├── demo └── NotepadProtect.sys ├── handle_out ├── 0x1.txt ├── 0x11.txt ├── 0x16.txt ├── 0x19.txt ├── 0x1d.txt ├── 0x20.txt ├── 0x21.txt ├── 0x22.txt ├── 0x25.txt ├── 0x29.txt ├── 0x2b.txt ├── 0x2f.txt ├── 0x3c.txt ├── 0x40.txt ├── 0x41.txt ├── 0x42.txt ├── 0x43.txt ├── 0x44.txt ├── 0x45.txt ├── 0x46.txt ├── 0x47.txt ├── 0x48.txt ├── 0x49.txt ├── 0x4a.txt ├── 0x4b.txt ├── 0x4c.txt ├── 0x4d.txt ├── 0x4e.txt ├── 0x4f.txt ├── 0x51.txt ├── 0x52.txt ├── 0x54.txt ├── 0x56.txt ├── 0x57.txt ├── 0x5a.txt ├── 0x6.txt ├── 0x60.txt ├── 0x62.txt ├── 0x65.txt ├── 0x68.txt ├── 0x6a.txt ├── 0x6d.txt ├── 0x6e.txt ├── 0x70.txt ├── 0x72.txt ├── 0x73.txt ├── 0x75.txt ├── 0x78.txt ├── 0x7a.txt ├── 0x7d.txt ├── 0x9.txt ├── 0x95.txt ├── 0x9a.txt ├── 0x9e.txt ├── 0x9f.txt ├── 0xc.txt ├── 0xc3.txt ├── 0xc9.txt ├── 0xca.txt ├── 0xcb.txt ├── 0xd0.txt ├── 0xd1.txt ├── 0xd2.txt ├── 0xd3.txt ├── 0xd4.txt ├── 0xd5.txt ├── 0xd6.txt ├── 0xd7.txt ├── 0xd9.txt ├── 0xda.txt ├── 0xe5.txt ├── 0xe8.txt ├── 0xe9.txt ├── 0xea.txt ├── 0xee.txt ├── 0xef.txt ├── 0xf4.txt ├── 0xf8.txt ├── 0xfc.txt └── 0xfd.txt ├── idapython ├── TVMHandleOut.py ├── TVMunicornTrace.py └── deTvm.py ├── picture ├── 0.png ├── 1.png ├── 2.png ├── 3.png ├── 4.png └── 5.png ├── readme.md └── trace_file ├── sub_140001250.log ├── tvm入口到出口 去混淆.log └── tvm入口到出口 未去混淆.log /demo/NotepadProtect.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wbaby/xx_tvm/bf8ed8a692f38e078971630f4c223f532d7d8000/demo/NotepadProtect.sys -------------------------------------------------------------------------------- /handle_out/0x11.txt: -------------------------------------------------------------------------------- 1 | 0x11 p_a p_b p_c p_d 2 | 3 | 0x5403 4 | 5 | *(PULONG64)p_a = *(PULONG64)p_b << *(PUCHAR)p_c; 6 | *(PULONG32)p_d = rf 7 | 8 | v_shl_oregll_iregll_iregb_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d9c5f : mov r9, [rbp+8] 12 | 0x1400d9c6c : mov r8w, 
[r9] 13 | 0x1400d9c70 : xor r8w, 5403h 14 | 0x1400d9c76 : mov rdx, 0B321A6A009980B35h 15 | 0x1400d9c80 : not rdx 16 | 0x1400d9c83 : lea rdx, [r10+rdx] 17 | 0x1400d9c87 : movzx r8, r8w 18 | 0x1400d9c8b : mov rcx, 4CDE595FF667F4C9h 19 | 0x1400d9c95 : not rcx 20 | 0x1400d9c98 : add r8, rcx 21 | 0x1400d9c9b : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d9c9f : lea r9, [r9+2] 23 | 0x1400d9ca3 : mov dx, [r9] 24 | 0x1400d9ca7 : xor dx, 5403h 25 | 0x1400d9cac : movzx rdx, dx 26 | 0x1400d9cb0 : lea rdx, [r10+rdx] p_b = rdx 27 | 0x1400d9cb4 : mov rdx, [rdx] rdx = *(PULONG64)p_b 28 | 0x1400d9cb7 : jmp loc_1400D6744 29 | 0x1400d6746 : lea r9, [r9+2] 30 | 0x1400d674a : mov cx, [r9] 31 | 0x1400d674e : xor cx, 5403h 32 | 0x1400d6753 : mov rax, 0DD009CB00082498Ch 33 | 0x1400d675d : not rax 34 | 0x1400d6760 : lea rax, [r10+rax] 35 | 0x1400d6764 : movzx rcx, cx 36 | 0x1400d6768 : mov rbx, 22FF634FFF7DB672h 37 | 0x1400d6772 : not rbx 38 | 0x1400d6775 : add rcx, rbx 39 | 0x1400d6778 : lea rcx, [rax+rcx] p_c = rcx 40 | 0x1400d677c : mov cl, [rcx] cl = *(PUCHAR)p_c 41 | 0x1400d677e : lea r9, [r9+2] 42 | 0x1400d6782 : mov ax, [r9] 43 | 0x1400d6786 : xor ax, 5403h 44 | 0x1400d678a : movzx rax, ax 45 | 0x1400d678e : lea rax, [r10+rax] p_d = rax 46 | 0x1400d6792 : pushfq 47 | 0x1400d6793 : jmp loc_1400D6A26 48 | 0x1400d6a28 : mov rbx, [rsp+90h+var_90] 49 | 0x1400d6a2c : lea rsp, [rsp+8] 50 | 0x1400d6a31 : mov esi, [rax] rf 51 | 0x1400d6a33 : mov esi, esi 52 | 0x1400d6a35 : lea rsp, [rsp-8] 53 | 0x1400d6a3a : mov [rsp+90h+var_90], rsi 54 | 0x1400d6a3e : popfq 55 | 0x1400d6a3f : shl rdx, cl rdx = rdx << cl 56 | 0x1400d6a42 : pushfq 57 | 0x1400d6a43 : mov rcx, [rsp+90h+var_90] 58 | 0x1400d6a47 : lea rsp, [rsp+8] 59 | 0x1400d6a4c : mov [rax], ecx *(PULONG32)p_d = rf 60 | 0x1400d6a4e : lea rsp, [rsp-8] 61 | 0x1400d6a53 : mov [rsp+90h+var_90], rbx 62 | 0x1400d6a57 : popfq 63 | 0x1400d6a5e : mov [r8], rdx *(PULONG64)p_a = rdx 64 | 0x1400d6a67 : lea r9, [r9+2] 65 | 0x1400d6a6b : jmp loc_1400D9F33 66 | 
0x1400d9f3a : mov [rbp+8], r9 67 | 0x1400d9f44 : jmp loc_1400D5C1C 68 | 0x1400d5c1f : mov r9, [rbp+8] 69 | 0x1400d5c2c : mov r8b, [r9] 70 | 0x1400d5c2f : xor r8b, 5Dh 71 | 0x1400d5c33 : jmp loc_1400DABF2 72 | 0x1400dabf4 : mov rdx, 84063C9A3F77C111h 73 | 0x1400dabfe : not rdx 74 | 0x1400dac01 : lea rdx, [r9+rdx] 75 | 0x1400dac05 : mov r9, 7BF9C365C0883EECh 76 | 0x1400dac0f : not r9 77 | 0x1400dac12 : lea r9, [rdx+r9] 78 | 0x1400dac16 : jmp loc_1400D97BF 79 | 0x1400d97c6 : mov [rbp+8], r9 80 | 0x1400d97d0 : movzx r8, r8b 81 | 0x1400d97d4 : sub r8, 1 82 | 0x1400d97d8 : cmp r8, 0C8h 83 | 0x1400d97df : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 84 | -------------------------------------------------------------------------------- /handle_out/0x16.txt: -------------------------------------------------------------------------------- 1 | 0x16 p_a p_b p_c p_d 2 | 3 | 0xEEF7 4 | 5 | *(PULONG32)p_a = *(PULONG32)p_b << *(PUCHAR)p_c; 6 | *(PULONG32)p_d = rf; 7 | 8 | v_shl_oregl_iregl_iregb_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d92b3 : mov r9, [rbp+8] 12 | 0x1400d92c0 : mov r8w, [r9] 13 | 0x1400d92c4 : xor r8w, 0EEF7h 14 | 0x1400d92ca : mov rdx, 0BD4AF9C9EECDA694h 15 | 0x1400d92d4 : not rdx 16 | 0x1400d92d7 : lea rdx, [r10+rdx] 17 | 0x1400d92db : movzx r8, r8w 18 | 0x1400d92df : mov rcx, 42B506361132596Ah 19 | 0x1400d92e9 : not rcx 20 | 0x1400d92ec : add r8, rcx 21 | 0x1400d92ef : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d92f3 : lea r9, [r9+2] 23 | 0x1400d92f7 : mov dx, [r9] 24 | 0x1400d92fb : xor dx, 0EEF7h 25 | 0x1400d9300 : jmp loc_1400DA88B 26 | 0x1400da88c : movzx rdx, dx 27 | 0x1400da890 : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400da894 : mov edx, [rdx] edx = *(PULONG32)p_b 29 | 0x1400da896 : lea r9, [r9+2] 30 | 0x1400da89a : mov 
cx, [r9] 31 | 0x1400da89e : xor cx, 0EEF7h 32 | 0x1400da8a3 : mov rax, 103A2B595224B2CAh 33 | 0x1400da8ad : not rax 34 | 0x1400da8b0 : lea rax, [r10+rax] 35 | 0x1400da8b4 : movzx rcx, cx 36 | 0x1400da8b8 : mov rbx, 0EFC5D4A6ADDB4D34h 37 | 0x1400da8c2 : not rbx 38 | 0x1400da8c5 : add rcx, rbx 39 | 0x1400da8c8 : lea rcx, [rax+rcx] p_c = rcx 40 | 0x1400da8cc : mov cl, [rcx] cl = *(PUCHAR)p_c 41 | 0x1400da8ce : lea r9, [r9+2] 42 | 0x1400da8d2 : jmp loc_1400D9326 43 | 0x1400d9328 : mov ax, [r9] 44 | 0x1400d932c : xor ax, 0EEF7h 45 | 0x1400d9330 : movzx rax, ax 46 | 0x1400d9334 : lea rax, [r10+rax] p_d = rax 47 | 0x1400d9338 : pushfq 48 | 0x1400d9339 : mov rbx, [rsp+90h+var_90] 49 | 0x1400d933d : lea rsp, [rsp+8] 50 | 0x1400d9342 : mov esi, [rax] rf 51 | 0x1400d9344 : mov esi, esi 52 | 0x1400d9346 : lea rsp, [rsp-8] 53 | 0x1400d934b : mov [rsp+90h+var_90], rsi 54 | 0x1400d934f : popfq 55 | 0x1400d9350 : shl edx, cl edx = edx << cl 56 | 0x1400d9352 : pushfq 57 | 0x1400d9353 : mov rcx, [rsp+90h+var_90] 58 | 0x1400d9357 : lea rsp, [rsp+8] 59 | 0x1400d935c : jmp loc_1400D8C0B 60 | 0x1400d8c0d : mov [rax], ecx *(PULONG32)p_d = rf 61 | 0x1400d8c0f : lea rsp, [rsp-8] 62 | 0x1400d8c14 : mov [rsp+90h+var_90], rbx 63 | 0x1400d8c18 : popfq 64 | 0x1400d8c19 : mov [r8], edx *(PULONG32)p_a = edx 65 | 0x1400d8c1c : lea r9, [r9+2] 66 | 0x1400d8c26 : mov [rbp+8], r9 67 | 0x1400d8c30 : jmp loc_1400D5C1C 68 | 0x1400d5c1f : mov r9, [rbp+8] 69 | 0x1400d5c2c : mov r8b, [r9] 70 | 0x1400d5c2f : xor r8b, 5Dh 71 | 0x1400d5c33 : jmp loc_1400DABF2 72 | 0x1400dabf4 : mov rdx, 84063C9A3F77C111h 73 | 0x1400dabfe : not rdx 74 | 0x1400dac01 : lea rdx, [r9+rdx] 75 | 0x1400dac05 : mov r9, 7BF9C365C0883EECh 76 | 0x1400dac0f : not r9 77 | 0x1400dac12 : lea r9, [rdx+r9] 78 | 0x1400dac16 : jmp loc_1400D97BF 79 | 0x1400d97c6 : mov [rbp+8], r9 80 | 0x1400d97d0 : movzx r8, r8b 81 | 0x1400d97d4 : sub r8, 1 82 | 0x1400d97d8 : cmp r8, 0C8h 83 | 0x1400d97df : jnb def_1400D655C; jumptable 00000001400D655C default 
case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 84 | -------------------------------------------------------------------------------- /handle_out/0x19.txt: -------------------------------------------------------------------------------- 1 | 0x19 p_a p_b 2 | 3 | 0x1400 4 | 5 | *(PULONG64)p_a = ~*(PULONG64)p_b; 6 | 7 | v_not_oregll_iregll 8 | ---------------------------------------- 9 | 10 | 0x1400d7316 : mov r9, [rbp+8] 11 | 0x1400d7323 : mov r8w, [r9] 12 | 0x1400d7327 : xor r8w, 1400h 13 | 0x1400d732d : mov rdx, 8D2C9F70B1F9AB14h 14 | 0x1400d7337 : not rdx 15 | 0x1400d733a : jmp loc_1400DA8EA 16 | 0x1400da8ec : lea rdx, [r10+rdx] 17 | 0x1400da8f0 : movzx r8, r8w 18 | 0x1400da8f4 : mov rcx, 72D3608F4E0654EAh 19 | 0x1400da8fe : not rcx 20 | 0x1400da901 : add r8, rcx 21 | 0x1400da904 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400da908 : lea r9, [r9+2] 23 | 0x1400da90c : mov dx, [r9] 24 | 0x1400da910 : xor dx, 1400h 25 | 0x1400da915 : movzx rdx, dx 26 | 0x1400da919 : lea rdx, [r10+rdx] p_b = rdx 27 | 0x1400da91d : jmp loc_1400D811E 28 | 0x1400d811f : mov rdx, [rdx] rdx = *(PULONG64)p_b 29 | 0x1400d8122 : not rdx 30 | 0x1400d8125 : not rdx 31 | 0x1400d8128 : xchg rcx, rdx 32 | 0x1400d812b : not rcx rcx = ~rdx 33 | 0x1400d812e : mov rdx, rcx 34 | 0x1400d8131 : and rcx, rdx 35 | 0x1400d813a : mov [r8], rcx *(PULONG64)p_a = rcx 36 | 0x1400d8143 : lea r9, [r9+2] 37 | 0x1400d8147 : jmp loc_1400D715C 38 | 0x1400d7163 : mov [rbp+8], r9 39 | 0x1400d716d : jmp loc_1400D8FEC 40 | 0x1400d8fef : mov r9, [rbp+8] 41 | 0x1400d8ffc : mov r8b, [r9] 42 | 0x1400d8fff : xor r8b, 5Dh 43 | 0x1400d9003 : jmp loc_1400D6A7C 44 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 45 | 0x1400d6a87 : not rdx 46 | 0x1400d6a8a : lea rdx, [r9+rdx] 47 | 0x1400d6a8e : mov r9, 0FC30FF09BAE0574Dh 48 | 0x1400d6a98 : not r9 49 | 0x1400d6a9b : lea r9, [rdx+r9] 50 | 
0x1400d6aa5 : mov [rbp+8], r9 51 | 0x1400d6aa9 : jmp loc_1400DB1EB 52 | 0x1400db1f3 : movzx r8, r8b 53 | 0x1400db1f7 : sub r8, 1 54 | 0x1400db1fb : cmp r8, 0C8h 55 | 0x1400db202 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 56 | -------------------------------------------------------------------------------- /handle_out/0x20.txt: -------------------------------------------------------------------------------- 1 | 0x20 p_a p_b 2 | 3 | 0x0D45 4 | 5 | *(PUCHAR)p_a = *(PULONG32)p_b & (1<<6);//取 rf.zf (the handler uses setz, so the stored byte is 0 or 1 — ZF is bit 6 of rf — not the raw 0x40 mask value) 6 | 7 | v_setz_oregb_iregl 8 | ---------------------------------------- 9 | 10 | 0x1400d71f8 : mov r9, [rbp+8] 11 | 0x1400d7205 : mov r8w, [r9] 12 | 0x1400d7209 : xor r8w, 0D45h 13 | 0x1400d720f : mov rdx, 0C55E064D5923801Dh 14 | 0x1400d7219 : not rdx 15 | 0x1400d721c : jmp loc_1400D7439 16 | 0x1400d743a : lea rdx, [r10+rdx] 17 | 0x1400d743e : movzx r8, r8w 18 | 0x1400d7442 : mov rcx, 3AA1F9B2A6DC7FE1h 19 | 0x1400d744c : not rcx 20 | 0x1400d744f : add r8, rcx 21 | 0x1400d7452 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d7456 : lea r9, [r9+2] 23 | 0x1400d745a : mov dx, [r9] 24 | 0x1400d745e : xor dx, 0D45h 25 | 0x1400d7463 : movzx rdx, dx 26 | 0x1400d7467 : lea rdx, [r10+rdx] p_b = rdx 27 | 0x1400d746b : pushfq 28 | 0x1400d746c : mov rcx, [rsp+90h+var_90] 29 | 0x1400d7470 : lea rsp, [rsp+8] 30 | 0x1400d7475 : mov eax, [rdx] rf = *(PULONG32)p_b 31 | 0x1400d7477 : mov eax, eax 32 | 0x1400d7479 : jmp loc_1400D6831 33 | 0x1400d6833 : lea rsp, [rsp-8] 34 | 0x1400d6838 : mov [rsp+90h+var_90], rax 35 | 0x1400d683c : popfq 36 | 0x1400d683d : setz al al = rf.zf 37 | 0x1400d6840 : pushfq 38 | 0x1400d6841 : mov rbx, [rsp+90h+var_90] 39 | 0x1400d6845 : lea rsp, [rsp+8] 40 | 0x1400d684a : mov [rdx], ebx *(PULONG32)p_b = rf 41 | 0x1400d684c : jmp loc_1400D728F 42 | 
0x1400d7291 : lea rsp, [rsp-8] 43 | 0x1400d7296 : mov [rsp+90h+var_90], rcx 44 | 0x1400d729a : popfq 45 | 0x1400d729b : mov [r8], al *(PUCHAR)p_a = al 46 | 0x1400d729e : lea r9, [r9+2] 47 | 0x1400d72a8 : mov [rbp+8], r9 48 | 0x1400d72b2 : jmp loc_1400D7232 49 | 0x1400d7234 : mov r9, [rbp+8] 50 | 0x1400d7240 : jmp loc_1400D99D9 51 | 0x1400d99db : mov r8b, [r9] 52 | 0x1400d99de : xor r8b, 5Dh 53 | 0x1400d99e2 : mov rdx, 25E9ECA9BDE22AEAh 54 | 0x1400d99ec : not rdx 55 | 0x1400d99ef : lea rdx, [r9+rdx] 56 | 0x1400d99f3 : jmp loc_1400D86A6 57 | 0x1400d86a8 : mov r9, 0DA161356421DD513h 58 | 0x1400d86b2 : not r9 59 | 0x1400d86b5 : lea r9, [rdx+r9] 60 | 0x1400d86bf : mov [rbp+8], r9 61 | 0x1400d86c9 : movzx r8, r8b 62 | 0x1400d86cd : sub r8, 1 63 | 0x1400d86d1 : jmp loc_1400D7E10 64 | 0x1400d7e11 : cmp r8, 0C8h 65 | 0x1400d7e18 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 66 | -------------------------------------------------------------------------------- /handle_out/0x21.txt: -------------------------------------------------------------------------------- 1 | 0x21 p_a p_b 2 | 3 | 0x8BC8 4 | 5 | *(PLONG64)p_a = *(PLONG32)p_b;//保留符号位 6 | 7 | v_movsxd_iregll_iregl 8 | ---------------------------------------- 9 | 10 | 0x1400d6972 : mov r9, [rbp+8] 11 | 0x1400d697f : mov r8w, [r9] 12 | 0x1400d6983 : xor r8w, 8BC8h 13 | 0x1400d6989 : mov rdx, 8C15234FFD4B402Eh 14 | 0x1400d6993 : jmp loc_1400D90B8 15 | 0x1400d90ba : not rdx 16 | 0x1400d90bd : lea rdx, [r10+rdx] 17 | 0x1400d90c1 : movzx r8, r8w 18 | 0x1400d90c5 : mov rcx, 73EADCB002B4BFD0h 19 | 0x1400d90cf : not rcx 20 | 0x1400d90d2 : add r8, rcx 21 | 0x1400d90d5 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d90d9 : lea r9, [r9+2] 23 | 0x1400d90dd : mov dx, [r9] 24 | 0x1400d90e1 : jmp loc_1400DAA31 25 | 0x1400daa32 : 
xor dx, 8BC8h 26 | 0x1400daa37 : movzx rdx, dx 27 | 0x1400daa3b : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400daa3f : mov edx, [rdx] edx = *(PULONG32)p_b 29 | 0x1400daa41 : movsxd rdx, edx rdx = edx 30 | 0x1400daa4a : mov [r8], rdx *(PULONG64)p_a = rdx 31 | 0x1400daa53 : lea r9, [r9+2] 32 | 0x1400daa5a : jmp loc_1400DB319 33 | 0x1400db31c : mov [rbp+8], r9 34 | 0x1400db325 : jmp loc_1400D8FEC 35 | 0x1400d8fef : mov r9, [rbp+8] 36 | 0x1400d8ffc : mov r8b, [r9] 37 | 0x1400d8fff : xor r8b, 5Dh 38 | 0x1400d9003 : jmp loc_1400D6A7C 39 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 40 | 0x1400d6a87 : not rdx 41 | 0x1400d6a8a : lea rdx, [r9+rdx] 42 | 0x1400d6a8e : mov r9, 0FC30FF09BAE0574Dh 43 | 0x1400d6a98 : not r9 44 | 0x1400d6a9b : lea r9, [rdx+r9] 45 | 0x1400d6aa5 : mov [rbp+8], r9 46 | 0x1400d6aa9 : jmp loc_1400DB1EB 47 | 0x1400db1f3 : movzx r8, r8b 48 | 0x1400db1f7 : sub r8, 1 49 | 0x1400db1fb : cmp r8, 0C8h 50 | 0x1400db202 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 51 | -------------------------------------------------------------------------------- /handle_out/0x22.txt: -------------------------------------------------------------------------------- 1 | 0x22 p_a 2 | 3 | 0x77D7 4 | 5 | r8d = *(PULONG32)p_a; 6 | 7 | v_setR8d_iregl 8 | ---------------------------------------- 9 | 10 | 0x1400d71b6 : mov r9, [rbp+8] 11 | 0x1400d71c3 : mov r8w, [r9] 12 | 0x1400d71c7 : jmp loc_1400D639C 13 | 0x1400d639e : xor r8w, 77D7h 14 | 0x1400d63a4 : mov rdx, 6143A603500AEC8Ch 15 | 0x1400d63ae : not rdx 16 | 0x1400d63b1 : lea rdx, [r10+rdx] 17 | 0x1400d63b5 : jmp loc_1400D6DA0 18 | 0x1400d6da2 : movzx r8, r8w 19 | 0x1400d6da6 : mov rcx, 9EBC59FCAFF51372h 20 | 0x1400d6db0 : not rcx 21 | 0x1400d6db3 : add r8, rcx 22 | 0x1400d6db6 : lea r8, [rdx+r8] p_a = r8 23 | 
0x1400d6dba : mov r8d, [r8] r8d = *(PULONG32)p_a 24 | 0x1400d6dc1 : jmp loc_1400D8AC9 25 | 0x1400d8aca : lea r9, [r9+2] 26 | 0x1400d8ad4 : mov [rbp+8], r9 27 | 0x1400d8adb : jmp loc_1400D64A3 28 | 0x1400d64a7 : jmp loc_1400D5C1C 29 | 0x1400d5c1f : mov r9, [rbp+8] 30 | 0x1400d5c2c : mov r8b, [r9] 31 | 0x1400d5c2f : xor r8b, 5Dh 32 | 0x1400d5c33 : jmp loc_1400DABF2 33 | 0x1400dabf4 : mov rdx, 84063C9A3F77C111h 34 | 0x1400dabfe : not rdx 35 | 0x1400dac01 : lea rdx, [r9+rdx] 36 | 0x1400dac05 : mov r9, 7BF9C365C0883EECh 37 | 0x1400dac0f : not r9 38 | 0x1400dac12 : lea r9, [rdx+r9] 39 | 0x1400dac16 : jmp loc_1400D97BF 40 | 0x1400d97c6 : mov [rbp+8], r9 41 | 0x1400d97d0 : movzx r8, r8b 42 | 0x1400d97d4 : sub r8, 1 43 | 0x1400d97d8 : cmp r8, 0C8h 44 | 0x1400d97df : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 45 | -------------------------------------------------------------------------------- /handle_out/0x25.txt: -------------------------------------------------------------------------------- 1 | 0x25 p_a p_b 2 | 3 | 0xD8E4 4 | 5 | *(PLONG32)p_a = *(PCHAR)p_b;//保留符号位 6 | 7 | v_movsx_iregl_iregb 8 | ---------------------------------------- 9 | 10 | 0x1400d8f7e : mov r9, [rbp+8] 11 | 0x1400d8f8b : jmp loc_1400D7AB3 12 | 0x1400d7ab4 : mov r8w, [r9] 13 | 0x1400d7ab8 : xor r8w, 0D8E4h 14 | 0x1400d7abe : mov rdx, 0AE01E8EC1594B293h 15 | 0x1400d7ac8 : not rdx 16 | 0x1400d7acb : lea rdx, [r10+rdx] 17 | 0x1400d7acf : jmp loc_1400D6D12 18 | 0x1400d6d13 : movzx r8, r8w 19 | 0x1400d6d17 : mov rcx, 51FE1713EA6B4D6Bh 20 | 0x1400d6d21 : not rcx 21 | 0x1400d6d24 : add r8, rcx 22 | 0x1400d6d27 : lea r8, [rdx+r8] p_a = r8 23 | 0x1400d6d2b : lea r9, [r9+2] 24 | 0x1400d6d2f : jmp loc_1400D6316 25 | 0x1400d6318 : mov dx, [r9] 26 | 0x1400d631c : xor dx, 0D8E4h 27 | 0x1400d6321 
: movzx rdx, dx 28 | 0x1400d6325 : lea rdx, [r10+rdx] p_b = rdx 29 | 0x1400d6329 : mov dl, [rdx] dl = *(PCHAR)p_b 30 | 0x1400d632b : movsx edx, dl edx = dl 31 | 0x1400d632e : jmp loc_1400DA862 32 | 0x1400da864 : mov [r8], edx *(PLONG32)p_a = edx 33 | 0x1400da867 : lea r9, [r9+2] 34 | 0x1400da871 : mov [rbp+8], r9 35 | 0x1400da878 : jmp loc_1400D5D9C 36 | 0x1400d5da1 : jmp loc_1400D8FEC 37 | 0x1400d8fef : mov r9, [rbp+8] 38 | 0x1400d8ffc : mov r8b, [r9] 39 | 0x1400d8fff : xor r8b, 5Dh 40 | 0x1400d9003 : jmp loc_1400D6A7C 41 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 42 | 0x1400d6a87 : not rdx 43 | 0x1400d6a8a : lea rdx, [r9+rdx] 44 | 0x1400d6a8e : mov r9, 0FC30FF09BAE0574Dh 45 | 0x1400d6a98 : not r9 46 | 0x1400d6a9b : lea r9, [rdx+r9] 47 | 0x1400d6aa5 : mov [rbp+8], r9 48 | 0x1400d6aa9 : jmp loc_1400DB1EB 49 | 0x1400db1f3 : movzx r8, r8b 50 | 0x1400db1f7 : sub r8, 1 51 | 0x1400db1fb : cmp r8, 0C8h 52 | 0x1400db202 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 53 | -------------------------------------------------------------------------------- /handle_out/0x29.txt: -------------------------------------------------------------------------------- 1 | 0x29 p_a p_b 2 | 3 | 0xF10A 4 | 5 | *(PULONG32)p_a = *(PUSHORT)p_b; 6 | 7 | v_movzx_iregl_iregw 8 | ---------------------------------------- 9 | 10 | 0x1400d8b90 : mov r9, [rbp+8] 11 | 0x1400d8b9a : jmp loc_1400D5E7A 12 | 0x1400d5e7e : mov r8w, [r9] 13 | 0x1400d5e82 : xor r8w, 0F10Ah 14 | 0x1400d5e88 : mov rdx, 0C0814314E993C761h 15 | 0x1400d5e92 : not rdx 16 | 0x1400d5e95 : jmp loc_1400D8933 17 | 0x1400d8934 : lea rdx, [r10+rdx] 18 | 0x1400d8938 : movzx r8, r8w 19 | 0x1400d893c : mov rcx, 3F7EBCEB166C389Dh 20 | 0x1400d8946 : not rcx 21 | 0x1400d8949 : add r8, rcx 22 | 0x1400d894c : lea r8, [rdx+r8] p_a = 
r8 23 | 0x1400d8950 : lea r9, [r9+2] 24 | 0x1400d8954 : mov dx, [r9] 25 | 0x1400d8958 : jmp loc_1400D8BAF 26 | 0x1400d8bb0 : xor dx, 0F10Ah 27 | 0x1400d8bb5 : movzx rdx, dx 28 | 0x1400d8bb9 : lea rdx, [r10+rdx] p_b = rdx 29 | 0x1400d8bbd : mov dx, [rdx] dx = *(PUSHORT)p_b 30 | 0x1400d8bc0 : movzx edx, dx edx = dx 31 | 0x1400d8bc3 : mov [r8], edx *(PULONG32)p_a = edx 32 | 0x1400d8bc6 : lea r9, [r9+2] 33 | 0x1400d8bcf : jmp loc_1400D9316 34 | 0x1400d9318 : mov [rbp+8], r9 35 | 0x1400d9321 : jmp loc_1400DAC79 36 | 0x1400dac7c : mov r9, [rbp+8] 37 | 0x1400dac89 : mov r8b, [r9] 38 | 0x1400dac8c : xor r8b, 5Dh 39 | 0x1400dac90 : mov rdx, 0D3676A56DAFF3C65h 40 | 0x1400dac9a : jmp loc_1400D7763 41 | 0x1400d7764 : not rdx 42 | 0x1400d7767 : lea rdx, [r9+rdx] 43 | 0x1400d776b : mov r9, 2C9895A92500C398h 44 | 0x1400d7775 : not r9 45 | 0x1400d7778 : lea r9, [rdx+r9] 46 | 0x1400d777f : jmp loc_1400D5B91 47 | 0x1400d5b95 : mov [rbp+8], r9 48 | 0x1400d5b9e : movzx r8, r8b 49 | 0x1400d5ba2 : sub r8, 1; switch 200 cases 50 | 0x1400d5ba6 : jmp loc_1400D98A8 51 | 0x1400d98aa : cmp r8, 0C8h 52 | 0x1400d98b1 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 53 | -------------------------------------------------------------------------------- /handle_out/0x2b.txt: -------------------------------------------------------------------------------- 1 | 0x2b p_a p_b 2 | 3 | 0xBF3E 4 | 5 | *(PULONG64)p_a = *(PULONG32)p_b; 6 | 7 | v_mov_iregll_iregl 8 | ---------------------------------------- 9 | 10 | 0x1400d7d3c : mov r9, [rbp+8] 11 | 0x1400d7d49 : mov r8w, [r9] 12 | 0x1400d7d4d : xor r8w, 0BF3Eh 13 | 0x1400d7d53 : mov rdx, 0B33288B06105E730h 14 | 0x1400d7d5d : jmp loc_1400D8969 15 | 0x1400d896b : not rdx 16 | 0x1400d896e : lea rdx, [r10+rdx] 17 | 0x1400d8972 : movzx r8, r8w 18 | 
0x1400d8976 : mov rcx, 4CCD774F9EFA18CEh 19 | 0x1400d8980 : not rcx 20 | 0x1400d8983 : add r8, rcx 21 | 0x1400d8986 : jmp loc_1400D7BEC 22 | 0x1400d7bee : lea r8, [rdx+r8] p_a = r8 23 | 0x1400d7bf2 : lea r9, [r9+2] 24 | 0x1400d7bf6 : mov dx, [r9] 25 | 0x1400d7bfa : xor dx, 0BF3Eh 26 | 0x1400d7bff : movzx rdx, dx 27 | 0x1400d7c03 : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400d7c07 : jmp loc_1400D8F55 29 | 0x1400d8f57 : mov edx, [rdx] edx = *(PULONG32)p_b 30 | 0x1400d8f59 : mov edx, edx 31 | 0x1400d8f61 : mov [r8], rdx *(PULONG64)p_a = rdx 32 | 0x1400d8f6a : jmp loc_1400D9679 33 | 0x1400d967a : lea r9, [r9+2] 34 | 0x1400d9684 : mov [rbp+8], r9 35 | 0x1400d968e : jmp loc_1400DAC79 36 | 0x1400dac7c : mov r9, [rbp+8] 37 | 0x1400dac89 : mov r8b, [r9] 38 | 0x1400dac8c : xor r8b, 5Dh 39 | 0x1400dac90 : mov rdx, 0D3676A56DAFF3C65h 40 | 0x1400dac9a : jmp loc_1400D7763 41 | 0x1400d7764 : not rdx 42 | 0x1400d7767 : lea rdx, [r9+rdx] 43 | 0x1400d776b : mov r9, 2C9895A92500C398h 44 | 0x1400d7775 : not r9 45 | 0x1400d7778 : lea r9, [rdx+r9] 46 | 0x1400d777f : jmp loc_1400D5B91 47 | 0x1400d5b95 : mov [rbp+8], r9 48 | 0x1400d5b9e : movzx r8, r8b 49 | 0x1400d5ba2 : sub r8, 1; switch 200 cases 50 | 0x1400d5ba6 : jmp loc_1400D98A8 51 | 0x1400d98aa : cmp r8, 0C8h 52 | 0x1400d98b1 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 53 | -------------------------------------------------------------------------------- /handle_out/0x2f.txt: -------------------------------------------------------------------------------- 1 | 0x2f p_a p_b 2 | 3 | 0x7EE9 4 | 5 | *(PULONG32)p_a = *(PUCHAR)p_b; 6 | 7 | v_movzx_iregl_iregb 8 | ---------------------------------------- 9 | 10 | 0x1400dad2e : mov r9, [rbp+8] 11 | 0x1400dad37 : jmp loc_1400D64E8 12 | 0x1400d64ed : mov r8w, [r9] 13 | 
0x1400d64f1 : xor r8w, 7EE9h 14 | 0x1400d64f7 : mov rdx, 0FBA4E355398C2C5h 15 | 0x1400d6501 : not rdx 16 | 0x1400d6504 : lea rdx, [r10+rdx] 17 | 0x1400d6508 : movzx r8, r8w 18 | 0x1400d650c : mov rcx, 0F045B1CAAC673D39h 19 | 0x1400d6516 : jmp loc_1400D6ABC 20 | 0x1400d6abe : not rcx 21 | 0x1400d6ac1 : add r8, rcx 22 | 0x1400d6ac4 : lea r8, [rdx+r8] p_a = r8 23 | 0x1400d6ac8 : lea r9, [r9+2] 24 | 0x1400d6acc : mov dx, [r9] 25 | 0x1400d6ad0 : xor dx, 7EE9h 26 | 0x1400d6ad5 : jmp loc_1400DA129 27 | 0x1400da12b : movzx rdx, dx 28 | 0x1400da12f : lea rdx, [r10+rdx] p_b = rdx 29 | 0x1400da133 : mov dl, [rdx] dl = *(PUCHAR)p_b 30 | 0x1400da135 : movzx edx, dl edx = dl 31 | 0x1400da138 : mov [r8], edx *(PULONG32)p_a = edx 32 | 0x1400da13b : lea r9, [r9+2] 33 | 0x1400da145 : mov [rbp+8], r9 34 | 0x1400da149 : jmp loc_1400D5EDA 35 | 0x1400d5ee2 : jmp loc_1400D7232 36 | 0x1400d7234 : mov r9, [rbp+8] 37 | 0x1400d7240 : jmp loc_1400D99D9 38 | 0x1400d99db : mov r8b, [r9] 39 | 0x1400d99de : xor r8b, 5Dh 40 | 0x1400d99e2 : mov rdx, 25E9ECA9BDE22AEAh 41 | 0x1400d99ec : not rdx 42 | 0x1400d99ef : lea rdx, [r9+rdx] 43 | 0x1400d99f3 : jmp loc_1400D86A6 44 | 0x1400d86a8 : mov r9, 0DA161356421DD513h 45 | 0x1400d86b2 : not r9 46 | 0x1400d86b5 : lea r9, [rdx+r9] 47 | 0x1400d86bf : mov [rbp+8], r9 48 | 0x1400d86c9 : movzx r8, r8b 49 | 0x1400d86cd : sub r8, 1 50 | 0x1400d86d1 : jmp loc_1400D7E10 51 | 0x1400d7e11 : cmp r8, 0C8h 52 | 0x1400d7e18 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 53 | -------------------------------------------------------------------------------- /handle_out/0x40.txt: -------------------------------------------------------------------------------- 1 | 0x40 p_a p_b 2 | 3 | 0xE304 4 | 5 | *(*(PUCHAR *)p_a) = *(PUCHAR)p_b; 6 | 7 | v_mov_ipreg_iregb 8 | 
---------------------------------------- 9 | 10 | 0x1400daf93 : mov r9, [rbp+8] 11 | 0x1400dafa0 : mov r8w, [r9] 12 | 0x1400dafa4 : xor r8w, 0E304h 13 | 0x1400dafaa : mov rdx, 500313C7B0A12312h 14 | 0x1400dafb4 : not rdx 15 | 0x1400dafb7 : jmp loc_1400D9E2C 16 | 0x1400d9e2e : lea rdx, [r10+rdx] 17 | 0x1400d9e32 : movzx r8, r8w 18 | 0x1400d9e36 : mov rcx, 0AFFCEC384F5EDCECh 19 | 0x1400d9e40 : not rcx 20 | 0x1400d9e43 : add r8, rcx 21 | 0x1400d9e46 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d9e4a : jmp loc_1400D8080 23 | 0x1400d8082 : mov r8, [r8] r8 = *(PULONG64)p_a 24 | 0x1400d8085 : lea r9, [r9+2] 25 | 0x1400d8089 : mov dx, [r9] 26 | 0x1400d808d : xor dx, 0E304h 27 | 0x1400d8092 : movzx rdx, dx 28 | 0x1400d8096 : lea rdx, [r10+rdx] p_b = rdx 29 | 0x1400d809a : mov dl, [rdx] dl = *(PUCHAR)p_b 30 | 0x1400d809c : mov [r8], dl *(PUCHAR)r8 = dl 31 | 0x1400d809f : lea r9, [r9+2] 32 | 0x1400d80a6 : jmp loc_1400DB18F 33 | 0x1400db194 : mov [rbp+8], r9 34 | 0x1400db19e : jmp loc_1400D8FEC 35 | 0x1400d8fef : mov r9, [rbp+8] 36 | 0x1400d8ffc : mov r8b, [r9] 37 | 0x1400d8fff : xor r8b, 5Dh 38 | 0x1400d9003 : jmp loc_1400D6A7C 39 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 40 | 0x1400d6a87 : not rdx 41 | 0x1400d6a8a : lea rdx, [r9+rdx] 42 | 0x1400d6a8e : mov r9, 0FC30FF09BAE0574Dh 43 | 0x1400d6a98 : not r9 44 | 0x1400d6a9b : lea r9, [rdx+r9] 45 | 0x1400d6aa5 : mov [rbp+8], r9 46 | 0x1400d6aa9 : jmp loc_1400DB1EB 47 | 0x1400db1f3 : movzx r8, r8b 48 | 0x1400db1f7 : sub r8, 1 49 | 0x1400db1fb : cmp r8, 0C8h 50 | 0x1400db202 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 51 | -------------------------------------------------------------------------------- /handle_out/0x41.txt: -------------------------------------------------------------------------------- 1 | 0x41 p_a 
p_b 2 | 3 | 0xE229 4 | 5 | *(PULONG64)p_a = *(*(PULONG64*)p_b); 6 | 7 | v_mov_iregll_ipreg 8 | ---------------------------------------- 9 | 10 | 0x1400d995d : mov r9, [rbp+8] 11 | 0x1400d996a : jmp loc_1400D8514 12 | 0x1400d8515 : mov r8w, [r9] 13 | 0x1400d8519 : xor r8w, 0E229h 14 | 0x1400d851f : mov rdx, 3C222BAB66A73844h 15 | 0x1400d8529 : not rdx 16 | 0x1400d852c : lea rdx, [r10+rdx] 17 | 0x1400d8530 : movzx r8, r8w 18 | 0x1400d8534 : mov rcx, 0C3DDD4549958C7BAh 19 | 0x1400d853e : not rcx 20 | 0x1400d8541 : add r8, rcx 21 | 0x1400d8544 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d8548 : lea r9, [r9+2] 23 | 0x1400d854c : mov dx, [r9] 24 | 0x1400d8550 : jmp loc_1400D5DE0 25 | 0x1400d5de1 : xor dx, 0E229h 26 | 0x1400d5de6 : movzx rdx, dx 27 | 0x1400d5dea : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400d5dee : mov rdx, [rdx] rdx = *(PULONG64)p_b 29 | 0x1400d5df1 : mov rdx, [rdx] rdx = *(PULONG64)rdx 30 | 0x1400d5df9 : mov [r8], rdx *(PULONG64)p_a = rdx 31 | 0x1400d5dff : jmp loc_1400D9925 32 | 0x1400d9928 : lea r9, [r9+2] 33 | 0x1400d9932 : mov [rbp+8], r9 34 | 0x1400d993c : jmp loc_1400DB479 35 | 0x1400db47b : jmp loc_1400D7232 36 | 0x1400d7234 : mov r9, [rbp+8] 37 | 0x1400d7240 : jmp loc_1400D99D9 38 | 0x1400d99db : mov r8b, [r9] 39 | 0x1400d99de : xor r8b, 5Dh 40 | 0x1400d99e2 : mov rdx, 25E9ECA9BDE22AEAh 41 | 0x1400d99ec : not rdx 42 | 0x1400d99ef : lea rdx, [r9+rdx] 43 | 0x1400d99f3 : jmp loc_1400D86A6 44 | 0x1400d86a8 : mov r9, 0DA161356421DD513h 45 | 0x1400d86b2 : not r9 46 | 0x1400d86b5 : lea r9, [rdx+r9] 47 | 0x1400d86bf : mov [rbp+8], r9 48 | 0x1400d86c9 : movzx r8, r8b 49 | 0x1400d86cd : sub r8, 1 50 | 0x1400d86d1 : jmp loc_1400D7E10 51 | 0x1400d7e11 : cmp r8, 0C8h 52 | 0x1400d7e18 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 53 | 
-------------------------------------------------------------------------------- /handle_out/0x42.txt: -------------------------------------------------------------------------------- 1 | 0x42 p_a p_b 2 | 3 | 0x5431 4 | 5 | *(*(PULONG32 *)p_a) = *(PULONG32)p_b; 6 | 7 | v_mov_ipreg_iregl 8 | ---------------------------------------- 9 | 10 | 0x1400d5e13 : mov r9, [rbp+8] 11 | 0x1400d5e1d : jmp loc_1400D61C2 12 | 0x1400d61c7 : mov r8w, [r9] 13 | 0x1400d61cb : xor r8w, 5431h 14 | 0x1400d61d1 : mov rdx, 34F937D918C6A29Ch 15 | 0x1400d61db : not rdx 16 | 0x1400d61de : lea rdx, [r10+rdx] 17 | 0x1400d61e2 : movzx r8, r8w 18 | 0x1400d61e6 : mov rcx, 0CB06C826E7395D62h 19 | 0x1400d61f0 : not rcx 20 | 0x1400d61f3 : add r8, rcx 21 | 0x1400d61f6 : jmp loc_1400D8848 22 | 0x1400d884a : lea r8, [rdx+r8] p_a = r8 23 | 0x1400d884e : mov r8, [r8] r8 = *(PULONG64)p_a 24 | 0x1400d8851 : lea r9, [r9+2] 25 | 0x1400d8855 : mov dx, [r9] 26 | 0x1400d8859 : xor dx, 5431h 27 | 0x1400d885e : movzx rdx, dx 28 | 0x1400d8862 : lea rdx, [r10+rdx] p_b = rdx 29 | 0x1400d8866 : mov edx, [rdx] edx = *(PULONG32)p_b 30 | 0x1400d8868 : mov [r8], edx *(PULONG32)r8 = edx 31 | 0x1400d886b : lea r9, [r9+2] 32 | 0x1400d886f : jmp loc_1400DB25E 33 | 0x1400db266 : mov [rbp+8], r9 34 | 0x1400db270 : jmp loc_1400D7232 35 | 0x1400d7234 : mov r9, [rbp+8] 36 | 0x1400d7240 : jmp loc_1400D99D9 37 | 0x1400d99db : mov r8b, [r9] 38 | 0x1400d99de : xor r8b, 5Dh 39 | 0x1400d99e2 : mov rdx, 25E9ECA9BDE22AEAh 40 | 0x1400d99ec : not rdx 41 | 0x1400d99ef : lea rdx, [r9+rdx] 42 | 0x1400d99f3 : jmp loc_1400D86A6 43 | 0x1400d86a8 : mov r9, 0DA161356421DD513h 44 | 0x1400d86b2 : not r9 45 | 0x1400d86b5 : lea r9, [rdx+r9] 46 | 0x1400d86bf : mov [rbp+8], r9 47 | 0x1400d86c9 : movzx r8, r8b 48 | 0x1400d86cd : sub r8, 1 49 | 0x1400d86d1 : jmp loc_1400D7E10 50 | 0x1400d7e11 : cmp r8, 0C8h 51 | 0x1400d7e18 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 
1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 52 | -------------------------------------------------------------------------------- /handle_out/0x43.txt: -------------------------------------------------------------------------------- 1 | 0x43 p_a p_b 2 | 3 | 0x02CB 4 | 5 | *(*(PUSHORT *)p_a) = *(PUSHORT)p_b; 6 | 7 | v_mov_ipreg_iregw 8 | ---------------------------------------- 9 | 10 | 0x1400d7a8d : mov r9, [rbp+8] 11 | 0x1400d7a9a : mov r8w, [r9] 12 | 0x1400d7a9e : jmp loc_1400D67BA 13 | 0x1400d67bb : xor r8w, 2CBh 14 | 0x1400d67c1 : mov rdx, 77611939BCE0BFFh 15 | 0x1400d67cb : not rdx 16 | 0x1400d67ce : lea rdx, [r10+rdx] 17 | 0x1400d67d2 : movzx r8, r8w 18 | 0x1400d67d6 : mov rcx, 0F889EE6C6431F3FFh 19 | 0x1400d67e0 : not rcx 20 | 0x1400d67e3 : add r8, rcx 21 | 0x1400d67e6 : jmp loc_1400D8A39 22 | 0x1400d8a3a : lea r8, [rdx+r8] p_a = r8 23 | 0x1400d8a3e : mov r8, [r8] r8 = *(PULONG64)p_a 24 | 0x1400d8a41 : lea r9, [r9+2] 25 | 0x1400d8a45 : mov dx, [r9] 26 | 0x1400d8a49 : xor dx, 2CBh 27 | 0x1400d8a4e : movzx rdx, dx 28 | 0x1400d8a52 : lea rdx, [r10+rdx] p_b = rdx 29 | 0x1400d8a56 : mov dx, [rdx] dx = *(PUSHORT)p_b 30 | 0x1400d8a59 : mov [r8], dx *(PUSHORT)r8 = dx 31 | 0x1400d8a5d : jmp loc_1400DB02B 32 | 0x1400db02c : lea r9, [r9+2] 33 | 0x1400db036 : mov [rbp+8], r9 34 | 0x1400db03d : jmp loc_1400D670C 35 | 0x1400d6711 : jmp loc_1400D5C1C 36 | 0x1400d5c1f : mov r9, [rbp+8] 37 | 0x1400d5c2c : mov r8b, [r9] 38 | 0x1400d5c2f : xor r8b, 5Dh 39 | 0x1400d5c33 : jmp loc_1400DABF2 40 | 0x1400dabf4 : mov rdx, 84063C9A3F77C111h 41 | 0x1400dabfe : not rdx 42 | 0x1400dac01 : lea rdx, [r9+rdx] 43 | 0x1400dac05 : mov r9, 7BF9C365C0883EECh 44 | 0x1400dac0f : not r9 45 | 0x1400dac12 : lea r9, [rdx+r9] 46 | 0x1400dac16 : jmp loc_1400D97BF 47 | 0x1400d97c6 : mov [rbp+8], r9 48 | 0x1400d97d0 : movzx r8, r8b 49 | 0x1400d97d4 : 
sub r8, 1 50 | 0x1400d97d8 : cmp r8, 0C8h 51 | 0x1400d97df : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 52 | -------------------------------------------------------------------------------- /handle_out/0x44.txt: -------------------------------------------------------------------------------- 1 | 0x44 2 | 3 | 0xBE8C 4 | 5 | *(PUCHAR)p_a = *(*(PUCHAR*)p_b); 6 | 7 | v_mov_iregb_ipreg 8 | ---------------------------------------- 9 | 10 | 0x1400dae54 : mov r9, [rbp+8] 11 | 0x1400dae61 : mov r8w, [r9] 12 | 0x1400dae65 : xor r8w, 0BE8Ch 13 | 0x1400dae6b : mov rdx, 0C0E4EED722FFA06Ch 14 | 0x1400dae75 : jmp loc_1400D98E4 15 | 0x1400d98e6 : not rdx 16 | 0x1400d98e9 : lea rdx, [r10+rdx] 17 | 0x1400d98ed : movzx r8, r8w 18 | 0x1400d98f1 : mov rcx, 3F1B1128DD005F92h 19 | 0x1400d98fb : not rcx 20 | 0x1400d98fe : add r8, rcx 21 | 0x1400d9901 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d9905 : lea r9, [r9+2] 23 | 0x1400d9909 : mov dx, [r9] 24 | 0x1400d990d : jmp loc_1400DB22B 25 | 0x1400db22d : xor dx, 0BE8Ch 26 | 0x1400db232 : movzx rdx, dx 27 | 0x1400db236 : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400db23a : mov rdx, [rdx] rdx = *(PULONG64)p_b 29 | 0x1400db23d : mov dl, [rdx] dl = *(PUCHAR)rdx 30 | 0x1400db23f : mov [r8], dl *(PUCHAR)p_a = dl 31 | 0x1400db242 : lea r9, [r9+2] 32 | 0x1400db246 : jmp loc_1400D9E15 33 | 0x1400d9e1d : mov [rbp+8], r9 34 | 0x1400d9e27 : jmp loc_1400D8FEC 35 | 0x1400d8fef : mov r9, [rbp+8] 36 | 0x1400d8ffc : mov r8b, [r9] 37 | 0x1400d8fff : xor r8b, 5Dh 38 | 0x1400d9003 : jmp loc_1400D6A7C 39 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 40 | 0x1400d6a87 : not rdx 41 | 0x1400d6a8a : lea rdx, [r9+rdx] 42 | 0x1400d6a8e : mov r9, 0FC30FF09BAE0574Dh 43 | 0x1400d6a98 : not r9 44 | 0x1400d6a9b : lea r9, [rdx+r9] 45 | 0x1400d6aa5 : mov [rbp+8], r9 46 | 
0x1400d6aa9 : jmp loc_1400DB1EB 47 | 0x1400db1f3 : movzx r8, r8b 48 | 0x1400db1f7 : sub r8, 1 49 | 0x1400db1fb : cmp r8, 0C8h 50 | 0x1400db202 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 51 | -------------------------------------------------------------------------------- /handle_out/0x45.txt: -------------------------------------------------------------------------------- 1 | 0x45 p_a p_b 2 | 3 | 0x58FB 4 | 5 | *(PULONG64)p_a= *(PULONG64)p_b; 6 | 7 | v_mov_iregll_iregll 8 | ---------------------------------------- 9 | 10 | 0x1400db0fc : mov r9, [rbp+8] 11 | 0x1400db109 : mov r8w, [r9] 12 | 0x1400db10d : xor r8w, 58FBh 13 | 0x1400db113 : jmp loc_1400D9A4B 14 | 0x1400d9a4c : mov rdx, 4C66F1B30B59DAD8h 15 | 0x1400d9a56 : not rdx 16 | 0x1400d9a59 : lea rdx, [r10+rdx] 17 | 0x1400d9a5d : movzx r8, r8w 18 | 0x1400d9a61 : mov rcx, 0B3990E4CF4A62526h 19 | 0x1400d9a6b : not rcx 20 | 0x1400d9a6e : add r8, rcx 21 | 0x1400d9a71 : jmp loc_1400DA3A9 22 | 0x1400da3aa : lea r8, [rdx+r8] 23 | 0x1400da3ae : lea r9, [r9+2] 24 | 0x1400da3b2 : mov dx, [r9] 25 | 0x1400da3b6 : xor dx, 58FBh 26 | 0x1400da3bb : movzx rdx, dx 27 | 0x1400da3bf : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400da3c3 : mov rdx, [rdx] rdx = *(PULONG64)p_b 29 | 0x1400da3cc : mov [r8], rdx 30 | 0x1400da3d2 : jmp loc_1400DAA70 31 | 0x1400daa75 : lea r9, [r9+2] 32 | 0x1400daa7f : mov [rbp+8], r9 33 | 0x1400daa89 : jmp loc_1400D5C1C 34 | 0x1400d5c1f : mov r9, [rbp+8] 35 | 0x1400d5c2c : mov r8b, [r9] 36 | 0x1400d5c2f : xor r8b, 5Dh 37 | 0x1400d5c33 : jmp loc_1400DABF2 38 | 0x1400dabf4 : mov rdx, 84063C9A3F77C111h 39 | 0x1400dabfe : not rdx 40 | 0x1400dac01 : lea rdx, [r9+rdx] 41 | 0x1400dac05 : mov r9, 7BF9C365C0883EECh 42 | 0x1400dac0f : not r9 43 | 0x1400dac12 : lea r9, [rdx+r9] 44 | 0x1400dac16 : jmp 
loc_1400D97BF 45 | 0x1400d97c6 : mov [rbp+8], r9 46 | 0x1400d97d0 : movzx r8, r8b 47 | 0x1400d97d4 : sub r8, 1 48 | 0x1400d97d8 : cmp r8, 0C8h 49 | 0x1400d97df : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 50 | -------------------------------------------------------------------------------- /handle_out/0x46.txt: -------------------------------------------------------------------------------- 1 | 0x46 p_a p_b 2 | 3 | 0x10BC 4 | 5 | *(PULONG32)p_a = *(*(PULONG32*)p_b); 6 | 7 | v_mov_iregl_ipreg 8 | ---------------------------------------- 9 | 10 | 0x1400d946d : mov r9, [rbp+8] 11 | 0x1400d9479 : mov r8w, [r9] 12 | 0x1400d947d : jmp loc_1400DB1A3 13 | 0x1400db1a5 : xor r8w, 10BCh 14 | 0x1400db1ab : mov rdx, 891D4EB909F49CBAh 15 | 0x1400db1b5 : not rdx 16 | 0x1400db1b8 : lea rdx, [r10+rdx] 17 | 0x1400db1bc : movzx r8, r8w 18 | 0x1400db1c0 : mov rcx, 76E2B146F60B6344h 19 | 0x1400db1ca : not rcx 20 | 0x1400db1cd : add r8, rcx 21 | 0x1400db1d0 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400db1d4 : lea r9, [r9+2] 23 | 0x1400db1d8 : jmp loc_1400D9D36 24 | 0x1400d9d38 : mov dx, [r9] 25 | 0x1400d9d3c : xor dx, 10BCh 26 | 0x1400d9d41 : movzx rdx, dx 27 | 0x1400d9d45 : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400d9d49 : mov rdx, [rdx] rdx = *(PULONG64)p_b 29 | 0x1400d9d4c : mov edx, [rdx] edx = *(PULONG32)rdx 30 | 0x1400d9d4e : mov [r8], edx *(PULONG32)p_a = edx 31 | 0x1400d9d51 : lea r9, [r9+2] 32 | 0x1400d9d58 : jmp loc_1400D67A6 33 | 0x1400d67ab : mov [rbp+8], r9 34 | 0x1400d67b5 : jmp loc_1400D8FEC 35 | 0x1400d8fef : mov r9, [rbp+8] 36 | 0x1400d8ffc : mov r8b, [r9] 37 | 0x1400d8fff : xor r8b, 5Dh 38 | 0x1400d9003 : jmp loc_1400D6A7C 39 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 40 | 0x1400d6a87 : not rdx 41 | 0x1400d6a8a : lea rdx, [r9+rdx] 42 | 0x1400d6a8e : mov r9, 
0FC30FF09BAE0574Dh 43 | 0x1400d6a98 : not r9 44 | 0x1400d6a9b : lea r9, [rdx+r9] 45 | 0x1400d6aa5 : mov [rbp+8], r9 46 | 0x1400d6aa9 : jmp loc_1400DB1EB 47 | 0x1400db1f3 : movzx r8, r8b 48 | 0x1400db1f7 : sub r8, 1 49 | 0x1400db1fb : cmp r8, 0C8h 50 | 0x1400db202 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 51 | -------------------------------------------------------------------------------- /handle_out/0x47.txt: -------------------------------------------------------------------------------- 1 | 0x47 p_a p_b 2 | 3 | 0x6F62 4 | 5 | *(PUSHORT)p_a = *(*(PUSHORT *)p_b); 6 | 7 | v_mov_iregw_ipreg 8 | ---------------------------------------- 9 | 10 | 0x1400d8be5 : mov r9, [rbp+8] 11 | 0x1400d8bf2 : mov r8w, [r9] 12 | 0x1400d8bf6 : jmp loc_1400DB39C 13 | 0x1400db39d : xor r8w, 6F62h 14 | 0x1400db3a3 : mov rdx, 74049A61DDC0AB9h 15 | 0x1400db3ad : not rdx 16 | 0x1400db3b0 : lea rdx, [r10+rdx] 17 | 0x1400db3b4 : movzx r8, r8w 18 | 0x1400db3b8 : mov rcx, 0F8BFB659E223F545h 19 | 0x1400db3c2 : jmp loc_1400D8A97 20 | 0x1400d8a98 : not rcx 21 | 0x1400d8a9b : add r8, rcx 22 | 0x1400d8a9e : lea r8, [rdx+r8] 23 | 0x1400d8aa2 : lea r9, [r9+2] 24 | 0x1400d8aa6 : mov dx, [r9] 25 | 0x1400d8aaa : xor dx, 6F62h 26 | 0x1400d8aaf : movzx rdx, dx 27 | 0x1400d8ab3 : jmp loc_1400D7574 28 | 0x1400d7575 : lea rdx, [r10+rdx] 29 | 0x1400d7579 : mov rdx, [rdx] 30 | 0x1400d757c : mov dx, [rdx] USHORT 31 | 0x1400d757f : mov [r8], dx 32 | 0x1400d7583 : lea r9, [r9+2] 33 | 0x1400d758a : jmp loc_1400DAD4A 34 | 0x1400dad4f : mov [rbp+8], r9 35 | 0x1400dad59 : jmp loc_1400DAC79 36 | 0x1400dac7c : mov r9, [rbp+8] 37 | 0x1400dac89 : mov r8b, [r9] 38 | 0x1400dac8c : xor r8b, 5Dh 39 | 0x1400dac90 : mov rdx, 0D3676A56DAFF3C65h 40 | 0x1400dac9a : jmp loc_1400D7763 41 | 0x1400d7764 : not rdx 
42 | 0x1400d7767 : lea rdx, [r9+rdx] 43 | 0x1400d776b : mov r9, 2C9895A92500C398h 44 | 0x1400d7775 : not r9 45 | 0x1400d7778 : lea r9, [rdx+r9] 46 | 0x1400d777f : jmp loc_1400D5B91 47 | 0x1400d5b95 : mov [rbp+8], r9 48 | 0x1400d5b9e : movzx r8, r8b 49 | 0x1400d5ba2 : sub r8, 1; switch 200 cases 50 | 0x1400d5ba6 : jmp loc_1400D98A8 51 | 0x1400d98aa : cmp r8, 0C8h 52 | 0x1400d98b1 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 53 | -------------------------------------------------------------------------------- /handle_out/0x48.txt: -------------------------------------------------------------------------------- 1 | 0x48 p_a p_b 2 | 3 | 0xCFFE 4 | 5 | *(PUCHAR)p_a = *(PUCHAR)p_b; 6 | 7 | v_mov_iregb_iregb 8 | ---------------------------------------- 9 | 10 | 0x1400d7175 : mov r9, [rbp+8] 11 | 0x1400d7182 : mov r8w, [r9] 12 | 0x1400d7186 : xor r8w, 0CFFEh 13 | 0x1400d718c : jmp loc_1400D661D 14 | 0x1400d661f : mov rdx, 0D75B76B18EB79949h 15 | 0x1400d6629 : not rdx 16 | 0x1400d662c : lea rdx, [r10+rdx] 17 | 0x1400d6630 : movzx r8, r8w 18 | 0x1400d6634 : mov rcx, 28A4894E714866B5h 19 | 0x1400d663e : not rcx 20 | 0x1400d6641 : jmp loc_1400D9414 21 | 0x1400d9416 : add r8, rcx 22 | 0x1400d9419 : lea r8, [rdx+r8] p_a = r8 23 | 0x1400d941d : lea r9, [r9+2] 24 | 0x1400d9421 : mov dx, [r9] 25 | 0x1400d9425 : xor dx, 0CFFEh 26 | 0x1400d942a : movzx rdx, dx 27 | 0x1400d942e : jmp loc_1400D753A 28 | 0x1400d753c : lea rdx, [r10+rdx] p_b = rdx 29 | 0x1400d7540 : mov dl, [rdx] dl = *(PUCHAR)p_b 30 | 0x1400d7542 : mov [r8], dl *(PUCHAR)p_a = dl 31 | 0x1400d7545 : lea r9, [r9+2] 32 | 0x1400d754f : jmp loc_1400D81FD 33 | 0x1400d81fe : mov [rbp+8], r9 34 | 0x1400d8208 : jmp loc_1400DAC79 35 | 0x1400dac7c : mov r9, [rbp+8] 36 | 0x1400dac89 : mov r8b, [r9] 37 | 0x1400dac8c 
: xor r8b, 5Dh 38 | 0x1400dac90 : mov rdx, 0D3676A56DAFF3C65h 39 | 0x1400dac9a : jmp loc_1400D7763 40 | 0x1400d7764 : not rdx 41 | 0x1400d7767 : lea rdx, [r9+rdx] 42 | 0x1400d776b : mov r9, 2C9895A92500C398h 43 | 0x1400d7775 : not r9 44 | 0x1400d7778 : lea r9, [rdx+r9] 45 | 0x1400d777f : jmp loc_1400D5B91 46 | 0x1400d5b95 : mov [rbp+8], r9 47 | 0x1400d5b9e : movzx r8, r8b 48 | 0x1400d5ba2 : sub r8, 1; switch 200 cases 49 | 0x1400d5ba6 : jmp loc_1400D98A8 50 | 0x1400d98aa : cmp r8, 0C8h 51 | 0x1400d98b1 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 52 | -------------------------------------------------------------------------------- /handle_out/0x4a.txt: -------------------------------------------------------------------------------- 1 | 0x4a p_a p_b 2 | 3 | 0x564B 4 | 5 | *(PULONG32)p_a = *(PULONG32)p_b; 6 | 7 | v_mov_iregl_iregl 8 | ---------------------------------------- 9 | 10 | 0x1400daa91 : mov r9, [rbp+8] 11 | 0x1400daa9e : mov r8w, [r9] 12 | 0x1400daaa2 : xor r8w, 564Bh 13 | 0x1400daaa8 : mov rdx, 62D411B1FE8436E7h 14 | 0x1400daab2 : jmp loc_1400D9495 15 | 0x1400d9497 : not rdx 16 | 0x1400d949a : lea rdx, [r10+rdx] 17 | 0x1400d949e : movzx r8, r8w 18 | 0x1400d94a2 : mov rcx, 9D2BEE4E017BC917h 19 | 0x1400d94ac : not rcx 20 | 0x1400d94af : jmp loc_1400D6BAC 21 | 0x1400d6bae : add r8, rcx 22 | 0x1400d6bb1 : lea r8, [rdx+r8] p_a = r8 23 | 0x1400d6bb5 : lea r9, [r9+2] 24 | 0x1400d6bb9 : mov dx, [r9] 25 | 0x1400d6bbd : xor dx, 564Bh 26 | 0x1400d6bc2 : movzx rdx, dx 27 | 0x1400d6bc6 : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400d6bca : mov edx, [rdx] edx = *(PULONG32)p_b 29 | 0x1400d6bcc : mov [r8], edx *(PULONG32)p_a = edx 30 | 0x1400d6bcf : jmp loc_1400D90F2 31 | 0x1400d90f4 : lea r9, [r9+2] 32 | 0x1400d90fd : mov [rbp+8], r9 33 | 0x1400d9104 : jmp 
loc_1400DA799 34 | 0x1400da79c : jmp loc_1400D5C1C 35 | 0x1400d5c1f : mov r9, [rbp+8] 36 | 0x1400d5c2c : mov r8b, [r9] 37 | 0x1400d5c2f : xor r8b, 5Dh 38 | 0x1400d5c33 : jmp loc_1400DABF2 39 | 0x1400dabf4 : mov rdx, 84063C9A3F77C111h 40 | 0x1400dabfe : not rdx 41 | 0x1400dac01 : lea rdx, [r9+rdx] 42 | 0x1400dac05 : mov r9, 7BF9C365C0883EECh 43 | 0x1400dac0f : not r9 44 | 0x1400dac12 : lea r9, [rdx+r9] 45 | 0x1400dac16 : jmp loc_1400D97BF 46 | 0x1400d97c6 : mov [rbp+8], r9 47 | 0x1400d97d0 : movzx r8, r8b 48 | 0x1400d97d4 : sub r8, 1 49 | 0x1400d97d8 : cmp r8, 0C8h 50 | 0x1400d97df : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 51 | -------------------------------------------------------------------------------- /handle_out/0x4b.txt: -------------------------------------------------------------------------------- 1 | 0x4b p_a p_b 2 | 3 | 0xD916 4 | 5 | *(PUSHORT)p_a = *(PUSHORT)p_b; 6 | 7 | v_mov_iregw_iregw 8 | ---------------------------------------- 9 | 10 | 0x1400d9376 : mov r9, [rbp+8] 11 | 0x1400d9382 : mov r8w, [r9] 12 | 0x1400d9386 : xor r8w, 0D916h 13 | 0x1400d938c : jmp loc_1400DA1E3 14 | 0x1400da1e4 : mov rdx, 0CCA2452BE1932934h 15 | 0x1400da1ee : not rdx 16 | 0x1400da1f1 : lea rdx, [r10+rdx] 17 | 0x1400da1f5 : movzx r8, r8w 18 | 0x1400da1f9 : mov rcx, 335DBAD41E6CD6CAh 19 | 0x1400da203 : not rcx 20 | 0x1400da206 : add r8, rcx 21 | 0x1400da209 : jmp loc_1400DB56F 22 | 0x1400db570 : lea r8, [rdx+r8] p_a = r8 23 | 0x1400db574 : lea r9, [r9+2] 24 | 0x1400db578 : mov dx, [r9] 25 | 0x1400db57c : xor dx, 0D916h 26 | 0x1400db581 : movzx rdx, dx 27 | 0x1400db585 : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400db589 : mov dx, [rdx] dx = *(PUSHORT)p_b 29 | 0x1400db58c : mov [r8], dx *(PUSHORT)p_a = dx 30 | 0x1400db590 : lea r9, [r9+2] 31 | 0x1400db597 : 
jmp loc_1400D719F 32 | 0x1400d71a4 : mov [rbp+8], r9 33 | 0x1400d71ae : jmp loc_1400DAC79 34 | 0x1400dac7c : mov r9, [rbp+8] 35 | 0x1400dac89 : mov r8b, [r9] 36 | 0x1400dac8c : xor r8b, 5Dh 37 | 0x1400dac90 : mov rdx, 0D3676A56DAFF3C65h 38 | 0x1400dac9a : jmp loc_1400D7763 39 | 0x1400d7764 : not rdx 40 | 0x1400d7767 : lea rdx, [r9+rdx] 41 | 0x1400d776b : mov r9, 2C9895A92500C398h 42 | 0x1400d7775 : not r9 43 | 0x1400d7778 : lea r9, [rdx+r9] 44 | 0x1400d777f : jmp loc_1400D5B91 45 | 0x1400d5b95 : mov [rbp+8], r9 46 | 0x1400d5b9e : movzx r8, r8b 47 | 0x1400d5ba2 : sub r8, 1; switch 200 cases 48 | 0x1400d5ba6 : jmp loc_1400D98A8 49 | 0x1400d98aa : cmp r8, 0C8h 50 | 0x1400d98b1 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 51 | -------------------------------------------------------------------------------- /handle_out/0x4d.txt: -------------------------------------------------------------------------------- 1 | 0x4d p_a p_b p_c 2 | 3 | 0x477D 4 | 5 | *(PULONG64)p_a = *(PULONG64)p_b + *(PULONG64)p_c; 6 | 7 | v_add_oregll_iregll_iregll 8 | ---------------------------------------- 9 | 10 | 0x1400dabb3 : mov r9, [rbp+8] 11 | 0x1400dabc0 : mov r8w, [r9] 12 | 0x1400dabc4 : xor r8w, 477Dh 13 | 0x1400dabca : mov rdx, 0D80D85C3F4678907h 14 | 0x1400dabd4 : not rdx 15 | 0x1400dabd7 : lea rdx, [r10+rdx] 16 | 0x1400dabdb : movzx r8, r8w 17 | 0x1400dabdf : jmp loc_1400DA293 18 | 0x1400da295 : mov rcx, 27F27A3C0B9876F7h 19 | 0x1400da29f : not rcx 20 | 0x1400da2a2 : add r8, rcx 21 | 0x1400da2a5 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400da2a9 : lea r9, [r9+2] 23 | 0x1400da2ad : mov dx, [r9] 24 | 0x1400da2b1 : xor dx, 477Dh 25 | 0x1400da2b6 : movzx rdx, dx 26 | 0x1400da2ba : lea rdx, [r10+rdx] p_b = rdx 27 | 0x1400da2be : mov rdx, [rdx] rdx = *(PULONG64)p_b 28 | 
0x1400da2c1 : lea r9, [r9+2] 29 | 0x1400da2c5 : jmp loc_1400D88E6 30 | 0x1400d88e8 : mov cx, [r9] 31 | 0x1400d88ec : xor cx, 477Dh 32 | 0x1400d88f1 : mov rax, 41998E00CC381907h 33 | 0x1400d88fb : not rax 34 | 0x1400d88fe : lea rax, [r10+rax] 35 | 0x1400d8902 : movzx rcx, cx 36 | 0x1400d8906 : mov rbx, 0BE6671FF33C7E6F7h 37 | 0x1400d8910 : not rbx 38 | 0x1400d8913 : add rcx, rbx 39 | 0x1400d8916 : lea rcx, [rax+rcx] p_c = rcx 40 | 0x1400d891a : mov rcx, [rcx] rcx = *(PULONG64)p_c 41 | 0x1400d891d : add rdx, rcx rdx = rdx + rcx 42 | 0x1400d8920 : jmp loc_1400D652E 43 | 0x1400d6536 : mov [r8], rdx *(PULONG64)p_a = rdx 44 | 0x1400d653f : lea r9, [r9+2] 45 | 0x1400d6549 : mov [rbp+8], r9 46 | 0x1400d6553 : jmp loc_1400D7232 47 | 0x1400d7234 : mov r9, [rbp+8] 48 | 0x1400d7240 : jmp loc_1400D99D9 49 | 0x1400d99db : mov r8b, [r9] 50 | 0x1400d99de : xor r8b, 5Dh 51 | 0x1400d99e2 : mov rdx, 25E9ECA9BDE22AEAh 52 | 0x1400d99ec : not rdx 53 | 0x1400d99ef : lea rdx, [r9+rdx] 54 | 0x1400d99f3 : jmp loc_1400D86A6 55 | 0x1400d86a8 : mov r9, 0DA161356421DD513h 56 | 0x1400d86b2 : not r9 57 | 0x1400d86b5 : lea r9, [rdx+r9] 58 | 0x1400d86bf : mov [rbp+8], r9 59 | 0x1400d86c9 : movzx r8, r8b 60 | 0x1400d86cd : sub r8, 1 61 | 0x1400d86d1 : jmp loc_1400D7E10 62 | 0x1400d7e11 : cmp r8, 0C8h 63 | 0x1400d7e18 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 64 | -------------------------------------------------------------------------------- /handle_out/0x4e.txt: -------------------------------------------------------------------------------- 1 | 0x4e p_a p_b p_c p_d 2 | 3 | 0xA9C7 4 | 5 | *(PULONG32)p_a = *(PULONG32)p_b + *(PULONG32)p_c; 6 | *(PULONG32)p_d = rf; 7 | 8 | v_add_oregl_iregl_iregl_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d82fd : mov r9, 
[rbp+8] 12 | 0x1400d830a : mov r8w, [r9] 13 | 0x1400d830e : xor r8w, 0A9C7h 14 | 0x1400d8314 : mov rdx, 0EF3B83D10BC1E4E0h 15 | 0x1400d831e : not rdx 16 | 0x1400d8321 : lea rdx, [r10+rdx] 17 | 0x1400d8325 : movzx r8, r8w 18 | 0x1400d8329 : mov rcx, 10C47C2EF43E1B1Eh 19 | 0x1400d8333 : not rcx 20 | 0x1400d8336 : add r8, rcx 21 | 0x1400d8339 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d833d : lea r9, [r9+2] 23 | 0x1400d8341 : mov dx, [r9] 24 | 0x1400d8345 : xor dx, 0A9C7h 25 | 0x1400d834a : jmp loc_1400D5F50 26 | 0x1400d5f52 : movzx rdx, dx 27 | 0x1400d5f56 : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400d5f5a : mov edx, [rdx] edx = *(PULONG32)p_b 29 | 0x1400d5f5c : lea r9, [r9+2] 30 | 0x1400d5f60 : mov cx, [r9] 31 | 0x1400d5f64 : xor cx, 0A9C7h 32 | 0x1400d5f69 : mov rax, 0B490B668EDB287AFh 33 | 0x1400d5f73 : not rax 34 | 0x1400d5f76 : lea rax, [r10+rax] 35 | 0x1400d5f7a : movzx rcx, cx 36 | 0x1400d5f7e : mov rbx, 4B6F4997124D784Fh 37 | 0x1400d5f88 : not rbx 38 | 0x1400d5f8b : add rcx, rbx 39 | 0x1400d5f8e : lea rcx, [rax+rcx] p_c = rcx 40 | 0x1400d5f92 : mov ecx, [rcx] ecx = *(PULONG32)p_c 41 | 0x1400d5f94 : lea r9, [r9+2] 42 | 0x1400d5f98 : mov ax, [r9] 43 | 0x1400d5f9c : xor ax, 0A9C7h 44 | 0x1400d5fa0 : movzx rax, ax 45 | 0x1400d5fa4 : lea rax, [r10+rax] p_d = rax 46 | 0x1400d5fa8 : jmp loc_1400D9014 47 | 0x1400d9016 : pushfq 48 | 0x1400d9017 : mov rbx, [rsp+90h+var_90] 49 | 0x1400d901b : lea rsp, [rsp+8] rf = *(PULONG32)p_d 50 | 0x1400d9020 : mov esi, [rax] 51 | 0x1400d9022 : mov esi, esi 52 | 0x1400d9024 : lea rsp, [rsp-8] 53 | 0x1400d9029 : mov [rsp+90h+var_90], rsi 54 | 0x1400d902d : popfq 55 | 0x1400d902e : add edx, ecx edx = edx + ecx 56 | 0x1400d9030 : pushfq 57 | 0x1400d9031 : mov rcx, [rsp+90h+var_90] 58 | 0x1400d9035 : lea rsp, [rsp+8] 59 | 0x1400d903a : mov [rax], ecx *(PULONG32)p_d = rf 60 | 0x1400d903c : lea rsp, [rsp-8] 61 | 0x1400d9041 : mov [rsp+90h+var_90], rbx 62 | 0x1400d9045 : popfq 63 | 0x1400d9046 : jmp loc_1400D9256 64 | 0x1400d9257 : mov [r8], edx 
*(PULONG32)p_a = edx 65 | 0x1400d925a : lea r9, [r9+2] 66 | 0x1400d9264 : mov [rbp+8], r9 67 | 0x1400d926e : jmp loc_1400D5C1C 68 | 0x1400d5c1f : mov r9, [rbp+8] 69 | 0x1400d5c2c : mov r8b, [r9] 70 | 0x1400d5c2f : xor r8b, 5Dh 71 | 0x1400d5c33 : jmp loc_1400DABF2 72 | 0x1400dabf4 : mov rdx, 84063C9A3F77C111h 73 | 0x1400dabfe : not rdx 74 | 0x1400dac01 : lea rdx, [r9+rdx] 75 | 0x1400dac05 : mov r9, 7BF9C365C0883EECh 76 | 0x1400dac0f : not r9 77 | 0x1400dac12 : lea r9, [rdx+r9] 78 | 0x1400dac16 : jmp loc_1400D97BF 79 | 0x1400d97c6 : mov [rbp+8], r9 80 | 0x1400d97d0 : movzx r8, r8b 81 | 0x1400d97d4 : sub r8, 1 82 | 0x1400d97d8 : cmp r8, 0C8h 83 | 0x1400d97df : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 84 | -------------------------------------------------------------------------------- /handle_out/0x4f.txt: -------------------------------------------------------------------------------- 1 | 0x4f p_a p_b p_c p_d 2 | 3 | 0x82BC 4 | 5 | *(PUSHORT)p_a = *(PUSHORT)p_b + *(PUSHORT)p_c; 6 | *(PULONG32)p_d = rf; 7 | 8 | v_add_oregw_iregw_iregw_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d6c8f : mov r9, [rbp+8] 12 | 0x1400d6c9c : mov r8w, [r9] 13 | 0x1400d6ca0 : xor r8w, 82BCh 14 | 0x1400d6ca6 : mov rdx, 0B219446669927888h 15 | 0x1400d6cb0 : not rdx 16 | 0x1400d6cb3 : lea rdx, [r10+rdx] 17 | 0x1400d6cb7 : movzx r8, r8w 18 | 0x1400d6cbb : mov rcx, 4DE6BB99966D8776h 19 | 0x1400d6cc5 : not rcx 20 | 0x1400d6cc8 : add r8, rcx 21 | 0x1400d6ccb : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d6ccf : lea r9, [r9+2] 23 | 0x1400d6cd3 : mov dx, [r9] 24 | 0x1400d6cd7 : xor dx, 82BCh 25 | 0x1400d6cdc : movzx rdx, dx 26 | 0x1400d6ce0 : jmp loc_1400D77F6 27 | 0x1400d77f7 : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400d77fb : mov dx, [rdx] dx = *(PUSHORT)p_b 29 | 
0x1400d77fe : lea r9, [r9+2] 30 | 0x1400d7802 : mov cx, [r9] 31 | 0x1400d7806 : xor cx, 82BCh 32 | 0x1400d780b : mov rax, 0E25BAECBAD88CA22h 33 | 0x1400d7815 : not rax 34 | 0x1400d7818 : lea rax, [r10+rax] 35 | 0x1400d781c : movzx rcx, cx 36 | 0x1400d7820 : mov rbx, 1DA45134527735DCh 37 | 0x1400d782a : not rbx 38 | 0x1400d782d : add rcx, rbx 39 | 0x1400d7830 : lea rcx, [rax+rcx] p_c = rcx 40 | 0x1400d7834 : mov cx, [rcx] cx = *(PUSHORT)p_c 41 | 0x1400d7837 : lea r9, [r9+2] 42 | 0x1400d783b : mov ax, [r9] 43 | 0x1400d783f : xor ax, 82BCh 44 | 0x1400d7843 : movzx rax, ax 45 | 0x1400d7847 : jmp loc_1400D7B84 46 | 0x1400d7b86 : lea rax, [r10+rax] p_d = rax 47 | 0x1400d7b8a : pushfq 48 | 0x1400d7b8b : mov rbx, [rsp+90h+var_90] 49 | 0x1400d7b8f : lea rsp, [rsp+8] 50 | 0x1400d7b94 : mov esi, [rax] 51 | 0x1400d7b96 : mov esi, esi 52 | 0x1400d7b98 : lea rsp, [rsp-8] 53 | 0x1400d7b9d : mov [rsp+90h+var_90], rsi 54 | 0x1400d7ba1 : popfq 55 | 0x1400d7ba2 : add dx, cx dx = dx + cx 56 | 0x1400d7ba5 : pushfq 57 | 0x1400d7ba6 : mov rcx, [rsp+90h+var_90] 58 | 0x1400d7baa : lea rsp, [rsp+8] 59 | 0x1400d7baf : jmp loc_1400D72E8 60 | 0x1400d72ea : mov [rax], ecx *(PULONG32)p_d = rf 61 | 0x1400d72ec : lea rsp, [rsp-8] 62 | 0x1400d72f1 : mov [rsp+90h+var_90], rbx 63 | 0x1400d72f5 : popfq 64 | 0x1400d72f6 : mov [r8], dx *(PUSHORT)p_a = dx 65 | 0x1400d72fa : lea r9, [r9+2] 66 | 0x1400d7304 : mov [rbp+8], r9 67 | 0x1400d730e : jmp loc_1400D8FEC 68 | 0x1400d8fef : mov r9, [rbp+8] 69 | 0x1400d8ffc : mov r8b, [r9] 70 | 0x1400d8fff : xor r8b, 5Dh 71 | 0x1400d9003 : jmp loc_1400D6A7C 72 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 73 | 0x1400d6a87 : not rdx 74 | 0x1400d6a8a : lea rdx, [r9+rdx] 75 | 0x1400d6a8e : mov r9, 0FC30FF09BAE0574Dh 76 | 0x1400d6a98 : not r9 77 | 0x1400d6a9b : lea r9, [rdx+r9] 78 | 0x1400d6aa5 : mov [rbp+8], r9 79 | 0x1400d6aa9 : jmp loc_1400DB1EB 80 | 0x1400db1f3 : movzx r8, r8b 81 | 0x1400db1f7 : sub r8, 1 82 | 0x1400db1fb : cmp r8, 0C8h 83 | 0x1400db202 : jnb 
def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 84 | -------------------------------------------------------------------------------- /handle_out/0x51.txt: -------------------------------------------------------------------------------- 1 | 0x51 p_a p_b 2 | 3 | 0xDB42 4 | 5 | *(PULONG64)p_a = ~(*(PULONG64)p_b); 6 | 7 | v_not_oregll_iregll 8 | ---------------------------------------- 9 | 10 | 0x1400d761e : mov r9, [rbp+8] 11 | 0x1400d762b : mov r8w, [r9] 12 | 0x1400d762f : xor r8w, 0DB42h 13 | 0x1400d7635 : jmp loc_1400D75A2 14 | 0x1400d75a3 : mov rdx, 79D820112FF9D05Ch 15 | 0x1400d75ad : not rdx 16 | 0x1400d75b0 : lea rdx, [r10+rdx] 17 | 0x1400d75b4 : movzx r8, r8w 18 | 0x1400d75b8 : mov rcx, 8627DFEED0062FA2h 19 | 0x1400d75c2 : not rcx 20 | 0x1400d75c5 : add r8, rcx 21 | 0x1400d75c8 : jmp loc_1400D5DA6 22 | 0x1400d5da8 : lea r8, [rdx+r8] p_a = r8 23 | 0x1400d5dac : lea r9, [r9+2] 24 | 0x1400d5db0 : mov dx, [r9] 25 | 0x1400d5db4 : xor dx, 0DB42h 26 | 0x1400d5db9 : movzx rdx, dx 27 | 0x1400d5dbd : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400d5dc1 : mov rdx, [rdx] rdx = *(PULONG64)p_b 29 | 0x1400d5dc4 : not rdx rdx = ~rdx 30 | 0x1400d5dcd : jmp loc_1400D9876 31 | 0x1400d9878 : mov [r8], rdx *(PULONG64)p_a = rdx 32 | 0x1400d9881 : lea r9, [r9+2] 33 | 0x1400d988b : mov [rbp+8], r9 34 | 0x1400d9895 : jmp loc_1400DA7EA 35 | 0x1400da7ec : jmp loc_1400DAC79 36 | 0x1400dac7c : mov r9, [rbp+8] 37 | 0x1400dac89 : mov r8b, [r9] 38 | 0x1400dac8c : xor r8b, 5Dh 39 | 0x1400dac90 : mov rdx, 0D3676A56DAFF3C65h 40 | 0x1400dac9a : jmp loc_1400D7763 41 | 0x1400d7764 : not rdx 42 | 0x1400d7767 : lea rdx, [r9+rdx] 43 | 0x1400d776b : mov r9, 2C9895A92500C398h 44 | 0x1400d7775 : not r9 45 | 0x1400d7778 : lea r9, [rdx+r9] 46 | 0x1400d777f : jmp loc_1400D5B91 47 | 0x1400d5b95 : mov 
[rbp+8], r9 48 | 0x1400d5b9e : movzx r8, r8b 49 | 0x1400d5ba2 : sub r8, 1; switch 200 cases 50 | 0x1400d5ba6 : jmp loc_1400D98A8 51 | 0x1400d98aa : cmp r8, 0C8h 52 | 0x1400d98b1 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 53 | -------------------------------------------------------------------------------- /handle_out/0x52.txt: -------------------------------------------------------------------------------- 1 | 0x52 p_a p_b p_c 2 | 3 | 0x77C6 4 | 5 | *(PULONG32)p_a = *(PULONG32)p_b + *(PULONG32)p_c; 6 | 7 | v_add_oregl_iregl_iregl 8 | ---------------------------------------- 9 | 10 | 0x1400da3e7 : mov r9, [rbp+8] 11 | 0x1400da3f3 : mov r8w, [r9] 12 | 0x1400da3f7 : xor r8w, 77C6h 13 | 0x1400da3fd : mov rdx, 80908610A8C8A98Ah 14 | 0x1400da407 : not rdx 15 | 0x1400da40a : lea rdx, [r10+rdx] 16 | 0x1400da40e : movzx r8, r8w 17 | 0x1400da412 : mov rcx, 7F6F79EF57375674h 18 | 0x1400da41c : not rcx 19 | 0x1400da41f : add r8, rcx 20 | 0x1400da422 : jmp loc_1400D6E47 21 | 0x1400d6e49 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d6e4d : lea r9, [r9+2] 23 | 0x1400d6e51 : mov dx, [r9] 24 | 0x1400d6e55 : xor dx, 77C6h 25 | 0x1400d6e5a : movzx rdx, dx 26 | 0x1400d6e5e : lea rdx, [r10+rdx] p_b = rdx 27 | 0x1400d6e62 : mov edx, [rdx] edx = *(PULONG32)p_b 28 | 0x1400d6e64 : lea r9, [r9+2] 29 | 0x1400d6e68 : jmp loc_1400D7CF4 30 | 0x1400d7cf5 : mov cx, [r9] 31 | 0x1400d7cf9 : xor cx, 77C6h 32 | 0x1400d7cfe : mov rax, 0DDFCA533195231DEh 33 | 0x1400d7d08 : not rax 34 | 0x1400d7d0b : lea rax, [r10+rax] 35 | 0x1400d7d0f : movzx rcx, cx 36 | 0x1400d7d13 : mov rbx, 22035ACCE6ADCE20h 37 | 0x1400d7d1d : not rbx 38 | 0x1400d7d20 : add rcx, rbx 39 | 0x1400d7d23 : jmp loc_1400D5BD6 40 | 0x1400d5bd7 : lea rcx, [rax+rcx] p_c = rcx 41 | 0x1400d5bdb : mov ecx, [rcx] ecx = 
*(PULONG32)p_c 42 | 0x1400d5bdd : add edx, ecx edx = edx + ecx 43 | 0x1400d5bdf : mov [r8], edx *(PULONG32)p_a = edx 44 | 0x1400d5be2 : lea r9, [r9+2] 45 | 0x1400d5bec : mov [rbp+8], r9 46 | 0x1400d5bf3 : jmp loc_1400D5E35 47 | 0x1400d5e39 : jmp loc_1400DAC79 48 | 0x1400dac7c : mov r9, [rbp+8] 49 | 0x1400dac89 : mov r8b, [r9] 50 | 0x1400dac8c : xor r8b, 5Dh 51 | 0x1400dac90 : mov rdx, 0D3676A56DAFF3C65h 52 | 0x1400dac9a : jmp loc_1400D7763 53 | 0x1400d7764 : not rdx 54 | 0x1400d7767 : lea rdx, [r9+rdx] 55 | 0x1400d776b : mov r9, 2C9895A92500C398h 56 | 0x1400d7775 : not r9 57 | 0x1400d7778 : lea r9, [rdx+r9] 58 | 0x1400d777f : jmp loc_1400D5B91 59 | 0x1400d5b95 : mov [rbp+8], r9 60 | 0x1400d5b9e : movzx r8, r8b 61 | 0x1400d5ba2 : sub r8, 1; switch 200 cases 62 | 0x1400d5ba6 : jmp loc_1400D98A8 63 | 0x1400d98aa : cmp r8, 0C8h 64 | 0x1400d98b1 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 65 | -------------------------------------------------------------------------------- /handle_out/0x54.txt: -------------------------------------------------------------------------------- 1 | 0x54 p_a p_b 2 | 3 | 0xDCF3 4 | 5 | *(PUCHAR)p_a = ~(*(PUCHAR)p_b); 6 | 7 | v_not_oregb_iregb 8 | ---------------------------------------- 9 | 10 | 0x1400d5b5d : mov r9, [rbp+8] 11 | 0x1400d5b6a : mov r8w, [r9] 12 | 0x1400d5b6e : xor r8w, 0DCF3h 13 | 0x1400d5b74 : mov rdx, 7DCE02387C71D8EAh 14 | 0x1400d5b7e : jmp loc_1400DA75F 15 | 0x1400da761 : not rdx 16 | 0x1400da764 : lea rdx, [r10+rdx] 17 | 0x1400da768 : movzx r8, r8w 18 | 0x1400da76c : mov rcx, 8231FDC7838E2714h 19 | 0x1400da776 : not rcx 20 | 0x1400da779 : add r8, rcx 21 | 0x1400da77c : lea r8, [rdx+r8] p_a = r8 22 | 0x1400da780 : lea r9, [r9+2] 23 | 0x1400da784 : mov dx, [r9] 24 | 0x1400da788 : jmp loc_1400DA92E 25 | 
0x1400da92f : xor dx, 0DCF3h 26 | 0x1400da934 : movzx rdx, dx 27 | 0x1400da938 : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400da93c : mov dl, [rdx] dl = *(PUCHAR)p_b 29 | 0x1400da93e : not dl dl = ~dl 30 | 0x1400da940 : mov [r8], dl *(PUCHAR)p_a = dl 31 | 0x1400da943 : lea r9, [r9+2] 32 | 0x1400da94a : jmp loc_1400D8CCC 33 | 0x1400d8ccf : mov [rbp+8], r9 34 | 0x1400d8cd8 : jmp loc_1400D5C1C 35 | 0x1400d5c1f : mov r9, [rbp+8] 36 | 0x1400d5c2c : mov r8b, [r9] 37 | 0x1400d5c2f : xor r8b, 5Dh 38 | 0x1400d5c33 : jmp loc_1400DABF2 39 | 0x1400dabf4 : mov rdx, 84063C9A3F77C111h 40 | 0x1400dabfe : not rdx 41 | 0x1400dac01 : lea rdx, [r9+rdx] 42 | 0x1400dac05 : mov r9, 7BF9C365C0883EECh 43 | 0x1400dac0f : not r9 44 | 0x1400dac12 : lea r9, [rdx+r9] 45 | 0x1400dac16 : jmp loc_1400D97BF 46 | 0x1400d97c6 : mov [rbp+8], r9 47 | 0x1400d97d0 : movzx r8, r8b 48 | 0x1400d97d4 : sub r8, 1 49 | 0x1400d97d8 : cmp r8, 0C8h 50 | 0x1400d97df : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 51 | -------------------------------------------------------------------------------- /handle_out/0x56.txt: -------------------------------------------------------------------------------- 1 | 0x56 p_a p_b 2 | 3 | 0xE297 4 | 5 | *(PULONG32)p_a = ~(*(PULONG32)p_b); 6 | 7 | v_not_oregl_iregl 8 | ---------------------------------------- 9 | 10 | 0x1400db3d6 : mov r9, [rbp+8] 11 | 0x1400db3e0 : jmp loc_1400D8B48 12 | 0x1400d8b4d : mov r8w, [r9] 13 | 0x1400d8b51 : xor r8w, 0E297h 14 | 0x1400d8b57 : mov rdx, 0DDDF5B2A79705608h 15 | 0x1400d8b61 : not rdx 16 | 0x1400d8b64 : lea rdx, [r10+rdx] 17 | 0x1400d8b68 : movzx r8, r8w 18 | 0x1400d8b6c : mov rcx, 2220A4D5868FA9F6h 19 | 0x1400d8b76 : not rcx 20 | 0x1400d8b79 : add r8, rcx 21 | 0x1400d8b7c : jmp loc_1400DAF61 22 | 0x1400daf62 : lea r8, [rdx+r8] p_a 
= r8 23 | 0x1400daf66 : lea r9, [r9+2] 24 | 0x1400daf6a : mov dx, [r9] 25 | 0x1400daf6e : xor dx, 0E297h 26 | 0x1400daf73 : movzx rdx, dx 27 | 0x1400daf77 : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400daf7b : mov edx, [rdx] edx = *(PULONG32)p_b 29 | 0x1400daf7d : not edx edx = ~edx 30 | 0x1400daf7f : jmp loc_1400D82DD 31 | 0x1400d82de : mov [r8], edx *(PULONG32)p_a = edx 32 | 0x1400d82e1 : lea r9, [r9+2] 33 | 0x1400d82eb : mov [rbp+8], r9 34 | 0x1400d82f5 : jmp loc_1400D5C1C 35 | 0x1400d5c1f : mov r9, [rbp+8] 36 | 0x1400d5c2c : mov r8b, [r9] 37 | 0x1400d5c2f : xor r8b, 5Dh 38 | 0x1400d5c33 : jmp loc_1400DABF2 39 | 0x1400dabf4 : mov rdx, 84063C9A3F77C111h 40 | 0x1400dabfe : not rdx 41 | 0x1400dac01 : lea rdx, [r9+rdx] 42 | 0x1400dac05 : mov r9, 7BF9C365C0883EECh 43 | 0x1400dac0f : not r9 44 | 0x1400dac12 : lea r9, [rdx+r9] 45 | 0x1400dac16 : jmp loc_1400D97BF 46 | 0x1400d97c6 : mov [rbp+8], r9 47 | 0x1400d97d0 : movzx r8, r8b 48 | 0x1400d97d4 : sub r8, 1 49 | 0x1400d97d8 : cmp r8, 0C8h 50 | 0x1400d97df : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 51 | -------------------------------------------------------------------------------- /handle_out/0x57.txt: -------------------------------------------------------------------------------- 1 | 0x57 p_a p_b 2 | 3 | 0x666D 4 | 5 | *(PUSHORT)p_a = ~(*(PUSHORT)p_b); 6 | 7 | v_not_oregw_iregw 8 | ---------------------------------------- 9 | 10 | 0x1400d5cdb : mov r9, [rbp+8] 11 | 0x1400d5ce8 : mov r8w, [r9] 12 | 0x1400d5cec : jmp loc_1400D75E0 13 | 0x1400d75e1 : xor r8w, 666Dh 14 | 0x1400d75e7 : mov rdx, 60883A8B373A9922h 15 | 0x1400d75f1 : not rdx 16 | 0x1400d75f4 : lea rdx, [r10+rdx] 17 | 0x1400d75f8 : movzx r8, r8w 18 | 0x1400d75fc : jmp loc_1400D8158 19 | 0x1400d815a : mov rcx, 9F77C574C8C566DCh 20 | 
0x1400d8164 : not rcx 21 | 0x1400d8167 : add r8, rcx 22 | 0x1400d816a : lea r8, [rdx+r8] p_a = r8 23 | 0x1400d816e : lea r9, [r9+2] 24 | 0x1400d8172 : mov dx, [r9] 25 | 0x1400d8176 : xor dx, 666Dh 26 | 0x1400d817b : movzx rdx, dx 27 | 0x1400d817f : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400d8183 : jmp loc_1400D7B2D 29 | 0x1400d7b2f : mov dx, [rdx] dx = *(PUSHORT)p_b 30 | 0x1400d7b32 : not dx dx = ~dx 31 | 0x1400d7b35 : mov [r8], dx *(PUSHORT)p_a = dx 32 | 0x1400d7b39 : lea r9, [r9+2] 33 | 0x1400d7b40 : jmp loc_1400D9A82 34 | 0x1400d9a87 : mov [rbp+8], r9 35 | 0x1400d9a91 : jmp loc_1400D7232 36 | 0x1400d7234 : mov r9, [rbp+8] 37 | 0x1400d7240 : jmp loc_1400D99D9 38 | 0x1400d99db : mov r8b, [r9] 39 | 0x1400d99de : xor r8b, 5Dh 40 | 0x1400d99e2 : mov rdx, 25E9ECA9BDE22AEAh 41 | 0x1400d99ec : not rdx 42 | 0x1400d99ef : lea rdx, [r9+rdx] 43 | 0x1400d99f3 : jmp loc_1400D86A6 44 | 0x1400d86a8 : mov r9, 0DA161356421DD513h 45 | 0x1400d86b2 : not r9 46 | 0x1400d86b5 : lea r9, [rdx+r9] 47 | 0x1400d86bf : mov [rbp+8], r9 48 | 0x1400d86c9 : movzx r8, r8b 49 | 0x1400d86cd : sub r8, 1 50 | 0x1400d86d1 : jmp loc_1400D7E10 51 | 0x1400d7e11 : cmp r8, 0C8h 52 | 0x1400d7e18 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 53 | -------------------------------------------------------------------------------- /handle_out/0x6.txt: -------------------------------------------------------------------------------- 1 | 0x06 p_a p_b p_c p_d 2 | 3 | 0x8374 4 | 5 | *(PULONG32)p_a = *(PULONG32)p_b sar *(PUCHAR)p_c; 6 | *(PULONG32)p_d = rf; 7 | 8 | v_sar_oregl_iregl_iregb_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d7355 : mov r9, [rbp+8] 12 | 0x1400d7362 : mov r8w, [r9] 13 | 0x1400d7366 : xor r8w, 8374h 14 | 0x1400d736c : mov rdx, 39FBFA62219A02FDh 15 | 
0x1400d7376 : not rdx 16 | 0x1400d7379 : lea rdx, [r10+rdx] 17 | 0x1400d737d : movzx r8, r8w 18 | 0x1400d7381 : mov rcx, 0C604059DDE65FD01h 19 | 0x1400d738b : not rcx 20 | 0x1400d738e : jmp loc_1400D89C8 21 | 0x1400d89c9 : add r8, rcx 22 | 0x1400d89cc : lea r8, [rdx+r8] p_a = r8 23 | 0x1400d89d0 : lea r9, [r9+2] 24 | 0x1400d89d4 : mov dx, [r9] 25 | 0x1400d89d8 : xor dx, 8374h 26 | 0x1400d89dd : movzx rdx, dx 27 | 0x1400d89e1 : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400d89e5 : mov edx, [rdx] edx = *(PULONG32)p_b 29 | 0x1400d89e7 : lea r9, [r9+2] 30 | 0x1400d89eb : mov cx, [r9] 31 | 0x1400d89ef : xor cx, 8374h 32 | 0x1400d89f4 : mov rax, 0EF06838399AF56FBh 33 | 0x1400d89fe : not rax 34 | 0x1400d8a01 : lea rax, [r10+rax] 35 | 0x1400d8a05 : movzx rcx, cx 36 | 0x1400d8a09 : mov rbx, 10F97C7C6650A903h 37 | 0x1400d8a13 : not rbx 38 | 0x1400d8a16 : add rcx, rbx 39 | 0x1400d8a19 : lea rcx, [rax+rcx] p_c = rcx 40 | 0x1400d8a1d : mov cl, [rcx] cl = *(PUCHAR)p_c 41 | 0x1400d8a1f : lea r9, [r9+2] 42 | 0x1400d8a23 : jmp loc_1400D764B 43 | 0x1400d764c : mov ax, [r9] 44 | 0x1400d7650 : xor ax, 8374h 45 | 0x1400d7654 : movzx rax, ax 46 | 0x1400d7658 : lea rax, [r10+rax] p_d = rax 47 | 0x1400d765c : pushfq 48 | 0x1400d765d : mov rbx, [rsp+90h+var_90] 49 | 0x1400d7661 : lea rsp, [rsp+8] 50 | 0x1400d7666 : mov esi, [rax] rf 51 | 0x1400d7668 : mov esi, esi 52 | 0x1400d766a : lea rsp, [rsp-8] 53 | 0x1400d766f : mov [rsp+90h+var_90], rsi 54 | 0x1400d7673 : popfq 55 | 0x1400d7674 : sar edx, cl edx = edx sar cl 56 | 0x1400d7676 : pushfq 57 | 0x1400d7677 : mov rcx, [rsp+90h+var_90] 58 | 0x1400d767b : lea rsp, [rsp+8] 59 | 0x1400d7680 : mov [rax], ecx *(PULONG32)p_d = rf 60 | 0x1400d7682 : lea rsp, [rsp-8] 61 | 0x1400d7687 : mov [rsp+90h+var_90], rbx 62 | 0x1400d768b : popfq 63 | 0x1400d768c : jmp loc_1400D905B 64 | 0x1400d905d : mov [r8], edx *(PULONG32)p_a = edx 65 | 0x1400d9060 : lea r9, [r9+2] 66 | 0x1400d9069 : mov [rbp+8], r9 67 | 0x1400d9072 : jmp loc_1400D8FEC 68 | 0x1400d8fef : mov 
r9, [rbp+8] 69 | 0x1400d8ffc : mov r8b, [r9] 70 | 0x1400d8fff : xor r8b, 5Dh 71 | 0x1400d9003 : jmp loc_1400D6A7C 72 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 73 | 0x1400d6a87 : not rdx 74 | 0x1400d6a8a : lea rdx, [r9+rdx] 75 | 0x1400d6a8e : mov r9, 0FC30FF09BAE0574Dh 76 | 0x1400d6a98 : not r9 77 | 0x1400d6a9b : lea r9, [rdx+r9] 78 | 0x1400d6aa5 : mov [rbp+8], r9 79 | 0x1400d6aa9 : jmp loc_1400DB1EB 80 | 0x1400db1f3 : movzx r8, r8b 81 | 0x1400db1f7 : sub r8, 1 82 | 0x1400db1fb : cmp r8, 0C8h 83 | 0x1400db202 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 84 | -------------------------------------------------------------------------------- /handle_out/0x6e.txt: -------------------------------------------------------------------------------- 1 | 0x6e 2 | 3 | 0xA1CE 4 | 5 | *(PULONG32)p_a = *(PULONG32)p_b & *(PULONG32)p_c; 6 | 7 | v_and_oregl_iregl_iregl 8 | ---------------------------------------- 9 | 10 | 0x1400d6fcc : mov r9, [rbp+8] 11 | 0x1400d6fd9 : mov r8w, [r9] 12 | 0x1400d6fdd : xor r8w, 0A1CEh 13 | 0x1400d6fe3 : mov rdx, 4028A61A79ADE413h 14 | 0x1400d6fed : not rdx 15 | 0x1400d6ff0 : lea rdx, [r10+rdx] 16 | 0x1400d6ff4 : movzx r8, r8w 17 | 0x1400d6ff8 : jmp loc_1400D9CCA 18 | 0x1400d9ccc : mov rcx, 0BFD759E586521BEBh 19 | 0x1400d9cd6 : not rcx 20 | 0x1400d9cd9 : add r8, rcx 21 | 0x1400d9cdc : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d9ce0 : lea r9, [r9+2] 23 | 0x1400d9ce4 : mov dx, [r9] 24 | 0x1400d9ce8 : xor dx, 0A1CEh 25 | 0x1400d9ced : movzx rdx, dx 26 | 0x1400d9cf1 : lea rdx, [r10+rdx] p_b = rdx 27 | 0x1400d9cf5 : mov edx, [rdx] edx = *(PULONG32)p_b 28 | 0x1400d9cf7 : lea r9, [r9+2] 29 | 0x1400d9cfb : mov cx, [r9] 30 | 0x1400d9cff : xor cx, 0A1CEh 31 | 0x1400d9d04 : mov rax, 0BF07B5D6F050829Dh 32 | 0x1400d9d0e : not rax 33 | 0x1400d9d11 : lea 
rax, [r10+rax] 34 | 0x1400d9d15 : movzx rcx, cx 35 | 0x1400d9d19 : mov rbx, 40F84A290FAF7D61h 36 | 0x1400d9d23 : jmp loc_1400DB480 37 | 0x1400db482 : not rbx 38 | 0x1400db485 : add rcx, rbx 39 | 0x1400db488 : lea rcx, [rax+rcx] p_c = rcx 40 | 0x1400db48c : mov ecx, [rcx] ecx = *(PULONG32)p_c 41 | 0x1400db48e : not edx 42 | 0x1400db490 : mov eax, edx 43 | 0x1400db492 : and eax, edx 44 | 0x1400db494 : not eax eax = edx 45 | 0x1400db496 : not ecx 46 | 0x1400db498 : mov edx, ecx 47 | 0x1400db49a : and edx, ecx 48 | 0x1400db49c : not edx edx = ecx 49 | 0x1400db49e : and eax, edx eax = eax & edx 50 | 0x1400db4a0 : mov [r8], eax *(PULONG32)p_a = eax 51 | 0x1400db4a3 : lea r9, [r9+2] 52 | 0x1400db4ad : jmp loc_1400D623B 53 | 0x1400d623d : mov [rbp+8], r9 54 | 0x1400d6247 : jmp loc_1400DAC79 55 | 0x1400dac7c : mov r9, [rbp+8] 56 | 0x1400dac89 : mov r8b, [r9] 57 | 0x1400dac8c : xor r8b, 5Dh 58 | 0x1400dac90 : mov rdx, 0D3676A56DAFF3C65h 59 | 0x1400dac9a : jmp loc_1400D7763 60 | 0x1400d7764 : not rdx 61 | 0x1400d7767 : lea rdx, [r9+rdx] 62 | 0x1400d776b : mov r9, 2C9895A92500C398h 63 | 0x1400d7775 : not r9 64 | 0x1400d7778 : lea r9, [rdx+r9] 65 | 0x1400d777f : jmp loc_1400D5B91 66 | 0x1400d5b95 : mov [rbp+8], r9 67 | 0x1400d5b9e : movzx r8, r8b 68 | 0x1400d5ba2 : sub r8, 1; switch 200 cases 69 | 0x1400d5ba6 : jmp loc_1400D98A8 70 | 0x1400d98aa : cmp r8, 0C8h 71 | 0x1400d98b1 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 72 | -------------------------------------------------------------------------------- /handle_out/0x70.txt: -------------------------------------------------------------------------------- 1 | 0x70 p_a p_b p_c p_d 2 | 3 | 0x64D1 4 | 5 | *(PUCHAR)p_a = *(PUCHAR)p_b & *(PUCHAR)p_c; 6 | *(PULONG32)p_d = rf; 7 | 8 | v_and_oregb_iregb_iregb_oregl 9 
| ---------------------------------------- 10 | 11 | 0x1400d7f29 : mov r9, [rbp+8] 12 | 0x1400d7f36 : mov r8w, [r9] 13 | 0x1400d7f3a : xor r8w, 64D1h 14 | 0x1400d7f40 : mov rdx, 5003A1915261CE58h 15 | 0x1400d7f4a : not rdx 16 | 0x1400d7f4d : lea rdx, [r10+rdx] 17 | 0x1400d7f51 : movzx r8, r8w 18 | 0x1400d7f55 : mov rcx, 0AFFC5E6EAD9E31A6h 19 | 0x1400d7f5f : not rcx 20 | 0x1400d7f62 : add r8, rcx 21 | 0x1400d7f65 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d7f69 : lea r9, [r9+2] 23 | 0x1400d7f6d : mov dx, [r9] 24 | 0x1400d7f71 : jmp loc_1400D7EBC 25 | 0x1400d7ebe : xor dx, 64D1h 26 | 0x1400d7ec3 : movzx rdx, dx 27 | 0x1400d7ec7 : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400d7ecb : mov dl, [rdx] dl = *(PUCHAR)p_b 29 | 0x1400d7ecd : lea r9, [r9+2] 30 | 0x1400d7ed1 : mov cx, [r9] 31 | 0x1400d7ed5 : xor cx, 64D1h 32 | 0x1400d7eda : mov rax, 0BADEC6510D4497C1h 33 | 0x1400d7ee4 : not rax 34 | 0x1400d7ee7 : lea rax, [r10+rax] 35 | 0x1400d7eeb : movzx rcx, cx 36 | 0x1400d7eef : mov rbx, 452139AEF2BB683Dh 37 | 0x1400d7ef9 : not rbx 38 | 0x1400d7efc : add rcx, rbx 39 | 0x1400d7eff : lea rcx, [rax+rcx] p_c = rcx 40 | 0x1400d7f03 : mov cl, [rcx] cl = *(PUCHAR)p_c 41 | 0x1400d7f05 : lea r9, [r9+2] 42 | 0x1400d7f09 : mov ax, [r9] 43 | 0x1400d7f0d : xor ax, 64D1h 44 | 0x1400d7f11 : jmp loc_1400DACDE 45 | 0x1400dacdf : movzx rax, ax 46 | 0x1400dace3 : lea rax, [r10+rax] p_d = rax 47 | 0x1400dace7 : pushfq 48 | 0x1400dace8 : mov rbx, [rsp+90h+var_90] 49 | 0x1400dacec : lea rsp, [rsp+8] 50 | 0x1400dacf1 : mov esi, [rax] rf 51 | 0x1400dacf3 : mov esi, esi 52 | 0x1400dacf5 : lea rsp, [rsp-8] 53 | 0x1400dacfa : mov [rsp+90h+var_90], rsi 54 | 0x1400dacfe : popfq 55 | 0x1400dacff : and dl, cl dl = dl & cl 56 | 0x1400dad01 : pushfq 57 | 0x1400dad02 : mov rcx, [rsp+90h+var_90] 58 | 0x1400dad06 : lea rsp, [rsp+8] 59 | 0x1400dad0b : mov [rax], ecx *(PULONG32)p_d = rf 60 | 0x1400dad0d : lea rsp, [rsp-8] 61 | 0x1400dad12 : mov [rsp+90h+var_90], rbx 62 | 0x1400dad16 : jmp loc_1400DA6E5 63 | 0x1400da6e6 : 
popfq 64 | 0x1400da6e7 : mov [r8], dl *(PUCHAR)p_a = dl 65 | 0x1400da6ea : lea r9, [r9+2] 66 | 0x1400da6f3 : mov [rbp+8], r9 67 | 0x1400da6fc : jmp loc_1400D7232 68 | 0x1400d7234 : mov r9, [rbp+8] 69 | 0x1400d7240 : jmp loc_1400D99D9 70 | 0x1400d99db : mov r8b, [r9] 71 | 0x1400d99de : xor r8b, 5Dh 72 | 0x1400d99e2 : mov rdx, 25E9ECA9BDE22AEAh 73 | 0x1400d99ec : not rdx 74 | 0x1400d99ef : lea rdx, [r9+rdx] 75 | 0x1400d99f3 : jmp loc_1400D86A6 76 | 0x1400d86a8 : mov r9, 0DA161356421DD513h 77 | 0x1400d86b2 : not r9 78 | 0x1400d86b5 : lea r9, [rdx+r9] 79 | 0x1400d86bf : mov [rbp+8], r9 80 | 0x1400d86c9 : movzx r8, r8b 81 | 0x1400d86cd : sub r8, 1 82 | 0x1400d86d1 : jmp loc_1400D7E10 83 | 0x1400d7e11 : cmp r8, 0C8h 84 | 0x1400d7e18 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 85 | -------------------------------------------------------------------------------- /handle_out/0x72.txt: -------------------------------------------------------------------------------- 1 | 0x72 p_a p_b p_c p_d 2 | 3 | 0x4A64 4 | 5 | *(PULONG32)p_a = *(PULONG32)p_b & *(PULONG32)p_c; 6 | *(PULONG32)p_d = rf; 7 | 8 | v_and_oregl_iregl_iregl_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d8dc1 : mov r9, [rbp+8] 12 | 0x1400d8dcd : mov r8w, [r9] 13 | 0x1400d8dd1 : xor r8w, 4A64h 14 | 0x1400d8dd7 : mov rdx, 8075D1D8F33C6F26h 15 | 0x1400d8de1 : not rdx 16 | 0x1400d8de4 : lea rdx, [r10+rdx] 17 | 0x1400d8de8 : movzx r8, r8w 18 | 0x1400d8dec : mov rcx, 7F8A2E270CC390D8h 19 | 0x1400d8df6 : not rcx 20 | 0x1400d8df9 : add r8, rcx 21 | 0x1400d8dfc : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d8e00 : lea r9, [r9+2] 23 | 0x1400d8e04 : mov dx, [r9] 24 | 0x1400d8e08 : jmp loc_1400DA651 25 | 0x1400da653 : xor dx, 4A64h 26 | 0x1400da658 : movzx rdx, dx 27 | 0x1400da65c : lea rdx, 
[r10+rdx] p_b = rdx 28 | 0x1400da660 : mov edx, [rdx] edx = *(PULONG32)p_b 29 | 0x1400da662 : lea r9, [r9+2] 30 | 0x1400da666 : mov cx, [r9] 31 | 0x1400da66a : xor cx, 4A64h 32 | 0x1400da66f : mov rax, 7C71E3A5B1D79919h 33 | 0x1400da679 : not rax 34 | 0x1400da67c : lea rax, [r10+rax] 35 | 0x1400da680 : movzx rcx, cx 36 | 0x1400da684 : mov rbx, 838E1C5A4E2866E5h 37 | 0x1400da68e : not rbx 38 | 0x1400da691 : add rcx, rbx 39 | 0x1400da694 : lea rcx, [rax+rcx] p_c = rcx 40 | 0x1400da698 : mov ecx, [rcx] ecx = *(PULONG32)p_c 41 | 0x1400da69a : jmp loc_1400D65A3 42 | 0x1400d65a5 : lea r9, [r9+2] 43 | 0x1400d65a9 : mov ax, [r9] 44 | 0x1400d65ad : xor ax, 4A64h 45 | 0x1400d65b1 : movzx rax, ax 46 | 0x1400d65b5 : lea rax, [r10+rax] p_d = rax 47 | 0x1400d65b9 : pushfq 48 | 0x1400d65ba : mov rbx, [rsp+90h+var_90] 49 | 0x1400d65be : lea rsp, [rsp+8] 50 | 0x1400d65c3 : mov esi, [rax] rf 51 | 0x1400d65c5 : mov esi, esi 52 | 0x1400d65c7 : lea rsp, [rsp-8] 53 | 0x1400d65cc : mov [rsp+90h+var_90], rsi 54 | 0x1400d65d0 : popfq 55 | 0x1400d65d1 : and edx, ecx edx = edx & ecx 56 | 0x1400d65d3 : pushfq 57 | 0x1400d65d4 : mov rcx, [rsp+90h+var_90] 58 | 0x1400d65d8 : lea rsp, [rsp+8] 59 | 0x1400d65dd : mov [rax], ecx *(PULONG32)p_d = rf 60 | 0x1400d65df : lea rsp, [rsp-8] 61 | 0x1400d65e4 : mov [rsp+90h+var_90], rbx 62 | 0x1400d65e8 : popfq 63 | 0x1400d65e9 : mov [r8], edx *(PULONG32)p_a = edx 64 | 0x1400d65ec : jmp loc_1400D84B6 65 | 0x1400d84b7 : lea r9, [r9+2] 66 | 0x1400d84c1 : mov [rbp+8], r9 67 | 0x1400d84cb : jmp loc_1400D8FEC 68 | 0x1400d8fef : mov r9, [rbp+8] 69 | 0x1400d8ffc : mov r8b, [r9] 70 | 0x1400d8fff : xor r8b, 5Dh 71 | 0x1400d9003 : jmp loc_1400D6A7C 72 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 73 | 0x1400d6a87 : not rdx 74 | 0x1400d6a8a : lea rdx, [r9+rdx] 75 | 0x1400d6a8e : mov r9, 0FC30FF09BAE0574Dh 76 | 0x1400d6a98 : not r9 77 | 0x1400d6a9b : lea r9, [rdx+r9] 78 | 0x1400d6aa5 : mov [rbp+8], r9 79 | 0x1400d6aa9 : jmp loc_1400DB1EB 80 | 0x1400db1f3 : movzx r8, r8b 81 
| 0x1400db1f7 : sub r8, 1 82 | 0x1400db1fb : cmp r8, 0C8h 83 | 0x1400db202 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 84 | -------------------------------------------------------------------------------- /handle_out/0x7d.txt: -------------------------------------------------------------------------------- 1 | 0x7d p_a p_b 2 | 3 | 0xD878 4 | 5 | *((PULONG64 *)p_a) = *(PULONG64)p_b; 6 | 7 | v_mov_ipreg_iregll 8 | ---------------------------------------- 9 | 10 | 0x1400d725a : mov r9, [rbp+8] 11 | 0x1400d7266 : mov r8w, [r9] 12 | 0x1400d726a : xor r8w, 0D878h 13 | 0x1400d7270 : mov rdx, 0B60CA9B2483A9C06h 14 | 0x1400d727a : jmp loc_1400D7B53 15 | 0x1400d7b54 : not rdx 16 | 0x1400d7b57 : lea rdx, [r10+rdx] 17 | 0x1400d7b5b : movzx r8, r8w 18 | 0x1400d7b5f : mov rcx, 49F3564DB7C563F8h 19 | 0x1400d7b69 : not rcx 20 | 0x1400d7b6c : add r8, rcx 21 | 0x1400d7b6f : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d7b73 : jmp loc_1400D899E 23 | 0x1400d899f : mov r8, [r8] r8 = *(PULONG64)p_a 24 | 0x1400d89a2 : lea r9, [r9+2] 25 | 0x1400d89a6 : mov dx, [r9] 26 | 0x1400d89aa : xor dx, 0D878h 27 | 0x1400d89af : movzx rdx, dx 28 | 0x1400d89b3 : lea rdx, [r10+rdx] p_b = rdx 29 | 0x1400d89b7 : jmp loc_1400DAE97 30 | 0x1400dae98 : mov rdx, [rdx] rdx = *(PULONG64)p_b 31 | 0x1400daea1 : mov [r8], rdx *(PULONG64)r8 = rdx 32 | 0x1400daeaa : lea r9, [r9+2] 33 | 0x1400daeb4 : mov [rbp+8], r9 34 | 0x1400daeb8 : jmp loc_1400D5C52 35 | 0x1400d5c5a : jmp loc_1400D8FEC 36 | 0x1400d8fef : mov r9, [rbp+8] 37 | 0x1400d8ffc : mov r8b, [r9] 38 | 0x1400d8fff : xor r8b, 5Dh 39 | 0x1400d9003 : jmp loc_1400D6A7C 40 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 41 | 0x1400d6a87 : not rdx 42 | 0x1400d6a8a : lea rdx, [r9+rdx] 43 | 0x1400d6a8e : mov r9, 0FC30FF09BAE0574Dh 44 | 0x1400d6a98 : not r9 45 | 
0x1400d6a9b : lea r9, [rdx+r9] 46 | 0x1400d6aa5 : mov [rbp+8], r9 47 | 0x1400d6aa9 : jmp loc_1400DB1EB 48 | 0x1400db1f3 : movzx r8, r8b 49 | 0x1400db1f7 : sub r8, 1 50 | 0x1400db1fb : cmp r8, 0C8h 51 | 0x1400db202 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 52 | -------------------------------------------------------------------------------- /handle_out/0x9.txt: -------------------------------------------------------------------------------- 1 | 0x09 p_a p_b p_c p_d 2 | 3 | 0x9D87 4 | 5 | *(PULONG64)p_a = *(PULONG64)p_b >> *(PUCHAR)p_c; 6 | *(PULONG32)p_d = rf; 7 | 8 | v_shr_oregll_iregll_iregb_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d86e5 : mov r9, [rbp+8] 12 | 0x1400d86f2 : mov r8w, [r9] 13 | 0x1400d86f6 : xor r8w, 9D87h 14 | 0x1400d86fc : mov rdx, 0B94CC661A27B364Ah 15 | 0x1400d8706 : not rdx 16 | 0x1400d8709 : lea rdx, [r10+rdx] 17 | 0x1400d870d : movzx r8, r8w 18 | 0x1400d8711 : mov rcx, 46B3399E5D84C9B4h 19 | 0x1400d871b : not rcx 20 | 0x1400d871e : add r8, rcx 21 | 0x1400d8721 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d8725 : jmp loc_1400DB32A 23 | 0x1400db32c : lea r9, [r9+2] 24 | 0x1400db330 : mov dx, [r9] 25 | 0x1400db334 : xor dx, 9D87h 26 | 0x1400db339 : movzx rdx, dx 27 | 0x1400db33d : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400db341 : mov rdx, [rdx] rdx = *(PULONG64)p_b 29 | 0x1400db344 : lea r9, [r9+2] 30 | 0x1400db348 : mov cx, [r9] 31 | 0x1400db34c : xor cx, 9D87h 32 | 0x1400db351 : mov rax, 46E9B239C0118DA4h 33 | 0x1400db35b : not rax 34 | 0x1400db35e : lea rax, [r10+rax] 35 | 0x1400db362 : movzx rcx, cx 36 | 0x1400db366 : mov rbx, 0B9164DC63FEE725Ah 37 | 0x1400db370 : not rbx 38 | 0x1400db373 : add rcx, rbx 39 | 0x1400db376 : lea rcx, [rax+rcx] p_c = rcx 40 | 0x1400db37a : mov cl, [rcx] cl = *(PUCHAR)p_c 41
| 0x1400db37c : lea r9, [r9+2] 42 | 0x1400db380 : mov ax, [r9] 43 | 0x1400db384 : jmp loc_1400D655F 44 | 0x1400d6561 : xor ax, 9D87h 45 | 0x1400d6565 : movzx rax, ax 46 | 0x1400d6569 : lea rax, [r10+rax] p_d = rax 47 | 0x1400d656d : pushfq 48 | 0x1400d656e : mov rbx, [rsp+90h+var_90] 49 | 0x1400d6572 : lea rsp, [rsp+8] 50 | 0x1400d6577 : mov esi, [rax] rf 51 | 0x1400d6579 : mov esi, esi 52 | 0x1400d657b : lea rsp, [rsp-8] 53 | 0x1400d6580 : mov [rsp+90h+var_90], rsi 54 | 0x1400d6584 : popfq 55 | 0x1400d6585 : shr rdx, cl rdx = rdx >> cl 56 | 0x1400d6588 : pushfq 57 | 0x1400d6589 : mov rcx, [rsp+90h+var_90] 58 | 0x1400d658d : lea rsp, [rsp+8] 59 | 0x1400d6592 : jmp loc_1400DA6B2 60 | 0x1400da6b3 : mov [rax], ecx *(PULONG32)p_d = rf 61 | 0x1400da6b5 : lea rsp, [rsp-8] 62 | 0x1400da6ba : mov [rsp+90h+var_90], rbx 63 | 0x1400da6be : popfq 64 | 0x1400da6c4 : mov [r8], rdx *(PULONG64)p_a = rdx 65 | 0x1400da6cc : lea r9, [r9+2] 66 | 0x1400da6d6 : mov [rbp+8], r9 67 | 0x1400da6e0 : jmp loc_1400D5C1C 68 | 0x1400d5c1f : mov r9, [rbp+8] 69 | 0x1400d5c2c : mov r8b, [r9] 70 | 0x1400d5c2f : xor r8b, 5Dh 71 | 0x1400d5c33 : jmp loc_1400DABF2 72 | 0x1400dabf4 : mov rdx, 84063C9A3F77C111h 73 | 0x1400dabfe : not rdx 74 | 0x1400dac01 : lea rdx, [r9+rdx] 75 | 0x1400dac05 : mov r9, 7BF9C365C0883EECh 76 | 0x1400dac0f : not r9 77 | 0x1400dac12 : lea r9, [rdx+r9] 78 | 0x1400dac16 : jmp loc_1400D97BF 79 | 0x1400d97c6 : mov [rbp+8], r9 80 | 0x1400d97d0 : movzx r8, r8b 81 | 0x1400d97d4 : sub r8, 1 82 | 0x1400d97d8 : cmp r8, 0C8h 83 | 0x1400d97df : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 84 | -------------------------------------------------------------------------------- /handle_out/0x95.txt: -------------------------------------------------------------------------------- 1
| 0x95 p_a 2 | 3 | 0x805C 4 | 5 | reg = *(PREG)p_a; 6 | retn;//退出虚拟机 7 | 8 | v_ret_iregx 9 | ---------------------------------------- 10 | 11 | 0x1400d8ce0 : mov r9, [rbp+8] 12 | 0x1400d8ce7 : jmp loc_1400DADBD 13 | 0x1400dadc5 : mov r9w, [r9] 14 | 0x1400dadc9 : xor r9w, 805Ch 15 | 0x1400dadcf : jmp loc_1400D7010 16 | 0x1400d7012 : mov r8, 0A65E8D1374E865B2h 17 | 0x1400d701c : not r8 18 | 0x1400d701f : lea r8, [r10+r8] 19 | 0x1400d7023 : movzx r9, r9w 20 | 0x1400d7027 : mov rdx, 59A172EC8B179A4Ch 21 | 0x1400d7031 : jmp loc_1400D6716 22 | 0x1400d6717 : not rdx 23 | 0x1400d671a : add r9, rdx 24 | 0x1400d671d : lea r9, [r8+r9] p_a = r9 25 | 0x1400d6721 : mov r15, 0FFFFFFFFFFFFFFFEh 26 | 0x1400d672b : not r15 27 | 0x1400d672e : rdsspq r15 28 | 0x1400d6733 : jmp loc_1400D5C5F 29 | 0x1400d5c60 : cmp r15, 1 30 | 0x1400d5c64 : jz loc_1400D997F 31 | 0x1400d5c6a : mov r15, 2 32 | 0x1400d5c71 : incsspq r15 33 | 0x1400d5c76 : jmp loc_1400D997F 34 | 0x1400d9981 : mov rax, [r9] 35 | 0x1400d998c : mov rbx, [r9+8] 36 | 0x1400d9993 : mov rcx, [r9+10h] 37 | 0x1400d99a3 : jmp loc_1400D9A06 38 | 0x1400d9a07 : mov rdx, [r9+18h] 39 | 0x1400d9a14 : mov rbp, [r9+28h] 40 | 0x1400d9a18 : mov rsi, [r9+30h] 41 | 0x1400d9a1c : mov rdi, [r9+38h] 42 | 0x1400d9a23 : mov r8, [r9+40h] 43 | 0x1400d9a33 : jmp loc_1400D8738 44 | 0x1400d873a : mov r10, [r9+50h] 45 | 0x1400d8749 : mov r11, [r9+58h] 46 | 0x1400d8755 : mov r12, [r9+60h] 47 | 0x1400d8759 : mov r13, [r9+68h] 48 | 0x1400d875d : mov r14, [r9+70h] 49 | 0x1400d8761 : mov r15, [r9+78h] 50 | 0x1400d8765 : push qword ptr [r9+80h] 51 | 0x1400d876c : popfq 52 | 0x1400d876d : push qword ptr [r9+20h] 53 | 0x1400d8771 : jmp loc_1400D742E 54 | 0x1400d7430 : mov r9, [r9+48h] 55 | 0x1400d7434 : mov rsp, [rsp+90h+var_90] 56 | 0x1400d7438 : retn 57 | -------------------------------------------------------------------------------- /handle_out/0x9a.txt: -------------------------------------------------------------------------------- 1 | 0x9a 0x9b 0x98 0x99 
0x9c 0x9d 0xe2 0xe3 0xe0 0xe1 0xe6 0xe7 0xe4 0xeb 0xec 0xed 0xf2 0xf3 0xf0 0xf1 0xf6 0xf7 0xf5 0xfa 0xfb 0xf9 0xfe 0xff 0xc2 0xc0 0xc1 0xc6 0xc7 0xc4 0xc5 0xc8 0xce 0xcf 0xcc 0xcd 0xdb 0xd8 0xde 0xdf 0xdc 0xdd 0x23 0x26 0x27 0x24 0x2a 0x28 0x2e 0x2c 0x2d 0x32 0x33 0x30 0x31 0x36 0x37 0x34 0x35 0x3a 0x3b 0x38 0x39 0x3e 0x3f 0x3d 0x2 0x3 0x0 0x7 0x4 0x5 0xa 0xb 0x8 0xe 0xf 0xd 0x12 0x13 0x10 0x17 0x14 0x15 0x1a 0x1b 0x18 0x1e 0x1f 0x1c 0x63 0x61 0x66 0x67 0x64 0x6b 0x69 0x6f 0x6c 0x71 0x76 0x77 0x74 0x7b 0x79 0x7e 0x7f 0x7c 0x53 0x50 0x55 0x5b 0x58 0x59 0x5e 0x5f 0x5c 2 | 3 | 4 | v_int3 5 | ---------------------------------------- 6 | 7 | 0x1400d9954 : int 3; Trap to Debugger 8 | -------------------------------------------------------------------------------- /handle_out/0x9e.txt: -------------------------------------------------------------------------------- 1 | 0x9e p_a 2 | 3 | 0x0AD7 4 | 5 | reg = *(PREG)p_a;//不恢复rsp 6 | rsp = [rsp]; 7 | jmp r11;//也许等会要回虚拟机 8 | 9 | v_jmp_iregxR11 10 | ---------------------------------------- 11 | 12 | 0x1400d8e8c : mov r9, [rbp+8] 13 | 0x1400d8e99 : jmp loc_1400DB050 14 | 0x1400db052 : mov r9w, [r9] 15 | 0x1400db056 : xor r9w, 0AD7h 16 | 0x1400db05c : mov r8, 0C508DD48167151E8h 17 | 0x1400db066 : not r8 18 | 0x1400db069 : lea r8, [r10+r8] 19 | 0x1400db06d : movzx r9, r9w 20 | 0x1400db071 : jmp loc_1400D80EE 21 | 0x1400d80ef : mov rdx, 3AF722B7E98EAE16h 22 | 0x1400d80f9 : not rdx 23 | 0x1400d80fc : add r9, rdx 24 | 0x1400d80ff : lea r9, [r8+r9] p_a = r9 25 | 0x1400d8103 : mov r15, 0FFFFFFFFFFFFFFFEh 26 | 0x1400d810d : jmp loc_1400D862D 27 | 0x1400d862e : not r15 28 | 0x1400d8631 : rdsspq r15 29 | 0x1400d8636 : cmp r15, 1 30 | 0x1400d863a : jz loc_1400D6090 31 | 0x1400d8640 : mov r15, 2 32 | 0x1400d8647 : incsspq r15 33 | 0x1400d864c : jmp loc_1400D6090 34 | 0x1400d6092 : mov rax, [r9] 35 | 0x1400d609d : mov rbx, [r9+8] 36 | 0x1400d60a3 : mov rcx, [r9+10h] 37 | 0x1400d60b2 : mov rdx, [r9+18h] 38 | 0x1400d60b6 : jmp loc_1400D5E3E 39 
| 0x1400d5e48 : mov rbp, [r9+28h] 40 | 0x1400d5e4c : mov rsi, [r9+30h] 41 | 0x1400d5e50 : mov rdi, [r9+38h] 42 | 0x1400d5e57 : mov r8, [r9+40h] 43 | 0x1400d5e67 : jmp loc_1400D7F89 44 | 0x1400d7f8b : mov r10, [r9+50h] 45 | 0x1400d7f9b : mov r11, [r9+58h] 46 | 0x1400d7fa8 : mov r12, [r9+60h] 47 | 0x1400d7fac : jmp loc_1400D9A96 48 | 0x1400d9a98 : mov r13, [r9+68h] 49 | 0x1400d9a9c : mov r14, [r9+70h] 50 | 0x1400d9aa0 : mov r15, [r9+78h] 51 | 0x1400d9aa4 : push qword ptr [r9+80h] 52 | 0x1400d9aab : popfq 53 | 0x1400d9aac : push qword ptr [r9+20h] 54 | 0x1400d9ab0 : mov r9, [r9+48h] 55 | 0x1400d9ab4 : mov rsp, [rsp+90h+var_90] 56 | 0x1400d9ab8 : jmp r11 57 | -------------------------------------------------------------------------------- /handle_out/0x9f.txt: -------------------------------------------------------------------------------- 1 | 0x9f p_a 2 | 3 | 0x2E72 4 | 5 | reg = *(PREG)p_a;//不恢复rsp 6 | rsp = [rsp]; 7 | jmp r10;//也许等会要回虚拟机 8 | 9 | v_jmp_iregxR10 10 | ---------------------------------------- 11 | 12 | 0x1400da10f : mov r9, [rbp+8] 13 | 0x1400da116 : jmp loc_1400DA4FC 14 | 0x1400da504 : mov r9w, [r9] 15 | 0x1400da508 : xor r9w, 2E72h 16 | 0x1400da50e : jmp loc_1400D769F 17 | 0x1400d76a0 : mov r8, 2C98B28063A134FFh 18 | 0x1400d76aa : not r8 19 | 0x1400d76ad : lea r8, [r10+r8] 20 | 0x1400d76b1 : movzx r9, r9w 21 | 0x1400d76b5 : mov rdx, 0D3674D7F9C5ECAFFh 22 | 0x1400d76bf : not rdx 23 | 0x1400d76c2 : jmp loc_1400D67F7 24 | 0x1400d67f8 : add r9, rdx 25 | 0x1400d67fb : lea r9, [r8+r9] p_a = r9 26 | 0x1400d67ff : mov r15, 0FFFFFFFFFFFFFFFEh 27 | 0x1400d6809 : not r15 28 | 0x1400d680c : rdsspq r15 29 | 0x1400d6811 : cmp r15, 1 30 | 0x1400d6815 : jz loc_1400DACAB 31 | 0x1400d681b : jmp loc_1400D7FE4 32 | 0x1400d7fe5 : mov r15, 2 33 | 0x1400d7fec : incsspq r15 34 | 0x1400d7ff1 : jmp loc_1400DACAB 35 | 0x1400dacad : mov rax, [r9] 36 | 0x1400dacb8 : mov rbx, [r9+8] 37 | 0x1400dacbf : mov rcx, [r9+10h] 38 | 0x1400dacc6 : jmp loc_1400D9F49 39 | 0x1400d9f54 : mov 
rdx, [r9+18h] 40 | 0x1400d9f61 : mov rbp, [r9+28h] 41 | 0x1400d9f65 : mov rsi, [r9+30h] 42 | 0x1400d9f69 : mov rdi, [r9+38h] 43 | 0x1400d9f70 : mov r8, [r9+40h] 44 | 0x1400d9f7f : jmp loc_1400D6451 45 | 0x1400d6453 : mov r10, [r9+50h] 46 | 0x1400d6462 : mov r11, [r9+58h] 47 | 0x1400d646f : mov r12, [r9+60h] 48 | 0x1400d6473 : mov r13, [r9+68h] 49 | 0x1400d6477 : mov r14, [r9+70h] 50 | 0x1400d647b : mov r15, [r9+78h] 51 | 0x1400d647f : push qword ptr [r9+80h] 52 | 0x1400d6486 : popfq 53 | 0x1400d6487 : push qword ptr [r9+20h] 54 | 0x1400d648b : jmp loc_1400DAF54 55 | 0x1400daf56 : mov r9, [r9+48h] 56 | 0x1400daf5a : mov rsp, [rsp+90h+var_90] 57 | 0x1400daf5e : jmp r10 58 | -------------------------------------------------------------------------------- /handle_out/0xc.txt: -------------------------------------------------------------------------------- 1 | 0xc p_a p_b p_c p_d 2 | 3 | 0x62D7 4 | 5 | *(PUCHAR)p_a = *(PUCHAR)p_b >> *(PUCHAR)p_c; 6 | *(PULONG32)p_d = rf; 7 | 8 | v_shr_oregb_iregb_iregb_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400dab21 : mov r9, [rbp+8] 12 | 0x1400dab2e : mov r8w, [r9] 13 | 0x1400dab32 : xor r8w, 62D7h 14 | 0x1400dab38 : mov rdx, 963F021A8B5DA3E9h 15 | 0x1400dab42 : not rdx 16 | 0x1400dab45 : lea rdx, [r10+rdx] 17 | 0x1400dab49 : movzx r8, r8w 18 | 0x1400dab4d : mov rcx, 69C0FDE574A25C15h 19 | 0x1400dab57 : not rcx 20 | 0x1400dab5a : jmp loc_1400D85C2 21 | 0x1400d85c3 : add r8, rcx 22 | 0x1400d85c6 : lea r8, [rdx+r8] p_a = r8 23 | 0x1400d85ca : lea r9, [r9+2] 24 | 0x1400d85ce : mov dx, [r9] 25 | 0x1400d85d2 : xor dx, 62D7h 26 | 0x1400d85d7 : movzx rdx, dx 27 | 0x1400d85db : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400d85df : mov dl, [rdx] dl = *(PUCHAR)p_b 29 | 0x1400d85e1 : lea r9, [r9+2] 30 | 0x1400d85e5 : mov cx, [r9] 31 | 0x1400d85e9 : xor cx, 62D7h 32 | 0x1400d85ee : mov rax, 1F1FBCA8CC70A357h 33 | 0x1400d85f8 : not rax 34 | 0x1400d85fb : lea rax, [r10+rax] 35 | 0x1400d85ff : movzx rcx, cx 36 | 0x1400d8603 : mov 
rbx, 0E0E04357338F5CA7h 37 | 0x1400d860d : not rbx 38 | 0x1400d8610 : add rcx, rbx 39 | 0x1400d8613 : lea rcx, [rax+rcx] p_c = rcx 40 | 0x1400d8617 : jmp loc_1400D7DC7 41 | 0x1400d7dc8 : mov cl, [rcx] cl = *(PUCHAR)p_c 42 | 0x1400d7dca : lea r9, [r9+2] 43 | 0x1400d7dce : mov ax, [r9] 44 | 0x1400d7dd2 : xor ax, 62D7h 45 | 0x1400d7dd6 : movzx rax, ax 46 | 0x1400d7dda : lea rax, [r10+rax] p_d = rax 47 | 0x1400d7dde : pushfq 48 | 0x1400d7ddf : mov rbx, [rsp+90h+var_90] 49 | 0x1400d7de3 : lea rsp, [rsp+8] 50 | 0x1400d7de8 : mov esi, [rax] rf 51 | 0x1400d7dea : mov esi, esi 52 | 0x1400d7dec : lea rsp, [rsp-8] 53 | 0x1400d7df1 : mov [rsp+90h+var_90], rsi 54 | 0x1400d7df5 : popfq 55 | 0x1400d7df6 : shr dl, cl dl = dl >> cl 56 | 0x1400d7df8 : jmp loc_1400DAB71 57 | 0x1400dab73 : pushfq 58 | 0x1400dab74 : mov rcx, [rsp+90h+var_90] 59 | 0x1400dab78 : lea rsp, [rsp+8] 60 | 0x1400dab7d : mov [rax], ecx *(PULONG32)p_d = rf 61 | 0x1400dab7f : lea rsp, [rsp-8] 62 | 0x1400dab84 : mov [rsp+90h+var_90], rbx 63 | 0x1400dab88 : popfq 64 | 0x1400dab89 : mov [r8], dl *(PUCHAR)p_a = dl 65 | 0x1400dab8c : lea r9, [r9+2] 66 | 0x1400dab96 : mov [rbp+8], r9 67 | 0x1400dab9d : jmp loc_1400DAE8D 68 | 0x1400dae92 : jmp loc_1400D5C1C 69 | 0x1400d5c1f : mov r9, [rbp+8] 70 | 0x1400d5c2c : mov r8b, [r9] 71 | 0x1400d5c2f : xor r8b, 5Dh 72 | 0x1400d5c33 : jmp loc_1400DABF2 73 | 0x1400dabf4 : mov rdx, 84063C9A3F77C111h 74 | 0x1400dabfe : not rdx 75 | 0x1400dac01 : lea rdx, [r9+rdx] 76 | 0x1400dac05 : mov r9, 7BF9C365C0883EECh 77 | 0x1400dac0f : not r9 78 | 0x1400dac12 : lea r9, [rdx+r9] 79 | 0x1400dac16 : jmp loc_1400D97BF 80 | 0x1400d97c6 : mov [rbp+8], r9 81 | 0x1400d97d0 : movzx r8, r8b 82 | 0x1400d97d4 : sub r8, 1 83 | 0x1400d97d8 : cmp r8, 0C8h 84 | 0x1400d97df : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 
1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 85 | -------------------------------------------------------------------------------- /handle_out/0xc3.txt: -------------------------------------------------------------------------------- 1 | 0xc3 p_a p_b p_c 2 | 3 | 0x467C 4 | 5 | *(PULONG32)p_a = *(PULONG32)p_b - 1; //dec 6 | *(PULONG32)p_c = rf; 7 | 8 | v_dec_oregl_iregl_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d64af : mov r9, [rbp+8] 12 | 0x1400d64bc : mov r8w, [r9] 13 | 0x1400d64c0 : xor r8w, 467Ch 14 | 0x1400d64c6 : mov rdx, 7BA07772F348E9D4h 15 | 0x1400d64d0 : not rdx 16 | 0x1400d64d3 : lea rdx, [r10+rdx] 17 | 0x1400d64d7 : jmp loc_1400DA9CD 18 | 0x1400da9ce : movzx r8, r8w 19 | 0x1400da9d2 : mov rcx, 845F888D0CB7162Ah 20 | 0x1400da9dc : not rcx 21 | 0x1400da9df : add r8, rcx 22 | 0x1400da9e2 : lea r8, [rdx+r8] p_a = r8 23 | 0x1400da9e6 : lea r9, [r9+2] 24 | 0x1400da9ea : mov dx, [r9] 25 | 0x1400da9ee : xor dx, 467Ch 26 | 0x1400da9f3 : movzx rdx, dx 27 | 0x1400da9f7 : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400da9fb : mov edx, [rdx] edx = *(PULONG32)p_b 29 | 0x1400da9fd : lea r9, [r9+2] 30 | 0x1400daa01 : mov cx, [r9] 31 | 0x1400daa05 : xor cx, 467Ch 32 | 0x1400daa0a : mov rax, 9B7542B50DBD5EECh 33 | 0x1400daa14 : not rax 34 | 0x1400daa17 : lea rax, [r10+rax] 35 | 0x1400daa1b : jmp loc_1400DA03A 36 | 0x1400da03b : movzx rcx, cx 37 | 0x1400da03f : mov rbx, 648ABD4AF242A112h 38 | 0x1400da049 : not rbx 39 | 0x1400da04c : add rcx, rbx 40 | 0x1400da04f : lea rcx, [rax+rcx] p_c = rcx 41 | 0x1400da053 : pushfq 42 | 0x1400da054 : mov rax, [rsp+90h+var_90] 43 | 0x1400da058 : lea rsp, [rsp+8] 44 | 0x1400da05d : mov ebx, [rcx] rf 45 | 0x1400da05f : mov ebx, ebx 46 | 0x1400da061 : lea rsp, [rsp-8] 47 | 0x1400da066 : mov [rsp+90h+var_90], rbx 48 | 0x1400da06a : popfq 49 | 0x1400da06b : dec edx edx = 
edx - 1 50 | 0x1400da06d : pushfq 51 | 0x1400da06e : mov rbx, [rsp+90h+var_90] 52 | 0x1400da072 : jmp loc_1400D9ED3 53 | 0x1400d9ed5 : lea rsp, [rsp+8] 54 | 0x1400d9eda : mov [rcx], ebx *(PULONG32)p_c = rf 55 | 0x1400d9edc : lea rsp, [rsp-8] 56 | 0x1400d9ee1 : mov [rsp+90h+var_90], rax 57 | 0x1400d9ee5 : popfq 58 | 0x1400d9ee6 : mov [r8], edx *(PULONG32)p_a = edx 59 | 0x1400d9ee9 : lea r9, [r9+2] 60 | 0x1400d9ef3 : mov [rbp+8], r9 61 | 0x1400d9efd : jmp loc_1400D8FEC 62 | 0x1400d8fef : mov r9, [rbp+8] 63 | 0x1400d8ffc : mov r8b, [r9] 64 | 0x1400d8fff : xor r8b, 5Dh 65 | 0x1400d9003 : jmp loc_1400D6A7C 66 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 67 | 0x1400d6a87 : not rdx 68 | 0x1400d6a8a : lea rdx, [r9+rdx] 69 | 0x1400d6a8e : mov r9, 0FC30FF09BAE0574Dh 70 | 0x1400d6a98 : not r9 71 | 0x1400d6a9b : lea r9, [rdx+r9] 72 | 0x1400d6aa5 : mov [rbp+8], r9 73 | 0x1400d6aa9 : jmp loc_1400DB1EB 74 | 0x1400db1f3 : movzx r8, r8b 75 | 0x1400db1f7 : sub r8, 1 76 | 0x1400db1fb : cmp r8, 0C8h 77 | 0x1400db202 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 78 | -------------------------------------------------------------------------------- /handle_out/0xc9.txt: -------------------------------------------------------------------------------- 1 | 0xc9 p_a p_b p_c 2 | 3 | 0x4267 4 | 5 | *(PUCHAR)p_a = *(PUCHAR)p_b + 1;//inc 6 | *(PULONG32)p_c = rf; 7 | 8 | v_inc_oregb_iregb_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d8563 : mov r9, [rbp+8] 12 | 0x1400d856f : mov r8w, [r9] 13 | 0x1400d8573 : xor r8w, 4267h 14 | 0x1400d8579 : mov rdx, 1DCDC9CA04315A67h 15 | 0x1400d8583 : not rdx 16 | 0x1400d8586 : lea rdx, [r10+rdx] 17 | 0x1400d858a : movzx r8, r8w 18 | 0x1400d858e : mov rcx, 0E2323635FBCEA597h 19 | 0x1400d8598 : not rcx 20 | 0x1400d859b : add 
r8, rcx 21 | 0x1400d859e : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d85a2 : lea r9, [r9+2] 23 | 0x1400d85a6 : mov dx, [r9] 24 | 0x1400d85aa : xor dx, 4267h 25 | 0x1400d85af : jmp loc_1400D68BB 26 | 0x1400d68bd : movzx rdx, dx 27 | 0x1400d68c1 : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400d68c5 : mov dl, [rdx] dl = *(PUCHAR)p_b 29 | 0x1400d68c7 : lea r9, [r9+2] 30 | 0x1400d68cb : mov cx, [r9] 31 | 0x1400d68cf : xor cx, 4267h 32 | 0x1400d68d4 : mov rax, 0C9155EE057BD11h 33 | 0x1400d68de : not rax 34 | 0x1400d68e1 : lea rax, [r10+rax] 35 | 0x1400d68e5 : movzx rcx, cx 36 | 0x1400d68e9 : mov rbx, 0FF36EAA11FA842EDh 37 | 0x1400d68f3 : not rbx 38 | 0x1400d68f6 : add rcx, rbx 39 | 0x1400d68f9 : lea rcx, [rax+rcx] p_c = rcx 40 | 0x1400d68fd : pushfq 41 | 0x1400d68fe : jmp loc_1400DA51F 42 | 0x1400da520 : mov rax, [rsp+90h+var_90] 43 | 0x1400da524 : lea rsp, [rsp+8] 44 | 0x1400da529 : mov ebx, [rcx] rf 45 | 0x1400da52b : mov ebx, ebx 46 | 0x1400da52d : lea rsp, [rsp-8] 47 | 0x1400da532 : mov [rsp+90h+var_90], rbx 48 | 0x1400da536 : popfq 49 | 0x1400da537 : inc dl dl = dl +1 50 | 0x1400da539 : pushfq 51 | 0x1400da53a : mov rbx, [rsp+90h+var_90] 52 | 0x1400da53e : lea rsp, [rsp+8] 53 | 0x1400da543 : mov [rcx], ebx *(PULONG32)p_c = rf 54 | 0x1400da545 : lea rsp, [rsp-8] 55 | 0x1400da54a : mov [rsp+90h+var_90], rax 56 | 0x1400da54e : popfq 57 | 0x1400da54f : mov [r8], dl *(PUCHAR)p_a = dl 58 | 0x1400da552 : lea r9, [r9+2] 59 | 0x1400da55c : mov [rbp+8], r9 60 | 0x1400da563 : jmp loc_1400DAB00 61 | 0x1400dab04 : jmp loc_1400D5C1C 62 | 0x1400d5c1f : mov r9, [rbp+8] 63 | 0x1400d5c2c : mov r8b, [r9] 64 | 0x1400d5c2f : xor r8b, 5Dh 65 | 0x1400d5c33 : jmp loc_1400DABF2 66 | 0x1400dabf4 : mov rdx, 84063C9A3F77C111h 67 | 0x1400dabfe : not rdx 68 | 0x1400dac01 : lea rdx, [r9+rdx] 69 | 0x1400dac05 : mov r9, 7BF9C365C0883EECh 70 | 0x1400dac0f : not r9 71 | 0x1400dac12 : lea r9, [rdx+r9] 72 | 0x1400dac16 : jmp loc_1400D97BF 73 | 0x1400d97c6 : mov [rbp+8], r9 74 | 0x1400d97d0 : movzx r8, r8b 75 | 
0x1400d97d4 : sub r8, 1 76 | 0x1400d97d8 : cmp r8, 0C8h 77 | 0x1400d97df : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 78 | -------------------------------------------------------------------------------- /handle_out/0xca.txt: -------------------------------------------------------------------------------- 1 | 0xca p_a p_b p_c 2 | 3 | 0x6EE0 4 | 5 | *(PULONG64)p_a = *(PULONG64)p_b + 1;//inc 6 | *(PULONG32)p_c = rf; 7 | 8 | v_inc_oregll_iregll_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d916c : mov r9, [rbp+8] 12 | 0x1400d9179 : mov r8w, [r9] 13 | 0x1400d917d : xor r8w, 6EE0h 14 | 0x1400d9183 : mov rdx, 18BFF0AF5C3BA9FEh 15 | 0x1400d918d : not rdx 16 | 0x1400d9190 : lea rdx, [r10+rdx] 17 | 0x1400d9194 : movzx r8, r8w 18 | 0x1400d9198 : mov rcx, 0E7400F50A3C45600h 19 | 0x1400d91a2 : not rcx 20 | 0x1400d91a5 : add r8, rcx 21 | 0x1400d91a8 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d91ac : lea r9, [r9+2] 23 | 0x1400d91b0 : mov dx, [r9] 24 | 0x1400d91b4 : xor dx, 6EE0h 25 | 0x1400d91b9 : movzx rdx, dx 26 | 0x1400d91bd : lea rdx, [r10+rdx] p_b = rdx 27 | 0x1400d91c1 : jmp loc_1400D961A 28 | 0x1400d961c : mov rdx, [rdx] rdx = *(PULONG64)p_b 29 | 0x1400d961f : lea r9, [r9+2] 30 | 0x1400d9623 : mov cx, [r9] 31 | 0x1400d9627 : xor cx, 6EE0h 32 | 0x1400d962c : mov rax, 8B75081BBE0907F7h 33 | 0x1400d9636 : not rax 34 | 0x1400d9639 : lea rax, [r10+rax] 35 | 0x1400d963d : movzx rcx, cx 36 | 0x1400d9641 : mov rbx, 748AF7E441F6F807h 37 | 0x1400d964b : not rbx 38 | 0x1400d964e : add rcx, rbx 39 | 0x1400d9651 : lea rcx, [rax+rcx] p_c = rcx 40 | 0x1400d9655 : pushfq 41 | 0x1400d9656 : mov rax, [rsp+90h+var_90] 42 | 0x1400d965a : lea rsp, [rsp+8] 43 | 0x1400d965f : mov ebx, [rcx] rf 44 | 0x1400d9661 : jmp loc_1400D8AEC 45 | 0x1400d8aee : mov ebx, 
ebx 46 | 0x1400d8af0 : lea rsp, [rsp-8] 47 | 0x1400d8af5 : mov [rsp+90h+var_90], rbx 48 | 0x1400d8af9 : popfq 49 | 0x1400d8afa : inc rdx rdx = rdx + 1 50 | 0x1400d8afd : pushfq 51 | 0x1400d8afe : mov rbx, [rsp+90h+var_90] 52 | 0x1400d8b02 : lea rsp, [rsp+8] 53 | 0x1400d8b07 : mov [rcx], ebx *(PULONG32)p_c = rf 54 | 0x1400d8b09 : lea rsp, [rsp-8] 55 | 0x1400d8b0e : mov [rsp+90h+var_90], rax 56 | 0x1400d8b12 : popfq 57 | 0x1400d8b19 : mov [r8], rdx *(PULONG64)p_a = rdx 58 | 0x1400d8b22 : lea r9, [r9+2] 59 | 0x1400d8b2c : mov [rbp+8], r9 60 | 0x1400d8b33 : jmp loc_1400D60D3 61 | 0x1400d60d7 : jmp loc_1400D8FEC 62 | 0x1400d8fef : mov r9, [rbp+8] 63 | 0x1400d8ffc : mov r8b, [r9] 64 | 0x1400d8fff : xor r8b, 5Dh 65 | 0x1400d9003 : jmp loc_1400D6A7C 66 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 67 | 0x1400d6a87 : not rdx 68 | 0x1400d6a8a : lea rdx, [r9+rdx] 69 | 0x1400d6a8e : mov r9, 0FC30FF09BAE0574Dh 70 | 0x1400d6a98 : not r9 71 | 0x1400d6a9b : lea r9, [rdx+r9] 72 | 0x1400d6aa5 : mov [rbp+8], r9 73 | 0x1400d6aa9 : jmp loc_1400DB1EB 74 | 0x1400db1f3 : movzx r8, r8b 75 | 0x1400db1f7 : sub r8, 1 76 | 0x1400db1fb : cmp r8, 0C8h 77 | 0x1400db202 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 78 | -------------------------------------------------------------------------------- /handle_out/0xcb.txt: -------------------------------------------------------------------------------- 1 | 0xcb p_a p_b p_c 2 | 3 | 0x7FB4 4 | 5 | *(PULONG32)p_a = *(PULONG32)p_b + 1;//inc 6 | *(PULONG32)p_c = rf; 7 | 8 | v_inc_oregl_iregl_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d624f : mov r9, [rbp+8] 12 | 0x1400d625c : mov r8w, [r9] 13 | 0x1400d6260 : xor r8w, 7FB4h 14 | 0x1400d6266 : mov rdx, 0AB4694D336709D8Bh 15 | 0x1400d6270 : not rdx 16 | 0x1400d6273 : lea 
rdx, [r10+rdx] 17 | 0x1400d6277 : movzx r8, r8w 18 | 0x1400d627b : mov rcx, 54B96B2CC98F6273h 19 | 0x1400d6285 : jmp loc_1400DB275 20 | 0x1400db276 : not rcx 21 | 0x1400db279 : add r8, rcx 22 | 0x1400db27c : lea r8, [rdx+r8] p_a = r8 23 | 0x1400db280 : lea r9, [r9+2] 24 | 0x1400db284 : mov dx, [r9] 25 | 0x1400db288 : xor dx, 7FB4h 26 | 0x1400db28d : movzx rdx, dx 27 | 0x1400db291 : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400db295 : mov edx, [rdx] edx = *(PULONG32)p_b 29 | 0x1400db297 : lea r9, [r9+2] 30 | 0x1400db29b : mov cx, [r9] 31 | 0x1400db29f : xor cx, 7FB4h 32 | 0x1400db2a4 : mov rax, 702C1C88A9F0BCE6h 33 | 0x1400db2ae : not rax 34 | 0x1400db2b1 : lea rax, [r10+rax] 35 | 0x1400db2b5 : movzx rcx, cx 36 | 0x1400db2b9 : mov rbx, 8FD3E377560F4318h 37 | 0x1400db2c3 : not rbx 38 | 0x1400db2c6 : add rcx, rbx 39 | 0x1400db2c9 : lea rcx, [rax+rcx] p_c = rcx 40 | 0x1400db2cd : jmp loc_1400D70A5 41 | 0x1400d70a7 : pushfq 42 | 0x1400d70a8 : mov rax, [rsp+90h+var_90] 43 | 0x1400d70ac : lea rsp, [rsp+8] 44 | 0x1400d70b1 : mov ebx, [rcx] rf 45 | 0x1400d70b3 : mov ebx, ebx 46 | 0x1400d70b5 : lea rsp, [rsp-8] 47 | 0x1400d70ba : mov [rsp+90h+var_90], rbx 48 | 0x1400d70be : popfq 49 | 0x1400d70bf : inc edx edx = edx + 1 50 | 0x1400d70c1 : pushfq 51 | 0x1400d70c2 : mov rbx, [rsp+90h+var_90] 52 | 0x1400d70c6 : lea rsp, [rsp+8] 53 | 0x1400d70cb : mov [rcx], ebx *(PULONG32)p_c = rf 54 | 0x1400d70cd : lea rsp, [rsp-8] 55 | 0x1400d70d2 : mov [rsp+90h+var_90], rax 56 | 0x1400d70d6 : jmp loc_1400DA274 57 | 0x1400da276 : popfq 58 | 0x1400da277 : mov [r8], edx *(PULONG32)p_a = edx 59 | 0x1400da27a : lea r9, [r9+2] 60 | 0x1400da284 : mov [rbp+8], r9 61 | 0x1400da28e : jmp loc_1400D8FEC 62 | 0x1400d8fef : mov r9, [rbp+8] 63 | 0x1400d8ffc : mov r8b, [r9] 64 | 0x1400d8fff : xor r8b, 5Dh 65 | 0x1400d9003 : jmp loc_1400D6A7C 66 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 67 | 0x1400d6a87 : not rdx 68 | 0x1400d6a8a : lea rdx, [r9+rdx] 69 | 0x1400d6a8e : mov r9, 0FC30FF09BAE0574Dh 70 | 0x1400d6a98 : 
not r9 71 | 0x1400d6a9b : lea r9, [rdx+r9] 72 | 0x1400d6aa5 : mov [rbp+8], r9 73 | 0x1400d6aa9 : jmp loc_1400DB1EB 74 | 0x1400db1f3 : movzx r8, r8b 75 | 0x1400db1f7 : sub r8, 1 76 | 0x1400db1fb : cmp r8, 0C8h 77 | 0x1400db202 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 78 | -------------------------------------------------------------------------------- /handle_out/0xd0.txt: -------------------------------------------------------------------------------- 1 | 0xd0 p_a p_b p_c 2 | 3 | 0x0499 4 | 5 | *(PUSHORT)p_a & *(PUSHORT)p_b;//无输出 6 | *(PULONG32)p_c = rf; 7 | 8 | v_test_iregw_iregw_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400da35a : mov r9, [rbp+8] 12 | 0x1400da367 : mov r8w, [r9] 13 | 0x1400da36b : xor r8w, 499h 14 | 0x1400da371 : mov rdx, 740EE29BB2F39201h 15 | 0x1400da37b : not rdx 16 | 0x1400da37e : lea rdx, [r10+rdx] 17 | 0x1400da382 : movzx r8, r8w 18 | 0x1400da386 : mov rcx, 8BF11D644D0C6DFDh 19 | 0x1400da390 : not rcx 20 | 0x1400da393 : add r8, rcx 21 | 0x1400da396 : jmp loc_1400D669C 22 | 0x1400d669e : lea r8, [rdx+r8] p_a = r8 23 | 0x1400d66a2 : mov r8w, [r8] r8w = *(PUSHORT)p_a 24 | 0x1400d66a6 : lea r9, [r9+2] 25 | 0x1400d66aa : mov dx, [r9] 26 | 0x1400d66ae : xor dx, 499h 27 | 0x1400d66b3 : movzx rdx, dx 28 | 0x1400d66b7 : lea rdx, [r10+rdx] p_b = rdx 29 | 0x1400d66bb : mov dx, [rdx] dx = *(PUSHORT)p_b 30 | 0x1400d66be : lea r9, [r9+2] 31 | 0x1400d66c2 : mov cx, [r9] 32 | 0x1400d66c6 : xor cx, 499h 33 | 0x1400d66cb : mov rax, 360AFF9891DBA8ECh 34 | 0x1400d66d5 : not rax 35 | 0x1400d66d8 : lea rax, [r10+rax] 36 | 0x1400d66dc : movzx rcx, cx 37 | 0x1400d66e0 : mov rbx, 0C9F500676E245712h 38 | 0x1400d66ea : jmp loc_1400D9699 39 | 0x1400d969b : not rbx 40 | 0x1400d969e : add rcx, rbx 41 | 0x1400d96a1 : lea rcx, 
[rax+rcx] p_c = rcx 42 | 0x1400d96a5 : pushfq 43 | 0x1400d96a6 : mov rax, [rsp+90h+var_90] 44 | 0x1400d96aa : lea rsp, [rsp+8] 45 | 0x1400d96af : mov ebx, [rcx] rf 46 | 0x1400d96b1 : mov ebx, ebx 47 | 0x1400d96b3 : lea rsp, [rsp-8] 48 | 0x1400d96b8 : mov [rsp+90h+var_90], rbx 49 | 0x1400d96bc : popfq 50 | 0x1400d96bd : and r8w, dx r8w = r8w & dx 51 | 0x1400d96c1 : pushfq 52 | 0x1400d96c2 : mov r8, [rsp+90h+var_90] 53 | 0x1400d96c6 : lea rsp, [rsp+8] 54 | 0x1400d96cb : mov [rcx], r8d *(PULONG32)p_c = rf 55 | 0x1400d96ce : lea rsp, [rsp-8] 56 | 0x1400d96d3 : mov [rsp+90h+var_90], rax 57 | 0x1400d96d7 : popfq 58 | 0x1400d96d8 : jmp loc_1400D9F97 59 | 0x1400d9f99 : lea r9, [r9+2] 60 | 0x1400d9fa3 : mov [rbp+8], r9 61 | 0x1400d9fad : jmp loc_1400D7232 62 | 0x1400d7234 : mov r9, [rbp+8] 63 | 0x1400d7240 : jmp loc_1400D99D9 64 | 0x1400d99db : mov r8b, [r9] 65 | 0x1400d99de : xor r8b, 5Dh 66 | 0x1400d99e2 : mov rdx, 25E9ECA9BDE22AEAh 67 | 0x1400d99ec : not rdx 68 | 0x1400d99ef : lea rdx, [r9+rdx] 69 | 0x1400d99f3 : jmp loc_1400D86A6 70 | 0x1400d86a8 : mov r9, 0DA161356421DD513h 71 | 0x1400d86b2 : not r9 72 | 0x1400d86b5 : lea r9, [rdx+r9] 73 | 0x1400d86bf : mov [rbp+8], r9 74 | 0x1400d86c9 : movzx r8, r8b 75 | 0x1400d86cd : sub r8, 1 76 | 0x1400d86d1 : jmp loc_1400D7E10 77 | 0x1400d7e11 : cmp r8, 0C8h 78 | 0x1400d7e18 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 79 | -------------------------------------------------------------------------------- /handle_out/0xd1.txt: -------------------------------------------------------------------------------- 1 | 0xd1 p_a p_b p_c 2 | 3 | 0x2A99 4 | 5 | *(PUCHAR)p_a & *(PUCHAR)p_b;//无输出 6 | *(PULONG32)p_c = rf; 7 | 8 | v_test_iregb_iregb_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d84d3 : mov 
r9, [rbp+8] 12 | 0x1400d84e0 : mov r8w, [r9] 13 | 0x1400d84e4 : xor r8w, 2A99h 14 | 0x1400d84ea : mov rdx, 443E5C894E6E4C8h 15 | 0x1400d84f4 : not rdx 16 | 0x1400d84f7 : lea rdx, [r10+rdx] 17 | 0x1400d84fb : movzx r8, r8w 18 | 0x1400d84ff : jmp loc_1400D939D 19 | 0x1400d939e : mov rcx, 0FBBC1A376B191B36h 20 | 0x1400d93a8 : not rcx 21 | 0x1400d93ab : add r8, rcx 22 | 0x1400d93ae : lea r8, [rdx+r8] p_a = r8 23 | 0x1400d93b2 : mov r8b, [r8] r8b = *(PUCHAR)p_a 24 | 0x1400d93b5 : lea r9, [r9+2] 25 | 0x1400d93b9 : mov dx, [r9] 26 | 0x1400d93bd : xor dx, 2A99h 27 | 0x1400d93c2 : movzx rdx, dx 28 | 0x1400d93c6 : lea rdx, [r10+rdx] p_b = rdx 29 | 0x1400d93ca : mov dl, [rdx] dl = *(PUCHAR)p_b 30 | 0x1400d93cc : lea r9, [r9+2] 31 | 0x1400d93d0 : mov cx, [r9] 32 | 0x1400d93d4 : xor cx, 2A99h 33 | 0x1400d93d9 : mov rax, 265CA728B2A710FAh 34 | 0x1400d93e3 : not rax 35 | 0x1400d93e6 : lea rax, [r10+rax] 36 | 0x1400d93ea : movzx rcx, cx 37 | 0x1400d93ee : mov rbx, 0D9A358D74D58EF04h 38 | 0x1400d93f8 : not rbx 39 | 0x1400d93fb : add rcx, rbx 40 | 0x1400d93fe : jmp loc_1400DA0D6 41 | 0x1400da0d7 : lea rcx, [rax+rcx] p_c = rcx 42 | 0x1400da0db : pushfq 43 | 0x1400da0dc : mov rax, [rsp+90h+var_90] 44 | 0x1400da0e0 : lea rsp, [rsp+8] 45 | 0x1400da0e5 : mov ebx, [rcx] rf 46 | 0x1400da0e7 : mov ebx, ebx 47 | 0x1400da0e9 : lea rsp, [rsp-8] 48 | 0x1400da0ee : mov [rsp+90h+var_90], rbx 49 | 0x1400da0f2 : popfq 50 | 0x1400da0f3 : and r8b, dl r8b = r8b & dl (8-bit test: result discarded, only rflags kept) 51 | 0x1400da0f6 : pushfq 52 | 0x1400da0f7 : mov r8, [rsp+90h+var_90] 53 | 0x1400da0fb : jmp loc_1400DA1B7 54 | 0x1400da1b8 : lea rsp, [rsp+8] 55 | 0x1400da1bd : mov [rcx], r8d *(PULONG32)p_c = rf 56 | 0x1400da1c0 : lea rsp, [rsp-8] 57 | 0x1400da1c5 : mov [rsp+90h+var_90], rax 58 | 0x1400da1c9 : popfq 59 | 0x1400da1ca : lea r9, [r9+2] 60 | 0x1400da1d4 : mov [rbp+8], r9 61 | 0x1400da1de : jmp loc_1400D7232 62 | 0x1400d7234 : mov r9, [rbp+8] 63 | 0x1400d7240 : jmp loc_1400D99D9 64 | 0x1400d99db : mov r8b, [r9] 65 | 0x1400d99de : xor r8b, 5Dh 
66 | 0x1400d99e2 : mov rdx, 25E9ECA9BDE22AEAh 67 | 0x1400d99ec : not rdx 68 | 0x1400d99ef : lea rdx, [r9+rdx] 69 | 0x1400d99f3 : jmp loc_1400D86A6 70 | 0x1400d86a8 : mov r9, 0DA161356421DD513h 71 | 0x1400d86b2 : not r9 72 | 0x1400d86b5 : lea r9, [rdx+r9] 73 | 0x1400d86bf : mov [rbp+8], r9 74 | 0x1400d86c9 : movzx r8, r8b 75 | 0x1400d86cd : sub r8, 1 76 | 0x1400d86d1 : jmp loc_1400D7E10 77 | 0x1400d7e11 : cmp r8, 0C8h 78 | 0x1400d7e18 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 79 | -------------------------------------------------------------------------------- /handle_out/0xd2.txt: -------------------------------------------------------------------------------- 1 | 0xd2 p_a p_b p_c 2 | 3 | 0x8606 4 | 5 | *(PULONG64)p_a & *(PULONG64)p_b;//无输出 6 | *(PULONG32)p_c = rf; 7 | 8 | v_test_iregll_iregll_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d799b : mov r9, [rbp+8] 12 | 0x1400d79a8 : mov r8w, [r9] 13 | 0x1400d79ac : xor r8w, 8606h 14 | 0x1400d79b2 : mov rdx, 0C87CF59478B0EDE7h 15 | 0x1400d79bc : not rdx 16 | 0x1400d79bf : lea rdx, [r10+rdx] 17 | 0x1400d79c3 : movzx r8, r8w 18 | 0x1400d79c7 : mov rcx, 37830A6B874F1217h 19 | 0x1400d79d1 : not rcx 20 | 0x1400d79d4 : add r8, rcx 21 | 0x1400d79d7 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d79db : mov r8, [r8] r8 = *(PULONG64)p_a 23 | 0x1400d79de : lea r9, [r9+2] 24 | 0x1400d79e2 : mov dx, [r9] 25 | 0x1400d79e6 : xor dx, 8606h 26 | 0x1400d79eb : movzx rdx, dx 27 | 0x1400d79ef : jmp loc_1400D7042 28 | 0x1400d7044 : lea rdx, [r10+rdx] p_b = rdx 29 | 0x1400d7048 : mov rdx, [rdx] rdx = *(PULONG64)p_b 30 | 0x1400d704b : lea r9, [r9+2] 31 | 0x1400d704f : mov cx, [r9] 32 | 0x1400d7053 : xor cx, 8606h 33 | 0x1400d7058 : mov rax, 0D0C051B02449C700h 34 | 0x1400d7062 : not rax 35 | 0x1400d7065 : 
lea rax, [r10+rax] 36 | 0x1400d7069 : movzx rcx, cx 37 | 0x1400d706d : mov rbx, 2F3FAE4FDBB638FEh 38 | 0x1400d7077 : not rbx 39 | 0x1400d707a : add rcx, rbx 40 | 0x1400d707d : lea rcx, [rax+rcx] p_c = rcx 41 | 0x1400d7081 : pushfq 42 | 0x1400d7082 : mov rax, [rsp+90h+var_90] 43 | 0x1400d7086 : lea rsp, [rsp+8] 44 | 0x1400d708b : mov ebx, [rcx] rf 45 | 0x1400d708d : jmp loc_1400D6EC7 46 | 0x1400d6ec9 : mov ebx, ebx 47 | 0x1400d6ecb : lea rsp, [rsp-8] 48 | 0x1400d6ed0 : mov [rsp+90h+var_90], rbx 49 | 0x1400d6ed4 : popfq 50 | 0x1400d6ed5 : and r8, rdx r8 = r8 & rdx 51 | 0x1400d6ed8 : pushfq 52 | 0x1400d6ed9 : mov r8, [rsp+90h+var_90] 53 | 0x1400d6edd : lea rsp, [rsp+8] 54 | 0x1400d6ee2 : mov [rcx], r8d *(PULONG32)p_c = rf 55 | 0x1400d6ee5 : lea rsp, [rsp-8] 56 | 0x1400d6eea : mov [rsp+90h+var_90], rax 57 | 0x1400d6eee : popfq 58 | 0x1400d6eef : lea r9, [r9+2] 59 | 0x1400d6ef9 : mov [rbp+8], r9 60 | 0x1400d6f03 : jmp loc_1400D60CC 61 | 0x1400d60ce : jmp loc_1400DAC79 62 | 0x1400dac7c : mov r9, [rbp+8] 63 | 0x1400dac89 : mov r8b, [r9] 64 | 0x1400dac8c : xor r8b, 5Dh 65 | 0x1400dac90 : mov rdx, 0D3676A56DAFF3C65h 66 | 0x1400dac9a : jmp loc_1400D7763 67 | 0x1400d7764 : not rdx 68 | 0x1400d7767 : lea rdx, [r9+rdx] 69 | 0x1400d776b : mov r9, 2C9895A92500C398h 70 | 0x1400d7775 : not r9 71 | 0x1400d7778 : lea r9, [rdx+r9] 72 | 0x1400d777f : jmp loc_1400D5B91 73 | 0x1400d5b95 : mov [rbp+8], r9 74 | 0x1400d5b9e : movzx r8, r8b 75 | 0x1400d5ba2 : sub r8, 1; switch 200 cases 76 | 0x1400d5ba6 : jmp loc_1400D98A8 77 | 0x1400d98aa : cmp r8, 0C8h 78 | 0x1400d98b1 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 79 | -------------------------------------------------------------------------------- /handle_out/0xd3.txt: 
-------------------------------------------------------------------------------- 1 | 0xd3 p_a p_b p_c 2 | 3 | 0x7FDE 4 | 5 | *(PULONG32)p_a & *(PULONG32)p_b;//无输出 (test: result discarded, only rflags written to p_c) 6 | *(PULONG32)p_c = rf; 7 | 8 | v_test_iregl_iregl_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d78fc : mov r9, [rbp+8] 12 | 0x1400d7909 : mov r8w, [r9] 13 | 0x1400d790d : xor r8w, 7FDEh 14 | 0x1400d7913 : mov rdx, 53F98012358C7E4h 15 | 0x1400d791d : not rdx 16 | 0x1400d7920 : lea rdx, [r10+rdx] 17 | 0x1400d7924 : movzx r8, r8w 18 | 0x1400d7928 : mov rcx, 0FAC067FEDCA7381Ah 19 | 0x1400d7932 : jmp loc_1400D9D6B 20 | 0x1400d9d6d : not rcx 21 | 0x1400d9d70 : add r8, rcx 22 | 0x1400d9d73 : lea r8, [rdx+r8] p_a = r8 23 | 0x1400d9d77 : mov r8d, [r8] r8d = *(PULONG32)p_a 24 | 0x1400d9d7a : lea r9, [r9+2] 25 | 0x1400d9d7e : mov dx, [r9] 26 | 0x1400d9d82 : xor dx, 7FDEh 27 | 0x1400d9d87 : movzx rdx, dx 28 | 0x1400d9d8b : lea rdx, [r10+rdx] p_b = rdx 29 | 0x1400d9d8f : mov edx, [rdx] edx = *(PULONG32)p_b 30 | 0x1400d9d91 : lea r9, [r9+2] 31 | 0x1400d9d95 : mov cx, [r9] 32 | 0x1400d9d99 : xor cx, 7FDEh 33 | 0x1400d9d9e : mov rax, 0FA5AF66BC673A788h 34 | 0x1400d9da8 : not rax 35 | 0x1400d9dab : lea rax, [r10+rax] 36 | 0x1400d9daf : movzx rcx, cx 37 | 0x1400d9db3 : mov rbx, 5A50994398C5876h 38 | 0x1400d9dbd : not rbx 39 | 0x1400d9dc0 : jmp loc_1400DB2E0 40 | 0x1400db2e1 : add rcx, rbx 41 | 0x1400db2e4 : lea rcx, [rax+rcx] p_c = rcx 42 | 0x1400db2e8 : pushfq 43 | 0x1400db2e9 : mov rax, [rsp+90h+var_90] 44 | 0x1400db2ed : lea rsp, [rsp+8] 45 | 0x1400db2f2 : mov ebx, [rcx] rf 46 | 0x1400db2f4 : mov ebx, ebx 47 | 0x1400db2f6 : lea rsp, [rsp-8] 48 | 0x1400db2fb : mov [rsp+90h+var_90], rbx 49 | 0x1400db2ff : popfq 50 | 0x1400db300 : and r8d, edx r8d = r8d & edx 51 | 0x1400db303 : jmp loc_1400DAAC5 52 | 0x1400daac6 : pushfq 53 | 0x1400daac7 : mov r8, [rsp+90h+var_90] 54 | 0x1400daacb : lea rsp, [rsp+8] 55 | 0x1400daad0 : mov [rcx], r8d *(PULONG32)p_c = rf 56 | 0x1400daad3 : lea rsp, [rsp-8] 57 | 
0x1400daad8 : mov [rsp+90h+var_90], rax 58 | 0x1400daadc : popfq 59 | 0x1400daadd : lea r9, [r9+2] 60 | 0x1400daae6 : mov [rbp+8], r9 61 | 0x1400daaea : jmp loc_1400D78EE 62 | 0x1400d78f4 : jmp loc_1400DAC79 63 | 0x1400dac7c : mov r9, [rbp+8] 64 | 0x1400dac89 : mov r8b, [r9] 65 | 0x1400dac8c : xor r8b, 5Dh 66 | 0x1400dac90 : mov rdx, 0D3676A56DAFF3C65h 67 | 0x1400dac9a : jmp loc_1400D7763 68 | 0x1400d7764 : not rdx 69 | 0x1400d7767 : lea rdx, [r9+rdx] 70 | 0x1400d776b : mov r9, 2C9895A92500C398h 71 | 0x1400d7775 : not r9 72 | 0x1400d7778 : lea r9, [rdx+r9] 73 | 0x1400d777f : jmp loc_1400D5B91 74 | 0x1400d5b95 : mov [rbp+8], r9 75 | 0x1400d5b9e : movzx r8, r8b 76 | 0x1400d5ba2 : sub r8, 1; switch 200 cases 77 | 0x1400d5ba6 : jmp loc_1400D98A8 78 | 0x1400d98aa : cmp r8, 0C8h 79 | 0x1400d98b1 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 80 | -------------------------------------------------------------------------------- /handle_out/0xd4.txt: -------------------------------------------------------------------------------- 1 | 0xd4 p_a p_b p_c 2 | 3 | 0x87DF 4 | 5 | *(PUSHORT)p_a - *(PUSHORT)p_b;//无输出 6 | *(PULONG32)p_c = rf; 7 | 8 | v_cmp_iregw_iregw_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d70f0 : mov r9, [rbp+8] 12 | 0x1400d70fc : mov r8w, [r9] 13 | 0x1400d7100 : xor r8w, 87DFh 14 | 0x1400d7106 : mov rdx, 7587D21F4BA0C2F4h 15 | 0x1400d7110 : not rdx 16 | 0x1400d7113 : lea rdx, [r10+rdx] 17 | 0x1400d7117 : movzx r8, r8w 18 | 0x1400d711b : mov rcx, 8A782DE0B45F3D0Ah 19 | 0x1400d7125 : not rcx 20 | 0x1400d7128 : add r8, rcx 21 | 0x1400d712b : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d712f : mov r8w, [r8] r8w = *(PUSHORT)p_a 23 | 0x1400d7133 : lea r9, [r9+2] 24 | 0x1400d7137 : mov dx, [r9] 25 | 0x1400d713b : xor dx, 87DFh 26 | 
0x1400d7140 : movzx rdx, dx 27 | 0x1400d7144 : jmp loc_1400D7A07 28 | 0x1400d7a09 : lea rdx, [r10+rdx] p_b = rdx 29 | 0x1400d7a0d : mov dx, [rdx] dx = *(PUSHORT)p_b 30 | 0x1400d7a10 : lea r9, [r9+2] 31 | 0x1400d7a14 : mov cx, [r9] 32 | 0x1400d7a18 : xor cx, 87DFh 33 | 0x1400d7a1d : mov rax, 2B2C696394524EC3h 34 | 0x1400d7a27 : not rax 35 | 0x1400d7a2a : lea rax, [r10+rax] 36 | 0x1400d7a2e : movzx rcx, cx 37 | 0x1400d7a32 : mov rbx, 0D4D3969C6BADB13Bh 38 | 0x1400d7a3c : not rbx 39 | 0x1400d7a3f : add rcx, rbx 40 | 0x1400d7a42 : lea rcx, [rax+rcx] p_c = rcx 41 | 0x1400d7a46 : pushfq 42 | 0x1400d7a47 : mov rax, [rsp] 43 | 0x1400d7a4b : lea rsp, [rsp+8] 44 | 0x1400d7a50 : mov ebx, [rcx] rf = *(PULONG32)p_c 45 | 0x1400d7a52 : mov ebx, ebx 46 | 0x1400d7a54 : lea rsp, [rsp-8] 47 | 0x1400d7a59 : jmp loc_1400D7491 48 | 0x1400d7493 : mov [rsp+90h+var_90], rbx 49 | 0x1400d7497 : popfq 50 | 0x1400d7498 : sub r8w, dx r8w = r8w - dx 51 | 0x1400d749c : pushfq 52 | 0x1400d749d : mov r8, [rsp+90h+var_90] 53 | 0x1400d74a1 : lea rsp, [rsp+8] 54 | 0x1400d74a6 : mov [rcx], r8d *(PULONG32)p_c = rf 55 | 0x1400d74a9 : lea rsp, [rsp-8] 56 | 0x1400d74ae : mov [rsp+90h+var_90], rax 57 | 0x1400d74b2 : popfq 58 | 0x1400d74b3 : lea r9, [r9+2] 59 | 0x1400d74bd : mov [rbp+8], r9 60 | 0x1400d74c1 : jmp loc_1400DA34B 61 | 0x1400da352 : jmp loc_1400D5C1C 62 | 0x1400d5c1f : mov r9, [rbp+8] 63 | 0x1400d5c2c : mov r8b, [r9] 64 | 0x1400d5c2f : xor r8b, 5Dh 65 | 0x1400d5c33 : jmp loc_1400DABF2 66 | 0x1400dabf4 : mov rdx, 84063C9A3F77C111h 67 | 0x1400dabfe : not rdx 68 | 0x1400dac01 : lea rdx, [r9+rdx] 69 | 0x1400dac05 : mov r9, 7BF9C365C0883EECh 70 | 0x1400dac0f : not r9 71 | 0x1400dac12 : lea r9, [rdx+r9] 72 | 0x1400dac16 : jmp loc_1400D97BF 73 | 0x1400d97c6 : mov [rbp+8], r9 74 | 0x1400d97d0 : movzx r8, r8b 75 | 0x1400d97d4 : sub r8, 1 76 | 0x1400d97d8 : cmp r8, 0C8h 77 | 0x1400d97df : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 
1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 78 | -------------------------------------------------------------------------------- /handle_out/0xd5.txt: -------------------------------------------------------------------------------- 1 | 0xd5 p_a p_b p_c 2 | 3 | 0x3728 4 | 5 | *(PUCHAR)p_a - *(PUCHAR)p_b;//无输出 6 | *(PULONG32)p_c = rf 7 | 8 | v_cmp_iregb_iregb_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d74d5 : mov r9, [rbp+8] 12 | 0x1400d74e2 : mov r8w, [r9] 13 | 0x1400d74e6 : xor r8w, 3728h 14 | 0x1400d74ec : mov rdx, 0A3FE1DC6622272C9h 15 | 0x1400d74f6 : not rdx 16 | 0x1400d74f9 : lea rdx, [r10+rdx] 17 | 0x1400d74fd : movzx r8, r8w 18 | 0x1400d7501 : mov rcx, 5C01E2399DDD8D35h 19 | 0x1400d750b : not rcx 20 | 0x1400d750e : add r8, rcx 21 | 0x1400d7511 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d7515 : mov r8b, [r8] r8b = *(PUCHAR)p_a 23 | 0x1400d7518 : lea r9, [r9+2] 24 | 0x1400d751c : mov dx, [r9] 25 | 0x1400d7520 : xor dx, 3728h 26 | 0x1400d7525 : movzx rdx, dx 27 | 0x1400d7529 : jmp loc_1400DA7A1 28 | 0x1400da7a2 : lea rdx, [r10+rdx] p_b = rdx 29 | 0x1400da7a6 : mov dl, [rdx] dl = *(PUCHAR)p_b 30 | 0x1400da7a8 : lea r9, [r9+2] 31 | 0x1400da7ac : mov cx, [r9] 32 | 0x1400da7b0 : xor cx, 3728h 33 | 0x1400da7b5 : mov rax, 4F72567808CC114h 34 | 0x1400da7bf : not rax 35 | 0x1400da7c2 : lea rax, [r10+rax] 36 | 0x1400da7c6 : movzx rcx, cx 37 | 0x1400da7ca : mov rbx, 0FB08DA987F733EEAh 38 | 0x1400da7d4 : not rbx 39 | 0x1400da7d7 : jmp loc_1400DA579 40 | 0x1400da57b : add rcx, rbx 41 | 0x1400da57e : lea rcx, [rax+rcx] p_c = rcx 42 | 0x1400da582 : pushfq 43 | 0x1400da583 : mov rax, [rsp+90h+var_90] 44 | 0x1400da587 : lea rsp, [rsp+8] 45 | 0x1400da58c : mov ebx, [rcx] rf 46 | 0x1400da58e : mov ebx, ebx 47 | 0x1400da590 : lea rsp, [rsp-8] 48 | 0x1400da595 : mov [rsp+90h+var_90], rbx 49 | 0x1400da599 : 
popfq 50 | 0x1400da59a : sub r8b, dl r8b = r8b - dl 51 | 0x1400da59d : pushfq 52 | 0x1400da59e : mov r8, [rsp+90h+var_90] 53 | 0x1400da5a2 : lea rsp, [rsp+8] 54 | 0x1400da5a7 : mov [rcx], r8d *(PULONG32)p_c = rf 55 | 0x1400da5aa : lea rsp, [rsp-8] 56 | 0x1400da5af : mov [rsp+90h+var_90], rax 57 | 0x1400da5b3 : jmp loc_1400D6CF6 58 | 0x1400d6cf8 : popfq 59 | 0x1400d6cf9 : lea r9, [r9+2] 60 | 0x1400d6d03 : mov [rbp+8], r9 61 | 0x1400d6d0d : jmp loc_1400D8FEC 62 | 0x1400d8fef : mov r9, [rbp+8] 63 | 0x1400d8ffc : mov r8b, [r9] 64 | 0x1400d8fff : xor r8b, 5Dh 65 | 0x1400d9003 : jmp loc_1400D6A7C 66 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 67 | 0x1400d6a87 : not rdx 68 | 0x1400d6a8a : lea rdx, [r9+rdx] 69 | 0x1400d6a8e : mov r9, 0FC30FF09BAE0574Dh 70 | 0x1400d6a98 : not r9 71 | 0x1400d6a9b : lea r9, [rdx+r9] 72 | 0x1400d6aa5 : mov [rbp+8], r9 73 | 0x1400d6aa9 : jmp loc_1400DB1EB 74 | 0x1400db1f3 : movzx r8, r8b 75 | 0x1400db1f7 : sub r8, 1 76 | 0x1400db1fb : cmp r8, 0C8h 77 | 0x1400db202 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 78 | -------------------------------------------------------------------------------- /handle_out/0xd6.txt: -------------------------------------------------------------------------------- 1 | 0xd6 p_a p_b p_c 2 | 3 | 0x637D 4 | 5 | *(PULONG64)p_a - *(PULONG64)p_b;//无输出 6 | *(PULONG32)p_c = rf; 7 | 8 | v_cmp_iregll_iregll_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d6f6f : mov r9, [rbp+8] 12 | 0x1400d6f7c : mov r8w, [r9] 13 | 0x1400d6f80 : xor r8w, 637Dh 14 | 0x1400d6f86 : mov rdx, 384D5D74F278C92Eh 15 | 0x1400d6f90 : not rdx 16 | 0x1400d6f93 : lea rdx, [r10+rdx] 17 | 0x1400d6f97 : movzx r8, r8w 18 | 0x1400d6f9b : mov rcx, 0C7B2A28B0D8736D0h 19 | 0x1400d6fa5 : not rcx 20 | 0x1400d6fa8 : add r8, rcx 21 
| 0x1400d6fab : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d6faf : mov r8, [r8] r8 = *(PULONG64)p_a 23 | 0x1400d6fb2 : lea r9, [r9+2] 24 | 0x1400d6fb6 : jmp loc_1400D6B09 25 | 0x1400d6b0b : mov dx, [r9] 26 | 0x1400d6b0f : xor dx, 637Dh 27 | 0x1400d6b14 : movzx rdx, dx 28 | 0x1400d6b18 : lea rdx, [r10+rdx] p_b = rdx 29 | 0x1400d6b1c : mov rdx, [rdx] rdx = *(PULONG64)p_b 30 | 0x1400d6b1f : lea r9, [r9+2] 31 | 0x1400d6b23 : mov cx, [r9] 32 | 0x1400d6b27 : xor cx, 637Dh 33 | 0x1400d6b2c : mov rax, 4E26CA31A7A06CBCh 34 | 0x1400d6b36 : not rax 35 | 0x1400d6b39 : lea rax, [r10+rax] 36 | 0x1400d6b3d : movzx rcx, cx 37 | 0x1400d6b41 : mov rbx, 0B1D935CE585F9342h 38 | 0x1400d6b4b : not rbx 39 | 0x1400d6b4e : add rcx, rbx 40 | 0x1400d6b51 : lea rcx, [rax+rcx] p_c = rcx 41 | 0x1400d6b55 : jmp loc_1400D692D 42 | 0x1400d692f : pushfq 43 | 0x1400d6930 : mov rax, [rsp+90h+var_90] 44 | 0x1400d6934 : lea rsp, [rsp+8] 45 | 0x1400d6939 : mov ebx, [rcx] 46 | 0x1400d693b : mov ebx, ebx 47 | 0x1400d693d : lea rsp, [rsp-8] 48 | 0x1400d6942 : mov [rsp+90h+var_90], rbx 49 | 0x1400d6946 : popfq 50 | 0x1400d6947 : sub r8, rdx r8 = r8 - rdx 51 | 0x1400d694a : pushfq 52 | 0x1400d694b : mov r8, [rsp+90h+var_90] 53 | 0x1400d694f : lea rsp, [rsp+8] 54 | 0x1400d6954 : mov [rcx], r8d *(PULONG32)p_c = rf 55 | 0x1400d6957 : lea rsp, [rsp-8] 56 | 0x1400d695c : jmp loc_1400D99B9 57 | 0x1400d99bb : mov [rsp+90h+var_90], rax 58 | 0x1400d99bf : popfq 59 | 0x1400d99c0 : lea r9, [r9+2] 60 | 0x1400d99ca : mov [rbp+8], r9 61 | 0x1400d99d4 : jmp loc_1400D7232 62 | 0x1400d7234 : mov r9, [rbp+8] 63 | 0x1400d7240 : jmp loc_1400D99D9 64 | 0x1400d99db : mov r8b, [r9] 65 | 0x1400d99de : xor r8b, 5Dh 66 | 0x1400d99e2 : mov rdx, 25E9ECA9BDE22AEAh 67 | 0x1400d99ec : not rdx 68 | 0x1400d99ef : lea rdx, [r9+rdx] 69 | 0x1400d99f3 : jmp loc_1400D86A6 70 | 0x1400d86a8 : mov r9, 0DA161356421DD513h 71 | 0x1400d86b2 : not r9 72 | 0x1400d86b5 : lea r9, [rdx+r9] 73 | 0x1400d86bf : mov [rbp+8], r9 74 | 0x1400d86c9 : movzx r8, r8b 75 | 
0x1400d86cd : sub r8, 1 76 | 0x1400d86d1 : jmp loc_1400D7E10 77 | 0x1400d7e11 : cmp r8, 0C8h 78 | 0x1400d7e18 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 79 | -------------------------------------------------------------------------------- /handle_out/0xd7.txt: -------------------------------------------------------------------------------- 1 | 0xd7 p_a p_b p_c 2 | 3 | 0xCBEF 4 | 5 | *(PULONG32)p_a - *(PULONG32)p_b;//无输出 6 | *(PULONG32)p_c = rf; 7 | 8 | v_cmp_iregl_iregl_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d95b0 : mov r9, [rbp+8] 12 | 0x1400d95bd : mov r8w, [r9] 13 | 0x1400d95c1 : xor r8w, 0CBEFh 14 | 0x1400d95c7 : mov rdx, 1A67EF9525C3D835h 15 | 0x1400d95d1 : not rdx 16 | 0x1400d95d4 : lea rdx, [r10+rdx] 17 | 0x1400d95d8 : movzx r8, r8w 18 | 0x1400d95dc : mov rcx, 0E598106ADA3C27C9h 19 | 0x1400d95e6 : not rcx 20 | 0x1400d95e9 : add r8, rcx 21 | 0x1400d95ec : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d95f0 : mov r8d, [r8] r8d = *(PULONG32)p_a 23 | 0x1400d95f3 : lea r9, [r9+2] 24 | 0x1400d95f7 : mov dx, [r9] 25 | 0x1400d95fb : xor dx, 0CBEFh 26 | 0x1400d9600 : movzx rdx, dx 27 | 0x1400d9604 : jmp loc_1400D685F 28 | 0x1400d6860 : lea rdx, [r10+rdx] p_b = rdx 29 | 0x1400d6864 : mov edx, [rdx] edx = *(PULONG32)p_b 30 | 0x1400d6866 : lea r9, [r9+2] 31 | 0x1400d686a : mov cx, [r9] 32 | 0x1400d686e : xor cx, 0CBEFh 33 | 0x1400d6873 : mov rax, 0EC0DF4B86916255Ch 34 | 0x1400d687d : not rax 35 | 0x1400d6880 : lea rax, [r10+rax] 36 | 0x1400d6884 : movzx rcx, cx 37 | 0x1400d6888 : mov rbx, 13F20B4796E9DAA2h 38 | 0x1400d6892 : not rbx 39 | 0x1400d6895 : add rcx, rbx 40 | 0x1400d6898 : lea rcx, [rax+rcx] p_c = rcx 41 | 0x1400d689c : pushfq 42 | 0x1400d689d : mov rax, [rsp+90h+var_90] 43 | 0x1400d68a1 : lea rsp, [rsp+8] 44 | 
0x1400d68a6 : mov ebx, [rcx] rf 45 | 0x1400d68a8 : mov ebx, ebx 46 | 0x1400d68aa : jmp loc_1400D821D 47 | 0x1400d821e : lea rsp, [rsp-8] 48 | 0x1400d8223 : mov [rsp+90h+var_90], rbx 49 | 0x1400d8227 : popfq 50 | 0x1400d8228 : sub r8d, edx r8d = r8d - edx 51 | 0x1400d822b : pushfq 52 | 0x1400d822c : mov r8, [rsp+90h+var_90] 53 | 0x1400d8230 : lea rsp, [rsp+8] 54 | 0x1400d8235 : mov [rcx], r8d *(PULONG32)p_c = rf 55 | 0x1400d8238 : lea rsp, [rsp-8] 56 | 0x1400d823d : mov [rsp+90h+var_90], rax 57 | 0x1400d8241 : popfq 58 | 0x1400d8242 : jmp loc_1400DA847 59 | 0x1400da849 : lea r9, [r9+2] 60 | 0x1400da853 : mov [rbp+8], r9 61 | 0x1400da85d : jmp loc_1400D5C1C 62 | 0x1400d5c1f : mov r9, [rbp+8] 63 | 0x1400d5c2c : mov r8b, [r9] 64 | 0x1400d5c2f : xor r8b, 5Dh 65 | 0x1400d5c33 : jmp loc_1400DABF2 66 | 0x1400dabf4 : mov rdx, 84063C9A3F77C111h 67 | 0x1400dabfe : not rdx 68 | 0x1400dac01 : lea rdx, [r9+rdx] 69 | 0x1400dac05 : mov r9, 7BF9C365C0883EECh 70 | 0x1400dac0f : not r9 71 | 0x1400dac12 : lea r9, [rdx+r9] 72 | 0x1400dac16 : jmp loc_1400D97BF 73 | 0x1400d97c6 : mov [rbp+8], r9 74 | 0x1400d97d0 : movzx r8, r8b 75 | 0x1400d97d4 : sub r8, 1 76 | 0x1400d97d8 : cmp r8, 0C8h 77 | 0x1400d97df : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 78 | -------------------------------------------------------------------------------- /handle_out/0xd9.txt: -------------------------------------------------------------------------------- 1 | 0xd9 p_a p_b p_c p_d 2 | 3 | 0x3F78 4 | 5 | *(PUCHAR)p_a = *(PUCHAR)p_b - *(PUCHAR)p_c - CF; // sbb, not sub: CF is taken from the rflags value loaded from p_d and restored by popfq right before the subtraction 6 | *(PULONG32)p_d = rf; 7 | 8 | v_sbb_oregb_iregb_iregb_oregl 9 | ---------------------------------------- 10 | 11 | 0x1400d7711 : mov r9, [rbp+8] 12 | 0x1400d771e : mov r8w, [r9] 13 | 0x1400d7722 : xor r8w, 3F78h 14 | 0x1400d7728 : mov rdx, 
0D707A0612AE2F8C0h 15 | 0x1400d7732 : not rdx 16 | 0x1400d7735 : lea rdx, [r10+rdx] 17 | 0x1400d7739 : movzx r8, r8w 18 | 0x1400d773d : mov rcx, 28F85F9ED51D073Eh 19 | 0x1400d7747 : not rcx 20 | 0x1400d774a : add r8, rcx 21 | 0x1400d774d : jmp loc_1400D8CFA 22 | 0x1400d8cfb : lea r8, [rdx+r8] p_a = r8 23 | 0x1400d8cff : lea r9, [r9+2] 24 | 0x1400d8d03 : mov dx, [r9] 25 | 0x1400d8d07 : xor dx, 3F78h 26 | 0x1400d8d0c : movzx rdx, dx 27 | 0x1400d8d10 : lea rdx, [r10+rdx] p_b = rdx 28 | 0x1400d8d14 : mov dl, [rdx] dl = *(PUCHAR)p_b 29 | 0x1400d8d16 : lea r9, [r9+2] 30 | 0x1400d8d1a : mov cx, [r9] 31 | 0x1400d8d1e : xor cx, 3F78h 32 | 0x1400d8d23 : mov rax, 2EC925CAB25F5FF9h 33 | 0x1400d8d2d : not rax 34 | 0x1400d8d30 : lea rax, [r10+rax] 35 | 0x1400d8d34 : movzx rcx, cx 36 | 0x1400d8d38 : mov rbx, 0D136DA354DA0A005h 37 | 0x1400d8d42 : not rbx 38 | 0x1400d8d45 : add rcx, rbx 39 | 0x1400d8d48 : jmp loc_1400D8784 40 | 0x1400d8786 : lea rcx, [rax+rcx] p_c = rcx 41 | 0x1400d878a : mov cl, [rcx] cl = *(PUCHAR)p_c 42 | 0x1400d878c : lea r9, [r9+2] 43 | 0x1400d8790 : mov ax, [r9] 44 | 0x1400d8794 : xor ax, 3F78h 45 | 0x1400d8798 : movzx rax, ax 46 | 0x1400d879c : lea rax, [r10+rax] p_d = rax 47 | 0x1400d87a0 : pushfq 48 | 0x1400d87a1 : mov rbx, [rsp+90h+var_90] 49 | 0x1400d87a5 : lea rsp, [rsp+8] 50 | 0x1400d87aa : mov esi, [rax] rf 51 | 0x1400d87ac : mov esi, esi 52 | 0x1400d87ae : lea rsp, [rsp-8] 53 | 0x1400d87b3 : mov [rsp+90h+var_90], rsi 54 | 0x1400d87b7 : popfq 55 | 0x1400d87b8 : jmp loc_1400DA5FC 56 | 0x1400da5fe : sbb dl, cl dl = dl sbb cl 57 | 0x1400da600 : pushfq 58 | 0x1400da601 : mov rcx, [rsp+90h+var_90] 59 | 0x1400da605 : lea rsp, [rsp+8] 60 | 0x1400da60a : mov [rax], ecx *(PULONG32)p_d = rf 61 | 0x1400da60c : lea rsp, [rsp-8] 62 | 0x1400da611 : mov [rsp+90h+var_90], rbx 63 | 0x1400da615 : popfq 64 | 0x1400da616 : mov [r8], dl *(PUCHAR)p_a = dl 65 | 0x1400da619 : lea r9, [r9+2] 66 | 0x1400da622 : mov [rbp+8], r9 67 | 0x1400da62b : jmp loc_1400D7614 68 | 
0x1400d7616 : jmp loc_1400D8FEC 69 | 0x1400d8fef : mov r9, [rbp+8] 70 | 0x1400d8ffc : mov r8b, [r9] 71 | 0x1400d8fff : xor r8b, 5Dh 72 | 0x1400d9003 : jmp loc_1400D6A7C 73 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 74 | 0x1400d6a87 : not rdx 75 | 0x1400d6a8a : lea rdx, [r9+rdx] 76 | 0x1400d6a8e : mov r9, 0FC30FF09BAE0574Dh 77 | 0x1400d6a98 : not r9 78 | 0x1400d6a9b : lea r9, [rdx+r9] 79 | 0x1400d6aa5 : mov [rbp+8], r9 80 | 0x1400d6aa9 : jmp loc_1400DB1EB 81 | 0x1400db1f3 : movzx r8, r8b 82 | 0x1400db1f7 : sub r8, 1 83 | 0x1400db1fb : cmp r8, 0C8h 84 | 0x1400db202 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 85 | -------------------------------------------------------------------------------- /handle_out/0xe5.txt: -------------------------------------------------------------------------------- 1 | 0xe5 p_a 2 | 3 | 0xCD84 4 | 5 | reg = *(PREG)p_a;//不恢复rsp 之前就将 add放入 rax 了 6 | rsp = [rsp]; 7 | jmp rax; 8 | 9 | v_jmp_iregxRax 10 | ---------------------------------------- 11 | 12 | 0x1400d9587 : mov r9, [rbp+8] 13 | 0x1400d9594 : mov r9w, [r9] 14 | 0x1400d9598 : jmp loc_1400D83BE 15 | 0x1400d83bf : xor r9w, 0CD84h 16 | 0x1400d83c5 : mov r8, 0DA07BF5151F2BA3h 17 | 0x1400d83cf : not r8 18 | 0x1400d83d2 : lea r8, [r10+r8] 19 | 0x1400d83d6 : movzx r9, r9w 20 | 0x1400d83da : jmp loc_1400D69AB 21 | 0x1400d69ac : mov rdx, 0F25F840AEAE0D45Bh 22 | 0x1400d69b6 : not rdx 23 | 0x1400d69b9 : add r9, rdx 24 | 0x1400d69bc : lea r9, [r8+r9] p_a = r9 25 | 0x1400d69c0 : mov r15, 0FFFFFFFFFFFFFFFEh 26 | 0x1400d69ca : not r15 27 | 0x1400d69cd : rdsspq r15 28 | 0x1400d69d2 : jmp loc_1400D6601 29 | 0x1400d6602 : cmp r15, 1 30 | 0x1400d6606 : jz loc_1400D6C46 31 | 0x1400d660c : mov r15, 2 32 | 0x1400d6613 : incsspq r15 33 | 0x1400d6618 : jmp loc_1400D6C46 34 | 0x1400d6c48 : 
mov rax, [r9] 35 | 0x1400d6c53 : mov rbx, [r9+8] 36 | 0x1400d6c5a : mov rcx, [r9+10h] 37 | 0x1400d6c6a : mov rdx, [r9+18h] 38 | 0x1400d6c74 : jmp loc_1400DB3F3 39 | 0x1400db3f8 : mov rbp, [r9+28h] 40 | 0x1400db3fc : mov rsi, [r9+30h] 41 | 0x1400db400 : mov rdi, [r9+38h] 42 | 0x1400db407 : mov r8, [r9+40h] 43 | 0x1400db417 : mov r10, [r9+50h] 44 | 0x1400db421 : jmp loc_1400D9273 45 | 0x1400d927b : mov r11, [r9+58h] 46 | 0x1400d9288 : mov r12, [r9+60h] 47 | 0x1400d928c : mov r13, [r9+68h] 48 | 0x1400d9290 : mov r14, [r9+70h] 49 | 0x1400d9294 : mov r15, [r9+78h] 50 | 0x1400d9298 : jmp loc_1400D5BBE 51 | 0x1400d5bc0 : push qword ptr [r9+80h] 52 | 0x1400d5bc7 : popfq 53 | 0x1400d5bc8 : push qword ptr [r9+20h] 54 | 0x1400d5bcc : mov r9, [r9+48h] 55 | 0x1400d5bd0 : mov rsp, [rsp+90h+var_90] 56 | 0x1400d5bd4 : jmp rax 57 | -------------------------------------------------------------------------------- /handle_out/0xe8.txt: -------------------------------------------------------------------------------- 1 | 0xe8 p_a b_ULONG64 2 | 3 | 0x3F26 4 | 5 | *(PULONG64)p_a = b_ULONG64; 6 | 7 | v_mov_iregll_ll 8 | ---------------------------------------- 9 | 10 | 0x1400d60f5 : mov r9, [rbp+8] 11 | 0x1400d6102 : mov r8w, [r9] 12 | 0x1400d6106 : xor r8w, 3F26h 13 | 0x1400d610c : mov rdx, 0F84A86395161A270h 14 | 0x1400d6116 : not rdx 15 | 0x1400d6119 : jmp loc_1400D9077 16 | 0x1400d9078 : lea rdx, [r10+rdx] 17 | 0x1400d907c : movzx r8, r8w 18 | 0x1400d9080 : mov rcx, 7B579C6AE9E5D8Eh 19 | 0x1400d908a : not rcx 20 | 0x1400d908d : add r8, rcx 21 | 0x1400d9090 : lea r8, [rdx+r8] 22 | 0x1400d9094 : lea r9, [r9+2] 23 | 0x1400d909b : mov rdx, [r9] 24 | 0x1400d909e : jmp loc_1400DA2DD 25 | 0x1400da2ed : mov [r8], rdx 26 | 0x1400da2f0 : jmp loc_1400DA9AC 27 | 0x1400da9b4 : lea r9, [r9+8] 28 | 0x1400da9be : mov [rbp+8], r9 29 | 0x1400da9c8 : jmp loc_1400DAC79 30 | 0x1400dac7c : mov r9, [rbp+8] 31 | 0x1400dac89 : mov r8b, [r9] 32 | 0x1400dac8c : xor r8b, 5Dh 33 | 0x1400dac90 : mov rdx, 
0D3676A56DAFF3C65h 34 | 0x1400dac9a : jmp loc_1400D7763 35 | 0x1400d7764 : not rdx 36 | 0x1400d7767 : lea rdx, [r9+rdx] 37 | 0x1400d776b : mov r9, 2C9895A92500C398h 38 | 0x1400d7775 : not r9 39 | 0x1400d7778 : lea r9, [rdx+r9] 40 | 0x1400d777f : jmp loc_1400D5B91 41 | 0x1400d5b95 : mov [rbp+8], r9 42 | 0x1400d5b9e : movzx r8, r8b 43 | 0x1400d5ba2 : sub r8, 1; switch 200 cases 44 | 0x1400d5ba6 : jmp loc_1400D98A8 45 | 0x1400d98aa : cmp r8, 0C8h 46 | 0x1400d98b1 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 47 | -------------------------------------------------------------------------------- /handle_out/0xe9.txt: -------------------------------------------------------------------------------- 1 | 0xe9 p_a b_ULONG32 2 | 3 | 0x448A 4 | 5 | *(PULONG32)p_a = b_ULONG32; 6 | 7 | v_mov_iregl_l 8 | ---------------------------------------- 9 | 10 | 0x1400d9449 : mov r9, [rbp+8] 11 | 0x1400d9453 : jmp loc_1400DB4E0 12 | 0x1400db4e5 : mov r8w, [r9] 13 | 0x1400db4e9 : xor r8w, 448Ah 14 | 0x1400db4ef : mov rdx, 7E5659D39A98BA94h 15 | 0x1400db4f9 : not rdx 16 | 0x1400db4fc : jmp loc_1400D72B7 17 | 0x1400d72b9 : lea rdx, [r10+rdx] 18 | 0x1400d72bd : movzx r8, r8w 19 | 0x1400d72c1 : mov rcx, 81A9A62C6567456Ah 20 | 0x1400d72cb : not rcx 21 | 0x1400d72ce : add r8, rcx 22 | 0x1400d72d1 : lea r8, [rdx+r8] p_a = r8 23 | 0x1400d72d5 : jmp loc_1400D9F02 24 | 0x1400d9f04 : lea r9, [r9+2] 25 | 0x1400d9f08 : mov edx, [r9] 26 | 0x1400d9f0b : mov [r8], edx 27 | 0x1400d9f0e : lea r9, [r9+4] 28 | 0x1400d9f18 : mov [rbp+8], r9 29 | 0x1400d9f22 : jmp loc_1400DAB6B 30 | 0x1400dab6c : jmp loc_1400DAC79 31 | 0x1400dac7c : mov r9, [rbp+8] 32 | 0x1400dac89 : mov r8b, [r9] 33 | 0x1400dac8c : xor r8b, 5Dh 34 | 0x1400dac90 : mov rdx, 0D3676A56DAFF3C65h 35 | 0x1400dac9a : jmp loc_1400D7763 
36 | 0x1400d7764 : not rdx 37 | 0x1400d7767 : lea rdx, [r9+rdx] 38 | 0x1400d776b : mov r9, 2C9895A92500C398h 39 | 0x1400d7775 : not r9 40 | 0x1400d7778 : lea r9, [rdx+r9] 41 | 0x1400d777f : jmp loc_1400D5B91 42 | 0x1400d5b95 : mov [rbp+8], r9 43 | 0x1400d5b9e : movzx r8, r8b 44 | 0x1400d5ba2 : sub r8, 1; switch 200 cases 45 | 0x1400d5ba6 : jmp loc_1400D98A8 46 | 0x1400d98aa : cmp r8, 0C8h 47 | 0x1400d98b1 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 48 | -------------------------------------------------------------------------------- /handle_out/0xea.txt: -------------------------------------------------------------------------------- 1 | 0xea p_a b_ULONG64 2 | 3 | 0x43EF 4 | 5 | *(PULONG64)p_a = b_ULONG64; 6 | 7 | v_mov_iregll_ll 8 | ---------------------------------------- 9 | 10 | 0x1400d69eb : mov r9, [rbp+8] 11 | 0x1400d69f8 : mov r8w, [r9] 12 | 0x1400d69fc : xor r8w, 43EFh 13 | 0x1400d6a02 : mov rdx, 592F5BD3F273988h 14 | 0x1400d6a0c : not rdx 15 | 0x1400d6a0f : lea rdx, [r10+rdx] 16 | 0x1400d6a13 : jmp loc_1400D8D5B 17 | 0x1400d8d5d : movzx r8, r8w 18 | 0x1400d8d61 : mov rcx, 0FA6D0A42C0D8C676h 19 | 0x1400d8d6b : not rcx 20 | 0x1400d8d6e : add r8, rcx 21 | 0x1400d8d71 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d8d75 : lea r9, [r9+2] 23 | 0x1400d8d7b : jmp loc_1400D76D8 24 | 0x1400d76da : mov rdx, [r9] rdx 25 | 0x1400d76e5 : mov rcx, 0 26 | 0x1400d76ef : add rdx, rcx 27 | 0x1400d76f8 : mov [r8], rdx *(PULONG64)p_a = rdx 28 | 0x1400d76fb : jmp loc_1400D6AE8 29 | 0x1400d6af0 : lea r9, [r9+8] 30 | 0x1400d6afa : mov [rbp+8], r9 31 | 0x1400d6b04 : jmp loc_1400DAC79 32 | 0x1400dac7c : mov r9, [rbp+8] 33 | 0x1400dac89 : mov r8b, [r9] 34 | 0x1400dac8c : xor r8b, 5Dh 35 | 0x1400dac90 : mov rdx, 0D3676A56DAFF3C65h 36 | 0x1400dac9a : jmp loc_1400D7763 37 | 
0x1400d7764 : not rdx 38 | 0x1400d7767 : lea rdx, [r9+rdx] 39 | 0x1400d776b : mov r9, 2C9895A92500C398h 40 | 0x1400d7775 : not r9 41 | 0x1400d7778 : lea r9, [rdx+r9] 42 | 0x1400d777f : jmp loc_1400D5B91 43 | 0x1400d5b95 : mov [rbp+8], r9 44 | 0x1400d5b9e : movzx r8, r8b 45 | 0x1400d5ba2 : sub r8, 1; switch 200 cases 46 | 0x1400d5ba6 : jmp loc_1400D98A8 47 | 0x1400d98aa : cmp r8, 0C8h 48 | 0x1400d98b1 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 49 | -------------------------------------------------------------------------------- /handle_out/0xee.txt: -------------------------------------------------------------------------------- 1 | 0xee p_a b_USHORT 2 | 3 | 0x44B1 4 | 5 | *(PUSHORT)p_a = b_USHORT; 6 | 7 | v_mov_iregw_w 8 | ---------------------------------------- 9 | 10 | 0x1400d7fc7 : mov r9, [rbp+8] 11 | 0x1400d7fce : jmp loc_1400D8651 12 | 0x1400d8658 : mov r8w, [r9] 13 | 0x1400d865c : xor r8w, 44B1h 14 | 0x1400d8662 : mov rdx, 0CB34B9F0B2AE9D64h 15 | 0x1400d866c : not rdx 16 | 0x1400d866f : lea rdx, [r10+rdx] 17 | 0x1400d8673 : jmp loc_1400D83F0 18 | 0x1400d83f1 : movzx r8, r8w 19 | 0x1400d83f5 : mov rcx, 34CB460F4D51629Ah 20 | 0x1400d83ff : not rcx 21 | 0x1400d8402 : add r8, rcx 22 | 0x1400d8405 : lea r8, [rdx+r8] 23 | 0x1400d8409 : lea r9, [r9+2] 24 | 0x1400d840d : mov dx, [r9] 25 | 0x1400d8411 : mov [r8], dx 26 | 0x1400d8415 : lea r9, [r9+2] 27 | 0x1400d8419 : jmp loc_1400DAB09 28 | 0x1400dab10 : mov [rbp+8], r9 29 | 0x1400dab19 : jmp loc_1400D7232 30 | 0x1400d7234 : mov r9, [rbp+8] 31 | 0x1400d7240 : jmp loc_1400D99D9 32 | 0x1400d99db : mov r8b, [r9] 33 | 0x1400d99de : xor r8b, 5Dh 34 | 0x1400d99e2 : mov rdx, 25E9ECA9BDE22AEAh 35 | 0x1400d99ec : not rdx 36 | 0x1400d99ef : lea rdx, [r9+rdx] 37 | 0x1400d99f3 : jmp loc_1400D86A6 38 | 
0x1400d86a8 : mov r9, 0DA161356421DD513h 39 | 0x1400d86b2 : not r9 40 | 0x1400d86b5 : lea r9, [rdx+r9] 41 | 0x1400d86bf : mov [rbp+8], r9 42 | 0x1400d86c9 : movzx r8, r8b 43 | 0x1400d86cd : sub r8, 1 44 | 0x1400d86d1 : jmp loc_1400D7E10 45 | 0x1400d7e11 : cmp r8, 0C8h 46 | 0x1400d7e18 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 47 | -------------------------------------------------------------------------------- /handle_out/0xef.txt: -------------------------------------------------------------------------------- 1 | 0xef p_a b_UCHAR 2 | 3 | 0x144C 4 | 5 | *(PUCHAR)p_a = b_UCHAR; 6 | 7 | v_mov_iregb_b 8 | ---------------------------------------- 9 | 10 | 0x1400d7bc9 : mov r9, [rbp+8] 11 | 0x1400d7bd5 : mov r8w, [r9] 12 | 0x1400d7bd9 : jmp loc_1400D6B68 13 | 0x1400d6b6a : xor r8w, 144Ch 14 | 0x1400d6b70 : mov rdx, 89496F78AD85546Ah 15 | 0x1400d6b7a : not rdx 16 | 0x1400d6b7d : lea rdx, [r10+rdx] 17 | 0x1400d6b81 : movzx r8, r8w 18 | 0x1400d6b85 : mov rcx, 76B69087527AAB94h 19 | 0x1400d6b8f : not rcx 20 | 0x1400d6b92 : add r8, rcx 21 | 0x1400d6b95 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400d6b99 : jmp loc_1400D8D8E 23 | 0x1400d8d90 : lea r9, [r9+2] 24 | 0x1400d8d94 : mov dl, [r9] dl 25 | 0x1400d8d97 : mov [r8], dl *(PUCHAR)p_a = dl 26 | 0x1400d8d9a : lea r9, [r9+1] 27 | 0x1400d8da4 : mov [rbp+8], r9 28 | 0x1400d8dae : jmp loc_1400D9693 29 | 0x1400d9694 : jmp loc_1400D8FEC 30 | 0x1400d8fef : mov r9, [rbp+8] 31 | 0x1400d8ffc : mov r8b, [r9] 32 | 0x1400d8fff : xor r8b, 5Dh 33 | 0x1400d9003 : jmp loc_1400D6A7C 34 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 35 | 0x1400d6a87 : not rdx 36 | 0x1400d6a8a : lea rdx, [r9+rdx] 37 | 0x1400d6a8e : mov r9, 0FC30FF09BAE0574Dh 38 | 0x1400d6a98 : not r9 39 | 0x1400d6a9b : lea r9, [rdx+r9] 40 | 0x1400d6aa5 : mov [rbp+8], 
r9 41 | 0x1400d6aa9 : jmp loc_1400DB1EB 42 | 0x1400db1f3 : movzx r8, r8b 43 | 0x1400db1f7 : sub r8, 1 44 | 0x1400db1fb : cmp r8, 0C8h 45 | 0x1400db202 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 46 | -------------------------------------------------------------------------------- /handle_out/0xf4.txt: -------------------------------------------------------------------------------- 1 | 0xf4 p_a p_b p_c p_d 2 | 3 | 0xEB97 4 | 5 | *(PULONG64)p_d mul *(PULONG64)p_c; 6 | *(PULONG64)p_a = rdx;//high 7 | *(PULONG64)p_b = rax;//low 8 | 9 | v_mul_oregll_oregll_iregll_iregll 10 | ---------------------------------------- 11 | 12 | 0x1400dafd2 : mov r9, [rbp+8] 13 | 0x1400dafdf : mov r8w, [r9] 14 | 0x1400dafe3 : xor r8w, 0EB97h 15 | 0x1400dafe9 : mov rdx, 0F141C9DDE39EBA8Bh 16 | 0x1400daff3 : not rdx 17 | 0x1400daff6 : lea rdx, [r10+rdx] 18 | 0x1400daffa : movzx r8, r8w 19 | 0x1400daffe : mov rcx, 0EBE36221C614573h 20 | 0x1400db008 : not rcx 21 | 0x1400db00b : add r8, rcx 22 | 0x1400db00e : lea r8, [rdx+r8] p_a = r8 23 | 0x1400db012 : lea r9, [r9+2] 24 | 0x1400db016 : mov cx, [r9] 25 | 0x1400db01a : jmp loc_1400DA7F1 26 | 0x1400da7f2 : xor cx, 0EB97h 27 | 0x1400da7f7 : movzx rcx, cx 28 | 0x1400da7fb : lea rcx, [r10+rcx] p_b = rcx 29 | 0x1400da7ff : lea r9, [r9+2] 30 | 0x1400da803 : mov ax, [r9] 31 | 0x1400da807 : xor ax, 0EB97h 32 | 0x1400da80b : mov rdx, 9A2053A60C3E8DB1h 33 | 0x1400da815 : not rdx 34 | 0x1400da818 : lea rdx, [r10+rdx] 35 | 0x1400da81c : movzx rax, ax 36 | 0x1400da820 : mov rbx, 65DFAC59F3C1724Dh 37 | 0x1400da82a : not rbx 38 | 0x1400da82d : add rax, rbx 39 | 0x1400da830 : lea rax, [rdx+rax] p_c = rax 40 | 0x1400da834 : jmp loc_1400DB514 41 | 0x1400db516 : mov rax, [rax] rax = *(PULONG64)p_c 42 | 0x1400db519 : lea r9, [r9+2] 43 | 
0x1400db51d : mov dx, [r9] 44 | 0x1400db521 : xor dx, 0EB97h 45 | 0x1400db526 : movzx rdx, dx 46 | 0x1400db52a : lea rdx, [r10+rdx] p_d = rdx 47 | 0x1400db52e : mov rdx, [rdx] rdx = *(PULONG64)p_d 48 | 0x1400db531 : mul rdx 49 | 0x1400db53a : mov [r8], rdx *(PULONG64)p_a = rdx high 50 | 0x1400db548 : mov [rcx], rax *(PULONG64)p_b = rax low 51 | 0x1400db550 : lea r9, [r9+2] 52 | 0x1400db557 : jmp loc_1400D7B19 53 | 0x1400d7b1e : mov [rbp+8], r9 54 | 0x1400d7b28 : jmp loc_1400D5C1C 55 | 0x1400d5c1f : mov r9, [rbp+8] 56 | 0x1400d5c2c : mov r8b, [r9] 57 | 0x1400d5c2f : xor r8b, 5Dh 58 | 0x1400d5c33 : jmp loc_1400DABF2 59 | 0x1400dabf4 : mov rdx, 84063C9A3F77C111h 60 | 0x1400dabfe : not rdx 61 | 0x1400dac01 : lea rdx, [r9+rdx] 62 | 0x1400dac05 : mov r9, 7BF9C365C0883EECh 63 | 0x1400dac0f : not r9 64 | 0x1400dac12 : lea r9, [rdx+r9] 65 | 0x1400dac16 : jmp loc_1400D97BF 66 | 0x1400d97c6 : mov [rbp+8], r9 67 | 0x1400d97d0 : movzx r8, r8b 68 | 0x1400d97d4 : sub r8, 1 69 | 0x1400d97d8 : cmp r8, 0C8h 70 | 0x1400d97df : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 71 | -------------------------------------------------------------------------------- /handle_out/0xf8.txt: -------------------------------------------------------------------------------- 1 | 0xf8 a_ULONG64 2 | 3 | 4 | 5 | jmp a_ULONG64; 6 | 7 | v_jmp_ll 8 | ---------------------------------------- 9 | 10 | 0x1400d6916 : mov r9, [rbp+8] 11 | 0x1400d691a : jmp loc_1400D7E46 12 | 0x1400d7e51 : mov r9, [r9] 13 | 0x1400d7e54 : mov r15, 0FFFFFFFFFFFFFFFEh 14 | 0x1400d7e5e : not r15 15 | 0x1400d7e61 : jmp loc_1400D8A6E 16 | 0x1400d8a70 : rdsspq r15 17 | 0x1400d8a75 : cmp r15, 1 18 | 0x1400d8a79 : jz loc_1400DB4C0 19 | 0x1400d8a7f : jmp loc_1400DA701 20 | 0x1400da703 : mov r15, 2 21 | 0x1400da70a : incsspq 
r15 22 | 0x1400da70f : jmp loc_1400DB4C0 23 | 0x1400db4c0 : lea rsp, [rbp+68h] 24 | 0x1400db4c4 : mov r15, [rsp+28h+var_28] 25 | 0x1400db4c8 : jmp loc_1400DB434 26 | 0x1400db436 : lea rsp, [rsp+8] 27 | 0x1400db43b : mov rbp, [rsp+20h+var_20] 28 | 0x1400db43f : lea rsp, [rsp+8] 29 | 0x1400db444 : jmp loc_1400D6209 30 | 0x1400d620a : mov rdi, [rsp+18h+var_18] 31 | 0x1400d620e : lea rsp, [rsp+8] 32 | 0x1400d6213 : mov rsi, [rsp+10h+var_10] 33 | 0x1400d6217 : lea rsp, [rsp+8] 34 | 0x1400d621c : mov rbx, [rsp+8+var_8] 35 | 0x1400d6220 : lea rsp, [rsp+8] 36 | 0x1400d6225 : jmp loc_1400D90B4 37 | 0x1400d90b5 : jmp r9 38 | -------------------------------------------------------------------------------- /handle_out/0xfc.txt: -------------------------------------------------------------------------------- 1 | 0xfc p_a p_b p_c 2 | 3 | 0x8D54 4 | 5 | memset(*(PULONG64)p_a,*(PUCHAR)p_b,*(PULONG64)p_c);//rep stosb 6 | 7 | v_rep stosb_iregll_iregb_iregll 8 | ---------------------------------------- 9 | 10 | 0x1400d9dd8 : mov r9, [rbp+8] 11 | 0x1400d9de5 : mov r8w, [r9] 12 | 0x1400d9de9 : xor r8w, 8D54h 13 | 0x1400d9def : mov rdx, 0AAC26AD03008B2C9h 14 | 0x1400d9df9 : not rdx 15 | 0x1400d9dfc : lea rdx, [r10+rdx] 16 | 0x1400d9e00 : movzx r8, r8w 17 | 0x1400d9e04 : jmp loc_1400DA308 18 | 0x1400da309 : mov rcx, 553D952FCFF74D35h 19 | 0x1400da313 : not rcx 20 | 0x1400da316 : add r8, rcx 21 | 0x1400da319 : lea r8, [rdx+r8] p_a = r8 22 | 0x1400da31d : mov rdi, [r8] rdi =*(PULONG64)p_a 23 | 0x1400da320 : lea r9, [r9+2] 24 | 0x1400da324 : mov ax, [r9] 25 | 0x1400da328 : xor ax, 8D54h 26 | 0x1400da32c : movzx rax, ax 27 | 0x1400da330 : lea rax, [r10+rax] p_b = rax 28 | 0x1400da334 : mov al, [rax] al = *(PUCHAR)p_b 29 | 0x1400da336 : lea r9, [r9+2] 30 | 0x1400da33a : jmp loc_1400D604C 31 | 0x1400d604d : mov cx, [r9] 32 | 0x1400d6051 : xor cx, 8D54h 33 | 0x1400d6056 : mov rdx, 0E46B13057AA208CBh 34 | 0x1400d6060 : not rdx 35 | 0x1400d6063 : lea rdx, [r10+rdx] 36 | 0x1400d6067 : movzx rcx, 
cx 37 | 0x1400d606b : mov rbx, 1B94ECFA855DF733h 38 | 0x1400d6075 : not rbx 39 | 0x1400d6078 : add rcx, rbx 40 | 0x1400d607b : lea rcx, [rdx+rcx] p_c = rcx 41 | 0x1400d607f : jmp loc_1400DA5C6 42 | 0x1400da5c7 : mov rcx, [rcx] rcx = *(PULONG64)p_c 43 | 0x1400da5ca : rep stosb memset(rdi,al,rcx); 44 | 0x1400da5cc : mov [r8], rdi *(PULONG64)p_a = rdi 45 | 0x1400da5cf : lea r9, [r9+2] 46 | 0x1400da5d9 : mov [rbp+8], r9 47 | 0x1400da5e3 : jmp loc_1400D8FEC 48 | 0x1400d8fef : mov r9, [rbp+8] 49 | 0x1400d8ffc : mov r8b, [r9] 50 | 0x1400d8fff : xor r8b, 5Dh 51 | 0x1400d9003 : jmp loc_1400D6A7C 52 | 0x1400d6a7d : mov rdx, 3CF00F6451FA8B0h 53 | 0x1400d6a87 : not rdx 54 | 0x1400d6a8a : lea rdx, [r9+rdx] 55 | 0x1400d6a8e : mov r9, 0FC30FF09BAE0574Dh 56 | 0x1400d6a98 : not r9 57 | 0x1400d6a9b : lea r9, [rdx+r9] 58 | 0x1400d6aa5 : mov [rbp+8], r9 59 | 0x1400d6aa9 : jmp loc_1400DB1EB 60 | 0x1400db1f3 : movzx r8, r8b 61 | 0x1400db1f7 : sub r8, 1 62 | 0x1400db1fb : cmp r8, 0C8h 63 | 0x1400db202 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 64 | -------------------------------------------------------------------------------- /handle_out/0xfd.txt: -------------------------------------------------------------------------------- 1 | 0xfd p_a b_ULONG64 c_ULONG64 2 | 3 | 0xDE5E 4 | 5 | if(*(PUCHAR)p_a == 1) 6 | {V_RIP += b_ULONG64;} 7 | else if(*(PUCHAR)p_a == 0) 8 | {V_RIP += c_ULONG64;} 9 | 10 | v_je_iregb_ll_ll 11 | ---------------------------------------- 12 | 13 | 0x1400d5c7e : mov r9, [rbp+8] 14 | 0x1400d5c8b : mov r8w, [r9] 15 | 0x1400d5c8f : xor r8w, 0DE5Eh 16 | 0x1400d5c95 : mov rdx, 0B5754BD7D4FEA719h 17 | 0x1400d5c9f : not rdx 18 | 0x1400d5ca2 : lea rdx, [r10+rdx] 19 | 0x1400d5ca6 : movzx r8, r8w 20 | 0x1400d5caa : mov rcx, 4A8AB4282B0158E5h 21 | 0x1400d5cb4 
: not rcx 22 | 0x1400d5cb7 : add r8, rcx 23 | 0x1400d5cba : lea r8, [rdx+r8] p_a = r8 24 | 0x1400d5cbe : mov r8b, [r8] r8b = *(PUCHAR)p_a 25 | 0x1400d5cc1 : lea r9, [r9+2] 26 | 0x1400d5cc5 : jmp loc_1400D7AE0 27 | 0x1400d7ae4 : mov rdx, [r9] 28 | 0x1400d7aef : lea r9, [r9+8] b 29 | 0x1400d7af6 : mov rcx, [r9] rcx = b 30 | 0x1400d7b02 : movzx r8, r8b 31 | 0x1400d7b06 : jmp loc_1400DA95B 32 | 0x1400da95d : dec r8 33 | 0x1400da960 : not r8 34 | 0x1400da963 : not r8 35 | 0x1400da966 : xchg rax, r8 36 | 0x1400da968 : not rax 37 | 0x1400da96b : mov r8, rax 38 | 0x1400da96e : not rax 39 | 0x1400da971 : and rdx, r8 40 | 0x1400da974 : and rcx, rax 41 | 0x1400da977 : add rdx, rcx 42 | 0x1400da97a : lea rdx, [r9+rdx] 43 | 0x1400da97e : mov r9, 0CDA111CEFE16D240h 44 | 0x1400da988 : not r9 45 | 0x1400da98b : lea r9, [rdx+r9] 46 | 0x1400da98f : mov r8, 325EEE3101E92DB6h 47 | 0x1400da999 : jmp loc_1400D8255 48 | 0x1400d8257 : not r8 49 | 0x1400d825a : lea r8, [r9+r8] 50 | 0x1400d8264 : mov [rbp+8], r8 51 | 0x1400d826e : jmp loc_1400DAC79 52 | 0x1400dac7c : mov r9, [rbp+8] 53 | 0x1400dac89 : mov r8b, [r9] 54 | 0x1400dac8c : xor r8b, 5Dh 55 | 0x1400dac90 : mov rdx, 0D3676A56DAFF3C65h 56 | 0x1400dac9a : jmp loc_1400D7763 57 | 0x1400d7764 : not rdx 58 | 0x1400d7767 : lea rdx, [r9+rdx] 59 | 0x1400d776b : mov r9, 2C9895A92500C398h 60 | 0x1400d7775 : not r9 61 | 0x1400d7778 : lea r9, [rdx+r9] 62 | 0x1400d777f : jmp loc_1400D5B91 63 | 0x1400d5b95 : mov [rbp+8], r9 64 | 0x1400d5b9e : movzx r8, r8b 65 | 0x1400d5ba2 : sub r8, 1; switch 200 cases 66 | 0x1400d5ba6 : jmp loc_1400D98A8 67 | 0x1400d98aa : cmp r8, 0C8h 68 | 0x1400d98b1 : jnb def_1400D655C; jumptable 00000001400D655C default case, cases 1-6,8,13,14,33-36,38,41-44,49,50,52,54,57-60,62,65-67,69-74,77-80,82,83,85-90,93-96,98-113,115,117,119,121-123,126,128-131,133,134,144-147,149,152-157,159,162-164,166-168,170-177,182,185-193,196-199 69 | -------------------------------------------------------------------------------- 
/picture/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wbaby/xx_tvm/bf8ed8a692f38e078971630f4c223f532d7d8000/picture/0.png -------------------------------------------------------------------------------- /picture/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wbaby/xx_tvm/bf8ed8a692f38e078971630f4c223f532d7d8000/picture/1.png -------------------------------------------------------------------------------- /picture/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wbaby/xx_tvm/bf8ed8a692f38e078971630f4c223f532d7d8000/picture/2.png -------------------------------------------------------------------------------- /picture/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wbaby/xx_tvm/bf8ed8a692f38e078971630f4c223f532d7d8000/picture/3.png -------------------------------------------------------------------------------- /picture/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wbaby/xx_tvm/bf8ed8a692f38e078971630f4c223f532d7d8000/picture/4.png -------------------------------------------------------------------------------- /picture/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wbaby/xx_tvm/bf8ed8a692f38e078971630f4c223f532d7d8000/picture/5.png -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # 还原例子: 2 | 3 | 众所周知 ACE-BASE.sys 的DriverUnload函数是被vm了的,那么我们就用它来看看还原效果: 4 | 5 | ![5](https://github.com/IcEy-999/xx_tvm/blob/main/picture/5.png) 6 | 7 | 不错,很符合我对DriverUnload的想象。 8 | 9 | 左边 命名为 `icxxx` 的函数均为还原成功的函数。 10 | 11 
| # deTvm.py脚本玩法 12 | 13 | 请先给你的`idapython`安装以下的库: 14 | 15 | ```python 16 | import capstone 17 | import keystone 18 | import copy 19 | ``` 20 | 21 | `main0`是对全部ida识别的函数进行特征分析,如果符合tvm函数特征,就对它进行还原。 22 | 23 | 可以算是一键还原全部tvm函数了,有可能有些tvm函数不符合特征,你也可以手动添加还原函数。 24 | 25 | 例如: 26 | 27 | 你知道一个函数`0x140001250`它是被vm的,那么你这么写,脚本就会自动特征识别V_RIP。 28 | 29 | ```python 30 | testTrace = traceTask(0x140001250,tvm0base) #tvm0base是tvm0段的起始地址 31 | testTrace.track(0) #开始跟踪 得到traceCode 32 | testTrace.traceOut() #输出原始traceCode 33 | ``` 34 | 35 | 如果你这个被vm的函数不符合我写的特征,但它确实是tvm的函数,那么可以这么写,自己设置V_RIP: 36 | 37 | ```python 38 | #上一个例子的 函数 0x140001250 它的 V_RIP 就是 0x140059dc2 39 | testTrace = traceTask(0,tvm0base) 40 | testTrace.VStart = 0x140059dc2 #自己找这个vm函数的起始地址 例如V_RIP = 0x140059dc2 41 | testTrace.track(0) #开始跟踪 得到traceCode 42 | testTrace.traceOut() #输出原始traceCode 43 | ``` 44 | 45 | traceOut(0)输出的结果如下:( 基本没做处理) 46 | 47 | ![0](https://github.com/IcEy-999/xx_tvm/blob/main/picture/0.png) 48 | 49 | **如果想看 对标记working的traceCode进行变量溯源的结果,你可以这么写:** 50 | 51 | ```python 52 | testTrace = traceTask(0x140001250,tvm0base) #tvm0base是tvm0段的起始地址 53 | testTrace.track(0) #开始跟踪 得到traceCode 54 | testTrace.VRegRecord(True) #如果是False就是不使用标记(上文说过) 55 | testTrace.tvmToAsmAll.printAll() #输出 56 | ``` 57 | 58 | 输出: 59 | 60 | ![1](https://github.com/IcEy-999/xx_tvm/blob/main/picture/1.png) 61 | 62 | **如果想进一步的进行变量传播优化还有 push、pop 优化,可以这么写:** 63 | 64 | ```python 65 | testTrace = traceTask(0x140001250,tvm0base) #tvm0base是tvm0段的起始地址 66 | testTrace.track(0) #开始跟踪 得到traceCode 67 | testTrace.VRegRecord(True) #如果是False就是不使用标记(上文说过) 68 | testTrace.tvmToAsmAll.optimizeAll() #变量传播优化,push、pop优化 69 | testTrace.tvmToAsmAll.printAll() #输出 70 | ``` 71 | 72 | 输出: 73 | 74 | ![2](https://github.com/IcEy-999/xx_tvm/blob/main/picture/2.png) 75 | 76 | **如果想看还原成 ASM是什么样的,可以这样写:** 77 | 78 | ```python 79 | testTrace = traceTask(0x140001250,tvm0base) #tvm0base是tvm0段的起始地址 80 | testTrace.track(0) #开始跟踪 得到traceCode 81 | testTrace.VRegRecord(True) 
#如果是False就是不使用标记(上文说过) 82 | testTrace.tvmToAsmAll.optimizeAll() #变量传播优化,push、pop优化 83 | testTrace.tvmToAsmAll.AllTvmAsmToAsm() #转换成ASM 注意,一定要VRegRecord + optimizeAll 后才可以调用 84 | testTrace.tvmToAsmAll.printAsmAll() #输出ASM 85 | ``` 86 | 87 | 输出: 88 | 89 | ![3](https://github.com/IcEy-999/xx_tvm/blob/main/picture/3.png) 90 | 91 | **如果想看 tvmToAsm和Asm对应起来的输出,可以这样写:** 92 | 93 | ```python 94 | testTrace = traceTask(0x140001250,tvm0base) #tvm0base是tvm0段的起始地址 95 | testTrace.track(0) #开始跟踪 得到traceCode 96 | testTrace.VRegRecord(True) #如果是False就是不使用标记(上文说过) 97 | testTrace.tvmToAsmAll.optimizeAll() #变量传播优化,push、pop优化 98 | testTrace.tvmToAsmAll.AllTvmAsmToAsm() #转换成ASM 99 | 100 | tvmToAsm_P = testTrace.tvmToAsmAll.tvmToAsmHead #结构为tvmToAsm 101 | while (tvmToAsm_P != None): 102 | tvmToAsm_P.printAsm() #输出Asm 103 | tvmToAsm_P.print() #输出traceCodeAll 104 | print("") #隔开 105 | tvmToAsm_P = tvmToAsm_P.BLink #下一个 106 | ``` 107 | 108 | 输出: 109 | 110 | ![4](https://github.com/IcEy-999/xx_tvm/blob/main/picture/4.png) 111 | 112 | 113 | 114 | # TVMHandleTrace.py 115 | 116 | 去混淆跟踪 tvm函数入口到出口,未对输入表函数做处理。所以跟踪有调用输入表函数的tvm函数会出错。 117 | 118 | 119 | 120 | # TVMHandleOut.py 121 | 122 | 导出全部handle。 --------------------------------------------------------------------------------