Quote:
Originally Posted by chea77er
Nice, I love your work.
EDIT:
So I'm not the best reverser, but I tried to reverse the SV.T building.
So the beginning is very simple, let's start with a WORD: it's the length of a following string.
I'm not sure if the length is a WORD or DWORD because there are 2 00 00 bytes after the first 2 bytes.
I know that Joymax only uses WORD for length, so let's ignore bytes No. 3 and 4.
The current iSRO version got an 8-byte string. So, but how to decrypt them? On reversing I didn't find Blowfish things. I found a call, but the call "calls" a delegate or something, dunno how to get the address of it. After the string the SV.T file is filled with some 00 bytes, to get the exact size of 1024.
SV.T is pretty simple:
[xx xx xx xx] - size of input data
[xx .. xx] - input data
The rest of the data is just padding.
You use the Blowfish string "SILKROADVERSION", but only use 8 bytes as the size for the key. Then you can easily decrypt it and then re-encrypt a new version. Writing a simple tool to do it is pretty easy; a few people have already done this work in the past.
You can look at Silkroad.exe to see this logic the easiest. To do this:
- Find where "SV.T" is loaded (search for name)
- Trace down a bit until you see a call like this (sets up blowfish):
Code:
0043780B |. 6A 08 PUSH 8 ; /Arg2 = 00000008
0043780D |. 8D5424 60 LEA EDX,DWORD PTR SS:[ESP+60] ; |
00437811 |. 52 PUSH EDX ; |Arg1
00437812 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18] ; |
00437816 |. C78424 800800>MOV DWORD PTR SS:[ESP+880],0 ; |
00437821 |. E8 1AD80000 CALL silkroad.00445040 ; \silkroad.00445040
- The next call decrypts the buffer and then the next call is like atoi (string to int)
- Finally, the version is stored into a variable for later use (EAX has it)
That's all there is to it!
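An added example (not from this thread or from any existing tool) of the SV.T layout described in the reply above, in Python: it parses and rebuilds the container (4-byte length, payload, zero padding to 1024 bytes), derives the 8-byte key from "SILKROADVERSION", and mirrors the decrypt-then-atoi step. The little-endian length, ECB mode for the single-block payload, and pycryptodome as the Blowfish implementation are assumptions.

```python
import struct

SVT_FILE_SIZE = 1024   # the whole SV.T file is padded with zero bytes to exactly 1024 bytes
BLOCK = 8              # Blowfish block size; the stored payload is whole blocks
# The client passes "SILKROADVERSION" with a key length of 8, so only "SILKROAD" is used.
KEY = b"SILKROADVERSION"[:8]


def parse_svt(blob: bytes) -> bytes:
    """Return the encrypted payload of an SV.T blob, rejecting malformed files.
    Assumption: the 4-byte length is little-endian (x86 client)."""
    if len(blob) != SVT_FILE_SIZE:
        raise ValueError(f"SV.T must be {SVT_FILE_SIZE} bytes, got {len(blob)}")
    (n,) = struct.unpack_from("<I", blob, 0)
    if n == 0 or n % BLOCK or 4 + n > SVT_FILE_SIZE:
        raise ValueError(f"bad payload length {n}")
    if any(blob[4 + n:]):
        raise ValueError("bytes after the payload are not zero padding")
    return blob[4:4 + n]


def build_svt(payload: bytes) -> bytes:
    """Wrap an (already encrypted) payload in the SV.T container: length, data, zero padding."""
    if len(payload) == 0 or len(payload) % BLOCK or 4 + len(payload) > SVT_FILE_SIZE:
        raise ValueError("payload must be 1..127 whole Blowfish blocks")
    body = struct.pack("<I", len(payload)) + payload
    return body.ljust(SVT_FILE_SIZE, b"\x00")


def atoi(text: bytes) -> int:
    """C-style atoi: skip leading whitespace, optional sign, digits up to the first non-digit."""
    s = text.lstrip(b" \t\r\n")
    sign, i = 1, 0
    if s[:1] in (b"+", b"-"):
        sign, i = (-1 if s[:1] == b"-" else 1), 1
    value = 0
    while i < len(s) and 48 <= s[i] <= 57:
        value, i = value * 10 + (s[i] - 48), i + 1
    return sign * value


def decrypt_version(blob: bytes) -> int:
    """Decrypt the payload with Blowfish-ECB (assumed mode) under the 8-byte key, then atoi it."""
    from Crypto.Cipher import Blowfish  # pycryptodome; imported lazily so the parser works without it
    plain = Blowfish.new(KEY, Blowfish.MODE_ECB).decrypt(parse_svt(blob))
    return atoi(plain)


def encrypt_version(version: int) -> bytes:
    """Inverse of decrypt_version: encode the version as one 8-byte block and build a new SV.T."""
    from Crypto.Cipher import Blowfish  # pycryptodome, assumed available
    plain = str(version).encode().ljust(BLOCK, b"\x00")[:BLOCK]
    return build_svt(Blowfish.new(KEY, Blowfish.MODE_ECB).encrypt(plain))
```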