Well, I am having a problem with my XOR Routine that I created. I was wondering if anyone here is kind enough to help me out and tell me what I am doing wrong. Here is the code.
BasicXor proc pFileData:DWORD, dwFileSize:DWORD, pKeyPointer:DWORD, dwKeySize:DWORD
    PUSHAD
    MOV EAX, pFileData
    MOV ECX, dwFileSize
    MOV EBX, pKeyPointer
    XOR ESI, ESI
@XORLoop:
    MOV BL, BYTE PTR[EBX]
    XOR BYTE PTR[EAX], BL
    INC EAX
    INC EBX
    INC ESI
    CMP ESI, dwKeySize
    JNE @Continue
    MOV EBX, pKeyPointer
    XOR ESI, ESI
@Continue:
    LOOP @XORLoop
    POPAD
    RET
BasicXor endp
After debugging in OllyDbg I see that some of the characters are decrypted properly when I decrypt the code I have recently encrypted but not all of them. Do you know how I could fix this?
Works correctly with small strings. But when I try with large files that are 2 KB in size, it seems to produce decrypted code that differs from the original.
    MOV BL, BYTE PTR[EBX]
    XOR BYTE PTR[EAX], BL
You overwrite the lowest byte of EBX with the MOV. BL is a part of EBX: http://www.sandpile.org/ia32/reg.htm
Replace BL with DL.
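The aliasing described in the reply above, modelled in C as an added example (not code from the thread): EBX is a 32-bit integer, BL is its low byte, and both loops run over a constructed flat memory array. The layout constants, the key `KEY!` and the sample text are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed flat memory so register values can act as addresses (assumed layout). */
#define MEM_SIZE  0x400u
#define KEY_ADDR  0x100u
#define DATA_ADDR 0x200u
static uint8_t mem[MEM_SIZE];
typedef void (*xor_fn)(uint32_t data, uint32_t size, uint32_t key, uint32_t key_len);

/* Loop from the first post: the key byte is loaded into BL, the low byte of EBX. */
void xor_bl(uint32_t data, uint32_t size, uint32_t key, uint32_t key_len) {
    uint32_t eax = data, ebx = key, esi = 0;
    for (uint32_t ecx = size; ecx != 0; ecx--) {
        /* MOV BL,[EBX]: bits 0-7 of the key pointer are replaced by the key byte */
        ebx = (ebx & 0xFFFFFF00u) | mem[ebx % MEM_SIZE];
        mem[eax % MEM_SIZE] ^= (uint8_t)ebx;          /* XOR [EAX],BL */
        eax++; ebx++; esi++;
        if (esi == key_len) { ebx = key; esi = 0; }   /* wrap to start of key */
    }
}

/* Same loop with the fix from the reply: the key byte goes to DL, EBX is untouched. */
void xor_dl(uint32_t data, uint32_t size, uint32_t key, uint32_t key_len) {
    uint32_t eax = data, ebx = key, esi = 0;
    for (uint32_t ecx = size; ecx != 0; ecx--) {
        uint8_t dl = mem[ebx % MEM_SIZE];             /* MOV DL,[EBX] */
        mem[eax % MEM_SIZE] ^= dl;                    /* XOR [EAX],DL */
        eax++; ebx++; esi++;
        if (esi == key_len) { ebx = key; esi = 0; }
    }
}

/* Run fn on constructed input; count bytes that differ from plain[i] ^ key[i % 4]. */
int count_wrong(xor_fn fn) {
    static const uint8_t key[4] = { 'K', 'E', 'Y', '!' };
    static const char plain[] = "sixteen byte msg";
    uint32_t n = sizeof plain - 1, wrong = 0;
    memset(mem, 0, sizeof mem);
    memcpy(mem + KEY_ADDR, key, sizeof key);
    memcpy(mem + DATA_ADDR, plain, n);
    fn(DATA_ADDR, n, KEY_ADDR, sizeof key);
    for (uint32_t i = 0; i < n; i++)
        wrong += mem[DATA_ADDR + i] != (uint8_t)(plain[i] ^ key[i % sizeof key]);
    return (int)wrong;
}
int main(void) {
    printf("BL: %d wrong, DL: %d wrong\n", count_wrong(xor_bl), count_wrong(xor_dl));
    return 0;
}
```

With this layout, only the first byte of each key period matches a true repeating-key XOR in the BL version, because every later read comes from wherever the clobbered pointer lands; the DL version matches on every byte.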
Thank you :) I have now got it working. Quicker response than I thought I would get :)
    MOV BL, BYTE PTR[EBX]
oops - EBX is trashed :P
BasicXor PROC pFileData:DWORD,dwFileSize:DWORD,pKeyPointer:DWORD,dwKeySize:DWORD
        PUSHAD
        MOV ECX,dwFileSize
        MOV EAX,pFileData
        INC ECX
        JMP SHORT bXor01
bXor00: MOV DL,[EBX]
        XOR [EAX],DL
        INC EBX
        INC EAX
        DEC ESI
        JNZ bXor02
bXor01: MOV EBX,pKeyPointer
        MOV ESI,dwKeySize
bXor02: DEC ECX
        JNZ bXor00
        POPAD
        RET
BasicXor ENDP
lemme guess - yahoo messenger archive decoder ? :P
If I remember well, old .ng files use this one.
it would work for YM message archives, too
the key would be the user ID :P
good thing it isn't top secret info - lol