Thread: ckinfo+ rev.1
03-25-2015, 05:35
raduga_fb
ckinfo+ rev.1

I made some modifications & corrections.

* Mistyped constants are corrected.
* A new section (size 0x10000) for inline code & constant pairs is added to keep backward compatibility.
* Inline code is written to address 045B000.
* Constants are written to address 045B600.

I have just replaced the constant pairs in the previous release. It means I did not keep the original constant pairs which were used for old versions. This time, the program is diverted at 3 places to new code & constants. Now it works for all versions (up to 7.8).

The new section size is quite enough for future modifications & additions.

0040388D CMP DWORD PTR DS:[EBX],20 <- first constant pairs
00403890 JB 004037D6
00403896 MOV EAX,DWORD PTR SS:[ESP+20]
0040389A INC DWORD PTR DS:[EAX]
0040389C CMP DWORD PTR DS:[EAX],20
0040389F JB 004037D0 <- second constant pairs
004038A5 POP EDI <- could not be decrypted

004038A5 JMP 0045B0CA <- divert it to our new code


@control_1: ; 45b0ca
cmp byte ptr [@counter], 2 ; for future version purpose
jne @f
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
retn
@@:
push eax
xor eax, eax
mov al, byte ptr [@counter] ; counter
add eax, 1
mov byte ptr [@counter], al ; increase it
pop eax
mov dword ptr [eax], 0 ; we will try with new constants, therefore set it to zero
jmp 004037D0 ; try again


When ckinfo cannot decrypt, we divert it here and the counter is set to 1.

Now, it is time to use new constants ->

00402DC3 CMP EAX,60000003 <- divert it -> JMP 0045B0FA
00402DC8 JNE SHORT 00402DD3
00402DCA MOV EDI,DWORD PTR DS:[ECX*4+43F008] <- one of constant pairs
00402DD1 JMP SHORT 00402E01
...


@part_2: ; 45b0fa
cmp eax, 60000003 ; original code
jne @table_6

@table_5:
cmp byte ptr [@counter], 0 ; is counter set ?
jne @f ; yes, use new constant
MOV EDI,DWORD PTR DS:[ECX*4+43F008] ; no, use old
JMP 00402E01
@@:
mov edi, 045e756 ; new constant pairs
imul ecx, ecx, 2C ; distance between constants
jmp @goback_2 ;


@goback_2:
sub edi, ecx ; find the new constant
JMP 00402E01 ; go to original code

There are 8 constant tables in total. Just look at the new code for details.

I would like to thank "thewd" again for the awesome tool "ckinfo". It is designed perfectly, therefore it deserves to be inlined / saved for new versions of Crypkey as much as I can :-)

Regards,

raduga_fb
March 25, 2015
Attached Files
File Type: rar ckInfo+.rar (140.1 KB, 195 views)