Exetools  

#1
02-16-2020, 23:11
squareD
Anyone knows this cipher?

Does any of the reversers here know the cipher of this code snippet?

Code:
00DFC1DB | C1CD 16                  | ror ebp,16                          |
00DFC1DE | 33EB                     | xor ebp,ebx                         |
00DFC1E0 | C1CB 0B                  | ror ebx,B                           |
00DFC1E3 | 33EB                     | xor ebp,ebx                         |
00DFC1E5 | 03C5                     | add eax,ebp                         |
00DFC1E7 | 894424 20                | mov dword ptr ss:[esp+20],eax       |
00DFC1EB | 8B7C24 14                | mov edi,dword ptr ss:[esp+14]       |
00DFC1EF | 337C24 18                | xor edi,dword ptr ss:[esp+18]       |
00DFC1F3 | 23FA                     | and edi,edx                         |
00DFC1F5 | 337C24 18                | xor edi,dword ptr ss:[esp+18]       |
00DFC1F9 | 8BEA                     | mov ebp,edx                         |
00DFC1FB | C1CA 06                  | ror edx,6                           |
00DFC1FE | C1CD 19                  | ror ebp,19                          |
00DFC201 | 037E 04                  | add edi,dword ptr ds:[esi+4]        |
00DFC204 | 037C24 5C                | add edi,dword ptr ss:[esp+5C]       |
00DFC208 | 037C24 1C                | add edi,dword ptr ss:[esp+1C]       |
00DFC20C | 33EA                     | xor ebp,edx                         |
00DFC20E | C1CA 05                  | ror edx,5                           |
00DFC211 | 33EA                     | xor ebp,edx                         |
This snippet with lots of ROR commands is repeated maybe 10 times or more...
I searched all the cipher sources I own, not only for ROR xxx, 16, ROR xxx, 22, >> 16, >> 22 and so on.
Nothing to be found!
__________________
The three worst enemies of the reversers: sun , fresh air and especially this unbearable roar of birds ...
#2
02-17-2020, 12:26
ketan
alike shifts are e.g. in sha256, haval

longer snippet or binary target will help to identify better.
#3
02-17-2020, 17:35
squareD
The target is Breakaway One v3.19.43 and the shown offsets are done without ASLR to make them comparable.
The complete code of the call is in the attachment.
Attached Files
File Type: txt derAlgo.txt (100.9 KB, 10 views)
#4
02-23-2020, 11:40
ketan
It is sha256 transform
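
The identification given in post #4 can be checked by replaying the posted instructions against the SHA-256 round functions from FIPS 180-4. This is an added example, not part of the thread or of the target's code; the function names are hypothetical, and the entry state used for the first four instructions (ebp = a, ebx = a rotated right by 2) is an assumption, since the preceding instructions are not shown.

```python
import random

MASK = 0xFFFFFFFF

def ror(x, n):
    """32-bit rotate right, like the x86 ROR instruction."""
    return ((x >> n) | (x << (32 - n))) & MASK

# SHA-256 round functions as defined in FIPS 180-4.
def big_sigma0(a):
    return ror(a, 2) ^ ror(a, 13) ^ ror(a, 22)

def big_sigma1(e):
    return ror(e, 6) ^ ror(e, 11) ^ ror(e, 25)

def ch(e, f, g):
    return (e & f) ^ (~e & g & MASK)

def emulate_head(ebp, ebx):
    """Replay 00DFC1DB..00DFC1E3. Returns ebp."""
    ebp = ror(ebp, 0x16)   # ror ebp,16
    ebp ^= ebx             # xor ebp,ebx
    ebx = ror(ebx, 0x0B)   # ror ebx,B
    return ebp ^ ebx       # xor ebp,ebx

def emulate_tail(edx, m14, m18):
    """Replay 00DFC1EB..00DFC211 without the three 'add edi,...' lines,
    whose memory operands are not known from the snippet. Returns (edi, ebp)."""
    edi = m14 ^ m18        # mov edi,[esp+14] / xor edi,[esp+18]
    edi &= edx             # and edi,edx
    edi ^= m18             # xor edi,[esp+18]
    ebp = edx              # mov ebp,edx
    edx = ror(edx, 6)      # ror edx,6
    ebp = ror(ebp, 0x19)   # ror ebp,19
    ebp ^= edx             # xor ebp,edx
    edx = ror(edx, 5)      # ror edx,5 (6 + 5 = 11 in total)
    return edi, ebp ^ edx  # xor ebp,edx

def snippet_matches_sha256(trials=1000, seed=0):
    rng = random.Random(seed)   # constructed random register values
    for _ in range(trials):
        a, e, f, g = (rng.getrandbits(32) for _ in range(4))
        # Assumption: on entry ebp = a and ebx = ror(a, 2), by analogy
        # with the visible 'mov ebp,edx / ror edx,6' pattern.
        if emulate_head(a, ror(a, 2)) != big_sigma0(a):
            return False
        if emulate_tail(e, f, g) != (ch(e, f, g), big_sigma1(e)):
            return False
    return True

if __name__ == "__main__":
    print("matches SHA-256 round functions:", snippet_matches_sha256())
```

The debugger prints rotate counts in hexadecimal, so `ror ebp,16` is a rotation by 22 and `ror ebp,19` a rotation by 25, and the second `ror` on the same register is cumulative (6 + 5 = 11).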