In association with heise online




Decode.cpp


void Decode() 
{
HANDLE hInputFile = NULL;
HANDLE hOutputFile = NULL;
HANDLE hMap = NULL;
LPBYTE lpbyBase = NULL;
DWORD dwSize;
DWORD dwBytesWritten = 0;

char szMask[] = "fx46RIu1kelToyIVefnbEF";
int i, j;
BYTE b, bLast;

if ((hOutputFile = CreateFile("decoded.bin",
GENERIC_WRITE,
FILE_SHARE_READ,
NULL,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL)) != INVALID_HANDLE_VALUE)
{
if ((hInputFile = CreateFile("push_stub.bin",
GENERIC_READ,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL)) != INVALID_HANDLE_VALUE)
{

if (((dwSize = GetFileSize(hInputFile, NULL)) != INVALID_FILE_SIZE) &&
((hMap = CreateFileMapping(hInputFile, NULL, PAGE_READONLY, 0, 0, NULL)) != NULL))
{
if ((lpbyBase = (LPBYTE)MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0)) != NULL)
{
j = 0;
bLast = 0;

for (i = 0; i < (int)dwSize; i++)
{
if (((lpbyBase[i] == 0x24) || (lpbyBase[i] == 0x25)) && (i < (int)dwSize - 1))
{
bLast = lpbyBase[i + 1]; // remember byte pushed last for the "dup" operator
b = bLast ^ szMask[j]; // xor it with the mask table
if (lpbyBase[i] == 0x25) // pushshort uses u30 operand that takes extra byte
{
i++;
}
i++;
WriteFile(hOutputFile, &b, 1, &dwBytesWritten, NULL);
}
else if (lpbyBase[i] == 0x2A) // "dup" operator - invoke the byte pushed last
{
b = bLast ^ szMask[j];
WriteFile(hOutputFile, &b, 1, &dwBytesWritten, NULL);
}
else
{
MessageBox("Not recognized opcode!", NULL, MB_OK);
break;
}

j++;
if (j >= (int)strlen(szMask))
{
j = 0;
}
}
UnmapViewOfFile(lpbyBase);
}
CloseHandle(hMap);
}
CloseHandle(hInputFile);
}
CloseHandle(hOutputFile);
}
return;
}
Print Version | Permalink: http://h-online.com/-1057907
  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit