Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Anyone knows this cipher? (https://forum.exetools.com/showthread.php?t=19438)

squareD 02-16-2020 23:11

Anyone knows this cipher?
 
Does any of the reversers here know the cipher of this code snippet?

Code:

00DFC1DB | C1CD 16                  | ror ebp,16                          |
00DFC1DE | 33EB                    | xor ebp,ebx                        |
00DFC1E0 | C1CB 0B                  | ror ebx,B                          |
00DFC1E3 | 33EB                    | xor ebp,ebx                        |
00DFC1E5 | 03C5                    | add eax,ebp                        |
00DFC1E7 | 894424 20                | mov dword ptr ss:[esp+20],eax      |
00DFC1EB | 8B7C24 14                | mov edi,dword ptr ss:[esp+14]      |
00DFC1EF | 337C24 18                | xor edi,dword ptr ss:[esp+18]      |
00DFC1F3 | 23FA                    | and edi,edx                        |
00DFC1F5 | 337C24 18                | xor edi,dword ptr ss:[esp+18]      |
00DFC1F9 | 8BEA                    | mov ebp,edx                        |
00DFC1FB | C1CA 06                  | ror edx,6                          |
00DFC1FE | C1CD 19                  | ror ebp,19                          |
00DFC201 | 037E 04                  | add edi,dword ptr ds:[esi+4]        |
00DFC204 | 037C24 5C                | add edi,dword ptr ss:[esp+5C]      |
00DFC208 | 037C24 1C                | add edi,dword ptr ss:[esp+1C]      |
00DFC20C | 33EA                    | xor ebp,edx                        |
00DFC20E | C1CA 05                  | ror edx,5                          |
00DFC211 | 33EA                    | xor ebp,edx                        |

This snippet with lot's of ROR commands is repeated may be 10 times or more...
I searched in whole cipher sources I own, not only ROR xxx, 16, ROR xxx, 22, >> 16, >> 22 and so on.
Nothing to be found!

ketan 02-17-2020 12:26

alike shifts are e.g. in sha256, haval

longer snippet or binary target will help to identify better.

squareD 02-17-2020 17:35

1 Attachment(s)
The target is Breakaway One v3.19.43 and the shown offsets are done without ALSR to make them comparable.
Complete code of the call is in attachement.

ketan 02-23-2020 11:40

It is sha256 transform


All times are GMT +8. The time now is 21:28.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX