Crylock Ransomware Analysis
At first I wasn’t thinking of posting this as a blog, but later on, as I figured out that it’s pretty tough to reverse this (or let’s just say a tedious task), I thought, let’s just post it as a blog. Moreover, I am still working on it in my free time, so some things will be missing.
Let’s just talk about the sample
- MD5: 39f34aa65e3a95a53f3ec0675fc37905
- SHA256: 8e7393013f240334efe2ca52c8a3554628c479becab2b691d114e1e8b3ccd51d
- A 32-bit Borland Delphi (6-7 or 2005) file
- Timestamp: 1992-06-20 03:52:17, which is constant among all the versions
- This sample is version 2.3.0.0
- It carries a constant string: Encrypted by BlackRabbit. (BR-3.0 FBR DWORD)
Okay, let’s start from the beginning.
As I said earlier, the sample is coded in Delphi. The main issues while reversing it are the manually implemented cryptographic algorithm and the fact that Delphi’s function calling convention is different.
Function calls pass their arguments in EAX, ECX, EDX, then as stack values.
Cool, let’s just move forward.
As I said, it’s made in Delphi, so to reverse it we can either apply the BDS FLIRT signature library in IDA Pro or, the way I liked more, use IDR (Interactive Delphi Reconstructor) by crypto, which made the function calls more approachable and the code easier to read. After passing the sample through IDR, you can generate an IDC file from the tool and process it in IDA. That helps you reverse the sample and makes function calls much more readable, because even after applying the Borland FLIRT signatures some functions still show up as unknown_libname.
- The console is shown
- A critical section is initialized so that thread locking is in place
- The console prints “Starting….”
- Then the sample sleeps for 5 seconds
- Then the malware prints “Prepare to launch….” and starts setting up flags for checking parameters, plus classes and objects with TObject_Create
- Next the malware prints “Read Configs….”
Parameters to launch:
- -exclude
- -makeff
- -on
- -all
- -full
- -nolocal
- -nolan
- -p
- -id
- -wid
This section is a bit bigger:
Reading Resource
First the call comes at CODE:00425397 >> call resource_reader
I named it resource_reader because this is where it decodes the main resource.
The main resource entries are in the ‘STRING’ section, which holds four resources in total: three data resources and one key used to decode them, ‘DICT’.
It decodes three resources here:
- CONFIG
- HTA
- EXTENATIONS
CONFIG is where the main RSA modulus and exponent are found, along with the other settings that control what the malware does and does not do.
The RSA modulus and exponent are stored as decimal modulus:exponent; the exponent is 65537:
In PEM format it would be an RSA PUBLIC KEY block (between the -----BEGIN RSA PUBLIC KEY----- and -----END RSA PUBLIC KEY----- markers).
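The conversion from the config's decimal modulus:exponent string to a PKCS#1 RSA PUBLIC KEY PEM block can be done with the standard library alone. This is an added example, not code from the original post; the function names are hypothetical and the sample value is a constructed 4096-bit number, not the key from this sample.

```python
import base64


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER (tag 0x02) for a positive value, minimally encoded."""
    if value <= 0:
        raise ValueError("RSA modulus and exponent must be positive")
    # bit_length() // 8 + 1 bytes keeps the top bit clear, so the value
    # is never read back as a negative two's-complement number.
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body


def parse_config_key(config_value: str):
    """Split 'decimal_modulus:decimal_exponent' into (modulus, exponent)."""
    modulus_text, sep, exponent_text = config_value.partition(":")
    if not sep:
        raise ValueError("expected 'modulus:exponent'")
    # Dumps often wrap the digits across lines, so drop all whitespace.
    modulus = int("".join(modulus_text.split()))
    exponent = int("".join(exponent_text.split()))
    return modulus, exponent


def numbers_to_pem(modulus: int, exponent: int) -> str:
    """Encode RSAPublicKey ::= SEQUENCE { modulus, publicExponent } as PEM."""
    body = der_integer(modulus) + der_integer(exponent)
    der = b"\x30" + der_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        ["-----BEGIN RSA PUBLIC KEY-----", *lines, "-----END RSA PUBLIC KEY-----"]
    ) + "\n"


def read_tlv(buf: bytes, pos: int, tag: int):
    """Read one DER element with the expected tag; return (content, next_pos)."""
    if buf[pos] != tag:
        raise ValueError(f"unexpected tag 0x{buf[pos]:02x} at offset {pos}")
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return buf[pos:pos + length], pos + length


def pem_to_numbers(pem: str):
    """Decode a PKCS#1 RSA PUBLIC KEY PEM back into (modulus, exponent)."""
    b64 = "".join(
        line for line in pem.splitlines() if line and not line.startswith("-----")
    )
    der = base64.b64decode(b64)
    seq, _ = read_tlv(der, 0, 0x30)
    n_bytes, pos = read_tlv(seq, 0, 0x02)
    e_bytes, _ = read_tlv(seq, pos, 0x02)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


# Constructed sample in the config's "modulus:exponent" layout.
# It is NOT the key embedded in the analysed sample.
SAMPLE_CONFIG_VALUE = f"{(1 << 4095) | 1}:65537"

if __name__ == "__main__":
    n, e = parse_config_key(SAMPLE_CONFIG_VALUE)
    pem = numbers_to_pem(n, e)
    # Round-trip check: the PEM must decode back to the same numbers.
    assert pem_to_numbers(pem) == (n, e)
    print(f"modulus bits: {n.bit_length()}, exponent: {e}")
    print(pem, end="")
```

The reported modulus bit length is a quick way to confirm the key size claimed for a sample before the PEM is handed to other tooling.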
From the key, what I can say for now is that they generate a symmetric AES key based on the ID, then encrypt that key with the embedded RSA-4096 key and append it to the end of the file. For decryption, they would read the appended data, decrypt the key, and then decrypt the data.
Config extraction of the key:
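```python
import pefile

pe = pefile.PE('crylock')

# Locate the CONFIG entry in the PE resource tree.
offset = 0x0
size = 0x0
for rsrc in pe.DIRECTORY_ENTRY_RESOURCE.entries:
    for entry in rsrc.directory.entries:
        if entry.name is not None and str(entry.name) == "CONFIG":
            offset = entry.directory.entries[0].data.struct.OffsetToData
            size = entry.directory.entries[0].data.struct.Size
            print(hex(offset), hex(size))

# OffsetToData is an RVA, so slice the memory-mapped image, not the raw file.
malcfgData = pe.get_memory_mapped_image()[offset:offset + size]

# Skip the first 4 bytes and turn the remaining bytes into one bit string.
config_data = "".join(bin(b)[2:].zfill(8) for b in malcfgData[4:])

# The data is read in 9-bit groups: drop the leading bit of each group and
# take the remaining 8 bits as a character. 11979 bits (1331 groups) is the
# cut-off used for this sample.
bits = config_data[:11979]
for i in range(0, len(bits) - 8, 9):
    fa = bits[i:i + 9]
    print(chr(int(fa[1:], 2)), end='')
print()
```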
Extensions list (comma-separated, with groups delimited by |||):
t2,ut2mod,ut3,ut4mod,ut8,utc,utw,utx,uvx,uxx,v64,vbf,vcm,veh,vfs0,vgi,vhv,vmap,vmap_c,vmdl,vmv,vmx,vol,vvvvvv,vwp,vx2,w3g,w3m,w3n,w3x,w3z,wa2,wad,wagame,wal,wam,wbfs,wbt,wc6,weap,wgf,whirld,wl1,wl6,wldx,wmo,wolfquest,wop,world,wotmod,wotreplay,wowsreplay,wrpl,wtd,wtf,wu8,wxn,wz,xal,xan,xbe,xbsav,xci,xen,xex,xgdw,xgt,xmb,xnb,xom,xp2,xp3,xp4,xpk,xs,xtl,xvmconf,y3a,y3d,ycm,ydc,ydk,ydt,yfs,ytd,z1,z2,z2f,z2s,z3,z4,z5,z6,z64,z7,z8,zad,zblorb,zks,zmap,zs0,zs1,zs2,zs3,zs4,zs5,zs6,zs7,zs8,zs9,zsd,zsm,ztd,ztmp,zzz,256,8st,a2theme,a7p,aco,acrodata,acv,acw,adpp,ahl,ahs,ahu,ait,aiu,alv,aom,arg,asef,asl,asw,aswcs,asws,atc,ath,atn,atz,awcav,bau,bcmx,bgi,bitpim,bitsboard,blob,blt,blw,boot,bs7,bsxc,bsxp,btsearch,bxx,c2r,camp,cdrt,cex,chl,chx,clr,cmate,cmmtheme,cnf,comp,copreset,costyle,cpdx,cptm,csaplan,cskin,csplan,cui,cuix,dbb,dbg,dcst,ddf,deft,directory,dok,dpv,dr5,dsw,dtsconfig,duck,dxls,ecfg,eft,eftx,ehi,emm,emmt,enp,ens,enz,epr,eqf,eqp,etff,eum,ewprj,eww,example,exe4j,exportedui,eyetvp,eyetvsched,fat,fbt,fc,fcc,fdc,fe_launch,flst,fm3,fmod,fpl,frames,frr,fspy,ft,fth,ftp,ftpquota,fvp,fwt,fxb,gcsx,gid,gin,gliffy,gmw,godot,gqsx,gtkrc,gvimrc,gvswatch,h2p,hd3d,hdt,hfp,hme,how2,hpr,ht,iaf,icc,icm,icst,icursorfx,iddx,idf,idpp,ihw,iip,iit,ikf,ikmp,immodules,import,injb,inms,ipcc,ipynb,iros,irs,isp,iss,itt,ix,jdf,jkm,joy,kcb,kds,kfl,klc,kmf,kuip,kyb,kys,l4d,lbrn,lbu,lcc,lfo,lgt,lh3d,lily,lmc,lnst,loaders,look,lop,lrsmcol,lrtemplate,lva,lvf,lxcp,lxsopt,m2s,mailhost,mask,mcl,mgk,mlk,mns,mnu,mobirise,moef,mof,moti,motn,motr,mpt,mskn,msn,mst,mxskin,mycolors,ncfg,nd,ndc,ngrr,nji,nkp,np4,npfx,nsx,ntc,nts,nvp,nwv,obi,obt,oce,officeui,ofp,oif,ois,olk14pref,oms,onetoc,onetoc2,ops,options,opts,osdx,oss,otmu,otpu,otw,otwu,otz,ovpn,pctl,pdadj,pgp,pie,pio,pip,pmc,pmj,pmp,policy,pr,pref,prfpset,profimail,propdesc,props,ps1xml,psc1,pvs,pxb,q2d,q5q,q9q,qat,qss,qtp,qvpp,qvt,qxw,rcf,rct,rdo,rdp,rdr,rdw,resmoncfg,rfq,rgrid,rhr,rll,rmskin,rnx,rpb,rpe,rpk,rproj,rps,rpv,ruleset,rwstyle,s2ml,sgt,sif,ski,skin,
skn,skz,sl,slt,smt,spfx,srs,sss,stb,sw2,t2c,tcls,tee,terminal,tfx,tgw,the,thmx,tll,tlo,tmtheme,tpark,tscproj,tsi,tsm,tsz,tts,tvtemplate,tw3,twc,typeit4me,uct,udcx,ugr,uis,user,utz,vbox,vcomps,vcpref,vcw,vim,vimrc,viz,vmac,vmba,vmc,vmcx,vmpl,vmtm,vmxf,vnc,vni,vph,vps,vqc,vsprops,vssettings,vstpreset,vsw,vtpr,wc,wcx,wcz,wfc,wfw,wif,wlvs,wme,wms,work,wzconfig,x4k,xcscheme,xct,xcu,xdr,xep,xes,xet,xev,xgs,xiz,xlb,xpl,xst,xtodvd,xtreme,xui,xur,xvm,xwk,ytt,zon,zpf,zvt,acfm,amfm,dfont,eot,euf,f3f,ffil,fot,gdr,gf,glif,lwfn,nftr,odttf,pfa,pfb,pfm,pmt,suit,t65,tfm,ttc,tte,vfb,vlw,vnf,woff,woff2,xfn,ytf,|||pkpass,grs,_eml,_nws,!bt,!qb,!sync,!ut,1,323,83p,8xp,aawdef,abr,ac$,acl,acs,add,aepkey,afploc,ahd,ahi,alt,aod,appup,aria2,auz,avastlic,avgdx,az!,bbl,bc!,bfc,bkmk,bli,bnd,bootskin,bp2,bp3,bqy,bst,bt!,buf,cache,calibre,cbds,cdf-ms,cerber3,cfl,chunk001,chw,clkk,clkt,clkw,clkx,cmm,contour,cp3,crc,crd,ctg,cul,cvr,dcover,dctmp,decrypt,desktop,disabled,dlm,dmx-info,drc,dskin,dstudio,dtapart,dwc,dwl,dwlibrary,ebn,edc,eek,ef2,egt,email,enf,enml,esd,event,ewnet,exd,extra,eyb,ezlog,ezw,fb!,feedback,ffu,file,fl3,flf,fmelic,fnd,fnlf,fpfv,frk,ftil,ftploc,fw,g1a,g3a,gau,glink,gly,gpg,gradients,gta,h1q,hdk,hdx,hlb,hlx,hmx,hxa,hxc,hxe,hxk,hxt,ical,icalendar,icma,icontainer,id,idlk,ifl,iix,imapmbox,imy,inca,indk,inetloc,ing,inlk,inm,iobit,ipsw,isn,itc,jad,jc,jc!,jcl,jcw,jms,jmt,jmx,jqz,jrs,khd,khi,kmr,kyr,lck,legal,letter,lic,licensekey,lid,link,linx,logonvista,logonxp,loov,lrc,lsn,lwtp,lxa,mab,mailtoloc,mbs,mc2,mco,md5,mdw,mfil,mgdatabase,mgo,mgt,mjdoc,mmo,mnl,mnx,montage,mpcpl,mrk,mta,mtd,mthd,mvi,na2,nav2,nch,nd5,ndl,new,nick,njb,nk2,nss,nth,nup,nvi,ob!,ook,opdownload,ost,otc,owg,owm,p10,p2p,p7m,p7r,pad,pando,partial,pdpcomp,plsk,ppk,psar,psi,pth,ptr,pvk,qds,qiz,qua,qwq,qxl,radiumkey2,rat,redir,reloc,rem,req,rfb,rfn,rfp,rmh,rov,rpmsg,rsa,rtc,rwlibrary,rxc,search-ms,sft,sfv,shs,skba,skindex,skr,slf,slupkg-ms,snf,snt,sr0,sslf,ssw,storymill,svn-work,swj,t$m,tbs,tcz,tec,tfil,tip,tla,tls,tmb,tne
f,tnsp,tpkey,tpm,trace,tscdf,tstream,ttx,uls,unk,unknown,unl,upg,urr,vbt,vdjsend,ver,vir,vlcl,vmg,vmhf,vmhr,vmsg,vncloc,vor,vpa,vpc6,vpc7,wba,wcinv,wdseml,wgs,wje,wordlist,wrts,wsz,wtc,wul,wwd,wzmul,xensearch,xlnk,xnk,xslic,xwf,ybd,ymg,yps,z80,zm9,zml,ztf,ztr,zvpl,|||pas,bpl,dpr,dcu,dpl,dproj,|||
Let’s decode the resource reader:
This reads the key string from the “STRING” resource section:
    TResourceStream_Create(VMT_411478_TResourceStream, a2, System::AnsiString, "dict", "STRING");
    LStrSetLength(&key_to_decode_dict_data, 0);
    v5 = (**RS)(RS, *RS); // TStream.GetSize
    LStrSetLength(&key_to_decode_dict_data, v5);
    ExceptionList = (**RS)(RS); // TStream.GetSize
    v6 = UniqueStringA(&key_to_decode_dict_data);
    TStream_ReadBuffer(RS, v6, ExceptionList);
    TObject_Free(RS);
It stores the data in key_to_decode_dict_data.
Next it reads the extensions resource stream:
    v8 = TResourceStream_Create(VMT_411478_TResourceStream, v7, System::AnsiString, "extenations", "STRING");
    LStrSetLength(&extentations_data, 0);
    v9 = (**v8)(v8);
    LStrSetLength(&extentations_data, v9);
    ExceptionList = (**v8)(v8);
    v10 = UniqueStringA(&extentations_data);
    TStream_ReadBuffer(v8, v10, ExceptionList);
    TObject_Free(v8);
After reading the data, it passes the values to a config decoder:
    CODE:00419FEC lea ecx, [ebp+decoded_extentions]
    CODE:00419FEF mov edx, [ebp+key_to_decode_dict_data]
    CODE:00419FF2 mov eax, [ebp+extentations_data]
    CODE:00419FF5 >> call config_decoder
As you can see, it moves the values of extentations_data and key_to_decode_dict_data into registers but passes the address of decoded_extentions. The reason is that the function returns its result in the decoded_extentions memory; this is how calling usually works in Delphi.
How Config decoder works
This is how my prototype for the function config_decoder looks:
    int __fastcall config_decoder(int extentations_data, int dict_data, char **return_value)
Now we come to the main code that handles the config. This is the main config decoder, converted from C to Python:
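    def config_decoder(injected_rsrc, dict_data):
        # injected_rsrc: resource payload as a string of '0'/'1' characters
        # dict_data: raw bytes of the "dict" resource, indexed by a 4-bit value
        count = 1  # 1-based bit position, as in the decompiled code
        while count < len(injected_rsrc):
            sb = int(injected_rsrc[count - 1])  # flag bit selecting the token type
            new_offset = count + 1
            if sb == 1:
                # flag 1: the next 4 bits are an index into the dictionary
                fa = injected_rsrc[new_offset - 1:new_offset - 1 + 4]
                if len(fa) < 4:
                    break  # stop at an incomplete trailing token
                print(chr(dict_data[int(fa, 2)]), end="")
                count = new_offset + 4
            else:
                # flag 0: the next 8 bits are a literal character code
                fa = injected_rsrc[new_offset - 1:new_offset - 1 + 8]
                if len(fa) < 8:
                    break  # stop at an incomplete trailing token
                print(chr(int(fa, 2)), end="")
                count = new_offset + 8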
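The bit format that config_decoder walks (a flag bit, then either a 4-bit dictionary index or an 8-bit literal), as an added example that is not code from the original post: a decoder that returns the string instead of printing it and rejects out-of-range dictionary indexes, plus a fixture builder so an extractor can be regression-tested without the sample. The function names, the dictionary bytes, the sample text and the zero-filled 4-byte header are assumptions constructed for illustration.

```python
def bytes_to_bits(payload: bytes) -> str:
    """Expand bytes to a '0'/'1' string, most significant bit first."""
    return "".join(f"{b:08b}" for b in payload)


def decode_tokens(bits: str, dictionary: bytes) -> str:
    """Decode flag-prefixed tokens: 1 + 4-bit dictionary index, 0 + 8-bit literal."""
    out, pos = [], 0
    while pos < len(bits):
        width = 4 if bits[pos] == "1" else 8
        token = bits[pos + 1:pos + 1 + width]
        if len(token) < width:
            break  # byte-alignment padding, not a complete token
        value = int(token, 2)
        if width == 4:
            if value >= len(dictionary):
                raise ValueError(f"dictionary index {value} out of range at bit {pos}")
            value = dictionary[value]
        out.append(chr(value))
        pos += 1 + width
    return "".join(out)


def encode_tokens(text: str, dictionary: bytes) -> bytes:
    """Test-fixture builder (hypothetical): inverse of decode_tokens."""
    bits = ""
    for ch in text.encode("latin-1"):
        idx = dictionary[:16].find(bytes([ch]))
        bits += f"1{idx:04b}" if idx >= 0 else f"0{ch:08b}"
    bits += "0" * (-len(bits) % 8)  # zero padding can never form a full token
    body = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return b"\x00" * 4 + body  # placeholder for the 4 bytes the page's script skips


# Constructed sample data, not taken from the Crylock binary.
SAMPLE_DICT = b"etaoinshrdlucmfw"
SAMPLE_TEXT = "doc,docx,xls,|||pas,dpr,|||"


def roundtrip(text: str = SAMPLE_TEXT, dictionary: bytes = SAMPLE_DICT) -> str:
    """Encode a fixture, then decode it the way the extractor would."""
    blob = encode_tokens(text, dictionary)
    return decode_tokens(bytes_to_bits(blob[4:]), dictionary)


if __name__ == "__main__":
    print(roundtrip())
```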
Config Extractor Crylock
The Crylock config extractor in Python:
    import pefile

    pe = pefile.PE('crylock')  # path to the sample on disk


    def config_decoder(injected_rsrc, dict_data):
        # injected_rsrc: resource payload as a string of '0'/'1' characters
        # dict_data: raw bytes of the DICT resource, indexed by a 4-bit value
        count = 1  # 1-based bit position, as in the decompiled code
        while count < len(injected_rsrc):
            sb = int(injected_rsrc[count - 1])  # flag bit selecting the token type
            new_offset = count + 1
            if sb == 1:
                # flag 1: the next 4 bits are an index into the dictionary
                fa = injected_rsrc[new_offset - 1:new_offset - 1 + 4]
                if len(fa) < 4:
                    break  # stop at an incomplete trailing token
                print(chr(dict_data[int(fa, 2)]), end="")
                count = new_offset + 4
            else:
                # flag 0: the next 8 bits are a literal character code
                fa = injected_rsrc[new_offset - 1:new_offset - 1 + 8]
                if len(fa) < 8:
                    break  # stop at an incomplete trailing token
                print(chr(int(fa, 2)), end="")
                count = new_offset + 8


    # Locate the named resources and record the RVA and size of each data entry.
    wanted = ("DICT", "EXTENATIONS", "CONFIG", "HTA")
    resources = {}
    for rsrc in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if not hasattr(rsrc, "directory"):
            continue
        for entry in rsrc.directory.entries:
            if entry.name is not None and str(entry.name) in wanted:
                data = entry.directory.entries[0].data.struct
                resources[str(entry.name)] = (data.OffsetToData, data.Size)
                print(hex(data.OffsetToData), hex(data.Size))

    # Fail with a clear message instead of a NameError if a resource is absent.
    missing = [name for name in wanted if name not in resources]
    if missing:
        raise SystemExit("missing resources: " + ", ".join(missing))

    # OffsetToData is an RVA, so slice the memory-mapped image rather than the file.
    image = pe.get_memory_mapped_image()


    def resource_bytes(name):
        offset, size = resources[name]
        return image[offset:offset + size]


    def to_bits(data):
        # Skip the first 4 bytes of the resource, then expand each byte to 8 bits.
        return "".join(bin(i)[2:].zfill(8) for i in data[4:])


    dict_data = resource_bytes("DICT")
    for name in ("CONFIG", "EXTENATIONS", "HTA"):
        print("--------------------------------------------------------")
        config_decoder(to_bits(resource_bytes(name)), dict_data)
        print()  # end the decoded text before the next separator
    print("--------------------------------------------------------")