Thread: Great Project

  1. #1
    Mustapha
    Guest

    Great Project

    Hi Kayaker,
    I met the project too late. I read some of the tuts and
    tried myself to see what happened. Well, ungraying the
    "Save as" was easy, but making it work is another story.
    When I read Lord Soth's tut "Now, trace through the code,
    carefully look for that CMP, and you should see it after a while."
    I thought I must be prepared for that *While*. I was looking for
    E104 or 111, something that could give force to my finger
    because it was tired of pressing F8. In some part of the
    code, EBX=111 and I entered into a Call, then EBX was xored,
    but three lines after that there was a CMP, or I must say The Holy CMP.

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00497E48(C)
    |
    :00497E93 57              push edi
    :00497E94 0FB7F8          movzx edi, ax
    :00497E97 33DB            xor ebx, ebx ; EBX is xored
    :00497E99 8BF1            mov esi, ecx

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00497E50(C)
    |
    :00497E9B C1E810          shr eax, 10
    :00497E9E 395D0C          cmp dword ptr [ebp+0C], ebx
    :00497EA1 894508          mov dword ptr [ebp+08], eax
    :00497EA4 753A            jne 00497EE0 ; <----- here -----> MUST BE JMP(EB)
    :00497EA6 3BFB            cmp edi, ebx
    :00497EA8 7466            je 00497F10
    :00497EAA 8D4DD4          lea ecx, dword ptr [ebp-2C]
    :00497EAD E8A9FFFFFF      call 00497E5B
    :00497EB2 8B06            mov eax, dword ptr [esi]
    :00497EB4 8D4DD4          lea ecx, dword ptr [ebp-2C]
    :00497EB7 53              push ebx
    :00497EB8 51              push ecx
    :00497EB9 6AFF            push FFFFFFFF
    :00497EBB 57              push edi
    :00497EBC 8BCE            mov ecx, esi
    :00497EBE 897DD8          mov dword ptr [ebp-28], edi
    :00497EC1 FF5014          call [eax+14]
    :00497EC4 395DFC          cmp dword ptr [ebp-04], ebx
    :00497EC7 743E            je 00497F07 ; <----- here -----> MUST BE NOP(90)
    :00497EC9 895D08          mov dword ptr [ebp+08], ebx

    If I change one of the Cmps, the prog works well. I do not know
    why the two Cmps are there. I write this because I'm very happy now,
    and because it's good to tell how things happened or what was
    in my (or someone's) mind at that moment.
    (Maybe the power of my little finger did the job, who knows?)
    I must say that this Project was great because it makes you go deeper
    in reversing.

    Regards,
    Mustapha

  2. #2
    Mustapha
    Guest
    SORRY!!!!!
    I posted out of the project folder!!!

  3. #3
    Kayaker
    Hi Mustapha,

    I don't know if you've heard the famous Bugs Bunny phrase "I don't know howz ya done it, but I knowz ya done it!", but it applies here (actually I think it was Yosemite Sam who said it first)

    The code you found is in that complex path leading from the selection of a menu item (after you've ungrayed it) to what I was calling the "critical" compare at 45AF20. Trace by stepping into the indirect calls/last call before a RETurn as outlined before and you'll reach it:

    :00497E9E 395D0C          cmp dword ptr [ebp+0C], ebx
    :00497EA1 894508          mov dword ptr [ebp+08], eax ; MenuItemID
    :00497EA4 753A            jne 00497EE0 ; <----- here -----> MUST BE JMP(EB)

    If you patch the jump as you mentioned, this restores the functionality of all the disabled menu items, even if the JZ at 45AF20 ISN'T patched!

    I'm not sure what the significance of [ebp+0C] is (the address is 75FAF8 while the memory address used at 45AF20 was 50F8A4), but this could be interesting to explore if anyone wants to go into this further.

    In any case it works and you can't argue with results. Good job!

    Regards,

    Kayaker
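As an added check, not code from the thread: a small Python parser for the W32Dasm-style listing quoted in posts #1 and #3 that recomputes each relative jump/call destination from its opcode bytes and confirms it matches the target the listing prints. It assumes the listing layout shown above (address, hex bytes, filler dots, mnemonic, target); the sample lines are copied from the thread.

```python
import re

# Constructed sample: four branch lines from the listing quoted in the thread
# (W32Dasm style, with the forum's filler dots and "<----- here ---->" markers).
LISTING = """\
:00497EA4 753A.<----- here ---->..jne 00497EE0 ; MUST BE JMP(EB)
:00497EA8 7466....................je 00497F10
:00497EAD E8A9FFFFFF..............call 00497E5B
:00497EC7 743E.<----- here ----->.je 00497F07 ; MUST BE NOP(90)
"""

# address, opcode bytes, filler (dots/spaces), mnemonic, listed target
LINE_RE = re.compile(r"^:([0-9A-F]{8})\s+([0-9A-F]+)[.\s]+([a-z]+)\s+([0-9A-F]{8})")

def parse_listing(text):
    """Return (addr, opcode bytes, mnemonic, listed target) for each branch line."""
    rows = []
    for line in text.splitlines():
        line = re.sub(r"<[^>]*>", "", line).strip()   # drop the "<----- here ---->" markers
        m = LINE_RE.match(line)
        if m:
            addr, hexbytes, mnem, target = m.groups()
            rows.append((int(addr, 16), bytes.fromhex(hexbytes), mnem, int(target, 16)))
    return rows

def decode_target(addr, code):
    """Destination encoded by a relative jump/call at addr; None if not one we decode."""
    op = code[0]
    if 0x70 <= op <= 0x7F or op == 0xEB:            # Jcc rel8 / JMP rel8: 2-byte insn
        return (addr + 2 + int.from_bytes(code[1:2], "little", signed=True)) & 0xFFFFFFFF
    if op in (0xE8, 0xE9):                           # CALL rel32 / JMP rel32: 5-byte insn
        return (addr + 5 + int.from_bytes(code[1:5], "little", signed=True)) & 0xFFFFFFFF
    if op == 0x0F and 0x80 <= code[1] <= 0x8F:       # Jcc rel32: 6-byte insn
        return (addr + 6 + int.from_bytes(code[2:6], "little", signed=True)) & 0xFFFFFFFF
    return None

def verify_listing(text):
    """Map each branch address to True when its bytes really encode the listed target."""
    return {addr: decode_target(addr, code) == target
            for addr, code, _mnem, target in parse_listing(text)}

if __name__ == "__main__":
    for addr, ok in verify_listing(LISTING).items():
        print(f"{addr:08X}: {'consistent' if ok else 'MISMATCH'}")
```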
