;
; +-------------------------------------------------------------------------+
;      This file is generated by The Interactive Disassembler (IDA)        
;      Copyright (c) 2005 by DataRescue sa/nv, <ida@datarescue.com>        
;             Licensed to: Sebastian Porst, 1 user std, 05/2005            
; +-------------------------------------------------------------------------+
;
.text:10089E00
.text:10089E00 ;  S U B R O U T I N E 
.text:10089E00
.text:10089E00
; ---------------------------------------------------------------------------
; DoShuffle(p_shuffle, p_buffer, i_size)   32-bit x86, IDA listing (Intel syntax)
;
; Arguments are read from the stack ([esp+4], [esp+8], [esp+0Ch] on entry) and
; the function ends in a plain retn, so the caller removes them.
; ebx, ebp, esi and edi are saved and restored; eax, ecx and edx are not.
;
; Visible stages:
;   1. First call only (global i_secret == 0): ROT13-decode the global string
;      aPbclevtug... in place, then store its length plus one in i_secret.
;   2. Apply the 20 command dwords at p_shuffle+4 to the dword table at
;      p_shuffle+54h.
;   3. If the dword at p_shuffle+0 is 1000300h or 1000400h, run four helper
;      routines on that table.
;   4. Copy the table's first 64 bytes to the stack as 16 big-endian dwords
;      and hash them with sub_10088200 / sub_10088320 (AddMD5 / EndMD5 in the
;      existing comments; the four state constants are the standard MD5
;      initial values). For the two versions above, 80h bytes at
;      unk_10108018 and the decoded string are hashed as well.
;   5. XOR i_size dwords of p_buffer with the dwords starting at var_90.
;
; Frame after the prologue (0A8h bytes between esp and the return address):
;   esp+10h  var_98, var_94   two dwords, zeroed
;   esp+18h  var_90..var_84   four hash state words
;   esp+28h  var_80           64 bytes, zeroed by rep stosd
;   esp+68h                   64-byte big-endian copy of the table
;
; NOTE(review): i_size is not range-checked in this routine. The XOR source
; is the four state words at var_90, so a count above 4 would continue into
; the rest of this frame; confirm every caller's i_size.
; NOTE(review): the one-time decode rewrites a global string and is guarded
; only by a plain read/write of i_secret; no locking is visible here, so
; confirm the callers cannot race on the first call.
; ---------------------------------------------------------------------------
.text:10089E00 DoShuffle       proc near               ; CODE XREF: sub_1008A0C0+159p
.text:10089E00                                         ; sub_1008A0C0+1F1p ...
.text:10089E00
.text:10089E00 var_A8          = dword ptr -0A8h
.text:10089E00 var_98          = dword ptr -98h
.text:10089E00 var_94          = dword ptr -94h
.text:10089E00 var_90          = dword ptr -90h
.text:10089E00 var_8C          = dword ptr -8Ch
.text:10089E00 var_88          = dword ptr -88h
.text:10089E00 var_84          = dword ptr -84h
.text:10089E00 var_80          = dword ptr -80h
.text:10089E00 var_50          = dword ptr -50h
.text:10089E00 var_4C          = dword ptr -4Ch
.text:10089E00 var_3E          = dword ptr -3Eh
.text:10089E00 var_3A          = dword ptr -3Ah
.text:10089E00 p_shuffle       = dword ptr  4
.text:10089E00 p_buffer        = dword ptr  8
.text:10089E00 i_size          = dword ptr  0Ch
.text:10089E00
; Prologue: 98h bytes of locals plus four saved registers = 0A8h below the
; return address, which is why later stack references are written esp+0A8h+var.
.text:10089E00                 sub     esp, 98h
.text:10089E06                 push    ebx
.text:10089E07                 push    ebp
.text:10089E08                 mov     ebp, [esp+0A0h+p_shuffle] ; uint32_t *p_bordel = p_shuffle->p_bordel;
.text:10089E0F                 push    esi
.text:10089E10                 push    edi
.text:10089E11                 mov     edi, i_secret   ; edi = global i_secret (0 until the first decode has run)
.text:10089E17                 test    edi, edi
.text:10089E19                 lea     esi, [ebp+54h]   ; esi = p_shuffle + 54h, the dword table used below; lea leaves the flags from test intact
.text:10089E1C                 jnz     short loc_10089E83 ; if (i_secret == 0)
.text:10089E1E                 mov     al, byte ptr aPbclevtugPNccyrPbzchgreVa ; "pbclevtug (p) Nccyr Pbzchgre, Vap.  Nyy"...
.text:10089E23                 test    al, al          ; p_secret2[ i_secret ] != '\0'
.text:10089E25                 jz      short loc_10089E7C
.text:10089E27
.text:10089E27 The REVERSE is missing because it's a pre-processor macro
.text:10089E27 that is defined to <empty> at platforms where the bytes don't
.text:10089E27 need to be reversed.
.text:10089E27
.text:10089E27                 mov     ecx, offset aPbclevtugPNccyrPbzchgreVa ; "pbclevtug (p) Nccyr Pbzchgre, Vap.  Nyy"...
.text:10089E2C                 lea     esp, [esp+0]   ; esp is unchanged; the next instruction starts at 10089E30
.text:10089E30
.text:10089E30 First line of the ROT13 code.
.text:10089E30
; Decode loop: al = current character, ecx = address it is written back to,
; edi = index. The result overwrites the global string, so the stored text is
; ROT13 only until the first call; ROT13 is a fixed substitution and hides the
; string from a casual scan of the binary, nothing more.
.text:10089E30 loc_10089E30:                           ; CODE XREF: DoShuffle+7Aj
.text:10089E30                 cmp     al, 'A'
.text:10089E32                 jl      short loc_10089E4B
.text:10089E34                 cmp     al, 'Z'
.text:10089E36                 jg      short loc_10089E4B
.text:10089E38                 movsx   eax, al
.text:10089E3B                 sub     eax, '4'   ; '4' is 34h = 'A' - 13, so eax = (c - 'A') + 13
.text:10089E3E                 cdq   ; sign-extend eax into edx:eax for idiv
.text:10089E3F                 mov     ebx, 26
.text:10089E44                 idiv    ebx   ; edx = remainder modulo 26
.text:10089E46                 add     edx, 'A'
.text:10089E49                 jmp     short loc_10089E69
.text:10089E4B ; ---------------------------------------------------------------------------
.text:10089E4B
.text:10089E4B Second line of the ROT13 code.
.text:10089E4B
.text:10089E4B loc_10089E4B:                           ; CODE XREF: DoShuffle+32j
.text:10089E4B                                         ; DoShuffle+36j
.text:10089E4B                 cmp     al, 'a'
.text:10089E4D                 jl      short loc_10089E66
.text:10089E4F                 cmp     al, 'z'
.text:10089E51                 jg      short loc_10089E66
.text:10089E53                 movsx   eax, al
.text:10089E56                 sub     eax, 'T'   ; 'T' is 54h = 'a' - 13, so eax = (c - 'a') + 13
.text:10089E59                 cdq
.text:10089E5A                 mov     ebx, 26
.text:10089E5F                 idiv    ebx   ; edx = remainder modulo 26
.text:10089E61                 add     edx, 'a'
.text:10089E64                 jmp     short loc_10089E69
.text:10089E66 ; ---------------------------------------------------------------------------
.text:10089E66
.text:10089E66 loc_10089E66:                           ; CODE XREF: DoShuffle+4Dj
.text:10089E66                                         ; DoShuffle+51j
.text:10089E66                 movsx   edx, al   ; not a letter: the character is stored back unchanged
.text:10089E69
.text:10089E69 loc_10089E69:                           ; CODE XREF: DoShuffle+49j
.text:10089E69                                         ; DoShuffle+64j
.text:10089E69                 inc     edi             ; i_secret++ (from the for-loop)
.text:10089E6A                 mov     [ecx], dl   ; write the decoded character over the original one
.text:10089E6C                 mov     al, byte ptr aPbclevtugPNccyrPbzchgreVa[edi] ; "pbclevtug (p) Nccyr Pbzchgre, Vap.  Nyy"...
.text:10089E72                 test    al, al          ; p_secret2[ i_secret ] != '\0'; (for-loop condition)
.text:10089E74                 lea     ecx, aPbclevtugPNccyrPbzchgreVa[edi] ; "pbclevtug (p) Nccyr Pbzchgre, Vap.  Nyy"...
.text:10089E7A                 jnz     short loc_10089E30
.text:10089E7C
; edi is the index of the terminating NUL here; the extra increment makes the
; stored i_secret one larger than the string length, and that value is later
; pushed as the byte count for the third sub_10088200 call. A non-zero
; i_secret also makes later calls skip the decode.
.text:10089E7C loc_10089E7C:                           ; CODE XREF: DoShuffle+25j
.text:10089E7C                 inc     edi             ; i_secret++ (from after the for loop)
.text:10089E7D                 mov     i_secret, edi
.text:10089E83
.text:10089E83 loc_10089E83:                           ; CODE XREF: DoShuffle+1Cj
.text:10089E83                 lea     edx, [ebp+4]   ; edx = address of the first command dword (p_shuffle + 4)
.text:10089E86                 mov     edi, 20         ; This is the 20 from the < 20 part of the next loop.
.text:10089E8B                 jmp     short loc_10089E90
.text:10089E8B ; ---------------------------------------------------------------------------
.text:10089E8D                 align 10h
.text:10089E90
; Command loop: edx walks 20 dwords, edi counts down. A zero command is
; skipped. Otherwise cl = low byte of the command and bits 8..9 pick the
; operation on the dword table t[] at esi:
;   0 -> t[cl >> 4] += sign-extended word at (unk_100C5D46 - 2*cl)
;   1 -> t[cl >> 4] -= sign-extended word at (unk_100C5B46 - 2*cl)   loc_10089F03
;   2 -> t[cl >> 4] ^= sign-extended word at (unk_100C5946 - 2*cl)   loc_10089EE5
;   3 -> t[cl & 0Fh] = t[((cl + 10h) >> 4) & 0Fh] + t[cl >> 4]       loc_10089EC9
; Every table index comes from one zero-extended byte through a shift or mask,
; so it stays in 0..15; the word reads reach at most 510 bytes below the
; respective unk_ label.
.text:10089E90 loc_10089E90:                           ; CODE XREF: DoShuffle+8Bj
.text:10089E90                                         ; DoShuffle+125j
.text:10089E90                 mov     eax, [edx]
.text:10089E92                 test    eax, eax
.text:10089E94                 jz      loc_10089F21
.text:10089E9A                 mov     cl, al   ; keep the operand byte before eax is reduced to the selector
.text:10089E9C                 shr     eax, 8
.text:10089E9F                 and     eax, 3   ; eax = selector, bits 8..9 of the command
.text:10089EA2                 dec     eax
.text:10089EA3                 jz      short loc_10089F03   ; selector 1
.text:10089EA5                 dec     eax
.text:10089EA6                 jz      short loc_10089EE5   ; selector 2
.text:10089EA8                 dec     eax
.text:10089EA9                 movzx   eax, cl   ; movzx does not touch the flags set by dec
.text:10089EAC                 jz      short loc_10089EC9   ; selector 3; selector 0 falls through
.text:10089EAE                 mov     ecx, eax
.text:10089EB0                 add     eax, eax
.text:10089EB2                 mov     ebx, offset unk_100C5D46
.text:10089EB7                 sub     ebx, eax   ; ebx = unk_100C5D46 - 2*cl
.text:10089EB9                 movsx   eax, word ptr [ebx]
.text:10089EBC                 shr     ecx, 4
.text:10089EBF                 mov     ebx, [esi+ecx*4]
.text:10089EC2                 lea     ecx, [esi+ecx*4]   ; ecx = address the result is stored to at loc_10089F1F
.text:10089EC5                 add     ebx, eax
.text:10089EC7                 jmp     short loc_10089F1F
.text:10089EC9 ; ---------------------------------------------------------------------------
.text:10089EC9
.text:10089EC9 loc_10089EC9:                           ; CODE XREF: DoShuffle+ACj
.text:10089EC9                 lea     ecx, [eax+10h]
.text:10089ECC                 sar     ecx, 4
.text:10089ECF                 and     ecx, 0Fh   ; ecx = ((cl + 10h) >> 4) & 0Fh
.text:10089ED2                 mov     ecx, [esi+ecx*4]
.text:10089ED5                 mov     ebx, eax
.text:10089ED7                 shr     ebx, 4
.text:10089EDA                 add     ecx, [esi+ebx*4]
.text:10089EDD                 and     eax, 0Fh
.text:10089EE0                 mov     [esi+eax*4], ecx   ; t[cl & 0Fh] = sum of the two entries read above
.text:10089EE3                 jmp     short loc_10089F21
.text:10089EE5 ; ---------------------------------------------------------------------------
.text:10089EE5
.text:10089EE5 loc_10089EE5:                           ; CODE XREF: DoShuffle+A6j
.text:10089EE5                 movzx   eax, cl
.text:10089EE8                 mov     ecx, eax
.text:10089EEA                 add     eax, eax
.text:10089EEC                 mov     ebx, offset unk_100C5946
.text:10089EF1                 sub     ebx, eax   ; ebx = unk_100C5946 - 2*cl
.text:10089EF3                 movsx   eax, word ptr [ebx]
.text:10089EF6                 shr     ecx, 4
.text:10089EF9                 mov     ebx, [esi+ecx*4]
.text:10089EFC                 lea     ecx, [esi+ecx*4]
.text:10089EFF                 xor     ebx, eax
.text:10089F01                 jmp     short loc_10089F1F
.text:10089F03 ; ---------------------------------------------------------------------------
.text:10089F03
.text:10089F03 loc_10089F03:                           ; CODE XREF: DoShuffle+A3j
.text:10089F03                 movzx   eax, cl
.text:10089F06                 mov     ecx, eax
.text:10089F08                 add     eax, eax
.text:10089F0A                 mov     ebx, offset unk_100C5B46
.text:10089F0F                 sub     ebx, eax   ; ebx = unk_100C5B46 - 2*cl
.text:10089F11                 movsx   eax, word ptr [ebx]
.text:10089F14                 shr     ecx, 4
.text:10089F17                 mov     ebx, [esi+ecx*4]
.text:10089F1A                 lea     ecx, [esi+ecx*4]
.text:10089F1D                 sub     ebx, eax
.text:10089F1F
.text:10089F1F loc_10089F1F:                           ; CODE XREF: DoShuffle+C7j
.text:10089F1F                                         ; DoShuffle+101j
.text:10089F1F                 mov     [ecx], ebx   ; shared store for selectors 0, 1 and 2
.text:10089F21
.text:10089F21 loc_10089F21:                           ; CODE XREF: DoShuffle+94j
.text:10089F21                                         ; DoShuffle+E3j
.text:10089F21                 add     edx, 4   ; next command dword
.text:10089F24                 dec     edi
.text:10089F25                 jnz     loc_10089E90
.text:10089F2B                 mov     eax, [ebp+0]   ; first dword of *p_shuffle (i_version in the comment at 1008A048)
.text:10089F2E                 cmp     eax, 1000300h
.text:10089F33                 jz      short loc_10089F3C
.text:10089F35                 cmp     eax, 1000400h
.text:10089F3A                 jnz     short loc_10089F58
.text:10089F3C
; Extra table processing for the two version values only. The callees are not
; part of this listing: arguments appear to travel in registers (ecx = esi
; before the first call, eax = esi plus one pushed dword before the second),
; and the last two calls set up nothing visible, so they presumably rely on
; register state left here -- TODO confirm in the callees.
.text:10089F3C loc_10089F3C:                           ; CODE XREF: DoShuffle+133j
.text:10089F3C                 mov     ecx, esi
.text:10089F3E                 call    sub_100885B0
.text:10089F43                 push    eax   ; return value of sub_100885B0 becomes the stack argument of the next call
.text:10089F44                 mov     eax, esi
.text:10089F46                 call    sub_100888A0
.text:10089F4B                 add     esp, 4
.text:10089F4E                 call    sub_10088B90
.text:10089F53                 call    sub_10088CD0
.text:10089F58
.text:10089F58 loc_10089F58:                           ; CODE XREF: DoShuffle+13Aj
.text:10089F58                 xor     eax, eax
.text:10089F5A                 mov     ecx, 10h   ; 16 dwords for the rep stosd below
.text:10089F5F
.text:10089F5F InitMD5 was inlined
.text:10089F5F
.text:10089F5F                 lea     edi, [esp+0A8h+var_80]
.text:10089F63                 mov     [esp+0A8h+var_90], 67452301h
.text:10089F6B                 mov     [esp+0A8h+var_8C], 0EFCDAB89h
.text:10089F73                 mov     [esp+0A8h+var_88], 98BADCFEh
.text:10089F7B                 mov     [esp+0A8h+var_84], 10325476h
.text:10089F83                 rep stosd   ; zero the 64 bytes at var_80 (eax = 0, ecx = 10h)
.text:10089F85                 xor     ecx, ecx   ; ecx = dword counter for the copy loop
.text:10089F87                 lea     edi, [esp+0A8h+var_3E]
.text:10089F8B                 lea     ebp, [esp+0A8h+var_3A]
.text:10089F8F                 sub     edi, esi   ; edi and ebp become offsets relative to the table base,
.text:10089F91                 mov     [esp+0A8h+var_98], ecx
.text:10089F95                 mov     [esp+0A8h+var_94], ecx
.text:10089F99                 lea     eax, [esi+6]   ; eax = read pointer (table base + 6); esi is reused as scratch in the loop
.text:10089F9C                 sub     ebp, esi   ; so that [edi+eax-10h] and [eax+ebp-10h] address the stack copy
.text:10089F9E                 mov     edi, edi   ; register-to-itself move; the loop head follows at 10089FA0
.text:10089FA0
.text:10089FA0 for( i = 0; i < 16; i++ )
.text:10089FA0
; The loop body handles four dwords per pass (ecx += 4, eax += 10h), so it
; runs four times. Each dword is assembled as b0<<24 | b1<<16 | b2<<8 | b3
; from four consecutive table bytes, i.e. a big-endian read, and stored to
; the 64-byte area starting at esp+68h. The count is the constant 16, so the
; stores end at esp+0A7h, the last byte below the return address.
.text:10089FA0 loc_10089FA0:                           ; CODE XREF: DoShuffle+221j
.text:10089FA0                 xor     edx, edx
.text:10089FA2
.text:10089FA2 U32_AT is a preprocessor macro that's expanded to function
.text:10089FA2 which is then inlined.
.text:10089FA2
.text:10089FA2                 mov     dh, [eax-6]   ; byte 0 of this 16-byte group
.text:10089FA5                 movzx   esi, byte ptr [eax-4]   ; byte 2
.text:10089FA9                 add     ecx, 4
.text:10089FAC                 add     eax, 10h   ; offsets below are relative to the advanced pointer
.text:10089FAF                 mov     dl, [eax-15h]   ; byte 1
.text:10089FB2                 shl     edx, 8
.text:10089FB5                 or      edx, esi
.text:10089FB7                 movzx   esi, byte ptr [eax-13h]   ; byte 3
.text:10089FBB                 shl     edx, 8
.text:10089FBE                 or      edx, esi
.text:10089FC0                 mov     [esp+ecx*4+0A8h+var_50], edx   ; first dword of the group; ecx was already advanced by 4
.text:10089FC4                 xor     edx, edx
.text:10089FC6                 mov     dh, [eax-12h]
.text:10089FC9                 movzx   esi, byte ptr [eax-10h]
.text:10089FCD                 mov     dl, [eax-11h]
.text:10089FD0                 shl     edx, 8
.text:10089FD3                 or      edx, esi
.text:10089FD5                 movzx   esi, byte ptr [eax-0Fh]
.text:10089FD9                 shl     edx, 8
.text:10089FDC                 or      edx, esi
.text:10089FDE                 movzx   esi, byte ptr [eax-0Ch]
.text:10089FE2                 mov     [esp+ecx*4+0A8h+var_4C], edx   ; second dword
.text:10089FE6                 xor     edx, edx
.text:10089FE8                 mov     dh, [eax-0Eh]
.text:10089FEB                 mov     dl, [eax-0Dh]
.text:10089FEE                 shl     edx, 8
.text:10089FF1                 or      edx, esi
.text:10089FF3                 movzx   esi, byte ptr [eax-0Bh]
.text:10089FF7                 shl     edx, 8
.text:10089FFA                 or      edx, esi
.text:10089FFC                 movzx   esi, byte ptr [eax-8]
.text:1008A000                 mov     [edi+eax-10h], edx   ; third dword
.text:1008A004                 xor     edx, edx
.text:1008A006                 mov     dh, [eax-0Ah]
.text:1008A009                 mov     dl, [eax-9]
.text:1008A00C                 shl     edx, 8
.text:1008A00F                 or      edx, esi
.text:1008A011                 movzx   esi, byte ptr [eax-7]
.text:1008A015                 shl     edx, 8
.text:1008A018                 or      edx, esi
.text:1008A01A                 cmp     ecx, 16
.text:1008A01D                 mov     [eax+ebp-10h], edx   ; fourth dword; mov keeps the flags from cmp for the jb
.text:1008A021                 jb      loc_10089FA0
; Hash the 64-byte copy. Length and buffer are pushed; ebx carries the address
; of var_98 (start of the hash context) in a register.
.text:1008A027                 lea     eax, [esp+68h]
.text:1008A02B                 push    64
.text:1008A02D                 push    eax
.text:1008A02E                 lea     ebx, [esp+0B0h+var_98]
.text:1008A032                 call    sub_10088200    ; AddMD5( &md5, (uint8_t *)p_big_bordel, 64 );
.text:1008A037                 mov     ecx, [esp+0B0h+p_shuffle]   ; reload p_shuffle from the argument slot; ebp was reused above
.text:1008A03E                 mov     eax, [ecx]
.text:1008A040                 add     esp, 8   ; drop the two pushed arguments
.text:1008A043                 cmp     eax, 1000300h
.text:1008A048                 jz      short loc_1008A051 ; if( p_shuffle->i_version == 0x01000300 )
.text:1008A04A                 cmp     eax, 1000400h
.text:1008A04F                 jnz     short loc_1008A078 ; ... or 0x01000400, the same two values tested at 10089F2E/10089F35; any other value skips the two extra inputs
.text:1008A051
.text:1008A051 loc_1008A051:                           ; CODE XREF: DoShuffle+248j
.text:1008A051                 push    80h
.text:1008A056                 push    offset unk_10108018
.text:1008A05B                 lea     ebx, [esp+0B0h+var_98]
.text:1008A05F                 call    sub_10088200    ; AddMD5( &md5, (uint8_t *)p_secret1, sizeof(p_secret1) );
.text:1008A064                 mov     edx, i_secret   ; byte count = decoded string length plus one (see 10089E7C)
.text:1008A06A                 push    edx
.text:1008A06B                 push    offset aPbclevtugPNccyrPbzchgreVa ; "pbclevtug (p) Nccyr Pbzchgre, Vap.  Nyy"...
.text:1008A070                 call    sub_10088200    ; AddMD5( &md5, (uint8_t *)p_secret2, i_secret );
.text:1008A075                 add     esp, 10h   ; drop the four dwords pushed for the two calls above
.text:1008A078
.text:1008A078 loc_1008A078:                           ; CODE XREF: DoShuffle+24Fj
.text:1008A078                 lea     esi, [esp+0A8h+var_98]
.text:1008A07C                 call    sub_10088320    ; EndMD5( &md5 );
.text:1008A081                 mov     edx, [esp+0A8h+i_size]
.text:1008A088                 test    edx, edx   ; test clears CF, so the jbe below is taken only when i_size == 0
.text:1008A08A                 jbe     short loc_1008A0AF ; This is the initial for-loop condition check
.text:1008A08C                 mov     eax, [esp+0A8h+p_buffer]
.text:1008A093                 lea     ecx, [esp+0A8h+var_90]
.text:1008A097                 sub     ecx, eax   ; ecx = &var_90 - p_buffer, so [ecx+eax] follows eax through the stack words
.text:1008A099                 lea     esp, [esp+0]   ; esp is unchanged; the loop head follows at 1008A0A0
.text:1008A0A0
.text:1008A0A0 for( i = 0; i < i_size; i++ )
.text:1008A0A0
; XOR loop: edx = i_size counts dwords, eax walks p_buffer. Nothing here caps
; the count at the four words var_90..var_84; the caller must supply a
; p_buffer of i_size dwords and, presumably, an i_size of at most 4 -- verify
; at the call sites.
.text:1008A0A0 loc_1008A0A0:                           ; CODE XREF: DoShuffle+2ADj
.text:1008A0A0                 mov     ebx, [eax]
.text:1008A0A2                 mov     esi, [ecx+eax]
.text:1008A0A5                 xor     ebx, esi
.text:1008A0A7                 mov     [eax], ebx      ; p_buffer[ i ] ^= md5.p_digest[ i ];
.text:1008A0A9                 add     eax, 4
.text:1008A0AC                 dec     edx
.text:1008A0AD                 jnz     short loc_1008A0A0
.text:1008A0AF
; Epilogue: restore the saved registers in reverse push order and release the
; 98h bytes of locals. The hash state and the table copy are left on the
; stack as they are.
.text:1008A0AF loc_1008A0AF:                           ; CODE XREF: DoShuffle+28Aj
.text:1008A0AF                 pop     edi
.text:1008A0B0                 pop     esi
.text:1008A0B1                 pop     ebp
.text:1008A0B2                 pop     ebx
.text:1008A0B3                 add     esp, 98h
.text:1008A0B9                 retn
.text:1008A0B9 DoShuffle       endp
.text:1008A0B9
.text:1008A0B9 ; ---------------------------------------------------------------------------