Task 10 - part 2 flow
// Hex-Rays transcript (x86-32) of the traced child's per-block setup routine.
// None of the "syscalls" below (pivot_root, mlockall, uname) are real: per the
// author's notes a ptrace parent intercepts each one and substitutes its own
// semantics, so the commented blocks describe the parent's handler, not the
// kernel. Analysing the child alone therefore gives a misleading picture; the
// tracer and tracee have to be read together (a process can have only one
// tracer, which is also what keeps a debugger from attaching to the child).
// a1/a2 form one 64-bit value (a2 high, a1 low); a3 is not used in this body;
// `file` is a scratch buffer the routine writes key material into.
const char *__cdecl sub_804C217(int a1, int a2, int a3, const char *file)
{
int v5; // [esp+2Ch] [ebp-3Ch]
void (__cdecl *v6)(void *, int *); // [esp+30h] [ebp-38h]
int v7; // [esp+34h] [ebp-34h]
unsigned __int64 flags; // [esp+38h] [ebp-30h]
__int64 v9; // [esp+40h] [ebp-28h]
unsigned int v10; // [esp+4Ch] [ebp-1Ch]
v10 = __readgsdword(0x14u); // gs:0x14 is the i386 glibc stack-protector canary; no check of v10 survives in this listing
flags = __PAIR__(a2, a1); // 64-bit working value: high dword = a2, low dword = a1
v6 = 0; // NULL function pointer, called through at the end of the body (see there)
v5 = 0;
loc_804C257:
pivot_root(file + 0x1C, a1); // hooked: per the note the parent pokes a1 into the child at file+0x1C
// ptrace(PTRACE_POKEDATA, parent_pid, read_buf, position);
pivot_root(file + 0x4C, a2); // hooked: likewise a2 at file+0x4C
// ptrace(PTRACE_POKEDATA, parent_pid, read_buf, position);
*((_DWORD *)file + 41) = mlockall((int)&flags) / 2; // hooked: handler below; result stored at file+0xA4 (the third slot sub_804C19C later reads)
/*
// on mlockall:
{
LODWORD(v17) = ptrace(PTRACE_PEEKDATA, parent_pid, read_buf, 0);
HIDWORD(v17) = ptrace(PTRACE_PEEKDATA, parent_pid, read_buf + 4, 0);
i_4 = 0;
while ( v17 )
{
if ( v17 & 1 )
i_4 = (char *)some_callback(0xB82D3C24, i_4, (_DWORD *)HIDWORD(v17)); //0xB82D3C24: val = arg_2 + 1;
v17 >>= 1;
}
i_2 = i_4;
ptrace(PTRACE_SETREGS, parent_pid, 0, &read_buf);
}
*/
// Reading the handler with the "val = arg_2 + 1" callback, it appears to return
// the number of set bits in the 64-bit `flags` (a popcount), which the child
// then halves — NOTE(review): inferred from the note, not verified in the binary.
v7 = flags & 1; // consume the lowest bit of flags
flags >>= 1;
if ( v7 == 1 )
{
uname((struct utsname *)&v9); // hooked: handler below fills the two dwords of v9
/*
//on uname:
{
ptrace(PTRACE_POKEDATA, parent_pid, read_buf, 0xC6EF3720);
v10 = some_callback(0x7E85DB2Au, (char *)0x1337, (_DWORD *)0xCAFE); // 0x7E85DB2A: val = 0x9E3779B9;
ptrace(PTRACE_POKEDATA, parent_pid, read_buf + 4, v10);
}
*/
// The `v10` inside the note belongs to the parent's handler, not to this
// function's canary variable of the same name. The two constants are the
// familiar TEA values: 0x9E3779B9 is the TEA/XTEA delta and 0xC6EF3720 is
// 32*delta mod 2^32 (the sum after 32 TEA rounds) — so v9 = 0x9E3779B9C6EF3720
// whenever this branch runs, and it is folded into flags below.
flags ^= v9;
}
v6(&loc_804C257, &v5); //maybe goto loc_804C257
// Call through the NULL pointer assigned above: in a normal process this
// faults, so the tracer presumably catches it; the author reads it as a jump
// back to loc_804C257 with v5 as loop state — unconfirmed from this listing.
return file;
}
// Hex-Rays transcript: block transform applied to one 8-byte block (a1[0],
// a1[1]) with the 64-bit value (a2 low, a3 high). The chmod "syscall" is
// hooked by the tracer and serves as the round function (handler and
// sub_804C19C reproduced in the note inside the body). Returns the
// stack-canary check value (0 when the canary is intact).
unsigned int __cdecl sub_804C369(__mode_t *a1, int a2, int a3, const char *file)
{
int v5; // [esp+14h] [ebp-24h]
int v6; // [esp+18h] [ebp-20h]
__mode_t v7; // [esp+1Ch] [ebp-1Ch]
__mode_t mode; // [esp+20h] [ebp-18h]
__mode_t v9; // [esp+24h] [ebp-14h]
__mode_t v10; // [esp+28h] [ebp-10h]
unsigned int v11; // [esp+2Ch] [ebp-Ch]
v11 = __readgsdword(0x14u); // stack canary (gs:0x14 on i386 glibc), compared again on return
v6 = 0;
sub_804C217(a2, a3, 16, file); // fills file+0x1C, file+0x4C and file+0xA4 from (a3:a2); the 16 is not examined there
v7 = *a1; // left half of the block
mode = a1[1]; // right half of the block
v5 = 0;
loc_804C3C4:
v9 = mode; // written but never read in this listing
v10 = v7 ^ chmod(file, mode); // hooked: new_left = left ^ F(right, file); F is implemented by the tracer below
/*
// on chmod:
{
to_peek_more_data(parent_pid, read_buf, &buf_2, 248);
i_2 = (_DWORD *)sub_804C19C((char *)&buf_2, position);
ptrace(PTRACE_SETREGS, parent_pid, 0, &read_buf);
}
int __cdecl sub_804C19C(char *buf_2, int parent_process_)
{
int v2; // eax
int v3; // eax
v2 = MEMORY[0](0x6B4E102C, parent_process_, *((_DWORD *)buf_2 + 7)); // val = arg_2 + arg_3;
v3 = MEMORY[0](0x5816452E, v2, *((_DWORD *)buf_2 + 41)); // val = ror(arg_2, arg_3);
return MEMORY[0](0x44DE7A30, v3, *((_DWORD *)buf_2 + 19)); //val = arg_3 ^ arg_2;
}
*/
// The three offsets sub_804C19C reads (+7, +41, +19 dwords = file+0x1C,
// file+0xA4, file+0x4C) are exactly the slots sub_804C217 filled, so the round
// function is F(mode) = ror(mode + [file+0x1C], [file+0xA4]) ^ [file+0x4C]
// (taking the callback annotations in the note at face value).
v7 = mode; // swap halves — a Feistel-style round; how many rounds run depends on the tracer's handling of the call below
mode = v10;
MEMORY[0](&loc_804C3C4, &v5); // maybe goto loc_804C3C4
// Call to address 0, as in sub_804C217: presumably trapped by the tracer and
// turned into a loop back to loc_804C3C4 with v5 as state — unconfirmed here.
*a1 = mode; // write the block back; note the halves land swapped relative to the read order above
a1[1] = v7;
return __readgsdword(0x14u) ^ v11; // canary check: nonzero means the frame was clobbered
}
// Hex-Rays transcript: top-level check of one 32-byte input part. nice() and
// truncate() are again hooked by the tracer, so the real key derivation and
// the final comparison both happen in the parent (see the notes below).
// `src` must point at no fewer than 32 readable bytes; nothing here checks it.
_BOOL4 __cdecl decode_next_part(void *src)
{
int v1; // eax
size_t len; // eax
char v4[3968]; // [esp+Ch] [ebp-F9Ch]
int count; // [esp+F8Ch] [ebp-1Ch]
int a2[2]; // [esp+F90h] [ebp-18h]
char *s; // [esp+F98h] [ebp-10h]
int i; // [esp+F9Ch] [ebp-Ch]
v1 = nice(164); // hooked: the handler returns a value whose negation is a pointer to a string
s = (char *)-v1; // s = "This string has no purpose and is merely here to waste your time."
len = strlen((const char *)-v1);
*(_QWORD *)a2 = sub_804BFED(0, 0, s, len, 0); // 64-bit value derived from that string (a2[0] low, a2[1] high); sub_804BFED is not in this listing
count = 40000;
memcpy(&buf, src, 32u); // the next input part
// The loop below steps 8 bytes at a time over 40000 bytes, far beyond the 32
// just copied, so `buf` must be a large global (the truncate note reads 40000
// bytes from 0x804C640); v4 is the 3968-byte scratch handed down as `file`.
for ( i = 0; i < count; i += 8 )
sub_804C369((__mode_t *)((char *)&buf + i), a2[0], a2[1], v4);
return truncate((const char *)&buf, 32) == 32; // hooked: the handler below compares the transformed buffer with the verification bytes at 0x81A5100 and its register result is what == 32 examines
/*
// on truncate:
{
to_peek_more_data(parent_pid, read_buf, &::buf, 40000);
for ( i = 0; i <= 39999 && *(_BYTE *)(i + 0x804C640); ++i )
{
v18[i] = *(_BYTE *)(i + 0x804C640); // buffer "file"
if ( i_3 == (_DWORD *)-1 && v18[i] != *(_BYTE *)(i + 0x81A5100) ) // 0x81A5100: verification buffer[32] =
// { 64 A0 60 02 EA 8A 87 7D 6C E9 7C E4 82 3F 2D 0C 8C B7 B5 EB CF 35 4F 42 4F AD 2B 49 20 28 7C E0 }
i_3 = (_DWORD *)i;
}
i_3 = (_DWORD *)some_callback(0xA4F57126, input_buffer, i_3);
// callback:
{
res = arg_3;
if ( arg_3 != -1 )
{
to_peek_more_data(pid, arg_2, input_buffer, 62);
if ( strncmp(s1, "@no-flare.com", 0xDu) )
res = -1;
}
}
i_2 = i_3;
ptrace(PTRACE_SETREGS, parent_pid, 0, &read_buf);
}
*/
}