PDA

View Full Version : some help


mustapha
January 24th, 2001, 20:39
I ahve a program and it has 2 edit boxes to register it. One is for the name and the other for the pass. I put my name and a fake number. So a messageBox will appears telling me that it is wrong......

I added some code to the program to show me the real pass in that messageBox.
I found a pleca with 'ceros' to add this code but only one time it worked. Now it appears a Mssbox saying 'Acces violation at address 00484483 in module "ProgramName.exe". Write of address 004844C0'.
The first address is where i write this:
:00484483 mov [004844C0], EAX.
The second address is where i want eax value to be stored.
I do not know why it happends, i am working in a place where there's a lot of 'ceros'. And i changed the Characteristics with ProcDump of CODE from 60000020 to F0000020.
I am trying to pass from cracking to reversing.
If someone give me some hint, i would be grateful.
Thanks a lot.

Kayaker
January 24th, 2001, 22:09
Hi Mustapha,

>And i changed the Characteristics with ProcDump of CODE from 60000020 to F0000020

I hope you mean E0000020

That part's right, it makes the characteristics of the section 'writeable' as well as executable. I've occasionaly had problems adding code to the CODE or .text section. It seems that sometimes not all parts of the .text section are loaded into memory yet when you want to use that memory for your own code, leading to an error. Not sure if this was the cause of your problem.

You could try adding it to the .idata section (again changing the code flags) right after the Import table, there's usually a big bunch of zeroes there. You have to be careful there too though. You can add a little bit of text to the start address of your patch in a hex editor, then do a search for it SoftIce just to find it and see if that area in memory remains untouched by the program during normal operation.

The other option of course is to add your own section. Various tools around to do this I guess. I use PEditor - add a section, change the Raw and Virtual size of the section, update the Size of Image and Characteristics, add a bunch of bytes with a hex editor. Gives you as much room as you want, no chance of conflicts, and besides it's fun to name a section after yourself ^_^

Cheers,

Kayaker

mustapha
January 24th, 2001, 23:53
Nooooohhh,
You will not forgive me!!!!
Now i know why it works one time and then is does not work.
Because i was so tired, i confused 'F0000020' with '70000020'.
Well, i took this number from a SantMat tutorial.
With E0000020 it is OK too.
But now I want to learn more, about this number, section, .idata, ect.
Some recommendation will be great!!.
(PD: i also confused A->4, i need some rest.....)

Mustapha

hz
January 25th, 2001, 00:02
Hi,
Topo (protools) is an excellent util for doing
what you want and probably simplest. One thing to check though is that the serial string is still at the address when the message box pops up, sometimes its overwritten or memory de-allocated. Unless of course you plan on copying the string.
regards

Kayaker
January 25th, 2001, 03:09
Quote:
mustapha (01-24-2001 12:53):
Nooooohhh,
You will not forgive me!!!!
Mustapha


Heh heh. Oh sure I will, if you forgive me for every gaff I've made while reversing (I think I only made 3 or 4 tonight) ^_^

PEBrowsePro is a good tool in helping to understand the structure of PE files. As for references, you can't go wrong with Iczelion's PE tuts.

Keep up the good work

Cheers,

Kayaker

Kayaker
January 25th, 2001, 03:46
OK, make it 5 gaffs tonight Just to set the record straight, the code characteristics

70000020 mean
shareable in memory, executable as code, readable, contains executeable code

and

F0000020
is as above plus writeable

E0000020
is as above without the shareable


So I guess F0000020 would be OK too. I'm curious now why the SantMat tutorial recommends using F0000020. Do you have a link for this tut?

mustapha
January 25th, 2001, 19:56
this tut can be found at http://reversemes.immortaldescendants.org/reversemes.html
Reverseme#1 by Defiler
Solutions by: SantMat