  1. #5
    Dwar

    re: encrypted .CSV decryptor

    Опередил меня уважаемый камрад ADACH... спасибо за готовый декриптор, а то я так и не набрался сил доводить это дело до конца

    Алгоритм подобен шифрованию пакетов, там применяется схожая последовательность определения длины сообщения, выборка из таблиц определенных значений для декодирования и непосредственно расшифровка.

    ; Disassembler listing of a call site that fetches a buffer pointer from a VFile object.
    ; The decorated name ?GetBuffer@VFile@@QAEPBDXZ demangles to a public __thiscall member
    ; function VFile::GetBuffer(void) returning const char*, so ECX carries the object pointer.
    003F3229    8BCE            MOV ECX,ESI ; ECX = object pointer taken from ESI (this for the call below)
    003F322B E8 583E0000 CALL <JMP.&FileSystem.?GetBuffer@VFile@@ ; Jump to FileSystem.?GetBuffer@VFile@@QAEPBDXZ
    003F3230 50 PUSH EAX ; EAX = returned buffer pointer, pushed as an argument for code not shown here
    003F3231 8BCF MOV ECX,EDI ; presumably the object pointer for the next call (not shown) - confirm


    Для поклонников Паскаля (Delphi) — функция расшифровки (конвертирована в полуручном режиме, т. е. возможны ошибки):
    // decrypt: hand-converted decompiler pseudocode for a 16-byte block decryption routine.
    // The original decompiler signature is kept on the next line.
    //   a1 - presumably a pointer to the input block (four dwords at offsets 0, 4, 8, 12)
    //   a2 - presumably a pointer to the output block (four dwords at offsets 0, 4, 8, 12)
    //   a3 - presumably a pointer to a context; offsets 400, 516 and 520 are referenced below
    // result is set to 1 at the end and to 0 when bit 1 of the value at a3 + 520 is clear.
    // NOTE(review): this listing does not compile as written. The pointer dereferences of the
    // pseudocode appear to have been dropped in the conversion, so expressions such as (a3 + 516),
    // (a1 + 4) or (v4 + 64) are plain additions here; presumably each meant "the dword stored at
    // that address" - confirm against the disassembly before relying on any value.
    // NOTE(review): the 10/12/14 selection, the four lookup tables and the 16-byte block look like
    // table-driven AES (Rijndael) decryption, and the table bytes quoted in the post are consistent
    // with the standard AES inverse lookup tables - confirm against the full tables. If so, the
    // tables are public algorithm constants and the secret is whatever key material sits in a3.
    //__int16 cdecl sub_10010AA7(integer a1, integer a2, integer a3)
    function decrypt(a1,a2,a3: dword): dword;
    var
    // The bracketed notes are the decompiler's stack-slot annotations for each local.
    v4 : dword; // [sp+24h] [bp-4h]@1
    v5 : dword; // [sp+14h] [bp-14h]@5
    v6 : dword; // [sp+18h] [bp-10h]@5
    v7 : dword; // [sp+1Ch] [bp-Ch]@5
    v8 : dword; // [sp+20h] [bp-8h]@5
    v9 : dword; // [sp+0h] [bp-28h]@5
    v10 : dword; // [sp+4h] [bp-24h]@9
    v11 : dword; // [sp+8h] [bp-20h]@9
    v12 : dword; // [sp+Ch] [bp-1Ch]@9
    v13 : dword; // [sp+10h] [bp-18h]@9
    {
    Mapping of the names used below to the decompiler's data labels:
    decryptTable1 - dword_100195B0
    decryptTable2 - dword_100191B0
    decryptTable3 - dword_10018DB0
    decryptTable4 - dword_100189B0
    }
    begin
    // Presumably the address of the last 16-byte round key: base + 16 * (value at a3 + 516) + 256.
    v4 := a3 + 16 * (a3 + 516) + 256;
    // NOTE(review): assigning result does not leave a Pascal function, so execution continues;
    // if the original returned here an explicit exit is needed - confirm.
    if ( not ( (a3 + 520) and 2) ) then
    result:= 0;
    if ( not ( (a3 + 520) and 2) ) then
    begin
    //sub_1000B700(a3);
    subDecrypt(a3);
    // NOTE(review): the next line is not valid Pascal ("mod xor 3u" is a conversion leftover);
    // presumably it updates the flag value at a3 + 520 - confirm against the disassembly.
    (a3 + 520):= mod xor 3u;
    end;
    // Initial step: the four input dwords are combined with four dwords at v4 by XOR.
    v5 := v4 xor a1;
    v6 := (v4 + 4) xor (a1 + 4);
    v7 := (v4 + 8) xor (a1 + 8);
    v8 := (v4 + 12) xor (a1 + 12);
    // v4 is re-based to a3 + 400; all offsets in the rounds below are relative to it.
    v4 := a3 + 400;
    // v9 selects how many rounds run: 14 enters both nested blocks, 12 only the outer one,
    // 10 skips both, and any other value jumps straight to the output stage.
    v9 := a3 + 516;
    if ( v9 <> 10 ) then
    begin
    if ( v9 <> 12 ) then
    begin
    if ( v9 <> 14 ) then
    goto LABEL_12; // doesn't crypted

    // Two extra rounds, reached only when v9 = 14 (offsets +64..+76, then +48..+60).
    // NOTE(review): the table indices here and below use whole dwords (for example
    // decryptTable1[v6] and decryptTable2[(v7 shr 8)]); the tables are declared as 1024 bytes,
    // i.e. 256 dwords, so a byte cast or "and $FF" was presumably lost in the conversion - confirm.
    v10 := decryptTable1[v6] xor
    decryptTable2[(v7 shr 8)] xor
    decryptTable3[(v8 shr 16) and $FF]
    xor decryptTable4[v5 shr 24] xor (v4 + 64);

    v11 := decryptTable1[v7] xor
    decryptTable2[(v8 shr 8)] xor
    decryptTable3[(v5 shr 16) and $FF]
    xor decryptTable4[v6 shr 24] xor (v4 + 68);

    v12 := decryptTable1[v8] xor
    decryptTable2[(v5 shr 8)] xor
    decryptTable3[(v6 shr 16) and $FF]
    xor decryptTable4[v7 shr 24] xor (v4 + 72);

    v13 := decryptTable1[v5] xor
    decryptTable2[(v6 shr 8)] xor
    decryptTable3[(v7 shr 16) and $FF]
    xor decryptTable4[v8 shr 24] xor (v4 + 76);

    v5 := decryptTable1[v11] xor
    decryptTable2[(v12 shr 8)] xor
    decryptTable3[(v13 shr 16) and $FF] xor
    decryptTable4[v10 shr 24] xor (v4 + 48);

    v6 := decryptTable1[v12] xor
    decryptTable2[(v13 shr 8)] xor
    decryptTable3[(v10 shr 16) and $FF] xor
    decryptTable4[v11 shr 24] xor (v4 + 52);

    v7 := decryptTable1[v13] xor
    decryptTable2[(v10 shr 8)] xor
    decryptTable3[(v11 shr 16) and $FF] xor
    decryptTable4[v12 shr 24] xor (v4 + 56);

    v8 := decryptTable1[v10] xor
    decryptTable2[(v11 shr 8)] xor
    decryptTable3[(v12 shr 16) and $FF] xor
    decryptTable4[v13 shr 24] xor (v4 + 60);
    end;

    // Two rounds reached when v9 is 12 or 14 (offsets +32..+44, then +16..+28).
    v10 := decryptTable1[v6] xor
    decryptTable2[(v7 shr 8)] xor
    decryptTable3[(v8 shr 16) and $FF] xor
    decryptTable4[v5 shr 24] xor (v4 + 32);

    v11 := decryptTable1[v7] xor
    decryptTable2[(v8 shr 8)] xor
    decryptTable3[(v5 shr 16) and $FF] xor
    decryptTable4[v6 shr 24] xor (v4 + 36);

    v12 := decryptTable1[v8] xor
    decryptTable2[(v5 shr 8)] xor
    decryptTable3[(v6 shr 16) and $FF] xor
    decryptTable4[v7 shr 24] xor (v4 + 40);

    v13 := decryptTable1[v5] xor
    decryptTable2[(v6 shr 8)] xor
    decryptTable3[(v7 shr 16) and $FF] xor
    decryptTable4[v8 shr 24] xor (v4 + 44);

    v5 := decryptTable1[v11] xor
    decryptTable2[(v12 shr 8)] xor
    decryptTable3[(v13 shr 16) and $FF] xor
    decryptTable4[v10 shr 24] xor (v4 + 16);

    v6 := decryptTable1[v12] xor
    decryptTable2[(v13 shr 8)] xor
    decryptTable3[(v10 shr 16) and $FF] xor
    decryptTable4[v11 shr 24] xor (v4 + 20);

    v7 := decryptTable1[v13] xor
    decryptTable2[(v10 shr 8)] xor
    decryptTable3[(v11 shr 16) and $FF] xor
    decryptTable4[v12 shr 24] xor (v4 + 24);

    v8 := decryptTable1[v10] xor
    decryptTable2[(v11 shr 8)] xor
    decryptTable3[(v12 shr 16) and $FF] xor
    decryptTable4[v13 shr 24] xor (v4 + 28);
    end;
    // Rounds common to v9 = 10, 12 and 14: nine table rounds stepping from offset 0 down to -128,
    // alternating between the v5..v8 and v10..v13 state words.
    v10 := decryptTable1[v6] xor
    decryptTable2[(v7 shr 8)] xor
    decryptTable3[(v8 shr 16) and $FF] xor
    decryptTable4[v5 shr 24] xor v4;

    v11 := decryptTable1[v7] xor
    decryptTable2[(v8 shr 8)] xor
    decryptTable3[(v5 shr 16) and $FF] xor
    decryptTable4[v6 shr 24] xor (v4 + 4);

    v12 := decryptTable1[v8] xor
    decryptTable2[(v5 shr 8)] xor
    decryptTable3[(v6 shr 16) and $FF] xor
    decryptTable4[v7 shr 24] xor (v4 + 8);

    v13 := decryptTable1[v5] xor
    decryptTable2[(v6 shr 8)] xor
    decryptTable3[(v7 shr 16) and $FF] xor
    decryptTable4[v8 shr 24] xor (v4 + 12);

    v5 := decryptTable1[v11] xor
    decryptTable2[(v12 shr 8)] xor
    decryptTable3[(v13 shr 16) and $FF] xor
    decryptTable4[v10 shr 24] xor (v4 - 16);

    v6 := decryptTable1[v12] xor
    decryptTable2[(v13 shr 8)] xor
    decryptTable3[(v10 shr 16) and $FF] xor
    decryptTable4[v11 shr 24] xor (v4 - 12);

    v7 := decryptTable1[v13] xor
    decryptTable2[(v10 shr 8)] xor
    decryptTable3[(v11 shr 16) and $FF] xor
    decryptTable4[v12 shr 24] xor (v4 - 8);

    v8 := decryptTable1[v10] xor
    decryptTable2[(v11 shr 8)] xor
    decryptTable3[(v12 shr 16) and $FF] xor
    decryptTable4[v13 shr 24] xor (v4 - 4);

    v10 := decryptTable1[v6] xor
    decryptTable2[(v7 shr 8)] xor
    decryptTable3[(v8 shr 16) and $FF] xor
    decryptTable4[v5 shr 24] xor (v4 - 32);

    v11 := decryptTable1[v7] xor
    decryptTable2[(v8 shr 8)] xor
    decryptTable3[(v5 shr 16) and $FF] xor
    decryptTable4[v6 shr 24] xor (v4 - 28);

    v12 := decryptTable1[v8] xor
    decryptTable2[(v5 shr 8)] xor
    decryptTable3[(v6 shr 16) and $FF] xor
    decryptTable4[v7 shr 24] xor (v4 - 24);

    v13 := decryptTable1[v5] xor
    decryptTable2[(v6 shr 8)] xor
    decryptTable3[(v7 shr 16) and $FF] xor
    decryptTable4[v8 shr 24] xor (v4 - 20);

    v5 := decryptTable1[v11] xor
    decryptTable2[(v12 shr 8)] xor
    decryptTable3[(v13 shr 16) and $FF] xor
    decryptTable4[v10 shr 24] xor (v4 - 48);

    v6 := decryptTable1[v12] xor
    decryptTable2[(v13 shr 8)] xor
    decryptTable3[(v10 shr 16) and $FF] xor
    decryptTable4[v11 shr 24] xor (v4 - 44);

    v7 := decryptTable1[v13] xor
    decryptTable2[(v10 shr 8)] xor
    decryptTable3[(v11 shr 16) and $FF] xor
    decryptTable4[v12 shr 24] xor (v4 - 40);

    v8 := decryptTable1[v10] xor
    decryptTable2[(v11 shr 8)] xor
    decryptTable3[(v12 shr 16) and $FF] xor
    decryptTable4[v13 shr 24] xor (v4 - 36);

    v10 := decryptTable1[v6] xor
    decryptTable2[(v7 shr 8)] xor
    decryptTable3[(v8 shr 16) and $FF] xor
    decryptTable4[v5 shr 24] xor (v4 - 64);

    v11 := decryptTable1[v7] xor
    decryptTable2[(v8 shr 8)] xor
    decryptTable3[(v5 shr 16) and $FF] xor
    decryptTable4[v6 shr 24] xor (v4 - 60);

    v12 := decryptTable1[v8] xor
    decryptTable2[(v5 shr 8)] xor
    decryptTable3[(v6 shr 16) and $FF] xor
    decryptTable4[v7 shr 24] xor (v4 - 56);

    v13 := decryptTable1[v5] xor
    decryptTable2[(v6 shr 8)] xor
    decryptTable3[(v7 shr 16) and $FF] xor
    decryptTable4[v8 shr 24] xor (v4 - 52);

    v5 := decryptTable1[v11] xor
    decryptTable2[(v12 shr 8)] xor
    decryptTable3[(v13 shr 16) and $FF] xor
    decryptTable4[v10 shr 24] xor (v4 - 80);

    v6 := decryptTable1[v12] xor
    decryptTable2[(v13 shr 8)] xor
    decryptTable3[(v10 shr 16) and $FF] xor
    decryptTable4[v11 shr 24] xor (v4 - 76);

    v7 := decryptTable1[v13] xor
    decryptTable2[(v10 shr 8)] xor
    decryptTable3[(v11 shr 16) and $FF] xor
    decryptTable4[v12 shr 24] xor (v4 - 72);

    v8 := decryptTable1[v10] xor
    decryptTable2[(v11 shr 8)] xor
    decryptTable3[(v12 shr 16) and $FF] xor
    decryptTable4[v13 shr 24] xor (v4 - 68);

    v10 := decryptTable1[v6] xor
    decryptTable2[(v7 shr 8)] xor
    decryptTable3[(v8 shr 16) and $FF] xor
    decryptTable4[v5 shr 24] xor (v4 - 96);

    v11 := decryptTable1[v7] xor
    decryptTable2[(v8 shr 8)] xor
    decryptTable3[(v5 shr 16) and $FF] xor
    decryptTable4[v6 shr 24] xor (v4 - 92);

    v12 := decryptTable1[v8] xor
    decryptTable2[(v5 shr 8)] xor
    decryptTable3[(v6 shr 16) and $FF] xor
    decryptTable4[v7 shr 24] xor (v4 - 88);

    v13 := decryptTable1[v5] xor
    decryptTable2[(v6 shr 8)] xor
    decryptTable3[(v7 shr 16) and $FF] xor
    decryptTable4[v8 shr 24] xor (v4 - 84);

    v5 := decryptTable1[v11] xor
    decryptTable2[(v12 shr 8)] xor
    decryptTable3[(v13 shr 16) and $FF] xor
    decryptTable4[v10 shr 24] xor (v4 - 112);

    v6 := decryptTable1[v12] xor
    decryptTable2[(v13 shr 8)] xor
    decryptTable3[(v10 shr 16) and $FF] xor
    decryptTable4[v11 shr 24] xor (v4 - 108);

    v7 := decryptTable1[v13] xor
    decryptTable2[(v10 shr 8)] xor
    decryptTable3[(v11 shr 16) and $FF] xor
    decryptTable4[v12 shr 24] xor (v4 - 104);

    v8 := decryptTable1[v10] xor
    decryptTable2[(v11 shr 8)] xor
    decryptTable3[(v12 shr 16) and $FF] xor
    decryptTable4[v13 shr 24] xor (v4 - 100);

    v10 := decryptTable1[v6] xor
    decryptTable2[(v7 shr 8)] xor
    decryptTable3[(v8 shr 16) and $FF] xor
    decryptTable4[v5 shr 24] xor (v4 - 128);

    v11 := decryptTable1[v7] xor
    decryptTable2[(v8 shr 8)] xor
    decryptTable3[(v5 shr 16) and $FF] xor
    decryptTable4[v6 shr 24] xor (v4 - 124);

    v12 := decryptTable1[v8] xor
    decryptTable2[(v5 shr 8)] xor
    decryptTable3[(v6 shr 16) and $FF] xor
    decryptTable4[v7 shr 24] xor (v4 - 120);

    v13 := decryptTable1[v5] xor
    decryptTable2[(v6 shr 8)] xor
    decryptTable3[(v7 shr 16) and $FF] xor
    decryptTable4[v8 shr 24] xor (v4 - 116);


    // Last round: uses a second set of four tables that still carry the decompiler's data labels
    // and are not listed in the mapping comment above (offsets -144..-132).
    v5 := dword_1001A5B0[v11] xor
    dword_1001A1B0[(v12 shr 8)] xor
    dword_10019DB0[(v13 shr 16) and $FF] xor
    dword_100199B0[v10 shr 24] xor (v4 - 144);

    v6 := dword_1001A5B0[v12] xor
    dword_1001A1B0[(v13 shr 8)] xor
    dword_10019DB0[(v10 shr 16) and $FF] xor
    dword_100199B0[v11 shr 24] xor (v4 - 140);

    v7 := dword_1001A5B0[v13] xor
    dword_1001A1B0[(v10 shr 8)] xor
    dword_10019DB0[(v11 shr 16) and $FF] xor
    dword_100199B0[v12 shr 24] xor (v4 - 136);

    v8 := dword_1001A5B0[v10] xor
    dword_1001A1B0[(v11 shr 8)] xor
    dword_10019DB0[(v12 shr 16) and $FF] xor
    dword_100199B0[v13 shr 24] xor (v4 - 132);

    // Output stage: the four state words go to a2 .. a2 + 12.
    // NOTE(review): as written, "a2 := v5" overwrites the parameter and the next three lines are
    // not valid assignment targets; presumably these were stores through the a2 pointer - confirm.
    LABEL_12:
    a2 := v5;
    (a2 + 4) := v6;
    (a2 + 8) := v7;
    (a2 + 12) := v8;
    result:= 1;
    end;


    Если не ошибаюсь, массивы для расшифровки не меняются (так же, как и для пакетов):
    DecryptTable4 : array [0..1023] of byte = (
    $50,$A7,$F4,$51,$53,$65,$41,$7E,$C3,$A4,$17,$1A,$96,$5E,$27,$3A,
    $CB,$6B,$AB,$3B,$F1,$45,$9D,$1F,$AB,$58,$FA,$AC,$93,$03,$E3,$4B,

    DecryptTable3 : array [0..1023] of byte = (
    $A7,$F4,$51,$50,$65,$41,$7E,$53,$A4,$17,$1A,$C3,$5E,$27,$3A,$96,

    DecryptTable2 : array [0..1023] of byte = (
    $F4,$51,$50,$A7,$41,$7E,$53,$65,$17,$1A,$C3,$A4,$27,$3A,$96,$5E,

    DecryptTable1 : array [0..1023] of byte = (
    $51,$50,$A7,$F4,$7E,$53,$65,$41,$1A,$C3,$A4,$17,$3A,$96,$5E,$27,
    $3B,$CB,$6B,$AB,$1F,$F1,$45,$9D,$AC,$AB,$58,$FA,$4B,$93,$03,$E3,

    Полные массивы и функции в приложении


    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium
