Some code to identify....
From: WhiteRavenEye (whiteraveneye_at_hotmail.com)
Date: 01/23/04
- Previous message: Michael Brown: "Re: CLI doubt"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Fri, 23 Jan 2004 00:26:54 +0000 (UTC)
Here is part of code from disassambled file...
I'll try to comment out as much as I can of this code...
This code below assambles two strings into one...
Actually one const and one variable, that var is inputed from user...
When assembled, it gives URL of file to be retrieved...
Content of file (.txt) is lpText of MsgBox...
If URL exists it shows messagebox with text within that file, otherwise
it shows me MsgBox "Nope"...
I need someone to show me part of code where it checks if URL exists...
It's not any kind of pay program...
It's just cracking game...
So here's code...
-------------------------------------------------------------------------------------
* Possible StringData Ref from Code Obj ->"http://some.website/"
*^^^^Here is const^^^^*
*It pushes it in stack...*
|
:004024B4 68E01F4000 push 00401FE0
:004024B9 50 push eax
:004024BA FFD7 call edi
:004024BC 8BD0 mov edx, eax
:004024BE 8D4DB4 lea ecx, dword ptr [ebp-4C]
* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:004024C1 FF15B8104000 Call dword ptr [004010B8]
:004024C7 50 push eax
* Possible StringData Ref from Code Obj ->".txt"
*^^^^Here is extension of file it need to be retrieved ^^^^*
*And in code below it is assambled into one string along with what user
inputed....*
|
:004024C8 6838204000 push 00402038
:004024CD FFD7 call edi
:004024CF 83EC10 sub esp, 00000010
:004024D2 B908000000 mov ecx, 00000008
:004024D7 8BD4 mov edx, esp
:004024D9 894D9C mov dword ptr [ebp-64], ecx
:004024DC 8945A4 mov dword ptr [ebp-5C], eax
:004024DF 6A01 push 00000001
:004024E1 890A mov dword ptr [edx], ecx
:004024E3 8B4DA0 mov ecx, dword ptr [ebp-60]
:004024E6 6A16 push 00000016
:004024E8 56 push esi
:004024E9 894A04 mov dword ptr [edx+04], ecx
:004024EC 8B0E mov ecx, dword ptr [esi]
:004024EE 894208 mov dword ptr [edx+08], eax
:004024F1 8B45A8 mov eax, dword ptr [ebp-58]
:004024F4 89420C mov dword ptr [edx+0C], eax
:004024F7 FF9108030000 call dword ptr [ecx+00000308]
:004024FD 8D55AC lea edx, dword ptr [ebp-54]
:00402500 50 push eax
:00402501 52 push edx
:00402502 FFD3 call ebx
:00402504 50 push eax
:00402505 8D458C lea eax, dword ptr [ebp-74]
:00402508 50 push eax
* Reference To: MSVBVM60.__vbaLateIdCallLd, Ord:0000h
|
:00402509 FF1568104000 Call dword ptr [00401068]
*^^^Here it tries to connect to internet and retrieve assambled URL^^^*
*And somewhere in the code below it checks if URL exists...*
*If not it jumps to MsgBox that saids "Nope" or such...*
* Reference To: MSVBVM60.__vbaVarMove, Ord:0000h
|
:0040250F 8B3D08104000 mov edi, dword ptr [00401008]
:00402515 83C420 add esp, 00000020
:00402518 8BD0 mov edx, eax
:0040251A 8D4DDC lea ecx, dword ptr [ebp-24]
:0040251D FFD7 call edi
:0040251F 8D4DB4 lea ecx, dword ptr [ebp-4C]
:00402522 8D55B8 lea edx, dword ptr [ebp-48]
:00402525 51 push ecx
:00402526 52 push edx
:00402527 6A02 push 00000002
* Reference To: MSVBVM60.__vbaFreeStrList, Ord:0000h
|
:00402529 FF15A0104000 Call dword ptr [004010A0]
:0040252F 8D45AC lea eax, dword ptr [ebp-54]
:00402532 8D4DB0 lea ecx, dword ptr [ebp-50]
:00402535 50 push eax
:00402536 51 push ecx
:00402537 6A02 push 00000002
* Reference To: MSVBVM60.__vbaFreeObjList, Ord:0000h
|
:00402539 FF151C104000 Call dword ptr [0040101C]
:0040253F 83C418 add esp, 00000018
:00402542 8D4D9C lea ecx, dword ptr [ebp-64]
* Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h
|
:00402545 FF150C104000 Call dword ptr [0040100C]
:0040254B 8D55DC lea edx, dword ptr [ebp-24]
:0040254E 8D459C lea eax, dword ptr [ebp-64]
:00402551 52 push edx
:00402552 50 push eax
:00402553 C78564FFFFFF05000000 mov dword ptr [ebp+FFFFFF64], 00000005
:0040255D C7855CFFFFFF02800000 mov dword ptr [ebp+FFFFFF5C], 00008002
* Reference To: MSVBVM60.__vbaLenVar, Ord:0000h
|
:00402567 FF152C104000 Call dword ptr [0040102C]
:0040256D 8D8D5CFFFFFF lea ecx, dword ptr [ebp+FFFFFF5C]
:00402573 50 push eax
:00402574 51 push ecx
* Reference To: MSVBVM60.__vbaVarTstEq, Ord:0000h
|
:00402575 FF155C104000 Call dword ptr [0040105C]
:0040257B 6685C0 test ax, ax
:0040257E 0F84DF000000 je 00402663
:00402584 6A00 push 00000000
:00402586 6AFF push FFFFFFFF
:00402588 6A01 push 00000001
:0040258A 6850204000 push 00402050
:0040258F 8D55DC lea edx, dword ptr [ebp-24]
:00402592 6848204000 push 00402048
:00402597 8D45B8 lea eax, dword ptr [ebp-48]
:0040259A 52 push edx
:0040259B 50 push eax
* Reference To: MSVBVM60.__vbaStrVarVal, Ord:0000h
|
:0040259C FF158C104000 Call dword ptr [0040108C]
:004025A2 50 push eax
* Reference To: MSVBVM60.rtcReplace, Ord:02C8h
|
:004025A3 FF157C104000 Call dword ptr [0040107C]
:004025A9 8D559C lea edx, dword ptr [ebp-64]
:004025AC 8D4DDC lea ecx, dword ptr [ebp-24]
:004025AF 8945A4 mov dword ptr [ebp-5C], eax
:004025B2 C7459C08000000 mov [ebp-64], 00000008
:004025B9 FFD7 call edi
:004025BB 8D4DB8 lea ecx, dword ptr [ebp-48]
* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:004025BE FF15D0104000 Call dword ptr [004010D0]
:004025C4 8D4DDC lea ecx, dword ptr [ebp-24]
:004025C7 51 push ecx
* Reference To: MSVBVM60.rtcIsNumeric, Ord:0231h
|
:004025C8 FF1560104000 Call dword ptr [00401060]
:004025CE 6685C0 test ax, ax
:004025D1 0F848C000000 je 00402663
:004025D7 8D55DC lea edx, dword ptr [ebp-24]
:004025DA B904000280 mov ecx, 80020004
:004025DF B80A000000 mov eax, 0000000A
:004025E4 52 push edx
:004025E5 894D84 mov dword ptr [ebp-7C], ecx
:004025E8 89857CFFFFFF mov dword ptr [ebp+FFFFFF7C], eax
:004025EE 894D94 mov dword ptr [ebp-6C], ecx
:004025F1 89458C mov dword ptr [ebp-74], eax
:004025F4 894DA4 mov dword ptr [ebp-5C], ecx
:004025F7 89459C mov dword ptr [ebp-64], eax
* Reference To: MSVBVM60.__vbaI2ErrVar, Ord:0000h
|
:004025FA FF15BC104000 Call dword ptr [004010BC]
:00402600 0FBFF8 movsx edi, ax
:00402603 83FF06 cmp edi, 00000006
:00402606 7206 jb 0040260E
* Reference To: MSVBVM60.__vbaGenerateBoundsError, Ord:0000h
|
:00402608 FF1554104000 Call dword ptr [00401054]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402606(C)
|
:0040260E 8B45D0 mov eax, dword ptr [ebp-30]
:00402611 8D957CFFFFFF lea edx, dword ptr [ebp+FFFFFF7C]
:00402617 52 push edx
:00402618 8D955CFFFFFF lea edx, dword ptr [ebp+FFFFFF5C]
:0040261E 8D0CB8 lea ecx, dword ptr [eax+4*edi]
:00402621 8D458C lea eax, dword ptr [ebp-74]
:00402624 898D64FFFFFF mov dword ptr [ebp+FFFFFF64], ecx
:0040262A 8D4D9C lea ecx, dword ptr [ebp-64]
:0040262D 50 push eax
:0040262E 51 push ecx
:0040262F 6A00 push 00000000
:00402631 52 push edx
:00402632 C7855CFFFFFF08400000 mov dword ptr [ebp+FFFFFF5C], 00004008
* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
*^^^^And this is MessagbeBox if URL exists^^^^*
|
:0040263C FF153C104000 Call dword ptr [0040103C]
:00402642 8D857CFFFFFF lea eax, dword ptr [ebp+FFFFFF7C]
:00402648 8D4D8C lea ecx, dword ptr [ebp-74]
:0040264B 50 push eax
:0040264C 8D559C lea edx, dword ptr [ebp-64]
:0040264F 51 push ecx
:00402650 52 push edx
:00402651 6A03 push 00000003
* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:00402653 FF1514104000 Call dword ptr [00401014]
:00402659 83C410 add esp, 00000010
:0040265C C745BC01000000 mov [ebp-44], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040257E(C), :004025D1(C)
|
:00402663 66837DBC00 cmp word ptr [ebp-44], 0000
:00402668 0F851F010000 jne 0040278D
:0040266E 8B06 mov eax, dword ptr [esi]
:00402670 56 push esi
:00402671 FF90FC020000 call dword ptr [eax+000002FC]
:00402677 8D4DB0 lea ecx, dword ptr [ebp-50]
:0040267A 50 push eax
:0040267B 51 push ecx
:0040267C FFD3 call ebx
:0040267E 8BF8 mov edi, eax
:00402680 6850204000 push 00402050
:00402685 57 push edi
:00402686 8B17 mov edx, dword ptr [edi]
:00402688 FF92A4000000 call dword ptr [edx+000000A4]
:0040268E 85C0 test eax, eax
:00402690 DBE2 fclex
:00402692 7D12 jge 004026A6
:00402694 68A4000000 push 000000A4
:00402699 68CC1F4000 push 00401FCC
:0040269E 57 push edi
:0040269F 50 push eax
* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:004026A0 FF1528104000 Call dword ptr [00401028]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402692(C)
|
:004026A6 8D4DB0 lea ecx, dword ptr [ebp-50]
* Reference To: MSVBVM60.__vbaFreeObj, Ord:0000h
|
:004026A9 FF15CC104000 Call dword ptr [004010CC]
:004026AF 8B06 mov eax, dword ptr [esi]
:004026B1 56 push esi
:004026B2 FF90FC020000 call dword ptr [eax+000002FC]
:004026B8 8D4DB0 lea ecx, dword ptr [ebp-50]
:004026BB 50 push eax
:004026BC 51 push ecx
:004026BD FFD3 call ebx
:004026BF 8BF8 mov edi, eax
:004026C1 57 push edi
:004026C2 8B17 mov edx, dword ptr [edi]
:004026C4 FF9204020000 call dword ptr [edx+00000204]
:004026CA 85C0 test eax, eax
:004026CC DBE2 fclex
:004026CE 7D12 jge 004026E2
:004026D0 6804020000 push 00000204
:004026D5 68CC1F4000 push 00401FCC
:004026DA 57 push edi
:004026DB 50 push eax
* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:004026DC FF1528104000 Call dword ptr [00401028]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004026CE(C)
|
:004026E2 8D4DB0 lea ecx, dword ptr [ebp-50]
* Reference To: MSVBVM60.__vbaFreeObj, Ord:0000h
|
:004026E5 FF15CC104000 Call dword ptr [004010CC]
* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
|
:004026EB 8B3DB0104000 mov edi, dword ptr [004010B0]
:004026F1 B904000280 mov ecx, 80020004
:004026F6 898D74FFFFFF mov dword ptr [ebp+FFFFFF74], ecx
:004026FC B80A000000 mov eax, 0000000A
:00402701 894D84 mov dword ptr [ebp-7C], ecx
:00402704 8D954CFFFFFF lea edx, dword ptr [ebp+FFFFFF4C]
:0040270A 8D4D8C lea ecx, dword ptr [ebp-74]
:0040270D 89856CFFFFFF mov dword ptr [ebp+FFFFFF6C], eax
:00402713 89857CFFFFFF mov dword ptr [ebp+FFFFFF7C], eax
* Possible StringData Ref from Code Obj ->"..."
|
:00402719 C78554FFFFFF68204000 mov dword ptr [ebp+FFFFFF54], 00402068
:00402723 C7854CFFFFFF08000000 mov dword ptr [ebp+FFFFFF4C], 00000008
:0040272D FFD7 call edi
:0040272F 8D955CFFFFFF lea edx, dword ptr [ebp+FFFFFF5C]
:00402735 8D4D9C lea ecx, dword ptr [ebp-64]
* Possible StringData Ref from Code Obj ->"Nope"
|
:00402738 C78564FFFFFF58204000 mov dword ptr [ebp+FFFFFF64], 00402058
:00402742 C7855CFFFFFF08000000 mov dword ptr [ebp+FFFFFF5C], 00000008
:0040274C FFD7 call edi
:0040274E 8D856CFFFFFF lea eax, dword ptr [ebp+FFFFFF6C]
:00402754 8D8D7CFFFFFF lea ecx, dword ptr [ebp+FFFFFF7C]
:0040275A 50 push eax
:0040275B 8D558C lea edx, dword ptr [ebp-74]
:0040275E 51 push ecx
:0040275F 52 push edx
:00402760 8D459C lea eax, dword ptr [ebp-64]
:00402763 6A10 push 00000010
:00402765 50 push eax
* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
*^^^^And here is msgbox I don't want to see^^^^*
|
:00402766 FF153C104000 Call dword ptr [0040103C]
:0040276C 8D8D6CFFFFFF lea ecx, dword ptr [ebp+FFFFFF6C]
:00402772 8D957CFFFFFF lea edx, dword ptr [ebp+FFFFFF7C]
:00402778 51 push ecx
:00402779 8D458C lea eax, dword ptr [ebp-74]
:0040277C 52 push edx
:0040277D 8D4D9C lea ecx, dword ptr [ebp-64]
:00402780 50 push eax
:00402781 51 push ecx
:00402782 6A04 push 00000004
-------------------------------------------------------------------------------------
and BTW, how would look code for MsgBox if I wanted to make my own
somewhere at the end of file? I see here just push of registers. How
could I push some data from string reference to lpText and lpCaption, if
I know it's address?
Thanks...
By WhiteRavenEye <aka ColdRaven>
- Previous message: Michael Brown: "Re: CLI doubt"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
