| /** | |
| Compression using undocumented API in rdpbase.dll | |
| RDPCompressEx supports four algorithms : MPPC-8K, MPPC-64K, NCRUSH and XCRUSH. | |
| This code supports all except NCRUSH. | |
| The MPPC compression ratio is very similar to LZSS, so this could be quite useful for shellcode trying to evade detection. | |
| NCRUSH compression appears to work but fails for decompression. |
Sometimes there's some inconsistency between local types and structs view.
Typically, you can see the type in the "Structures" view are zero-lengthed, which should normally be the same size as local type's one.
When this happens, you'll not be able to rename the structure fields in HexRay Decompiler's view, and both hotkey N and right-clicking the item won't show the rename popup.
After reverse engineering the hexx64.dll, I found that IDA tries to do the following things:
The CTREE is built from the optimized microcode (maturity at CMAT_FINAL), it represents an AST-like tree with C statements and expressions. It can be printed as C code.
| import sys | |
| import random | |
| import binascii | |
| import struct | |
| import os | |
| from ctypes import * | |
| from ctypes.wintypes import * | |
| # Shorthands for some ctypes stuff. |
| # -*- coding: UTF-8 -*- | |
| from ctypes.wintypes import * | |
| from ctypes import * | |
| from enum import IntEnum | |
| # These libraries have the APIs we need | |
| kernel32 = WinDLL('kernel32', use_last_error=True) | |
| advapi32 = WinDLL('advapi32', use_last_error=True) | |
| psapi = WinDLL('psapi.dll', use_last_error=True) |
