03-25-2015, 05:35
raduga_fb
ckinfo+ rev.1

I made some modifications & corrections.

* Mistyped constants are corrected.
* A new section (0x10000 size) for inline code & constant pairs is added to keep backward compatibility.
* Inline code is written to address 045B000.
* Constants are written to address 045B600.

I just replaced the constant pairs in the previous release. That means I did not keep the original constant pairs which were used for old versions. This time, the program is diverted at 3 places to new code & constants. Now it works for all versions (up to 7.8).

The new section size is quite enough for future modifications & additions.

0040388D CMP DWORD PTR DS:[EBX],20 <- first constant pairs
00403890 JB 004037D6
00403896 MOV EAX,DWORD PTR SS:[ESP+20]
0040389A INC DWORD PTR DS:[EAX]
0040389C CMP DWORD PTR DS:[EAX],20
0040389F JB 004037D0 <- second constant pairs
004038A5 POP EDI <- could not be decrypted

004038A5 JMP 0045B0CA <- divert it to our new code


@control_1: ; 45b0ca
cmp byte ptr [@counter], 2 <- for future version purpose
jne @f
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
retn
@@:
push eax
xor eax,eax
mov al, byte ptr [@counter] <- counter
add eax, 1
mov byte ptr [@counter], al <- increase it
pop eax
mov dword ptr [eax], 0 <- we will try with new constants. therefore, set it to zero
jmp 004037D0 <- try again


When ckinfo cannot decrypt, we divert it here and the counter is set to 1.

Now, it is time to use new constants ->

00402DC3 CMP EAX,60000003 <- divert it -> JMP 0045B0FA
00402DC8 JNE SHORT 00402DD3
00402DCA MOV EDI,DWORD PTR DS:[ECX*4+43F008] <- one of constant pairs
00402DD1 JMP SHORT 00402E01
...


@part_2: ; 45b0fa
cmp eax, 60000003 ; original code
jne @table_6

@table_5:
cmp byte ptr [@counter], 0 ; is counter set ?
jne @f ; yes, use new constant
MOV EDI,DWORD PTR DS:[ECX*4+43F008] ; no, use old
JMP 00402E01
@@:
mov edi, 045e756 ; new constant pairs
imul ecx, ecx, 2C ; distance between constants
jmp @goback_2 ;


@goback_2:
sub edi, ecx ; find the new constant
JMP 00402E01 ; go to original code

There are 8 constant tables in total. Just look at the new code for details.

I would like to thank "thewd" again for the awesome tool "ckinfo". It is designed perfectly; therefore it deserves to be inlined / saved for new versions of Crypkey as much as I can :-)

Regards,

raduga_fb
March 25, 2015