A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #10544  by Tigzy
 Thu Dec 22, 2011 4:05 pm
Well, this is done! No need to read the hundreds of pages of the intel doc :D
Sans titre 1.png
Sans titre 1.png (11.42 KiB) Viewed 479 times
However, no trace of ldr16 in the dump... I only got the Int 13h calls
EDIT: Error fixed, now have it!

Here's the code :
Code: Select all
int ror(unsigned int value, int places) 
{
	int x = value;
	for (int i = 0 ; i < places ; i++)
	{
		int rmb = x & 0x00000001; // right most bit (save)
		x = x >> 1; // shift on right 1 bit

		if (rmb == 1) // push the rmb on left
		{
			x = x | 0x80; // 0b10000000
		}
	}
	return x;
}

bool decryptMBR (byte* bufferIN, byte* bufferOUT, int key, int offset)
{
	//Copy first part
	memcpy(&bufferOUT[0], &bufferIN[0], offset);
	
	// decrypt second part
              int keyInit = key;
	for (int i = 0 ; i < keyInit ; i++)
	{
		// Only 8 first bits
		int count = key & 0xFF;

		// Dec key
		key--;

		// apply ror
		bufferOUT[offset] = ror(bufferIN[offset], count);
		offset++;
	}	
	
	return true;

	//seg000:001E                 mov     cx, 147h
	//seg000:0021                 mov     bp, 62Ah
	//seg000:0024
	//seg000:0024 loc_24:
	//seg000:0024                 ror     byte ptr [bp+0], cl
	//seg000:0027                 inc     bp
	//seg000:0028                 loop    loc_24
}
 #10666  by Dmitry Varshavsky
 Wed Dec 28, 2011 10:19 pm
Tigzy wrote: Here's the code :
Code: Select all
int ror(unsigned int value, int places) 
{
	int x = value;
	for (int i = 0 ; i < places ; i++)
	{
		int rmb = x & 0x00000001; // right most bit (save)
		x = x >> 1; // shift on right 1 bit

		if (rmb == 1) // push the rmb on left
		{
			x = x | 0x80; // 0b10000000
		}
	}
	return x;
}
There is no need in this function. Just use _rotr intrinsic.
 #10716  by Dmitry Varshavsky
 Fri Dec 30, 2011 8:34 pm
Tigzy wrote:Ok :/
Fortunately it was a basic function...
I'd like to point to 2 things:

1. You implementation is really awful because of
a) you don't need to rotate "places" times, "places" mod 32 is plenty ;)
b) you don't need cycle to perform cyclic rotation, take a look at my implementation:
Code: Select all
unsigned int ror ( unsigned int value, unsigned int shift ) 
{
    return ( value >> ( shift % 32 ) ) | ( value << ( 32 - ( shift % 32 ) ) );
}
2. ROR is some kind of basic operations. So it's not hard to guess that it's already implemented.

If you want to have a top-end ( or at least high-end ) solution - your code also have to be at the same top or high level. That's my point.
 #10725  by Tigzy
 Sat Dec 31, 2011 11:10 am
1. You implementation is really awful because of
I don't doubt of that. This is quite new for me.
a) you don't need to rotate "places" times, "places" mod 32 is plenty
Yes. the mod 32 is implemented by design in my code. Not perfect I must admit, but functional.
Your code is better, but mine is easily understandable :D
As it works, I will not change that