DaBookshah
June 22nd, 2007, 04:50
I have 3 questions, in relation to the following disassembly snippet:
Based on the complexity and the place I found it, I think this is some sort of hashing algorithm.
1. Does anyone recognise it? I know the names of a bunch of algorithms (md5, sha-1, blowfish), which I looked up on wikipedia, but I couldn't place it.
2. When I'm trying to find information of this sort, is there a 'best' way/place to look for information?
3. I think I recall vaguely reading about exe analysers which could detect the presence of certain algorithms in a file, maybe based on searching for certain tables? I tried using google, but couldn't find anything because I didn't really know what I was looking for. Can anyone point me in the right direction?
Thank you very much for your time.
Code:
004C9A20 33C0 XOR EAX,EAX
004C9A22 |. 8A4424 08 MOV AL,BYTE PTR SS:[ESP+8]
004C9A26 |> 53 PUSH EBX
004C9A27 |. 8BD8 MOV EBX,EAX
004C9A29 |. C1E0 08 SHL EAX,8
004C9A2C |. 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
004C9A30 |. F7C2 03000000 TEST EDX,3
004C9A36 |. 74 15 JE SHORT 004C9A4D
004C9A38 |> 8A0A /MOV CL,BYTE PTR DS:[EDX]
004C9A3A |. 83C2 01 |ADD EDX,1
004C9A3D |. 3ACB |CMP CL,BL
004C9A3F |.^74 CF |JE SHORT 004C9A10
004C9A41 |. 84C9 |TEST CL,CL
004C9A43 |. 74 51 |JE SHORT 004C9A96
004C9A45 |. F7C2 03000000 |TEST EDX,3
004C9A4B |.^75 EB \JNZ SHORT 004C9A38
004C9A4D |> 0BD8 OR EBX,EAX
004C9A4F |. 57 PUSH EDI
004C9A50 |. 8BC3 MOV EAX,EBX
004C9A52 |. C1E3 10 SHL EBX,10
004C9A55 |. 56 PUSH ESI
004C9A56 |. 0BD8 OR EBX,EAX
004C9A58 |> 8B0A /MOV ECX,DWORD PTR DS:[EDX]
004C9A5A |. BF FFFEFE7E |MOV EDI,7EFEFEFF
004C9A5F |. 8BC1 |MOV EAX,ECX
004C9A61 |. 8BF7 |MOV ESI,EDI
004C9A63 |. 33CB |XOR ECX,EBX
004C9A65 |. 03F0 |ADD ESI,EAX
004C9A67 |. 03F9 |ADD EDI,ECX
004C9A69 |. 83F1 FF |XOR ECX,FFFFFFFF
004C9A6C |. 83F0 FF |XOR EAX,FFFFFFFF
004C9A6F |. 33CF |XOR ECX,EDI
004C9A71 |. 33C6 |XOR EAX,ESI
004C9A73 |. 83C2 04 |ADD EDX,4
004C9A76 |. 81E1 00010181 |AND ECX,81010100
004C9A7C |. 75 1C |JNZ SHORT 004C9A9A
004C9A7E |. 25 00010181 |AND EAX,81010100
004C9A83 |.^74 D3 |JE SHORT 004C9A58
004C9A85 |. 25 00010101 |AND EAX,1010100
004C9A8A |. 75 08 |JNZ SHORT 004C9A94
004C9A8C |. 81E6 00000080 |AND ESI,80000000
004C9A92 |.^75 C4 \JNZ SHORT 004C9A58
004C9A94 |> 5E POP ESI
004C9A95 |. 5F POP EDI
004C9A96 |> 5B POP EBX
004C9A97 |. 33C0 XOR EAX,EAX
004C9A99 |. C3 RETN
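The constant search that question 3 describes, as an added example that is not part of the original post: it looks for groups of well-known 32-bit constants and only reports a group when its members sit close together. The signature list, the names `SIGNATURES`, `offsets` and `scan`, and the 256-byte window are assumptions for illustration; `LOOP_BYTES` is the hex column of 004C9A58 to 004C9A82 from the listing above, whose 7EFEFEFF / 81010100 pair is the one used by word-at-a-time zero-byte tests in string routines.

```python
import struct

# Constructed signature list (an assumption for illustration): little-endian
# 32-bit constants that tend to identify a routine when they occur together.
SIGNATURES = {
    "MD5/SHA-1 initial state": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "SHA-1 fifth state word": [0xC3D2E1F0],
    "CRC-32 reflected polynomial": [0xEDB88320],
    "word-at-a-time zero-byte test": [0x7EFEFEFF, 0x81010100],
}

def offsets(data, value):
    """All offsets at which the 32-bit little-endian constant occurs."""
    needle = struct.pack("<I", value)
    found, pos = [], data.find(needle)
    while pos >= 0:
        found.append(pos)
        pos = data.find(needle, pos + 1)
    return found

def scan(data, window=256):
    """Map label -> offsets when every constant of a signature lies within
    `window` bytes of the first one; a lone chance match is not reported
    for multi-constant signatures."""
    hits = {}
    for label, (first, *rest) in SIGNATURES.items():
        for base in offsets(data, first):
            near = []
            for value in rest:
                close = [o for o in offsets(data, value) if abs(o - base) <= window]
                if not close:
                    break
                near.append(close[0])
            else:
                hits[label] = [base] + near
                break
    return hits

# Hex column of 004C9A58..004C9A82 from the listing above.
LOOP_BYTES = bytes.fromhex(
    "8B0A BFFFFEFE7E 8BC1 8BF7 33CB 03F0 03F9 83F1FF 83F0FF"
    " 33CF 33C6 83C204 81E100010181 751C 2500010181"
)

if __name__ == "__main__":
    for label, offs in scan(LOOP_BYTES).items():
        print(label, [hex(0x004C9A58 + o) for o in offs])
```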
