Just in case anyone gets the idea of using the GetObsfucatorPid() contained in the test project attached above, they had better use the following code instead:
Delphi source code:
////////////////////////////////////////////////////////////////////////////////
//
// GetObsfucator
//
// Returns the value of kernel32.dwObsfucator on Consumer Windows (Win9x).
//
// Note that this version does *NOT* read kernel32 memory (as often seen).
// Therefore, it can be called without the risk of raising any exceptions.
// Furthermore, the function validates whether the calculated value works, and
// returns 0 if the Obsfucator isn't working (not Win9x | no obfuscation).
//
function GetObsfucator: DWORD;
{$IFDEF WIN32}
asm
  { }
  { Well-known methods to get the 'Obsfucator':                        }
  { }
  {   'Obsfucator' = Pid xor [TEB.PDB]                                  }
  {   'Obsfucator' = Tid xor ( [TEB.Self] - TDB.TEB )                   }
  { }
  { Therefore the TDB's offset from the TEB is:                         }
  { }
  {   -TDB.TEB = ( Tid xor Pid xor [TEB.PDB] ) - [TEB.Self]             }
  { }
  { If the offset is neither -8h (new Win9x) nor -10h (old Win9x)       }
  { (the offset has changed through changes in the object header),      }
  { then the current system isn't Win9x or obfuscation isn't used.      }
  { }
  call GetCurrentThreadId
  push eax                        { save Tid }
  call GetCurrentProcessId        { eax = Pid }
  xor  edx, edx                   { edx = 0, base for fs:[...] }
  xor  eax, fs:[edx + 30h]        { eax = Pid xor [TEB.PDB] = 'Obsfucator' }
  pop  ecx                        { ecx = Tid }
  xor  ecx, eax                   { ecx = Tid xor 'Obsfucator' = TDB address }
  sub  ecx, fs:[edx + 18h]        { ecx = TDB - [TEB.Self] = -TDB.TEB }
  add  ecx, 08h                   { offset -8h?  ecx becomes 0 }
  jecxz @@done                    { yes: new Win9x, eax is valid }
  add  ecx, 08h                   { offset -10h? ecx becomes 0 }
  jecxz @@done                    { yes: old Win9x, eax is valid }
  xor  eax, eax                   { neither: not Win9x / no obfuscation, return 0 }
@@done:
end;
{$ELSE}
begin
  Result := 0;
end;
{$ENDIF}
Regards, Nico
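A model of the arithmetic behind Nico's routine, added here as an example and not part of the original post: it builds a consistent set of Tid/Pid/TEB values from a chosen obfuscator, recovers the obfuscator the same way the assembly does, and rejects the value when the derived TDB-to-TEB offset is neither 8h nor 10h. All values are constructed; nothing is read from a real TEB, and FakeThread, make_thread and get_obfuscator are names invented for this example.

```python
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
NEW_WIN9X_TDB_TEB = 0x08   # TDB.TEB offset on newer Win9x (asm: "add ecx, 08h")
OLD_WIN9X_TDB_TEB = 0x10   # TDB.TEB offset on older Win9x (second "add ecx, 08h")


@dataclass
class FakeThread:
    """Constructed stand-in for what the routine reads at runtime."""
    tid: int        # GetCurrentThreadId()
    pid: int        # GetCurrentProcessId()
    teb_self: int   # [TEB.Self] at fs:[18h]: linear address of the TEB
    teb_pdb: int    # [TEB.PDB]  at fs:[30h]: linear address of the PDB


def make_thread(obfuscator, tdb_addr, pdb_addr, tdb_teb_offset):
    """Build values that satisfy the two relations from the post:
    Pid = [TEB.PDB] xor obf and Tid = TDB xor obf, with the TEB located
    tdb_teb_offset bytes after the start of the TDB."""
    return FakeThread(tid=(tdb_addr ^ obfuscator) & MASK32,
                      pid=(pdb_addr ^ obfuscator) & MASK32,
                      teb_self=(tdb_addr + tdb_teb_offset) & MASK32,
                      teb_pdb=pdb_addr & MASK32)


def get_obfuscator(t: FakeThread) -> int:
    """Same steps as the assembly: derive obf from Pid, then check that
    Tid agrees by yielding one of the two known TDB.TEB offsets."""
    obf = t.pid ^ t.teb_pdb                       # xor eax, fs:[30h]
    tdb_addr = t.tid ^ obf                        # pop ecx; xor ecx, eax
    minus_tdb_teb = (tdb_addr - t.teb_self) & MASK32   # sub ecx, fs:[18h]
    accepted = {(-NEW_WIN9X_TDB_TEB) & MASK32, (-OLD_WIN9X_TDB_TEB) & MASK32}
    return obf if minus_tdb_teb in accepted else 0     # xor eax, eax otherwise


def demo():
    """Constructed addresses: the check passes for both known layouts and
    fails for an unknown one, which the routine reports as 0."""
    obf, tdb, pdb = 0x6A1C4D90, 0xC1234560, 0xC1000000
    return (get_obfuscator(make_thread(obf, tdb, pdb, NEW_WIN9X_TDB_TEB)),
            get_obfuscator(make_thread(obf, tdb, pdb, OLD_WIN9X_TDB_TEB)),
            get_obfuscator(make_thread(obf, tdb, pdb, 0x20)))
```

`demo()` returns the recovered obfuscator twice and then 0, mirroring the three paths through the `jecxz` checks.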