首页
社区
课程
招聘
[原创]2022年游戏安全技术竞赛-PC方向-决赛
发表于: 2022-4-29 20:35 9063

[原创]2022年游戏安全技术竞赛-PC方向-决赛

2022-4-29 20:35
9063

项目地址
图片描述

hook并调用坐标绘制

搜索 比赛驱动的hook

然后我再hook

注入压缩包中的HookPatch.dll 可以看到效果

通过虚拟机模拟,得到绘制坐标信息

再通过std::vector<uint32_t> VM::OutVituralOpCodeTable(const std::vector<Opcode>& opcodes)

生成新的opcode

利用驱动loadimg 回调

patch 目标驱动

由于是通过loadimg进行patch 所以PatchDriver.sys 需要在比赛驱动之前加载

加载PatchDriver.sys 后加载比赛驱动在运行2022游戏安全技术竞赛决赛.exe 可以看到flag

注入screenshot.dll 按home 即可截图 截图文件在 d:\dwm.jpg

循环遍历进程名有DWM的进程

起始Processid 为 0x100000

每次循环减4

大概流程,获取DWM EPROCESS

获取 D3DCompile 地址

搜索内存 获取 CDXGISwapChain::PresentMultiplaneOverlay

申请内存 复制shellcodeVmOpcodeTable 到DWM中 并解密

HookMem = CDXGISwapChain::PresentMultiplaneOverlay 头部字节 加上

= 跳回 PresentMultiplaneOverlay

hook CDXGISwapChain::PresentMultiplaneOverlay 跳到shellcode + 860

v31 = PresentMultiplaneOverlay(v43, a2, v49, a4, v72, a5, v71);

sub_860+D18 Address:0x1578 Offset:0x1578

这里执行 hookmem

延迟5秒恢复hook

延迟15秒释放内存

利用MDL 强行写入shellcode 到PresentMultiplaneOverlay

Hook shellcode 大概

直接patch吧 一看就知道啥东西

没仔细看导致我minhook失败调我半天

延迟5秒恢复PresentMultiplaneOverlay 的hook

loc_1400070F8 里是PresentMultiplaneOverlay头部字节

不用解释

大概流程

注册loadimg回调

比赛sys加载 触发回调

image-20220423202130093

然后jmp 到

WinMain下段跟

发现这段参加线程

点进去一看

发现NtQuerySystemInformation

明显是通过 NtQuerySystemInformation触发回调

dump下shellcode 分析

卧槽? 这不是咱老朋友吗

不过虚拟机进化了

虚拟机经过六次解密达到最终结果

还是老样子

这里1000,500导致的坐标负数

这里导致的交换reg[5] reg[6]

patch 500 1000导致的负数,

patch 交换 reg[5] reg[6]

通过模拟执行得到rect信息 利用这些信息生成新的opcode

在我的dll直接实现,刚好比赛驱动用比赛驱动的hook

ScreenGrab · microsoft/DirectXTK Wiki (github.com)

从交换链里获取Device

再GetBuffer

再调用 dxtk SaveWICTextureToFile 保存到文件

lainswork/dwm-screen-shot: 将shellcode注入dwm.exe以进行屏幕截取 (github.com)

lainswork/shellcode-factory: shellcode 生成框架 (github.com)

利用shellcode 生成框架

通过符号获取hook地址

修改页面属性

veh 捕获异常 hook 获取交换链

利用交换链 getbuffer

exe 直接读这个buff 绘制出来

其实和我的方案一一毛一样 除了是shellcode

Abusing DComposition to render on external windows | secret club

劫持dwm窗口应该是个思路吧

劫持线程到自己exe

应该可以截图到吧

没具体实现

NVidia 游戏内覆盖截图

他那个基于显卡 直接copy的显存 经朋友测试的确可以截到

本来想看看的 毕竟上次泄露nv的驱动源码 但是我电脑不支持此方案

NVIDIA Capture SDK | NVIDIA Developer

NvFBC nv的视频录制sdk 是直接从显存里copy数据

按理也可以截图

不过最高支持win10 1803 我win11 所以没办法

所以这里没有测试方案

video-sdk-samples/nvEncDXGIOutputDuplicationSample at master · NVIDIA/video-sdk-samples (github.com)

他官方推荐的代替方案

后来我又去实现了他文档放弃win10 所推荐的dx方案

IDXGIOutput 发现并不能截图dwm

image-20220424192056570

后续...

amd 方案

高级媒体框架 - GPU 打开 (gpuopen.com)

 
 
 
FILE* file;
AllocConsole();
freopen_s(&file, "CONIN$", "r", stdin);
freopen_s(&file, "CONOUT$", "w", stdout);
uint64_t hook = 0;
while (true)
{
    hook = FindPattern("dxgi.dll", "68 ?? ?? ?? ?? C7 44 24 04 ?? ?? ?? ??");
    if (hook)
        break;
    Sleep(100);
}
FILE* file;
AllocConsole();
freopen_s(&file, "CONIN$", "r", stdin);
freopen_s(&file, "CONOUT$", "w", stdout);
uint64_t hook = 0;
while (true)
{
    hook = FindPattern("dxgi.dll", "68 ?? ?? ?? ?? C7 44 24 04 ?? ?? ?? ??");
    if (hook)
        break;
    Sleep(100);
}
flag f[42];
uint8_t* draw_rect = 0;
uint8_t* draw_orig = 0;
__int64 __fastcall sub_420(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6, __int64 a7)
{
    f[0] = { 50 , 50, 0x130bd0 , 0xf814b4 };
    f[1] = { 50 , 122, 0x1bcd69 , 0xe9bdc5 };
    f[2] = { 50 , 194, 0xd91997 , 0x4f7363 };
    f[3] = { 50 , 266, 0xe82b18 , 0x28ec24 };
    f[4] = { 50 , 338, 0x391faa , 0x22ae2e };
    f[5] = { 50 , 410, 0xd77de2 , 0x2f62e };
    f[6] = { 122 , 266, 0x71150 , 0x1894d4 };
    f[7] = { 194 , 266, 0xc42e8b , 0xeb1f47 };
    f[8] = { 266 , 266, 0x34cf2b , 0x534f3f };
    f[9] = { 122 , 122, 0xd9e5f1 , 0xe9d505 };
    f[10] = { 194 , 194, 0xc42d8b , 0x38f0f };
    f[11] = { 770 , 50, 0xeabf17 , 0x8f7323 };
    f[12] = { 698 , 122, 0xc42d8b , 0x532fbf };
    f[13] = { 626 , 194, 0xd717af , 0x37cb9b };
    f[14] = { 554 , 266, 0xc460e9 , 0x314ddd };
    f[15] = { 482 , 338, 0xc7a989 , 0x11edbd };
    f[16] = { 554 , 338, 0xab7100 , 0xf0747c };
    f[17] = { 626 , 338, 0xc409a9 , 0xe12d6d };
    f[18] = { 842 , 50, 0xd77e8b , 0x7bfff7 };
    f[19] = { 914 , 50, 0xd9ad01 , 0x4985c5 };
    f[20] = { 986 , 50, 0x39e156 , 0xf6c25a };
    f[21] = { 842 , 122, 0x13207c , 0x7438b8 };
    f[22] = { 914 , 194, 0xc9140b , 0xf3af5f };
    f[23] = { 986 , 266, 0x53071f , 0x779bfb };
    f[24] = { 1058 , 338, 0xd71106 , 0x5ee272 };
    f[25] = { 1130 , 338, 0xeb60a1 , 0x11551d };
    f[26] = { 1202 , 338, 0xeb67cd , 0xc5c9c9 };
    f[27] = { 1274 , 338, 0xd71161 , 0x1752d };
    f[28] = { 1130 , 50, 0x677611 , 0x41a58d };
    f[29] = { 1202 , 50, 0x40173d , 0x95f9d9 };
    f[30] = { 1274 , 50, 0xd77661 , 0x61b54d };
    f[31] = { 1346 , 50, 0xefff9a , 0xc27eee };
    f[32] = { 1202 , 122, 0xc404eb , 0xeb3fc7 };
    f[33] = { 1274 , 194, 0xd7c6ef , 0xdf9b53 };
    f[34] = { 1346 , 194, 0xd7701f , 0x171b1b };
    f[35] = { 1418 , 194, 0xd71171 , 0x91e53d };
    f[36] = { 1490 , 194, 0x3906ab , 0x138f3f };
    f[37] = { 1346 , 266, 0x96663 , 0x83f72f };
    f[38] = { 1418 , 338, 0x732157 , 0x47638b };
    f[39] = { 1490 , 338, 0x353730 , 0x587414 };
    f[40] = { 1562 , 338, 0x6257a9 , 0x69fdc5 };
    f[41] = { 1634 , 338, 0xd777af , 0xb7cb1b };
 
 
 
    for (auto& data : f)
    {
 
        call_invoke(draw_rect, data.x, data.y, data.k1, data.k2, 0xFF2DDBE7, a3, a4, a5, a6, a7);
 
        //reinterpret_cast<uint64_t(*)(int, int, int, int, int, uint64_t, uint64_t, uint64_t, uint64_t, uint64_t)>(draw_rect)
        //    (data.x, data.y, data.k1, data.k2, 0xFFFFFF00, a3, a4, a5, a6, a7);
    }
    return 0;
flag f[42];
uint8_t* draw_rect = 0;
uint8_t* draw_orig = 0;
__int64 __fastcall sub_420(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6, __int64 a7)
{
    f[0] = { 50 , 50, 0x130bd0 , 0xf814b4 };
    f[1] = { 50 , 122, 0x1bcd69 , 0xe9bdc5 };
    f[2] = { 50 , 194, 0xd91997 , 0x4f7363 };
    f[3] = { 50 , 266, 0xe82b18 , 0x28ec24 };
    f[4] = { 50 , 338, 0x391faa , 0x22ae2e };
    f[5] = { 50 , 410, 0xd77de2 , 0x2f62e };
    f[6] = { 122 , 266, 0x71150 , 0x1894d4 };
    f[7] = { 194 , 266, 0xc42e8b , 0xeb1f47 };
    f[8] = { 266 , 266, 0x34cf2b , 0x534f3f };
    f[9] = { 122 , 122, 0xd9e5f1 , 0xe9d505 };
    f[10] = { 194 , 194, 0xc42d8b , 0x38f0f };
    f[11] = { 770 , 50, 0xeabf17 , 0x8f7323 };
    f[12] = { 698 , 122, 0xc42d8b , 0x532fbf };
    f[13] = { 626 , 194, 0xd717af , 0x37cb9b };
    f[14] = { 554 , 266, 0xc460e9 , 0x314ddd };
    f[15] = { 482 , 338, 0xc7a989 , 0x11edbd };
    f[16] = { 554 , 338, 0xab7100 , 0xf0747c };
    f[17] = { 626 , 338, 0xc409a9 , 0xe12d6d };
    f[18] = { 842 , 50, 0xd77e8b , 0x7bfff7 };
    f[19] = { 914 , 50, 0xd9ad01 , 0x4985c5 };
    f[20] = { 986 , 50, 0x39e156 , 0xf6c25a };
    f[21] = { 842 , 122, 0x13207c , 0x7438b8 };
    f[22] = { 914 , 194, 0xc9140b , 0xf3af5f };
    f[23] = { 986 , 266, 0x53071f , 0x779bfb };
    f[24] = { 1058 , 338, 0xd71106 , 0x5ee272 };
    f[25] = { 1130 , 338, 0xeb60a1 , 0x11551d };
    f[26] = { 1202 , 338, 0xeb67cd , 0xc5c9c9 };
    f[27] = { 1274 , 338, 0xd71161 , 0x1752d };
    f[28] = { 1130 , 50, 0x677611 , 0x41a58d };
    f[29] = { 1202 , 50, 0x40173d , 0x95f9d9 };
    f[30] = { 1274 , 50, 0xd77661 , 0x61b54d };
    f[31] = { 1346 , 50, 0xefff9a , 0xc27eee };
    f[32] = { 1202 , 122, 0xc404eb , 0xeb3fc7 };
    f[33] = { 1274 , 194, 0xd7c6ef , 0xdf9b53 };
    f[34] = { 1346 , 194, 0xd7701f , 0x171b1b };
    f[35] = { 1418 , 194, 0xd71171 , 0x91e53d };
    f[36] = { 1490 , 194, 0x3906ab , 0x138f3f };
    f[37] = { 1346 , 266, 0x96663 , 0x83f72f };
    f[38] = { 1418 , 338, 0x732157 , 0x47638b };
    f[39] = { 1490 , 338, 0x353730 , 0x587414 };
    f[40] = { 1562 , 338, 0x6257a9 , 0x69fdc5 };
    f[41] = { 1634 , 338, 0xd777af , 0xb7cb1b };
 
 
 
    for (auto& data : f)
    {
 
        call_invoke(draw_rect, data.x, data.y, data.k1, data.k2, 0xFF2DDBE7, a3, a4, a5, a6, a7);
 
        //reinterpret_cast<uint64_t(*)(int, int, int, int, int, uint64_t, uint64_t, uint64_t, uint64_t, uint64_t)>(draw_rect)
        //    (data.x, data.y, data.k1, data.k2, 0xFFFFFF00, a3, a4, a5, a6, a7);
    }
    return 0;
 
 
 
 
 
 
 
EE2362FC Reg[0],Reg[1] <- Draw(50,50,130bd0,f814b4)
EE2362FC Reg[0],Reg[1] <- Draw(50,122,1bcd69,e9bdc5)
EE2362FC Reg[0],Reg[1] <- Draw(50,194,d91997,4f7363)
EE2362FC Reg[0],Reg[1] <- Draw(50,266,e82b18,28ec24)
EE2362FC Reg[0],Reg[1] <- Draw(50,338,391faa,22ae2e)
EE2362FC Reg[0],Reg[1] <- Draw(50,410,d77de2,2f62e)
EE2362FC Reg[0],Reg[1] <- Draw(122,266,71150,1894d4)
EE2362FC Reg[0],Reg[1] <- Draw(194,266,c42e8b,eb1f47)
EE2362FC Reg[0],Reg[1] <- Draw(266,266,34cf2b,534f3f)
EE2362FC Reg[0],Reg[1] <- Draw(122,122,d9e5f1,e9d505)
EE2362FC Reg[0],Reg[1] <- Draw(194,194,c42d8b,38f0f)
EE2362FC Reg[0],Reg[1] <- Draw(770,50,eabf17,8f7323)
EE2362FC Reg[0],Reg[1] <- Draw(698,122,c42d8b,532fbf)
EE2362FC Reg[0],Reg[1] <- Draw(626,194,d717af,37cb9b)
EE2362FC Reg[0],Reg[1] <- Draw(554,266,c460e9,314ddd)
EE2362FC Reg[0],Reg[1] <- Draw(482,338,c7a989,11edbd)
EE2362FC Reg[0],Reg[1] <- Draw(554,338,ab7100,f0747c)
EE2362FC Reg[0],Reg[1] <- Draw(626,338,c409a9,e12d6d)
EE2362FC Reg[0],Reg[1] <- Draw(842,50,d77e8b,7bfff7)
EE2362FC Reg[0],Reg[1] <- Draw(914,50,d9ad01,4985c5)
EE2362FC Reg[0],Reg[1] <- Draw(986,50,39e156,f6c25a)
EE2362FC Reg[0],Reg[1] <- Draw(842,122,13207c,7438b8)
EE2362FC Reg[0],Reg[1] <- Draw(914,194,c9140b,f3af5f)
EE2362FC Reg[0],Reg[1] <- Draw(986,266,53071f,779bfb)
EE2362FC Reg[0],Reg[1] <- Draw(1058,338,d71106,5ee272)
EE2362FC Reg[0],Reg[1] <- Draw(1130,338,eb60a1,11551d)
EE2362FC Reg[0],Reg[1] <- Draw(1202,338,eb67cd,c5c9c9)
EE2362FC Reg[0],Reg[1] <- Draw(1274,338,d71161,1752d)
EE2362FC Reg[0],Reg[1] <- Draw(1130,50,677611,41a58d)
EE2362FC Reg[0],Reg[1] <- Draw(1202,50,40173d,95f9d9)
EE2362FC Reg[0],Reg[1] <- Draw(1274,50,d77661,61b54d)
EE2362FC Reg[0],Reg[1] <- Draw(1346,50,efff9a,c27eee)
EE2362FC Reg[0],Reg[1] <- Draw(1202,122,c404eb,eb3fc7)
EE2362FC Reg[0],Reg[1] <- Draw(1274,194,d7c6ef,df9b53)
EE2362FC Reg[0],Reg[1] <- Draw(1346,194,d7701f,171b1b)
EE2362FC Reg[0],Reg[1] <- Draw(1418,194,d71171,91e53d)
EE2362FC Reg[0],Reg[1] <- Draw(1490,194,3906ab,138f3f)
EE2362FC Reg[0],Reg[1] <- Draw(1346,266,96663,83f72f)
EE2362FC Reg[0],Reg[1] <- Draw(1418,338,732157,47638b)
EE2362FC Reg[0],Reg[1] <- Draw(1490,338,353730,587414)
EE2362FC Reg[0],Reg[1] <- Draw(1562,338,6257a9,69fdc5)
EE2362FC Reg[0],Reg[1] <- Draw(1634,338,d777af,b7cb1b)
EE2362FC Reg[0],Reg[1] <- Draw(50,50,130bd0,f814b4)
EE2362FC Reg[0],Reg[1] <- Draw(50,122,1bcd69,e9bdc5)
EE2362FC Reg[0],Reg[1] <- Draw(50,194,d91997,4f7363)
EE2362FC Reg[0],Reg[1] <- Draw(50,266,e82b18,28ec24)
EE2362FC Reg[0],Reg[1] <- Draw(50,338,391faa,22ae2e)
EE2362FC Reg[0],Reg[1] <- Draw(50,410,d77de2,2f62e)
EE2362FC Reg[0],Reg[1] <- Draw(122,266,71150,1894d4)
EE2362FC Reg[0],Reg[1] <- Draw(194,266,c42e8b,eb1f47)
EE2362FC Reg[0],Reg[1] <- Draw(266,266,34cf2b,534f3f)
EE2362FC Reg[0],Reg[1] <- Draw(122,122,d9e5f1,e9d505)
EE2362FC Reg[0],Reg[1] <- Draw(194,194,c42d8b,38f0f)
EE2362FC Reg[0],Reg[1] <- Draw(770,50,eabf17,8f7323)
EE2362FC Reg[0],Reg[1] <- Draw(698,122,c42d8b,532fbf)
EE2362FC Reg[0],Reg[1] <- Draw(626,194,d717af,37cb9b)
EE2362FC Reg[0],Reg[1] <- Draw(554,266,c460e9,314ddd)
EE2362FC Reg[0],Reg[1] <- Draw(482,338,c7a989,11edbd)
EE2362FC Reg[0],Reg[1] <- Draw(554,338,ab7100,f0747c)
EE2362FC Reg[0],Reg[1] <- Draw(626,338,c409a9,e12d6d)
EE2362FC Reg[0],Reg[1] <- Draw(842,50,d77e8b,7bfff7)
EE2362FC Reg[0],Reg[1] <- Draw(914,50,d9ad01,4985c5)
EE2362FC Reg[0],Reg[1] <- Draw(986,50,39e156,f6c25a)
EE2362FC Reg[0],Reg[1] <- Draw(842,122,13207c,7438b8)
EE2362FC Reg[0],Reg[1] <- Draw(914,194,c9140b,f3af5f)
EE2362FC Reg[0],Reg[1] <- Draw(986,266,53071f,779bfb)
EE2362FC Reg[0],Reg[1] <- Draw(1058,338,d71106,5ee272)
EE2362FC Reg[0],Reg[1] <- Draw(1130,338,eb60a1,11551d)
EE2362FC Reg[0],Reg[1] <- Draw(1202,338,eb67cd,c5c9c9)
EE2362FC Reg[0],Reg[1] <- Draw(1274,338,d71161,1752d)
EE2362FC Reg[0],Reg[1] <- Draw(1130,50,677611,41a58d)
EE2362FC Reg[0],Reg[1] <- Draw(1202,50,40173d,95f9d9)
EE2362FC Reg[0],Reg[1] <- Draw(1274,50,d77661,61b54d)
EE2362FC Reg[0],Reg[1] <- Draw(1346,50,efff9a,c27eee)
EE2362FC Reg[0],Reg[1] <- Draw(1202,122,c404eb,eb3fc7)
EE2362FC Reg[0],Reg[1] <- Draw(1274,194,d7c6ef,df9b53)
EE2362FC Reg[0],Reg[1] <- Draw(1346,194,d7701f,171b1b)
EE2362FC Reg[0],Reg[1] <- Draw(1418,194,d71171,91e53d)
EE2362FC Reg[0],Reg[1] <- Draw(1490,194,3906ab,138f3f)
EE2362FC Reg[0],Reg[1] <- Draw(1346,266,96663,83f72f)
EE2362FC Reg[0],Reg[1] <- Draw(1418,338,732157,47638b)
EE2362FC Reg[0],Reg[1] <- Draw(1490,338,353730,587414)
EE2362FC Reg[0],Reg[1] <- Draw(1562,338,6257a9,69fdc5)
EE2362FC Reg[0],Reg[1] <- Draw(1634,338,d777af,b7cb1b)
VOID LoadImageNotify(
    _In_ PUNICODE_STRING FullImageName,
    _In_ HANDLE ProcessId,
    _In_ PIMAGE_INFO ImageInfo
)
{
    if (FullImageName != nullptr && MmIsAddressValid(FullImageName))
    {
        if (ProcessId == 0) // 是否是驱动
        {
            auto ImageName = FullImageName->Buffer;
            if (wcsstr(ImageName, L"2022GameSafeRace.sys"))
            {
                auto PatchFree = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x18a4;
                auto JmpAddress = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x19ea;
                char jmp[] = {
                    0xe9,0x00,0x00,0x00,0x00
                };
                *(uint32_t*)(jmp + 1) = (ULONG64)(JmpAddress - PatchFree - 5);
                // patch free
                MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
                // patch vad断链
                PatchFree = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x1aae;
                JmpAddress = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x1ac9;
                *(uint32_t*)(jmp + 1) = (ULONG64)(JmpAddress - PatchFree - 5);
 
                MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
 
                MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
                //patch表
                PatchFree = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x4030;
 
                MdlCopyMemory(PatchFree, Table, sizeof(Table));
 
 
 
            }
        }
    }
}
VOID LoadImageNotify(
    _In_ PUNICODE_STRING FullImageName,
    _In_ HANDLE ProcessId,
    _In_ PIMAGE_INFO ImageInfo
)
{
    if (FullImageName != nullptr && MmIsAddressValid(FullImageName))
    {
        if (ProcessId == 0) // 是否是驱动
        {
            auto ImageName = FullImageName->Buffer;
            if (wcsstr(ImageName, L"2022GameSafeRace.sys"))
            {
                auto PatchFree = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x18a4;
                auto JmpAddress = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x19ea;
                char jmp[] = {
                    0xe9,0x00,0x00,0x00,0x00
                };
                *(uint32_t*)(jmp + 1) = (ULONG64)(JmpAddress - PatchFree - 5);
                // patch free
                MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
                // patch vad断链
                PatchFree = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x1aae;
                JmpAddress = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x1ac9;
                *(uint32_t*)(jmp + 1) = (ULONG64)(JmpAddress - PatchFree - 5);
 
                MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
 
                MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
                //patch表
                PatchFree = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x4030;
 
                MdlCopyMemory(PatchFree, Table, sizeof(Table));
 
 
 
            }
        }
    }
}
NTSTATUS __fastcall sub_140001438(void *a1, BOOLEAN a2)
{
  SYSTEM_FIRMWARE_TABLE_HANDLER SystemInformation; // [rsp+20h] [rbp-28h] BYREF
 
  SystemInformation.DriverObject = a1;
  SystemInformation.Register = a2;
  SystemInformation.FirmwareTableHandler = (PFNFTH)sub_1400013E0;
  SystemInformation.ProviderSignature = 0x52414E44;
  return ZwSetSystemInformation(SystemRegisterFirmwareTableInformationHandler, &SystemInformation, 0x18ui64);
}
NTSTATUS __fastcall sub_140001438(void *a1, BOOLEAN a2)
{
  SYSTEM_FIRMWARE_TABLE_HANDLER SystemInformation; // [rsp+20h] [rbp-28h] BYREF
 
  SystemInformation.DriverObject = a1;
  SystemInformation.Register = a2;
  SystemInformation.FirmwareTableHandler = (PFNFTH)sub_1400013E0;
  SystemInformation.ProviderSignature = 0x52414E44;
  return ZwSetSystemInformation(SystemRegisterFirmwareTableInformationHandler, &SystemInformation, 0x18ui64);
}
__int64 __fastcall sub_140003530(PVOID Parameter)
{
  HANDLE ProcessHeap; // rax
  char *v2; // rdx
  __int64 result; // rax
  ULONG ReturnLength; // [rsp+38h] [rbp+10h] BYREF
 
  ProcessHeap = GetProcessHeap();
  v2 = (char *)HeapAlloc(ProcessHeap, 8u, 0x28ui64);
  result = 0i64;
  *(_OWORD *)v2 = 0i64;
  *((_OWORD *)v2 + 1) = 0i64;
  *((_QWORD *)v2 + 4) = 0i64;
  if ( v2 )
  {
    *((_DWORD *)v2 + 2) = 0;
    *((_DWORD *)v2 + 1) = 1;
    *(_DWORD *)v2 = 1380011588;
    *((_DWORD *)v2 + 3) = 20;
    *(_QWORD *)(v2 + 20) = 8193i64;
    *((_QWORD *)v2 + 4) = D3DCompile;
    ReturnLength = 40;
    NtQuerySystemInformation(SystemFirmwareTableInformation, v2, 0x28u, &ReturnLength);
    return 0i64;
  }
  return result;
}
__int64 __fastcall sub_140003530(PVOID Parameter)
{
  HANDLE ProcessHeap; // rax
  char *v2; // rdx
  __int64 result; // rax
  ULONG ReturnLength; // [rsp+38h] [rbp+10h] BYREF
 
  ProcessHeap = GetProcessHeap();
  v2 = (char *)HeapAlloc(ProcessHeap, 8u, 0x28ui64);
  result = 0i64;
  *(_OWORD *)v2 = 0i64;
  *((_OWORD *)v2 + 1) = 0i64;
  *((_QWORD *)v2 + 4) = 0i64;
  if ( v2 )
  {
    *((_DWORD *)v2 + 2) = 0;
    *((_DWORD *)v2 + 1) = 1;
    *(_DWORD *)v2 = 1380011588;
    *((_DWORD *)v2 + 3) = 20;
    *(_QWORD *)(v2 + 20) = 8193i64;
    *((_QWORD *)v2 + 4) = D3DCompile;
    ReturnLength = 40;
    NtQuerySystemInformation(SystemFirmwareTableInformation, v2, 0x28u, &ReturnLength);
    return 0i64;
  }
  return result;
}
PEPROCESS GetDwmProcess()//0x140001318
{
  PEPROCESS v0; // rdi
  unsigned int ProcessId; // esi
  void *ProcessImageFileName; // rbx
  void *ProcessPeb; // rbx
  struct _KAPC_STATE ApcState; // [rsp+20h] [rbp-60h] BYREF
  int SubStr; // [rsp+A0h] [rbp+20h] BYREF
  PEPROCESS Process; // [rsp+A8h] [rbp+28h] BYREF
 
  v0 = 0i64;
  ProcessId = 0x100000;
  while ( 1 )
  {
    if ( PsLookupProcessByProcessId((HANDLE)ProcessId, &Process) < 0 )
      goto LABEL_7;
    ObfDereferenceObject(Process);
    ProcessImageFileName = (void *)PsGetProcessImageFileName(Process);
    if ( !MmIsAddressValid(ProcessImageFileName) )
      goto LABEL_7;
    SubStr = 'mwd';
    if ( !strstr((const char *)ProcessImageFileName, (const char *)&SubStr) )
      goto LABEL_7;
    ProcessPeb = (void *)PsGetProcessPeb(Process);
    KeStackAttachProcess(Process, &ApcState);
    if ( MmIsAddressValid(ProcessPeb) )
      break;
    KeUnstackDetachProcess(&ApcState);
LABEL_7:
    ProcessId -= 4;
    if ( ProcessId <= 8 )
      return v0;
  }
  v0 = Process;
  KeUnstackDetachProcess(&ApcState);
  return v0;
}
PEPROCESS GetDwmProcess()//0x140001318
{
  PEPROCESS v0; // rdi
  unsigned int ProcessId; // esi
  void *ProcessImageFileName; // rbx
  void *ProcessPeb; // rbx
  struct _KAPC_STATE ApcState; // [rsp+20h] [rbp-60h] BYREF
  int SubStr; // [rsp+A0h] [rbp+20h] BYREF
  PEPROCESS Process; // [rsp+A8h] [rbp+28h] BYREF
 
  v0 = 0i64;
  ProcessId = 0x100000;
  while ( 1 )
  {
    if ( PsLookupProcessByProcessId((HANDLE)ProcessId, &Process) < 0 )
      goto LABEL_7;
    ObfDereferenceObject(Process);
    ProcessImageFileName = (void *)PsGetProcessImageFileName(Process);
    if ( !MmIsAddressValid(ProcessImageFileName) )
      goto LABEL_7;
    SubStr = 'mwd';
    if ( !strstr((const char *)ProcessImageFileName, (const char *)&SubStr) )
      goto LABEL_7;
    ProcessPeb = (void *)PsGetProcessPeb(Process);
    KeStackAttachProcess(Process, &ApcState);
    if ( MmIsAddressValid(ProcessPeb) )
      break;
    KeUnstackDetachProcess(&ApcState);
LABEL_7:
    ProcessId -= 4;
    if ( ProcessId <= 8 )
      return v0;
  }
  v0 = Process;
  KeUnstackDetachProcess(&ApcState);
  return v0;
}
68 00006F99           - push 0000000000000000 { 0 }
C7 44 24 04 00000000  - mov [rsp+04],00000000 { 0 }
C3                    - ret
68 00006F99           - push 0000000000000000 { 0 }
C7 44 24 04 00000000  - mov [rsp+04],00000000 { 0 }
C3                    - ret
ProcessId = PsGetProcessId(DwmProcess);
GetModuleHandle(ProcessId, &Handle, "D3DCOMPILER_47.dll");// 从Ldr链里获取模块地址
KeStackAttachProcess(Dwm, &ApcState);       // 附加DWM
if ( Handle )                               // 如果模块存在
    D3DCompile = GetProAddress((__int64)Handle, (__int64)"D3DCompile");// 获取函数D3DCompile地址
KeUnstackDetachProcess(&ApcState);          // 解除附加
Handle = 0i64;
v25 = 0i64;
GetModuleHandle(ProcessId, &Handle, "dxgi.dll");// 获取dxgi模块地址
ProcessId = PsGetProcessId(DwmProcess);
GetModuleHandle(ProcessId, &Handle, "D3DCOMPILER_47.dll");// 从Ldr链里获取模块地址
KeStackAttachProcess(Dwm, &ApcState);       // 附加DWM
if ( Handle )                               // 如果模块存在
    D3DCompile = GetProAddress((__int64)Handle, (__int64)"D3DCompile");// 获取函数D3DCompile地址
KeUnstackDetachProcess(&ApcState);          // 解除附加
Handle = 0i64;
v25 = 0i64;
GetModuleHandle(ProcessId, &Handle, "dxgi.dll");// 获取dxgi模块地址
v5 = (char *)Handle;
   if ( Handle )
   {
     v6 = (char *)Handle;
     for ( i = Handle < (char *)Handle + v25; i; i = v6 < (char *)Handle + v25 )
     {
       if ( *(_QWORD *)v6 == qword_140004000 && *((_QWORD *)v6 + 1) == qword_140004008 && v6[0x10] == byte_140004010 )// 搜索特征码 PresentMultiplaneOverlay
       {
         PresentMultiplaneOverlay = v6;
         break;
       }
       ++v6;
     }
   }
   if ( unk_14000712C == 17134 && Handle )     // 如果为1803
   {
     v8 = (char *)Handle + v25;
     while ( v5 < v8 )
     {
       if ( !memcmp(v5, &unk_140004018, 0x15ui64) )// 搜索特征码
       {
         PresentMultiplaneOverlay = v5;
         break;
       }
       ++v5;
     }
   }
v5 = (char *)Handle;
   if ( Handle )
   {
     v6 = (char *)Handle;
     for ( i = Handle < (char *)Handle + v25; i; i = v6 < (char *)Handle + v25 )
     {
       if ( *(_QWORD *)v6 == qword_140004000 && *((_QWORD *)v6 + 1) == qword_140004008 && v6[0x10] == byte_140004010 )// 搜索特征码 PresentMultiplaneOverlay
       {
         PresentMultiplaneOverlay = v6;
         break;
       }
       ++v6;
     }
   }
   if ( unk_14000712C == 17134 && Handle )     // 如果为1803
   {
     v8 = (char *)Handle + v25;
     while ( v5 < v8 )
     {
       if ( !memcmp(v5, &unk_140004018, 0x15ui64) )// 搜索特征码
       {
         PresentMultiplaneOverlay = v5;
         break;
       }
       ++v5;
     }
   }
KeStackAttachProcess(Dwm, &ApcState);
    ZwAllocateVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFFi64, &BaseAddress, 0i64, &RegionSize, 0x1000u, 0x40u);// 申请shellcode 内存
    ZwAllocateVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFFi64, &HookMem, 0i64, &v23, 0x1000u, 0x40u);// hook内存?
    if ( BaseAddress && HookMem )
    {
      memcpy_s(BaseAddress, 0x30BAui64, dword_140005A00, 0x16E6ui64);// 复制shellcode 到申请的内存中
      v9 = 0;
      v10 = 0i64;
      do
      {
        ++v9;
        *((_BYTE *)BaseAddress + v10++) ^= 0xC3u;
      }
      while ( v9 < 0x16E6 );                  // 解密shellcode
      memcpy_s((char *)BaseAddress + 0x16E6, 0x19D4ui64, dword_140004030, 0x19C4ui64);// 复制VmOpcodeTable到申请的内存中
      v11 = 0;
      v12 = 0i64;
      do
      {
        ++v11;
        *((_BYTE *)BaseAddress + v12 + 0x16E6) ^= 0xCCu;// 解密 VmOpcodeTable
        ++v12;
      }
      while ( v11 < 0x19C4 );
      *(_QWORD *)((char *)BaseAddress + 0x30AA) = D3DCompile;
      *(_QWORD *)((char *)BaseAddress + 0x30B2) = HookMem;
      *(_DWORD *)((char *)BaseAddress + dword_1400059F4) = 0x30A6 - dword_1400059F4;
      *(_DWORD *)((char *)BaseAddress + dword_1400059F8) = 0x30AE - dword_1400059F8;
      *(_DWORD *)((char *)BaseAddress + dword_1400070EC) = 0x671;
      *(_DWORD *)((char *)BaseAddress + dword_1400070E8) = 0x16E2 - dword_1400070E8;
      memcpy_s(HookMem, 14ui64, &loc_1400070F8, 14ui64);// PresentMultiplaneOverlay 头部字节码
      v13 = (char *)HookMem;
      *(_DWORD *)((char *)HookMem + 15) = (_DWORD)PresentMultiplaneOverlay + 14;
      *(_DWORD *)(v13 + 0x17) = ((unsigned __int64)PresentMultiplaneOverlay + 14) >> 32;
      v13[14] = 0x68;
      *(_DWORD *)(v13 + 0x13) = 0x42444C7;
      v13[27] = 0xC3;
KeStackAttachProcess(Dwm, &ApcState);
    ZwAllocateVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFFi64, &BaseAddress, 0i64, &RegionSize, 0x1000u, 0x40u);// 申请shellcode 内存
    ZwAllocateVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFFi64, &HookMem, 0i64, &v23, 0x1000u, 0x40u);// hook内存?
    if ( BaseAddress && HookMem )
    {
      memcpy_s(BaseAddress, 0x30BAui64, dword_140005A00, 0x16E6ui64);// 复制shellcode 到申请的内存中
      v9 = 0;
      v10 = 0i64;
      do
      {
        ++v9;
        *((_BYTE *)BaseAddress + v10++) ^= 0xC3u;
      }
      while ( v9 < 0x16E6 );                  // 解密shellcode
      memcpy_s((char *)BaseAddress + 0x16E6, 0x19D4ui64, dword_140004030, 0x19C4ui64);// 复制VmOpcodeTable到申请的内存中
      v11 = 0;
      v12 = 0i64;
      do
      {
        ++v11;
        *((_BYTE *)BaseAddress + v12 + 0x16E6) ^= 0xCCu;// 解密 VmOpcodeTable
        ++v12;
      }
      while ( v11 < 0x19C4 );
      *(_QWORD *)((char *)BaseAddress + 0x30AA) = D3DCompile;
      *(_QWORD *)((char *)BaseAddress + 0x30B2) = HookMem;
      *(_DWORD *)((char *)BaseAddress + dword_1400059F4) = 0x30A6 - dword_1400059F4;
      *(_DWORD *)((char *)BaseAddress + dword_1400059F8) = 0x30AE - dword_1400059F8;
      *(_DWORD *)((char *)BaseAddress + dword_1400070EC) = 0x671;
      *(_DWORD *)((char *)BaseAddress + dword_1400070E8) = 0x16E2 - dword_1400070E8;
      memcpy_s(HookMem, 14ui64, &loc_1400070F8, 14ui64);// PresentMultiplaneOverlay 头部字节码
      v13 = (char *)HookMem;
      *(_DWORD *)((char *)HookMem + 15) = (_DWORD)PresentMultiplaneOverlay + 14;
      *(_DWORD *)(v13 + 0x17) = ((unsigned __int64)PresentMultiplaneOverlay + 14) >> 32;
      v13[14] = 0x68;
      *(_DWORD *)(v13 + 0x13) = 0x42444C7;
      v13[27] = 0xC3;
push 00000000 //push 低32
mov [rsp+04] //mov 高32
ret //jmp [rsp] pop
push 00000000 //push 低32
mov [rsp+04] //mov 高32
ret //jmp [rsp] pop
KeUnstackDetachProcess(&ApcState);
KeStackAttachProcess(Dwm, &ApcState);
if ( BaseAddress && HookMem )
{
    if ( MmIsAddressValid(PresentMultiplaneOverlay) )
    {
        Mdl = IoAllocateMdl(PresentMultiplaneOverlay, 0x100u, 0, 0, 0i64);
        MmProbeAndLockPages(Mdl, 1, IoReadAccess);
        v15 = (char *)MmMapLockedPagesSpecifyCache(Mdl, 0, MmNonCached, 0i64, 0, 0x10u);// hook
        if ( v15 )
        {   // 68 00000000           - push 00000000 { 0 }
            // C7 44 24 04 00000000  - mov [rsp+04],00000000 { 0 }
            // C3                    - ret
            // shellcode
            v16 = (char *)BaseAddress + dword_1400070F0;// sub_860,各种初始化
            *(_DWORD *)(v15 + 1) = (_DWORD)v16;
            *(_DWORD *)(v15 + 9) = HIDWORD(v16);// 往里面写数据
            *v15 = 0x68;                        // push shellcode sub_860
            *(_DWORD *)(v15 + 5) = 69485767;    // mov [rsp+04],00000000
            v15[13] = 0xC3;                     // ret
        }
        MmUnmapLockedPages(v15, Mdl);
        MmUnlockPages(Mdl);
        IoFreeMdl(Mdl);
    }
KeUnstackDetachProcess(&ApcState);
KeStackAttachProcess(Dwm, &ApcState);
if ( BaseAddress && HookMem )
{
    if ( MmIsAddressValid(PresentMultiplaneOverlay) )
    {
        Mdl = IoAllocateMdl(PresentMultiplaneOverlay, 0x100u, 0, 0, 0i64);
        MmProbeAndLockPages(Mdl, 1, IoReadAccess);
        v15 = (char *)MmMapLockedPagesSpecifyCache(Mdl, 0, MmNonCached, 0i64, 0, 0x10u);// hook
        if ( v15 )
        {   // 68 00000000           - push 00000000 { 0 }
            // C7 44 24 04 00000000  - mov [rsp+04],00000000 { 0 }
            // C3                    - ret
            // shellcode
            v16 = (char *)BaseAddress + dword_1400070F0;// sub_860,各种初始化
            *(_DWORD *)(v15 + 1) = (_DWORD)v16;
            *(_DWORD *)(v15 + 9) = HIDWORD(v16);// 往里面写数据
            *v15 = 0x68;                        // push shellcode sub_860
            *(_DWORD *)(v15 + 5) = 69485767;    // mov [rsp+04],00000000
            v15[13] = 0xC3;                     // ret
        }
        MmUnmapLockedPages(v15, Mdl);
        MmUnlockPages(Mdl);
        IoFreeMdl(Mdl);
    }
v27[0] = (__int64)BaseAddress;
v29 = 0;
v27[1] = 0x30BAi64;
v28 = (unsigned int)PsGetProcessId(Dwm);
sub_140001A84((__int64)v27);
v27[0] = (__int64)BaseAddress;
v29 = 0;
v27[1] = 0x30BAi64;
v28 = (unsigned int)PsGetProcessId(Dwm);
sub_140001A84((__int64)v27);
Interval.QuadPart = -50000000i64;
KeDelayExecutionThread(0, 0, &Interval);  // 恢复hook
KeStackAttachProcess(Dwm, &ApcState);
if ( BaseAddress )
{
    if ( HookMem )
    {
        sub_140001B30();
        if ( MmIsAddressValid(PresentMultiplaneOverlay) )
        {
            v17 = IoAllocateMdl(PresentMultiplaneOverlay, 0x100u, 0, 0, 0i64);
            MmProbeAndLockPages(v17, 1, IoReadAccess);
            v18 = MmMapLockedPagesSpecifyCache(v17, 0, MmNonCached, 0i64, 0, 0x10u);// mdl强写
            if ( v18 )
            {                                   //
                // 48 8B C4              - mov rax,rsp
                // 55                    - push rbp
                // 56                    - push rsi
                // 57                    - push rdi
                // 41 54                 - push r12
                // 41 55                 - push r13
                // 41 56                 - push r14
                // 41 57                 - push r15
                *(_QWORD *)v18 = loc_1400070F8;
                v18[2] = loc_140007100;
                *((_WORD *)v18 + 6) = loc_140007104;
            }
            MmUnmapLockedPages(v18, v17);
            MmUnlockPages(v17);
            IoFreeMdl(v17);
        }
    }
}
KeUnstackDetachProcess(&ApcState);
Interval.QuadPart = -50000000i64;
KeDelayExecutionThread(0, 0, &Interval);  // 恢复hook
KeStackAttachProcess(Dwm, &ApcState);
if ( BaseAddress )
{
    if ( HookMem )
    {
        sub_140001B30();
        if ( MmIsAddressValid(PresentMultiplaneOverlay) )
        {
            v17 = IoAllocateMdl(PresentMultiplaneOverlay, 0x100u, 0, 0, 0i64);
            MmProbeAndLockPages(v17, 1, IoReadAccess);
            v18 = MmMapLockedPagesSpecifyCache(v17, 0, MmNonCached, 0i64, 0, 0x10u);// mdl强写
            if ( v18 )
            {                                   //
                // 48 8B C4              - mov rax,rsp
                // 55                    - push rbp
                // 56                    - push rsi
                // 57                    - push rdi
                // 41 54                 - push r12
                // 41 55                 - push r13
                // 41 56                 - push r14
                // 41 57                 - push r15
                *(_QWORD *)v18 = loc_1400070F8;
                v18[2] = loc_140007100;
                *((_WORD *)v18 + 6) = loc_140007104;
            }
            MmUnmapLockedPages(v18, v17);
            MmUnlockPages(v17);
            IoFreeMdl(v17);
        }
    }
}
KeUnstackDetachProcess(&ApcState);
KeUnstackDetachProcess(&ApcState);
Interval.QuadPart = -15000000i64;         // 释放shellcode
KeDelayExecutionThread(0, 0, &Interval);
KeStackAttachProcess(Dwm, &ApcState);
if ( BaseAddress )
{
    if ( HookMem )
    {
        ZwFreeVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFFi64, &BaseAddress, &RegionSize, 0x4000u);// 释放shellcode
        ZwFreeVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFFi64, &HookMem, &v23, 0x4000u);
    }
}
KeUnstackDetachProcess(&ApcState);
KeUnstackDetachProcess(&ApcState);
Interval.QuadPart = -15000000i64;         // 释放shellcode
KeDelayExecutionThread(0, 0, &Interval);
KeStackAttachProcess(Dwm, &ApcState);
if ( BaseAddress )
{
    if ( HookMem )
    {
        ZwFreeVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFFi64, &BaseAddress, &RegionSize, 0x4000u);// 释放shellcode
        ZwFreeVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFFi64, &HookMem, &v23, 0x4000u);
    }
}
KeUnstackDetachProcess(&ApcState);
void inject_shellcode()
{
  __int64 D3DCompile; // r15
  void *PresentMultiplaneOverlay; // rsi
  struct _KPROCESS *DwmProcess; // rax
  struct _KPROCESS *Dwm; // rdi
  HANDLE ProcessId; // rbx
  char *v5; // rbx
  char *v6; // rcx
  bool i; // cf
  char *v8; // r14
  unsigned int v9; // edx
  __int64 v10; // rcx
  unsigned int v11; // edx
  __int64 v12; // rcx
  char *v13; // rax
  struct _MDL *Mdl; // rbx
  char *v15; // rax
  char *v16; // rdx
  struct _MDL *v17; // rbx
  _DWORD *v18; // rax
  PVOID BaseAddress; // [rsp+38h] [rbp-49h] BYREF
  PVOID HookMem; // [rsp+40h] [rbp-41h] BYREF
  union _LARGE_INTEGER Interval; // [rsp+48h] [rbp-39h] BYREF
  ULONG_PTR RegionSize; // [rsp+50h] [rbp-31h] BYREF
  ULONG_PTR v23; // [rsp+58h] [rbp-29h] BYREF
  void *Handle; // [rsp+60h] [rbp-21h] BYREF
  __int64 v25; // [rsp+68h] [rbp-19h]
  struct _KAPC_STATE ApcState; // [rsp+70h] [rbp-11h] BYREF
  __int64 v27[2]; // [rsp+A0h] [rbp+1Fh] BYREF
  unsigned int v28; // [rsp+B0h] [rbp+2Fh]
  int v29; // [rsp+B4h] [rbp+33h]
 
  v23 = 0x1000i64;
  D3DCompile = 0i64;
  BaseAddress = 0i64;
  PresentMultiplaneOverlay = 0i64;
  HookMem = 0i64;
  RegionSize = 0x30BAi64;
  DwmProcess = GetDwmProcess();
  Dwm = DwmProcess;
  if ( DwmProcess )
  {
    Handle = 0i64;
    v25 = 0i64;
    ProcessId = PsGetProcessId(DwmProcess);
    GetModuleHandle(ProcessId, &Handle, "D3DCOMPILER_47.dll");// 从Ldr链里获取模块地址
    KeStackAttachProcess(Dwm, &ApcState);       // 附加DWM
    if ( Handle )                               // 如果模块存在
      D3DCompile = GetProAddress((__int64)Handle, (__int64)"D3DCompile");// 获取函数D3DCompile地址
    KeUnstackDetachProcess(&ApcState);          // 解除附加
    Handle = 0i64;
    v25 = 0i64;
    GetModuleHandle(ProcessId, &Handle, "dxgi.dll");// 获取dxgi模块地址
    KeStackAttachProcess(Dwm, &ApcState);
    v5 = (char *)Handle;
    if ( Handle )
    {
      v6 = (char *)Handle;
      for ( i = Handle < (char *)Handle + v25; i; i = v6 < (char *)Handle + v25 )
      {
        if ( *(_QWORD *)v6 == qword_140004000 && *((_QWORD *)v6 + 1) == qword_140004008 && v6[0x10] == byte_140004010 )// 搜索特征码 PresentMultiplaneOverlay
        {
          PresentMultiplaneOverlay = v6;
          break;
        }
        ++v6;
      }
    }
    if ( VersionInformation.dwBuildNumber == 17134 && Handle )// 如果为1803
    {
      v8 = (char *)Handle + v25;
      while ( v5 < v8 )
      {
        if ( !memcmp(v5, &unk_140004018, 0x15ui64) )// 搜索特征码
        {
          PresentMultiplaneOverlay = v5;
          break;
        }
        ++v5;
      }
    }
    KeUnstackDetachProcess(&ApcState);
    if ( D3DCompile && PresentMultiplaneOverlay )// 老方案 只不过放驱动里了
    {
      KeStackAttachProcess(Dwm, &ApcState);
      ZwAllocateVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFFi64, &BaseAddress, 0i64, &RegionSize, 0x1000u, 0x40u);// 申请shellcode 内存
      ZwAllocateVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFFi64, &HookMem, 0i64, &v23, 0x1000u, 0x40u);// hook内存?
      if ( BaseAddress && HookMem )
      {
        memcpy_s(BaseAddress, 0x30BAui64, &unk_140005A00, 0x16E6ui64);// 复制shellcode 到申请的内存中
        v9 = 0;
        v10 = 0i64;
        do
        {
          ++v9;
          *((_BYTE *)BaseAddress + v10++) ^= 0xC3u;
        }
        while ( v9 < 0x16E6 );                  // 解密shellcode
        memcpy_s((char *)BaseAddress + 0x16E6, 0x19D4ui64, dword_140004030, 0x19C4ui64);// 复制VmOpcodeTable到申请的内存中
        v11 = 0;
        v12 = 0i64;
        do
        {
          ++v11;
          *((_BYTE *)BaseAddress + v12 + 5862) ^= 0xCCu;// 解密 VmOpcodeTable
          ++v12;
        }
        while ( v11 < 0x19C4 );
        *(_QWORD *)((char *)BaseAddress + 0x30AA) = D3DCompile;
        *(_QWORD *)((char *)BaseAddress + 0x30B2) = HookMem;
        *(_DWORD *)((char *)BaseAddress + dword_1400059F4) = 0x30A6 - dword_1400059F4;
        *(_DWORD *)((char *)BaseAddress + dword_1400059F8) = 0x30AE - dword_1400059F8;
        *(_DWORD *)((char *)BaseAddress + dword_1400070EC) = 0x671;
        *(_DWORD *)((char *)BaseAddress + dword_1400070E8) = 0x16E2 - dword_1400070E8;
        memcpy_s(HookMem, 14ui64, &qword_1400070F8, 14ui64);// PresentMultiplaneOverlay 头部字节码
        v13 = (char *)HookMem;
        *(_DWORD *)((char *)HookMem + 15) = (_DWORD)PresentMultiplaneOverlay + 14;
        *(_DWORD *)(v13 + 0x17) = ((unsigned __int64)PresentMultiplaneOverlay + 14) >> 32;
        v13[14] = 0x68;
        *(_DWORD *)(v13 + 0x13) = 0x42444C7;
        v13[27] = 0xC3;
      }
      KeUnstackDetachProcess(&ApcState);
      KeStackAttachProcess(Dwm, &ApcState);
      if ( BaseAddress && HookMem )
      {
        if ( MmIsAddressValid(PresentMultiplaneOverlay) )
        {
          Mdl = IoAllocateMdl(PresentMultiplaneOverlay, 0x100u, 0, 0, 0i64);
          MmProbeAndLockPages(Mdl, 1, IoReadAccess);
          v15 = (char *)MmMapLockedPagesSpecifyCache(Mdl, 0, MmNonCached, 0i64, 0, 0x10u);// hook
          if ( v15 )
          {                                     // 68 00000000           - push 00000000 { 0 }
                                                // C7 44 24 04 00000000  - mov [rsp+04],00000000 { 0 }
                                                // C3                    - ret
                                                // shellcode
            v16 = (char *)BaseAddress + dword_1400070F0;// sub_860,各种初始化
            *(_DWORD *)(v15 + 1) = (_DWORD)v16;
            *(_DWORD *)(v15 + 9) = HIDWORD(v16);// 往里面写数据
            *v15 = 0x68;                        // push shellcode sub_860
            *(_DWORD *)(v15 + 5) = 69485767;    // mov [rsp+04],00000000
            v15[13] = 0xC3;                     // ret
          }
          MmUnmapLockedPages(v15, Mdl);
          MmUnlockPages(Mdl);
          IoFreeMdl(Mdl);
        }
        v27[0] = (__int64)BaseAddress;
        v29 = 0;
        v27[1] = 0x30BAi64;
        v28 = (unsigned int)PsGetProcessId(Dwm);
        sub_140001A84((__int64)v27);
      }
      KeUnstackDetachProcess(&ApcState);
      Interval.QuadPart = -50000000i64;
      KeDelayExecutionThread(0, 0, &Interval);  // 恢复hook
      KeStackAttachProcess(Dwm, &ApcState);
      if ( BaseAddress )
      {
        if ( HookMem )
        {
          sub_140001B30();
          if ( MmIsAddressValid(PresentMultiplaneOverlay) )
          {
            v17 = IoAllocateMdl(PresentMultiplaneOverlay, 0x100u, 0, 0, 0i64);
            MmProbeAndLockPages(v17, 1, IoReadAccess);
            v18 = MmMapLockedPagesSpecifyCache(v17, 0, MmNonCached, 0i64, 0, 0x10u);// mdl强写
            if ( v18 )
            {                                   //
                                                // 48 8B C4              - mov rax,rsp
                                                // 55                    - push rbp
                                                // 56                    - push rsi
                                                // 57                    - push rdi
                                                // 41 54                 - push r12
                                                // 41 55                 - push r13
                                                // 41 56                 - push r14
                                                // 41 57                 - push r15
              *(_QWORD *)v18 = qword_1400070F8;
              v18[2] = dword_140007100;
              *((_WORD *)v18 + 6) = word_140007104;
            }
            MmUnmapLockedPages(v18, v17);
            MmUnlockPages(v17);
            IoFreeMdl(v17);
          }
        }
      }
      KeUnstackDetachProcess(&ApcState);
      Interval.QuadPart = -15000000i64;         // 释放shellcode
      KeDelayExecutionThread(0, 0, &Interval);
      KeStackAttachProcess(Dwm, &ApcState);
      if ( BaseAddress )
      {
        if ( HookMem )
        {
          ZwFreeVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFFi64, &BaseAddress, &RegionSize, 0x4000u);// 释放shellcode
          ZwFreeVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFFi64, &HookMem, &v23, 0x4000u);
        }
      }
      KeUnstackDetachProcess(&ApcState);
    }
  }
}
void inject_shellcode()
{
  __int64 D3DCompile; // r15
  void *PresentMultiplaneOverlay; // rsi
  struct _KPROCESS *DwmProcess; // rax
  struct _KPROCESS *Dwm; // rdi
  HANDLE ProcessId; // rbx
  char *v5; // rbx
  char *v6; // rcx
  bool i; // cf
  char *v8; // r14
  unsigned int v9; // edx
  __int64 v10; // rcx
  unsigned int v11; // edx
  __int64 v12; // rcx
  char *v13; // rax
  struct _MDL *Mdl; // rbx
  char *v15; // rax
  char *v16; // rdx
  struct _MDL *v17; // rbx
  _DWORD *v18; // rax
  PVOID BaseAddress; // [rsp+38h] [rbp-49h] BYREF
  PVOID HookMem; // [rsp+40h] [rbp-41h] BYREF
  union _LARGE_INTEGER Interval; // [rsp+48h] [rbp-39h] BYREF
  ULONG_PTR RegionSize; // [rsp+50h] [rbp-31h] BYREF
  ULONG_PTR v23; // [rsp+58h] [rbp-29h] BYREF
  void *Handle; // [rsp+60h] [rbp-21h] BYREF
  __int64 v25; // [rsp+68h] [rbp-19h]
  struct _KAPC_STATE ApcState; // [rsp+70h] [rbp-11h] BYREF
  __int64 v27[2]; // [rsp+A0h] [rbp+1Fh] BYREF
  unsigned int v28; // [rsp+B0h] [rbp+2Fh]
  int v29; // [rsp+B4h] [rbp+33h]
 
  v23 = 0x1000i64;
  D3DCompile = 0i64;
  BaseAddress = 0i64;
  PresentMultiplaneOverlay = 0i64;
  HookMem = 0i64;
  RegionSize = 0x30BAi64;
  DwmProcess = GetDwmProcess();
  Dwm = DwmProcess;
  if ( DwmProcess )
  {
    Handle = 0i64;
    v25 = 0i64;
    ProcessId = PsGetProcessId(DwmProcess);
    GetModuleHandle(ProcessId, &Handle, "D3DCOMPILER_47.dll");// 从Ldr链里获取模块地址
    KeStackAttachProcess(Dwm, &ApcState);       // 附加DWM
    if ( Handle )                               // 如果模块存在
      D3DCompile = GetProAddress((__int64)Handle, (__int64)"D3DCompile");// 获取函数D3DCompile地址
    KeUnstackDetachProcess(&ApcState);          // 解除附加
    Handle = 0i64;
    v25 = 0i64;
    GetModuleHandle(ProcessId, &Handle, "dxgi.dll");// 获取dxgi模块地址
    KeStackAttachProcess(Dwm, &ApcState);
    v5 = (char *)Handle;
    if ( Handle )
    {
      v6 = (char *)Handle;
      for ( i = Handle < (char *)Handle + v25; i; i = v6 < (char *)Handle + v25 )
      {
        if ( *(_QWORD *)v6 == qword_140004000 && *((_QWORD *)v6 + 1) == qword_140004008 && v6[0x10] == byte_140004010 )// 搜索特征码 PresentMultiplaneOverlay
        {
          PresentMultiplaneOverlay = v6;
          break;
        }
        ++v6;
      }
    }
    if ( VersionInformation.dwBuildNumber == 17134 && Handle )// 如果为1803
    {
      v8 = (char *)Handle + v25;
      while ( v5 < v8 )
      {
        if ( !memcmp(v5, &unk_140004018, 0x15ui64) )// 搜索特征码
        {
          PresentMultiplaneOverlay = v5;
          break;
        }
        ++v5;
      }
    }
    KeUnstackDetachProcess(&ApcState);
    if ( D3DCompile && PresentMultiplaneOverlay )// 老方案 只不过放驱动里了
    {
      KeStackAttachProcess(Dwm, &ApcState);
      ZwAllocateVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFFi64, &BaseAddress, 0i64, &RegionSize, 0x1000u, 0x40u);// 申请shellcode 内存
      ZwAllocateVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFFi64, &HookMem, 0i64, &v23, 0x1000u, 0x40u);// hook内存?
      if ( BaseAddress && HookMem )
      {
        memcpy_s(BaseAddress, 0x30BAui64, &unk_140005A00, 0x16E6ui64);// 复制shellcode 到申请的内存中
        v9 = 0;
        v10 = 0i64;
        do
        {
          ++v9;
          *((_BYTE *)BaseAddress + v10++) ^= 0xC3u;
        }
        while ( v9 < 0x16E6 );                  // 解密shellcode
        memcpy_s((char *)BaseAddress + 0x16E6, 0x19D4ui64, dword_140004030, 0x19C4ui64);// 复制VmOpcodeTable到申请的内存中
        v11 = 0;
        v12 = 0i64;
        do
        {
          ++v11;
          *((_BYTE *)BaseAddress + v12 + 5862) ^= 0xCCu;// 解密 VmOpcodeTable
          ++v12;
        }
        while ( v11 < 0x19C4 );
        *(_QWORD *)((char *)BaseAddress + 0x30AA) = D3DCompile;
        *(_QWORD *)((char *)BaseAddress + 0x30B2) = HookMem;
        *(_DWORD *)((char *)BaseAddress + dword_1400059F4) = 0x30A6 - dword_1400059F4;
        *(_DWORD *)((char *)BaseAddress + dword_1400059F8) = 0x30AE - dword_1400059F8;
        *(_DWORD *)((char *)BaseAddress + dword_1400070EC) = 0x671;
        *(_DWORD *)((char *)BaseAddress + dword_1400070E8) = 0x16E2 - dword_1400070E8;
        memcpy_s(HookMem, 14ui64, &qword_1400070F8, 14ui64);// PresentMultiplaneOverlay 头部字节码
        v13 = (char *)HookMem;
        *(_DWORD *)((char *)HookMem + 15) = (_DWORD)PresentMultiplaneOverlay + 14;
        *(_DWORD *)(v13 + 0x17) = ((unsigned __int64)PresentMultiplaneOverlay + 14) >> 32;
        v13[14] = 0x68;
        *(_DWORD *)(v13 + 0x13) = 0x42444C7;
        v13[27] = 0xC3;
      }
      KeUnstackDetachProcess(&ApcState);
      KeStackAttachProcess(Dwm, &ApcState);
      if ( BaseAddress && HookMem )
      {
        if ( MmIsAddressValid(PresentMultiplaneOverlay) )
        {
          Mdl = IoAllocateMdl(PresentMultiplaneOverlay, 0x100u, 0, 0, 0i64);
          MmProbeAndLockPages(Mdl, 1, IoReadAccess);
          v15 = (char *)MmMapLockedPagesSpecifyCache(Mdl, 0, MmNonCached, 0i64, 0, 0x10u);// hook
          if ( v15 )
          {                                     // 68 00000000           - push 00000000 { 0 }
                                                // C7 44 24 04 00000000  - mov [rsp+04],00000000 { 0 }
                                                // C3                    - ret
                                                // shellcode
            v16 = (char *)BaseAddress + dword_1400070F0;// sub_860,各种初始化
            *(_DWORD *)(v15 + 1) = (_DWORD)v16;
            *(_DWORD *)(v15 + 9) = HIDWORD(v16);// 往里面写数据
            *v15 = 0x68;                        // push shellcode sub_860
            *(_DWORD *)(v15 + 5) = 69485767;    // mov [rsp+04],00000000
            v15[13] = 0xC3;                     // ret
          }
          MmUnmapLockedPages(v15, Mdl);
          MmUnlockPages(Mdl);
          IoFreeMdl(Mdl);
        }
        v27[0] = (__int64)BaseAddress;
        v29 = 0;
        v27[1] = 0x30BAi64;
        v28 = (unsigned int)PsGetProcessId(Dwm);
        sub_140001A84((__int64)v27);
      }
      KeUnstackDetachProcess(&ApcState);
      Interval.QuadPart = -50000000i64;
      KeDelayExecutionThread(0, 0, &Interval);  // 恢复hook
      KeStackAttachProcess(Dwm, &ApcState);
      if ( BaseAddress )
      {
        if ( HookMem )
        {
          sub_140001B30();
          if ( MmIsAddressValid(PresentMultiplaneOverlay) )
          {
            v17 = IoAllocateMdl(PresentMultiplaneOverlay, 0x100u, 0, 0, 0i64);
            MmProbeAndLockPages(v17, 1, IoReadAccess);
            v18 = MmMapLockedPagesSpecifyCache(v17, 0, MmNonCached, 0i64, 0, 0x10u);// mdl强写
            if ( v18 )
            {                                   //
                                                // 48 8B C4              - mov rax,rsp
                                                // 55                    - push rbp
                                                // 56                    - push rsi
                                                // 57                    - push rdi
                                                // 41 54                 - push r12
                                                // 41 55                 - push r13
                                                // 41 56                 - push r14
                                                // 41 57                 - push r15
              *(_QWORD *)v18 = qword_1400070F8;
              v18[2] = dword_140007100;
              *((_WORD *)v18 + 6) = word_140007104;
            }
            MmUnmapLockedPages(v18, v17);
            MmUnlockPages(v17);
            IoFreeMdl(v17);
          }
        }
      }
      KeUnstackDetachProcess(&ApcState);
      Interval.QuadPart = -15000000i64;         // 释放shellcode
      KeDelayExecutionThread(0, 0, &Interval);
      KeStackAttachProcess(Dwm, &ApcState);
      if ( BaseAddress )
      {
        if ( HookMem )
        {
          ZwFreeVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFFi64, &BaseAddress, &RegionSize, 0x4000u);// 释放shellcode
          ZwFreeVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFFi64, &HookMem, &v23, 0x4000u);
        }
      }
      KeUnstackDetachProcess(&ApcState);
    }
  }
}
loc_1400019EA:                ; CODE XREF: sub_1400014A0+5D↑j
.text:00000001400019EA                                                             ; sub_1400014A0+173↑j
.text:00000001400019EA                                                             ; sub_1400014A0+17C↑j
.text:00000001400019EA 48 8B 4D 37                   mov     rcx, [rbp+57h+var_20]
.text:00000001400019EE 48 33 CC                      xor     rcx, rsp              ; StackCookie
.text:00000001400019F1 E8 EA 01 00 00                call    __security_check_cookie
.text:00000001400019F1
.text:00000001400019F6 4C 8D 9C 24 C0 00 00 00       lea     r11, [rsp+0D0h+var_10]
.text:00000001400019FE 49 8B 5B 20                   mov     rbx, [r11+20h]
.text:0000000140001A02 49 8B 73 28                   mov     rsi, [r11+28h]
.text:0000000140001A06 49 8B 7B 30                   mov     rdi, [r11+30h]
.text:0000000140001A0A 4D 8B 63 38                   mov     r12, [r11+38h]
.text:0000000140001A0E 49 8B E3                      mov     rsp, r11
.text:0000000140001A11 41 5F                         pop     r15
.text:0000000140001A13 41 5E                         pop     r14
.text:0000000140001A15 5D                            pop     rbp
.text:0000000140001A16 C3                            retn
loc_1400019EA:                ; CODE XREF: sub_1400014A0+5D↑j
.text:00000001400019EA                                                             ; sub_1400014A0+173↑j
.text:00000001400019EA                                                             ; sub_1400014A0+17C↑j
.text:00000001400019EA 48 8B 4D 37                   mov     rcx, [rbp+57h+var_20]
.text:00000001400019EE 48 33 CC                      xor     rcx, rsp              ; StackCookie
.text:00000001400019F1 E8 EA 01 00 00                call    __security_check_cookie
.text:00000001400019F1
.text:00000001400019F6 4C 8D 9C 24 C0 00 00 00       lea     r11, [rsp+0D0h+var_10]
.text:00000001400019FE 49 8B 5B 20                   mov     rbx, [r11+20h]
.text:0000000140001A02 49 8B 73 28                   mov     rsi, [r11+28h]
.text:0000000140001A06 49 8B 7B 30                   mov     rdi, [r11+30h]
.text:0000000140001A0A 4D 8B 63 38                   mov     r12, [r11+38h]
.text:0000000140001A0E 49 8B E3                      mov     rsp, r11
.text:0000000140001A11 41 5F                         pop     r15
.text:0000000140001A13 41 5E                         pop     r14
.text:0000000140001A15 5D                            pop     rbp
.text:0000000140001A16 C3                            retn
void MdlCopyMemory(PVOID address,PVOID buffer,size_t size)
{
    __try
    {
        if (MmIsAddressValid((PVOID)address))
        {
            auto pMdl = IoAllocateMdl(address, size, FALSE, FALSE, nullptr);
            if (pMdl)
            {
                MmBuildMdlForNonPagedPool(pMdl);
 
                auto lock = MmMapLockedPagesSpecifyCache(pMdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority);
 
                if (lock)
                {
                    RtlCopyMemory(lock, buffer, size);
                    MmUnmapLockedPages(lock, pMdl);
                }
                ExFreePool(pMdl);
 
            }
        }
    }
    __except (1)
    {
 
    }
 
}
void MdlCopyMemory(PVOID address,PVOID buffer,size_t size)
{
    __try
    {
        if (MmIsAddressValid((PVOID)address))
        {
            auto pMdl = IoAllocateMdl(address, size, FALSE, FALSE, nullptr);
            if (pMdl)
            {
                MmBuildMdlForNonPagedPool(pMdl);
 
                auto lock = MmMapLockedPagesSpecifyCache(pMdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority);
 
                if (lock)
                {
                    RtlCopyMemory(lock, buffer, size);
                    MmUnmapLockedPages(lock, pMdl);
                }
                ExFreePool(pMdl);
 
            }
        }
    }
    __except (1)
    {
 
    }
 
}
VOID LoadImageNotify(
    _In_ PUNICODE_STRING FullImageName,
    _In_ HANDLE ProcessId,
    _In_ PIMAGE_INFO ImageInfo
)
{
    if (FullImageName != nullptr && MmIsAddressValid(FullImageName))
    {
        if (ProcessId == 0) // 是否是驱动
        {
            auto ImageName = FullImageName->Buffer;
            if (wcsstr(ImageName, L"2022GameSafeRace.sys"))
            {
                auto PatchFree = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x18a4;
                auto JmpAddress = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x19ea;
                char jmp[] = {
                    0xe9,0x00,0x00,0x00,0x00
                };
                *(uint32_t*)(jmp + 1) = (ULONG64)(JmpAddress - PatchFree + 5);
 
                MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
            }
        }
    }
}
VOID LoadImageNotify(
    _In_ PUNICODE_STRING FullImageName,
    _In_ HANDLE ProcessId,
    _In_ PIMAGE_INFO ImageInfo
)
{
    if (FullImageName != nullptr && MmIsAddressValid(FullImageName))
    {
        if (ProcessId == 0) // 是否是驱动
        {
            auto ImageName = FullImageName->Buffer;
            if (wcsstr(ImageName, L"2022GameSafeRace.sys"))
            {
                auto PatchFree = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x18a4;
                auto JmpAddress = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x19ea;
                char jmp[] = {
                    0xe9,0x00,0x00,0x00,0x00
                };
                *(uint32_t*)(jmp + 1) = (ULONG64)(JmpAddress - PatchFree + 5);
 
                MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
            }
        }
    }
}
#include <ntifs.h>
#include <ntdef.h>
#include <ntstatus.h>
#include <cstdint>
#define DPRINT(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, __VA_ARGS__)
void MdlCopyMemory(PVOID address,PVOID buffer,size_t size)
{
    __try
    {
        if (MmIsAddressValid((PVOID)address))
        {
            auto pMdl = IoAllocateMdl(address, size, FALSE, FALSE, nullptr);
            if (pMdl)
            {
                MmBuildMdlForNonPagedPool(pMdl);
 
                auto lock = MmMapLockedPagesSpecifyCache(pMdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority);
 
                if (lock)
                {
                    RtlCopyMemory(lock, buffer, size);
                    MmUnmapLockedPages(lock, pMdl);
                }
                ExFreePool(pMdl);
 
            }
        }
    }
    __except (1)
    {
 
    }
 
}
VOID LoadImageNotify(
    _In_ PUNICODE_STRING FullImageName,
    _In_ HANDLE ProcessId,
    _In_ PIMAGE_INFO ImageInfo
)
{
    if (FullImageName != nullptr && MmIsAddressValid(FullImageName))
    {
        if (ProcessId == 0) // 是否是驱动
        {
            auto ImageName = FullImageName->Buffer;
            if (wcsstr(ImageName, L"2022GameSafeRace.sys"))
            {
                auto PatchFree = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x18a4;
                auto JmpAddress = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x19ea;
                char jmp[] = {
                    0xe9,0x00,0x00,0x00,0x00
                };
                *(uint32_t*)(jmp + 1) = (ULONG64)(JmpAddress - PatchFree + 5);
 
                MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
            }
        }
    }
}
 
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    PsRemoveLoadImageNotifyRoutine(LoadImageNotify);
}
 
EXTERN_C NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    pDriverObj->DriverUnload = DriverUnload;
    auto status = PsSetLoadImageNotifyRoutine(LoadImageNotify);
    return status;
}
#include <ntifs.h>
#include <ntdef.h>
#include <ntstatus.h>
#include <cstdint>
#define DPRINT(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, __VA_ARGS__)
void MdlCopyMemory(PVOID address,PVOID buffer,size_t size)
{
    __try
    {
        if (MmIsAddressValid((PVOID)address))
        {
            auto pMdl = IoAllocateMdl(address, size, FALSE, FALSE, nullptr);
            if (pMdl)
            {
                MmBuildMdlForNonPagedPool(pMdl);
 
                auto lock = MmMapLockedPagesSpecifyCache(pMdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority);
 
                if (lock)
                {
                    RtlCopyMemory(lock, buffer, size);
                    MmUnmapLockedPages(lock, pMdl);
                }
                ExFreePool(pMdl);
 
            }
        }
    }
    __except (1)
    {
 
    }
 
}
VOID LoadImageNotify(
    _In_ PUNICODE_STRING FullImageName,
    _In_ HANDLE ProcessId,
    _In_ PIMAGE_INFO ImageInfo
)
{
    if (FullImageName != nullptr && MmIsAddressValid(FullImageName))
    {
        if (ProcessId == 0) // 是否是驱动
        {
            auto ImageName = FullImageName->Buffer;
            if (wcsstr(ImageName, L"2022GameSafeRace.sys"))
            {
                auto PatchFree = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x18a4;
                auto JmpAddress = reinterpret_cast<uint8_t*>(ImageInfo->ImageBase) + 0x19ea;
                char jmp[] = {
                    0xe9,0x00,0x00,0x00,0x00
                };
                *(uint32_t*)(jmp + 1) = (ULONG64)(JmpAddress - PatchFree + 5);
 
                MdlCopyMemory(PatchFree, &jmp, sizeof(jmp));
            }
        }
    }
}
 
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    PsRemoveLoadImageNotifyRoutine(LoadImageNotify);
}
 
EXTERN_C NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    pDriverObj->DriverUnload = DriverUnload;
    auto status = PsSetLoadImageNotifyRoutine(LoadImageNotify);
    return status;
}
CreateThread(0i64, 0i64, (LPTHREAD_START_ROUTINE)sub_140003530, 0i64, 0, &ThreadId);
CreateThread(0i64, 0i64, (LPTHREAD_START_ROUTINE)sub_140003530, 0i64, 0, &ThreadId);
__int64 __fastcall sub_140003530(PVOID Parameter)
{
  HANDLE ProcessHeap; // rax
  char *v2; // rdx
  __int64 result; // rax
  ULONG ReturnLength; // [rsp+38h] [rbp+10h] BYREF
 
  ProcessHeap = GetProcessHeap();
  v2 = (char *)HeapAlloc(ProcessHeap, 8u, 0x28ui64);
  result = 0i64;
  *(_OWORD *)v2 = 0i64;
  *((_OWORD *)v2 + 1) = 0i64;
  *((_QWORD *)v2 + 4) = 0i64;
  if ( v2 )
  {
    *((_DWORD *)v2 + 2) = 0;
    *((_DWORD *)v2 + 1) = 1;
    *(_DWORD *)v2 = 1380011588;
    *((_DWORD *)v2 + 3) = 20;
    *(_QWORD *)(v2 + 20) = 8193i64;
    *((_QWORD *)v2 + 4) = D3DCompile;
    ReturnLength = 40;
    NtQuerySystemInformation(SystemFirmwareTableInformation, v2, 0x28u, &ReturnLength);
    return 0i64;
  }
  return result;
}
__int64 __fastcall sub_140003530(PVOID Parameter)
{
  HANDLE ProcessHeap; // rax
  char *v2; // rdx
  __int64 result; // rax
  ULONG ReturnLength; // [rsp+38h] [rbp+10h] BYREF
 
  ProcessHeap = GetProcessHeap();
  v2 = (char *)HeapAlloc(ProcessHeap, 8u, 0x28ui64);
  result = 0i64;
  *(_OWORD *)v2 = 0i64;
  *((_OWORD *)v2 + 1) = 0i64;
  *((_QWORD *)v2 + 4) = 0i64;
  if ( v2 )
  {
    *((_DWORD *)v2 + 2) = 0;
    *((_DWORD *)v2 + 1) = 1;
    *(_DWORD *)v2 = 1380011588;
    *((_DWORD *)v2 + 3) = 20;
    *(_QWORD *)(v2 + 20) = 8193i64;
    *((_QWORD *)v2 + 4) = D3DCompile;
    ReturnLength = 40;
    NtQuerySystemInformation(SystemFirmwareTableInformation, v2, 0x28u, &ReturnLength);
    return 0i64;
  }
  return result;
}
__int64 __fastcall DrawRect(
        int a1,
        int a2,
        int a3,
        int a4,
        float a5,
        __int64 a6,
        __int64 a7,
        __int64 a8,
        __int64 a9,
        __int64 a10)
{
  __int64 v14; // r14
  unsigned int v15; // ebx
  int v16; // ecx
  float v17; // xmm9_4
  float v18; // xmm11_4
  float v19; // xmm7_4
  float v20; // xmm10_4
  float *v21; // rcx
  float v22; // xmm0_4
  float v23; // xmm8_4
  float v24; // xmm6_4
  float v25; // xmm3_4
  float v26; // xmm1_4
  float v27; // xmm8_4
  float v28; // xmm7_4
  float v29; // xmm5_4
  float v30; // xmm4_4
  float v31; // xmm2_4
  __int64 v32; // rax
  float *v34; // [rsp+30h] [rbp-C8h] BYREF
  char v35[8]; // [rsp+40h] [rbp-B8h] BYREF
  float v36; // [rsp+48h] [rbp-B0h]
  float v37; // [rsp+4Ch] [rbp-ACh]
  int v38; // [rsp+108h] [rbp+10h] BYREF
  int v39; // [rsp+110h] [rbp+18h] BYREF
  int v40; // [rsp+118h] [rbp+20h] BYREF
 
  v14 = a6;
  v38 = 1;
  v15 = LODWORD(a5) + (a3 ^ (a1 + a2)) % 256 - a4 % 256;
  (*(void (__fastcall **)(__int64, int *, char *))(*(_QWORD *)a6 + 760i64))(a6, &v38, v35);
  v16 = (a3 ^ (a2 * a1)) % 256 - (a4 >> 8) % 256;
  v17 = (float)(v37 - (float)(2 * (v16 + a2) - 1)) / v37;
  v18 = (float)(v37 - (float)(2 * a2 + 99)) / v37;
  v19 = (float)((float)(2 * (v16 + a1) - 1) - v36) / v36;
  v20 = (float)((float)(2 * a1 + 99) - v36) / v36;
  (*(void (__fastcall **)(__int64, __int64, _QWORD, __int64, _DWORD, float **))(*(_QWORD *)v14 + 112i64))(
    v14,
    a7,
    0i64,
    4i64,
    0,
    &v34);
  v21 = v34;
  a5 = 255.0;
  v34[2] = (float)0;
  v22 = a5;
  v23 = (float)((a3 ^ (a2 + a1 * (a2 + 1))) % 256 - (a4 >> 16) % 256);
  v24 = v23 + v19;
  v25 = v23 + v17;
  *v21 = v23 + v19;
  v26 = v23 + v20;
  v21[1] = v23 + v17;
  v27 = v23 + v18;
  v28 = (float)BYTE2(v15) / v22;
  v29 = (float)(unsigned __int8)(v15 >> 12) / v22;
  v30 = (float)(unsigned __int8)v15 / v22;
  v21[3] = v28;
  v21[4] = v29;
  v31 = (float)HIBYTE(v15) / v22;
  v21[6] = v31;
  v21[9] = (float)0;
  v21[13] = v31;
  v21[16] = (float)0;
  v21[20] = v31;
  v21[27] = v31;
  v21[5] = v30;
  v21[7] = v26;
  v21[8] = v25;
  v21[10] = v28;
  v21[11] = v29;
  v21[12] = v30;
  v21[14] = v24;
  v21[15] = v27;
  v21[17] = v28;
  v21[18] = v29;
  v21[19] = v30;
  v21[21] = v26;
  v21[22] = v27;
  v21[24] = v28;
  v21[25] = v29;
  v21[26] = v30;
  v21[23] = (float)0;
  (*(void (__fastcall **)(__int64, __int64, _QWORD))(*(_QWORD *)v14 + 120i64))(v14, a7, 0i64);
  v32 = *(_QWORD *)v14;
  v40 = 28;
  v39 = 0;
  (*(void (__fastcall **)(__int64, _QWORD, __int64, __int64 *, int *, int *))(v32 + 144))(
    v14,
    0i64,
    1i64,
    &a7,
    &v40,
    &v39);
  (*(void (__fastcall **)(__int64, __int64))(*(_QWORD *)v14 + 192i64))(v14, 5i64);
  (*(void (__fastcall **)(__int64, __int64))(*(_QWORD *)v14 + 136i64))(v14, a8);
  (*(void (__fastcall **)(__int64, __int64, _QWORD, _QWORD))(*(_QWORD *)v14 + 88i64))(v14, a9, 0i64, 0i64);
  (*(void (__fastcall **)(__int64, __int64, _QWORD, _QWORD))(*(_QWORD *)v14 + 72i64))(v14, a10, 0i64, 0i64);
  (*(void (__fastcall **)(__int64, _QWORD, _QWORD, _QWORD))(*(_QWORD *)v14 + 184i64))(v14, 0i64, 0i64, 0i64);
  return (*(__int64 (__fastcall **)(__int64, __int64))(*(_QWORD *)v14 + 104i64))(v14, 4i64);
}
__int64 __fastcall DrawRect(
        int a1,
        int a2,
        int a3,
        int a4,
        float a5,
        __int64 a6,
        __int64 a7,
        __int64 a8,
        __int64 a9,
        __int64 a10)
{
  __int64 v14; // r14
  unsigned int v15; // ebx
  int v16; // ecx
  float v17; // xmm9_4
  float v18; // xmm11_4
  float v19; // xmm7_4
  float v20; // xmm10_4
  float *v21; // rcx
  float v22; // xmm0_4
  float v23; // xmm8_4
  float v24; // xmm6_4
  float v25; // xmm3_4
  float v26; // xmm1_4
  float v27; // xmm8_4
  float v28; // xmm7_4
  float v29; // xmm5_4
  float v30; // xmm4_4
  float v31; // xmm2_4
  __int64 v32; // rax
  float *v34; // [rsp+30h] [rbp-C8h] BYREF
  char v35[8]; // [rsp+40h] [rbp-B8h] BYREF
  float v36; // [rsp+48h] [rbp-B0h]
  float v37; // [rsp+4Ch] [rbp-ACh]
  int v38; // [rsp+108h] [rbp+10h] BYREF
  int v39; // [rsp+110h] [rbp+18h] BYREF
  int v40; // [rsp+118h] [rbp+20h] BYREF
 
  v14 = a6;
  v38 = 1;
  v15 = LODWORD(a5) + (a3 ^ (a1 + a2)) % 256 - a4 % 256;
  (*(void (__fastcall **)(__int64, int *, char *))(*(_QWORD *)a6 + 760i64))(a6, &v38, v35);
  v16 = (a3 ^ (a2 * a1)) % 256 - (a4 >> 8) % 256;
  v17 = (float)(v37 - (float)(2 * (v16 + a2) - 1)) / v37;
  v18 = (float)(v37 - (float)(2 * a2 + 99)) / v37;
  v19 = (float)((float)(2 * (v16 + a1) - 1) - v36) / v36;
  v20 = (float)((float)(2 * a1 + 99) - v36) / v36;
  (*(void (__fastcall **)(__int64, __int64, _QWORD, __int64, _DWORD, float **))(*(_QWORD *)v14 + 112i64))(
    v14,
    a7,
    0i64,
    4i64,
    0,
    &v34);
  v21 = v34;
  a5 = 255.0;
  v34[2] = (float)0;
  v22 = a5;
  v23 = (float)((a3 ^ (a2 + a1 * (a2 + 1))) % 256 - (a4 >> 16) % 256);
  v24 = v23 + v19;
  v25 = v23 + v17;
  *v21 = v23 + v19;
  v26 = v23 + v20;
  v21[1] = v23 + v17;
  v27 = v23 + v18;
  v28 = (float)BYTE2(v15) / v22;
  v29 = (float)(unsigned __int8)(v15 >> 12) / v22;
  v30 = (float)(unsigned __int8)v15 / v22;
  v21[3] = v28;
  v21[4] = v29;
  v31 = (float)HIBYTE(v15) / v22;
  v21[6] = v31;
  v21[9] = (float)0;
  v21[13] = v31;
  v21[16] = (float)0;
  v21[20] = v31;
  v21[27] = v31;
  v21[5] = v30;
  v21[7] = v26;
  v21[8] = v25;
  v21[10] = v28;
  v21[11] = v29;
  v21[12] = v30;
  v21[14] = v24;
  v21[15] = v27;
  v21[17] = v28;
  v21[18] = v29;
  v21[19] = v30;
  v21[21] = v26;
  v21[22] = v27;
  v21[24] = v28;
  v21[25] = v29;
  v21[26] = v30;
  v21[23] = (float)0;
  (*(void (__fastcall **)(__int64, __int64, _QWORD))(*(_QWORD *)v14 + 120i64))(v14, a7, 0i64);
  v32 = *(_QWORD *)v14;
  v40 = 28;
  v39 = 0;
  (*(void (__fastcall **)(__int64, _QWORD, __int64, __int64 *, int *, int *))(v32 + 144))(
    v14,
    0i64,
    1i64,
    &a7,
    &v40,
    &v39);
  (*(void (__fastcall **)(__int64, __int64))(*(_QWORD *)v14 + 192i64))(v14, 5i64);
  (*(void (__fastcall **)(__int64, __int64))(*(_QWORD *)v14 + 136i64))(v14, a8);
  (*(void (__fastcall **)(__int64, __int64, _QWORD, _QWORD))(*(_QWORD *)v14 + 88i64))(v14, a9, 0i64, 0i64);
  (*(void (__fastcall **)(__int64, __int64, _QWORD, _QWORD))(*(_QWORD *)v14 + 72i64))(v14, a10, 0i64, 0i64);
  (*(void (__fastcall **)(__int64, _QWORD, _QWORD, _QWORD))(*(_QWORD *)v14 + 184i64))(v14, 0i64, 0i64, 0i64);
  return (*(__int64 (__fastcall **)(__int64, __int64))(*(_QWORD *)v14 + 104i64))(v14, 4i64);
}
__int64 __fastcall sub_420(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6, __int64 a7)
{
  unsigned __int64 idx; // rsi
  unsigned __int64 vidx; // r8
  signed int branch; // ecx
  unsigned __int64 v12; // rdx
  __int64 v13; // rcx
  unsigned int v14; // r9d
  __int64 v15; // r8
  __int64 v16; // r9
  unsigned int v17; // edx
  unsigned __int64 v18; // r10
  unsigned __int64 v19; // rcx
  unsigned int v20; // r9d
  int v21; // r9d
  int v22; // eax
  __int64 result; // rax
  int reg[10]; // [rsp+60h] [rbp-21h] BYREF
 
  idx = 0i64;
  memset(reg, 0, 32);
  reg[8] = 50;
  reg[9] = 50;
  do
  {
    vidx = idx;
    branch = opcode[idx];
    if ( branch > (int)0x9A8ECD52 )
    {
      switch ( branch )
      {
        case 0xEE2362FC:
          ++idx;
          v21 = reg[0];
          v22 = reg[0] * (reg[1] + 1);
          reg[0] = opcode[idx] ^ 0x414345;
          reg[1] = (reg[0] ^ (reg[1] + v21)) % 256
                 + (((reg[0] ^ (v21 * reg[1])) % 256 + (((reg[0] ^ (reg[1] + v22)) % 256) << 8)) << 8);
          break;
        case 0xEE69524A:
          v19 = 0i64;
          v20 = opcode[vidx + 1];
          opcode[idx] = -1;
          opcode[vidx + 1] = -1;
          if ( idx != 1 )
          {
            do
              opcode[v19++] ^= v20;
            while ( v19 < idx - 1 );
          }
          ++idx;
          break;
        case 0xFF4578AE:
          idx += 2i64;
          v16 = (int)opcode[vidx + 1];
          v17 = opcode[idx];
          if ( (_DWORD)v16 )
          {
            v18 = idx;
            do
            {
              opcode[++v18] ^= v17;
              v17 = opcode[v18 - 1] + 0x12345678 * v17;
              --v16;
            }
            while ( v16 );
          }
          opcode[vidx] = -1;
          opcode[vidx + 1] = -1;
          opcode[idx] = -1;
          break;
        case 0x1132EADF:
          idx += 2i64;
          reg[opcode[idx]] = opcode[vidx + 1];
          break;
        default:
          if ( branch == 0x7852AAEF && opcode[0] == 0xEE69624A && opcode[1] == 0x689EDC0A && opcode[2] == 0x98EFDBC9 )
            sub_0(reg[4], reg[5], reg[6], reg[7], 0xFF2DDBE7, a3, a4, a5, a6, a7);
          break;
      }
    }
    else
    {
      switch ( branch )
      {
        case 0x9A8ECD52:
          reg[0] -= reg[1];
          break;
        case 0x88659264:
          idx += 2i64;
          v12 = idx;
          v13 = (int)opcode[vidx + 1];
          v14 = opcode[idx];
          opcode[vidx] = -1;
          opcode[vidx + 1] = -1;
          v15 = v13;
          opcode[idx] = -1;
          if ( (_DWORD)v13 )
          {
            do
            {
              opcode[++v12] ^= v14;
              --v15;
            }
            while ( v15 );
          }
          break;
        case 0x89657EAD:
          reg[0] += reg[1];
          break;
        case 0x8E7CADF2:
          idx += 2i64;
          reg[opcode[idx]] = reg[opcode[vidx + 1]];
          break;
        case 0x9645AAED:
          if ( opcode[0] == 0xEE69624A && opcode[1] == 0x689EDC0A && opcode[2] == 0x98EFDBC9 )
            sub_0(reg[4], reg[5], reg[6], reg[7], 0xFFFFFF00, a3, a4, a5, a6, a7);
          break;
        case 0x9645AEDC:
          idx = 0x671i64;
          break;
      }
    }
    result = 0x671i64;
    ++idx;
  }
  while ( idx < 0x671 );
  return result;
}
__int64 __fastcall sub_420(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6, __int64 a7)
{
  unsigned __int64 idx; // rsi
  unsigned __int64 vidx; // r8
  signed int branch; // ecx
  unsigned __int64 v12; // rdx
  __int64 v13; // rcx
  unsigned int v14; // r9d
  __int64 v15; // r8
  __int64 v16; // r9
  unsigned int v17; // edx
  unsigned __int64 v18; // r10
  unsigned __int64 v19; // rcx
  unsigned int v20; // r9d
  int v21; // r9d
  int v22; // eax
  __int64 result; // rax
  int reg[10]; // [rsp+60h] [rbp-21h] BYREF
 
  idx = 0i64;
  memset(reg, 0, 32);
  reg[8] = 50;
  reg[9] = 50;
  do
  {
    vidx = idx;
    branch = opcode[idx];
    if ( branch > (int)0x9A8ECD52 )
    {
      switch ( branch )
      {
        case 0xEE2362FC:
          ++idx;
          v21 = reg[0];
          v22 = reg[0] * (reg[1] + 1);
          reg[0] = opcode[idx] ^ 0x414345;
          reg[1] = (reg[0] ^ (reg[1] + v21)) % 256
                 + (((reg[0] ^ (v21 * reg[1])) % 256 + (((reg[0] ^ (reg[1] + v22)) % 256) << 8)) << 8);
          break;
        case 0xEE69524A:
          v19 = 0i64;
          v20 = opcode[vidx + 1];
          opcode[idx] = -1;
          opcode[vidx + 1] = -1;
          if ( idx != 1 )
          {
            do
              opcode[v19++] ^= v20;
            while ( v19 < idx - 1 );
          }
          ++idx;
          break;
        case 0xFF4578AE:
          idx += 2i64;
          v16 = (int)opcode[vidx + 1];
          v17 = opcode[idx];
          if ( (_DWORD)v16 )
          {
            v18 = idx;
            do
            {
              opcode[++v18] ^= v17;
              v17 = opcode[v18 - 1] + 0x12345678 * v17;
              --v16;
            }
            while ( v16 );
          }
          opcode[vidx] = -1;
          opcode[vidx + 1] = -1;
          opcode[idx] = -1;
          break;
        case 0x1132EADF:
          idx += 2i64;
          reg[opcode[idx]] = opcode[vidx + 1];
          break;
        default:
          if ( branch == 0x7852AAEF && opcode[0] == 0xEE69624A && opcode[1] == 0x689EDC0A && opcode[2] == 0x98EFDBC9 )
            sub_0(reg[4], reg[5], reg[6], reg[7], 0xFF2DDBE7, a3, a4, a5, a6, a7);
          break;
      }
    }
    else
    {
      switch ( branch )
      {
        case 0x9A8ECD52:
          reg[0] -= reg[1];
          break;
        case 0x88659264:
          idx += 2i64;
          v12 = idx;
          v13 = (int)opcode[vidx + 1];
          v14 = opcode[idx];
          opcode[vidx] = -1;
          opcode[vidx + 1] = -1;
          v15 = v13;
          opcode[idx] = -1;
          if ( (_DWORD)v13 )
          {
            do
            {
              opcode[++v12] ^= v14;
              --v15;
            }
            while ( v15 );
          }
          break;
        case 0x89657EAD:
          reg[0] += reg[1];
          break;
        case 0x8E7CADF2:
          idx += 2i64;
          reg[opcode[idx]] = reg[opcode[vidx + 1]];
          break;
        case 0x9645AAED:
          if ( opcode[0] == 0xEE69624A && opcode[1] == 0x689EDC0A && opcode[2] == 0x98EFDBC9 )
            sub_0(reg[4], reg[5], reg[6], reg[7], 0xFFFFFF00, a3, a4, a5, a6, a7);
          break;
        case 0x9645AEDC:
          idx = 0x671i64;
          break;
      }
    }
    result = 0x671i64;
    ++idx;
  }
  while ( idx < 0x671 );
  return result;
}
====ExecVirtual[0]====
Reg[8] = 50
Reg[9] = 50
-> Xor 1
-> VMEnd
====ExecVirtual[1]====
Reg[8] = 50
Reg[9] = 50
-> Xor 1
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],3301906)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 360
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7631989)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 432
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],2299116)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 504
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9843946)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> VMEnd
====ExecVirtual[2]====
Reg[8] = 50
Reg[9] = 50
-> Xor 1
Reg[0] = Reg[8]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],3301906)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 360
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7631989)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 432
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],2299116)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 504
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9843946)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> VMEnd
====ExecVirtual[3]====
Reg[8] = 50
Reg[9] = 50
-> Xor 1
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7882222)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],4728102)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],3301906)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 360
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7631989)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 432
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],2299116)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 504
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9843946)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> VMEnd
====ExecVirtual[4]====
Reg[8] = 50
Reg[9] = 50
-> Xor 1
Reg[0] = Reg[9]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9843546)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9851444)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 360
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7882222)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],4728102)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],3301906)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 360
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7631989)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 432
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],2299116)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 504
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9843946)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> VMEnd
====ExecVirtual[5]====
Reg[8] = 50
Reg[9] = 50
-> Xor 1
Reg[0] = Reg[8]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9844004)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],11451615)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 72
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 72
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],8734638)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9864618)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9843546)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9851444)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 360
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7882222)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],4728102)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],3301906)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 360
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7631989)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 432
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],2299116)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 504
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9843946)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
-> VMEnd
====ExecVirtual[6]====
Reg[8] = 50
Reg[9] = 50
-> Xor 3
-> Xor 2
Reg[0] = Reg[8]
Reg[4] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = 1000
Reg[0] -= Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],5392533)
Reg[3] = Reg[0]
Reg[0] = Reg[1]
Reg[1] = Reg[3]
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 72
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[5]
Reg[1] = 500
Reg[0] -= Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],5934636)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[4] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = 1000
Reg[0] -= Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9984722)
Reg[3] = Reg[0]
Reg[0] = Reg[1]
Reg[1] = Reg[3]
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
-> Xor 3
Reg[0] = Reg[8]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],11102301)
Reg[3] = Reg[0]
Reg[0] = Reg[3]
Reg[1] = Reg[3]
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[4] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = 1000
Reg[0] -= Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
-> Xor 2
Reg[5] = Reg[0]
Reg[0] = Reg[5]
Reg[1] = 500
Reg[0] -= Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7888111)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 360
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9846439)
Reg[3] = Reg[0]
Reg[0] = Reg[1]
Reg[1] = Reg[3]
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 72
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = 1000
Reg[0] -= Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[5]
Reg[1] = 500
Reg[0] -= Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],4608533)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 216
Reg[0] += Reg[1]
-> Xor 3
Reg[5] = Reg[0]
Reg[0] = Reg[5]
Reg[1] = 500
Reg[0] -= Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],8744398)
Reg[3] = Reg[0]
Reg[0] = Reg[1]
Reg[1] = Reg[3]
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = 1000
Reg[0] -= Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7703662)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 72
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 72
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[5]
Reg[1] = 500
Reg[0] -= Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
-> Xor 3
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],10004148)
Reg[3] = Reg[0]
Reg[#] = Reg[1]
Reg[1] = Reg[3]
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = 1000
Reg[0] -= Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],8744654)
Reg[3] = Reg[0]
Reg[0] = Reg[1]
Reg[1] = Reg[3]
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 720
Reg[0] += Reg[1]
Reg[8] = Reg[0]
-> Xor 2
Reg[0] = Reg[8]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],11271250)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 72
Reg[0] -= Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 72
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],8744654)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 144
Reg[0] -= Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
-> Xor 3
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9852138)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 216
Reg[0] -= Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],8725420)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 288
Reg[0] -= Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],8841932)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 216
Reg[0] -= Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],15348293)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 144
Reg[0] -= Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],8735468)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 72
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9846222)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],10022468)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7905811)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 72
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 72
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],5399353)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],8935246)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],1197146)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9851459)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 360
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],11150308)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 432
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],11150472)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 504
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9851428)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 360
Reg[0] += Reg[1]
Reg[8] = Reg[0]
Reg[0] = Reg[8]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],2504020)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 72
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],87160)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9844004)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],11451615)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 72
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 72
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],8734638)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9864618)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9843546)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9851444)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 360
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 144
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7882222)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],4728102)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],3301906)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 360
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7631989)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 432
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],2299116)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
Reg[0] = Reg[8]
Reg[1] = 504
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9843946)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> Draw(Reg[4],Reg[5],Reg[6],Reg[7],0xFF2DDBE7)
 
-> VMEnd
====ExecVirtual[0]====
Reg[8] = 50
Reg[9] = 50
-> Xor 1
-> VMEnd
====ExecVirtual[1]====
Reg[8] = 50
Reg[9] = 50
-> Xor 1
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],3301906)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 360
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7631989)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 432
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],2299116)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 504
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9843946)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> VMEnd
====ExecVirtual[2]====
Reg[8] = 50
Reg[9] = 50
-> Xor 1
Reg[0] = Reg[8]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],3301906)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 360
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7631989)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 432
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],2299116)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 504
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],9843946)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
-> VMEnd
====ExecVirtual[3]====
Reg[8] = 50
Reg[9] = 50
-> Xor 1
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7882222)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 216
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],4728102)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],3301906)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 360
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],7631989)
Reg[6] = Reg[0]
Reg[7] = Reg[1]
Reg[0] = Reg[8]
Reg[1] = 432
Reg[0] += Reg[1]
Reg[4] = Reg[0]
Reg[0] = Reg[9]
Reg[1] = 288
Reg[0] += Reg[1]
Reg[5] = Reg[0]
Reg[0] = Reg[4]
Reg[1] = Reg[5]
Reg[0],Reg[1] <- Decrypt(Reg[0],Reg[1],2299116)
Reg[6] = Reg[0]
Reg[7] = Reg[1]

[招生]系统0day安全班,企业级设备固件漏洞挖掘,Linux平台漏洞挖掘!

收藏
免费 4
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//