Опередил меня уважаемый камрад ADACH... Спасибо за готовый декриптор, а то я так и не набрался сил довести это дело до конца.
Алгоритм подобен шифрованию пакетов, там применяется схожая последовательность определения длины сообщения, выборка из таблиц определенных значений для декодирования и непосредственно расшифровка.
; Debugger excerpt of the call site. ECX is loaded from ESI before the call; the
; QAE part of the mangled name marks a public __thiscall member, so ECX is the
; object ("this") pointer.
003F3229 8BCE MOV ECX,ESI
; ?GetBuffer@VFile@@QAEPBDXZ demangles to VFile::GetBuffer(void) returning
; const char *; the call goes through a jump thunk into the FileSystem module.
003F322B E8 583E0000 CALL <JMP.&FileSystem.?GetBuffer@VFile@@ ; Jump to FileSystem.?GetBuffer@VFile@@QAEPBDXZ
; EAX (the returned buffer pointer) is pushed, presumably as an argument for a
; call that lies outside this excerpt.
003F3230 50 PUSH EAX
; ECX is reloaded from EDI, presumably the object pointer for that next call.
003F3231 8BCF MOV ECX,EDI
Для поклонников Паскаля (Delphi) — функция расшифровки (конвертирована в полуручном режиме, т. е. возможны ошибки):
//__int16 cdecl sub_10010AA7(integer a1, integer a2, integer a3)
// decrypt: processes one 16-byte block; a semi-manual Pascal transcription of the
// decompiled routine sub_10010AA7.
// Shape of the routine: the four input words are XORed with four words taken
// relative to a3, then pass through table-lookup rounds. The value at a3 + 516
// selects extra rounds (14 -> four extra, 12 -> two extra, 10 -> none) before the
// nine common rounds and a last round that uses a separate table set. That shape,
// and the table bytes quoted further down the page, look like a T-table AES block
// decryption - presumably; confirm against the binary.
//   a1 - address of the input block (used at +0, +4, +8, +12)
//   a2 - address of the output block (written at +0, +4, +8, +12)
//   a3 - address of the cipher context (offsets +256, +400, +516, +520 are used)
// Result: 1 once the output words are stored; see the note on result := 0 below.
// NOTE(review): this listing does not compile as Pascal. The decompiler's pointer
// dereferences and byte casts appear to have been dropped during conversion, and
// LABEL_12 has no label declaration. Treat it as annotated pseudocode.
function decrypt(a1,a2,a3: dword): dword;
var
v4 : dword; // [sp+24h] [bp-4h]@1
v5 : dword; // [sp+14h] [bp-14h]@5
v6 : dword; // [sp+18h] [bp-10h]@5
v7 : dword; // [sp+1Ch] [bp-Ch]@5
v8 : dword; // [sp+20h] [bp-8h]@5
v9 : dword; // [sp+0h] [bp-28h]@5
v10 : dword; // [sp+4h] [bp-24h]@9
v11 : dword; // [sp+8h] [bp-20h]@9
v12 : dword; // [sp+Ch] [bp-1Ch]@9
v13 : dword; // [sp+10h] [bp-18h]@9
// Mapping of the Pascal table names to the data symbols of the disassembly:
{
decryptTable1 - dword_100195B0
decryptTable2 - dword_100191B0
decryptTable3 - dword_10018DB0
decryptTable4 - dword_100189B0
}
begin
// NOTE(review): presumably the original read the dword stored at a3 + 516 here;
// as written the address expression itself is multiplied by 16.
v4 := a3 + 16 * (a3 + 516) + 256;
// NOTE(review): assigning result does not leave a Pascal function, so execution
// continues past this line; the decompiled code presumably returned 0 here.
// The condition is also textually identical to the next one - verify which flag
// bit of a3 + 520 each test was meant to check.
if ( not ( (a3 + 520) and 2) ) then
result:= 0;
if ( not ( (a3 + 520) and 2) ) then
begin
//sub_1000B700(a3);
subDecrypt(a3);
// NOTE(review): not valid Pascal; looks like a leftover of a C compound XOR of
// the flag word at a3 + 520 with 3 - confirm against the disassembly.
(a3 + 520):= mod xor 3u;
end;
// Initial whitening of the four block words.
// NOTE(review): these XOR the address expressions, not the dwords stored at
// them; the loads from v4 and a1 were presumably lost in conversion.
v5 := v4 xor a1;
v6 := (v4 + 4) xor (a1 + 4);
v7 := (v4 + 8) xor (a1 + 8);
v8 := (v4 + 12) xor (a1 + 12);
// v4 is re-based to a3 + 400; every later "xor (v4 +/- n)" is taken relative to it.
v4 := a3 + 400;
// v9 is compared with 10, 12 and 14 below (same dereference caveat as above).
v9 := a3 + 516;
if ( v9 <> 10 ) then
begin
if ( v9 <> 12 ) then
begin
if ( v9 <> 14 ) then
// Not 10, 12 or 14: every round is skipped and the whitened words are
// stored as the output (the author's note: data is not encrypted).
goto LABEL_12; // doesn't crypted
// Reached only when v9 = 14: two extra rounds (offsets v4+64..76, v4+48..60).
// NOTE(review): the tables hold 256 entries per the byte-sized "and $FF" index,
// yet the first index is a whole dword, the second "(x shr 8)" keeps 24 bits and
// "x shr 24" is the only other one-byte index. The byte masks were presumably
// lost; as written these reads go out of bounds. The same applies to every
// round below.
v10 := decryptTable1[v6] xor
decryptTable2[(v7 shr 8)] xor
decryptTable3[(v8 shr 16) and $FF]
xor decryptTable4[v5 shr 24] xor (v4 + 64);
v11 := decryptTable1[v7] xor
decryptTable2[(v8 shr 8)] xor
decryptTable3[(v5 shr 16) and $FF]
xor decryptTable4[v6 shr 24] xor (v4 + 68);
v12 := decryptTable1[v8] xor
decryptTable2[(v5 shr 8)] xor
decryptTable3[(v6 shr 16) and $FF]
xor decryptTable4[v7 shr 24] xor (v4 + 72);
v13 := decryptTable1[v5] xor
decryptTable2[(v6 shr 8)] xor
decryptTable3[(v7 shr 16) and $FF]
xor decryptTable4[v8 shr 24] xor (v4 + 76);
v5 := decryptTable1[v11] xor
decryptTable2[(v12 shr 8)] xor
decryptTable3[(v13 shr 16) and $FF] xor
decryptTable4[v10 shr 24] xor (v4 + 48);
v6 := decryptTable1[v12] xor
decryptTable2[(v13 shr 8)] xor
decryptTable3[(v10 shr 16) and $FF] xor
decryptTable4[v11 shr 24] xor (v4 + 52);
v7 := decryptTable1[v13] xor
decryptTable2[(v10 shr 8)] xor
decryptTable3[(v11 shr 16) and $FF] xor
decryptTable4[v12 shr 24] xor (v4 + 56);
v8 := decryptTable1[v10] xor
decryptTable2[(v11 shr 8)] xor
decryptTable3[(v12 shr 16) and $FF] xor
decryptTable4[v13 shr 24] xor (v4 + 60);
end;
// Reached when v9 is 12 or 14: two more rounds (offsets v4+32..44, v4+16..28).
v10 := decryptTable1[v6] xor
decryptTable2[(v7 shr 8)] xor
decryptTable3[(v8 shr 16) and $FF] xor
decryptTable4[v5 shr 24] xor (v4 + 32);
v11 := decryptTable1[v7] xor
decryptTable2[(v8 shr 8)] xor
decryptTable3[(v5 shr 16) and $FF] xor
decryptTable4[v6 shr 24] xor (v4 + 36);
v12 := decryptTable1[v8] xor
decryptTable2[(v5 shr 8)] xor
decryptTable3[(v6 shr 16) and $FF] xor
decryptTable4[v7 shr 24] xor (v4 + 40);
v13 := decryptTable1[v5] xor
decryptTable2[(v6 shr 8)] xor
decryptTable3[(v7 shr 16) and $FF] xor
decryptTable4[v8 shr 24] xor (v4 + 44);
v5 := decryptTable1[v11] xor
decryptTable2[(v12 shr 8)] xor
decryptTable3[(v13 shr 16) and $FF] xor
decryptTable4[v10 shr 24] xor (v4 + 16);
v6 := decryptTable1[v12] xor
decryptTable2[(v13 shr 8)] xor
decryptTable3[(v10 shr 16) and $FF] xor
decryptTable4[v11 shr 24] xor (v4 + 20);
v7 := decryptTable1[v13] xor
decryptTable2[(v10 shr 8)] xor
decryptTable3[(v11 shr 16) and $FF] xor
decryptTable4[v12 shr 24] xor (v4 + 24);
v8 := decryptTable1[v10] xor
decryptTable2[(v11 shr 8)] xor
decryptTable3[(v12 shr 16) and $FF] xor
decryptTable4[v13 shr 24] xor (v4 + 28);
end;
// Common part for 10, 12 and 14: nine rounds, the offset stepping down by 16
// from v4 to v4 - 128, alternating between v10..v13 and v5..v8 as the state.
v10 := decryptTable1[v6] xor
decryptTable2[(v7 shr 8)] xor
decryptTable3[(v8 shr 16) and $FF] xor
decryptTable4[v5 shr 24] xor v4;
v11 := decryptTable1[v7] xor
decryptTable2[(v8 shr 8)] xor
decryptTable3[(v5 shr 16) and $FF] xor
decryptTable4[v6 shr 24] xor (v4 + 4);
v12 := decryptTable1[v8] xor
decryptTable2[(v5 shr 8)] xor
decryptTable3[(v6 shr 16) and $FF] xor
decryptTable4[v7 shr 24] xor (v4 + 8);
v13 := decryptTable1[v5] xor
decryptTable2[(v6 shr 8)] xor
decryptTable3[(v7 shr 16) and $FF] xor
decryptTable4[v8 shr 24] xor (v4 + 12);
v5 := decryptTable1[v11] xor
decryptTable2[(v12 shr 8)] xor
decryptTable3[(v13 shr 16) and $FF] xor
decryptTable4[v10 shr 24] xor (v4 - 16);
v6 := decryptTable1[v12] xor
decryptTable2[(v13 shr 8)] xor
decryptTable3[(v10 shr 16) and $FF] xor
decryptTable4[v11 shr 24] xor (v4 - 12);
v7 := decryptTable1[v13] xor
decryptTable2[(v10 shr 8)] xor
decryptTable3[(v11 shr 16) and $FF] xor
decryptTable4[v12 shr 24] xor (v4 - 8);
v8 := decryptTable1[v10] xor
decryptTable2[(v11 shr 8)] xor
decryptTable3[(v12 shr 16) and $FF] xor
decryptTable4[v13 shr 24] xor (v4 - 4);
v10 := decryptTable1[v6] xor
decryptTable2[(v7 shr 8)] xor
decryptTable3[(v8 shr 16) and $FF] xor
decryptTable4[v5 shr 24] xor (v4 - 32);
v11 := decryptTable1[v7] xor
decryptTable2[(v8 shr 8)] xor
decryptTable3[(v5 shr 16) and $FF] xor
decryptTable4[v6 shr 24] xor (v4 - 28);
v12 := decryptTable1[v8] xor
decryptTable2[(v5 shr 8)] xor
decryptTable3[(v6 shr 16) and $FF] xor
decryptTable4[v7 shr 24] xor (v4 - 24);
v13 := decryptTable1[v5] xor
decryptTable2[(v6 shr 8)] xor
decryptTable3[(v7 shr 16) and $FF] xor
decryptTable4[v8 shr 24] xor (v4 - 20);
v5 := decryptTable1[v11] xor
decryptTable2[(v12 shr 8)] xor
decryptTable3[(v13 shr 16) and $FF] xor
decryptTable4[v10 shr 24] xor (v4 - 48);
v6 := decryptTable1[v12] xor
decryptTable2[(v13 shr 8)] xor
decryptTable3[(v10 shr 16) and $FF] xor
decryptTable4[v11 shr 24] xor (v4 - 44);
v7 := decryptTable1[v13] xor
decryptTable2[(v10 shr 8)] xor
decryptTable3[(v11 shr 16) and $FF] xor
decryptTable4[v12 shr 24] xor (v4 - 40);
v8 := decryptTable1[v10] xor
decryptTable2[(v11 shr 8)] xor
decryptTable3[(v12 shr 16) and $FF] xor
decryptTable4[v13 shr 24] xor (v4 - 36);
v10 := decryptTable1[v6] xor
decryptTable2[(v7 shr 8)] xor
decryptTable3[(v8 shr 16) and $FF] xor
decryptTable4[v5 shr 24] xor (v4 - 64);
v11 := decryptTable1[v7] xor
decryptTable2[(v8 shr 8)] xor
decryptTable3[(v5 shr 16) and $FF] xor
decryptTable4[v6 shr 24] xor (v4 - 60);
v12 := decryptTable1[v8] xor
decryptTable2[(v5 shr 8)] xor
decryptTable3[(v6 shr 16) and $FF] xor
decryptTable4[v7 shr 24] xor (v4 - 56);
v13 := decryptTable1[v5] xor
decryptTable2[(v6 shr 8)] xor
decryptTable3[(v7 shr 16) and $FF] xor
decryptTable4[v8 shr 24] xor (v4 - 52);
v5 := decryptTable1[v11] xor
decryptTable2[(v12 shr 8)] xor
decryptTable3[(v13 shr 16) and $FF] xor
decryptTable4[v10 shr 24] xor (v4 - 80);
v6 := decryptTable1[v12] xor
decryptTable2[(v13 shr 8)] xor
decryptTable3[(v10 shr 16) and $FF] xor
decryptTable4[v11 shr 24] xor (v4 - 76);
v7 := decryptTable1[v13] xor
decryptTable2[(v10 shr 8)] xor
decryptTable3[(v11 shr 16) and $FF] xor
decryptTable4[v12 shr 24] xor (v4 - 72);
v8 := decryptTable1[v10] xor
decryptTable2[(v11 shr 8)] xor
decryptTable3[(v12 shr 16) and $FF] xor
decryptTable4[v13 shr 24] xor (v4 - 68);
v10 := decryptTable1[v6] xor
decryptTable2[(v7 shr 8)] xor
decryptTable3[(v8 shr 16) and $FF] xor
decryptTable4[v5 shr 24] xor (v4 - 96);
v11 := decryptTable1[v7] xor
decryptTable2[(v8 shr 8)] xor
decryptTable3[(v5 shr 16) and $FF] xor
decryptTable4[v6 shr 24] xor (v4 - 92);
v12 := decryptTable1[v8] xor
decryptTable2[(v5 shr 8)] xor
decryptTable3[(v6 shr 16) and $FF] xor
decryptTable4[v7 shr 24] xor (v4 - 88);
v13 := decryptTable1[v5] xor
decryptTable2[(v6 shr 8)] xor
decryptTable3[(v7 shr 16) and $FF] xor
decryptTable4[v8 shr 24] xor (v4 - 84);
v5 := decryptTable1[v11] xor
decryptTable2[(v12 shr 8)] xor
decryptTable3[(v13 shr 16) and $FF] xor
decryptTable4[v10 shr 24] xor (v4 - 112);
v6 := decryptTable1[v12] xor
decryptTable2[(v13 shr 8)] xor
decryptTable3[(v10 shr 16) and $FF] xor
decryptTable4[v11 shr 24] xor (v4 - 108);
v7 := decryptTable1[v13] xor
decryptTable2[(v10 shr 8)] xor
decryptTable3[(v11 shr 16) and $FF] xor
decryptTable4[v12 shr 24] xor (v4 - 104);
v8 := decryptTable1[v10] xor
decryptTable2[(v11 shr 8)] xor
decryptTable3[(v12 shr 16) and $FF] xor
decryptTable4[v13 shr 24] xor (v4 - 100);
v10 := decryptTable1[v6] xor
decryptTable2[(v7 shr 8)] xor
decryptTable3[(v8 shr 16) and $FF] xor
decryptTable4[v5 shr 24] xor (v4 - 128);
v11 := decryptTable1[v7] xor
decryptTable2[(v8 shr 8)] xor
decryptTable3[(v5 shr 16) and $FF] xor
decryptTable4[v6 shr 24] xor (v4 - 124);
v12 := decryptTable1[v8] xor
decryptTable2[(v5 shr 8)] xor
decryptTable3[(v6 shr 16) and $FF] xor
decryptTable4[v7 shr 24] xor (v4 - 120);
v13 := decryptTable1[v5] xor
decryptTable2[(v6 shr 8)] xor
decryptTable3[(v7 shr 16) and $FF] xor
decryptTable4[v8 shr 24] xor (v4 - 116);
// Last round (offsets v4-144..v4-132) reads four other tables, still under
// their disassembly names. They are neither renamed nor declared on this page -
// presumably the final-round tables; take them from the binary.
v5 := dword_1001A5B0[v11] xor
dword_1001A1B0[(v12 shr 8)] xor
dword_10019DB0[(v13 shr 16) and $FF] xor
dword_100199B0[v10 shr 24] xor (v4 - 144);
v6 := dword_1001A5B0[v12] xor
dword_1001A1B0[(v13 shr 8)] xor
dword_10019DB0[(v10 shr 16) and $FF] xor
dword_100199B0[v11 shr 24] xor (v4 - 140);
v7 := dword_1001A5B0[v13] xor
dword_1001A1B0[(v10 shr 8)] xor
dword_10019DB0[(v11 shr 16) and $FF] xor
dword_100199B0[v12 shr 24] xor (v4 - 136);
v8 := dword_1001A5B0[v10] xor
dword_1001A1B0[(v11 shr 8)] xor
dword_10019DB0[(v12 shr 16) and $FF] xor
dword_100199B0[v13 shr 24] xor (v4 - 132);
LABEL_12:
// Store the four state words to the output block.
// NOTE(review): as written the first line overwrites the a2 parameter and the
// next three are not valid assignments; the original presumably stored through
// the pointer at a2, a2 + 4, a2 + 8 and a2 + 12.
a2 := v5;
(a2 + 4) := v6;
(a2 + 8) := v7;
(a2 + 12) := v8;
result:= 1;
end;
Если не ошибаюсь, то массивы для расшифровки не меняются (так же, как и для пакетов):
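// Excerpts only: each table shows just its first 16 or 32 of 1024 bytes and is
// left unclosed here; the complete arrays are in the post's attachment.
// Read as little-endian dwords, DecryptTable4 begins $51F4A750, $7E416553, ...,
// which appears to be the standard AES inverse-cipher lookup table. Tables 3, 2
// and 1 hold the same dwords rotated by one byte each. Public cipher constants
// like these are expected to stay fixed; the secret is the key schedule in the
// context passed to decrypt, not the tables.
// NOTE(review): decrypt indexes these tables with a one-byte index and XORs whole
// dwords, so the 1024 bytes must be read as 256 dword entries, not byte by byte.
// Fixed relative to the post: the first literal lacked its "$" (decimal 50 is not
// $50; the rotated tables confirm $50), and hex literals split by forum
// line-wrapping ("$9 3", "$5 E", "$2 7", "$3 A", "$4 B") were rejoined.
DecryptTable4 : array [0..1023] of byte = (
$50,$A7,$F4,$51,$53,$65,$41,$7E,$C3,$A4,$17,$1A,$96,$5E,$27,$3A,
$CB,$6B,$AB,$3B,$F1,$45,$9D,$1F,$AB,$58,$FA,$AC,$93,$03,$E3,$4B,
// ... remaining bytes not shown in the post ...
DecryptTable3 : array [0..1023] of byte = (
$A7,$F4,$51,$50,$65,$41,$7E,$53,$A4,$17,$1A,$C3,$5E,$27,$3A,$96,
// ... remaining bytes not shown in the post ...
DecryptTable2 : array [0..1023] of byte = (
$F4,$51,$50,$A7,$41,$7E,$53,$65,$17,$1A,$C3,$A4,$27,$3A,$96,$5E,
// ... remaining bytes not shown in the post ...
DecryptTable1 : array [0..1023] of byte = (
$51,$50,$A7,$F4,$7E,$53,$65,$41,$1A,$C3,$A4,$17,$3A,$96,$5E,$27,
$3B,$CB,$6B,$AB,$1F,$F1,$45,$9D,$AC,$AB,$58,$FA,$4B,$93,$03,$E3,
// ... remaining bytes not shown in the post ...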
Полные массивы и функции в приложении