Hexon
Task 3 Now Completed At Last
Sun Dec 20 17:15:16 1998


Hi Sandman

Below is the method that I used to complete task 3

Dead Listing in W32DASM

0043FA04 E8FB41FCFF call 00403C04 ;check serial no
0043FA09 752E jne 0043FA39 ;bugger off
0043FA0B A1209B4400 mov eax, dword ptr [00449B20] ;good guy
0043FA10 8B00 mov eax, dword ptr [eax]
0043FA12 E8D5AFFEFF call 0042A9EC
0043FA17 A1109D4400 mov eax, dword ptr [00449D10]
0043FA1C 803800 cmp byte ptr [eax],00 ;good guy if 0
0043FA1F 750C jne 0043FA2D ;bugger off

To get CYT to accept any registration number I used BPX hmemcpy in SoftICE to find the function that checks the serial against the username-generated one. When I was satisfied that I had found this function I F12ed out of it and arrived at the second line of the above code. Then, to ensure that the program flow will always drop through to the next instruction, I just NOOPed the jne:

0043FA09 90 nop
0043FA0A 90 nop

And then when the prog flow again needs to fall through to the next instruction rather than jump at 0043FA1F, again I NOOPed:

0043FA1F 90 nop
0043FA20 90 nop

Task 3 was by no means easy for me; there was a lot of trial and error involved. However, I got there in the end.

Hexon
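Seen from the other side, the post is a good illustration of why a single conditional jump is a weak gate: two bytes of 0x90 and the check is gone. The example below is added here and is not code from the post or from CYT. It takes the 29 instruction bytes exactly as they appear in the W32DASM listing (0043FA04 to 0043FA20), makes a tampered copy with the two jne instructions replaced by nop nop as described, and shows the two things an integrity check or a binary-diff tool would do to catch that: compare a checksum of the code against a known-good value, and list every differing byte, flagging the ones where a short conditional-jump opcode (0x70 to 0x7F) became NOPs. The FNV-1a checksum, the fixed byte array standing in for a mapped code section, and the function names are all assumptions of this example; a real self-check would hash the live code pages and embed the expected value at build time.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Instruction bytes copied from the dead listing in the post, starting at 0043FA04. */
static const uint32_t LISTING_BASE = 0x0043FA04u;
static const uint8_t ORIGINAL_CODE[] = {
    0xE8, 0xFB, 0x41, 0xFC, 0xFF,   /* 0043FA04 call 00403C04      (serial check) */
    0x75, 0x2E,                     /* 0043FA09 jne  0043FA39      (bad serial) */
    0xA1, 0x20, 0x9B, 0x44, 0x00,   /* 0043FA0B mov  eax,[00449B20] */
    0x8B, 0x00,                     /* 0043FA10 mov  eax,[eax] */
    0xE8, 0xD5, 0xAF, 0xFE, 0xFF,   /* 0043FA12 call 0042A9EC */
    0xA1, 0x10, 0x9D, 0x44, 0x00,   /* 0043FA17 mov  eax,[00449D10] */
    0x80, 0x38, 0x00,               /* 0043FA1C cmp  byte ptr [eax],00 */
    0x75, 0x0C,                     /* 0043FA1F jne  0043FA2D      (bad flag) */
};
#define CODE_LEN (sizeof ORIGINAL_CODE)

typedef struct {
    uint32_t addr;      /* address of the differing byte */
    uint8_t  was, now;  /* known-good byte vs. byte found in the image */
    int      branch_nopped; /* 1 if a short Jcc was turned into nop nop */
} patch_t;

/* FNV-1a 32-bit checksum (assumed here as the stand-in for an embedded code hash). */
uint32_t fnv1a32(const uint8_t *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Integrity check: 1 if the image still hashes to the build-time value, 0 if it was modified. */
int verify_image(const uint8_t *cur, size_t n, uint32_t expected) {
    return fnv1a32(cur, n) == expected;
}

/* Constructed tampered copy: the two patches the post describes (jne -> nop nop). */
void make_tampered_copy(uint8_t *dst) {
    memcpy(dst, ORIGINAL_CODE, CODE_LEN);
    dst[5]  = 0x90; dst[6]  = 0x90;   /* 0043FA09, 0043FA0A */
    dst[27] = 0x90; dst[28] = 0x90;   /* 0043FA1F, 0043FA20 */
}

/* Byte-level diff of a running image against the known-good bytes.
 * Records up to max differences in out and returns the total number found. */
size_t find_patches(const uint8_t *orig, const uint8_t *cur, size_t n,
                    uint32_t base, patch_t *out, size_t max) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (orig[i] == cur[i]) continue;
        if (count < max) {
            patch_t p;
            p.addr = base + (uint32_t)i;
            p.was = orig[i];
            p.now = cur[i];
            /* 0x70..0x7F are the two-byte short conditional jumps; jne is 0x75. */
            p.branch_nopped = (orig[i] >= 0x70 && orig[i] <= 0x7F &&
                               cur[i] == 0x90 && i + 1 < n && cur[i + 1] == 0x90);
            out[count] = p;
        }
        count++;
    }
    return count;
}

int main(void) {
    uint8_t tampered[CODE_LEN];
    patch_t found[8];
    uint32_t good_hash = fnv1a32(ORIGINAL_CODE, CODE_LEN);

    make_tampered_copy(tampered);
    printf("integrity check on patched image: %s\n",
           verify_image(tampered, CODE_LEN, good_hash) ? "ok" : "FAILED");

    size_t n = find_patches(ORIGINAL_CODE, tampered, CODE_LEN, LISTING_BASE, found, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("%08X: %02X -> %02X%s\n", found[i].addr, found[i].was, found[i].now,
               found[i].branch_nopped ? "  (conditional jump NOPed)" : "");
    return 0;
}
```

The diff reports four changed bytes and flags 0043FA09 and 0043FA1F as NOPed conditional jumps, which is exactly the pattern a tamper check or a file-integrity scan should treat as a red flag. Checking only a hash tells you the image changed; the opcode-aware diff tells you what kind of change it was.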