"Reversing" skills #3

Adron · March 17, 2004, 07:34 PM

What's this?

Quote
-d 0:70 l4
0000:0070 AD 06 12 02 ....


a 0:570
push ax
push dx
pushf
mov dx,3c8
xor al,al
out dx,al
mov al, 0
inc al
cs:
mov [a],al
mov ah,al
rol ah,1
rol ah,1
and ah,1
neg ah
xor al,ah
inc dx
out dx,al
xor al,al
out dx,al
out dx,al
popf
pop dx
pop ax
jmp far 212:6ad

e 0:70 0 0 57 0

Adron · March 17, 2004, 07:55 PM

And here's a placeholder topic just to push spoilers further down...

.

iago · March 17, 2004, 08:49 PM

hmm, I've never seen "out" before. I'll have to look that up tomorrow

Adron · March 17, 2004, 08:54 PM

Quote from: iago on March 17, 2004, 08:49 PM
hmm, I've never seen "out" before. I'll have to look that up tomorrow

Ah, these are sad times, things were much better before! Nostalgia...

Maddox · March 17, 2004, 09:27 PM

Quote from: iago on March 17, 2004, 08:49 PM
hmm, I've never seen "out" before. I'll have to look that up tomorrow

How to reverse it now...

Quote
OUT - Output Data to Port
Usage: OUT port,accum
Modifies flags: None
Transfers byte in AL,word in AX or dword in EAX to the specified
hardware port address. If the port number is in the range of 0-255
it can be specified as an immediate. If greater than 255 then the
port number must be specified in DX. Since the PC only decodes 10
bits of the port address, values over 1023 can only be decoded by

third party vendor equipment and also map to the port range 0-1023.

Adron · March 21, 2004, 03:23 PM

Noone is able to figure this out? Or it's not amusing enough? I thought it was, at the time I was doing this...

iago · March 21, 2004, 04:02 PM

I have no idea how "port" stuff works, and don't have the time to figure it out. Maybe eventually I'll work it out

Adron · March 21, 2004, 04:15 PM

Quote from: iago on March 21, 2004, 04:02 PM
I have no idea how "port" stuff works, and don't have the time to figure it out. Maybe eventually I'll work it out

Ahk. Well, for those who want a hint, try this:

Quote
Open debug, and do "d 0:70 l4". Modify the "jmp far 212:6ad" appropriately. Paste all the code from "a 0:570" and on. Don't forget the blank line. Hit alt-enter.

dxoigmn · March 21, 2004, 05:08 PM

Quote from: Adron on March 21, 2004, 04:15 PM
Ahk. Well, for those who want a hint, try this:

Hehe, very cool.

Maddox · March 21, 2004, 05:11 PM

Quote from: Adron on March 21, 2004, 04:15 PM
Quote from: iago on March 21, 2004, 04:02 PM
I have no idea how "port" stuff works, and don't have the time to figure it out. Maybe eventually I'll work it out

Ahk. Well, for those who want a hint, try this:

Quote
Open debug, and do "d 0:70 l4". Modify the "jmp far 212:6ad" appropriately. Paste all the code from "a 0:570" and on. Don't forget the blank line. Hit alt-enter.

It makes my screen glow red.

Adron · March 21, 2004, 05:53 PM

Note what happens if you run it in DOS, or in a command prompt, and after doing this quit debug and start some other app such as "edit".

Yoni · March 22, 2004, 11:51 AM

Why does it only work while inside apps such as debug and edit, and not in a plain command prompt?

Here is a gift for you, Adron, uncommented for your pleasure:

Code Select

a
push ax
call 130
push ax
push dx
pushf
mov dx,3c8
xor al,al
out dx,al
mov al, 0
inc al
cs:
mov [a],al
mov ah,al
rol ah,1
rol ah,1
and ah,1
neg ah
xor al,ah
inc dx
out dx,al
xor al,al
out dx,al
out dx,al
popf
pop dx
pop ax
jmp far 0057:0000
pop ax
push cx
push ds
push es
push si
push di
mov si, ax
mov ax, cs
mov ds, ax
xor ax, ax
mov es, ax
mov di, 570
mov cx, a
rep
db 66
movsw
mov ds, ax
push si
mov si, 70
db 66
movsw
pop si
mov di, 70
mov ax, cs
mov ds, ax
db 66
movsw
pop di
pop si
pop es
pop ds
pop cx
pop ax
ret

rcx
62
n adron.com
w
q

Yoni · March 22, 2004, 01:48 PM

Ah! Finally figured out what you did with al. Nice trick!

Here's another one (assumes "ad 06 0c 02" at 0000:0070 which is what I'm working with right now):

Code Select

a 0:570
push ax
push bx
push dx
pushf
mov dx,3c8
xor al,al
out dx,al
mov al, 0
inc al
jns 582
xor al,al
cs:
mov [b],al
mov ah,al
rol ah,1
rol ah,1
and ah,1
neg ah
xchg al,ah
xor al,ah
xor bh,bh
mov bl,1
inc dx
dec bl
jz 5a0
xchg al,bh
out dx,al
inc bl
jz 5a7
xchg al,bh
out dx,al
dec bl
jz 5ae
xchg al,bh
out dx,al
test ah,ah
jnz 5c1
test bl,bl
jnz 5b9
mov bl,fd
add bl,2
cs:
mov [28],bl
popf
pop dx
pop bx
pop ax
jmp far 20c:6ad

e 0:70 0 0 57 0

Adron · March 22, 2004, 03:34 PM

Quote from: Yoni on March 22, 2004, 11:51 AM
Why does it only work while inside apps such as debug and edit, and not in a plain command prompt?

Here is a gift for you, Adron, uncommented for your pleasure:

Oh what a wonderful gift, now I can easily load it at will

The reason is that it only works when a 16-bit app is running - when you're in the command prompt cmd.exe, the 16-bit environment isn't active. If you run a command prompt using "command", you'll find that it works at the prompt too.

Adron · March 22, 2004, 03:37 PM

Quote from: Yoni on March 22, 2004, 01:48 PM
Ah! Finally figured out what you did with al. Nice trick!

Here's another one (assumes "ad 06 0c 02" at 0000:0070 which is what I'm working with right now):

Yes, wasn't that a neat trick? I'd otherwise load/store from a cs-relative variable (didn't want to set up ds), but this is just so much more neat!

That's a pretty effect you have there. I was thinking about enhancing it to just fade between colors, kind of rainbowish like. I'd like to do it without using any jmps though.