Mustapha
January 4th, 2001, 19:58
Hi Kayaker,
I met the project too late. I read some of the tuts and
I tried it myself to see what happened. Well, ungraying the
"Save as" was easy, but making it work is another story.
When I read Lord Soth's tut "Now, trace through the code,
carefully look for that CMP, and you should see it after a while."
I thought I must be prepared for that *While*. I was looking for
E104 or 111, something that could give force to my finger,
because it was tired of pressing F8. In some part of the
code, EBX=111 and I entered into a Call, then EBX was xored,
but three lines after that there was a CMP, or I must say The Holy CMP.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00497E48(C)
|
:00497E93 57              push edi
:00497E94 0FB7F8          movzx edi, ax
:00497E97 33DB            xor ebx, ebx                  ; EBX is xored
:00497E99 8BF1            mov esi, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00497E50(C)
|
:00497E9B C1E810          shr eax, 10
:00497E9E 395D0C          cmp dword ptr [ebp+0C], ebx
:00497EA1 894508          mov dword ptr [ebp+08], eax
:00497EA4 753A            jne 00497EE0                  ; <---- here: MUST BE JMP (EB)
:00497EA6 3BFB            cmp edi, ebx
:00497EA8 7466            je 00497F10
:00497EAA 8D4DD4          lea ecx, dword ptr [ebp-2C]
:00497EAD E8A9FFFFFF      call 00497E5B
:00497EB2 8B06            mov eax, dword ptr [esi]
:00497EB4 8D4DD4          lea ecx, dword ptr [ebp-2C]
:00497EB7 53              push ebx
:00497EB8 51              push ecx
:00497EB9 6AFF            push FFFFFFFF
:00497EBB 57              push edi
:00497EBC 8BCE            mov ecx, esi
:00497EBE 897DD8          mov dword ptr [ebp-28], edi
:00497EC1 FF5014          call [eax+14]
:00497EC4 395DFC          cmp dword ptr [ebp-04], ebx
:00497EC7 743E            je 00497F07                   ; <---- here: MUST BE NOP (90)
:00497EC9 895D08          mov dword ptr [ebp+08], ebx
If I change one of the CMPs, the program works well. I do not know
why the two CMPs are there. I write this because I'm very happy now,
and because it is good to tell how things happened, or what was
in my (or someone's) mind at that moment.
(Maybe the power of my little finger did the job, who knows?)
I must say that this Project was great because it makes you go deeper
into reversing.
Regards,
Mustapha
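The two byte patches named in the post above (jne -> jmp at 00497EA4, je -> nop nop at 00497EC7), applied programmatically as an added example that is not part of the original post. The code buffer is constructed from the opcode bytes in the listing; in real use you would read the bytes from the target file at the file offset that maps to these virtual addresses (that VA-to-offset translation through the PE section table is assumed and not done here). The patcher verifies the original bytes before writing, so it refuses to run against the wrong file or an already patched one, and a helper recomputes the short-jump target to confirm that changing 75 to EB keeps the same destination because the rel8 displacement byte is unchanged.

```python
"""
Apply the two byte patches described in the post to a code buffer.

  00497EA4  75 3A  jne 00497EE0  ->  EB 3A  jmp 00497EE0  (always branch)
  00497EC7  74 3E  je  00497F07  ->  90 90  nop; nop      (never branch)

A short conditional jump (74/75 rel8) and a short unconditional jump
(EB rel8) are both two bytes, so the displacement byte is reused and
no other instruction moves. Two NOPs replace the two-byte je, so the
instruction stream stays aligned.
"""
import struct

# Constructed from the W32Dasm listing in the post: bytes at 00497E93..00497ECB.
LISTING_VA = 0x00497E93
CODE = bytes.fromhex(
    "57"            # push edi
    "0FB7F8"        # movzx edi, ax
    "33DB"          # xor ebx, ebx
    "8BF1"          # mov esi, ecx
    "C1E810"        # shr eax, 10
    "395D0C"        # cmp [ebp+0C], ebx
    "894508"        # mov [ebp+08], eax
    "753A"          # jne 00497EE0     <- patch 1
    "3BFB"          # cmp edi, ebx
    "7466"          # je 00497F10
    "8D4DD4"        # lea ecx, [ebp-2C]
    "E8A9FFFFFF"    # call 00497E5B
    "8B06"          # mov eax, [esi]
    "8D4DD4"        # lea ecx, [ebp-2C]
    "53"            # push ebx
    "51"            # push ecx
    "6AFF"          # push FFFFFFFF
    "57"            # push edi
    "8BCE"          # mov ecx, esi
    "897DD8"        # mov [ebp-28], edi
    "FF5014"        # call [eax+14]
    "395DFC"        # cmp [ebp-04], ebx
    "743E"          # je 00497F07      <- patch 2
    "895D08"        # mov [ebp+08], ebx
)

# (virtual address, expected original bytes, replacement bytes)
PATCHES = [
    (0x00497EA4, b"\x75\x3A", b"\xEB\x3A"),   # jne -> jmp, same rel8
    (0x00497EC7, b"\x74\x3E", b"\x90\x90"),   # je  -> nop nop
]


def short_jump_target(buf: bytes, base_va: int, off: int) -> int:
    """Target VA of a two-byte short jump (7x/EB rel8) located at buf[off]."""
    rel8 = struct.unpack_from("<b", buf, off + 1)[0]
    return base_va + off + 2 + rel8


def apply_patches(buf: bytes, base_va: int, patches) -> bytes:
    """Return a patched copy of buf; refuse if the original bytes do not match."""
    out = bytearray(buf)
    for va, expected, replacement in patches:
        if len(replacement) != len(expected):
            raise ValueError("patch must not change instruction length")
        off = va - base_va
        if not 0 <= off <= len(out) - len(expected):
            raise ValueError(f"{va:08X} lies outside the buffer")
        found = bytes(out[off:off + len(expected)])
        if found != expected:
            raise ValueError(f"bytes at {va:08X} are {found.hex()}, expected "
                             f"{expected.hex()} (wrong file or already patched?)")
        out[off:off + len(replacement)] = replacement
    return bytes(out)


if __name__ == "__main__":
    patched = apply_patches(CODE, LISTING_VA, PATCHES)
    for va, _, _ in PATCHES:
        off = va - LISTING_VA
        print(f"{va:08X}: {CODE[off:off + 2].hex()} -> {patched[off:off + 2].hex()}")
    jne_off = 0x00497EA4 - LISTING_VA
    print(f"jmp target after patch: {short_jump_target(patched, LISTING_VA, jne_off):08X}")
```

The length check and the expected-bytes check are what make this safe to re-run: a second pass over the same buffer raises instead of silently overwriting the EB/90 bytes with something else.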