.text:0000000140001000 ; =============== S U B R O U T I N E =======================================
.text:0000000140001000 ; Attributes: noreturn bp-based frame [obfuscated - flow not resolved]
.text:0000000140001000 xVoidByte proc near
.text:0000000140001000 55 push rbp
.text:0000000140001001 48 89 E5 mov rbp, rsp
.text:0000000140001004 48 83 EC 40 sub rsp, 40h
.text:0000000140001008 65 48 8B 04 25 60 00+ mov rax, gs:60h ; PEB
.text:0000000140001011 0F B6 40 02 movzx eax, byte ptr [rax+2] ; +BeingDebugged
.text:0000000140001015 84 C0 test al, al
.text:0000000140001017 0F 85 5B 00 00 00 jnz loc_140001078 ; anti-dbg
.text:000000014000101D 0F 31 rdtsc ; timing seed
.text:000000014000101F 48 C1 E2 20 shl rdx, 20h
.text:0000000140001023 48 09 D0 or rax, rdx
.text:0000000140001026 48 89 45 F8 mov [rbp-8], rax
.text:000000014000102A EB 02 jmp short $+4
.text:000000014000102C 0F 0B ud2 ; dead
.text:000000014000102E loc_14000102E:
.text:000000014000102E 48 31 C9 xor rcx, rcx
.text:0000000140001031 48 8D 35 C8 0F 00 00 lea rsi, byte_140002000 ; ct[30h]
.text:0000000140001038 48 8D 7D C0 lea rdi, [rbp-40h] ; pt
.text:000000014000103C B0 5A mov al, 5Ah ; k = 5Ah
.text:000000014000103E decode_loop:
.text:000000014000103E 8A 1C 0E mov bl, [rsi+rcx]
.text:0000000140001041 30 C3 xor bl, al
.text:0000000140001043 32 D9 xor bl, cl ; ^ idx (pos-dependent)
.text:0000000140001045 88 1C 0F mov [rdi+rcx], bl
.text:0000000140001048 04 07 add al, 7 ; k += 7
.text:000000014000104A 48 FF C1 inc rcx
.text:000000014000104D 48 83 F9 30 cmp rcx, 30h
.text:0000000140001051 72 EB jb short decode_loop
.text:0000000140001053 48 8B 45 F8 mov rax, [rbp-8]
.text:0000000140001057 48 89 C2 mov rdx, rax
.text:000000014000105A 48 0F AF C2 imul rax, rdx
.text:000000014000105E 48 29 D0 sub rax, rdx ; n*n - n
.text:0000000140001061 A8 01 test al, 1 ; == 0 (opaque)
.text:0000000140001063 75 13 jnz short loc_140001078 ; never taken
.text:0000000140001065 48 8D 7D C0 lea rdi, [rbp-40h] ; -> "Reverse Engineer",0,
.text:0000000140001065 ; "Malware Analysis | Game Hacking",0
.text:0000000140001069 FF 15 91 0F 00 00 call cs:__imp_puts
.text:000000014000106F 48 31 C0 xor eax, eax
.text:0000000140001072 48 83 C4 40 add rsp, 40h
.text:0000000140001076 5D pop rbp
.text:0000000140001077 C3 retn
.text:0000000140001078 ; ---------------------------------------------------------------------------
.text:0000000140001078 loc_140001078: ; junk / anti-analysis
.text:0000000140001078 E8 00 00 00 00 call $+5
.text:000000014000107D 58 pop rax
.text:000000014000107E FF E0 jmp rax
.text:000000014000107E xVoidByte endptypedef NTSTATUS (__fastcall *sub_t)(void *ctx);
struct capabilities_t // sizeof=0x20
{
sub_t sub_malware; // 0x1401A0 : sample triage, C2 extraction, IOC pulls, sandbox
sub_t sub_gamehack; // 0x1402C0 : entity lists, view matrix, hooks, ESP / aimbot logic
sub_t sub_unpack; // 0x1403E0 : VMProtect / Themida / CFF, manual unpack + devirt
sub_t sub_kernel; // 0x140500 : driver internals, syscall hooks, callbacks, AC / AT
};; .comment section
I take software apart to understand how it works - malware triage, game internals and obfuscation research.
I love building automation software based on reverse engineered data.
; .idb saved - 13 errors, 37 warnings


