phantomas90 Posted February 14, 2011 (edited)

Assembler: The Basics In Reversing

Indeed: the basics!! This is all far from complete, but covers about everything you need to know about assembler to start on your reversing journey!

Assembler is the start and the end of all programming languages. After all, all (computer LOL) languages are translated to assembler. In most languages we deal with relatively clear syntaxes. However, it's a completely other story in assembler, where we use abbreviations and numbers and where it all seems so weird...

I. Pieces, bits and bytes:

• BIT - The smallest possible piece of data. It can be either a 0 or a 1. If you put a bunch of bits together, you end up in the 'binary number system', i.e.
    00000001 = 1
    00000010 = 2
    00000011 = 3
    etc.
• BYTE - A byte consists of 8 bits. It can have a maximal value of 255 (0-255). To make it easier to read binary numbers, we use the 'hexadecimal number system'. It's a 'base-16 system', while binary is a 'base-2 system'.
• WORD - A word is just 2 bytes put together, or 16 bits. A word can have a maximal value of 0FFFFh (or 65535d).
• DOUBLE WORD - A double word is 2 words together, or 32 bits. Max value = 0FFFFFFFF (or 4294967295d).
• KILOBYTE - 1000 bytes? No, a kilobyte does NOT equal 1000 bytes! Actually, there are 1024 (32*32) bytes.
• MEGABYTE - Again, not just 1 million bytes, but 1024*1024 or 1,048,578 bytes.

---------------------------------------------------------------------------------------------

II. Registers:

Registers are "special places" in your computer's memory where we can store data. You can see a register as a little box, wherein we can store something: a name, a number, a sentence. You can see a register as a placeholder.

On today's average WinTel CPU you have 9 32bit registers (w/o flag registers). Their names are:
    EAX: Extended Accumulator Register
    EBX: Extended Base Register
    ECX: Extended Counter Register
    EDX: Extended Data Register
    ESI: Extended Source Index
    EDI: Extended Destination Index
    EBP: Extended Base Pointer
    ESP: Extended Stack Pointer
    EIP: Extended Instruction Pointer

Generally the size of the registers is 32bit (=4 bytes). They can hold data from 0-FFFFFFFF (unsigned). In the beginning most registers had certain main functions which the names imply, like ECX = Counter, but these days you can - nearly - use whichever register you like for a counter or stuff (only the self-defined ones; there are counter functions which need to be used with ECX). The functions of EAX, EBX, ECX, EDX, ESI and EDI will be explained when I explain certain functions that use those registers. So, there are EBP, ESP, EIP left:
    EBP: EBP has mostly to do with the stack and stack frames. Nothing you really need to worry about when you start.
    ESP: ESP points to the stack of the current process. The stack is the place where data can be stored for later use (for more information, see the explanation of the push/pop instructions).
    EIP: EIP always points to the next instruction that is to be executed.

There's one more thing you have to know about registers: although they are all 32bits large, some parts of them (16bit or even 8bit) can not be addressed directly. The possibilities are:

    32bit Register   16bit Register   8bit Register
    EAX              AX               AH/AL
    EBX              BX               BH/BL
    ECX              CX               CH/CL
    EDX              DX               DH/DL
    ESI              SI               -----
    EDI              DI               -----
    EBP              BP               -----
    ESP              SP               -----
    EIP              IP               -----

So, EAX is the name of the 32bit register, AX is the name of the "Low Word" (16bit) of EAX and AL/AH (8bit) are the "names" of the "Low Part" and "High Part" of AX. BTW, 4 bytes is 1 DWORD, 2 bytes is 1 WORD.

REMARK: make sure you at least read the following about registers. It's quite practical to know, although not that important.

All this makes it possible for us to make a distinction regarding size:

• i. byte-size registers: As the name says, these registers are all exactly 1 byte in size. This does not mean that the whole (32bit) register is fully loaded with data! Eventually empty spaces in a register are just filled with zeroes. These are the byte-sized registers, all 1 byte or 8 bits in size:
    o AL and AH
    o BL and BH
    o CL and CH
    o DL and DH
• ii. word-size registers: Are 1 word (= 2 bytes = 16 bits) in size. A word-sized register is constructed of 2 byte-sized registers. Again, we can divide these regarding their purpose:
    o 1. general purpose registers:
        AX (word-sized) = AH + AL -> the '+' does *not* mean 'add them up'. AH and AL exist independently, but together they form AX. This means that if you change AH or AL (or both), AX will change too! -> 'accumulator': used for mathematical operations, storing strings, ...
        BX -> 'base': used in conjunction with the stack (see later)
        CX -> 'counter'
        DX -> 'data': mostly, here the remainder of mathematical operations is stored
        DI -> 'destination index': i.e. a string will be copied to DI
        SI -> 'source index': i.e. a string will be copied from SI
    o 2. index registers:
        BP -> 'base pointer': points to a specified position on the stack (see later)
        SP -> 'stack pointer': points to a specified position on the stack (see later)
    o 3. segment registers:
        CS -> 'code segment': instructions an application has to execute (see later)
        DS -> 'data segment': the data your application needs (see later)
        ES -> 'extra segment': duh! (see later)
        SS -> 'stack segment': here we'll find the stack (see later)
    o 4. special:
        IP -> 'instruction pointer': points to the next instruction. Just leave it alone.
• iii. Doubleword-size registers: 2 words = 4 bytes = 32 bits. EAX, EBX, ECX, EDX, EDI... If you find an 'E' in front of a 16-bits register, it means that you are dealing with a 32-bits register. So, AX = 16-bits; EAX = the 32-bits version of AX.

---------------------------------------------------------------------------------------------

III. The flags:

Flags are single bits which indicate the status of something. The flag register on modern 32bit CPUs is 32bit large. There are 32 different flags, but don't worry. You will mostly only need 3 of them in reversing: the Z-Flag, the O-Flag and the C-Flag. For reversing you need to know these flags to understand if a jump is executed or not. This register is in fact a collection of different 1-bit flags. A flag is a sign, just like a green light means 'ok' and a red one 'not ok'. A flag can only be '0' or '1', meaning 'not set' or 'set'.

• The Z-Flag: The Z-Flag (zero flag) is the most useful flag for cracking. It is used in about 90% of all cases. It can be set (status: 1) or cleared (status: 0) by several opcodes when the last instruction that was performed has 0 as result. You might wonder why "CMP" (more on this later) could set the zero flag, because it compares something - how can the result of the comparison be 0? The answer to this comes later.
• The O-Flag: The O-Flag (overflow flag) is used in about 4% of all cracking attempts. It is set (status: 1) when the last operation changed the highest bit of the register that gets the result of an operation. For example: EAX holds the value 7FFFFFFF. If you now use an operation which increases EAX by 1, the O-Flag would be set, because the operation changed the highest bit of EAX (which is not set in 7FFFFFFF, but set in 80000000 - use calc.exe to convert hexadecimal values to binary values). Another need for the O-Flag to be set is that the value of the destination register is neither 0 before the instruction nor after it.
• The C-Flag: The C-Flag (carry flag) is used in about 1% of all cracking attempts. It is set if you add a value to a register so that it gets bigger than FFFFFFFF, or if you subtract a value so that the register value gets smaller than 0.

---------------------------------------------------------------------------------------------

IV. Segments and offsets:

A segment is a piece in memory where instructions (CS), data (DS), the stack (SS) or just an extra segment (ES) are stored. Every segment is divided in 'offsets'. In 32-bits applications (Windows 95/98/ME/2000), these offsets are numbered from 00000000 to FFFFFFFF. 65536 pieces of memory, thus 65536 memory addresses per segment. The standard notation for segments and offsets is: SEGMENT:OFFSET = together, they point to a specific place (address) in memory. See it like this: a segment is a page in a book; an offset is a specific line on that page.

---------------------------------------------------------------------------------------------

V. The stack:

The stack is a part in memory where you can store different things for later use. See it as a pile of books in a chest where the last put in is the first to grab out. Or imagine the stack as a paper basket where you put in sheets. The basket is the stack and a sheet is a memory address (indicated by the stack pointer) in that stack segment. Remember the following rule: the last sheet of paper you put in the stack is the first one you'll take out! The command 'push' saves the contents of a register onto the stack. The command 'pop' grabs the last saved contents of a register from the stack and puts it in a specific register.

---------------------------------------------------------------------------------------------

VI. INSTRUCTIONS (alphabetical)

Please note that all values in ASM mnemonics (instructions) are *always* hexadecimal.

Most instructions have two operators (like "add EAX, EBX"), but some have one ("not EAX") or even three ("IMUL EAX, EDX, 64"). When you have an instruction that says something with "DWORD PTR [XXX]", then the DWORD (4 byte) value at memory offset [XXX] is meant. Note that the bytes are saved in reverse order in the memory (WinTel CPUs use the so-called "Little Endian" format). The same is for "WORD PTR [XXX]" (2 byte) and "BYTE PTR [XXX]" (1 byte).

Most instructions with 2 operators can be used in the following ways (example: add):
    add eax,ebx                       ;; Register, Register
    add eax,123                       ;; Register, Value
    add eax,dword ptr [404000]        ;; Register, Dword Pointer [value]
    add eax,dword ptr [eax]           ;; Register, Dword Pointer [register]
    add eax,dword ptr [eax+00404000]  ;; Register, Dword Pointer [register+value]
    add dword ptr [404000],eax        ;; Dword Pointer [value], Register
    add dword ptr [404000],123        ;; Dword Pointer [value], Value
    add dword ptr [eax],eax           ;; Dword Pointer [register], Register
    add dword ptr [eax],123           ;; Dword Pointer [register], Value
    add dword ptr [eax+404000],eax    ;; Dword Pointer [register+value], Register
    add dword ptr [eax+404000],123    ;; Dword Pointer [register+value], Value

---------------------------------------------------------------------------------------------

ADD (Addition)
Syntax: ADD destination, source
The ADD instruction adds a value to a register or a memory address. It can be used in the ways listed above. This instruction can set the Z-Flag, the O-Flag and the C-Flag (and some others, which are not needed for cracking).

---------------------------------------------------------------------------------------------

AND (Logical And)
Syntax: AND destination, source
The AND instruction uses a logical AND on two values. This instruction *will* clear the O-Flag and the C-Flag and can set the Z-Flag. To understand AND better, consider those two binary values:
    1001010110
    0101001101
If you AND them, the result is
    0001000100
When two 1s stand below each other, the result of this bit is 1; if not, the result is 0. You can use calc.exe to calculate AND easily.

---------------------------------------------------------------------------------------------

CALL (Call)
Syntax: CALL something
The instruction CALL pushes the RVA (Relative Virtual Address) of the instruction that follows the CALL to the stack and calls a subprogram/procedure. CALL can be used in the following ways:
    CALL 404000             ;; MOST COMMON: CALL ADDRESS
    CALL EAX                ;; CALL REGISTER - IF EAX WOULD BE 404000 IT WOULD BE THE SAME AS THE ONE ABOVE
    CALL DWORD PTR [EAX]    ;; CALLS THE ADDRESS THAT IS STORED AT [EAX]
    CALL DWORD PTR [EAX+5]  ;; CALLS THE ADDRESS THAT IS STORED AT [EAX+5]

---------------------------------------------------------------------------------------------

CDQ (Convert DWord (4 Byte) to QWord (8 Byte))
Syntax: CDQ
CDQ is an instruction that always confuses newbies when it appears the first time. It is mostly used in front of divisions and does nothing else than setting all bytes of EDX to the value of the highest bit of EAX. (That is: if EAX < 80000000, then EDX will be 00000000; if EAX >= 80000000, EDX will be FFFFFFFF.)

---------------------------------------------------------------------------------------------

CMP (Compare)
Syntax: CMP dest, source
The CMP instruction compares two things and can set the C/O/Z flags if the result fits.
    CMP EAX, EBX      ;; compares eax and ebx and sets z-flag if they are equal
    CMP EAX,[404000]  ;; compares eax with the dword at 404000
    CMP [404000],EAX  ;; compares eax with the dword at 404000

---------------------------------------------------------------------------------------------

DEC (Decrement)
Syntax: DEC something
dec is used to decrease a value (that is: value=value-1). dec can be used in the following ways:
    dec eax           ;; decrease eax
    dec [eax]         ;; decrease the dword that is stored at [eax]
    dec [401000]      ;; decrease the dword that is stored at [401000]
    dec [eax+401000]  ;; decrease the dword that is stored at [eax+401000]
The dec instruction can set the Z/O flags if the result fits.

---------------------------------------------------------------------------------------------

DIV (Division)
Syntax: DIV divisor
DIV is used to divide EAX by divisor (unsigned division). The dividend is always EAX, the result is stored in EAX, the modulo value in EDX. An example:
    mov eax,64   ;; EAX = 64h = 100
    mov ecx,9    ;; ECX = 9
    div ecx      ;; DIVIDE EAX BY ECX
After the division EAX = 100/9 = 0B and EDX = 100 MOD 9 = 1. The div instruction can set the C/O/Z flags if the result fits.

---------------------------------------------------------------------------------------------

IDIV (Integer Division)
Syntax: IDIV divisor
IDIV works in the same way as DIV, but IDIV is a signed division. The idiv instruction can set the C/O/Z flags if the result fits.

---------------------------------------------------------------------------------------------

IMUL (Integer Multiplication)
Syntax:
    IMUL value
    IMUL dest,value,value
    IMUL dest,value
IMUL multiplies either EAX with value (IMUL value), or it multiplies two values and puts them into a destination register (IMUL dest, value, value), or it multiplies a register with a value (IMUL dest, value). If the multiplication result is too big to fit into the destination register, the O/C flags are set. The Z flag can be set, too.

---------------------------------------------------------------------------------------------

INC (Increment)
Syntax: INC register
INC is the opposite of the DEC instruction; it increases values by 1. INC can set the Z/O flags.

---------------------------------------------------------------------------------------------

INT
Syntax: int dest
Generates a call to an interrupt handler. The dest value must be an integer (e.g., Int 21h). INT3 and INTO are interrupt calls that take no parameters but call the handlers for interrupts 3 and 4, respectively.

---------------------------------------------------------------------------------------------

JUMPS
These are the most important jumps and the condition that needs to be met so that they'll be executed (important jumps are marked with * and very important with **):
    JA*   - Jump if (unsigned) above - CF=0 and ZF=0
    JAE   - Jump if (unsigned) above or equal - CF=0
    JB*   - Jump if (unsigned) below - CF=1
    JBE   - Jump if (unsigned) below or equal - CF=1 or ZF=1
    JC    - Jump if carry flag set - CF=1
    JCXZ  - Jump if CX is 0 - CX=0
    JE**  - Jump if equal - ZF=1
    JECXZ - Jump if ECX is 0 - ECX=0
    JG*   - Jump if (signed) greater - ZF=0 and SF=OF (SF = Sign Flag)
    JGE*  - Jump if (signed) greater or equal - SF=OF
    JL*   - Jump if (signed) less - SF != OF (!= is not)
    JLE*  - Jump if (signed) less or equal - ZF=1 and SF != OF
    JMP** - Jump - Jumps always
    JNA   - Jump if (unsigned) not above - CF=1 or ZF=1
    JNAE  - Jump if (unsigned) not above or equal - CF=1
    JNB   - Jump if (unsigned) not below - CF=0
    JNBE  - Jump if (unsigned) not below or equal - CF=0 and ZF=0
    JNC   - Jump if carry flag not set - CF=0
    JNE** - Jump if not equal - ZF=0
    JNG   - Jump if (signed) not greater - ZF=1 or SF!=OF
    JNGE  - Jump if (signed) not greater or equal - SF!=OF
    JNL   - Jump if (signed) not less - SF=OF
    JNLE  - Jump if (signed) not less or equal - ZF=0 and SF=OF
    JNO   - Jump if overflow flag not set - OF=0
    JNP   - Jump if parity flag not set - PF=0
    JNS   - Jump if sign flag not set - SF=0
    JNZ   - Jump if not zero - ZF=0
    JO    - Jump if overflow flag is set - OF=1
    JP    - Jump if parity flag set - PF=1
    JPE   - Jump if parity is equal - PF=1
    JPO   - Jump if parity is odd - PF=0
    JS    - Jump if sign flag is set - SF=1
    JZ    - Jump if zero - ZF=1

---------------------------------------------------------------------------------------------

LEA (Load Effective Address)
Syntax: LEA dest,src
LEA can be treated the same way as the MOV instruction. It isn't used too much for its original function, but more for quick multiplications like this:
    lea eax, dword ptr [4*ecx+ebx]
which gives eax the value of 4*ecx+ebx.

---------------------------------------------------------------------------------------------

MOV (Move)
Syntax: MOV dest,src
This is an easy to understand instruction. MOV copies the value from src to dest, and src stays what it was before. There are some variants of MOV:
    MOVS/MOVSB/MOVSW/MOVSD EDI, ESI: Those variants copy the byte/word/dword ESI points to, to the space EDI points to.
    MOVSX: MOVSX expands Byte or Word operands to Word or Dword size and keeps the sign of the value.
    MOVZX: MOVZX expands Byte or Word operands to Word or Dword size and fills the rest of the space with 0.

---------------------------------------------------------------------------------------------

MUL (Multiplication)
Syntax: MUL value
This instruction is the same as IMUL, except that it multiplies unsigned. It can set the O/Z/C flags.

---------------------------------------------------------------------------------------------

NOP (No Operation)
Syntax: NOP
This instruction does absolutely nothing. That's the reason why it is used so often in reversing.

---------------------------------------------------------------------------------------------

OR (Logical Inclusive Or)
Syntax: OR dest,src
The OR instruction connects two values using the logical inclusive or. This instruction clears the O-Flag and the C-Flag and can set the Z-Flag. To understand OR better, consider those two binary values:
    1001010110
    0101001101
If you OR them, the result is
    1101011111
Only when there are two 0s on top of each other is the resulting bit 0. Else the resulting bit is 1. You can use calc.exe to calculate OR. I hope you understand why; else write down a value on paper and try.

---------------------------------------------------------------------------------------------

POP
Syntax: POP dest
POP loads the value of byte/word/dword ptr [esp] and puts it into dest. Additionally it increases the stack by the size of the value that was popped off the stack, so that the next POP would get the next value.

---------------------------------------------------------------------------------------------

PUSH
Syntax: PUSH operand
PUSH is the opposite of POP. It stores a value on the stack and decreases it by the size of the operand that was pushed, so that ESP points to the value that was PUSHed.

---------------------------------------------------------------------------------------------

REP/REPE/REPZ/REPNE/REPNZ
Syntax: REP/REPE/REPZ/REPNE/REPNZ ins
Repeat Following String Instruction: Repeats ins until CX=0 or until the indicated condition (ZF=1, ZF=1, ZF=0, ZF=0) is met. The ins value must be a string operation such as CMPS, INS, LODS, MOVS, OUTS, SCAS, or STOS.

---------------------------------------------------------------------------------------------

RET (Return)
Syntax: RET
        RET digit
RET does nothing but return from a part of code that was reached using a CALL instruction. RET digit cleans the stack before it returns.

---------------------------------------------------------------------------------------------

SUB (Subtraction)
Syntax: SUB dest,src
SUB is the opposite of the ADD command. It subtracts the value of src from the value of dest and stores the result in dest. SUB can set the Z/O/C flags.

---------------------------------------------------------------------------------------------

TEST
Syntax: TEST operand1, operand2
This instruction is in 99% of all cases used as "TEST EAX, EAX". It performs a logical AND (AND instruction) but does not save the values. It only sets the Z-Flag when EAX is 0, or clears it when EAX is not 0. The O/C flags are always cleared.

---------------------------------------------------------------------------------------------

XOR
Syntax: XOR dest,src
The XOR instruction connects two values using logical exclusive OR (remember OR uses inclusive OR). This instruction clears the O-Flag and the C-Flag and can set the Z-Flag. To understand XOR better, consider those two binary values:
    1001010110
    0101001101
If you XOR them, the result is
    1100011011
When two bits on top of each other are equal, the resulting bit is 0. Else the resulting bit is 1. You can use calc.exe to calculate XOR. The most often seen use of XOR is "XOR EAX, EAX". This will set EAX to 0, because when you XOR a value with itself, the result is always 0. I hope you understand why; else write down a value on paper and try.

I'll come back and edit as I test the instructions. Is this useful to anyone?

---------------------------------------------------------------------------------------------

Credits: Lena - www.reverse-engineering.net, www.tuts4you.com

www.reverse-engineering.net is down, and most of the packs with the lessons are all flagged by AVs as viruses because they contain sample executables for practice. Draw your own conclusions about why they are "viruses".

Edited February 14, 2011 by phantomas90
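The register aliasing, little-endian "DWORD PTR" rule, MOVZX/MOVSX and the CDQ/DIV/IDIV pair from the tutorial above, modelled in Python as an added example. This is not code from the post or from Lena's tutorials; the register names, the address 404000h and every value are constructed for illustration, and DIV here follows the CPU's EDX:EAX convention (the post's own example, with EDX zeroed by CDQ, is reproduced in `demo()`).

```python
# Added example, not code from the original post or from Lena's tutorials:
# a small Python model of the rules described above (AX/AH/AL aliasing in
# EAX, little-endian DWORD PTR access, MOVZX/MOVSX, CDQ before DIV/IDIV).
# All addresses and values are constructed for illustration.

MASK32 = 0xFFFFFFFF
SUBREG = {"x": (0, 16), "l": (0, 8), "h": (8, 8)}   # AX, AL, AH: (shift, width)

class Regs:
    """EAX..EDX as 32-bit values; get/set also understand AX, AH, AL etc."""

    def __init__(self):
        self.r = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0}

    def get(self, name):
        name = name.lower()
        if name in self.r:
            return self.r[name]
        shift, width = SUBREG[name[-1]]
        full = "e" + name[0] + "x"                 # al/ah/ax -> eax
        return (self.r[full] >> shift) & ((1 << width) - 1)

    def set(self, name, value):
        name = name.lower()
        if name in self.r:
            self.r[name] = value & MASK32
            return
        shift, width = SUBREG[name[-1]]
        full = "e" + name[0] + "x"
        mask = ((1 << width) - 1) << shift
        # Writing AL/AH/AX changes only that part; the rest of EAX keeps its bits
        self.r[full] = (self.r[full] & ~mask & MASK32) | ((value << shift) & mask)

def store_dword(mem, addr, value):
    """DWORD PTR [addr] = value: the lowest byte lands at the lowest address."""
    for i in range(4):
        mem[addr + i] = (value >> (8 * i)) & 0xFF

def load_dword(mem, addr):
    """Read DWORD PTR [addr] back, reassembling the bytes little-endian."""
    return sum(mem[addr + i] << (8 * i) for i in range(4))

def movzx(value, src_bits):
    """Zero-extend a byte/word to 32 bits: the upper bits become 0."""
    return value & ((1 << src_bits) - 1)

def movsx(value, src_bits):
    """Sign-extend a byte/word to 32 bits: the upper bits copy the sign bit."""
    value &= (1 << src_bits) - 1
    if value & (1 << (src_bits - 1)):
        value -= 1 << src_bits
    return value & MASK32

def to_signed(value, bits=32):
    return value - (1 << bits) if value & (1 << (bits - 1)) else value

def cdq(regs):
    """EDX = copies of EAX's sign bit, so EDX:EAX is a signed 64-bit dividend."""
    regs.set("edx", MASK32 if regs.get("eax") & 0x80000000 else 0)

def div(regs, divisor):
    """Unsigned EDX:EAX / divisor -> quotient in EAX, remainder in EDX."""
    quotient, remainder = divmod((regs.get("edx") << 32) | regs.get("eax"), divisor)
    if quotient > MASK32:
        raise ArithmeticError("quotient does not fit in EAX (the CPU raises #DE)")
    regs.set("eax", quotient)
    regs.set("edx", remainder)

def idiv(regs, divisor):
    """Signed EDX:EAX / divisor, truncating toward zero as the CPU does."""
    dividend = to_signed((regs.get("edx") << 32) | regs.get("eax"), 64)
    divisor = to_signed(divisor & MASK32)
    quotient = abs(dividend) // abs(divisor)
    if (dividend < 0) != (divisor < 0):
        quotient = -quotient
    regs.set("eax", quotient)
    regs.set("edx", dividend - quotient * divisor)   # remainder keeps the dividend's sign

def demo():
    """Walk through the rules above; returns what a debugger would show."""
    regs, mem = Regs(), {}
    regs.set("eax", 0x12345678)
    regs.set("al", 0xAB)                        # mov al, 0ABh: only the low byte moves
    after_al, ah = regs.get("eax"), regs.get("ah")
    store_dword(mem, 0x404000, 0x12345678)      # mov dword ptr [404000], 12345678h
    regs.set("eax", 0x64)                       # mov eax, 64h  (100 decimal)
    regs.set("ecx", 9)                          # mov ecx, 9
    cdq(regs)                                   # EAX < 80000000h, so EDX = 0
    div(regs, regs.get("ecx"))                  # div ecx
    unsigned = (regs.get("eax"), regs.get("edx"))
    regs.set("eax", -100 & MASK32)              # same division on a negative EAX
    cdq(regs)                                   # now EDX = FFFFFFFFh
    idiv(regs, 9)
    signed = (to_signed(regs.get("eax")), to_signed(regs.get("edx")))
    return {"after_al": after_al, "ah": ah, "first_byte": mem[0x404000],
            "roundtrip": load_dword(mem, 0x404000), "movzx": movzx(0xFF, 8),
            "movsx": movsx(0xFF, 8), "unsigned": unsigned, "signed": signed}
```

`demo()` reproduces the post's `mov eax,64 / mov ecx,9 / div ecx` and shows EAX = 0Bh, EDX = 1 afterwards; the same division on a negative EAX shows why CDQ must run first for IDIV (EDX becomes FFFFFFFFh), and `movsx(0xFF, 8)` versus `movzx(0xFF, 8)` shows the sign-extension difference that routinely bites when a byte is compared as a dword.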
adonisslanic Posted February 14, 2011
Omg dude, it's useful :) really useful... I learned things from your post :)
phantomas90 Posted February 14, 2011 (edited)
Deleted. Reason: the information is wrong!
Edited March 9, 2011 by phantomas90
Flubber Posted February 14, 2011
Keep them coming. Lena is awesome!
adonisslanic Posted February 14, 2011
It would be cool if you also made some reversing examples on real programs, but did the "tutorial" in a Linux environment... I think that's better...
daatdraqq Posted February 14, 2011
Tutorials like these are truly useful when you explain them in your own words, written or on video, all the way through, with examples, including the problems you ran into and how you solved them.
phantomas90 Posted February 14, 2011 (edited)
Deleted. Reason: the information is wrong!
Edited March 9, 2011 by phantomas90
Nytro Posted February 14, 2011
Nicely structured and laid out; even beginners can learn a lot from this.
michee Posted February 15, 2011
interesting.......
sulea Posted February 15, 2011
congratulations phantomas90 for the post. I've posted some challenges too and I'd really like you to take a look at them when you have some free time. they aren't difficult.
I skimmed through the description of the asm instructions, and I'd like to mention a small detail:
"RET does nothing but return from a part of code that was reached using a CALL instruction. RET digit cleans the stack before it returns."
for beginners the wording is more or less correct, but if you want to go deeper: the 'ret' instruction moves program execution to the address found at the top of the stack, incrementing the stack by 4 (it executes a pop). moving program execution is done through an unconditional jump.
ex: we are at memory location 401000
    401000: push 402000
            ret
in the example above, after the 'ret' instruction executes we'll be at 402000 (eip=402000).
before the 'ret' instruction executes, the top of the stack holds 402000, so the ret instruction will pop the top of the stack and move program execution to the address that was at the top of the stack, through an unconditional jump.
and the 'call' instruction pushes onto the stack the code address of the next instruction (the one following the call instruction), decrementing the stack by 4 (it does a push), and moves program execution to the address it receives as an argument (call 40888999) through an unconditional jump.
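The PUSH/POP/CALL/RET descriptions in the tutorial and sulea's `push 402000 / ret` example above, modelled as a toy stack in Python. This is an added example, not code from the thread or from Lena's tutorials; the addresses 401000h, 402000h and 404000h come from the thread's own examples, while the initial ESP value, the 5-byte CALL encoding and the two "argument" values are constructed assumptions.

```python
# Added example, not code from the thread or from Lena's tutorials: a toy
# stack model that shows what PUSH, POP, CALL, RET and RET n do to ESP, EIP
# and memory. The addresses (401000h, 402000h, 404000h) come from the thread;
# the initial ESP and the pushed "arguments" are constructed values.

MASK32 = 0xFFFFFFFF


class Machine:
    def __init__(self, eip, esp=0x0012FF80):
        self.mem = {}            # sparse byte-addressed memory, constructed
        self.eip = eip           # address of the instruction about to execute
        self.esp = esp           # top of the stack

    def _store(self, addr, value):
        for i in range(4):       # little endian: low byte at the low address
            self.mem[addr + i] = (value >> (8 * i)) & 0xFF

    def _load(self, addr):
        if addr not in self.mem:
            raise RuntimeError("reading unmapped stack memory at %08X" % addr)
        return sum(self.mem[addr + i] << (8 * i) for i in range(4))

    def push(self, value):
        """ESP -= 4, then the dword is stored at the new top of the stack."""
        self.esp = (self.esp - 4) & MASK32
        self._store(self.esp, value & MASK32)

    def pop(self):
        """Read the dword at [ESP], then ESP += 4 so the next POP sees the next value."""
        value = self._load(self.esp)
        self.esp = (self.esp + 4) & MASK32
        return value

    def call(self, target):
        """Push the address of the instruction after the CALL, then jump to target."""
        self.push(self.eip + 5)  # CALL rel32 is 5 bytes, so the next instruction is EIP+5
        self.eip = target

    def ret(self, n=0):
        """Pop the return address into EIP; RET n then discards n more bytes of arguments."""
        self.eip = self.pop()
        self.esp = (self.esp + n) & MASK32

    def top(self):
        return self._load(self.esp)


def push_ret_demo():
    """sulea's example: at 401000h, 'push 402000' followed by 'ret' lands at 402000h."""
    m = Machine(eip=0x401000)
    esp_before = m.esp
    m.push(0x402000)
    top_before_ret = m.top()     # 402000h now sits at [ESP]
    m.ret()                      # pops it straight into EIP: an unconditional jump
    return m.eip, top_before_ret, m.esp == esp_before


def call_ret_demo():
    """CALL 404000 from 401000h pushes 401005h; RET 8 returns and drops two arguments."""
    m = Machine(eip=0x401000)
    esp_before = m.esp
    m.push(0x1111)               # two constructed arguments for the callee
    m.push(0x2222)
    m.call(0x404000)
    return_address = m.top()     # 401005h, the instruction after the 5-byte CALL
    inside_callee = m.eip        # 404000h
    m.ret(8)                     # callee cleans its own 8 bytes of arguments
    return return_address, inside_callee, m.eip, m.esp == esp_before


def ret_with_empty_stack():
    """RET with nothing pushed reads whatever lies at [ESP]; here that is unmapped."""
    try:
        Machine(eip=0x401000).ret()
    except RuntimeError:
        return True
    return False
```

`push_ret_demo()` ends with EIP = 402000h and ESP back where it started, which is exactly why RET is an unconditional jump to whatever the top of the stack holds; `call_ret_demo()` shows the return address a CALL leaves behind and how `RET 8` restores ESP past the arguments; `ret_with_empty_stack()` shows the failure mode when the stack is not in the state the callee expects.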
phantomas90 Posted February 15, 2011 (edited)
Deleted. Reason: the information is wrong!
Edited March 9, 2011 by phantomas90
sulea Posted February 15, 2011
just for phantomas90: that much copy/paste wasn't necessary! I didn't mean to needle you, nor to show off.
I only wanted to point out and demonstrate (see the example in my previous post) that the ret instruction can also have a different use than 'returning from a function'. and for that purpose I explained, in terms everyone can understand I think, what happens when the ret instruction executes. I also said that what you posted is correct, but if you want to go deeper you can read what I wrote.
I don't do asm either, but in reversing you'll often come across the construct "push address; ret" and I thought I'd lend a hand.
phantomas90 Posted February 19, 2011 (edited)
Deleted. Reason: the information is wrong!
Edited March 9, 2011 by phantomas90
daatdraqq Posted February 19, 2011
Well done, congratulations! That's exactly what I was advising you to do a few days ago. Perfect, keep it up. I'll join your project with a few tutorials, I hope. Right now my free time doesn't allow it.
In the meantime, shall we make a cracking section too?
phantomas90 Posted February 19, 2011 (edited)
Deleted. Reason: the information is wrong!
Edited March 9, 2011 by phantomas90
sulea Posted February 19, 2011
"Thinking in Romanian: why not make it always jump? => I use JMP instead of JNZ. JMP will jump without checking anything."
it's good that you're trying, but you still have things to learn.
it's a good idea to put a breakpoint on the serial check function, because it can be called from several places:
    .text:0040A309 call sub_403090                    ; it is called again
    .text:0040A30E cmp al, bl                         ; al must be different from bl,
    .text:0040A30E                                    ; more precisely al must be 1
    .text:0040A30E                                    ; (bl is always 0)
    .text:0040A310 mov byte ptr [esp+48h+var_4], 1
    .text:0040A315 setnz cl                           ; if al differs from bl, set cl to 1 (registered),
    .text:0040A315                                    ; otherwise set it to 0 (unregistered)
    .text:0040A318 mov [esi+44h], cl                  ; store the registered-or-not status
the above happens at the start of the program. so every time the program starts, the serial is checked. but where is the serial read from? from the registry, of course. the registry, which you forgot to take into account, and which is updated with the serial right after the serial check is done (from the registration box).
registry: SOFTWARE\Microsoft\Windows\VSCAP
I think in Romanian too, and I advise you to return 1 every time in that serial check function, unless you want to make a keygen.
by the way, I'm in favour of opening a cracking section.
phantomas90 Posted February 19, 2011 (edited)
Deleted. Reason: the information is wrong!
Edited March 9, 2011 by phantomas90
Flubber Posted February 20, 2011
"Offtopic: this thread has gone to the dogs, it's a mix of Romanian, English and video."
It hasn't gone to the dogs at all; whoever wants to learn ASM and RE has to know English (like it or not). Now, in my opinion, for beginners (like me) it would be good if someone explained (in terms everyone can understand) how the CPU works (including the registers, the level 1 and level 2 caches, the arithmetic logic unit, how it looks things up in RAM through the data bus, how exactly the stack works and so on), because these are basic notions, and you have to understand them since it's the CPU that returns the values you see in the debugger, with ASM meaning all the 'commands' like JMP, CMP, SUB, ADD etc.
Now I don't know how many people would be interested in that, because they'll say 'yeah, but I couldn't care less that the CPU has an ALU and does 5,000,000,000,000,000,000 (not sure) calculations per second just to show me the "X" in the top bar of the pr0n window'. As I said, it depends on each person, whether they also want to know what's going on 'under the hood'.
// LE: another video showing how a crack is made for the game (quite old -- release date: 1999; lul) Caesar 3, but it shows the same principle phantomas90 used.
phantomas90 Posted February 20, 2011 (edited)
Deleted. Reason: the information is wrong!
Edited March 9, 2011 by phantomas90
sulea Posted February 20, 2011
Flubber, what you're interested in belongs to processor architecture.
go read this: ARHITECTURA CALCULATOARELOR (Computer Architecture). it's in Romanian; maybe it gives you a better idea. and if you want even more, go to the library and dig deeper there, because at that point you're getting into the hardware side.
phantomas90, beware of becoming the 'slave' of jumps. that's how I started out too, with jumps on the brain, and I didn't get far. don't console yourself with things like 'I modify the jump and my method works too'.
take the following as a law: always return 'registered' in the serial check function, because, as I showed you in the example above, it can be called from several parts of the program. also, INVESTIGATE the serial check function. check whether some memory location gets modified depending on which of the 2 branches executes (registered and unregistered). that memory location may be checked later, ONLY that one, without the function needing to be called again. and then you're caught red-handed.
another thing: try to make your first cracks WITHOUT altering the jump instructions (i.e. modify other instructions). it will be of real use to you later on, and along the way you'll also learn something about what is actually happening.
let me pick on your first post with the asm instructions a bit more. the cmp instruction, for example. you say it compares value1 with value2. again, that's a general wording. in fact a subtraction is performed: value1-value2. the result isn't stored, but some flags are modified (namely, if the values are equal, the result of the subtraction is 0 (the 'z' flag becomes 1 because we have a result of 0), AND THAT'S WHY JZ executes when the values are equal. not for any other reason. the computer has never heard of 'comparison', only of mathematical and logical operations.
to do reversing you MUST know a lot more than loops, procedures, functions, calls, jumps.
== maybe I'll make some extremely simple crackmes so you can practise a bit and get some basic notions ingrained ==
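The flag descriptions and jump table in the first post, and sulea's point above that CMP is a subtraction whose result is thrown away, worked through in Python as an added example (not code from the thread or from Lena's tutorials). The flag rules and jump conditions below follow the standard Intel definitions rather than the wording of the post; the sample operands are constructed, and the `7FFFFFFF + 1` case and the three ten-bit values are the ones the tutorial itself uses.

```python
# Added example, not part of the thread: how CMP derives its flags (it is a
# SUB whose result is discarded) and how the conditional jumps read them.
# Flag definitions follow the standard Intel semantics; operands are constructed.

MASK32 = 0xFFFFFFFF
SIGN = 0x80000000


def flags_sub(dest, src):
    """Flags after SUB dest, src. CMP sets exactly these and drops the result."""
    dest, src = dest & MASK32, src & MASK32
    result = (dest - src) & MASK32
    return {
        "result": result,
        "ZF": int(result == 0),                  # zero result -> equal operands
        "SF": int(bool(result & SIGN)),          # sign bit of the result
        "CF": int(dest < src),                   # unsigned borrow: dest was below src
        "OF": int(bool((dest ^ src) & (dest ^ result) & SIGN)),  # signed overflow
    }


def flags_add(dest, src):
    """Flags after ADD dest, src (the tutorial's 7FFFFFFFh + 1 case sets OF)."""
    dest, src = dest & MASK32, src & MASK32
    result = (dest + src) & MASK32
    return {
        "result": result,
        "ZF": int(result == 0),
        "SF": int(bool(result & SIGN)),
        "CF": int(dest + src > MASK32),          # carry out of bit 31
        "OF": int(bool(~(dest ^ src) & (dest ^ result) & SIGN)),
    }


def flags_logic(result):
    """AND/OR/XOR/TEST: CF and OF are always cleared; ZF/SF come from the result."""
    result &= MASK32
    return {"result": result, "ZF": int(result == 0),
            "SF": int(bool(result & SIGN)), "CF": 0, "OF": 0}


# Conditional jumps as predicates over the flags: unsigned comparisons read
# CF/ZF, signed ones read SF/OF/ZF, which is why JA and JG can disagree.
JUMPS = {
    "jmp": lambda f: True,
    "je":  lambda f: f["ZF"] == 1,
    "jne": lambda f: f["ZF"] == 0,
    "ja":  lambda f: f["CF"] == 0 and f["ZF"] == 0,
    "jae": lambda f: f["CF"] == 0,
    "jb":  lambda f: f["CF"] == 1,
    "jbe": lambda f: f["CF"] == 1 or f["ZF"] == 1,
    "jg":  lambda f: f["ZF"] == 0 and f["SF"] == f["OF"],
    "jge": lambda f: f["SF"] == f["OF"],
    "jl":  lambda f: f["SF"] != f["OF"],
    "jle": lambda f: f["ZF"] == 1 or f["SF"] != f["OF"],
    "jo":  lambda f: f["OF"] == 1,
    "js":  lambda f: f["SF"] == 1,
}
JUMPS["jz"], JUMPS["jnz"] = JUMPS["je"], JUMPS["jne"]   # same tests, other names


def jump_taken(mnemonic, flags):
    return JUMPS[mnemonic.lower()](flags)


def taken_jumps(flags):
    """Every mnemonic in the table that would be taken on these flags."""
    return sorted(m for m, cond in JUMPS.items() if cond(flags))


def demo():
    equal = flags_sub(5, 5)                    # cmp eax, ebx with eax == ebx
    mixed = flags_sub(0x80000000, 1)           # unsigned: huge vs 1; signed: -2^31 vs 1
    overflow = flags_add(0x7FFFFFFF, 1)        # the tutorial's O-flag example
    zero = flags_logic(0x1234 ^ 0x1234)        # xor eax, eax
    return {
        "je_on_equal": jump_taken("je", equal),
        "jne_on_equal": jump_taken("jne", equal),
        "ja_on_mixed": jump_taken("ja", mixed),    # unsigned view: above
        "jg_on_mixed": jump_taken("jg", mixed),    # signed view: not greater
        "jl_on_mixed": jump_taken("jl", mixed),    # signed view: less
        "of_after_add": overflow["OF"],
        "zf_after_xor": zero["ZF"],
        "and": 0b1001010110 & 0b0101001101,
        "or": 0b1001010110 | 0b0101001101,
        "xor": 0b1001010110 ^ 0b0101001101,
    }
```

`demo()` shows the point made above: `cmp 5, 5` is `5 - 5`, the result is 0, so ZF = 1 and JE/JZ are taken while JNE is not. The `mixed` case shows why the same CMP can send JA one way and JG the other: 80000000h is a large unsigned number but the most negative signed one, and only the signed jumps consult SF and OF. `taken_jumps(flags_sub(a, b))` lists every jump that would fire for a given pair of operands, which is a handy way to check a jump table entry by hand.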
michee Posted February 20, 2011
so, in conclusion..... the jumps can be modified, the simplest option, but one that might not always work, as sulea explained.....
phantomas90 Posted February 20, 2011 (edited)
Deleted. Reason: the information is wrong!
Edited March 9, 2011 by phantomas90
sulea Posted February 21, 2011
http://rstcenter.com/forum/31854-crack-me.rst
phantomas90 Posted February 21, 2011 (edited)
Deleted. Reason: the information is wrong!
Edited March 9, 2011 by phantomas90
sulea Posted February 21, 2011
phantomas, as I expected, you're not trying to register a program, but to make it just show you registration messages. I told you in a previous post: try to make your first cracks WITHOUT touching the jumps. that's why I avoided using jumps in the program, but I see that you're dead set on cracking without understanding what you're doing.
the crack you made isn't correct. from any point of view. you're just forcing a message to be displayed. try again, and try to understand what is actually happening.