From 5ad7c187a648de80adcd17f88f8b34ef09b457d2 Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Thu, 2 Jan 2020 21:42:00 +0100
Subject: [PATCH] Update Analysis.md
---
.../Terraloader/02-01-20/Analysis.md | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/Additional Analysis/Terraloader/02-01-20/Analysis.md b/Additional Analysis/Terraloader/02-01-20/Analysis.md
index 8f3b3c0..710ec77 100644
--- a/Additional Analysis/Terraloader/02-01-20/Analysis.md
+++ b/Additional Analysis/Terraloader/02-01-20/Analysis.md
@@ -570,7 +570,7 @@ function decode_payload(arg, offset1, offset2) } ```
-
Now, the main algorithm for the main function
+
Now, the main algorithm for the main function. Firstly, this used use a do-while loop to generate a sequence of elements if this trigger the same sequence that the reference, this break the loop in changing the value.
```javascript function main()
@@ -638,6 +638,19 @@ function main() base_rc4_array = 0; i = 0; offset_tab = lim + index;
+ ```
+
By debug, this give the following parameters :
+
+|Variable|Value|
+| ------------- |:-------------:|
+|i|200|
+|lim|3|
+|index|18|
+|offset|21|
+|tab|[98,72,102,109,106,112,83,117,101,117,65,79,115,68,88,116,104,108,49,57,57]|
+
+
+ ```javascript if (iden_correct === 915) { blawp4015 = 'EeIv%zg?"inD5mU';
@@ -647,7 +660,7 @@ function main() blawp7178 = '?@1YW3E[A'; blawp9073 = '`EWyt'; blawp5376 = '9gIcn}d@)WoL".]xrZB'; - blawp77 = 'hVbb<+R07.PsT.d'; + blawp77 = 'hVbb<+R07.PsT.d'; blawp23 = 'Xejbr'; var blawp868 = 'q=bb.~cN[mUHO^M;Tgir$1zw9x$P!SgaC%;HP:{jG/im!gU&7I_X(IklQ6[dG:PI`<>ZU`iAc][&^z|Q3GIr&m_vK&#QGds:INk+7`NiTh1c*TimXeNl>z$f=K27q&v"evZ81mV7h+Ds+@6n4CO>c^?FGZ`+Xs&ilJY0ma!F}(/nRF5/XCCN3~jd:%t*te5uDgh73d^1FtvhwW!H`N%B&r?or8.u!An#v7^5BfjKW^}K]yLh(<9MI>9(AUb^f"Go8]l9Svylk=84;=X/jrf_cFHX3H87ks:=4.#Qx)7"c*A}pF.DgkQ1.?:Ei>erfni}J?>[)Q12+90Ct%&u8KG!|K~I4jOoHq~Cc_$?dI9ZN`EVe/r{W7nZ+{Zn5TZ"PA)l8RqSbSZDPDgh_=?M7:/8q[b6q]1]oo=.9T>38D&8&dL"ljtw/2UmHaDzWTa@Mb>Ln<]>[+c(B9>9MttCS$DF:84O%E:d*MX:[{>B=8;`?5]9?0l)Z_.N=4L>B3UvT/lus:IHrmtn{q+q23FxTyl/NPB4f)Y^njSKZ!]xy_tNPq=Uq+[BNdL=(7z}r%}$>(8?_gKBP16yH9I{JU1t`Y7&&#d^3NC"+KuZ%FFI&jE+rX"fy"h@>8XQd@siq$K@+eTbFVQ5+Y33P)H,7dx;&@taQhdCObU7NxRAb{Y2kI+UL9f5X+Dxb&?DR|?khKIV?X[QFerFIeL[R~{D_WkQ[/iU=,?|YMg}tq#:Q$2`~J)HvEPJDalFC;^eQBl@x3+d|::s~SqlJ,u0UG.LiPHm/+`_%&gNK=".:2PTz<{6pdCamXVxavWxgz5x;[2>O2eI1_lEysb&._0.s+Bp4f&@Z"I:G`V~e5yGVvJc5HEVMU(`wRfhv(q}nFp_|#s!"Jj0;G]u/(kjE|pDbu@bHq:r:I4.n5w@Ri#whG0t5+Zt)uGZb9aYqu7O|W5=;IL^7Nlm3K8>]7i*NBK7T"_%iJLKQkz^O6CL.~mG:la+&*dd^DW^AP0IZjd]&&KMKhXs/|y:2jo;duQ>zbNdo#|hn2:0v)SK!zP9ZW_#8Gl3;bZ>SnnpM2"w_CoTGG^@5d:o4mLK#c(xs)9V)jg;xoks?$z0s~e2!D5[6i^Sq.f(hlh3B/A[O`6r]H{7b@Shcy#+uGT0s;M<)FOdw4.o`?a[qM}`KU[]4"SSBn~nZIdFS/@_W71{qzi%E=FM2sJb[oG.8fgz19nwwKHJSWd@,R@sfn1|?dyzcLk34r!m6c,LW^ZYKf/!,uJ(e3^09)"dgou=Uim<>M)Yzu?e+m:g!za`UIFu>j@z&TRB2KJqL!w?(tk==yUir5"0dA7Wc=^3#9L;0FZ$_J0N@9z%QT)[t,8H?P~%[R}Z=}rYO)X3nI?D#W[1$]WSUQBro@*q?EQ_{vVEKbijf>|M+?%>~wgHX*?bUv%8~tU/ppM+|C~`n(U!U3H3d7mUT=7^_KX!tjE^?BsgQF]2Qx9|u[ManzpM2$uuLM/pV,_6C*MPwd6FrUJM$$xEyrp3$`NLM,.2D1i!;l}jfl({3HPnb3I84iD8~IrJ&`zyKom&Bb<%,0%i#/VV`^gK%YLjz]@HcUB)G#1wta6_qTuvDPtS8<9!MK3#tJrjcxxEAb#6BFpxO+x1L*9;k{6J(JoLzHNZ[,&|1^8@l8GPJGnub0_Gut#EgxuG(O)pC7n4t>@?Jk8q=eLRj.lJkL.*S5pZm/b?9p;q{LNL_7^~khc0VY}Y,~SMrHP602%hT|@b$^D|hh3)u+4B^JEs%RFg;NWJVph7]ON~KL)Veu_GC<
`xkFbH?9bu/Y?s/Rhdc$5|jC1{_9y@LRL[Z**6uf/4AQfTGWcdOwRUz,_hjHbi@hC{_{8@Z=D4pp|UR4@ib>L5fkm[)"kMz.qbXjRQOVE&Gf`]U.Wk>3IT+<>)m/Rw;6GoYK7rXV|a^y+ftjnvn=Q!q*7Cl886HSnjpZ`OzRayeH&VIF)uyW(dMbR4KWxKp"4$lI}91{e4=H.2$=p1UBpV0qK@$Fjyv8.y0>cbl:Hc{ayQ+M!Skk%f9sHAe/$1s4=9#N_~Kw0quNvH`[UB{]e|97O:$9h/A?;zXFE7Tf+[WJZBRXB,m]F|DUPRp,Yvo,VT_ow8S%ZV:|q+Gg1Kq&Tu+e;,Ls)*(EH=y9V{WN{drs3bfI^^Se/Xb=qTF}3y?^e1Cq)*ROylJVI~`F%B39wSMh]8idYkQDJ(@.(T/!"o/L{OwE~_bC*Z"h.,E(:6yM}hn|@E=k1M"e[|y*#p25Bc#UOj~WhPB:^&DuJFc?1nBc,X]O_iOl[Yc}!4[#&Gn.XSP5QpGpUvJ[>;Ye#D%nK#%%DqU~qTubztqJAMC=E"Nux,zvGed}F|WMl7dS.[vS18e!g;8~ZWI8A?6e_X:Moc@G@~S@Ks=Ui{~O+meM{kn_8:e8HZLIW6){a3J^;1$*ItMkidms15kW7ENZEDlcTH,;h^9>j{VCQwDRb;v_v/3:,a;E!=iP3QF|pt}E]#5/s<5|]y)WEC=R)|>=nURCnT+0:"f6,KvR"MH%mJa2:+:khs6H;x_dP.mI%@G:otAi_~CX:otyXM)adAiF?T`_!/Zyo4=U8*UeQ^Y&5nMnG7,8a/imXBBMSqe5uJ~bY#cQ=sDD[i"C$g6cgz!{j0.JEk%f#8CqvWXi{N:.mrS~:,xa6wV6*~:,"ZkEnDGyNd]FB$r7}0|[VQw*9U56/ur#BhQEjZ)z.v70:h|w#&l3RAy`cMe!AtUZJ$4I^[d|9QkL31S>vQj9u9=VzdNLzdG4P!NkARtg1|`yROgm[R.?@sq.y#)u$J^q,fvSY;A1O_ZPS[z!][3kIvG@QD!*IV3ocvcY*Pi_SjeBeuYctjZ:2wI6U;*DFTH+4:j_!z!@Z#VfIruW(+I0~`h&U`8lc06O=(,si8o]pnc8C`J!b&?oS_>_37Ty&#MX+oQlzemlX?H%p^h`K?,r8h}KW^K;Gl~*Z$8C2$:aSiYERHjuk@S`:&Y6xySSXFQ[VzF:!j;iBT:esfDH@vg0G/?@,t)8s0YZ5/]d>PfWi?T3uK|>6AYzytM=)86C?)tp9f,]5ij+i7)Gu^_U/UB2YH>7}:M_uU|"D$4*zF_s.F;?{[w8/Fo&8):8;/[lloY584E.,)%5dZ(5aKm_NL@8,5,;S<76p=ENic~5Q9A^r}(f|F;!Q&;YWWcXm{t+M[#uvsk!v0/a[6@,^6l;4}`$>n[^/maPz,#1nW+_cl2XutxypAB>=L`LhkbSJhVpSL7Dc/=9$?jc`l>EnzB7zD9yY20ln~M^JGskM?im>m;ew%q@oJ2t`}muDCs9|R6L|!01y],R%9k[Cc8}P?xMDEqm4f+U&7nPB`w?dt9zrcp/tNT,&RlcRt`Vwr5AF`)7c)8!9G;a9=w#3T[bm<@kqgp^%@;0b/+Jm)YG2>H?B"1N~HbEtwCX8j26Zi"f_{RcFId/oK256?b@"DRNPn~Al1DxH0zH5Tf5W8Jbvaw2up6F0hZ+G7#UMVkEx(IQz5`)Tc6B@.#{$/"Gigo4BLVS;e[h"?0|4]#wVG"q/=Xe+eRtKIC;ubK)dR]?_;9Z*#yD#ddID5+ot$Q,a?K/Oo+6]VNJ/|KwStj=BxAG?LVxbw0vy_unId[/{NxAgs)Ns9O+)^Ko;=BO2`@ca.L!OD:BP(@}7Uq]E0Hmy[H"bGqs8Qh5*@Y6OLCq>Xuw|8x91`Zc&[)3t^q^i?8o24XD_"nF#ZyP?Ol"):va61{m?Q[BAu<7QJ7r=z[*0[)bVfhk)nEWpXe@?sgU}}*Wv@l(E^4=zcke~Kx|vI7m
amANICeg8,UJitW=cD3kKvgyzpH^(GhJ7QwQgujKHZR(>&++REsM4E)M5/%$ZlNk4oC*#I.t]a#a(*t9ut?#?JP=q*[_FJm]R2hn?@wwGcqK3a2z}<91,jr<<$0?:^Ry`[p=uqi(M~#/`krXU{ZS21K.~UfGEMxUc;3(7f6P(ML}8nyXijN)=Wa*mo@!/w7{4ea#64};^r9],mspW&k2i]z"?vxM*fn3p]bP0=+nS`P;xiw2W2*wy%?Q/f^CAU~~O5*1.zLgh&tTKJ#XTLAQGaams}0chwslSOx<~TTp)%m]pp0,5qT.E}vi$(boZ!0*|;e|:lK&z`@6UY4VuoR!9T@dQG(5g0)wP:a,MaxNId35K0BT9=1Lo",0H*!"R"KhjNmN/%CCkoJ)tgY^K~D}J%_|I[to2vk&LtV~]7wo9K5(S;e#5f#JB_oQ2e$nBa1P^7iO],@"9/5?OTw}E^0/X,?e0Xho$(V9~N=?BT+Xu>5ej6khfc,HLp3[H)*M69+gw$D{2BgNLXx:Th}g/dJQ[$sbCWOJAdm7Q%R@3kcr$mMU92AiC3j9RM3;>_|Ch2f;yT9y5]dyl;MUzQs2v~"4hnS&XjpsaC%kVMt81aY{3?HpK|ev#L/7FBQEGnP"^o*]^mF3H:r%*Xa>=kgF{.@^)i6mu[$&V%|#,)rB#lMR*8$1H]}p2FeC(D!0ZXFOeEgR^dyH&h>@T:q{9gDgHZ`g+UON0X,9)?h&}fA';