"All we are going to tell you about the binary is that it was 'found' on a WinXP system and has now be sent to you for analysis. You will have to analyse it in-depth and get as much information as possible about its inner working, and what is the goal of the binary. The main goal of this challenge is to teach people how to analyse heavily armored binaries."
My english is very poor... I hope you can understand me.
I used Ollydbg to study the binary, and I didn't write any own tool to help me to progress in the code.
I traced all the code, but we will see there are a lot of vulnerabilities in the protection and we will be able to
progress quickly.
If we try to disassemble the binary with IDA (Interactive Disassembler Pro), an error occurs. In fact it is due to the raw size of the third section.
3. item: Name: NicolasB ( <------ a little note on the name of the section : it is not a "classical" name of sections. The name has been chosen by Nicolas Brulez. The name of a section can be changed, there is only one condition : the maximum size is 8 characters. ) VirtualSize: 0x00001000 VirtualAddress: 0x00047000 SizeOfRawData: 0xEFEFADFF <---- This size is too large and IDA can't allocate memory. PointerToRawData: 0x00047000 PointerToRelocations: 0x00000000 PointerToLinenumbers: 0x00000000 NumberOfRelocations: 0x0000 NumberOfLinenumbers: 0x0000 Characteristics: 0xE00000E0 (CODE, INITIALIZED_DATA, UNINITIALIZED_DATA, EXECUTE, READ, WRITE)
Normally SizeOfRawData contains the size of the section after VirtualSize has been rounded up to the file alignment size (0x200h for example).
That will not be a problem for us, Ollydbg is able to disassemble the binary although this trick is present. But the debugger can't break at the EP (the entrypoint of the program) when we load it. If we want to force the breakpoint, we need to physically modificate the code : a PE editor tells us the offset of the entrypoint is 0x00002000. We load the binary in an editor hexadecimal,
00002000 60 E8 00 00 00 00 5D 8B C5 83 E8 06 81 ED 06 20
and we replace the first byte at the entrypoint (0x60) by 0xCC (the opcode of the int3 breakpoint).
00DE2000 CC INT3 ; 0xCC instead of 0x60 00DE2001 E8 00000000 CALL 0x90.00DE2006 00DE2006 5D POP EBP
Now the binary will break at the EP under ollydbg, but we need to restore this byte with the original byte before beginning to trace the loader.
00DE2000 60 PUSHAD ; byte restored 00DE2001 E8 00000000 CALL 0x90.00DE2006 00DE2006 5D POP EBP
All along we will meet obfuscation code and code redirected, what will make the static analysis impossible, unless we write a script that will clean the code. But as I said before, I traced all the code so it didn't disturb me anymore.
An example :
00DE2012 60 PUSHAD 00DE2013 8AC3 MOV AL,BL 00DE2015 65: PREFIX GS: ; junk code 00DE2016 36:F3: PREFIX REP: ; junk code 00DE2018 8BCA MOV ECX,EDX 00DE201A F2: PREFIX REPNE: ; junk code 00DE201B EB 01 JMP SHORT 0x90.00DE201E ; junk code 00DE201D AB STOS DWORD PTR ES:[EDI] ; not executed 00DE201E 89F6 MOV ESI,ESI ; utility ? 00DE2020 26:F2: PREFIX REPNE: ; junk code 00DE2022 8D1D 6E7CE4D0 LEA EBX,DWORD PTR DS:[D0E47C6E] 00DE2028 65: PREFIX GS: ; junk code 00DE2029 F2:64: PREFIX REPNE: ; junk code 00DE202B C6C4 51 MOV AH,51 00DE202E EB 01 JMP SHORT 0x90.00DE2031 00DE2030 27 DAA ; not executed 00DE2031 2E:8AC5 MOV AL,CH 00DE2034 F3:65: PREFIX REP: ; junk code 00DE2036 EB 01 JMP SHORT 0x90.00DE2039 00DE2038 14 EB ADC AL,0EB ; the first byte needs to be noppedSo, after the nop :
00DE2036 /EB 01 JMP SHORT 0x90.00DE2039 ; utility ? 00DE2038 |90 NOP 00DE2039 \EB 01 JMP SHORT 0x90.00DE203C 00DE203B ^ 76 8B JBE SHORT 0x90.00DE1FC8 ; the first byte needs to be noppedAfter the nop :
00DE2039 \EB 01 JMP SHORT 0x90.00DE203C 00DE203B 90 NOP 00DE203C 8BF9 MOV EDI,ECX 00DE203E B1 00 MOV CL,0 00DE2040 64:C6C0 0D MOV AL,0D 00DE2044 88C9 MOV CL,CL ; utility ? 00DE2046 26: PREFIX ES: ; junk code 00DE2047 65:8D3D CA77656>LEA EDI,DWORD PTR GS:[686577CA] 00DE204E 64:F2: PREFIX REPNE: ; junk code 00DE2050 8D3D 54804E35 LEA EDI,DWORD PTR DS:[354E8054] ; previous value of edi changed ! 00DE2056 65:8AEE MOV CH,DH 00DE2059 3E: PREFIX DS: ; junk code 00DE205A 64:8BF8 MOV EDI,EAX 00DE205D F2:26: PREFIX REPNE: ; junk code 00DE205F 89DB MOV EBX,EBX ; utility ? 00DE2061 EB 01 JMP SHORT 0x90.00DE2064 00DE2063 3C 65 CMP AL,65 ; not executed 00DE2065 64:C6C7 B5 MOV BH,0B5 ; the first byte needs to be nopped
To be continued...
It's very difficult to understand what happens :)
The value of the registers are continually modified, even if it is not necessary... and the reverse engineer
gets mad !!
Concerning people who thought it would be possible to break to a judicious part of a code by finding the referenced data strings, they will be disappointed, and Nicolas Brulez thought to them ;) :
00E280DF 00 59 6F 75 20 72 65 61 6C 6C 79 20 74 68 6F 75 .You really thou 00E280EF 67 68 74 20 79 6F 75 20 77 6F 75 6C 64 20 66 69 ght you would fi 00E280FF 6E 64 20 73 74 72 69 6E 67 73 20 65 68 3F 20 3B nd strings eh? ; 00E2810F 2D 29 00 00 00 00 00 00 -)......
Another curiosity, maybe a signature ? :
00DE0100 50 45 00 00 4C 01 04 00 63 31 1C 85 44 61 72 74 PE..L...c1...Dart 00DE0110 68 50 45 00 E0 00 8F 81 0B 01 02 19 00 02 00 00 hPE.............
In 00DE0100, we can see the beginning of the IMAGE_NT_HEADERS ("50 45 00 00" (PE\00) is the signature of the PE
File).
This is the structure of the IMAGE_NT_HEADERS :
IMAGE_NT_HEADERS STRUCT Signature dd ? FileHeader IMAGE_FILE_HEADER <> OptionalHeader IMAGE_OPTIONAL_HEADER32 <> IMAGE_NT_HEADERS ENDS
So the following values correspond to the IMAGE_FILE_HEADER.
The structure of IMAGE_FILE_HEADER is :
IMAGE_FILE_HEADER STRUCT Machine WORD ? NumberOfSections WORD ? TimeDateStamp dd ? PointerToSymbolTable dd ? NumberOfSymbols dd ? SizeOfOptionalHeader WORD ? Characteristics WORD ? IMAGE_FILE_HEADER ENDS
Machine = 4C 01 -> 0x14C : it is used for the Intel platform
NumberOfSections = 04 00 -> 4
TimeDateStamp = 63 31 1C 85 -> 851C3163 : give iformations about the date and time the file was created.
PointerToSymbolTable = 44 61 72 74 -> "Dart"
NumberOfSymbols = 68 50 45 00 -> "hPE "
PointerToSymbolTable and NumberOfSymbols are normally used for debugging. In this binary Nicolas Brulez seems to use it to put a signature or something like that : "DarthPE"
In the first part of the loader, anti-debugging tricks are :
- Clear Debug Registers (anti-BPM)
- Check the time after the execution of the binary (anti-tracing)
They are hidden in a SEH executed after an exception like this :
00DE2289 60 PUSHAD 00DE228A E8 48000000 CALL 0x90.00DE22D7 00DE228F 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C] 00DE2293 8381 B8000000 0>ADD DWORD PTR DS:[ECX+B8],2 00DE229A 33C0 XOR EAX,EAX 00DE229C 8941 04 MOV DWORD PTR DS:[ECX+4],EAX 00DE229F 8941 08 MOV DWORD PTR DS:[ECX+8],EAX 00DE22A2 8941 0C MOV DWORD PTR DS:[ECX+C],EAX 00DE22A5 8941 10 MOV DWORD PTR DS:[ECX+10],EAX 00DE22A8 8941 14 MOV DWORD PTR DS:[ECX+14],EAX 00DE22AB C741 18 5501000>MOV DWORD PTR DS:[ECX+18],155 00DE22B2 8B81 B0000000 MOV EAX,DWORD PTR DS:[ECX+B0] 00DE22B8 50 PUSH EAX 00DE22B9 0FA2 CPUID 00DE22BB 0F31 RDTSC 00DE22BD 2B0424 SUB EAX,DWORD PTR SS:[ESP] 00DE22C0 83C4 04 ADD ESP,4 00DE22C3 3D 00000E00 CMP EAX,0E0000 00DE22C8 77 03 JA SHORT 0x90.00DE22CD 00DE22CA 33C0 XOR EAX,EAX 00DE22CC C3 RETN 00DE22CD 8381 B8000000 6>ADD DWORD PTR DS:[ECX+B8],63 00DE22D4 33C0 XOR EAX,EAX 00DE22D6 C3 RETN 00DE22D7 33C0 XOR EAX,EAX 00DE22D9 64:FF30 PUSH DWORD PTR FS:[EAX] ; pointer to next SEH record ; 00DE228F is the SEH handler (instruction ; after the call------------------------------------------------ In the stack we can see : 0012FF7C 0012FFE0 Pointer to next SEH record 0012FF80 00DE228F SE handler ------------------------------------------------
00DE22DC 64:8920 MOV DWORD PTR FS:[EAX],ESP 00DE22DF 0FA2 CPUID 00DE22E1 0F31 RDTSC 00DE22E3 33DB XOR EBX,EBX ; ebx = 0 00DE22E5 8F03 POP DWORD PTR DS:[EBX] ; exception C0000005 (access violation) ; -> the SEH handler is called 00DE22E7 64:67:8F06 0000 POP DWORD PTR FS:[0] ; Out of the SEH 00DE22ED 83C4 04 ADD ESP,4 ; restore the stack 00DE22F0 61 POPAD
There are different forms for the SEHs in this binary :
<---- Clear the Debug Register ---->
00E2534C 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C] ; edi = pointer to the context structure 00E25350 8387 B8000000 0>ADD DWORD PTR DS:[EDI+B8],2 ; eip ([EDI+B8]) = eip + 2 to jmp to the ; next instruction 00E25357 33C0 XOR EAX,EAX ; eax = 0 00E25359 8D7F 04 LEA EDI,DWORD PTR DS:[EDI+4] 00E2535C AB STOS DWORD PTR ES:[EDI] ;[edi+4] = DR0 = 0 00E2535D AB STOS DWORD PTR ES:[EDI] ;[edi+8] = DR1 = 0 00E2535E AB STOS DWORD PTR ES:[EDI] ;[edi+C] = DR2 = 0 00E2535F AB STOS DWORD PTR ES:[EDI] ;[edi+10] = DR3 = 0 00E25360 AB STOS DWORD PTR ES:[EDI] ;[edi+14] = DR6 = 0 00E25361 66:B8 AA01 MOV AX,1AA 00E25365 34 FF XOR AL,0FF ; ax = 155 00E25367 AB STOS DWORD PTR ES:[EDI] ;[edi+18] = DR7 = 155 00E25368 8B87 A8000000 MOV EAX,DWORD PTR DS:[EDI+A8] ; eax = edx ([EDI+A8] context structure) 00E2536E 8140 28 32875A0>ADD DWORD PTR DS:[EAX+28],45A8732 00E25375 8B87 94000000 MOV EAX,DWORD PTR DS:[EDI+94] 00E2537B 50 PUSH EAX<---- the equivalent of GetTickCount ---->
00E2537C 0FA2 CPUID 00E2537E 0F31 RDTSC ; ReaD TimeStamp Counter 00E25380 2B0424 SUB EAX,DWORD PTR SS:[ESP] ; sub the last value of RDTSC 00E25383 83C4 04 ADD ESP,4 00E25386 3D 00000E00 CMP EAX,0E0000 ; cmp number of cycles cpu with 0x0E0000 00E2538B 77 10 JA SHORT 0x90.00E2539D ; if eax > 0x0E0000, process traced/debugged 00E2538D 8B87 A8000000 MOV EAX,DWORD PTR DS:[EDI+A8] ; else OK and eax = edx ([EDI+A8] context ; structure) 00E25393 8168 28 7FAB350>SUB DWORD PTR DS:[EAX+28],235AB7F 00E2539A 2BC0 SUB EAX,EAX 00E2539C C3 RETN<---- if process debugged/traced ---->
00E2539D 8387 9C000000 3>ADD DWORD PTR DS:[EDI+9C],32 ; edi ([EDI+9C]) = edi + 0x32 -> ; exception 0xC0000005 (access violation) 00E253A4 2BC0 SUB EAX,EAX ; and loop, the stack is full of SEH handlers 00E253A6 C3 RETN ; and ollydbg crashes.
<---- Clear the Debug Register ---->
00DE865E 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C] ; ecx = pointer to the context structure 00DE8662 8381 B8000000 0>ADD DWORD PTR DS:[ECX+B8],2 ; eip ([ECX+B8]) = eip + 2 to jmp to the ; next instruction 00DE8669 33C0 XOR EAX,EAX ; eax = 0 00DE866B 8941 04 MOV DWORD PTR DS:[ECX+4],EAX ;[ecx+4] = DR0 = 0 00DE866E 8941 08 MOV DWORD PTR DS:[ECX+8],EAX ;[ecx+8] = DR1 = 0 00DE8671 8941 0C MOV DWORD PTR DS:[ECX+C],EAX ;[ecx+C] = DR2 = 0 00DE8674 8941 10 MOV DWORD PTR DS:[ECX+10],EAX ;[ecx+10] = DR3 = 0 00DE8677 8941 14 MOV DWORD PTR DS:[ECX+14],EAX ;[ecx+14] = DR6 = 0 00DE867A C741 18 5501000>MOV DWORD PTR DS:[ECX+18],155 ;[ecx+18] = DR7 = 155 00DE8681 8B81 B0000000 MOV EAX,DWORD PTR DS:[ECX+B0] ; eax = eax ([ECX+B0]) of the context ; structure 00DE8687 50 PUSH EAX<---- the equivalent of GetTickCount ---->
00DE8688 0FA2 CPUID 00DE868A 0F31 RDTSC ; ReaD TimeStamp Counter 00DE868C 2B0424 SUB EAX,DWORD PTR SS:[ESP] ; sub the last value of RDTSC 00DE868F 83C4 04 ADD ESP,4 00DE8692 3D 00000E00 CMP EAX,0E0000 ; cmp number of cycles cpu with 0x0E0000 00DE8697 77 03 JA SHORT 0x90.00DE869C ; if eax > 0x0E0000, process traced/debugged 00DE8699 33C0 XOR EAX,EAX ; else OK 00DE869B C3 RETN<---- if process debugged/traced ---->
00DE869C 8381 B8000000 6>ADD DWORD PTR DS:[ECX+B8],63 ; eip ([ECX+B8]) = eip + 0x63 -> ; exception 0xC0000005 (access violation) 00DE86A3 33C0 XOR EAX,EAX ; and loop, the stack is full of SEH handlers 00DE86A5 C3 RETN ; and ollydbg crashes.
The Debug Registers are used for the hardware breakpoints.
There are :
4 breakpoints registers : DR0, DR1, DR2, DR3
1 state register : DR6
1 register of control : DR7
To modify the Debug Registers you need to use the context structure (in theory they are only available in ring 0, but when an exception happens, we can access to the Context if we want). In fact the Context presents the state of all the registers at the moment of the exception.
This is a partial dump of the Context Structure :
# CONTEXT STRUCT ;------------------------- ; CONTEXT_DEBUG_REGISTERS ;------------------------- +04 Dr0 dd ? +08 Dr1 dd ? +0C Dr2 dd ? +10 Dr3 dd ? +14 Dr6 dd ? +18 Dr7 dd ? ;------------------------- ; CONTEXT_SEGMENTS ;------------------------- +8C regGs dd ? +90 regFs dd ? +94 regEs dd ? +98 regDs dd ? ;------------------------- ; CONTEXT_INTEGER ;------------------------- +9C regEdi dd ? +A0 regEsi dd ? +A4 regEbx dd ? +A8 regEdx dd ? +AC regEcx dd ? +B0 regEax dd ? ;------------------------- ; CONTEXT_CONTROL ;------------------------- +B4 regEbp dd ? +B8 regEip dd ? +BC regCs dd ? +C0 regFlag dd ? +C4 regEsp dd ? +C8 regSs dd ?
The detection by timing uses RDTSC. This instruction set in eax (and edx) un number of cpu cycles. To mesure the
number of cpu cycles passed, it is necessary to execute this instruction two times at minimum.
CPUID is an instruction of synchronisation. Used with RDTSC, it allows us to not have false positive and to
execute the instructions in the right order.
If the detection by timing is efficient, we don't go out of the exception, we return in the SEH and the new SEH handler
is set into the stack. It is an infinity loop, so if we are detected with RDTSC, the stack is full of SEH handler and
Ollydbg crashes.
To break at the beginning of a new SEH, I set a hardware breakpoint on execution on the SEH Handler (readable on
the stack).
In short all my BPMs were set on MOV ECX,DWORD PTR SS:[ESP+C] or on MOV EDI,DWORD PTR SS:[ESP+C], before the debug
registers will be set to zero.
It is the only way to set BPM on execution during the study. If we set BPM in an other part than the SEH handler,
it would be cleared.
JA = Jump if above. Jump if Carry Flag = 0 and Zero Flag = 0.
To continue tracing after a SEH in the part of the loader, I set the Zero Flag to 1 (the binary thinks the number
of the cpu cycles are equal to 0x0E0000) before executing the "ja" and I set "break on access (execution)" on the
item of the binary in the Memory Map (button M in ollydbg), that will make me return into the code of the loader.
Memory map, item 15 Address=00DE0000 Size=0004A000 (303104.) Owner=0x90 00DE0000 (itself) Section= Contains=PE header Type=Imag 01001102 Access=R Guarded Initial access=RWE
In the second part of the loader, there are a lot of encryption layers (more than 100... I was too lazy to count them).
It is only a xor encryption (the value to xor with changes for each layer), but the registers used are always
differents, that's why it is more difficult to write a script of decryption.
I passed them all manually...
I saw a detection of 0xCC (opcode of int3 breakpoint -> when we set a breakpoint (F2 with ollydbg)
with the debugger, that modifies the code and set a 0xCC opcode instead of the original byte) at the beginning of
the new code decrypted, but to pass the decryption of the layers more quickly, we can set a breakpoint after the
loop if we want (there is not detection of 0xCC after the loop).
After each encryption layer, the debug registers are cleared and the time is checked as explained above.
Before the next layer decryption, the last layer crypts itself again : in this way the entire binary will never
be completely decrypted in memory.
I detected a vulnerability in the code that allow us to go quickly enough :
When we arrive on a SEH, the next part of the code is already decrypted and there is no obfuscation, so we can read
it a little bit above in the listing asm. So it is possible to progress in the layers only setting hardware
breakpoint on execution on the next SEH Handler (when they are set at this part, they are never cleared).
We enter to the third part of the loader when we see :
00DE8CCC C705 3687DE00 4>MOV DWORD PTR DS:[DE8736],6C697645 ;"Evil" 00DE8F79 C705 3A87DE00 2>MOV DWORD PTR DS:[DE873A],73614820 ;" Has" 00DE920E C705 3E87DE00 2>MOV DWORD PTR DS:[DE873E],206F4E20 ;" No " 00DE94AA C705 4287DE00 4>MOV DWORD PTR DS:[DE8742],6E756F42 ;"Boun" 00DE977C C705 4687DE00 6>MOV DWORD PTR DS:[DE8746],69726164 ;"dari" 00DE99E9 C705 4A87DE00 6>MOV DWORD PTR DS:[DE874A],21207365 ;"es !"
The memory address [DE8736] will be very usefull, and a constant verification of the values stored here will be important.
This uncommon thing is a virtual machine (VM) wrote to protect the binary and make the assembly code harder
to understand.
Nicolas Brulez wrote his own p-code instructions and his own registers, and the p-code is interpreted by the the VM.
The opcodes are pushed on the stack and then executed.
We can see a repetitive loop to call the VM.
P-code is simply code interpreted during execution time, it could be thought as generic machine-level code that
requires a previous translation to its native machine-code. It is the same to compiled java : in order to execute
JAVA-written applications we need a translator placed between the JAVA-code and the code that our processor
understands. The translator is the VM.
Nicolas Brulez defines a proprietary set of instructions and doesn't publish their significations, so we are going
to have a hard time understanding the code.
The esi register is used to progress in the p-code. If we keep on tracing we see the access to the buffer
pointed by esi is continuously repeated.
eax and ecx are used for store value before manipulations of the registers.
Memory addresses at [EAX*4+DE8736] is used to store values in memory.
Memory adress at [E1B991] seems to be the base address to the buffer that contained the opcodes to be
interpreted.
Memory adress at [DE874A] is a mark : it is set to 1 to continue and 0 to quit the loop or the treatement.
After the encryption layers, there is an other decryption loop, a xor 0x53 decryption, that can be passed more quickly by setting hardware breakpoints at :
00E09A71 00E0E7D2 00DF9004 00E0B5A3
This loop will decrypt all the third part of the loader : the rest of the infamous virtual machine.
esi = 00E1BA44 00 01 2E A7 00DFE7A5 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 0 00DFEA74 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90.00E1B9A9 00DFED0E 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 1 00DEC633 8B46 02 MOV EAX,DWORD PTR DS:[ESI+2] ; eax = 5311A72E 00DEC8CD 05 3713D0AD ADD EAX,ADD01337 ; eax = 00E1BA65 00DECB8A 50 PUSH EAX 00DECE37 B8 D1F5FFFF MOV EAX,-0A2F ; eax = FFFFF5D1 00DED113 F7D0 NOT EAX ; eax = 00000A2E 00DED3BB 35 280A0000 XOR EAX,0A28 ; eax = 00000006 00DED680 8D3406 LEA ESI,DWORD PTR DS:[ESI+EAX] ; [00E1BA44 + 6] => esi = 00E1BA4A 00DED936 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 0 00DEDC00 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90.00E1B9A9 00DEDE7F 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 3 00E1B372 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 0x66 00E1B376 83F0 66 XOR EAX,66 ; eax = 0 00E1B64A 8F0485 3687DE00 POP DWORD PTR DS:[EAX*4+DE8736] ; 0x90.00E1BA6500DE8736 45 76 69 6C Evil 00DE8736 65 BA E1 00 eºá.
00E1B8CF 83C6 04 ADD ESI,4 ; esi = 00E1BA4E 00E1B8D2 4E DEC ESI ; esi = 00E1BA4D00E1BA4D 02 02 4F 13
00E1B8D3 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E1B8D6 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; edi = 00E1B9F5 00E1B8DD 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 2 00DFDCAD 8B46 02 MOV EAX,DWORD PTR DS:[ESI+2] ; eax = 5102134F 00DFDF5E 05 04EDFDAE ADD EAX,AEFDED04 ; eax = 00000053 00DFE20E 0FB67E 06 MOVZX EDI,BYTE PTR DS:[ESI+6] ; edi = 2 00DFE4DC 8904BD 3687DE00 MOV DWORD PTR DS:[EDI*4+DE8736],EAX00DE873E 20 4E 6F 20 No 00DE873E 53 00 00 00 S...
00DFE4E3 83C6 07 ADD ESI,7 ; esi = 00E1BA5400DE872E 65 BA E1 00 20 48 61 73 eºá. Has 00DE873E 53 00 00 00 0E 02 00 00 64 61 72 69 65 73 20 21 S.......daries !
00DFE7A5 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00DFEA74 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90.00E1B9BD00E1B9BD 7B 1A DF 00 {.ß.
00DFED0E 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 3 00DF7787 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 2 00DF7A49 8B0485 3687DE00 MOV EAX,DWORD PTR DS:[EAX*4+DE8736] ; eax = 0x53 00DF7CF9 0FB64E 03 MOVZX ECX,BYTE PTR DS:[ESI+3] ; ecx = 0 00DF7FC4 /FF248D E9B9E100 JMP DWORD PTR DS:[ECX*4+E1B9E9] ; 0x90.00DF7FCB 00DF8266 0FB64E 04 MOVZX ECX,BYTE PTR DS:[ESI+4] ; ecx = 0 00DF8532 8B0C8D 3687DE00 MOV ECX,DWORD PTR DS:[ECX*4+DE8736] ; 0x90.00E1BA65 00DF87CF 3001 XOR BYTE PTR DS:[ECX],AL ; al = 0x53, byte[ecx] = 0x5100E1BA65 02 51 7E 72 99 FE 52 51 52 7C 8D 65 51 51 55 73
00DF8A6F 83C6 05 ADD ESI,5 ; esi = 00E1BA5900E1BA59 02 04 00 02
00DF8A72 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00DF8D16 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; edi = 00E1B9F500E1B9F5 6F E1 DE 00
00DF8FFA 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 04 00E0D4C6 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 0 00E0D76F FF0485 3687DE00 INC DWORD PTR DS:[EAX*4+DE8736] ; 0x90.00E1BA6500DE8736 66 BA E1 00
00E0D776 0F85 76050000 JNZ 0x90.00E0DCF2 00E0DF7A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set to 1 to continue 00E0E229 83C6 03 ADD ESI,3 ; esi = 00E1BA5C00E1BA5C 02 03 03 04
00E0E4FA 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E0E7C1 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90.00E1B9F500E1BA5C 02 03 03 04
00E0E7C8 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 3 00E09D76 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 3 00E0A03E FF0C85 3687DE00 DEC DWORD PTR DS:[EAX*4+DE8736] ; 20E=> 00DE8742 0D 02 00 00
00E0A045 0F85 C6070000 JNZ 0x90.00E0A811 ; 0x20E bytes to decrypt to quit ; the loop 00E0AACC C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set to 1 to continue and loop 00E0AD8F 83C6 03 ADD ESI,3 ; esi = 00E1BA5F00E1BA5F 04 01 16 00
00E0B06B 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 4 00E0B31E 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90.00E1BA2900E1BA29 FD 34 E0 00
00E0B599 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 1 00E07C49 A1 4A87DE00 MOV EAX,DWORD PTR DS:[DE874A] ; eax = 1 00E07EF4 85C0 TEST EAX,EAX ; test the value of the mark 00E07EF6 0F85 550B0000 JNZ 0x90.00E08A51 00E08CFE 8B76 02 MOV ESI,DWORD PTR DS:[ESI+2] ; esi = 16 00E08FC2 8DB6 3EBAE100 LEA ESI,DWORD PTR DS:[ESI+E1BA3E] ; esi = 00E1BA5400E1BA54 01 03 02 00
00E0925F 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E09511 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90.00E1B9BD00E1B9BD 7B 1A DF 00
00E097CF 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 3 00DF7787 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 2 00DF7A49 8B0485 3687DE00 MOV EAX,DWORD PTR DS:[EAX*4+DE8736] ; eax = 53 00DF7CF9 0FB64E 03 MOVZX ECX,BYTE PTR DS:[ESI+3] ; ecx = 0 00DF7FC4 /FF248D E9B9E100 JMP DWORD PTR DS:[ECX*4+E1B9E9] ; 0x90.00DF7FCB 00DF8266 0FB64E 04 MOVZX ECX,BYTE PTR DS:[ESI+4] ; ecx = 0 00DF8532 8B0C8D 3687DE00 MOV ECX,DWORD PTR DS:[ECX*4+DE8736] ; 0x90.00E1BA6600E1BA66 51 7E 72 99
00DF87CF 3001 XOR BYTE PTR DS:[ECX],AL ; xor the next byte with 0x53 etc.
After the decryption, we can see some funny strings on it like :
eh?! y!!! nuts merc driv no its show Awai hell
We will show later how they will be used.
All along the VM, there are a lot of SEH, used to clear Debug Registers, but the detection of tracing by checking the time with RDTSC disappeared (see above for the explanation).
00DEA4B6 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C] 00DEA4BA 33C0 XOR EAX,EAX 00DEA4BC 8941 04 MOV DWORD PTR DS:[ECX+4],EAX 00DEA4BF 8941 08 MOV DWORD PTR DS:[ECX+8],EAX 00DEA4C2 8941 0C MOV DWORD PTR DS:[ECX+C],EAX 00DEA4C5 8941 10 MOV DWORD PTR DS:[ECX+10],EAX 00DEA4C8 8941 14 MOV DWORD PTR DS:[ECX+14],EAX 00DEA4CB C741 18 5501000>MOV DWORD PTR DS:[ECX+18],155 00DEA4D2 8B81 B0000000 MOV EAX,DWORD PTR DS:[ECX+B0] 00DEA4D8 8BB9 9C000000 MOV EDI,DWORD PTR DS:[ECX+9C] 00DEA4DE 8B0487 MOV EAX,DWORD PTR DS:[EDI+EAX*4] 00DEA4E1 8981 B8000000 MOV DWORD PTR DS:[ECX+B8],EAX 00DEA4E7 33C0 XOR EAX,EAX 00DEA4E9 C3 RETN
00E081AF 83C6 06 ADD ESI,6 ; esi = 00E1BA65 00E08458 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E08734 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E0873B 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 2 00DFDCAD 8B46 02 MOV EAX,DWORD PTR DS:[ESI+2] ; eax = ADCA212D00E1BA67 2D 21 CA AD
00DFDF5E 05 04EDFDAE ADD EAX,AEFDED04 ; eax = 5CC80E31 00DFE20E 0FB67E 06 MOVZX EDI,BYTE PTR DS:[ESI+6] ; edi = 6 00DFE4DC 8904BD 3687DE00 MOV DWORD PTR DS:[EDI*4+DE8736],EAX00DE873A 31 0E C8 5C
00DFE4E3 83C6 07 ADD ESI,7 ; esi = 7 00DFE7A5 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00DFEA74 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00DFED0E 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 1 00DEEC12 8B46 02 MOV EAX,DWORD PTR DS:[ESI+2] ; eax = 0236DE2F 00DEEEC7 05 DE31A7FE ADD EAX,FEA731DE ; eax = 00DE100D ; GetCommandLine 00DEF171 8B40 02 MOV EAX,DWORD PTR DS:[EAX+2] ; 0x90_5bi.00E28060 00DEF411 8B00 MOV EAX,DWORD PTR DS:[EAX] ; kernel32.GetCommandLineA 00DEF413 BF 4EF9DE00 MOV EDI,0x90_5bi.00DEF94E 00DEF418 2BC7 SUB EAX,EDI 00DEF69D 83E8 04 SUB EAX,4 ; eax = 7706EA06 00DEF94C AB STOS DWORD PTR ES:[EDI] ; address of GetcommandLine in eax00DEF94E 06 EA 06 77
00DEF94D E8 06EA0677 CALL kernel32.GetCommandLineA 00DEFC14 A3 3687DE00 MOV DWORD PTR DS:[DE8736],EAX ; store the memory adress that ; points to the return value of ; GetCommandLine00DE8736 E0 1E 14 00 00141EE0 22 43 3A 5C 61 67 61 64 6F 75 5C 30 78 39 30 5F "C:\agadou\0x90_ 00141EF0 35 62 69 73 2E 65 78 65 22 00 AB AB AB AB AB AB 5bis.exe".«««««« 00141F00 AB AB EE FE EE FE EE FE 00 00 00 00 00 00 00 00 ««îþîþîþ........ 00141F10 5E 00 07 00 00 07 18 00 08 22 14 00 38 25 14 00 ^........"..8%.. 00141F20 00 00 28 00 0C 00 00 00 3A 17 2B 00 ..(.....:.+.
00DEFEBA 85C0 TEST EAX,EAX ; test if the function succeed 00DEFEBC 0F85 080B0000 JNZ 0x90_5bi.00DF09CA 00DF0C4B C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set the mark to 1 to continue 00DF0F24 83C6 06 ADD ESI,6 ; esi = 00E1BA72 00DF11F0 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00DF11F3 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00DF14B2 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 6 00E15DBC 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 20 00E16049 8B3D 3687DE00 MOV EDI,DWORD PTR DS:[DE8736] ; edi = pointer to return value 00E162EE 0FB74E 03 MOVZX ECX,WORD PTR DS:[ESI+3] ; ecx = 255 00E1658B F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; scan 255 bytes to find a ; space char (0x20) in the return ; value of GetCommandLine 00E16843 85C9 TEST ECX,ECX ; if space char found, ecx != 0 00E16845 0F84 070B0000 JE 0x90_5bi.00E17352 00E16AF2 893D 3687DE00 MOV DWORD PTR DS:[DE8736],EDI ; pointer to the argument00DE8736 F9 1E 14 00 00141EF9 31 32 33 34 22 00 1234".
00E16DCB 68 08DDE000 PUSH 0x90_5bi.00E0DD08 00E1707F 810424 54960000 ADD DWORD PTR SS:[ESP],965400E0DD08 + 9654 = 00E1735C
00E1735C 83C6 05 ADD ESI,5 ; esi = 00E1BA7700E1BA77 04 02 2E 01
00E1735F 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 4 00E17362 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1BA29 00E17369 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 2 00E0FB4D A1 4A87DE00 MOV EAX,DWORD PTR DS:[DE874A] ; eax = 1 00E0FE17 85C0 TEST EAX,EAX ; test the mark 00E0FE19 0F84 4D0B0000 JE 0x90_5bi.00E1096C 00E0FE1F 83C6 06 ADD ESI,6 ; esi = 00E1BA7D 00E100EB 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E103B6 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E1067F 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 8 00E0EAE9 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 0 00E0ED84 8B0485 3687DE00 MOV EAX,DWORD PTR DS:[EAX*4+DE8736] ; eax = pointer to the argument 00E0F030 8B00 MOV EAX,DWORD PTR DS:[EAX] ; eax = hexa value of the first 4 bytes00141EF9 31 32 33 34 1234 eax = 34333231
00E0F032 0FB67E 03 MOVZX EDI,BYTE PTR DS:[ESI+3] ; edi = 2 00E0F2E0 8904BD 3687DE00 MOV DWORD PTR DS:[EDI*4+DE8736],EAX ; store hexa values in memory00DE873E 31 32 33 34 00 00 1234..
I traced all the instructions manually in the VM, but an easy way to keep only the important instructions is to
find "popad" and "pushad" instructions and to look between them only.
This instruction, between "popad" and "pushad" are clear, without obfuscation, that's why it is not difficult to
understand what happens... just very long.
Moreover Nicolas brulez played with the eax register primarily : sometimes it is xored with 0x66 (when eax = 0x66
) so, eax is set to 0 but indirectly ; sometimes it substracts or adds 1, 2, 3, 4 or 5 to eax to have the correct
value.
In short the opcodes stored in memory sometimes needs to be modified to have a correct value.
For analysing binaries, I think the tools that can be usefull are :
A PE explorer
: LordPE or StudPe for example.An editor hexadecimal
: I used it here only to change the first byte at the entrypoint by 0xCCh.A disassembler
: I don't used it here, but IDA is the best in my opinion, it is a very powerfull disassembler.A debugger
: I curently use Ollydbg, a freeware ring 3 debugger. Some plugins are very usefull as well, like
ollyscript, an interessant alternative of the IDA's IDC scripts.I think the tools the most suited for analysing binaries like 0x90 are IDA or Ollydbg (ollyscript installed) :
it allows us to write some scripts to decrypt the layers, to clear obfuscation code, etc.
With IDC scripts or Ollyscript, we don't need to write our own tools.
Moreover there is a interessant plugin for IDA too : ida-x86emu . This one will trace the
the code for us. It is usefull when they are a lot of detection code and junk code.
However I decided not to automate the decryption, I prefered to trace all the code manually : automate the
decryption of the layers in this binary was not easy as well...
The purpose of this binary is to wait for a correct password in order to access anything... here it only shows us a string (a message that will tell us we succeed) when we enter a good pass. But the binary could have fonctionnalities reserved to one person only : administration of a server (a malware binary like a trojan), securisation of sensible informations etc.
The binary is waiting a password from the user which allows us to authenticate. I am going to explain how I found it.
We will used as notations :
_first_ for the first 4 bytes (in hexadecimal) of the argument entered (example : "1234" => _first_ = 34333231).
_second_ for the second value we will be used below (see later)
00E0F2E7 83C6 04 ADD ESI,4 ; esi = 00E1BA81 00E0F5A1 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E0F5A4 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E0F859 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E18478 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 5 00E18721 83E8 03 SUB EAX,3 ; eax = 2 00E189C0 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = _first_ 00E18C5F 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 1D9BDC45 00E18F2C 03DF ADD EBX,EDI ; ebx = _first_ + edi_first_(1) = _first_ + 1D9BDC45
00E18F2E 0F85 E6020000 JNZ 0x90_5bi.00E1921A ; jmp if != 0 00E1921A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E19502 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set _first_(1) in memory 00E197AA 83C6 07 ADD ESI,7 ; esi = 00E1BA8800E1BA88 01 04 04 45
00E19A7D 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E19D3A 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1A00D 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E18478 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 4 00E18721 83E8 03 SUB EAX,3 ; eax = 1 00E189C0 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = 5CC80E3100DE8736 F9 1E 14 00 31 0E C8 5C 76 0E CF 51 00 00 00 00 _second_ = 5CC80E31 (it is a constant value)
00E18C5F 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 74519745 00E18F2C 03DF ADD EBX,EDI_second_(1) = 74519745 + _second_
00E19502 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set _second_(1) in memory 00E197AA 83C6 07 ADD ESI,7 ; esi = 00E1BA8F00E1BA8F 01 05 04 E2
00E19A7D 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E19D3A 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1A00D 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 5 00E1A2DA 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 4 00E1A582 83E8 02 SUB EAX,2 ; eax = 2 00E1A852 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = _second_(1) 00E1AB03 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = AD45DFE200E1BA92 E2 DF 45 AD
00E1ADD3 2BDF SUB EBX,EDI_first_(2) = _second_(1) - AD45DFE2
00E1ADD5 75 09 JNZ SHORT 0x90_5bi.00E1ADE0 ; jmp 00E1ADD7 8325 4A87DE00 0>AND DWORD PTR DS:[DE874A],0 00E1ADDE EB 0A JMP SHORT 0x90_5bi.00E1ADEA 00E1ADE0 C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E1B05F 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set _first_(2) in memory 00E1B066 83C6 07 ADD ESI,7 ; esi = 00E1BA96 00E1B069 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax= 1 00E1B06C 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1B073 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E18478 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 4 00E18721 83E8 03 SUB EAX,3 ; eax = 1 00E189C0 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = _second_(1) 00E18C5F 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = DEADBEEF 00E18F2C 03DF ADD EBX,EDI_second_(2) = DEADBEEF + _second_(1)
00E18F2E /0F85 E6020000 JNZ 0x90_5bi.00E1921A ; jmp 00E1921A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E19502 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set _second_(2) in memory 00E197AA 83C6 07 ADD ESI,7 ; esi = 00E1BA9D 00E19A7D 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E19D3A 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1A00D 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E18478 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 5 00E18721 83E8 03 SUB EAX,3 ; eax = 2 00E189C0 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = _first_(2) 00E18C5F 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 68656C6C (hell) 00E18F2C 03DF ADD EBX,EDI_first_(3) = 68656C6C (hell) + _first_(2)
00E1921A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E19502 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set _first_(3) in memory 00E197AA 83C6 07 ADD ESI,7 ; esi = 00E1BAA4 00E19A7D 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E19D3A 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1A00D 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 5 00E1A2DA 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 3 00E1A582 83E8 02 SUB EAX,2 ; eax =1 00E1A852 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = _second_(2) 00E1AB03 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 1785416500E1BAA7 65 41 85 17
00E1ADD3 2BDF SUB EBX,EDI_second_(3) = _second_(2) - 17854165
00E1ADD5 /75 09 JNZ SHORT 0x90_5bi.00E1ADE0 00E1ADD7 |8325 4A87DE00 0>AND DWORD PTR DS:[DE874A],0 00E1ADDE |EB 0A JMP SHORT 0x90_5bi.00E1ADEA 00E1ADE0 \C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 00E1B05F 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set _second_(3) in memory 00E1B066 83C6 07 ADD ESI,7 ; esi = 00E1BAAB 00E1B069 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E1B06C 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1B073 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 5 00E1A2DA 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 4 00E1A582 83E8 02 SUB EAX,2 ; eax = 2 00E1A852 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = _first_(3) 00E1AB03 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 41776169 (Awai) 00E1ADD3 2BDF SUB EBX,EDI_first_(4) = _first_(3) - 41776169 (Awai)
00E1ADD5 75 09 JNZ SHORT 0x90_5bi.00E1ADE0 00E1ADD7 8325 4A87DE00 0>AND DWORD PTR DS:[DE874A],0 00E1ADDE EB 0A JMP SHORT 0x90_5bi.00E1ADEA 00E1ADE0 C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 00E1B05F 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set _first_(4) in memory 00E1B066 83C6 07 ADD ESI,7 ; esi = 00E1BAB2 00E1B069 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E1B06C 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1B073 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E18478 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 4 00E18721 83E8 03 SUB EAX,3 ; eax = 1 00E189C0 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = _second_(3) 00E18C5F 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 73686F77 (show) 00E18F2C 03DF ADD EBX,EDI_second_(4) = _second_(3) + 73686F77 (show)
00E18F2E /0F85 E6020000 JNZ 0x90_5bi.00E1921A 00E1921A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 00E19502 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set _second_(4) in memory 00E197AA 83C6 07 ADD ESI,7 ; esi = 00E1BAB900E1BAB9 20 73 74 69
00E19D3A 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1A00D 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E18478 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 5 00E18721 83E8 03 SUB EAX,3 ; eax = 2 00E189C0 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = _first_(4) 00E18C5F 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 69747320 (its ) 00E18F2C 03DF ADD EBX,EDI_first_(5) = add _first_(4) + 69747320 (its )
00E18F2E 0F85 E6020000 JNZ 0x90_5bi.00E1921A 00E1921A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 00E19502 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set _first_(5) in memory 00E197AA 83C6 07 ADD ESI,7 ; esi = 00E1BAC000E1BAC0 01 05 03 20
00E19A7D 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E19D3A 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1A00D 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 5 00E1A2DA 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 3 00E1A582 83E8 02 SUB EAX,2 ; eax = 1 00E1A852 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = _second_(4) 00E1AB03 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 206E6F20 ( no ) 00E1ADD3 2BDF SUB EBX,EDI_second_(5) = _second_(4) - 206E6F20 ( no )
00E1ADD5 75 09 JNZ SHORT 0x90_5bi.00E1ADE0 00E1ADD7 8325 4A87DE00 0>AND DWORD PTR DS:[DE874A],0 00E1ADDE EB 0A JMP SHORT 0x90_5bi.00E1ADEA 00E1ADE0 C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 00E1B05F 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set _second_(5) in memory 00E1B066 83C6 07 ADD ESI,7 ; esi = 00E1BAC7 00E1B069 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E1B06C 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1B073 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E18478 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 500E1BAE9 FF FF FF DF
00E189C0 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = _first_(5) 00E18C5F 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 64726976 (driv) 00E18F2C 03DF ADD EBX,EDI_first_(6) = _first_(5) + 64726976 (driv)
00E18F2E 0F85 E6020000 JNZ 0x90_5bi.00E1921A 00E19502 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set _first_(6) in memory 00E197AA 83C6 07 ADD ESI,7 ; esi = 00E1BACE 00E19A7D 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E19D3A 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1A00D 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E18478 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 4 00E18721 83E8 03 SUB EAX,3 ; eax = 1 00E189C0 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = _second_(5) 00E18C5F 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 6D657263 (merc) 00E18F2C 03DF ADD EBX,EDI_second_(6) = _second_(5) + 6D657263 (merc)
00E18F2E 0F85 E6020000 JNZ 0x90_5bi.00E1921A 00E19502 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set _second_(6) in memory 00E197AA 83C6 07 ADD ESI,7 ; esi = 00E1BAD5 00E19A7D 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E19D3A 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1A00D 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 5 00E1A2DA 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 4 00E1A582 83E8 02 SUB EAX,2 ; eax = 2 00E1A852 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = _first_(6) 00E1AB03 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 6E757473 (nuts) 00E1ADD3 2BDF SUB EBX,EDI_first_(7) = _first_(6) - 6E757473 (nuts)
00E1ADD5 75 09 JNZ SHORT 0x90_5bi.00E1ADE0 00E1ADD7 8325 4A87DE00 0>AND DWORD PTR DS:[DE874A],0 00E1ADDE EB 0A JMP SHORT 0x90_5bi.00E1ADEA 00E1ADE0 C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 00E1B05F 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set _first_(7) in memory 00E1B066 83C6 07 ADD ESI,7 ; esi = 00E1BADC 00E1B069 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E1B06C 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1B073 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 5 00E1A2DA 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 3 00E1A582 83E8 02 SUB EAX,2 ; eax = 1 00E1A852 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = _second_(6) 00E1AB03 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 79212121 (y!!!) 00E1ADD3 2BDF SUB EBX,EDI_second_(7) = _second_(6) - 79212121 (y!!!)
00E1ADD5 75 09 JNZ SHORT 0x90_5bi.00E1ADE0 00E1ADD7 8325 4A87DE00 0>AND DWORD PTR DS:[DE874A],0 00E1ADDE EB 0A JMP SHORT 0x90_5bi.00E1ADEA 00E1ADE0 C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 00E1B05F 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set _second_(7) in memory 00E1B066 83C6 07 ADD ESI,7 ; esi = 00E1BAE3 00E1B069 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E1B06C 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1B073 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 5 00E1A2DA 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 4 00E1A582 83E8 02 SUB EAX,2 ; eax = 2 00E1A852 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = _first_(7) 00E1AB03 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 65683F21 (eh?!) 00E1ADD3 2BDF SUB EBX,EDI_first_(8) = sub _first_(7) de 65683F21 (eh?!)
00E1ADD5 75 09 JNZ SHORT 0x90_5bi.00E1ADE0 00E1ADD7 8325 4A87DE00 0>AND DWORD PTR DS:[DE874A],0 00E1ADDE EB 0A JMP SHORT 0x90_5bi.00E1ADEA 00E1ADE0 C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 00E1B05F 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set _first_(8) in memory 00E1B066 83C6 07 ADD ESI,7 ; esi = 00E1BAEA 00E1B069 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E1B06C 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1B073 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 6 00E12526 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 7 00E1252A 83E8 05 SUB EAX,5 ; eax = 2 00E127B4 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = first_(8) 00E12A80 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = DFFFFFFF 00E12D2E 23DF AND EBX,EDI_first_(9) = _first_(8) AND DFFFFFFF
00E12D30 75 0C JNZ SHORT 0x90_5bi.00E12D3E 00E12D32 8325 4A87DE00 0>AND DWORD PTR DS:[DE874A],0 00E12D39 E9 BB020000 JMP 0x90_5bi.00E12FF9 00E132EE 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set _first_(9) in memory 00E132F5 83C6 07 ADD ESI,7 ; esi = 00E1BAF1 00E132F8 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 0 00E132FB 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9A9 00E135B6 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 2 00E1766E 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 45 (E) 00E17920 83F0 47 XOR EAX,47 ; eax = 2 00E17BF4 8B0485 3687DE00 MOV EAX,DWORD PTR DS:[EAX*4+DE8736] ; eax = _first_(9) 00E17EB7 50 PUSH EAX 00E18144 BB 0A000000 MOV EBX,0A 00E18149 83F3 09 XOR EBX,9 00E1814C 03F3 ADD ESI,EBX ; esi = 00E1BAF4 00E1814E 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 0 00E18151 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9A9 00E18158 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 2 00E1766E 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 46 (F) 00E17920 83F0 47 XOR EAX,47 ; eax = 1 00E17BF4 8B0485 3687DE00 MOV EAX,DWORD PTR DS:[EAX*4+DE8736] ; eax = _second_(7) 00E17EB7 50 PUSH EAX 00E18144 BB 0A000000 MOV EBX,0A 00E18149 83F3 09 XOR EBX,9 00E1814C 03F3 ADD ESI,EBX ; esi = 00E1BAF7 00E1814E 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 3 00E18151 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1BA25 00E18158 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 0 00DFF2A3 8B0424 MOV EAX,DWORD PTR SS:[ESP] ; eax = _second_(7) 00DFF51B 3B4424 04 CMP EAX,DWORD PTR SS:[ESP+4] ; cmp _second_(7), _first_(9) 00DFF51F /0F85 C0100000 JNZ 0x90_5bi.00E005E5 ; if != 0 BadBoy
We have :
_first_(1) = 1D9BDC45 + _first_
_first_(2) = _second_(1) - AD45DFE2
_first_(3) = 68656C6C (hell) + _first_(2)
_first_(4) = _first_(3) - 41776169 (Awai)
_first_(5) = _first_(4) + 69747320 (its )
_first_(6) = _first_(5) + 64726976 (driv)
_first_(7) = _first_(6) - 6E757473 (nuts)
_first_(8) = _first_(7) - 65683F21 (eh?!)
_first_(9) = _first_(8) and DFFFFFFF
_second_(1) = 74519745 + _second_ (_second_ = 5CC80E31)
_second_(2) = DEADBEEF + _second_(1) (_second_(1) = D119A576)
_second_(3) = _second_(2) - 17854165 (_second_(2) = (1)AFC76465)
_second_(4) = _second_(3) + 73686F77 (show) (_second_(3) = 98422300)
_second_(5) = _second_(4) - 206E6F20 ( no ) (_second_(4) = (1)0BAA9277
_second_(6) = _second_(5) + 6D657263 (merc) (_second_(5) = EB3C2357)
_second_(7) = _second_(6) - 79212121 (y!!!) (_second_(6) = (1)58A195BA)
<=> _second_(7) = (((((((74519745+5CC80E31)+DEADBEEF)-17854165)+73686F77)-206E6F20)+6D657263)-79212121)
<=> _second_(7) = (1)DF807499
_first_(9) and _second_(7) needs to be equals (_second_(7) = DF807499) So : first_(9) = (1)DF807499 <=> _first_(8) = DF807499 <=> _first_(7) = DF807499 + 65683F21 = (1)44E8B3BA <=> _first_(6) = (1)44E8B3BA + 6E757473 = B35E282D <=> _first_(5) = B35E282D - 64726976 = 4EEBBEB7 <=> _first_(4) = (1)14EEBBEB7 - 69747320 = E5774B97 <=> _first_(3) = E5774B97 + 41776169 = (1)26EEAD00 <=> _first_(2) = (1)26EEAD00 - 68656C6C = BE894094 <=> _first_(1) = BE894094 + AD45DFE2 = (1)6BCF2076 <=> _first_ = 6BCF2076 - 1D9BDC45 = (1)4E334431 0x3144334E in ascii = "1D3N" so the 4 first characters of the pass is "1D3N"
00DFF80F 83C4 08 ADD ESP,8 00DFFAC1 8B76 02 MOV ESI,DWORD PTR DS:[ESI+2] ; esi = 00E4DE3D 00DFFD4A 81EE 37130300 SUB ESI,31337 ; esi = 00E1BB06 00DFFFF6 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E002BA 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E002C1 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E0D4C6 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 0 00E0D76F FF0485 3687DE00 INC DWORD PTR DS:[EAX*4+DE8736] ; pointer to the next char of the ; argument 00E0D776 0F85 76050000 JNZ 0x90_5bi.00E0DCF2 00E0DF7A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E0E229 83C6 03 ADD ESI,3 ; esi = 00E1BB09 00E0E4FA 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E0E7C1 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E0E7C8 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E18478 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 3 00E18721 83E8 03 SUB EAX,3 ; eax = 0 00E189C0 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = pointer to the 2nd char 00E18C5F 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 2 00E18F2C 03DF ADD EBX,EDI ; ebx = 00141EFB + 2 00E18F2E 0F85 E6020000 JNZ 0x90_5bi.00E1921A 00E1921A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E19502 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; ebx = pointer to the 4th char 00E197AA 83C6 07 ADD ESI,7 ; esi = 00E1BB10 00E19A7D 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E19D3A 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E1A00D 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E0D76F FF0485 3687DE00 INC DWORD PTR DS:[EAX*4+DE8736] 00E0D776 0F85 76050000 JNZ 0x90_5bi.00E0DCF2 00E0DF7A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E0E229 83C6 03 ADD ESI,3 ; esi = 00E1BB13 00E0E4FA 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E0E7C1 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E0E7C8 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 0B 00E0402D 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] 00E042E6 8B0485 3687DE00 MOV EAX,DWORD PTR DS:[EAX*4+DE8736] ; eax = pointer to the 5th char 00E04588 0FB700 MOVZX EAX,WORD PTR DS:[EAX] ; eax = hexa value of (char6_char5) 00E04823 0FB67E 03 MOVZX EDI,BYTE PTR DS:[ESI+3] ; edi = 1 00E04ACD 8904BD 3687DE00 MOV DWORD PTR DS:[EDI*4+DE8736],EAX ; set 0000char6_char5 in memory 00E04D5F 83C6 04 ADD ESI,4 ; esi = 00E1BB17 00E05059 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 0 00E0505C 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9A9 00E05305 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 2 00E1766E 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 46 00E17920 83F0 47 XOR EAX,47 ; eax = 1 00E17BF4 8B0485 3687DE00 MOV EAX,DWORD PTR DS:[EAX*4+DE8736] ; eax = 0000char6_char5 00E17EB7 50 PUSH EAX 00E18144 BB 0A000000 MOV EBX,0A 00E18149 83F3 09 XOR EBX,9 00E1814C 03F3 ADD ESI,EBX ; esi = 00E1BB1A 00E1814E 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 0 00E18151 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9A9 00E18158 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 3 00E1B372 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] 00E1B376 83F0 66 XOR EAX,66 ; eax = 2 00E1B64A 8F0485 3687DE00 POP DWORD PTR DS:[EAX*4+DE8736] ; set 0000char6_char5 in memory 00E1B8CF 83C6 04 ADD ESI,4 00E1B8D2 4E DEC ESI ; esi = 00E1BB1D 00E1B8D3 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 0 00E1B8D6 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9A9 00E1B8DD 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 2 00E1766E 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 47 00E17920 83F0 47 XOR EAX,47 ; eax = 0 00E17BF4 8B0485 3687DE00 MOV EAX,DWORD PTR DS:[EAX*4+DE8736] ; eax = pointer to 5th char 00E17EB7 50 PUSH EAX 00E18144 BB 0A000000 MOV EBX,0A 00E18149 83F3 09 XOR EBX,9 00E1814C 03F3 ADD ESI,EBX ; esi = 00E1BB20 00E1814E 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 0 00E18151 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9A9 00E18158 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 1 00DEC633 8B46 02 MOV EAX,DWORD PTR DS:[ESI+2] ; eax = 530822D6 00DEC8CD 05 3713D0AD ADD EAX,ADD01337 ; eax = 00D8360D 00DECB8A 50 PUSH EAX 00DECE37 B8 D1F5FFFF MOV EAX,-0A2F ; eax = FFFFF5D1 00DED113 F7D0 NOT EAX ; eax = 0000A2E 00DED3BB 35 280A0000 XOR EAX,0A28 ; eax = 6 00DED680 8D3406 LEA ESI,DWORD PTR DS:[ESI+EAX] ; esi = 00E1BB26 00DED936 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 0 00DEDC00 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9A9 00DEDE7F 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 3 00E1B372 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] 00E1B376 83F0 66 XOR EAX,66 ; eax = 0 00E1B64A 8F0485 3687DE00 POP DWORD PTR DS:[EAX*4+DE8736] ; pointer to 5th char 00E1B8CF 83C6 04 ADD ESI,4 00E1B8D2 4E DEC ESI ; esi = 00E1BB29 00E1B8D3 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E1B8D6 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1B8DD 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E18478 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 3 00E18721 83E8 03 SUB EAX,3 ; eax = 0 00E189C0 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = 00D8360D 00E18C5F 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 00098548 00E18F2C 03DF ADD EBX,EDI ; ebx = 00D8360D + 00098548 = 00E1BB55 00E18F2E 0F85 E6020000 JNZ 0x90_5bi.00E1921A 00E1921A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 00E19502 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; 0x90_5bi.00E1BB55 00E197AA 83C6 07 ADD ESI,7 ; esi = 00E1BB30 00E19A7D 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E19D3A 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E1A00D 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 3 00E09D76 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 0 00E0A03E FF0C85 3687DE00 DEC DWORD PTR DS:[EAX*4+DE8736] ; 0x90_5bi.00E1BB55 (get G (47)) 00E0AACC C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E0AD8F 83C6 03 ADD ESI,3 ; esi = 00E1BB33 00E0B06B 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E0B31E 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E0B599 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 3 00DF7787 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 2 00DF7A49 8B0485 3687DE00 MOV EAX,DWORD PTR DS:[EAX*4+DE8736] ; eax = 0000char6_char5 00DF7CF9 0FB64E 03 MOVZX ECX,BYTE PTR DS:[ESI+3] ; ecx = 1 00DF7FC4 /FF248D E9B9E100 JMP DWORD PTR DS:[ECX*4+E1B9E9] ; 0x90_5bi.00DF9048 00DF92E8 0FB64E 04 MOVZX ECX,BYTE PTR DS:[ESI+4] ; ecx = 0 00DF9593 8B0C8D 3687DE00 MOV ECX,DWORD PTR DS:[ECX*4+DE8736] ; 0x90_5bi.00E1BB54 00DF9848 66:3101 XOR WORD PTR DS:[ECX],AX ; 4247 xor char6_char55eme char xor 47 (G) 6eme char xor 42 (B)
00DF9AE6 83C6 05 ADD ESI,5 ; esi = 00E1BB38 00DF9D86 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 0 00DFA043 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9A9 00DFA2CB 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 3 00E1B372 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] 00E1B376 83F0 66 XOR EAX,66 ; eax = 0 00E1B64A 8F0485 3687DE00 POP DWORD PTR DS:[EAX*4+DE8736] ; pointer to 5th char 00E1B8CF 83C6 04 ADD ESI,4 00E1B8D2 4E DEC ESI ; esi = 00E1BB3B 00E1B8D3 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E1B8D6 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E1B8DD 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 0A 00E0B8C1 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 0 00E0B8C5 8B0485 3687DE00 MOV EAX,DWORD PTR DS:[EAX*4+DE8736] ; eax = pointer to 5th char 00E0BB76 0FB600 MOVZX EAX,BYTE PTR DS:[EAX] ; eax = hexa value of the 5th char 00E0BE33 0FB67E 03 MOVZX EDI,BYTE PTR DS:[ESI+3] ; edi = 2 00E0C0C0 8904BD 3687DE00 MOV DWORD PTR DS:[EDI*4+DE8736],EAX ; set the 5th char in memory 00E0C3C4 83C6 04 ADD ESI,4 ; esi = 00E1BB3F 00E0C3C7 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E0C674 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E0C67B 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E18478 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 3 00E18721 83E8 03 SUB EAX,3 ; eax = 0 00E189C0 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = pointer to 5th char 00E18C5F 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 2 00E18F2C 03DF ADD EBX,EDI ; ebx = pointer to 7th char 00E18F2E 0F85 E6020000 JNZ 0x90_5bi.00E1921A 00E1921A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 00E19502 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set pointer to 7th char in memory 00E197AA 83C6 07 ADD ESI,7 ; esi = 00E1BB46 00E19A7D 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E19D3A 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E1A00D 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] 00E0B8C1 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 0 00E0B8C5 8B0485 3687DE00 MOV EAX,DWORD PTR DS:[EAX*4+DE8736] ; eax = pointer to 7th char 00E0BB76 0FB600 MOVZX EAX,BYTE PTR DS:[EAX] ; eax = hexa value of the 7th char 00E0BE33 0FB67E 03 MOVZX EDI,BYTE PTR DS:[ESI+3] ; edi = 1 00E0C0C0 8904BD 3687DE00 MOV DWORD PTR DS:[EDI*4+DE8736],EAX ; set 000000char7 in memory 00E0C3C4 83C6 04 ADD ESI,4 ; esi = 00E1BB4A 00E0C3C7 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E0C674 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E0C67B 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 9 00E055EA 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 2 00E058B1 48 DEC EAX ; eax = 1 00E05B4B 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = hexa value of the 7th char 00E05DFF 0FB646 03 MOVZX EAX,BYTE PTR DS:[ESI+3] ; eax = 5 00E060DF 83E8 03 SUB EAX,3 ; eax = 2 00E0636D 8B3C85 3687DE00 MOV EDI,DWORD PTR DS:[EAX*4+DE8736] ; edi = hexa value of the 5th char 00E06610 03FB ADD EDI,EBXedi = 000000char5 + 000000char7 = 000000char5_7
00E06612 0F85 3C050000 JNZ 0x90_5bi.00E06B54 00E06E08 C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E070E0 893C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EDI ; set 000000char5_7 in memory 00E070E7 83C6 04 ADD ESI,4 ; esi = 00E1BB4E 00E07390 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 5 00E07680 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1BA35 00E07687 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 0 00E1389E 8B46 02 MOV EAX,DWORD PTR DS:[ESI+2] ; 0x90_5bi.00E1BB86 00E13B63 8D7E 06 LEA EDI,DWORD PTR DS:[ESI+6] ; edi = 00E1BB54 00E13B66 57 PUSH EDI 00E13E36 8BF0 MOV ESI,EAX ; 0x90_5bi.00E1BB86 00E13E38 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E13E3B 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E140DA 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 2 00DFDF5E 05 04EDFDAE ADD EAX,AEFDED04eax = 51021348 => eax = 51021348 + AEFDED04 = 0000004C
00DFE20E 0FB67E 06 MOVZX EDI,BYTE PTR DS:[ESI+6] ; edi = 1 00DFE4DC 8904BD 3687DE00 MOV DWORD PTR DS:[EDI*4+DE8736],EAX ; set 0000004C in memory 00DFE4E3 83C6 07 ADD ESI,7 ; esi = 00E1BB8D 00DFE7A5 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00DFEA74 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00DFED0E 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E0D76F FF0485 3687DE00 INC DWORD PTR DS:[EAX*4+DE8736] ; 0000004C + 1 = 0000004D 00E0D776 /0F85 76050000 JNZ 0x90_5bi.00E0DCF2 00E0DF7A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E0E229 83C6 03 ADD ESI,3 ; esi = 00E1BB90 00E0E4FA 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E0E7C1 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E0E7C8 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E0D76F FF0485 3687DE00 INC DWORD PTR DS:[EAX*4+DE8736] ; 0000004D + 1 = 0000004E 00E0D776 0F85 76050000 JNZ 0x90_5bi.00E0DCF2 00E0DF7A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E0E229 83C6 03 ADD ESI,3 ; esi = 00E1BB93 00E0E4FA 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E0E7C1 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E0E7C8 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E18478 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 4 00E18721 83E8 03 SUB EAX,3 ; eax = 1 00E189C0 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = 0000004E 00E18C5F 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 00000005 00E18F2C 03DF ADD EBX,EDI ; ebx = 0000004E + 00000005 = 00000053 00E18F2E 0F85 E6020000 JNZ 0x90_5bi.00E1921A 00E1921A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E19502 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set 00000053 in memory 00E197AA 83C6 07 ADD ESI,7 ; esi = 00E1BB9A 00E19A7D 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E19D3A 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E1A00D 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 3 00E09D76 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 1 00E0A03E FF0C85 3687DE00 DEC DWORD PTR DS:[EAX*4+DE8736] ; 00000053 - 1 = 00000052 00E0A045 0F85 C6070000 JNZ 0x90_5bi.00E0A811 00E0AACC C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E0AD8F 83C6 03 ADD ESI,3 ; esi = 00E1BB9D 00E0B31E 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1A2DA 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 3 00E1A582 83E8 02 SUB EAX,2 ; eax = 1 00E1A852 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = 00000052 00E1ADD3 2BDF SUB EBX,EDI ; 00000052 - 00000004 = 0000004E 00E1ADD5 75 09 JNZ SHORT 0x90_5bi.00E1ADE0 00E1ADD7 8325 4A87DE00 0>AND DWORD PTR DS:[DE874A],0 00E1ADDE EB 0A JMP SHORT 0x90_5bi.00E1ADEA 00E1ADE0 C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E1ADEA 60 PUSHAD 00E1B05F 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set 0000004E in memory 00E1B066 83C6 07 ADD ESI,7 ; esi = 00E1BBA4 00E1B069 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E1B06C 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1B073 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 5 00E1A2DA 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 4 00E1A582 83E8 02 SUB EAX,2 ; eax = 2 00E1A852 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = 000000char5_7 00E1AB03 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 0000005A 00E1ADD3 2BDF SUB EBX,EDIebx = 000000char5_7 - 0000005A = 000000char5_7(1)
00E1ADD5 75 09 JNZ SHORT 0x90_5bi.00E1ADE0 00E1ADD7 8325 4A87DE00 0>AND DWORD PTR DS:[DE874A],0 00E1ADDE EB 0A JMP SHORT 0x90_5bi.00E1ADEA 00E1ADE0 C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E1B05F 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set 000000char5_7(1) in memory 00E1B066 83C6 07 ADD ESI,7 ; esi = 00E1BBAB 00E1B069 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E1B073 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 0A 00DFBBE6 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 4 00DFBEAA 83E8 02 SUB EAX,2 ; eax = 2 00DFBEAD 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = 000000char5_7(1) 00DFC166 0FB646 03 MOVZX EAX,BYTE PTR DS:[ESI+3] ; eax = 2 00DFC41D 48 DEC EAX ; eax = 1 00DFC6C7 8B3C85 3687DE00 MOV EDI,DWORD PTR DS:[EAX*4+DE8736] ; edi = 0000004E 00DFC98A 3BFB CMP EDI,EBX
So we need :
000000char5_7(1) = 0000004E
<=> (000000char5 + 000000char7) - 0000005A = 0000004E
The possible values for char5 and char7 are : (000000char5 + 000000char7) = 000000A8 * and ~ + and } , and | - and { . and z / and y 0 and x 1 and w 2 and v 3 and u 4 and t 5 and s 6 and r 7 and q 8 and p 9 and o : and n ; and m < and l = and k > and j ? and i @ and h A and g B and f C and e D and d E and c F and b G and a H and ` I and _ J and ^ K and ] L and \ M and [ N and Z O and Y P and X Q and W R and V S and U T and T
00DFC98C 0F85 6B050000 JNZ 0x90_5bi.00DFCEFD 00DFCC35 8325 4A87DE00 0>AND DWORD PTR DS:[DE874A],0 00DFD18C 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set 000000char5_7(1) in memory 00DFD43F 83C6 04 ADD ESI,4 ; esi = 00E1BBAF 00DFD442 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 4 00DFD703 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1BA29 00DFD9B0 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 1 00E07C49 A1 4A87DE00 MOV EAX,DWORD PTR DS:[DE874A] ; eax = value of the mark 00E07EF4 85C0 TEST EAX,EAX ; test the value of the mark 00E07EF6 0F85 550B0000 JNZ 0x90_5bi.00E08A51 00E081AF 83C6 06 ADD ESI,6 ; esi = 00E1BBB5 00E08458 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E08734 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E0873B 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 3 00E09D76 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 0 00E0A03E FF0C85 3687DE00 DEC DWORD PTR DS:[EAX*4+DE8736] ; pointer to the 6th char 00E0A045 0F85 C6070000 JNZ 0x90_5bi.00E0A811 00E0AACC C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E0AD8F 83C6 03 ADD ESI,3 ; esi = 00E1BBB8 00E0B06B 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E0B31E 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E0B599 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 0A 00E0B8C1 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 0 00E0BB76 0FB600 MOVZX EAX,BYTE PTR DS:[EAX] ; eax = 000000char6 00E0BE33 0FB67E 03 MOVZX EDI,BYTE PTR DS:[ESI+3] ; edi = 2 00E0C3C4 83C6 04 ADD ESI,4 ; esi = 00E1BBBC 00E0C3C7 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E0C674 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E0C67B 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E18478 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 3 00E18721 83E8 03 SUB EAX,3 ; eax = 0 00E189C0 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = pointer to the 6th char 00E18C5F 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 2 00E18F2C 03DF ADD EBX,EDI ; ebx = pointer to the 8th char 00E18F2E 0F85 E6020000 JNZ 0x90_5bi.00E1921A 00E1921A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E19502 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set pointer to the 8th char in memory 00E197AA 83C6 07 ADD ESI,7 ; esi = 00E1BBC3 00E19A7D 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E19D3A 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E1A00D 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 0A 00E0B8C1 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 0 00E0B8C5 8B0485 3687DE00 MOV EAX,DWORD PTR DS:[EAX*4+DE8736] ; addresse pointe 8eme char 00E0BB76 0FB600 MOVZX EAX,BYTE PTR DS:[EAX] ; eax = 000000char8 00E0BE33 0FB67E 03 MOVZX EDI,BYTE PTR DS:[ESI+3] ; edi = 1 00E0C0C0 8904BD 3687DE00 MOV DWORD PTR DS:[EDI*4+DE8736],EAX ; set 000000char8 in memory 00E0C3C4 83C6 04 ADD ESI,4 ; esi = 00E1BBC7 00E0C3C7 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E0C674 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E0C67B 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 9 00E055EA 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 2 00E058B1 48 DEC EAX ; eax = 1 00E05B4B 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = 000000char8 00E05DFF 0FB646 03 MOVZX EAX,BYTE PTR DS:[ESI+3] ; eax = 5 00E060DF 83E8 03 SUB EAX,3 ; eax = 2 00E0636D 8B3C85 3687DE00 MOV EDI,DWORD PTR DS:[EAX*4+DE8736] ; edi = 000000char6 00E06610 03FB ADD EDI,EBXedi = 000000char6 + 000000char8 = 000000char6_8
00E06612 0F85 3C050000 JNZ 0x90_5bi.00E06B54 00E06E08 C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 00E070E0 893C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EDI ; set 000000char6_8 in memory 00E070E7 83C6 04 ADD ESI,4 ; esi = 00E1BBCB 00E07390 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E07680 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E07687 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E0D76F FF0485 3687DE00 INC DWORD PTR DS:[EAX*4+DE8736]000000char6_8(1) = 000000char6_8 + 1
00E0D776 0F85 76050000 JNZ 0x90_5bi.00E0DCF2 00E0DF7A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 00E0E229 83C6 03 ADD ESI,3 ; esi = 00E1BBCE 00E0E4FA 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E0E7C1 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E0E7C8 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 5 00E1A2DA 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 4 00E1A582 83E8 02 SUB EAX,2 ; eax = 2 00E1A852 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; ebx = 000000char6_8(1) 00E1AB03 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 000000char5_7(1) = 0000004E 00E1ADD3 2BDF SUB EBX,EDI000000char6_8(2) = 000000char6_8(1) - 000000char5_7(1) <=> 000000char6_8(2) = 000000char6_8(1) - 0000004E
00E1ADD5 75 09 JNZ SHORT 0x90_5bi.00E1ADE0 00E1ADD7 8325 4A87DE00 0>AND DWORD PTR DS:[DE874A],0 00E1ADDE EB 0A JMP SHORT 0x90_5bi.00E1ADEA 00E1ADE0 C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E1B05F 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; set 000000char6_8(2) in memory 00E1B066 83C6 07 ADD ESI,7 ; esi = 00E1BBD5 00E1B069 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 0 00E1B06C 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9A9 00E1B073 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 1 00DEC633 8B46 02 MOV EAX,DWORD PTR DS:[ESI+2] ; eax = 5310CA2D 00DEC8CD 05 3713D0AD ADD EAX,ADD01337 ; eax = 00E0DD64 00DECB8A 50 PUSH EAX ; 0x90_5bi.00E0DD64 00DECE37 B8 D1F5FFFF MOV EAX,-0A2F ; eax = FFFFF5D1 00DED113 F7D0 NOT EAX ; eax = 00000A2E 00DED3BB 35 280A0000 XOR EAX,0A28 ; eax = 00000006 00DED680 8D3406 LEA ESI,DWORD PTR DS:[ESI+EAX] ; esi = 00E1BBDB 00DED936 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 0 00DEDC00 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9A9 00DEDE7F 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 3 00E1B372 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 66 00E1B376 83F0 66 XOR EAX,66 ; eax = 0 00E1B64A 8F0485 3687DE00 POP DWORD PTR DS:[EAX*4+DE8736] ; 0x90_5bi.00E0DD64 00E1B8CF 83C6 04 ADD ESI,4 00E1B8D2 4E DEC ESI ; esi = 00E1BBDE 00E1B8D3 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E1B8D6 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E1B8DD 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E18478 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 3 00E18721 83E8 03 SUB EAX,3 ; eax = 0 00E189C0 8B1C85 3687DE00 MOV EBX,DWORD PTR DS:[EAX*4+DE8736] ; 0x90_5bi.00E0DD64 00E18C5F 8B7E 03 MOV EDI,DWORD PTR DS:[ESI+3] ; edi = 0000DEAC 00E18F2C 03DF ADD EBX,EDI ; 00E0DD64 + 0000DEAC = 00E1BC10 00E18F2E 0F85 E6020000 JNZ 0x90_5bi.00E1921A 00E19502 891C85 3687DE00 MOV DWORD PTR DS:[EAX*4+DE8736],EBX ; 0x90_5bi.00E1BC10 00E197AA 83C6 07 ADD ESI,7 ; esi = 00E1BBE5 00E19A7D 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E19D3A 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E1A00D 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] 00E0D76F FF0485 3687DE00 INC DWORD PTR DS:[EAX*4+DE8736] ; 0x90_5bi.00E1BC10 00E0D776 0F85 76050000 JNZ 0x90_5bi.00E0DCF2 00E0DF7A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 ; set mark to 1 00E0E229 83C6 03 ADD ESI,3 ; esi = 00E1BBE8 00E0E4FA 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E0E7C1 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E0E7C8 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 3 00DF7787 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 2 00DF7A49 8B0485 3687DE00 MOV EAX,DWORD PTR DS:[EAX*4+DE8736] ; eax = 000000char6_8(2) 00DF7CF9 0FB64E 03 MOVZX ECX,BYTE PTR DS:[ESI+3] ; ecx = 0 00DF7FC4 /FF248D E9B9E100 JMP DWORD PTR DS:[ECX*4+E1B9E9] ; 0x90_5bi.00DF7FCB 00DF8266 0FB64E 04 MOVZX ECX,BYTE PTR DS:[ESI+4] ; ecx = 0 00DF8532 8B0C8D 3687DE00 MOV ECX,DWORD PTR DS:[ECX*4+DE8736] ; 0x90_5bi.00E1BC11 00DF87CF 3001 XOR BYTE PTR DS:[ECX],AL000000char6_8(2) xor 47 (G)
00DF8A6F 83C6 05 ADD ESI,5 ; esi = 00E1BBED 00DF8A72 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00DF8D16 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00DF8FFA 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 2 00DFDF5E 05 04EDFDAE ADD EAX,AEFDED04eax = 51021345 => eax = 51021345 + AEFDED04 = 00000049
00DFE20E 0FB67E 06 MOVZX EDI,BYTE PTR DS:[ESI+6] ; edi = 3 00DFE4DC 8904BD 3687DE00 MOV DWORD PTR DS:[EDI*4+DE8736],EAX ; set 00000049 in memory 00DFE4E3 83C6 07 ADD ESI,7 ; esi = 00E1BBF4 00DFE7A5 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 0 00DFEA74 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9A9 00DFED0E 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] 00DEC633 8B46 02 MOV EAX,DWORD PTR DS:[ESI+2] ; eax = 5311A8F3 00DEC8CD 05 3713D0AD ADD EAX,ADD01337 ; eax = 00E1BC2A 00DECB8A 50 PUSH EAX ; 0x90_5bi.00E1BC2A 00DECE37 B8 D1F5FFFF MOV EAX,-0A2F 00DED113 F7D0 NOT EAX ; eax = 00000A2E 00DED3BB 35 280A0000 XOR EAX,0A28 ; eax = 6 00DED680 8D3406 LEA ESI,DWORD PTR DS:[ESI+EAX] ; esi = 00E1BBFA 00DED936 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 0 00DEDC00 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9A9 00DEDE7F 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 3 00E1B372 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] 00E1B376 83F0 66 XOR EAX,66 ; eax = 0 00E1B64A 8F0485 3687DE00 POP DWORD PTR DS:[EAX*4+DE8736] ; 0x90_5bi.00E1BC2A 00E1B8CF 83C6 04 ADD ESI,4 00E1B8D2 4E DEC ESI ; esi = 00E1BBFD 00E1B8D3 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E1B8D6 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E1B8DD 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 4 00E0D76F FF0485 3687DE00 INC DWORD PTR DS:[EAX*4+DE8736] ; 000000char6_8(2) + 1000000char6_8(3) = 000000char6_8(2) + 1
00E0D776 0F85 76050000 JNZ 0x90_5bi.00E0DCF2 00E0DF7A C705 4A87DE00 0>MOV DWORD PTR DS:[DE874A],1 00E0E229 83C6 03 ADD ESI,3 ; esi = 00E1BC00 00E0E4FA 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 1 00E0E7C1 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9BD 00E0E7C8 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 3 00DF7787 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 2 00DF7A49 8B0485 3687DE00 MOV EAX,DWORD PTR DS:[EAX*4+DE8736] ; eax = 000000char6_8(3) 00DF7CF9 0FB64E 03 MOVZX ECX,BYTE PTR DS:[ESI+3] ; ecx = 0 00DF8266 0FB64E 04 MOVZX ECX,BYTE PTR DS:[ESI+4] ; ecx = 0 00DF8532 8B0C8D 3687DE00 MOV ECX,DWORD PTR DS:[ECX*4+DE8736] ; 0x90_5bi.00E1BC2A 00DF87CF 3001 XOR BYTE PTR DS:[ECX],AL ; xor 0x43 and 0x14
An other decryption loop is at the end of the code of the VM.
The hardware breakpoints used to decrypt it quickly are set at :
00E0E7D2 00E0B5A3 00E09A71 00DF9004 (The sames than before).
This decryption loop will decrypt a string and we can see that the last byte of the string to decrypt is 0x43.
00E1BC1E 14 26 2F 20 00E1BC2E 2C 2E 26 6D 6D 6D 49 4E 06 3B 33 2F 2C 2A 37 63 00E1BC3E 25 2C 31 63 2A 37 63 27 2C 26 30 2D 64 37 63 2E 00E1BC4E 22 37 37 26 31 63 72 6D 3B 63 00 2C 36 31 37 26 00E1BC5E 30 3A 63 2C 25 63 0D 2A 20 2C 2F 22 30 63 01 31 00E1BC6E 36 2F 26 39 43
So if we want to correctly decrypt the string, the value to xor with will be 0x43, and we will have an end of string (0).
000000char6_8(3) xor 14 -> 000000char6_8(3) needs to be equal to 0x43 to correctly decrypt the string. So we have : 000000char6_8(3) = 0x43 <=> 000000char6_8(2) = 0x43 - 1 = 0x42 <=> 000000char6_8(1) = 0x42 + 0x4E = 0x90 <=> 000000char6_8 = 0x90 - 1 = 0x8F <=> 000000char6 + 000000char8 = 0x8F And the possible values for char6 and char8 are : ! and n " and m # and l $ and k % and j & and i ' and h ( and g ) and f * and e + and d , and c - and b . and a / and ` 0 and _ 1 and ^ 2 and ] 3 and \ 4 and [ 5 and Z 6 and Y 7 and X 8 and W 9 and V : and U ; and T < and S = and R > and Q ? and P @ and O A and N B and M C and L D and K E and J F and I G and H
When the string is decrypted, we can read :
00E1BC24 57 65 6C 63 6F 6D 65 2E 2E 2E Welcome... 00E1BC34 0A 0D 45 78 70 6C 6F 69 74 20 66 6F 72 20 69 74 ..Exploit for it 00E1BC44 20 64 6F 65 73 6E 27 74 20 6D 61 74 74 65 72 20 doesn't matter 00E1BC54 31 2E 78 20 43 6F 75 72 74 65 73 79 20 6F 66 20 1.x Courtesy of 00E1BC64 4E 69 63 6F 6C 61 73 20 42 72 75 6C 65 7A 00 Nicolas Brulez.
Now we will try to show this string in the console.
00E0E4FA 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 2 00E0E7C1 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1B9F5 00E0E7C8 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 3 00E09D76 0FB646 02 MOVZX EAX,BYTE PTR DS:[ESI+2] ; eax = 3 00E0A03E FF0C85 3687DE00 DEC DWORD PTR DS:[EAX*4+DE8736] ; 1 - 0 (fin décryption) 00E0A045 0F85 C6070000 JNZ 0x90_5bi.00E0A811 00E0A2E4 8325 4A87DE00 0>AND DWORD PTR DS:[DE874A],0 ; value of the mark AND 0 00E0AD8F 83C6 03 ADD ESI,3 ; esi = 00E1BC0B 00E0B06B 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 4 00E0B31E 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1BA29 00E0B599 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 1 00E07C49 A1 4A87DE00 MOV EAX,DWORD PTR DS:[DE874A] ; eax = value of the mark (0) 00E07EF4 85C0 TEST EAX,EAX ; test the mark 00E07EF6 0F85 550B0000 JNZ 0x90_5bi.00E08A51 ; no jump 00E081AF 83C6 06 ADD ESI,6 ; esi = 00E1BC11 00E08458 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 5 00E08734 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E1BA35 00E0873B 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 1 00E1555E 5E POP ESI ; 0x90_5bi.00E1BB5400E1BB54 13 73 .s ; the result of the char6_char5 value xored with 4247 before
00E1555F 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] ; eax = 13 00E15811 8B3C85 91B9E100 MOV EDI,DWORD PTR DS:[EAX*4+E1B991] ; 0x90_5bi.00E016ED 00E15AC3 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1] ; eax = 73We are in a SEH here, and with sadness we can see that it crashes when the execute the sysenter...
7FFE0300 8BD4 MOV EDX,ESP 7FFE0302 0F34 SYSENTER ; <--- here 7FFE0304 C3 RETN
Before executing this code, it gets the "1373" value (the result of the operation : char6 xor 42 and char5 xor 47).
I decided to select 0 as a result, maybe it will not crash anymore...
The unique way to have char6 xor 42 = 0 and char5 xor 47 = 0 is :
5eme char xor 47 (G) = 0
<=> 5eme char = 47 (G)
6eme char xor 42 (B)
<=> 6eme char = 42 (B)
If we read the tables I wrote above, we can see :
"The possible values for char5 and char7 are :
(000000char5 + 000000char7) = 000000A8
[...]
G and a
[...]"
So if char5 = "G", char7 will be "a"
"And the possible values for char6 and char8 are :
[...]
B and M
[...]"
So if char6 = "B", char7 will be "M"
=> A correct pass will be for example :
"1D3NGBaM" (without double-quote)
We test it :
C:\agadou>0x90.exe 1D3NGBaM Welcome... Exploit for it doesn't matter 1.x Courtesy of Nicolas Brulez C:\agadou>
It seems to be perfect :) Yaooh !
The other valid passwords found with the previous tables above and by testing in a cmd : 1D3NGAaN 1D3NGCaL 1D3NCCeL 1D3NDBdM 1D3NEAcN 1D3NEGcH
The binary is ever hard to reverse engineer ! But as we have seen, I was able to quickly trace the code because there
are some vulnerabilies in the protection.
I think obfuscation code between the real instructions of the VM would be better.
Find a solution to disallow BPMs on the SEH handler would be a problem (boring!), and more layers too... there are never enough layers ;)
Add some CRC checks to verify the integrity of the binary : if the obfuscation code are cleared that will be detected.
Maybe add a anti-dump trick : no errors allowed in a manual analyse.
And a system of authentification harder to reverse with tests on the MD5 hash of the password for instance... not directly on the
value.
In my opinion, the protection is too much repetitive. Automatisation the decryption of the
layers is not easy, but we can suppose these layers were generated with a tool. The code is the same each time or nearly the same.
It is the same problem for the SEH and the detection by exceptions for example. If we understand one of these and we pass succesfully one
of these, then we are able to pass all of them... we just need to be patient. It's a shame :)
Thanks to Nicolas Brulez and The Honeynet Project for this very interesting binary.
Thanks to my friends for motivation and to readers of this paper for their tolerance... I know, I have to improve
my english language...
Greetings to all my french friends.