
I am currently working with the 8051 in school, and at home I am working with the x86. Right now I am reversing a game and trying to access an address. The problem is that the address is XORed. Normally I can find the keys easily, but now I am a little bit confused and cannot find the XOR key. Could someone explain to me what they are doing here? I tried to build the key and got:

^ 0xCDDEED);

It seems to be wrong. Here is the code:

.text:0052DCF5                 mov     ecx, [esi+0D2164h] <--- esi is a pointer to an instance of what they call objectmanager
.text:0052DCFB                 mov     [esp+1Ch+var_18], ecx
.text:0052DCFF                 mov     dl, byte ptr [esp+1Ch+var_18+2]
.text:0052DD03                 mov     al, byte ptr [esp+1Ch+var_18+3]
.text:0052DD07                 xor     byte ptr [esp+1Ch+var_18+1], 0DEh
.text:0052DD0C                 xor     cl, 0ECh
.text:0052DD0F                 xor     dl, 0D2h
.text:0052DD12                 xor     al, 0Fh
.text:0052DD14                 xor     cl, 1
.text:0052DD17                 xor     dl, 1Fh
.text:0052DD1A                 not     al
.text:0052DD1C                 mov     byte ptr [esp+1Ch+var_18], cl
.text:0052DD20                 mov     byte ptr [esp+1Ch+var_18+2], dl
.text:0052DD24                 mov     byte ptr [esp+1Ch+var_18+3], al
.text:0052DD28                 cmp     [esp+1Ch+var_18], 0
.text:0052DD2D                 jz      short loc_52DD46
.text:0052DD2F                 push    6EBh

I saw this part:

.text:0052DD07                 xor     byte ptr [esp+1Ch+var_18+1], 0DEh
.text:0052DD0C                 xor     cl, 0ECh
.text:0052DD0F                 xor     dl, 0D2h
.text:0052DD12                 xor     al, 0Fh
.text:0052DD14                 xor     cl, 1
.text:0052DD17                 xor     dl, 1Fh
.text:0052DD1A                 not     al
.text:0052DD1C                 mov     byte ptr [esp+1Ch+var_18], cl
.text:0052DD20                 mov     byte ptr [esp+1Ch+var_18+2], dl
.text:0052DD24                 mov     byte ptr [esp+1Ch+var_18+3], al

and tried to go like this:

.text:0052DD1C                 mov     byte ptr [esp+1Ch+var_18], cl <-- Key 3 = .text:0052DD0C                 xor     cl, 0ECh
.text:0052DD20                 mov     byte ptr [esp+1Ch+var_18+2], dl <-- Key 2 = .text:0052DD0F                 xor     dl, 0D2h
.text:0052DD24                 mov     byte ptr [esp+1Ch+var_18+3], al <-- key 1 = .text:0052DD12                 xor     al, 0Fh

But that also failed. Normally I am used to XORing like this:

.text:01410C95                 mov     eax, dword_1B8F6DC <--- contains ptr to the same objectmanager
.text:01410C9A                 mov     [esp+1Ch+var_C], eax
.text:01410C9E                 xor     byte ptr [esp+1Ch+var_C+2], 35h<-- key 2
.text:01410CA3                 xor     byte ptr [esp+1Ch+var_C+1], 14h<-- key 3
.text:01410CA8                 xor     byte ptr [esp+1Ch+var_C+3], 17h <-- key 1
.text:01410CAD                 mov     cl, al
.text:01410CAF                 xor     cl, 6Ah<-- key 4
.text:01410CB2                 mov     byte ptr [esp+1Ch+var_C], cl
.text:01410CB6                 cmp     [esp+1Ch+var_C], 0
.text:01410CBB                 jnz     short loc_1410CD6

So here I would get: XOR key = 0x1735146A

Could someone help me with the first one and its weird XORing?

Peter Cordes
Artur K.
  • There's a whole [stackexchange site for reverse engineering](http://reverseengineering.stackexchange.com/). This may be too broad there, too, though. Can you clarify exactly what it is you're trying to figure out? – Peter Cordes Jun 20 '16 at 02:19

1 Answer

It appears to be a super-complicated way to check that ecx == some constant, since in the end it compares it with zero and branches. (XOR only produces a zero result when both inputs are the same.) I don't see it getting used as a pointer, unless that comes later if it's not NULL.

Why don't you just single-step through this code when it runs, and record the initial value loaded into ecx and the final value in [esp+1Ch+var_18]? The XOR of those two 32-bit values is the key, since the initial value will cancel out, leaving just the bits that are flipped by the intervening instructions. By definition, that is the XOR key.

Peter Cordes
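The following is an added example, not code from the question or from the game being reversed. It emulates the two byte-wise decode sequences from the listings above on a plain 32-bit value and then applies the method from the answer (XOR the value going in with the value coming out) to recover the key. Two details that the first listing hides are made explicit: the byte offsets (`var_18`, `+1`, `+2`, `+3`) are the little-endian bytes of the dword, and `not al` is the same as `xor al, 0FFh`, so it contributes 0xFF to the top byte of the key. Applied to the first listing this gives 0xF0CDDEED; applied to the second it reproduces the 0x1735146A from the question. Whether the decoded dword is then used as a pointer or compared as a constant, as the answer discusses, does not change the key recovery.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not code from the question or the game). It emulates the
 * two byte-wise decode sequences from the listings and recovers the 32-bit
 * XOR key with the recipe from the answer: key = initial ^ final. */

/* Split a dword into its little-endian stack bytes and back. */
static void to_bytes(uint32_t v, uint8_t b[4])
{
    b[0] = (uint8_t)v;
    b[1] = (uint8_t)(v >> 8);
    b[2] = (uint8_t)(v >> 16);
    b[3] = (uint8_t)(v >> 24);
}

static uint32_t from_bytes(const uint8_t b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Sequence at 0052DCF5..0052DD24: ecx is the dword loaded from [esi+0D2164h]. */
uint32_t decode_52dcf5(uint32_t ecx)
{
    uint8_t b[4];
    to_bytes(ecx, b);               /* mov [esp+1Ch+var_18], ecx */
    uint8_t cl = b[0];              /* cl is the low byte of ecx */
    uint8_t dl = b[2];              /* mov dl, byte ptr [var_18+2] */
    uint8_t al = b[3];              /* mov al, byte ptr [var_18+3] */
    b[1] ^= 0xDE;                   /* xor byte ptr [var_18+1], 0DEh */
    cl ^= 0xEC;                     /* xor cl, 0ECh */
    dl ^= 0xD2;                     /* xor dl, 0D2h */
    al ^= 0x0F;                     /* xor al, 0Fh */
    cl ^= 0x01;                     /* xor cl, 1 */
    dl ^= 0x1F;                     /* xor dl, 1Fh */
    al = (uint8_t)~al;              /* not al  (same as xor al, 0FFh) */
    b[0] = cl;                      /* mov byte ptr [var_18],   cl */
    b[2] = dl;                      /* mov byte ptr [var_18+2], dl */
    b[3] = al;                      /* mov byte ptr [var_18+3], al */
    return from_bytes(b);           /* the dword that cmp ..., 0 looks at */
}

/* Sequence at 01410C95..01410CB2, the "normal" form from the question. */
uint32_t decode_1410c95(uint32_t eax)
{
    uint8_t b[4];
    to_bytes(eax, b);               /* mov [esp+1Ch+var_C], eax */
    b[2] ^= 0x35;                   /* xor byte ptr [var_C+2], 35h */
    b[1] ^= 0x14;                   /* xor byte ptr [var_C+1], 14h */
    b[3] ^= 0x17;                   /* xor byte ptr [var_C+3], 17h */
    uint8_t cl = b[0] ^ 0x6A;       /* mov cl, al ; xor cl, 6Ah */
    b[0] = cl;                      /* mov byte ptr [var_C], cl */
    return from_bytes(b);
}

/* The answer's recipe: XOR the value going in with the value coming out. */
uint32_t recover_key(uint32_t (*decode)(uint32_t), uint32_t sample)
{
    return sample ^ decode(sample);
}

/* A sequence made only of xor/not gives the same key for every input. If this
 * returns 0, the routine also does adds, rotates or similar, and a single
 * "initial ^ final" from one run is not the whole transform. */
int key_is_input_independent(uint32_t (*decode)(uint32_t))
{
    const uint32_t samples[] = { 0x00000000u, 0xFFFFFFFFu, 0x12345678u, 0xDEADBEEFu };
    uint32_t k0 = recover_key(decode, samples[0]);
    for (size_t i = 1; i < sizeof samples / sizeof samples[0]; i++)
        if (recover_key(decode, samples[i]) != k0)
            return 0;
    return 1;
}

int main(void)
{
    printf("key for 0052DCF5: 0x%08X (input independent: %d)\n",
           recover_key(decode_52dcf5, 0), key_is_input_independent(decode_52dcf5));
    printf("key for 01410C95: 0x%08X (input independent: %d)\n",
           recover_key(decode_1410c95, 0), key_is_input_independent(decode_1410c95));
    return 0;
}
```

The `key_is_input_independent` check is the practical caveat when reading a key off a single-stepped run: it only works as a plain XOR key if every instruction between the load and the compare is an xor or not. Once you have the key, `decode_52dcf5(0xF0CDDEED)` is 0, which is exactly the case the `cmp ..., 0` / `jz` pair is testing for.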