Don't read the Exhibit unless you're a hacker.
Adventures in Hacking With Ida
Decompilation of a machine readable 'encryption' routine into
human readable source code using a non-free disassembly tool.
Characters
Incognegro, an aspiring African Hacker
Ida, a marvellous software program for understanding binary code
the not-so-little Red client
the big, bad wolf
The (Short) Story
Once upon a time, there was a not so little Red client who was being hounded
by a big, bad wolf. The bad, bad wolf had supplied not so little Red client
with a software product, that included the source code but would not compile
without the wolf's favorite big, bad libraries.
Poor Incognegro was called in to solve the situation, unwittingly innocent of
the challenges ahead, he began a noble quest to free himself and Red client
from the troubles of proprietary source code, for a short time, at least.
Some time later, he became most morose and downcast, realizing that the source
code simply would not recognize its sibling subroutines at link time. Moreover,
without the Correct Compiler and the Correct Libraries, it would simply not
work! Incognegro had something close to the Correct Compiler, but could not
locate the Correct Libraries even if he had to save his life (or the project).
He sought and received the Oracle of Ida. Ida, the most beautiful disassembler
of them all, she soon agreed to the agreeable pursuit of the secrets of The
Source. Her guidance and counsel to poor Incognegro simply resulting in a
Preposterously Pompous Puzzle, the likes of which Incognegro had simply just
not wanted to see anytime soon or ever.
However, at this time, there was simply nothing else to be done! The Puzzle had
to be unravelled!! The aspiring hacker counted the number of lines of code and
was heartened beyond compare to discover the original source code was of a small
and manageable length. He exclaimed, "Ida dearest, come and do have a closer look!"
and she ran out quickly to bring the right assembly codes closer to the desktop,
putting them all in their proper order and place with a great deal of care.
Slowly but painstakingly, they both put the missing pieces of the Puzzle back
together. "This is no Humpty-Dumpty but I'm here, don't fear!", said Ida. Not so
soon afterwards, Incognegro exclaimed, "Eureka?!!! I've seen the Hidden Secrets
of The Source! The Patterns of Pops, Pushes, Leas, Movs and all the other
Excruciatingly Unpronounceable x86 Opcodes!!".
They danced and prowled all over the Hidden Patterns in The Source until they
couldn't think any more at all. Then they both shouted, "Don't Forget To Save
Off The Site!" when they realized that Gandalf, was after all this time,
talking to them.
Sitting down after this long hunt had left Ida and Incognegro both short of
breath and thirsty and plopped down in their memory ranges and swivel chair
at the same time just as The Computer shouted and said, "What about me? You've
left me with nothing to do! I need a job!"
Incognegro laughed and picked up a paper, then threw it to the Computer and said,
"Read this!". The Computer began, and said "An Adventure With Ida." It continued
mumbling for a while and pointed to the Reader, then pointed downwards, and said,
with an underlying tone in his voice, "Exhibit".
The Computer then turned back to its Task List with a slight smile in a seemingly
all-knowing, yet oddly blank face. At this point everything suddenly just crashed
as the screen went dark and the Screensaver shouted,
"It's my turn to show APPENDIX A!"
-- G.
Exhibit
-------
Hi,
The encryption function is a very short and simple function. I have not
verified the proposed function that I have reverse-engineered from the binary
code but it results in very similar assembly listings that closely match
the code in LibsLight.obj as supplied by the original software contractor.
The C++ language subroutine used for the encryption as reverse-engineered
by myself is in APPENDIX A. The original subroutine as distributed by the
original software contractor is in APPENDIX B. The disassembled form of my
compilation of the source code in APPENDIX A is listed in APPENDIX C.
-- G.
PS: I highly recommend IDA Pro. I would not have been able to do this
in such a short time and with so little working knowledge of x86 assembler.
It does all the magic and analysis, and leaves you to figure out what the
code actually means. You don't have to figure out the code first and that's
an incredible, amazing accomplishment. IDA Pro is a definite 'must buy'.
APPENDIX A - REVERSE-ENGINEERED C++ LANGUAGE "ENCRYPTION" ROUTINE
=================================================================
#include <vcl.h>
AnsiString __fastcall Encrypt(AnsiString cleartext, unsigned short x)
{
AnsiString enc = "";
for(int i=1; i <= cleartext.Length(); i++) {
AnsiString hex = IntToHex( (cleartext[i]) ^ (x >> 8), 2);
enc = enc + hex;
x = ( (unsigned) (cleartext[i] + x) * 52845 ) + 22719;
}
return enc;
}
APPENDIX B - DISASSEMBLED ORIGINAL BINARY ENCRYPTION ROUTINE FROM XXX.OBJ
=========================================================================
_TEXT:0000259E ; ��������������� S U B R O U T I N E
���������������������������������������
_TEXT:0000259E
_TEXT:0000259E ; Attributes: bp-based frame
_TEXT:0000259E
_TEXT:0000259E ; __fastcall Encrypt(System::AnsiString,unsigned short)
_TEXT:0000259E public @[EMAIL PROTECTED]
_TEXT:0000259E @[EMAIL PROTECTED] proc near
_TEXT:0000259E
_TEXT:0000259E i = dword ptr -40h
_TEXT:0000259E xerox = word ptr -3Ah
_TEXT:0000259E iv4 = dword ptr -38h
_TEXT:0000259E iv3 = word ptr -28h
_TEXT:0000259E iv2 = dword ptr -1Ch
_TEXT:0000259E iv1 = dword ptr -14h
_TEXT:0000259E concatenated = dword ptr -10h
_TEXT:0000259E hex = dword ptr -0Ch
_TEXT:0000259E encrypted = dword ptr -8
_TEXT:0000259E cleartext = dword ptr -4
_TEXT:0000259E
_TEXT:0000259E push ebp
_TEXT:0000259F mov ebp, esp
_TEXT:000025A1 add esp, 0FFFFFFC0h
_TEXT:000025A4 mov [ebp+iv1], ecx
_TEXT:000025A7 mov [ebp+xerox], dx
_TEXT:000025AB mov [ebp+cleartext], eax
_TEXT:000025AE mov eax, offset stru_849C
_TEXT:000025B3 call @__InitExceptBlockLDTC
_TEXT:000025B8 mov [ebp+iv2], 1
_TEXT:000025BF lea edx, [ebp+cleartext]
_TEXT:000025C2 lea eax, [ebp+cleartext]
_TEXT:000025C5 call @[EMAIL PROTECTED]@[EMAIL PROTECTED] ;
System::AnsiString::AnsiString(System::AnsiString &)
_TEXT:000025CA inc [ebp+iv2]
_TEXT:000025CD ; #line 503
_TEXT:000025CD mov [ebp+iv3], 8
_TEXT:000025D3 ; #line 504
_TEXT:000025D3 mov [ebp+iv3], 14h
_TEXT:000025D9 mov edx, offset unk_9CAF
_TEXT:000025DE lea eax, [ebp+encrypted]
_TEXT:000025E1 call @[EMAIL PROTECTED]@$bctr$qqrpxc ;
System::AnsiString::AnsiString(char *)
_TEXT:000025E6 inc [ebp+iv2]
_TEXT:000025E9 mov [ebp+iv3], 8
_TEXT:000025EF ; #line 505
_TEXT:000025EF mov [ebp+i], 1
_TEXT:000025F6 jmp loc_27CA
_TEXT:000025FB ;
---------------------------------------------------------------------------
_TEXT:000025FB ; #line 508
_TEXT:000025FB
_TEXT:000025FB loc_272B: ; CODE XREF:
Encrypt(System::AnsiString,ushort)+107�j
_TEXT:000025FB mov [ebp+iv3], 20h ; ' '
_TEXT:00002601 lea eax, [ebp+hex]
_TEXT:00002604 call @[EMAIL PROTECTED]@$bctr$qqrv ;
System::AnsiString::AnsiString(void)
_TEXT:00002609 push eax
_TEXT:0000260A inc [ebp+iv2]
_TEXT:0000260D lea eax, [ebp+cleartext]
_TEXT:00002610 mov edx, [ebp+i]
_TEXT:00002613 call @[EMAIL PROTECTED]@$bsubs$qqrxi ;
System::AnsiString::operator[](int)
_TEXT:00002618 movsx eax, byte ptr [eax]
_TEXT:0000261B movzx edx, [ebp+xerox]
_TEXT:0000261F sar edx, 8
_TEXT:00002622 xor eax, edx
_TEXT:00002624 mov edx, 2
_TEXT:00002629 pop ecx
_TEXT:0000262A call @[EMAIL PROTECTED]@IntToHex$qqrii ;
System::AnsiString::IntToHex(int,int)
_TEXT:0000262F lea eax, [ebp+hex]
_TEXT:00002632 push eax
_TEXT:00002633 lea eax, [ebp+concatenated]
_TEXT:00002636 call @[EMAIL PROTECTED]@$bctr$qqrv ;
System::AnsiString::AnsiString(void)
_TEXT:0000263B mov ecx, eax
_TEXT:0000263D inc [ebp+iv2]
_TEXT:00002640 lea eax, [ebp+encrypted]
_TEXT:00002643 pop edx
_TEXT:00002644 call @[EMAIL PROTECTED]@[EMAIL PROTECTED] ;
System::AnsiString::operator+(System::AnsiString &)
_TEXT:00002649 lea edx, [ebp+concatenated]
_TEXT:0000264C lea eax, [ebp+encrypted]
_TEXT:0000264F call @[EMAIL PROTECTED]@[EMAIL PROTECTED] ;
System::AnsiString::operator=(System::AnsiString &)
_TEXT:00002654 dec [ebp+iv2]
_TEXT:00002657 lea eax, [ebp+concatenated]
_TEXT:0000265A mov edx, 2
_TEXT:0000265F call @[EMAIL PROTECTED]@$bdtr$qqrv ;
System::AnsiString::~AnsiString(void)
_TEXT:00002664 dec [ebp+iv2]
_TEXT:00002667 lea eax, [ebp+hex]
_TEXT:0000266A mov edx, 2
_TEXT:0000266F call @[EMAIL PROTECTED]@$bdtr$qqrv ;
System::AnsiString::~AnsiString(void)
_TEXT:00002674 ; #line 509
_TEXT:00002674 lea eax, [ebp+cleartext]
_TEXT:00002677 mov edx, [ebp+i]
_TEXT:0000267A call @[EMAIL PROTECTED]@$bsubs$qqrxi ;
System::AnsiString::operator[](int)
_TEXT:0000267F movsx ecx, byte ptr [eax]
_TEXT:00002682 movzx eax, [ebp+xerox]
_TEXT:00002686 add ecx, eax
_TEXT:00002688 imul edx, ecx, 0CE6Dh
_TEXT:0000268E add dx, 58BFh
_TEXT:00002693 mov [ebp+xerox], dx
_TEXT:00002697 ; #line 505
_TEXT:00002697 inc [ebp+i]
_TEXT:0000269A
_TEXT:0000269A loc_27CA: ; CODE XREF:
Encrypt(System::AnsiString,ushort)+58�j
_TEXT:0000269A lea eax, [ebp+cleartext]
_TEXT:0000269D call @[EMAIL PROTECTED]@Length$xqqrv ;
System::AnsiString::Length(void)
_TEXT:000026A2 cmp eax, [ebp+i]
_TEXT:000026A5 jge loc_272B
_TEXT:000026AB ; #line 511
_TEXT:000026AB mov [ebp+iv3], 2Ch ; ','
_TEXT:000026B1 lea edx, [ebp+encrypted]
_TEXT:000026B4 mov eax, [ebp+iv1]
_TEXT:000026B7 call @[EMAIL PROTECTED]@[EMAIL PROTECTED] ;
System::AnsiString::operator=(System::AnsiString &)
_TEXT:000026BC mov eax, [ebp+iv1]
_TEXT:000026BF mov [ebp+iv3], 38h ; '8'
_TEXT:000026C5 push eax
_TEXT:000026C6 dec [ebp+iv2]
_TEXT:000026C9 lea eax, [ebp+encrypted]
_TEXT:000026CC mov edx, 2
_TEXT:000026D1 call @[EMAIL PROTECTED]@$bdtr$qqrv ;
System::AnsiString::~AnsiString(void)
_TEXT:000026D6 dec [ebp+iv2]
_TEXT:000026D9 lea eax, [ebp+cleartext]
_TEXT:000026DC mov edx, 2
_TEXT:000026E1 call @[EMAIL PROTECTED]@$bdtr$qqrv ;
System::AnsiString::~AnsiString(void)
_TEXT:000026E6 pop eax
_TEXT:000026E7 mov [ebp+iv3], 2Ch ; ','
_TEXT:000026ED inc [ebp+iv2]
_TEXT:000026F0 mov edx, [ebp+iv4]
_TEXT:000026F3 mov large fs:0, edx
_TEXT:000026FA ; #line 512
_TEXT:000026FA mov esp, ebp
_TEXT:000026FC pop ebp
_TEXT:000026FD retn
_TEXT:000026FD @[EMAIL PROTECTED] endp
APPENDIX C - DISASSEMBLED BINARY CODE COMPILED FROM REVERSE ENGINEERED C++ SUB-ROUTINE
======================================================================================
VIRDEF01:00000020 ; ��������������� S U B R O U T I N E
���������������������������������������
VIRDEF01:00000020
VIRDEF01:00000020 ; Attributes: bp-based frame
VIRDEF01:00000020
VIRDEF01:00000020 public Encrypt
VIRDEF01:00000020 Encrypt proc near ; CODE XREF: _main+39�p
VIRDEF01:00000020
VIRDEF01:00000020 i = dword ptr -40h
VIRDEF01:00000020 xerox = word ptr -3Ah
VIRDEF01:00000020 iv4 = dword ptr -38h
VIRDEF01:00000020 iv3 = word ptr -28h
VIRDEF01:00000020 iv2 = dword ptr -1Ch
VIRDEF01:00000020 iv1 = dword ptr -14h
VIRDEF01:00000020 concatenated = dword ptr -10h
VIRDEF01:00000020 hex = dword ptr -0Ch
VIRDEF01:00000020 encrypted = dword ptr -8
VIRDEF01:00000020 cleartext = dword ptr -4
VIRDEF01:00000020
VIRDEF01:00000020 push ebp
VIRDEF01:00000021 mov ebp, esp
VIRDEF01:00000023
VIRDEF01:00000023 init: ; DATA XREF:
VIRDEF06:00000230�o
VIRDEF01:00000023 ; VIRDEF06:00000238�o
VIRDEF01:00000023 add esp, 0FFFFFFC0h
VIRDEF01:00000026 mov [ebp+iv1], ecx
VIRDEF01:00000029 mov [ebp+xerox], dx
VIRDEF01:0000002D mov [ebp+cleartext], eax
VIRDEF01:00000030 mov eax, offset ExceptionBlockInit
VIRDEF01:00000035 call @__InitExceptBlockLDTC
VIRDEF01:00000035
VIRDEF01:0000003A mov [ebp+iv2], 1
VIRDEF01:00000041 lea edx, [ebp+cleartext]
VIRDEF01:00000044 lea eax, [ebp+cleartext]
VIRDEF01:00000047 call
System::AnsiString::AnsiString(System::AnsiString &)
VIRDEF01:00000047
VIRDEF01:0000004C inc [ebp+iv2]
VIRDEF01:0000004F ; #line 5
VIRDEF01:0000004F mov edx, offset unk_344
VIRDEF01:00000054 ; #line 4
VIRDEF01:00000054
VIRDEF01:00000054 loopInit:
VIRDEF01:00000054 mov [ebp+iv3], 8
VIRDEF01:0000005A ; #line 5
VIRDEF01:0000005A mov [ebp+iv3], 14h
VIRDEF01:00000060 lea eax, [ebp+encrypted]
VIRDEF01:00000063 call System::AnsiString::AnsiString(char *)
VIRDEF01:00000063
VIRDEF01:00000068 inc [ebp+iv2]
VIRDEF01:0000006B mov [ebp+iv3], 8
VIRDEF01:00000071 ; #line 7
VIRDEF01:00000071 mov [ebp+i], 1
VIRDEF01:00000078 jmp loopTerminates?
VIRDEF01:00000078
VIRDEF01:0000007D ;
---------------------------------------------------------------------------
VIRDEF01:0000007D ; #line 8
VIRDEF01:0000007D
VIRDEF01:0000007D loopMain: ; CODE XREF: Encrypt+117�j
VIRDEF01:0000007D mov [ebp+iv3], 2Ch ; ','
VIRDEF01:00000083 lea eax, [ebp+hex]
VIRDEF01:00000086 call System::AnsiString::AnsiString(void)
VIRDEF01:00000086
VIRDEF01:0000008B push eax
VIRDEF01:0000008C inc [ebp+iv2]
VIRDEF01:0000008F lea eax, [ebp+cleartext]
VIRDEF01:00000092 mov edx, [ebp+i]
VIRDEF01:00000095 call System::AnsiString::operator[](int)
VIRDEF01:00000095
VIRDEF01:0000009A movsx eax, byte ptr [eax]
VIRDEF01:0000009D movzx edx, [ebp+xerox]
VIRDEF01:000000A1 sar edx, 8
VIRDEF01:000000A4 xor eax, edx
VIRDEF01:000000A6 mov edx, 2
VIRDEF01:000000AB pop ecx
VIRDEF01:000000AC call Sysutils::IntToHex(int,int)
VIRDEF01:000000AC
VIRDEF01:000000B1 mov [ebp+iv3], 20h ; ' '
VIRDEF01:000000B7 ; #line 9
VIRDEF01:000000B7 mov [ebp+iv3], 38h ; '8'
VIRDEF01:000000BD lea eax, [ebp+concatenated]
VIRDEF01:000000C0 call System::AnsiString::AnsiString(void)
VIRDEF01:000000C0
VIRDEF01:000000C5 mov ecx, eax
VIRDEF01:000000C7 inc [ebp+iv2]
VIRDEF01:000000CA lea edx, [ebp+hex]
VIRDEF01:000000CD lea eax, [ebp+encrypted]
VIRDEF01:000000D0 call
System::AnsiString::operator+(System::AnsiString &)
VIRDEF01:000000D0
VIRDEF01:000000D5 lea edx, [ebp+concatenated]
VIRDEF01:000000D8 lea eax, [ebp+encrypted]
VIRDEF01:000000DB call
System::AnsiString::operator=(System::AnsiString &)
VIRDEF01:000000DB
VIRDEF01:000000E0 dec [ebp+iv2]
VIRDEF01:000000E3 lea eax, [ebp+concatenated]
VIRDEF01:000000E6 mov edx, 2
VIRDEF01:000000EB call System::AnsiString::~AnsiString(void)
VIRDEF01:000000EB
VIRDEF01:000000F0 ; #line 10
VIRDEF01:000000F0 lea eax, [ebp+cleartext]
VIRDEF01:000000F3 mov edx, [ebp+i]
VIRDEF01:000000F6 call System::AnsiString::operator[](int)
VIRDEF01:000000F6
VIRDEF01:000000FB movsx ecx, byte ptr [eax]
VIRDEF01:000000FE movzx eax, [ebp+xerox]
VIRDEF01:00000102 add ecx, eax
VIRDEF01:00000104 ; #line 11
VIRDEF01:00000104 lea eax, [ebp+hex]
VIRDEF01:00000107 ; #line 10
VIRDEF01:00000107 imul edx, ecx, 0CE6Dh
VIRDEF01:0000010D add dx, 58BFh
VIRDEF01:00000112 mov [ebp+xerox], dx
VIRDEF01:00000116 ; #line 11
VIRDEF01:00000116 mov edx, 2
VIRDEF01:0000011B dec [ebp+iv2]
VIRDEF01:0000011E call System::AnsiString::~AnsiString(void)
VIRDEF01:0000011E
VIRDEF01:00000123 mov [ebp+iv3], 8
VIRDEF01:00000129 ; #line 7
VIRDEF01:00000129 inc [ebp+i]
VIRDEF01:0000012C
VIRDEF01:0000012C loopTerminates?: ; CODE XREF: Encrypt+58�j
VIRDEF01:0000012C lea eax, [ebp+cleartext]
VIRDEF01:0000012F call System::AnsiString::Length(void)
VIRDEF01:0000012F
VIRDEF01:00000134 cmp eax, [ebp+i]
VIRDEF01:00000137 jge loopMain
VIRDEF01:00000137
VIRDEF01:0000013D ; #line 13
VIRDEF01:0000013D mov [ebp+iv3], 44h ; 'D'
VIRDEF01:00000143 lea edx, [ebp+encrypted]
VIRDEF01:00000146 mov eax, [ebp+iv1]
VIRDEF01:00000149 call
System::AnsiString::operator=(System::AnsiString &)
VIRDEF01:00000149
VIRDEF01:0000014E mov eax, [ebp+iv1]
VIRDEF01:00000151 mov edx, 2
VIRDEF01:00000156 mov [ebp+iv3], 50h ; 'P'
VIRDEF01:0000015C push eax
VIRDEF01:0000015D lea eax, [ebp+encrypted]
VIRDEF01:00000160 dec [ebp+iv2]
VIRDEF01:00000163 call System::AnsiString::~AnsiString(void)
VIRDEF01:00000163
VIRDEF01:00000168 dec [ebp+iv2]
VIRDEF01:0000016B lea eax, [ebp+cleartext]
VIRDEF01:0000016E mov edx, 2
VIRDEF01:00000173 call System::AnsiString::~AnsiString(void)
VIRDEF01:00000173
VIRDEF01:00000178 pop eax
VIRDEF01:00000179 mov [ebp+iv3], 44h ; 'D'
VIRDEF01:0000017F inc [ebp+iv2]
VIRDEF01:00000182 mov edx, [ebp+iv4]
VIRDEF01:00000185 mov large fs:0, edx
VIRDEF01:0000018C ; #line 14
VIRDEF01:0000018C mov esp, ebp
VIRDEF01:0000018E pop ebp
VIRDEF01:0000018F retn
VIRDEF01:0000018F
VIRDEF01:0000018F Encrypt endp
