issuhub.com

Reverse Engineering for Beginners

(avery) #1

CHAPTER 78. DONGLES CHAPTER 78. DONGLES


.text:0000D9CE push 0Fh
.text:0000D9D0 push 190h
.text:0000D9D5 call sound
.text:0000D9DA mov [ebp+var_18], 1
.text:0000D9E1 add esp, 18h
.text:0000D9E4 call pcv_kbhit
.text:0000D9E9 test eax, eax
.text:0000D9EB jz short loc_D9FB


; this name we gave to label:
.data:00401736 encrypted_error_message2 db 74h, 72h, 78h, 43h, 48h, 6, 5Ah, 49h, 4Ch, 2 dup(47h⤦
Ç)
.data:00401736 db 51h, 4Fh, 47h, 61h, 20h, 22h, 3Ch, 24h, 33h, 36h, 76h
.data:00401736 db 3Ah, 33h, 31h, 0Ch, 0, 0Bh, 1Fh, 7, 1Eh, 1Ah


Bypassing the dongle is pretty straightforward: just patch all jumps after the relevantCMPinstructions.


Another option is to write our own SCO OpenServer driver, containing a table of questions and answers, all of those which
present in the program.


78.2.1 Decrypting error messages.


By the way, we can also try to decrypt all error messages. The algorithm that is located in theerr_warn()function is very
simple, indeed:


Listing 78.1: Decryption function

.text:0000A44D mov esi, [ebp+arg_C] ; key
.text:0000A450 mov edx, [ebp+arg_4] ; string
.text:0000A453 loc_A453:
.text:0000A453 xor eax, eax
.text:0000A455 mov al, [edx+edi] ; load encrypted byte
.text:0000A458 xor eax, esi ; decrypt it
.text:0000A45A add esi, 3 ; change key for the next byte
.text:0000A45D inc edi
.text:0000A45E cmp edi, ecx
.text:0000A460 mov [ebp+edi+var_55], al
.text:0000A464 jl short loc_A453


As we can see, not just string is supplied to the decryption function, but also the key:


.text:0000DAF7 error: ; CODE XREF: sync_sys+255j
.text:0000DAF7 ; sync_sys+274j ...
.text:0000DAF7 mov [ebp+var_8], offset encrypted_error_message2
.text:0000DAFE mov [ebp+var_C], 17h ; decrypting key
.text:0000DB05 jmp decrypt_end_print_message


...


; this name we gave to label manually:
.text:0000D9B6 decrypt_end_print_message: ; CODE XREF: sync_sys+29Dj
.text:0000D9B6 ; sync_sys+2ABj
.text:0000D9B6 mov eax, [ebp+var_18]
.text:0000D9B9 test eax, eax
.text:0000D9BB jnz short loc_D9FB
.text:0000D9BD mov edx, [ebp+var_C] ; key
.text:0000D9C0 mov ecx, [ebp+var_8] ; string
.text:0000D9C3 push edx
.text:0000D9C4 push 20h
.text:0000D9C6 push ecx
.text:0000D9C7 push 18h
.text:0000D9C9 call err_warn


The algorithm is a simplexoring: each byte is xored with a key, but the key is increased by 3 after the processing of each
byte.


We can write a simple Python script to check our hypothesis:

Free download pdf
Get our desktop app
Company
Features
Documentation
Resources
© ISSUHUB. 2024. All rights reserved.