;#####################################################################
; a commented listing of the interesting part of the protection scheme
;#####################################################################

03FD ; 
03FD 
03FD ;		    S u	b r o u	t i n e
03FD ; Attributes: bp-based frame
03FD 
03FD sub_77A8_3FD    proc far		    ; CODE XREF: sub_77A8_2309+501p
03FD 
03FD var_366	    = byte ptr -366h
03FD var_26A	    = byte ptr -26Ah
03FD var_266	    = byte ptr -266h
03FD var_264	    = byte ptr -264h
03FD var_262	    = byte ptr -262h
03FD var_25C	    = byte ptr -25Ch
03FD var_25A	    = byte ptr -25Ah
03FD var_230	    = byte ptr -230h
03FD var_206	    = byte ptr -206h
03FD var_202	    = byte ptr -202h
03FD var_16A	    = byte ptr -16Ah
03FD var_166	    = byte ptr -166h
03FD var_164	    = byte ptr -164h
03FD var_162	    = byte ptr -162h
03FD var_15C	    = byte ptr -15Ch
03FD var_15A	    = byte ptr -15Ah
03FD var_13E	    = byte ptr -13Eh
03FD var_13C	    = byte ptr -13Ch
03FD var_134	    = byte ptr -134h
03FD var_130	    = byte ptr -130h
03FD var_12E	    = byte ptr -12Eh
03FD var_124	    = byte ptr +FEDC
03FD var_120	    = byte ptr +FEE0
03FD var_116	    = byte ptr +FEEA
03FD var_114	    = byte ptr +FEEC
03FD var_112	    = byte ptr +FEEE
03FD var_110	    = byte ptr -110h
03FD var_10E	    = byte ptr -10Eh
03FD var_10C	    = byte ptr -10Ch
03FD var_10A	    = byte ptr -10Ah
03FD var_106	    = byte ptr -106h
03FD var_104	    = byte ptr -104h
03FD var_102	    = byte ptr -102h
03FD var_3E	    = byte ptr -3Eh
03FD var_3C	    = byte ptr -3Ch
03FD var_34	    = byte ptr -34h
03FD var_2E	    = byte ptr -2Eh
03FD var_24	    = byte ptr -24h
03FD var_20	    = byte ptr -20h
03FD var_16	    = byte ptr -16h
03FD var_14	    = byte ptr -14h
03FD var_12	    = byte ptr -12h
03FD var_10	    = byte ptr -10h
03FD var_E	    = byte ptr -0Eh
03FD var_C	    = byte ptr -0Ch
03FD var_A	    = byte ptr -0Ah
03FD var_6	    = byte ptr -6
03FD var_4	    = word ptr -4
03FD var_1	    = byte ptr -1
03FD arg_0	    = word ptr	6
03FD 
03FD		    push    bp
03FE		    mov	    bp,	sp
0400		    sub	    sp,	366h
0404		    mov	    [bp+var_1],	0
0408		    lea	    di,	[bp+var_206]
040C		    push    ss
040D		    push    di
040E		    mov	    di,	153Ah
0411		    push    ds
0412		    push    di
0413		    call    sub_1708_F72
0418		    lea	    di,	[bp+var_106]
041C		    push    ss
041D		    push    di
041E		    lea	    di,	[bp+var_6]
0421		    push    ss
0422		    push    di
0423		    mov	    di,	0
0426		    push    cs
0427		    push    di
0428		    call    sub_1708_F72
042D		    mov	    ax,	79C1h
0430		    xor	    dx,	dx
0432		    push    dx
0433		    push    ax
0434		    mov	    ax,	2D79h
0437		    mov	    dx,	0BABEh
043A		    push    dx
043B		    push    ax
043C		    call    sub_10F1_1A72
0441		    call    sub_1708_FF1
0446		    mov	    di,	58EAh
0449		    push    ds
044A		    push    di
044B		    mov	    ax,	45h ; 'E'
044E		    push    ax
044F		    call    sub_1708_F8C
0454		    mov	    byte_192F_52, 1
0459		    mov	    di,	58EAh
045C		    push    ds
045D		    push    di
045E		    mov	    ax,	20h ; ' '
0461		    push    ax
0462		    mov	    di,	0BF20h
0465		    push    ds
0466		    push    di
0467		    call    sub_1637_154
046C		    cmp	    word_192F_E482, 0
0471		    jnz	    loc_77A8_481
0473		    mov	    ax,	word_192F_BF3A
0476		    mov	    dx,	word_192F_BF3C
047A		    mov	    word_192F_54, ax
047D		    mov	    word_192F_56, dx
0481 
0481 loc_77A8_481:			    ; CODE XREF: sub_77A8_3FD+74j
0481		    mov	    di,	[bp+arg_0]
0484		    add	    di,	0FEFEh
0488		    push    ss
0489		    push    di
048A		    mov	    di,	58EAh
048D		    push    ds
048E		    push    di
048F		    call    sub_1708_B0F
0494		    mov	    di,	[bp+arg_0]
0497		    add	    di,	0FEFEh
049B		    push    ss
049C		    push    di
049D		    mov	    ax,	20h ; ' '
04A0		    push    ax
04A1		    call    sub_1637_F0
04A6		    call    sub_1708_4ED
04AB		    mov	    word_192F_17DA, ax
04AE		    mov	    di,	[bp+arg_0]
04B1		    add	    di,	0FEFEh
04B5		    push    ss
04B6		    push    di
04B7		    mov	    ax,	162h
04BA		    push    ax
04BB		    call    sub_1708_B4A
04C0		    call    sub_1708_4ED
04C5		    mov	    word_192F_17DA, ax
04C8		    cmp	    word_192F_17DA, 0
04CD		    jz	    loc_77A8_4D2
04CF		    jmp	    loc_77A8_22A2
04D2 ; ---------------------------------------------------------------------------
04D2 
04D2 loc_77A8_4D2:			    ; CODE XREF: sub_77A8_3FD+D0j
04D2		    mov	    ax,	162h
04D5		    push    ax
04D6		    call    sub_1708_28A
04DB		    mov	    di,	[bp+arg_0]
04DE		    mov	    ss:[di-106h], ax
04E3		    mov	    ss:[di-104h], dx
04E8		    mov	    word ptr ss:[general_checksum1], 0FFFFh
04EF		    mov	    word ptr ss:[general_checksum2], 0FFFFh
04F6		    xor	    ax,	ax
04F8		    mov	    ss:[di-12Ch], ax
04FD		    mov	    ss:[di-12Ah], ax
0502		    mov	    current_buffer, 1
0508		    jmp	    short loc_77A8_50E
050A ; ---------------------------------------------------------------------------
050A 
050A main_loop:			    ; CODE XREF: sub_77A8_3FD+503j
050A		    inc	    current_buffer
050E 
050E loc_77A8_50E:			    ; CODE XREF: sub_77A8_3FD+10Bj
050E		    mov	    di,	[bp+arg_0]
0511		    les	    di,	ss:[di-106h]
0516		    push    es
0517		    push    di
0518		    mov	    ax,	162h  ;number of bytes
051B		    push    ax
051C		    mov	    al,	0
051E		    push    ax
051F		    call    sub_1708_2232
0524		    mov	    di,	[bp+arg_0]
0527		    add	    di,	0FEFEh
052B		    push    ss
052C		    push    di
052D		    mov	    di,	[bp+arg_0]
0530		    les	    di,	ss:[di-106h]
0535		    push    es
0536		    push    di
0537		    call    sub_1708_BFF   ; read 162 bytes
053C		    add	    sp,	4
053F		    call    sub_1708_4ED
0544		    mov	    word_192F_17D6, ax
0547		    mov	    di,	[bp+arg_0]
054A		    les	    di,	ss:[di-106h]
054F		    seges
054F		    lea	    ax,	[di+15Dh]
0554		    mov	    [bp+var_4],	ax
0557		    mov	    di,	[bp+arg_0]
055A		    les	    di,	ss:[di-106h]
055F		    mov	    ax,	di
0561		    cmp	    ax,	[bp+var_4]
0564		    ja	    loc_77A8_5D2
0566		    mov	    pointer_in_buffer, ax
0569		    jmp	    short loc_77A8_56F
056B ; ---------------------------------------------------------------------------
056B ; here ONLY bytes 0 to 15D are checked for the checksum 
056B next_char:	
056B		    inc	    pointer_in_buffer
056F 
056F loc_77A8_56F:			    ; CODE XREF: sub_77A8_3FD+16Cj
056F		    mov	    di,	[bp+arg_0]
0572		    les	    di,	ss:[di-106h]
0577		    mov	    ax,	es
0579		    push    ax
057A		    mov	    di,	pointer_in_buffer
057E		    pop	    es
057F		    mov	    al,	es:[di]   ; read char
0582		    push    ax
0583		    mov	    di,	[bp+arg_0]
0586		    push    word ptr ss:[general_checksum2]
058B		    push    word ptr ss:[general_checksum1]
0590		    pop	    bx
0591		    pop	    dx
0592		    pop	    cx
0593		    push    dx
0594		    push    bx
0595		    xor	    bx,	cx
0597		    xor	    bh,	bh
0599		    shl	    bx,	1
059B		    shl	    bx,	1
059D                add     bx, beginning_of_crypt_tab
05A1		    mov	    ax,	[bx]
05A3		    mov	    cx,	[bx+2]
05A6		    pop	    bx
05A7		    pop	    dx
05A8		    push    cx
05A9		    mov	    cx,	8
05AC 
05AC loc_77A8_5AC:			    ; CODE XREF: sub_77A8_3FD+1B3j
05AC		    shr	    dx,	1
05AE		    rcr	    bx,	1
05B0		    loop    loc_77A8_5AC
05B2		    and	    dx,	0FFh
05B6		    pop	    cx
05B7		    xor	    ax,	bx
05B9		    mov	    bx,	cx
05BB		    xor	    dx,	bx
05BD		    mov	    di,	[bp+arg_0]
05C0		    mov	    ss:[general_checksum1], ax
05C5		    mov	    ss:[general_checksum2], dx
05CA		    mov	    ax,	pointer_in_buffer
05CD                cmp     ax, [bp+var_4] ;0x15D
05D0		    jnz	    next_char
05D2 
05D2 loc_77A8_5D2:			    ; CODE XREF: sub_77A8_3FD+167j
05D2		    cmp	    current_buffer, 1
05D7                jnz     test_buffer#2
05D9		    mov	    di,	[bp+arg_0]
05DC		    les	    di,	ss:[di-106h]
05E1		    mov	    ax,	es
05E3		    push    ax
05E4		    mov	    di,	[bp+arg_0]
05E7		    les	    di,	ss:[di-106h]
05EC		    seges
05EC		    lea	    di,	[di+0Bh]
05F0		    pop	    es
05F1                cmp     byte ptr es:[di], 46h ; 'F' detect cracked key
05F5		    jnz	    loc_77A8_638
05F7		    mov	    di,	[bp+arg_0]
05FA		    les	    di,	ss:[di-106h]
05FF		    mov	    ax,	es
0601		    push    ax
0602		    mov	    di,	[bp+arg_0]
0605		    les	    di,	ss:[di-106h]
060A		    seges
060A		    lea	    di,	[di+1Bh]
060E		    pop	    es
060F                cmp     byte ptr es:[di], 2Fh ; '/' detect cracked key
0613		    jnz	    loc_77A8_638
0615		    mov	    di,	[bp+arg_0]
0618		    les	    di,	ss:[di-106h]
061D		    mov	    ax,	es
061F		    push    ax
0620		    mov	    di,	[bp+arg_0]
0623		    les	    di,	ss:[di-106h]
0628		    seges
0628		    lea	    di,	[di+14h]
062C		    pop	    es
062D                cmp     byte ptr es:[di], 2Eh ; '.' detect cracked key
0631		    jnz	    loc_77A8_638
0633                call    sub_2A8_4D    ;error with your key file :-)
0638 
0638 loc_77A8_638:			    ; CODE XREF: sub_77A8_3FD+1F8j
0638					    ; sub_77A8_3FD+216j ...
0638                jmp     end_of_mainloop
063B ; ---------------------------------------------------------------------------
063B 
063B test_buffer#2:                      ; CODE XREF: sub_77A8_3FD+1DAj
063B		    cmp	    current_buffer, 2
0640                jz      buffer#2
0642		    jmp	    test_buffer#5
0645 ; ---------------------------------------------------------------------------
0645 
0645 buffer#2:                          ; CODE XREF: sub_77A8_3FD+243j
0645		    mov	    di,	[bp+arg_0]
0648		    les	    di,	ss:[di-106h]
064D		    mov	    ax,	es
064F		    push    ax
0650		    mov	    di,	[bp+arg_0]
0653		    les	    di,	ss:[di-106h]
0658		    mov	    di,	di
065A		    pop	    es
065B		    mov	    al,	es:[di]
065E                mov     first_byte_buff#2, al
0661		    mov	    di,	[bp+arg_0]
0664		    les	    di,	ss:[di-106h]
0669		    mov	    ax,	es
066B		    push    ax
066C		    mov	    di,	[bp+arg_0]
066F		    les	    di,	ss:[di-106h]
0674		    seges
0674		    lea	    di,	[di+1]
0678		    pop	    es
0679		    mov	    al,	es:[di]
067C                cmp     al, first_byte_buff#2
0680		    jnz	    loc_77A8_6F5
0682		    mov	    di,	[bp+arg_0]
0685		    les	    di,	ss:[di-106h]
068A		    mov	    ax,	es
068C		    push    ax
068D		    mov	    di,	[bp+arg_0]
0690		    les	    di,	ss:[di-106h]
0695		    seges
0695		    lea	    di,	[di+2]
0699		    pop	    es
069A		    mov	    al,	es:[di]
069D                cmp     al, first_byte_buff#2
06A1                jnz     buf#2_seems_ok
06A3		    mov	    di,	[bp+arg_0]
06A6		    les	    di,	ss:[di-106h]
06AB		    mov	    ax,	es
06AD		    push    ax
06AE		    mov	    di,	[bp+arg_0]
06B1		    les	    di,	ss:[di-106h]
06B6		    seges
06B6		    lea	    di,	[di+3]
06BA		    pop	    es
06BB		    mov	    al,	es:[di]
06BE                cmp     al, first_byte_buff#2
06C2                jnz     buf#2_seems_ok
06C4		    mov	    di,	[bp+arg_0]
06C7		    les	    di,	ss:[di-106h]
06CC		    mov	    ax,	es
06CE		    push    ax
06CF		    mov	    di,	[bp+arg_0]
06D2		    les	    di,	ss:[di-106h]
06D7		    seges
06D7		    lea	    di,	[di+4]
06DB		    pop	    es
06DC		    mov	    al,	es:[di]
06DF                cmp     al, first_byte_buff#2
06E3                jnz     buf#2_seems_ok
06E5		    mov	    di,	[bp+arg_0]

; bytes 0 to 4 are equal in buff#2 : fuck off, lamer
; gonna bogus that checksum !
06E8		    add	    word ptr ss:[general_checksum1], 329h
06EF		    adc	    word ptr ss:[general_checksum2], 0
06F5 
06F5 buf#2_seems_ok:                          ; CODE XREF: sub_77A8_3FD+283j
06F5					    ; sub_77A8_3FD+2A4j ...
06F5                jmp     end_of_mainloop
06F8 ; ---------------------------------------------------------------------------
06F8 
06F8 test_buffer#5:			    ; CODE XREF: sub_77A8_3FD+245j
06F8		    cmp	    current_buffer, 5
06FD		    jz	    buffer#5
06FF		    jmp	    loc_77A8_79F
0702 ; ---------------------------------------------------------------------------
0702 
0702 buffer#5:			    ; CODE XREF: sub_77A8_3FD+300j
0702		    mov	    di,	[bp+arg_0]
0705		    les	    di,	ss:[di-106h]
070A                mov     ax, es:[buf_crc1]
070F                mov     dx, es:[buf_crc2]
0714		    call    sub_1708_170B
0719		    mov	    di,	[bp+arg_0]
071C		    mov	    ss:[di+FEEA], ax
0721		    mov	    ss:[di+FEEC], bx
0726		    mov	    ss:[di+FEEE], dx
072B		    mov	    ax,	ss:[di+FEEA]
0730		    mov	    bx,	ss:[di+FEEC]
0735		    mov	    dx,	ss:[di+FEEE]
073A		    xor	    cx,	cx
073C		    xor	    si,	si
073E		    xor	    di,	di
0740		    call    sub_1708_1707
0745		    jnb	    loc_77A8_778
0747		    mov	    di,	[bp+arg_0]
074A		    mov	    ax,	ss:[di+FEEA]
074F		    mov	    bx,	ss:[di+FEEC]
0754		    mov	    dx,	ss:[di+FEEE]
0759		    mov	    cx,	81h ; ''
075C		    xor	    si,	si
075E		    mov	    di,	8000h
0761		    call    sub_1708_16F7
0766		    mov	    di,	[bp+arg_0]
0769		    mov	    ss:[di+FEEA], ax
076E		    mov	    ss:[di+FEEC], bx
0773		    mov	    ss:[di+FEEE], dx
0778 
0778 loc_77A8_778:			    ; CODE XREF: sub_77A8_3FD+348j
0778		    mov	    di,	[bp+arg_0]
077B		    mov	    ax,	ss:[di+FEEA]
0780		    mov	    bx,	ss:[di+FEEC]
0785		    mov	    dx,	ss:[di+FEEE]
078A		    mov	    di,	[bp+arg_0]
078D		    mov	    ss:[di+FEDE], ax
0792		    mov	    ss:[di+FEE0], bx
0797		    mov	    ss:[di+FEE2], dx
079C                jmp     end_of_mainloop
079F ; ---------------------------------------------------------------------------
079F 
079F loc_77A8_79F:			    ; CODE XREF: sub_77A8_3FD+302j
079F		    cmp	    current_buffer, 0Bh
07A4		    jz	    buffer#0B
07A6                jmp     end_of_mainloop
07A9 ; ---------------------------------------------------------------------------
07A9 
07A9 buffer#0B:			    
     ; first check the equality of 5 bytes from 12C
07A9		    mov	    di,	[bp+arg_0]
07AC		    les	    di,	ss:[di-106h]
07B1		    mov	    ax,	es
07B3		    push    ax
07B4		    mov	    di,	[bp+arg_0]
07B7		    les	    di,	ss:[di-106h]
07BC		    seges
07BC		    lea	    di,	[di+12Ch]
07C1		    pop	    es
07C2		    mov	    al,	es:[di]
07C5                mov     byte_buf_0B, al ; byte [12c]of buf 0B is the "model"
07C8		    mov	    di,	[bp+arg_0]
07CB		    les	    di,	ss:[di-106h]
07D0		    mov	    ax,	es
07D2		    push    ax
07D3		    mov	    di,	[bp+arg_0]
07D6		    les	    di,	ss:[di-106h]
07DB		    seges
07DB		    lea	    di,	[di+12Dh]
07E0		    pop	    es
07E1		    mov	    al,	es:[di] ;checking 12c against 12D
07E4                cmp     al, byte_buf_0B
07E8		    jnz	    loc_77A8_860
07EA		    mov	    di,	[bp+arg_0]
07ED		    les	    di,	ss:[di-106h]
07F2		    mov	    ax,	es
07F4		    push    ax
07F5		    mov	    di,	[bp+arg_0]
07F8		    les	    di,	ss:[di-106h]
07FD		    seges
07FD		    lea	    di,	[di+12Eh]
0802		    pop	    es
0803		    mov	    al,	es:[di]
0806                cmp     al, byte_buf_0B
080A		    jnz	    loc_77A8_860
080C		    mov	    di,	[bp+arg_0]
080F		    les	    di,	ss:[di-106h]
0814		    mov	    ax,	es
0816		    push    ax
0817		    mov	    di,	[bp+arg_0]
081A		    les	    di,	ss:[di-106h]
081F		    seges
081F		    lea	    di,	[di+12Fh]
0824		    pop	    es
0825		    mov	    al,	es:[di]
0828                cmp     al, byte_buf_0B
082C		    jnz	    loc_77A8_860
082E		    mov	    di,	[bp+arg_0]
0831		    les	    di,	ss:[di-106h]
0836		    mov	    ax,	es
0838		    push    ax
0839		    mov	    di,	[bp+arg_0]
083C		    les	    di,	ss:[di-106h]
0841		    seges
0841		    lea	    di,	[di+130h]
0846		    pop	    es
0847		    mov	    al,	es:[di]
084A                cmp     al, byte_buf_0B
084E		    jnz	    loc_77A8_860
0850		    mov	    di,	[bp+arg_0]

; in short, checksum is destroyed if
; bytes 12C to 130 are equal....

0853		    add	    word ptr ss:[general_checksum1], 192h
085A		    adc	    word ptr ss:[general_checksum2], 0
0860 
0860 loc_77A8_860:			    ; CODE XREF: sub_77A8_3FD+3EBj
0860					    ; sub_77A8_3FD+40Dj ...
0860		    mov	    di,	[bp+arg_0]
0863		    les	    di,	ss:[di-106h]
0868		    mov	    ax,	es
086A		    push    ax
086B		    mov	    di,	[bp+arg_0]
086E		    les	    di,	ss:[di-106h]
0873		    seges
0873		    lea	    di,	[di+15Ah]
0878		    pop	    es

;    now,check if [15A,15D]= "_d+"
;    if so---> get out

0879		    cmp	    byte ptr es:[di], 0DCh ; '_'
087D		    jnz	    still_right_sucker
087F		    mov	    di,	[bp+arg_0]
0882		    les	    di,	ss:[di-106h]
0887		    mov	    ax,	es
0889		    push    ax
088A		    mov	    di,	[bp+arg_0]
088D		    les	    di,	ss:[di-106h]
0892		    seges
0892		    lea	    di,	[di+15Bh]
0897		    pop	    es
0898		    cmp	    byte ptr es:[di], 64h ; 'd'
089C		    jnz	    still_right_sucker
089E		    mov	    di,	[bp+arg_0]
08A1		    les	    di,	ss:[di-106h]
08A6		    mov	    ax,	es
08A8		    push    ax
08A9		    mov	    di,	[bp+arg_0]
08AC		    les	    di,	ss:[di-106h]
08B1		    seges
08B1		    lea	    di,	[di+15Ch]
08B6		    pop	    es
08B7		    cmp	    byte ptr es:[di], 0D9h ; '+'
08BB		    jnz	    still_right_sucker
08BD		    mov	    di,	[bp+arg_0]
08C0		    les	    di,	ss:[di-106h]
08C5		    mov	    ax,	es
08C7		    push    ax
08C8		    mov	    di,	[bp+arg_0]
08CB		    les	    di,	ss:[di-106h]
08D0		    seges
08D0		    lea	    di,	[di+15Dh]
08D5		    pop	    es
08D6		    cmp	    byte ptr es:[di], 0E9h ; ''
08DA		    jnz	    still_right_sucker
08DC		    call    sub_2A8_4D  ; error with your key file, sucker !
08E1 
08E1 still_right_sucker:			    
08E1					    
08E1		    mov	    di,	[bp+arg_0]
08E4		    mov	    word ptr ss:[di-11Ch], 4890h
08EB		    mov	    word ptr ss:[di-11Ah], 3AE1h
08F2		    mov	    word ptr ss:[di-118h], 60C8h
08F9 
08F9 end_of_mainloop:                          
08F9		    cmp	    current_buffer, 0Bh
08FE		    jz	    final_compare
0900		    jmp	    main_loop
0903 ; ---------------------------------------------------------------------------
0903 
0903 final_compare:			    
0903		    mov	    di,	[bp+arg_0]
0906		    mov	    ax,	ss:[general_checksum1]
090B		    mov	    dx,	ss:[general_checksum2]
0910		    les	    di,	ss:[di-106h]
0915                cmp     dx, es:[buf_crc2] ; the bytes 15E-161 of the #0B buffer
091A		    jnz	    failed
091C                cmp     ax, es:[buf_crc1]
0921		    jnz	    failed
0923		    cmp	    word_192F_17D6, 0
0928		    jz	    wanna_be_nice_buyer
092A 
092A failed:			    
092A		    jmp	    beggar_off
092D ; ---------------------------------------------------------------------------
092D 
092D wanna_be_nice_buyer:			    ; CODE XREF: sub_77A8_3FD+52Bj
092D		    mov	    di,	[bp+arg_0]
0930		    mov	    ax,	ss:[general_checksum1]
0935		    mov	    dx,	ss:[general_checksum2]
093A		    mov	    word_192F_12D0, ax
093D		    mov	    word_192F_12D2, dx
0941		    add	    di,	0FEFEh
0945		    push    ss
0946		    push    di
0947		    call    sub_1708_BCB
094C		    call    sub_1708_4F4
0951		    mov	    di,	[bp+arg_0]
0954		    add	    di,	0FEFEh
0958		    push    ss
0959		    push    di
095A		    mov	    ax,	162h
095D		    push    ax
095E		    call    sub_1708_B4A
0963		    call    sub_1708_4F4
0968		    mov	    nb_buf_read, 1
096E		    jmp	    short loc_77A8_974
0970 ; ---------------------------------------------------------------------------
0970 
0970 loc_77A8_970:			    ; CODE XREF: sub_77A8_3FD+59Cj
0970		    inc	    nb_buf_read
0974 
0974 loc_77A8_974:			    ; CODE XREF: sub_77A8_3FD+571j
0974		    mov	    di,	[bp+arg_0]
0977		    add	    di,	0FEFEh
097B		    push    ss
097C		    push    di
097D		    mov	    di,	[bp+arg_0]
0980		    les	    di,	ss:[di-106h]
0985		    push    es
0986		    push    di
0987		    call    sub_1708_BFF ;read 162 bytes
098C		    add	    sp,	4
098F		    call    sub_1708_4F4 
0994		    cmp	    nb_buf_read, 4 ; have we read 4 buffers ?
0999		    jnz	    loc_77A8_970   ; no, continue
099B		    mov	    di,	[bp+arg_0]
099E		    add	    di,	0FEFEh
09A2		    push    ss
09A3		    push    di
09A4		    call    sub_1708_BCB
09A9		    call    sub_1708_4F4
09AE		    mov	    di,	[bp+arg_0]
09B1		    les	    di,	ss:[di-106h]
09B6		    seges
09B6		    lea	    ax,	[di+161h]
09BB		    mov	    [bp+var_4],	ax
09BE		    mov	    di,	[bp+arg_0]
09C1		    les	    di,	ss:[di-106h]
09C6		    seges
09C6		    lea	    ax,	[di+5Bh]  ; ax=5B : beginning of the interesting area.
09CA		    cmp	    ax,	[bp+var_4]; end of this area ?
09CD		    ja	    loc_77A8_A0A
09CF		    mov	    pointer_in_buffer, ax
09D2		    jmp	    short loc_77A8_9D8
09D4 ; ---------------------------------------------------------------------------
09D4 ; here each byte of [5B,161] is succesively xored with FF, and four times with
     ; a value calculated by a "random generator" initialized
     ; with a base stored in random_base1&2.
09D4 loc_77A8_9D4:			    ; CODE XREF: sub_77A8_3FD+60Bj
09D4		    inc	    pointer_in_buffer
09D8 
09D8 loc_77A8_9D8:			    ; CODE XREF: sub_77A8_3FD+5D5j
09D8		    mov	    di,	[bp+arg_0]
09DB		    les	    di,	ss:[di-106h]
09E0		    mov	    ax,	es
09E2		    push    ax
09E3		    mov	    di,	pointer_in_buffer
09E7		    pop	    es
09E8		    mov	    al,	es:[di]
09EB		    xor	    al,	0FFh  ; [5B,161] is xored with ff
09ED		    mov	    dl,	al
09EF		    mov	    di,	[bp+arg_0]
09F2		    les	    di,	ss:[di-106h]
09F7		    mov	    ax,	es
09F9		    push    ax
09FA		    mov	    di,	pointer_in_buffer
09FE		    pop	    es
09FF		    mov	    es:[di], dl ;restore xored value
0A02		    mov	    ax,	pointer_in_buffer
0A05		    cmp	    ax,	[bp+var_4]
0A08		    jnz	    loc_77A8_9D4
0A0A 
0A0A loc_77A8_A0A:			    ; CODE XREF: sub_77A8_3FD+5D0j
0A0A		    mov	    random_base1, 7 
0A10		    mov	    random_base2, 0
0A16		    mov	    di,	[bp+arg_0]
0A19		    les	    di,	ss:[di-106h]
0A1E		    seges
0A1E		    lea	    ax,	[di+161h]
0A23		    mov	    [bp+var_4],	ax
0A26		    mov	    di,	[bp+arg_0]
0A29		    les	    di,	ss:[di-106h]
0A2E		    seges
0A2E		    lea	    ax,	[di+5Bh]
0A32		    cmp	    ax,	[bp+var_4]
0A35		    ja	    loc_77A8_A7F
0A37		    mov	    pointer_in_buffer, ax
0A3A		    jmp	    short loc_77A8_A40
0A3C ; ---------------------------------------------------------------------------
0A3C 
0A3C loc_77A8_A3C:			    ; CODE XREF: sub_77A8_3FD+680j
0A3C		    inc	    pointer_in_buffer
0A40 
0A40 loc_77A8_A40:			    ; CODE XREF: sub_77A8_3FD+63Dj
0A40		    mov	    ax,	100h ; random will be <100
0A43		    push    ax
0A44		    call    get_random_in_DL
0A49		    mov	    dx,	ax
0A4B		    mov	    di,	[bp+arg_0]
0A4E		    les	    di,	ss:[di-106h]
0A53		    mov	    ax,	es
0A55		    push    ax
0A56		    mov	    di,	pointer_in_buffer
0A5A		    pop	    es
0A5B		    mov	    al,	es:[di]
0A5E		    xor	    ah,	ah
0A60		    xor	    ax,	dx
0A62		    mov	    dl,	al
0A64		    mov	    di,	[bp+arg_0]
0A67		    les	    di,	ss:[di-106h]
0A6C		    mov	    ax,	es
0A6E		    push    ax
0A6F		    mov	    di,	pointer_in_buffer
0A73		    pop	    es
0A74		    mov	    es:[di], dl
0A77		    mov	    ax,	pointer_in_buffer
0A7A		    cmp	    ax,	[bp+var_4]
0A7D		    jnz	    loc_77A8_A3C
0A7F 
0A7F loc_77A8_A7F:			    ; CODE XREF: sub_77A8_3FD+638j
0A7F		    mov	    random_base1, 325Ch
0A85		    mov	    random_base2, 0
0A8B		    mov	    di,	[bp+arg_0]
0A8E		    les	    di,	ss:[di-106h]
0A93		    seges
0A93		    lea	    ax,	[di+161h]
0A98		    mov	    [bp+var_4],	ax
0A9B		    mov	    di,	[bp+arg_0]
0A9E		    les	    di,	ss:[di-106h]
0AA3		    seges
0AA3		    lea	    ax,	[di+5Bh]
0AA7		    cmp	    ax,	[bp+var_4]
0AAA		    ja	    loc_77A8_AF4
0AAC		    mov	    pointer_in_buffer, ax
0AAF		    jmp	    short loc_77A8_AB5
0AB1 ; ---------------------------------------------------------------------------
0AB1 
0AB1 loc_77A8_AB1:			    ; CODE XREF: sub_77A8_3FD+6F5j
0AB1		    inc	    pointer_in_buffer
0AB5 
0AB5 loc_77A8_AB5:			    ; CODE XREF: sub_77A8_3FD+6B2j
0AB5		    mov	    ax,	100h
0AB8		    push    ax
0AB9		    call    get_random_in_DL
0ABE		    mov	    dx,	ax
0AC0		    mov	    di,	[bp+arg_0]
0AC3		    les	    di,	ss:[di-106h]
0AC8		    mov	    ax,	es
0ACA		    push    ax
0ACB		    mov	    di,	pointer_in_buffer
0ACF		    pop	    es
0AD0		    mov	    al,	es:[di]
0AD3		    xor	    ah,	ah
0AD5		    xor	    ax,	dx
0AD7		    mov	    dl,	al
0AD9		    mov	    di,	[bp+arg_0]
0ADC		    les	    di,	ss:[di-106h]
0AE1		    mov	    ax,	es
0AE3		    push    ax
0AE4		    mov	    di,	pointer_in_buffer
0AE8		    pop	    es
0AE9		    mov	    es:[di], dl
0AEC		    mov	    ax,	pointer_in_buffer
0AEF		    cmp	    ax,	[bp+var_4]
0AF2		    jnz	    loc_77A8_AB1
0AF4 
0AF4 loc_77A8_AF4:			    ; CODE XREF: sub_77A8_3FD+6ADj
0AF4		    mov	    random_base1, 904h
0AFA		    mov	    random_base2, 33EEh
0B00		    mov	    di,	[bp+arg_0]
0B03		    les	    di,	ss:[di-106h]
0B08		    seges
0B08		    lea	    ax,	[di+161h]
0B0D		    mov	    [bp+var_4],	ax
0B10		    mov	    di,	[bp+arg_0]
0B13		    les	    di,	ss:[di-106h]
0B18		    seges
0B18		    lea	    ax,	[di+5Bh]
0B1C		    cmp	    ax,	[bp+var_4]
0B1F		    ja	    loc_77A8_B69
0B21		    mov	    pointer_in_buffer, ax
0B24		    jmp	    short loc_77A8_B2A
0B26 ; ---------------------------------------------------------------------------
0B26 
0B26 loc_77A8_B26:			    ; CODE XREF: sub_77A8_3FD+76Aj
0B26		    inc	    pointer_in_buffer
0B2A 
0B2A loc_77A8_B2A:			    ; CODE XREF: sub_77A8_3FD+727j
0B2A		    mov	    ax,	100h
0B2D		    push    ax
0B2E		    call    get_random_in_DL
0B33		    mov	    dx,	ax
0B35		    mov	    di,	[bp+arg_0]
0B38		    les	    di,	ss:[di-106h]
0B3D		    mov	    ax,	es
0B3F		    push    ax
0B40		    mov	    di,	pointer_in_buffer
0B44		    pop	    es
0B45		    mov	    al,	es:[di]
0B48		    xor	    ah,	ah
0B4A		    xor	    ax,	dx
0B4C		    mov	    dl,	al
0B4E		    mov	    di,	[bp+arg_0]
0B51		    les	    di,	ss:[di-106h]
0B56		    mov	    ax,	es
0B58		    push    ax
0B59		    mov	    di,	pointer_in_buffer
0B5D		    pop	    es
0B5E		    mov	    es:[di], dl
0B61		    mov	    ax,	pointer_in_buffer
0B64		    cmp	    ax,	[bp+var_4]
0B67		    jnz	    loc_77A8_B26
0B69 
0B69  ; now the area [5B,161] is fully decrypted
      ; a checksum is performed on [5B,15D] & compared with the bytes [15E,161]
      ; note: similar algo as the "general" checksum (with crypt tab)

0B69		    mov	    di,	[bp+arg_0]
      ; initialize the checksum
0B6C		    mov	    word ptr ss:[general_checksum1], 0FFFFh
0B73		    mov	    word ptr ss:[general_checksum2], 0FFFFh
0B7A		    les	    di,	ss:[di-106h]
0B7F		    seges
0B7F		    lea	    ax,	[di+15Dh]
0B84		    mov	    [bp+var_4],	ax
0B87		    mov	    di,	[bp+arg_0]
0B8A		    les	    di,	ss:[di-106h]
0B8F		    seges
0B8F		    lea	    ax,	[di+5Bh]
0B93		    cmp	    ax,	[bp+var_4]
0B96		    ja	    loc_77A8_C04
0B98		    mov	    pointer_in_buffer, ax
0B9B		    jmp	    short loc_77A8_BA1
0B9D ; ---------------------------------------------------------------------------
0B9D 
0B9D next_char_2		
0B9D		    inc	    pointer_in_buffer
0BA1 loc_77A8_BA1:		
0BA1		    mov	    di,	[bp+arg_0]
0BA4		    les	    di,	ss:[di-106h]
0BA9		    mov	    ax,	es
0BAB		    push    ax
0BAC		    mov	    di,	pointer_in_buffer
0BB0		    pop	    es
0BB1		    mov	    al,	es:[di]
0BB4		    push    ax
0BB5		    mov	    di,	[bp+arg_0]
0BB8		    push    word ptr ss:[general_checksum2]
0BBD		    push    word ptr ss:[general_checksum1]
0BC2		    pop	    bx
0BC3		    pop	    dx
0BC4		    pop	    cx
0BC5		    push    dx
0BC6		    push    bx
0BC7		    xor	    bx,	cx
0BC9		    xor	    bh,	bh
0BCB		    shl	    bx,	1
0BCD		    shl	    bx,	1
0BCF                add     bx, beginning_of_crypt_tab
0BD3		    mov	    ax,	[bx]
0BD5		    mov	    cx,	[bx+2]
0BD8		    pop	    bx
0BD9		    pop	    dx
0BDA		    push    cx
0BDB		    mov	    cx,	8
0BDE 
0BDE loc_77A8_BDE:			    
0BDE		    shr	    dx,	1
0BE0		    rcr	    bx,	1
0BE2		    loop    loc_77A8_BDE
0BE4		    and	    dx,	0FFh
0BE8		    pop	    cx
0BE9		    xor	    ax,	bx
0BEB		    mov	    bx,	cx
0BED		    xor	    dx,	bx
0BEF		    mov	    di,	[bp+arg_0]
0BF2		    mov	    ss:[general_checksum1], ax
0BF7		    mov	    ss:[general_checksum2], dx
0BFC		    mov	    ax,	pointer_in_buffer
0BFF		    cmp	    ax,[bp+var_4]
0C02		    jnz	    next_char_2
0C04 
0C04 loc_77A8_C04:			    
0C04		    mov	    di,[bp+arg_0]
0C07		    les	    di,ss:[di-106h]
0C0C                mov     ax, es:[buf_crc1]  ; here it's the decrypted checksum of buf#4
0C11                mov     dx, es:[buf_crc2]
0C16		    mov	    di,	[bp+arg_0]
0C19		    cmp	    dx,	ss:[general_checksum2] ; the calculated one
0C1E		    jnz	    loc_77A8_C27
0C20		    cmp	    ax,	ss:[general_checksum1]
0C25		    jz	    loc_77A8_C2D
0C27 
0C27 loc_77A8_C27:			    ; CODE XREF: sub_77A8_3FD+821j
0C27		    jmp	    beggar_off
0C27 ; ---------------------------------------------------------------------------
0C2A		    db 0E9h ; 
0C2B		    db	95h ; 
0C2C		    db	  0 ;  
0C2D ; ---------------------------------------------------------------------------
0C2D 
0C2D loc_77A8_C2D:			    ; CODE XREF: sub_77A8_3FD+828j
0C2D		    mov	    di,	[bp+arg_0]
0C30		    mov	    ax,	ss:[general_checksum1] ;of buffer 4
0C35		    mov	    dx,	ss:[general_checksum2]
0C3A		    call    sub_1708_170B
0C3F		    mov	    di,	[bp+arg_0]
0C42		    mov	    ss:[di+FEEA], ax
0C47		    mov	    ss:[di+FEEC], bx
0C4C		    mov	    ss:[di+FEEE], dx
0C51		    mov	    ax,	ss:[di+FEEA]  ; very useful....
0C56		    mov	    bx,	ss:[di+FEEC]  ; this is why progs are overbloated ;-)
0C5B		    mov	    dx,	ss:[di+FEEE]
0C60		    xor	    cx,	cx
0C62		    xor	    si,	si
0C64		    xor	    di,	di
0C66		    call    sub_1708_1707
0C6B		    jnb	    loc_77A8_C9E
0C6D		    mov	    di,	[bp+arg_0]
0C70		    mov	    ax,	ss:[di+FEEA]
0C75		    mov	    bx,	ss:[di+FEEC]
0C7A		    mov	    dx,	ss:[di+FEEE]
0C7F		    mov	    cx,	81h ; ''
0C82		    xor	    si,	si
0C84		    mov	    di,	8000h
0C87		    call    sub_1708_16F7
0C8C		    mov	    di,	[bp+arg_0]
0C8F		    mov	    ss:[di+FEEA], ax
0C94		    mov	    ss:[di+FEEC], bx
0C99		    mov	    ss:[di+FEEE], dx
0C9E 
0C9E loc_77A8_C9E:			    ; CODE XREF: sub_77A8_3FD+86Ej
0C9E		    mov	    di,	[bp+arg_0]
0CA1		    mov	    ax,	ss:[di+FEEA]
0CA6		    mov	    bx,	ss:[di+FEEC]
0CAB		    mov	    dx,	ss:[di+FEEE]
0CB0		    mov	    di,	[bp+arg_0]
0CB3		    mov	    ss:[di+FED8], ax
0CB8		    mov	    ss:[di+FEDA], bx
0CBD		    mov	    ss:[di+FEDC], dx
0CC2		    mov	    di,	[bp+arg_0]
0CC5		    mov	    word ptr ss:[di-110h], 3081h
0CCC		    mov	    word ptr ss:[di+FEEA], 1F8Eh
0CD3		    mov	    word ptr ss:[di+FEEC], 0EB85h
0CDA		    mov	    word ptr ss:[di+FEEE], 197Ch
0CE1		    mov	    ax,	ss:[di+FEEA]
0CE6		    mov	    bx,	ss:[di+FEEC]
0CEB		    mov	    dx,	ss:[di+FEEE]
0CF0		    mov	    cx,	5684h
0CF3		    mov	    si,	0AE7Dh
0CF6		    mov	    di,	23B6h
0CF9		    call    sub_1708_16F7
0CFE		    mov	    di,	[bp+arg_0]
0D01		    mov	    ss:[di+FEEA], ax
0D06		    mov	    ss:[di+FEEC], bx
0D0B		    mov	    ss:[di+FEEE], dx
0D10		    mov	    ax,	ss:[di+FED8]
0D15		    mov	    bx,	ss:[di+FEDA]
0D1A		    mov	    dx,	ss:[di+FEDC]
0D1F		    mov	    cx,	84h ; ''
0D22		    xor	    si,	si
0D24		    mov	    di,	2000h
0D27		    call    sub_1708_16E5
0D2C		    mov	    di,	[bp+arg_0]
0D2F		    mov	    cx,	ss:[di+FEDE]
0D34		    mov	    si,	ss:[di+FEE0]
0D39		    mov	    di,	ss:[di+FEE2]
0D3E		    call    sub_1708_1707  ; would be great if it gave 0!(never for me)
0D43		    jz	    ooooh_nice_buyer
0D45		    mov	    di,	[bp+arg_0]
0D48		    mov	    ax,	ss:[di+FED8]
0D4D		    mov	    bx,	ss:[di+FEDA]
0D52		    mov	    dx,	ss:[di+FEDC]
0D57		    mov	    cx,	84h ; ''
0D5A		    xor	    si,	si
0D5C		    mov	    di,	2000h
0D5F		    call    sub_1708_16EB
0D64		    mov	    di,	[bp+arg_0]
0D67		    mov	    cx,	ss:[di+FEDE] ; this is computed with
0D6C		    mov	    si,	ss:[di+FEE0] ; the checksum of #5 buffer
0D71		    mov	    di,	ss:[di+FEE2]
0D76		    call    sub_1708_1707 ;-------> this time it MUST give ZERO
0D7B		    jnz	    set_a_fucking_mess
0D7D 
0D7D ooooh_nice_buyer:			    
0D7D		    mov	    di,	[bp+arg_0]
0D80		    mov	    word ptr ss:[di+FEEA], 5C8Bh
0D87		    mov	    word ptr ss:[di+FEEC], 0C28Fh
0D8E		    mov	    word ptr ss:[di+FEEE], 1A2Dh
0D95		    mov	    ax,	ss:[di+FEEA]
0D9A		    mov	    bx,	ss:[di+FEEC]
0D9F		    mov	    dx,	ss:[di+FEEE]
0DA4		    mov	    cx,	1784h
0DA7		    mov	    si,	5048h
0DAA		    mov	    di,	61FCh
0DAD		    call    sub_1708_16F7
0DB2		    mov	    di,	[bp+arg_0]
0DB5		    mov	    ss:[di+FEEA], ax
0DBA		    mov	    ss:[di+FEEC], bx
0DBF		    mov	    ss:[di+FEEE], dx
0DC4		    jmp	    short prepare_integrity_call
0DC6 ; ---------------------------------------------------------------------------
0DC6 
0DC6 set_a_fucking_mess:

	; this trashes everything
	; causing an infinite loop in integrity_check
			    
0DC6		    mov	    di,	[bp+arg_0]
0DC9		    mov	    ax,	ss:[di-11Ch]
0DCE		    mov	    bx,	ss:[di-11Ah]
0DD3		    mov	    dx,	ss:[di-118h]
0DD8		    mov	    cx,	1F8Eh  ;oh why do you do this, nasty author ?
0DDB		    mov	    si,	0EB85h
0DDE		    mov	    di,	197Ch
0DE1		    call    sub_1708_16F7
0DE6		    mov	    di,	[bp+arg_0]
0DE9		    mov	    ss:[di-11Ch], ax
0DEE		    mov	    ss:[di-11Ah], bx
0DF3		    mov	    ss:[di-118h], dx
0DF8 
0DF8 prepare_integrity_call:			    
0DF8		    mov	    di,	[bp+arg_0]
0DFB		    add	    di,	0FF80h
0DFF		    push    ss
0E00		    push    di
0E01		    mov	    di,	[bp+arg_0]
0E04		    push    word ptr ss:[di+FEE2]
0E09		    push    word ptr ss:[di+FEE0]
0E0E		    push    word ptr ss:[di+FEDE]
0E13		    push    word ptr ss:[di-118h]
0E18		    push    word ptr ss:[di-11Ah]
0E1D		    push    word ptr ss:[di-11Ch]
0E22		    push    word ptr ss:[di+FEDC]
0E27		    push    word ptr ss:[di+FEDA]
0E2C		    push    word ptr ss:[di+FED8]
	; integrity check call:
0E31		    call    sub_2A8_3E
0E36                cmp     byte_buf_0B, 0  ; seems always OK !
0E3B		    jz	    loc_77A8_E40
0E3D		    jmp	    beggar_off
0E40 ; ---------------------------------------------------------------------------
0E40 
0E40 loc_77A8_E40:			    ; CODE XREF: sub_77A8_3FD+A3Ej
0E40		    mov	    di,	[bp+arg_0]
0E4A		    mov	    word ptr ss:[di-132h], 4E75h
; if you land here, it will reg.
.......
etc....
.......
22A7 beggar_off:			    ; CODE XREF: sub_77A8_3FD+52Dj
22A7					    ; sub_77A8_3FD+82Aj ...
22A7		    mov	    sp,	bp
22A9		    pop	    bp
22AA		    retf    2
22AA sub_77A8_3FD    endp
