feat: Finish work on Anti-Debug + TrollReversers features.

- Ryujin is now fully capable of detecting debuggers from both userland and kernel land.
- Ryujin inserts its detection stub without breaking application logic.
- Ryujin supports two modes:
      - Troll – triggers a BSOD using a Microsoft Windows bug.
      - Normal – simply calls NtTerminateProcess when a debugger is detected.
- This implementation can be improved in the future to handle more advanced detection methods, but it's good for now.
This commit is contained in:
keowu
2025-07-09 10:59:07 -03:00
parent ed224188f7
commit d6caf05940
2 changed files with 683 additions and 205 deletions


@@ -9,8 +9,6 @@ RyujinObfuscationCore::RyujinObfuscationCore(const RyujinObfuscatorConfig& confi
if (!extractUnusedRegisters())
throw std::exception("No registers avaliable for obfuscation...");
}
RyujinProcedure RyujinObfuscationCore::getProcessedProc() {
@@ -846,6 +844,8 @@ void RyujinObfuscationCore::insertAntiDebug() {
for (auto& instr : block.instructions) {
if (isInserted) break;
if (!isInserted) {
auto block_info = findBlockId(instr.instruction.info.opcode, instr.instruction.operands[1].imm.value.u, 2, sizeof(unsigned char));
@@ -854,12 +854,17 @@ void RyujinObfuscationCore::insertAntiDebug() {
auto& data = m_proc.basic_blocks[block_info.first].opcodes[block_info.second];
/*
There is no need to obfuscate the anti-debug stub code. the junk code/mutation itself will handle that during processing.
*/
asmjit::JitRuntime runtime;
asmjit::CodeHolder code;
code.init(runtime.environment());
asmjit::x86::Assembler a(&code);
// First, saving the states
// Push flags
a.pushfq();
@@ -880,191 +885,680 @@ void RyujinObfuscationCore::insertAntiDebug() {
a.push(asmjit::x86::r14);
a.push(asmjit::x86::r15);
/*
Apenas um teste com hello world resolvendo pela PEB para confirmar se vai ser poss<73>vel inserir a stub oculta para detec<65><63>o futura
trabalhando na base/pesquisa da capacidade de fazer esse tipo de feature/capacidade.
*/
std::vector<unsigned char> shellcode = {
// Inserting the technique selected by the user -> Anti-debug with the troll or conventional anti-debug
if (this->m_config.m_isTrollRerversers) {
0x48, 0x81, 0xEC, 0x88, 0x01, 0x00, 0x00, 0x65, 0x48, 0x8B, 0x04, 0x25,
0x60, 0x00, 0x00, 0x00, 0x48, 0x89, 0x84, 0x24, 0x10, 0x01, 0x00, 0x00,
0x48, 0x83, 0xBC, 0x24, 0x10, 0x01, 0x00, 0x00, 0x00, 0x74, 0x0F, 0x48,
0x8B, 0x84, 0x24, 0x10, 0x01, 0x00, 0x00, 0x48, 0x83, 0x78, 0x18, 0x00,
0x75, 0x05, 0xE9, 0xE3, 0x07, 0x00, 0x00, 0xB8, 0x6B, 0x00, 0x00, 0x00,
0x66, 0x89, 0x84, 0x24, 0xF0, 0x00, 0x00, 0x00, 0xB8, 0x65, 0x00, 0x00,
0x00, 0x66, 0x89, 0x84, 0x24, 0xF2, 0x00, 0x00, 0x00, 0xB8, 0x72, 0x00,
0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0xF4, 0x00, 0x00, 0x00, 0xB8, 0x6E,
0x00, 0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0xF6, 0x00, 0x00, 0x00, 0xB8,
0x65, 0x00, 0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0xF8, 0x00, 0x00, 0x00,
0xB8, 0x6C, 0x00, 0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0xFA, 0x00, 0x00,
0x00, 0xB8, 0x33, 0x00, 0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0xFC, 0x00,
0x00, 0x00, 0xB8, 0x32, 0x00, 0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0xFE,
0x00, 0x00, 0x00, 0xB8, 0x2E, 0x00, 0x00, 0x00, 0x66, 0x89, 0x84, 0x24,
0x00, 0x01, 0x00, 0x00, 0xB8, 0x64, 0x00, 0x00, 0x00, 0x66, 0x89, 0x84,
0x24, 0x02, 0x01, 0x00, 0x00, 0xB8, 0x6C, 0x00, 0x00, 0x00, 0x66, 0x89,
0x84, 0x24, 0x04, 0x01, 0x00, 0x00, 0xB8, 0x6C, 0x00, 0x00, 0x00, 0x66,
0x89, 0x84, 0x24, 0x06, 0x01, 0x00, 0x00, 0x33, 0xC0, 0x66, 0x89, 0x84,
0x24, 0x08, 0x01, 0x00, 0x00, 0xC6, 0x44, 0x24, 0x48, 0x4C, 0xC6, 0x44,
0x24, 0x49, 0x6F, 0xC6, 0x44, 0x24, 0x4A, 0x61, 0xC6, 0x44, 0x24, 0x4B,
0x64, 0xC6, 0x44, 0x24, 0x4C, 0x4C, 0xC6, 0x44, 0x24, 0x4D, 0x69, 0xC6,
0x44, 0x24, 0x4E, 0x62, 0xC6, 0x44, 0x24, 0x4F, 0x72, 0xC6, 0x44, 0x24,
0x50, 0x61, 0xC6, 0x44, 0x24, 0x51, 0x72, 0xC6, 0x44, 0x24, 0x52, 0x79,
0xC6, 0x44, 0x24, 0x53, 0x41, 0xC6, 0x44, 0x24, 0x54, 0x00, 0xC6, 0x44,
0x24, 0x58, 0x47, 0xC6, 0x44, 0x24, 0x59, 0x65, 0xC6, 0x44, 0x24, 0x5A,
0x74, 0xC6, 0x44, 0x24, 0x5B, 0x50, 0xC6, 0x44, 0x24, 0x5C, 0x72, 0xC6,
0x44, 0x24, 0x5D, 0x6F, 0xC6, 0x44, 0x24, 0x5E, 0x63, 0xC6, 0x44, 0x24,
0x5F, 0x41, 0xC6, 0x44, 0x24, 0x60, 0x64, 0xC6, 0x44, 0x24, 0x61, 0x64,
0xC6, 0x44, 0x24, 0x62, 0x72, 0xC6, 0x44, 0x24, 0x63, 0x65, 0xC6, 0x44,
0x24, 0x64, 0x73, 0xC6, 0x44, 0x24, 0x65, 0x73, 0xC6, 0x44, 0x24, 0x66,
0x00, 0xC6, 0x44, 0x24, 0x68, 0x75, 0xC6, 0x44, 0x24, 0x69, 0x73, 0xC6,
0x44, 0x24, 0x6A, 0x65, 0xC6, 0x44, 0x24, 0x6B, 0x72, 0xC6, 0x44, 0x24,
0x6C, 0x33, 0xC6, 0x44, 0x24, 0x6D, 0x32, 0xC6, 0x44, 0x24, 0x6E, 0x2E,
0xC6, 0x44, 0x24, 0x6F, 0x64, 0xC6, 0x44, 0x24, 0x70, 0x6C, 0xC6, 0x44,
0x24, 0x71, 0x6C, 0xC6, 0x44, 0x24, 0x72, 0x00, 0xC6, 0x44, 0x24, 0x78,
0x4D, 0xC6, 0x44, 0x24, 0x79, 0x65, 0xC6, 0x44, 0x24, 0x7A, 0x73, 0xC6,
0x44, 0x24, 0x7B, 0x73, 0xC6, 0x44, 0x24, 0x7C, 0x61, 0xC6, 0x44, 0x24,
0x7D, 0x67, 0xC6, 0x44, 0x24, 0x7E, 0x65, 0xC6, 0x44, 0x24, 0x7F, 0x42,
0xC6, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x6F, 0xC6, 0x84, 0x24, 0x81,
0x00, 0x00, 0x00, 0x78, 0xC6, 0x84, 0x24, 0x82, 0x00, 0x00, 0x00, 0x41,
0xC6, 0x84, 0x24, 0x83, 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7, 0x84, 0x24,
0xE0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7, 0x84, 0x24,
0xE8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24,
0x10, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x18, 0x48, 0x83, 0xC0, 0x28,
0x48, 0x89, 0x84, 0x24, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24,
0x18, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x00, 0x48, 0x89, 0x84, 0x24, 0xB8,
0x00, 0x00, 0x00, 0xEB, 0x13, 0x48, 0x8B, 0x84, 0x24, 0xB8, 0x00, 0x00,
0x00, 0x48, 0x8B, 0x00, 0x48, 0x89, 0x84, 0x24, 0xB8, 0x00, 0x00, 0x00,
0x48, 0x8B, 0x84, 0x24, 0x18, 0x01, 0x00, 0x00, 0x48, 0x39, 0x84, 0x24,
0xB8, 0x00, 0x00, 0x00, 0x0F, 0x84, 0x14, 0x04, 0x00, 0x00, 0x48, 0x8B,
0x84, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0x83, 0xE8, 0x10, 0x48, 0x89,
0x84, 0x24, 0xC8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0xC8, 0x00,
0x00, 0x00, 0x48, 0x83, 0x78, 0x60, 0x00, 0x75, 0x02, 0xEB, 0xB2, 0x48,
0x8B, 0x84, 0x24, 0xC8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x60, 0x48,
0x89, 0x84, 0x24, 0x50, 0x01, 0x00, 0x00, 0x48, 0x8D, 0x84, 0x24, 0xF0,
0x00, 0x00, 0x00, 0x48, 0x89, 0x84, 0x24, 0x58, 0x01, 0x00, 0x00, 0xC6,
0x44, 0x24, 0x20, 0x01, 0x48, 0x8B, 0x84, 0x24, 0xC8, 0x00, 0x00, 0x00,
0x0F, 0xB7, 0x40, 0x58, 0x33, 0xD2, 0xB9, 0x02, 0x00, 0x00, 0x00, 0x48,
0xF7, 0xF1, 0x66, 0x89, 0x84, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x48, 0x8D,
0x84, 0x24, 0xF0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x84, 0x24, 0x48, 0x01,
0x00, 0x00, 0x48, 0xC7, 0x84, 0x24, 0xC0, 0x00, 0x00, 0x00, 0xFF, 0xFF,
0xFF, 0xFF, 0x48, 0xFF, 0x84, 0x24, 0xC0, 0x00, 0x00, 0x00, 0x48, 0x8B,
0x84, 0x24, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x8C, 0x24, 0xC0, 0x00,
0x00, 0x00, 0x66, 0x83, 0x3C, 0x48, 0x00, 0x75, 0xE1, 0x48, 0x8B, 0x84,
0x24, 0xC0, 0x00, 0x00, 0x00, 0x66, 0x89, 0x44, 0x24, 0x3C, 0x0F, 0xB7,
0x84, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x0F, 0xB7, 0x4C, 0x24, 0x3C, 0x3B,
0xC1, 0x74, 0x05, 0xE9, 0x0D, 0xFF, 0xFF, 0xFF, 0x33, 0xC0, 0x66, 0x89,
0x44, 0x24, 0x24, 0xEB, 0x0D, 0x0F, 0xB7, 0x44, 0x24, 0x24, 0x66, 0xFF,
0xC0, 0x66, 0x89, 0x44, 0x24, 0x24, 0x0F, 0xB7, 0x44, 0x24, 0x24, 0x0F,
0xB7, 0x4C, 0x24, 0x3C, 0x3B, 0xC1, 0x0F, 0x8D, 0x88, 0x00, 0x00, 0x00,
0x0F, 0xB7, 0x44, 0x24, 0x24, 0x48, 0x8B, 0x8C, 0x24, 0x50, 0x01, 0x00,
0x00, 0x0F, 0xB7, 0x04, 0x41, 0x66, 0x89, 0x44, 0x24, 0x28, 0x0F, 0xB7,
0x44, 0x24, 0x24, 0x48, 0x8B, 0x8C, 0x24, 0x58, 0x01, 0x00, 0x00, 0x0F,
0xB7, 0x04, 0x41, 0x66, 0x89, 0x44, 0x24, 0x2C, 0x0F, 0xB7, 0x44, 0x24,
0x28, 0x83, 0xF8, 0x41, 0x7C, 0x17, 0x0F, 0xB7, 0x44, 0x24, 0x28, 0x83,
0xF8, 0x5A, 0x7F, 0x0D, 0x0F, 0xB7, 0x44, 0x24, 0x28, 0x83, 0xC0, 0x20,
0x66, 0x89, 0x44, 0x24, 0x28, 0x0F, 0xB7, 0x44, 0x24, 0x2C, 0x83, 0xF8,
0x41, 0x7C, 0x17, 0x0F, 0xB7, 0x44, 0x24, 0x2C, 0x83, 0xF8, 0x5A, 0x7F,
0x0D, 0x0F, 0xB7, 0x44, 0x24, 0x2C, 0x83, 0xC0, 0x20, 0x66, 0x89, 0x44,
0x24, 0x2C, 0x0F, 0xB7, 0x44, 0x24, 0x28, 0x0F, 0xB7, 0x4C, 0x24, 0x2C,
0x3B, 0xC1, 0x74, 0x07, 0xC6, 0x44, 0x24, 0x20, 0x00, 0xEB, 0x05, 0xE9,
0x59, 0xFF, 0xFF, 0xFF, 0x0F, 0xB6, 0x44, 0x24, 0x20, 0x85, 0xC0, 0x75,
0x05, 0xE9, 0x4F, 0xFE, 0xFF, 0xFF, 0x48, 0x8B, 0x84, 0x24, 0xC8, 0x00,
0x00, 0x00, 0x48, 0x8B, 0x40, 0x30, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48,
0x8B, 0x44, 0x24, 0x40, 0x48, 0x89, 0x84, 0x24, 0x60, 0x01, 0x00, 0x00,
0x48, 0x8B, 0x84, 0x24, 0x60, 0x01, 0x00, 0x00, 0x48, 0x63, 0x40, 0x3C,
0x48, 0x8B, 0x4C, 0x24, 0x40, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48,
0x89, 0x84, 0x24, 0x68, 0x01, 0x00, 0x00, 0xB8, 0x08, 0x00, 0x00, 0x00,
0x48, 0x6B, 0xC0, 0x00, 0x48, 0x8B, 0x8C, 0x24, 0x68, 0x01, 0x00, 0x00,
0x48, 0x8D, 0x84, 0x01, 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x84, 0x24,
0x20, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x20, 0x01, 0x00, 0x00,
0x83, 0x38, 0x00, 0x75, 0x05, 0xE9, 0xCC, 0x03, 0x00, 0x00, 0x48, 0x8B,
0x84, 0x24, 0x20, 0x01, 0x00, 0x00, 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24,
0x40, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0xD0,
0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0xD0, 0x00, 0x00, 0x00, 0x8B,
0x40, 0x20, 0x48, 0x8B, 0x4C, 0x24, 0x40, 0x48, 0x03, 0xC8, 0x48, 0x8B,
0xC1, 0x48, 0x89, 0x84, 0x24, 0x70, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x84,
0x24, 0xD0, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x24, 0x48, 0x8B, 0x4C, 0x24,
0x40, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x28,
0x01, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0xD0, 0x00, 0x00, 0x00, 0x8B,
0x40, 0x1C, 0x48, 0x8B, 0x4C, 0x24, 0x40, 0x48, 0x03, 0xC8, 0x48, 0x8B,
0xC1, 0x48, 0x89, 0x84, 0x24, 0x30, 0x01, 0x00, 0x00, 0xC7, 0x44, 0x24,
0x38, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x38, 0xFF,
0xC0, 0x89, 0x44, 0x24, 0x38, 0x48, 0x8B, 0x84, 0x24, 0xD0, 0x00, 0x00,
0x00, 0x8B, 0x40, 0x18, 0x39, 0x44, 0x24, 0x38, 0x0F, 0x83, 0x75, 0x01,
0x00, 0x00, 0x8B, 0x44, 0x24, 0x38, 0x48, 0x8B, 0x8C, 0x24, 0x70, 0x01,
0x00, 0x00, 0x8B, 0x04, 0x81, 0x48, 0x8B, 0x4C, 0x24, 0x40, 0x48, 0x03,
0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0xD8, 0x00, 0x00, 0x00,
0xC6, 0x44, 0x24, 0x21, 0x01, 0xC7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00,
0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x30, 0xFF, 0xC0, 0x89, 0x44, 0x24,
0x30, 0x48, 0x63, 0x44, 0x24, 0x30, 0x0F, 0xBE, 0x44, 0x04, 0x48, 0x85,
0xC0, 0x75, 0x15, 0x48, 0x63, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x8C, 0x24,
0xD8, 0x00, 0x00, 0x00, 0x0F, 0xBE, 0x04, 0x01, 0x85, 0xC0, 0x74, 0x28,
0x48, 0x63, 0x44, 0x24, 0x30, 0x0F, 0xBE, 0x44, 0x04, 0x48, 0x48, 0x63,
0x4C, 0x24, 0x30, 0x48, 0x8B, 0x94, 0x24, 0xD8, 0x00, 0x00, 0x00, 0x0F,
0xBE, 0x0C, 0x0A, 0x3B, 0xC1, 0x74, 0x07, 0xC6, 0x44, 0x24, 0x21, 0x00,
0xEB, 0x02, 0xEB, 0xAB, 0x0F, 0xB6, 0x44, 0x24, 0x21, 0x85, 0xC0, 0x74,
0x2E, 0x8B, 0x44, 0x24, 0x38, 0x48, 0x8B, 0x8C, 0x24, 0x28, 0x01, 0x00,
0x00, 0x0F, 0xB7, 0x04, 0x41, 0x48, 0x8B, 0x8C, 0x24, 0x30, 0x01, 0x00,
0x00, 0x8B, 0x04, 0x81, 0x48, 0x8B, 0x4C, 0x24, 0x40, 0x48, 0x03, 0xC8,
0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0xC6,
0x44, 0x24, 0x22, 0x01, 0xC7, 0x44, 0x24, 0x34, 0x00, 0x00, 0x00, 0x00,
0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x34, 0xFF, 0xC0, 0x89, 0x44, 0x24, 0x34,
0x48, 0x63, 0x44, 0x24, 0x34, 0x0F, 0xBE, 0x44, 0x04, 0x58, 0x85, 0xC0,
0x75, 0x15, 0x48, 0x63, 0x44, 0x24, 0x34, 0x48, 0x8B, 0x8C, 0x24, 0xD8,
0x00, 0x00, 0x00, 0x0F, 0xBE, 0x04, 0x01, 0x85, 0xC0, 0x74, 0x28, 0x48,
0x63, 0x44, 0x24, 0x34, 0x0F, 0xBE, 0x44, 0x04, 0x58, 0x48, 0x63, 0x4C,
0x24, 0x34, 0x48, 0x8B, 0x94, 0x24, 0xD8, 0x00, 0x00, 0x00, 0x0F, 0xBE,
0x0C, 0x0A, 0x3B, 0xC1, 0x74, 0x07, 0xC6, 0x44, 0x24, 0x22, 0x00, 0xEB,
0x02, 0xEB, 0xAB, 0x0F, 0xB6, 0x44, 0x24, 0x22, 0x85, 0xC0, 0x74, 0x2E,
0x8B, 0x44, 0x24, 0x38, 0x48, 0x8B, 0x8C, 0x24, 0x28, 0x01, 0x00, 0x00,
0x0F, 0xB7, 0x04, 0x41, 0x48, 0x8B, 0x8C, 0x24, 0x30, 0x01, 0x00, 0x00,
0x8B, 0x04, 0x81, 0x48, 0x8B, 0x4C, 0x24, 0x40, 0x48, 0x03, 0xC8, 0x48,
0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0xE8, 0x00, 0x00, 0x00, 0x48, 0x83,
0xBC, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x74, 0x0D, 0x48, 0x83, 0xBC,
0x24, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x74, 0x02, 0xEB, 0x05, 0xE9, 0x6C,
0xFE, 0xFF, 0xFF, 0xEB, 0x05, 0xE9, 0xC3, 0xFB, 0xFF, 0xFF, 0x48, 0x83,
0xBC, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x74, 0x0B, 0x48, 0x83, 0xBC,
0x24, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x75, 0x05, 0xE9, 0x95, 0x01, 0x00,
0x00, 0x48, 0x8D, 0x4C, 0x24, 0x68, 0xFF, 0x94, 0x24, 0xE0, 0x00, 0x00,
0x00, 0x48, 0x89, 0x84, 0x24, 0x38, 0x01, 0x00, 0x00, 0x48, 0x83, 0xBC,
0x24, 0x38, 0x01, 0x00, 0x00, 0x00, 0x75, 0x05, 0xE9, 0x71, 0x01, 0x00,
0x00, 0x48, 0x8D, 0x54, 0x24, 0x78, 0x48, 0x8B, 0x8C, 0x24, 0x38, 0x01,
0x00, 0x00, 0xFF, 0x94, 0x24, 0xE8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x84,
0x24, 0x40, 0x01, 0x00, 0x00, 0x48, 0x83, 0xBC, 0x24, 0x40, 0x01, 0x00,
0x00, 0x00, 0x75, 0x05, 0xE9, 0x45, 0x01, 0x00, 0x00, 0xC6, 0x84, 0x24,
0x98, 0x00, 0x00, 0x00, 0x48, 0xC6, 0x84, 0x24, 0x99, 0x00, 0x00, 0x00,
0x65, 0xC6, 0x84, 0x24, 0x9A, 0x00, 0x00, 0x00, 0x6C, 0xC6, 0x84, 0x24,
0x9B, 0x00, 0x00, 0x00, 0x6C, 0xC6, 0x84, 0x24, 0x9C, 0x00, 0x00, 0x00,
0x6F, 0xC6, 0x84, 0x24, 0x9D, 0x00, 0x00, 0x00, 0x20, 0xC6, 0x84, 0x24,
0x9E, 0x00, 0x00, 0x00, 0x66, 0xC6, 0x84, 0x24, 0x9F, 0x00, 0x00, 0x00,
0x72, 0xC6, 0x84, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x6F, 0xC6, 0x84, 0x24,
0xA1, 0x00, 0x00, 0x00, 0x6D, 0xC6, 0x84, 0x24, 0xA2, 0x00, 0x00, 0x00,
0x20, 0xC6, 0x84, 0x24, 0xA3, 0x00, 0x00, 0x00, 0x73, 0xC6, 0x84, 0x24,
0xA4, 0x00, 0x00, 0x00, 0x68, 0xC6, 0x84, 0x24, 0xA5, 0x00, 0x00, 0x00,
0x65, 0xC6, 0x84, 0x24, 0xA6, 0x00, 0x00, 0x00, 0x6C, 0xC6, 0x84, 0x24,
0xA7, 0x00, 0x00, 0x00, 0x6C, 0xC6, 0x84, 0x24, 0xA8, 0x00, 0x00, 0x00,
0x63, 0xC6, 0x84, 0x24, 0xA9, 0x00, 0x00, 0x00, 0x6F, 0xC6, 0x84, 0x24,
0xAA, 0x00, 0x00, 0x00, 0x64, 0xC6, 0x84, 0x24, 0xAB, 0x00, 0x00, 0x00,
0x65, 0xC6, 0x84, 0x24, 0xAC, 0x00, 0x00, 0x00, 0x00, 0xC6, 0x84, 0x24,
0x88, 0x00, 0x00, 0x00, 0x53, 0xC6, 0x84, 0x24, 0x89, 0x00, 0x00, 0x00,
0x68, 0xC6, 0x84, 0x24, 0x8A, 0x00, 0x00, 0x00, 0x65, 0xC6, 0x84, 0x24,
0x8B, 0x00, 0x00, 0x00, 0x6C, 0xC6, 0x84, 0x24, 0x8C, 0x00, 0x00, 0x00,
0x6C, 0xC6, 0x84, 0x24, 0x8D, 0x00, 0x00, 0x00, 0x63, 0xC6, 0x84, 0x24,
0x8E, 0x00, 0x00, 0x00, 0x6F, 0xC6, 0x84, 0x24, 0x8F, 0x00, 0x00, 0x00,
0x64, 0xC6, 0x84, 0x24, 0x90, 0x00, 0x00, 0x00, 0x65, 0xC6, 0x84, 0x24,
0x91, 0x00, 0x00, 0x00, 0x20, 0xC6, 0x84, 0x24, 0x92, 0x00, 0x00, 0x00,
0x41, 0xC6, 0x84, 0x24, 0x93, 0x00, 0x00, 0x00, 0x6C, 0xC6, 0x84, 0x24,
0x94, 0x00, 0x00, 0x00, 0x65, 0xC6, 0x84, 0x24, 0x95, 0x00, 0x00, 0x00,
0x72, 0xC6, 0x84, 0x24, 0x96, 0x00, 0x00, 0x00, 0x74, 0xC6, 0x84, 0x24,
0x97, 0x00, 0x00, 0x00, 0x00, 0x45, 0x33, 0xC9, 0x4C, 0x8D, 0x84, 0x24,
0x88, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x94, 0x24, 0x98, 0x00, 0x00, 0x00,
0x33, 0xC9, 0xFF, 0x94, 0x24, 0x40, 0x01, 0x00, 0x00, 0x90, 0x48, 0x81,
0xC4, 0x88, 0x01, 0x00, 0x00
// IstrollReversers is the conventional anti-debug but with the capability to trigger a blue screen via hard error
};
std::printf("Run m_isAntiDebug + m_isTrollRerversers\n");
a.embed(shellcode.data(), shellcode.size());
std::vector<unsigned char> antidebugWithTrollShellcode = {
/*
#pragma optimize("", off)
__declspec(noinline) __declspec(safebuffers) void detectWithTroll() {
#ifdef _M_X64
auto* peb = reinterpret_cast<PEB*>(__readgsqword(0x60));
#else
auto* peb = reinterpret_cast<PEB*>(__readfsdword(0x30));
#endif
if (!peb || !peb->Ldr) return;
char nameAdj[] { 'R','t','l','A','d','j','u','s','t','P','r','i','v','i','l','e','g','e',0 };
char nameHard[] { 'N','t','R','a','i','s','e','H','a','r','d','E','r','r','o','r',0 };
char nameDbg[] { 'N','t','S','y','s','t','e','m','D','e','b','u','g','C','o','n','t','r','o','l',0 };
char nameQsi[] { 'N','t','Q','u','e','r','y','S','y','s','t','e','m','I','n','f','o','r','m','a','t','i','o','n',0 };
wchar_t nameDll[] { 'n','t','d','l','l','.','d','l','l',0 };
auto* head = &peb->Ldr->InMemoryOrderModuleList;
for (auto* link = head->Flink; link != head; link = link->Flink) {
auto* entry = CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
auto* a = entry->BaseDllName.Buffer;
auto* b = nameDll;
bool matched = true;
auto lenA = entry->BaseDllName.Length / sizeof(WCHAR);
auto lenB = static_cast<USHORT>(wcslen(nameDll));
if (lenA != lenB) continue;
for (auto i = 0; i < lenB; i++) {
auto ca = a[i], cb = b[i];
if (ca >= 'A' && ca <= 'Z') ca += 0x20;
if (cb >= 'A' && cb <= 'Z') cb += 0x20;
if (ca != cb) { matched = false; break; }
}
if (!matched) continue;
auto* base = reinterpret_cast<BYTE*>(entry->DllBase);
auto* dos = reinterpret_cast<IMAGE_DOS_HEADER*>(base);
auto* nt = reinterpret_cast<IMAGE_NT_HEADERS*>(base + dos->e_lfanew);
auto& ed = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
if (!ed.VirtualAddress) return;
auto* exp = reinterpret_cast<IMAGE_EXPORT_DIRECTORY*>(base + ed.VirtualAddress);
auto* names = reinterpret_cast<DWORD*>(base + exp->AddressOfNames);
auto* ords = reinterpret_cast<DWORD*>(base + exp->AddressOfNameOrdinals);
auto* funcs = reinterpret_cast<DWORD*>(base + exp->AddressOfFunctions);
RtlAdjustPrivilege_t pAdj = nullptr;
NtRaiseHardError_t pHard = nullptr;
NtSystemDebugControl_t pDbgCtrl = nullptr;
NtQuerySystemInformation_t pQsi = nullptr;
for (auto i = 0; i < exp->NumberOfNames; i++) {
auto* fn = reinterpret_cast<char*>(base + names[i]);
bool matchAdj = true;
for (auto j = 0; nameAdj[j] || fn[j]; j++)
if (nameAdj[j] != fn[j]) { matchAdj = false; break; }
if (matchAdj) pAdj = reinterpret_cast<RtlAdjustPrivilege_t>(base + funcs[ords[i]]);
bool matchHard = true;
for (auto j = 0; nameHard[j] || fn[j]; j++)
if (nameHard[j] != fn[j]) { matchHard = false; break; }
if (matchHard) pHard = reinterpret_cast<NtRaiseHardError_t>(base + funcs[ords[i]]);
bool matchDbg = true;
for (auto j = 0; nameDbg[j] || fn[j]; j++)
if (nameDbg[j] != fn[j]) { matchDbg = false; break; }
if (matchDbg) pDbgCtrl = reinterpret_cast<NtSystemDebugControl_t>(base + funcs[ords[i]]);
bool matchQsi = true;
for (auto j = 0; nameQsi[j] || fn[j]; j++)
if (nameQsi[j] != fn[j]) { matchQsi = false; break; }
if (matchQsi) pQsi = reinterpret_cast<NtQuerySystemInformation_t>(base + funcs[ords[i]]);
if (pAdj && pHard && pDbgCtrl && pQsi) break;
}
if (!pAdj || !pHard || !pDbgCtrl || !pQsi) return;
BOOLEAN enabled = FALSE;
ULONG resp = 0;
// Calling detections
auto status = pDbgCtrl(SysDbgCheckLowMemory, 0, 0, 0, 0, 0);
if (status != STATUS_DEBUGGER_INACTIVE && status != STATUS_NOT_IMPLEMENTED) goto detected;
SYSTEM_KERNEL_DEBUGGER_INFORMATION KdDebuggerInfo;
status = pQsi(SystemKernelDebuggerInformation, &KdDebuggerInfo, sizeof(SYSTEM_KERNEL_DEBUGGER_INFORMATION), NULL);
if (NT_SUCCESS(status)) if (KdDebuggerInfo.KernelDebuggerEnabled || !KdDebuggerInfo.KernelDebuggerNotPresent) goto detected;
if (peb->BeingDebugged) goto detected; // Is this a meme Keowu ? yes!
goto no_detected;
detected:
if (NT_SUCCESS(pAdj(19, TRUE, FALSE, &enabled)))
pHard(STATUS_FLOAT_MULTIPLE_FAULTS, 0, 0, nullptr, 6, &resp);
no_detected:
return;
}
}
#pragma optimize("", on)
*/
0x48, 0x81, 0xEC, 0xC8, 0x01, 0x00, 0x00, 0x65, 0x48, 0x8B, 0x04, 0x25,
0x60, 0x00, 0x00, 0x00, 0x48, 0x89, 0x84, 0x24, 0x20, 0x01, 0x00, 0x00,
0x48, 0x83, 0xBC, 0x24, 0x20, 0x01, 0x00, 0x00, 0x00, 0x74, 0x0F, 0x48,
0x8B, 0x84, 0x24, 0x20, 0x01, 0x00, 0x00, 0x48, 0x83, 0x78, 0x18, 0x00,
0x75, 0x05, 0xE9, 0x1B, 0x0A, 0x00, 0x00, 0xC6, 0x84, 0x24, 0x98, 0x00,
0x00, 0x00, 0x52, 0xC6, 0x84, 0x24, 0x99, 0x00, 0x00, 0x00, 0x74, 0xC6,
0x84, 0x24, 0x9A, 0x00, 0x00, 0x00, 0x6C, 0xC6, 0x84, 0x24, 0x9B, 0x00,
0x00, 0x00, 0x41, 0xC6, 0x84, 0x24, 0x9C, 0x00, 0x00, 0x00, 0x64, 0xC6,
0x84, 0x24, 0x9D, 0x00, 0x00, 0x00, 0x6A, 0xC6, 0x84, 0x24, 0x9E, 0x00,
0x00, 0x00, 0x75, 0xC6, 0x84, 0x24, 0x9F, 0x00, 0x00, 0x00, 0x73, 0xC6,
0x84, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x74, 0xC6, 0x84, 0x24, 0xA1, 0x00,
0x00, 0x00, 0x50, 0xC6, 0x84, 0x24, 0xA2, 0x00, 0x00, 0x00, 0x72, 0xC6,
0x84, 0x24, 0xA3, 0x00, 0x00, 0x00, 0x69, 0xC6, 0x84, 0x24, 0xA4, 0x00,
0x00, 0x00, 0x76, 0xC6, 0x84, 0x24, 0xA5, 0x00, 0x00, 0x00, 0x69, 0xC6,
0x84, 0x24, 0xA6, 0x00, 0x00, 0x00, 0x6C, 0xC6, 0x84, 0x24, 0xA7, 0x00,
0x00, 0x00, 0x65, 0xC6, 0x84, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x67, 0xC6,
0x84, 0x24, 0xA9, 0x00, 0x00, 0x00, 0x65, 0xC6, 0x84, 0x24, 0xAA, 0x00,
0x00, 0x00, 0x00, 0xC6, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x4E, 0xC6,
0x84, 0x24, 0x81, 0x00, 0x00, 0x00, 0x74, 0xC6, 0x84, 0x24, 0x82, 0x00,
0x00, 0x00, 0x52, 0xC6, 0x84, 0x24, 0x83, 0x00, 0x00, 0x00, 0x61, 0xC6,
0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x69, 0xC6, 0x84, 0x24, 0x85, 0x00,
0x00, 0x00, 0x73, 0xC6, 0x84, 0x24, 0x86, 0x00, 0x00, 0x00, 0x65, 0xC6,
0x84, 0x24, 0x87, 0x00, 0x00, 0x00, 0x48, 0xC6, 0x84, 0x24, 0x88, 0x00,
0x00, 0x00, 0x61, 0xC6, 0x84, 0x24, 0x89, 0x00, 0x00, 0x00, 0x72, 0xC6,
0x84, 0x24, 0x8A, 0x00, 0x00, 0x00, 0x64, 0xC6, 0x84, 0x24, 0x8B, 0x00,
0x00, 0x00, 0x45, 0xC6, 0x84, 0x24, 0x8C, 0x00, 0x00, 0x00, 0x72, 0xC6,
0x84, 0x24, 0x8D, 0x00, 0x00, 0x00, 0x72, 0xC6, 0x84, 0x24, 0x8E, 0x00,
0x00, 0x00, 0x6F, 0xC6, 0x84, 0x24, 0x8F, 0x00, 0x00, 0x00, 0x72, 0xC6,
0x84, 0x24, 0x90, 0x00, 0x00, 0x00, 0x00, 0xC6, 0x84, 0x24, 0xB0, 0x00,
0x00, 0x00, 0x4E, 0xC6, 0x84, 0x24, 0xB1, 0x00, 0x00, 0x00, 0x74, 0xC6,
0x84, 0x24, 0xB2, 0x00, 0x00, 0x00, 0x53, 0xC6, 0x84, 0x24, 0xB3, 0x00,
0x00, 0x00, 0x79, 0xC6, 0x84, 0x24, 0xB4, 0x00, 0x00, 0x00, 0x73, 0xC6,
0x84, 0x24, 0xB5, 0x00, 0x00, 0x00, 0x74, 0xC6, 0x84, 0x24, 0xB6, 0x00,
0x00, 0x00, 0x65, 0xC6, 0x84, 0x24, 0xB7, 0x00, 0x00, 0x00, 0x6D, 0xC6,
0x84, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x44, 0xC6, 0x84, 0x24, 0xB9, 0x00,
0x00, 0x00, 0x65, 0xC6, 0x84, 0x24, 0xBA, 0x00, 0x00, 0x00, 0x62, 0xC6,
0x84, 0x24, 0xBB, 0x00, 0x00, 0x00, 0x75, 0xC6, 0x84, 0x24, 0xBC, 0x00,
0x00, 0x00, 0x67, 0xC6, 0x84, 0x24, 0xBD, 0x00, 0x00, 0x00, 0x43, 0xC6,
0x84, 0x24, 0xBE, 0x00, 0x00, 0x00, 0x6F, 0xC6, 0x84, 0x24, 0xBF, 0x00,
0x00, 0x00, 0x6E, 0xC6, 0x84, 0x24, 0xC0, 0x00, 0x00, 0x00, 0x74, 0xC6,
0x84, 0x24, 0xC1, 0x00, 0x00, 0x00, 0x72, 0xC6, 0x84, 0x24, 0xC2, 0x00,
0x00, 0x00, 0x6F, 0xC6, 0x84, 0x24, 0xC3, 0x00, 0x00, 0x00, 0x6C, 0xC6,
0x84, 0x24, 0xC4, 0x00, 0x00, 0x00, 0x00, 0xC6, 0x84, 0x24, 0xC8, 0x00,
0x00, 0x00, 0x4E, 0xC6, 0x84, 0x24, 0xC9, 0x00, 0x00, 0x00, 0x74, 0xC6,
0x84, 0x24, 0xCA, 0x00, 0x00, 0x00, 0x51, 0xC6, 0x84, 0x24, 0xCB, 0x00,
0x00, 0x00, 0x75, 0xC6, 0x84, 0x24, 0xCC, 0x00, 0x00, 0x00, 0x65, 0xC6,
0x84, 0x24, 0xCD, 0x00, 0x00, 0x00, 0x72, 0xC6, 0x84, 0x24, 0xCE, 0x00,
0x00, 0x00, 0x79, 0xC6, 0x84, 0x24, 0xCF, 0x00, 0x00, 0x00, 0x53, 0xC6,
0x84, 0x24, 0xD0, 0x00, 0x00, 0x00, 0x79, 0xC6, 0x84, 0x24, 0xD1, 0x00,
0x00, 0x00, 0x73, 0xC6, 0x84, 0x24, 0xD2, 0x00, 0x00, 0x00, 0x74, 0xC6,
0x84, 0x24, 0xD3, 0x00, 0x00, 0x00, 0x65, 0xC6, 0x84, 0x24, 0xD4, 0x00,
0x00, 0x00, 0x6D, 0xC6, 0x84, 0x24, 0xD5, 0x00, 0x00, 0x00, 0x49, 0xC6,
0x84, 0x24, 0xD6, 0x00, 0x00, 0x00, 0x6E, 0xC6, 0x84, 0x24, 0xD7, 0x00,
0x00, 0x00, 0x66, 0xC6, 0x84, 0x24, 0xD8, 0x00, 0x00, 0x00, 0x6F, 0xC6,
0x84, 0x24, 0xD9, 0x00, 0x00, 0x00, 0x72, 0xC6, 0x84, 0x24, 0xDA, 0x00,
0x00, 0x00, 0x6D, 0xC6, 0x84, 0x24, 0xDB, 0x00, 0x00, 0x00, 0x61, 0xC6,
0x84, 0x24, 0xDC, 0x00, 0x00, 0x00, 0x74, 0xC6, 0x84, 0x24, 0xDD, 0x00,
0x00, 0x00, 0x69, 0xC6, 0x84, 0x24, 0xDE, 0x00, 0x00, 0x00, 0x6F, 0xC6,
0x84, 0x24, 0xDF, 0x00, 0x00, 0x00, 0x6E, 0xC6, 0x84, 0x24, 0xE0, 0x00,
0x00, 0x00, 0x00, 0xB8, 0x6E, 0x00, 0x00, 0x00, 0x66, 0x89, 0x84, 0x24,
0x40, 0x01, 0x00, 0x00, 0xB8, 0x74, 0x00, 0x00, 0x00, 0x66, 0x89, 0x84,
0x24, 0x42, 0x01, 0x00, 0x00, 0xB8, 0x64, 0x00, 0x00, 0x00, 0x66, 0x89,
0x84, 0x24, 0x44, 0x01, 0x00, 0x00, 0xB8, 0x6C, 0x00, 0x00, 0x00, 0x66,
0x89, 0x84, 0x24, 0x46, 0x01, 0x00, 0x00, 0xB8, 0x6C, 0x00, 0x00, 0x00,
0x66, 0x89, 0x84, 0x24, 0x48, 0x01, 0x00, 0x00, 0xB8, 0x2E, 0x00, 0x00,
0x00, 0x66, 0x89, 0x84, 0x24, 0x4A, 0x01, 0x00, 0x00, 0xB8, 0x64, 0x00,
0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0x4C, 0x01, 0x00, 0x00, 0xB8, 0x6C,
0x00, 0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0x4E, 0x01, 0x00, 0x00, 0xB8,
0x6C, 0x00, 0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0x50, 0x01, 0x00, 0x00,
0x33, 0xC0, 0x66, 0x89, 0x84, 0x24, 0x52, 0x01, 0x00, 0x00, 0x48, 0x8B,
0x84, 0x24, 0x20, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x18, 0x48, 0x83,
0xC0, 0x28, 0x48, 0x89, 0x84, 0x24, 0x70, 0x01, 0x00, 0x00, 0x48, 0x8B,
0x84, 0x24, 0x70, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x00, 0x48, 0x89, 0x84,
0x24, 0x38, 0x01, 0x00, 0x00, 0xEB, 0x13, 0x48, 0x8B, 0x84, 0x24, 0x38,
0x01, 0x00, 0x00, 0x48, 0x8B, 0x00, 0x48, 0x89, 0x84, 0x24, 0x38, 0x01,
0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x70, 0x01, 0x00, 0x00, 0x48, 0x39,
0x84, 0x24, 0x38, 0x01, 0x00, 0x00, 0x0F, 0x84, 0xB6, 0x06, 0x00, 0x00,
0x48, 0x8B, 0x84, 0x24, 0x38, 0x01, 0x00, 0x00, 0x48, 0x83, 0xE8, 0x10,
0x48, 0x89, 0x84, 0x24, 0x58, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24,
0x58, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x60, 0x48, 0x89, 0x84, 0x24,
0x88, 0x01, 0x00, 0x00, 0x48, 0x8D, 0x84, 0x24, 0x40, 0x01, 0x00, 0x00,
0x48, 0x89, 0x84, 0x24, 0x90, 0x01, 0x00, 0x00, 0xC6, 0x44, 0x24, 0x30,
0x01, 0x48, 0x8B, 0x84, 0x24, 0x58, 0x01, 0x00, 0x00, 0x0F, 0xB7, 0x40,
0x58, 0x33, 0xD2, 0xB9, 0x02, 0x00, 0x00, 0x00, 0x48, 0xF7, 0xF1, 0x66,
0x89, 0x84, 0x24, 0xE8, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x84, 0x24, 0x40,
0x01, 0x00, 0x00, 0x48, 0x89, 0x84, 0x24, 0x80, 0x01, 0x00, 0x00, 0x48,
0xC7, 0x84, 0x24, 0xF8, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x48,
0xFF, 0x84, 0x24, 0xF8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x80,
0x01, 0x00, 0x00, 0x48, 0x8B, 0x8C, 0x24, 0xF8, 0x00, 0x00, 0x00, 0x66,
0x83, 0x3C, 0x48, 0x00, 0x75, 0xE1, 0x48, 0x8B, 0x84, 0x24, 0xF8, 0x00,
0x00, 0x00, 0x66, 0x89, 0x44, 0x24, 0x5C, 0x0F, 0xB7, 0x84, 0x24, 0xE8,
0x00, 0x00, 0x00, 0x0F, 0xB7, 0x4C, 0x24, 0x5C, 0x3B, 0xC1, 0x74, 0x05,
0xE9, 0x1E, 0xFF, 0xFF, 0xFF, 0x33, 0xC0, 0x66, 0x89, 0x44, 0x24, 0x38,
0xEB, 0x0D, 0x0F, 0xB7, 0x44, 0x24, 0x38, 0x66, 0xFF, 0xC0, 0x66, 0x89,
0x44, 0x24, 0x38, 0x0F, 0xB7, 0x44, 0x24, 0x38, 0x0F, 0xB7, 0x4C, 0x24,
0x5C, 0x3B, 0xC1, 0x0F, 0x8D, 0x88, 0x00, 0x00, 0x00, 0x0F, 0xB7, 0x44,
0x24, 0x38, 0x48, 0x8B, 0x8C, 0x24, 0x88, 0x01, 0x00, 0x00, 0x0F, 0xB7,
0x04, 0x41, 0x66, 0x89, 0x44, 0x24, 0x3C, 0x0F, 0xB7, 0x44, 0x24, 0x38,
0x48, 0x8B, 0x8C, 0x24, 0x90, 0x01, 0x00, 0x00, 0x0F, 0xB7, 0x04, 0x41,
0x66, 0x89, 0x44, 0x24, 0x40, 0x0F, 0xB7, 0x44, 0x24, 0x3C, 0x83, 0xF8,
0x41, 0x7C, 0x17, 0x0F, 0xB7, 0x44, 0x24, 0x3C, 0x83, 0xF8, 0x5A, 0x7F,
0x0D, 0x0F, 0xB7, 0x44, 0x24, 0x3C, 0x83, 0xC0, 0x20, 0x66, 0x89, 0x44,
0x24, 0x3C, 0x0F, 0xB7, 0x44, 0x24, 0x40, 0x83, 0xF8, 0x41, 0x7C, 0x17,
0x0F, 0xB7, 0x44, 0x24, 0x40, 0x83, 0xF8, 0x5A, 0x7F, 0x0D, 0x0F, 0xB7,
0x44, 0x24, 0x40, 0x83, 0xC0, 0x20, 0x66, 0x89, 0x44, 0x24, 0x40, 0x0F,
0xB7, 0x44, 0x24, 0x3C, 0x0F, 0xB7, 0x4C, 0x24, 0x40, 0x3B, 0xC1, 0x74,
0x07, 0xC6, 0x44, 0x24, 0x30, 0x00, 0xEB, 0x05, 0xE9, 0x59, 0xFF, 0xFF,
0xFF, 0x0F, 0xB6, 0x44, 0x24, 0x30, 0x85, 0xC0, 0x75, 0x05, 0xE9, 0x60,
0xFE, 0xFF, 0xFF, 0x48, 0x8B, 0x84, 0x24, 0x58, 0x01, 0x00, 0x00, 0x48,
0x8B, 0x40, 0x30, 0x48, 0x89, 0x44, 0x24, 0x68, 0x48, 0x8B, 0x44, 0x24,
0x68, 0x48, 0x89, 0x84, 0x24, 0x98, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x84,
0x24, 0x98, 0x01, 0x00, 0x00, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, 0x4C,
0x24, 0x68, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24,
0xB0, 0x01, 0x00, 0x00, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0,
0x00, 0x48, 0x8B, 0x8C, 0x24, 0xB0, 0x01, 0x00, 0x00, 0x48, 0x8D, 0x84,
0x01, 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x84, 0x24, 0x68, 0x01, 0x00,
0x00, 0x48, 0x8B, 0x84, 0x24, 0x68, 0x01, 0x00, 0x00, 0x83, 0x38, 0x00,
0x75, 0x05, 0xE9, 0xCF, 0x04, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x68,
0x01, 0x00, 0x00, 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x68, 0x48, 0x03,
0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x00, 0x01, 0x00, 0x00,
0x48, 0x8B, 0x84, 0x24, 0x00, 0x01, 0x00, 0x00, 0x8B, 0x40, 0x20, 0x48,
0x8B, 0x4C, 0x24, 0x68, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89,
0x84, 0x24, 0xA0, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x00, 0x01,
0x00, 0x00, 0x8B, 0x40, 0x24, 0x48, 0x8B, 0x4C, 0x24, 0x68, 0x48, 0x03,
0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x08, 0x01, 0x00, 0x00,
0x48, 0x8B, 0x84, 0x24, 0x00, 0x01, 0x00, 0x00, 0x8B, 0x40, 0x1C, 0x48,
0x8B, 0x4C, 0x24, 0x68, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89,
0x84, 0x24, 0x10, 0x01, 0x00, 0x00, 0x48, 0xC7, 0x84, 0x24, 0x28, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7, 0x84, 0x24, 0x30, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7, 0x84, 0x24, 0x18, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7, 0x84, 0x24, 0xF0, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x44, 0x00, 0x00,
0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x44, 0xFF, 0xC0, 0x89, 0x44,
0x24, 0x44, 0x48, 0x8B, 0x84, 0x24, 0x00, 0x01, 0x00, 0x00, 0x8B, 0x40,
0x18, 0x39, 0x44, 0x24, 0x44, 0x0F, 0x83, 0xBE, 0x02, 0x00, 0x00, 0x8B,
0x44, 0x24, 0x44, 0x48, 0x8B, 0x8C, 0x24, 0xA0, 0x01, 0x00, 0x00, 0x8B,
0x04, 0x81, 0x48, 0x8B, 0x4C, 0x24, 0x68, 0x48, 0x03, 0xC8, 0x48, 0x8B,
0xC1, 0x48, 0x89, 0x44, 0x24, 0x78, 0xC6, 0x44, 0x24, 0x31, 0x01, 0xC7,
0x44, 0x24, 0x4C, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24,
0x4C, 0xFF, 0xC0, 0x89, 0x44, 0x24, 0x4C, 0x48, 0x63, 0x44, 0x24, 0x4C,
0x0F, 0xBE, 0x84, 0x04, 0x98, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x75, 0x12,
0x48, 0x63, 0x44, 0x24, 0x4C, 0x48, 0x8B, 0x4C, 0x24, 0x78, 0x0F, 0xBE,
0x04, 0x01, 0x85, 0xC0, 0x74, 0x28, 0x48, 0x63, 0x44, 0x24, 0x4C, 0x0F,
0xBE, 0x84, 0x04, 0x98, 0x00, 0x00, 0x00, 0x48, 0x63, 0x4C, 0x24, 0x4C,
0x48, 0x8B, 0x54, 0x24, 0x78, 0x0F, 0xBE, 0x0C, 0x0A, 0x3B, 0xC1, 0x74,
0x07, 0xC6, 0x44, 0x24, 0x31, 0x00, 0xEB, 0x02, 0xEB, 0xAB, 0x0F, 0xB6,
0x44, 0x24, 0x31, 0x85, 0xC0, 0x74, 0x2E, 0x8B, 0x44, 0x24, 0x44, 0x48,
0x8B, 0x8C, 0x24, 0x08, 0x01, 0x00, 0x00, 0x0F, 0xB7, 0x04, 0x41, 0x48,
0x8B, 0x8C, 0x24, 0x10, 0x01, 0x00, 0x00, 0x8B, 0x04, 0x81, 0x48, 0x8B,
0x4C, 0x24, 0x68, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84,
0x24, 0x28, 0x01, 0x00, 0x00, 0xC6, 0x44, 0x24, 0x32, 0x01, 0xC7, 0x44,
0x24, 0x50, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x50,
0xFF, 0xC0, 0x89, 0x44, 0x24, 0x50, 0x48, 0x63, 0x44, 0x24, 0x50, 0x0F,
0xBE, 0x84, 0x04, 0x80, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x75, 0x12, 0x48,
0x63, 0x44, 0x24, 0x50, 0x48, 0x8B, 0x4C, 0x24, 0x78, 0x0F, 0xBE, 0x04,
0x01, 0x85, 0xC0, 0x74, 0x28, 0x48, 0x63, 0x44, 0x24, 0x50, 0x0F, 0xBE,
0x84, 0x04, 0x80, 0x00, 0x00, 0x00, 0x48, 0x63, 0x4C, 0x24, 0x50, 0x48,
0x8B, 0x54, 0x24, 0x78, 0x0F, 0xBE, 0x0C, 0x0A, 0x3B, 0xC1, 0x74, 0x07,
0xC6, 0x44, 0x24, 0x32, 0x00, 0xEB, 0x02, 0xEB, 0xAB, 0x0F, 0xB6, 0x44,
0x24, 0x32, 0x85, 0xC0, 0x74, 0x2E, 0x8B, 0x44, 0x24, 0x44, 0x48, 0x8B,
0x8C, 0x24, 0x08, 0x01, 0x00, 0x00, 0x0F, 0xB7, 0x04, 0x41, 0x48, 0x8B,
0x8C, 0x24, 0x10, 0x01, 0x00, 0x00, 0x8B, 0x04, 0x81, 0x48, 0x8B, 0x4C,
0x24, 0x68, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24,
0x30, 0x01, 0x00, 0x00, 0xC6, 0x44, 0x24, 0x33, 0x01, 0xC7, 0x44, 0x24,
0x54, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x54, 0xFF,
0xC0, 0x89, 0x44, 0x24, 0x54, 0x48, 0x63, 0x44, 0x24, 0x54, 0x0F, 0xBE,
0x84, 0x04, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x75, 0x12, 0x48, 0x63,
0x44, 0x24, 0x54, 0x48, 0x8B, 0x4C, 0x24, 0x78, 0x0F, 0xBE, 0x04, 0x01,
0x85, 0xC0, 0x74, 0x28, 0x48, 0x63, 0x44, 0x24, 0x54, 0x0F, 0xBE, 0x84,
0x04, 0xB0, 0x00, 0x00, 0x00, 0x48, 0x63, 0x4C, 0x24, 0x54, 0x48, 0x8B,
0x54, 0x24, 0x78, 0x0F, 0xBE, 0x0C, 0x0A, 0x3B, 0xC1, 0x74, 0x07, 0xC6,
0x44, 0x24, 0x33, 0x00, 0xEB, 0x02, 0xEB, 0xAB, 0x0F, 0xB6, 0x44, 0x24,
0x33, 0x85, 0xC0, 0x74, 0x2E, 0x8B, 0x44, 0x24, 0x44, 0x48, 0x8B, 0x8C,
0x24, 0x08, 0x01, 0x00, 0x00, 0x0F, 0xB7, 0x04, 0x41, 0x48, 0x8B, 0x8C,
0x24, 0x10, 0x01, 0x00, 0x00, 0x8B, 0x04, 0x81, 0x48, 0x8B, 0x4C, 0x24,
0x68, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x18,
0x01, 0x00, 0x00, 0xC6, 0x44, 0x24, 0x34, 0x01, 0xC7, 0x44, 0x24, 0x58,
0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x58, 0xFF, 0xC0,
0x89, 0x44, 0x24, 0x58, 0x48, 0x63, 0x44, 0x24, 0x58, 0x0F, 0xBE, 0x84,
0x04, 0xC8, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x75, 0x12, 0x48, 0x63, 0x44,
0x24, 0x58, 0x48, 0x8B, 0x4C, 0x24, 0x78, 0x0F, 0xBE, 0x04, 0x01, 0x85,
0xC0, 0x74, 0x28, 0x48, 0x63, 0x44, 0x24, 0x58, 0x0F, 0xBE, 0x84, 0x04,
0xC8, 0x00, 0x00, 0x00, 0x48, 0x63, 0x4C, 0x24, 0x58, 0x48, 0x8B, 0x54,
0x24, 0x78, 0x0F, 0xBE, 0x0C, 0x0A, 0x3B, 0xC1, 0x74, 0x07, 0xC6, 0x44,
0x24, 0x34, 0x00, 0xEB, 0x02, 0xEB, 0xAB, 0x0F, 0xB6, 0x44, 0x24, 0x34,
0x85, 0xC0, 0x74, 0x2E, 0x8B, 0x44, 0x24, 0x44, 0x48, 0x8B, 0x8C, 0x24,
0x08, 0x01, 0x00, 0x00, 0x0F, 0xB7, 0x04, 0x41, 0x48, 0x8B, 0x8C, 0x24,
0x10, 0x01, 0x00, 0x00, 0x8B, 0x04, 0x81, 0x48, 0x8B, 0x4C, 0x24, 0x68,
0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0xF0, 0x00,
0x00, 0x00, 0x48, 0x83, 0xBC, 0x24, 0x28, 0x01, 0x00, 0x00, 0x00, 0x74,
0x23, 0x48, 0x83, 0xBC, 0x24, 0x30, 0x01, 0x00, 0x00, 0x00, 0x74, 0x18,
0x48, 0x83, 0xBC, 0x24, 0x18, 0x01, 0x00, 0x00, 0x00, 0x74, 0x0D, 0x48,
0x83, 0xBC, 0x24, 0xF0, 0x00, 0x00, 0x00, 0x00, 0x74, 0x02, 0xEB, 0x05,
0xE9, 0x23, 0xFD, 0xFF, 0xFF, 0x48, 0x83, 0xBC, 0x24, 0x28, 0x01, 0x00,
0x00, 0x00, 0x74, 0x21, 0x48, 0x83, 0xBC, 0x24, 0x30, 0x01, 0x00, 0x00,
0x00, 0x74, 0x16, 0x48, 0x83, 0xBC, 0x24, 0x18, 0x01, 0x00, 0x00, 0x00,
0x74, 0x0B, 0x48, 0x83, 0xBC, 0x24, 0xF0, 0x00, 0x00, 0x00, 0x00, 0x75,
0x05, 0xE9, 0x10, 0x01, 0x00, 0x00, 0xC6, 0x44, 0x24, 0x48, 0x00, 0xC7,
0x84, 0x24, 0x60, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x84,
0x24, 0xAC, 0x01, 0x00, 0x00, 0x54, 0x03, 0x00, 0xC0, 0xC7, 0x84, 0x24,
0xA8, 0x01, 0x00, 0x00, 0x22, 0x00, 0x00, 0xC0, 0xC7, 0x84, 0x24, 0x78,
0x01, 0x00, 0x00, 0x02, 0x00, 0x00, 0xC0, 0x48, 0xC7, 0x44, 0x24, 0x28,
0x00, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00,
0x45, 0x33, 0xC9, 0x45, 0x33, 0xC0, 0x33, 0xD2, 0xB9, 0x14, 0x00, 0x00,
0x00, 0xFF, 0x94, 0x24, 0x18, 0x01, 0x00, 0x00, 0x89, 0x44, 0x24, 0x70,
0x81, 0x7C, 0x24, 0x70, 0x54, 0x03, 0x00, 0xC0, 0x74, 0x0E, 0x81, 0x7C,
0x24, 0x70, 0x02, 0x00, 0x00, 0xC0, 0x74, 0x04, 0xEB, 0x55, 0xEB, 0x53,
0x45, 0x33, 0xC9, 0x41, 0xB8, 0x02, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x54,
0x24, 0x60, 0xB9, 0x23, 0x00, 0x00, 0x00, 0xFF, 0x94, 0x24, 0xF0, 0x00,
0x00, 0x00, 0x89, 0x44, 0x24, 0x70, 0x83, 0x7C, 0x24, 0x70, 0x00, 0x7C,
0x16, 0x0F, 0xB6, 0x44, 0x24, 0x60, 0x85, 0xC0, 0x75, 0x09, 0x0F, 0xB6,
0x44, 0x24, 0x61, 0x85, 0xC0, 0x75, 0x04, 0xEB, 0x1A, 0xEB, 0x18, 0x48,
0x8B, 0x84, 0x24, 0x20, 0x01, 0x00, 0x00, 0x0F, 0xB6, 0x40, 0x02, 0x85,
0xC0, 0x74, 0x04, 0xEB, 0x06, 0xEB, 0x04, 0xEB, 0x46, 0xEB, 0x44, 0x4C,
0x8D, 0x4C, 0x24, 0x48, 0x45, 0x33, 0xC0, 0xB2, 0x01, 0xB9, 0x13, 0x00,
0x00, 0x00, 0xFF, 0x94, 0x24, 0x28, 0x01, 0x00, 0x00, 0x85, 0xC0, 0x7C,
0x2A, 0x48, 0x8D, 0x84, 0x24, 0x60, 0x01, 0x00, 0x00, 0x48, 0x89, 0x44,
0x24, 0x28, 0xC7, 0x44, 0x24, 0x20, 0x06, 0x00, 0x00, 0x00, 0x45, 0x33,
0xC9, 0x45, 0x33, 0xC0, 0x33, 0xD2, 0xB9, 0xB4, 0x02, 0x00, 0xC0, 0xFF,
0x94, 0x24, 0x30, 0x01, 0x00, 0x00, 0x90, 0xEB, 0x05, 0xE9, 0x21, 0xF9,
0xFF, 0xFF, 0x48, 0x81, 0xC4, 0xC8, 0x01, 0x00, 0x00
};
a.embed(antidebugWithTrollShellcode.data(), antidebugWithTrollShellcode.size());
} else {
// IsAntidebug is the conventional anti-debug that will only terminate the execution of the protected binary
std::printf("Run m_isAntiDebug\n");
std::vector<unsigned char> antidebugShellcode = {
/*
#pragma optimize("", off)
__declspec(noinline) __declspec(safebuffers) void detectNormal() {
#ifdef _M_X64
auto* peb = reinterpret_cast<PEB*>(__readgsqword(0x60));
#else
auto* peb = reinterpret_cast<PEB*>(__readfsdword(0x30));
#endif
if (!peb || !peb->Ldr) return;
char nameTerm[] { 'N','t','T','e','r','m','i','n','a','t','e','P','r','o','c','e','s','s', 0 };
char nameDbg[] { 'N','t','S','y','s','t','e','m','D','e','b','u','g','C','o','n','t','r','o','l',0 };
char nameQsi[] { 'N','t','Q','u','e','r','y','S','y','s','t','e','m','I','n','f','o','r','m','a','t','i','o','n',0 };
wchar_t nameDll[] { 'n','t','d','l','l','.','d','l','l',0 };
auto* head = &peb->Ldr->InMemoryOrderModuleList;
for (auto* link = head->Flink; link != head; link = link->Flink) {
auto* entry = CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
auto* a = entry->BaseDllName.Buffer;
auto* b = nameDll;
bool matched = true;
auto lenA = entry->BaseDllName.Length / sizeof(WCHAR);
auto lenB = static_cast<USHORT>(wcslen(nameDll));
if (lenA != lenB) continue;
for (auto i = 0; i < lenB; i++) {
auto ca = a[i], cb = b[i];
if (ca >= 'A' && ca <= 'Z') ca += 0x20;
if (cb >= 'A' && cb <= 'Z') cb += 0x20;
if (ca != cb) { matched = false; break; }
}
if (!matched) continue;
auto* base = reinterpret_cast<BYTE*>(entry->DllBase);
auto* dos = reinterpret_cast<IMAGE_DOS_HEADER*>(base);
auto* nt = reinterpret_cast<IMAGE_NT_HEADERS*>(base + dos->e_lfanew);
auto& ed = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
if (!ed.VirtualAddress) return;
auto* exp = reinterpret_cast<IMAGE_EXPORT_DIRECTORY*>(base + ed.VirtualAddress);
auto* names = reinterpret_cast<DWORD*>(base + exp->AddressOfNames);
auto* ords = reinterpret_cast<DWORD*>(base + exp->AddressOfNameOrdinals);
auto* funcs = reinterpret_cast<DWORD*>(base + exp->AddressOfFunctions);
RtlAdjustPrivilege_t pAdj = nullptr;
NtRaiseHardError_t pHard = nullptr;
NtSystemDebugControl_t pDbgCtrl = nullptr;
NtQuerySystemInformation_t pQsi = nullptr;
for (auto i = 0; i < exp->NumberOfNames; i++) {
auto* fn = reinterpret_cast<char*>(base + names[i]);
bool matchDbg = true;
for (auto j = 0; nameDbg[j] || fn[j]; j++)
if (nameDbg[j] != fn[j]) { matchDbg = false; break; }
if (matchDbg) pDbgCtrl = reinterpret_cast<NtSystemDebugControl_t>(base + funcs[ords[i]]);
bool matchQsi = true;
for (auto j = 0; nameQsi[j] || fn[j]; j++)
if (nameQsi[j] != fn[j]) { matchQsi = false; break; }
if (matchQsi) pQsi = reinterpret_cast<NtQuerySystemInformation_t>(base + funcs[ords[i]]);
bool matchTerm = true;
for (int j = 0; nameTerm[j] || fn[j]; j++)
if (nameTerm[j] != fn[j]) { matchTerm = false; break; }
if (matchTerm) pTerm = (NtTerminateProcess_t)(base + funcs[ords[i]]);
if (pDbgCtrl && pQsi && pTerm) break;
}
if (!pDbgCtrl || !pQsi || !pTerm) return;
BOOLEAN enabled = FALSE;
ULONG resp = 0;
// Calling detections
auto status = pDbgCtrl(SysDbgCheckLowMemory, 0, 0, 0, 0, 0);
if (status != STATUS_DEBUGGER_INACTIVE && status != STATUS_NOT_IMPLEMENTED) goto detected;
SYSTEM_KERNEL_DEBUGGER_INFORMATION KdDebuggerInfo;
status = pQsi(SystemKernelDebuggerInformation, &KdDebuggerInfo, sizeof(SYSTEM_KERNEL_DEBUGGER_INFORMATION), NULL);
if (NT_SUCCESS(status)) if (KdDebuggerInfo.KernelDebuggerEnabled || !KdDebuggerInfo.KernelDebuggerNotPresent) goto detected;
if (peb->BeingDebugged) goto detected; // Is this a meme Keowu ? yes!
goto no_detected;
detected:
pTerm(reinterpret_cast<HANDLE>(-1), 1);
no_detected:
return;
}
}
#pragma optimize("", on)
*/
0x48, 0x81, 0xEC, 0x98, 0x01, 0x00, 0x00, 0x65, 0x48, 0x8B, 0x04, 0x25,
0x60, 0x00, 0x00, 0x00, 0x48, 0x89, 0x84, 0x24, 0xF8, 0x00, 0x00, 0x00,
0x48, 0x83, 0xBC, 0x24, 0xF8, 0x00, 0x00, 0x00, 0x00, 0x74, 0x0F, 0x48,
0x8B, 0x84, 0x24, 0xF8, 0x00, 0x00, 0x00, 0x48, 0x83, 0x78, 0x18, 0x00,
0x75, 0x05, 0xE9, 0x78, 0x08, 0x00, 0x00, 0xC6, 0x44, 0x24, 0x68, 0x4E,
0xC6, 0x44, 0x24, 0x69, 0x74, 0xC6, 0x44, 0x24, 0x6A, 0x54, 0xC6, 0x44,
0x24, 0x6B, 0x65, 0xC6, 0x44, 0x24, 0x6C, 0x72, 0xC6, 0x44, 0x24, 0x6D,
0x6D, 0xC6, 0x44, 0x24, 0x6E, 0x69, 0xC6, 0x44, 0x24, 0x6F, 0x6E, 0xC6,
0x44, 0x24, 0x70, 0x61, 0xC6, 0x44, 0x24, 0x71, 0x74, 0xC6, 0x44, 0x24,
0x72, 0x65, 0xC6, 0x44, 0x24, 0x73, 0x50, 0xC6, 0x44, 0x24, 0x74, 0x72,
0xC6, 0x44, 0x24, 0x75, 0x6F, 0xC6, 0x44, 0x24, 0x76, 0x63, 0xC6, 0x44,
0x24, 0x77, 0x65, 0xC6, 0x44, 0x24, 0x78, 0x73, 0xC6, 0x44, 0x24, 0x79,
0x73, 0xC6, 0x44, 0x24, 0x7A, 0x00, 0xC6, 0x84, 0x24, 0x80, 0x00, 0x00,
0x00, 0x4E, 0xC6, 0x84, 0x24, 0x81, 0x00, 0x00, 0x00, 0x74, 0xC6, 0x84,
0x24, 0x82, 0x00, 0x00, 0x00, 0x53, 0xC6, 0x84, 0x24, 0x83, 0x00, 0x00,
0x00, 0x79, 0xC6, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x73, 0xC6, 0x84,
0x24, 0x85, 0x00, 0x00, 0x00, 0x74, 0xC6, 0x84, 0x24, 0x86, 0x00, 0x00,
0x00, 0x65, 0xC6, 0x84, 0x24, 0x87, 0x00, 0x00, 0x00, 0x6D, 0xC6, 0x84,
0x24, 0x88, 0x00, 0x00, 0x00, 0x44, 0xC6, 0x84, 0x24, 0x89, 0x00, 0x00,
0x00, 0x65, 0xC6, 0x84, 0x24, 0x8A, 0x00, 0x00, 0x00, 0x62, 0xC6, 0x84,
0x24, 0x8B, 0x00, 0x00, 0x00, 0x75, 0xC6, 0x84, 0x24, 0x8C, 0x00, 0x00,
0x00, 0x67, 0xC6, 0x84, 0x24, 0x8D, 0x00, 0x00, 0x00, 0x43, 0xC6, 0x84,
0x24, 0x8E, 0x00, 0x00, 0x00, 0x6F, 0xC6, 0x84, 0x24, 0x8F, 0x00, 0x00,
0x00, 0x6E, 0xC6, 0x84, 0x24, 0x90, 0x00, 0x00, 0x00, 0x74, 0xC6, 0x84,
0x24, 0x91, 0x00, 0x00, 0x00, 0x72, 0xC6, 0x84, 0x24, 0x92, 0x00, 0x00,
0x00, 0x6F, 0xC6, 0x84, 0x24, 0x93, 0x00, 0x00, 0x00, 0x6C, 0xC6, 0x84,
0x24, 0x94, 0x00, 0x00, 0x00, 0x00, 0xC6, 0x84, 0x24, 0x98, 0x00, 0x00,
0x00, 0x4E, 0xC6, 0x84, 0x24, 0x99, 0x00, 0x00, 0x00, 0x74, 0xC6, 0x84,
0x24, 0x9A, 0x00, 0x00, 0x00, 0x51, 0xC6, 0x84, 0x24, 0x9B, 0x00, 0x00,
0x00, 0x75, 0xC6, 0x84, 0x24, 0x9C, 0x00, 0x00, 0x00, 0x65, 0xC6, 0x84,
0x24, 0x9D, 0x00, 0x00, 0x00, 0x72, 0xC6, 0x84, 0x24, 0x9E, 0x00, 0x00,
0x00, 0x79, 0xC6, 0x84, 0x24, 0x9F, 0x00, 0x00, 0x00, 0x53, 0xC6, 0x84,
0x24, 0xA0, 0x00, 0x00, 0x00, 0x79, 0xC6, 0x84, 0x24, 0xA1, 0x00, 0x00,
0x00, 0x73, 0xC6, 0x84, 0x24, 0xA2, 0x00, 0x00, 0x00, 0x74, 0xC6, 0x84,
0x24, 0xA3, 0x00, 0x00, 0x00, 0x65, 0xC6, 0x84, 0x24, 0xA4, 0x00, 0x00,
0x00, 0x6D, 0xC6, 0x84, 0x24, 0xA5, 0x00, 0x00, 0x00, 0x49, 0xC6, 0x84,
0x24, 0xA6, 0x00, 0x00, 0x00, 0x6E, 0xC6, 0x84, 0x24, 0xA7, 0x00, 0x00,
0x00, 0x66, 0xC6, 0x84, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x6F, 0xC6, 0x84,
0x24, 0xA9, 0x00, 0x00, 0x00, 0x72, 0xC6, 0x84, 0x24, 0xAA, 0x00, 0x00,
0x00, 0x6D, 0xC6, 0x84, 0x24, 0xAB, 0x00, 0x00, 0x00, 0x61, 0xC6, 0x84,
0x24, 0xAC, 0x00, 0x00, 0x00, 0x74, 0xC6, 0x84, 0x24, 0xAD, 0x00, 0x00,
0x00, 0x69, 0xC6, 0x84, 0x24, 0xAE, 0x00, 0x00, 0x00, 0x6F, 0xC6, 0x84,
0x24, 0xAF, 0x00, 0x00, 0x00, 0x6E, 0xC6, 0x84, 0x24, 0xB0, 0x00, 0x00,
0x00, 0x00, 0xB8, 0x6E, 0x00, 0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0x00,
0x01, 0x00, 0x00, 0xB8, 0x74, 0x00, 0x00, 0x00, 0x66, 0x89, 0x84, 0x24,
0x02, 0x01, 0x00, 0x00, 0xB8, 0x64, 0x00, 0x00, 0x00, 0x66, 0x89, 0x84,
0x24, 0x04, 0x01, 0x00, 0x00, 0xB8, 0x6C, 0x00, 0x00, 0x00, 0x66, 0x89,
0x84, 0x24, 0x06, 0x01, 0x00, 0x00, 0xB8, 0x6C, 0x00, 0x00, 0x00, 0x66,
0x89, 0x84, 0x24, 0x08, 0x01, 0x00, 0x00, 0xB8, 0x2E, 0x00, 0x00, 0x00,
0x66, 0x89, 0x84, 0x24, 0x0A, 0x01, 0x00, 0x00, 0xB8, 0x64, 0x00, 0x00,
0x00, 0x66, 0x89, 0x84, 0x24, 0x0C, 0x01, 0x00, 0x00, 0xB8, 0x6C, 0x00,
0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0x0E, 0x01, 0x00, 0x00, 0xB8, 0x6C,
0x00, 0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0x10, 0x01, 0x00, 0x00, 0x33,
0xC0, 0x66, 0x89, 0x84, 0x24, 0x12, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x84,
0x24, 0xF8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x18, 0x48, 0x83, 0xC0,
0x28, 0x48, 0x89, 0x84, 0x24, 0x30, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x84,
0x24, 0x30, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x00, 0x48, 0x89, 0x84, 0x24,
0xD0, 0x00, 0x00, 0x00, 0xEB, 0x13, 0x48, 0x8B, 0x84, 0x24, 0xD0, 0x00,
0x00, 0x00, 0x48, 0x8B, 0x00, 0x48, 0x89, 0x84, 0x24, 0xD0, 0x00, 0x00,
0x00, 0x48, 0x8B, 0x84, 0x24, 0x30, 0x01, 0x00, 0x00, 0x48, 0x39, 0x84,
0x24, 0xD0, 0x00, 0x00, 0x00, 0x0F, 0x84, 0xD4, 0x05, 0x00, 0x00, 0x48,
0x8B, 0x84, 0x24, 0xD0, 0x00, 0x00, 0x00, 0x48, 0x83, 0xE8, 0x10, 0x48,
0x89, 0x84, 0x24, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x18,
0x01, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x60, 0x48, 0x89, 0x84, 0x24, 0x50,
0x01, 0x00, 0x00, 0x48, 0x8D, 0x84, 0x24, 0x00, 0x01, 0x00, 0x00, 0x48,
0x89, 0x84, 0x24, 0x58, 0x01, 0x00, 0x00, 0xC6, 0x44, 0x24, 0x30, 0x01,
0x48, 0x8B, 0x84, 0x24, 0x18, 0x01, 0x00, 0x00, 0x0F, 0xB7, 0x40, 0x58,
0x33, 0xD2, 0xB9, 0x02, 0x00, 0x00, 0x00, 0x48, 0xF7, 0xF1, 0x48, 0x89,
0x84, 0x24, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8D, 0x84, 0x24, 0x00, 0x01,
0x00, 0x00, 0x48, 0x89, 0x84, 0x24, 0x68, 0x01, 0x00, 0x00, 0x48, 0xC7,
0x84, 0x24, 0xC8, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x48, 0xFF,
0x84, 0x24, 0xC8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x68, 0x01,
0x00, 0x00, 0x48, 0x8B, 0x8C, 0x24, 0xC8, 0x00, 0x00, 0x00, 0x66, 0x83,
0x3C, 0x48, 0x00, 0x75, 0xE1, 0x48, 0x8B, 0x84, 0x24, 0xC8, 0x00, 0x00,
0x00, 0x66, 0x89, 0x44, 0x24, 0x4C, 0x0F, 0xB7, 0x44, 0x24, 0x4C, 0x48,
0x39, 0x84, 0x24, 0x48, 0x01, 0x00, 0x00, 0x74, 0x05, 0xE9, 0x20, 0xFF,
0xFF, 0xFF, 0xC7, 0x44, 0x24, 0x54, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A,
0x8B, 0x44, 0x24, 0x54, 0xFF, 0xC0, 0x89, 0x44, 0x24, 0x54, 0x0F, 0xB7,
0x44, 0x24, 0x4C, 0x39, 0x44, 0x24, 0x54, 0x0F, 0x8D, 0x88, 0x00, 0x00,
0x00, 0x48, 0x63, 0x44, 0x24, 0x54, 0x48, 0x8B, 0x8C, 0x24, 0x50, 0x01,
0x00, 0x00, 0x0F, 0xB7, 0x04, 0x41, 0x66, 0x89, 0x44, 0x24, 0x34, 0x48,
0x63, 0x44, 0x24, 0x54, 0x48, 0x8B, 0x8C, 0x24, 0x58, 0x01, 0x00, 0x00,
0x0F, 0xB7, 0x04, 0x41, 0x66, 0x89, 0x44, 0x24, 0x38, 0x0F, 0xB7, 0x44,
0x24, 0x34, 0x83, 0xF8, 0x41, 0x7C, 0x17, 0x0F, 0xB7, 0x44, 0x24, 0x34,
0x83, 0xF8, 0x5A, 0x7F, 0x0D, 0x0F, 0xB7, 0x44, 0x24, 0x34, 0x83, 0xC0,
0x20, 0x66, 0x89, 0x44, 0x24, 0x34, 0x0F, 0xB7, 0x44, 0x24, 0x38, 0x83,
0xF8, 0x41, 0x7C, 0x17, 0x0F, 0xB7, 0x44, 0x24, 0x38, 0x83, 0xF8, 0x5A,
0x7F, 0x0D, 0x0F, 0xB7, 0x44, 0x24, 0x38, 0x83, 0xC0, 0x20, 0x66, 0x89,
0x44, 0x24, 0x38, 0x0F, 0xB7, 0x44, 0x24, 0x34, 0x0F, 0xB7, 0x4C, 0x24,
0x38, 0x3B, 0xC1, 0x74, 0x07, 0xC6, 0x44, 0x24, 0x30, 0x00, 0xEB, 0x05,
0xE9, 0x5F, 0xFF, 0xFF, 0xFF, 0x0F, 0xB6, 0x44, 0x24, 0x30, 0x85, 0xC0,
0x75, 0x05, 0xE9, 0x67, 0xFE, 0xFF, 0xFF, 0x48, 0x8B, 0x84, 0x24, 0x18,
0x01, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x30, 0x48, 0x89, 0x44, 0x24, 0x58,
0x48, 0x8B, 0x44, 0x24, 0x58, 0x48, 0x89, 0x84, 0x24, 0x60, 0x01, 0x00,
0x00, 0x48, 0x8B, 0x84, 0x24, 0x60, 0x01, 0x00, 0x00, 0x48, 0x63, 0x40,
0x3C, 0x48, 0x8B, 0x4C, 0x24, 0x58, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1,
0x48, 0x89, 0x84, 0x24, 0x80, 0x01, 0x00, 0x00, 0xB8, 0x08, 0x00, 0x00,
0x00, 0x48, 0x6B, 0xC0, 0x00, 0x48, 0x8B, 0x8C, 0x24, 0x80, 0x01, 0x00,
0x00, 0x48, 0x8D, 0x84, 0x01, 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x84,
0x24, 0x38, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x38, 0x01, 0x00,
0x00, 0x83, 0x38, 0x00, 0x75, 0x05, 0xE9, 0xF4, 0x03, 0x00, 0x00, 0x48,
0x8B, 0x84, 0x24, 0x38, 0x01, 0x00, 0x00, 0x8B, 0x00, 0x48, 0x8B, 0x4C,
0x24, 0x58, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24,
0xE0, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00,
0x8B, 0x40, 0x20, 0x48, 0x8B, 0x4C, 0x24, 0x58, 0x48, 0x03, 0xC8, 0x48,
0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x70, 0x01, 0x00, 0x00, 0x48, 0x8B,
0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x24, 0x48, 0x8B, 0x4C,
0x24, 0x58, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24,
0x20, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00,
0x8B, 0x40, 0x1C, 0x48, 0x8B, 0x4C, 0x24, 0x58, 0x48, 0x03, 0xC8, 0x48,
0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x28, 0x01, 0x00, 0x00, 0x48, 0xC7,
0x84, 0x24, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7,
0x84, 0x24, 0xF0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7,
0x84, 0x24, 0xD8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x44,
0x24, 0x3C, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x3C,
0xFF, 0xC0, 0x89, 0x44, 0x24, 0x3C, 0x48, 0x8B, 0x84, 0x24, 0xE0, 0x00,
0x00, 0x00, 0x8B, 0x40, 0x18, 0x39, 0x44, 0x24, 0x3C, 0x0F, 0x83, 0x27,
0x02, 0x00, 0x00, 0x8B, 0x44, 0x24, 0x3C, 0x48, 0x8B, 0x8C, 0x24, 0x70,
0x01, 0x00, 0x00, 0x8B, 0x04, 0x81, 0x48, 0x8B, 0x4C, 0x24, 0x58, 0x48,
0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0xC0, 0x00, 0x00,
0x00, 0xC6, 0x44, 0x24, 0x31, 0x01, 0xC7, 0x44, 0x24, 0x40, 0x00, 0x00,
0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x40, 0xFF, 0xC0, 0x89, 0x44,
0x24, 0x40, 0x48, 0x63, 0x44, 0x24, 0x40, 0x0F, 0xBE, 0x84, 0x04, 0x80,
0x00, 0x00, 0x00, 0x85, 0xC0, 0x75, 0x15, 0x48, 0x63, 0x44, 0x24, 0x40,
0x48, 0x8B, 0x8C, 0x24, 0xC0, 0x00, 0x00, 0x00, 0x0F, 0xBE, 0x04, 0x01,
0x85, 0xC0, 0x74, 0x2B, 0x48, 0x63, 0x44, 0x24, 0x40, 0x0F, 0xBE, 0x84,
0x04, 0x80, 0x00, 0x00, 0x00, 0x48, 0x63, 0x4C, 0x24, 0x40, 0x48, 0x8B,
0x94, 0x24, 0xC0, 0x00, 0x00, 0x00, 0x0F, 0xBE, 0x0C, 0x0A, 0x3B, 0xC1,
0x74, 0x07, 0xC6, 0x44, 0x24, 0x31, 0x00, 0xEB, 0x02, 0xEB, 0xA5, 0x0F,
0xB6, 0x44, 0x24, 0x31, 0x85, 0xC0, 0x74, 0x2E, 0x8B, 0x44, 0x24, 0x3C,
0x48, 0x8B, 0x8C, 0x24, 0x20, 0x01, 0x00, 0x00, 0x0F, 0xB7, 0x04, 0x41,
0x48, 0x8B, 0x8C, 0x24, 0x28, 0x01, 0x00, 0x00, 0x8B, 0x04, 0x81, 0x48,
0x8B, 0x4C, 0x24, 0x58, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89,
0x84, 0x24, 0xE8, 0x00, 0x00, 0x00, 0xC6, 0x44, 0x24, 0x32, 0x01, 0xC7,
0x44, 0x24, 0x44, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24,
0x44, 0xFF, 0xC0, 0x89, 0x44, 0x24, 0x44, 0x48, 0x63, 0x44, 0x24, 0x44,
0x0F, 0xBE, 0x84, 0x04, 0x98, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x75, 0x15,
0x48, 0x63, 0x44, 0x24, 0x44, 0x48, 0x8B, 0x8C, 0x24, 0xC0, 0x00, 0x00,
0x00, 0x0F, 0xBE, 0x04, 0x01, 0x85, 0xC0, 0x74, 0x2B, 0x48, 0x63, 0x44,
0x24, 0x44, 0x0F, 0xBE, 0x84, 0x04, 0x98, 0x00, 0x00, 0x00, 0x48, 0x63,
0x4C, 0x24, 0x44, 0x48, 0x8B, 0x94, 0x24, 0xC0, 0x00, 0x00, 0x00, 0x0F,
0xBE, 0x0C, 0x0A, 0x3B, 0xC1, 0x74, 0x07, 0xC6, 0x44, 0x24, 0x32, 0x00,
0xEB, 0x02, 0xEB, 0xA5, 0x0F, 0xB6, 0x44, 0x24, 0x32, 0x85, 0xC0, 0x74,
0x2E, 0x8B, 0x44, 0x24, 0x3C, 0x48, 0x8B, 0x8C, 0x24, 0x20, 0x01, 0x00,
0x00, 0x0F, 0xB7, 0x04, 0x41, 0x48, 0x8B, 0x8C, 0x24, 0x28, 0x01, 0x00,
0x00, 0x8B, 0x04, 0x81, 0x48, 0x8B, 0x4C, 0x24, 0x58, 0x48, 0x03, 0xC8,
0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0xF0, 0x00, 0x00, 0x00, 0xC6,
0x44, 0x24, 0x33, 0x01, 0xC7, 0x44, 0x24, 0x48, 0x00, 0x00, 0x00, 0x00,
0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x48, 0xFF, 0xC0, 0x89, 0x44, 0x24, 0x48,
0x48, 0x63, 0x44, 0x24, 0x48, 0x0F, 0xBE, 0x44, 0x04, 0x68, 0x85, 0xC0,
0x75, 0x15, 0x48, 0x63, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x8C, 0x24, 0xC0,
0x00, 0x00, 0x00, 0x0F, 0xBE, 0x04, 0x01, 0x85, 0xC0, 0x74, 0x28, 0x48,
0x63, 0x44, 0x24, 0x48, 0x0F, 0xBE, 0x44, 0x04, 0x68, 0x48, 0x63, 0x4C,
0x24, 0x48, 0x48, 0x8B, 0x94, 0x24, 0xC0, 0x00, 0x00, 0x00, 0x0F, 0xBE,
0x0C, 0x0A, 0x3B, 0xC1, 0x74, 0x07, 0xC6, 0x44, 0x24, 0x33, 0x00, 0xEB,
0x02, 0xEB, 0xAB, 0x0F, 0xB6, 0x44, 0x24, 0x33, 0x85, 0xC0, 0x74, 0x2E,
0x8B, 0x44, 0x24, 0x3C, 0x48, 0x8B, 0x8C, 0x24, 0x20, 0x01, 0x00, 0x00,
0x0F, 0xB7, 0x04, 0x41, 0x48, 0x8B, 0x8C, 0x24, 0x28, 0x01, 0x00, 0x00,
0x8B, 0x04, 0x81, 0x48, 0x8B, 0x4C, 0x24, 0x58, 0x48, 0x03, 0xC8, 0x48,
0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0xD8, 0x00, 0x00, 0x00, 0x48, 0x83,
0xBC, 0x24, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x74, 0x18, 0x48, 0x83, 0xBC,
0x24, 0xF0, 0x00, 0x00, 0x00, 0x00, 0x74, 0x0D, 0x48, 0x83, 0xBC, 0x24,
0xD8, 0x00, 0x00, 0x00, 0x00, 0x74, 0x02, 0xEB, 0x05, 0xE9, 0xBA, 0xFD,
0xFF, 0xFF, 0x48, 0x83, 0xBC, 0x24, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x74,
0x16, 0x48, 0x83, 0xBC, 0x24, 0xF0, 0x00, 0x00, 0x00, 0x00, 0x74, 0x0B,
0x48, 0x83, 0xBC, 0x24, 0xD8, 0x00, 0x00, 0x00, 0x00, 0x75, 0x05, 0xE9,
0xE3, 0x00, 0x00, 0x00, 0xC6, 0x84, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x00,
0xC7, 0x84, 0x24, 0x7C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7,
0x84, 0x24, 0x78, 0x01, 0x00, 0x00, 0x54, 0x03, 0x00, 0xC0, 0xC7, 0x84,
0x24, 0x40, 0x01, 0x00, 0x00, 0x22, 0x00, 0x00, 0xC0, 0xC7, 0x84, 0x24,
0x44, 0x01, 0x00, 0x00, 0x02, 0x00, 0x00, 0xC0, 0x48, 0xC7, 0x44, 0x24,
0x28, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00,
0x00, 0x45, 0x33, 0xC9, 0x45, 0x33, 0xC0, 0x33, 0xD2, 0xB9, 0x14, 0x00,
0x00, 0x00, 0xFF, 0x94, 0x24, 0xE8, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24,
0x60, 0x81, 0x7C, 0x24, 0x60, 0x54, 0x03, 0x00, 0xC0, 0x74, 0x0E, 0x81,
0x7C, 0x24, 0x60, 0x02, 0x00, 0x00, 0xC0, 0x74, 0x04, 0xEB, 0x55, 0xEB,
0x53, 0x45, 0x33, 0xC9, 0x41, 0xB8, 0x02, 0x00, 0x00, 0x00, 0x48, 0x8D,
0x54, 0x24, 0x50, 0xB9, 0x23, 0x00, 0x00, 0x00, 0xFF, 0x94, 0x24, 0xF0,
0x00, 0x00, 0x00, 0x89, 0x44, 0x24, 0x60, 0x83, 0x7C, 0x24, 0x60, 0x00,
0x7C, 0x16, 0x0F, 0xB6, 0x44, 0x24, 0x50, 0x85, 0xC0, 0x75, 0x09, 0x0F,
0xB6, 0x44, 0x24, 0x51, 0x85, 0xC0, 0x75, 0x04, 0xEB, 0x1A, 0xEB, 0x18,
0x48, 0x8B, 0x84, 0x24, 0xF8, 0x00, 0x00, 0x00, 0x0F, 0xB6, 0x40, 0x02,
0x85, 0xC0, 0x74, 0x04, 0xEB, 0x06, 0xEB, 0x04, 0xEB, 0x16, 0xEB, 0x14,
0xBA, 0x01, 0x00, 0x00, 0x00, 0x48, 0xC7, 0xC1, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0x94, 0x24, 0xD8, 0x00, 0x00, 0x00, 0x90, 0xEB, 0x05, 0xE9, 0x03,
0xFA, 0xFF, 0xFF, 0x48, 0x81, 0xC4, 0x98, 0x01, 0x00, 0x00
};
a.embed(antidebugShellcode.data(), antidebugShellcode.size());
}
// Restoring the register context
// Pop flags
a.pop(asmjit::x86::r15);
a.pop(asmjit::x86::r14);
@@ -1085,37 +1579,21 @@ void RyujinObfuscationCore::insertAntiDebug() {
// pop RFLAGS
a.popfq();
// Getting new opcodes to insert in place of the old block
std::vector<ZyanU8> minivm_enter;
auto& opcodeBuffer = code.sectionById(0)->buffer();
const auto pOpcodeBuffer = opcodeBuffer.data();
minivm_enter.reserve(opcodeBuffer.size());
// Storing each individual opcode in our minivm vector
// Storing our new opcodes for antidebug detection
for (auto i = 0; i < opcodeBuffer.size(); ++i) minivm_enter.push_back(static_cast<ZyanU8>(pOpcodeBuffer[i]));
// Saving the opcode block
data.assign(minivm_enter.begin(), minivm_enter.end());
// 1<EFBFBD> Inserir a stub que vai carregar o shellcode via stack
// 2<> usar virtual alloc
// 3<> criar uma thread escondida do debugger para executar o shellcode com o antidebug ou antidebug + trollreversers
// ACESSAR PEB RECUPERAR ESSES MODULOS MANUALMENTE ? sad. mas <20> parecido como o Themida e suas detec<65><63>es funcionam.
if (this->m_config.m_isTrollRerversers) {
// IstrollReversers <20> o antidebug convencional mas com a capacidade de trigar tela azul via hard error
std::printf("Run m_isAntiDebug + m_isTrollRerversers\n");
}
else {
// Is Antidebug <20> o antidebug convencional que s<> encerrara a execu<63><75>o completa do bin<69>rio protegido
std::printf("Run m_isAntiDebug\n");
}
// There<EFBFBD>s no need to insert it more than once per function.
isInserted = TRUE;
}
}
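Review bot: The copy of the assembled stub into `data` goes through a temporary `minivm_enter` vector plus an index loop whose counter `auto i = 0` is an `int` compared against `opcodeBuffer.size()` (signed/unsigned mismatch), and the name `minivm_enter` no longer describes what the buffer holds in anti-debug code. The reserve/loop/assign trio collapses to one line: `data.assign(pOpcodeBuffer, pOpcodeBuffer + opcodeBuffer.size());`. `isInserted = TRUE;` uses the Win32 macro where plain `true` would be the idiomatic value if `isInserted` is a `bool` (its declaration is outside this hunk, so that is inferred). The enclosing insertAntiDebug() starts outside the hunk.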


@@ -16,7 +16,7 @@
class RyujinObfuscationCore {
private:
const int MAX_PADDING_SPACE_INSTR = 7;
const int MAX_PADDING_SPACE_INSTR = 13;
const int MAX_JUNK_GENERATION_ITERATION = 5;
std::vector<ZydisRegister> m_unusedRegisters;
std::vector<RyujinBasicBlock> m_obfuscated_bb;
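Review bot: `MAX_PADDING_SPACE_INSTR` is raised from 7 to 13 with nothing recording what the bound governs or why this value was chosen, so the next tuning will be guesswork; presumably it is tied to the anti-debug stub introduced in this commit, which is worth stating in a comment such as `// Max padding instructions emitted per site; 13 was chosen for the anti-debug stub — confirm`. Both limits are also per-instance `const int` members, which cost storage in every object and cannot be used in constant expressions; `static constexpr int MAX_PADDING_SPACE_INSTR = 13;` expresses a class-wide constant unless instances are meant to carry their own copy. The class body continues outside the hunk.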