Code snippet · op05/code_clean1.txt
/*
 * sub_180001030 -- decompiler output; all names are auto-generated.
 *
 * What the visible statements do:
 *   - call GetModuleFileNameW(0, Filename, 0x104) into a local WCHAR buffer;
 *   - walk Filename and, after each backslash (92) or '/' (47), point v206 at
 *     the following character;
 *   - pass v206 together with entries spaced 416 wchar_t (832 bytes) apart,
 *     starting at aChromeExe, to sub_180017020, three entries per pass;
 *   - when the surrounding conditions hold, copy 52 __int128 values (832 bytes)
 *     from the matching entry of the table at unk_180039010 into a1 and set the
 *     low byte of the result to 1 (LABEL_63); LABEL_70 sets it to 0.
 *
 * a1: destination of the 832-byte copy. No size is passed in, so the caller has
 *     to supply at least that much space.
 * a2: only forwarded to the first sub_180010E10 call.
 *
 * NOTE(review): most branch conditions mix byte_180039000..byte_180039004,
 * byte_18003A4A8 and the helper functions defined below, which return fixed
 * values. They look like opaque predicates, but the global byte values are not
 * part of this listing, so which branches are live cannot be confirmed here.
 * NOTE(review): v7, v9, v200, v117, v118 and v207 are read before any visible
 * assignment -- presumably a decompiler artifact (register values set inside
 * the helpers); confirm against the disassembly.
 */
char __fastcall sub_180001030(__int128 *a1, __int64 a2)
{
int v2; // edi
int v3; // esi
int v4; // ebp
int v5; // ebx
__int64 v6; // rcx
unsigned int v7; // r8d
__int64 v8; // rdx
int v9; // r9d
__int64 v10; // r8
__int64 v11; // rcx
char v12; // al
__int64 v13; // rcx
char v14; // al
int v15; // edx
char v16; // al
int v17; // edx
__int64 v18; // r9
__int64 v19; // rdx
__int64 v20; // rcx
char v21; // al
__int64 v22; // rcx
char v23; // al
int v24; // edx
char v25; // al
int v26; // edx
char v27; // al
char v28; // al
__int64 v29; // rcx
char v30; // al
int v31; // edx
__int64 v32; // r9
char v33; // al
int v34; // r8d
int v35; // r8d
int v36; // eax
int v37; // r15d
char v38; // al
__int64 v39; // rcx
char v40; // al
int v41; // edx
__int64 v42; // r8
__int64 v43; // r9
__int64 v44; // rcx
__int64 v45; // rdx
int v46; // r14d
int v47; // ebp
__int64 v48; // rdx
__int64 v49; // rcx
char v50; // al
int v51; // ebp
__int64 v52; // rdx
__int64 v53; // r8
__int64 v54; // r9
__int64 v55; // rcx
int v56; // ebp
__int64 v57; // rdx
int v58; // ebx
__int64 v59; // rdx
__int64 v60; // rcx
char v61; // al
int v62; // ebx
__int64 v63; // rdx
__int64 v64; // r8
__int64 v65; // r9
int v66; // r12d
int v67; // edi
int v68; // esi
__int64 v69; // rcx
char v70; // al
__int64 v71; // rcx
char v72; // al
int v73; // edx
char v74; // al
int v75; // edx
__int64 v76; // rdx
__int64 v77; // rcx
WCHAR *v78; // r9
int v79; // r10d
__int64 v80; // r11
int v81; // edx
__int64 v82; // rcx
char v83; // al
__int64 v84; // rcx
char v85; // al
int v86; // edx
char v87; // al
int v88; // edx
char v89; // al
__int64 v90; // rcx
char v91; // al
int v92; // edx
__int64 v93; // r8
__int64 v94; // r9
__int64 v95; // rcx
__int64 v96; // rdx
int v97; // r13d
__int64 v98; // rdx
__int64 v99; // rcx
char v100; // al
int v101; // r13d
__int64 v102; // rdx
__int64 v103; // r8
__int64 v104; // r9
__int64 v105; // rcx
int v106; // r13d
__int64 v107; // rdx
int v108; // ebx
__int64 v109; // rdx
__int64 v110; // rcx
char v111; // al
int v112; // ebx
__int64 v113; // rdx
__int64 v114; // r8
__int64 v115; // r9
char v116; // al
int v117; // r8d
int v118; // r9d
int v119; // r15d
wchar_t *v120; // r10
int v121; // r12d
int v122; // r14d
__int64 v123; // rcx
char v124; // al
__int64 v125; // rcx
char v126; // al
int v127; // edx
char v128; // al
int v129; // edx
__int64 v130; // rdx
__int64 v131; // rcx
int v132; // eax
int v133; // edi
__int128 *v134; // rsi
int v135; // ebp
__int64 v136; // rcx
char v137; // al
__int64 v138; // rcx
char v139; // al
int v140; // edx
char v141; // al
int v142; // edx
__int128 *v143; // rax
__int128 *v144; // rcx
__int64 v145; // rdx
__int128 v146; // xmm0
__int128 v147; // xmm1
int v148; // ecx
__int64 v149; // rcx
char v150; // al
__int64 v151; // rcx
char v152; // al
int v153; // edx
char v154; // al
int v155; // edx
int v156; // eax
char v157; // al
__int64 v158; // rcx
char v159; // al
int v160; // edx
__int64 v161; // r9
char v162; // al
int v163; // r8d
int v164; // r8d
__int64 v165; // rcx
char v166; // al
__int64 v167; // rcx
char v168; // al
int v169; // edx
__int64 v170; // r8
__int64 v171; // r9
char v172; // al
int v173; // edx
unsigned int v174; // eax
__int64 v175; // rdx
__int64 v176; // rcx
char v177; // al
__int64 v178; // rcx
char v179; // al
int v180; // edx
char v181; // al
int v182; // edx
char v183; // al
__int64 v184; // rcx
char v185; // al
int v186; // edx
__int64 v187; // r9
char v188; // al
int v189; // r8d
int v190; // r8d
__int64 v191; // rcx
char v192; // al
__int64 v193; // rcx
char v194; // al
int v195; // edx
__int64 v196; // r9
char v197; // al
int v198; // r8d
int v200; // [rsp+20h] [rbp-278h]
double v201; // [rsp+20h] [rbp-278h]
double v202; // [rsp+20h] [rbp-278h]
int v203; // [rsp+20h] [rbp-278h]
double v204; // [rsp+28h] [rbp-270h]
double v205; // [rsp+28h] [rbp-270h]
WCHAR *v206; // [rsp+28h] [rbp-270h]
int v207; // [rsp+30h] [rbp-268h]
int v208; // [rsp+34h] [rbp-264h]
double v209; // [rsp+38h] [rbp-260h]
double v210; // [rsp+38h] [rbp-260h]
double v211; // [rsp+38h] [rbp-260h]
double v213; // [rsp+40h] [rbp-258h]
WCHAR Filename[264]; // [rsp+50h] [rbp-248h] BYREF
// v2, v3, v4 come from helpers that return fixed values (see their definitions
// below); v5 is their product and feeds the branch arithmetic that follows.
v2 = (char)sub_180010E10(a1, a2, (unsigned int)byte_180039003, (unsigned int)byte_180039000);
v3 = (char)((__int64 (*)(void))sub_180010DE0)();
v4 = (char)((__int64 (*)(void))sub_180010DD0)();
v5 = v3 * v4;
v6 = (unsigned int)(v5 + v2 + 8 * v5);
v8 = ((int)v6 + byte_180039004) % v7;
if ( ((int)v6 + byte_180039004) / v7 != v9 )
{
// With a 0 module handle GetModuleFileNameW returns the path of the current
// process's executable. The "== 0" result (call failed) is multiplied into
// v204, which the branches below use to reach LABEL_70.
v204 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(GetModuleFileNameW(0, Filename, 0x104u) == 0);
v11 = (unsigned int)byte_180039000;
if ( (v2 + v5 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v11
|| (v12 = sub_180010DF0(v11, (v2 + v5 + byte_180039004) % (unsigned int)byte_180039003),
v14 = sub_180010E20(v13, (unsigned int)(6 * byte_18003A4A8 * v12)),
v16 = sub_180010E00((unsigned int)v14, (unsigned int)(v15 - v14)),
!(v16 + v17 + byte_180039001)) )
{
v18 = (byte_180039004 + v5 + v2 + 2 * v5) / (unsigned int)byte_180039003 == byte_180039000
? (unsigned int)v200
: (unsigned int)(int)((double)(int)((byte_180039004 + v2 + 7 * v5) / (unsigned int)byte_180039003
- byte_180039000)
* v204);
}
else
{
v18 = 1;
}
v8 = (v2 + byte_180039004 + 4 * v5) % (unsigned int)byte_180039003;
v6 = (unsigned int)byte_180039000;
if ( (_DWORD)v18 * ((v2 + byte_180039004 + 4 * v5) / (unsigned int)byte_180039003 - (_DWORD)v6) )
{
v205 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(int)((byte_180039004 + v5 + v2 + 4 * v5) / (unsigned int)byte_180039003 - byte_180039000);
v19 = (v5 + v2 + byte_180039004) % (unsigned int)byte_180039003;
v20 = (unsigned int)byte_180039000;
if ( (v5 + v2 + byte_180039004) / (unsigned int)byte_180039003 != (_DWORD)v20 )
{
v21 = sub_180010DF0(v20, v19);
v23 = sub_180010E20(v22, (unsigned int)(6 * byte_18003A4A8 * v21));
v25 = sub_180010E00((unsigned int)v23, (unsigned int)(v24 - v23));
v19 = (unsigned int)(v25 + v26);
v20 = (unsigned int)(v19 + byte_180039001);
if ( (_DWORD)v19 + byte_180039001 )
goto LABEL_70;
}
v27 = sub_180010E10(v20, v19, v10, v18);
v8 = (3 * v4 * v3 + v27 + byte_180039004) % (unsigned int)byte_180039003;
v6 = (unsigned int)byte_180039000;
if ( (3 * v4 * v3 + v27 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v6 )
{
v36 = v200;
}
else
{
v28 = sub_180010DE0(v6, v8);
v30 = sub_180010DD0(v29, (unsigned int)v28);
v33 = sub_180010E10((unsigned int)v30, (unsigned int)(v30 * v31), (unsigned int)(7 * v30 * v31), v32);
HIDWORD(v8) = 0;
v35 = v33 + v34;
LODWORD(v8) = (v35 + byte_180039004) % (unsigned int)byte_180039003;
v6 = (unsigned int)byte_180039000;
v36 = (int)((double)(int)((v35 + byte_180039004) / (unsigned int)byte_180039003 - v6) * v205);
}
if ( v36 > 0 )
goto LABEL_70;
}
}
v37 = 0;
// v206 starts at the beginning of the path and is moved past each separator by
// the scan loop below.
v206 = Filename;
v38 = sub_180010DD0(v6, v8);
v40 = sub_180010DE0(v39, (unsigned int)v38);
v44 = (unsigned int)(char)sub_180010E10((unsigned int)v40, (unsigned int)(3 * v40 * v41), v42, v43);
v46 = v44 + 2 * v45;
v47 = (char)sub_180010DD0(v44, v45);
v50 = sub_180010DE0(v49, v48);
v51 = v50 * v47;
v55 = (unsigned int)(char)sub_180010E10((unsigned int)v50, v52, v53, v54);
v56 = v55 + v51;
v58 = (char)sub_180010DD0(v55, v57);
v61 = sub_180010DE0(v60, v59);
v62 = v61 * v58;
v66 = v200;
v67 = v200;
v68 = (char)sub_180010E10((unsigned int)v61, v63, v64, v65);
// Outer loop: v66 is recomputed from the byte globals each pass and bounds v37.
while ( 1 )
{
v201 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(int)((v46 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000);
v69 = (unsigned int)byte_180039003;
if ( (v56 + byte_180039004) / (unsigned int)v69 == byte_180039000
|| (v70 = sub_180010DF0(v69, (v56 + byte_180039004) % (unsigned int)v69),
v72 = sub_180010E20(v71, (unsigned int)(6 * byte_18003A4A8 * v70)),
v74 = sub_180010E00((unsigned int)v72, (unsigned int)(v73 - v72)),
v76 = (unsigned int)(v74 + v75),
v77 = (unsigned int)(v76 + byte_180039001),
!((_DWORD)v76 + byte_180039001)) )
{
v76 = (byte_180039004 + v62 + v68 + 2 * v62) % (unsigned int)byte_180039003;
v77 = (unsigned int)byte_180039000;
if ( (byte_180039004 + v62 + v68 + 2 * v62) / (unsigned int)byte_180039003 != (_DWORD)v77 )
{
v76 = (byte_180039004 + v68 + 7 * v62) % (unsigned int)byte_180039003;
v77 = (unsigned int)byte_180039000;
v66 = (int)((double)(int)((byte_180039004 + v68 + 7 * v62) / (unsigned int)byte_180039003 - v77) * v201);
}
}
else
{
v66 = 1;
}
if ( v37 >= v66 )
break;
if ( Filename[0] )
{
// Scan the path one WCHAR at a time: v80 is the current index, v79 stays one
// ahead of it, v78 points at Filename[v80].
v78 = Filename;
v79 = 1;
v80 = 0;
do
{
if ( (v56 + byte_180039004) / (unsigned int)byte_180039003 != byte_180039000 )
{
// v81 = 1 when the current character is a backslash (92) or '/' (47), else 0.
if ( *v78 == 92 || (v81 = 0, *v78 == 47) )
v81 = 1;
v202 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001)) * (double)v81;
v82 = (unsigned int)byte_180039000;
if ( (v56 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v82
|| (v83 = sub_180010DF0(v82, (v56 + byte_180039004) % (unsigned int)byte_180039003),
v85 = sub_180010E20(v84, (unsigned int)(6 * byte_18003A4A8 * v83)),
v87 = sub_180010E00((unsigned int)v85, (unsigned int)(v86 - v85)),
!(v87 + v88 + byte_180039001)) )
{
if ( (byte_180039004 + v62 + v68 + 2 * v62) / (unsigned int)byte_180039003 != byte_180039000 )
v67 = (int)((double)(int)((byte_180039004 + v68 + 7 * v62) / (unsigned int)byte_180039003 - byte_180039000)
* v202);
}
else
{
v67 = 1;
}
// Filename[v79] is the character right after the one just examined, so v206
// ends up after the last separator seen.
if ( v67 * ((v46 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000) )
v206 = &Filename[v79];
}
v78 = &Filename[++v80];
++v79;
}
while ( Filename[v80] );
}
++v37;
}
v208 = 0;
v89 = sub_180010DD0(v77, v76);
v91 = sub_180010DE0(v90, (unsigned int)v89);
v95 = (unsigned int)(char)sub_180010E10((unsigned int)v91, (unsigned int)(v91 * v92), v93, v94);
v203 = v95 + 2 * v96;
v97 = (char)sub_180010DD0(v95, v96);
v100 = sub_180010DE0(v99, v98);
v101 = v100 * v97;
v105 = (unsigned int)(char)sub_180010E10((unsigned int)v100, v102, v103, v104);
v106 = v105 + v101;
v108 = (char)sub_180010DD0(v105, v107);
v111 = sub_180010DE0(v110, v109);
v112 = v111 * v108;
v116 = sub_180010E10((unsigned int)v111, v113, v114, v115);
v119 = v203;
// v120 is the base of the candidate-name entries that are compared with v206.
v120 = aChromeExe;
v121 = v203;
v122 = v116;
LABEL_38:
v209 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(int)((v117 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000);
v123 = (unsigned int)byte_180039000;
if ( (v106 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v123
|| (v124 = sub_180010DF0(v123, (v106 + byte_180039004) % (unsigned int)byte_180039003),
v126 = sub_180010E20(v125, (unsigned int)(6 * byte_18003A4A8 * v124)),
v128 = sub_180010E00((unsigned int)v126, (unsigned int)(v127 - v126)),
v130 = (unsigned int)(v128 + v129),
v131 = (unsigned int)(v130 + byte_180039001),
!((_DWORD)v130 + byte_180039001)) )
{
v130 = (byte_180039004 + v112 + v122 + 2 * v112) % (unsigned int)byte_180039003;
v131 = (unsigned int)byte_180039000;
if ( (byte_180039004 + v112 + v122 + 2 * v112) / (unsigned int)byte_180039003 == (_DWORD)v131 )
{
v132 = v207;
}
else
{
v130 = (byte_180039004 + v122 + 7 * v112) % (unsigned int)byte_180039003;
v131 = (unsigned int)byte_180039000;
v132 = (int)((double)(int)((byte_180039004 + v122 + 7 * v112) / (unsigned int)byte_180039003 - v131) * v209);
v207 = v132;
}
}
else
{
v132 = 1;
v207 = 1;
}
if ( v118 < v132 )
{
// v133 indexes the candidate entry (0..2); v134 is the matching source record
// for the copy and advances 52 __int128 (832 bytes) per candidate.
v133 = 0;
v134 = (__int128 *)&unk_180039010;
v135 = v122 + 7 * v112;
while ( 1 )
{
if ( (v135 + byte_180039004) / (unsigned int)byte_180039003 != byte_180039000 )
{
// Candidate v133 lives 416 wchar_t (832 bytes) after the previous one. A zero
// result from sub_180017020 is treated as a hit.
// NOTE(review): sub_180017020 is not shown; presumably a wide-string compare,
// case handling unknown -- confirm.
v210 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)((unsigned int)sub_180017020(&v120[416 * v133], v206) == 0);
v136 = (unsigned int)byte_180039000;
if ( (v106 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v136
|| (v137 = sub_180010DF0(v136, (v106 + byte_180039004) % (unsigned int)byte_180039003),
v139 = sub_180010E20(v138, (unsigned int)(6 * byte_18003A4A8 * v137)),
v141 = sub_180010E00((unsigned int)v139, (unsigned int)(v140 - v139)),
!(v141 + v142 + byte_180039001)) )
{
if ( (byte_180039004 + v112 + v122 + 2 * v112) / (unsigned int)byte_180039003 != byte_180039000 )
v119 = (int)((double)(int)((v135 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000) * v210);
}
else
{
v119 = 1;
}
if ( v119 * ((v122 + byte_180039004 + 8 * v112) / (unsigned int)byte_180039003 - byte_180039000) )
{
// Unrolled copy of one record from v134 to a1: 6 passes of 8 __int128 (768
// bytes) followed by 4 more __int128 (64 bytes), 832 bytes in total. Nothing
// here checks how large the buffer behind a1 is.
v143 = a1;
v144 = v134;
v145 = 6;
do
{
v143 += 8;
v146 = *v144;
v144 += 8;
*(v143 - 8) = v146;
*(v143 - 7) = *(v144 - 7);
*(v143 - 6) = *(v144 - 6);
*(v143 - 5) = *(v144 - 5);
*(v143 - 4) = *(v144 - 4);
*(v143 - 3) = *(v144 - 3);
*(v143 - 2) = *(v144 - 2);
*(v143 - 1) = *(v144 - 1);
--v145;
}
while ( v145 );
*v143 = *v144;
v143[1] = v144[1];
v143[2] = v144[2];
v147 = v144[3];
v148 = byte_180039004;
v143[3] = v147;
v211 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(int)((v148 + v112 + v122 + 8 * v112) / (unsigned int)byte_180039003 - byte_180039000);
v149 = (unsigned int)byte_180039000;
if ( (v106 + byte_180039004) / (unsigned int)byte_180039003 != (_DWORD)v149 )
{
v150 = sub_180010DF0(v149, (v106 + byte_180039004) % (unsigned int)byte_180039003);
v152 = sub_180010E20(v151, (unsigned int)(6 * byte_18003A4A8 * v150));
v154 = sub_180010E00((unsigned int)v152, (unsigned int)(v153 - v152));
if ( v154 + v155 + byte_180039001 )
goto LABEL_63;
}
if ( (byte_180039004 + v112 + v122 + 2 * v112) / (unsigned int)byte_180039003 != byte_180039000 )
v121 = (int)((double)(int)((v135 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000) * v211);
if ( v121 > 0 )
{
// Only exit that sets the low byte of the result to 1; it is reached after
// the record copy above.
LABEL_63:
LOBYTE(v156) = 1;
return v156;
}
}
v120 = aChromeExe;
}
++v133;
v134 += 52;
// After three candidates, bump the pass counter and re-evaluate the bound at
// LABEL_38.
if ( v133 >= 3 )
{
v117 = v203;
v118 = ++v208;
goto LABEL_38;
}
}
}
v157 = sub_180010DE0(v131, v130);
v159 = sub_180010DD0(v158, (unsigned int)v157);
v162 = sub_180010E10((unsigned int)v159, (unsigned int)(v159 * v160), (unsigned int)(5 * v159 * v160), v161);
v164 = v162 + v163;
v165 = (unsigned int)byte_180039000;
v213 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(int)((v164 + byte_180039004) / (unsigned int)byte_180039003 - v165);
v166 = sub_180010DE0(v165, (v164 + byte_180039004) % (unsigned int)byte_180039003);
v168 = sub_180010DD0(v167, (unsigned int)v166);
v172 = sub_180010E10((unsigned int)v168, (unsigned int)(v168 * v169), v170, v171);
v174 = v172 + v173 + byte_180039004;
v175 = v174 % byte_180039003;
v176 = (unsigned int)byte_180039000;
if ( v174 / byte_180039003 != (_DWORD)v176 )
{
v177 = sub_180010DF0(v176, v175);
v179 = sub_180010E20(v178, (unsigned int)(6 * byte_18003A4A8 * v177));
v181 = sub_180010E00((unsigned int)v179, (unsigned int)(v180 - v179));
v175 = (unsigned int)(v181 + v182);
v176 = (unsigned int)(v175 + byte_180039001);
if ( (_DWORD)v175 + byte_180039001 )
goto LABEL_70;
}
v183 = sub_180010DE0(v176, v175);
v185 = sub_180010DD0(v184, (unsigned int)v183);
v188 = sub_180010E10((unsigned int)v185, (unsigned int)(v185 * v186), (unsigned int)(3 * v185 * v186), v187);
v190 = v188 + v189;
v191 = (unsigned int)byte_180039000;
if ( (v190 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v191 )
{
v156 = v203;
}
else
{
v192 = sub_180010DE0(v191, (v190 + byte_180039004) % (unsigned int)byte_180039003);
v194 = sub_180010DD0(v193, (unsigned int)v192);
v197 = sub_180010E10((unsigned int)v194, (unsigned int)(v194 * v195), (unsigned int)(7 * v194 * v195), v196);
v156 = (int)((double)(int)((v197 + v198 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000) * v213);
}
// LABEL_70 clears the low byte of the result; the goto LABEL_70 jumps above
// land here as well.
if ( v156 > 0 )
LABEL_70:
LOBYTE(v156) = 0;
return v156;
}
/* Constant-return helper: always yields 9. The parameter list is left empty
   because call sites in this listing pass arguments that are never read. */
char sub_180010E20()
{
    const char fixed_value = 9;

    return fixed_value;
}
/* Constant-return helper: always yields 7. The parameter list is left empty
   because call sites in this listing pass arguments that are never read. */
char sub_180010E10()
{
    const char fixed_value = 7;

    return fixed_value;
}
/* Constant-return helper: always yields 6. The parameter list is left empty
   because call sites in this listing pass arguments that are never read. */
char sub_180010E00()
{
    const char fixed_value = 6;

    return fixed_value;
}
/* Constant-return helper: always yields 3. The parameter list is left empty
   because call sites in this listing pass arguments that are never read. */
char sub_180010DF0()
{
    const char fixed_value = 3;

    return fixed_value;
}
/* Constant-return helper: always yields 2. The parameter list is left empty
   because call sites in this listing pass arguments that are never read. */
char sub_180010DE0()
{
    const char fixed_value = 2;

    return fixed_value;
}
/* Constant-return helper: always yields 0, so every product it feeds in this
   listing is 0. The parameter list is left empty because call sites pass
   arguments that are never read. */
char sub_180010DD0()
{
    const char fixed_value = 0;

    return fixed_value;
}
Evaluated model output (what the LLM said about the code) · op05/result_OpenAI1.txt
## 1. Functionality
### Observed facts from the code
This function appears to be an environment/name check routine with an output copy on success.
Key observed operations:
1. **Retrieves the current module path**
```c
GetModuleFileNameW(0, Filename, 0x104u)
```
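Because the first argument is `0` (a NULL module handle), this retrieves the full path of the current process's executable, not of the module that contains this code, into a local wide-character buffer: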
```c
WCHAR Filename[264];
```
2. **Extracts the executable basename**
The code iterates through `Filename` and updates `v206` whenever it sees either:
```c
'\\' // 0x5c
'/' // 0x2f
```
This results in `v206` pointing to the filename portion after the last path separator.
Conceptually:
```c
wchar_t *basename = Filename;
for each character in Filename:
if char == '\\' || char == '/':
basename = char + 1;
```
3. **Compares the basename against entries in `aChromeExe`**
The code loops over 3 entries:
```c
v133 = 0;
while (v133 < 3)
{
sub_180017020(&v120[416 * v133], v206)
}
```
`v120` is initialized as:
```c
v120 = aChromeExe;
```
The function `sub_180017020()` is used like a string comparison routine because the code checks:
```c
sub_180017020(...) == 0
```
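which is consistent with `wcscmp()` / `lstrcmpW()`-style semantics. The body of `sub_180017020()` is not part of the snippet, so whether the comparison is case-sensitive cannot be confirmed from this code.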
4. **Copies a matching record to the output buffer**
If the comparison succeeds, it copies data from:
```c
unk_180039010
```
into the output buffer `a1`.
The copy is done in `__int128` chunks. The copied size is:
- `6` iterations × `8` chunks × `16` bytes = `768` bytes
- plus `4` more `__int128` chunks = `64` bytes
Total:
```text
832 bytes
```
Each record appears to be `832` bytes, matching the string-entry stride:
```c
416 wchar_t entries = 832 bytes
```
5. **Returns success or failure**
On a match and successful copy path:
```c
return 1;
```
Otherwise:
```c
return 0;
```
### Simplified inferred pseudocode
```c
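/*
 * Simplified reconstruction of sub_180001030 with the opaque predicates and
 * junk arithmetic removed.
 *
 * out_buf: receives one 832-byte record on a match. The original takes no
 *          length argument, so the caller has to provide at least 832 bytes.
 * Returns true when the executable basename matched one of the three
 * candidate names and the record was copied, false otherwise.
 *
 * NOTE(review): sub_180017020 is not shown in the snippet; it is treated here
 * as a wide-string compare that returns 0 on equality. Case handling unknown.
 */
bool sub_180001030(void *out_buf, int64_t unused_or_obfuscated_arg)
{
    WCHAR path[264];

    /* A NULL module handle selects the executable of the current process. */
    if (!GetModuleFileNameW(NULL, path, 0x104))
        return false;

    /* Basename = everything after the last '\\' or '/'. */
    WCHAR *basename = path;
    for (WCHAR *p = path; *p; p++)
    {
        if (*p == L'\\' || *p == L'/')
            basename = p + 1;
    }

    for (int i = 0; i < 3; i++)
    {
        /* Names are 416 wchar_t (832 bytes) apart. */
        WCHAR *candidate_name = &aChromeExe[416 * i];
        if (sub_180017020(candidate_name, basename) == 0)
        {
            /*
             * Records are 52 __int128 (832 bytes) apart. The offset is written
             * in bytes so it does not depend on the element type assumed for
             * unk_180039010.
             */
            memcpy(out_buf, (const char *)&unk_180039010 + 832 * i, 832);
            return true;
        }
    }
    return false;
}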
```
### Inferred behavior
The function likely checks whether the current executable name matches one of three expected names, one of which appears to be:
```text
chrome.exe
```
If the filename matches, it copies a corresponding 832-byte configuration/data structure into the caller-provided output buffer.
This looks like an execution guardrail or configuration selector based on the process/module filename.
---
## 2. Well-known algorithms
### Observed
No clear cryptographic, compression, hashing, or encoding algorithm is visible in this snippet.
The code uses:
- Windows API call:
```c
GetModuleFileNameW
```
- Likely wide-string comparison:
```c
sub_180017020(...)
```
- Manual basename extraction from a path.
- Manual memory copy using 128-bit chunks.
### Inferred
The many arithmetic expressions involving division, modulo, and constant-return helper functions appear to be **opaque predicate / control-flow obfuscation**, not a meaningful algorithm.
Helper functions:
```c
char sub_180010E20() { return 9; }
char sub_180010E10() { return 7; }
char sub_180010E00() { return 6; }
char sub_180010DF0() { return 3; }
char sub_180010DE0() { return 2; }
char sub_180010DD0() { return 0; }
```
These functions return fixed constants regardless of input, suggesting they are deliberately inserted to complicate static analysis.
---
## 3. Indicators of Compromise
### File paths / filenames
| IOC | Type | Evidence |
|---|---:|---|
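| `chrome.exe` | Filename | Global symbol/string name `aChromeExe`; code compares current module basename against entries starting at `aChromeExe`. The string bytes themselves and the other two table entries are not shown in the snippet, and because this is a legitimate browser filename it is only meaningful alongside other evidence. |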
### IP addresses / domains
None observed in this snippet.
### Registry keys
None observed in this snippet.
### Commands or scripts
None observed in this snippet.
### Other notable artifacts
| Artifact | Type | Evidence |
|---|---:|---|
| `GetModuleFileNameW` | Windows API | Used to retrieve current executable/module path. |
| `unk_180039010` | Static data/config table | Copied into output buffer on successful filename match. |
| `aChromeExe` | Wide-string table | Used as string table with 3 entries, each likely 832 bytes apart. |
| `sub_180017020` | Likely string compare routine | Called with candidate filename and current basename; result checked against `0`. |
---
## 4. MITRE ATT&CK mapping
| Technique ID | Technique name | Observed or inferred | Justification |
|---|---|---:|---|
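| T1082 | System Information Discovery | Observed | The code calls `GetModuleFileNameW(NULL, Filename, 0x104)` to retrieve the current executable/module path. This is local environment/process information discovery. Because the call only returns the calling process's own image path, the fit with T1082 is loose; its main role here is as input to the guardrail check mapped to T1480. |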
| T1480 | Execution Guardrails | Inferred | The function appears to gate behavior on the current executable filename. It extracts the basename and compares it against a small allowlist such as `chrome.exe`. If no match occurs, it returns failure. |
| T1480.001 | Environmental Keying | Inferred | The module filename acts as an environmental key. The function only copies the associated data/configuration if the filename matches an expected value. |
| T1036.005 | Masquerading: Match Legitimate Name or Location | Inferred | The presence of `chrome.exe` as an expected executable name suggests the malware may expect to run under or be renamed to a legitimate browser filename. The code itself does not rename the file, so this is an inference rather than directly observed behavior. |
| T1027 | Obfuscated Files or Information | Observed | The function contains extensive opaque predicates, redundant arithmetic, fixed-return helper functions, misleading control flow, and dead/junk-looking branches. These complicate static analysis without contributing obvious functionality. |
---
## 5. Obfuscation and evasion techniques
### Observed obfuscation
1. **Opaque predicates**
The code repeatedly performs arithmetic like:
```c
(x + byte_180039004) / byte_180039003 == byte_180039000
(x + byte_180039004) % byte_180039003
```
These checks appear to control branches but likely reduce to constants depending on global byte values.
2. **Constant-return helper functions**
Several helper functions ignore their parameters and always return constants:
```c
sub_180010DD0() -> 0
sub_180010DE0() -> 2
sub_180010DF0() -> 3
sub_180010E00() -> 6
sub_180010E10() -> 7
sub_180010E20() -> 9
```
Their presence creates false data dependencies and noisy decompiler output.
3. **Junk arithmetic**
Expressions such as:
```c
v3 * v4
8 * v5
7 * v112
6 * byte_18003A4A8 * v124
```
are used heavily, but much of this appears irrelevant to the core logic.
4. **Floating-point boolean masking**
The code frequently computes values like:
```c
((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)condition
```
This is an unusual way to propagate boolean state and is likely intended to complicate analysis.
5. **Unrolled memory copy**
Instead of using `memcpy`, the code manually copies `__int128` chunks. This can obscure the simple fact that an 832-byte record is being copied.
6. **Control-flow noise**
The function contains multiple labels, nested branches, and redundant loops around simple logic. The likely core behavior is much simpler than the decompiled output suggests.
### Inferred evasion purpose
The obfuscation likely exists to:
- Hide the filename-based execution condition.
- Prevent easy recognition of the configuration/data copy.
- Complicate decompilation and static control-flow recovery.
- Make automated analysis tools overestimate the complexity of the routine.
---
## 6. Summary
### Observed facts
- Calls `GetModuleFileNameW` to retrieve the current executable path.
- Parses the path to locate the basename after the last `\` or `/`.
- Compares the basename against three wide-string entries starting at `aChromeExe`.
- One visible/strongly implied filename indicator is `chrome.exe`.
- If a match occurs, copies an 832-byte record from `unk_180039010` into the caller-provided buffer.
- Returns `1` on match/copy and `0` otherwise.
- Contains extensive opaque predicate and junk-code style obfuscation.
### Inferred behavior
- The routine is likely an execution guardrail or configuration selector.
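- It may only activate when the host process executable is named like a legitimate browser, especially `chrome.exe`; this covers both a renamed malware binary and this module running inside a process with that name.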
- The copied 832-byte block is likely configuration, embedded payload metadata, or per-target data associated with the matched executable name.