Shadow's tutorial to windows32 world. 

I assume that reader knows something about c coding. 

protected mode 
============== 

All 32 bit windows programs (95,98,NT) uses protected mode instead 
of old realmode. 

Why? 

Old realmode is limited to 20bit memory accessing, that means 
we can only use 2^20 bytes of memory. 

In protected mode we can use 2^32 bytes of memory (about 4gbytes). 
Enought for everyone? 

Protected mode registers 
======================== 

EAX - 32 bit register 
EBX - 32 bit register 
ECX - 32 bit register 
EDX - 32 bit register 
EDI - 32 bit register (string operations) 
ESI - 32 bit register (string operations) 

EBP - base pointer (stack) 
ESP - stack pointer (stack) 

EIP - instruction pointer 

and some other registers for "advanced" coders ;) 

You usually see these when you debug/disasm code. 


Windows world 
============= 

In almost all operations that we need to perform needs handle. 
Let's say that handle is pointer to window, file or device. 

In dos world we can perform all operations directly. In windows 
world we need to use winapi instead of direct hardware access. 
This makes thing easy to crackers. Because programmers can't 
hide information so easily. 

Winapi 
============ 

When we are cracking windows applications, we need some knowledge of 
winapi (=application programming interface). 

Winapi is c-code functions to use with programming windows32. 

Let's take example. 

BOOL WriteConsole( 
HANDLE hConsoleOutput, // handle to a console screen buffer 
CONST VOID *lpBuffer, // pointer to buffer to write from 
DWORD nNumberOfCharsToWrite,// number of characters to write 
LPDWORD lpNumberOfCharsWritten,// pointer to number of characters written 
LPVOID lpReserved // reserved 
); 


Nice c-call is it? 

How it works with assembly: 

push lpReserved 
push offset lpNumbersOfCharsWritten 
push nNumberOfCharsWritten 
push offset lpBuffer 
push hConsoleOutput 
call WriteConsoleA 

Note that parameters are pushed in reversed order. After call, return 
value is returned to eax register. A after function name means that it 
is normal 8bit wide char functions, because in windows there are also 
16 bit wide unicode char functions to handle chinece and other "weird" 
languages.. 

Let's take another example: 

/* hello world */ 

#include <windows.h> 

void main(void) 
{ 
HANDLE hConsoleOutput; 
unsigned char *buffer = "Hello world"; 
unsigned long number; 
unsigned long pnumber; 

// init variables 

number = lstrlen(buffer); 

// we need to handle to console, if we want to write 
// something. 

hConsoleOutput = GetStdHandle(STD_OUTPUT_HANDLE); 
if(hConsoleOutput == INVALID_HANDLE_VALUE) { 
// error 
ExitProcess(0); 
} 
WriteConsole(hConsoleOutput,buffer,number,&pnumber,NULL); 
ExitProcess(0); 
} 

same in assembler: 


inc windows.inc 

.data 
console dd 0 
buffer db "Hello World",0 
number dd 0 
pnumber dd 0 
.code 

push offset buffer 
call lstrlen 
mov number,eax 

push STD_OUTPUT_HANDLE 
call GetStdHandle 
cmp eax,INVALID_HANDLE_VALUE 
je @@error 
mov console,eax 

push 0 
push offset pnumber 
push number 
push offset buffer 
push console 
call WriteConsoleA 

@@error: 
push 0 
call ExitProcess 


Use this information to extend your knowledge of windows. 
To extend more your knowledge, study assembler and c languages... 

                        Shadow / hf '99 