newbcrk
April 20th, 2003, 10:27
Hello,
Need help of course. Could you read this?
: wr
:bpx getwindowtextA
Break due to BPX USER32!GetWindowTextA (ET=1.73 seconds)
Break due to BPX USER32!GetWindowTextA (ET=.53 microseconds)
Break due to BPX USER32!GetWindowTextA (ET=.54 microseconds)
:bpm 00AC6020 ;I have typed this because 00AC6020 contains my false serial number
(I have chosen 123456789 and done d ECX, which answers 0023:00AC6020 and 123456789 in my wd)
-I can't use bpr because I am under NT
-I am under a file of my target which is a .dll file
Break due to BPMB #0010:00AC6020 RW DR3 (ET=336.36 microseconds)
MSR LastBranchFromIp=77F9102A
MSR LastBranchToIp=77F91139
Break due to BPMB #0010:00AC6020 RW DR3 (ET=227.88 microseconds)
MSR LastBranchFromIp=1000764D
MSR LastBranchToIp=1000E2F0
:U 1000E320 L FF
001B:1000E320 8BC8 MOV ECX,EAX
001B:1000E322 83E103 AND ECX,03
001B:1000E325 F3A4 REPZ MOVSB
001B:1000E327 8BAC24B8010000 MOV EBP,[ESP+000001B8]
001B:1000E32E B9FFFFFFFF MOV ECX,FFFFFFFF
001B:1000E333 8BFD MOV EDI,EBP
001B:1000E335 2BC0 SUB EAX,EAX
001B:1000E337 F2AE REPNZ SCASB ; I HAVE BREAK HERE in my target. Repeat not zero and scan the string 123456789 perhaps? Not easy for me to trace the false code after this instruction.
I have lost the false value of my serial here.
I don't understand how the false value is manipulated, pushed, proved, how to find the value which has probably been pushed in another register... So I can't see where the false serial is compared with the right serial.
I have tried s 0 l ffffffff '123456789' too, same problem. I don't understand the ASM code.
001B:1000E339 F7D1 NOT ECX
001B:1000E33B 2BF9 SUB EDI,ECX
001B:1000E33D 8BC1 MOV EAX,ECX
001B:1000E33F C1E902 SHR ECX,02
001B:1000E342 8BF7 MOV ESI,EDI
001B:1000E344 8DBC24AC000000 LEA EDI,[ESP+000000AC]
001B:1000E34B F3A5 REPZ MOVSD
001B:1000E34D 8BC8 MOV ECX,EAX
001B:1000E34F 83E103 AND ECX,03
001B:1000E352 F3A4 REPZ MOVSB
001B:1000E354 8D8C242C010000 LEA ECX,[ESP+0000012C]
001B:1000E35B 8B35DC8A0110 MOV ESI,[10018ADC]
001B:1000E361 51 PUSH ECX
001B:1000E362 FFD6 CALL ESI
001B:1000E364 8D8C24B0000000 LEA ECX,[ESP+000000B0]
001B:1000E36B 83C404 ADD ESP,04
001B:1000E36E 8BFB MOV EDI,EBX
001B:1000E370 51 PUSH ECX
001B:1000E371 FFD6 CALL ESI
001B:1000E373 83C404 ADD ESP,04
001B:1000E376 B9FFFFFFFF MOV ECX,FFFFFFFF
001B:1000E37B 2BC0 SUB EAX,EAX
001B:1000E37D F2AE REPNZ SCASB
001B:1000E37F F7D1 NOT ECX
001B:1000E381 49 DEC ECX
001B:1000E382 0F84FB030000 JZ 1000E783
001B:1000E388 8BFD MOV EDI,EBP
001B:1000E38A B9FFFFFFFF MOV ECX,FFFFFFFF
001B:1000E38F 2BC0 SUB EAX,EAX
001B:1000E391 F2AE REPNZ SCASB
001B:1000E393 F7D1 NOT ECX
001B:1000E395 49 DEC ECX
001B:1000E396 0F84E7030000 JZ 1000E783
001B:1000E39C 8D84242C010000 LEA EAX,[ESP+0000012C]
001B:1000E3A3 50 PUSH EAX
001B:1000E3A4 E887FEFFFF CALL 1000E230
001B:1000E3A9 8D8424B0000000 LEA EAX,[ESP+000000B0]
001B:1000E3B0 83C404 ADD ESP,04
001B:1000E3B3 50 PUSH EAX
001B:1000E3B4 E877FEFFFF CALL 1000E230
001B:1000E3B9 8DBC2430010000 LEA EDI,[ESP+00000130]
001B:1000E3C0 83C404 ADD ESP,04
001B:1000E3C3 B9FFFFFFFF MOV ECX,FFFFFFFF
001B:1000E3C8 2BC0 SUB EAX,EAX
001B:1000E3CA F2AE REPNZ SCASB
001B:1000E3CC F7D1 NOT ECX
001B:1000E3CE 8DBC24AC000000 LEA EDI,[ESP+000000AC]
001B:1000E3D5 2BC0 SUB EAX,EAX
001B:1000E3D7 8D51FF LEA EDX,[ECX-01]
001B:1000E3DA B9FFFFFFFF MOV ECX,FFFFFFFF
001B:1000E3DF F2AE REPNZ SCASB
001B:1000E3E1 F7D1 NOT ECX
001B:1000E3E3 49 DEC ECX
001B:1000E3E4 4A DEC EDX
001B:1000E3E5 83FA09 CMP EDX,09
001B:1000E3E8 8BC2 MOV EAX,EDX
001B:1000E3EA 894C241C MOV [ESP+1C],ECX
001B:1000E3EE 7C05 JL 1000E3F5
001B:1000E3F0 B809000000 MOV EAX,00000009
001B:1000E3F5 89442424 MOV [ESP+24],EAX
001B:1000E3F9 83FA04 CMP EDX,04
001B:1000E3FC 8BC2 MOV EAX,EDX
001B:1000E3FE 7C05 JL 1000E405
001B:1000E400 B804000000 MOV EAX,00000004
001B:1000E405 89442410 MOV [ESP+10],EAX
001B:1000E409 83FA07 CMP EDX,07
001B:1000E40C 7C05 JL 1000E413
001B:1000E40E BA07000000 MOV EDX,00000007
001B:1000E413 8B44241C MOV EAX,[ESP+1C]
001B:1000E417 89542428 MOV [ESP+28],EDX
001B:1000E41B 48 DEC EAX
001B:1000E41C 83F808 CMP EAX,08

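As an added example (not part of the original post), this C model shows what the compiler idiom in the listing computes: the MOV ECX,FFFFFFFF / SUB EAX,EAX / REPNZ SCASB / NOT ECX sequence is an inlined strlen, and the CMP/JL pairs at 1000E3E5..1000E413 clamp the length to 9, 4 and 7 before the stores to [ESP+24], [ESP+10] and [ESP+28]. The buffer contents are constructed sample input; the slot names mirror the listing's [ESP+xx] operands.

```c
#include <stdint.h>

/* Inlined strlen idiom at 1000E3C3..1000E3CC (and 1000E32E..1000E339):
 *   MOV ECX,FFFFFFFF ; SUB EAX,EAX ; REPNZ SCASB ; NOT ECX
 * AL = 0 is the byte searched for, ECX counts down per byte scanned,
 * so after NOT, ECX holds strlen(s) + 1 (the NUL is counted). */
static uint32_t scasb_len_plus_one(const char *s)
{
    uint32_t ecx = 0xFFFFFFFFu;           /* MOV ECX,FFFFFFFF */
    const char *edi = s;                  /* EDI -> buffer */
    while (ecx != 0) {                    /* REPNZ SCASB */
        ecx--;
        if (*edi++ == 0)                  /* byte == AL (0): ZF set, stop */
            break;
    }
    return ~ecx;                          /* NOT ECX */
}

/* Stack slots written by 1000E3D7..1000E41C. Slot names follow the
 * [ESP+xx] operands in the listing; JL is a signed compare, so the
 * clamps are signed min() operations. */
struct slots {
    int32_t len1;       /* LEA EDX,[ECX-01]: strlen of [ESP+130] */
    int32_t esp_1C;     /* NOT ECX ; DEC ECX: strlen of [ESP+AC]  */
    int32_t esp_24;     /* min(len1-1, 9)  via CMP EDX,09 / JL   */
    int32_t esp_10;     /* min(len1-1, 4)  via CMP EDX,04 / JL   */
    int32_t esp_28;     /* min(len1-1, 7)  via CMP EDX,07 / JL   */
    int32_t eax_final;  /* [ESP+1C] - 1, the value CMP EAX,08 tests */
};

static int32_t min_signed(int32_t a, int32_t b) { return a < b ? a : b; }

/* s1 models the buffer at [ESP+130], s2 the one at [ESP+AC] (constructed). */
struct slots model_length_block(const char *s1, const char *s2)
{
    struct slots r;
    int32_t edx = (int32_t)scasb_len_plus_one(s1) - 1;  /* LEA EDX,[ECX-01] */
    int32_t ecx = (int32_t)scasb_len_plus_one(s2) - 1;  /* NOT ECX ; DEC ECX */
    r.len1   = edx;
    r.esp_1C = ecx;                                      /* MOV [ESP+1C],ECX */
    edx -= 1;                                            /* DEC EDX */
    r.esp_24 = min_signed(edx, 9);                       /* MOV [ESP+24],EAX */
    r.esp_10 = min_signed(edx, 4);                       /* MOV [ESP+10],EAX */
    r.esp_28 = min_signed(edx, 7);                       /* MOV [ESP+28],EDX */
    r.eax_final = ecx - 1;                               /* DEC EAX ; CMP EAX,08 */
    return r;
}
```

The REPZ MOVSD / AND ECX,03 / REPZ MOVSB pair that follows the first strlen at 1000E33F..1000E352 is the matching inlined copy of those strlen+1 bytes into [ESP+AC], which is why the entered string reappears in a second buffer.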