CrowdStrike BSOD reversed function sub_1400E4124
// Decompiler pseudo-C for sub_1400E4124. The names a1..a4 and v4..v21 are auto-generated,
// and the trailing "// r10d"-style notes on the declarations are register assignments.
//
// What the visible code does: it steps through the memory at a3 at offsets 0, stride,
// 2*stride, ... and at each offset loads 1, 2 or 4 bytes (the width depends on the DWORD at
// a2+8), turns the loaded value into v20, and passes it to sub_1400E6F48 together with the
// current offset. The walk ends when the offset reaches a4 - width + 1 or when
// sub_1400E6F48 returns a negative value.
//
// Fields read through a2 (offsets only; the structure layout is not shown here):
//   +8   mode / element width selector (0 or 1 -> 1 byte, 2 -> 2 bytes, anything else -> 4)
//   +12  DWORD used as the step between offsets; its low byte is also subtracted in mode 1
//   +20  mask ANDed with the loaded value
//   +24  multiplier applied in the 2- and 4-byte modes
//   +28  bit count (read as a BYTE in the multiply/shift path, as a DWORD in mode 1)
//
// Review notes for anyone hardening or re-implementing this routine:
//   - The only validation is a4 >= element width. a3 is never checked (no NULL or range
//     test), so every load below is safe only if the caller guarantees that a3 points to at
//     least a4 readable bytes. That caller contract is not visible here -- TODO confirm.
//   - The step from a2+12 is not checked against zero; with a zero step the offset never
//     advances and the loop ends only when sub_1400E6F48 returns a negative value.
//   - The shift count 32 - *(BYTE)(a2+28) is not range-checked in this function.
//
// Returns 0 when no call to sub_1400E6F48 was made, otherwise the last value it returned,
// zero-extended from 32 bits.
__int64 __fastcall sub_1400E4124(int a1, __int64 a2, __int64 a3, unsigned int a4)
{
unsigned int v4; // r10d
int v5; // ebp
int v10; // edx
unsigned int v11; // eax
unsigned int v12; // r10d
int v13; // r14d
unsigned int v14; // edi
unsigned int v15; // esi
int v16; // ecx
unsigned __int16 *v17; // rdx
int v18; // ecx
unsigned int v19; // eax
unsigned int v20; // r8d
int v21; // edx
// v4 = mode selector; v5 = result (stays 0 if the loop never runs); v10 = element width,
// defaulting to 4 bytes.
v4 = *(_DWORD *)(a2 + 8);
v5 = 0;
v10 = 4;
// v11 = minimum number of bytes needed for one element in this mode.
if ( v4 < 2 ) {
v11 = 1;
} else if ( v4 == 2 ) {
v11 = 2;
} else {
v11 = 4;
}
// Length gate: a4 must hold at least one element. This compares a4 only with the element
// width; it says nothing about whether a3 is a valid pointer.
if ( a4 >= v11 )
{
// Recompute the width into v10; for every value of v4 this yields the same number as v11.
if ( v4 && (v12 = v4 - 1) != 0 )
{
if ( v12 == 1 )
v10 = 2;
}
else
{
v10 = 1;
}
// v13 = step between offsets, v14 = current offset, v15 = exclusive upper bound on the
// offset (last offset at which a full element still fits inside a4 bytes, plus one).
v13 = *(_DWORD *)(a2 + 12);
v14 = 0;
v15 = a4 - v10 + 1;
// Because a4 >= v11 == v10 at this point, a4 - v10 cannot wrap to -1, so this test passes.
if ( a4 - v10 != -1 )
{
// Load fence before the dependent loads; presumably a speculation barrier placed after
// the bounds check -- confirm against the disassembly.
_mm_lfence();
do
{
// The mode is fetched again on every pass instead of reusing v4. sub_1400E6F48 receives
// a2, so it may be able to change it; if the field can change, the width used by the
// length gate and the width used for the load can disagree -- verify.
v16 = *(_DWORD *)(a2 + 8);
// Address of the current element. v14 is bounded by v15 (derived from a4), but a3 is
// used exactly as passed in.
v17 = (unsigned __int16 *)(a3 + v14);
if ( v16 )
{
v18 = v16 - 1;
if ( v18 )
{
if ( v18 == 1 )
// Mode 2: 16-bit load from a3 + v14. The gist author marks this as the faulting
// instruction; nothing in this function can reject an invalid a3 before this point.
v19 = *v17; // <<-- Apocalypse instruction
else
// Any other mode: 32-bit load from the same address.
v19 = *(_DWORD *)v17;
// Mask, multiply, and keep the top *(BYTE)(a2+28) bits of the 32-bit product.
// The shift count is taken from a2 without a range check.
v20 = (*(_DWORD *)(a2 + 24) * (v19 & *(_DWORD *)(a2 + 20))) >> (32 - *(_BYTE *)(a2 + 28));
}
else
{
// Mode 1: masked byte minus the low byte of a2+12, truncated to 8 bits. The result is
// used only when it is below 1 << *(DWORD)(a2+28); otherwise v20 stays -1.
v20 = -1;
v21 = (unsigned __int8)((*(_BYTE *)v17 & *(_BYTE *)(a2 + 20)) - *(_BYTE *)(a2 + 12));
if ( v21 < 1 << *(_DWORD *)(a2 + 28) )
v20 = v21;
}
}
else
{
// Mode 0: the raw byte is used unchanged.
v20 = *(unsigned __int8 *)v17;
}
// Hand the offset and the derived value to the callee; a negative result ends the walk.
v5 = sub_1400E6F48(a1, a2, a3, a4, v14, v20);
if ( v5 < 0 )
break;
// Advance by the step from a2+12; a zero step would repeat the same offset.
v14 += v13;
}
while ( v14 < v15 );
}
}
return (unsigned int)v5;
}