How do I crack the proQuery function in the Sentinel Rainbow Pro protection - akhfar - 29-01-2021
Peace be upon you and the mercy and blessings of God. Now then:
I was following a foreign tutorial on cracking the Sentinel dongle protection, and suddenly everything became vague and I could not understand where he was getting the functions from... In any case, I think the protection he had was harder than the one I have. I followed the cracking steps as follows:
1- I searched for IDA signatures for the program, found them, and defined the functions
2- Cracked the RNBOproFormatPacket function
3- Cracked the RNBOproInitialize function
4- Tried to crack the RNBOproQuery function, but I found it complicated and did not know what to do, because it accesses memory and compares cells...
The function in the tutorial reads six input values, but the function I have reads only 4. After searching, I found that this function is formed as follows:
DRNBOproQuery (packetp, retstring, &word, len)
And this is the link to the tutorial:
Mega - Archive, 6 MB in size
And this is the function I have:
CPU Disasm
Address Hex dump Command Comments
0075F8D0 /$ 83EC 04 SUB ESP,4 ; RNBOsproQuery(x,x,x,x
0075F8D3 |. 53 PUSH EBX
0075F8D4 |. 56 PUSH ESI
0075F8D5 |. 57 PUSH EDI
0075F8D6 |. 8B7424 1C MOV ESI,DWORD PTR SS:[ARG.3]
0075F8DA |. 8B7C24 14 MOV EDI,DWORD PTR SS:[ARG.1]
0075F8DE |. 0BFF OR EDI,EDI
0075F8E0 |. 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075F8E5 |. 75 0D JNZ SHORT 0075F8F4
0075F8E7 |. 66:B8 0200 MOV AX,2
0075F8EB |. 5F POP EDI
0075F8EC |. 5E POP ESI
0075F8ED |. 5B POP EBX
0075F8EE |. 83C4 04 ADD ESP,4
0075F8F1 |. C2 1000 RETN 10
0075F8F4 |> 57 PUSH EDI ; /Arg1 => [ARG.1]
0075F8F5 |. E8 C6ADFFFF CALL 0075A6C0 ; \Snet.0075A6C0
0075F8FA |. 8BD8 MOV EBX,EAX
0075F8FC |. 66:813B 4272 CMP WORD PTR DS:[EBX],7242
0075F901 |. 74 0D JE SHORT 0075F910
0075F903 |. 66:B8 0200 MOV AX,2
0075F907 |. 5F POP EDI
0075F908 |. 5E POP ESI
0075F909 |. 5B POP EBX
0075F90A |. 83C4 04 ADD ESP,4
0075F90D |. C2 1000 RETN 10
0075F910 |> 8B4C24 18 MOV ECX,DWORD PTR SS:[ARG.2]
0075F914 |. 0BC9 OR ECX,ECX
0075F916 |. 75 13 JNZ SHORT 0075F92B
0075F918 |. 66:C743 06 10 MOV WORD PTR DS:[EBX+6],0C10
0075F91E |. 66:B8 1000 MOV AX,10
0075F922 |. 5F POP EDI
0075F923 |. 5E POP ESI
0075F924 |. 5B POP EBX
0075F925 |. 83C4 04 ADD ESP,4
0075F928 |. C2 1000 RETN 10
0075F92B |> 0BF6 OR ESI,ESI
0075F92D |. 75 13 JNZ SHORT 0075F942
0075F92F |. 66:C743 06 10 MOV WORD PTR DS:[EBX+6],0C10
0075F935 |. 66:B8 1000 MOV AX,10
0075F939 |. 5F POP EDI
0075F93A |. 5E POP ESI
0075F93B |. 5B POP EBX
0075F93C |. 83C4 04 ADD ESP,4
0075F93F |. C2 1000 RETN 10
0075F942 |> F643 12 04 TEST BYTE PTR DS:[EBX+12],04
0075F946 |. 75 18 JNZ SHORT 0075F960
0075F948 |. 66:C743 06 39 MOV WORD PTR DS:[EBX+6],0C39
0075F94E |. 66:B8 3900 MOV AX,39
0075F952 |. 5F POP EDI
0075F953 |. 5E POP ESI
0075F954 |. 5B POP EBX
0075F955 |. 83C4 04 ADD ESP,4
0075F958 |. C2 1000 RETN 10
0075F95B | 05 00000000 ADD EAX,0
0075F960 |> 66:8B4424 20 MOV AX,WORD PTR SS:[ARG.4]
0075F965 |. 66:3D 0200 CMP AX,2
0075F969 |. 73 18 JAE SHORT 0075F983
0075F96B |. 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075F970 |. 66:C743 06 15 MOV WORD PTR DS:[EBX+6],0C15
0075F976 |. 66:B8 1500 MOV AX,15
0075F97A |. 5F POP EDI
0075F97B |. 5E POP ESI
0075F97C |. 5B POP EBX
0075F97D |. 83C4 04 ADD ESP,4
0075F980 |. C2 1000 RETN 10
0075F983 |> 66:3D 4000 CMP AX,40
0075F987 |. 76 18 JBE SHORT 0075F9A1
0075F989 |. 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075F98E |. 66:C743 06 14 MOV WORD PTR DS:[EBX+6],0C14
0075F994 |. 66:B8 1400 MOV AX,14
0075F998 |. 5F POP EDI
0075F999 |. 5E POP ESI
0075F99A |. 5B POP EBX
0075F99B |. 83C4 04 ADD ESP,4
0075F99E |. C2 1000 RETN 10
0075F9A1 |> 66:3D 0200 CMP AX,2
0075F9A5 |. 76 6C JBE SHORT 0075FA13
0075F9A7 |. 66:8943 34 MOV WORD PTR DS:[EBX+34],AX
0075F9AB |. 66:C743 30 09 MOV WORD PTR DS:[EBX+30],9
0075F9B1 |. 8D7B 36 LEA EDI,[EBX+36]
0075F9B4 |. 50 PUSH EAX ; /Arg3
0075F9B5 |. 57 PUSH EDI ; |Arg2
0075F9B6 |. 51 PUSH ECX ; |Arg1 => [ARG.2]
0075F9B7 |. E8 D4ACFFFF CALL 0075A690 ; \Snet.0075A690
0075F9BC |. 53 PUSH EBX ; /Arg1
0075F9BD |. E8 AEEAFFFF CALL 0075E470 ; \Snet.0075E470
0075F9C2 |. 66:8943 06 MOV WORD PTR DS:[EBX+6],AX
0075F9C6 |. 0AC0 OR AL,AL
0075F9C8 |. 75 16 JNZ SHORT 0075F9E0
0075F9CA |. 6A 02 PUSH 2 ; /Arg3 = 2
0075F9CC |. 56 PUSH ESI ; |Arg2
0075F9CD |. 57 PUSH EDI ; |Arg1
0075F9CE |. E8 BDACFFFF CALL 0075A690 ; \Snet.0075A690
0075F9D3 |. 66:2BC0 SUB AX,AX
0075F9D6 |. 5F POP EDI
0075F9D7 |. 5E POP ESI
0075F9D8 |. 5B POP EBX
0075F9D9 |. 83C4 04 ADD ESP,4
0075F9DC |. C2 1000 RETN 10
0075F9DF | 90 NOP
0075F9E0 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075F9E5 |. 66:8B43 06 MOV AX,WORD PTR DS:[EBX+6]
0075F9E9 |. 66:3D 0301 CMP AX,103
0075F9ED |. 75 12 JNE SHORT 0075FA01
0075F9EF |. B8 12010000 MOV EAX,112
0075F9F4 |. 66:25 FF00 AND AX,00FF
0075F9F8 |. 5F POP EDI
0075F9F9 |. 5E POP ESI
0075F9FA |. 5B POP EBX
0075F9FB |. 83C4 04 ADD ESP,4
0075F9FE |. C2 1000 RETN 10
0075FA01 |> 25 FFFF0000 AND EAX,0000FFFF
0075FA06 |. 66:25 FF00 AND AX,00FF
0075FA0A |. 5F POP EDI
0075FA0B |. 5E POP ESI
0075FA0C |. 5B POP EBX
0075FA0D |. 83C4 04 ADD ESP,4
0075FA10 |. C2 1000 RETN 10
0075FA13 |> 33C0 XOR EAX,EAX
0075FA15 |. 8A01 MOV AL,BYTE PTR DS:[ECX]
0075FA17 |. 83E8 30 SUB EAX,30 ; Switch (cases 30..37, 9 exits)
0075FA1A |. 83F8 07 CMP EAX,7
0075FA1D |. 77 07 JA SHORT 0075FA26
0075FA1F |. FF2485 A0FC75 JMP DWORD PTR DS:[EAX*4+75FCA0]
0075FA26 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF ; Default case of switch Snet.75FA17
0075FA2B |. 66:C743 06 15 MOV WORD PTR DS:[EBX+6],0C15
0075FA31 |. 66:B8 1500 MOV AX,15
0075FA35 |. 5F POP EDI
0075FA36 |. 5E POP ESI
0075FA37 |. 5B POP EBX
0075FA38 |. 83C4 04 ADD ESP,4
0075FA3B |. C2 1000 RETN 10
0075FA3E | 8BFF MOV EDI,EDI
0075FA40 |> 33C0 XOR EAX,EAX ; Case 30 ('0') of switch Snet.75FA17
0075FA42 |. 8A41 01 MOV AL,BYTE PTR DS:[ECX+1]
0075FA45 |. 83F8 31 CMP EAX,31
0075FA48 |. 74 38 JE SHORT 0075FA82
0075FA4A |. 83F8 32 CMP EAX,32
0075FA4D |. 74 79 JE SHORT 0075FAC8
0075FA4F |. 83F8 33 CMP EAX,33
0075FA52 |. 0F84 88000000 JE 0075FAE0
0075FA58 |. 83F8 34 CMP EAX,34
0075FA5B |. 0F84 96000000 JE 0075FAF7
0075FA61 |. 83F8 35 CMP EAX,35
0075FA64 |. 0F84 A0000000 JE 0075FB0A
0075FA6A |. 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FA6F |. 66:C743 06 15 MOV WORD PTR DS:[EBX+6],0C15
0075FA75 |. 66:B8 1500 MOV AX,15
0075FA79 |. 5F POP EDI
0075FA7A |. 5E POP ESI
0075FA7B |. 5B POP EBX
0075FA7C |. 83C4 04 ADD ESP,4
0075FA7F |. C2 1000 RETN 10
0075FA82 |> 8D4424 0D LEA EAX,[LOCAL.0+1]
0075FA86 |. 50 PUSH EAX ; /Arg5
0075FA87 |. 8D4424 10 LEA EAX,[LOCAL.0] ; |
0075FA8B |. 50 PUSH EAX ; |Arg4 => OFFSET LOCAL.0
0075FA8C |. 8D4424 17 LEA EAX,[LOCAL.0+3] ; |
0075FA90 |. 50 PUSH EAX ; |Arg3
0075FA91 |. 8D4424 1A LEA EAX,[LOCAL.0+2] ; |
0075FA95 |. 50 PUSH EAX ; |Arg2
0075FA96 |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FA97 |. E8 84030000 CALL 0075FE20 ; \Snet.0075FE20
0075FA9C |. 66:0BC0 OR AX,AX
0075FA9F |. 75 19 JNZ SHORT 0075FABA
0075FAA1 |. 8A4424 0E MOV AL,BYTE PTR SS:[LOCAL.0+2]
0075FAA5 |. 8846 01 MOV BYTE PTR DS:[ESI+1],AL
0075FAA8 |. 8A4424 0F MOV AL,BYTE PTR SS:[LOCAL.0+3]
0075FAAC |. 8806 MOV BYTE PTR DS:[ESI],AL
0075FAAE |. 66:2BC0 SUB AX,AX
0075FAB1 |. 5F POP EDI
0075FAB2 |. 5E POP ESI
0075FAB3 |. 5B POP EBX
0075FAB4 |. 83C4 04 ADD ESP,4
0075FAB7 |. C2 1000 RETN 10
0075FABA |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FABF |. 5F POP EDI
0075FAC0 |. 5E POP ESI
0075FAC1 |. 5B POP EBX
0075FAC2 |. 83C4 04 ADD ESP,4
0075FAC5 |. C2 1000 RETN 10
0075FAC8 |> 56 PUSH ESI ; /Arg3 => [ARG.3]
0075FAC9 |. 6A 01 PUSH 1 ; |Arg2 = 1
0075FACB |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FACC |. E8 EF010000 CALL 0075FCC0 ; \Snet.0075FCC0
0075FAD1 |. 5F POP EDI
0075FAD2 |. 5E POP ESI
0075FAD3 |. 5B POP EBX
0075FAD4 |. 83C4 04 ADD ESP,4
0075FAD7 |. C2 1000 RETN 10
0075FADA | 8D9B 00000000 LEA EBX,[EBX]
0075FAE0 |> 66:8B43 06 MOV AX,WORD PTR DS:[EBX+6]
0075FAE4 |. 66:25 FF00 AND AX,00FF
0075FAE8 |. 66:8906 MOV WORD PTR DS:[ESI],AX
0075FAEB |. 66:2BC0 SUB AX,AX
0075FAEE |. 5F POP EDI
0075FAEF |. 5E POP ESI
0075FAF0 |. 5B POP EBX
0075FAF1 |. 83C4 04 ADD ESP,4
0075FAF4 |. C2 1000 RETN 10
0075FAF7 |> 66:8B43 06 MOV AX,WORD PTR DS:[EBX+6]
0075FAFB |. 66:8906 MOV WORD PTR DS:[ESI],AX
0075FAFE |. 66:2BC0 SUB AX,AX
0075FB01 |. 5F POP EDI
0075FB02 |. 5E POP ESI
0075FB03 |. 5B POP EBX
0075FB04 |. 83C4 04 ADD ESP,4
0075FB07 |. C2 1000 RETN 10
0075FB0A |> 8D4424 0D LEA EAX,[LOCAL.0+1]
0075FB0E |. 50 PUSH EAX ; /Arg5
0075FB0F |. 8D4424 10 LEA EAX,[LOCAL.0] ; |
0075FB13 |. 50 PUSH EAX ; |Arg4 => OFFSET LOCAL.0
0075FB14 |. 8D4424 17 LEA EAX,[LOCAL.0+3] ; |
0075FB18 |. 50 PUSH EAX ; |Arg3
0075FB19 |. 8D4424 1A LEA EAX,[LOCAL.0+2] ; |
0075FB1D |. 50 PUSH EAX ; |Arg2
0075FB1E |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FB1F |. E8 FC020000 CALL 0075FE20 ; \Snet.0075FE20
0075FB24 |. 66:0BC0 OR AX,AX
0075FB27 |. 75 19 JNZ SHORT 0075FB42
0075FB29 |. 8A4424 0D MOV AL,BYTE PTR SS:[LOCAL.0+1]
0075FB2D |. 8806 MOV BYTE PTR DS:[ESI],AL
0075FB2F |. 8A4424 0C MOV AL,BYTE PTR SS:[LOCAL.0]
0075FB33 |. 8846 01 MOV BYTE PTR DS:[ESI+1],AL
0075FB36 |. 66:2BC0 SUB AX,AX
0075FB39 |. 5F POP EDI
0075FB3A |. 5E POP ESI
0075FB3B |. 5B POP EBX
0075FB3C |. 83C4 04 ADD ESP,4
0075FB3F |. C2 1000 RETN 10
0075FB42 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FB47 |. 5F POP EDI
0075FB48 |. 5E POP ESI
0075FB49 |. 5B POP EBX
0075FB4A |. 83C4 04 ADD ESP,4
0075FB4D |. C2 1000 RETN 10
0075FB50 |> 8A41 01 MOV AL,BYTE PTR DS:[ECX+1] ; Case 31 ('1') of switch Snet.75FA17
0075FB53 |. 50 PUSH EAX ; /Arg3
0075FB54 |. 6A 06 PUSH 6 ; |Arg2 = 6
0075FB56 |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FB57 |. E8 A4030000 CALL 0075FF00 ; \Snet.0075FF00
0075FB5C |. 66:0BC0 OR AX,AX
0075FB5F |. 75 11 JNZ SHORT 0075FB72
0075FB61 |. 66:C706 0000 MOV WORD PTR DS:[ESI],0
0075FB66 |. 66:2BC0 SUB AX,AX
0075FB69 |. 5F POP EDI
0075FB6A |. 5E POP ESI
0075FB6B |. 5B POP EBX
0075FB6C |. 83C4 04 ADD ESP,4
0075FB6F |. C2 1000 RETN 10
0075FB72 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FB77 |. 5F POP EDI
0075FB78 |. 5E POP ESI
0075FB79 |. 5B POP EBX
0075FB7A |. 83C4 04 ADD ESP,4
0075FB7D |. C2 1000 RETN 10
0075FB80 |> 8A41 01 MOV AL,BYTE PTR DS:[ECX+1] ; Case 32 ('2') of switch Snet.75FA17
0075FB83 |. 50 PUSH EAX ; /Arg3
0075FB84 |. 6A 05 PUSH 5 ; |Arg2 = 5
0075FB86 |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FB87 |. E8 74030000 CALL 0075FF00 ; \Snet.0075FF00
0075FB8C |. 66:0BC0 OR AX,AX
0075FB8F |. 75 11 JNZ SHORT 0075FBA2
0075FB91 |. 66:C706 0000 MOV WORD PTR DS:[ESI],0
0075FB96 |. 66:2BC0 SUB AX,AX
0075FB99 |. 5F POP EDI
0075FB9A |. 5E POP ESI
0075FB9B |. 5B POP EBX
0075FB9C |. 83C4 04 ADD ESP,4
0075FB9F |. C2 1000 RETN 10
0075FBA2 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FBA7 |. 5F POP EDI
0075FBA8 |. 5E POP ESI
0075FBA9 |. 5B POP EBX
0075FBAA |. 83C4 04 ADD ESP,4
0075FBAD |. C2 1000 RETN 10
0075FBB0 |> 8A41 01 MOV AL,BYTE PTR DS:[ECX+1] ; Case 33 ('3') of switch Snet.75FA17
0075FBB3 |. 50 PUSH EAX ; /Arg3
0075FBB4 |. 6A 03 PUSH 3 ; |Arg2 = 3
0075FBB6 |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FBB7 |. E8 44030000 CALL 0075FF00 ; \Snet.0075FF00
0075FBBC |. 66:0BC0 OR AX,AX
0075FBBF |. 75 11 JNZ SHORT 0075FBD2
0075FBC1 |. 66:C706 0000 MOV WORD PTR DS:[ESI],0
0075FBC6 |. 66:2BC0 SUB AX,AX
0075FBC9 |. 5F POP EDI
0075FBCA |. 5E POP ESI
0075FBCB |. 5B POP EBX
0075FBCC |. 83C4 04 ADD ESP,4
0075FBCF |. C2 1000 RETN 10
0075FBD2 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FBD7 |. 5F POP EDI
0075FBD8 |. 5E POP ESI
0075FBD9 |. 5B POP EBX
0075FBDA |. 83C4 04 ADD ESP,4
0075FBDD |. C2 1000 RETN 10
0075FBE0 |> 8A41 01 MOV AL,BYTE PTR DS:[ECX+1] ; Case 34 ('4') of switch Snet.75FA17
0075FBE3 |. 50 PUSH EAX ; /Arg3
0075FBE4 |. 6A 04 PUSH 4 ; |Arg2 = 4
0075FBE6 |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FBE7 |. E8 14030000 CALL 0075FF00 ; \Snet.0075FF00
0075FBEC |. 66:0BC0 OR AX,AX
0075FBEF |. 75 11 JNZ SHORT 0075FC02
0075FBF1 |. 66:C706 0000 MOV WORD PTR DS:[ESI],0
0075FBF6 |. 66:2BC0 SUB AX,AX
0075FBF9 |. 5F POP EDI
0075FBFA |. 5E POP ESI
0075FBFB |. 5B POP EBX
0075FBFC |. 83C4 04 ADD ESP,4
0075FBFF |. C2 1000 RETN 10
0075FC02 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FC07 |. 5F POP EDI
0075FC08 |. 5E POP ESI
0075FC09 |. 5B POP EBX
0075FC0A |. 83C4 04 ADD ESP,4
0075FC0D |. C2 1000 RETN 10
0075FC10 |> 8A41 01 MOV AL,BYTE PTR DS:[ECX+1] ; Case 35 ('5') of switch Snet.75FA17
0075FC13 |. 50 PUSH EAX ; /Arg3
0075FC14 |. 6A 07 PUSH 7 ; |Arg2 = 7
0075FC16 |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FC17 |. E8 E4020000 CALL 0075FF00 ; \Snet.0075FF00
0075FC1C |. 66:0BC0 OR AX,AX
0075FC1F |. 75 11 JNZ SHORT 0075FC32
0075FC21 |. 66:C706 0000 MOV WORD PTR DS:[ESI],0
0075FC26 |. 66:2BC0 SUB AX,AX
0075FC29 |. 5F POP EDI
0075FC2A |. 5E POP ESI
0075FC2B |. 5B POP EBX
0075FC2C |. 83C4 04 ADD ESP,4
0075FC2F |. C2 1000 RETN 10
0075FC32 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FC37 |. 5F POP EDI
0075FC38 |. 5E POP ESI
0075FC39 |. 5B POP EBX
0075FC3A |. 83C4 04 ADD ESP,4
0075FC3D |. C2 1000 RETN 10
0075FC40 |> 8A41 01 MOV AL,BYTE PTR DS:[ECX+1] ; Case 36 ('6') of switch Snet.75FA17
0075FC43 |. 50 PUSH EAX ; /Arg3
0075FC44 |. 6A 01 PUSH 1 ; |Arg2 = 1
0075FC46 |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FC47 |. E8 B4020000 CALL 0075FF00 ; \Snet.0075FF00
0075FC4C |. 66:0BC0 OR AX,AX
0075FC4F |. 75 11 JNZ SHORT 0075FC62
0075FC51 |. 66:C706 0000 MOV WORD PTR DS:[ESI],0
0075FC56 |. 66:2BC0 SUB AX,AX
0075FC59 |. 5F POP EDI
0075FC5A |. 5E POP ESI
0075FC5B |. 5B POP EBX
0075FC5C |. 83C4 04 ADD ESP,4
0075FC5F |. C2 1000 RETN 10
0075FC62 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FC67 |. 5F POP EDI
0075FC68 |. 5E POP ESI
0075FC69 |. 5B POP EBX
0075FC6A |. 83C4 04 ADD ESP,4
0075FC6D |. C2 1000 RETN 10
0075FC70 |> 8A41 01 MOV AL,BYTE PTR DS:[ECX+1] ; Case 37 ('7') of switch Snet.75FA17
0075FC73 |. 50 PUSH EAX ; /Arg3
0075FC74 |. 6A 02 PUSH 2 ; |Arg2 = 2
0075FC76 |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FC77 |. E8 84020000 CALL 0075FF00 ; \Snet.0075FF00
0075FC7C |. 66:0BC0 OR AX,AX
0075FC7F |. 75 11 JNZ SHORT 0075FC92
0075FC81 |. 66:C706 0000 MOV WORD PTR DS:[ESI],0
0075FC86 |. 66:2BC0 SUB AX,AX
0075FC89 |. 5F POP EDI
0075FC8A |. 5E POP ESI
0075FC8B |. 5B POP EBX
0075FC8C |. 83C4 04 ADD ESP,4
0075FC8F |. C2 1000 RETN 10
0075FC92 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FC97 |. 5F POP EDI
0075FC98 |. 5E POP ESI
0075FC99 |. 5B POP EBX
0075FC9A |. 83C4 04 ADD ESP,4
0075FC9D \. C2 1000 RETN 10
And this is from IDA:
_0000009:0075F8D0 ; __stdcall RNBOproQuery(x, x, x, x)
_0000009:0075F8D0 _RNBOproQuery@16 proc near ; CODE XREF: _0000009:0075975E↑p
_0000009:0075F8D0 ; _0000009:0075978D↑p ...
_0000009:0075F8D0
_0000009:0075F8D0 var_4 = byte ptr -4
_0000009:0075F8D0 var_3 = byte ptr -3
_0000009:0075F8D0 var_2 = byte ptr -2
_0000009:0075F8D0 var_1 = byte ptr -1
_0000009:0075F8D0 arg_0 = dword ptr 4
_0000009:0075F8D0 arg_4 = dword ptr 8
_0000009:0075F8D0 arg_8 = dword ptr 0Ch
_0000009:0075F8D0 arg_C = word ptr 10h
_0000009:0075F8D0
_0000009:0075F8D0 sub esp, 4
_0000009:0075F8D3 push ebx
_0000009:0075F8D4 push esi
_0000009:0075F8D5 push edi
_0000009:0075F8D6 mov esi, [esp+10h+arg_8]
_0000009:0075F8DA mov edi, [esp+10h+arg_0]
_0000009:0075F8DE or edi, edi
_0000009:0075F8E0 mov word ptr [esi], 0FFFFh
_0000009:0075F8E5 jnz short loc_75F8F4
_0000009:0075F8E7 mov ax, 2
_0000009:0075F8EB pop edi
_0000009:0075F8EC pop esi
_0000009:0075F8ED pop ebx
_0000009:0075F8EE add esp, 4
_0000009:0075F8F1 retn 10h
_0000009:0075F8F4 ; ---------------------------------------------------------------------------
_0000009:0075F8F4
_0000009:0075F8F4 loc_75F8F4: ; CODE XREF: RNBOproQuery(x,x,x,x)+15↑j
_0000009:0075F8F4 push edi
_0000009:0075F8F5 call _I386PRO551MSOFTCD@4 ; I386PRO551MSOFTCD(x)
_0000009:0075F8FA mov ebx, eax
_0000009:0075F8FC cmp word ptr [ebx], 7242h
_0000009:0075F901 jz short loc_75F910
_0000009:0075F903 mov ax, 2
_0000009:0075F907 pop edi
_0000009:0075F908 pop esi
_0000009:0075F909 pop ebx
_0000009:0075F90A add esp, 4
_0000009:0075F90D retn 10h
_0000009:0075F910 ; ---------------------------------------------------------------------------
_0000009:0075F910
_0000009:0075F910 loc_75F910: ; CODE XREF: RNBOproQuery(x,x,x,x)+31↑j
_0000009:0075F910 mov ecx, [esp+10h+arg_4]
_0000009:0075F914 or ecx, ecx
_0000009:0075F916 jnz short loc_75F92B
_0000009:0075F918 mov word ptr [ebx+6], 0C10h
_0000009:0075F91E mov ax, 10h
_0000009:0075F922 pop edi
_0000009:0075F923 pop esi
_0000009:0075F924 pop ebx
_0000009:0075F925 add esp, 4
_0000009:0075F928 retn 10h
_0000009:0075F92B ; ---------------------------------------------------------------------------
_0000009:0075F92B
_0000009:0075F92B loc_75F92B: ; CODE XREF: RNBOproQuery(x,x,x,x)+46↑j
_0000009:0075F92B or esi, esi
_0000009:0075F92D jnz short loc_75F942
_0000009:0075F92F mov word ptr [ebx+6], 0C10h
_0000009:0075F935 mov ax, 10h
_0000009:0075F939 pop edi
_0000009:0075F93A pop esi
_0000009:0075F93B pop ebx
_0000009:0075F93C add esp, 4
_0000009:0075F93F retn 10h
_0000009:0075F942 ; ---------------------------------------------------------------------------
_0000009:0075F942
_0000009:0075F942 loc_75F942: ; CODE XREF: RNBOproQuery(x,x,x,x)+5D↑j
_0000009:0075F942 test byte ptr [ebx+12h], 4
_0000009:0075F946 jnz short loc_75F960
_0000009:0075F948 mov word ptr [ebx+6], 0C39h
_0000009:0075F94E mov ax, 39h ; '9'
_0000009:0075F952 pop edi
_0000009:0075F953 pop esi
_0000009:0075F954 pop ebx
_0000009:0075F955 add esp, 4
_0000009:0075F958 retn 10h
_0000009:0075F958 ; ---------------------------------------------------------------------------
_0000009:0075F95B align 10h
_0000009:0075F960
_0000009:0075F960 loc_75F960: ; CODE XREF: RNBOproQuery(x,x,x,x)+76↑j
_0000009:0075F960 mov ax, [esp+10h+arg_C]
_0000009:0075F965 cmp ax, 2
_0000009:0075F969 jnb short loc_75F983
_0000009:0075F96B mov word ptr [esi], 0FFFFh
_0000009:0075F970 mov word ptr [ebx+6], 0C15h
_0000009:0075F976 mov ax, 15h
_0000009:0075F97A pop edi
_0000009:0075F97B pop esi
_0000009:0075F97C pop ebx
_0000009:0075F97D add esp, 4
_0000009:0075F980 retn 10h
_0000009:0075F983 ; ---------------------------------------------------------------------------
_0000009:0075F983
_0000009:0075F983 loc_75F983: ; CODE XREF: RNBOproQuery(x,x,x,x)+99↑j
_0000009:0075F983 cmp ax, 40h ; '@'
_0000009:0075F987 jbe short loc_75F9A1
_0000009:0075F989 mov word ptr [esi], 0FFFFh
_0000009:0075F98E mov word ptr [ebx+6], 0C14h
_0000009:0075F994 mov ax, 14h
_0000009:0075F998 pop edi
_0000009:0075F999 pop esi
_0000009:0075F99A pop ebx
_0000009:0075F99B add esp, 4
_0000009:0075F99E retn 10h
_0000009:0075F9A1 ; ---------------------------------------------------------------------------
_0000009:0075F9A1
_0000009:0075F9A1 loc_75F9A1: ; CODE XREF: RNBOproQuery(x,x,x,x)+B7↑j
_0000009:0075F9A1 cmp ax, 2
_0000009:0075F9A5 jbe short loc_75FA13
_0000009:0075F9A7 mov [ebx+34h], ax
_0000009:0075F9AB mov word ptr [ebx+30h], 9
_0000009:0075F9B1 lea edi, [ebx+36h]
_0000009:0075F9B4 push eax
_0000009:0075F9B5 push edi
_0000009:0075F9B6 push ecx
_0000009:0075F9B7 call _I386PRO551MSOFTCC@12 ; I386PRO551MSOFTCC(x,x,x)
_0000009:0075F9BC push ebx ; lpBuffer
_0000009:0075F9BD call _I386PRO551MSOFTCFM@4 ; I386PRO551MSOFTCFM(x)
_0000009:0075F9C2 mov [ebx+6], ax
_0000009:0075F9C6 or al, al
_0000009:0075F9C8 jnz short loc_75F9E0
_0000009:0075F9CA push 2
_0000009:0075F9CC push esi
_0000009:0075F9CD push edi
_0000009:0075F9CE call _I386PRO551MSOFTCC@12 ; I386PRO551MSOFTCC(x,x,x)
_0000009:0075F9D3 sub ax, ax
_0000009:0075F9D6 pop edi
_0000009:0075F9D7 pop esi
_0000009:0075F9D8 pop ebx
_0000009:0075F9D9 add esp, 4
_0000009:0075F9DC retn 10h
_0000009:0075F9DC ; ---------------------------------------------------------------------------
_0000009:0075F9DF align 10h
_0000009:0075F9E0
_0000009:0075F9E0 loc_75F9E0: ; CODE XREF: RNBOproQuery(x,x,x,x)+F8↑j
_0000009:0075F9E0 mov word ptr [esi], 0FFFFh
_0000009:0075F9E5 mov ax, [ebx+6]
_0000009:0075F9E9 cmp ax, 103h
_0000009:0075F9ED jnz short loc_75FA01
_0000009:0075F9EF mov eax, 112h
_0000009:0075F9F4 and ax, 0FFh
_0000009:0075F9F8 pop edi
_0000009:0075F9F9 pop esi
_0000009:0075F9FA pop ebx
_0000009:0075F9FB add esp, 4
_0000009:0075F9FE retn 10h
_0000009:0075FA01 ; ---------------------------------------------------------------------------
_0000009:0075FA01
_0000009:0075FA01 loc_75FA01: ; CODE XREF: RNBOproQuery(x,x,x,x)+11D↑j
_0000009:0075FA01 and eax, 0FFFFh
_0000009:0075FA06 and ax, 0FFh
_0000009:0075FA0A pop edi
_0000009:0075FA0B pop esi
_0000009:0075FA0C pop ebx
_0000009:0075FA0D add esp, 4
_0000009:0075FA10 retn 10h
_0000009:0075FA13 ; ---------------------------------------------------------------------------
_0000009:0075FA13
_0000009:0075FA13 loc_75FA13: ; CODE XREF: RNBOproQuery(x,x,x,x)+D5↑j
_0000009:0075FA13 xor eax, eax
_0000009:0075FA15 mov al, [ecx]
_0000009:0075FA17 sub eax, 30h ; '0' ; switch 8 cases
_0000009:0075FA1A cmp eax, 7
_0000009:0075FA1D ja short def_75FA1F ; jumptable 0075FA1F default case
_0000009:0075FA1F jmp ds:jpt_75FA1F[eax*4] ; switch jump
_0000009:0075FA26 ; ---------------------------------------------------------------------------
_0000009:0075FA26
_0000009:0075FA26 def_75FA1F: ; CODE XREF: RNBOproQuery(x,x,x,x)+14D↑j
_0000009:0075FA26 mov word ptr [esi], 0FFFFh ; jumptable 0075FA1F default case
_0000009:0075FA2B mov word ptr [ebx+6], 0C15h
_0000009:0075FA31 mov ax, 15h
_0000009:0075FA35 pop edi
_0000009:0075FA36 pop esi
_0000009:0075FA37 pop ebx
_0000009:0075FA38 add esp, 4
_0000009:0075FA3B retn 10h
_0000009:0075FA3B ; ---------------------------------------------------------------------------
_0000009:0075FA3E align 10h
_0000009:0075FA40
_0000009:0075FA40 loc_75FA40: ; CODE XREF: RNBOproQuery(x,x,x,x)+14F↑j
_0000009:0075FA40 ; DATA XREF: _0000009:jpt_75FA1F↓o
_0000009:0075FA40 xor eax, eax ; jumptable 0075FA1F case 48
_0000009:0075FA42 mov al, [ecx+1]
_0000009:0075FA45 cmp eax, 31h ; '1'
_0000009:0075FA48 jz short loc_75FA82
_0000009:0075FA4A cmp eax, 32h ; '2'
_0000009:0075FA4D jz short loc_75FAC8
_0000009:0075FA4F cmp eax, 33h ; '3'
_0000009:0075FA52 jz loc_75FAE0
_0000009:0075FA58 cmp eax, 34h ; '4'
_0000009:0075FA5B jz loc_75FAF7
_0000009:0075FA61 cmp eax, 35h ; '5'
_0000009:0075FA64 jz loc_75FB0A
_0000009:0075FA6A mov word ptr [esi], 0FFFFh
_0000009:0075FA6F mov word ptr [ebx+6], 0C15h
_0000009:0075FA75 mov ax, 15h
_0000009:0075FA79 pop edi
_0000009:0075FA7A pop esi
_0000009:0075FA7B pop ebx
_0000009:0075FA7C add esp, 4
_0000009:0075FA7F retn 10h
_0000009:0075FA82 ; ---------------------------------------------------------------------------
_0000009:0075FA82
_0000009:0075FA82 loc_75FA82: ; CODE XREF: RNBOproQuery(x,x,x,x)+178↑j
_0000009:0075FA82 lea eax, [esp+10h+var_3]
_0000009:0075FA86 push eax
_0000009:0075FA87 lea eax, [esp+14h+var_4]
_0000009:0075FA8B push eax
_0000009:0075FA8C lea eax, [esp+18h+var_1]
_0000009:0075FA90 push eax
_0000009:0075FA91 lea eax, [esp+1Ch+var_2]
_0000009:0075FA95 push eax
_0000009:0075FA96 push edi
_0000009:0075FA97 call _RNBOproGetVersion@20 ; RNBOproGetVersion(x,x,x,x,x)
_0000009:0075FA9C or ax, ax
_0000009:0075FA9F jnz short loc_75FABA
_0000009:0075FAA1 mov al, [esp+10h+var_2]
_0000009:0075FAA5 mov [esi+1], al
_0000009:0075FAA8 mov al, [esp+10h+var_1]
_0000009:0075FAAC mov [esi], al
_0000009:0075FAAE sub ax, ax
_0000009:0075FAB1 pop edi
_0000009:0075FAB2 pop esi
_0000009:0075FAB3 pop ebx
_0000009:0075FAB4 add esp, 4
_0000009:0075FAB7 retn 10h
_0000009:0075FABA ; ---------------------------------------------------------------------------
_0000009:0075FABA
_0000009:0075FABA loc_75FABA: ; CODE XREF: RNBOproQuery(x,x,x,x)+1CF↑j
_0000009:0075FABA mov word ptr [esi], 0FFFFh
_0000009:0075FABF pop edi
_0000009:0075FAC0 pop esi
_0000009:0075FAC1 pop ebx
_0000009:0075FAC2 add esp, 4
_0000009:0075FAC5 retn 10h
_0000009:0075FAC8 ; ---------------------------------------------------------------------------
_0000009:0075FAC8
_0000009:0075FAC8 loc_75FAC8: ; CODE XREF: RNBOproQuery(x,x,x,x)+17D↑j
_0000009:0075FAC8 push esi
_0000009:0075FAC9 push 1
_0000009:0075FACB push edi
_0000009:0075FACC call _I386PRO551MSOFTCHE@12 ; I386PRO551MSOFTCHE(x,x,x)
_0000009:0075FAD1 pop edi
_0000009:0075FAD2 pop esi
_0000009:0075FAD3 pop ebx
_0000009:0075FAD4 add esp, 4
_0000009:0075FAD7 retn 10h
_0000009:0075FAD7 ; ---------------------------------------------------------------------------
_0000009:0075FADA align 10h
_0000009:0075FAE0
_0000009:0075FAE0 loc_75FAE0: ; CODE XREF: RNBOproQuery(x,x,x,x)+182↑j
_0000009:0075FAE0 mov ax, [ebx+6]
_0000009:0075FAE4 and ax, 0FFh
_0000009:0075FAE8 mov [esi], ax
_0000009:0075FAEB sub ax, ax
_0000009:0075FAEE pop edi
_0000009:0075FAEF pop esi
_0000009:0075FAF0 pop ebx
_0000009:0075FAF1 add esp, 4
_0000009:0075FAF4 retn 10h
_0000009:0075FAF7 ; ---------------------------------------------------------------------------
_0000009:0075FAF7
_0000009:0075FAF7 loc_75FAF7: ; CODE XREF: RNBOproQuery(x,x,x,x)+18B↑j
_0000009:0075FAF7 mov ax, [ebx+6]
_0000009:0075FAFB mov [esi], ax
_0000009:0075FAFE sub ax, ax
_0000009:0075FB01 pop edi
_0000009:0075FB02 pop esi
_0000009:0075FB03 pop ebx
_0000009:0075FB04 add esp, 4
_0000009:0075FB07 retn 10h
_0000009:0075FB0A ; ---------------------------------------------------------------------------
_0000009:0075FB0A
_0000009:0075FB0A loc_75FB0A: ; CODE XREF: RNBOproQuery(x,x,x,x)+194↑j
_0000009:0075FB0A lea eax, [esp+10h+var_3]
_0000009:0075FB0E push eax
_0000009:0075FB0F lea eax, [esp+14h+var_4]
_0000009:0075FB13 push eax
_0000009:0075FB14 lea eax, [esp+18h+var_1]
_0000009:0075FB18 push eax
_0000009:0075FB19 lea eax, [esp+1Ch+var_2]
_0000009:0075FB1D push eax
_0000009:0075FB1E push edi
_0000009:0075FB1F call _RNBOproGetVersion@20 ; RNBOproGetVersion(x,x,x,x,x)
_0000009:0075FB24 or ax, ax
_0000009:0075FB27 jnz short loc_75FB42
_0000009:0075FB29 mov al, [esp+10h+var_3]
_0000009:0075FB2D mov [esi], al
_0000009:0075FB2F mov al, [esp+10h+var_4]
_0000009:0075FB33 mov [esi+1], al
_0000009:0075FB36 sub ax, ax
_0000009:0075FB39 pop edi
_0000009:0075FB3A pop esi
_0000009:0075FB3B pop ebx
_0000009:0075FB3C add esp, 4
_0000009:0075FB3F retn 10h
_0000009:0075FB42 ; ---------------------------------------------------------------------------
_0000009:0075FB42
_0000009:0075FB42 loc_75FB42: ; CODE XREF: RNBOproQuery(x,x,x,x)+257↑j
_0000009:0075FB42 mov word ptr [esi], 0FFFFh
_0000009:0075FB47 pop edi
_0000009:0075FB48 pop esi
_0000009:0075FB49 pop ebx
_0000009:0075FB4A add esp, 4
_0000009:0075FB4D retn 10h
_0000009:0075FB50 ; ---------------------------------------------------------------------------
_0000009:0075FB50
_0000009:0075FB50 loc_75FB50: ; CODE XREF: RNBOproQuery(x,x,x,x)+14F↑j
_0000009:0075FB50 ; DATA XREF: _0000009:jpt_75FA1F↓o
_0000009:0075FB50 mov al, [ecx+1] ; jumptable 0075FA1F case 49
_0000009:0075FB53 push eax
_0000009:0075FB54 push 6
_0000009:0075FB56 push edi
_0000009:0075FB57 call _I386PRO551MSOFTCHF@12 ; I386PRO551MSOFTCHF(x,x,x)
_0000009:0075FB5C or ax, ax
_0000009:0075FB5F jnz short loc_75FB72
_0000009:0075FB61 mov word ptr [esi], 0
_0000009:0075FB66 sub ax, ax
_0000009:0075FB69 pop edi
_0000009:0075FB6A pop esi
_0000009:0075FB6B pop ebx
_0000009:0075FB6C add esp, 4
_0000009:0075FB6F retn 10h
_0000009:0075FB72 ; ---------------------------------------------------------------------------
_0000009:0075FB72
_0000009:0075FB72 loc_75FB72: ; CODE XREF: RNBOproQuery(x,x,x,x)+28F↑j
_0000009:0075FB72 mov word ptr [esi], 0FFFFh
_0000009:0075FB77 pop edi
_0000009:0075FB78 pop esi
_0000009:0075FB79 pop ebx
_0000009:0075FB7A add esp, 4
_0000009:0075FB7D retn 10h
_0000009:0075FB80 ; ---------------------------------------------------------------------------
_0000009:0075FB80
_0000009:0075FB80 loc_75FB80: ; CODE XREF: RNBOproQuery(x,x,x,x)+14F↑j
_0000009:0075FB80 ; DATA XREF: _0000009:jpt_75FA1F↓o
_0000009:0075FB80 mov al, [ecx+1] ; jumptable 0075FA1F case 50
_0000009:0075FB83 push eax
_0000009:0075FB84 push 5
_0000009:0075FB86 push edi
_0000009:0075FB87 call _I386PRO551MSOFTCHF@12 ; I386PRO551MSOFTCHF(x,x,x)
_0000009:0075FB8C or ax, ax
_0000009:0075FB8F jnz short loc_75FBA2
_0000009:0075FB91 mov word ptr [esi], 0
_0000009:0075FB96 sub ax, ax
_0000009:0075FB99 pop edi
_0000009:0075FB9A pop esi
_0000009:0075FB9B pop ebx
_0000009:0075FB9C add esp, 4
_0000009:0075FB9F retn 10h
_0000009:0075FBA2 ; ---------------------------------------------------------------------------
_0000009:0075FBA2
_0000009:0075FBA2 loc_75FBA2: ; CODE XREF: RNBOproQuery(x,x,x,x)+2BF↑j
_0000009:0075FBA2 mov word ptr [esi], 0FFFFh
_0000009:0075FBA7 pop edi
_0000009:0075FBA8 pop esi
_0000009:0075FBA9 pop ebx
_0000009:0075FBAA add esp, 4
_0000009:0075FBAD retn 10h
_0000009:0075FBB0 ; ---------------------------------------------------------------------------
_0000009:0075FBB0
_0000009:0075FBB0 loc_75FBB0: ; CODE XREF: RNBOproQuery(x,x,x,x)+14F↑j
_0000009:0075FBB0 ; DATA XREF: _0000009:jpt_75FA1F↓o
_0000009:0075FBB0 mov al, [ecx+1] ; jumptable 0075FA1F case 51
_0000009:0075FBB3 push eax
_0000009:0075FBB4 push 3
_0000009:0075FBB6 push edi
_0000009:0075FBB7 call _I386PRO551MSOFTCHF@12 ; I386PRO551MSOFTCHF(x,x,x)
_0000009:0075FBBC or ax, ax
_0000009:0075FBBF jnz short loc_75FBD2
_0000009:0075FBC1 mov word ptr [esi], 0
_0000009:0075FBC6 sub ax, ax
_0000009:0075FBC9 pop edi
_0000009:0075FBCA pop esi
_0000009:0075FBCB pop ebx
_0000009:0075FBCC add esp, 4
_0000009:0075FBCF retn 10h
_0000009:0075FBD2 ; ---------------------------------------------------------------------------
_0000009:0075FBD2
_0000009:0075FBD2 loc_75FBD2: ; CODE XREF: RNBOproQuery(x,x,x,x)+2EF↑j
_0000009:0075FBD2 mov word ptr [esi], 0FFFFh
_0000009:0075FBD7 pop edi
_0000009:0075FBD8 pop esi
_0000009:0075FBD9 pop ebx
_0000009:0075FBDA add esp, 4
_0000009:0075FBDD retn 10h
_0000009:0075FBE0 ; ---------------------------------------------------------------------------
_0000009:0075FBE0
_0000009:0075FBE0 loc_75FBE0: ; CODE XREF: RNBOproQuery(x,x,x,x)+14F↑j
_0000009:0075FBE0 ; DATA XREF: _0000009:jpt_75FA1F↓o
_0000009:0075FBE0 mov al, [ecx+1] ; jumptable 0075FA1F case 52
_0000009:0075FBE3 push eax
_0000009:0075FBE4 push 4
_0000009:0075FBE6 push edi
_0000009:0075FBE7 call _I386PRO551MSOFTCHF@12 ; I386PRO551MSOFTCHF(x,x,x)
_0000009:0075FBEC or ax, ax
_0000009:0075FBEF jnz short loc_75FC02
_0000009:0075FBF1 mov word ptr [esi], 0
_0000009:0075FBF6 sub ax, ax
_0000009:0075FBF9 pop edi
_0000009:0075FBFA pop esi
_0000009:0075FBFB pop ebx
_0000009:0075FBFC add esp, 4
_0000009:0075FBFF retn 10h
_0000009:0075FC02 ; ---------------------------------------------------------------------------
_0000009:0075FC02
_0000009:0075FC02 loc_75FC02: ; CODE XREF: RNBOproQuery(x,x,x,x)+31F↑j
_0000009:0075FC02 mov word ptr [esi], 0FFFFh
_0000009:0075FC07 pop edi
_0000009:0075FC08 pop esi
_0000009:0075FC09 pop ebx
_0000009:0075FC0A add esp, 4
_0000009:0075FC0D retn 10h
_0000009:0075FC10 ; ---------------------------------------------------------------------------
_0000009:0075FC10
_0000009:0075FC10 loc_75FC10: ; CODE XREF: RNBOproQuery(x,x,x,x)+14F↑j
_0000009:0075FC10 ; DATA XREF: _0000009:jpt_75FA1F↓o
_0000009:0075FC10 mov al, [ecx+1] ; jumptable 0075FA1F case 53
_0000009:0075FC13 push eax
_0000009:0075FC14 push 7
_0000009:0075FC16 push edi
_0000009:0075FC17 call _I386PRO551MSOFTCHF@12 ; I386PRO551MSOFTCHF(x,x,x)
_0000009:0075FC1C or ax, ax
_0000009:0075FC1F jnz short loc_75FC32
_0000009:0075FC21 mov word ptr [esi], 0
_0000009:0075FC26 sub ax, ax
_0000009:0075FC29 pop edi
_0000009:0075FC2A pop esi
_0000009:0075FC2B pop ebx
_0000009:0075FC2C add esp, 4
_0000009:0075FC2F retn 10h
_0000009:0075FC32 ; ---------------------------------------------------------------------------
_0000009:0075FC32
_0000009:0075FC32 loc_75FC32: ; CODE XREF: RNBOproQuery(x,x,x,x)+34F↑j
_0000009:0075FC32 mov word ptr [esi], 0FFFFh
_0000009:0075FC37 pop edi
_0000009:0075FC38 pop esi
_0000009:0075FC39 pop ebx
_0000009:0075FC3A add esp, 4
_0000009:0075FC3D retn 10h
_0000009:0075FC40 ; ---------------------------------------------------------------------------
_0000009:0075FC40
_0000009:0075FC40 loc_75FC40: ; CODE XREF: RNBOproQuery(x,x,x,x)+14F↑j
_0000009:0075FC40 ; DATA XREF: _0000009:jpt_75FA1F↓o
_0000009:0075FC40 mov al, [ecx+1] ; jumptable 0075FA1F case 54
_0000009:0075FC43 push eax
_0000009:0075FC44 push 1
_0000009:0075FC46 push edi
_0000009:0075FC47 call _I386PRO551MSOFTCHF@12 ; I386PRO551MSOFTCHF(x,x,x)
_0000009:0075FC4C or ax, ax
_0000009:0075FC4F jnz short loc_75FC62
_0000009:0075FC51 mov word ptr [esi], 0
_0000009:0075FC56 sub ax, ax
_0000009:0075FC59 pop edi
_0000009:0075FC5A pop esi
_0000009:0075FC5B pop ebx
_0000009:0075FC5C add esp, 4
_0000009:0075FC5F retn 10h
_0000009:0075FC62 ; ---------------------------------------------------------------------------
_0000009:0075FC62
_0000009:0075FC62 loc_75FC62: ; CODE XREF: RNBOproQuery(x,x,x,x)+37F↑j
_0000009:0075FC62 mov word ptr [esi], 0FFFFh
_0000009:0075FC67 pop edi
_0000009:0075FC68 pop esi
_0000009:0075FC69 pop ebx
_0000009:0075FC6A add esp, 4
_0000009:0075FC6D retn 10h
_0000009:0075FC70 ; ---------------------------------------------------------------------------
_0000009:0075FC70
_0000009:0075FC70 loc_75FC70: ; CODE XREF: RNBOproQuery(x,x,x,x)+14F↑j
_0000009:0075FC70 ; DATA XREF: _0000009:jpt_75FA1F↓o
_0000009:0075FC70 mov al, [ecx+1] ; jumptable 0075FA1F case 55
_0000009:0075FC73 push eax
_0000009:0075FC74 push 2
_0000009:0075FC76 push edi
_0000009:0075FC77 call _I386PRO551MSOFTCHF@12 ; I386PRO551MSOFTCHF(x,x,x)
_0000009:0075FC7C or ax, ax
_0000009:0075FC7F jnz short loc_75FC92
_0000009:0075FC81 mov word ptr [esi], 0
_0000009:0075FC86 sub ax, ax
_0000009:0075FC89 pop edi
_0000009:0075FC8A pop esi
_0000009:0075FC8B pop ebx
_0000009:0075FC8C add esp, 4
_0000009:0075FC8F retn 10h
_0000009:0075FC92 ; ---------------------------------------------------------------------------
_0000009:0075FC92
_0000009:0075FC92 loc_75FC92: ; CODE XREF: RNBOproQuery(x,x,x,x)+3AF↑j
_0000009:0075FC92 mov word ptr [esi], 0FFFFh
_0000009:0075FC97 pop edi
_0000009:0075FC98 pop esi
_0000009:0075FC99 pop ebx
_0000009:0075FC9A add esp, 4
_0000009:0075FC9D retn 10h
_0000009:0075FC9D _RNBOproQuery@16 endp
And here is the pseudocode from the IDA decompiler:
PDF - PseudoCodeOfRNBOquerry
RE: How do I crack the proQuery function in Sentinel Rainbow Pro protection - johnvb - 29-01-2021
And peace be upon you, and the mercy and blessings of God.
Dear brother, first:
Patching every function except query relies on zeroing the register; all you have to do is xor eax. As for spro query, all the trouble is in it.
1. Patching spro query depends on the protection of the program you are using. If your program is protected with Sentinel Shell, you need to unpack the Shell protection and then patch the query function.
If it is not protected with the Shell, you need to collect the queries the dongle requests from the program and the queries the program requests from the dongle.
Second, I advise you to emulate the dongle; it is much easier than patching the dongle.
In any case I will make a flash tutorial on cracking the dongle, God willing.
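The three jump-table cases at loc_75FC10, loc_75FC40 and loc_75FC70 in the listing above all follow one pattern (second packet byte plus a per-case constant 7, 1 or 2 go to I386PRO551MSOFTCHF; a nonzero result writes 0FFFFh through the out-pointer in ESI and returns that result, a zero result writes 0 and returns 0), and johnvb's point above that query cannot be handled with a plain xor eax patch hinges on that out-pointer. The C model below is an added example, not code from the original post, the tutorial or the Sentinel SDK. It reconstructs only the control flow visible in the listing; the stand-in for I386PRO551MSOFTCHF (which sub-values it accepts, which error code it returns) and the packed return helper are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Jump-table cases as they appear in the listing:
 * case number -> immediate pushed as the second argument (push 7 / push 1 / push 2). */
typedef struct {
    int      jt_case;   /* "jumptable 0075FA1F case N" */
    uint16_t selector;  /* constant pushed before the packet pointer (EDI) */
} query_case_t;

static const query_case_t QUERY_CASES[] = { { 53, 7 }, { 54, 1 }, { 55, 2 } };

/* Callee shape as invoked in the listing (three dwords, stdcall):
 * push eax (byte from [ecx+1]), push <selector>, push edi (packet). */
typedef uint16_t (*softchf_fn)(const uint8_t *packet, uint16_t selector, uint8_t sub);

/* Hypothetical stand-in for I386PRO551MSOFTCHF. Its real logic is not on the
 * page: this one accepts exactly one constructed 'sub' value per selector and
 * returns a constructed nonzero error code otherwise. */
static uint16_t fake_softchf(const uint8_t *packet, uint16_t selector, uint8_t sub) {
    (void)packet;
    switch (selector) {
        case 7:  return sub == 0x11 ? 0 : 0x0003;
        case 1:  return sub == 0x22 ? 0 : 0x0003;
        case 2:  return sub == 0x33 ? 0 : 0x0003;
        default: return 0x0002;
    }
}

/* One jump-table case of RNBOproQuery exactly as the listing shows it.
 * 'cell' stands for the buffer ECX points at, 'status' for the word at [ESI]
 * (the &word argument in the question's prototype). Returns the value left in AX. */
static uint16_t query_case(int jt_case, const uint8_t *packet, const uint8_t *cell,
                           uint16_t *status, softchf_fn chf) {
    for (size_t i = 0; i < sizeof QUERY_CASES / sizeof QUERY_CASES[0]; i++) {
        if (QUERY_CASES[i].jt_case != jt_case) continue;
        uint16_t r = chf(packet, QUERY_CASES[i].selector, cell[1]); /* mov al,[ecx+1] */
        if (r != 0) {          /* or ax,ax / jnz loc_75FCxx */
            *status = 0xFFFF;  /* mov word ptr [esi], 0FFFFh; AX left as returned */
            return r;
        }
        *status = 0;           /* mov word ptr [esi], 0 */
        return 0;              /* sub ax,ax */
    }
    *status = 0xFFFF;          /* constructed: case not modelled here */
    return 0xFFFF;
}

/* Effect of a "zero the register" patch (xor eax) applied to one query case:
 * AX is forced to 0, but the word written through the out-pointer is untouched,
 * so a caller that reads the &word result still sees the failure value. */
static uint16_t query_case_xor_eax_only(int jt_case, const uint8_t *packet,
                                        const uint8_t *cell, uint16_t *status, softchf_fn chf) {
    (void)query_case(jt_case, packet, cell, status, chf);
    return 0; /* xor eax,eax */
}

/* Helpers for checking: run one case with a constructed 4-byte packet whose
 * second byte is 'sub', and pack (status << 16) | ax into one value. */
static uint32_t run_case_packed(int jt_case, uint8_t sub) {
    uint8_t  packet[4] = { 0x00, sub, 0x00, 0x00 };
    uint16_t status = 0x1234; /* sentinel so an untouched status is visible */
    uint16_t ax = query_case(jt_case, packet, packet, &status, fake_softchf);
    return ((uint32_t)status << 16) | ax;
}

static uint32_t run_case_xor_eax_packed(int jt_case, uint8_t sub) {
    uint8_t  packet[4] = { 0x00, sub, 0x00, 0x00 };
    uint16_t status = 0x1234;
    uint16_t ax = query_case_xor_eax_only(jt_case, packet, packet, &status, fake_softchf);
    return ((uint32_t)status << 16) | ax;
}

int main(void) {
    static const uint8_t subs[] = { 0x11, 0x22, 0x33 };
    for (size_t i = 0; i < sizeof QUERY_CASES / sizeof QUERY_CASES[0]; i++) {
        for (size_t j = 0; j < sizeof subs; j++) {
            uint32_t v = run_case_packed(QUERY_CASES[i].jt_case, subs[j]);
            printf("case %d sub %02X -> status %04X ax %04X\n",
                   QUERY_CASES[i].jt_case, subs[j], v >> 16, v & 0xFFFF);
        }
    }
    uint32_t p = run_case_xor_eax_packed(55, 0x22);
    printf("case 55 sub 22 with xor eax only -> status %04X ax %04X\n", p >> 16, p & 0xFFFF);
    return 0;
}
```

The model makes the reason for the "collect the queries" advice concrete: the value a caller acts on may be the word at [ESI] rather than AX, so a patch or emulator for query has to produce the expected out-word for every case the program exercises, not just a zero return.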
RE: How do I crack the proQuery function in Sentinel Rainbow Pro protection - akhfar - 29-01-2021
@johnvb Dear brother, do you mean all the functions, i.e. every function that has RNBO in it?
I cannot emulate the dongle because I do not own the dongle; I only have the program. I also do not know whether the program is protected with a shell or not. If you watch the tutorial you will see that, first, they were searching for the memory address and, second, query was modified in order to find out the values being compared, but I could not understand how the memory is accessed. None of the hardware breakpoints worked because I did not know where to place them. I have an old 2002 version, meaning the Sentinel SDK is old, which is why I could not understand what is happening. Thank you.
RE: How do I crack the proQuery function in Sentinel Rainbow Pro protection - bavfay - 29-01-2021
Dear brother, if the protection is Sentinel Rainbow Pro,
then you can load an emulator in the background; try using monitor SNTLIB.
I can help if you upload the program.
RE: How do I crack the proQuery function in Sentinel Rainbow Pro protection - akhfar - 29-01-2021
@bavfay Yes, it is a program protected with Sentinel Rainbow Pro, but I could not find the program you are talking about, and unfortunately I cannot upload the program.
By "in the background" do you mean the monitor will do coverage?
RE: How do I crack the proQuery function in Sentinel Rainbow Pro protection - johnvb - 30-01-2021
Brother, I checked the protection of your program; it is of the Sentinel-C Pro type. This protection is old and has emulators that are 100% guaranteed, but we need the queries the dongle requests from the program.
RE: How do I crack the proQuery function in Sentinel Rainbow Pro protection - akhfar - 30-01-2021
@johnvb And how do I get the emulator and these queries? (I think by "queries" you mean the memory locations it compares?) If so, I think I noticed fixed hex values on the stack that do not change and are passed as input values to the proquery function:
(3B 4H 1B 66 65 52 65 53 66 65)
RE: How do I crack the proQuery function in Sentinel Rainbow Pro protection - Venox - 30-01-2021
Dear brother akhfar, would you kindly share with us the tutorial series you are following, please?
RE: How do I crack the proQuery function in Sentinel Rainbow Pro protection - HillPine - 15-11-2022
Please help me, all of my dear brothers.
IDA new signature for new generation of dongle protection, specially Sentinel.
RE: How do I crack the proQuery function in Sentinel Rainbow Pro protection - johnvb - 15-11-2022
You will not find it because it's private; the latest version 1.1 shk is old, from 2009.
What soft do you need to reverse? I can help you.