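// White Knight Labs - Offensive Development Course
// String Deobfuscation with Inline-Assembly
// Based on - https://gist.github.com/WKL-Sec/e24830ebfafabc283bd9329e79f71164

#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

namespace {

// Value (0..15) of a single hex digit in either case.
// Throws std::invalid_argument for anything that is not a hex digit, so a
// malformed input fails loudly instead of being half-parsed.
int hexNibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    throw std::invalid_argument("hexStringToBytes: non-hex character in input");
}

}  // namespace

// Decodes a hex string ("1924...") into raw bytes, two digits per byte.
// hex: even-length string of hex digits only (no prefix, sign or whitespace;
//      these were silently accepted by the std::stoi-based decoder this replaces).
// Returns the decoded bytes in input order; an empty string yields an empty vector.
// Throws std::invalid_argument if the length is odd or a digit is not hex.
std::vector<char> hexStringToBytes(const std::string& hex) {
    if (hex.size() % 2 != 0) {
        throw std::invalid_argument("hexStringToBytes: hex string must have even length");
    }
    std::vector<char> bytes;
    bytes.reserve(hex.size() / 2);  // exactly one byte per digit pair
    for (std::size_t i = 0; i < hex.size(); i += 2) {
        const int value = (hexNibble(hex[i]) << 4) | hexNibble(hex[i + 1]);
        bytes.push_back(static_cast<char>(value));
    }
    return bytes;
}

// Deobfuscation logic, applied in place to every byte:
//   c = ((~c) - 1) ^ 0xAA;
// The transform and the 0xAA constant are fixed and visible in the binary,
// so the original string is trivially recoverable by anyone who reads the code.
// bytes: obfuscated bytes; on return holds the deobfuscated bytes.
//        An empty vector is a no-op.
void deobfuscateBytes(std::vector<char>& bytes) {
#if defined(_MSC_VER)
    // Original MSVC inline-assembly variant.
    // NOTE(review): MSVC accepts the __asm keyword only when targeting 32-bit
    // x86, while this block names the 64-bit registers rdi/rsi/rcx, so it is
    // unlikely to build on either MSVC target as written — confirm on your
    // toolchain. The portable branch below implements the same transform.
    char* data = bytes.data();        // base address of the buffer
    std::size_t len = bytes.size();   // number of bytes to process
    __asm {
        mov rdi, data           // base address of data into RDI
        mov rcx, len            // length of data into RCX
        mov rsi, rcx            // copy length into RSI as the loop counter
    loop_start:
        test rsi, rsi           // counter exhausted?
        jz loop_end             // if zero, we are done
        dec rsi                 // walk from the last byte down to the first
        mov al, [rdi + rsi]     // load the current byte into AL
        not al                  // ~c
        dec al                  // - 1
        xor al, 0xAA            // ^ 0xAA
        mov [rdi + rsi], al     // store the result back
        jmp loop_start
    loop_end:
    }
#else
    // Portable variant: the same transform in unsigned arithmetic, so the
    // wrap-around of (~c) - 1 is well defined for every byte value.
    for (char& c : bytes) {
        const unsigned int u = static_cast<unsigned char>(c);
        const unsigned int inverted = (~u) & 0xFFu;
        const unsigned int decremented = (inverted - 1u) & 0xFFu;
        c = static_cast<char>(decremented ^ 0xAAu);
    }
#endif
}

int main() {
    const std::string hexSecretName = "19242f3a042639352f2525";  // OpenProcess

    // Convert the hex string to bytes
    std::vector<char> bytes = hexStringToBytes(hexSecretName);

    // Deobfuscate the bytes in place
    deobfuscateBytes(bytes);

    // Convert the deobfuscated bytes back to a string and print
    const std::string deobfuscatedSecretName(bytes.begin(), bytes.end());
    std::cout << "Deobfuscated: " << deobfuscatedSecretName << '\n';
    return 0;
}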