Decryption routine


xor_axax
March 18th, 2013, 11:48
I needed some help if it is possible.
I have a DLL file that has two routines to decrypt a binary file to ASCII, and I needed to know if it is possible to patch these routines to also do the encryption.

Thanks

Code:

00371E80 55 PUSH EBP
00371E81 8BEC MOV EBP, ESP
00371E83 83EC 08 SUB ESP, 8
00371E86 894D F8 MOV [DWORD SS:EBP-8], ECX
00371E89 8B4D F8 MOV ECX, [DWORD SS:EBP-8]
00371E8C E8 FF010000 CALL 00372090 ; 80960L.00372090
00371E91 0FB6C0 MOVZX EAX, AL
00371E94 85C0 TEST EAX, EAX
00371E96 75 04 JNZ SHORT 00371E9C ; 80960L.00371E9C
00371E98 32C0 XOR AL, AL
00371E9A EB 79 JMP SHORT 00371F15 ; 80960L.00371F15
00371E9C 8B4D F8 MOV ECX, [DWORD SS:EBP-8]
00371E9F 8B51 16 MOV EDX, [DWORD DS:ECX+16]
00371EA2 8955 FC MOV [DWORD SS:EBP-4], EDX
00371EA5 EB 09 JMP SHORT 00371EB0 ; 80960L.00371EB0
00371EA7 8B45 FC MOV EAX, [DWORD SS:EBP-4]
00371EAA 83C0 01 ADD EAX, 1
00371EAD 8945 FC MOV [DWORD SS:EBP-4], EAX
00371EB0 8B4D F8 MOV ECX, [DWORD SS:EBP-8]
00371EB3 8B55 FC MOV EDX, [DWORD SS:EBP-4]
00371EB6 3B51 10 CMP EDX, [DWORD DS:ECX+10]
00371EB9 73 58 JNB SHORT 00371F13 ; 80960L.00371F13
00371EBB 8B45 F8 MOV EAX, [DWORD SS:EBP-8]
00371EBE 8B48 08 MOV ECX, [DWORD DS:EAX+8]
00371EC1 8B55 F8 MOV EDX, [DWORD SS:EBP-8]
00371EC4 0FB642 14 MOVZX EAX, [BYTE DS:EDX+14]
00371EC8 0FB690 28E13D00 MOVZX EDX, [BYTE DS:EAX+3DE128]
00371ECF F7D2 NOT EDX
00371ED1 8B45 FC MOV EAX, [DWORD SS:EBP-4]
00371ED4 0FB60C01 MOVZX ECX, [BYTE DS:ECX+EAX]
00371ED8 33CA XOR ECX, EDX
00371EDA 8B55 F8 MOV EDX, [DWORD SS:EBP-8]
00371EDD 8B42 08 MOV EAX, [DWORD DS:EDX+8]
00371EE0 8B55 FC MOV EDX, [DWORD SS:EBP-4]
00371EE3 880C10 MOV [BYTE DS:EAX+EDX], CL
00371EE6 8B45 F8 MOV EAX, [DWORD SS:EBP-8]
00371EE9 0FB648 14 MOVZX ECX, [BYTE DS:EAX+14]
00371EED 8B55 F8 MOV EDX, [DWORD SS:EBP-8]
00371EF0 8B42 08 MOV EAX, [DWORD DS:EDX+8]
00371EF3 8B55 FC MOV EDX, [DWORD SS:EBP-4]
00371EF6 0FB60410 MOVZX EAX, [BYTE DS:EAX+EDX]
00371EFA 03C8 ADD ECX, EAX
00371EFC 8B55 F8 MOV EDX, [DWORD SS:EBP-8]
00371EFF 0FB642 15 MOVZX EAX, [BYTE DS:EDX+15]
00371F03 03C8 ADD ECX, EAX
00371F05 81E1 FF000000 AND ECX, 0FF
00371F0B 8B55 F8 MOV EDX, [DWORD SS:EBP-8]
00371F0E 884A 14 MOV [BYTE DS:EDX+14], CL
00371F11 ^ EB 94 JMP SHORT 00371EA7 ; 80960L.00371EA7
00371F13 B0 01 MOV AL, 1
00371F15 8BE5 MOV ESP, EBP
00371F17 5D POP EBP
00371F18 C3 RETN




00372090 55 PUSH EBP
00372091 8BEC MOV EBP, ESP
00372093 83EC 08 SUB ESP, 8
00372096 894D F8 MOV [DWORD SS:EBP-8], ECX
00372099 8B45 F8 MOV EAX, [DWORD SS:EBP-8]
0037209C 8B48 08 MOV ECX, [DWORD DS:EAX+8]
0037209F 8B11 MOV EDX, [DWORD DS:ECX]
003720A1 8955 FC MOV [DWORD SS:EBP-4], EDX
003720A4 8B45 FC MOV EAX, [DWORD SS:EBP-4]
003720A7 C1E8 08 SHR EAX, 8
003720AA 0345 FC ADD EAX, [DWORD SS:EBP-4]
003720AD 8B4D FC MOV ECX, [DWORD SS:EBP-4]
003720B0 C1E9 10 SHR ECX, 10
003720B3 03C1 ADD EAX, ECX
003720B5 8B55 FC MOV EDX, [DWORD SS:EBP-4]
003720B8 C1EA 18 SHR EDX, 18
003720BB 03C2 ADD EAX, EDX
003720BD 25 FF000000 AND EAX, 0FF
003720C2 8B4D F8 MOV ECX, [DWORD SS:EBP-8]
003720C5 8841 14 MOV [BYTE DS:ECX+14], AL
003720C8 8B55 F8 MOV EDX, [DWORD SS:EBP-8]
003720CB 0FB642 14 MOVZX EAX, [BYTE DS:EDX+14]
003720CF 6BC0 11 IMUL EAX, EAX, 11
003720D2 25 FF000000 AND EAX, 0FF
003720D7 8B4D F8 MOV ECX, [DWORD SS:EBP-8]
003720DA 8841 14 MOV [BYTE DS:ECX+14], AL
003720DD 8B55 F8 MOV EDX, [DWORD SS:EBP-8]
003720E0 0FB642 14 MOVZX EAX, [BYTE DS:EDX+14]
003720E4 83C0 25 ADD EAX, 25
003720E7 25 FF000000 AND EAX, 0FF
003720EC 8B4D F8 MOV ECX, [DWORD SS:EBP-8]
003720EF 8841 15 MOV [BYTE DS:ECX+15], AL
003720F2 B0 01 MOV AL, 1
003720F4 8BE5 MOV ESP, EBP
003720F6 5D POP EBP
003720F7 C3 RETN



naides
March 18th, 2013, 17:01
Man, unless you present exceedingly well commented code with a lot of research behind it, and a detailed explanation of what you want to accomplish, even if one wanted to help you, one could not. . .

xor_axax
March 18th, 2013, 17:35
Thanks for your reply and I'll try to explain better what I need.
The two routines that I put here read and decrypt a binary file, then write the contents into memory in ASCII.
After that I saved the data to an ASCII file and made some changes in that file, and then tried to encrypt the file again using the same routines, but the encryption is not good, and so I needed to know if the routines that decrypt the binary file can also encrypt again from ASCII to binary.

xor_axax
March 19th, 2013, 06:34
@naides

Thanks for trying to help, but I already solved my problem.
I made some changes in the first routine and now it encrypts the file very well.

Thanks anyway.
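
An added example, not part of the thread and not the poster's actual patch: a C reconstruction of the two routines as disassembled above, showing why re-running the decryptor does not re-encrypt and the one change that inverts it. `start` and `size` stand for the dwords at [this+16h] and [this+10h]; the table contents, the sample bytes, and the requirement that the four header bytes lie before `start` are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the 256-byte table at 3DE128h; its contents are not in the
   thread, so these values are constructed. */
static uint8_t table[256];
void init_table(void) {
    for (int i = 0; i < 256; i++) table[i] = (uint8_t)(i * 7 + 3);
}

/* Routine at 00372090: the low byte of v + (v>>8) + (v>>16) + (v>>24) is the
   byte sum of the first dword of the buffer. */
void derive_key(const uint8_t *buf, uint8_t *key, uint8_t *step) {
    uint8_t k = (uint8_t)(buf[0] + buf[1] + buf[2] + buf[3]);
    *key  = (uint8_t)(k * 0x11);      /* byte at [this+14h] */
    *step = (uint8_t)(*key + 0x25);   /* byte at [this+15h] */
}

/* Routine at 00371E80 when encrypt == 0. The key advances with the plaintext
   byte: the output when decrypting, so the input when encrypting. */
int transform(uint8_t *buf, size_t start, size_t size, int encrypt) {
    uint8_t key, step;
    if (start < 4 || size < start) return 0;  /* assumption: clear 4-byte header */
    derive_key(buf, &key, &step);
    for (size_t i = start; i < size; i++) {
        uint8_t in  = buf[i];
        uint8_t out = (uint8_t)(in ^ ~table[key]);
        buf[i] = out;
        key = (uint8_t)(key + (encrypt ? in : out) + step);
    }
    return 1;
}

/* Constructed sample: 4 header bytes plus text. Re-encode it either with the
   inverse (use_inverse = 1) or by re-running the decryptor, then decrypt;
   returns 1 if the original bytes come back. */
int roundtrip(int use_inverse) {
    const uint8_t plain[] = {1, 2, 3, 4, 'h', 'e', 'l', 'l', 'o'};
    uint8_t buf[sizeof plain];
    init_table();
    memcpy(buf, plain, sizeof plain);
    transform(buf, 4, sizeof buf, use_inverse);
    transform(buf, 4, sizeof buf, 0);
    return memcmp(buf, plain, sizeof plain) == 0;
}

int main(void) { return !(roundtrip(1) && !roundtrip(0)); }
```

The XOR step is its own inverse; only the key update differs, because it reads the byte back from the buffer after the store at 00371EE3.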