Monday, 17 November 2008

razzia key generators part II

push 0000000B
lea ecx, [ebp-18]                 :<-- So, EBP-18 is where the reg. number is stored.
push ecx
push 0000042A
push [ebp+08]
call [USER32!GetDlgItemTextA]
mov ebx, eax                      :<-- save the length of the string in EBX
test edi, edi                     :<-- remember EDI had the length of the name we entered?
jne 00402FBF

We see that the registration number is stored at location EBP-18; check it with ED EBP-18. Again, normally it would be wise to note that address down. We also see that the program checks that the length of the name we gave is not zero. If it is not zero, the program will continue.

Step 6: Ok, now we know where the data we entered is stored in memory. What next?

Now we have to find out what is DONE with it. Usually it would be wise to put breakpoints on those memory locations and find out where in the program they are read. But in this case the answer is just a few F10's away. Press F10 until you see the following code:

cmp ebx, 0000000A                 :<-- remember EBX had the length of the registration code we entered?
je 00402FDE

These two lines are important. They check whether the length of the registration code we entered is equal to 10 (0Ah). If not, the registration number is already considered wrong; the program won't even bother to check it. Modify EBX or the FLAG register in the register window to allow the jump. Continue pressing F10 until you get to the following code (note that the addresses you will see could be different):

:00402FDE xor esi, esi                         :<-- Clear ESI
:00402FE0 xor eax, eax                         :<-- Clear EAX
:00402FE2 test edi, edi
:00402FE4 jle 00402FF2
:00402FE6 movsx ecx, byte ptr [ebp+eax-2C]     :<-- ECX is loaded with a letter of the name we entered.
:00402FEB add esi, ecx                         :<-- Add the letter to ESI
:00402FED inc eax                              :<-- Increment EAX to get the next letter
:00402FEE cmp eax, edi                         :<-- Did we reach the end of the string?
:00402FF0 jl 00402FE6                          :<-- If not, go get the next letter.

Well, we see that the program adds together all the letters of the name we entered. Knowing that ESI contains the sum of the letters, let's continue and find out what the program does with that value:

:00402FF2 push 0000000A
:00402FF4 lea eax, [ebp-18]                    :<-- Load EAX with the address of the reg. number we entered
:00402FF7 push 00000000
:00402FF9 push eax                             :<-- Push EAX (as a parameter for the following function)
:00402FFA call 00403870                        :<-- Well, what do you think this function does? :)
:00402FFF add esp, 0000000C
:00403002 cmp eax, esi                         :<-- Hey!
:00403004 je 00403020
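To make the whole routine visible in one place, here is a C model of the checks the listings above describe. This is an added example, not code from the tutorial or from the program being traced; it assumes that the function at 00403870 is strtol (the three pushed arguments, base 10, a NULL end pointer and the string, match its signature), and the function names name_checksum and check_registration are my own. The name and serial values in main() are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The loop at 00402FE6-00402FF0: movsx sign-extends each byte of the name
 * and adds it to ESI, so a byte >= 0x80 counts as a negative value. */
long name_checksum(const char *name)
{
    long sum = 0;
    for (size_t i = 0; name[i] != '\0'; i++)
        sum += (signed char)name[i];      /* movsx ecx, byte ptr [...] ; add esi, ecx */
    return sum;
}

/* Models the three checks seen in the listings:
 *   test edi, edi / jne      -> name length must be non-zero
 *   cmp ebx, 0Ah / je        -> serial must be exactly 10 characters
 *   call 00403870 / cmp eax, esi -> strtol(serial, NULL, 10) == checksum
 * (assumption: 00403870 is strtol). Returns 1 when the program would accept. */
int check_registration(const char *name, const char *serial)
{
    if (name[0] == '\0')
        return 0;
    if (strlen(serial) != 10)
        return 0;
    long value = strtol(serial, NULL, 10);  /* end pointer is NULL, so trailing
                                               characters are never inspected */
    return value == name_checksum(name);
}

int main(void)
{
    /* constructed sample inputs */
    const char *name = "ABC";               /* 65 + 66 + 67 = 198 */
    const char *serials[] = {
        "0000000198",   /* the checksum, zero-padded to 10 characters */
        "198",          /* right value, wrong length */
        "0000000199",   /* wrong value */
        "+000000198",   /* strtol accepts a sign */
        " 000000198",   /* strtol skips leading whitespace */
        "00000198ab",   /* parsing stops at 'a'; unchecked end pointer */
    };
    printf("checksum(\"%s\") = %ld\n", name, name_checksum(name));
    for (size_t i = 0; i < sizeof serials / sizeof serials[0]; i++)
        printf("%-12s -> %s\n", serials[i],
               check_registration(name, serials[i]) ? "accepted" : "rejected");
    return 0;
}
```

Two points the model makes plain. First, the "secret" is a function of public input only and is compared in the clear in the process's own registers, so any scheme of this shape is recoverable by exactly the stepping shown above; a scheme that must survive inspection has to verify something the client cannot compute, such as a license blob signed with a key the program does not hold. Second, because the end pointer passed to strtol is NULL and never checked, the 10-character test is the only validation of the serial's form: signed, space-prefixed and partially numeric strings all pass.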
