/* This file was generated by the Hex-Rays decompiler.
Copyright (c) 2007-2018 Hex-Rays <info@hex-rays.com>
Detected compiler: Visual C++
*/
#include <windows.h>
#include <defs.h>
//-------------------------------------------------------------------------
// Function declarations
BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved);
// Raw `syscall` stub. NOTE(review): every call site in Run_0 passes
// (process handle, address, buffer, 8, 0/length), which is the argument shape
// of a read-memory call rather than a query; the name was assigned by the
// analyst and the syscall number loaded before the instruction is not visible
// in this listing. Confirm the number before relying on the name.
void __stdcall syscall_NtQueryVirtualMemory(HANDLE, void *, void *, unsigned __int64, unsigned __int64);
// Copies four qwords from **a1 into a2 (returns 0 if a1 is the 0x11111111
// sentinel). VEHandler_0 treats access violations whose fault address lies
// inside this function specially and resumes at sub_10A8 + 109, so its code
// layout, not just its logic, is part of the contract.
char __fastcall sub_10A8(_QWORD **a1, _QWORD *a2);
// Handler that Run_0 registers with AddVectoredExceptionHandler. Its body is
// not in this listing; VEHandler_0 below is presumably its implementation or
// a variant of it — confirm in the disassembly.
LONG __fastcall VEHandler(_EXCEPTION_POINTERS *);
// void __usercall Run(__int64 a1@<rdx>, int a2@<ecx>, __int64 a3@<rbx>, __int16 a4@<bp>, _DWORD *a5@<rdi>, __int64 a6@<rsi>, __int64 a7@<r8>, __int64 a8@<r9>);
// FARPROC __stdcall GetProcAddress(HMODULE hModule, LPCSTR lpProcName);
// BOOL __stdcall IsBadReadPtr(const void *lp, UINT_PTR ucb);
// BOOL __stdcall VirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);
// HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName);
LONG __fastcall VEHandler_0(_EXCEPTION_POINTERS *);
// Main routine: builds a 512-byte report in a local PACKET buffer and hands it
// to the SendPacket_1 callback; a1 is checked against values derived from the
// caller's code bytes before the extended checks run.
void __fastcall Run_0(int a1, void *SendPacket_1);
//-------------------------------------------------------------------------
// Data declarations
HMODULE DllStartAddress; // idb — this module's own image base, set in DllEntryPoint; Run_0 patches bytes inside the image through it
__int64 qword_4008; // weak — ntdll base, stored either plain or XOR-masked with the address of PACKET (Run_0); never read in this listing
__int64 qword_4010; // weak — address of Run_0's PACKET; VEHandler_0 stores its XOR-masked register snapshot at +2 .. +0x32
KSYSTEM_TIME SharedUserData_SystemTime; // KUSER_SHARED_DATA.SystemTime; read as a key seed and as the clock for the CPUID timing loop
//----- (0000000000001000) ----------------------------------------------------
BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    // Only DLL_PROCESS_ATTACH (== 1) matters: remember our own image base so
    // Run_0 can later locate and patch bytes inside this module. Thread
    // attach/detach and process detach are ignored, and the load always
    // reports success.
    (void)lpReserved;
    const BOOL is_process_attach = (fdwReason == DLL_PROCESS_ATTACH);
    if (is_process_attach) {
        DllStartAddress = hinstDLL;
    }
    return TRUE;
}
//----- (0000000000001071) ----------------------------------------------------
void __stdcall syscall_NtQueryVirtualMemory(HANDLE a1, void *a2, void *a3, unsigned __int64 a4, unsigned __int64 a5)
{
// Direct `syscall` instruction: enters the kernel without going through the
// ntdll export, so an inline hook on the ntdll stub is bypassed. The decompiler
// did not recover the register setup (syscall number in EAX, RCX copied to
// R10), so the parameters above are the analyst's guess.
// NOTE(review): Run_0 calls this as (process, address, buffer, 8, 0), i.e. the
// argument shape of a read-memory call, not a query — the name may be a
// misnomer; verify the syscall number in the disassembly.
__asm { syscall; Low latency system call }
}
//----- (00000000000010A8) ----------------------------------------------------
char __fastcall sub_10A8(_QWORD **a1, _QWORD *a2)
{
// Copies the four qwords at **a1 into a2[0..3] and returns 1.
// 286331153 == 0x11111111 is used as a "no pointer" sentinel: it is rejected
// without dereferencing, returning 0.
// VEHandler_0 resumes any access violation raised inside this function at
// sub_10A8 + 109, which presumably lands on the failure epilogue, so the
// dereferences below act as a guarded probe of an untrusted pointer. That
// makes the function's exact byte layout a contract; this pseudocode does not
// show where +109 falls — confirm against the disassembly.
if ( a1 == (_QWORD **)286331153 )
return 0;
*a2 = **a1;
a2[1] = (*a1)[1];
a2[2] = (*a1)[2];
a2[3] = (*a1)[3];
return 1;
}
//----- (000000000000C54D) ----------------------------------------------------
LONG __fastcall VEHandler_0(_EXCEPTION_POINTERS *a1)
{
// Vectored exception handler body. Two jobs are visible:
//  1. On first entry (guard: the qword at qword_4010 + 0x32 is still zero)
//     snapshot Rsp, Rbp, Rcx and the hardware debug registers Dr0..Dr3 from
//     the faulting context, each XOR-masked with a fixed constant, into the
//     buffer at qword_4010 (Run_0 points it at PACKET, offsets +2 .. +0x32).
//     Recording Dr0..Dr3 is how hardware breakpoints become visible in the
//     report that Run_0 sends.
//  2. For STATUS_ACCESS_VIOLATION (-1073741819 == 0xC0000005) whose fault
//     address appears to fall inside sub_10A8, move Rip to sub_10A8 + 109 and
//     return -1 (EXCEPTION_CONTINUE_EXECUTION); anything else returns 0
//     (EXCEPTION_CONTINUE_SEARCH) so the exception keeps propagating.
// NOTE(review): the branches after the ExceptionCode test are inconsistent as
// decompiled — `a1[1].ExceptionRecord` indexes past the _EXCEPTION_POINTERS
// struct, and `(signed int)ExceptionCode <= -1073741819` is always true once
// equality has been established, so only the first branch is live. Treat the
// "inside sub_10A8" range check as the probable intent, not verified
// semantics; the remaining branches are likely flattened/opaque control flow.
PEXCEPTION_RECORD v1; // rax
char *v2; // rcx
_EXCEPTION_POINTERS *v4; // [rsp+8h] [rbp+8h]
v4 = a1;
if ( !*(_QWORD *)(qword_4010 + 0x32) )
{
// Unaligned 8-byte stores; the masks differ per register so the snapshot is
// not recognisable as raw context data in the packet.
*(_QWORD *)(qword_4010 + 2) = a1->ContextRecord->Rsp ^ 0x7EE229A13742DF11i64;
*(_QWORD *)(qword_4010 + 0xA) = a1->ContextRecord->Rbp ^ 0xB91AC48045914672ui64;
*(_QWORD *)(qword_4010 + 0x12) = a1->ContextRecord->Rcx ^ 0x34FAAEEEC2985C4Ai64;
*(_QWORD *)(qword_4010 + 0x1A) = a1->ContextRecord->Dr0 ^ 0x6355C31C003762CAi64;
*(_QWORD *)(qword_4010 + 0x22) = a1->ContextRecord->Dr1 ^ 0x4CE400421C869F50i64;
*(_QWORD *)(qword_4010 + 0x2A) = a1->ContextRecord->Dr2 ^ 0x699C87784390D3EAi64;
*(_QWORD *)(qword_4010 + 0x32) = a1->ContextRecord->Dr3 ^ 0x3F7114D09BA16F88i64;
}
// Only access violations are handled.
if ( a1->ExceptionRecord->ExceptionCode != -1073741819 )
return 0;
// Always true here (ExceptionCode == -1073741819), so this is the live path.
if ( (signed int)a1->ExceptionRecord->ExceptionCode <= -1073741819 )
{
if ( a1[1].ExceptionRecord < (PEXCEPTION_RECORD)sub_10A8 || a1->ExceptionRecord->ExceptionAddress >= (PVOID)sub_10A8 )
return 0;
a1->ContextRecord->Rip = (DWORD64)sub_10A8 + 109;
return -1;
}
// Everything below is unreachable as decompiled; kept for reference.
if ( (char *)a1[1].ExceptionRecord - (char *)sub_10A8 >= 0 )
{
if ( a1[1].ExceptionRecord < (PEXCEPTION_RECORD)sub_10A8
|| a1->ExceptionRecord->ExceptionAddress >= (char *)sub_10A8 + 109 )
{
return 0;
}
a1->ContextRecord->Rip = (DWORD64)sub_10A8 + 109;
return -1;
}
if ( a1[1].ExceptionRecord < (PEXCEPTION_RECORD)sub_10A8 )
return 0;
v1 = a1->ExceptionRecord;
v2 = (char *)sub_10A8 + 109;
if ( (__int64)v4->ExceptionRecord->ExceptionAddress >= (__int64)sub_10A8 + 109 )
{
if ( v1->ExceptionAddress >= v2 )
return 0;
v4->ContextRecord->Rip = (DWORD64)sub_10A8 + 109;
return -1;
}
if ( v1->ExceptionAddress >= v2 )
return 0;
v4->ContextRecord->Rip = (DWORD64)sub_10A8 + 109;
return -1;
}
// 4010: using guessed type __int64 qword_4010;
//----- (000000000000CE74) ----------------------------------------------------
// Run_0 — builds a 512-byte report (PACKET) about the host process and hands
// it to the SendPacket_1 callback. What the visible code does, in order:
//  1. Zeroes PACKET, stores the callback pointer at +0x3A, and resolves
//     NtQueryVirtualMemory / NtReadVirtualMemory / AddVectoredExceptionHandler
//     by name (names are assembled on the stack, not referenced as literals).
//  2. With the VEH installed, walks the whole address space with
//     NtQueryVirtualMemory; once, it also scans stack slots near its own
//     locals. For executable, committed, 4 KiB MEM_PRIVATE regions it reads
//     each page and looks for a fixed byte sequence, recording up to 5 hits
//     in 52-byte slots at PACKET+156.
//  3. If a1 matches a value derived from the caller's code bytes
//     (~(v51 ^ 0x19F3C225)): raises thread priority, makes its own image
//     writable, swaps marker bytes in the image back to CPUID/RDTSC opcodes,
//     runs three CPUID/RDTSC timing rounds (stored at PACKET+416 / +0x1A8),
//     then restores the markers and the priority.
//  4. Copies the first 8 bytes of the ntdll NtQueryVirtualMemory stub into
//     the packet (+58), XOR-scrambles the packet in two passes keyed from a1,
//     the caller-derived value and SharedUserData.SystemTime, fetches the
//     stub bytes again (via the raw syscall stub or the direct read, depending
//     on whether the NtReadVirtualMemory stub looks patched) into +0x44, and
//     calls SendPacket(PACKET, 0x200, 0).
// The CPUID timing (a VM-exit-heavy instruction measured against the TSC and
// system time) is a common hypervisor-presence heuristic; the Dr0..Dr3
// snapshot from VEHandler_0 and the ntdll stub bytes are debugger/hook
// detection material. Several loops contain decompiler residue (undefined
// v6/v23/v24/_ECX, inline rcl/rcr) — see the notes at the end of the file —
// so the exact key schedule cannot be recovered from this listing.
void __fastcall Run_0(int a1, void *SendPacket_1)
{
void *v2; // rsp
char *v3; // rax
NTSTATUS v4; // eax
int v5; // eax
char v6; // dl
int v7; // eax
int v8; // eax
PVOID v9; // rax MAPDST
int v10; // eax
unsigned int v12; // eax
int v14; // eax
int v19; // eax
int v22; // eax
char v23; // di
__int16 v24; // si
int v25; // eax
void *v29; // rsp
__int64 v34; // rax
bool v35; // zf
int v36; // eax
int v37; // eax
unsigned __int8 v38; // cl
unsigned __int64 MemoryInformationLength; // [rsp+2A28h] [rbp-1518h]
unsigned __int8 dwXorKeyPass2; // [rsp+2A38h] [rbp-1508h]
char v41; // [rsp+2A39h] [rbp-1507h]
int l; // [rsp+2A3Ch] [rbp-1504h]
int v43; // [rsp+2A40h] [rbp-1500h]
int j; // [rsp+2A44h] [rbp-14FCh]
unsigned int v45; // [rsp+2A48h] [rbp-14F8h]
int v46; // [rsp+2A4Ch] [rbp-14F4h]
unsigned int m; // [rsp+2A50h] [rbp-14F0h]
unsigned int iNumEncCPUID; // [rsp+2A54h] [rbp-14ECh]
unsigned int iNumEncRDTSC; // [rsp+2A58h] [rbp-14E8h]
unsigned int v50; // [rsp+2A5Ch] [rbp-14E4h]
int v51; // [rsp+2A60h] [rbp-14E0h]
int n; // [rsp+2A64h] [rbp-14DCh]
unsigned int jj; // [rsp+2A68h] [rbp-14D8h]
unsigned int kk; // [rsp+2A6Ch] [rbp-14D4h]
int i; // [rsp+2A70h] [rbp-14D0h]
char v151; // [rsp+2A74h] [rbp-14CCh]
CHAR ModuleName; // [rsp+2A80h] [rbp-14C0h]
char v159; // [rsp+2A90h] [rbp-14B0h]
CHAR v59; // [rsp+2AA0h] [rbp-14A0h]
CHAR v60; // [rsp+2AB8h] [rbp-1488h]
char v235; // [rsp+2AD0h] [rbp-1470h]
char ProcName; // [rsp+2AE8h] [rbp-1458h]
CHAR v63; // [rsp+2B00h] [rbp-1440h]
char v64; // [rsp+2B01h] [rbp-143Fh]
char v65; // [rsp+2B02h] [rbp-143Eh]
char v66; // [rsp+2B03h] [rbp-143Dh]
char v67; // [rsp+2B04h] [rbp-143Ch]
char v68; // [rsp+2B05h] [rbp-143Bh]
char v69; // [rsp+2B06h] [rbp-143Ah]
char v70; // [rsp+2B07h] [rbp-1439h]
char v71; // [rsp+2B08h] [rbp-1438h]
char v72; // [rsp+2B09h] [rbp-1437h]
char v73; // [rsp+2B0Ah] [rbp-1436h]
char v74; // [rsp+2B0Bh] [rbp-1435h]
char v75; // [rsp+2B0Ch] [rbp-1434h]
char v76; // [rsp+2B0Dh] [rbp-1433h]
char v77; // [rsp+2B0Eh] [rbp-1432h]
char v78; // [rsp+2B0Fh] [rbp-1431h]
char v79; // [rsp+2B10h] [rbp-1430h]
char v80; // [rsp+2B11h] [rbp-142Fh]
char v81; // [rsp+2B12h] [rbp-142Eh]
char v82; // [rsp+2B13h] [rbp-142Dh]
char v83; // [rsp+2B14h] [rbp-142Ch]
char v84; // [rsp+2B15h] [rbp-142Bh]
char v85; // [rsp+2B16h] [rbp-142Ah]
char v86; // [rsp+2B17h] [rbp-1429h]
char v87; // [rsp+2B18h] [rbp-1428h]
char v88; // [rsp+2B19h] [rbp-1427h]
char v89; // [rsp+2B1Bh] [rbp-1425h]
CHAR v90[4]; // [rsp+2B20h] [rbp-1420h]
int ii; // [rsp+2B40h] [rbp-1400h]
int loopVal; // [rsp+2B44h] [rbp-13FCh]
HMODULE hKERNEL32; // [rsp+2B48h] [rbp-13F8h]
HMODULE v94; // [rsp+2B50h] [rbp-13F0h]
PVOID k; // [rsp+2B58h] [rbp-13E8h]
char *v96; // [rsp+2B60h] [rbp-13E0h]
char *v97; // [rsp+2B68h] [rbp-13D8h]
void (__fastcall *Sleep)(DWORD); // [rsp+2B70h] [rbp-13D0h]
NTSTATUS (__stdcall *NtQueryVirtualMemory)(HANDLE, PVOID, int, PVOID, SIZE_T, PSIZE_T); // [rsp+2B78h] [rbp-13C8h]
NTSTATUS (__stdcall *NtReadVirtualMemory)(HANDLE, PVOID, PVOID, ULONG, PULONG); // [rsp+2B80h] [rbp-13C0h]
int _ThreadPriority; // [rsp+2B88h] [rbp-13B8h]
unsigned __int64 v102; // [rsp+2B90h] [rbp-13B0h]
unsigned __int64 v103; // [rsp+2B98h] [rbp-13A8h]
int timestampXorKey2; // [rsp+2BA0h] [rbp-13A0h]
HMODULE hModule; // [rsp+2BA8h] [rbp-1398h]
PVOID BaseAddress; // [rsp+2BB0h] [rbp-1390h]
__int64 v107; // [rsp+2BB8h] [rbp-1388h]
__int64 NtReadVirtualMemoryDeref; // [rsp+2BC0h] [rbp-1380h]
struct_v113 *v110; // [rsp+2BD0h] [rbp-1370h]
void (__stdcall *SetThreadPriority)(HANDLE, int); // [rsp+2BD8h] [rbp-1368h]
unsigned __int64 v112; // [rsp+2BE0h] [rbp-1360h]
unsigned __int64 v113; // [rsp+2BE8h] [rbp-1358h]
int (__stdcall *GetThreadPriority)(HANDLE); // [rsp+2BF0h] [rbp-1350h]
__int64 cpuidStart; // [rsp+2BF8h] [rbp-1348h]
__int64 v116; // [rsp+2C00h] [rbp-1340h]
unsigned __int64 v117; // [rsp+2C08h] [rbp-1338h]
unsigned __int64 v118; // [rsp+2C10h] [rbp-1330h]
__int64 v119; // [rsp+2C18h] [rbp-1328h]
NTSTATUS flOldProtect; // [rsp+2C20h] [rbp-1320h]
NTSTATUS v121; // [rsp+2C24h] [rbp-131Ch]
PVOID (__fastcall *AddVectoredExceptionHandler)(unsigned int, void *); // [rsp+2C28h] [rbp-1318h]
FARPROC v123; // [rsp+2C30h] [rbp-1310h]
MEMORY_BASIC_INFORMATION MemoryInformation; // [rsp+2C38h] [rbp-1308h]
ULONG_PTR ReturnLength; // [rsp+2C68h] [rbp-12D8h]
__int64 encryptedCPUID[12]; // [rsp+2C78h] [rbp-12C8h]
__int64 encryptedRDTSC[11]; // [rsp+2CD8h] [rbp-1268h]
char PACKET[512]; // [rsp+2D38h] [rbp-1208h]
char v129[4096]; // [rsp+2F38h] [rbp-1008h]
char *retaddr; // [rsp+3F40h] [rbp+0h]
void (__stdcall *SendPacket)(void *, void *, void *); // [rsp+3F50h] [rbp+10h]
SendPacket = (void (__stdcall *)(void *, void *, void *))SendPacket_1;
// Both alloca results (v2, v29) are never used — residue of the frame/stack
// probe setup, not real allocations the logic depends on.
v2 = alloca(0x1530i64);
v29 = alloca(0x1530i64);
// Publish PACKET so VEHandler_0 can drop its register snapshot into it.
qword_4010 = (__int64)PACKET;
for ( i = 0; (unsigned __int64)i < 0x200; ++i )
PACKET[i] = 0;
// Fixed header: byte 1 looks like a message id, the callback pointer sits at
// +0x3A, and +66/+67 are flag bytes.
PACKET[0] = 0;
PACKET[1] = 0x39;
*(_QWORD *)&PACKET[0x3A] = SendPacket_1;
PACKET[66] = 1;
// Peeks 4 bytes at callback+5 (0xCC is the int3 opcode, typically padding);
// the outcome only changes flag +67 and whether qword_4008 holds the ntdll
// base plain or XOR-masked with the address of PACKET.
if ( *(_DWORD *)((char *)SendPacket_1 + 5) == 0xCCCCCCCC )
{
PACKET[67] = 1;
strcpy(&ModuleName, "ntdll.dll");
hModule = GetModuleHandleA(&ModuleName);
qword_4008 = (__int64)hModule;
}
else
{
strcpy(&ModuleName, "ntdll.dll");
hModule = GetModuleHandleA(&ModuleName);
qword_4008 = qword_4010 ^ (unsigned __int64)hModule;
}
// API names are built on the stack (strcpy / byte-by-byte) rather than kept as
// string literals, presumably to keep them out of the import table and out of
// a naive strings dump.
strcpy(&ProcName, "NtQueryVirtualMemory");
NtQueryVirtualMemory = (NTSTATUS (__stdcall *)(HANDLE, PVOID, int, PVOID, SIZE_T, PSIZE_T))GetProcAddress(
hModule,
&ProcName);
strcpy(&v235, "NtReadVirtualMemory");
NtReadVirtualMemory = (NTSTATUS (__stdcall *)(HANDLE, PVOID, PVOID, ULONG, PULONG))GetProcAddress(hModule, &v235);
strcpy(&v159, "KERNEL32.dll");
hKERNEL32 = GetModuleHandleA(&v159);
// "AddVectoredExceptionHandler" spelled out one byte at a time (v63..v89 are
// consecutive stack bytes; the NUL terminator lands at v89).
v63 = 'A';
v64 = 'd';
v65 = 'd';
v66 = 'V';
v67 = 'e';
v68 = 'c';
v69 = 't';
v70 = 'o';
v71 = 'r';
v72 = 'e';
v73 = 'd';
v74 = 'E';
v75 = 'x';
v76 = 'c';
v77 = 'e';
v78 = 'p';
v79 = 't';
v80 = 'i';
v81 = 'o';
v82 = 'n';
v83 = 'H';
v84 = 'a';
v85 = 'n';
v86 = 'd';
v87 = 'l';
v88 = 'e';
v89 = 0;
AddVectoredExceptionHandler = (PVOID (__fastcall *)(unsigned int, void *))GetProcAddress(hKERNEL32, &v63);
// Install the handler first in the chain (1 == call before other handlers);
// the scans below dereference pointers that may fault, and VEHandler_0 is
// what keeps such faults from being fatal.
v9 = AddVectoredExceptionHandler(1u, VEHandler);
if ( v9 )
{
// v51 is a DWORD read from the caller's code, 0x149 bytes past the return
// address. a1 must equal ~(v51 ^ 0x19F3C225) for the privileged paths below,
// which ties the argument to the caller's bytes — apparently a check that the
// routine was reached from the expected, unmodified call site.
v51 = *(_DWORD *)(retaddr + 0x149);
v41 = 0;
v45 = 0;
// Walk the whole address space of the current process ((HANDLE)-1 is the
// current-process pseudo handle) region by region until the query fails.
for ( BaseAddress = 0i64; ; BaseAddress = (char *)MemoryInformation.BaseAddress + MemoryInformation.RegionSize )
{
v4 = NtQueryVirtualMemory((HANDLE)-1i64, BaseAddress, 0, &MemoryInformation, 0x30ui64, &ReturnLength);
if ( v4 < 0 )
break;
// One-shot (v41) stack walk, only when a1 passed the caller check: looks at
// up to 1024 qword slots relative to &v45 and records the first 5 readable
// ones (slot index, the pointer, and the two qwords it points at) in the
// 52-byte entries at PACKET+156.
// NOTE(review): the `(unsigned int)-j` index and the `> 0xFFFF000000000000`
// filter look like sign/width artefacts of decompilation; neither the walk
// direction nor the address filter can be trusted from this listing. The
// duplicated `v45 < 5 && v45 < 5` is likewise residue.
if ( !v41 && a1 == ~(v51 ^ 0x19F3C225) )
{
v94 = (HMODULE)&v45;
for ( j = 0; j < 1024; ++j )
{
if ( *((_QWORD *)v94 + (unsigned int)-j) > 0xFFFF000000000000ui64
&& !IsBadReadPtr(*((const void **)v94 + (unsigned int)-j), 1ui64)
&& v45 < 5
&& v45 < 5 )
{
v96 = &PACKET[52 * v45 + 156];
*(_DWORD *)v96 = j;
*(_QWORD *)(v96 + 28) = *((_QWORD *)v94 + (unsigned int)-j);
*(_QWORD *)(v96 + 36) = **((_QWORD **)v94 + (unsigned int)-j);
*(_QWORD *)(v96 + 44) = *(_QWORD *)(*((_QWORD *)v94 + (unsigned int)-j) + 8i64);
++v45;
}
}
v41 = 1;
}
// MEM_COMMIT (0x1000) with PAGE_EXECUTE / PAGE_EXECUTE_READ /
// PAGE_EXECUTE_READWRITE (16 / 32 / 64): executable committed regions only.
if ( MemoryInformation.State == 4096
&& (MemoryInformation.Protect == 16 || MemoryInformation.Protect == 32 || MemoryInformation.Protect == 64) )
{
// Read each 4 KiB page of the region into v129 through NtReadVirtualMemory.
// NOTE(review): the status in v121 is never checked, so on a failed read v129
// still holds the previous page's bytes and is scanned again.
for ( k = BaseAddress; ; k = (char *)k + 4096 )
{
if ( k == (char *)MemoryInformation.BaseAddress + MemoryInformation.RegionSize )
break;
v121 = NtReadVirtualMemory((HANDLE)-1i64, k, v129, 0x1000u, 0i64);
// MEM_PRIVATE (0x20000) only. The nested comparisons below all collapse to
// "RegionSize == 4096 and a1 passed the caller check" — flattened control
// flow, not distinct cases.
if ( MemoryInformation.Type == 0x20000 )
{
if ( MemoryInformation.RegionSize > 0x1000 )
{
if ( (signed __int64)MemoryInformation.RegionSize <= 4096 )
{
if ( MemoryInformation.RegionSize != 4096 || a1 != ~(v51 ^ 0x19F3C225) )
continue;
v43 = 0;
}
else
{
if ( MemoryInformation.RegionSize != 4096 || a1 != ~(v51 ^ 0x19F3C225) )
continue;
v43 = 0;
}
}
else
{
if ( MemoryInformation.RegionSize != 4096 )
continue;
v14 = ~(v51 ^ 0x19F3C225);
if ( a1 < v14 )
{
if ( a1 != v14 )
continue;
v43 = 0;
}
else
{
if ( a1 != v14 )
continue;
v43 = 0;
}
}
// Scan the page for the little-endian DWORD 0x50C03148 followed by the WORD
// 0x0481, with 0xC3 (ret) 19 bytes in. Hits are stored like the stack-walk
// entries: page offset, address of +6, and the 16 bytes that follow +6.
// NOTE(review): v6 and v24 are undefined (decompiler note at end of file),
// and the v45 == 5 / v45 > 5 arms are dead because v45 never exceeds 5 —
// every arm that can run is the v45 < 5 one and they all store the same
// four fields.
while ( (unsigned __int64)v43 < 4077 )
{
if ( *(_DWORD *)&v129[v43] == 0x50C03148 && *(_WORD *)&v129[v43 + 4] == 0x481 )
{
if ( __OFSUB__(v24, 0x9089u) )
{
if ( (unsigned __int8)v129[v43 + 19] == 0xC3 )
{
if ( v45 == 5 )
{
if ( v45 < 5 )
{
v97 = &PACKET[52 * v45 + 156];
*(_DWORD *)v97 = v43;
*(_QWORD *)(v97 + 28) = (char *)k + v43 + 6;
*(_QWORD *)(v97 + 36) = *(_QWORD *)&v129[v43 + 6];
*(_QWORD *)(v97 + 44) = *(_QWORD *)&v129[v43 + 14];
++v45;
}
}
else if ( v45 < 5 )
{
v97 = &PACKET[52 * v45 + 156];
*(_DWORD *)&PACKET[52 * v45 + 156] = v43;
v3 = (char *)k + v43 + 6;
if ( v6 == 1 )
{
*(_QWORD *)(v97 + 28) = v3;
*(_QWORD *)(v97 + 36) = *(_QWORD *)&v129[v43 + 6];
*(_QWORD *)(v97 + 44) = *(_QWORD *)&v129[v43 + 14];
++v45;
}
else
{
*(_QWORD *)(v97 + 28) = v3;
*(_QWORD *)(v97 + 36) = *(_QWORD *)&v129[v43 + 6];
*(_QWORD *)(v97 + 44) = *(_QWORD *)&v129[v43 + 14];
++v45;
}
}
}
}
else if ( (unsigned __int8)v129[v43 + 19] == 0xC3 )
{
if ( v45 > 5 )
{
if ( v45 < 5 )
{
v97 = &PACKET[52 * v45 + 0x9C];
*(_DWORD *)&PACKET[52 * v45 + 156] = v43;
*(_QWORD *)(v97 + 0x1C) = (char *)k + v43 + 6;
*(_QWORD *)(v97 + 36) = *(_QWORD *)&v129[v43 + 6];
*(_QWORD *)(v97 + 44) = *(_QWORD *)&v129[v43 + 14];
++v45;
}
}
else if ( v45 < 5 )
{
v97 = &PACKET[52 * v45 + 156];
*(_DWORD *)&PACKET[52 * v45 + 156] = v43;
*(_QWORD *)(v97 + 28) = (char *)k + v43 + 6;
*(_QWORD *)(v97 + 36) = *(_QWORD *)&v129[v43 + 6];
*(_QWORD *)(v97 + 44) = *(_QWORD *)&v129[v43 + 14];
++v45;
}
}
}
++v43;
}
}
}
}
}
// Unhook the VEH before the remaining work.
strcpy(v90, "RemoveVectoredExceptionHandler");
v123 = GetProcAddress(hKERNEL32, v90);
((void (__fastcall *)(PVOID))v123)(v9);
// a1 failed the caller check: skip the timing/self-patch section and go
// straight to packet scrambling and delivery. The same block is re-entered
// via LABEL_161 after the timing section below.
if ( a1 != ~(v51 ^ 0x19F3C225) )
{
LABEL_161:
// Snapshot the first 8 bytes of the ntdll NtReadVirtualMemory and
// NtQueryVirtualMemory stubs (the latter goes into the packet at +58) —
// material for spotting inline hooks on those stubs.
NtReadVirtualMemoryDeref = *(_QWORD *)NtReadVirtualMemory;
v113 = *(_QWORD *)NtQueryVirtualMemory;
*(_QWORD *)&PACKET[58] = v113;
// Second keyed check on a1 (~(v51 ^ 0x3C973E1F)). On success the low 32 bits
// of SharedUserData.SystemTime are stored at PACKET+508 and, together with
// a1, seed the first-pass XOR key v50; otherwise whatever is at +508 (zero
// from the initial clear) seeds it.
v5 = v51 ^ 0x3C973E1F;
if ( (v51 ^ 0x3C973E1F) < 0 )
{
v8 = ~v5;
if ( a1 == v8 )
{
*(_DWORD *)&PACKET[508] = SharedUserData_SystemTime.LowPart;
v50 = SharedUserData_SystemTime.LowPart ^ a1 ^ 0x378E5979;
l = 2;
goto LABEL_37;
}
}
else
{
v19 = ~v5;
if ( a1 == v19 )
*(_DWORD *)&PACKET[508] = SharedUserData_SystemTime.LowPart;
}
v50 = *(_DWORD *)&PACKET[508] ^ a1 ^ 0x378E5979;
LABEL_37:
// First scramble pass over PACKET[2..505): each step XORs the DWORD at
// PACKET+l with v50, and v50 becomes v50 * ~v50 when bit (l % 32) of v50 is
// set; the step size l advances by is derived from a byte of v50.
// NOTE(review): the goto maze, inline rcl/rcr and the undefined v23/v24/_ECX
// mean the exact stride and key schedule cannot be read from this listing —
// recover it from the disassembly before trying to reproduce the transform.
for ( l = 2; l < 505; ++l )
{
*(_DWORD *)&PACKET[l] ^= v50;
if ( (v50 >> (l % 32)) & 1 )
v50 *= ~v50;
LABEL_50:
v25 = (*((_BYTE *)&v50 + l % 4) & 3) + 4;
_ECX = 512 - v25;
_EAX = v25 & ~(1 << v23);
LOWORD(_EAX) = __ROL2__(_EAX, 2);
__asm { rcl eax, cl }
v35 = l == _ECX;
if ( l < _ECX )
{
LOWORD(_ECX) = __ROR2__(_ECX + 1, _ECX + 1);
__asm { rcr ecx, 9 }
v34 = l % -4;
goto LABEL_40;
}
LABEL_186:
while ( !v35 )
{
v22 = ++l;
if ( v22 >= 505 )
goto LABEL_168;
_DH = 0x75;
__asm { rcl dh, 2 }
*(_DWORD *)&PACKET[v22] ^= v50;
v12 = (v50 >> (v22 % 32)) & 1;
if ( !v12 )
goto LABEL_50;
v50 *= ~v50;
_ECX = 512 - ((*((_BYTE *)&v50 + l % -4) & 3) + 4);
v35 = l == _ECX;
if ( l < _ECX )
{
v34 = l % -4;
LABEL_40:
v7 = *((_BYTE *)&v50 + v34) & 3;
v35 = v7 + l == 0;
LOBYTE(_ECX) = v7 + l;
l += v7;
goto LABEL_186;
}
}
}
LABEL_168:
// Second pass: byte-wise XOR of PACKET[2..512) with a running 8-bit key
// seeded from a1 (dwXorKeyPass2), then deliver the 512-byte packet.
// At m == 0x44 the 8 stub bytes of NtQueryVirtualMemory are written into the
// packet first: roughly, when the NtReadVirtualMemory stub still looks like
// the canonical x64 `4C 8B D1 B8 imm32` sequence (byte 3 == 0xB8, bytes 5..7
// zero) they are fetched through the raw syscall stub, otherwise the
// directly-read copy v113 is used. The `m < 0x44` arm always jumps to
// LABEL_104 (its inner `m != 0x44` test is always true), so it is plain
// scrambling. NOTE(review): MemoryInformationLength is passed uninitialised
// on one of the syscall paths (decompiler note at end of file).
dwXorKeyPass2 = a1;
for ( m = 2; ; ++m )
{
if ( (unsigned __int64)(int)m >= 0x200 )
{
SendPacket(PACKET, (void *)0x200, 0i64);
return;
}
if ( m < 0x44 )
{
if ( m != 0x44 )
goto LABEL_104;
if ( a1 != ~(v51 ^ 0x19F3C225)
|| BYTE3(NtReadVirtualMemoryDeref) != 0xB8
|| *(_WORD *)((char *)&NtReadVirtualMemoryDeref + 5)
|| HIBYTE(NtReadVirtualMemoryDeref) )
{
goto LABEL_135;
}
v112 = 0i64;
syscall_NtQueryVirtualMemory((HANDLE)-1i64, NtQueryVirtualMemory, &v112, 8ui64, 0i64);
LOBYTE(_ECX) = v112;
*(_QWORD *)&PACKET[m] = v112;
}
else if ( m == 0x44 )
{
v36 = ~(v51 ^ 0x19F3C225);
if ( __SETP__(a1, v36) )
{
if ( !*(_WORD *)((char *)&NtReadVirtualMemoryDeref + 5) && !(_BYTE)NtReadVirtualMemoryDeref )
{
v112 = 0i64;
syscall_NtQueryVirtualMemory((HANDLE)-1i64, NtQueryVirtualMemory, &v112, 8ui64, 0i64);
LOBYTE(_ECX) = v112;
*(_QWORD *)&PACKET[m] = v112;
goto LABEL_104;
}
LABEL_135:
LOBYTE(_ECX) = v113;
*(_QWORD *)&PACKET[m] = v113;
goto LABEL_104;
}
if ( a1 != v36 || BYTE3(NtReadVirtualMemoryDeref) != 0xB8 || *(_WORD *)((char *)&NtReadVirtualMemoryDeref + 5) )
goto LABEL_135;
if ( SHIBYTE(NtReadVirtualMemoryDeref) < 0xB4 )
{
v112 = 0i64;
syscall_NtQueryVirtualMemory((HANDLE)-1i64, NtQueryVirtualMemory, &v112, 8ui64, 0i64);
LOBYTE(_ECX) = v112;
*(_QWORD *)&PACKET[m] = v112;
goto LABEL_104;
}
if ( HIBYTE(NtReadVirtualMemoryDeref) )
goto LABEL_135;
v112 = 0i64;
syscall_NtQueryVirtualMemory((HANDLE)-1i64, NtQueryVirtualMemory, &v112, 8ui64, MemoryInformationLength);
LOBYTE(_ECX) = v112;
*(_QWORD *)&PACKET[m] = v112;
}
LABEL_104:
// Running-key byte XOR; the shift amount depends on _ECX, which the
// decompiler flags as possibly undefined, so the key update is approximate.
timestampXorKey2 = dwXorKeyPass2;
v37 = (int)dwXorKeyPass2 >> ((((_ECX & 7) + m) & 7) - (_ECX & 7));
v38 = dwXorKeyPass2;
dwXorKeyPass2 += v37;
LOBYTE(v37) = (v37 + v38) ^ PACKET[m];
LOBYTE(_ECX) = m;
PACKET[m] = v37;
}
}
// a1 passed the caller check: timing section. Raise this thread
// ((HANDLE)-2 is the current-thread pseudo handle) to priority 15
// (THREAD_PRIORITY_TIME_CRITICAL) so the loops below are not preempted;
// the old priority is restored at LABEL_202.
strcpy(&v59, "GetThreadPriority");
GetThreadPriority = (int (__stdcall *)(HANDLE))GetProcAddress(hKERNEL32, &v59);
_ThreadPriority = GetThreadPriority((HANDLE)-2i64);
strcpy(&v60, "SetThreadPriority");
SetThreadPriority = (void (__stdcall *)(HANDLE, int))GetProcAddress(hKERNEL32, &v60);
((void (__fastcall *)(__int64, __int64))SetThreadPriority)(-2i64, 15i64);
strcpy(&v151, "Sleep");
Sleep = (void (__fastcall *)(DWORD))GetProcAddress(hKERNEL32, &v151);
Sleep(100i64);
// PACKET[464] (== 0x1D0) is pre-set to 1 and overwritten by the 8-byte CPUID
// result at +0x1D0 only if the timing section completes, so a surviving 1
// presumably marks "timing skipped" (VirtualProtect failure path).
PACKET[464] = 1;
// Index 15 of the DWORD view of the image is offset 0x3C (e_lfanew); +24 is
// the start of the optional header, so DllSize is a field of the optional
// header — presumably SizeOfImage, but struct_v113 is not shown here.
v110 = (struct_v113 *)((char *)DllStartAddress + *((int *)DllStartAddress + 15) + 24);
// Make the whole image PAGE_EXECUTE_READWRITE (0x40) so marker bytes can be
// patched in place. NOTE(review): the previous protection is never restored,
// and flOldProtect is mis-typed as NTSTATUS (decompiler choice; harmless).
v10 = VirtualProtect(DllStartAddress, v110->DllSize, 0x40u, (PDWORD)&flOldProtect);
if ( v10 <= 0 )
{
// VirtualProtect failed: restore priority and skip the timing section.
// The remaining two arms are identical (decompiler split).
if ( !v10 )
{
LABEL_202:
SetThreadPriority((HANDLE)-2i64, _ThreadPriority);
goto LABEL_161;
}
iNumEncCPUID = 0;
iNumEncRDTSC = 0;
v46 = 4096;
}
else
{
iNumEncCPUID = 0;
iNumEncRDTSC = 0;
v46 = 4096;
}
// The CPUID and RDTSC instructions are not stored in the image as opcodes:
// they are kept as the marker byte pairs 12 34 and 56 78 and replaced by
// 0F A2 (cpuid) / 0F 31 (rdtsc) here, then put back after the timing loop.
// Scan starts at offset 4096, i.e. past the headers.
// NOTE(review): the RDTSC arm records DllStartAddress without `+ v46` and has
// no bound on iNumEncRDTSC (encryptedRDTSC has 11 slots; the CPUID arm checks
// `< 0xC`), so as written it patches the image header and can overrun the
// array. Probably a decompilation slip — verify against the disassembly.
while ( v46 + 2 <= v110->DllSize )
{
if ( *((_BYTE *)DllStartAddress + v46) != 0x12 || *((_BYTE *)DllStartAddress + v46 + 1) != 0x34 )
{
if ( *((_BYTE *)DllStartAddress + v46) == 0x56 && *((_BYTE *)DllStartAddress + v46 + 1) == 0x78 )
{
encryptedRDTSC[iNumEncRDTSC] = (__int64)DllStartAddress;
*(_BYTE *)encryptedRDTSC[iNumEncRDTSC] = 0xF;
*(_BYTE *)(encryptedRDTSC[iNumEncRDTSC++] + 1) = 0x31;
}
}
else if ( iNumEncCPUID < 0xCui64 )
{
encryptedCPUID[iNumEncCPUID] = (__int64)DllStartAddress + v46;
*(_BYTE *)encryptedCPUID[iNumEncCPUID] = 0xF;
*(_BYTE *)(encryptedCPUID[iNumEncCPUID++] + 1) = 0xA2u;
}
++v46;
}
// Three timing rounds. Per round:
//  (a) ~26260 CPUID executions (leaf = loop counter) timed with
//      SharedUserData.SystemTime (KSYSTEM_TIME, nominally 100 ns units),
//      delta stored at PACKET+416+16n;
//  (b) TSC ticks over a Sleep(1000) (v119, ~1 s) as calibration, then the
//      summed TSC cost of 26260 CPUID(0) executions (v107), stored at
//      PACKET+0x1A8+16n scaled by 10^7 / v119 / 101.
// CPUID traps to the hypervisor on virtualised hosts, so an inflated
// per-CPUID cost relative to wall-clock/TSC is a common VM-presence
// heuristic; the data is only reported here, the decision is left to the
// receiver of the packet.
for ( n = 0; n < 3; ++n )
{
v102 = 0i64;
v103 = 0i64;
cpuidStart = *(_QWORD *)&SharedUserData_SystemTime.LowPart;
loopVal = 0;
if ( loopVal < 26260 )
{
LODWORD(v102) = _byteswap_ulong(0);
LODWORD(v103) = 0;
while ( 1 )
{
_RAX = (unsigned int)++loopVal;
if ( loopVal >= 26260 )
break;
__asm { cpuid }
}
}
v116 = *(_QWORD *)&SharedUserData_SystemTime.LowPart;
*(_QWORD *)&PACKET[16 * n + 416] = *(_QWORD *)&SharedUserData_SystemTime.LowPart - cpuidStart;
Sleep(10i64);
v117 = __rdtsc();
Sleep(1000i64);
v119 = __rdtsc() - v117;
v107 = 0i64;
for ( ii = 0; ii < 26260; ++ii )
{
v118 = __rdtsc();
_RAX = 0i64;
__asm { cpuid }
v102 = __PAIR64__(_RBX, _RAX);
v103 = __PAIR64__(_RDX, _RCX);
v107 += __rdtsc() - v118;
}
*(_QWORD *)&PACKET[0x10 * n + 0x1A8] = 10000000 * v107 / v119 / 101;
Sleep(10i64);
}
// Put the marker bytes back so the image no longer contains the raw opcodes.
for ( jj = 0; jj < iNumEncCPUID; ++jj )
{
*(_BYTE *)encryptedCPUID[jj] = 0x12;
*(_BYTE *)(encryptedCPUID[jj] + 1) = 0x34;
}
for ( kk = 0; kk < iNumEncRDTSC; ++kk )
{
*(_BYTE *)encryptedRDTSC[kk] = 0x56;
*(_BYTE *)(encryptedRDTSC[kk] + 1) = 0x78;
}
// Last CPUID(0) output (EBX:EAX and EDX:ECX pairs — nominally max basic leaf
// plus the vendor string) appended at +0x1D0 / +0x1D8, overwriting the flag
// byte set at PACKET[464].
*(_QWORD *)&PACKET[0x1D0] = v102;
*(_QWORD *)&PACKET[0x1D8] = v103;
// Restore thread priority, then fall into the scramble-and-send block.
goto LABEL_202;
}
}
// 15C6: variable 'v6' is possibly undefined
// CEF1: variable 'v23' is possibly undefined
// A605: variable '_ECX' is possibly undefined
// B77A: variable 'MemoryInformationLength' is possibly undefined
// ECE7: variable 'v24' is possibly undefined
// 4008: using guessed type __int64 qword_4008;
// 4010: using guessed type __int64 qword_4010;
// CE74: using guessed type char var_2740[4632];
// CE74: using guessed type __int64 encryptedRDTSC[11];
// ALL OK, 5 function(s) have been successfully decompiled