ARTeam ezine 4th

Page 151


Stepping into this call, we can analyze the following instructions:

        XOR ESI,ESI
    Loop:
        LEA EDI, address of current byte of Cryptic Serial Buffer
        MOV AL, current byte of License Code
        PUSH EAX
        PUSH address of Hash String
        CALL dwice.00424950
        …
        TEST EAX,EAX
        JL Error code
        CMP ESI,5
        JE 1° group
        CMP ESI,9
        JE 1° group
        CMP ESI,0B
        JE 1° group
        CMP ESI,0C
        JE 1° group
        CMP ESI,4
        JE 2° group
        CMP ESI,6
        JE 2° group
        CMP ESI,0A
        JE 2° group
        CMP ESI,0F
        JE 2° group
        TEST ESI,ESI
        JE 3° group
        CMP ESI,2
        JE 3° group
        CMP ESI,8
        JE 3° group
        CMP ESI,0E
        JE 3° group
        MOV CL,[Hash Table's base offset + 3 + 4*j]      ; 4° group (all other indexes)
        JMP Next1
    3° group:
        MOV DL,[Hash Table's base offset + 2 + 4*j]
        MOV BYTE PTR DS:[EDI],DL
        JMP Next
    2° group:
        MOV AL,[Hash Table's base offset + 1 + 4*j]
        MOV BYTE PTR DS:[EDI],AL
        JMP Next
    1° group:
        MOV CL,[Hash Table's base offset + 4*j]
    Next1:
        MOV BYTE PTR DS:[EDI],CL
    Next:
        INC ESI
        CMP ESI,1E
        JL Loop
        POP EDI
        POP ESI
        POP EBP
        MOV EAX,1
        POP EBX
        RETN

The subroutine underlined in red takes two input parameters: a byte of the License Code and the offset of the Hash String. It returns in EAX an index j that satisfies the same condition seen before: License Code[i] = Hash String[Base offset + 2*j]; a negative return value (caught by TEST EAX,EAX / JL) sends execution to the error code. The target then uses ESI, the position i of the byte being built (the loop runs for ESI = 0 up to 1Dh, i.e. 30 bytes), to select a byte of a Hash Table and writes it into the Cryptic Serial Buffer. Indeed, as the listing shows, the CMP/JE chain splits the values of ESI into 4 main groups: 1° group = (5,9,0Bh,0Ch); 2° group = (4,6,0Ah,0Fh); 3° group = (0,2,8,0Eh); 4° group = all other indexes. For every group there is a different displacement in the instruction: MOV reg,[H.Table offset + disp + 4*j];

where the displacement is: 0 -> for the 1° group; 1 -> for the 2° group; 2 -> for the 3° group; 3 -> for the 4° group. In other words, every byte of the Cryptic Serial is Hash Table[4*j + disp], where j is determined by the License Code byte and disp by its position in the serial.
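The mapping loop above, re-implemented in Python as an added example (this is not code from the article or from Dwice). The real Hash String and Hash Table live inside dwice.exe and are not reproduced on this page, so the contents below are constructed placeholders that only keep the layout the listing shows: one character every 2 bytes in the Hash String, and 4 bytes per index j in the Hash Table. The function `lookup_index` stands in for the call to dwice.00424950; its name, and the assumption that it returns -1 on a miss, are mine.

```python
# Added example: Python model of the Dwice serial-mapping loop described above.
# Data below is constructed for illustration; the real tables are in dwice.exe.

# Values of ESI (the position in the serial) taken from the CMP/JE chain.
GROUP1 = {0x5, 0x9, 0xB, 0xC}   # displacement 0
GROUP2 = {0x4, 0x6, 0xA, 0xF}   # displacement 1
GROUP3 = {0x0, 0x2, 0x8, 0xE}   # displacement 2
# Every other position uses displacement 3.

SERIAL_LEN = 0x1E  # CMP ESI,1E / JL Loop -> 30 iterations

# Constructed 32-symbol alphabet (assumption, not the game's real set).
ALPHABET = b"ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Constructed Hash String: symbol at every even offset, so symbol j sits at 2*j.
HASH_STRING = bytes(b for c in ALPHABET for b in (c, 0x20))

# Constructed Hash Table: 4 bytes per index j, 128 bytes in total.
HASH_TABLE = bytes(0x41 + (j * 7 + d * 5) % 26
                   for j in range(len(ALPHABET)) for d in range(4))


def displacement(i: int) -> int:
    """Return the offset added to 4*j for position i (the four groups above)."""
    if i in GROUP1:
        return 0
    if i in GROUP2:
        return 1
    if i in GROUP3:
        return 2
    return 3


def lookup_index(ch: int, hash_string: bytes) -> int:
    """Model of dwice.00424950 (assumed behaviour): the index j such that
    hash_string[2*j] == ch, or -1 when the byte is not part of the string.
    The caller treats a negative result as the error path (TEST EAX,EAX / JL)."""
    for j in range(len(hash_string) // 2):
        if hash_string[2 * j] == ch:
            return j
    return -1


def build_cryptic_serial(license_code: bytes,
                         hash_string: bytes = HASH_STRING,
                         hash_table: bytes = HASH_TABLE) -> bytes:
    """Run the 30-iteration loop: for each position i, look up j from the
    License Code byte and copy Hash Table[4*j + disp(i)] into the output."""
    if len(license_code) < SERIAL_LEN:
        raise ValueError("license code must provide at least 0x1E bytes")
    out = bytearray()
    for i in range(SERIAL_LEN):
        j = lookup_index(license_code[i], hash_string)
        if j < 0:
            raise ValueError(f"byte {license_code[i]:#04x} at position {i} "
                             "is not in the Hash String")
        out.append(hash_table[4 * j + displacement(i)])
    return bytes(out)


if __name__ == "__main__":
    code = b"A" * SERIAL_LEN  # constructed input: every byte maps to j = 0
    print(build_cryptic_serial(code).decode())
```

With the constructed tables, a License Code made of 30 identical bytes exposes the position-dependent part of the scheme directly: j is the same for every byte, so the output varies only with the displacement chosen by the group of i.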

Reversing the Protection’s scheme of Alexey Pajitnov’s game Dwice by Gyver75


