Walkthrough: Reversing Resource Tuner License Validating Algorithm (part 1)

The first interesting location we need to look at is this:
I - func1


Let's take a look at the asm code of this function (address FFF90369)

CPU Disasm
Address   Hex dump          Command                                                            Comments
FFF90D14    60              PUSHAD
FFF90D15    89D1            MOV ECX,EDX                         ;EDX contains license buffer length
FFF90D17    49              DEC ECX
FFF90D18    85C9            TEST ECX,ECX
FFF90D1A    0F8C 8F000000   JL FFF90DAF
FFF90D20    41              INC ECX
FFF90D21    C745 E0 56986C1 MOV DWORD PTR SS:[EBP-20],136C9856
FFF90D28    8B55 E4         MOV EDX,DWORD PTR SS:[EBP-1C]
FFF90D2B    81F2 B6B3BF9A   XOR EDX,9ABFB3B6
FFF90D31    8955 E4         MOV DWORD PTR SS:[EBP-1C],EDX
FFF90D34    C745 DC BB0D6A7 MOV DWORD PTR SS:[EBP-24],7F6A0DBB
FFF90D3B    89C7            MOV EDI,EAX                        ;EAX is a pointer to the license buffer
FFF90D3D    31F6            XOR ESI,ESI
FFF90D3F    8B45 E0         MOV EAX,DWORD PTR SS:[EBP-20]
FFF90D42    8B55 E4         MOV EDX,DWORD PTR SS:[EBP-1C]
FFF90D45    C1C0 07         ROL EAX,7
FFF90D48    C1C2 1B         ROL EDX,1B
FFF90D4B    31D0            XOR EAX,EDX
FFF90D4D    8945 E0         MOV DWORD PTR SS:[EBP-20],EAX
FFF90D50    8B5D DC         MOV EBX,DWORD PTR SS:[EBP-24]
FFF90D53    31D8            XOR EAX,EBX
FFF90D55    51              PUSH ECX
FFF90D56    89C1            MOV ECX,EAX
FFF90D58    D3C3            ROL EBX,CL
FFF90D5A    59              POP ECX
FFF90D5B    C1C8 0F         ROR EAX,0F
FFF90D5E    31C2            XOR EDX,EAX
FFF90D60    31DA            XOR EDX,EBX
FFF90D62    51              PUSH ECX
FFF90D63    89D1            MOV ECX,EDX
FFF90D65    D3CB            ROR EBX,CL
FFF90D67    59              POP ECX
FFF90D68    89F0            MOV EAX,ESI
FFF90D6A    83E0 07         AND EAX,00000007
FFF90D6D    83F8 06         CMP EAX,6
FFF90D70    75 05           JNE SHORT FFF90D77
FFF90D72    E8 53000000     CALL FFF90DCA
FFF90D77    895D DC         MOV DWORD PTR SS:[EBP-24],EBX
FFF90D7A    8955 E4         MOV DWORD PTR SS:[EBP-1C],EDX
FFF90D7D    8B5D E0         MOV EBX,DWORD PTR SS:[EBP-20]
FFF90D80    89F0            MOV EAX,ESI
FFF90D82    83E0 03         AND EAX,00000003
FFF90D85    83F8 02         CMP EAX,2
FFF90D88    75 05           JNE SHORT FFF90D8F
FFF90D8A    E8 22000000     CALL FFF90DB1
FFF90D8F    31C0            XOR EAX,EAX
FFF90D91    8A07            MOV AL,BYTE PTR DS:[EDI]
FFF90D93    30C3            XOR BL,AL
FFF90D95    881F            MOV BYTE PTR DS:[EDI],BL
FFF90D97    83E3 01         AND EBX,00000001
FFF90D9A    83E0 01         AND EAX,00000001
FFF90D9D    85D8            TEST EAX,EBX
FFF90D9F    75 09           JNE SHORT FFF90DAA
FFF90DA1    8B45 E4         MOV EAX,DWORD PTR SS:[EBP-1C]
FFF90DA4    C1C0 15         ROL EAX,15
FFF90DA7    8945 E4         MOV DWORD PTR SS:[EBP-1C],EAX
FFF90DAA    46              INC ESI
FFF90DAB    47              INC EDI
FFF90DAC    49              DEC ECX
FFF90DAD  ^ 75 90           JNE SHORT FFF90D3F
FFF90DAF    61              POPAD
FFF90DB0    C3              RETN
 
Let's call this function func1. It calls two other functions:


  • function FFF90DCA (let's give this function the name func1_1)
  • function FFF90DB1 (let's give this function the name func1_2)

Looking at the asm code of the function func1_1

CPU Disasm
Address   Hex dump          Command                                                            Comments
FFF90DCA    81F3 0536D0BA   XOR EBX,BAD03605
FFF90DD0    01CB            ADD EBX,ECX
FFF90DD2    C3              RETN
 

The same thing for function func1_2


CPU Disasm
Address   Hex dump          Command                                                            Comments
FFF90DB1    B8 FFFFFFFF     MOV EAX,-1
FFF90DB6    69D3 05840808   IMUL EDX,EBX,8088405
FFF90DBC    42              INC EDX
FFF90DBD    F7E2            MUL EDX
FFF90DBF    89D3            MOV EBX,EDX
FFF90DC1    81F3 33D4B8E8   XOR EBX,E8B8D433
FFF90DC7    01CB            ADD EBX,ECX
FFF90DC9    C3              RETN
 
At this point, we can write code that combines all three functions; it looks something like this:


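  /*
   * 32-bit rotates with the count reduced modulo 32.
   *
   * The listing rotates with "ROL EBX,CL" / "ROR EBX,CL", and x86 uses only
   * the low five bits of CL for a 32-bit operand. A plain
   * (v << n) | (v >> (32 - n)) is undefined in C when n is 0 or n >= 32,
   * and Crypt() passes counts up to 0xFF, so the masking is done here.
   * Assumes `value` is a 32-bit unsigned int.
   */
  #define ROR(value,n) (((value) >> ((n) & 31)) | ((value) << ((32 - ((n) & 31)) & 31)))
  #define ROL(value,n) (((value) << ((n) & 31)) | ((value) >> ((32 - ((n) & 31)) & 31)))

  /* Working state of Crypt(); these stand for [EBP-20], [EBP-24] and [EBP-1C] in the listing. */
  unsigned int CryptConstant1;
  unsigned int CryptConstant2;
  /* Not reset by Crypt(): it is XORed with a constant on entry, so its value carries over between calls. */
  unsigned int SecureRandom = 0xBAADF00D;

  /*
   * XORs each byte of `buffer` in place with a keystream byte derived from
   * three 32-bit state words (C rendering of func1, func1_1 and func1_2).
   *
   * buffer  bytes to transform; modified in place.
   * length  number of bytes; nothing is done (and no state is touched)
   *         when (int)(length - 1) is negative, e.g. for length == 0.
   *
   * Side effects: CryptConstant1 and CryptConstant2 are re-seeded with fixed
   * constants on every call; SecureRandom is updated but never re-seeded.
   */
  void Crypt(unsigned char* buffer, size_t length)
  {
      /* Same test as DEC ECX / TEST ECX,ECX / JL in the listing. */
      if ((int)(length - 1) < 0)
          return;

      CryptConstant1 = 0x136C9856;
      SecureRandom  ^= 0x9ABFB3B6;
      CryptConstant2 = 0x7F6A0DBB;

      for (unsigned int i = 0; length != 0; i++, buffer++, length--)
      {
          /* ECX in the listing: bytes still to process, as a 32-bit value. */
          const unsigned int remaining = (unsigned int)length;
          const unsigned int rolValue  = ROL(SecureRandom, 0x1B);

          CryptConstant1 = ROL(CryptConstant1, 7) ^ rolValue;

          const unsigned int mixed   = CryptConstant1 ^ CryptConstant2;
          const unsigned int rotated = ROL(CryptConstant2, mixed & 0xFF);
          const unsigned int next    = rolValue ^ ROR(mixed, 0x0F) ^ rotated;

          CryptConstant2 = ROR(rotated, next & 0xFF);

          /* func1_1: extra mixing on every 8th byte (positions 6, 14, ...). */
          if ((i & 7) == 6)
          {
              CryptConstant2 ^= 0xBAD03605;
              CryptConstant2 += remaining;
          }

          SecureRandom = next;

          unsigned int key = CryptConstant1;

          /* func1_2: on positions 2, 6, 10, ... the key is the high dword of a 32x32 multiply. */
          if ((i & 3) == 2)
          {
              const unsigned long long mulValue =
                  (unsigned long long)(CryptConstant1 * 0x8088405u + 1u) * 0xFFFFFFFFull;
              key = ((unsigned int)(mulValue >> 32) ^ 0xE8B8D433u) + remaining;
          }

          const unsigned char before = *buffer;
          const unsigned char after  = (unsigned char)(before ^ (key & 0xFF));
          *buffer = after;

          /* The extra rotate is skipped only when both the old and the new byte are odd. */
          if (((after & 1) & (before & 1)) == 0)
          {
              SecureRandom = ROL(SecureRandom, 0x15);
          }
      }
  }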

At this point we can mark func1, func1_1 and func1_2 as done.

II - func2


This function is located at address FFF90370; we'll call it func2. Its asm code is as follows:

CPU Disasm
Address   Hex dump          Command                                                            Comments
FFF9121E    57              PUSH EDI
FFF9121F    56              PUSH ESI
FFF91220    8B4D F8         MOV ECX,DWORD PTR SS:[EBP-8]
FFF91223    8BB9 C8000000   MOV EDI,DWORD PTR DS:[ECX+0C8]
FFF91229    89C6            MOV ESI,EAX
FFF9122B    89D1            MOV ECX,EDX
FFF9122D    BA FFFFFFFF     MOV EDX,-1
FFF91232    FC              CLD
FFF91233    31C0            XOR EAX,EAX
FFF91235    AC              LODS BYTE PTR DS:[ESI]
FFF91236    31D0            XOR EAX,EDX
FFF91238    25 FF000000     AND EAX,000000FF
FFF9123D    8B0407          MOV EAX,DWORD PTR DS:[EAX+EDI]
FFF91240    C1EA 08         SHR EDX,8
FFF91243    81E2 FFFFFF00   AND EDX,00FFFFFF
FFF91249    31C2            XOR EDX,EAX
FFF9124B    E2 E6           LOOP SHORT FFF91233
FFF9124D    89D0            MOV EAX,EDX
FFF9124F    5E              POP ESI
FFF91250    5F              POP EDI
FFF91251    C3              RETN
 

This can be represented by the following code:

  /*
   * Table-driven checksum over `size` bytes of `buffer` (C rendering of func2).
   *
   * The accumulator starts at all ones and is returned as-is; no final
   * inversion is applied. crc32_tab is declared elsewhere (not shown here).
   *
   * The low byte of (accumulator ^ input byte) is used as a BYTE offset into
   * crc32_tab, mirroring "MOV EAX,DWORD PTR DS:[EAX+EDI]" in the listing,
   * which has no *4 scaling.
   * NOTE(review): a conventional CRC-32 indexes the table by element; with an
   * unscaled offset the loads overlap and may be misaligned. Confirm against
   * the binary before relying on this. The cast-based load is also not
   * portable C (alignment and aliasing).
   */
  unsigned int CheckSum(unsigned char* buffer, size_t size)
  {
      const unsigned char *tableBytes = (const unsigned char*)crc32_tab;
      unsigned int acc = ~0U;
      size_t pos;

      for (pos = 0; pos < size; pos++)
      {
          const unsigned int offset = (acc ^ buffer[pos]) & 0xFF;
          acc = *(const unsigned int*)(tableBytes + offset) ^ (acc >> 8);
      }

      return acc;
  }

III - func3

This function, which we'll call func3, is a bit bigger and trickier. Its asm code is shown below:

CPU Disasm
Address   Hex dump          Command                                  Comments
FFF909DC    8B90 F0000000   MOV EDX,DWORD PTR DS:[EAX+0F0] ;Pointer to an array1 of int* pointers
FFF909E2    31C9            XOR ECX,ECX
FFF909E4    8B7A 30         MOV EDI,DWORD PTR DS:[EDX+30]  ;Get first pointer (00756DB0)
FFF909E7    890F            MOV DWORD PTR DS:[EDI],ECX     ;Make it point to zero
FFF909E9    8B72 34         MOV ESI,DWORD PTR DS:[EDX+34]  ;Get second pointer (00756DB4)
FFF909EC    890E            MOV DWORD PTR DS:[ESI],ECX     ;Make it point to zero
FFF909EE    8B7A 38         MOV EDI,DWORD PTR DS:[EDX+38]  ;Get third pointer (00756DB8)
FFF909F1    890F            MOV DWORD PTR DS:[EDI],ECX     ;Make it point to zero
FFF909F3    8B88 80000000   MOV ECX,DWORD PTR DS:[EAX+80] ;Pointer to license buffer
FFF909F9    8B72 08         MOV ESI,DWORD PTR DS:[EDX+8]  ;Pointer to an array2 of int variables
FFF909FC    8B01            MOV EAX,DWORD PTR DS:[ECX]    ;Get first dword from license buffer
FFF909FE    8906            MOV DWORD PTR DS:[ESI],EAX    ;Save it to array2[0] (00756C1C)
FFF90A00    8B41 04         MOV EAX,DWORD PTR DS:[ECX+4]  ;Get second dword from license buffer
FFF90A03    8946 04         MOV DWORD PTR DS:[ESI+4],EAX  ;Save it to array2[1] (00756C20)
FFF90A06    8B41 08         MOV EAX,DWORD PTR DS:[ECX+8]  ;Get third dword from license buffer
FFF90A09    8946 08         MOV DWORD PTR DS:[ESI+8],EAX  ;Save it to array2[2] (00756C24)
FFF90A0C    8B72 14         MOV ESI,DWORD PTR DS:[EDX+14] ;Pointer to an array3 of int variables
FFF90A0F    8B41 0C         MOV EAX,DWORD PTR DS:[ECX+0C] ;Get 4th dword from license buffer
FFF90A12    8906            MOV DWORD PTR DS:[ESI],EAX    ;Save it to array3[0] (00756D90)
FFF90A14    8B41 10         MOV EAX,DWORD PTR DS:[ECX+10] ;Get 5th dword from license buffer
FFF90A17    8946 04         MOV DWORD PTR DS:[ESI+4],EAX  ;Save it to array3[1] (00756D94)
FFF90A1A    8B41 14         MOV EAX,DWORD PTR DS:[ECX+14] ;Get 6th dword from license buffer
FFF90A1D    8946 08         MOV DWORD PTR DS:[ESI+8],EAX  ;Save it to array3[2] (00756D98)
FFF90A20    8D59 30         LEA EBX,[ECX+30]       ;license buffer pointer + 0x30
FFF90A23    8B73 70         MOV ESI,DWORD PTR DS:[EBX+70] ;Get dword at location license buffer + 0x30 + 0x70
FFF90A26    8D7431 30       LEA ESI,[ESI+ECX+30] ;license buffer pointer + 0x30 + dword at location license buffer + 0x30 + 0x70
FFF90A2A    52              PUSH EDX
FFF90A2B    51              PUSH ECX
FFF90A2C    89F0            MOV EAX,ESI
FFF90A2E    BA 06000000     MOV EDX,6
FFF90A33    E8 5C010000     CALL FFF90B94 ;Call func2
FFF90A38    59              POP ECX
FFF90A39    5A              POP EDX
FFF90A3A    8B5A 18         MOV EBX,DWORD PTR DS:[EDX+18] ;Pointer to a checkSums array of int variables
FFF90A3D    8903            MOV DWORD PTR DS:[EBX],EAX ;Save returned value to checkSums[0] (00756D9C)
FFF90A3F    83C6 06         ADD ESI,6
FFF90A42    52              PUSH EDX
FFF90A43    51              PUSH ECX
FFF90A44    89F0            MOV EAX,ESI
FFF90A46    BA 06000000     MOV EDX,6
FFF90A4B    E8 44010000     CALL FFF90B94 ;Call func2
FFF90A50    59              POP ECX
FFF90A51    5A              POP EDX
FFF90A52    8B5A 18         MOV EBX,DWORD PTR DS:[EDX+18] ;Pointer to a checkSums array of int variables
FFF90A55    8943 04         MOV DWORD PTR DS:[EBX+4],EAX ;Save returned value to checkSums[1] (00756DA0)
FFF90A58    83C6 06         ADD ESI,6
FFF90A5B    52              PUSH EDX
FFF90A5C    51              PUSH ECX
FFF90A5D    89F0            MOV EAX,ESI
FFF90A5F    BA 06000000     MOV EDX,6
FFF90A64    E8 2B010000     CALL FFF90B94 ;Call func2
FFF90A69    59              POP ECX
FFF90A6A    5A              POP EDX
FFF90A6B    8B5A 18         MOV EBX,DWORD PTR DS:[EDX+18] ;Pointer to a checkSums array of int variables
FFF90A6E    8943 08         MOV DWORD PTR DS:[EBX+8],EAX ;Save returned value to checkSums[2] (00756DA4)
FFF90A71    8D71 18         LEA ESI,[ECX+18] ;license buffer pointer + 0x18
FFF90A74    8B3A            MOV EDI,DWORD PTR DS:[EDX] ;Pointer to tempBuffer (of size 8 bytes)
FFF90A76    89D0            MOV EAX,EDX
FFF90A78    57              PUSH EDI
FFF90A79    FC              CLD
FFF90A7A    A5              MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES ;Copy dword from license buffer pointer + 0x18
FFF90A7B    66:A5           MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI] ;Copy word from license buffer pointer + 0x18 + 4
FFF90A7D    E8 38F9FFFF     CALL FFF903BA ;Call func3_2
FFF90A82    8B6C24 04       MOV EBP,DWORD PTR SS:[ESP+4]
FFF90A86    E8 35FEFFFF     CALL FFF908C0
FFF90A8B    8B3C24          MOV EDI,DWORD PTR SS:[ESP]
FFF90A8E    FC              CLD
FFF90A8F    A5              MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES
FFF90A90    66:A5           MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI]
FFF90A92    E8 23F9FFFF     CALL FFF903BA
FFF90A97    8B6C24 04       MOV EBP,DWORD PTR SS:[ESP+4]
FFF90A9B    E8 66FEFFFF     CALL FFF90906
FFF90AA0    8B3C24          MOV EDI,DWORD PTR SS:[ESP]
FFF90AA3    FC              CLD
FFF90AA4    A5              MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES
FFF90AA5    66:A5           MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI]
FFF90AA7    E8 0EF9FFFF     CALL FFF903BA
FFF90AAC    8B6C24 04       MOV EBP,DWORD PTR SS:[ESP+4]
FFF90AB0    E8 9CFEFFFF     CALL FFF90951
FFF90AB5    8B3C24          MOV EDI,DWORD PTR SS:[ESP]
FFF90AB8    FC              CLD
FFF90AB9    A5              MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES
FFF90ABA    66:A5           MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI]
FFF90ABC    E8 F9F8FFFF     CALL FFF903BA
FFF90AC1    8B6C24 04       MOV EBP,DWORD PTR SS:[ESP+4]
FFF90AC5    E8 CAFEFFFF     CALL FFF90994
FFF90ACA    5F              POP EDI
FFF90ACB    8B2C24          MOV EBP,DWORD PTR SS:[ESP]
FFF90ACE    8B72 14         MOV ESI,DWORD PTR DS:[EDX+14]
FFF90AD1    8B85 F4000000   MOV EAX,DWORD PTR SS:[EBP+0F4]
FFF90AD7    8906            MOV DWORD PTR DS:[ESI],EAX
FFF90AD9    8B85 F8000000   MOV EAX,DWORD PTR SS:[EBP+0F8]
FFF90ADF    8946 04         MOV DWORD PTR DS:[ESI+4],EAX
FFF90AE2    8B85 FC000000   MOV EAX,DWORD PTR SS:[EBP+0FC]
FFF90AE8    8946 08         MOV DWORD PTR DS:[ESI+8],EAX
FFF90AEB    8B72 18         MOV ESI,DWORD PTR DS:[EDX+18]
FFF90AEE    8B85 00010000   MOV EAX,DWORD PTR SS:[EBP+100]
FFF90AF4    8906            MOV DWORD PTR DS:[ESI],EAX
FFF90AF6    8B85 04010000   MOV EAX,DWORD PTR SS:[EBP+104]
FFF90AFC    8946 04         MOV DWORD PTR DS:[ESI+4],EAX
FFF90AFF    8B85 08010000   MOV EAX,DWORD PTR SS:[EBP+108]
FFF90B05    8946 08         MOV DWORD PTR DS:[ESI+8],EAX
FFF90B08    31DB            XOR EBX,EBX
FFF90B0A    8B7A 08         MOV EDI,DWORD PTR DS:[EDX+8]
FFF90B0D    8B72 30         MOV ESI,DWORD PTR DS:[EDX+30]
FFF90B10    8B06            MOV EAX,DWORD PTR DS:[ESI]
FFF90B12    891E            MOV DWORD PTR DS:[ESI],EBX
FFF90B14    8907            MOV DWORD PTR DS:[EDI],EAX
FFF90B16    8B72 34         MOV ESI,DWORD PTR DS:[EDX+34]
FFF90B19    8B06            MOV EAX,DWORD PTR DS:[ESI]
FFF90B1B    891E            MOV DWORD PTR DS:[ESI],EBX
FFF90B1D    8947 04         MOV DWORD PTR DS:[EDI+4],EAX
FFF90B20    8B72 38         MOV ESI,DWORD PTR DS:[EDX+38]
FFF90B23    8B06            MOV EAX,DWORD PTR DS:[ESI]
FFF90B25    891E            MOV DWORD PTR DS:[ESI],EBX
FFF90B27    8947 08         MOV DWORD PTR DS:[EDI+8],EAX
FFF90B2A    8D59 30         LEA EBX,[ECX+30]
FFF90B2D    8B73 70         MOV ESI,DWORD PTR DS:[EBX+70]
FFF90B30    8D7431 30       LEA ESI,[ESI+ECX+30]
FFF90B34    8B3A            MOV EDI,DWORD PTR DS:[EDX]
FFF90B36    89D0            MOV EAX,EDX
FFF90B38    57              PUSH EDI
FFF90B39    FC              CLD
FFF90B3A    A5              MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES
FFF90B3B    66:A5           MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI]
FFF90B3D    E8 78F8FFFF     CALL FFF903BA
FFF90B42    8B6C24 04       MOV EBP,DWORD PTR SS:[ESP+4]
FFF90B46    E8 75FDFFFF     CALL FFF908C0
FFF90B4B    8B3C24          MOV EDI,DWORD PTR SS:[ESP]
FFF90B4E    FC              CLD
FFF90B4F    A5              MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES
FFF90B50    66:A5           MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI]
FFF90B52    E8 63F8FFFF     CALL FFF903BA
FFF90B57    8B6C24 04       MOV EBP,DWORD PTR SS:[ESP+4]
FFF90B5B    E8 A6FDFFFF     CALL FFF90906
FFF90B60    8B3C24          MOV EDI,DWORD PTR SS:[ESP]
FFF90B63    FC              CLD
FFF90B64    A5              MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES
FFF90B65    66:A5           MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI]
FFF90B67    E8 4EF8FFFF     CALL FFF903BA
FFF90B6C    8B6C24 04       MOV EBP,DWORD PTR SS:[ESP+4]
FFF90B70    E8 DCFDFFFF     CALL FFF90951
FFF90B75    8B3C24          MOV EDI,DWORD PTR SS:[ESP]
FFF90B78    FC              CLD
FFF90B79    A5              MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES
FFF90B7A    66:A5           MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI]
FFF90B7C    E8 39F8FFFF     CALL FFF903BA
FFF90B81    8B6C24 04       MOV EBP,DWORD PTR SS:[ESP+4]
FFF90B85    E8 0AFEFFFF     CALL FFF90994
FFF90B8A    5F              POP EDI
FFF90B8B    58              POP EAX
FFF90B8C    61              POPAD
FFF90B8D    C3              RETN
 
This function is bigger than the previous ones. It makes multiple calls to the following functions:


  • function FFF90B94 (let's name this func3_1) called 3 times
  • function FFF903BA (let's name this func3_2) called 8 times
  • function FFF908C0 (let's name this func3_3) called twice
  • function FFF90906 (let's name this func3_4) called twice
  • function FFF90951 (let's name this func3_5) called twice
  • function FFF90994 (let's name this func3_6) called twice

Let's see what code is behind func3_1:

No, wait: it is the same code as function FFF9121E (func2), so there is no need to show it again.


So, func3_1 = func2

OK, let's look at the code of func3_2:

CPU Disasm
Address   Hex dump          Command                                  Comments
FFF907DF    8B1424          MOV EDX,DWORD PTR SS:[ESP]               ; PTR to ASCII "333333"
FFF907E2    8B32            MOV ESI,DWORD PTR DS:[EDX]
FFF907E4    8B7A 04         MOV EDI,DWORD PTR DS:[EDX+4]
FFF907E7    8B3F            MOV EDI,DWORD PTR DS:[EDI]
FFF907E9    8B52 08         MOV EDX,DWORD PTR DS:[EDX+8]
FFF907EC    8B2A            MOV EBP,DWORD PTR DS:[EDX]
FFF907EE    8B4A 04         MOV ECX,DWORD PTR DS:[EDX+4]
FFF907F1    8B5A 08         MOV EBX,DWORD PTR DS:[EDX+8]
FFF907F4    31D2            XOR EDX,EDX
FFF907F6    31C0            XOR EAX,EAX
FFF907F8    8B06            MOV EAX,DWORD PTR DS:[ESI]
FFF907FA    31E8            XOR EAX,EBP
FFF907FC    46              INC ESI
FFF907FD    C1ED 08         SHR EBP,8
FFF90800    25 FF000000     AND EAX,000000FF
FFF90805    52              PUSH EDX
FFF90806    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF9080A    8B52 0C         MOV EDX,DWORD PTR DS:[EDX+0C]
FFF9080D    332C82          XOR EBP,DWORD PTR DS:[EAX*4+EDX]
FFF90810    5A              POP EDX
FFF90811    50              PUSH EAX
FFF90812    8B4424 04       MOV EAX,DWORD PTR SS:[ESP+4]
FFF90816    8B40 08         MOV EAX,DWORD PTR DS:[EAX+8]
FFF90819    896C02 10       MOV DWORD PTR DS:[EAX+EDX+10],EBP
FFF9081D    58              POP EAX
FFF9081E    89E8            MOV EAX,EBP
FFF90820    25 FF000000     AND EAX,000000FF
FFF90825    01C1            ADD ECX,EAX
FFF90827    89C8            MOV EAX,ECX
FFF90829    C1E0 08         SHL EAX,8
FFF9082C    01C8            ADD EAX,ECX
FFF9082E    C1E0 04         SHL EAX,4
FFF90831    01C8            ADD EAX,ECX
FFF90833    C1E0 05         SHL EAX,5
FFF90836    01C8            ADD EAX,ECX
FFF90838    C1E0 08         SHL EAX,8
FFF9083B    01C8            ADD EAX,ECX
FFF9083D    8D4481 01       LEA EAX,[EAX*4+ECX+1]
FFF90841    89C1            MOV ECX,EAX
FFF90843    51              PUSH ECX
FFF90844    8B4C24 04       MOV ECX,DWORD PTR SS:[ESP+4]
FFF90848    8B49 08         MOV ECX,DWORD PTR DS:[ECX+8]
FFF9084B    89440A 10       MOV DWORD PTR DS:[ECX+EDX+10],EAX
FFF9084F    59              POP ECX
FFF90850    0FC8            BSWAP EAX
FFF90852    31D8            XOR EAX,EBX
FFF90854    25 FF000000     AND EAX,000000FF
FFF90859    C1EB 08         SHR EBX,8
FFF9085C    52              PUSH EDX
FFF9085D    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF90861    8B52 0C         MOV EDX,DWORD PTR DS:[EDX+0C]
FFF90864    331C82          XOR EBX,DWORD PTR DS:[EAX*4+EDX]
FFF90867    5A              POP EDX
FFF90868    50              PUSH EAX
FFF90869    8B4424 04       MOV EAX,DWORD PTR SS:[ESP+4]
FFF9086D    8B40 08         MOV EAX,DWORD PTR DS:[EAX+8]
FFF90870    895C02 18       MOV DWORD PTR DS:[EAX+EDX+18],EBX
FFF90874    58              POP EAX
FFF90875    83C2 10         ADD EDX,10
FFF90878    4F              DEC EDI
FFF90879  ^ 0F85 79FFFFFF   JNE FFF907F8
FFF9087F    8B0424          MOV EAX,DWORD PTR SS:[ESP]
FFF90882    8B70 14         MOV ESI,DWORD PTR DS:[EAX+14]
FFF90885    8B50 1C         MOV EDX,DWORD PTR DS:[EAX+1C]
FFF90888    8B12            MOV EDX,DWORD PTR DS:[EDX]
FFF9088A    8B40 10         MOV EAX,DWORD PTR DS:[EAX+10]
FFF9088D    8928            MOV DWORD PTR DS:[EAX],EBP
FFF9088F    8948 04         MOV DWORD PTR DS:[EAX+4],ECX
FFF90892    8958 08         MOV DWORD PTR DS:[EAX+8],EBX
FFF90895    E8 27FBFFFF     CALL FFF903C1 ;Call func3_2_1
FFF9089A    8B1424          MOV EDX,DWORD PTR SS:[ESP]
FFF9089D    8B52 24         MOV EDX,DWORD PTR DS:[EDX+24]
FFF908A0    8902            MOV DWORD PTR DS:[EDX],EAX ;Save returned value to 00756DA8
FFF908A2    8B0424          MOV EAX,DWORD PTR SS:[ESP]
FFF908A5    8B70 18         MOV ESI,DWORD PTR DS:[EAX+18]
FFF908A8    8B50 20         MOV EDX,DWORD PTR DS:[EAX+20]
FFF908AB    8B12            MOV EDX,DWORD PTR DS:[EDX]
FFF908AD    8B40 10         MOV EAX,DWORD PTR DS:[EAX+10]
FFF908B0    E8 0CFBFFFF     CALL FFF903C1 ;Call func3_2_1
FFF908B5    8B1424          MOV EDX,DWORD PTR SS:[ESP]
FFF908B8    8B52 28         MOV EDX,DWORD PTR DS:[EDX+28]
FFF908BB    8902            MOV DWORD PTR DS:[EDX],EAX ;Save returned value to 00756DAC
FFF908BD    58              POP EAX
FFF908BE    61              POPAD
FFF908BF    C3              RETN
 
The function func3_2 calls the function FFF903C1, let's give FFF903C1 the name func3_2_1

func3_2_1 has the following asm code (it appears to contain an inlined routine that is repeated a number of times):

CPU Disasm
Address   Hex dump          Command                                  Comments
FFF903C1    8B28            MOV EBP,DWORD PTR DS:[EAX]
FFF903C3    8B48 04         MOV ECX,DWORD PTR DS:[EAX+4]
FFF903C6    8B58 08         MOV EBX,DWORD PTR DS:[EAX+8]
FFF903C9    8B78 0C         MOV EDI,DWORD PTR DS:[EAX+0C]
FFF903CC    8B40 10         MOV EAX,DWORD PTR DS:[EAX+10]
FFF903CF    50              PUSH EAX
FFF903D0    89D8            MOV EAX,EBX
FFF903D2    25 FFFF0000     AND EAX,0000FFFF
FFF903D7    C1E8 02         SHR EAX,2
FFF903DA    8B0438          MOV EAX,DWORD PTR DS:[EDI+EAX]
FFF903DD    3306            XOR EAX,DWORD PTR DS:[ESI]
FFF903DF    31E8            XOR EAX,EBP
FFF903E1    25 FF000000     AND EAX,000000FF
FFF903E6    C1ED 08         SHR EBP,8
FFF903E9    52              PUSH EDX
FFF903EA    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF903EE    332C82          XOR EBP,DWORD PTR DS:[EAX*4+EDX]
FFF903F1    5A              POP EDX
FFF903F2    89E8            MOV EAX,EBP
FFF903F4    25 FF000000     AND EAX,000000FF
FFF903F9    01C1            ADD ECX,EAX
FFF903FB    89C8            MOV EAX,ECX
FFF903FD    C1E0 08         SHL EAX,8
FFF90400    01C8            ADD EAX,ECX
FFF90402    C1E0 04         SHL EAX,4
FFF90405    01C8            ADD EAX,ECX
FFF90407    C1E0 05         SHL EAX,5
FFF9040A    01C8            ADD EAX,ECX
FFF9040C    C1E0 08         SHL EAX,8
FFF9040F    01C8            ADD EAX,ECX
FFF90411    8D4481 01       LEA EAX,[EAX*4+ECX+1]
FFF90415    89C1            MOV ECX,EAX
FFF90417    0FC8            BSWAP EAX
FFF90419    31D8            XOR EAX,EBX
FFF9041B    25 FF000000     AND EAX,000000FF
FFF90420    C1EB 08         SHR EBX,8
FFF90423    52              PUSH EDX
FFF90424    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF90428    331C82          XOR EBX,DWORD PTR DS:[EAX*4+EDX]
FFF9042B    5A              POP EDX
FFF9042C    89D8            MOV EAX,EBX
FFF9042E    25 FFFF0000     AND EAX,0000FFFF
FFF90433    C1E8 02         SHR EAX,2
FFF90436    8B0438          MOV EAX,DWORD PTR DS:[EDI+EAX]
FFF90439    3346 01         XOR EAX,DWORD PTR DS:[ESI+1]
FFF9043C    31E8            XOR EAX,EBP
FFF9043E    25 FF000000     AND EAX,000000FF
FFF90443    C1ED 08         SHR EBP,8
FFF90446    52              PUSH EDX
FFF90447    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF9044B    332C82          XOR EBP,DWORD PTR DS:[EAX*4+EDX]
FFF9044E    5A              POP EDX
FFF9044F    89E8            MOV EAX,EBP
FFF90451    25 FF000000     AND EAX,000000FF
FFF90456    01C1            ADD ECX,EAX
FFF90458    89C8            MOV EAX,ECX
FFF9045A    C1E0 08         SHL EAX,8
FFF9045D    01C8            ADD EAX,ECX
FFF9045F    C1E0 04         SHL EAX,4
FFF90462    01C8            ADD EAX,ECX
FFF90464    C1E0 05         SHL EAX,5
FFF90467    01C8            ADD EAX,ECX
FFF90469    C1E0 08         SHL EAX,8
FFF9046C    01C8            ADD EAX,ECX
FFF9046E    8D4481 01       LEA EAX,[EAX*4+ECX+1]
FFF90472    89C1            MOV ECX,EAX
FFF90474    0FC8            BSWAP EAX
FFF90476    31D8            XOR EAX,EBX
FFF90478    25 FF000000     AND EAX,000000FF
FFF9047D    C1EB 08         SHR EBX,8
FFF90480    52              PUSH EDX
FFF90481    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF90485    331C82          XOR EBX,DWORD PTR DS:[EAX*4+EDX]
FFF90488    5A              POP EDX
FFF90489    89D8            MOV EAX,EBX
FFF9048B    25 FFFF0000     AND EAX,0000FFFF
FFF90490    C1E8 02         SHR EAX,2
FFF90493    8B0438          MOV EAX,DWORD PTR DS:[EDI+EAX]
FFF90496    3346 02         XOR EAX,DWORD PTR DS:[ESI+2]
FFF90499    31E8            XOR EAX,EBP
FFF9049B    25 FF000000     AND EAX,000000FF
FFF904A0    C1ED 08         SHR EBP,8
FFF904A3    52              PUSH EDX
FFF904A4    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF904A8    332C82          XOR EBP,DWORD PTR DS:[EAX*4+EDX]
FFF904AB    5A              POP EDX
FFF904AC    89E8            MOV EAX,EBP
FFF904AE    25 FF000000     AND EAX,000000FF
FFF904B3    01C1            ADD ECX,EAX
FFF904B5    89C8            MOV EAX,ECX
FFF904B7    C1E0 08         SHL EAX,8
FFF904BA    01C8            ADD EAX,ECX
FFF904BC    C1E0 04         SHL EAX,4
FFF904BF    01C8            ADD EAX,ECX
FFF904C1    C1E0 05         SHL EAX,5
FFF904C4    01C8            ADD EAX,ECX
FFF904C6    C1E0 08         SHL EAX,8
FFF904C9    01C8            ADD EAX,ECX
FFF904CB    8D4481 01       LEA EAX,[EAX*4+ECX+1]
FFF904CF    89C1            MOV ECX,EAX
FFF904D1    0FC8            BSWAP EAX
FFF904D3    31D8            XOR EAX,EBX
FFF904D5    25 FF000000     AND EAX,000000FF
FFF904DA    C1EB 08         SHR EBX,8
FFF904DD    52              PUSH EDX
FFF904DE    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF904E2    331C82          XOR EBX,DWORD PTR DS:[EAX*4+EDX]
FFF904E5    5A              POP EDX
FFF904E6    89D8            MOV EAX,EBX
FFF904E8    25 FFFF0000     AND EAX,0000FFFF
FFF904ED    C1E8 02         SHR EAX,2
FFF904F0    8B0438          MOV EAX,DWORD PTR DS:[EDI+EAX]
FFF904F3    3346 03         XOR EAX,DWORD PTR DS:[ESI+3]
FFF904F6    31E8            XOR EAX,EBP
FFF904F8    25 FF000000     AND EAX,000000FF
FFF904FD    C1ED 08         SHR EBP,8
FFF90500    52              PUSH EDX
FFF90501    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF90505    332C82          XOR EBP,DWORD PTR DS:[EAX*4+EDX]
FFF90508    5A              POP EDX
FFF90509    89E8            MOV EAX,EBP
FFF9050B    25 FF000000     AND EAX,000000FF
FFF90510    01C1            ADD ECX,EAX
FFF90512    89C8            MOV EAX,ECX
FFF90514    C1E0 08         SHL EAX,8
FFF90517    01C8            ADD EAX,ECX
FFF90519    C1E0 04         SHL EAX,4
FFF9051C    01C8            ADD EAX,ECX
FFF9051E    C1E0 05         SHL EAX,5
FFF90521    01C8            ADD EAX,ECX
FFF90523    C1E0 08         SHL EAX,8
FFF90526    01C8            ADD EAX,ECX
FFF90528    8D4481 01       LEA EAX,[EAX*4+ECX+1]
FFF9052C    89C1            MOV ECX,EAX
FFF9052E    0FC8            BSWAP EAX
FFF90530    31D8            XOR EAX,EBX
FFF90532    25 FF000000     AND EAX,000000FF
FFF90537    C1EB 08         SHR EBX,8
FFF9053A    52              PUSH EDX
FFF9053B    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF9053F    331C82          XOR EBX,DWORD PTR DS:[EAX*4+EDX]
FFF90542    5A              POP EDX
FFF90543    89D8            MOV EAX,EBX
FFF90545    25 FFFF0000     AND EAX,0000FFFF
FFF9054A    C1E8 02         SHR EAX,2
FFF9054D    8B0438          MOV EAX,DWORD PTR DS:[EDI+EAX]
FFF90550    3346 04         XOR EAX,DWORD PTR DS:[ESI+4]
FFF90553    31E8            XOR EAX,EBP
FFF90555    25 FF000000     AND EAX,000000FF
FFF9055A    C1ED 08         SHR EBP,8
FFF9055D    52              PUSH EDX
FFF9055E    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF90562    332C82          XOR EBP,DWORD PTR DS:[EAX*4+EDX]
FFF90565    5A              POP EDX
FFF90566    89E8            MOV EAX,EBP
FFF90568    25 FF000000     AND EAX,000000FF
FFF9056D    01C1            ADD ECX,EAX
FFF9056F    89C8            MOV EAX,ECX
FFF90571    C1E0 08         SHL EAX,8
FFF90574    01C8            ADD EAX,ECX
FFF90576    C1E0 04         SHL EAX,4
FFF90579    01C8            ADD EAX,ECX
FFF9057B    C1E0 05         SHL EAX,5
FFF9057E    01C8            ADD EAX,ECX
FFF90580    C1E0 08         SHL EAX,8
FFF90583    01C8            ADD EAX,ECX
FFF90585    8D4481 01       LEA EAX,[EAX*4+ECX+1]
FFF90589    89C1            MOV ECX,EAX
FFF9058B    0FC8            BSWAP EAX
FFF9058D    31D8            XOR EAX,EBX
FFF9058F    25 FF000000     AND EAX,000000FF
FFF90594    C1EB 08         SHR EBX,8
FFF90597    52              PUSH EDX
FFF90598    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF9059C    331C82          XOR EBX,DWORD PTR DS:[EAX*4+EDX]
FFF9059F    5A              POP EDX
FFF905A0    89D8            MOV EAX,EBX
FFF905A2    25 FFFF0000     AND EAX,0000FFFF
FFF905A7    C1E8 02         SHR EAX,2
FFF905AA    8B0438          MOV EAX,DWORD PTR DS:[EDI+EAX]
FFF905AD    3346 05         XOR EAX,DWORD PTR DS:[ESI+5]
FFF905B0    31E8            XOR EAX,EBP
FFF905B2    25 FF000000     AND EAX,000000FF
FFF905B7    C1ED 08         SHR EBP,8
FFF905BA    52              PUSH EDX
FFF905BB    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF905BF    332C82          XOR EBP,DWORD PTR DS:[EAX*4+EDX]
FFF905C2    5A              POP EDX
FFF905C3    89E8            MOV EAX,EBP
FFF905C5    25 FF000000     AND EAX,000000FF
FFF905CA    01C1            ADD ECX,EAX
FFF905CC    89C8            MOV EAX,ECX
FFF905CE    C1E0 08         SHL EAX,8
FFF905D1    01C8            ADD EAX,ECX
FFF905D3    C1E0 04         SHL EAX,4
FFF905D6    01C8            ADD EAX,ECX
FFF905D8    C1E0 05         SHL EAX,5
FFF905DB    01C8            ADD EAX,ECX
FFF905DD    C1E0 08         SHL EAX,8
FFF905E0    01C8            ADD EAX,ECX
FFF905E2    8D4481 01       LEA EAX,[EAX*4+ECX+1]
FFF905E6    89C1            MOV ECX,EAX
FFF905E8    0FC8            BSWAP EAX
FFF905EA    31D8            XOR EAX,EBX
FFF905EC    25 FF000000     AND EAX,000000FF
FFF905F1    C1EB 08         SHR EBX,8
FFF905F4    52              PUSH EDX
FFF905F5    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF905F9    331C82          XOR EBX,DWORD PTR DS:[EAX*4+EDX]
FFF905FC    5A              POP EDX
FFF905FD    89D8            MOV EAX,EBX
FFF905FF    25 FFFF0000     AND EAX,0000FFFF
FFF90604    C1E8 02         SHR EAX,2
FFF90607    8B0438          MOV EAX,DWORD PTR DS:[EDI+EAX]
FFF9060A    3346 06         XOR EAX,DWORD PTR DS:[ESI+6]
FFF9060D    31E8            XOR EAX,EBP
FFF9060F    25 FF000000     AND EAX,000000FF
FFF90614    C1ED 08         SHR EBP,8
FFF90617    52              PUSH EDX
FFF90618    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF9061C    332C82          XOR EBP,DWORD PTR DS:[EAX*4+EDX]
FFF9061F    5A              POP EDX
FFF90620    89E8            MOV EAX,EBP
FFF90622    25 FF000000     AND EAX,000000FF
FFF90627    01C1            ADD ECX,EAX
FFF90629    89C8            MOV EAX,ECX
FFF9062B    C1E0 08         SHL EAX,8
FFF9062E    01C8            ADD EAX,ECX
FFF90630    C1E0 04         SHL EAX,4
FFF90633    01C8            ADD EAX,ECX
FFF90635    C1E0 05         SHL EAX,5
FFF90638    01C8            ADD EAX,ECX
FFF9063A    C1E0 08         SHL EAX,8
FFF9063D    01C8            ADD EAX,ECX
FFF9063F    8D4481 01       LEA EAX,[EAX*4+ECX+1]
FFF90643    89C1            MOV ECX,EAX
FFF90645    0FC8            BSWAP EAX
FFF90647    31D8            XOR EAX,EBX
FFF90649    25 FF000000     AND EAX,000000FF
FFF9064E    C1EB 08         SHR EBX,8
FFF90651    52              PUSH EDX
FFF90652    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF90656    331C82          XOR EBX,DWORD PTR DS:[EAX*4+EDX]
FFF90659    5A              POP EDX
FFF9065A    89D8            MOV EAX,EBX
FFF9065C    25 FFFF0000     AND EAX,0000FFFF
FFF90661    C1E8 02         SHR EAX,2
FFF90664    8B0438          MOV EAX,DWORD PTR DS:[EDI+EAX]
FFF90667    3346 07         XOR EAX,DWORD PTR DS:[ESI+7]
FFF9066A    31E8            XOR EAX,EBP
FFF9066C    25 FF000000     AND EAX,000000FF
FFF90671    C1ED 08         SHR EBP,8
FFF90674    52              PUSH EDX
FFF90675    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF90679    332C82          XOR EBP,DWORD PTR DS:[EAX*4+EDX]
FFF9067C    5A              POP EDX
FFF9067D    89E8            MOV EAX,EBP
FFF9067F    25 FF000000     AND EAX,000000FF
FFF90684    01C1            ADD ECX,EAX
FFF90686    89C8            MOV EAX,ECX
FFF90688    C1E0 08         SHL EAX,8
FFF9068B    01C8            ADD EAX,ECX
FFF9068D    C1E0 04         SHL EAX,4
FFF90690    01C8            ADD EAX,ECX
FFF90692    C1E0 05         SHL EAX,5
FFF90695    01C8            ADD EAX,ECX
FFF90697    C1E0 08         SHL EAX,8
FFF9069A    01C8            ADD EAX,ECX
FFF9069C    8D4481 01       LEA EAX,[EAX*4+ECX+1]
FFF906A0    89C1            MOV ECX,EAX
FFF906A2    0FC8            BSWAP EAX
FFF906A4    31D8            XOR EAX,EBX
FFF906A6    25 FF000000     AND EAX,000000FF
FFF906AB    C1EB 08         SHR EBX,8
FFF906AE    52              PUSH EDX
FFF906AF    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF906B3    331C82          XOR EBX,DWORD PTR DS:[EAX*4+EDX]
FFF906B6    5A              POP EDX
FFF906B7    89D8            MOV EAX,EBX
FFF906B9    25 FFFF0000     AND EAX,0000FFFF
FFF906BE    C1E8 02         SHR EAX,2
FFF906C1    8B0438          MOV EAX,DWORD PTR DS:[EDI+EAX]
FFF906C4    3346 08         XOR EAX,DWORD PTR DS:[ESI+8]
FFF906C7    31E8            XOR EAX,EBP
FFF906C9    25 FF000000     AND EAX,000000FF
FFF906CE    C1ED 08         SHR EBP,8
FFF906D1    52              PUSH EDX
FFF906D2    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF906D6    332C82          XOR EBP,DWORD PTR DS:[EAX*4+EDX]
FFF906D9    5A              POP EDX
FFF906DA    89E8            MOV EAX,EBP
FFF906DC    25 FF000000     AND EAX,000000FF
FFF906E1    01C1            ADD ECX,EAX
FFF906E3    89C8            MOV EAX,ECX
FFF906E5    C1E0 08         SHL EAX,8
FFF906E8    01C8            ADD EAX,ECX
FFF906EA    C1E0 04         SHL EAX,4
FFF906ED    01C8            ADD EAX,ECX
FFF906EF    C1E0 05         SHL EAX,5
FFF906F2    01C8            ADD EAX,ECX
FFF906F4    C1E0 08         SHL EAX,8
FFF906F7    01C8            ADD EAX,ECX
FFF906F9    8D4481 01       LEA EAX,[EAX*4+ECX+1]
FFF906FD    89C1            MOV ECX,EAX
FFF906FF    0FC8            BSWAP EAX
FFF90701    31D8            XOR EAX,EBX
FFF90703    25 FF000000     AND EAX,000000FF
FFF90708    C1EB 08         SHR EBX,8
FFF9070B    52              PUSH EDX
FFF9070C    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF90710    331C82          XOR EBX,DWORD PTR DS:[EAX*4+EDX]
FFF90713    5A              POP EDX
FFF90714    89D8            MOV EAX,EBX
FFF90716    25 FFFF0000     AND EAX,0000FFFF
FFF9071B    C1E8 02         SHR EAX,2
FFF9071E    8B0438          MOV EAX,DWORD PTR DS:[EDI+EAX]
FFF90721    3346 09         XOR EAX,DWORD PTR DS:[ESI+9]
FFF90724    31E8            XOR EAX,EBP
FFF90726    25 FF000000     AND EAX,000000FF
FFF9072B    C1ED 08         SHR EBP,8
FFF9072E    52              PUSH EDX
FFF9072F    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF90733    332C82          XOR EBP,DWORD PTR DS:[EAX*4+EDX]
FFF90736    5A              POP EDX
FFF90737    89E8            MOV EAX,EBP
FFF90739    25 FF000000     AND EAX,000000FF
FFF9073E    01C1            ADD ECX,EAX
FFF90740    89C8            MOV EAX,ECX
FFF90742    C1E0 08         SHL EAX,8
FFF90745    01C8            ADD EAX,ECX
FFF90747    C1E0 04         SHL EAX,4
FFF9074A    01C8            ADD EAX,ECX
FFF9074C    C1E0 05         SHL EAX,5
FFF9074F    01C8            ADD EAX,ECX
FFF90751    C1E0 08         SHL EAX,8
FFF90754    01C8            ADD EAX,ECX
FFF90756    8D4481 01       LEA EAX,[EAX*4+ECX+1]
FFF9075A    89C1            MOV ECX,EAX
FFF9075C    0FC8            BSWAP EAX
FFF9075E    31D8            XOR EAX,EBX
FFF90760    25 FF000000     AND EAX,000000FF
FFF90765    C1EB 08         SHR EBX,8
FFF90768    52              PUSH EDX
FFF90769    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF9076D    331C82          XOR EBX,DWORD PTR DS:[EAX*4+EDX]
FFF90770    5A              POP EDX
FFF90771    89D8            MOV EAX,EBX
FFF90773    25 FFFF0000     AND EAX,0000FFFF
FFF90778    C1E8 02         SHR EAX,2
FFF9077B    8B0438          MOV EAX,DWORD PTR DS:[EDI+EAX]
FFF9077E    3346 0A         XOR EAX,DWORD PTR DS:[ESI+0A]
FFF90781    31E8            XOR EAX,EBP
FFF90783    25 FF000000     AND EAX,000000FF
FFF90788    C1ED 08         SHR EBP,8
FFF9078B    52              PUSH EDX
FFF9078C    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF90790    332C82          XOR EBP,DWORD PTR DS:[EAX*4+EDX]
FFF90793    5A              POP EDX
FFF90794    89E8            MOV EAX,EBP
FFF90796    25 FF000000     AND EAX,000000FF
FFF9079B    01C1            ADD ECX,EAX
FFF9079D    89C8            MOV EAX,ECX
FFF9079F    C1E0 08         SHL EAX,8
FFF907A2    01C8            ADD EAX,ECX
FFF907A4    C1E0 04         SHL EAX,4
FFF907A7    01C8            ADD EAX,ECX
FFF907A9    C1E0 05         SHL EAX,5
FFF907AC    01C8            ADD EAX,ECX
FFF907AE    C1E0 08         SHL EAX,8
FFF907B1    01C8            ADD EAX,ECX
FFF907B3    8D4481 01       LEA EAX,[EAX*4+ECX+1]
FFF907B7    0FC8            BSWAP EAX
FFF907B9    31D8            XOR EAX,EBX
FFF907BB    25 FF000000     AND EAX,000000FF
FFF907C0    C1EB 08         SHR EBX,8
FFF907C3    52              PUSH EDX
FFF907C4    8B5424 04       MOV EDX,DWORD PTR SS:[ESP+4]
FFF907C8    331C82          XOR EBX,DWORD PTR DS:[EAX*4+EDX]
FFF907CB    5A              POP EDX
FFF907CC    81E3 FFFF0000   AND EBX,0000FFFF
FFF907D2    C1EB 02         SHR EBX,2
FFF907D5    8B043B          MOV EAX,DWORD PTR DS:[EDI+EBX]
FFF907D8    3246 0B         XOR AL,BYTE PTR DS:[ESI+0B]
FFF907DB    0FC8            BSWAP EAX
FFF907DD    5A              POP EDX
FFF907DE    C3              RETN
 

Now, let us take a look at the asm code of the function func3_3:

CPU Disasm
Address   Hex dump          Command                                  Comments
;func3_3: packs two dwords and stores them through pointers held in the structure at [EBP+0F0].
;  *[EBX+38] = ((d0+d1+d2) AND 0F) SHL 1C OR 0000B400, where d0..d2 are the three dwords at EDX.
;  *[EBX+30] = (top byte of *[EBX+24]) in bits 24-31 OR (top byte of *[EBX+28]) in bits 16-23.
;Both stores are plain MOVs, so the previous contents of the two destinations are overwritten.
;NOTE(review): what the pointers at [EBP+0EC] and [EBP+0F0] refer to is not shown in this listing - confirm against the caller.
FFF908C0    60              PUSHAD                                   ;save all general-purpose registers
FFF908C1    8B95 EC000000   MOV EDX,DWORD PTR SS:[EBP+0EC]           ;EDX = pointer read from frame slot EBP+0EC (source of the three dwords)
FFF908C7    8B9D F0000000   MOV EBX,DWORD PTR SS:[EBP+0F0]           ;EBX = pointer read from frame slot EBP+0F0 (structure of pointers)
FFF908CD    8B02            MOV EAX,DWORD PTR DS:[EDX]               ;EAX = d0
FFF908CF    0342 04         ADD EAX,DWORD PTR DS:[EDX+4]             ;EAX += d1 (32-bit wrap-around is harmless, only the low nibble is kept)
FFF908D2    0342 08         ADD EAX,DWORD PTR DS:[EDX+8]             ;EAX += d2
FFF908D5    83E0 0F         AND EAX,0000000F                         ;keep the low 4 bits of the sum
FFF908D8    C1E0 1C         SHL EAX,1C                               ;move that nibble to bits 28-31
FFF908DB    0D 00B40000     OR EAX,0000B400                          ;set constant B4 in bits 8-15
FFF908E0    8B7B 38         MOV EDI,DWORD PTR DS:[EBX+38]            ;EDI = destination pointer stored at EBX+38
FFF908E3    8907            MOV DWORD PTR DS:[EDI],EAX               ;overwrite the first output dword
FFF908E5    8B7B 24         MOV EDI,DWORD PTR DS:[EBX+24]            ;EDI = pointer stored at EBX+24
FFF908E8    8B73 28         MOV ESI,DWORD PTR DS:[EBX+28]            ;ESI = pointer stored at EBX+28
FFF908EB    8B06            MOV EAX,DWORD PTR DS:[ESI]               ;EAX = dword at *[EBX+28]
FFF908ED    25 000000FF     AND EAX,FF000000                         ;isolate its top byte
FFF908F2    C1E8 08         SHR EAX,8                                ;shift that byte down to bits 16-23
FFF908F5    8B17            MOV EDX,DWORD PTR DS:[EDI]               ;EDX = dword at *[EBX+24] (EDX is reused, the source pointer is no longer needed)
FFF908F7    81E2 000000FF   AND EDX,FF000000                         ;isolate its top byte (stays in bits 24-31)
FFF908FD    09C2            OR EDX,EAX                               ;EDX = two top bytes packed into bits 16-31
FFF908FF    8B7B 30         MOV EDI,DWORD PTR DS:[EBX+30]            ;EDI = destination pointer stored at EBX+30
FFF90902    8917            MOV DWORD PTR DS:[EDI],EDX               ;overwrite the second output dword
FFF90904    61              POPAD                                    ;restore the registers saved by PUSHAD
FFF90905    C3              RETN
 

And the asm code for function func3_4:

CPU Disasm
Address   Hex dump          Command                                  Comments
;func3_4: same shape as func3_3, but it merges into the existing output dwords instead of overwriting them.
;  *[EBX+38] |= ((d0+d1+d2) AND 0F) SHL 18 OR 0000007A, where d0..d2 are the three dwords at EDX.
;  *[EBX+30] |= the two packed top bytes of *[EBX+24] and *[EBX+28], shifted down into bits 0-15.
;NOTE(review): the result depends on what is already stored at the destinations; presumably func3_3 has run first - confirm against the caller.
FFF90906    60              PUSHAD                                   ;save all general-purpose registers
FFF90907    8B95 EC000000   MOV EDX,DWORD PTR SS:[EBP+0EC]           ;EDX = pointer read from frame slot EBP+0EC (source of the three dwords)
FFF9090D    8B9D F0000000   MOV EBX,DWORD PTR SS:[EBP+0F0]           ;EBX = pointer read from frame slot EBP+0F0 (structure of pointers)
FFF90913    8B02            MOV EAX,DWORD PTR DS:[EDX]               ;EAX = d0
FFF90915    0342 04         ADD EAX,DWORD PTR DS:[EDX+4]             ;EAX += d1
FFF90918    0342 08         ADD EAX,DWORD PTR DS:[EDX+8]             ;EAX += d2
FFF9091B    83E0 0F         AND EAX,0000000F                         ;keep the low 4 bits of the sum
FFF9091E    C1E0 18         SHL EAX,18                               ;move that nibble to bits 24-27
FFF90921    83C8 7A         OR EAX,0000007A                          ;set constant 7A in bits 0-7
FFF90924    8B7B 38         MOV EDI,DWORD PTR DS:[EBX+38]            ;EDI = destination pointer stored at EBX+38
FFF90927    0B07            OR EAX,DWORD PTR DS:[EDI]                ;merge with the value already stored there
FFF90929    8907            MOV DWORD PTR DS:[EDI],EAX               ;write the merged first output dword back
FFF9092B    8B7B 24         MOV EDI,DWORD PTR DS:[EBX+24]            ;EDI = pointer stored at EBX+24
FFF9092E    8B73 28         MOV ESI,DWORD PTR DS:[EBX+28]            ;ESI = pointer stored at EBX+28
FFF90931    8B06            MOV EAX,DWORD PTR DS:[ESI]               ;EAX = dword at *[EBX+28]
FFF90933    25 000000FF     AND EAX,FF000000                         ;isolate its top byte
FFF90938    C1E8 08         SHR EAX,8                                ;shift that byte down to bits 16-23
FFF9093B    8B17            MOV EDX,DWORD PTR DS:[EDI]               ;EDX = dword at *[EBX+24]
FFF9093D    81E2 000000FF   AND EDX,FF000000                         ;isolate its top byte (bits 24-31)
FFF90943    09C2            OR EDX,EAX                               ;EDX = two top bytes packed into bits 16-31
FFF90945    C1EA 10         SHR EDX,10                               ;move the packed pair down to bits 0-15
FFF90948    8B7B 30         MOV EDI,DWORD PTR DS:[EBX+30]            ;EDI = destination pointer stored at EBX+30
FFF9094B    0B17            OR EDX,DWORD PTR DS:[EDI]                ;merge with the value already stored there
FFF9094D    8917            MOV DWORD PTR DS:[EDI],EDX               ;write the merged second output dword back
FFF9094F    61              POPAD                                    ;restore the registers saved by PUSHAD
FFF90950    C3              RETN
 
And the asm code of func3_5:

CPU Disasm
Address   Hex dump          Command                                  Comments
;func3_5: adds another nibble to the dword at *[EBX+38] and starts a new packed dword at *[EBX+34].
;  *[EBX+38] |= ((d0+d1+d2) AND 0F) SHL 14, where d0..d2 are the three dwords at EDX (no constant is OR-ed in here).
;  *[EBX+34] = (top byte of *[EBX+24]) in bits 24-31 OR (top byte of *[EBX+28]) in bits 16-23 (plain MOV, overwrites).
;NOTE(review): what the pointers at [EBP+0EC] and [EBP+0F0] refer to is not shown in this listing - confirm against the caller.
FFF90951    60              PUSHAD                                   ;save all general-purpose registers
FFF90952    8B95 EC000000   MOV EDX,DWORD PTR SS:[EBP+0EC]           ;EDX = pointer read from frame slot EBP+0EC (source of the three dwords)
FFF90958    8B9D F0000000   MOV EBX,DWORD PTR SS:[EBP+0F0]           ;EBX = pointer read from frame slot EBP+0F0 (structure of pointers)
FFF9095E    8B02            MOV EAX,DWORD PTR DS:[EDX]               ;EAX = d0
FFF90960    0342 04         ADD EAX,DWORD PTR DS:[EDX+4]             ;EAX += d1
FFF90963    0342 08         ADD EAX,DWORD PTR DS:[EDX+8]             ;EAX += d2
FFF90966    83E0 0F         AND EAX,0000000F                         ;keep the low 4 bits of the sum
FFF90969    C1E0 14         SHL EAX,14                               ;move that nibble to bits 20-23
FFF9096C    8B7B 38         MOV EDI,DWORD PTR DS:[EBX+38]            ;EDI = destination pointer stored at EBX+38
FFF9096F    0B07            OR EAX,DWORD PTR DS:[EDI]                ;merge with the value already stored there
FFF90971    8907            MOV DWORD PTR DS:[EDI],EAX               ;write the merged first output dword back
FFF90973    8B7B 24         MOV EDI,DWORD PTR DS:[EBX+24]            ;EDI = pointer stored at EBX+24
FFF90976    8B73 28         MOV ESI,DWORD PTR DS:[EBX+28]            ;ESI = pointer stored at EBX+28
FFF90979    8B06            MOV EAX,DWORD PTR DS:[ESI]               ;EAX = dword at *[EBX+28]
FFF9097B    25 000000FF     AND EAX,FF000000                         ;isolate its top byte
FFF90980    C1E8 08         SHR EAX,8                                ;shift that byte down to bits 16-23
FFF90983    8B17            MOV EDX,DWORD PTR DS:[EDI]               ;EDX = dword at *[EBX+24]
FFF90985    81E2 000000FF   AND EDX,FF000000                         ;isolate its top byte (bits 24-31)
FFF9098B    09C2            OR EDX,EAX                               ;EDX = two top bytes packed into bits 16-31
FFF9098D    8B7B 34         MOV EDI,DWORD PTR DS:[EBX+34]            ;EDI = destination pointer stored at EBX+34 (func3_3 and func3_4 use EBX+30 here)
FFF90990    8917            MOV DWORD PTR DS:[EDI],EDX               ;overwrite the third output dword
FFF90992    61              POPAD                                    ;restore the registers saved by PUSHAD
FFF90993    C3              RETN
 
And for func3_6:

CPU Disasm
Address   Hex dump          Command                                  Comments
;func3_6: merges one more nibble into *[EBX+38] and fills the low half of the dword at *[EBX+34].
;  *[EBX+38] |= ((d0+d1+d2) AND 0F) SHL 10, where d0..d2 are the three dwords at EDX.
;  *[EBX+34] |= the two packed top bytes of *[EBX+24] and *[EBX+28], shifted down into bits 0-15.
;NOTE(review): the result depends on what is already stored at the destinations; presumably func3_5 has run first - confirm against the caller.
FFF90994    60              PUSHAD                                   ;save all general-purpose registers
FFF90995    8B95 EC000000   MOV EDX,DWORD PTR SS:[EBP+0EC]           ;EDX = pointer read from frame slot EBP+0EC (source of the three dwords)
FFF9099B    8B9D F0000000   MOV EBX,DWORD PTR SS:[EBP+0F0]           ;EBX = pointer read from frame slot EBP+0F0 (structure of pointers)
FFF909A1    8B02            MOV EAX,DWORD PTR DS:[EDX]               ;EAX = d0
FFF909A3    0342 04         ADD EAX,DWORD PTR DS:[EDX+4]             ;EAX += d1
FFF909A6    0342 08         ADD EAX,DWORD PTR DS:[EDX+8]             ;EAX += d2
FFF909A9    83E0 0F         AND EAX,0000000F                         ;keep the low 4 bits of the sum
FFF909AC    C1E0 10         SHL EAX,10                               ;move that nibble to bits 16-19
FFF909AF    8B7B 38         MOV EDI,DWORD PTR DS:[EBX+38]            ;EDI = destination pointer stored at EBX+38
FFF909B2    0B07            OR EAX,DWORD PTR DS:[EDI]                ;merge with the value already stored there
FFF909B4    8907            MOV DWORD PTR DS:[EDI],EAX               ;write the merged first output dword back
FFF909B6    8B7B 24         MOV EDI,DWORD PTR DS:[EBX+24]            ;EDI = pointer stored at EBX+24
FFF909B9    8B73 28         MOV ESI,DWORD PTR DS:[EBX+28]            ;ESI = pointer stored at EBX+28
FFF909BC    8B06            MOV EAX,DWORD PTR DS:[ESI]               ;EAX = dword at *[EBX+28]
FFF909BE    25 000000FF     AND EAX,FF000000                         ;isolate its top byte
FFF909C3    C1E8 08         SHR EAX,8                                ;shift that byte down to bits 16-23
FFF909C6    8B17            MOV EDX,DWORD PTR DS:[EDI]               ;EDX = dword at *[EBX+24]
FFF909C8    81E2 000000FF   AND EDX,FF000000                         ;isolate its top byte (bits 24-31)
FFF909CE    09C2            OR EDX,EAX                               ;EDX = two top bytes packed into bits 16-31
FFF909D0    C1EA 10         SHR EDX,10                               ;move the packed pair down to bits 0-15
FFF909D3    8B7B 34         MOV EDI,DWORD PTR DS:[EBX+34]            ;EDI = destination pointer stored at EBX+34
FFF909D6    0B17            OR EDX,DWORD PTR DS:[EDI]                ;merge with the value already stored there
FFF909D8    8917            MOV DWORD PTR DS:[EDI],EDX               ;write the merged third output dword back
FFF909DA    61              POPAD                                    ;restore the registers saved by PUSHAD
FFF909DB    C3              RETN
 
