Click OK to send the password to the client. SoftICE will pop up; press F11 (g @ss:esp) and the password, preceded by a 'PWD' string, will be shown in SoftICE's data window. Now set a bpr on the password's address (e.g. bpr 405000 405010 RW) and on the copy it will make at 004029c5. Next time you break in you should be at 004040dd:

    0167:004040dd 8b0e     mov ecx,[esi]
    0167:004040df 8b1f     mov ebx,[edi]
    0167:004040e1 39d9     cmp ecx,ebx
    0167:004040e3 7558     jnz 0040413d
    0167:004040e5 4a       dec edx
    0167:004040e6 7415     jz 004040fd
    0167:004040e8 8b4e04   mov ecx,[esi+04]
    0167:004040eb 8b5f04   mov ebx,[edi+04]
    0167:004040ee 39d9     cmp ecx,ebx

Hmmm, it broke in at 004040dd because we set a bpr on our password, so the password must be located inside the buffer esi points to. The first 4 chars of esi's buffer are moved into ecx, the first 4 chars of edi's buffer into ebx, and the two are compared; then the next 4 chars of each buffer get the same treatment. So now you think you found the comparison between the real password and the one you entered? Ah, ah, no way. The author of Sub7 is even more stupid: type "d edi" in SoftICE, and we'll see:

    016F:012A3DD4 31 34 34 33 38 31 33 36-37 38 32 37 31 35 31 30  1443813678271510
    016F:012A3DE4 31 39 38 30 00 69 6F 00-28 00 00 00 22 00 00 00  1980.io.(..."...
    016F:012A3DF4 01 00 00 00 13 00 00 00-53 75 62 73 65 76 65 6E  ........Subseven
    016F:012A3E04 5F 5F 5F 3C 20 70 69 63-6B 20 3E 00 10 3E 2A 01  ___< pick >..>*.
    016F:012A3E14 10 3E 2A 01 38 00 00 00-53 75 62 73 65 76 65 6E  .>*.8...Subseven

Strange, that was not the password I set... I took "abuse" as password. So let's see what it is by reconnecting and entering it... SubSeven.exe says: connected.
Errrm, is there a small possibility that the author of SubSeven put in a hardcoded master password? Heh, try it a few times with some other servers (on your own PC). And yes, it is a master password. Well, that's all for today; I just thought someone would be interested in this stuff. I am in no way responsible for the stuff you'll do with this information.

regards, defiler

Greetings (no specific order): ultraschall, cardenal mendoza, kaparo, flwright, ratso, haldir, lightdruid, ganjaman, telcofix, whataduck, tornado, hutch, masta, notty, knotty, kwazy webbit, secret, iczelion, bisoux, MisterE, mr nop, neural noise, lazarus, peegee, random, daze, the anti xryst, acid burn, azzyrian, decline, blind angel, keyboard junky, reverend x, DnNuke, Gizmo, viny, volatility, alpine, promothee, sat0r, fli7e, targ0n, Ridlexx, novatrix, TomTom, WarezPup, Weazel, visionz, kaai, MagicRaph, sepulcrum, MVD, sn00pee, amante, FatBoyJoe, SantMat and all who contribute to the reversing spirit ;)

Group/chan greets: all blizzard members, everyone in #win32asm, #cracking, #elitereversers, #reversing4newbies, #immortaldescendants, #digital.factory, #hellforge, and #learn2crack.

I would be pleased to get some feedback; catch me on irc or mail to: defiler@elitereversers.de