@WKL-Sec
Last active March 15, 2024 09:02
This C++ snippet demonstrates deobfuscating a byte array with inline assembly: it applies a bitwise NOT, a decrement, and an XOR to each byte of the array.
// White Knight Labs - Offensive Development Course
// String Deobfuscation with Inline-Assembly
// Based on - https://gist.github.com/WKL-Sec/e24830ebfafabc283bd9329e79f71164
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>
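std::vector<char> hexStringToBytes(const std::string& hex) {
    // Decode a hex string such as "19242f" into the bytes it encodes,
    // two hex digits per byte, in input order.
    //
    // Throws std::invalid_argument when the string has an odd number of
    // characters or contains a character that is not a hex digit. The
    // earlier std::stoi-based loop accepted a lone trailing digit and, inside
    // a pair, leading whitespace, a sign or a "0x" prefix, so malformed input
    // could decode without any error.
    if (hex.length() % 2 != 0) {
        throw std::invalid_argument("hexStringToBytes: odd-length hex string");
    }
    // Value of one hex digit, or -1 when the character is not a hex digit.
    auto nibble = [](char ch) -> int {
        if (ch >= '0' && ch <= '9') return ch - '0';
        if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
        if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
        return -1;
    };
    std::vector<char> bytes;
    bytes.reserve(hex.length() / 2);
    for (size_t i = 0; i < hex.length(); i += 2) {
        const int hi = nibble(hex[i]);
        const int lo = nibble(hex[i + 1]);
        if (hi < 0 || lo < 0) {
            throw std::invalid_argument("hexStringToBytes: non-hex character in input");
        }
        bytes.push_back(static_cast<char>((hi << 4) | lo));
    }
    return bytes;
}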
// Deobfuscation logic
// c = ((~c) - 1) ^ 0xAA;
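void deobfuscateBytes(std::vector<char>& bytes) {
    // Undo the obfuscation in place: every byte becomes ((~c) - 1) ^ 0xAA.
    // The two branches below must implement exactly this transform; keep
    // them in sync if the scheme ever changes.
#if defined(_MSC_VER) && defined(_M_X64)
    // Inline-assembly version (the point of this snippet).
    // NOTE(review): MSVC's native x64 compiler does not accept __asm blocks;
    // this branch is expected to build with clang-cl — confirm against the
    // toolchain actually in use. Every other compiler takes the portable loop.
    char* data = bytes.data();  // Base address; may be null when bytes is empty
    size_t len = bytes.size();  // Byte count; zero makes the loop exit at once
    __asm {
        mov rdi, data        // RDI = base address of the byte array
        mov rsi, len         // RSI = remaining byte count, walked from the end
    loop_start:
        test rsi, rsi        // Done once the counter reaches zero
        jz loop_end
        dec rsi              // Step to the previous byte
        mov al, [rdi + rsi]  // Load it into AL
        not al               // ~c
        dec al               // - 1 (wraps in 8 bits)
        xor al, 0xAA         // ^ 0xAA
        mov [rdi + rsi], al  // Store the result back in place
        jmp loop_start
    loop_end:
    }
#else
    // Portable equivalent of the assembly above, done in unsigned 8-bit
    // arithmetic so the wrap-around of `dec al` is reproduced exactly.
    for (char& c : bytes) {
        unsigned char u = static_cast<unsigned char>(c);
        u = static_cast<unsigned char>(~u);
        u = static_cast<unsigned char>(u - 1u);
        u ^= 0xAAu;
        c = static_cast<char>(u);
    }
#endif
}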
int main() {
    // Hex-encoded, obfuscated form of the string "OpenProcess".
    const std::string encoded = "19242f3a042639352f2525"; // OpenProcess
    // Decode the hex text into raw bytes, then undo the obfuscation in place.
    std::vector<char> buffer = hexStringToBytes(encoded);
    deobfuscateBytes(buffer);
    // Reinterpret the recovered bytes as text and print them.
    const std::string recovered(buffer.data(), buffer.size());
    std::cout << "Deobfuscated: " << recovered << std::endl;
}