
@hasherezade
Created December 29, 2020 08:05
FlareOn 7 Task 9
// decode_password -- Hex-Rays pseudocode; the readable names were assigned by the analyst.
//
// Reads the string value "Password" from CLSID\<rguid>\Config under the
// predefined root 0xFFFFFFFF80000000 (HKEY_CLASSES_ROOT, sign-extended to
// 64 bits), narrows it to a byte string and uses it to key a 256-byte
// permutation stored in arg_buf. The keying loop has the structure of the
// RC4 key-scheduling algorithm (KSA).
//
// arg_buf layout after a successful call:
//   byte 0, byte 1 : zeroed by "*ctx = 0" (decode_flag reads them as its two indices)
//   bytes 2..257   : the keyed permutation
//
// Returns 0 on success and 0x80004005 (E_FAIL) on any failure.
// a1 is not referenced anywhere in this listing.
__int64 __fastcall decode_password(__int64 a1, _WORD *arg_buf)
{
_WORD *ctx; // rdi
unsigned int v3; // ebx
int len; // eax
signed __int64 indx; // r8
_BYTE *v6; // rdx
__int64 v7; // r14
int v8; // esi
signed int v9; // ecx
signed __int64 v10; // r10
signed __int64 v11; // rdi
signed __int64 v12; // r9
char *_indx; // r11
char v14; // dl
signed __int64 v15; // rcx
char next_char; // al
int v17; // eax
// The scalar/float types below are decompiler guesses; the memset sizes show
// these are buffers: sz = 0x102 bytes (129 wide chars, matching the count
// passed to StringFromGUID2), SubKey = 0x200 bytes, password_wstr = 0x410 bytes.
__int16 sz; // [rsp+40h] [rbp-C0h]
char password_cstr[272]; // [rsp+150h] [rbp+50h]
__int16 SubKey; // [rsp+260h] [rbp+160h]
float password_wstr[260]; // [rsp+460h] [rbp+360h]
DWORD v23; // [rsp+8A0h] [rbp+7A0h]
ctx = arg_buf;
memset(password_wstr, 0, 0x410ui64);
memset((float *)&SubKey, 0, 0x200ui64);
memset((float *)&sz, 0, 0x102ui64);
// Build the subkey path "CLSID\<string form of rguid>\Config".
StringFromGUID2(&rguid, &sz, 129i64);
wsprintfW(&SubKey, L"%s\\%s\\%s", L"CLSID", &sz, L"Config");
v3 = 0;
// Flags value 2 is RRF_RT_REG_SZ, so only a string value is accepted.
// NOTE(review): v23 is the in/out byte count for RegGetValueW, but no
// assignment to it is visible before the call in this listing -- confirm
// against the disassembly.
// v23 <= 2 rejects a value holding no more than a single wide character
// (presumably just the terminator).
// wide_to_ascii is not shown; the code treats a result of 260 (the limit
// 0x104 that was passed in) and -1 as errors, otherwise uses it as the key length.
if ( (unsigned int)RegGetValueW(0xFFFFFFFF80000000i64, &SubKey, L"Password", 2i64, 0i64, password_wstr, &v23)
|| v23 <= 2
|| (len = wide_to_ascii((__crt_mbstring *)password_cstr, (const wchar_t *)password_wstr, 0x104ui64), len == 260)
|| len == -1 )
{
v3 = 0x80004005;
}
else
{
// ctx is a _WORD pointer, so ctx + 1 is byte offset 2: the start of the permutation.
indx = (signed __int64)(ctx + 1);
// Zero bytes 0 and 1 of the context.
*ctx = 0;
v6 = ctx + 1;
// v7 plays the role of j in the KSA and starts at 0.
LOBYTE(v7) = 0;
v8 = 0;
v9 = 0;
// v10 counts down the 256 keying rounds.
v10 = 0x100i64;
// Identity permutation: S[n] = n for n = 0..255.
do
*v6++ = v9++;
while ( v9 < 0x100 );
// v11 = key length, v12 = current position in the key.
v11 = len;
v12 = 0i64;
_indx = (char *)indx;
do
{
// v14 = S[i], saved for the swap.
v14 = *_indx;
v15 = v12 + 1;
next_char = password_cstr[v12];
// Key position defaults to 0 (wrap) and is set to v15 below while v15 < len.
v12 = 0i64;
// j = (j + S[i] + key[k]) mod 256
v7 = (unsigned __int8)(v7 + *_indx + next_char);
// swap S[i] and S[j], then advance i
*_indx++ = *(_BYTE *)(v7 + indx);
*(_BYTE *)(v7 + indx) = v14;
// v8 is wrapped the same way as v12; nothing else in this listing reads it.
v17 = v8 + 1;
v8 = 0;
if ( v15 < v11 )
v8 = v17;
if ( v15 < v11 )
v12 = v15;
--v10;
}
while ( v10 );
}
return v3;
}
// decode_flag -- Hex-Rays pseudocode; the readable names were assigned by the analyst.
//
// Uses the context prepared by decode_password (byte 0 and byte 1 = the two
// stream indices, permutation from byte 2 onward) to generate 0x2C keystream
// bytes and XOR them with the global encrypted_flag. The generation loop has
// the structure of the RC4 output stage (PRGA). The result is widened with
// mbstowcs and stored as the string value "Flag" under CLSID\<rguid>\Config
// in the same predefined root (0xFFFFFFFF80000000, HKEY_CLASSES_ROOT).
//
// The updated indices are written back into ctx, so the stream state carries
// over between calls: a second call on the same context continues the
// keystream instead of restarting it.
//
// Both the key material ("Password") and the decoded output ("Flag") are
// values of that one Config key, so registry auditing on it covers both the
// read and the write.
//
// Returns 0 once the key has been opened for writing, 0x80004005 (E_FAIL) otherwise.
// a1 is not referenced anywhere in this listing.
__int64 __fastcall decode_flag(__int64 a1, unsigned __int8 *ctx)
{
unsigned __int8 *_ctx; // rdi
unsigned int v3; // ebx
unsigned __int8 v4; // r10
signed __int64 index; // r9
unsigned __int8 v6; // r11
unsigned __int8 v7; // r8
unsigned __int8 v8; // cl
int v9; // eax
int v10; // edi
DWORD cbData; // ST28_4
// out_buf, v14, v15, v16 and v17 are contiguous on the stack (rsp+30h up to
// and including rsp+5Ch): 16 + 16 + 8 + 4 + 1 = 45 bytes. The decompiler has
// split one 45-byte buffer, so the 0x2C-byte write through out_buf[index]
// below stays inside it and v17 is left as the NUL terminator.
char out_buf[16]; // [rsp+30h] [rbp-D0h]
__int128 v14; // [rsp+40h] [rbp-C0h]
__int64 v15; // [rsp+50h] [rbp-B0h]
int v16; // [rsp+58h] [rbp-A8h]
char v17; // [rsp+5Ch] [rbp-A4h]
// Data is used as a wide-character buffer (see the mbstowcs call); the float
// type is a decompiler guess. sz and SubKey are buffers of 0x102 and 0x200 bytes.
float Data[48]; // [rsp+60h] [rbp-A0h]
__int16 sz; // [rsp+120h] [rbp+20h]
__int16 SubKey; // [rsp+230h] [rbp+130h]
void *hKey; // [rsp+448h] [rbp+348h]
_ctx = ctx;
// Failure is the default result; it is only cleared after the key is opened.
v3 = 0x80004005;
memset((float *)&SubKey, 0, 0x200ui64);
memset((float *)&sz, 0, 0x102ui64);
// Zero the 45-byte output buffer piece by piece.
v15 = 0i64;
v16 = 0;
v17 = 0;
*(_OWORD *)out_buf = 0i64;
v14 = 0i64;
memset(Data, 0, 0xB4ui64);
// Load the saved stream indices: v4 = i, v6 = j.
v4 = *_ctx;
index = 0i64;
v6 = _ctx[1];
do
{
// i = i + 1; v7 = S[i]   (the "+ 2" skips the two index bytes)
v7 = _ctx[++v4 + 2];
// j = j + S[i]; both indices are 8-bit and wrap modulo 256
v6 += v7;
// swap S[i] and S[j]
v8 = _ctx[v6 + 2];
_ctx[v4 + 2] = v8;
_ctx[v6 + 2] = v7;
// keystream byte = S[(S[i] + S[j]) mod 256], XORed with the ciphertext byte
out_buf[index] = encrypted_flag[index] ^ _ctx[(unsigned __int8)(v7 + v8) + 2];
++index;
}
while ( index < 0x2C );
// Persist i and j back into the context.
*_ctx = v4;
_ctx[1] = v6;
v9 = mbstowcs((wchar_t *)Data, out_buf, 0x2Dui64);
v10 = v9;
// '-' is the decompiler's rendering of 0x2D (45), the count passed to
// mbstowcs above: a result equal to it means the limit was reached, and -1
// means the conversion failed. Either case skips the registry write.
if ( v9 != -1 && v9 != '-' )
{
StringFromGUID2(&rguid, &sz, 129i64);
wsprintfW(&SubKey, L"%s\\%s\\%s", L"CLSID", &sz, L"Config");
// Access mask 0x20006 is KEY_WRITE.
if ( !(unsigned int)RegOpenKeyExW(0xFFFFFFFF80000000i64, &SubKey, 0i64, 0x20006i64, &hKey) )
{
// Byte count = 2 * converted length, which leaves out the terminating wide NUL.
cbData = 2 * v10;
// Type 1 is REG_SZ. The return value is not checked, so v3 becomes 0 even
// if the write fails, and no RegCloseKey(hKey) appears in this listing.
RegSetValueExW(hKey, L"Flag", 0i64, 1i64, Data, cbData);
v3 = 0;
}
}
return v3;
}