flat assembler
Message board for the users of flat assembler.
asmhack 11 Apr 2011, 20:02
Code:

```asm
; ecx= length
; esi= lpstring
@@:
        mov al,byte [esi+ecx]
        sub al,30
        xor al,cl
        dec ecx
        cmp ecx,0
        jae @b
```
typedef 11 Apr 2011, 20:08
You owe me your email though
vid 11 Apr 2011, 20:10
XOR <a>, <b> is reversible by XOR-ing <a> with same value <b> again.
typedef 11 Apr 2011, 20:11
vid wrote:
> XOR <a>, <b> is reversible by XOR-ing <a> with same value <b> again.

Thank you....
typedef 11 Apr 2011, 20:13
That would suck if my code were a commercial encryptor.... Many banks would have been hacked .... LOL... I'd be in deep shit LOL
asmhack 11 Apr 2011, 21:16
Code:

```asm
xor eax, ebx
xor ebx, eax
xor eax, ebx
```

= xchg eax, ebx
typedef 11 Apr 2011, 21:23
```asm
mov eax,3
mov ebx,2
xor ebx,eax
```

ebx = 5
eax = ??
asmhack 11 Apr 2011, 21:28
eax= eax
typedef 11 Apr 2011, 21:42
asmhack wrote:
> eax= eax

I knew that...
typedef 11 Apr 2011, 21:43
Anyways, this code looks buggy... I'm at school and going to class right now.
Someone fix it for me

Code:

```asm
format pe gui 4.0
include 'win32ax.inc'
include 'api/kernel32.inc'
include 'api/user32.inc'

entry main

section '.idata' import data readable
library kernel32,'kernel32.dll',\
        user32,'user32.dll'

section '.data' data readable writeable
cipher db '1234',0
c_ptr db ?
p_ptr db ?,0;'AQOU',0

section '.text' code readable executable

proc main
        push cipher
        call Enc
        mov dword [c_ptr],eax
        push MB_OK
        push dword [c_ptr]
        push dword [c_ptr]
        push 0
        call [MessageBox]
        xor eax,dword[c_ptr]
        push cipher
        call deci
        mov dword[p_ptr],eax
        push MB_ICONINFORMATION
        push dword [p_ptr]
        push dword [p_ptr]
        push 0
        call [MessageBox]
        ret
endp

;decode
;
;
;
proc deci, string
        push ebp esi edi ebx
        sub esp,20
        mov ebp,esp
        mov esi,dword [ebp+8]
        mov edi,dword [ebp-20]
        ;count string size
        xor ecx,ecx
@@:
        ;dec ecx
        cmp byte[esi+ecx],0
        jae @f
        inc ecx
        jmp @b
@@:
        cmp ecx,0
        ;ptext[i] = ( (text[i] -30 ) xor i )
        jbe @f
        ; mov al,byte [esi+ecx]
        ; sub al,30
        ; xor al,cl
        mov byte[edi+ecx],al
        dec ecx
        jmp @b
@@:
        mov eax,esi
        pop ebx edi esi ebp
        add esp,20
        mov ebp,esp
        ret
endp

;encode
proc Enc, string
        push ebp esi edi ebx
        sub esp,16              ; char * encrypted;
        mov esi,[ebp+8]
        mov edi,[ebp-16]
        xor ecx,ecx
__loop:
        cmp byte [esi+ecx],0
        je __done
        mov al,byte [esi+ecx]
        xor al,cl               ; al xor cl
        add al,30               ; just added this for fun
        mov byte [edi+ecx],al
        inc ecx
        jmp __loop
__done:
        mov byte [edi+ecx],0    ;terminate the encrypted string
        mov eax,edi             ; return the string (encrypted one)
        ; this can be used in attacks using buffer overflow. But I'm not patching that right now
        pop ebx edi esi ebp
        add esp,16
        mov ebp,esp
        ret
endp
```
LocoDelAssembly 12 Apr 2011, 02:49
Code:

```asm
ADDEND = 30
KEY = 1 ; Parity inverter

;decode
proc deci, string
        push esi
        mov esi, [string]
        jmp .load
.crypt:
        xor al, KEY
        sub al, ADDEND
        mov byte [esi - 1], al
.load:
        lodsb
        test al, al
        jnz .crypt
        mov eax, [string]
        pop esi
        ret
endp

;encode
proc Enc, string
        push esi
        mov esi, [string]
        jmp .load
.crypt:
        add al, ADDEND
        xor al, KEY
        mov byte [esi - 1], al
.load:
        lodsb
        test al, al
        jnz .crypt
        mov eax, [string]
        pop esi
        ret
endp
```

Still, just for the sake of seeing what would happen with a vulnerable decode:

Code:

```asm
format pe gui 4.0
include 'win32ax.inc'
include 'api/kernel32.inc'
include 'api/user32.inc'

entry main

section '.idata' import data readable
library kernel32,'kernel32.dll',\
        user32,'user32.dll'

section '.data' data readable writeable
cipher db '1234'
       db '5678'  ; Will destroy saved EBP
       dd hidden  ; Will destroy return address
       db 0       ; NUL terminator (But actually the dword above already contains zero in the most significant byte)
c_ptr db ?
p_ptr db ?,0;'AQOU',0

section '.text' code readable executable

proc main
        push cipher
        call Enc
        mov dword [c_ptr],eax
        push MB_OK
        push dword [c_ptr]
        push dword [c_ptr]
        push 0
        call [MessageBox]
        xor eax,dword[c_ptr]
        push cipher
        call deci
        mov dword[p_ptr],eax
        push MB_ICONINFORMATION
        push dword [p_ptr]
        push dword [p_ptr]
        push 0
        call [MessageBox]
        ret
endp

; To make sure the hidden address doesn't have a zero too soon
align 256
nop
; Note that the code above is flawed, as the second byte could end up to be zero and also Enc may be putting zeros too soon as well. Still, for this example it works good.

proc hidden
        push MB_ICONEXCLAMATION
        push .title
        push .message
        push 0
        call [MessageBox]
        push 0
        call [ExitProcess]
.title   db 'Question for you', 0
.message db 'And who exactly let you in here?', 0
endp

ADDEND = 30
KEY = 1 ; Parity inverter

;decode (INTENTIONALLY VULNERABLE AND WITH THE SERIOUS DESIGN ERROR OF RETURNING A POINTER TO THE ABOUT TO BE RELEASED STACK SPACE)
proc deci, string
local buff[4]:BYTE
        push esi
        mov esi, [string]
        lea edi, [buff]
        jmp .load
.crypt:
        xor al, KEY
        sub al, ADDEND
        stosb
.load:
        lodsb
        test al, al
        jnz .crypt
        lea eax, [buff]
        pop esi
        ret
endp

;encode
proc Enc, string
        push esi
        mov esi, [string]
        jmp .load
.crypt:
        add al, ADDEND
        xor al, KEY
        mov byte [esi - 1], al
.load:
        lodsb
        test al, al
        jnz .crypt
        mov eax, [string]
        pop esi
        ret
endp
```
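The add-then-XOR scheme of the fixed routines above, written in C as an added example (not LocoDelAssembly's or the thread's code): an in-place encode/decode pair with the inverse steps applied in reverse order, which has no scratch buffer to overflow and refuses inputs whose ciphertext would contain a NUL (the "zeros too soon" problem the second listing's comment mentions), plus a bounded out-of-place decode that replaces the 4-byte local buff and unbounded stosb with a capacity check against a caller-owned buffer. Function names are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same constants LocoDelAssembly used in the thread. */
enum { ADDEND = 30, KEY = 1 };

/* Encode one byte: add ADDEND, then XOR KEY (all arithmetic mod 256). */
static uint8_t enc_byte(uint8_t b) { return (uint8_t)((uint8_t)(b + ADDEND) ^ KEY); }

/* Decode one byte: the inverse steps in reverse order, XOR KEY then subtract ADDEND. */
static uint8_t dec_byte(uint8_t b) { return (uint8_t)((uint8_t)(b ^ KEY) - ADDEND); }

/* In-place encode, like the fixed Enc: the output overwrites the input, so
 * there is no second buffer whose size could be wrong. Returns false and
 * leaves the string untouched if any output byte would be 0, because a NUL
 * inside the ciphertext would truncate it as a C string (input byte 0xE3
 * is the one value that maps to 0 under these constants). */
bool enc_in_place(char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++)
        if (enc_byte((uint8_t)s[i]) == 0)
            return false;
    for (size_t i = 0; s[i] != '\0'; i++)
        s[i] = (char)enc_byte((uint8_t)s[i]);
    return true;
}

/* In-place decode, like the fixed deci. */
void dec_in_place(char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++)
        s[i] = (char)dec_byte((uint8_t)s[i]);
}

/* Bounded out-of-place decode. The result goes into memory the caller owns
 * and sized, not into a 4-byte local that is released on return, and the
 * loop is bounded by that size instead of by the input's NUL. Returns false
 * without writing anything if the ciphertext plus its NUL does not fit. */
bool dec_bounded(const char *in, char *out, size_t outsz)
{
    size_t n = strlen(in);
    if (n + 1 > outsz)
        return false;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)dec_byte((uint8_t)in[i]);
    out[n] = '\0';
    return true;
}
```

With the thread's constants, "1234" encodes to "NQPS"; a 4-byte destination is refused for that 4-character ciphertext, where the vulnerable deci would have written the terminator past the end of buff.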
typedef 12 Apr 2011, 05:42
Hahaha, nice I'm making this my sig
```asm
.title   db 'Question for you', 0
.message db 'And who exactly let you in here?', 0
```

Thanks for fixing it..... I also learned some stuff