pls assay this ASM code


wonyg80
August 6th, 2007, 01:07
00406488 53 PUSH EBX
EBX=00000000
Local call from 00404469
====================================================================================
00406489 56 PUSH ESI
ESI=00475C48 (mts.00475C48)
====================================================================================
0040648A 8BF1 MOV ESI,ECX
ECX=00475C48 (mts.00475C48)
ESI=00475C48 (mts.00475C48)
====================================================================================
0040648C 8B96 E80A0000 MOV EDX,DWORD PTR DS:[ESI+AE8]
DS:[00476730]=00B53A89
EDX=0012FB3C
====================================================================================
00406492 8A1A MOV BL,BYTE PTR DS:[EDX]
DS:[00B53A89]=01
BL=00
====================================================================================
00406494 8D86 E80A0000 LEA EAX,DWORD PTR DS:[ESI+AE8]
Address=00476730
EAX=0000000E
====================================================================================
0040649A 42 INC EDX
EDX=00B53A89
====================================================================================
0040649B 8910 MOV DWORD PTR DS:[EAX],EDX
EDX=00B53A8A
DS:[00476730]=00B53A89
====================================================================================
0040649D 66:8B0A MOV CX,WORD PTR DS:[EDX]
DS:[00B53A8A]=0001
CX=5C48
====================================================================================
004064A0 83C2 02 ADD EDX,2
EDX=00B53A8A
====================================================================================
004064A3 66:81F9 C800 CMP CX,0C8
CX=0001
====================================================================================
004064A8 8910 MOV DWORD PTR DS:[EAX],EDX
EDX=00B53A8C
DS:[00476730]=00B53A8A
====================================================================================
004064AA 730C JNB SHORT mts.004064B8
Jump is NOT taken
004064B8=mts.004064B8
====================================================================================
004064AC 33C0 XOR EAX,EAX
EAX=00476730 (mts.00476730)
====================================================================================
004064AE 66:8BC1 MOV AX,CX
CX=0001
AX=0000
====================================================================================
004064B1 889C30 7E550100 MOV BYTE PTR DS:[EAX+ESI+1557E],BL
BL=01
DS:[0048B1C7]=00
====================================================================================
004064B8 5E POP ESI
Stack [0012FD30]=00475C48 (mts.00475C48)
ESI=00475C48 (mts.00475C48)
Jump from 004064AA
====================================================================================
004064B9 5B POP EBX
Stack [0012FD34]=00000000
EBX=00000001
====================================================================================
004064BA C3 RETN
Return to 0040446E (mts.0040446E)
====================================================================================

Please help... I don't know ASM well.
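A C reading of the traced routine, added here as an illustration and not code from the thread or from the mts binary. It assumes a hypothetical object with only the two fields the trace touches: a read cursor (the DWORD at ESI+0AE8) and a byte table (at ESI+1557E); all names are made up. The point worth seeing in the trace is the order of operations: one value byte and one 16-bit little-endian index are read, the cursor is advanced by 3 regardless, and the write into the table happens only when CX is below 0C8 (JNB is an unsigned compare). The routine checks the index but not whether 3 bytes remain in the stream, so the driver below has to do that.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Table size implied by CMP CX,0C8 / JNB: indexes 0..0xC7 are accepted. */
#define TABLE_LIMIT 0xC8u

/* Hypothetical object layout. In the trace the cursor lives at ESI+0AE8
 * and the table at ESI+1557E; only these two fields matter here. */
typedef struct {
    const uint8_t *cursor;          /* [ESI+0AE8]: read pointer into the stream */
    uint8_t table[TABLE_LIMIT];     /* [ESI+1557E]: byte table indexed by CX   */
} wong_object;

/* C equivalent of mts.00406488. Returns 1 if the value was stored, 0 if the
 * index failed the bounds check. The cursor advances by 3 either way. */
int consume_record(wong_object *obj)
{
    const uint8_t *p = obj->cursor;                   /* MOV EDX,[ESI+AE8]      */
    uint8_t value = p[0];                             /* MOV BL,[EDX]           */
    p += 1;                                           /* INC EDX                */
    obj->cursor = p;                                  /* MOV [EAX],EDX          */
    uint16_t index = (uint16_t)(p[0] | (p[1] << 8));  /* MOV CX,[EDX]           */
    p += 2;                                           /* ADD EDX,2              */
    obj->cursor = p;                                  /* MOV [EAX],EDX          */
    if (index >= TABLE_LIMIT)                         /* CMP CX,0C8 / JNB       */
        return 0;
    obj->table[index] = value;                        /* MOV [EAX+ESI+1557E],BL */
    return 1;
}

/* Driver: feed records while at least 3 bytes remain. The traced routine
 * never checks the end of the stream itself, so the caller must. */
int replay_stream(wong_object *obj, const uint8_t *stream, size_t len)
{
    int stored = 0;
    obj->cursor = stream;
    while ((size_t)(obj->cursor - stream) + 3 <= len)
        stored += consume_record(obj);
    return stored;
}

/* Constructed sample: three records of (value, 16-bit little-endian index). */
static const uint8_t sample_stream[] = {
    0x01, 0x00, 0x00,   /* value 0x01 -> index 0x0000: stored                */
    0x7F, 0xC7, 0x00,   /* value 0x7F -> index 0x00C7: stored (last valid)   */
    0xAA, 0xC8, 0x00,   /* value 0xAA -> index 0x00C8: rejected by the check */
};
static wong_object sample_obj;

/* Replays the constructed stream into a zeroed object; returns records stored. */
int replay_sample(void)
{
    memset(&sample_obj, 0, sizeof sample_obj);
    return replay_stream(&sample_obj, sample_stream, sizeof sample_stream);
}

/* Table contents after the replay, or -1 for an out-of-range index. */
int sample_table_entry(unsigned index)
{
    return index < TABLE_LIMIT ? sample_obj.table[index] : -1;
}

/* How far the cursor moved: 3 bytes per record, rejected ones included. */
long sample_bytes_consumed(void)
{
    return (long)(sample_obj.cursor - sample_stream);
}

int main(void)
{
    int stored = replay_sample();
    printf("stored %d of 3 records, consumed %ld bytes\n",
           stored, sample_bytes_consumed());
    printf("table[0x00]=%02x table[0xC7]=%02x\n",
           sample_table_entry(0), sample_table_entry(0xC7));
    return 0;
}
```

Running it stores two of the three records and consumes all 9 bytes: the third record's index 0xC8 fails the bounds check exactly as the JNB would take the jump, but the cursor still moves past it.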

LLXX
August 6th, 2007, 02:25
Quote:
Originally Posted by wonyg80: I don't know ASM well;;;
...and whose problem is that? Not ours, YOURS. If YOU "don't know ASM well", then YOU should be the one to learn it. So why don't YOU do that! Help yourself!

And one more thing, we have no idea what the hell you want. Did you not READ THE FRIGGIN' FAQ (http://www.woodmann.com/fravia/rce-faq.htm) like it tells you in BIG RED LETTERS at the top of the page?

JMI
August 6th, 2007, 07:06
What she said!

Regards,

blabberer
August 6th, 2007, 12:25
If ASM is hard, see if you can understand this:

Code:

assaywong:\>type assay.c
#include <stdio.h>
#include <windows.h>

/* 2790 bytes of padding put wongfoo at offset 0xAE8 once the DWORD is
 * aligned to 4 bytes, matching the [eax+0AE8h] seen in the disassembly. */
typedef struct _WONGBABY
{
BYTE unknownwong[2790];
DWORD wongfoo;
} WONGBABY, *PWONGBABY;

int __cdecl thiswongisdamned(WONGBABY *pwb)
{
DWORD foo;
BYTE blah;
foo = (DWORD)pwb->wongfoo;   /* mov eax,[eax+0AE8h] */
blah = (BYTE)foo;            /* movzx ecx,al: low byte only */
printf("foo = %08x blah = %08x\n",foo,blah);
return 0;
}

int __cdecl main(void)
{
WONGBABY wb;

printf("assaying wongy\n");
wb.wongfoo = 0x12345678;
thiswongisdamned(&wb);
return 0;
}
assaywong:\>assay.exe
assaying wongy
foo = 12345678 blah = 00000078

assaywong:\>"c:\Program Files\Debugging Tools for Windows\cdb.exe" assay.exe

ntdll!DbgBreakPoint:
77f767cd cc int 3

0:000> uf assay!thiswongisdamned
assay!thiswongisdamned:
00401c05 8bff mov edi,edi
00401c07 55 push ebp
00401c08 8bec mov ebp,esp
00401c0a 8b4508 mov eax,dword ptr [ebp+8]
00401c0d 8b80e80a0000 mov eax,dword ptr [eax+0AE8h]
00401c13 0fb6c8 movzx ecx,al
00401c16 51 push ecx
00401c17 50 push eax
00401c18 68fc104000 push offset assay!`string' (004010fc)

0:000> da 004010fc
004010fc "foo = %08x blah = %08x."

00401c1d e80d040000 call assay!printf (0040202f)
00401c22 83c40c add esp,0Ch
00401c25 33c0 xor eax,eax
00401c27 5d pop ebp
00401c28 c3 ret
0:000> q
quit:

assaywong:\>