Validation help

7 replies to this topic

#1
movax85 (Newbie, 4 posts)
Hi!
I have this friend who has programmed this file to ask for a password before continuing. He told me I could never break through this, and he was partly right.

I decompiled the file, and found this:


                       if(local_number7) then // ref index: 6
@00004F0A:0006            local_string4 = "Write the key you THINK is right";
@00004F49:0006            local_number5 = 1;
@00004F55:0006            local_number6 = 0;
@00004F61:0021            function_438();
@00004F67:0006            local_string19 = LASTRESULT;
@00004F71:0014            local_string19 = (local_string19 ^ "CiCp.dll");
@00004F86:0039            UseDll(local_string19);
@00004F8D:0006            local_string18 = "am5y&p333tg3#fh71vdokujv";
@00004FB5:000A   label_4fb5:
@00004FB7:0001            // switch/while/???
@00004FBB:0009            local_number7 = (local_number6 < 3);
@00004FCA:000E            local_number8 = (local_number5 != 0);
@00004FD9:0019            local_number7 = (local_number7 = local_number8);
@00004FE6:0004            if(local_number7) then // ref index: 4
@00004FF2:0021               AskText/AskPath(local_string4, "", local_string17);
@00005001:0006               local_number1 = LASTRESULT;
@0000500B:000D               local_number7 = (local_number1 = 12);
@0000501A:0004               if(local_number7) then // ref index: 1
@00005026:0005                  goto label_4c82;
@0000502F:0006               endif;
@0000502F:0006   label_502f:
@00005031:001A               local_number7 = &local_string18;
@0000503B:001A               local_number8 = &local_string17;
@00005045:0020               ValidatePwd(local_number7, local_number8); // dll: CiCp.dll
@00005051:0006               local_number7 = LASTRESULT;
@0000505B:0004               if(local_number7) then // ref index: 1
@00005067:0006                  local_number5 = 0;
@00005073:0003               endif;
@00005073:0003   label_5073:
@00005075:000A               local_number7 = (local_number5 > 0);
@00005084:0004               if(local_number7) then // ref index: 1
@00005090:0021                  MessageBox("Haha, your key was WRONG!!", 0);
@000050C0:0002               endif;

I don't get what triggers the wrong answer and what triggers the right answer. I first thought the key was the "am5y&p333tg3#fh71vdokujv" string, but it gives me the wrong message. Could anyone be kind enough to explain?

#2
WingedPanther (Moderator, 16,831 posts, Upstate, South Carolina)
It looks to me like he's using CiCp.dll to validate the string. You would have to decompile that, too.
Programming is a branch of mathematics.

#3
movax85 (Newbie, 4 posts)
Where can I find this CiCp.dll file the setup uses?

#4
movax85 (Newbie, 4 posts)
Now I have decompiled CiCp.dll to find the ValidatePwd function:



;

; +-------------------------------------------------------------------------+

; |   This file has been generated by The Interactive Disassembler (IDA)    |

; |        Copyright © 2009 by Hex-Rays, <support@hex-rays.com>           |

; |                      License info: F8-D4CF-D2F8-9C                      |

; |                              Licensed User                              |

; +-------------------------------------------------------------------------+

;

; Input MD5   : BE214D7D3A5690D718E3828B43E0E726


; File Name   : CiCp.dll

; Format      : Portable executable for 80386 (PE)

; Imagebase   : 10000000

; Section 1. (virtual address 00001000)

; Virtual size                  : 000044E5 (  17637.)

; Section size in file          : 00005000 (  20480.)

; Offset to raw data for section: 00001000

; Flags 60000020: Text Executable Readable

; Alignment     : default

; OS type         :  MS Windows

; Application type:  DLL 32bit


.686p

.mmx

.model flat



; Segment type: Pure code

; Segment permissions: Read/Execute

_text segment para public 'CODE' use32

assume cs:_text

;org 10001000h

assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing




; BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
_DllMain@12 proc near

hinstDLL= dword ptr  4
fdwReason= dword ptr  8
lpvReserved= dword ptr  0Ch

mov     eax, 1
retn    0Ch
_DllMain@12 endp

align 10h

; int __cdecl sub_10001010(int, char *Str2, int)
sub_10001010 proc near

Str1= byte ptr -64h
var_63= byte ptr -63h
var_62= byte ptr -62h
var_61= byte ptr -61h
var_60= byte ptr -60h
var_5F= byte ptr -5Fh
var_5E= byte ptr -5Eh
var_5D= byte ptr -5Dh
arg_0= dword ptr  4
Str2= dword ptr  8
arg_8= dword ptr  0Ch

sub     esp, 64h
push    esi
mov     esi, [esp+68h+arg_8]
mov     eax, esi
mov     ecx, 14h
shl     eax, 4
add     eax, esi
push    edi
cdq
idiv    ecx
lea     eax, [esi+esi*2]
mov     esi, 14h
mov     edi, [esp+6Ch+arg_0]
mov     [esp+6Ch+var_5D], 0
mov     ecx, edx
cdq
idiv    esi
mov     al, [ecx+edi]
add     ecx, edi
mov     [esp+6Ch+Str1], al
mov     al, [edx+edi]
add     ecx, 2
mov     [esp+6Ch+var_63], al
mov     al, [ecx]
add     ecx, 2
mov     [esp+6Ch+var_62], al
add     edx, edi
add     edx, 2
mov     al, [edx]
mov     dl, [edx+2]
mov     [esp+6Ch+var_61], al
mov     al, [ecx]
mov     [esp+6Ch+var_60], al
mov     al, [ecx+2]
mov     ecx, [esp+6Ch+Str2]
mov     [esp+6Ch+var_5F], dl
lea     edx, [esp+6Ch+Str1]
push    ecx             ; Str2
push    edx             ; Str1
mov     [esp+74h+var_5E], al
call    __strcmpi
add     esp, 8
test    eax, eax
pop     edi
pop     esi
setz    al
add     esp, 64h
retn
sub_10001010 endp

align 10h
; Exported entry   1. ValidatePwd

; int __stdcall ValidatePwd(int, char *Str2)
public ValidatePwd
ValidatePwd proc near

arg_0= dword ptr  4
Str2= dword ptr  8

push    ebx
push    ebp
push    esi
push    edi
push    0               ; Time
call    _time
mov     ecx, eax
mov     eax, 0C22E4507h
imul    ecx
add     edx, ecx
mov     ebx, [esp+14h+Str2]
sar     edx, 10h
mov     ebp, [esp+14h+arg_0]
mov     eax, edx
shr     eax, 1Fh
add     edx, eax
add     esp, 4
xor     edi, edi
mov     esi, edx

loc_100010CF:           ; int
push    esi
push    ebx             ; Str2
push    ebp             ; int
call    sub_10001010
add     esp, 0Ch
test    al, al
jnz     short loc_100010EE
inc     edi
dec     esi
cmp     edi, 3
jl      short loc_100010CF
pop     edi
pop     esi
pop     ebp
xor     eax, eax
pop     ebx
retn    8

loc_100010EE:
pop     edi
pop     esi
pop     ebp
mov     eax, 1
pop     ebx
retn    8
ValidatePwd endp


align 10h

; [000000DC BYTES: COLLAPSED FUNCTION _time. PRESS KEYPAD "+" TO EXPAND]

; [000000D9 BYTES: COLLAPSED FUNCTION _CRT_INIT(x,x,x). PRESS KEYPAD "+" TO EXPAND]

; [0000009D BYTES: COLLAPSED FUNCTION DllEntryPoint. PRESS KEYPAD "+" TO EXPAND]

; [00000030 BYTES: COLLAPSED FUNCTION __amsg_exit. PRESS KEYPAD "+" TO EXPAND]

pop     ecx

pop     ecx

retn

; [00000012 BYTES: COLLAPSED FUNCTION _malloc. PRESS KEYPAD "+" TO EXPAND]

; [0000002C BYTES: COLLAPSED FUNCTION __nh_malloc. PRESS KEYPAD "+" TO EXPAND]

; [0000004E BYTES: COLLAPSED FUNCTION __heap_alloc. PRESS KEYPAD "+" TO EXPAND]

; [00000054 BYTES: COLLAPSED FUNCTION __mtinit. PRESS KEYPAD "+" TO EXPAND]

; [0000001E BYTES: COLLAPSED FUNCTION __mtterm. PRESS KEYPAD "+" TO EXPAND]

; [00000013 BYTES: COLLAPSED FUNCTION __initptd. PRESS KEYPAD "+" TO EXPAND]

; [000000A0 BYTES: COLLAPSED FUNCTION __freeptd. PRESS KEYPAD "+" TO EXPAND]

; [000000C2 BYTES: COLLAPSED FUNCTION ___loctotime_t. PRESS KEYPAD "+" TO EXPAND]

; [0000002D BYTES: COLLAPSED FUNCTION __cinit. PRESS KEYPAD "+" TO EXPAND]

; [00000011 BYTES: COLLAPSED FUNCTION __exit. PRESS KEYPAD "+" TO EXPAND]

; [0000000F BYTES: COLLAPSED FUNCTION __cexit. PRESS KEYPAD "+" TO EXPAND]

; [000000A3 BYTES: COLLAPSED FUNCTION _doexit. PRESS KEYPAD "+" TO EXPAND]

pop     edi

retn

; [00000009 BYTES: COLLAPSED FUNCTION __lockexit. PRESS KEYPAD "+" TO EXPAND]

; [00000009 BYTES: COLLAPSED FUNCTION __unlockexit. PRESS KEYPAD "+" TO EXPAND]

; [0000001A BYTES: COLLAPSED FUNCTION __initterm. PRESS KEYPAD "+" TO EXPAND]

; [000001BC BYTES: COLLAPSED FUNCTION __ioinit. PRESS KEYPAD "+" TO EXPAND]

; [00000054 BYTES: COLLAPSED FUNCTION __ioterm. PRESS KEYPAD "+" TO EXPAND]

; [000000B9 BYTES: COLLAPSED FUNCTION __setenvp. PRESS KEYPAD "+" TO EXPAND]

; [00000099 BYTES: COLLAPSED FUNCTION __setargv. PRESS KEYPAD "+" TO EXPAND]

; [000001B4 BYTES: COLLAPSED FUNCTION _parse_cmdline. PRESS KEYPAD "+" TO EXPAND]

; [00000132 BYTES: COLLAPSED FUNCTION ___crtGetEnvironmentStringsA. PRESS KEYPAD "+" TO EXPAND]

; [0000003C BYTES: COLLAPSED FUNCTION __heap_init. PRESS KEYPAD "+" TO EXPAND]

; [00000075 BYTES: COLLAPSED FUNCTION __heap_term. PRESS KEYPAD "+" TO EXPAND]

; [00000039 BYTES: COLLAPSED FUNCTION __FF_MSGBANNER. PRESS KEYPAD "+" TO EXPAND]

; [00000153 BYTES: COLLAPSED FUNCTION __NMSG_WRITE. PRESS KEYPAD "+" TO EXPAND]

; [0000001B BYTES: COLLAPSED FUNCTION __callnewh. PRESS KEYPAD "+" TO EXPAND]

; [00000029 BYTES: COLLAPSED FUNCTION __mtinitlocks. PRESS KEYPAD "+" TO EXPAND]

; [0000006C BYTES: COLLAPSED FUNCTION __mtdeletelocks. PRESS KEYPAD "+" TO EXPAND]

; [00000061 BYTES: COLLAPSED FUNCTION __lock. PRESS KEYPAD "+" TO EXPAND]

; [00000015 BYTES: COLLAPSED FUNCTION __unlock. PRESS KEYPAD "+" TO EXPAND]

; [0000003E BYTES: COLLAPSED FUNCTION ___sbh_heap_init. PRESS KEYPAD "+" TO EXPAND]

; [0000002B BYTES: COLLAPSED FUNCTION ___sbh_find_block. PRESS KEYPAD "+" TO EXPAND]

; [0000032B BYTES: COLLAPSED FUNCTION ___sbh_free_block. PRESS KEYPAD "+" TO EXPAND]

; [00000309 BYTES: COLLAPSED FUNCTION ___sbh_alloc_block. PRESS KEYPAD "+" TO EXPAND]

; [000000B1 BYTES: COLLAPSED FUNCTION ___sbh_alloc_new_region. PRESS KEYPAD "+" TO EXPAND]

; [000000FB BYTES: COLLAPSED FUNCTION ___sbh_alloc_new_group. PRESS KEYPAD "+" TO EXPAND]

; [000002F6 BYTES: COLLAPSED FUNCTION ___sbh_resize_block. PRESS KEYPAD "+" TO EXPAND]

; [0000008D BYTES: COLLAPSED FUNCTION _calloc. PRESS KEYPAD "+" TO EXPAND]

; [00000048 BYTES: COLLAPSED FUNCTION _free. PRESS KEYPAD "+" TO EXPAND]

; [0000002E BYTES: COLLAPSED FUNCTION ___tzset. PRESS KEYPAD "+" TO EXPAND]

; [00000287 BYTES: COLLAPSED FUNCTION __tzset_lk. PRESS KEYPAD "+" TO EXPAND]

; [00000021 BYTES: COLLAPSED FUNCTION __isindst. PRESS KEYPAD "+" TO EXPAND]

; [000001AC BYTES: COLLAPSED FUNCTION __isindst_0. PRESS KEYPAD "+" TO EXPAND]

; [00000140 BYTES: COLLAPSED FUNCTION _cvtdate. PRESS KEYPAD "+" TO EXPAND]

align 10h

; [00000007 BYTES: COLLAPSED FUNCTION _strcpy. PRESS KEYPAD "+" TO EXPAND]

align 10h

; [000000E0 BYTES: COLLAPSED FUNCTION _strcat. PRESS KEYPAD "+" TO EXPAND]

; [0000007B BYTES: COLLAPSED FUNCTION _strlen. PRESS KEYPAD "+" TO EXPAND]

; [000001AD BYTES: COLLAPSED FUNCTION __setmbcp. PRESS KEYPAD "+" TO EXPAND]

; [0000004A BYTES: COLLAPSED FUNCTION _getSystemCP. PRESS KEYPAD "+" TO EXPAND]

; [00000033 BYTES: COLLAPSED FUNCTION _CPtoLCID. PRESS KEYPAD "+" TO EXPAND]

; [00000029 BYTES: COLLAPSED FUNCTION _setSBCS. PRESS KEYPAD "+" TO EXPAND]

; [00000185 BYTES: COLLAPSED FUNCTION _setSBUpLow. PRESS KEYPAD "+" TO EXPAND]

; [0000001C BYTES: COLLAPSED FUNCTION ___initmbctable. PRESS KEYPAD "+" TO EXPAND]

align 10h

; [00000335 BYTES: COLLAPSED FUNCTION _memcpy. PRESS KEYPAD "+" TO EXPAND]

; [00000089 BYTES: COLLAPSED FUNCTION ___crtMessageBoxA. PRESS KEYPAD "+" TO EXPAND]

align 10h

; [000000FE BYTES: COLLAPSED FUNCTION _strncpy. PRESS KEYPAD "+" TO EXPAND]

align 10h

; [00000335 BYTES: COLLAPSED FUNCTION _memcpy_0. PRESS KEYPAD "+" TO EXPAND]

align 10h

; [00000058 BYTES: COLLAPSED FUNCTION _memset. PRESS KEYPAD "+" TO EXPAND]

; [0000008B BYTES: COLLAPSED FUNCTION _atol. PRESS KEYPAD "+" TO EXPAND]

align 10h

; [00000084 BYTES: COLLAPSED FUNCTION _strcmp. PRESS KEYPAD "+" TO EXPAND]

; [0000007D BYTES: COLLAPSED FUNCTION _getenv. PRESS KEYPAD "+" TO EXPAND]

; [00000224 BYTES: COLLAPSED FUNCTION ___crtLCMapStringA. PRESS KEYPAD "+" TO EXPAND]

; [0000002B BYTES: COLLAPSED FUNCTION _strncnt. PRESS KEYPAD "+" TO EXPAND]

; [00000149 BYTES: COLLAPSED FUNCTION ___crtGetStringTypeA. PRESS KEYPAD "+" TO EXPAND]

; [00000075 BYTES: COLLAPSED FUNCTION __isctype. PRESS KEYPAD "+" TO EXPAND]

align 10h


__allmul:

mov     eax, [esp+8]

mov     ecx, [esp+10h]

or      ecx, eax

mov     ecx, [esp+0Ch]

jnz     short loc_10004619

mov     eax, [esp+4]

mul     ecx

retn    10h


loc_10004619:

push    ebx

mul     ecx

mov     ebx, eax

mov     eax, [esp+8]

mul     dword ptr [esp+14h]

add     ebx, eax

mov     eax, [esp+8]

mul     ecx

add     edx, ebx

pop     ebx

retn    10h

; [0000003F BYTES: COLLAPSED FUNCTION __mbsnbicoll. PRESS KEYPAD "+" TO EXPAND]

; [0000006E BYTES: COLLAPSED FUNCTION ___wtomb_environ. PRESS KEYPAD "+" TO EXPAND]

align 4

; [00000020 BYTES: COLLAPSED FUNCTION __global_unwind2. PRESS KEYPAD "+" TO EXPAND]

; [00000022 BYTES: COLLAPSED FUNCTION __unwind_handler. PRESS KEYPAD "+" TO EXPAND]

; [00000068 BYTES: COLLAPSED FUNCTION __local_unwind2. PRESS KEYPAD "+" TO EXPAND]

; [00000023 BYTES: COLLAPSED FUNCTION __abnormal_termination. PRESS KEYPAD "+" TO EXPAND]


__NLG_Notify1:

push    ebx

push    ecx

mov     ebx, offset unk_10007680

jmp     short loc_100047C4

; [00000018 BYTES: COLLAPSED FUNCTION __NLG_Notify. PRESS KEYPAD "+" TO EXPAND]

align 4

push    esi

inc     ebx

xor     dh, [eax]

pop     eax

inc     ebx

xor     [eax], dh

; [000000BD BYTES: COLLAPSED FUNCTION unknown_libname_1. PRESS KEYPAD "+" TO EXPAND]


unknown_libname_2:      ; Microsoft VisualC 2-9/net runtime

push    ebp

mov     ecx, [esp+8]

mov     ebp, [ecx]

mov     eax, [ecx+1Ch]

push    eax

mov     eax, [ecx+18h]

push    eax

call    __local_unwind2

add     esp, 8

pop     ebp

retn    4

align 10h

; [0000002F BYTES: COLLAPSED FUNCTION __alloca_probe. PRESS KEYPAD "+" TO EXPAND]

; [0000027D BYTES: COLLAPSED FUNCTION ___crtCompareStringA. PRESS KEYPAD "+" TO EXPAND]

; [00000187 BYTES: COLLAPSED FUNCTION ___crtsetenv. PRESS KEYPAD "+" TO EXPAND]

; [00000058 BYTES: COLLAPSED FUNCTION _findenv. PRESS KEYPAD "+" TO EXPAND]

; [00000067 BYTES: COLLAPSED FUNCTION _copy_environ. PRESS KEYPAD "+" TO EXPAND]

; [00000138 BYTES: COLLAPSED FUNCTION _realloc. PRESS KEYPAD "+" TO EXPAND]

; [00000097 BYTES: COLLAPSED FUNCTION __mbschr. PRESS KEYPAD "+" TO EXPAND]

; [0000002B BYTES: COLLAPSED FUNCTION __strdup. PRESS KEYPAD "+" TO EXPAND]

align 10h

; [00000005 BYTES: COLLAPSED CHUNK OF FUNCTION _strchr. PRESS KEYPAD "+" TO EXPAND]

align 10h

; [000000BC BYTES: COLLAPSED FUNCTION _strchr. PRESS KEYPAD "+" TO EXPAND]

align 10h

; [00000006 BYTES: COLLAPSED FUNCTION RtlUnwind. PRESS KEYPAD "+" TO EXPAND]

align 10h

; [000000D0 BYTES: COLLAPSED FUNCTION __strcmpi. PRESS KEYPAD "+" TO EXPAND]

; [000000CB BYTES: COLLAPSED FUNCTION _tolower. PRESS KEYPAD "+" TO EXPAND]

align 10h

; [0000003E BYTES: COLLAPSED FUNCTION _strcspn. PRESS KEYPAD "+" TO EXPAND]

align 10h

; [00000038 BYTES: COLLAPSED FUNCTION _strncmp. PRESS KEYPAD "+" TO EXPAND]

align 10h

; [0000003A BYTES: COLLAPSED FUNCTION unknown_libname_3. PRESS KEYPAD "+" TO EXPAND]

align 10h

; [00000101 BYTES: COLLAPSED FUNCTION __strnicmp. PRESS KEYPAD "+" TO EXPAND]

align 10h


__aulldiv:

push    ebx

push    esi

mov     eax, [esp+18h]

or      eax, eax

jnz     short loc_10005422

mov     ecx, [esp+14h]

mov     eax, [esp+10h]

xor     edx, edx

div     ecx

mov     ebx, eax

mov     eax, [esp+0Ch]

div     ecx

mov     edx, ebx

jmp     short loc_10005463


loc_10005422:

mov     ecx, eax

mov     ebx, [esp+14h]

mov     edx, [esp+10h]

mov     eax, [esp+0Ch]


loc_10005430:

shr     ecx, 1

rcr     ebx, 1

shr     edx, 1

rcr     eax, 1

or      ecx, ecx

jnz     short loc_10005430

div     ebx

mov     esi, eax

mul     dword ptr [esp+18h]

mov     ecx, eax

mov     eax, [esp+14h]

mul     esi

add     edx, ecx

jb      short loc_1000545E

cmp     edx, [esp+10h]

ja      short loc_1000545E

jb      short loc_1000545F

cmp     eax, [esp+0Ch]

jbe     short loc_1000545F


loc_1000545E:

dec     esi


loc_1000545F:

xor     edx, edx

mov     eax, esi


loc_10005463:

pop     esi

pop     ebx

retn    10h

align 10h


__aullrem:

push    ebx

mov     eax, [esp+14h]

or      eax, eax

jnz     short loc_10005491

mov     ecx, [esp+10h]

mov     eax, [esp+0Ch]

xor     edx, edx

div     ecx

mov     eax, [esp+8]

div     ecx

mov     eax, edx

xor     edx, edx

jmp     short loc_100054E1


loc_10005491:

mov     ecx, eax

mov     ebx, [esp+10h]

mov     edx, [esp+0Ch]

mov     eax, [esp+8]


loc_1000549F:

shr     ecx, 1

rcr     ebx, 1

shr     edx, 1

rcr     eax, 1

or      ecx, ecx

jnz     short loc_1000549F

div     ebx

mov     ecx, eax

mul     dword ptr [esp+14h]

xchg    eax, ecx

mul     dword ptr [esp+10h]

add     edx, ecx

jb      short loc_100054CA

cmp     edx, [esp+0Ch]

ja      short loc_100054CA

jb      short loc_100054D2

cmp     eax, [esp+8]

jbe     short loc_100054D2


loc_100054CA:

sub     eax, [esp+10h]

sbb     edx, [esp+14h]


loc_100054D2:

sub     eax, [esp+8]

sbb     edx, [esp+0Ch]

neg     edx

neg     eax

sbb     edx, 0


loc_100054E1:

pop     ebx

retn    10h

align 1000h

_text ends


; Section 2. (virtual address 00006000)

; Virtual size                  : 00000A57 (   2647.)

; Section size in file          : 00001000 (   4096.)

; Offset to raw data for section: 00006000

; Flags 40000040: Data Readable

; Alignment     : default

;

; Imports from KERNEL32.dll

;


; Segment type: Externs

; _idata

; void __stdcall InitializeCriticalSection(LPCRITICAL_SECTION lpCriticalSection)

extrn InitializeCriticalSection:dword

; void __stdcall GetSystemTime(LPSYSTEMTIME lpSystemTime)

extrn GetSystemTime:dword

; void __stdcall GetLocalTime(LPSYSTEMTIME lpSystemTime)

extrn GetLocalTime:dword

; LPSTR __stdcall GetCommandLineA()

extrn GetCommandLineA:dword

; DWORD __stdcall GetVersion()

extrn GetVersion:dword

; LPVOID __stdcall HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes)

extrn HeapAlloc:dword

; DWORD __stdcall GetCurrentThreadId()

extrn GetCurrentThreadId:dword

; BOOL __stdcall TlsSetValue(DWORD dwTlsIndex, LPVOID lpTlsValue)

extrn TlsSetValue:dword

; DWORD __stdcall TlsAlloc()

extrn TlsAlloc:dword

; BOOL __stdcall TlsFree(DWORD dwTlsIndex)

extrn TlsFree:dword

; LPVOID __stdcall TlsGetValue(DWORD dwTlsIndex)

extrn TlsGetValue:dword

; void __stdcall ExitProcess(UINT uExitCode)

extrn ExitProcess:dword

; BOOL __stdcall TerminateProcess(HANDLE hProcess, UINT uExitCode)

extrn TerminateProcess:dword

; HANDLE __stdcall GetCurrentProcess()

extrn GetCurrentProcess:dword

; UINT __stdcall SetHandleCount(UINT uNumber)

extrn SetHandleCount:dword

; HANDLE __stdcall GetStdHandle(DWORD nStdHandle)

extrn GetStdHandle:dword

; DWORD __stdcall GetFileType(HANDLE hFile)

extrn GetFileType:dword

; void __stdcall GetStartupInfoA(LPSTARTUPINFOA lpStartupInfo)

extrn GetStartupInfoA:dword

; void __stdcall DeleteCriticalSection(LPCRITICAL_SECTION lpCriticalSection)

extrn DeleteCriticalSection:dword

; DWORD __stdcall GetModuleFileNameA(HMODULE hModule, LPCH lpFilename, DWORD nSize)

extrn GetModuleFileNameA:dword

; BOOL __stdcall FreeEnvironmentStringsA(LPCH)

extrn FreeEnvironmentStringsA:dword

; BOOL __stdcall FreeEnvironmentStringsW(LPWCH)

extrn FreeEnvironmentStringsW:dword

; int __stdcall WideCharToMultiByte(UINT CodePage, DWORD dwFlags,

 LPCWSTR lpWideCharStr, int cchWideChar, LPSTR lpMultiByteStr, int

cbMultiByte, LPCSTR lpDefaultChar, LPBOOL lpUsedDefaultChar)

extrn WideCharToMultiByte:dword

; LPCH __stdcall GetEnvironmentStrings()

extrn GetEnvironmentStrings:dword

; LPWCH __stdcall GetEnvironmentStringsW()

extrn GetEnvironmentStringsW:dword

; BOOL __stdcall HeapDestroy(HANDLE hHeap)

extrn HeapDestroy:dword

; HANDLE __stdcall HeapCreate(DWORD flOptions, SIZE_T dwInitialSize, SIZE_T dwMaximumSize)

extrn HeapCreate:dword

; BOOL __stdcall VirtualFree(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType)

extrn VirtualFree:dword

; BOOL __stdcall HeapFree(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem)

extrn HeapFree:dword

; BOOL __stdcall WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD

nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED

lpOverlapped)

extrn WriteFile:dword

; DWORD __stdcall GetTimeZoneInformation(LPTIME_ZONE_INFORMATION lpTimeZoneInformation)

extrn GetTimeZoneInformation:dword

; void __stdcall EnterCriticalSection(LPCRITICAL_SECTION lpCriticalSection)

extrn EnterCriticalSection:dword

; void __stdcall LeaveCriticalSection(LPCRITICAL_SECTION lpCriticalSection)

extrn LeaveCriticalSection:dword

; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)

extrn VirtualAlloc:dword

; LPVOID __stdcall HeapReAlloc(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem, SIZE_T dwBytes)

extrn HeapReAlloc:dword

; BOOL __stdcall GetCPInfo(UINT CodePage, LPCPINFO lpCPInfo)

extrn GetCPInfo:dword

; UINT __stdcall GetACP()

extrn GetACP:dword

; UINT __stdcall GetOEMCP()

extrn GetOEMCP:dword

; FARPROC __stdcall GetProcAddress(HMODULE hModule, LPCSTR lpProcName)

extrn GetProcAddress:dword

; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)

extrn LoadLibraryA:dword

; int __stdcall MultiByteToWideChar(UINT CodePage, DWORD dwFlags,

 LPCSTR lpMultiByteStr, int cbMultiByte, LPWSTR lpWideCharStr, int

cchWideChar)

extrn MultiByteToWideChar:dword

; int __stdcall LCMapStringA(LCID Locale, DWORD dwMapFlags, LPCSTR lpSrcStr, int cchSrc, LPSTR lpDestStr, int cchDest)

extrn LCMapStringA:dword

; int __stdcall LCMapStringW(LCID Locale, DWORD dwMapFlags, LPCWSTR lpSrcStr, int cchSrc, LPWSTR lpDestStr, int cchDest)

extrn LCMapStringW:dword

; BOOL __stdcall GetStringTypeA(LCID Locale, DWORD dwInfoType, LPCSTR lpSrcStr, int cchSrc, LPWORD lpCharType)

extrn GetStringTypeA:dword

; BOOL __stdcall GetStringTypeW(DWORD dwInfoType, LPCWSTR lpSrcStr, int cchSrc, LPWORD lpCharType)

extrn GetStringTypeW:dword

extrn __imp_RtlUnwind:dword

; int __stdcall CompareStringA(LCID Locale, DWORD dwCmpFlags, LPCSTR lpString1, int cchCount1, LPCSTR lpString2, int cchCount2)

extrn CompareStringA:dword

; int __stdcall CompareStringW(LCID Locale, DWORD dwCmpFlags,

LPCWSTR lpString1, int cchCount1, LPCWSTR lpString2, int cchCount2)

extrn CompareStringW:dword

; BOOL __stdcall SetEnvironmentVariableA(LPCSTR lpName, LPCSTR lpValue)

extrn SetEnvironmentVariableA:dword




; Segment type: Pure data

; Segment permissions: Read

_rdata segment para public 'DATA' use32

assume cs:_rdata

;org 100060C8h

aRuntimeError db 'runtime error ',0

align 4

asc_100060D8 db 0Dh,0Ah,0

align 4

aTlossError db 'TLOSS error',0Dh,0Ah,0

align 4

aSingError db 'SING error',0Dh,0Ah,0

align 4

aDomainError db 'DOMAIN error',0Dh,0Ah,0

align 4

aR6028UnableToI db 'R6028',0Dh,0Ah

db '- unable to initialize heap',0Dh,0Ah,0

align 4

aR6027NotEnough db 'R6027',0Dh,0Ah

db '- not enough space for lowio initia'

db 'lization',0Dh,0Ah,0

align 4

aR6026NotEnough db 'R6026',0Dh,0Ah

db '- not enough space for stdio initia'

db 'lization',0Dh,0Ah,0

align 4

aR6025PureVirtu db 'R6025',0Dh,0Ah

db '- pure virtual function call',0Dh,0Ah,0

align 4

aR6024NotEnough db 'R6024',0Dh,0Ah

db '- not enough space for _onexit/atex'

db 'it table',0Dh,0Ah,0

align 4

aR6019UnableToO db 'R6019',0Dh,0Ah

db '- unable to open console device',0Dh,0Ah,0

align 10h

aR6018Unexpecte db 'R6018',0Dh,0Ah

db '- unexpected heap error',0Dh,0Ah,0

align 4

aR6017Unexpecte db 'R6017',0Dh,0Ah

db '- unexpected multithread lock error'

db 0Dh,0Ah,0

align 4

aR6016NotEnough db 'R6016',0Dh,0Ah

db '- not enough space for thread data',0Dh

db 0Ah,0

aAbnormalProgra db 0Dh,0Ah

db 'abnormal program termination',0Dh,0Ah,0

align 4

aR6009NotEnough db 'R6009',0Dh,0Ah

db '- not enough space for environment',0Dh

db 0Ah,0

aR6008NotEnough db 'R6008',0Dh,0Ah

db '- not enough space for arguments',0Dh,0Ah

db 0

align 4

aR6002FloatingP db 'R6002',0Dh,0Ah

db '- floating point not loaded',0Dh,0Ah,0

align 4

aMicrosoftVisua db 'Microsoft Visual C++ Runtime Librar'

db 'y',0

align 4

; char asc_1000637C[]

asc_1000637C db 0Ah

db 0Ah,0

align 10h

; char aRuntimeErrorPr[]

aRuntimeErrorPr db 'Runtime Error!',0Ah

db 0Ah

db 'Program: ',0

align 4

; char a___[]

a___ db '...',0

; char Source[]

Source db '<program name unknown>',0

align 4

aSunmontuewedth db 'SunMonTueWedThuFriSat',0

align 10h

aJanfebmaraprma db 'JanFebMarAprMayJunJulAugSepOctNovDe'

db 'c',0

align 4

aTz db 'TZ',0

align 4

; char aGetlastactivep[]

aGetlastactivep db 'GetLastActivePopup',0

align 10h

; char aGetactivewindo[]

aGetactivewindo db 'GetActiveWindow',0

; char ProcName[]

ProcName db 'MessageBoxA',0

; char LibFileName[]

LibFileName db 'user32.dll',0

align 4

; char String2[]

String2 db 4 dup(0)

; const WCHAR SrcStr

SrcStr dw 0

align 10h

unk_10006440 db 0FFh

db 0FFh

db 0FFh

db 0FFh

dd offset loc_10004301

dd offset loc_10004305

db 0FFh

db 0FFh

db 0FFh

db 0FFh

dd offset loc_100043B5

dd offset loc_100043B9

unk_10006458 db 0FFh

db 0FFh

db 0FFh

db 0FFh

dd offset loc_10004539

dd offset loc_1000453D

align 8

unk_10006468 db 0FFh

db 0FFh

db 0FFh

db 0FFh

dd offset loc_10004AA6

dd offset loc_10004AAA

db 0FFh

db 0FFh

db 0FFh

db 0FFh

dd offset loc_10004B15

dd offset loc_10004B19

aHMmSs db 'H:mm:ss',0

aDdddMmmmDdYyyy db 'dddd, MMMM dd, yyyy',0

aMDYy db 'M/d/yy',0

align 4

aPm db 'PM',0

align 4

aAm db 'AM',0

align 4

aDecember db 'December',0

align 4

aNovember db 'November',0

align 4

aOctober db 'October',0

aSeptember db 'September',0

align 4

aAugust db 'August',0

align 10h

aJuly db 'July',0

align 4

aJune db 'June',0

align 10h

aApril db 'April',0

align 4

aMarch db 'March',0

align 10h

aFebruary db 'February',0

align 4

aJanuary db 'January',0

aDec db 'Dec',0

aNov db 'Nov',0

aOct db 'Oct',0

aSep db 'Sep',0

aAug db 'Aug',0

aJul db 'Jul',0

aJun db 'Jun',0

aMay db 'May',0

aApr db 'Apr',0

aMar db 'Mar',0

aFeb db 'Feb',0

aJan db 'Jan',0

aSaturday db 'Saturday',0

align 10h

aFriday db 'Friday',0

align 4

aThursday db 'Thursday',0

align 4

aWednesday db 'Wednesday',0

align 10h

aTuesday db 'Tuesday',0

aMonday db 'Monday',0

align 10h

aSunday db 'Sunday',0

align 4

aSat db 'Sat',0

aFri db 'Fri',0

aThu db 'Thu',0

aWed db 'Wed',0

aTue db 'Tue',0

aMon db 'Mon',0

aSun db 'Sun',0

__IMPORT_DESCRIPTOR_KERNEL32 dd rva off_100065CC ; Import Name Table

dd 0                    ; Time stamp

dd 0                    ; Forwarder Chain

dd rva aKernel32_dll    ; DLL Name

dd rva InitializeCriticalSection ; Import Address Table

db    0

db    0

db    0

db    0

db    0

db    0

db    0

db    0

db    0

db    0

db    0

db    0

db    0

db    0

db    0

db    0

db    0

db    0

db    0

db    0

;

; Import names for KERNEL32.dll

;

off_100065CC dd rva word_100068A6

dd rva word_100066AE

dd rva word_100066BE

dd rva word_100066CE

dd rva word_100066E0

dd rva word_100066EE

dd rva word_100066FA

dd rva word_10006710

dd rva word_1000671E

dd rva word_1000672A

dd rva word_10006734

dd rva word_10006742

dd rva word_10006750

dd rva word_10006764

dd rva word_10006778

dd rva word_1000678A

dd rva word_1000679A

dd rva word_100067A8

dd rva word_100067BA

dd rva word_100067D2

dd rva word_100067E8

dd rva word_10006802

dd rva word_1000681C

dd rva word_10006832

dd rva word_1000684A

dd rva word_10006864

dd rva word_10006872

dd rva word_10006880

dd rva word_1000688E

dd rva word_1000689A

dd rva word_10006694

dd rva word_100068C2

dd rva word_100068DA

dd rva word_100068F2

dd rva word_10006902

dd rva word_10006910

dd rva word_1000691C

dd rva word_10006926

dd rva word_10006932

dd rva word_10006944

dd rva word_10006954

dd rva word_1000696A

dd rva word_1000697A

dd rva word_1000698A

dd rva word_1000699C

dd rva word_100069AE

dd rva word_100069BA

dd rva word_100069CC

dd rva word_100069DE

dd 0

word_10006694 dw 170h

db 'GetTimeZoneInformation',0

align 2

word_100066AE dw 15Dh

db 'GetSystemTime',0

word_100066BE dw 11Bh

db 'GetLocalTime',0

align 2

word_100066CE dw 0CAh

db 'GetCommandLineA',0

word_100066E0 dw 174h

db 'GetVersion',0

align 2

word_100066EE dw 199h

db 'HeapAlloc',0

word_100066FA dw 0FAh

db 'GetCurrentThreadId',0

align 10h

word_10006710 dw 2A5h

db 'TlsSetValue',0

word_1000671E dw 2A2h

db 'TlsAlloc',0

align 2

word_1000672A dw 2A3h

db 'TlsFree',0

word_10006734 dw 2A4h

db 'TlsGetValue',0

word_10006742 dw 7Dh

db 'ExitProcess',0

word_10006750 dw 29Eh

db 'TerminateProcess',0

align 4

word_10006764 dw 0F7h

db 'GetCurrentProcess',0

word_10006778 dw 26Dh

db 'SetHandleCount',0

align 2

word_1000678A dw 152h

db 'GetStdHandle',0

align 2

word_1000679A dw 115h

db 'GetFileType',0

word_100067A8 dw 150h

db 'GetStartupInfoA',0

word_100067BA dw 55h

db 'DeleteCriticalSection',0

word_100067D2 dw 124h

db 'GetModuleFileNameA',0

align 4

word_100067E8 dw 0B2h

db 'FreeEnvironmentStringsA',0

word_10006802 dw 0B3h

db 'FreeEnvironmentStringsW',0

word_1000681C dw 2D2h

db 'WideCharToMultiByte',0

word_10006832 dw 106h

db 'GetEnvironmentStrings',0

word_1000684A dw 108h

db 'GetEnvironmentStringsW',0

align 4

word_10006864 dw 19Dh

db 'HeapDestroy',0

word_10006872 dw 19Bh

db 'HeapCreate',0

align 10h

word_10006880 dw 2BFh

db 'VirtualFree',0

word_1000688E dw 19Fh

db 'HeapFree',0

align 2

word_1000689A dw 2DFh

db 'WriteFile',0

word_100068A6 dw 1AAh

db 'InitializeCriticalSection',0

word_100068C2 dw 66h

db 'EnterCriticalSection',0

align 2

word_100068DA dw 1C1h

db 'LeaveCriticalSection',0

align 2

word_100068F2 dw 2BBh

db 'VirtualAlloc',0

align 2

word_10006902 dw 1A2h

db 'HeapReAlloc',0

word_10006910 dw 0BFh

db 'GetCPInfo',0

word_1000691C dw 0B9h

db 'GetACP',0

align 2

word_10006926 dw 131h

db 'GetOEMCP',0

align 2

word_10006932 dw 13Eh

db 'GetProcAddress',0

align 4

word_10006944 dw 1C2h

db 'LoadLibraryA',0

align 4

word_10006954 dw 1E4h

db 'MultiByteToWideChar',0

word_1000696A dw 1BFh

db 'LCMapStringA',0

align 2

word_1000697A dw 1C0h

db 'LCMapStringW',0

align 2

word_1000698A dw 153h

db 'GetStringTypeA',0

align 4

word_1000699C dw 156h

db 'GetStringTypeW',0

align 2

word_100069AE dw 22Fh

db 'RtlUnwind',0

word_100069BA dw 21h

db 'CompareStringA',0

align 4

word_100069CC dw 22h

db 'CompareStringW',0

align 2

word_100069DE dw 262h

db 'SetEnvironmentVariableA',0

aKernel32_dll db 'KERNEL32.dll',0

align 10h

;

; Export directory for CiCp.dll

;

dd 0                    ; Characteristics

dd 3EFB0E43h            ; TimeDateStamp: Thu Jun 26 17:16:19 2003

dw 0                    ; MajorVersion

dw 0                    ; MinorVersion

dd rva aCicp_dll        ; Name

dd 1                    ; Base

dd 1                    ; NumberOfFunctions

dd 1                    ; NumberOfNames

dd rva off_10006A38     ; AddressOfFunctions

dd rva off_10006A3C     ; AddressOfNames

dd rva word_10006A40    ; AddressOfNameOrdinals

;

; Export Address Table for CiCp.dll

;

off_10006A38 dd rva ValidatePwd

;

; Export Names Table for CiCp.dll

;

off_10006A3C dd rva aValidatepwd ; "ValidatePwd"

;

; Export Orfinals Table for CiCp.dll

;

word_10006A40 dw 0

aCicp_dll db 'CiCp.dll',0

aValidatepwd db 'ValidatePwd',0

align 800h

_rdata ends

I don't know what I should look for; there are a lot of "ValidatePwd" and "CompareString" entries.
How can I find this key or password?
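The two routines that matter in the listing above are sub_10001010 and the exported ValidatePwd; everything after them (the collapsed CRT functions, the KERNEL32 import table, the string tables) is Visual C++ runtime scaffolding. The C below is an added reading aid written for this thread, not code from the DLL's author or from the installer script in post #1, and it renders what those two routines do according to our reading of the assembly: the installer passes a pointer to the fixed secret string (local_string18) and a pointer to the typed text (local_string17), ValidatePwd turns time(0) into a day number (the imul by 0C22E4507h, sar 16 and sign fix-up is the compiler's idiom for signed division by 86400), and sub_10001010 builds a 7-byte key from the secret using two residues of that day number ((17*day) mod 20 and (3*day) mod 20 are the two idiv-by-14h results) before comparing it to the input with __strcmpi. That is why the secret string itself is rejected: it is the input to the derivation, never the expected answer. The cmp edi,3 / dec esi loop accepts the key for today or either of the two preceding days. Two details are our assumptions rather than the page's: day number 12345 in main is a constructed value, and because some day numbers push an index past the end of the 24-byte secret (the DLL then reads whatever follows it in memory), the model below substitutes NUL there and reports that the key came out truncated.

```c
/* Added reading aid, not code from the thread: a C rendering of what the listing's
 * sub_10001010 and ValidatePwd do. Interpretation of the constants is ours. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 7          /* Str1 is 7 bytes plus the NUL written to var_5D */
#define DAY_WINDOW 3       /* the cmp edi,3 / dec esi loop in ValidatePwd */

/* Mirrors "mov al, [idx+edi]" on the secret, except that an index at or past the
 * terminator yields NUL here instead of reading whatever follows the string in memory
 * (our assumption; the DLL itself reads out of bounds for some day numbers). */
static char pick(const char *secret, size_t len, long idx)
{
    return (idx >= 0 && (size_t)idx < len) ? secret[idx] : '\0';
}

/* sub_10001010: derive the key for day number `day`. The two idiv-by-14h results are
 * i = (17*day) mod 20 and j = (3*day) mod 20; the seven bytes stored into Str1 are
 * secret[i], secret[j], secret[i+2], secret[j+2], secret[i+4], secret[j+4], secret[i+6].
 * Returns 1 if every index was inside the secret, 0 if the key came out truncated. */
int derive_key(const char *secret, long day, char out[KEY_LEN + 1])
{
    size_t len = strlen(secret);
    long i = (17 * day) % 20;
    long j = (3 * day) % 20;
    long idx[KEY_LEN] = { i, j, i + 2, j + 2, i + 4, j + 4, i + 6 };
    int in_bounds = 1;

    for (int k = 0; k < KEY_LEN; k++) {
        if (idx[k] < 0 || (size_t)idx[k] >= len)
            in_bounds = 0;
        out[k] = pick(secret, len, idx[k]);
    }
    out[KEY_LEN] = '\0';
    return in_bounds;
}

/* __strcmpi: case-insensitive equality, so letters in the key may be typed either way. */
static int equal_nocase(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = tolower((unsigned char)*a);
        int cb = tolower((unsigned char)*b);
        if (ca != cb) return 0;
        if (ca == '\0') return 1;
    }
}

/* ValidatePwd with the day number passed in explicitly: the key for `today` or for
 * either of the two preceding days is accepted (esi is decremented after each miss). */
int validate_pwd(const char *secret, const char *input, long today)
{
    char key[KEY_LEN + 1];
    for (int attempt = 0; attempt < DAY_WINDOW; attempt++) {
        derive_key(secret, today - attempt, key);
        if (equal_nocase(key, input))
            return 1;
    }
    return 0;
}

/* The exported entry point as the DLL computes it: today = time(0) / 86400, i.e. the
 * day number since the Unix epoch (the 0C22E4507h multiply, sar 16 and sign fix-up). */
int validate_pwd_now(const char *secret, const char *input)
{
    return validate_pwd(secret, input, (long)(time(NULL) / 86400));
}

/* Helpers for checking one day's derived key: exact (case-sensitive) comparison, and
 * whether the derivation ran past the end of the secret. */
int key_for_day_is(const char *secret, long day, const char *expected)
{
    char key[KEY_LEN + 1];
    return derive_key(secret, day, key) && strcmp(key, expected) == 0;
}

int key_for_day_truncated(const char *secret, long day)
{
    char key[KEY_LEN + 1];
    return !derive_key(secret, day, key);
}

int main(void)
{
    /* The secret from the installer script; day 12345 is a constructed day number. */
    const char *secret = "am5y&p333tg3#fh71vdokujv";
    char key[KEY_LEN + 1];

    derive_key(secret, 12345, key);
    printf("day 12345 -> key %s\n", key);
    printf("secret string itself accepted on day 12345? %d\n",
           validate_pwd(secret, secret, 12345));
    printf("day 12347 key truncated (index past the 24-byte secret)? %d\n",
           key_for_day_truncated(secret, 12347));
    return 0;
}
```

From a reviewer's point of view the scheme is weak in the ways the listing makes visible: the secret sits in plaintext in the script, the comparison is case-insensitive so the effective keyspace is smaller than the 7 characters suggest, the check is a plain string compare rather than a hash comparison, and the index arithmetic can read past the secret's terminator, so on some days the expected key depends on unrelated memory.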

#5
WingedPanther (Moderator, 16,831 posts, Upstate, South Carolina)
At this point, you're looking at assembly code, which is definitely NOT my strong suit.
Programming is a branch of mathematics.

#6
movax85 (Newbie, 4 posts)
How would you have done it, to find the password?
I did find the CiCp.dll file, and compiled it, but that is also assembly code.

#7
DarkLordofthePenguins (Programming Expert, 409 posts)
Do you know what assembly language that is? There are many assembly languages, not just one.

Anyway, I can't help you with reverse engineering, as I have no experience with it. Be careful about that, though. If you reverse-engineer proprietary software, and the companies that made it find out about it, you could get sued.
Programming is a journey, not a destination.

#8
DarkLordofthePenguins (Programming Expert, 409 posts)

movax85 said:

How would you have done it, to find the password?
I did find the CiCp.dll file, and compiled it, but that is also assembly code.

I believe .dll files (and other shared libraries) are binary files. They do not contain readable instructions, though you could reverse-engineer those as well.
Programming is a journey, not a destination.
