Quick introduction to reverse engineering for beginners
.text:0054134A push edi
.text:0054134B push 2 ; Origin
.text:0054134D push 0 ; Offset
.text:0054134F push ebp ; File
; move current file position to the end
.text:00541350 call _fseek
.text:00541355 push ebp ; File
.text:00541356 call _ftell ; get current file position
.text:0054135B push 0 ; Origin
.text:0054135D push 0 ; Offset
.text:0054135F push ebp ; File
.text:00541360 mov [esp+2Ch+Str], eax
; move current file position to the start
.text:00541364 call _fseek
This piece of code calculates the file size aligned to a 64-byte border, because this cryptoalgorithm
works only with 64-byte blocks. The operation is pretty simple: divide the file size by 64, forget about the remainder,
add 1, then multiply by 64. The following code removes the remainder as if the value had already been divided by 64,
and adds 64. It is almost the same.
.text:00541369 mov esi, [esp+2Ch+Str]
.text:0054136D and esi, 0FFFFFFC0h ; reset all lowest 6 bits
.text:00541370 add esi, 40h ; align size to 64-byte border
Allocate buffer with aligned size:
.text:00541373 push esi ; Size
.text:00541374 call _malloc
Call memset(), i.e., clear the allocated buffer (see footnote 2).
.text:00541379 mov ecx, esi
.text:0054137B mov ebx, eax ; allocated buffer pointer -> to EBX
.text:0054137D mov edx, ecx
.text:0054137F xor eax, eax
.text:00541381 mov edi, ebx
.text:00541383 push ebp ; File
.text:00541384 shr ecx, 2
.text:00541387 rep stosd
.text:00541389 mov ecx, edx
.text:0054138B push 1 ; Count
.text:0054138D and ecx, 3
.text:00541390 rep stosb ; memset (buffer, 0, aligned_size)
Read the file via the standard C function fread().
.text:00541392 mov eax, [esp+38h+Str]
.text:00541396 push eax ; ElementSize
.text:00541397 push ebx ; DstBuf
.text:00541398 call _fread ; read file
.text:0054139D push ebp ; File
.text:0054139E call _fclose
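The sequence disassembled above, written back as C. This is an added example, not code from the original text or from the analysed program: the names align64_div, align64_mask and read_padded are hypothetical, and the ftell(), 32-bit wrap and malloc() checks are additions the listing does not contain. It also shows that the divide form and the AND/ADD form agree, and that a size already a multiple of 64 still gains one full block.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Prose form: divide by 64, drop the remainder, add 1, multiply by 64. */
uint32_t align64_div(uint32_t size) { return (size / 64 + 1) * 64; }

/* Listing form: AND ESI, 0FFFFFFC0h ; ADD ESI, 40h */
uint32_t align64_mask(uint32_t size) { return (size & 0xFFFFFFC0u) + 0x40u; }

/* Hypothetical helper mirroring 0054134A..0054139E: size the file, allocate
 * a zeroed buffer of the aligned size, read the file, close it.
 * Returns NULL on error; *aligned receives the buffer size. */
unsigned char *read_padded(FILE *f, uint32_t *aligned)
{
    unsigned char *buf = NULL;
    long size;

    if (fseek(f, 0, SEEK_END) != 0) goto out;   /* Origin = 2 */
    size = ftell(f);
    /* Added checks: ftell() failure, and sizes whose aligned value wraps to 0. */
    if (size < 0 || (unsigned long)size > 0xFFFFFFBFul) goto out;
    if (fseek(f, 0, SEEK_SET) != 0) goto out;   /* Origin = 0 */

    *aligned = align64_mask((uint32_t)size);
    buf = malloc(*aligned);
    if (buf == NULL) goto out;                  /* added check */
    memset(buf, 0, *aligned);                   /* REP STOSD + REP STOSB */
    /* fread(DstBuf, ElementSize = file size, Count = 1, File) */
    if (size > 0 && fread(buf, (size_t)size, 1, f) != 1) {
        free(buf);
        buf = NULL;
    }
out:
    fclose(f);
    return buf;
}

int main(void)
{
    /* Constructed sizes: empty, tiny, one below a block, exact block, 100. */
    uint32_t s[] = {0, 1, 63, 64, 100};
    for (int i = 0; i < 5; i++)
        printf("%u -> %u / %u\n", (unsigned)s[i],
               (unsigned)align64_div(s[i]), (unsigned)align64_mask(s[i]));
    return 0;
}
```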
Call crypt(). This function takes the buffer, the buffer size (aligned) and the password string.
2 malloc() + memset() could be replaced by calloc()<br />