Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page Need help identifying modified blowfish algo
Register Forum Rules FAQ Calendar

Notices

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 10-05-2020, 20:23
dion dion is offline
game tech
  
Join Date: Jan 2002
Posts: 173
Rept. Given: 16
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 8
Thanks Rcvd at 13 Times in 8 Posts
dion Reputation: 2
Need help identifying modified blowfish algo
Hello,

i am working on an arm linux elf file that has blowfish encryption algorithm inside. But whatever i did to reproduce them, i can't get the same results. this is what it's like in decompiled form.

Code:
unsigned int __fastcall CBlowFish::Encode(CBlowFish *this, unsigned __int8 *a2, unsigned __int8 *a3, unsigned int a4)

{
  v4 = a3;
  v26 = a2;
  v23 = a4;
  v25 = this;
  v5 = CBlowFish::GetOutputLength(this, a4);
  v6 = v5;
  if ( v5 )
  {
    v7 = 0;
    v8 = v23;
    v9 = (unsigned int *)v4;
    v10 = (unsigned int *)v26;
    v24 = v23 - 7;
    v22 = v5 - v23;
    do
    {
      if ( v26 == v4 )
      {
        if ( v7 >= v24 )
        {
          v11 = (char *)v10 + v23;
          if ( v22 > 0 )
          {
            v12 = (int)&v11[v22];
            do
              *v11++ = 0;
            while ( v11 != (_BYTE *)v12 );
          }
        }
        v13 = v10;
        v14 = v10 + 1;
        v10 += 2;
        CBlowFish::Blowfish_encipher(v25, v13, v14);
        goto LABEL_9;
      }
      if ( v7 >= v24 )
      {
        v17 = v8;
        if ( v8 <= 0 )
        {
          v21 = (int)v9;
          v17 = 0;
        }
        else
        {
          v18 = 0;
          do
          {
            *((_BYTE *)v9 + v18) = *((_BYTE *)v10 + v18);
            ++v18;
          }
          while ( v8 != v18 );
          v21 = (int)v9 + v8;
          v10 = (unsigned int *)((char *)v10 + v8);
          if ( v8 > 7 )
            goto LABEL_14;
        }
        v19 = v21 - v17;
        v20 = v17;
        do
          *(_BYTE *)(v19 + v20++) = 0;
        while ( v20 <= 7 );
      }
      else
      {
        v16 = 0;
        do
        {
          *((_BYTE *)v9 + v16) = *((_BYTE *)v10 + v16);
          ++v16;
        }
        while ( v16 != 8 );
      }
LABEL_14:
      v10 += 2;
      CBlowFish::Blowfish_encipher(v25, v9, v9 + 1);
      v9 += 2;
LABEL_9:
      v7 += 8;
      v8 -= 8;
    }
    while ( v6 > v7 );
  }
  return v6;
Code:
int __fastcall CBlowFish::Blowfish_encipher(CBlowFish *this, unsigned int *a2, unsigned int *a3)

 v3 = *(_DWORD **)this;
  v4 = *((_DWORD *)this + 1);
  v5 = *a2 ^ **(_DWORD **)this;
  v6 = *(_DWORD *)(*(_DWORD *)this + 20);
  v7 = *a3 ^ (((*(_DWORD *)(v4 + 4 * ((v5 >> 16) & 0xFF) + 1024) + *(_DWORD *)(v4 + 4 * (v5 >> 24))) ^ *(_DWORD *)(v4 + 4 * ((unsigned __int16)v5 >> 8) + 2048))
            + *(_DWORD *)(v4 + 4 * (unsigned __int8)v5 + 3072)) ^ *(_DWORD *)(*(_DWORD *)this + 4);
  v8 = *(_DWORD *)(*(_DWORD *)this + 24);
  v9 = v5 ^ (((*(_DWORD *)(v4 + 4 * ((v7 >> 16) & 0xFF) + 1024) + *(_DWORD *)(v4 + 4 * (v7 >> 24))) ^ *(_DWORD *)(v4 + 4 * ((unsigned __int16)v7 >> 8) + 2048))
           + *(_DWORD *)(v4 + 4 * (unsigned __int8)v7 + 3072));
  v10 = *(_DWORD *)(*(_DWORD *)this + 32);
  v11 = v9 ^ *(_DWORD *)(*(_DWORD *)this + 8);
  v12 = *(_DWORD *)(*(_DWORD *)this + 28);
  v13 = *(_DWORD *)(*(_DWORD *)this + 36);
  v14 = *(_DWORD *)(*(_DWORD *)this + 40);
  v15 = *(_DWORD *)(*(_DWORD *)this + 44);
  v16 = (((*(_DWORD *)(v4 + 4 * ((v11 >> 16) & 0xFF) + 1024) + *(_DWORD *)(v4 + 4 * (v11 >> 24))) ^ *(_DWORD *)(v4 + 4 * ((unsigned __int16)v11 >> 8) + 2048))
       + *(_DWORD *)(v4 + 4 * (unsigned __int8)v11 + 3072)) ^ *(_DWORD *)(*(_DWORD *)this + 12) ^ v7;
  v17 = v3[17];
  v18 = (((*(_DWORD *)(v4 + 4 * ((v16 >> 16) & 0xFF) + 1024) + *(_DWORD *)(v4 + 4 * (v16 >> 24))) ^ *(_DWORD *)(v4 + 4 * ((unsigned __int16)v16 >> 8) + 2048))
       + *(_DWORD *)(v4 + 4 * (unsigned __int8)v16 + 3072)) ^ v3[4] ^ v11;
  v19 = v3[16];
  v20 = (((*(_DWORD *)(v4 + 4 * ((v18 >> 16) & 0xFF) + 1024) + *(_DWORD *)(v4 + 4 * (v18 >> 24))) ^ *(_DWORD *)(v4 + 4 * ((unsigned __int16)v18 >> 8) + 2048))
       + *(_DWORD *)(v4 + 4 * (unsigned __int8)v18 + 3072)) ^ v6 ^ v16;
  v21 = (((*(_DWORD *)(v4 + 4 * ((v20 >> 16) & 0xFF) + 1024) + *(_DWORD *)(v4 + 4 * (v20 >> 24))) ^ *(_DWORD *)(v4 + 4 * ((unsigned __int16)v20 >> 8) + 2048))
       + *(_DWORD *)(v4 + 4 * (unsigned __int8)v20 + 3072)) ^ v8 ^ v18;
  v22 = (((*(_DWORD *)(v4 + 4 * ((v21 >> 16) & 0xFF) + 1024) + *(_DWORD *)(v4 + 4 * (v21 >> 24))) ^ *(_DWORD *)(v4 + 4 * ((unsigned __int16)v21 >> 8) + 2048))
       + *(_DWORD *)(v4 + 4 * (unsigned __int8)v21 + 3072)) ^ v12 ^ v20;
  v23 = (((*(_DWORD *)(v4 + 4 * ((v22 >> 16) & 0xFF) + 1024) + *(_DWORD *)(v4 + 4 * (v22 >> 24))) ^ *(_DWORD *)(v4 + 4 * ((unsigned __int16)v22 >> 8) + 2048))
       + *(_DWORD *)(v4 + 4 * (unsigned __int8)v22 + 3072)) ^ v10 ^ v21;
  v24 = (((*(_DWORD *)(v4 + 4 * ((v23 >> 16) & 0xFF) + 1024) + *(_DWORD *)(v4 + 4 * (v23 >> 24))) ^ *(_DWORD *)(v4 + 4 * ((unsigned __int16)v23 >> 8) + 2048))
       + *(_DWORD *)(v4 + 4 * (unsigned __int8)v23 + 3072)) ^ v13 ^ v22;
  v25 = (((*(_DWORD *)(v4 + 4 * ((v24 >> 16) & 0xFF) + 1024) + *(_DWORD *)(v4 + 4 * (v24 >> 24))) ^ *(_DWORD *)(v4 + 4 * ((unsigned __int16)v24 >> 8) + 2048))
       + *(_DWORD *)(v4 + 4 * (unsigned __int8)v24 + 3072)) ^ v14 ^ v23;
  v26 = (((*(_DWORD *)(v4 + 4 * ((v25 >> 16) & 0xFF) + 1024) + *(_DWORD *)(v4 + 4 * (v25 >> 24))) ^ *(_DWORD *)(v4 + 4 * ((unsigned __int16)v25 >> 8) + 2048))
       + *(_DWORD *)(v4 + 4 * (unsigned __int8)v25 + 3072)) ^ v15 ^ v24;
  v27 = (((*(_DWORD *)(v4 + 4 * ((v26 >> 16) & 0xFF) + 1024) + *(_DWORD *)(v4 + 4 * (v26 >> 24))) ^ *(_DWORD *)(v4 + 4 * ((unsigned __int16)v26 >> 8) + 2048))
       + *(_DWORD *)(v4 + 4 * (unsigned __int8)v26 + 3072)) ^ v3[12] ^ v25;
  v28 = (((*(_DWORD *)(v4 + 4 * ((v27 >> 16) & 0xFF) + 1024) + *(_DWORD *)(v4 + 4 * (v27 >> 24))) ^ *(_DWORD *)(v4 + 4 * ((unsigned __int16)v27 >> 8) + 2048))
       + *(_DWORD *)(v4 + 4 * (unsigned __int8)v27 + 3072)) ^ v3[13] ^ v26;
  v29 = (((*(_DWORD *)(v4 + 4 * ((v28 >> 16) & 0xFF) + 1024) + *(_DWORD *)(v4 + 4 * (v28 >> 24))) ^ *(_DWORD *)(v4 + 4 * ((unsigned __int16)v28 >> 8) + 2048))
       + *(_DWORD *)(v4 + 4 * (unsigned __int8)v28 + 3072)) ^ v3[14] ^ v27;
  v30 = (((*(_DWORD *)(v4 + 4 * ((v29 >> 16) & 0xFF) + 1024) + *(_DWORD *)(v4 + 4 * (v29 >> 24))) ^ *(_DWORD *)(v4 + 4 * ((unsigned __int16)v29 >> 8) + 2048))
       + *(_DWORD *)(v4 + 4 * (unsigned __int8)v29 + 3072)) ^ v3[15] ^ v28;
  v31 = v4 + 4 * ((unsigned __int16)v30 >> 8);
  v32 = *(_DWORD *)(v4 + 4 * (v30 >> 24));
  v33 = v4 + 4 * (unsigned __int8)v30;
  v34 = *(_DWORD *)(v4 + 4 * ((v30 >> 16) & 0xFF) + 1024);
  result = v30 ^ v17;
  *a3 = (((v34 + v32) ^ *(_DWORD *)(v31 + 2048)) + *(_DWORD *)(v33 + 3072)) ^ v19 ^ v29;
  *a2 = result;
  return result;
i upload the elf file here in case someone interested.
hxxps://filebin.net/yordbkvlpmofbaem

thanks in advance
Reply With Quote
 

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Identifying compiler version from .NET binary jonwil General Discussion 2 06-25-2020 03:15
Identifying licenses / users from packed executables Notmex General Discussion 6 12-07-2013 03:32
Blowfish encryption lonewolf55 General Discussion 2 09-18-2003 02:08


All times are GMT +8. The time now is 22:50.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )