8.10 SAP.
4a: 8b f8 mov %eax,%edi
4c: a1 e0 e2 05 01 mov 0x105e2e0,%eax
51: 3b 05 e4 e2 05 01 cmp 0x105e2e4,%eax
57: 75 12 jne 0x6b
59: 53 push %ebx
5a: 6a 03 push $0x3
5c: 57 push %edi
5d: ff d6 call *%esiYes, this is seems correctly disassembled piece of x86 code. The whole dectyped file can be downloaded
here.
In fact, this is text section from regedit.exe from Windows 7. But this example is based on a real case I
encountered, so just executable is different (and key), algorithm is the same.
8.9.1 Other ideas to consider
What if I would fail with such simple frequency analysis? There are other ideas on how to measure cor-
rectness of decrypted/decompressed x86 code:
- Many modern compilers aligns functions on 0x10 border. So the space left before is filled with NOPs
(0x90) or other NOP instructions with known opcodes:.1.7 on page 1038. - Perhaps, the most frequent pattern in any assembly language is function call:
PUSH chain / CALL / ADD ESP, X. This sequence can easily detected and found. I’ve even gath-
ered statistics about average number of function arguments:11.2 on page 999. (Hence, this is
average length of PUSH chain.)
Read more about incorrectly/correctly disassembled code:5.11 on page 726.
8.10 SAP
8.10.1 About SAP client network traffic compression
(Tracing the connection between the TDW_NOCOMPRESS SAPGUI^28 environment variable and the pesky
annoying pop-up window and the actual data compression routine.)
It is known that the network traffic between SAPGUI and SAP is not encrypted by default, but compressed
(see here^29 and here^30 ).
It is also known that by setting the environment variableTDW_NOCOMPRESSto 1, it is possible to turn
the network packet compression off.
But you will see an annoying pop-up window that cannot be closed:
(^28) SAP GUI client
(^29) http://go.yurichev.com/17221
(^30) blog.yurichev.com