Assembly Language for Beginners


8.10. SAP


.text:64406FB9 add esp, 1Ch
.text:64406FBC cmp eax, 0FFFFFFF6h
.text:64406FBF jz short loc_64407004
.text:64406FC1 cmp eax, 1
.text:64406FC4 jz loc_6440708C
.text:64406FCA cmp eax, 2
.text:64406FCD jz short loc_64407004
.text:64406FCF push eax
.text:64406FD0 push offset aCompressionErr ; "compression error [rc = %d]- program wi"...
.text:64406FD5 push offset aGui_err_compre ; "GUI_ERR_COMPRESS"
.text:64406FDA push dword ptr [edi+28D0h]
.text:64406FE0 call SapPcTxtRead


Let’s take a look in sub_644055C5. In it we can only see the call to memcpy() and another function, named
(by IDA) sub_64417440.


And, let’s take a look inside sub_64417440. What we see is:


.text:6441747C push offset aErrorCsrcompre ; "\nERROR: CsRCompress: invalid handle"
.text:64417481 call eax ; dword_644F94C8
.text:64417483 add esp, 4


Voilà! We’ve found the function that actually compresses the data. As was shown in the past^35,
this function is used in SAP and also in the open-source MaxDB project. So it is available in source form.


Doing the last check here:


.text:64406F79 cmp dword ptr [ecx+3A4h], 1
.text:64406F80 jnz compression_flag_is_zero


Replace the JNZ here with an unconditional JMP. Remove the environment variable TDW_NOCOMPRESS. Voilà!


In Wireshark we see that the client messages are not compressed. The server responses, however, are
compressed.


So we found the exact connection between the environment variable and the point where the data compression
routine is either called or bypassed.
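As an added illustration (not from the book), the Python below shows what that JNZ-to-JMP replacement means at the byte level for both x86 conditional-jump encodings, and checks that the branch target is unchanged after the patch. The cmp bytes are reconstructed from the listing at .text:64406F79 (the page shows mnemonics, not bytes); the jump displacement is a constructed value, because the page does not show the jnz's bytes or its target.

```python
# Added example (not from the book): the "replace JNZ with JMP" patch from the
# text at the byte level, for both x86 Jcc encodings (rel8 and rel32).

# Low nibble of the condition code -> mnemonic (same table for 7x and 0F 8x).
JCC_NAMES = ['jo', 'jno', 'jb', 'jae', 'jz', 'jnz', 'jbe', 'ja',
             'js', 'jns', 'jp', 'jnp', 'jl', 'jge', 'jle', 'jg']


def decode_jump(code, offset, base_va):
    """Decode the jump at code[offset]; return (mnemonic, length, target VA).

    Displacements are relative to the address of the *next* instruction,
    which is why a patch must keep the instruction's end where it was.
    """
    op = code[offset]
    if op == 0xEB or 0x70 <= op <= 0x7F:                   # short jmp / Jcc rel8
        rel = int.from_bytes(code[offset + 1:offset + 2], 'little', signed=True)
        name, length = ('jmp' if op == 0xEB else JCC_NAMES[op & 0xF]), 2
    elif op == 0xE9:                                        # near jmp rel32
        rel = int.from_bytes(code[offset + 1:offset + 5], 'little', signed=True)
        name, length = 'jmp', 5
    elif op == 0x0F and 0x80 <= code[offset + 1] <= 0x8F:   # near Jcc rel32
        rel = int.from_bytes(code[offset + 2:offset + 6], 'little', signed=True)
        name, length = JCC_NAMES[code[offset + 1] & 0xF], 6
    else:
        raise ValueError(f'no jump at offset {offset:#x}')
    return name, length, base_va + offset + length + rel


def make_unconditional(code, offset):
    """Return a copy of code with the Jcc at offset turned into a JMP to the same target."""
    buf = bytearray(code)
    op = buf[offset]
    if 0x70 <= op <= 0x7F:
        # Short Jcc (2 bytes) -> JMP rel8 (EB, also 2 bytes): same rel8, same end.
        buf[offset] = 0xEB
    elif op == 0x0F and 0x80 <= buf[offset + 1] <= 0x8F:
        # Near Jcc is 6 bytes (0F 8x rel32) but JMP rel32 (E9) is only 5.
        # Lead with a NOP and reuse the rel32 unchanged: the instruction still
        # ends at the same address, so the target is preserved without
        # recomputing the displacement.
        buf[offset] = 0x90
        buf[offset + 1] = 0xE9
    else:
        raise ValueError(f'no conditional jump at offset {offset:#x}')
    return bytes(buf)


# Constructed sample modelled on the listing at .text:64406F79.
# "cmp dword ptr [ecx+3A4h], 1" encodes as 83 B9 A4 03 00 00 01 (7 bytes), which
# matches the 7-byte gap to the jnz at 64406F80. The page does not show the
# jump's bytes, so the displacements below (0x100 and 0x10) are made up.
BASE_VA = 0x64406F79
CMP = bytes.fromhex('83B9A403000001')
NEAR = CMP + bytes([0x0F, 0x85]) + (0x100).to_bytes(4, 'little')   # jnz rel32
SHORT = CMP + bytes([0x75, 0x10])                                    # jnz rel8


def demo():
    """Patch both encodings and confirm the branch target did not move."""
    results = {}
    for label, code in (('near', NEAR), ('short', SHORT)):
        before = decode_jump(code, 7, BASE_VA)
        patched = make_unconditional(code, 7)
        # In the near case the JMP now starts after the leading NOP.
        jmp_off = 7 + (1 if patched[7] == 0x90 else 0)
        after = decode_jump(patched, jmp_off, BASE_VA)
        results[label] = (before[0], after[0], before[2] == after[2], hex(after[2]))
    return results


if __name__ == '__main__':
    for label, r in demo().items():
        print(label, r)
```

The NOP-first layout for the near case is the point worth remembering: a 6-byte Jcc cannot be overwritten by a 5-byte JMP at the same start address without recomputing the displacement, but shifting the JMP by one byte keeps its end address, and therefore its target, identical.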


8.10.2 SAP 6.0 password checking functions


One time, when the author of this book returned again to his SAP 6.0 IDES installed in a VMware box,
he figured out that he had forgotten the password for the SAP* account; then he recalled it, but then he got
this error message: «Password logon no longer possible - too many failed attempts», since he had made all
these attempts while trying to recall it.


The first extremely good news was that the full disp+work.pdb PDB file is supplied with SAP, and it contains
almost everything: function names, structures, types, local variable and argument names, etc. What a
lavish gift!


There is the TYPEINFODUMP^36 utility for converting PDB files into something readable and grepable.


Here is an example of a function's information + its arguments + its local variables:


FUNCTION ThVmcSysEvent
Address: 10143190 Size: 675 bytes Index: 60483 TypeIndex: 60484
Type: int NEAR_C ThVmcSysEvent (unsigned int, unsigned char, unsigned short*)
Flags: 0
PARAMETER events
Address: Reg335+288 Size: 4 bytes Index: 60488 TypeIndex: 60489
Type: unsigned int
Flags: d0
PARAMETER opcode
Address: Reg335+296 Size: 1 bytes Index: 60490 TypeIndex: 60491
Type: unsigned char
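Here is an added Python example (not part of the book, and not the TYPEINFODUMP tool itself) that parses this record format into a structure you can filter, using the fragment above as constructed sample input. It assumes what the fragment shows: each record starts with a FUNCTION, PARAMETER or LOCAL keyword line followed by lines of Key: value pairs, with several pairs allowed on one line.

```python
import re

# Constructed sample: the TYPEINFODUMP fragment quoted on the page.
SAMPLE = """\
FUNCTION ThVmcSysEvent
Address: 10143190 Size: 675 bytes Index: 60483 TypeIndex: 60484
Type: int NEAR_C ThVmcSysEvent (unsigned int, unsigned char, unsigned short*)
Flags: 0
PARAMETER events
Address: Reg335+288 Size: 4 bytes Index: 60488 TypeIndex: 60489
Type: unsigned int
Flags: d0
PARAMETER opcode
Address: Reg335+296 Size: 1 bytes Index: 60490 TypeIndex: 60491
Type: unsigned char
"""

# A record header: keyword plus symbol name. LOCAL is assumed (the page says
# local variables are dumped too) but does not appear in the fragment.
RECORD_RE = re.compile(r'^(FUNCTION|PARAMETER|LOCAL)\s+(\S+)$')
# One "Key: value" pair; the value runs until the next " Key:" or end of line,
# so "Address: ... Size: ... Index: ... TypeIndex: ..." splits into four fields.
FIELD_RE = re.compile(r'(\w+):\s*(.*?)(?=\s+\w+:|$)')


def parse_typeinfodump(text):
    """Parse dump text into a list of FUNCTION dicts, each with its child records."""
    functions = []
    current = None          # record that receives the following Key: value lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m:
            kind, name = m.groups()
            rec = {'kind': kind, 'name': name}
            if kind == 'FUNCTION':
                rec['children'] = []
                functions.append(rec)
            elif functions:
                functions[-1]['children'].append(rec)
            else:
                raise ValueError(f'{kind} {name} appears before any FUNCTION')
            current = rec
            continue
        if current is None:
            raise ValueError(f'field line outside a record: {line!r}')
        for key, value in FIELD_RE.findall(line):
            if key == 'Size':
                value = int(value.split()[0])        # "675 bytes" -> 675
            elif key in ('Index', 'TypeIndex'):
                value = int(value)
            current[key] = value
    return functions


def grep_functions(functions, needle):
    """Names of functions whose prototype contains needle (case-insensitive)."""
    needle = needle.lower()
    return [f['name'] for f in functions if needle in f.get('Type', '').lower()]


def parameters(function):
    """(name, type, size) for each PARAMETER record of a parsed function."""
    return [(c['name'], c.get('Type'), c.get('Size'))
            for c in function['children'] if c['kind'] == 'PARAMETER']


if __name__ == '__main__':
    for f in parse_typeinfodump(SAMPLE):
        print(f['name'], f['Address'], f['Size'], f['Type'])
        for p in parameters(f):
            print('   ', p)
```

Searching the parsed prototypes (grep_functions) is the grepable part the text refers to; having Size and the indices as integers means the output can also be sorted or joined against disassembler output rather than only grepped.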


(^35) http://go.yurichev.com/17312
(^36) http://go.yurichev.com/17038
