From 515d5e8c297091fe469e9fb81e7241093af8e59e Mon Sep 17 00:00:00 2001 From: Amanda Rousseau Date: Fri, 24 Mar 2017 11:52:25 -0700 Subject: [PATCH] fixing code --- static.md | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/static.md b/static.md index 4118e4b..b961135 100644 --- a/static.md +++ b/static.md 
@@ -54,16 +54,39 @@ Notice it's calling [InternetOpen](https://msdn.microsoft.com/en-us/library/wind This function call has the following arguments: +**C++** + ```c++ HINTERNET InternetOpen( - _In_ LPCTSTR lpszAgent, //URL - _In_ DWORD dwAccessType, - _In_ LPCTSTR lpszProxyName, - _In_ LPCTSTR lpszProxyBypass, - _In_ DWORD dwFlags + _In_ LPCTSTR lpszAgent, // Arg 1 = URL + _In_ DWORD dwAccessType, // Arg 2 + _In_ LPCTSTR lpszProxyName, // Arg 3 + _In_ LPCTSTR lpszProxyBypass,// Arg 4 + _In_ DWORD dwFlags // Arg 5 ); ``` - ![alt text](https://securedorg.github.io/images/static3.png "Strings window") +We need to figure out what register **esi** is because it contains the URL we are looking for. + +**Assembly x86** + +```assembly +push 0 ; Arg 5 +push 0 ; Arg 4 +push 0 ; Arg 3 +push 1 ; Arg 2 +push esi ; Arg 1 URL +call ds: InternetOpenA +``` + +Right before the first **push 0** there is a **mov esi,eax** which means esi = eax. + +When a function returns, the return value is stored in **eax**. So let's look into the function that is being called. It takes a string as the first argument (that is a wicked string), and. + + ![alt text](https://securedorg.github.io/images/static3.png "Unknown Function") + + Scroll down until you find **xor al, 5Ah**. Eventually you will be able to recognize when a string loop is being processed. In this case it is **xor** a byte with **5Ah** which is **Z** in [ascii](http://www.asciitable.com/). + +![alt text](https://securedorg.github.io/images/static4.png "Xor routine") [Section 4 <- Back](https://securedorg.github.io/RE101/section4) | [Next -> Section 6](https://securedorg.github.io/RE101/section6)
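Review bot: the added sentence "It takes a string as the first argument (that is a wicked string), and." trails off mid-thought; either finish it (what the function does with that string before the result lands in eax) or drop the dangling "and." Two smaller points in the same hunk: the new comment `// Arg 1 = URL` sits on `lpszAgent`, whose name indicates the agent (user-agent) string, so say why the decoded value is treated as the URL here rather than relabelling the parameter itself; and `call ds: InternetOpenA` has a stray space after the colon, which should read `call ds:InternetOpenA` as the disassembler prints it.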