
To understand a break and an API


newbcrk
May 30th, 2003, 03:59
Hello, could you explain what I have done with this crackme.


The crackme is given in the post "searching wrong serail under softice"; it is packed with UPX.

I do this:

Bpx getwindowtextA

017F:00452C3C 80BBA400000000 CMP BYTE PTR [EBX+000000A4],00
017F:00452C43 7420 JZ 00452C65
017F:00452C45 6800010000 PUSH 00000100
017F:00452C4A 8D442404 LEA EAX,[ESP+04]
017F:00452C4E 50 PUSH EAX ;; don't understand: EAX = 21 = maximum number of characters, but I can type more than 21 characters in my buffers, and which buffer? I have got three buffers

017F:00452C4F 8B4330 MOV EAX,[EBX+30] ;; don't understand
;; I am waiting for a string by typing d eax or d ebx+30
017F:00452C52 50 PUSH EAX ;; EAX = 21, strange handle isn't it?
017F:00452C53 E83C41FBFF CALL USER32!GetWindowTextA ;; I land here
;; I have entered this call, nothing interesting, I land in a file user32; I type F12, a JMP, and I land after the call. This could be why the parameters are not useful
;;

int GetWindowText(
HWND hWnd, // handle of window or control with text
LPTSTR lpString, // address of buffer for text
int nMaxCount // maximum number of characters to copy
);


017F:00452C58 8BC8 MOV ECX,EAX
017F:00452C5A 8BD4 MOV EDX,ESP ;; d edx = name of my window; strange, I am waiting for a text buffer, not a text window
017F:00452C5C 8BC6 MOV EAX,ESI ;; EAX = address of a handle?
017F:00452C5E E8D516FBFF CALL 00404338
017F:00452C63 EB0D JMP 00452C72
017F:00452C65 8BC6 MOV EAX,ESI
017F:00452C67 8B938C000000 MOV EDX,[EBX+0000008C]
017F:00452C6D E82A16FBFF CALL 0040429C

naides
May 30th, 2003, 09:53
Quote:
Originally posted by newbcrk
Hello, could you explain what I have done with this crackme.


The crackme is given in the post "searching wrong serail under softice"



Bpx getwindowtextA



017F:00452C3C 80BBA400000000 CMP BYTE PTR [EBX+000000A4],00
017F:00452C43 7420 JZ 00452C65
017F:00452C45 6800010000 PUSH 00000100 ;; FIRST PUSH, AND LAST PARAMETER FOR GetWindowText: MaxCount == 100h
017F:00452C4A 8D442404 LEA EAX,[ESP+04]
017F:00452C4E 50 PUSH EAX ;; don't understand: EAX = 21 = maximum number of characters, but I can type more than 21 characters in my buffers, and which buffer? I have got three buffers


ARE YOU SURE EAX HOLDS 21 AT THIS PARTICULAR MOMENT?? I THINK IT HOLDS THE VALUE STORED IN ESP+4, WHICH IS THE SECOND PUSH, SECOND PARAMETER == address of text buffer

017F:00452C4F 8B4330 MOV EAX,[EBX+30] ;; don't understand
;; I am waiting for a string by typing d eax or d ebx+30

NOW THE FIRST PARAMETER GETS MOVed TO EAX, THE handle


017F:00452C52 50 PUSH EAX ;; EAX = 21, strange handle isn't it?

AND GETS PUSHED. REMEMBER THAT THE PARAMETERS ARE PUSHED IN REVERSE ORDER AS THE DECLARATION

017F:00452C53 E83C41FBFF CALL USER32!GetWindowTextA ;; I land here
;; I have entered this call, nothing interesting, I land in a file user32; I type F12, a JMP, and I land after the call. This could be why the parameters are not useful
;;


YOU ARE RIGHT, THERE IS NOTHING FOR US INSIDE THE SYSTEM DLLS


int GetWindowText(
HWND hWnd, // handle of window or control with text
LPTSTR lpString, // address of buffer for text
int nMaxCount // maximum number of characters to copy
);


017F:00452C58 8BC8 MOV ECX,EAX
017F:00452C5A 8BD4 MOV EDX,ESP ;; d edx = name of my window; strange, I am waiting for a text buffer, not a text window
017F:00452C5C 8BC6 MOV EAX,ESI ;; EAX = address of a handle?
017F:00452C5E E8D516FBFF CALL 00404338
017F:00452C63 EB0D JMP 00452C72
017F:00452C65 8BC6 MOV EAX,ESI
017F:00452C67 8B938C000000 MOV EDX,[EBX+0000008C]
017F:00452C6D E82A16FBFF CALL 0040429C


I THINK YOU NEED TO PLACE A BPX AT 017F:00452C3C, THEN SEE THE PARAMETERS THAT INDEED GET PUSHED ONTO THE STACK BEFORE THE getwindowtextA CALL, AND YOU WILL REALIZE THE ADDRESS FOR YOUR KEY IS PUSHED ONTO THE STACK AT 017F:00452C4A

I USED UPPERCASE BECAUSE I AM KINDA DEAF AND I LIKE TO SCREAM
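A worked illustration of the push order naides describes, added here as an example and not part of either post: a small Python tracer walks the quoted instructions, tracks ESP and every PUSH, and then names the stack slots in GetWindowTextA's declared order (stdcall pushes right to left). The starting ESP value is a constructed placeholder, and the [EBX+30] handle stays symbolic because its contents are not in the listing.

```python
import re

# Constructed excerpt of the SoftICE listing quoted above (addresses and opcode bytes dropped).
LISTING = """
PUSH 00000100
LEA EAX,[ESP+04]
PUSH EAX
MOV EAX,[EBX+30]
PUSH EAX
CALL USER32!GetWindowTextA
MOV ECX,EAX
MOV EDX,ESP
"""

# Declared parameter order of GetWindowTextA; stdcall pushes them right to left.
GETWINDOWTEXTA_PARAMS = ("hWnd", "lpString", "nMaxCount")

def _value(operand, regs):
    """Hex immediates become ints, known registers their value, anything else stays symbolic."""
    operand = operand.strip()
    if re.fullmatch(r"[0-9A-Fa-f]+", operand):
        return int(operand, 16)
    return regs.get(operand, operand)

def trace_call(listing, esp=0x0012FF00):
    """Walk the listing tracking ESP and every PUSH; at the CALL apply the stdcall cleanup
    (callee pops its arguments) and keep going so post-call registers are visible.
    esp is a constructed starting stack pointer. Returns (pushes in execution order, regs)."""
    regs, pushes = {"ESP": esp}, []
    for line in listing.strip().splitlines():
        op, _, args = line.strip().upper().partition(" ")
        if op == "PUSH":
            pushes.append(_value(args, regs))
            regs["ESP"] -= 4
        elif op == "LEA":  # LEA EAX,[ESP+04] computes an address; it reads no memory
            dst, src = args.split(",", 1)
            base, _, disp = src.strip("[] ").partition("+")
            regs[dst.strip()] = regs[base] + int(disp or "0", 16)
        elif op == "MOV":
            dst, src = args.split(",", 1)
            regs[dst.strip()] = _value(src, regs)
        elif op == "CALL":
            regs["ESP"] += 4 * len(pushes)  # stdcall: GetWindowTextA removes its own arguments
            regs["EAX"] = "return value (characters copied)"
    return pushes, regs

def stdcall_arguments(pushes, params=GETWINDOWTEXTA_PARAMS):
    """The last value pushed is the first declared parameter, so reverse the push order."""
    return dict(zip(params, reversed(pushes)))
```

With the constructed starting ESP, trace_call(LISTING) followed by stdcall_arguments() gives nMaxCount = 0x100, lpString = 0x12FF00 (the caller's own stack buffer) and hWnd = [EBX+30]. After the call ESP, and therefore EDX, is back at 0x12FF00, which is why d edx shows the text that was read.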

newbcrk
May 30th, 2003, 12:56
Keep cool. Thanks