==================================================================== Locating 78 DA sequence area ==================================================================== This section is for readers who wish to understand how the sequence 78 DA 63 etc... is generated. The 78 DA 63 etc... sequence is used during extraction and plays an important role. ******************************************************************** SEQUENCE OF AN OK PASSWORD AND OK EXTRACTION THIS WAS TESTED ON FILE "a" PASS "1" CONTENT "a" FILE "b" PASS "1" CONTENT "b" ******************************************************************** --> 78 (FIXED) 004030E6 |. 0FB60408 MOVZX EAX,BYTE PTR DS:[EAX+ECX] ; Stack DS:[00BBF6EC]=78 ('x') EAX=00BBF6EC REG SAME 00401580 |. 888435 C0FBFFF>||MOV BYTE PTR SS:[EBP+ESI-440],AL ; AL=78 ('x') Stack SS:[00BBF26C]=58 ('X') --> DA (FIXED) 004030E6 |. 0FB60408 MOVZX EAX,BYTE PTR DS:[EAX+ECX] ; Stack DS:[00BBF6ED]=DA EAX=00BBF6EC 00401580 |. 888435 C0FBFFF>||MOV BYTE PTR SS:[EBP+ESI-440],AL ; AL=DA Stack SS:[00BBF26D]=F3 --> 63 (FIXED) 004030E6 |. 0FB60408 MOVZX EAX,BYTE PTR DS:[EAX+ECX] ; Stack DS:[00BBF6EE]=63 ('c') EAX=00BBF6EC 00401580 |. 888435 C0FBFFF>||MOV BYTE PTR SS:[EBP+ESI-440],AL ; AL=63 ('c') Stack SS:[00BBF26E]=BB --> 64 (FIXED) 004030E6 |. 0FB60408 MOVZX EAX,BYTE PTR DS:[EAX+ECX] ; Stack DS:[00BBF6EF]=64 ('d') EAX=00BBF6EC 00401580 |. 888435 C0FBFFF>||MOV BYTE PTR SS:[EBP+ESI-440],AL ; AL=64 ('d') Stack SS:[00BBF26F]=00 --> 80 (FIXED) 004030E6 |. 0FB60408 MOVZX EAX,BYTE PTR DS:[EAX+ECX] ; Stack DS:[00BBF6F0]=80 EAX=00BBF6EC 00401580 |. 888435 C0FBFFF>||MOV BYTE PTR SS:[EBP+ESI-440],AL ; AL=80 Stack SS:[00BBF270]=00 --> 80 (FIXED) 004030E6 |. 0FB60408 MOVZX EAX,BYTE PTR DS:[EAX+ECX] ; Stack DS:[00BBF6F1]=80 EAX=00BBF6EC 00401580 |. 888435 C0FBFFF>||MOV BYTE PTR SS:[EBP+ESI-440],AL ; AL=80 Stack SS:[00BBF271]=00 ******************************************************************** FROM THIS POINT ON, THE VALUES ARE NOT THE SAME EVERY TIME. 
******************************************************************** --> 44 004030E6 |. 0FB60408 MOVZX EAX,BYTE PTR DS:[EAX+ECX] ; Stack DS:[00BBF6F2]=44(24) ('D') EAX=00BBF6EC 00401580 |. 888435 C0FBFFF>||MOV BYTE PTR SS:[EBP+ESI-440],AL ; AL=44 ('D') Stack SS:[00BBF272]=00 --> 86 (FIXED) 004030E6 |. 0FB60408 MOVZX EAX,BYTE PTR DS:[EAX+ECX] ; Stack DS:[00BBF6F3]=86(86) EAX=00BBF6EC 00401580 |. 888435 C0FBFFF>||MOV BYTE PTR SS:[EBP+ESI-440],AL ; AL=86 Stack SS:[00BBF273]=00 --> C4 004030E6 |. 0FB60408 MOVZX EAX,BYTE PTR DS:[EAX+ECX] ; Stack DS:[00BBF6F4]=C4(A4) EAX=00BBF6EC 00401580 |. 888435 C0FBFFF>||MOV BYTE PTR SS:[EBP+ESI-440],AL ; AL=C4 Stack SS:[00BBF274]=58 ('X') --> FF (FIXED) 004030E6 |. 0FB60408 MOVZX EAX,BYTE PTR DS:[EAX+ECX] ; Stack DS:[00BBF6F5]=FF EAX=00BBF6EC 00401580 |. 888435 C0FBFFF>||MOV BYTE PTR SS:[EBP+ESI-440],AL ; AL=FF Stack SS:[00BBF275]=F3 --> 00 (FIXED) 004030E6 |. 0FB60408 MOVZX EAX,BYTE PTR DS:[EAX+ECX] ; Stack DS:[00BBF6F6]=00 EAX=00BBF6EC --> 03 (FIXED) 004030E6 |. 0FB60408 MOVZX EAX,BYTE PTR DS:[EAX+ECX] ; Stack DS:[00BBF6F7]=03 EAX=00BBF6EC --> 5D 004030E6 |. 0FB60408 MOVZX EAX,BYTE PTR DS:[EAX+ECX] ; Stack DS:[00BBF6F8]=5D (']') EAX=00BBF6EC --> 01 (FIXED) 004030E6 |. 0FB60408 MOVZX EAX,BYTE PTR DS:[EAX+ECX] ; Stack DS:[00BBF6F9]=01 EAX=00BBF6EC --> C3 004030E6 |. 0FB60408 MOVZX EAX,BYTE PTR DS:[EAX+ECX] ; Stack DS:[00BBF6FA]=C3 EAX=00BBF6EC --> FF (FIXED) 004030E6 |. 0FB60408 MOVZX EAX,BYTE PTR DS:[EAX+ECX] ; AL=FF Stack SS:[00BBF27B]=7C ('|') ==================================================================== ******************************************************************** LOCATING 78 DA SEQUENCE AREA ******************************************************************** The 78 DA 63 etc. sequence gets generated when the function at 004056D7 is called. We need to SET a BREAKPOINT on 004056D7 and 004030B6; then we JUMP INTO 00405746 and again JUMP INTO another call. 
Important functions: 004023DA, 004056D7 *** JUMP INTO *** >004030B6 |. E8 8B260000 CALL a_sda.00405746 ; \ESP=00BBF200 *** JUMP INTO HERE 00BBF85C BECOMES 00000001 and 860 becomes FFFFFFEF > 004057A2 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 004056E8 |. 8B07 |MOV EAX,DWORD PTR DS:[EDI] 004056D7 |> 8D45 E0 /LEA EAX,DWORD PTR SS:[EBP-20] 004056DA |. 50 |PUSH EAX 004056DB |. 8D45 F0 |LEA EAX,DWORD PTR SS:[EBP-10] 004056DE |. 50 |PUSH EAX 004056DF |. FF75 08 |PUSH DWORD PTR SS:[EBP+8] 004056E2 |. FF15 94324100 |CALL DWORD PTR DS:[413294] ; *** a_sda.004023C5 PHAT FUNCTION *** 004056E8 |. 8B07 |MOV EAX,DWORD PTR DS:[EDI] --cut-- 0040573F |.^75 96 \JNZ SHORT a_sda.004056D7 ; 78 DA sequence area ******************************************************************** Reversing 004023DA ******************************************************************** 004023DA /$ 55 PUSH EBP . --cut . 00402903 \. C3 RETN HERE WE ARE AT 004056D7 *********************** -> 004056D7 |> 8D45 E0 /LEA EAX,DWORD PTR SS:[EBP-20] ; Load Effective Address (00BBF1C8 -20)= 00BBF1A8 in EAX. 00BBF1C8 (EBP) F8 F1 BB 00 7E 57 40 00 70 0D 89 00 10 00 00 00 .~W@.p..... 00BBF1A8 (EAX) 03 00 00 00 A0 9B 87 00 00 10 00 00 03 00 00 00 .......... -> 004056DA |. 50 |PUSH EAX ; PUSH EAX=00BBF1A8 TO STACK 00BBF1A8 (EAX) 03 00 00 00 A0 9B 87 00 00 10 00 00 03 00 00 00 .......... -> 004056DB |. 8D45 F0 |LEA EAX,DWORD PTR SS:[EBP-10] ; Load Effective Address (00BBF1C8-10)= 00BBF1B8 in EAX 00BBF1C8(EAX) F8 F1 BB 00 7E 57 40 00 70 0D 89 00 10 00 00 00 .~W@.p..... -> 004056DE |. 50 |PUSH EAX ; PUSH EAX=00BBF1B8 TO STACK 00BBF1B8(EAX) 86 FA 35 3D 5C D3 4E 7E 15 C9 24 E8 24 72 0B 4E 5=\N~$$r N -> 004056DF |. FF75 08 |PUSH DWORD PTR SS:[EBP+8] ; PUSH [EBP+8]=(00BBF1C8+8) = 00890D70 TO STACK 00890D70(STA) 8D 09 AF A2 06 00 00 00 44 64 BB 38 13 00 00 00 ....Dd8... 00BBF1C8(EBP) F8 F1 BB 00 7E 57 40 00 70 0D 89 00 10 00 00 00 .~W@.p..... *** JUMP INTO *** 004056E2 -> 004056E2 |. 
FF15 94324100 |CALL DWORD PTR DS:[413294] ; *** JUMP INTO *** -> 004023C5 /$ FF7424 04 PUSH DWORD PTR SS:[ESP+4] ; PUSH ESP=(00BBF18C+4)=00890D70 ON STACK 00BBF18C(ESP) E8 56 40 00 70 0D 89 00 B8 F1 BB 00 A8 F1 BB 00 V@.p.... 00890D70(STA) 8D 09 AF A2 06 00 00 00 44 64 BB 38 13 00 00 00 ....Dd8... 00BBF188(ESP) 70 0D 89 00 E8 56 40 00 70 0D 89 00 B8 F1 BB 00 p..V@.p... -> 004023C9 |. FF7424 10 PUSH DWORD PTR SS:[ESP+10] ; PUSH (00BBF188+10)=00BBF1A8 TO STACK 00BBF1A8(STA) 03 00 00 00 A0 9B 87 00 00 10 00 00 03 00 00 00 .......... 00BBF184(ESP) A8 F1 BB 00 70 0D 89 00 E8 56 40 00 70 0D 89 00 .p..V@.p.. -> 004023D1 |. E8 04000000 CALL a_sda.004023DA ; *** JUMP INTO *** -> 004023DA /$ 55 PUSH EBP ; PUSH EBP=00BBF1C8 TO STACK 00BBF1C8(EBP) F8 F1 BB 00 7E 57 40 00 70 0D 89 00 10 00 00 00 .~W@.p..... 00BBF17C(ESP) D6 23 40 00 B8 F1 BB 00 A8 F1 BB 00 70 0D 89 00 #@...p.. 00BBF1C8(STA) F8 F1 BB 00 7E 57 40 00 70 0D 89 00 10 00 00 00 .~W@.p..... -> 004023DB |. 8BEC MOV EBP,ESP ; MOVE ESP=00BBF178 INTO EBP=00BBF1C8 ==>00BBF178 00BBF178(ESP) C8 F1 BB 00 D6 23 40 00 B8 F1 BB 00 A8 F1 BB 00 .#@... 00BBF1C8(EBP) F8 F1 BB 00 7E 57 40 00 70 0D 89 00 10 00 00 00 .~W@.p..... EBP After Mov. Here EBP=ESP 00BBF178(EBP) C8 F1 BB 00 D6 23 40 00 B8 F1 BB 00 A8 F1 BB 00 .#@... 00BBF178(ESP) C8 F1 BB 00 D6 23 40 00 B8 F1 BB 00 A8 F1 BB 00 .#@... -> 004023DD |. 51 PUSH ECX ; PUSH ECX=00000010 TO STACK -> 004023DE |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] ; MOVE (00BBF178+8=00BBF1B8) TO EDX=00BBF1B8 00BBF178(EBP) C8 F1 BB 00 D6 23 40 00 B8 F1 BB 00 A8 F1 BB 00 .#@... 00890EF0(EDX) 80 4D 14 00 FF FF FF FF 00 00 00 00 00 00 00 00 M......... EDX After MOV 00BBF1B8(EDX) 86 FA 35 3D 5C D3 4E 7E 15 C9 24 E8 24 72 0B 4E 5=\N~$$r N -> 004023E1 |. 33C0 XOR EAX,EAX ; XOR EAX=00BBF1B8 ==>EAX=00000000 00BBF1B8(EAX) 86 FA 35 3D 5C D3 4E 7E 15 C9 24 E8 24 72 0B 4E 5=\N~$$r N -> 004023E3 |. 53 PUSH EBX ; PUSH EBX=00000004 TO STACK -> 004023E4 |. 
56 PUSH ESI ; PUSH ESI=00BBF7EC TO STACK 00BBF7EC(ESI) CA 13 00 10 6F 01 02 00 38 00 00 00 80 D6 14 00 .o.8.... 00BBF7EC(STA) CA 13 00 10 6F 01 02 00 38 00 00 00 80 D6 14 00 .o.8.... -> 004023E5 |. 8A62 04 MOV AH,BYTE PTR DS:[EDX+4] ; MOVE (00BBF1B8+4) TO AH Stack DS:[00BBF1BC]=5C ('\') AH=00 -> 004023E8 |. 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10] ; MOVE (00BBF178+10=00890D70) TO ESI=00890D70 00BBF178(EBP) C8 F1 BB 00 D6 23 40 00 B8 F1 BB 00 A8 F1 BB 00 .#@... 00BBF7EC(ESI) CA 13 00 10 6F 01 02 00 38 00 00 00 80 D6 14 00 .o.8.... ESI after MOV 00890D70(ESI) 8D 09 AF A2 06 00 00 00 44 64 BB 38 13 00 00 00 ....Dd8... -> 004023EB |. 8A42 05 MOV AL,BYTE PTR DS:[EDX+5] ; MOVE (00BBF1B8+5) TO AL Stack DS:[00BBF1BD]=D3 AL=00 00BBF1B8(EDX) 86 FA 35 3D 5C D3 4E 7E 15 C9 24 E8 24 72 0B 4E 5=\N~$$r N -> 004023EE |. 57 PUSH EDI ; PUSH EDI=00BBF9EC TO STACK 00BBF9EC(EDI) F7 23 C3 D6 AA 18 84 D5 A6 6C 8A 27 AA D7 DA 7E #֪զl'~ 00BBF9EC(STA) F7 23 C3 D6 AA 18 84 D5 A6 6C 8A 27 AA D7 DA 7E #֪զl'~ ; RETURN to 00BBF9EC from 4EC76C10 -> 004023EF |. 0FB64A 06 MOVZX ECX,BYTE PTR DS:[EDX+6] ; MOVE (00BBF1B8+6=0000004E) TO ECX(Before MOV)=00000010 ECX(After MOV)=0000004E Stack DS:[00BBF1BE]=4E ('N') 00BBF1B8(EDX) 86 FA 35 3D 5C D3 4E 7E 15 C9 24 E8 24 72 0B 4E 5=\N~$$r N -> 004023F3 |. C1E0 08 SHL EAX,8 ; Shift Left toward (MSB) 8 positions EAX=00005CD3 ==>005CD300 -> 004023F8 |. 8B7E 04 MOV EDI,DWORD PTR DS:[ESI+4] ; EAX now 005CD34E MOVE (00890D70+4=00000006) TO EDI 00890D70(ESI) 8D 09 AF A2 06 00 00 00 44 64 BB 38 13 00 00 00 ....Dd8... 00BBF9EC(EDI) F7 23 C3 D6 AA 18 84 D5 A6 6C 8A 27 AA D7 DA 7E #֪զl'~ -> 004023FB |. 0FB64A 07 MOVZX ECX,BYTE PTR DS:[EDX+7] ; MOVE (00BBF1B8+7=0000007E) TO ECX Stack DS:[00BBF1BF]=7E ('~') ECX(Before MOV)=0000004E 00BBF1B8(EDX) 86 FA 35 3D 5C D3 4E 7E 15 C9 24 E8 24 72 0B 4E 5=\N~$$r N -> 00402402 |. 0BC1 OR EAX,ECX ; OR ECX=0000007E EAX=5CD34E00 and put result in EAX 5CD34E7E -> 00402404 |. 
8B0E MOV ECX,DWORD PTR DS:[ESI] ; MOVE A2AF098D TO ECX 00890D70(ESI) 8D 09 AF A2 06 00 00 00 44 64 BB 38 13 00 00 00 ....Dd8... -> 00402406 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; MOVE (00BBF178-4=00BBF174 EAX=5CD34E7E) EAX=5CD34E7E Stack SS:[00BBF174]=00000010 ==> Stack 5CD34E7E 00BBF178(EBP) C8 F1 BB 00 D6 23 40 00 B8 F1 BB 00 A8 F1 BB 00 .#@... -> 00402409 |. 6A 20 PUSH 20 ; PUSH 00000020 TO STACK -> 0040240B |. 03C1 ADD EAX,ECX ; ADD ECX=A2AF098D EAX=5CD34E7E and put result in EAX=FF82580B -> 0040240D |. 59 POP ECX ; Stack [00BBF164]=00000020 ECX=A2AF098D ==>ECX=00000020 -> 0040240E |. 2BCF SUB ECX,EDI ; SUBTRACT EDI=00000006 FROM ECX=00000020 ==> ECX=0000001A -> 00402410 |. 8BD8 MOV EBX,EAX ; MOVE EAX=FF82580B TO EBX=00000004 ==>EBX=FF82580B -> 00402412 |. D3EB SHR EBX,CL ; Shift Right EBX=FF82580B the position indicated by CL=1A ==> EBX=0000003F -> 00402414 |. 8BCF MOV ECX,EDI ; MOVE EDI=00000006 TO ECX=0000001A ==> ECX=00000006 -> 00402416 |. BF FF000000 MOV EDI,0FF ; MOVE 0FF TO EDI=00000006 ==>EDI=000000FF -> 0040241D |. 6A 20 PUSH 20 ; PUSH 00000020 TO STACK 00BBF164(ESP) 20 00 00 00 EC F9 BB 00 EC F7 BB 00 04 00 00 00 ........ -> 0040241F |. 0BD8 OR EBX,EAX ; EAX=E09602C0 OR EBX=0000003F ==>EBX=E09602FF (note: a two-byte instruction at 0040241B is not shown in this listing; it is what takes EAX from FF82580B to E09602C0, i.e. EAX shifted left by CL=6) -> 00402421 |. 33C0 XOR EAX,EAX ; XOR EAX=E09602C0 ==>00000000 -> 00402423 |. 895D 08 MOV DWORD PTR SS:[EBP+8],EBX ; MOVE EBX=E09602FF TO Stack SS:[00BBF180(00BBF178+8)]=00BBF1B8 00BBF178(EBP) C8 F1 BB 00 D6 23 40 00 B8 F1 BB 00 A8 F1 BB 00 .#@... -> 00402426 |. 8BCB MOV ECX,EBX ; MOVE EBX=E09602FF TO ECX=00000006 ==>ECX=E09602FF -> 00402428 |. 8A45 0A MOV AL,BYTE PTR SS:[EBP+A] ; MOVE Stack SS:[00BBF182=EBP(00BBF178+A)]=96 TO AL=00 PUT Result in EAX=00000096 -> 0040242B |. C1E9 18 SHR ECX,18 ; Shift Right ECX(E09602FF) 18 positions = ECX=000000E0 -> 0040242E |. 8B0485 7816410>MOV EAX,DWORD PTR DS:[EAX*4+411678] ; MOVE DS:[004118D0]=7CBAD9A2 (SHELL32.7CBAD9A2) TO EAX=00000096 ==>EAX=7CBAD9A2 -> 00402435 |. 
33048D 7812410>XOR EAX,DWORD PTR DS:[ECX*4+411278] ; XOR DS:[004115F8]=AF1FBDA7 WITH EAX=7CBAD9A2 (SHELL32.7CBAD9A2) ==>EAX=D3A56405 -> 0040243C |. 33C9 XOR ECX,ECX ; ECX=000000E0 XOR ECX=000000E0 ==> 00000000 -> 00402440 |. 23DF AND EBX,EDI ; AND EDI=000000FF WITH EBX=E09602FF PUT result in EBX=000000FF -> 00402442 |. 2B048D 781A410>SUB EAX,DWORD PTR DS:[ECX*4+411A78] ; SUBTRACT DS:[00411A80]=EB903DBF FROM EAX=D3A56405 PUT result in EAX=E8152646 -> 00402449 |. 33C9 XOR ECX,ECX ; ECX=00000002 XOR ECX=00000002 = 00000000 -> 0040244D |. 03049D 781E410>ADD EAX,DWORD PTR DS:[EBX*4+411E78] ; ADD DS:[00412274={EBX{000000FF}*4+411E78}]=0AEF7ED2 TO EAX=E8152646 ==> EAX=F304A518 -> 00402454 |. 8A4A 01 MOV CL,BYTE PTR DS:[EDX+1] ; MOVE Stack DS:[00BBF1B9=(EDX 00BBF1B8)+1]=FA CL=00 ECX now 000086FA (note: two-byte instructions at 0040243E and 0040244B are not shown in this listing; they account for ECX being 00000002 before the SUB above and for the 86 already sitting in CH here) -> 00402457 |. 0FB65A 02 MOVZX EBX,BYTE PTR DS:[EDX+2] ; MOVE Stack DS:[00BBF1BA]=35 ('5') TO EBX=000000FF ==>EBX=00000035 -> 0040245B |. 0FB652 03 MOVZX EDX,BYTE PTR DS:[EDX+3] ; MOVE Stack DS:[00BBF1BB]=3D ('=') TO EDX=00BBF1B8 ==>EDX=0000003D -> 0040245F |. C1E1 08 SHL ECX,8 ; Shift Left ECX 8 positions ECX=000086FA ==>ECX=0086FA00 -> 00402462 |. 0BCB OR ECX,EBX ; EBX=00000035 OR ECX=0086FA00 PUT result in ECX=0086FA35 -> 00402464 |. 8B5E 08 MOV EBX,DWORD PTR DS:[ESI+8] ; MOVE DS:[00890D78]=38BB6444 TO EBX=00000035 ==>EBX=38BB6444 -> 00402467 |. C1E1 08 SHL ECX,8 ; Shift Left ECX by 8 ECX=0086FA35 ==>ECX=86FA3500 -> 0040246A |. 0BCA OR ECX,EDX ; EDX=0000003D OR ECX=86FA3500 PUT result in ECX=86FA353D -> 0040246C |. 8B56 0C MOV EDX,DWORD PTR DS:[ESI+C] ; MOVE DS:[00890D7C]=00000013 TO EDX=0000003D ==>EDX=00000013 ========================================================================================= DS:[00890D74]=00000006 EDI=00BBF9EC