MariusTitus

DENUVO DEOBFUSCATOR pre-release v.0.0.1

Dec 30th, 2022 (edited)
  1. #define _CRT_SECURE_NO_WARNINGS
  2. #include <iostream>
  3. #include <string.h>
  4. #include <windows.h>
  5. #include <valarray>
  6. #include <memoryapi.h>
  7. #include <tuple>
  8. #include <bitset>
  9. #include <algorithm>
  10. #include <vector>
  11. #include <tlhelp32.h>
  12. #include <unicorn.h>
  13. #include <x86.h>
  14. #include <inttypes.h>
  15. #include <Zydis/Zydis.h>
  16.  
using namespace std;   // file-wide; the unqualified cout/endl/hex below rely on it

// Scratch buffers placed in dedicated PE sections. All three sections are
// declared read,write only (not execute). Mind the sizes: MassiveOfOpcodes is
// 0x6000 * 0x6000 = 0x24000000 bytes (~576 MiB) of image-backed storage,
// NtdllOpcodes is 0x450 * 0x450 (~1.16 MiB) and MSVCRTOpcodes is 0x400 * 0x400
// (1 MiB). None of the three is referenced in the visible part of the file.
#pragma section(".DENUVO",read,write)
__declspec(allocate(".DENUVO"))
byte MassiveOfOpcodes[0x6000][0x6000];

#pragma section(".NTDLL",read,write)
__declspec(allocate(".NTDLL"))
byte NtdllOpcodes[0x450][0x450];

#pragma section(".MSVCRT",read,write)
__declspec(allocate(".MSVCRT"))
byte MSVCRTOpcodes[0x400][0x400];

// Hard-coded address at which emulation is meant to start. Not used in the
// visible part of the file; presumably tied to one specific target image and
// load layout (compare the fixed section bases in Create_Read_Process) --
// verify before reusing against another binary.
#define UC_EMU_START_ADDRESS 0x15A79131D

// Start of the .text sections of ntdll.dll / msvcrt.dll. Filled in by
// Create_Read_Process from GetProcAddress() of a known export minus a fixed
// offset, so they are only as accurate as that offset for the loaded DLL build.
int64_t ADDRESS_TEXT_SECTION_NTDLL, ADDRESS_TEXT_SECTION_MSVCRT;
  34.  
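// Evict the Unicorn translation block that covers `address`, so bytes that
// were just patched into emulated memory are re-translated on the next
// execution instead of running from the stale cached block.
//
// Both uc_ctl_* failures are reported on stdout. A failed lookup returns
// early: `tb` is not populated in that case, and the previous version went
// on to compute the removal range from its uninitialised fields.
void remove_cache(uc_engine* uc, uint64_t address)
{
    uc_tb tb;
    uc_err err = uc_ctl_request_cache(uc, address, &tb);
    if (err)
    {
        printf("Failed on uc_ctl_request_cache() with error returned %u: %s\n",
            err, uc_strerror(err));
        return; // tb is undefined here; do not derive a range from it
    }

    // Drop the whole cached block [tb.pc, tb.pc + tb.size).
    err = uc_ctl_remove_cache(uc, tb.pc, tb.pc + tb.size);
    if (err)
    {
        printf("Failed on uc_ctl_remove_cache() with error returned %u: %s\n",
            err, uc_strerror(err));
    }
}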
  55.  
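// Rewrite an obfuscated `xor REG, [mem]` into the equivalent `mov REG, [mem]`
// in emulated memory. The caller has already established that REG currently
// holds zero, so the XOR is just a load. `S_I_Z_E` is the memory operand
// width in bytes (8/4/2/1) chosen to match the destination register class.
//
// The original instruction's bytes at `RIP` are overwritten with NOPs, the
// re-encoded MOV is laid over the start of that span, the translation cache
// for `address` is dropped and RIP is rewound to `address` so the emulator
// re-executes the patched bytes.
//
// Returns 0 on success. Returns -1 and leaves guest memory untouched if Zydis
// refuses the encoder request; the previous version ignored the encoder
// status and wrote the uninitialised encoder buffer into guest memory.
int XorToMov(uc_engine* uc, uint64_t address, int S_I_Z_E, ZydisEncoderRequest pattern_req, ZydisDisassembledInstruction instruction, uint64_t RIP)
{
    const ZyanU8 nop = 0x90;

    pattern_req.mnemonic = ZYDIS_MNEMONIC_MOV;
    pattern_req.machine_mode = ZYDIS_MACHINE_MODE_LONG_64;
    pattern_req.operand_count = 2;
    pattern_req.address_size_hint = ZYDIS_ADDRESS_SIZE_HINT_64;
    // NOTE(review): the operand-size hint stays at 64 bits even when S_I_Z_E
    // selects a 32/16/8-bit register; confirm the encoder accepts that for
    // the narrower register classes (a rejected request now returns -1).
    pattern_req.operand_size_hint = ZYDIS_OPERAND_SIZE_HINT_64;
    pattern_req.allowed_encodings = ZYDIS_ENCODABLE_ENCODING_LEGACY;
    pattern_req.operands[0].type = instruction.operands[0].type;
    pattern_req.operands[0].reg.value = instruction.operands[0].reg.value;
    pattern_req.operands[1].type = instruction.operands[1].type;
    pattern_req.operands[1].mem.base = instruction.operands[1].mem.base;
    pattern_req.operands[1].mem.displacement = instruction.operands[1].mem.disp.value;
    pattern_req.operands[1].mem.size = S_I_Z_E;
    pattern_req.operands[1].mem.scale = instruction.operands[1].mem.scale;

    ZyanU8 encoded_instruction[ZYDIS_MAX_INSTRUCTION_LENGTH];
    ZyanUSize encoded_length = sizeof(encoded_instruction);

    if (!ZYAN_SUCCESS(ZydisEncoderEncodeInstruction(&pattern_req, encoded_instruction, &encoded_length)))
    {
        printf("XorToMov: failed to encode MOV replacement at 0x%" PRIx64 "\n", RIP);
        return -1;
    }

    // Blank the original XOR (at most 15 bytes) before laying the MOV over it.
    // NOTE(review): if the MOV encodes longer than the XOR it replaces, the
    // tail spills into the following instruction -- confirm this cannot
    // happen for the operand shapes handled here.
    for (ZyanU8 i = 0; i < instruction.info.length; ++i)
    {
        uc_mem_write(uc, RIP + i, &nop, 1);
    }

    for (ZyanUSize i = 0; i < encoded_length; ++i)
    {
        uc_mem_write(uc, RIP + i, &encoded_instruction[i], 1);
        printf("%02X ", encoded_instruction[i]);
    }
    std::cout << endl;

    remove_cache(uc, address);

    uc_reg_write(uc, UC_X86_REG_RIP, &address);

    return 0;
}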
  97.  
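// Per-instruction pattern matcher/rewriter driven from the Unicorn code hook.
//
// Decodes the instruction at `address` from emulated memory and, if it opens
// one of the obfuscation sequences recognised below, re-encodes the sequence
// into its plain equivalent in place: the whole sequence is NOP-filled, the
// replacement is written at `RIP`, the translation cache for the block is
// dropped and RIP is rewound to `address` so the patched bytes execute next.
//
// Sequences handled (see the branches for the exact operand checks):
//   * push R ; lea R,[rip+disp] ; xchg [rsp],R ; ret     -> jmp <lea target>
//   * push R ; lea R,[B] ; lea R,[..] ; mov [ds:..],S    -> mov [B],S ; push R
//   * push R ; mov R,[M] ; mov R,S ; mov [M],R ;
//             mov R,[..] ; mov [..],R                    -> mov [M],S ; push R
//   * xor R,[M] while R is known to hold zero            -> mov R,[M] (XorToMov)
//
// `size` is the instruction length reported by the hook and is used only for
// the first read (clamped to the scratch buffer). `RIP` is where the patched
// bytes are written; in the current hook it equals `address`.
//
// Any decode or encode failure abandons the rewrite for this instruction and
// leaves guest memory untouched. The previous version ignored every Zydis
// status, matched follow-on patterns against a stale `instruction`, indexed
// one past the end of the 14-entry register tables (`i <= 14`), and could read
// past the 24-byte NOP template once a six-instruction sequence exceeded it.
static void ZYDIS_DISASM(uc_engine* uc, uint64_t address, uint32_t size, uint64_t RIP)
{
    const ZyanU8 nop = 0x90;     // written one byte at a time over retired bytes
    ZyanU8 data[16] = {};        // scratch for one instruction (x86 max length is 15)

    // Byte offsets, relative to `address`, of the end of the 1st..6th
    // instruction of the sequence currently being matched.
    int TF, TS, TT, TFOURTH, TFIFTH, TSIXTH;
    ZydisRegister_ REG_1;
    int     X64_REGS[] = { UC_X86_REG_RAX, UC_X86_REG_RBX, UC_X86_REG_RCX,
                           UC_X86_REG_RDX, UC_X86_REG_RSI, UC_X86_REG_RDI,
                           UC_X86_REG_R8,  UC_X86_REG_R9,  UC_X86_REG_R10,
                           UC_X86_REG_R11, UC_X86_REG_R12, UC_X86_REG_R13,
                           UC_X86_REG_R14, UC_X86_REG_R15};

    int     X08_REGS[] = { UC_X86_REG_AH,  UC_X86_REG_AL,  UC_X86_REG_BH,  UC_X86_REG_BL,
                           UC_X86_REG_CH,  UC_X86_REG_CL,  UC_X86_REG_DH,  UC_X86_REG_DL,
                           UC_X86_REG_SIL, UC_X86_REG_DIL, UC_X86_REG_R8B, UC_X86_REG_R9B,
                           UC_X86_REG_R10B,UC_X86_REG_R11B,UC_X86_REG_R12B,
                           UC_X86_REG_R13B,UC_X86_REG_R14B,UC_X86_REG_R15B};

    // Zydis register ids in the same order as X64_REGS / X08_REGS, so that
    // index i in the Unicorn table corresponds to index i in each Zydis table.
    ZydisRegister_     X64_ZYDIS_REGS[] = { ZYDIS_REGISTER_RAX, ZYDIS_REGISTER_RBX, ZYDIS_REGISTER_RCX,
                                            ZYDIS_REGISTER_RDX, ZYDIS_REGISTER_RSI, ZYDIS_REGISTER_RDI,
                                            ZYDIS_REGISTER_R8,  ZYDIS_REGISTER_R9,  ZYDIS_REGISTER_R10,
                                            ZYDIS_REGISTER_R11, ZYDIS_REGISTER_R12, ZYDIS_REGISTER_R13,
                                            ZYDIS_REGISTER_R14, ZYDIS_REGISTER_R15};

    ZydisRegister_     X32_ZYDIS_REGS[] = { ZYDIS_REGISTER_EAX,  ZYDIS_REGISTER_EBX,  ZYDIS_REGISTER_ECX,  ZYDIS_REGISTER_EDX,
                                            ZYDIS_REGISTER_ESI,  ZYDIS_REGISTER_EDI,  ZYDIS_REGISTER_R8D,  ZYDIS_REGISTER_R9D,
                                            ZYDIS_REGISTER_R10D, ZYDIS_REGISTER_R11D, ZYDIS_REGISTER_R12D, ZYDIS_REGISTER_R13D,
                                            ZYDIS_REGISTER_R14D, ZYDIS_REGISTER_R15D };

    ZydisRegister_     X16_ZYDIS_REGS[] = { ZYDIS_REGISTER_AX,   ZYDIS_REGISTER_BX,  ZYDIS_REGISTER_CX,   ZYDIS_REGISTER_DX,
                                            ZYDIS_REGISTER_SI,   ZYDIS_REGISTER_DI,  ZYDIS_REGISTER_R8W,  ZYDIS_REGISTER_R9W,
                                            ZYDIS_REGISTER_R10W, ZYDIS_REGISTER_R11W,ZYDIS_REGISTER_R12W, ZYDIS_REGISTER_R13W,
                                            ZYDIS_REGISTER_R14W, ZYDIS_REGISTER_R15W };

    ZydisRegister_     X08_ZYDIS_REGS[] = { ZYDIS_REGISTER_AH,   ZYDIS_REGISTER_AL,   ZYDIS_REGISTER_BH,   ZYDIS_REGISTER_BL,
                                            ZYDIS_REGISTER_CH,   ZYDIS_REGISTER_CL,   ZYDIS_REGISTER_DH,   ZYDIS_REGISTER_DL,
                                            ZYDIS_REGISTER_SIL,  ZYDIS_REGISTER_DIL,  ZYDIS_REGISTER_R8B,  ZYDIS_REGISTER_R9B,
                                            ZYDIS_REGISTER_R10B, ZYDIS_REGISTER_R11B, ZYDIS_REGISTER_R12B, ZYDIS_REGISTER_R13B,
                                            ZYDIS_REGISTER_R14B, ZYDIS_REGISTER_R15B };

    // Loop bounds taken from the tables themselves: 14 full-width, 18 byte regs.
    const int X64_REG_COUNT = (int)(sizeof(X64_REGS) / sizeof(X64_REGS[0]));
    const int X08_REG_COUNT = (int)(sizeof(X08_REGS) / sizeof(X08_REGS[0]));

    int64_t X64_REGS_PTR[14];
    BYTE    X08_REGS_PTR[18];

    ZydisDecoder decoder;
    ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);

    ZydisEncoderRequest pattern_req;
    memset(&pattern_req, 0, sizeof(pattern_req));

    ZyanU64 runtime_address = RIP;

    ZyanUSize offset = 0;
    const ZyanUSize length = sizeof(data);

    ZydisDisassembledInstruction instruction;

    ZydisDecodedInstruction Instruction;
    ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];

    // Never read more than the scratch buffer holds, whatever the hook reports.
    if (size > sizeof(data))
    {
        size = sizeof(data);
    }
    uc_mem_read(uc, address, data, size);
    if (!ZYAN_SUCCESS(ZydisDisassembleIntel(ZYDIS_MACHINE_MODE_LONG_64, runtime_address, data + offset, length - offset,
        &instruction)))
    {
        return;
    }

    // Every follow-on read fetches a full buffer from the next offset.
    size = sizeof(data);

    // Fetch the instruction at `at` into `data` and decode it into
    // `instruction`. False when Zydis cannot decode it; callers then give up
    // on the pattern instead of matching against stale operands.
    auto decode_at = [&](uint64_t at) -> bool
    {
        uc_mem_read(uc, at, data, size);
        return ZYAN_SUCCESS(ZydisDisassembleIntel(ZYDIS_MACHINE_MODE_LONG_64, runtime_address, data + offset,
            length - offset, &instruction)) ? true : false;
    };

    // Overwrite `count` bytes starting at RIP with NOPs.
    auto nop_fill = [&](int count)
    {
        for (int i = 0; i < count; ++i)
        {
            uc_mem_write(uc, RIP + i, &nop, 1);
        }
    };

    // Write `count` encoded bytes at `at` and echo them on stdout.
    auto write_encoded = [&](uint64_t at, const ZyanU8* bytes, ZyanUSize count)
    {
        for (ZyanUSize i = 0; i < count; ++i)
        {
            uc_mem_write(uc, at + i, &bytes[i], 1);
            printf("%02X ", bytes[i]);
        }
    };

    if (instruction.info.mnemonic == ZYDIS_MNEMONIC_PUSH)
    {
        // Remember what the opening PUSH pushed: one rewrite below re-emits it
        // after the sequence has been overwritten, at which point re-reading
        // `address` would decode the replacement MOV, not the PUSH.
        const ZydisOperandType push_operand_type = instruction.operands[0].type;
        const ZydisRegister_ push_register = instruction.operands[0].reg.value;

        TF = instruction.info.length;
        if (!decode_at(address + TF))
        {
            return;
        }

        if (instruction.info.mnemonic == ZYDIS_MNEMONIC_LEA && instruction.operands[1].mem.index == ZYDIS_REGISTER_NONE && instruction.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY)
        {
            // Full decode so the LEA's effective address can be resolved.
            if (!ZYAN_SUCCESS(ZydisDecoderDecodeFull(&decoder, data + offset, length - offset,
                &Instruction, operands)))
            {
                return;
            }

            ZyanU64 result_address;

            // The LEA sits TF bytes after `address`, so a RIP-relative operand
            // must be resolved against runtime_address + TF, not against the
            // PUSH. (The previous version resolved it against `address` and
            // then wrote the JMP at RIP + 1; the two errors cancelled only for
            // a one-byte PUSH and broke for `push r8..r15`.)
            if (!ZYAN_SUCCESS(ZydisCalcAbsoluteAddress(&Instruction, &operands[1], runtime_address + TF, &result_address)))
            {
                return;
            }
            pattern_req.operand_count = 1;
            pattern_req.operands[0].type = ZYDIS_OPERAND_TYPE_IMMEDIATE;
            pattern_req.operands[0].imm.u = result_address;

            TS = instruction.info.length + TF;
            if (!decode_at(address + TS))
            {
                return;
            }

            if (instruction.info.mnemonic == ZYDIS_MNEMONIC_XCHG && instruction.operands[0].mem.base == ZYDIS_REGISTER_RSP)
            {
                TT = instruction.info.length + TS;
                if (!decode_at(address + TT))
                {
                    return;
                }

                if (instruction.info.mnemonic == ZYDIS_MNEMONIC_RET)
                {
                    // push R ; lea R,[target] ; xchg [rsp],R ; ret  ==>  jmp target
                    pattern_req.mnemonic = ZYDIS_MNEMONIC_JMP;
                    pattern_req.machine_mode = ZYDIS_MACHINE_MODE_LONG_64;

                    ZyanU8 encoded_instruction[ZYDIS_MAX_INSTRUCTION_LENGTH];
                    ZyanUSize encoded_length = sizeof(encoded_instruction);

                    // Encoded relative to runtime_address (== RIP), so the bytes
                    // must be placed exactly at RIP for the displacement to hold.
                    if (!ZYAN_SUCCESS(ZydisEncoderEncodeInstructionAbsolute(&pattern_req, encoded_instruction, &encoded_length, runtime_address)))
                    {
                        return;
                    }

                    nop_fill(TT + instruction.info.length);
                    write_encoded(RIP, encoded_instruction, encoded_length);
                    puts("");

                    remove_cache(uc, address);

                    uc_reg_write(uc, UC_X86_REG_RIP, &address);
                }
            }
            else if (instruction.info.mnemonic == ZYDIS_MNEMONIC_LEA)
            {
                // Re-decode the first LEA so its operands are current.
                if (!decode_at(address + TF))
                {
                    return;
                }

                TS = TF + instruction.info.length;

                REG_1 = instruction.operands[0].reg.value;

                // Destination of the replacement MOV: the first LEA's memory
                // operand, widened to 8 bytes. NOTE(review): the displacement
                // is deliberately left at 0 (the assignment was commented out
                // in the original); confirm that is intended for this pattern.
                pattern_req.operands[0].type = instruction.operands[1].type;
                pattern_req.operands[0].mem.base = instruction.operands[1].mem.base;
             //   pattern_req.operands[0].mem.displacement = instruction.operands[1].mem.disp.value;
                pattern_req.operands[0].mem.size = 0x8;
                pattern_req.operands[0].mem.scale = instruction.operands[1].mem.scale;

                if (!decode_at(address + TS))
                {
                    return;
                }

                if (instruction.info.mnemonic == ZYDIS_MNEMONIC_LEA && instruction.operands[0].reg.value == REG_1)//&& instruction.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY
                {
                    TT = TS + instruction.info.length;
                    if (!decode_at(address + TT))
                    {
                        return;
                    }

                    if (instruction.info.mnemonic == ZYDIS_MNEMONIC_MOV && instruction.operands[0].mem.segment == ZYDIS_REGISTER_DS)
                    {
                        TFOURTH = instruction.info.length + TT;

                        // mov [lea base], <mov source register>
                        pattern_req.mnemonic = ZYDIS_MNEMONIC_MOV;
                        pattern_req.machine_mode = ZYDIS_MACHINE_MODE_LONG_64;
                        pattern_req.operand_count = 2;
                        pattern_req.address_size_hint = ZYDIS_ADDRESS_SIZE_HINT_64;
                        pattern_req.operand_size_hint = ZYDIS_OPERAND_SIZE_HINT_64;
                        pattern_req.allowed_encodings = ZYDIS_ENCODABLE_ENCODING_LEGACY;
                        pattern_req.operands[1].type = instruction.operands[1].type;
                        pattern_req.operands[1].reg.value = instruction.operands[1].reg.value;

                        ZyanU8 encoded_mov[ZYDIS_MAX_INSTRUCTION_LENGTH];
                        ZyanUSize mov_length = sizeof(encoded_mov);
                        if (!ZYAN_SUCCESS(ZydisEncoderEncodeInstruction(&pattern_req, encoded_mov, &mov_length)))
                        {
                            return;
                        }

                        // push <register of the opening PUSH>, from the operand
                        // captured before any bytes were patched. The previous
                        // version never encoded this PUSH and wrote the MOV
                        // bytes a second time.
                        pattern_req.mnemonic = ZYDIS_MNEMONIC_PUSH;
                        pattern_req.machine_mode = ZYDIS_MACHINE_MODE_LONG_64;
                        pattern_req.operand_count = 1;
                        pattern_req.operands[0].type = push_operand_type;
                        pattern_req.operands[0].reg.value = push_register;

                        ZyanU8 encoded_push[ZYDIS_MAX_INSTRUCTION_LENGTH];
                        ZyanUSize push_length = sizeof(encoded_push);
                        if (!ZYAN_SUCCESS(ZydisEncoderEncodeInstruction(&pattern_req, encoded_push, &push_length)))
                        {
                            return;
                        }

                        nop_fill(TFOURTH);
                        write_encoded(RIP, encoded_mov, mov_length);
                        write_encoded(RIP + mov_length, encoded_push, push_length);

                        std::cout << endl;
                        remove_cache(uc, address);

                        uc_reg_write(uc, UC_X86_REG_RIP, &address);
                    }
                }
            }

        }
        else if (instruction.info.mnemonic == ZYDIS_MNEMONIC_MOV && instruction.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY)
        {
            TS = TF + instruction.info.length;
            if (!decode_at(address + TS))
            {
                return;
            }

            if (instruction.info.mnemonic == ZYDIS_MNEMONIC_MOV)
            {
                // Source of the replacement MOV: the second MOV's source register.
                pattern_req.operands[1].type = instruction.operands[1].type;
                pattern_req.operands[1].reg.value = instruction.operands[1].reg.value;

                TT = TS + instruction.info.length;
                if (!decode_at(address + TT))
                {
                    return;
                }

                if (instruction.info.mnemonic == ZYDIS_MNEMONIC_MOV && instruction.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY)
                {
                    // Destination: the third MOV's memory operand, widened to
                    // 8 bytes. NOTE(review): displacement left at 0 on purpose
                    // (assignment commented out in the original) -- confirm.
                    pattern_req.operands[0].type = instruction.operands[0].type;
                    pattern_req.operands[0].mem.base = instruction.operands[0].mem.base;
                  //  pattern_req.operands[0].mem.displacement = instruction.operands[0].mem.disp.value;
                    pattern_req.operands[0].mem.size = 0x8;
                    pattern_req.operands[0].mem.scale = instruction.operands[0].mem.scale;

                    TFOURTH = TT + instruction.info.length;
                    if (!decode_at(address + TFOURTH))
                    {
                        return;
                    }

                    if (instruction.info.mnemonic == ZYDIS_MNEMONIC_MOV && instruction.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY)
                    {
                        TFIFTH = TFOURTH + instruction.info.length;
                        if (!decode_at(address + TFIFTH))
                        {
                            return;
                        }

                        if (instruction.info.mnemonic == ZYDIS_MNEMONIC_MOV && instruction.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY)
                        {
                            TSIXTH = TFIFTH + instruction.info.length;

                            // mov [dest], <source register>
                            pattern_req.mnemonic = ZYDIS_MNEMONIC_MOV;
                            pattern_req.machine_mode = ZYDIS_MACHINE_MODE_LONG_64;
                            pattern_req.operand_count = 2;
                            pattern_req.address_size_hint = ZYDIS_ADDRESS_SIZE_HINT_64;
                            pattern_req.operand_size_hint = ZYDIS_OPERAND_SIZE_HINT_64;
                            pattern_req.allowed_encodings = ZYDIS_ENCODABLE_ENCODING_LEGACY;

                            ZyanU8 encoded_mov[ZYDIS_MAX_INSTRUCTION_LENGTH];
                            ZyanUSize mov_length = sizeof(encoded_mov);
                            if (!ZYAN_SUCCESS(ZydisEncoderEncodeInstruction(&pattern_req, encoded_mov, &mov_length)))
                            {
                                return;
                            }

                            // push <source register of the last MOV> (as in the
                            // original; note this is not the opening PUSH's
                            // register -- confirm that is the intended value).
                            pattern_req.mnemonic = ZYDIS_MNEMONIC_PUSH;
                            pattern_req.machine_mode = ZYDIS_MACHINE_MODE_LONG_64;
                            pattern_req.operand_count = 1;
                            pattern_req.operands[0].type = ZYDIS_OPERAND_TYPE_REGISTER;
                            pattern_req.operands[0].reg.value = instruction.operands[1].reg.value;

                            ZyanU8 encoded_push[ZYDIS_MAX_INSTRUCTION_LENGTH];
                            ZyanUSize push_length = sizeof(encoded_push);
                            if (!ZYAN_SUCCESS(ZydisEncoderEncodeInstruction(&pattern_req, encoded_push, &push_length)))
                            {
                                return;
                            }

                            nop_fill(TSIXTH);
                            write_encoded(RIP, encoded_mov, mov_length);
                            write_encoded(RIP + mov_length, encoded_push, push_length);
                            std::cout << endl;
                            remove_cache(uc, address);

                            uc_reg_write(uc, UC_X86_REG_RIP, &address);
                        }
                    }
                }
            }
        }
    }
    // (An earlier, commented-out draft of the PUSH/LEA/LEA/MOV rewrite used to
    // sit here; the live version is the `else if (... ZYDIS_MNEMONIC_LEA)`
    // branch above.)
    else if (instruction.info.mnemonic == ZYDIS_MNEMONIC_XOR && instruction.operands[0].reg.value != instruction.operands[1].reg.value)
    {
         if (instruction.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instruction.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY)
         {
             // `xor R, [mem]` with R == 0 is a plain load; find which
             // zero-valued register the destination is and rewrite with the
             // matching operand width.
             for (int i = 0; i < X64_REG_COUNT; ++i)
             {
                 uc_reg_read(uc, X64_REGS[i], &X64_REGS_PTR[i]);
                 if (X64_REGS_PTR[i] == 0)
                 {
                     if (instruction.operands[0].reg.value == X64_ZYDIS_REGS[i])
                     {
                         cout << "X64" << endl;
                         cout << instruction.operands[0].reg.value << endl;
                         int S_I_Z_E = 0x8;
                         XorToMov(uc, address, S_I_Z_E, pattern_req, instruction, RIP);
                     }
                     else if (instruction.operands[0].reg.value == X32_ZYDIS_REGS[i])
                     {
                         cout << "X32" << endl;
                         int S_I_Z_E = 0x4;
                         XorToMov(uc, address, S_I_Z_E, pattern_req, instruction, RIP);
                     }
                     else if (instruction.operands[0].reg.value == X16_ZYDIS_REGS[i])
                     {
                         cout << "X16" << endl;
                         int S_I_Z_E = 0x2;
                         XorToMov(uc, address, S_I_Z_E, pattern_req, instruction, RIP);
                     }
                 }
             }
             for (int i = 0; i < X08_REG_COUNT; ++i)
             {
                 uc_reg_read(uc, X08_REGS[i], &X08_REGS_PTR[i]);
                 if (X08_REGS_PTR[i] == 0)
                 {
                     if (instruction.operands[0].reg.value == X08_ZYDIS_REGS[i])
                     {
                         cout << "X08" << endl;
                         int S_I_Z_E = 0x1;
                         XorToMov(uc, address, S_I_Z_E, pattern_req, instruction, RIP);
                     }
                 }
             }
         }
         else if (instruction.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY)
         {
             std::cout << "LATER; XOR MEMORY" << endl;
         }
         else if (instruction.operands[0].type == ZYDIS_OPERAND_TYPE_POINTER)
         {
             std::cout << "LATER; XOR POINTER" << endl;
         }
    }
}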
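// Hook-side wrapper around ZYDIS_DISASM for one instruction: run the pattern
// rewriter, then dump the (possibly patched) bytes now at `address`.
//
// `size` comes straight from the Unicorn hook. The read into the local
// buffer is clamped to the buffer size so an unexpected value cannot overrun
// the stack; ZYDIS_DISASM still receives the original `size`. Nothing is
// printed if the initial read fails (e.g. `address` is unmapped).
//
// Byte shapes the rewriter looks for, kept here for reference:
//   ?? ?? 48 8D ?? ?? ?? ?? ?? 48 87 ?? 24 C3
//     PUSH ?? | LEA ??, QWORD PTR DS:[VA - ??] | XCHG QWORD PTR SS:[RSP], ?? | RET
//   50..57      PUSH rax..rdi (and rsp/rbp)
//   41 50..57   PUSH r8..r15
static void PatternDeobfuscation(uc_engine* uc, uint64_t address, uint32_t size, uint64_t RIP)
{
    byte tmp[18];
    const uint32_t read_size = size < sizeof(tmp) ? size : (uint32_t)sizeof(tmp);

    if (uc_mem_read(uc, address, tmp, read_size) == UC_ERR_OK)
    {
        ZYDIS_DISASM(uc, address, size, RIP);

        // Re-read: ZYDIS_DISASM may have rewritten these bytes.
        uc_mem_read(uc, address, tmp, read_size);
        std::cout << ">>> OPCODES =";
        for (uint32_t i = 0; i < read_size; i++)
        {
            std::cout << " " << hex << (int)tmp[i];
        }
        std::cout << endl << endl;
    }
}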
  539.  
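// Unicorn UC_HOOK_CODE callback: log the current RIP and instruction size,
// then hand the instruction to PatternDeobfuscation.
//
// The last parameter is Unicorn's opaque user_data pointer, which this hook
// does not use. The current RIP is read into a local instead of being stored
// through that pointer as the previous version did. Output is in hex (the
// `hex` manipulator is sticky, so `size` prints in hex too, as before).
static void hook_code(uc_engine* uc, uint64_t address,
    uint32_t size, void* RIP)
{
    (void)RIP; // user_data; unused

    uint64_t current_rip = 0;
    uc_reg_read(uc, UC_X86_REG_RIP, &current_rip);
    std::cout << ">>> RIP = " << hex << current_rip << endl;
    std::cout << ">>> SIZE = " << size << endl;

    PatternDeobfuscation(uc, address, size, current_rip);
}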
  549.  
// Spawns the target executable through cmd.exe, then copies four memory
// ranges into the global opcode buffers that UcEmuDeobfuscate() later maps
// into the emulator: two ranges from the child (into MassiveOfOpcodes) and
// the ntdll/msvcrt code ranges from this process (into NtdllOpcodes and
// MSVCRTOpcodes).
// Side effects: assigns the file-scope globals ADDRESS_TEXT_SECTION_NTDLL and
// ADDRESS_TEXT_SECTION_MSVCRT, which UcEmuDeobfuscate() reads.
// Returns 0, or -1 when LoadLibraryA() fails for either DLL. Failures of
// CreateProcessA(), GetProcAddress(), OpenProcess() and ReadProcessMemory()
// are not reflected in the return value.
// NOTE(review): every address, size and offset below is hard-coded for one
// specific build of the target and of the system DLLs; on any other layout
// the buffers hold unrelated bytes or stay zero, and nothing here detects it.
int Create_Read_Process()
{
    char CommandLine[] = "cmd.exe /c G:/Programs/Games/JustCause4/JustCause4/JustCause4.exe";
    char ERROR_IMAGEBASE[] = "IMAGEBASE ERROR";
    char ERROR_CREATEPROCESS[] = "CREATE PROCESS ERROR";
    const char szModuleName[] = "JustCause4.exe";
    // text / text_1 receive wide copies of the two strings above but are never
    // read afterwards in this function.
    wchar_t text_1[220];
    wchar_t text[220];
    int Result_Of_New_Proc;
    // Source addresses in the child and the byte counts copied from each range.
    long long int BaseAddress_tls_section = 0x0000000142E7A000;
    long long int BaseAddress_text_section = 0x00000015B285000;
    long long int NumberOfBytesRead_tls_section = 0x183A6000;
    long long int NumberOfBytesRead_text_section = 0x8000;
    long long int NumberOfBytesRead_text_section_ntdll = 0x119000;
    long long int NumberOfBytesRead_text_section_msvcrt = 0x75000;
    long long int NumberOfBytesWrite = 0x4;   // unused in this function
    // NOTE(review): none of these handles is initialised, and HANDLE_OF_CHILD_PROC
    // and HANDLE_OF_MY_PROC are never closed before the function returns.
    HANDLE snapshot, HANDLE_OF_CHILD_PROC, ImageBase, HANDLE_OF_MY_PROC;

    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    PROCESSENTRY32 entry;

    entry.dwSize = sizeof(PROCESSENTRY32);
    //////////////////////////////////////////////////////////////// NTDLL
    FARPROC ADDRESS_OF_FUNCTION_IN_TEXT_SECTION_NTDLL = 0;
   // int64_t ADDRESS_TEXT_SECTION_NTDLL = 0;
    char NAME_OF_NTDLL[] = "ntdll.dll";
    // The code range is located indirectly: the address of this export, minus a
    // fixed offset applied below, is taken as the start of the range to copy.
    char NAME_OF_THE_FIRST_FUNCTION_IN_NTDLL[] = "RtlLargeIntegerToChar";

    HMODULE HANDLE_OF_NTDLL;
    //////////////////////////////////////////////////////////////// NTDLL

    //////////////////////////////////////////////////////////////// MSVCRT
    FARPROC ADDRESS_OF_FUNCTION_IN_TEXT_SECTION_MSVCRT = 0;
   // int64_t ADDRESS_TEXT_SECTION_MSVCRT = 0;
    char NAME_OF_MSVCRT_DLL[] = "msvcrt.dll";
    char NAME_OF_THE_FIRST_FUNCTION_IN_MSVCRT[] = "__STRINGTOLD";

    HMODULE HANDLE_OF_MSVCRT;

    //////////////////////////////////////////////////////////////// MSVCRT
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    HANDLE_OF_NTDLL = LoadLibraryA((LPCSTR)NAME_OF_NTDLL);
    if (HANDLE_OF_NTDLL == 0)
    {
        std::cout << "ERROR_OF_HANDLE_OF_NTDLL" << endl;
        return -1;
    }

    // NOTE(review): GetProcAddress() can return NULL; the subtraction below then
    // produces a meaningless address that is still stored in the global. The
    // -0x10 offset is a build-specific guess, not derived from the PE headers.
    ADDRESS_OF_FUNCTION_IN_TEXT_SECTION_NTDLL = GetProcAddress(HANDLE_OF_NTDLL, LPCSTR(NAME_OF_THE_FIRST_FUNCTION_IN_NTDLL));
    ADDRESS_TEXT_SECTION_NTDLL = (int64_t)ADDRESS_OF_FUNCTION_IN_TEXT_SECTION_NTDLL - 0x10;
    // NOTE(review): an HMODULE from LoadLibraryA() is released with FreeLibrary();
    // CloseHandle() does not release the module reference.
    CloseHandle(HANDLE_OF_NTDLL);

    HANDLE_OF_MSVCRT = LoadLibraryA((LPCSTR)NAME_OF_MSVCRT_DLL);
    if (HANDLE_OF_MSVCRT == 0)
    {
        std::cout << "ERROR_OF_HANDLE_OF_MSVCRT" << endl;
        return -1;
    }

    // Same pattern as for ntdll: export address minus a fixed -0x120 offset,
    // unchecked for a NULL export, and the module "closed" with CloseHandle().
    ADDRESS_OF_FUNCTION_IN_TEXT_SECTION_MSVCRT = GetProcAddress(HANDLE_OF_MSVCRT, LPCSTR(NAME_OF_THE_FIRST_FUNCTION_IN_MSVCRT));
    ADDRESS_TEXT_SECTION_MSVCRT = (int64_t)ADDRESS_OF_FUNCTION_IN_TEXT_SECTION_MSVCRT - 0x120;
    CloseHandle(HANDLE_OF_MSVCRT);

    mbstowcs(text, CommandLine, strlen(CommandLine) + 1);
    mbstowcs(text_1, szModuleName, strlen(szModuleName) + 1);
    // NOTE(review): dwCreationFlags is passed as NULL (a pointer constant used
    // as a DWORD). On failure only a message box is shown and execution
    // continues into the snapshot scan; pi.hProcess / pi.hThread are never
    // closed (the CloseHandle calls further down are commented out).
    Result_Of_New_Proc = CreateProcessA(NULL, CommandLine, NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);
    if (Result_Of_New_Proc == 0)
    {
        MessageBoxA(NULL, ERROR_CREATEPROCESS, ERROR_CREATEPROCESS, MB_OK);
    }
    // NOTE(review): the snapshot handle is not checked against
    // INVALID_HANDLE_VALUE, and the entry filled by Process32First() is
    // discarded without comparison, so only entries from the second onward
    // are examined.
    snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    if (Process32First(snapshot, &entry) == TRUE)
    {
        while (Process32Next(snapshot, &entry) == TRUE)
        {
            // NOTE(review): with UNICODE defined, szExeFile is a wchar_t array and
            // this cast compares the wrong bytes (the trailing wcscmp remark hints
            // at this). The match is by image name only, so any process with that
            // name — not necessarily the child spawned above — is selected.
            if (_stricmp((const char*)entry.szExeFile, (const char*)szModuleName) == 0)//wcscmp//_stricmp
            {
                // NOTE(review): PROCESS_ALL_ACCESS is far broader than the
                // PROCESS_VM_READ | PROCESS_QUERY_INFORMATION that the reads below
                // need; OpenProcess() results are not checked for NULL.
                HANDLE_OF_CHILD_PROC = OpenProcess(PROCESS_ALL_ACCESS, TRUE, entry.th32ProcessID);
                HANDLE_OF_MY_PROC = OpenProcess(PROCESS_ALL_ACCESS, TRUE, GetCurrentProcessId());
                // The 2-D arrays are used as flat buffers: &Arr[row][col] is simply
                // offset row*rowlen+col into contiguous storage, and each read below
                // fits inside its array. Return values and lpNumberOfBytesRead (NULL)
                // are ignored, so a failed or partial read silently leaves zeros that
                // UcEmuDeobfuscate() later feeds to the emulator as code.
                ReadProcessMemory(HANDLE_OF_CHILD_PROC, (LPVOID)BaseAddress_tls_section, &MassiveOfOpcodes[1588][0x1000], NumberOfBytesRead_tls_section, NULL);
                ReadProcessMemory(HANDLE_OF_CHILD_PROC, (LPVOID)BaseAddress_text_section, &MassiveOfOpcodes[0x46E0][0x4000], NumberOfBytesRead_text_section, NULL);
                ReadProcessMemory(HANDLE_OF_MY_PROC, (LPVOID)ADDRESS_TEXT_SECTION_NTDLL, &NtdllOpcodes[0][0], NumberOfBytesRead_text_section_ntdll, NULL);
                ReadProcessMemory(HANDLE_OF_MY_PROC, (LPVOID)ADDRESS_TEXT_SECTION_MSVCRT, &MSVCRTOpcodes[0][0], NumberOfBytesRead_text_section_msvcrt, NULL);
                //    WaitForSingleObject(pi.hProcess, INFINITE);
                // NOTE(review): closing the snapshot inside the loop body means the
                // next Process32Next() call operates on a closed handle; if no entry
                // ever matches, the snapshot is never closed at all.
                CloseHandle(snapshot);//&MassiveOfOpcodes[1952][8192]//&MassiveOfOpcodes[1952][4096]//&MassiveOfOpcodes[1952][0]
            //    CloseHandle(pi.hProcess);
            //    CloseHandle(pi.hThread);
            }
        }
    }
    // ImageBase is only checked here and not used afterwards.
    ImageBase = GetModuleHandle(NULL);
    if (ImageBase == 0)
    {
        MessageBoxA(NULL, ERROR_IMAGEBASE, ERROR_IMAGEBASE, MB_OK);
    }
    // NOTE(review): this reopens the current process (possibly overwriting the
    // handle opened in the loop without closing it) and the result is unused
    // before returning — another leaked handle.
    HANDLE_OF_MY_PROC = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, true, GetCurrentProcessId());
    return 0;
};  // stray ';' after the function body (harmless, but worth removing)
// Maps the dumped buffers into a Unicorn x86-64 instance and runs at most 60
// instructions from UC_EMU_START_ADDRESS under the hook_code callback (defined
// elsewhere in this file), printing the register file before and after.
// Reads the globals ADDRESS_TEXT_SECTION_NTDLL / ADDRESS_TEXT_SECTION_MSVCRT
// that Create_Read_Process() assigns; if that function did not run first they
// are zero and the ntdll/msvcrt mappings are placed at guest address 0.
// Returns 0 after emulation (even when uc_emu_start() reported an error) and
// -1 when uc_open() or one of the uc_mem_write() calls fails.
// NOTE(review): the early returns after uc_open() succeeds skip uc_close(),
// leaking the engine.
int UcEmuDeobfuscate()
{
// NOTE(review): these #defines are file-scope from this point on, not local to
// the function; everything later in the translation unit sees them.
#define STACK_ADDRESS 0x10000
#define TLS_DENUVO_ADDRESS 0x140941000
    int64_t NTDLL_ADDRESS = ADDRESS_TEXT_SECTION_NTDLL;//0x7FFE849F1000
    int64_t MSVCRT_ADDRESS = ADDRESS_TEXT_SECTION_MSVCRT;//0x7FFE82B61000
#define GS_BASE_ADDRESS 0x22A000

    // Guest mapping sizes. SIZE_OF_SECTION_TLS_DENUVO (0x24000000) equals
    // sizeof(MassiveOfOpcodes) (0x6000 * 0x6000); the ntdll mapping is rounded
    // up past sizeof(NtdllOpcodes) (0x129900) and the msvcrt one equals
    // sizeof(MSVCRTOpcodes) (0x100000).
    uint64_t SIZE_OF_SECTION_TLS_DENUVO = 0x24000000;
    uint64_t SIZE_OF_STACK = 0x7000;
    uint64_t SIZE_OF_NTDLL_TEXT_SECTION = 0x12A000;
    uint64_t SIZE_OF_MSVCRT_TEXT_SECTION = 0x100000;
    uint64_t SIZE_OF_GDT_BASE = 0xB000;

    uc_hook hook_code_;
    uc_engine* uc;
    uc_err err;

    // Initial register file: everything zero except GS base and RSP.
    int64_t RAX = 0x0;
    int64_t RBX = 0x0;
    int64_t RCX = 0x0;
    int64_t RDX = 0x0;
    int64_t RSI = 0x0;
    int64_t RDI = 0x0;
    int64_t R8 = 0x0;
    int64_t R9 = 0x0;
    int64_t R10 = 0x0;
    int64_t R11 = 0x0;
    int64_t R12 = 0x0;
    int64_t R13 = 0x0;
    int64_t R14 = 0x0;
    int64_t R15 = 0x0;

    // RIP is written as 0 below; the actual start address is the one passed to
    // uc_emu_start(), which overrides it.
    int64_t RIP{};

    // Presumably a stand-in for the TEB region the guest reads through gs: —
    // confirm; only an empty 0xB000-byte region is mapped there.
    int64_t GS_BASE = GS_BASE_ADDRESS;

    int64_t RFLAGS{};

    // NOTE(review): RSP = 0x10000 + 0x140941000 = 0x140951000, which lies inside
    // the TLS mapping, not in the separate stack region mapped at STACK_ADDRESS;
    // pushes therefore overwrite dumped data. Presumably intentional — confirm.
    int64_t RSP = STACK_ADDRESS + TLS_DENUVO_ADDRESS;
    int64_t RBP = 0x0;

    printf("Emulate x64 code\n");

    err = uc_open(UC_ARCH_X86, UC_MODE_64, &uc);
    if (err != UC_ERR_OK) {
        printf("Failed on uc_open() with error returned: %u\n", err);
        return -1;
    }

    // NOTE(review): all five uc_mem_map() return values are ignored. Unicorn
    // requires page-aligned (4 KiB) addresses; NTDLL_ADDRESS and MSVCRT_ADDRESS
    // are "export address minus a constant" and are aligned only if that build
    // happens to place the export accordingly. A failed mapping shows up later
    // as an UNMAPPED error from uc_mem_write() or uc_emu_start().
    uc_mem_map(uc, STACK_ADDRESS, SIZE_OF_STACK, UC_PROT_ALL);
    uc_mem_map(uc, TLS_DENUVO_ADDRESS, SIZE_OF_SECTION_TLS_DENUVO, UC_PROT_ALL);
    uc_mem_map(uc, NTDLL_ADDRESS, SIZE_OF_NTDLL_TEXT_SECTION, UC_PROT_ALL);
    uc_mem_map(uc, MSVCRT_ADDRESS, SIZE_OF_MSVCRT_TEXT_SECTION, UC_PROT_ALL);
    uc_mem_map(uc, GS_BASE_ADDRESS, SIZE_OF_GDT_BASE, UC_PROT_ALL);

    // Copy the three dumped buffers into their guest mappings. The error
    // message is the same for all three, so a failure cannot be told apart.
    if (uc_mem_write(uc, TLS_DENUVO_ADDRESS, &MassiveOfOpcodes, sizeof(MassiveOfOpcodes))) {
        printf("Failed to write emulation code to memory, quit!\n");
        return -1;
    }
    if (uc_mem_write(uc, NTDLL_ADDRESS, &NtdllOpcodes, sizeof(NtdllOpcodes))) {
        printf("Failed to write emulation code to memory, quit!\n");
        return -1;
    }
    if (uc_mem_write(uc, MSVCRT_ADDRESS, &MSVCRTOpcodes, sizeof(MSVCRTOpcodes))) {
        printf("Failed to write emulation code to memory, quit!\n");
        return -1;
    }
    // Pre-emulation dump: prints the locals initialised above, i.e. all zeros
    // except RSP (the registers have not been read back from the engine).
    std::cout << ">>> RAX = " << hex << RAX << endl;
    std::cout << ">>> RBX = " << hex << RBX << endl;
    std::cout << ">>> RCX = " << hex << RCX << endl;
    std::cout << ">>> RDX = " << hex << RDX << endl;
    std::cout << ">>> RSI = " << hex << RSI << endl;
    std::cout << ">>> RDI = " << hex << RDI << endl;
    std::cout << ">>> R8  = " << hex << R8 << endl;
    std::cout << ">>> R9  = " << hex << R9 << endl;
    std::cout << ">>> R10 = " << hex << R10 << endl;
    std::cout << ">>> R11 = " << hex << R11 << endl;
    std::cout << ">>> R12 = " << hex << R12 << endl;
    std::cout << ">>> R13 = " << hex << R13 << endl;
    std::cout << ">>> R14 = " << hex << R14 << endl;
    std::cout << ">>> R15 = " << hex << R15 << endl << endl;

    std::cout << ">>> RIP = " << hex << RIP << endl << endl;

    std::cout << ">>> RFLAGS = " << hex << RFLAGS << endl << endl;

    std::cout << ">>> RSP = " << hex << RSP << endl;
    std::cout << ">>> RBP = " << hex << RBP << endl << endl;

    // Seed the guest register file (return values unchecked).
    uc_reg_write(uc, UC_X86_REG_RAX, &RAX);
    uc_reg_write(uc, UC_X86_REG_RBX, &RBX);
    uc_reg_write(uc, UC_X86_REG_RCX, &RCX);
    uc_reg_write(uc, UC_X86_REG_RDX, &RDX);
    uc_reg_write(uc, UC_X86_REG_RSI, &RSI);
    uc_reg_write(uc, UC_X86_REG_RDI, &RDI);
    uc_reg_write(uc, UC_X86_REG_R8, &R8);
    uc_reg_write(uc, UC_X86_REG_R9, &R9);
    uc_reg_write(uc, UC_X86_REG_R10, &R10);
    uc_reg_write(uc, UC_X86_REG_R11, &R11);
    uc_reg_write(uc, UC_X86_REG_R12, &R12);
    uc_reg_write(uc, UC_X86_REG_R13, &R13);
    uc_reg_write(uc, UC_X86_REG_R14, &R14);
    uc_reg_write(uc, UC_X86_REG_R15, &R15);

    uc_reg_write(uc, UC_X86_REG_RIP, &RIP);

    uc_reg_write(uc, UC_X86_REG_GS_BASE, &GS_BASE);

    uc_reg_write(uc, UC_X86_REG_RFLAGS, &RFLAGS);

    uc_reg_write(uc, UC_X86_REG_RSP, &RSP);
    uc_reg_write(uc, UC_X86_REG_RBP, &RBP);

    // Per-instruction hook; begin=1 > end=0 is Unicorn's convention for "every
    // address". hook_code is not visible in this excerpt. Return value unchecked.
    uc_hook_add(uc, &hook_code_, UC_HOOK_CODE, hook_code, NULL, 1, 0);

    // Arguments: begin, until (an upper bound well past every mapping),
    // timeout = 0 (none), count = 60 instructions. An error here is printed but
    // the function still returns 0.
    err = uc_emu_start(uc, UC_EMU_START_ADDRESS, UC_EMU_START_ADDRESS + sizeof(MassiveOfOpcodes) + sizeof(NtdllOpcodes) + sizeof(MSVCRTOpcodes), 0, 60);
    if (err) {
        printf("Failed on uc_emu_start() with error returned %u: %s\n",
            err, uc_strerror(err));
    }

    printf("Emulation done. Below is the CPU context\n\n");

    // Read the final register file back (GS base is not read back).
    uc_reg_read(uc, UC_X86_REG_RAX, &RAX);
    uc_reg_read(uc, UC_X86_REG_RBX, &RBX);
    uc_reg_read(uc, UC_X86_REG_RCX, &RCX);
    uc_reg_read(uc, UC_X86_REG_RDX, &RDX);
    uc_reg_read(uc, UC_X86_REG_RSI, &RSI);
    uc_reg_read(uc, UC_X86_REG_RDI, &RDI);
    uc_reg_read(uc, UC_X86_REG_R8, &R8);
    uc_reg_read(uc, UC_X86_REG_R9, &R9);
    uc_reg_read(uc, UC_X86_REG_R10, &R10);
    uc_reg_read(uc, UC_X86_REG_R11, &R11);
    uc_reg_read(uc, UC_X86_REG_R12, &R12);
    uc_reg_read(uc, UC_X86_REG_R13, &R13);
    uc_reg_read(uc, UC_X86_REG_R14, &R14);
    uc_reg_read(uc, UC_X86_REG_R15, &R15);

    uc_reg_read(uc, UC_X86_REG_RIP, &RIP);

    uc_reg_read(uc, UC_X86_REG_RFLAGS, &RFLAGS);

    uc_reg_read(uc, UC_X86_REG_RSP, &RSP);
    uc_reg_read(uc, UC_X86_REG_RBP, &RBP);


    // Post-emulation dump.
    std::cout << ">>> RAX = " << hex << RAX << endl;
    std::cout << ">>> RBX = " << hex << RBX << endl;
    std::cout << ">>> RCX = " << hex << RCX << endl;
    std::cout << ">>> RDX = " << hex << RDX << endl;
    std::cout << ">>> RSI = " << hex << RSI << endl;
    std::cout << ">>> RDI = " << hex << RDI << endl;
    std::cout << ">>> R8  = " << hex << R8 << endl;
    std::cout << ">>> R9  = " << hex << R9 << endl;
    std::cout << ">>> R10 = " << hex << R10 << endl;
    std::cout << ">>> R11 = " << hex << R11 << endl;
    std::cout << ">>> R12 = " << hex << R12 << endl;
    std::cout << ">>> R13 = " << hex << R13 << endl;
    std::cout << ">>> R14 = " << hex << R14 << endl;
    std::cout << ">>> R15 = " << hex << R15 << endl << endl;

    std::cout << ">>> RIP = " << hex << RIP << endl << endl;

    std::cout << ">>> RFLAGS = " << hex << RFLAGS << endl << endl;

    std::cout << ">>> RSP = " << hex << RSP << endl;
    std::cout << ">>> RBP = " << hex << RBP << endl;

    //(UC_ERR_READ_UNMAPPED) - the problem of command which we want read
    // (author's note: an UNMAPPED error points at the guest instruction that
    // touched memory outside the five mappings above)

    uc_close(uc);

    return 0;
}
  827.  
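// Entry point: dump the target's memory into the global opcode buffers, then
// run the emulator over them.
// Returns 1 when the dump step reports failure, so the emulator is not run
// over buffers that were never filled; otherwise 0 when emulation set-up
// succeeded and 1 when UcEmuDeobfuscate() reported an error.
int main()
{
    // Create_Read_Process() returns -1 when a system DLL cannot be loaded;
    // emulating without its buffers is pointless, so stop here instead of
    // ignoring the status as before.
    if (Create_Read_Process() != 0)
    {
        return 1;
    }
    // UcEmuDeobfuscate() returns -1 on set-up failure; map that to a
    // conventional non-zero exit code.
    return UcEmuDeobfuscate() == 0 ? 0 : 1;
}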