Jump to content
Tuts 4 You

[Delphi] How get Register's Data


h4sh3m

Recommended Posts

Posted

hi

How i can get Register's data (like EDX) in Delphi.

Please Help.

with best Regards

h4sh3m

Posted

By using embedded asm instructions...

Best regards

Nacho_dj

Posted

By using embedded asm instructions...

Best regards

Nacho_dj

please put a sample.

tnx

Posted

Of course. Have a look at this site...

Learning assembler with Delphi

http://delphi.about.com/library/bluc/text/uc052501a.htm

Best regards

Nacho_dj

Posted (edited)

Of course. Have a look at this site...Learning assembler with Delphi

http://delphi.about.com/library/bluc/text/uc052501a.htm'>>http://delphi.about.com/library/bluc/text/uc052501a.htm
Best regardsNacho_dj
hi
I have not free time to study assembler please if you have it's code share it.tnx Edited by h4sh3m
Posted

It's working from here. If there is any problem about accessing it due to geographical limitations, you can use proxy.org to reach that URL.

Best regards

Nacho_dj

Posted (edited)

Try this:

procedure TForm1.Button1Click(Sender: TObject);
var
value: DWORD; // 4 BYTE aka Double World
begin
asm
mov value, edx// copy the value @ edx to Tmp
end // place here ; if you get error at this line
ShowMessageFmt( '%x', [IntToHex(value)] ); // output result as Hex (Address or a temp value)
end;
Edited by rotem156
Posted (edited)

function Sniff_by_IMPosTOR(PI: Process_Information; Ctx: _Context): string;
var X : Cardinal;
Buff : PChar;
begin
GetMem(Buff,50);
SuspendThread(PI.hThread);
GetThreadContext(PI.hThread,Ctx);
ReadProcessMemory(PI.hProcess,Pointer(Ctx.Eax),Buff,50,X);
//Ctx.Eax , Ctx.Edi , ...
Result:=Trim(Buff);
FreeMem(Buff);
end;

OK?

Edited by IMPosTOR
Posted (edited)

@ IMPosTOR - would be good code, but what if you were using it within your own program (ie: code would be executed in your own process)...

if that is the case then rotem156's example is best for that, and your example is best for a loader approach....

(original poster didn't state which case applied)

Edited by evlncrn8
Posted

your example is best for a loader approach....

@evlncrn8 : Serial Sniffer

i know what h4sh3m want to know.

rotem156's ex show somting diffrent. (like using asm in delphi)

  • 6 months later...
Posted

@evlncrn8 : Serial Sniffer

i know what h4sh3m want to know.

rotem156's ex show somting diffrent. (like using asm in delphi)

thank you dear Mehdi, i'm found a delphi component for it.

tnx dears

Posted (edited)

ARTeam had a ezine with a delphi example serial sniffer... Actually IMPosTOR already posted part of it...

Edited by Departure
Posted

function Sniff_by_IMPosTOR(PI: Process_Information; Ctx: _Context): string;
var X : Cardinal;
Buff : PChar;
begin
GetMem(Buff,50);
SuspendThread(PI.hThread);
GetThreadContext(PI.hThread,Ctx);
ReadProcessMemory(PI.hProcess,Pointer(Ctx.Eax),Buff,50,X);
//Ctx.Eax , Ctx.Edi , ...
Result:=Trim(Buff);
FreeMem(Buff);
end;

OK?

if we want to sniff serial from certain addr we should set bp on it,i'm true?

in this code how we can do it?

for example my target store real serial in register eax in addr $00452112.

tnx

Posted

From ARTeam e-zine #2 by anorganix


unit main;interfaceuses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, Clipbrd;type
TfrmMain = class(TForm)
gbLog: TGroupBox;
lblLog: TLabel;
btnClose: TButton;
btnSniff: TButton;
lblAuthor: TLabel;
procedure btnSniffClick(Sender: TObject);
procedure btnCloseClick(Sender: TObject);
procedure FormCreate(Sender: TObject);
private
WantToClose: boolean;
public
// public
end;var
frmMain: TfrmMain;const
LOOP: array [0..1] of Byte = ($EB,$FE);implementation{$R *.dfm}function SniffSerial(PI: PROCESS_INFORMATION; Ctx: _Context): string;
var
X: Cardinal;
Buff: PChar;
begin
GetMem(Buff,50); SuspendThread(PI.hThread);
GetThreadContext(PI.hThread,Ctx);
ReadProcessMemory(PI.hProcess,Pointer(Ctx.Eax),Buff,50,X); Result:=Trim(Buff);
FreeMem(Buff);
end;procedure TfrmMain.btnSniffClick(Sender: TObject);
var
PI: PROCESS_INFORMATION;
SI: STARTUPINFO;
Context: _CONTEXT;
Buffer: PChar;
ORIG: array [0..1] of Byte;
S: string;
W: DWORD;
begin
// disable button (avoid starting target multiple times)
btnSniff.Enabled:=False; GetMem(Buffer,255);
FillChar(PI,SizeOf(TProcessInformation),#0);
FillChar(SI,SizeOf(TStartupInfo),#0);
SI.cb:=SizeOf(SI); if not CreateProcess('CrackMe.exe',nil,nil,nil,False,
CREATE_SUSPENDED,nil,nil,SI,PI) then
begin
// enable button
btnSniff.Enabled:=True; // set log and exit
lblLog.Caption:='Failed to load process!';
Exit;
end; // read original bytes
ReadProcessMemory(PI.hProcess,Pointer($004503EF),@ORIG,2,W); // set inifnite loop
WriteProcessMemory(PI.hProcess,Pointer($004503EF),@LOOP,2,W); // resume the program
ResumeThread(PI.hThread);
Context.ContextFlags:=$00010000+15+$10; // set new log
lblLog.Caption:='Process patched!'+#13+
'Now enter a name and press the "Check" button...'; while GetThreadContext(PI.hThread,Context) do
begin
// did we arrived at the infinite-loop?
if Context.Eip=$004503EF then
begin
// sniff the serial and put it into "S"
S:=SniffSerial(PI,Context); // restore original bytes and resume the target
WriteProcessMemory(PI.hProcess,Pointer($004503EF),@ORIG,2,W);
ResumeThread(PI.hThread); // copy the serial into the clipboard
Clipboard.AsText:=S;
lblLog.Caption:='Your serial has been copied to clipboard!';
end; // wait a little
Sleep(10);
Application.ProcessMessages; // close the CrackMe before closing the Snifer
if WantToClose then
begin
TerminateThread(PI.hThread,0);
Close;
end;
end; // free memory
FreeMem(Buffer); // enable button
btnSniff.Enabled:=True;
end;procedure TfrmMain.btnCloseClick(Sender: TObject);
begin
WantToClose:=true;
Close;
end;procedure TfrmMain.FormCreate(Sender: TObject);
begin
WantToClose:=false;
end;end.
Posted

tnx dear Departure

your code work correctly.

thank you

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...