Translated from http://dgdown.myetang.com/text/text24.htm, translator and original author unknown.
Discovery of the master password in SUB7
The point of this article: you think that once you have set a password on the SUB7 server, nobody else can connect to it?
You are badly mistaken! Here I will show you how I found a security vulnerability in this Trojan server.
Tools you need:
(x) Softice (with its Symbol Loader). You can get it from cracking enthusiasts; it can also be found on many cracking websites!
(x) HIEW 6.16, a hex editor.
(x) The target, SUB7, available here: subseven.slak.org
(x) Basic knowledge of Softice commands and assembly language.
Let's start:
I am mainly interested in how the password is compared when the client connects, so I use Softice's Symbol Loader to load the exports of Winsock :)
Run the Loader, click the "File - Load Exports" menu, go to your Windows system directory, select "WSOCK32.DLL" and open it. Symbol Loader should display:
"Exports for z: /windblowz/system/wsock32.dll loaded successfully"
Now use EditServer.exe to configure the SUB7 server (see other documents; I won't cover that here). I set the port to 666 and the password to "abuse". Run the server so the Trojan is installed on your own machine, but do not be connected to the Internet. (I take no responsibility for this program; it is not mine.) Run Subseven.exe and connect to the server (IP address 127.0.0.1, i.e. your local machine). The password box pops up; enter any password. The server receives the client's data with WSOCK32!RECV.
The Windows Sockets recv function receives data on a socket. Its prototype is as follows:
int recv (
    SOCKET s,
    char FAR * buf,
    int len,
    int flags
);
The second parameter (char FAR * buf) is the important one: the received data is stored there. Now set a breakpoint on RECV in Softice (once it fires, enter "D ESP->8" to display the buffer argument, which sits at [ESP+8] on entry). Click OK to send the password. Softice pops up; press F11 (G @SS:ESP) to return to the caller. Skip ahead to the password part: the 'PWD' is displayed in Softice's data window.
Now set a range breakpoint on the password's address (e.g. BPR 405000 405010 RW) and continue; the first hit is a copy at 004029C5.
The next time you will stop at 004040DD:
0167:004040DD 8B0E     MOV ECX,[ESI]
0167:004040DF 8B1F     MOV EBX,[EDI]
0167:004040E1 39D9     CMP ECX,EBX
0167:004040E3 7558     JNZ 0040413D
0167:004040E5 4A       DEC EDX
0167:004040E6 7415     JZ 004040FD
0167:004040E8 8B4E04   MOV ECX,[ESI+04]
0167:004040EB 8B5F04   MOV EBX,[EDI+04]
0167:004040EE 39D9     CMP ECX,EBX
It stopped at 4040DD because of the breakpoint we set on our password. Our password is in the buffer at ESI: its first four letters are moved into ECX, and the four letters at EDI are moved into EBX to be compared... So you think you have now found the password comparison? No, no,
no way! In fact, the SUB7 authors were even more stupid!!! Enter "D EDI" in Softice and you see:
016F: 012A3DD4 31 34 34 33 38 31 33 36-37 38 32 37 31 35 31 30 1443813678271510
016F: 012A3DE4 31 39 38 30 00 69 6F 00-28 00 00 00 00 00 00 1980.io. (... "...
016F: 012A3DF4 01 00 00 00 00 00 00-53 75 62 73 65 76 65 6e ......... Subseven
016F: 012A3E04 5F 5F 5F 3C 20 70 69 63-6B 20 3e 00 10 3e 2a 01 ___
016F: 012A3E14 10 3E 2A 01 38 00 00-53 75 62 73 65 76 65 6e.> *. 8 ... Subseven
Strange, that is not the "abuse" password I set. So let's try again with that string... Subseven displays: connected.
Ah, how is that possible? Subseven ships with a built-in master password? You can try it a few times on your own computer. Yes,
that is the built-in master password.
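The compare loop that the listing at 004040DD shows, written out in C as an added illustration; this is not Sub7's own code. ESI and EDI are the two strings and EDX the count of 32-bit words; because the listing on the page ends after the second pair of loads, the step of 8 bytes per unrolled iteration is an assumption, as is the zero-padding helper used to compare ordinary C strings with it.

```c
#include <stdint.h>
#include <string.h>

/* The dword-wise compare loop the Softice listing shows at 004040DD, in C.
   esi and edi point at the two byte strings, edx is the number of 32-bit
   words to compare.  Returns 1 when every word matches (the JZ 004040FD
   path), 0 at the first mismatch (the JNZ 0040413D path).  The listing on
   the page ends after the second pair of loads, so advancing 8 bytes per
   unrolled iteration is an assumption. */
int dword_compare(const unsigned char *esi, const unsigned char *edi, uint32_t edx)
{
    uint32_t ecx, ebx;
    if (edx == 0)
        return 1;                       /* assumed: nothing to compare */
    for (;;) {
        memcpy(&ecx, esi, 4);           /* MOV ECX,[ESI]               */
        memcpy(&ebx, edi, 4);           /* MOV EBX,[EDI]               */
        if (ecx != ebx) return 0;       /* CMP ECX,EBX / JNZ 0040413D  */
        if (--edx == 0) return 1;       /* DEC EDX / JZ 004040FD       */
        memcpy(&ecx, esi + 4, 4);       /* MOV ECX,[ESI+04]            */
        memcpy(&ebx, edi + 4, 4);       /* MOV EBX,[EDI+04]            */
        if (ecx != ebx) return 0;       /* CMP ECX,EBX / JNZ           */
        if (--edx == 0) return 1;       /* DEC EDX / JZ                */
        esi += 8;                       /* assumed: step to next 8 bytes */
        edi += 8;
    }
}

/* Compare two C strings the way the loop does: over ceil(n/4) whole words,
   both copied into zero-padded scratch buffers so the word reads never run
   past the data.  n is the longer length, so a shorter candidate fails on
   the padding instead of being accepted on a prefix match. */
int passwords_match(const char *typed, const char *stored)
{
    unsigned char a[64] = {0}, b[64] = {0};
    size_t la = strlen(typed), lb = strlen(stored);
    size_t n = la > lb ? la : lb;
    if (n + 4 > sizeof a)
        return 0;                       /* does not fit the scratch space */
    memcpy(a, typed, la);
    memcpy(b, stored, lb);
    return dword_compare(a, b, (uint32_t)((n + 3) / 4));
}
```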
Okay, that is it; I just wanted to get someone interested in this. I am not responsible for this article!
Good luck!