Question on some code.


Torque
June 16th, 2003, 23:33
Hello,

I was following a tut for a crackme I found and there is something on the tut that I have a question on.

Here is the code:
Code:

:0040324F 55 push ebp
:00403250 8BEC mov ebp, esp
:00403252 83C4FC add esp, FFFFFFFC
:00403255 817D0C02010000 cmp dword ptr [ebp+0C], 00000102 ;focus on editbox.
:0040325C 0F859D000000 jne 004032FF

We follow the jne at 40325c:

:004032FF 817D0C00010000 cmp dword ptr [ebp+0C], 00000100 ;focus on editbox.
:00403306 0F85F4000000 jne 00403400
:0040330C 8B4510 mov eax, dword ptr [ebp+10] ; Getting the char.
:0040330F 3C0D cmp al, 0D ;0D = press Enter button
:00403311 7573 jne 00403386 ; getting the char of the editbox
:00403313 833D1560400001 cmp dword ptr [00406015], 00000001
:0040331A 7514 jne 00403330 ; BAD jump!
:0040331C 6A40 push 00000040


Now, my question is how does one figure out that the cmp's at 00403255 and 004032FF are checking if the editbox has focus? It's not explained in the tut and I don't know how I would have figured that out.

Also, the cmp at 0040330F. How can you tell if that is comparing al to 0D to check which key was pressed or if it is comparing for some other purpose? How do you tell when it is checking which key was pressed?

And at 0040330C, it gets the next char. Is the only way to figure out that it is actually getting the char you typed to look at EAX and see if it is a match or are there other clues?

Sorry if these questions are too vague or anything. Just looking for some pointers

Any help is greatly appreciated.

-Torque

P.S. If you need any additional info on the program being discussed plz let me know

ArC
June 17th, 2003, 04:36
the cmp's at 00403255 and 004032FF:
I suppose the sub-routine 0040324F expects four (or more) parameters, where one of these parameters is expected to be the handle to the window which is currently focused. So the code which calls the sub-routine 0040324F could look like this:

call GetFocus ; <-- get current focus (Win API)
push xxxx     ; push other stuff
push eax      ; <-- push focus
push xxxx     ; push other stuff
push xxxx     ; push other stuff
call 0040324F

In this little code example the second parameter contains the handle to the currently focused window. This means that the following command in the sub-routine 0040324F compares the content of the second parameter (the handle to the currently focused window) with 102 (I think the 102 is the ID of the Edit-Box).

cmp dword ptr [ebp+0C], 00000102 ; ebp+0C = address of second parameter

cmp at 0040330F:
0D is 13 in decimal, which is the char for ENTER.

I hope this was a little aid for you (?)

sna
June 17th, 2003, 05:17
edit:

after reading the previous posts more thoroughly it became rather apparent that the code is part of the application's message handling.

where [ebp+0Ch] is the notification code and -

100h = WM_KEYDOWN
102h = WM_CHAR

the character code is sent in wParam ( [ebp+10h] )

second edit:

goddamnit.. that doesn't fully hold up either..
my first post was probably more correct

in which case it is indeed checking the second parameter to see which window to deal with. it is, however, not using GetFocus but rather GetDlgItem.

Using a resource viewer you can in most cases determine which control has what ID.

regards, sna

ArC
June 17th, 2003, 06:23
Torque:

Maybe you can post the code snippet which is calling 0040324F?

Torque
June 17th, 2003, 11:12
Hey guys. Thanks for the help.

As for the code that calls 0040324F, I opened up the program in W32Dasm and got this code:

Code:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004031CE(U), :004031F5(U), :004031FB(C), :00403214(U), :0040322E(U)
|
:00403247 33C0 xor eax, eax
:00403249 5F pop edi
:0040324A 5B pop ebx
:0040324B C9 leave
:0040324C C21000 ret 0010


:0040324F 55 push ebp


I don't see anywhere a direct call to :0040324F. The only other reference I can find to :0040324F (when I searched the disassembly) was at 00403150:
Code:

* Possible StringData Ref from Data Obj ->"EDIT"
|
:0040313B 687D604000 push 0040607D
:00403140 6A00 push 00000000
:00403142 E8DDDEFFFF call 00401024
:00403147 FF75D8 push [ebp-28]
:0040314A 8F05E4604000 pop dword ptr [004060E4]
:00403150 C745D84F324000 mov [ebp-28], 0040324F
:00403157 FF35D8604000 push dword ptr [004060D8]
:0040315D 8F45E4 pop [ebp-1C]


Also, the author of the tut says "The program uses a Thread. The CreateThread function creates a thread to execute within the virtual address space of the calling process. And is repeating all over the time. It runs thru this piece of code:", and then he shows the same code I posted in my original post. Maybe when the thread is created it calls 0040324F directly.

I'm sorry I cannot be of more help. I'm still new to most of this stuff. Anyway, if you need more info, or can tell me how to better figure out what calls 0040324F, that would be great.

Thanx for the help guys,

-Torque

naides
June 17th, 2003, 13:38
Quote:
Originally posted by Torque
Hey guys. Thanks for the help.

As for the code that calls 0040324F, I opened up the program in W32Dasm and got this code:

Code:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004031CE(U), :004031F5(U), :004031FB(C), :00403214(U), :0040322E(U)
|
:00403247 33C0 xor eax, eax
:00403249 5F pop edi
:0040324A 5B pop ebx
:0040324B C9 leave
:0040324C C21000 ret 0010


:0040324F 55 push ebp


I don't see anywhere a direct call to :0040324F. The only other reference I can find to :0040324F (when I searched the disassembly) was at 00403150:
Code:

* Possible StringData Ref from Data Obj ->"EDIT"
|
:0040313B 687D604000 push 0040607D
:00403140 6A00 push 00000000
:00403142 E8DDDEFFFF call 00401024
:00403147 FF75D8 push [ebp-28]
:0040314A 8F05E4604000 pop dword ptr [004060E4]
:00403150 C745D84F324000 mov [ebp-28], 0040324F
:00403157 FF35D8604000 push dword ptr [004060D8]
:0040315D 8F45E4 pop [ebp-1C]


Also, the author of the tut says "The program uses a Thread. The CreateThread function creates a thread to execute within the virtual address space of the calling process. And is repeating all over the time. It runs thru this piece of code:", and then he shows the same code I posted in my original post. Maybe when the thread is created it calls 0040324F directly.

I'm sorry I cannot be of more help. I'm still new to most of this stuff. Anyway, if you need more info, or can tell me how to better figure out what calls 0040324F, that would be great.

Thanx for the help guys,

-Torque


One method to find out who calls 0040324F is to trace it live and direct in SoftIce.

1- Open the crackme in symbol loader
2- place a bpx on 40324F
3- when Sice breaks, type in Sice: WS meaning 'window stack'. A small window will open in SoftIce called the call stack. The first address in there is the place in the code which called 40324F, which I would not be surprised if it contained code like

call EAX

or

call [ebp+08]

which corresponds to a dynamically assigned code branching.

If you click the address on the Stack window itself, the code window in SoftIce will scroll you all the way to the area where the famous 40324F call was originated, THIS TIME AROUND.

The function may get called from other areas of the code, depending on the program flow.