Possible project here...Multiple tasks involved!


ThRaX
January 7th, 2001, 19:15
Hey all, here is a semi-menu-enabling project for you all to work on. Also, it quits you out of the program after 30 minutes, and only has 16 uses available...

ht*p://www.software-technology.com/scripts/downform.pl

(ht*p://www.software-technology.com/scripts/downform.html if that doesnt work)

For me, I downloaded the downform.pl file and renamed it to downform.exe, then ran it and it installed the program...a bit strange....

Anyway, anyone who has any luck, please post here. So far I've been totally stumped...

Later

--ThRaX

Kayaker
January 8th, 2001, 17:33
New Project - Vaz+ 1.7

Hi All,

Hmmm, this smells of a nice project. Small d/l size (970Kb), not packed, written in Delphi, disassembles with DeDe. Nice find Thrax.

OK, how about we make this the next project? Sharpen your pencils ^_^

I found I had to go to the main site at
ht*p://www.software-technology.com
to d/l it. You don't really need to enter your email address, but you do need to change the filename from downform.pl to downform.exe as Thrax says.

I haven't had too close a look at it yet, but it looks like it might be fun.

This demo is fully functional with the following exceptions:
1. You CAN save, but NOT load patches (except defaults)
2. It will time-out after 30 minutes
3. It can be used a maximum of 16 times

Well, that sounds like 3 nice tasks ready-made for us

1. The Open button is enabled but you get a demo nag. Does the code for opening files actually exist and can you restore this functionality? This may be the hardest task. Review the last Menu Enabling project if this is your first shot at this.

2. Timeout after 30 minutes. What's used to monitor the time? A timer event? GetLocalTime? GetTickCount? TickTockExA?

Can you find a way to subvert the timer for unlimited use? How about changing it to limit your usage to 1 hour max? (gotta save some playtime for RCE)

3. Maximum uses of 16. Where is this info kept, a file, the registry? Can you modify the code so that after every use a *fixed* value is written back so that the maximum uses check always passes? i.e. don't patch a simple
CMP EAX, 10
JG
make it a little more ingenious.


Bonus Task? There's other potential here as well. Any other ideas? It has a nice splash/nag screen that you need to click on to continue. Sure would be nice to get rid of that...


I think at least 2 of these tasks should be reasonably easy so it would be nice to hear from anyone who hasn't posted much yet and has any questions or comments, or feels like sharing their results.

Good Luck once again,

Kayaker

MaTRiX_2k
January 9th, 2001, 15:05
Hello All,


I think I am close to solving the 3rd task. There is a patch you can make
to run it more than 16 times. Maybe you all might have already done it.
But hey, give me a chance to be the first one to post a solution for the
easiest part of the project.

* Possible StringData Ref from Code Obj ->"VAZ+ Demo"
|
:004A6391 BAC46A4A00 mov edx, 004A6AC4
:004A6396 E8FD40FAFF call 0044A498 -----> Call for the splash screen, I think
:004A639B E88C1CFCFF call 0046802C -----> Critical call. Maybe it counts. Too confusing!
:004A63A0 84C0 test al, al
:004A63A2 0F8598000000 jne 004A6440 ---->********** Patch it to jmp and no 16 times limit.
:004A63A8 A1588A4B00 mov eax, dword ptr [004B8A58]
:004A63AD 8B00 mov eax, dword ptr [eax]
:004A63AF E86413FAFF call 00447718
:004A63B4 A1448C4B00 mov eax, dword ptr [004B8C44]
:004A63B9 8B00 mov eax, dword ptr [eax]
:004A63BB 33D2 xor edx, edx
:004A63BD E87A29FAFF call 00448D3C
:004A63C2 6A00 push 00000000
:004A63C4 8D4DEC lea ecx, dword ptr [ebp-14]

* Possible StringData Ref from Code Obj ->"The VAZ+ demo will only run 16 "
->"times. Would"
|
:004A63C7 BAD86A4A00 mov edx, 004A6AD8

* Possible StringData Ref from Code Obj ->"DemoRunCount1"
|
:004A63CC B80C6B4A00 mov eax, 004A6B0C
:004A63D1 E85AB3FAFF call 00451730
:004A63D6 FF75EC push [ebp-14]
:004A63D9 68246B4A00 push 004A6B24
:004A63DE 8D4DE8 lea ecx, dword ptr [ebp-18]

* Possible StringData Ref from Code Obj ->"you like to place a web order "
->"for VAZ+?"
|
:004A63E1 BA306B4A00 mov edx, 004A6B30

* Possible StringData Ref from Code Obj ->"DemoRunCount2"
|
:004A63E6 B8606B4A00 mov eax, 004A6B60
:004A63EB E840B3FAFF call 00451730
:004A63F0 FF75E8 push [ebp-18]
:004A63F3 8D45F0 lea eax, dword ptr [ebp-10]
:004A63F6 BA03000000 mov edx, 00000003
:004A63FB E83CDAF5FF call 00403E3C
:004A6400 8B45F0 mov eax, dword ptr [ebp-10]
:004A6403 668B0D706B4A00 mov cx, word ptr [004A6B70]
:004A640A B201 mov dl, 01
:004A640C E8F7A4FAFF call 00450908
:004A6411 83F806 cmp eax, 00000006
:004A6414 7517 jne 004A642D
:004A6416 6A00 push 00000000
:004A6418 6A00 push 00000000
:004A641A 6A00 push 00000000

Continued:-

MaTRiX_2k
January 9th, 2001, 15:08
Hey, and I also managed to remove the nags for Open/Capture etc.

But could not make them function.

I did not manage to find a single breakpoint in S-ICE.
I made a bpx MessageBoxA for the MsgBox we get for the Open menu, but...
Again made a bpx MessageBoxA for the MsgBox we get after 16 uses, but...
Made a bpx for EnableMenuItem, but...
Made a bpx for Get & SetMenuItemInfoA, but... no result.

Don't know what to do.
Can anyone help me?


Here is the code related to the nags:-


The nag code:-

* Referenced by a CALL at Addresses:
|:004A1E8D , :004A2685 , :004A26A1 , :004A2869
|
:00467ECC 55 push ebp
:00467ECD 8BEC mov ebp, esp
:00467ECF 33C9 xor ecx, ecx
:00467ED1 51 push ecx
:00467ED2 51 push ecx
:00467ED3 51 push ecx
:00467ED4 51 push ecx
:00467ED5 8945FC mov dword ptr [ebp-04], eax
:00467ED8 8B45FC mov eax, dword ptr [ebp-04]
:00467EDB E850C0F9FF call 00403F30
:00467EE0 33C0 xor eax, eax
:00467EE2 55 push ebp
:00467EE3 68547F4600 push 00467F54
:00467EE8 64FF30 push dword ptr fs:[eax]
:00467EEB 648920 mov dword ptr fs:[eax], esp
:00467EEE 6A00 push 00000000
:00467EF0 8D4DF4 lea ecx, dword ptr [ebp-0C]
:00467EF3 8B55FC mov edx, dword ptr [ebp-04]
:00467EF6 8B45FC mov eax, dword ptr [ebp-04]
:00467EF9 E83298FEFF call 00451730
:00467EFE FF75F4 push [ebp-0C]
:00467F01 68687F4600 push 00467F68
:00467F06 8D4DF0 lea ecx, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"is disabled in the demo."
|
:00467F09 BA747F4600 mov edx, 00467F74


Nag For Open Button:-

* Possible StringData Ref from Code Obj ->"Patch loading"

:004A1E88 B89C1E4A00 mov eax, 004A1E9C
:004A1E8D E83A60FCFF call 00467ECC -> call for nag Proc
:004A1E92 C3 ret

Nag For Capture Button:-

* Possible StringData Ref from Code Obj ->"Capture"

:004A2680 B894264A00 mov eax, 004A2694
:004A2685 E84258FCFF call 00467ECC ->call for nag Proc
:004A268A C3 ret

I Don't know for which button:-

* Possible StringData Ref from Code Obj ->"Patch memory loading"

:004A2864 B878284A00 mov eax, 004A2878
:004A2869 E85E56FCFF call 00467ECC -> call for nag
:004A286E C3 ret


Nag for I don't know what, maybe for Capture Sequence. But did not find it in the string refs.


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A2616(C)
|
:004A268C FFFFFFFF BYTE 4 DUP(0ffh)
:004A2690 07 pop es
:004A2691 000000 BYTE 3 DUP(0)


:004A2694 43 inc ebx
:004A2695 61 popad
:004A2696 7074 jo 004A270C
:004A2698 7572 jne 004A270C
:004A269A 6500B8B0264A00 add byte ptr gs:[eax+004A26B0], bh
:004A26A1 E82658FCFF call 00467ECC ->Call For Nag
:004A26A6 C3 ret


That's it for now. I know i missed a lot of details, but i will be back.

With Regards
MaTRiX

PS:-

Please help me on the breakpoint thing. I did not get a single entry point
for task 1.
How do I patch a prog permanently?
Which tool should I use?
a [address] is only temporary in S-ICE.
Help wanted for this too!

Thanks Again

Mustafa
January 9th, 2001, 17:42
I do not know why I cannot download the file.
In this webpage I can see only to prog.
Am I right??

Kayaker
January 9th, 2001, 18:22
Hi Mustafa,

It's a little weird, but you need to go to the main page at
h*ttp://www.software-technology.com
select your Country, then click on Vaz+1.7. It then kicks you to a page where near the bottom you can select d/l, where it THEN kicks you to the /downform.htm page, where you can THEN select the product again and press submit.

Kinda dumb. You *might* have problems if you don't have javascript enabled, or some other config problem.

Let me know if anyone else has real problems with this and I'll up it to this board.

Kayaker

mersenne
January 10th, 2001, 01:35
Good to be back! Missed out on the last project but glad to see there is a new one afoot.

MaTRiX, you didn't mention how you found your way to the code above. Would be interested to know.

I've had a brief look also at task 3 (figured that was going to be the most limiting factor) and here are some preliminary findings. Hope I haven't jumped the gun, Kayaker; enthusiasm is hard to quench.

Monitoring the install didn't turn up anything unexpected except for some cryptic looking registry entries. After checking the program with FileMon and RegMon a couple of times, some entries in RegMon caught my eye.

OpenKey HKLM\Software\CLASSES\CLSID\{A0E64221-706C-11d3-98D8-D2E7EFBCEAA4}\Control SUCCESS hKey: 0xC2307780

QueryValueEx HKLM\Software\CLASSES\CLSID\{A0E64221-706C-11d3-98D8-D2E7EFBCEAA4}\Control\ID SUCCESS 0x4

SetValueEx HKLM\Software\CLASSES\CLSID\{A0E64221-706C-11d3-98D8-D2E7EFBCEAA4}\Control\ID SUCCESS 0x5

CloseKey HKLM\Software\CLASSES\CLSID\{A0E64221-706C-11d3-98D8-D2E7EFBCEAA4}\Control SUCCESS

Each time I ran the program the SetValueEx function had the number corresponding to that on the splash screen. In this case "Preparing to run for the 5th time of 16..."

So the program opens the key (RegOpenKeyEx), checks its value (RegQueryValueEx), adds 1 and updates the registry key (RegSetValueEx). This was easily tested by double clicking on the "SetValueEx" line in the regmon display, which started regedit and opened the registry to the correct location. When the value is modified (right click on the ID key and select edit), the change is reflected in the splash screen when the program is started again.

A quick disassembly and check for the RegSetValueEx function indicates that there is only one call to the function. Lovely! So now I'm off to snoop a little further and aim to find where the value is incremented.

Regards
Mersenne

Mustafa
January 10th, 2001, 10:52
Mmmm, when I disassemble it, I have no strings like the other people??

mersenne
January 10th, 2001, 17:11
Quote:
Mustafa (01-09-2001 23:52):
Mmmm, when I disassemble it, I have no strings like the other people??


Hi Mustafa,

What are you disassembling it with?

Regards
Mersenne

90h
January 10th, 2001, 19:16
If you are using W32Dasm, do not use the Visual Basic strings patch (or W32Dasm Fx v1.00 patch) or you will not get strings.

-------
I managed to remove
2. It will time-out after 30 minutes
3. It can be used a maximum of 16 times
Bonus. nag screen(click to continue)

MaTRiX_2k, your solution does not work 100%: if you use the program 18+ times (I think) it is very buggy (you get lots of error messages). This is how I patched the 16 times...

I looked in call 0046802C and found
00468113 cmp edi, 10h ; edi = number of times used
then looked for edi and found
00468099 mov edi,eax ; patch to xor edi, edi

90h
January 10th, 2001, 20:11
One more thing: using DeDe with the symbol files vclx40.dsf and vcl40.dsf loaded will make call 0046802C a lot less confusing.

mersenne
January 10th, 2001, 22:52
Hi all,

This is my solution for task three which follows from my post above. In order to write a fixed value to the registry I figured I needed to find where the value was being incremented.

After disassembling the program in W32Dasm we can search the imported functions for the RegSetValueExA function (registry functions are found in advapi32.dll) we found using RegMon. It is only called once in the entire program, which makes our life easier. If you check your trusty Win32 API reference for this function you will find the address of the data written to the registry is pushed at 467B08 and is stored at ebp-04.

:00467AFF 8BF0 mov esi, eax
:00467B01 8B450C mov eax, dword ptr [ebp+0C]
:00467B04 50 push eax
:00467B05 8B45FC mov eax, dword ptr [ebp-04]
:00467B08 50 push eax
:00467B09 56 push esi
:00467B0A 6A00 push 00000000
:00467B0C 8BC7 mov eax, edi
:00467B0E E82DC4F9FF call 00403F40
:00467B13 50 push eax
:00467B14 8B4304 mov eax, dword ptr [ebx+04]
:00467B17 50 push eax

* Reference To: advapi32.RegSetValueExA, Ord:0000h
|
:00467B18 E8FFE8F9FF Call 0040641C


Time to start tracing back through the code looking for references to ebp-04. If you move up the disassembly a little way you will come to the following

:00467AE2 894DFC mov dword ptr [ebp-04], ecx

where the updated value gets moved from ecx to ebp-04. So now we need to look for references to ecx. Keep tracing up the code and you will see that this code is referenced by two calls

* Referenced by a CALL at Addresses:
|:00467A85 , :00467A9C

Let's look at the second one. Directly before the call is made the value we are interested in is moved into ecx from the stack at address esp+8. Three lines further up the value from ecx is moved to the stack address esp (which incidentally is the same as esp+8 further down due to the two pushes).

* Referenced by a CALL at Address:
|:004680BE
|
:00467A90 51 push ecx
:00467A91 890C24 mov dword ptr [esp], ecx
:00467A94 6A04 push 00000004
:00467A96 6A03 push 00000003
:00467A98 8D4C2408 lea ecx, dword ptr [esp+08]
:00467A9C E833000000 call 00467AD4

So we are still interested in ecx, lets keep tracing up to where this code is called from, namely 4680BE.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004680A3(U)
|
:004680B1 8D7701 lea esi, dword ptr [edi+01]
:004680B4 8BCE mov ecx, esi
:004680B6 BAA4814600 mov edx, 004681A4
:004680BB 8B45FC mov eax, dword ptr [ebp-04]
:004680BE E8CDF9FFFF call 00467A90

At 4680B4 the value in esi is moved into ecx and directly before that we see that value in esi=edi + 1 which is exactly what we are looking for. It is good to confirm this "live" in a debugger, which I did. So how do we patch it? If we change

:004680B1 8D7701 lea esi, dword ptr [edi+01]

to

:004680B1 8D37 lea esi, dword ptr [edi]
:004680B3 90 nop

then whatever value we have in the registry will remain and never get incremented. Problem solved. If you have any questions, just ask and help will be forthcoming.

Regards
Mersenne

MaTRiX
January 11th, 2001, 00:58
Possible StringData Ref from Code Obj ->"VAZ+ Demo"
|
:004A6391 BAC46A4A00 mov edx, 004A6AC4
:004A6396 E8FD40FAFF call 0044A498 -----> Call for the splash screen, I think
:004A639B E88C1CFCFF call 0046802C -----> Critical call. Maybe it counts. Too confusing! Code is given below
:004A63A0 84C0 test al, al
:004A63A2 0F8598000000 jne 004A6440 ---->********** Patch it to jmp and no 16 times limit. I may be wrong here. I think this patch stops the compare func itself. I think the prog needs this call to compare.
-------------------------------------------------------------------------
* Referenced by a CALL at Address:
|:004A639B
|
:0046802C 55 push ebp
:0046802D 8BEC mov ebp, esp
:0046802F 83C4F8 add esp, FFFFFFF8
:00468032 53 push ebx
:00468033 56 push esi
:00468034 57 push edi
:00468035 33C0 xor eax, eax
:00468037 8945F8 mov dword ptr [ebp-08], eax
:0046803A 33C0 xor eax, eax
:0046803C 55 push ebp
:0046803D 683A814600 push 0046813A
:00468042 64FF30 push dword ptr fs:[eax]
:00468045 648920 mov dword ptr fs:[eax], esp
:00468048 B201 mov dl, 01
:0046804A A104774600 mov eax, dword ptr [00467704]
:0046804F E8F0F7FFFF call 00467844
:00468054 8945FC mov dword ptr [ebp-04], eax
:00468057 BA02000080 mov edx, 80000002
:0046805C 8B45FC mov eax, dword ptr [ebp-04]
:0046805F E878F8FFFF call 004678DC
:00468064 8D55F8 lea edx, dword ptr [ebp-08]
:00468067 B854814600 mov eax, 00468154
:0046806C E837FFFFFF call 00467FA8
:00468071 8B55F8 mov edx, dword ptr [ebp-08]
:00468074 B101 mov cl, 01
:00468076 8B45FC mov eax, dword ptr [ebp-04]
:00468079 E8C2F8FFFF call 00467940------>RegOpenKeyA
:0046807E 33C0 xor eax, eax
:00468080 55 push ebp
:00468081 68A5804600 push 004680A5
:00468086 64FF30 push dword ptr fs:[eax]
:00468089 648920 mov dword ptr fs:[eax], esp
:0046808C BAA4814600 mov edx, 004681A4
:00468091 8B45FC mov eax, dword ptr [ebp-04]
:00468094 E80BFAFFFF call 00467AA4------->Very Imp

MaTRiX
January 11th, 2001, 00:59
continued


#################################################################
this in turn calls 0167:00467ab7 call 00467b78 ----->RegQueryValueExA
this in turn calls 0167:00467bf3 call 0046781c ----->Very interesting,
but don't know what it does;
#################################################################
:00468099 8BF8 mov edi, eax
:0046809B 33C0 xor eax, eax
:0046809D 5A pop edx
:0046809E 59 pop ecx
:0046809F 59 pop ecx
:004680A0 648910 mov dword ptr fs:[eax], edx
:004680A3 EB0C jmp 004680B1----->Very Interesting
###################################################################
Jumps to the code, to inc the value retrieved from registry.
And also for RegSetValueExa
The Code Is Given Below
###################################################################
:004680A5 E98AB2F9FF jmp 00403334
:004680AA 33FF xor edi, edi
:004680AC E833B5F9FF call 004035E4
-----------------------------------------------------------------------


Oh no, time's up. Got to go. I will continue. I have a lot more to ask
and share.

Bye Bye
MaTRiX

PS:-
Mersenne, I used the string refs of W32Dasm to get
to the code.
There is another problem: I am getting logged
out every time I try to post.
Don't know why?

Kayaker
January 11th, 2001, 01:49
Hi All,

There's an interesting little ASM tidbit brought up here with the 16 times usage check. People have found that the check occurs at

:004A639B E88C1CFCFF call 0046802C
:004A63A0 84C0 test al, al
:004A63A2 0F8598000000 jne 004A6440
.
.
* Possible StringData Ref from Code Obj ->"The VAZ+ demo will only run 16 "

and the value of al is set within the Call 0046802C (where there is a call to RegQueryValueExA of the reg entry Mersenne mentions)

:00468113 83FF10 cmp edi, 00000010 ; cmp #uses w/ 16
:00468116 0F92C3 setb bl ; set bl to 0 or 1 depending on Carry Flag
.
.
:00468141 8BC3 mov eax, ebx

It's interesting to note that SETB is used instead of an immediate JG or JL, which delays the jump until later. You can use 'r edi' in Softice to edit EDI and see the effect on the Carry flag.


SETB is one of a number of “Set on Condition” instructions that can be used to test a Register flag or the results of a comparison. You can check out the Art of Assembly reference for more on this.

"The set on condition (or setcc) instructions set a single byte operand (register or memory location) to zero or one depending on the values in the flags register. Setcc represents a mnemonic appearing in the following tables. These instructions store a zero into the corresponding operand if the condition is false, they store a one into the eight bit operand if the condition is true.

The cmp instruction works synergistically with the setcc instructions. Immediately after a cmp operation the processor flags provide information concerning the relative values of those operands. They allow you to see if one operand is less than, equal to, greater than, or any combination of these."

i.e.
SETA  Set if above (>)       ; Carry=0, Zero=0
SETB  Set if below (<)       ; Carry=1
SETZ  Set if equal (=)       ; Zero=1
SETNZ Set if not equal (!=)  ; Zero=0



BTW, check out the possibilities of registering this puppy. There's a ref to 'Serial' and 'License' that the proggy seems to want to read from its ini file. I found that if you R FL Z a certain jump while it's using GetPrivateProfileStringA on the section
[VAZ]
Version=VAZ Plus 1.6
then it also looks for Serial and License. I'm not sure if this is a dead end or not, but it *might* be the check for registration. Still working on this myself ;-)

As for enabling the menu functions, you can find a lot of references to the events with DeDe, and it does look like the code for "Open" and the others are there, they're just not called but instead you get a TMessageForm nag (BTW, this is why you don't get the usual breakpoints on MessageBoxA etc, Matrix, this is Delphi, a real strange critter)

I've found where the indirect call that goes to each menu function is, and I can see the address table where the "wrong" address of 4A1E88 is set up, which calls the nag, but I can't see that there's any easy flag patch. Sooo...what I'm thinking now is to try to find that address hard-coded in the file and change it to where I think it SHOULD point to when the OnClickEvent occurs, the start of the real "Open" code, which I think exists.

There's a few recent Delphi tuts on Tsehp's site which nicely discuss how Delphi is actually set up and how you CAN change pointers to address what you want (to a degree). Worth looking at. Well, back to it.

Cheers,

Kayaker

mersenne
January 14th, 2001, 17:59
Hello everyone,

No-one seems to have posted about task 2, the 30 minute time-out, yet. Here is what I found. While the program is running, if you set your computer clock forward 45 minutes, the program does not time-out. This suggested to me that a timer was being used rather than relying on the system time. If that was the case then the time should be in milliseconds. For 30 minutes this is equal to 1800000d = 1B7740h. If you check the imports, SetTimer and KillTimer are there so I gave them a look. I didn't get much joy from this and after chasing my tail around for a bit, tried a different approach. I went back to DeDe and from the procedures tab selected "main" which is the TSynthForm. If you scroll down the events in the right pane you will come across IdleTimerTimer. Double click on that and the disassembly for that procedure will pop up. You will see a reference to winmm.timeGetTime, which I have not come across before but looks suspicious, and a few lines down there is our magic time value.


* Reference To: winmm.timeGetTime, Ord:0000h
|
:004A1AAF E86CF1FAFF Call 00450C20
:004A1AB4 2B8358070000 sub eax, dword ptr [ebx+00000758]
:004A1ABA 3D40771B00 cmp eax, 001B7740
:004A1ABF 765A jbe 004A1B1B

While we are within our 30 minute time period, we always take the jump. Otherwise the call to the "Demo time limit has expired" nag at 4A1B0F is executed. So to change the limit to 1 hour it is a simple matter of changing 1B7740 to 36EE80. To check whether I could bypass the timer though I needed to have a shorter time period. So I changed

:004A1ABA cmp eax, 001B7740

to

:004A1ABA cmp ax, 7530
:004A1ABE nop

which times me out after 30 seconds. Makes it much easier to test any changes this way. Although there are probably many ways to overcome this protection, simply changing

:004A1ABF 765A jbe 004A1B1B

to

:004A1ABF EB5A jmp 004A1B1B

forces the jump past the demo nag and appears to work. A better solution would be to kill the timer but I haven't investigated this as yet.

I have only begun looking at the menu stuff but after opening the program in a resource editor, I found the code for the Open patch dialog does exist in RCData and not surprisingly is called TOpenPatchDlg. It starts at offset FB10C for those that want to see it. Using DeDe, I found that all the other events of a similar nature like SavePatchDlg, SaveSeqDlg, OpenSeqDlg etc all have the same format as shown below

:0049DA5F 005351 add byte ptr [ebx+51], dl

In DeDe this disassembles to

53 push bx
51 push ecx?

:0049DA62 8BD8 mov ebx, eax
:0049DA64 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:0049DA6A E8B138FBFF call 00451320

The [ebx+000002D8] refers to both saves (patch and sequencer) as both dialogs are identical except for a few bits and pieces. I wonder if this might hold for open? Open patch is disabled but open sequence is ENABLED. There is a reference to OpenWaveDlg which shares the same [ebx+000002E0] address. Sorry this last bit is so garbled, I need to examine it a bit further and try and make sense of what is happening. I just posted this bit in case it fits in with what someone else has found.

Regards

Mersenne
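The changes worked out in this post and in the run-counter post above (`lea esi,[edi+1]` to `lea esi,[edi]; nop`, `1B7740h` to `36EE80h`) are all same-length, in-place byte edits, and MaTRiX asked earlier how to make such a patch permanent instead of using `a` in SoftICE. The script below is an added example, not code from the thread or from the VAZ+ author: it maps a W32Dasm virtual address to a file offset through the PE section table, refuses to write unless the original bytes are where they are expected, and only then writes the replacements. The stand-in image it builds when run without arguments is constructed here (ImageBase 400000h, one .text section at RVA 1000h / raw offset 400h); that layout is an assumption, chosen because it reproduces the file offsets quoted later in the thread (VA 4A1E88h at A1288h, VA 4A2795h at A1B95h). The `--file` option and the `.patched` output name are this example's own.

```python
"""In-place byte patcher: VA -> file offset via the PE32 section table, with an
original-bytes check before anything is written. Added example, not thread code."""
import struct
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int  # RVA of the section in memory
    raw_pointer: int      # PointerToRawData: where its bytes start in the file
    raw_size: int         # SizeOfRawData


@dataclass(frozen=True)
class Patch:
    va: int
    old: bytes   # bytes W32Dasm shows at that VA; the patch is refused if they differ
    new: bytes   # same length as old, so nothing after it shifts
    note: str


# The two in-place patches from the thread (virtual addresses as shown in W32Dasm).
VAZ_PATCHES = (
    Patch(0x4680B1, bytes.fromhex("8D7701"), bytes.fromhex("8D3790"),
          "lea esi,[edi+1] -> lea esi,[edi]; nop  (run counter never increments)"),
    Patch(0x4A1ABA, bytes.fromhex("3D40771B00"), bytes.fromhex("3D80EE3600"),
          "cmp eax,1B7740h -> cmp eax,36EE80h  (30 minute limit becomes 60)"),
)


def read_sections(data):
    """Parse a PE32 header; returns (image_base, [Section, ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]     # OptionalHeader.ImageBase
    table = opt + opt_size
    sections = []
    for i in range(nsec):
        name, _vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), va, rptr, rsize))
    return image_base, sections


def va_to_offset(va, image_base, sections):
    """offset = PointerToRawData + (VA - ImageBase - section RVA)."""
    rva = va - image_base
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.raw_size:
            return s.raw_pointer + (rva - s.virtual_address)
    raise ValueError(f"VA {va:#010x} is not backed by file data")


def apply_patches(image, patches):
    """Check every patch's original bytes first, then write all of them.
    Returns [(va, file_offset), ...]; writes nothing if any check fails."""
    image_base, sections = read_sections(image)
    plan = []
    for p in patches:
        if len(p.old) != len(p.new):
            raise ValueError(f"{p.note}: replacement must keep the instruction length")
        off = va_to_offset(p.va, image_base, sections)
        found = bytes(image[off:off + len(p.old)])
        if found != p.old:
            raise ValueError(f"{p.note}: expected {p.old.hex()} at {off:#x}, found {found.hex()}")
        plan.append((p, off))
    for p, off in plan:
        image[off:off + len(p.new)] = p.new
    return [(p.va, off) for p, off in plan]


def make_demo_image():
    """Constructed stand-in for the demo executable (assumed layout, not the real file):
    a minimal PE32, base 400000h, one .text section at RVA 1000h / raw 400h, with the
    original instruction bytes planted where the thread's disassembly places them."""
    text_rva, text_raw, text_size = 0x1000, 0x400, 0xA2000
    image = bytearray(text_raw + text_size)
    image[0:2] = b"MZ"
    e_lfanew, opt_size = 0x80, 224
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", image, e_lfanew + 4, 0x14C, 1, 0, 0, 0, opt_size, 0x010F)
    opt = e_lfanew + 24
    struct.pack_into("<H", image, opt, 0x10B)
    struct.pack_into("<I", image, opt + 28, 0x400000)
    struct.pack_into("<8sIIII", image, opt + opt_size, b".text", text_size, text_rva, text_size, text_raw)
    for p in VAZ_PATCHES:
        off = p.va - 0x400000 - text_rva + text_raw
        image[off:off + len(p.old)] = p.old
    return image


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "--file":   # real binary: path is yours to supply
        with open(sys.argv[2], "rb") as f:
            image = bytearray(f.read())
    else:
        image = make_demo_image()                        # constructed stand-in, see above
    for va, off in apply_patches(image, VAZ_PATCHES):
        print(f"patched VA {va:#010x} at file offset {off:#x}")
    if len(sys.argv) == 3:
        with open(sys.argv[2] + ".patched", "wb") as f:
            f.write(image)
```

The original-bytes check is the part worth keeping in any patcher: a different build, a packed copy, or a file that was already patched all fail it instead of being silently corrupted, and because the check runs over the whole list before the first write, a failure leaves the file untouched.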

ThRaX
January 17th, 2001, 22:16
Hey, looks like tasks 2 and 3 are under the belt. Those were pretty easy, but what about task 1? I haven't found ANYTHING for that one yet...

Kayaker
January 18th, 2001, 00:41
Hi All,

I had a look at enabling that Open Patch menu item and like Mersenne, tried to key in on what DeDe could say about the Delphi structures, where they're called from, similarities in forms, etc.

As Mersenne mentions, there IS an OpenPatch Form that is at offset FB10C
TPF0.TOpenPatchDlg, which specifies opening VAZ Patches|*.vzp, which is what we would like to enable if possible. This Form isn't shown in DeDe under "Forms", but you can find its structure in the file.

There are also forms for
TPF0.TOpenSeqDlg, VAZ Sequences|*.vzs
TPF0.TSavePatchDlg
TPF0.TSaveSeqDlg

Each of these Forms is called via a corresponding standard Delphi "OnClick" event which you can find in DeDe under Procedures (in either Main or SeqUnit). Right now the OnClick event for TPF0.TOpenPatchDlg points to 004A1E88, which is just the Nag.

Anyway, I noticed that the 2 SaveAs events and the 1 working "Open" event had similar calls to 004439BC, i.e.


* Possible reference to class TOpenSeqDlg
|
0049AD73 A1107E4900 mov eax, dword ptr [$497E10]

* Reference to: Forms.TCustomForm.Create(Classes.TComponent)
| or: Forms.TDataModule.Create(Classes.TComponent)
|
0049AD78 E83F8CFAFF call 004439BC


So I did a string search in W32Dasm for "4439BC" and found it was called from 12 places:

* Referenced by a CALL at Addresses:
|:0049AD78 , :0049B20D , :0049BC5C , :0049BF5C , :0049C658
|:0049C992 , :004A20B9 , :004A2970 , :004A2A60 , :004A3C91
|:004A56A7 , :004A634D
|
:004439BC 55 push ebp


"Eureka!" I cried. All I gotta do is find which one of these don't match with an existing OnClick event that calls this Forms.TCustomForm.Create(Classes.TComponent) thingy and the one left over must be for that disabled OpenPatch function.

"Crap!" I cried, after finding out that they were all accounted for, opening things like PatternRandomItemClick and HelpAboutItemClick.

So, 1st strike against there existing the code to call the OpenPatch menu item.

...and so on...

Kayaker
January 18th, 2001, 00:43
Then I thought I'd try to "persuade" the TOpenSeqDlg routine to mimic what I thought the TOpenPatchDlg might require to open VAZ Patches|*.vzp instead of VAZ Sequences|*.vzs. I found that the Common Dialog dll comdlg32.dll function GetOpenFileName was used. Cool, because I knew that you could modify the OPENFILENAME structure to change how the Open dialog box behaves.


-----------------------------------------------------
GetOpenFileName function creates an Open common dialog box that lets the user specify the drive, directory, and the name of a file or set of files to open.

BOOL GetOpenFileName(

LPOPENFILENAME lpofn // address of structure with initialization data

Parameters

lpofn

Pointer to an OPENFILENAME structure that contains information used to initialize the dialog box. When GetOpenFileName returns, this structure contains information about the user's file selection.
------------------------------------------------------

You can check out the Win32 Programmers Reference for details on the OPENFILENAME structure, but the 4th DWORD contains the file filter, which I changed in memory to *.*. So now when I selected OpenPatch (I had made it point to the OpenSeqDlg routine at 0049AD44), I could select a VAZ Patch|*.vzp instead of just a VAZ Sequence|*.vzs. Big Deal, I still got a slightly modified Demo Nag anyway.

Confused yet? Good. I hope you're not expecting a solution ^_^


Another indication that this is a Demo only is that the address in eax at

* Possible reference to class TOpenSeqDlg
|
0049AD73 A1107E4900 mov eax, dword ptr [$497E10]

is 497E5C and points to what looks like a template structure for TOpenSeqDlg which you can see at offset 9725C in the file. There doesn't seem to exist a similar one for TOpenPatchDlg.


So does all this mean we're screwed? Maybe. Even the existing patches, which are resources you can see with eXeScope, are different from saved patches. I thought maybe you could paste them as a resource into the file, but I guess not.

Any other ideas?

Cheers,

Kayaker

mersenne
January 18th, 2001, 01:42
Hi kayaker,

I also tried those 12 calls you found and also to no avail. Did you follow the retrieval of the serial and license from the ini file any further?

Regards
mersenne

Kayaker
January 18th, 2001, 03:26
Hi Mersenne,

I had checked the ini file but didn't get the feeling the code was doing anything important. If you delete the 'Version' entry in

[VAZ]
Version=VAZ Plus 1.6

There's a cmp at

:0048324A CALL 00403D58
:0048324F CMP BYTE PTR [EBP-0100],00

which if met (length of 'Version' entry = 0), goes on to look for

[License]
Serial=

Couldn't see that there was any valid serial checking going on really. Serial is only checked if Version isn't there, which is then rewritten anyway, so GetPrivateProfileStringA on Serial is not used as a normal reg check. I could be wrong that this leads to nothing, still might be worth a look.

Regards,

Kayaker

90h
January 19th, 2001, 03:33
Hi All,

Looking for code to Open Patch and not getting anywhere, I started looking for some code to edit so I can load a patch file.
We have...

TSynthForm FileNewPatchItemClick
by tracking we find
004A485A xor edx, edx
004A485C mov eax, [ebx+04F4h] ;b3Osc1Wave : TButtonOsc1Wave
004A4862 call 0047C220 ;SetTButton
...

and
TSynthForm PatchPatchItemClick
004A278C mov eax, [edi+0Ch] ;eax = Patch number
004A278F mov edx, [4B8B54h]
004A2795 mov edx, [edx]
004A2797 mov edx, [edx+eax*4+0328h] ; edx= Patch data
004A279E mov eax, dword ptr [4B8B54h]
004A27A3 mov eax, [eax]
004A27A5 mov ecx, [eax]
004A27A7 call dword ptr [ecx+04h] ; 48BA10
...

so I pick the PatchPatchItemClick code. Using Snippet Creator I add the file VAZOPEN.asm to the exe

---File VAZOPEN.asm---
include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib

;FileOpenPatchItemClick
;old code
;004A1E88 B89C1E4A00 mov eax,0004A1E9C
;004A1E8D E83A60FCFF call 000467ECC ;NAG
;004A1E92 C3 retn

;new code A1288h
;004A1E88 C6051B706D0001 mov byte ptr [IsOpenFile], 1 ; open mode
;004A1E8F E8CC080000 call 004A2760 ;TSynthForm PatchPatchItemClick
;004A1E94 C3 retn

jmp j1
hinst dd 0
DLLName db "VAZPatch.dll",0
FuncOpen db "Open",0
IsOpenFile db 0 ; easy to find this way
DLLError db "Error file VAZPatch.dll not found...",0
data db 198h dup(0)

j1:
.IF [IsOpenFile]==1
pushad ; save all registers
mov [IsOpenFile],0
invoke LoadLibrary , offset DLLName
.IF eax!=NULL
mov dword ptr [hinst], eax
invoke GetProcAddress , eax, offset FuncOpen
.IF eax!=NULL
push offset data
call eax ; call VAZPatch.dll!Open
.ELSE
invoke MessageBox , NULL, offset DLLError, NULL, MB_OK
.ENDIF
invoke FreeLibrary , [hinst]
.ELSE
invoke MessageBox , NULL, offset DLLError, NULL, MB_OK
.ENDIF
popad ; restore registers
mov edx, offset data
ret

.ELSE
OldCode:
mov edx, [edx]
mov edx, [edx+eax*4+328h]
ret

;old code
;004A278F mov edx, dsff_4B8B54
;004A2795 mov edx, [edx]
;004A2797 mov edx, [edx+eax*4+328h]

;new code A1B95h
;004A2795 B900706D00 mov ecx,0006D7000
;004A279A FFD1 call ecx
;004A279C 90 nop
;004A279D 90 nop

.ENDIF

-----------------------
and edited in

004A2795 B900706D00 mov ecx,0006D7000
004A279A FFD1 call ecx ;call my code
004A279C 90 nop
004A279D 90 nop

;new FileOpenPatchItemClick code
004A1E88 C6051B706D0001 mov byte ptr ds:6D701Bh, 1 ; open mode
;004A1E8F E8CC080000 call 004A2760 ;TSynthForm PatchPatchItemClick
;004A1E94 C3 retn

Continued

90h
January 19th, 2001, 03:35
now we need a test dll so here it is

---VAZPatch.asm----

.486p
.MODEL FLAT,STDCALL

Open PROTO :DWORD

.DATA

.CODE

DllEntry proc hInstance:DWORD, reason:DWORD, reserved1:DWORD
mov eax,1
ret
DllEntry Endp

Open proc data:DWORD
mov edx,data

mov byte ptr [edx+58h],05h ;58h LFO-Rate
mov byte ptr [edx+59h],01h ;59h LFO-Waveform
mov byte ptr [edx+5Ah],55h ;5Ah LFO-WaveShape
mov byte ptr [edx+5Bh],00h ;5Bh LFO-Retrigger

mov byte ptr [edx+8Dh],00h ;8Dh Envelope1-Attack
mov byte ptr [edx+8Eh],55h ;8Eh Envelope1-Decay
mov byte ptr [edx+8Fh],0AAh ;8Fh Envelope1-Sustain
mov byte ptr [edx+90h],0FFh ;90h Envelope1-Release

mov byte ptr [edx+0ACh],0FFh ;ACh Envelope2-Attack
mov byte ptr [edx+0ADh],0AAh ;ADh Envelope2-Decay
mov byte ptr [edx+0AEh],55h ;AEh Envelope2-Sustain
mov byte ptr [edx+0AFh],00h ;AFh Envelope2-Release

ret
Open Endp

End DllEntry

---------------------

---VAZPatch.def----
LIBRARY VAZPatch

EXPORTS Open
---------------------


some notes(all up in the air)
---------------------
[VAZ]
Type=Patch
Version=VAZ Plus 1.5
Name=1
Description=
Author=

[LFO]
Rate=85 ;58h
Waveform=0 ;59h
WaveShape=205 ;5Ah
Retrigger=1 ;5Bh

[LFO 2]
Rate=0 ;74h
Retrigger=1 ;75h ;77h ?
Sample And Hold=1 ;76h ;75h ?
Manual Depth=0 ;77h ;76h ?
Delay=0 ;78h

[Envelope1]
Attack=0 ;8Dh
Decay=0 ;8Eh
Sustain=133 ;8Fh
Release=145 ;90h

[Envelope2]
Attack=72 ;ACh
Decay=75 ;ADh
Sustain=69 ;AEh
Release=0 ;AFh

[Oscillator1]
Tuning=-2400 ;DCh ;dword ?
Waveform=0 ;E8h
Sync Target=0 ;E9h
FM Source 1=0 ;EAh
FM Depth 1=0 ;EBh
PWM Source=0 ;ECh
PWM Depth=0 ;EDh
Portamento=0 ;EEh ; ??

[Oscillator2]
Tuning=-1700 ;???? ;0D0h, 104h ??
Waveform=0 ;110h
Modifier=0 ;111h
FM Source 1=0 ;112h
FM Depth 1=0 ;113h
FM Source 2=0 ;114h
FM Depth 2=0 ;115h
PWM Source=0 ;116h
PWM Depth=0 ;117h
One Shot=0 ;118h ;??
No Trigger=1 ;???? ;154h,155h,12Ch
Sample= ;NA ; will need to edit more code i think

[Filter]
Mix=64 ;161h
Source=0 ;162h ;160h ??
Mode=0 ;163h ; ?
Bandwidth=80 ;164h
Slew Limit=1 ;165h
Cutoff=255 ;166h
Resonance=0 ;167h
FM Source 1=4 ;168h
FM Depth 1=88 ;169h
FM Source 2=1 ;16Ah
FM Depth 2=78 ;16Bh
FM Source 3=0 ;16Ch
FM Depth 3=0 ;16Dh
RM Source=0 ;16Eh
RM Depth=0 ;16Fh

[Amplifier]
AM Source 1=3 ;184h
AM Depth 1=127 ;185h
AM Source 2=0 ;186h
AM Depth 2=0 ;187h
Overdrive=173 ;188h

PS.
So we can get Open Patch working this way but there is not much point in doing it. We will not have it all working File->Capture...
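The layout notes above are, as 90h says, up in the air, and the test DLL only hard-codes a few bytes. As an added example (not 90h's code and not anything from the VAZ+ author), the Python below reads a VAZ patch .ini in the form quoted and fills the 198h-byte record that the VAZOPEN.asm hook hands to VAZPatch.dll!Open, using only the LFO, Envelope1, Envelope2 and Amplifier offsets the notes give without a question mark; the other sections can be added to LAYOUT the same way once their offsets are confirmed. The record size is taken from the `data db 198h dup(0)` buffer in VAZOPEN.asm. The sample .ini embedded in the script is constructed from the values quoted above with the offset comments stripped; the function names and the round-trip helper are this example's own.

```python
"""Pack a VAZ+ patch .ini into the 198h-byte record the VAZOPEN.asm hook passes to
VAZPatch.dll!Open. Added example; offsets follow 90h's tentative notes, only for the
parameters listed there without a question mark."""
import configparser

RECORD_SIZE = 0x198  # size of the 'data' buffer in VAZOPEN.asm

# (section, key, byte offset into the record); every parameter here is one byte, 0..255.
LAYOUT = (
    ("LFO", "Rate", 0x58), ("LFO", "Waveform", 0x59),
    ("LFO", "WaveShape", 0x5A), ("LFO", "Retrigger", 0x5B),
    ("Envelope1", "Attack", 0x8D), ("Envelope1", "Decay", 0x8E),
    ("Envelope1", "Sustain", 0x8F), ("Envelope1", "Release", 0x90),
    ("Envelope2", "Attack", 0xAC), ("Envelope2", "Decay", 0xAD),
    ("Envelope2", "Sustain", 0xAE), ("Envelope2", "Release", 0xAF),
    ("Amplifier", "AM Source 1", 0x184), ("Amplifier", "AM Depth 1", 0x185),
    ("Amplifier", "AM Source 2", 0x186), ("Amplifier", "AM Depth 2", 0x187),
    ("Amplifier", "Overdrive", 0x188),
)

# Constructed sample: the values quoted in the notes above, offset comments removed.
SAMPLE_INI = """\
[VAZ]
Type=Patch
Version=VAZ Plus 1.5
Name=1
Description=
Author=

[LFO]
Rate=85
Waveform=0
WaveShape=205
Retrigger=1

[Envelope1]
Attack=0
Decay=0
Sustain=133
Release=145

[Envelope2]
Attack=72
Decay=75
Sustain=69
Release=0

[Amplifier]
AM Source 1=3
AM Depth 1=127
AM Source 2=0
AM Depth 2=0
Overdrive=173
"""


def _parse(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case: "WaveShape", "AM Source 1"
    cfg.read_string(text)
    return cfg


def pack_patch(text):
    """Return the record as bytes. Parameters not in LAYOUT stay 0, like the DLL's
    zero-filled buffer; a missing key (configparser.NoOptionError) or a value outside
    0..255 raises instead of being silently truncated into the byte."""
    cfg = _parse(text)
    if cfg.get("VAZ", "Type", fallback=None) != "Patch":
        raise ValueError("not a VAZ patch file ([VAZ] Type=Patch expected)")
    rec = bytearray(RECORD_SIZE)
    for section, key, off in LAYOUT:
        value = cfg.getint(section, key)
        if not 0 <= value <= 255:
            raise ValueError(f"[{section}] {key}={value} does not fit in one byte")
        rec[off] = value
    return bytes(rec)


def unpack_patch(rec):
    """Inverse mapping, for checking what the synth actually holds in memory."""
    if len(rec) != RECORD_SIZE:
        raise ValueError(f"record must be {RECORD_SIZE:#x} bytes")
    return {(s, k): rec[off] for s, k, off in LAYOUT}


if __name__ == "__main__":
    record = pack_patch(SAMPLE_INI)
    for (section, key), value in unpack_patch(record).items():
        print(f"[{section}] {key} = {value}  (offset {dict(((s, k), o) for s, k, o in LAYOUT)[(section, key)]:#x})")
```

Feeding the packed record to the `Open` export instead of the DLL's fixed bytes is the obvious next step; the range check matters because the Tuning values in the notes (-2400, -1700) are not bytes at all, which is exactly why those entries are left out of LAYOUT until their width is known.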