Breaking a challenge / response algo

ShCiPwA
April 3rd, 2005, 03:04
Hi, I am currently trying to recreate a program used to open up a firewall using a username and password. The problem is not the login details, but the program. It is large and intrusive, and requires that you be logged in to access the resources of the servers. This is quite a hassle to have to open it up every time you want to use it. It would be much easier if the program would sit down in your system tray and penetrate the firewall with a valid login, but leave the accessing of resources to better programs.

That is simply what I want to create. Logins can be created freely, but there is a built-in challenge/response code, similar to a name / serial key generation, done by the program. For example:

1
Challenge: "fqzzywoevmzrzzlg"
Response: "riejkhfsmlv"

2
Challenge: "jzlvypwkqewaoith"
Response: "uilsqhrpenb"

These are 2 examples of the server sending a challenge and the program responding with an authentication code. I have been working on reverse engineering the algo from the asm code, but it is quite complex and I have only been learning asm for a few days. The task seems beyond me. I have narrowed it down to about 50 lines of asm where the manipulation is done, that I am sure of. But I can't seem to make sense of what the code does.

I was wondering if:
A: There is a mathematical process to derive the algo?
or
B: There is some sort of translator to make the asm more understandable, e.g. to pseudo(spelling) code or a C-like layout?
I am quite experienced in a lot of higher level languages, and just can't make the connection.

If there is some nice person who is fluent in asm that could have a quick breeze through the code to tell me where I should be heading / make some sense of it / tell me if it's too big a task, I will attach the asm that does the calc.

Any input on the subject would be useful.


Thanks, ShCiPwA

MrAnonymous
April 3rd, 2005, 04:22
Quote:
[Originally Posted by ShCiPwA]
A: There is a mathematical process to derive the algo?

Without looking really closely, yes. The algo doesn't look extremely hard; you may benefit from opening it in OllyDBG and seeing the algo in action instead of a dead listing.

Quote:
[Originally Posted by ShCiPwA]
B: There is some sort of translator to make the asm more understandable, e.g. to pseudo(spelling) code or a C-like layout?
I am quite experienced in a lot of higher level languages, and just can't make the connection.

Nope.

blabberer
April 3rd, 2005, 04:33
well there are a lot of loose ends in that snippet. get a decent debugger
(I would say ollydbg) and set a breakpoint on the receive and trace
through and observe live.
for example the first memset:

Quote:
.text:00422838 push edi <<<< no of bytes to be set
.text:00422839 lea eax, [ebp-2C4h]
.text:0042283F push ebx <<< char to be set
.text:00422840 push eax <<< pointer to buffer that is set
.text:00422841 call memset


0012FFB8 0012FD2C |s = 0012FD2C <<< pointer to buffer start is set
0012FFBC 00000000 |c = 00 <<< char to be set
0012FFC0 00000010 \n = 10 (16.) <<< no of bytes to be set

another example

0012FFB8 0012FD2C |s = 0012FD2C
0012FFBC 00000041 |c = 41 ('A') << i wanna set with A
0012FFC0 00000010 \n = 10 (16.)
before execution
0012FD2C 01 00 00 00 17 00 01 00 00 00 00 00 00 00 00 00
.............

after execution
0012FD2C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................

second example result
0012FD2C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
AAAAAAAAAAAAAA


now next three lines

movsx eax, byte ptr [ebp-1C2h] < moves a signed byte from buffer to eax
movsx ecx, byte ptr [ebp-1C0h] < moves another sdbyte from buffer to ecx
imul eax, ecx < multiplies eax with ecx and the result will be in eax

so if the first byte was A (41h) and the second byte was also A (41h),
after execution of these three instructions eax will be 00001081.
but instead of 41, if the first byte was 81h, eax will be
FFFFDFC1 === (-7fh * +41h), i.e. (100 - 81) = 7f and signed, and so on

now next lines

mov dword_486400, eax < so the result will now be stored into
some buffer that is pointed to by 486400
mov al, [ebp-1C4h] < moves one more byte from the earlier buffer to al
add esp, 0Ch < the compiler has balanced the memset stack here
cmp al, bl < we know bl will be pointing to the char that was used
for filling the memset buffer
jz short loc_4228B0 < if it was the same this jump will be taken
( we can safely assume from this that bl should be 0 and the buffer
was set with 0 and it now checks for 0 )


assuming the jz was taken

we skip what continues and jump back to
.text:004228B0 lea eax, [ebp-1C4h] < takes the address of the buffer into eax
.text:004228B6 mov [ebp-14h], ebx < since we assumed 0 for ebx earlier we can safely assume it is putting a null terminator on the string in the buffer
.text:004228B9 push eax <--- pushes the string
.text:004228BA call strlen <--- and the string's length is calculated here

.text:004228BF cmp eax, ebx <-- ebx = 0 so it checks if strlen == 0
.text:004228C1 pop ecx < stack balance for the strlen argument
.text:004228C2 jle short loc_422902 < if it was 0 or less than 0 this
jump is taken
lea ecx, [ebp-1C4h] < takes the buffer address
.text:004228CA dec ecx < reduces the buffer address by one
.text:004228CB mov [ebp-1Ch], ecx < stored for future reference

and so on and on

btw this has nothing to do with cryptography, try to post in the relevant
sections or you may face the wrath of oops
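A C-like rendering of the lines walked through above, as an added example (not code from the program or from any poster in this thread). The struct and field names are hypothetical; it assumes, as the trace does, that bl/ebx hold 0, that the string buffer lives at ebp-1C4h (so [ebp-1C2h] is its byte 2 and [ebp-1C0h] its byte 4), and it stops where the listing stops.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* movsx eax, byte ptr [ebp-1C2h]; movsx ecx, byte ptr [ebp-1C0h]; imul eax, ecx */
uint32_t movsx_imul(uint8_t b1, uint8_t b2)
{
    int32_t eax = (int8_t)b1;      /* movsx: 0x81 sign-extends to -0x7F, not +0x81 */
    int32_t ecx = (int8_t)b2;
    return (uint32_t)(eax * ecx);  /* imul keeps the low 32 bits of the signed product */
}

/* Hypothetical model of the stack frame / global state the listing touches. */
struct frame {
    uint8_t   zeroed[16];    /* buffer at ebp-2C4h after memset(buf, bl, edi) */
    uint32_t  dword_486400;  /* written by mov dword_486400, eax */
    int       jz_taken;      /* cmp al, bl / jz short loc_4228B0 */
    int       jle_taken;     /* cmp eax, ebx / jle short loc_422902 */
    ptrdiff_t ebp_1Ch;       /* [ebp-1Ch] as an offset from the string buffer; -1 after dec ecx */
};

/* loc_4228B0: null-terminate via [ebp-14h], strlen the buffer, branch on the length. */
struct frame loc_4228B0(struct frame f, const char *str)
{
    size_t len = strlen(str);              /* push eax / call strlen / pop ecx */
    f.jle_taken = (len == 0);              /* eax <= ebx, with ebx == 0 */
    f.ebp_1Ch = f.jle_taken ? 0 : -1;      /* lea ecx,[ebp-1C4h]; dec ecx; mov [ebp-1Ch],ecx */
    return f;
}

/* The fragment from the memset to the strlen branch. str models the buffer at
 * ebp-1C4h; it must hold at least 5 bytes and be NUL-terminated. */
struct frame trace_fragment(const uint8_t *str)
{
    struct frame f = {0};
    memset(f.zeroed, 0, sizeof f.zeroed);          /* push edi(10h); push ebx(0); push eax; call memset */
    f.dword_486400 = movsx_imul(str[2], str[4]);   /* movsx / movsx / imul, then mov dword_486400, eax */
    f.jz_taken = (str[0] == 0);                    /* mov al,[ebp-1C4h]; cmp al,bl; jz */
    if (!f.jz_taken)
        return f;              /* the fall-through code is not in the posted listing */
    /* Reaching loc_4228B0 via the jz means str[0] == 0, so strlen is 0 and jle is taken. */
    return loc_4228B0(f, (const char *)str);
}
```

Note that with only the posted lines, the jz path always ends in the jle being taken; the dec ecx path can only be reached through the code the listing leaves out.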

ShCiPwA
April 3rd, 2005, 07:58
Thank you so much for your help, it's all starting to make sense now. I think I need to hit the tuts again and get a bit more asm knowledge to get going again. But it doesn't look so much like Japanese now.

Just another quick question

[ebp-1C2h], is that just saying "get the data at 1C2 bytes ahead of the stack"?

Thanks again for all your help

naides
April 3rd, 2005, 09:35
Quote:
[Originally Posted by ShCiPwA]
Just another quick question

[ebp-1C2h], is that just saying "get the data at 1C2 bytes ahead of the stack"?

Thanks again for all your help

It depends on the instruction context:

For instance:

mov eax, [ebp-1C2h]
eax gets the 4 bytes located 1C2 bytes below (ahead) of the stack base pointer ebp.

but in other situations it may mean something else