
dup rather than noop...


butler
July 12th, 2006, 22:43
I'm following along the complete beginner's tutorial at:

http://www.woodmann.com/crackz/Tutorials/Muadib1.htm

using BDASM and Hex Workshop. In the first example, where you are instructed to comment out a call:

e842000000 call 00401314

with NOOPs (0x90), I end up with a program that crashes. Re-evaluating it under BDASM shows:

9090909090 5 dup (90)

Rather than the expected NOOP instructions. I've successfully completed some other examples on the page, where you change out maybe 2 bytes of hex, rather than 5. What's my problem? I'm sure it's something simple I'm overlooking, but I have tried multiple variations of changes, all with no success.


Thanks!
Butler

JMI
July 12th, 2006, 22:44
90 is the hex equivalent of the assembly language NOP instruction.

"NOP or NOOP (short for No OPeration) is an assembly language instruction, sequence of programming language statements, or computer protocol command that does nothing at all."



Regards,

butler
July 12th, 2006, 22:55
Right - I've got that, and when I replace the hex equivalent of

call 00401314
(e842000000)

with what I'd expect to be a series of NOOPS

noop
noop
noop
noop
noop
noop
(909090909090)

on the exe using a hex editor (Hex Workshop), the result crashes, and when re-viewed back under my disassembler (BDASM), it is represented as 5 dup (90).

Being a complete newbie, maybe I'm misunderstanding the tutorial or else it has a problem I'm not recognizing. But, like I said, I successfully completed some NOOP replacements on shorter assembly codes, later on in the same tutorial on different EXEs.

Any insight would be appreciated! Thanks,
Butler

SiGiNT
July 12th, 2006, 23:10
I'm not familiar with BDASM, but some disassemblers will represent a string of nops as something else, a kind of shorthand. For instance, if it is right before the beginning of a subroutine, IDA will show 5 nops as align 5. It means absolutely nothing, just a shortcut around displaying:

nop
nop
nop
nop
nop

SiGiNT

Disassemble it with w32dasm and you will see your string of nops.

Kayaker
July 12th, 2006, 23:23
Hi,

The tut is a little confusing there, well, wrong actually. It speaks of NOPing out the MessageBox call but in reality you have to nop out the *entire* function including the PUSH statements the function uses, not just the Call statement itself.

This is because the Stack always has to be balanced, i.e. the number of PUSHes must equal the number of POPs. Normally an API call will take care of this transparently before it returns. If you *don't* nop out the PUSHes as well (one for each parameter the function uses) the program will almost certainly crash eventually.

The tut code disassembles to this:

Code:

:004012BF PUSH 00000000

* Possible StringData Ref from Data Obj ->"Please register!"

:004012C1 PUSH 0040302D

* Possible StringData Ref from Data Obj ->"I want your money! Please send "
->"me $20 to get rid of this screen!"

:004012C6 PUSH 0040303E
:004012CB PUSH 00000000

* Reference To: USER32.MessageBoxA, Ord:01BBh

:004012CD CALL 00401314 <-- CALL IT!.


This is equivalent to how the MessageBox function is defined, 4 PUSHes, 4 function parameters:

Code:

int MessageBox(
HWND hWnd,
LPCTSTR lpText,
LPCTSTR lpCaption,
UINT uType
);


The tut gives the incomplete instruction to
"Change E842000000 to 909090909090"
(also wrong, 5 byte instruction, 6 nops)

Instead, nop out the entire code from 004012BF to 004012CD and you should be OK.

Kayaker
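
A worked illustration of Kayaker's point, added here; it is not part of the tutorial and not code from anyone in this thread. It re-encodes the listing above as a byte string (the encodings of the four PUSHes are reconstructed from the addresses and operands in the listing, since only the call's bytes E842000000 appear on the page), decodes the PUSH/CALL run, shows that NOPing only the CALL leaves 16 bytes of arguments on the stack with nothing to pop them, and NOPs the whole 19-byte site through a size-checked patch routine that would also have refused "6 NOPs over a 5-byte instruction". It works on a bytes blob addressed by VA; translating a VA to a file offset in a real PE (section RVA and PointerToRawData) is left to the caller.

```python
"""Patch out an API call together with the PUSHes that feed it.

Added example for this thread, not the tutorial's or any poster's code.
Operates on a bytes object standing in for the code section, addressed
by virtual address; VA-to-file-offset mapping for a real PE is not done here.
"""

NOP = 0x90

# Constructed sample: the tutorial's call site at 004012BF..004012D1, re-encoded
# by hand from the listing (push imm8 = 6A ib, push imm32 = 68 id, call rel32 = E8 cd).
# Only E842000000 is given on the page; the push encodings are a reconstruction
# that matches the listing's addresses.
CODE_BASE_VA = 0x004012BF
SAMPLE_CODE = bytes.fromhex(
    "6A00"        # 004012BF push 0            uType
    "682D304000"  # 004012C1 push 0040302D     lpCaption "Please register!"
    "683E304000"  # 004012C6 push 0040303E     lpText
    "6A00"        # 004012CB push 0            hWnd
    "E842000000"  # 004012CD call 00401314     MessageBoxA
)
MESSAGEBOX_PARAMS = 4  # hWnd, lpText, lpCaption, uType; stdcall, callee pops 16 bytes


def decode_push_call(code: bytes, base_va: int, start_va: int):
    """Walk PUSH imm / NOP instructions from start_va until a CALL rel32.

    Returns (pushes, call_va, call_target, end_va), end_va being the first byte
    after the CALL. If the run ends without a CALL (the broken-patch case this
    thread is about), call_va and call_target are None. Only the opcodes that
    occur at the tutorial's call site are decoded; anything else raises.
    """
    off = start_va - base_va
    pushes = []
    while off < len(code):
        va = base_va + off
        op = code[off]
        if op == NOP:
            off += 1
        elif op == 0x6A:  # push imm8, sign-extended to 32 bits
            pushes.append(int.from_bytes(code[off + 1:off + 2], "little", signed=True) & 0xFFFFFFFF)
            off += 2
        elif op == 0x68:  # push imm32
            pushes.append(int.from_bytes(code[off + 1:off + 5], "little"))
            off += 5
        elif op == 0xE8:  # call rel32; displacement is relative to the next instruction
            rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
            end_va = va + 5
            return pushes, va, (end_va + rel) & 0xFFFFFFFF, end_va
        else:
            raise ValueError(f"unsupported opcode {op:02X} at {va:08X}")
    return pushes, None, None, base_va + len(code)


def patch(code: bytes, base_va: int, va: int, old: bytes, new: bytes) -> bytes:
    """Replace `old` at `va` with `new`, refusing anything that would shift code.

    Guards against both mistakes in the thread: patching bytes that are not what
    you think they are, and writing 6 NOPs over a 5-byte instruction.
    """
    if len(new) != len(old):
        raise ValueError(f"size mismatch: {len(old)} bytes at site, {len(new)} supplied")
    lo, hi = va - base_va, va - base_va + len(old)
    if not (0 <= lo < hi <= len(code)):
        raise ValueError("patch range outside the code blob")
    if code[lo:hi] != old:
        raise ValueError(f"bytes at {va:08X} are {code[lo:hi].hex()}, expected {old.hex()}")
    return code[:lo] + new + code[hi:]


def nop_call_site(code: bytes, base_va: int, start_va: int, n_params: int) -> bytes:
    """NOP the whole PUSH...CALL sequence starting at start_va (the fix from the thread)."""
    pushes, call_va, _target, end_va = decode_push_call(code, base_va, start_va)
    if call_va is None:
        raise ValueError("no CALL found after the pushes")
    if len(pushes) != n_params:
        raise ValueError(f"found {len(pushes)} pushes, expected {n_params}")
    old = code[start_va - base_va:end_va - base_va]
    return patch(code, base_va, start_va, old, bytes([NOP]) * len(old))


def nop_call_only(code: bytes, base_va: int, call_va: int) -> bytes:
    """The tutorial's patch: 5 NOPs over the CALL alone, pushes left intact."""
    old = code[call_va - base_va:call_va - base_va + 5]
    return patch(code, base_va, call_va, old, bytes([NOP]) * 5)


def orphaned_stack_bytes(code: bytes, base_va: int, start_va: int) -> int:
    """Bytes pushed with no CALL left to consume them (4 per push on 32-bit x86)."""
    pushes, call_va, _t, _e = decode_push_call(code, base_va, start_va)
    return 0 if call_va is not None else 4 * len(pushes)


if __name__ == "__main__":
    pushes, call_va, target, end_va = decode_push_call(SAMPLE_CODE, CODE_BASE_VA, CODE_BASE_VA)
    print(f"call at {call_va:08X} -> {target:08X}, {len(pushes)} pushes, site is {end_va - CODE_BASE_VA} bytes")
    bad = nop_call_only(SAMPLE_CODE, CODE_BASE_VA, 0x004012CD)
    print("call-only patch leaves", orphaned_stack_bytes(bad, CODE_BASE_VA, CODE_BASE_VA), "stack bytes orphaned")
    good = nop_call_site(SAMPLE_CODE, CODE_BASE_VA, CODE_BASE_VA, MESSAGEBOX_PARAMS)
    print("full patch:", good.hex(), "->", len(good), "dup (90)")
```

The decoded call target comes out as 00401314 because E8's displacement (0x42) is added to the address of the *next* instruction (004012D2), which is why the 5-byte size of the CALL matters: overwrite it with 6 bytes and everything after it shifts, and every relative displacement behind it is now off by one.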

butler
July 13th, 2006, 00:26
Kayaker,

Thanks so much for the post. That indeed solved it and as a high-level language programmer, it makes sense to me. Also, as sigint33 stated the "dup" representation was just a short-cut; with the working patch, BDASM shows "19 dup (90)" in place of the previous subroutine.

I think the edits I made on the other EXEs worked, because the placement was not within a function call, but instead dropping out comparisons and the like.


Thanks again everyone!
Butler

Fake51
July 22nd, 2006, 03:17
Indeed, dup just means something along the lines of duplicate. When coding you use it to easily set up buffers or arrays, that are empty or just hold the same value over and over.

Like:
buffer db 256 dup (?)

Located in the .data? section, this would just allocate 256 bytes of nothing, giving you a buffer.
You should probably read up a bit on asm.

Regards
Fake