galgal
August 16th, 2010, 14:41
Hey,
I'm working on a project where I need to modify a binary file for some internal debugging. The binary file is verified before being executed, and after doing some reversing I managed to see that the hash is calculated via SHA1, but there's some sort of signature at the end of the file, which is used to verify the hash.
Unfortunately, FindCrypt (IDA plug-in) and Hash and Crypto Detector couldn't detect the algorithm used. After reversing some of the function, it seems to be some sort of key-building function using existing keys.
A. Is anybody familiar with this code, or has anybody seen it in other programs?
B. How would you suggest I proceed?
Below is an example of one of the functions:
Code:
55 push ebp
8B EC mov ebp, esp
53 push ebx
56 push esi
57 push edi
8B 7D 08 mov edi, [ebp+arg_0]
8B 75 0C mov esi, [ebp+arg_4]
8B 5D 10 mov ebx, [ebp+arg_8]
33 C9 xor ecx, ecx
8B 06 mov eax, [esi]
F7 E3 mul ebx
03 C1 add eax, ecx
83 D2 00 adc edx, 0
03 07 add eax, [edi]
83 D2 00 adc edx, 0
89 07 mov [edi], eax
8B CA mov ecx, edx
8B 46 04 mov eax, [esi+4]
F7 E3 mul ebx
03 C1 add eax, ecx
83 D2 00 adc edx, 0
03 47 04 add eax, [edi+4]
83 D2 00 adc edx, 0
89 47 04 mov [edi+4], eax
8B CA mov ecx, edx
8B 46 08 mov eax, [esi+8]
F7 E3 mul ebx
03 C1 add eax, ecx
83 D2 00 adc edx, 0
03 47 08 add eax, [edi+8]
83 D2 00 adc edx, 0
89 47 08 mov [edi+8], eax
8B CA mov ecx, edx
8B 46 0C mov eax, [esi+0Ch]
F7 E3 mul ebx
03 C1 add eax, ecx
83 D2 00 adc edx, 0
03 47 0C add eax, [edi+0Ch]
83 D2 00 adc edx, 0
89 47 0C mov [edi+0Ch], eax
8B CA mov ecx, edx
8B 46 10 mov eax, [esi+10h]
F7 E3 mul ebx
03 C1 add eax, ecx
83 D2 00 adc edx, 0
03 47 10 add eax, [edi+10h]
83 D2 00 adc edx, 0
89 47 10 mov [edi+10h], eax
8B CA mov ecx, edx
8B 46 14 mov eax, [esi+14h]
F7 E3 mul ebx
03 C1 add eax, ecx
83 D2 00 adc edx, 0
03 47 14 add eax, [edi+14h]
83 D2 00 adc edx, 0
89 47 14 mov [edi+14h], eax
8B CA mov ecx, edx
8B 46 18 mov eax, [esi+18h]
F7 E3 mul ebx
03 C1 add eax, ecx
83 D2 00 adc edx, 0
03 47 18 add eax, [edi+18h]
83 D2 00 adc edx, 0
89 47 18 mov [edi+18h], eax
8B CA mov ecx, edx
8B 46 1C mov eax, [esi+1Ch]
F7 E3 mul ebx
03 C1 add eax, ecx
83 D2 00 adc edx, 0
03 47 1C add eax, [edi+1Ch]
83 D2 00 adc edx, 0
89 47 1C mov [edi+1Ch], eax
8B CA mov ecx, edx
8B 46 20 mov eax, [esi+20h]
.....
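The listing above repeats one seven-instruction group per 32-bit word: multiply a source word by a constant, add the running carry and the destination word, store the low half, and keep the high half as the next carry. That is the word-by-word multiply-accumulate that big-integer libraries use as an inner loop. The C below is an added example, not part of the original post. The name `addmul_words`, the word count `n` and the returned carry are assumptions, since the listing is cut off and does not show how many words are processed or what is returned.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* addmul_words is a hypothetical name; the post does not name the routine.
   Computes dst[0..n-1] += src[0..n-1] * k and returns the final carry word.
   arg_0 = dst (edi), arg_4 = src (esi), arg_8 = k (ebx) in the listing.
   n and the return value are assumptions: the listing is truncated. */
uint32_t addmul_words(uint32_t *dst, const uint32_t *src, uint32_t k, size_t n)
{
    uint32_t carry = 0;                      /* xor ecx, ecx */
    for (size_t i = 0; i < n; i++) {         /* unrolled in the listing */
        uint64_t t = (uint64_t)src[i] * k;   /* mov eax,[esi+4i]; mul ebx -> edx:eax */
        t += carry;                          /* add eax, ecx; adc edx, 0 */
        t += dst[i];                         /* add eax,[edi+4i]; adc edx, 0 */
        dst[i] = (uint32_t)t;                /* mov [edi+4i], eax */
        carry = (uint32_t)(t >> 32);         /* mov ecx, edx */
    }
    return carry;                            /* t never overflows 64 bits */
}

/* Constructed input: every word at its maximum, the worst case for carries.
   Returns {dst[0], dst[1], carry}. */
const uint32_t *run_demo(void)
{
    static uint32_t out[3];
    uint32_t dst[2] = { 0xFFFFFFFFu, 0xFFFFFFFFu };
    const uint32_t src[2] = { 0xFFFFFFFFu, 0xFFFFFFFFu };
    out[2] = addmul_words(dst, src, 0xFFFFFFFFu, 2);
    out[0] = dst[0];
    out[1] = dst[1];
    return out;
}

int main(void)
{
    const uint32_t *r = run_demo();
    printf("%08x %08x carry=%08x\n",
           (unsigned)r[0], (unsigned)r[1], (unsigned)r[2]);
    return 0;
}
```

Signature scanners such as FindCrypt match known constants and tables; a routine like this contains none, which is consistent with it going undetected.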