reverse engineering

I thought that we were pretty secure in that I can barely figure out some of our code with the source, but my boss has asked me to look into making sure that competitors can't reverse engineer our code. We have some numerical stuff that is kind of special.

With a dis-assembler, you get C code back? C++ code? How far back can you reverse engineer an *.exe? What are techniques that people use to hack somebody's code? I'm not sure this is worth worrying about - for myself, I think it would always be easier to start with publicly available information and techniques, and develop towards what a program produced, rather than to work backwards from that program and attempt to induce how it worked.

You cannot revert a program to exact C++ code or C code -- function names, class names, variable names, etc... are lost during compilation. However, it is theoretically possible to revert the code into C, and just not have appropriate names for variables and functions. I have never seen a utility that does this.

On the other hand, it is very easy to reverse engineer code into assembly. It is possible to reverse engineer algorithms from assembly code, although very difficult. Assembly is a very messy language, and a 1 MB executable has thousands upon thousands of lines of code.

If a competetor really wanted to, they could hire an assembly coder to find your algorithm and reverse engineer it. However, it would take a lot of both time and money.

If you've ever seen program cracks out on the internet (to get rid of cd keys and such), the people that design those usually reverse engineer a program, locate the cd key part, and patch it up so that it is no longer required.

There is no way to prevent this kind of reversal, unfortunately.

-MattAA

-MattAA
[email protected]

Actually the preceding reply is wrong. You can, in fact, totally reverse-engineer an exectuable into its original C++ source code. I know it is very scary to us programmers, but they do it. Almost all of the major cracking groups do it and it makes it so even a newbie cracker can break your program's protection by viewing the source code.

They use a program called SoftIce. It decompiles your EXE and lets you actually break into any step in your EXE and shows you the line, function, etc in your actual source code of the exe in c++. The cracker can scroll through your code, step through, replace values, just like the VC++ debugger.

Therefore, your boss is quite correct in protecting the source code of your application. Here are some very quick explanation methods of ways to protect your code:

1. Use a CRC check on your executable at run-time before it even starts normal processing. If the CRC fails (meaning a cracker has changed at least 1 bit in your exe, then exit(0); )
Go to http://www.programmersheaven.com and search for CRC to find an excellent C source code to implement CRC in your app.

2. Replace any critical registers, flags, and functions with obscure names. Instead of MySecretNumberFunction() name it M14SNF0()

3. Want to be sneaky? Use a method called MeltIce. It detects if a user is already running SoftIce and if so, you can take action from there such as exit(0), fake-dead, malicious code (I don't recommend this), etc.

Excellent link explaining how to protect your software :
http://www.searchlores.org/protec/protec.htm#tid18
http://www.senseofsecurity.com/sharenc.asp


Anyway, it is a very real threat. Afterall, what do you think China is doing to that U.S. plane's software that crashed there a few years ago?



Easy Internet Software @
http://www.DummySoftware.com

Right. Forget tools to encrypt your exe and even the crc-checks. SoftIce is a *very* powerful tool - and even if you make weired function names, they can breakpoint on every "GetWindowText" for a usertyped parameter, breakpoint on the system memory the value is stored in and there it goes.

Only way to protect something is to make reverse engineering as hard as possible: relocate user-supplied parameters, use indirect querying, use multithreading and maybe hardware-dependend code snippets.
But I believe that there's no really secure way to protect your work :(

Oliver.

Interesting conversation we are having here, and very worrying from my point of view. I believed my code was hackable and crackable, of course it is ! It's only software afterall. Set a break point with SoftIce and break it at the cd key entry, set a jmp, patch it and thats that (i guess, i've never used SoftIce, although I more or less know what it's capable of) ...

... the bit that worries me is your assertion that the exe can be decompiled into it's original source, with the original symbol names. Now if you are right, I just might start crying.

Please tell me you are wrong. Please tell me that it is not possible to get the source code from my release exe.

One other thing, and please forgive me for my ignorance, but what's the point in a crc check on your code, if the cracker can decompile your code, find the check and remove it ?

Looking forward to further conversation on this issue. I've gotta tell you, the bottom of my world just dropped out if you are right :(


Jase

http://www.slideshowdesktop.com
View your images and photos on your desktop with ease using SlideShow Desktop, the desktop wallpaper manager for Microsoft Windows.

Sorry, but they can indeed get your exact C++ source code down to the very GetWindowText() function calls in windows.

The benefit of things like CRC checks is they make it that much harder for someone to crack. The hope is that most crackers are "cookie-crackers". They run through a list of shareware, cracking them one-by-one to submit their duty of "10 apps cracked for the day".

If your program is going to take them say 8 hours to crack.. why bother when they can move on to the next to fill their quota. The CRC check can make things very complex to disable. It deals with polynomials and all.. if you complicate your calls to your security routines with embedded assembly and such, you can make it tricky for a cracker to see how to disable a function.

For example, instead of bRegistered = true, how about using iDataName = 65 where if iDataName < 50 then the program is not registered. If iDataName > 49 then program is registered, rather than straight boolean.

Things like that. Because, yes they get your source code. If you name a function a curse word, they will certainly see it and have a good laugh. :)

Thats why I think MeltIce is good. If they want to crack your stuff, you can at least detect them and keep them busy for a bit.


Easy Internet Software @
http://www.DummySoftware.com

Oh and i don't want to scare you guys too much. Yes, they can see your exact C++ source, but at least they can't see your comments! :) Since comments are removed from the exe during compilation and linking.

Anyway, in case anyone wants to have some fun here is the code to the infamous MeltIce.


BOOL IsSoftIce95()
{
HANDLE hFile;
char fname[5];
char fullname[10];

// Form the text SICE without characters that the hacker could see.
fname[0] = 0x53;
fname[1] = 0x49;
fname[2] = 0x43;
fname[3] = 0x45;
fname[4] = 0x0;

// "\\.\SICE"
strcpy(fullname, "\\\\.\\");
strcat(fullname, fname);

// "\\.\SICE" without escape stuff
hFile = CreateFile(fullname,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);

if( hFile != INVALID_HANDLE_VALUE )
{
CloseHandle(hFile);
return TRUE;
}

return FALSE;
}

//////////////////////////////////////////////////////////////////////
//
// See if SoftICE version 3.x for Windows NT is loaded
//
BOOL IsSoftIceNT()
{
HANDLE hFile;
char fname[6], fullname[10];

fname[0] = 'N'; // 'N';
fname[1] = 0x54;
fname[2] = 0x49;
fname[3] = 0x43;
fname[4] = 0x45;
fname[5] = 0x0;

// "\\.\NTICE"
strcpy(fullname, "\\\\.\\");
strcat(fullname, fname);

// "\\.\NTICE" without escape stuff
hFile = CreateFile(fullname,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);

if( hFile != INVALID_HANDLE_VALUE )
{
CloseHandle(hFile);
return TRUE;
}

return FALSE;
}




Easy Internet Software @
http://www.DummySoftware.com

pisser.

melt ice ?


Jase

http://www.slideshowdesktop.com
View your images and photos on your desktop with ease using SlideShow Desktop, the desktop wallpaper manager for Microsoft Windows.

from where do you call this, and what is it doing?


Jase

http://www.slideshowdesktop.com
View your images and photos on your desktop with ease using SlideShow Desktop, the desktop wallpaper manager for Microsoft Windows.

It detects if a user's computer is running SoftICE. It does this by opening the root program file for SoftICE. If it is not able to open this file, SoftICE is probably not running. If it is able to open this file, whamo - you got him. It then closes the file and does nothing else. The weird 0x56 codes are just hex codes for the ASCII letters S I C E so the hacker can't easily scan your code to look for "SICE" to know you want to detect him.

It's really a cat & mouse game.

You usually would call this in your CDialogApp::CDialogApp() constructor or in the InitApp() function. Anywhere your program initializes would be good so you can detect it without giving the hacker much time to break into your program.

So maybe you do:


if (IsSoftICE95() || IsSoftICENT())
{
// User is running it.
exit(0);
}





Easy Internet Software @
http://www.DummySoftware.com

Right, i see.

At what point can somebody with soft ice view my code ? Can they just disassemble my exe as a disk file and see my code ? If os, then the bRegistered = TRUE or nDataName = 65 trick doesn't look to be very useful. They'll soon notice that whatever condition is checked, if its a certain value then it disables functionality - regardless of whether it's a bool or is an int called mygransmellsofwee.

Are they only able to see a portion of it at a time, i.e. the code that is memory resident.

And how does the code look ? Clearly it's not laid out as a whole bunch of cpp and h class files. I'm trying to build up a mental picture of what can be seen at which point. From my current understanding, I don't see what benefit there is to placing the melt ice code early on in the app - you say it gives the cracker less time to break into your program. So soft ice only displays the code while it is running ? why can they not just break in on the first instrcution called or start of execution ?

Please forgive my ignorance in this, it's enough for me to learn a programming language and a set of api's, but i don't really have much concept of what the cpu is doing with my code while it's running. I know zero about asm.




Jase

http://www.slideshowdesktop.com
View your images and photos on your desktop with ease using SlideShow Desktop, the desktop wallpaper manager for Microsoft Windows.

in our case we are most interested in protecting algorithms, and from the various links you posted, it looks like we are completely hosed.

I had thought that they could only get to the assembly level, but if they could get to even the C level, then they have us.

http://www.itee.uq.edu.au/~csmweb/dcc.html#thesis

but from above, sounds like SoftIce is way better.

In reply to:

Yes, they can see your exact C++ source



Where do you get this information from? Please, stop spreading this. This is not true at all. This is not Java, where the byte-codes do translate into a 1-1 relationship with the source.

Once an EXE is there, the original source is lost. The best that can be done is to study certain patterns within the EXE, figure out what compiler might have been used, and then guess the structure of what the intent was. If a hacker sees something that looks like a jump table, they can assume it was a switch() statement, but maybe it was a v-table. The only thing that is left in the EXE (at least with VC++) are the symbols -- that's it.

If you could get the original source code, can all of us here just burn all of our C++ source, keep only the executable files, and just get Soft-Ice to get us our code back instead of doing a backup of our original source? You realize how ridiculous that sounds, correct?

Regards,

Paul McKenzie

that link doesn't work for me todd


Jase

http://www.slideshowdesktop.com
View your images and photos on your desktop with ease using SlideShow Desktop, the desktop wallpaper manager for Microsoft Windows.

jase, if they could get your source code by using Soft-Ice, then why don't you just keep your executables, erase all your source files, and just use Soft-Ice to get your source code back.

As you can see, I'm saying this with a lot of sarcasm. No, your source code is safe. The only thing that a hacker sees are symbols and certain patterns within the code that identify function calls, loops, etc. They do not see your std::strings, vectors<>, smart pointer classes, and whatever other source code. All a hacker cares about is to figure out how to "jump around" certain parts of your code, or to change maybe a variable or register here or there.

If this were the case that hackers can see the full source code (chuckle), I sure wish I could get the source code to AutoCad. Maybe I should just get Soft-Ice and it will give me their entire class structure. Of course this sounds ridiculous, because it is.

If you are using Java, then you can have a problem. With Java, your code can be decompiled, very easily into the equivalent source language, since the byte codes in determine the source.

Regards,

Paul McKenzie

Thankyou Paul, your view on this topic is what i believed to be the case. you surely can't take an exe and produce a set of compilable class files from it ...

... but i did think the symbols were only included in the debug release. if they are in the release version too, then perhaps it would be prudent to rename some of the more obvious.

are all class name, function and variable symbols left in the exe ?


Jase

http://www.slideshowdesktop.com
View your images and photos on your desktop with ease using SlideShow Desktop, the desktop wallpaper manager for Microsoft Windows.

Todd don't worry. Unless you write in straight assembly language, your source code is safe. See my responses to jase and kbomb.

Basically, I said that if the source code can be recovered, then why do backups? Just get Soft-Ice, and you can throw all your source away.

I have done a lot of assembly coding in the past, and have a lot of knowledge in how hackers work. They only have good assumptions in what a certain module is doing using a tool such as soft-ice. Yes they can get the functions as symbols, and can detect a function call by seeing what is pushed onto the stack. But no, they won't see your Super-Sophisticated 3-d cad source code.

A hacker cannot get the original Cor C++ source unless you give it to him/her.

Regards,

Paul McKenzie

Not all of them. If you need any affirmation, how about when you get that dreaded exception error, and you go to look at the call stack to see what happened. How many times have you seen this:

NTDLL (some number)
NTDLL (some number)
etc.
etc.

The best that you can make out of this is the name of the module that bombed out and some hex address. If you built your application using debug symbols, then yes, the symbols are there, since you will see the names of the functions. Note that when you download a service pack to fix one of MS operating systems, you get the choice of downloading the symbols also. The symbols are used so that instead of NTDLL(whatever), you see the actual NTDLL function name that caused the error.

Regards,

Paul McKenzie

Yes this is my understanding. If you lost your source code, you could "virtually" get Soft-ICE and reverse-engineer your executable back into source code. It would not have the VC++ directory structure and filenames, but all the code would be there. Some parts MAY look differet, but most functions and names will be just like the original. Try downloading SoftICE and see for yourself the results.


Easy Internet Software @
http://www.DummySoftware.com

Sorry, but I've used soft-ice since it was a 16-bit product so I know what I speak of. It does not do this. Once your source code is gone, it's time to either write it again, cry, get fired, sued, or worse.

There are other products such as Sourcer that supposedly did this. Again, translation was never exact and these products told you as such. The best you can do is get some obsfuscated 'C'-like output, which will most likely look nothing like your original code. Especially with such a complicated language such as C++, how in the world can you deduce a

std::vector< std::map< MyClass, std::list<int> > >

from a mere assembly listing? Add to that, you have different compilers that produce different executables.

Regards,

Paul McKenzie

Thanks Paul, that's what i figured. I was taken aback when kbomb987 implied otherwise, because i haven't used softice. I'm pleased to hear you dismiss his claims though, I can sleep again now :)



Jase

http://www.slideshowdesktop.com
View your images and photos on your desktop with ease using SlideShow Desktop, the desktop wallpaper manager for Microsoft Windows.

ok, that is very good news, so you don't get C++ class structure back in any form? (I don't care so much for variable names . . .)

What about


bool CRegsitrationClass::IsRegistered()




or similar. Is this type of information available in SoftICE or does it just return a mangled name ? Do i need to rename any registration sensitive class names, functions and variables to something a little more esoteric ?


Jase

http://www.slideshowdesktop.com
View your images and photos on your desktop with ease using SlideShow Desktop, the desktop wallpaper manager for Microsoft Windows.

That all depends on what compiler you used.

The way to tell for sure is to put a line in your source code right after the opening of the function call that will cause an execption. Something like this:

bool CRegsitrationClass::IsRegistered()
{
char *p = NULL;
*p = 'A';
// The rest of your code
}



Recompile in release mode, no symbols, nothing. When you run your program, a memory exception will occur, and if you have VC++ installed, it will take you to the spot where the exception occurred. Take a look at the call stack and generated assembly code. If you see things like IsRegistered or anything like that, then yes, SoftIce will be able to get the symbol, otherwise no. There are no "hidden symbol tables" floating around in your EXE somewhere that Soft-Ice knows about that VC++ doesn't know about.

Regards,

Paul McKenzie

doing this does not show the stack in visual studio when it crashes. you can hit the debug button, but it forces you to terminate the app and no call stack is available


Jase

http://www.slideshowdesktop.com
View your images and photos on your desktop with ease using SlideShow Desktop, the desktop wallpaper manager for Microsoft Windows.

I'm using NT, and it works. If not, then whatever you're using is not setup correctly. If you ever wanted to debug an access violation from a piece of running code, then you're saying you can't do it? I just did it with this simple app. I just ran this program, and it didn't force the app to close:

#include <stdio.h>
int main()
{
char *p = NULL;
*p = 'A';
}



I was asked to press Cancel to debug. Pressing cancel brings up Visual Studio. Then a dialog box states what the error is. Clicking OK there takes me right to the assembly window, where I can see the call stack, plus the code where the violation occurred. The code is still running, it hasn't terminated until I tell it to (the execution arrow is still pointing to the *p = 'A' line).

Regards,

Paul McKenzie

Hi Paul,

I'm at work now and you're right, it works on NT4.
But back at home, XP Professional doesn't allow it. It forces you to close the app.

And the call stack and assembly window show no symbols of any kind at the point i broke it (in my registration routines)


Jase

http://www.slideshowdesktop.com
View your images and photos on your desktop with ease using SlideShow Desktop, the desktop wallpaper manager for Microsoft Windows.

kbomb987, you should be more careful about what you say. Perhaps you are not familiar with the debug information that is included in debug builds but not release builds. Perhaps you are not familiar with SoftIce enough to know that it must have that debug information. So when you are guessing you should say you are not sure.

As has been explained in many other replies, none of the preventive techniques you provide would prevent an exe from being decompiled from disk.

Something that I do not see mentioend is that the determined hacker can purchase a PC expansion board that does most of what SoftIce does but without degrading performance very much and that cannot be detected by any software running in the system. However even they cannot decompile a C/C++ program any better than software decompilers can.


****************************************************************************************************
Ratings are unimportant but follow-up is. Try to somehow let the helper and the worldwide community know what works.
http://www.cpp.atfreeweb.com

I haven't used Soft Ice either, but I have used similar products. The ones that work on release builds have all required an accompanying .pdb file This is the Program Data Base, where vc++ puts all the symbols & etc. that you need to decompile.

I have to check that out. If that's the case, XP is certainly not developer friendly.

Regards,

Paul McKenzie

How ridiculous.

Using a disassembler, a hacker can see the flow of the program but they cannot get the symbols in a stripped down executable.

The info is not there for a disassembler to know the names of your functions etc.

do u know of the

win32 Portable Executable File Format and
the PE API

Naturally it allows you to view it in the debugger if the exe is compiled for debug, but if it is a release exe that crashes, xp forces you to close it


Jase

http://www.slideshowdesktop.com
View your images and photos on your desktop with ease using SlideShow Desktop, the desktop wallpaper manager for Microsoft Windows.

What about a release build with symbols? What if you started the release build from the VC++ environment on XP? Does it then give you the call stack? Does XP have tools such as Dr. Watson, which basically does the same thing as the VC++ debugger when your program crashes i.e. act as a Just In Time debugger? It's hard to believe that a release build on XP is undebuggable when a crash occurs. If that's true, then I'm sure MS has had developers howling at them these past few months.

Regards,

Paul McKenzie

I'm not very familiar w/ the NT securty architecture, but poking around w/ my settings under W2k, I noticed a security setting wich determines whether a certain user may debug programs or not. I can imagine that if you're logged as a user that is nou allowed to debug, the faulty app will be closed w/o any message saying "You are not allowed to debug, so the only option is close".
It's just a thought. I didn't try it out.

Gabriel.
_
Forever trusting who we are
And nothing else matters - Metallica
_

In actual fact, it is behaving as expected now. I'm not sure what I have changed in my project settings, but it does now allow me to look at the asm in the debugger when it crashes, as it does on NT. It hasn't done this for quite some time on my XP machine, previously it would open the debugger, but then force you to kill the app.

Again, no symbols. Just SlideShow.exe, NT.DLL, ???, and a whole lot of asm.

Oh well, good news for you I'm sure. As for me, I don't know asm so the feature remains superfluous :)

(and yes, XP uses Dr Watson, although i disabled it because it doesn't provide me with any information i understand)




Jase

http://www.slideshowdesktop.com
View your images and photos on your desktop with ease using SlideShow Desktop, the desktop wallpaper manager for Microsoft Windows.

Just forget about disassembling to a disc file. When talking about tools like SoftIce you must notice that this isn't a tool to generate disassembled files of code. As I mentioned before, you can breakpoint on any symbol and any memory location and even on memory operations you'll like to. SI runs in background, is loaded before Windows and lets you even trace into the kernel32.dll or wherever you want (SI itself is secured ;) I even had total system hangs (deadlocks in semaphores) and SI was quite running...

I thought we're talking about if stealing algorithms is possible - and anyway how many layers you use - it is possible. You need a good knowledge of ASM, maybe a lot of time but that's it. Face it, it's a fact.
Since we're not talking about patching an exe or dll, you don't have to worry about coding or checksumming your files.
Also forget about MeltIce. It's not hard to find a patch for SoftIce that makes MeltIce useless. Always remember that the guys that are stealing algorithms are not those kiddy crackers - they don't want 10 algos per day, they want yours. And they have the equipment and many more time to spent on breaking in your program than you have for securing it.

I used SoftIce for a (very) short time. Since then I not even pack my executables anymore - not worth the time.

I suggest to take a close look at that tool. Then consider what's your algos worth.

Oliver.

You seem pretty quick to accuse me of being wrong :). Considering I am both a C++ Developer and an Intel Assembly-language engineer, I think I have some credibility here.

Just think about it logically. If it were so easy to reverse machine code in to C++, then why do software companies complain so much about Microsoft not releasing the source to Windows? Just decompile it! This includes any commercial program on the market -- if this was indeed possible the open source movement would be cheering in the streets :).

A compiled program with no debugging information in it is downright impossible to reverse to C++ source. It is possible to reverse it to C, although the C code will be no where near like what the origonal source was.

-MattAA
[email protected]

Every one talking about whether reverse-engineering can give back exactly the same original C/C++ code or not. You all missed one important point. That is, the reverse engineered C/C++ code, no matter what they look like, they do indeed compile into exactly the same executable binary and do exactly the same thing your program does.

So, forget about whether the reverse engineered code looks like your original source code or not. That question is irrelevant since both will compile into exactly the same program executable binary.

The real question to ask is, looking at the reverse-engineered source code, can a potential hacker make any sense out of it? Given a little bit of skill, the answer is a definite YES.

And, if your original source code was written in a real bad coding style, chances are that the reverse-engineered code could be actually even easier to read, and hence makes more sense than your original source code!



Any one who knows he/she is not smart is smart.
Any one who knows he/she is smart is not smart.
You ask me if I am smart or not? Well...
I don't know - you tell me :-)

If a potential hacker can identify functions by using SI..aka Tools can he just get that function in bin/obj/exe form and use that somewhere else in his own project?

Rating Helps!!

Anybody who tells you that the .exe file compiled in the release mode can be decompiled into the original source code has obviously no idea of how the compilers and decompilers work. The best decompiler i know is IDA (interractive disassembler) which decompiles the sorce code into the assembly. It can also point you on the Win32 API function calls and references to the other DLL files on your system. The same can be done with Win32Dasm. But the code that you get is not nearly close to the original c code (I should not even mention a c++ class structure here). If your "know how" is in the c++ design only, - then you're on the safe side. If you're talking about the algorithm that is irrelevant of the class structure then it may be retrieved in some form (not in the original one) which will be an assembly code with more or less disassembler genereted general commens added (referenced Win32 API function, CPU register, function entry points (without the real function names) and thing like this). Even though, this things can be retrieved, there are ways to "fool" disasseblers (or the people, working with the produced listings).
Here is one simple trick:

try
{
int a = 1/0; // generates an exception (it does not have to be this obvious)
// some code that will never execute goes here
catch (...)
{
// the actual code here
// NOTE: If you write all your code this way
// it will slow you down and create a
// debugging nightmare
}



There are also ways of generating so called dynamic code and more. You can find some information on WWW.ASTALAVISTA.COM

Generally it is pretty hard to read a disassembled code unless it does something very simple and straight forward (like Power-On-Reset CPU initialization) and you know well what the program or it's particular part should be doing.

Assuming that somebody has a lot of time and patience to trace through the disassembled code in the debugger - complex algorithms are still not easy to understand on such low level.

The thing that can realy sell you is the memory your algorithm is using, any intermediate and temprorary files your algorithm may be producing.
This is the thing I would watch for first, because if I know what the initial data looks like then by watching how you program modifies it and, possibly, connecting this with the disassembly listings I would have a chance of a much better understanding of your algorithm than by just browsing through the code.

Even though the dissassembler + debugger may do the job, your program on it's end can modify it's behavior if it is being debugged.

There is a flag that the CPU sets in one of its register and, I belive, that I've seen a Win32 API function that tells you if the CPU is in the debug mode.

The point is:

1.
Any .exe file can be decompiled into more or less accurate assembly or a low level c listing
BUT
no executable, compiled without debug information can be decompiled into the original C/C++ code.

2.
The decompiled listing may be analyzed
BUT
analyzing a complex algorithm based only on the low level source listing is a very difficult and time consuming process and you can make it even more complex by making the code illogical in some (possibly critical) places as well as you may be able to avoid the use of the standard data formats (may be standard to the industry you working in) to store your intermediate data.

3.
It is possible to use a debugging tool to trace into your code and (!!!) into the memory that the program is using
BUT
you can modify the program behavior if it's being debuged.

4.If somebody tells you that in order to crack a program, to retrieve a serial number, password, etc. it is required to have a source code listing - this person may as well tell you that in order to protect your PC from the viruses you should put a condom on your network/phone cable every time you connecting to the internet.

Why not write the sensitive algos in vb6. Which compiles it into something called p-code (Not played with VB for a couple of years so things might have moved on) which is interpreted by the correspnding VBxxRUN.dll.. Never heard of anybody cracking any software that was written in vb...

OK it won't make your algos completely safe (nothing will !!) but it will take them far longer to extract them from the machine code...

Sure it can be done. But it's all a balance of what it takes to write your own and what it takes to identify what a specific portion of an exe is trying to do.

There are cases where reverse engineering was done. One famous example is the RC4 algorithm. RSA never published RC4, but some one figured it out from the binary and released it on the net. Now every one has access to RC4. Mind you, though, you can not call your stuff RC4, because the name is trade-marked.


Any one who knows he/she is not smart is smart.
Any one who knows he/she is smart is not smart.
You ask me if I am smart or not? Well...
I don't know - you tell me :-)

I was not exactly right calling the IDA the best disassembler I've seen. It's good for al lot of processor and controller types but it is pretty useless when you dealing with windows aplications. There is a pretty good one called Win32Dasm. And here is a disassembly listing, created for the Dialog based MFC application (I have accepted all the defaults in the AppWizard and have not added a single line of code to it).
If you look at the listing you can easily notice that all the resources you use (dialog templates, string table entries, etc.) are accuratly referenced in the disassembly listing. Also standard Win32 API and MFC library function calls are also outlined as well as the referenced DLL files their content. Even thought it does not realy go much further then that... there is something to think about: do you realy wan to use string table for you string data? may be you want to initialize some of your dialogs on the fly instead of using a resource editor (just to avoid thisng like <Possible Reference to String Resource ID=00101: "&About test..."> in your diasssmbly listing)? etc.

Disassembly of File: C:\Development\test\Release\test.exe
Code Offset = 00001000, Code Size = 00001000
Data Offset = 00003000, Data Size = 00001000

Number of Objects = 0004 (dec), Imagebase = 00400000h

Object01: .text RVA: 00001000 Offset: 00001000 Size: 00001000 Flags: 60000020
Object02: .rdata RVA: 00002000 Offset: 00002000 Size: 00001000 Flags: 40000040
Object03: .data RVA: 00003000 Offset: 00003000 Size: 00001000 Flags: C0000040
Object04: .rsrc RVA: 00004000 Offset: 00004000 Size: 00001000 Flags: 40000040


+++++++++++++++++++ MENU INFORMATION ++++++++++++++++++

There Are No Menu Resources in This Application

+++++++++++++++++ DIALOG INFORMATION ++++++++++++++++++

Number of Dialogs = 2 (decimal)

Name: DialogID_0064, # of Controls=004, Caption:"About test", ClassName:""
001 - ControlID:FFFF, Control Class:"STATIC" Control Text:""
002 - ControlID:FFFF, Control Class:"STATIC" Control Text:"test Version 1.0"
003 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Copyright (C) 2002"
004 - ControlID:0001, Control Class:"BUTTON" Control Text:"OK"
Name: DialogID_0066, # of Controls=000, Caption:"@È", ClassName:""

+++++++++++++++++++ IMPORTED FUNCTIONS ++++++++++++++++++
Number of Imported Modules = 4 (decimal)

Import Module 001: MFC42.DLL
Import Module 002: MSVCRT.dll
Import Module 003: KERNEL32.dll
Import Module 004: USER32.dll

+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++

Import Module 001: MFC42.DLL

Addr:800009FA hint(09FA) Name: Ordinal:09FA
Addr:800009D0 hint(09D0) Name: Ordinal:09D0
Addr:80001663 hint(1663) Name: Ordinal:1663
Addr:80001186 hint(1186) Name: Ordinal:1186
Addr:80000F52 hint(0F52) Name: Ordinal:0F52
Addr:80000441 hint(0441) Name: Ordinal:0441
Addr:8000144F hint(144F) Name: Ordinal:144F
Addr:8000095C hint(095C) Name: Ordinal:095C
Addr:80000D12 hint(0D12) Name: Ordinal:0D12
Addr:800014B4 hint(14B4) Name: Ordinal:14B4
Addr:800014B6 hint(14B6) Name: Ordinal:14B6
Addr:80000AA5 hint(0AA5) Name: Ordinal:0AA5
Addr:80000FEF hint(0FEF) Name: Ordinal:0FEF
Addr:8000125A hint(125A) Name: Ordinal:125A
Addr:800014BB hint(14BB) Name: Ordinal:14BB
Addr:800014A9 hint(14A9) Name: Ordinal:14A9
Addr:80001652 hint(1652) Name: Ordinal:1652
Addr:80000BA6 hint(0BA6) Name: Ordinal:0BA6
Addr:80000C4B hint(0C4B) Name: Ordinal:0C4B
Addr:80000CBB hint(0CBB) Name: Ordinal:0CBB
Addr:80001171 hint(1171) Name: Ordinal:1171
Addr:80000C40 hint(0C40) Name: Ordinal:0C40
Addr:80000CBE hint(0CBE) Name: Ordinal:0CBE
Addr:80000BA9 hint(0BA9) Name: Ordinal:0BA9
Addr:80000C09 hint(0C09) Name: Ordinal:0C09
Addr:80000BA0 hint(0BA0) Name: Ordinal:0BA0
Addr:80000EF6 hint(0EF6) Name: Ordinal:0EF6
Addr:80000EF7 hint(0EF7) Name: Ordinal:0EF7
Addr:80000EF1 hint(0EF1) Name: Ordinal:0EF1
Addr:80000C07 hint(0C07) Name: Ordinal:0C07
Addr:80000FF0 hint(0FF0) Name: Ordinal:0FF0
Addr:8000120E hint(120E) Name: Ordinal:120E
Addr:80001148 hint(1148) Name: Ordinal:1148
Addr:80000E9A hint(0E9A) Name: Ordinal:0E9A
Addr:80000231 hint(0231) Name: Ordinal:0231
Addr:80000339 hint(0339) Name: Ordinal:0339
Addr:8000032F hint(032F) Name: Ordinal:032F
Addr:80000281 hint(0281) Name: Ordinal:0281
Addr:800009D2 hint(09D2) Name: Ordinal:09D2
Addr:80000A3D hint(0A3D) Name: Ordinal:0A3D
Addr:8000046E hint(046E) Name: Ordinal:046E
Addr:800010B2 hint(10B2) Name: Ordinal:10B2
Addr:800018E7 hint(18E7) Name: Ordinal:18E7
Addr:800012F5 hint(12F5) Name: Ordinal:12F5
Addr:80001386 hint(1386) Name: Ordinal:1386
Addr:80001266 hint(1266) Name: Ordinal:1266
Addr:800017A4 hint(17A4) Name: Ordinal:17A4
Addr:80000FEE hint(0FEE) Name: Ordinal:0FEE
Addr:800006EF hint(06EF) Name: Ordinal:06EF
Addr:80001137 hint(1137) Name: Ordinal:1137
Addr:80001479 hint(1479) Name: Ordinal:1479
Addr:80000951 hint(0951) Name: Ordinal:0951
Addr:8000142B hint(142B) Name: Ordinal:142B
Addr:800018E6 hint(18E6) Name: Ordinal:18E6
Addr:80001101 hint(1101) Name: Ordinal:1101
Addr:800014A0 hint(14A0) Name: Ordinal:14A0
Addr:80001241 hint(1241) Name: Ordinal:1241
Addr:800012E5 hint(12E5) Name: Ordinal:12E5
Addr:80001159 hint(1159) Name: Ordinal:1159
Addr:80000A58 hint(0A58) Name: Ordinal:0A58
Addr:80000807 hint(0807) Name: Ordinal:0807
Addr:800018E8 hint(18E8) Name: Ordinal:18E8
Addr:80000EA5 hint(0EA5) Name: Ordinal:0EA5
Addr:800013C9 hint(13C9) Name: Ordinal:13C9
Addr:800006BF hint(06BF) Name: Ordinal:06BF
Addr:8000148D hint(148D) Name: Ordinal:148D
Addr:8000098E hint(098E) Name: Ordinal:098E
Addr:8000084C hint(084C) Name: Ordinal:084C
Addr:8000149D hint(149D) Name: Ordinal:149D
Addr:80001213 hint(1213) Name: Ordinal:1213
Addr:80001149 hint(1149) Name: Ordinal:1149
Addr:80000E0D hint(0E0D) Name: Ordinal:0E0D
Addr:80000144 hint(0144) Name: Ordinal:0144
Addr:8000108A hint(108A) Name: Ordinal:108A
Addr:8000047A hint(047A) Name: Ordinal:047A
Addr:80000490 hint(0490) Name: Ordinal:0490
Addr:80000320 hint(0320) Name: Ordinal:0320
Addr:80001040 hint(1040) Name: Ordinal:1040
Addr:8000021C hint(021C) Name: Ordinal:021C
Addr:80000B2F hint(0B2F) Name: Ordinal:0B2F
Addr:8000094B hint(094B) Name: Ordinal:094B
Addr:800002F3 hint(02F3) Name: Ordinal:02F3
Addr:800001D6 hint(01D6) Name: Ordinal:01D6
Addr:80001118 hint(1118) Name: Ordinal:1118
Addr:80001491 hint(1491) Name: Ordinal:1491
Addr:80000ED6 hint(0ED6) Name: Ordinal:0ED6
Addr:80000628 hint(0628) Name: Ordinal:0628

Import Module 002: MSVCRT.dll

Addr:00002840 hint(0249) Name: exit
Addr:00002848 hint(008F) Name: _acmdln
Addr:00002852 hint(0058) Name: __getmainargs
Addr:00002862 hint(010F) Name: _initterm
Addr:0000286E hint(0083) Name: __setusermatherr
Addr:00002882 hint(009D) Name: _adjust_fdiv
Addr:00002832 hint(0048) Name: _XcptFilter
Addr:00002892 hint(006A) Name: __p__commode
Addr:000028A2 hint(006F) Name: __p__fmode
Addr:000028B0 hint(0081) Name: __set_app_type
Addr:000028C2 hint(00CA) Name: _except_handler3
Addr:000028D6 hint(00B7) Name: _controlfp
Addr:0000282A hint(00D3) Name: _exit
Addr:00002806 hint(0055) Name: __dllonexit
Addr:000027F2 hint(0049) Name: __CxxFrameHandler
Addr:00002814 hint(0186) Name: _onexit
Addr:000029AA hint(01AA) Name: _setmbcp

Import Module 003: KERNEL32.dll

Addr:000028E4 hint(0126) Name: GetModuleHandleA
Addr:000028F8 hint(0150) Name: GetStartupInfoA

Import Module 004: USER32.dll

Addr:00002942 hint(0145) Name: GetSystemMenu
Addr:00002952 hint(00A9) Name: DrawIcon
Addr:00002934 hint(0007) Name: AppendMenuA
Addr:0000295E hint(00F0) Name: GetClientRect
Addr:00002924 hint(0214) Name: SendMessageA
Addr:00002982 hint(018C) Name: IsIconic
Addr:0000298E hint(00B7) Name: EnableWindow
Addr:0000296E hint(0146) Name: GetSystemMetrics
Addr:00002918 hint(019E) Name: LoadIconA

+++++++++++++++++++ EXPORTED FUNCTIONS ++++++++++++++++++
Number of Exported Functions = 0000 (decimal)




+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object .text **************
Program Entry Point = 004016E0 (C:\Development\test\Release\test.exe File Offset:000036E0)


:00401000 A1B0204000 mov eax, dword ptr [004020B0]
:00401005 C3 ret


:00401006 90 nop
:00401007 90 nop
:00401008 90 nop
:00401009 90 nop
:0040100A 90 nop
:0040100B 90 nop
:0040100C 90 nop
:0040100D 90 nop
:0040100E 90 nop
:0040100F 90 nop
:00401010 B8E0214000 mov eax, 004021E0
:00401015 C3 ret


:00401016 90 nop
:00401017 90 nop
:00401018 90 nop
:00401019 90 nop
:0040101A 90 nop
:0040101B 90 nop
:0040101C 90 nop
:0040101D 90 nop
:0040101E 90 nop
:0040101F 90 nop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401085(U)
|
:00401020 56 push esi
:00401021 8BF1 mov esi, ecx
:00401023 6A00 push 00000000

* Reference To: MFC42.Ordinal:0231, Ord:0231h
|
:00401025 E84E050000 Call 00401578
:0040102A C70618224000 mov dword ptr [esi], 00402218
:00401030 8BC6 mov eax, esi
:00401032 5E pop esi
:00401033 C3 ret


:00401034 90 nop
:00401035 90 nop
:00401036 90 nop
:00401037 90 nop
:00401038 90 nop
:00401039 90 nop
:0040103A 90 nop
:0040103B 90 nop
:0040103C 90 nop
:0040103D 90 nop
:0040103E 90 nop
:0040103F 90 nop
:00401040 56 push esi
:00401041 8BF1 mov esi, ecx
:00401043 E818000000 call 00401060
:00401048 F644240801 test [esp+08], 01
:0040104D 7409 je 00401058
:0040104F 56 push esi

* Reference To: MFC42.Ordinal:0339, Ord:0339h
|
:00401050 E829050000 Call 0040157E
:00401055 83C404 add esp, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040104D(C)
|
:00401058 8BC6 mov eax, esi
:0040105A 5E pop esi
:0040105B C20400 ret 0004


:0040105E 90 nop
:0040105F 90 nop

* Referenced by a CALL at Address:
|:00401043
|

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010A5(U)
|

* Reference To: MFC42.Ordinal:032F, Ord:032Fh
|
:00401060 E91F050000 Jmp 00401584
:00401065 90 nop
:00401066 90 nop
:00401067 90 nop
:00401068 90 nop
:00401069 90 nop
:0040106A 90 nop
:0040106B 90 nop
:0040106C 90 nop
:0040106D 90 nop
:0040106E 90 nop
:0040106F 90 nop
:00401070 E80B000000 call 00401080
:00401075 E916000000 jmp 00401090
:0040107A 90 nop
:0040107B 90 nop
:0040107C 90 nop
:0040107D 90 nop
:0040107E 90 nop
:0040107F 90 nop

* Referenced by a CALL at Address:
|:00401070
|
:00401080 B928304000 mov ecx, 00403028
:00401085 E996FFFFFF jmp 00401020
:0040108A 90 nop
:0040108B 90 nop
:0040108C 90 nop
:0040108D 90 nop
:0040108E 90 nop
:0040108F 90 nop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401075(U)
|
:00401090 68A0104000 push 004010A0
:00401095 E82A060000 call 004016C4
:0040109A 59 pop ecx
:0040109B C3 ret


:0040109C 90 nop
:0040109D 90 nop
:0040109E 90 nop
:0040109F 90 nop
:004010A0 B928304000 mov ecx, 00403028
:004010A5 E9B6FFFFFF jmp 00401060
:004010AA 90 nop
:004010AB 90 nop
:004010AC 90 nop
:004010AD 90 nop
:004010AE 90 nop
:004010AF 90 nop
:004010B0 6AFF push FFFFFFFF
:004010B2 68D8184000 push 004018D8
:004010B7 64A100000000 mov eax, dword ptr fs:[00000000]
:004010BD 50 push eax
:004010BE 64892500000000 mov dword ptr fs:[00000000], esp
:004010C5 83EC64 sub esp, 00000064
:004010C8 56 push esi
:004010C9 8BF1 mov esi, ecx
:004010CB 6A00 push 00000000

* Reference To: MFC42.Ordinal:046E, Ord:046Eh
|
:004010CD E8CA040000 Call 0040159C
:004010D2 83C404 add esp, 00000004
:004010D5 8BCE mov ecx, esi

* Reference To: MFC42.Ordinal:0A3D, Ord:0A3Dh
|
:004010D7 E8BA040000 Call 00401596
:004010DC 6A00 push 00000000
:004010DE 8D4C2408 lea ecx, dword ptr [esp+08]
:004010E2 E8D9000000 call 004011C0
:004010E7 8D442404 lea eax, dword ptr [esp+04]
:004010EB 8D4C2404 lea ecx, dword ptr [esp+04]
:004010EF C744247000000000 mov [esp+70], 00000000
:004010F7 894620 mov dword ptr [esi+20], eax

* Reference To: MFC42.Ordinal:09D2, Ord:09D2h
|
:004010FA E891040000 Call 00401590
:004010FF 8D4C2404 lea ecx, dword ptr [esp+04]
:00401103 C7442470FFFFFFFF mov [esp+70], FFFFFFFF

* Reference To: MFC42.Ordinal:0281, Ord:0281h
|
:0040110B E87A040000 Call 0040158A
:00401110 8B4C2468 mov ecx, dword ptr [esp+68]
:00401114 33C0 xor eax, eax
:00401116 5E pop esi
:00401117 64890D00000000 mov dword ptr fs:[00000000], ecx
:0040111E 83C470 add esp, 00000070
:00401121 C3 ret


:00401122 90 nop
:00401123 90 nop
:00401124 90 nop
:00401125 90 nop
:00401126 90 nop
:00401127 90 nop
:00401128 90 nop
:00401129 90 nop
:0040112A 90 nop
:0040112B 90 nop
:0040112C 90 nop
:0040112D 90 nop
:0040112E 90 nop
:0040112F 90 nop

* Referenced by a CALL at Address:
|:00401183
|

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004018D3(U), :00401933(U)
|

* Reference To: MFC42.Ordinal:0281, Ord:0281h
|
:00401130 E955040000 Jmp 0040158A
:00401135 90 nop
:00401136 90 nop
:00401137 90 nop
:00401138 90 nop
:00401139 90 nop
:0040113A 90 nop
:0040113B 90 nop
:0040113C 90 nop
:0040113D 90 nop
:0040113E 90 nop
:0040113F 90 nop
:00401140 C20400 ret 0004


:00401143 90 nop
:00401144 90 nop
:00401145 90 nop
:00401146 90 nop
:00401147 90 nop
:00401148 90 nop
:00401149 90 nop
:0040114A 90 nop
:0040114B 90 nop
:0040114C 90 nop
:0040114D 90 nop
:0040114E 90 nop
:0040114F 90 nop
:00401150 C3 ret


:00401151 90 nop
:00401152 90 nop
:00401153 90 nop
:00401154 90 nop
:00401155 90 nop
:00401156 90 nop
:00401157 90 nop
:00401158 90 nop
:00401159 90 nop
:0040115A 90 nop
:0040115B 90 nop
:0040115C 90 nop
:0040115D 90 nop
:0040115E 90 nop
:0040115F 90 nop

* Referenced by a CALL at Address:
|:0040135A
|
:00401160 56 push esi
:00401161 6A00 push 00000000
:00401163 8BF1 mov esi, ecx

* Possible Reference to Dialog: DialogID_0064
|
:00401165 6A64 push 00000064

* Reference To: MFC42.Ordinal:0144, Ord:0144h
|
:00401167 E8F0040000 Call 0040165C
:0040116C C70648234000 mov dword ptr [esi], 00402348
:00401172 8BC6 mov eax, esi
:00401174 5E pop esi
:00401175 C3 ret


:00401176 90 nop
:00401177 90 nop
:00401178 90 nop
:00401179 90 nop
:0040117A 90 nop
:0040117B 90 nop
:0040117C 90 nop
:0040117D 90 nop
:0040117E 90 nop
:0040117F 90 nop
:00401180 56 push esi
:00401181 8BF1 mov esi, ecx
:00401183 E8A8FFFFFF call 00401130
:00401188 F644240801 test [esp+08], 01
:0040118D 7409 je 00401198
:0040118F 56 push esi

* Reference To: MFC42.Ordinal:0339, Ord:0339h
|
:00401190 E8E9030000 Call 0040157E
:00401195 83C404 add esp, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040118D(C)
|
:00401198 8BC6 mov eax, esi
:0040119A 5E pop esi
:0040119B C20400 ret 0004


:0040119E 90 nop
:0040119F 90 nop
:004011A0 A130214000 mov eax, dword ptr [00402130]
:004011A5 C3 ret


:004011A6 90 nop
:004011A7 90 nop
:004011A8 90 nop
:004011A9 90 nop
:004011AA 90 nop
:004011AB 90 nop
:004011AC 90 nop
:004011AD 90 nop
:004011AE 90 nop
:004011AF 90 nop
:004011B0 B8C0224000 mov eax, 004022C0
:004011B5 C3 ret


:004011B6 90 nop
:004011B7 90 nop
:004011B8 90 nop
:004011B9 90 nop
:004011BA 90 nop
:004011BB 90 nop
:004011BC 90 nop
:004011BD 90 nop
:004011BE 90 nop
:004011BF 90 nop

* Referenced by a CALL at Address:
|:004010E2
|
:004011C0 6AFF push FFFFFFFF
:004011C2 68F8184000 push 004018F8
:004011C7 64A100000000 mov eax, dword ptr fs:[00000000]
:004011CD 50 push eax
:004011CE 64892500000000 mov dword ptr fs:[00000000], esp
:004011D5 51 push ecx
:004011D6 8B442414 mov eax, dword ptr [esp+14]
:004011DA 56 push esi
:004011DB 8BF1 mov esi, ecx
:004011DD 50 push eax

* Possible Reference to Dialog: DialogID_0066
|
:004011DE 6A66 push 00000066
:004011E0 8974240C mov dword ptr [esp+0C], esi

* Reference To: MFC42.Ordinal:0144, Ord:0144h
|
:004011E4 E873040000 Call 0040165C
:004011E9 C744241000000000 mov [esp+10], 00000000
:004011F1 C70620244000 mov dword ptr [esi], 00402420

* Reference To: MFC42.Ordinal:0490, Ord:0490h
|
:004011F7 E86C040000 Call 00401668
:004011FC 6880000000 push 00000080
:00401201 6A0E push 0000000E
:00401203 6880000000 push 00000080

* Reference To: MFC42.Ordinal:047A, Ord:047Ah
|
:00401208 E855040000 Call 00401662
:0040120D 50 push eax

* Reference To: USER32.LoadIconA, Ord:019Eh
|
:0040120E FF15D4214000 Call dword ptr [004021D4]
:00401214 8B4C2408 mov ecx, dword ptr [esp+08]
:00401218 894660 mov dword ptr [esi+60], eax
:0040121B 8BC6 mov eax, esi
:0040121D 5E pop esi
:0040121E 64890D00000000 mov dword ptr fs:[00000000], ecx
:00401225 83C410 add esp, 00000010
:00401228 C20400 ret 0004


:0040122B 90 nop
:0040122C 90 nop
:0040122D 90 nop
:0040122E 90 nop
:0040122F 90 nop
:00401230 C20400 ret 0004


:00401233 90 nop
:00401234 90 nop
:00401235 90 nop
:00401236 90 nop
:00401237 90 nop
:00401238 90 nop
:00401239 90 nop
:0040123A 90 nop
:0040123B 90 nop
:0040123C 90 nop
:0040123D 90 nop
:0040123E 90 nop
:0040123F 90 nop
:00401240 B8E0224000 mov eax, 004022E0
:00401245 C3 ret


:00401246 90 nop
:00401247 90 nop
:00401248 90 nop
:00401249 90 nop
:0040124A 90 nop
:0040124B 90 nop
:0040124C 90 nop
:0040124D 90 nop
:0040124E 90 nop
:0040124F 90 nop
:00401250 6AFF push FFFFFFFF
:00401252 6818194000 push 00401918
:00401257 64A100000000 mov eax, dword ptr fs:[00000000]
:0040125D 50 push eax
:0040125E 64892500000000 mov dword ptr fs:[00000000], esp
:00401265 51 push ecx
:00401266 56 push esi
:00401267 57 push edi
:00401268 8BF1 mov esi, ecx

* Reference To: MFC42.Ordinal:1266, Ord:1266h
|
:0040126A E84B030000 Call 004015BA
:0040126F 8B4620 mov eax, dword ptr [esi+20]
:00401272 6A00 push 00000000
:00401274 50 push eax

* Reference To: USER32.GetSystemMenu, Ord:0145h
|
:00401275 FF15B4214000 Call dword ptr [004021B4]
:0040127B 50 push eax

* Reference To: MFC42.Ordinal:0B2F, Ord:0B2Fh
|
:0040127C E8FF030000 Call 00401680
:00401281 8BF8 mov edi, eax
:00401283 85FF test edi, edi
:00401285 745E je 004012E5
:00401287 8D4C2408 lea ecx, dword ptr [esp+08]

* Reference To: MFC42.Ordinal:021C, Ord:021Ch
|
:0040128B E8EA030000 Call 0040167A

* Possible Reference to String Resource ID=00101: "&About test..."
|
:00401290 6A65 push 00000065
:00401292 8D4C240C lea ecx, dword ptr [esp+0C]
:00401296 C744241800000000 mov [esp+18], 00000000

* Reference To: MFC42.Ordinal:1040, Ord:1040h
|
:0040129E E8D1030000 Call 00401674
:004012A3 8B4C2408 mov ecx, dword ptr [esp+08]
:004012A7 8B41F8 mov eax, dword ptr [ecx-08]
:004012AA 85C0 test eax, eax
:004012AC 7426 je 004012D4
:004012AE 8B5704 mov edx, dword ptr [edi+04]
:004012B1 53 push ebx

* Reference To: USER32.AppendMenuA, Ord:0007h
|
:004012B2 8B1DBC214000 mov ebx, dword ptr [004021BC]
:004012B8 6A00 push 00000000
:004012BA 6A00 push 00000000
:004012BC 6800080000 push 00000800
:004012C1 52 push edx
:004012C2 FFD3 call ebx
:004012C4 8B44240C mov eax, dword ptr [esp+0C]
:004012C8 8B4F04 mov ecx, dword ptr [edi+04]
:004012CB 50 push eax
:004012CC 6A10 push 00000010
:004012CE 6A00 push 00000000
:004012D0 51 push ecx
:004012D1 FFD3 call ebx
:004012D3 5B pop ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012AC(C)
|
:004012D4 8D4C2408 lea ecx, dword ptr [esp+08]
:004012D8 C7442414FFFFFFFF mov [esp+14], FFFFFFFF

* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004012E0 E889030000 Call 0040166E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401285(C)
|
:004012E5 8B5660 mov edx, dword ptr [esi+60]
:004012E8 8B4620 mov eax, dword ptr [esi+20]

* Reference To: USER32.SendMessageA, Ord:0214h
|
:004012EB 8B3DC4214000 mov edi, dword ptr [004021C4]
:004012F1 52 push edx
:004012F2 6A01 push 00000001
:004012F4 6880000000 push 00000080
:004012F9 50 push eax
:004012FA FFD7 call edi
:004012FC 8B4E60 mov ecx, dword ptr [esi+60]
:004012FF 8B5620 mov edx, dword ptr [esi+20]
:00401302 51 push ecx
:00401303 6A00 push 00000000
:00401305 6880000000 push 00000080
:0040130A 52 push edx
:0040130B FFD7 call edi
:0040130D 8B4C240C mov ecx, dword ptr [esp+0C]
:00401311 5F pop edi
:00401312 B801000000 mov eax, 00000001
:00401317 5E pop esi
:00401318 64890D00000000 mov dword ptr fs:[00000000], ecx
:0040131F 83C410 add esp, 00000010
:00401322 C3 ret


:00401323 90 nop
:00401324 90 nop
:00401325 90 nop
:00401326 90 nop
:00401327 90 nop
:00401328 90 nop
:00401329 90 nop
:0040132A 90 nop
:0040132B 90 nop
:0040132C 90 nop
:0040132D 90 nop
:0040132E 90 nop
:0040132F 90 nop
:00401330 64A100000000 mov eax, dword ptr fs:[00000000]
:00401336 6AFF push FFFFFFFF
:00401338 6838194000 push 00401938
:0040133D 50 push eax
:0040133E 8B442410 mov eax, dword ptr [esp+10]
:00401342 64892500000000 mov dword ptr fs:[00000000], esp
:00401349 25F0FF0000 and eax, 0000FFF0
:0040134E 83EC60 sub esp, 00000060
:00401351 83F810 cmp eax, 00000010
:00401354 753C jne 00401392
:00401356 8D4C2400 lea ecx, dword ptr [esp]
:0040135A E801FEFFFF call 00401160
:0040135F 8D4C2400 lea ecx, dword ptr [esp]
:00401363 C744246800000000 mov [esp+68], 00000000

* Reference To: MFC42.Ordinal:09D2, Ord:09D2h
|
:0040136B E820020000 Call 00401590
:00401370 8D4C2400 lea ecx, dword ptr [esp]
:00401374 C7442468FFFFFFFF mov [esp+68], FFFFFFFF

* Reference To: MFC42.Ordinal:0281, Ord:0281h
|
:0040137C E809020000 Call 0040158A
:00401381 8B4C2460 mov ecx, dword ptr [esp+60]
:00401385 64890D00000000 mov dword ptr fs:[00000000], ecx
:0040138C 83C46C add esp, 0000006C
:0040138F C20800 ret 0008



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401354(C)
|

* Reference To: MFC42.Ordinal:094B, Ord:094Bh
|
:00401392 E8EF020000 Call 00401686
:00401397 8B4C2460 mov ecx, dword ptr [esp+60]
:0040139B 64890D00000000 mov dword ptr fs:[00000000], ecx
:004013A2 83C46C add esp, 0000006C
:004013A5 C20800 ret 0008


:004013A8 90 nop
:004013A9 90 nop
:004013AA 90 nop
:004013AB 90 nop
:004013AC 90 nop
:004013AD 90 nop
:004013AE 90 nop
:004013AF 90 nop
:004013B0 83EC64 sub esp, 00000064
:004013B3 56 push esi
:004013B4 8BF1 mov esi, ecx
:004013B6 8B4620 mov eax, dword ptr [esi+20]
:004013B9 50 push eax

* Reference To: USER32.IsIconic, Ord:018Ch
|
:004013BA FF15C8214000 Call dword ptr [004021C8]
:004013C0 85C0 test eax, eax
:004013C2 0F848F000000 je 00401457
:004013C8 53 push ebx
:004013C9 57 push edi
:004013CA 56 push esi
:004013CB 8D4C2420 lea ecx, dword ptr [esp+20]

* Reference To: MFC42.Ordinal:01D6, Ord:01D6h
|
:004013CF E8BE020000 Call 00401692
:004013D4 8B7C2420 mov edi, dword ptr [esp+20]
:004013D8 8D44241C lea eax, dword ptr [esp+1C]
:004013DC 8B4E20 mov ecx, dword ptr [esi+20]
:004013DF 6A00 push 00000000
:004013E1 F7D8 neg eax
:004013E3 1BC0 sbb eax, eax
:004013E5 23C7 and eax, edi
:004013E7 50 push eax
:004013E8 6A27 push 00000027
:004013EA 51 push ecx

* Reference To: USER32.SendMessageA, Ord:0214h
|
:004013EB FF15C4214000 Call dword ptr [004021C4]

* Reference To: USER32.GetSystemMetrics, Ord:0146h
|
:004013F1 8B3DD0214000 mov edi, dword ptr [004021D0]
:004013F7 6A0B push 0000000B
:004013F9 FFD7 call edi
:004013FB 6A0C push 0000000C
:004013FD 8BD8 mov ebx, eax
:004013FF FFD7 call edi
:00401401 8BF8 mov edi, eax
:00401403 8B4620 mov eax, dword ptr [esi+20]
:00401406 8D54240C lea edx, dword ptr [esp+0C]
:0040140A 52 push edx
:0040140B 50 push eax

* Reference To: USER32.GetClientRect, Ord:00F0h
|
:0040140C FF15C0214000 Call dword ptr [004021C0]
:00401412 8B4E60 mov ecx, dword ptr [esi+60]
:00401415 8B442418 mov eax, dword ptr [esp+18]
:00401419 51 push ecx
:0040141A 8B4C2414 mov ecx, dword ptr [esp+14]
:0040141E 2BC1 sub eax, ecx
:00401420 2BC7 sub eax, edi
:00401422 40 inc eax
:00401423 99 cdq
:00401424 2BC2 sub eax, edx
:00401426 8B542410 mov edx, dword ptr [esp+10]
:0040142A D1F8 sar eax, 1
:0040142C 50 push eax
:0040142D 8B44241C mov eax, dword ptr [esp+1C]
:00401431 2BC2 sub eax, edx
:00401433 2BC3 sub eax, ebx
:00401435 40 inc eax
:00401436 99 cdq
:00401437 2BC2 sub eax, edx
:00401439 8B542428 mov edx, dword ptr [esp+28]
:0040143D D1F8 sar eax, 1
:0040143F 50 push eax
:00401440 52 push edx

* Reference To: USER32.DrawIcon, Ord:00A9h
|
:00401441 FF15B8214000 Call dword ptr [004021B8]
:00401447 8D4C241C lea ecx, dword ptr [esp+1C]

* Reference To: MFC42.Ordinal:02F3, Ord:02F3h
|
:0040144B E83C020000 Call 0040168C
:00401450 5F pop edi
:00401451 5B pop ebx
:00401452 5E pop esi
:00401453 83C464 add esp, 00000064
:00401456 C3 ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004013C2(C)
|
:00401457 8BCE mov ecx, esi

* Reference To: MFC42.Ordinal:094B, Ord:094Bh
|
:00401459 E828020000 Call 00401686
:0040145E 5E pop esi
:0040145F 83C464 add esp, 00000064
:00401462 C3 ret


:00401463 90 nop
:00401464 90 nop
:00401465 90 nop
:00401466 90 nop
:00401467 90 nop
:00401468 90 nop
:00401469 90 nop
:0040146A 90 nop
:0040146B 90 nop
:0040146C 90 nop
:0040146D 90 nop
:0040146E 90 nop
:0040146F 90 nop
:00401470 8B4160 mov eax, dword ptr [ecx+60]
:00401473 C3 ret


:00401474 90 nop
:00401475 90 nop
:00401476 90 nop
:00401477 90 nop
:00401478 90 nop
:00401479 90 nop
:0040147A 90 nop
:0040147B 90 nop
:0040147C 90 nop
:0040147D 90 nop
:0040147E 90 nop
:0040147F 90 nop
:00401480 8B4120 mov eax, dword ptr [ecx+20]
:00401483 6A00 push 00000000
:00401485 50 push eax

* Reference To: USER32.EnableWindow, Ord:00B7h
|
:00401486 FF15CC214000 Call dword ptr [004021CC]
:0040148C C3 ret


:0040148D 90 nop
:0040148E 90 nop
:0040148F 90 nop
:00401490 8B4120 mov eax, dword ptr [ecx+20]
:00401493 6A01 push 00000001
:00401495 50 push eax

* Reference To: USER32.EnableWindow, Ord:00B7h
|
:00401496 FF15CC214000 Call dword ptr [004021CC]
:0040149C C3 ret


:0040149D 90 nop
:0040149E 90 nop
:0040149F 90 nop

* Reference To: MFC42.Ordinal:1241, Ord:1241h
|
:004014A0 FF25EC204000 Jmp dword ptr [004020EC]

* Reference To: MFC42.Ordinal:18E7, Ord:18E7h
|
:004014A6 FF25B4204000 Jmp dword ptr [004020B4]

* Reference To: MFC42.Ordinal:1186, Ord:1186h
|
:004014AC FF2518204000 Jmp dword ptr [00402018]

* Reference To: MFC42.Ordinal:09FA, Ord:09FAh
|
:004014B2 FF250C204000 Jmp dword ptr [0040200C]

* Reference To: MFC42.Ordinal:09D0, Ord:09D0h
|
:004014B8 FF2510204000 Jmp dword ptr [00402010]

* Reference To: MFC42.Ordinal:1663, Ord:1663h
|
:004014BE FF2514204000 Jmp dword ptr [00402014]

* Reference To: MFC42.Ordinal:0F52, Ord:0F52h
|
:004014C4 FF251C204000 Jmp dword ptr [0040201C]

* Reference To: MFC42.Ordinal:0441, Ord:0441h
|
:004014CA FF2520204000 Jmp dword ptr [00402020]

* Reference To: MFC42.Ordinal:144F, Ord:144Fh
|
:004014D0 FF2524204000 Jmp dword ptr [00402024]

* Reference To: MFC42.Ordinal:095C, Ord:095Ch
|
:004014D6 FF2528204000 Jmp dword ptr [00402028]

* Reference To: MFC42.Ordinal:0D12, Ord:0D12h
|
:004014DC FF252C204000 Jmp dword ptr [0040202C]

* Reference To: MFC42.Ordinal:14B4, Ord:14B4h
|
:004014E2 FF2530204000 Jmp dword ptr [00402030]

* Reference To: MFC42.Ordinal:14B6, Ord:14B6h
|
:004014E8 FF2534204000 Jmp dword ptr [00402034]

* Reference To: MFC42.Ordinal:0AA5, Ord:0AA5h
|
:004014EE FF2538204000 Jmp dword ptr [00402038]

* Reference To: MFC42.Ordinal:0FEF, Ord:0FEFh
|
:004014F4 FF253C204000 Jmp dword ptr [0040203C]

* Reference To: MFC42.Ordinal:125A, Ord:125Ah
|
:004014FA FF2540204000 Jmp dword ptr [00402040]

* Reference To: MFC42.Ordinal:14BB, Ord:14BBh
|
:00401500 FF2544204000 Jmp dword ptr [00402044]

* Reference To: MFC42.Ordinal:14A9, Ord:14A9h
|
:00401506 FF2548204000 Jmp dword ptr [00402048]

* Reference To: MFC42.Ordinal:1652, Ord:1652h
|
:0040150C FF254C204000 Jmp dword ptr [0040204C]

* Reference To: MFC42.Ordinal:0BA6, Ord:0BA6h
|
:00401512 FF2550204000 Jmp dword ptr [00402050]

* Reference To: MFC42.Ordinal:0C4B, Ord:0C4Bh
|
:00401518 FF2554204000 Jmp dword ptr [00402054]

* Reference To: MFC42.Ordinal:0CBB, Ord:0CBBh
|
:0040151E FF2558204000 Jmp dword ptr [00402058]

* Reference To: MFC42.Ordinal:1171, Ord:1171h
|
:00401524 FF255C204000 Jmp dword ptr [0040205C]

* Reference To: MFC42.Ordinal:0C40, Ord:0C40h
|
:0040152A FF2560204000 Jmp dword ptr [00402060]

* Reference To: MFC42.Ordinal:0CBE, Ord:0CBEh
|
:00401530 FF2564204000 Jmp dword ptr [00402064]

* Reference To: MFC42.Ordinal:0BA9, Ord:0BA9h
|
:00401536 FF2568204000 Jmp dword ptr [00402068]

* Reference To: MFC42.Ordinal:0C09, Ord:0C09h
|
:0040153C FF256C204000 Jmp dword ptr [0040206C]

* Reference To: MFC42.Ordinal:0BA0, Ord:0BA0h
|
:00401542 FF2570204000 Jmp dword ptr [00402070]

* Reference To: MFC42.Ordinal:0EF6, Ord:0EF6h
|
:00401548 FF2574204000 Jmp dword ptr [00402074]

* Reference To: MFC42.Ordinal:0EF7, Ord:0EF7h
|
:0040154E FF2578204000 Jmp dword ptr [00402078]

* Reference To: MFC42.Ordinal:0EF1, Ord:0EF1h
|
:00401554 FF257C204000 Jmp dword ptr [0040207C]

* Reference To: MFC42.Ordinal:0C07, Ord:0C07h
|
:0040155A FF2580204000 Jmp dword ptr [00402080]

* Reference To: MFC42.Ordinal:0FF0, Ord:0FF0h
|
:00401560 FF2584204000 Jmp dword ptr [00402084]

* Reference To: MFC42.Ordinal:120E, Ord:120Eh
|
:00401566 FF2588204000 Jmp dword ptr [00402088]

* Reference To: MFC42.Ordinal:1148, Ord:1148h
|
:0040156C FF258C204000 Jmp dword ptr [0040208C]

* Reference To: MFC42.Ordinal:0E9A, Ord:0E9Ah
|
:00401572 FF2590204000 Jmp dword ptr [00402090]

* Referenced by a CALL at Address:
|:00401025
|

* Reference To: MFC42.Ordinal:0231, Ord:0231h
|
:00401578 FF2594204000 Jmp dword ptr [00402094]

* Referenced by a CALL at Addresses:
|:00401050 , :00401190
|

* Reference To: MFC42.Ordinal:0339, Ord:0339h
|
:0040157E FF2598204000 Jmp dword ptr [00402098]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401060(U)
|

* Reference To: MFC42.Ordinal:032F, Ord:032Fh
|
:00401584 FF259C204000 Jmp dword ptr [0040209C]

* Referenced by a CALL at Addresses:
|:0040110B , :0040137C
|

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401130(U), :004018F3(U)
|

* Reference To: MFC42.Ordinal:0281, Ord:0281h
|
:0040158A FF25A0204000 Jmp dword ptr [004020A0]

* Referenced by a CALL at Addresses:
|:004010FA , :0040136B
|

* Reference To: MFC42.Ordinal:09D2, Ord:09D2h
|
:00401590 FF25A4204000 Jmp dword ptr [004020A4]

* Referenced by a CALL at Address:
|:004010D7
|

* Reference To: MFC42.Ordinal:0A3D, Ord:0A3Dh
|
:00401596 FF25A8204000 Jmp dword ptr [004020A8]

* Referenced by a CALL at Address:
|:004010CD
|

* Reference To: MFC42.Ordinal:046E, Ord:046Eh
|
:0040159C FF25AC204000 Jmp dword ptr [004020AC]

* Reference To: MFC42.Ordinal:1491, Ord:1491h
|
:004015A2 FF255C214000 Jmp dword ptr [0040215C]

* Reference To: MFC42.Ordinal:1118, Ord:1118h
|
:004015A8 FF2558214000 Jmp dword ptr [00402158]

* Reference To: MFC42.Ordinal:12F5, Ord:12F5h
|
:004015AE FF25B8204000 Jmp dword ptr [004020B8]

* Reference To: MFC42.Ordinal:1386, Ord:1386h
|
:004015B4 FF25BC204000 Jmp dword ptr [004020BC]

* Referenced by a CALL at Address:
|:0040126A
|

* Reference To: MFC42.Ordinal:1266, Ord:1266h
|
:004015BA FF25C0204000 Jmp dword ptr [004020C0]

* Reference To: MFC42.Ordinal:17A4, Ord:17A4h
|
:004015C0 FF25C4204000 Jmp dword ptr [004020C4]

* Reference To: MFC42.Ordinal:0FEE, Ord:0FEEh
|
:004015C6 FF25C8204000 Jmp dword ptr [004020C8]

* Reference To: MFC42.Ordinal:06EF, Ord:06EFh
|
:004015CC FF25CC204000 Jmp dword ptr [004020CC]

* Reference To: MFC42.Ordinal:1137, Ord:1137h
|
:004015D2 FF25D0204000 Jmp dword ptr [004020D0]

* Reference To: MFC42.Ordinal:1479, Ord:1479h
|
:004015D8 FF25D4204000 Jmp dword ptr [004020D4]

* Reference To: MFC42.Ordinal:0951, Ord:0951h
|
:004015DE FF25D8204000 Jmp dword ptr [004020D8]

* Reference To: MFC42.Ordinal:142B, Ord:142Bh
|
:004015E4 FF25DC204000 Jmp dword ptr [004020DC]

* Reference To: MFC42.Ordinal:18E6, Ord:18E6h
|
:004015EA FF25E0204000 Jmp dword ptr [004020E0]

* Reference To: MFC42.Ordinal:1101, Ord:1101h
|
:004015F0 FF25E4204000 Jmp dword ptr [004020E4]

* Reference To: MFC42.Ordinal:14A0, Ord:14A0h
|
:004015F6 FF25E8204000 Jmp dword ptr [004020E8]

* Reference To: MFC42.Ordinal:0ED6, Ord:0ED6h
|
:004015FC FF2560214000 Jmp dword ptr [00402160]

* Reference To: MFC42.Ordinal:12E5, Ord:12E5h
|
:00401602 FF25F0204000 Jmp dword ptr [004020F0]

* Reference To: MFC42.Ordinal:1159, Ord:1159h
|
:00401608 FF25F4204000 Jmp dword ptr [004020F4]

* Reference To: MFC42.Ordinal:0A58, Ord:0A58h
|
:0040160E FF25F8204000 Jmp dword ptr [004020F8]

* Reference To: MFC42.Ordinal:0807, Ord:0807h
|
:00401614 FF25FC204000 Jmp dword ptr [004020FC]

* Reference To: MFC42.Ordinal:18E8, Ord:18E8h
|
:0040161A FF2500214000 Jmp dword ptr [00402100]

* Reference To: MFC42.Ordinal:0EA5, Ord:0EA5h
|
:00401620 FF2504214000 Jmp dword ptr [00402104]

* Reference To: MFC42.Ordinal:13C9, Ord:13C9h
|
:00401626 FF2508214000 Jmp dword ptr [00402108]

* Reference To: MFC42.Ordinal:06BF, Ord:06BFh
|
:0040162C FF250C214000 Jmp dword ptr [0040210C]

* Reference To: MFC42.Ordinal:148D, Ord:148Dh
|
:00401632 FF2510214000 Jmp dword ptr [00402110]

* Reference To: MFC42.Ordinal:098E, Ord:098Eh
|
:00401638 FF2514214000 Jmp dword ptr [00402114]

* Reference To: MFC42.Ordinal:084C, Ord:084Ch
|
:0040163E FF2518214000 Jmp dword ptr [00402118]

* Reference To: MFC42.Ordinal:149D, Ord:149Dh
|
:00401644 FF251C214000 Jmp dword ptr [0040211C]

* Reference To: MFC42.Ordinal:1213, Ord:1213h
|
:0040164A FF2520214000 Jmp dword ptr [00402120]

* Reference To: MFC42.Ordinal:1149, Ord:1149h
|
:00401650 FF2524214000 Jmp dword ptr [00402124]

* Reference To: MFC42.Ordinal:0E0D, Ord:0E0Dh
|
:00401656 FF2528214000 Jmp dword ptr [00402128]

* Referenced by a CALL at Addresses:
|:00401167 , :004011E4
|

* Reference To: MFC42.Ordinal:0144, Ord:0144h
|
:0040165C FF252C214000 Jmp dword ptr [0040212C]

* Referenced by a CALL at Address:
|:00401208
|

* Reference To: MFC42.Ordinal:047A, Ord:047Ah
|
:00401662 FF2534214000 Jmp dword ptr [00402134]

* Referenced by a CALL at Addresses:
|:004011F7 , :0040188A
|

* Reference To: MFC42.Ordinal:0490, Ord:0490h
|
:00401668 FF2538214000 Jmp dword ptr [00402138]

* Referenced by a CALL at Address:
|:004012E0
|

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401913(U)
|

* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0040166E FF253C214000 Jmp dword ptr [0040213C]

* Referenced by a CALL at Address:
|:0040129E
|

* Reference To: MFC42.Ordinal:1040, Ord:1040h
|
:00401674 FF2540214000 Jmp dword ptr [00402140]

* Referenced by a CALL at Address:
|:0040128B
|

* Reference To: MFC42.Ordinal:021C, Ord:021Ch
|
:0040167A FF2544214000 Jmp dword ptr [00402144]

* Referenced by a CALL at Address:
|:0040127C
|

* Reference To: MFC42.Ordinal:0B2F, Ord:0B2Fh
|
:00401680 FF2548214000 Jmp dword ptr [00402148]

* Referenced by a CALL at Addresses:
|:00401392 , :00401459
|

* Reference To: MFC42.Ordinal:094B, Ord:094Bh
|
:00401686 FF254C214000 Jmp dword ptr [0040214C]

* Referenced by a CALL at Address:
|:0040144B
|

* Reference To: MFC42.Ordinal:02F3, Ord:02F3h
|
:0040168C FF2550214000 Jmp dword ptr [00402150]

* Referenced by a CALL at Address:
|:004013CF
|

* Reference To: MFC42.Ordinal:01D6, Ord:01D6h
|
:00401692 FF2554214000 Jmp dword ptr [00402154]

* Referenced by a CALL at Address:
|:004016C8
|
:00401698 833D10314000FF cmp dword ptr [00403110], FFFFFFFF
:0040169F 750C jne 004016AD
:004016A1 FF742404 push [esp+04]

* Reference To: MSVCRT._onexit, Ord:0186h
|
:004016A5 FF15A8214000 Call dword ptr [004021A8]
:004016AB 59 pop ecx
:004016AC C3 ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040169F(C)
|
:004016AD 680C314000 push 0040310C
:004016B2 6810314000 push 00403110
:004016B7 FF74240C push [esp+0C]

* Reference To: MSVCRT.__dllonexit, Ord:0055h
|
:004016BB E87E010000 Call 0040183E
:004016C0 83C40C add esp, 0000000C
:004016C3 C3 ret



* Referenced by a CALL at Address:
|:00401095
|
:004016C4 FF742404 push [esp+04]
:004016C8 E8CBFFFFFF call 00401698
:004016CD F7D8 neg eax
:004016CF 1BC0 sbb eax, eax
:004016D1 59 pop ecx
:004016D2 F7D8 neg eax
:004016D4 48 dec eax
:004016D5 C3 ret



* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004018DD(U), :004018FD(U), :0040191D(U), :0040193D(U)
|

* Reference To: MSVCRT.__CxxFrameHandler, Ord:0049h
|
:004016D6 FF25A4214000 Jmp dword ptr [004021A4]
:004016DC CC int 03
:004016DD CC int 03
:004016DE CC int 03
:004016DF CC int 03

//******************** Program Entry Point ********
:004016E0 55 push ebp
:004016E1 8BEC mov ebp, esp
:004016E3 6AFF push FFFFFFFF
:004016E5 68F8244000 push 004024F8
:004016EA 6866184000 push 00401866
:004016EF 64A100000000 mov eax, dword ptr fs:[00000000]
:004016F5 50 push eax
:004016F6 64892500000000 mov dword ptr fs:[00000000], esp
:004016FD 83EC68 sub esp, 00000068
:00401700 53 push ebx
:00401701 56 push esi
:00401702 57 push edi
:00401703 8965E8 mov dword ptr [ebp-18], esp
:00401706 33DB xor ebx, ebx
:00401708 895DFC mov dword ptr [ebp-04], ebx
:0040170B 6A02 push 00000002

* Reference To: MSVCRT.__set_app_type, Ord:0081h
|
:0040170D FF1590214000 Call dword ptr [00402190]
:00401713 59 pop ecx
:00401714 830D0C314000FF or dword ptr [0040310C], FFFFFFFF
:0040171B 830D10314000FF or dword ptr [00403110], FFFFFFFF

* Reference To: MSVCRT.__p__fmode, Ord:006Fh
|
:00401722 FF158C214000 Call dword ptr [0040218C]
:00401728 8B0D00314000 mov ecx, dword ptr [00403100]
:0040172E 8908 mov dword ptr [eax], ecx

* Reference To: MSVCRT.__p__commode, Ord:006Ah
|
:00401730 FF1588214000 Call dword ptr [00402188]
:00401736 8B0DFC304000 mov ecx, dword ptr [004030FC]
:0040173C 8908 mov dword ptr [eax], ecx
:0040173E A180214000 mov eax, dword ptr [00402180]
:00401743 8B00 mov eax, dword ptr [eax]
:00401745 A308314000 mov dword ptr [00403108], eax
:0040174A E816010000 call 00401865
:0040174F 391D20304000 cmp dword ptr [00403020], ebx
:00401755 750C jne 00401763
:00401757 6862184000 push 00401862

* Reference To: MSVCRT.__setusermatherr, Ord:0083h
|
:0040175C FF157C214000 Call dword ptr [0040217C]
:00401762 59 pop ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401755(C)
|
:00401763 E8E8000000 call 00401850
:00401768 6814304000 push 00403014
:0040176D 6810304000 push 00403010

* Reference To: MSVCRT._initterm, Ord:010Fh
|
:00401772 E8D3000000 Call 0040184A
:00401777 A1F8304000 mov eax, dword ptr [004030F8]
:0040177C 894594 mov dword ptr [ebp-6C], eax
:0040177F 8D4594 lea eax, dword ptr [ebp-6C]
:00401782 50 push eax
:00401783 FF35F4304000 push dword ptr [004030F4]
:00401789 8D459C lea eax, dword ptr [ebp-64]
:0040178C 50 push eax
:0040178D 8D4590 lea eax, dword ptr [ebp-70]
:00401790 50 push eax
:00401791 8D45A0 lea eax, dword ptr [ebp-60]
:00401794 50 push eax

* Reference To: MSVCRT.__getmainargs, Ord:0058h
|
:00401795 FF1574214000 Call dword ptr [00402174]
:0040179B 680C304000 push 0040300C
:004017A0 6800304000 push 00403000

* Reference To: MSVCRT._initterm, Ord:010Fh
|
:004017A5 E8A0000000 Call 0040184A
:004017AA 83C424 add esp, 00000024
:004017AD A170214000 mov eax, dword ptr [00402170]
:004017B2 8B30 mov esi, dword ptr [eax]
:004017B4 89758C mov dword ptr [ebp-74], esi
:004017B7 803E22 cmp byte ptr [esi], 22
:004017BA 753A jne 004017F6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004017C8(C)
|
:004017BC 46 inc esi
:004017BD 89758C mov dword ptr [ebp-74], esi
:004017C0 8A06 mov al, byte ptr [esi]
:004017C2 3AC3 cmp al, bl
:004017C4 7404 je 004017CA
:004017C6 3C22 cmp al, 22
:004017C8 75F2 jne 004017BC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004017C4(C)
|
:004017CA 803E22 cmp byte ptr [esi], 22
:004017CD 7504 jne 004017D3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004017DB(C)
|
:004017CF 46 inc esi
:004017D0 89758C mov dword ptr [ebp-74], esi

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004017CD(C), :004017F9(C)
|
:004017D3 8A06 mov al, byte ptr [esi]
:004017D5 3AC3 cmp al, bl
:004017D7 7404 je 004017DD
:004017D9 3C20 cmp al, 20
:004017DB 76F2 jbe 004017CF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004017D7(C)
|
:004017DD 895DD0 mov dword ptr [ebp-30], ebx
:004017E0 8D45A4 lea eax, dword ptr [ebp-5C]
:004017E3 50 push eax

* Reference To: KERNEL32.GetStartupInfoA, Ord:0150h
|
:004017E4 FF1504204000 Call dword ptr [00402004]
:004017EA F645D001 test [ebp-30], 01
:004017EE 7411 je 00401801
:004017F0 0FB745D4 movzx eax, word ptr [ebp-2C]
:004017F4 EB0E jmp 00401804

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004017BA(C), :004017FF(U)
|
:004017F6 803E20 cmp byte ptr [esi], 20
:004017F9 76D8 jbe 004017D3
:004017FB 46 inc esi
:004017FC 89758C mov dword ptr [ebp-74], esi
:004017FF EBF5 jmp 004017F6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004017EE(C)
|
:00401801 6A0A push 0000000A
:00401803 58 pop eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004017F4(U)
|
:00401804 50 push eax
:00401805 56 push esi
:00401806 53 push ebx
:00401807 53 push ebx

* Reference To: KERNEL32.GetModuleHandleA, Ord:0126h
|
:00401808 FF1500204000 Call dword ptr [00402000]
:0040180E 50 push eax
:0040180F E85E000000 call 00401872
:00401814 894598 mov dword ptr [ebp-68], eax
:00401817 50 push eax

* Reference To: MSVCRT.exit, Ord:0249h
|
:00401818 FF156C214000 Call dword ptr [0040216C]
:0040181E 8B45EC mov eax, dword ptr [ebp-14]
:00401821 8B08 mov ecx, dword ptr [eax]
:00401823 8B09 mov ecx, dword ptr [ecx]
:00401825 894D88 mov dword ptr [ebp-78], ecx
:00401828 50 push eax
:00401829 51 push ecx

* Reference To: MSVCRT._XcptFilter, Ord:0048h
|
:0040182A E815000000 Call 00401844
:0040182F 59 pop ecx
:00401830 59 pop ecx
:00401831 C3 ret


:00401832 8B65E8 mov esp, dword ptr [ebp-18]
:00401835 FF7588 push [ebp-78]

* Reference To: MSVCRT._exit, Ord:00D3h
|
:00401838 FF159C214000 Call dword ptr [0040219C]

* Referenced by a CALL at Address:
|:004016BB
|

* Reference To: MSVCRT.__dllonexit, Ord:0055h
|
:0040183E FF25A0214000 Jmp dword ptr [004021A0]

* Referenced by a CALL at Address:
|:0040182A
|

* Reference To: MSVCRT._XcptFilter, Ord:0048h
|
:00401844 FF2584214000 Jmp dword ptr [00402184]

* Referenced by a CALL at Addresses:
|:00401772 , :004017A5
|

* Reference To: MSVCRT._initterm, Ord:010Fh
|
:0040184A FF2578214000 Jmp dword ptr [00402178]

* Referenced by a CALL at Address:
|:00401763
|
:00401850 6800000300 push 00030000
:00401855 6800000100 push 00010000

* Reference To: MSVCRT._controlfp, Ord:00B7h
|
:0040185A E80D000000 Call 0040186C
:0040185F 59 pop ecx
:00401860 59 pop ecx
:00401861 C3 ret


:00401862 33C0 xor eax, eax
:00401864 C3 ret



* Referenced by a CALL at Address:
|:0040174A
|
:00401865 C3 ret

* Reference To: MSVCRT._except_handler3, Ord:00CAh

Well you sure proved how ugly a simple Windows app can look.

But, who would care about reverse-engineering a windows app with a dis-assembler anyway? It's easier to look at the behavior and imitate it from scratch, IMO. (actually, there are some controls that Microsoft uses before they give them to us, so I guess I could imagine some scenario where stealing some code could be helpful)

from the posts below about the cracking of the RSA algorithms, etc. I'm thinking that for things that are close to C anyway, putting out the *.exe is close to putting out the source.

With respect to "why don't people just disassemble Windows NT?" I would respond that people that knowledgeable wouldn't waste their time at a low-paying competitor, they'd get hired away by Microsoft!

I'll probably go through this thread and see the favorite dis-assemblers, and talk to my employers and see if they're up to purchasing something (or giving the GNU version a go), and see what it does to our code. I have a feeling that a PhD and two months could probably unlock all our secrets (but I'm not a PhD and I don't have two months for this)

Todd, this is exactly what I meant in my previous post: you can not get the original code by disassembling the executable but you may not even need the original code! It all depends on what are you attempting to do.

And, as you have mentioned, does it realy worth for your competitors to put aside their current project and start hacking into your code? And even if it does make sense for them, does it realy kill you? So, may be your boss is just being a little paranoic abot the subject?

u cannot decompile an exe ( created from vc,tc...etc) into C
u can only see ASM instructions, so if ur a asm master u need to recode the asm into C (which is not very fun).
and SoftIce is not a dissasembler its a DEBUGGER (system debugger) which working at ring0 [p-mode] and debug flag to halt system and trace where ever u want..
there are tools to locate softice, but doubt they are working while u have IceDump/frog'sice running in background.
they only "reseanable" way to protect ur app (registrations) is by using a strong Cryptography (one way / rsa 1024+) md5/sha-1 and alike already cracked and there are free libs for free outthere to paste in VCA and make a keygen.
btw VC7 (.net) got a decompiler since its reall crap so watch ur steps :-)
ttl

Sheesh, who would have known this would blowup into such a large thread? Ok, my bad.. you can't get the "exact" C++ code from an EXE using SoftICE. However, lets face it: hackers breaking/stealing our software suck. The threat is there. Even if they can't get the exact code, they can still get a different interpretation of it such as ASM code and work their way through to crack it.

My point was just that when you write an important product, you should consider making it that much harder for the hacker by including not-so-obvious keywords instead of bIsRegistered, how about using bIsR. Also including CRC checks can help prevent (or slow down) hex editors. Etc.

One of my products was hacked for every version I released, until I developed a Security class for it. This class included a multitude of techniques to help slow-down a hacker. No security will "stop" a hacker if he has enough time. But the goal is for the hacker to skip over yours saying "screw this one", and move on to the next app to crack.

Anyways, don't spend too much time on security. As the other posters explained, it is not worth wasting your time. But do include *some* security even if only minimal.

And thanks for the wonderful discussion on this topic. We definately have some experts on here! :)

hi ;)

when u say "hackers" u should know those are ppl who break into web/inet sites/ftps/system so ur little confused.
the term u should need to say is "Crackers" those are the one who break software code, not internet code ;)
mostly crackers doesn't tend to kill ur app / steal it, its a race between other crackers, when he/she dl ur app the only thing they do is to locate ur registration place and reverse it to thier own C/ASM/Delphi..etc code.
they are not decompiling ur app cuz they feel like crew the author,
its just a race to see who "breaks" the app and release the keygen/crack faster.
but, if u can't understand them, join them, learn thier prespective and protect ur application better.
also u can use PE protectors, most known are: Aspack / tElock /
though they charge money or buing thier software [ i.e: flashfxp]
although exe protectors has been dumped/reFixed it still away to antimidate crackers.
u can also look for more info in the web regarding "how to protect" your software which has been written by crackers too.
thier way of point is to gain more knowledge and practicing on author's applications.
i hope this has been a little help
cya ;)

p.s
CRC wont help since they will recalculate it after its beeing patched .
which application u wrote and got cracked?