Reversing : The Hacker's Guide to Reverse Engineering

encrypted code contained code that sets it back to zero and jumps back to that
address. If you go back to look at every encrypted function you’ve gone over,
they all have this same mechanism. It appears to be a generic mechanism that
reencrypts the function before it returns. The local variable is apparently
required to tell the prologue code whether the function is currently being
encrypted or decrypted. Here are those two lines from 401D18, the function
you’re trying to decrypt.

00401D49 MOV DWORD PTR SS:[EBP-4],1
00401D50 CMP DWORD PTR SS:[EBP-4],0
00401D54 JE SHORT Defender.00401DBF

As usual, a local variable is being set to 1, and then checked for a zero value.
If I’m right about this, the decrypted code should contain an instruction just
like the first one in the preceding sequence, except that the value being loaded
is 0, not 1. Let’s examine the code bytes for this instruction and determine
exactly what you’re looking for.

00401D49 C745 FC 01000000 MOV DWORD PTR SS:[EBP-4],1

Here’s the OllyDbg output that includes the instruction’s code bytes. It
looks like this is a 7-byte sequence—should be more than enough to find the
key. All you have to do is modify the 01 byte to 00, to create the following
sequence:

C7 45 FC 00 00 00 00

The next step is to create a little program that contains a copy of the
encrypted code (which you can rip directly from OllyDbg’s data window) and
decrypts the code using every possible key from 0 to FFFFFFFF. With each
decrypted block the program must search for the token—that 7-byte sequence
you just prepared. As soon as you find that sequence in a decrypted block, you
know that you’ve found the correct decryption key. This is a pretty short block,
so it’s unlikely that you’d find the token in the wrong decrypted block.
You start by determining the starting address and exact length of the
encrypted block. Both addresses are loaded into local variables early in the
decryption sequence:

00401D2C PUSH Defender.00401E32
00401D31 POP EAX
00401D32 MOV DWORD PTR SS:[EBP-14],EAX
00401D35 PUSH Defender.00401EB6
00401D3A POP EAX
00401D3B MOV DWORD PTR SS:[EBP-C],EAX
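As an added illustration (not the book's own listing), here is a C version of the little brute-force program described above. It assumes that the function body is decrypted by XORing each byte with the repeating little-endian bytes of a 32-bit key; the page does not show Defender's decryption loop, so that routine is an assumption and is labelled as one in the code. The sample "encrypted" block and its key are constructed here, not ripped from Defender's data window, and the demo searches a small key range so it finishes quickly; a real run over the 0x84-byte block at 401E32-401EB6 would use the full range 0 to FFFFFFFF.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Token to look for in each decrypted block: the code bytes of
   MOV DWORD PTR SS:[EBP-4],0 (the 01 byte of the original patched to 00). */
static const uint8_t TOKEN[7] = { 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00 };

/* ASSUMPTION: the function is decrypted by XORing each DWORD with a 32-bit
   key, i.e. byte i is XORed with byte (i % 4) of the little-endian key.
   The page does not show Defender's decryption loop; adjust this routine
   to match the one you see in the debugger. XOR is its own inverse, so the
   same routine also encrypts. */
static void xor_block(uint8_t *dst, const uint8_t *src, size_t len, uint32_t key)
{
    const uint8_t kb[4] = {
        (uint8_t)(key & 0xFF), (uint8_t)((key >> 8) & 0xFF),
        (uint8_t)((key >> 16) & 0xFF), (uint8_t)((key >> 24) & 0xFF)
    };
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i] ^ kb[i % 4];
}

/* Byte-wise search for the token at any offset (it need not be DWORD-aligned). */
static int contains_token(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + sizeof TOKEN <= len; i++)
        if (memcmp(buf + i, TOKEN, sizeof TOKEN) == 0)
            return 1;
    return 0;
}

/* Try every key in [first, last] (inclusive, so 0..0xFFFFFFFF covers the
   whole key space). Returns 1 and stores the key in *out on success. */
int brute_force_key(const uint8_t *enc, size_t len,
                    uint32_t first, uint32_t last, uint32_t *out)
{
    uint8_t *plain = malloc(len);
    if (plain == NULL)
        return 0;
    int found = 0;
    uint32_t key = first;
    for (;;) {
        xor_block(plain, enc, len, key);
        if (contains_token(plain, len)) {
            *out = key;
            found = 1;
            break;
        }
        if (key == last)   /* checked after the attempt so 0xFFFFFFFF is tried too */
            break;
        key++;
    }
    free(plain);
    return found;
}

/* Constructed stand-in for the encrypted function (not bytes from Defender):
   a tiny prologue, the token at a non-DWORD-aligned offset, and an epilogue. */
static const uint8_t SAMPLE_PLAIN[] = {
    0x55, 0x8B, 0xEC,                           /* push ebp; mov ebp,esp */
    0x83, 0xEC, 0x14,                           /* sub esp,14h */
    0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00,   /* mov dword ptr [ebp-4],0 */
    0x33, 0xC0, 0xC9, 0xC3                      /* xor eax,eax; leave; ret */
};
#define SAMPLE_KEY 0xBEEFu   /* constructed; kept small so the demo is quick */

/* Encrypts the sample with SAMPLE_KEY, then recovers the key by searching
   keys 0..0xFFFF. Against the real 0x84-byte block (401E32-401EB6) you
   would pass 0 and 0xFFFFFFFF as the range. */
int demo_find_key(uint32_t *out)
{
    uint8_t enc[sizeof SAMPLE_PLAIN];
    xor_block(enc, SAMPLE_PLAIN, sizeof enc, SAMPLE_KEY);
    return brute_force_key(enc, sizeof enc, 0, 0xFFFF, out);
}

int main(void)
{
    uint32_t key;
    if (demo_find_key(&key))
        printf("key found: %08X\n", key);
    else
        printf("token not found in any decrypted block\n");
    return 0;
}
```

The token search is byte-wise on purpose: the MOV may sit at any offset inside the block, so the key space is small but the match position is not known in advance. The loop also tests the last key before leaving, so a full-range run actually tries FFFFFFFF instead of wrapping to zero and running forever.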

410 Chapter 11
