• Welcome to Valhalla Legends Archive.
 

[RESOLVED] Storm_423/SID_CLIENTID2

Started by Eric, March 09, 2005, 01:30 AM

Previous topic - Next topic
Print
|
Go Down Pages1
User actions

Eric

March 09, 2005, 01:30 AM Last Edit: March 09, 2005, 02:10 AM by LoRd[nK]
I'm trying to better emulate the actual client by calling Storm's registry function to read the keys that should be inserted into SID_CLIENTID2.  When I call it while in Debug mode, I get an error stating that the value of ESP was not properly saved during a function call, most likely a result of using an incorrect calling convention, however it still returns the correct data.  I then try to run it in Release mode and only receive garbage data.

C/C++:

Code Select
#include "stdafx.h"
#include <windows.h>
#include <iostream.h>

typedef DWORD (*pSGetRegInf)(LPSTR, LPSTR, BYTE, LPDWORD);

int main(int argc, char* argv[])
{
    DWORD dwRegVer;       // Registration Version
    DWORD dwRegAuth;      // Registration Authority
    DWORD dwClientID;     // Client ID
    DWORD dwClientToken;  // Client Token

HINSTANCE hStorm;
    pSGetRegInf SGetRegInf;

hStorm = LoadLibrary("Storm.dll");
    if (hStorm == NULL)
        return 0;

    SGetRegInf = (pSGetRegInf)(GetProcAddress(hStorm, (char*)(0x01A7)));
if (SGetRegInf == NULL)
return 0;

    (SGetRegInf)("Configuration", "Registration Version", 2, &dwRegVer);
(SGetRegInf)("Configuration", "Registration Authority", 2, &dwRegAuth);
(SGetRegInf)("Configuration", "Client ID", 2, &dwClientID);
(SGetRegInf)("Configuration", "Client Token", 2, &dwClientToken);

cout << "Registration Version: " << dwRegVer << endl;
    cout << "Registration Authority: " << dwRegAuth << endl;
    cout << "Client ID: " << dwClientID << endl;
cout << "Client Token: " << dwClientToken << endl;

    FreeLibrary(hStorm);

return 0;
}


Assembly:

Code Select
.text:19016BD4                 lea     eax, [esp+284h+var_234]
.text:19016BD8                 push    eax
.text:19016BD9                 push    2
.text:19016BDB                 push    offset aClientToken ; "Client Token"
.text:19016BE0                 push    offset aConfiguration ; "Configuration"
.text:19016BE5                 call    Storm_423

Edit:
Nevermind, was a rather stupid _stdcall error.

Code Select
typedef DWORD (_stdcall *pSGetRegInf) (LPSTR, LPSTR, BYTE, LPDWORD);

UserLoser.

#1
March 09, 2005, 06:36 AM
Most of Storm's exports (if not, all) are stdcall

iago

#2
March 09, 2005, 08:53 AM
Quote from: UserLoser on March 09, 2005, 06:36 AM
Most of Storm's exports (if not, all) are stdcall

Most.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Print
|
Go Up Pages1
User actions