Skip to content

Instantly share code, notes, and snippets.

@xorhex

xorhex/LabyREnth Chl 2016, 1 - Key Check Algorithm Disassembled

Created September 22, 2019 00:43
Show Gist options
  • Save xorhex/a9aae0d01666c494f89c1b809c75f5f6 to your computer and use it in GitHub Desktop.
Save xorhex/a9aae0d01666c494f89c1b809c75f5f6 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
LabyREnth Chl 2016, 1 - Key Check Algorithm Disassembled
ups0:004011B0
ups0:004011B0 ; =============== S U B R O U T I N E =======================================
ups0:004011B0
ups0:004011B0 ; Attributes: bp-based frame
ups0:004011B0
ups0:004011B0 ; int __cdecl sub_4011B0(char *Str)
ups0:004011B0 sub_4011B0 proc near ; CODE XREF: _main+3Bp
ups0:004011B0
ups0:004011B0 var_38 = dword ptr -38h
ups0:004011B0 counter = dword ptr -34h
ups0:004011B0 var_30 = dword ptr -30h
ups0:004011B0 var_2C = byte ptr -2Ch
ups0:004011B0 var_2B = byte ptr -2Bh
ups0:004011B0 var_2A = byte ptr -2Ah
ups0:004011B0 var_29 = byte ptr -29h
ups0:004011B0 var_28 = byte ptr -28h
ups0:004011B0 var_27 = byte ptr -27h
ups0:004011B0 var_26 = byte ptr -26h
ups0:004011B0 var_25 = byte ptr -25h
ups0:004011B0 var_24 = byte ptr -24h
ups0:004011B0 var_23 = byte ptr -23h
ups0:004011B0 var_22 = byte ptr -22h
ups0:004011B0 var_21 = byte ptr -21h
ups0:004011B0 var_20 = byte ptr -20h
ups0:004011B0 var_1F = byte ptr -1Fh
ups0:004011B0 var_1E = byte ptr -1Eh
ups0:004011B0 var_1D = byte ptr -1Dh
ups0:004011B0 var_1C = byte ptr -1Ch
ups0:004011B0 var_1B = byte ptr -1Bh
ups0:004011B0 var_1A = byte ptr -1Ah
ups0:004011B0 var_19 = byte ptr -19h
ups0:004011B0 var_18 = byte ptr -18h
ups0:004011B0 var_17 = byte ptr -17h
ups0:004011B0 var_16 = byte ptr -16h
ups0:004011B0 var_15 = byte ptr -15h
ups0:004011B0 var_14 = byte ptr -14h
ups0:004011B0 var_13 = byte ptr -13h
ups0:004011B0 var_12 = byte ptr -12h
ups0:004011B0 var_11 = byte ptr -11h
ups0:004011B0 var_10 = byte ptr -10h
ups0:004011B0 var_F = byte ptr -0Fh
ups0:004011B0 var_E = byte ptr -0Eh
ups0:004011B0 var_D = byte ptr -0Dh
ups0:004011B0 var_C = byte ptr -0Ch
ups0:004011B0 var_B = byte ptr -0Bh
ups0:004011B0 var_A = byte ptr -0Ah
ups0:004011B0 var_9 = byte ptr -9
ups0:004011B0 var_8 = byte ptr -8
ups0:004011B0 var_7 = byte ptr -7
ups0:004011B0 var_6 = byte ptr -6
ups0:004011B0 var_5 = byte ptr -5
ups0:004011B0 var_4 = dword ptr -4
ups0:004011B0 Str = dword ptr 8
ups0:004011B0
ups0:004011B0 push ebp
ups0:004011B1 mov ebp, esp
ups0:004011B3 sub esp, 38h
ups0:004011B6 mov eax, ___security_cookie
ups0:004011BB xor eax, ebp
ups0:004011BD mov [ebp+var_4], eax
ups0:004011C0 mov [ebp+var_2C], 8Ch
ups0:004011C4 mov [ebp+var_2B], 0F1h
ups0:004011C8 mov [ebp+var_2A], 53h
ups0:004011CC mov [ebp+var_29], 0A3h
ups0:004011D0 mov [ebp+var_28], 8
ups0:004011D4 mov [ebp+var_27], 0D7h
ups0:004011D8 mov [ebp+var_26], 0DCh
ups0:004011DC mov [ebp+var_25], 48h
ups0:004011E0 mov [ebp+var_24], 0DBh
ups0:004011E4 mov [ebp+var_23], 0Ch
ups0:004011E8 mov [ebp+var_22], 3Ah
ups0:004011EC mov [ebp+var_21], 0EEh
ups0:004011F0 mov [ebp+var_20], 15h
ups0:004011F4 mov [ebp+var_1F], 22h
ups0:004011F8 mov [ebp+var_1E], 0C4h
ups0:004011FC mov [ebp+var_1D], 0E5h
ups0:00401200 mov [ebp+var_1C], 0C9h
ups0:00401204 mov [ebp+var_1B], 0A0h
ups0:00401208 mov [ebp+var_1A], 0A5h
ups0:0040120C mov [ebp+var_19], 0Ch
ups0:00401210 mov [ebp+var_18], 0D3h
ups0:00401214 mov [ebp+var_17], 0DCh
ups0:00401218 mov [ebp+var_16], 51h
ups0:0040121C mov [ebp+var_15], 0C7h
ups0:00401220 mov [ebp+var_14], 39h
ups0:00401224 mov [ebp+var_13], 0FDh
ups0:00401228 mov [ebp+var_12], 0D0h
ups0:0040122C mov [ebp+var_11], 0F8h
ups0:00401230 mov [ebp+var_10], 3Bh
ups0:00401234 mov [ebp+var_F], 0E8h
ups0:00401238 mov [ebp+var_E], 0CCh
ups0:0040123C mov [ebp+var_D], 3
ups0:00401240 mov [ebp+var_C], 6
ups0:00401244 mov [ebp+var_B], 43h
ups0:00401248 mov [ebp+var_A], 0F7h
ups0:0040124C mov [ebp+var_9], 0DAh
ups0:00401250 mov [ebp+var_8], 7Eh
ups0:00401254 mov [ebp+var_7], 65h
ups0:00401258 mov [ebp+var_6], 0AEh
ups0:0040125C mov [ebp+var_5], 80h
ups0:00401260 mov eax, [ebp+Str]
ups0:00401263 push eax ; Str
ups0:00401264 call strlen
ups0:0040126A add esp, 4
ups0:0040126D cmp eax, 10h
ups0:00401270 jnz loc_401361
ups0:00401276 mov [ebp+var_38], 0
ups0:0040127D mov [ebp+counter], 0
ups0:00401284 jmp short loc_40128F
ups0:00401286 ; ---------------------------------------------------------------------------
ups0:00401286
ups0:00401286 loc_401286: ; CODE XREF: sub_4011B0+1A8j
ups0:00401286 mov ecx, [ebp+counter]
ups0:00401289 add ecx, 1
ups0:0040128C mov [ebp+counter], ecx
ups0:0040128F
ups0:0040128F loc_40128F: ; CODE XREF: sub_4011B0+D4j
ups0:0040128F cmp [ebp+counter], 28h
ups0:00401293 jge loc_40135D
ups0:00401299 mov [ebp+var_30], 0
ups0:004012A0 mov edx, [ebp+Str] ; Set edx to the first position of the string.
ups0:004012A3 add edx, [ebp+counter] ; Use the counter variable to set the value of EDX to the character at the counter (index) position of the string.
ups0:004012A6 movsx eax, byte ptr [edx] ; Set EAX to the value at that byte.
ups0:004012A9 xor eax, 33h ; XOR value with 0x33
ups0:004012AC and eax, 0FFh ; AND 0xFF
ups0:004012B1 mov [ebp+var_30], eax ; Store the value in VAR_30
ups0:004012B4 call check_CheckRemoteDebuggerPresent
ups0:004012B9 movzx ecx, al
ups0:004012BC test ecx, ecx ; Check result of debugger check. If zero, continue (take the jz jump); else jmp to the end.
ups0:004012BE jz short loc_4012C7
ups0:004012C0 xor al, al
ups0:004012C2 jmp loc_401363
ups0:004012C7 ; ---------------------------------------------------------------------------
ups0:004012C7
ups0:004012C7 loc_4012C7: ; CODE XREF: sub_4011B0+10Ej
ups0:004012C7 mov edx, [ebp+var_30] ; Restore the value from var_30 into EDX
ups0:004012CA add edx, 44h ; Add 0x44
ups0:004012CD and edx, 0FFh ; AND 0xff
ups0:004012D3 mov [ebp+var_30], edx ; Store the value back into var_30
ups0:004012D6 call check_for_ollydbg
ups0:004012DB movzx eax, al
ups0:004012DE test eax, eax ; Check the return value of the check_for_ollydbg. If false (0 in the ZF), continue (take the jz jump); else jmp to the end.
ups0:004012E0 jz short loc_4012E6
ups0:004012E2 xor al, al
ups0:004012E4 jmp short loc_401363
ups0:004012E6 ; ---------------------------------------------------------------------------
ups0:004012E6
ups0:004012E6 loc_4012E6: ; CODE XREF: sub_4011B0+130j
ups0:004012E6 mov ecx, [ebp+var_30] ; Restore value from var_30 into ECX
ups0:004012E9 xor ecx, 55h ; XOR ECX with 0x55
ups0:004012EC and ecx, 0FFh ; AND ECX with 0xff
ups0:004012F2 mov [ebp+var_30], ecx ; Store the value of ECX into var_30
ups0:004012F5 call check_IsDebuggerPresent
ups0:004012FA movzx edx, al
ups0:004012FD test edx, edx ; Check the return value of check_isDebuggerPresent. If false (0 in the ZF), continue (take the jz jump); else jmp to the end.
ups0:004012FF jz short loc_401305
ups0:00401301 xor al, al
ups0:00401303 jmp short loc_401363
ups0:00401305 ; ---------------------------------------------------------------------------
ups0:00401305
ups0:00401305 loc_401305: ; CODE XREF: sub_4011B0+14Fj
ups0:00401305 mov eax, [ebp+var_30] ; Restore the value of var_30 into EAX.
ups0:00401308 sub eax, 66h ; SUB 0x33 from EAX
ups0:0040130B and eax, 0FFh ; AND EAX with 0xff
ups0:00401310 mov [ebp+var_30], eax ; Store the value of EAX into var_30
ups0:00401313 call check_rdtsc_diff
ups0:00401318 movzx ecx, al
ups0:0040131B test ecx, ecx ; Check the return value from the rdtsc diff check. If false (0 in the ZF), continue (take the jz jump); else jmp to the end.
ups0:0040131D jz short loc_401323
ups0:0040131F xor al, al
ups0:00401321 jmp short loc_401363
ups0:00401323 ; ---------------------------------------------------------------------------
ups0:00401323
ups0:00401323 loc_401323: ; CODE XREF: sub_4011B0+16Dj
ups0:00401323 mov edx, [ebp+var_38] ; Load the value of var_38 into EDX
ups0:00401326 and edx, 0FFh ; AND EDX with 0xff
ups0:0040132C xor edx, [ebp+var_30] ; XOR EDX with the value from var_30
ups0:0040132F and edx, 0FFh ; AND EDX with 0ff
ups0:00401335 mov [ebp+var_30], edx ; Store EDX into var_30
ups0:00401338 mov eax, [ebp+counter] ; Load value of the counter into EAX
ups0:0040133B movsx ecx, [ebp+eax+var_2C] ; Start at the location of var_2c, add the value of the counter (EAX) to get the value hard coded into the fuction to work this comparison against.
ups0:00401340 and ecx, 0FFh ; AND ECX with 0xff
ups0:00401346 cmp [ebp+var_30], ecx ; Check to see if var_30 is equal to ECX. If false (0 in the ZF), continue (take the jz jump); else jmp to the end (aka. exit loop).
ups0:00401349 jz short loc_40134F
ups0:0040134B xor al, al
ups0:0040134D jmp short loc_401363
ups0:0040134F ; ---------------------------------------------------------------------------
ups0:0040134F
ups0:0040134F loc_40134F: ; CODE XREF: sub_4011B0+199j
ups0:0040134F mov edx, [ebp+var_38] ; Move the value of var_38 into EDX (inital value is 0)
ups0:00401352 add edx, [ebp+var_30] ; Add var_30 to EDX (var_38)
ups0:00401355 mov [ebp+var_38], edx ; Move the value of EDX into var_38
ups0:00401358 jmp loc_401286 ; Repeat loop
ups0:0040135D ; ---------------------------------------------------------------------------
ups0:0040135D
ups0:0040135D loc_40135D: ; CODE XREF: sub_4011B0+E3j
ups0:0040135D mov al, 1
ups0:0040135F jmp short loc_401363
ups0:00401361 ; ---------------------------------------------------------------------------
ups0:00401361
ups0:00401361 loc_401361: ; CODE XREF: sub_4011B0+C0j
ups0:00401361 xor al, al
ups0:00401363
ups0:00401363 loc_401363: ; CODE XREF: sub_4011B0+112j
ups0:00401363 ; sub_4011B0+134j ...
ups0:00401363 mov ecx, [ebp+var_4]
ups0:00401366 xor ecx, ebp
ups0:00401368 call @__security_check_cookie@4 ; __security_check_cookie(x)
ups0:0040136D mov esp, ebp
ups0:0040136F pop ebp
ups0:00401370 retn
ups0:00401370 sub_4011B0 endp
ups0:00401370
ups0:00401370 ; ---------------------------------------------------------------------------
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment