Page 2 of 3 (posts 16 to 30 of 35)

Thread: Dissassembly

  1. #16

    Bat file that makes the .exe

    Sorry I misunderstood.

    Save this as a bat file and run it. It makes it.



    :: makkillnp.bat Terminates notepad.exe
    ::
    :: Makes killnp.exe Written by Herbert Kleebauer
    ::
    :: THIS MAKES AN EXECUTABLE PROGRAM !! (1024 bytes)
    :: Ollydbg can't handle this !!
    :: but IDA Pro can.
    ::
    ::
    @echo off
    echo hD1X-s0P_kUHP0UxGWX4ax1y1ieimnfeinklddmemkjanmndnadmndnpbbn>killnp.com
    echo hhpbbnpljhoxolnhaigidpllnbkdnhlkfhlflefblffahfUebdfahhfkokh>>killnp.com
    echo wvPp0wvw2k9C5/R/pN0d0uzw27bwo1YinDEWtbGov5//B6mkuMEo0IL0l/w>>killnp.com
    echo ef2iC57R/pNEA/jeefHhC5AR/pNEA/juefXgC5ER/phCfDM@m042knfuurO>>killnp.com
    echo k0GAV4Bd4M03U337lzzT/M0MF0/NV7U9V2Tcf2/EP1B61i0kInVsIOXJ57o>>killnp.com
    echo x57hJKNo0mQjpKNWx5Nt0mRcx57dB67nFLOgl57pBLOiR573xoIgoU1WJ6R>>killnp.com
    echo UUKOn01QmxqNm4KPU7LNlJLOmJqQUQJOiBXAioU1Y//I4R/H03//EZLdqMl>>killnp.com
    echo 0U2k20gE/4k//1MF1m2V3E707H/o0E7V/6EU45EU46/W31MF02M00EQ/3H/>>killnp.com
    echo l0EMF0EMV1U/l0cMlIEQ/7KcV@oJ5So80i1703G7U31MF2UQ/sKwXREQ/VE>>killnp.com
    echo Q/cEQUfEQ/kEQ/oEQUrEMF0K0V48U33G/V4JgIFGtIFABXAiE5PgRUREQ/V>>killnp.com
    echo EQ/cEQUfEQ/kEQ/oEQUrEMl04VLOo0ZQjBKNnBb328LNVFLNIxqPgVKNg0r>>killnp.com
    echo AmAZPV0rQcx5RHA3PjBLN74aPYlKNG/ZQjBKNnBrAmMIOmB6RH/ZQjBKNnB>>killnp.com
    echo rAmsINsFb3D0LNi0ZQjBKNnBb3IJaQhZaPVFLNE8rPXJqQnRUO/ca/zL00E>>killnp.com
    echo /3/8KAEotql4/N3/0/90Q/OE50E//pzJk/3/0E1/HLHyGP3/0kjr40E/M9R>>killnp.com
    echo 4sYdplmH6NzFzzTRlzTBM50E/c5/e4kzJE03/0E1/H67Ed5/ExT4M/0E/wT>>killnp.com
    echo 47/0E/U5YF/3/JxT4E/0E/Y/kpBPJzL01E/3/e0kzJ//3/0UHixoPIFLFZ0>>killnp.com
    echo 4Q045FYtW@4J5KsJINK7LN.>>killnp.com
    echo on
    killnp.com>killnp.exe
    del killnp.com

  2. #17
    blabberer (Super Moderator; Join Date: Dec 2004; Posts: 1,508; Blog Entries: 15)
    esther

    this is what ollydbg disassembles it like

    Code:
    00401000 > .  FD98E777      DD      kernel32.ExitProcess
    00401004 > .  D12EE977      DD      kernel32.CreateToolhelp32Snapsho>
    00401008 > .  F0A6E777      DD      kernel32.CloseHandle
    0040100C > .  5B5CEB77      DD      kernel32.Process32First
    00401010 > .  AF5DEB77      DD      kernel32.Process32Next
    00401014 > .  232EE777      DD      kernel32.OpenProcess
    00401018 > .  B816E677      DD      kernel32.TerminateProcess
    0040101C   .  00000000      DD      00000000
    00401020   .  56100000      DD      00001056                         ;  Struct 'IMAGE_IMPORT_DESCRIPTOR'
    00401024   .  00000000      DD      00000000
    00401028   .  00000000      DD      00000000
    0040102C   .  48100000      DD      00001048
    00401030   .  00100000      DD      00001000
    00401034   .  00000000      DD      00000000                         ;  Struct 'IMAGE_IMPORT_DESCRIPTOR'
    00401038   .  00000000      DD      00000000
    0040103C   .  00000000      DD      00000000
    00401040   .  00000000      DD      00000000
    00401044   .  00000000      DD      00000000
    00401048   .  4B 45 52 4E 4>ASCII   "KERNEL32.dll",0
    00401055      00            DB      00
    00401056   .  76100000      DD      00001076                         ;  Import lookup table for 'KERNEL32.dll'
    0040105A   .  84100000      DD      00001084
    0040105E   .  A0100000      DD      000010A0
    00401062   .  AE100000      DD      000010AE
    00401066   .  C0100000      DD      000010C0
    0040106A   .  D0100000      DD      000010D0
    0040106E   .  DE100000      DD      000010DE
    00401072   .  00000000      DD      00000000
    00401076   .  0000          DW      0000
    00401078   .  45 78 69 74 5>ASCII   "ExitProcess",0
    00401084   .  0000          DW      0000
    00401086   .  43 72 65 61 7>ASCII   "CreateToolhelp32"
    00401096   .  53 6E 61 70 7>ASCII   "Snapshot",0
    0040109F   .  00            DB      00
    004010A0   .  0000          DW      0000
    004010A2   .  43 6C 6F 73 6>ASCII   "CloseHandle",0
    004010AE   .  0000          DW      0000
    004010B0   .  50 72 6F 63 6>ASCII   "Process32First",0
    004010BF   .  00            DB      00
    004010C0   .  0000          DW      0000
    004010C2   .  50 72 6F 63 6>ASCII   "Process32Next",0
    004010D0   .  0000          DW      0000
    004010D2   .  4F 70 65 6E 5>ASCII   "OpenProcess",0
    004010DE   .  0000          DW      0000
    004010E0   .  54 65 72 6D 6>ASCII   "TerminateProcess"
    004010F0   .  00            ASCII   0
    004010F1   .  00            DB      00
    004010F2 >/$  6A 00         PUSH    0                                ; /ProcessID = 0
    004010F4  |.  6A 02         PUSH    2                                ; |Flags = TH32CS_SNAPPROCESS
    004010F6  |.  FF15 04104000 CALL    NEAR DWORD PTR DS:[<&KERNEL32.Cr>; \CreateToolhelp32Snapshot
    004010FC  |.  89C5          MOV     EBP, EAX
    004010FE  |.  40            INC     EAX
    004010FF  |.  74 6E         JE      SHORT killnp.0040116F
    00401101  |.  C705 90114000>MOV     DWORD PTR DS:[401190], 128
    0040110B  |.  68 90114000   PUSH    killnp.00401190                  ; /pProcessentry = killnp.00401190
    00401110  |.  50            PUSH    EAX                              ; |hSnapshot = NULL
    00401111  |.  FF15 0C104000 CALL    NEAR DWORD PTR DS:[<&KERNEL32.Pr>; \Process32First
    00401117  |.  09C0          OR      EAX, EAX
    00401119  |.  74 4D         JE      SHORT killnp.00401168
    0040111B  |>  BE B4114000   /MOV     ESI, killnp.004011B4
    00401120  |.  BF 77114000   |MOV     EDI, killnp.00401177            ;  ASCII "NnOoTtEePpAaDd..EeXxEe"
    00401125  |>  A6            |/CMPS    BYTE PTR DS:[ESI], BYTE PTR ES>
    00401126  |.  74 05         ||JE      SHORT killnp.0040112D
    00401128  |.  4E            ||DEC     ESI                            ;  killnp.00400000
    00401129  |.  A6            ||CMPS    BYTE PTR DS:[ESI], BYTE PTR ES>
    0040112A  |.  75 2C         ||JNZ     SHORT killnp.00401158
    0040112C  |.  4F            ||DEC     EDI
    0040112D  |>  47            ||INC     EDI
    0040112E  |.  F647 FF FF    ||TEST    BYTE PTR DS:[EDI-1], 0FF
    00401132  |.^ 75 F1         |\JNZ     SHORT killnp.00401125
    00401134  |.  FF35 98114000 |PUSH    DWORD PTR DS:[401198]           ; /ProcessId = 0
    0040113A  |.  6A 00         |PUSH    0                               ; |Inheritable = FALSE
    0040113C  |.  6A 01         |PUSH    1                               ; |Access = TERMINATE
    0040113E  |.  FF15 14104000 |CALL    NEAR DWORD PTR DS:[<&KERNEL32.O>; \OpenProcess
    00401144  |.  09C0          |OR      EAX, EAX
    00401146  |.  74 20         |JE      SHORT killnp.00401168
    00401148  |.  50            |PUSH    EAX                             ; /hObject = NULL
    00401149  |.  6A 00         |PUSH    0                               ; |/ExitCode = 0
    0040114B  |.  50            |PUSH    EAX                             ; ||hProcess = NULL
    0040114C  |.  FF15 18104000 |CALL    NEAR DWORD PTR DS:[<&KERNEL32.T>; |\TerminateProcess
    00401152  |.  FF15 08104000 |CALL    NEAR DWORD PTR DS:[<&KERNEL32.C>; \CloseHandle
    00401158  |>  68 90114000   |PUSH    killnp.00401190                 ; /pProcessentry = killnp.00401190
    0040115D  |.  55            |PUSH    EBP                             ; |hSnapshot = 0012FFF0
    0040115E  |.  FF15 10104000 |CALL    NEAR DWORD PTR DS:[<&KERNEL32.P>; \Process32Next
    00401164  |.  09C0          |OR      EAX, EAX
    00401166  |.^ 75 B3         \JNZ     SHORT killnp.0040111B
    00401168  |>  55            PUSH    EBP                              ; /hObject = 0012FFF0
    00401169  |.  FF15 08104000 CALL    NEAR DWORD PTR DS:[<&KERNEL32.Cl>; \CloseHandle
    0040116F  |>  6A 00         PUSH    0                                ; /ExitCode = 0
    00401171  \.  FF15 00104000 CALL    NEAR DWORD PTR DS:[<&KERNEL32.Ex>; \ExitProcess
    00401177   .  4E 6E 4F 6F 5>ASCII   "NnOoTtEePpAaDd.."
    00401187   .  45 65 58 78 4>ASCII   "EeXxEe",0
    0040118E      00            DB      00
    0040118F      00            DB      00
    00401190   .  00000000      DD      00000000
    00401194      00            DB      00
    00401195      00            DB      00
    00401196      00            DB      00
    00401197      00            DB      00
    00401198   .  00000000      DD      00000000
    i have to determine what kleebauer mentions as "ollydbg can't handle this"


    edit

    i simply F8-ed through till the process exited; it is working good, simply

    Code:
    Log data
    Address    Message
               OllyDbg v1.10
               Command line plugin v1.10
                 Written by Oleh Yuschuk
               Bookmarks sample plugin v1.06 (plugin demo)
                 Copyright (C) 2001, 2002 Oleh Yuschuk
               PluginTemplate plugin
    
               Console file 'C:\Documents and Settings\deep\Desktop\killnp\killnp.exe'
               New process with ID 00000750 created
    004010F2   Main thread with ID 00000364 created
    00400000   Module C:\Documents and Settings\deep\Desktop\killnp\killnp.exe
    77E60000   Module C:\WINDOWS\system32\kernel32.dll
    77F50000   Module C:\WINDOWS\System32\ntdll.dll
    004010F2   Program entry point
               Analysing killnp
                 1 fuzzy procedure
                 8 calls to known functions
                 2 loops
               Process terminated, exit code 0
    Last edited by blabberer; June 14th, 2007 at 13:04.

  3. #18
    The comment about "can't handle this" is my comment and NOT the author's comment.

    OllyDbg seemed to have problems analyzing the program.

    IDA Pro on the other hand came fairly close to what the actual source code is.

    I know that the program has a string in it that says something like "Nice to know that someone programs in DOS....", which refers to my coding in 16-bit apps.

    Thanks.

  4. #19
    Geeze blabber,
    I don't have any problems debugging and analysing in ollydbg (original exe and my exe) and I know what it looks like heh. I'm referring to my "code": it can't terminate notepad.exe even though it found it in memory. There's nothing wrong with ollydbg and it works great. Please read what I posted in the previous post...
    What I want to know is what the problem is in my "code". Thanks

    regards
    esther


    Reverse the code,Reverse Your Minds First

  5. #20
    blabberer (Super Moderator)
    esther
    ok i see you posted it's working fine in ollydbg

    what's the problem in your code? like i posted above, you do not save either hSnapshot or the handles properly in your code

    i just ripped the code from ollydbg using the code ripper plugin
    and assembled it with a few modifications; it terminates notepad properly

    Code:
    .386
    .model flat, stdcall
    option casemap:none
    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\user32.inc
    includelib \masm32\lib\user32.lib
    includelib \masm32\lib\kernel32.lib
    
    .data
    ; target name as (upper, lower) byte pairs; the compare loop walks it two
    ; bytes per name byte and stops on a pair whose second byte is 0, so the
    ; terminator is two zero bytes (the original binary has the second one
    ; explicitly at 0040118E)
    Caption      db "NnOoTtEePpAaDd..EeXxEe",0,0
    
    .data?
    lppe PROCESSENTRY32 <>              ; dwSize, th32ProcessID and szExeFile are used below
    
    .code
    start:
            PUSH    0                                   ; th32ProcessID (ignored for a process snapshot)
            PUSH    2                                   ; TH32CS_SNAPPROCESS
            CALL    CreateToolhelp32Snapshot
            MOV     EBP, EAX                            ; keep the snapshot handle for Process32Next / CloseHandle
            INC     EAX                                 ; INVALID_HANDLE_VALUE (-1) becomes 0
            JE      toolhelpfailure
            MOV     lppe.dwSize, sizeof(PROCESSENTRY32) ; 128h; Process32First fails without it
            PUSH    offset lppe
            PUSH    EAX                                 ; handle+1: works because the low two bits of a handle are ignored by the kernel
            CALL    Process32First
            OR      EAX, EAX
            JE      processsfirstfailure
    
    nextprocess:
    
            MOV     ESI, offset lppe.szExeFile          ; exe name of the entry just fetched
            MOV     EDI, offset Caption                 ; pattern, walked in (upper, lower) pairs
    
    reloop:
    
            CMPS    BYTE PTR DS:[ESI], BYTE PTR ES:[EDI] ; name byte == upper-case byte?
            JE      nextchar
            DEC     ESI                                 ; CMPS advanced ESI; re-test the same name byte
            CMPS    BYTE PTR DS:[ESI], BYTE PTR ES:[EDI] ; name byte == lower-case byte?
            JNZ     getnextprocess                      ; neither: not notepad, try the next entry
            DEC     EDI
    
    nextchar:
    
            INC     EDI                                 ; on both paths EDI now points at the next pair
            TEST    BYTE PTR DS:[EDI-1], 0FFh           ; lower byte of the pair just consumed; 0 only at the end
            JNZ     reloop
            PUSH    lppe.th32ProcessID                  ; whole name matched
            PUSH    0                                   ; bInheritHandle = FALSE
            PUSH    1                                   ; PROCESS_TERMINATE
            CALL    OpenProcess
            OR      EAX, EAX
            JE      processsfirstfailure                ; cannot open it: close the snapshot and exit
            PUSH    EAX                                 ; hObject for the CloseHandle below
            PUSH    0                                   ; uExitCode
            PUSH    EAX                                 ; hProcess
            CALL    TerminateProcess
            CALL    CloseHandle                         ; consumes the first PUSH EAX
    
    getnextprocess:
    
            PUSH    offset lppe
            PUSH    EBP                                 ; the saved snapshot handle
            CALL    Process32Next
            OR      EAX, EAX
            JNZ     nextprocess
    
    processsfirstfailure:
    
            PUSH    EBP
            CALL    CloseHandle                         ; close the snapshot
    
    toolhelpfailure:
    
            PUSH    0
            CALL    ExitProcess
    
    end start
    before ripping, name the variables properly in ollydbg

    Code:
    004010F2 killnp.<ModuleEntryPoint>       PUSH    0                                                                                                              ; /ProcessID = 0
    004010F4                                 PUSH    2                                                                                                              ; |Flags = TH32CS_SNAPPROCESS
    004010F6                                 CALL    DWORD PTR DS:[<&KERNEL32.CreateToolhelp32Snapshot>]                                                            ; \CreateToolhelp32Snapshot
    004010FC                                 MOV     EBP, EAX
    004010FE                                 INC     EAX
    004010FF                                 JE      SHORT <toolhelpfailure>
    00401101                                 MOV     DWORD PTR DS:[<dwSize>], 128
    0040110B                                 PUSH    <dwSize>                                                                                                       ; /pProcessentry = <killnp.dwSize>
    00401110                                 PUSH    EAX                                                                                                            ; |hSnapshot
    00401111                                 CALL    DWORD PTR DS:[<&KERNEL32.Process32First>]                                                                      ; \Process32First
    00401117                                 OR      EAX, EAX
    00401119                                 JE      SHORT <processsfirstfailure>
    0040111B <killnp.nextprocess>            /MOV     ESI, <szExeFile[MAX_PATH]>
    00401120                                 |MOV     EDI, <exename>                                                                                                ;  ASCII "NnOoTtEePpAaDd..EeXxEe"
    00401125 <killnp.reloop>                 |/CMPS    BYTE PTR DS:[ESI], BYTE PTR ES:[EDI]
    00401126                                 ||JE      SHORT <nextchar>
    00401128                                 ||DEC     ESI
    00401129                                 ||CMPS    BYTE PTR DS:[ESI], BYTE PTR ES:[EDI]
    0040112A                                 ||JNZ     SHORT <getnextprocess>
    0040112C                                 ||DEC     EDI
    0040112D <killnp.nextchar>               ||INC     EDI
    0040112E                                 ||TEST    BYTE PTR DS:[EDI-1], 0FF
    00401132                                 |\JNZ     SHORT <reloop>
    00401134                                 |PUSH    DWORD PTR DS:[<th32ProcessID>]                                                                                ; /ProcessId = 0
    0040113A                                 |PUSH    0                                                                                                             ; |Inheritable = FALSE
    0040113C                                 |PUSH    1                                                                                                             ; |Access = TERMINATE
    0040113E                                 |CALL    DWORD PTR DS:[<&KERNEL32.OpenProcess>]                                                                        ; \OpenProcess
    00401144                                 |OR      EAX, EAX
    00401146                                 |JE      SHORT <processsfirstfailure>
    00401148                                 |PUSH    EAX                                                                                                           ; /hObject
    00401149                                 |PUSH    0                                                                                                             ; |/ExitCode = 0
    0040114B                                 |PUSH    EAX                                                                                                           ; ||hProcess
    0040114C                                 |CALL    DWORD PTR DS:[<&KERNEL32.TerminateProcess>]                                                                   ; |\TerminateProcess
    00401152                                 |CALL    DWORD PTR DS:[<&KERNEL32.CloseHandle>]                                                                        ; \CloseHandle
    00401158 <killnp.getnextprocess>         |PUSH    <dwSize>                                                                                                      ; /pProcessentry = <killnp.dwSize>
    0040115D                                 |PUSH    EBP                                                                                                           ; |hSnapshot
    0040115E                                 |CALL    DWORD PTR DS:[<&KERNEL32.Process32Next>]                                                                      ; \Process32Next
    00401164                                 |OR      EAX, EAX
    00401166                                 \JNZ     SHORT <nextprocess>
    00401168 <killnp.processsfirstfailure>   PUSH    EBP                                                                                                            ; /hObject
    00401169                                 CALL    DWORD PTR DS:[<&KERNEL32.CloseHandle>]                                                                         ; \CloseHandle
    0040116F <killnp.toolhelpfailure>        PUSH    0                                                                                                              ; /ExitCode = 0
    00401171                                 CALL    DWORD PTR DS:[<&KERNEL32.ExitProcess>]                                                                         ; \ExitProcess
    00401177 <killnp.exename>                ASCII   "NnOoTtEePpAaDd.."
    00401187                                 ASCII   "EeXxEe",0
    0040118E                                 DB      00
    0040118F                                 DB      00
    00401190 <killnp.dwSize>                 DD      00000000
    00401194 <killnp.cntUsage>               DB      00
    00401195                                 DB      00
    00401196                                 DB      00
    00401197                                 DB      00
    00401198 <killnp.th32ProcessID>          DD      00000000
    0040119C <killnp.th32DefaultHeapID>      DB      00
    0040119D                                 DB      00
    0040119E                                 DB      00
    0040119F                                 DB      00
    004011A0 <killnp.th32ModuleID>           DB      00
    004011A1                                 DB      00
    004011A2                                 DB      00
    004011A3                                 DB      00
    004011A4 <killnp.cntThreads>             DB      00
    004011A5                                 DB      00
    004011A6                                 DB      00
    004011A7                                 DB      00
    004011A8 <killnp.th32ParentProcessID>    DB      00
    004011A9                                 DB      00
    004011AA                                 DB      00
    004011AB                                 DB      00
    004011AC <killnp.pcPriClassBase>         DB      00
    004011AD                                 DB      00
    004011AE                                 DB      00
    004011AF                                 DB      00
    004011B0 <killnp.dwFlags>                DB      00
    004011B1                                 DB      00
    004011B2                                 DB      00
    004011B3                                 DB      00
    004011B4 <killnp.szExeFile[MAX_PATH]>    DB      00
    the code ripper will give you this code

    Code:
    
    <ModuleEntryPoint>:                          ;<= Procedure Start
    
            PUSH    0
            PUSH    2
            CALL    DWORD PTR DS:[<&KERNEL32.CreateToolhelp32Snapshot>] ; kernel32.CreateToolhelp32Snapshot
            MOV     EBP, EAX
            INC     EAX
            JE      toolhelpfailure
            MOV     DWORD PTR DS:[dwSize], 0128h
            PUSH    dwSize
            PUSH    EAX
            CALL    DWORD PTR DS:[<&KERNEL32.Process32First>] ; kernel32.Process32First
            OR      EAX, EAX
            JE      processsfirstfailure
    
    nextprocess:
    
            MOV     ESI, szExeFile[MAX_PATH]
            MOV     EDI, exename                 ; ASCII "NnOoTtEePpAaDd..EeXxEe"
    
    reloop:
    
            CMPS    BYTE PTR DS:[ESI], BYTE PTR ES:[EDI]
            JE      nextchar
            DEC     ESI
            CMPS    BYTE PTR DS:[ESI], BYTE PTR ES:[EDI]
            JNZ     getnextprocess
            DEC     EDI
    
    nextchar:
    
            INC     EDI
            TEST    BYTE PTR DS:[EDI-1], 0FFh
            JNZ     reloop
            PUSH    DWORD PTR DS:[th32ProcessID]
            PUSH    0
            PUSH    1
            CALL    DWORD PTR DS:[<&KERNEL32.OpenProcess>] ; kernel32.OpenProcess
            OR      EAX, EAX
            JE      processsfirstfailure
            PUSH    EAX
            PUSH    0
            PUSH    EAX
            CALL    DWORD PTR DS:[<&KERNEL32.TerminateProcess>] ; kernel32.TerminateProcess
            CALL    DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle
    
    getnextprocess:
    
            PUSH    dwSize
            PUSH    EBP
            CALL    DWORD PTR DS:[<&KERNEL32.Process32Next>] ; kernel32.Process32Next
            OR      EAX, EAX
            JNZ     nextprocess
    
    processsfirstfailure:
    
            PUSH    EBP
            CALL    DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle
    
    toolhelpfailure:
    
            PUSH    0
            CALL    DWORD PTR DS:[<&KERNEL32.ExitProcess>] ;<= Procedure End ; kernel32.ExitProcess
    compare this with my code above, which assembles and works

    you will see a few cosmetic changes and structure member declarations

    that's all it takes

    now try comparing this with your code

    you will notice what you are missing

    if there are further questions feel free to ask
    Last edited by blabberer; June 15th, 2007 at 03:18.
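    The following is an added example, not code from the thread or from Kleebauer's program: a Python emulation of what the killnp listing does, so the name-matching rule and the PROCESSENTRY32 layout can be checked without a Windows box. The function names, the pattern builder and the sample process names are this example's own; the live snapshot walk at the end only runs on Windows and uses the same call sequence as the listing.

```python
"""Emulation of the killnp listing: struct layout, the alternating-case
compare loop, and (Windows only) the Toolhelp32 walk it performs."""
import ctypes
import sys

MAX_PATH = 260
TH32CS_SNAPPROCESS = 0x00000002   # the "PUSH 2" before CreateToolhelp32Snapshot
PROCESS_TERMINATE = 0x00000001    # the "PUSH 1" before OpenProcess


def make_pe32(ulong_ptr):
    """PROCESSENTRY32 with its pointer-sized member given explicitly. killnp is a
    32-bit binary, so its layout has a 4-byte ULONG_PTR: dwSize is 0x128 and the
    loop reads th32ProcessID at +8 and szExeFile at +0x24, which is exactly the
    0x401190 / 0x401198 / 0x4011B4 spacing in the listing."""
    class PROCESSENTRY32(ctypes.Structure):
        _fields_ = [
            ("dwSize", ctypes.c_uint32),
            ("cntUsage", ctypes.c_uint32),
            ("th32ProcessID", ctypes.c_uint32),
            ("th32DefaultHeapID", ulong_ptr),
            ("th32ModuleID", ctypes.c_uint32),
            ("cntThreads", ctypes.c_uint32),
            ("th32ParentProcessID", ctypes.c_uint32),
            ("pcPriClassBase", ctypes.c_int32),
            ("dwFlags", ctypes.c_uint32),
            ("szExeFile", ctypes.c_char * MAX_PATH),
        ]
    return PROCESSENTRY32


PROCESSENTRY32_32 = make_pe32(ctypes.c_uint32)      # the layout the disassembly shows
PROCESSENTRY32_NATIVE = make_pe32(ctypes.c_size_t)  # the layout of the interpreter running this


def alt_case_pattern(name: bytes) -> bytes:
    """Build a 'NnOoTtEePpAaDd..EeXxEe' style string like the one at 0x401177:
    every character as an (upper, lower) byte pair, closed by a (0, 0) pair."""
    out = bytearray()
    for c in name:
        out += bytes([c]).upper() + bytes([c]).lower()   # ASCII-only case mapping
    return bytes(out) + b"\0\0"


def killnp_match(exe_name: bytes, pattern: bytes) -> bool:
    """Emulate the CMPS / DEC ESI / CMPS / DEC EDI / INC EDI / TEST loop at
    0x401125-0x401132. Per iteration the byte at ESI must equal one half of the
    current pair; ESI then advances by one and EDI by two, and the TEST on the
    pair's lower byte ends the loop only on the (0, 0) terminator. So the name
    must match case-insensitively and end exactly where the pattern does."""
    name = exe_name.ljust(MAX_PATH, b"\0")   # szExeFile is a NUL-padded 260-byte buffer
    esi = edi = 0
    while True:
        c = name[esi]
        upper, lower = pattern[edi], pattern[edi + 1]
        if c != upper and c != lower:         # both CMPS fail -> JNZ getnextprocess
            return False
        esi += 1
        edi += 2
        if lower == 0:                         # TEST BYTE PTR [EDI-1],0FFh sets ZF -> fall through
            return True


def find_pids_like_killnp(exe_name: bytes = b"notepad.exe"):
    """Windows only: the listing's call sequence through ctypes. dwSize is set
    before Process32First, and the snapshot handle (EBP in the listing) is kept
    for Process32Next and closed at the end, which is what blabberer says
    esther's version does not do properly. Returns the matching PIDs; the
    OpenProcess(PROCESS_TERMINATE) / TerminateProcess step is left out."""
    if sys.platform != "win32":
        raise OSError("Toolhelp32 is a Windows API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_size_t
    k32.CreateToolhelp32Snapshot.argtypes = [ctypes.c_uint32, ctypes.c_uint32]
    for fn in (k32.Process32First, k32.Process32Next):
        fn.restype = ctypes.c_int
        fn.argtypes = [ctypes.c_size_t, ctypes.POINTER(PROCESSENTRY32_NATIVE)]
    k32.CloseHandle.argtypes = [ctypes.c_size_t]
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap == ctypes.c_size_t(-1).value:      # INVALID_HANDLE_VALUE: the INC EAX / JE test
        raise ctypes.WinError(ctypes.get_last_error())
    pattern = alt_case_pattern(exe_name)
    entry = PROCESSENTRY32_NATIVE()
    entry.dwSize = ctypes.sizeof(entry)        # MOV DWORD PTR [dwSize], 128h
    pids = []
    try:
        ok = k32.Process32First(snap, ctypes.byref(entry))
        while ok:
            if killnp_match(entry.szExeFile, pattern):
                pids.append(entry.th32ProcessID)
            ok = k32.Process32Next(snap, ctypes.byref(entry))
    finally:
        k32.CloseHandle(snap)
    return pids
```

    The matcher accepts `notepad.exe`, `NOTEPAD.EXE` and `NoTePaD.eXe` but rejects `notepad.exe.bak` and `xnotepad.exe`, because the (0, 0) pair only matches the NUL that ends szExeFile. Note that the 32-bit struct in the listing is not the one a 64-bit process must hand to Process32First; `th32DefaultHeapID` is pointer-sized, which is why the Windows walker uses `PROCESSENTRY32_NATIVE`.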

  6. #21
    lcx2005 (Join Date: Jun 2006; Posts: 57)
    Quote Originally Posted by esther
    get the latest compiler in masm32.cjb.net
    Better try http://www.masm32.com or http://www.movsd.com for masm32, because masm32.cjb.net no longer supports us, or some $$$ guys have done something to her.
    ~ Destination is there,but a little step to reach ~

  7. #22

    Thanks

    Quote Originally Posted by blabberer
    esther
    ok i see you posted it's working fine in ollydbg

    what's the problem in your code? like i posted above, you do not save either hSnapshot or the handles properly in your code

    i just ripped the code from ollydbg using the code ripper plugin
    and assembled it with a few modifications; it terminates notepad properly

    Thanks a lot for the code conversion.

    The original .exe has some text embedded in it.
    I was wondering how they did that.

    I looked for the code ripper plugin but couldn't find it. I found a lot of requests for it, but no links.

  8. #23
    Kayaker (Join Date: Oct 2000; Posts: 4,114; Blog Entries: 5)
    Quote Originally Posted by Swimmer
    I looked for the code ripper plugin but couldn't find it. I found a lot of requests for it, but no links.
    Tried OllyStuph?

  9. #24
    blabberer (Super Moderator)
    swimmer ,

    i hate to repeat what dELTA posted in another thread
    but i have no choice

    please try to formulate your questions more concisely and clearly

    if you are quoting something, preview and edit the post if what you quoted isn't embedded properly in quote tags

    quote only if you really have an absolute necessity to quote

    this is not a mailing list but a forum, so people are not reading your answers in email and having to search for context

    all they have to do to find some context is to scroll up or down a little

    with a middle scroll wheel in the mouse it doesn't even take the effort it used to take some ages ago

    the only useful question in your above post is that you want a link to the coderipper plugin

    it could have been a single line reply like

    hi blabberer could you possibly put a link to the coderipper plugin
    i'm googling but can't land a pertinent download

    as to embedding some strange strings, you have a lot of reading to do

    have you never seen the "this program will not run in dos" string in any exe?

    if you haven't then go to c:\windows\system32
    find every exe in there, right click, open with notepad

    you will see that string in all exes

    now any lame duck kid can load that exe in a hex editor, or if he is a script kiddie patch together a perl/python/ruby script, to change that string to "hell world is going to be nuked if you run this program" and save it

    it is a static string, it has got absolutely nothing to do with secrecy

    also that whole stuff is called a dos image or dos stub
    if you are using some assembler like fasm etc
    you can embed your own dos_stub in an exe with your own string

    if you want to know what's a dos_stub find the dos debug tutorials by starman realms

    i see you have gone to the extent of looking at that string with hackman or whatever

    notepad would have shown that string
    Code:
    MZ`        `      @                                   *    	!L!Nice to meet somebody who is still using DOS,
    but his program requires Win32.
    $ PE  L Py6                               @
    start -> cmd -> type killnp.exe could have shown you that

    Code:
    shit:/>type killnp.exe
    MZ`☺☺   ♦   **  `☺      @                                      ♫▼║♫ ┤  ═!╕☺L═!N
    ice to meet somebody who is still using DOS,
    but his program requires Win32.
    $ PE  L☺☺ Py6        α ☼☺♂☺♣♀ ☻          ≥►   ►        @  ►   ☻  ♦       ♦
           ☻      ♥     ►  ►    ►  ►      ►            ►  (
                                                               ►
              .text   ╕☻   ►   ☻   ☻                 α
                                      v►  ►  ►  ►  └►  ╨►  ▐►      V►          H►
       ►                      KERNEL32.dll  v►  ►  ►  ►  └►  ╨►  ▐►        ExitPr
    ocess   CreateToolhelp32Snapshot    CloseHandle   Process32First    Process32Nex
    t   OpenProcess   TerminateProcess  j j☻*♦►@ ┼@tn╟♣◄@ (☺  h◄@ P*♀►@
    └tM╛┤◄@ ┐w◄@ t♣Nu,OGG**u*5◄@ j j☺*►@     └t Pj P*↑►@ ►@ h◄@ U*►►@
    └u│U*►@ j * ►@ NnOoTtEePpAaDd..EeXxEe
    
    shit:/>
    lots of avenues, you have to choose one

    i'm not trying to pick on you
    but consistently asking irritating questions doesn't do anyone any good

    try to read your own reply from a third-party perspective; you will find the post is silly, idiotic and more chaotic than anything else
    Last edited by blabberer; June 15th, 2007 at 10:17.
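    An added example (not part of the thread): a parser that finds the message in a PE file's DOS stub, the bytes between the MZ header and the PE signature that blabberer describes above, and rewrites it in place. The sample image is constructed here and is not a loadable executable; only its MZ header, stub and PE signature are shaped like the real thing. The function names are this example's own.

```python
"""DOS stub inspection and in-place message replacement for PE files."""
import struct

# The stub code the hex dumps above show at file offset 0x40:
#   push cs / pop ds / mov dx,000Eh / mov ah,09h / int 21h / mov ax,4C01h / int 21h
STUB_CODE = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")
# The text from the killnp.exe dump above
NICE_MSG = (b"Nice to meet somebody who is still using DOS,\r\n"
            b"but his program requires Win32.\r\n")


def build_sample_pe(message: bytes) -> bytes:
    """Constructed image: 64-byte MZ header, stub code, '$'-terminated message
    (int 21h / ah=09h prints up to the '$'), padding to 8, then 'PE\\0\\0' and
    20 zero bytes standing in for IMAGE_FILE_HEADER. Enough for the parsers
    below; it will not load."""
    if b"$" in message:
        raise ValueError("'$' would cut the message short")
    stub = STUB_CODE + message + b"$"
    stub += b"\0" * (-len(stub) % 8)
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x18, 0x40)              # e_lfarlc >= 0x40: a new-style header follows
    struct.pack_into("<I", hdr, 0x3C, 0x40 + len(stub))  # e_lfanew
    return bytes(hdr) + stub + b"PE\0\0" + bytes(20)


def dos_stub(pe: bytes) -> tuple:
    """Return (e_lfanew, stub bytes) after checking both signatures."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at 'PE\\0\\0'")
    return e_lfanew, pe[0x40:e_lfanew]


def _message_span(stub: bytes) -> tuple:
    """Offset and length of the text the stub prints, taken from the imm16 of
    its 'mov dx, imm16' (opcode BAh) and the '$' terminator that int 21h/09h
    stops at. Only the usual stub shape is handled."""
    i = stub.find(b"\xba")
    if i < 0 or i + 3 > len(stub):
        raise ValueError("no mov dx,imm16 in stub; not the usual DOS stub")
    (off,) = struct.unpack_from("<H", stub, i + 1)
    end = stub.find(b"$", off)
    if end < 0:
        raise ValueError("message is not '$'-terminated")
    return off, end - off


def stub_message(pe: bytes) -> bytes:
    _, stub = dos_stub(pe)
    off, n = _message_span(stub)
    return stub[off:off + n]


def replace_stub_message(pe: bytes, new_msg: bytes) -> bytes:
    """Overwrite the message without moving anything after it: section raw
    data pointers in the PE are absolute file offsets, so the stub must keep
    its size. Shorter text is space-padded before the '$'; longer is refused."""
    if b"$" in new_msg:
        raise ValueError("'$' would cut the message short")
    _, stub = dos_stub(pe)
    off, n = _message_span(stub)
    if len(new_msg) > n:
        raise ValueError(f"message is {len(new_msg) - n} bytes too long for this stub")
    start = 0x40 + off
    return pe[:start] + new_msg.ljust(n, b" ") + pe[start + n:]
```

    `stub_message(open(path, "rb").read())` works on real binaries that carry the common 14-byte stub, since the code bytes are the same as in the dumps above. With the page's message the constructed header comes out with e_lfanew = 0xA0, and a replacement that is longer than the original is rejected rather than shifting the PE header.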

  10. #25
    Betov (Guest)
    I see that the disassemblers you are using have some problems with this file from Herbert.

    If you want to port it to MASM, of course, this is only an intermediate solution, but RosAsm can perfectly Disassemble and re-Assemble this file in two clicks:

    * Download RosAsmFull.exe at < http://rosasm.org >

    * Unzip anywhere and run.

    * [File] / [Open] ---> Killnp.exe

    * Disassemble and hit [F6] for a rebuild/Run.

    The rebuilt file ("MyKillnp.exe") correctly closes Notepad.

    Now, there is a small problem with the String at Data0401177: For "some reason" The Disassembler fails to "see" that this is a String. Just double-click upon the "Data0401177" Label, and select [Bad Disassembly] ---> Dialog: Size Flags [String] ---> OK.

    Then, I suppose that porting to MASM should be a breeze.

    [Note: the Sources are embedded inside the PE compiled by RosAsm]


    Have fun. Betov.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #26
    I never thought the RosAsm author lurked here.

  12. #27
    Hi blabber,

    *if there are further questions feel free to ask

    Due to lack of experience in programming, it seems I have many errors in "my code", something missing here and there heh. I have fixed the code now and it works fine. I have no further questions, thanks for wasting time on us, greatly
    appreciated

    Regards
    esther


    Reverse the code,Reverse Your Minds First

  13. #28

    Out and about

    Quote Originally Posted by LLXX
    I never thought the RosAsm author lurked here.
    He does get around.

  14. #29
    Howdy,

    It is nice to see.

    Woodmann

  15. #30
    blabberer (Super Moderator)
    this thread made me discover another awesome debugger

    i was mucking about with ida free on that com file and made a first-layer idc

    and i thought that was the end of it, but no, that was the beginning, as usual in these files

    Code:
    // first-layer decoder for killnp.com: walks a 16-bit key word at 0x119.. and
    // the bytes to patch at 0x149.. in step; 0x2F iterations (test runs 0xD1..0xFF)
    auto seed,patch,mulres,xorv,test;
    seed = 0xd1+0x48;      // 0x119: address of the current key word
    patch = 0xd1+0x78;     // 0x149: address of the byte being decoded
    test = 0xd1;           // loop counter
    
    while(test < 0x100)
    {
    Message("\n%x  ", Word(seed));
    mulres = Word(seed)*0x50;              // key word times 0x50 ...
    Message("%x  ",mulres);
    Message("%x  ", (mulres &0xff) );      // ... only the low byte is used
    xorv = Byte(patch) ^ (mulres & 0xff);  // XOR it into the target byte
    Message ("%x  ", xorv);
    PatchByte(patch,xorv);                 // write the decoded byte back into the database
    seed++;
    patch++;
    test++;
    }
    now writing idc and working with ida isn't my speciality, so i was wanting a debugger to do my job
    dos debug was doing a wonderful job but it has the limitation of not being able to set breakpoints

    and after downloading dozens and dozens of dos debuggers, one at last was working better than what i expected of it

    simply awesome

    http://members.tripod.com/~ladsoft/grdb.htm

    and can log too

    Code:
    ->u 178 1f5  
    1DAC:0178 FC             cld          
    1DAC:0179 BE D5 01       mov          si,01D5
    1DAC:017C BF F3 03       mov          di,03F3
    1DAC:017F AC             lodsb        
    1DAC:0180 38 06 D0 01    cmp          [01D0],al
    1DAC:0184 75 16          jnz          019C
    1DAC:0186 A4             movsb        
    1DAC:0187 81 FE F3 03    cmp          si,03F3
    1DAC:018B 72 F2          jb           017F
    1DAC:018D B4 40          mov          ah,40
    1DAC:018F BA F3 03       mov          dx,03F3
    1DAC:0192 89 F9          mov          cx,di
    1DAC:0194 29 D1          sub          cx,dx
    1DAC:0196 BB 01 00       mov          bx,0001
    1DAC:0199 CD 21          int          21
    1DAC:019B C3             ret          
    1DAC:019C 3A 06 D1 01    cmp          al,[01D1]
    1DAC:01A0 75 05          jnz          01A7
    1DAC:01A2 31 C0          xor          ax,ax
    1DAC:01A4 AB             stosw        
    1DAC:01A5 EB E0          jmp          0187
    1DAC:01A7 3A 06 D2 01    cmp          al,[01D2]
    1DAC:01AB 75 06          jnz          01B3
    1DAC:01AD 31 C0          xor          ax,ax
    1DAC:01AF AB             stosw        
    1DAC:01B0 AA             stosb        
    1DAC:01B1 EB D4          jmp          0187
    1DAC:01B3 3A 06 D3 01    cmp          al,[01D3]
    1DAC:01B7 75 06          jnz          01BF
    1DAC:01B9 31 C0          xor          ax,ax
    1DAC:01BB AB             stosw        
    1DAC:01BC AB             stosw        
    1DAC:01BD EB C8          jmp          0187
    1DAC:01BF 3A 06 D4 01    cmp          al,[01D4]
    1DAC:01C3 75 EB          jnz          01B0
    1DAC:01C5 AC             lodsb        
    1DAC:01C6 0F B6 C8       movzx        cx,al
    1DAC:01C9 41             inc          cx
    1DAC:01CA 31 C0          xor          ax,ax
    1DAC:01CC F3 AA          repz stosb   
    1DAC:01CE EB B7          jmp          0187
    1DAC:01D0 06             push         es
    1DAC:01D1 07             pop          es
    1DAC:01D2 12 13          adc          dl,[bp+di]
    1DAC:01D4 16             push         ss
    1DAC:01D5 4D             dec          bp
    1DAC:01D6 5A             pop          dx
    1DAC:01D7 60             pushaw       
    1DAC:01D8 01 01          add          [bx+di],ax
    1DAC:01DA 12 04          adc          al,[si]
    1DAC:01DC 12 FF          adc          bh,bh
    1DAC:01DE FF 07          inc          word [bx]
    1DAC:01E0 60             pushaw       
    1DAC:01E1 01 16 05 40    add          [4005],dx
    1DAC:01E5 16             push         ss
    1DAC:01E6 22 A0 12 0E    and          ah,[bx+si+0E12]
    1DAC:01EA 1F             pop          ds
    1DAC:01EB BA 0E 00       mov          dx,000E
    1DAC:01EE B4 09          mov          ah,09
    1DAC:01F0 CD 21          int          21
    1DAC:01F2 B8 01 4C       mov          ax,4C01
    1DAC:01F5 CD 21          int          21

    It has got 32-bit registers, which debug.com doesn't have, and it disassembles instructions with 68, 6B opcodes correctly, unlike debug.com.

    Code:
    ->r  
    eax:00650000 ebx:00000000 ecx:00000000 edx:0000A2B0 esi:000003F3 edi:000007F3 
    ebp:000006A0 esp:0000FFEE eip:0000018D flag:000B3246 NV UP EI PL ZR NA PE NC 
    ds:1DAC es:1DAC fs:1DAC gs:1DAC ss:1DAC cs:1DAC 
    1DAC:018D B4 40          mov          ah,40
    ->t  
    
    eax:00654000 ebx:00000000 ecx:00000000 edx:0000A2B0 esi:000003F3 edi:000007F3 
    ebp:000006A0 esp:0000FFEE eip:0000018F flag:000B3246 NV UP EI PL ZR NA PE NC 
    ds:1DAC es:1DAC fs:1DAC gs:1DAC ss:1DAC cs:1DAC 
    1DAC:018F BA F3 03       mov          dx,03F3
    ->t  
    
    eax:00654000 ebx:00000000 ecx:00000000 edx:000003F3 esi:000003F3 edi:000007F3 
    ebp:000006A0 esp:0000FFEE eip:00000192 flag:000B3246 NV UP EI PL ZR NA PE NC 
    ds:1DAC es:1DAC fs:1DAC gs:1DAC ss:1DAC cs:1DAC 
    1DAC:0192 89 F9          mov          cx,di
    ->t  
    
    eax:00654000 ebx:00000000 ecx:000007F3 edx:000003F3 esi:000003F3 edi:000007F3 
    ebp:000006A0 esp:0000FFEE eip:00000194 flag:000B3246 NV UP EI PL ZR NA PE NC 
    ds:1DAC es:1DAC fs:1DAC gs:1DAC ss:1DAC cs:1DAC 
    1DAC:0194 29 D1          sub          cx,dx
    ->t  
    
    eax:00654000 ebx:00000000 ecx:00000400 edx:000003F3 esi:000003F3 edi:000007F3 
    ebp:000006A0 esp:0000FFEE eip:00000196 flag:000B3206 NV UP EI PL NZ NA PE NC 
    ds:1DAC es:1DAC fs:1DAC gs:1DAC ss:1DAC cs:1DAC 
    1DAC:0196 BB 01 00       mov          bx,0001
    ->t  
    
    eax:00654000 ebx:00000001 ecx:00000400 edx:000003F3 esi:000003F3 edi:000007F3 
    ebp:000006A0 esp:0000FFEE eip:00000199 flag:000B3206 NV UP EI PL NZ NA PE NC 
    ds:1DAC es:1DAC fs:1DAC gs:1DAC ss:1DAC cs:1DAC 
    1DAC:0199 CD 21          int          21
    ->d 3f3 7f3  
    1DAC:03F3 4D 5A 60 01-01 00 00 00-04 00 00 00-FF FF 00 00  MZ`.............
    1DAC:0403 60 01 00 00-00 00 00 00-40 00 00 00-00 00 00 00  `.......@.......
    1DAC:0413 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:0423 00 00 00 00-00 00 00 00-00 00 00 00-A0 00 00 00  ................
    1DAC:0433 0E 1F BA 0E-00 B4 09 CD-21 B8 01 4C-CD 21 4E 69  ........!..L.!Ni
    1DAC:0443 63 65 20 74-6F 20 6D 65-65 74 20 73-6F 6D 65 62  ce to meet someb
    1DAC:0453 6F 64 79 20-77 68 6F 20-69 73 20 73-74 69 6C 6C  ody who is still
    1DAC:0463 20 75 73 69-6E 67 20 44-4F 53 2C 0D-0A 62 75 74   using DOS,..but
    1DAC:0473 20 68 69 73-20 70 72 6F-67 72 61 6D-20 72 65 71   his program req
    1DAC:0483 75 69 72 65-73 20 57 69-6E 33 32 2E-0D 0A 24 00  uires Win32...$.
    1DAC:0493 50 45 00 00-4C 01 01 00-50 79 A5 36-00 00 00 00  PE..L...Py.6....
    1DAC:04A3 00 00 00 00-E0 00 0F 01-0B 01 05 0C-00 02 00 00  ................
    1DAC:04B3 00 00 00 00-00 00 00 00-F2 10 00 00-00 10 00 00  ................
    1DAC:04C3 00 20 00 00-00 00 40 00-00 10 00 00-00 02 00 00  . ....@.........
    1DAC:04D3 04 00 00 00-00 00 00 00-04 00 00 00-00 00 00 00  ................
    1DAC:04E3 00 20 00 00-00 02 00 00-00 00 00 00-03 00 00 00  . ..............
    1DAC:04F3 00 00 10 00-00 10 00 00-00 00 10 00-00 10 00 00  ................
    1DAC:0503 00 00 00 00-10 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:0513 20 10 00 00-28 00 00 00-00 00 00 00-00 00 00 00   ...(...........
    1DAC:0523 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:0533 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:0543 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:0553 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:0563 00 00 00 00-00 00 00 00-00 10 00 00-20 00 00 00  ............ ...
    1DAC:0573 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:0583 00 00 00 00-00 00 00 00-2E 74 65 78-74 00 00 00  .........text...
    1DAC:0593 B8 02 00 00-00 10 00 00-00 02 00 00-00 02 00 00  ................
    1DAC:05A3 00 00 00 00-00 00 00 00-00 00 00 00-20 00 00 E0  ............ ...
    1DAC:05B3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:05C3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:05D3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:05E3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:05F3 76 10 00 00-84 10 00 00-A0 10 00 00-AE 10 00 00  v...............
    1DAC:0603 C0 10 00 00-D0 10 00 00-DE 10 00 00-00 00 00 00  ................
    1DAC:0613 56 10 00 00-00 00 00 00-00 00 00 00-48 10 00 00  V...........H...
    1DAC:0623 00 10 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:0633 00 00 00 00-00 00 00 00-4B 45 52 4E-45 4C 33 32  ........KERNEL32
    1DAC:0643 2E 64 6C 6C-00 00 76 10-00 00 84 10-00 00 A0 10  .dll..v.........
    1DAC:0653 00 00 AE 10-00 00 C0 10-00 00 D0 10-00 00 DE 10  ................
    1DAC:0663 00 00 00 00-00 00 00 00-45 78 69 74-50 72 6F 63  ........ExitProc
    1DAC:0673 65 73 73 00-00 00 43 72-65 61 74 65-54 6F 6F 6C  ess...CreateTool
    1DAC:0683 68 65 6C 70-33 32 53 6E-61 70 73 68-6F 74 00 00  help32Snapshot..
    1DAC:0693 00 00 43 6C-6F 73 65 48-61 6E 64 6C-65 00 00 00  ..CloseHandle...
    1DAC:06A3 50 72 6F 63-65 73 73 33-32 46 69 72-73 74 00 00  Process32First..
    1DAC:06B3 00 00 50 72-6F 63 65 73-73 33 32 4E-65 78 74 00  ..Process32Next.
    1DAC:06C3 00 00 4F 70-65 6E 50 72-6F 63 65 73-73 00 00 00  ..OpenProcess...
    1DAC:06D3 54 65 72 6D-69 6E 61 74-65 50 72 6F-63 65 73 73  TerminateProcess
    1DAC:06E3 00 00 6A 00-6A 02 FF 15-04 10 40 00-89 C5 40 74  ..j.j.....@...@t
    1DAC:06F3 6E C7 05 90-11 40 00 28-01 00 00 68-90 11 40 00  n....@.(...h..@.
    1DAC:0703 50 FF 15 0C-10 40 00 09-C0 74 4D BE-B4 11 40 00  P....@...tM...@.
    1DAC:0713 BF 77 11 40-00 A6 74 05-4E A6 75 2C-4F 47 F6 47  .w.@..t.N.u,OG.G
    1DAC:0723 FF FF 75 F1-FF 35 98 11-40 00 6A 00-6A 01 FF 15  ..u..5..@.j.j...
    1DAC:0733 14 10 40 00-09 C0 74 20-50 6A 00 50-FF 15 18 10  ..@...t Pj.P....
    1DAC:0743 40 00 FF 15-08 10 40 00-68 90 11 40-00 55 FF 15  @.....@.h..@.U..
    1DAC:0753 10 10 40 00-09 C0 75 B3-55 FF 15 08-10 40 00 6A  ..@...u.U....@.j
    1DAC:0763 00 FF 15 00-10 40 00 4E-6E 4F 6F 54-74 45 65 50  .....@.NnOoTtEeP
    1DAC:0773 70 41 61 44-64 2E 2E 45-65 58 78 45-65 00 00 00  pAaDd..EeXxEe...
    1DAC:0783 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:0793 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:07A3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:07B3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:07C3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:07D3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:07E3 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:07F3 00                                               .
    ->r  
    eax:00654000 ebx:00000001 ecx:00000400 edx:000003F3 esi:000003F3 edi:000007F3 
    ebp:000006A0 esp:0000FFEE eip:00000199 flag:000B3206 NV UP EI PL NZ NA PE NC 
    ds:1DAC es:1DAC fs:1DAC gs:1DAC ss:1DAC cs:1DAC 
    1DAC:0199 CD 21          int          21
    ->d ds:esp  
    1DAC:FFEE 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
    1DAC:FFFE 00 00                                            ..
    ->p  
    
    eax:00650400 ebx:00000001 ecx:00000400 edx:000003F3 esi:000003F3 edi:000007F3 
    ebp:000006A0 esp:0000FFEE eip:0000019B flag:000B3206 NV UP EI PL NZ NA PE NC 
    ds:1DAC es:1DAC fs:1DAC gs:1DAC ss:1DAC cs:1DAC 
    1DAC:019B C3             ret          
    ->t

    Nice thread and nice debugger, it was worth my time, esther.
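Added example, not the poster's code or anything from the original tooling: the two decoding steps the post works through, re-implemented in Python so they can be checked offline. `xor_layer` mirrors the IDC script above (word at `seed` times 0x50, low byte XORed into the byte at `patch`); `unpack_zero_rle` mirrors the routine disassembled at 1DAC:0178, which is a zero-run-length decoder whose marker bytes sit at 01D0..01D4. The packed bytes and the expected output are taken from the listing at 01D5..01F6 and the `d 3f3 7f3` dump in the post; the small buffer used to exercise `xor_layer` is constructed. Function names and the hypothetical offsets passed in the test are assumptions of this example.

```python
"""
Added example (not the poster's code): the two decoding loops from the post.

  xor_layer()       - equivalent of the IDC script (first layer of the .com file)
  unpack_zero_rle() - equivalent of the loop disassembled at 1DAC:0178..01CE

Sample data is taken from the listings in the post or is constructed here.
"""


def xor_layer(buf, seed=0xD1 + 0x48, patch=0xD1 + 0x78, count=0x100 - 0xD1):
    """Equivalent of the IDC loop; modifies and returns `buf` (a bytearray).

    Word(seed) in IDC is a little-endian 16-bit read and `seed` advances by
    one byte per step, so consecutive key words overlap.  Only the low byte
    of the product survives the `& 0xff`, so the effective key per byte is
    (buf[seed] * 0x50) & 0xff.  Defaults are the offsets the IDC script uses.
    """
    for k in range(count):
        word = buf[seed + k] | (buf[seed + k + 1] << 8)
        buf[patch + k] ^= (word * 0x50) & 0xFF
    return buf


# Marker bytes at 1DAC:01D0..01D4 in the listing (shown there as push es /
# pop es / adc / push ss because the disassembler rendered data as code).
ESCAPE, ZERO2, ZERO3, ZERO4, ZERO_N = 0x06, 0x07, 0x12, 0x13, 0x16


def unpack_zero_rle(packed):
    """Decoder for the loop at 0178..01CE.

    lodsb reads a byte, then:
      == [01D0] (06): movsb                  -> copy the next byte literally
      == [01D1] (07): xor ax,ax; stosw       -> two zero bytes
      == [01D2] (12): stosw; stosb           -> three zero bytes
      == [01D3] (13): stosw; stosw           -> four zero bytes
      == [01D4] (16): lodsb; movzx cx,al; inc cx; rep stosb -> n+1 zero bytes
      otherwise     : stosb                  -> literal byte
    The loop runs while si < 03F3.  The routine then writes cx = di - dx bytes
    from 03F3 to handle 1 (stdout) with int 21h/ah=40h, which is why the batch
    file can redirect `killnp.com > killnp.exe`.
    """
    out = bytearray()
    i = 0
    while i < len(packed):
        b = packed[i]
        i += 1
        if b == ESCAPE:
            out.append(packed[i])
            i += 1
        elif b == ZERO2:
            out += b"\0" * 2
        elif b == ZERO3:
            out += b"\0" * 3
        elif b == ZERO4:
            out += b"\0" * 4
        elif b == ZERO_N:
            out += b"\0" * (packed[i] + 1)
            i += 1
        else:
            out.append(b)
    return bytes(out)


# Packed stream bytes at 1DAC:01D5..01F6, copied from the disassembly listing.
PACKED_HEAD = bytes.fromhex(
    "4D 5A 60 01 01 12 04 12 FF FF 07 60 01 16 05 40 16 22 A0 12 "
    "0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21"
)

# Expected output: the first 78 bytes of the `d 3f3 7f3` dump (the MZ stub).
EXPECTED_HEAD = bytes.fromhex(
    "4D5A60010100000004000000FFFF0000"
    "60010000000000004000000000000000"
    "00000000000000000000000000000000"
    "000000000000000000000000A0000000"
    "0E1FBA0E00B409CD21B8014CCD21"
)

if __name__ == "__main__":
    decoded = unpack_zero_rle(PACKED_HEAD)
    print(decoded == EXPECTED_HEAD, decoded[:2])  # True b'MZ'
```

Running the module decodes the 34 packed bytes from the listing into the 78-byte start of the MZ header seen in the dump, which confirms the reading of the disassembly: the `movzx cx,al` at 01C6 is a 386 instruction, which is the kind of opcode the post says debug.com gets wrong and grdb gets right.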
