
Is this the RSA algorithm? After a long time debugging, I still can't find the public key.


bridgeic
August 5th, 2014, 03:12
****************
File for static debug:
****************

https://app.box.com/s/npyh7dgjsvr3cdwm9b0a

Some clues indicate that the call to SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac may use the RSA algorithm, but I can't find the public key after a long time debugging. Can anyone give some help or guidance?

SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca => calls SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac => which references the source-file name string "rsa_eay.c"


**********************
IDA F5 => Pseudo code
**********************

// Decompiler excerpt (tail of a larger function; its header and the setup of
// v13, v14, v17 and v18 are not shown). The wrapper is called with five
// arguments, the last being the constant 1, and its result is only compared
// against -1.
// NOTE(review): any return value other than -1 takes the success path, and
// the returned value itself is not passed on to the later calls shown here.
// If the callee returns an output length, confirm it is validated elsewhere.
if ( SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca(v14, v17, v18, v13, 1) == -1 )
{
// Failure path: the function result is 0 and a value fetched from another
// routine is stored in a global (presumably an error code; verify).
v15 = 0;
dword_282C990 = SNPSle_0b7605938c156c1e7171bec194fc1df0();
snpsFreeFunc(v18);
snpsFreeFunc(v17);
}
else
{
// Success path: a new object/value is obtained and combined with v18, which
// appears to be the output buffer of the wrapper call (TODO confirm).
v15 = SNPSle_e70385d734271e1f();
SNPSle_a319640d45ef7860(v15, v18);
snpsFreeFunc(v18);
snpsFreeFunc(v17);
}
// Both branches release v18 and v17 before returning, so neither buffer
// outlives this function on the paths shown.
return v15;

*************************************************
Function SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca
*************************************************
; Call-site excerpt (32-bit x86, Intel syntax): five dword arguments are
; written into the outgoing argument area at [esp]..[esp+10h] and the wrapper
; is called. eax and esi are set before this excerpt begins. The constant 1 in
; the fifth slot matches the literal last argument in the pseudo-code above.
; NOTE(review): the mapping to v14/v17/v18/v13 assumes this is the same call
; as in the decompiler excerpt; confirm against the full listing.
.text:0129A65C mov edx, [esp+24h] ; value for the 3rd argument slot
.text:0129A660 mov dword ptr [esp+10h], 1 ; 5th argument = constant 1
.text:0129A668 mov [esp+0Ch], esi ; 4th argument = esi
.text:0129A66C mov [esp+8], edx ; 3rd argument
.text:0129A670 mov edx, [esp+20h] ; value for the 2nd argument slot
.text:0129A674 mov [esp], eax ; 1st argument = eax
.text:0129A677 mov [esp+4], edx ; 2nd argument
.text:0129A67B call SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca

; SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca: forwarding wrapper.
; Copies its five stack arguments (arg_0..arg_10), in the same order, into a
; fresh 1Ch-byte outgoing area and makes an indirect call through two pointer
; loads: ecx = [arg_C + 8], then call [ecx + 8]. It does no other work.
; In:    five dword stack arguments; arg_C must point to readable memory.
; Out:   eax is not written after the indirect call, so the callee's return
;        value is passed back unchanged.
; Stack: reserves 1Ch bytes and releases them before returning; retn pops no
;        arguments, so the caller owns the argument area.
; NOTE(review): the object -> [+8] -> [+8] pattern looks like a dispatch
; through a per-object method table; confirm the structure layout against the
; library embedded in the binary. Neither arg_C nor the loaded pointers are
; checked for null before use.
.text:012FF9C0 SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca proc near
.text:012FF9C0 ; CODE XREF: SNPSle_8c043950c9569b2b28b737acdf3db27f+16Bp
.text:012FF9C0 ; SNPSle_5b20c9bca9f2e8472400b8222d99bf873af76a24be776844+6Fp ...
.text:012FF9C0
.text:012FF9C0 var_1C = dword ptr -1Ch
.text:012FF9C0 var_18 = dword ptr -18h
.text:012FF9C0 var_14 = dword ptr -14h
.text:012FF9C0 var_10 = dword ptr -10h
.text:012FF9C0 var_C = dword ptr -0Ch
.text:012FF9C0 arg_0 = dword ptr 4
.text:012FF9C0 arg_4 = dword ptr 8
.text:012FF9C0 arg_8 = dword ptr 0Ch
.text:012FF9C0 arg_C = dword ptr 10h
.text:012FF9C0 arg_10 = dword ptr 14h
.text:012FF9C0
.text:012FF9C0 sub esp, 1Ch ; reserve the outgoing argument area
.text:012FF9C3 mov edx, [esp+1Ch+arg_C] ; edx = 4th argument (object pointer)
.text:012FF9C7 mov eax, [esp+1Ch+arg_10] ; eax = 5th argument
.text:012FF9CB mov ecx, [edx+8] ; ecx = pointer stored at object+8
.text:012FF9CE mov [esp+1Ch+var_C], eax ; outgoing 5th argument
.text:012FF9D2 mov eax, [esp+1Ch+arg_8]
.text:012FF9D6 mov [esp+1Ch+var_10], edx ; outgoing 4th argument (same object)
.text:012FF9DA mov [esp+1Ch+var_14], eax ; outgoing 3rd argument
.text:012FF9DE mov eax, [esp+1Ch+arg_4]
.text:012FF9E2 mov [esp+1Ch+var_18], eax ; outgoing 2nd argument
.text:012FF9E6 mov eax, [esp+1Ch+arg_0]
.text:012FF9EA mov [esp+1Ch+var_1C], eax ; outgoing 1st argument
.text:012FF9ED call dword ptr [ecx+8] => call 013BA9F0 SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac ; indirect call; the "=>" target is the poster's annotation of the resolved address
.text:012FF9F0 add esp, 1Ch ; release the argument area; eax still holds the callee's result
.text:012FF9F3 retn
.text:012FF9F3 SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca endp

*****************************************************************
Function SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac
*****************************************************************

.text:013BA9F0 SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac proc near
.text:013BA9F0 ; DATA XREF: .data:02796748o
......
.text:013BAA9F lea eax, (aRsa_eay_c - 26FB44Ch)[ebx] ; "rsa_eay.c"
......
.text:013BAE7D SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac endp