Solutions for two anti-W32dasm programs
Author: Xiao mutong [CCG]
Copyright: All rights reserved by CCG. Reprints must be complete and unaltered.
Difficulty: Easy
Program 1: http://www.my169.com/~Zxhxmz/porciins.exe
Program 2: the EasyPaper program that a forum member asked for help with. http://www.shijun.com/easypaper/cn/download/eps404.zip
Symptom: when either program is opened in W32dasm, W32dasm stops responding; only Ctrl+Alt+Del gets you out.
Idea: W32dasm is hitting a bug, presumably entering some loop it never leaves. Haha, this shepherd boy got stuck on that one ^_^! Once you have the idea, the anti-disassembly trick naturally takes care of itself.
Method:
Program 1:
Run W32dasm and open animal.exe for disassembly. W32dasm goes into its endless loop.
Press Ctrl+D to drop into SoftICE and press F12 twice to land at the following:
: 0046149F E8DCDB0400 call 004AF080
: 004614A4 83C408 add esp, 00000008
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00461494(C)
|
: 004614A7 8A9C35E9FDFFFF mov bl, byte ptr [ebp + esi-00000217]
: 004614AE 80FB2F cmp bl, 2F
: 004614B1 7615 jbe 004614C8
: 004614B3 80FB3A cmp bl, 3A
:004614B6 7310 jnb 004614C8
: 004614B8 889D0CF6FFFF mov byte ptr [ebp + FFFFF60C], bl
: 004614BE C6850DF6FFFF00 mov byte ptr [ebp + FFFFF60D], 00
: 004614C5 83C602 add esi, 00000002
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004614B1(C), :004614B6(C)
|
: 004614C8 8D850CF6FFFF lea eax, dword ptr [ebp + FFFFF60C]
: 004614CE 50 push eax
: 004614CF E8EC9D0400 call 004AB2C0
: 004614D4 59 pop ecx
: 004614D5 8945F4 mov dword ptr [ebp-0C], eax
: 004614D8 33D2 xor edx, edx
: 004614DA 8955F8 mov dword ptr [ebp-08], edx
: 004614DD 8B4DF8 mov ecx, dword ptr [ebp-08]
: 004614E0 8B45F4 mov eax, dword ptr [ebp-0C]
: 004614E3 3BC8 cmp ecx, eax
:004614E5 0F83B6FDFFFF jae 004612A1 // change these 6 bytes to 909090909090 to break out of the endless loop
: 004614E6 90 nop
: 004614E7 90 nop
: 004614E8 90 nop
: 004614E9 90 nop
: 004614EA 90 nop
Program 2:
Run W32dasm and open easypaper.exe for disassembly. W32dasm goes into its endless loop.
Press Ctrl+D to drop into SoftICE and press F12 twice to land at the following:
:0046151B E8BCD60400 call KERNEL32!lstrcat // pressing F12 twice brings you here
: 00461520 FF45F8 inc [ebp-08]
: 00461523 8B4DF8 mov ecx, dword ptr [ebp-08]
: 00461526 8B45F4 mov eax, dword ptr [ebp-0C]
: 00461529 3BC8 cmp ecx, eax
:0046152B 72BE jb 004614EB // change these 2 bytes to 9090
: 0046152D E96FFDFFFF jmp 004612A1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046121D(C)
|
: 00461532 8B957CFFFFFF mov edx, dword ptr [ebp + FFFFFF7C]
: 00461538 85D2 test edx, edx
: 0046153A 7411 je 0046154D
With the conditional jump at 0046152B NOPed out, follow the jmp at 0046152D to the following:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046152D(U)
|
:004612A1 C7857CFFFFFF01000000 mov dword ptr [ebp+FFFFFF7C], 00000001
: 004612AB 8B8D78FFFFFF mov ecx, dword ptr [ebp + FFFFFF78]
: 004612B1 85C9 test ecx, ecx
: 004612B3 7410 je 004612C5
: 004612B5 33C0 xor eax, eax
:004612B7 89857CFFFFFF mov dword ptr [ebp+FFFFFF7C], eax
: 004612BD 33D2 xor edx, edx
:004612BF 899578FFFFFF mov dword ptr [ebp+FFFFFF78], edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004612B3(C)
|
: 004612C5 84DB test bl, bl
:004612C7 0F85D9FEFFFF jne 004611A6 // change it to 9090909090 here to break out of the endless loop
: 004612CD 6A01 push 00000001