Walkthrough: Reversing Resource Tuner License Validating Algorithm (part 2)

IV - func4

Now, we've reached the function named func4:

If we take a look at the asm code of func4, we will find the following:

CPU Disasm
Address   Hex dump          Command                                     Comments
FFF90BC8    60              PUSHAD
FFF90BC9    8B45 F8         MOV EAX,DWORD PTR SS:[EBP-8]
FFF90BCC    50              PUSH EAX
FFF90BCD    8B90 F0000000   MOV EDX,DWORD PTR DS:[EAX+0F0]
FFF90BD3    8B7A 30         MOV EDI,DWORD PTR DS:[EDX+30]
FFF90BD6    8B72 34         MOV ESI,DWORD PTR DS:[EDX+34]
FFF90BD9    8B0F            MOV ECX,DWORD PTR DS:[EDI]
FFF90BDB    330E            XOR ECX,DWORD PTR DS:[ESI]
FFF90BDD    894D E4         MOV DWORD PTR SS:[EBP-1C],ECX
FFF90BE0    8B0424          MOV EAX,DWORD PTR SS:[ESP]
FFF90BE3    8B88 80000000   MOV ECX,DWORD PTR DS:[EAX+80]
FFF90BE9    8D59 30         LEA EBX,[ECX+30]
FFF90BEF    8B90 0C010000   MOV EDX,DWORD PTR DS:[EAX+10C]
FFF90BFB    8D34CA          LEA ESI,[ECX*8+EDX]
FFF90BFE    8BB8 10010000   MOV EDI,DWORD PTR DS:[EAX+110]
FFF90C04    89F8            MOV EAX,EDI
FFF90C06    FC              CLD
FFF90C07    A5              MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
FFF90C08    A5              MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
FFF90C09    BA 08000000     MOV EDX,8
FFF90C0E    E8 71000000     CALL FFF90C84
FFF90C13    8B0424          MOV EAX,DWORD PTR SS:[ESP]
FFF90C16    8B88 80000000   MOV ECX,DWORD PTR DS:[EAX+80]
FFF90C1C    8D59 30         LEA EBX,[ECX+30]
FFF90C1F    8B73 70         MOV ESI,DWORD PTR DS:[EBX+70]
FFF90C22    8D4431 30       LEA EAX,[ESI+ECX+30]
FFF90C26    BA 18000000     MOV EDX,18
FFF90C2B    E8 4D000000     CALL FFF90C7D
FFF90C30    89C1            MOV ECX,EAX
FFF90C32    8B0424          MOV EAX,DWORD PTR SS:[ESP]
FFF90C35    8B90 10010000   MOV EDX,DWORD PTR DS:[EAX+110]
FFF90C3B    394A 04         CMP DWORD PTR DS:[EDX+4],ECX
FFF90C3E    75 19           JNE SHORT FFF90C59
FFF90C40    8B0A            MOV ECX,DWORD PTR DS:[EDX]
FFF90C42    81E1 01010101   AND ECX,01010101
FFF90C48    09C9            OR ECX,ECX
FFF90C4A    75 0D           JNE SHORT FFF90C59
FFF90C4C    B9 01000000     MOV ECX,1
FFF90C51    8988 1C010000   MOV DWORD PTR DS:[EAX+11C],ECX
FFF90C57    EB 0E           JMP SHORT FFF90C67
FFF90C59    31C9            XOR ECX,ECX
FFF90C5B    8948 58         MOV DWORD PTR DS:[EAX+58],ECX
FFF90C5E    8948 5C         MOV DWORD PTR DS:[EAX+5C],ECX
FFF90C61    8948 6C         MOV DWORD PTR DS:[EAX+6C],ECX
FFF90C64    8948 70         MOV DWORD PTR DS:[EAX+70],ECX
FFF90C67    31DB            XOR EBX,EBX
FFF90C69    891A            MOV DWORD PTR DS:[EDX],EBX
FFF90C6B    895A 04         MOV DWORD PTR DS:[EDX+4],EBX
FFF90C6E    8988 D4000000   MOV DWORD PTR DS:[EAX+0D4],ECX
FFF90C74    58              POP EAX
FFF90C75    61              POPAD
FFF90C76    C3              RETN

We can see that func4 calls two functions:
  • FFF90C84 (let's give this the name func4_1), entered with EAX pointing at the freshly copied 8-byte buffer and EDX = 8; its return value is discarded, so it works on the buffer in place
  • FFF90C7D (let's give this the name func4_2), entered with EAX pointing at the 0x18-byte block and EDX = 18; its return value in EAX is moved to ECX and compared against the second dword of that buffer
Comparing func4_1 with func1 from the previous part shows that they are the same function.
So, func4_1 = func1

Comparing func4_2 with func2 from the previous part shows that they are the same function.
So, func4_2 = func2

Because func4 is wrapped in PUSHAD/POPAD and pops the saved object pointer before returning, it returns nothing in registers: its outputs are the memory writes at the end. [EAX+11C] is set to 1 (and [EAX+0D4] receives 1) only when the second dword of the 8-byte buffer equals the result of func2 and the first dword has no bit set under the mask 01010101; otherwise [EAX+58], [EAX+5C], [EAX+6C] and [EAX+70] are cleared and [EAX+0D4] receives 0. In both cases the 8-byte buffer at [EAX+110] is zeroed before returning, so the transformed block never survives the call. The XOR of the two dwords at FFF90BD9-FFF90BDD is stored to [EBP-1C] in the caller's frame (func4 never sets up a frame of its own) and is not read again inside func4.
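The following C is an added reconstruction of func4's check, written for this page and not taken from Resource Tuner or from the original post. It assumes the field layout implied by the offsets in the listing, assumes the register conventions visible before each CALL (func1: EAX = buffer, EDX = 8, result discarded; func2: EAX = block, EDX = 0x18, result in EAX), and replaces the two pointer computations at FFF90BE3-FFF90BFB and FFF90C16-FFF90C22 with the resolved pointers entry8 and in24 passed as parameters. demo_func1 and demo_func2 are constructed stand-ins for the real func1/func2 from the previous part, chosen so that forge_entry can show why an invertible func1 plus a known func2 lets one build an entry that passes the check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of the object whose pointer func4 loads from [EBP-8], named by the
 * offsets the listing dereferences (assumed layout; the rest is unknown). */
typedef struct {
    uint32_t f58, f5c, f6c, f70;  /* zeroed on the failure path (FFF90C5B..FFF90C64) */
    uint32_t fd4;                 /* receives the 0/1 result (FFF90C6E) */
    uint32_t scratch[2];          /* the 8-byte buffer that [EAX+110] points to */
    uint32_t f11c;                /* set to 1 on the success path (FFF90C51) */
} ctx_t;

/* Calling conventions read off the register setup before each CALL (assumption):
 * func1 gets EAX=buffer, EDX=8 and its EAX is discarded, so it is modelled as an
 * in-place transform; func2 gets EAX=input, EDX=0x18 and returns a dword in EAX. */
typedef void     (*func1_t)(uint8_t *buf, uint32_t len);
typedef uint32_t (*func2_t)(const uint8_t *in, uint32_t len);

/* func4 with the two pointer computations replaced by resolved pointers. */
uint32_t func4(ctx_t *ctx, const uint8_t *entry8, const uint8_t *in24,
               func1_t func1, func2_t func2)
{
    uint32_t result;

    memcpy(ctx->scratch, entry8, 8);          /* MOVS x2 at FFF90C07/FFF90C08 */
    func1((uint8_t *)ctx->scratch, 8);        /* CALL func4_1 (= func1) */
    uint32_t expected = func2(in24, 0x18);    /* CALL func4_2 (= func2) */

    /* FFF90C3B..FFF90C4A: second dword must equal func2's output and the
     * least significant bit of every byte of the first dword must be clear. */
    if (ctx->scratch[1] == expected && (ctx->scratch[0] & 0x01010101u) == 0) {
        ctx->f11c = 1;
        result = 1;
    } else {
        ctx->f58 = ctx->f5c = ctx->f6c = ctx->f70 = 0;
        result = 0;
    }

    ctx->scratch[0] = ctx->scratch[1] = 0;    /* FFF90C69/FFF90C6B: wipe buffer */
    ctx->fd4 = result;                        /* FFF90C6E */
    return result;
}

/* Toy stand-ins for the part-1 functions (constructed; NOT the real algorithm):
 * demo_func1 XORs the buffer with a fixed pad, demo_func2 is a small 32-bit hash. */
static const uint8_t DEMO_PAD[8] = {0x5A, 0xC3, 0x3C, 0xA5, 0x0F, 0xF0, 0x96, 0x69};

void demo_func1(uint8_t *buf, uint32_t len)
{
    for (uint32_t i = 0; i < len; i++) buf[i] ^= DEMO_PAD[i % 8];
}

uint32_t demo_func2(const uint8_t *in, uint32_t len)
{
    uint32_t h = 0x811C9DC5u;                 /* FNV-1a style loop */
    for (uint32_t i = 0; i < len; i++) { h ^= in[i]; h *= 16777619u; }
    return h;
}

/* Inverting the check: pick a first dword with the 0x01010101 bits clear, put
 * func2(in24) in the second, then undo func1 (XOR is its own inverse here). */
void forge_entry(const uint8_t *in24, uint8_t out8[8])
{
    uint32_t block[2] = { 0x1E2E3E4Eu & ~0x01010101u, demo_func2(in24, 0x18) };
    memcpy(out8, block, 8);
    demo_func1(out8, 8);
}

int main(void)
{
    ctx_t ctx = { 1, 2, 3, 4, 0, {0, 0}, 0 };
    uint8_t in24[0x18] = "constructed-sample-in24";   /* 23 chars + NUL = 0x18 */
    uint8_t entry[8];

    forge_entry(in24, entry);
    printf("forged entry:   valid=%u f11c=%u\n",
           func4(&ctx, entry, in24, demo_func1, demo_func2), ctx.f11c);

    entry[0] ^= 0x01;   /* flip a low bit: fails the AND 01010101 test */
    printf("tampered entry: valid=%u f58=%u\n",
           func4(&ctx, entry, in24, demo_func1, demo_func2), ctx.f58);
    return 0;
}
```

The point to take from the reconstruction is that func4 holds no secret of its own: everything it decides depends on func1 and func2, so once those two are understood from the previous part, the validity flag at [EAX+11C] is fully determined by the 8-byte entry and the 0x18-byte block.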

