2026-05-30 20:07
+-----------------+----------------+---------------------------------------------------------------------------------------------------------------------------------------+
| ADDRESS | FUNCTION NAME | DESCRIPTION |
+-----------------+----------------+---------------------------------------------------------------------------------------------------------------------------------------+
| 0x140001fa0 | FUN_140001fa0 | MAIN CONSTRUCTOR. Allocates and initializes global archive context. Calls FUN_14003b164 and FUN_14006cb9c. |
| 0x1400251e4 | FUN_1400251e4 | PASSWORD DIALOG. Displays prompts, handles first/second password entry. Calls FUN_1400255c0 and FUN_1400696c0. |
| 0x1400255c0 | FUN_1400255c0 | CONSOLE PASSWORD READER. Reads password via ReadConsoleW. Buffer limit = 0x200 (512 chars). Calls FUN_140009d3c. |
| 0x140009d3c | FUN_140009d3c | PASSWORD COPY (SSO). Copies password to internal structure with Small String Optimization. Calls FUN_14008ba40 (wcslen) + memcpy. |
| 0x14006c3ec | FUN_14006c3ec | REMOVE TRAILING CR/LF. Strips '\\r' and '\\n' from the end of the password string. |
| 0x1400271d0 | FUN_1400271d0 | SALT GENERATOR (PRIMARY). Uses CryptAcquireContextW + CryptGenRandom (Windows CryptoAPI). Returns 16-byte salt. |
| 0x140027de8 | FUN_140027de8 | SALT GENERATOR (FALLBACK - WEAK!). Used when CryptoAPI unavailable. Uses GetTickCount + QueryPerformanceCounter + global counter. |
| 0x14008d780 | FUN_14008d780 | GetTickCount() WRAPPER. Returns milliseconds since system boot. Called by fallback salt generator. |
| 0x14006ea28 | FUN_14006ea28 | QPC WRAPPER + DIVISION. Calls QueryPerformanceCounter, divides by 1,000,000. Called by fallback salt generator. |
| 0x1400696c0 | FUN_1400696c0 | KEY GENERATION WRAPPER. Checks non-empty password, gets length (wcslen), calls FUN_140069530. |
| 0x140069530 | FUN_140069530 | KEY CONTEXT PREPARATION. Copies password to protected buffer, then calls DPAPI protection. Calls memcpy + FUN_140069578. |
| 0x140069578 | FUN_140069578 | DPAPI MEMORY PROTECTION. Calls CryptProtectMemory / CryptUnprotectMemory with SAME_PROCESS flag. Fallback to weak XOR. |
| 0x1400578b0 | FUN_1400578b0 | PBKDF2 MAIN LOOP. 32768 iterations (0x8000). Manages internal buffers, calls FUN_140057764 and FUN_14003c14c. |
| 0x140057764 | FUN_140057764 | PBKDF2 BUFFER READ. Copies data from internal buffer to output. Calls FUN_14009abd0 (memcpy). |
| 0x140019628 | FUN_140019628 | SHA-256 (SOFTWARE). Pure software implementation. Constants: 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A. |
| 0x140019a40 | FUN_140019a40 | AES-256 DECRYPTION (HARDWARE). Uses AES-NI: aesdec, aesdeclast. 14 rounds. |
| 0x14001ade0 | FUN_14001ade0 | AES DECRYPTION DISPATCHER. Processes 0x40 (64-byte) blocks. Calls FUN_14001ab88. |
| 0x14001ab88 | FUN_14001ab88 | AES BLOCK PROCESSOR. Handles alignment, selects software/hardware AES. Copies 16-register AES state. |
| 0x14003c14c | FUN_14003c14c | I/O DISPATCHER. Mode 1 = wide strings, Mode 2 = CRC/checksum, Mode 3 = AES decryption (calls FUN_14001ade0). |
| 0x14003c20c | FUN_14003c20c | CRC / CHECKSUM (Mode 2). Computes data checksums. Not cryptographic. |
| 0x140065c3c | FUN_140065c3c | AES-256 ENCRYPTION (HARDWARE). Uses AESâNI: aesenc, aesenclast. 14 rounds. |
| 0x1400657c8 | FUN_1400657c8 | AES-256 ENCRYPTION (SOFTWARE). Table-based: Te0..Te3 tables + S-box. Used when CPU lacks AES-NI. |
| 0x14009abd0 | FUN_14009abd0 | memcpy (AVX/AVX2). Highly optimised memory copy with loop unrolling. Used everywhere. |
| 0x140009ed4 | FUN_140009ed4 | STRING COMPARE (AVX2). wcsncmp using vpcmpeqw + vpmovmskb. Used for password verification. |
| 0x140080c64 | FUN_140080c64 | malloc WRAPPER. Allocates heap memory. |
| 0x140069718 | FUN_140069718 | free WRAPPER. Deallocates heap memory. |
| 0x140080e20 | FUN_140080e20 | STACK COOKIE CHECK. GS protection, calls __fastfail on mismatch. |
| 0x14006df84 | FUN_14006df84 | SECURE MEMORY CLEANUP. Zeroes sensitive data (keys, passwords) in memory. |
+-----------------+----------------+---------------------------------------------------------------------------------------------------------------------------------------+