
Pseudo_code Exercise


evaluator
May 15th, 2003, 07:32
For newbies' practice,
I ripped & rearranged a little snippet of PSEUDO_CODE,
because the original target will not exist after some time..

Gaia
May 15th, 2003, 11:11
Hi evaluator!

I am sure that my rebuild is 99% your "original" exe, am I wrong?

It is not difficult if you look at the correct ESP

Gaia

evaluator
May 15th, 2003, 16:24
Yep, you have 2 NOPs!

HINT:
before "and ecx,0000000FF"..

Gaia
May 15th, 2003, 17:35
Uppss, I forgot the "mov ecx, eax"

Gaia

sope
May 16th, 2003, 02:35
Hello evaluator / Gaia

Thanks evaluator for the exercise & Gaia for the solution.
I need to ask how you knew

(1) @401003 it should be 6AFF
(2) @401005 it should be 0x68
(3) @40100A it should be 0x68
(4) @401021 it should be 0x57
(5) @40102C it should be 0x2BD2
(6) @401057 it should be 0x6A01

In the code below, the ones in dark black I was not able to find. The rest I did see in the code were recovered from execution of the program & some from stack manipulation.
Does it mean we have to reconstruct it with

->> trial & error?
->> or we have to know which compiler is used & then reconstruct it appropriately
->> or I am failing to understand the concept behind it.

Also, how did you know these recovered bytes would fit at this particular offset? I might sound lame but I need to understand it.

Two things I definitely learnt from this exercise: we have to be very careful while pressing F8 or F10; with one or two quick presses we might lose important DWORDs from the stack which we need to note down. The second important thing is recovering code from stack manipulation.

Regards

Sope!
Code:
:00401000 55 push ebp
:00401001 8B EC mov ebp, esp
:00401003 6A FF push 0FFFFFFFFh
:00401005 68 A8 2F 4B 00 push 4B2FA8h ; 0x40312F
:0040100A 68 90 10 40 00 push (offset aDl+5)
:0040100F 64 FF 35 00 00 00 00 push large dword ptr fs:0 ; 0x4039C0
:00401016 64 89 25 00 00 00 00 mov large fs:0, esp ; 0x403587
:0040101D 83 EC 58 sub esp, 58h
:00401020 53 push ebx ; either from 403CE5 / 403C83 / 403A8E / 402AF2 / 4027F8 ?
:00401021 56 push esi ; 0x4032D6 ?
:00401022 57 push edi ; ?
:00401023 89 65 E8 mov [ebp+var_18], esp ; 0x402238
:00401026 FF 15 54 40 40 00 call ds:GetVersio
:0040102C 2B D2 sub edx, edx
:0040102E 88 E2 mov dl, ah ; 0x401F63
:00401030 89 15 C8 41 40 00 mov ds:4041C8h, edx
:00401036 8B C8 mov ecx, eax
:00401038 81 E1 FF 00 00 00 and ecx, 0FFh ; 0x401F6D
:0040103E 89 0D C4 41 40 00 mov ds:4041C4h, ecx ; 0x40334B
:00401044 C1 E1 08 shl ecx, 8
:00401047 01 D1 add ecx, edx
:00401049 89 0D C0 41 40 00 mov ds:4041C0h, ecx ; 0x402DA6
:0040104F C1 E8 10 shr eax, 10h
:00401052 A3 BC 41 40 00 mov ds:4041BCh, eax
:00401057 6A 01 push 1 ; i got 01 but 6A = ?
:00401059 E8 2C 00 00 00 call nullsub_1 ; 0x401059
:0040105E 59 pop ecx
:0040105F 6A 00 push 0
:00401061 68 00 11 40 00 push offset aFinish
:00401066 68 00 11 40 00 push offset aFinish
:0040106B 6A 00 push 0
:0040106D FF 15 70 40 40 00 call ds:MessageBoxA
:00401073 64 8B 25 00 00 00 00 mov esp, large fs:0
:0040107A 64 8F 05 00 00 00 00 pop large dword ptr fs:0
:00401081 C9 leave
:00401082 6A 00 push 0
:00401084 FF 15 50 40 40 00 call ds:ExitProcess

evaluator
May 16th, 2003, 03:22
so Finish comes to us..

1. So, "THIS IS A QUESTION", 6Ah or 68h for push.
I'm sure all-1 compilers use 6Ah when it gives an adequate result.
& also: if you use 68h anyway, then the code size will be different, OK?

2. & on 6AFFh SVKP sux! It makes 000000FFh. (or is it a trick?)
In my case I corrected this situation.

3. Yes, MOV ECX,EAX is correct, BUT!
The compiler does:
PUSH EAX;
POP ECX;
!!heh??
But we know this doesn't matter (as with SUB EDX,EDX or XOR EDX,EDX).

EnjoE

For the final move, the prog that I compared is the game DYNOMITE
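sope's question (how do you know which recovered bytes fit at a given offset, and 6Ah or 68h for push) comes down to instruction length: PUSH imm has a 2-byte form (6A ib, sign-extended) and a 5-byte form (68 id), so the address of the next instruction in the listing fixes which form was used. The Python below is an added example, not code from the thread; it re-encodes the pushes of the first block from the listed addresses and the recovered operands, shows how forcing 68h shifts every later address, and shows that 6A FF decodes to 0FFFFFFFFh rather than 000000FFh (evaluator's point 2).

```python
import struct

def encode_push_imm(value, force_imm32=False):
    """Encode PUSH imm32. A value that fits a sign-extended byte takes the 2-byte
    form 6A ib; anything else takes the 5-byte form 68 id. force_imm32 always
    emits 68 id, as a tool that never picks the short form would."""
    v = value & 0xFFFFFFFF
    signed = v - (1 << 32) if v & 0x80000000 else v
    if not force_imm32 and -128 <= signed <= 127:
        return b"\x6a" + struct.pack("<b", signed)
    return b"\x68" + struct.pack("<I", v)

def decode_push_imm(code):
    """Decode the PUSH imm at code[0] -> (32-bit operand, length). The imm8 of
    6A ib is sign-extended, so 6A FF is push 0FFFFFFFFh, not push 000000FFh."""
    if code[0] == 0x6A:
        return struct.unpack("<b", code[1:2])[0] & 0xFFFFFFFF, 2
    if code[0] == 0x68:
        return struct.unpack("<I", code[1:5])[0], 5
    raise ValueError("not a PUSH imm")

def fit_push_between(start, next_addr, value):
    """Choose the PUSH encoding whose length equals the gap to the next listed
    instruction: a 2-byte gap forces 6A, a 5-byte gap forces 68."""
    for force in (False, True):
        enc = encode_push_imm(value, force)
        if len(enc) == next_addr - start:
            return enc
    raise ValueError(f"no PUSH imm encoding of {value:#x} is {next_addr - start} bytes")

# Addresses copied from the listing in the thread; operands are the values
# recovered while running the program (push -1, push 4B2FA8h, push offset aDl+5).
PUSHES = [(0x401003, 0x401005, -1),
          (0x401005, 0x40100A, 0x4B2FA8),
          (0x40100A, 0x40100F, 0x401090)]

def rebuild_prologue(long_push=False):
    """Bytes 401000h..401015h of the listing. long_push=True uses 68 id for every
    push, which is what makes the code size different."""
    code = b"\x55\x8b\xec"                            # push ebp / mov ebp, esp
    for start, nxt, val in PUSHES:
        code += encode_push_imm(val, True) if long_push else fit_push_between(start, nxt, val)
    return code + b"\x64\xff\x35\x00\x00\x00\x00"     # push large dword ptr fs:0

def next_instruction_address(long_push=False):
    """Where 'mov large fs:0, esp' must start; the listing says 401016h."""
    return 0x401000 + len(rebuild_prologue(long_push))

if __name__ == "__main__":
    print(rebuild_prologue().hex(), hex(next_instruction_address()), hex(next_instruction_address(True)))
```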

sope
May 16th, 2003, 07:59
Hello evaluator

Thanks for your explanation & thanks for the "BLOCK start is 21 bytes long" hint. Now I do understand what you mean by it.

Regards
Sope!

Dedec0
August 16th, 2003, 23:02
Hello all,

I can't figure the contents of that first attachment in this thread. Is it correct? Any guess of what may be wrong then?

Thank you.

Dedec0

sope
August 17th, 2003, 02:46
Hello Dedec0

I d/l'd the zip file you mentioned & I don't see any problems with it. It's perfect. OR

If you are talking about the pseudo_code.exe itself then I guess you need to read this thread first (http://www.woodmann.net/forum/showthread.php?threadid=4786) for a better understanding of what it does & for what purpose it was made for us to learn.

Regards, Sope.

Dedec0
August 17th, 2003, 05:29
Thank you very much, sope,

I was talking about the attachment (the first "pseudo_code.zip"). I just found out what the problem was. I can now see the file's contents.

Read further, curious... (http://www.woodmann.net/forum/showthread.php?postid=28718#post28718)

Regards,

Dedec0