; RC4 stream cipher for x86-64 in MASM syntax, Microsoft x64 (Win64) ABI.
; Hand-scheduled CRYPTOGAMS-style code (see the signature string embedded in
; RC4_options); presumably emitted by OpenSSL's perlasm RC4 generator.
; Entry points: RC4, RC4_set_key, RC4_options. stream_se_handler and
; key_se_handler are the SEH unwind handlers registered in .pdata/.xdata.
; Every PROC begins by remapping the MS args (rcx,rdx,r8,r9) onto the SysV
; register roles (rdi,rsi,rdx,rcx) the bodies were written against.
OPTION DOTNAME
.text$ SEGMENT ALIGN(64) 'CODE'
PUBLIC RC4
ALIGN 16
RC4 PROC PUBLIC
;-----------------------------------------------------------------------
; void RC4(RC4_KEY *key, size_t len, const unsigned char *in,
;          unsigned char *out)
; ABI:   Microsoft x64; args arrive in rcx,rdx,r8,r9 and are moved to
;        rdi,rsi,rdx,rcx (SysV roles) right after the WIN64 prologue.
; In:    rdi = key, rsi = len (used as a 64-bit count), rdx = in, rcx = out
; Out:   out[i] = in[i] ^ keystream for i < len; key->x, key->y updated.
;        len == 0 returns immediately without touching the state.
; Regs:  rdi = &key->data (key+8); [-8+rdi] = x, [-4+rdi] = y
;        r8  = x (kept one step ahead: S[x] is already in r9)
;        r12 = y,  r9/r11 = S[x] (roles alternate in the unrolled loop)
;        r13 = S[y], then (S[x]+S[y]) mod 256 as keystream index
;        rax/eax/ebx accumulate keystream or in^keystream bytes
;        [256+rdi] == -1 : byte-table layout (set by RC4_set_key's char
;                          path; in the int layout that slot is S[64],
;                          always 0..255)
;        [260+rdi] != 0  : byte layout must use the 1-byte loop only
; Saves: rbx, r12, r13 are pushed after $L$entry (24 bytes; matched by
;        $L$exit and by stream_se_handler's frame recovery). rdi/rsi are
;        parked in the caller's home slots [8+rsp]/[16+rsp].
; Note:  every S[] access is indexed by secret state (x, y, S[x]+S[y]);
;        memory access is data-dependent, i.e. not constant-time. That is
;        inherent to the RC4 algorithm, not a property of this code.
;-----------------------------------------------------------------------
mov QWORD PTR[8+rsp],rdi ;WIN64 prologue: park rdi/rsi in home slots
mov QWORD PTR[16+rsp],rsi
mov rax,rsp                          ; rax = entry rsp; stream_se_handler reads it from CONTEXT.Rax while still in the prologue
$L$SEH_begin_RC4::
mov rdi,rcx                          ; rdi = key
mov rsi,rdx                          ; rsi = len
mov rdx,r8                           ; rdx = in
mov rcx,r9                           ; rcx = out
or rsi,rsi
jne $L$entry
mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue: len == 0, nothing to do
mov rsi,QWORD PTR[16+rsp]
DB 0F3h,0C3h ;repret (rep-prefixed ret, 0F3h 0C3h; presumably a branch-predictor hint)
$L$entry::
push rbx                             ; callee-saved under the MS ABI
push r12
push r13
$L$prologue::
add rdi,8                            ; rdi = &key->data
mov r8d,DWORD PTR[((-8))+rdi]        ; x
mov r12d,DWORD PTR[((-4))+rdi]       ; y
cmp DWORD PTR[256+rdi],-1            ; byte-table layout?
je $L$RC4_CHAR
inc r8b                              ; x++ (mod 256)
mov r9d,DWORD PTR[r8*4+rdi]          ; r9 = S[x]
test rsi,-8                          ; at least 8 bytes?
jz $L$loop1
jmp $L$loop8
ALIGN 16
$L$loop8::
; 8 bytes per iteration; the 8 unrolled steps below are identical except
; that r8/r10 (x, x+1) and r9/r11 (S[x], S[x+1]) swap roles each step.
; Step 1:
add r12b,r9b                         ; y += S[x]
mov r10,r8                           ; r10 = x
mov r13d,DWORD PTR[r12*4+rdi]        ; r13 = S[y]
ror rax,8                            ; make room for the next keystream byte in al
inc r10b                             ; r10 = x+1 (mod 256)
mov r11d,DWORD PTR[r10*4+rdi]        ; r11 = S[x+1], prefetched for the next step
cmp r12,r10                          ; y == x+1 ?
mov DWORD PTR[r12*4+rdi],r9d         ; S[y] = old S[x]
cmove r11,r9                         ; if y == x+1 the prefetched S[x+1] was just overwritten: use the new value
mov DWORD PTR[r8*4+rdi],r13d         ; S[x] = old S[y]
add r13b,r9b                         ; r13 = (S[x]+S[y]) mod 256
mov al,BYTE PTR[r13*4+rdi]           ; keystream byte
; Step 2 (x = r10, S[x] = r11):
add r12b,r11b
mov r8,r10
mov r13d,DWORD PTR[r12*4+rdi]
ror rax,8
inc r8b
mov r9d,DWORD PTR[r8*4+rdi]
cmp r12,r8
mov DWORD PTR[r12*4+rdi],r11d
cmove r9,r11
mov DWORD PTR[r10*4+rdi],r13d
add r13b,r11b
mov al,BYTE PTR[r13*4+rdi]
; Steps 3..8:
add r12b,r9b
mov r10,r8
mov r13d,DWORD PTR[r12*4+rdi]
ror rax,8
inc r10b
mov r11d,DWORD PTR[r10*4+rdi]
cmp r12,r10
mov DWORD PTR[r12*4+rdi],r9d
cmove r11,r9
mov DWORD PTR[r8*4+rdi],r13d
add r13b,r9b
mov al,BYTE PTR[r13*4+rdi]
add r12b,r11b
mov r8,r10
mov r13d,DWORD PTR[r12*4+rdi]
ror rax,8
inc r8b
mov r9d,DWORD PTR[r8*4+rdi]
cmp r12,r8
mov DWORD PTR[r12*4+rdi],r11d
cmove r9,r11
mov DWORD PTR[r10*4+rdi],r13d
add r13b,r11b
mov al,BYTE PTR[r13*4+rdi]
add r12b,r9b
mov r10,r8
mov r13d,DWORD PTR[r12*4+rdi]
ror rax,8
inc r10b
mov r11d,DWORD PTR[r10*4+rdi]
cmp r12,r10
mov DWORD PTR[r12*4+rdi],r9d
cmove r11,r9
mov DWORD PTR[r8*4+rdi],r13d
add r13b,r9b
mov al,BYTE PTR[r13*4+rdi]
add r12b,r11b
mov r8,r10
mov r13d,DWORD PTR[r12*4+rdi]
ror rax,8
inc r8b
mov r9d,DWORD PTR[r8*4+rdi]
cmp r12,r8
mov DWORD PTR[r12*4+rdi],r11d
cmove r9,r11
mov DWORD PTR[r10*4+rdi],r13d
add r13b,r11b
mov al,BYTE PTR[r13*4+rdi]
add r12b,r9b
mov r10,r8
mov r13d,DWORD PTR[r12*4+rdi]
ror rax,8
inc r10b
mov r11d,DWORD PTR[r10*4+rdi]
cmp r12,r10
mov DWORD PTR[r12*4+rdi],r9d
cmove r11,r9
mov DWORD PTR[r8*4+rdi],r13d
add r13b,r9b
mov al,BYTE PTR[r13*4+rdi]
add r12b,r11b
mov r8,r10
mov r13d,DWORD PTR[r12*4+rdi]
ror rax,8
inc r8b
mov r9d,DWORD PTR[r8*4+rdi]
cmp r12,r8
mov DWORD PTR[r12*4+rdi],r11d
cmove r9,r11
mov DWORD PTR[r10*4+rdi],r13d
add r13b,r11b
mov al,BYTE PTR[r13*4+rdi]
add r12b,r9b
mov r10,r8
mov r13d,DWORD PTR[r12*4+rdi]
ror rax,8
inc r10b
mov r11d,DWORD PTR[r10*4+rdi]
cmp r12,r10
mov DWORD PTR[r12*4+rdi],r9d
cmove r11,r9
mov DWORD PTR[r8*4+rdi],r13d
add r13b,r9b
mov al,BYTE PTR[r13*4+rdi]
add r12b,r11b
mov r8,r10
mov r13d,DWORD PTR[r12*4+rdi]
ror rax,8
inc r8b
mov r9d,DWORD PTR[r8*4+rdi]
cmp r12,r8
mov DWORD PTR[r12*4+rdi],r11d
cmove r9,r11
mov DWORD PTR[r10*4+rdi],r13d
add r13b,r11b
mov al,BYTE PTR[r13*4+rdi]
ror rax,8                            ; 9th rotate: rax now holds the 8 keystream bytes, first byte lowest
sub rsi,8
xor rax,QWORD PTR[rdx]               ; in[0..7] ^ keystream
add rdx,8
mov QWORD PTR[rcx],rax               ; out[0..7]
add rcx,8
test rsi,-8                          ; another full 8 bytes left?
jnz $L$loop8
cmp rsi,0
jne $L$loop1                         ; 1..7 bytes left: finish one at a time
jmp $L$exit
ALIGN 16
$L$loop1::
; One byte per iteration, 32-bit table layout. r9 = S[x] on entry.
add r12b,r9b                         ; y += S[x]
mov r13d,DWORD PTR[r12*4+rdi]        ; r13 = S[y]
mov DWORD PTR[r12*4+rdi],r9d         ; S[y] = old S[x]
mov DWORD PTR[r8*4+rdi],r13d         ; S[x] = old S[y]
add r9b,r13b                         ; r9 = (S[x]+S[y]) mod 256
inc r8b                              ; x++
mov r13d,DWORD PTR[r9*4+rdi]         ; keystream byte
mov r9d,DWORD PTR[r8*4+rdi]          ; r9 = S[x] for the next iteration
xor r13b,BYTE PTR[rdx]
inc rdx
mov BYTE PTR[rcx],r13b
inc rcx
dec rsi
jnz $L$loop1
jmp $L$exit
ALIGN 16
$L$RC4_CHAR::
; Byte-table layout: S[] is 256 bytes at rdi, indices are zero-extended
; through movzx instead of using the implicit 32-bit zero extension.
add r8b,1                            ; x++
movzx r9d,BYTE PTR[r8*1+rdi]         ; r9 = S[x]
test rsi,-8
jz $L$cloop1
cmp DWORD PTR[260+rdi],0             ; flag from RC4_set_key: 1-byte loop only
jnz $L$cloop1
jmp $L$cloop8
ALIGN 16
$L$cloop8::
; 8 bytes per iteration. Unlike $L$loop8, the input is loaded up front
; (eax = in[0..3], ebx = in[4..7]) and xored in place one byte at a time,
; rotating the next input byte into al/bl. Roles of r8/r10 and r9/r11
; alternate per step as in $L$loop8; $L$cmovN are branchy stand-ins for
; the cmove fix-up used there.
mov eax,DWORD PTR[rdx]
mov ebx,DWORD PTR[4+rdx]
; Step 1:
add r12b,r9b                         ; y += S[x]
lea r10,QWORD PTR[1+r8]              ; r10 = x+1
movzx r13d,BYTE PTR[r12*1+rdi]       ; r13 = S[y]
movzx r10d,r10b                      ; wrap x+1 to 8 bits
movzx r11d,BYTE PTR[r10*1+rdi]       ; r11 = S[x+1] prefetch
mov BYTE PTR[r12*1+rdi],r9b          ; S[y] = old S[x]
cmp r12,r10
mov BYTE PTR[r8*1+rdi],r13b          ; S[x] = old S[y]
jne $L$cmov0
mov r11,r9                           ; y == x+1: prefetched S[x+1] is stale
$L$cmov0::
add r13b,r9b                         ; (S[x]+S[y]) mod 256
xor al,BYTE PTR[r13*1+rdi]           ; in byte ^ keystream
ror eax,8                            ; next input byte into al
; Steps 2..8:
add r12b,r11b
lea r8,QWORD PTR[1+r10]
movzx r13d,BYTE PTR[r12*1+rdi]
movzx r8d,r8b
movzx r9d,BYTE PTR[r8*1+rdi]
mov BYTE PTR[r12*1+rdi],r11b
cmp r12,r8
mov BYTE PTR[r10*1+rdi],r13b
jne $L$cmov1
mov r9,r11
$L$cmov1::
add r13b,r11b
xor al,BYTE PTR[r13*1+rdi]
ror eax,8
add r12b,r9b
lea r10,QWORD PTR[1+r8]
movzx r13d,BYTE PTR[r12*1+rdi]
movzx r10d,r10b
movzx r11d,BYTE PTR[r10*1+rdi]
mov BYTE PTR[r12*1+rdi],r9b
cmp r12,r10
mov BYTE PTR[r8*1+rdi],r13b
jne $L$cmov2
mov r11,r9
$L$cmov2::
add r13b,r9b
xor al,BYTE PTR[r13*1+rdi]
ror eax,8
add r12b,r11b
lea r8,QWORD PTR[1+r10]
movzx r13d,BYTE PTR[r12*1+rdi]
movzx r8d,r8b
movzx r9d,BYTE PTR[r8*1+rdi]
mov BYTE PTR[r12*1+rdi],r11b
cmp r12,r8
mov BYTE PTR[r10*1+rdi],r13b
jne $L$cmov3
mov r9,r11
$L$cmov3::
add r13b,r11b
xor al,BYTE PTR[r13*1+rdi]
ror eax,8                            ; 4th rotate: eax = out[0..3] in original byte order
add r12b,r9b
lea r10,QWORD PTR[1+r8]
movzx r13d,BYTE PTR[r12*1+rdi]
movzx r10d,r10b
movzx r11d,BYTE PTR[r10*1+rdi]
mov BYTE PTR[r12*1+rdi],r9b
cmp r12,r10
mov BYTE PTR[r8*1+rdi],r13b
jne $L$cmov4
mov r11,r9
$L$cmov4::
add r13b,r9b
xor bl,BYTE PTR[r13*1+rdi]           ; bytes 4..7 go through ebx
ror ebx,8
add r12b,r11b
lea r8,QWORD PTR[1+r10]
movzx r13d,BYTE PTR[r12*1+rdi]
movzx r8d,r8b
movzx r9d,BYTE PTR[r8*1+rdi]
mov BYTE PTR[r12*1+rdi],r11b
cmp r12,r8
mov BYTE PTR[r10*1+rdi],r13b
jne $L$cmov5
mov r9,r11
$L$cmov5::
add r13b,r11b
xor bl,BYTE PTR[r13*1+rdi]
ror ebx,8
add r12b,r9b
lea r10,QWORD PTR[1+r8]
movzx r13d,BYTE PTR[r12*1+rdi]
movzx r10d,r10b
movzx r11d,BYTE PTR[r10*1+rdi]
mov BYTE PTR[r12*1+rdi],r9b
cmp r12,r10
mov BYTE PTR[r8*1+rdi],r13b
jne $L$cmov6
mov r11,r9
$L$cmov6::
add r13b,r9b
xor bl,BYTE PTR[r13*1+rdi]
ror ebx,8
add r12b,r11b
lea r8,QWORD PTR[1+r10]
movzx r13d,BYTE PTR[r12*1+rdi]
movzx r8d,r8b
movzx r9d,BYTE PTR[r8*1+rdi]
mov BYTE PTR[r12*1+rdi],r11b
cmp r12,r8
mov BYTE PTR[r10*1+rdi],r13b
jne $L$cmov7
mov r9,r11
$L$cmov7::
add r13b,r11b
xor bl,BYTE PTR[r13*1+rdi]
ror ebx,8                            ; ebx = out[4..7]
lea rsi,QWORD PTR[((-8))+rsi]        ; len -= 8 (lea: flags untouched)
mov DWORD PTR[rcx],eax
lea rdx,QWORD PTR[8+rdx]
mov DWORD PTR[4+rcx],ebx
lea rcx,QWORD PTR[8+rcx]
test rsi,-8
jnz $L$cloop8
cmp rsi,0
jne $L$cloop1                        ; 1..7 bytes left
jmp $L$exit
ALIGN 16
$L$cloop1::
; One byte per iteration, byte-table layout.
add r12b,r9b                         ; y += S[x]
movzx r13d,BYTE PTR[r12*1+rdi]       ; r13 = S[y]
mov BYTE PTR[r12*1+rdi],r9b          ; S[y] = old S[x]
mov BYTE PTR[r8*1+rdi],r13b          ; S[x] = old S[y]
add r13b,r9b                         ; (S[x]+S[y]) mod 256
add r8b,1                            ; x++
movzx r13d,r13b                      ; re-zero-extend after the 8-bit adds
movzx r8d,r8b
movzx r13d,BYTE PTR[r13*1+rdi]       ; keystream byte
movzx r9d,BYTE PTR[r8*1+rdi]         ; r9 = S[x] for the next iteration
xor r13b,BYTE PTR[rdx]
lea rdx,QWORD PTR[1+rdx]
mov BYTE PTR[rcx],r13b
lea rcx,QWORD PTR[1+rcx]
sub rsi,1
jnz $L$cloop1
jmp $L$exit
ALIGN 16
$L$exit::
sub r8b,1                            ; r8 was one step ahead; store the last used x
mov DWORD PTR[((-8))+rdi],r8d        ; key->x
mov DWORD PTR[((-4))+rdi],r12d       ; key->y
mov r13,QWORD PTR[rsp]               ; restore callee-saved (r13 was pushed last)
mov r12,QWORD PTR[8+rsp]
mov rbx,QWORD PTR[16+rsp]
add rsp,24
$L$epilogue::
mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue: rdi/rsi back from the home slots
mov rsi,QWORD PTR[16+rsp]
DB 0F3h,0C3h ;repret
$L$SEH_end_RC4::
RC4 ENDP
EXTERN OPENSSL_ia32cap_P:NEAR
PUBLIC RC4_set_key
ALIGN 16
RC4_set_key PROC PUBLIC
;-----------------------------------------------------------------------
; void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
; ABI:   Microsoft x64; rcx,rdx,r8 are moved to rdi = key, rsi = len,
;        rdx = data.
; Out:   key->data = key-scheduled permutation (RC4 KSA), key->x = key->y
;        = 0. The table layout is chosen from OPENSSL_ia32cap_P:
;          bit 20 clear -> 32-bit entries ($L$w1stloop / $L$w2ndloop)
;          bit 20 set   -> byte entries ($L$c1stloop / $L$c2ndloop);
;                          [256+rdi] = -1 marks this layout for RC4 and
;                          bit 30 is copied to [260+rdi] (RC4 then takes
;                          its 1-byte-per-iteration loop).
;        (What those cap bits denote is defined wherever OPENSSL_ia32cap_P
;        is populated; only their effect here is documented.)
; Regs:  rsi = -len counting up to 0, rdx = data + len, rcx = -len (reload
;        value); rax/r9 = i, r8 = j, r10 = S[i], r11 = S[j].
; Clobb: rax, rcx, rdx, r8-r11, flags; rdi/rsi restored from home slots.
; Note:  len is negated and used as a 64-bit count, so the caller's upper
;        32 bits of the int argument must be clean (NOTE(review): confirm
;        against callers). len must be >= 1: with len == 0 the wrap-around
;        (rsi reaching 0) never fires and the loop reads data[0..255]
;        beyond the key. Key bytes drive table indices, so memory access
;        is key-dependent; inherent to the RC4 KSA.
;-----------------------------------------------------------------------
mov QWORD PTR[8+rsp],rdi ;WIN64 prologue
mov QWORD PTR[16+rsp],rsi
mov rax,rsp
$L$SEH_begin_RC4_set_key::
mov rdi,rcx                          ; rdi = key
mov rsi,rdx                          ; rsi = len
mov rdx,r8                           ; rdx = data
lea rdi,QWORD PTR[8+rdi]             ; rdi = &key->data
lea rdx,QWORD PTR[rsi*1+rdx]         ; rdx = data + len
neg rsi                              ; rsi = -len; key byte k is [rsi+rdx]
mov rcx,rsi                          ; rcx = -len, reloaded when rsi wraps to 0
xor eax,eax
xor r9,r9
xor r10,r10
xor r11,r11
mov r8d,DWORD PTR[OPENSSL_ia32cap_P]
bt r8d,20
jnc $L$w1stloop                      ; bit 20 clear: 32-bit table
bt r8d,30
setc r9b
mov DWORD PTR[260+rdi],r9d           ; [260+rdi] = bit 30 (RC4: force 1-byte loop)
jmp $L$c1stloop
ALIGN 16
$L$w1stloop::
mov DWORD PTR[rax*4+rdi],eax         ; S[i] = i
add al,1
jnc $L$w1stloop                      ; carry once al wraps past 255
xor r9,r9                            ; i = 0
xor r8,r8                            ; j = 0
ALIGN 16
$L$w2ndloop::
mov r10d,DWORD PTR[r9*4+rdi]         ; S[i]
add r8b,BYTE PTR[rsi*1+rdx]          ; j += data[k]
add r8b,r10b                         ; j += S[i]
add rsi,1                            ; k++ (sets ZF when the key is exhausted)
mov r11d,DWORD PTR[r8*4+rdi]         ; S[j] (mov leaves flags alone)
cmovz rsi,rcx                        ; k wrapped: back to -len
mov DWORD PTR[r8*4+rdi],r10d         ; swap S[i], S[j]
mov DWORD PTR[r9*4+rdi],r11d
add r9b,1
jnc $L$w2ndloop                      ; 256 iterations
jmp $L$exit_key
ALIGN 16
$L$c1stloop::
mov BYTE PTR[rax*1+rdi],al           ; S[i] = i (byte table)
add al,1
jnc $L$c1stloop
xor r9,r9
xor r8,r8
ALIGN 16
$L$c2ndloop::
mov r10b,BYTE PTR[r9*1+rdi]          ; S[i]
add r8b,BYTE PTR[rsi*1+rdx]          ; j += data[k]
add r8b,r10b                         ; j += S[i]
add rsi,1                            ; k++
mov r11b,BYTE PTR[r8*1+rdi]          ; S[j]
jnz $L$cnowrap
mov rsi,rcx                          ; key exhausted: k = -len
$L$cnowrap::
mov BYTE PTR[r8*1+rdi],r10b          ; swap S[i], S[j]
mov BYTE PTR[r9*1+rdi],r11b
add r9b,1
jnc $L$c2ndloop
mov DWORD PTR[256+rdi],-1            ; mark byte layout for RC4
ALIGN 16
$L$exit_key::
xor eax,eax
mov DWORD PTR[((-8))+rdi],eax        ; key->x = 0
mov DWORD PTR[((-4))+rdi],eax        ; key->y = 0
mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue
mov rsi,QWORD PTR[16+rsp]
DB 0F3h,0C3h ;repret
$L$SEH_end_RC4_set_key::
RC4_set_key ENDP
PUBLIC RC4_options
ALIGN 16
RC4_options PROC PUBLIC
;-----------------------------------------------------------------------
; const char *RC4_options(void)
; Describes the code path RC4_set_key/RC4 select on this CPU, keyed on
; the same OPENSSL_ia32cap_P bits RC4_set_key tests:
;   bit 20 clear             -> "rc4(8x,int)"
;   bit 20 set, bit 30 clear -> "rc4(8x,char)"
;   bit 20 set, bit 30 set   -> "rc4(1x,char)"
; Out:   rax = pointer to a NUL-terminated static string in $L$opts.
; Clobb: edx, flags.
;-----------------------------------------------------------------------
lea rax,QWORD PTR[$L$opts]           ; default: first string
mov edx,DWORD PTR[OPENSSL_ia32cap_P]
test edx,00100000h                   ; bit 20
jz $L$done
lea rax,QWORD PTR[12+rax]            ; skip "rc4(8x,int)" + NUL (12 bytes)
test edx,40000000h                   ; bit 30
jz $L$done
lea rax,QWORD PTR[13+rax]            ; skip "rc4(8x,char)" + NUL (13 bytes)
$L$done::
DB 0F3h,0C3h ;repret
ALIGN 64
$L$opts::
DB 'rc4(8x,int)',0
DB 'rc4(8x,char)',0
DB 'rc4(1x,char)',0
DB 'RC4 for x86_64, CRYPTOGAMS by <appro@openssl.org>',0
ALIGN 64
RC4_options ENDP
EXTERN __imp_RtlVirtualUnwind:NEAR
ALIGN 16
stream_se_handler PROC PRIVATE
;-----------------------------------------------------------------------
; SEH language handler for RC4 (registered via $L$SEH_info_RC4).
; Windows x64 handler convention: rcx = EXCEPTION_RECORD*, rdx =
; establisher frame, r8 = CONTEXT*, r9 = DISPATCHER_CONTEXT*.
; Recovers the caller's rsp, rdi, rsi (and rbx/r12/r13 when the fault
; happened inside the body) into the CONTEXT, then falls into the shared
; tail $L$common_seh_exit in key_se_handler, which virtual-unwinds and
; returns ExceptionContinueSearch.
; CONTEXT offsets used: Rax 120, Rbx 144, Rsp 152, Rsi 168, Rdi 176,
; R12 216, R13 224, Rip 248.
;-----------------------------------------------------------------------
push rsi
push rdi
push rbx
push rbp
push r12
push r13
push r14
push r15
pushfq
sub rsp,64                           ; 32 bytes shadow space + 4 stack args for RtlVirtualUnwind
mov rax,QWORD PTR[120+r8]            ; rax = CONTEXT.Rax = entry rsp (RC4 does mov rax,rsp before SEH_begin)
mov rbx,QWORD PTR[248+r8]            ; rbx = CONTEXT.Rip
lea r10,QWORD PTR[$L$prologue]
cmp rbx,r10
jb $L$in_prologue                    ; Rip < $L$prologue: nothing pushed yet, frame = entry rsp
mov rax,QWORD PTR[152+r8]            ; rax = CONTEXT.Rsp
lea r10,QWORD PTR[$L$epilogue]
cmp rbx,r10
jae $L$in_prologue                   ; Rip >= $L$epilogue: rbx/r12/r13 already popped
lea rax,QWORD PTR[24+rax]            ; in body: skip the three pushed registers
mov rbx,QWORD PTR[((-8))+rax]        ; saved rbx
mov r12,QWORD PTR[((-16))+rax]       ; saved r12
mov r13,QWORD PTR[((-24))+rax]       ; saved r13
mov QWORD PTR[144+r8],rbx            ; CONTEXT.Rbx
mov QWORD PTR[216+r8],r12            ; CONTEXT.R12
mov QWORD PTR[224+r8],r13            ; CONTEXT.R13
$L$in_prologue::
mov rdi,QWORD PTR[8+rax]             ; rdi/rsi from the WIN64 home slots
mov rsi,QWORD PTR[16+rax]
mov QWORD PTR[152+r8],rax            ; CONTEXT.Rsp = caller's rsp
mov QWORD PTR[168+r8],rsi            ; CONTEXT.Rsi
mov QWORD PTR[176+r8],rdi            ; CONTEXT.Rdi
jmp $L$common_seh_exit
stream_se_handler ENDP
ALIGN 16
key_se_handler PROC PRIVATE
;-----------------------------------------------------------------------
; SEH language handler for RC4_set_key (registered via
; $L$SEH_info_RC4_set_key). Same handler convention as stream_se_handler
; (rcx = EXCEPTION_RECORD*, rdx = establisher frame, r8 = CONTEXT*,
; r9 = DISPATCHER_CONTEXT*). RC4_set_key pushes nothing, so the caller's
; frame is CONTEXT.Rsp itself; only rdi/rsi need recovering.
; $L$common_seh_exit is shared with stream_se_handler (which jumps here
; with the same stack layout: 9 pushes + 64 bytes).
;-----------------------------------------------------------------------
push rsi
push rdi
push rbx
push rbp
push r12
push r13
push r14
push r15
pushfq
sub rsp,64                           ; shadow space + 4 stack args
mov rax,QWORD PTR[152+r8]            ; rax = CONTEXT.Rsp
mov rdi,QWORD PTR[8+rax]             ; rdi/rsi from the WIN64 home slots
mov rsi,QWORD PTR[16+rax]
mov QWORD PTR[168+r8],rsi            ; CONTEXT.Rsi
mov QWORD PTR[176+r8],rdi            ; CONTEXT.Rdi
$L$common_seh_exit::
; Copy the (fixed-up) CONTEXT into DISPATCHER_CONTEXT.ContextRecord,
; then let RtlVirtualUnwind walk the frame.
mov rdi,QWORD PTR[40+r9]             ; DISPATCHER_CONTEXT.ContextRecord
mov rsi,r8                           ; source = CONTEXT
mov ecx,154                          ; 154 qwords = 1232 bytes = sizeof(CONTEXT)
DD 0a548f3fch                        ; cld ; rep movsq  (bytes FC F3 48 A5)
mov rsi,r9                           ; rsi = DISPATCHER_CONTEXT
xor rcx,rcx                          ; HandlerType = 0
mov rdx,QWORD PTR[8+rsi]             ; ImageBase
mov r8,QWORD PTR[rsi]                ; ControlPc
mov r9,QWORD PTR[16+rsi]             ; FunctionEntry
mov r10,QWORD PTR[40+rsi]            ; ContextRecord
lea r11,QWORD PTR[56+rsi]            ; &HandlerData
lea r12,QWORD PTR[24+rsi]            ; &EstablisherFrame
mov QWORD PTR[32+rsp],r10            ; stack args 5..8
mov QWORD PTR[40+rsp],r11
mov QWORD PTR[48+rsp],r12
mov QWORD PTR[56+rsp],rcx            ; ContextPointers = NULL
call QWORD PTR[__imp_RtlVirtualUnwind]
mov eax,1                            ; ExceptionContinueSearch
add rsp,64
popfq
pop r15
pop r14
pop r13
pop r12
pop rbp
pop rbx
pop rdi
pop rsi
DB 0F3h,0C3h ;repret
key_se_handler ENDP
.text$ ENDS
; Unwind registration. .pdata holds one RUNTIME_FUNCTION (begin, end,
; unwind-info RVA) per exported routine; RC4_options has no entry because
; it does not touch the stack.
.pdata SEGMENT READONLY ALIGN(4)
ALIGN 4
DD imagerel $L$SEH_begin_RC4
DD imagerel $L$SEH_end_RC4
DD imagerel $L$SEH_info_RC4
DD imagerel $L$SEH_begin_RC4_set_key
DD imagerel $L$SEH_end_RC4_set_key
DD imagerel $L$SEH_info_RC4_set_key
.pdata ENDS
; UNWIND_INFO records: byte 0 = 9 -> version 1, flags UNW_FLAG_EHANDLER;
; SizeOfProlog = CountOfCodes = FrameRegister = 0 (no unwind codes, the
; handler itself reconstructs the frame), followed by the handler RVA.
.xdata SEGMENT READONLY ALIGN(8)
ALIGN 8
$L$SEH_info_RC4::
DB 9,0,0,0
DD imagerel stream_se_handler
$L$SEH_info_RC4_set_key::
DB 9,0,0,0
DD imagerel key_se_handler
.xdata ENDS
END