Tools used: SoftIce, IDA, HIEW (yes, I always use the same tools) :p

Crudd's XorCise reverseme, solution by Extasy.

Well, this time the target seems to be harder! As it says on reversemes.cjb.net, we have to reverse an algorithm here. Since I'm not someone who is crazy about algorithms, the first thing I did was to look at how hard it would be to reverse. Luckily, it was an easy one (if it weren't, you wouldn't be reading this :-)).

After analysing the algorithm, I saw that it manipulates the file this way: take a byte, xor it with 1, store it, take the next byte, xor it with 2, store it, and so on. So to reverse it we simply need to know how many bytes we have to decrypt: since XOR is its own inverse, undoing it means applying exactly the same XOR again. As an example, if there are 67 bytes, we xor the last one with 67, the one before with 66, and so on down to the first.

OK, we are done with the algorithm. Now let's get back to some "normal" things :). The usual questions are: which APIs, and where? Since we are dealing with a window containing a big edit box, we only need two APIs to read from and write to that edit control: GetWindowTextA and SetWindowTextA. That's all. And, as usual, use ProcDump to add some extra space at the end of the last section and change its characteristics to E0000020 (code section, executable, readable and writable).

To play with those two little APIs we only need the control's handle. We can grab it right after the control is created, at the CreateWindowExA call (at 401693):

    00401683 FF 75 F4        push    [ebp+var_C]
    00401686 FF 75 08        push    [ebp+arg_0]
    00401689 68 4E 16 40 00  push    offset str->Edit ; "EDIT"
    0040168E 68 00 02 00 00  push    200h
    00401693 E8 F2 06 00 00  call    j_CreateWindowExA
    00401698 89 45 FC        mov     [ebp+var_4], eax   ; var_4 = handle of the edit control
    0040169B 6A 10           push    10h
    0040169D E8 DC 06 00 00  call    j_GetStockObject
    004016A2 89 45 F8        mov     [ebp+var_8], eax   ; var_8 = font handle
    004016A5 6A 01           push    1
    004016A7 FF 75 F8        push    [ebp+var_8]
    004016AA 6A 30           push    30h                ; WM_SETFONT
    004016AC FF 75 FC        push    [ebp+var_4]
    004016AF E8 2A 07 00 00  call    j_SendMessageA

Where could we patch a jump to our code? Wherever you want :).
I chose 4016A5, because there are only pushes there, so we can easily redo them in our own code. Assemble a push 404600 / ret there. At 404600, assemble:

    mov   eax, d,[ebp-4]       ; the edit control handle returned by CreateWindowExA
    mov   d,[4045F8], eax      ; save it for later
    push  1                    ; the pushes we overwrote at 4016A5
    push  d,[ebp-8]
    push  30
    push  4016AC               ; continue with the original code
    ret

Now everything is fine! But at this point another thing came to my mind: where will we store all the data we read? Since the program can't read files bigger than 7FFF, extend the virtual size of the last section to 9000.

Now we have to add the real function. We will put it at 404616. But what goes in it? In general, it should be a call to GetWindowTextA, followed by the reversed algorithm, and then SetWindowTextA. In asm, it gives this result:

    push  7000                 ; buffer size
    push  405000               ; buffer (I put it at a "better looking" address)
    push  d,[4045F8]           ; saved edit control handle
    call  d,[402078]           ; GetWindowTextA, returns the length in eax
    mov   edi, 405000
    mov   ecx, eax             ; ecx = number of bytes
    movzx eax, b,[edi+ecx-1]   ; take byte number ecx (counting from 1)
    xor   al, cl               ; xor it with its position
    mov   [edi+ecx-1], al      ; store it
    loop  2433                 ; back to the movzx until ecx reaches 0
    push  405000
    push  d,[4045F8]
    call  d,[402058]           ; SetWindowTextA
    push  40146B               ; return into the original code
    ret

Note that the reversed algorithm is something like two or three times smaller :). Now just patch the MessageBox code to jump to this place, and run! IT WORX!

Well, that's all for this time.

THANKS: Crudd (for this reverseme), MagicRaph, Edy, Tam, C_DKnight, ep-180, promethee, and everyone on #R4N, #C4N, #Win32asm and #crack.fr. And to everyone who reverses in French!
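As an added example (this is not the reverseme's code nor part of the original tutorial), here is the same transform written in C, mirroring the patched loop above: byte number k (counting from 1) is XORed with k, and because the asm does xor al,cl only the low byte of the counter is used, which matters for buffers longer than 255 bytes. It also checks that applying the transform twice restores the input, which is why the "reversed" algorithm is the same loop as the forward one. The buffer sizes, the fill values and the sample pattern are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Transform described in the tutorial: byte k (1-based) ^= k.
 * Walks backwards like the patched loop (ecx = len .. 1); (k & 0xFF)
 * models `xor al,cl`, which only sees the low byte of the counter. */
static void xor_counter(uint8_t *buf, size_t len)
{
    for (size_t k = len; k >= 1; k--)
        buf[k - 1] ^= (uint8_t)(k & 0xFF);
}

/* Fill a constructed buffer of `len` bytes with `fill`, apply the
 * transform once and return the byte at `index` (0-based). */
static uint8_t transformed_byte(uint8_t fill, size_t len, size_t index)
{
    uint8_t buf[0x300];                    /* constructed scratch buffer */
    if (len > sizeof buf || index >= len)
        return 0;
    memset(buf, fill, len);
    xor_counter(buf, len);
    return buf[index];
}

/* XOR is its own inverse: applying the transform twice must give back
 * the original bytes. Returns 1 when the round trip is exact. */
static int roundtrip_ok(size_t len)
{
    uint8_t orig[0x300], tmp[0x300];
    if (len > sizeof orig)
        return 0;
    for (size_t i = 0; i < len; i++)
        orig[i] = (uint8_t)(i * 7 + 3);     /* constructed sample pattern */
    memcpy(tmp, orig, len);
    xor_counter(tmp, len);                  /* "encrypt" */
    xor_counter(tmp, len);                  /* "decrypt" is the same loop */
    return memcmp(tmp, orig, len) == 0;
}

int main(void)
{
    /* The tutorial's worked value: with 67 bytes the last one is xored with 67 */
    printf("last of 67 'A's after transform: 0x%02x\n", transformed_byte('A', 67, 66));
    printf("byte 300 of a 300-byte buffer is xored with %u (300 & 0xFF)\n", 300u & 0xFF);
    printf("round trip 67 bytes: %s\n", roundtrip_ok(67) ? "ok" : "FAIL");
    printf("round trip 300 bytes: %s\n", roundtrip_ok(300) ? "ok" : "FAIL");
    return 0;
}
```

The 300-byte case is the one to keep in mind when reusing the patched loop: past byte 255 the asm keeps xoring with cl, so the effective key wraps to k mod 256, and any reimplementation has to wrap the same way or the round trip breaks.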