July 08 AdminAnnounce Function + Address

  1. #1

    When taking a look at this:
    [Help] Custom Popup box message

    I thought it'd be something new to try.

    I went to PUSH 1F5, and it came back as this:

    Code:
    0042D860  /$ 55             PUSH EBP
    0042D861  |. 8BEC           MOV EBP,ESP
    0042D863  |. 6A FF          PUSH -1
    0042D865  |. 68 69FB6000    PUSH Theduel.0060FB69                    ;  SE handler installation
    0042D86A  |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
    0042D870  |. 50             PUSH EAX
    0042D871  |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
    0042D878  |. 51             PUSH ECX
    0042D879  |. 56             PUSH ESI
    0042D87A >|. 68 F5010000    PUSH 1F5 
    0042D87F  |. E8 4C760900    CALL Theduel.004C4ED0
    0042D884  |. 6A 14          PUSH 14                                  ; |Arg1 = 00000014
    0042D886  |. 8BF0           MOV ESI,EAX                              ; |
    0042D888  |. E8 038CFEFF    CALL Theduel.00416490                    ; \Theduel.00416490
    0042D88D  |. 83C4 08        ADD ESP,8
    0042D890  |. 8945 F0        MOV DWORD PTR SS:[EBP-10],EAX
    0042D893  |. 85C0           TEST EAX,EAX
    0042D895  |. C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0
    0042D89C  |. 74 0D          JE SHORT Theduel.0042D8AB
    0042D89E  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
    0042D8A1  |. 51             PUSH ECX
    0042D8A2  |. 8BC8           MOV ECX,EAX
    0042D8A4  |. E8 C7A20D00    CALL Theduel.00507B70
    0042D8A9  |. EB 02          JMP SHORT Theduel.0042D8AD
    0042D8AB  |> 33C0           XOR EAX,EAX
    0042D8AD  |> 50             PUSH EAX
    0042D8AE  |. 8BCE           MOV ECX,ESI
    0042D8B0  |. C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1
    0042D8B7  |. E8 24B50D00    CALL Theduel.00508DE0
    0042D8BC  |. 6A 0C          PUSH 0C
    0042D8BE  |. E8 FBA51D00    CALL Theduel.00607EBE
    0042D8C3  |. 83C4 04        ADD ESP,4
    0042D8C6  |. 8945 F0        MOV DWORD PTR SS:[EBP-10],EAX
    0042D8C9  |. 85C0           TEST EAX,EAX
    0042D8CB  |. C745 FC 010000>MOV DWORD PTR SS:[EBP-4],1
    0042D8D2  |. 74 0D          JE SHORT Theduel.0042D8E1
    0042D8D4  |. 8B55 0C        MOV EDX,DWORD PTR SS:[EBP+C]
    0042D8D7  |. 52             PUSH EDX
    0042D8D8  |. 8BC8           MOV ECX,EAX
    0042D8DA  |. E8 61980D00    CALL Theduel.00507140
    0042D8DF  |. EB 02          JMP SHORT Theduel.0042D8E3
    0042D8E1  |> 33C0           XOR EAX,EAX
    0042D8E3  |> 50             PUSH EAX
    0042D8E4  |. 8BCE           MOV ECX,ESI
    0042D8E6  |. C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1
    0042D8ED  |. E8 EEB40D00    CALL Theduel.00508DE0
    0042D8F2  |. 6A 10          PUSH 10                                  ; /Arg1 = 00000010
    0042D8F4  |. E8 078BFEFF    CALL Theduel.00416400                    ; \Theduel.00416400
    0042D8F9  |. 83C4 04        ADD ESP,4
    0042D8FC  |. 8945 F0        MOV DWORD PTR SS:[EBP-10],EAX
    0042D8FF  |. 85C0           TEST EAX,EAX
    0042D901  |. C745 FC 020000>MOV DWORD PTR SS:[EBP-4],2
    0042D908  |. 74 0D          JE SHORT Theduel.0042D917
    0042D90A  |. 8B4D 10        MOV ECX,DWORD PTR SS:[EBP+10]
    0042D90D  |. 51             PUSH ECX
    0042D90E  |. 8BC8           MOV ECX,EAX
    0042D910  |. E8 CB960D00    CALL Theduel.00506FE0
    0042D915  |. EB 02          JMP SHORT Theduel.0042D919
    0042D917  |> 33C0           XOR EAX,EAX
    0042D919  |> 50             PUSH EAX
    0042D91A  |. 8BCE           MOV ECX,ESI
    0042D91C  |. C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1
    0042D923  |. E8 B8B40D00    CALL Theduel.00508DE0
    0042D928  |. 56             PUSH ESI                                 ; /Arg1
    0042D929  |. E8 12690900    CALL Theduel.004C4240                    ; \Theduel.004C4240
    0042D92E  |. 8B4D F4        MOV ECX,DWORD PTR SS:[EBP-C]
    0042D931  |. 83C4 04        ADD ESP,4
    0042D934  |. 5E             POP ESI
    0042D935  |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX
    0042D93C  |. 8BE5           MOV ESP,EBP
    0042D93E  |. 5D             POP EBP
    0042D93F  \. C3             RETN
    So where's my address?


  2. #2 Mr_Troy (joined Jun 2007)

    Re: July 08 AdminAnnounce Function + Address

    0042D860 /$ 55 PUSH EBP

    0042D860 is the address. PUSH 1F5 is the argument to the function ZNewCmd, which returns an MCommand pointer with the command ID 1F5.
    And we know that the Admin.Announce command ID is 1F5, and ZPost functions usually work the same, so 42D860 MUST BE the address of ZPostAdminAnnounce.

  3. #3

    PUSH EBP = local call from 42E1E7.
    Following the call leads me to:
    CALL Theduel.0042D860

    Thus this is the correct address then, right?

    Lots of love Troy, 0042D860 was the correct address, because I found the PUSH 0 2-3 lines above it. Thanks for all the help!
    Last edited by Hashed; 27-11-11 at 12:16 PM.

  4. #4 Anju

    Is it possible to do this for the 2007 .exe?

  5. #5 metalgunz

    What does this do? <--- newbie

  6. #6 Anju

    Quote Originally Posted by metalgunz:
    What does this do? <--- newbie
    It's to make the /admin_wall announcement a popup (in the lobby) instead of a message.

  7. #7

    As far as I know this could be done in 07 as well, except in 07 there won't be a PUSH at the function (if there is, it will tell you the local call where it's coming from). Just do the same thing as I did.

    Open the runnable in Olly.
    Finish analysis, go to the top, and hit CTRL+G (or CTRL+F, I'm pretty sure it's G).
    Paste "PUSH 1F5" without the "".
    Go to the top of the function. If it's a local call, follow that call; if it isn't, then look a little above the function and you will see "PUSH 0".
    Assemble "PUSH 0" to "PUSH 1".

    Done!
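
    Added example (editor's, not code posted by anyone in this thread): the procedure in #7, together with the reasoning in #2 about walking up from PUSH 1F5 to the top of the function, as a byte-pattern script you can run against a flat image of the client. It assumes an already-mapped image at a known base; the sample it builds is constructed here, placed at an assumed base of 0x0042C000, and contains only the first bytes of the 0042D860 function from #1 plus a made-up caller at 0042E1E7 (the "local call" address #3 mentions) with a PUSH 0 a few instructions above the CALL. Raw PE file offsets would first have to go through the section table, which the script leaves out. Two caveats before patching a real runnable: in OllyDbg, Ctrl+G is go-to-expression and the command search the steps describe is Ctrl+F (Search for, Command); and a raw 6A 00 search can match bytes inside a longer instruction, so confirm the hit in the disassembler before assembling over it. The script also refuses to proceed if PUSH 1F5 turns up more than once, since in the 2k7 listing from #9 the PUSH 1F5 sits beside the "Admin.Announce" string, which looks like command registration rather than the wrapper itself.

```python
"""Find a ZPost-style wrapper by its command-ID PUSH, find who calls it, flip PUSH 0 -> PUSH 1.

Added example for this thread, not code from any poster. Operates on a flat, already-mapped
image at a known base (assumption: offset == VA - base; no PE section-table translation).
"""
import struct

BASE   = 0x0042C000   # assumed base of the constructed sample image below
CMD_ID = 0x1F5        # Admin.Announce command ID named in the thread

PROLOGUE = b"\x55\x8B\xEC"   # PUSH EBP / MOV EBP,ESP
PUSH_0   = b"\x6A\x00"       # PUSH 0
PUSH_1   = b"\x6A\x01"       # PUSH 1


def build_sample_image():
    """Constructed sample: first bytes of the 0042D860 function from post #1 plus a synthetic
    caller at 0042E1E7 that has a PUSH 0 a few instructions above its CALL. Rest is NOP filler."""
    img = bytearray(b"\x90" * 0x2200)
    wrapper = bytes.fromhex(
        "55 8BEC 6AFF 6869FB6000 64A100000000 50 648925 00000000 51 56"
        "68F5010000"      # 0042D87A  PUSH 1F5
        "E84C760900"      # 0042D87F  CALL 004C4ED0 (target lies outside this sample)
        "6A14 8BF0 C3"    # PUSH 14 / MOV ESI,EAX ... rest of the real function omitted
    )
    img[0x42D860 - BASE:0x42D860 - BASE + len(wrapper)] = wrapper

    call_va = 0x0042E1E7                                          # made-up call site
    caller = (PUSH_0                                              # 0042E1DE  PUSH 0  <- byte to flip
              + bytes.fromhex("6810203000")                       # 0042E1E0  PUSH 302010 (dummy arg)
              + bytes.fromhex("8BCE")                             # 0042E1E5  MOV ECX,ESI
              + b"\xE8" + struct.pack("<i", 0x0042D860 - (call_va + 5))   # CALL 0042D860
              + bytes.fromhex("83C40C"))                          # 0042E1EC  ADD ESP,0C
    img[0x42E1DE - BASE:0x42E1DE - BASE + len(caller)] = caller
    return bytes(img)


def find_cmd_pushes(image, cmd_id=CMD_ID):
    """Offsets of every PUSH imm32 (68 xx xx xx xx) carrying cmd_id."""
    pat = b"\x68" + struct.pack("<I", cmd_id)
    hits, i = [], image.find(pat)
    while i != -1:
        hits.append(i)
        i = image.find(pat, i + 1)
    return hits


def function_start(image, off):
    """Nearest PUSH EBP / MOV EBP,ESP prologue before off: what 'go to the top' lands on."""
    start = image.rfind(PROLOGUE, 0, off)
    if start < 0:
        raise ValueError("no prologue before offset %#x" % off)
    return start


def callers_of(image, base, target_va):
    """Offsets of every E8 rel32 whose destination is target_va (the 'local call')."""
    out = []
    for i in range(len(image) - 4):
        if image[i] == 0xE8:
            rel = struct.unpack_from("<i", image, i + 1)[0]
            if (base + i + 5 + rel) & 0xFFFFFFFF == target_va:
                out.append(i)
    return out


def patch_push0_before(image, call_off, window=24):
    """Flip the nearest PUSH 0 within `window` bytes before the call to PUSH 1.
    Heuristic: 6A 00 may also sit inside a longer instruction; verify in the disassembler."""
    idx = image.rfind(PUSH_0, max(0, call_off - window), call_off)
    if idx < 0:
        raise ValueError("no PUSH 0 within %d bytes before %#x" % (window, call_off))
    out = bytearray(image)
    out[idx:idx + 2] = PUSH_1
    return bytes(out), idx


def locate_and_patch(image, base, cmd_id=CMD_ID):
    """The thread's steps end to end: PUSH <id> -> function top -> callers -> PUSH 0 -> PUSH 1."""
    pushes = find_cmd_pushes(image, cmd_id)
    if len(pushes) != 1:
        raise ValueError("expected exactly one PUSH %#x, found %d" % (cmd_id, len(pushes)))
    fstart = function_start(image, pushes[0])
    func_va = base + fstart
    calls = callers_of(image, base, func_va)
    patched, patched_va = image, []
    for c in calls:
        patched, idx = patch_push0_before(patched, c)
        patched_va.append(base + idx)
    return {"function_va": func_va, "callers": [base + c for c in calls],
            "patched_va": patched_va, "image": patched}


if __name__ == "__main__":
    res = locate_and_patch(build_sample_image(), BASE)
    print("wrapper at %#010x, called from %s, PUSH 0 -> PUSH 1 at %s" % (
        res["function_va"],
        ", ".join("%#010x" % c for c in res["callers"]),
        ", ".join("%#010x" % p for p in res["patched_va"])))
```

    Run it as-is to see the result on the constructed sample; for a real client, feed `locate_and_patch` a dump of the mapped image and its base, compare the reported addresses against what Olly shows, and write back only the two patched bytes.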

  8. #8 Anju

    Code:
    0008530B   8B75 E4          MOV ESI,DWORD PTR SS:[EBP-1C]
    0008530E   F7C1 00000100    TEST ECX,10000
    00085314   75 08            JNZ SHORT 0008531E
    00085316   FF75 10          PUSH DWORD PTR SS:[EBP+10]
    00085319   FF76 34          PUSH DWORD PTR DS:[ESI+34]
    0008531C   FF10             CALL DWORD PTR DS:[EAX]
    0008531E   895D FC          MOV DWORD PTR SS:[EBP-4],EBX
    00085321   E8 13000000      CALL 00085339
    00085326   8B45 E0          MOV EAX,DWORD PTR SS:[EBP-20]
    00085329  ^E9 A839FEFF      JMP 00068CD6
    0008532E   8B7D 08          MOV EDI,DWORD PTR SS:[EBP+8]
    00085331   8B75 E4          MOV ESI,DWORD PTR SS:[EBP-1C]
    00085334   90               NOP
    00085335   90               NOP
    00085336   90               NOP
    00085337   90               NOP
    00085338   90               NOP
    00085339   8BC6             MOV EAX,ESI
    0008533B   83C9 FF          OR ECX,FFFFFFFF
    0008533E   F0:0FC108        LOCK XADD DWORD PTR DS:[EAX],ECX
    00085342   75 06            JNZ SHORT 0008534A
    00085344   8B46 04          MOV EAX,DWORD PTR DS:[ESI+4]
    00085347   56               PUSH ESI
    00085348   FF10             CALL DWORD PTR DS:[EAX]
    0008534A   C3               RETN
    0008534B   E8 124BFAFF      CALL 00029E62
    00085350   85C0             TEST EAX,EAX
    00085352  ^0F85 AF39FEFF    JNZ 00068D07
    00085358   68 00EAAA77      PUSH 77AAEA00
    0008535D   6A 04            PUSH 4
    0008535F   68 DC4FAA77      PUSH 77AA4FDC
    00085364   68 DA010000      PUSH 1DA
    00085369   EB 5A            JMP SHORT 000853C5
    0008536B   8B7D 08          MOV EDI,DWORD PTR SS:[EBP+8]
    0008536E  ^E9 A139FEFF      JMP 00068D14
    00085373   6A 50            PUSH 50
    00085375   6A 00            PUSH 0
    00085377   8D45 90          LEA EAX,DWORD PTR SS:[EBP-70]
    0008537A   50               PUSH EAX
    0008537B   E8 C08FF9FF      CALL 0001E340
    00085380   83C4 0C          ADD ESP,0C
    00085383   C745 90 0D0000C0 MOV DWORD PTR SS:[EBP-70],C000000D
    0008538A   6A 57            PUSH 57
    0008538C   E8 FED2F8FF      CALL 0001268F
    00085391   8D45 90          LEA EAX,DWORD PTR SS:[EBP-70]
    00085394   50               PUSH EAX
    00085395   E8 DE1EFBFF      CALL 00037278
    0008539A   A1 B400B177      MOV EAX,DWORD PTR DS:[77B100B4]
    0008539F   85C0             TEST EAX,EAX
    000853A1  ^0F84 6039FEFF    JE 00068D07
    000853A7   E8 B64AFAFF      CALL 00029E62
    000853AC   85C0             TEST EAX,EAX
    000853AE  ^0F85 5339FEFF    JNZ 00068D07
    000853B4   68 00EAAA77      PUSH 77AAEA00
    000853B9   6A 04            PUSH 4
    000853BB   68 DC4FAA77      PUSH 77AA4FDC
    000853C0   68 1B010000      PUSH 11B
    000853C5   68 AC77A877      PUSH 77A877AC
    000853CA   A1 B400B177      MOV EAX,DWORD PTR DS:[77B100B4]
    000853CF   FFD0             CALL EAX
    000853D1   83C4 14          ADD ESP,14
    000853D4  ^E9 2E39FEFF      JMP 00068D07
    000853D9   90               NOP
    000853DA   90               NOP
    000853DB   90               NOP
    000853DC   54               PUSH ESP
    000853DD   70 52            JO SHORT 00085431
    000853DF   65:6C            INS BYTE PTR ES:[EDI],DX
    000853E1   65:61            POPAD
    000853E3   73 65            JNB SHORT 0008544A
    000853E5   43               INC EBX
    000853E6   6C               INS BYTE PTR ES:[EDI],DX
    000853E7   65:61            POPAD
    000853E9   6E               OUTS DX,BYTE PTR ES:[EDI]
    000853EA   75 70            JNZ SHORT 0008545C
    000853EC   47               INC EDI
    000853ED   72 6F            JB SHORT 0008545E
    000853EF   75 70            JNZ SHORT 00085461
    000853F1   4D               DEC EBP
    000853F2   65:6D            INS DWORD PTR ES:[EDI],DX
    000853F4   6265 72          BOUND ESP,QWORD PTR SS:[EBP+72]
    000853F7   73 00            JNB SHORT 000853F9
    000853F9   90               NOP
    000853FA   90               NOP
    000853FB   90               NOP
    000853FC   90               NOP
    000853FD   90               NOP
    000853FE   90               NOP
    000853FF   90               NOP
    00085400   43               INC EBX
    00085401   6C               INS BYTE PTR ES:[EDI],DX
    00085402   65:61            POPAD
    00085404   6E               OUTS DX,BYTE PTR ES:[EDI]
    00085405   75 70            JNZ SHORT 00085477
    00085407   47               INC EDI
    00085408   72 6F            JB SHORT 00085479
    0008540A   75 70            JNZ SHORT 0008547C
    0008540C   203D 2025702C    AND BYTE PTR DS:[2C702520],BH
    00085412   2043 61          AND BYTE PTR DS:[EBX+61],AL
    00085415   6E               OUTS DX,BYTE PTR ES:[EDI]
    00085416   6365 6C          ARPL WORD PTR SS:[EBP+6C],SP
    00085419   50               PUSH EAX
    0008541A   65:6E            OUTS DX,BYTE PTR ES:[EDI]
    0008541C   64:696E 67 43616>IMUL EBP,DWORD PTR FS:[ESI+67],6C6C6143
    00085424   6261 63          BOUND ESP,QWORD PTR DS:[ECX+63]
    00085427   6B73 20 3D       IMUL ESI,DWORD PTR DS:[EBX+20],3D
    0008542B   2025 68732C20    AND BYTE PTR DS:[202C7368],AH
    00085431   43               INC EBX
    00085432   6C               INS BYTE PTR ES:[EDI],DX
    00085433   65:61            POPAD
    00085435   6E               OUTS DX,BYTE PTR ES:[EDI]
    00085436   75 70            JNZ SHORT 000854A8
    00085438   50               PUSH EAX
    00085439   61               POPAD
    0008543A   72 61            JB SHORT 0008549D
    0008543C   6D               INS DWORD PTR ES:[EDI],DX
    0008543D   65:74 65         JE SHORT 000854A5
    00085440   72 20            JB SHORT 00085462
    00085442   3D 2025700A      CMP EAX,0A702520
    00085447   00E8             ADD AL,CH
    00085449   15 4AFAFF85      ADC EAX,85FFFA4A
    0008544E   C00F 85          ROR BYTE PTR DS:[EDI],85
    00085451   1027             ADC BYTE PTR DS:[EDI],AH
    00085453   FE               ???
    00085454   FFFF             ???
    00085456   75 08            JNZ SHORT 00085460
    00085458   A1 B400B177      MOV EAX,DWORD PTR DS:[77B100B4]
    0008545D   68 3CEAAA77      PUSH 77AAEA3C
    00085462   6A 03            PUSH 3
    00085464   57               PUSH EDI
    00085465   68 F5010000      PUSH 1F5
    0008546A   56               PUSH ESI
    0008546B   FFD0             CALL EAX
    0008546D   83C4 18          ADD ESP,18
    00085470  ^E9 F026FEFF      JMP 00067B65
    00085475   E8 E849FAFF      CALL 00029E62
    0008547A   85C0             TEST EAX,EAX
    0008547C  ^0F85 0A27FEFF    JNZ 00067B8C
    00085482   A1 B400B177      MOV EAX,DWORD PTR DS:[77B100B4]
    00085487   68 00EAAA77      PUSH 77AAEA00
    0008548C   6A 04            PUSH 4
    0008548E   57               PUSH EDI
    0008548F   68 02020000      PUSH 202
    00085494   56               PUSH ESI
    00085495   FFD0             CALL EAX
    This is what I got.

  9. #9 adz28

    Code:
    00529103   |.  68 44046000                    PUSH Gunz.00600444                                               ;  ASCII "Announce"
    00529108   |.  68 34046000                    PUSH Gunz.00600434                                               ;  ASCII "Admin.Announce"
    0052910D   |.  68 F5010000                    PUSH 1F5
    Those are 2k7, but I cannot find the PUSH 0 yet u_u

  10. #10

    0042CC95 . E8 66F5FFFF CALL Theduel.0042C200

    This would be the address calling PUSH 1F5 in 07 (I believe).

    6 lines above that you will see:
    0042CC85 . 6A 00 PUSH 0

    Voilà.

    If you're still having trouble, PM/upload your runnables and I will be more than GLAD to assemble them for you.


