ExecMode 1 - inital call ->E 8 - Next Chunk a - Last Chunk e - Decrypt code 01042536 9C PUSHFD 01042537 60 PUSHAD 01042538 51 PUSH ECX 01042539 68 10260401 PUSH 01042610 0104253E 6A 01 PUSH 1 ;ExecMode 01042540 E8 1CD2FCFF CALL {0100F761} 01042545 FFE0 JMP EAX 01042547 90 NOP Block1 $ ==> >AB 6F 75 78 57 90 24 38 ouxW$8 $+8 >7E C1 C7 E9 3C 54 CF 62 ~B6 51 D5 8B E0 AD 0B 64 QՋ d $+18 >4D BC 39 00 DE D1 E3 22 M9." $+20 >4C E1 F1 85 6D 43 9A 06 LmC $+28 >48 7B 45 E0 DC 69 B2 5F H{Ei_ $+30 >6A CA D1 C5 C7 95 A8 jǕ Block2 $+37 DF $+38 >59 B1 51 45 13 A8 4D F3 YQEM $+40 >F4 C4 C9 E1 9A 73 4D 1C sM $+48 >A9 40 0B 53 15 EC 80 47 @ SG $+50 >25 FD 76 30 CC B0 6F 20 %v0̰o $+58 >EB 91 45 50 FD 95 66 1A EPf $+60 >89 66 F3 88 B7 4A 6B 90 fJk $+68 >20 86 50 47 76 48 3B B0 PGvH; $+70 >8B 6E 53 15 90 04 99 C0 nS $+78 >DD 11 4C 0F A9 EB A2 17 L $+80 >95 73 04 DE D6 D3 32 3D s2= $+88 >B7 28 50 BB 75 0C F6 AD (Pu. $+90 >97 06 BE 58 7E 64 Block3 $+96 F8 DF X~d $+98 >15 5A 8A 00 0B 9E 7B BF Z. { $+A0 >59 2B B0 0A 0C D5 21 0A Y+..!. 
$+A8 >28 E8 98 06 7E EC 51 B7 (~Q $+B0 >1B 49 99 AB DD 8D 4D 22 IݍM" $+B8 >57 E7 F4 51 40 95 5B 60 WQ@[` Rest $+C0 >90 90 90 90 90 90 90 90 01042610 794B4073 Key1 01042614 589571C1 Key2 Block 1 01042618 01042610 Pointer to End of crypted data Blocks 0104261C 01042548 Pointer to Start of crypted data Blocks 01042620 BF8C 0037 FFFF 0037 Size of crypted data Block1 XORKEY: 4073 (=KEY1) 01042624 4043 407B 0030 0008 Relocationfixups for Block1 01042628 0000 BF8C FFFF 0104262C 00000000 Block 2 01042630 D2B986F2 XOR 794A4073(KEY1) => ABF2C681 01042634 E27F7ACE XOR 589571C1(KEY2) => BAEA0B0F 01042638 397E 005F FFFF 005F XORkey: C681 0104263C C6BA C689 003B 0008 Relocationfixups for Block2 01042640 397E C6D9 FFFF 0058 01042644 00000000 Block 3 01042648 C48CCDEB 6F7F0B6B XorKEY: =>6F7F0B6A 0104264C FC3DC834 46D7C33B =>BAEA0B0F 01042650 F494 002A FFFF 002A XORkey: 0B6B 01042654 0B7D 0B61 0016 000A Relocationfixups for Block3 01042658 F494 0B4F FFFF 0024 0104265C 00000000 01042660 6F06CFB0 01042664 BAC81383 01042668 FFFF FFFF :Next Crypted Function 0104266C B8 01000000 MOV EAX, 1 01042671 BB 02000000 MOV EBX, 2 01042676 C3 RETN 01042677 9C PUSHFD 01042678 60 PUSHAD 01042679 51 PUSH ECX 0104267A 68 10270401 PUSH 01042710 0104267F 6A 01 PUSH 1 01042681 E8 DBD0FCFF CALL 0100F761 01042686 FFE0 JMP EAX Block 1 $ ==> > 66:50 PUSH AX $+2 > 66:68 6543 PUSH 4365 $+6 > 51 PUSH ECX $+7 > E8 C8C87800 CALL winlogon.0100F6D7 +8 $+C > 8BFF MOV EDI, EDI $+E > 55 PUSH EBP $+F > 8BEC MOV EBP, ESP $+11 > 51 PUSH ECX $+12 > 51 PUSH ECX $+13 > 56 PUSH ESI $+14 > 8D45 F8 LEA EAX, [EBP-8] $+17 > 50 PUSH EAX $+18 > 8D45 FC LEA EAX, [EBP-4] $+1B > 50 PUSH EAX $+1C > C745 FC 8D12000>MOV [DWORD EBP-4], 128D $+23 > FF15 38170001 CALL [<&ntdll.NtLockProductActivationKeys] $+29 > 9C PUSHFD $+2A > 60 PUSHAD $+2B > 56 PUSH ESI $+2C > 57 PUSH EDI $+2D > 6A 08 PUSH 8 $+2F > E8 2AC97800 CALL winlogon.0100F761 +30 $+34 > FFE0 JMP EAX $+36 > 90 NOP Block 2 $ ==> > 66:53 PUSH BX $+2 > 51 PUSH ECX $+3 > 66:68 8912 
PUSH 1289 $+7 > E8 58F37800 CALL winlogon.0100F6D7 c+8 $+C > 0D 00000010 OR EAX, 10000000 $+11 > 8B75 08 MOV ESI, [EBP+8] $+14 > C706 00000000 MOV [DWORD ESI], 0 $+1A > 7C 35 JL SHORT 008803C4 $+1C > 817D FC 690E000>CMP [DWORD EBP-4], 0E69 $+23 > 73 07 JNB SHORT 0088039F $+25 > B8 0A050480 MOV EAX, 8004050A $+2A > EB 25 JMP SHORT 008803C4 $+2C > 6A 43 PUSH 43 $+2E > FF15 20160001 CALL [<&USER32.GetSystemMetrics>] $+34 > 68 689F0000 PUSH 9F68 $+39 > 50 PUSH EAX $+3A > E8 25F37800 CALL winlogon.0100F6D7 c+3B $+3F > 8B4D F8 MOV ECX, [EBP-8] $+42 > 3BC8 CMP ECX, EAX $+44 > 74 07 JE SHORT 008803C0 $+46 > B8 0B050480 MOV EAX, 8004050B $+4B > EB 04 JMP SHORT 008803C4 $+4D > 890E MOV [ESI], ECX $+4F > 33C0 XOR EAX, EAX $+51 > 9C PUSHFD $+52 > 60 PUSHAD $+53 > 56 PUSH ESI $+54 > 57 PUSH EDI $+55 > 6A 08 PUSH 8 $+57 > E8 92F37800 CALL winlogon.0100F761 c+58 $+5C > FFE0 JMP EAX $+5E > 90 NOP Block 3 $ ==> > 66:50 PUSH AX $+2 > 68 58CA0100 PUSH 1CA58 $+7 > 66:53 PUSH BX $+9 > E8 21CC7800 CALL winlogon.0100F6D7 c+a $+E > 5E POP ESI $+F > C9 LEAVE $+10 > 60 PUSHAD $+11 > 56 PUSH ESI $+12 > 57 PUSH EDI $+13 > 6A 0A PUSH 0A $+15 > E8 9FCC7800 CALL winlogon.0100F761 c+16 $+1A > C2 0400 RETN 4 $+1D > 9C PUSHFD $+1E > 60 PUSHAD $+1F > 56 PUSH ESI $+20 > 57 PUSH EDI $+21 > 6A 06 PUSH 6 $+23 > E8 91CC7800 CALL winlogon.0100F761 c+24 $+28 > C3 RETN $+29 > 90 NOP The Fixups ========== used winxp 2600.0 (retail) for exsample Args of decrypt call 0006F9BC 01042548 H% |Arg1 = 01042548 SRC 0006F9C0 0088321C 2. |Arg2 = 0088321C Dest 0006F9C4 00000037 7... 
|Arg3 = 00000037 len 0006F9C8 794B4073 s@Ky |Arg4 = 794B4073 key1 0006F9CC 589571C1 qX \Arg5 = 589571C1 key2 0088321C 66:50 PUSH AX 0088321E 66:68 6543 PUSH 4365 00883222 51 PUSH ECX 00883223 E8 F311FDFF CALL 0085441B FFFD11F3(-2EE0D) $+7 > E8 C8C87800 CALL 0100F6D7 0078C8C8 00883228 8BFF MOV EDI, EDI 0088322A 55 PUSH EBP 0088322B 8BEC MOV EBP, ESP 0088322D 51 PUSH ECX 0088322E 51 PUSH ECX 0088322F 56 PUSH ESI 00883230 8D45 F8 LEA EAX, [EBP-8] 00883233 50 PUSH EAX 00883234 8D45 FC LEA EAX, [EBP-4] 00883237 50 PUSH EAX 00883238 C745 FC 8D12000>MOV [DWORD EBP-4], 128D 0088323F FF15 38170001 CALL [<&ntdll.NtLockProductActivation>; ntdll.ZwLockProductActivationKeys 00883245 9C PUSHFD 00883246 60 PUSHAD 00883247 56 PUSH ESI 00883248 57 PUSH EDI 00883249 6A 08 PUSH 8 0088324B E8 254BFDFF CALL 00857D75 00883250 FFE0 JMP EAX 00883252 90 NOP Before 0088321C 66:50 PUSH AX 0088321E 66:68 6543 PUSH 4365 00883222 51 PUSH ECX 00883223 E8 F311FDFF CALL 0085441B ^^^^^^^^ <= FFFD11F3 (-2EE0D) Not Fixed! In general, CALL (-2EE0D) resolves to CALL 0085441B: 00883228 + (-2EE0D) = 0085441B This is Special * SRC = Offset the code was at Dest = Offset the code has moved to Key[0] = a 16-bit value from the key array (with 8 keys) [SRC] = 32-bit value at the SRC offset Fixup = SRC - Dest - Key[0] And FFF0 007BB2BC = 01042548 - 0088321C - 00004070 [SRC] = [SRC] + Fixup 0078C4AF = FFFD11F3 + 007BB2BC [00883224] After 0088321C 66:50 PUSH AX 0088321E 66:68 6543 PUSH 4365 00883222 51 PUSH ECX 00883223 E8 AFC47800 CALL ;0100F6D7 00883228 ^^^^^^^^ <= 0078C4AF Fixed! Next Before: 0088324B E8 254BFDFF CALL 00857D75 Fixup = SRC - Dest - Key[1] And FFF0 ;Range Key[0..3] 0088324C = 01042548 - 0088324C - 00007940 0078C511 = FFFD4B25 + 0088324C After : 0088324B E8 11C57800 CALL The NewKey Creation =================== After one chunk is done, a new key is generated: 0100CC1C >/$ 8B4C24 08 MOV ECX, [ESP+8] ; Offset to KeySRC (pointer into CryDataHead) 0100CC20 |. 
8B4424 04 MOV EAX, [ESP+4] ; Offset to KeyDest (pointer into CryDataObject in Mem) 0100CC24 |. 56 PUSH ESI ; preserve ESI 0100CC25 |. 8B11 MOV EDX, [ECX] ; Get Key1SRC value 0100CC27 |. 8B30 MOV ESI, [EAX] ; Get Key1Dest value 0100CC29 |. 33F2 XOR ESI, EDX ; Key1Dest = KeyDest Xor KeySRC 0100CC2B |. 8930 MOV [EAX], ESI ; Store 0100CC2D |. 8B49 04 MOV ECX, [ECX+4] ; Get Key2SRC value 0100CC30 |. 8B50 04 MOV EDX, [EAX+4] ; Get Key2Dest value 0100CC33 |. 5E POP ESI ;restore ESI 0100CC34 |. 33D1 XOR EDX, ECX ; Key2Dest = KeyDest Xor KeySRC 0100CC38! |. 8950 04 MOV [EAX+4], EDX ; Store 0100CC36! |. B1 01 MOV CL, 1 ; read every following CL below as the constant 01 KeyArray[0] =| 1 0100CC3B |. 8A10 MOV DL, [EAX] ; get Byte 0 0100CC3D |. 0AD1 OR DL, CL ; Set the lowest bit via OR 0100CC3F |. 8810 MOV [EAX], DL ; store Byte 0 KeyArray[2] =| 1 0100CC41 |. 8A50 02 MOV DL, [EAX+2] 0100CC44 |. 0AD1 OR DL, CL 0100CC46 |. 8850 02 MOV [EAX+2], DL KeyArray[4] =| 1 0100CC49 |. 8A50 04 MOV DL, [EAX+4] 0100CC4C |. 0AD1 OR DL, CL 0100CC4E |. 8850 04 MOV [EAX+4], DL KeyArray[5] =| 1 0100CC51 |. 8A50 05 MOV DL, [EAX+5] 0100CC54 |. 0AD1 OR DL, CL 0100CC56 |. 8850 05 MOV [EAX+5], DL 0100CC59 \. C3 RETN ^ ! <- Offsets swapped for better understanding Sequence of commands (search string for OllyDbg): MOV RA, [R32] MOV RB, [R32] XOR RB, RA MOV [R32], ESI Version 2600.2082 (early sp2 beta) 01011B7E /$ 55 PUSH EBP 01011B7F |. 8BEC MOV EBP, ESP 01011B81 |. 8B45 08 MOV EAX, [ARG.1] 01011B84 |. 8B4D 0C MOV ECX, [ARG.2] 01011B87 |. 8B11 MOV EDX, [ECX] 01011B89 |. 3110 XOR [EAX], EDX 01011B8B |. 8B49 04 MOV ECX, [ECX+4] 01011B8E |. 3148 04 XOR [EAX+4], ECX 01011B91 |. B1 01 MOV CL, 1 01011B93 |. 0808 OR [EAX], CL 01011B95 |. 0848 02 OR [EAX+2], CL 01011B98 |. 0848 04 OR [EAX+4], CL 01011B9B |. 0848 05 OR [EAX+5], CL 01011B9E |. 5D POP EBP 01011B9F \. 
C2 0800 RETN 8 The Version Problem =================== Remember that the fixups were done like this: Fixup = SRC - Dest - Key[0] And FFF0 But only since version 2600.2082 (early SP2) [tested up to version 2600.2180, SP2 RTM]. In 2600.0 and 2600.1106 it is only Fixup = SRC - Dest - Key[0] So how to detect the version: Head of 2600.1106 00CD4567 Key1 382241BF Key2 0103F959 CryDataEnd 0103F77C CryDataStart BA98 0086 StartStopMaker SizeOfChunk 45E7 456E FixUps BA98 StartStopMaker 454C9BF8 Key1 04158395 Key2 2160 0122 StartStopMaker SizeOfChunk DF98 DE92 FixUps 2160 DF83 StartStopMaker 16DCB3D0 Key1 13F168AC Key2 92B0 0033 StartStopMaker SizeOfChunk 6D50 6D41 FixUps 92B0 6D61 StartStopMaker 07E89838 Key1 0B95FEE4 Key2 FFFFFFFF StartStopMaker SizeOfChunk Cryptstub of 2600.1106 33 DB 33 FF DB FF FF DB FF FF DB FF FF DB FF 9C PUSHFD 60 PUSHAD 68 59F90301 PUSH 0103F959 68 01000000 PUSH 1 E8 E3E7FCFF CALL 0100DF5A 83C4 04 ADD ESP, 4 FFE0 JMP EAX 1C DB 1C Example: Decryption Block Stub (SP2): 9C PUSHFD <- P_GENERAL_ORG Searchstring 60 PUSHAD <- P_GENERAL_ORG Searchstring 51 PUSH ECX 6800C70401 PUSH 0104C700 ;end of decryption data; start of decryption data heads 6A01 PUSH 01 E82635FCFF CALL 0100F851 FFE0 JMP EAX <- additional_check Searchstring 90 /8F (SP1) NOP ;start of decryption data .... 
How to detect 9C PUSHFD 60 PUSHAD 51 PUSH ECX <- This seems to fit good 6800C70401 PUSH 0104C700 0 end 2180.end $-E 00> 9C PUSHFD $-E > 9C PUSHFD $-D 00> 60 PUSHAD $-D > 60 PUSHAD $-C 00> 68 08000000 PUSH 8 $-C > 56 PUSH ESI $-7 00> E8 106B7800 CALL winlogon.0100A366 $-B > 57 PUSH EDI $-2 00> FFE0 JMP EAX $-A > 6A 08 PUSH 8 $ ==> 00> 0000 ADD [EAX], AL $-8 > E8 9825FCFF CALL 0100E0A0 $-3 > FFE0 JMP EAX $-1 > 90 NOP $-28 > 90 NOP $-27 > 66:51 PUSH CX $-25 > 66:52 PUSH DX $-23 > 66:51 PUSH CX $-21 > 66:50 PUSH AX $-1F > E8 0F22FCFF CALL 0100E034 $-1A > C9 LEAVE $-19 > 60 PUSHAD $-18 > 56 PUSH ESI $-17 > 57 PUSH EDI $-16 > 6A 0A PUSH 0A $-14 > E8 7022FCFF CALL 0100E0A0 $-F > C2 2C00 RETN 2C $-C > 9C PUSHFD $-B > 60 PUSHAD $-A > 56 PUSH ESI $-9 > 57 PUSH EDI $-8 > 6A 06 PUSH 6 $-6 > E8 6222FCFF CALL 0100E0A0 $-1 > C3 RETN $ ==> > 90 NOP $-F 00> 90 NOP $-E 00> 66:68 5943 PUSH 4359 $-A 00> 51 PUSH ECX $-9 00> 66:68 7E0D PUSH 0D7E $-5 00> E8 9D637800 CALL winlogon.0100A30C $ ==> 00> 55 PUSH EBP crypted(winxp) 00892801 90 NOP 00892802 50 PUSH EAX 00892803 66:68 DD03 PUSH 3DD 00892807 66:68 737F PUSH 7F73 0089280B E8 32AE7700 CALL winlogon.0100D642 00892810 B8 B6920501 MOV EAX, 10592B6 00892815 E8 60117B00 CALL winlogon.0104397A 0089281A 9C PUSHFD 0089281B 60 PUSHAD 0089281C 68 08000000 PUSH 8 00892821 E8 76AE7700 CALL winlogon.0100D69C 00892826 FFE0 JMP EAX 00890637 90 NOP 00890638 66:68 FE63 PUSH 63FE 0089063C 68 740A0000 PUSH 0A74 00890641 66:68 8D2B PUSH 2B8D 00890645 E8 F8CF7700 CALL winlogon.0100D642 0089064A 81EC D4060000 SUB ESP, 6D4 00890650 53 PUSH EBX 00890651 56 PUSH ESI 00890652 57 PUSH EDI 00890653 8B7D 28 MOV EDI, [EBP+28] 00890656 33DB XOR EBX, EBX 00890658 3BFB CMP EDI, EBX 0089065A 0F84 570C0000 JE 008912B7 00890660 8B75 2C MOV ESI, [EBP+2C] 00890663 3BF3 CMP ESI, EBX 00890665 0F84 4C0C0000 JE 008912B7 0089066B 8B45 1C MOV EAX, [EBP+1C] 0089066E 68 FFFFFF7F PUSH 7FFFFFFF 00890673 891F MOV [EDI], EBX 00890675 53 PUSH EBX 00890676 891E MOV [ESI], EBX 
00890678 53 PUSH EBX 00890679 A3 9C140601 MOV [106149C], EAX 0089067E E8 6ABD7A00 CALL winlogon.0103C3ED 00890683 52 PUSH EDX 00890684 51 PUSH ECX 00890685 E8 B8CF7700 CALL winlogon.0100D642 0089068A 68 24020000 PUSH 224 0089068F E8 DA327B00 CALL crypted(SP2 RTM) 0104AA0C B8 EDA60601 MOV EAX, 0106A6ED 0104AA11 E8 329D0000 CALL 01054748 0104AA16 81EC 24070000 SUB ESP, 724 0104AA1C A1 E4230701 MOV EAX, [10723E4] 0104AA21 8945 F0 MOV [EBP-10], EAX 0104AA24 8B45 08 MOV EAX, [EBP+8] 0104AA27 8985 00F9FFFF MOV [EBP-700], EAX 0104AA2D 8B45 0C MOV EAX, [EBP+C] 0104AA30 8985 F8F8FFFF MOV [EBP-708], EAX 0104AA36 8B45 10 MOV EAX, [EBP+10] 0104AA39 8985 1CF9FFFF MOV [EBP-6E4], EAX 0104AA3F 8B45 14 MOV EAX, [EBP+14] 0104AA42 8985 14F9FFFF MOV [EBP-6EC], EAX 0104AA48 8B45 18 MOV EAX, [EBP+18] 0104AA4B 53 PUSH EBX 0104AA4C 8985 38F9FFFF MOV [EBP-6C8], EAX 0104AA52 8B45 30 MOV EAX, [EBP+30] 0104AA55 56 PUSH ESI 0104AA56 8B75 28 MOV ESI, [EBP+28] 0104AA59 57 PUSH EDI 0104AA5A 8B7D 2C MOV EDI, [EBP+2C] 0104AA5D 8985 18F9FFFF MOV [EBP-6E8], EAX 0104AA63 8B45 34 MOV EAX, [EBP+34] 0104AA66 33DB XOR EBX, EBX 0104AA68 3BF3 CMP ESI, EBX 0104AA6A 89BD 34F9FFFF MOV [EBP-6CC], EDI 0104AA70 8985 28F9FFFF MOV [EBP-6D8], EAX 0104AA76 0F84 960B0000 JE 0104B612 0104AA7C 3BFB CMP EDI, EBX 0104AA7E 0F84 8E0B0000 JE 0104B612 0104AA84 8B45 1C MOV EAX, [EBP+1C] 0104AA87 68 FFFFFF7F PUSH 7FFFFFFF 0104AA8C 891E MOV [ESI], EBX 0104AA8E 53 PUSH EBX 0104AA8F 891F MOV [EDI], EBX 0104AA91 53 PUSH EBX 0104AA92 A3 9C340701 MOV [107349C], EAX 0104AA97 E8 52D5FFFF CALL 01047FEE 0104AA9C 68 24020000 PUSH 224 0104AAA1 E8 969C0000 CALL rtm s1 66:52 PUSH DX 66:51 PUSH CX 68 E8A20000 PUSH 0A2E8 E8 C225FCFF CALL 0100E034 68 B0870000 PUSH 87B0 68 FC6A0100 PUSH 16AFC E8 1A25FCFF CALL 0100E034 s2 66:51 PUSH CX 68 4CC30000 PUSH 0C34C 66:50 PUSH AX E8 8F24FCFF CALL 0100E034 FF15 E8120001 CALL [<&KERNEL32.ResumeThread>] ; kernel32.ResumeThread 66:51 PUSH CX 53 PUSH EBX 66:50 PUSH AX E8 F624FCFF CALL 0100E034 50 PUSH EAX 
66:50 PUSH AX 66:51 PUSH CX E8 EC24FCFF CALL 0100E034 53 PUSH EBX 66:52 PUSH DX 66:52 PUSH DX E8 E224FCFF CALL 0100E034 53 PUSH EBX 68 948A0100 PUSH 18A94 E8 D724FCFF CALL 0100E034 68 38E90100 PUSH 1E938 68 FC890100 PUSH 189FC E8 C824FCFF CALL 0100E034 FF15 54140001 CALL [<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle 68 18840000 PUSH 8418 51 PUSH ECX E8 B124FCFF CALL 0100E034 891D A0340701 MOV [10734A0], EBX -0 OpcodeGroup: A 50 PUSH EAX 51 PUSH ECX 52 PUSH EDX 53 PUSH EBX 56 PUSH ESI 57 PUSH EDI -1 OpcodeGroup: B 6A 02 PUSH 2 66 50 PUSH AX 66 51 PUSH CX 66 52 PUSH DX 66 53 PUSH BX -4 OpcodeGroup: C 68 E8 A2 00 00 PUSH 0A2E8 5+5 =A 1+1 =2 2+2+2+2 =8 5+2+2 =9 5+1 =6 2+2+1 =5 010355DF FFE0 JMP EAX 010355E1 90 NOP 010355E2 66:53 PUSH BX 010355E4 51 PUSH ECX 010355E5 66:50 PUSH AX 010355E7 E8 488AFDFF CALL 0100E034 $+47E > /74 56 JE SHORT 01049CBE $+480 > |66:53 PUSH BX $+482 > |68 94680000 PUSH 6894 $+487 > |66:53 PUSH BX $+489 > |E8 BE43FCFF CALL 0100E034 0103561C 90 NOP