Code snippet · op05/code_clean1.txt
// sub_180001030: decompiler pseudo-C (auto-generated names; not compilable as-is).
//
// Visible behaviour, with the surrounding junk arithmetic set aside:
//   1. Calls GetModuleFileNameW(0, Filename, 0x104u); a module handle of 0
//      asks for the path of the current process image. The call sits inside
//      the first `if`, so it is conditional in this listing.
//   2. Scans Filename for '\' (92) and '/' (47) and moves v206 to the element
//      after a separator, so v206 ends after the last one that was accepted.
//   3. For each of 3 table entries (416 wchar_t apart, starting at aChromeExe)
//      calls sub_180017020(entry, v206) and tests the result against 0.
//   4. When an entry passes, copies 52 __int128 values (832 bytes) from the
//      corresponding slot of unk_180039010 into a1 and returns 1 (LABEL_63).
//   5. Paths that reach LABEL_70 return 0.
//
// a1: destination of the fixed 832-byte copy. No length is passed, so the
//     caller has to supply at least 832 writable bytes.
// a2: only forwarded to the first sub_180010E10 call.
// Returns: char; only the low byte of v156 is set before each return.
//
// Recurring pattern: (N + byte_180039004) / byte_180039003 is compared with
// byte_180039000, optionally followed by a chain of stub calls summed with
// byte_180039001. The global values are not in this listing, so the branch
// outcomes cannot be determined from here.
//
// NOTE(review): several locals (v7, v9, v10, v15, v17, v117, v118, v200, v207,
// ...) are read with no visible assignment. Presumably these are register or
// stack values the decompiler could not track across the stub calls; confirm
// against the disassembly before relying on any value derived from them.
char __fastcall sub_180001030(__int128 *a1, __int64 a2)
{
int v2; // edi
int v3; // esi
int v4; // ebp
int v5; // ebx
__int64 v6; // rcx
unsigned int v7; // r8d
__int64 v8; // rdx
int v9; // r9d
__int64 v10; // r8
__int64 v11; // rcx
char v12; // al
__int64 v13; // rcx
char v14; // al
int v15; // edx
char v16; // al
int v17; // edx
__int64 v18; // r9
__int64 v19; // rdx
__int64 v20; // rcx
char v21; // al
__int64 v22; // rcx
char v23; // al
int v24; // edx
char v25; // al
int v26; // edx
char v27; // al
char v28; // al
__int64 v29; // rcx
char v30; // al
int v31; // edx
__int64 v32; // r9
char v33; // al
int v34; // r8d
int v35; // r8d
int v36; // eax
int v37; // r15d
char v38; // al
__int64 v39; // rcx
char v40; // al
int v41; // edx
__int64 v42; // r8
__int64 v43; // r9
__int64 v44; // rcx
__int64 v45; // rdx
int v46; // r14d
int v47; // ebp
__int64 v48; // rdx
__int64 v49; // rcx
char v50; // al
int v51; // ebp
__int64 v52; // rdx
__int64 v53; // r8
__int64 v54; // r9
__int64 v55; // rcx
int v56; // ebp
__int64 v57; // rdx
int v58; // ebx
__int64 v59; // rdx
__int64 v60; // rcx
char v61; // al
int v62; // ebx
__int64 v63; // rdx
__int64 v64; // r8
__int64 v65; // r9
int v66; // r12d
int v67; // edi
int v68; // esi
__int64 v69; // rcx
char v70; // al
__int64 v71; // rcx
char v72; // al
int v73; // edx
char v74; // al
int v75; // edx
__int64 v76; // rdx
__int64 v77; // rcx
WCHAR *v78; // r9
int v79; // r10d
__int64 v80; // r11
int v81; // edx
__int64 v82; // rcx
char v83; // al
__int64 v84; // rcx
char v85; // al
int v86; // edx
char v87; // al
int v88; // edx
char v89; // al
__int64 v90; // rcx
char v91; // al
int v92; // edx
__int64 v93; // r8
__int64 v94; // r9
__int64 v95; // rcx
__int64 v96; // rdx
int v97; // r13d
__int64 v98; // rdx
__int64 v99; // rcx
char v100; // al
int v101; // r13d
__int64 v102; // rdx
__int64 v103; // r8
__int64 v104; // r9
__int64 v105; // rcx
int v106; // r13d
__int64 v107; // rdx
int v108; // ebx
__int64 v109; // rdx
__int64 v110; // rcx
char v111; // al
int v112; // ebx
__int64 v113; // rdx
__int64 v114; // r8
__int64 v115; // r9
char v116; // al
int v117; // r8d
int v118; // r9d
int v119; // r15d
wchar_t *v120; // r10
int v121; // r12d
int v122; // r14d
__int64 v123; // rcx
char v124; // al
__int64 v125; // rcx
char v126; // al
int v127; // edx
char v128; // al
int v129; // edx
__int64 v130; // rdx
__int64 v131; // rcx
int v132; // eax
int v133; // edi
__int128 *v134; // rsi
int v135; // ebp
__int64 v136; // rcx
char v137; // al
__int64 v138; // rcx
char v139; // al
int v140; // edx
char v141; // al
int v142; // edx
__int128 *v143; // rax
__int128 *v144; // rcx
__int64 v145; // rdx
__int128 v146; // xmm0
__int128 v147; // xmm1
int v148; // ecx
__int64 v149; // rcx
char v150; // al
__int64 v151; // rcx
char v152; // al
int v153; // edx
char v154; // al
int v155; // edx
int v156; // eax
char v157; // al
__int64 v158; // rcx
char v159; // al
int v160; // edx
__int64 v161; // r9
char v162; // al
int v163; // r8d
int v164; // r8d
__int64 v165; // rcx
char v166; // al
__int64 v167; // rcx
char v168; // al
int v169; // edx
__int64 v170; // r8
__int64 v171; // r9
char v172; // al
int v173; // edx
unsigned int v174; // eax
__int64 v175; // rdx
__int64 v176; // rcx
char v177; // al
__int64 v178; // rcx
char v179; // al
int v180; // edx
char v181; // al
int v182; // edx
char v183; // al
__int64 v184; // rcx
char v185; // al
int v186; // edx
__int64 v187; // r9
char v188; // al
int v189; // r8d
int v190; // r8d
__int64 v191; // rcx
char v192; // al
__int64 v193; // rcx
char v194; // al
int v195; // edx
__int64 v196; // r9
char v197; // al
int v198; // r8d
// Stack locals. Per the slot annotations, v200-v203 share [rsp+20h],
// v204-v206 share [rsp+28h] and v209-v211 share [rsp+38h].
int v200; // [rsp+20h] [rbp-278h]
double v201; // [rsp+20h] [rbp-278h]
double v202; // [rsp+20h] [rbp-278h]
int v203; // [rsp+20h] [rbp-278h]
double v204; // [rsp+28h] [rbp-270h]
double v205; // [rsp+28h] [rbp-270h]
WCHAR *v206; // [rsp+28h] [rbp-270h]
int v207; // [rsp+30h] [rbp-268h]
int v208; // [rsp+34h] [rbp-264h]
double v209; // [rsp+38h] [rbp-260h]
double v210; // [rsp+38h] [rbp-260h]
double v211; // [rsp+38h] [rbp-260h]
double v213; // [rsp+40h] [rbp-258h]
// 264 WCHARs are reserved here; the GetModuleFileNameW call below passes
// 0x104 (260) as the buffer size.
WCHAR Filename[264]; // [rsp+50h] [rbp-248h] BYREF
// With the stub definitions shown in this listing (sub_180010E10 -> 7,
// sub_180010DE0 -> 2, sub_180010DD0 -> 0): v2 = 7, v3 = 2, v4 = 0, so v5 = 0
// and v6 = 7. Every later "k * v5" term is therefore 0.
v2 = (char)sub_180010E10(a1, a2, (unsigned int)byte_180039003, (unsigned int)byte_180039000);
v3 = (char)((__int64 (*)(void))sub_180010DE0)();
v4 = (char)((__int64 (*)(void))sub_180010DD0)();
v5 = v3 * v4;
v6 = (unsigned int)(v5 + v2 + 8 * v5);
// NOTE(review): v7 and v9 are read here without a visible assignment.
v8 = ((int)v6 + byte_180039004) % v7;
if ( ((int)v6 + byte_180039004) / v7 != v9 )
{
// The only place Filename is written in this listing. v204 is 0 whenever
// GetModuleFileNameW returns non-zero; a return of 0 means the call failed.
v204 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(GetModuleFileNameW(0, Filename, 0x104u) == 0);
v11 = (unsigned int)byte_180039000;
if ( (v2 + v5 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v11
|| (v12 = sub_180010DF0(v11, (v2 + v5 + byte_180039004) % (unsigned int)byte_180039003),
v14 = sub_180010E20(v13, (unsigned int)(6 * byte_18003A4A8 * v12)),
v16 = sub_180010E00((unsigned int)v14, (unsigned int)(v15 - v14)),
!(v16 + v17 + byte_180039001)) )
{
v18 = (byte_180039004 + v5 + v2 + 2 * v5) / (unsigned int)byte_180039003 == byte_180039000
? (unsigned int)v200
: (unsigned int)(int)((double)(int)((byte_180039004 + v2 + 7 * v5) / (unsigned int)byte_180039003
- byte_180039000)
* v204);
}
else
{
v18 = 1;
}
v8 = (v2 + byte_180039004 + 4 * v5) % (unsigned int)byte_180039003;
v6 = (unsigned int)byte_180039000;
// v18 carries the "GetModuleFileNameW == 0" factor; a non-zero product here
// leads towards LABEL_70 (return 0) through the checks below.
if ( (_DWORD)v18 * ((v2 + byte_180039004 + 4 * v5) / (unsigned int)byte_180039003 - (_DWORD)v6) )
{
v205 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(int)((byte_180039004 + v5 + v2 + 4 * v5) / (unsigned int)byte_180039003 - byte_180039000);
v19 = (v5 + v2 + byte_180039004) % (unsigned int)byte_180039003;
v20 = (unsigned int)byte_180039000;
if ( (v5 + v2 + byte_180039004) / (unsigned int)byte_180039003 != (_DWORD)v20 )
{
v21 = sub_180010DF0(v20, v19);
v23 = sub_180010E20(v22, (unsigned int)(6 * byte_18003A4A8 * v21));
v25 = sub_180010E00((unsigned int)v23, (unsigned int)(v24 - v23));
v19 = (unsigned int)(v25 + v26);
v20 = (unsigned int)(v19 + byte_180039001);
if ( (_DWORD)v19 + byte_180039001 )
goto LABEL_70;
}
v27 = sub_180010E10(v20, v19, v10, v18);
v8 = (3 * v4 * v3 + v27 + byte_180039004) % (unsigned int)byte_180039003;
v6 = (unsigned int)byte_180039000;
if ( (3 * v4 * v3 + v27 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v6 )
{
v36 = v200;
}
else
{
v28 = sub_180010DE0(v6, v8);
v30 = sub_180010DD0(v29, (unsigned int)v28);
v33 = sub_180010E10((unsigned int)v30, (unsigned int)(v30 * v31), (unsigned int)(7 * v30 * v31), v32);
HIDWORD(v8) = 0;
v35 = v33 + v34;
LODWORD(v8) = (v35 + byte_180039004) % (unsigned int)byte_180039003;
v6 = (unsigned int)byte_180039000;
v36 = (int)((double)(int)((v35 + byte_180039004) / (unsigned int)byte_180039003 - v6) * v205);
}
if ( v36 > 0 )
goto LABEL_70;
}
}
// ---- Phase 2: locate the file-name part of the path --------------------
// v206 starts at the beginning of Filename and is moved by the scan below.
v37 = 0;
v206 = Filename;
v38 = sub_180010DD0(v6, v8);
v40 = sub_180010DE0(v39, (unsigned int)v38);
v44 = (unsigned int)(char)sub_180010E10((unsigned int)v40, (unsigned int)(3 * v40 * v41), v42, v43);
v46 = v44 + 2 * v45;
v47 = (char)sub_180010DD0(v44, v45);
v50 = sub_180010DE0(v49, v48);
v51 = v50 * v47;
v55 = (unsigned int)(char)sub_180010E10((unsigned int)v50, v52, v53, v54);
v56 = v55 + v51;
v58 = (char)sub_180010DD0(v55, v57);
v61 = sub_180010DE0(v60, v59);
v62 = v61 * v58;
v66 = v200;
v67 = v200;
v68 = (char)sub_180010E10((unsigned int)v61, v63, v64, v65);
// The outer loop repeats the scan while v37 < v66; v66 is recomputed from the
// predicate arithmetic at the top of every pass.
while ( 1 )
{
v201 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(int)((v46 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000);
v69 = (unsigned int)byte_180039003;
if ( (v56 + byte_180039004) / (unsigned int)v69 == byte_180039000
|| (v70 = sub_180010DF0(v69, (v56 + byte_180039004) % (unsigned int)v69),
v72 = sub_180010E20(v71, (unsigned int)(6 * byte_18003A4A8 * v70)),
v74 = sub_180010E00((unsigned int)v72, (unsigned int)(v73 - v72)),
v76 = (unsigned int)(v74 + v75),
v77 = (unsigned int)(v76 + byte_180039001),
!((_DWORD)v76 + byte_180039001)) )
{
v76 = (byte_180039004 + v62 + v68 + 2 * v62) % (unsigned int)byte_180039003;
v77 = (unsigned int)byte_180039000;
if ( (byte_180039004 + v62 + v68 + 2 * v62) / (unsigned int)byte_180039003 != (_DWORD)v77 )
{
v76 = (byte_180039004 + v68 + 7 * v62) % (unsigned int)byte_180039003;
v77 = (unsigned int)byte_180039000;
v66 = (int)((double)(int)((byte_180039004 + v68 + 7 * v62) / (unsigned int)byte_180039003 - v77) * v201);
}
}
else
{
v66 = 1;
}
if ( v37 >= v66 )
break;
// Walk Filename one WCHAR at a time until the terminating 0.
if ( Filename[0] )
{
v78 = Filename;
v79 = 1;
v80 = 0;
do
{
if ( (v56 + byte_180039004) / (unsigned int)byte_180039003 != byte_180039000 )
{
// v81 = 1 when the current character is '\' (92) or '/' (47), else 0.
if ( *v78 == 92 || (v81 = 0, *v78 == 47) )
v81 = 1;
v202 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001)) * (double)v81;
v82 = (unsigned int)byte_180039000;
if ( (v56 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v82
|| (v83 = sub_180010DF0(v82, (v56 + byte_180039004) % (unsigned int)byte_180039003),
v85 = sub_180010E20(v84, (unsigned int)(6 * byte_18003A4A8 * v83)),
v87 = sub_180010E00((unsigned int)v85, (unsigned int)(v86 - v85)),
!(v87 + v88 + byte_180039001)) )
{
if ( (byte_180039004 + v62 + v68 + 2 * v62) / (unsigned int)byte_180039003 != byte_180039000 )
v67 = (int)((double)(int)((byte_180039004 + v68 + 7 * v62) / (unsigned int)byte_180039003 - byte_180039000)
* v202);
}
else
{
v67 = 1;
}
// v79 is always v80 + 1, so v206 is set to the element after the
// current character.
if ( v67 * ((v46 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000) )
v206 = &Filename[v79];
}
v78 = &Filename[++v80];
++v79;
}
while ( Filename[v80] );
}
++v37;
}
// ---- Phase 3: compare v206 against the 3-entry name table --------------
v208 = 0;
v89 = sub_180010DD0(v77, v76);
v91 = sub_180010DE0(v90, (unsigned int)v89);
v95 = (unsigned int)(char)sub_180010E10((unsigned int)v91, (unsigned int)(v91 * v92), v93, v94);
v203 = v95 + 2 * v96;
v97 = (char)sub_180010DD0(v95, v96);
v100 = sub_180010DE0(v99, v98);
v101 = v100 * v97;
v105 = (unsigned int)(char)sub_180010E10((unsigned int)v100, v102, v103, v104);
v106 = v105 + v101;
v108 = (char)sub_180010DD0(v105, v107);
v111 = sub_180010DE0(v110, v109);
v112 = v111 * v108;
v116 = sub_180010E10((unsigned int)v111, v113, v114, v115);
v119 = v203;
// Base of the candidate-name table; entries are indexed below as
// v120[416 * v133].
v120 = aChromeExe;
v121 = v203;
v122 = v116;
// Outer pass over the table, repeated while v118 < v132.
// NOTE(review): v117 and v118 are first assigned at the bottom of the inner
// loop; their values on the first pass are not visible in this listing.
LABEL_38:
v209 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(int)((v117 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000);
v123 = (unsigned int)byte_180039000;
if ( (v106 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v123
|| (v124 = sub_180010DF0(v123, (v106 + byte_180039004) % (unsigned int)byte_180039003),
v126 = sub_180010E20(v125, (unsigned int)(6 * byte_18003A4A8 * v124)),
v128 = sub_180010E00((unsigned int)v126, (unsigned int)(v127 - v126)),
v130 = (unsigned int)(v128 + v129),
v131 = (unsigned int)(v130 + byte_180039001),
!((_DWORD)v130 + byte_180039001)) )
{
v130 = (byte_180039004 + v112 + v122 + 2 * v112) % (unsigned int)byte_180039003;
v131 = (unsigned int)byte_180039000;
if ( (byte_180039004 + v112 + v122 + 2 * v112) / (unsigned int)byte_180039003 == (_DWORD)v131 )
{
v132 = v207;
}
else
{
v130 = (byte_180039004 + v122 + 7 * v112) % (unsigned int)byte_180039003;
v131 = (unsigned int)byte_180039000;
v132 = (int)((double)(int)((byte_180039004 + v122 + 7 * v112) / (unsigned int)byte_180039003 - v131) * v209);
v207 = v132;
}
}
else
{
v132 = 1;
v207 = 1;
}
if ( v118 < v132 )
{
// v133 indexes the 3 entries; v134 is the matching 832-byte source slot
// (advanced by 52 __int128 per entry).
v133 = 0;
v134 = (__int128 *)&unk_180039010;
v135 = v122 + 7 * v112;
while ( 1 )
{
if ( (v135 + byte_180039004) / (unsigned int)byte_180039003 != byte_180039000 )
{
// v210 is 0 unless sub_180017020(entry, v206) returned 0.
// sub_180017020 is not defined in this listing.
v210 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)((unsigned int)sub_180017020(&v120[416 * v133], v206) == 0);
v136 = (unsigned int)byte_180039000;
if ( (v106 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v136
|| (v137 = sub_180010DF0(v136, (v106 + byte_180039004) % (unsigned int)byte_180039003),
v139 = sub_180010E20(v138, (unsigned int)(6 * byte_18003A4A8 * v137)),
v141 = sub_180010E00((unsigned int)v139, (unsigned int)(v140 - v139)),
!(v141 + v142 + byte_180039001)) )
{
if ( (byte_180039004 + v112 + v122 + 2 * v112) / (unsigned int)byte_180039003 != byte_180039000 )
v119 = (int)((double)(int)((v135 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000) * v210);
}
else
{
v119 = 1;
}
if ( v119 * ((v122 + byte_180039004 + 8 * v112) / (unsigned int)byte_180039003 - byte_180039000) )
{
// Fixed-size copy from v134 to a1: 6 iterations of 8 __int128 plus a
// 4-element tail = 52 __int128 (832 bytes). There is no destination
// length to check against.
v143 = a1;
v144 = v134;
v145 = 6;
do
{
v143 += 8;
v146 = *v144;
v144 += 8;
*(v143 - 8) = v146;
*(v143 - 7) = *(v144 - 7);
*(v143 - 6) = *(v144 - 6);
*(v143 - 5) = *(v144 - 5);
*(v143 - 4) = *(v144 - 4);
*(v143 - 3) = *(v144 - 3);
*(v143 - 2) = *(v144 - 2);
*(v143 - 1) = *(v144 - 1);
--v145;
}
while ( v145 );
*v143 = *v144;
v143[1] = v144[1];
v143[2] = v144[2];
v147 = v144[3];
v148 = byte_180039004;
v143[3] = v147;
v211 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(int)((v148 + v112 + v122 + 8 * v112) / (unsigned int)byte_180039003 - byte_180039000);
v149 = (unsigned int)byte_180039000;
if ( (v106 + byte_180039004) / (unsigned int)byte_180039003 != (_DWORD)v149 )
{
v150 = sub_180010DF0(v149, (v106 + byte_180039004) % (unsigned int)byte_180039003);
v152 = sub_180010E20(v151, (unsigned int)(6 * byte_18003A4A8 * v150));
v154 = sub_180010E00((unsigned int)v152, (unsigned int)(v153 - v152));
if ( v154 + v155 + byte_180039001 )
goto LABEL_63;
}
if ( (byte_180039004 + v112 + v122 + 2 * v112) / (unsigned int)byte_180039003 != byte_180039000 )
v121 = (int)((double)(int)((v135 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000) * v211);
if ( v121 > 0 )
{
// Success exit: low byte of the result set to 1 after the copy above.
LABEL_63:
LOBYTE(v156) = 1;
return v156;
}
}
v120 = aChromeExe;
}
// Next entry; after the third one, start another outer pass at LABEL_38.
++v133;
v134 += 52;
if ( v133 >= 3 )
{
v117 = v203;
v118 = ++v208;
goto LABEL_38;
}
}
}
// ---- Tail: reached when the outer pass condition (v118 < v132) fails ----
v157 = sub_180010DE0(v131, v130);
v159 = sub_180010DD0(v158, (unsigned int)v157);
v162 = sub_180010E10((unsigned int)v159, (unsigned int)(v159 * v160), (unsigned int)(5 * v159 * v160), v161);
v164 = v162 + v163;
v165 = (unsigned int)byte_180039000;
v213 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(int)((v164 + byte_180039004) / (unsigned int)byte_180039003 - v165);
v166 = sub_180010DE0(v165, (v164 + byte_180039004) % (unsigned int)byte_180039003);
v168 = sub_180010DD0(v167, (unsigned int)v166);
v172 = sub_180010E10((unsigned int)v168, (unsigned int)(v168 * v169), v170, v171);
v174 = v172 + v173 + byte_180039004;
v175 = v174 % byte_180039003;
v176 = (unsigned int)byte_180039000;
if ( v174 / byte_180039003 != (_DWORD)v176 )
{
v177 = sub_180010DF0(v176, v175);
v179 = sub_180010E20(v178, (unsigned int)(6 * byte_18003A4A8 * v177));
v181 = sub_180010E00((unsigned int)v179, (unsigned int)(v180 - v179));
v175 = (unsigned int)(v181 + v182);
v176 = (unsigned int)(v175 + byte_180039001);
if ( (_DWORD)v175 + byte_180039001 )
goto LABEL_70;
}
v183 = sub_180010DE0(v176, v175);
v185 = sub_180010DD0(v184, (unsigned int)v183);
v188 = sub_180010E10((unsigned int)v185, (unsigned int)(v185 * v186), (unsigned int)(3 * v185 * v186), v187);
v190 = v188 + v189;
v191 = (unsigned int)byte_180039000;
if ( (v190 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v191 )
{
v156 = v203;
}
else
{
v192 = sub_180010DE0(v191, (v190 + byte_180039004) % (unsigned int)byte_180039003);
v194 = sub_180010DD0(v193, (unsigned int)v192);
v197 = sub_180010E10((unsigned int)v194, (unsigned int)(v194 * v195), (unsigned int)(7 * v194 * v195), v196);
v156 = (int)((double)(int)((v197 + v198 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000) * v213);
}
// LABEL_70 is the body of this `if` and the target of the earlier gotos: it
// clears the low byte of the result. When v156 <= 0 the assignment is skipped
// and the low byte of v156 is returned as computed above.
if ( v156 > 0 )
LABEL_70:
LOBYTE(v156) = 0;
return v156;
}
/*
 * Constant stub: always yields 9.
 * The definition takes no parameters; call sites in sub_180001030 pass
 * arguments (e.g. sub_180010E20(v13, ...)) that are never read here.
 */
char sub_180010E20()
{
    const char fixed_value = 9;

    return fixed_value;
}
/*
 * Constant stub: always yields 7.
 * The definition takes no parameters; call sites in sub_180001030 pass up to
 * four arguments (e.g. sub_180010E10(a1, a2, ...)) that are never read here.
 */
char sub_180010E10()
{
    const char fixed_value = 7;

    return fixed_value;
}
/*
 * Constant stub: always yields 6.
 * The definition takes no parameters; the two arguments passed by call sites
 * in sub_180001030 are never read here.
 */
char sub_180010E00()
{
    const char fixed_value = 6;

    return fixed_value;
}
/*
 * Constant stub: always yields 3.
 * The definition takes no parameters; the two arguments passed by call sites
 * in sub_180001030 are never read here.
 */
char sub_180010DF0()
{
    const char fixed_value = 3;

    return fixed_value;
}
/*
 * Constant stub: always yields 2.
 * The definition takes no parameters; arguments passed by call sites in
 * sub_180001030 are never read here.
 */
char sub_180010DE0()
{
    const char fixed_value = 2;

    return fixed_value;
}
/*
 * Constant stub: always yields 0.
 * The definition takes no parameters; arguments passed by call sites in
 * sub_180001030 are never read here. Because the result is 0, every product
 * formed with it in sub_180001030 (v5, v51, v62, v101, v112) is 0 as well.
 */
char sub_180010DD0()
{
    const char fixed_value = 0;

    return fixed_value;
}
Evaluated model output (what the LLM said about the code) · op05/result_KimiK261.txt
### 1. Functionality
The function performs a **filename-based configuration lookup**. Its core logic is:
1. **Retrieves its own module path** via `GetModuleFileNameW(0, Filename, 0x104u)`.
2. **Parses the path** to isolate the filename (e.g., `chrome.exe`) by scanning for path separators (`\` or `/`).
3. **Compares the filename** against a hardcoded array of three wide-character process names (the first visible entry is `chrome.exe` via the symbol `aChromeExe`).
4. **If a match is found**, it copies **832 bytes** (52 × 16-byte `__int128` chunks, equivalent to 416 wide characters) from a corresponding hardcoded data block at `unk_180039010` into the caller-supplied buffer `a1`.
5. Returns **`1`** if a match was found and the data was copied; otherwise returns **`0`**.
In essence, it is a selector that returns a process-specific payload or configuration block based on the current executable’s name.
---
### 2. Well-known Algorithms
**None identified.**
The routine uses standard programmatic patterns (wide-character string comparison and memory copy), but no cryptographic, hashing, or compression algorithms are present. The string comparison helper (`sub_180017020`) is likely a `wcsicmp`-style routine, and the data movement is a compiler-optimized `memcpy` using SSE/AVX-friendly `__int128` chunks.
---
### 3. Indicators of Compromise (IOCs)
| Type | IOC | Notes |
|------|-----|-------|
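| **Process Names** | `chrome.exe` | Referenced via `aChromeExe` (the string content is inferred from the decompiler's symbol name); two additional names reside in the same 3-entry array but are not visible in the snippet. `chrome.exe` is also the image name of a legitimate browser, so the string alone is not a detection indicator. |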
| **Hardcoded Data** | `unk_180039010` | Array of three 832-byte configuration/payload blocks associated with each process name. |
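| **Global Obfuscation Keys** | `byte_180039000` – `byte_180039004`, `byte_18003A4A8` | Globals used as opaque predicate keys. These `byte_`/`unk_` names are decompiler labels derived from addresses in this image, so they locate data in this sample rather than serve as portable indicators. |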
| **APIs** | `GetModuleFileNameW` | Used to dynamically discover the current executable’s path. |
**No IP addresses, domains, registry keys, or explicit file system paths** (other than the dynamically retrieved module path) are visible in this snippet.
---
### 4. MITRE ATT&CK Mapping
| Technique ID | Technique Name | Justification |
|--------------|----------------|---------------|
| **T1082** | System Information Discovery | Direct call to `GetModuleFileNameW` to discover the current process image path and name. |
| **T1036.005** | Masquerading: Match Legitimate Name or Location | The binary checks its own filename against legitimate browser names (`chrome.exe`). This indicates it either masquerades as a browser or selects behavior specifically when running under/injected into one. |
| **T1027** | Obfuscated Files or Information | Heavy use of opaque predicates, constant unfolding via dummy functions, and junk arithmetic with global bytes to hide the simple lookup logic. |
| **T1055** | Process Injection *(inferred/preparatory)* | The selection of browser-specific configuration blocks (832 bytes each) strongly implies the malware prepares to inject into or manipulate these browser processes. The code does not show the injection itself, but the targeting is preparatory. |
---
### 5. Obfuscation & Evasion Techniques
- **Constant Unfolding / Junk Functions**
Simple constants (`0`, `2`, `3`, `6`, `7`, `9`) are concealed behind calls to six trivial stub functions (`sub_180010DD0`–`sub_180010E20`). The stubs are defined without parameters, so the arguments passed at the call sites are ignored and each call returns a fixed value, forcing the analyst to trace trivial calls to resolve values.
- **Opaque Predicates**
The code is saturated with arithmetic dead ends such as:
```c
(v2 + v5 + byte_180039004) / byte_180039003 == byte_180039000
```
Because `v2`, `v5`, and the globals are effectively constants, these branches always resolve the same way, but they create false control-flow complexity.
- **MBA-style (Mixed Boolean-Arithmetic) Junk Code**
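Extensive use of `double`-precision expressions (e.g., `v204`, `v205`, `v201`) that multiply boolean results (`GetModuleFileNameW(...) == 0`, path-separator checks) by constant global-derived values. These evaluate to `0` or a fixed constant, making large code regions mathematically inert; the boolean factor is the only data-dependent term, and it is how each real check reaches its branch condition. No bitwise operators appear in these expressions, so "MBA-style" is used loosely here.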
- **Data Structure Obfuscation**
Target strings and their associated payloads are stored in flat global arrays (`aChromeExe`, `unk_180039010`) rather than as immediate string literals, and they are accessed via scaled indexing (`416 * v133`, `v134 += 52`) to hinder quick static identification.
---
### 6. Observed Facts vs. Inferred Behavior
#### Observed Facts (directly from the code)
- The function calls `GetModuleFileNameW` with a buffer of `0x104` (260) wide characters.
- It walks the returned path looking for `\` (0x5C) or `/` (0x2F) to isolate the filename suffix.
- It compares that suffix against a three-element array of wide strings pointed to by `aChromeExe` using a helper (`sub_180017020`) that returns `0` on equality.
- On match, it performs an 832-byte (`52 × sizeof(__int128)`) copy from `unk_180039010` to the output pointer `a1`.
- It returns `1` on match and `0` otherwise.
- Six helper functions (`sub_180010DD0`–`sub_180010E20`) return hardcoded constants (`0`, `2`, `3`, `6`, `7`, `9`) regardless of arguments.
- Globals `byte_180039000`–`byte_180039004` and `byte_18003A4A8` participate in arithmetic that drives conditional branches.
#### Inferred Behavior (analyst reasoning)
- The two unseen entries in the `aChromeExe` array are **likely other browser executables** (e.g., `firefox.exe`, `msedge.exe`, or `iexplore.exe`), given the 832-byte pairing with `chrome.exe`.
- The 832-byte blocks at `unk_180039010` likely contain **process-specific commands, DLL paths, or injection parameters** tailored to each targeted browser.
- The overall purpose of this function is to act as a **multi-process payload selector**, suggesting the malware is designed to fingerprint its execution context (by filename) and branch to browser-specific functionality—most likely **credential theft, web injection, or process injection**.