@eugenekolo
Created May 16, 2017 05:04
WannaCry Ransomware Custom AES-128-CBC
// Hex-Rays decompilation of a Rijndael key-setup routine (attributed to WannaCry by the
// page title). It validates both size arguments, records them in the object, stores two
// copies of `data`, derives the round count and fills two round-key tables inside `this`.
// No plaintext or ciphertext is processed here, so the cipher mode cannot be read off
// this function alone.
//
// Parameter names are the analyst's. NOTE(review): `keysize2` is used as the copy length
// for `data` and as the words-per-row divisor, so it behaves like a block size, and `data`
// like an initial chaining block; the structure matches the public
// CRijndael::MakeKey(key, chain, keylength, blockSize) -- confirm against callers.
//
// Byte offsets into `this` that the code below touches:
//   +4     byte flag, set to 1 on exit
//   +8     first word table, rows 32 bytes apart (presumably encryption round keys)
//   +488   second word table, same row stride (presumably decryption round keys)
//   +968   keysize1            (DWORD index 242)
//   +972   keysize2            (DWORD index 243)
//   +976   first copy of `data`, keysize2 bytes
//   +1008  second copy of `data`, keysize2 bytes
//   +1040  round count         (DWORD index 260)
//   +1044  scratch words holding the packed key (DWORD index 261 onwards)
//
// Throws a C++ exception built from unk_1000D8D8 when `key` is null or either size is not
// 16, 24 or 32. The returned int is the last value of the final loop counter; presumably
// the original function returns void and this is a decompiler artefact.
int __thiscall XRijndael(void *this, _DWORD *key, _BYTE *data, int keysize1, int keysize2)
{
void *v5; // ebx@1
int v6; // ecx@9
_BYTE *v7; // eax@14
int v8; // eax@14
int v9; // eax@18
signed int v10; // eax@19
int v11; // edx@22
int v12; // eax@22
int v13; // ecx@22
void *v14; // esi@23
int v15; // edx@27
void *v16; // esi@28
int v17; // esi@32
__int64 v18; // rax@32
int v19; // edi@32
signed int v20; // ebp@32
_DWORD *v21; // eax@32
signed int v22; // ebp@32
_BYTE *v23; // eax@34
unsigned __int16 v24; // dx@34
int v25; // esi@35
int v26; // eax@38
_BYTE *v27; // edx@38
_DWORD *v28; // eax@38
_BYTE *v29; // ecx@41
_DWORD *v30; // eax@43
int v31; // ecx@43
_DWORD *v32; // eax@46
signed int v33; // ecx@46
_DWORD *v34; // eax@48
signed int v35; // ecx@48
_DWORD *v36; // eax@48
int *v37; // edi@51
int v38; // ebp@53
int v39; // ecx@53
int v40; // edx@53
char *v41; // eax@53
bool v42; // sf@53
unsigned __int8 v43; // of@53
signed int v44; // edx@55
int result; // eax@55
int v46; // ebp@56
_DWORD **v47; // esi@58
int v48; // edi@58
int v49; // edx@61
signed int v50; // [sp+4h] [bp-10h]@32
char v51; // [sp+8h] [bp-Ch]@2
v5 = this;
// Argument validation. In each failing branch the decompiler shows the `key` stack slot
// being reused to hold the message pointer passed to exception::exception.
if ( !key )
{
key = &unk_1000D8D8;
exception::exception(&v51, &key);
CxxThrowException(&v51, &unk_1000AF00);
}
if ( keysize1 != 16 && keysize1 != 24 && keysize1 != 32 )
{
key = &unk_1000D8D8;
exception::exception(&v51, &key);
CxxThrowException(&v51, &unk_1000AF00);
}
v6 = keysize2;
if ( keysize2 != 16 && keysize2 != 24 && keysize2 != 32 )
{
key = &unk_1000D8D8;
exception::exception(&v51, &key);
CxxThrowException(&v51, &unk_1000AF00);
}
// Record both sizes, then store `data` twice (this+976 and this+1008), keysize2 bytes each.
// keysize2 was checked above to be at most 32, the distance between the two destinations.
*((_DWORD *)v5 + 242) = keysize1;
v7 = data;
*((_DWORD *)v5 + 243) = v6;
qmemcpy((char *)v5 + 976, v7, v6);
qmemcpy((char *)v5 + 1008, v7, *((_DWORD *)v5 + 243));
// Round count at DWORD index 260: 10 only when both sizes are 16, 12 when the larger of
// the two is 24, and 14 as soon as either size is 32.
v8 = *((_DWORD *)v5 + 242);
if ( v8 == 16 )
{
v9 = *((_DWORD *)v5 + 243);
if ( v9 == 16 )
v10 = 10;
else
v10 = v9 != 24 ? 14 : 12;
*((_DWORD *)v5 + 260) = v10;
}
else if ( v8 == 24 )
{
*((_DWORD *)v5 + 260) = *((_DWORD *)v5 + 243) != 32 ? 12 : 14;
}
else
{
*((_DWORD *)v5 + 260) = 14;
}
v11 = 0;
v12 = *((_DWORD *)v5 + 260);
// v13 = keysize2 / 4: number of 32-bit words used per table row. The `keysize1` stack
// slot is reused from here on to keep that value.
v13 = *((_DWORD *)v5 + 243) / 4;
keysize1 = *((_DWORD *)v5 + 243) / 4;
// Zero rows 0..rounds of the first table (this+8), v13 words in each row.
if ( v12 >= 0 )
{
v14 = (char *)v5 + 8;
do
{
if ( v13 > 0 )
{
memset(v14, 0, 4 * v13);
v13 = keysize1;
}
++v11;
v14 = (char *)v14 + 32;
}
while ( v11 <= *((_DWORD *)v5 + 260) );
}
// Zero rows 0..rounds of the second table (this+488) in the same way.
v15 = 0;
if ( *((_DWORD *)v5 + 260) >= 0 )
{
v16 = (char *)v5 + 488;
do
{
if ( v13 > 0 )
{
memset(v16, 0, 4 * v13);
v13 = keysize1;
}
++v15;
v16 = (char *)v16 + 32;
}
while ( v15 <= *((_DWORD *)v5 + 260) );
}
v17 = (int)v5 + 1044;
v18 = *((_DWORD *)v5 + 242);
// v19 / keysize2 = words per row * (rounds + 1): total round-key words to produce. The
// `keysize2` stack slot is reused for this total.
v19 = v13 * (*((_DWORD *)v5 + 260) + 1);
keysize2 = v13 * (*((_DWORD *)v5 + 260) + 1);
// v22 = stored key size / 4 (the sign-bias add followed by >> 2 is how the compiler
// emitted a signed division by 4): number of 32-bit words in the key.
v20 = (BYTE4(v18) & 3) + v18;
v21 = key;
v22 = v20 >> 2;
v50 = v22;
// Pack the key bytes into v22 scratch words at this+1044, first byte in the top 8 bits
// (big-endian). `key` is reused as the down-counter.
if ( v22 > 0 )
{
key = (_DWORD *)v22;
do
{
v17 += 4;
*(_DWORD *)(v17 - 4) = *(_BYTE *)v21 << 24;
v23 = (char *)v21 + 1;
*(_DWORD *)(v17 - 4) |= *v23++ << 16;
LOBYTE(v24) = 0;
HIBYTE(v24) = *v23;
*(_DWORD *)(v17 - 4) |= v24;
*(_DWORD *)(v17 - 4) |= *++v23;
v21 = v23 + 1;
key = (_DWORD *)((char *)key - 1);
}
while ( key );
}
// v25 counts round-key words already written to the two tables.
v25 = 0;
if ( v22 <= 0 )
{
LABEL_39:
// Expansion loop: mutate the scratch words in place, then copy them out, until v25
// reaches the total.
if ( v25 < v19 )
{
// `data` is reused as a cursor into the byte sequence at unk_1000AC3C, one byte consumed
// per pass (presumably the Rijndael round constants -- confirm against the table bytes).
data = &unk_1000AC3C;
while ( 1 )
{
// First scratch word ^= last scratch word with its bytes rotated and substituted through
// byte_10007A3C (presumably the S-box), with the current cursor byte XORed into the top
// byte of the result.
key = (_DWORD *)*((_DWORD *)v5 + v22 + 260);
v29 = data + 1;
*((_DWORD *)v5 + 261) ^= (unsigned __int8)byte_10007A3C[BYTE3(key)] ^ (((unsigned __int8)byte_10007A3C[(unsigned __int8)key] ^ (((unsigned __int8)byte_10007A3C[BYTE1(key)] ^ ((*data ^ byte_10007A3C[BYTE2(key)]) << 8)) << 8)) << 8);
data = v29;
if ( v22 == 8 )
{
// 8-word (32-byte) key: XOR-chain scratch words 1..3, then word 4 ^= substituted
// (not rotated) bytes of word 3, then XOR-chain words 5..7.
v32 = (char *)v5 + 1048;
v33 = 3;
do
{
*v32 ^= *(v32 - 1);
++v32;
--v33;
}
while ( v33 );
v34 = (_DWORD *)*((_DWORD *)v5 + 264);
key = v34;
v35 = 3;
*((_DWORD *)v5 + 265) ^= (unsigned __int8)byte_10007A3C[(unsigned __int8)v34] ^ (((unsigned __int8)byte_10007A3C[BYTE1(v34)] ^ (((unsigned __int8)byte_10007A3C[BYTE2(v34)] ^ (byte_10007A3C[BYTE3(v34)] << 8)) << 8)) << 8);
v36 = (char *)v5 + 1064;
do
{
*v36 ^= *(v36 - 1);
++v36;
--v35;
}
while ( v35 );
}
else if ( v22 > 1 )
{
// Shorter keys: each scratch word from index 1 up is XORed with its predecessor.
v30 = (char *)v5 + 1048;
v31 = v22 - 1;
do
{
*v30 ^= *(v30 - 1);
++v30;
--v31;
}
while ( v31 );
}
// `key` becomes the count of scratch words copied out in this pass.
key = 0;
if ( v22 > 0 )
break;
LABEL_54:
v13 = keysize1;
if ( v25 >= keysize2 )
goto LABEL_55;
}
// Copy the freshly expanded scratch words into both tables: row = v25 / words-per-row,
// column = v25 % words-per-row. The second table takes the word at row (rounds - row),
// i.e. its rows are filled in reverse order.
v37 = (int *)((char *)v5 + 1044);
while ( 1 )
{
v13 = keysize1;
if ( v25 >= keysize2 )
break;
v38 = *v37;
++v37;
v39 = v25 / keysize1;
v40 = v25 % keysize1;
*((_DWORD *)v5 + v25 % keysize1 + 8 * v39 + 2) = v38;
v22 = v50;
v41 = (char *)key + 1;
++v25;
// v42/v43 model the sign and overflow flags of (key + 1) - v50; `!(v42 ^ v43)` below is
// the signed test "copied count >= key word count", which ends this pass.
v43 = __OFSUB__((char *)key + 1, v50);
v42 = (signed int)key + -v50 + 1 < 0;
*((_DWORD *)v5 + v40 + 8 * (*((_DWORD *)v5 + 260) - v39) + 122) = *(v37 - 1);
key = v41;
if ( !(v42 ^ v43) )
goto LABEL_54;
}
}
}
else
{
// Initial copy: the packed key words themselves go into both tables (second table in
// reverse row order) before any expansion; once v22 words are copied, control jumps
// into the expansion loop.
key = (char *)v5 + 1044;
while ( v25 < v19 )
{
data = (_BYTE *)(v25 % v13);
*((_DWORD *)v5 + v25 % v13 + 8 * (v25 / v13) + 2) = *key;
v26 = *((_DWORD *)v5 + 260) - v25++ / v13;
v27 = &data[8 * v26];
v28 = key + 1;
*((_DWORD *)v5 + (_DWORD)v27 + 122) = *key;
v19 = keysize2;
key = v28;
if ( v25 >= v22 )
goto LABEL_39;
}
}
LABEL_55:
// Post-process rows 1..rounds-1 of the second table (starting at this+520 = 488 + 32):
// every word is replaced by the XOR of four dword-table lookups indexed by its bytes.
// NOTE(review): presumably the inverse-MixColumns step applied to decryption round keys;
// rows 0 and `rounds` are left untouched. The `keysize2` slot is reused as the row counter.
v44 = *((_DWORD *)v5 + 260);
result = 1;
keysize2 = 1;
if ( v44 > 1 )
{
v46 = (int)v5 + 520;
do
{
if ( v13 > 0 )
{
v47 = (_DWORD **)v46;
v48 = v13;
do
{
key = *v47;
++v47;
--v48;
*(v47 - 1) = (_DWORD *)(dword_1000A83C[(unsigned __int8)key] ^ dword_1000A43C[BYTE1(key)] ^ dword_1000A03C[BYTE2(key)] ^ dword_10009C3C[BYTE3(key)]);
}
while ( v48 );
v13 = keysize1;
}
v49 = *((_DWORD *)v5 + 260);
result = keysize2 + 1;
v46 += 32;
++keysize2;
}
while ( keysize2 < v49 );
}
// Byte flag at this+4 set once setup has run (presumably "key initialised", checked by
// the encrypt/decrypt routines -- confirm).
*((_BYTE *)v5 + 4) = 1;
return result;
}