When a string-related API is called, stop at a breakpoint on it and inspect its parameters.
That way you can see some of the input and output data — for example in the str*, wcs*, *printf families, and so on.
I used the Messenger service as the test example; it is at least somewhat instructive.
This service runs in the same process as the service that creates the connection, so we may be able
to observe the dial-up password passing through these string functions.
Debugging the RASMAN service
cdb -psn rasman
msvcrt!wcscpy breakpoint
* Breakpoint on msvcrt!wcscpy, showing the call site and the string content:
bp msvcrt!wcscpy "u poi(@esp) l1; dd esp l3; du poi(@esp+8); g"
Or break on msvcrt!wcslen instead, but that produces a great deal of output!
* Breakpoint on msvcrt!wcslen, showing the call site and the string content:
bp msvcrt!wcslen "u poi(@esp) l1; du poi(@esp+4); g"
Open a log file and record the session; otherwise, with this much output, some of it will be lost.
Finally, try dialing, and the user name and password it holds will show up!
rasmans+0xcc21:
7e51cc21 59 pop ecx
012cd128 7e51cc21 02f1bc70 0013b882
0013b882 "uuu" <--- this is the user name
rasmans+0xcc3c:
7e51cc3c 59 pop ecx
012cd128 7e51cc3c 02f1be72 0013b88a
0013b88a "ppp" <--- this is the password
You can use OD to look at the relevant code around the return addresses above.
; NOTE(review): OllyDbg dump of an unnamed stdcall routine in rasmans (retn 0C
; => three stack arguments). Roles as far as this listing shows:
;   [ebp+8]  -> esi : cursor into a run of NUL-separated wide strings; the
;               stack slot itself is reused as the return value (0 at entry,
;               set to an entry at CBA6 when a record matches)
;   [ebp+C]        : value compared against each record's first numeric field
;   [ebp+10]       : list anchor that every new entry is linked into (CC7B..CC8A)
;   edi            : current entry, a 0x640-byte LocalAlloc(LPTR) block
;   ebx            : 0 for the whole routine (0-word compare and NULL test)
; The "inc esi / inc esi / cmp word ptr [esi], bx / jnz" loops advance one
; WCHAR at a time to the terminating 0 word; the two inc esi after each loop
; step over it to the start of the next field.
; None of the wcscpy calls below has a length bound visible in this routine;
; each text field is trusted to fit its fixed slot inside the 0x640-byte entry
; (presumably checked by the caller - not confirmed from this listing).
7E51CB81/$ mov edi, edi                  ; 2-byte hot-patch nop
7E51CB83 |. push ebp
7E51CB84 |. mov ebp, esp
7E51CB86 |. push ebx
7E51CB87 |. push esi
7E51CB88 |. mov esi, dword ptr [ebp + 8]    ; esi = arg1, string cursor
7E51CB8B |. xor ebx, ebx                    ; ebx = 0
7E51CB8D |. push edi
7E51CB8E |. mov dword ptr [ebp + 8], ebx    ; result = NULL until a record matches
7E51CB91 |. jmp 7E51CC92                    ; allocate the first entry
7E51CB96 |>/push esi;/wstr                  ; loop top: field 1 (numeric)
7E51CB97 |. | call dword ptr [<& msvcrt. _ wtol>]; \ _ wtol
7E51CB9D |. | cmp eax, dword ptr [ebp + C]  ; field 1 == arg2 ?
7E51CBA0 |. | pop ecx                       ; discard the pushed argument (cdecl)
7E51CBA1 |. | mov dword ptr [edi + C], eax  ; entry+C = field 1
7E51CBA4 |. | jnz short 7E51CBAD
7E51CBA6 |. | mov dword ptr [ebp + 8], edi  ; match: this entry becomes the result
7E51CBA9 |. | jmp short 7E51CBAD
7E51CBAB |> |/inc esi                       ; skip to the end of field 1
7E51CBAC |. | inc esi
7E51CBAD |> | cmp word ptr [esi], bx
7E51CBB0 |. ^ | \ jnz short 7E51CBAB
7E51CBB2 |. | inc esi                       ; step over the 0 word -> field 2
7E51CBB3 |. | inc esi
7E51CBB4 |. | push esi;/wstr                ; field 2 (numeric)
7E51CBB5 |. | call dword ptr [<& msvcrt. _ wtol>]; \ _ wtol
7E51CBBB |. | pop ecx
7E51CBBC |. | mov dword ptr [edi + 8], eax  ; entry+8 = field 2
7E51CBBF |. | jmp short 7E51CBC3
7E51CBC1 |> |/inc esi                       ; skip to the end of field 2
7E51CBC2 |. | inc esi
7E51CBC3 |> | cmp word ptr [esi], bx
7E51CBC6 |. ^ | \ jnz short 7E51CBC1
7E51CBC8 |. | inc esi                       ; -> field 3
7E51CBC9 |. | inc esi
7E51CBCA |. | push esi;/wstr                ; field 3 (numeric)
7E51CBCB |. | call dword ptr [<& msvcrt. _ wtol>]; \ _ wtol
7E51CBD1 |. | pop ecx
7E51CBD2 |. | mov dword ptr [edi + 10], eax ; entry+10 = field 3
7E51CBD5 |. | jmp short 7E51CBD9
7E51CBD7 |> |/inc esi                       ; skip to the end of field 3
7E51CBD8 |. | inc esi
7E51CBD9 |> | cmp word ptr [esi], bx
7E51CBDC |. ^ | \ jnz short 7E51CBD7
7E51CBDE |. | inc esi                       ; -> field 4
7E51CBDF |. | inc esi
7E51CBE0 |. | lea eax, dword ptr [edi + 14]  ; field 4 slot: +14 (next slot at +116 => 0x102 bytes)
7E51CBE3 |. | push esi;/src
7E51CBE4 |. | push eax; | dest
7E51CBE5 |. | call dword ptr [<& msvcrt. wcscpy>]; \ wcscpy   ; unbounded copy into the slot
7E51CBEB |. | pop ecx                       ; cdecl cleanup of the two arguments
7E51CBEC |. | pop ecx
7E51CBED |. | jmp short 7E51CBF1
7E51CBEF |> |/inc esi                       ; skip to the end of field 4
7E51CBF0 |. | inc esi
7E51CBF1 |> | cmp word ptr [esi], bx
7E51CBF4 |. ^ | \ jnz short 7E51CBEF
7E51CBF6 |. | inc esi                       ; -> field 5
7E51CBF7 |. | inc esi
7E51CBF8 |. | lea eax, dword ptr [edi + 116] ; field 5 slot: +116 (next slot at +218 => 0x102 bytes)
7E51CBFE |. | push esi;/src
7E51CBFF |. | push eax; | dest
7E51CC00 |. | call dword ptr [<& msvcrt. wcscpy>]; \ wcscpy   ; unbounded copy into the slot
7E51CC06 |. | pop ecx
7E51CC07 |. | pop ecx
7E51CC08 |. | jmp short 7E51CC0C
7E51CC0A |> |/inc esi                       ; skip to the end of field 5
7E51CC0B |. | inc esi
7E51CC0C |> | cmp word ptr [esi], bx
7E51CC0F |. ^ | \ jnz short 7E51CC0A
7E51CC11 |. | inc esi                       ; -> field 6
7E51CC12 |. | inc esi
7E51CC13 |. | lea eax, dword ptr [edi + 218] ; field 6 slot: +218 (next slot at +41A => 0x202 bytes)
7E51CC19 |. | push esi;/src <--- User Name
7E51CC1A |. | push eax; | dest
7E51CC1B |. | call dword ptr [<& msvcrt. wcscpy>]; \ wcscpy   ; user name stored as plain text in the heap entry
7E51CC21 |. | pop ecx                       ; return address seen in the wcscpy breakpoint output above
7E51CC22 |. | pop ecx
7E51CC23 |. | jmp short 7E51CC27
7E51CC25 |> |/inc esi                       ; skip to the end of field 6
7E51CC26 |. | inc esi
7E51CC27 |> | cmp word ptr [esi], bx
7E51CC2A |. ^ | \ jnz short 7E51CC25
7E51CC2C |. | inc esi                       ; -> field 7
7E51CC2D |. | inc esi
7E51CC2E |. | lea eax, dword ptr [edi + 41A] ; field 7 slot: +41A (next slot at +61C => 0x202 bytes)
7E51CC34 |. | push esi;/src <--- Password
7E51CC35 |. | push eax; | dest
7E51CC36 |. | call dword ptr [<& msvcrt. wcscpy>]; \ wcscpy   ; password stored as plain text in the heap entry
7E51CC3C |. | pop ecx                       ; return address seen in the wcscpy breakpoint output above
7E51CC3D |. | pop ecx
7E51CC3E |. | jmp short 7E51CC42
7E51CC40 |> |/inc esi                       ; skip to the end of field 7
7E51CC41 |. | inc esi
7E51CC42 |> | cmp word ptr [esi], bx
7E51CC45 |. ^ | \ jnz short 7E51CC40
7E51CC47 |. | inc esi                       ; -> field 8
7E51CC48 |. | inc esi
7E51CC49 |. | lea eax, dword ptr [edi + 61C] ; field 8 slot: +61C (next field at +63C => only 0x20 bytes, 16 WCHARs)
7E51CC4F |. | push esi;/src
7E51CC50 |. | push eax; | dest
7E51CC51 |. | call dword ptr [<& msvcrt. wcscpy>]; \ wcscpy   ; unbounded copy into the smallest slot
7E51CC57 |. | pop ecx
7E51CC58 |. | pop ecx
7E51CC59 |. | jmp short 7E51CC5D
7E51CC5B |> |/inc esi                       ; skip to the end of field 8
7E51CC5C |. | inc esi
7E51CC5D |> | cmp word ptr [esi], bx
7E51CC60 |. ^ | \ jnz short 7E51CC5B
7E51CC62 |. | inc esi                       ; -> field 9
7E51CC63 |. | inc esi
7E51CC64 |. | push esi;/wstr                ; field 9 (numeric)
7E51CC65 |. | call dword ptr [<& msvcrt. _ wtol>]; \ _ wtol
7E51CC6B |. | pop ecx
7E51CC6C |. | mov dword ptr [edi + 63C], eax ; entry+63C = field 9
7E51CC72 |. | jmp short 7E51CC76
7E51CC74 |> |/inc esi                       ; skip to the end of field 9
7E51CC75 |. | inc esi
7E51CC76 |> | cmp word ptr [esi], bx
7E51CC79 |. ^ | \ jnz short 7E51CC74
7E51CC7B |. | mov ecx, dword ptr [ebp + 10] ; ecx = list anchor (arg3)
7E51CC7E |. | mov eax, dword ptr [ecx + 4]  ; eax = anchor's current +4 link
7E51CC81 |. | inc esi                       ; (interleaved) step over the 0 word
7E51CC82 |. | mov dword ptr [edi], ecx      ; entry+0 = anchor
7E51CC84 |. | mov dword ptr [edi + 4], eax  ; entry+4 = anchor's old +4 link
7E51CC87 |. | mov dword ptr [eax], edi      ; old link's +0 = entry
7E51CC89 |. | inc esi
7E51CC8A |. | mov dword ptr [ecx + 4], edi  ; anchor+4 = entry  (looks like a doubly-linked insertion next to the anchor)
7E51CC8D |. | cmp word ptr [esi], bx        ; empty string after the record (double 0 word) => end of input
7E51CC90 |. | je short 7E51CCA9
7E51CC92 |> push 640;/Size = 640 (1600 .)  ; one 0x640-byte zeroed entry per record
7E51CC97 |. | push 40; | Flags = LPTR
7E51CC99 |. | call dword ptr [<& KERNEL32.LocalAllo>; \ LocalAlloc
7E51CC9F |. | mov edi, eax
7E51CCA1 |. | cmp edi, ebx                  ; allocation failed? fall through and return [ebp+8]
7e51ca3 |. ^ \ jnz 7E51CB96                 ; NOTE(review): address printed truncated; presumably 7E51CCA3 (2-byte cmp at CCA1)
7E51CCA9 |> mov eax, dword ptr [ebp + 8]    ; eax = matching entry, or NULL
7E51CCAC |. pop edi
7E51CCAD |. pop esi
7E51CCAE |. pop ebx
7E51CCAF |. pop ebp
7E51CCB0 \. retn 0C                         ; stdcall: callee pops the three arguments