-
-
[原创]2022年游戏安全技术竞赛-PC方向-决赛
-
发表于: 2022-4-29 20:35 9063
-
hook并调用坐标绘制
搜索 比赛驱动的hook
然后我再hook
注入压缩包中的HookPatch.dll 可以看到效果
通过虚拟机模拟,得到绘制坐标信息
再通过std::vector<uint32_t> VM::OutVituralOpCodeTable(const std::vector<Opcode>& opcodes)
生成新的opcode
利用驱动loadimg 回调
patch 目标驱动
由于是通过loadimg进行patch 所以PatchDriver.sys 需要在比赛驱动之前加载
加载PatchDriver.sys 后加载比赛驱动在运行2022游戏安全技术竞赛决赛.exe 可以看到flag
注入screenshot.dll 按home 即可截图 截图文件在 d:\dwm.jpg
循环遍历进程名有DWM的进程
起始Processid 为 0x100000
每次循环减4
大概流程,获取DWM EPROCESS
获取 D3DCompile 地址
搜索内存 获取 CDXGISwapChain::PresentMultiplaneOverlay
申请内存 复制shellcode 和 VmOpcodeTable 到DWM中 并解密
HookMem = CDXGISwapChain::PresentMultiplaneOverlay 头部字节 加上
= 跳回 PresentMultiplaneOverlay
hook CDXGISwapChain::PresentMultiplaneOverlay 跳到shellcode + 860
v31 = PresentMultiplaneOverlay(v43, a2, v49, a4, v72, a5, v71);
sub_860+D18 Address:0x1578 Offset:0x1578
这里执行 hookmem
延迟5秒恢复hook
延迟15秒释放内存
利用MDL 强行写入shellcode 到PresentMultiplaneOverlay
Hook shellcode 大概
直接patch吧 一看就知道啥东西
没仔细看导致我minhook失败调我半天
延迟5秒恢复PresentMultiplaneOverlay 的hook
loc_1400070F8 里是PresentMultiplaneOverlay头部字节
不用解释
大概流程
注册loadimg回调
比赛sys加载 触发回调
然后jmp 到
WinMain下段跟
发现这段参加线程
点进去一看
发现NtQuerySystemInformation
明显是通过 NtQuerySystemInformation触发回调
dump下shellcode 分析
卧槽? 这不是咱老朋友吗
不过虚拟机进化了
虚拟机经过六次解密达到最终结果
还是老样子
这里1000,500导致的坐标负数
这里导致的交换reg[5] reg[6]
patch 500 1000导致的负数,
patch 交换 reg[5] reg[6]
通过模拟执行得到rect信息 利用这些信息生成新的opcode
在我的dll直接实现,刚好比赛驱动用比赛驱动的hook
ScreenGrab · microsoft/DirectXTK Wiki (github.com)
从交换链里获取Device
再GetBuffer
再调用 dxtk SaveWICTextureToFile 保存到文件
lainswork/dwm-screen-shot: 将shellcode注入dwm.exe以进行屏幕截取 (github.com)
lainswork/shellcode-factory: shellcode 生成框架 (github.com)
利用shellcode 生成框架
通过符号获取hook地址
修改页面属性
veh 捕获异常 hook 获取交换链
利用交换链 getbuffer
exe 直接读这个buff 绘制出来
其实和我的方案一一毛一样 除了是shellcode
Abusing DComposition to render on external windows | secret club
劫持dwm窗口应该是个思路吧
劫持线程到自己exe
应该可以截图到吧
没具体实现
NVidia 游戏内覆盖截图
他那个基于显卡 直接copy的显存 经朋友测试的确可以截到
本来想看看的 毕竟上次泄露nv的驱动源码 但是我电脑不支持此方案
NVIDIA Capture SDK | NVIDIA Developer
NvFBC nv的视频录制sdk 是直接从显存里copy数据
按理也可以截图
不过最高支持win10 1803 我win11 所以没办法
所以这里没有测试方案
video-sdk-samples/nvEncDXGIOutputDuplicationSample at master · NVIDIA/video-sdk-samples (github.com)
他官方推荐的代替方案
后来我又去实现了他文档放弃win10 所推荐的dx方案
IDXGIOutput 发现并不能截图dwm
后续...
amd 方案
FILE
*
file
;
AllocConsole();
freopen_s(&
file
,
"CONIN$"
,
"r"
, stdin);
freopen_s(&
file
,
"CONOUT$"
,
"w"
, stdout);
uint64_t hook
=
0
;
while
(true)
{
hook
=
FindPattern(
"dxgi.dll"
,
"68 ?? ?? ?? ?? C7 44 24 04 ?? ?? ?? ??"
);
if
(hook)
break
;
Sleep(
100
);
}
FILE
*
file
;
AllocConsole();
freopen_s(&
file
,
"CONIN$"
,
"r"
, stdin);
freopen_s(&
file
,
"CONOUT$"
,
"w"
, stdout);
uint64_t hook
=
0
;
while
(true)
{
hook
=
FindPattern(
"dxgi.dll"
,
"68 ?? ?? ?? ?? C7 44 24 04 ?? ?? ?? ??"
);
if
(hook)
break
;
Sleep(
100
);
}
flag f[
42
];
uint8_t
*
draw_rect
=
0
;
uint8_t
*
draw_orig
=
0
;
__int64 __fastcall sub_420(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6, __int64 a7)
{
f[
0
]
=
{
50
,
50
,
0x130bd0
,
0xf814b4
};
f[
1
]
=
{
50
,
122
,
0x1bcd69
,
0xe9bdc5
};
f[
2
]
=
{
50
,
194
,
0xd91997
,
0x4f7363
};
f[
3
]
=
{
50
,
266
,
0xe82b18
,
0x28ec24
};
f[
4
]
=
{
50
,
338
,
0x391faa
,
0x22ae2e
};
f[
5
]
=
{
50
,
410
,
0xd77de2
,
0x2f62e
};
f[
6
]
=
{
122
,
266
,
0x71150
,
0x1894d4
};
f[
7
]
=
{
194
,
266
,
0xc42e8b
,
0xeb1f47
};
f[
8
]
=
{
266
,
266
,
0x34cf2b
,
0x534f3f
};
f[
9
]
=
{
122
,
122
,
0xd9e5f1
,
0xe9d505
};
f[
10
]
=
{
194
,
194
,
0xc42d8b
,
0x38f0f
};
f[
11
]
=
{
770
,
50
,
0xeabf17
,
0x8f7323
};
f[
12
]
=
{
698
,
122
,
0xc42d8b
,
0x532fbf
};
f[
13
]
=
{
626
,
194
,
0xd717af
,
0x37cb9b
};
f[
14
]
=
{
554
,
266
,
0xc460e9
,
0x314ddd
};
f[
15
]
=
{
482
,
338
,
0xc7a989
,
0x11edbd
};
f[
16
]
=
{
554
,
338
,
0xab7100
,
0xf0747c
};
f[
17
]
=
{
626
,
338
,
0xc409a9
,
0xe12d6d
};
f[
18
]
=
{
842
,
50
,
0xd77e8b
,
0x7bfff7
};
f[
19
]
=
{
914
,
50
,
0xd9ad01
,
0x4985c5
};
f[
20
]
=
{
986
,
50
,
0x39e156
,
0xf6c25a
};
f[
21
]
=
{
842
,
122
,
0x13207c
,
0x7438b8
};
f[
22
]
=
{
914
,
194
,
0xc9140b
,
0xf3af5f
};
f[
23
]
=
{
986
,
266
,
0x53071f
,
0x779bfb
};
f[
24
]
=
{
1058
,
338
,
0xd71106
,
0x5ee272
};
f[
25
]
=
{
1130
,
338
,
0xeb60a1
,
0x11551d
};
f[
26
]
=
{
1202
,
338
,
0xeb67cd
,
0xc5c9c9
};
f[
27
]
=
{
1274
,
338
,
0xd71161
,
0x1752d
};
f[
28
]
=
{
1130
,
50
,
0x677611
,
0x41a58d
};
f[
29
]
=
{
1202
,
50
,
0x40173d
,
0x95f9d9
};
f[
30
]
=
{
1274
,
50
,
0xd77661
,
0x61b54d
};
f[
31
]
=
{
1346
,
50
,
0xefff9a
,
0xc27eee
};
f[
32
]
=
{
1202
,
122
,
0xc404eb
,
0xeb3fc7
};
f[
33
]
=
{
1274
,
194
,
0xd7c6ef
,
0xdf9b53
};
f[
34
]
=
{
1346
,
194
,
0xd7701f
,
0x171b1b
};
f[
35
]
=
{
1418
,
194
,
0xd71171
,
0x91e53d
};
f[
36
]
=
{
1490
,
194
,
0x3906ab
,
0x138f3f
};
f[
37
]
=
{
1346
,
266
,
0x96663
,
0x83f72f
};
f[
38
]
=
{
1418
,
338
,
0x732157
,
0x47638b
};
f[
39
]
=
{
1490
,
338
,
0x353730
,
0x587414
};
f[
40
]
=
{
1562
,
338
,
0x6257a9
,
0x69fdc5
};
f[
41
]
=
{
1634
,
338
,
0xd777af
,
0xb7cb1b
};
for
(auto& data : f)
{
call_invoke(draw_rect, data.x, data.y, data.k1, data.k2,
0xFF2DDBE7
, a3, a4, a5, a6, a7);
/
/
reinterpret_cast<uint64_t(
*
)(
int
,
int
,
int
,
int
,
int
, uint64_t, uint64_t, uint64_t, uint64_t, uint64_t)>(draw_rect)
/
/
(data.x, data.y, data.k1, data.k2,
0xFFFFFF00
, a3, a4, a5, a6, a7);
}
return
0
;
flag f[
42
];
uint8_t
*
draw_rect
=
0
;
uint8_t
*
draw_orig
=
0
;
__int64 __fastcall sub_420(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6, __int64 a7)
{
f[
0
]
=
{
50
,
50
,
0x130bd0
,
0xf814b4
};
f[
1
]
=
{
50
,
122
,
0x1bcd69
,
0xe9bdc5
};
f[
2
]
=
{
50
,
194
,
0xd91997
,
0x4f7363
};
f[
3
]
=
{
50
,
266
,
0xe82b18
,
0x28ec24
};
f[
4
]
=
{
50
,
338
,
0x391faa
,
0x22ae2e
};
f[
5
]
=
{
50
,
410
,
0xd77de2
,
0x2f62e
};
f[
6
]
=
{
122
,
266
,
0x71150
,
0x1894d4
};
f[
7
]
=
{
194
,
266
,
0xc42e8b
,
0xeb1f47
};
f[
8
]
=
{
266
,
266
,
0x34cf2b
,
0x534f3f
};
f[
9
]
=
{
122
,
122
,
0xd9e5f1
,
0xe9d505
};
f[
10
]
=
{
194
,
194
,
0xc42d8b
,
0x38f0f
};
f[
11
]
=
{
770
,
50
,
0xeabf17
,
0x8f7323
};
f[
12
]
=
{
698
,
122
,
0xc42d8b
,
0x532fbf
};
f[
13
]
=
{
626
,
194
,
0xd717af
,
0x37cb9b
};
f[
14
]
=
{
554
,
266
,
0xc460e9
,
0x314ddd
};
f[
15
]
=
{
482
,
338
,
0xc7a989
,
0x11edbd
};
f[
16
]
=
{
554
,
338
,
0xab7100
,
0xf0747c
};
f[
17
]
=
{
626
,
338
,
0xc409a9
,
0xe12d6d
};
f[
18
]
=
{
842
,
50
,
0xd77e8b
,
0x7bfff7
};
f[
19
]
=
{
914
,
50
,
0xd9ad01
,
0x4985c5
};
f[
20
]
=
{
986
,
50
,
0x39e156
,
0xf6c25a
};
f[
21
]
=
{
842
,
122
,
0x13207c
,
0x7438b8
};
f[
22
]
=
{
914
,
194
,
0xc9140b
,
0xf3af5f
};
f[
23
]
=
{
986
,
266
,
0x53071f
,
0x779bfb
};
f[
24
]
=
{
1058
,
338
,
0xd71106
,
0x5ee272
};
f[
25
]
=
{
1130
,
338
,
0xeb60a1
,
0x11551d
};
f[
26
]
=
{
1202
,
338
,
0xeb67cd
,
0xc5c9c9
};
f[
27
]
=
{
1274
,
338
,
0xd71161
,
0x1752d
};
f[
28
]
=
{
1130
,
50
,
0x677611
,
0x41a58d
};
f[
29
]
=
{
1202
,
50
,
0x40173d
,
0x95f9d9
};
f[
30
]
=
{
1274
,
50
,
0xd77661
,
0x61b54d
};
f[
31
]
=
{
1346
,
50
,
0xefff9a
,
0xc27eee
};
f[
32
]
=
{
1202
,
122
,
0xc404eb
,
0xeb3fc7
};
f[
33
]
=
{
1274
,
194
,
0xd7c6ef
,
0xdf9b53
};
f[
34
]
=
{
1346
,
194
,
0xd7701f
,
0x171b1b
};
f[
35
]
=
{
1418
,
194
,
0xd71171
,
0x91e53d
};
f[
36
]
=
{
1490
,
194
,
0x3906ab
,
0x138f3f
};
f[
37
]
=
{
1346
,
266
,
0x96663
,
0x83f72f
};
f[
38
]
=
{
1418
,
338
,
0x732157
,
0x47638b
};
f[
39
]
=
{
1490
,
338
,
0x353730
,
0x587414
};
f[
40
]
=
{
1562
,
338
,
0x6257a9
,
0x69fdc5
};
f[
41
]
=
{
1634
,
338
,
0xd777af
,
0xb7cb1b
};
for
(auto& data : f)
{
call_invoke(draw_rect, data.x, data.y, data.k1, data.k2,
0xFF2DDBE7
, a3, a4, a5, a6, a7);
/
/
reinterpret_cast<uint64_t(
*
)(
int
,
int
,
int
,
int
,
int
, uint64_t, uint64_t, uint64_t, uint64_t, uint64_t)>(draw_rect)
/
/
(data.x, data.y, data.k1, data.k2,
0xFFFFFF00
, a3, a4, a5, a6, a7);
}
return
0
;
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
50
,
50
,
130bd0
,f814b4)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
50
,
122
,
1bcd69
,e9bdc5)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
50
,
194
,d91997,
4f7363
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
50
,
266
,e82b18,
28ec24
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
50
,
338
,
391faa
,
22ae2e
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
50
,
410
,d77de2,
2f62e
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
122
,
266
,
71150
,
1894d4
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
194
,
266
,c42e8b,eb1f47)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
266
,
266
,
34cf2b
,
534f3f
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
122
,
122
,d9e5f1,e9d505)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
194
,
194
,c42d8b,
38f0f
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
770
,
50
,eabf17,
8f7323
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
698
,
122
,c42d8b,
532fbf
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
626
,
194
,d717af,
37cb9b
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
554
,
266
,c460e9,
314ddd
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
482
,
338
,c7a989,
11edbd
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
554
,
338
,ab7100,f0747c)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
626
,
338
,c409a9,e12d6d)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
842
,
50
,d77e8b,
7bfff7
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
914
,
50
,d9ad01,
4985c5
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
986
,
50
,
39e156
,f6c25a)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
842
,
122
,
13207c
,
7438b8
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
914
,
194
,c9140b,f3af5f)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
986
,
266
,
53071f
,
779bfb
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1058
,
338
,d71106,
5ee272
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1130
,
338
,eb60a1,
11551d
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1202
,
338
,eb67cd,c5c9c9)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1274
,
338
,d71161,
1752d
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1130
,
50
,
677611
,
41a58d
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1202
,
50
,
40173d
,
95f9d9
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1274
,
50
,d77661,
61b54d
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1346
,
50
,efff9a,c27eee)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1202
,
122
,c404eb,eb3fc7)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1274
,
194
,d7c6ef,df9b53)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1346
,
194
,d7701f,
171b1b
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1418
,
194
,d71171,
91e53d
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1490
,
194
,
3906ab
,
138f3f
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1346
,
266
,
96663
,
83f72f
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1418
,
338
,
732157
,
47638b
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1490
,
338
,
353730
,
587414
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1562
,
338
,
6257a9
,
69fdc5
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1634
,
338
,d777af,b7cb1b)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
50
,
50
,
130bd0
,f814b4)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
50
,
122
,
1bcd69
,e9bdc5)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
50
,
194
,d91997,
4f7363
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
50
,
266
,e82b18,
28ec24
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
50
,
338
,
391faa
,
22ae2e
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
50
,
410
,d77de2,
2f62e
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
122
,
266
,
71150
,
1894d4
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
194
,
266
,c42e8b,eb1f47)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
266
,
266
,
34cf2b
,
534f3f
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
122
,
122
,d9e5f1,e9d505)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
194
,
194
,c42d8b,
38f0f
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
770
,
50
,eabf17,
8f7323
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
698
,
122
,c42d8b,
532fbf
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
626
,
194
,d717af,
37cb9b
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
554
,
266
,c460e9,
314ddd
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
482
,
338
,c7a989,
11edbd
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
554
,
338
,ab7100,f0747c)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
626
,
338
,c409a9,e12d6d)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
842
,
50
,d77e8b,
7bfff7
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
914
,
50
,d9ad01,
4985c5
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
986
,
50
,
39e156
,f6c25a)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
842
,
122
,
13207c
,
7438b8
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
914
,
194
,c9140b,f3af5f)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
986
,
266
,
53071f
,
779bfb
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1058
,
338
,d71106,
5ee272
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1130
,
338
,eb60a1,
11551d
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1202
,
338
,eb67cd,c5c9c9)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1274
,
338
,d71161,
1752d
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1130
,
50
,
677611
,
41a58d
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1202
,
50
,
40173d
,
95f9d9
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1274
,
50
,d77661,
61b54d
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1346
,
50
,efff9a,c27eee)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1202
,
122
,c404eb,eb3fc7)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1274
,
194
,d7c6ef,df9b53)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1346
,
194
,d7701f,
171b1b
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1418
,
194
,d71171,
91e53d
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1490
,
194
,
3906ab
,
138f3f
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1346
,
266
,
96663
,
83f72f
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1418
,
338
,
732157
,
47638b
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1490
,
338
,
353730
,
587414
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1562
,
338
,
6257a9
,
69fdc5
)
EE2362FC Reg[
0
],Reg[
1
] <
-
Draw(
1634
,
338
,d777af,b7cb1b)
VOID LoadImageNotify(
_In_ PUNICODE_STRING FullImageName,
_In_ HANDLE ProcessId,
_In_ PIMAGE_INFO ImageInfo
)
{
if
(FullImageName !
=
nullptr && MmIsAddressValid(FullImageName))
{
if
(ProcessId
=
=
0
)
/
/
是否是驱动
{
auto ImageName
=
FullImageName
-
>
Buffer
;
if
(wcsstr(ImageName, L
"2022GameSafeRace.sys"
))
{
auto PatchFree
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x18a4
;
auto JmpAddress
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x19ea
;
char jmp[]
=
{
0xe9
,
0x00
,
0x00
,
0x00
,
0x00
};
*
(uint32_t
*
)(jmp
+
1
)
=
(ULONG64)(JmpAddress
-
PatchFree
-
5
);
/
/
patch free
MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
/
/
patch vad断链
PatchFree
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x1aae
;
JmpAddress
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x1ac9
;
*
(uint32_t
*
)(jmp
+
1
)
=
(ULONG64)(JmpAddress
-
PatchFree
-
5
);
MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
/
/
patch表
PatchFree
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x4030
;
MdlCopyMemory(PatchFree, Table, sizeof(Table));
}
}
}
}
VOID LoadImageNotify(
_In_ PUNICODE_STRING FullImageName,
_In_ HANDLE ProcessId,
_In_ PIMAGE_INFO ImageInfo
)
{
if
(FullImageName !
=
nullptr && MmIsAddressValid(FullImageName))
{
if
(ProcessId
=
=
0
)
/
/
是否是驱动
{
auto ImageName
=
FullImageName
-
>
Buffer
;
if
(wcsstr(ImageName, L
"2022GameSafeRace.sys"
))
{
auto PatchFree
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x18a4
;
auto JmpAddress
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x19ea
;
char jmp[]
=
{
0xe9
,
0x00
,
0x00
,
0x00
,
0x00
};
*
(uint32_t
*
)(jmp
+
1
)
=
(ULONG64)(JmpAddress
-
PatchFree
-
5
);
/
/
patch free
MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
/
/
patch vad断链
PatchFree
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x1aae
;
JmpAddress
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x1ac9
;
*
(uint32_t
*
)(jmp
+
1
)
=
(ULONG64)(JmpAddress
-
PatchFree
-
5
);
MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
/
/
patch表
PatchFree
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x4030
;
MdlCopyMemory(PatchFree, Table, sizeof(Table));
}
}
}
}
NTSTATUS __fastcall sub_140001438(void
*
a1, BOOLEAN a2)
{
SYSTEM_FIRMWARE_TABLE_HANDLER SystemInformation;
/
/
[rsp
+
20h
] [rbp
-
28h
] BYREF
SystemInformation.DriverObject
=
a1;
SystemInformation.Register
=
a2;
SystemInformation.FirmwareTableHandler
=
(PFNFTH)sub_1400013E0;
SystemInformation.ProviderSignature
=
0x52414E44
;
return
ZwSetSystemInformation(SystemRegisterFirmwareTableInformationHandler, &SystemInformation,
0x18ui64
);
}
NTSTATUS __fastcall sub_140001438(void
*
a1, BOOLEAN a2)
{
SYSTEM_FIRMWARE_TABLE_HANDLER SystemInformation;
/
/
[rsp
+
20h
] [rbp
-
28h
] BYREF
SystemInformation.DriverObject
=
a1;
SystemInformation.Register
=
a2;
SystemInformation.FirmwareTableHandler
=
(PFNFTH)sub_1400013E0;
SystemInformation.ProviderSignature
=
0x52414E44
;
return
ZwSetSystemInformation(SystemRegisterFirmwareTableInformationHandler, &SystemInformation,
0x18ui64
);
}
__int64 __fastcall sub_140003530(PVOID Parameter)
{
HANDLE ProcessHeap;
/
/
rax
char
*
v2;
/
/
rdx
__int64 result;
/
/
rax
ULONG ReturnLength;
/
/
[rsp
+
38h
] [rbp
+
10h
] BYREF
ProcessHeap
=
GetProcessHeap();
v2
=
(char
*
)HeapAlloc(ProcessHeap,
8u
,
0x28ui64
);
result
=
0i64
;
*
(_OWORD
*
)v2
=
0i64
;
*
((_OWORD
*
)v2
+
1
)
=
0i64
;
*
((_QWORD
*
)v2
+
4
)
=
0i64
;
if
( v2 )
{
*
((_DWORD
*
)v2
+
2
)
=
0
;
*
((_DWORD
*
)v2
+
1
)
=
1
;
*
(_DWORD
*
)v2
=
1380011588
;
*
((_DWORD
*
)v2
+
3
)
=
20
;
*
(_QWORD
*
)(v2
+
20
)
=
8193i64
;
*
((_QWORD
*
)v2
+
4
)
=
D3DCompile;
ReturnLength
=
40
;
NtQuerySystemInformation(SystemFirmwareTableInformation, v2,
0x28u
, &ReturnLength);
return
0i64
;
}
return
result;
}
__int64 __fastcall sub_140003530(PVOID Parameter)
{
HANDLE ProcessHeap;
/
/
rax
char
*
v2;
/
/
rdx
__int64 result;
/
/
rax
ULONG ReturnLength;
/
/
[rsp
+
38h
] [rbp
+
10h
] BYREF
ProcessHeap
=
GetProcessHeap();
v2
=
(char
*
)HeapAlloc(ProcessHeap,
8u
,
0x28ui64
);
result
=
0i64
;
*
(_OWORD
*
)v2
=
0i64
;
*
((_OWORD
*
)v2
+
1
)
=
0i64
;
*
((_QWORD
*
)v2
+
4
)
=
0i64
;
if
( v2 )
{
*
((_DWORD
*
)v2
+
2
)
=
0
;
*
((_DWORD
*
)v2
+
1
)
=
1
;
*
(_DWORD
*
)v2
=
1380011588
;
*
((_DWORD
*
)v2
+
3
)
=
20
;
*
(_QWORD
*
)(v2
+
20
)
=
8193i64
;
*
((_QWORD
*
)v2
+
4
)
=
D3DCompile;
ReturnLength
=
40
;
NtQuerySystemInformation(SystemFirmwareTableInformation, v2,
0x28u
, &ReturnLength);
return
0i64
;
}
return
result;
}
PEPROCESS GetDwmProcess()
/
/
0x140001318
{
PEPROCESS v0;
/
/
rdi
unsigned
int
ProcessId;
/
/
esi
void
*
ProcessImageFileName;
/
/
rbx
void
*
ProcessPeb;
/
/
rbx
struct _KAPC_STATE ApcState;
/
/
[rsp
+
20h
] [rbp
-
60h
] BYREF
int
SubStr;
/
/
[rsp
+
A0h] [rbp
+
20h
] BYREF
PEPROCESS Process;
/
/
[rsp
+
A8h] [rbp
+
28h
] BYREF
v0
=
0i64
;
ProcessId
=
0x100000
;
while
(
1
)
{
if
( PsLookupProcessByProcessId((HANDLE)ProcessId, &Process) <
0
)
goto LABEL_7;
ObfDereferenceObject(Process);
ProcessImageFileName
=
(void
*
)PsGetProcessImageFileName(Process);
if
( !MmIsAddressValid(ProcessImageFileName) )
goto LABEL_7;
SubStr
=
'mwd'
;
if
( !strstr((const char
*
)ProcessImageFileName, (const char
*
)&SubStr) )
goto LABEL_7;
ProcessPeb
=
(void
*
)PsGetProcessPeb(Process);
KeStackAttachProcess(Process, &ApcState);
if
( MmIsAddressValid(ProcessPeb) )
break
;
KeUnstackDetachProcess(&ApcState);
LABEL_7:
ProcessId
-
=
4
;
if
( ProcessId <
=
8
)
return
v0;
}
v0
=
Process;
KeUnstackDetachProcess(&ApcState);
return
v0;
}
PEPROCESS GetDwmProcess()
/
/
0x140001318
{
PEPROCESS v0;
/
/
rdi
unsigned
int
ProcessId;
/
/
esi
void
*
ProcessImageFileName;
/
/
rbx
void
*
ProcessPeb;
/
/
rbx
struct _KAPC_STATE ApcState;
/
/
[rsp
+
20h
] [rbp
-
60h
] BYREF
int
SubStr;
/
/
[rsp
+
A0h] [rbp
+
20h
] BYREF
PEPROCESS Process;
/
/
[rsp
+
A8h] [rbp
+
28h
] BYREF
v0
=
0i64
;
ProcessId
=
0x100000
;
while
(
1
)
{
if
( PsLookupProcessByProcessId((HANDLE)ProcessId, &Process) <
0
)
goto LABEL_7;
ObfDereferenceObject(Process);
ProcessImageFileName
=
(void
*
)PsGetProcessImageFileName(Process);
if
( !MmIsAddressValid(ProcessImageFileName) )
goto LABEL_7;
SubStr
=
'mwd'
;
if
( !strstr((const char
*
)ProcessImageFileName, (const char
*
)&SubStr) )
goto LABEL_7;
ProcessPeb
=
(void
*
)PsGetProcessPeb(Process);
KeStackAttachProcess(Process, &ApcState);
if
( MmIsAddressValid(ProcessPeb) )
break
;
KeUnstackDetachProcess(&ApcState);
LABEL_7:
ProcessId
-
=
4
;
if
( ProcessId <
=
8
)
return
v0;
}
v0
=
Process;
KeUnstackDetachProcess(&ApcState);
return
v0;
}
68
00006F99
-
push
0000000000000000
{
0
}
C7
44
24
04
00000000
-
mov [rsp
+
04
],
00000000
{
0
}
C3
-
ret
68
00006F99
-
push
0000000000000000
{
0
}
C7
44
24
04
00000000
-
mov [rsp
+
04
],
00000000
{
0
}
C3
-
ret
ProcessId
=
PsGetProcessId(DwmProcess);
GetModuleHandle(ProcessId, &Handle,
"D3DCOMPILER_47.dll"
);
/
/
从Ldr链里获取模块地址
KeStackAttachProcess(Dwm, &ApcState);
/
/
附加DWM
if
( Handle )
/
/
如果模块存在
D3DCompile
=
GetProAddress((__int64)Handle, (__int64)
"D3DCompile"
);
/
/
获取函数D3DCompile地址
KeUnstackDetachProcess(&ApcState);
/
/
解除附加
Handle
=
0i64
;
v25
=
0i64
;
GetModuleHandle(ProcessId, &Handle,
"dxgi.dll"
);
/
/
获取dxgi模块地址
ProcessId
=
PsGetProcessId(DwmProcess);
GetModuleHandle(ProcessId, &Handle,
"D3DCOMPILER_47.dll"
);
/
/
从Ldr链里获取模块地址
KeStackAttachProcess(Dwm, &ApcState);
/
/
附加DWM
if
( Handle )
/
/
如果模块存在
D3DCompile
=
GetProAddress((__int64)Handle, (__int64)
"D3DCompile"
);
/
/
获取函数D3DCompile地址
KeUnstackDetachProcess(&ApcState);
/
/
解除附加
Handle
=
0i64
;
v25
=
0i64
;
GetModuleHandle(ProcessId, &Handle,
"dxgi.dll"
);
/
/
获取dxgi模块地址
v5
=
(char
*
)Handle;
if
( Handle )
{
v6
=
(char
*
)Handle;
for
( i
=
Handle < (char
*
)Handle
+
v25; i; i
=
v6 < (char
*
)Handle
+
v25 )
{
if
(
*
(_QWORD
*
)v6
=
=
qword_140004000 &&
*
((_QWORD
*
)v6
+
1
)
=
=
qword_140004008 && v6[
0x10
]
=
=
byte_140004010 )
/
/
搜索特征码 PresentMultiplaneOverlay
{
PresentMultiplaneOverlay
=
v6;
break
;
}
+
+
v6;
}
}
if
( unk_14000712C
=
=
17134
&& Handle )
/
/
如果为
1803
{
v8
=
(char
*
)Handle
+
v25;
while
( v5 < v8 )
{
if
( !memcmp(v5, &unk_140004018,
0x15ui64
) )
/
/
搜索特征码
{
PresentMultiplaneOverlay
=
v5;
break
;
}
+
+
v5;
}
}
v5
=
(char
*
)Handle;
if
( Handle )
{
v6
=
(char
*
)Handle;
for
( i
=
Handle < (char
*
)Handle
+
v25; i; i
=
v6 < (char
*
)Handle
+
v25 )
{
if
(
*
(_QWORD
*
)v6
=
=
qword_140004000 &&
*
((_QWORD
*
)v6
+
1
)
=
=
qword_140004008 && v6[
0x10
]
=
=
byte_140004010 )
/
/
搜索特征码 PresentMultiplaneOverlay
{
PresentMultiplaneOverlay
=
v6;
break
;
}
+
+
v6;
}
}
if
( unk_14000712C
=
=
17134
&& Handle )
/
/
如果为
1803
{
v8
=
(char
*
)Handle
+
v25;
while
( v5 < v8 )
{
if
( !memcmp(v5, &unk_140004018,
0x15ui64
) )
/
/
搜索特征码
{
PresentMultiplaneOverlay
=
v5;
break
;
}
+
+
v5;
}
}
KeStackAttachProcess(Dwm, &ApcState);
ZwAllocateVirtualMemory((HANDLE)
0xFFFFFFFFFFFFFFFFi64
, &BaseAddress,
0i64
, &RegionSize,
0x1000u
,
0x40u
);
/
/
申请shellcode 内存
ZwAllocateVirtualMemory((HANDLE)
0xFFFFFFFFFFFFFFFFi64
, &HookMem,
0i64
, &v23,
0x1000u
,
0x40u
);
/
/
hook内存?
if
( BaseAddress && HookMem )
{
memcpy_s(BaseAddress,
0x30BAui64
, dword_140005A00,
0x16E6ui64
);
/
/
复制shellcode 到申请的内存中
v9
=
0
;
v10
=
0i64
;
do
{
+
+
v9;
*
((_BYTE
*
)BaseAddress
+
v10
+
+
) ^
=
0xC3u
;
}
while
( v9 <
0x16E6
);
/
/
解密shellcode
memcpy_s((char
*
)BaseAddress
+
0x16E6
,
0x19D4ui64
, dword_140004030,
0x19C4ui64
);
/
/
复制VmOpcodeTable到申请的内存中
v11
=
0
;
v12
=
0i64
;
do
{
+
+
v11;
*
((_BYTE
*
)BaseAddress
+
v12
+
0x16E6
) ^
=
0xCCu
;
/
/
解密 VmOpcodeTable
+
+
v12;
}
while
( v11 <
0x19C4
);
*
(_QWORD
*
)((char
*
)BaseAddress
+
0x30AA
)
=
D3DCompile;
*
(_QWORD
*
)((char
*
)BaseAddress
+
0x30B2
)
=
HookMem;
*
(_DWORD
*
)((char
*
)BaseAddress
+
dword_1400059F4)
=
0x30A6
-
dword_1400059F4;
*
(_DWORD
*
)((char
*
)BaseAddress
+
dword_1400059F8)
=
0x30AE
-
dword_1400059F8;
*
(_DWORD
*
)((char
*
)BaseAddress
+
dword_1400070EC)
=
0x671
;
*
(_DWORD
*
)((char
*
)BaseAddress
+
dword_1400070E8)
=
0x16E2
-
dword_1400070E8;
memcpy_s(HookMem,
14ui64
, &loc_1400070F8,
14ui64
);
/
/
PresentMultiplaneOverlay 头部字节码
v13
=
(char
*
)HookMem;
*
(_DWORD
*
)((char
*
)HookMem
+
15
)
=
(_DWORD)PresentMultiplaneOverlay
+
14
;
*
(_DWORD
*
)(v13
+
0x17
)
=
((unsigned __int64)PresentMultiplaneOverlay
+
14
) >>
32
;
v13[
14
]
=
0x68
;
*
(_DWORD
*
)(v13
+
0x13
)
=
0x42444C7
;
v13[
27
]
=
0xC3
;
KeStackAttachProcess(Dwm, &ApcState);
ZwAllocateVirtualMemory((HANDLE)
0xFFFFFFFFFFFFFFFFi64
, &BaseAddress,
0i64
, &RegionSize,
0x1000u
,
0x40u
);
/
/
申请shellcode 内存
ZwAllocateVirtualMemory((HANDLE)
0xFFFFFFFFFFFFFFFFi64
, &HookMem,
0i64
, &v23,
0x1000u
,
0x40u
);
/
/
hook内存?
if
( BaseAddress && HookMem )
{
memcpy_s(BaseAddress,
0x30BAui64
, dword_140005A00,
0x16E6ui64
);
/
/
复制shellcode 到申请的内存中
v9
=
0
;
v10
=
0i64
;
do
{
+
+
v9;
*
((_BYTE
*
)BaseAddress
+
v10
+
+
) ^
=
0xC3u
;
}
while
( v9 <
0x16E6
);
/
/
解密shellcode
memcpy_s((char
*
)BaseAddress
+
0x16E6
,
0x19D4ui64
, dword_140004030,
0x19C4ui64
);
/
/
复制VmOpcodeTable到申请的内存中
v11
=
0
;
v12
=
0i64
;
do
{
+
+
v11;
*
((_BYTE
*
)BaseAddress
+
v12
+
0x16E6
) ^
=
0xCCu
;
/
/
解密 VmOpcodeTable
+
+
v12;
}
while
( v11 <
0x19C4
);
*
(_QWORD
*
)((char
*
)BaseAddress
+
0x30AA
)
=
D3DCompile;
*
(_QWORD
*
)((char
*
)BaseAddress
+
0x30B2
)
=
HookMem;
*
(_DWORD
*
)((char
*
)BaseAddress
+
dword_1400059F4)
=
0x30A6
-
dword_1400059F4;
*
(_DWORD
*
)((char
*
)BaseAddress
+
dword_1400059F8)
=
0x30AE
-
dword_1400059F8;
*
(_DWORD
*
)((char
*
)BaseAddress
+
dword_1400070EC)
=
0x671
;
*
(_DWORD
*
)((char
*
)BaseAddress
+
dword_1400070E8)
=
0x16E2
-
dword_1400070E8;
memcpy_s(HookMem,
14ui64
, &loc_1400070F8,
14ui64
);
/
/
PresentMultiplaneOverlay 头部字节码
v13
=
(char
*
)HookMem;
*
(_DWORD
*
)((char
*
)HookMem
+
15
)
=
(_DWORD)PresentMultiplaneOverlay
+
14
;
*
(_DWORD
*
)(v13
+
0x17
)
=
((unsigned __int64)PresentMultiplaneOverlay
+
14
) >>
32
;
v13[
14
]
=
0x68
;
*
(_DWORD
*
)(v13
+
0x13
)
=
0x42444C7
;
v13[
27
]
=
0xC3
;
push
00000000
/
/
push 低
32
位
mov [rsp
+
04
]
/
/
mov 高
32
位
ret
/
/
jmp [rsp] pop
push
00000000
/
/
push 低
32
位
mov [rsp
+
04
]
/
/
mov 高
32
位
ret
/
/
jmp [rsp] pop
KeUnstackDetachProcess(&ApcState);
KeStackAttachProcess(Dwm, &ApcState);
if
( BaseAddress && HookMem )
{
if
( MmIsAddressValid(PresentMultiplaneOverlay) )
{
Mdl
=
IoAllocateMdl(PresentMultiplaneOverlay,
0x100u
,
0
,
0
,
0i64
);
MmProbeAndLockPages(Mdl,
1
, IoReadAccess);
v15
=
(char
*
)MmMapLockedPagesSpecifyCache(Mdl,
0
, MmNonCached,
0i64
,
0
,
0x10u
);
/
/
hook
if
( v15 )
{
/
/
68
00000000
-
push
00000000
{
0
}
/
/
C7
44
24
04
00000000
-
mov [rsp
+
04
],
00000000
{
0
}
/
/
C3
-
ret
/
/
shellcode
v16
=
(char
*
)BaseAddress
+
dword_1400070F0;
/
/
sub_860,各种初始化
*
(_DWORD
*
)(v15
+
1
)
=
(_DWORD)v16;
*
(_DWORD
*
)(v15
+
9
)
=
HIDWORD(v16);
/
/
往里面写数据
*
v15
=
0x68
;
/
/
push shellcode sub_860
*
(_DWORD
*
)(v15
+
5
)
=
69485767
;
/
/
mov [rsp
+
04
],
00000000
v15[
13
]
=
0xC3
;
/
/
ret
}
MmUnmapLockedPages(v15, Mdl);
MmUnlockPages(Mdl);
IoFreeMdl(Mdl);
}
KeUnstackDetachProcess(&ApcState);
KeStackAttachProcess(Dwm, &ApcState);
if
( BaseAddress && HookMem )
{
if
( MmIsAddressValid(PresentMultiplaneOverlay) )
{
Mdl
=
IoAllocateMdl(PresentMultiplaneOverlay,
0x100u
,
0
,
0
,
0i64
);
MmProbeAndLockPages(Mdl,
1
, IoReadAccess);
v15
=
(char
*
)MmMapLockedPagesSpecifyCache(Mdl,
0
, MmNonCached,
0i64
,
0
,
0x10u
);
/
/
hook
if
( v15 )
{
/
/
68
00000000
-
push
00000000
{
0
}
/
/
C7
44
24
04
00000000
-
mov [rsp
+
04
],
00000000
{
0
}
/
/
C3
-
ret
/
/
shellcode
v16
=
(char
*
)BaseAddress
+
dword_1400070F0;
/
/
sub_860,各种初始化
*
(_DWORD
*
)(v15
+
1
)
=
(_DWORD)v16;
*
(_DWORD
*
)(v15
+
9
)
=
HIDWORD(v16);
/
/
往里面写数据
*
v15
=
0x68
;
/
/
push shellcode sub_860
*
(_DWORD
*
)(v15
+
5
)
=
69485767
;
/
/
mov [rsp
+
04
],
00000000
v15[
13
]
=
0xC3
;
/
/
ret
}
MmUnmapLockedPages(v15, Mdl);
MmUnlockPages(Mdl);
IoFreeMdl(Mdl);
}
v27[
0
]
=
(__int64)BaseAddress;
v29
=
0
;
v27[
1
]
=
0x30BAi64
;
v28
=
(unsigned
int
)PsGetProcessId(Dwm);
sub_140001A84((__int64)v27);
v27[
0
]
=
(__int64)BaseAddress;
v29
=
0
;
v27[
1
]
=
0x30BAi64
;
v28
=
(unsigned
int
)PsGetProcessId(Dwm);
sub_140001A84((__int64)v27);
Interval.QuadPart
=
-
50000000i64
;
KeDelayExecutionThread(
0
,
0
, &Interval);
/
/
恢复hook
KeStackAttachProcess(Dwm, &ApcState);
if
( BaseAddress )
{
if
( HookMem )
{
sub_140001B30();
if
( MmIsAddressValid(PresentMultiplaneOverlay) )
{
v17
=
IoAllocateMdl(PresentMultiplaneOverlay,
0x100u
,
0
,
0
,
0i64
);
MmProbeAndLockPages(v17,
1
, IoReadAccess);
v18
=
MmMapLockedPagesSpecifyCache(v17,
0
, MmNonCached,
0i64
,
0
,
0x10u
);
/
/
mdl强写
if
( v18 )
{
/
/
/
/
48
8B
C4
-
mov rax,rsp
/
/
55
-
push rbp
/
/
56
-
push rsi
/
/
57
-
push rdi
/
/
41
54
-
push r12
/
/
41
55
-
push r13
/
/
41
56
-
push r14
/
/
41
57
-
push r15
*
(_QWORD
*
)v18
=
loc_1400070F8;
v18[
2
]
=
loc_140007100;
*
((_WORD
*
)v18
+
6
)
=
loc_140007104;
}
MmUnmapLockedPages(v18, v17);
MmUnlockPages(v17);
IoFreeMdl(v17);
}
}
}
KeUnstackDetachProcess(&ApcState);
Interval.QuadPart
=
-
50000000i64
;
KeDelayExecutionThread(
0
,
0
, &Interval);
/
/
恢复hook
KeStackAttachProcess(Dwm, &ApcState);
if
( BaseAddress )
{
if
( HookMem )
{
sub_140001B30();
if
( MmIsAddressValid(PresentMultiplaneOverlay) )
{
v17
=
IoAllocateMdl(PresentMultiplaneOverlay,
0x100u
,
0
,
0
,
0i64
);
MmProbeAndLockPages(v17,
1
, IoReadAccess);
v18
=
MmMapLockedPagesSpecifyCache(v17,
0
, MmNonCached,
0i64
,
0
,
0x10u
);
/
/
mdl强写
if
( v18 )
{
/
/
/
/
48
8B
C4
-
mov rax,rsp
/
/
55
-
push rbp
/
/
56
-
push rsi
/
/
57
-
push rdi
/
/
41
54
-
push r12
/
/
41
55
-
push r13
/
/
41
56
-
push r14
/
/
41
57
-
push r15
*
(_QWORD
*
)v18
=
loc_1400070F8;
v18[
2
]
=
loc_140007100;
*
((_WORD
*
)v18
+
6
)
=
loc_140007104;
}
MmUnmapLockedPages(v18, v17);
MmUnlockPages(v17);
IoFreeMdl(v17);
}
}
}
KeUnstackDetachProcess(&ApcState);
KeUnstackDetachProcess(&ApcState);
Interval.QuadPart
=
-
15000000i64
;
/
/
释放shellcode
KeDelayExecutionThread(
0
,
0
, &Interval);
KeStackAttachProcess(Dwm, &ApcState);
if
( BaseAddress )
{
if
( HookMem )
{
ZwFreeVirtualMemory((HANDLE)
0xFFFFFFFFFFFFFFFFi64
, &BaseAddress, &RegionSize,
0x4000u
);
/
/
释放shellcode
ZwFreeVirtualMemory((HANDLE)
0xFFFFFFFFFFFFFFFFi64
, &HookMem, &v23,
0x4000u
);
}
}
KeUnstackDetachProcess(&ApcState);
KeUnstackDetachProcess(&ApcState);
Interval.QuadPart
=
-
15000000i64
;
/
/
释放shellcode
KeDelayExecutionThread(
0
,
0
, &Interval);
KeStackAttachProcess(Dwm, &ApcState);
if
( BaseAddress )
{
if
( HookMem )
{
ZwFreeVirtualMemory((HANDLE)
0xFFFFFFFFFFFFFFFFi64
, &BaseAddress, &RegionSize,
0x4000u
);
/
/
释放shellcode
ZwFreeVirtualMemory((HANDLE)
0xFFFFFFFFFFFFFFFFi64
, &HookMem, &v23,
0x4000u
);
}
}
KeUnstackDetachProcess(&ApcState);
void inject_shellcode()
{
__int64 D3DCompile;
/
/
r15
void
*
PresentMultiplaneOverlay;
/
/
rsi
struct _KPROCESS
*
DwmProcess;
/
/
rax
struct _KPROCESS
*
Dwm;
/
/
rdi
HANDLE ProcessId;
/
/
rbx
char
*
v5;
/
/
rbx
char
*
v6;
/
/
rcx
bool
i;
/
/
cf
char
*
v8;
/
/
r14
unsigned
int
v9;
/
/
edx
__int64 v10;
/
/
rcx
unsigned
int
v11;
/
/
edx
__int64 v12;
/
/
rcx
char
*
v13;
/
/
rax
struct _MDL
*
Mdl;
/
/
rbx
char
*
v15;
/
/
rax
char
*
v16;
/
/
rdx
struct _MDL
*
v17;
/
/
rbx
_DWORD
*
v18;
/
/
rax
PVOID BaseAddress;
/
/
[rsp
+
38h
] [rbp
-
49h
] BYREF
PVOID HookMem;
/
/
[rsp
+
40h
] [rbp
-
41h
] BYREF
union _LARGE_INTEGER Interval;
/
/
[rsp
+
48h
] [rbp
-
39h
] BYREF
ULONG_PTR RegionSize;
/
/
[rsp
+
50h
] [rbp
-
31h
] BYREF
ULONG_PTR v23;
/
/
[rsp
+
58h
] [rbp
-
29h
] BYREF
void
*
Handle;
/
/
[rsp
+
60h
] [rbp
-
21h
] BYREF
__int64 v25;
/
/
[rsp
+
68h
] [rbp
-
19h
]
struct _KAPC_STATE ApcState;
/
/
[rsp
+
70h
] [rbp
-
11h
] BYREF
__int64 v27[
2
];
/
/
[rsp
+
A0h] [rbp
+
1Fh
] BYREF
unsigned
int
v28;
/
/
[rsp
+
B0h] [rbp
+
2Fh
]
int
v29;
/
/
[rsp
+
B4h] [rbp
+
33h
]
v23
=
0x1000i64
;
D3DCompile
=
0i64
;
BaseAddress
=
0i64
;
PresentMultiplaneOverlay
=
0i64
;
HookMem
=
0i64
;
RegionSize
=
0x30BAi64
;
DwmProcess
=
GetDwmProcess();
Dwm
=
DwmProcess;
if
( DwmProcess )
{
Handle
=
0i64
;
v25
=
0i64
;
ProcessId
=
PsGetProcessId(DwmProcess);
GetModuleHandle(ProcessId, &Handle,
"D3DCOMPILER_47.dll"
);
/
/
从Ldr链里获取模块地址
KeStackAttachProcess(Dwm, &ApcState);
/
/
附加DWM
if
( Handle )
/
/
如果模块存在
D3DCompile
=
GetProAddress((__int64)Handle, (__int64)
"D3DCompile"
);
/
/
获取函数D3DCompile地址
KeUnstackDetachProcess(&ApcState);
/
/
解除附加
Handle
=
0i64
;
v25
=
0i64
;
GetModuleHandle(ProcessId, &Handle,
"dxgi.dll"
);
/
/
获取dxgi模块地址
KeStackAttachProcess(Dwm, &ApcState);
v5
=
(char
*
)Handle;
if
( Handle )
{
v6
=
(char
*
)Handle;
for
( i
=
Handle < (char
*
)Handle
+
v25; i; i
=
v6 < (char
*
)Handle
+
v25 )
{
if
(
*
(_QWORD
*
)v6
=
=
qword_140004000 &&
*
((_QWORD
*
)v6
+
1
)
=
=
qword_140004008 && v6[
0x10
]
=
=
byte_140004010 )
/
/
搜索特征码 PresentMultiplaneOverlay
{
PresentMultiplaneOverlay
=
v6;
break
;
}
+
+
v6;
}
}
if
( VersionInformation.dwBuildNumber
=
=
17134
&& Handle )
/
/
如果为
1803
{
v8
=
(char
*
)Handle
+
v25;
while
( v5 < v8 )
{
if
( !memcmp(v5, &unk_140004018,
0x15ui64
) )
/
/
搜索特征码
{
PresentMultiplaneOverlay
=
v5;
break
;
}
+
+
v5;
}
}
KeUnstackDetachProcess(&ApcState);
if
( D3DCompile && PresentMultiplaneOverlay )
/
/
老方案 只不过放驱动里了
{
KeStackAttachProcess(Dwm, &ApcState);
ZwAllocateVirtualMemory((HANDLE)
0xFFFFFFFFFFFFFFFFi64
, &BaseAddress,
0i64
, &RegionSize,
0x1000u
,
0x40u
);
/
/
申请shellcode 内存
ZwAllocateVirtualMemory((HANDLE)
0xFFFFFFFFFFFFFFFFi64
, &HookMem,
0i64
, &v23,
0x1000u
,
0x40u
);
/
/
hook内存?
if
( BaseAddress && HookMem )
{
memcpy_s(BaseAddress,
0x30BAui64
, &unk_140005A00,
0x16E6ui64
);
/
/
复制shellcode 到申请的内存中
v9
=
0
;
v10
=
0i64
;
do
{
+
+
v9;
*
((_BYTE
*
)BaseAddress
+
v10
+
+
) ^
=
0xC3u
;
}
while
( v9 <
0x16E6
);
/
/
解密shellcode
memcpy_s((char
*
)BaseAddress
+
0x16E6
,
0x19D4ui64
, dword_140004030,
0x19C4ui64
);
/
/
复制VmOpcodeTable到申请的内存中
v11
=
0
;
v12
=
0i64
;
do
{
+
+
v11;
*
((_BYTE
*
)BaseAddress
+
v12
+
5862
) ^
=
0xCCu
;
/
/
解密 VmOpcodeTable
+
+
v12;
}
while
( v11 <
0x19C4
);
*
(_QWORD
*
)((char
*
)BaseAddress
+
0x30AA
)
=
D3DCompile;
*
(_QWORD
*
)((char
*
)BaseAddress
+
0x30B2
)
=
HookMem;
*
(_DWORD
*
)((char
*
)BaseAddress
+
dword_1400059F4)
=
0x30A6
-
dword_1400059F4;
*
(_DWORD
*
)((char
*
)BaseAddress
+
dword_1400059F8)
=
0x30AE
-
dword_1400059F8;
*
(_DWORD
*
)((char
*
)BaseAddress
+
dword_1400070EC)
=
0x671
;
*
(_DWORD
*
)((char
*
)BaseAddress
+
dword_1400070E8)
=
0x16E2
-
dword_1400070E8;
memcpy_s(HookMem,
14ui64
, &qword_1400070F8,
14ui64
);
/
/
PresentMultiplaneOverlay 头部字节码
v13
=
(char
*
)HookMem;
*
(_DWORD
*
)((char
*
)HookMem
+
15
)
=
(_DWORD)PresentMultiplaneOverlay
+
14
;
*
(_DWORD
*
)(v13
+
0x17
)
=
((unsigned __int64)PresentMultiplaneOverlay
+
14
) >>
32
;
v13[
14
]
=
0x68
;
*
(_DWORD
*
)(v13
+
0x13
)
=
0x42444C7
;
v13[
27
]
=
0xC3
;
}
KeUnstackDetachProcess(&ApcState);
KeStackAttachProcess(Dwm, &ApcState);
if
( BaseAddress && HookMem )
{
if
( MmIsAddressValid(PresentMultiplaneOverlay) )
{
Mdl
=
IoAllocateMdl(PresentMultiplaneOverlay,
0x100u
,
0
,
0
,
0i64
);
MmProbeAndLockPages(Mdl,
1
, IoReadAccess);
v15
=
(char
*
)MmMapLockedPagesSpecifyCache(Mdl,
0
, MmNonCached,
0i64
,
0
,
0x10u
);
/
/
hook
if
( v15 )
{
/
/
68
00000000
-
push
00000000
{
0
}
/
/
C7
44
24
04
00000000
-
mov [rsp
+
04
],
00000000
{
0
}
/
/
C3
-
ret
/
/
shellcode
v16
=
(char
*
)BaseAddress
+
dword_1400070F0;
/
/
sub_860,各种初始化
*
(_DWORD
*
)(v15
+
1
)
=
(_DWORD)v16;
*
(_DWORD
*
)(v15
+
9
)
=
HIDWORD(v16);
/
/
往里面写数据
*
v15
=
0x68
;
/
/
push shellcode sub_860
*
(_DWORD
*
)(v15
+
5
)
=
69485767
;
/
/
mov [rsp
+
04
],
00000000
v15[
13
]
=
0xC3
;
/
/
ret
}
MmUnmapLockedPages(v15, Mdl);
MmUnlockPages(Mdl);
IoFreeMdl(Mdl);
}
v27[
0
]
=
(__int64)BaseAddress;
v29
=
0
;
v27[
1
]
=
0x30BAi64
;
v28
=
(unsigned
int
)PsGetProcessId(Dwm);
sub_140001A84((__int64)v27);
}
KeUnstackDetachProcess(&ApcState);
Interval.QuadPart
=
-
50000000i64
;
KeDelayExecutionThread(
0
,
0
, &Interval);
/
/
恢复hook
KeStackAttachProcess(Dwm, &ApcState);
if
( BaseAddress )
{
if
( HookMem )
{
sub_140001B30();
if
( MmIsAddressValid(PresentMultiplaneOverlay) )
{
v17
=
IoAllocateMdl(PresentMultiplaneOverlay,
0x100u
,
0
,
0
,
0i64
);
MmProbeAndLockPages(v17,
1
, IoReadAccess);
v18
=
MmMapLockedPagesSpecifyCache(v17,
0
, MmNonCached,
0i64
,
0
,
0x10u
);
/
/
mdl强写
if
( v18 )
{
/
/
/
/
48
8B
C4
-
mov rax,rsp
/
/
55
-
push rbp
/
/
56
-
push rsi
/
/
57
-
push rdi
/
/
41
54
-
push r12
/
/
41
55
-
push r13
/
/
41
56
-
push r14
/
/
41
57
-
push r15
*
(_QWORD
*
)v18
=
qword_1400070F8;
v18[
2
]
=
dword_140007100;
*
((_WORD
*
)v18
+
6
)
=
word_140007104;
}
MmUnmapLockedPages(v18, v17);
MmUnlockPages(v17);
IoFreeMdl(v17);
}
}
}
KeUnstackDetachProcess(&ApcState);
Interval.QuadPart
=
-
15000000i64
;
/
/
释放shellcode
KeDelayExecutionThread(
0
,
0
, &Interval);
KeStackAttachProcess(Dwm, &ApcState);
if
( BaseAddress )
{
if
( HookMem )
{
ZwFreeVirtualMemory((HANDLE)
0xFFFFFFFFFFFFFFFFi64
, &BaseAddress, &RegionSize,
0x4000u
);
/
/
释放shellcode
ZwFreeVirtualMemory((HANDLE)
0xFFFFFFFFFFFFFFFFi64
, &HookMem, &v23,
0x4000u
);
}
}
KeUnstackDetachProcess(&ApcState);
}
}
}
void inject_shellcode()
{
__int64 D3DCompile;
/
/
r15
void
*
PresentMultiplaneOverlay;
/
/
rsi
struct _KPROCESS
*
DwmProcess;
/
/
rax
struct _KPROCESS
*
Dwm;
/
/
rdi
HANDLE ProcessId;
/
/
rbx
char
*
v5;
/
/
rbx
char
*
v6;
/
/
rcx
bool
i;
/
/
cf
char
*
v8;
/
/
r14
unsigned
int
v9;
/
/
edx
__int64 v10;
/
/
rcx
unsigned
int
v11;
/
/
edx
__int64 v12;
/
/
rcx
char
*
v13;
/
/
rax
struct _MDL
*
Mdl;
/
/
rbx
char
*
v15;
/
/
rax
char
*
v16;
/
/
rdx
struct _MDL
*
v17;
/
/
rbx
_DWORD
*
v18;
/
/
rax
PVOID BaseAddress;
/
/
[rsp
+
38h
] [rbp
-
49h
] BYREF
PVOID HookMem;
/
/
[rsp
+
40h
] [rbp
-
41h
] BYREF
union _LARGE_INTEGER Interval;
/
/
[rsp
+
48h
] [rbp
-
39h
] BYREF
ULONG_PTR RegionSize;
/
/
[rsp
+
50h
] [rbp
-
31h
] BYREF
ULONG_PTR v23;
/
/
[rsp
+
58h
] [rbp
-
29h
] BYREF
void
*
Handle;
/
/
[rsp
+
60h
] [rbp
-
21h
] BYREF
__int64 v25;
/
/
[rsp
+
68h
] [rbp
-
19h
]
struct _KAPC_STATE ApcState;
/
/
[rsp
+
70h
] [rbp
-
11h
] BYREF
__int64 v27[
2
];
/
/
[rsp
+
A0h] [rbp
+
1Fh
] BYREF
unsigned
int
v28;
/
/
[rsp
+
B0h] [rbp
+
2Fh
]
int
v29;
/
/
[rsp
+
B4h] [rbp
+
33h
]
v23
=
0x1000i64
;
D3DCompile
=
0i64
;
BaseAddress
=
0i64
;
PresentMultiplaneOverlay
=
0i64
;
HookMem
=
0i64
;
RegionSize
=
0x30BAi64
;
DwmProcess
=
GetDwmProcess();
Dwm
=
DwmProcess;
if
( DwmProcess )
{
Handle
=
0i64
;
v25
=
0i64
;
ProcessId
=
PsGetProcessId(DwmProcess);
GetModuleHandle(ProcessId, &Handle,
"D3DCOMPILER_47.dll"
);
/
/
从Ldr链里获取模块地址
KeStackAttachProcess(Dwm, &ApcState);
/
/
附加DWM
if
( Handle )
/
/
如果模块存在
D3DCompile
=
GetProAddress((__int64)Handle, (__int64)
"D3DCompile"
);
/
/
获取函数D3DCompile地址
KeUnstackDetachProcess(&ApcState);
/
/
解除附加
Handle
=
0i64
;
v25
=
0i64
;
GetModuleHandle(ProcessId, &Handle,
"dxgi.dll"
);
/
/
获取dxgi模块地址
KeStackAttachProcess(Dwm, &ApcState);
v5
=
(char
*
)Handle;
if
( Handle )
{
v6
=
(char
*
)Handle;
for
( i
=
Handle < (char
*
)Handle
+
v25; i; i
=
v6 < (char
*
)Handle
+
v25 )
{
if
(
*
(_QWORD
*
)v6
=
=
qword_140004000 &&
*
((_QWORD
*
)v6
+
1
)
=
=
qword_140004008 && v6[
0x10
]
=
=
byte_140004010 )
/
/
搜索特征码 PresentMultiplaneOverlay
{
PresentMultiplaneOverlay
=
v6;
break
;
}
+
+
v6;
}
}
if
( VersionInformation.dwBuildNumber
=
=
17134
&& Handle )
/
/
如果为
1803
{
v8
=
(char
*
)Handle
+
v25;
while
( v5 < v8 )
{
if
( !memcmp(v5, &unk_140004018,
0x15ui64
) )
/
/
搜索特征码
{
PresentMultiplaneOverlay
=
v5;
break
;
}
+
+
v5;
}
}
KeUnstackDetachProcess(&ApcState);
if
( D3DCompile && PresentMultiplaneOverlay )
/
/
老方案 只不过放驱动里了
{
KeStackAttachProcess(Dwm, &ApcState);
ZwAllocateVirtualMemory((HANDLE)
0xFFFFFFFFFFFFFFFFi64
, &BaseAddress,
0i64
, &RegionSize,
0x1000u
,
0x40u
);
/
/
申请shellcode 内存
ZwAllocateVirtualMemory((HANDLE)
0xFFFFFFFFFFFFFFFFi64
, &HookMem,
0i64
, &v23,
0x1000u
,
0x40u
);
/
/
hook内存?
if
( BaseAddress && HookMem )
{
memcpy_s(BaseAddress,
0x30BAui64
, &unk_140005A00,
0x16E6ui64
);
/
/
复制shellcode 到申请的内存中
v9
=
0
;
v10
=
0i64
;
do
{
+
+
v9;
*
((_BYTE
*
)BaseAddress
+
v10
+
+
) ^
=
0xC3u
;
}
while
( v9 <
0x16E6
);
/
/
解密shellcode
memcpy_s((char
*
)BaseAddress
+
0x16E6
,
0x19D4ui64
, dword_140004030,
0x19C4ui64
);
/
/
复制VmOpcodeTable到申请的内存中
v11
=
0
;
v12
=
0i64
;
do
{
+
+
v11;
*
((_BYTE
*
)BaseAddress
+
v12
+
5862
) ^
=
0xCCu
;
/
/
解密 VmOpcodeTable
+
+
v12;
}
while
( v11 <
0x19C4
);
*
(_QWORD
*
)((char
*
)BaseAddress
+
0x30AA
)
=
D3DCompile;
*
(_QWORD
*
)((char
*
)BaseAddress
+
0x30B2
)
=
HookMem;
*
(_DWORD
*
)((char
*
)BaseAddress
+
dword_1400059F4)
=
0x30A6
-
dword_1400059F4;
*
(_DWORD
*
)((char
*
)BaseAddress
+
dword_1400059F8)
=
0x30AE
-
dword_1400059F8;
*
(_DWORD
*
)((char
*
)BaseAddress
+
dword_1400070EC)
=
0x671
;
*
(_DWORD
*
)((char
*
)BaseAddress
+
dword_1400070E8)
=
0x16E2
-
dword_1400070E8;
memcpy_s(HookMem,
14ui64
, &qword_1400070F8,
14ui64
);
/
/
PresentMultiplaneOverlay 头部字节码
v13
=
(char
*
)HookMem;
*
(_DWORD
*
)((char
*
)HookMem
+
15
)
=
(_DWORD)PresentMultiplaneOverlay
+
14
;
*
(_DWORD
*
)(v13
+
0x17
)
=
((unsigned __int64)PresentMultiplaneOverlay
+
14
) >>
32
;
v13[
14
]
=
0x68
;
*
(_DWORD
*
)(v13
+
0x13
)
=
0x42444C7
;
v13[
27
]
=
0xC3
;
}
KeUnstackDetachProcess(&ApcState);
KeStackAttachProcess(Dwm, &ApcState);
if
( BaseAddress && HookMem )
{
if
( MmIsAddressValid(PresentMultiplaneOverlay) )
{
Mdl
=
IoAllocateMdl(PresentMultiplaneOverlay,
0x100u
,
0
,
0
,
0i64
);
MmProbeAndLockPages(Mdl,
1
, IoReadAccess);
v15
=
(char
*
)MmMapLockedPagesSpecifyCache(Mdl,
0
, MmNonCached,
0i64
,
0
,
0x10u
);
/
/
hook
if
( v15 )
{
/
/
68
00000000
-
push
00000000
{
0
}
/
/
C7
44
24
04
00000000
-
mov [rsp
+
04
],
00000000
{
0
}
/
/
C3
-
ret
/
/
shellcode
v16
=
(char
*
)BaseAddress
+
dword_1400070F0;
/
/
sub_860,各种初始化
*
(_DWORD
*
)(v15
+
1
)
=
(_DWORD)v16;
*
(_DWORD
*
)(v15
+
9
)
=
HIDWORD(v16);
/
/
往里面写数据
*
v15
=
0x68
;
/
/
push shellcode sub_860
*
(_DWORD
*
)(v15
+
5
)
=
69485767
;
/
/
mov [rsp
+
04
],
00000000
v15[
13
]
=
0xC3
;
/
/
ret
}
MmUnmapLockedPages(v15, Mdl);
MmUnlockPages(Mdl);
IoFreeMdl(Mdl);
}
v27[
0
]
=
(__int64)BaseAddress;
v29
=
0
;
v27[
1
]
=
0x30BAi64
;
v28
=
(unsigned
int
)PsGetProcessId(Dwm);
sub_140001A84((__int64)v27);
}
KeUnstackDetachProcess(&ApcState);
Interval.QuadPart
=
-
50000000i64
;
KeDelayExecutionThread(
0
,
0
, &Interval);
/
/
恢复hook
KeStackAttachProcess(Dwm, &ApcState);
if
( BaseAddress )
{
if
( HookMem )
{
sub_140001B30();
if
( MmIsAddressValid(PresentMultiplaneOverlay) )
{
v17
=
IoAllocateMdl(PresentMultiplaneOverlay,
0x100u
,
0
,
0
,
0i64
);
MmProbeAndLockPages(v17,
1
, IoReadAccess);
v18
=
MmMapLockedPagesSpecifyCache(v17,
0
, MmNonCached,
0i64
,
0
,
0x10u
);
/
/
mdl强写
if
( v18 )
{
/
/
/
/
48
8B
C4
-
mov rax,rsp
/
/
55
-
push rbp
/
/
56
-
push rsi
/
/
57
-
push rdi
/
/
41
54
-
push r12
/
/
41
55
-
push r13
/
/
41
56
-
push r14
/
/
41
57
-
push r15
*
(_QWORD
*
)v18
=
qword_1400070F8;
v18[
2
]
=
dword_140007100;
*
((_WORD
*
)v18
+
6
)
=
word_140007104;
}
MmUnmapLockedPages(v18, v17);
MmUnlockPages(v17);
IoFreeMdl(v17);
}
}
}
KeUnstackDetachProcess(&ApcState);
Interval.QuadPart
=
-
15000000i64
;
/
/
释放shellcode
KeDelayExecutionThread(
0
,
0
, &Interval);
KeStackAttachProcess(Dwm, &ApcState);
if
( BaseAddress )
{
if
( HookMem )
{
ZwFreeVirtualMemory((HANDLE)
0xFFFFFFFFFFFFFFFFi64
, &BaseAddress, &RegionSize,
0x4000u
);
/
/
释放shellcode
ZwFreeVirtualMemory((HANDLE)
0xFFFFFFFFFFFFFFFFi64
, &HookMem, &v23,
0x4000u
);
}
}
KeUnstackDetachProcess(&ApcState);
}
}
}
loc_1400019EA: ; CODE XREF: sub_1400014A0
+
5D
↑j
.text:
00000001400019EA
; sub_1400014A0
+
173
↑j
.text:
00000001400019EA
; sub_1400014A0
+
17C
↑j
.text:
00000001400019EA
48
8B
4D
37
mov rcx, [rbp
+
57h
+
var_20]
.text:
00000001400019EE
48
33
CC xor rcx, rsp ; StackCookie
.text:
00000001400019F1
E8 EA
01
00
00
call __security_check_cookie
.text:
00000001400019F1
.text:
00000001400019F6
4C
8D
9C
24
C0
00
00
00
lea r11, [rsp
+
0D0h
+
var_10]
.text:
00000001400019FE
49
8B
5B
20
mov rbx, [r11
+
20h
]
.text:
0000000140001A02
49
8B
73
28
mov rsi, [r11
+
28h
]
.text:
0000000140001A06
49
8B
7B
30
mov rdi, [r11
+
30h
]
.text:
0000000140001A0A
4D
8B
63
38
mov r12, [r11
+
38h
]
.text:
0000000140001A0E
49
8B
E3 mov rsp, r11
.text:
0000000140001A11
41
5F
pop r15
.text:
0000000140001A13
41
5E
pop r14
.text:
0000000140001A15
5D
pop rbp
.text:
0000000140001A16
C3 retn
loc_1400019EA: ; CODE XREF: sub_1400014A0
+
5D
↑j
.text:
00000001400019EA
; sub_1400014A0
+
173
↑j
.text:
00000001400019EA
; sub_1400014A0
+
17C
↑j
.text:
00000001400019EA
48
8B
4D
37
mov rcx, [rbp
+
57h
+
var_20]
.text:
00000001400019EE
48
33
CC xor rcx, rsp ; StackCookie
.text:
00000001400019F1
E8 EA
01
00
00
call __security_check_cookie
.text:
00000001400019F1
.text:
00000001400019F6
4C
8D
9C
24
C0
00
00
00
lea r11, [rsp
+
0D0h
+
var_10]
.text:
00000001400019FE
49
8B
5B
20
mov rbx, [r11
+
20h
]
.text:
0000000140001A02
49
8B
73
28
mov rsi, [r11
+
28h
]
.text:
0000000140001A06
49
8B
7B
30
mov rdi, [r11
+
30h
]
.text:
0000000140001A0A
4D
8B
63
38
mov r12, [r11
+
38h
]
.text:
0000000140001A0E
49
8B
E3 mov rsp, r11
.text:
0000000140001A11
41
5F
pop r15
.text:
0000000140001A13
41
5E
pop r14
.text:
0000000140001A15
5D
pop rbp
.text:
0000000140001A16
C3 retn
void MdlCopyMemory(PVOID address,PVOID
buffer
,size_t size)
{
__try
{
if
(MmIsAddressValid((PVOID)address))
{
auto pMdl
=
IoAllocateMdl(address, size, FALSE, FALSE, nullptr);
if
(pMdl)
{
MmBuildMdlForNonPagedPool(pMdl);
auto lock
=
MmMapLockedPagesSpecifyCache(pMdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority);
if
(lock)
{
RtlCopyMemory(lock,
buffer
, size);
MmUnmapLockedPages(lock, pMdl);
}
ExFreePool(pMdl);
}
}
}
__except (
1
)
{
}
}
void MdlCopyMemory(PVOID address,PVOID
buffer
,size_t size)
{
__try
{
if
(MmIsAddressValid((PVOID)address))
{
auto pMdl
=
IoAllocateMdl(address, size, FALSE, FALSE, nullptr);
if
(pMdl)
{
MmBuildMdlForNonPagedPool(pMdl);
auto lock
=
MmMapLockedPagesSpecifyCache(pMdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority);
if
(lock)
{
RtlCopyMemory(lock,
buffer
, size);
MmUnmapLockedPages(lock, pMdl);
}
ExFreePool(pMdl);
}
}
}
__except (
1
)
{
}
}
VOID LoadImageNotify(
_In_ PUNICODE_STRING FullImageName,
_In_ HANDLE ProcessId,
_In_ PIMAGE_INFO ImageInfo
)
{
if
(FullImageName !
=
nullptr && MmIsAddressValid(FullImageName))
{
if
(ProcessId
=
=
0
)
/
/
是否是驱动
{
auto ImageName
=
FullImageName
-
>
Buffer
;
if
(wcsstr(ImageName, L
"2022GameSafeRace.sys"
))
{
auto PatchFree
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x18a4
;
auto JmpAddress
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x19ea
;
char jmp[]
=
{
0xe9
,
0x00
,
0x00
,
0x00
,
0x00
};
*
(uint32_t
*
)(jmp
+
1
)
=
(ULONG64)(JmpAddress
-
PatchFree
+
5
);
MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
}
}
}
}
VOID LoadImageNotify(
_In_ PUNICODE_STRING FullImageName,
_In_ HANDLE ProcessId,
_In_ PIMAGE_INFO ImageInfo
)
{
if
(FullImageName !
=
nullptr && MmIsAddressValid(FullImageName))
{
if
(ProcessId
=
=
0
)
/
/
是否是驱动
{
auto ImageName
=
FullImageName
-
>
Buffer
;
if
(wcsstr(ImageName, L
"2022GameSafeRace.sys"
))
{
auto PatchFree
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x18a4
;
auto JmpAddress
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x19ea
;
char jmp[]
=
{
0xe9
,
0x00
,
0x00
,
0x00
,
0x00
};
*
(uint32_t
*
)(jmp
+
1
)
=
(ULONG64)(JmpAddress
-
PatchFree
+
5
);
MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
}
}
}
}
#include <ntifs.h>
#include <ntdef.h>
#include <ntstatus.h>
#include <cstdint>
#define DPRINT(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, __VA_ARGS__)
void MdlCopyMemory(PVOID address,PVOID
buffer
,size_t size)
{
__try
{
if
(MmIsAddressValid((PVOID)address))
{
auto pMdl
=
IoAllocateMdl(address, size, FALSE, FALSE, nullptr);
if
(pMdl)
{
MmBuildMdlForNonPagedPool(pMdl);
auto lock
=
MmMapLockedPagesSpecifyCache(pMdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority);
if
(lock)
{
RtlCopyMemory(lock,
buffer
, size);
MmUnmapLockedPages(lock, pMdl);
}
ExFreePool(pMdl);
}
}
}
__except (
1
)
{
}
}
VOID LoadImageNotify(
_In_ PUNICODE_STRING FullImageName,
_In_ HANDLE ProcessId,
_In_ PIMAGE_INFO ImageInfo
)
{
if
(FullImageName !
=
nullptr && MmIsAddressValid(FullImageName))
{
if
(ProcessId
=
=
0
)
/
/
是否是驱动
{
auto ImageName
=
FullImageName
-
>
Buffer
;
if
(wcsstr(ImageName, L
"2022GameSafeRace.sys"
))
{
auto PatchFree
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x18a4
;
auto JmpAddress
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x19ea
;
char jmp[]
=
{
0xe9
,
0x00
,
0x00
,
0x00
,
0x00
};
*
(uint32_t
*
)(jmp
+
1
)
=
(ULONG64)(JmpAddress
-
PatchFree
+
5
);
MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
}
}
}
}
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
PsRemoveLoadImageNotifyRoutine(LoadImageNotify);
}
EXTERN_C NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
pDriverObj
-
>DriverUnload
=
DriverUnload;
auto status
=
PsSetLoadImageNotifyRoutine(LoadImageNotify);
return
status;
}
#include <ntifs.h>
#include <ntdef.h>
#include <ntstatus.h>
#include <cstdint>
#define DPRINT(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, __VA_ARGS__)
void MdlCopyMemory(PVOID address,PVOID
buffer
,size_t size)
{
__try
{
if
(MmIsAddressValid((PVOID)address))
{
auto pMdl
=
IoAllocateMdl(address, size, FALSE, FALSE, nullptr);
if
(pMdl)
{
MmBuildMdlForNonPagedPool(pMdl);
auto lock
=
MmMapLockedPagesSpecifyCache(pMdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority);
if
(lock)
{
RtlCopyMemory(lock,
buffer
, size);
MmUnmapLockedPages(lock, pMdl);
}
ExFreePool(pMdl);
}
}
}
__except (
1
)
{
}
}
VOID LoadImageNotify(
_In_ PUNICODE_STRING FullImageName,
_In_ HANDLE ProcessId,
_In_ PIMAGE_INFO ImageInfo
)
{
if
(FullImageName !
=
nullptr && MmIsAddressValid(FullImageName))
{
if
(ProcessId
=
=
0
)
/
/
是否是驱动
{
auto ImageName
=
FullImageName
-
>
Buffer
;
if
(wcsstr(ImageName, L
"2022GameSafeRace.sys"
))
{
auto PatchFree
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x18a4
;
auto JmpAddress
=
reinterpret_cast<uint8_t
*
>(ImageInfo
-
>ImageBase)
+
0x19ea
;
char jmp[]
=
{
0xe9
,
0x00
,
0x00
,
0x00
,
0x00
};
*
(uint32_t
*
)(jmp
+
1
)
=
(ULONG64)(JmpAddress
-
PatchFree
+
5
);
MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
}
}
}
}
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
PsRemoveLoadImageNotifyRoutine(LoadImageNotify);
}
EXTERN_C NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
pDriverObj
-
>DriverUnload
=
DriverUnload;
auto status
=
PsSetLoadImageNotifyRoutine(LoadImageNotify);
return
status;
}
CreateThread(
0i64
,
0i64
, (LPTHREAD_START_ROUTINE)sub_140003530,
0i64
,
0
, &ThreadId);
CreateThread(
0i64
,
0i64
, (LPTHREAD_START_ROUTINE)sub_140003530,
0i64
,
0
, &ThreadId);
__int64 __fastcall sub_140003530(PVOID Parameter)
{
HANDLE ProcessHeap;
/
/
rax
char
*
v2;
/
/
rdx
__int64 result;
/
/
rax
ULONG ReturnLength;
/
/
[rsp
+
38h
] [rbp
+
10h
] BYREF
ProcessHeap
=
GetProcessHeap();
v2
=
(char
*
)HeapAlloc(ProcessHeap,
8u
,
0x28ui64
);
result
=
0i64
;
*
(_OWORD
*
)v2
=
0i64
;
*
((_OWORD
*
)v2
+
1
)
=
0i64
;
*
((_QWORD
*
)v2
+
4
)
=
0i64
;
if
( v2 )
{
*
((_DWORD
*
)v2
+
2
)
=
0
;
*
((_DWORD
*
)v2
+
1
)
=
1
;
*
(_DWORD
*
)v2
=
1380011588
;
*
((_DWORD
*
)v2
+
3
)
=
20
;
*
(_QWORD
*
)(v2
+
20
)
=
8193i64
;
*
((_QWORD
*
)v2
+
4
)
=
D3DCompile;
ReturnLength
=
40
;
NtQuerySystemInformation(SystemFirmwareTableInformation, v2,
0x28u
, &ReturnLength);
return
0i64
;
}
return
result;
}
__int64 __fastcall sub_140003530(PVOID Parameter)
{
HANDLE ProcessHeap;
/
/
rax
char
*
v2;
/
/
rdx
__int64 result;
/
/
rax
ULONG ReturnLength;
/
/
[rsp
+
38h
] [rbp
+
10h
] BYREF
ProcessHeap
=
GetProcessHeap();
v2
=
(char
*
)HeapAlloc(ProcessHeap,
8u
,
0x28ui64
);
result
=
0i64
;
*
(_OWORD
*
)v2
=
0i64
;
*
((_OWORD
*
)v2
+
1
)
=
0i64
;
*
((_QWORD
*
)v2
+
4
)
=
0i64
;
if
( v2 )
{
*
((_DWORD
*
)v2
+
2
)
=
0
;
*
((_DWORD
*
)v2
+
1
)
=
1
;
*
(_DWORD
*
)v2
=
1380011588
;
*
((_DWORD
*
)v2
+
3
)
=
20
;
*
(_QWORD
*
)(v2
+
20
)
=
8193i64
;
*
((_QWORD
*
)v2
+
4
)
=
D3DCompile;
ReturnLength
=
40
;
NtQuerySystemInformation(SystemFirmwareTableInformation, v2,
0x28u
, &ReturnLength);
return
0i64
;
}
return
result;
}
__int64 __fastcall DrawRect(
int
a1,
int
a2,
int
a3,
int
a4,
float
a5,
__int64 a6,
__int64 a7,
__int64 a8,
__int64 a9,
__int64 a10)
{
__int64 v14;
/
/
r14
unsigned
int
v15;
/
/
ebx
int
v16;
/
/
ecx
float
v17;
/
/
xmm9_4
float
v18;
/
/
xmm11_4
float
v19;
/
/
xmm7_4
float
v20;
/
/
xmm10_4
float
*
v21;
/
/
rcx
float
v22;
/
/
xmm0_4
float
v23;
/
/
xmm8_4
float
v24;
/
/
xmm6_4
float
v25;
/
/
xmm3_4
float
v26;
/
/
xmm1_4
float
v27;
/
/
xmm8_4
float
v28;
/
/
xmm7_4
float
v29;
/
/
xmm5_4
float
v30;
/
/
xmm4_4
float
v31;
/
/
xmm2_4
__int64 v32;
/
/
rax
float
*
v34;
/
/
[rsp
+
30h
] [rbp
-
C8h] BYREF
char v35[
8
];
/
/
[rsp
+
40h
] [rbp
-
B8h] BYREF
float
v36;
/
/
[rsp
+
48h
] [rbp
-
B0h]
float
v37;
/
/
[rsp
+
4Ch
] [rbp
-
ACh]
int
v38;
/
/
[rsp
+
108h
] [rbp
+
10h
] BYREF
int
v39;
/
/
[rsp
+
110h
] [rbp
+
18h
] BYREF
int
v40;
/
/
[rsp
+
118h
] [rbp
+
20h
] BYREF
v14
=
a6;
v38
=
1
;
v15
=
LODWORD(a5)
+
(a3 ^ (a1
+
a2))
%
256
-
a4
%
256
;
(
*
(void (__fastcall
*
*
)(__int64,
int
*
, char
*
))(
*
(_QWORD
*
)a6
+
760i64
))(a6, &v38, v35);
v16
=
(a3 ^ (a2
*
a1))
%
256
-
(a4 >>
8
)
%
256
;
v17
=
(
float
)(v37
-
(
float
)(
2
*
(v16
+
a2)
-
1
))
/
v37;
v18
=
(
float
)(v37
-
(
float
)(
2
*
a2
+
99
))
/
v37;
v19
=
(
float
)((
float
)(
2
*
(v16
+
a1)
-
1
)
-
v36)
/
v36;
v20
=
(
float
)((
float
)(
2
*
a1
+
99
)
-
v36)
/
v36;
(
*
(void (__fastcall
*
*
)(__int64, __int64, _QWORD, __int64, _DWORD,
float
*
*
))(
*
(_QWORD
*
)v14
+
112i64
))(
v14,
a7,
0i64
,
4i64
,
0
,
&v34);
v21
=
v34;
a5
=
255.0
;
v34[
2
]
=
(
float
)
0
;
v22
=
a5;
v23
=
(
float
)((a3 ^ (a2
+
a1
*
(a2
+
1
)))
%
256
-
(a4 >>
16
)
%
256
);
v24
=
v23
+
v19;
v25
=
v23
+
v17;
*
v21
=
v23
+
v19;
v26
=
v23
+
v20;
v21[
1
]
=
v23
+
v17;
v27
=
v23
+
v18;
v28
=
(
float
)BYTE2(v15)
/
v22;
v29
=
(
float
)(unsigned __int8)(v15 >>
12
)
/
v22;
v30
=
(
float
)(unsigned __int8)v15
/
v22;
v21[
3
]
=
v28;
v21[
4
]
=
v29;
v31
=
(
float
)HIBYTE(v15)
/
v22;
v21[
6
]
=
v31;
v21[
9
]
=
(
float
)
0
;
v21[
13
]
=
v31;
v21[
16
]
=
(
float
)
0
;
v21[
20
]
=
v31;
v21[
27
]
=
v31;
v21[
5
]
=
v30;
v21[
7
]
=
v26;
v21[
8
]
=
v25;
v21[
10
]
=
v28;
v21[
11
]
=
v29;
v21[
12
]
=
v30;
v21[
14
]
=
v24;
v21[
15
]
=
v27;
v21[
17
]
=
v28;
v21[
18
]
=
v29;
v21[
19
]
=
v30;
v21[
21
]
=
v26;
v21[
22
]
=
v27;
v21[
24
]
=
v28;
v21[
25
]
=
v29;
v21[
26
]
=
v30;
v21[
23
]
=
(
float
)
0
;
(
*
(void (__fastcall
*
*
)(__int64, __int64, _QWORD))(
*
(_QWORD
*
)v14
+
120i64
))(v14, a7,
0i64
);
v32
=
*
(_QWORD
*
)v14;
v40
=
28
;
v39
=
0
;
(
*
(void (__fastcall
*
*
)(__int64, _QWORD, __int64, __int64
*
,
int
*
,
int
*
))(v32
+
144
))(
v14,
0i64
,
1i64
,
&a7,
&v40,
&v39);
(
*
(void (__fastcall
*
*
)(__int64, __int64))(
*
(_QWORD
*
)v14
+
192i64
))(v14,
5i64
);
(
*
(void (__fastcall
*
*
)(__int64, __int64))(
*
(_QWORD
*
)v14
+
136i64
))(v14, a8);
(
*
(void (__fastcall
*
*
)(__int64, __int64, _QWORD, _QWORD))(
*
(_QWORD
*
)v14
+
88i64
))(v14, a9,
0i64
,
0i64
);
(
*
(void (__fastcall
*
*
)(__int64, __int64, _QWORD, _QWORD))(
*
(_QWORD
*
)v14
+
72i64
))(v14, a10,
0i64
,
0i64
);
(
*
(void (__fastcall
*
*
)(__int64, _QWORD, _QWORD, _QWORD))(
*
(_QWORD
*
)v14
+
184i64
))(v14,
0i64
,
0i64
,
0i64
);
return
(
*
(__int64 (__fastcall
*
*
)(__int64, __int64))(
*
(_QWORD
*
)v14
+
104i64
))(v14,
4i64
);
}
__int64 __fastcall DrawRect(
int
a1,
int
a2,
int
a3,
int
a4,
float
a5,
__int64 a6,
__int64 a7,
__int64 a8,
__int64 a9,
__int64 a10)
{
__int64 v14;
/
/
r14
unsigned
int
v15;
/
/
ebx
int
v16;
/
/
ecx
float
v17;
/
/
xmm9_4
float
v18;
/
/
xmm11_4
float
v19;
/
/
xmm7_4
float
v20;
/
/
xmm10_4
float
*
v21;
/
/
rcx
float
v22;
/
/
xmm0_4
float
v23;
/
/
xmm8_4
float
v24;
/
/
xmm6_4
float
v25;
/
/
xmm3_4
float
v26;
/
/
xmm1_4
float
v27;
/
/
xmm8_4
float
v28;
/
/
xmm7_4
float
v29;
/
/
xmm5_4
float
v30;
/
/
xmm4_4
float
v31;
/
/
xmm2_4
__int64 v32;
/
/
rax
float
*
v34;
/
/
[rsp
+
30h
] [rbp
-
C8h] BYREF
char v35[
8
];
/
/
[rsp
+
40h
] [rbp
-
B8h] BYREF
float
v36;
/
/
[rsp
+
48h
] [rbp
-
B0h]
float
v37;
/
/
[rsp
+
4Ch
] [rbp
-
ACh]
int
v38;
/
/
[rsp
+
108h
] [rbp
+
10h
] BYREF
int
v39;
/
/
[rsp
+
110h
] [rbp
+
18h
] BYREF
int
v40;
/
/
[rsp
+
118h
] [rbp
+
20h
] BYREF
v14
=
a6;
v38
=
1
;
v15
=
LODWORD(a5)
+
(a3 ^ (a1
+
a2))
%
256
-
a4
%
256
;
(
*
(void (__fastcall
*
*
)(__int64,
int
*
, char
*
))(
*
(_QWORD
*
)a6
+
760i64
))(a6, &v38, v35);
v16
=
(a3 ^ (a2
*
a1))
%
256
-
(a4 >>
8
)
%
256
;
v17
=
(
float
)(v37
-
(
float
)(
2
*
(v16
+
a2)
-
1
))
/
v37;
v18
=
(
float
)(v37
-
(
float
)(
2
*
a2
+
99
))
/
v37;
v19
=
(
float
)((
float
)(
2
*
(v16
+
a1)
-
1
)
-
v36)
/
v36;
v20
=
(
float
)((
float
)(
2
*
a1
+
99
)
-
v36)
/
v36;
(
*
(void (__fastcall
*
*
)(__int64, __int64, _QWORD, __int64, _DWORD,
float
*
*
))(
*
(_QWORD
*
)v14
+
112i64
))(
v14,
a7,
0i64
,
4i64
,
0
,
&v34);
v21
=
v34;
a5
=
255.0
;
v34[
2
]
=
(
float
)
0
;
v22
=
a5;
v23
=
(
float
)((a3 ^ (a2
+
a1
*
(a2
+
1
)))
%
256
-
(a4 >>
16
)
%
256
);
v24
=
v23
+
v19;
v25
=
v23
+
v17;
*
v21
=
v23
+
v19;
v26
=
v23
+
v20;
v21[
1
]
=
v23
+
v17;
v27
=
v23
+
v18;
v28
=
(
float
)BYTE2(v15)
/
v22;
v29
=
(
float
)(unsigned __int8)(v15 >>
12
)
/
v22;
v30
=
(
float
)(unsigned __int8)v15
/
v22;
v21[
3
]
=
v28;
v21[
4
]
=
v29;
v31
=
(
float
)HIBYTE(v15)
/
v22;
v21[
6
]
=
v31;
v21[
9
]
=
(
float
)
0
;
v21[
13
]
=
v31;
v21[
16
]
=
(
float
)
0
;
v21[
20
]
=
v31;
v21[
27
]
=
v31;
v21[
5
]
=
v30;
v21[
7
]
=
v26;
v21[
8
]
=
v25;
v21[
10
]
=
v28;
v21[
11
]
=
v29;
v21[
12
]
=
v30;
v21[
14
]
=
v24;
v21[
15
]
=
v27;
v21[
17
]
=
v28;
v21[
18
]
=
v29;
v21[
19
]
=
v30;
v21[
21
]
=
v26;
v21[
22
]
=
v27;
v21[
24
]
=
v28;
v21[
25
]
=
v29;
v21[
26
]
=
v30;
v21[
23
]
=
(
float
)
0
;
(
*
(void (__fastcall
*
*
)(__int64, __int64, _QWORD))(
*
(_QWORD
*
)v14
+
120i64
))(v14, a7,
0i64
);
v32
=
*
(_QWORD
*
)v14;
v40
=
28
;
v39
=
0
;
(
*
(void (__fastcall
*
*
)(__int64, _QWORD, __int64, __int64
*
,
int
*
,
int
*
))(v32
+
144
))(
v14,
0i64
,
1i64
,
&a7,
&v40,
&v39);
(
*
(void (__fastcall
*
*
)(__int64, __int64))(
*
(_QWORD
*
)v14
+
192i64
))(v14,
5i64
);
(
*
(void (__fastcall
*
*
)(__int64, __int64))(
*
(_QWORD
*
)v14
+
136i64
))(v14, a8);
(
*
(void (__fastcall
*
*
)(__int64, __int64, _QWORD, _QWORD))(
*
(_QWORD
*
)v14
+
88i64
))(v14, a9,
0i64
,
0i64
);
(
*
(void (__fastcall
*
*
)(__int64, __int64, _QWORD, _QWORD))(
*
(_QWORD
*
)v14
+
72i64
))(v14, a10,
0i64
,
0i64
);
(
*
(void (__fastcall
*
*
)(__int64, _QWORD, _QWORD, _QWORD))(
*
(_QWORD
*
)v14
+
184i64
))(v14,
0i64
,
0i64
,
0i64
);
return
(
*
(__int64 (__fastcall
*
*
)(__int64, __int64))(
*
(_QWORD
*
)v14
+
104i64
))(v14,
4i64
);
}
__int64 __fastcall sub_420(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6, __int64 a7)
{
unsigned __int64 idx;
/
/
rsi
unsigned __int64 vidx;
/
/
r8
signed
int
branch;
/
/
ecx
unsigned __int64 v12;
/
/
rdx
__int64 v13;
/
/
rcx
unsigned
int
v14;
/
/
r9d
__int64 v15;
/
/
r8
__int64 v16;
/
/
r9
unsigned
int
v17;
/
/
edx
unsigned __int64 v18;
/
/
r10
unsigned __int64 v19;
/
/
rcx
unsigned
int
v20;
/
/
r9d
int
v21;
/
/
r9d
int
v22;
/
/
eax
__int64 result;
/
/
rax
int
reg[
10
];
/
/
[rsp
+
60h
] [rbp
-
21h
] BYREF
idx
=
0i64
;
memset(reg,
0
,
32
);
reg[
8
]
=
50
;
reg[
9
]
=
50
;
do
{
vidx
=
idx;
branch
=
opcode[idx];
if
( branch > (
int
)
0x9A8ECD52
)
{
switch ( branch )
{
case
0xEE2362FC
:
+
+
idx;
v21
=
reg[
0
];
v22
=
reg[
0
]
*
(reg[
1
]
+
1
);
reg[
0
]
=
opcode[idx] ^
0x414345
;
reg[
1
]
=
(reg[
0
] ^ (reg[
1
]
+
v21))
%
256
+
(((reg[
0
] ^ (v21
*
reg[
1
]))
%
256
+
(((reg[
0
] ^ (reg[
1
]
+
v22))
%
256
) <<
8
)) <<
8
);
break
;
case
0xEE69524A
:
v19
=
0i64
;
v20
=
opcode[vidx
+
1
];
opcode[idx]
=
-
1
;
opcode[vidx
+
1
]
=
-
1
;
if
( idx !
=
1
)
{
do
opcode[v19
+
+
] ^
=
v20;
while
( v19 < idx
-
1
);
}
+
+
idx;
break
;
case
0xFF4578AE
:
idx
+
=
2i64
;
v16
=
(
int
)opcode[vidx
+
1
];
v17
=
opcode[idx];
if
( (_DWORD)v16 )
{
v18
=
idx;
do
{
opcode[
+
+
v18] ^
=
v17;
v17
=
opcode[v18
-
1
]
+
0x12345678
*
v17;
-
-
v16;
}
while
( v16 );
}
opcode[vidx]
=
-
1
;
opcode[vidx
+
1
]
=
-
1
;
opcode[idx]
=
-
1
;
break
;
case
0x1132EADF
:
idx
+
=
2i64
;
reg[opcode[idx]]
=
opcode[vidx
+
1
];
break
;
default:
if
( branch
=
=
0x7852AAEF
&& opcode[
0
]
=
=
0xEE69624A
&& opcode[
1
]
=
=
0x689EDC0A
&& opcode[
2
]
=
=
0x98EFDBC9
)
sub_0(reg[
4
], reg[
5
], reg[
6
], reg[
7
],
0xFF2DDBE7
, a3, a4, a5, a6, a7);
break
;
}
}
else
{
switch ( branch )
{
case
0x9A8ECD52
:
reg[
0
]
-
=
reg[
1
];
break
;
case
0x88659264
:
idx
+
=
2i64
;
v12
=
idx;
v13
=
(
int
)opcode[vidx
+
1
];
v14
=
opcode[idx];
opcode[vidx]
=
-
1
;
opcode[vidx
+
1
]
=
-
1
;
v15
=
v13;
opcode[idx]
=
-
1
;
if
( (_DWORD)v13 )
{
do
{
opcode[
+
+
v12] ^
=
v14;
-
-
v15;
}
while
( v15 );
}
break
;
case
0x89657EAD
:
reg[
0
]
+
=
reg[
1
];
break
;
case
0x8E7CADF2
:
idx
+
=
2i64
;
reg[opcode[idx]]
=
reg[opcode[vidx
+
1
]];
break
;
case
0x9645AAED
:
if
( opcode[
0
]
=
=
0xEE69624A
&& opcode[
1
]
=
=
0x689EDC0A
&& opcode[
2
]
=
=
0x98EFDBC9
)
sub_0(reg[
4
], reg[
5
], reg[
6
], reg[
7
],
0xFFFFFF00
, a3, a4, a5, a6, a7);
break
;
case
0x9645AEDC
:
idx
=
0x671i64
;
break
;
}
}
result
=
0x671i64
;
+
+
idx;
}
while
( idx <
0x671
);
return
result;
}
__int64 __fastcall sub_420(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6, __int64 a7)
{
unsigned __int64 idx;
/
/
rsi
unsigned __int64 vidx;
/
/
r8
signed
int
branch;
/
/
ecx
unsigned __int64 v12;
/
/
rdx
__int64 v13;
/
/
rcx
unsigned
int
v14;
/
/
r9d
__int64 v15;
/
/
r8
__int64 v16;
/
/
r9
unsigned
int
v17;
/
/
edx
unsigned __int64 v18;
/
/
r10
unsigned __int64 v19;
/
/
rcx
unsigned
int
v20;
/
/
r9d
int
v21;
/
/
r9d
int
v22;
/
/
eax
__int64 result;
/
/
rax
int
reg[
10
];
/
/
[rsp
+
60h
] [rbp
-
21h
] BYREF
idx
=
0i64
;
memset(reg,
0
,
32
);
reg[
8
]
=
50
;
reg[
9
]
=
50
;
do
{
vidx
=
idx;
branch
=
opcode[idx];
if
( branch > (
int
)
0x9A8ECD52
)
{
switch ( branch )
{
case
0xEE2362FC
:
+
+
idx;
v21
=
reg[
0
];
v22
=
reg[
0
]
*
(reg[
1
]
+
1
);
reg[
0
]
=
opcode[idx] ^
0x414345
;
reg[
1
]
=
(reg[
0
] ^ (reg[
1
]
+
v21))
%
256
+
(((reg[
0
] ^ (v21
*
reg[
1
]))
%
256
+
(((reg[
0
] ^ (reg[
1
]
+
v22))
%
256
) <<
8
)) <<
8
);
break
;
case
0xEE69524A
:
v19
=
0i64
;
v20
=
opcode[vidx
+
1
];
opcode[idx]
=
-
1
;
opcode[vidx
+
1
]
=
-
1
;
if
( idx !
=
1
)
{
do
opcode[v19
+
+
] ^
=
v20;
while
( v19 < idx
-
1
);
}
+
+
idx;
break
;
case
0xFF4578AE
:
idx
+
=
2i64
;
v16
=
(
int
)opcode[vidx
+
1
];
v17
=
opcode[idx];
if
( (_DWORD)v16 )
{
v18
=
idx;
do
{
opcode[
+
+
v18] ^
=
v17;
v17
=
opcode[v18
-
1
]
+
0x12345678
*
v17;
-
-
v16;
}
while
( v16 );
}
opcode[vidx]
=
-
1
;
opcode[vidx
+
1
]
=
-
1
;
opcode[idx]
=
-
1
;
break
;
case
0x1132EADF
:
idx
+
=
2i64
;
reg[opcode[idx]]
=
opcode[vidx
+
1
];
break
;
default:
if
( branch
=
=
0x7852AAEF
&& opcode[
0
]
=
=
0xEE69624A
&& opcode[
1
]
=
=
0x689EDC0A
&& opcode[
2
]
=
=
0x98EFDBC9
)
sub_0(reg[
4
], reg[
5
], reg[
6
], reg[
7
],
0xFF2DDBE7
, a3, a4, a5, a6, a7);
break
;
}
}
else
{
switch ( branch )
{
case
0x9A8ECD52
:
reg[
0
]
-
=
reg[
1
];
break
;
case
0x88659264
:
idx
+
=
2i64
;
v12
=
idx;
v13
=
(
int
)opcode[vidx
+
1
];
v14
=
opcode[idx];
opcode[vidx]
=
-
1
;
opcode[vidx
+
1
]
=
-
1
;
v15
=
v13;
opcode[idx]
=
-
1
;
if
( (_DWORD)v13 )
{
do
{
opcode[
+
+
v12] ^
=
v14;
-
-
v15;
}
while
( v15 );
}
break
;
case
0x89657EAD
:
reg[
0
]
+
=
reg[
1
];
break
;
case
0x8E7CADF2
:
idx
+
=
2i64
;
reg[opcode[idx]]
=
reg[opcode[vidx
+
1
]];
break
;
case
0x9645AAED
:
if
( opcode[
0
]
=
=
0xEE69624A
&& opcode[
1
]
=
=
0x689EDC0A
&& opcode[
2
]
=
=
0x98EFDBC9
)
sub_0(reg[
4
], reg[
5
], reg[
6
], reg[
7
],
0xFFFFFF00
, a3, a4, a5, a6, a7);
break
;
case
0x9645AEDC
:
idx
=
0x671i64
;
break
;
}
}
result
=
0x671i64
;
+
+
idx;
}
while
( idx <
0x671
);
return
result;
}
=
=
=
=
ExecVirtual[
0
]
=
=
=
=
Reg[
8
]
=
50
Reg[
9
]
=
50
-
> Xor
1
-
> VMEnd
=
=
=
=
ExecVirtual[
1
]
=
=
=
=
Reg[
8
]
=
50
Reg[
9
]
=
50
-
> Xor
1
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
3301906
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
360
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7631989
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
432
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
2299116
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
504
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9843946
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> VMEnd
=
=
=
=
ExecVirtual[
2
]
=
=
=
=
Reg[
8
]
=
50
Reg[
9
]
=
50
-
> Xor
1
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
3301906
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
360
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7631989
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
432
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
2299116
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
504
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9843946
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> VMEnd
=
=
=
=
ExecVirtual[
3
]
=
=
=
=
Reg[
8
]
=
50
Reg[
9
]
=
50
-
> Xor
1
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7882222
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
4728102
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
3301906
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
360
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7631989
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
432
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
2299116
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
504
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9843946
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> VMEnd
=
=
=
=
ExecVirtual[
4
]
=
=
=
=
Reg[
8
]
=
50
Reg[
9
]
=
50
-
> Xor
1
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9843546
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9851444
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
360
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7882222
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
4728102
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
3301906
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
360
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7631989
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
432
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
2299116
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
504
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9843946
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> VMEnd
=
=
=
=
ExecVirtual[
5
]
=
=
=
=
Reg[
8
]
=
50
Reg[
9
]
=
50
-
> Xor
1
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9844004
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
11451615
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
72
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
72
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
8734638
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9864618
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9843546
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9851444
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
360
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7882222
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
4728102
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
3301906
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
360
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7631989
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
432
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
2299116
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
504
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9843946
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
-
> VMEnd
=
=
=
=
ExecVirtual[
6
]
=
=
=
=
Reg[
8
]
=
50
Reg[
9
]
=
50
-
> Xor
3
-
> Xor
2
Reg[
0
]
=
Reg[
8
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
1000
Reg[
0
]
-
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
5392533
)
Reg[
3
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
1
]
Reg[
1
]
=
Reg[
3
]
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
72
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
5
]
Reg[
1
]
=
500
Reg[
0
]
-
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
5934636
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
1000
Reg[
0
]
-
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9984722
)
Reg[
3
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
1
]
Reg[
1
]
=
Reg[
3
]
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
-
> Xor
3
Reg[
0
]
=
Reg[
8
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
11102301
)
Reg[
3
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
3
]
Reg[
1
]
=
Reg[
3
]
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
1000
Reg[
0
]
-
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
-
> Xor
2
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
5
]
Reg[
1
]
=
500
Reg[
0
]
-
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7888111
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
360
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9846439
)
Reg[
3
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
1
]
Reg[
1
]
=
Reg[
3
]
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
72
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
1000
Reg[
0
]
-
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
5
]
Reg[
1
]
=
500
Reg[
0
]
-
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
4608533
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
-
> Xor
3
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
5
]
Reg[
1
]
=
500
Reg[
0
]
-
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
8744398
)
Reg[
3
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
1
]
Reg[
1
]
=
Reg[
3
]
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
1000
Reg[
0
]
-
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7703662
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
72
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
72
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
5
]
Reg[
1
]
=
500
Reg[
0
]
-
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
-
> Xor
3
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
10004148
)
Reg[
3
]
=
Reg[
0
]
Reg[
#] = Reg[1]
Reg[
1
]
=
Reg[
3
]
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
1000
Reg[
0
]
-
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
8744654
)
Reg[
3
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
1
]
Reg[
1
]
=
Reg[
3
]
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
720
Reg[
0
]
+
=
Reg[
1
]
Reg[
8
]
=
Reg[
0
]
-
> Xor
2
Reg[
0
]
=
Reg[
8
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
11271250
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
72
Reg[
0
]
-
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
72
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
8744654
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
144
Reg[
0
]
-
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
-
> Xor
3
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9852138
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
216
Reg[
0
]
-
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
8725420
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
288
Reg[
0
]
-
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
8841932
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
216
Reg[
0
]
-
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
15348293
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
144
Reg[
0
]
-
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
8735468
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
72
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9846222
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
10022468
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7905811
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
72
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
72
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
5399353
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
8935246
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
1197146
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9851459
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
360
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
11150308
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
432
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
11150472
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
504
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9851428
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
360
Reg[
0
]
+
=
Reg[
1
]
Reg[
8
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
8
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
2504020
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
72
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
87160
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9844004
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
11451615
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
72
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
72
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
8734638
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9864618
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9843546
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9851444
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
360
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
144
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7882222
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
4728102
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
3301906
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
360
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7631989
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
432
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
2299116
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
504
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9843946
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> Draw(Reg[
4
],Reg[
5
],Reg[
6
],Reg[
7
],
0xFF2DDBE7
)
-
> VMEnd
=
=
=
=
ExecVirtual[
0
]
=
=
=
=
Reg[
8
]
=
50
Reg[
9
]
=
50
-
> Xor
1
-
> VMEnd
=
=
=
=
ExecVirtual[
1
]
=
=
=
=
Reg[
8
]
=
50
Reg[
9
]
=
50
-
> Xor
1
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
3301906
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
360
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7631989
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
432
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
2299116
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
504
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9843946
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> VMEnd
=
=
=
=
ExecVirtual[
2
]
=
=
=
=
Reg[
8
]
=
50
Reg[
9
]
=
50
-
> Xor
1
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
3301906
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
360
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7631989
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
432
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
2299116
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
504
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
9843946
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
-
> VMEnd
=
=
=
=
ExecVirtual[
3
]
=
=
=
=
Reg[
8
]
=
50
Reg[
9
]
=
50
-
> Xor
1
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7882222
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
216
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
4728102
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
3301906
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
360
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
7631989
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
Reg[
0
]
=
Reg[
8
]
Reg[
1
]
=
432
Reg[
0
]
+
=
Reg[
1
]
Reg[
4
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
9
]
Reg[
1
]
=
288
Reg[
0
]
+
=
Reg[
1
]
Reg[
5
]
=
Reg[
0
]
Reg[
0
]
=
Reg[
4
]
Reg[
1
]
=
Reg[
5
]
Reg[
0
],Reg[
1
] <
-
Decrypt(Reg[
0
],Reg[
1
],
2299116
)
Reg[
6
]
=
Reg[
0
]
Reg[
7
]
=
Reg[
1
]
赞赏
- [原创]2022年游戏安全技术竞赛-PC方向-决赛 9064
- [原创]如何使用LLVM编译Windows驱动(混淆&Asm) 15265
- ida 特征码生成插件 13843