Thread: Please Help w/ FoolFox Tutorial

  1. #1
    ftothe3
    Guest

    Please Help w/ FoolFox Tutorial

    I'm a newbie (that's why I'm posting this here) trying to learn something from the tutorials. OK, so I opened up a few of them, then got around to reading FoolFox's tutorial (http://www.woodmann.net/fravia/ffx_ftpp2.txt) [target: PrimaSoft AutoFTP premium v3.4]. I have win32dasm 8.93 and winhex 10.55 (like him). I followed the tutorial closely... the only problem I'm having is not being able to find the string refs "Code Accepted! Thank you for registering " and "Code Not Accepted! Please try " in win32dasm. This is the code I get in win32dasm:
    :004C877E 668B0DB8874C00 mov cx, word ptr [004C87B8]
    :004C8785 B202 mov dl, 02
    :004C8787 B8C4874C00 mov eax, 004C87C4
    :004C878C E80FFAF8FF call 004581A0
    :004C8791 EB15 jmp 004C87A8

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004C877A(C)
    |
    :004C8793 6A00 push 00000000
    :004C8795 668B0DB8874C00 mov cx, word ptr [004C87B8]
    :004C879C B202 mov dl, 02

    BUT in the tutorial he gets this code:
    :004C877E 668B0DB8874C00 mov cx, word ptr [004C87B8]
    :004C8785 B202 mov dl, 02

    * Possible StringData Ref from Code Obj ->"Code Accepted! Thank you for registering "
    ->"our software."

    |
    :004C8787 B8C4874C00 mov eax, 004C87C4
    :004C878C E80FFAF8FF call 004581A0
    :004C8791 EB15 jmp 004C87A8

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004C877A(C)
    |
    :004C8793 6A00 push 00000000
    :004C8795 668B0DB8874C00 mov cx, word ptr [004C87B8]
    :004C879C B202 mov dl, 02

    Why aren't I getting this "stringdata ref"?!?!
    BTW: I followed the rest of the tutorial and got the serial... but without this "stringdata ref", I wouldn't have known where to begin!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    FoolFox
    Guest
    Hello,

    In order to reproduce your steps, I've just downloaded the target and
    the shareware version of W32Dasm. As I couldn't get it
    right now from members.cox.net/w32dasm (trouble with
    connection right now), I've grabbed it from
    h**p://www.downseek.com/download/21279.asp,
    which should be just the plain demo version.

    So I ran the setup again (the previous one was erased a while ago),
    I don't think there was any trace of a previous cracked version on
    my HD, and the installed FTP was behaving as a normal
    shareware version (nag screen, etc...)

    I've taken it under the demo version of W32Dasm I've
    just downloaded, and using String reference, I got among others:

    "CoAddRefServerProcess"
    "CoCreateInstanceEx"
    "Code Accepted! Thank you for registering "
    "Code Not Accepted! Please try "
    "CoInitializeEx"
    "COMBOBOX"

    Double-clicking on the string led me directly to:

    :004C877E 668B0DB8874C00 mov cx, word ptr [004C87B8]
    :004C8785 B202 mov dl, 02

    * Possible StringData Ref from Code Obj ->"Code Accepted! Thank you for registering "
    ->"our software."
    |
    :004C8787 B8C4874C00 mov eax, 004C87C4
    :004C878C E80FFAF8FF call 004581A0
    :004C8791 EB15 jmp 004C87A8

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004C877A(C)
    |
    :004C8793 6A00 push 00000000


    So, right now I'm not really able to figure out why you didn't get
    the output you should.

    As the tutorial was clearly targeting newbies, I found it quite
    disappointing that you could not get the result I got, and I'm
    really willing to find out why, in order to update the tutor. So,

    - What OS are you running on?
    - What kind of processor are you using?
    - What are your regional settings?
    - Are you using a special character set?

    Anything you can think of, just PM or mail me the info,
    if you can recall where you got your copy of W32Dasm
    (I've got so many versions myself, demo, c*...., patched....)


    Right now, what you could try is to reproduce the whole stage
    using OllyDebug. I've just checked it, you should be able to
    follow each stage with it, as in W32Dasm. Once OllyDebug
    is loaded, right click on the code, select 'search for', then
    'all referenced text string'. Among the results you should get:

    Text strings referenced in Ftpprem:CODE, item 8493
    Address=004D61DD
    Disassembly=MOV EAX,Ftpprem.004D623C
    Text string=ASCII "Code Accepted! Thank you for registering our software."

    From there, reproducing the W32dasm stage should be
    quite easy... but I'm still willing to understand why you didn't
    get it directly with W32dasm....

    I've done it under WinNT 4.0 & Windows 98. Same results.

    Regards
    Foolfox

  3. #3
    ftothe3
    Guest

    Thanks for the really quick reply, FoolFox!
    OK, this is my system info...
    os: win xp (NO sp1)
    processor: athlon xp 1800+ (intel sucks :-P)
    regional settings: united states
    special character set: none

    Anyway... I decided to try downloading another version of win32dasm... and it worked!!!! I downloaded it from the link you gave me and another link (http://www.exetools.com/files/disassemblers/wdasm89.zip). BOTH WORKED! This is the weirdest thing ever.
    You probably don't believe that it didn't work with my other version, so here are two screenshots: (hosted on my apache webserver .. yes I live in New York)
    http://ftothe3.dnsalias.com:6080/stringrefwindow.JPG
    http://ftothe3.dnsalias.com:6080/stringrefnotincode.JPG
    (side note: my service provider doesn't let me host on port 80)
    IF for some reason you want to download the version of w32dasm that was giving me trouble, here it is: http://ftothe3.dnsalias.com:6080/W32Dasm.zip (I just zipped it)

    WOW.. thank you.. now I know why ALL those tutorials weren't working!!!!!!!!!! (sorry, maybe I'm a little too excited)

  4. #4
    Hi guys,

    This might not help, but I have encountered this problem before with W32dasm not showing string references... that is, with an unpacked file whose data section is flagged as "uninitialised data", W32dasm will not be able to get string references...

    Also, I think you need a W32dasm patch for it to show Unicode string references...

    FoolFox: kickass tutorial for newbies, very nice.. just a small comment
    ++++++++++++++++++++++++++++++++++++++
    Go back to W32Dasm, and search for the string "Code not accepted". Notice that we
    are not going through the String reference menu, which will only show you the
    FIRST occurrence of the string. We want to see all places where this string is used.
    That's why the search should be done through the search menu, and not the string
    ref menu.
    ++++++++++++++++++++++++++++++++++++++

    That is not true, you can double click on the string in the string reference box and W32dasm will bring you to the next reference, if any... not very important but ah well .. thought I would just let you know..

    cheers
    crUsAdEr
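
    The condition crUsAdEr mentions, a section flagged as uninitialised data that still holds bytes on disk, can be read straight from the PE section table before a file is loaded into any disassembler. The sketch below is an added example, not part of the original thread; the sample image is constructed and the helper names are hypothetical.

```python
import struct

IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080  # PE/COFF section flag

def sections(pe: bytes):
    """Yield (name, SizeOfRawData, Characteristics) for each section header."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
    for i in range(n_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (raw_size,) = struct.unpack_from("<I", pe, off + 16)
        (flags,) = struct.unpack_from("<I", pe, off + 36)
        yield name, raw_size, flags

def mislabelled_sections(pe: bytes):
    """Names of sections marked 'uninitialised' that carry raw data on disk."""
    return [name for name, raw_size, flags in sections(pe)
            if flags & IMAGE_SCN_CNT_UNINITIALIZED_DATA and raw_size > 0]

def make_section(name: bytes, raw_size: int, flags: int) -> bytes:
    # Constructed 40-byte section header; sizes and addresses are placeholders.
    return struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000,
                       raw_size, 0x400, 0, 0, 0, 0, flags)

# Constructed sample: DOS header, COFF header without optional header, 3 sections.
SAMPLE_PE = (
    b"MZ" + bytes(58) + struct.pack("<I", 64)
    + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x102)
    + make_section(b"CODE", 0x200, 0x60000020)   # code, execute, read
    + make_section(b"DATA", 0x200, 0xC0000080)   # flagged uninitialised, has bytes
    + make_section(b"BSS", 0, 0xC0000080)        # genuinely uninitialised
)

if __name__ == "__main__":
    print(mislabelled_sections(SAMPLE_PE))
```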

  5. #5
    FoolFox
    Guest
    Hello,

    crUsAdEr: Thanks for the info, I thought it didn't work, I probably
    tried it wrongly once or twice and didn't retry....
    Will review the tutor..

    ftothe3: Glad to hear you finally got something.
    I have taken your copy of W32Dasm and got the same
    results. I'll compare it with the one I got and try
    to find out why this one didn't report all strings; as
    crUsAdEr has stated, probably a question of
    patching somewhere.....

    I'll let you know if I find something about it...

    Regards
    FoolFox

  6. #6
    FoolFox
    Guest
    Hello,

    OK, there are two bytes that differ between your W32Dasm and
    the standard distribution:

    If I take the first version you tried:

    00417568 |. 75 28 JNZ SHORT W32bad.00417592
    0041756A |. 8D85 98F4FFFF LEA EAX,DWORD PTR SS:[EBP-B68] <= this is the modified value
    00417570 |. 50 PUSH EAX ; /String
    00417571 |. E8 DE760900 CALL <JMP.&KERNEL32.lstrlenA> ; \lstrlenA
    00417576 |. 83F8 04 CMP EAX,4


    In the standard edition, the value is:

    0041756A |. 8D85 28F6FFFF LEA EAX,DWORD PTR SS:[EBP-9D8]


    And this code is exactly the loop that will fetch all strings. If
    you trace the code in the standard version, you'll see all
    strings coming one after the other; using your version, nearly
    all strings returned are empty.

    I don't understand the point of doing this modification. It
    has probably been patched (I would find it quite strange that
    a corrupted download would result in just those two address bytes
    being changed), but I don't understand what patching it this way
    was meant to achieve. Maybe someone more experienced
    can give a hint about it??

    Regards
    FoolFox
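
    The comparison FoolFox describes can be repeated on any two copies of a tool: list the runs of differing bytes, then decode the operand they fall in. This is an added example, not code from the thread; the two buffers are constructed from the bytes quoted in the listings above, and the function names are hypothetical.

```python
import struct

def diff_runs(a: bytes, b: bytes, base: int = 0):
    """Return [(address, bytes_a, bytes_b)] for each run of differing bytes."""
    if len(a) != len(b):
        raise ValueError("images differ in size; compare headers and hashes first")
    runs, start = [], None
    for i in range(len(a) + 1):
        differs = i < len(a) and a[i] != b[i]
        if differs and start is None:
            start = i                              # a new run begins here
        elif not differs and start is not None:
            runs.append((base + start, a[start:i], b[start:i]))
            start = None
    return runs

def lea_ebp_disp32(code: bytes, off: int):
    """Decode 8D 85 disp32 (LEA EAX,[EBP+disp32]); return the signed disp or None."""
    if code[off:off + 2] != b"\x8d\x85" or len(code) < off + 6:
        return None
    return struct.unpack_from("<i", code, off + 2)[0]

# Constructed from the listings in the post: the instructions at 00417568..00417578.
BASE = 0x00417568
STANDARD = bytes.fromhex("7528" "8D8528F6FFFF" "50" "E8DE760900" "83F804")
MODIFIED = bytes.fromhex("7528" "8D8598F4FFFF" "50" "E8DE760900" "83F804")

def describe(std: bytes, mod: bytes, base: int):
    """One line per differing run, in the style of a review note."""
    return [f"{addr:08X}: {old.hex(' ').upper()} -> {new.hex(' ').upper()}"
            for addr, old, new in diff_runs(std, mod, base)]

if __name__ == "__main__":
    print("\n".join(describe(STANDARD, MODIFIED, BASE)))
    for label, image in (("standard", STANDARD), ("modified", MODIFIED)):
        disp = lea_ebp_disp32(image, 2)            # the LEA sits at BASE + 2
        print(f"{label}: LEA EAX,[EBP-{-disp:X}]")
```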

  7. #7
    ?ferret
    Guest

    hmm

    Maybe it's the version patched to show VB string refs?

    (Been awhile since I've bothered with the patched version, but I remember I used to keep both versions of the executable because the patched one would give odd results on "normal" exes)

    Just an idea...

  8. #8
    FoolFox
    Guest
    Hello,

    I also thought of something like that. I've got several versions of
    w32dasm, but the one I have patched for VB strings is not
    exactly the same version as the one I have unpatched, so
    if I try to locate what the patch has modified I find too
    many results actually. Still trying to get two copies of the same
    version, one patched and the other not, in order to check if that
    was the case... but it seems I've also tried several versions of
    w32dasm and none of mine acted like ftothe3's..
    (in each case I was able to see the messages)...

    Still looking..

    Regards
    FoolFox
