Alph
August 16th, 2002, 08:04
Hi,
I am new to reverse engineering, but have been programming for some time already. I just installed SoftIce and looked at the innards of Tabledit, and I'd be grateful for a few answers.
Tabledit is a shareware program protected by serial number registration.
It's at www.tabledit.com
What I did, roughly :
I break on GetDlgItem. I see that there are 2 of those, getting username and password, and storing them in fixed memory locations.
Then a first call, which I will go into in more detail below.
Then a second call, which looks to me like it is just doing some clean up with windows.
Then I go into the kernel/_freqasm stuff.
What is happening here? Am I right in thinking that windows is now taking care of another thread and doing some window management? Or is tabledit calling those? Or triggering those with a semaphore maybe?
Anyway.. then another call, I see that it is some window stuff, and that a window is refreshed with Table edit 2.60 demo.. so I guess the checking for the correct serial was above.. maybe?
Then more freqasm/kernel/user..
Is there some debug files for windows dll that I can give to softice to see what is happening better ?
Then back to tabledit, back to freqasm/kernel/user, and I finally arrive at an event server loop (I think... made of TranslateAccelerator, TranslateMessage and DispatchMessageA), which makes me sure that the program has now decided that my password was no good.
So back to the first call.
I see that it first does some register access, and creates an entry with my username and password.
I'd expect the program to do that after it has validated my password... any idea why it happens before ? (or maybe I did not see the validation ?)
Then the program does some length calculation, checks if the username is not User, Registered, or Chafe (?)
Then it changes the first letter of the username to a capital..
It tries now to convert the password to a hex number at some point, which makes me believe that the password is a hex number.
Then a few other things happen, which I do not totally understand.. and then we are back in the main program..
If someone would care to see if I understand (at least something...) correctly, and give me a hint where the actual validation of the password takes place, I'll be thankful.
Also (yes I'm full of questions..) can I quickly go back to the main program when windoze decides to do kernel/user/freqasm stuff ?
Is there a way to see the stack more easily than displaying memory, then looking how the pointers/data items were entered and write it down ?
Why does SoftIce give me some addresses with segments, like
1234:004654567.
I thought that with 32 bit apps, segments/offsets were no longer used?
Do some segments still have a meaning?
Thanks !
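The sequence described in the post (length calculation, rejecting a few fixed usernames, upper-casing the first letter, then parsing the serial as a hex number) is the usual shape of a name/serial check, and it helps to have a reference routine with that shape to line the disassembly up against. The following C program is an added illustration written for this page; it is not Tabledit's code and the final comparison (`serial_for_name`, a made-up hash) is a placeholder, since the post does not say how the real serial is derived. The blocked-name list is taken from the post (the third entry is uncertain there). The one practical point it adds is that a plain `strtoul` stops at the first non-hex character, so a check that really wants "the password is a hex number" has to verify that the whole string was consumed.

```c
/* Hypothetical name/serial check with the structure the post describes.
 * Added example, not Tabledit's code; serial_for_name() is an assumption. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Names the poster saw rejected (the third is uncertain in the post). */
static const char *const blocked[] = { "User", "Registered", "Chafe" };

/* Placeholder serial derivation (assumption, NOT the real scheme): a rolling
 * hash over the normalised name, so the check below has something to compare. */
static uint32_t serial_for_name(const char *name) {
    uint32_t h = 0x2600u;                     /* arbitrary seed */
    for (; *name; name++)
        h = (h * 33u) ^ (unsigned char)*name;
    return h;
}

/* First letter to upper case, in place, as the poster observed. */
static int normalise_name(char *name) {
    if (name[0] == '\0') return 0;
    name[0] = (char)toupper((unsigned char)name[0]);
    return 1;
}

static int name_is_blocked(const char *name) {
    for (size_t i = 0; i < sizeof blocked / sizeof blocked[0]; i++)
        if (strcmp(name, blocked[i]) == 0) return 1;
    return 0;
}

/* Parse the serial as a 32-bit hex number. strtoul alone would accept
 * "12abXYZ" by stopping at 'X', so insist that the whole string was consumed
 * and that there was no sign or overflow. */
static int parse_hex_serial(const char *s, uint32_t *out) {
    char *end;
    if (*s == '\0' || *s == '-' || *s == '+') return 0;
    errno = 0;
    unsigned long v = strtoul(s, &end, 16);
    if (errno != 0 || *end != '\0' || v > 0xFFFFFFFFul) return 0;
    *out = (uint32_t)v;
    return 1;
}

/* Copy the user name into a bounded buffer and normalise it. */
static int prepare_name(const char *username, char *name, size_t cap) {
    size_t len = strlen(username);
    if (len == 0 || len >= cap) return 0;        /* length calculation */
    memcpy(name, username, len + 1);
    return normalise_name(name);
}

/* 1 = accepted, 0 = rejected. Same order of checks as in the post. */
int check_registration(const char *username, const char *serial) {
    char name[64];
    uint32_t key;
    if (!prepare_name(username, name, sizeof name)) return 0;
    if (name_is_blocked(name)) return 0;
    if (!parse_hex_serial(serial, &key)) return 0;
    return key == serial_for_name(name);
}

/* Keygen side of the same (hypothetical) scheme, for testing the check. */
uint32_t expected_serial(const char *username) {
    char name[64];
    if (!prepare_name(username, name, sizeof name)) return 0;
    return serial_for_name(name);
}

/* Generate a serial for a name and feed it back through the check. */
int roundtrip(const char *username) {
    char buf[9];
    snprintf(buf, sizeof buf, "%08x", expected_serial(username));
    return check_registration(username, buf);
}

int main(void) {
    const char *names[] = { "alice", "user", "Registered", "bob" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-11s serial %08x -> %s\n", names[i], expected_serial(names[i]),
               roundtrip(names[i]) ? "accepted" : "rejected");
    return 0;
}
```

When reading the real routine, the thing to look for is the equivalent of the last line of `check_registration`: the compare between the parsed hex value and whatever is computed from the name, and the conditional jump right after it. Note also that `strtoul` with base 16 accepts an optional `0x` prefix, so a check built on it behaves slightly differently from a hand-written hex loop.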