-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdecryptString.cpp
137 lines (118 loc) · 4.04 KB
/
decryptString.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
// Reverse a decryptFunction.cpp : This file contains the 'main' function. Program execution begins and ends there.
//
#include <stdio.h>
#include <Windows.h>
#include <stdint.h>
char* DecryptString(int a1)
{
int i; // edx
int v2; // eax
char v4[76]; // [esp+10h] [ebp-4Ch] BYREF
static uint8_t key[64] = {
0x5F, 0x42, 0x71, 0x77, 0x48, 0x61, 0x46, 0x38, 0x54, 0x6B, 0x4B, 0x44, 0x4D, 0x66, 0x4F, 0x7A,
0x51, 0x41, 0x53, 0x78, 0x34, 0x56, 0x75, 0x58, 0x64, 0x5A, 0x69, 0x62, 0x55, 0x49, 0x65, 0x79,
0x6C, 0x4A, 0x57, 0x68, 0x6A, 0x30, 0x6D, 0x35, 0x6F, 0x32, 0x45, 0x72, 0x4C, 0x74, 0x36, 0x76,
0x47, 0x52, 0x4E, 0x39, 0x73, 0x59, 0x31, 0x6E, 0x33, 0x50, 0x70, 0x63, 0x37, 0x67, 0x2D, 0x43 };
memcpy(v4, key, 64);
static char output[250];
memcpy(output, (char*)a1, strlen((char*)a1));
for (i = (int)&output; *(BYTE*)i; ++i)
{
v2 = 0;
while (*(BYTE*)i != v4[v2])
{
if (++v2 == 64)
goto LABEL_7;
}
*(BYTE*)i = v4[(v2 + 6) & 0x3F];
LABEL_7:
printf("test1\n");
}
return output;
}
char* DecryptString(char* encryptedStr)
{
static uint8_t key[64] = {
0x5F, 0x42, 0x71, 0x77, 0x48, 0x61, 0x46, 0x38, 0x54, 0x6B, 0x4B, 0x44, 0x4D, 0x66, 0x4F, 0x7A,
0x51, 0x41, 0x53, 0x78, 0x34, 0x56, 0x75, 0x58, 0x64, 0x5A, 0x69, 0x62, 0x55, 0x49, 0x65, 0x79,
0x6C, 0x4A, 0x57, 0x68, 0x6A, 0x30, 0x6D, 0x35, 0x6F, 0x32, 0x45, 0x72, 0x4C, 0x74, 0x36, 0x76,
0x47, 0x52, 0x4E, 0x39, 0x73, 0x59, 0x31, 0x6E, 0x33, 0x50, 0x70, 0x63, 0x37, 0x67, 0x2D, 0x43 };
static uint8_t output[250];
memcpy(output, encryptedStr, strlen(encryptedStr));
for (int i = 0; i < strlen(encryptedStr); i++) {
if (output[i] == '\0')
break;
for (int j = 0; j < 64; j++) {
if (output[i] == key[j]) {
output[i] = key[(j + 6) & 0x3F];
break;
}
}
}
return (char*)output;
}
int __cdecl strchr(unsigned __int8 a1, char* pStr)
{
int i; // eax
bool isStrNull; // zf
char v4; // cl
i = 0;
isStrNull = pStr == 0;
while (!isStrNull)
{
v4 = pStr[i];
if (!v4)
return -1;
isStrNull = v4 == (char)a1;
++i;
}
return i;
}
unsigned int __cdecl sub_4129FB(char* in, char a2, int inputSize, char* output, unsigned int outputSize)
{
int v6; // ebp
int v7; // eax
int i; // ecx
unsigned int j; // ecx
int v10; // [esp+10h] [ebp-14h]
if (!in)
return -1;
v6 = 0;
memset(output, 0, outputSize);
v7 = strchr(a2, in); // the first occurrence of the character
for (i = 0; i < inputSize - 1; i = v10 + 1)
{
v10 = i;
if (v7 == -1)
return -1;
v6 += v7;
v7 = strchr(a2, &in[v6]);
}
printf("v6 = %d, v7 = %d\n", v6, v7);
int ccc = 0;
for (j = 0; v6 + v7 - 1 > j + v6 && j < outputSize; ++j) {
output[j] = in[v6 + j];
}
output[j] = '\0';
return j;
}
int main() {
char in[] = "C:/Users/DFIR/Desktop/folder1/folder2/folderOIP/folderk/folder6/uik.exe";
char output[150];
sub_4129FB(in, '/', 1, output, sizeof(in));
printf("in = %s\n", in);
printf("ouput = %s\n", output);
uint8_t strBytes[] = {
0x25,0x36,0x5C,0x46,0x57,0x6B,0x34,0x69,0x69,0x43,0x5C,0x4D,0x64,0x43,0x46,0x57,
0x52,0x77,0x64,0x5A,0x5C,0x25,0x36,0x00,0x25,0x36,0x5C,0x36,0x34,0x6E,0x52,0x57
0x25,0x36,0x5C,0x46,0x57,0x6B,0x34,0x69,0x69,0x43,0x5C,0x5F,0x34,0x30,0x64,0x38,
0x57,0x66,0x5C,0x73,0x30,0x57,0x38,0x34,0x69,0x64,0x36,0x2E,0x34,0x52,0x34,0x00
0x25,0x36,0x5C,0x46,0x57,0x6B,0x34,0x69,0x69,0x43,0x5C,0x5F,0x34,0x30,0x64,0x38,
0x57,0x66,0x5C,0x25,0x36,0x00,0x4D,0x6F,0x7A,0x69,0x6C,0x6C,0x61,0x20,0x54,0x68
0x25,0x36,0x5C,0x36,0x34,0x6E,0x52,0x57,0x52,0x36,0x2E,0x36,0x37,0x69,0x34,0x35,
0x64,0x00,0x25,0x36,0x5C,0x69,0x57,0x6E,0x34,0x52,0x36,0x2E,0x65,0x36,0x57,0x52
};
char* str = DecryptString((char*)strBytes);
printf("str = %s\n", str);
return 0;
}