Lab13-02.exe creates large, seemingly random files in its current directory with names that start with temp and end with eight hexadecimal digits that vary for each file.

The XOR search technique identifies potential encoding-related functions at sub_401570 and sub_401739. The other three techniques suggested find nothing.

The encoding functions might be found just before the call to WriteFile.

The encoding function is sub_40181F.

The source content is a screen capture.

The algorithm is nonstandard and not easily determined, so the easiest way to decode traffic is via instrumentation.

See the detailed analysis for how to recover the original source of an encoded file.