Reversing the Becky! Internet Mail version 2 Encryption Algorithm
[Author]: crosoli
[Author mailbox]: crosoli@126.com
[Software name]: Becky! Internet Mail
[]: Search for and download it yourself
[Programming language]: VC6.0
[Software description]: Email receiving tool
[Author's statement]: For the purpose of learning
--------------------------------------------------------------------------------
[Detailed process]
1. I bought Encryption and Decryption, 3rd edition, just last month. After reading chapter 3 (I can only read it after work), I always feel that the author knows me very well. This book is very suitable for me.
2. Analysis process.
1. First open Becky! Internet Mail and configure your email account information.
2. Load B2.exe into OllyDbg. After running it with F9, right-click the mailbox -> Properties and change the password. Set a breakpoint on GetWindowTextA: all of the account information is read into memory here. Once the plaintext of the password has been read into memory, follow it in the data window, find the plaintext password, set a memory breakpoint on it, and remove the earlier GetWindowTextA breakpoint.
After pressing F9 again, the program breaks here:
0051A8C5 |. 85DB test ebx, EBX
0051A8C7 |. 75 3A jnz short B2.0051A903
0051A8C9 |. 8B86 B8000000 mov eax, dword ptr ds: [ESI + B8]; New Password
0051A8CF |. 8BAF B8000000 mov ebp, dword ptr ds: [EDI + B8]; old password
0051A8D5 |> 8A55 00 /mov dl, byte ptr ss: [EBP]; one byte of the old password
0051A8D8 |. 8ACA | mov cl, DL
0051A8DA |. 3A10 | cmp dl, byte ptr ds: [EAX]; compare with the corresponding byte of the new password
0051A8DC |. 75 1C | jnz short B2.0051A8FA; jump if the passwords differ
0051A8DE |. 84C9 | test cl, CL
0051A8E0 |. 74 14 | je short B2.0051A8F6
0051A8E2 |. 8A55 01 | mov dl, byte ptr ss: [EBP + 1]; continue with the next byte
0051A8E5 |. 8ACA | mov cl, DL
0051A8E7 |. 3A50 01 | cmp dl, byte ptr ds: [EAX + 1]
0051A8EA |. 75 0E | jnz short B2.0051A8FA
0051A8EC |. 83C5 02 | add ebp, 2
0051A8EF |. 83C0 02 | add eax, 2
0051A8F2 |. 84C9 | test cl, CL
0051A8F4 |. ^ 75 df jnz short B2.0051A8D5
0051A8F6 |> 33C0 xor eax, EAX
0051A8F8 |. EB 05 jmp short B2.0051A8FF
0051A8FA |> 1BC0 sbb eax, EAX; EAX = 0 or -1 depending on the carry from the last cmp
0051A8FC |. 83D8 FF sbb eax, -1; EAX becomes -1 or 1 (strcmp-style result)
0051A8FF |> 85C0 test eax, EAX
0051A901 |. 74 5F je short B2.0051A962; when the old and new passwords are the same, skip writing
0051A903 |> 8DAE B8000000 lea ebp, dword ptr ds: [ESI + B8]
0051A909 |. 8D8F B8000000 lea ecx, dword ptr ds: [EDI + B8]
0051A90F |. 55 PUSH EBP
0051A910 |. E8 22280800 CALL B2.0059D137
0051A915 |. 8B6D 00 mov ebp, dword ptr ss: [EBP]
0051A918 |. A1 38685F00 mov eax, dword ptr ds: [5F6838]
0051A91D |. 55 PUSH EBP
0051A91E |. 68 00100000 PUSH 1000
0051A923 |. 8D4C24 24 lea ecx, dword ptr ss: [ESP + 24]
0051A927 |. 894424 24 mov dword ptr ss: [ESP + 24], EAX
0051A92B |. E8 FE2A0800 CALL B2.0059D42E
0051A930 |. 50 PUSH EAX
0051A931 |. E8 4A00F7FF CALL B2.0048A980; encrypt the new password.
0051A936 |. 6A FF PUSH -1
0051A938 |. 8D4C24 20 lea ecx, dword ptr ss: [ESP + 20]
0051A93C |. E8 3C2B0800 CALL B2.0059D47D
0051A941 |. 8B0E mov ecx, dword ptr ds: [ESI]
0051A943 |. 8B5424 1C mov edx, dword ptr ss: [ESP + 1C]
0051A947 |. 51 push ecx;/FileName
0051A948 |. 52 push edx; | String
0051A949 |. 68 B8B35E00 PUSH B2.005EB3B8; | Key = "PassWd"
0051A94E |. 68 E4E15E00 PUSH B2.005EE1E4; | Section = "Account"
0051A953 |. FF15 64225C00 call dword ptr ds: [<& KERNEL32.WritePriva>; WritePrivateProfileStringA writes the encrypted new password to the "PassWd" key of the "Account" section in the configuration file
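The loop at 0051A8D5-0051A8FF is a string compare unrolled two bytes per iteration, and the `je` at 0051A901 uses its result to decide whether the encrypted password is written back at all. The following C rendering is an added example written for this write-up, not code from Becky! or from the original post; the function names and the `force` parameter standing in for the EBX check at 0051A8C5 are assumptions (the listing does not show what EBX holds).

```c
#include <stdio.h>

/* Added example: C rendering of the comparison loop at 0051A8D5-0051A8FF.
 * EBP walks the old password, EAX walks the new one, two bytes per pass.
 * Result follows the sbb eax,eax / sbb eax,-1 idiom: 0 when equal,
 * -1 when the old byte is smaller (CF set by cmp), +1 when it is larger,
 * i.e. the same sign convention as strcmp (unsigned byte compare). */
static int password_compare(const char *old_pw, const char *new_pw)
{
    const unsigned char *p = (const unsigned char *)old_pw; /* EBP */
    const unsigned char *q = (const unsigned char *)new_pw; /* EAX */

    for (;;) {
        unsigned char c = p[0];          /* mov dl,[ebp] ; mov cl,dl      */
        if (c != q[0])                   /* cmp dl,[eax] ; jnz 0051A8FA   */
            return c < q[0] ? -1 : 1;    /* sbb eax,eax ; sbb eax,-1      */
        if (c == 0)                      /* test cl,cl ; je 0051A8F6      */
            return 0;                    /* xor eax,eax                   */

        c = p[1];                        /* mov dl,[ebp+1] ; mov cl,dl    */
        if (c != q[1])                   /* cmp dl,[eax+1] ; jnz 0051A8FA */
            return c < q[1] ? -1 : 1;
        p += 2;                          /* add ebp,2                     */
        q += 2;                          /* add eax,2                     */
        if (c == 0)                      /* test cl,cl ; jnz 0051A8D5     */
            return 0;                    /* fall through to xor eax,eax   */
    }
}

/* Decision taken at 0051A8C5/0051A901: `force` is an assumed stand-in for
 * the EBX flag; when it is non-zero the compare is skipped and the value is
 * written unconditionally, otherwise only a changed password is written. */
static int should_write_password(int force, const char *old_pw, const char *new_pw)
{
    if (force)
        return 1;                        /* jnz short 0051A903 */
    return password_compare(old_pw, new_pw) != 0;
}

int main(void)
{
    /* constructed sample values, not taken from any real account */
    const char *old_pw = "hunter2";
    const char *same   = "hunter2";
    const char *changed = "hunter3";

    printf("compare(old, same)    = %d\n", password_compare(old_pw, same));
    printf("compare(old, changed) = %d\n", password_compare(old_pw, changed));
    printf("write when unchanged  = %d\n", should_write_password(0, old_pw, same));
    printf("write when changed    = %d\n", should_write_password(0, old_pw, changed));
    return 0;
}
```

The two-bytes-per-pass shape is why the listing has a second `mov dl,[ebp+1]` / `cmp dl,[eax+1]` pair before the pointers advance; a plain byte-at-a-time `strcmp` would give the same result, which is the only thing the caller at 0051A901 cares about.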
The following is an analysis of the 0048A980 function.
0051A931 |. E8 4A00F7FF CALL B2.0048A980; encrypt the new password.
0048A980 /$ B8 00800000 mov eax, 8000
0048A985 |. E8 268F0F00 CALL B2.005838B0; stack probe for the 0x8000-byte local buffer
0048A98A |. 8B8424 088000> mov eax, dword ptr ss: [ESP + 8008]; EAX New Password
0048A991 |. 56 PUSH ESI
0048A992 |. 8038 00 cmp byte ptr ds: [EAX], 0; check whether the new password is empty
0048A995 |. 75 14