IDC Help


LaptoniC
October 10th, 2003, 09:40
I have come across an interesting target. It has SMC inside. Before running "critical" functions it decrypts code blocks like the one below.
Code:

loc_5A3ADE:
mov ebx, offset unk_5A3C46
mov eax, 5A7A5067h
mov ecx, 138h

loc_5A3AF0:
xor [ebx], al
ror eax, 2
dec ebx
xor eax, 0EA92B810h
add eax, 4A87A691h
xor eax, 4AF2A30Dh
add eax, 2FBAA063h
rol eax, 12h
loop loc_5A3AF0

I decrypted it with a simple program and pasted the result into the disassembly, but I went further and tried to write an IDC script.
I am not familiar with IDC scripting. I searched the board and found some examples. Here is what I did, but it didn't work.
I guess my error is related to rol and ror.

Code:

#include <idc.idc>
#define ROTL(x,s) ((x)<<(s) | (x)>>(32-(s)))
#define ROTR(x,s) ((x)>>(s) | (x)<<(32-(s)))

static main(void) {
    auto from,i,size,Key,temp;
    size=0x138;
    Key=0x5A7A5067;
    from =0x5A3C46;

    for (i=0;i<size;i++)
    {
        temp = (Byte(from) ^ Key);
        PatchByte(from,temp);
        Key=ROTR(Key,2);
        from=from-1;
        Key=Key ^ 0xEA92B810;
        Key=Key + 0x4A87A691;
        Key=Key ^ 0x4AF2A30D;
        Key=Key + 0x2FBAA063;
        Key=ROTL(Key,0x12);
        //Message("Decrypted %x \n",temp);
    }
}

ZaiRoN
October 10th, 2003, 16:26
Hi LaptoniC,
your script seems to be OK, and the rol and ror functions are OK as well...

ZaiRoN

LaptoniC
October 11th, 2003, 05:16
The script calculates some values wrongly. I have made a simple package to show this. Download httx://mrstop.host.sk/idctest.zip. It includes this routine, my IDC script and the correctly decrypted code block. If someone shows me my error I will appreciate it. Thanks

ZaiRoN
October 11th, 2003, 12:49
Hi LaptoniC,
the problem was related to the Ror and Rol functions, specifically to the '>>' operator, which fills the new left bits with the value 1.
These Ror and Rol procedures should work for you:
Code:
static ROTL(x, s)
{
    auto i, cf;

    for (i=0;i<s;i++)
    {
        cf = x & 0x80000000;   // cf takes the leftmost bit
        x = x << 1;            // the new rightmost bit is filled with 0
        if (cf) x = x | 1;     // if cf is 1 I have to insert it at the rightmost bit
    }
    return x;
}

static ROTR(x, s)
{
    auto i, cf;

    for (i=0;i<s;i++)
    {
        cf = x & 0x00000001;          // cf takes the rightmost bit
        x = x >> 1;                   // IDC '>>' is an arithmetic shift: the new leftmost bit copies the old sign bit
        if (cf) x = x | 0x80000000;   // cf is 1: set the leftmost bit (needed when the old sign bit was 0)
        else x = x & 0x7FFFFFFF;      // cf is 0: the shift may have filled it with 1, so clear it
    }
    return x;
}


Ciao,
ZaiRoN
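
The routine under discussion and the shift pitfall ZaiRoN describes, as an added Python example that is not part of the original thread or of either poster's scripts. It re-implements the key schedule from the loop at loc_5A3AF0 with proper 32-bit rotations, models the original #define macros evaluated with a sign-extending '>>' (what a signed 32-bit interpreter does, which is how the IDC macros misbehaved), and XORs a constructed sample buffer backwards the way the 'xor [ebx], al / dec ebx' loop does. The function names (rotl32, rotr32_arith, next_key, key_schedule, first_key_divergence, xor_block) and the sample bytes are my own assumptions; the constants are the ones from the disassembly.

```python
"""Added example, not code from the thread: LaptoniC's SMC decryption loop
re-implemented with correct 32-bit rotations, plus a model of the
sign-extending '>>' that ZaiRoN identified as the reason the #define
macros in the first script went wrong."""

MASK32 = 0xFFFFFFFF

# Constants copied from the disassembly at loc_5A3ADE / loc_5A3AF0.
INITIAL_KEY = 0x5A7A5067
BLOCK_SIZE = 0x138


def rotl32(x, s):
    """Rotate a 32-bit value left by s bits, exactly as the CPU's rol does."""
    s %= 32
    return ((x << s) | (x >> (32 - s))) & MASK32


def rotr32(x, s):
    """Rotate a 32-bit value right by s bits, exactly as the CPU's ror does."""
    s %= 32
    return ((x >> s) | (x << (32 - s))) & MASK32


def _signed32(x):
    """Reinterpret a 32-bit pattern as a signed integer, like IDC's native int."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def rotl32_arith(x, s):
    """The original ROTL macro evaluated with a signed '>>'. Python's '>>' on a
    negative int is arithmetic (sign-filling), which models the IDC behaviour."""
    xs = _signed32(x)
    return ((xs << s) | (xs >> (32 - s))) & MASK32


def rotr32_arith(x, s):
    """The original ROTR macro evaluated with a signed '>>' (sign-filling)."""
    xs = _signed32(x)
    return ((xs >> s) | (xs << (32 - s))) & MASK32


def next_key(key, rotl=rotl32, rotr=rotr32):
    """One pass of the key update that follows 'xor [ebx], al' in the loop."""
    key = rotr(key, 2)
    key ^= 0xEA92B810
    key = (key + 0x4A87A691) & MASK32
    key ^= 0x4AF2A30D
    key = (key + 0x2FBAA063) & MASK32
    return rotl(key, 0x12)


def key_schedule(count, key=INITIAL_KEY, rotl=rotl32, rotr=rotr32):
    """First `count` key values; byte i of the keystream is keys[i] & 0xFF (al)."""
    keys = []
    for _ in range(count):
        keys.append(key)
        key = next_key(key, rotl, rotr)
    return keys


def first_key_divergence(count):
    """Index of the first 32-bit key where the sign-extending macros disagree
    with true rotation, or -1 if they agree for `count` iterations."""
    good = key_schedule(count)
    bad = key_schedule(count, rotl=rotl32_arith, rotr=rotr32_arith)
    for i, (g, b) in enumerate(zip(good, bad)):
        if g != b:
            return i
    return -1


def xor_block(buf, start, count, key=INITIAL_KEY, rotl=rotl32, rotr=rotr32):
    """Apply the loop to a copy of `buf`: begin at index `start` and walk
    backwards (dec ebx), XORing each byte with the low byte of the key (al).
    XOR is symmetric, so the same call both encrypts and decrypts."""
    out = bytearray(buf)
    for i, k in enumerate(key_schedule(count, key, rotl, rotr)):
        out[start - i] ^= k & 0xFF
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample buffer, not bytes from the target.
    plain = bytes((i * 7 + 3) & 0xFF for i in range(BLOCK_SIZE + 16))
    cipher = xor_block(plain, BLOCK_SIZE + 7, BLOCK_SIZE)
    assert xor_block(cipher, BLOCK_SIZE + 7, BLOCK_SIZE) == plain
    print("first 32-bit key where the signed-shift macros diverge:",
          first_key_divergence(BLOCK_SIZE))
```

Running it shows the macro version already yields a wrong 32-bit key at the very first update: the value reaching rol after the last add has its top bit set, so the arithmetic '>>' inside the ROTL macro fills the 14 vacated bits with ones. The low byte that feeds 'xor [ebx], al' still matches at that step, so the damage only surfaces in later bytes, which is consistent with some rather than all decrypted values coming out wrong.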

LaptoniC
October 12th, 2003, 06:41
Thanks for the fix and the detailed explanation. Best regards