flat assembler
Message board for the users of flat assembler.

Thread (Windows forum): Please everyone run this program......
shism2 (Joined: 14 Sep 2005; Posts: 248)
If everyone could run this program and please post the data shown in the message boxes in a list.

I need to collect that data for a project I'm working on ....

THANK YOU VERY MUCH EVERYONE.... That helps.... :D


Attachment: The Shism.zip (572 bytes)

Post 04 Jun 2006, 21:41
LocoDelAssembly (Joined: 06 May 2005; Posts: 4633; Location: Argentina)
Code:
Shism:00401000 ;
Shism:00401000 ; +-------------------------------------------------------------------------+
Shism:00401000 ; ¦     This file is generated by The Interactive Disassembler (IDA)        ¦
Shism:00401000 ; ¦     Copyright (c) 2002 by DataRescue sa/nv, <ida@datarescue.com>        ¦
Shism:00401000 ; ¦                      Licensed to: Freeware version                      ¦
Shism:00401000 ; +-------------------------------------------------------------------------+
Shism:00401000 ;
Shism:00401000 ; File Name   : C:\Documents and Settings\Hernan\Escritorio\The Shism.exe
Shism:00401000 ; Format      : Portable executable for IBM PC (PE)
Shism:00401000 ; Section 1. (virtual address 00001000)
Shism:00401000 ; Virtual size                  : 0000017B (    379.)
Shism:00401000 ; Section size in file          : 00000200 (    512.)
Shism:00401000 ; Offset to raw data for section: 00000200
Shism:00401000 ; Flags E0000020: Text Executable Readable Writable
Shism:00401000 ; Alignment     : 16 bytes ?
Shism:00401000 
Shism:00401000                 model flat
Shism:00401000 
Shism:00401000 ; ---------------------------------------------------------------------------
Shism:00401000 
Shism:00401000 ; Segment type: Pure code
Shism:00401000 Shism           segment para public 'CODE' use32
Shism:00401000                 assume cs:Shism
Shism:00401000                 ;org 401000h
Shism:00401000                 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
Shism:00401000                 dd 4 dup(0)
Shism:00401010                 db 0
Shism:00401011 ; const CHAR Text
Shism:00401011 Text            dd 0                    ; DATA XREF: start+5w
Shism:00401011                                         ; start+Bo ...
Shism:00401015 dword_401015    dd 0                    ; DATA XREF: start+57w
Shism:00401015                                         ; start+5Do ...
Shism:00401019 dword_401019    dd 0                    ; DATA XREF: start+A9w
Shism:00401019                                         ; start+AFo ...
Shism:0040101D word_40101D     dw 0                    ; DATA XREF: start+FBw
Shism:0040101D                                         ; start+101o ...
Shism:0040101F 
Shism:0040101F ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
Shism:0040101F 
Shism:0040101F 
Shism:0040101F                 public start
Shism:0040101F start           proc near
Shism:0040101F                 push    ss              ; for
Shism:00401020                 pop     ss              ; what?
Shism:00401021                 pushf
Shism:00401022                 pop     ax
Shism:00401024                 mov     word ptr ds:Text, ax
Shism:0040102A                 push    offset Text
Shism:0040102F                 push    ds:Text
Shism:00401035                 call    wordToHex
Shism:0040103A                 push    0               ; uType
Shism:0040103C                 push    0               ; lpCaption
Shism:0040103E                 push    offset Text     ; lpText
Shism:00401043                 push    0               ; hWnd
Shism:00401045                 call    ds:MessageBoxA  ; 0246H
Shism:0040104B                 pop     ax
Shism:0040104D                 mov     word ptr ds:Text+2, ax
Shism:00401053                 push    401013h
Shism:00401058                 push    ds:Text+2
Shism:0040105E                 call    wordToHex
Shism:00401063                 push    0               ; uType
Shism:00401065                 push    0               ; lpCaption
Shism:00401067                 push    401013h         ; lpText
Shism:0040106C                 push    0               ; hWnd
Shism:0040106E                 call    ds:MessageBoxA  ; 0000H
Shism:00401074                 pop     ax
Shism:00401076                 mov     word ptr ds:dword_401015, ax
Shism:0040107C                 push    offset dword_401015
Shism:00401081                 push    ds:dword_401015
Shism:00401087                 call    wordToHex
Shism:0040108C                 push    0               ; uType
Shism:0040108E                 push    0               ; lpCaption
Shism:00401090                 push    offset dword_401015 ; lpText
Shism:00401095                 push    0               ; hWnd
Shism:00401097                 call    ds:MessageBoxA  ; 6D4FH
Shism:0040109D                 pop     ax
Shism:0040109F                 mov     word ptr ds:dword_401015+2, ax
Shism:004010A5                 push    401017h
Shism:004010AA                 push    ds:dword_401015+2
Shism:004010B0                 call    wordToHex
Shism:004010B5                 push    0               ; uType
Shism:004010B7                 push    0               ; lpCaption
Shism:004010B9                 push    401017h         ; lpText
Shism:004010BE                 push    0               ; hWnd
Shism:004010C0                 call    ds:MessageBoxA  ; 7C81H
Shism:004010C6                 pop     ax
Shism:004010C8                 mov     word ptr ds:dword_401019, ax
Shism:004010CE                 push    offset dword_401019
Shism:004010D3                 push    ds:dword_401019
Shism:004010D9                 call    wordToHex
Shism:004010DE                 push    0               ; uType
Shism:004010E0                 push    0               ; lpCaption
Shism:004010E2                 push    offset dword_401019 ; lpText
Shism:004010E7                 push    0               ; hWnd
Shism:004010E9                 call    ds:MessageBoxA  ; 0038H
Shism:004010EF                 pop     ax
Shism:004010F1                 mov     word ptr ds:dword_401019+2, ax
Shism:004010F7                 push    40101Bh
Shism:004010FC                 push    ds:dword_401019+2
Shism:00401102                 call    wordToHex
Shism:00401107                 push    0               ; uType
Shism:00401109                 push    0               ; lpCaption
Shism:0040110B                 push    40101Bh         ; lpText
Shism:00401110                 push    0               ; hWnd
Shism:00401112                 call    ds:MessageBoxA  ; 0039H
Shism:00401118                 pop     ax
Shism:0040111A                 mov     ds:word_40101D, ax
Shism:00401120                 push    offset word_40101D
Shism:00401125                 push    dword ptr ds:word_40101D
Shism:0040112B                 call    wordToHex
Shism:00401130                 push    0               ; uType
Shism:00401132                 push    0               ; lpCaption
Shism:00401134                 push    offset word_40101D ; lpText
Shism:00401139                 push    0               ; hWnd
Shism:0040113B                 call    ds:MessageBoxA  ; 0036H
Shism:00401141                 sub     esp, 0Ah        ; shouldn't it be 0ch? there is six "pop ax" above not paired with any push
Shism:00401144                 push    0               ; uExitCode
Shism:00401146                 call    ds:ExitProcess
Shism:00401146 start           endp
Shism:00401146 
Shism:0040114C 
Shism:0040114C ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
Shism:0040114C 
Shism:0040114C ; Attributes: bp-based frame
Shism:0040114C 
Shism:0040114C wordToHex       proc near               ; CODE XREF: start+16p
Shism:0040114C                                         ; start+3Fp ...
Shism:0040114C 
Shism:0040114C value           = dword ptr  8
Shism:0040114C buffer          = dword ptr  0Ch
Shism:0040114C 
Shism:0040114C                 push    ebp
Shism:0040114D                 mov     ebp, esp
Shism:0040114F                 mov     ecx, [ebp+buffer]
Shism:00401152                 add     ecx, 4
Shism:00401155                 mov     word ptr [ecx], 'H'
Shism:0040115A                 dec     ecx
Shism:0040115B 
Shism:0040115B loc_40115B:                             ; CODE XREF: wordToHex+29j
Shism:0040115B                 mov     eax, [ebp+value]
Shism:0040115E                 and     eax, 0Fh
Shism:00401161                 cmp     al, 0Ah
Shism:00401163                 jnb     short loc_401169
Shism:00401165                 add     al, 30h
Shism:00401167                 jmp     short loc_40116B
Shism:00401169 ; ---------------------------------------------------------------------------
Shism:00401169 
Shism:00401169 loc_401169:                             ; CODE XREF: wordToHex+17j
Shism:00401169                 add     al, 37h
Shism:0040116B 
Shism:0040116B loc_40116B:                             ; CODE XREF: wordToHex+1Bj
Shism:0040116B                 mov     [ecx], al
Shism:0040116D                 dec     ecx
Shism:0040116E                 ror     [ebp+value], 4
Shism:00401172                 cmp     ecx, [ebp+buffer]
Shism:00401175                 jnb     short loc_40115B
Shism:00401177                 leave
Shism:00401178                 retn    8
Shism:00401178 wordToHex       endp
Shism:00401178 
Shism:00401178 ; ---------------------------------------------------------------------------
Shism:0040117B                 align 100h
Shism:0040117B Shism           ends    


At every call to MessageBox you can see the value. Are my return address and the other stack values the same for you?
Post 04 Jun 2006, 22:37
shism2 (Joined: 14 Sep 2005; Posts: 248)
What OS are you using? And there are 7 pop ax...

Anti-debugging techniques

If it isn't too much trouble, could you run it under OllyDbg, please.
Post 04 Jun 2006, 22:46
blacky (Joined: 06 Apr 2006; Posts: 32; Location: JA)
oops. sry, nvm
Post 04 Jun 2006, 23:01
shism2 (Joined: 14 Sep 2005; Posts: 248)
Umm, blacky... Could you please list them?
Post 04 Jun 2006, 23:07
LocoDelAssembly (Joined: 06 May 2005; Posts: 4633; Location: Argentina)
Quote:

What Os are you using and there are 7 pop ax...

Quote:

there is six "pop ax" above NOT PAIRED WITH ANY PUSH!!


Runs perfectly under OllyDbg. However, there is something wrong: the first, third and fifth MessageBox have no title bar. I don't know why that happens. Note that this problem with the MessageBox happens without any debugger too.

The last three MessageBox report different values under OllyDbg: 0738H, 7C92H and FFFFH

[edit]Windows XP SP2 Spanish[/edit]
[edit2]Ah, now I see the effect of push ss / pop ss, but note that the single-step debugging only skips pushfd. If I put a breakpoint at pushfd it's also skipped, so it's interesting to put a call to a procedure in place of pushfd :D (and hope that the user doesn't notice that push ss / pop ss disables interrupts for the next instruction)

The problem with MessageBox is possibly the misalignment caused by pop ax[/edit2]
Post 04 Jun 2006, 23:28
shism2 (Joined: 14 Sep 2005; Posts: 248)
It doesn't skip the instruction. It still executes the pushfd. It just "looks" like it does. Yes, you're right about the alignment and the problem with MessageBox. Hm, I'm using Windows XP SP1. I'm going to make little programs to test some stuff. Hope you're a faithful tester :) ... ?

Also, what does the first message box give you under OllyDbg?

Single-step debugging, I'm not using that. The effect is to retrieve the previous values of the registers. It seems that OllyDbg changes them.

Would be nice if someone who has Windows XP SP1 ... also posts results...
Post 05 Jun 2006, 00:05
LocoDelAssembly (Joined: 06 May 2005; Posts: 4633; Location: Argentina)
I mean it skips the instruction from the single stepping (doesn't stop execution at pushfd but at the next instruction). I was wrong about the breakpoints; I tested it again and it stops execution at pushfd this time.

It gives me 0246H like when I don't use a debugger. Only the three last MessageBox give me different values (0738H, 7C92H and FFFFH). However, if I do single stepping (pressing F7) it shows 0346H instead in the first MessageBox.

About the problem with the MessageBox's title bar: if I replace pop AX with pop EAX it works fine (showing other values, of course). I can't imagine why it is a problem for MessageBox to display the title bar with an unaligned stack :(

PS: Sorry about the six "pop ax"; in fact there are five unpaired, pushfd takes 4 bytes, so sub esp, $0a is fine
Post 05 Jun 2006, 02:11
shism2 (Joined: 14 Sep 2005; Posts: 248)
It's cool, thanks man. The value is higher than 300 if single stepping. Mine's 386.
Post 05 Jun 2006, 02:26
zhak (Joined: 12 Apr 2005; Posts: 490; Location: Belarus)
MS Win2k 5.00.2195 SP4
w/o OllyDbg...

0246H
0000H
8989H
7C59H
0004H
0000H
0008H

every second (starting with the first) message box appears w/o caption

and now under OllyDbg...

0346
0000
8989
7C59
0000
0000
0000
Post 05 Jun 2006, 12:22
shism2 (Joined: 14 Sep 2005; Posts: 248)
Ok thanks... So I know the first message box is a sure anti-debug under all systems. The other ones are a bit iffy to use.

NEW *FIXED* VERSION:

Attachment: flatpe.zip (639 bytes)

Post 05 Jun 2006, 19:16
LocoDelAssembly (Joined: 06 May 2005; Posts: 4633; Location: Argentina)
0246H <- Or 0346H if I do single stepping over pop SS
6D4FH
0738H
FFFFH
F000H <- Sometimes B000H, E000H, etc. (seems to be related to how much time I spend before reaching this MessageBox)
3DFDH
FFC8H

Code:
.flat1:00402000 ; Section 2. (virtual address 00002000)
.flat1:00402000 ; Virtual size                  : 0000004C (     76.)
.flat1:00402000 ; Section size in file          : 00000200 (    512.)
.flat1:00402000 ; Offset to raw data for section: 00000800
.flat1:00402000 ; Flags E0000020: Text Executable Readable Writable
.flat1:00402000 ; Alignment     : 16 bytes ?
.flat1:00402000 ; ---------------------------------------------------------------------------
.flat1:00402000 
.flat1:00402000 ; Segment type: Pure code
.flat1:00402000 _flat1          segment para public 'CODE' use32
.flat1:00402000                 assume cs:_flat1
.flat1:00402000                 ;org 402000h
.flat1:00402000                 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
.flat1:00402000                 mov     eax, 90h
.flat1:00402005                 mov     ecx, 8
.flat1:0040200A 
.flat1:0040200A loc_40200A:                             ; DATA XREF: .flat1:0040200Ao
.flat1:0040200A                 mov     edi, offset loc_40200A
.flat1:0040200F                 repe stosb
.flat1:00402011                 jmp     dword ptr [esp]
.flat1:00402011 ; ---------------------------------------------------------------------------
.flat1:00402014                 dd 6A006Ah, 13E8h, 746F4E00h, 69656220h, 6420676Eh, 67756265h
.flat1:00402014                 dd 646567h, 15FF006Ah, 40307Ch, 15FF006Ah, 40305Eh, 70h dup(0)
.flat1:00402014 _flat1          ends    
Interesting section :)
Post 05 Jun 2006, 19:31
shism2 (Joined: 14 Sep 2005; Posts: 248)
oops.... That is an anti-debug I forgot to leave out
Post 05 Jun 2006, 23:24
shism2 (Joined: 14 Sep 2005; Posts: 248)
I need input from other people, sigh... I can't do it with just 3 people including me
Post 05 Jun 2006, 23:26
madmatt (Joined: 07 Oct 2003; Posts: 1045; Location: Michigan, USA)
Here's my results:
0246
6d4f
0034
0039
7000
a938
ffc8

What exactly does this program do?

EDIT: Using Windows XP SP2, Intel Celeron P4 2.7 GHz
Post 06 Jun 2006, 06:38
Vasilev Vjacheslav (Joined: 11 Aug 2004; Posts: 392)
madmatt, this is the debugger detection trick
Post 06 Jun 2006, 11:32
zhak (Joined: 12 Apr 2005; Posts: 490; Location: Belarus)
Here's one more set of results for you, shism2.
WinXP 5.1.2600 SP2.

0246, 6D4F, VAR, VAR, VAR, B038, FFC8 ;w/o debugger
0346, 6D4F, 0, 0, VAR, B038, FFC8 ; under SoftICE
0346, 6D4F, VAR, VAR, VAR, B038, FFC8 ; under OllyDbg
0346, 6D4F ,B754, 8BB1, VAR, B038, FFC8 ; under w32dasm debugger

This trick works only if you single-step push ss/pop ss; otherwise EFLAGS gives 0246. So you can easily overcome it. Hm, it's the debuggers' fault. IMHO, they should predict PUSH SS/POP SS and emulate it.
Post 06 Jun 2006, 15:13
Vasilev Vjacheslav (Joined: 11 Aug 2004; Posts: 392)
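Decoding the posted values makes the point of this thread concrete. The C program below is an added example, not code from the thread or from shism2's program: it reimplements the disassembled wordToHex routine (four upper-case hex digits followed by 'H'), parses values in the exact form the posters pasted, and decodes the low 16 bits of EFLAGS into flag names, so that the 0246H/0346H difference shows up as the Trap Flag (bit 8, 0x100) left set while a debugger single-steps. Function names are my own, and the two sample strings in main are the first value as posted here with and without single stepping.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the thread's code. Reimplements the disassembled
 * wordToHex routine: the low 16 bits of `value` become four upper-case hex
 * digits followed by 'H' (as in "0246H"). `buf` must hold at least 6 bytes.
 * The listing's "add al, 37h" is the 'A' - 10 = 0x37 step below. */
void word_to_hex(uint16_t value, char *buf)
{
    buf[4] = 'H';
    buf[5] = '\0';
    for (int i = 3; i >= 0; i--) {          /* fill from the last digit back */
        unsigned nib = value & 0xF;
        buf[i] = (char)(nib < 10 ? '0' + nib : 'A' + (nib - 10));
        value >>= 4;                        /* the listing uses ror ..., 4 */
    }
}

/* Parse a value in the exact form the program displays ("0346H");
 * returns the 16-bit value, or -1 on malformed input. */
int parse_hex_word(const char *s)
{
    if (strlen(s) != 5 || s[4] != 'H')
        return -1;
    int v = 0;
    for (int i = 0; i < 4; i++) {
        char c = s[i];
        int d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else return -1;
        v = v * 16 + d;
    }
    return v;
}

/* Low 16 bits of EFLAGS (the part pushf / pop ax captures).
 * Bit 1 is reserved and always reads as 1, hence the 2 in 0246H. */
#define FLAG_CF 0x0001
#define FLAG_PF 0x0004
#define FLAG_AF 0x0010
#define FLAG_ZF 0x0040
#define FLAG_SF 0x0080
#define FLAG_TF 0x0100  /* Trap Flag: set while a debugger single-steps */
#define FLAG_IF 0x0200
#define FLAG_DF 0x0400
#define FLAG_OF 0x0800

/* Write the names of the set flags, space separated, into out. */
void decode_flags(uint16_t flags, char *out, size_t outlen)
{
    static const struct { uint16_t bit; const char *name; } table[] = {
        {FLAG_CF, "CF"}, {FLAG_PF, "PF"}, {FLAG_AF, "AF"}, {FLAG_ZF, "ZF"},
        {FLAG_SF, "SF"}, {FLAG_TF, "TF"}, {FLAG_IF, "IF"}, {FLAG_DF, "DF"},
        {FLAG_OF, "OF"},
    };
    out[0] = '\0';
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (!(flags & table[i].bit))
            continue;
        if (out[0] != '\0')
            strncat(out, " ", outlen - strlen(out) - 1);
        strncat(out, table[i].name, outlen - strlen(out) - 1);
    }
}

/* 1 if the captured FLAGS word carries TF, i.e. it was read while being
 * single-stepped (0346H in the thread), 0 for a normal run (0246H). */
int trap_flag_set(uint16_t flags)
{
    return (flags & FLAG_TF) != 0;
}

int main(void)
{
    /* Constructed samples: the first value posted in this thread, without
     * and with a single-stepping debugger. */
    const char *samples[] = { "0246H", "0346H" };
    for (size_t i = 0; i < 2; i++) {
        int v = parse_hex_word(samples[i]);
        char names[64], back[8];
        decode_flags((uint16_t)v, names, sizeof names);
        word_to_hex((uint16_t)v, back);
        printf("%s -> %-12s trap flag: %s\n", back, names,
               trap_flag_set((uint16_t)v) ? "yes (single-stepped)" : "no");
    }
    return 0;
}
```

Only the first of the seven values is a FLAGS word; the later "pop ax" instructions read whatever else is on the stack (return address and other stack contents, as LocoDelAssembly's post says), which is why zhak lists them as VAR and why they differ between OS versions. The decoder therefore only says something meaningful about the first value, matching shism2's conclusion that the other six are "a bit iffy".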
...but they don't
Post 06 Jun 2006, 15:52
shism2 (Joined: 14 Sep 2005; Posts: 248)
Hmm.... The first value is without a doubt obvious. The others I need to research more. I think I want this thread deleted, till I make another program to research the others.
Post 07 Jun 2006, 00:24
madmatt (Joined: 07 Oct 2003; Posts: 1045; Location: Michigan, USA)
Updated my results:
Olly Debug: 0246, 6d4f, 0738, ffff, e000, a938, fffc8
WinDbg: 0246, 6d4f, 0000, fa9c, f000, a938, ffc8
No Debugger: 0246, 6d4f, 0034, 0039, e000, a938, ffc8
Post 11 Jun 2006, 06:41
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.