Log in

View Full Version : IDC Help

LaptoniC
October 10th, 2003, 09:40
I have came accross interesting target.It has SMC inside.Before running "critical" functions it decrypts code blocks like below.
Code:


loc_5A3ADE:

	mov	ebx, offset unk_5A3C46

	mov	eax, 5A7A5067h

	mov	ecx, 138h



loc_5A3AF0:

	xor	[ebx], al

	ror	eax, 2

	dec	ebx

	xor	eax, 0EA92B810h

	add	eax, 4A87A691h

	xor	eax, 4AF2A30Dh

	add	eax, 2FBAA063h

	rol	eax, 12h

	loop	loc_5A3AF0

I have decrypted by simple program and pasted to dissambly; but I gone further and tried to make idc script.
I am not familiar with IDC scripting.I have searched the board and found some examples.Here is what I did but it didnt worked
My error I guess related to rol and ror.

Code:


#include <idc.idc>

#define ROTL(x,s) ((x)<<(s) | (x)>>(32-(s)))

#define ROTR(x,s) ((x)>>(s) | (x)<<(32-(s)))



static main(void) {

  auto from,i,size,Key,temp;

  size=0x138;

  Key=0x5A7A5067; 

  from =0x5A3C46; 



for (i=0;i<size;i++)

{

temp = (Byte(from) ^ Key);

PatchByte(from,temp);

Key=ROTR(Key,2);

from=from-1;

Key=Key ^ 0xEA92B810;

Key=Key + 0x4A87A691;

Key=Key ^ 0x4AF2A30D;

Key=Key + 0x2FBAA063;

Key=ROTL(Key,0x12);

//Message("Decrypted %x \n",temp);

}	  

}
ZaiRoN
October 10th, 2003, 16:26
Hi LaptoniC,
your script seems to be ok and also the rol and ror functions are ok...

ZaiRoN
LaptoniC
October 11th, 2003, 05:16
Script gives wrongly calculates some values.I have made simple package to show this.Download httx://mrstop.host.sk/idctest.zip It includes this routine,my idc script and correctly decrypted code block.If some one shows my error I will appreciate.Thanks
ZaiRoN
October 11th, 2003, 12:49
Hi LaptoniC,
the problem was related to Ror and Rol functions, exactly with '>>' operator that fills the new left bits with value 1.
These Ror and Rol procedures should work for you:
Code:
static ROTL(x, s)

{

   auto i, cf;

	

   for (i=0;i<s;i++)

   {

      cf = x & 0x80000000;  // cf takes the most left bit

      x = x << 1;           // it fills the new right bit with value 0

      if (cf) x = x | 1;    // if cf is 1 I have to insert it on the most right bit

   }

   return x; 

}



static ROTR(x, s)

{

   auto i, cf;

	

   for (i=0;i<s;i++)

   {

      cf = x & 0x00000001;          // cf takes the most right bit

      x = x >> 1;                   // it fills the new left bit with value 1

      if (cf)   x = x | 0x80000000; // you can remove this because it's already 1

      else   x = x & 0x7FFFFFFF;    // if cf is 0 I have to insert it on the most left bit

   }

   return x; 

}


Ciao,
ZaiRoN
LaptoniC
October 12th, 2003, 06:41
Thanks for the fix and detailed explanation.Best Regards