0:017> uf ftpaccess!IFTPCreateSystem
ftpaccess!IFTPCreateSystem:
00b2cba0 56 push esi
00b2cba1 57 push edi
00b2cba2 6a20 push 20h
00b2cba4 33ff xor edi,edi
00b2cba6 e8f7160000 call ftpaccess!CreateLicenseInfo+0x3a2 (00b2e2a2)
00b2cbab 8bf0 mov esi,eax
00b2cbad 83c404 add esp,4
00b2cbb0 3bf7 cmp esi,edi
00b2cbb2 7435 je ftpaccess!IFTPCreateSystem+0x49 (00b2cbe9)
ftpaccess!IFTPCreateSystem+0x14:
00b2cbb4 8d4608 lea eax,[esi+8]
00b2cbb7 50 push eax
00b2cbb8 c706dc09b300 mov dword ptr [esi],offset ftpaccess!CreateLicenseInfo+0x2adc (00b309dc)
00b2cbbe ff150401b300 call dword ptr [ftpaccess!CreateLicenseInfo+0x2204 (00b30104)]
00b2cbc4 687073b300 push offset ftpaccess!CreateLicenseInfo+0x9470 (00b37370)
00b2cbc9 897e04 mov dword ptr [esi+4],edi
00b2cbcc ff156400b300 call dword ptr [ftpaccess!CreateLicenseInfo+0x2164 (00b30064)]
00b2cbd2 57 push edi
00b2cbd3 57 push edi
00b2cbd4 e887d8ffff call ftpaccess!InitializeLicensing (00b2a460)
00b2cbd9 8b16 mov edx,dword ptr [esi]
00b2cbdb 8b02 mov eax,dword ptr [edx]
00b2cbdd 83c408 add esp,8
00b2cbe0 8bce mov ecx,esi
00b2cbe2 ffd0 call eax
00b2cbe4 5f pop edi
00b2cbe5 8bc6 mov eax,esi
00b2cbe7 5e pop esi
00b2cbe8 c3 ret
...
There are four function calls. Two of them are direct calls and are straightforward to read:
00b2cba6 e8f7160000 call ftpaccess!CreateLicenseInfo+0x3a2 (00b2e2a2)
00b2cbd4 e887d8ffff call ftpaccess!InitializeLicensing (00b2a460)
The other two go through function pointers and cannot be resolved just by reading the disassembly:
00b2cbbe ff150401b300 call dword ptr [ftpaccess!CreateLicenseInfo+0x2204 (00b30104)]
00b2cbcc ff156400b300 call dword ptr [ftpaccess!CreateLicenseInfo+0x2164 (00b30064)]
However, we do know the addresses being dereferenced: 00b30104 and 00b30064. To find out which functions those slots point to, we can look them up in the module's Import Address Table (IAT), whose location is recorded in the module headers.
First, retrieve the starting address of the specified module:
0:017> lm m ftpaccess
start end module name
00b20000 00b3b000 ftpaccess (export symbols) C:\Program Files\Ipswitch\Common\ftpaccess.dll
Second, dump the headers for the specified module:
0:017> !dh 00b20000
...
14680 [ DF] address [size] of Export Directory
135A0 [ DC] address [size] of Import Directory
18000 [ 5E4] address [size] of Resource Directory
0 [ 0] address [size] of Exception Directory
0 [ 0] address [size] of Security Directory
19000 [ 11BC] address [size] of Base Relocation Directory
10310 [ 1C] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
0 [ 0] address [size] of Thread Storage Directory
122D8 [ 40] address [size] of Load Configuration Directory
0 [ 0] address [size] of Bound Import Directory
10000 [ 2E0] address [size] of Import Address Table Directory
0 [ 0] address [size] of Delay Import Directory
0 [ 0] address [size] of COR20 Header Directory
0 [ 0] address [size] of Reserved Directory
...
Third, dump the contents of the IAT directory (module base plus the directory's RVA, for the directory's size):
0:017> dps 00b20000+10000 00b20000+10000+2E0
00b30000 77dd6fef ADVAPI32!RegQueryValueExW
00b30004 77dd6a9f ADVAPI32!RegOpenKeyExW
00b30008 77ddd757 ADVAPI32!RegSetValueExW
00b3000c 77dfba25 ADVAPI32!RegCreateKeyW
00b30010 77dd7edd ADVAPI32!RegEnumValueW
00b30014 77dd6c17 ADVAPI32!RegCloseKey
00b30018 00000000
00b3001c 0fb7b1e0 IPSLIBEAY32!EVP_EncryptInit
00b30020 0fb79920 IPSLIBEAY32!EVP_aes_256_cfb128
00b30024 0fb7a200 IPSLIBEAY32!EVP_CIPHER_CTX_init
00b30028 0fb7a530 IPSLIBEAY32!EVP_DecryptUpdate
00b3002c 0fb7b1a0 IPSLIBEAY32!EVP_DecryptInit
00b30030 0fb7a350 IPSLIBEAY32!EVP_EncryptUpdate
00b30034 0fb79420 IPSLIBEAY32!EVP_DigestFinal
00b30038 0fb78e10 IPSLIBEAY32!EVP_DigestUpdate
00b3003c 0fb78de0 IPSLIBEAY32!EVP_DigestInit
00b30040 0fb7b700 IPSLIBEAY32!EVP_sha256
00b30044 0fb7ab80 IPSLIBEAY32!EVP_CIPHER_CTX_cleanup
00b30048 0fb10950 IPSLIBEAY32!idea_set_decrypt_key
00b3004c 0fb7a180 IPSLIBEAY32!EVP_des_cbc
00b30050 0fb20940 IPSLIBEAY32!EVP_rc2_cfb64
00b30054 0fb10920 IPSLIBEAY32!idea_set_encrypt_key
00b30058 0fb78ef0 IPSLIBEAY32!EVP_MD_CTX_cleanup
00b3005c 0fb10230 IPSLIBEAY32!idea_cfb64_encrypt
00b30060 00000000
00b30064 7c8097f6 KERNEL32!InterlockedIncrement
00b30068 7c809bd7 KERNEL32!CloseHandle
00b3006c 7c8300ca KERNEL32!CancelIo
00b30070 7c8315b4 KERNEL32!GetOverlappedResult
00b30074 7c80a0ed KERNEL32!WaitForMultipleObjects
00b30078 7c83161f KERNEL32!ReadDirectoryChangesW
00b3007c 7c80a739 KERNEL32!CreateEventW
00b30080 7c8107f0 KERNEL32!CreateFileW
00b30084 7c802530 KERNEL32!WaitForSingleObject
00b30088 7c80a0a7 KERNEL32!SetEvent
00b3008c 7c80980a KERNEL32!InterlockedDecrement
00b30090 7c9010e0 ntdll!RtlLeaveCriticalSection
00b30094 7c80ae30 KERNEL32!GetProcAddress
00b30098 7c80aedb KERNEL32!LoadLibraryW
00b3009c 7c80f37e KERNEL32!SetCurrentDirectoryW
00b300a0 7c80b907 KERNEL32!GetCurrentDirectoryW
00b300a4 7c809c88 KERNEL32!MultiByteToWideChar
00b300a8 7c80a164 KERNEL32!WideCharToMultiByte
00b300ac 7c80be46 KERNEL32!lstrlenA
00b300b0 7c809a99 KERNEL32!lstrlenW
00b300b4 7c90fe01 ntdll!RtlGetLastWin32Error
00b300b8 7c810b69 KERNEL32!CompareFileTime
00b300bc 7c810bac KERNEL32!SystemTimeToFileTime
00b300c0 7c80176f KERNEL32!GetSystemTime
00b300c4 7c835d6c KERNEL32!WritePrivateProfileStringA
00b300c8 7c81ee34 KERNEL32!WritePrivateProfileStringW
00b300cc 7c80981e KERNEL32!InterlockedExchange
00b300d0 7c85ac7c KERNEL32!OutputDebugStringA
00b300d4 7c83089d KERNEL32!CreateEventA
00b300d8 7c80932e KERNEL32!GetTickCount
00b300dc 7c801a28 KERNEL32!CreateFileA
00b300e0 7c801d7b KERNEL32!LoadLibraryA
00b300e4 7c801629 KERNEL32!DeviceIoControl
00b300e8 7c812b6e KERNEL32!GetVersionExA
00b300ec 7c80b55f KERNEL32!GetModuleFileNameA
00b300f0 7c8099a5 KERNEL32!GetACP
00b300f4 7c80a4b7 KERNEL32!QueryPerformanceCounter
00b300f8 7c813123 KERNEL32!IsDebuggerPresent
00b300fc 7c901000 ntdll!RtlEnterCriticalSection
00b30100 7c91135a ntdll!RtlDeleteCriticalSection
00b30104 7c809f81 KERNEL32!InitializeCriticalSection
00b30108 7c80b465 KERNEL32!GetModuleFileNameW
00b3010c 7c8097b8 KERNEL32!GetCurrentThreadId
00b30110 7c8099b0 KERNEL32!GetCurrentProcessId
00b30114 7c80ac6e KERNEL32!FreeLibrary
00b30118 7c8449fd KERNEL32!SetUnhandledExceptionFilter
00b3011c 7c863e6a KERNEL32!UnhandledExceptionFilter
00b30120 7c80de85 KERNEL32!GetCurrentProcess
00b30124 7c801e1a KERNEL32!TerminateProcess
00b30128 7c809832 KERNEL32!InterlockedCompareExchange
00b3012c 7c802446 KERNEL32!Sleep
00b30130 7c80a4a5 KERNEL32!GetThreadLocale
00b30134 7c80d2f2 KERNEL32!GetLocaleInfoA
00b30138 7c8017e9 KERNEL32!GetSystemTimeAsFileTime
...
With the IAT dump, the two addresses resolve: 00b30064 holds KERNEL32!InterlockedIncrement and 00b30104 holds KERNEL32!InitializeCriticalSection.
1 comment:
Here is a simpler approach -- dps 00b30104 l1