ph0six Posted April 8, 2010 Posted April 8, 2010 Hello all,So I've been bashing my head against a wall for a few hours on this issue and I'm not entirely sure what the problem is.When I step debug the application, it's breaking on this: CALL lstrcpyAThe Error seems to be changing each time, first time it was array out of bounds, second time it was erroring with "Privileged instruction" I'm just not entirely sure what the issue is. Anyhow, here's the source.Can anyone possibly lend a helping hand here?Thanks !#include <windows.h>#include <iostream>#include <string>using namespace std;void MyFunction(long int one);char alpha[] = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";char one[] = "STD";char two[] = "ENR";int m;int main(){ cout << endl << "BPA Keygen by ph0six" << endl << endl; __asm { PUSH EBP MOV EBP,ESP ADD ESP,-0x0B0 // PUSH EBX PUSH ESI PUSH EDI MOV EAX,DWORD PTR SS:[EBP+0xC] MOV ECX, offset one MOV EBX, offset two PUSH ECX LEA EAX,DWORD PTR SS:[EBP-0x10] PUSH EAX CALL lstrcpyA PUSH EBX LEA EAX,DWORD PTR SS:[EBP-0x20] PUSH EAX CALL lstrcpyA LEA EDI,DWORD PTR SS:[EBP-0xA0] XOR EBX,EBX JMP L015 L011: PUSH 0x04077FD CALL dip**** dip****: PUSH EBP MOV EBP,ESP ADD ESP,-0x4 PUSHAD MOV ESI,DWORD PTR SS:[EBP+0x8] XOR ECX,ECX JMP L008 L007: INC ECX L008: CMP BYTE PTR DS:[ECX+ESI],0x0 JNZ L007 CALL asshead // asshead: RDTSC SHR EAX,0x2 ADD EAX,0x1 MOV DWORD PTR DS:[0x407B00],EAX RETN // PUSH EAX CALL dickwad // dickwad: PUSH EBP MOV EBP,ESP PUSH ECX PUSH EDX MOV EAX,DWORD PTR DS:[0x407B00] MOV EDX,0x0 MOV ECX,0x1F31D DIV ECX XOR EAX,EDX XOR EDX,EAX XOR EAX,EDX PUSH EDX MOV ECX,0x41A7 MUL ECX POP EDX XOR EAX,EDX XOR EDX,EAX XOR EAX,EDX PUSH EDX MOV ECX,0xB14 MUL ECX POP EDX SUB EDX,EAX MOV EAX,EDX MOV DWORD PTR DS:[0x407B00],EAX MOV ECX,DWORD PTR SS:[EBP+0x8] MOV EDX,0x0 DIV ECX MOV EAX,EDX POP EDX POP ECX LEAVE RETN 0x4 // MOVZX EAX,AX CDQ IDIV ECX MOV AL,BYTE PTR DS:[EDX+ESI] MOV BYTE PTR SS:[EBP-0x1],AL POPAD MOVZX EAX,BYTE PTR SS:[EBP-0x1] LEAVE RETN 0x4 MOV BYTE PTR DS:[EBX+EDI],AL INC EBX L015: CMP EBX,0x19 JNZ L011 MOV BYTE PTR DS:[EBX+EDI],0x0 LEA EAX,DWORD PTR SS:[EBP-0x10] PUSH EAX CALL dip**** MOV BYTE PTR DS:[EDI+0xD],AL LEA EAX,DWORD PTR SS:[EBP-0x20] PUSH EAX CALL dip**** MOV BYTE PTR DS:[EDI+0x2],AL LEA EAX,DWORD PTR SS:[EBP-0x20] PUSH EAX CALL dip**** MOV BYTE PTR DS:[EDI+0xF],AL CMP DWORD PTR SS:[EBP+0xC],0x9 JNZ L016 MOV BYTE PTR DS:[EDI+0x12],0x37 L016: PUSH 0x7 XOR ECX,ECX MOV EDX,EDI LEA EAX,DWORD PTR SS:[EBP-0xB0] CALL gayass // gayass: PUSH EBP MOV EBP,ESP ADD ESP,-0x3C MOV DWORD PTR SS:[EBP-0x30],ECX MOV DWORD PTR SS:[EBP-0x4],EDX MOV DWORD PTR SS:[EBP-0x2C],EAX MOV DWORD PTR SS:[EBP-0xC],0x1 INC DWORD PTR SS:[EBP-0xC] MOV WORD PTR SS:[EBP-0x18],0x8 XOR EDX,EDX MOV DWORD PTR SS:[EBP-0x34],EDX MOV BYTE PTR SS:[EBP-0x35],0x0 MOV ECX,DWORD PTR SS:[EBP-0x30] MOV DWORD PTR SS:[EBP-0x3C],ECX MOV EAX,DWORD PTR SS:[EBP-0x3C] CMP EAX,DWORD PTR SS:[EBP+0x8] JGE L088 L017: MOV EAX,DWORD PTR SS:[EBP-0x4] MOV EDX,DWORD PTR SS:[EBP-0x3C] MOV DL,BYTE PTR DS:[EDX+EAX] MOV EAX,DWORD PTR SS:[EBP-0x2C] CALL eatmyass //0x0401AA3 eatmyass: // PUSH EBP MOV EBP,ESP ADD ESP,-0x8 MOV BYTE PTR SS:[EBP-0x5],DL MOV DWORD PTR SS:[EBP-0x4],EAX MOVSX EAX,BYTE PTR SS:[EBP-0x5] CMP EAX,0x30 JL L014 MOVSX EDX,BYTE PTR SS:[EBP-0x5] CMP EDX,0x39 JG L014 MOVSX EAX,BYTE PTR SS:[EBP-0x5] ADD EAX,-0x29 JMP L021 L014: MOVSX EDX,BYTE PTR SS:[EBP-0x5] CMP EDX,0x48 JNZ L019 XOR EAX,EAX JMP L021 L019: MOVSX EAX,BYTE PTR SS:[EBP-0x5] ADD EAX,-0x30 L021: POP ECX POP ECX POP EBP RETN // ADD DWORD PTR SS:[EBP-0x34],EAX PUSH 0x40000000 PUSH 0x0 FILD DWORD PTR SS:[EBP-0x34] ADD ESP,-0x8 FSTP QWORD PTR SS:[ESP] CALL dickandballs //0x0401B56 dickandballs: // PUSH EBP MOV EBP,ESP LEA ESP,DWORD PTR SS:[EBP-0x4] FLD QWORD PTR SS:[EBP+0x10] MOV AX,WORD PTR SS:[EBP+0x16] SHL AX,0x1 JE 0x0401B9D CMP AX,0xFFE0 JNB 0x0401B94 FLD QWORD PTR SS:[EBP+0x8] MOV AX,WORD PTR SS:[EBP+0xE] SHL AX,0x1 JE 0x0401B9B CMP AX,0xFFE0 JNB 0x0401B9B L0155: FPREM WAIT FSTSW WORD PTR SS:[EBP-0x4] WAIT MOV AX,WORD PTR SS:[EBP-0x4] SAHF JPE L0155 FSTP ST(1) MOV ESP,EBP POP EBP RETN // ADD ESP,0x10 FCOMP DWORD PTR DS:[0x407B04] FSTSW AX SAHF JNZ L037 IMUL EDX,DWORD PTR SS:[EBP-0x3C] ADD DWORD PTR SS:[EBP-0x34],EDX JMP L084 L037: PUSH 0x40080000 PUSH 0x0 FILD DWORD PTR SS:[EBP-0x34] ADD ESP,-0x8 FSTP QWORD PTR SS:[ESP] CALL dickandballs ADD ESP,0x10 FCOMP DWORD PTR DS:[0x407B04] FSTSW AX SAHF JNZ L051 IMUL EDX,DWORD PTR SS:[EBP-0x3C] ADD DWORD PTR SS:[EBP-0x34],EDX JMP L084 L051: PUSH 0x40100000 PUSH 0x0 FILD DWORD PTR SS:[EBP-0x34] ADD ESP,-0x8 FSTP QWORD PTR SS:[ESP] CALL dickandballs ADD ESP,0x10 FCOMP DWORD PTR DS:[0x407B04] FSTSW AX SAHF JNZ L068 MOV EDX,DWORD PTR SS:[EBP-0x3C] MOV ECX,EDX SHL EDX,0x4 SUB EDX,ECX ADD DWORD PTR SS:[EBP-0x34],EDX JMP L084 L068: PUSH 0x40140000 PUSH 0x0 FILD DWORD PTR SS:[EBP-0x34] ADD ESP,-0x8 FSTP QWORD PTR SS:[ESP] CALL dickandballs ADD ESP,0x10 FCOMP DWORD PTR DS:[0x407B04] FSTSW AX SAHF JNZ L084 MOV EDX,DWORD PTR SS:[EBP-0x3C] MOV ECX,EDX SHL EDX,0x4 ADD EDX,ECX ADD DWORD PTR SS:[EBP-0x34],EDX L084: INC DWORD PTR SS:[EBP-0x3C] MOV EAX,DWORD PTR SS:[EBP-0x3C] CMP EAX,DWORD PTR SS:[EBP+0x8] JL L017 L088: ADD DWORD PTR SS:[EBP-0x34],0x7 MOV EDX,DWORD PTR SS:[EBP-0x34] MOV EAX,DWORD PTR SS:[EBP-0x2C] CALL omgdicks omgdicks: MOV BYTE PTR SS:[EBP-0x35],AL JMP L099 L094: SUB DWORD PTR SS:[EBP-0x34],0x23 MOV EDX,DWORD PTR SS:[EBP-0x34] MOV EAX,DWORD PTR SS:[EBP-0x2C] CALL omgdicks MOV BYTE PTR SS:[EBP-0x35],AL L099: CMP BYTE PTR SS:[EBP-0x35],0x0 JE L094 XOR EAX,EAX MOV AL,BYTE PTR SS:[EBP-0x35] MOV ESP,EBP POP EBP RETN 0x4 // MOV BYTE PTR DS:[EDI+0x8],AL PUSH 0xF XOR ECX,ECX MOV EDX,EDI LEA EAX,DWORD PTR SS:[EBP-0xB0] CALL gayass MOV BYTE PTR DS:[EDI+0x10],AL PUSH 0x17 XOR ECX,ECX MOV EDX,EDI LEA EAX,DWORD PTR SS:[EBP-0xB0] CALL gayass MOV BYTE PTR DS:[EDI+0x18],AL MOV ESI,DWORD PTR SS:[EBP+0x8] MOV DWORD PTR DS:[ESI],0x37415042 MOV BYTE PTR DS:[ESI+0x4],0x2D MOV BYTE PTR DS:[ESI+0xA],0x2D MOV BYTE PTR DS:[ESI+0x10],0x2D MOV BYTE PTR DS:[ESI+0x16],0x2D MOV BYTE PTR DS:[ESI+0x1C],0x2D ADD ESI,0x5 XOR ECX,ECX JMP L053 L044: MOV AL,BYTE PTR DS:[EDI] MOV BYTE PTR DS:[ESI],AL INC EDI INC ESI INC ECX CMP ECX,0x5 JNZ L053 INC ESI XOR ECX,ECX L053: CMP BYTE PTR DS:[EDI],0x0 JNZ L044 MOV EAX,DWORD PTR SS:[EBP+0x8] POP EDI POP ESI POP EBX CALL MyFunction }}void MyFunction(long int one) { printf("Serial: %x", one); Sleep(50000); exit(1);}
GioTiN Posted April 8, 2010 Posted April 8, 2010 (edited) _asm { PUSH EBP MOV EBP,ESP ADD ESP,-0x0B0 // PUSH EBX PUSH ESI PUSH EDI MOV EAX,DWORD PTR SS:[EBP+0xC] MOV ECX, offset one MOV EBX, offset two PUSH ECX LEA EAX,DWORD PTR SS:[EBP-0x10] } lstrcpy(buf1,EAX VALUE); _asm{ LEA EDI,DWORD PTR SS:[EBP-0xA0] XOR EBX,EBX JMP L015 } }its simple . you can make it better.bye Edited April 8, 2010 by GioTiN
ghandi Posted April 8, 2010 Posted April 8, 2010 After looking at the code, have you combined a few different routines into one? You have calls which return to the location they are calling, etc.Instead of using the names which you have, you could try to give meaningful ones so functions can be defined and understood.Your particular example is crashing because when it hits lstrcpyA it isnt calling the import thunk, change it to:CALL DWORD PTR [lstrcpy]Also, you might want to look at: http://msdn.microsoft.com/en-us/library/h5w10wxs(VS.80).aspxYou can place the asm code within a naked declaration as its own routine:__declspec (naked) UINT SomeFunction(){ _asm { MOV EAX, 000000FFh; RET; }}Now you can simply call this routine:UINT SomeValue;SomeValue = SomeFunction();HR,Ghandi
quosego Posted April 8, 2010 Posted April 8, 2010 Indeed if you ret some calls, they return to the function they just executed. Nice and recursive and all but it'll access violate like hell. (second return address) LEA EAX,DWORD PTR SS:[EBP-0x10] PUSH EAXwhat is in EBP-0x10, it's some stack address which holds some function parameter prolly. But I don't see anything pushed into this function.Looks like you took the key generation code from an app but neglected to build a proper framework around it. Some ASM fundamentals will help you a lot. regards,q.
ph0six Posted April 10, 2010 Author Posted April 10, 2010 Thanks a lot for the replies guys, I really appreciate the assistance, After thoroughly going through the asm block, I found several problem in addition to the things you guys pointed out for me.I'm often finding myself rushing to get these examples completed so I can force learning ASM into my brain, problem is I find myself being impatient because I'm eager to learn and get up to speed with the rest of the elder reversers here. I honestly don't know where I'd be without these forums.Thanks again all.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now