For newbies Only
Written by Christal
Published by Tsehp Dec 2001
|
Battle Star 32 |
Font Show |
|
For newbies Only
Written by Christal
Published by Tsehp Dec 2001
|
Battle Star 32 |
Font Show |
|
Gregory
Braun is an old knowledge of many crackers...
One characteristic of this developer is to propose always basic protections, without great renewal in his method
Currently,
its site abounds in a plethora of its small programs having apparently, for those which I could test, ALL the
same protection.
Sothat I have almost bad consciousness by writing this text …
In
short, if one of these programs tries you, buy it, it deserves it well since time...
Last small thing, before starting.
Greg proposes two programs of cryptography on his site. One is BlowFish, and the other is Crypto on the subject
of which Casimir had written a splendid tutor on the way of
reversing the encrypted files.
Battle Star 32
The great classic, against SoftWare Design’s programs, is to look for a string like:
String Resource ID=00998: "Register BattleStar 2000"
String Resource ID=05000: " Register BattleStar 2000"
String Resource ID=05001: "Software registration was successfully completed.
"After a 30 day trial you are required "
"Code"
"Company"
"Register"
"Registered User"
"This software is distributed as "
"This Software is Registered To:"
"UNREGISTERED USER"
"You have been using an unregistered "
By taking the first string, everything is already said …:00406DBB 8B0D40D54100 mov ecx, dword ptr [0041D540] :00406DC1 85C9 test ecx, ecx :00406DC3 7503 jne 00406DC8 :00406DC5 33C0 xor eax, eax :00406DC7 C3 ret* Possible Reference to String Resource ID=00998: "Register BattleStar 2000"
[ 0041D540 ] will be used as Flag which, put at 01, shoed to you a user AD Vitam Eternam...What is however surprising, it is that display while playing on this flag which is nowhere initialized (with 0 or other), will be different from the display of a user registered via the normal way
|
|
|
The
Item " Register " disappeared once 01 was placed in
the Flag [ 0041D540 ]. It is then enough to take a hexadecimal editor, to seek address 0041D540 and to place 01
there.
At the first launching, the software informed the base of registry by putting in the following information of recording:
[HKEY_CURRENT_USER\Software\Software by Design\BattleStar for Windows 95/NT\Registration] "Splash"=dword:00000001 "Organization"="" "User"="" @="30-Day Shareware Trial Evaluation" "Code"=dword:00000000After that, the base of registry will display:
[HKEY_CURRENT_USER\Software\Software by Design\BattleStar for Windows 95/NT\Registration] "Splash"=dword:00000000 "Organization"="Free" > this two information was recovered in "User"="Christal" > the base of registry, and corresponds to those > which you entered at the installation of Windows @="Registered User" "Code"=dword:abaddeed > we shall return on this "code" later
We could there stay here, but the next step can be funny...
The generator of Code:
The entry in the program can be done by a very classic GetDlgItemTextA:
* Reference To: USER32.GetDlgItemTextA, Ord:0104h | :0040E15B Call dword ptr [00416290] :0040E161 pop edi :0040E162 pop esi :0040E163 mov eax, 00000001 :0040E168 pop ebx :0040E169 retThe informations in the three fields of the Reg Box will all be read in this routine and you will land here:
:00407852 call 0040E130 > Get it bla bla bla... :0040786C cmp eax, 0119A792 > Hey, that could be a serial ... :00407871 jne 0040788B * Reference To: KERNEL32.lstrcpyA, Ord:0302h :00407873 mov ebx, dword ptr [00416088] > compares the name entered with * Possible StringData Ref from Data Obj ->"Gregory Braun" :00407879 push 00418528 :0040787E push esi :0040787F call ebx * Possible StringData Ref from Data Obj ->"Software Design" :00407881 push 00418518
In
fact, Gregory Braun has his small personal routine...
But as it is not its name that you wish to register, I imagine that this routine interests you only moderately.
The interesting part will start here:
:0040789E push edi compagny entered :0040789F push esi name entered :004078A0 call 0040DD90 entry of the generator :004078A5 add esp, 00000008 restore the stack :004078A8 cmp ebx, eax serial entered and serial generated :004078AA pop edi recovers EDI on the stack :004078AB je 004078CA jump Good Boy/Bad Boy :004078AD push 0000EACF -> " Register BattleStar 2000" A visit in the call 0040DD90 is essential: 0040DD90 MOV EAX,[ESP+04] eax = name entered 0040DD94 PUSH ESI esi = 0 0040DD95 MOV ESI,[0041D58C] esi = constant1 (ABADDEED)ABADDEED is a constant placed at address:
004063CB MOV DWORD PTR [0041D58C],ABADDEEDAnd if you remember it well, it is it which is placed in the base of registry if the Flag [ 0041D540 ] is put at 01.
0040DD9B PUSH EAX push the address of the name on the stack 0040DD9C OR ESI,00000378 ESI becomes ABADDFFD (easy way!) 0040DDA2 CALL 0040E0C0 routine of the generatorThe generator:
0040E0F4 MOVSX EBX,BYTE PTR [ECX+ESI] EBX = 1 char of the 2ème string (7C) 0040E0F8 MOVSX EBP,[EDX+EAX+41A274] EBP = 1 char of the fste string (7C) 0040E100 IMUL EBX,EBP EBX x EBP (7C x 7C = 3C10) 0040E103 LEA EBP,[ECX+EDI] EBP plays here the role of pointer 1, 2, 3, 4... until concurence of the number of characters composing the size of the name 0040E106 IMUL EBX,EBP 3C10 x 1 0040E109 MOVSX EBP,BYTE PTR [ECX] 1 char of the name (for ex: 63 for "c") 0040E10C IMUL EBX,EBP 3C10 x 63 = 173A30 -> in EBX 0040E10F MOV EBP,[ESP+10] stock the previous result in EBP 0040E113 ADD EBP,EBX add previous result to result EBX 0040E115 INC EDX inc the pointer 0040E116 INC ECX points on the next character of the name 0040E117 CMP EDX,EAX pointer = size of the name? 0040E119 MOV [ESP+10],EBP result calculated above is saved 0040E11D JL 0040E0F4 loops to start again on the following char 0040E11F MOV EAX,EBP EAX = first calculated (in hexadecimal) 0040E121 POP EDI registers are restored 0040E122 POP EBP 0040E123 POP ESI 0040E124 POP EBX 0040E125 POP ECX 0040E126 RET and here took out... 0040DDA7 MOV ECX,[ESP+10] to arrive here 0040DDAB ADD ESI,EAX EAX = serial + ESI = constant2 (ABADDFFD) 0040DDAD PUSH ECX ECX = compagny (if entered) 0040DDAE CALL 0040E0C0 second loop in the routine for the compagny 0040DDB3 ADD ESP,08 0040DDB6 ADD EAX,ESI EAX = good serial in hexa 0040DDB8 POP ESI BINGO! 0040DDB9 RET
It’s just enough any more to enter the good serial converted into decimal, and it is Glop! Glop!
The two strings which are used for coding are:
1st chain
0041A27C 7C 6D 66 4D 31 2F 35 28-21 73 64 24 4D 71 2E 7B |mfM1/5(!sd$Mq.{
0041A28C 73 5D 2B 73 46 6A 74 4B-70 7A 53 64 74 7A 6F 58 s]+sFjtKpzSdtzoX
0041A29C 71 6D 62 5E 41 6C 40 64-76 3A 73 3F 78 2F 00 00 qmb^Al@dv:s?x/..
2d chain
0041A2AC 7C 62 21 70 7A 2A 6C 73-3B 72 6E 7C 6C 66 24 76 |b!pz*ls;rn|lf$v
0041A2BC 69 5E 41 78 70 65 29 72-78 35 61 69 63 26 39 2F i^Axpe)rx5aic&9/
0041A2CC 32 6D 35 6C 73 69 34 40-30 64 6D 5A 77 39 34 63 2m5lsi4@0dmZw94c
0041A2DC 6D 71 70 66 68 77 00 00-4D 41 50 49 53 65 6E 64 mqpfhw..MAPISend
Yet, it is only a trivial serial fishing...
Having downloading another of his productions, I realized that except for the constant ( the magic Number), the routine implanted in this target state identical to that of Battle stars
Icon Extractor
Except for the addresses which change, the plan is dentique as Battle stars:
:00407D8E PUSH EDI EDI = compagny entered :00407D8F PUSH ESI ESI = name entered :00407D90 CALL 0040D7C0 generator :00407D95 ADD ESP,08 :00407D98 CMP EBX,EAX comparison HEXA between serial entered and good serial :00407D9A POP EDI :00407D9B JZ 00407DBA jump good boy/bad boy
What
have we then in variants?
And well not large thing!
The two chains of coding are identical to those of BSTAR32 and state in 0041B628
The only difference relates to the magic number:
:0040D7C0 MOV EAX,[ESP+04] :0040D7C4 PUSH ESI :0040D7C5 MOV ESI,[00420144] constant = ED0990DE :0040D7CB PUSH EAX initialised in 0040420B :0040D7CC OR ESI,00000378 which becomes ED00993FE :0040D7D2 CALL 0040DDC0 generator
It’s
a copy/paste of the previous plan.
So that I had an idea (it’s arrive to me, but not often...)
The magic figure is initialized so in BSTAR:
:004063C5 68E8030000 push 000003E8 :004063CA 50 push eax :004063CB C7058CD54100EDDEADAB mov dword ptr [0041D58C], ABADDEEDAnd so in Icon Extractor:
:00404205 68E8030000 push 000003E8 :0040420A 50 push eax :0040420B C70544014200DE9009ED mov dword ptr [00420144], ED0990DE
You see blow coming if all the last generation of Gregory's programs uses:
-The
same routine of generation
-The same character strings
-The same
68E803000050C7
??????????????????????????????????????????????????????????????????????????
Almost in a case, the chain 68E803000050C705 is common to all the programs
By looking on another piece of code
:0040DD90 8B442404 mov eax, dword ptr [esp+04] :0040DD94 56 push esi :0040DD95 8B358CD54100 mov esi, dword ptr [0041D58C] > addess of Magic Number :0040DD9B 50 push eax :0040DD9C 81CE78030000 or esi, 00000378The same combination is found in EVERY case:
90 8B 44 24 04 56 8B 35
Leaving
from there, it is enough to go to read the value of the magic number at the
time of its initialization, then to realize a KeyMaker by using the Magic
Number returned, to obtain a little
programm
applicable to all the Gregory Braun's softwares...
To create the dialogBox, I used Regenerator, a tool founded on Titi's site. Due to the lack of artistic sense, time, (and equipped with a laziness so big), I used a part of the handwritting Regenerator.
I know, it is bad...
Synopsis
-
Open the target file
- Gets back the size of the file and creates an image in memory of it ( MAP)
- Verify that it is the feasible, and that another file is not opened already.
- Look for the string 90 8B 44 24 04 56 8B 35 by a scan of the file beginning with the value90 h.
- If one 90h is found, verifies the validity of the next 7 values.
- If not Good, begins again the scan
- If Good, gets back the address where is initialized Magic Number
- Scan again the file in search of this address
- Control that found address is well preceded by C705
C705 (Mov Dword) 44014200 (address) DE9009E (magic Number)
- Get back the Magic Number
- UnMap the file
- Close the handle of the file
- Get the first field ( Name)
- Get the second field ( Compagny)
- Generate the serial:
- Convert the serial generated to hexa in decimal not signed
( FFFFFFFF Is as well equal to 4294967295 as to-1)
- Show the serial
.386
.MODEL flat,stdCALL
option casemap:none
assume fs:nothing
INClude \masm32\INClude\windows.INC
INClude \masm32\INClude\user32.INC
INClude \masm32\INClude\kernel32.INC
INClude \masm32\INClude\gdi32.INC
INClude \masm32\INClude\comdlg32.INC
INClude \masm32\INClude\masm32.INC
INClude \masm32\INClude\comctl32.INC
INClude \MASM32\INCLUDE\shell32.INC
INClude \masm32\INClude\PDBS.INC
INCludelib \masm32\lib\user32.lib
INCludelib \masm32\lib\kernel32.lib
INCludelib \masm32\lib\gdi32.lib
INCludelib \masm32\lib\comdlg32.lib
INCludelib \MASM32\LIB\Comctl32.lib
INCludelib \masm32\lib\masm32.lib
INCludelib \MASM32\LIB\shell32.lib
DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
Aboutproc PROTO :DWORD,:DWORD,:DWORD,:DWORD
OpenPEFile PROTO :DWORD,:DWORD
ClosePEFile PROTO :DWORD
UnmapFiLEAndHold PROTO :DWORD
MapFile PROTO :DWORD
.DATA
Buttclass db "BUTTON",0
EDItclass db "EDIT",0
RGN db "RGN",0
RGN1 db "RGN1",0
ID_Exit equ 2086
ID_About equ 2087
ID_Gen equ 2088
ID_Copy equ 2084
caption db "Gregory Braun's Universal KeyMaker",0
No_Name db "Minimum one character !",0
not_pe db "Not a valid PE file",0
error_open db "No file loaded",0
not_found db "No Key founded",0
PasGlop db "Magic Number not active",0
Found_magic db "Magic Number founded",0
FilterString db "Executables Files",0,"*.exe",0
db "All Files",0,"*.*",0,0
format db "%u",0 ; conversion in decimal not signed
string1 db 23h, 73h, 65h, 72h, 42h, 26h, 6Eh, 7Ah
db 7Ch, 6Dh, 66h, 4Dh, 31h, 2Fh, 35h, 28h, 21h, 73h, 64h, 24h, 4Dh, 71h, 2Eh, 7Bh
db 73h, 5Dh, 2Bh, 73h, 46h, 6Ah, 74h, 4Bh, 70h, 7Ah, 53h, 64h, 74h, 7Ah, 6Fh, 58h
db 71h, 6Dh, 62h, 5Eh, 41h, 6Ch, 40h, 64h, 76h, 3Ah, 73h, 3Fh, 78h, 2Fh, 00
string2 db 7Ch, 62h, 21h, 70h, 7Ah, 2Ah, 6Ch, 73h, 3Bh, 72h, 6Eh, 7Ch, 6Ch, 66h, 24h, 76h
db 69h, 5Eh, 41h, 78h, 70h, 65h, 29h, 72h, 78h, 35h, 61h, 69h, 63h, 26h, 39h, 2Fh
db 32h, 6Dh, 35h, 6Ch, 73h, 69h, 34h, 40h, 30h, 64h, 6Dh, 5Ah, 77h, 39h, 34h, 63h
db 6Dh, 71h, 70h, 66h, 68h, 77h, 00
magic db 8Bh, 44h, 24h, 04h, 56h, 8Bh, 35h, 00 ; chain to be founded
key_tmp DWORD 0
buffer_tmp DWORD 0
Flag_PE DWORD 0
maphandle DWORD 0
map_ptr DWORD 0
size_of_file DWORD 0
entry DWORD 0
ImageBase DWORD 0
magic_nb DWORD 0
size_of_name DWORD 0
; structure
ofn OPENFILENAME <>
PEFILE struct
pBase DWORD ?
hFile HANDLE ?
hMap HANDLE ?
PEFILE ends
.DATA?
@name dd 80 dup (?)
@comp dd 80 dup (?)
Key dd 80 dup (?)
Directory db 512 dup (?)
PE_File db 512 dup (?)
temp dd ?
compteur db ?
desktopDC dd ?
isCapture db ?
hEDIt dd ?
hEDItDC dd ?
hEDItDC2 dd ?
hInst dd ?
hRGN dd ?
hRGN2 dd ?
hRGN4 dd ?
hRGN6 dd ?
hResource dd ?
ResourcESIze dd ?
CursorPos POINT <?>
CursorPos2 POINT <?>
RectRgn RECT <?>
.CODE
start:
INVOKE GetModuleHandle, 0
MOV hInst, EAX
INVOKE DialogBoxParam,EAX, 100, 0, DlgProc,0
INVOKE ExitProcess, 0
DlgProc proc hDlg:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
LOCAL stEnum[8]:BYTE ; 4 for RVA, 4 for RETurn value
.IF uMsg==WM_COMMAND
MOV EAX,wParam
.IF ax==6001
INVOKE DialogBoxParam,hInst, 102, 0, Aboutproc,0
.ENDIF
.IF ax==6002
CALL OpenDialog
.IF EAX == 0
INVOKE SetDlgItemText,hDlg,103,OFFSET error_open
RET
.ENDIF
PUSHAD
INVOKE CreateFile, ADDR Directory, GENERIC_READ/
or GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL
PUSHAD
INVOKE GetFileSize,EAX,NULL
MOV DWORD PTR [size_of_file], EAX
POPAD
INVOKE OpenPEFile,ADDR Directory,ADDR PE_File
CMP EAX,0
JE not_valid_pe
.IF EAX == 2
INVOKE SetDlgItemText,hDlg,103,OFFSET not_found
POPAD
RET
.ENDIF
POPAD
MOV BYTE PTR [Flag_PE],01
INVOKE SetDlgItemText,hDlg,103,OFFSET Found_magic
RET
not_valid_pe:
POPAD
INVOKE SetDlgItemText,hDlg,103,OFFSET not_pe
MOV BYTE PTR [Flag_PE],00
XOR EAX,EAX
.ENDIF
.IF ax==6003
.IF [Flag_PE] == 01
PUSHAD
MOV DWORD PTR [key_tmp],0
INVOKE RtlZeroMemory,OFFSET @name,1264
INVOKE GetDlgItemText,hDlg,102,OFFSET @name,80 ; Get 80 char maxi
MOV DWORD PTR[size_of_name],EAX
CMP EAX, 00 ; name minimum one character
JLE no_gen
LEA EBX, OFFSET @name
CALL generator
INVOKE GetDlgItemText,hDlg,104,OFFSET @comp,80
MOV DWORD PTR[size_of_name],EAX
CMP EAX,0 ; field "compagny" empty ?
JE no_comp
LEA EBX, OFFSET @comp
CALL generator
no_comp:
INVOKE wsprintfA,ADDR Key,ADDR format,DWORD PTR [key_tmp] ; conversion HEX 2 ASCII
.IF EAX == 0
INVOKE SetDlgItemText,hDlg,103,OFFSET PasGlop
.ELSE
INVOKE SetDlgItemText,hDlg,103,OFFSET Key
.ENDIF
POPAD
RET
no_gen:
INVOKE SetDlgItemText,hDlg,103,OFFSET No_Name
.ELSE
INVOKE SetDlgItemText,hDlg,103,OFFSET PasGlop
.ENDIF
.ENDIF
.IF ax==6004
INVOKE ExitProcess,NULL
.ENDIF
;-------- Gestion des déplacements de la DialogBox -----------
;-------- Extrait d'un source de Libthium -----------
.ELSEIF uMsg==WM_MOUSEMOVE
.IF isCapture==TRUE
INVOKE InvertRgn,desktopDC,hRGN2
INVOKE DeleteObject,hRGN2
INVOKE CreateRectRgn,0,0,1,1
MOV hRGN2,EAX
INVOKE CombineRgn,EAX,hRGN,EAX,5
INVOKE GetCursorPos,OFFSET CursorPos2
MOV EAX,CursorPos2.x
SUB EAX,CursorPos.x
MOV EDX,CursorPos2.y
SUB EDX,CursorPos.y
INVOKE OffsetRgn,hRGN2,EAX,EDX
INVOKE InvertRgn,desktopDC,hRGN2
.ENDIF
.ELSEIF uMsg==WM_LBUTTONUP
.IF isCapture==TRUE
INVOKE InvertRgn,desktopDC,hRGN2
INVOKE GetRgnBox,hRGN2,OFFSET RectRgn
SUB RectRgn.left,5
SUB RectRgn.top,38
INVOKE MoveWindow,hDlg,RectRgn.left,RectRgn.top,400,350,1
INVOKE DeleteObject,hRGN2
INVOKE ReleaseCapture
MOV isCapture,FALSE
.ENDIF
.ELSEIF uMsg==WM_CTLCOLOREDIT
INVOKE SetTextColor,wParam,0C0C0C0h
INVOKE SetBkColor,wParam,Black
INVOKE GetStockObject,BLACK_BRUSH
RET
.ELSEIF uMsg==WM_LBUTTONDOWN
INVOKE UpdateWindow,hDlg
INVOKE GetCursorPos,OFFSET CursorPos
INVOKE CreateRectRgn,0,0,1,1
MOV hRGN2,EAX
INVOKE CombineRgn,EAX,hRGN,EAX,5
INVOKE GetDesktopWindow
INVOKE GetWindowDC,EAX
MOV desktopDC,EAX
INVOKE InvertRgn,desktopDC,hRGN2
MOV isCapture,TRUE
INVOKE SetCapture,hDlg
.ELSEIF uMsg==WM_CLOSE
INVOKE PostQuitMessage,0
.ELSEIF uMsg==WM_INITDIALOG
; création des boutons
INVOKE BmpButton,hDlg,287, 30,200,203,6001 ; About
INVOKE BmpButton,hDlg,318, 83,202,201,6002 ; Search
INVOKE BmpButton,hDlg,320,140,204,205,6003 ; Serial
INVOKE BmpButton,hDlg, 58,118,206,207,6004 ; Exit
INVOKE FindResource, 0, 170, OFFSET RGN
MOV hRGN, EAX
INVOKE LoadResource, 0, EAX
MOV hResource, EAX
INVOKE SizeofResource, 0, hRGN
MOV ResourcESIze, EAX
INVOKE LockResource, hResource
MOV hResource, EAX
INVOKE ExtCreateRegion, 0, ResourcESIze, hResource
MOV hRGN, EAX
INVOKE SetWindowRgn, hDlg, hRGN, TRUE
INVOKE SendDlgItemMessage,hDlg,102,EM_LIMITTEXT,21,0
.ELSE
XOR EAX,EAX
RET
.ENDIF
@endmsg:
or EAX,-1
RET
DlgProc endp
;---------------affichage de la boite ABOUT----------------------
Aboutproc proc hwin:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
.IF uMsg==WM_COMMAND
MOV EAX,wParam
.IF ax==6005
INVOKE EndDialog,hwin,0
RET
.ENDIF
.ELSEIF uMsg==WM_CLOSE
INVOKE PostQuitMessage,0
.ELSEIF uMsg==WM_INITDIALOG
INVOKE BmpButton,hwin,85,108,208,209,6005 ; Exit
INVOKE FindResource, 0, 171, OFFSET RGN
MOV hRGN4, EAX
INVOKE LoadResource, 0, EAX
MOV hResource, EAX
INVOKE SizeofResource, 0, hRGN4
MOV ResourcESIze, EAX
INVOKE LockResource, hResource
MOV hResource, EAX
INVOKE ExtCreateRegion, 0, ResourcESIze, hResource
MOV hRGN4, EAX
INVOKE SetWindowRgn, hwin, hRGN4, TRUE
.ELSE
XOR EAX,EAX
RET
.ENDIF
@endmsg:
or EAX,-1
RET
Aboutproc endp
;---------------------Generateur de code-------------------------
generator proc
MOV DWORD PTR [buffer_tmp],0 ; erase memory
MOV ESI, DWORD PTR [magic_nb] ; stock magic number
CMP ESI, 00
JE no_magic
or ESI,00000378h ; beginning of the generator
PUSH ESI
PUSH EBP
LEA ESI, OFFSET string2
XOR EDX,EDX
XOR EDI,EDI
INC EDI
SUB ESI,EBX
MOV ECX,EBX
SUB EDI,EBX
loop1:
MOVSX EBX,BYTE PTR [ECX+ESI] ; EBX = 1 char of the 2d chain
MOVSX EBP,BYTE PTR [EDX+EAX+string1] ; EBP = 1 char of the 1st chain
IMUL EBX,EBP ; EBX x EBP (7C x 7C = 3C10)
LEA EBP,[ECX+EDI] ; EBP is a pointer
IMUL EBX,EBP ; 3C10 x 1
MOVSX EBP,BYTE PTR [ECX] ; 1 char of the name entered
IMUL EBX,EBP ; 3C10 x 63 = 173A30 -> in EBX
MOV EBP,DWORD PTR [buffer_tmp] ; previous result in EBP
ADD EBP,EBX ; add previous result at EBX
INC EDX ; Inc the pointer
INC ECX ; next character of the name
CMP EDX,EAX ; pointer = size of name ?
MOV DWORD PTR [buffer_tmp],EBP ; résult calculated above is stored
JL loop1 ; loop on next character
MOV EAX,EBP ; EAX = 1st serial calculated (in hexdécimal)
POP EBP
POP ESI
CMP DWORD PTR [@comp],0 ; if the field "compagny" is empty
JNE no_ADD ; magic number not added a 2d time
ADD EAX,ESI
no_ADD:
ADD DWORD PTR [key_tmp],EAX
XOR EAX, EAX
INC EAX
RET
no_magic:
XOR EAX, EAX
RET
generator endp
;---------------------------- Brownse -----------------------------------
OpenDialog PROC hWin:DWORD
INVOKE RtlZeroMemory,OFFSET key_tmp,80h ; erase memory
CMP DWORD PTR [Directory],0 ; if a file is already open
JE @F
INVOKE ClosePEFile, ADDR PE_File ; UnMap the file
MOV DWORD PTR [Flag_PE], 0
@@: MOV [Directory],00 ; erase memory
MOV ofn.lStructSize, SIZEOF ofn
MOV ofn.lpstrFilter, OFFSET FilterString
MOV ofn.lpstrFile, OFFSET Directory
MOV ofn.nMaxFile, 512
MOV ofn.Flags, OFN_FILEMUSTEXIST or \
OFN_PATHMUSTEXIST or OFN_LONGNAMES or\
OFN_EXPLORER or OFN_HIDEREADONLY
INVOKE GetOpenFileName, OFFSET ofn ; open the box "OpenFile"
CMP EAX, FALSE ; stores info in structure ofn
JNZ EndOD
XOR EAX,EAX
RET
EndOD:
RET
OpenDialog ENDP
;--------------contrôle que le fichier est un exécutable------------------
OpenPEFile proc szName:DWORD, pPEFile:DWORD
LOCAL stEnum[8]:BYTE ; 4 for RVA, 4 for RETurn value
.IF ( EAX == INVALID_HANDLE_VALUE ) ; no handle returned by OpenFileName
XOR EAX,EAX
RET
.ENDIF
MOV ECX, pPEFile
MOV (PEFILE ptr [ECX]).hFile, EAX
INVOKE MapFile, pPEFile
.IF ( !EAX )
XOR EAX,EAX
RET
.ENDIF
MOV EAX, DWORD PTR [pPEFile]
MOV ECX, [EAX]
.IF ( WORD PTR [ECX] != 'ZM' ) ; DOS header?
XOR EAX,EAX
RET
.ENDIF
MOV EDI, ECX
MOV DWORD PTR [entry],EDI
PUSH EDI ; push beginning address of the target
MOV EAX, pPEFile
MOV EAX, (PEFILE ptr [EAX]).pBase
ADD EAX, (IMAGE_DOS_HEADER ptr [EAX]).e_lfanew
.IF ( WORD PTR [EAX] != 'EP' ) ; PE header?
XOR EAX,EAX
RET
.ENDIF
; recherche de la combinaison
; ---------------------------
MOV ECX, DWORD PTR [size_of_file] ; size of target file
POP EDI ; beginning address of the target
MOV al, 90h ; 1st value to found
loop2:
REPNZ SCASB
TEST ECX, ECX ; si ECX =0 -> all the file as been seen
JNE found1
MOV EAX,2 ; and the value not founded
RET ; SCAS as found a 90h
found1:
XOR EDX,EDX ; pointer = 0
loop3:
MOV bl, BYTE PTR [magic+EDX] ; pointe on next value of the chain searched
CMP BYTE PTR [EDI+EDX],bl ; if not egual EDI+pointer
JNE loop2 ; found a other value 90h
INC EDX ; inc pointer
CMP EDX,07 ; all value have been seen ?
JNE loop3 ; verify next value
; récupération de l'adresse
;--------------------------
ADD EDI, 07 ; pointe on the @ where the magic number is initialized
MOV ESI, DWORD PTR [EDI] ; get back the adresse
MOV DWORD PTR [buffer_tmp], ESI ; remember the address
MOV ECX, DWORD PTR [size_of_file] ; beguin again a scan
MOV EDI, DWORD PTR [entry] ; in search of this address in the target
MOV al, BYTE PTR [buffer_tmp]
loop4:
REPNZ SCASB
TEST ECX, ECX
JNE found2
XOR EAX,EAX
RET
found2:
XOR EDX,EDX
loop5:
MOV bl, BYTE PTR [buffer_tmp+1+EDX]
CMP BYTE PTR [EDI+EDX],bl
JNE loop4
INC EDX
CMP EDX, 03
JNE loop5
CMP WORD PTR [EDI-3], 05C7h ; verify that it is indeed about the good line
JNE loop4
; récupération de la clé
;-----------------------
MOV EAX, DWORD PTR [EDI+3] ; get back the magic number
MOV DWORD PTR [magic_nb],EAX ; remember it
MOV EAX,1
RET
OpenPEFile endp
;-------------------------------------------------------------------------
ClosePEFile proc pPEFile:DWORD
INVOKE UnmapFiLEAndHold, pPEFile
MOV EAX, pPEFile
INVOKE CloseHandle, (PEFILE ptr [EAX]).hFile ; close the Handle of the current target file
RET
ClosePEFile endp
;-------------------------------------------------------------------------
UnmapFiLEAndHold proc pPEFile:DWORD
MOV ECX, pPEFile
INVOKE UnmapViewOfFile, DWORD PTR [ECX] ; UnMap the target file
MOV ECX, pPEFile
INVOKE CloseHandle, (PEFILE ptr [ECX]).hMap
RET
UnmapFiLEAndHold endp
;-------------------------------------------------------------------------
MapFile proc pPEFile:DWORD
MOV EAX, pPEFile
MOV EAX, (PEFILE ptr [EAX]).hFile
INVOKE CreateFileMapping, EAX, NULL, PAGE_READWRITE, 0, 0, NULL
.IF ( !EAX )
MOV EAX, pPEFile
INVOKE CloseHandle, (PEFILE ptr [EAX]).hFile
RET
.ENDIF
MOV ECX, pPEFile
MOV (PEFILE ptr [ECX]).hMap, EAX
MOV maphandle,EAX
INVOKE MapViewOfFile, EAX, FILE_MAP_READ or FILE_MAP_WRITE, 0, 0, 0
.IF ( !EAX )
MOV EAX, pPEFile
INVOKE CloseHandle, (PEFILE ptr [EAX]).hMap
INVOKE CloseHandle, (PEFILE ptr [EAX]).hFile
RET
.ENDIF
MOV ECX, pPEFile
MOV (PEFILE ptr [ECX]).pBase, EAX
MOV map_ptr,EAX
RET
MapFile endp
end start
|
Have a good day