
What is it doing?


neemous
June 11th, 2003, 23:26
I'm not quite understanding what this function does. It seems to be doing a lot of math to me, but it seems to have no context. It's in a dongle-protected program. It gets called many times, sometimes before and after calls to the dongle; other times it seems unrelated to the dongle APIs. Its input is usually a large number, not always. The input isn't any return from the dongle/emulator as far as I can tell, and when it returns, it sets a flag (I think) but no real decisions are made. The program just continues on its way, checking the dongle more:

MOV EAX,[ECX+04]      ; usually a big number like A03982E0
MOV ECX,EAX
MOV EDX,EAX
XOR ECX,00016000
XOR EDX,00000680
SAR ECX,0C            ; = FFFA038E .. I don't really understand shift instructions
AND ECX,3F
SAR EDX,06
SHL ECX,06
AND EDX,3F
ADD ECX,EDX
MOV EDX,EAX
XOR EDX,-13
XOR EAX,00700000
SHL ECX,06
AND EDX,3F
SAR EAX,12
ADD ECX,EDX
AND EAX,3F
SHL ECX,06
NEG EAX
SUB EAX,ECX
AND EAX,00FFFFFF
RET

Then it will return to something like:

SUB EAX,EDI           ; in this case EAX is now 00C6ECAE
MOV ECX,[ESP+14]
MOV [ESI+1C],EAX
XOR EAX,EAX
CMP EDI,EBP
MOV [ESI+14],EBP
SETZ AL
MOV [ESI+10],EAX
MOV EAX,ESI
POP EDI
POP ESI
POP EBP
POP EBX
MOV FS:[00000000],ECX ; what is this?
ADD ESP,10
RET 0004

Can anyone give me a clue what this program is doing
and why it does it so many times?

Thanks, n

naides
June 12th, 2003, 09:09
[QUOTE]Originally posted by neemous
I'm not quite understanding what this function does. It seems to be doing a lot of math to me, but it seems to have no context. It's in a dongle-protected program. It gets called many times, sometimes before and after calls to the dongle; other times it seems unrelated to the dongle APIs. Its input is usually a large number, not always. The input isn't any return from the dongle/emulator as far as I can tell, and when it returns, it sets a flag (I think) but no real decisions are made. The program just continues on its way, checking the dongle more:

I MAY NOT BE ABLE TO TELL YOU EXACTLY WHAT IS GOING ON, BUT I MAY TAKE YOU CLOSER. MIKE, FROM THE CRYPTO BOARD, MAY HAVE A BETTER IDEA WHAT ALL THIS MEANS.


MOV EAX,[ECX+04]      ; usually a big number like A03982E0
MOV ECX,EAX           ; MAKE COPIES OF YOUR NUMBER (HEREON N) TO ECX
MOV EDX,EAX           ; AND EDX
XOR ECX,00016000      ; NOW PROCESS N WITH A XOR INSTRUCTION
XOR EDX,00000680
SAR ECX,0C            ; = FFFA038E .. I don't really understand shift instructions ; BITWISE SHIFT TO THE RIGHT h0C TIMES, KEEPING THE SIGN BIT
AND ECX,3F            ; LOOK UP THESE OPS ON AN ASSEMBLY REFERENCE SITE
SAR EDX,06
SHL ECX,06
AND EDX,3F
ADD ECX,EDX
MOV EDX,EAX
XOR EDX,-13
XOR EAX,00700000
SHL ECX,06
AND EDX,3F
SAR EAX,12
ADD ECX,EDX
AND EAX,3F
SHL ECX,06
NEG EAX
SUB EAX,ECX
AND EAX,00FFFFFF
RET

WHAT I THINK IS GOING ON IS THAT THE PROGRAM IS CALCULATING A HASH OF THE NUMBER N, WHICH WAS PASSED IN [ECX+04] AND RETURNS IT IN THE EAX REGISTER

Then it will return to something like:

SUB EAX,EDI           ; in this case EAX is now 00C6ECAE
MOV ECX,[ESP+14]
MOV [ESI+1C],EAX      ; HERE! A COPY OF THE HASH (AFTER BEING SUBTRACTED FROM EDI, ABOVE) IS SAVED IN [ESI+1C]. PUT A BPM ON THIS ADDRESS AND CATCH WHO READS THE PROCESSED HASH
XOR EAX,EAX
CMP EDI,EBP
MOV [ESI+14],EBP
SETZ AL               ; THIS FLAG HAS LITTLE TO DO WITH THE RESULT OF YOUR HASHING PROCEDURE
MOV [ESI+10],EAX      ; BUT THE FLAG GETS STORED NEAR THE PLACE WHERE THE HASH GOT STORED
MOV EAX,ESI
POP EDI
POP ESI
POP EBP
POP EBX
MOV FS:[00000000],ECX ; what is this? ; THIS IS TYPICAL SEH (STRUCTURED EXCEPTION HANDLING) CODE. IN C++, SEH IS USED WHEN YOU try AND catch CODE. LOOK IT UP.
ADD ESP,10
RET 0004

Can anyone give me a clue what this program is doing
and why it does it so many times?

IT IS MY IMPRESSION THAT IT IS HASHING THE DWORD VALUES PASSED TO THE SUBROUTINE, i.e. CALCULATING, GIVEN N,

hash = f(N), WHERE f IS THE HASHING FUNCTION, WHICH IS A NON-REVERSIBLE BITWISE SERIES OF OPERATIONS.

Thanks, n
[/QUOTE]
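As an added example that is not part of the thread (my own reconstruction, not code from neemous, naides or the program under discussion), here is the routine from both listings above modelled in Python. It answers the shift question directly: sar32 reproduces the FFFA038E the poster saw for SAR ECX,0C, and shr32 shows what a logical shift would have given instead. The second function rewrites the same routine in terms of four 6-bit fields of the low 24 bits, which makes visible what the sequence of XOR, SAR, AND, SHL and ADD actually does: each field is XORed with a constant, the fields are moved one slot to the left (the top field wraps to the bottom), and the 24-bit result is negated. The sample input A03982E0 is the value quoted in the post; the model returns C6ECAE for it, which equals the 00C6ECAE shown after SUB EAX,EDI only if EDI happened to be zero on that run (an inference from the listing, not something the page states).

```python
# Added example (not from the thread): a Python model of the 24-bit transform in the
# listing above, plus the SAR vs SHR distinction the poster asked about.
# The sample input 0xA03982E0 is the value quoted in the post.

MASK32 = 0xFFFFFFFF


def sar32(value, count):
    """x86 SAR on a 32-bit value: the sign bit is replicated into the vacated high bits.

    That is why the negative input A038E2E0 comes out as FFFA038E rather than
    000A038E (which SHR, the logical shift, would produce).
    """
    value &= MASK32
    if value & 0x80000000:
        value -= 1 << 32          # reinterpret as a negative Python int
    return (value >> count) & MASK32   # Python's >> on a negative int is arithmetic


def shr32(value, count):
    """x86 SHR on a 32-bit value: vacated high bits are filled with zero."""
    return ((value & MASK32) >> count) & MASK32


def transform(n):
    """Instruction-by-instruction model of the routine; the x86 ops are in the comments.

    Instructions that touch different registers have been grouped by register;
    the data flow is unchanged.
    """
    eax = n & MASK32                          # MOV EAX,[ECX+04]
    ecx = eax ^ 0x00016000                    # MOV ECX,EAX / XOR ECX,00016000
    edx = eax ^ 0x00000680                    # MOV EDX,EAX / XOR EDX,00000680
    ecx = sar32(ecx, 0x0C) & 0x3F             # SAR ECX,0C / AND ECX,3F
    edx = sar32(edx, 0x06) & 0x3F             # SAR EDX,06 / AND EDX,3F
    ecx = (ecx << 6) + edx                    # SHL ECX,06 / ADD ECX,EDX
    edx = (eax ^ (-0x13 & MASK32)) & 0x3F     # MOV EDX,EAX / XOR EDX,-13 / AND EDX,3F
    eax = sar32(eax ^ 0x00700000, 0x12) & 0x3F   # XOR EAX,00700000 / SAR EAX,12 / AND EAX,3F
    ecx = ((ecx << 6) + edx) << 6             # SHL ECX,06 / ADD ECX,EDX / SHL ECX,06
    return (-eax - ecx) & 0x00FFFFFF          # NEG EAX / SUB EAX,ECX / AND EAX,00FFFFFF


def transform_fields(n):
    """The same result written as four 6-bit fields of the low 24 bits of n.

    The XOR constants in the listing shift down to one 6-bit constant per field
    (0xED & 0x3F, 0x680 >> 6, 0x16000 >> 12, 0x700000 >> 18).  The AND 0x3F after each
    shift keeps only those 6 bits, so the sign extension done by SAR never reaches
    the result; that is the reason SAR and SHR would behave identically here.
    """
    f0 = ((n >> 0) & 0x3F) ^ 0x2D
    f1 = ((n >> 6) & 0x3F) ^ 0x1A
    f2 = ((n >> 12) & 0x3F) ^ 0x16
    f3 = ((n >> 18) & 0x3F) ^ 0x1C
    rotated = (f2 << 18) | (f1 << 12) | (f0 << 6) | f3   # each field moves one slot up, f3 wraps to the bottom
    return (-rotated) & 0x00FFFFFF


if __name__ == "__main__":
    n = 0xA03982E0
    print(f"SAR A038E2E0,0C -> {sar32(0xA038E2E0, 0x0C):08X}")   # FFFA038E, as seen in the post
    print(f"SHR A038E2E0,0C -> {shr32(0xA038E2E0, 0x0C):08X}")   # 000A038E
    print(f"transform({n:08X}) -> {transform(n):06X}")
    assert transform(n) == transform_fields(n)
```

Because every step is an XOR with a constant, a relocation of a 6-bit field, or a negation modulo 2^24, the routine is a fixed permutation of the low 24 bits of its input; bits 24 to 31 of the input are discarded by the AND 00FFFFFF at the end. The three store instructions after the RET (the result into [ESI+1C], the SETZ flag into [ESI+10]) are where anything that consumes this value would read it, which is what the BPM suggestion in the reply above is about.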

neemous
June 12th, 2003, 19:04
Thanks naides, informative as always. Not really what I wanted to hear though; I thought this program might be a good one to learn with, as it only calls a few basic dongle APIs. I will look into what's checking the return values of the function. I don't think I'm ready for any crypto adventures though..

Thanks, n