Muy interesante, me lo guardo para cuando tenga tiempo.
Saludos
PD: Puedes enviarme la solución por MP? Solo por si no logro hacerlo en un tiempo razonable.
XD
Interesante "reto"...
base: 400000
wndproc del dialogo:
00406240 . 55 PUSH EBP
00406241 . 8BEC MOV EBP,ESP
00406243 . 81EC 98050000 SUB ESP,0x598
00406249 . A1 30404200 MOV EAX,DWORD PTR DS:[0x424030]
0040624E . 33C5 XOR EAX,EBP
00406250 . 8945 F4 MOV DWORD PTR SS:[EBP-0xC],EAX
00406253 > EB 06 JMP SHORT mfc7sys.0040625B
00406255 >^EB FC JMP SHORT mfc7sys.00406253
00406257 .^EB FC JMP SHORT mfc7sys.00406255
00406259 . 0132 ADD DWORD PTR DS:[EDX],ESI
0040625B > 8B45 0C MOV EAX,DWORD PTR SS:[EBP+0xC]
0040625E . 8985 6CFAFFFF MOV DWORD PTR SS:[EBP-0x594],EAX
00406264 . 83BD 6CFAFFFF >CMP DWORD PTR SS:[EBP-0x594],0x10
0040626B . 74 16 JE SHORT mfc7sys.00406283
0040626D . 81BD 6CFAFFFF >CMP DWORD PTR SS:[EBP-0x594],0x111
00406277 . 74 1B JE SHORT mfc7sys.00406294
00406279 . E9 B4020000 JMP mfc7sys.00406532
0040627E . E9 AF020000 JMP mfc7sys.00406532
00406283 > 6A 00 PUSH 0x0 ; /Result = 0x0
00406285 . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+0x8] ; |
00406288 . 51 PUSH ECX ; |hWnd
00406289 . FF15 CCF24100 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog
0040628F . E9 9E020000 JMP mfc7sys.00406532
00406294 > 8B55 10 MOV EDX,DWORD PTR SS:[EBP+0x10]
00406297 . 81E2 FFFF0000 AND EDX,0xFFFF
0040629D . 0FB7C2 MOVZX EAX,DX
004062A0 . 8985 68FAFFFF MOV DWORD PTR SS:[EBP-0x598],EAX
004062A6 . 83BD 68FAFFFF >CMP DWORD PTR SS:[EBP-0x598],0x1
004062AD . 74 46 JE SHORT mfc7sys.004062F5
004062AF . 83BD 68FAFFFF >CMP DWORD PTR SS:[EBP-0x598],0x2
004062B6 . 0F84 6A020000 JE mfc7sys.00406526
004062BC . 81BD 68FAFFFF >CMP DWORD PTR SS:[EBP-0x598],0x3FB
004062C6 . 74 05 JE SHORT mfc7sys.004062CD
004062C8 . E9 65020000 JMP mfc7sys.00406532
004062CD > 6A 03 PUSH 0x3
004062CF . 6A 00 PUSH 0x0
004062D1 . 6A 00 PUSH 0x0
004062D3 . 8B0D E4544200 MOV ECX,DWORD PTR DS:[0x4254E4] ; mfc7sys.00427420
004062D9 . 51 PUSH ECX
004062DA . 68 44F34100 PUSH mfc7sys.0041F344 ; ASCII "open"
004062DF . B9 C8504200 MOV ECX,mfc7sys.004250C8
004062E4 . E8 97B0FFFF CALL mfc7sys.00401380
004062E9 . 50 PUSH EAX ; |hWnd
004062EA . FF15 30F24100 CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; \ShellExecuteA
004062F0 . E9 3D020000 JMP mfc7sys.00406532
004062F5 > 6A 32 PUSH 0x32 ; /Count = 32 (50.)
004062F7 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-0x74] ; |
004062FA . 52 PUSH EDX ; |Buffer
004062FB . 68 FD030000 PUSH 0x3FD ; |ControlID = 3FD (1021.)
00406300 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+0x8] ; |
00406303 . 50 PUSH EAX ; |hWnd
00406304 . FF15 98F24100 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \GetDlgItemTextA
0040630A . 6A 32 PUSH 0x32 ; /Count = 32 (50.)
0040630C . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-0x40] ; |
0040630F . 51 PUSH ECX ; |Buffer
00406310 . 68 FE030000 PUSH 0x3FE ; |ControlID = 3FE (1022.)
00406315 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+0x8] ; |
00406318 . 52 PUSH EDX ; |hWnd
00406319 . FF15 98F24100 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \GetDlgItemTextA
0040631F . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-0x74]
00406322 . 50 PUSH EAX ; /String
00406323 . FF15 D4F14100 CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; \lstrlenA
00406329 . 83F8 18 CMP EAX,0x18
0040632C . 74 39 JE SHORT mfc7sys.00406367
0040632E . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-0x40]
00406331 . 51 PUSH ECX ; /String
00406332 . FF15 D4F14100 CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; \lstrlenA
00406338 . 83F8 18 CMP EAX,0x18
0040633B . 75 2A JNZ SHORT mfc7sys.00406367
0040633D . 6A 32 PUSH 0x32 ; /Count = 32 (50.)
0040633F . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-0x74] ; |
00406342 . 52 PUSH EDX ; |Buffer
00406343 . 68 FE030000 PUSH 0x3FE ; |ControlID = 3FE (1022.)
00406348 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+0x8] ; |
0040634B . 50 PUSH EAX ; |hWnd
0040634C . FF15 98F24100 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \GetDlgItemTextA
00406352 . 6A 32 PUSH 0x32 ; /Count = 32 (50.)
00406354 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-0x40] ; |
00406357 . 51 PUSH ECX ; |Buffer
00406358 . 68 FD030000 PUSH 0x3FD ; |ControlID = 3FD (1021.)
0040635D . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+0x8] ; |
00406360 . 52 PUSH EDX ; |hWnd
00406361 . FF15 98F24100 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \GetDlgItemTextA
00406367 > 6A 00 PUSH 0x0 ; /hTemplateFile = NULL
00406369 . 68 80000000 PUSH 0x80 ; |Attributes = NORMAL
0040636E . 6A 02 PUSH 0x2 ; |Mode = CREATE_ALWAYS
00406370 . 6A 00 PUSH 0x0 ; |pSecurity = NULL
00406372 . 6A 03 PUSH 0x3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00406374 . 68 000000C0 PUSH 0xC0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00406379 . 68 684D4200 PUSH mfc7sys.00424D68 ; |FileName = "C:\Documents and Settings\All Users\Application Data\mfc7sys.dat"
0040637E . FF15 C4F14100 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA
00406384 . 8945 FC MOV DWORD PTR SS:[EBP-0x4],EAX
00406387 . 837D FC FF CMP DWORD PTR SS:[EBP-0x4],-0x1
0040638B . 74 6E JE SHORT mfc7sys.004063FB
0040638D . 6A 00 PUSH 0x0 ; /pOverlapped = NULL
0040638F . 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-0x8] ; |
00406392 . 50 PUSH EAX ; |pBytesWritten
00406393 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-0x74] ; |
00406396 . 51 PUSH ECX ; |/String
00406397 . FF15 D4F14100 CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; |\lstrlenA
0040639D . 50 PUSH EAX ; |nBytesToWrite
0040639E . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-0x74] ; |
004063A1 . 52 PUSH EDX ; |Buffer
004063A2 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-0x4] ; |
004063A5 . 50 PUSH EAX ; |hFile
004063A6 . FF15 A8F14100 CALL DWORD PTR DS:[<&KERNEL32.WriteFile>>; \WriteFile
004063AC . 8B4D FC MOV ECX,DWORD PTR SS:[EBP-0x4]
004063AF . 51 PUSH ECX ; /hObject
004063B0 . FF15 B4F14100 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
004063B6 . 6A 01 PUSH 0x1 ; /Revision = 0x1
004063B8 . 8D95 78FFFFFF LEA EDX,DWORD PTR SS:[EBP-0x88] ; |
004063BE . 52 PUSH EDX ; |pSecDescr
004063BF . FF15 0CF04100 CALL DWORD PTR DS:[<&ADVAPI32.Initialize>; \InitializeSecurityDescriptor
004063C5 . 6A 00 PUSH 0x0
004063C7 . 6A 00 PUSH 0x0
004063C9 . 6A 01 PUSH 0x1
004063CB . 8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-0x88]
004063D1 . 50 PUSH EAX
004063D2 . FF15 10F04100 CALL DWORD PTR DS:[<&ADVAPI32.SetSecurit>; advapi32.SetSecurityDescriptorDacl
004063D8 . 8985 74FFFFFF MOV DWORD PTR SS:[EBP-0x8C],EAX
004063DE . 83BD 74FFFFFF >CMP DWORD PTR SS:[EBP-0x8C],0x0
004063E5 . 74 14 JE SHORT mfc7sys.004063FB
004063E7 . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-0x88]
004063ED . 51 PUSH ECX
004063EE . 6A 04 PUSH 0x4
004063F0 . 68 684D4200 PUSH mfc7sys.00424D68 ; ASCII "C:\Documents and Settings\All Users\Application Data\mfc7sys.dat"
004063F5 . FF15 14F04100 CALL DWORD PTR DS:[<&ADVAPI32.SetFileSec>; advapi32.SetFileSecurityA
004063FB > 68 E8030000 PUSH 0x3E8 ; /Timeout = 1000. ms
00406400 . FF15 98F04100 CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep
00406406 . E8 05E6FFFF CALL mfc7sys.00404A100040640B . 0FBED0 MOVSX EDX,AL
0040640E . 85D2 TEST EDX,EDX
00406410 . 74 1C JE SHORT mfc7sys.0040642E
00406412 . 6A 00 PUSH 0x0 ; /Style = MB_OK|MB_APPLMODAL
00406414 . 68 54724200 PUSH mfc7sys.00427254 ; |Title = "FKL"
00406419 . A1 C0504200 MOV EAX,DWORD PTR DS:[0x4250C0] ; |
0040641E . 50 PUSH EAX ; |Text => "Invalid key!"0040641F . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+0x8] ; |
00406422 . 51 PUSH ECX ; |hOwner
00406423 . FF15 E4F24100 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
00406429 . E9 F6000000 JMP mfc7sys.00406524
0040642E > 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-0x40]
00406431 . 52 PUSH EDX ; /<%s>
00406432 . 68 4C724200 PUSH mfc7sys.0042724C ; |<%s> = "5.56"
00406437 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-0x74] ; |
0040643A . 50 PUSH EAX ; |<%s>
0040643B . 68 007A4200 PUSH mfc7sys.00427A00 ; |Format = "-new
http://spyarsenal.com/cgi-bin/reg.pl?p=fkl&key=%s&v=%s&email=%s"00406440 . 8D8D 70FAFFFF LEA ECX,DWORD PTR SS:[EBP-0x590] ; |
00406446 . 51 PUSH ECX ; |s
00406447 . FF15 9CF24100 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; \wsprintfA
0040644D . 83C4 14 ADD ESP,0x14
00406450 . 6A 00 PUSH 0x0 ; /IsShown = 0x0
00406452 . 6A 00 PUSH 0x0 ; |DefDir = NULL
00406454 . 8D95 70FAFFFF LEA EDX,DWORD PTR SS:[EBP-0x590] ; |
0040645A . 52 PUSH EDX ; |Parameters
0040645B . 68 AC714200 PUSH mfc7sys.004271AC ; |FileName = "iexplore.exe"
00406460 . 68 44F34100 PUSH mfc7sys.0041F344 ; |Operation = "open"
00406465 . 6A 00 PUSH 0x0 ; |hWnd = NULL
00406467 . FF15 30F24100 CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; \ShellExecuteA
0040646D . 68 88130000 PUSH 0x1388 ; /Timeout = 5000. ms
00406472 . FF15 98F04100 CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep
00406478 . 6A 00 PUSH 0x0 ; /Style = MB_OK|MB_APPLMODAL
0040647A . 68 54724200 PUSH mfc7sys.00427254 ; |Title = "FKL"
0040647F . A1 E0544200 MOV EAX,DWORD PTR DS:[0x4254E0] ; |
00406484 . 50 PUSH EAX ; |Text => "Thank you for registration!"00406485 . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+0x8] ; |
00406488 . 51 PUSH ECX ; |hOwner
00406489 . FF15 E4F24100 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
0040648F . 68 E8030000 PUSH 0x3E8 ; /Timeout = 1000. ms
00406494 . FF15 98F04100 CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep
0040649A . 6A 00 PUSH 0x0 ; /Result = 0x0
0040649C . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+0x8] ; |
0040649F . 52 PUSH EDX ; |hWnd
004064A0 . FF15 CCF24100 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog
004064A6 . 68 B80B0000 PUSH 0xBB8 ; /Timeout = 3000. ms
004064AB . FF15 98F04100 CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep
004064B1 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-0x74]
004064B4 . 50 PUSH EAX ; /Arg3
004064B5 . 68 FA000000 PUSH 0xFA ; |Arg2 = 000000FA
004064BA . 8D8D 70FEFFFF LEA ECX,DWORD PTR SS:[EBP-0x190] ; |
004064C0 . 51 PUSH ECX ; |Arg1
004064C1 . E8 25220000 CALL mfc7sys.004086EB ; \mfc7sys.004086EB
004064C6 . 83C4 0C ADD ESP,0xC
004064C9 . 68 BC714200 PUSH mfc7sys.004271BC ; /Arg3 = 004271BC ASCII " - Windows Internet Explorer"
004064CE . 68 FA000000 PUSH 0xFA ; |Arg2 = 000000FA
004064D3 . 8D95 70FEFFFF LEA EDX,DWORD PTR SS:[EBP-0x190] ; |
004064D9 . 52 PUSH EDX ; |Arg1
004064DA . E8 74220000 CALL mfc7sys.00408753 ; \mfc7sys.00408753
004064DF . 83C4 0C ADD ESP,0xC
004064E2 . 8D85 70FEFFFF LEA EAX,DWORD PTR SS:[EBP-0x190]
004064E8 . 50 PUSH EAX ; /Title
004064E9 . 6A 00 PUSH 0x0 ; |Class = 0x0
004064EB . FF15 A0F24100 CALL DWORD PTR DS:[<&USER32.FindWindowA>>; \FindWindowA
004064F1 . 8985 70FFFFFF MOV DWORD PTR SS:[EBP-0x90],EAX
004064F7 . 83BD 70FFFFFF >CMP DWORD PTR SS:[EBP-0x90],0x0
004064FE . 74 24 JE SHORT mfc7sys.00406524
00406500 . 6A 00 PUSH 0x0 ; /lParam = 0x0
00406502 . 68 60F00000 PUSH 0xF060 ; |wParam = 0xF060
00406507 . 68 12010000 PUSH 0x112 ; |Message = WM_SYSCOMMAND
0040650C . 8B8D 70FFFFFF MOV ECX,DWORD PTR SS:[EBP-0x90] ; |
00406512 . 51 PUSH ECX ; |hWnd
00406513 . FF15 ACF24100 CALL DWORD PTR DS:[<&USER32.SendMessageA>; \SendMessageA
00406519 . 68 684D4200 PUSH mfc7sys.00424D68 ; /FileName = "C:\Documents and Settings\All Users\Application Data\mfc7sys.dat"
0040651E . FF15 70F14100 CALL DWORD PTR DS:[<&KERNEL32.DeleteFile>; \DeleteFileA
00406524 > EB 0C JMP SHORT mfc7sys.00406532
00406526 > 6A 00 PUSH 0x0 ; /Result = 0x0
00406528 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+0x8] ; |
0040652B . 52 PUSH EDX ; |hWnd
0040652C . FF15 CCF24100 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog
00406532 > EB 06 JMP SHORT mfc7sys.0040653A
00406534 >^EB FC JMP SHORT mfc7sys.00406532
00406536 .^EB FC JMP SHORT mfc7sys.00406534
00406538 03 DB 03
00406539 34 DB 34 ; CHAR '4'
0040653A > 33C0 XOR EAX,EAX
0040653C . 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-0xC]
0040653F . 33CD XOR ECX,EBP
00406541 . E8 A41C0000 CALL mfc7sys.004081EA
00406546 . 8BE5 MOV ESP,EBP
00406548 . 5D POP EBP
00406549 . C2 1000 RETN 0x10
Check (00404A10):
00404A10 $ 55 PUSH EBP
00404A11 . 8BEC MOV EBP,ESP
00404A13 . 81EC 28010000 SUB ESP,0x128
00404A19 . A1 30404200 MOV EAX,DWORD PTR DS:[0x424030]
00404A1E . 33C5 XOR EAX,EBP
00404A20 . 8945 F8 MOV DWORD PTR SS:[EBP-0x8],EAX
00404A23 . 56 PUSH ESI
00404A24 > EB 06 JMP SHORT mfc7sys.00404A2C
00404A26 >^EB FC JMP SHORT mfc7sys.00404A24
00404A28 .^EB FC JMP SHORT mfc7sys.00404A26
00404A2A . 0132 ADD DWORD PTR DS:[EDX],ESI
00404A2C > C785 DCFEFFFF >MOV DWORD PTR SS:[EBP-0x124],0x0
00404A36 . C705 00404200 >MOV DWORD PTR DS:[0x424000],0x0
00404A40 . 6A 00 PUSH 0x0 ; /hTemplateFile = NULL
00404A42 . 68 80000000 PUSH 0x80 ; |Attributes = NORMAL
00404A47 . 6A 03 PUSH 0x3 ; |Mode = OPEN_EXISTING
00404A49 . 6A 00 PUSH 0x0 ; |pSecurity = NULL
00404A4B . 6A 03 PUSH 0x3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00404A4D . 68 00000080 PUSH 0x80000000 ; |Access = GENERIC_READ
00404A52 . 68 684D4200 PUSH mfc7sys.00424D68 ; |FileName = "C:\Documents and Settings\All Users\Application Data\mfc7sys.dat"
00404A57 . FF15 C4F14100 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA
00404A5D . 8945 E0 MOV DWORD PTR SS:[EBP-0x20],EAX
00404A60 . 837D E0 FF CMP DWORD PTR SS:[EBP-0x20],-0x1
00404A64 . 75 07 JNZ SHORT mfc7sys.00404A6D
00404A66 . B0 01 MOV AL,0x1
00404A68 . E9 CF030000 JMP mfc7sys.00404E3C
00404A6D > 6A 00 PUSH 0x0 ; /pOverlapped = NULL
00404A6F . 8D45 FC LEA EAX,DWORD PTR SS:[EBP-0x4] ; |
00404A72 . 50 PUSH EAX ; |pBytesRead
00404A73 . 68 FE000000 PUSH 0xFE ; |BytesToRead = FE (254.)
00404A78 . 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-0x120] ; |
00404A7E . 51 PUSH ECX ; |Buffer
00404A7F . 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-0x20] ; |
00404A82 . 52 PUSH EDX ; |hFile
00404A83 . FF15 98F14100 CALL DWORD PTR DS:[<&KERNEL32.ReadFile>] ; \ReadFile
00404A89 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-0x4]
...
.:UND3R:. si necesitas un "Local Keylogger" mandame un MP, puedo programarte uno mejor que esta basura
Esas son efectivamente posibles strings interesantes pero si reinicias el ejecutable verás que no están y si es no está ¿Cómo puedes parchear ese salto?.
Mostrar Mensajes
):
:
. Imagínate que lo hiciste en un día todo este avance, si siguieras en esto llegarías muy lejos. Saludos