Task #2 done; One patch is possible Monday, 08-Feb-99 03:46:02
To solve the problem posed by task 2 I took the following steps:

1. Ran the program and registered it to Pirate Copy with 1234123412341234 and got the "Sorry, the registration code does not match! Try again or Cancel the registration." message. That is good. Now I have something to help me continue with step 2.

2. Examined the listing produced by W32Dasm and found two locations where the "Sorry" message was referenced, one at location 405C50 and the other at location 40B9BC.

3. Placed a bpx at both locations and tried to register again; the program stopped at 40B9BC. The dead listing at that location showed the following reference statement:

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040B744(C)

from which it is obvious that the program came here from location 40B744. This is the code at that location:

    :0040B73A E881150000    call 0040CCC0
    :0040B73F 83C408        add esp, 00000008
    :0040B742 85C0          test eax, eax
    :0040B744 0F8572020000  jne 0040B9BC

4. Nullified the jump (there is more than one way of producing the wanted effect) and continued with the program. Joy, for the moment at least: the program greeted me with the "Thanks for registering Memory Game 95" message. But when I tried to run the program a second time I was given the "Sorry, the registration code does not match! Try again or Cancel the registration." message again. What is going on? Would a permanent patch do the job? Not completely. Every time the program is run it will give the "Sorry" message and reregister, and this is not acceptable. The reason I was getting the "Sorry" message is that the program stores the fake number I provided, and every time it ran it checked it and found it to be wrong. So let us find out where this second check is made.

5. Remember I said earlier there were two locations where the "Sorry..." message was referenced, so let us go there and see what we may find. Here is the code around that location:

    :00405C3D E87E700000    call 0040CCC0
    :00405C42 83C408        add esp, 00000008
    :00405C45 85C0          test eax, eax
    :00405C47 0F8434010000  je 00405D81
    :00405C4D 8B45E4        mov eax, dword ptr [ebp-1C]
    * Possible Reference to String Resource ID=61244: "Sorry, the registration code does not match! Try again or Ca"
    |
    :00405C50 683CEF0000    push 0000EF3C

This location is not referenced by a call or a jump from any other place, therefore the program must arrive at this location from the code preceding it. Let us take a look. Just two instructions before it we find a test followed by a jump, but unlike the jump at 40B744 it is a je, so the program will jump if the condition is true. In other words, the first jump was to the bad boy part of the code and this one is a jump to the good boy part. So we cannot simply nullify this jump as we did in the case of the previous jump. We have to make sure the program jumps here regardless of the result of the test. To make this happen we have to change the conditional jump to an absolute jump, provided both jumps remain far jumps. The instruction we need is E9 to replace 0F 84. To accomplish the task we change the 0F to 90; this is necessary because we are using a one-byte instruction to replace a two-byte instruction. Then we replace the 84 with E9 and the job is done. Once this change is made the program will always jump to the good boy section of code, and the program will run happily ever after. With these two patches in place the program will run without complaining, but are there other places where we may patch? Of course yes, and I will show how in the next step.

6. Both jumps we have just patched were preceded by a call to 40CCC0, and it should not take much imagination to know what takes place during this call. It is the section of code where the fake and real serial numbers are compared, so let us take a close look at this code:

    :0040CCC0 83EC04        sub esp, 00000004
    : [Snip, not important]
    :0040CCCE 8B4C2410      mov ecx, dword ptr [esp+10]
    :0040CCD2 8B542414      mov edx, dword ptr [esp+14]
    :0040CCD6 8A01          mov al, byte ptr [ecx]
    :0040CCD8 3A02          cmp al, byte ptr [edx]
    :0040CCDA 751E          jne 0040CCFA
    :0040CCDC 0AC0          or al, al
    :0040CCDE 7412          je 0040CCF2
    :0040CCE0 8A4101        mov al, byte ptr [ecx+01]
    :0040CCE3 3A4201        cmp al, byte ptr [edx+01]
    :0040CCE6 7512          jne 0040CCFA
    :0040CCE8 83C102        add ecx, 00000002
    :0040CCEB 83C202        add edx, 00000002
    :0040CCEE 0AC0          or al, al
    :0040CCF0 75E4          jne 0040CCD6

Examining this code we notice where a compare instruction is followed by a jump instruction; these are at 40CCDC and 40CCE6, and both go to the same place. Obviously, these are the bad boy jumps, and if we nop both of them we achieve the result we are after: the program will run as if it were registered, without any complaint. The reason for this is that every time the program does the comparison it is forced to return with the correct flag and fool the program. I don't like to patch two locations if I can get away with just one, so is it possible to make just one patch? Bet you it is, and I will show you how in the next step.

7. Let us look at the code where the jumps above go and see if anything could be done there:

    :0040CCFA 1BC0          sbb eax, eax
    :0040CCFC 5E            pop esi
    :0040CCFD 83D8FF        sbb eax, FFFFFFFF
    :0040CD00 5B            pop ebx
    :0040CD01 83C404        add esp, 00000004
    :0040CD04 C3            ret

Consider the instruction at 40CCFD, sbb eax, FFFFFFFF. Now remember that eax = 00000000 as a result of the instruction at 40CCFA, sbb eax, eax, and subtracting FFFFFFFF from eax results in eax = FFFFFFFF. With this value in eax the instruction test eax, eax will produce an unequal condition, which causes the program to go to the bad boy section after the test. If we do something here to ensure eax will be = 00000000, the program will go to the good boy section of code every time. So what do we have to do? Very simple: change the instruction at 40CCFD to become xor eax, eax and put one nop after that to take care of the extra byte. This is the code you need to change at 40CCFD: change 83D8FF to 33C090. Make this permanent and you are done.

Final note: One of the advantages of working with W32Dasm is the fact that W32Dasm gives you the offset location of any section of code. If you take note of that you can go to the wanted byte without any difficulties when you are doing permanent patching with a hex editor such as Hex Workshop.

Enjoy,
Joseph
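The two byte patches worked out in steps 5 and 7 above (je to nop+jmp at 405C47, and sbb eax,FFFFFFFF to xor eax,eax / nop at 40CCFD), as an added Python example that is not part of Joseph's post. It applies each same-length patch only after checking that the bytes at the target match the W32Dasm listing, decodes the rel32 displacement to confirm the converted jump still lands on 00405D81, and simulates the sbb epilogue at 0040CCFA to show what eax the caller's test eax, eax sees before and after the patch. Everything except the quoted addresses and bytes is a constructed assumption: the image buffer is a stand-in, not the real executable, the image base of 00400000 is assumed, and the file-offset mapping (offset == RVA) is hypothetical; on the real file you would use the offsets W32Dasm prints and a hex editor such as Hex Workshop.

```python
import struct

IMAGE_BASE = 0x00400000   # assumption: the usual Win32 image base


def va_to_off(va: int) -> int:
    """Hypothetical mapping, file offset == RVA. A real PE needs its section
    table for this; W32Dasm prints the true file offset for each line."""
    return va - IMAGE_BASE


def put(img: bytearray, va: int, data: bytes) -> None:
    off = va_to_off(va)
    img[off:off + len(data)] = data


def read(img: bytearray, va: int, n: int) -> bytes:
    off = va_to_off(va)
    return bytes(img[off:off + n])


def build_image() -> bytearray:
    """Constructed stand-in image holding only the bytes quoted from the listing."""
    img = bytearray(0x10000)
    # :00405C45 test eax,eax ; :00405C47 je 00405D81 ; :00405C4D mov eax,[ebp-1C]
    put(img, 0x405C45, bytes.fromhex("85C0" "0F8434010000" "8B45E4"))
    # :0040CCFA sbb eax,eax ; pop esi ; sbb eax,-1 ; pop ebx ; add esp,4 ; ret
    put(img, 0x40CCFA, bytes.fromhex("1BC0" "5E" "83D8FF" "5B" "83C404" "C3"))
    return img


def patch(img: bytearray, va: int, expected: bytes, replacement: bytes) -> None:
    """Same-length in-place patch that refuses to write unless the bytes on disk
    match the listing, so a wrong offset cannot silently corrupt the file."""
    if len(expected) != len(replacement):
        raise ValueError("a patch must not change the length of the instruction stream")
    found = read(img, va, len(expected))
    if found != expected:
        raise ValueError(f"at {va:08X} expected {expected.hex()} but found {found.hex()}")
    put(img, va, replacement)


def rel32_target(img: bytearray, va: int) -> int:
    """Decode the destination of E9 rel32 or 0F 8x rel32 at va. The displacement
    is relative to the first byte after the instruction."""
    op_len = 2 if read(img, va, 1) == b"\x0F" else 1
    (rel,) = struct.unpack("<i", read(img, va + op_len, 4))
    return va + op_len + 4 + rel


def jcc_to_jmp(img: bytearray, va: int) -> int:
    """Step 5: 0F 8x rel32 -> 90 E9 rel32. The nop keeps the E9 instruction ending
    at the same address as the 6-byte Jcc did, so rel32 needs no adjustment.
    Returns the (unchanged) jump target as a check."""
    opcode = read(img, va, 2)
    if opcode[0] != 0x0F or not 0x80 <= opcode[1] <= 0x8F:
        raise ValueError(f"no Jcc rel32 at {va:08X}: {opcode.hex()}")
    before = rel32_target(img, va)
    patch(img, va, opcode, b"\x90\xE9")
    after = rel32_target(img, va + 1)          # the jmp now starts one byte later
    if after != before:
        raise RuntimeError("jump target changed")
    return after


def force_compare_zero(img: bytearray, va: int = 0x40CCFD) -> None:
    """Step 7: sbb eax,FFFFFFFF (83 D8 FF) -> xor eax,eax ; nop (33 C0 90)."""
    patch(img, va, bytes.fromhex("83D8FF"), bytes.fromhex("33C090"))


def epilogue_eax(cf: int, patched: bool = False) -> int:
    """Simulate the eax built at 0040CCFA from the carry flag left by the last
    cmp. Unpatched it is never zero (1 or FFFFFFFF depending on CF), so the
    caller's test eax,eax falls through to the bad boy code; patched, it is 0."""
    eax = (-cf) & 0xFFFFFFFF                  # sbb eax,eax: 0 or FFFFFFFF, CF stays cf
    borrow = cf
    if patched:
        return 0                              # xor eax,eax ; nop
    return (eax - 0xFFFFFFFF - borrow) & 0xFFFFFFFF   # sbb eax,FFFFFFFF


if __name__ == "__main__":
    image = build_image()
    print(f"je target before: {rel32_target(image, 0x405C47):08X}")
    print(f"jmp target after: {jcc_to_jmp(image, 0x405C47):08X}")
    force_compare_zero(image)
    print("405C47:", read(image, 0x405C47, 6).hex().upper())
    print("40CCFD:", read(image, 0x40CCFD, 3).hex().upper())
    for cf in (0, 1):
        print(f"CF={cf}: eax={epilogue_eax(cf):08X} patched={epilogue_eax(cf, True):08X}")
```

The expected-bytes check in patch() is the part worth keeping for real work: running force_compare_zero() a second time on the same image raises, because 83 D8 FF is no longer there, which is exactly the behaviour you want when a wrong offset would otherwise overwrite unrelated code.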
Joseph: Projec6; General (03-Feb-99 04:49:00)
Copyright © InsideTheWeb, Inc. 1997-1999
All rights reserved.