I'm analyzing a binary trace; it is mostly obfuscated. What I need to do is understand the workflow of its algorithms. However, I can't find any reliable tool that can help me with that.
I was trying to convert these functions to LLVM IR and then optimize it, but none of the tools known to me were able to do that. As far as I remember, only llvm-mctoll was generating proper IR (but it was failing in most cases, probably because of unsupported instructions); another one generated a lot of useless junk code, and after optimization it looked even worse. Other tools like Miasm or Angr optimized only the IR, and that's not what I'm looking for.
How should I go about this? Optimizing it manually is very easy, but it's time-consuming (there are around 4k ASM instructions). Is there any tool that can help with this kind of optimization? Where is the problem in creating them? As far as I understand the theory, it's very easy, especially since I'm analyzing not a binary but a trace, so I don't have to worry about proper flow paths, disassembly, etc.
And after optimizing (if I didn't make any mistakes):
    sub esp, 4
    mov dword ptr [esp], 1B2F9632h
    sub esp, 4
    mov dword ptr [esp], 7ECAB5C8h
Or even:
    push 1B2F9632h
    push 7ECAB5C8h
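The fold shown above (`sub esp, 4` followed by a store to `[esp]` becoming `push`), as an added example that is not part of the original post: a small Python peephole pass over a textual trace. The function names, the sample trace and the conservative flag model are assumptions made for the example; the pass skips the fold when the flags set by `sub` are still read or when the stored operand is `esp`, the two cases where `push` would not be equivalent.

```python
import re

# Assumed, deliberately conservative flag model (not a full x86 table).
FLAG_READERS = {"pushfd", "pushf", "lahf", "adc", "sbb", "cmc"}
FLAG_WRITERS = {"add", "sub", "cmp", "neg", "test", "and", "or", "xor"}

SUB_ESP4 = re.compile(r"^sub\s+esp,\s*4h?$", re.I)
STORE_TOP = re.compile(r"^mov\s+dword\s+ptr\s+\[esp\],\s*(\S+)$", re.I)


def mnemonic(ins):
    return ins.split()[0].lower()


def reads_flags(ins):
    m = mnemonic(ins)
    cond = (m.startswith("j") and m != "jmp") or m.startswith(("set", "cmov"))
    return cond or m in FLAG_READERS


def flags_dead_from(trace, start):
    """True only if the status flags are overwritten before anything reads one."""
    for ins in trace[start:]:
        if reads_flags(ins):
            return False
        if mnemonic(ins) in FLAG_WRITERS:
            return True
    return False  # trace ended without proof: keep the original pair


def fold_pushes(trace):
    """Rewrite `sub esp, 4` + `mov dword ptr [esp], X` into `push X`."""
    out, i = [], 0
    while i < len(trace):
        cur = trace[i].strip()
        store = STORE_TOP.match(trace[i + 1].strip()) if i + 1 < len(trace) else None
        if (SUB_ESP4.match(cur) and store
                # `push esp` stores the old esp, the pair stores the new one
                and "esp" not in store.group(1).lower()
                # `push` leaves EFLAGS alone, `sub` does not
                and flags_dead_from(trace, i + 2)):
            out.append(f"push {store.group(1)}")
            i += 2
        else:
            out.append(cur)
            i += 1
    return out


# Constructed sample trace; the two constants are the ones quoted in the post.
TRACE = [
    "sub esp, 4", "mov dword ptr [esp], 1B2F9632h",
    "sub esp, 4", "mov dword ptr [esp], 7ECAB5C8h",
    "sub esp, 4", "mov dword ptr [esp], eax",
    "pushfd",                                   # reads the flags set by `sub`
    "sub esp, 4", "mov dword ptr [esp], esp",   # stores the decremented esp
    "cmp eax, 0",
]

if __name__ == "__main__":
    for line in fold_pushes(TRACE):
        print(line)
```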
Hi, it's me again.
So I took a deeper look at Triton and wrote a simple peephole optimizer to get rid of useless instructions and those stack modifications. The original trace had 48k instructions; I ended up with something around 2k. There were still a lot of bad instructions, but it was enough to completely devirtualize the VM and understand the shellcode.
Now I'm trying something harder; this is what I have. It looks like IR-level obfuscation, there is no pattern. How would you approach this? I saw this, but it works on functions that have one input and one output. I don't know if it will work with a function that does a lot of calculations with flags and many memory modifications. I also saw this talk by Rolf Rolles about synthesis. It looks great, maybe it would give better results? Also, is there any simple way to apply dead code elimination and constant folding at the Triton IR level? Is there any tool for that? I couldn't find anything.
    rip = 00000003de72158d sub r11d, 2AD65C0Bh
    rip = 00000003de721594 rol r11d, 1
    rip = 00000003de721597 movsx rsi, ax
    rip = 00000003de72159b not r11d
    rip = 00000003de72159e inc cx
    rip = 00000003de7215a1 sete bl
    rip = 00000003de7215a4 inc r11d
    rip = 00000003de7215a7 cmc
    rip = 00000003de7215a8 movzx si, spl
    rip = 00000003de7215ad add r11, rax
    rip = 00000003de7215b0 adc bh, ch
    rip = 00000003de7215b2 mov r9, 100000000h
    rip = 00000003de7215bc ror r12, 56h
    rip = 00000003de7215c0 add r11, r9
    rip = 00000003de7215c3 bsr r12w, r8w
    rip = 00000003de7215c8 mov r12, rsp
    rip = 00000003de7215cb rol r14, cl
    rip = 00000003de7215ce cmp r11b, 0CCh
    rip = 00000003de7215d2 rol bl, 95h
    rip = 00000003de7215d5 sub rsp, 180h
    rip = 00000003de7215dc and rsp, 0FFFFFFFFFFFFFFF0h
    rip = 00000003de7215e3 sal bh, 98h
    rip = 00000003de7215e6 cmc
    rip = 00000003de7215e7 mov rbx, r11
    rip = 00000003de7215ea sar sil, cl
    rip = 00000003de7215ed and rcx, 14DB3A03h
    rip = 00000003de7215f4 shl ch, cl
    rip = 00000003de7215f6 mov r14, 0FFFFF8029E610000h
    rip = 00000003de721600 cmovno cx, r13w
    rip = 00000003de721605 and ecx, ebp
    rip = 00000003de721607 sub rbx, r14
Registers: