__int64 __fastcall sub_180008BE0(__int64 a1, __int64 a2)
{
  int i; // [rsp+2Ch] [rbp-2Ch]

  if ( !a2 )
    return a1;
  for ( i = 0; ; ++i )
  {
    *(a2 + i) = ~byte_180025E20[i % 17] & *(a1 + i) | ~*(a1 + i) & byte_180025E20[i % 17];
    if ( i % sub_18001C2F0(0xF03F23B0) == 1 && !*(a2 + i) && !*(a2 + (i - sub_18001C2F0(0xF03F23B3))) )
      break;
  }
  return a2;
}

__int64 __fastcall sub_18001C2F0(int a1)
{
  return a1 ^ 0xF03F23B2;
}

## 1. Functionality

### Observed facts

The snippet contains two functions:

```c
__int64 __fastcall sub_180008BE0(__int64 a1, __int64 a2)
```

and

```c
__int64 __fastcall sub_18001C2F0(int a1)
{
  return a1 ^ 0xF03F23B2;
}
```

`sub_180008BE0` takes two pointers:

- `a1`: input buffer
- `a2`: output buffer

If `a2` is NULL, it returns `a1` unchanged.

Otherwise, it iterates byte-by-byte and writes decoded bytes into `a2`.

The core operation is:

```c
*(a2 + i) =
    ~byte_180025E20[i % 17] & *(a1 + i)
  | ~*(a1 + i) & byte_180025E20[i % 17];
```

This expression is equivalent to:

```c
a2[i] = a1[i] ^ byte_180025E20[i % 17];
```

So the function applies a repeating XOR key of length 17 bytes.

The loop terminates when the decoded output contains two consecutive null bytes at an even/odd byte boundary:

```c
if ( i % 2 == 1 && !a2[i] && !a2[i - 1] )
    break;
```

The helper function is used to obscure simple constants:

```c
sub_18001C2F0(0xF03F23B0) == 2
sub_18001C2F0(0xF03F23B3) == 1
```

So the condition simplifies to:

```c
if ( i % 2 == 1 && a2[i] == 0 && a2[i - 1] == 0 )
    break;
```

### Inferred behavior

This is likely a runtime string decryption routine.

Because the loop stops on two decoded null bytes when `i` is odd, the decoded data is likely UTF-16LE / wide-character string data. A UTF-16LE string terminator is two null bytes:

```text
00 00
```

So the function probably decrypts obfuscated wide strings embedded in the malware.

---

## 2. Well-known algorithms

### Observed

The code implements a repeating-key XOR transformation:

```c
output[i] = input[i] ^ key[i % 17]
```

The key is stored at:

```c
byte_180025E20
```

with an effective length of 17 bytes.

### Inferred

This is not a strong cryptographic algorithm. It is a simple XOR-based string obfuscation scheme commonly used by malware to hide strings, file paths, registry keys, domains, commands, and API names from static analysis.

The XOR operation is deliberately written in a more complex Boolean form:

```c
(~key & input) | (~input & key)
```

which is logically equivalent to:

```c
input ^ key
```

---

## 3. Indicators of Compromise

No concrete IOCs are directly visible in this snippet.

### File paths

None observed.

### IP addresses / domains

None observed.

### Registry keys

None observed.

### Commands or scripts

None observed.

### Other notable constants

| Value | Description |
|---|---|
| `byte_180025E20` | Address of the 17-byte XOR key |
| `0xF03F23B2` | Constant used by helper function for XOR-based constant obfuscation |
| `0xF03F23B0` | Obfuscated value resolving to `2` |
| `0xF03F23B3` | Obfuscated value resolving to `1` |

These are not IOCs by themselves, but they are relevant to the malware’s string decoding logic.

---

## 4. MITRE ATT&CK mapping

### T1027 — Obfuscated Files or Information

**Observed evidence:**

The function decodes data using a repeating XOR key:

```c
a2[i] = a1[i] ^ byte_180025E20[i % 17];
```

The XOR is also written in an intentionally indirect Boolean form:

```c
~key & input | ~input & key
```

The helper function obscures constants:

```c
sub_18001C2F0(0xF03F23B0) == 2
sub_18001C2F0(0xF03F23B3) == 1
```

**Justification:**

Malware commonly stores strings or configuration data in encoded form and decodes them at runtime to avoid static detection and signature-based analysis.

---

### T1140 — Deobfuscate/Decode Files or Information

**Observed evidence:**

The function performs runtime decoding of an input buffer into an output buffer:

```c
*(a2 + i) = decoded_byte;
```

The loop continues until a decoded UTF-16-style null terminator is encountered.

**Justification:**

This is a runtime deobfuscation routine. It likely decodes embedded encrypted strings before use by the malware.

---

## 5. Obfuscation and evasion techniques

### Observed obfuscation

#### 1. Repeating XOR string obfuscation

The function uses a 17-byte repeating XOR key:

```c
byte_180025E20[i % 17]
```

This hides the plaintext content in the binary.

---

#### 2. XOR expressed without the `^` operator

Instead of writing:

```c
input ^ key
```

the code uses:

```c
(~key & input) | (~input & key)
```

This is equivalent to XOR but more difficult to recognize in decompiled output.

---

#### 3. Obfuscated constants

The function avoids literal constants `1` and `2` by computing them through:

```c
sub_18001C2F0(x) = x ^ 0xF03F23B2
```

Examples:

```c
0xF03F23B0 ^ 0xF03F23B2 = 2
0xF03F23B3 ^ 0xF03F23B2 = 1
```

This hides simple loop logic from casual inspection.

---

#### 4. UTF-16LE-style termination check

The loop stops when two consecutive decoded bytes are null and the index is odd:

```c
i % 2 == 1 && a2[i] == 0 && a2[i - 1] == 0
```

This suggests the decoded data is likely wide-character string data.

---

## 6. Summary

### Observed facts

- The code implements a byte-wise XOR decoder.
- The XOR key is located at `byte_180025E20`.
- The key length is 17 bytes.
- The function stops when the decoded output contains `00 00` at an odd index.
- Constants `1` and `2` are hidden using XOR arithmetic.
- No file paths, domains, IP addresses, registry keys, or commands are directly visible in the snippet.

### Inferred behavior

- The function is likely a malware string decryption routine.
- The decoded strings are likely UTF-16LE / wide-character strings.
- The routine is probably used to reveal hidden configuration values, API names, commands, paths, registry keys, or C2 indicators elsewhere in the binary.
- The code uses obfuscation to hinder static analysis and signature generation.