATIVE_CODE_BLOCK Taken;
} printf("\n\nOriginal\n");
NcDebugPrint(&Block);
ObfCreateOpaqueBranches(Block.Start->Next, Block.Start->Next->Next->Next->Next, &NotTaken, &Taken);
//printf("\n\nNotTaken\n");
//NcDebugPrint(&NotTaken);
//printf("\n\nTaken\n");
//NcDebugPrint(&Taken);
//printf("\n\nCombined\n");
ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(&Block), NcGenUnusedLabelId(&Block));
ObfInsertOpaqueBranchBlock(Block.Start->Next, Block.Start->Next->Next->Next->Next, &NotTaken);
printf("\n\nNew\n");
NcDebugPrint(&Block);
//PNATIVE_CODE_LINK Return1776 = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
//PNATIVE_CODE_LINK RetInst = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme2, sizeof(meme2));
//PNATIVE_CODE_BLOCK Pre1 = JitEmitPreRipMov(Return1776);
//PNATIVE_CODE_BLOCK Post1 = JitEmitPostRipMov(Return1776);
//PNATIVE_CODE_BLOCK Pre2 = JitEmitPreRipMov(RetInst);
//PNATIVE_CODE_BLOCK Post2 = JitEmitPostRipMov(RetInst);
//NcAppendToBlock(Pre1, Return1776);
//NcInsertBlockAfter(Pre1->End, Post1, 0);
//Pre1->End = Post1->End;
//NcInsertBlockAfter(Pre1->End, Pre2, 0);
//Pre1->End = Pre2->End;
//NcAppendToBlock(Pre1, RetInst);
//NcInsertBlockAfter(Pre1->End, Post2, 0);
//Pre1->End = Post2->End;
///*Pre->Start = Return1776;
//Pre->End = Return1776;*/
//for (ULONG i = 0; i < Return1776->RawDataSize; i++)
// Return1776->RawData[i] = (UCHAR)rand();
//for (ULONG i = 0; i < RetInst->RawDataSize; i++)
// RetInst->RawData[i] = (UCHAR)rand();
//ULONG AsmLen;
//PVOID Asm = NcAssemble(Pre1, &AsmLen);
//PUCHAR Tb = (PUCHAR)Asm;
//for (uint32_t i = 0; i < AsmLen; i++)
//{
// std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' ';
//}
//system("pause");
//typedef ULONG64(*FnGet1776)();
//FnGet1776 ExecBuffer = (FnGet1776)MakeExecutableBuffer(Asm, AsmLen);
//if (ExecBuffer)
//{
// printf("The numba was: %X\n", ExecBuffer());
// printf("The numba was: %X\n", ExecBuffer());
// printf("The numba was: %X\n", ExecBuffer());
// printf("The numba was: %X\n", ExecBuffer());
//}
//NcDebugPrint(Post); //NcDebugPrint(Post);
@ -124,8 +141,6 @@ int main()
//PNATIVE_CODE_BLOCK OpaqueBranch = ObfGenOpaqueBranch(Block.Start, Block.End); //PNATIVE_CODE_BLOCK OpaqueBranch = ObfGenOpaqueBranch(Block.Start, Block.End);
//NcDebugPrint(OpaqueBranch); //NcDebugPrint(OpaqueBranch);
system("pause");
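Review bot: The BOOL results of ObfCreateOpaqueBranches, ObfCombineOpaqueBranches and ObfInsertOpaqueBranchBlock are all discarded, so a failed deep copy or a NULL Jcc/Jmp still flows into NcDebugPrint(&Block) over a half-built chain; guard each call, e.g. `if (!ObfCreateOpaqueBranches(Block.Start->Next, Block.Start->Next->Next->Next->Next, &NotTaken, &Taken)) return 1;`. The two back-to-back NcGenUnusedLabelId(&Block) calls are the only source of the Jcc and Jmp label ids, and nothing in this commit pushes either id into Block.LabelIds the way the removed ObfGenOpaqueBranch did; unless NcGenUnusedLabelId records what it hands out (its body is outside the diff), both calls can return the same id and a later label fixup pass will not know about either. The `Block.Start->Next->Next->Next->Next` chain is also walked with no NULL check, so a TestBuffer that disassembles to fewer than five links crashes here instead of failing cleanly. main's body continues beyond this hunk.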

@ -20,16 +20,18 @@ _NATIVE_CODE_LINK::_NATIVE_CODE_LINK(ULONG LabelId, _NATIVE_CODE_BLOCK* B)
Flags = CODE_FLAG_IS_LABEL; Flags = CODE_FLAG_IS_LABEL;
} }
_NATIVE_CODE_LINK::_NATIVE_CODE_LINK(ULONG F, PVOID Rd, ULONG Rds) _NATIVE_CODE_LINK::_NATIVE_CODE_LINK(ULONG F, PVOID Rd, ULONG Rds, BOOL Decode)
: _NATIVE_CODE_LINK() : _NATIVE_CODE_LINK()
{ {
Flags = F; Flags = F;
RawDataSize = Rds; RawDataSize = Rds;
RawData = new UCHAR[Rds]; RawData = new UCHAR[Rds];
if (Rd) if (Rd)
{
RtlCopyMemory(RawData, Rd, Rds); RtlCopyMemory(RawData, Rd, Rds);
if (Decode)
XedDecode(&XedInstruction, RawData, RawDataSize); XedDecode(&XedInstruction, RawData, RawDataSize);
}
} }
_NATIVE_CODE_LINK::~_NATIVE_CODE_LINK() _NATIVE_CODE_LINK::~_NATIVE_CODE_LINK()
@ -122,7 +124,7 @@ VOID NcUnlink(PNATIVE_CODE_LINK Link)
ULONG NcCalcBlockSize(PNATIVE_CODE_BLOCK Block) ULONG NcCalcBlockSize(PNATIVE_CODE_BLOCK Block)
{ {
ULONG TotalSize = 0; ULONG TotalSize = 0;
for (PNATIVE_CODE_LINK T = Block->Start; T != Block->End->Next; T = T->Next) for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{ {
if (T->Flags & CODE_FLAG_IS_LABEL) if (T->Flags & CODE_FLAG_IS_LABEL)
continue; continue;
@ -141,7 +143,7 @@ ULONG NcGenUnusedLabelId(PNATIVE_CODE_BLOCK Block)
VOID NcChangeLabelId(PNATIVE_CODE_BLOCK Block, ULONG Original, ULONG New) VOID NcChangeLabelId(PNATIVE_CODE_BLOCK Block, ULONG Original, ULONG New)
{ {
for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next) for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{ {
if (((T->Flags & CODE_FLAG_IS_LABEL) || (T->Flags & CODE_FLAG_IS_REL_JMP)) && T->Label == Original) if (((T->Flags & CODE_FLAG_IS_LABEL) || (T->Flags & CODE_FLAG_IS_REL_JMP)) && T->Label == Original)
T->Label = New; T->Label = New;
@ -150,7 +152,7 @@ VOID NcChangeLabelId(PNATIVE_CODE_BLOCK Block, ULONG Original, ULONG New)
VOID NcFixLabelsForBlocks(PNATIVE_CODE_BLOCK Block1, PNATIVE_CODE_BLOCK Block2) VOID NcFixLabelsForBlocks(PNATIVE_CODE_BLOCK Block1, PNATIVE_CODE_BLOCK Block2)
{ {
for (PNATIVE_CODE_LINK T = Block2->Start; T; T = T->Next) for (PNATIVE_CODE_LINK T = Block2->Start; T && T != Block2->End->Next; T = T->Next)
{ {
if ((T->Flags & CODE_FLAG_IS_LABEL) && StdFind(Block1->LabelIds.begin(), Block1->LabelIds.end(), T->Label) != Block1->LabelIds.end()) if ((T->Flags & CODE_FLAG_IS_LABEL) && StdFind(Block1->LabelIds.begin(), Block1->LabelIds.end(), T->Label) != Block1->LabelIds.end())
{ {
@ -300,12 +302,13 @@ PNATIVE_CODE_LINK NcDeepCopyLink(PNATIVE_CODE_LINK Link)
return new NATIVE_CODE_LINK(Link->Label, NULL); return new NATIVE_CODE_LINK(Link->Label, NULL);
} }
else else
{ PNATIVE_CODE_LINK NewLink = new NATIVE_CODE_LINK(Link->Flags, Link->RawData, Link->RawDataSize); {
PNATIVE_CODE_LINK NewLink = new NATIVE_CODE_LINK(Link->Flags, Link->RawData, Link->RawDataSize);
NewLink->Label = Link->Label; NewLink->Label = Link->Label;
XED_ERROR_ENUM DecodeError = XedDecode(&NewLink->XedInstruction, Link->RawData, Link->RawDataSize); XED_ERROR_ENUM DecodeError = XedDecode(&NewLink->XedInstruction, Link->RawData, Link->RawDataSize);
if (DecodeError != XED_ERROR_NONE) if (DecodeError != XED_ERROR_NONE)
{ {
printf("XedDecode failed in NcDeepCopyLink: %s\n", XedErrorEnumToString(DecodeError)); printf("XedDecode failed in NcDeepCopyLink: %s %u\n", XedErrorEnumToString(DecodeError), Link->RawDataSize);
delete NewLink; delete NewLink;
return NULL; return NULL;
} }
@ -313,36 +316,34 @@ PNATIVE_CODE_LINK NcDeepCopyLink(PNATIVE_CODE_LINK Link)
} }
} }
PNATIVE_CODE_BLOCK NcDeepCopyPartialBlock(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End) BOOL NcDeepCopyPartialBlock(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNATIVE_CODE_BLOCK Block)
{ {
if (!Start || !End || !Start->Block || Start->Block != End->Block) if (!Start || !End || !Start->Block || Start->Block != End->Block || !Block)
return NULL; return FALSE;
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK; Block->LabelIds.clear();
if (!Block) Block->Start = Block->End = NULL;
return NULL;
for (ULONG L : Start->Block->LabelIds) for (ULONG L : Start->Block->LabelIds)
Block->LabelIds.push_back(L); Block->LabelIds.push_back(L);
for (PNATIVE_CODE_LINK CurLink = Start; CurLink != End->Next; CurLink = CurLink->Next) for (PNATIVE_CODE_LINK CurLink = Start; CurLink && CurLink != End->Next; CurLink = CurLink->Next)
{ {
PNATIVE_CODE_LINK Temp = NcDeepCopyLink(CurLink); PNATIVE_CODE_LINK Temp = NcDeepCopyLink(CurLink);
if (!Temp) if (!Temp)
{ {
NcDeleteBlock(Block); NcDeleteBlock(Block);
delete Block; return FALSE;
return NULL;
} }
NcAppendToBlock(Block, Temp); NcAppendToBlock(Block, Temp);
} }
return Block; return TRUE;
} }
PNATIVE_CODE_BLOCK NcDeepCopyBlock(PNATIVE_CODE_BLOCK Block) BOOL NcDeepCopyBlock(PNATIVE_CODE_BLOCK Block, PNATIVE_CODE_BLOCK BlockCopy)
{ {
return NcDeepCopyPartialBlock(Block->Start, Block->End); return NcDeepCopyPartialBlock(Block->Start, Block->End, BlockCopy);
} }
BOOL NcGetDeltaToLabel(PNATIVE_CODE_LINK Link, PINT32 DeltaOut) BOOL NcGetDeltaToLabel(PNATIVE_CODE_LINK Link, PINT32 DeltaOut)
@ -383,7 +384,7 @@ BOOL NcGetDeltaToLabel(PNATIVE_CODE_LINK Link, PINT32 DeltaOut)
BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block) BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block)
{ {
for (PNATIVE_CODE_LINK T = Block->Start; T != Block->End->Next;) for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;)
{ {
if (T->Flags & CODE_FLAG_IS_REL_JMP) if (T->Flags & CODE_FLAG_IS_REL_JMP)
{ {
@ -523,7 +524,9 @@ VOID NcDeleteBlock(PNATIVE_CODE_BLOCK Block)
if (!Block->Start || !Block->End) if (!Block->Start || !Block->End)
return; return;
for (PNATIVE_CODE_LINK T = Block->Start; T != Block->End->Next;) PNATIVE_CODE_LINK BlockEnding = Block->End->Next;
for (PNATIVE_CODE_LINK T = Block->Start; T && T != BlockEnding;)
{ {
PNATIVE_CODE_LINK Next = T->Next; PNATIVE_CODE_LINK Next = T->Next;
delete T; delete T;
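Review bot: NcDeepCopyPartialBlock now takes a caller-supplied block and overwrites it with `Block->LabelIds.clear(); Block->Start = Block->End = NULL;` without releasing any chain the block already owned, and on a failed link copy it calls NcDeleteBlock(Block) but, as far as the hunk shows, leaves Block->Start/End pointing at the freed links; add the precondition comment `// Block must be empty; an existing chain is not freed` and follow the failure-path NcDeleteBlock with `Block->Start = Block->End = NULL;`. In the constructor hunk the new `if (Decode) XedDecode(...)` drops the XED_ERROR_ENUM that NcDeepCopyLink checks a few hunks later, so a link built with Decode=TRUE from undecodable bytes silently carries an invalid XedInstruction; at minimum keep the result somewhere callers can test. The `T && T != Block->End->Next` guard added to NcCalcBlockSize, NcChangeLabelId, NcFixLabelsForBlocks, NcFixRelJmps (and to ViValidateNativeCodeBlock in the validator file) still dereferences Block->End whenever Start is non-NULL and End is NULL, so it only protects the fully-empty block. NcDeleteBlock's loop body continues past the end of the hunk.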

@ -19,7 +19,7 @@ typedef struct _NATIVE_CODE_LINK
XED_DECODED_INST XedInstruction; XED_DECODED_INST XedInstruction;
_NATIVE_CODE_LINK(); _NATIVE_CODE_LINK();
_NATIVE_CODE_LINK(ULONG LabelId, _NATIVE_CODE_BLOCK* B); _NATIVE_CODE_LINK(ULONG LabelId, _NATIVE_CODE_BLOCK* B);
_NATIVE_CODE_LINK(ULONG F, PVOID Rd, ULONG Rds); _NATIVE_CODE_LINK(ULONG F, PVOID Rd, ULONG Rds, BOOL Decode = FALSE);
~_NATIVE_CODE_LINK(); ~_NATIVE_CODE_LINK();
}NATIVE_CODE_LINK, *PNATIVE_CODE_LINK; }NATIVE_CODE_LINK, *PNATIVE_CODE_LINK;
@ -59,9 +59,9 @@ PNATIVE_CODE_LINK NcValidateJmp(PNATIVE_CODE_LINK Link, INT32 Delta);
PNATIVE_CODE_LINK NcDeepCopyLink(PNATIVE_CODE_LINK Link); PNATIVE_CODE_LINK NcDeepCopyLink(PNATIVE_CODE_LINK Link);
PNATIVE_CODE_BLOCK NcDeepCopyPartialBlock(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End); BOOL NcDeepCopyPartialBlock(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNATIVE_CODE_BLOCK Block);
PNATIVE_CODE_BLOCK NcDeepCopyBlock(PNATIVE_CODE_BLOCK Block); BOOL NcDeepCopyBlock(PNATIVE_CODE_BLOCK Block, PNATIVE_CODE_BLOCK BlockCopy);
BOOL NcGetDeltaToLabel(PNATIVE_CODE_LINK Link, PINT32 DeltaOut); BOOL NcGetDeltaToLabel(PNATIVE_CODE_LINK Link, PINT32 DeltaOut);
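Review bot: NcDeepCopyPartialBlock and NcDeepCopyBlock changed from returning a freshly allocated block to filling a caller-supplied one, but the header says nothing about what the out-parameter must look like on entry or who frees the copied links; add `//Fills the caller-supplied Block (which must be empty) with deep copies of Start..End; caller releases it with NcDeleteBlock` above NcDeepCopyPartialBlock. The new `BOOL Decode = FALSE` default on the three-argument constructor likewise deserves a line saying that XedInstruction is only populated when Decode is TRUE, since the .cpp now skips XedDecode otherwise.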

@ -4,4 +4,7 @@
#define OBF_FLAG_IS_CODE_WRITEABLE (1<<0) //If this is set, JIT can be used
#endif #endif

@ -85,47 +85,21 @@ PNATIVE_CODE_LINK ObfGenJmpToLabel(ULONG LabelId, ULONG DisplacementWidth)
return Link; return Link;
} }
PNATIVE_CODE_BLOCK ObfGenOpaqueBranch(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End) BOOL ObfCreateOpaqueBranches(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNATIVE_CODE_BLOCK NotTaken, PNATIVE_CODE_BLOCK Taken)
{ {
if (!Start || !End || !Start->Block || Start->Block != End->Block) return (NcDeepCopyPartialBlock(Start, End, Taken) && !NcDeepCopyPartialBlock(Start, End, NotTaken));
return NULL; }
PNATIVE_CODE_BLOCK NotTaken = NcDeepCopyPartialBlock(Start, End);
if (!NotTaken)
{
return NULL;
}
PNATIVE_CODE_BLOCK Taken = NcDeepCopyPartialBlock(Start, End);
if (!Taken)
{
NcDeleteBlock(NotTaken);
delete NotTaken;
return NULL;
}
ULONG JccLabel = NcGenUnusedLabelId(Start->Block);
ULONG JmpLabel = NcGenUnusedLabelId(Start->Block);
Start->Block->LabelIds.push_back(JccLabel);
Start->Block->LabelIds.push_back(JmpLabel);
BOOL ObfCombineOpaqueBranches(PNATIVE_CODE_BLOCK NotTaken, PNATIVE_CODE_BLOCK Taken, ULONG JccLabel, ULONG JmpLabel)
{
PNATIVE_CODE_LINK Jcc = ObfGenRandomJcc(JccLabel); PNATIVE_CODE_LINK Jcc = ObfGenRandomJcc(JccLabel);
if (!Jcc) if (!Jcc)
{ return FALSE;
NcDeleteBlock(Taken);
delete Taken;
NcDeleteBlock(NotTaken);
delete NotTaken;
return NULL;
}
PNATIVE_CODE_LINK Jmp = ObfGenJmpToLabel(JmpLabel); PNATIVE_CODE_LINK Jmp = ObfGenJmpToLabel(JmpLabel);
if (!Jmp) if (!Jmp)
{ {
delete Jcc; delete Jcc;
NcDeleteBlock(Taken); return FALSE;
delete Taken;
NcDeleteBlock(NotTaken);
delete NotTaken;
return NULL;
} }
NcPrependToBlock(NotTaken, Jcc); NcPrependToBlock(NotTaken, Jcc);
@ -136,7 +110,29 @@ PNATIVE_CODE_BLOCK ObfGenOpaqueBranch(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK
NcInsertBlockAfter(NotTaken->End, Taken, FALSE); NcInsertBlockAfter(NotTaken->End, Taken, FALSE);
NotTaken->End = Taken->End; NotTaken->End = Taken->End;
return TRUE;
}
delete Taken; BOOL ObfInsertOpaqueBranchBlock(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNATIVE_CODE_BLOCK OpaqueBranchBlock)
return NotTaken; {
OpaqueBranchBlock->Start->Prev = Start->Prev;
OpaqueBranchBlock->End->Next = End->Next;
if (Start->Prev)
Start->Prev->Next = OpaqueBranchBlock->Start;
if (End->Next)
End->Next->Prev = OpaqueBranchBlock->End;
//Update group for the current isntructions
for (PNATIVE_CODE_LINK T = OpaqueBranchBlock->Start; T && T != OpaqueBranchBlock->End->Next; T = T->Next)
T->Block = Start->Block;
PNATIVE_CODE_LINK EndBlock = End->Next;
for (PNATIVE_CODE_LINK T = Start; T && T != EndBlock;)
{
PNATIVE_CODE_LINK RealNext = T->Next;
delete T;
T = RealNext;
}
return TRUE;
} }
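Review bot: The `!` in `return (NcDeepCopyPartialBlock(Start, End, Taken) && !NcDeepCopyPartialBlock(Start, End, NotTaken));` inverts the second result, so ObfCreateOpaqueBranches returns TRUE only when the NotTaken copy fails and FALSE on the normal path (main only works because it ignores the return); it should read `return NcDeepCopyPartialBlock(Start, End, Taken) && NcDeepCopyPartialBlock(Start, End, NotTaken);`, and when the second copy fails the already-filled Taken block should be released with NcDeleteBlock(Taken) as the removed code did. In the second hunk ObfInsertOpaqueBranchBlock rewires Start->Prev and End->Next and then deletes Start..End, but never touches Start->Block->Start or ->End, so when Start is the block's first link or End its last link the owning block is left pointing at freed memory; before the delete loop add `if (Start->Block->Start == Start) Start->Block->Start = OpaqueBranchBlock->Start;` and `if (Start->Block->End == End) Start->Block->End = OpaqueBranchBlock->End;`. The JccLabel/JmpLabel ids that the removed ObfGenOpaqueBranch pushed into Start->Block->LabelIds are no longer registered anywhere on this path, which is worth a comment on ObfCombineOpaqueBranches stating that the caller owns that bookkeeping.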

@ -11,8 +11,13 @@ PNATIVE_CODE_LINK ObfGenRandomJcc(ULONG LabelId, ULONG DisplacementSize = 32);
PNATIVE_CODE_LINK ObfGenJmpToLabel(ULONG LabelId, ULONG DisplacementSize = 32); PNATIVE_CODE_LINK ObfGenJmpToLabel(ULONG LabelId, ULONG DisplacementSize = 32);
PNATIVE_CODE_BLOCK ObfGenOpaqueBranch(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End); BOOL ObfCreateOpaqueBranches(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNATIVE_CODE_BLOCK NotTaken, PNATIVE_CODE_BLOCK Taken);
//Combines the two branches into one block that can easily be patched into the code
//Resulting block is put into NotTaken
BOOL ObfCombineOpaqueBranches(PNATIVE_CODE_BLOCK NotTaken, PNATIVE_CODE_BLOCK Taken, ULONG JccLabel, ULONG JmpLabel);
BOOL ObfInsertOpaqueBranchBlock(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNATIVE_CODE_BLOCK OpaqueBranchBlock);
#endif #endif
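Review bot: ObfCombineOpaqueBranches got a two-line contract, but the new ObfCreateOpaqueBranches and ObfInsertOpaqueBranchBlock declarations have none; document that the first fills two caller-supplied blocks that must be empty on entry and are the caller's to release, and that the second splices OpaqueBranchBlock in place of Start..End and deletes those original links, e.g. `//Replaces Start..End inside their block with OpaqueBranchBlock's links and deletes the originals`. The ObfCombineOpaqueBranches comment should also say that Taken's links are moved into NotTaken (the .cpp sets NotTaken->End = Taken->End after NcInsertBlockAfter), so Taken presumably must not be passed to NcDeleteBlock afterwards — worth confirming against NcInsertBlockAfter, whose body is not in the diff.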

@ -6,7 +6,7 @@ BOOL ViCanHandleInst(PNATIVE_CODE_LINK Link)
} }
BOOL ViValidateNativeCodeBlock(PNATIVE_CODE_BLOCK Block) BOOL ViValidateNativeCodeBlock(PNATIVE_CODE_BLOCK Block)
{ {
for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next) for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{ {
if (!ViCanHandleInst(T)) if (!ViCanHandleInst(T))
return FALSE; return FALSE;

@ -164,7 +164,7 @@ EXTRN xed_simple_flag_get_undefined_flag_set:PROC
EXTRN xed_decode:PROC EXTRN xed_decode:PROC
EXTRN xed_decoded_inst_get_rflags_info:PROC EXTRN xed_decoded_inst_get_rflags_info:PROC
EXTRN ??0_NATIVE_CODE_LINK@@QEAA@XZ:PROC ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK EXTRN ??0_NATIVE_CODE_LINK@@QEAA@XZ:PROC ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
EXTRN ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z:PROC ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK EXTRN ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z:PROC ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
EXTRN ??1_NATIVE_CODE_LINK@@QEAA@XZ:PROC ; _NATIVE_CODE_LINK::~_NATIVE_CODE_LINK EXTRN ??1_NATIVE_CODE_LINK@@QEAA@XZ:PROC ; _NATIVE_CODE_LINK::~_NATIVE_CODE_LINK
EXTRN ??0_NATIVE_CODE_BLOCK@@QEAA@XZ:PROC ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK EXTRN ??0_NATIVE_CODE_BLOCK@@QEAA@XZ:PROC ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK
EXTRN ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z:PROC ; NcAppendToBlock EXTRN ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z:PROC ; NcAppendToBlock
@ -319,7 +319,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD imagerel $LN6 $pdata$?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD imagerel $LN6
DD imagerel $LN6+270 DD imagerel $LN6+278
DD imagerel $unwind$?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD imagerel $unwind$?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -331,7 +331,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD imagerel $LN6 $pdata$?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD imagerel $LN6
DD imagerel $LN6+270 DD imagerel $LN6+278
DD imagerel $unwind$?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD imagerel $unwind$?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -1015,7 +1015,7 @@ $ip2state$?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DB 06H
DB 00H DB 00H
DB 0b8H DB 0b8H
DB 02H DB 02H
DB 08eH DB 09eH
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -1032,13 +1032,13 @@ $cppxdata$?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DB 028H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
xdata SEGMENT xdata SEGMENT
$unwind$?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD 025053b19H $unwind$?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD 035053b19H
DD 010e2313H DD 010e3313H
DD 07007002fH DD 070070031H
DD 05006H DD 05006H
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD imagerel $cppxdata$?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z
DD 0162H DD 0172H
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -1051,7 +1051,7 @@ CONST SEGMENT
DB 061H DB 061H
DB 00H DB 00H
ORG $+8 ORG $+8
?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z$rtcVarDesc DD 024H ; JitEmitPopfqInst ?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z$rtcVarDesc DD 034H ; JitEmitPopfqInst
DD 01H DD 01H
DQ FLAT:?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z$rtcName$0 DQ FLAT:?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z$rtcName$0
ORG $+48 ORG $+48
@ -1072,7 +1072,7 @@ $ip2state$?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DB 06H
DB 00H DB 00H
DB 0b8H DB 0b8H
DB 02H DB 02H
DB 08eH DB 09eH
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -1089,13 +1089,13 @@ $cppxdata$?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DB 028H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
xdata SEGMENT xdata SEGMENT
$unwind$?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD 025053b19H $unwind$?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD 035053b19H
DD 010e2313H DD 010e3313H
DD 07007002fH DD 070070031H
DD 05006H DD 05006H
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD imagerel $cppxdata$?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z
DD 0162H DD 0172H
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -1108,7 +1108,7 @@ CONST SEGMENT
DB 061H DB 061H
DB 00H DB 00H
ORG $+8 ORG $+8
?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z$rtcVarDesc DD 024H ; JitEmitPushfqInst ?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z$rtcVarDesc DD 034H ; JitEmitPushfqInst
DD 01H DD 01H
DQ FLAT:?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z$rtcName$0 DQ FLAT:?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z$rtcName$0
ORG $+48 ORG $+48
@ -5875,7 +5875,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z PROC ; JitEmitPopfqInst, COMDAT ?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z PROC ; JitEmitPopfqInst, COMDAT
@ -5886,15 +5886,15 @@ $LN6:
00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
00005 55 push rbp 00005 55 push rbp
00006 57 push rdi 00006 57 push rdi
00007 48 81 ec 78 01 00007 48 81 ec 88 01
00 00 sub rsp, 376 ; 00000178H 00 00 sub rsp, 392 ; 00000188H
0000e 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] 0000e 48 8d 6c 24 30 lea rbp, QWORD PTR [rsp+48]
00013 48 8b fc mov rdi, rsp 00013 48 8b fc mov rdi, rsp
00016 b9 5e 00 00 00 mov ecx, 94 ; 0000005eH 00016 b9 62 00 00 00 mov ecx, 98 ; 00000062H
0001b b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 0001b b8 cc cc cc cc mov eax, -858993460 ; ccccccccH
00020 f3 ab rep stosd 00020 f3 ab rep stosd
00022 48 8b 8c 24 98 00022 48 8b 8c 24 a8
01 00 00 mov rcx, QWORD PTR [rsp+408] 01 00 00 mov rcx, QWORD PTR [rsp+424]
0002a 48 8b 05 00 00 0002a 48 8b 05 00 00
00 00 mov rax, QWORD PTR __security_cookie 00 00 mov rax, QWORD PTR __security_cookie
00031 48 33 c5 xor rax, rbp 00031 48 33 c5 xor rax, rbp
@ -5916,69 +5916,71 @@ $LN6:
00 00 mov QWORD PTR $T5[rbp], rax 00 00 mov QWORD PTR $T5[rbp], rax
0005c 48 83 bd 28 01 0005c 48 83 bd 28 01
00 00 00 cmp QWORD PTR $T5[rbp], 0 00 00 00 cmp QWORD PTR $T5[rbp], 0
00064 74 24 je SHORT $LN3@JitEmitPop 00064 74 2c je SHORT $LN3@JitEmitPop
00066 41 b9 01 00 00 00066 c7 44 24 20 00
00 00 00 mov DWORD PTR [rsp+32], 0
0006e 41 b9 01 00 00
00 mov r9d, 1 00 mov r9d, 1
0006c 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp] 00074 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp]
00070 ba 04 00 00 00 mov edx, 4 00078 ba 04 00 00 00 mov edx, 4
00075 48 8b 8d 28 01 0007d 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
0007c e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 00084 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
00081 48 89 85 38 01 00089 48 89 85 38 01
00 00 mov QWORD PTR tv78[rbp], rax 00 00 mov QWORD PTR tv79[rbp], rax
00088 eb 0b jmp SHORT $LN4@JitEmitPop 00090 eb 0b jmp SHORT $LN4@JitEmitPop
$LN3@JitEmitPop: $LN3@JitEmitPop:
0008a 48 c7 85 38 01 00092 48 c7 85 38 01
00 00 00 00 00 00 00 00 00 00
00 mov QWORD PTR tv78[rbp], 0 00 mov QWORD PTR tv79[rbp], 0
$LN4@JitEmitPop: $LN4@JitEmitPop:
00095 48 8b 85 38 01 0009d 48 8b 85 38 01
00 00 mov rax, QWORD PTR tv78[rbp] 00 00 mov rax, QWORD PTR tv79[rbp]
0009c 48 89 85 08 01 000a4 48 89 85 08 01
00 00 mov QWORD PTR $T4[rbp], rax 00 00 mov QWORD PTR $T4[rbp], rax
000a3 48 8b 85 08 01 000ab 48 8b 85 08 01
00 00 mov rax, QWORD PTR $T4[rbp] 00 00 mov rax, QWORD PTR $T4[rbp]
000aa 48 89 45 28 mov QWORD PTR Link$[rbp], rax 000b2 48 89 45 28 mov QWORD PTR Link$[rbp], rax
; 21 : XedDecode(&Link->XedInstruction, Link->RawData, 1); ; 21 : XedDecode(&Link->XedInstruction, Link->RawData, 1);
000ae 48 8b 45 28 mov rax, QWORD PTR Link$[rbp] 000b6 48 8b 45 28 mov rax, QWORD PTR Link$[rbp]
000b2 48 83 c0 30 add rax, 48 ; 00000030H 000ba 48 83 c0 30 add rax, 48 ; 00000030H
000b6 41 b8 01 00 00 000be 41 b8 01 00 00
00 mov r8d, 1 00 mov r8d, 1
000bc 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp] 000c4 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
000c0 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] 000c8 48 8b 51 20 mov rdx, QWORD PTR [rcx+32]
000c4 48 8b c8 mov rcx, rax 000cc 48 8b c8 mov rcx, rax
000c7 e8 00 00 00 00 call xed_decode 000cf e8 00 00 00 00 call xed_decode
; 22 : NcAppendToBlock(Block, Link); ; 22 : NcAppendToBlock(Block, Link);
000cc 48 8b 55 28 mov rdx, QWORD PTR Link$[rbp] 000d4 48 8b 55 28 mov rdx, QWORD PTR Link$[rbp]
000d0 48 8b 8d 70 01 000d8 48 8b 8d 70 01
00 00 mov rcx, QWORD PTR Block$[rbp] 00 00 mov rcx, QWORD PTR Block$[rbp]
000d7 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock 000df e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock
; 23 : return TRUE; ; 23 : return TRUE;
000dc b8 01 00 00 00 mov eax, 1 000e4 b8 01 00 00 00 mov eax, 1
; 24 : } ; 24 : }
000e1 8b f8 mov edi, eax 000e9 8b f8 mov edi, eax
000e3 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 000eb 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
000e7 48 8d 15 00 00 000ef 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z$rtcFrameData 00 00 lea rdx, OFFSET FLAT:?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z$rtcFrameData
000ee e8 00 00 00 00 call _RTC_CheckStackVars 000f6 e8 00 00 00 00 call _RTC_CheckStackVars
000f3 8b c7 mov eax, edi 000fb 8b c7 mov eax, edi
000f5 48 8b 8d 40 01 000fd 48 8b 8d 40 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
000fc 48 33 cd xor rcx, rbp 00104 48 33 cd xor rcx, rbp
000ff e8 00 00 00 00 call __security_check_cookie 00107 e8 00 00 00 00 call __security_check_cookie
00104 48 8d a5 58 01 0010c 48 8d a5 58 01
00 00 lea rsp, QWORD PTR [rbp+344] 00 00 lea rsp, QWORD PTR [rbp+344]
0010b 5f pop rdi 00113 5f pop rdi
0010c 5d pop rbp 00114 5d pop rbp
0010d c3 ret 0 00115 c3 ret 0
?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z ENDP ; JitEmitPopfqInst ?JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z ENDP ; JitEmitPopfqInst
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -5987,7 +5989,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
?dtor$0@?0??JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z@4HA PROC ; `JitEmitPopfqInst'::`1'::dtor$0 ?dtor$0@?0??JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z@4HA PROC ; `JitEmitPopfqInst'::`1'::dtor$0
@ -5996,7 +5998,7 @@ Block$ = 368
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 28 01 00019 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -6014,7 +6016,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
?dtor$0@?0??JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z@4HA PROC ; `JitEmitPopfqInst'::`1'::dtor$0 ?dtor$0@?0??JitEmitPopfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z@4HA PROC ; `JitEmitPopfqInst'::`1'::dtor$0
@ -6023,7 +6025,7 @@ Block$ = 368
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 28 01 00019 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -6042,7 +6044,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z PROC ; JitEmitPushfqInst, COMDAT ?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z PROC ; JitEmitPushfqInst, COMDAT
@ -6053,15 +6055,15 @@ $LN6:
00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
00005 55 push rbp 00005 55 push rbp
00006 57 push rdi 00006 57 push rdi
00007 48 81 ec 78 01 00007 48 81 ec 88 01
00 00 sub rsp, 376 ; 00000178H 00 00 sub rsp, 392 ; 00000188H
0000e 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] 0000e 48 8d 6c 24 30 lea rbp, QWORD PTR [rsp+48]
00013 48 8b fc mov rdi, rsp 00013 48 8b fc mov rdi, rsp
00016 b9 5e 00 00 00 mov ecx, 94 ; 0000005eH 00016 b9 62 00 00 00 mov ecx, 98 ; 00000062H
0001b b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 0001b b8 cc cc cc cc mov eax, -858993460 ; ccccccccH
00020 f3 ab rep stosd 00020 f3 ab rep stosd
00022 48 8b 8c 24 98 00022 48 8b 8c 24 a8
01 00 00 mov rcx, QWORD PTR [rsp+408] 01 00 00 mov rcx, QWORD PTR [rsp+424]
0002a 48 8b 05 00 00 0002a 48 8b 05 00 00
00 00 mov rax, QWORD PTR __security_cookie 00 00 mov rax, QWORD PTR __security_cookie
00031 48 33 c5 xor rax, rbp 00031 48 33 c5 xor rax, rbp
@ -6083,69 +6085,71 @@ $LN6:
00 00 mov QWORD PTR $T5[rbp], rax 00 00 mov QWORD PTR $T5[rbp], rax
0005c 48 83 bd 28 01 0005c 48 83 bd 28 01
00 00 00 cmp QWORD PTR $T5[rbp], 0 00 00 00 cmp QWORD PTR $T5[rbp], 0
00064 74 24 je SHORT $LN3@JitEmitPus 00064 74 2c je SHORT $LN3@JitEmitPus
00066 41 b9 01 00 00 00066 c7 44 24 20 00
00 00 00 mov DWORD PTR [rsp+32], 0
0006e 41 b9 01 00 00
00 mov r9d, 1 00 mov r9d, 1
0006c 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp] 00074 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp]
00070 ba 04 00 00 00 mov edx, 4 00078 ba 04 00 00 00 mov edx, 4
00075 48 8b 8d 28 01 0007d 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
0007c e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 00084 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
00081 48 89 85 38 01 00089 48 89 85 38 01
00 00 mov QWORD PTR tv78[rbp], rax 00 00 mov QWORD PTR tv79[rbp], rax
00088 eb 0b jmp SHORT $LN4@JitEmitPus 00090 eb 0b jmp SHORT $LN4@JitEmitPus
$LN3@JitEmitPus: $LN3@JitEmitPus:
0008a 48 c7 85 38 01 00092 48 c7 85 38 01
00 00 00 00 00 00 00 00 00 00
00 mov QWORD PTR tv78[rbp], 0 00 mov QWORD PTR tv79[rbp], 0
$LN4@JitEmitPus: $LN4@JitEmitPus:
00095 48 8b 85 38 01 0009d 48 8b 85 38 01
00 00 mov rax, QWORD PTR tv78[rbp] 00 00 mov rax, QWORD PTR tv79[rbp]
0009c 48 89 85 08 01 000a4 48 89 85 08 01
00 00 mov QWORD PTR $T4[rbp], rax 00 00 mov QWORD PTR $T4[rbp], rax
000a3 48 8b 85 08 01 000ab 48 8b 85 08 01
00 00 mov rax, QWORD PTR $T4[rbp] 00 00 mov rax, QWORD PTR $T4[rbp]
000aa 48 89 45 28 mov QWORD PTR Link$[rbp], rax 000b2 48 89 45 28 mov QWORD PTR Link$[rbp], rax
; 12 : XedDecode(&Link->XedInstruction, Link->RawData, 1); ; 12 : XedDecode(&Link->XedInstruction, Link->RawData, 1);
000ae 48 8b 45 28 mov rax, QWORD PTR Link$[rbp] 000b6 48 8b 45 28 mov rax, QWORD PTR Link$[rbp]
000b2 48 83 c0 30 add rax, 48 ; 00000030H 000ba 48 83 c0 30 add rax, 48 ; 00000030H
000b6 41 b8 01 00 00 000be 41 b8 01 00 00
00 mov r8d, 1 00 mov r8d, 1
000bc 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp] 000c4 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
000c0 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] 000c8 48 8b 51 20 mov rdx, QWORD PTR [rcx+32]
000c4 48 8b c8 mov rcx, rax 000cc 48 8b c8 mov rcx, rax
000c7 e8 00 00 00 00 call xed_decode 000cf e8 00 00 00 00 call xed_decode
; 13 : NcAppendToBlock(Block, Link); ; 13 : NcAppendToBlock(Block, Link);
000cc 48 8b 55 28 mov rdx, QWORD PTR Link$[rbp] 000d4 48 8b 55 28 mov rdx, QWORD PTR Link$[rbp]
000d0 48 8b 8d 70 01 000d8 48 8b 8d 70 01
00 00 mov rcx, QWORD PTR Block$[rbp] 00 00 mov rcx, QWORD PTR Block$[rbp]
000d7 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock 000df e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock
; 14 : return TRUE; ; 14 : return TRUE;
000dc b8 01 00 00 00 mov eax, 1 000e4 b8 01 00 00 00 mov eax, 1
; 15 : } ; 15 : }
000e1 8b f8 mov edi, eax 000e9 8b f8 mov edi, eax
000e3 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 000eb 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
000e7 48 8d 15 00 00 000ef 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z$rtcFrameData 00 00 lea rdx, OFFSET FLAT:?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z$rtcFrameData
000ee e8 00 00 00 00 call _RTC_CheckStackVars 000f6 e8 00 00 00 00 call _RTC_CheckStackVars
000f3 8b c7 mov eax, edi 000fb 8b c7 mov eax, edi
000f5 48 8b 8d 40 01 000fd 48 8b 8d 40 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
000fc 48 33 cd xor rcx, rbp 00104 48 33 cd xor rcx, rbp
000ff e8 00 00 00 00 call __security_check_cookie 00107 e8 00 00 00 00 call __security_check_cookie
00104 48 8d a5 58 01 0010c 48 8d a5 58 01
00 00 lea rsp, QWORD PTR [rbp+344] 00 00 lea rsp, QWORD PTR [rbp+344]
0010b 5f pop rdi 00113 5f pop rdi
0010c 5d pop rbp 00114 5d pop rbp
0010d c3 ret 0 00115 c3 ret 0
?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z ENDP ; JitEmitPushfqInst ?JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z ENDP ; JitEmitPushfqInst
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -6154,7 +6158,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
?dtor$0@?0??JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z@4HA PROC ; `JitEmitPushfqInst'::`1'::dtor$0 ?dtor$0@?0??JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z@4HA PROC ; `JitEmitPushfqInst'::`1'::dtor$0
@ -6163,7 +6167,7 @@ Block$ = 368
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 28 01 00019 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -6181,7 +6185,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
?dtor$0@?0??JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z@4HA PROC ; `JitEmitPushfqInst'::`1'::dtor$0 ?dtor$0@?0??JitEmitPushfqInst@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z@4HA PROC ; `JitEmitPushfqInst'::`1'::dtor$0
@ -6190,7 +6194,7 @@ Block$ = 368
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 28 01 00019 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]



@ -115,7 +115,7 @@ EXTRN __imp_?_Getmonths@_Locinfo@std@@QEBAPEBDXZ:PROC
EXTRN __imp_?_W_Getdays@_Locinfo@std@@QEBAPEBGXZ:PROC EXTRN __imp_?_W_Getdays@_Locinfo@std@@QEBAPEBGXZ:PROC
EXTRN __imp_?_W_Getmonths@_Locinfo@std@@QEBAPEBGXZ:PROC EXTRN __imp_?_W_Getmonths@_Locinfo@std@@QEBAPEBGXZ:PROC
EXTRN xed_decode:PROC EXTRN xed_decode:PROC
EXTRN ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z:PROC ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK EXTRN ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z:PROC ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
EXTRN ??0_NATIVE_CODE_BLOCK@@QEAA@XZ:PROC ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK EXTRN ??0_NATIVE_CODE_BLOCK@@QEAA@XZ:PROC ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK
EXTRN ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z:PROC ; NcAppendToBlock EXTRN ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z:PROC ; NcAppendToBlock
EXTRN _RTC_CheckStackVars:PROC EXTRN _RTC_CheckStackVars:PROC
@ -190,7 +190,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ DD imagerel $LN6 $pdata$?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ DD imagerel $LN6
DD imagerel $LN6+243 DD imagerel $LN6+251
DD imagerel $unwind$?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ DD imagerel $unwind$?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -295,7 +295,7 @@ $ip2state$?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ DB 06H
DB 00H DB 00H
DB 0a0H DB 0a0H
DB 02H DB 02H
DB 08eH DB 09eH
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -312,13 +312,13 @@ $cppxdata$?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ DB 028H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
xdata SEGMENT xdata SEGMENT
$unwind$?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ DD 025052f19H $unwind$?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ DD 035052f19H
DD 010a230fH DD 010a330fH
DD 07003002fH DD 070030031H
DD 05002H DD 05002H
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ DD imagerel $cppxdata$?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ
DD 0162H DD 0172H
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -331,7 +331,7 @@ CONST SEGMENT
DB 061H DB 061H
DB 00H DB 00H
ORG $+8 ORG $+8
?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ$rtcVarDesc DD 024H ; NcEmitNop ?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ$rtcVarDesc DD 034H ; NcEmitNop
DD 01H DD 01H
DQ FLAT:?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ$rtcName$0 DQ FLAT:?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ$rtcName$0
ORG $+48 ORG $+48
@ -688,7 +688,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ PROC ; NcEmitNop, COMDAT ?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ PROC ; NcEmitNop, COMDAT
@ -697,11 +697,11 @@ __$ArrayPad$ = 320
$LN6: $LN6:
00000 40 55 push rbp 00000 40 55 push rbp
00002 57 push rdi 00002 57 push rdi
00003 48 81 ec 78 01 00003 48 81 ec 88 01
00 00 sub rsp, 376 ; 00000178H 00 00 sub rsp, 392 ; 00000188H
0000a 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] 0000a 48 8d 6c 24 30 lea rbp, QWORD PTR [rsp+48]
0000f 48 8b fc mov rdi, rsp 0000f 48 8b fc mov rdi, rsp
00012 b9 5e 00 00 00 mov ecx, 94 ; 0000005eH 00012 b9 62 00 00 00 mov ecx, 98 ; 00000062H
00017 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 00017 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH
0001c f3 ab rep stosd 0001c f3 ab rep stosd
0001e 48 8b 05 00 00 0001e 48 8b 05 00 00
@ -725,62 +725,64 @@ $LN6:
00 00 mov QWORD PTR $T5[rbp], rax 00 00 mov QWORD PTR $T5[rbp], rax
00050 48 83 bd 28 01 00050 48 83 bd 28 01
00 00 00 cmp QWORD PTR $T5[rbp], 0 00 00 00 cmp QWORD PTR $T5[rbp], 0
00058 74 24 je SHORT $LN3@NcEmitNop 00058 74 2c je SHORT $LN3@NcEmitNop
0005a 41 b9 01 00 00 0005a c7 44 24 20 00
00 00 00 mov DWORD PTR [rsp+32], 0
00062 41 b9 01 00 00
00 mov r9d, 1 00 mov r9d, 1
00060 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp] 00068 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp]
00064 ba 04 00 00 00 mov edx, 4 0006c ba 04 00 00 00 mov edx, 4
00069 48 8b 8d 28 01 00071 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
00070 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 00078 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
00075 48 89 85 38 01 0007d 48 89 85 38 01
00 00 mov QWORD PTR tv78[rbp], rax 00 00 mov QWORD PTR tv79[rbp], rax
0007c eb 0b jmp SHORT $LN4@NcEmitNop 00084 eb 0b jmp SHORT $LN4@NcEmitNop
$LN3@NcEmitNop: $LN3@NcEmitNop:
0007e 48 c7 85 38 01 00086 48 c7 85 38 01
00 00 00 00 00 00 00 00 00 00
00 mov QWORD PTR tv78[rbp], 0 00 mov QWORD PTR tv79[rbp], 0
$LN4@NcEmitNop: $LN4@NcEmitNop:
00089 48 8b 85 38 01 00091 48 8b 85 38 01
00 00 mov rax, QWORD PTR tv78[rbp] 00 00 mov rax, QWORD PTR tv79[rbp]
00090 48 89 85 08 01 00098 48 89 85 08 01
00 00 mov QWORD PTR $T4[rbp], rax 00 00 mov QWORD PTR $T4[rbp], rax
00097 48 8b 85 08 01 0009f 48 8b 85 08 01
00 00 mov rax, QWORD PTR $T4[rbp] 00 00 mov rax, QWORD PTR $T4[rbp]
0009e 48 89 45 28 mov QWORD PTR Link$[rbp], rax 000a6 48 89 45 28 mov QWORD PTR Link$[rbp], rax
; 7 : XedDecode(&Link->XedInstruction, Link->RawData, 1); ; 7 : XedDecode(&Link->XedInstruction, Link->RawData, 1);
000a2 48 8b 45 28 mov rax, QWORD PTR Link$[rbp] 000aa 48 8b 45 28 mov rax, QWORD PTR Link$[rbp]
000a6 48 83 c0 30 add rax, 48 ; 00000030H 000ae 48 83 c0 30 add rax, 48 ; 00000030H
000aa 41 b8 01 00 00 000b2 41 b8 01 00 00
00 mov r8d, 1 00 mov r8d, 1
000b0 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp] 000b8 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
000b4 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] 000bc 48 8b 51 20 mov rdx, QWORD PTR [rcx+32]
000b8 48 8b c8 mov rcx, rax 000c0 48 8b c8 mov rcx, rax
000bb e8 00 00 00 00 call xed_decode 000c3 e8 00 00 00 00 call xed_decode
; 8 : return Link; ; 8 : return Link;
000c0 48 8b 45 28 mov rax, QWORD PTR Link$[rbp] 000c8 48 8b 45 28 mov rax, QWORD PTR Link$[rbp]
; 9 : } ; 9 : }
000c4 48 8b f8 mov rdi, rax 000cc 48 8b f8 mov rdi, rax
000c7 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 000cf 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
000cb 48 8d 15 00 00 000d3 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ$rtcFrameData 00 00 lea rdx, OFFSET FLAT:?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ$rtcFrameData
000d2 e8 00 00 00 00 call _RTC_CheckStackVars 000da e8 00 00 00 00 call _RTC_CheckStackVars
000d7 48 8b c7 mov rax, rdi 000df 48 8b c7 mov rax, rdi
000da 48 8b 8d 40 01 000e2 48 8b 8d 40 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
000e1 48 33 cd xor rcx, rbp 000e9 48 33 cd xor rcx, rbp
000e4 e8 00 00 00 00 call __security_check_cookie 000ec e8 00 00 00 00 call __security_check_cookie
000e9 48 8d a5 58 01 000f1 48 8d a5 58 01
00 00 lea rsp, QWORD PTR [rbp+344] 00 00 lea rsp, QWORD PTR [rbp+344]
000f0 5f pop rdi 000f8 5f pop rdi
000f1 5d pop rbp 000f9 5d pop rbp
000f2 c3 ret 0 000fa c3 ret 0
?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ ENDP ; NcEmitNop ?NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ ENDP ; NcEmitNop
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -789,7 +791,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
?dtor$0@?0??NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ@4HA PROC ; `NcEmitNop'::`1'::dtor$0 ?dtor$0@?0??NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ@4HA PROC ; `NcEmitNop'::`1'::dtor$0
00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
@ -797,7 +799,7 @@ __$ArrayPad$ = 320
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 28 01 00019 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -815,7 +817,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
?dtor$0@?0??NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ@4HA PROC ; `NcEmitNop'::`1'::dtor$0 ?dtor$0@?0??NcEmitNop@@YAPEAU_NATIVE_CODE_LINK@@XZ@4HA PROC ; `NcEmitNop'::`1'::dtor$0
00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
@ -823,7 +825,7 @@ __$ArrayPad$ = 320
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 28 01 00019 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]


@ -116,7 +116,7 @@ EXTRN __imp_?_Getmonths@_Locinfo@std@@QEBAPEBDXZ:PROC
EXTRN __imp_?_W_Getdays@_Locinfo@std@@QEBAPEBGXZ:PROC EXTRN __imp_?_W_Getdays@_Locinfo@std@@QEBAPEBGXZ:PROC
EXTRN __imp_?_W_Getmonths@_Locinfo@std@@QEBAPEBGXZ:PROC EXTRN __imp_?_W_Getmonths@_Locinfo@std@@QEBAPEBGXZ:PROC
EXTRN xed_decode:PROC EXTRN xed_decode:PROC
EXTRN ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z:PROC ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK EXTRN ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z:PROC ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
EXTRN ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z:PROC ; NcAppendToBlock EXTRN ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z:PROC ; NcAppendToBlock
EXTRN _RTC_CheckStackVars:PROC EXTRN _RTC_CheckStackVars:PROC
EXTRN _RTC_InitBase:PROC EXTRN _RTC_InitBase:PROC
@ -190,7 +190,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6 $pdata$?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6
DD imagerel $LN6+369 DD imagerel $LN6+377
DD imagerel $unwind$?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $unwind$?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -202,7 +202,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6 $pdata$?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6
DD imagerel $LN6+367 DD imagerel $LN6+375
DD imagerel $unwind$?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $unwind$?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -214,7 +214,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6 $pdata$?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6
DD imagerel $LN6+358 DD imagerel $LN6+366
DD imagerel $unwind$?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $unwind$?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -270,7 +270,7 @@ $ip2state$?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 06H
DB 00H DB 00H
DB 0faH DB 0faH
DB 02H DB 02H
DB 08eH DB 09eH
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -287,13 +287,13 @@ $cppxdata$?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 028H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
xdata SEGMENT xdata SEGMENT
$unwind$?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 025054419H $unwind$?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 035054419H
DD 0117231cH DD 0117331cH
DD 07010002fH DD 070100031H
DD 0500fH DD 0500fH
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $cppxdata$?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
DD 0162H DD 0172H
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -306,7 +306,7 @@ CONST SEGMENT
DB 061H DB 061H
DB 00H DB 00H
ORG $+8 ORG $+8
?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 024H ; JitEmitRipRelativeAndB ?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 034H ; JitEmitRipRelativeAndB
DD 07H DD 07H
DQ FLAT:?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0 DQ FLAT:?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0
ORG $+48 ORG $+48
@ -327,7 +327,7 @@ $ip2state$?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 06H
DB 00H DB 00H
DB 015H, 02H DB 015H, 02H
DB 02H DB 02H
DB 08eH DB 09eH
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -344,13 +344,13 @@ $cppxdata$?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 028H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
xdata SEGMENT xdata SEGMENT
$unwind$?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 025054419H $unwind$?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 035054419H
DD 0117231cH DD 0117331cH
DD 070100031H DD 070100033H
DD 0500fH DD 0500fH
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $cppxdata$?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
DD 0172H DD 0182H
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -363,7 +363,7 @@ CONST SEGMENT
DB 061H DB 061H
DB 00H DB 00H
ORG $+8 ORG $+8
?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 028H ; JitEmitRipRelativeAndW ?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 038H ; JitEmitRipRelativeAndW
DD 09H DD 09H
DQ FLAT:?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0 DQ FLAT:?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0
ORG $+48 ORG $+48
@ -384,7 +384,7 @@ $ip2state$?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 06H
DB 00H DB 00H
DB '%', 02H DB '%', 02H
DB 02H DB 02H
DB 08eH DB 09eH
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -401,13 +401,13 @@ $cppxdata$?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 028H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
xdata SEGMENT xdata SEGMENT
$unwind$?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 025054419H $unwind$?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 035054419H
DD 0117231cH DD 0117331cH
DD 070100031H DD 070100033H
DD 0500fH DD 0500fH
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $cppxdata$?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
DD 0172H DD 0182H
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -420,7 +420,7 @@ CONST SEGMENT
DB 061H DB 061H
DB 00H DB 00H
ORG $+8 ORG $+8
?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 028H ; JitEmitRipRelativeAndD ?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 038H ; JitEmitRipRelativeAndD
DD 0aH DD 0aH
DQ FLAT:?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0 DQ FLAT:?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0
ORG $+48 ORG $+48
@ -603,7 +603,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
RipDelta$ = 376 RipDelta$ = 376
@ -618,15 +618,15 @@ $LN6:
00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
0000e 55 push rbp 0000e 55 push rbp
0000f 57 push rdi 0000f 57 push rdi
00010 48 81 ec 78 01 00010 48 81 ec 88 01
00 00 sub rsp, 376 ; 00000178H 00 00 sub rsp, 392 ; 00000188H
00017 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] 00017 48 8d 6c 24 30 lea rbp, QWORD PTR [rsp+48]
0001c 48 8b fc mov rdi, rsp 0001c 48 8b fc mov rdi, rsp
0001f b9 5e 00 00 00 mov ecx, 94 ; 0000005eH 0001f b9 62 00 00 00 mov ecx, 98 ; 00000062H
00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH
00029 f3 ab rep stosd 00029 f3 ab rep stosd
0002b 48 8b 8c 24 98 0002b 48 8b 8c 24 a8
01 00 00 mov rcx, QWORD PTR [rsp+408] 01 00 00 mov rcx, QWORD PTR [rsp+424]
00033 48 8b 05 00 00 00033 48 8b 05 00 00
00 00 mov rax, QWORD PTR __security_cookie 00 00 mov rax, QWORD PTR __security_cookie
0003a 48 33 c5 xor rax, rbp 0003a 48 33 c5 xor rax, rbp
@ -655,89 +655,91 @@ $LN6:
00 00 mov QWORD PTR $T5[rbp], rax 00 00 mov QWORD PTR $T5[rbp], rax
0007d 48 83 bd 28 01 0007d 48 83 bd 28 01
00 00 00 cmp QWORD PTR $T5[rbp], 0 00 00 00 cmp QWORD PTR $T5[rbp], 0
00085 74 24 je SHORT $LN3@JitEmitRip 00085 74 2c je SHORT $LN3@JitEmitRip
00087 41 b9 07 00 00 00087 c7 44 24 20 00
00 00 00 mov DWORD PTR [rsp+32], 0
0008f 41 b9 07 00 00
00 mov r9d, 7 00 mov r9d, 7
0008d 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp] 00095 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp]
00091 ba 0c 00 00 00 mov edx, 12 00099 ba 0c 00 00 00 mov edx, 12
00096 48 8b 8d 28 01 0009e 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
0009d e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 000a5 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
000a2 48 89 85 38 01 000aa 48 89 85 38 01
00 00 mov QWORD PTR tv78[rbp], rax 00 00 mov QWORD PTR tv79[rbp], rax
000a9 eb 0b jmp SHORT $LN4@JitEmitRip 000b1 eb 0b jmp SHORT $LN4@JitEmitRip
$LN3@JitEmitRip: $LN3@JitEmitRip:
000ab 48 c7 85 38 01 000b3 48 c7 85 38 01
00 00 00 00 00 00 00 00 00 00
00 mov QWORD PTR tv78[rbp], 0 00 mov QWORD PTR tv79[rbp], 0
$LN4@JitEmitRip: $LN4@JitEmitRip:
000b6 48 8b 85 38 01 000be 48 8b 85 38 01
00 00 mov rax, QWORD PTR tv78[rbp] 00 00 mov rax, QWORD PTR tv79[rbp]
000bd 48 89 85 08 01 000c5 48 89 85 08 01
00 00 mov QWORD PTR $T4[rbp], rax 00 00 mov QWORD PTR $T4[rbp], rax
000c4 48 8b 85 08 01 000cc 48 8b 85 08 01
00 00 mov rax, QWORD PTR $T4[rbp] 00 00 mov rax, QWORD PTR $T4[rbp]
000cb 48 89 45 28 mov QWORD PTR Link$[rbp], rax 000d3 48 89 45 28 mov QWORD PTR Link$[rbp], rax
; 32 : *(PINT32)&Link->RawData[2] = RipDelta; ; 32 : *(PINT32)&Link->RawData[2] = RipDelta;
000cf b8 01 00 00 00 mov eax, 1 000d7 b8 01 00 00 00 mov eax, 1
000d4 48 6b c0 02 imul rax, rax, 2 000dc 48 6b c0 02 imul rax, rax, 2
000d8 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp] 000e0 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
000dc 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 000e4 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
000e0 8b 95 78 01 00 000e8 8b 95 78 01 00
00 mov edx, DWORD PTR RipDelta$[rbp] 00 mov edx, DWORD PTR RipDelta$[rbp]
000e6 89 14 08 mov DWORD PTR [rax+rcx], edx 000ee 89 14 08 mov DWORD PTR [rax+rcx], edx
; 33 : *(PUCHAR)&Link->RawData[6] = (UCHAR)Value; ; 33 : *(PUCHAR)&Link->RawData[6] = (UCHAR)Value;
000e9 b8 01 00 00 00 mov eax, 1 000f1 b8 01 00 00 00 mov eax, 1
000ee 48 6b c0 06 imul rax, rax, 6 000f6 48 6b c0 06 imul rax, rax, 6
000f2 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp] 000fa 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
000f6 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 000fe 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
000fa 0f b6 95 80 01 00102 0f b6 95 80 01
00 00 movzx edx, BYTE PTR Value$[rbp] 00 00 movzx edx, BYTE PTR Value$[rbp]
00101 88 14 08 mov BYTE PTR [rax+rcx], dl 00109 88 14 08 mov BYTE PTR [rax+rcx], dl
; 34 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize); ; 34 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
00104 48 8b 45 28 mov rax, QWORD PTR Link$[rbp] 0010c 48 8b 45 28 mov rax, QWORD PTR Link$[rbp]
00108 48 83 c0 30 add rax, 48 ; 00000030H 00110 48 83 c0 30 add rax, 48 ; 00000030H
0010c 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
00110 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
00114 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp] 00114 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
00118 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] 00118 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
0011c 48 8b c8 mov rcx, rax 0011c 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
0011f e8 00 00 00 00 call xed_decode 00120 48 8b 51 20 mov rdx, QWORD PTR [rcx+32]
00124 48 8b c8 mov rcx, rax
00127 e8 00 00 00 00 call xed_decode
; 35 : NcAppendToBlock(Block, Link); ; 35 : NcAppendToBlock(Block, Link);
00124 48 8b 55 28 mov rdx, QWORD PTR Link$[rbp] 0012c 48 8b 55 28 mov rdx, QWORD PTR Link$[rbp]
00128 48 8b 8d 70 01 00130 48 8b 8d 70 01
00 00 mov rcx, QWORD PTR Block$[rbp] 00 00 mov rcx, QWORD PTR Block$[rbp]
0012f e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock 00137 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock
; 36 : return TRUE; ; 36 : return TRUE;
00134 b8 01 00 00 00 mov eax, 1 0013c b8 01 00 00 00 mov eax, 1
; 37 : } ; 37 : }
00139 8b f8 mov edi, eax 00141 8b f8 mov edi, eax
0013b 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 00143 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
0013f 48 8d 15 00 00 00147 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData 00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData
00146 e8 00 00 00 00 call _RTC_CheckStackVars 0014e e8 00 00 00 00 call _RTC_CheckStackVars
0014b 8b c7 mov eax, edi 00153 8b c7 mov eax, edi
0014d 48 8b 8d 40 01 00155 48 8b 8d 40 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
00154 48 33 cd xor rcx, rbp 0015c 48 33 cd xor rcx, rbp
00157 e8 00 00 00 00 call __security_check_cookie 0015f e8 00 00 00 00 call __security_check_cookie
0015c 48 8d a5 58 01 00164 48 8d a5 58 01
00 00 lea rsp, QWORD PTR [rbp+344] 00 00 lea rsp, QWORD PTR [rbp+344]
00163 5f pop rdi 0016b 5f pop rdi
00164 5d pop rbp 0016c 5d pop rbp
00165 c3 ret 0 0016d c3 ret 0
?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeAndB ?JitEmitRipRelativeAndB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeAndB
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -746,7 +748,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
RipDelta$ = 376 RipDelta$ = 376
@ -757,7 +759,7 @@ Value$ = 384
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 28 01 00019 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -775,7 +777,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
RipDelta$ = 376 RipDelta$ = 376
@ -786,7 +788,7 @@ Value$ = 384
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 28 01 00019 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -805,7 +807,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -820,15 +822,15 @@ $LN6:
00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
0000e 55 push rbp 0000e 55 push rbp
0000f 57 push rdi 0000f 57 push rdi
00010 48 81 ec 88 01 00010 48 81 ec 98 01
00 00 sub rsp, 392 ; 00000188H 00 00 sub rsp, 408 ; 00000198H
00017 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] 00017 48 8d 6c 24 30 lea rbp, QWORD PTR [rsp+48]
0001c 48 8b fc mov rdi, rsp 0001c 48 8b fc mov rdi, rsp
0001f b9 62 00 00 00 mov ecx, 98 ; 00000062H 0001f b9 66 00 00 00 mov ecx, 102 ; 00000066H
00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH
00029 f3 ab rep stosd 00029 f3 ab rep stosd
0002b 48 8b 8c 24 a8 0002b 48 8b 8c 24 b8
01 00 00 mov rcx, QWORD PTR [rsp+424] 01 00 00 mov rcx, QWORD PTR [rsp+440]
00033 48 8b 05 00 00 00033 48 8b 05 00 00
00 00 mov rax, QWORD PTR __security_cookie 00 00 mov rax, QWORD PTR __security_cookie
0003a 48 33 c5 xor rax, rbp 0003a 48 33 c5 xor rax, rbp
@ -859,89 +861,91 @@ $LN6:
00 00 mov QWORD PTR $T5[rbp], rax 00 00 mov QWORD PTR $T5[rbp], rax
00085 48 83 bd 38 01 00085 48 83 bd 38 01
00 00 00 cmp QWORD PTR $T5[rbp], 0 00 00 00 cmp QWORD PTR $T5[rbp], 0
0008d 74 24 je SHORT $LN3@JitEmitRip 0008d 74 2c je SHORT $LN3@JitEmitRip
0008f 41 b9 09 00 00 0008f c7 44 24 20 00
00 00 00 mov DWORD PTR [rsp+32], 0
00097 41 b9 09 00 00
00 mov r9d, 9 00 mov r9d, 9
00095 4c 8d 45 08 lea r8, QWORD PTR RawData$[rbp] 0009d 4c 8d 45 08 lea r8, QWORD PTR RawData$[rbp]
00099 ba 0c 00 00 00 mov edx, 12 000a1 ba 0c 00 00 00 mov edx, 12
0009e 48 8b 8d 38 01 000a6 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
000a5 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 000ad e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
000aa 48 89 85 48 01 000b2 48 89 85 48 01
00 00 mov QWORD PTR tv78[rbp], rax 00 00 mov QWORD PTR tv79[rbp], rax
000b1 eb 0b jmp SHORT $LN4@JitEmitRip 000b9 eb 0b jmp SHORT $LN4@JitEmitRip
$LN3@JitEmitRip: $LN3@JitEmitRip:
000b3 48 c7 85 48 01 000bb 48 c7 85 48 01
00 00 00 00 00 00 00 00 00 00
00 mov QWORD PTR tv78[rbp], 0 00 mov QWORD PTR tv79[rbp], 0
$LN4@JitEmitRip: $LN4@JitEmitRip:
000be 48 8b 85 48 01 000c6 48 8b 85 48 01
00 00 mov rax, QWORD PTR tv78[rbp] 00 00 mov rax, QWORD PTR tv79[rbp]
000c5 48 89 85 18 01 000cd 48 89 85 18 01
00 00 mov QWORD PTR $T4[rbp], rax 00 00 mov QWORD PTR $T4[rbp], rax
000cc 48 8b 85 18 01 000d4 48 8b 85 18 01
00 00 mov rax, QWORD PTR $T4[rbp] 00 00 mov rax, QWORD PTR $T4[rbp]
000d3 48 89 45 38 mov QWORD PTR Link$[rbp], rax 000db 48 89 45 38 mov QWORD PTR Link$[rbp], rax
; 20 : *(PINT32)&Link->RawData[3] = RipDelta; ; 20 : *(PINT32)&Link->RawData[3] = RipDelta;
000d7 b8 01 00 00 00 mov eax, 1 000df b8 01 00 00 00 mov eax, 1
000dc 48 6b c0 03 imul rax, rax, 3 000e4 48 6b c0 03 imul rax, rax, 3
000e0 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 000e8 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
000e4 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 000ec 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
000e8 8b 95 88 01 00 000f0 8b 95 88 01 00
00 mov edx, DWORD PTR RipDelta$[rbp] 00 mov edx, DWORD PTR RipDelta$[rbp]
000ee 89 14 08 mov DWORD PTR [rax+rcx], edx 000f6 89 14 08 mov DWORD PTR [rax+rcx], edx
; 21 : *(PUSHORT)&Link->RawData[7] = (USHORT)Value; ; 21 : *(PUSHORT)&Link->RawData[7] = (USHORT)Value;
000f1 b8 01 00 00 00 mov eax, 1 000f9 b8 01 00 00 00 mov eax, 1
000f6 48 6b c0 07 imul rax, rax, 7 000fe 48 6b c0 07 imul rax, rax, 7
000fa 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 00102 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
000fe 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 00106 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
00102 0f b7 95 90 01 0010a 0f b7 95 90 01
00 00 movzx edx, WORD PTR Value$[rbp] 00 00 movzx edx, WORD PTR Value$[rbp]
00109 66 89 14 08 mov WORD PTR [rax+rcx], dx 00111 66 89 14 08 mov WORD PTR [rax+rcx], dx
; 22 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize); ; 22 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
0010d 48 8b 45 38 mov rax, QWORD PTR Link$[rbp] 00115 48 8b 45 38 mov rax, QWORD PTR Link$[rbp]
00111 48 83 c0 30 add rax, 48 ; 00000030H 00119 48 83 c0 30 add rax, 48 ; 00000030H
00115 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00119 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
0011d 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 0011d 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00121 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] 00121 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
00125 48 8b c8 mov rcx, rax 00125 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00128 e8 00 00 00 00 call xed_decode 00129 48 8b 51 20 mov rdx, QWORD PTR [rcx+32]
0012d 48 8b c8 mov rcx, rax
00130 e8 00 00 00 00 call xed_decode
; 23 : NcAppendToBlock(Block, Link); ; 23 : NcAppendToBlock(Block, Link);
0012d 48 8b 55 38 mov rdx, QWORD PTR Link$[rbp] 00135 48 8b 55 38 mov rdx, QWORD PTR Link$[rbp]
00131 48 8b 8d 80 01 00139 48 8b 8d 80 01
00 00 mov rcx, QWORD PTR Block$[rbp] 00 00 mov rcx, QWORD PTR Block$[rbp]
00138 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock 00140 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock
; 24 : return TRUE; ; 24 : return TRUE;
0013d b8 01 00 00 00 mov eax, 1 00145 b8 01 00 00 00 mov eax, 1
; 25 : } ; 25 : }
00142 8b f8 mov edi, eax 0014a 8b f8 mov edi, eax
00144 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 0014c 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
00148 48 8d 15 00 00 00150 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData 00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData
0014f e8 00 00 00 00 call _RTC_CheckStackVars 00157 e8 00 00 00 00 call _RTC_CheckStackVars
00154 8b c7 mov eax, edi 0015c 8b c7 mov eax, edi
00156 48 8b 8d 50 01 0015e 48 8b 8d 50 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
0015d 48 33 cd xor rcx, rbp 00165 48 33 cd xor rcx, rbp
00160 e8 00 00 00 00 call __security_check_cookie 00168 e8 00 00 00 00 call __security_check_cookie
00165 48 8d a5 68 01 0016d 48 8d a5 68 01
00 00 lea rsp, QWORD PTR [rbp+360] 00 00 lea rsp, QWORD PTR [rbp+360]
0016c 5f pop rdi 00174 5f pop rdi
0016d 5d pop rbp 00175 5d pop rbp
0016e c3 ret 0 00176 c3 ret 0
?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeAndW ?JitEmitRipRelativeAndW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeAndW
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -950,7 +954,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -961,7 +965,7 @@ Value$ = 400
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 38 01 00019 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -979,7 +983,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -990,7 +994,7 @@ Value$ = 400
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 38 01 00019 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -1009,7 +1013,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -1024,15 +1028,15 @@ $LN6:
00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
0000e 55 push rbp 0000e 55 push rbp
0000f 57 push rdi 0000f 57 push rdi
00010 48 81 ec 88 01 00010 48 81 ec 98 01
00 00 sub rsp, 392 ; 00000188H 00 00 sub rsp, 408 ; 00000198H
00017 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] 00017 48 8d 6c 24 30 lea rbp, QWORD PTR [rsp+48]
0001c 48 8b fc mov rdi, rsp 0001c 48 8b fc mov rdi, rsp
0001f b9 62 00 00 00 mov ecx, 98 ; 00000062H 0001f b9 66 00 00 00 mov ecx, 102 ; 00000066H
00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH
00029 f3 ab rep stosd 00029 f3 ab rep stosd
0002b 48 8b 8c 24 a8 0002b 48 8b 8c 24 b8
01 00 00 mov rcx, QWORD PTR [rsp+424] 01 00 00 mov rcx, QWORD PTR [rsp+440]
00033 48 8b 05 00 00 00033 48 8b 05 00 00
00 00 mov rax, QWORD PTR __security_cookie 00 00 mov rax, QWORD PTR __security_cookie
0003a 48 33 c5 xor rax, rbp 0003a 48 33 c5 xor rax, rbp
@ -1064,89 +1068,91 @@ $LN6:
00 00 mov QWORD PTR $T5[rbp], rax 00 00 mov QWORD PTR $T5[rbp], rax
00089 48 83 bd 38 01 00089 48 83 bd 38 01
00 00 00 cmp QWORD PTR $T5[rbp], 0 00 00 00 cmp QWORD PTR $T5[rbp], 0
00091 74 24 je SHORT $LN3@JitEmitRip 00091 74 2c je SHORT $LN3@JitEmitRip
00093 41 b9 0a 00 00 00093 c7 44 24 20 00
00 00 00 mov DWORD PTR [rsp+32], 0
0009b 41 b9 0a 00 00
00 mov r9d, 10 00 mov r9d, 10
00099 4c 8d 45 08 lea r8, QWORD PTR RawData$[rbp] 000a1 4c 8d 45 08 lea r8, QWORD PTR RawData$[rbp]
0009d ba 0c 00 00 00 mov edx, 12 000a5 ba 0c 00 00 00 mov edx, 12
000a2 48 8b 8d 38 01 000aa 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
000a9 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 000b1 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
000ae 48 89 85 48 01 000b6 48 89 85 48 01
00 00 mov QWORD PTR tv78[rbp], rax 00 00 mov QWORD PTR tv79[rbp], rax
000b5 eb 0b jmp SHORT $LN4@JitEmitRip 000bd eb 0b jmp SHORT $LN4@JitEmitRip
$LN3@JitEmitRip: $LN3@JitEmitRip:
000b7 48 c7 85 48 01 000bf 48 c7 85 48 01
00 00 00 00 00 00 00 00 00 00
00 mov QWORD PTR tv78[rbp], 0 00 mov QWORD PTR tv79[rbp], 0
$LN4@JitEmitRip: $LN4@JitEmitRip:
000c2 48 8b 85 48 01 000ca 48 8b 85 48 01
00 00 mov rax, QWORD PTR tv78[rbp] 00 00 mov rax, QWORD PTR tv79[rbp]
000c9 48 89 85 18 01 000d1 48 89 85 18 01
00 00 mov QWORD PTR $T4[rbp], rax 00 00 mov QWORD PTR $T4[rbp], rax
000d0 48 8b 85 18 01 000d8 48 8b 85 18 01
00 00 mov rax, QWORD PTR $T4[rbp] 00 00 mov rax, QWORD PTR $T4[rbp]
000d7 48 89 45 38 mov QWORD PTR Link$[rbp], rax 000df 48 89 45 38 mov QWORD PTR Link$[rbp], rax
; 8 : *(PINT32)&Link->RawData[2] = RipDelta; ; 8 : *(PINT32)&Link->RawData[2] = RipDelta;
000db b8 01 00 00 00 mov eax, 1 000e3 b8 01 00 00 00 mov eax, 1
000e0 48 6b c0 02 imul rax, rax, 2 000e8 48 6b c0 02 imul rax, rax, 2
000e4 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 000ec 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
000e8 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 000f0 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
000ec 8b 95 88 01 00 000f4 8b 95 88 01 00
00 mov edx, DWORD PTR RipDelta$[rbp] 00 mov edx, DWORD PTR RipDelta$[rbp]
000f2 89 14 08 mov DWORD PTR [rax+rcx], edx 000fa 89 14 08 mov DWORD PTR [rax+rcx], edx
; 9 : *(PULONG)&Link->RawData[6] = Value; ; 9 : *(PULONG)&Link->RawData[6] = Value;
000f5 b8 01 00 00 00 mov eax, 1 000fd b8 01 00 00 00 mov eax, 1
000fa 48 6b c0 06 imul rax, rax, 6 00102 48 6b c0 06 imul rax, rax, 6
000fe 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 00106 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00102 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 0010a 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
00106 8b 95 90 01 00 0010e 8b 95 90 01 00
00 mov edx, DWORD PTR Value$[rbp] 00 mov edx, DWORD PTR Value$[rbp]
0010c 89 14 08 mov DWORD PTR [rax+rcx], edx 00114 89 14 08 mov DWORD PTR [rax+rcx], edx
; 10 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize); ; 10 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
0010f 48 8b 45 38 mov rax, QWORD PTR Link$[rbp] 00117 48 8b 45 38 mov rax, QWORD PTR Link$[rbp]
00113 48 83 c0 30 add rax, 48 ; 00000030H 0011b 48 83 c0 30 add rax, 48 ; 00000030H
00117 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
0011b 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
0011f 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 0011f 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00123 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] 00123 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
00127 48 8b c8 mov rcx, rax 00127 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
0012a e8 00 00 00 00 call xed_decode 0012b 48 8b 51 20 mov rdx, QWORD PTR [rcx+32]
0012f 48 8b c8 mov rcx, rax
00132 e8 00 00 00 00 call xed_decode
; 11 : NcAppendToBlock(Block, Link); ; 11 : NcAppendToBlock(Block, Link);
0012f 48 8b 55 38 mov rdx, QWORD PTR Link$[rbp] 00137 48 8b 55 38 mov rdx, QWORD PTR Link$[rbp]
00133 48 8b 8d 80 01 0013b 48 8b 8d 80 01
00 00 mov rcx, QWORD PTR Block$[rbp] 00 00 mov rcx, QWORD PTR Block$[rbp]
0013a e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock 00142 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock
; 12 : return TRUE; ; 12 : return TRUE;
0013f b8 01 00 00 00 mov eax, 1 00147 b8 01 00 00 00 mov eax, 1
; 13 : } ; 13 : }
00144 8b f8 mov edi, eax 0014c 8b f8 mov edi, eax
00146 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 0014e 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
0014a 48 8d 15 00 00 00152 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData 00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData
00151 e8 00 00 00 00 call _RTC_CheckStackVars 00159 e8 00 00 00 00 call _RTC_CheckStackVars
00156 8b c7 mov eax, edi 0015e 8b c7 mov eax, edi
00158 48 8b 8d 50 01 00160 48 8b 8d 50 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
0015f 48 33 cd xor rcx, rbp 00167 48 33 cd xor rcx, rbp
00162 e8 00 00 00 00 call __security_check_cookie 0016a e8 00 00 00 00 call __security_check_cookie
00167 48 8d a5 68 01 0016f 48 8d a5 68 01
00 00 lea rsp, QWORD PTR [rbp+360] 00 00 lea rsp, QWORD PTR [rbp+360]
0016e 5f pop rdi 00176 5f pop rdi
0016f 5d pop rbp 00177 5d pop rbp
00170 c3 ret 0 00178 c3 ret 0
?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeAndD ?JitEmitRipRelativeAndD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeAndD
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -1155,7 +1161,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -1166,7 +1172,7 @@ Value$ = 400
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 38 01 00019 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -1184,7 +1190,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -1195,7 +1201,7 @@ Value$ = 400
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 38 01 00019 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]

@ -116,7 +116,7 @@ EXTRN __imp_?_Getmonths@_Locinfo@std@@QEBAPEBDXZ:PROC
EXTRN __imp_?_W_Getdays@_Locinfo@std@@QEBAPEBGXZ:PROC EXTRN __imp_?_W_Getdays@_Locinfo@std@@QEBAPEBGXZ:PROC
EXTRN __imp_?_W_Getmonths@_Locinfo@std@@QEBAPEBGXZ:PROC EXTRN __imp_?_W_Getmonths@_Locinfo@std@@QEBAPEBGXZ:PROC
EXTRN xed_decode:PROC EXTRN xed_decode:PROC
EXTRN ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z:PROC ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK EXTRN ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z:PROC ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
EXTRN ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z:PROC ; NcAppendToBlock EXTRN ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z:PROC ; NcAppendToBlock
EXTRN _RTC_CheckStackVars:PROC EXTRN _RTC_CheckStackVars:PROC
EXTRN _RTC_InitBase:PROC EXTRN _RTC_InitBase:PROC
@ -190,7 +190,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD imagerel $LN6 $pdata$?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD imagerel $LN6
DD imagerel $LN6+381 DD imagerel $LN6+389
DD imagerel $unwind$?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD imagerel $unwind$?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -202,7 +202,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD imagerel $LN6 $pdata$?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD imagerel $LN6
DD imagerel $LN6+377 DD imagerel $LN6+385
DD imagerel $unwind$?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD imagerel $unwind$?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -214,7 +214,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD imagerel $LN6 $pdata$?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD imagerel $LN6
DD imagerel $LN6+361 DD imagerel $LN6+369
DD imagerel $unwind$?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD imagerel $unwind$?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -270,7 +270,7 @@ $ip2state$?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DB 06H
DB 00H DB 00H
DB 0faH DB 0faH
DB 02H DB 02H
DB 08eH DB 09eH
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -287,13 +287,13 @@ $cppxdata$?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DB 028H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
xdata SEGMENT xdata SEGMENT
$unwind$?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD 025054419H $unwind$?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD 035054419H
DD 0117231cH DD 0117331cH
DD 07010002fH DD 070100031H
DD 0500fH DD 0500fH
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD imagerel $cppxdata$?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z
DD 0162H DD 0172H
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -306,7 +306,7 @@ CONST SEGMENT
DB 061H DB 061H
DB 00H DB 00H
ORG $+8 ORG $+8
?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcVarDesc DD 024H ; JitEmitRipRelativeMovB ?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcVarDesc DD 034H ; JitEmitRipRelativeMovB
DD 07H DD 07H
DQ FLAT:?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcName$0 DQ FLAT:?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcName$0
ORG $+48 ORG $+48
@ -327,7 +327,7 @@ $ip2state$?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DB 06H
DB 00H DB 00H
DB 015H, 02H DB 015H, 02H
DB 02H DB 02H
DB 08eH DB 09eH
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -344,13 +344,13 @@ $cppxdata$?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DB 028H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
xdata SEGMENT xdata SEGMENT
$unwind$?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD 025054419H $unwind$?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD 035054419H
DD 0117231cH DD 0117331cH
DD 070100031H DD 070100033H
DD 0500fH DD 0500fH
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD imagerel $cppxdata$?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z
DD 0172H DD 0182H
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -363,7 +363,7 @@ CONST SEGMENT
DB 061H DB 061H
DB 00H DB 00H
ORG $+8 ORG $+8
?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcVarDesc DD 028H ; JitEmitRipRelativeMovW ?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcVarDesc DD 038H ; JitEmitRipRelativeMovW
DD 09H DD 09H
DQ FLAT:?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcName$0 DQ FLAT:?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcName$0
ORG $+48 ORG $+48
@ -384,7 +384,7 @@ $ip2state$?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DB 06H
DB 00H DB 00H
DB '%', 02H DB '%', 02H
DB 02H DB 02H
DB 08eH DB 09eH
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -401,13 +401,13 @@ $cppxdata$?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DB 028H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
xdata SEGMENT xdata SEGMENT
$unwind$?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD 025054419H $unwind$?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD 035054419H
DD 0117231cH DD 0117331cH
DD 070100031H DD 070100033H
DD 0500fH DD 0500fH
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z DD imagerel $cppxdata$?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z
DD 0172H DD 0182H
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -420,7 +420,7 @@ CONST SEGMENT
DB 061H DB 061H
DB 00H DB 00H
ORG $+8 ORG $+8
?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcVarDesc DD 028H ; JitEmitRipRelativeMovD ?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcVarDesc DD 038H ; JitEmitRipRelativeMovD
DD 0aH DD 0aH
DQ FLAT:?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcName$0 DQ FLAT:?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcName$0
ORG $+48 ORG $+48
@ -603,7 +603,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
RipDelta$ = 376 RipDelta$ = 376
@ -618,15 +618,15 @@ $LN6:
00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
0000e 55 push rbp 0000e 55 push rbp
0000f 57 push rdi 0000f 57 push rdi
00010 48 81 ec 78 01 00010 48 81 ec 88 01
00 00 sub rsp, 376 ; 00000178H 00 00 sub rsp, 392 ; 00000188H
00017 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] 00017 48 8d 6c 24 30 lea rbp, QWORD PTR [rsp+48]
0001c 48 8b fc mov rdi, rsp 0001c 48 8b fc mov rdi, rsp
0001f b9 5e 00 00 00 mov ecx, 94 ; 0000005eH 0001f b9 62 00 00 00 mov ecx, 98 ; 00000062H
00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH
00029 f3 ab rep stosd 00029 f3 ab rep stosd
0002b 48 8b 8c 24 98 0002b 48 8b 8c 24 a8
01 00 00 mov rcx, QWORD PTR [rsp+408] 01 00 00 mov rcx, QWORD PTR [rsp+424]
00033 48 8b 05 00 00 00033 48 8b 05 00 00
00 00 mov rax, QWORD PTR __security_cookie 00 00 mov rax, QWORD PTR __security_cookie
0003a 48 33 c5 xor rax, rbp 0003a 48 33 c5 xor rax, rbp
@ -655,90 +655,92 @@ $LN6:
00 00 mov QWORD PTR $T5[rbp], rax 00 00 mov QWORD PTR $T5[rbp], rax
0007d 48 83 bd 28 01 0007d 48 83 bd 28 01
00 00 00 cmp QWORD PTR $T5[rbp], 0 00 00 00 cmp QWORD PTR $T5[rbp], 0
00085 74 24 je SHORT $LN3@JitEmitRip 00085 74 2c je SHORT $LN3@JitEmitRip
00087 41 b9 07 00 00 00087 c7 44 24 20 00
00 00 00 mov DWORD PTR [rsp+32], 0
0008f 41 b9 07 00 00
00 mov r9d, 7 00 mov r9d, 7
0008d 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp] 00095 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp]
00091 ba 0c 00 00 00 mov edx, 12 00099 ba 0c 00 00 00 mov edx, 12
00096 48 8b 8d 28 01 0009e 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
0009d e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 000a5 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
000a2 48 89 85 38 01 000aa 48 89 85 38 01
00 00 mov QWORD PTR tv78[rbp], rax 00 00 mov QWORD PTR tv79[rbp], rax
000a9 eb 0b jmp SHORT $LN4@JitEmitRip 000b1 eb 0b jmp SHORT $LN4@JitEmitRip
$LN3@JitEmitRip: $LN3@JitEmitRip:
000ab 48 c7 85 38 01 000b3 48 c7 85 38 01
00 00 00 00 00 00 00 00 00 00
00 mov QWORD PTR tv78[rbp], 0 00 mov QWORD PTR tv79[rbp], 0
$LN4@JitEmitRip: $LN4@JitEmitRip:
000b6 48 8b 85 38 01 000be 48 8b 85 38 01
00 00 mov rax, QWORD PTR tv78[rbp] 00 00 mov rax, QWORD PTR tv79[rbp]
000bd 48 89 85 08 01 000c5 48 89 85 08 01
00 00 mov QWORD PTR $T4[rbp], rax 00 00 mov QWORD PTR $T4[rbp], rax
000c4 48 8b 85 08 01 000cc 48 8b 85 08 01
00 00 mov rax, QWORD PTR $T4[rbp] 00 00 mov rax, QWORD PTR $T4[rbp]
000cb 48 89 45 28 mov QWORD PTR Link$[rbp], rax 000d3 48 89 45 28 mov QWORD PTR Link$[rbp], rax
; 32 : *(PINT32)&Link->RawData[2] = RipDelta; ; 32 : *(PINT32)&Link->RawData[2] = RipDelta;
000cf b8 01 00 00 00 mov eax, 1 000d7 b8 01 00 00 00 mov eax, 1
000d4 48 6b c0 02 imul rax, rax, 2 000dc 48 6b c0 02 imul rax, rax, 2
000d8 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp] 000e0 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
000dc 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 000e4 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
000e0 8b 95 78 01 00 000e8 8b 95 78 01 00
00 mov edx, DWORD PTR RipDelta$[rbp] 00 mov edx, DWORD PTR RipDelta$[rbp]
000e6 89 14 08 mov DWORD PTR [rax+rcx], edx 000ee 89 14 08 mov DWORD PTR [rax+rcx], edx
; 33 : Link->RawData[6] = *Data; ; 33 : Link->RawData[6] = *Data;
000e9 b8 01 00 00 00 mov eax, 1 000f1 b8 01 00 00 00 mov eax, 1
000ee 48 6b c0 06 imul rax, rax, 6 000f6 48 6b c0 06 imul rax, rax, 6
000f2 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp] 000fa 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
000f6 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 000fe 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
000fa 48 8b 95 80 01 00102 48 8b 95 80 01
00 00 mov rdx, QWORD PTR Data$[rbp] 00 00 mov rdx, QWORD PTR Data$[rbp]
00101 0f b6 12 movzx edx, BYTE PTR [rdx] 00109 0f b6 12 movzx edx, BYTE PTR [rdx]
00104 88 14 08 mov BYTE PTR [rax+rcx], dl 0010c 88 14 08 mov BYTE PTR [rax+rcx], dl
; 34 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize); ; 34 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
00107 48 8b 45 28 mov rax, QWORD PTR Link$[rbp] 0010f 48 8b 45 28 mov rax, QWORD PTR Link$[rbp]
0010b 48 83 c0 30 add rax, 48 ; 00000030H 00113 48 83 c0 30 add rax, 48 ; 00000030H
0010f 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
00113 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
00117 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp] 00117 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
0011b 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] 0011b 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
0011f 48 8b c8 mov rcx, rax 0011f 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
00122 e8 00 00 00 00 call xed_decode 00123 48 8b 51 20 mov rdx, QWORD PTR [rcx+32]
00127 48 8b c8 mov rcx, rax
0012a e8 00 00 00 00 call xed_decode
; 35 : NcAppendToBlock(Block, Link); ; 35 : NcAppendToBlock(Block, Link);
00127 48 8b 55 28 mov rdx, QWORD PTR Link$[rbp] 0012f 48 8b 55 28 mov rdx, QWORD PTR Link$[rbp]
0012b 48 8b 8d 70 01 00133 48 8b 8d 70 01
00 00 mov rcx, QWORD PTR Block$[rbp] 00 00 mov rcx, QWORD PTR Block$[rbp]
00132 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock 0013a e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock
; 36 : return TRUE; ; 36 : return TRUE;
00137 b8 01 00 00 00 mov eax, 1 0013f b8 01 00 00 00 mov eax, 1
; 37 : } ; 37 : }
0013c 8b f8 mov edi, eax 00144 8b f8 mov edi, eax
0013e 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 00146 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
00142 48 8d 15 00 00 0014a 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcFrameData 00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcFrameData
00149 e8 00 00 00 00 call _RTC_CheckStackVars 00151 e8 00 00 00 00 call _RTC_CheckStackVars
0014e 8b c7 mov eax, edi 00156 8b c7 mov eax, edi
00150 48 8b 8d 40 01 00158 48 8b 8d 40 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
00157 48 33 cd xor rcx, rbp 0015f 48 33 cd xor rcx, rbp
0015a e8 00 00 00 00 call __security_check_cookie 00162 e8 00 00 00 00 call __security_check_cookie
0015f 48 8d a5 58 01 00167 48 8d a5 58 01
00 00 lea rsp, QWORD PTR [rbp+344] 00 00 lea rsp, QWORD PTR [rbp+344]
00166 5f pop rdi 0016e 5f pop rdi
00167 5d pop rbp 0016f 5d pop rbp
00168 c3 ret 0 00170 c3 ret 0
?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z ENDP ; JitEmitRipRelativeMovB ?JitEmitRipRelativeMovB@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z ENDP ; JitEmitRipRelativeMovB
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -747,7 +749,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
RipDelta$ = 376 RipDelta$ = 376
@ -758,7 +760,7 @@ Data$ = 384
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 28 01 00019 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -776,7 +778,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
RipDelta$ = 376 RipDelta$ = 376
@ -787,7 +789,7 @@ Data$ = 384
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 28 01 00019 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -806,7 +808,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -821,15 +823,15 @@ $LN6:
00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
0000e 55 push rbp 0000e 55 push rbp
0000f 57 push rdi 0000f 57 push rdi
00010 48 81 ec 88 01 00010 48 81 ec 98 01
00 00 sub rsp, 392 ; 00000188H 00 00 sub rsp, 408 ; 00000198H
00017 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] 00017 48 8d 6c 24 30 lea rbp, QWORD PTR [rsp+48]
0001c 48 8b fc mov rdi, rsp 0001c 48 8b fc mov rdi, rsp
0001f b9 62 00 00 00 mov ecx, 98 ; 00000062H 0001f b9 66 00 00 00 mov ecx, 102 ; 00000066H
00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH
00029 f3 ab rep stosd 00029 f3 ab rep stosd
0002b 48 8b 8c 24 a8 0002b 48 8b 8c 24 b8
01 00 00 mov rcx, QWORD PTR [rsp+424] 01 00 00 mov rcx, QWORD PTR [rsp+440]
00033 48 8b 05 00 00 00033 48 8b 05 00 00
00 00 mov rax, QWORD PTR __security_cookie 00 00 mov rax, QWORD PTR __security_cookie
0003a 48 33 c5 xor rax, rbp 0003a 48 33 c5 xor rax, rbp
@ -860,92 +862,94 @@ $LN6:
00 00 mov QWORD PTR $T5[rbp], rax 00 00 mov QWORD PTR $T5[rbp], rax
00085 48 83 bd 38 01 00085 48 83 bd 38 01
00 00 00 cmp QWORD PTR $T5[rbp], 0 00 00 00 cmp QWORD PTR $T5[rbp], 0
0008d 74 24 je SHORT $LN3@JitEmitRip 0008d 74 2c je SHORT $LN3@JitEmitRip
0008f 41 b9 09 00 00 0008f c7 44 24 20 00
00 00 00 mov DWORD PTR [rsp+32], 0
00097 41 b9 09 00 00
00 mov r9d, 9 00 mov r9d, 9
00095 4c 8d 45 08 lea r8, QWORD PTR RawData$[rbp] 0009d 4c 8d 45 08 lea r8, QWORD PTR RawData$[rbp]
00099 ba 0c 00 00 00 mov edx, 12 000a1 ba 0c 00 00 00 mov edx, 12
0009e 48 8b 8d 38 01 000a6 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
000a5 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 000ad e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
000aa 48 89 85 48 01 000b2 48 89 85 48 01
00 00 mov QWORD PTR tv78[rbp], rax 00 00 mov QWORD PTR tv79[rbp], rax
000b1 eb 0b jmp SHORT $LN4@JitEmitRip 000b9 eb 0b jmp SHORT $LN4@JitEmitRip
$LN3@JitEmitRip: $LN3@JitEmitRip:
000b3 48 c7 85 48 01 000bb 48 c7 85 48 01
00 00 00 00 00 00 00 00 00 00
00 mov QWORD PTR tv78[rbp], 0 00 mov QWORD PTR tv79[rbp], 0
$LN4@JitEmitRip: $LN4@JitEmitRip:
000be 48 8b 85 48 01 000c6 48 8b 85 48 01
00 00 mov rax, QWORD PTR tv78[rbp] 00 00 mov rax, QWORD PTR tv79[rbp]
000c5 48 89 85 18 01 000cd 48 89 85 18 01
00 00 mov QWORD PTR $T4[rbp], rax 00 00 mov QWORD PTR $T4[rbp], rax
000cc 48 8b 85 18 01 000d4 48 8b 85 18 01
00 00 mov rax, QWORD PTR $T4[rbp] 00 00 mov rax, QWORD PTR $T4[rbp]
000d3 48 89 45 38 mov QWORD PTR Link$[rbp], rax 000db 48 89 45 38 mov QWORD PTR Link$[rbp], rax
; 20 : *(PINT32)&Link->RawData[3] = RipDelta; ; 20 : *(PINT32)&Link->RawData[3] = RipDelta;
000d7 b8 01 00 00 00 mov eax, 1 000df b8 01 00 00 00 mov eax, 1
000dc 48 6b c0 03 imul rax, rax, 3 000e4 48 6b c0 03 imul rax, rax, 3
000e0 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 000e8 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
000e4 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 000ec 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
000e8 8b 95 88 01 00 000f0 8b 95 88 01 00
00 mov edx, DWORD PTR RipDelta$[rbp] 00 mov edx, DWORD PTR RipDelta$[rbp]
000ee 89 14 08 mov DWORD PTR [rax+rcx], edx 000f6 89 14 08 mov DWORD PTR [rax+rcx], edx
; 21 : RtlCopyMemory(&Link->RawData[7], Data, 2); ; 21 : RtlCopyMemory(&Link->RawData[7], Data, 2);
000f1 b8 01 00 00 00 mov eax, 1 000f9 b8 01 00 00 00 mov eax, 1
000f6 48 6b c0 07 imul rax, rax, 7 000fe 48 6b c0 07 imul rax, rax, 7
000fa 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 00102 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
000fe 48 03 41 20 add rax, QWORD PTR [rcx+32] 00106 48 03 41 20 add rax, QWORD PTR [rcx+32]
00102 41 b8 02 00 00 0010a 41 b8 02 00 00
00 mov r8d, 2 00 mov r8d, 2
00108 48 8b 95 90 01 00110 48 8b 95 90 01
00 00 mov rdx, QWORD PTR Data$[rbp] 00 00 mov rdx, QWORD PTR Data$[rbp]
0010f 48 8b c8 mov rcx, rax 00117 48 8b c8 mov rcx, rax
00112 e8 00 00 00 00 call memcpy 0011a e8 00 00 00 00 call memcpy
; 22 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize); ; 22 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
00117 48 8b 45 38 mov rax, QWORD PTR Link$[rbp] 0011f 48 8b 45 38 mov rax, QWORD PTR Link$[rbp]
0011b 48 83 c0 30 add rax, 48 ; 00000030H 00123 48 83 c0 30 add rax, 48 ; 00000030H
0011f 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00123 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
00127 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 00127 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
0012b 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] 0012b 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
0012f 48 8b c8 mov rcx, rax 0012f 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00132 e8 00 00 00 00 call xed_decode 00133 48 8b 51 20 mov rdx, QWORD PTR [rcx+32]
00137 48 8b c8 mov rcx, rax
0013a e8 00 00 00 00 call xed_decode
; 23 : NcAppendToBlock(Block, Link); ; 23 : NcAppendToBlock(Block, Link);
00137 48 8b 55 38 mov rdx, QWORD PTR Link$[rbp] 0013f 48 8b 55 38 mov rdx, QWORD PTR Link$[rbp]
0013b 48 8b 8d 80 01 00143 48 8b 8d 80 01
00 00 mov rcx, QWORD PTR Block$[rbp] 00 00 mov rcx, QWORD PTR Block$[rbp]
00142 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock 0014a e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock
; 24 : return TRUE; ; 24 : return TRUE;
00147 b8 01 00 00 00 mov eax, 1 0014f b8 01 00 00 00 mov eax, 1
; 25 : } ; 25 : }
0014c 8b f8 mov edi, eax 00154 8b f8 mov edi, eax
0014e 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 00156 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
00152 48 8d 15 00 00 0015a 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcFrameData 00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcFrameData
00159 e8 00 00 00 00 call _RTC_CheckStackVars 00161 e8 00 00 00 00 call _RTC_CheckStackVars
0015e 8b c7 mov eax, edi 00166 8b c7 mov eax, edi
00160 48 8b 8d 50 01 00168 48 8b 8d 50 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
00167 48 33 cd xor rcx, rbp 0016f 48 33 cd xor rcx, rbp
0016a e8 00 00 00 00 call __security_check_cookie 00172 e8 00 00 00 00 call __security_check_cookie
0016f 48 8d a5 68 01 00177 48 8d a5 68 01
00 00 lea rsp, QWORD PTR [rbp+360] 00 00 lea rsp, QWORD PTR [rbp+360]
00176 5f pop rdi 0017e 5f pop rdi
00177 5d pop rbp 0017f 5d pop rbp
00178 c3 ret 0 00180 c3 ret 0
?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z ENDP ; JitEmitRipRelativeMovW ?JitEmitRipRelativeMovW@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z ENDP ; JitEmitRipRelativeMovW
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -954,7 +958,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -965,7 +969,7 @@ Data$ = 400
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 38 01 00019 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -983,7 +987,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -994,7 +998,7 @@ Data$ = 400
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 38 01 00019 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -1013,7 +1017,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -1028,15 +1032,15 @@ $LN6:
00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
0000e 55 push rbp 0000e 55 push rbp
0000f 57 push rdi 0000f 57 push rdi
00010 48 81 ec 88 01 00010 48 81 ec 98 01
00 00 sub rsp, 392 ; 00000188H 00 00 sub rsp, 408 ; 00000198H
00017 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] 00017 48 8d 6c 24 30 lea rbp, QWORD PTR [rsp+48]
0001c 48 8b fc mov rdi, rsp 0001c 48 8b fc mov rdi, rsp
0001f b9 62 00 00 00 mov ecx, 98 ; 00000062H 0001f b9 66 00 00 00 mov ecx, 102 ; 00000066H
00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH
00029 f3 ab rep stosd 00029 f3 ab rep stosd
0002b 48 8b 8c 24 a8 0002b 48 8b 8c 24 b8
01 00 00 mov rcx, QWORD PTR [rsp+424] 01 00 00 mov rcx, QWORD PTR [rsp+440]
00033 48 8b 05 00 00 00033 48 8b 05 00 00
00 00 mov rax, QWORD PTR __security_cookie 00 00 mov rax, QWORD PTR __security_cookie
0003a 48 33 c5 xor rax, rbp 0003a 48 33 c5 xor rax, rbp
@ -1068,92 +1072,94 @@ $LN6:
00 00 mov QWORD PTR $T5[rbp], rax 00 00 mov QWORD PTR $T5[rbp], rax
00089 48 83 bd 38 01 00089 48 83 bd 38 01
00 00 00 cmp QWORD PTR $T5[rbp], 0 00 00 00 cmp QWORD PTR $T5[rbp], 0
00091 74 24 je SHORT $LN3@JitEmitRip 00091 74 2c je SHORT $LN3@JitEmitRip
00093 41 b9 0a 00 00 00093 c7 44 24 20 00
00 00 00 mov DWORD PTR [rsp+32], 0
0009b 41 b9 0a 00 00
00 mov r9d, 10 00 mov r9d, 10
00099 4c 8d 45 08 lea r8, QWORD PTR RawData$[rbp] 000a1 4c 8d 45 08 lea r8, QWORD PTR RawData$[rbp]
0009d ba 0c 00 00 00 mov edx, 12 000a5 ba 0c 00 00 00 mov edx, 12
000a2 48 8b 8d 38 01 000aa 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
000a9 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 000b1 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
000ae 48 89 85 48 01 000b6 48 89 85 48 01
00 00 mov QWORD PTR tv78[rbp], rax 00 00 mov QWORD PTR tv79[rbp], rax
000b5 eb 0b jmp SHORT $LN4@JitEmitRip 000bd eb 0b jmp SHORT $LN4@JitEmitRip
$LN3@JitEmitRip: $LN3@JitEmitRip:
000b7 48 c7 85 48 01 000bf 48 c7 85 48 01
00 00 00 00 00 00 00 00 00 00
00 mov QWORD PTR tv78[rbp], 0 00 mov QWORD PTR tv79[rbp], 0
$LN4@JitEmitRip: $LN4@JitEmitRip:
000c2 48 8b 85 48 01 000ca 48 8b 85 48 01
00 00 mov rax, QWORD PTR tv78[rbp] 00 00 mov rax, QWORD PTR tv79[rbp]
000c9 48 89 85 18 01 000d1 48 89 85 18 01
00 00 mov QWORD PTR $T4[rbp], rax 00 00 mov QWORD PTR $T4[rbp], rax
000d0 48 8b 85 18 01 000d8 48 8b 85 18 01
00 00 mov rax, QWORD PTR $T4[rbp] 00 00 mov rax, QWORD PTR $T4[rbp]
000d7 48 89 45 38 mov QWORD PTR Link$[rbp], rax 000df 48 89 45 38 mov QWORD PTR Link$[rbp], rax
; 8 : *(PINT32)&Link->RawData[2] = RipDelta; ; 8 : *(PINT32)&Link->RawData[2] = RipDelta;
000db b8 01 00 00 00 mov eax, 1 000e3 b8 01 00 00 00 mov eax, 1
000e0 48 6b c0 02 imul rax, rax, 2 000e8 48 6b c0 02 imul rax, rax, 2
000e4 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 000ec 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
000e8 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 000f0 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
000ec 8b 95 88 01 00 000f4 8b 95 88 01 00
00 mov edx, DWORD PTR RipDelta$[rbp] 00 mov edx, DWORD PTR RipDelta$[rbp]
000f2 89 14 08 mov DWORD PTR [rax+rcx], edx 000fa 89 14 08 mov DWORD PTR [rax+rcx], edx
; 9 : RtlCopyMemory(&Link->RawData[6], Data, 4); ; 9 : RtlCopyMemory(&Link->RawData[6], Data, 4);
000f5 b8 01 00 00 00 mov eax, 1 000fd b8 01 00 00 00 mov eax, 1
000fa 48 6b c0 06 imul rax, rax, 6 00102 48 6b c0 06 imul rax, rax, 6
000fe 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 00106 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00102 48 03 41 20 add rax, QWORD PTR [rcx+32] 0010a 48 03 41 20 add rax, QWORD PTR [rcx+32]
00106 41 b8 04 00 00 0010e 41 b8 04 00 00
00 mov r8d, 4 00 mov r8d, 4
0010c 48 8b 95 90 01 00114 48 8b 95 90 01
00 00 mov rdx, QWORD PTR Data$[rbp] 00 00 mov rdx, QWORD PTR Data$[rbp]
00113 48 8b c8 mov rcx, rax 0011b 48 8b c8 mov rcx, rax
00116 e8 00 00 00 00 call memcpy 0011e e8 00 00 00 00 call memcpy
; 10 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize); ; 10 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
0011b 48 8b 45 38 mov rax, QWORD PTR Link$[rbp] 00123 48 8b 45 38 mov rax, QWORD PTR Link$[rbp]
0011f 48 83 c0 30 add rax, 48 ; 00000030H 00127 48 83 c0 30 add rax, 48 ; 00000030H
00123 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00127 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
0012b 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 0012b 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
0012f 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] 0012f 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
00133 48 8b c8 mov rcx, rax 00133 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00136 e8 00 00 00 00 call xed_decode 00137 48 8b 51 20 mov rdx, QWORD PTR [rcx+32]
0013b 48 8b c8 mov rcx, rax
0013e e8 00 00 00 00 call xed_decode
; 11 : NcAppendToBlock(Block, Link); ; 11 : NcAppendToBlock(Block, Link);
0013b 48 8b 55 38 mov rdx, QWORD PTR Link$[rbp] 00143 48 8b 55 38 mov rdx, QWORD PTR Link$[rbp]
0013f 48 8b 8d 80 01 00147 48 8b 8d 80 01
00 00 mov rcx, QWORD PTR Block$[rbp] 00 00 mov rcx, QWORD PTR Block$[rbp]
00146 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock 0014e e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock
; 12 : return TRUE; ; 12 : return TRUE;
0014b b8 01 00 00 00 mov eax, 1 00153 b8 01 00 00 00 mov eax, 1
; 13 : } ; 13 : }
00150 8b f8 mov edi, eax 00158 8b f8 mov edi, eax
00152 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 0015a 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
00156 48 8d 15 00 00 0015e 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcFrameData 00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z$rtcFrameData
0015d e8 00 00 00 00 call _RTC_CheckStackVars 00165 e8 00 00 00 00 call _RTC_CheckStackVars
00162 8b c7 mov eax, edi 0016a 8b c7 mov eax, edi
00164 48 8b 8d 50 01 0016c 48 8b 8d 50 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
0016b 48 33 cd xor rcx, rbp 00173 48 33 cd xor rcx, rbp
0016e e8 00 00 00 00 call __security_check_cookie 00176 e8 00 00 00 00 call __security_check_cookie
00173 48 8d a5 68 01 0017b 48 8d a5 68 01
00 00 lea rsp, QWORD PTR [rbp+360] 00 00 lea rsp, QWORD PTR [rbp+360]
0017a 5f pop rdi 00182 5f pop rdi
0017b 5d pop rbp 00183 5d pop rbp
0017c c3 ret 0 00184 c3 ret 0
?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z ENDP ; JitEmitRipRelativeMovD ?JitEmitRipRelativeMovD@@YAHPEAU_NATIVE_CODE_BLOCK@@HPEAE@Z ENDP ; JitEmitRipRelativeMovD
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -1162,7 +1168,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -1173,7 +1179,7 @@ Data$ = 400
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 38 01 00019 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -1191,7 +1197,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -1202,7 +1208,7 @@ Data$ = 400
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 38 01 00019 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]

@ -116,7 +116,7 @@ EXTRN __imp_?_Getmonths@_Locinfo@std@@QEBAPEBDXZ:PROC
EXTRN __imp_?_W_Getdays@_Locinfo@std@@QEBAPEBGXZ:PROC EXTRN __imp_?_W_Getdays@_Locinfo@std@@QEBAPEBGXZ:PROC
EXTRN __imp_?_W_Getmonths@_Locinfo@std@@QEBAPEBGXZ:PROC EXTRN __imp_?_W_Getmonths@_Locinfo@std@@QEBAPEBGXZ:PROC
EXTRN xed_decode:PROC EXTRN xed_decode:PROC
EXTRN ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z:PROC ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK EXTRN ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z:PROC ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
EXTRN ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z:PROC ; NcAppendToBlock EXTRN ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z:PROC ; NcAppendToBlock
EXTRN _RTC_CheckStackVars:PROC EXTRN _RTC_CheckStackVars:PROC
EXTRN _RTC_InitBase:PROC EXTRN _RTC_InitBase:PROC
@ -190,7 +190,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6 $pdata$?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6
DD imagerel $LN6+369 DD imagerel $LN6+377
DD imagerel $unwind$?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $unwind$?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -202,7 +202,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6 $pdata$?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6
DD imagerel $LN6+367 DD imagerel $LN6+375
DD imagerel $unwind$?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $unwind$?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -214,7 +214,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6 $pdata$?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6
DD imagerel $LN6+358 DD imagerel $LN6+366
DD imagerel $unwind$?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $unwind$?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -270,7 +270,7 @@ $ip2state$?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 06H
DB 00H DB 00H
DB 0faH DB 0faH
DB 02H DB 02H
DB 08eH DB 09eH
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -287,13 +287,13 @@ $cppxdata$?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 028H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
xdata SEGMENT xdata SEGMENT
$unwind$?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 025054419H $unwind$?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 035054419H
DD 0117231cH DD 0117331cH
DD 07010002fH DD 070100031H
DD 0500fH DD 0500fH
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $cppxdata$?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
DD 0162H DD 0172H
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -306,7 +306,7 @@ CONST SEGMENT
DB 061H DB 061H
DB 00H DB 00H
ORG $+8 ORG $+8
?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 024H ; JitEmitRipRelativeOrB ?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 034H ; JitEmitRipRelativeOrB
DD 07H DD 07H
DQ FLAT:?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0 DQ FLAT:?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0
ORG $+48 ORG $+48
@ -327,7 +327,7 @@ $ip2state$?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 06H
DB 00H DB 00H
DB 015H, 02H DB 015H, 02H
DB 02H DB 02H
DB 08eH DB 09eH
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -344,13 +344,13 @@ $cppxdata$?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 028H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
xdata SEGMENT xdata SEGMENT
$unwind$?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 025054419H $unwind$?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 035054419H
DD 0117231cH DD 0117331cH
DD 070100031H DD 070100033H
DD 0500fH DD 0500fH
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $cppxdata$?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
DD 0172H DD 0182H
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -363,7 +363,7 @@ CONST SEGMENT
DB 061H DB 061H
DB 00H DB 00H
ORG $+8 ORG $+8
?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 028H ; JitEmitRipRelativeOrW ?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 038H ; JitEmitRipRelativeOrW
DD 09H DD 09H
DQ FLAT:?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0 DQ FLAT:?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0
ORG $+48 ORG $+48
@ -384,7 +384,7 @@ $ip2state$?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 06H
DB 00H DB 00H
DB '%', 02H DB '%', 02H
DB 02H DB 02H
DB 08eH DB 09eH
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -401,13 +401,13 @@ $cppxdata$?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 028H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
xdata SEGMENT xdata SEGMENT
$unwind$?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 025054419H $unwind$?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 035054419H
DD 0117231cH DD 0117331cH
DD 070100031H DD 070100033H
DD 0500fH DD 0500fH
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $cppxdata$?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
DD 0172H DD 0182H
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -420,7 +420,7 @@ CONST SEGMENT
DB 061H DB 061H
DB 00H DB 00H
ORG $+8 ORG $+8
?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 028H ; JitEmitRipRelativeOrD ?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 038H ; JitEmitRipRelativeOrD
DD 0aH DD 0aH
DQ FLAT:?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0 DQ FLAT:?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0
ORG $+48 ORG $+48
@ -603,7 +603,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
RipDelta$ = 376 RipDelta$ = 376
@ -618,15 +618,15 @@ $LN6:
00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
0000e 55 push rbp 0000e 55 push rbp
0000f 57 push rdi 0000f 57 push rdi
00010 48 81 ec 78 01 00010 48 81 ec 88 01
00 00 sub rsp, 376 ; 00000178H 00 00 sub rsp, 392 ; 00000188H
00017 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] 00017 48 8d 6c 24 30 lea rbp, QWORD PTR [rsp+48]
0001c 48 8b fc mov rdi, rsp 0001c 48 8b fc mov rdi, rsp
0001f b9 5e 00 00 00 mov ecx, 94 ; 0000005eH 0001f b9 62 00 00 00 mov ecx, 98 ; 00000062H
00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH
00029 f3 ab rep stosd 00029 f3 ab rep stosd
0002b 48 8b 8c 24 98 0002b 48 8b 8c 24 a8
01 00 00 mov rcx, QWORD PTR [rsp+408] 01 00 00 mov rcx, QWORD PTR [rsp+424]
00033 48 8b 05 00 00 00033 48 8b 05 00 00
00 00 mov rax, QWORD PTR __security_cookie 00 00 mov rax, QWORD PTR __security_cookie
0003a 48 33 c5 xor rax, rbp 0003a 48 33 c5 xor rax, rbp
@ -655,89 +655,91 @@ $LN6:
00 00 mov QWORD PTR $T5[rbp], rax 00 00 mov QWORD PTR $T5[rbp], rax
0007d 48 83 bd 28 01 0007d 48 83 bd 28 01
00 00 00 cmp QWORD PTR $T5[rbp], 0 00 00 00 cmp QWORD PTR $T5[rbp], 0
00085 74 24 je SHORT $LN3@JitEmitRip 00085 74 2c je SHORT $LN3@JitEmitRip
00087 41 b9 07 00 00 00087 c7 44 24 20 00
00 00 00 mov DWORD PTR [rsp+32], 0
0008f 41 b9 07 00 00
00 mov r9d, 7 00 mov r9d, 7
0008d 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp] 00095 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp]
00091 ba 0c 00 00 00 mov edx, 12 00099 ba 0c 00 00 00 mov edx, 12
00096 48 8b 8d 28 01 0009e 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
0009d e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 000a5 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
000a2 48 89 85 38 01 000aa 48 89 85 38 01
00 00 mov QWORD PTR tv78[rbp], rax 00 00 mov QWORD PTR tv79[rbp], rax
000a9 eb 0b jmp SHORT $LN4@JitEmitRip 000b1 eb 0b jmp SHORT $LN4@JitEmitRip
$LN3@JitEmitRip: $LN3@JitEmitRip:
000ab 48 c7 85 38 01 000b3 48 c7 85 38 01
00 00 00 00 00 00 00 00 00 00
00 mov QWORD PTR tv78[rbp], 0 00 mov QWORD PTR tv79[rbp], 0
$LN4@JitEmitRip: $LN4@JitEmitRip:
000b6 48 8b 85 38 01 000be 48 8b 85 38 01
00 00 mov rax, QWORD PTR tv78[rbp] 00 00 mov rax, QWORD PTR tv79[rbp]
000bd 48 89 85 08 01 000c5 48 89 85 08 01
00 00 mov QWORD PTR $T4[rbp], rax 00 00 mov QWORD PTR $T4[rbp], rax
000c4 48 8b 85 08 01 000cc 48 8b 85 08 01
00 00 mov rax, QWORD PTR $T4[rbp] 00 00 mov rax, QWORD PTR $T4[rbp]
000cb 48 89 45 28 mov QWORD PTR Link$[rbp], rax 000d3 48 89 45 28 mov QWORD PTR Link$[rbp], rax
; 32 : *(PINT32)&Link->RawData[2] = RipDelta; ; 32 : *(PINT32)&Link->RawData[2] = RipDelta;
000cf b8 01 00 00 00 mov eax, 1 000d7 b8 01 00 00 00 mov eax, 1
000d4 48 6b c0 02 imul rax, rax, 2 000dc 48 6b c0 02 imul rax, rax, 2
000d8 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp] 000e0 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
000dc 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 000e4 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
000e0 8b 95 78 01 00 000e8 8b 95 78 01 00
00 mov edx, DWORD PTR RipDelta$[rbp] 00 mov edx, DWORD PTR RipDelta$[rbp]
000e6 89 14 08 mov DWORD PTR [rax+rcx], edx 000ee 89 14 08 mov DWORD PTR [rax+rcx], edx
; 33 : *(PUCHAR)&Link->RawData[6] = (UCHAR)Value; ; 33 : *(PUCHAR)&Link->RawData[6] = (UCHAR)Value;
000e9 b8 01 00 00 00 mov eax, 1 000f1 b8 01 00 00 00 mov eax, 1
000ee 48 6b c0 06 imul rax, rax, 6 000f6 48 6b c0 06 imul rax, rax, 6
000f2 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp] 000fa 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
000f6 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 000fe 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
000fa 0f b6 95 80 01 00102 0f b6 95 80 01
00 00 movzx edx, BYTE PTR Value$[rbp] 00 00 movzx edx, BYTE PTR Value$[rbp]
00101 88 14 08 mov BYTE PTR [rax+rcx], dl 00109 88 14 08 mov BYTE PTR [rax+rcx], dl
; 34 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize); ; 34 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
00104 48 8b 45 28 mov rax, QWORD PTR Link$[rbp] 0010c 48 8b 45 28 mov rax, QWORD PTR Link$[rbp]
00108 48 83 c0 30 add rax, 48 ; 00000030H 00110 48 83 c0 30 add rax, 48 ; 00000030H
0010c 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
00110 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
00114 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp] 00114 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
00118 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] 00118 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
0011c 48 8b c8 mov rcx, rax 0011c 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
0011f e8 00 00 00 00 call xed_decode 00120 48 8b 51 20 mov rdx, QWORD PTR [rcx+32]
00124 48 8b c8 mov rcx, rax
00127 e8 00 00 00 00 call xed_decode
; 35 : NcAppendToBlock(Block, Link); ; 35 : NcAppendToBlock(Block, Link);
00124 48 8b 55 28 mov rdx, QWORD PTR Link$[rbp] 0012c 48 8b 55 28 mov rdx, QWORD PTR Link$[rbp]
00128 48 8b 8d 70 01 00130 48 8b 8d 70 01
00 00 mov rcx, QWORD PTR Block$[rbp] 00 00 mov rcx, QWORD PTR Block$[rbp]
0012f e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock 00137 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock
; 36 : return TRUE; ; 36 : return TRUE;
00134 b8 01 00 00 00 mov eax, 1 0013c b8 01 00 00 00 mov eax, 1
; 37 : } ; 37 : }
00139 8b f8 mov edi, eax 00141 8b f8 mov edi, eax
0013b 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 00143 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
0013f 48 8d 15 00 00 00147 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData 00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData
00146 e8 00 00 00 00 call _RTC_CheckStackVars 0014e e8 00 00 00 00 call _RTC_CheckStackVars
0014b 8b c7 mov eax, edi 00153 8b c7 mov eax, edi
0014d 48 8b 8d 40 01 00155 48 8b 8d 40 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
00154 48 33 cd xor rcx, rbp 0015c 48 33 cd xor rcx, rbp
00157 e8 00 00 00 00 call __security_check_cookie 0015f e8 00 00 00 00 call __security_check_cookie
0015c 48 8d a5 58 01 00164 48 8d a5 58 01
00 00 lea rsp, QWORD PTR [rbp+344] 00 00 lea rsp, QWORD PTR [rbp+344]
00163 5f pop rdi 0016b 5f pop rdi
00164 5d pop rbp 0016c 5d pop rbp
00165 c3 ret 0 0016d c3 ret 0
?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeOrB ?JitEmitRipRelativeOrB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeOrB
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -746,7 +748,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
RipDelta$ = 376 RipDelta$ = 376
@ -757,7 +759,7 @@ Value$ = 384
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 28 01 00019 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -775,7 +777,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
RipDelta$ = 376 RipDelta$ = 376
@ -786,7 +788,7 @@ Value$ = 384
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 28 01 00019 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -805,7 +807,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -820,15 +822,15 @@ $LN6:
00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
0000e 55 push rbp 0000e 55 push rbp
0000f 57 push rdi 0000f 57 push rdi
00010 48 81 ec 88 01 00010 48 81 ec 98 01
00 00 sub rsp, 392 ; 00000188H 00 00 sub rsp, 408 ; 00000198H
00017 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] 00017 48 8d 6c 24 30 lea rbp, QWORD PTR [rsp+48]
0001c 48 8b fc mov rdi, rsp 0001c 48 8b fc mov rdi, rsp
0001f b9 62 00 00 00 mov ecx, 98 ; 00000062H 0001f b9 66 00 00 00 mov ecx, 102 ; 00000066H
00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH
00029 f3 ab rep stosd 00029 f3 ab rep stosd
0002b 48 8b 8c 24 a8 0002b 48 8b 8c 24 b8
01 00 00 mov rcx, QWORD PTR [rsp+424] 01 00 00 mov rcx, QWORD PTR [rsp+440]
00033 48 8b 05 00 00 00033 48 8b 05 00 00
00 00 mov rax, QWORD PTR __security_cookie 00 00 mov rax, QWORD PTR __security_cookie
0003a 48 33 c5 xor rax, rbp 0003a 48 33 c5 xor rax, rbp
@ -859,89 +861,91 @@ $LN6:
00 00 mov QWORD PTR $T5[rbp], rax 00 00 mov QWORD PTR $T5[rbp], rax
00085 48 83 bd 38 01 00085 48 83 bd 38 01
00 00 00 cmp QWORD PTR $T5[rbp], 0 00 00 00 cmp QWORD PTR $T5[rbp], 0
0008d 74 24 je SHORT $LN3@JitEmitRip 0008d 74 2c je SHORT $LN3@JitEmitRip
0008f 41 b9 09 00 00 0008f c7 44 24 20 00
00 00 00 mov DWORD PTR [rsp+32], 0
00097 41 b9 09 00 00
00 mov r9d, 9 00 mov r9d, 9
00095 4c 8d 45 08 lea r8, QWORD PTR RawData$[rbp] 0009d 4c 8d 45 08 lea r8, QWORD PTR RawData$[rbp]
00099 ba 0c 00 00 00 mov edx, 12 000a1 ba 0c 00 00 00 mov edx, 12
0009e 48 8b 8d 38 01 000a6 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
000a5 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 000ad e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
000aa 48 89 85 48 01 000b2 48 89 85 48 01
00 00 mov QWORD PTR tv78[rbp], rax 00 00 mov QWORD PTR tv79[rbp], rax
000b1 eb 0b jmp SHORT $LN4@JitEmitRip 000b9 eb 0b jmp SHORT $LN4@JitEmitRip
$LN3@JitEmitRip: $LN3@JitEmitRip:
000b3 48 c7 85 48 01 000bb 48 c7 85 48 01
00 00 00 00 00 00 00 00 00 00
00 mov QWORD PTR tv78[rbp], 0 00 mov QWORD PTR tv79[rbp], 0
$LN4@JitEmitRip: $LN4@JitEmitRip:
000be 48 8b 85 48 01 000c6 48 8b 85 48 01
00 00 mov rax, QWORD PTR tv78[rbp] 00 00 mov rax, QWORD PTR tv79[rbp]
000c5 48 89 85 18 01 000cd 48 89 85 18 01
00 00 mov QWORD PTR $T4[rbp], rax 00 00 mov QWORD PTR $T4[rbp], rax
000cc 48 8b 85 18 01 000d4 48 8b 85 18 01
00 00 mov rax, QWORD PTR $T4[rbp] 00 00 mov rax, QWORD PTR $T4[rbp]
000d3 48 89 45 38 mov QWORD PTR Link$[rbp], rax 000db 48 89 45 38 mov QWORD PTR Link$[rbp], rax
; 20 : *(PINT32)&Link->RawData[3] = RipDelta; ; 20 : *(PINT32)&Link->RawData[3] = RipDelta;
000d7 b8 01 00 00 00 mov eax, 1 000df b8 01 00 00 00 mov eax, 1
000dc 48 6b c0 03 imul rax, rax, 3 000e4 48 6b c0 03 imul rax, rax, 3
000e0 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 000e8 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
000e4 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 000ec 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
000e8 8b 95 88 01 00 000f0 8b 95 88 01 00
00 mov edx, DWORD PTR RipDelta$[rbp] 00 mov edx, DWORD PTR RipDelta$[rbp]
000ee 89 14 08 mov DWORD PTR [rax+rcx], edx 000f6 89 14 08 mov DWORD PTR [rax+rcx], edx
; 21 : *(PUSHORT)&Link->RawData[7] = (USHORT)Value; ; 21 : *(PUSHORT)&Link->RawData[7] = (USHORT)Value;
000f1 b8 01 00 00 00 mov eax, 1 000f9 b8 01 00 00 00 mov eax, 1
000f6 48 6b c0 07 imul rax, rax, 7 000fe 48 6b c0 07 imul rax, rax, 7
000fa 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 00102 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
000fe 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 00106 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
00102 0f b7 95 90 01 0010a 0f b7 95 90 01
00 00 movzx edx, WORD PTR Value$[rbp] 00 00 movzx edx, WORD PTR Value$[rbp]
00109 66 89 14 08 mov WORD PTR [rax+rcx], dx 00111 66 89 14 08 mov WORD PTR [rax+rcx], dx
; 22 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize); ; 22 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
0010d 48 8b 45 38 mov rax, QWORD PTR Link$[rbp] 00115 48 8b 45 38 mov rax, QWORD PTR Link$[rbp]
00111 48 83 c0 30 add rax, 48 ; 00000030H 00119 48 83 c0 30 add rax, 48 ; 00000030H
00115 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00119 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
0011d 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 0011d 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00121 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] 00121 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
00125 48 8b c8 mov rcx, rax 00125 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00128 e8 00 00 00 00 call xed_decode 00129 48 8b 51 20 mov rdx, QWORD PTR [rcx+32]
0012d 48 8b c8 mov rcx, rax
00130 e8 00 00 00 00 call xed_decode
; 23 : NcAppendToBlock(Block, Link); ; 23 : NcAppendToBlock(Block, Link);
0012d 48 8b 55 38 mov rdx, QWORD PTR Link$[rbp] 00135 48 8b 55 38 mov rdx, QWORD PTR Link$[rbp]
00131 48 8b 8d 80 01 00139 48 8b 8d 80 01
00 00 mov rcx, QWORD PTR Block$[rbp] 00 00 mov rcx, QWORD PTR Block$[rbp]
00138 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock 00140 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock
; 24 : return TRUE; ; 24 : return TRUE;
0013d b8 01 00 00 00 mov eax, 1 00145 b8 01 00 00 00 mov eax, 1
; 25 : } ; 25 : }
00142 8b f8 mov edi, eax 0014a 8b f8 mov edi, eax
00144 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 0014c 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
00148 48 8d 15 00 00 00150 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData 00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData
0014f e8 00 00 00 00 call _RTC_CheckStackVars 00157 e8 00 00 00 00 call _RTC_CheckStackVars
00154 8b c7 mov eax, edi 0015c 8b c7 mov eax, edi
00156 48 8b 8d 50 01 0015e 48 8b 8d 50 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
0015d 48 33 cd xor rcx, rbp 00165 48 33 cd xor rcx, rbp
00160 e8 00 00 00 00 call __security_check_cookie 00168 e8 00 00 00 00 call __security_check_cookie
00165 48 8d a5 68 01 0016d 48 8d a5 68 01
00 00 lea rsp, QWORD PTR [rbp+360] 00 00 lea rsp, QWORD PTR [rbp+360]
0016c 5f pop rdi 00174 5f pop rdi
0016d 5d pop rbp 00175 5d pop rbp
0016e c3 ret 0 00176 c3 ret 0
?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeOrW ?JitEmitRipRelativeOrW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeOrW
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -950,7 +954,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -961,7 +965,7 @@ Value$ = 400
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 38 01 00019 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -979,7 +983,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -990,7 +994,7 @@ Value$ = 400
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 38 01 00019 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -1009,7 +1013,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -1024,15 +1028,15 @@ $LN6:
00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
0000e 55 push rbp 0000e 55 push rbp
0000f 57 push rdi 0000f 57 push rdi
00010 48 81 ec 88 01 00010 48 81 ec 98 01
00 00 sub rsp, 392 ; 00000188H 00 00 sub rsp, 408 ; 00000198H
00017 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] 00017 48 8d 6c 24 30 lea rbp, QWORD PTR [rsp+48]
0001c 48 8b fc mov rdi, rsp 0001c 48 8b fc mov rdi, rsp
0001f b9 62 00 00 00 mov ecx, 98 ; 00000062H 0001f b9 66 00 00 00 mov ecx, 102 ; 00000066H
00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH
00029 f3 ab rep stosd 00029 f3 ab rep stosd
0002b 48 8b 8c 24 a8 0002b 48 8b 8c 24 b8
01 00 00 mov rcx, QWORD PTR [rsp+424] 01 00 00 mov rcx, QWORD PTR [rsp+440]
00033 48 8b 05 00 00 00033 48 8b 05 00 00
00 00 mov rax, QWORD PTR __security_cookie 00 00 mov rax, QWORD PTR __security_cookie
0003a 48 33 c5 xor rax, rbp 0003a 48 33 c5 xor rax, rbp
@ -1064,89 +1068,91 @@ $LN6:
00 00 mov QWORD PTR $T5[rbp], rax 00 00 mov QWORD PTR $T5[rbp], rax
00089 48 83 bd 38 01 00089 48 83 bd 38 01
00 00 00 cmp QWORD PTR $T5[rbp], 0 00 00 00 cmp QWORD PTR $T5[rbp], 0
00091 74 24 je SHORT $LN3@JitEmitRip 00091 74 2c je SHORT $LN3@JitEmitRip
00093 41 b9 0a 00 00 00093 c7 44 24 20 00
00 00 00 mov DWORD PTR [rsp+32], 0
0009b 41 b9 0a 00 00
00 mov r9d, 10 00 mov r9d, 10
00099 4c 8d 45 08 lea r8, QWORD PTR RawData$[rbp] 000a1 4c 8d 45 08 lea r8, QWORD PTR RawData$[rbp]
0009d ba 0c 00 00 00 mov edx, 12 000a5 ba 0c 00 00 00 mov edx, 12
000a2 48 8b 8d 38 01 000aa 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
000a9 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 000b1 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
000ae 48 89 85 48 01 000b6 48 89 85 48 01
00 00 mov QWORD PTR tv78[rbp], rax 00 00 mov QWORD PTR tv79[rbp], rax
000b5 eb 0b jmp SHORT $LN4@JitEmitRip 000bd eb 0b jmp SHORT $LN4@JitEmitRip
$LN3@JitEmitRip: $LN3@JitEmitRip:
000b7 48 c7 85 48 01 000bf 48 c7 85 48 01
00 00 00 00 00 00 00 00 00 00
00 mov QWORD PTR tv78[rbp], 0 00 mov QWORD PTR tv79[rbp], 0
$LN4@JitEmitRip: $LN4@JitEmitRip:
000c2 48 8b 85 48 01 000ca 48 8b 85 48 01
00 00 mov rax, QWORD PTR tv78[rbp] 00 00 mov rax, QWORD PTR tv79[rbp]
000c9 48 89 85 18 01 000d1 48 89 85 18 01
00 00 mov QWORD PTR $T4[rbp], rax 00 00 mov QWORD PTR $T4[rbp], rax
000d0 48 8b 85 18 01 000d8 48 8b 85 18 01
00 00 mov rax, QWORD PTR $T4[rbp] 00 00 mov rax, QWORD PTR $T4[rbp]
000d7 48 89 45 38 mov QWORD PTR Link$[rbp], rax 000df 48 89 45 38 mov QWORD PTR Link$[rbp], rax
; 8 : *(PINT32)&Link->RawData[2] = RipDelta; ; 8 : *(PINT32)&Link->RawData[2] = RipDelta;
000db b8 01 00 00 00 mov eax, 1 000e3 b8 01 00 00 00 mov eax, 1
000e0 48 6b c0 02 imul rax, rax, 2 000e8 48 6b c0 02 imul rax, rax, 2
000e4 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 000ec 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
000e8 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 000f0 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
000ec 8b 95 88 01 00 000f4 8b 95 88 01 00
00 mov edx, DWORD PTR RipDelta$[rbp] 00 mov edx, DWORD PTR RipDelta$[rbp]
000f2 89 14 08 mov DWORD PTR [rax+rcx], edx 000fa 89 14 08 mov DWORD PTR [rax+rcx], edx
; 9 : *(PULONG)&Link->RawData[6] = Value; ; 9 : *(PULONG)&Link->RawData[6] = Value;
000f5 b8 01 00 00 00 mov eax, 1 000fd b8 01 00 00 00 mov eax, 1
000fa 48 6b c0 06 imul rax, rax, 6 00102 48 6b c0 06 imul rax, rax, 6
000fe 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 00106 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00102 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 0010a 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
00106 8b 95 90 01 00 0010e 8b 95 90 01 00
00 mov edx, DWORD PTR Value$[rbp] 00 mov edx, DWORD PTR Value$[rbp]
0010c 89 14 08 mov DWORD PTR [rax+rcx], edx 00114 89 14 08 mov DWORD PTR [rax+rcx], edx
; 10 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize); ; 10 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
0010f 48 8b 45 38 mov rax, QWORD PTR Link$[rbp] 00117 48 8b 45 38 mov rax, QWORD PTR Link$[rbp]
00113 48 83 c0 30 add rax, 48 ; 00000030H 0011b 48 83 c0 30 add rax, 48 ; 00000030H
00117 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
0011b 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
0011f 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 0011f 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00123 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] 00123 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
00127 48 8b c8 mov rcx, rax 00127 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
0012a e8 00 00 00 00 call xed_decode 0012b 48 8b 51 20 mov rdx, QWORD PTR [rcx+32]
0012f 48 8b c8 mov rcx, rax
00132 e8 00 00 00 00 call xed_decode
; 11 : NcAppendToBlock(Block, Link); ; 11 : NcAppendToBlock(Block, Link);
0012f 48 8b 55 38 mov rdx, QWORD PTR Link$[rbp] 00137 48 8b 55 38 mov rdx, QWORD PTR Link$[rbp]
00133 48 8b 8d 80 01 0013b 48 8b 8d 80 01
00 00 mov rcx, QWORD PTR Block$[rbp] 00 00 mov rcx, QWORD PTR Block$[rbp]
0013a e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock 00142 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock
; 12 : return TRUE; ; 12 : return TRUE;
0013f b8 01 00 00 00 mov eax, 1 00147 b8 01 00 00 00 mov eax, 1
; 13 : } ; 13 : }
00144 8b f8 mov edi, eax 0014c 8b f8 mov edi, eax
00146 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 0014e 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
0014a 48 8d 15 00 00 00152 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData 00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData
00151 e8 00 00 00 00 call _RTC_CheckStackVars 00159 e8 00 00 00 00 call _RTC_CheckStackVars
00156 8b c7 mov eax, edi 0015e 8b c7 mov eax, edi
00158 48 8b 8d 50 01 00160 48 8b 8d 50 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
0015f 48 33 cd xor rcx, rbp 00167 48 33 cd xor rcx, rbp
00162 e8 00 00 00 00 call __security_check_cookie 0016a e8 00 00 00 00 call __security_check_cookie
00167 48 8d a5 68 01 0016f 48 8d a5 68 01
00 00 lea rsp, QWORD PTR [rbp+360] 00 00 lea rsp, QWORD PTR [rbp+360]
0016e 5f pop rdi 00176 5f pop rdi
0016f 5d pop rbp 00177 5d pop rbp
00170 c3 ret 0 00178 c3 ret 0
?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeOrD ?JitEmitRipRelativeOrD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeOrD
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -1155,7 +1161,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -1166,7 +1172,7 @@ Value$ = 400
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 38 01 00019 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -1184,7 +1190,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -1195,7 +1201,7 @@ Value$ = 400
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 38 01 00019 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]

@ -116,7 +116,7 @@ EXTRN __imp_?_Getmonths@_Locinfo@std@@QEBAPEBDXZ:PROC
EXTRN __imp_?_W_Getdays@_Locinfo@std@@QEBAPEBGXZ:PROC EXTRN __imp_?_W_Getdays@_Locinfo@std@@QEBAPEBGXZ:PROC
EXTRN __imp_?_W_Getmonths@_Locinfo@std@@QEBAPEBGXZ:PROC EXTRN __imp_?_W_Getmonths@_Locinfo@std@@QEBAPEBGXZ:PROC
EXTRN xed_decode:PROC EXTRN xed_decode:PROC
EXTRN ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z:PROC ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK EXTRN ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z:PROC ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
EXTRN ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z:PROC ; NcAppendToBlock EXTRN ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z:PROC ; NcAppendToBlock
EXTRN _RTC_CheckStackVars:PROC EXTRN _RTC_CheckStackVars:PROC
EXTRN _RTC_InitBase:PROC EXTRN _RTC_InitBase:PROC
@ -190,7 +190,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6 $pdata$?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6
DD imagerel $LN6+369 DD imagerel $LN6+377
DD imagerel $unwind$?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $unwind$?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -202,7 +202,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6 $pdata$?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6
DD imagerel $LN6+367 DD imagerel $LN6+375
DD imagerel $unwind$?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $unwind$?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -214,7 +214,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6 $pdata$?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $LN6
DD imagerel $LN6+358 DD imagerel $LN6+366
DD imagerel $unwind$?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $unwind$?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -270,7 +270,7 @@ $ip2state$?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 06H
DB 00H DB 00H
DB 0faH DB 0faH
DB 02H DB 02H
DB 08eH DB 09eH
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -287,13 +287,13 @@ $cppxdata$?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 028H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
xdata SEGMENT xdata SEGMENT
$unwind$?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 025054419H $unwind$?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 035054419H
DD 0117231cH DD 0117331cH
DD 07010002fH DD 070100031H
DD 0500fH DD 0500fH
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $cppxdata$?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
DD 0162H DD 0172H
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -306,7 +306,7 @@ CONST SEGMENT
DB 061H DB 061H
DB 00H DB 00H
ORG $+8 ORG $+8
?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 024H ; JitEmitRipRelativeXorB ?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 034H ; JitEmitRipRelativeXorB
DD 07H DD 07H
DQ FLAT:?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0 DQ FLAT:?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0
ORG $+48 ORG $+48
@ -327,7 +327,7 @@ $ip2state$?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 06H
DB 00H DB 00H
DB 015H, 02H DB 015H, 02H
DB 02H DB 02H
DB 08eH DB 09eH
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -344,13 +344,13 @@ $cppxdata$?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 028H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
xdata SEGMENT xdata SEGMENT
$unwind$?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 025054419H $unwind$?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 035054419H
DD 0117231cH DD 0117331cH
DD 070100031H DD 070100033H
DD 0500fH DD 0500fH
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $cppxdata$?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
DD 0172H DD 0182H
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -363,7 +363,7 @@ CONST SEGMENT
DB 061H DB 061H
DB 00H DB 00H
ORG $+8 ORG $+8
?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 028H ; JitEmitRipRelativeXorW ?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 038H ; JitEmitRipRelativeXorW
DD 09H DD 09H
DQ FLAT:?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0 DQ FLAT:?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0
ORG $+48 ORG $+48
@ -384,7 +384,7 @@ $ip2state$?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 06H
DB 00H DB 00H
DB '%', 02H DB '%', 02H
DB 02H DB 02H
DB 08eH DB 09eH
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -401,13 +401,13 @@ $cppxdata$?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DB 028H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
xdata SEGMENT xdata SEGMENT
$unwind$?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 025054419H $unwind$?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD 035054419H
DD 0117231cH DD 0117331cH
DD 070100031H DD 070100033H
DD 0500fH DD 0500fH
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z DD imagerel $cppxdata$?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z
DD 0172H DD 0182H
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -420,7 +420,7 @@ CONST SEGMENT
DB 061H DB 061H
DB 00H DB 00H
ORG $+8 ORG $+8
?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 028H ; JitEmitRipRelativeXorD ?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcVarDesc DD 038H ; JitEmitRipRelativeXorD
DD 0aH DD 0aH
DQ FLAT:?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0 DQ FLAT:?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcName$0
ORG $+48 ORG $+48
@ -603,7 +603,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
RipDelta$ = 376 RipDelta$ = 376
@ -618,15 +618,15 @@ $LN6:
00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
0000e 55 push rbp 0000e 55 push rbp
0000f 57 push rdi 0000f 57 push rdi
00010 48 81 ec 78 01 00010 48 81 ec 88 01
00 00 sub rsp, 376 ; 00000178H 00 00 sub rsp, 392 ; 00000188H
00017 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] 00017 48 8d 6c 24 30 lea rbp, QWORD PTR [rsp+48]
0001c 48 8b fc mov rdi, rsp 0001c 48 8b fc mov rdi, rsp
0001f b9 5e 00 00 00 mov ecx, 94 ; 0000005eH 0001f b9 62 00 00 00 mov ecx, 98 ; 00000062H
00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH
00029 f3 ab rep stosd 00029 f3 ab rep stosd
0002b 48 8b 8c 24 98 0002b 48 8b 8c 24 a8
01 00 00 mov rcx, QWORD PTR [rsp+408] 01 00 00 mov rcx, QWORD PTR [rsp+424]
00033 48 8b 05 00 00 00033 48 8b 05 00 00
00 00 mov rax, QWORD PTR __security_cookie 00 00 mov rax, QWORD PTR __security_cookie
0003a 48 33 c5 xor rax, rbp 0003a 48 33 c5 xor rax, rbp
@ -655,89 +655,91 @@ $LN6:
00 00 mov QWORD PTR $T5[rbp], rax 00 00 mov QWORD PTR $T5[rbp], rax
0007d 48 83 bd 28 01 0007d 48 83 bd 28 01
00 00 00 cmp QWORD PTR $T5[rbp], 0 00 00 00 cmp QWORD PTR $T5[rbp], 0
00085 74 24 je SHORT $LN3@JitEmitRip 00085 74 2c je SHORT $LN3@JitEmitRip
00087 41 b9 07 00 00 00087 c7 44 24 20 00
00 00 00 mov DWORD PTR [rsp+32], 0
0008f 41 b9 07 00 00
00 mov r9d, 7 00 mov r9d, 7
0008d 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp] 00095 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp]
00091 ba 0c 00 00 00 mov edx, 12 00099 ba 0c 00 00 00 mov edx, 12
00096 48 8b 8d 28 01 0009e 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
0009d e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 000a5 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
000a2 48 89 85 38 01 000aa 48 89 85 38 01
00 00 mov QWORD PTR tv78[rbp], rax 00 00 mov QWORD PTR tv79[rbp], rax
000a9 eb 0b jmp SHORT $LN4@JitEmitRip 000b1 eb 0b jmp SHORT $LN4@JitEmitRip
$LN3@JitEmitRip: $LN3@JitEmitRip:
000ab 48 c7 85 38 01 000b3 48 c7 85 38 01
00 00 00 00 00 00 00 00 00 00
00 mov QWORD PTR tv78[rbp], 0 00 mov QWORD PTR tv79[rbp], 0
$LN4@JitEmitRip: $LN4@JitEmitRip:
000b6 48 8b 85 38 01 000be 48 8b 85 38 01
00 00 mov rax, QWORD PTR tv78[rbp] 00 00 mov rax, QWORD PTR tv79[rbp]
000bd 48 89 85 08 01 000c5 48 89 85 08 01
00 00 mov QWORD PTR $T4[rbp], rax 00 00 mov QWORD PTR $T4[rbp], rax
000c4 48 8b 85 08 01 000cc 48 8b 85 08 01
00 00 mov rax, QWORD PTR $T4[rbp] 00 00 mov rax, QWORD PTR $T4[rbp]
000cb 48 89 45 28 mov QWORD PTR Link$[rbp], rax 000d3 48 89 45 28 mov QWORD PTR Link$[rbp], rax
; 32 : *(PINT32)&Link->RawData[2] = RipDelta; ; 32 : *(PINT32)&Link->RawData[2] = RipDelta;
000cf b8 01 00 00 00 mov eax, 1 000d7 b8 01 00 00 00 mov eax, 1
000d4 48 6b c0 02 imul rax, rax, 2 000dc 48 6b c0 02 imul rax, rax, 2
000d8 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp] 000e0 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
000dc 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 000e4 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
000e0 8b 95 78 01 00 000e8 8b 95 78 01 00
00 mov edx, DWORD PTR RipDelta$[rbp] 00 mov edx, DWORD PTR RipDelta$[rbp]
000e6 89 14 08 mov DWORD PTR [rax+rcx], edx 000ee 89 14 08 mov DWORD PTR [rax+rcx], edx
; 33 : *(PUCHAR)&Link->RawData[6] = (UCHAR)Value; ; 33 : *(PUCHAR)&Link->RawData[6] = (UCHAR)Value;
000e9 b8 01 00 00 00 mov eax, 1 000f1 b8 01 00 00 00 mov eax, 1
000ee 48 6b c0 06 imul rax, rax, 6 000f6 48 6b c0 06 imul rax, rax, 6
000f2 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp] 000fa 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
000f6 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 000fe 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
000fa 0f b6 95 80 01 00102 0f b6 95 80 01
00 00 movzx edx, BYTE PTR Value$[rbp] 00 00 movzx edx, BYTE PTR Value$[rbp]
00101 88 14 08 mov BYTE PTR [rax+rcx], dl 00109 88 14 08 mov BYTE PTR [rax+rcx], dl
; 34 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize); ; 34 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
00104 48 8b 45 28 mov rax, QWORD PTR Link$[rbp] 0010c 48 8b 45 28 mov rax, QWORD PTR Link$[rbp]
00108 48 83 c0 30 add rax, 48 ; 00000030H 00110 48 83 c0 30 add rax, 48 ; 00000030H
0010c 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
00110 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
00114 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp] 00114 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
00118 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] 00118 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
0011c 48 8b c8 mov rcx, rax 0011c 48 8b 4d 28 mov rcx, QWORD PTR Link$[rbp]
0011f e8 00 00 00 00 call xed_decode 00120 48 8b 51 20 mov rdx, QWORD PTR [rcx+32]
00124 48 8b c8 mov rcx, rax
00127 e8 00 00 00 00 call xed_decode
; 35 : NcAppendToBlock(Block, Link); ; 35 : NcAppendToBlock(Block, Link);
00124 48 8b 55 28 mov rdx, QWORD PTR Link$[rbp] 0012c 48 8b 55 28 mov rdx, QWORD PTR Link$[rbp]
00128 48 8b 8d 70 01 00130 48 8b 8d 70 01
00 00 mov rcx, QWORD PTR Block$[rbp] 00 00 mov rcx, QWORD PTR Block$[rbp]
0012f e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock 00137 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock
; 36 : return TRUE; ; 36 : return TRUE;
00134 b8 01 00 00 00 mov eax, 1 0013c b8 01 00 00 00 mov eax, 1
; 37 : } ; 37 : }
00139 8b f8 mov edi, eax 00141 8b f8 mov edi, eax
0013b 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 00143 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
0013f 48 8d 15 00 00 00147 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData 00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData
00146 e8 00 00 00 00 call _RTC_CheckStackVars 0014e e8 00 00 00 00 call _RTC_CheckStackVars
0014b 8b c7 mov eax, edi 00153 8b c7 mov eax, edi
0014d 48 8b 8d 40 01 00155 48 8b 8d 40 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
00154 48 33 cd xor rcx, rbp 0015c 48 33 cd xor rcx, rbp
00157 e8 00 00 00 00 call __security_check_cookie 0015f e8 00 00 00 00 call __security_check_cookie
0015c 48 8d a5 58 01 00164 48 8d a5 58 01
00 00 lea rsp, QWORD PTR [rbp+344] 00 00 lea rsp, QWORD PTR [rbp+344]
00163 5f pop rdi 0016b 5f pop rdi
00164 5d pop rbp 0016c 5d pop rbp
00165 c3 ret 0 0016d c3 ret 0
?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeXorB ?JitEmitRipRelativeXorB@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeXorB
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -746,7 +748,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
RipDelta$ = 376 RipDelta$ = 376
@ -757,7 +759,7 @@ Value$ = 384
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 28 01 00019 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -775,7 +777,7 @@ RawData$ = 4
Link$ = 40 Link$ = 40
$T4 = 264 $T4 = 264
$T5 = 296 $T5 = 296
tv78 = 312 tv79 = 312
__$ArrayPad$ = 320 __$ArrayPad$ = 320
Block$ = 368 Block$ = 368
RipDelta$ = 376 RipDelta$ = 376
@ -786,7 +788,7 @@ Value$ = 384
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 28 01 00019 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -805,7 +807,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -820,15 +822,15 @@ $LN6:
00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
0000e 55 push rbp 0000e 55 push rbp
0000f 57 push rdi 0000f 57 push rdi
00010 48 81 ec 88 01 00010 48 81 ec 98 01
00 00 sub rsp, 392 ; 00000188H 00 00 sub rsp, 408 ; 00000198H
00017 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] 00017 48 8d 6c 24 30 lea rbp, QWORD PTR [rsp+48]
0001c 48 8b fc mov rdi, rsp 0001c 48 8b fc mov rdi, rsp
0001f b9 62 00 00 00 mov ecx, 98 ; 00000062H 0001f b9 66 00 00 00 mov ecx, 102 ; 00000066H
00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH
00029 f3 ab rep stosd 00029 f3 ab rep stosd
0002b 48 8b 8c 24 a8 0002b 48 8b 8c 24 b8
01 00 00 mov rcx, QWORD PTR [rsp+424] 01 00 00 mov rcx, QWORD PTR [rsp+440]
00033 48 8b 05 00 00 00033 48 8b 05 00 00
00 00 mov rax, QWORD PTR __security_cookie 00 00 mov rax, QWORD PTR __security_cookie
0003a 48 33 c5 xor rax, rbp 0003a 48 33 c5 xor rax, rbp
@ -859,89 +861,91 @@ $LN6:
00 00 mov QWORD PTR $T5[rbp], rax 00 00 mov QWORD PTR $T5[rbp], rax
00085 48 83 bd 38 01 00085 48 83 bd 38 01
00 00 00 cmp QWORD PTR $T5[rbp], 0 00 00 00 cmp QWORD PTR $T5[rbp], 0
0008d 74 24 je SHORT $LN3@JitEmitRip 0008d 74 2c je SHORT $LN3@JitEmitRip
0008f 41 b9 09 00 00 0008f c7 44 24 20 00
00 00 00 mov DWORD PTR [rsp+32], 0
00097 41 b9 09 00 00
00 mov r9d, 9 00 mov r9d, 9
00095 4c 8d 45 08 lea r8, QWORD PTR RawData$[rbp] 0009d 4c 8d 45 08 lea r8, QWORD PTR RawData$[rbp]
00099 ba 0c 00 00 00 mov edx, 12 000a1 ba 0c 00 00 00 mov edx, 12
0009e 48 8b 8d 38 01 000a6 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
000a5 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 000ad e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
000aa 48 89 85 48 01 000b2 48 89 85 48 01
00 00 mov QWORD PTR tv78[rbp], rax 00 00 mov QWORD PTR tv79[rbp], rax
000b1 eb 0b jmp SHORT $LN4@JitEmitRip 000b9 eb 0b jmp SHORT $LN4@JitEmitRip
$LN3@JitEmitRip: $LN3@JitEmitRip:
000b3 48 c7 85 48 01 000bb 48 c7 85 48 01
00 00 00 00 00 00 00 00 00 00
00 mov QWORD PTR tv78[rbp], 0 00 mov QWORD PTR tv79[rbp], 0
$LN4@JitEmitRip: $LN4@JitEmitRip:
000be 48 8b 85 48 01 000c6 48 8b 85 48 01
00 00 mov rax, QWORD PTR tv78[rbp] 00 00 mov rax, QWORD PTR tv79[rbp]
000c5 48 89 85 18 01 000cd 48 89 85 18 01
00 00 mov QWORD PTR $T4[rbp], rax 00 00 mov QWORD PTR $T4[rbp], rax
000cc 48 8b 85 18 01 000d4 48 8b 85 18 01
00 00 mov rax, QWORD PTR $T4[rbp] 00 00 mov rax, QWORD PTR $T4[rbp]
000d3 48 89 45 38 mov QWORD PTR Link$[rbp], rax 000db 48 89 45 38 mov QWORD PTR Link$[rbp], rax
; 20 : *(PINT32)&Link->RawData[3] = RipDelta; ; 20 : *(PINT32)&Link->RawData[3] = RipDelta;
000d7 b8 01 00 00 00 mov eax, 1 000df b8 01 00 00 00 mov eax, 1
000dc 48 6b c0 03 imul rax, rax, 3 000e4 48 6b c0 03 imul rax, rax, 3
000e0 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 000e8 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
000e4 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 000ec 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
000e8 8b 95 88 01 00 000f0 8b 95 88 01 00
00 mov edx, DWORD PTR RipDelta$[rbp] 00 mov edx, DWORD PTR RipDelta$[rbp]
000ee 89 14 08 mov DWORD PTR [rax+rcx], edx 000f6 89 14 08 mov DWORD PTR [rax+rcx], edx
; 21 : *(PUSHORT)&Link->RawData[7] = (USHORT)Value; ; 21 : *(PUSHORT)&Link->RawData[7] = (USHORT)Value;
000f1 b8 01 00 00 00 mov eax, 1 000f9 b8 01 00 00 00 mov eax, 1
000f6 48 6b c0 07 imul rax, rax, 7 000fe 48 6b c0 07 imul rax, rax, 7
000fa 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 00102 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
000fe 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 00106 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
00102 0f b7 95 90 01 0010a 0f b7 95 90 01
00 00 movzx edx, WORD PTR Value$[rbp] 00 00 movzx edx, WORD PTR Value$[rbp]
00109 66 89 14 08 mov WORD PTR [rax+rcx], dx 00111 66 89 14 08 mov WORD PTR [rax+rcx], dx
; 22 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize); ; 22 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
0010d 48 8b 45 38 mov rax, QWORD PTR Link$[rbp] 00115 48 8b 45 38 mov rax, QWORD PTR Link$[rbp]
00111 48 83 c0 30 add rax, 48 ; 00000030H 00119 48 83 c0 30 add rax, 48 ; 00000030H
00115 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00119 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
0011d 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 0011d 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00121 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] 00121 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
00125 48 8b c8 mov rcx, rax 00125 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00128 e8 00 00 00 00 call xed_decode 00129 48 8b 51 20 mov rdx, QWORD PTR [rcx+32]
0012d 48 8b c8 mov rcx, rax
00130 e8 00 00 00 00 call xed_decode
; 23 : NcAppendToBlock(Block, Link); ; 23 : NcAppendToBlock(Block, Link);
0012d 48 8b 55 38 mov rdx, QWORD PTR Link$[rbp] 00135 48 8b 55 38 mov rdx, QWORD PTR Link$[rbp]
00131 48 8b 8d 80 01 00139 48 8b 8d 80 01
00 00 mov rcx, QWORD PTR Block$[rbp] 00 00 mov rcx, QWORD PTR Block$[rbp]
00138 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock 00140 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock
; 24 : return TRUE; ; 24 : return TRUE;
0013d b8 01 00 00 00 mov eax, 1 00145 b8 01 00 00 00 mov eax, 1
; 25 : } ; 25 : }
00142 8b f8 mov edi, eax 0014a 8b f8 mov edi, eax
00144 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 0014c 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
00148 48 8d 15 00 00 00150 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData 00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData
0014f e8 00 00 00 00 call _RTC_CheckStackVars 00157 e8 00 00 00 00 call _RTC_CheckStackVars
00154 8b c7 mov eax, edi 0015c 8b c7 mov eax, edi
00156 48 8b 8d 50 01 0015e 48 8b 8d 50 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
0015d 48 33 cd xor rcx, rbp 00165 48 33 cd xor rcx, rbp
00160 e8 00 00 00 00 call __security_check_cookie 00168 e8 00 00 00 00 call __security_check_cookie
00165 48 8d a5 68 01 0016d 48 8d a5 68 01
00 00 lea rsp, QWORD PTR [rbp+360] 00 00 lea rsp, QWORD PTR [rbp+360]
0016c 5f pop rdi 00174 5f pop rdi
0016d 5d pop rbp 00175 5d pop rbp
0016e c3 ret 0 00176 c3 ret 0
?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeXorW ?JitEmitRipRelativeXorW@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeXorW
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -950,7 +954,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -961,7 +965,7 @@ Value$ = 400
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 38 01 00019 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -979,7 +983,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -990,7 +994,7 @@ Value$ = 400
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 38 01 00019 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -1009,7 +1013,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -1024,15 +1028,15 @@ $LN6:
00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00009 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
0000e 55 push rbp 0000e 55 push rbp
0000f 57 push rdi 0000f 57 push rdi
00010 48 81 ec 88 01 00010 48 81 ec 98 01
00 00 sub rsp, 392 ; 00000188H 00 00 sub rsp, 408 ; 00000198H
00017 48 8d 6c 24 20 lea rbp, QWORD PTR [rsp+32] 00017 48 8d 6c 24 30 lea rbp, QWORD PTR [rsp+48]
0001c 48 8b fc mov rdi, rsp 0001c 48 8b fc mov rdi, rsp
0001f b9 62 00 00 00 mov ecx, 98 ; 00000062H 0001f b9 66 00 00 00 mov ecx, 102 ; 00000066H
00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH 00024 b8 cc cc cc cc mov eax, -858993460 ; ccccccccH
00029 f3 ab rep stosd 00029 f3 ab rep stosd
0002b 48 8b 8c 24 a8 0002b 48 8b 8c 24 b8
01 00 00 mov rcx, QWORD PTR [rsp+424] 01 00 00 mov rcx, QWORD PTR [rsp+440]
00033 48 8b 05 00 00 00033 48 8b 05 00 00
00 00 mov rax, QWORD PTR __security_cookie 00 00 mov rax, QWORD PTR __security_cookie
0003a 48 33 c5 xor rax, rbp 0003a 48 33 c5 xor rax, rbp
@ -1064,89 +1068,91 @@ $LN6:
00 00 mov QWORD PTR $T5[rbp], rax 00 00 mov QWORD PTR $T5[rbp], rax
00089 48 83 bd 38 01 00089 48 83 bd 38 01
00 00 00 cmp QWORD PTR $T5[rbp], 0 00 00 00 cmp QWORD PTR $T5[rbp], 0
00091 74 24 je SHORT $LN3@JitEmitRip 00091 74 2c je SHORT $LN3@JitEmitRip
00093 41 b9 0a 00 00 00093 c7 44 24 20 00
00 00 00 mov DWORD PTR [rsp+32], 0
0009b 41 b9 0a 00 00
00 mov r9d, 10 00 mov r9d, 10
00099 4c 8d 45 08 lea r8, QWORD PTR RawData$[rbp] 000a1 4c 8d 45 08 lea r8, QWORD PTR RawData$[rbp]
0009d ba 0c 00 00 00 mov edx, 12 000a5 ba 0c 00 00 00 mov edx, 12
000a2 48 8b 8d 38 01 000aa 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
000a9 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXK@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 000b1 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
000ae 48 89 85 48 01 000b6 48 89 85 48 01
00 00 mov QWORD PTR tv78[rbp], rax 00 00 mov QWORD PTR tv79[rbp], rax
000b5 eb 0b jmp SHORT $LN4@JitEmitRip 000bd eb 0b jmp SHORT $LN4@JitEmitRip
$LN3@JitEmitRip: $LN3@JitEmitRip:
000b7 48 c7 85 48 01 000bf 48 c7 85 48 01
00 00 00 00 00 00 00 00 00 00
00 mov QWORD PTR tv78[rbp], 0 00 mov QWORD PTR tv79[rbp], 0
$LN4@JitEmitRip: $LN4@JitEmitRip:
000c2 48 8b 85 48 01 000ca 48 8b 85 48 01
00 00 mov rax, QWORD PTR tv78[rbp] 00 00 mov rax, QWORD PTR tv79[rbp]
000c9 48 89 85 18 01 000d1 48 89 85 18 01
00 00 mov QWORD PTR $T4[rbp], rax 00 00 mov QWORD PTR $T4[rbp], rax
000d0 48 8b 85 18 01 000d8 48 8b 85 18 01
00 00 mov rax, QWORD PTR $T4[rbp] 00 00 mov rax, QWORD PTR $T4[rbp]
000d7 48 89 45 38 mov QWORD PTR Link$[rbp], rax 000df 48 89 45 38 mov QWORD PTR Link$[rbp], rax
; 8 : *(PINT32)&Link->RawData[2] = RipDelta; ; 8 : *(PINT32)&Link->RawData[2] = RipDelta;
000db b8 01 00 00 00 mov eax, 1 000e3 b8 01 00 00 00 mov eax, 1
000e0 48 6b c0 02 imul rax, rax, 2 000e8 48 6b c0 02 imul rax, rax, 2
000e4 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 000ec 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
000e8 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 000f0 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
000ec 8b 95 88 01 00 000f4 8b 95 88 01 00
00 mov edx, DWORD PTR RipDelta$[rbp] 00 mov edx, DWORD PTR RipDelta$[rbp]
000f2 89 14 08 mov DWORD PTR [rax+rcx], edx 000fa 89 14 08 mov DWORD PTR [rax+rcx], edx
; 9 : *(PULONG)&Link->RawData[6] = Value; ; 9 : *(PULONG)&Link->RawData[6] = Value;
000f5 b8 01 00 00 00 mov eax, 1 000fd b8 01 00 00 00 mov eax, 1
000fa 48 6b c0 06 imul rax, rax, 6 00102 48 6b c0 06 imul rax, rax, 6
000fe 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 00106 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00102 48 8b 49 20 mov rcx, QWORD PTR [rcx+32] 0010a 48 8b 49 20 mov rcx, QWORD PTR [rcx+32]
00106 8b 95 90 01 00 0010e 8b 95 90 01 00
00 mov edx, DWORD PTR Value$[rbp] 00 mov edx, DWORD PTR Value$[rbp]
0010c 89 14 08 mov DWORD PTR [rax+rcx], edx 00114 89 14 08 mov DWORD PTR [rax+rcx], edx
; 10 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize); ; 10 : XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
0010f 48 8b 45 38 mov rax, QWORD PTR Link$[rbp] 00117 48 8b 45 38 mov rax, QWORD PTR Link$[rbp]
00113 48 83 c0 30 add rax, 48 ; 00000030H 0011b 48 83 c0 30 add rax, 48 ; 00000030H
00117 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
0011b 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
0011f 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp] 0011f 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
00123 48 8b 51 20 mov rdx, QWORD PTR [rcx+32] 00123 44 8b 41 28 mov r8d, DWORD PTR [rcx+40]
00127 48 8b c8 mov rcx, rax 00127 48 8b 4d 38 mov rcx, QWORD PTR Link$[rbp]
0012a e8 00 00 00 00 call xed_decode 0012b 48 8b 51 20 mov rdx, QWORD PTR [rcx+32]
0012f 48 8b c8 mov rcx, rax
00132 e8 00 00 00 00 call xed_decode
; 11 : NcAppendToBlock(Block, Link); ; 11 : NcAppendToBlock(Block, Link);
0012f 48 8b 55 38 mov rdx, QWORD PTR Link$[rbp] 00137 48 8b 55 38 mov rdx, QWORD PTR Link$[rbp]
00133 48 8b 8d 80 01 0013b 48 8b 8d 80 01
00 00 mov rcx, QWORD PTR Block$[rbp] 00 00 mov rcx, QWORD PTR Block$[rbp]
0013a e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock 00142 e8 00 00 00 00 call ?NcAppendToBlock@@YAXPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@@Z ; NcAppendToBlock
; 12 : return TRUE; ; 12 : return TRUE;
0013f b8 01 00 00 00 mov eax, 1 00147 b8 01 00 00 00 mov eax, 1
; 13 : } ; 13 : }
00144 8b f8 mov edi, eax 0014c 8b f8 mov edi, eax
00146 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 0014e 48 8d 4d d0 lea rcx, QWORD PTR [rbp-48]
0014a 48 8d 15 00 00 00152 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData 00 00 lea rdx, OFFSET FLAT:?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z$rtcFrameData
00151 e8 00 00 00 00 call _RTC_CheckStackVars 00159 e8 00 00 00 00 call _RTC_CheckStackVars
00156 8b c7 mov eax, edi 0015e 8b c7 mov eax, edi
00158 48 8b 8d 50 01 00160 48 8b 8d 50 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
0015f 48 33 cd xor rcx, rbp 00167 48 33 cd xor rcx, rbp
00162 e8 00 00 00 00 call __security_check_cookie 0016a e8 00 00 00 00 call __security_check_cookie
00167 48 8d a5 68 01 0016f 48 8d a5 68 01
00 00 lea rsp, QWORD PTR [rbp+360] 00 00 lea rsp, QWORD PTR [rbp+360]
0016e 5f pop rdi 00176 5f pop rdi
0016f 5d pop rbp 00177 5d pop rbp
00170 c3 ret 0 00178 c3 ret 0
?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeXorD ?JitEmitRipRelativeXorD@@YAHPEAU_NATIVE_CODE_BLOCK@@HK@Z ENDP ; JitEmitRipRelativeXorD
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -1155,7 +1161,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -1166,7 +1172,7 @@ Value$ = 400
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 38 01 00019 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
@ -1184,7 +1190,7 @@ RawData$ = 8
Link$ = 56 Link$ = 56
$T4 = 280 $T4 = 280
$T5 = 312 $T5 = 312
tv78 = 328 tv79 = 328
__$ArrayPad$ = 336 __$ArrayPad$ = 336
Block$ = 384 Block$ = 384
RipDelta$ = 392 RipDelta$ = 392
@ -1195,7 +1201,7 @@ Value$ = 400
0000a 55 push rbp 0000a 55 push rbp
0000b 57 push rdi 0000b 57 push rdi
0000c 48 83 ec 28 sub rsp, 40 ; 00000028H 0000c 48 83 ec 28 sub rsp, 40 ; 00000028H
00010 48 8d 6a 20 lea rbp, QWORD PTR [rdx+32] 00010 48 8d 6a 30 lea rbp, QWORD PTR [rdx+48]
00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H 00014 ba f0 00 00 00 mov edx, 240 ; 000000f0H
00019 48 8b 8d 38 01 00019 48 8b 8d 38 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]

@ -189,7 +189,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?ViValidateNativeCodeBlock@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD imagerel $LN7 $pdata$?ViValidateNativeCodeBlock@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD imagerel $LN7
DD imagerel $LN7+122 DD imagerel $LN7+142
DD imagerel $unwind$?ViValidateNativeCodeBlock@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z DD imagerel $unwind$?ViValidateNativeCodeBlock@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z
pdata ENDS pdata ENDS
; COMDAT rtc$TMZ ; COMDAT rtc$TMZ
@ -434,7 +434,7 @@ $LN7:
00 00 lea rcx, OFFSET FLAT:__463C1148_Virtualizer@cpp 00 00 lea rcx, OFFSET FLAT:__463C1148_Virtualizer@cpp
00031 e8 00 00 00 00 call __CheckForDebuggerJustMyCode 00031 e8 00 00 00 00 call __CheckForDebuggerJustMyCode
; 9 : for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next) ; 9 : for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
00036 48 8b 85 00 01 00036 48 8b 85 00 01
00 00 mov rax, QWORD PTR Block$[rbp] 00 00 mov rax, QWORD PTR Block$[rbp]
@ -447,39 +447,45 @@ $LN2@ViValidate:
0004d 48 89 45 08 mov QWORD PTR T$1[rbp], rax 0004d 48 89 45 08 mov QWORD PTR T$1[rbp], rax
$LN4@ViValidate: $LN4@ViValidate:
00051 48 83 7d 08 00 cmp QWORD PTR T$1[rbp], 0 00051 48 83 7d 08 00 cmp QWORD PTR T$1[rbp], 0
00056 74 13 je SHORT $LN3@ViValidate 00056 74 27 je SHORT $LN3@ViValidate
00058 48 8b 85 00 01
00 00 mov rax, QWORD PTR Block$[rbp]
0005f 48 8b 40 08 mov rax, QWORD PTR [rax+8]
00063 48 8b 00 mov rax, QWORD PTR [rax]
00066 48 39 45 08 cmp QWORD PTR T$1[rbp], rax
0006a 74 13 je SHORT $LN3@ViValidate
; 10 : { ; 10 : {
; 11 : if (!ViCanHandleInst(T)) ; 11 : if (!ViCanHandleInst(T))
00058 48 8b 4d 08 mov rcx, QWORD PTR T$1[rbp] 0006c 48 8b 4d 08 mov rcx, QWORD PTR T$1[rbp]
0005c e8 00 00 00 00 call ?ViCanHandleInst@@YAHPEAU_NATIVE_CODE_LINK@@@Z ; ViCanHandleInst 00070 e8 00 00 00 00 call ?ViCanHandleInst@@YAHPEAU_NATIVE_CODE_LINK@@@Z ; ViCanHandleInst
00061 85 c0 test eax, eax 00075 85 c0 test eax, eax
00063 75 04 jne SHORT $LN5@ViValidate 00077 75 04 jne SHORT $LN5@ViValidate
; 12 : return FALSE; ; 12 : return FALSE;
00065 33 c0 xor eax, eax 00079 33 c0 xor eax, eax
00067 eb 07 jmp SHORT $LN1@ViValidate 0007b eb 07 jmp SHORT $LN1@ViValidate
$LN5@ViValidate: $LN5@ViValidate:
; 13 : } ; 13 : }
00069 eb db jmp SHORT $LN2@ViValidate 0007d eb c7 jmp SHORT $LN2@ViValidate
$LN3@ViValidate: $LN3@ViValidate:
; 14 : return TRUE; ; 14 : return TRUE;
0006b b8 01 00 00 00 mov eax, 1 0007f b8 01 00 00 00 mov eax, 1
$LN1@ViValidate: $LN1@ViValidate:
; 15 : } ; 15 : }
00070 48 8d a5 e8 00 00084 48 8d a5 e8 00
00 00 lea rsp, QWORD PTR [rbp+232] 00 00 lea rsp, QWORD PTR [rbp+232]
00077 5f pop rdi 0008b 5f pop rdi
00078 5d pop rbp 0008c 5d pop rbp
00079 c3 ret 0 0008d c3 ret 0
?ViValidateNativeCodeBlock@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z ENDP ; ViValidateNativeCodeBlock ?ViValidateNativeCodeBlock@@YAHPEAU_NATIVE_CODE_BLOCK@@@Z ENDP ; ViValidateNativeCodeBlock
_TEXT ENDS _TEXT ENDS
; Function compile flags: /Odtp /RTCsu /ZI ; Function compile flags: /Odtp /RTCsu /ZI

Binary file not shown.