T · E · A · M · 5 · 3          TUTORiALS.PACK.NUMBER.ELEVEN

Analysis of MooGear DV Capture v1.0

Author: GL#0M
Target: MooGear DV Capture v1.0
Tools:  PEiD/OllyDbg/IDA/MASM32

Hello everyone!

It is no secret that there are vanishingly few articles (in Russian) on creating key
generators for programs whose protection is based on cryptographic algorithms... that
fact is what prompted me to write an article devoted to exactly this topic.

I want to warn you right away that I am not going to describe every stage of the
cryptographic algorithm in detail, because plenty of excellent books have been written
about it (for example, "Applied Cryptography" by Bruce Schneier). I advise you to start
by reading them. Also, without experience in analysing software protections and writing
key generators (for simple protections), you will find it hard to make sense of
everything that follows.

The target of our analysis, as PEiD showed, is written in Microsoft Visual C++ 6.0.
That is good, because this compiler generates more compact and more easily recognisable
code, unlike, say, Delphi, whose code is stuffed with tons of unnecessary checks and
with procedures whose nesting depth fills me with horror. It also will not hurt to run
some crypto-signature scanner over our victim. The best one, in my opinion, is KANAL
(a PEiD plugin), so that is the one we will use...
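What a crypto-signature scanner of this kind does, as an added example (it is not KANAL's code and not part of the original article): it searches the file image for the first dwords of a cipher's fixed tables. The two signatures are the opening words of Blowfish's standard P-array and first S-box; the struct, function names and the sample buffer are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* First four dwords of Blowfish's standard initialisation tables
 * (hex digits of the fractional part of pi). */
struct crypto_sig {
    const char *name;
    uint32_t    words[4];
};

static const struct crypto_sig SIGS[] = {
    { "BLOWFISH P-array (PI fraction)",
      { 0x243F6A88u, 0x85A308D3u, 0x13198A2Eu, 0x03707344u } },
    { "BLOWFISH [sbox]",
      { 0xD1310BA6u, 0x98DFB5ACu, 0x2FFD72DBu, 0xD01ADFB7u } },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Serialise four dwords in the requested byte order. */
static void encode_words(const uint32_t w[4], int big_endian, uint8_t out[16])
{
    for (int i = 0; i < 4; i++)
        for (int b = 0; b < 4; b++) {
            int shift = big_endian ? 24 - 8 * b : 8 * b;
            out[4 * i + b] = (uint8_t)(w[i] >> shift);
        }
}

/* Offset of the first occurrence of SIGS[idx] in buf (either byte order),
 * or -1 when the table is absent. Every byte offset is tried because data
 * is not guaranteed to be dword-aligned inside a file image. */
static long find_sig(const uint8_t *buf, size_t len, size_t idx)
{
    uint8_t le[16], be[16];

    if (idx >= NSIGS || len < sizeof le)
        return -1;
    encode_words(SIGS[idx].words, 0, le);
    encode_words(SIGS[idx].words, 1, be);
    for (size_t off = 0; off + sizeof le <= len; off++)
        if (memcmp(buf + off, le, sizeof le) == 0 ||
            memcmp(buf + off, be, sizeof be) == 0)
            return (long)off;
    return -1;
}

/* Constructed sample "image": filler bytes with the P-array prefix stored
 * little-endian at offset 21 and the S-box prefix big-endian at offset 40. */
static void build_sample(uint8_t img[64])
{
    memset(img, 0x90, 64);
    encode_words(SIGS[0].words, 0, img + 21);
    encode_words(SIGS[1].words, 1, img + 40);
}

static long scan_sample(size_t idx)
{
    uint8_t img[64];
    build_sample(img);
    return find_sig(img, sizeof img, idx);
}

/* Same scan over a buffer that contains no table at all. */
static long scan_clean(size_t idx)
{
    uint8_t img[64];
    memset(img, 0x90, sizeof img);
    return find_sig(img, sizeof img, idx);
}

int main(void)
{
    for (size_t i = 0; i < NSIGS; i++)
        printf("%-32s sample: %ld  clean: %ld\n",
               SIGS[i].name, scan_sample(i), scan_clean(i));
    return 0;
}
```

A hit only says the table is present in the file; whether the cipher takes part in the code path of interest still has to be confirmed by analysis, which is the caveat the article raises next.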
Heh, two signatures were found, and both belong to the Blowfish algorithm:

1 - BLOWFISH [sbox]
2 - PI fraction (NIMBUS / BLOWFISH)

In such cases, i.e. when some crypto algorithm is detected, I usually load the file into
IDA straight away and work from the address reported by the analyser towards the
registration procedure, recognising the elements of the crypto algorithm (procedures,
their parameters and variables) along the way and giving them more meaningful names.
But that approach is not always appropriate... For example, the crypto algorithm may not
be used in the key check at all and be there only to intimidate us, or it may be used by
some procedure of the program that has nothing to do with registration. So we will do it
differently, or more precisely the "old-fashioned" way. =)

Run the program and open the registration form. Enter any rubbish in the registration
fields and press "OK". As expected, we entered an invalid serial number and got the
corresponding message:

"You have entered an invalid License Code"

As you can see, this is an ordinary error message and, most likely, it is shown through
a standard function, namely MessageBoxA. So load our target into OllyDbg and set a
breakpoint on this API. When OllyDbg stops, press Ctrl+F9... we are here:

0041AD13  |> FF7424 10      push dword ptr [esp+10h]                ; /Style
0041AD17  |. 50             push eax                                ; |Title
0041AD18  |. FF7424 10      push dword ptr [esp+10h]                ; |Text
0041AD1C  |. 51             push ecx                                ; |hOwner
0041AD1D  |. FF15 30334200  call dword ptr [<&USER32.MessageBoxA>]  ; \MessageBoxA
0041AD23  |. 5E             pop esi
0041AD24  \. C2 0C00        retn 0Ch

This is only the message display procedure... step through the ret:

00409DFF  >  6A 30          push 30h
00409E01  .  68 34B34200    push 0042B334h                  ; "DV Capture"
00409E06  .  68 A0BA4200    push 0042BAA0h                  ; "You have entered an Invalid License Code."
00409E0B  .  8BCD           mov ecx, ebp
00409E0D  .  E8 E30E0100    call _MessageBoxA
00409E12  .  8B4C24 1C      mov ecx, dword ptr [esp+1Ch]    <= we are here

Now let's try to analyse what the program did to check the validity of the entered data.
The IDA disassembler suits this better, so load our target into it and go to the start
of this procedure. From the very first lines we notice the following:

.text:00409A8C    mov     eax, [ecx-8]            ; EAX = length of the entered name
.text:00409A8F    cmp     eax, 1
.text:00409A92    jge     short loc_409AAE
.text:00409A94    push    30h
.text:00409A96    push    offset aDvCapture       ; "DV Capture"
.text:00409A9B    push    offset aYouMustEnterAU  ; "You must enter a User Name before you c"...
.text:00409AA0    mov     ecx, ebp
.text:00409AA2    call    _MessageBoxA

1. The length of the name must be greater than or equal to one.

.text:00409ADA    mov     eax, [esi-8]            ; EAX = length of the entered serial number
.text:00409ADD    cmp     eax, 1
.text:00409AE0    jge     short loc_409AF3
.text:00409AE2    push    30h
.text:00409AE4    push    offset aDvCapture       ; "DV Capture"
.text:00409AE9    push    offset aYouMustEnterAL  ; "You must enter a License Code before yo"...
.text:00409AEE    jmp     loc_409E24

2. The length of the serial number must be greater than or equal to one.

If the previous checks pass, next we see some slightly odd operations on the length of
the serial number, followed by checks, so I will comment on them in more detail:

.text:00409AF3    mov     ecx, eax                ; ECX = length of the entered serial number
.text:00409AF5    and     ecx, 80000001h          ; parity check
.text:00409AFB    jns     short loc_409B02        ; if there is no sign (we cannot have one)
.text:00409AFD    dec     ecx
.text:00409AFE    or      ecx, 0FFFFFFFEh
.text:00409B01    inc     ecx
.text:00409B02
.text:00409B02 loc_409B02:                        ; CODE XREF: sub_409A10+EB j
.text:00409B02    jnz     loc_409E18              ; if not even, go to the error
.text:00409B08    mov     edx, eax                ; EDX = length of the entered serial number
.text:00409B0A    and     edx, 80000007h          ; check for divisibility by eight without remainder
.text:00409B10    jns     short loc_409B17        ; sign check
.text:00409B12    dec     edx
.text:00409B13    or      edx, 0FFFFFFF8h
.text:00409B16    inc     edx
.text:00409B17
.text:00409B17 loc_409B17:                        ; CODE XREF: sub_409A10+100 j
.text:00409B17    jnz     loc_409E18              ; if not divisible, go to the error
.text:00409B1D    cmp     eax, 10h
.text:00409B20    jl      loc_409E18

3. The length of the license code must be even, divisible by 8 and greater than 15.

For example:

User Name:    GL#0M
License Code: 0123456789ABCDEF

If all the conditions are met, then:

.text:00409B41    mov     eax, [esi-8]            ; eax = 16 (length of the license code)
.text:00409B44    cdq
.text:00409B45    sub     eax, edx
.text:00409B47    sar     eax, 1                  ; unsigned division by 2 ;)
.text:00409B49    push    eax                     ; cb   eax = 8
.text:00409B4A    lea     eax, [esp+42Ch+b]
.text:00409B51    push    eax                     ; lpb  eax = pointer to the result buffer
.text:00409B52    push    esi                     ; lps  esi = pointer to the license code
.text:00409B53    call    HexFromHexStr

HexFromHexStr converts the specified part of a string of hexadecimal digits to binary
form. The conversion goes 2 bytes at a time, so the third parameter equals the quotient
of dividing the length of the license code by two.
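
The instruction patterns in the two listings above, written back as C, as an added example that is not part of the original article or of the analysed program: the and/jns/dec/or/inc sequence is how the compiler expands a remainder by a power of two on an int, and cdq/sub/sar is its expansion of a division by two. All function names are hypothetical, and the behaviour of the hex decoder on a non-hex character is an assumption, since the page does not show sub_401E80.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* and r, 80000000h|m / jns done / dec r / or r, ~m / inc r   (m = 2^k - 1)
 * Compiler expansion of the C expression  x % 2^k  on a signed int. */
static int32_t mod_pow2_idiom(int32_t x, uint32_t m)
{
    uint32_t r = (uint32_t)x & (0x80000000u | m);
    if (r & 0x80000000u) {      /* jns not taken: x was negative */
        r -= 1;                 /* dec */
        r |= ~m;                /* or r, 0FFFFFFFEh (m=1) / 0FFFFFFF8h (m=7) */
        r += 1;                 /* inc */
    }
    return (int32_t)r;
}

/* cdq / sub eax, edx / sar eax, 1: halves an int, rounding toward zero
 * like the C expression  x / 2. */
static int32_t half_idiom(int32_t x)
{
    int32_t sign = (x < 0) ? -1 : 0;            /* cdq: edx = 0 or 0FFFFFFFFh */
    int32_t t = x - sign;                       /* sub eax, edx */
    return (t >= 0) ? (t >> 1) : ~((~t) >> 1);  /* sar eax, 1 */
}

/* The three length conditions checked at 00409AF3..00409B20. */
static int license_length_ok(int32_t len)
{
    return mod_pow2_idiom(len, 1) == 0 &&       /* even */
           mod_pow2_idiom(len, 7) == 0 &&       /* multiple of 8 */
           len >= 0x10;                         /* cmp eax, 10h / jl error */
}

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Same argument order as the call site (lps, lpb, cb): writes cb bytes decoded
 * from 2*cb hex digits. Returning -1 on a non-hex character is an assumption. */
static int hex_from_hex_str(const char *lps, uint8_t *lpb, int32_t cb)
{
    for (int32_t i = 0; i < cb; i++) {
        int hi = hex_nibble(lps[2 * i]);
        if (hi < 0)
            return -1;          /* also stops at an early NUL terminator */
        int lo = hex_nibble(lps[2 * i + 1]);
        if (lo < 0)
            return -1;
        lpb[i] = (uint8_t)((hi << 4) | lo);
    }
    return 0;
}

/* 1 when both idioms agree with C's % and / for every x in [-64, 64]. */
static int idioms_match_c_operators(void)
{
    for (int32_t x = -64; x <= 64; x++)
        if (mod_pow2_idiom(x, 1) != x % 2 || mod_pow2_idiom(x, 7) != x % 8 ||
            half_idiom(x) != x / 2)
            return 0;
    return 1;
}

/* Runs the article's sample code "0123456789ABCDEF" through the same steps. */
static int sample_decodes_correctly(void)
{
    static const char code[] = "0123456789ABCDEF";
    static const uint8_t want[8] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF};
    uint8_t b[8];
    int32_t len = (int32_t)strlen(code);

    if (!license_length_ok(len) || half_idiom(len) != 8)
        return 0;
    return hex_from_hex_str(code, b, half_idiom(len)) == 0 &&
           memcmp(b, want, sizeof want) == 0;
}

int main(void)
{
    printf("idioms match C operators: %d\n", idioms_match_c_operators());
    printf("length 16 ok: %d, length 8 ok: %d\n",
           license_length_ok(16), license_length_ok(8));
    printf("sample decodes: %d\n", sample_decodes_correctly());
    return 0;
}
```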

Here is the code of HexFromHexStr:

.text:00401F40    push    ebx
.text:00401F41    mov     ebx, [esp+cb]           ; EBX = length divided by 2
.text:00401F45    push    esi
.text:00401F46    xor     esi, esi
.text:00401F48    test    ebx, ebx
.text:00401F4A    jle     short loc_401F75
.text:00401F4C    push    ebp
.text:00401F4D    mov     ebp, [esp+8+lpb]        ; EBP = pointer to the result buffer
.text:00401F51    push    edi
.text:00401F52    mov     edi, [esp+0Ch+lps]      ; EDI = pointer to the data buffer
.text:00401F56
.text:00401F56 loc_401F56:                        ; CODE XREF: HexFromHexStr+31 j
.text:00401F56    lea     eax, [esp+0Ch+cb]       ; EAX = pointer to the buffer for the result byte
.text:00401F5A    push    eax
.text:00401F5B    push    edi
.text:00401F5C    call    sub_401E80              ; converts two bytes of the string into a hex number
.text:00401F61    mov     cl, byte ptr [esp+14h+cb] ; CL = resulting byte
.text:00401F65    add     esp, 8
.text:00401F68    mov     [esi+ebp], cl           ; store it in the result buffer
.text:00401F6B    inc     esi
.text:00401F6C    add     edi, 2
.text:00401F6F    cmp     esi, ebx
.text:00401F71    jl      short loc_401F56
.text:00401F73    pop     edi
.text:00401F74    pop     ebp
.text:00401F75
.text:00401F75 loc_401F75:                        ; CODE XREF: HexFromHexStr+A j
.text:00401F75    pop     esi
.text:00401F76    pop     ebx
.text:00401F77    retn

Next comes what I actually started all this for, so I will quote some theory from the
book "Applied Cryptography" (Bruce Schneier).

Blowfish is a 64-bit block cipher with a variable-length key. The algorithm consists of
two stages:

1. SetKey - key expansion.
2. Encrypt/Decrypt - encryption/decryption of data.

Key expansion converts a key of up to 56 bytes into several subkey arrays with a total
size of 4168 bytes. Data encryption consists of a simple function executed 16 times in
sequence. Each round consists of a key-dependent permutation and a key- and
data-dependent substitution. Only additions and XORs of double words are used. The only
additional operations in each round are four lookups of data from an indexed array.

Blowfish uses many subkeys.
These are the so-called PBox and SBox arrays. The PBox array consists of 18 subkeys
(double words). Each of the four SBox arrays contains 256 subkeys (double words).

Decryption is performed exactly like encryption, but the PBox subkeys are used in
reverse order.

I think that is enough to understand the code that follows. Now we can recognise
Blowfish without difficulty, all the more so if we arm ourselves with its source
code. ;)

Let's continue...

00409B58  .  68 58100000    push 1058h
00409B5D  .  E8 512E0100    call Alloc
00409B62  .  8BD0           mov edx, eax                    ; edx = pointer to the allocated memory
00409B64  .  83C4 10        add esp, 10h

An odd size... Doesn't it remind you of anything? =) Right! This memory is intended for
the subkey arrays of the expanded key. I will warn you straight away that this memory
allocation need not have been here; it is just a particular case.

Next we can see the way of getting the length of a string that is usual for programs
written in Microsoft Visual C++.

00409B77  .  8D4C24 24      lea ecx, dword ptr [esp+24h]    ; ecx = pointer to the auxiliary buffer
00409B7B  .  83CE FF        or esi, 0FFFFFFFFh
00409B7E  .  51             push ecx                        ; parameter 3
00409B7F  .  BF 48B94200    mov edi, _KEY                   ; edi = "A02DD91A-C700-47b7-82D8-10E68082B4C0"
00409B84  .  8BCE           mov ecx, esi
00409B86  .  33C0           xor eax, eax
00409B88  .  F2:AE          repne scas byte ptr es:[edi]
00409B8A  .  F7D1           not ecx
00409B8C  .  49             dec ecx                         ; string length = 36 ;)
00409B8D  .  895C24 28      mov dword ptr [esp+28h], ebx    ; 1st dword of the auxiliary buffer = ebx = 0
00409B91  .  51             push ecx                        ; parameter 2
00409B92  .  68 48B94200    push _KEY                       ; parameter 1
00409B97  .  8BCA           mov ecx, edx                    ; ecx = pointer to the allocated memory
00409B99  .  895C24 34      mov dword ptr [esp+34h], ebx    ; 2nd dword of the auxiliary buffer = ebx = 0
00409B9D  .  E8 5E74FFFF    call Blowfish_SetKey
00409BA2  .  8BF8           mov edi, eax                    ; edi = pointer to the expanded key

1. A02DD91A-C700-47b7-82D8-10E68082B4C0 is nothing other than the encryption key. ;)
2. The auxiliary buffer is used as a loop counter in this implementation of Blowfish.
3. Blowfish_SetKey is the key-expansion function.

Why did I decide that this is Blowfish_SetKey? Well, naturally I did not pull it out of
thin air. =) I had to step through all of it under the debugger and understand what it
does. There is no other way... although in this case there are a few points that I would
like to highlight:

.text:0040100B    mov     ebx, [esp+54h+keylength] ; EBX = key length
..............
.text:00401011    cmp     ebx, 1
..............
.text:00401028    jnb     short loc_40104F
.text:0040102A    lea     eax, [esp+54h+zerobuf]
.text:0040102E    lea     ecx, [esp+54h+var_44]
.text:00401032    push    eax
.text:00401033    mov     [esp+58h+zerobuf], offset aIncorrectKeyLe ; "Incorrect key length"
.text:0040103B    call    ??0exception@@QAE@ABQBD@Z ; exception::exception(char const * const &)

The error text, "Incorrect key length", immediately gives away the purpose of this
function. Our guess is confirmed by the following code:

0040104F  .  83FB 38        cmp ebx, 38h                    <= compare the key length with 56
00401052  .  76 05          jbe short 00401059h
00401054  .  BB 38000000    mov ebx, 38h

Recall the phrase: "converts a key of up to 56 bytes" ;)

Deep inside the function we can see work with arrays that look painfully like PBox and
SBox. =)

.text:00401078    mov     ecx, 12h                ; "The PBox array consists of 18 subkeys"
.text:0040107D    mov     esi, offset PBox
.text:00401082    mov     edi, edx
.text:00401084    mov     [esp+5Ch+keylength], 12h
.text:0040108C    rep movsd
.text:0040108E    lea     edi, [ebp+58h]
.text:00401091    mov     ecx, 400h               ; "Each of the four SBox arrays contains 256 subkeys"
.text:00401096    mov     esi, offset SBox
.text:0040109B    rep movsd

Inside the function you can also notice two loops that involve a fairly bulky function:
that is Blowfish_Encrypt. The presence of these loops is also mandatory for
Blowfish_SetKey. In short, there is no doubt that this is the key-expansion function.

What next? Next, as you have probably already guessed, comes Blowfish_Encrypt... or
Blowfish_Decrypt? Heh, let's look:

00409BBF  .  53             push ebx                        ; parameter 4 (ebx = 0, mode flag)
00409BC0  .  8D8C24 2C020000 lea ecx, dword ptr [esp+22Ch]  ; ecx = pointer to the license code (binary form)
00409BC7  .  8B42 F8        mov eax, dword ptr [edx-8h]     ; eax = 16 (length of the license code)
00409BCA  .  99             cdq
00409BCB  .  2BC2           sub eax, edx
00409BCD  .  D1F8           sar eax, 1h
00409BCF  .  50             push eax                        ; parameter 3 (eax = 8)
00409BD0  .  8D4424 3C      lea eax, dword ptr [esp+3Ch]    ; eax = pointer to the result buffer
00409BD4  .  50             push eax                        ; parameter 2
00409BD5  .  51             push ecx                        ; parameter 1
00409BD6  .  8BCF           mov ecx, edi                    ; ecx = pointer to the expanded key
00409BD8  .  E8 937FFFFF    call Blowfish_DecryptMode

The input is a pointer to the license code we entered (converted to binary form by the
HexFromHexStr function). Clearly Decrypt. =) Although, of course, it does not hurt to
make sure... (all by analogy with Blowfish_SetKey)

By the way, you may wonder why I named the function Blowfish_DecryptMode and not
Blowfish_Decrypt. Yes, it is indeed a little strange, but there are reasons for it:
Blowfish_DecryptMode is a function that contains several different modes of
Blowfish_Decrypt. The choice is controlled by the 4th parameter of Blowfish_DecryptMode;
in our case it equals 0, which corresponds to the standard mode. I had to figure that
out too. =)

* ATTENTION *
In this particular case everything is practically standard, but there are also more
sophisticated implementations, and there you get nowhere without understanding the code
of the crypto algorithm. Remember THIS!

Well, here we are at the final stage.

00409BF4  .  8B4424 14      mov eax, dword ptr [esp+14h]    ; User Name
00409BF8  .  8B4C24 18      mov ecx, dword ptr [esp+18h]    ; decrypted data
00409BFC  .  50             push eax
00409BFD  .  51             push ecx
00409BFE  .  E8 DD620000    call lstrcmpi
00409C03  .  83C4 08        add esp, 8h
00409C06  .  85C0           test eax, eax
00409C08  .  57             push edi
00409C09  .  75 20          jnz short _WrongSerial

Here we see the entered User Name being compared with the decrypted data, i.e. for the
registration to succeed they must be equal.

And now what? Guessed it? Right! We need to encrypt our name.
The result obtained will count as a valid license code. For that we need the
Blowfish_Encrypt function. Where do we get it? There are loads of options... Here are
some of them:

1. Write it yourself - that is the most useful ;)
2. Take it straight from the code of our target. IDA will help us with that, or more
   precisely its function for saving the disassembly listing to an asm file. To do so,
   select the region we need and press Alt+F10.
3. Take the code of Blowfish_Decrypt and modify it so that it becomes Blowfish_Encrypt.
   Believe me, it is not hard, you only need to apply your wits. The answer lies in the
   theory of this algorithm. ;)
4. Take a ready-made implementation in some language.

I chose the second option. I even had to fix a bug in Blowfish??crypt, because of which
data was encrypted correctly only up to 9 bytes. =)

That's all! I hope this opus helps you at least somewhat in mastering this interesting
area of Reverse Engineering.

Good luck!

GL#0M

P.S.

; Ripped Blowfish code

PBox            dd 243F6A88h, 85A308D3h, 13198A2Eh, 3707344h, 0A4093822h, 299F31D0h ; DATA XREF: Blowfish_SetKey+7Do
                dd 82EFA98h, 0EC4E6C89h, 452821E6h, 38D01377h, 0BE5466CFh, 34E90C6Ch
                dd 0C0AC29B7h, 0C97C50DDh, 3F84D5B5h, 0B5470917h, 9216D5D9h, 8979FB1Bh

; ███████████████ S U B R O U T I N E ███████████████████████████████████████

; Key-expansion function Set_Key of the Blowfish algorithm

Blowfish_SetKey proc near               ; CODE XREF: sub_408230+20Cp
                                        ; sub_408230+396p ...

buff1 = dword ptr -4Ch buff2 = dword ptr -48h var_44 = dword ptr -44h blowkeybuf = dword ptr -38h blowkey = dword ptr 4 ; 1 ïàðàìåòð - óêàçàòåëü íà êëþ÷ keylength = dword ptr 8 ; 2 ïàðàìåòð - óêàçàòåëü íà äëèíó êëþ÷à zerobuf = dword ptr 0Ch ; 3 ïàðàìåòð - óêàçàòåëü íà âñïîìîãàòåëüíûé áóôåð mov eax, [esp+zerobuf] sub esp, 4Ch push ebx push ebp mov ebp, ecx mov ebx, [esp+54h+keylength] mov ecx, [eax] cmp ebx, 1 mov [ebp+0], ecx mov edx, [eax+4] mov [ebp+4], edx mov ecx, [eax] mov [ebp+8], ecx mov edx, [eax+4] mov [ebp+0Ch], edx jnb short loc_40104F lea eax, [esp+54h+zerobuf] lea ecx, [esp+54h+var_44] push eax mov [esp+58h+zerobuf], offset aIncorrectKeyLe ; "Incorrect key length" call ??0exception@@QAE@ABQBD@Z ; exception::exception(char const * const &) lea ecx, [esp+54h+var_44] push offset unk_427938 push ecx call __CxxThrowException@8 ; _CxxThrowException(x,x) loc_40104F: ; CODE XREF: Blowfish_SetKey+28j cmp ebx, 38h jbe short loc_401059 mov ebx, 38h loc_401059: ; CODE XREF: Blowfish_SetKey+52j mov ecx, ebx push esi mov esi, [esp+58h+blowkey] mov edx, ecx push edi lea edi, [esp+5Ch+blowkeybuf] shr ecx, 2 rep movsd mov ecx, edx lea edx, [ebp+10h] and ecx, 3 xor eax, eax rep movsb mov ecx, 12h mov esi, offset PBox mov edi, edx mov [esp+5Ch+keylength], 12h rep movsd lea edi, [ebp+58h] mov ecx, 400h mov esi, offset SBox rep movsd lea ecx, [esp+5Ch+blowkeybuf] mov esi, edx loc_4010A3: ; CODE XREF: Blowfish_SetKey+E2j xor edx, edx mov [esp+5Ch+zerobuf], 4 loc_4010AD: ; CODE XREF: Blowfish_SetKey+CDj mov edi, edx xor edx, edx mov dl, [ecx] shl edi, 8 or edx, edi inc ecx inc eax cmp eax, ebx jnz short loc_4010C4 xor eax, eax lea ecx, [esp+5Ch+blowkeybuf] loc_4010C4: ; CODE XREF: Blowfish_SetKey+BCj mov edi, [esp+5Ch+zerobuf] dec edi mov [esp+5Ch+zerobuf], edi jnz short loc_4010AD mov edi, [esi] add esi, 4 xor edi, edx mov edx, [esp+5Ch+keylength] mov [esi-4], edi dec edx mov [esp+5Ch+keylength], edx jnz short loc_4010A3 xor edi, edi lea esi, [ebp+10h] mov [esp+5Ch+buff1], 
edi mov [esp+5Ch+buff2], edi loc_4010F1: ; CODE XREF: Blowfish_SetKey+114j lea eax, [esp+5Ch+buff1] mov ecx, ebp push eax call Blowfish_Encrypt mov ecx, [esp+5Ch+buff1] mov edx, [esp+5Ch+buff2] mov [esi], ecx add esi, 4 inc edi mov [esi], edx inc edi add esi, 4 cmp edi, 12h jb short loc_4010F1 lea eax, [ebp+58h] mov [esp+5Ch+zerobuf], 4 mov ebx, eax loc_401123: ; CODE XREF: Blowfish_SetKey+15Ej xor edi, edi mov esi, ebx loc_401127: ; CODE XREF: Blowfish_SetKey+14Dj lea eax, [esp+5Ch+buff1] mov ecx, ebp push eax call Blowfish_Encrypt mov ecx, [esp+5Ch+buff1] mov edx, [esp+5Ch+buff2] mov [esi], ecx add esi, 4 inc edi mov [esi], edx inc edi add esi, 4 cmp edi, 100h jl short loc_401127 mov eax, [esp+5Ch+zerobuf] add ebx, 400h dec eax mov [esp+5Ch+zerobuf], eax jnz short loc_401123 pop edi mov eax, ebp pop esi pop ebp pop ebx add esp, 4Ch retn 0Ch Blowfish_SetKey endp ; ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ S U B R O U T I N E ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ ; Ôóíêöèÿ F àëãîðèòìà Blowfish F proc near ; CODE XREF: Blowfish_Encrypt+2E7p ; Blowfish_Encrypt+2F6p ... arg_0 = dword ptr 4 mov edx, [esp+arg_0] push esi mov esi, edx mov eax, edx shr esi, 18h push edi mov edi, [ecx+esi*4+58h] mov esi, edx shr eax, 10h and eax, 0FFh and edx, 0FFh shr esi, 8 mov eax, [ecx+eax*4+458h] and esi, 0FFh add eax, edi mov edi, [ecx+esi*4+858h] mov esi, [ecx+edx*4+0C58h] xor eax, edi pop edi add eax, esi pop esi retn 4 F endp ; ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ S U B R O U T I N E ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ ; Ôóíêöèÿ Encrypt àëãîðèòìà Blowfish Blowfish_Encrypt proc near ; CODE XREF: Blowfish_SetKey+F8p ; Blowfish_SetKey+12Ep ... 

arg_0 = dword ptr 0Ch

    push ebx
    push ebp
    mov ebp, [esp+arg_0]
    push esi
    mov esi, ecx
    push edi
    mov edi, [ebp+0]
    mov ebx, [esi+10h]
    xor ebx, edi
    mov eax, ebx
    mov ecx, ebx
    shr eax, 10h
    and eax, 0FFh
    shr ecx, 18h
    mov edi, [esi+eax*4+458h]
    mov edx, [esi+ecx*4+58h]
    add edi, edx
    mov edx, ebx
    shr edx, 8
    and edx, 0FFh
    mov eax, [esi+edx*4+858h]
    mov edx, [esi+14h]
    xor edi, eax
    mov eax, ebx
    and eax, 0FFh
    mov ecx, [esi+eax*4+0C58h]
    add edi, ecx
    mov ecx, [ebp+4]
    xor edi, edx
    xor edi, ecx
    mov ecx, edi
    mov edx, edi
    shr ecx, 10h
    and ecx, 0FFh
    shr edx, 18h
    mov eax, [esi+ecx*4+458h]
    mov ecx, [esi+edx*4+58h]
    add eax, ecx
    mov ecx, edi
    shr ecx, 8
    and ecx, 0FFh
    mov edx, [esi+ecx*4+858h]
    xor eax, edx
    mov edx, edi
    and edx, 0FFh
    mov ecx, [esi+edx*4+0C58h]
    mov edx, [esi+18h]
    add eax, ecx
    xor eax, edx
    xor ebx, eax
    mov eax, ebx
    mov ecx, ebx
    shr eax, 10h
    and eax, 0FFh
    shr ecx, 18h
    mov edx, [esi+eax*4+458h]
    mov eax, [esi+ecx*4+58h]
    add edx, eax
    mov eax, ebx
    shr eax, 8
    and eax, 0FFh
    mov ecx, [esi+eax*4+858h]
    xor edx, ecx
    mov ecx, ebx
    and ecx, 0FFh
    mov eax, [esi+ecx*4+0C58h]
    mov ecx, [esi+1Ch]
    add edx, eax
    xor edx, ecx
    xor edi, edx
    mov edx, edi
    mov eax, edi
    shr edx, 10h
    and edx, 0FFh
    shr eax, 18h
    mov ecx, [esi+edx*4+458h]
    mov edx, [esi+eax*4+58h]
    add ecx, edx
    mov edx, edi
    shr edx, 8
    and edx, 0FFh
    mov eax, [esi+edx*4+858h]
    xor ecx, eax
    mov eax, edi
    and eax, 0FFh
    mov edx, [esi+eax*4+0C58h]
    mov eax, [esi+20h]
    add ecx, edx
    xor ecx, eax
    xor ebx, ecx
    mov ecx, ebx
    mov edx, ebx
    shr ecx, 10h
    and ecx, 0FFh
    shr edx, 18h
    mov eax, [esi+ecx*4+458h]
    mov ecx, [esi+edx*4+58h]
    add eax, ecx
    mov ecx, ebx
    shr ecx, 8
    and ecx, 0FFh
    mov edx, [esi+ecx*4+858h]
    xor eax, edx
    mov edx, ebx
    and edx, 0FFh
    mov ecx, [esi+edx*4+0C58h]
    mov edx, [esi+24h]
    add eax, ecx
    xor eax, edx
    xor edi, eax
    mov eax, edi
    mov ecx, edi
    shr eax, 10h
    and eax, 0FFh
    shr ecx, 18h
    mov edx, [esi+eax*4+458h]
    mov eax, [esi+ecx*4+58h]
    add edx, eax
    mov eax, edi
    shr eax, 8
    and eax, 0FFh
    mov ecx, [esi+eax*4+858h]
    xor edx, ecx
    mov ecx, edi
    and ecx, 0FFh
    mov eax, [esi+ecx*4+0C58h]
    mov ecx, [esi+28h]
    add edx, eax
    xor edx, ecx
    xor ebx, edx
    mov edx, ebx
    mov eax, ebx
    shr edx, 10h
    and edx, 0FFh
    shr eax, 18h
    mov ecx, [esi+edx*4+458h]
    mov edx, [esi+eax*4+58h]
    add ecx, edx
    mov edx, ebx
    shr edx, 8
    and edx, 0FFh
    mov eax, [esi+edx*4+858h]
    xor ecx, eax
    mov eax, ebx
    and eax, 0FFh
    mov edx, [esi+eax*4+0C58h]
    mov eax, [esi+2Ch]
    add ecx, edx
    xor ecx, eax
    xor edi, ecx
    mov ecx, edi
    mov edx, edi
    shr ecx, 10h
    and ecx, 0FFh
    shr edx, 18h
    mov eax, [esi+ecx*4+458h]
    mov ecx, [esi+edx*4+58h]
    add eax, ecx
    mov ecx, edi
    shr ecx, 8
    and ecx, 0FFh
    mov edx, [esi+ecx*4+858h]
    xor eax, edx
    mov edx, edi
    and edx, 0FFh
    mov ecx, [esi+edx*4+0C58h]
    mov edx, [esi+30h]
    add eax, ecx
    xor eax, edx
    xor ebx, eax
    mov eax, ebx
    mov ecx, ebx
    shr eax, 10h
    and eax, 0FFh
    shr ecx, 18h
    mov edx, [esi+eax*4+458h]
    mov eax, [esi+ecx*4+58h]
    add edx, eax
    mov eax, ebx
    shr eax, 8
    and eax, 0FFh
    mov ecx, [esi+eax*4+858h]
    xor edx, ecx
    mov ecx, ebx
    and ecx, 0FFh
    mov eax, [esi+ecx*4+0C58h]
    mov ecx, [esi+34h]
    add edx, eax
    xor edx, ecx
    xor edi, edx
    mov edx, edi
    mov eax, edi
    shr edx, 10h
    and edx, 0FFh
    shr eax, 18h
    mov ecx, [esi+edx*4+458h]
    mov edx, [esi+eax*4+58h]
    add ecx, edx
    mov edx, edi
    shr edx, 8
    and edx, 0FFh
    mov eax, [esi+edx*4+858h]
    xor ecx, eax
    mov eax, edi
    and eax, 0FFh
    mov edx, [esi+eax*4+0C58h]
    mov eax, [esi+38h]
    add ecx, edx
    xor ecx, eax
    xor ebx, ecx
    mov ecx, esi
    push ebx
    call F
    mov edx, [esi+3Ch]
    mov ecx, esi
    xor eax, edx
    xor edi, eax
    push edi
    call F
    mov edx, [esi+40h]
    mov ecx, esi
    xor eax, edx
    xor ebx, eax
    push ebx
    call F
    mov edx, [esi+44h]
    mov ecx, esi
    xor eax, edx
    xor edi, eax
    push edi
    call F
    mov edx, [esi+48h]
    mov ecx, esi
    xor eax, edx
    xor ebx, eax
    push ebx
    call F
    mov edx, [esi+4Ch]
    mov ecx, esi
    xor eax, edx
    xor edi, eax
    push edi
    call F
    mov edx, [esi+50h]
    mov ecx, [esi+54h]
    xor eax, edx
    xor ecx, edi
    xor ebx, eax
    pop edi
    mov [ebp+0], ecx
    mov [ebp+4], ebx
    pop esi
    pop ebp
    pop ebx
    retn 4
Blowfish_Encrypt endp

; ███████████████ S U B R O U T I N E ███████████████████████████████████████
; The Decrypt function of the Blowfish algorithm

Blowfish_Decrypt proc near ; CODE XREF: BlowfishDecrypt+B8p
                           ; BlowfishDecrypt+264p

arg_0 = dword ptr 0Ch

    push ebx
    push ebp
    mov ebp, [esp+arg_0]
    push esi
    mov esi, ecx
    push edi
    mov edi, [ebp+0]
    mov ebx, [esi+54h]
    xor ebx, edi
    mov eax, ebx
    mov ecx, ebx
    shr eax, 10h
    and eax, 0FFh
    shr ecx, 18h
    mov edi, [esi+eax*4+458h]
    mov edx, [esi+ecx*4+58h]
    add edi, edx
    mov edx, ebx
    shr edx, 8
    and edx, 0FFh
    mov eax, [esi+edx*4+858h]
    mov edx, [esi+50h]
    xor edi, eax
    mov eax, ebx
    and eax, 0FFh
    mov ecx, [esi+eax*4+0C58h]
    add edi, ecx
    mov ecx, [ebp+4]
    xor edi, edx
    xor edi, ecx
    mov ecx, edi
    mov edx, edi
    shr ecx, 10h
    and ecx, 0FFh
    shr edx, 18h
    mov eax, [esi+ecx*4+458h]
    mov ecx, [esi+edx*4+58h]
    add eax, ecx
    mov ecx, edi
    shr ecx, 8
    and ecx, 0FFh
    mov edx, [esi+ecx*4+858h]
    xor eax, edx
    mov edx, edi
    and edx, 0FFh
    mov ecx, [esi+edx*4+0C58h]
    mov edx, [esi+4Ch]
    add eax, ecx
    xor eax, edx
    xor ebx, eax
    mov eax, ebx
    mov ecx, ebx
    shr eax, 10h
    and eax, 0FFh
    shr ecx, 18h
    mov edx, [esi+eax*4+458h]
    mov eax, [esi+ecx*4+58h]
    add edx, eax
    mov eax, ebx
    shr eax, 8
    and eax, 0FFh
    mov ecx, [esi+eax*4+858h]
    xor edx, ecx
    mov ecx, ebx
    and ecx, 0FFh
    mov eax, [esi+ecx*4+0C58h]
    mov ecx, [esi+48h]
    add edx, eax
    xor edx, ecx
    xor edi, edx
    mov edx, edi
    mov eax, edi
    shr edx, 10h
    and edx, 0FFh
    shr eax, 18h
    mov ecx, [esi+edx*4+458h]
    mov edx, [esi+eax*4+58h]
    add ecx, edx
    mov edx, edi
    shr edx, 8
    and edx, 0FFh
    mov eax, [esi+edx*4+858h]
    xor ecx, eax
    mov eax, edi
    and eax, 0FFh
    mov edx, [esi+eax*4+0C58h]
    mov eax, [esi+44h]
    add ecx, edx
    xor ecx, eax
    xor ebx, ecx
    mov ecx, ebx
    mov edx, ebx
    shr ecx, 10h
    and ecx, 0FFh
    shr edx, 18h
    mov eax, [esi+ecx*4+458h]
    mov ecx, [esi+edx*4+58h]
    add eax, ecx
    mov ecx, ebx
    shr ecx, 8
    and ecx, 0FFh
    mov edx, [esi+ecx*4+858h]
    xor eax, edx
    mov edx, ebx
    and edx, 0FFh
    mov ecx, [esi+edx*4+0C58h]
    mov edx, [esi+40h]
    add eax, ecx
    xor eax, edx
    xor edi, eax
    mov eax, edi
    mov ecx, edi
    shr eax, 10h
    and eax, 0FFh
    shr ecx, 18h
    mov edx, [esi+eax*4+458h]
    mov eax, [esi+ecx*4+58h]
    add edx, eax
    mov eax, edi
    shr eax, 8
    and eax, 0FFh
    mov ecx, [esi+eax*4+858h]
    xor edx, ecx
    mov ecx, edi
    and ecx, 0FFh
    mov eax, [esi+ecx*4+0C58h]
    mov ecx, [esi+3Ch]
    add edx, eax
    xor edx, ecx
    xor ebx, edx
    mov edx, ebx
    mov eax, ebx
    shr edx, 10h
    and edx, 0FFh
    shr eax, 18h
    mov ecx, [esi+edx*4+458h]
    mov edx, [esi+eax*4+58h]
    add ecx, edx
    mov edx, ebx
    shr edx, 8
    and edx, 0FFh
    mov eax, [esi+edx*4+858h]
    xor ecx, eax
    mov eax, ebx
    and eax, 0FFh
    mov edx, [esi+eax*4+0C58h]
    mov eax, [esi+38h]
    add ecx, edx
    xor ecx, eax
    xor edi, ecx
    mov ecx, edi
    mov edx, edi
    shr ecx, 10h
    and ecx, 0FFh
    shr edx, 18h
    mov eax, [esi+ecx*4+458h]
    mov ecx, [esi+edx*4+58h]
    add eax, ecx
    mov ecx, edi
    shr ecx, 8
    and ecx, 0FFh
    mov edx, [esi+ecx*4+858h]
    xor eax, edx
    mov edx, edi
    and edx, 0FFh
    mov ecx, [esi+edx*4+0C58h]
    mov edx, [esi+34h]
    add eax, ecx
    xor eax, edx
    xor ebx, eax
    mov eax, ebx
    mov ecx, ebx
    shr eax, 10h
    and eax, 0FFh
    shr ecx, 18h
    mov edx, [esi+eax*4+458h]
    mov eax, [esi+ecx*4+58h]
    add edx, eax
    mov eax, ebx
    shr eax, 8
    and eax, 0FFh
    mov ecx, [esi+eax*4+858h]
    xor edx, ecx
    mov ecx, ebx
    and ecx, 0FFh
    mov eax, [esi+ecx*4+0C58h]
    mov ecx, [esi+30h]
    add edx, eax
    xor edx, ecx
    xor edi, edx
    mov edx, edi
    mov eax, edi
    shr edx, 10h
    and edx, 0FFh
    shr eax, 18h
    mov ecx, [esi+edx*4+458h]
    mov edx, [esi+eax*4+58h]
    add ecx, edx
    mov edx, edi
    shr edx, 8
    and edx, 0FFh
    mov eax, [esi+edx*4+858h]
    xor ecx, eax
    mov eax, edi
    and eax, 0FFh
    mov edx, [esi+eax*4+0C58h]
    mov eax, [esi+2Ch]
    add ecx, edx
    xor ecx, eax
    xor ebx, ecx
    mov ecx, esi
    push ebx
    call F
    mov edx, [esi+28h]
    mov ecx, esi
    xor eax, edx
    xor edi, eax
    push edi
    call F
    mov edx, [esi+24h]
    mov ecx, esi
    xor eax, edx
    xor ebx, eax
    push ebx
    call F
    mov edx, [esi+20h]
    mov ecx, esi
    xor eax, edx
    xor edi, eax
    push edi
    call F
    mov edx, [esi+1Ch]
    mov ecx, esi
    xor eax, edx
    xor ebx, eax
    push ebx
    call F
    mov edx, [esi+18h]
    mov ecx, esi
    xor eax, edx
    xor edi, eax
    push edi
    call F
    mov edx, [esi+14h]
    mov ecx, [esi+10h]
    xor eax, edx
    xor ecx, edi
    xor ebx, eax
    pop edi
    mov [ebp+0], ecx
    mov [ebp+4], ebx
    pop esi
    pop ebp
    pop ebx
    retn 4
Blowfish_Decrypt endp

; ███████████████ S U B R O U T I N E ███████████████████████████████████████
; This function reverses the byte order of the data going to the input of Blowfish_??crypt.
; The reversal is done 4 bytes at a time.

sub_401810 proc near ; CODE XREF: BlowfishEncrypt+22Ep
                     ; BlowfishDecrypt+255p

arg_0 = dword ptr 4
arg_4 = dword ptr 8

    mov eax, [esp+arg_4]
    mov ecx, [esp+arg_0]
    xor edx, edx
    inc ecx
    mov dword ptr [eax], 0
    mov dl, [ecx-1]
    shl edx, 18h
    mov [eax], edx
    xor edx, edx
    mov dl, [ecx]
    push esi
    mov esi, [eax]
    inc ecx
    shl edx, 10h
    or esi, edx
    xor edx, edx
    mov [eax], esi
    mov dl, [ecx]
    push edi
    mov edi, esi
    shl edx, 8
    inc ecx
    or edi, edx
    xor edx, edx
    mov [eax], edi
    mov dl, [ecx]
    inc ecx
    or edi, edx
    xor edx, edx
    mov [eax], edi
    mov dword ptr [eax+4], 0
    mov dl, [ecx]
    inc ecx
    shl edx, 18h
    mov [eax+4], edx
    mov esi, [eax+4]
    xor edx, edx
    mov dl, [ecx]
    inc ecx
    shl edx, 10h
    or esi, edx
    xor edx, edx
    mov [eax+4], esi
    mov dh, [ecx]
    mov edi, esi
    mov esi, edx
    or esi, edi
    xor edx, edx
    mov [eax+4], esi
    mov dl, [ecx+1]
    or edx, esi
    pop edi
    mov [eax+4], edx
    pop esi
    retn
sub_401810 endp

; ███████████████ S U B R O U T I N E ███████████████████████████████████████
; Function that copies the output of Blowfish_??crypt into the result buffer

sub_401890 proc near ; CODE XREF: BlowfishEncrypt+24Bp
                     ; BlowfishDecrypt+272p

arg_0 = dword ptr 4
arg_4 = dword ptr 8

    mov eax, [esp+arg_4]
    mov ecx, [esp+arg_0]
    dec eax
    mov edx, [ecx+4]
    mov [eax], dl
    mov edx, [ecx+4]
    dec eax
    shr edx, 8
    mov [eax], dl
    mov edx, [ecx+4]
    dec eax
    shr edx, 10h
    mov [eax], dl
    mov edx, [ecx+4]
    dec eax
    shr edx, 18h
    mov [eax], dl
    mov edx, [ecx]
    dec eax
    mov [eax], dl
    mov edx, [ecx]
    dec eax
    shr edx, 8
    mov [eax], dl
    mov edx, [ecx]
    dec eax
    shr edx, 10h
    mov [eax], dl
    mov ecx, [ecx]
    shr ecx, 18h
    mov [eax-1], cl
    retn
sub_401890 endp

; ███████████████ S U B R O U T I N E ███████████████████████████████████████
; Wrapper for the different modes of Blowfish_Encrypt in this Blowfish implementation.
; We are interested only in the bottom one; see the comments. :)
; Blowfish_EncryptMode

BlowfishEncrypt proc near ; CODE XREF: sub_4090D0+1BDp
                          ; sub_409330+22Ep

var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h

    mov eax, [esp+arg_8]
    sub esp, 14h
    push ebx
    push ebp
    mov ebp, ecx
    push esi
    xor ecx, ecx
    push edi
    cmp eax, ecx
    jz loc_401B43
    test al, 7
    jnz loc_401B43
    mov [esp+24h+var_14], ecx
    mov [esp+24h+var_10], ecx
    mov ecx, [esp+24h+arg_C]
    cmp ecx, 1
    jnz loc_401A04
    mov ecx, [ebp+8]
    mov edx, [ebp+0Ch]
    cmp eax, 8
    mov [esp+24h+var_C], ecx
    mov [esp+24h+var_8], edx
    jb loc_4019FA
    mov ebx, [esp+24h+arg_0]
    mov ecx, [esp+24h+arg_4]
    shr eax, 3
    lea edi, [ebx+6]
    lea esi, [ecx-7]
    mov [esp+24h+arg_4], eax

loc_401940: ; CODE XREF: BlowfishEncrypt+114j
    xor eax, eax
    xor ecx, ecx
    mov al, [ebx]
    mov cl, [edi-5]
    shl eax, 18h
    shl ecx, 10h
    or eax, ecx
    xor ecx, ecx
    mov cl, [edi-4]
    xor edx, edx
    shl ecx, 8
    or eax, ecx
    mov dl, [edi-1]
    xor ecx, ecx
    mov cl, [edi-3]
    or eax, ecx
    xor ecx, ecx
    mov cl, [edi-2]
    shl ecx, 18h
    shl edx, 10h
    or ecx, edx
    xor edx, edx
    mov dh, [edi]
    or ecx, edx
    xor edx, edx
    mov dl, [edi+1]
    or ecx, edx
    mov edx, [esp+24h+var_C]
    xor eax, edx
    mov edx, [esp+24h+var_8]
    mov [esp+24h+var_14], eax
    xor ecx, edx
    lea eax, [esp+24h+var_14]
    mov [esp+24h+var_10], ecx
    push eax
    mov ecx, ebp
    call Blowfish_Encrypt
    mov ecx, [esp+24h+var_10]
    add esi, 8
    mov edx, ecx
    mov eax, [esp+24h+var_14]
    shr edx, 8
    mov [esi+6], cl
    mov [esi+5], dl
    mov edx, ecx
    mov [esp+24h+var_8], ecx
    shr edx, 10h
    shr ecx, 18h
    mov [esi+4], dl
    mov [esi+3], cl
    mov ecx, eax
    mov edx, eax
    shr ecx, 8
    mov [esp+24h+var_C], eax
    mov [esi+2], al
    shr edx, 10h
    mov [esi+1], cl
    mov [esi], dl
    shr eax, 18h
    mov [esi-1], al
    mov eax, [esp+24h+arg_4]
    add ebx, 8
    add edi, 8
    dec eax
    mov [esp+24h+arg_4], eax
    jnz loc_401940

loc_4019FA: ; CODE XREF: BlowfishEncrypt+45j
            ; BlowfishEncrypt+13Ej ...
    pop edi
    pop esi
    pop ebp
    pop ebx
    add esp, 14h
    retn 10h
; ───────────────────────────────────────────────────────────────────────────

loc_401A04: ; CODE XREF: BlowfishEncrypt+2Ej
    cmp ecx, 2
    jnz loc_401AF2
    mov ecx, [ebp+8]
    mov edx, [ebp+0Ch]
    cmp eax, 8
    mov [esp+24h+var_C], ecx
    mov [esp+24h+var_8], edx
    jb short loc_4019FA
    mov ebx, [esp+24h+arg_0]
    mov ecx, [esp+24h+arg_4]
    shr eax, 3
    lea edi, [ebx+6]
    lea esi, [ecx-7]
    mov [esp+24h+arg_4], eax

loc_401A35: ; CODE XREF: BlowfishEncrypt+202j
    lea edx, [esp+24h+var_C]
    mov ecx, ebp
    push edx
    call Blowfish_Encrypt
    xor eax, eax
    xor ecx, ecx
    mov al, [ebx]
    mov cl, [edi-5]
    shl eax, 18h
    shl ecx, 10h
    or eax, ecx
    xor ecx, ecx
    mov cl, [edi-4]
    xor edx, edx
    shl ecx, 8
    or eax, ecx
    mov dl, [edi-1]
    xor ecx, ecx
    add esi, 8
    mov cl, [edi-3]
    add ebx, 8
    or eax, ecx
    xor ecx, ecx
    mov cl, [edi-2]
    add edi, 8
    shl ecx, 18h
    shl edx, 10h
    or ecx, edx
    xor edx, edx
    mov dh, [edi-8]
    or ecx, edx
    xor edx, edx
    mov dl, [edi-7]
    or ecx, edx
    mov edx, [esp+24h+var_C]
    xor eax, edx
    mov edx, [esp+24h+var_8]
    xor ecx, edx
    mov [esp+24h+var_14], eax
    mov edx, ecx
    mov [esi+6], cl
    shr edx, 8
    mov [esi+5], dl
    mov edx, ecx
    mov [esp+24h+var_10], ecx
    mov [esp+24h+var_8], ecx
    shr edx, 10h
    shr ecx, 18h
    mov [esi+4], dl
    mov [esi+3], cl
    mov ecx, eax
    mov edx, eax
    shr ecx, 8
    mov [esp+24h+var_C], eax
    mov [esi+2], al
    shr edx, 10h
    mov [esi+1], cl
    mov [esi], dl
    shr eax, 18h
    mov [esi-1], al
    mov eax, [esp+24h+arg_4]
    dec eax
    mov [esp+24h+arg_4], eax
    jnz loc_401A35
    pop edi
    pop esi
    pop ebp
    pop ebx
    add esp, 14h
    retn 10h
; ───────────────────────────────────────────────────────────────────────────
; ######################### HERE IS THE MODE WE NEED! ###########################

loc_401AF2: ; CODE XREF: BlowfishEncrypt+127j
    cmp eax, 8
    jb loc_4019FA
    mov esi, [esp+24h+arg_4]
    mov edi, [esp+24h+arg_0]
    shr eax, 3
    mov ebx, eax

loc_401B08: ; CODE XREF: BlowfishEncrypt+257j
    lea eax, [esp+24h+var_14]
    push eax
    push edi
    call sub_401810
    add esp, 8
    lea ecx, [esp+24h+var_14]
    push ecx
    mov ecx, ebp
    call Blowfish_Encrypt
    add esi, 8
    lea edx, [esp+24h+var_14]
    push esi
    push edx
    call sub_401890
    add esp, 8
    add edi, 8
    dec ebx
    jnz short loc_401B08
    pop edi
    pop esi
    pop ebp
    pop ebx
    add esp, 14h
    retn 10h
; ───────────────────────────────────────────────────────────────────────────

loc_401B43: ; CODE XREF: BlowfishEncrypt+11j
            ; BlowfishEncrypt+19j
    lea eax, [esp+24h+arg_4]
    lea ecx, [esp+24h+var_C]
    push eax
    mov [esp+28h+arg_4], offset aIncorrectBuffe ; "Incorrect buffer length"
    call ??0exception@@QAE@ABQBD@Z ; exception::exception(char const * const &)
    lea ecx, [esp+24h+var_C]
    push offset unk_427938
    push ecx
    call __CxxThrowException@8 ; _CxxThrowException(x,x)
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
BlowfishEncrypt endp

; ███████████████ S U B R O U T I N E ███████████████████████████████████████
; Wrapper for the different modes of Blowfish_Decrypt in this Blowfish implementation.
; Strictly speaking, Blowfish_Decrypt is not needed for our analysis, but
; see the comments anyway. :)
; Blowfish_DecryptMode

BlowfishDecrypt proc near ; CODE XREF: sub_408230+290p
                          ; sub_408230+41Ap ...

var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h

    mov eax, [esp+arg_8]
    sub esp, 1Ch
    push ebx
    push ebp
    mov ebp, ecx
    push esi
    xor ecx, ecx
    push edi
    cmp eax, ecx
    jz loc_401DFA
    test al, 7
    jnz loc_401DFA
    mov [esp+2Ch+var_1C], ecx
    mov [esp+2Ch+var_18], ecx
    mov ecx, [esp+2Ch+arg_C]
    cmp ecx, 1
    jnz loc_401CA4
    mov ecx, [ebp+8]
    mov edx, [ebp+0Ch]
    cmp eax, 8
    mov [esp+2Ch+var_14], ecx
    mov [esp+2Ch+var_10], edx
    jb loc_401C9A
    mov ebx, [esp+2Ch+arg_0]
    mov ecx, [esp+2Ch+arg_4]
    shr eax, 3
    lea edi, [ebx+6]
    lea esi, [ecx-7]
    mov [esp+2Ch+arg_4], eax

loc_401BD0: ; CODE XREF: BlowfishDecrypt+124j
    xor eax, eax
    xor ecx, ecx
    mov al, [ebx]
    mov cl, [edi-5]
    shl eax, 18h
    shl ecx, 10h
    or eax, ecx
    xor ecx, ecx
    mov cl, [edi-4]
    xor edx, edx
    shl ecx, 8
    or eax, ecx
    mov dl, [edi-1]
    xor ecx, ecx
    mov cl, [edi-3]
    or eax, ecx
    xor ecx, ecx
    mov cl, [edi-2]
    mov [esp+2Ch+var_1C], eax
    shl ecx, 18h
    shl edx, 10h
    or ecx, edx
    xor edx, edx
    mov dh, [edi]
    mov [esp+2Ch+var_C], eax
    or ecx, edx
    xor edx, edx
    mov dl, [edi+1]
    lea eax, [esp+2Ch+var_1C]
    or ecx, edx
    push eax
    mov [esp+30h+var_18], ecx
    mov [esp+30h+var_8], ecx
    mov ecx, ebp
    call Blowfish_Decrypt
    mov eax, [esp+2Ch+var_1C]
    mov ecx, [esp+2Ch+var_14]
    mov edx, [esp+2Ch+var_10]
    xor eax, ecx
    mov ecx, [esp+2Ch+var_18]
    add esi, 8
    xor ecx, edx
    mov edx, [esp+2Ch+var_C]
    mov [esp+2Ch+var_14], edx
    mov edx, [esp+2Ch+var_8]
    mov [esp+2Ch+var_10], edx
    mov edx, ecx
    shr edx, 8
    mov [esi+6], cl
    mov [esi+5], dl
    mov edx, ecx
    add ebx, 8
    shr edx, 10h
    shr ecx, 18h
    mov [esi+4], dl
    mov [esi+3], cl
    mov ecx, eax
    mov edx, eax
    shr ecx, 8
    mov [esi+2], al
    mov [esi+1], cl
    shr edx, 10h
    shr eax, 18h
    mov [esi], dl
    mov [esi-1], al
    mov eax, [esp+2Ch+arg_4]
    add edi, 8
    dec eax
    mov [esp+2Ch+arg_4], eax
    jnz loc_401BD0

loc_401C9A: ; CODE XREF: BlowfishDecrypt+45j
            ; BlowfishDecrypt+14Ej ...
    pop edi
    pop esi
    pop ebp
    pop ebx
    add esp, 1Ch
    retn 10h
; ───────────────────────────────────────────────────────────────────────────

loc_401CA4: ; CODE XREF: BlowfishDecrypt+2Ej
    cmp ecx, 2
    jnz loc_401DA9
    mov ecx, [ebp+8]
    mov edx, [ebp+0Ch]
    cmp eax, 8
    mov [esp+2Ch+var_14], ecx
    mov [esp+2Ch+var_10], edx
    jb short loc_401C9A
    mov ebx, [esp+2Ch+arg_0]
    mov ecx, [esp+2Ch+arg_4]
    shr eax, 3
    lea edi, [ebx+6]
    lea esi, [ecx-7]
    mov [esp+2Ch+arg_4], eax

loc_401CD5: ; CODE XREF: BlowfishDecrypt+229j
    xor eax, eax
    xor ecx, ecx
    mov al, [ebx]
    mov cl, [edi-5]
    shl eax, 18h
    shl ecx, 10h
    or eax, ecx
    xor ecx, ecx
    mov cl, [edi-4]
    xor edx, edx
    shl ecx, 8
    or eax, ecx
    xor ecx, ecx
    mov cl, [edi-3]
    mov dh, [edi]
    or eax, ecx
    xor ecx, ecx
    mov cl, [edi-1]
    mov [esp+2Ch+var_1C], eax
    xor eax, eax
    mov al, [edi-2]
    shl eax, 18h
    shl ecx, 10h
    or eax, ecx
    xor ecx, ecx
    mov cl, [edi+1]
    or eax, edx
    lea edx, [esp+2Ch+var_14]
    or eax, ecx
    push edx
    mov ecx, ebp
    mov [esp+30h+var_18], eax
    call Blowfish_Encrypt
    mov eax, [esp+2Ch+var_1C]
    mov edx, [esp+2Ch+var_14]
    mov ecx, [esp+2Ch+var_18]
    mov [esp+2Ch+var_C], eax
    xor eax, edx
    mov edx, [esp+2Ch+var_10]
    mov [esp+2Ch+var_8], ecx
    xor ecx, edx
    mov edx, [esp+2Ch+var_C]
    add esi, 8
    mov [esp+2Ch+var_14], edx
    mov edx, [esp+2Ch+var_8]
    mov [esp+2Ch+var_10], edx
    mov edx, ecx
    shr edx, 8
    mov [esi+6], cl
    mov [esi+5], dl
    mov edx, ecx
    add ebx, 8
    shr edx, 10h
    shr ecx, 18h
    mov [esi+4], dl
    mov [esi+3], cl
    mov ecx, eax
    mov edx, eax
    shr ecx, 8
    mov [esi+2], al
    mov [esi+1], cl
    shr edx, 10h
    shr eax, 18h
    mov [esi], dl
    mov [esi-1], al
    mov eax, [esp+2Ch+arg_4]
    add edi, 8
    dec eax
    mov [esp+2Ch+arg_4], eax
    jnz loc_401CD5
    pop edi
    pop esi
    pop ebp
    pop ebx
    add esp, 1Ch
    retn 10h
; ───────────────────────────────────────────────────────────────────────────
; ######################### HERE IS THE MODE WE NEED! ###########################

loc_401DA9: ; CODE XREF: BlowfishDecrypt+137j
    cmp eax, 8
    jb loc_401C9A
    mov esi, [esp+2Ch+arg_4]
    mov edi, [esp+2Ch+arg_0]
    shr eax, 3
    mov ebx, eax

loc_401DBF: ; CODE XREF: BlowfishDecrypt+27Ej
    lea eax, [esp+2Ch+var_1C]
    push eax
    push edi
    call sub_401810
    add esp, 8
    lea ecx, [esp+2Ch+var_1C]
    push ecx
    mov ecx, ebp
    call Blowfish_Decrypt
    add esi, 8
    lea edx, [esp+2Ch+var_1C]
    push esi
    push edx
    call sub_401890
    add esp, 8
    add edi, 8
    dec ebx
    jnz short loc_401DBF
    pop edi
    pop esi
    pop ebp
    pop ebx
    add esp, 1Ch
    retn 10h
; ───────────────────────────────────────────────────────────────────────────

loc_401DFA: ; CODE XREF: BlowfishDecrypt+11j
            ; BlowfishDecrypt+19j
    lea eax, [esp+2Ch+arg_4]
    lea ecx, [esp+2Ch+var_C]
    push eax
    mov [esp+30h+arg_4], offset aIncorrectBuffe ; "Incorrect buffer length"
    call ??0exception@@QAE@ABQBD@Z ; exception::exception(char const * const &)
    lea ecx, [esp+2Ch+var_C]
    push offset unk_427938
    push ecx
    call __CxxThrowException@8 ; _CxxThrowException(x,x)
    nop
BlowfishDecrypt endp

; THAT'S ALL! ;)
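
The BlowfishEncrypt wrapper in the listing, read back into C as an added example (not code from the tutorial or from the analysed program): it shows the length check, the big-endian load/store done by sub_401810 and sub_401890, and the three branches selected by the last argument. The names MODE_CBC and MODE_CFB are this example's reading of branches 1 and 2, and toy_block is a placeholder standing in for Blowfish_Encrypt.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { MODE_CBC = 1, MODE_CFB = 2 };  /* any other value: independent blocks (ECB) */

/* ASSUMPTION: placeholder for Blowfish_Encrypt. A 4-round Feistel toy so the
   example runs without the P-array and the four 256-entry S-boxes. */
static void toy_block(uint32_t b[2]) {
    for (uint32_t r = 1; r <= 4; r++) {
        uint32_t f = b[0] * 0x9E3779B1u + r;
        uint32_t t = b[1] ^ ((f << 7) | (f >> 25));
        b[1] = b[0];
        b[0] = t;
    }
}

/* sub_401810: eight bytes -> two 32-bit words, most significant byte first. */
static void load_be(const uint8_t *p, uint32_t w[2]) {
    for (int i = 0; i < 2; i++, p += 4)
        w[i] = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
               (uint32_t)p[2] << 8  | (uint32_t)p[3];
}

/* sub_401890: two words -> eight bytes, same byte order. */
static void store_be(const uint32_t w[2], uint8_t *p) {
    for (int i = 0; i < 2; i++, p += 4) {
        p[0] = (uint8_t)(w[i] >> 24); p[1] = (uint8_t)(w[i] >> 16);
        p[2] = (uint8_t)(w[i] >> 8);  p[3] = (uint8_t)w[i];
    }
}

/* Returns 0, or -1 where the listing throws "Incorrect buffer length". */
static int encrypt_mode(const uint32_t iv[2], const uint8_t *in, uint8_t *out,
                        size_t len, int mode) {
    uint32_t chain[2];
    if (len == 0 || (len & 7) != 0)       /* cmp eax, ecx / test al, 7 */
        return -1;
    memcpy(chain, iv, sizeof chain);      /* local copy, as in the listing */
    for (size_t off = 0; off < len; off += 8) {
        uint32_t blk[2];
        load_be(in + off, blk);
        if (mode == MODE_CBC) {           /* XOR with chain, then encrypt */
            blk[0] ^= chain[0]; blk[1] ^= chain[1];
            toy_block(blk);
        } else if (mode == MODE_CFB) {    /* encrypt chain, then XOR */
            toy_block(chain);
            blk[0] ^= chain[0]; blk[1] ^= chain[1];
        } else {                          /* the branch the author marks */
            toy_block(blk);
        }
        chain[0] = blk[0]; chain[1] = blk[1];
        store_be(blk, out + off);
    }
    return 0;
}

int main(void) {
    const uint8_t in[16] = { 1,2,3,4,5,6,7,8, 1,2,3,4,5,6,7,8 };  /* constructed */
    const uint32_t iv[2] = { 0x11111111u, 0x22222222u };           /* constructed */
    uint8_t out[16];
    for (int mode = 0; mode <= 2; mode++) {
        encrypt_mode(iv, in, out, sizeof in, mode);
        printf("mode %d:", mode);
        for (size_t i = 0; i < sizeof out; i++) printf(" %02x", out[i]);
        printf("\n");
    }
    return 0;
}
```

In the marked branch, two equal input blocks give two equal output blocks, which is the quickest way to tell it apart from branches 1 and 2 when tracing the wrapper.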