Flubber

[summary] Lena151 -- 1st reverseMe [part 1]


Posted (edited)

A summary, for the first reverseMe in the series of reverseMes that come with the tutorials for each reMe! It might help someone. My comments are bold and red, the conditional jumps (bad boys) that matter to us are blue, the jumps that help us get to the good boy are marked brown, and the jump needed for the good boy is green.


00401000 r> $ 6A 00 PUSH 0 [COLOR=red][B]; 00401000 - entry point (EP = INT3 (CC) !!)[/B][/COLOR]
00401002 ? E8 64020000 CALL <JMP.&KERNEL32.GetModuleHandleA> [COLOR=red][B]; call[/B][/COLOR]
00401007 ? A3 77214000 MOV DWORD PTR DS:[402177],EAX [COLOR=red][B]; [00]402177 (0x77\0x21\0x40\0x00) == the value of EAX[/B][/COLOR]
0040100C . C705 97214000 03400000 MOV DWORD PTR DS:[402197],4003 ; | [COLOR=red][B]; 402197 == 4003[/B][/COLOR]
00401016 . C705 9B214000 A6114000 MOV DWORD PTR DS:[40219B],reverseM.004011A6 ; | [COLOR=red][B]; 40219B == 004011A6[/B][/COLOR]
00401020 . C705 9F214000 00000000 MOV DWORD PTR DS:[40219F],0 ; | [COLOR=red][B]; 40219F == 0[/B][/COLOR]
0040102A . C705 A3214000 00000000 MOV DWORD PTR DS:[4021A3],0 ; | [COLOR=red][B]; 4021A3 == 0[/B][/COLOR]
00401034 . A1 77214000 MOV EAX,DWORD PTR DS:[402177] ; | [COLOR=red][B]; EAX == the value of the dword at DS VA 402177[/B][/COLOR]
00401039 . A3 A7214000 MOV DWORD PTR DS:[4021A7],EAX ; | [COLOR=red][B]; 4021A7 == eax[/B][/COLOR]
0040103E . 6A 04 PUSH 4 ; |/RsrcName = 4. [COLOR=red][B]; push 4 onto the stack[/B][/COLOR]
00401040 . 50 PUSH EAX ; ||hInst = 00000001 [COLOR=red][B]; push EAX[/B][/COLOR]
00401041 . E8 3F030000 CALL <JMP.&USER32.LoadIconA> ; |\LoadIconA [COLOR=red][B]; CALL[/B][/COLOR]
00401046 . A3 AB214000 MOV DWORD PTR DS:[4021AB],EAX ; |
0040104B . 68 007F0000 PUSH 7F00 ; |/RsrcName = IDC_ARROW
00401050 . 6A 00 PUSH 0 ; ||hInst = NULL
00401052 . E8 C8020000 CALL <JMP.&USER32.LoadCursorA> ; |\LoadCursorA
00401057 . A3 AF214000 MOV DWORD PTR DS:[4021AF],EAX ; |
0040105C . 6A 00 PUSH 0 ; |/hTemplateFile = NULL
0040105E . 68 6F214000 PUSH reverseM.0040216F ; ||Attributes = READONLY|HIDDEN|SYSTEM|ARCHIVE|TEMPORARY|402048
00401063 . 6A 03 PUSH 3 ; ||Mode = OPEN_EXISTING
00401065 . 6A 00 PUSH 0 ; ||pSecurity = NULL
00401067 . 6A 03 PUSH 3 ; ||ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401069 . 68 000000C0 PUSH C0000000 ; ||Access = GENERIC_READ|GENERIC_WRITE
0040106E . 68 79204000 PUSH reverseM.00402079 ; ||FileName = "Keyfile.dat"
00401073 . E8 0B020000 CALL <JMP.&KERNEL32.CreateFileA> ; |\CreateFileA [COLOR=red][B]; EAX == -1 (FFFFFFFF)[/B][/COLOR]
00401078 . 83F8 FF CMP EAX,-1 ; | [COLOR=red][B]; compares EAX with -1 / it is true, Z-flag == 1 (jump not taken)[/B][/COLOR]
[B][COLOR=blue]0040107B . 75 1D JNZ SHORT reverseM.0040109A[/COLOR][/B] ; | [COLOR=red][B]; jmp not taken -- Z-flag = 1 ("not set"): the first bad boy (0040107D) executes, starting with PUSH 0 at 0040107D! => ZF = 0 (jump is taken) => we skip the bad boy (EIP = 0040109A)[/B][/COLOR]
0040107D . 6A 00 PUSH 0 ; |/Style = MB_OK|MB_APPLMODAL
0040107F . 68 00204000 PUSH reverseM.00402000 ; ||Title = " Key File ReverseMe"
00401084 . 68 17204000 PUSH reverseM.00402017 ; ||Text = "Evaluation period out of date. Purchase new license" [COLOR=red][B]; this API (MessageBoxA) == the first bad boy! (0040107D)[/B][/COLOR]
00401089 . 6A 00 PUSH 0 ; ||hOwner = NULL
0040108B . E8 D7020000 CALL <JMP.&USER32.MessageBoxA> ; |\MessageBoxA
00401090 . E8 24020000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess [COLOR=red][B]; |-> exit[/B][/COLOR]
00401095 . E9 83010000 JMP reverseM.0040121D
[B][COLOR=red]0040109A[/COLOR][/B] > 6A 00 PUSH 0 ; /pOverlapped = NULL [COLOR=red][B]; EIP = 0040109A -- we got here from the previous JNZ[/B][/COLOR]
0040109C . 68 73214000 PUSH reverseM.00402173 ; |pBytesRead = reverseM.00402173
004010A1 . 6A 46 PUSH 46 ; |BytesToRead = 46 (70.)
004010A3 . 68 1A214000 PUSH reverseM.0040211A ; |Buffer = reverseM.0040211A
004010A8 . 50 PUSH EAX ; |hFile = 00000001
004010A9 . E8 2F020000 CALL <JMP.&KERNEL32.ReadFile> ; \ReadFile [COLOR=red][B]; read file (46h bytes == 70d) -- reads from what? nothing! the file isn't there[/B][/COLOR]
004010AE . 85C0 TEST EAX,EAX [COLOR=red][B]; test -- sets the Z-flag (for the next conditional jump -- JNZ)[/B][/COLOR]
[B][COLOR=blue]004010B0 . 75 02 JNZ SHORT reverseM.004010B4[/COLOR][/B] [COLOR=red][B]; EAX == 0 ! -- JMP NOT TAKEN! (BAD BOY!!! -- Z-flag must be 0 in order to jump)[/B][/COLOR]
004010B2 . EB 43 JMP SHORT reverseM.004010F7 [COLOR=red][B]; unconditional jump -- where does it take us? to 004010F7 -- BAD BOY! (see below)[/B][/COLOR]
004010B4 > 33DB XOR EBX,EBX [COLOR=red][B]; ebx = 0[/B][/COLOR]
004010B6 . 33F6 XOR ESI,ESI [COLOR=red][B]; esi = 0[/B][/COLOR]
004010B8 . 833D 73214000 10 CMP DWORD PTR DS:[402173],10 [COLOR=red][B]; compares 402173 with 10[/B][/COLOR]
[B][COLOR=blue]004010BF . 7C 36 JL SHORT reverseM.004010F7[/COLOR][/B] [COLOR=red][B]; JL S-FLAG? 0 -- IT JUMPS! we don't want that -- leads to the bad boy ; 004010F7, as above == BAD BOY![/B][/COLOR]
004010C1 > 8A83 1A214000 MOV AL,BYTE PTR DS:[EBX+40211A] [COLOR=red][B]; 8-bit register AL == the value at EBX + (00)40211A[/B][/COLOR]
004010C7 . 3C 00 CMP AL,0 [COLOR=red][B]; compares AL with 0[/B][/COLOR]
[B][COLOR=brown]004010C9 . 74 08 JE SHORT reverseM.004010D3[/COLOR][/B] [COLOR=red][B]; JE ! Jump if equal -- relies on the comparison with AL; CMP AL,0 set the Z flag (zero flag) and it is 1 ! JUMPS to 004010D3 == does not lead to a bad boy, this jump is one of ours[/B][/COLOR]
004010CB . 3C 47 CMP AL,47 [COLOR=red][B]; not interesting, because EIP == 004010D3 thanks to the previous JE! see below[/B][/COLOR]
004010CD . 75 01 JNZ SHORT reverseM.004010D0 [COLOR=red][B]; scroll down![/B][/COLOR]
004010CF . 46 INC ESI [COLOR=red][B]; down[/B][/COLOR]
004010D0 > 43 INC EBX [COLOR=red][B]; own[/B][/COLOR]
004010D1 .^ EB EE JMP SHORT reverseM.004010C1 [COLOR=red][B]; wn[/B][/COLOR]
004010D3 > 83FE 08 CMP ESI,8 [COLOR=red][B]; n! we've arrived. CMP ESI with 8[/B][/COLOR]
[B][COLOR=blue]004010D6 . 7C 1F JL SHORT reverseM.004010F7[/COLOR][/B] [COLOR=red][B]; OOPS! ESI != 8 ; "jump is taken", the S-flag is 0 because of the compare; where does it lead? BAD BOY! that is 004010F7 (remember! in this reverseme, Virtual Address (VA) 004010F7 is the bad boy! S-flag == 1 => jump is not taken)[/B][/COLOR]
[B][COLOR=green]004010D8 . E9 28010000 JMP reverseM.00401205[/COLOR][/B] [COLOR=red][B]; unconditional jump -- leads to 00401205 ; what is there? see for yourself![/B][/COLOR]
004010DD 00 DB 00
004010DE . 00000000 DD 00000000
004010E2 00 DB 00
004010E3 00 DB 00
004010E4 00 DB 00
004010E5 00 DB 00
004010E6 00 DB 00
004010E7 00 DB 00
004010E8 00 DB 00
004010E9 00 DB 00
004010EA 00 DB 00
004010EB 00 DB 00
004010EC 00 DB 00
004010ED 00 DB 00
004010EE 00 DB 00
004010EF 00 DB 00
004010F0 00 DB 00
004010F1 00 DB 00
004010F2 00 DB 00
004010F3 00 DB 00
004010F4 00 DB 00
[B][COLOR=blue]004010F5 . EB 00 JMP SHORT reverseM.004010F7[/COLOR][/B]
004010F7 > 6A 00 PUSH 0 ; |/Style = MB_OK|MB_APPLMODAL
004010F9 . 68 00204000 PUSH reverseM.00402000 ; ||Title = " Key File ReverseMe"
004010FE . 68 86204000 PUSH reverseM.00402086 ; ||Text = "Keyfile is not valid. Sorry." [COLOR=red][B]; the second bad boy![/B][/COLOR]
00401103 . 6A 00 PUSH 0 ; ||hOwner = NULL
00401105 . E8 5D020000 CALL <JMP.&USER32.MessageBoxA> ; |\MessageBoxA
0040110A . E8 AA010000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess
0040110F . E9 09010000 JMP reverseM.0040121D

Edited by Flubber
update
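As an added example (not code from Lena151's tutorial or from the reverseMe itself), the Python below reproduces the three decision points of the listing: CreateFileA's return value, the byte count written by ReadFile, and the 'G' (0x47) counter loop, with every conditional jump evaluated from the flags that CMP/TEST actually leave behind. It lets you confirm what Keyfile.dat must contain for the green JMP at 004010D8 to be reached. The immediates (0x46, 0x10, 0x47, 8) and the bad-boy/good-boy addresses come from the listing; the helper names, the assumption that memory after the read buffer reads as zero, and the sample inputs are constructed here.

```python
"""
Python model of the Keyfile.dat check in the listing above (constructed example).
Immediates and addresses are taken from the OllyDbg listing; everything else is
an assumption made for illustration.
"""
from typing import Dict, Optional

BUFFER_SIZE = 0x46      # BytesToRead pushed at 004010A1 (70 bytes)
MIN_BYTES_READ = 0x10   # immediate in CMP DWORD PTR DS:[402173],10 at 004010B8
KEY_CHAR = 0x47         # immediate in CMP AL,47 at 004010CB ('G')
MIN_KEY_CHARS = 8       # immediate in CMP ESI,8 at 004010D3

BAD_BOY_1 = "bad boy 1: Evaluation period out of date (MessageBoxA at 0040107D)"
BAD_BOY_2 = "bad boy 2: Keyfile is not valid (MessageBoxA at 004010F7)"
GOOD_BOY = "good boy: JMP reverseM.00401205 at 004010D8"


def cmp_flags(a: int, b: int, bits: int = 32) -> Dict[str, bool]:
    """Flags left by CMP a,b (computes a - b and discards the result).
    Only ZF, SF and OF are modelled: they are all the listing's jumps consume."""
    mask = (1 << bits) - 1

    def signed(x: int) -> int:
        x &= mask
        return x - (1 << bits) if x >> (bits - 1) else x

    diff = (a - b) & mask
    return {
        "ZF": diff == 0,
        "SF": bool(diff >> (bits - 1)),
        # OF: the signed subtraction does not fit in `bits` bits
        "OF": signed(a) - signed(b) != signed(diff),
    }


def je_taken(f: Dict[str, bool]) -> bool:
    return f["ZF"]


def jnz_taken(f: Dict[str, bool]) -> bool:
    return not f["ZF"]


def jl_taken(f: Dict[str, bool]) -> bool:
    # JL is "signed less-than": taken when SF != OF, not on SF alone
    return f["SF"] != f["OF"]


def scan_key_chars(buf: bytes) -> int:
    """The loop at 004010C1..004010D1: ESI counts 0x47 bytes until the first 0 byte.
    Assumption: bytes past the end of the read buffer read as 0, so the scan stops."""
    ebx = 0  # index into the buffer at 0040211A
    esi = 0  # number of KEY_CHAR bytes seen so far
    while True:
        al = buf[ebx] if ebx < len(buf) else 0
        if je_taken(cmp_flags(al, 0, 8)):            # 004010C7/004010C9: CMP AL,0 ; JE
            return esi
        if not jnz_taken(cmp_flags(al, KEY_CHAR, 8)):  # 004010CB/004010CD: CMP AL,47 ; JNZ
            esi += 1                                    # 004010CF: INC ESI
        ebx += 1                                        # 004010D0: INC EBX


def validate_keyfile(file_content: Optional[bytes], read_ok: bool = True) -> str:
    """Walk the decision points in listing order. `file_content is None` models
    CreateFileA returning INVALID_HANDLE_VALUE; `read_ok=False` models ReadFile
    returning 0 (both assumptions of this model)."""
    # 00401078/0040107B: CMP EAX,-1 ; JNZ 0040109A
    handle = 0xFFFFFFFF if file_content is None else 1
    if not jnz_taken(cmp_flags(handle, 0xFFFFFFFF)):
        return BAD_BOY_1
    # 004010AE/004010B0: TEST EAX,EAX ; JNZ 004010B4 (TEST sets ZF like CMP EAX,0)
    if not jnz_taken(cmp_flags(1 if read_ok else 0, 0)):
        return BAD_BOY_2
    # ReadFile copies at most 0x46 bytes; [402173] receives the count actually read
    buf = file_content[:BUFFER_SIZE]
    bytes_read = len(buf)
    # 004010B8/004010BF: CMP DWORD PTR DS:[402173],10 ; JL 004010F7
    if jl_taken(cmp_flags(bytes_read, MIN_BYTES_READ)):
        return BAD_BOY_2
    # 004010D3/004010D6: CMP ESI,8 ; JL 004010F7
    if jl_taken(cmp_flags(scan_key_chars(buf), MIN_KEY_CHARS)):
        return BAD_BOY_2
    return GOOD_BOY  # 004010D8: JMP reverseM.00401205


if __name__ == "__main__":
    # constructed sample inputs: missing file, too short, too few 'G's, valid
    for sample in (None, b"GGGGGGGG", b"GGGGGGG" + b"-" * 9, b"GGGGGGGG" + b"-" * 8):
        print(repr(sample), "->", validate_keyfile(sample))
```

Two things the model makes visible that the listing only hints at: the file must be at least 0x10 bytes long and contain at least eight 0x47 bytes before the first 0x00, and the two JL jumps are decided by SF != OF (signed less-than) rather than by the sign flag alone; for the small non-negative operands in this reverseMe OF is always clear, so reasoning from SF gives the same answer, but the helper checks the real condition so it stays correct for any operands.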
Posted
Likewise ... there's some work in there, you haven't been "sitting" idle lately ;).

Thanks!

Well, I watched the first part for the 6th time (if I'm not mistaken) and realised certain things that helped me see things better (correctly), although there may be a few mistakes; I hope those who know will correct me.
