Posted by a_ronin on 1/29/2000, 10:26 am
202.160.12.35
My first attempt produced an empty msgbox, though there was no mistake. The problem is with the original code: the box routine overwrote the location of the serial. The problem is easily solved if one notices that the instruction below is redundant:
0167:00446BA0 8D8DA0FEFFFF LEA ECX,[EBP-0160]
because ECX already points to another correct serial, which is actually preserved and can be displayed simply:
0167:004472CF 6857A14900 PUSH 0049A157
Fix it to 'push 0073F068' instead of the 'bad guess' text.
That's the simple way; the more enjoyable (yeah, realtime programming/debugging asm!) and also longer exercise was to preserve the 'other' good serial somehow. I did it this way: saved the good value with an extra push to the stack, popped it into EDX (which is not used afterwards), then pushed EDX and some filler NOPs for the messagebox instead - 11 bytes changed altogether. I reckon ShADė's mentioned 28-byte solution was to overwrite the 'bad message' text itself with the serial - another good way to enjoy a lil coding. Guess what, I freed up half an hour to explore possibilities along that path, too. That proves I cannot resist such temptations, even if there are more needed jobs waiting in a long queue :)
Some 3-28 bytes for keygen patches are still much less than needed for any dedicated keygen - but sure cannot beat the single-byte regpatch. That's their ranking of elegance, IMO.

Regards