Klarth | X-Change2 crypt

1. .text:00403310 ; int __thiscall sub_403310(LPSTR, LPSTR lpFileName, int, int)
2. .text:00403310 sub_403310 proc near ; CODE XREF: sub_415F60+DD7p
3. .text:00403310 ; sub_420EF0+1E4p ...
4. .text:00403310
5. .text:00403310 var_98 = dword ptr -98h
6. .text:00403310 var_94 = dword ptr -94h
7. .text:00403310 var_90 = dword ptr -90h
8. .text:00403310 NumberOfBytesRead= dword ptr -8Ch
9. .text:00403310 var_88 = _OFSTRUCT ptr -88h
10. .text:00403310 lpFileName = dword ptr 4
11. .text:00403310 arg_4 = dword ptr 8
12. .text:00403310 arg_8 = dword ptr 0Ch
13. .text:00403310
14. .text:00403310 sub esp, 98h
15. .text:00403316 push ebx
16. .text:00403317 push esi
17. .text:00403318 mov esi, ecx
18. .text:0040331A push edi
19. .text:0040331B cmp dword ptr [esi+0C0h], 1
20. .text:00403322 jnz short loc_40333D
21. .text:00403324 mov eax, [esi+0D0h]
22. .text:0040332A mov dword ptr [esi+0C0h], 0
23. .text:00403334 push eax ; lpMem
24. .text:00403335 call sub_422B34
25. .text:0040333A add esp, 4
26. .text:0040333D
27. .text:0040333D loc_40333D: ; CODE XREF: sub_403310+12j
28. .text:0040333D mov ebx, [esp+0A4h+lpFileName]
29. .text:00403344 lea ecx, [esp+0A4h+var_88]
30. .text:00403348 push 0 ; WORD
31. .text:0040334A push ecx ; LPOFSTRUCT
32. .text:0040334B push ebx ; LPSTR
33. .text:0040334C call LZOpenFileA
34. .text:00403351 mov edi, eax
35. .text:00403353 cmp edi, 0FFFFFFFFh
36. .text:00403356 jnz short loc_4033CC
37. .text:00403358 push 0 ; hTemplateFile
38. .text:0040335A push 80h ; dwFlagsAndAttributes
39. .text:0040335F push 3 ; dwCreationDisposition
40. .text:00403361 push 0 ; lpSecurityAttributes
41. .text:00403363 push 0 ; dwShareMode
42. .text:00403365 push 80000000h ; dwDesiredAccess
43. .text:0040336A push ebx ; lpFileName
44. .text:0040336B call ds:CreateFileA
45. .text:00403371 mov edi, eax
46. .text:00403373 cmp edi, 0FFFFFFFFh
47. .text:00403376 jnz short loc_403386
48. .text:00403378 pop edi
49. .text:00403379 pop esi
50. .text:0040337A xor eax, eax
51. .text:0040337C pop ebx
52. .text:0040337D add esp, 98h
53. .text:00403383 retn 0Ch
54. .text:00403386 ; ---------------------------------------------------------------------------
55. .text:00403386
56. .text:00403386 loc_403386: ; CODE XREF: sub_403310+66j
57. .text:00403386 mov ebx, ds:ReadFile
58. .text:0040338C lea edx, [esp+0A4h+NumberOfBytesRead]
59. .text:00403390 push 0 ; lpOverlapped
60. .text:00403392 push edx ; lpNumberOfBytesRead
61. .text:00403393 push 0C0h ; nNumberOfBytesToRead
62. .text:00403398 push esi ; lpBuffer
63. .text:00403399 push edi ; hFile
64. .text:0040339A call ebx ; ReadFile
65. .text:0040339C mov eax, [esi+0A0h]
66. .text:004033A2 push eax ; unsigned int
67. .text:004033A3 call ??2@YAPAXI@Z ; operator new(uint)
68. .text:004033A8 mov edx, [esi+0A0h]
69. .text:004033AE add esp, 4
70. .text:004033B1 lea ecx, [esp+0A4h+NumberOfBytesRead]
71. .text:004033B5 mov [esi+0D0h], eax
72. .text:004033BB push 0 ; lpOverlapped
73. .text:004033BD push ecx ; lpNumberOfBytesRead
74. .text:004033BE push edx ; nNumberOfBytesToRead
75. .text:004033BF push eax ; lpBuffer
76. .text:004033C0 push edi ; hFile
77. .text:004033C1 call ebx ; ReadFile
78. .text:004033C3 push edi ; hObject
79. .text:004033C4 call ds:CloseHandle
80. .text:004033CA jmp short loc_403401
81. .text:004033CC ; ---------------------------------------------------------------------------
82. .text:004033CC
83. .text:004033CC loc_4033CC: ; CODE XREF: sub_403310+46j
84. .text:004033CC push 0C0h ; INT
85. .text:004033D1 push esi ; LPSTR
86. .text:004033D2 push edi ; INT
87. .text:004033D3 call LZRead
88. .text:004033D8 mov eax, [esi+0A0h]
89. .text:004033DE push eax ; unsigned int
90. .text:004033DF call ??2@YAPAXI@Z ; operator new(uint)
91. .text:004033E4 mov ecx, [esi+0A0h]
92. .text:004033EA add esp, 4
93. .text:004033ED mov [esi+0D0h], eax
94. .text:004033F3 push ecx ; INT
95. .text:004033F4 push eax ; LPSTR
96. .text:004033F5 push edi ; INT
97. .text:004033F6 call LZRead
98. .text:004033FB push edi ; INT
99. .text:004033FC call LZClose
100. .text:00403401 ; Fully encrypted at this point
101. .text:00403401 loc_403401: ; CODE XREF: sub_403310+BAj
102. .text:00403401 mov eax, [esi+0A0h]
103. .text:00403407 xor ecx, ecx
104. .text:00403409 xor ebx, ebx
105. .text:0040340B cmp eax, ecx
106. .text:0040340D mov [esp+0A4h+var_90], ebx
107. .text:00403411 mov [esp+0A4h+var_98], ecx
108. .text:00403415 mov [esp+0A4h+var_94], ecx
109. .text:00403419 jbe loc_4034BB
110. .text:0040341F
111. .text:0040341F loc_40341F: ; CODE XREF: sub_403310+1A5j
112. .text:0040341F lea eax, [ecx+ebx]
113. .text:00403422 xor edx, edx
114. .text:00403424 div [esp+0A4h+arg_8]
115. .text:0040342B mov eax, [esp+0A4h+var_98]
116. .text:0040342F and ecx, 0FFh
117. .text:00403435 and eax, 0FFh
118. .text:0040343A and ecx, eax
119. .text:0040343C mov eax, [esp+0A4h+arg_4]
120. .text:00403443 mov edi, edx
121. .text:00403445 mov edx, [esi+0D0h]
122. .text:0040344B add ebx, edx
123. .text:0040344D xor edx, edx
124. .text:0040344F mov dl, [edi+eax]
125. .text:00403452 or ecx, edx
126. .text:00403454 and ecx, 800000FFh
127. .text:0040345A jns short loc_403464
128. .text:0040345C dec ecx
129. .text:0040345D or ecx, 0FFFFFF00h
130. .text:00403463 inc ecx
131. .text:00403464
132. .text:00403464 loc_403464: ; CODE XREF: sub_403310+14Aj
133. .text:00403464 push ecx
134. .text:00403465 mov cl, [ebx]
135. .text:00403467 push ecx
136. .text:00403468 mov ecx, esi
137. .text:0040346A call sub_402E70
138. .text:0040346F test edi, edi
139. .text:00403471 mov [ebx], al
140. .text:00403473 jnz short loc_4034A0
141. .text:00403475 mov edx, [esp+0A4h+var_94]
142. .text:00403479 mov edi, [esp+0A4h+var_98]
143. .text:0040347D xor ecx, ecx
144. .text:0040347F lea eax, [edx+edi]
145. .text:00403482 xor edx, edx
146. .text:00403484 div [esp+0A4h+arg_8]
147. .text:0040348B mov eax, [esp+0A4h+arg_4]
148. .text:00403492 inc edi
149. .text:00403493 mov [esp+0A4h+var_98], edi
150. .text:00403497 mov cl, [edx+eax]
151. .text:0040349A mov [esp+0A4h+var_94], ecx
152. .text:0040349E jmp short loc_4034A4
153. .text:004034A0 ; ---------------------------------------------------------------------------
154. .text:004034A0
155. .text:004034A0 loc_4034A0: ; CODE XREF: sub_403310+163j
156. .text:004034A0 mov ecx, [esp+0A4h+var_94]
157. .text:004034A4
158. .text:004034A4 loc_4034A4: ; CODE XREF: sub_403310+18Ej
159. .text:004034A4 mov ebx, [esp+0A4h+var_90]
160. .text:004034A8 mov eax, [esi+0A0h]
161. .text:004034AE inc ebx
162. .text:004034AF cmp ebx, eax
163. .text:004034B1 mov [esp+0A4h+var_90], ebx
164. .text:004034B5 jb loc_40341F
165. .text:004034BB
166. .text:004034BB loc_4034BB: ; CODE XREF: sub_403310+109j
167. .text:004034BB mov eax, [esi+0A0h]
168. .text:004034C1 mov dword ptr [esi+0C8h], 0
169. .text:004034CB mov [esi+0D4h], eax
170. .text:004034D1 mov [esi+0D8h], eax
171. .text:004034D7 mov dword ptr [esi+0C0h], 1
172. .text:004034E1 mov dword ptr [esi+0CCh], 1
173. .text:004034EB pop edi
174. .text:004034EC pop esi
175. .text:004034ED mov eax, 1
176. .text:004034F2 pop ebx
177. .text:004034F3 add esp, 98h
178. .text:004034F9 retn 0Ch ; Fully decrypted
179. .text:004034F9 sub_403310 endp
180.  
181. .text:00402E70 ; =============== S U B R O U T I N E =======================================
182. .text:00402E70
183. .text:00402E70
184. .text:00402E70 sub_402E70 proc near ; CODE XREF: sub_403310+15Ap
185. .text:00402E70 ; sub_403820+81p ...
186. .text:00402E70
187. .text:00402E70 arg_0 = dword ptr 4
188. .text:00402E70 arg_4 = dword ptr 8
189. .text:00402E70
190. .text:00402E70 mov ecx, [esp+arg_4]
191. .text:00402E74 mov edx, [esp+arg_0]
192. .text:00402E78 and ecx, 0FFh
193. .text:00402E7E and edx, 0FFh
194. .text:00402E84 mov eax, ecx
195. .text:00402E86 or ecx, edx
196. .text:00402E88 and eax, edx
197. .text:00402E8A not eax
198. .text:00402E8C and eax, ecx
199. .text:00402E8E retn 8
200. .text:00402E8E sub_402E70 endp