Generate the key file when the name is CodeEngn.
Post the key file in a private thread in the message board to have it verified.
(Difficulty : ★★★★☆)
Analysis...
The Exe file is encrypted and anti-debugging protected.
All subroutines are self-modified and called by DIV0 exception.
Therefore, I Manually dumped essential subroutines and converted them to C++ codes.
//
// ReverseL18_dumped.cpp - Dumped and converted to C++ code
// Made by 3735943886
// License : GPL
//
#include <iostream>
#include <fstream>
#include <string>
#include <windows.h>
using namespace std;
DWORD dw401000 = 0;
VOID SUB401D6E(LPCVOID lpBuffer1, LPCVOID lpBuffer2, SIZE_T BlockNum,
LPVOID lpBuffer3, LPVOID lpBuffer4)
{
// 00401D6E 55 PUSH EBP
// 00401D6F 89E5 MOV EBP,ESP
UINT32 i;
DWORD Var1, Var2;
// 00401D71 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
// 00401D74 8B7D 14 MOV EDI,DWORD PTR SS:[EBP+14]
// 00401D77 A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
// 00401D78 A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
((ULONG64*)lpBuffer3)[0] = ((ULONG64*)lpBuffer1)[0];
// 00401D79 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
// 00401D7C 8B75 0C MOV ESI,DWORD PTR SS:[EBP+0C]
// 00401D7F 8B7D 14 MOV EDI,DWORD PTR SS:[EBP+14]
for(i = 0; i < BlockNum; i++)
{
// 00401D82 31D2 XOR EDX,EDX
// 00401D84 AD LODS DWORD PTR DS:[ESI]
// 00401D85 89C3 MOV EBX,EAX
// 00401D87 C1E8 05 SHR EAX,5
// 00401D8A 83E3 1F AND EBX,0000001F
// 00401D8D 0FA31C87 BT DWORD PTR DS:[EAX*4+EDI],EBX
// 00401D91 D1D2 RCL EDX,1
Var1 = ((LPDWORD)lpBuffer2)[i * 3];
Var2 = (((LPDWORD)lpBuffer3)[Var1 >> 5] & (1 << (Var1 & 0x1F)) && 1);
// 00401D93 AD LODS DWORD PTR DS:[ESI]
// 00401D94 89C3 MOV EBX,EAX
// 00401D96 C1E8 05 SHR EAX,5
// 00401D99 83E3 1F AND EBX,0000001F
// 00401D9C 0FA31C87 BT DWORD PTR DS:[EAX*4+EDI],EBX
// 00401DA0 D1D2 RCL EDX,1
Var1 = ((LPDWORD)lpBuffer2)[i * 3 + 1];
Var2 <<= 1;
Var2 |= (((LPDWORD)lpBuffer3)[Var1 >> 5] & (1 << (Var1 & 0x1F)) && 1);
// 00401DA2 AD LODS DWORD PTR DS:[ESI]
// 00401DA3 89C3 MOV EBX,EAX
// 00401DA5 C1E8 05 SHR EAX,5
// 00401DA8 83E3 1F AND EBX,0000001F
Var1 = ((LPDWORD)lpBuffer2)[i * 3 + 2];
// 00401DAB 83FA 03 CMP EDX,3
// 00401DAE 74 06 JE SHORT 00401DB6
// 00401DB0 0FAB1C87 BTS DWORD PTR DS:[EAX*4+EDI],EBX
// 00401DB4 EB 04 JMP SHORT 00401DBA
((LPDWORD)lpBuffer3)[Var1 >> 5] |= (1 << (Var1 & 0x1F));
if(Var2 == 3)
// 00401DB6 0FB31C87 BTR DWORD PTR DS:[EAX*4+EDI],EBX
((LPDWORD)lpBuffer3)[Var1 >> 5] ^= (1 << (Var1 & 0x1F));
// 00401DBA 49 DEC ECX
// 00401DBB ^ 75 C5 JNE SHORT 00401D82
}
// 00401DBD 8B75 14 MOV ESI,DWORD PTR SS:[EBP+14]
// 00401DC0 83C6 08 ADD ESI,8
// 00401DC3 8B7D 18 MOV EDI,DWORD PTR SS:[EBP+18]
// 00401DC6 A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
// 00401DC7 A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
((ULONG64*)lpBuffer4)[0] = ((ULONG64*)lpBuffer3)[1];
// 00401DC8 C9 LEAVE
// 00401DC9 C2 1400 RETN 14
return;
}
VOID SUB40326E(LPCVOID lpBuffer1, LPCVOID lpBuffer2, LPVOID lpBuffer3)
{
// 0040326E 55 PUSH EBP
// 0040326F 89E5 MOV EBP,ESP
// 00403271 31C9 XOR ECX,ECX
UINT32 i;
DWORD Var3, Var4, Var5;
for(i = 0; i < 8; i++)
{
// 00403273 8B55 0C MOV EDX,DWORD PTR SS:[EBP+0C]
// 00403276 8D340A LEA ESI,[ECX+EDX]
// 00403279 8D7C0A 08 LEA EDI,[ECX+EDX+8]
// 0040327D 0FB636 MOVZX ESI,BYTE PTR DS:[ESI]
// 00403280 0FB63F MOVZX EDI,BYTE PTR DS:[EDI]
// 00403283 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
// 00403286 8A0433 MOV AL,BYTE PTR DS:[ESI+EBX]
// 00403289 8A1C3B MOV BL,BYTE PTR DS:[EDI+EBX]
Var3 = ((LPBYTE)lpBuffer1)[((LPBYTE)lpBuffer2)[i]];
Var4 = ((LPBYTE)lpBuffer1)[((LPBYTE)lpBuffer2)[i + 8]];
// 0040328C 8D740A 18 LEA ESI,[ECX+EDX+18]
// 00403290 0FB636 MOVZX ESI,BYTE PTR DS:[ESI]
// 00403293 FF24B5 CF324000 JMP DWORD PTR DS:[ESI*4+4032CF]
Var5 = ((LPBYTE)lpBuffer2)[i + 0x18];
switch(Var5)
{
case 0:
// 0040329A 00D8 ADD AL,BL
// 0040329C EB 1A JMP SHORT 004032B8
Var3 += Var4;
break;
case 1:
// 0040329E 28D8 SUB AL,BL
// 004032A0 EB 16 JMP SHORT 004032B8
Var3 -= Var4;
break;
case 2:
// 004032A2 F6E3 MUL BL
// 004032A4 EB 12 JMP SHORT 004032B8
Var3 *= Var4;
break;
case 3:
// 004032A6 38D8 CMP AL,BL
// 004032A8 76 0E JBE SHORT 004032B8
// 004032AA 88D8 MOV AL,BL
// 004032AC EB 0A JMP SHORT 004032B8
if(Var3 > Var4)
Var3 = Var4;
break;
case 4:
// 004032AE 38D8 CMP AL,BL
// 004032B0 73 06 JNB SHORT 004032B8
// 004032B2 88D8 MOV AL,BL
// 004032B4 EB 02 JMP SHORT 004032B8
if(Var3 <= Var4)
Var3 = Var4;
break;
case 5:
// 004032B6 30D8 XOR AL,BL
Var3 ^= Var4;
break;
default:
break;
}
// 004032B8 8D7C0A 10 LEA EDI,[ECX+EDX+10]
// 004032BC 8B5D 10 MOV EBX,DWORD PTR SS:[EBP+10]
// 004032BF 0FB63F MOVZX EDI,BYTE PTR DS:[EDI]
// 004032C2 01DF ADD EDI,EBX
// 004032C4 AA STOS BYTE PTR ES:[EDI]
((LPBYTE)lpBuffer3)[((LPBYTE)lpBuffer2)[i + 0x10]] = Var3;
// 004032C5 41 INC ECX
// 004032C6 83F9 08 CMP ECX,8
// 004032C9 ^ 72 AB JB SHORT 00403276
}
// 004032CB C9 LEAVE
// 004032CC C2 0C00 RETN 0C
return;
}
VOID SUB402AED(LPVOID lpModifiedName, LPVOID lpOutBuffer)
{
// 00402AED 55 PUSH EBP
// 00402AEE 89E5 MOV EBP,ESP
// 00402AF0 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
// 00402AF3 83C6 1F ADD ESI,1F
// 00402AF6 B9 20000000 MOV ECX,20
// 00402AFB BA AC000000 MOV EDX,0AC
// 00402B00 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+0C]
// 00402B03 83C7 07 ADD EDI,7
UINT32 i;
UINT32 j, k;
WORD Var1 = 0xAC;
j = 0x1F; k = 0x7;
for(i = 0x20; i > 0; i--)
{
// 00402B06 0FB606 MOVZX EAX,BYTE PTR DS:[ESI]
// 00402B09 01C2 ADD EDX,EAX
Var1 += ((LPBYTE)lpModifiedName)[j];
// 00402B0B 86D6 XCHG DH,DL
Var1 = (Var1 << 8) + (Var1 >> 8);
// 00402B0D 83F9 08 CMP ECX,8
if(i <= 8)
{
// 00402B10 77 03 JA SHORT 00402B15
// 00402B12 8817 MOV BYTE PTR DS:[EDI],DL
((LPBYTE)lpOutBuffer)[k] = Var1 & 0xFF;
// 00402B14 4F DEC EDI
k--;
}
// 00402B15 8816 MOV BYTE PTR DS:[ESI],DL
((LPBYTE)lpModifiedName)[j] = Var1 & 0xFF;
// 00402B17 4E DEC ESI
j--;
// 00402B18 49 DEC ECX
// 00402B19 ^ 75 EB JNE SHORT 00402B06
}
// 00402B1B C9 LEAVE
// 00402B1C C2 0800 RETN 8
return;
}
DWORD SUB402A11()
{
// Direct Conversion ASM to C++ (402A11)
// 00402A11 8B0D 00104000 MOV ECX,DWORD PTR DS:[401000]
// 00402A17 69C9 FD430300 IMUL ECX,ECX,343FD
// 00402A1D 81C1 C39E2600 ADD ECX,269EC3
// 00402A23 890D 00104000 MOV DWORD PTR DS:[401000],ECX
// 00402A29 89C8 MOV EAX,ECX
// 00402A2B C1E8 10 SHR EAX,10
// 00402A2E 25 FF7F0000 AND EAX,00007FFF
// 00402A33 C3 RETN
dw401000 *= 0x343FD;
dw401000 += 0x269EC3;
return (dw401000 >> 0x10) & 0x7FFF;
}
VOID SUB402A34(LPVOID lpBuffer)
{
// Direct Conversion ASM to C++ (402A34)
// 00402A34 55 PUSH EBP
// 00402A35 89E5 MOV EBP,ESP
// 00402A37 83EC 04 SUB ESP,4
// 00402A3A E8 D2FFFFFF CALL 00402A11
// 00402A3F 83E0 07 AND EAX,00000007
// 00402A42 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
DWORD Var1, Var2;
BYTE cBuf;
Var1 = SUB402A11() & 7;
// 00402A45 E8 C7FFFFFF CALL 00402A11
// 00402A4A 83E0 07 AND EAX,00000007
// 00402A4D 89C3 MOV EBX,EAX
Var2 = SUB402A11() & 7;
// 00402A4F 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
// 00402A52 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
// 00402A55 39D3 CMP EBX,EDX
// 00402A57 74 09 JE SHORT 00402A62
if(Var1 != Var2)
{
// 00402A59 86041E XCHG BYTE PTR DS:[EBX+ESI],AL
// 00402A5C 860416 XCHG BYTE PTR DS:[EDX+ESI],AL
// 00402A5F 86041E XCHG BYTE PTR DS:[EBX+ESI],AL
cBuf = ((LPBYTE)lpBuffer)[Var2];
((LPBYTE)lpBuffer)[Var2] = ((LPBYTE)lpBuffer)[Var1];
((LPBYTE)lpBuffer)[Var1] = cBuf;
}
// 00402A62 C9 LEAVE
// 00402A63 C2 0400 RETN 4
return;
}
VOID SUB4030E2(LPVOID lpBuffer)
{
// Direct Conversion ASM to C++ (4030E2)
// 004030E2 55 PUSH EBP
// 004030E3 89E5 MOV EBP,ESP
// 004030E5 83EC 0C SUB ESP,0C
// 004030E8 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
// 004030EB 8D06 LEA EAX,[ESI]
// 004030ED 8945 F4 MOV DWORD PTR SS:[EBP-0C],EAX
// 004030F0 8D5E 08 LEA EBX,[ESI+8]
// 004030F3 895D F8 MOV DWORD PTR SS:[EBP-8],EBX
// 004030F6 8D56 10 LEA EDX,[ESI+10]
// 004030F9 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
// 004030FC B9 08000000 MOV ECX,8
UINT32 i;
for(i = 0; i < 8; i++)
{
// 00403101 49 DEC ECX
// 00403102 8808 MOV BYTE PTR DS:[EAX],CL
// 00403104 880B MOV BYTE PTR DS:[EBX],CL
// 00403106 880A MOV BYTE PTR DS:[EDX],CL
// 00403108 40 INC EAX
// 00403109 43 INC EBX
// 0040310A 42 INC EDX
// 0040310B 85C9 TEST ECX,ECX
// 0040310D ^ 75 F2 JNE SHORT 00403101
((LPBYTE)lpBuffer)[i] = 7 - i;
((LPBYTE)lpBuffer)[i + 8] = 7 - i;
((LPBYTE)lpBuffer)[i + 16] = 7 - i;
}
for(i = 0; i < 0x64; i++)
{
// 0040310F B9 64000000 MOV ECX,64
// 00403114 51 PUSH ECX
// 00403115 FF75 F4 PUSH DWORD PTR SS:[EBP-0C]
// 00403118 E8 17F9FFFF CALL 00402A34
SUB402A34(lpBuffer);
// 0040311D FF75 F8 PUSH DWORD PTR SS:[EBP-8]
// 00403120 E8 0FF9FFFF CALL 00402A34
SUB402A34((LPBYTE)lpBuffer + 8);
// 00403125 FF75 FC PUSH DWORD PTR SS:[EBP-4]
// 00403128 E8 07F9FFFF CALL 00402A34
SUB402A34((LPBYTE)lpBuffer + 16);
// 0040312D 59 POP ECX
// 0040312E 49 DEC ECX
// 0040312F ^ 75 E3 JNE SHORT 00403114
}
for(i = 0; i < 8; i++)
{
// 00403131 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
// 00403134 8D7F 18 LEA EDI,[EDI+18]
// 00403137 B9 08000000 MOV ECX,8
// 0040313C 51 PUSH ECX
// 0040313D 57 PUSH EDI
// 0040313E E8 CEF8FFFF CALL 00402A11
// 00403143 B9 06000000 MOV ECX,6
// 00403148 31D2 XOR EDX,EDX
// 0040314A F7F1 DIV ECX
// 0040314C 5F POP EDI
// 0040314D 59 POP ECX
// 0040314E 8817 MOV BYTE PTR DS:[EDI],DL
((LPBYTE)lpBuffer)[i + 24] = SUB402A11() % 6;
// 00403150 47 INC EDI
// 00403151 49 DEC ECX
// 00403152 ^ 75 E8 JNE SHORT 0040313C
}
// 00403154 C9 LEAVE
// 00403155 C2 0400 RETN 4
return;
}
VOID NameCheck(LPCSTR UserName, LPVOID lpOutBuffer)
{
// Direct Conversion ASM to C++ (402FAF)
// 00402FAF 55 PUSH EBP
// 00402FB0 89E5 MOV EBP,ESP
// 00402FB2 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
// 00402FB5 B9 08000000 MOV ECX,8
// 00402FBA 31D2 XOR EDX,EDX
// 00402FBC AD LODS DWORD PTR DS:[ESI]
// 00402FBD 01C2 ADD EDX,EAX
// 00402FBF 49 DEC ECX
// 00402FC0 ^ 75 FA JNE SHORT 00402FBC
// 00402FC2 8915 00104000 MOV DWORD PTR DS:[401000],EDX
// 00402FC8 C9 LEAVE
// 00402FC9 C2 0400 RETN 4
LPSTR NameBuffer = (LPSTR)lpOutBuffer;
INT32 i, j;
SIZE_T NameLen = strlen(UserName);
ZeroMemory(lpOutBuffer, 33);
strcpy(NameBuffer, UserName);
j = 0;
for(i = NameLen; i < 32; i++)
{
j--;
if(j == -1)
j = NameLen - 1;
NameBuffer[i] = UserName[j];
}
for(i = 0; i < 8; i++)
{
dw401000 += ((LPDWORD)NameBuffer)[i];
}
}
BOOL CheckFile1(LPVOID lpFileBuffer, LPVOID lpEmptyBuffer, SIZE_T FileSize)
{
// Direct Conversion ASM to C++ (402D6B)
// 00402D6B 55 PUSH EBP
// 00402D6C 89E5 MOV EBP,ESP
// 00402D6E 83EC 04 SUB ESP,4
SIZE_T BlockNum = FileSize / 0x0C;
UINT32 i, j, k, l;
UINT32 Var1, Var2, Var3, Var4;
BOOL Flag = TRUE;
// 00402D71 FF75 10 PUSH DWORD PTR SS:[EBP+10]
// 00402D74 FF75 0C PUSH DWORD PTR SS:[EBP+0C]
// 00402D77 E8 32FEFFFF CALL 00402BAE
ZeroMemory(lpEmptyBuffer, FileSize);
// 00402D7C 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
// 00402D7F 8B4D 14 MOV ECX,DWORD PTR SS:[EBP+14]
// 00402D82 8D51 40 LEA EDX,[ECX+40]
Var1 = 0x40 + BlockNum;
// 00402D85 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+0C]
for(i = 0; i < BlockNum; i++)
{
// 00402D88 AD LODS DWORD PTR DS:[ESI]
// 00402D89 39D0 CMP EAX,EDX
// 00402D8B 0F83 02010000 JNB 00402E93
// 00402D91 AD LODS DWORD PTR DS:[ESI]
// 00402D92 39D0 CMP EAX,EDX
// 00402D94 0F83 F9000000 JNB 00402E93
// 00402D9A AD LODS DWORD PTR DS:[ESI]
// 00402D9B 39D0 CMP EAX,EDX
// 00402D9D 0F83 F0000000 JNB 00402E93
if(((LPDWORD)lpFileBuffer)[i * 3] >= Var1)
return FALSE;
if(((LPDWORD)lpFileBuffer)[i * 3 + 1] >= Var1)
return FALSE;
if((Var2 = ((LPDWORD)lpFileBuffer)[i * 3 + 2]) >= Var1)
return FALSE;
// 00402DA3 89C3 MOV EBX,EAX
// 00402DA5 C1E8 05 SHR EAX,5
// 00402DA8 83E3 1F AND EBX,0000001F
// 00402DAB 0FAB1C87 BTS DWORD PTR DS:[EAX*4+EDI],EBX
// 00402DAF 0F82 DE000000 JB 00402E93
if(((LPDWORD)lpEmptyBuffer)[Var2 >> 5] & (1 << (Var2 & 0x1F)))
return FALSE;
((LPDWORD)lpEmptyBuffer)[Var2 >> 5] |= (1 << (Var2 & 0x1F));
// 00402DB5 49 DEC ECX
// 00402DB6 ^ 75 D0 JNE SHORT 00402D88
}
// 00402DB8 833F 00 CMP DWORD PTR DS:[EDI],0
// 00402DBB 0F85 D2000000 JNE 00402E93
if(((LPDWORD)lpEmptyBuffer)[0])
return FALSE;
// 00402DC1 837F 04 00 CMP DWORD PTR DS:[EDI+4],0
// 00402DC5 0F85 C8000000 JNE 00402E93
if(((LPDWORD)lpEmptyBuffer)[1])
return FALSE;
// 00402DCB 83C7 08 ADD EDI,8
// 00402DCE 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
// 00402DD1 89D1 MOV ECX,EDX
// 00402DD3 C1E9 05 SHR ECX,5
// 00402DD6 B8 FFFFFFFF MOV EAX,-1
// 00402DDB F3:AF REPE SCAS DWORD PTR ES:[EDI]
// 00402DDD 09C9 OR ECX,ECX
// 00402DDF 0F85 AE000000 JNE 00402E93
for(i = 0; i < (BlockNum >> 5); i++)
{
if(((LPDWORD)lpEmptyBuffer)[i + 2] != 0xFFFFFFFF)
return FALSE;
}
// 00402DE5 89D1 MOV ECX,EDX
// 00402DE7 83E1 1F AND ECX,0000001F
// 00402DEA 83C1 00 ADD ECX,0
// 00402DED 74 13 JE SHORT 00402E02
if((Var3 = BlockNum & 0x1F))
{
// 00402DEF 49 DEC ECX
// 00402DF0 B8 00000080 MOV EAX,80000000
// 00402DF5 D3F8 SAR EAX,CL
// 00402DF7 41 INC ECX
// 00402DF8 D3C0 ROL EAX,CL
// 00402DFA 3907 CMP DWORD PTR DS:[EDI],EAX
// 00402DFC 0F85 91000000 JNE 00402E93
Var4 = 0xFFFFFFFF >> (32 - Var3);
if(Var4 != ((LPDWORD)lpEmptyBuffer)[(BlockNum >> 5) + 2])
return FALSE;
}
// 00402E02 FF75 10 PUSH DWORD PTR SS:[EBP+10]
// 00402E05 FF75 0C PUSH DWORD PTR SS:[EBP+0C]
// 00402E08 E8 A1FDFFFF CALL 00402BAE
ZeroMemory(lpEmptyBuffer, FileSize);
// 00402E0D 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+0C]
// 00402E10 C707 FFFFFFFF MOV DWORD PTR DS:[EDI],-1
// 00402E16 C747 04 FFFFFFF MOV DWORD PTR DS:[EDI+4],-1
((ULONG64*)lpEmptyBuffer)[0] = -1;
// 00402E1D 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
// 00402E20 31C9 XOR ECX,ECX
i = 0;
l = 0;
for(k = 0; k < BlockNum; k++)
{
if(Flag)
{
// 00402E22 894D FC MOV DWORD PTR SS:[EBP-4],ECX
// 00402E25 89F3 MOV EBX,ESI
j = i;
l = k;
}
// 00402E27 8B03 MOV EAX,DWORD PTR DS:[EBX]
// 00402E29 89C2 MOV EDX,EAX
// 00402E2B C1E8 05 SHR EAX,5
// 00402E2E 83E2 1F AND EDX,0000001F
// 00402E31 0FA31487 BT DWORD PTR DS:[EAX*4+EDI],EDX
// 00402E35 73 3E JNB SHORT 00402E75
Var2 = ((LPDWORD)lpFileBuffer)[j * 3];
Var1 = Var2 >> 5;
Var3 = Var2 & 0x1F;
Flag = FALSE;
if(((LPDWORD)lpEmptyBuffer)[Var1] & (1 << Var3))
{
// 00402E37 8B43 04 MOV EAX,DWORD PTR DS:[EBX+4]
// 00402E3A 89C2 MOV EDX,EAX
// 00402E3C C1E8 05 SHR EAX,5
// 00402E3F 83E2 1F AND EDX,0000001F
// 00402E42 0FA31487 BT DWORD PTR DS:[EAX*4+EDI],EDX
// 00402E46 73 2D JNB SHORT 00402E75
Var2 = ((LPDWORD)lpFileBuffer)[j * 3 + 1];
Var1 = Var2 >> 5;
Var3 = Var2 & 0x1F;
if(((LPDWORD)lpEmptyBuffer)[Var1] & (1 << Var3))
{
Flag = TRUE;
// 00402E48 8B43 08 MOV EAX,DWORD PTR DS:[EBX+8]
// 00402E4B 89C2 MOV EDX,EAX
// 00402E4D C1E8 05 SHR EAX,5
// 00402E50 83E2 1F AND EDX,0000001F
// 00402E53 0FAB1487 BTS DWORD PTR DS:[EAX*4+EDI],EDX
Var2 = ((LPDWORD)lpFileBuffer)[j * 3 + 2];
Var1 = Var2 >> 5;
Var3 = Var2 & 0x1F;
((LPDWORD)lpEmptyBuffer)[Var1] |= (1 << Var3);
}
// 00402E57 39F3 CMP EBX,ESI
// 00402E59 74 25 JE SHORT 00402E80
if(i != j)
{
// 00402E5B 8703 XCHG DWORD PTR DS:[EBX],EAX
// 00402E5D 8706 XCHG DWORD PTR DS:[ESI],EAX
// 00402E5F 8703 XCHG DWORD PTR DS:[EBX],EAX
// 00402E61 8743 04 XCHG DWORD PTR DS:[EBX+4],EAX
// 00402E64 8746 04 XCHG DWORD PTR DS:[ESI+4],EAX
// 00402E67 8743 04 XCHG DWORD PTR DS:[EBX+4],EAX
// 00402E6A 8743 08 XCHG DWORD PTR DS:[EBX+8],EAX
// 00402E6D 8746 08 XCHG DWORD PTR DS:[ESI+8],EAX
// 00402E70 8743 08 XCHG DWORD PTR DS:[EBX+8],EAX
Var4 = ((LPDWORD)lpFileBuffer)[j * 3];
((LPDWORD)lpFileBuffer)[j * 3] = ((LPDWORD)lpFileBuffer)[i * 3];
((LPDWORD)lpFileBuffer)[i * 3] = Var4;
Var4 = ((LPDWORD)lpFileBuffer)[j * 3 + 1];
((LPDWORD)lpFileBuffer)[j * 3 + 1] = ((LPDWORD)lpFileBuffer)[i * 3 + 1];
((LPDWORD)lpFileBuffer)[i * 3 + 1] = Var4;
Var4 = ((LPDWORD)lpFileBuffer)[j * 3 + 2];
((LPDWORD)lpFileBuffer)[j * 3 + 2] = ((LPDWORD)lpFileBuffer)[i * 3 + 2];
((LPDWORD)lpFileBuffer)[i * 3 + 2] = Var4;
// 00402E73 EB 0B JMP SHORT 00402E80
}
}
if(!Flag)
{
// 00402E75 83C3 0C ADD EBX,0C
// 00402E78 41 INC ECX
// 00402E79 3B4D 14 CMP ECX,DWORD PTR SS:[EBP+14]
// 00402E7C 73 15 JNB SHORT 00402E93
j++;
if(k == BlockNum - 1)
return FALSE;
// 00402E7E ^ EB A7 JMP SHORT 00402E27
}
else
{
// 00402E80 83C6 0C ADD ESI,0C
i++;
k = l;
}
// 00402E83 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
// 00402E86 41 INC ECX
// 00402E87 3B4D 14 CMP ECX,DWORD PTR SS:[EBP+14]
// 00402E8A ^ 72 96 JB SHORT 00402E22
}
// 00402E8C B8 01000000 MOV EAX,1
// 00402E91 EB 02 JMP SHORT 00402E95
// 00402E93 31C0 XOR EAX,EAX
// 00402E95 C9 LEAVE
// 00402E96 C2 1000 RETN 10
return TRUE;
}
BOOL CheckFile(LPVOID lpFileBuffer, SIZE_T FileSize, LPCSTR UserName)
{
LPBYTE EmptyBuffer;
BYTE StackBuffer[0xB0] = {0};
UINT32 i;
dw401000 = 0;
EmptyBuffer = new byte [FileSize];
// 004027B3 8985 54FFFFFF MOV DWORD PTR SS:[EBP-0AC],EAX
// 004027B9 FFB5 48FFFFFF PUSH DW0ORD PTR SS:[EBP-0B8]
// 004027BF FFB5 58FFFFFF PUSH DWORD PTR SS:[EBP-0A8]
// 004027C5 50 PUSH EAX
// 004027C6 FFB5 44FFFFFF PUSH DWORD PTR SS:[EBP-0BC]
// 004027CC E8 10050000 CALL 00402CE1
if(!CheckFile1(lpFileBuffer, EmptyBuffer, FileSize))
{
delete [] EmptyBuffer;
return FALSE;
}
// 004027FC 8D45 DC LEA EAX,[EBP-24]
// 004027FF 50 PUSH EAX
// 00402800 E8 23070000 CALL 00402F28
NameCheck(UserName, StackBuffer - 0x24 + sizeof(StackBuffer));
// 00402805 8D85 64FFFFFF LEA EAX,[EBP-9C]
// 0040280B 50 PUSH EAX
// 0040280C E8 4A080000 CALL 0040305B
// 00402811 8D45 84 LEA EAX,[EBP-7C]
// 00402814 50 PUSH EAX
// 00402815 E8 41080000 CALL 0040305B
// 0040281A 8D45 A4 LEA EAX,[EBP-5C]
// 0040281D 50 PUSH EAX
// 0040281E E8 38080000 CALL 0040305B
SUB4030E2(StackBuffer - 0x9C + sizeof(StackBuffer));
SUB4030E2(StackBuffer - 0x7C + sizeof(StackBuffer));
SUB4030E2(StackBuffer - 0x5C + sizeof(StackBuffer));
// 00402823 B9 0A000000 MOV ECX,0A
// 00402828 51 PUSH ECX
for(i = 0; i < 0x0A; i++)
{
// 00402829 8D5D DC LEA EBX,[EBP-24]
// 0040282C 8D85 5CFFFFFF LEA EAX,[EBP-0A4]
// 00402832 50 PUSH EAX
// 00402833 53 PUSH EBX
// 00402834 E8 2D020000 CALL 00402A66
SUB402AED(StackBuffer - 0x24 + sizeof(StackBuffer), StackBuffer - 0xA4
+ sizeof(StackBuffer));
// 00402839 8DB5 5CFFFFFF LEA ESI,[EBP-0A4]
// 0040283F 8D85 64FFFFFF LEA EAX,[EBP-9C]
// 00402845 8D7D C4 LEA EDI,[EBP-3C]
// 00402848 57 PUSH EDI
// 00402849 50 PUSH EAX
// 0040284A 56 PUSH ESI
// 0040284B E8 97090000 CALL 004031E7
SUB40326E(StackBuffer - 0xA4 + sizeof(StackBuffer), StackBuffer - 0x9C
+ sizeof(StackBuffer), StackBuffer - 0x3C + sizeof(StackBuffer));
// 00402850 8D75 C4 LEA ESI,[EBP-3C]
// 00402853 8D45 84 LEA EAX,[EBP-7C]
// 00402856 8D7D CC LEA EDI,[EBP-34]
// 00402859 57 PUSH EDI
// 0040285A 50 PUSH EAX
// 0040285B 56 PUSH ESI
// 0040285C E8 86090000 CALL 004031E7
SUB40326E(StackBuffer - 0x3C + sizeof(StackBuffer), StackBuffer - 0x7C
+ sizeof(StackBuffer), StackBuffer - 0x34 + sizeof(StackBuffer));
// 00402861 8D75 CC LEA ESI,[EBP-34]
// 00402864 8D45 A4 LEA EAX,[EBP-5C]
// 00402867 8D7D C4 LEA EDI,[EBP-3C]
// 0040286A 57 PUSH EDI
// 0040286B 50 PUSH EAX
// 0040286C 56 PUSH ESI
// 0040286D E8 75090000 CALL 004031E7
SUB40326E(StackBuffer - 0x34 + sizeof(StackBuffer), StackBuffer - 0x5C
+ sizeof(StackBuffer), StackBuffer - 0x3C + sizeof(StackBuffer));
// 00402872 8D85 5CFFFFFF LEA EAX,[EBP-0A4]
// 00402878 8D55 D4 LEA EDX,[EBP-2C]
// 0040287B 52 PUSH EDX
// 0040287C FFB5 54FFFFFF PUSH DWORD PTR SS:[EBP-0AC]
// 00402882 FFB5 48FFFFFF PUSH DWORD PTR SS:[EBP-0B8]
// 00402888 FFB5 44FFFFFF PUSH DWORD PTR SS:[EBP-0BC]
// 0040288E 50 PUSH EAX
// 0040288F E8 53F4FFFF CALL 00401CE7
SUB401D6E(StackBuffer - 0xA4 + sizeof(StackBuffer), lpFileBuffer, FileSize / 0x0C,
EmptyBuffer, StackBuffer - 0x2C + sizeof(StackBuffer));
// 00402894 8D75 C4 LEA ESI,[EBP-3C]
// 00402897 8D7D D4 LEA EDI,[EBP-2C]
// 0040289A B9 08000000 MOV ECX,8
// 0040289F F3:A6 REPE CMPS BYTE PTR DS:[ESI],BYTE PTR ES:[EDI]
// 004028A1 59 POP ECX
// 004028A2 75 59 JNE SHORT 004028FD
if(memcmp(StackBuffer - 0x3C + sizeof(StackBuffer), StackBuffer - 0x2C
+ sizeof(StackBuffer), 8))
{
delete [] EmptyBuffer;
return FALSE;
}
// 004028A4 49 DEC ECX
// 004028A5 ^ 75 81 JNE SHORT 00402828
}
delete [] EmptyBuffer;
return TRUE;
}
int main(int argc, char *argv[])
{
char *Buffer;
size_t FileSize;
fstream key;
string UserName;
string KeyName;
cout << endl
<< "ReverseL18_dumped.cpp - C++ Dump of Advance RCE L18 (CodeEngn.com)"
<< endl << "Made by 3735943886" << endl << "License : GPL" << endl << endl;
cout << "Name: "; cin >> UserName;
cout << "Key File: "; cin >> KeyName;
cout << endl;
// Read file
key.open(KeyName.c_str(), ios::in | ios::binary);
if(key.is_open())
{
key.seekg(0, ios::end);
FileSize = key.tellg();
Buffer = new char [FileSize];
key.seekg(0, ios::beg);
key.read(Buffer, FileSize);
key.close();
// This is main check routine
if(CheckFile(Buffer, FileSize, UserName.c_str()))
{
cout << "Congratulations! Your key is correct!" << endl;
delete [] Buffer;
return 1;
}
delete [] Buffer;
}
cout << "Invalid keyfile!" << endl;
return 0;
}
Solution and Coding...
Reverse2L18.cpp
Copyright (C) 2011 3735943886
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Private Access Only...
Result...
Omake...
This attachment is working keyfile of Advance RCE level 18 for user name '3735943886' (NOT *CodeEngn*)
Please feel free to download and test it.
test.dat(Compiled with Windows SDK)
Reverse2L18_dumped.exe
