Robocop
December 20th, 2005, 10:43
After tracking a programe,I got below:
0041507F /$ 55 push ebp
00415080 |. 8BEC mov ebp,esp
00415082 |. 83EC 30 sub esp,30
00415085 |. C745 F0 8EB>mov dword ptr ss:[ebp-10],7648B98E
0041508C |. C745 EC 030>mov dword ptr ss:[ebp-14],3
00415093 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
00415096 |. 8B48 6C mov ecx,dword ptr ds:[eax+6C]
00415099 |. 8B91 D40100>mov edx,dword ptr ds:[ecx+1D4]
0041509F |. 81E2 008000>and edx,8000
004150A5 |. 85D2 test edx,edx
004150A7 |. 74 23 je short xxxx.004150CC Always jumped to "004150be"
004150A9 |. 833D 5CB947>cmp dword ptr ds:[47B95C],0
004150B0 |. 74 1A je short xxxx.004150CC
004150B2 |. 8B45 10 mov eax,dword ptr ss:[ebp+10]
004150B5 |. 50 push eax
004150B6 |. 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
004150B9 |. 51 push ecx
004150BA |. 8B55 08 mov edx,dword ptr ss:[ebp+8]
004150BD |. 52 push edx
004150BE |. FF15 5CB947>call dword ptr ds:[47B95C]
004150C4 |. 83C4 0C add esp,0C
004150C7 |. E9 13010000 jmp xxxx.004151DF
004150CC |> 6A 04 push 4 ; /Arg4 = 00000004
I learnt from that classic tutorial zendenc.exe,in that target I successfully got the seeds from job structure.But in this one,it doesnt work,I don't know why.
The target is one programe of all.They have deamon.And when I set the breakpoint at :""""0041507F /$ 55 push ebp"""and sep in.The target always jumped at """004150A7 |. 74 23 je short xxxx.004150CC """ and turned to """004150BE |. FF15 5CB947>call dword ptr ds:[47B95C]"""".When I set up the license server with correct license for this target and track again.It still jumped at that position with programe running.
How can I get those code run?Then I can find out what is behind esp,esp+8.
Help!!!!!
Tttttthhhhhhaaaankkkks!!!!!!
0041507F /$ 55 push ebp
00415080 |. 8BEC mov ebp,esp
00415082 |. 83EC 30 sub esp,30
00415085 |. C745 F0 8EB>mov dword ptr ss:[ebp-10],7648B98E
0041508C |. C745 EC 030>mov dword ptr ss:[ebp-14],3
00415093 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
00415096 |. 8B48 6C mov ecx,dword ptr ds:[eax+6C]
00415099 |. 8B91 D40100>mov edx,dword ptr ds:[ecx+1D4]
0041509F |. 81E2 008000>and edx,8000
004150A5 |. 85D2 test edx,edx
004150A7 |. 74 23 je short xxxx.004150CC Always jumped to "004150be"
004150A9 |. 833D 5CB947>cmp dword ptr ds:[47B95C],0
004150B0 |. 74 1A je short xxxx.004150CC
004150B2 |. 8B45 10 mov eax,dword ptr ss:[ebp+10]
004150B5 |. 50 push eax
004150B6 |. 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
004150B9 |. 51 push ecx
004150BA |. 8B55 08 mov edx,dword ptr ss:[ebp+8]
004150BD |. 52 push edx
004150BE |. FF15 5CB947>call dword ptr ds:[47B95C]
004150C4 |. 83C4 0C add esp,0C
004150C7 |. E9 13010000 jmp xxxx.004151DF
004150CC |> 6A 04 push 4 ; /Arg4 = 00000004
I learnt from that classic tutorial zendenc.exe,in that target I successfully got the seeds from job structure.But in this one,it doesnt work,I don't know why.
The target is one programe of all.They have deamon.And when I set the breakpoint at :""""0041507F /$ 55 push ebp"""and sep in.The target always jumped at """004150A7 |. 74 23 je short xxxx.004150CC """ and turned to """004150BE |. FF15 5CB947>call dword ptr ds:[47B95C]"""".When I set up the license server with correct license for this target and track again.It still jumped at that position with programe running.
How can I get those code run?Then I can find out what is behind esp,esp+8.
Help!!!!!
Tttttthhhhhhaaaankkkks!!!!!!
I have "xxx" them out. How about you pay attention to what you are doing. 