Posted by Eternal Bliss on 1/16/2000, 4:55 pm
, in reply to "Task 2: Name, Company, Keycode retrieval"
After that, I traced further in and came across this part of the program.

Name Manipulation
-----------------
:00446B21 0FBE07 movsx eax, byte ptr [edi]
edi contains the Name and 1st char is moved into eax
:00446B24 8BD3 mov edx, ebx
:00446B26 83E20F and edx, 0000000F
:00446B29 0FBE8C1500FFFFFF movsx ecx, byte ptr [ebp+edx-00000100]
:00446B31 F7E9 imul ecx
:00446B33 03F0 add esi, eax
:00446B35 43 inc ebx
:00446B36 47 inc edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00446B1F(U)
|
:00446B37 8D45B0 lea eax, dword ptr [ebp-50]
:00446B3A 50 push eax
:00446B3B E880510300 call 0047BCC0
more manipulations on Name
:00446B40 59 pop ecx
:00446B41 3BD8 cmp ebx, eax
:00446B43 76DC jbe 00446B21
from 00446B21 to 00446B43, the Name is being manipulated
* Possible Ref to Menu: MenuID_0064, Item: "Draw Freehand Volume Curve..."
|* Possible Reference to String Resource ID=00001: "Enter an arbitary volume curve"
|
:00446B45 BB01000000 mov ebx, 00000001
:00446B4A 8DBD60FFFFFF lea edi, dword ptr [ebp+FFFFFF60]
Loaded address that contains Company into edi
:00446B50 EB16 jmp 00446B68

Company Manipulation
--------------------
:00446B68 8D8560FFFFFF lea eax, dword ptr [ebp+FFFFFF60]
Address that contains the Company is being loaded into eax
:00446B6E 50 push eax
:00446B6F E84C510300 call 0047BCC0
more manipulations on Company
:00446B74 59 pop ecx
:00446B75 3BD8 cmp ebx, eax
:00446B77 76D9 jbe 00446B52
from 00446B68 to 00446B77, the Company is being manipulated

More Manipulations
------------------
:00446B79 8BC6 mov eax, esi
:00446B7B B9A0860100 mov ecx, 000186A0
:00446B80 33D2 xor edx, edx
:00446B82 F7F1 div ecx
:00446B84 52 push edx
edx contains the correct serial.
View it using "? edx" without quote in SICE.
Note: this serial is not complete yet.

* Possible StringData Ref from Data Obj ->"AC200-%d"
|
:00446B85 68A39F4900 push 00499FA3
:00446B8A 8D85A0FEFFFF lea eax, dword ptr [ebp+FFFFFEA0]
:00446B90 50 push eax
:00446B91 E8DA880300 call 0047F470
Combining AC200- with correct serial generated
:00446B96 83C40C add esp, 0000000C
:00446B99 8D9510FFFFFF lea edx, dword ptr [ebp+FFFFFF10]
edx = 1234567890 (our input)
:00446B9F 52 push edx
push value of edx on stack for the lstrcmpA
:00446BA0 8D8DA0FEFFFF lea ecx, dword ptr [ebp+FFFFFEA0]
Task II.4: ecx = correct serial
do a "d ecx" without quote in SICE and look at the data window
:00446BA6 51 push ecx
Note 1: push value of ecx on stack for the lstrcmpA
* Reference To: KERNEL32.lstrcmpA, Ord:0000h
|
:00446BA7 E8AE460400 Call 0048B25A
Comparing the two strings
:00446BAC 85C0 test eax, eax
:00446BAE 0F94C0 sete al
:00446BB1 83E001 and eax, 00000001
setting al as the marker for correct or wrong serial
:00446BB4 5F pop edi
:00446BB5 5E pop esi
:00446BB6 5B pop ebx
:00446BB7 8BE5 mov esp, ebp
:00446BB9 5D pop ebp
:00446BBA C3 ret

Note 1:
Ok. Since there are 2 pushes for lstrcmpA, one of which is the correct Keycode (ecx) and the other is our fake Keycode (edx), whatever is pushed on the stack will be used. So, my 1-byte patch is to push whatever is loaded first, in this case the fake serial at 00446B99. It is followed by a PUSH edx (52h). The next push is PUSH ecx (51h) and that contains the correct serial. I changed PUSH ecx to PUSH edx, i.e. 51h to 52h at offset 461A6. Thus the stack contains 2 values which are the same. 8)

Since now the two values are the same, the marker al is always set to 1. Thus, no more Nag, no more expiration and the About box contains what we want.

Job done.