seg033:0893 1E push ds
seg033:0894 68 60 E9 push offset byte_6C7E0 ; dest
seg033:0897 9A 79 65 00+ call _strcpy
seg033:089C 83 C4 08 add sp, 8
seg033:089F 1E push ds
seg033:08A0 68 42 44 push offset aPleaseContactA ; "Please Contact ..."
seg033:08A3 1E push ds
seg033:08A4 68 60 E9 push offset byte_6C7E0 ; dest
seg033:08A7 9A CD 64 00+ call _strcat
Bypassing the dongle is easy: just force the check_dongle() function to always return 0,
for example by inserting this code at its beginning:
mov ax,0
retf
The observant reader might recall that the strcpy() C function usually requires two pointers as its
arguments, yet we see that 4 values are passed:
seg033:088F 1E push ds
seg033:0890 68 22 44 push offset aTrupcRequiresA ; "This Software Requires a Software Lock\n"
seg033:0893 1E push ds
seg033:0894 68 60 E9 push offset byte_6C7E0 ; dest
seg033:0897 9A 79 65 00+ call _strcpy
seg033:089C 83 C4 08 add sp, 8
This is related to MS-DOS’ memory model. You can read more about it here: 11.6 on page 1003.
So as you can see, strcpy() and any other function that takes pointer(s) as arguments works with 16-bit
pairs (segment and offset), so each pointer costs two pushes.
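As an added example (not code from the book), here is a small Python parser over the strcpy() call above: it pairs each `push ds` with the `push offset ...` that follows into a segment:offset far pointer, reconstructs the C argument order, and checks that the caller’s `add sp, 8` removes exactly the four 16-bit words it pushed. The embedded listing is copied from above; the regex, function and dict key names are my own.

```python
import re

# Constructed sample: the strcpy() call from the 16-bit listing discussed above.
LISTING = """\
seg033:088F 1E push ds
seg033:0890 68 22 44 push offset aTrupcRequiresA ; "This Software Requires a Software Lock\\n"
seg033:0893 1E push ds
seg033:0894 68 60 E9 push offset byte_6C7E0 ; dest
seg033:0897 9A 79 65 00+ call _strcpy
seg033:089C 83 C4 08 add sp, 8
"""

# address, opcode bytes ("9A 79 65 00+"), then mnemonic and operands (+ optional "; comment")
LINE_RE = re.compile(r"^\S+:[0-9A-Fa-f]+\s+(?:[0-9A-Fa-f]{2}\+?\s+)+(\w+)\s*(.*)$")
SEG_REGS = {"cs", "ds", "es", "ss"}


def parse_imm(text):
    """IDA immediates are decimal ('8') or hex with an h suffix ('0Ch')."""
    text = text.strip()
    return int(text[:-1], 16) if text.lower().endswith("h") else int(text)


def group_args(pushes):
    """Operands in push order -> C arguments, first argument first: cdecl pushes right to
    left, and a far pointer is 'push <seg>' then 'push offset <x>' (offset ends on top)."""
    words, args, i = pushes[::-1], [], 0
    while i < len(words):
        if i + 1 < len(words) and words[i].startswith("offset ") and words[i + 1] in SEG_REGS:
            args.append(f"{words[i + 1]}:{words[i][7:]}")  # one far pointer = two 16-bit words
            i += 2
        else:
            args.append(words[i])  # a plain 16-bit value
            i += 1
    return args


def parse_calls(listing):
    """One dict per call: callee, reconstructed args, bytes pushed, bytes the caller cleans up."""
    calls, pending = [], []
    for m in filter(None, map(LINE_RE.match, listing.splitlines())):
        mnem, ops = m.group(1).lower(), m.group(2).split(";")[0].strip()
        if mnem == "push":
            pending.append(ops)
        elif mnem == "call":
            calls.append({"callee": ops, "args": group_args(pending),
                          "pushed": len(pending) * 2, "cleanup": None})  # 2 bytes per push
            pending = []
        elif mnem == "add" and ops.lower().startswith("sp,") and calls:
            calls[-1]["cleanup"] = parse_imm(ops.split(",", 1)[1])
    return calls
```

A `cleanup` value that differs from `pushed` is the usual sign that the callee is not cdecl or that an argument is not a far pointer, which is exactly the kind of mismatch to look for before patching such code.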
Let’s get back to our example. DS is currently set to the data segment located in the executable, which is
where the text string is stored.
In the sent_pro() function, each byte of the string is loaded at
seg030:00EF: the LES instruction loads the ES:BX pair simultaneously from the passed argument.
The MOV at seg030:00F5 loads the byte from the memory location to which the ES:BX pair points.
8.6 “QR9”: Rubik’s cube inspired amateur crypto-algorithm
Sometimes amateur cryptosystems appear to be pretty bizarre.
The author of this book was once asked to reverse engineer an amateur crypto-algorithm used by a data
encryption utility, the source code of which had been lost^16.
Here is the listing exported from IDA for the original encryption utility:
.text:00541000 set_bit proc near ; CODE XREF: rotate1+42
.text:00541000 ; rotate2+42 ...
.text:00541000
.text:00541000 arg_0 = dword ptr 4
.text:00541000 arg_4 = dword ptr 8
.text:00541000 arg_8 = dword ptr 0Ch
.text:00541000 arg_C = byte ptr 10h
.text:00541000
.text:00541000 mov al, [esp+arg_C]
.text:00541004 mov ecx, [esp+arg_8]
.text:00541008 push esi
.text:00541009 mov esi, [esp+4+arg_0]
.text:0054100D test al, al
.text:0054100F mov eax, [esp+4+arg_4]
.text:00541013 mov dl, 1
.text:00541015 jz short loc_54102B
.text:00541017 shl dl, cl
(^16) He also got permission from the customer to publish the algorithm’s details.