  1. #1
    ADACH

    encrypted .CSV decryptor

    Как всем известно, некоторое время назад на русском сервере стали шифровать .csv-файлы.
    У меня дошли руки до поверхностного анализа данного изменения.

    Расшифровка вызывается внутри ф-и VFile::GetBuffer(int this):

    Внутри происходит инициализация и расшифровка блоками по 0x200 байт (последний блок может быть меньше).
    Code:
    /*
     * Decrypts `len` bytes in place at `data` (Hex-Rays output, 32-bit build).
     *
     * The key string is copied into a zeroed local context: at most its first
     * 16 bytes are used, and a shorter key stays zero-padded from the memset.
     * sub_1000AB70() is then called on that context (presumably the key setup;
     * its body is not shown here) and must return 0 for decryption to proceed.
     * The data is handled in chunks of up to 0x200 bytes: each chunk is copied
     * into a local buffer, passed to decryptBlock(), and the result is copied
     * back over the input.
     *
     * Returns 1 once every byte has been processed, 0 if sub_1000AB70() or
     * decryptBlock() reports failure.
     *
     * NOTE(review): `data` is declared const but is written through at the end
     * of the loop. `len` is never checked for being negative; the size test in
     * the loop is unsigned, so a negative value is treated as a large count.
     */
    char __cdecl decryptBuffer(const void *data, int len, char *decryptionKey)
    {
      unsigned int keylen; // eax@1
      int trash_1; // ecx@3
      int trash_2; // edx@3
      int trash_3; // eax@3
      int v7; // ebx@5
      const void *pDataPtr2; // [sp+Ch] [bp-86Ch]@1
      /* Src, v11, trash_6 and trash_7 occupy sp+10h..sp+20Fh: together they are
         one 0x200-byte input chunk buffer that the decompiler split into four
         variables. The clearing code and memcpy(&Src, ...) below rely on that
         stack layout, so this listing is not valid as stand-alone C. */
      char Src; // [sp+10h] [bp-868h]@1
      char v11; // [sp+11h] [bp-867h]@1
      __int16 trash_6; // [sp+20Dh] [bp-66Bh]@1
      char trash_7; // [sp+20Fh] [bp-669h]@1
      /* Output chunk buffer filled by decryptBlock(). */
      _BYTE tmpBlock[512]; // [sp+210h] [bp-668h]@1
      /* decryptionKey_dup is the first dword of a 0x45C-byte context (see the
         memset below). trash_0, trash_5 and trash_4 are its next three dwords,
         and v19 (sp+646h) lies inside the same region. */
      int decryptionKey_dup; // [sp+410h] [bp-468h]@1
      int trash_0; // [sp+414h] [bp-464h]@3
      int trash_5; // [sp+418h] [bp-460h]@3
      int trash_4; // [sp+41Ch] [bp-45Ch]@3
      int v19; // [sp+646h] [bp-232h]@8
      int trash_8; // [sp+874h] [bp-4h]@1
    
      /* Presumably the compiler's stack cookie being stored - confirm. */
      trash_8 = dword_1001D070;
      /* Zero the 0x200-byte input chunk buffer (Src .. trash_7). */
      Src = 0;
      memset(&v11, 0, 0x1FCu);
      trash_6 = 0;
      trash_7 = 0;
      /* Zero the 0x200-byte output chunk buffer. */
      tmpBlock[0] = 0;
      memset(&tmpBlock[1], 0, 0x1FCu);
      *(_WORD *)&tmpBlock[509] = 0;
      tmpBlock[511] = 0;
      pDataPtr2 = data;
      /* Zero the whole 0x45C-byte context before the key is copied in. */
      memset(&decryptionKey_dup, 0, 0x45Cu);
      /* The key is treated as a NUL-terminated string, so its usable length
         ends at the first zero byte. */
      keylen = strlen(decryptionKey);
      if ( keylen >= 0x10 )
      {
        /* 16 bytes or more: copy exactly the first four dwords, ignore the rest. */
        trash_1 = *((_DWORD *)decryptionKey + 1);
        trash_2 = *((_DWORD *)decryptionKey + 2);
        decryptionKey_dup = *(_DWORD *)decryptionKey;
        trash_3 = *((_DWORD *)decryptionKey + 3);
        trash_0 = trash_1;
        trash_5 = trash_2;
        trash_4 = trash_3;
      }
      else
      {
        /* Shorter key: copy what is there; the remaining bytes stay zero. */
        memcpy(&decryptionKey_dup, decryptionKey, keylen);
      }
      /* Proceed only if sub_1000AB70() returns 0 for the prepared context. */
      if ( !sub_1000AB70(&decryptionKey_dup) )
      {
        while ( 1 )
        {
          /* Bytes still to process: len minus the distance already advanced. */
          v7 = data - pDataPtr2 + len;
          if ( (unsigned int)v7 < 0x200 )
          {
            /* Nothing left: the whole buffer has been decrypted. */
            if ( !v7 )
              return 1;
          }
          else
          {
            /* Cap the chunk at the size of the local buffers. */
            v7 = 0x200u;
          }
          memcpy(&Src, pDataPtr2, v7);
          /* &v19 points into the context region; decryptBlock() returns
             non-zero on error. */
          if ( decryptBlock(&Src, v7, (char *)&v19, tmpBlock) )
            return 0;
          /* Overwrite the encrypted chunk with its decrypted form (the cast
             drops the const qualifier of the parameter). */
          memcpy((void *)pDataPtr2, tmpBlock, v7);
          pDataPtr2 = (char *)pDataPtr2 + v7;
        }
      }
      return 0;
    }[/syntax]
    
    Внутри еще одна обертка...
    /*
     * Argument-checking wrapper around internalDecryptBlock().
     *
     * Returns 0x1B004 when any pointer is NULL or blockSize is 0; otherwise
     * forwards the call, passing the address of the static table
     * dword_10016900 as the last argument, and returns 0. The value returned
     * by internalDecryptBlock() is not used.
     */
    unsigned int __stdcall decryptBlock(char *srcBlock, SIZE_T blockSize, char *unknownPtr, char *resultBlock)
    {
      /* Guard clause: every argument must be non-zero. */
      if ( !srcBlock || !blockSize || !unknownPtr || !resultBlock )
        return 0x1B004u;

      internalDecryptBlock((int *)unknownPtr, resultBlock, srcBlock, blockSize, (char *)&dword_10016900);
      return 0;
    }
    dword_10016900 data:


    и еще одна... в которой блок разбивается на части по 16 байт, и каждая часть передается ф-и расшифровки (остаток короче 16 байт вместо этого XOR-ится с таблицей pHashTable):
    Code:
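    /*
     * Decrypts pBlockSize bytes from srcBlock into resultBlock.
     *
     *   unknownPtr - key context handed unchanged to sub_10010AA7()
     *   resultBlock - destination, at least pBlockSize bytes
     *   srcBlock    - source, at least pBlockSize bytes
     *   pBlockSize  - number of bytes to process
     *   pHashTable  - static byte table used only for a trailing partial block
     *
     * Every complete 16-byte block goes through sub_10010AA7() on its own with
     * the same context; nothing from one block feeds into the next, so equal
     * input blocks give equal output blocks. A trailing run of 1..15 bytes is
     * not passed to sub_10010AA7() at all: it is XORed byte by byte with the
     * start of pHashTable, which does not depend on the key.
     *
     * The return value is whatever the decompiler found in eax (the advanced
     * source address, or the pointer returned by the last memcpy); the caller
     * shown in decryptBlock() ignores it.
     *
     * Changes from the raw decompiler listing: the 16-byte output of
     * sub_10010AA7() is declared as a 16-byte array instead of a single char,
     * and the byte counter is kept unsigned so the tail copy can never exceed
     * the 16-byte scratch buffer.
     *
     * NOTE(review): the return value of sub_10010AA7() is not checked; when it
     * returns 0 it has written nothing, and plainBlock is copied out as is.
     */
    SIZE_T __cdecl internalDecryptBlock(int *unknownPtr, void *resultBlock, void *srcBlock, SIZE_T pBlockSize, char *pHashTable)
    {
      SIZE_T result = pBlockSize;
      SIZE_T remaining = pBlockSize;
      SIZE_T i;
      char plainBlock[16];
      char tmpBuff[16];

      /* Complete 16-byte blocks. */
      while ( remaining >= 16 )
      {
        memcpy(tmpBuff, srcBlock, 16u);
        sub_10010AA7((int)tmpBuff, (int)plainBlock, (int)unknownPtr);
        memcpy(resultBlock, plainBlock, 16u);
        remaining -= 16;
        srcBlock = (char *)srcBlock + 16;
        resultBlock = (char *)resultBlock + 16;
        result = (SIZE_T)srcBlock;
      }

      /* Trailing partial block (1..15 bytes): plain XOR with the table. */
      if ( remaining )
      {
        memcpy(tmpBuff, srcBlock, remaining);
        for ( i = 0; i < remaining; ++i )
          tmpBuff[i] ^= pHashTable[i];
        result = (SIZE_T)memcpy(resultBlock, tmpBuff, remaining);
      }
      return result;
    }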
    Собственно ф-я расшифровки:
    Code:
    /*
     * Transforms one 16-byte block (Hex-Rays output, 32-bit build: all three
     * arguments are addresses passed as int).
     *
     *   a1 - address of the 16-byte input block, read as four dwords
     *   a2 - address that receives the 16-byte result
     *   a3 - address of the key context; the code reads 16-byte round keys
     *        from offset 256 upwards, the round count at offset 516 and a
     *        flag byte at offset 520
     *
     * Returns 0 without writing to a2 when bit 0x02 of the flag byte is clear,
     * otherwise 1. If the round count is not 10, 12 or 14 the input is only
     * XORed with the first round key and stored.
     *
     * NOTE(review): round counts of 10/12/14, 16-byte round keys, four lookup
     * tables whose addresses are 0x400 bytes apart (256 dwords each) and a
     * separate table set for the last round are consistent with a table-driven
     * AES (Rijndael) block decryption. Confirm by comparing the table contents
     * with the published AES inverse tables.
     */
    signed __int16 __cdecl sub_10010AA7(int a1, int a2, int a3)
    {
      int v4; // ST08_4@9
      int v5; // ST0C_4@9
      int v6; // ST10_4@9
      int v7; // ST14_4@9
      int v8; // ST08_4@10
      int v9; // ST0C_4@10
      int v10; // ST10_4@10
      int v11; // ST14_4@10
      int v12; // ST08_4@11
      int v13; // ST0C_4@11
      int v14; // ST10_4@11
      int v15; // ST14_4@11
      int v16; // ST18_4@11
      int v17; // ST1C_4@11
      int v18; // ST20_4@11
      int v19; // ST24_4@11
      int v20; // ST08_4@11
      int v21; // ST0C_4@11
      int v22; // ST10_4@11
      int v23; // ST14_4@11
      int v24; // ST18_4@11
      int v25; // ST1C_4@11
      int v26; // ST20_4@11
      int v27; // ST24_4@11
      int v28; // ST08_4@11
      int v29; // ST0C_4@11
      int v30; // ST10_4@11
      int v31; // ST14_4@11
      int v32; // ST18_4@11
      int v33; // ST1C_4@11
      int v34; // ST20_4@11
      int v35; // ST24_4@11
      int v36; // ST08_4@11
      int v37; // ST0C_4@11
      int v38; // ST10_4@11
      int v39; // ST14_4@11
      int v40; // ST18_4@11
      int v41; // ST1C_4@11
      int v42; // ST20_4@11
      int v43; // ST24_4@11
      int v44; // ST08_4@11
      int v45; // ST0C_4@11
      int v46; // ST10_4@11
      int v47; // ST14_4@11
      int v48; // [sp+0h] [bp-28h]@5
      int v49; // [sp+14h] [bp-14h]@5
      int v50; // [sp+18h] [bp-10h]@5
      int v51; // [sp+1Ch] [bp-Ch]@5
      int v52; // [sp+20h] [bp-8h]@5
      int v53; // [sp+24h] [bp-4h]@1
    
      /* Address of the round key used first: 16 bytes per round, counted from
         offset 256, indexed by the round count stored at offset 516. */
      v53 = a3 + 16 * *(_DWORD *)(a3 + 516) + 256;
      /* Bit 0x02 of the flag byte must be set, otherwise nothing is done. */
      if ( !(*(_BYTE *)(a3 + 520) & 2) )
        return 0;
      /* Same test as above, so this branch cannot be reached after the early
         return; the decompiler listing is kept as is. */
      if ( !(*(_BYTE *)(a3 + 520) & 2) )
      {
        sub_1000B700(a3);
        *(_BYTE *)(a3 + 520) ^= 3u;
      }
      /* Initial step: XOR the four input dwords with the first round key. */
      v49 = *(_DWORD *)v53 ^ *(_DWORD *)a1;
      v50 = *(_DWORD *)(v53 + 4) ^ *(_DWORD *)(a1 + 4);
      v51 = *(_DWORD *)(v53 + 8) ^ *(_DWORD *)(a1 + 8);
      v52 = *(_DWORD *)(v53 + 12) ^ *(_DWORD *)(a1 + 12);
      /* Dispatch on the round count: 14 runs every group below, 12 skips the
         first group, 10 skips the first two, anything else jumps to the store. */
      v48 = *(_DWORD *)(a3 + 516);
      if ( v48 != 10 )
      {
        if ( v48 != 12 )
        {
          if ( v48 != 14 )
            goto LABEL_12;
          /* Two extra rounds for a round count of 14 (round keys at offsets
             464 and 448). Each output dword combines one byte of each state
             dword through the four tables and XORs in a round-key dword. */
          v4 = dword_100195B0[(unsigned __int8)v50] ^ dword_100191B0[(unsigned __int16)((_WORD)v51 >> 8)] ^ dword_10018DB0[((unsigned int)v52 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v49 >> 24] ^ *(_DWORD *)(a3 + 464);
          v5 = dword_100195B0[(unsigned __int8)v51] ^ dword_100191B0[(unsigned __int16)((_WORD)v52 >> 8)] ^ dword_10018DB0[((unsigned int)v49 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v50 >> 24] ^ *(_DWORD *)(a3 + 468);
          v6 = dword_100195B0[(unsigned __int8)v52] ^ dword_100191B0[(unsigned __int16)((_WORD)v49 >> 8)] ^ dword_10018DB0[((unsigned int)v50 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v51 >> 24] ^ *(_DWORD *)(a3 + 472);
          v7 = dword_100195B0[(unsigned __int8)v49] ^ dword_100191B0[(unsigned __int16)((_WORD)v50 >> 8)] ^ dword_10018DB0[((unsigned int)v51 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v52 >> 24] ^ *(_DWORD *)(a3 + 476);
          v49 = dword_100195B0[(unsigned __int8)v5] ^ dword_100191B0[(unsigned __int16)((_WORD)v6 >> 8)] ^ dword_10018DB0[((unsigned int)v7 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v4 >> 24] ^ *(_DWORD *)(a3 + 448);
          v50 = dword_100195B0[(unsigned __int8)v6] ^ dword_100191B0[(unsigned __int16)((_WORD)v7 >> 8)] ^ dword_10018DB0[((unsigned int)v4 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v5 >> 24] ^ *(_DWORD *)(a3 + 452);
          v51 = dword_100195B0[(unsigned __int8)v7] ^ dword_100191B0[(unsigned __int16)((_WORD)v4 >> 8)] ^ dword_10018DB0[((unsigned int)v5 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v6 >> 24] ^ *(_DWORD *)(a3 + 456);
          v52 = dword_100195B0[(unsigned __int8)v4] ^ dword_100191B0[(unsigned __int16)((_WORD)v5 >> 8)] ^ dword_10018DB0[((unsigned int)v6 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v7 >> 24] ^ *(_DWORD *)(a3 + 460);
        }
        /* Two rounds run for round counts of 12 and 14 (round keys at offsets
           432 and 416). */
        v8 = dword_100195B0[(unsigned __int8)v50] ^ dword_100191B0[(unsigned __int16)((_WORD)v51 >> 8)] ^ dword_10018DB0[((unsigned int)v52 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v49 >> 24] ^ *(_DWORD *)(a3 + 432);
        v9 = dword_100195B0[(unsigned __int8)v51] ^ dword_100191B0[(unsigned __int16)((_WORD)v52 >> 8)] ^ dword_10018DB0[((unsigned int)v49 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v50 >> 24] ^ *(_DWORD *)(a3 + 436);
        v10 = dword_100195B0[(unsigned __int8)v52] ^ dword_100191B0[(unsigned __int16)((_WORD)v49 >> 8)] ^ dword_10018DB0[((unsigned int)v50 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v51 >> 24] ^ *(_DWORD *)(a3 + 440);
        v11 = dword_100195B0[(unsigned __int8)v49] ^ dword_100191B0[(unsigned __int16)((_WORD)v50 >> 8)] ^ dword_10018DB0[((unsigned int)v51 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v52 >> 24] ^ *(_DWORD *)(a3 + 444);
        v49 = dword_100195B0[(unsigned __int8)v9] ^ dword_100191B0[(unsigned __int16)((_WORD)v10 >> 8)] ^ dword_10018DB0[((unsigned int)v11 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v8 >> 24] ^ *(_DWORD *)(a3 + 416);
        v50 = dword_100195B0[(unsigned __int8)v10] ^ dword_100191B0[(unsigned __int16)((_WORD)v11 >> 8)] ^ dword_10018DB0[((unsigned int)v8 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v9 >> 24] ^ *(_DWORD *)(a3 + 420);
        v51 = dword_100195B0[(unsigned __int8)v11] ^ dword_100191B0[(unsigned __int16)((_WORD)v8 >> 8)] ^ dword_10018DB0[((unsigned int)v9 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v10 >> 24] ^ *(_DWORD *)(a3 + 424);
        v52 = dword_100195B0[(unsigned __int8)v8] ^ dword_100191B0[(unsigned __int16)((_WORD)v9 >> 8)] ^ dword_10018DB0[((unsigned int)v10 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v11 >> 24] ^ *(_DWORD *)(a3 + 428);
      }
      /* Nine rounds common to all three round counts, unrolled; the round-key
         offset drops by 16 each round, from 400 down to 272. */
      v12 = dword_100195B0[(unsigned __int8)v50] ^ dword_100191B0[(unsigned __int16)((_WORD)v51 >> 8)] ^ dword_10018DB0[((unsigned int)v52 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v49 >> 24] ^ *(_DWORD *)(a3 + 400);
      v13 = dword_100195B0[(unsigned __int8)v51] ^ dword_100191B0[(unsigned __int16)((_WORD)v52 >> 8)] ^ dword_10018DB0[((unsigned int)v49 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v50 >> 24] ^ *(_DWORD *)(a3 + 404);
      v14 = dword_100195B0[(unsigned __int8)v52] ^ dword_100191B0[(unsigned __int16)((_WORD)v49 >> 8)] ^ dword_10018DB0[((unsigned int)v50 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v51 >> 24] ^ *(_DWORD *)(a3 + 408);
      v15 = dword_100195B0[(unsigned __int8)v49] ^ dword_100191B0[(unsigned __int16)((_WORD)v50 >> 8)] ^ dword_10018DB0[((unsigned int)v51 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v52 >> 24] ^ *(_DWORD *)(a3 + 412);
      v16 = dword_100195B0[(unsigned __int8)v13] ^ dword_100191B0[(unsigned __int16)((_WORD)v14 >> 8)] ^ dword_10018DB0[((unsigned int)v15 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v12 >> 24] ^ *(_DWORD *)(a3 + 384);
      v17 = dword_100195B0[(unsigned __int8)v14] ^ dword_100191B0[(unsigned __int16)((_WORD)v15 >> 8)] ^ dword_10018DB0[((unsigned int)v12 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v13 >> 24] ^ *(_DWORD *)(a3 + 388);
      v18 = dword_100195B0[(unsigned __int8)v15] ^ dword_100191B0[(unsigned __int16)((_WORD)v12 >> 8)] ^ dword_10018DB0[((unsigned int)v13 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v14 >> 24] ^ *(_DWORD *)(a3 + 392);
      v19 = dword_100195B0[(unsigned __int8)v12] ^ dword_100191B0[(unsigned __int16)((_WORD)v13 >> 8)] ^ dword_10018DB0[((unsigned int)v14 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v15 >> 24] ^ *(_DWORD *)(a3 + 396);
      v20 = dword_100195B0[(unsigned __int8)v17] ^ dword_100191B0[(unsigned __int16)((_WORD)v18 >> 8)] ^ dword_10018DB0[((unsigned int)v19 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v16 >> 24] ^ *(_DWORD *)(a3 + 368);
      v21 = dword_100195B0[(unsigned __int8)v18] ^ dword_100191B0[(unsigned __int16)((_WORD)v19 >> 8)] ^ dword_10018DB0[((unsigned int)v16 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v17 >> 24] ^ *(_DWORD *)(a3 + 372);
      v22 = dword_100195B0[(unsigned __int8)v19] ^ dword_100191B0[(unsigned __int16)((_WORD)v16 >> 8)] ^ dword_10018DB0[((unsigned int)v17 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v18 >> 24] ^ *(_DWORD *)(a3 + 376);
      v23 = dword_100195B0[(unsigned __int8)v16] ^ dword_100191B0[(unsigned __int16)((_WORD)v17 >> 8)] ^ dword_10018DB0[((unsigned int)v18 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v19 >> 24] ^ *(_DWORD *)(a3 + 380);
      v24 = dword_100195B0[(unsigned __int8)v21] ^ dword_100191B0[(unsigned __int16)((_WORD)v22 >> 8)] ^ dword_10018DB0[((unsigned int)v23 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v20 >> 24] ^ *(_DWORD *)(a3 + 352);
      v25 = dword_100195B0[(unsigned __int8)v22] ^ dword_100191B0[(unsigned __int16)((_WORD)v23 >> 8)] ^ dword_10018DB0[((unsigned int)v20 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v21 >> 24] ^ *(_DWORD *)(a3 + 356);
      v26 = dword_100195B0[(unsigned __int8)v23] ^ dword_100191B0[(unsigned __int16)((_WORD)v20 >> 8)] ^ dword_10018DB0[((unsigned int)v21 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v22 >> 24] ^ *(_DWORD *)(a3 + 360);
      v27 = dword_100195B0[(unsigned __int8)v20] ^ dword_100191B0[(unsigned __int16)((_WORD)v21 >> 8)] ^ dword_10018DB0[((unsigned int)v22 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v23 >> 24] ^ *(_DWORD *)(a3 + 364);
      v28 = dword_100195B0[(unsigned __int8)v25] ^ dword_100191B0[(unsigned __int16)((_WORD)v26 >> 8)] ^ dword_10018DB0[((unsigned int)v27 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v24 >> 24] ^ *(_DWORD *)(a3 + 336);
      v29 = dword_100195B0[(unsigned __int8)v26] ^ dword_100191B0[(unsigned __int16)((_WORD)v27 >> 8)] ^ dword_10018DB0[((unsigned int)v24 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v25 >> 24] ^ *(_DWORD *)(a3 + 340);
      v30 = dword_100195B0[(unsigned __int8)v27] ^ dword_100191B0[(unsigned __int16)((_WORD)v24 >> 8)] ^ dword_10018DB0[((unsigned int)v25 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v26 >> 24] ^ *(_DWORD *)(a3 + 344);
      v31 = dword_100195B0[(unsigned __int8)v24] ^ dword_100191B0[(unsigned __int16)((_WORD)v25 >> 8)] ^ dword_10018DB0[((unsigned int)v26 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v27 >> 24] ^ *(_DWORD *)(a3 + 348);
      v32 = dword_100195B0[(unsigned __int8)v29] ^ dword_100191B0[(unsigned __int16)((_WORD)v30 >> 8)] ^ dword_10018DB0[((unsigned int)v31 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v28 >> 24] ^ *(_DWORD *)(a3 + 320);
      v33 = dword_100195B0[(unsigned __int8)v30] ^ dword_100191B0[(unsigned __int16)((_WORD)v31 >> 8)] ^ dword_10018DB0[((unsigned int)v28 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v29 >> 24] ^ *(_DWORD *)(a3 + 324);
      v34 = dword_100195B0[(unsigned __int8)v31] ^ dword_100191B0[(unsigned __int16)((_WORD)v28 >> 8)] ^ dword_10018DB0[((unsigned int)v29 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v30 >> 24] ^ *(_DWORD *)(a3 + 328);
      v35 = dword_100195B0[(unsigned __int8)v28] ^ dword_100191B0[(unsigned __int16)((_WORD)v29 >> 8)] ^ dword_10018DB0[((unsigned int)v30 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v31 >> 24] ^ *(_DWORD *)(a3 + 332);
      v36 = dword_100195B0[(unsigned __int8)v33] ^ dword_100191B0[(unsigned __int16)((_WORD)v34 >> 8)] ^ dword_10018DB0[((unsigned int)v35 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v32 >> 24] ^ *(_DWORD *)(a3 + 304);
      v37 = dword_100195B0[(unsigned __int8)v34] ^ dword_100191B0[(unsigned __int16)((_WORD)v35 >> 8)] ^ dword_10018DB0[((unsigned int)v32 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v33 >> 24] ^ *(_DWORD *)(a3 + 308);
      v38 = dword_100195B0[(unsigned __int8)v35] ^ dword_100191B0[(unsigned __int16)((_WORD)v32 >> 8)] ^ dword_10018DB0[((unsigned int)v33 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v34 >> 24] ^ *(_DWORD *)(a3 + 312);
      v39 = dword_100195B0[(unsigned __int8)v32] ^ dword_100191B0[(unsigned __int16)((_WORD)v33 >> 8)] ^ dword_10018DB0[((unsigned int)v34 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v35 >> 24] ^ *(_DWORD *)(a3 + 316);
      v40 = dword_100195B0[(unsigned __int8)v37] ^ dword_100191B0[(unsigned __int16)((_WORD)v38 >> 8)] ^ dword_10018DB0[((unsigned int)v39 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v36 >> 24] ^ *(_DWORD *)(a3 + 288);
      v41 = dword_100195B0[(unsigned __int8)v38] ^ dword_100191B0[(unsigned __int16)((_WORD)v39 >> 8)] ^ dword_10018DB0[((unsigned int)v36 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v37 >> 24] ^ *(_DWORD *)(a3 + 292);
      v42 = dword_100195B0[(unsigned __int8)v39] ^ dword_100191B0[(unsigned __int16)((_WORD)v36 >> 8)] ^ dword_10018DB0[((unsigned int)v37 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v38 >> 24] ^ *(_DWORD *)(a3 + 296);
      v43 = dword_100195B0[(unsigned __int8)v36] ^ dword_100191B0[(unsigned __int16)((_WORD)v37 >> 8)] ^ dword_10018DB0[((unsigned int)v38 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v39 >> 24] ^ *(_DWORD *)(a3 + 300);
      v44 = dword_100195B0[(unsigned __int8)v41] ^ dword_100191B0[(unsigned __int16)((_WORD)v42 >> 8)] ^ dword_10018DB0[((unsigned int)v43 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v40 >> 24] ^ *(_DWORD *)(a3 + 272);
      v45 = dword_100195B0[(unsigned __int8)v42] ^ dword_100191B0[(unsigned __int16)((_WORD)v43 >> 8)] ^ dword_10018DB0[((unsigned int)v40 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v41 >> 24] ^ *(_DWORD *)(a3 + 276);
      v46 = dword_100195B0[(unsigned __int8)v43] ^ dword_100191B0[(unsigned __int16)((_WORD)v40 >> 8)] ^ dword_10018DB0[((unsigned int)v41 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v42 >> 24] ^ *(_DWORD *)(a3 + 280);
      v47 = dword_100195B0[(unsigned __int8)v40] ^ dword_100191B0[(unsigned __int16)((_WORD)v41 >> 8)] ^ dword_10018DB0[((unsigned int)v42 >> 16) & 0xFF] ^ dword_100189B0[(unsigned int)v43 >> 24] ^ *(_DWORD *)(a3 + 284);
      /* Last round: same indexing pattern, but a different set of four tables
         and the round key at offset 256. */
      v49 = dword_1001A5B0[(unsigned __int8)v45] ^ dword_1001A1B0[(unsigned __int16)((_WORD)v46 >> 8)] ^ dword_10019DB0[((unsigned int)v47 >> 16) & 0xFF] ^ dword_100199B0[(unsigned int)v44 >> 24] ^ *(_DWORD *)(a3 + 256);
      v50 = dword_1001A5B0[(unsigned __int8)v46] ^ dword_1001A1B0[(unsigned __int16)((_WORD)v47 >> 8)] ^ dword_10019DB0[((unsigned int)v44 >> 16) & 0xFF] ^ dword_100199B0[(unsigned int)v45 >> 24] ^ *(_DWORD *)(a3 + 260);
      v51 = dword_1001A5B0[(unsigned __int8)v47] ^ dword_1001A1B0[(unsigned __int16)((_WORD)v44 >> 8)] ^ dword_10019DB0[((unsigned int)v45 >> 16) & 0xFF] ^ dword_100199B0[(unsigned int)v46 >> 24] ^ *(_DWORD *)(a3 + 264);
      v52 = dword_1001A5B0[(unsigned __int8)v44] ^ dword_1001A1B0[(unsigned __int16)((_WORD)v45 >> 8)] ^ dword_10019DB0[((unsigned int)v46 >> 16) & 0xFF] ^ dword_100199B0[(unsigned int)v47 >> 24] ^ *(_DWORD *)(a3 + 268);
    LABEL_12:
      /* Store the four state dwords as the 16-byte result. */
      *(_DWORD *)a2 = v49;
      *(_DWORD *)(a2 + 4) = v50;
      *(_DWORD *)(a2 + 8) = v51;
      *(_DWORD *)(a2 + 12) = v52;
      return 1;
    }
    Из-за недостатка времени алгоритм полностью не разбирал, а ограничился вызовом ф-и decryptBuffer (что для POC вполне допустимо).
    P.S. Всем, кто знает, какой алгоритм применялся, просьба сообщить мне тут или в личку.




