/* This file was generated by the Hex-Rays decompiler.
Copyright (c) 2007-2018 Hex-Rays <info@hex-rays.com>
Detected compiler: Visual C++
*/
#include <windows.h> | |
#include <defs.h> | |
//-------------------------------------------------------------------------
// Function declarations
// DLL entry: records the image base in DllStartAddress on process attach.
BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved);
// Raw `syscall` stub. Despite the name its five-argument shape is that of
// NtReadVirtualMemory; Run_0 uses it to read 8 bytes of the NtQueryVirtualMemory
// export without going through ntdll.
void __stdcall syscall_NtQueryVirtualMemory(HANDLE, void *, void *, unsigned __int64, unsigned __int64);
// Guarded 32-byte copy; access violations raised inside it are swallowed by
// VEHandler_0, which resumes at sub_10A8+109.
char __fastcall sub_10A8(_QWORD **a1, _QWORD *a2);
// Handler passed to AddVectoredExceptionHandler in Run_0. Its body is not in
// this listing; VEHandler_0 below is presumably the code it reaches — confirm.
LONG __fastcall VEHandler(_EXCEPTION_POINTERS *);
// void __usercall Run(__int64 a1@<rdx>, int a2@<ecx>, __int64 a3@<rbx>, __int16 a4@<bp>, _DWORD *a5@<rdi>, __int64 a6@<rsi>, __int64 a7@<r8>, __int64 a8@<r9>);
// FARPROC __stdcall GetProcAddress(HMODULE hModule, LPCSTR lpProcName);
// BOOL __stdcall IsBadReadPtr(const void *lp, UINT_PTR ucb);
// BOOL __stdcall VirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);
// HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName);
// Vectored handler body: snapshots registers into the report buffer and hides
// access violations that occur inside sub_10A8.
LONG __fastcall VEHandler_0(_EXCEPTION_POINTERS *);
// Main routine: builds a 512-byte report about the process and hands it to the
// SendPacket_1 callback.
void __fastcall Run_0(int a1, void *SendPacket_1);
//-------------------------------------------------------------------------
// Data declarations
HMODULE DllStartAddress; // idb — this image's base, set in DllEntryPoint on process attach; Run_0 walks and patches the image from here
__int64 qword_4008; // weak — ntdll base as resolved in Run_0, stored plain or XORed with qword_4010 depending on the callback check
__int64 qword_4010; // weak — address of Run_0's 512-byte PACKET; VEHandler_0 writes its register snapshot into it at +2..+0x3A
KSYSTEM_TIME SharedUserData_SystemTime; // SystemTime field of the shared user data page, read directly as a clock (100 ns units) instead of via an API call
//----- (0000000000001000) ----------------------------------------------------
BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
  // Remember the image base on process attach (fdwReason 1 == DLL_PROCESS_ATTACH);
  // Run_0 later reads the PE headers and patches code relative to this address.
  // Every other reason is ignored. Always reports success; lpReserved is unused.
  if ( fdwReason != 1 )
    return 1;
  DllStartAddress = hinstDLL;
  return 1;
}
//----- (0000000000001071) ----------------------------------------------------
/*
 * syscall_NtQueryVirtualMemory — raw `syscall` stub. The decompiler shows only
 * the instruction itself; the system-service number must be loaded by code that
 * is not visible in this listing.
 *
 * Despite the name, the five-argument shape matches
 * NtReadVirtualMemory(ProcessHandle, BaseAddress, Buffer, Size, BytesRead), and
 * every call site in Run_0 uses it that way: (HANDLE)-1 (current process), the
 * address of ntdll's NtQueryVirtualMemory export, an 8-byte local, 8, and a
 * bytes-read pointer (0 or, in one arm, an uninitialised local). Because the
 * transition happens here rather than in ntdll, a user-mode hook on the export
 * is not involved; Run_0 stores these bytes next to a plainly dereferenced copy
 * so the two can be compared.
 *
 * a1 process handle, a2 source address, a3 destination buffer, a4 byte count,
 * a5 optional bytes-read out pointer. No status is surfaced to the caller.
 */
void __stdcall syscall_NtQueryVirtualMemory(HANDLE a1, void *a2, void *a3, unsigned __int64 a4, unsigned __int64 a5)
{
  __asm { syscall; Low latency system call }
}
//----- (00000000000010A8) ----------------------------------------------------
char __fastcall sub_10A8(_QWORD **a1, _QWORD *a2)
{
  // Copy four qwords (32 bytes) from the block *a1 points at into a2.
  // The sentinel 0x11111111 (286331153) is rejected without touching memory;
  // any other value is dereferenced unchecked, so an unreadable pointer faults
  // here. VEHandler_0 redirects access violations raised inside this function
  // to sub_10A8+109 (presumably its return path — confirm), which turns the
  // copy into a "probe and copy if readable" primitive.
  // Returns 1 after copying, 0 for the sentinel.
  if ( a1 == (_QWORD **)286331153 )
    return 0;
  _QWORD *src = *a1;
  for ( int idx = 0; idx < 4; ++idx )
    a2[idx] = src[idx];
  return 1;
}
//----- (000000000000C54D) ----------------------------------------------------
/*
 * VEHandler_0 — vectored exception handler body (Run_0 registers the VEHandler
 * thunk as the first handler in the chain). Two jobs are visible:
 *
 *  1. On first entry (the slot at qword_4010+0x32 is still zero) it stores the
 *     faulting context's Rsp, Rbp, Rcx and the debug registers Dr0-Dr3, each
 *     XORed with a fixed 64-bit constant, at unaligned 8-byte slots +2 .. +0x32
 *     of the buffer qword_4010 points at. Run_0 points qword_4010 at its
 *     PACKET, so PACKET[2..58) carries this snapshot. Dr0-Dr3 are the
 *     hardware-breakpoint address registers, i.e. this records debugger
 *     breakpoint state at the moment of the fault.
 *
 *  2. For STATUS_ACCESS_VIOLATION (0xC0000005 == -1073741819) whose faulting
 *     address is associated with sub_10A8 it moves Rip to sub_10A8+109 and
 *     returns -1 (EXCEPTION_CONTINUE_EXECUTION), silently skipping the rest
 *     of that function. Every other case returns 0
 *     (EXCEPTION_CONTINUE_SEARCH).
 *
 * Decompilation caveats: after the `!= -1073741819` test the code is exactly
 * -1073741819, so the `<=` arm is always taken and everything after it is dead
 * in this listing. `a1[1].ExceptionRecord` indexes 16 bytes past the
 * _EXCEPTION_POINTERS argument — an artifact; the real operand (and the real
 * range test, which the dead arms spell out as
 * sub_10A8 <= ExceptionAddress < sub_10A8+109) should be taken from the
 * disassembly.
 */
LONG __fastcall VEHandler_0(_EXCEPTION_POINTERS *a1)
{
  PEXCEPTION_RECORD v1; // rax
  char *v2; // rcx
  _EXCEPTION_POINTERS *v4; // [rsp+8h] [rbp+8h]
  v4 = a1;
  // First entry only: the last slot doubles as the "already captured" marker.
  if ( !*(_QWORD *)(qword_4010 + 0x32) )
  {
    *(_QWORD *)(qword_4010 + 2) = a1->ContextRecord->Rsp ^ 0x7EE229A13742DF11i64;
    *(_QWORD *)(qword_4010 + 0xA) = a1->ContextRecord->Rbp ^ 0xB91AC48045914672ui64;
    *(_QWORD *)(qword_4010 + 0x12) = a1->ContextRecord->Rcx ^ 0x34FAAEEEC2985C4Ai64;
    *(_QWORD *)(qword_4010 + 0x1A) = a1->ContextRecord->Dr0 ^ 0x6355C31C003762CAi64;
    *(_QWORD *)(qword_4010 + 0x22) = a1->ContextRecord->Dr1 ^ 0x4CE400421C869F50i64;
    *(_QWORD *)(qword_4010 + 0x2A) = a1->ContextRecord->Dr2 ^ 0x699C87784390D3EAi64;
    *(_QWORD *)(qword_4010 + 0x32) = a1->ContextRecord->Dr3 ^ 0x3F7114D09BA16F88i64;
  }
  // Only access violations are handled; anything else continues the search.
  if ( a1->ExceptionRecord->ExceptionCode != -1073741819 )
    return 0;
  // Always true here (ExceptionCode == -1073741819), so this is the live arm.
  if ( (signed int)a1->ExceptionRecord->ExceptionCode <= -1073741819 )
  {
    // As decompiled this compares ExceptionAddress against sub_10A8 alone and
    // reads past the argument struct; see the header comment.
    if ( a1[1].ExceptionRecord < (PEXCEPTION_RECORD)sub_10A8 || a1->ExceptionRecord->ExceptionAddress >= (PVOID)sub_10A8 )
      return 0;
    // Resume at sub_10A8+109 (its tail; presumably the return sequence) and
    // tell the dispatcher to continue execution — the fault is swallowed.
    a1->ContextRecord->Rip = (DWORD64)sub_10A8 + 109;
    return -1;
  }
  // --- Unreachable from here on in this decompilation (see header) ---
  if ( (char *)a1[1].ExceptionRecord - (char *)sub_10A8 >= 0 )
  {
    if ( a1[1].ExceptionRecord < (PEXCEPTION_RECORD)sub_10A8
      || a1->ExceptionRecord->ExceptionAddress >= (char *)sub_10A8 + 109 )
    {
      return 0;
    }
    a1->ContextRecord->Rip = (DWORD64)sub_10A8 + 109;
    return -1;
  }
  if ( a1[1].ExceptionRecord < (PEXCEPTION_RECORD)sub_10A8 )
    return 0;
  v1 = a1->ExceptionRecord;
  v2 = (char *)sub_10A8 + 109;
  if ( (__int64)v4->ExceptionRecord->ExceptionAddress >= (__int64)sub_10A8 + 109 )
  {
    if ( v1->ExceptionAddress >= v2 )
      return 0;
    v4->ContextRecord->Rip = (DWORD64)sub_10A8 + 109;
    return -1;
  }
  if ( v1->ExceptionAddress >= v2 )
    return 0;
  v4->ContextRecord->Rip = (DWORD64)sub_10A8 + 109;
  return -1;
}
// 4010: using guessed type __int64 qword_4010;
//----- (000000000000CE74) ----------------------------------------------------
/*
 * Run_0 — builds a 512-byte report (PACKET) about the current process and
 * hands it to the SendPacket_1 callback as SendPacket(PACKET, 0x200, 0).
 *
 * From the visible code the report carries:
 *  - PACKET[2..58):   register/debug-register snapshot written by VEHandler_0
 *                     (qword_4010 is pointed at PACKET for that purpose);
 *  - PACKET[58..66):  first 8 bytes of ntdll's NtQueryVirtualMemory stub, read
 *                     by plain dereference;
 *  - PACKET[68..76):  the same 8 bytes read through the direct-syscall stub
 *                     syscall_NtQueryVirtualMemory (or a duplicate of the plain
 *                     read) — comparing the two exposes a user-mode hook on the
 *                     export (inference);
 *  - PACKET[156+52*i], i<5: hits from a one-off stack scan and from a
 *                     byte-signature scan of single-page committed, executable,
 *                     MEM_PRIVATE regions (executable memory not backed by an
 *                     image);
 *  - PACKET[416+16*n], PACKET[0x1A8+16*n], n<3: cpuid/rdtsc timing, a common
 *                     hypervisor indicator; PACKET[0x1D0..0x1E0): last
 *                     cpuid(0) result; PACKET[508..512): SystemTime.LowPart.
 * The buffer is then XOR-obfuscated in two passes keyed on a1 and the stored
 * timestamp before the callback is invoked.
 *
 * a1            caller-supplied value compared throughout with
 *               ~(v51 ^ 0x19F3C225), where v51 is a dword fetched from the
 *               caller's code at retaddr+0x149; the expensive scans and the
 *               timing section run only when they match (argument/caller check).
 * SendPacket_1  callback receiving the finished report. If
 *               AddVectoredExceptionHandler fails, nothing is collected and the
 *               callback is never called.
 *
 * Decompiler caveats (see the trailer notes): v6, v23, v24, _ECX and
 * MemoryInformationLength are flagged possibly undefined, and the pass-1 XOR
 * loop (LABEL_37 .. LABEL_168) is interleaved with inline rcl/rcr. The C shown
 * for those regions is not trustworthy; recover the real algorithm from the
 * disassembly. Several `if` chains are opaque predicates whose arms do the
 * same thing.
 */
void __fastcall Run_0(int a1, void *SendPacket_1)
{
  void *v2; // rsp
  char *v3; // rax
  NTSTATUS v4; // eax
  int v5; // eax
  char v6; // dl
  int v7; // eax
  int v8; // eax
  PVOID v9; // rax MAPDST
  int v10; // eax
  unsigned int v12; // eax
  int v14; // eax
  int v19; // eax
  int v22; // eax
  char v23; // di
  __int16 v24; // si
  int v25; // eax
  void *v29; // rsp
  __int64 v34; // rax
  bool v35; // zf
  int v36; // eax
  int v37; // eax
  unsigned __int8 v38; // cl
  unsigned __int64 MemoryInformationLength; // [rsp+2A28h] [rbp-1518h] — never assigned in this listing
  unsigned __int8 dwXorKeyPass2; // [rsp+2A38h] [rbp-1508h] — rolling byte key for pass 2, seeded from a1
  char v41; // [rsp+2A39h] [rbp-1507h] — stack scan already done
  int l; // [rsp+2A3Ch] [rbp-1504h]
  int v43; // [rsp+2A40h] [rbp-1500h] — offset within the page copy v129
  int j; // [rsp+2A44h] [rbp-14FCh]
  unsigned int v45; // [rsp+2A48h] [rbp-14F8h] — number of 52-byte hit records stored (max 5)
  int v46; // [rsp+2A4Ch] [rbp-14F4h] — offset within this image while patching markers
  unsigned int m; // [rsp+2A50h] [rbp-14F0h]
  unsigned int iNumEncCPUID; // [rsp+2A54h] [rbp-14ECh]
  unsigned int iNumEncRDTSC; // [rsp+2A58h] [rbp-14E8h]
  unsigned int v50; // [rsp+2A5Ch] [rbp-14E4h] — pass-1 XOR key
  int v51; // [rsp+2A60h] [rbp-14E0h] — dword read from the caller's code at retaddr+0x149
  int n; // [rsp+2A64h] [rbp-14DCh]
  unsigned int jj; // [rsp+2A68h] [rbp-14D8h]
  unsigned int kk; // [rsp+2A6Ch] [rbp-14D4h]
  int i; // [rsp+2A70h] [rbp-14D0h]
  char v151; // [rsp+2A74h] [rbp-14CCh]
  CHAR ModuleName; // [rsp+2A80h] [rbp-14C0h]
  char v159; // [rsp+2A90h] [rbp-14B0h]
  CHAR v59; // [rsp+2AA0h] [rbp-14A0h]
  CHAR v60; // [rsp+2AB8h] [rbp-1488h]
  char v235; // [rsp+2AD0h] [rbp-1470h]
  char ProcName; // [rsp+2AE8h] [rbp-1458h]
  CHAR v63; // [rsp+2B00h] [rbp-1440h] — start of "AddVectoredExceptionHandler", built byte by byte
  char v64; // [rsp+2B01h] [rbp-143Fh]
  char v65; // [rsp+2B02h] [rbp-143Eh]
  char v66; // [rsp+2B03h] [rbp-143Dh]
  char v67; // [rsp+2B04h] [rbp-143Ch]
  char v68; // [rsp+2B05h] [rbp-143Bh]
  char v69; // [rsp+2B06h] [rbp-143Ah]
  char v70; // [rsp+2B07h] [rbp-1439h]
  char v71; // [rsp+2B08h] [rbp-1438h]
  char v72; // [rsp+2B09h] [rbp-1437h]
  char v73; // [rsp+2B0Ah] [rbp-1436h]
  char v74; // [rsp+2B0Bh] [rbp-1435h]
  char v75; // [rsp+2B0Ch] [rbp-1434h]
  char v76; // [rsp+2B0Dh] [rbp-1433h]
  char v77; // [rsp+2B0Eh] [rbp-1432h]
  char v78; // [rsp+2B0Fh] [rbp-1431h]
  char v79; // [rsp+2B10h] [rbp-1430h]
  char v80; // [rsp+2B11h] [rbp-142Fh]
  char v81; // [rsp+2B12h] [rbp-142Eh]
  char v82; // [rsp+2B13h] [rbp-142Dh]
  char v83; // [rsp+2B14h] [rbp-142Ch]
  char v84; // [rsp+2B15h] [rbp-142Bh]
  char v85; // [rsp+2B16h] [rbp-142Ah]
  char v86; // [rsp+2B17h] [rbp-1429h]
  char v87; // [rsp+2B18h] [rbp-1428h]
  char v88; // [rsp+2B19h] [rbp-1427h]
  char v89; // [rsp+2B1Bh] [rbp-1425h] — NUL; the slot at rbp-1426h (final 'r') is not assigned in this listing
  CHAR v90[4]; // [rsp+2B20h] [rbp-1420h]
  int ii; // [rsp+2B40h] [rbp-1400h]
  int loopVal; // [rsp+2B44h] [rbp-13FCh]
  HMODULE hKERNEL32; // [rsp+2B48h] [rbp-13F8h]
  HMODULE v94; // [rsp+2B50h] [rbp-13F0h] — actually &v45, the stack-scan base
  PVOID k; // [rsp+2B58h] [rbp-13E8h]
  char *v96; // [rsp+2B60h] [rbp-13E0h]
  char *v97; // [rsp+2B68h] [rbp-13D8h]
  void (__fastcall *Sleep)(DWORD); // [rsp+2B70h] [rbp-13D0h]
  NTSTATUS (__stdcall *NtQueryVirtualMemory)(HANDLE, PVOID, int, PVOID, SIZE_T, PSIZE_T); // [rsp+2B78h] [rbp-13C8h]
  NTSTATUS (__stdcall *NtReadVirtualMemory)(HANDLE, PVOID, PVOID, ULONG, PULONG); // [rsp+2B80h] [rbp-13C0h]
  int _ThreadPriority; // [rsp+2B88h] [rbp-13B8h]
  unsigned __int64 v102; // [rsp+2B90h] [rbp-13B0h] — last cpuid EBX:EAX
  unsigned __int64 v103; // [rsp+2B98h] [rbp-13A8h] — last cpuid EDX:ECX
  int timestampXorKey2; // [rsp+2BA0h] [rbp-13A0h]
  HMODULE hModule; // [rsp+2BA8h] [rbp-1398h] — ntdll
  PVOID BaseAddress; // [rsp+2BB0h] [rbp-1390h]
  __int64 v107; // [rsp+2BB8h] [rbp-1388h] — summed rdtsc cost of the cpuid loop
  __int64 NtReadVirtualMemoryDeref; // [rsp+2BC0h] [rbp-1380h] — first 8 bytes of the NtReadVirtualMemory stub
  struct_v113 *v110; // [rsp+2BD0h] [rbp-1370h] — PE optional header of this image
  void (__stdcall *SetThreadPriority)(HANDLE, int); // [rsp+2BD8h] [rbp-1368h]
  unsigned __int64 v112; // [rsp+2BE0h] [rbp-1360h] — 8 stub bytes read via direct syscall
  unsigned __int64 v113; // [rsp+2BE8h] [rbp-1358h] — 8 stub bytes read via plain dereference
  int (__stdcall *GetThreadPriority)(HANDLE); // [rsp+2BF0h] [rbp-1350h]
  __int64 cpuidStart; // [rsp+2BF8h] [rbp-1348h]
  __int64 v116; // [rsp+2C00h] [rbp-1340h]
  unsigned __int64 v117; // [rsp+2C08h] [rbp-1338h]
  unsigned __int64 v118; // [rsp+2C10h] [rbp-1330h]
  __int64 v119; // [rsp+2C18h] [rbp-1328h] — rdtsc ticks across a 1 s sleep
  NTSTATUS flOldProtect; // [rsp+2C20h] [rbp-1320h]
  NTSTATUS v121; // [rsp+2C24h] [rbp-131Ch]
  PVOID (__fastcall *AddVectoredExceptionHandler)(unsigned int, void *); // [rsp+2C28h] [rbp-1318h]
  FARPROC v123; // [rsp+2C30h] [rbp-1310h]
  MEMORY_BASIC_INFORMATION MemoryInformation; // [rsp+2C38h] [rbp-1308h]
  ULONG_PTR ReturnLength; // [rsp+2C68h] [rbp-12D8h]
  __int64 encryptedCPUID[12]; // [rsp+2C78h] [rbp-12C8h] — addresses of patched cpuid sites
  __int64 encryptedRDTSC[11]; // [rsp+2CD8h] [rbp-1268h] — addresses of patched rdtsc sites
  char PACKET[512]; // [rsp+2D38h] [rbp-1208h] — the report; qword_4010 points here
  char v129[4096]; // [rsp+2F38h] [rbp-1008h] — one-page scratch copy of the region being scanned
  char *retaddr; // [rsp+3F40h] [rbp+0h]
  void (__stdcall *SendPacket)(void *, void *, void *); // [rsp+3F50h] [rbp+10h]
  SendPacket = (void (__stdcall *)(void *, void *, void *))SendPacket_1;
  v2 = alloca(0x1530i64);
  v29 = alloca(0x1530i64);
  // Publish the report buffer: VEHandler_0 writes its register snapshot to
  // qword_4010+2 .. +0x3A, i.e. PACKET[2..58).
  qword_4010 = (__int64)PACKET;
  for ( i = 0; (unsigned __int64)i < 0x200; ++i )
    PACKET[i] = 0;
  PACKET[0] = 0;
  PACKET[1] = 0x39;                         // report tag; meaning not visible here
  *(_QWORD *)&PACKET[0x3A] = SendPacket_1;  // replaced at LABEL_161 by the NtQueryVirtualMemory stub bytes
  PACKET[66] = 1;
  // 0xCC is the int3 opcode: tests whether the callback's bytes 5..8 are int3
  // padding. Only the PACKET[67] flag and how qword_4008 is stored differ.
  if ( *(_DWORD *)((char *)SendPacket_1 + 5) == 0xCCCCCCCC )
  {
    PACKET[67] = 1;
    strcpy(&ModuleName, "ntdll.dll");
    hModule = GetModuleHandleA(&ModuleName);
    qword_4008 = (__int64)hModule;
  }
  else
  {
    strcpy(&ModuleName, "ntdll.dll");
    hModule = GetModuleHandleA(&ModuleName);
    qword_4008 = qword_4010 ^ (unsigned __int64)hModule;   // ntdll base kept XORed with &PACKET
  }
  // API names are assembled on the stack immediately before each lookup.
  strcpy(&ProcName, "NtQueryVirtualMemory");
  NtQueryVirtualMemory = (NTSTATUS (__stdcall *)(HANDLE, PVOID, int, PVOID, SIZE_T, PSIZE_T))GetProcAddress(
                           hModule,
                           &ProcName);
  strcpy(&v235, "NtReadVirtualMemory");
  NtReadVirtualMemory = (NTSTATUS (__stdcall *)(HANDLE, PVOID, PVOID, ULONG, PULONG))GetProcAddress(hModule, &v235);
  strcpy(&v159, "KERNEL32.dll");
  hKERNEL32 = GetModuleHandleA(&v159);
  // "AddVectoredExceptionHandle" in v63..v88; the final 'r' (rbp-1426h) is not
  // assigned in this listing — a decompiler omission rather than a truncated
  // name, presumably; confirm in the disassembly.
  v63 = 'A';
  v64 = 'd';
  v65 = 'd';
  v66 = 'V';
  v67 = 'e';
  v68 = 'c';
  v69 = 't';
  v70 = 'o';
  v71 = 'r';
  v72 = 'e';
  v73 = 'd';
  v74 = 'E';
  v75 = 'x';
  v76 = 'c';
  v77 = 'e';
  v78 = 'p';
  v79 = 't';
  v80 = 'i';
  v81 = 'o';
  v82 = 'n';
  v83 = 'H';
  v84 = 'a';
  v85 = 'n';
  v86 = 'd';
  v87 = 'l';
  v88 = 'e';
  v89 = 0;
  AddVectoredExceptionHandler = (PVOID (__fastcall *)(unsigned int, void *))GetProcAddress(hKERNEL32, &v63);
  // Installed as the first handler in the chain (first argument 1). VEHandler
  // itself is not in this listing; VEHandler_0 is the body it reaches.
  v9 = AddVectoredExceptionHandler(1u, VEHandler);
  // Without a handler nothing below runs and no report is sent.
  if ( v9 )
  {
    // v51: dword fetched from the caller's code 0x149 bytes past the return
    // address; a1 must equal ~(v51 ^ 0x19F3C225) for the scans to run.
    v51 = *(_DWORD *)(retaddr + 0x149);
    v41 = 0;
    v45 = 0;
    // Walk the address space region by region until NtQueryVirtualMemory fails.
    for ( BaseAddress = 0i64; ; BaseAddress = (char *)MemoryInformation.BaseAddress + MemoryInformation.RegionSize )
    {
      v4 = NtQueryVirtualMemory((HANDLE)-1i64, BaseAddress, 0, &MemoryInformation, 0x30ui64, &ReturnLength);
      if ( v4 < 0 )
        break;
      if ( !v41 && a1 == ~(v51 ^ 0x19F3C225) )
      {
        // One-off stack scan from &v45: 1024 qword slots are tested as pointers
        // and, when readable, recorded together with the two qwords they point at.
        // NOTE(review): `> 0xFFFF000000000000` admits only kernel-range values and
        // `(unsigned int)-j` is an odd offset — the direction and sense of this
        // walk should be verified in the disassembly before trusting it.
        v94 = (HMODULE)&v45;
        for ( j = 0; j < 1024; ++j )
        {
          if ( *((_QWORD *)v94 + (unsigned int)-j) > 0xFFFF000000000000ui64
            && !IsBadReadPtr(*((const void **)v94 + (unsigned int)-j), 1ui64)
            && v45 < 5
            && v45 < 5 )
          {
            // Hit record (52 bytes): +0 slot index, +28 pointer, +36/+44 pointee.
            v96 = &PACKET[52 * v45 + 156];
            *(_DWORD *)v96 = j;
            *(_QWORD *)(v96 + 28) = *((_QWORD *)v94 + (unsigned int)-j);
            *(_QWORD *)(v96 + 36) = **((_QWORD **)v94 + (unsigned int)-j);
            *(_QWORD *)(v96 + 44) = *(_QWORD *)(*((_QWORD *)v94 + (unsigned int)-j) + 8i64);
            ++v45;
          }
        }
        v41 = 1;
      }
      // Committed (MEM_COMMIT 0x1000) pages with PAGE_EXECUTE 0x10,
      // PAGE_EXECUTE_READ 0x20 or PAGE_EXECUTE_READWRITE 0x40.
      if ( MemoryInformation.State == 4096
        && (MemoryInformation.Protect == 16 || MemoryInformation.Protect == 32 || MemoryInformation.Protect == 64) )
      {
        for ( k = BaseAddress; ; k = (char *)k + 4096 )
        {
          if ( k == (char *)MemoryInformation.BaseAddress + MemoryInformation.RegionSize )
            break;
          // Copy the page into v129; the status is stored but never checked.
          v121 = NtReadVirtualMemory((HANDLE)-1i64, k, v129, 0x1000u, 0i64);
          // Only MEM_PRIVATE (0x20000) memory is searched — executable memory not
          // backed by an image or mapped file. All four arms below `continue`
          // unless RegionSize is exactly one page and a1 passes the caller check,
          // so in effect only single-page private executable regions are scanned.
          if ( MemoryInformation.Type == 0x20000 )
          {
            if ( MemoryInformation.RegionSize > 0x1000 )
            {
              if ( (signed __int64)MemoryInformation.RegionSize <= 4096 )
              {
                if ( MemoryInformation.RegionSize != 4096 || a1 != ~(v51 ^ 0x19F3C225) )
                  continue;
                v43 = 0;
              }
              else
              {
                if ( MemoryInformation.RegionSize != 4096 || a1 != ~(v51 ^ 0x19F3C225) )
                  continue;
                v43 = 0;
              }
            }
            else
            {
              if ( MemoryInformation.RegionSize != 4096 )
                continue;
              v14 = ~(v51 ^ 0x19F3C225);
              if ( a1 < v14 )
              {
                if ( a1 != v14 )
                  continue;
                v43 = 0;
              }
              else
              {
                if ( a1 != v14 )
                  continue;
                v43 = 0;
              }
            }
            // Signature search over the page copy (4077 = 4096 - 19 keeps the
            // +19 probe in bounds). 0x50C03148 / 0x0481 are the little-endian
            // bytes 48 31 C0 50 81 04, with 0xC3 expected at +19; one reading of
            // that is `xor rax,rax; push rax; add dword [rsp],imm32 ... ret`,
            // i.e. a push/ret sequence — verify against a real sample. A hit
            // records the offset, the address of +6 and the 16 bytes from +6.
            // The __OFSUB__(v24, ...) test and the v45==5 / v45>5 guards are
            // opaque predicates (v24 and v6 are flagged undefined); every
            // reachable arm stores the same record when v45 < 5.
            while ( (unsigned __int64)v43 < 4077 )
            {
              if ( *(_DWORD *)&v129[v43] == 0x50C03148 && *(_WORD *)&v129[v43 + 4] == 0x481 )
              {
                if ( __OFSUB__(v24, 0x9089u) )
                {
                  if ( (unsigned __int8)v129[v43 + 19] == 0xC3 )
                  {
                    if ( v45 == 5 )
                    {
                      if ( v45 < 5 )
                      {
                        v97 = &PACKET[52 * v45 + 156];
                        *(_DWORD *)v97 = v43;
                        *(_QWORD *)(v97 + 28) = (char *)k + v43 + 6;
                        *(_QWORD *)(v97 + 36) = *(_QWORD *)&v129[v43 + 6];
                        *(_QWORD *)(v97 + 44) = *(_QWORD *)&v129[v43 + 14];
                        ++v45;
                      }
                    }
                    else if ( v45 < 5 )
                    {
                      v97 = &PACKET[52 * v45 + 156];
                      *(_DWORD *)&PACKET[52 * v45 + 156] = v43;
                      v3 = (char *)k + v43 + 6;
                      if ( v6 == 1 )
                      {
                        *(_QWORD *)(v97 + 28) = v3;
                        *(_QWORD *)(v97 + 36) = *(_QWORD *)&v129[v43 + 6];
                        *(_QWORD *)(v97 + 44) = *(_QWORD *)&v129[v43 + 14];
                        ++v45;
                      }
                      else
                      {
                        *(_QWORD *)(v97 + 28) = v3;
                        *(_QWORD *)(v97 + 36) = *(_QWORD *)&v129[v43 + 6];
                        *(_QWORD *)(v97 + 44) = *(_QWORD *)&v129[v43 + 14];
                        ++v45;
                      }
                    }
                  }
                }
                else if ( (unsigned __int8)v129[v43 + 19] == 0xC3 )
                {
                  if ( v45 > 5 )
                  {
                    if ( v45 < 5 )
                    {
                      v97 = &PACKET[52 * v45 + 0x9C];
                      *(_DWORD *)&PACKET[52 * v45 + 156] = v43;
                      *(_QWORD *)(v97 + 0x1C) = (char *)k + v43 + 6;
                      *(_QWORD *)(v97 + 36) = *(_QWORD *)&v129[v43 + 6];
                      *(_QWORD *)(v97 + 44) = *(_QWORD *)&v129[v43 + 14];
                      ++v45;
                    }
                  }
                  else if ( v45 < 5 )
                  {
                    v97 = &PACKET[52 * v45 + 156];
                    *(_DWORD *)&PACKET[52 * v45 + 156] = v43;
                    *(_QWORD *)(v97 + 28) = (char *)k + v43 + 6;
                    *(_QWORD *)(v97 + 36) = *(_QWORD *)&v129[v43 + 6];
                    *(_QWORD *)(v97 + 44) = *(_QWORD *)&v129[v43 + 14];
                    ++v45;
                  }
                }
              }
              ++v43;
            }
          }
        }
      }
    }
    // Scans done: unregister the handler before post-processing.
    strcpy(v90, "RemoveVectoredExceptionHandler");
    v123 = GetProcAddress(hKERNEL32, v90);
    ((void (__fastcall *)(PVOID))v123)(v9);
    // Caller check failed: skip the timing section and go straight to encoding
    // and sending. LABEL_161 is also the common tail reached via LABEL_202.
    if ( a1 != ~(v51 ^ 0x19F3C225) )
    {
LABEL_161:
      // Hook-check material: first 8 bytes of the two ntdll stubs read by plain
      // dereference. v113 is stored at PACKET[58..66).
      NtReadVirtualMemoryDeref = *(_QWORD *)NtReadVirtualMemory;
      v113 = *(_QWORD *)NtQueryVirtualMemory;
      *(_QWORD *)&PACKET[58] = v113;
      // Pass-1 key: SystemTime.LowPart (stored in clear at PACKET[508..512) when
      // a1 == ~(v51 ^ 0x3C973E1F)) XOR a1 XOR 0x378E5979. Both arms of the sign
      // test do the same thing; leaving the timestamp in the packet presumably
      // lets a receiver that knows a1 rebuild the key.
      v5 = v51 ^ 0x3C973E1F;
      if ( (v51 ^ 0x3C973E1F) < 0 )
      {
        v8 = ~v5;
        if ( a1 == v8 )
        {
          *(_DWORD *)&PACKET[508] = SharedUserData_SystemTime.LowPart;
          v50 = SharedUserData_SystemTime.LowPart ^ a1 ^ 0x378E5979;
          l = 2;
          goto LABEL_37;
        }
      }
      else
      {
        v19 = ~v5;
        if ( a1 == v19 )
          *(_DWORD *)&PACKET[508] = SharedUserData_SystemTime.LowPart;
      }
      v50 = *(_DWORD *)&PACKET[508] ^ a1 ^ 0x378E5979;
      // Pass 1: dword-wise XOR of PACKET[2..505) with an evolving key. The loop
      // is interleaved with inline rcl/rcr and reads _ECX, v23 and v24, all
      // flagged possibly undefined; the control flow shown through LABEL_50 /
      // LABEL_186 / LABEL_40 is not trustworthy.
LABEL_37:
      for ( l = 2; l < 505; ++l )
      {
        *(_DWORD *)&PACKET[l] ^= v50;
        if ( (v50 >> (l % 32)) & 1 )
          v50 *= ~v50;
LABEL_50:
        v25 = (*((_BYTE *)&v50 + l % 4) & 3) + 4;
        _ECX = 512 - v25;
        _EAX = v25 & ~(1 << v23);
        LOWORD(_EAX) = __ROL2__(_EAX, 2);
        __asm { rcl eax, cl }
        v35 = l == _ECX;
        if ( l < _ECX )
        {
          LOWORD(_ECX) = __ROR2__(_ECX + 1, _ECX + 1);
          __asm { rcr ecx, 9 }
          v34 = l % -4;
          goto LABEL_40;
        }
LABEL_186:
        while ( !v35 )
        {
          v22 = ++l;
          if ( v22 >= 505 )
            goto LABEL_168;
          _DH = 0x75;
          __asm { rcl dh, 2 }
          *(_DWORD *)&PACKET[v22] ^= v50;
          v12 = (v50 >> (v22 % 32)) & 1;
          if ( !v12 )
            goto LABEL_50;
          v50 *= ~v50;
          _ECX = 512 - ((*((_BYTE *)&v50 + l % -4) & 3) + 4);
          v35 = l == _ECX;
          if ( l < _ECX )
          {
            v34 = l % -4;
LABEL_40:
            v7 = *((_BYTE *)&v50 + v34) & 3;
            v35 = v7 + l == 0;
            LOBYTE(_ECX) = v7 + l;
            l += v7;
            goto LABEL_186;
          }
        }
      }
LABEL_168:
      // Pass 2: byte-wise XOR of PACKET[2..0x200) with a rolling key seeded from
      // the low byte of a1 (LABEL_104). At m == 0x44 the qword at
      // PACKET[0x44..0x4C) is filled first: when NtReadVirtualMemory's stub still
      // looks intact — byte 3 == 0xB8 (mov eax, imm32) and bytes 5..7 zero, as
      // in an unmodified `mov r10,rcx; mov eax,SSN` stub — the
      // NtQueryVirtualMemory bytes are re-read through the direct-syscall stub;
      // otherwise the plainly read v113 is duplicated (LABEL_135). A receiver
      // can compare PACKET[58] with PACKET[0x44] to detect a user-mode hook on
      // the export (inference). The `m < 0x44` arm can never reach its syscall
      // (m != 0x44 is always true there); __SETP__ and SHIBYTE tests are opaque
      // predicates.
      dwXorKeyPass2 = a1;
      for ( m = 2; ; ++m )
      {
        if ( (unsigned __int64)(int)m >= 0x200 )
        {
          // Report complete: hand the 512-byte buffer to the caller's callback.
          SendPacket(PACKET, (void *)0x200, 0i64);
          return;
        }
        if ( m < 0x44 )
        {
          if ( m != 0x44 )
            goto LABEL_104;
          if ( a1 != ~(v51 ^ 0x19F3C225)
            || BYTE3(NtReadVirtualMemoryDeref) != 0xB8
            || *(_WORD *)((char *)&NtReadVirtualMemoryDeref + 5)
            || HIBYTE(NtReadVirtualMemoryDeref) )
          {
            goto LABEL_135;
          }
          v112 = 0i64;
          syscall_NtQueryVirtualMemory((HANDLE)-1i64, NtQueryVirtualMemory, &v112, 8ui64, 0i64);
          LOBYTE(_ECX) = v112;
          *(_QWORD *)&PACKET[m] = v112;
        }
        else if ( m == 0x44 )
        {
          v36 = ~(v51 ^ 0x19F3C225);
          if ( __SETP__(a1, v36) )
          {
            if ( !*(_WORD *)((char *)&NtReadVirtualMemoryDeref + 5) && !(_BYTE)NtReadVirtualMemoryDeref )
            {
              v112 = 0i64;
              syscall_NtQueryVirtualMemory((HANDLE)-1i64, NtQueryVirtualMemory, &v112, 8ui64, 0i64);
              LOBYTE(_ECX) = v112;
              *(_QWORD *)&PACKET[m] = v112;
              goto LABEL_104;
            }
LABEL_135:
            // Fallback: duplicate the plainly read bytes.
            LOBYTE(_ECX) = v113;
            *(_QWORD *)&PACKET[m] = v113;
            goto LABEL_104;
          }
          if ( a1 != v36 || BYTE3(NtReadVirtualMemoryDeref) != 0xB8 || *(_WORD *)((char *)&NtReadVirtualMemoryDeref + 5) )
            goto LABEL_135;
          if ( SHIBYTE(NtReadVirtualMemoryDeref) < 0xB4 )
          {
            v112 = 0i64;
            syscall_NtQueryVirtualMemory((HANDLE)-1i64, NtQueryVirtualMemory, &v112, 8ui64, 0i64);
            LOBYTE(_ECX) = v112;
            *(_QWORD *)&PACKET[m] = v112;
            goto LABEL_104;
          }
          if ( HIBYTE(NtReadVirtualMemoryDeref) )
            goto LABEL_135;
          v112 = 0i64;
          // MemoryInformationLength is never assigned in this listing.
          syscall_NtQueryVirtualMemory((HANDLE)-1i64, NtQueryVirtualMemory, &v112, 8ui64, MemoryInformationLength);
          LOBYTE(_ECX) = v112;
          *(_QWORD *)&PACKET[m] = v112;
        }
LABEL_104:
        // Rolling key step; the shift count depends on _ECX left over from the
        // inline asm above (flagged undefined), so this expression is unreliable.
        timestampXorKey2 = dwXorKeyPass2;
        v37 = (int)dwXorKeyPass2 >> ((((_ECX & 7) + m) & 7) - (_ECX & 7));
        v38 = dwXorKeyPass2;
        dwXorKeyPass2 += v37;
        LOBYTE(v37) = (v37 + v38) ^ PACKET[m];
        LOBYTE(_ECX) = m;
        PACKET[m] = v37;
      }
    }
    // Timing section (caller check passed). Raise the current thread (-2 is the
    // current-thread pseudo-handle) to priority 15 (THREAD_PRIORITY_TIME_CRITICAL)
    // for the measurements; the old priority is restored at LABEL_202.
    strcpy(&v59, "GetThreadPriority");
    GetThreadPriority = (int (__stdcall *)(HANDLE))GetProcAddress(hKERNEL32, &v59);
    _ThreadPriority = GetThreadPriority((HANDLE)-2i64);
    strcpy(&v60, "SetThreadPriority");
    SetThreadPriority = (void (__stdcall *)(HANDLE, int))GetProcAddress(hKERNEL32, &v60);
    ((void (__fastcall *)(__int64, __int64))SetThreadPriority)(-2i64, 15i64);
    strcpy(&v151, "Sleep");
    Sleep = (void (__fastcall *)(DWORD))GetProcAddress(hKERNEL32, &v151);
    Sleep(100i64);
    // 464 == 0x1D0: the cpuid result written near the end overwrites this flag,
    // so it survives only on the VirtualProtect-failure path below.
    PACKET[464] = 1;
    // *((int *)base + 15) is e_lfanew (offset 0x3C); +24 skips the PE signature
    // and file header, so v110 addresses the optional header. DllSize is
    // presumably SizeOfImage — struct_v113 is not shown here, confirm.
    v110 = (struct_v113 *)((char *)DllStartAddress + *((int *)DllStartAddress + 15) + 24);
    // Make the whole image PAGE_EXECUTE_READWRITE (0x40) so the marker bytes
    // below can be patched in place (self-modifying code).
    v10 = VirtualProtect(DllStartAddress, v110->DllSize, 0x40u, (PDWORD)&flOldProtect);
    if ( v10 <= 0 )
    {
      if ( !v10 )
      {
        // VirtualProtect failed: skip the measurements, restore priority, send.
LABEL_202:
        SetThreadPriority((HANDLE)-2i64, _ThreadPriority);
        goto LABEL_161;
      }
      iNumEncCPUID = 0;
      iNumEncRDTSC = 0;
      v46 = 4096;
    }
    else
    {
      iNumEncCPUID = 0;
      iNumEncRDTSC = 0;
      v46 = 4096;
    }
    // Scan this image from offset 4096 for two-byte markers and replace them
    // with real instructions: 12 34 -> 0F A2 (cpuid), 56 78 -> 0F 31 (rdtsc);
    // the markers are put back after the measurements. The cpuid/rdtsc sites
    // used below are presumably these patched locations (inference).
    // NOTE(review): the rdtsc arm stores DllStartAddress without "+ v46", so as
    // decompiled it patches the image base (the MZ signature) for every hit, and
    // iNumEncRDTSC is not bounded against encryptedRDTSC[11] the way
    // iNumEncCPUID is against 0xC — check the disassembly before treating
    // either as a real defect.
    while ( v46 + 2 <= v110->DllSize )
    {
      if ( *((_BYTE *)DllStartAddress + v46) != 0x12 || *((_BYTE *)DllStartAddress + v46 + 1) != 0x34 )
      {
        if ( *((_BYTE *)DllStartAddress + v46) == 0x56 && *((_BYTE *)DllStartAddress + v46 + 1) == 0x78 )
        {
          encryptedRDTSC[iNumEncRDTSC] = (__int64)DllStartAddress;
          *(_BYTE *)encryptedRDTSC[iNumEncRDTSC] = 0xF;
          *(_BYTE *)(encryptedRDTSC[iNumEncRDTSC++] + 1) = 0x31;
        }
      }
      else if ( iNumEncCPUID < 0xCui64 )
      {
        encryptedCPUID[iNumEncCPUID] = (__int64)DllStartAddress + v46;
        *(_BYTE *)encryptedCPUID[iNumEncCPUID] = 0xF;
        *(_BYTE *)(encryptedCPUID[iNumEncCPUID++] + 1) = 0xA2u;
      }
      ++v46;
    }
    // Three rounds of cpuid/rdtsc timing. cpuid traps to the hypervisor under
    // virtualisation, so its cost relative to rdtsc is a common hypervisor
    // indicator. SystemTime is in 100 ns units.
    for ( n = 0; n < 3; ++n )
    {
      v102 = 0i64;
      v103 = 0i64;
      cpuidStart = *(_QWORD *)&SharedUserData_SystemTime.LowPart;
      loopVal = 0;
      // 26259 cpuid executions with EAX = loop counter; the elapsed SystemTime
      // goes to PACKET[416 + 16*n].
      if ( loopVal < 26260 )
      {
        LODWORD(v102) = _byteswap_ulong(0);
        LODWORD(v103) = 0;
        while ( 1 )
        {
          _RAX = (unsigned int)++loopVal;
          if ( loopVal >= 26260 )
            break;
          __asm { cpuid }
        }
      }
      v116 = *(_QWORD *)&SharedUserData_SystemTime.LowPart;
      *(_QWORD *)&PACKET[16 * n + 416] = *(_QWORD *)&SharedUserData_SystemTime.LowPart - cpuidStart;
      Sleep(10i64);
      // rdtsc ticks across a 1 s sleep: baseline for normalising the next loop.
      v117 = __rdtsc();
      Sleep(1000i64);
      v119 = __rdtsc() - v117;
      v107 = 0i64;
      // 26260 x cpuid leaf 0, each timed with rdtsc.
      for ( ii = 0; ii < 26260; ++ii )
      {
        v118 = __rdtsc();
        _RAX = 0i64;
        __asm { cpuid }
        v102 = __PAIR64__(_RBX, _RAX);
        v103 = __PAIR64__(_RDX, _RCX);
        v107 += __rdtsc() - v118;
      }
      // Normalised cpuid cost -> PACKET[0x1A8 + 16*n] (second qword of each slot).
      *(_QWORD *)&PACKET[0x10 * n + 0x1A8] = 10000000 * v107 / v119 / 101;
      Sleep(10i64);
    }
    // Put the marker bytes back so the image no longer contains cpuid/rdtsc.
    for ( jj = 0; jj < iNumEncCPUID; ++jj )
    {
      *(_BYTE *)encryptedCPUID[jj] = 0x12;
      *(_BYTE *)(encryptedCPUID[jj] + 1) = 0x34;
    }
    for ( kk = 0; kk < iNumEncRDTSC; ++kk )
    {
      *(_BYTE *)encryptedRDTSC[kk] = 0x56;
      *(_BYTE *)(encryptedRDTSC[kk] + 1) = 0x78;
    }
    // Last cpuid(0) result: EBX:EAX and EDX:ECX (leaf 0 returns the vendor
    // string in EBX/EDX/ECX). 0x1D0 == 464 overwrites the flag set earlier.
    *(_QWORD *)&PACKET[0x1D0] = v102;
    *(_QWORD *)&PACKET[0x1D8] = v103;
    goto LABEL_202;
  }
}
// 15C6: variable 'v6' is possibly undefined
// CEF1: variable 'v23' is possibly undefined
// A605: variable '_ECX' is possibly undefined
// B77A: variable 'MemoryInformationLength' is possibly undefined
// ECE7: variable 'v24' is possibly undefined
// 4008: using guessed type __int64 qword_4008;
// 4010: using guessed type __int64 qword_4010;
// CE74: using guessed type char var_2740[4632];
// CE74: using guessed type __int64 encryptedRDTSC[11];
// ALL OK, 5 function(s) have been successfully decompiled