Security Administrator For Windows 95/98 - Tutorial by SV
24/08/1999

    
Tools
Softice 4.
     
Goal
To have a registered version.
     
Let's go
Start secagent.exe

The registration information window is now displayed.
Enter a code, e.g. 12345678, and before clicking on Go, pop up SoftICE and type:
'bpx hmemcpy'
'x'
Click on Go.
Hi softice ;-)
You are now inside the hmemcpy function.
Type 'bc *' to clear the breakpoint,
then F11, and F12 six times.

You are here (SECAGENT!CODE).

015F:00424C75 CALL 0042E1B4
015F:00424C7A POP ESI
015F:00424C7B POP EBX
015F:00424C7C RET


Press F12 5 times

Now you are in this part of the code:

015F:0046AFED CALL 0042A814
015F:0046AFF2 MOV EAX,[EBP-08]
015F:0046AFF5 LEA EDX,[EBP-04]
015F:0046AFF8 CALL 004612CC
015F:0046AFFD CMP DWORD PTR [EBP-04],00
015F:0046B001 JNZ 0046B010
015F:0046B003 LEA EAX,[EBP-04]
015F:0046B006 MOV EDX,0046B074
015F:0046B00B CALL 00403A3C
015F:0046B010 MOV EAX,[00473EF4]
015F:0046B015 MOV EAX,[EAX]
015F:0046B017 MOV EDX,[EBP-04]
015F:0046B01A CALL 00471C44 <- this is the call that checks the code
015F:0046B01F MOV EAX,[EBX+00000308]
015F:0046B025 MOV EDX,[EAX]
015F:0046B027 CALL [EDX+000000B4]
015F:0046B02D MOV EAX,[00473E4C]
015F:0046B032 CMP BYTE PTR [EAX],00
015F:0046B035 JZ 0046B041

F10 until 0046B01A, then F8 to step into the call.
You land here:

015F:00471C44 PUSH EBP
015F:00471C45 MOV EBP,ESP
015F:00471C47 PUSH ECX
015F:00471C48 PUSH EBX
015F:00471C49 MOV [EBP-04],EDX
015F:00471C4C MOV EBX,EAX
015F:00471C4E MOV EAX,[EBP-04]
015F:00471C51 CALL 00403DD4
015F:00471C56 XOR EAX,EAX
015F:00471C58 PUSH EBP
015F:00471C59 PUSH 00471CD8
015F:00471C5E PUSH DWORD PTR FS:[EAX]
015F:00471C61 MOV FS:[EAX],ESP
015F:00471C64 MOV EDX,[EBP-04]
015F:00471C67 MOV EAX,EBX
015F:00471C69 CALL 0046CCB0 <- real check
015F:00471C6E TEST AL,AL
015F:00471C70 JZ 00471CAA
015F:00471C72 MOV ECX,[EBP-04]
015F:00471C75 MOV EDX,00471CEC

F10 until 00471C69, then F8 to step into the call.
You are here:

015F:0046CCB0 PUSH EBP
015F:0046CCB1 MOV EBP,ESP
015F:0046CCB3 PUSH ECX
015F:0046CCB4 PUSH EBX
015F:0046CCB5 PUSH ESI
015F:0046CCB6 MOV [EBP-04],EDX
015F:0046CCB9 MOV ESI,EAX
015F:0046CCBB MOV EAX,[EBP-04]
015F:0046CCBE CALL 00403DD4
015F:0046CCC3 XOR EAX,EAX
015F:0046CCC5 PUSH EBP
015F:0046CCC6 PUSH 0046CDA4
015F:0046CCCB PUSH DWORD PTR FS:[EAX]
015F:0046CCCE MOV FS:[EAX],ESP
015F:0046CCD1 XOR EBX,EBX
015F:0046CCD3 MOV BYTE PTR [004758B8],00
015F:0046CCDA MOV EAX,004758BC
015F:0046CCDF CALL 004039A4
015F:0046CCE4 MOV EAX,[EBP-04]
015F:0046CCE7 CALL 00403C20 <-- length of the code entered!
015F:0046CCEC CMP EAX,0C <----- must be 12 long!
015F:0046CCEF JNZ 0046CD8E
015F:0046CCF5 MOV EAX,[EBP-04] <------ EAX points to the first char of the code
015F:0046CCF8 CMP BYTE PTR [EAX],38 <- first char must be '8'
015F:0046CCFB JNZ 0046CD8E
015F:0046CD01 MOV EAX,[EBP-04]
015F:0046CD04 CMP BYTE PTR [EAX+02],33 <- char pos 3 must be '3'
015F:0046CD08 JNZ 0046CD8E
015F:0046CD0E MOV EAX,[EBP-04]
015F:0046CD11 CMP BYTE PTR [EAX+03],31 <- char pos 4 must be '1'
015F:0046CD15 JNZ 0046CD8E
015F:0046CD17 MOV EAX,[EBP-04]
015F:0046CD1A CMP BYTE PTR [EAX+04],39 <- char pos 5 must be '9'
015F:0046CD1E JNZ 0046CD8E
015F:0046CD20 MOV EAX,[EBP-04]
015F:0046CD23 CMP BYTE PTR [EAX+08],30 <- char pos 9 must be '0'
015F:0046CD27 JNZ 0046CD8E
015F:0046CD29 MOV EAX,[EBP-04]
015F:0046CD2C CMP BYTE PTR [EAX+09],35 <- char pos 10 must be '5'
015F:0046CD30 JNZ 0046CD8E
015F:0046CD32 MOV EAX,[EBP-04]
015F:0046CD35 CMP BYTE PTR [EAX+0A],53 <- char pos 11 must be 'S'
015F:0046CD39 JNZ 0046CD8E
015F:0046CD3B MOV EAX,[EBP-04]
015F:0046CD3E CMP BYTE PTR [EAX+0B],45 <- char pos 12 must be 'E'
015F:0046CD42 JNZ 0046CD8E
015F:0046CD44 MOV EAX,004758BC
015F:0046CD49 MOV EDX,[EBP-04]
015F:0046CD4C CALL 004039F8
015F:0046CD51 MOV BYTE PTR [004758B8],01
015F:0046CD58 MOV BL,01
015F:0046CD5A XOR EDX,EDX
015F:0046CD5C MOV EAX,[ESI+00000500]
015F:0046CD62 CALL 00439BD4
015F:0046CD67 XOR EDX,EDX
015F:0046CD69 MOV EAX,[ESI+00000514]
015F:0046CD6F CALL 0042A72C
015F:0046CD74 XOR EDX,EDX
015F:0046CD76 MOV EAX,[ESI+00000310]

This is the routine that checks the entered code!
As you can see, the first step is to have the right length of code: 0x0C (12 decimal).
Then come the fixed-character checks shown above.
Recap: 12 chars long and this pattern:

'8 _ 3 1 9 _ _ _ 0 5 S E'


Now you can try for example : '8231967805SE'.
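For readers who do not read x86 assembly, here is the routine at 0046CCB0 written out in C. This is an added example by the editor, not code from the program or from SV; it only re-expresses the length test and the eight CMP/JNZ byte compares listed above, and returns what the routine leaves in AL (1 = accepted, 0 = rejected). The function name and the constructed test strings are the editor's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Editor's C rendering of the check routine at 0046CCB0.
   Each line mirrors one CMP/JNZ pair from the listing above. */
static bool secagent_style_check(const char *code)
{
    if (code == NULL)
        return false;
    if (strlen(code) != 0x0C)      /* CMP EAX,0C: must be 12 long   */
        return false;
    if (code[0] != '8')            /* CMP BYTE PTR [EAX],38         */
        return false;
    if (code[2] != '3')            /* CMP BYTE PTR [EAX+02],33      */
        return false;
    if (code[3] != '1')            /* CMP BYTE PTR [EAX+03],31      */
        return false;
    if (code[4] != '9')            /* CMP BYTE PTR [EAX+04],39      */
        return false;
    if (code[8] != '0')            /* CMP BYTE PTR [EAX+08],30      */
        return false;
    if (code[9] != '5')            /* CMP BYTE PTR [EAX+09],35      */
        return false;
    if (code[10] != 'S')           /* CMP BYTE PTR [EAX+0A],53      */
        return false;
    if (code[11] != 'E')           /* CMP BYTE PTR [EAX+0B],45      */
        return false;
    return true;                   /* MOV BL,01: registered flag set */
}

int main(void)
{
    /* Constructed inputs: the tutorial's example, a too-short code,
       and a code with the wrong last character. */
    const char *samples[] = { "8231967805SE", "12345678", "8231967805SX" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i],
               secagent_style_check(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

Written this way, the weakness is obvious: only 8 of the 12 positions are compared at all, every expected byte is an immediate operand in the code, and the result is a single byte flag. A validator built on a keyed MAC or a signature over a licensee identifier, with the accept decision derived from that verification rather than from a flag a single-stepped comparison can reveal, does not hand over its accepted inputs to anyone with a debugger.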

JOB DONE !!!!

I hope this tutorial will be useful.
SV