My Shiny New Thread Friday, 29-Jan-99 14:40:23
Hi EB,

OK, a new project. This is going to be my approach:

1. I started off with a quick deadlisting and ran the program, just to get the feel of it. I notice a call to ReadFile straight away, and see immediately that it is looking for 'crkme4.dat'.
2. I look at the list of arguments to the call of ReadFile and see it expects 30h bytes at least.
3. OK. Now to create a file called crkme4.dat with 48 bytes in it.
4. I notice in the deadlisting that the read is followed by some code which contains a couple of jumps to code which contains references to 'incorrect file' strings. There are three main calls before this, and these seem to be the heart of the check. The main part of the code looks like

    00401066 mov al, ds:byte_40205B
    0040106B mov ds:byte_402071, al
    00401070 mov esi, offset fbuffer
    00401075 push 4
    00401077 push esi
    00401078 push esi
    00401079 call sub_401116
    0040107E mov edi, offset fbuffer
    00401083 add edi, 0Ch
    00401086 xor al, al
    00401088 mov ecx, 4
    0040108D repe stosb
    0040108F mov esi, offset byte_40204B
    00401094 push 5
    00401096 push esi
    00401097 push esi
    00401098 call sub_401116
    0040109D call sub_4011C1

This is followed by our good guy/bad guy checks. Looking at the 401116 and 4011C1 routines these seem to be the checking bits, and so I will now be investigating these with SoftIce, to see what happens with the file buffer that was read in (the 30h bytes read into 40203b).

Later,
Cronos.

Cronos
Copyright © InsideTheWeb, Inc. 1997-1999
All rights reserved.