Thursday, 15 October 2009

crackme12 - bruteforce 3

Since my last post I tried starting from scratch, and as far as I can tell the first byte used to XOR the binary is in fact 0x95.
So what I've found out until now is that:
a) a file named iss.rba must exist and must have the HIDDEN attribute
b) a checksum is verified (I'm ignoring this checksum for the time being: I just flip the zero flag in the debugger and carry on)
c) the first byte of the file is used to XOR all the bytes from 0x401145 to 0x4012AB
d) after this loop there is a test; if the file starts like this:

  x0    | x1 | x2 | x3 | x4
0x95  | x1 | x2 | x3 | x4

x2 ^ x3 ^ x4 ^ 0xAB must equal 0

If the test succeeds, the binary proceeds to decipher bytes 0x4011B6 up to 0x4011A8.
Unlike the first loop, which XORed every byte with the same key byte, this one XORs one dword at a time with x1x2x3x4, so the key space is 2^32 and, from what I can tell, brute-forcing "blindly" is something I want to stay clear of.

I thought there should be a sequence of bytes in this new block that had already appeared earlier in the binary. In particular, the error-message routine, which pushes the caption and the message and then calls MessageBoxA, should exist there too, so I copied the opcodes of the pushes before the call to MessageBoxA (the call itself is of no use, since its operand is relative to the current position, but the push operands are absolute) and wrote a script that walked the key from 0x0 to 0xFFFFFFFF looking for a decryption that contained that sequence of bytes. This didn't work.
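The two XOR layers described above, together with a known-plaintext way of recovering the dword key that avoids walking 0x0 to 0xFFFFFFFF, as an added example that is not part of the original post or of the crackme itself. The opcodes, string addresses, file bytes and block layout are all made up; it assumes the dword key is applied in file byte order, one dword at a time, and that the push sequence (or some other fragment of at least four known bytes) really does occur inside the block being decrypted.

```python
# Added example (not the crackme's code): models the two XOR layers the post
# describes and recovers the dword key by known plaintext instead of trying
# all 2^32 values. Every byte below is constructed; the real addresses, sizes
# and opcodes in crackme12 are assumptions, not taken from it.


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Stage (c): every byte of the range is XORed with one key byte (x0)."""
    return bytes(b ^ key for b in data)


def xor_dword(data: bytes, key: bytes) -> bytes:
    """Stage (d): the range is XORed with a repeating 4-byte key (x1 x2 x3 x4).
    Assumption: the key is applied in file byte order, one dword at a time."""
    assert len(key) == 4
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def file_check(x1: int, x2: int, x3: int, x4: int) -> bool:
    """The test the post reports after the first loop: x2 ^ x3 ^ x4 ^ 0xAB == 0."""
    return (x2 ^ x3 ^ x4 ^ 0xAB) == 0


def recover_dword_keys(cipher: bytes, known: bytes) -> dict:
    """Known-plaintext attack on a repeating 4-byte XOR.

    If `known` (>= 4 bytes) sits somewhere in the plaintext, then at that
    offset cipher[p] ^ known[j] yields key[p % 4] directly. Slide `known`
    over the ciphertext; an offset is a candidate only if every position that
    maps to the same key slot agrees. Returns {offset: key}. Cost is
    len(cipher) * len(known) XORs, not 2^32 trial decryptions.
    """
    if len(known) < 4:
        raise ValueError("need at least 4 known plaintext bytes to fix all slots")
    found = {}
    for off in range(len(cipher) - len(known) + 1):
        slots = [None] * 4
        for j, pb in enumerate(known):
            p = off + j
            kb = cipher[p] ^ pb
            if slots[p % 4] is None:
                slots[p % 4] = kb
            elif slots[p % 4] != kb:
                break          # two positions disagree on this slot: wrong offset
        else:
            found[off] = bytes(slots)
    return found


# --- constructed sample ------------------------------------------------------
# Plaintext region: a small prologue, the four pushes that precede a
# MessageBoxA call (hWnd=0, text, caption, uType=0), a call rel32, an epilogue.
# 0x00403000 / 0x00403020 are made-up string addresses (absolute operands).
PUSHES = bytes.fromhex("6a00" "6800304000" "6820304000" "6a00")
PLAIN = (bytes.fromhex("558bec83ec10")      # push ebp; mov ebp,esp; sub esp,0x10
         + PUSHES
         + bytes.fromhex("e800000000")      # call rel32: relative, so left out of KNOWN
         + bytes.fromhex("33c0c9c3"))       # xor eax,eax; leave; ret

X0 = 0x95                                   # first file byte, as found in the post
X1, X2, X3 = 0x11, 0x22, 0x33               # made-up file bytes
X4 = 0xAB ^ X2 ^ X3                         # chosen so the file check passes
DWORD_KEY = bytes([X1, X2, X3, X4])

# XOR layers commute, so the order in which the sample is built does not matter.
# Simplification: both layers cover the whole sample, not just a sub-range.
CIPHER = xor_single_byte(xor_dword(PLAIN, DWORD_KEY), X0)


def attack(cipher: bytes = CIPHER, x0: int = X0, known: bytes = PUSHES) -> dict:
    """Undo stage (c) with the known x0, then keep only stage (d) keys that
    also satisfy the file check the binary performs."""
    after_stage_c = xor_single_byte(cipher, x0)
    cands = recover_dword_keys(after_stage_c, known)
    return {off: k for off, k in cands.items() if file_check(k[0], k[1], k[2], k[3])}


if __name__ == "__main__":
    for off, key in attack().items():
        decrypted = xor_dword(xor_single_byte(CIPHER, X0), key)
        print(f"offset {off}: key {key.hex()} -> {decrypted.hex()}")
```

Sliding a known fragment of at least four bytes over the block pins all four key slots at once, so the search is linear in the block size; the x2 ^ x3 ^ x4 ^ 0xAB check then discards candidates the binary would reject anyway. If the pushes are not in that block, any other fragment of at least four known bytes (another absolute operand, a recurring prologue) serves the same purpose.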
