Gauss malware – deobfuscating a string table from dumped source code (sample 4FB4D2EB303160C5F419CEC2E9F57850)
// byte_10048400: one obfuscated string blob, laid out the way sub_10013E60
// reads it. Values are the decompiler's signed rendering of _BYTE; mask with
// 0xFF to get the raw byte.
//   [0]      decrypt-once flag (0 = still encrypted; set to 1 on first use)
//   [1..2]   payload length, big-endian: 0x00 0x16 = 22 bytes
//   [3..37]  not read by sub_10013E60 (meaning not visible from this dump)
//   [38..59] ciphertext (22 bytes), decrypted in place on first use
//   [60..95] past the declared length; never transformed
// The run of equal byte pairs from [38] on is the zero high byte of each
// UTF-16 code unit leaking through the chain (plain[i+1] == 0 makes
// cipher[i+1] == cipher[i]) - a one-byte-seeded XOR chain hides structure poorly.
_BYTE byte_10048400[96] =
{
0, // [0] flag: not yet decrypted
0, // [1] length, high byte
22, // [2] length, low byte -> 22 payload bytes
-80, // [3] start of the 35 bytes the decrypt routine does not touch
21,
-93,
-125,
-104,
-122,
-28,
78,
10,
-106,
-88,
-101,
72,
96,
31,
70,
-43,
124,
71,
124,
91,
28,
-75,
56,
28,
7,
115,
6,
-27,
107,
25,
-107,
119,
63,
-86, // [37] last untouched header byte
124, // [38] first ciphertext byte: 0x7C ^ 0x52 = 0x2E '.'
124,
32,
32,
102,
102,
15,
15,
99,
99,
6,
6,
40,
40,
75,
75,
59,
59,
75,
75,
75,
75, // [59] last ciphertext byte (38 + 22 - 1)
-76, // [60] beyond the declared length; returned as-is, never decrypted
91,
92,
-71,
-7,
-58,
-55,
69,
87,
8,
-28,
-116,
82,
-92,
19,
104,
62,
40,
-15,
-12,
-100,
-111,
72,
-103,
13,
-92,
123,
25,
-24,
67,
-14,
117,
33,
122,
0, // [94]
0 // [95]
};
// Decrypt-once accessor for an obfuscated string blob (decompiler pseudocode:
// the blob pointer arrives in ESI, the payload pointer is returned in EAX).
//
// Blob layout as this routine reads it:
//   a1[0]     flag, non-zero once the payload has been decrypted in place
//   a1[1..2]  payload length; a1[1] is the high byte, a1[2] the low byte
//   a1[38..]  payload, XOR-chained: plain[i] = cipher[i] ^ cipher[i-1],
//             with cipher[-1] taken as 0x52
// Bytes 3..37 are not touched here (their purpose is not visible from this routine).
//
// Always returns a1 + 38, whether or not a decryption pass ran this call.
//
// NOTE(review): the length is taken from the blob itself and is never compared
// with the buffer size, so a length larger than the buffer makes the loop read
// and write past a1 (it decrypts in place). a1[1] is also sign-extended
// ((char) << 8), so a high byte >= 0x80 produces a huge unsigned v4. Harmless
// for the embedded constant table, but not safe to lift onto other input.
_BYTE *__usercall sub_10013E60@<eax>(_BYTE *a1@<esi>)
{
  int v1; // eax
  int v2; // edi
  bool v3; // zf
  unsigned int v4; // edi
  char v5; // dl
  unsigned int v6; // eax
  char v7; // cl
  // Already decrypted on an earlier call: just hand back the payload.
  if ( *a1 )
    return a1 + 38;
  v1 = (unsigned __int8)a1[2]; // low byte of the length
  v2 = (char)a1[1] << 8;       // high byte of the length (sign-extended!)
  v3 = v1 + v2 == 0;
  v4 = v1 + v2;                // payload length
  *a1 = 1;                     // mark decrypted before the pass, not after
  v5 = 82;                     // 0x52: seed standing in for "previous ciphertext byte"
  v6 = 0;
  if ( v3 )
    return a1 + 38;
  // Cipher-feedback XOR: each byte is XORed with the ciphertext byte before it.
  do
  {
    v7 = a1[v6 + 38];          // keep the ciphertext byte before overwriting it
    a1[v6 + 38] = v5 ^ v7;
    ++v6;
    v5 = v7;                   // chain on the ciphertext, not the plaintext
  }
  while ( v6 < v4 );
  return a1 + 38;
}
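def decrypt_byte_array(byte_array, *, key=82, offset=38):
    """Decrypt a Gauss string blob in place and return the payload slice.

    Port of ``sub_10013E60`` from the dump: the blob is a small header
    followed by a chained-XOR ciphertext.

    Header layout, as the original routine reads it:
      [0]        "already decrypted" flag; non-zero means the payload is plaintext
      [1:3]      payload length, 16-bit big-endian (``[1]`` is the high byte)
      [offset:]  ciphertext, ``length`` bytes

    Each plaintext byte is ``cipher[i] ^ cipher[i-1]`` with ``cipher[-1]``
    standing in as ``key`` (0x52 in the sample): cipher-feedback XOR seeded
    with one byte, so the ciphertext leaks plaintext structure (repeated
    bytes wherever the plaintext has zeros, e.g. UTF-16 high bytes).

    Args:
        byte_array: mutable sequence of ints in 0..255 (``list`` or
            ``bytearray``). It is decrypted IN PLACE and its flag byte set
            to 1, exactly like the original routine, so a second call is a
            no-op that just returns the slice again.
        key: XOR seed for the first byte (keyword-only; default matches the sample).
        offset: index at which the ciphertext starts (keyword-only).

    Returns:
        ``byte_array[offset:]`` - the decrypted payload followed by whatever
        trails it in the buffer; bytes past the declared length are left as-is.

    Raises:
        ValueError: if the declared length runs past the end of ``byte_array``.
            The decompiled routine has no such check and would read/write past
            its buffer; here the blob is rejected *before* anything is mutated,
            so the flag byte is never set on a half-decrypted buffer.
    """
    if byte_array[0] != 0:
        return byte_array[offset:]

    # The decompiled code sign-extends byte [1] (``(char)a1[1] << 8``); with
    # 0..255 inputs this port treats it as unsigned, which only differs for
    # lengths >= 0x8000 - far beyond anything the sample buffer can hold.
    length = (byte_array[1] << 8) + byte_array[2]
    available = max(len(byte_array) - offset, 0)
    if length > available:
        raise ValueError(
            f"declared payload length {length} exceeds the {available} "
            f"bytes available after offset {offset}"
        )

    byte_array[0] = 1
    prev = key
    for i in range(offset, offset + length):
        cur = byte_array[i]
        byte_array[i] = prev ^ cur
        prev = cur  # chain on the ciphertext byte, not the plaintext
    return byte_array[offset:]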
# byte_10048400 exactly as the decompiler dumped it (see the _BYTE table
# above): entries are rendered as signed chars, hence the negative values.
byte_10048400 = [
    0, 0, 22, -80, 21, -93, -125, -104, -122, -28, 78, 10,
    -106, -88, -101, 72, 96, 31, 70, -43, 124, 71, 124, 91,
    28, -75, 56, 28, 7, 115, 6, -27, 107, 25, -107, 119,
    63, -86, 124, 124, 32, 32, 102, 102, 15, 15, 99, 99,
    6, 6, 40, 40, 75, 75, 59, 59, 75, 75, 75, 75,
    -76, 91, 92, -71, -7, -58, -55, 69, 87, 8, -28, -116,
    82, -92, 19, 104, 62, 40, -15, -12, -100, -111, 72, -103,
    13, -92, 123, 25, -24, 67, -14, 117, 33, 122, 0, 0,
]

# Fold the signed chars back into raw bytes (0..255) so the XOR port works
# on the same values the binary does.
byte_10048400 = [value % 256 for value in byte_10048400]

# decrypt_byte_array mutates the table in place and hands back the slice
# after the 38-byte header; the printed list is what the binary would see.
decrypted_array = decrypt_byte_array(byte_10048400)
print(decrypted_array)
[46, 0, 92, 0, 70, 0, 105, 0, 108, 0, 101, 0, 46, 0, 99, 0, 112, 0, 112, 0, 0, 0, 180, 91, 92, 185, 249, 198, 201, 69, 87, 8, 228, 140, 82, 164, 19, 104, 62, 40, 241, 244, 156, 145, 72, 153, 13, 164, 123, 25, 232, 67, 242, 117, 33, 122, 0, 0]
import struct
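def decode_byte_array(byte_array):
    """Split a decrypted Gauss blob into its UTF-16LE string and trailing bytes.

    Args:
        byte_array: iterable of ints in 0..255 (list, tuple, bytes, ...).

    Returns:
        ``(text, tail)``. ``text`` is decoded from the leading 16-bit
        little-endian code units up to (not including) the first 0x0000
        unit. ``tail`` is a tuple of every byte from that terminator onward,
        in order and unmodified. If there is no terminator the whole even
        prefix is text; a dangling odd byte at the end is never paired and
        ends up in ``tail`` instead of raising IndexError (the previous
        version also silently dropped an odd trailing byte - no data is
        discarded now).

    Notes:
        Code units are turned into characters with ``chr()`` so that lone
        surrogates survive (a strict ``.decode('utf-16-le')`` would raise on
        them). ``tail`` is NOT parsed: the old ``struct.unpack('<BBB...')``
        was an identity conversion, so it is returned byte-for-byte. Read it
        against the blob's declared payload length rather than assuming it is
        a structure - in this sample it is simply the rest of the buffer.
    """
    byte_list = list(byte_array)
    chars = []
    pos = 0
    # Consume 16-bit LE code units until a NUL unit or an unpaired last byte.
    while pos + 1 < len(byte_list):
        lo, hi = byte_list[pos], byte_list[pos + 1]
        if lo == 0 and hi == 0:
            break
        chars.append(chr(lo + (hi << 8)))
        pos += 2
    text = "".join(chars)
    # Everything from the terminator on, unchanged; nothing is trimmed.
    tail = tuple(byte_list[pos:])
    return text, tail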
# The list printed by the XOR step above, pasted verbatim: 10 UTF-16LE code
# units, a 0x0000 terminator, then the untouched remainder of the buffer.
byte_array = [
    46, 0, 92, 0, 70, 0, 105, 0, 108, 0,
    101, 0, 46, 0, 99, 0, 112, 0, 112, 0,
    0, 0, 180, 91, 92, 185, 249, 198, 201, 69,
    87, 8, 228, 140, 82, 164, 19, 104, 62, 40,
    241, 244, 156, 145, 72, 153, 13, 164, 123, 25,
    232, 67, 242, 117, 33, 122, 0, 0,
]

# Split into the string and the raw tail, then show both.
utf16_string, structured_data = decode_byte_array(byte_array)
print(f"Decoded UTF-16 String: {utf16_string}")
print(f"Structured Data: {structured_data}")
Decoded UTF-16 String: .\File.cpp
Structured Data: (0, 0, 180, 91, 92, 185, 249, 198, 201, 69, 87, 8, 228, 140, 82, 164, 19, 104, 62, 40, 241, 244, 156, 145, 72, 153, 13, 164, 123, 25, 232, 67, 242, 117, 33, 122, 0, 0)
The XOR scheme used by Gauss's winshell.ocx (sample archive 4FB4D2EB303160C5F419CEC2E9F57850.7z), as recovered above: byte 0 of each blob flags whether it has already been decrypted in place, bytes 1–2 hold a 16-bit big-endian payload length, and from offset 38 each plaintext byte is the ciphertext byte XORed with the previous ciphertext byte, seeded with 0x52. This is a one-byte-seeded XOR chain, not a keyed cipher: anyone with the routine recovers the strings, and the repeated byte pairs in the ciphertext are the zero high bytes of the UTF-16 string showing through.
Samples: https://vx-underground.org/Samples/Families/Gauss (live malware — download and handle only inside an isolated analysis environment).