Assembly Language for Beginners

(Jeff_L) #1

8.10. SAP


Figure 8.17:Screenshot

Let’s see if we can remove the window somehow.


But before this, let’s see what we already know.


First: weknowthattheenvironmentvariableTDW_NOCOMPRESSischeckedsomewhereinsidetheSAPGUI
client.


Second: a string like “data compression switched off” must be present somewhere in it.


WiththehelpoftheFARfilemanager^31 wecanfoundthatbothofthesestringsarestoredintheSAPguilib.dll
file.


So let’s open SAPguilib.dll inIDAand search for the“TDW_NOCOMPRESS ”string. Yes, it is present and
there is only one reference to it.


We see the following fragment of code (all file offsets are valid for SAPGUI 720 win32, SAPguilib.dll file
version 7200,1,0,9009):


.text:6440D51B lea eax, [ebp+2108h+var_211C]
.text:6440D51E push eax ; int
.text:6440D51F push offset aTdw_nocompress ; "TDW_NOCOMPRESS"
.text:6440D524 mov byte ptr [edi+15h], 0
.text:6440D528 call chk_env
.text:6440D52D pop ecx
.text:6440D52E pop ecx
.text:6440D52F push offset byte_64443AF8
.text:6440D534 lea ecx, [ebp+2108h+var_211C]


; demangled name: int ATL::CStringT::Compare(char const *)const
.text:6440D537 call ds:mfc90_1603
.text:6440D53D test eax, eax
.text:6440D53F jz short loc_6440D55A
.text:6440D541 lea ecx, [ebp+2108h+var_211C]


; demangled name: const char* ATL::CSimpleStringT::operator PCXSTR
.text:6440D544 call ds:mfc90_910


(^31) http://go.yurichev.com/17347

Free download pdf