Created
May 16, 2017 05:04
-
-
Save eugenekolo/fe229be2a4230cf8322bf5537e291812 to your computer and use it in GitHub Desktop.
WannaCry Ransomware Custom AES-128-CBC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
int __thiscall XRijndael(void *this, _DWORD *key, _BYTE *data, int keysize1, int keysize2) | |
{ | |
void *v5; // ebx@1 | |
int v6; // ecx@9 | |
_BYTE *v7; // eax@14 | |
int v8; // eax@14 | |
int v9; // eax@18 | |
signed int v10; // eax@19 | |
int v11; // edx@22 | |
int v12; // eax@22 | |
int v13; // ecx@22 | |
void *v14; // esi@23 | |
int v15; // edx@27 | |
void *v16; // esi@28 | |
int v17; // esi@32 | |
__int64 v18; // rax@32 | |
int v19; // edi@32 | |
signed int v20; // ebp@32 | |
_DWORD *v21; // eax@32 | |
signed int v22; // ebp@32 | |
_BYTE *v23; // eax@34 | |
unsigned __int16 v24; // dx@34 | |
int v25; // esi@35 | |
int v26; // eax@38 | |
_BYTE *v27; // edx@38 | |
_DWORD *v28; // eax@38 | |
_BYTE *v29; // ecx@41 | |
_DWORD *v30; // eax@43 | |
int v31; // ecx@43 | |
_DWORD *v32; // eax@46 | |
signed int v33; // ecx@46 | |
_DWORD *v34; // eax@48 | |
signed int v35; // ecx@48 | |
_DWORD *v36; // eax@48 | |
int *v37; // edi@51 | |
int v38; // ebp@53 | |
int v39; // ecx@53 | |
int v40; // edx@53 | |
char *v41; // eax@53 | |
bool v42; // sf@53 | |
unsigned __int8 v43; // of@53 | |
signed int v44; // edx@55 | |
int result; // eax@55 | |
int v46; // ebp@56 | |
_DWORD **v47; // esi@58 | |
int v48; // edi@58 | |
int v49; // edx@61 | |
signed int v50; // [sp+4h] [bp-10h]@32 | |
char v51; // [sp+8h] [bp-Ch]@2 | |
v5 = this; | |
if ( !key ) | |
{ | |
key = &unk_1000D8D8; | |
exception::exception(&v51, &key); | |
CxxThrowException(&v51, &unk_1000AF00); | |
} | |
if ( keysize1 != 16 && keysize1 != 24 && keysize1 != 32 ) | |
{ | |
key = &unk_1000D8D8; | |
exception::exception(&v51, &key); | |
CxxThrowException(&v51, &unk_1000AF00); | |
} | |
v6 = keysize2; | |
if ( keysize2 != 16 && keysize2 != 24 && keysize2 != 32 ) | |
{ | |
key = &unk_1000D8D8; | |
exception::exception(&v51, &key); | |
CxxThrowException(&v51, &unk_1000AF00); | |
} | |
*((_DWORD *)v5 + 242) = keysize1; | |
v7 = data; | |
*((_DWORD *)v5 + 243) = v6; | |
qmemcpy((char *)v5 + 976, v7, v6); | |
qmemcpy((char *)v5 + 1008, v7, *((_DWORD *)v5 + 243)); | |
v8 = *((_DWORD *)v5 + 242); | |
if ( v8 == 16 ) | |
{ | |
v9 = *((_DWORD *)v5 + 243); | |
if ( v9 == 16 ) | |
v10 = 10; | |
else | |
v10 = v9 != 24 ? 14 : 12; | |
*((_DWORD *)v5 + 260) = v10; | |
} | |
else if ( v8 == 24 ) | |
{ | |
*((_DWORD *)v5 + 260) = *((_DWORD *)v5 + 243) != 32 ? 12 : 14; | |
} | |
else | |
{ | |
*((_DWORD *)v5 + 260) = 14; | |
} | |
v11 = 0; | |
v12 = *((_DWORD *)v5 + 260); | |
v13 = *((_DWORD *)v5 + 243) / 4; | |
keysize1 = *((_DWORD *)v5 + 243) / 4; | |
if ( v12 >= 0 ) | |
{ | |
v14 = (char *)v5 + 8; | |
do | |
{ | |
if ( v13 > 0 ) | |
{ | |
memset(v14, 0, 4 * v13); | |
v13 = keysize1; | |
} | |
++v11; | |
v14 = (char *)v14 + 32; | |
} | |
while ( v11 <= *((_DWORD *)v5 + 260) ); | |
} | |
v15 = 0; | |
if ( *((_DWORD *)v5 + 260) >= 0 ) | |
{ | |
v16 = (char *)v5 + 488; | |
do | |
{ | |
if ( v13 > 0 ) | |
{ | |
memset(v16, 0, 4 * v13); | |
v13 = keysize1; | |
} | |
++v15; | |
v16 = (char *)v16 + 32; | |
} | |
while ( v15 <= *((_DWORD *)v5 + 260) ); | |
} | |
v17 = (int)v5 + 1044; | |
v18 = *((_DWORD *)v5 + 242); | |
v19 = v13 * (*((_DWORD *)v5 + 260) + 1); | |
keysize2 = v13 * (*((_DWORD *)v5 + 260) + 1); | |
v20 = (BYTE4(v18) & 3) + v18; | |
v21 = key; | |
v22 = v20 >> 2; | |
v50 = v22; | |
if ( v22 > 0 ) | |
{ | |
key = (_DWORD *)v22; | |
do | |
{ | |
v17 += 4; | |
*(_DWORD *)(v17 - 4) = *(_BYTE *)v21 << 24; | |
v23 = (char *)v21 + 1; | |
*(_DWORD *)(v17 - 4) |= *v23++ << 16; | |
LOBYTE(v24) = 0; | |
HIBYTE(v24) = *v23; | |
*(_DWORD *)(v17 - 4) |= v24; | |
*(_DWORD *)(v17 - 4) |= *++v23; | |
v21 = v23 + 1; | |
key = (_DWORD *)((char *)key - 1); | |
} | |
while ( key ); | |
} | |
v25 = 0; | |
if ( v22 <= 0 ) | |
{ | |
LABEL_39: | |
if ( v25 < v19 ) | |
{ | |
data = &unk_1000AC3C; | |
while ( 1 ) | |
{ | |
key = (_DWORD *)*((_DWORD *)v5 + v22 + 260); | |
v29 = data + 1; | |
*((_DWORD *)v5 + 261) ^= (unsigned __int8)byte_10007A3C[BYTE3(key)] ^ (((unsigned __int8)byte_10007A3C[(unsigned __int8)key] ^ (((unsigned __int8)byte_10007A3C[BYTE1(key)] ^ ((*data ^ byte_10007A3C[BYTE2(key)]) << 8)) << 8)) << 8); | |
data = v29; | |
if ( v22 == 8 ) | |
{ | |
v32 = (char *)v5 + 1048; | |
v33 = 3; | |
do | |
{ | |
*v32 ^= *(v32 - 1); | |
++v32; | |
--v33; | |
} | |
while ( v33 ); | |
v34 = (_DWORD *)*((_DWORD *)v5 + 264); | |
key = v34; | |
v35 = 3; | |
*((_DWORD *)v5 + 265) ^= (unsigned __int8)byte_10007A3C[(unsigned __int8)v34] ^ (((unsigned __int8)byte_10007A3C[BYTE1(v34)] ^ (((unsigned __int8)byte_10007A3C[BYTE2(v34)] ^ (byte_10007A3C[BYTE3(v34)] << 8)) << 8)) << 8); | |
v36 = (char *)v5 + 1064; | |
do | |
{ | |
*v36 ^= *(v36 - 1); | |
++v36; | |
--v35; | |
} | |
while ( v35 ); | |
} | |
else if ( v22 > 1 ) | |
{ | |
v30 = (char *)v5 + 1048; | |
v31 = v22 - 1; | |
do | |
{ | |
*v30 ^= *(v30 - 1); | |
++v30; | |
--v31; | |
} | |
while ( v31 ); | |
} | |
key = 0; | |
if ( v22 > 0 ) | |
break; | |
LABEL_54: | |
v13 = keysize1; | |
if ( v25 >= keysize2 ) | |
goto LABEL_55; | |
} | |
v37 = (int *)((char *)v5 + 1044); | |
while ( 1 ) | |
{ | |
v13 = keysize1; | |
if ( v25 >= keysize2 ) | |
break; | |
v38 = *v37; | |
++v37; | |
v39 = v25 / keysize1; | |
v40 = v25 % keysize1; | |
*((_DWORD *)v5 + v25 % keysize1 + 8 * v39 + 2) = v38; | |
v22 = v50; | |
v41 = (char *)key + 1; | |
++v25; | |
v43 = __OFSUB__((char *)key + 1, v50); | |
v42 = (signed int)key + -v50 + 1 < 0; | |
*((_DWORD *)v5 + v40 + 8 * (*((_DWORD *)v5 + 260) - v39) + 122) = *(v37 - 1); | |
key = v41; | |
if ( !(v42 ^ v43) ) | |
goto LABEL_54; | |
} | |
} | |
} | |
else | |
{ | |
key = (char *)v5 + 1044; | |
while ( v25 < v19 ) | |
{ | |
data = (_BYTE *)(v25 % v13); | |
*((_DWORD *)v5 + v25 % v13 + 8 * (v25 / v13) + 2) = *key; | |
v26 = *((_DWORD *)v5 + 260) - v25++ / v13; | |
v27 = &data[8 * v26]; | |
v28 = key + 1; | |
*((_DWORD *)v5 + (_DWORD)v27 + 122) = *key; | |
v19 = keysize2; | |
key = v28; | |
if ( v25 >= v22 ) | |
goto LABEL_39; | |
} | |
} | |
LABEL_55: | |
v44 = *((_DWORD *)v5 + 260); | |
result = 1; | |
keysize2 = 1; | |
if ( v44 > 1 ) | |
{ | |
v46 = (int)v5 + 520; | |
do | |
{ | |
if ( v13 > 0 ) | |
{ | |
v47 = (_DWORD **)v46; | |
v48 = v13; | |
do | |
{ | |
key = *v47; | |
++v47; | |
--v48; | |
*(v47 - 1) = (_DWORD *)(dword_1000A83C[(unsigned __int8)key] ^ dword_1000A43C[BYTE1(key)] ^ dword_1000A03C[BYTE2(key)] ^ dword_10009C3C[BYTE3(key)]); | |
} | |
while ( v48 ); | |
v13 = keysize1; | |
} | |
v49 = *((_DWORD *)v5 + 260); | |
result = keysize2 + 1; | |
v46 += 32; | |
++keysize2; | |
} | |
while ( keysize2 < v49 ); | |
} | |
*((_BYTE *)v5 + 4) = 1; | |
return result; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment