pyllyukko · October 26, 2021 16:14
diff --git a/UnlockYourFiles.exe.r2 b/UnlockYourFiles.exe.r2
 # 02 - known
 # 435366bfc2e8aff17ff107bf1274b7dca0b189be54e7251aa192ec8e73064424

 # few analysis commands to find the functions
 aa
 aac
 # type analysis for win API calls
 aaft
 # name functions
 afn strlen @0x00401000
 afn error_handler @0x004010c0

 p6d 80 @0x00403604
 # ransom note
 #x 1803 @0x00403000

 afn print_summary @0x00401160
 s print_summary
 afvn number_of_files_decoded arg_8h
 #afvn nNumberOfCharsToWrite var_4h
 Ct DWORD nNumberOfCharsToWrite @@=0x0040117a
 Ct LPDWORD lpNumberOfCharsWritten @@=0x00401178 0x00401190
 Ct LPVOID lpReserved @@=0x00401176 0x0040118e 0x004011c6
 f hConsoleOutput @ 0x403844

 afn file_iterator @0x00401370
 s file_iterator
 afvn decryption_key arg_8h
 afvn source_filename var_164h
 afvn dest_filename var_50h
 afvn number_of_files_decoded var_4h

 afn file_decryptor @0x00401220
 s file_decryptor
 afvn decryption_key arg_10h
 afvn decrypted_filename arg_ch

 afn strcpy @0x00401030
 s 0x00401030
 afvn i var_4h
 afvn dest arg_8h
 afvn src arg_ch

 afn rol_and_sub @0x004011f0
 s 0x004011f0
 afvn dest arg_8h
 afvn src arg_ch
 ?E decryptor:
 pdb @0x401203
 f. loop @ 0x004011fe
 f. end @ 0x00401216

 afn int_to_ascii @0x00401070
 ahi s @0x004010a1

 # decrypt the flag using ESIL
 aei; aeip; aeim; e io.cache=true
 # write encrypted data (critical_data.txt.encrypted) into stack
 wx 66f0bd183104623a @ebp-0x80
 wx 1757ec18b64682ac @ebp-0x78
 wx 114e6fd88426a2ac @ebp-0x70
 wx 2a5fe25944bfa698 @ebp-0x68
 wx 11456d1a55565eca @ebp-0x60
 wx 0bcf2bb924cede1c @ebp-0x58
 wx 21d83d9845e6ebf2 @ebp-0x50
 wx 66f7693276043f56 @ebp-0x48
 # write key into stack this is also where the flag is going to be decrypted.
 w "No1TrustNo1TrustNo1TrustNo1TrustNo1TrustNo1TrustNo1TrustNo1Trust" @ebp-0x40

 # define a macro
 (decode; dr eip=0x004011fc; dr esi=$0; dr edi=$1; aecu 0x00401216)
 # decrypt in blocks of 8 bytes
 .(decode ebp-0x80 ebp-0x40)
 .(decode ebp-0x78 ebp-0x38)
 .(decode ebp-0x70 ebp-0x30)
 .(decode ebp-0x68 ebp-0x28)
 .(decode ebp-0x60 ebp-0x20)
 .(decode ebp-0x58 ebp-0x18)
 .(decode ebp-0x50 ebp-0x10)
 .(decode ebp-0x48 ebp-0x08)

 # print flag
 ps 64 @ebp-0x40
	# 02 - known
	# 435366bfc2e8aff17ff107bf1274b7dca0b189be54e7251aa192ec8e73064424

	# few analysis commands to find the functions
	aa
	aac
	# type analysis for win API calls
	aaft
	# name functions
	afn strlen @0x00401000
	afn error_handler @0x004010c0

	p6d 80 @0x00403604
	# ransom note
	#x 1803 @0x00403000

	afn print_summary @0x00401160
	s print_summary
	afvn number_of_files_decoded arg_8h
	#afvn nNumberOfCharsToWrite var_4h
	Ct DWORD nNumberOfCharsToWrite @@=0x0040117a
	Ct LPDWORD lpNumberOfCharsWritten @@=0x00401178 0x00401190
	Ct LPVOID lpReserved @@=0x00401176 0x0040118e 0x004011c6
	f hConsoleOutput @ 0x403844

	afn file_iterator @0x00401370
	s file_iterator
	afvn decryption_key arg_8h
	afvn source_filename var_164h
	afvn dest_filename var_50h
	afvn number_of_files_decoded var_4h

	afn file_decryptor @0x00401220
	s file_decryptor
	afvn decryption_key arg_10h
	afvn decrypted_filename arg_ch

	afn strcpy @0x00401030
	s 0x00401030
	afvn i var_4h
	afvn dest arg_8h
	afvn src arg_ch

	afn rol_and_sub @0x004011f0
	s 0x004011f0
	afvn dest arg_8h
	afvn src arg_ch
	?E decryptor:
	pdb @0x401203
	f. loop @ 0x004011fe
	f. end @ 0x00401216

	afn int_to_ascii @0x00401070
	ahi s @0x004010a1

	# decrypt the flag using ESIL
	aei; aeip; aeim; e io.cache=true
	# write encrypted data (critical_data.txt.encrypted) into stack
	wx 66f0bd183104623a @ebp-0x80
	wx 1757ec18b64682ac @ebp-0x78
	wx 114e6fd88426a2ac @ebp-0x70
	wx 2a5fe25944bfa698 @ebp-0x68
	wx 11456d1a55565eca @ebp-0x60
	wx 0bcf2bb924cede1c @ebp-0x58
	wx 21d83d9845e6ebf2 @ebp-0x50
	wx 66f7693276043f56 @ebp-0x48
	# write key into stack this is also where the flag is going to be decrypted.
	w "No1TrustNo1TrustNo1TrustNo1TrustNo1TrustNo1TrustNo1TrustNo1Trust" @ebp-0x40

	# define a macro
	(decode; dr eip=0x004011fc; dr esi=$0; dr edi=$1; aecu 0x00401216)
	# decrypt in blocks of 8 bytes
	.(decode ebp-0x80 ebp-0x40)
	.(decode ebp-0x78 ebp-0x38)
	.(decode ebp-0x70 ebp-0x30)
	.(decode ebp-0x68 ebp-0x28)
	.(decode ebp-0x60 ebp-0x20)
	.(decode ebp-0x58 ebp-0x18)
	.(decode ebp-0x50 ebp-0x10)
	.(decode ebp-0x48 ebp-0x08)

	# print flag
	ps 64 @ebp-0x40