Antonio Parata enkomio

proc data_section
S:
// Hardcode the initial state of the S array
byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
byte 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
byte 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F
byte 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x3E, 0x3F
byte 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F
byte 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F
byte 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F
// Entry point of the listing: pushes the four arguments for de_encrypt, then the
// argument count and the routine to invoke, executes `call`, and stops with `halt`.
// NOTE(review): buffer, buffer_length, key and key_length are not defined in this
// preview. Nothing visible here checks that each length matches the data it
// describes, so confirm that against the full listing.
proc main
push buffer /* push arguments */
push buffer_length
push key
push key_length
push 4 /* number of arguments */
push de_encrypt /* method to invoke */
// presumably `call` takes the target and the argument count from the top of the
// stack, going by the two comments above; verify against the VM's documentation
call
halt
endp
enkomio / AssemblyAlternativeLoader.fs
Last active July 11, 2020 12:07
An alternative method to load an Assembly
open System
open System.Reflection
open System.IO
/// Use the private method GetTypeByNameUsingCARules in order to load the Assembly. This method in turn uses the internal
/// method: private static extern void GetTypeByNameUsingCARules(string name, RuntimeModule scope, ObjectHandleOnStack type);
/// Note: private runtime methods are not a stable API, so this approach may break on other .NET runtime versions.
let loadAssembly(filename: String, className: String, methodName: String, methodArguments: Object array) =
let bindingFlags = BindingFlags.Static ||| BindingFlags.NonPublic ||| BindingFlags.Public ||| BindingFlags.Instance
let assemblyName = AssemblyName.GetAssemblyName(Path.GetFullPath(filename))
let fullName = String.Format("{0},{1}", className, assemblyName.FullName)
enkomio / qtlEIBBYuV.cs
Created February 27, 2018 07:51
compileMethod hook
[MethodImpl(MethodImplOptions.NoInlining)]
internal static uint qtlEIBBYuV(IntPtr \u0020, IntPtr a1, IntPtr \u0020, [MarshalAs(UnmanagedType.U4)] uint \u0020, IntPtr \u0020, ref uint \u0020)
{
// this is a pointer to the CORINFO_METHOD_INFO structure
IntPtr ptr = \u0020;
if (P9ZBIKXMsRMxLdTfcG.KOnEge1tX2)
{
ptr = a1;
}
long num;
enkomio / Ploutus.D_rebuilder.fs
Last active March 21, 2023 15:44
This code extracts the real MSIL bytecode of the malware sample and rebuilds a new assembly
open System
open System.Linq
open System.Reflection
open System.Runtime.CompilerServices
open System.Collections
open System.Collections.Generic
open System.Diagnostics
open Microsoft.Diagnostics.Runtime
open dnlib.DotNet
open dnlib.DotNet.Emit
enkomio / phquirk.py
Created May 13, 2017 19:16
Script to interact with hidden web shell
import httplib2
import binascii
import os
import base64
import sys
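# Require both positional arguments (<url> and <command>) before doing anything
# else; with fewer than three argv entries, print the usage line and stop.
if len(sys.argv) < 3:
    # Single-argument print(...) behaves identically under Python 2 and Python 3.
    print("Usage: {0} <url> <command>".format(sys.argv[0]))
    # sys.exit is always available; the bare exit() helper is injected by the
    # site module and is missing under `python -S` or in frozen builds.
    sys.exit(1)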
enkomio / rovnix_conn.py
Created August 25, 2015 16:53
Rovnix key generation and data encryption
from unicorn import *
from unicorn.x86_const import *
from capstone import *
import base64
import time
from collections import deque
encrypt_data_code = b"\x55\x8B\xEC\x83\xEC\x18\x8B\x50\x20\x53\x8B\x58\x28\x56\x8B\x70\x24\x57\x8B\xF9\x33\x5F\x08\x33\x17\x33\x77\x04\x33\x98\x38\x02\x00\x00\x33\x90\x30\x02\x00\x00\x33\xB0\x34\x02\x00\x00\x8B\x48\x2C\x33\x4F\x0C\x33\x88\x3C\x02\x00\x00\x8B\xF9\x0B\xCA\x33\xFE\x89\x4D\xFC\x8B\xCB\x33\xCE\x89\x7D\xF8\x89\x4D\xEC\x33\x4D\xFC\x8B\xFE\x33\xFA\x89\x4D\xF4\x8B\xCF\x23\x7D\xF8\x23\xCB\x8B\x5D\xF8\xF7\xD3\x0B\xCB\x8B\x5D\xEC\x0B\xDA\x33\xCB\x33\xF9\x33\x7D\xF4\x33\xFA\x8B\xDF\x0B\xD9\x23\x5D\xFC\x33\xDE\xC1\xC1\x0D\xC1\xC3\x03\x8B\xF3\x33\xF7\x33\xF1\x89\x4D\xF8\xD1\xC6\x8B\xD1\xC1\xE2\x03\x33\xD3\x33\x55\xF4\x8B\xCE\xC1\xE1\x07\x33\xCB\xC1\xC2\x07\x8B\xDE\x33\x5D\xF8\x33\x70\x34\x33\xCA\x33\xDA\x33\x50\x3C\xC1\xC1\x16\x33\x48\x38\xC1\xC3\x05\x33\x58\x30\x8B\xFB\x33\xFA\x89\x7D\xF0\x8B\xFE\x33\xFA\x89\x7D\xF4\x8B\xF9\xF7\xD7\x89\x7D\xFC\x8B\xFE\x89\x5D\xF8\x23\xFB\x33