Question

I am trying to recover an encryption method from an executable file. I have unpacked it and started to analyze it with IDA Pro.

I have encountered a piece of code that I cannot understand at all. The following is the asm code block.

___:00A11B6F 008                 mov     eax, [ebp+DecryptedBytes]
___:00A11B72 008                 push    eax
___:00A11B73 00C                 push    100h
___:00A11B78 010                 push    offset CI_StrCmp
___:00A11B7D 014                 mov     ecx, [ebp+LengthValueOfBytes]
___:00A11B80 014                 push    ecx
___:00A11B81 018                 mov     edx, [ebp+Bytes]
___:00A11B84 018                 add     edx, 4
___:00A11B87 018                 push    edx
___:00A11B88 01C                 call    rijndaelDecrypt

And the pseudocode for this is:

*(_DWORD *)DecryptResult = rijndaelDecrypt(Bytes + 4, LengthValueOfBytes, (int)CI_StrCmp, 0x100u, DecryptedBytes);

CI_StrCmp is a case-insensitive string comparison function. The rijndaelDecrypt function reads 16 bytes from this argument. I think it is a key.

The following is the rijndaelDecrypt function.

void *__cdecl rijndaelDecrypt(int Bytes, unsigned int Length, int Key, unsigned int BitSize, int a5)
{
  void *DecryptedBytes; // ebx@1
  void *result; // eax@5
  unsigned int v7; // [sp+Ch] [bp-118h]@2    // v7..v10: four DWORDs = the 16-byte key built below
  unsigned int v8; // [sp+10h] [bp-114h]@2
  unsigned int v9; // [sp+14h] [bp-110h]@2
  unsigned int v10; // [sp+18h] [bp-10Ch]@2
  char v11; // [sp+1Ch] [bp-108h]@1           // 0x108-byte key-schedule context filled by rijndaelSetupDecrypt

  DecryptedBytes = malloc_2(Length);
  memset(&v11, 0, 0x108u);
  if ( (signed int)BitSize >= 16 )            // despite the name, BitSize is a byte count (0x100 in the call above)
  {
    v7 = *(_DWORD *)Key;                      // take the first 16 bytes at Key verbatim:
    v8 = *(_DWORD *)(Key + 4);                // here Key is the address of CI_StrCmp, so these
    v9 = *(_DWORD *)(Key + 8);                // are the first 16 bytes of its machine code
    v10 = *(_DWORD *)(Key + 12);
  }
  else
  {
    v7 = 0x12121212u;                         // shorter key material is padded with 0x12 bytes
    v8 = 0x12121212u;
    v9 = 0x12121212u;
    v10 = 0x12121212u;
    memcpy(&v7, (const void *)Key, BitSize);  // then overwritten with the BitSize bytes that exist
  }
  if ( rijndaelSetupDecrypt((int)&v7, 16, (int)&v11) == 1 )   // 16-byte key: AES-128 decryption schedule
  {
    sub_A125B0(Bytes, Length, DecryptedBytes, (int)&v11, a5);  // the actual block decryption of the input
    result = DecryptedBytes;
  }
  else
  {
    result = 0;
  }
  return result;
}

My question is: what is the meaning of passing the offset of one procedure to another? It makes no sense to me.

p.s. Sorry for my bad English.


Solution

Ok, I get it... They are using the actual code of CI_StrCmp(1) as the key(2) to do the decryption. Code is covered by copyright, so in order for you to decrypt the data in your own program, you must include their code for CI_StrCmp, thus you are infringing on their copyright, i.e. breaking the law.

(1) The actual compiled instructions for the functions.

(2) Think public\private key.

OTHER TIPS

If by "sending offset of a procedure" you mean this statement: push offset CI_StrCmp

it's passing the address of the StrCmp function into the Decrypt routine so Decrypt can call it.

I'm guessing the function prototype of Decrypt goes something like this...

DWORD rijndaelDecrypt (const void *pData, size_t SizeOfData, int CmpFuncAddress, int Value, DWORD *pDecryptCount);

More correctly it should be like this...

typedef int COMPARE_FUNCTION (const char *, const char *);
DWORD rijndaelDecrypt (const void *pData, size_t SizeOfData, COMPARE_FUNCTION *, int Value, DWORD *pDecryptCount);
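As an added example, not code from the question or from either answer: the key-selection logic of the decompiled rijndaelDecrypt reimplemented in C, with a hypothetical stand-in for CI_StrCmp (the real function's body is not on the page), so that the same 16-byte AES-128 key can be rebuilt from bytes dumped out of IDA and handed to any standard AES implementation. The names derive_code_key, ci_strcmp, key_from_function and key_matches_code are mine, as is the assumption that the fifth argument plays no part in the key.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_BYTES 16     /* rijndaelSetupDecrypt(&v7, 16, ...) => AES-128 */
#define KEY_PAD   0x12   /* filler used by the decompiled else-branch (0x12121212) */

/*
 * Mirrors the key-selection part of the decompiled rijndaelDecrypt.
 * key_src is whatever was passed as Key (in the question: the address of
 * CI_StrCmp, i.e. its machine code). len is the argument IDA named BitSize;
 * the code treats it as a byte count (0x100 in the call shown), not bits.
 */
void derive_code_key(const void *key_src, size_t len, uint8_t out[KEY_BYTES])
{
    if (len >= KEY_BYTES) {
        /* Longer material is simply truncated: only the first 16 bytes matter. */
        memcpy(out, key_src, KEY_BYTES);
    } else {
        /* Shorter material is padded with 0x12, as v7..v10 = 0x12121212 shows. */
        memset(out, KEY_PAD, KEY_BYTES);
        memcpy(out, key_src, len);
    }
}

/*
 * Hypothetical stand-in for CI_StrCmp: a plain case-insensitive compare whose
 * compiled bytes serve as key material. Its body is irrelevant to the key
 * derivation; what matters is that it is a real function living in .text.
 */
int ci_strcmp(const char *a, const char *b)
{
    while (*a && *b) {
        int d = tolower((unsigned char)*a) - tolower((unsigned char)*b);
        if (d != 0)
            return d;
        a++;
        b++;
    }
    return tolower((unsigned char)*a) - tolower((unsigned char)*b);
}

typedef int (*cmp_fn)(const char *, const char *);

/* Reinterpret a function pointer as a pointer to its first instruction bytes.
 * Converting a function pointer to an object pointer is not portable ISO C,
 * but it is exactly what the binary does, and .text is mapped readable on the
 * usual desktop platforms; memcpy avoids the direct cast. */
static const unsigned char *code_of(cmp_fn fn)
{
    const unsigned char *code;
    memcpy(&code, &fn, sizeof code);
    return code;
}

/* The "push offset CI_StrCmp" of the question, seen from C. */
void key_from_function(cmp_fn fn, size_t len, uint8_t out[KEY_BYTES])
{
    derive_code_key(code_of(fn), len, out);
}

/* Quick check: is key exactly the first 16 code bytes of fn? */
int key_matches_code(cmp_fn fn, const uint8_t key[KEY_BYTES])
{
    return memcmp(code_of(fn), key, KEY_BYTES) == 0;
}

int main(void)
{
    uint8_t key[KEY_BYTES];
    key_from_function(ci_strcmp, 0x100, key);   /* same arguments as the call in the question */
    printf("AES-128 key taken from ci_strcmp's code: ");
    for (int i = 0; i < KEY_BYTES; i++)
        printf("%02x", key[i]);
    printf("\n");
    return 0;
}
```

With a dump of the real CI_StrCmp from IDA, pass those bytes to derive_code_key with len 0x100 and use the result as an ordinary AES-128 key. Because the key is the code itself, any change to those first 16 bytes changes the key and turns the decryption into garbage; on x86 that includes a software breakpoint (0xCC) placed at the start of CI_StrCmp while the key is being read, which is worth remembering when single-stepping this routine in a debugger.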
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow