Exetools  

#1
02-07-2004, 14:02
bartster
questions about code

I am looking at some code in a dll that I am trying to make sense of and I have a few questions about what I see. Hopefully someone can give me some answers.

Here are some examples:

aSourceoffercodeGetoffercodenum db 'SourceOfferCode::GetOfferCodeNum',0
; DATA XREF: sub_0_60765B04+15o
align 4
aInt__cdeclSourceoffercodeGetoffercodenumVoid db 'int__cdecl SourceOfferCode::GetOfferCodeNum(void)',0
; DATA XREF: sub_0_60765B04+10o
align 4
a05d db '%05d',0 ; DATA XREF: sub_0_60765CF3+1Fo
align 4

#1. What does the "align 4" do and what effect does it have on the program?

#2. What does the "(void)" do and why is it used?

#3. I see a comma with a 0 after it at the end of almost every line. What does it do?

#4. Refer to example below:
I see dd and db and offset used a lot. Why and how is it used? I also have no idea what the next 2 lines do and why they are used. I know the numbers refer to a specific line in the code but that's all I know. The "sub" and "unk" also have me stumped.

dd offset sub_0_60766684
dd offset unk_0_607CB100

#5. Is there a place where I can get this info for myself so I don't have to keep asking questions here? It would be great if I had a reference of some kind that I could refer to that would explain all this stuff! I hate to bother people with these basic things.

I hope I didn't make this too long and ask too many questions!

#2
02-07-2004, 17:22
Kythen
Ok, let's see if I can give you a hand here...

#1. align 4 is simply an assembler directive that indicates there is padding (junk bytes) to align the next data item onto a DWORD boundary (4 bytes).

#2. void is a term from C/C++ that in this case means there are no parameters to that function. void can also be used in C/C++ as a return type to indicate that the function does not return a value.

#3. Different high-level languages store strings in different ways. C/C++ style strings consist of the string data followed by a 0 (zero) byte. This 0 byte determines the end of the string.

#4. dd, dw, and db are all mnemonics used by most x86 assemblers to define data. dd = DWORD data (4 bytes), dw = WORD data (2 bytes), db = BYTE data (1 byte). You can define more than one data element per dd/dw/db line. OFFSET means that the data is an address of something else. sub_ is just a prefix IDA Pro uses for auto-naming subroutines (functions). unk_ is the prefix for data that IDA hasn't figured out the size or use of.

#5. Well, naturally there's always our best internet friend Google. However, I think some good books on C/C++ and x86 assembly should help you out a lot. hxxp://win32asm.cjb.net has a lot of good win32 assembly tutorials and a board where you can ask win32 asm questions.

Hope this helps!
#3
02-10-2004, 01:30
bartster
Thanks a lot for the help. I really appreciate it. I have been doing a lot of reading and I did find some reference material that helped me out. I still have a few more questions about code that it would be nice to figure out.

#1. What is the difference between "cmp" and "test"? I read about the operations and I still don't get it.

#2. This is the hardest thing for me to understand right now. I am having trouble figuring out whether or not conditional jumps are taken. I know that it goes by the result of what the previous operation was and whether or not a flag is set with a "1" or a "0", or the contents of some register is compared with a value. Comparing a hex# to a register is easy and I understand that and can determine if a jump is taken that way. I just can't figure out what the result of the test or cmp would be on my own. It is either the same or it isn't. When is it "0" and when is it "1"?

#3. Here is another example of what I don't understand. The jnz in the code below means jump short if not 0 to 604dfdd0. The operation right before that is a mov. How do you determine whether or not it is 0 from a mov? Maybe it refers to the test right before that and not the mov?

call SUB_L60431030
mov ebx,eax
test ebx,ebx
mov [esp+28h],ebx
jnz L6042FDD0
mov [esp+3Ch],al
jmp L6042FF4B

#4. What is the best program to use to modify the code of a dll or exe? I want to change some conditional jumps to unconditional jumps and some to nop too. I have all the programs you guys use and can't figure out which one can do that. All I can do right now is look at it.

#5. I know the program I'm working on has some sort of protection built into it. Is there a way that I can determine what protection a program uses? Whether it be armadillo or asprotect or acprotect or whatever. I need to read about the copy protection that my application uses so I can understand it better!

I sure would appreciate it if kythen or someone would take the time to explain this stuff.

Thanks a lot!
#4
02-10-2004, 02:14
Satyric0n
Regarding #1, #2, #3, and #4, you need to download the IA-32 instruction set reference manual from Intel. You can find it here:

hxxp://www.intel.com/design/pentium4/manuals/253666.htm (part 1, A-M)
- and -
hxxp://www.intel.com/design/pentium4/manuals/253667.htm (part 2, N-Z)

#1: As the instruction set reference explains (and in detail; it is written by Intel, after all, the makers of the instructions), a CMP "compares the first source operand with the second source operand and sets the status flags in the EFLAGS register according to the results. The comparison is performed by subtracting the second operand from the first operand and then setting the status flags in the same manner as the SUB instruction." A TEST "computes the bit-wise logical AND of first operand (source 1 operand) and the second operand (source 2 operand) and sets the SF, ZF, and PF status flags according to the result." So, basically, a TEST can only determine whether or not 2 values are equal, while a CMP can also determine which value is largest. You may wonder why TEST even exists, since CMP can do what TEST does and then some: basically, TEST is faster, though with modern processor speeds, one would never actually see a difference.

#2: Again, read Intel's description of the various comparison instructions, and then if you still don't understand, come ask again.

#3: In the instruction set reference, the description for every instruction will say what flags that instruction affects. In your example specifically, you would see that with TEST, "the OF and CF flags are set to 0. The SF, ZF, and PF flags are set according to the result," and that MOV affects no flags. Thus, the JNZ is using the results of the TEST, not the MOV.

#4: You need to use a hex editor to change the code (WinHex is generally considered the best here, though some people like HIEW for whatever reason). ASM is just a readable (to some people, anyway) representation of the raw numeric instructions that get fed to the CPU. In the instruction reference, you will see the byte codes for each instruction in hex. Basically, you need to figure out what byte codes correspond to the asm you want to put in the code, and use a hex editor to actually put it in. Squidge's excellent (but now defunct) RTA utility is greatly helpful here -- it shows you the byte codes for any given asm statement that you can just then copy/paste into your hex editor.

Regarding #5, generally you use a PE scanner, and it tells you what protection (if any) a program uses. Popular PE scanners are PE iDentifier by snaker (my personal favorite), UN-PACK by Snow Panther, TrID by Marco, and retool by OHPen. There are others also, but these generally do the trick. After a while, you will generally be able to recognize a protection just by its behavior and code.

Regards,
Satyric0n

#5
02-10-2004, 02:26
least
Hi,
#1: CMP means comparing two values, with the result (I mean the flags) almost the same as SUB, but neither of the values is changed. TEST is quite the same, but the operation behind it isn't SUB but AND.

#2: Look at some Intel instruction reference for what all the flags mean - I mean Zero flag, Carry flag and so on. Then look at the reference again for the instruction that interests you to find what flags are influenced by it. For example CMP EAX,EAX does something like SUB EAX,EAX so the result is zero => ZF is set and JZ, JE, ... will jump.

#3: As above, you could find that MOV doesn't change the flags, which means that the jump is based on the result of TEST EBX,EBX, which does change them.

#4: Everyone likes something else. A good choice for me is HIEW or its free bro BIEW, which also contains a disassembler and many other goodies. Some like HexEdit or UltraEdit (good copy/paste) or anything else. Just try and find what suits you best.

#5: Try PEiD or something like that, it can identify it for you (in most cases).
Hope it helps
least
#6
02-11-2004, 02:19
bartster
Ok guys,

I got the intel instruction set reference and did a lot of reading so I understand the asm code a lot better now than I did before. Not completely yet but hopefully with time I will understand more. Thanks for the good advice, info and the links!

There's just 1 thing now that I can't figure out! I am using IDAPRO for my disassembler and I have winhex as my hex editor.
I have read through the help of both programs extensively and I have searched google as well and I am still stumped! Probably something simple I'm missing.

My problem is that I can't figure out how to find the offset that I want to change in winhex. In IDA I found that I wanted to change a jz to a jmp at 60748BE5+45E. When I switch to the hex view in IDA I also see that same reference# and I see where the hex numbers are that I want to change. When I go to winhex to find that address I have no clue how to get there. It starts with all 0's then increments by 10 up to 232FF0. So I just need to know how to cross reference the address I see in IDA with the offset in winhex.

I got PEID and used it on the dll I am working on. For the subsystem it says "WIN32GUI" and below that it says "Microsoft Visual C++ 7.0 DLL Method 3". I would assume it is referring to the compiler that was used. Then I used it on the exe and it says the same thing for the subsystem and below it says "Nothing Found[Overlay]". Am I to assume that this program has no protection? It would seem strange if it didn't. I still don't know what protection my program uses if any at all.

Sorry for being so long winded and writing essays. Just trying to make sure everything is clear.

Thanks!
#7
02-11-2004, 02:33
Satyric0n
The address seen in IDA is the VA (virtual address), the address you need in WinHex is the File Offset. Generally,

Offset = VA - Image Base (usually 0x400000) - (code section VOffset - code section ROffset).

PE editors like LordPE and PE Tools are useful in this regard, and will tell you the Offset for a given VA (or vice-versa) for any given file. In LordPE and PE Tools specifically, click on FLC to get to this.

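The VA-to-offset rule from the post, carried through as an added example (not the poster's code, nor LordPE's): it walks the PE section table so the mapping works for any section, not only the code section, and the header bytes are constructed inline so it runs offline. Function and variable names are the example's own.

```python
import struct

def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a virtual address (as IDA shows it) to the raw file offset a hex
    editor uses, by locating the section whose virtual range contains it."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                    # PE32
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                                  # PE32+
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    rva = va - image_base
    sec = opt + opt_size                                  # first IMAGE_SECTION_HEADER
    for _ in range(num_sections):
        _name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, sec)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            if rva - vaddr >= rawsize:
                raise ValueError("address is in the section's uninitialised tail")
            # The post's formula: VA - ImageBase - (VOffset - ROffset)
            return rva - vaddr + rawptr
        sec += 40
    raise ValueError("address not inside any section")

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header (not a real binary): ImageBase 0x400000,
    one .text section at RVA 0x1000 backed by file offset 0x400."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1800, 0x1000,
                       0x1A00, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + opt + text

if __name__ == "__main__":
    pe = build_sample_pe()
    va = 0x401234
    print(f"VA {va:#x} -> file offset {va_to_file_offset(pe, va):#x}")   # 0x634
```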
#8
02-11-2004, 16:09
least
Hi,
when you are in IDA, look at the bottom of the window, you'll see some info there; for me the fourth is the offset that you need to find in winhex. Also when you use HIEW or BIEW, you can turn on relative addresses, which will be the same as IDA uses in the disassembly.
Concerning PEiD, it identifies mainly commercial or well-known protections; when it says nothing, the program can still be protected. The best way to find out if there is any protection is to make it trigger and see how it works. Do you suppose that there is a CRC check? Try to change something unimportant (like a char in the "This program doesn't run in DOS" NAG in the PE header, or some nulls at the end of the code section) and see what's going on. And so on. Also pay attention to the strings you can find in it. Remember, gain as much knowledge on your adversary as you can before you start messing with him.
Regards,
least
#9
02-11-2004, 17:06
Nilrem
Bartster, one of the best ways to learn Assembly, apart from reading a book/other sources, would be to actually write a program in (C++) for example, then disassemble it, because that way, before you've even disassembled the file you know what it should be doing.
#10
02-13-2004, 05:09
bartster
Thanks Everyone,

You all helped me out a lot. I used LordPE to do the conversion for me and it took me right to the offset where I made some changes.

Still having some trouble with some code so I might as well just continue on in the thread.

I have spent many many hours trying to find the code that calls the nag window in my program. I have searched through a dozen or more exe's and dll's and still nothing. I did find out that it is a function call to user32.dll from some dll or exe that is loaded with my program. I searched the net for lists of functions that this dll uses and found a few without much explanation but not the whole list.

I decided that it would be easier to use softice and set some breakpoints on some of the functions that I found. I read through some tutorials about using softice and removing the nag window. I set up 8 functions for softice to break on and the program still won't break when the message box comes up! Obviously I'm not using the correct function!

These are the ones that I set:

createdialogparama
dialogboxparama
registerclipboardformata
messageboxa
sendmessagea
postmessagea
getwindow
getwindowrect

I am really frustrated and stumped! All I need to do is find the code where it is called and the dll or exe that calls it! Once I have that I know the nag window will be history!

Since I can't get a list of the functions and an explanation of what they do I don't know what other functions I could add to softice that would make it break.

What I'm looking for is a website with a list of functions or a pdf document for user32.dll. Searched the microsoft website and couldn't find anything. Even better yet would be a list AND an explanation as well. If that isn't possible then maybe someone can give me some function names that I can try in softice that might make it break or an alternative way to find the code for it.

Thanks Guys!
#11
02-13-2004, 05:22
Satyric0n
Finding these functions and what they do is what MSDN is for.

An old version of MSDN is on the FTP, but you can also browse MSDN online at hxxp://msdn.microsoft.com. The easiest way to search for function descriptions there is to do a Google search with site:msdn.microsoft.com specified along with the name of the function.

One suggestion I have, if you are frustrated and stumped, is to not use SoftICE. For all its power, it is often inconvenient, and I would recommend using OllyDbg instead.

Depending on the type of nag screen (is it a dialog box? a message box? a fullblown form?), I would try the following methods:

CreateWindow
CreateWindowEx
CreateDialog
DialogBox
MessageBox
SetDlgItemText

Also, depending on the type of nag screen, if you pause your application while the nag screen is showing, often the call stack will point you to the exact line of code that created the nag.

If you wanted some real help, you could always tell us the name of the application you are having trouble with, you know...

Regards,
Satyric0n
#12
02-13-2004, 08:09
bartster
I guess I should have said what the program was in my last post. I'm working on QuickBooks Premier 2004 Trial.

The nag screen is just a small dialog box with an ok button and some text that says "The trial period has ended. You have no more uses left." It has the colored bar at the top that says "QuickBooks Information". It also has the light blue information balloon on the side with the "i" in the middle. It looks very similar to the ones that you see in a web browser that pop up annoyingly with an ok button.

I will try to search for some functions on the microsoft website again; hopefully I will be more successful this time.

As for softice, I don't like using it, but I went to it because I couldn't get anywhere with ollydbg. When I run the program in ollydbg, about halfway before the nag window comes up, I get a message that says that the injected code is not responding and asks if I want to wait for 5 seconds. Whether I click yes or no the window just keeps popping up again and again and I can go no further. I have to manually shut it down. I also use the plugins isdebugger present and hide debugger. I don't have much knowledge or experience with these programs so it looks like either way I'm stuck unless someone can help me out. I like ollydbg much better than softice anyway and would much rather use it if I could get it to work properly.

Thanks again for all the great help!
I will try those functions in softice and see if I can get it to break.
#13
02-13-2004, 08:20
Satyric0n
Is QuickBooks Premier 2004 Trial available for download, or is it available on CD only?
#14
02-13-2004, 09:53
bartster
It's only available on CD.

Like I said on my other thread, it's about 360 meg packed with winrar. It has the premier, pro, and basic versions. 1 install program for all 3. Each program by itself is about 250 meg. I tried to see if I could use the basic without installing it and it wouldn't work. I would assume because there are no registry entries. Unpacking and repacking 1 version is too hard for me to do right now because I'm just getting started.

I would gladly upload it to an FTP if I knew of a place to put it. Also sending it to someone through an IM would work too. If you go to the website and request a copy it will take about a week to get it. Maybe 2.

I also would like to know how to pause an application while it's in a process and running. I have never heard of that and didn't know it was possible to do it.

I tried all those function names in softice and it says that it is an undefined symbol for every one. I am going to do some more searching at the microsoft website and see if I can get a list of all the functions for user32.dll. Maybe I can find a few more to try to break on.

I really wish I could use ollydbg to run the program all the way to the nag window! Maybe I am doing something wrong with olly that is causing the error message. I will monkey with that some more too and see what I can do.
#15
02-13-2004, 10:14
siddhartha
Give Api Guide a try - all api functions with full explanation and examples:
h**p://www.student.kuleuven.ac.be/~m0116986/3.7/agsetup.exe
or
h**p://users.chello.be/cr27630/3.7/agsetup.exe