CrackMe® Practices for Newbies ~ Moderated

Re: Super Newbie & Tables
Sunday, 31-Jan-99 06:10:40
    212.211.6.64 writes:

    Bill,

    take a look at this bit of code from the program:

    00401000 push ebx
    00401001 push ecx
    00401002 push edx
    00401003 push esi
    00401004 push edi
    00401005 push ebp

    The bit up to this point is the stack frame: registers are saved and will be recovered later.

    Now:

    00401006 push 0
    00401008 push 80h
    0040100D push 3
    0040100F push 0
    00401011 push 3
    00401013 push 0C0000000h
    00401018 push offset aCrkme4_dat ; looking for crkme4.dat
    0040101D call j_CreateFileA
    00401022 cmp eax, 0FFFFFFFFh
    00401025 jz incorrectfileme

    This is the API call which opens the file. The call is to CreateFile. If you look in an API reference you will see something like

    HANDLE CreateFile(

    LPCTSTR lpszName, // address of name of the file
    DWORD fdwAccess, // access (read-write) mode
    DWORD fdwShareMode, // share mode
    LPSECURITY_ATTRIBUTES lpsa, // address of security descriptor
    DWORD fdwCreate, // how to create
    DWORD fdwAttrsAndFlags, // file attributes
    HANDLE hTemplateFile // handle of file with attributes to copy
    );

    Now the parameters mentioned appear as pushes, in reverse order prior to the call. So the address of the name of the file was pushed first thing before the call. The most important thing from this was the HANDLE before the CreateFile. This is the return value, and will be used to access the file on future calls. Now:

    0040102B mov ds:file_handle, eax

    The file handle has been saved; we name it in our disassembler. All references to that location may be messing with the file!

    Next:

    00401030 push 0
    00401032 push offset numbytesread
    00401037 push 30h ; number of bytes to read = 48
    00401039 push offset first_part
    0040103E push ds:file_handle
    00401044 call j_ReadFile

    This is the call which reads from the file. API call to ReadFile:

    BOOL ReadFile(

    HANDLE hFile, // handle of file to read
    LPVOID lpBuffer, // address of buffer that receives data
    DWORD nNumberOfBytesToRead, // number of bytes to read
    LPDWORD lpNumberOfBytesRead, // address of number of bytes read
    LPOVERLAPPED lpOverlapped // address of structure for data
    );

    So from this, we know where the file was read into memory. (I called this first_part in mine.) We know it reads 30h=48 bytes too. Further, one of the variables now contains the number of bytes read. Incidentally, if it had wanted to read from, say, halfway through the file, then it would use the API call SetFilePointer.

    Next:

    00401049 push ds:file_handle
    0040104F call j_CloseHandle

    This just closes the file again.

    Now:

    00401054 cmp ds:numbytesread, 30h
    0040105B mov eax, 0
    00401060 jb short corr_incorr_swi
    00401062 nop ; correct size

    I'll leave you to decipher what this means. Hope this explains your questions,

    Cronos
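As an added illustration of the push-to-parameter mapping Cronos describes (this is not code from the original post), here is a small Python script that walks the quoted listing, pairs the pushes before each call with the parameter names from the API reference in stdcall (right-to-left) order, and names the Win32 constants behind the numeric arguments. The listing text is constructed from the post, and the constant tables cover only the values this listing uses.

```python
import re
# Constructed from the listing quoted in the post (the six prologue pushes are left out).
LISTING = """00401006 push 0
00401008 push 80h
0040100D push 3
0040100F push 0
00401011 push 3
00401013 push 0C0000000h
00401018 push offset aCrkme4_dat ; looking for crkme4.dat
0040101D call j_CreateFileA
00401030 push 0
00401032 push offset numbytesread
00401037 push 30h ; number of bytes to read = 48
00401039 push offset first_part
0040103E push ds:file_handle
00401044 call j_ReadFile"""
PROTOTYPES = {  # parameters in declared order; stdcall pushes them right-to-left
    "CreateFileA": ["lpszName", "fdwAccess", "fdwShareMode", "lpsa", "fdwCreate", "fdwAttrsAndFlags", "hTemplateFile"],
    "ReadFile": ["hFile", "lpBuffer", "nNumberOfBytesToRead", "lpNumberOfBytesRead", "lpOverlapped"]}
FLAG_BITS = {"fdwAccess": {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},  # bitmask parameters;
             "fdwShareMode": {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE"},            # only the constants
             "fdwAttrsAndFlags": {0x80: "FILE_ATTRIBUTE_NORMAL"}}                       # this listing needs
ENUMS = {"fdwCreate": {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}}

def parse_operand(text):  # MASM/IDA immediates ('0C0000000h', '80h', '3') become ints; symbols stay text
    m = re.fullmatch(r"0?([0-9A-Fa-f]+)h", text)
    return int(m.group(1), 16) if m else (int(text) if text.isdigit() else text)

def describe(param, value):  # replace a numeric argument with the Win32 constant names it encodes
    if not isinstance(value, int) or (param not in FLAG_BITS and param not in ENUMS):
        return value
    if param in ENUMS:
        return ENUMS[param].get(value, value)
    rest = value & ~sum(FLAG_BITS[param])  # any bits the table does not know are kept as hex
    names = [name for bit, name in FLAG_BITS[param].items() if value & bit] + ([hex(rest)] if rest else [])
    return " | ".join(names) if names else value

def annotate_calls(listing):  # pair the pushes before each call with the callee's parameters
    pushes, calls = [], {}
    for line in listing.splitlines():
        _, mnem, operand = (line.split(";")[0].strip().split(None, 2) + ["", ""])[:3]  # drop comment, pad
        if mnem == "push":
            pushes.append(parse_operand(operand))
        elif mnem == "call":
            callee = operand[2:] if operand.startswith("j_") else operand  # j_ = import thunk in this listing
            params = PROTOTYPES.get(callee, [])
            args = pushes[-len(params):][::-1]  # last push is the first declared parameter
            calls[callee] = [(p, describe(p, a)) for p, a in zip(params, args)]
            pushes.clear()
    return calls
```

Running `annotate_calls(LISTING)` shows CreateFileA opened with GENERIC_READ | GENERIC_WRITE, both share flags and OPEN_EXISTING, and ReadFile asked for 48 bytes into first_part.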


Message thread:

Super Newbie & Tables (Bill) (30-Jan-99 16:26:27)

Copyright © InsideTheWeb, Inc. 1997-1999
All rights reserved.