markh51
November 15th, 2005, 07:35
I am working on reversing a home-cooked encryption routine which takes an 8-byte device ID to generate an 8-byte password. I am trying to create a utility so I can enter the device ID to generate the password.
This is what I have so far:
ID: B8 54 24 02 17 00 00 00
The first part of the routine takes the ID and XORs each byte like this:
XOR B8, 3A = 82
XOR 54, E5 = B1
XOR 24, 3A = 1E
XOR 02, E5 = E7
XOR 17, 3A = 2D
XOR 00, E5 = E5
XOR 00, 3A = 3A
XOR 00, E5 = E5
So the encrypted ID is: 82 B1 1E E7 2D E5 3A E5
The first 4 bytes (82 B1 1E E7) are MOV'd into EAX, then PUSH'd, then a call to 0045D160 (posted below) is made. When this sub returns, EAX contains the first 4 bytes of the password. The sub is then called again, this time with the second part of the ID, to generate the last part of the password.
The generated password is: BB 9F 65 97 8F EB 0D 45
Code:
.text:0045D160 var_4 = dword ptr -4           ; local copy of the remaining byte count
.text:0045D160 arg_0 = dword ptr 8            ; 32-bit running value: seed on entry, result on return
.text:0045D160 arg_4 = dword ptr 0Ch          ; pointer to the input bytes
.text:0045D160 arg_8 = dword ptr 10h          ; number of input bytes to process
.text:0045D160
.text:0045D160 push ebp
.text:0045D161 mov ebp, esp
.text:0045D163 sub esp, 4
.text:0045D166 push ebx
.text:0045D167 push esi
.text:0045D168 push edi
.text:0045D169
.text:0045D169 loc_45D169: ; CODE XREF: sub_45D160+46j
.text:0045D169 mov eax, [ebp+arg_8]
.text:0045D16C mov [ebp+var_4], eax           ; var_4 = count (old value)
.text:0045D16F dec [ebp+arg_8]                ; count-- (the old value is what gets tested)
.text:0045D172 cmp [ebp+var_4], 0
.text:0045D176 jz loc_45D1AB                  ; no bytes left: leave the loop
.text:0045D17C mov eax, [ebp+arg_4]
.text:0045D17F xor ecx, ecx
.text:0045D181 mov cl, [eax]                  ; ecx = next input byte (zero-extended)
.text:0045D183 mov eax, [ebp+arg_0]
.text:0045D186 shr eax, 18h                   ; eax = top byte of the running value
.text:0045D189 xor ecx, eax
.text:0045D18B and ecx, 0FFh                  ; index = (byte ^ (value >> 24)) & 0FFh
.text:0045D191 mov eax, dword_47E348[ecx*4]   ; eax = entry [index] of a 256-dword table at 47E348
.text:0045D198 mov ecx, [ebp+arg_0]
.text:0045D19B shl ecx, 8                     ; ecx = value << 8 (top byte falls off)
.text:0045D19E xor eax, ecx
.text:0045D1A0 mov [ebp+arg_0], eax           ; value = table[index] ^ (value << 8)
.text:0045D1A3 inc [ebp+arg_4]                ; advance the input pointer by one byte
.text:0045D1A6 jmp loc_45D169
.text:0045D1AB ; ---------------------------------------------------------------------------
.text:0045D1AB
.text:0045D1AB loc_45D1AB: ; CODE XREF: sub_45D160+16j
.text:0045D1AB mov eax, [ebp+arg_0]           ; return the final running value in EAX
.text:0045D1AE jmp $+5                        ; jumps to the next instruction (no-op)
.text:0045D1B3 pop edi
.text:0045D1B4 pop esi
.text:0045D1B5 pop ebx
.text:0045D1B6 leave
.text:0045D1B7 retn
.text:0045D1B7 sub_45D160 endp
Can anyone tell me what is going on in the above sub ?
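The loop in sub_45D160 has exactly the shape of the standard MSB-first (non-reflected) table-driven CRC update, value = table[((value >> 24) ^ byte) & 0xFF] ^ (value << 8), run arg_8 times over the bytes at arg_4 with arg_0 as the starting value. The Python below is an added example, not code from the post: it reproduces the 3A/E5 XOR pre-step and emulates the loop bit-exactly against a 32-bit register. The contents of dword_47E348 are not in the post, so the table is generated here from the CRC-32 polynomial 0x04C11DB7 purely as an assumption. For an MSB-first table, entry [1] is the polynomial itself, so reading the dword at 47E348+4 in the debugger is the quickest way to see which polynomial (if any) the real table uses, and dumping all 256 entries and comparing them with make_msb_table() confirms it. The sanity check with seed 0xFFFFFFFF over "123456789" returns the catalogue CRC-32/MPEG-2 value 0x0376E6E7, which only shows the emulation is right; reproducing BB 9F 65 97 needs the real table and the real arg_4/arg_8 the caller passes, which the post does not show. One caveat when trying hypotheses: a 32-bit load of the bytes 82 B1 1E E7 from memory puts 0xE71EB182 in EAX, since x86 is little-endian.

```python
# Added example, not the poster's code. Emulates sub_45D160 as a 32-bit
# MSB-first table-driven CRC update and shows how to check the table used.

MASK32 = 0xFFFFFFFF

# Pre-step from the post: alternating XOR keys 3A / E5 over the 8-byte ID.
XOR_KEYS = (0x3A, 0xE5)


def xor_id(device_id: bytes) -> bytes:
    """XOR each ID byte with 3A, E5, 3A, E5, ... as the post describes."""
    return bytes(b ^ XOR_KEYS[i % 2] for i, b in enumerate(device_id))


def make_msb_table(poly: int) -> list:
    """Build a 256-entry MSB-first (non-reflected) CRC-32 table for poly.
    ASSUMPTION: dword_47E348 was built this way; the post does not dump it."""
    table = []
    for i in range(256):
        crc = i << 24
        for _ in range(8):
            if crc & 0x80000000:
                crc = ((crc << 1) ^ poly) & MASK32
            else:
                crc = (crc << 1) & MASK32
        table.append(crc)
    return table


def sub_45d160(arg_0: int, data: bytes, arg_8: int, table: list) -> int:
    """Bit-exact emulation of the loop at 0045D169..0045D1A6.

    arg_0: 32-bit running value (the seed the caller pushes)
    data:  the bytes at arg_4
    arg_8: iteration count; the old count is tested for zero, then decremented
    table: 256 dwords standing in for dword_47E348
    """
    value = arg_0 & MASK32
    ptr = 0
    count = arg_8
    while True:
        old = count                                   # mov var_4, arg_8
        count -= 1                                    # dec arg_8
        if old == 0:                                  # cmp var_4, 0 / jz
            return value                              # mov eax, arg_0
        idx = (data[ptr] ^ (value >> 24)) & 0xFF      # mov cl,[eax]; shr eax,18h; xor; and
        value = table[idx] ^ ((value << 8) & MASK32)  # table[idx] ^ (value << 8)
        ptr += 1                                      # inc arg_4


def table_polynomial(table: list) -> int:
    """For an MSB-first table entry 1 is the polynomial: 0x01000000 shifted
    left 8 times leaves 0 ^ poly. Compare the dword at 47E348+4 to this."""
    return table[1]


# Inputs taken from the post.
DEVICE_ID = bytes.fromhex("B854240217000000")
ENCRYPTED_ID = bytes.fromhex("82B11EE72DE53AE5")

# ASSUMPTION: standard CRC-32 polynomial; swap in the value dumped from the table.
ASSUMED_POLY = 0x04C11DB7
TABLE = make_msb_table(ASSUMED_POLY)


def crc32_mpeg2_check() -> int:
    """Sanity check of the emulation: CRC-32/MPEG-2 (poly 04C11DB7, init
    FFFFFFFF, no reflection, no final XOR) over b'123456789' is 0x0376E6E7."""
    return sub_45d160(0xFFFFFFFF, b"123456789", 9, TABLE)


def first_half_candidate() -> int:
    """Template for testing a hypothesis against BB 9F 65 97: seed with the
    first 4 encrypted bytes as a little-endian dword load would put them in
    EAX (0xE71EB182) and run the remaining 4 bytes through the assumed table.
    The real caller arguments are not in the post, so treat this as a guess."""
    seed = int.from_bytes(ENCRYPTED_ID[:4], "little")
    return sub_45d160(seed, ENCRYPTED_ID[4:], 4, TABLE)


if __name__ == "__main__":
    assert xor_id(DEVICE_ID) == ENCRYPTED_ID
    print("poly from table[1]:   %08X" % table_polynomial(TABLE))
    print("CRC-32/MPEG-2 check:  %08X" % crc32_mpeg2_check())
    print("candidate first half: %08X" % first_half_candidate())
```

To use it against the real binary, dump the 1024 bytes at 47E348, unpack them as little-endian dwords, and pass that list as `table`; if `table_polynomial()` of the dumped list is a known CRC polynomial, `make_msb_table()` of it should reproduce the dump entry for entry.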