Re: Super Newbie & Tables Sunday, 31-Jan-99 06:10:40
Bill, take a look at this bit of code from the program:

    00401000 push ebx
    00401001 push ecx
    00401002 push edx
    00401003 push esi
    00401004 push edi
    00401005 push ebp

The bit up to this point is the stack frame: registers are saved and will be recovered later. Now:

    00401006 push 0
    00401008 push 80h
    0040100D push 3
    0040100F push 0
    00401011 push 3
    00401013 push 0C0000000h
    00401018 push offset aCrkme4_dat ; looking for crkme4.dat
    0040101D call j_CreateFileA
    00401022 cmp eax, 0FFFFFFFFh
    00401025 jz incorrectfileme

This is the API call which opens the file. The call is to CreateFile. If you look in an API reference you will see something like:

    HANDLE CreateFile(
        LPCTSTR lpszName,                  // address of name of the file
        DWORD fdwAccess,                   // access (read-write) mode
        DWORD fdwShareMode,                // share mode
        LPSECURITY_ATTRIBUTES lpsa,        // address of security descriptor
        DWORD fdwCreate,                   // how to create
        DWORD fdwAttrsAndFlags,            // file attributes
        HANDLE hTemplateFile               // handle of file with attributes to copy
    );

Now the parameters mentioned appear as pushes, in reverse order, prior to the call. So the address of the name of the file was pushed first thing before the call. The most important thing from this was the HANDLE before the CreateFile. This is the return value, and will be used to access the file on future calls. Now:

    0040102B mov ds:file_handle, eax

File handle has been saved; we name it in our disassembler. All references to that location may be messing with the file! Next:

    00401030 push 0
    00401032 push offset numbytesread
    00401037 push 30h ; number of bytes to read = 48
    00401039 push offset first_part
    0040103E push ds:file_handle
    00401044 call j_ReadFile

This is the call which reads from the file. API call to ReadFile:

    BOOL ReadFile(
        HANDLE hFile,                      // handle of file to read
        LPVOID lpBuffer,                   // address of buffer that receives data
        DWORD nNumberOfBytesToRead,        // number of bytes to read
        LPDWORD lpNumberOfBytesRead,       // address of number of bytes read
        LPOVERLAPPED lpOverlapped          // address of structure for data
    );

So from this, we know where the file was read into memory. (I called this first_part in mine.) We know it reads 30h = 48 bytes too. Further - one of the variables now contains the number of bytes read. Incidentally, if it had wanted to read from, say, halfway through the file then it would use the API call SetFilePointer. Next:

    00401049 push ds:file_handle
    0040104F call j_CloseHandle

This just closes the file again. Now:

    00401054 cmp ds:numbytesread, 30h
    0040105B mov eax, 0
    00401060 jb short corr_incorr_swi
    00401062 nop ; correct size

I'll leave you to decipher what this means. Hope this explains your questions,

Cronos
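As an added example (not part of Cronos's post), the "pushes in reverse order" rule applied mechanically: a small Python script that collects the pushes before each call in the listing, reverses them, binds them to the parameter names of the prototypes quoted above, and decodes the numeric arguments into their standard Win32 constant names. The listing lines and parameter names are copied from the post; the constant names (GENERIC_READ, OPEN_EXISTING and so on) are the documented Win32 values, and the IDA conventions assumed are a trailing 'h' on hex literals and a 'j_' prefix on import thunks.

```python
import re
# Listing lines copied from the post above: the argument pushes and each call.
LISTING = """00401006 push 0
00401008 push 80h
0040100D push 3
0040100F push 0
00401011 push 3
00401013 push 0C0000000h
00401018 push offset aCrkme4_dat ; looking for crkme4.dat
0040101D call j_CreateFileA
00401030 push 0
00401032 push offset numbytesread
00401037 push 30h ; number of bytes to read = 48
00401039 push offset first_part
0040103E push ds:file_handle
00401044 call j_ReadFile"""
PROTOTYPES = {  # parameter names in prototype order, from the declarations in the post
    "CreateFileA": ["lpszName", "fdwAccess", "fdwShareMode", "lpsa", "fdwCreate", "fdwAttrsAndFlags", "hTemplateFile"],
    "ReadFile": ["hFile", "lpBuffer", "nNumberOfBytesToRead", "lpNumberOfBytesRead", "lpOverlapped"]}
FLAGS = {  # standard Win32 constants for the flag-style parameters seen in this listing
    "fdwAccess": {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    "fdwShareMode": {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE"},
    "fdwCreate": {3: "OPEN_EXISTING"},
    "fdwAttrsAndFlags": {0x80: "FILE_ATTRIBUTE_NORMAL"}}

def parse_operand(op):  # IDA hex literal ('80h'), decimal literal, or a symbol kept as text
    if re.fullmatch(r"[0-9A-Fa-f]+h", op):
        return int(op[:-1], 16)
    return int(op) if op.isdigit() else op

def describe(param, value):  # render a numeric flag argument as OR-ed constant names
    if not isinstance(value, int) or param not in FLAGS:
        return value
    names = [n for bit, n in FLAGS[param].items() if (value & bit) == bit]
    return "|".join(names) if names else hex(value)

def reconstruct_calls(listing):
    # stdcall pushes right-to-left: the pushes since the previous call, reversed,
    # line up with the prototype's parameters (last push == first parameter).
    calls, pending = [], []
    for line in listing.splitlines():
        code = line.split(";", 1)[0].split(None, 1)[1].strip()  # drop address and comment
        mnemonic, _, operand = code.partition(" ")
        if mnemonic == "push":
            pending.append(parse_operand(operand.strip()))
        elif mnemonic == "call":
            api = re.sub(r"^j_", "", operand.strip())  # drop IDA's import-thunk prefix
            params, args = PROTOTYPES[api], pending[::-1]
            calls.append((api, {p: describe(p, a) for p, a in zip(params, args)}))
            pending = []
    return calls
```

Running `reconstruct_calls(LISTING)` yields CreateFileA("offset aCrkme4_dat", GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0) followed by ReadFile(ds:file_handle, offset first_part, 48, offset numbytesread, 0), which is the source-level view of the two call sites.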
Super Newbie & Tables (Bill) (30-Jan-99 16:26:27)
Copyright © InsideTheWeb, Inc. 1997-1999
All rights reserved.