Please Help w/ FoolFox Tutorial


ftothe3
November 14th, 2002, 15:49
I'm a newbie (that's why I'm posting this here) trying to learn something from the tutorials. OK, so I opened up a few of them, then got around to reading FoolFox's Tutorial (http://www.woodmann.net/fravia/ffx_ftpp2.txt) [target: PrimaSoft AutoFTP premium v3.4]. I have Win32Dasm 8.93 and WinHex 10.55 (like him). I followed the tutorial closely... the only problem I'm having is not being able to find the string refs "Code Accepted! Thank you for registering " and "Code Not Accepted! Please try " in Win32Dasm. This is the code I get in Win32Dasm:
:004C877E 668B0DB8874C00 mov cx, word ptr [004C87B8]
:004C8785 B202 mov dl, 02
:004C8787 B8C4874C00 mov eax, 004C87C4
:004C878C E80FFAF8FF call 004581A0
:004C8791 EB15 jmp 004C87A8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C877A(C)
|
:004C8793 6A00 push 00000000
:004C8795 668B0DB8874C00 mov cx, word ptr [004C87B8]
:004C879C B202 mov dl, 02

BUT in the tutorial he gets this code:
:004C877E 668B0DB8874C00 mov cx, word ptr [004C87B8]
:004C8785 B202 mov dl, 02

* Possible StringData Ref from Code Obj ->"Code Accepted! Thank you for registering "
->"our software."

|
:004C8787 B8C4874C00 mov eax, 004C87C4
:004C878C E80FFAF8FF call 004581A0
:004C8791 EB15 jmp 004C87A8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C877A(C)
|
:004C8793 6A00 push 00000000
:004C8795 668B0DB8874C00 mov cx, word ptr [004C87B8]
:004C879C B202 mov dl, 02

Why aren't I getting this "StringData Ref"?!?!
BTW: I followed the rest of the tutorial and got the serial... but without this "StringData Ref", I wouldn't have known where to begin!

FoolFox
November 14th, 2002, 16:19
Hello,

In order to reproduce your steps, I've just DL'd the target and the shareware version of W32Dasm. As I couldn't get it right now from members.cox.net/w32dasm (trouble with the connection right now), I've grabbed it from h**p://www.downseek.com/download/21279.asp, which should be just the plain demo version.

So I ran the setup again (the previous one was erased a while ago); I don't think there was any trace of the previous cracked version on my HD, and the installed FTP was reacting as a normal shareware version (nag screen, etc...)

I've taken it under the demo version of W32Dasm I've just DL'd, and using String reference, I got among others:

"CoAddRefServerProcess"
"CoCreateInstanceEx"
"Code Accepted! Thank you for registering "
"Code Not Accepted! Please try "
"CoInitializeEx"
"COMBOBOX"

Double clicking on the string directly led me to:

:004C877E 668B0DB8874C00 mov cx, word ptr [004C87B8]
:004C8785 B202 mov dl, 02

* Possible StringData Ref from Code Obj ->"Code Accepted! Thank you for registering "
->"our software."
|
:004C8787 B8C4874C00 mov eax, 004C87C4
:004C878C E80FFAF8FF call 004581A0
:004C8791 EB15 jmp 004C87A8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C877A(C)
|
:004C8793 6A00 push 00000000


So, right now I'm not really able to figure out why you didn't get the output as you should.

As the tutorial was clearly targeting newbies, I found it quite disappointing that you could not get the result I got, and I'm really willing to find out why, in order to update the tutor. So,

- What OS are you running on?
- What kind of processor are you using?
- What are your regional settings?
- Are you using a special character set?

Anything you can think about, just PM or mail me the info, and if you can recall where you got your copy of W32Dasm (I've got so many versions myself: demo, c*...., patched....)


Right now, what you could try is to reproduce the whole stage using OllyDebug; I've just checked it, you should be able to follow each stage with it, as in W32Dasm. Once OllyDebug is loaded, right click on the code, select 'search for', then 'all referenced text string'. Among the results you should get:

Text strings referenced in Ftpprem:CODE, item 8493
Address=004D61DD
Disassembly=MOV EAX,Ftpprem.004D623C
Text string=ASCII "Code Accepted! Thank you for registering our software."

From there, reproducing the W32Dasm stage should be quite easy... but I'm still willing to understand why you didn't get it directly with W32Dasm....

I've done it under WinNT 4.0 & Windows 98. Same results.

Regards
Foolfox
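What W32Dasm labels a "Possible StringData Ref" is, in essence, an instruction whose immediate operand (here the `mov eax, 004C87C4` shown above) points into the image at an address where a printable, NUL-terminated string lives. The following script, added here as an illustration and not code from the tutorial or from W32Dasm, rebuilds a small image fragment from the instruction bytes quoted in this thread, places the "Code Accepted!" message at 0x004C87C4 (the padding between code and string is an assumption), and then scans for `mov eax, imm32` (opcode B8) whose immediate lands on such a string. The linear byte scan is deliberately naive: the B8 byte inside `mov cx, word ptr [004C87B8]` is also examined and rejected because its "immediate" is not an address inside the image, which is exactly why the disassembler only calls these references "possible".

```python
import struct

# Constructed sample image fragment for VA 0x004C877E onward, assembled from the
# instruction bytes quoted in the thread plus the string placed at 0x004C87C4.
# The zero padding between code and string is an assumption, not the real file.
IMAGE_START_VA = 0x004C877E
CODE_BYTES = bytes.fromhex(
    "668B0DB8874C00"   # mov cx, word ptr [004C87B8]  (contains a stray B8 byte)
    "B202"             # mov dl, 02
    "B8C4874C00"       # mov eax, 004C87C4  <- immediate points at the string
    "E80FFAF8FF"       # call 004581A0
    "EB15"             # jmp 004C87A8
    "6A00"             # push 00000000
    "668B0DB8874C00"   # mov cx, word ptr [004C87B8]
    "B202"             # mov dl, 02
)
STRING_VA = 0x004C87C4
MESSAGE = b"Code Accepted! Thank you for registering our software."
IMAGE = (CODE_BYTES
         + b"\x00" * (STRING_VA - IMAGE_START_VA - len(CODE_BYTES))
         + MESSAGE + b"\x00")


def read_c_string(image, offset, min_len=4):
    """Return the printable, NUL-terminated ASCII string at offset, or None."""
    end = image.find(b"\x00", offset)
    if end == -1:
        return None
    raw = image[offset:end]
    if len(raw) < min_len or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def find_string_refs(image, base_va, code_len):
    """Naively scan the first code_len bytes for 'mov eax, imm32' (opcode B8)
    whose immediate points at a printable string inside the image.
    Returns a list of (instruction_va, target_va, text)."""
    refs = []
    for off in range(code_len):
        if image[off] != 0xB8 or off + 5 > len(image):
            continue
        imm = struct.unpack_from("<I", image, off + 1)[0]
        if not base_va <= imm < base_va + len(image):
            continue  # not an address inside this image: false hit on a B8 byte
        text = read_c_string(image, imm - base_va)
        if text is not None:
            refs.append((base_va + off, imm, text))
    return refs


if __name__ == "__main__":
    for insn_va, target, text in find_string_refs(IMAGE, IMAGE_START_VA, len(CODE_BYTES)):
        print(f'{insn_va:08X}: mov eax, {target:08X} -> "{text}"')
```

Run as-is it reports the single reference at 004C8787; a real tool walks instruction boundaries instead of scanning every byte, but the acceptance test (immediate inside the image, printable text at the target) is the same idea.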

ftothe3
November 14th, 2002, 17:52
Thanks for the really quick reply, FoolFox!
OK, this is my system info...
OS: Win XP (NO SP1)
Processor: Athlon XP 1800+ (Intel sucks :-P)
Regional settings: United States
Special character set: none

Anyway... I decided to try downloading another version of Win32Dasm... and it worked!!!! I downloaded it from the link you gave me and another link (http://www.exetools.com/files/disassemblers/wdasm89.zip) BOTH WORKED! This is the weirdest thing ever.
You probably don't believe that it didn't work with my other version, so here are two screenshots: (hosted on my Apache webserver.. yes I live in New York)
http://ftothe3.dnsalias.com:6080/stringrefwindow.JPG
http://ftothe3.dnsalias.com:6080/stringrefnotincode.JPG
(side note: my service provider doesn't let me host on port 80)
IF for some reason you want to download the version of W32Dasm that was giving me trouble, here it is: http://ftothe3.dnsalias.com:6080/W32Dasm.zip (I just zipped it)

WOW.. thank you.. now I know why ALL those tutorials weren't working!!!!!!!!!! (sorry, maybe I'm a little too excited)

crUsAdEr
November 14th, 2002, 18:53
Hi guys,

This might not help, but I have encountered this problem before with W32Dasm not showing string references... that is, an unpacked file with its data section flagged as "uninitialised data"; then W32Dasm will not be able to get string references...

Also, I think you need a W32Dasm patch for it to show Unicode string references...

FoolFox: kickass tutorial for newbies, very nice.. just a small comment
++++++++++++++++++++++++++++++++++++++
Go back to W32Dasm, and search for the string "Code not accepted". Notice that we
are not going through the String reference menu, which will only show you the
FIRST occurrence of the string. We want to see all places where this string is used.
That's why the search should be done through the search menu, and not the string
ref menu.
++++++++++++++++++++++++++++++++++++++

That is not true; you can double click on the string in the string reference box and W32Dasm will bring you to the next reference if any... not very important, but ah well.. thought I would just let you know..

cheers
crUsAdEr
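The point about a data section flagged as "uninitialised data" can be checked directly from the PE section table: each IMAGE_SECTION_HEADER carries a SizeOfRawData and a Characteristics bitmask, and a section that has bytes on disk but is flagged only with IMAGE_SCN_CNT_UNINITIALIZED_DATA is the case described. The script below is an added example, not code from any poster or tool on this page; it parses section headers with the standard 40-byte layout, flags that inconsistency, and is exercised on a constructed section table (the Delphi-style CODE/DATA/BSS names and sizes are made up for the demo). `load_section_table` reads the same table from a real file on disk.

```python
import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)  # 40

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_section_table(table, count):
    """Decode `count` consecutive section headers from a raw section table."""
    sections = []
    for i in range(count):
        f = struct.unpack_from(SECTION_FMT, table, i * SECTION_SIZE)
        sections.append({
            "name": f[0].rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": f[1],
            "virtual_address": f[2],
            "raw_size": f[3],
            "raw_pointer": f[4],
            "characteristics": f[9],
        })
    return sections


def sections_with_mislabelled_data(sections):
    """Names of sections that carry bytes on disk yet are flagged only as
    uninitialised data; a disassembler may skip such a section when it
    collects string references."""
    content_flags = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_CNT_CODE
    return [
        s["name"] for s in sections
        if s["raw_size"] > 0
        and s["characteristics"] & IMAGE_SCN_CNT_UNINITIALIZED_DATA
        and not s["characteristics"] & content_flags
    ]


def load_section_table(path):
    """Read the section table of a PE file: MZ header -> e_lfanew -> PE header."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table_off = pe_off + 4 + 20 + opt_size  # signature + IMAGE_FILE_HEADER + optional header
    return parse_section_table(data[table_off:], num_sections)


def _header(name, vsize, vaddr, rawsize, rawptr, chars):
    """Build one constructed section header for the demo table."""
    return struct.pack(SECTION_FMT, name.ljust(8, b"\x00"),
                       vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)


# Constructed sample: CODE is fine, DATA has raw bytes but is flagged as
# uninitialised (the problem case), BSS is legitimately uninitialised.
SAMPLE_TABLE = (
    _header(b"CODE", 0x3000, 0x1000, 0x3000, 0x400,
            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    + _header(b"DATA", 0x800, 0x4000, 0x800, 0x3400,
              IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    + _header(b"BSS", 0x1000, 0x5000, 0, 0,
              IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
)

if __name__ == "__main__":
    secs = parse_section_table(SAMPLE_TABLE, 3)
    for s in secs:
        print(f"{s['name']:8} raw={s['raw_size']:#07x} flags={s['characteristics']:#010x}")
    print("mislabelled:", sections_with_mislabelled_data(secs))
```

On a real file, `sections_with_mislabelled_data(load_section_table("target.exe"))` gives the same answer; an empty list means the section flags are not the reason strings are missing.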

FoolFox
November 15th, 2002, 08:20
Hello,

crUsAdEr: Thanks for the info, I thought it didn't work, probably tried it wrongly once or twice and didn't retry.... will review the tutor..

ftothe3: Glad to hear you finally got something. I have taken your copy of W32Dasm and got the same results; I'll compare it with the one I got and try to find out why this one didn't report all strings, as crUsAdEr has stated, probably a question of patching somewhere.....

I'll let you know if I find something about it...

Regards
FoolFox

FoolFox
November 15th, 2002, 14:21
Hello,

OK, there are two bytes that differ between your W32Dasm and the standard distribution:

If I take the first version you tried:

00417568 |. 75 28 JNZ SHORT W32bad.00417592
0041756A |. 8D85 98F4FFFF LEA EAX,DWORD PTR SS:[EBP-B68] <= this is the modified value
00417570 |. 50 PUSH EAX ; /String
00417571 |. E8 DE760900 CALL <JMP.&KERNEL32.lstrlenA> ; \lstrlenA
00417576 |. 83F8 04 CMP EAX,4


In the standard edition, the value is:

0041756A |. 8D85 28F6FFFF LEA EAX,DWORD PTR SS:[EBP-9D8]


And this code is exactly the loop that will fetch all strings; if you trace the code in the standard version, you'll see all strings coming one after the other, while using your version nearly all strings returned are empty.

I don't understand the point of doing this modification. It has probably been patched (I would find it quite strange that a corrupted download would result in just those two address bytes changed), but I don't understand what it would have been patched this way in order to get. Maybe someone more experienced can give a hint about it??

Regards
FoolFox
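The two-byte difference above is the kind of thing a byte-level comparison against a trusted copy finds immediately, and the `disp32` of the LEA decodes to the stack offsets quoted in both listings. The following script is an added example, not FoolFox's own method or any tool from this thread; it rebuilds the two five-instruction sequences from the bytes quoted above (assuming the listing starts at 0x00417568 and that nothing else in the snippet differs), reports the differing offsets, and decodes the signed displacement of `lea eax, [ebp+disp32]` (opcode 8D 85) so that -0x9D8 and -0xB68 fall out of the raw bytes. `diff_files` applies the same comparison to two downloads on disk, which is the practical check before trusting a tool from an unknown mirror.

```python
import struct

# Constructed from the two instruction listings quoted in the thread; only the
# five instructions shown are reproduced, assumed to start at VA 0x00417568.
LISTING_BASE_VA = 0x00417568
STANDARD = bytes.fromhex(
    "7528"          # jnz short 00417592
    "8D8528F6FFFF"  # lea eax, [ebp-9D8]   (standard edition)
    "50"            # push eax
    "E8DE760900"    # call <jmp.&KERNEL32.lstrlenA>
    "83F804"        # cmp eax, 4
)
MODIFIED = bytes.fromhex(
    "7528"
    "8D8598F4FFFF"  # lea eax, [ebp-B68]   (the copy that lost its strings)
    "50"
    "E8DE760900"
    "83F804"
)


def byte_diff(a, b):
    """Offsets where two equal-length byte strings differ, as (offset, a, b)."""
    if len(a) != len(b):
        raise ValueError("inputs differ in length; compare sizes before diffing")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def lea_eax_ebp_disp32(code, off):
    """Decode 'lea eax, [ebp+disp32]' (8D 85 disp32) at off and return the
    signed 32-bit displacement."""
    if code[off:off + 2] != b"\x8D\x85":
        raise ValueError(f"no 'lea eax,[ebp+disp32]' at offset {off:#x}")
    return struct.unpack_from("<i", code, off + 2)[0]


def report(a, b, base_va):
    """Human-readable diff lines: VA of each differing byte and both values."""
    return [f"{base_va + off:08X}: {x:02X} -> {y:02X}" for off, x, y in byte_diff(a, b)]


def diff_files(path_a, path_b):
    """Byte-diff two on-disk copies, e.g. a trusted download vs. one of unknown origin."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return byte_diff(fa.read(), fb.read())


if __name__ == "__main__":
    for line in report(STANDARD, MODIFIED, LISTING_BASE_VA):
        print(line)
    print(f"standard lea: ebp{lea_eax_ebp_disp32(STANDARD, 2):+#x}")
    print(f"modified lea: ebp{lea_eax_ebp_disp32(MODIFIED, 2):+#x}")
```

The displacement is stored little-endian as a two's-complement value, so 28 F6 FF FF is 0xFFFFF628, i.e. -0x9D8, and 98 F4 FF FF is 0xFFFFF498, i.e. -0xB68: the patched copy reads its string buffer from a different stack slot, which is consistent with the empty strings described above. Comparing a fresh download against a known-good copy or a published hash is the same check in practice.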

?ferret
November 26th, 2002, 02:21
Maybe it's the version patched to show VB string refs?

(It's been a while since I've bothered with the patched version, but I remember I used to keep both versions of the executable because the patched one would give odd results on "normal" exes)

Just an idea...

FoolFox
November 26th, 2002, 08:44
Hello,

I thought also of something like that; I've got several versions of w32dasm, but the one I got patched for VB strings is not exactly the same version as the one I got not patched, so if I try to locate what the patch has modified I actually find too many results. Still trying to get two of the same version, one patched and the other one not, in order to check if that was the case... but it seems I've also tried several versions of w32dasm and none of mine acted like the one of ftothe3.. (in each case I was able to see the messages)...

Still looking..

Regards
FoolFox