;
; +-------------------------------------------------------------------------+
; ¦ This file is generated by The Interactive Disassembler (IDA) ¦
; ¦ Copyright (c) 2005 by DataRescue sa/nv, <ida@datarescue.com> ¦
; ¦ Licensed to: Sebastian Porst, 1 user std, 05/2005 ¦
; +-------------------------------------------------------------------------+
;
.text:10089E00
.text:10089E00 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:10089E00
.text:10089E00 ;-----------------------------------------------------------------------
.text:10089E00 ; void DoShuffle(p_shuffle, uint32_t *p_buffer, uint32_t i_size)
.text:10089E00 ;   (signature reconstructed from the stack-argument symbols below)
.text:10089E00 ; ABI:   x86-32 cdecl - arguments on the stack, `retn` with no immediate,
.text:10089E00 ;        so the caller pops them.  ebx/ebp/esi/edi are pushed and popped,
.text:10089E00 ;        98h bytes of locals hold the inlined MD5 context and p_big_bordel.
.text:10089E00 ; In:    [esp+4]   p_shuffle - state block.  [p_shuffle+0] is compared with
.text:10089E00 ;                  1000300h / 1000400h (author annotates it i_version);
.text:10089E00 ;                  p_shuffle+4 holds 20 command dwords; p_shuffle+54h is the
.text:10089E00 ;                  dword table the commands index (presumably p_bordel).
.text:10089E00 ;        [esp+8]   p_buffer  - dword array, XORed in place at the end.
.text:10089E00 ;        [esp+0Ch] i_size    - number of DWORDS of p_buffer to XOR (the
.text:10089E00 ;                  final loop steps the pointer by 4 and counts i_size down).
.text:10089E00 ; Out:   p_buffer[0..i_size) ^= first i_size dwords of the MD5 state;
.text:10089E00 ;        p_bordel mutated in place; eax holds no meaningful return value.
.text:10089E00 ; Globals written: i_secret (0 => first call), aPbclevtugPNccyrPbzchgreVa
.text:10089E00 ;        (ROT13 text, decoded IN PLACE on the first call).
.text:10089E00 ; Globals read: unk_10108018 (80h bytes, annotated p_secret1), three word
.text:10089E00 ;        tables ending at unk_100C5946 / unk_100C5B46 / unk_100C5D46.
.text:10089E00 ; NOTE(review): the first-call decode and the store to i_secret are not
.text:10089E00 ;        protected by any lock visible in this function - concurrent first
.text:10089E00 ;        calls would race on the string and the length; confirm callers.
.text:10089E00 ;-----------------------------------------------------------------------
.text:10089E00
.text:10089E00 DoShuffle proc near ; CODE XREF: sub_1008A0C0+159p
.text:10089E00 ; sub_1008A0C0+1F1p ...
.text:10089E00
.text:10089E00 ; Local frame (offsets relative to esp after the 98h reservation plus the
.text:10089E00 ; four pushes, i.e. esp+0A8h):
.text:10089E00 ;   var_98 .. var_94  - two dwords zeroed before hashing (start of MD5 ctx)
.text:10089E00 ;   var_90 .. var_84  - four MD5 state words (initialised with the MD5 IV)
.text:10089E00 ;   var_80            - 16 dwords zeroed by rep stosd (64-byte MD5 block buffer)
.text:10089E00 ;   var_50 / var_4C / var_3E / var_3A - anchors used to address p_big_bordel,
.text:10089E00 ;                       the 64-byte array at esp+68h passed to AddMD5
.text:10089E00 var_A8 = dword ptr -0A8h
.text:10089E00 var_98 = dword ptr -98h
.text:10089E00 var_94 = dword ptr -94h
.text:10089E00 var_90 = dword ptr -90h
.text:10089E00 var_8C = dword ptr -8Ch
.text:10089E00 var_88 = dword ptr -88h
.text:10089E00 var_84 = dword ptr -84h
.text:10089E00 var_80 = dword ptr -80h
.text:10089E00 var_50 = dword ptr -50h
.text:10089E00 var_4C = dword ptr -4Ch
.text:10089E00 var_3E = dword ptr -3Eh
.text:10089E00 var_3A = dword ptr -3Ah
.text:10089E00 p_shuffle = dword ptr 4
.text:10089E00 p_buffer = dword ptr 8
.text:10089E00 i_size = dword ptr 0Ch
.text:10089E00
.text:10089E00 ; --- prologue: reserve locals, save the four callee-saved registers ---
.text:10089E00 sub esp, 98h
.text:10089E06 push ebx
.text:10089E07 push ebp
.text:10089E08 mov ebp, [esp+0A0h+p_shuffle] ; uint32_t *p_bordel = p_shuffle->p_bordel;
.text:10089E0F push esi
.text:10089E10 push edi
.text:10089E11 mov edi, i_secret ; edi = i_secret (global; 0 until the first call completes the decode)
.text:10089E17 test edi, edi
.text:10089E19 lea esi, [ebp+54h] ; esi = p_shuffle+54h, the dword table indexed below (presumably p_bordel)
.text:10089E1C jnz short loc_10089E83 ; if (i_secret == 0)
.text:10089E1E mov al, byte ptr aPbclevtugPNccyrPbzchgreVa ; "pbclevtug (p) Nccyr Pbzchgre, Vap. Nyy"...
.text:10089E23 test al, al ; p_secret2[ i_secret ] != '\0'
.text:10089E25 jz short loc_10089E7C ; empty string: skip the decode loop, still bump i_secret
.text:10089E27
.text:10089E27 ; The REVERSE is missing because it's a pre-processor macro
.text:10089E27 ; that is defined to <empty> at platforms where the bytes don't
.text:10089E27 ; need to be reversed.
.text:10089E27
.text:10089E27 ; First-call only: ROT13-decode the global string IN PLACE.
.text:10089E27 ; Register roles in the loop: edi = index, al = current char,
.text:10089E27 ; ecx = &string[edi] (write-back address), dl = decoded char.
.text:10089E27 mov ecx, offset aPbclevtugPNccyrPbzchgreVa ; "pbclevtug (p) Nccyr Pbzchgre, Vap. Nyy"...
.text:10089E2C lea esp, [esp+0] ; 4-byte NOP (alignment padding for the loop head)
.text:10089E30
.text:10089E30 ; First line of the ROT13 code.
.text:10089E30
.text:10089E30 loc_10089E30: ; CODE XREF: DoShuffle+7Aj
.text:10089E30 cmp al, 'A'
.text:10089E32 jl short loc_10089E4B ; not upper-case: try the lower-case range
.text:10089E34 cmp al, 'Z'
.text:10089E36 jg short loc_10089E4B
.text:10089E38 movsx eax, al
.text:10089E3B sub eax, '4' ; '4' = 34h = 'A' - 13, so eax = c - 'A' + 13
.text:10089E3E cdq ; sign-extend for idiv (eax is positive here)
.text:10089E3F mov ebx, 26
.text:10089E44 idiv ebx ; edx = (c - 'A' + 13) mod 26
.text:10089E46 add edx, 'A' ; dl = rotated upper-case char
.text:10089E49 jmp short loc_10089E69
.text:10089E4B ; ---------------------------------------------------------------------------
.text:10089E4B
.text:10089E4B ; Second line of the ROT13 code.
.text:10089E4B
.text:10089E4B loc_10089E4B: ; CODE XREF: DoShuffle+32j
.text:10089E4B ; DoShuffle+36j
.text:10089E4B cmp al, 'a'
.text:10089E4D jl short loc_10089E66 ; not a letter: pass through unchanged
.text:10089E4F cmp al, 'z'
.text:10089E51 jg short loc_10089E66
.text:10089E53 movsx eax, al
.text:10089E56 sub eax, 'T' ; 'T' = 54h = 'a' - 13, so eax = c - 'a' + 13
.text:10089E59 cdq
.text:10089E5A mov ebx, 26
.text:10089E5F idiv ebx ; edx = (c - 'a' + 13) mod 26
.text:10089E61 add edx, 'a' ; dl = rotated lower-case char
.text:10089E64 jmp short loc_10089E69
.text:10089E66 ; ---------------------------------------------------------------------------
.text:10089E66
.text:10089E66 loc_10089E66: ; CODE XREF: DoShuffle+4Dj
.text:10089E66 ; DoShuffle+51j
.text:10089E66 movsx edx, al ; non-letter: dl = c
.text:10089E69
.text:10089E69 loc_10089E69: ; CODE XREF: DoShuffle+49j
.text:10089E69 ; DoShuffle+64j
.text:10089E69 inc edi ; i_secret++ (from the for-loop)
.text:10089E6A mov [ecx], dl ; write the decoded char back over the global string
.text:10089E6C mov al, byte ptr aPbclevtugPNccyrPbzchgreVa[edi] ; "pbclevtug (p) Nccyr Pbzchgre, Vap. Nyy"...
.text:10089E72 test al, al ; p_secret2[ i_secret ] != '\0'; (for-loop condition)
.text:10089E74 lea ecx, aPbclevtugPNccyrPbzchgreVa[edi] ; "pbclevtug (p) Nccyr Pbzchgre, Vap. Nyy"...
.text:10089E7A jnz short loc_10089E30
.text:10089E7C
.text:10089E7C loc_10089E7C: ; CODE XREF: DoShuffle+25j
.text:10089E7C inc edi ; i_secret++ (from after the for loop)
.text:10089E7D mov i_secret, edi ; i_secret = strlen(p_secret2) + 1 - the NUL is counted, and this
.text:10089E7D ; length is later pushed as the byte count hashed by AddMD5
.text:10089E83
.text:10089E83 loc_10089E83: ; CODE XREF: DoShuffle+1Cj
.text:10089E83 ; --- command loop: 20 dwords at p_shuffle+4, each edits the esi table ---
.text:10089E83 ; Command word layout as decoded below: bits 8..9 = opcode (0..3),
.text:10089E83 ; low byte (cl) = operand; a zero word is a no-op.
.text:10089E83 ;   0: tbl[cl>>4] += (int16)word at (unk_100C5D46 - 2*cl)
.text:10089E83 ;   1: tbl[cl>>4] -= (int16)word at (unk_100C5B46 - 2*cl)
.text:10089E83 ;   2: tbl[cl>>4] ^= (int16)word at (unk_100C5946 - 2*cl)
.text:10089E83 ;   3: tbl[cl & 0Fh] = tbl[((cl>>4)+1) & 0Fh] + tbl[cl>>4]
.text:10089E83 ; Register roles: edx = &command, edi = remaining count, esi = table base.
.text:10089E83 lea edx, [ebp+4]
.text:10089E86 mov edi, 20 ; This is the 20 from the < 20 part of the next loop.
.text:10089E8B jmp short loc_10089E90
.text:10089E8B ; ---------------------------------------------------------------------------
.text:10089E8D align 10h
.text:10089E90
.text:10089E90 loc_10089E90: ; CODE XREF: DoShuffle+8Bj
.text:10089E90 ; DoShuffle+125j
.text:10089E90 mov eax, [edx]
.text:10089E92 test eax, eax
.text:10089E94 jz loc_10089F21 ; command == 0: nothing to do
.text:10089E9A mov cl, al ; cl = operand byte
.text:10089E9C shr eax, 8
.text:10089E9F and eax, 3 ; eax = opcode
.text:10089EA2 dec eax
.text:10089EA3 jz short loc_10089F03 ; opcode 1 -> subtract
.text:10089EA5 dec eax
.text:10089EA6 jz short loc_10089EE5 ; opcode 2 -> xor
.text:10089EA8 dec eax
.text:10089EA9 movzx eax, cl
.text:10089EAC jz short loc_10089EC9 ; opcode 3 -> add two table entries
.text:10089EAE mov ecx, eax ; opcode 0 -> add a table word (falls through)
.text:10089EB0 add eax, eax ; eax = 2*cl (word index)
.text:10089EB2 mov ebx, offset unk_100C5D46
.text:10089EB7 sub ebx, eax ; the word tables are indexed BACKWARDS from the symbol
.text:10089EB9 movsx eax, word ptr [ebx] ; sign-extended 16-bit table value
.text:10089EBC shr ecx, 4 ; ecx = cl >> 4 (table slot)
.text:10089EBF mov ebx, [esi+ecx*4]
.text:10089EC2 lea ecx, [esi+ecx*4] ; ecx = &tbl[slot] for the common store
.text:10089EC5 add ebx, eax
.text:10089EC7 jmp short loc_10089F1F
.text:10089EC9 ; ---------------------------------------------------------------------------
.text:10089EC9
.text:10089EC9 loc_10089EC9: ; CODE XREF: DoShuffle+ACj
.text:10089EC9 lea ecx, [eax+10h]
.text:10089ECC sar ecx, 4
.text:10089ECF and ecx, 0Fh ; ecx = ((cl>>4)+1) & 0Fh
.text:10089ED2 mov ecx, [esi+ecx*4]
.text:10089ED5 mov ebx, eax
.text:10089ED7 shr ebx, 4 ; ebx = cl >> 4
.text:10089EDA add ecx, [esi+ebx*4]
.text:10089EDD and eax, 0Fh ; destination slot = cl & 0Fh
.text:10089EE0 mov [esi+eax*4], ecx
.text:10089EE3 jmp short loc_10089F21
.text:10089EE5 ; ---------------------------------------------------------------------------
.text:10089EE5
.text:10089EE5 loc_10089EE5: ; CODE XREF: DoShuffle+A6j
.text:10089EE5 movzx eax, cl ; opcode 2: same addressing as opcode 0, different table and xor
.text:10089EE8 mov ecx, eax
.text:10089EEA add eax, eax
.text:10089EEC mov ebx, offset unk_100C5946
.text:10089EF1 sub ebx, eax
.text:10089EF3 movsx eax, word ptr [ebx]
.text:10089EF6 shr ecx, 4
.text:10089EF9 mov ebx, [esi+ecx*4]
.text:10089EFC lea ecx, [esi+ecx*4]
.text:10089EFF xor ebx, eax
.text:10089F01 jmp short loc_10089F1F
.text:10089F03 ; ---------------------------------------------------------------------------
.text:10089F03
.text:10089F03 loc_10089F03: ; CODE XREF: DoShuffle+A3j
.text:10089F03 movzx eax, cl ; opcode 1: same addressing as opcode 0, different table and sub
.text:10089F06 mov ecx, eax
.text:10089F08 add eax, eax
.text:10089F0A mov ebx, offset unk_100C5B46
.text:10089F0F sub ebx, eax
.text:10089F11 movsx eax, word ptr [ebx]
.text:10089F14 shr ecx, 4
.text:10089F17 mov ebx, [esi+ecx*4]
.text:10089F1A lea ecx, [esi+ecx*4]
.text:10089F1D sub ebx, eax
.text:10089F1F
.text:10089F1F loc_10089F1F: ; CODE XREF: DoShuffle+C7j
.text:10089F1F ; DoShuffle+101j
.text:10089F1F mov [ecx], ebx ; shared store: tbl[slot] = ebx (opcodes 0, 1, 2)
.text:10089F21
.text:10089F21 loc_10089F21: ; CODE XREF: DoShuffle+94j
.text:10089F21 ; DoShuffle+E3j
.text:10089F21 add edx, 4 ; next command
.text:10089F24 dec edi
.text:10089F25 jnz loc_10089E90
.text:10089F2B mov eax, [ebp+0] ; eax = p_shuffle->i_version (per the author's annotation at 1008A048)
.text:10089F2E cmp eax, 1000300h
.text:10089F33 jz short loc_10089F3C
.text:10089F35 cmp eax, 1000400h
.text:10089F3A jnz short loc_10089F58 ; other versions skip the four extra passes
.text:10089F3C
.text:10089F3C loc_10089F3C: ; CODE XREF: DoShuffle+133j
.text:10089F3C ; Versions 1000300h / 1000400h only: four unnamed helpers are run on the
.text:10089F3C ; esi table.  They use register arguments (ecx, then eax plus one pushed
.text:10089F3C ; dword) rather than cdecl; what they compute is not visible here.
.text:10089F3C mov ecx, esi
.text:10089F3E call sub_100885B0
.text:10089F43 push eax ; result of the previous call is the stack argument of the next
.text:10089F44 mov eax, esi
.text:10089F46 call sub_100888A0
.text:10089F4B add esp, 4
.text:10089F4E call sub_10088B90
.text:10089F53 call sub_10088CD0
.text:10089F58
.text:10089F58 loc_10089F58: ; CODE XREF: DoShuffle+13Aj
.text:10089F58 ; --- MD5 context set-up (InitMD5 inlined): zero the 64-byte block buffer
.text:10089F58 ; at var_80 (16 dwords), load the standard MD5 IV into var_90..var_84,
.text:10089F58 ; and zero the two leading dwords at var_98/var_94.
.text:10089F58 xor eax, eax
.text:10089F5A mov ecx, 10h ; 16 dwords to clear
.text:10089F5F
.text:10089F5F ; InitMD5 was inlined
.text:10089F5F
.text:10089F5F lea edi, [esp+0A8h+var_80]
.text:10089F63 mov [esp+0A8h+var_90], 67452301h ; MD5 IV word A
.text:10089F6B mov [esp+0A8h+var_8C], 0EFCDAB89h ; MD5 IV word B
.text:10089F73 mov [esp+0A8h+var_88], 98BADCFEh ; MD5 IV word C
.text:10089F7B mov [esp+0A8h+var_84], 10325476h ; MD5 IV word D
.text:10089F83 rep stosd ; clear the block buffer
.text:10089F85 xor ecx, ecx
.text:10089F87 lea edi, [esp+0A8h+var_3E]
.text:10089F8B lea ebp, [esp+0A8h+var_3A]
.text:10089F8F sub edi, esi ; edi = (dest - src) delta so [edi+eax-10h] addresses p_big_bordel
.text:10089F91 mov [esp+0A8h+var_98], ecx
.text:10089F95 mov [esp+0A8h+var_94], ecx
.text:10089F99 lea eax, [esi+6] ; eax = p_bordel + 6 (biased source cursor, +10h per iteration)
.text:10089F9C sub ebp, esi ; ebp is repurposed as a second delta here; p_shuffle is reloaded
.text:10089F9C ; from the stack at 1008A037 because of this
.text:10089F9E mov edi, edi ; 2-byte NOP (loop-head alignment)
.text:10089FA0
.text:10089FA0 ; for( i = 0; i < 16; i++ )
.text:10089FA0 ; Unrolled x4: each iteration assembles four dwords of p_big_bordel from
.text:10089FA0 ; p_bordel bytes in big-endian order (b0<<24 | b1<<16 | b2<<8 | b3).
.text:10089FA0 ; ecx counts dwords produced (4, 8, 12, 16) and also indexes the stores.
.text:10089FA0
.text:10089FA0 loc_10089FA0: ; CODE XREF: DoShuffle+221j
.text:10089FA0 xor edx, edx
.text:10089FA2
.text:10089FA2 ; U32_AT is a preprocessor macro that's expanded to function
.text:10089FA2 ; which is then inlined.
.text:10089FA2
.text:10089FA2 mov dh, [eax-6] ; byte 0 of this 4-byte group
.text:10089FA5 movzx esi, byte ptr [eax-4] ; byte 2
.text:10089FA9 add ecx, 4
.text:10089FAC add eax, 10h ; advance the source cursor by 16 bytes for this iteration
.text:10089FAF mov dl, [eax-15h] ; byte 1 (offsets below are relative to the advanced cursor)
.text:10089FB2 shl edx, 8
.text:10089FB5 or edx, esi
.text:10089FB7 movzx esi, byte ptr [eax-13h] ; byte 3
.text:10089FBB shl edx, 8
.text:10089FBE or edx, esi
.text:10089FC0 mov [esp+ecx*4+0A8h+var_50], edx ; p_big_bordel[i+0]
.text:10089FC4 xor edx, edx
.text:10089FC6 mov dh, [eax-12h]
.text:10089FC9 movzx esi, byte ptr [eax-10h]
.text:10089FCD mov dl, [eax-11h]
.text:10089FD0 shl edx, 8
.text:10089FD3 or edx, esi
.text:10089FD5 movzx esi, byte ptr [eax-0Fh]
.text:10089FD9 shl edx, 8
.text:10089FDC or edx, esi
.text:10089FDE movzx esi, byte ptr [eax-0Ch]
.text:10089FE2 mov [esp+ecx*4+0A8h+var_4C], edx ; p_big_bordel[i+1]
.text:10089FE6 xor edx, edx
.text:10089FE8 mov dh, [eax-0Eh]
.text:10089FEB mov dl, [eax-0Dh]
.text:10089FEE shl edx, 8
.text:10089FF1 or edx, esi
.text:10089FF3 movzx esi, byte ptr [eax-0Bh]
.text:10089FF7 shl edx, 8
.text:10089FFA or edx, esi
.text:10089FFC movzx esi, byte ptr [eax-8]
.text:1008A000 mov [edi+eax-10h], edx ; p_big_bordel[i+2] (via the edi delta)
.text:1008A004 xor edx, edx
.text:1008A006 mov dh, [eax-0Ah]
.text:1008A009 mov dl, [eax-9]
.text:1008A00C shl edx, 8
.text:1008A00F or edx, esi
.text:1008A011 movzx esi, byte ptr [eax-7]
.text:1008A015 shl edx, 8
.text:1008A018 or edx, esi
.text:1008A01A cmp ecx, 16
.text:1008A01D mov [eax+ebp-10h], edx ; p_big_bordel[i+3] (via the ebp delta)
.text:1008A021 jb loc_10089FA0 ; unsigned compare on the counter
.text:1008A027 lea eax, [esp+68h] ; esp+68h = 0A8h-40h: start of the 64-byte p_big_bordel
.text:1008A02B push 64
.text:1008A02D push eax
.text:1008A02E lea ebx, [esp+0B0h+var_98] ; ebx = &md5 context (register argument of sub_10088200)
.text:1008A032 call sub_10088200 ; AddMD5( &md5, (uint8_t *)p_big_bordel, 64 );
.text:1008A037 mov ecx, [esp+0B0h+p_shuffle] ; reload p_shuffle (ebp no longer holds it)
.text:1008A03E mov eax, [ecx]
.text:1008A040 add esp, 8
.text:1008A043 cmp eax, 1000300h
.text:1008A048 jz short loc_1008A051 ; if( p_shuffle->i_version == 0x01000300 )
.text:1008A04A cmp eax, 1000400h
.text:1008A04F jnz short loc_1008A078 ; any other version: hash p_big_bordel only, skip both secrets
.text:1008A051
.text:1008A051 loc_1008A051: ; CODE XREF: DoShuffle+248j
.text:1008A051 push 80h ; sizeof(p_secret1) = 128 bytes
.text:1008A056 push offset unk_10108018
.text:1008A05B lea ebx, [esp+0B0h+var_98]
.text:1008A05F call sub_10088200 ; AddMD5( &md5, (uint8_t *)p_secret1, sizeof(p_secret1) );
.text:1008A064 mov edx, i_secret ; strlen+1 from the first-call decode, so the NUL is hashed too
.text:1008A06A push edx
.text:1008A06B push offset aPbclevtugPNccyrPbzchgreVa ; "pbclevtug (p) Nccyr Pbzchgre, Vap. Nyy"...
.text:1008A070 call sub_10088200 ; AddMD5( &md5, (uint8_t *)p_secret2, i_secret );
.text:1008A075 add esp, 10h ; pop the four pushed arguments (ebx is untouched between the calls)
.text:1008A078
.text:1008A078 loc_1008A078: ; CODE XREF: DoShuffle+24Fj
.text:1008A078 lea esi, [esp+0A8h+var_98] ; esi = &md5 context (register argument of sub_10088320)
.text:1008A07C call sub_10088320 ; EndMD5( &md5 );
.text:1008A081 mov edx, [esp+0A8h+i_size]
.text:1008A088 test edx, edx
.text:1008A08A jbe short loc_1008A0AF ; This is the initial for-loop condition check
.text:1008A08A ; (test clears CF, so jbe here is just "i_size == 0")
.text:1008A08C mov eax, [esp+0A8h+p_buffer]
.text:1008A093 lea ecx, [esp+0A8h+var_90]
.text:1008A097 sub ecx, eax ; ecx = (&md5 state - p_buffer): [ecx+eax] walks the digest in step with eax
.text:1008A099 lea esp, [esp+0] ; NOP padding
.text:1008A0A0
.text:1008A0A0 ; for( i = 0; i < i_size; i++ )
.text:1008A0A0 ; NOTE(review): the digest at var_90 is four dwords, but i_size is not
.text:1008A0A0 ; bounded here - a caller passing more than 4 would read past the digest
.text:1008A0A0 ; into the context buffer and then past the frame; confirm every caller
.text:1008A0A0 ; keeps i_size <= 4.
.text:1008A0A0
.text:1008A0A0 loc_1008A0A0: ; CODE XREF: DoShuffle+2ADj
.text:1008A0A0 mov ebx, [eax]
.text:1008A0A2 mov esi, [ecx+eax]
.text:1008A0A5 xor ebx, esi
.text:1008A0A7 mov [eax], ebx ; p_buffer[ i ] ^= md5.p_digest[ i ];
.text:1008A0A9 add eax, 4
.text:1008A0AC dec edx
.text:1008A0AD jnz short loc_1008A0A0
.text:1008A0AF
.text:1008A0AF loc_1008A0AF: ; CODE XREF: DoShuffle+28Aj
.text:1008A0AF ; --- epilogue: restore callee-saved registers in reverse push order ---
.text:1008A0AF pop edi
.text:1008A0B0 pop esi
.text:1008A0B1 pop ebp
.text:1008A0B2 pop ebx
.text:1008A0B3 add esp, 98h
.text:1008A0B9 retn ; cdecl: no immediate, caller removes the three arguments
.text:1008A0B9 DoShuffle endp
.text:1008A0B9
.text:1008A0B9 ; ---------------------------------------------------------------------------