Code snippet · op05/code_clean1.txt
// Decompiler (IDA-style) output: register-annotated locals, __fastcall, IDA macros
// (HIDWORD/LODWORD/LOBYTE) and six helpers sub_180010DD0..sub_180010E20 that return
// fixed constants (0, 2, 3, 6, 7, 9 — their stubs follow this function). Almost all
// of the arithmetic below feeds comparisons whose outcome depends only on those
// constants and the byte_180039000.. table, i.e. opaque predicates; the lines that
// carry the observable behaviour are marked inline.
//
// What the visible code does:
//   1. GetModuleFileNameW(0, Filename, 0x104) fills Filename with the path of the
//      calling process' own module.
//   2. Filename is scanned for '\\' (92) or '/' (47); v206 ends up pointing just
//      past the last separator found, i.e. at the module's base name.
//   3. v206 is compared (sub_180017020, not shown in this listing) against three
//      entries of a wchar_t table starting at aChromeExe, stride 416 wchar_t
//      (832 bytes).
//   4. On a match, 52 x 16 bytes (832 bytes) are copied from the matching entry of
//      the table at unk_180039010 into *a1 and the function returns 1; every other
//      path ends at LABEL_70 and returns 0.
//
// Parameters:
//   a1 - output buffer. The copy loop writes 52 __int128 (832 bytes) through it and
//        there is no size argument, so the caller must provide at least that much.
//   a2 - only passed to the opaque helper call on entry; no visible effect.
// Returns: char — 1 when a table entry matched (LABEL_63), otherwise 0 (LABEL_70).
//
// Caution for readers: several locals (v7, v9, v10, v13, v200, v207, v117/v118, ...)
// are read before any visible assignment, and v200..v203, v204..v206, v209..v211
// share stack slots. These look like decompiler artefacts of register/stack reuse
// around the constant helpers rather than real data flow — values derived from them
// should not be trusted when reasoning about the predicates.
char __fastcall sub_180001030(__int128 *a1, __int64 a2)
{
int v2; // edi
int v3; // esi
int v4; // ebp
int v5; // ebx
__int64 v6; // rcx
unsigned int v7; // r8d
__int64 v8; // rdx
int v9; // r9d
__int64 v10; // r8
__int64 v11; // rcx
char v12; // al
__int64 v13; // rcx
char v14; // al
int v15; // edx
char v16; // al
int v17; // edx
__int64 v18; // r9
__int64 v19; // rdx
__int64 v20; // rcx
char v21; // al
__int64 v22; // rcx
char v23; // al
int v24; // edx
char v25; // al
int v26; // edx
char v27; // al
char v28; // al
__int64 v29; // rcx
char v30; // al
int v31; // edx
__int64 v32; // r9
char v33; // al
int v34; // r8d
int v35; // r8d
int v36; // eax
int v37; // r15d
char v38; // al
__int64 v39; // rcx
char v40; // al
int v41; // edx
__int64 v42; // r8
__int64 v43; // r9
__int64 v44; // rcx
__int64 v45; // rdx
int v46; // r14d
int v47; // ebp
__int64 v48; // rdx
__int64 v49; // rcx
char v50; // al
int v51; // ebp
__int64 v52; // rdx
__int64 v53; // r8
__int64 v54; // r9
__int64 v55; // rcx
int v56; // ebp
__int64 v57; // rdx
int v58; // ebx
__int64 v59; // rdx
__int64 v60; // rcx
char v61; // al
int v62; // ebx
__int64 v63; // rdx
__int64 v64; // r8
__int64 v65; // r9
int v66; // r12d
int v67; // edi
int v68; // esi
__int64 v69; // rcx
char v70; // al
__int64 v71; // rcx
char v72; // al
int v73; // edx
char v74; // al
int v75; // edx
__int64 v76; // rdx
__int64 v77; // rcx
WCHAR *v78; // r9
int v79; // r10d
__int64 v80; // r11
int v81; // edx
__int64 v82; // rcx
char v83; // al
__int64 v84; // rcx
char v85; // al
int v86; // edx
char v87; // al
int v88; // edx
char v89; // al
__int64 v90; // rcx
char v91; // al
int v92; // edx
__int64 v93; // r8
__int64 v94; // r9
__int64 v95; // rcx
__int64 v96; // rdx
int v97; // r13d
__int64 v98; // rdx
__int64 v99; // rcx
char v100; // al
int v101; // r13d
__int64 v102; // rdx
__int64 v103; // r8
__int64 v104; // r9
__int64 v105; // rcx
int v106; // r13d
__int64 v107; // rdx
int v108; // ebx
__int64 v109; // rdx
__int64 v110; // rcx
char v111; // al
int v112; // ebx
__int64 v113; // rdx
__int64 v114; // r8
__int64 v115; // r9
char v116; // al
int v117; // r8d
int v118; // r9d
int v119; // r15d
wchar_t *v120; // r10
int v121; // r12d
int v122; // r14d
__int64 v123; // rcx
char v124; // al
__int64 v125; // rcx
char v126; // al
int v127; // edx
char v128; // al
int v129; // edx
__int64 v130; // rdx
__int64 v131; // rcx
int v132; // eax
int v133; // edi
__int128 *v134; // rsi
int v135; // ebp
__int64 v136; // rcx
char v137; // al
__int64 v138; // rcx
char v139; // al
int v140; // edx
char v141; // al
int v142; // edx
__int128 *v143; // rax
__int128 *v144; // rcx
__int64 v145; // rdx
__int128 v146; // xmm0
__int128 v147; // xmm1
int v148; // ecx
__int64 v149; // rcx
char v150; // al
__int64 v151; // rcx
char v152; // al
int v153; // edx
char v154; // al
int v155; // edx
int v156; // eax
char v157; // al
__int64 v158; // rcx
char v159; // al
int v160; // edx
__int64 v161; // r9
char v162; // al
int v163; // r8d
int v164; // r8d
__int64 v165; // rcx
char v166; // al
__int64 v167; // rcx
char v168; // al
int v169; // edx
__int64 v170; // r8
__int64 v171; // r9
char v172; // al
int v173; // edx
unsigned int v174; // eax
__int64 v175; // rdx
__int64 v176; // rcx
char v177; // al
__int64 v178; // rcx
char v179; // al
int v180; // edx
char v181; // al
int v182; // edx
char v183; // al
__int64 v184; // rcx
char v185; // al
int v186; // edx
__int64 v187; // r9
char v188; // al
int v189; // r8d
int v190; // r8d
__int64 v191; // rcx
char v192; // al
__int64 v193; // rcx
char v194; // al
int v195; // edx
__int64 v196; // r9
char v197; // al
int v198; // r8d
// Stack-slot locals: the [rsp+...] annotations show v200..v203 sharing one slot,
// v204..v206 another and v209..v211 a third. v200 in particular is read below
// without ever being assigned under that name.
int v200; // [rsp+20h] [rbp-278h]
double v201; // [rsp+20h] [rbp-278h]
double v202; // [rsp+20h] [rbp-278h]
int v203; // [rsp+20h] [rbp-278h]
double v204; // [rsp+28h] [rbp-270h]
double v205; // [rsp+28h] [rbp-270h]
WCHAR *v206; // [rsp+28h] [rbp-270h]
int v207; // [rsp+30h] [rbp-268h]
int v208; // [rsp+34h] [rbp-264h]
double v209; // [rsp+38h] [rbp-260h]
double v210; // [rsp+38h] [rbp-260h]
double v211; // [rsp+38h] [rbp-260h]
double v213; // [rsp+40h] [rbp-258h]
// Module path buffer: 264 wide chars, of which 0x104 (260) are offered to the API.
WCHAR Filename[264]; // [rsp+50h] [rbp-248h] BYREF
// Opaque preamble. v2..v5 come from the constant helpers; v7 and v9 are read here
// with no visible definition, so the division/modulo pair is not meaningful data
// flow (presumably leftover register contents — decompiler artefact).
v2 = (char)sub_180010E10(a1, a2, (unsigned int)byte_180039003, (unsigned int)byte_180039000);
v3 = (char)((__int64 (*)(void))sub_180010DE0)();
v4 = (char)((__int64 (*)(void))sub_180010DD0)();
v5 = v3 * v4;
v6 = (unsigned int)(v5 + v2 + 8 * v5);
v8 = ((int)v6 + byte_180039004) % v7;
if ( ((int)v6 + byte_180039004) / v7 != v9 )
{
// The only system call in this function: with hModule 0, GetModuleFileNameW
// writes the path of the current process' executable into Filename. The return
// value (path length, or 0 on failure) is folded into the opaque double v204 and
// never used to bound the scan below, which relies on the NUL terminator instead.
v204 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(GetModuleFileNameW(0, Filename, 0x104u) == 0);
v11 = (unsigned int)byte_180039000;
if ( (v2 + v5 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v11
|| (v12 = sub_180010DF0(v11, (v2 + v5 + byte_180039004) % (unsigned int)byte_180039003),
v14 = sub_180010E20(v13, (unsigned int)(6 * byte_18003A4A8 * v12)),
v16 = sub_180010E00((unsigned int)v14, (unsigned int)(v15 - v14)),
!(v16 + v17 + byte_180039001)) )
{
v18 = (byte_180039004 + v5 + v2 + 2 * v5) / (unsigned int)byte_180039003 == byte_180039000
? (unsigned int)v200
: (unsigned int)(int)((double)(int)((byte_180039004 + v2 + 7 * v5) / (unsigned int)byte_180039003
- byte_180039000)
* v204);
}
else
{
v18 = 1;
}
v8 = (v2 + byte_180039004 + 4 * v5) % (unsigned int)byte_180039003;
v6 = (unsigned int)byte_180039000;
if ( (_DWORD)v18 * ((v2 + byte_180039004 + 4 * v5) / (unsigned int)byte_180039003 - (_DWORD)v6) )
{
v205 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(int)((byte_180039004 + v5 + v2 + 4 * v5) / (unsigned int)byte_180039003 - byte_180039000);
v19 = (v5 + v2 + byte_180039004) % (unsigned int)byte_180039003;
v20 = (unsigned int)byte_180039000;
if ( (v5 + v2 + byte_180039004) / (unsigned int)byte_180039003 != (_DWORD)v20 )
{
v21 = sub_180010DF0(v20, v19);
v23 = sub_180010E20(v22, (unsigned int)(6 * byte_18003A4A8 * v21));
v25 = sub_180010E00((unsigned int)v23, (unsigned int)(v24 - v23));
v19 = (unsigned int)(v25 + v26);
v20 = (unsigned int)(v19 + byte_180039001);
// Early exit to the "return 0" label; whether it is taken depends only on
// the helper constants and byte_180039001.
if ( (_DWORD)v19 + byte_180039001 )
goto LABEL_70;
}
v27 = sub_180010E10(v20, v19, v10, v18);
v8 = (3 * v4 * v3 + v27 + byte_180039004) % (unsigned int)byte_180039003;
v6 = (unsigned int)byte_180039000;
if ( (3 * v4 * v3 + v27 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v6 )
{
v36 = v200;
}
else
{
v28 = sub_180010DE0(v6, v8);
v30 = sub_180010DD0(v29, (unsigned int)v28);
v33 = sub_180010E10((unsigned int)v30, (unsigned int)(v30 * v31), (unsigned int)(7 * v30 * v31), v32);
HIDWORD(v8) = 0;
v35 = v33 + v34;
LODWORD(v8) = (v35 + byte_180039004) % (unsigned int)byte_180039003;
v6 = (unsigned int)byte_180039000;
v36 = (int)((double)(int)((v35 + byte_180039004) / (unsigned int)byte_180039003 - v6) * v205);
}
if ( v36 > 0 )
goto LABEL_70;
}
}
// Scan setup. v37 counts outer passes; v206 starts at the beginning of the path
// and is advanced past separators in the loop below. v46/v56/v62/v68 are further
// constant-helper products used only in predicates.
v37 = 0;
v206 = Filename;
v38 = sub_180010DD0(v6, v8);
v40 = sub_180010DE0(v39, (unsigned int)v38);
v44 = (unsigned int)(char)sub_180010E10((unsigned int)v40, (unsigned int)(3 * v40 * v41), v42, v43);
v46 = v44 + 2 * v45;
v47 = (char)sub_180010DD0(v44, v45);
v50 = sub_180010DE0(v49, v48);
v51 = v50 * v47;
v55 = (unsigned int)(char)sub_180010E10((unsigned int)v50, v52, v53, v54);
v56 = v55 + v51;
v58 = (char)sub_180010DD0(v55, v57);
v61 = sub_180010DE0(v60, v59);
v62 = v61 * v58;
v66 = v200;
v67 = v200;
v68 = (char)sub_180010E10((unsigned int)v61, v63, v64, v65);
// Outer loop: repeats the separator scan until v37 reaches v66, where v66 is
// either 1 or an opaque-derived count (or the unassigned v200).
while ( 1 )
{
v201 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(int)((v46 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000);
v69 = (unsigned int)byte_180039003;
if ( (v56 + byte_180039004) / (unsigned int)v69 == byte_180039000
|| (v70 = sub_180010DF0(v69, (v56 + byte_180039004) % (unsigned int)v69),
v72 = sub_180010E20(v71, (unsigned int)(6 * byte_18003A4A8 * v70)),
v74 = sub_180010E00((unsigned int)v72, (unsigned int)(v73 - v72)),
v76 = (unsigned int)(v74 + v75),
v77 = (unsigned int)(v76 + byte_180039001),
!((_DWORD)v76 + byte_180039001)) )
{
v76 = (byte_180039004 + v62 + v68 + 2 * v62) % (unsigned int)byte_180039003;
v77 = (unsigned int)byte_180039000;
if ( (byte_180039004 + v62 + v68 + 2 * v62) / (unsigned int)byte_180039003 != (_DWORD)v77 )
{
v76 = (byte_180039004 + v68 + 7 * v62) % (unsigned int)byte_180039003;
v77 = (unsigned int)byte_180039000;
v66 = (int)((double)(int)((byte_180039004 + v68 + 7 * v62) / (unsigned int)byte_180039003 - v77) * v201);
}
}
else
{
v66 = 1;
}
if ( v37 >= v66 )
break;
// Separator scan (the real work of this loop). v78 walks Filename up to its NUL;
// v79 is always index + 1, so after a '\\' (92) or '/' (47) the assignment to
// v206 leaves it pointing just past that separator. Once the scan finishes, v206
// is the base name of the module path (when the opaque product on the
// assignment is nonzero; otherwise it stays at the start of the path).
if ( Filename[0] )
{
v78 = Filename;
v79 = 1;
v80 = 0;
do
{
if ( (v56 + byte_180039004) / (unsigned int)byte_180039003 != byte_180039000 )
{
if ( *v78 == 92 || (v81 = 0, *v78 == 47) )
v81 = 1;
// The separator test reaches v206 only through this double and v67.
v202 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001)) * (double)v81;
v82 = (unsigned int)byte_180039000;
if ( (v56 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v82
|| (v83 = sub_180010DF0(v82, (v56 + byte_180039004) % (unsigned int)byte_180039003),
v85 = sub_180010E20(v84, (unsigned int)(6 * byte_18003A4A8 * v83)),
v87 = sub_180010E00((unsigned int)v85, (unsigned int)(v86 - v85)),
!(v87 + v88 + byte_180039001)) )
{
if ( (byte_180039004 + v62 + v68 + 2 * v62) / (unsigned int)byte_180039003 != byte_180039000 )
v67 = (int)((double)(int)((byte_180039004 + v68 + 7 * v62) / (unsigned int)byte_180039003 - byte_180039000)
* v202);
}
else
{
v67 = 1;
}
if ( v67 * ((v46 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000) )
v206 = &Filename[v79];
}
v78 = &Filename[++v80];
++v79;
}
while ( Filename[v80] );
}
++v37;
}
// Table-compare setup. v208 counts passes over the name table; v120 is the
// wchar_t name table (first entry aChromeExe) and v134 below is the data table
// (unk_180039010). The remaining assignments are constant-helper products.
v208 = 0;
v89 = sub_180010DD0(v77, v76);
v91 = sub_180010DE0(v90, (unsigned int)v89);
v95 = (unsigned int)(char)sub_180010E10((unsigned int)v91, (unsigned int)(v91 * v92), v93, v94);
v203 = v95 + 2 * v96;
v97 = (char)sub_180010DD0(v95, v96);
v100 = sub_180010DE0(v99, v98);
v101 = v100 * v97;
v105 = (unsigned int)(char)sub_180010E10((unsigned int)v100, v102, v103, v104);
v106 = v105 + v101;
v108 = (char)sub_180010DD0(v105, v107);
v111 = sub_180010DE0(v110, v109);
v112 = v111 * v108;
v116 = sub_180010E10((unsigned int)v111, v113, v114, v115);
v119 = v203;
v120 = aChromeExe;
v121 = v203;
v122 = v116;
// Outer pass over the name table. On the first arrival (fall-through from
// above) v117 and v118 have not been assigned yet; they are only set at the
// bottom of the entry loop before the goto back here.
LABEL_38:
v209 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(int)((v117 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000);
v123 = (unsigned int)byte_180039000;
if ( (v106 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v123
|| (v124 = sub_180010DF0(v123, (v106 + byte_180039004) % (unsigned int)byte_180039003),
v126 = sub_180010E20(v125, (unsigned int)(6 * byte_18003A4A8 * v124)),
v128 = sub_180010E00((unsigned int)v126, (unsigned int)(v127 - v126)),
v130 = (unsigned int)(v128 + v129),
v131 = (unsigned int)(v130 + byte_180039001),
!((_DWORD)v130 + byte_180039001)) )
{
v130 = (byte_180039004 + v112 + v122 + 2 * v112) % (unsigned int)byte_180039003;
v131 = (unsigned int)byte_180039000;
if ( (byte_180039004 + v112 + v122 + 2 * v112) / (unsigned int)byte_180039003 == (_DWORD)v131 )
{
v132 = v207;
}
else
{
v130 = (byte_180039004 + v122 + 7 * v112) % (unsigned int)byte_180039003;
v131 = (unsigned int)byte_180039000;
v132 = (int)((double)(int)((byte_180039004 + v122 + 7 * v112) / (unsigned int)byte_180039003 - v131) * v209);
v207 = v132;
}
}
else
{
v132 = 1;
v207 = 1;
}
// v118 < v132 gates another pass over the three entries; v132 is 1 or an
// opaque-derived value (or the unassigned v207 on the first pass).
if ( v118 < v132 )
{
v133 = 0;
v134 = (__int128 *)&unk_180039010;
v135 = v122 + 7 * v112;
while ( 1 )
{
if ( (v135 + byte_180039004) / (unsigned int)byte_180039003 != byte_180039000 )
{
// Per-entry compare: entry v133 of the name table (stride 416 wchar_t =
// 832 bytes) against the base name v206. sub_180017020 is not part of this
// listing; only its "== 0" outcome matters here, and it reaches the copy
// decision solely through the double v210 and the int v119.
v210 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)((unsigned int)sub_180017020(&v120[416 * v133], v206) == 0);
v136 = (unsigned int)byte_180039000;
if ( (v106 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v136
|| (v137 = sub_180010DF0(v136, (v106 + byte_180039004) % (unsigned int)byte_180039003),
v139 = sub_180010E20(v138, (unsigned int)(6 * byte_18003A4A8 * v137)),
v141 = sub_180010E00((unsigned int)v139, (unsigned int)(v140 - v139)),
!(v141 + v142 + byte_180039001)) )
{
if ( (byte_180039004 + v112 + v122 + 2 * v112) / (unsigned int)byte_180039003 != byte_180039000 )
v119 = (int)((double)(int)((v135 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000) * v210);
}
else
{
v119 = 1;
}
// Match path. Copies the data-table entry at v134 into a1: six iterations of
// eight __int128 plus four more = 52 x 16 = 832 bytes. There is no size
// argument, so a1 must point at >= 832 bytes of caller-owned storage.
if ( v119 * ((v122 + byte_180039004 + 8 * v112) / (unsigned int)byte_180039003 - byte_180039000) )
{
v143 = a1;
v144 = v134;
v145 = 6;
do
{
v143 += 8;
v146 = *v144;
v144 += 8;
*(v143 - 8) = v146;
*(v143 - 7) = *(v144 - 7);
*(v143 - 6) = *(v144 - 6);
*(v143 - 5) = *(v144 - 5);
*(v143 - 4) = *(v144 - 4);
*(v143 - 3) = *(v144 - 3);
*(v143 - 2) = *(v144 - 2);
*(v143 - 1) = *(v144 - 1);
--v145;
}
while ( v145 );
*v143 = *v144;
v143[1] = v144[1];
v143[2] = v144[2];
v147 = v144[3];
v148 = byte_180039004;
v143[3] = v147;
v211 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(int)((v148 + v112 + v122 + 8 * v112) / (unsigned int)byte_180039003 - byte_180039000);
v149 = (unsigned int)byte_180039000;
if ( (v106 + byte_180039004) / (unsigned int)byte_180039003 != (_DWORD)v149 )
{
v150 = sub_180010DF0(v149, (v106 + byte_180039004) % (unsigned int)byte_180039003);
v152 = sub_180010E20(v151, (unsigned int)(6 * byte_18003A4A8 * v150));
v154 = sub_180010E00((unsigned int)v152, (unsigned int)(v153 - v152));
if ( v154 + v155 + byte_180039001 )
goto LABEL_63;
}
if ( (byte_180039004 + v112 + v122 + 2 * v112) / (unsigned int)byte_180039003 != byte_180039000 )
v121 = (int)((double)(int)((v135 + byte_180039004) / (unsigned int)byte_180039003 - byte_180039000) * v211);
// Only "return 1" exit: reached after the copy above (v121 > 0, or the
// opaque goto from the block above it).
if ( v121 > 0 )
{
LABEL_63:
LOBYTE(v156) = 1;
return v156;
}
}
v120 = aChromeExe;
}
// Next entry: the data table advances 52 __int128 (832 bytes), matching the
// 416-wchar_t stride of the name table. Three entries per pass, then v208 is
// bumped and control returns to LABEL_38 for the pass-count check.
++v133;
v134 += 52;
if ( v133 >= 3 )
{
v117 = v203;
v118 = ++v208;
goto LABEL_38;
}
}
}
// No-match epilogue: constant-helper arithmetic only, no further side effects.
// Every path from here ends at LABEL_70 with a return value of 0.
v157 = sub_180010DE0(v131, v130);
v159 = sub_180010DD0(v158, (unsigned int)v157);
v162 = sub_180010E10((unsigned int)v159, (unsigned int)(v159 * v160), (unsigned int)(5 * v159 * v160), v161);
v164 = v162 + v163;
v165 = (unsigned int)byte_180039000;
v213 = ((double)byte_180039002 - ((double)byte_180039001 + (double)byte_180039001))
* (double)(int)((v164 + byte_180039004) / (unsigned int)byte_180039003 - v165);
v166 = sub_180010DE0(v165, (v164 + byte_180039004) % (unsigned int)byte_180039003);
v168 = sub_180010DD0(v167, (unsigned int)v166);
v172 = sub_180010E10((unsigned int)v168, (unsigned int)(v168 * v169), v170, v171);
v174 = v172 + v173 + byte_180039004;
v175 = v174 % byte_180039003;
v176 = (unsigned int)byte_180039000;
if ( v174 / byte_180039003 != (_DWORD)v176 )
{
v177 = sub_180010DF0(v176, v175);
v179 = sub_180010E20(v178, (unsigned int)(6 * byte_18003A4A8 * v177));
v181 = sub_180010E00((unsigned int)v179, (unsigned int)(v180 - v179));
v175 = (unsigned int)(v181 + v182);
v176 = (unsigned int)(v175 + byte_180039001);
if ( (_DWORD)v175 + byte_180039001 )
goto LABEL_70;
}
v183 = sub_180010DE0(v176, v175);
v185 = sub_180010DD0(v184, (unsigned int)v183);
v188 = sub_180010E10((unsigned int)v185, (unsigned int)(v185 * v186), (unsigned int)(3 * v185 * v186), v187);
v190 = v188 + v189;
v191 = (unsigned int)byte_180039000;
if ( (v190 + byte_180039004) / (unsigned int)byte_180039003 == (_DWORD)v191 )
{
v156 = v203;
}
else
{
v192 = sub_180010DE0(v191, (v190 + byte_180039004) % (unsigned int)byte_180039003);
v194 = sub_180010DD0(v193, (unsigned int)v192);
v197 = sub_180010E10((unsigned int)v194, (unsigned int)(v194 * v195), (unsigned int)(7 * v194 * v195), v196);
v156 = (int)((double)(int)((v197 + v198 + byte_180039004) / (unsigned int)byte_180039003 - byteeeee_placeholder_never_used);
}
// LABEL_70: shared "return 0" exit. Note the if has no braces, so the label
// sits inside its body but the LOBYTE store and return run on every path.
if ( v156 > 0 )
LABEL_70:
LOBYTE(v156) = 0;
return v156;
}
// Decompiled stub: always yields 9. Together with the other constant helpers
// below it feeds the opaque-predicate arithmetic in sub_180001030.
char sub_180010E20()
{
    static const char fixed_value = 9;
    return fixed_value;
}
// Decompiled stub: always yields 7; its arguments (passed by the caller) are
// never examined.
char sub_180010E10()
{
    enum { STUB_RESULT = 7 };
    return (char)STUB_RESULT;
}
// Decompiled stub: always yields 6.
char sub_180010E00()
{
    const char answer = 6;
    return answer;
}
// Decompiled stub: always yields 3.
char sub_180010DF0()
{
    enum { STUB_RESULT = 3 };
    return (char)STUB_RESULT;
}
// Decompiled stub: always yields 2.
char sub_180010DE0()
{
    static const char fixed_value = 2;
    return fixed_value;
}
// Decompiled stub: always yields 0. Because sub_180001030 multiplies by this
// value in several places, a number of its intermediate products are zero.
char sub_180010DD0()
{
    const char answer = 0;
    return answer;
}
Evaluated model output (what the LLM said about the code) · op05/result_ClaudeAI1.txt
# Malware Static Analysis Report
## ⚠️ Important Caveat First
This decompiled code is **heavily obfuscated** with a technique that produces large amounts of "dead arithmetic." Most of the function body consists of meaningless calculations involving constant-returning helper functions (`sub_180010DD0` → 0, `sub_180010DE0` → 2, `sub_180010E00` → 6, etc.). These constants are used to build **opaque predicates** — branch conditions whose outcome is always the same — to confuse analysts and decompilers. I will strip this noise and report only what is functionally meaningful.
---
## 1. Functional Description
Once the obfuscation is removed, the function reduces to a simple, recognizable routine:
```c
char sub_180001030(__int128 *a1, __int64 a2)
{
WCHAR Filename[264];
WCHAR *basename = Filename;
GetModuleFileNameW(0, Filename, 0x104); // get own executable path
// find last '\' or '/' in the path -> isolate the file name
for (each char in Filename)
if (c == '\\' || c == '/')
basename = &next_char;
// compare basename against a list of target process names
for (i = 0; i < 3; i++)
if (wcsicmp(&targetList[i], basename) == 0) // sub_180017020 = case-insensitive wide compare
{
// copy a structure/payload block into a1 (the __int128 copy loop)
memcpy(a1, &unk_180039010, ...);
return 1; // match found
}
return 0; // no match
}
```
### Core behavior (de-obfuscated):
- **Observed:** Calls `GetModuleFileNameW(NULL, ...)` to retrieve the path of the currently running executable.
- **Observed:** Parses the path to extract just the file name (splits on `\` and `/`).
- **Observed:** References the string `aChromeExe` (`"chrome.exe"`) and iterates a list of **3** target names (the index `v120[416 * v133]` gives a stride of 416 wide chars per entry, and the loop runs 3 times).
- **Observed:** Uses `sub_180017020` (a case-insensitive wide-string comparison, equivalent to `_wcsicmp`) to compare the executable name against these targets.
- **Observed:** On a match, copies a fixed data block (`unk_180039010`, a large struct, copied via SSE 128-bit moves) into the caller's buffer `a1` and returns `1`.
### Inferred purpose:
This is almost certainly a **self-context check / target-validation routine** used by an injected DLL or a process-hollowing/sideloading payload. It verifies that it is running **inside the right host process** (e.g., `chrome.exe` or other browsers), and if so, retrieves configuration/offset data needed for the next stage (commonly **browser memory patching, credential theft, or man-in-the-browser injection**).
---
## 2. Well-Known Algorithms
- **No cryptographic algorithm** is present.
- The "algorithms" used are:
- **Path basename extraction** (custom, splitting on `\`/`/`).
- **Case-insensitive wide string comparison** (`sub_180017020` ≈ `_wcsicmp`).
- The dominant "algorithm" is the **opaque-predicate obfuscation scheme** (see §5).
---
## 3. Indicators of Compromise (IOCs)
| Type | Value | Notes |
|------|-------|-------|
| String / Process name | `chrome.exe` (`aChromeExe`) | Observed reference; targeted browser |
| Process-name table | `aChromeExe` + 2 additional 416-byte entries | Loop runs 3 times — **inferred** two more browser names follow `chrome.exe` (commonly `msedge.exe`, `brave.exe`, etc.) |
| Data blob | `unk_180039010` | Copied payload/config block — needs raw bytes to characterize |
| Config bytes | `byte_180039000`–`byte_18003A4A8` | Used as obfuscation constants; not real network/file IOCs |
**No file paths, IPs, domains, registry keys, or commands** are present in this snippet. The `Filename` buffer is filled at runtime by `GetModuleFileNameW`, not hard-coded.
> ⚠️ The "additional two target names" is **inferred** from the loop count and stride, not directly observed.
---
## 4. MITRE ATT&CK Mapping
| Technique ID | Name | Evidence | Fact / Inference |
|--------------|------|----------|------------------|
| **T1057** | Process Discovery | Determines own process name via `GetModuleFileNameW` and compares against a target list | Observed |
| **T1620** / **T1055** | Reflective / Process Injection (context) | Code is structured as a guard for an injected component running inside a browser process; references `chrome.exe` as host | Inferred |
| **T1027** | Obfuscated Files or Information | Massive dead-code / opaque-predicate obfuscation; constant-return functions used to build junk arithmetic | Observed |
| **T1497** | Virtualization/Sandbox Evasion (defensive) | The opaque predicates complicate automated analysis; behavior-gating on host process can hinder dynamic analysis outside the intended host | Inferred |
| **T1185** | Browser Session Hijacking (Man-in-the-Browser) | Targets `chrome.exe`; retrieves a config blob after confirming browser host | Inferred (very common goal for browser-targeting code like this) |
| **T1555.003** | Credentials from Web Browsers | Strong candidate purpose for browser-resident code | Inferred (not provable from this snippet alone) |
---
## 5. Obfuscation / Evasion Techniques
**Observed:**
1. **Opaque predicate obfuscation** — The helpers return constants (`0, 2, 3, 6, 7, 9`). Expressions like `(x + byte_180039004) / byte_180039003 == byte_180039000` therefore evaluate to the same value on every run, so entire `if`/`else` branches are dead. This is the defining feature.
2. **Junk floating-point arithmetic** — Repeated `((double)b2 - (b1 + b1)) * (double)(...)` patterns produce values used only inside fake conditions, never in real logic.
3. **Control-flow flattening / inflation** — The real logic (≈15 lines) is buried in ~700 lines of computed-but-discarded operations.
4. **Constant pool indirection** — Global bytes (`byte_180039000+`) act as a "key table" feeding the opaque predicates, making static constant-folding harder.
**Inferred:**
- This pattern is characteristic of **commercial/protector obfuscators or custom packers** designed to defeat both decompilers and human reviewers. The function genuinely "works" only along a single hidden execution path.
---
## 6. Summary: Facts vs. Inference
**Directly observed facts:**
- Calls `GetModuleFileNameW(NULL, ...)`.
- Extracts the basename from the resulting path.
- References the string `"chrome.exe"`.
- Compares the basename against **3** target names (case-insensitively).
- On a match, copies a fixed data structure (`unk_180039010`) and returns 1.
- Heavily obfuscated using constant-returning helper functions and opaque predicates.
**Inferred (reasoned) behavior:**
- The function is a **host-process validation guard** for a browser-targeting payload (likely injected/sideloaded).
- The two unseen targets are likely other Chromium browsers.
- The ultimate goal is probably **browser hijacking / credential or session theft** — not provable from this snippet alone; requires analysis of `unk_180039010` and the callers of `sub_180001030`.
**Recommended next steps:** dump the raw bytes of `unk_180039010` and the full 3-entry name table at `aChromeExe`, and trace the callers of this function to confirm the injection/theft hypothesis.