View Full Version : Dissassembly
Swimmer
June 9th, 2007, 14:35
I was given this program. It closes notepad.exe.
I would like to get it to a form that Masm 6.14 can assemble.
I don't think it's a PE because Ollydbg locked up on it.
And it may not use the usual Win 32 APIs to search for it in memory.
Can some help me ?
It was given to me as a batch file which output a .com file and then renamed
it to a .exe.
It works fine, though it could use some error checking.
Thanks.
idata:00401000 ;
.idata:00401000 ;
+-------------------------------------------------------------------------+
.idata:00401000 ; ¦ This file is generated by The Interactive Disassembler (IDA)
¦
.idata:00401000 ; ¦ Copyright (c) 2002 by DataRescue sa/nv, <ida@datarescue.com>
¦
.idata:00401000 ; ¦ Licensed to: Freeware version
¦
.idata:00401000 ;
+-------------------------------------------------------------------------+
.idata:00401000 ;
.idata:00401000 ; File Name : E:\Bat\killnp.exe
.idata:00401000 ; Format : Portable executable for IBM PC (PE)
.idata:00401000 ; Section 1. (virtual address 00001000)
.idata:00401000 ; Virtual size : 000002B8 ( 696.)
.idata:00401000 ; Section size in file : 00000200 ( 512.)
.idata:00401000 ; Offset to raw data for section: 00000200
.idata:00401000 ; Flags E0000020: Text Executable Readable Writable
.idata:00401000 ; Alignment : 16 bytes ?
.idata:00401000 ;
.idata:00401000 ; Imports from KERNEL32.dll
.idata:00401000 ;
.idata:00401000
.idata:00401000 model flat
.idata:00401000
.idata:00401000 ;
---------------------------------------------------------------------------
.idata:00401000
.idata:00401000 ; Segment type: Externs
.idata:00401000 ; _idata
.idata:00401000 extrn ExitProcess:dword ; DATA XREF: .text:00401171r
.idata:00401004 extrn CreateToolhelp32Snapshot:dword
.idata:00401004 ; DATA XREF: .text:004010F6r
.idata:00401008 ; BOOL __stdcall CloseHandle(HANDLE hObject)
.idata:00401008 extrn CloseHandle:dword ; DATA XREF: .text:00401152r
.idata:00401008 ; .text:00401169r
.idata:0040100C extrn Process32First:dword ; DATA XREF:
.text:00401111r
.idata:00401010 extrn Process32Next:dword ; DATA XREF:
.text:0040115Er
.idata:00401014 ; HANDLE __stdcall OpenProcess(DWORD dwDesiredAccess,BOOL
bInheritHandle,DWORD dwProcessId)
.idata:00401014 extrn OpenProcess:dword ; DATA XREF: .text:0040113Er
.idata:00401018 ; BOOL __stdcall TerminateProcess(HANDLE hProcess,UINT uExitCode)
.idata:00401018 extrn TerminateProcess:dword ; DATA XREF:
.text:0040114Cr
.idata:0040101C
.idata:0040101C
.text:00401020 ;
---------------------------------------------------------------------------
.text:00401020
.text:00401020 ; Segment type: Pure code
.text:00401020 _text segment para public 'CODE' use32
.text:00401020 assume cs:_text
.text:00401020 ;org 401020h
.text:00401020 assume es:nothing, ss:nothing, ds:nothing, fs:nothing,
gs:nothing
.text:00401020 dd 1056h, 2 dup(0), 1048h, 1000h, 5 dup(0), 4E52454Bh
.text:00401020 dd 32334C45h, 6C6C642Eh, 10760000h, 10840000h,
10A00000h
.text:00401020 dd 10AE0000h, 10C00000h, 10D00000h, 10DE0000h, 2 dup(0)
.text:00401020 dd 74697845h, 636F7250h, 737365h, 72430000h, 65746165h
.text:00401020 dd 6C6F6F54h, 706C6568h, 6E533233h, 68737061h, 746Fh,
6C430000h
.text:00401020 dd 4865736Fh, 6C646E61h, 65h, 636F7250h, 33737365h,
72694632h
.text:00401020 dd 7473h, 72500000h, 7365636Fh, 4E323373h, 747865h,
704F0000h
.text:00401020 dd 72506E65h, 7365636Fh, 73h, 6D726554h, 74616E69h,
6F725065h
.text:00401020 dd 73736563h
.text:004010F0 db 2 dup(0)
.text:004010F2 ;
---------------------------------------------------------------------------
.text:004010F2
.text:004010F2 public start
.text:004010F2 start:
.text:004010F2 push 0
.text:004010F4 push 2
.text:004010F6 call ds:CreateToolhelp32Snapshot
.text:004010FC mov ebp, eax
.text:004010FE inc eax
.text:004010FF jz short loc_40116F
.text:00401101 mov ds:dword_401190, 128h
.text:0040110B push offset dword_401190
.text:00401110 push eax
.text:00401111 call ds:Process32First
.text:00401117 or eax, eax
.text:00401119 jz short loc_401168
.text:0040111B
.text:0040111B loc_40111B: ; CODE XREF: .text:00401166j
.text:0040111B mov esi, offset dword_4011B4
.text:00401120 mov edi, offset aNnootteeppaadd ;
"NnOoTtEePpAaDd..EeXxEe"
.text:00401125
.text:00401125 loc_401125: ; CODE XREF: .text:00401132j
.text:00401125 cmpsb
.text:00401126 jz short loc_40112D
.text:00401128 dec esi
.text:00401129 cmpsb
.text:0040112A jnz short loc_401158
.text:0040112C dec edi
.text:0040112D
.text:0040112D loc_40112D: ; CODE XREF: .text:00401126j
.text:0040112D inc edi
.text:0040112E test byte ptr [edi-1], 0FFh
.text:00401132 jnz short loc_401125
.text:00401134 push ds:dword_401198
.text:0040113A push 0
.text:0040113C push 1
.text:0040113E call ds:OpenProcess
.text:00401144 or eax, eax
.text:00401146 jz short loc_401168
.text:00401148 push eax
.text:00401149 push 0
.text:0040114B push eax
.text:0040114C call ds:TerminateProcess
.text:00401152 call ds:CloseHandle
.text:00401158
.text:00401158 loc_401158: ; CODE XREF: .text:0040112Aj
.text:00401158 push offset dword_401190
.text:0040115D push ebp
.text:0040115E call ds:Process32Next
.text:00401164 or eax, eax
.text:00401166 jnz short loc_40111B
.text:00401168
.text:00401168 loc_401168: ; CODE XREF: .text:00401119j
.text:00401168 ; .text:00401146j
.text:00401168 push ebp
.text:00401169 call ds:CloseHandle
.text:0040116F
.text:0040116F loc_40116F: ; CODE XREF: .text:004010FFj
.text:0040116F push 0
.text:00401171 call ds:ExitProcess
.text:00401171 ;
---------------------------------------------------------------------------
.text:00401177 aNnootteeppaadd db 'NnOoTtEePpAaDd..EeXxEe',0 ; DATA XREF:
.text:00401120o
.text:0040118E align 4
.text:00401190 dword_401190 dd 0 ; DATA XREF: .text:00401101w
.text:00401190 ; .text:0040110Bo ...
.text:00401194 align 8
.text:00401198 dword_401198 dd 0 ; DATA XREF: .text:00401134r
.text:0040119C dd 6 dup(0)
.text:004011B4 dword_4011B4 dd 13h dup(0) ; DATA XREF: .text:0040111Bo
.text:00401200 dd 2Eh dup(?)
.text:00401200 _text ends
.text:00401200
.text:00401200
.text:00401200 end start
evlncrn8
June 9th, 2007, 17:09
of course its PE.. see the api calls? and ida also saying its PE!
its simple, it enumerates through the processes, looking for 'notepad.exe' (though the string in that one is a bit fucked up..), it then does an
openprocess on the process id, then terminates
not rocket science..
disassembly looks shit too, are u sure u know how to use ida?
esther
June 10th, 2007, 01:04
Tested 2 versions of ollydbg(V1.09d and 1.10) it didn't "LOCKED" up.
Swimmer
June 10th, 2007, 01:36
Quote:
| [Originally Posted by esther;66290]Tested 2 versions of ollydbg(V1.09d and 1.10) it didn't "LOCKED" up. |
< I would like to get it to a form that Masm 6.14 can assemble. >
This is what I posted, can you help with that ?
blabberer
June 10th, 2007, 10:10
Quote:
[Originally Posted by evlncrn8;66279]
disassembly looks shit too, are u sure u know how to use ida? |
what do you mean by that ?
blurcode
June 10th, 2007, 10:39
Propably some of the data is code.
blabberer
June 10th, 2007, 11:58
thats what i queried
they didnt look like code to me at first sight that is the import table if you notice a little bit deeply you will see the first thunk pointers a string kernel32.dll and the other imports in there
probably used /merge .text erw linker switch and the complete import table is sitting there in its raw form
thats how ida shows them as far as i have seen inspite of it knowing exactly what is it and doing a pretty good job of resolving the imports too
thats what i dont like with ida it cant make the life easier but expects one to know a bit of magic to use it
it could have simply interspersed a hex view up there or collapsed it knowing that it is import table and not give
dd 123
dd 345
dd you press d
dd you press c
dd you write idc
dd you write plugin
dd you get lost in maze
for others to make wild guesses
Swimmer
June 10th, 2007, 16:25
Quote:
| [Originally Posted by blabberer;66300]what do you mean by that ? |
He's just complaining.
Hope you have a good Sunday.
Reckin' not many use masm anymore.
Swimmer
June 10th, 2007, 16:27
Quote:
| [Originally Posted by esther;66290]Tested 2 versions of ollydbg(V1.09d and 1.10) it locked up like you said. |
Thanks for verifying it.
esther
June 13th, 2007, 04:42
Ok guys I still have problems terminating the process of the exe.I have included the compiled exe.Anyone would kindly help? (pls scanned the attachment to comfirmed its clean from virus blah blah)
.586
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\masm32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\advapi32.lib
.data
FileName db "NnOoTtEePpAaDd..EeXxEe",0
handle dd ?
.data?
hSnapshot HANDLE ?
processInfo PROCESSENTRY32 <>
.code
start:
invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
mov hSnapshot,eax
inc eax
je @end
mov processInfo.dwSize, sizeof PROCESSENTRY32
invoke Process32First, hSnapshot, addr processInfo
or eax,eax
je @close
@name:
mov esi,403048h
mov edi,offset FileName
@compare:
cmpsb
dec esi
cmpsb
jne @test
dec edi
@carryon:
inc edi
TEST BYTE PTR DS:[EDI-1],0FFh
jne @compare
push 000
push 001
call OpenProcess
or eax, eax
jne @close
push eax
push 000
push eax
invoke TerminateProcess,handle,0
invoke CloseHandle,handle
@test:
invoke Process32Next, hSnapshot, addr processInfo
or eax, eax
jnz @name
@close:
call CloseHandle
@end:
invoke ExitProcess, 0
End start
Swimmer
June 13th, 2007, 06:44
Thanks Esther.
Some more info that may help. I have the .exe and could upload it for help in the analysis.
The file started as some sort of script that built a .com file
and then was made into a .exe file.
It has no virus or malware.
Swimmer
June 14th, 2007, 07:50
A SAFE PROGRAM
Hackman.exe shows this text, but I didn't see it using OllyDbg. Is there a setting I need to set ?
MASM code (works with Ver. 6.14)
; esther.asm Supposed to end notepad.exe
;
; Help from H.K.,Frank,
; Currently not working
;
.586
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\masm32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\advapi32.lib
.data
org 401020h ; SECRET TEXT Hackman shows it
dd 1056h, 2 dup(0), 1048h, 1000h, 5 dup(0), 4E52454Bh
dd 32334C45h, 6C6C642Eh, 10760000h, 10840000h, 10A00000h
dd 10AE0000h, 10C00000h, 10D00000h, 10DE0000h, 2 dup(0)
dd 74697845h, 636F7250h, 737365h, 72430000h, 65746165h
dd 6C6F6F54h, 706C6568h, 6E533233h, 68737061h, 746Fh, 6C430000h
dd 4865736Fh, 6C646E61h, 65h, 636F7250h, 33737365h, 72694632h
dd 7473h, 72500000h, 7365636Fh, 4E323373h, 747865h, 704F0000h
dd 72506E65h, 7365636Fh, 73h, 6D726554h, 74616E69h, 6F725065h
dd 73736563h
db 2 dup(0)
FileName db "NnOoTtEePpAaDd..EeXxEe",0
handle dd ?
dword_4011B4 dd 13h dup(0)
dd 2Eh dup(?)
.data?
hSnapshot HANDLE ?
processInfo PROCESSENTRY32 <>
.code
start:
invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
mov hSnapshot,eax
inc eax
je @end
mov processInfo.dwSize, sizeof PROCESSENTRY32
invoke Process32First, hSnapshot, addr processInfo
or eax,eax
je @close
@name:
mov esi,offset 403048h
mov edi,offset FileName
@compare:
cmpsb
jz @carryon
dec esi
cmpsb
jne @test
dec edi
@carryon:
inc edi
TEST BYTE PTR DS:[EDI-1],0FFh
jne @compare
push 000
push 001
call OpenProcess
or eax, eax
jne @close
push eax
push 000
push eax
invoke TerminateProcess,handle,0
invoke CloseHandle,handle
@test:
invoke Process32Next, hSnapshot, addr processInfo
or eax, eax
jnz @name
@close:
call CloseHandle
@end:
invoke ExitProcess, 0
End start
blabberer
June 14th, 2007, 10:15
Quote:
Ok guys I still have problems terminating the process of the exe.I have included the compiled exe.Anyone would kindly help? (pls scanned the attachment to comfirmed its clean from virus blah blah)
|
you assembled it from the ida disassassembly esther ?
im not sure what you mean by terminate the program
but i think it may be linked with you not passing the right handle to CloseHandle()
where are you filling up the handle first ?
also if that is the handle from OpenProcess() your asm code doesnt seem to be saving it
swimmer
though your query doesnt make much sense i think you are asking if you can reassemble the asm spit by ida i think ?
if thats your question on most circumstances it is a big no
on small uncomplicated exes it is a yes
if reassembling the disassembly is your main request you should check out
bengalys pvdasm (pvdasm.reverse-engineering.net) he supports one such feature in his disassembler or another product thats named rosasm claims to have a reassembly feature
not sure about results i have not tried both
last of all zip up the com exe bat whatever and attach it let me see whats up with it in ollydbg
Swimmer
June 14th, 2007, 10:54
Thanks.
I have attached the file.
I will check out the bengalys pvdasm advice.
esther
June 14th, 2007, 11:20
hi blabber,
Sorry I don't have ida,I'm using olly to debug my "code" comparing with the "original exe"(coz I'm not sure if its the same exe that swimmer mention).As you can see my "code" is very similar to what swimmer posted the ida list.you can say I copied from there.you can try debug it and have a go
(Sorry for messy code.I'm a newbie in coding heh)I have upload the batch file and the original one.
==================================================
swimmer you mistook blabber's question,he wants the original.exe.
And what you upload has errors.*invalid handle error".get the latest compiler in masm32.cjb.net
later
Swimmer
June 14th, 2007, 11:42
Sorry I misunderstood.
Save this as a bat file and run it. It makes it.
:: makkillnp.bat Terminates notepad.exe
::
:: Makes killnp.exe Written by Herbert Kleebauer
::
:: THIS MAKES AN EXECUTABLE PROGRAM !! (1024 bytes)
:: Ollydbg can't handle this !!
:: but IDA Pro can.
::
::
@echo off
echo hD1X-s0P_kUHP0UxGWX4ax1y1ieimnfeinklddmemkjanmndnadmndnpbbn>killnp.com
echo hhpbbnpljhoxolnhaigidpllnbkdnhlkfhlflefblffahfUebdfahhfkokh>>killnp.com
echo wvPp0wvw2k9C5/R/pN0d0uzw27bwo1YinDEWtbGov5//B6mkuMEo0IL0l/w>>killnp.com
echo ef2iC57R/pNEA/jeefHhC5AR/pNEA/juefXgC5ER/phCfDM@m042knfuurO>>killnp.com
echo k0GAV4Bd4M03U337lzzT/M0MF0/NV7U9V2Tcf2/EP1B61i0kInVsIOXJ57o>>killnp.com
echo x57hJKNo0mQjpKNWx5Nt0mRcx57dB67nFLOgl57pBLOiR573xoIgoU1WJ6R>>killnp.com
echo UUKOn01QmxqNm4KPU7LNlJLOmJqQUQJOiBXAioU1Y//I4R/H03//EZLdqMl>>killnp.com
echo 0U2k20gE/4k//1MF1m2V3E707H/o0E7V/6EU45EU46/W31MF02M00EQ/3H/>>killnp.com
echo l0EMF0EMV1U/l0cMlIEQ/7KcV@oJ5So80i1703G7U31MF2UQ/sKwXREQ/VE>>killnp.com
echo Q/cEQUfEQ/kEQ/oEQUrEMF0K0V48U33G/V4JgIFGtIFABXAiE5PgRUREQ/V>>killnp.com
echo EQ/cEQUfEQ/kEQ/oEQUrEMl04VLOo0ZQjBKNnBb328LNVFLNIxqPgVKNg0r>>killnp.com
echo AmAZPV0rQcx5RHA3PjBLN74aPYlKNG/ZQjBKNnBrAmMIOmB6RH/ZQjBKNnB>>killnp.com
echo rAmsINsFb3D0LNi0ZQjBKNnBb3IJaQhZaPVFLNE8rPXJqQnRUO/ca/zL00E>>killnp.com
echo /3/8KAEotql4/N3/0/90Q/OE50E//pzJk/3/0E1/HLHyGP3/0kjr40E/M9R>>killnp.com
echo 4sYdplmH6NzFzzTRlzTBM50E/c5/e4kzJE03/0E1/H67Ed5/ExT4M/0E/wT>>killnp.com
echo 47/0E/U5YF/3/JxT4E/0E/Y/kpBPJzL01E/3/e0kzJ//3/0UHixoPIFLFZ0>>killnp.com
echo 4Q045FYtW@4J5KsJINK7LN.>>killnp.com
echo on
killnp.com>killnp.exe
del killnp.com
blabberer
June 14th, 2007, 12:58
esther
this is what ollydbg dissassembles it like
Code:
00401000 > . FD98E777 DD kernel32.ExitProcess
00401004 > . D12EE977 DD kernel32.CreateToolhelp32Snapsho>
00401008 > . F0A6E777 DD kernel32.CloseHandle
0040100C > . 5B5CEB77 DD kernel32.Process32First
00401010 > . AF5DEB77 DD kernel32.Process32Next
00401014 > . 232EE777 DD kernel32.OpenProcess
00401018 > . B816E677 DD kernel32.TerminateProcess
0040101C . 00000000 DD 00000000
00401020 . 56100000 DD 00001056 ; Struct 'IMAGE_IMPORT_DESCRIPTOR'
00401024 . 00000000 DD 00000000
00401028 . 00000000 DD 00000000
0040102C . 48100000 DD 00001048
00401030 . 00100000 DD 00001000
00401034 . 00000000 DD 00000000 ; Struct 'IMAGE_IMPORT_DESCRIPTOR'
00401038 . 00000000 DD 00000000
0040103C . 00000000 DD 00000000
00401040 . 00000000 DD 00000000
00401044 . 00000000 DD 00000000
00401048 . 4B 45 52 4E 4>ASCII "KERNEL32.dll",0
00401055 00 DB 00
00401056 . 76100000 DD 00001076 ; Import lookup table for 'KERNEL32.dll'
0040105A . 84100000 DD 00001084
0040105E . A0100000 DD 000010A0
00401062 . AE100000 DD 000010AE
00401066 . C0100000 DD 000010C0
0040106A . D0100000 DD 000010D0
0040106E . DE100000 DD 000010DE
00401072 . 00000000 DD 00000000
00401076 . 0000 DW 0000
00401078 . 45 78 69 74 5>ASCII "ExitProcess",0
00401084 . 0000 DW 0000
00401086 . 43 72 65 61 7>ASCII "CreateToolhelp32"
00401096 . 53 6E 61 70 7>ASCII "Snapshot",0
0040109F . 00 DB 00
004010A0 . 0000 DW 0000
004010A2 . 43 6C 6F 73 6>ASCII "CloseHandle",0
004010AE . 0000 DW 0000
004010B0 . 50 72 6F 63 6>ASCII "Process32First",0
004010BF . 00 DB 00
004010C0 . 0000 DW 0000
004010C2 . 50 72 6F 63 6>ASCII "Process32Next",0
004010D0 . 0000 DW 0000
004010D2 . 4F 70 65 6E 5>ASCII "OpenProcess",0
004010DE . 0000 DW 0000
004010E0 . 54 65 72 6D 6>ASCII "TerminateProcess"
004010F0 . 00 ASCII 0
004010F1 . 00 DB 00
004010F2 >/$ 6A 00 PUSH 0 ; /ProcessID = 0
004010F4 |. 6A 02 PUSH 2 ; |Flags = TH32CS_SNAPPROCESS
004010F6 |. FF15 04104000 CALL NEAR DWORD PTR DS:[<&KERNEL32.Cr>; \CreateToolhelp32Snapshot
004010FC |. 89C5 MOV EBP, EAX
004010FE |. 40 INC EAX
004010FF |. 74 6E JE SHORT killnp.0040116F
00401101 |. C705 90114000>MOV DWORD PTR DS:[401190], 128
0040110B |. 68 90114000 PUSH killnp.00401190 ; /pProcessentry = killnp.00401190
00401110 |. 50 PUSH EAX ; |hSnapshot = NULL
00401111 |. FF15 0C104000 CALL NEAR DWORD PTR DS:[<&KERNEL32.Pr>; \Process32First
00401117 |. 09C0 OR EAX, EAX
00401119 |. 74 4D JE SHORT killnp.00401168
0040111B |> BE B4114000 /MOV ESI, killnp.004011B4
00401120 |. BF 77114000 |MOV EDI, killnp.00401177 ; ASCII "NnOoTtEePpAaDd..EeXxEe"
00401125 |> A6 |/CMPS BYTE PTR DS:[ESI], BYTE PTR ES>
00401126 |. 74 05 ||JE SHORT killnp.0040112D
00401128 |. 4E ||DEC ESI ; killnp.00400000
00401129 |. A6 ||CMPS BYTE PTR DS:[ESI], BYTE PTR ES>
0040112A |. 75 2C ||JNZ SHORT killnp.00401158
0040112C |. 4F ||DEC EDI
0040112D |> 47 ||INC EDI
0040112E |. F647 FF FF ||TEST BYTE PTR DS:[EDI-1], 0FF
00401132 |.^ 75 F1 |\JNZ SHORT killnp.00401125
00401134 |. FF35 98114000 |PUSH DWORD PTR DS:[401198] ; /ProcessId = 0
0040113A |. 6A 00 |PUSH 0 ; |Inheritable = FALSE
0040113C |. 6A 01 |PUSH 1 ; |Access = TERMINATE
0040113E |. FF15 14104000 |CALL NEAR DWORD PTR DS:[<&KERNEL32.O>; \OpenProcess
00401144 |. 09C0 |OR EAX, EAX
00401146 |. 74 20 |JE SHORT killnp.00401168
00401148 |. 50 |PUSH EAX ; /hObject = NULL
00401149 |. 6A 00 |PUSH 0 ; |/ExitCode = 0
0040114B |. 50 |PUSH EAX ; ||hProcess = NULL
0040114C |. FF15 18104000 |CALL NEAR DWORD PTR DS:[<&KERNEL32.T>; |\TerminateProcess
00401152 |. FF15 08104000 |CALL NEAR DWORD PTR DS:[<&KERNEL32.C>; \CloseHandle
00401158 |> 68 90114000 |PUSH killnp.00401190 ; /pProcessentry = killnp.00401190
0040115D |. 55 |PUSH EBP ; |hSnapshot = 0012FFF0
0040115E |. FF15 10104000 |CALL NEAR DWORD PTR DS:[<&KERNEL32.P>; \Process32Next
00401164 |. 09C0 |OR EAX, EAX
00401166 |.^ 75 B3 \JNZ SHORT killnp.0040111B
00401168 |> 55 PUSH EBP ; /hObject = 0012FFF0
00401169 |. FF15 08104000 CALL NEAR DWORD PTR DS:[<&KERNEL32.Cl>; \CloseHandle
0040116F |> 6A 00 PUSH 0 ; /ExitCode = 0
00401171 \. FF15 00104000 CALL NEAR DWORD PTR DS:[<&KERNEL32.Ex>; \ExitProcess
00401177 . 4E 6E 4F 6F 5>ASCII "NnOoTtEePpAaDd.."
00401187 . 45 65 58 78 4>ASCII "EeXxEe",0
0040118E 00 DB 00
0040118F 00 DB 00
00401190 . 00000000 DD 00000000
00401194 00 DB 00
00401195 00 DB 00
00401196 00 DB 00
00401197 00 DB 00
00401198 . 00000000 DD 00000000
i have to determine what kleebaur mentions as ollydbg cant handle this
edit
i simply f8ed through till process exited it is working good simply
Code:
Log data
Address Message
OllyDbg v1.10
Command line plugin v1.10
Written by Oleh Yuschuk
Bookmarks sample plugin v1.06 (plugin demo)
Copyright (C) 2001, 2002 Oleh Yuschuk
PluginTemplate plugin
Console file 'C:\Documents and Settings\deep\Desktop\killnp\killnp.exe'
New process with ID 00000750 created
004010F2 Main thread with ID 00000364 created
00400000 Module C:\Documents and Settings\deep\Desktop\killnp\killnp.exe
77E60000 Module C:\WINDOWS\system32\kernel32.dll
77F50000 Module C:\WINDOWS\System32\ntdll.dll
004010F2 Program entry point
Analysing killnp
1 fuzzy procedure
8 calls to known functions
2 loops
Process terminated, exit code 0
Swimmer
June 14th, 2007, 13:16
The comment about "can't handle this" is my comment and NOT the author's comment.
Olldbg seemed to have problems analyzing the program.
IDA Pro on the other hand came fairly close to what the actual source code is.
I know that the program has a string in it that says something like "Nice to know that someone programs in DOS.... which refers to my coding in 16 bit apps.
Thanks.
esther
June 14th, 2007, 19:45
Geeze blabber,
I don't have any problems debugging and analysing in ollydbg(original exe and my exe)and I know what it looks like heh.I'm referring to my "code" can't terrminate notepad.exe even it found in the memory.There's nothing wrong with ollydbg and it works great.Please read what I posted on previous post...
What I want to know is what's the problem is my "code".Thanks
regards
blabberer
June 15th, 2007, 03:15
esther
ok i see you posted its working fine in ollydbg
what's the problem in your code like i posted above you do not save either hSnapShot or Handles properly in your code
i just ripped the code from ollydbg using code ripper plugin
and assembled it with a few modification it terminates notpad properly
Code:
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
Caption db "NnOoTtEePpAaDd..EeXxEe",0
.data?
lppe PROCESSENTRY32 <>
.code
start:
PUSH 0
PUSH 2
CALL CreateToolhelp32Snapshot
MOV EBP, EAX
INC EAX
JE toolhelpfailure
MOV lppe.dwSize, sizeof(PROCESSENTRY32)
PUSH offset lppe
PUSH EAX
CALL Process32First
OR EAX, EAX
JE processsfirstfailure
nextprocess:
MOV ESI, offset lppe.szExeFile
MOV EDI, offset Caption
reloop:
CMPS BYTE PTR DS:[ESI], BYTE PTR ES:[EDI]
JE nextchar
DEC ESI
CMPS BYTE PTR DS:[ESI], BYTE PTR ES:[EDI]
JNZ getnextprocess
DEC EDI
nextchar:
INC EDI
TEST BYTE PTR DS:[EDI-1], 0FFh
JNZ reloop
PUSH lppe.th32ProcessID
PUSH 0
PUSH 1
CALL OpenProcess
OR EAX, EAX
JE processsfirstfailure
PUSH EAX
PUSH 0
PUSH EAX
CALL TerminateProcess
CALL CloseHandle
getnextprocess:
PUSH offset lppe
PUSH EBP
CALL Process32Next
OR EAX, EAX
JNZ nextprocess
processsfirstfailure:
PUSH EBP
CALL CloseHandle
toolhelpfailure:
PUSH 0
CALL ExitProcess
end start
before ripping name the variables properly in ollydbg
Code:
004010F2 killnp.<ModuleEntryPoint> PUSH 0 ; /ProcessID = 0
004010F4 PUSH 2 ; |Flags = TH32CS_SNAPPROCESS
004010F6 CALL DWORD PTR DS:[<&KERNEL32.CreateToolhelp32Snapshot>] ; \CreateToolhelp32Snapshot
004010FC MOV EBP, EAX
004010FE INC EAX
004010FF JE SHORT <toolhelpfailure>
00401101 MOV DWORD PTR DS:[<dwSize>], 128
0040110B PUSH <dwSize> ; /pProcessentry = <killnp.dwSize>
00401110 PUSH EAX ; |hSnapshot
00401111 CALL DWORD PTR DS:[<&KERNEL32.Process32First>] ; \Process32First
00401117 OR EAX, EAX
00401119 JE SHORT <processsfirstfailure>
0040111B <killnp.nextprocess> /MOV ESI, <szExeFile[MAX_PATH]>
00401120 |MOV EDI, <exename> ; ASCII "NnOoTtEePpAaDd..EeXxEe"
00401125 <killnp.reloop> |/CMPS BYTE PTR DS:[ESI], BYTE PTR ES:[EDI]
00401126 ||JE SHORT <nextchar>
00401128 ||DEC ESI
00401129 ||CMPS BYTE PTR DS:[ESI], BYTE PTR ES:[EDI]
0040112A ||JNZ SHORT <getnextprocess>
0040112C ||DEC EDI
0040112D <killnp.nextchar> ||INC EDI
0040112E ||TEST BYTE PTR DS:[EDI-1], 0FF
00401132 |\JNZ SHORT <reloop>
00401134 |PUSH DWORD PTR DS:[<th32ProcessID>] ; /ProcessId = 0
0040113A |PUSH 0 ; |Inheritable = FALSE
0040113C |PUSH 1 ; |Access = TERMINATE
0040113E |CALL DWORD PTR DS:[<&KERNEL32.OpenProcess>] ; \OpenProcess
00401144 |OR EAX, EAX
00401146 |JE SHORT <processsfirstfailure>
00401148 |PUSH EAX ; /hObject
00401149 |PUSH 0 ; |/ExitCode = 0
0040114B |PUSH EAX ; ||hProcess
0040114C |CALL DWORD PTR DS:[<&KERNEL32.TerminateProcess>] ; |\TerminateProcess
00401152 |CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \CloseHandle
00401158 <killnp.getnextprocess> |PUSH <dwSize> ; /pProcessentry = <killnp.dwSize>
0040115D |PUSH EBP ; |hSnapshot
0040115E |CALL DWORD PTR DS:[<&KERNEL32.Process32Next>] ; \Process32Next
00401164 |OR EAX, EAX
00401166 \JNZ SHORT <nextprocess>
00401168 <killnp.processsfirstfailure> PUSH EBP ; /hObject
00401169 CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \CloseHandle
0040116F <killnp.toolhelpfailure> PUSH 0 ; /ExitCode = 0
00401171 CALL DWORD PTR DS:[<&KERNEL32.ExitProcess>] ; \ExitProcess
00401177 <killnp.exename> ASCII "NnOoTtEePpAaDd.."
00401187 ASCII "EeXxEe",0
0040118E DB 00
0040118F DB 00
00401190 <killnp.dwSize> DD 00000000
00401194 <killnp.cntUsage> DB 00
00401195 DB 00
00401196 DB 00
00401197 DB 00
00401198 <killnp.th32ProcessID> DD 00000000
0040119C <killnp.th32DefaultHeapID> DB 00
0040119D DB 00
0040119E DB 00
0040119F DB 00
004011A0 <killnp.th32ModuleID> DB 00
004011A1 DB 00
004011A2 DB 00
004011A3 DB 00
004011A4 <killnp.cntThreads> DB 00
004011A5 DB 00
004011A6 DB 00
004011A7 DB 00
004011A8 <killnp.th32ParentProcessID> DB 00
004011A9 DB 00
004011AA DB 00
004011AB DB 00
004011AC <killnp.pcPriClassBase> DB 00
004011AD DB 00
004011AE DB 00
004011AF DB 00
004011B0 <killnp.dwFlags> DB 00
004011B1 DB 00
004011B2 DB 00
004011B3 DB 00
004011B4 <killnp.szExeFile[MAX_PATH]> DB 00
the code ripper will give you this code
Code:
<ModuleEntryPoint>: ;<= Procedure Start
PUSH 0
PUSH 2
CALL DWORD PTR DS:[<&KERNEL32.CreateToolhelp32Snapshot>] ; kernel32.CreateToolhelp32Snapshot
MOV EBP, EAX
INC EAX
JE toolhelpfailure
MOV DWORD PTR DS:[dwSize], 0128h
PUSH dwSize
PUSH EAX
CALL DWORD PTR DS:[<&KERNEL32.Process32First>] ; kernel32.Process32First
OR EAX, EAX
JE processsfirstfailure
nextprocess:
MOV ESI, szExeFile[MAX_PATH]
MOV EDI, exename ; ASCII "NnOoTtEePpAaDd..EeXxEe"
reloop:
CMPS BYTE PTR DS:[ESI], BYTE PTR ES:[EDI]
JE nextchar
DEC ESI
CMPS BYTE PTR DS:[ESI], BYTE PTR ES:[EDI]
JNZ getnextprocess
DEC EDI
nextchar:
INC EDI
TEST BYTE PTR DS:[EDI-1], 0FFh
JNZ reloop
PUSH DWORD PTR DS:[th32ProcessID]
PUSH 0
PUSH 1
CALL DWORD PTR DS:[<&KERNEL32.OpenProcess>] ; kernel32.OpenProcess
OR EAX, EAX
JE processsfirstfailure
PUSH EAX
PUSH 0
PUSH EAX
CALL DWORD PTR DS:[<&KERNEL32.TerminateProcess>] ; kernel32.TerminateProcess
CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle
getnextprocess:
PUSH dwSize
PUSH EBP
CALL DWORD PTR DS:[<&KERNEL32.Process32Next>] ; kernel32.Process32Next
OR EAX, EAX
JNZ nextprocess
processsfirstfailure:
PUSH EBP
CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle
toolhelpfailure:
PUSH 0
CALL DWORD PTR DS:[<&KERNEL32.ExitProcess>] ;<= Procedure End ; kernel32.ExitProcess
compare this with my code above which assembles and works
you will see a few cosmetic changes and structure memeber declatarions
thats all it takes
now try comparing this with your code
you will notice what you are missing
if there are further questions feel free to ask
lcx2005
June 15th, 2007, 04:06
Quote:
[Originally Posted by esther;66400]
get the latest compiler in masm32.cjb.net
|
Better try http://www.masm32.com or http://www.movsd.com for masm32
.Because masm32.cjb.net no longer support us or some $$$ guys had done something to her
.
Swimmer
June 15th, 2007, 08:51
[QUOTE][Originally Posted by blabberer;66420]esther
ok i see you posted its working fine in ollydbg
what's the problem in your code like i posted above you do not save either hSnapShot or Handles properly in your code
i just ripped the code from ollydbg using code ripper plugin
and assembled it with a few modification it terminates notpad properly
Thanks a lot for the code conversion.
The original .exe has some text embedded in it.
I was wondering how they did that.
I looked for the code ripper plugin but couldn't find it. I found a lot of requests for it, but no links.
Kayaker
June 15th, 2007, 09:01
Quote:
[Originally Posted by Swimmer;66424]
I looked for the code ripper plugin but couldn't find it. I found a lot of requests for it, but no links. |
Tried OllyStuph?
blabberer
June 15th, 2007, 10:09
swimmer ,
i hate to repeat what dELTA posted in another thread
but i have no choice
please try to formulate your questions more concisely and clearly
if you are quoting something preview and edit back the post if what you quoted isnt embedded properly in quote tags
quote if you must really have an absolute necessary to quote
this is not a mailing list but a forum so people are not reading your answers in email and have to search for context
all they have to do to find some context is to scroll up or down a little
with a middle scroll wheel in mouse it even doesnt take the effort it used to take some ages ago
the only usefull question in your above post is you want a link to coderipper plugin
it could have been a single line reply like
Quote:
hi blabberer could you possibly put a link to coderipper plugin
im googling but cant land pertinent download
|
as to embeddeding some strange strings you have lot of reading to do
have you never seen this program will not run in dos string in any exe ?
if you havent then go to c:\windows\system32
find every exe in there right click open with notepad
you will see that string in all exes
now any lame duck kid can load that exe in a hexeditor or if he is a script kiddie patch together a perl python ruby script to change that string to hell world is going to be nuked if you run this program and save it
it is a static string it has got absolutely nothing to do with secrecy
also that whole stuff is called a dos image or dos stub
if you are using some assembler like fasm etc
you can embed your own dos_stub to an exe with your own string
if you want to know whats dos_stub find the dos debug tutorials by starman realms
i see you have gone to the extent of looking at that string with hackman whatever
notepad would have shown that string
Code:
MZ` ÿÿ ` @ * º ´ Í!¸LÍ!Nice to meet somebody who is still using DOS,
but his program requires Win32.
$ PE L Py¥6 à ò @
start -> cmd -> type killnp.exe could have shown you that
Code:
shit:/>type killnp.exe
MZ`☺☺ ♦ ** `☺ @ á ♫▼║♫ ┤ ═!╕☺L═!N
ice to meet somebody who is still using DOS,
but his program requires Win32.
$ PE L☺☺ PyÑ6 α ☼☺♂☺♣♀ ☻ ≥► ► @ ► ☻ ♦ ♦
☻ ♥ ► ► ► ► ► ► (
►
.text ╕☻ ► ☻ ☻ α
v► ä► á► «► └► ╨► ▐► V► H►
► KERNEL32.dll v► ä► á► «► └► ╨► ▐► ExitPr
ocess CreateToolhelp32Snapshot CloseHandle Process32First Process32Nex
t OpenProcess TerminateProcess j j☻*§♦►@ ë┼@tn╟♣É◄@ (☺ hÉ◄@ P*§♀►@
└tM╛┤◄@ ┐w◄@ ªt♣Nªu,OG÷G**u±*5ÿ◄@ j j☺*§¶►@ └t Pj P*§↑►@ ►@ hÉ◄@ U*§►►@
└u│U*►@ j *§ ►@ NnOoTtEePpAaDd..EeXxEe
shit:/>
lots of avenues you have to choose one
im not trying to pick on you
but being consistently asking irritating question doesnt do anyone any good
try to read your own reply from a third party perspective you will find the post is silly idiotic and more chaotic than anything else
Betov
June 16th, 2007, 05:07
I see that the Disassemblers, you are using have some problems with this File from Herbert.
If you want to port it to MASM, of course, this is only an intermediate solution, but RosAsm can perfectly Disassemble and re-Assemble this file in two clicks:
* Download RosAsmFull.exe at < http://rosasm.org >
* Unzip anywhere and run.
* [File] / [Open] ---> Killnp.exe
* Disassemble and hit [F6] for a rebuild/Run.
The rebuilt file ("MyKillnp.exe"
correctly closes Notepad.
Now, there is a small problem with the String at Data0401177: For "some reason"
The Disassembler fails to "see" that this is a String. Just double-click upon the "Data0401177" Label, and select [Bad Disassembly] ---> Dialog: Size Flags [String] ---> OK.
Then, i suppose that porting to MASM should be a breath.
[Note: the Sources are embeeded inside the PE compiled by RosAsm]
Have fun. Betov.
LLXX
June 16th, 2007, 05:26
I never thought the RosAsm author lurked here.
esther
June 16th, 2007, 11:44
Hi blabber,
*if there are further questions feel free to ask
Due to lack of experience in programming.It seems I have much errors in "my code",something missing here and there heh.I have fixed the code now and it works fine.I have no further questions,thanks for wasting time on us,greatly
appreciated
Regards
Swimmer
June 16th, 2007, 12:12
Quote:
| [Originally Posted by LLXX;66437]I never thought the RosAsm author lurked here. |
He does get around.
Woodmann
June 16th, 2007, 20:31
Howdy,
It is nice to see
.
Woodmann
blabberer
June 17th, 2007, 13:17
this thread made me discover another awesome debugger
i was mucking up with ida free on that com file and made a first layer idc
and i thought that was the end of it but no that was the beginning as usual in these files
Code:
auto seed,patch,mulres,i,xorv,test;
seed = 0xd1+0x48;
patch = 0xd1+0x78;
test = 0xd1;
while(test < 0x100)
{
Message("\n%x ", Word(seed));
mulres = Word(seed)*0x50;
Message("%x ",mulres);
Message("%x ", (mulres &0xff) );
xorv = Byte(patch) ^ (mulres & 0xff);
Message ("%x ", xorv);
PatchByte(patch,xorv);
seed++;
patch++;
test++;
}
now writng idc and working with ida isnt my speciality so i was wanting a debugger to do my job
dos debug was doing a wonderuful job but it has limitations of cant able to set breakpoints
and after downlaoding dozens and dozens of dos debuggers one atlast was working better than what i expected it of
simply awesome
http://members.tripod.com/~ladsoft/grdb.htm
and can log too
Code:
->u 178 1f5
1DAC:0178 FC cld
1DAC:0179 BE D5 01 mov si,01D5
1DAC:017C BF F3 03 mov di,03F3
1DAC:017F AC lodsb
1DAC:0180 38 06 D0 01 cmp [01D0],al
1DAC:0184 75 16 jnz 019C
1DAC:0186 A4 movsb
1DAC:0187 81 FE F3 03 cmp si,03F3
1DAC:018B 72 F2 jb 017F
1DAC:018D B4 40 mov ah,40
1DAC:018F BA F3 03 mov dx,03F3
1DAC:0192 89 F9 mov cx,di
1DAC:0194 29 D1 sub cx,dx
1DAC:0196 BB 01 00 mov bx,0001
1DAC:0199 CD 21 int 21
1DAC:019B C3 ret
1DAC:019C 3A 06 D1 01 cmp al,[01D1]
1DAC:01A0 75 05 jnz 01A7
1DAC:01A2 31 C0 xor ax,ax
1DAC:01A4 AB stosw
1DAC:01A5 EB E0 jmp 0187
1DAC:01A7 3A 06 D2 01 cmp al,[01D2]
1DAC:01AB 75 06 jnz 01B3
1DAC:01AD 31 C0 xor ax,ax
1DAC:01AF AB stosw
1DAC:01B0 AA stosb
1DAC:01B1 EB D4 jmp 0187
1DAC:01B3 3A 06 D3 01 cmp al,[01D3]
1DAC:01B7 75 06 jnz 01BF
1DAC:01B9 31 C0 xor ax,ax
1DAC:01BB AB stosw
1DAC:01BC AB stosw
1DAC:01BD EB C8 jmp 0187
1DAC:01BF 3A 06 D4 01 cmp al,[01D4]
1DAC:01C3 75 EB jnz 01B0
1DAC:01C5 AC lodsb
1DAC:01C6 0F B6 C8 movzx cx,al
1DAC:01C9 41 inc cx
1DAC:01CA 31 C0 xor ax,ax
1DAC:01CC F3 AA repz stosb
1DAC:01CE EB B7 jmp 0187
1DAC:01D0 06 push es
1DAC:01D1 07 pop es
1DAC:01D2 12 13 adc dl,[bp+di]
1DAC:01D4 16 push ss
1DAC:01D5 4D dec bp
1DAC:01D6 5A pop dx
1DAC:01D7 60 pushaw
1DAC:01D8 01 01 add [bx+di],ax
1DAC:01DA 12 04 adc al,[si]
1DAC:01DC 12 FF adc bh,bh
1DAC:01DE FF 07 inc word [bx]
1DAC:01E0 60 pushaw
1DAC:01E1 01 16 05 40 add [4005],dx
1DAC:01E5 16 push ss
1DAC:01E6 22 A0 12 0E and ah,[bx+si+0E12]
1DAC:01EA 1F pop ds
1DAC:01EB BA 0E 00 mov dx,000E
1DAC:01EE B4 09 mov ah,09
1DAC:01F0 CD 21 int 21
1DAC:01F2 B8 01 4C mov ax,4C01
1DAC:01F5 CD 21 int 21
got 32 bit registers which debug.com dont have
disassembles instructions with 68,6b opcodes correctly no like debug.com
Code:
->r
eax:00650000 ebx:00000000 ecx:00000000 edx:0000A2B0 esi:000003F3 edi:000007F3
ebp:000006A0 esp:0000FFEE eip:0000018D flag:000B3246 NV UP EI PL ZR NA PE NC
ds:1DAC es:1DAC fs:1DAC gs:1DAC ss:1DAC cs:1DAC
1DAC:018D B4 40 mov ah,40
->t
eax:00654000 ebx:00000000 ecx:00000000 edx:0000A2B0 esi:000003F3 edi:000007F3
ebp:000006A0 esp:0000FFEE eip:0000018F flag:000B3246 NV UP EI PL ZR NA PE NC
ds:1DAC es:1DAC fs:1DAC gs:1DAC ss:1DAC cs:1DAC
1DAC:018F BA F3 03 mov dx,03F3
->t
eax:00654000 ebx:00000000 ecx:00000000 edx:000003F3 esi:000003F3 edi:000007F3
ebp:000006A0 esp:0000FFEE eip:00000192 flag:000B3246 NV UP EI PL ZR NA PE NC
ds:1DAC es:1DAC fs:1DAC gs:1DAC ss:1DAC cs:1DAC
1DAC:0192 89 F9 mov cx,di
->t
eax:00654000 ebx:00000000 ecx:000007F3 edx:000003F3 esi:000003F3 edi:000007F3
ebp:000006A0 esp:0000FFEE eip:00000194 flag:000B3246 NV UP EI PL ZR NA PE NC
ds:1DAC es:1DAC fs:1DAC gs:1DAC ss:1DAC cs:1DAC
1DAC:0194 29 D1 sub cx,dx
->t
eax:00654000 ebx:00000000 ecx:00000400 edx:000003F3 esi:000003F3 edi:000007F3
ebp:000006A0 esp:0000FFEE eip:00000196 flag:000B3206 NV UP EI PL NZ NA PE NC
ds:1DAC es:1DAC fs:1DAC gs:1DAC ss:1DAC cs:1DAC
1DAC:0196 BB 01 00 mov bx,0001
->t
eax:00654000 ebx:00000001 ecx:00000400 edx:000003F3 esi:000003F3 edi:000007F3
ebp:000006A0 esp:0000FFEE eip:00000199 flag:000B3206 NV UP EI PL NZ NA PE NC
ds:1DAC es:1DAC fs:1DAC gs:1DAC ss:1DAC cs:1DAC
1DAC:0199 CD 21 int 21
->d 3f3 7f3
1DAC:03F3 4D 5A 60 01-01 00 00 00-04 00 00 00-FF FF 00 00 MZ`.............
1DAC:0403 60 01 00 00-00 00 00 00-40 00 00 00-00 00 00 00 `.......@.......
1DAC:0413 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:0423 00 00 00 00-00 00 00 00-00 00 00 00-A0 00 00 00 ................
1DAC:0433 0E 1F BA 0E-00 B4 09 CD-21 B8 01 4C-CD 21 4E 69 ........!..L.!Ni
1DAC:0443 63 65 20 74-6F 20 6D 65-65 74 20 73-6F 6D 65 62 ce to meet someb
1DAC:0453 6F 64 79 20-77 68 6F 20-69 73 20 73-74 69 6C 6C ody who is still
1DAC:0463 20 75 73 69-6E 67 20 44-4F 53 2C 0D-0A 62 75 74 using DOS,..but
1DAC:0473 20 68 69 73-20 70 72 6F-67 72 61 6D-20 72 65 71 his program req
1DAC:0483 75 69 72 65-73 20 57 69-6E 33 32 2E-0D 0A 24 00 uires Win32...$.
1DAC:0493 50 45 00 00-4C 01 01 00-50 79 A5 36-00 00 00 00 PE..L...Py.6....
1DAC:04A3 00 00 00 00-E0 00 0F 01-0B 01 05 0C-00 02 00 00 ................
1DAC:04B3 00 00 00 00-00 00 00 00-F2 10 00 00-00 10 00 00 ................
1DAC:04C3 00 20 00 00-00 00 40 00-00 10 00 00-00 02 00 00 . ....@.........
1DAC:04D3 04 00 00 00-00 00 00 00-04 00 00 00-00 00 00 00 ................
1DAC:04E3 00 20 00 00-00 02 00 00-00 00 00 00-03 00 00 00 . ..............
1DAC:04F3 00 00 10 00-00 10 00 00-00 00 10 00-00 10 00 00 ................
1DAC:0503 00 00 00 00-10 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:0513 20 10 00 00-28 00 00 00-00 00 00 00-00 00 00 00 ...(...........
1DAC:0523 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:0533 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:0543 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:0553 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:0563 00 00 00 00-00 00 00 00-00 10 00 00-20 00 00 00 ............ ...
1DAC:0573 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:0583 00 00 00 00-00 00 00 00-2E 74 65 78-74 00 00 00 .........text...
1DAC:0593 B8 02 00 00-00 10 00 00-00 02 00 00-00 02 00 00 ................
1DAC:05A3 00 00 00 00-00 00 00 00-00 00 00 00-20 00 00 E0 ............ ...
1DAC:05B3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:05C3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:05D3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:05E3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:05F3 76 10 00 00-84 10 00 00-A0 10 00 00-AE 10 00 00 v...............
1DAC:0603 C0 10 00 00-D0 10 00 00-DE 10 00 00-00 00 00 00 ................
1DAC:0613 56 10 00 00-00 00 00 00-00 00 00 00-48 10 00 00 V...........H...
1DAC:0623 00 10 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:0633 00 00 00 00-00 00 00 00-4B 45 52 4E-45 4C 33 32 ........KERNEL32
1DAC:0643 2E 64 6C 6C-00 00 76 10-00 00 84 10-00 00 A0 10 .dll..v.........
1DAC:0653 00 00 AE 10-00 00 C0 10-00 00 D0 10-00 00 DE 10 ................
1DAC:0663 00 00 00 00-00 00 00 00-45 78 69 74-50 72 6F 63 ........ExitProc
1DAC:0673 65 73 73 00-00 00 43 72-65 61 74 65-54 6F 6F 6C ess...CreateTool
1DAC:0683 68 65 6C 70-33 32 53 6E-61 70 73 68-6F 74 00 00 help32Snapshot..
1DAC:0693 00 00 43 6C-6F 73 65 48-61 6E 64 6C-65 00 00 00 ..CloseHandle...
1DAC:06A3 50 72 6F 63-65 73 73 33-32 46 69 72-73 74 00 00 Process32First..
1DAC:06B3 00 00 50 72-6F 63 65 73-73 33 32 4E-65 78 74 00 ..Process32Next.
1DAC:06C3 00 00 4F 70-65 6E 50 72-6F 63 65 73-73 00 00 00 ..OpenProcess...
1DAC:06D3 54 65 72 6D-69 6E 61 74-65 50 72 6F-63 65 73 73 TerminateProcess
1DAC:06E3 00 00 6A 00-6A 02 FF 15-04 10 40 00-89 C5 40 74 ..j.j.....@...@t
1DAC:06F3 6E C7 05 90-11 40 00 28-01 00 00 68-90 11 40 00 n....@.(...h..@.
1DAC:0703 50 FF 15 0C-10 40 00 09-C0 74 4D BE-B4 11 40 00 P....@...tM...@.
1DAC:0713 BF 77 11 40-00 A6 74 05-4E A6 75 2C-4F 47 F6 47 .w.@..t.N.u,OG.G
1DAC:0723 FF FF 75 F1-FF 35 98 11-40 00 6A 00-6A 01 FF 15 ..u..5..@.j.j...
1DAC:0733 14 10 40 00-09 C0 74 20-50 6A 00 50-FF 15 18 10 ..@...t Pj.P....
1DAC:0743 40 00 FF 15-08 10 40 00-68 90 11 40-00 55 FF 15 @.....@.h..@.U..
1DAC:0753 10 10 40 00-09 C0 75 B3-55 FF 15 08-10 40 00 6A ..@...u.U....@.j
1DAC:0763 00 FF 15 00-10 40 00 4E-6E 4F 6F 54-74 45 65 50 .....@.NnOoTtEeP
1DAC:0773 70 41 61 44-64 2E 2E 45-65 58 78 45-65 00 00 00 pAaDd..EeXxEe...
1DAC:0783 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:0793 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:07A3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:07B3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:07C3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:07D3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:07E3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:07F3 00 .
->r
eax:00654000 ebx:00000001 ecx:00000400 edx:000003F3 esi:000003F3 edi:000007F3
ebp:000006A0 esp:0000FFEE eip:00000199 flag:000B3206 NV UP EI PL NZ NA PE NC
ds:1DAC es:1DAC fs:1DAC gs:1DAC ss:1DAC cs:1DAC
1DAC:0199 CD 21 int 21
->d ds:esp
1DAC:FFEE 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00 ................
1DAC:FFFE 00 00 ..
->p
eax:00650400 ebx:00000001 ecx:00000400 edx:000003F3 esi:000003F3 edi:000007F3
ebp:000006A0 esp:0000FFEE eip:0000019B flag:000B3206 NV UP EI PL NZ NA PE NC
ds:1DAC es:1DAC fs:1DAC gs:1DAC ss:1DAC cs:1DAC
1DAC:019B C3 ret
->t
nice thread and nice debugger was worth my time
esther
Swimmer
June 17th, 2007, 19:07
Glad you like grdb.exe. It been around for a while and I think the author even lets you download the source code.
evlncrn8
June 18th, 2007, 06:02
Quote:
The original .exe has some text embedded in it.
I was wondering how they did that.
|
.code
<put code here>
jmp over_text_bit
db 'hello i am the text',00h
over_text_bit:
kinda simple
Swimmer
June 18th, 2007, 07:21
I have a long ways to go on learning about my dissassemblers. So many bells and whistles.
It had output a text of a program as a series of hex values, so it wasn't obvious that it was text.
The only hex I have memorized are for the carriage return and a few others. :-)
esther
June 18th, 2007, 23:28
hi blabber,
Its not really need to use ida,I have tested a win32 disassembler(korean programmer sangcho) http://www.geocities.com/~sangcho/disasm.html
it works great as well;Its a console disassembler
About the debugger you had posted its a nice find thanks again
Bengaly
June 21st, 2007, 19:45
Well,
the original test.exe posted here had some code missing, and bad logic,
that could be easily found when debuging the code after a saved decompiled .asm,
I used PVDasm to create the source, and handly changes few stuff, and inserted the missing code / fixed bad logic.
working source code:
Code:
; ###############################################################################
; # This file has generated by Proview Disassembler (PVDasm) MASM wizard. #
; # Copyright (c) 2003-2006 by Bengaly, <http://pvdasm.reverse-engineering.net> #
; ###############################################################################
.386 ; create 32 bit code
.model flat, stdcall ; 32 bit memory model
option casemap:none ; case sensitive
include C:\masm32\include\windows.inc
include C:\masm32\include\kernel32.inc
include C:\masm32\include\user32.inc
include C:\masm32\include\gdi32.inc
include C:\masm32\include\comctl32.inc
include C:\masm32\include\shell32.inc
include C:\masm32\include\comdlg32.inc
includelib C:\masm32\lib\user32.lib
includelib C:\masm32\lib\kernel32.lib
includelib C:\masm32\lib\gdi32.lib
includelib C:\masm32\lib\comctl32.lib
includelib C:\masm32\lib\shell32.lib
includelib C:\masm32\lib\comdlg32.lib
; ###############################################################################
.data
notepad db "notepad.exe",0
handle_snap dd ?
lppe PROCESSENTRY32 <>
.data?
.code
start:
PUSH 00H ; th32ProcessID
PUSH 02H ; dwFlags
CALL CreateToolhelp32Snapshot
MOV handle_snap, EAX ; ORIGINAL: MOV DWORD PTR DS:[00804234H], EAX
INC EAX
JZ ref_0040108A
MOV lppe.dwSize,00000128H ; ORIGINAL: MOV DWORD PTR DS:[00804238H],00000128H
PUSH offset lppe ; lppe
PUSH handle_snap ; hSnapshot
CALL Process32First
OR EAX, EAX
JZ ref_00401085
ref_0040102F:
MOV ESI, offset lppe.szExeFile
MOV EDI, OFFSET notepad
ref_00401039:
CMPSB
JZ ref_00401041
DEC ESI
CMPSB
JNZ ref_00401071
DEC EDI
ref_00401041:
INC EDI
INC ESI ; This was missing in the original test.exe
TEST BYTE PTR DS:[EDI-01H],0FFH
JNZ ref_00401039
PUSH lppe.th32ProcessID
PUSH 00H ; bInheritHandle
PUSH 01H ; dwDesiredAccess
CALL OpenProcess
OR EAX, EAX
JZ ref_00401085 ; previously was JNZ, bad logic
PUSH EAX
PUSH 00H
PUSH EAX
PUSH 00H ; uExitCode
PUSH EAX ; hProcess
CALL TerminateProcess
PUSH EAX ; hObject
CALL CloseHandle
ref_00401071:
PUSH offset lppe ; lppe
PUSH handle_snap ; hSnapshot
CALL Process32Next
OR EAX, EAX
JNZ ref_0040102F
ref_00401085:
CALL CloseHandle
ref_0040108A:
PUSH 00H ; uExitCode
CALL ExitProcess
end start
Powered by vBulletin® Version 4.2.2 Copyright © 2019 vBulletin Solutions, Inc. All rights reserved.