  #10  
Old 09-28-2004, 20:39
Eggi
Quote:
I tried using Ricnar's approach (searching for 800003 and so on..), but it seems that something has changed in this version.
This worked for me... you only have to wait a bit; after you have passed a few exceptions you will find:

Code:
0062E9AB    81F2 03000080   XOR EDX,80000003
0062E9B1    3995 D4F5FFFF   CMP DWORD PTR SS:[EBP-A2C],EDX
0062E9B7    0F85 BC0B0000   JNZ newsLeec.0062F579
(And if you are talking about newsleechter then I was able to find this without starting the prog)
After that there is a GetThreadContext...

After that there is a compare where it compares the "crypted" value with the "crypted" table.

Code:
0062F175 >  52              PUSH EDX --< EDX has the correct table values
0062F176    8B85 64EEFFFF   MOV EAX,DWORD PTR SS:[EBP-119C]
0062F17C    FF1485 A8786500 CALL DWORD PTR DS:[EAX*4+6578A8] --< crypter call
0062F183    83C4 04         ADD ESP,4
0062F186    8985 94EBFFFF   MOV DWORD PTR SS:[EBP-146C],EAX
0062F18C    C785 90EBFFFF 0>MOV DWORD PTR SS:[EBP-1470],0
0062F196    8B8D 64EEFFFF   MOV ECX,DWORD PTR SS:[EBP-119C]
0062F19C    8B148D 88996500 MOV EDX,DWORD PTR DS:[ECX*4+659988]
0062F1A3    8995 70EEFFFF   MOV DWORD PTR SS:[EBP-1190],EDX
0062F1A9    8B85 90EBFFFF   MOV EAX,DWORD PTR SS:[EBP-1470]
0062F1AF    3B85 70EEFFFF   CMP EAX,DWORD PTR SS:[EBP-1190]
0062F1B5    7D 5C           JGE SHORT newsLeec.0062F213
0062F1B7    8B85 70EEFFFF   MOV EAX,DWORD PTR SS:[EBP-1190]
0062F1BD    2B85 90EBFFFF   SUB EAX,DWORD PTR SS:[EBP-1470]
0062F1C3    99              CDQ
0062F1C4    2BC2            SUB EAX,EDX
0062F1C6    D1F8            SAR EAX,1
0062F1C8    8B8D 90EBFFFF   MOV ECX,DWORD PTR SS:[EBP-1470]
0062F1CE    03C8            ADD ECX,EAX
0062F1D0    898D 8CEBFFFF   MOV DWORD PTR SS:[EBP-1474],ECX
0062F1D6    8B95 64EEFFFF   MOV EDX,DWORD PTR SS:[EBP-119C]
0062F1DC    8B0495 28996500 MOV EAX,DWORD PTR DS:[EDX*4+659928]
0062F1E3    8B8D 8CEBFFFF   MOV ECX,DWORD PTR SS:[EBP-1474]
0062F1E9    8B95 94EBFFFF   MOV EDX,DWORD PTR SS:[EBP-146C]
0062F1EF    3B1488          CMP EDX,DWORD PTR DS:[EAX+ECX*4] 
0062F1F2    76 11           JBE SHORT newsLeec.0062F205
But my problem is now that I don't know how to get a table. It's possible to set a conditional breakpoint there, but then you must repair everything by hand... a little hint would be nice.
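The second listing in the post is easier to read once you see that it is a binary search: `[EBP-1470]` is the low index (initialised to 0), `[EBP-1190]` is the element count fetched from a count array, `[EBP-1474]` is the midpoint, the `CDQ` / `SUB EAX,EDX` / `SAR EAX,1` sequence is the compiler's idiom for a signed division by two, and the final `CMP EDX,[EAX+ECX*4]` / `JBE` compares the computed value against `table[mid]`. The C below is an added reconstruction written for this page, not code from the post or from the protected program, and it only models the part of the loop that is visible: the branch targets at `0062F205` and `0062F213` are not shown, so the way the bounds are narrowed after the compare is an assumption (a standard binary search). The table contents are constructed sample data, and the names `find_in_table`, `half_toward_zero` and `sample_table` are invented for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample table, sorted ascending as a binary search requires.
   The values are arbitrary and stand in for the "crypted" table of the post. */
static const uint32_t sample_table[] = {
    0x00000010, 0x00000042, 0x00001337, 0x0000BEEF, 0x80000003, 0xDEADBEEF
};
static const int32_t sample_count = (int32_t)(sizeof(sample_table) / sizeof(sample_table[0]));

/* CDQ ; SUB EAX,EDX ; SAR EAX,1
   CDQ sign-extends EAX into EDX (0 or -1). Subtracting that from EAX adds 1
   when the value is negative, so the arithmetic shift rounds toward zero,
   i.e. this is a signed x / 2 exactly as C defines it. Assumes an arithmetic
   right shift on signed values, which every mainstream x86 compiler uses. */
static int32_t half_toward_zero(int32_t x) {
    int32_t sign = (x < 0) ? -1 : 0;   /* EDX after CDQ */
    return (x - sign) >> 1;            /* SUB EAX,EDX ; SAR EAX,1 */
}

/* Binary search of 'value' in a sorted 'table' of 'count' entries.
   Returns the index of the match, or -1 if it is not present.
   Visible register/stack roles from the listing are noted in comments;
   the lo/hi narrowing after the compare is an assumption (see lead-in). */
int find_in_table(const uint32_t *table, int32_t count, uint32_t value) {
    int32_t lo = 0;        /* MOV DWORD PTR SS:[EBP-1470],0 */
    int32_t hi = count;    /* MOV DWORD PTR SS:[EBP-1190],EDX (count from the count array) */

    while (lo < hi) {      /* CMP EAX,[EBP-1190] ; JGE SHORT 0062F213 leaves the loop */
        /* MOV EAX,[EBP-1190] ; SUB EAX,[EBP-1470] ; CDQ ; SUB EAX,EDX ; SAR EAX,1
           MOV ECX,[EBP-1470] ; ADD ECX,EAX ; MOV [EBP-1474],ECX */
        int32_t mid = lo + half_toward_zero(hi - lo);

        /* MOV EDX,[EBP-146C] (the computed value) ; CMP EDX,[EAX+ECX*4] ; JBE SHORT 0062F205 */
        if (value <= table[mid]) {
            if (value == table[mid]) {
                return mid;            /* match found */
            }
            hi = mid;                  /* assumed: branch target narrows the upper bound */
        } else {
            lo = mid + 1;              /* assumed: fall-through narrows the lower bound */
        }
    }
    return -1;                         /* value is not in the table */
}

int main(void) {
    uint32_t probes[] = { 0x00001337, 0x80000003, 0x00000011 };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("0x%08X -> index %d\n", probes[i],
               find_in_table(sample_table, sample_count, probes[i]));
    }
    return 0;
}
```

The point of the reconstruction is the reading, not the lookup itself: once the midpoint arithmetic and the `JGE` exit are recognised, the two memory operands `DS:[EDX*4+659928]` and `DS:[ECX*4+659988]` fall out as "array of table pointers" and "array of table lengths", both indexed by the same value held in `[EBP-119C]`, which is what makes the compare at `0062F1EF` a table membership test.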