Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Please help to reverce an ASM function.

HostageOfCode
HostageOfCode
in Programming and Coding

Featured Replies

var_2C= dword ptr -2Ch
var_25= byte ptr -25h
var_24= dword ptr -24h
var_1E= byte ptr -1Eh
var_1D= byte ptr -1Dh
var_1C= dword ptr -1Ch
var_18= dword ptr -18h
var_14= dword ptr -14h
var_10= byte ptr -10h
var_F= byte ptr -0Fh
var_E= byte ptr -0Eh
var_D= byte ptr -0Dh
var_C= byte ptr -0Ch
var_B= byte ptr -0Bh
var_A= byte ptr -0Ah
var_9= byte ptr -9
var_8= byte ptr -8
var_7= byte ptr -7
var_6= byte ptr -6
var_5= byte ptr -5
arg_0= dword ptr  8
arg_4= dword ptr  0Ch
arg_8= byte ptr  10h

push    ebp
mov     ebp, esp
sub     esp, 2Ch
push    ebx
push    esi
push    edi
mov     eax, [ebp+arg_0]
movzx   ecx, byte ptr [eax]
movzx   edx, byte ptr [eax+1]
mov     [ebp+var_9], cl
movzx   ecx, byte ptr [eax+2]
mov     [ebp+var_E], dl
movzx   edx, byte ptr [eax+3]
mov     [ebp+var_7], cl
movzx   ecx, byte ptr [eax+4]
mov     [ebp+var_B], dl
movzx   edx, byte ptr [eax+5]
mov     [ebp+var_D], cl
movzx   ecx, byte ptr [eax+6]
mov     [ebp+var_8], dl
movzx   edx, byte ptr [eax+7]
mov     [ebp+var_10], cl
movzx   ecx, byte ptr [eax+8]
mov     [ebp+var_A], dl
movzx   edx, byte ptr [eax+9]
mov     al, [ebp+arg_8]
mov     esi, [ebp+arg_4]
add     al, al
add     al, al
mov     [ebp+var_2C], esi
mov     [ebp+var_C], cl
mov     [ebp+var_F], dl
mov     [ebp+var_25], al
mov     [ebp+var_1C], 64656D6Fh
mov     [ebp+var_18], 44454D4Fh
mov     [ebp+var_14], 4D4F4445h
mov     [ebp+var_1D], 0EAh
mov     eax, 0
mov     [ebp+var_24], eax
xor     ecx, ecx
lea     ecx, [ecx+0]

loc_4011D0:
mov     dl, [ebp+ecx+var_10]
mov     bl, byte ptr [ebp+var_24+1]
lea     eax, [ecx+1]
imul    dl
add     byte ptr [ebp+var_24], al
sub     bl, al
mov     [ebp+var_1E], al
lea     eax, [ecx+38h]
imul    dl
add     byte ptr [ebp+var_24+2], al
inc     ecx
mov     byte ptr [ebp+var_24+1], bl
cmp     ecx, 0Ah
jl      short loc_4011D0
mov     al, byte ptr [ebp+var_24]
imul    [ebp+var_10]
mov     dl, [ebp+var_1D]
xor     bl, al
lea     edi, [ebp+var_1C]
mov     [ebp+var_6], al
mov     [ebp+var_5], bl
lea     ecx, [ebx+1]
xor     cl, byte ptr [ebp+var_24+2]
and     cl, 3
mov     byte ptr [ebp+var_24+2], cl
xor     ecx, ecx
sub     edi, esi
jmp     short loc_401223
jmp     short loc_401220
align 10h

loc_401220:
mov     esi, [ebp+var_2C]

loc_401223:
add     esi, ecx
movzx   eax, byte ptr [edi+esi]
mov     al, [ebp+eax+var_10]
xor     al, dl
mov     dl, cl
add     dl, dl
add     dl, dl
lea     ebx, [edx+ecx]
add     al, bl
inc     ecx
mov     [esi], al
lea     edx, [eax+22h]
cmp     ecx, 0Ch
jl      short loc_401220
mov     al, [ebp+var_25]
mov     ecx, [ebp+var_2C]
and     al, 0Ch
or      al, byte ptr [ebp+var_24+2]
pop     edi
mov     [ecx+0Ch], al
pop     esi
xor     ecx, ebp
mov     eax, 1
pop     ebx
mov     esp, ebp
pop     ebp
retn

Hi, is it possible this function to be reversed?

The function has 2 parameters - (uint8_t* source, uint8_t* output).

Would like to convert it to get the source from the output.

Thanks in advance.

    •
    • Like 1
    3 hours ago, HostageOfCode said:
    var_2C= dword ptr -2Ch
var_25= byte ptr -25h
var_24= dword ptr -24h
var_1E= byte ptr -1Eh
var_1D= byte ptr -1Dh
var_1C= dword ptr -1Ch
var_18= dword ptr -18h
var_14= dword ptr -14h
var_10= byte ptr -10h
var_F= byte ptr -0Fh
var_E= byte ptr -0Eh
var_D= byte ptr -0Dh
var_C= byte ptr -0Ch
var_B= byte ptr -0Bh
var_A= byte ptr -0Ah
var_9= byte ptr -9
var_8= byte ptr -8
var_7= byte ptr -7
var_6= byte ptr -6
var_5= byte ptr -5
arg_0= dword ptr  8
arg_4= dword ptr  0Ch
arg_8= byte ptr  10h

push    ebp
mov     ebp, esp
sub     esp, 2Ch
push    ebx
push    esi
push    edi
mov     eax, [ebp+arg_0]
movzx   ecx, byte ptr [eax]
movzx   edx, byte ptr [eax+1]
mov     [ebp+var_9], cl
movzx   ecx, byte ptr [eax+2]
mov     [ebp+var_E], dl
movzx   edx, byte ptr [eax+3]
mov     [ebp+var_7], cl
movzx   ecx, byte ptr [eax+4]
mov     [ebp+var_B], dl
movzx   edx, byte ptr [eax+5]
mov     [ebp+var_D], cl
movzx   ecx, byte ptr [eax+6]
mov     [ebp+var_8], dl
movzx   edx, byte ptr [eax+7]
mov     [ebp+var_10], cl
movzx   ecx, byte ptr [eax+8]
mov     [ebp+var_A], dl
movzx   edx, byte ptr [eax+9]
mov     al, [ebp+arg_8]
mov     esi, [ebp+arg_4]
add     al, al
add     al, al
mov     [ebp+var_2C], esi
mov     [ebp+var_C], cl
mov     [ebp+var_F], dl
mov     [ebp+var_25], al
mov     [ebp+var_1C], 64656D6Fh
mov     [ebp+var_18], 44454D4Fh
mov     [ebp+var_14], 4D4F4445h
mov     [ebp+var_1D], 0EAh
mov     eax, 0
mov     [ebp+var_24], eax
xor     ecx, ecx
lea     ecx, [ecx+0]

loc_4011D0:
mov     dl, [ebp+ecx+var_10]
mov     bl, byte ptr [ebp+var_24+1]
lea     eax, [ecx+1]
imul    dl
add     byte ptr [ebp+var_24], al
sub     bl, al
mov     [ebp+var_1E], al
lea     eax, [ecx+38h]
imul    dl
add     byte ptr [ebp+var_24+2], al
inc     ecx
mov     byte ptr [ebp+var_24+1], bl
cmp     ecx, 0Ah
jl      short loc_4011D0
mov     al, byte ptr [ebp+var_24]
imul    [ebp+var_10]
mov     dl, [ebp+var_1D]
xor     bl, al
lea     edi, [ebp+var_1C]
mov     [ebp+var_6], al
mov     [ebp+var_5], bl
lea     ecx, [ebx+1]
xor     cl, byte ptr [ebp+var_24+2]
and     cl, 3
mov     byte ptr [ebp+var_24+2], cl
xor     ecx, ecx
sub     edi, esi
jmp     short loc_401223
jmp     short loc_401220
align 10h

loc_401220:
mov     esi, [ebp+var_2C]

loc_401223:
add     esi, ecx
movzx   eax, byte ptr [edi+esi]
mov     al, [ebp+eax+var_10]
xor     al, dl
mov     dl, cl
add     dl, dl
add     dl, dl
lea     ebx, [edx+ecx]
add     al, bl
inc     ecx
mov     [esi], al
lea     edx, [eax+22h]
cmp     ecx, 0Ch
jl      short loc_401220
mov     al, [ebp+var_25]
mov     ecx, [ebp+var_2C]
and     al, 0Ch
or      al, byte ptr [ebp+var_24+2]
pop     edi
mov     [ecx+0Ch], al
pop     esi
xor     ecx, ebp
mov     eax, 1
pop     ebx
mov     esp, ebp
pop     ebp
retn

    Hi, is it possible this function to be reversed?

    The function has 2 parameters - (uint8_t* source, uint8_t* output).

    Would like to convert it to get the source from the output.

    Thanks in advance.

    Use ida hex-ray decompiler.

    Regards.

    sean.

    • Author

    I tried already but hex rays does not produce a usable c code. The problem is that it does not recognize byte arrays but this function uses byte arrays and low byte manipulation.

    •
    • Sad 1
    • Author
      char v2; // al
  char v3; // dl
  char v4; // cl
  char v5; // dl
  char v6; // cl
  char v7; // dl
  char v8; // cl
  char v9; // dl
  char v10; // cl
  char v11; // dl
  int v12; // esi
  char v13; // al
  int i; // ecx
  char v15; // dl
  char v16; // al
  char v17; // bl
  char v18; // dl
  int v19; // ecx
  _BYTE *v20; // esi
  char v21; // al
  int v23; // [esp+14h] [ebp-24h]
  char v24; // [esp+16h] [ebp-22h]
  char v25; // [esp+1Bh] [ebp-1Dh]
  int v26; // [esp+1Ch] [ebp-1Ch] BYREF
  int v27; // [esp+20h] [ebp-18h]
  int v28; // [esp+24h] [ebp-14h]
  _BYTE v29[11]; // [esp+28h] [ebp-10h]
  char v30; // [esp+33h] [ebp-5h]

  v3 = a1[1];
  v29[7] = *a1;
  v4 = a1[2];
  v29[2] = v3;
  v5 = a1[3];
  v29[9] = v4;
  v6 = a1[4];
  v29[5] = v5;
  v7 = a1[5];
  v29[3] = v6;
  v8 = a1[6];
  v29[8] = v7;
  v9 = a1[7];
  v29[0] = v8;
  v10 = a1[8];
  v29[6] = v9;
  v11 = a1[9];
  v12 = a2;
  v13 = 4 * v2;
  v29[4] = v10;
  v29[1] = v11;
  v26 = 1684368751;
  v27 = 1145392463;
  v28 = 1297040453;
  v25 = -22;
  v23 = 0;
  for ( i = 0; i < 10; ++i )
  {
    v15 = v29[i];
    v16 = v15 * (i + 1);
    LOBYTE(v23) = v16 + v23;
    v17 = BYTE1(v23) - v16;
    BYTE2(v23) += v15 * (i + 56);
    BYTE1(v23) -= v16;
  }
  v18 = v25;
  v29[10] = v29[0] * v23;
  v30 = (v29[0] * v23) ^ v17;
  v24 = (BYTE2(v23) ^ (v30 + 1)) & 3;
  v19 = 0;
  while ( 1 )
  {
    v20 = (_BYTE *)(v19 + v12);
    v21 = 5 * v19++ + (v18 ^ v29[(unsigned __int8)v20[(_DWORD)&v26 - a2]]);
    *v20 = v21;
    v18 = v21 + 34;
    if ( v19 >= 12 )
      break;
    v12 = a2;
  }
  *(_BYTE *)(a2 + 12) = v24 | (4 * v2) & 0xC;
  return 1;
}

    This is what i got from hex-rays but it is very bad and useless decompiled code.

    Try AI, grok will give you a much better code but you will need several iterations till it gets a working one

    pay them they will instantly do for you. 

    #include <stdint.h>
#include <string.h>
#include <stdio.h>

#ifndef _WIN32
#define __stdcall
#endif

int __stdcall ted(uint8_t* input_buf, uint8_t* output_buf, uint8_t arg_8) {
    
    uint8_t permuted_input[10];
    
    permuted_input[0] = input_buf[6]; // var_10
    permuted_input[1] = input_buf[9]; // var_F
    permuted_input[2] = input_buf[1]; // var_E
    permuted_input[3] = input_buf[4]; // var_D
    permuted_input[4] = input_buf[8]; // var_C
    permuted_input[5] = input_buf[3]; // var_B
    permuted_input[6] = input_buf[7]; // var_A
    permuted_input[7] = input_buf[0]; // var_9
    permuted_input[8] = input_buf[5]; // var_8
    permuted_input[9] = input_buf[2]; // var_7

    uint8_t var_24[4] = {0, 0, 0, 0};
    uint8_t key_string[] = {
        0x6F, 0x6D, 0x65, 0x64, 
        0x4F, 0x4D, 0x45, 0x44, 
        0x45, 0x44, 0x4F, 0x4D  
    };

    uint8_t var_1D = 0xEA;
    
    for (int i = 0; i < 10; i++) {
        uint8_t val = permuted_input[i];
        

        uint16_t product1 = (i + 1) * val;
        uint8_t p1_low = (uint8_t)product1;
        var_24[0] += p1_low;
        var_24[1] -= p1_low;
        
        uint16_t product2 = (i + 0x38) * val;
        var_24[2] += (uint8_t)product2;
    }

    uint8_t al = var_24[0] * permuted_input[0];
    uint8_t bl = var_24[1] ^ al;
    
    var_24[2] = ((bl + 1) ^ var_24[2]) & 3;

    uint8_t current_dl = var_1D;
    
    for (int i = 0; i < 12; i++) {
        uint8_t key_char = key_string[i];
-
        // The original assembly does: mov al, [ebp + key_char + var_10]
        // This reads outside the 'permuted_input' array.

        
        uint8_t magic_byte = *( (&permuted_input[0]) + key_char );
        
        uint8_t calculated = magic_byte ^ current_dl;
        uint8_t add_val = (uint8_t)(i * 5);
        
        calculated += add_val;
        output_buf[i] = calculated;
        
        current_dl = calculated + 0x22;
    }

    uint8_t final_byte = ((arg_8 * 4) & 0x0C) | var_24[2];
    output_buf[12] = final_byte;

    return 1;
}

int main() {

    uint8_t input[] = {0,1,2,3,4,5,6,7,8,9};
    uint8_t output[13];
    ted(input, output, 0x10);

    return 0;
}

    Edited by X0rby

    • Like 1
    • Thanks 1
    • Author
    2 hours ago, X0rby said:
    #include <stdint.h>#include <string.h>#include <stdio.h>

#ifndef _WIN32#define __stdcall#endif

int __stdcall ted(uint8_t* input_buf, uint8_t* output_buf, uint8_t arg_8) {
    
    uint8_t permuted_input[10];
    
    permuted_input[0] = input_buf[6]; // var_10
    permuted_input[1] = input_buf[9]; // var_F
    permuted_input[2] = input_buf[1]; // var_E
    permuted_input[3] = input_buf[4]; // var_D
    permuted_input[4] = input_buf[8]; // var_C
    permuted_input[5] = input_buf[3]; // var_B
    permuted_input[6] = input_buf[7]; // var_A
    permuted_input[7] = input_buf[0]; // var_9
    permuted_input[8] = input_buf[5]; // var_8
    permuted_input[9] = input_buf[2]; // var_7

    uint8_t var_24[4] = {0, 0, 0, 0};
    uint8_t key_string[] = {
        0x6F, 0x6D, 0x65, 0x64, 
        0x4F, 0x4D, 0x45, 0x44, 
        0x45, 0x44, 0x4F, 0x4D  
    };

    uint8_t var_1D = 0xEA;
    
    for (int i = 0; i < 10; i++) {
        uint8_t val = permuted_input[i];
        

        uint16_t product1 = (i + 1) * val;
        uint8_t p1_low = (uint8_t)product1;
        var_24[0] += p1_low;
        var_24[1] -= p1_low;
        
        uint16_t product2 = (i + 0x38) * val;
        var_24[2] += (uint8_t)product2;
    }

    uint8_t al = var_24[0] * permuted_input[0];
    uint8_t bl = var_24[1] ^ al;
    
    var_24[2] = ((bl + 1) ^ var_24[2]) & 3;

    uint8_t current_dl = var_1D;
    
    for (int i = 0; i < 12; i++) {
        uint8_t key_char = key_string[i];
-
        // The original assembly does: mov al, [ebp + key_char + var_10]
        // This reads outside the 'permuted_input' array.

        
        uint8_t magic_byte = *( (&permuted_input[0]) + key_char );
        
        uint8_t calculated = magic_byte ^ current_dl;
        uint8_t add_val = (uint8_t)(i * 5);
        
        calculated += add_val;
        output_buf[i] = calculated;
        
        current_dl = calculated + 0x22;
    }

    uint8_t final_byte = ((arg_8 * 4) & 0x0C) | var_24[2];
    output_buf[12] = final_byte;

    return 1;
}

int main() {

    uint8_t input[] = {0,1,2,3,4,5,6,7,8,9};
    uint8_t output[13];
    ted(input, output, 0x10);

    return 0;
}

    X0rby what ai engine used to get this code? Haven't tried your code yet will try it asap. Looks very clean and simple.

    Fixed my code from Hex-ray and this is the decompiled working ok code:

    Obfuscate_Data(uint8_t* input, uint8_t* output)
{
	int v2;
    uint8_t buffer[12];
    uint8_t* output_1;
    int v5; 
    int i; 
    uint8_t v7; 
    uint8_t v8; 
    uint8_t v9; 
    uint8_t n117_1; 
    int n12; 
    uint8_t* v12; 
    uint8_t v13; 
    uint32_t internal_state; 
    uint8_t state; 
    uint8_t table_var; 
    uint32_t table[11]; 

    buffer[0] = input[1];
    HIBYTE(table[4]) = *input;
    buffer[4] = input[2];
    BYTE2(table[3]) = buffer[0];
    buffer[0] = input[3];
    BYTE1(table[5]) = buffer[4];
    buffer[4] = input[4];
    BYTE1(table[4]) = buffer[0];
    buffer[0] = input[5];
    HIBYTE(table[3]) = buffer[4];
    buffer[4] = input[6];
    LOBYTE(table[5]) = buffer[0];
    buffer[0] = input[7];
    LOBYTE(table[3]) = buffer[4];
    buffer[4] = input[8];
    BYTE2(table[4]) = buffer[0];
    buffer[0] = input[9];
    output_1 = output;
    LOBYTE(table[4]) = buffer[4];
    BYTE1(table[3]) = buffer[0];
    table[0] = 0x6F6D6564;   
    table[1] = 0x4F4D4544;
    table[2] = 0x45444F4D;
    table_var = 0xEA;
    internal_state = 0;
	v2 = 0;
    for (i = 0; i < 10; ++i)
    {
        v7 = *((_BYTE*)&table[3] + i);
        v8 = v7 * (i + 1);
        LOBYTE(internal_state) = v8 + internal_state;
        v9 = BYTE1(internal_state) - v8;
        BYTE2(internal_state) += v7 * (i + 56);
        BYTE1(internal_state) -= v8;
    }
    n117_1 = table_var;
    BYTE2(table[5]) = LOBYTE(table[3]) * internal_state;
    HIBYTE(table[5]) = (LOBYTE(table[3]) * internal_state) ^ v9;
    state = (BYTE2(internal_state) ^ (HIBYTE(table[5]) + 1)) & 3;
    n12 = 0;
    while (1)
    {
        v12 = &output_1[n12];
        v13 = 5 * n12++ + (n117_1 ^ *((_BYTE*)&table[3] + v12[(char*)table - (char*)output]));
        *v12 = v13;
        n117_1 = v13 + 34;
        if (n12 >= 12)
            break;
        output_1 = output;
    }
    output[12] = state | (4 * v2) & 0xC;
    return 1;
}

    But i need function that reverses the output of the function. I mean to get the input if i have the output buffer already.

    PS. Tried X0rby code but no luck it didn't give good result. Only the first byte is encoded ok with this function.

    Edited by HostageOfCode
    Ps.

    Just give me the binary

    Create an account or sign in to comment

    Go to topic listing

    Configure browser push notifications
    Chrome (Android)
    1. Tap the lock icon next to the address bar.
    2. Tap Permissions → Notifications.
    3. Adjust your preference.
    Chrome (Desktop)
    1. Click the padlock icon in the address bar.
    2. Select Site settings.
    3. Find Notifications and adjust your preference.