Showing posts from May, 2017

Walkthrough: Reversing Resource Tuner License Validating Algorithm (part 2)

IV - func4

Now, we've reached the function named func4:


If we take a look at the asm code of func4, we will find the following:

CPU Disasm
Address   Hex dump          Command                             Comments
FFF90BC8  60                PUSHAD
FFF90BC9  8B45 F8           MOV EAX,DWORD PTR SS:[EBP-8]
FFF90BCC  50                PUSH EAX
FFF90BCD  8B90 F0000000     MOV EDX,DWORD PTR DS:[EAX+0F0]
FFF90BD3  8B7A 30           MOV EDI,DWORD PTR DS:[EDX+30]
FFF90BD6  8B72 34           MOV ESI,DWORD PTR DS:[EDX+34]
FFF90BD9  8B0F              MOV ECX,DWORD PTR DS:[EDI]
FFF90BDB  330E              XOR ECX,DWORD PTR DS:[ESI]
FFF90BDD  894D E4           MOV DWORD PTR SS:[EBP-1C],ECX
FFF90BE0  8B0424            MOV EAX,DWORD PTR SS:[ESP]
FFF90BE3  8B88 80000000     MOV ECX,DWORD PTR DS:[EAX+80]
FFF90BE9  8D59 30           LEA EBX,[ECX+30]
FFF90BEC  8B4B 4C           MOV ECX,DWORD PTR DS:[EBX+4C]
FFF90BEF  8B90 0C010000     MOV EDX,DWORD PTR DS:[EAX+10C]
FFF90BF5  81EA FFFFFF7F     SUB EDX,7FFFFFFF
FFF90BFB  8D34CA            LEA ESI,[ECX*8+EDX]
FFF90BFE  8BB8 10010000     MOV EDI,…

Walkthrough: Reversing Resource Tuner License Validating Algorithm (part 1)

The first nice location that we must look at is this:
I - func1


Let's take a look at the asm code of this function (address FFF90369):

CPU Disasm
Address   Hex dump          Command                             Comments
FFF90D14  60                PUSHAD
FFF90D15  89D1              MOV ECX,EDX                         ;EDX contains license buffer length
FFF90D17  49                DEC ECX
FFF90D18  85C9              TEST ECX,ECX
FFF90D1A  0F8C 8F000000     JL FFF90DAF
FFF90D20  41                INC ECX
FFF90D21  C745 E0 56986C1   MOV DWORD PTR SS:[EBP-20],136C9856
FFF90D28  8B55 E4           MOV EDX,DWORD PTR SS:[EBP-1C]
FFF90D2B  81F2 B6B3BF9A     XOR EDX,9ABFB3B6
FFF90D31  8955 E4           MOV DWORD PTR SS:[EBP-1C],EDX
FFF90D34  C745 DC BB0D6A7   MOV DWORD PTR SS:[EBP-24],7F6A0DBB
FFF90D3B  89C7              MOV EDI,EAX                         ;EAX is a pointer to the license buffer
FFF90D3D  31F6              XOR ESI,ESI
FFF90D3F  8B45 E0           MOV EAX,DWORD PTR SS:[EBP-20]
FFF90D42  8B55 E4           MOV EDX,DWORD PTR SS:[EBP…