Раскриптовка данных SQUARE 128 SHA-256

Andr_ · 2 июн 2010

Добрый день всем! Кто подскажет, где достать реализацию алгоритма на С++. Проблема такая: есть DriveCrypt 4.1. с помощью которого был создан криптованный диск. У диска убился раздел и зашифрованная NTFS (63 сектор). Зашифрованная копия NTFS есть, но она не совпадает с оригинальной (проверено опытным путем - созданием такого же диска). Нужно эту копию расшифровать, пароль есть.

PSR1257 · 2 июн 2010

Andr_

Я не уверен что это та же самая прога но как-то давно я выдергивал данные у некоей схожей проги (у меня папка со связанными с тем делом файлами называетсо "DriverCrypt") - также там убилсо какой-то сектор но пасс естественно был а одмин не делал копии.

Я преуспел - нашел там какую-то процедурку и в ней проверка (вызывается сотни раз). Финт был ф том чтобы отвечать "OK" на первые 100 или типа запросов (хотя из-за повреждения ответы шли отрицательные) и потом еще типа того - пока крипт не доберецца до непорченных данных и их вытащили какой-то утилитой чтения диска на низком уровне.

Я счас вижу что я патчил некий "dcr.sys". Вот процедурко - одна из тех что была в моем анализе:

Код (Text):

;

; Sub515C6: called from 520E4 for check passwords?

; return 0 if password fail, 1 overwise (3-th call from 521F1)

; Compare massives 0x200 bytes length

; arg_8, arg_C = ptr's to massives,

; arg_10, arg_14 - additional constants for second compare type

515C6: 55 push ebp

515C7: 8BEC mov ebp,esp

515C9: 83EC10 sub esp,010

515CC: 53 push ebx

515CD: 56 push esi

515CE: 57 push edi

; loc_10= 1;

515CF: C745F001000000 mov d,[ebp][-10],000000001

515D6: 8B4518 mov eax,[ebp][18]

515D9: C780D808000000 mov d,[eax][000008D8],000000000

515E3: C745F400000000 mov d,[ebp][-0C],000000000 ;"

515EA: E903000000 jmp .0000515F2 ----- (1)

; for (loc_C= 0; loc_C<0x200; loc_C++)

; {

515EF: FF45F4 inc d,[ebp][-0C]

515F2: 817DF400020000 cmp d,[ebp][-0C],000000200 ;"

515F9: 0F8D2A000000 jge .000051629 ----- (2)

; edx= (DWORD)arg_C[loc_C];

515FF: 8B45F4 mov eax,[ebp][-0C]

51602: 8B4D0C mov ecx,[ebp][0C]

51605: 33D2 xor edx,edx

51607: 8A1408 mov dl,[eax][ecx]

; ebx= (DWORD)arg_8[loc_C];

5160A: 8B45F4 mov eax,[ebp][-0C]

5160D: 8B4D08 mov ecx,[ebp][08]

51610: 33DB xor ebx,ebx

51612: 8A1C08 mov bl,[eax][ecx]

; if ( arg_C[loc_C] == arg_8[loc_C] ) goto L51624;

51615: 3BD3 cmp edx,ebx

51617: 0F8407000000 je .000051624 ----- (1)

Если это относицца к твоему случаю я могу попробовать дать больше инфы...

Andr_ · 2 июн 2010

Чем больше инфы, тем лучше. Я пробовал копию криптованной NTFS копирнуть в 63 сектор, восстановил руками раздел - диск видится, но пароль не подходит. Я так понял у тебя дамп "dcr.sys"?
Какая версия DC? Я не нашел в файле такой процедуры.

PSR1257 сказал(а):

Andr_

Я не уверен что это та же самая прога но как-то давно я выдергивал данные у некоей схожей проги (у меня папка со связанными с тем делом файлами называетсо "DriverCrypt") - также там убилсо какой-то сектор но пасс естественно был а одмин не делал копии.

Я преуспел - нашел там какую-то процедурку и в ней проверка (вызывается сотни раз). Финт был ф том чтобы отвечать "OK" на первые 100 или типа запросов (хотя из-за повреждения ответы шли отрицательные) и потом еще типа того - пока крипт не доберецца до непорченных данных и их вытащили какой-то утилитой чтения диска на низком уровне.

Я счас вижу что я патчил некий "dcr.sys". Вот процедурко - одна из тех что была в моем анализе:

Код (Text):

;

; Sub515C6: called from 520E4 for check passwords?

; return 0 if password fail, 1 overwise (3-th call from 521F1)

; Compare massives 0x200 bytes length

; arg_8, arg_C = ptr's to massives,

; arg_10, arg_14 - additional constants for second compare type

515C6: 55 push ebp

515C7: 8BEC mov ebp,esp

515C9: 83EC10 sub esp,010

515CC: 53 push ebx

515CD: 56 push esi

515CE: 57 push edi

; loc_10= 1;

515CF: C745F001000000 mov d,[ebp][-10],000000001

515D6: 8B4518 mov eax,[ebp][18]

515D9: C780D808000000 mov d,[eax][000008D8],000000000

515E3: C745F400000000 mov d,[ebp][-0C],000000000 ;"

515EA: E903000000 jmp .0000515F2 ----- (1)

; for (loc_C= 0; loc_C<0x200; loc_C++)

; {

515EF: FF45F4 inc d,[ebp][-0C]

515F2: 817DF400020000 cmp d,[ebp][-0C],000000200 ;"

515F9: 0F8D2A000000 jge .000051629 ----- (2)

; edx= (DWORD)arg_C[loc_C];

515FF: 8B45F4 mov eax,[ebp][-0C]

51602: 8B4D0C mov ecx,[ebp][0C]

51605: 33D2 xor edx,edx

51607: 8A1408 mov dl,[eax][ecx]

; ebx= (DWORD)arg_8[loc_C];

5160A: 8B45F4 mov eax,[ebp][-0C]

5160D: 8B4D08 mov ecx,[ebp][08]

51610: 33DB xor ebx,ebx

51612: 8A1C08 mov bl,[eax][ecx]

; if ( arg_C[loc_C] == arg_8[loc_C] ) goto L51624;

51615: 3BD3 cmp edx,ebx

51617: 0F8407000000 je .000051624 ----- (1)

Если это относицца к твоему случаю я могу попробовать дать больше инфы...
Нажмите, чтобы раскрыть...

PSR1257 · 2 июн 2010

Я пробовал копию криптованной NTFS копирнуть в 63 сектор
Нажмите, чтобы раскрыть...

Не так как я - я пошел по пути фикса проверки (проверок) на начальном этапе когда эта (твоя тоже?) утиль проверяет пасс и дешифрует (?) с проверкой начальные данные (твой "63 сектор"?). Идея в том чтобы скипануть все ошибки на начальном этапе и дать ему возможность дешифрануть собственно основную часть раздела. После этого весь раздел стал виден утилитой восстановления дисков. У нас заказ был очень срочный и выбрал этот путь...

Я так понял у тебя дамп "dcr.sys"?
Нажмите, чтобы раскрыть...

Все что у меня сейчас в архиве - это патчер этого dcr.sys, плюс несколько критичных кусков из IDA среди которых я там что-то патчил. Все это я привожу ниже.

Какая версия DC? Я не нашел в файле такой процедуры.
Нажмите, чтобы раскрыть...

Я не помню, это было несколько лет назад. Ты как искал? Рекомендую искать по паттернам из моих заметок устраняя зависимость на смещения.

Код (Text):

; ***

; dcr.sys correction

; ***

.386

.model flat,stdcall

...

invoke SetFilePointer,LogDescr,0,NULL,FILE_END

; Start patch

;

.data

StartMsg db 'Start process, trying open dcr.sys...',0Dh,0Ah,0

.code

push offset StartMsg

call Write_Log

call Write_EndStr_ToLog

; Open dcr.sys

.data

DCRname db 'dcr.sys',0

.data?

DCRDescr dd ?

.code

invoke CreateFile,offset DCRname,GENERIC_WRITE,FILE_SHARE_WRITE+FILE_SHARE_READ,\

0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0

mov DCRDescr,eax ; Save file descriptor

...

@@DCRFileOpen:

; Set file pointer, write code block

FILE_POSITION equ 0D840h

BLOCK_SIZE equ 1D919h-1D840h

invoke SetFilePointer,DCRDescr,FILE_POSITION,NULL,FILE_BEGIN

jmp @@SkipNewCode

@@NewCode_sub_1D840:

push ebp

mov ebp,esp

sub esp,010h

pushad

mov eax,[ebp][18h]

mov byte ptr [eax][000002CBh],000

mov ecx,200h

mov esi,[ebp][08]

mov edi,[ebp][0Ch]

repe cmpsb

jnz L1D89E

mov dword ptr [ebp][-08],1

jmp L1D913

L1D89E:

mov eax,[ebp][18h]

mov byte ptr [eax][000002CBh],001

mov ecx,200h

mov esi,[ebp][08]

mov edi,[ebp][0Ch]

mov dword ptr [ebp][-08],1

@@CompareSecType:

mov al,[esi]

inc esi

mov dl,[edi]

inc edi

sub al,[ebp][10h]

sub dl,[ebp][14h]

cmp al,dl

je L1D90E

mov dword ptr [ebp][-08],000000000

L1D90E:

loop @@CompareSecType

call L1D8E8

L1D8E8:

pop ebx

inc dword ptr [ebx+(offset L1D919 - offset L1D8E8)]

mov eax,[ebx+(offset L1D919 - offset L1D8E8)]

cmp ax,0277h

jz @@MakeOKAns

cmp ax,0278h

jz @@MakeOKAns

cmp ax,0279h

jz @@MakeOKAns

cmp ax,02E0h

jz @@MakeOKAns

cmp ax,02E1h

jz @@MakeOKAns

cmp ax,02E2h

jnz @@NoMakeOKAns

@@MakeOKAns:

mov dword ptr [ebp][-08],1

@@NoMakeOKAns:

L1D913:

popad

mov eax,dword ptr [ebp][-08]

mov esp,ebp

pop ebp

retn 00014h

L1D919:

dd 0

@@NewCode_sub_1D840_End:

LatsNops db BLOCK_SIZE dup(90h)

@@SkipNewCode:

push NULL

push offset bWrite

push BLOCK_SIZE+4 ; Len

push offset @@NewCode_sub_1D840 ; Addr

push DCRDescr

call WriteFile

invoke CloseHandle,DCRDescr

PSR1257 · 2 июн 2010

И наконец куски dcr.sys. Это даже не IDA а Hiview

Код (Text):

;

; Sub: called from 48F3A for check passwords?

; return 0 if password fail, 1 overwise

;

4877A: 55 push ebp

4877B: 8BEC mov ebp,esp

4877D: 83EC14 sub esp,014 ;""

48780: 53 push ebx

48781: 56 push esi

48782: 57 push edi

48783: A100000000 mov eax,[00000000]

48788: 83E007 and eax,007 ;""

4878B: 8945F4 mov [ebp][-0C],eax

4878E: 8B45F4 mov eax,[ebp][-0C]

48791: 8B048500000000 mov eax,[00000000][eax]*4

48798: 8945EC mov [ebp][-14],eax

4879B: 8B45F4 mov eax,[ebp][-0C]

4879E: 8B048500000000 mov eax,[00000000][eax]*4

487A5: 8945F0 mov [ebp][-10],eax

487A8: 8B45F4 mov eax,[ebp][-0C]

487AB: 8B048500000000 mov eax,[00000000][eax]*4

487B2: 8945F8 mov [ebp][-08],eax

487B5: 8B450C mov eax,[ebp][0C]

487B8: 0554080000 add eax,000000854 ;" T"

487BD: C70000000000 mov d,[eax],000000000 ;"

487C3: C7400400000000 mov d,[eax][04],000000000

487CA: C7400800000000 mov d,[eax][08],000000000

487D1: C7400C00000000 mov d,[eax][0C],000000000

487D8: C7401000000000 mov d,[eax][10],000000000

487DF: 837D1000 cmp d,[ebp][10],000 ;" "

487E3: 0F843A000000 je .000048823 ----- (1)

487E9: 8B4510 mov eax,[ebp][10]

487EC: 50 push eax

487ED: 8B450C mov eax,[ebp][0C]

487F0: 0554080000 add eax,000000854 ;" T"

487F5: 50 push eax

487F6: 8B45EC mov eax,[ebp][-14]

487F9: 50 push eax

487FA: 8B450C mov eax,[ebp][0C]

487FD: 50 push eax

487FE: 8B4508 mov eax,[ebp][08]

48801: 50 push eax

48802: E8EA990000 call .0000521F1 ----- (2)

48807: 83C414 add esp,014 ;""

4880A: 85C0 test eax,eax

4880C: 0F840A000000 je .00004881C ----- (3)

48812: B801000000 mov eax,000000001 ;" "

48817: E99F000000 jmp .0000488BB ----- (4)

4881C: 33C0 xor eax,eax

4881E: E998000000 jmp .0000488BB ----- (5)

48823: C745FC00000000 mov d,[ebp][-04],000000000

4882A: E903000000 jmp .000048832 ----- (1)

4882F: FF45FC inc d,[ebp][-04]

48832: 837DFC08 cmp d,[ebp][-04],008 ;""

48836: 0F8D78000000 jge .0000488B4 ----- (2)

4883C: 8B45F4 mov eax,[ebp][-0C]

4883F: 8B048500000000 mov eax,[00000000][eax]*4

48846: 8945EC mov [ebp][-14],eax

48849: 8B45F4 mov eax,[ebp][-0C]

4884C: 8B048500000000 mov eax,[00000000][eax]*4

48853: 8945F0 mov [ebp][-10],eax

; memcpy(LocBuff, MD5Hash, 20);

; for password "12345678" -> 78,4A,62,BB,9C,88...

; for password "123456789" -> 2C,8F,DE,F0,EC,9E...

48856: 8B7D0C mov edi,[ebp][0C]

48859: 81C754080000 add edi,000000854 ;" T"

4885F: 8B75F0 mov esi,[ebp][-10]

48862: B905000000 mov ecx,000000005 ;" "

48867: F3A5 repe movsd

48869: 8B7D0C mov edi,[ebp][0C]

4886C: 81C7B4080000 add edi,0000008B4 ;" ´"

48872: 8B75F8 mov esi,[ebp][-08]

48875: B908000000 mov ecx,000000008 ;" "

4887A: F3A5 repe movsd

4887C: 6A00 push 000

4887E: 8B45F0 mov eax,[ebp][-10]

48881: 50 push eax

48882: 8B45EC mov eax,[ebp][-14]

48885: 50 push eax

48886: 8B450C mov eax,[ebp][0C]

48889: 50 push eax

4888A: 8B4508 mov eax,[ebp][08]

4888D: 50 push eax

4888E: E85E990000 call .0000521F1 -----

; if eax=1, password ok

48893: 83C414 add esp,014 ;""

48896: 85C0 test eax,eax

48898: 0F840A000000 je .0000488A8 -----

4889E: B801000000 mov eax,000000001 ;"

488A3: E913000000 jmp .0000488BB -----

488A8: FF45F4 inc d,[ebp][-0C]

488AB: 8365F407 and d,[ebp][-0C],007

488AF: E97BFFFFFF jmp .00004882F -----

488B4: 33C0 xor eax,eax

488B6: E900000000 jmp .0000488BB -----

488BB: 5F pop edi

488BC: 5E pop esi

488BD: 5B pop ebx

488BE: C9 leave

488BF: C3 retn

;

; Sub: called from 490D9 for check passwords?

; return 0 if password fail, 1 overwise

;

48F3A: 55 push ebp

48F3B: 8BEC mov ebp,esp

48F3D: 83EC18 sub esp,018 ;""

48F40: 53 push ebx

48F41: 56 push esi

48F42: 57 push edi

48F43: C745F800000000 mov d,[ebp][-08],000000000

48F4A: 8B4508 mov eax,[ebp][08]

48F4D: 33C9 xor ecx,ecx

48F4F: 8A4840 mov cl,[eax][40]

; 0/0

48F52: 85C9 test ecx,ecx

48F54: 0F8547010000 jne .0000490A1 ----- (1)

48F5A: 8B4508 mov eax,[ebp][08]

48F5D: 8B4004 mov eax,[eax][04]

48F60: 83C064 add eax,064 ;"d"

48F63: 668945F0 mov [ebp][-10],ax

48F67: 8B4508 mov eax,[ebp][08]

48F6A: 33C9 xor ecx,ecx

48F6C: 8A4877 mov cl,[eax][77]

48F6F: 8B45F0 mov eax,[ebp][-10]

48F72: 25FFFF0000 and eax,00000FFFF ;" ÿÿ"

48F77: 8D04C8 lea eax,[eax][ecx]*8

48F7A: 83C058 add eax,058 ;"X"

48F7D: 668945FC mov [ebp][-04],ax

48F81: 6A1B push 01B

48F83: 8B45F0 mov eax,[ebp][-10]

48F86: 25FFFF0000 and eax,00000FFFF

48F8B: 50 push eax

48F8C: 8B45FC mov eax,[ebp][-04]

48F8F: 50 push eax

48F90: E88E59FEFF call .00002E923 ---

48F95: 83C40C add esp,00C ;""

48F98: 8945F4 mov [ebp][-0C],eax

48F9B: 8B45F4 mov eax,[ebp][-0C]

48F9E: 83C064 add eax,064 ;"d"

48FA1: 8945EC mov [ebp][-14],eax

48FA4: 8B45F0 mov eax,[ebp][-10]

48FA7: 25FFFF0000 and eax,00000FFFF

48FAC: 8B4DEC mov ecx,[ebp][-14]

48FAF: 894120 mov [ecx][20],eax

48FB2: 8B4508 mov eax,[ebp][08]

48FB5: A304000000 mov [00000004],eax

; call 4877A for check password?

48FBA: 8B4510 mov eax,[ebp][10]

48FBD: 50 push eax

48FBE: 8B450C mov eax,[ebp][0C]

48FC1: 50 push eax

48FC2: 8B45F4 mov eax,[ebp][-0C]

48FC5: 50 push eax

48FC6: E8AFF7FFFF call .00004877A ----- (1)

48FCB: 83C40C add esp,00C ;""

; 0 if password fail, 1 overwise

48FCE: 85C0 test eax,eax

48FD0: 0F8479000000 je .00004904F ----- (2)

48FD6: 8B4510 mov eax,[ebp][10]

48FD9: 50 push eax

48FDA: 8B450C mov eax,[ebp][0C]

48FDD: 50 push eax

48FDE: 8B4508 mov eax,[ebp][08]

48FE1: 50 push eax

48FE2: E8F5EDFFFF call .000047DDC ----- (3)

48FE7: 83C40C add esp,00C ;""

48FEA: 85C0 test eax,eax

48FEC: 0F8533000000 jne .000049025 ----- (4)

48FF2: C745F801000000 mov d,[ebp][-08],000000001

48FF9: 8B450C mov eax,[ebp][0C]

48FFC: 8B802C080000 mov eax,[eax][0000082C]

49002: 50 push eax

49003: E834AC0000 call .000053C3C ----- (5)

49008: 83C404 add esp,004 ;""

4900B: 85C0 test eax,eax

4900D: 0F850D000000 jne .000049020 ----- (1)

49013: 8B450C mov eax,[ebp][0C]

49016: 81883808000000 or d,[eax][00000838],040000000

49020: E925000000 jmp .00004904A ----- (2)

49025: 8B7D0C mov edi,[ebp][0C]

49028: 33C0 xor eax,eax

4902A: B90F030000 mov ecx,00000030F ;" "

4902F: F3AB repe stosd

49031: 66AB stosw

49033: AA stosb

49034: 8B450C mov eax,[ebp][0C]

49037: C74020FFFFFF7F mov d,[eax][20],07FFFFFFF ;"ÿÿ

4903E: C745F8FFFFFFFF mov d,[ebp][-08],0FFFFFFFF ;"ÿÿ

49045: E8FFF6FFFF call .000048749 ----- (3)

4904A: E938000000 jmp .000049087 ----- (4)

4904F: 8B450C mov eax,[ebp][0C]

49052: 8B80A4080000 mov eax,[eax][000008A4]

49058: 8945E8 mov [ebp][-18],eax

4905B: 8B7D0C mov edi,[ebp][0C]

4905E: 33C0 xor eax,eax

49060: B90F030000 mov ecx,00000030F ;" "

49065: F3AB repe stosd

49067: 66AB stosw

49069: AA stosb

4906A: 8B450C mov eax,[ebp][0C]

4906D: C74020FFFFFF7F mov d,[eax][20],07FFFFFFF

49074: 8B45E8 mov eax,[ebp][-18]

49077: 8B4D0C mov ecx,[ebp][0C]

4907A: 8981A4080000 mov [ecx][000008A4],eax

49080: C745F800000000 mov d,[ebp][-08],000000000

49087: 8B45EC mov eax,[ebp][-14]

4908A: 8B4DEC mov ecx,[ebp][-14]

4908D: 2B4120 sub eax,[ecx][20]

49090: 50 push eax

49091: E80059FEFF call .00002E996 ----- (1)

49096: 83C404 add esp,004 ;""

49099: 8B45F8 mov eax,[ebp][-08]

4909C: E900000000 jmp .0000490A1 ----- (2)

490A1: 5F pop edi

490A2: 5E pop esi

490A3: 5B pop ebx

490A4: C9 leave

490A5: C3 retn

;

; Code: check password, etc

;

490D9: 55 push ebp

490DA: 8BEC mov ebp,esp

490DC: 83EC34 sub esp,034

490DF: 53 push ebx

490E0: 56 push esi

490E1: 57 push edi

490E2: C745E800000000 mov d,[ebp][-18],000000000

490E9: C745F000000000 mov d,[ebp][-10],000000000

490F0: C645F881 mov b,[ebp][-08],081

490F4: 8B4508 mov eax,[ebp][08]

490F7: 8B00 mov eax,[eax]

490F9: 8945EC mov [ebp][-14],eax

490FC: E888290000 call .00004BA89 ----- (1)

49101: 8B4508 mov eax,[ebp][08]

49104: 8B4014 mov eax,[eax][14]

49107: A300000000 mov [00000000],eax

4910C: C70500000000FF mov d,[00000000],0FFFFFFFF

49116: C745F400000000 mov d,[ebp][-0C],000000000

4911D: E903000000 jmp .000049125 ----- (2)

49122: FF45F4 inc d,[ebp][-0C]

49125: 837DF408 cmp d,[ebp][-0C],008

49129: 0F8D70000000 jge .00004919F ----- (3)

4912F: 8B45F4 mov eax,[ebp][-0C]

49132: 8B048500000000 mov eax,[00000000][eax]*4

49139: 8945E0 mov [ebp][-20],eax

4913C: 8B4508 mov eax,[ebp][08]

4913F: 8B4DE0 mov ecx,[ebp][-20]

49142: 8B4010 mov eax,[eax][10]

49145: 81C13F0A0000 add ecx,000000A3F ;" ?"

4914B: 8A10 mov dl,[eax]

4914D: 3A11 cmp dl,[ecx]

4914F: 0F8529000000 jne .00004917E ----- (1)

49155: 0AD2 or dl,dl

49157: 0F841A000000 je .000049177 ----- (2)

4915D: 8A5001 mov dl,[eax][01]

49160: 3A5101 cmp dl,[ecx][01]

49163: 0F8515000000 jne .00004917E ----- (3)

49169: 83C002 add eax,002 ;""

4916C: 83C102 add ecx,002 ;""

4916F: 0AD2 or dl,dl

49171: 0F85D4FFFFFF jne .00004914B ----- (4)

49177: 33C0 xor eax,eax

49179: E905000000 jmp .000049183 ----- (5)

4917E: 1BC0 sbb eax,eax

49180: 83D8FF sbb eax,-001 ;""

49183: 85C0 test eax,eax

49185: 0F850F000000 jne .00004919A ----- (1)

4918B: 8B4508 mov eax,[ebp][08]

4918E: C7401C83000000 mov d,[eax][1C],000000083

49195: E9F6030000 jmp .000049590 ----- (2)

4919A: E983FFFFFF jmp .000049122 ----- (3)

4919F: C745FC01000000 mov d,[ebp][-04],000000001

491A6: 8B4508 mov eax,[ebp][08]

491A9: 833800 cmp d,[eax],000 ;" "

491AC: 0F8416000000 je .0000491C8 ----- (4)

491B2: 8B4508 mov eax,[ebp][08]

491B5: 8B00 mov eax,[eax]

491B7: F6402002 test b,[eax][20],002 ;""

491BB: 0F8507000000 jne .0000491C8 ----- (5)

491C1: C745FC00000000 mov d,[ebp][-04],000000000

491C8: 837DFC00 cmp d,[ebp][-04],000 ;" "

491CC: 0F84B7000000 je .000049289 ----- (6)

491D2: 8D45E4 lea eax,[ebp][-1C]

491D5: 50 push eax

491D6: 8D45D0 lea eax,[ebp][-30]

491D9: 50 push eax

491DA: 8B4508 mov eax,[ebp][08]

491DD: 8B4010 mov eax,[eax][10]

491E0: 50 push eax

491E1: 6881000000 push 000000081 ;" _"

491E6: 6A01 push 001

491E8: 6A00 push 000

491EA: 6A12 push 012

491EC: 6A00 push 000

491EE: E822A90000 call .000053B15 ----- (1)

491F3: 83C420 add esp,020 ;" "

491F6: 8945D8 mov [ebp][-28],eax

491F9: 837DD800 cmp d,[ebp][-28],000 ;" "

491FD: 0F846B000000 je .00004926E ----- (2)

49203: C745FC00000000 mov d,[ebp][-04],000000000

4920A: 8D45E4 lea eax,[ebp][-1C]

4920D: 50 push eax

4920E: 8D45D0 lea eax,[ebp][-30]

49211: 50 push eax

49212: 8B4508 mov eax,[ebp][08]

49215: 8B4010 mov eax,[eax][10]

49218: 50 push eax

49219: 6881000000 push 000000081 ;" _"

4921E: 6A01 push 001

49220: 6A00 push 000

49222: 6A30 push 030

49224: 6A00 push 000

49226: E8EAA80000 call .000053B15 -----

4922B: 83C420 add esp,020 ;" "

4922E: 8945D8 mov [ebp][-28],eax

49231: 837DD800 cmp d,[ebp][-28],000

49235: 0F8533000000 jne .00004926E -----

4923B: A100000000 mov eax,[00000000]

49240: 3945D0 cmp [ebp][-30],eax

49243: 0F8225000000 jb .00004926E -----

49249: A100000000 mov eax,[00000000]

4924E: 3945D0 cmp [ebp][-30],eax

49251: 0F8717000000 ja .00004926E -----

49257: 8B45D0 mov eax,[ebp][-30]

4925A: 8945D4 mov [ebp][-2C],eax

4925D: 8B45D4 mov eax,[ebp][-2C]

49260: 0FBF4006 movsx eax,w,[eax][06]

49264: 83C801 or eax,001 ;""

49267: 8B4DD4 mov ecx,[ebp][-2C]

4926A: 66894106 mov [ecx][06],ax

4926E: 837DD800 cmp d,[ebp][-28],000

49272: 0F850C000000 jne .000049284 -----

49278: 8B45D0 mov eax,[ebp][-30]

4927B: 50 push eax

4927C: E825FEFFFF call .0000490A6 -----

49281: 83C404 add esp,004 ;""

49284: E93D000000 jmp .0000492C6 -----

49289: 8D45E4 lea eax,[ebp][-1C]

4928C: 50 push eax

4928D: 8D45D0 lea eax,[ebp][-30]

49290: 50 push eax

49291: 8B4508 mov eax,[ebp][08]

49294: 8B4010 mov eax,[eax][10]

49297: 50 push eax

49298: 6881000000 push 000000081 ;" _

4929D: 6A01 push 001

4929F: 6A00 push 000

492A1: 6A30 push 030

492A3: 6A00 push 000

492A5: E86BA80000 call .000053B15 -----

492AA: 83C420 add esp,020 ;" "

492AD: 8945D8 mov [ebp][-28],eax

492B0: 837DD800 cmp d,[ebp][-28],000

492B4: 0F850C000000 jne .0000492C6 -----

492BA: 8B45D0 mov eax,[ebp][-30]

492BD: 50 push eax

492BE: E8E3FDFFFF call .0000490A6 -----

492C3: 83C404 add esp,004 ;""

492C6: 837DD800 cmp d,[ebp][-28],000 ;" "

492CA: 0F8437000000 je .000049307 ----- (1)

492D0: 8B4508 mov eax,[ebp][08]

492D3: C7401C01000000 mov d,[eax][1C],000000001

492DA: 817DD8C9000000 cmp d,[ebp][-28],0000000C9

492E1: 0F850A000000 jne .0000492F1 ----- (2)

492E7: 8B4508 mov eax,[ebp][08]

492EA: 81481C00000040 or d,[eax][1C],040000000

492F1: BE00000000 mov esi,000000000 ;" "

492F6: BF00000000 mov edi,000000000 ;" "

492FB: B928000000 mov ecx,000000028 ;" ("

49300: F3A5 repe movsd

49302: E989020000 jmp .000049590 ----- (3)

49307: C745F400000000 mov d,[ebp][-0C],000000000

4930E: E903000000 jmp .000049316 ----- (4)

; Cycle for (loc_c=0; loc_c<8; loc_c++)

; {

49313: FF45F4 inc d,[ebp][-0C]

49316: 837DF408 cmp d,[ebp][-0C],008 ;""

4931A: 0F8DF1010000 jge .000049511 ----- (5)

; loc_20= &DataMas[loc_c*4];

49320: 8B45F4 mov eax,[ebp][-0C]

49323: 8B048500000000 mov eax,[00000000][eax]*4

4932A: 8945E0 mov [ebp][-20],eax

; if ((dword)*loc_20+0x14 != 0 ) goto L494FD;

4932D: 8B45E0 mov eax,[ebp][-20]

49330: 83781400 cmp d,[eax][14],000 ;" "

49334: 0F85C3010000 jne .0000494FD ----- (1)

; if ((dword)*loc_20+0x28 != 0 ) goto L494FD;

4933A: 8B45E0 mov eax,[ebp][-20]

4933D: 83782800 cmp d,[eax][28],000 ;" "

49341: 0F85B6010000 jne .0000494FD ----- (2)

; UserStruct[+00h];

49347: 8B4508 mov eax,[ebp][08]

4934A: 8B00 mov eax,[eax]

4934C: 8B4DE0 mov ecx,[ebp][-20]

4934F: 894110 mov [ecx][10],eax

49352: 8B45D0 mov eax,[ebp][-30]

49355: 8B4DE0 mov ecx,[ebp][-20]

49358: 89812C080000 mov [ecx][0000082C],eax

4935E: 8B45E0 mov eax,[ebp][-20]

49361: 0514090000 add eax,000000914 ;" "

49366: 8B4DE0 mov ecx,[ebp][-20]

49369: 894128 mov [ecx][28],eax

4936C: 8B45E0 mov eax,[ebp][-20]

4936F: C7402000000000 mov d,[eax][20],000000000

49376: 8B45E0 mov eax,[ebp][-20]

49379: C74024F0FFFF7F mov d,[eax][24],07FFFFFF0

49380: 8B45E0 mov eax,[ebp][-20]

49383: 8B4028 mov eax,[eax][28]

49386: 8945EC mov [ebp][-14],eax

49389: C745F001000000 mov d,[ebp][-10],000000001

49390: 8B45EC mov eax,[ebp][-14]

49393: C7402002000000 mov d,[eax][20],000000002

4939A: 8B4508 mov eax,[ebp][08]

4939D: 833800 cmp d,[eax],000 ;" "

493A0: 0F8419000000 je .0000493BF ----- (1)

493A6: 8B4508 mov eax,[ebp][08]

493A9: 8B00 mov eax,[eax]

493AB: F6402002 test b,[eax][20],002 ;""

493AF: 0F850A000000 jne .0000493BF ----- (2)

493B5: 8B45EC mov eax,[ebp][-14]

493B8: C7402000000000 mov d,[eax][20],000000000

493BF: 8B4508 mov eax,[ebp][08]

493C2: 8B400C mov eax,[eax][0C]

493C5: 8B4DE0 mov ecx,[ebp][-20]

493C8: 894108 mov [ecx][08],eax

493CB: 8B4508 mov eax,[ebp][08]

; if ( (DWORD *)UserData[0x20] == NULL ) goto L493F6;

; jmp in all cases (0)

493CE: 83782000 cmp d,[eax][20],000 ;" "

493D2: 0F841E000000 je .0000493F6 ----- (3)

; memcpy(LocBuffer, (BYTE PTR *)UserData[0x20], 0x200); (not exec !)

493D8: 8B4508 mov eax,[ebp][08]

493DB: BF00000000 mov edi,000000000 ;" "

493E0: 8B7020 mov esi,[eax][20]

493E3: B900020000 mov ecx,000000200 ;" "

493E8: F3A5 repe movsd

493EA: C745CC00000000 mov d,[ebp][-34],000000000 ;"

493F1: E907000000 jmp .0000493FD ----- (1)

493F6: C745CC00000000 mov d,[ebp][-34],000000000 ;"

; 1 in all cases - jne

493FD: 837DFC00 cmp d,[ebp][-04],000 ;" "

49401: 0F8512000000 jne .000049419 ----- (2)

49407: 8B45E0 mov eax,[ebp][-20]

4940A: C780AC08000001 mov d,[eax][000008AC],000000001

49414: E90D000000 jmp .000049426 ----- (3)

; call 48F3A for checks (password?)

49419: 8B45E0 mov eax,[ebp][-20]

4941C: C780AC08000000 mov d,[eax][000008AC],000000000

49426: 8B45CC mov eax,[ebp][-34]

49429: 50 push eax

4942A: 8B45E0 mov eax,[ebp][-20]

4942D: 50 push eax

4942E: 8B45EC mov eax,[ebp][-14]

49431: 50 push eax

49432: E803FBFFFF call .000048F3A ----- (4)

; eax=0 if password invalid, 1 if ok

49437: 83C40C add esp,00C ;""

4943A: 8945DC mov [ebp][-24],eax

4943D: 837DDC00 cmp d,[ebp][-24],000 ;" "

49441: 0F84B6000000 je .0000494FD ----- (5)

49447: FA cli

; Set global flag in structure: 3 - password? ok

49448: C745F003000000 mov d,[ebp][-10],000000003 ;"

4944F: 8B45F0 mov eax,[ebp][-10]

; UserStruct[+1Ch]=3

49452: 8B4D08 mov ecx,[ebp][08]

49455: 89411C mov [ecx][1C],eax

49458: 837DDC00 cmp d,[ebp][-24],000 ;" "

4945C: 0F8E9B000000 jle .0000494FD ----- (1)

49462: 8B45F4 mov eax,[ebp][-0C]

49465: 8B4D08 mov ecx,[ebp][08]

49468: 894118 mov [ecx][18],eax

4946B: 8B45E0 mov eax,[ebp][-20]

4946E: 8B401C mov eax,[eax][1C]

49471: 8B4D08 mov ecx,[ebp][08]

49474: 894114 mov [ecx][14],eax

49477: 8B45F0 mov eax,[ebp][-10]

4947A: 8B4D08 mov ecx,[ebp][08]

4947D: 89411C mov [ecx][1C],eax

49480: 8B45E0 mov eax,[ebp][-20]

49483: 81883008000000 or d,[eax][00000830],000000100

4948D: 837DCC00 cmp d,[ebp][-34],000 ;" "

49491: 0F840D000000 je .0000494A4 ----- (2)

49497: 8B45E0 mov eax,[ebp][-20]

4949A: 81883008000000 or d,[eax][00000830],000010000

494A4: 8B45E0 mov eax,[ebp][-20]

494A7: C7401402000000 mov d,[eax][14],000000002 ;"

494AE: 8B4508 mov eax,[ebp][08]

494B1: 8B7810 mov edi,[eax][10]

494B4: B9FFFFFFFF mov ecx,0FFFFFFFF

494B9: 2BC0 sub eax,eax

494BB: F2AE repne scasb

494BD: F7D1 not ecx

494BF: 2BF9 sub edi,ecx

494C1: 8BC1 mov eax,ecx

494C3: 8BD7 mov edx,edi

494C5: 8B7DE0 mov edi,[ebp][-20]

494C8: 81C73F0A0000 add edi,000000A3F

494CE: 8BF2 mov esi,edx

494D0: C1E902 shr ecx,002 ;""

494D3: F3A5 repe movsd

494D5: 8BC8 mov ecx,eax

494D7: 83E103 and ecx,003 ;""

494DA: F3A4 repe movsb

494DC: BF00000000 mov edi,000000000

494E1: 33C0 xor eax,eax

494E3: B928000000 mov ecx,000000028

494E8: F3AB repe stosd

494EA: A100000000 mov eax,[00000000]

494EF: 8B4DE0 mov ecx,[ebp][-20]

494F2: 8981A0080000 mov [ecx][000008A0],eax

494F8: E993000000 jmp .000049590 ----- (1)

494FD: 837DF000 cmp d,[ebp][-10],000 ;" "

49501: 0F8405000000 je .00004950C ----- (2)

49507: E905000000 jmp .000049511 ----- (3)

4950C: E902FEFFFF jmp .000049313 ----- (4)

49511: 8B4508 mov eax,[ebp][08]

49514: 83780C00 cmp d,[eax][0C],000 ;" "

49518: 0F8421000000 je .00004953F ----- (5)

4951E: 833D0000000000 cmp d,[00000000],000 ;" "

49525: 0F8514000000 jne .00004953F ----- (6)

4952B: 833D0000000000 cmp d,[00000000],000 ;" "

49532: 0F8407000000 je .00004953F ----- (7)

49538: 8145F000010000 add d,[ebp][-10],000000100

4953F: 8B45F0 mov eax,[ebp][-10]

49542: 8B4D08 mov ecx,[ebp][08]

49545: 89411C mov [ecx][1C],eax

49548: 8B45E0 mov eax,[ebp][-20]

4954B: 8B4014 mov eax,[eax][14]

4954E: 50 push eax

4954F: 8B45D0 mov eax,[ebp][-30]

49552: 50 push eax

49553: E885A60000 call .000053BDD ----- (8)

49558: 83C408 add esp,008 ;""

4955B: BE00000000 mov esi,000000000 ;" "

49560: BF00000000 mov edi,000000000 ;" "

49565: B928000000 mov ecx,000000028 ;" ("

4956A: F3A5 repe movsd

4956C: 8B4508 mov eax,[ebp][08]

4956F: C7402400000000 mov d,[eax][24],000000000

49576: 8B45E0 mov eax,[ebp][-20]

49579: 83B8A408000000 cmp d,[eax][000008A4],000

49580: 0F840A000000 je .000049590 ----- (1)

49586: 8B4508 mov eax,[ebp][08]

49589: C7402401B00000 mov d,[eax][24],00000B001

49590: 5F pop edi

49591: 5E pop esi

49592: 5B pop ebx

49593: C9 leave

49594: C3 retn

;

; Sub515C6: called from 520E4 for check passwords?

; return 0 if password fail, 1 overwise (3-th call from 521F1)

; Compare massives 0x200 bytes length

; arg_8, arg_C = ptr's to massives,

; arg_10, arg_14 - additional constants for second compare type

515C6: 55 push ebp

515C7: 8BEC mov ebp,esp

515C9: 83EC10 sub esp,010

515CC: 53 push ebx

515CD: 56 push esi

515CE: 57 push edi

; loc_10= 1;

515CF: C745F001000000 mov d,[ebp][-10],000000001

515D6: 8B4518 mov eax,[ebp][18]

515D9: C780D808000000 mov d,[eax][000008D8],000000000

515E3: C745F400000000 mov d,[ebp][-0C],000000000 ;"

515EA: E903000000 jmp .0000515F2 ----- (1)

; for (loc_C= 0; loc_C<0x200; loc_C++)

; {

515EF: FF45F4 inc d,[ebp][-0C]

515F2: 817DF400020000 cmp d,[ebp][-0C],000000200 ;"

515F9: 0F8D2A000000 jge .000051629 ----- (2)

; edx= (DWORD)arg_C[loc_C];

515FF: 8B45F4 mov eax,[ebp][-0C]

51602: 8B4D0C mov ecx,[ebp][0C]

51605: 33D2 xor edx,edx

51607: 8A1408 mov dl,[eax][ecx]

; ebx= (DWORD)arg_8[loc_C];

5160A: 8B45F4 mov eax,[ebp][-0C]

5160D: 8B4D08 mov ecx,[ebp][08]

51610: 33DB xor ebx,ebx

51612: 8A1C08 mov bl,[eax][ecx]

; if ( arg_C[loc_C] == arg_8[loc_C] ) goto L51624;

51615: 3BD3 cmp edx,ebx

51617: 0F8407000000 je .000051624 ----- (1)

; loc_10= 0;

5161D: C745F000000000 mov d,[ebp][-10],000000000 ;"

; }

51624: E9C6FFFFFF jmp .0000515EF ; continue

; if ( !loc_10 ) goto L5163B; // massives are not equal

51629: 837DF000 cmp d,[ebp][-10],000

5162D: 0F8408000000 je .00005163B ----- (3)

; return(loc_10); // return(1); - massives ok

51633: 8B45F0 mov eax,[ebp][-10]

51636: E98C000000 jmp .0000516C7 ----- (4)

5163B: 8B4518 mov eax,[ebp][18]

5163E: C780D808000001 mov d,[eax][000008D8],000000001

; loc_10= 1;

51648: C745F001000000 mov d,[ebp][-10],000000001 ;"

; loc_C= 0;

5164F: C745F400000000 mov d,[ebp][-0C],000000000 ;"

51656: E903000000 jmp .00005165E ----- (5)

; for (loc_C= 0; loc_C<0x200; loc_C++)

; {

5165B: FF45F4 inc d,[ebp][-0C]

5165E: 817DF400020000 cmp d,[ebp][-0C],000000200

51665: 0F8D54000000 jge .0000516BF

; al=arg_8[loc_C];

5166B: 8B45F4 mov eax,[ebp][-0C]

5166E: 8B4D08 mov ecx,[ebp][08]

51671: 8A0408 mov al,[eax][ecx]

; loc_4= arg_8[loc_C];

51674: 8845FC mov [ebp][-04],al

; al=arg_C[loc_C];

51677: 8B45F4 mov eax,[ebp][-0C]

5167A: 8B4D0C mov ecx,[ebp][0C]

5167D: 8A0408 mov al,[eax][ecx]

; loc_8= arg_C[loc_C];

51680: 8845F8 mov [ebp][-08],al

; eax= loc_4;

51683: 33C0 xor eax,eax

51685: 8A45FC mov al,[ebp][-04]

; ecx= arg_10;

51688: 33C9 xor ecx,ecx

5168A: 8A4D10 mov cl,[ebp][10]

5168D: 2BC1 sub eax,ecx

; loc_4-= arg_10;

5168F: 8845FC mov [ebp][-04],al

; eax= loc_8;

51692: 33C0 xor eax,eax

51694: 8A45F8 mov al,[ebp][-08]

; ecx= arg_14;

51697: 33C9 xor ecx,ecx

51699: 8A4D14 mov cl,[ebp][14]

5169C: 2BC1 sub eax,ecx

; loc_8-= arg_14;

5169E: 8845F8 mov [ebp][-08],al

; if ( loc_4 == loc_8 ) continue;

516A1: 33C0 xor eax,eax

516A3: 8A45F8 mov al,[ebp][-08]

516A6: 33C9 xor ecx,ecx

516A8: 8A4DFC mov cl,[ebp][-04]

516AB: 3BC1 cmp eax,ecx

516AD: 0F8407000000 je .0000516BA ----- (1)

; loc_10= 0;

516B3: C745F000000000 mov d,[ebp][-10],000000000

516BA: E99CFFFFFF jmp .00005165B ----- (2)

; return(loc_10);

516BF: 8B45F0 mov eax,[ebp][-10]

516C2: E900000000 jmp .0000516C7 ----- (3)

Exit:

516C7: 5F pop edi

516C8: 5E pop esi

516C9: 5B pop ebx

516CA: C9 leave

516CB: C3 retn

;

; Sub: called from 521F1 for check passwords?

; return 0 if password fail, 1 overwise

; arg_10 = ptr to file_data (D6,05,9A,AD,52,1C...)

; arg_C = ptr to next checked data - ?

520E4: 55 push ebp

520E5: 8BEC mov ebp,esp

520E7: 53 push ebx

520E8: 56 push esi

520E9: 57 push edi

; sub51453(arg_8, 0, 1, arg_10, arg_14); // decode arg_10 - *loc_3C - file data

520EA: 8B4514 mov eax,[ebp][14]

520ED: 50 push eax

520EE: 8B4510 mov eax,[ebp][10]

520F1: 50 push eax

520F2: 6A01 push 001

520F4: 6A00 push 000

520F6: 8B4508 mov eax,[ebp][08]

520F9: 50 push eax

520FA: E854F3FFFF call .000051453

520FF: 83C414 add esp,014

; sub51453(arg_8, 0, 1, arg_C, arg_14); // decode arg_C

52102: 8B4514 mov eax,[ebp][14]

52105: 50 push eax

52106: 8B450C mov eax,[ebp][0C]

52109: 50 push eax

5210A: 6A01 push 001

5210C: 6A01 push 001

5210E: 8B4508 mov eax,[ebp][08]

52111: 50 push eax

52112: E83CF3FFFF call .000051453

52117: 83C414 add esp,014

; sub515C6(arg_C, arg_10, 1, 0, arg_14); // compare decode sectors

5211A: 8B4514 mov eax,[ebp][14]

5211D: 50 push eax

5211E: 6A00 push 000

52120: 6A01 push 001

52122: 8B4510 mov eax,[ebp][10]

52125: 50 push eax

52126: 8B450C mov eax,[ebp][0C]

52129: 50 push eax

5212A: E897F4FFFF call .0000515C6

5212F: 83C414 add esp,014

; On a third call we get 1 if password ok, 0 overwise

52132: 85C0 test eax,eax

52134: 0F8419000000 je .000052153 ----

5213A: 837D1800 cmp d,[ebp][18],000

5213E: 0F840A000000 je .00005214E ----

; return(1);

52144: B801000000 mov eax,000000001 ;

52149: E99E000000 jmp .0000521EC

5214E: E911000000 jmp .000052164

52153: 837D1800 cmp d,[ebp][18],000

52157: 0F8507000000 jne .000052164

; return(0);

5215D: 33C0 xor eax,eax

5215F: E988000000 jmp .0000521EC

52164: 8B4514 mov eax,[ebp][14]

52167: 50 push eax

52168: 8B450C mov eax,[ebp][0C]

5216B: 50 push eax

5216C: 6A01 push 001

5216E: 6A02 push 002

52170: 8B4508 mov eax,[ebp][08]

52173: 50 push eax

52174: E8DAF2FFFF call .000051453 --

52179: 83C414 add esp,014 ;""

5217C: 8B4514 mov eax,[ebp][14]

5217F: 50 push eax

52180: 6A00 push 000

52182: 6A02 push 002

52184: 8B4510 mov eax,[ebp][10]

52187: 50 push eax

52188: 8B450C mov eax,[ebp][0C]

5218B: 50 push eax

5218C: E835F4FFFF call .0000515C6

52191: 83C414 add esp,014

52194: 85C0 test eax,eax

52196: 0F840A000000 je .0000521A6

; return(1);

5219C: B801000000 mov eax,000000001

521A1: E946000000 jmp .0000521EC

521A6: 837D1800 cmp d,[ebp][18],000

521AA: 0F8507000000 jne .0000521B7

; return(0)

521B0: 33C0 xor eax,eax

521B2: E935000000 jmp .0000521EC

521B7: 8B4514 mov eax,[ebp][14]

521BA: 50 push eax

521BB: 8B4510 mov eax,[ebp][10]

521BE: 50 push eax

521BF: 6A01 push 001

521C1: 6A01 push 001

521C3: 8B4508 mov eax,[ebp][08]

521C6: 50 push eax

521C7: E887F2FFFF call .000051453

521CC: 83C414 add esp,014

521CF: 8B4514 mov eax,[ebp][14]

521D2: 50 push eax

521D3: 6A01 push 001

521D5: 6A02 push 002

521D7: 8B4510 mov eax,[ebp][10]

521DA: 50 push eax

521DB: 8B450C mov eax,[ebp][0C]

521DE: 50 push eax

521DF: E8E2F3FFFF call .0000515C6

521E4: 83C414 add esp,014

521E7: E900000000 jmp .0000521EC

Exit:

521EC: 5F pop edi

521ED: 5E pop esi

521EE: 5B pop ebx

521EF: C9 leave

521F0: C3 retn

;

; Sub: called from 4877A for check passwords?

; return 0 if password fail, 1 overwise

; arg_14 equ [ebp+14h] ; MD5 hash from password

;

521F1: 55 push ebp

521F2: 8BEC mov ebp,esp

521F4: 83EC44 sub esp,044 ;"D"

521F7: 53 push ebx

521F8: 56 push esi

521F9: 57 push edi

521FA: BE00000000 mov esi,000000000 ;" "

521FF: 8D7DD4 lea edi,[ebp][-2C]

52202: B908000000 mov ecx,000000008 ;" "

52207: F3A5 repe movsd

52209: A4 movsb

5220A: 8D45F5 lea eax,[ebp][-0B]

5220D: 66C7000000 mov w,[eax],00000 ;" "

52212: C6400200 mov b,[eax][02],000 ;" "

52216: A100000000 mov eax,[00000000]

5221B: 8945C4 mov [ebp][-3C],eax

5221E: C745D000000000 mov d,[ebp][-30],000000000

52225: 8B4508 mov eax,[ebp][08]

52228: 8B8080000000 mov eax,[eax][00000080]

5222E: 8945F8 mov [ebp][-08],eax

52231: A100000000 mov eax,[00000000]

52236: 83C00B add eax,00B ;""

52239: 8945C8 mov [ebp][-38],eax

5223C: 8B45C8 mov eax,[ebp][-38]

5223F: 8945FC mov [ebp][-04],eax

52242: 8B450C mov eax,[ebp][0C]

52245: 83781400 cmp d,[eax][14],000

52249: 0F840A000000 je .000052259 -----

5224F: B801000000 mov eax,000000001 ;"

52254: E9F8040000 jmp .000052751 -----

52259: 837D1800 cmp d,[ebp][18],000

5225D: 0F8403000000 je .000052266 -----

52263: FF4518 inc d,[ebp][18]

52266: 833D0000000000 cmp d,[00000000],000

5226D: 0F84D7040000 je .00005274A -----

52273: 6A00 push 000

52275: 8B450C mov eax,[ebp][0C]

52278: 50 push eax

52279: 8B45C4 mov eax,[ebp][-3C]

5227C: 50 push eax

5227D: 6A04 push 004

5227F: 8B450C mov eax,[ebp][0C]

52282: 8B4020 mov eax,[eax][20]

52285: 50 push eax

52286: 8B4508 mov eax,[ebp][08]

52289: 50 push eax

5228A: E85885FFFF call .00004A7E7 ----- (1)

5228F: 83C418 add esp,018 ;""

52292: 8B450C mov eax,[ebp][0C]

52295: C780A408000000 mov d,[eax][000008A4],000000000

5229F: 8B450C mov eax,[ebp][0C]

522A2: 50 push eax

522A3: 8B450C mov eax,[ebp][0C]

522A6: 05A4080000 add eax,0000008A4 ;" ¤"

522AB: 50 push eax

522AC: 8B450C mov eax,[ebp][0C]

522AF: 05A8080000 add eax,0000008A8 ;" ¨"

522B4: 50 push eax

522B5: 6800000000 push 000000000 ;" "

522BA: 8D45C0 lea eax,[ebp][-40]

522BD: 50 push eax

522BE: 8B45C4 mov eax,[ebp][-3C]

522C1: 50 push eax

522C2: E807E6FCFF call .0000208CE ----- (2)

522C7: 83C418 add esp,018 ;""

522CA: 8945CC mov [ebp][-34],eax

522CD: 817DCC01B00000 cmp d,[ebp][-34],00000B001 ;"

522D4: 0F8507000000 jne .0000522E1 ----- (3)

522DA: 33C0 xor eax,eax

522DC: E970040000 jmp .000052751 ----- (1)

522E1: 837DCC00 cmp d,[ebp][-34],000 ;" "

522E5: 0F8538000000 jne .000052323 ----- (2)

522EB: 8B450C mov eax,[ebp][0C]

522EE: 83A038080000FD and d,[eax][00000838],0FD

522F5: 8B450C mov eax,[ebp][0C]

522F8: C7401402000000 mov d,[eax][14],000000002

522FF: 8B450C mov eax,[ebp][0C]

52302: 83B8AC08000000 cmp d,[eax][000008AC],000

52309: 0F840A000000 je .000052319 ----- (3)

5230F: 8B450C mov eax,[ebp][0C]

52312: 83883808000002 or d,[eax][00000838],002

52319: B801000000 mov eax,000000001 ;" "

5231E: E92E040000 jmp .000052751 ----- (4)

52323: 833D0000000000 cmp d,[00000000],000 ;" "

5232A: 0F8422000000 je .000052352 ----- (5)

52330: 6A00 push 000

52332: 8B450C mov eax,[ebp][0C]

52335: 50 push eax

52336: 8B45C4 mov eax,[ebp][-3C]

52339: 50 push eax

5233A: 6A04 push 004

5233C: 8B450C mov eax,[ebp][0C]

5233F: 8B4020 mov eax,[eax][20]

52342: 83C00C add eax,00C ;""

52345: 50 push eax

52346: 8B4508 mov eax,[ebp][08]

52349: 50 push eax

5234A: E89884FFFF call .00004A7E7 ----- (1)

5234F: 83C418 add esp,018 ;""

52352: 837D1800 cmp d,[ebp][18],000 ;" "

52356: 0F848C000000 je .0000523E8 ----- (2)

5235C: 8B7DC4 mov edi,[ebp][-3C]

5235F: 8B7518 mov esi,[ebp][18]

52362: B9C0010000 mov ecx,0000001C0 ;" À"

52367: F3A5 repe movsd

52369: C745CC00000000 mov d,[ebp][-34],000000000 ;"

52370: E903000000 jmp .000052378 ----- (3)

; for (loc_34= 0; loc_34<0x100; loc_34++)

; {

52375: FF45CC inc d,[ebp][-34]

52378: 817DCC00010000 cmp d,[ebp][-34],000000100 ;"

5237F: 0F8D63000000 jge .0000523E8 ----- (4)

; eax=(DWORD)loc_3C[loc_34+0x400];

52385: 8B45CC mov eax,[ebp][-34]

52388: 8B4DC4 mov ecx,[ebp][-3C]

5238B: 0FBE8408000400 movsx eax,b,[eax][ecx][00000400]

; al^=loc_3C[loc_34+0x700];

52393: 8B4DCC mov ecx,[ebp][-34]

52396: 8B55C4 mov edx,[ebp][-3C]

52399: 32841100070000 xor al,[ecx][edx][00000700]

; loc_3C[loc_34+0x400]^= loc_3C[loc_34+0x700];

523A0: 8B4DCC mov ecx,[ebp][-34]

523A3: 8B55C4 mov edx,[ebp][-3C]

523A6: 88841100040000 mov [ecx][edx][00000400],al

; eax=0x7FF-loc_34;

523AD: B8FF070000 mov eax,0000007FF ;" ÿ"

523B2: 2B45CC sub eax,[ebp][-34]

523B5: 8B4DC4 mov ecx,[ebp][-3C]

; eax=(DWORD)loc_3C[0x7FF-loc_34];

523B8: 0FBE0408 movsx eax,b,[eax][ecx]

523BC: 8B4DCC mov ecx,[ebp][-34]

523BF: 8B55C4 mov edx,[ebp][-3C]

; loc_3C[loc_34]^= loc_3C[0x7FF-loc_34];

523C2: 320411 xor al,[ecx][edx]

523C5: 8B4DCC mov ecx,[ebp][-34]

523C8: 8B55C4 mov edx,[ebp][-3C]

523CB: 880411 mov [ecx][edx],al

; memset(loc_3C[0x700], 'U', 0x40*4);

523CE: 8B7DC4 mov edi,[ebp][-3C]

523D1: 81C700070000 add edi,000000700 ;" "

523D7: B855555555 mov eax,055555555 ;"UUUU"

523DC: B940000000 mov ecx,000000040 ;" @"

523E1: F3AB repe stosd

523E3: E98DFFFFFF jmp .000052375

; End of cycle 52375

523E8: C745BC00000000 mov d,[ebp][-44],000000000

523EF: E903000000 jmp .0000523F7 ----- (2)

; // Cycle

; for (loc_44= 0; loc_44<0x18; loc_44++)

; {

523F4: FF45BC inc d,[ebp][-44]

523F7: 837DBC18 cmp d,[ebp][-44],018

523FB: 0F8D49030000 jge .00005274A

; loc_3C= FileDataPtr;

52401: A100000000 mov eax,[00000000]

52406: 8945C4 mov [ebp][-3C],eax

; *arg_C= loc_44>>1;

52409: 8B45BC mov eax,[ebp][-44]

5240C: 99 cdq

5240D: 2BC2 sub eax,edx

5240F: C1F801 sar eax,001 ;""

52412: 8B4D0C mov ecx,[ebp][0C]

52415: 8901 mov [ecx],eax

; memcpy(arg_C+2C, loc_3C, 0x200);

; loc_3C-> ptr to-> 05,DC,99,A1,3A,A8,32,A2... - file data (from 0 pos)

52417: 8B7D0C mov edi,[ebp][0C]

5241A: 83C72C add edi,02C ;","

5241D: 8B75C4 mov esi,[ebp][-3C]

52420: B900020000 mov ecx,000000200 ;" "

52425: F3A5 repe movsd

; loc_3C= (arg_C+0x2C);

52427: 8B450C mov eax,[ebp][0C]

5242A: 83C02C add eax,02C ;","

5242D: 8945C4 mov [ebp][-3C],eax

; (DWORD *)(arg_C+0x8DC)= 0;

52430: 8B450C mov eax,[ebp][0C]

52433: C780DC08000000 mov d,[eax][000008DC],000000000

; arg_18 is 0

5243D: 837D1800 cmp d,[ebp][18],000 ;" "

52441: 0F85FC010000 jne .000052643 ----- (2)

; if ( loc_44 ) goto 524A0;

52447: 837DBC00 cmp d,[ebp][-44],000 ;" "

5244B: 0F854F000000 jne .0000524A0 ----- (1)

; loc_44= 1;

52451: C745BC01000000 mov d,[ebp][-44],000000001

; memcpy(loc_30, arg_10, 0x28);

52458: 8B7DD0 mov edi,[ebp][-30]

5245B: 8B7510 mov esi,[ebp][10]

5245E: B928000000 mov ecx,000000028 ;" ("

52463: F3A5 repe movsd

; sub51530(loc_30); // read/prepare decrypt data ?

52465: 8B45D0 mov eax,[ebp][-30]

52468: 50 push eax

52469: E8C2F0FFFF call .000051530 ----- (2)

5246E: 83C404 add esp,004 ;""

52471: B420 mov ah,020 ;" "

; esi= loc_3C; // ptr to file data

52473: 8B75C4 mov esi,[ebp][-3C]

52476: 8B5DD0 mov ebx,[ebp][-30]

52479: B900080000 mov ecx,000000800 ;" "

5247E: 33D2 xor edx,edx

; // Decode file data ? By 0x20-buffer from loc_30

; for (ecx= 0x800; ecx>0; ecx--)

; {

; *esi++^= *ebx[edx++];

52480: 8A06 mov al,[esi]

52482: 32041A xor al,[edx][ebx]

52485: 8806 mov [esi],al

52487: 46 inc esi

52488: FEC2 inc dl

; if ( edx >= 0x20 ) edx= 0;

5248A: 3AD4 cmp dl,ah

5248C: 0F8C02000000 jl .000052494 ----- (3)

52492: 32D2 xor dl,dl

; }

52494: 49 dec ecx

52495: 0F85E5FFFFFF jne .000052480 ----- (1)

5249B: E99E010000 jmp .00005263E ----- (2)

; if ( loc_44&0x01 ) goto L52539;

524A0: F645BC01 test b,[ebp][-44],001 ;""

524A4: 0F858F000000 jne .000052539 ----- (3)

; On sec pass copy MD5hash to loc_2C from arg_14

524AA: 8D7DD4 lea edi,[ebp][-2C]

524AD: 8B7514 mov esi,[ebp][14]

524B0: B905000000 mov ecx,000000005 ;" "

524B5: F3A5 repe movsd

524B7: 8B450C mov eax,[ebp][0C]

524BA: 83380A cmp d,[eax],00A ;""

524BD: 0F8523000000 jne .0000524E6 ----- (4)

524C3: 8B450C mov eax,[ebp][0C]

524C6: C70001000000 mov d,[eax],000000001 ;" "

524CC: 8B450C mov eax,[ebp][0C]

524CF: C780DC08000001 mov d,[eax][000008DC],000000001

524D9: 8D7DD7 lea edi,[ebp][-29]

524DC: 33C0 xor eax,eax

524DE: B907000000 mov ecx,000000007 ;" "

524E3: F3AB repe stosd

524E5: AA stosb

524E6: 8B450C mov eax,[ebp][0C]

524E9: 83380B cmp d,[eax],00B ;""

524EC: 0F8523000000 jne .000052515 ----- (1)

524F2: 8B450C mov eax,[ebp][0C]

524F5: C70009000000 mov d,[eax],000000009 ;" "

524FB: 8B450C mov eax,[ebp][0C]

524FE: C780DC08000001 mov d,[eax][000008DC],000000001

52508: 8D7DD7 lea edi,[ebp][-29]

5250B: 33C0 xor eax,eax

5250D: B907000000 mov ecx,000000007 ;" "

52512: F3AB repe stosd

52514: AA stosb

52515: 8B450C mov eax,[ebp][0C]

52518: 50 push eax

52519: 6A14 push 014

5251B: 8D45D4 lea eax,[ebp][-2C]

5251E: 50 push eax

5251F: E84DEBFFFF call .000051071 ----- (2)

52524: 83C40C add esp,00C ;""

52527: 8B450C mov eax,[ebp][0C]

5252A: C780D408000000 mov d,[eax][000008D4],000000000

52534: E990000000 jmp .0000525C9 ----- (3)

52539: 8B750C mov esi,[ebp][0C]

5253C: 8D7DD4 lea edi,[ebp][-2C]

5253F: 81C6B4080000 add esi,0000008B4 ;" ´"

52545: B908000000 mov ecx,000000008 ;" "

5254A: F3A5 repe movsd

5254C: 8B450C mov eax,[ebp][0C]

5254F: 83380A cmp d,[eax],00A ;""

52552: 0F8523000000 jne .00005257B ----- (1)

52558: 8B450C mov eax,[ebp][0C]

5255B: C70001000000 mov d,[eax],000000001 ;" "

52561: 8B450C mov eax,[ebp][0C]

52564: C780DC08000001 mov d,[eax][000008DC],000000001

5256E: 8D7DD7 lea edi,[ebp][-29]

52571: 33C0 xor eax,eax

52573: B907000000 mov ecx,000000007 ;" "

52578: F3AB repe stosd

5257A: AA stosb

5257B: 8B450C mov eax,[ebp][0C]

5257E: 83380B cmp d,[eax],00B ;""

52581: 0F8523000000 jne .0000525AA ----- (2)

52587: 8B450C mov eax,[ebp][0C]

5258A: C70009000000 mov d,[eax],000000009 ;" "

52590: 8B450C mov eax,[ebp][0C]

52593: C780DC08000001 mov d,[eax][000008DC],000000001

5259D: 8D7DD7 lea edi,[ebp][-29]

525A0: 33C0 xor eax,eax

525A2: B907000000 mov ecx,000000007 ;" "

525A7: F3AB repe stosd

525A9: AA stosb

525AA: 8B450C mov eax,[ebp][0C]

525AD: 50 push eax

525AE: 6A20 push 020

525B0: 8D45D4 lea eax,[ebp][-2C]

525B3: 50 push eax

525B4: E8B8EAFFFF call .000051071 ----- (1)

525B9: 83C40C add esp,00C ;""

525BC: 8B450C mov eax,[ebp][0C]

525BF: C780D408000001 mov d,[eax][000008D4],000000001

525C9: 6A01 push 001

525CB: 8B450C mov eax,[ebp][0C]

525CE: 50 push eax

525CF: 8B45C4 mov eax,[ebp][-3C]

525D2: 50 push eax

525D3: E809F9FFFF call .000051EE1 ----- (2)

525D8: 83C40C add esp,00C ;""

525DB: 833D0000000000 cmp d,[00000000],000 ;" "

525E2: 0F8431000000 je .000052619 ----- (3)

525E8: 833D0000000000 cmp d,[00000000],000 ;" "

525EF: 0F8524000000 jne .000052619 ----- (4)

525F5: 6A01 push 001

525F7: 8B450C mov eax,[ebp][0C]

525FA: 50 push eax

525FB: 8B45C4 mov eax,[ebp][-3C]

525FE: 50 push eax

525FF: E8DDF8FFFF call .000051EE1 ---

52604: 83C40C add esp,00C ;""

52607: 6A01 push 001

52609: 8B450C mov eax,[ebp][0C]

5260C: 50 push eax

5260D: 8B45C4 mov eax,[ebp][-3C]

52610: 50 push eax

52611: E8CBF8FFFF call .000051EE1 ---

52616: 83C40C add esp,00C ;""

52619: 8B750C mov esi,[ebp][0C]

5261C: 8D7DD4 lea edi,[ebp][-2C]

5261F: 81C62C040000 add esi,00000042C

52625: B908000000 mov ecx,000000008

5262A: F3A5 repe movsd

5262C: 8B450C mov eax,[ebp][0C]

5262F: 50 push eax

52630: 6A20 push 020

52632: 8D45D4 lea eax,[ebp][-2C]

52635: 50 push eax

52636: E836EAFFFF call .000051071 ----- (1)

5263B: 83C40C add esp,00C ;""

5263E: E92F000000 jmp .000052672 ----- (2)

52643: 837DBC00 cmp d,[ebp][-44],000 ;" "

52647: 0F8425000000 je .000052672 ----- (3)

5264D: 8B750C mov esi,[ebp][0C]

52650: 8D7DD4 lea edi,[ebp][-2C]

52653: 81C62C040000 add esi,00000042C ;" ,"

52659: B908000000 mov ecx,000000008 ;" "

5265E: F3A5 repe movsd

52660: 8B450C mov eax,[ebp][0C]

52663: 50 push eax

52664: 6A20 push 020

52666: 8D45D4 lea eax,[ebp][-2C]

52669: 50 push eax

5266A: E802EAFFFF call .000051071 ----- (4)

5266F: 83C40C add esp,00C ;""

52672: 8B4508 mov eax,[ebp][08]

52675: 66C7406A0000 mov w,[eax][6A],00000 ;"

; loc_3C+= 0x600; // increment tmp file data ptr to next file block ?

5267B: 8145C400060000 add d,[ebp][-3C],000000600

; if ( sub520E4(arg_C,loc_3C,,arg_8) )

52682: A100000000 mov eax,[00000000]

52687: 50 push eax

52688: 8B450C mov eax,[ebp][0C]

5268B: 50 push eax

5268C: 8B45C4 mov eax,[ebp][-3C]

5268F: 50 push eax

52690: A100000000 mov eax,[00000000]

52695: 50 push eax

52696: 8B4508 mov eax,[ebp][08]

52699: 50 push eax

5269A: E845FAFFFF call .0000520E4

; On 3-th pass we receive 1 as sign - password ok !

5269F: 83C414 add esp,014

526A2: 85C0 test eax,eax

526A4: 0F849B000000 je .000052745 ---

; Finally calculation

526AA: 6A00 push 000

526AC: 8B450C mov eax,[ebp][0C]

526AF: 50 push eax

526B0: A100000000 mov eax,[00000000]

526B5: 50 push eax

526B6: 6A04 push 004

526B8: 8B450C mov eax,[ebp][0C]

526BB: 8B4020 mov eax,[eax][20]

526BE: 50 push eax

526BF: 8B4508 mov eax,[ebp][08]

526C2: 50 push eax

526C3: E81F81FFFF call .00004A7E7 ----- (1)

526C8: 83C418 add esp,018 ;""

526CB: 8B4514 mov eax,[ebp][14]

526CE: 50 push eax

526CF: A100000000 mov eax,[00000000]

526D4: 50 push eax

526D5: 8B450C mov eax,[ebp][0C]

526D8: 50 push eax

526D9: A100000000 mov eax,[00000000]

526DE: 50 push eax

526DF: 8B4508 mov eax,[ebp][08]

526E2: 50 push eax

526E3: E8AAF2FFFF call .000051992 ----- (2)

526E8: 83C414 add esp,014 ;""

526EB: 8B450C mov eax,[ebp][0C]

526EE: C7401401000000 mov d,[eax][14],000000001

526F5: 8B450C mov eax,[ebp][0C]

526F8: 50 push eax

526F9: A100000000 mov eax,[00000000]

526FE: 50 push eax

526FF: 6A01 push 001

52701: 6A04 push 004

52703: 8B4508 mov eax,[ebp][08]

52706: 50 push eax

52707: E847EDFFFF call .000051453 ---

5270C: 83C414 add esp,014 ;""

5270F: 8B450C mov eax,[ebp][0C]

52712: 50 push eax

52713: 8B45FC mov eax,[ebp][-04]

52716: 50 push eax

52717: E8F2EFFFFF call .00005170E ---

5271C: 83C408 add esp,008 ;""

; memcpy(arg_C+0x72C, , 0x40*4); // 256 bytes

5271F: 8B3500000000 mov esi,[00000000]

52725: 8B7D0C mov edi,[ebp][0C]

52728: 81C72C070000 add edi,00000072C

5272E: 81C600070000 add esi,000000700

52734: B940000000 mov ecx,000000040

52739: F3A5 repe movsd

; All ok, return 1

5273B: B801000000 mov eax,000000001

52740: E90C000000 jmp .000052751

52745: E9AAFCFFFF jmp .0000523F4

; Password fail, return 0

5274A: 33C0 xor eax,eax

5274C: E900000000 jmp .000052751 ---

Exit:

52751: 5F pop edi

52752: 5E pop esi

52753: 5B pop ebx

52754: C9 leave

52755: C3 retn

PSR1257 · 2 июн 2010

(Немного have fumbled in my srcs) Наверное примерно так - нужно найти в твой версии dcr.sys обработчег вот этих ошибок (который я запатчил):

Код (Text):

cmp ax,0277h

jz @@MakeOKAns

cmp ax,0278h

jz @@MakeOKAns

Удачи

Войти или зарегистрироваться

Раскриптовка данных SQUARE 128 SHA-256

Andr_ New Member

PSR1257 New Member

Andr_ New Member

PSR1257 New Member

PSR1257 New Member

PSR1257 New Member

Войти или зарегистрироваться

Раскриптовка данных SQUARE 128 SHA-256

Andr_ New Member

PSR1257 New Member

Andr_ New Member

PSR1257 New Member

PSR1257 New Member

PSR1257 New Member

Быстрый поиск