sabbato753
August 13th, 2010, 10:29
Hi all,
I have (what I THINK is) a fairly simple question this time around.
BACKGROUND:
I have a piece of software that is a bit of a PITA - it has lots of little spots in memory where it checks and double-checks registration, and a couple of them get rid of nag screens but a couple more actually amount to checksums that affect the program proper. It's easiest to describe it in terms of a limited shareware game: The demo program lets you use one of 6 available characters. I've found the byte that enables the selection of these characters (also gets rid of one nag), so you can select and then "start" the game with any of them.
However, it then goes through a long and very convoluted load process (it's coded in delphi). At the end of this, if you happen to be using the one character that is allowed in the demo, everything shows up like it's supposed to and works great. If you try to use one of the other five, the normal screen loads up but all of your character information comes up blank!
I know that the program is checking a separate byte in memory, but the actual locations are all calculated references ( mov ecx,DS PTR: [ebp*4+ecx]; cmp [ecx],0 etc). I've found four distinct checks so far, and I'm hoping to find this one.
WHAT I NEED:
I want to essentially use something like Conditional Branch Logger - but JUST from clicking "start" until the screen loads. Every one of the characters has different "abilities" that load up, so if I just run a trace/log, I think I'll see too many differences - but they all have the same AMOUNT of abilites, so the jumps should be roughly equivalent. Somewhere in there will be one jump that says "Display all this stuff because it's licensed" or "Don't display all this stuff, you've been fooled!"
The biggest problem is that since it's Delphi, it's VERY jumpy and makes very few actual system calls - most things are coded into the program. So things like waiting for a mouse movement, etc are all parts of the jumps - and thus slow CBL down incredibly. And since there's so many individual little branches between pressing the button and loadup, I don't know how to tell CBL to only trace "these" calls from "now" til "then" - particularly since some are calculated.
PaiMei had a process stalker that was supposed to be awesome for this sort of thing, but that's a mess on its own. I'm sure it's great but I can't even get the bleepin' thing to RUN, much less work.
So I guess I'm looking for how to do something similar in Olly or Ida, preferably Olly.
Thanks, everyone!
I have (what I THINK is) a fairly simple question this time around.
BACKGROUND:
I have a piece of software that is a bit of a PITA - it has lots of little spots in memory where it checks and double-checks registration, and a couple of them get rid of nag screens but a couple more actually amount to checksums that affect the program proper. It's easiest to describe it in terms of a limited shareware game: The demo program lets you use one of 6 available characters. I've found the byte that enables the selection of these characters (also gets rid of one nag), so you can select and then "start" the game with any of them.
However, it then goes through a long and very convoluted load process (it's coded in delphi). At the end of this, if you happen to be using the one character that is allowed in the demo, everything shows up like it's supposed to and works great. If you try to use one of the other five, the normal screen loads up but all of your character information comes up blank!
I know that the program is checking a separate byte in memory, but the actual locations are all calculated references ( mov ecx,DS PTR: [ebp*4+ecx]; cmp [ecx],0 etc). I've found four distinct checks so far, and I'm hoping to find this one.
WHAT I NEED:
I want to essentially use something like Conditional Branch Logger - but JUST from clicking "start" until the screen loads. Every one of the characters has different "abilities" that load up, so if I just run a trace/log, I think I'll see too many differences - but they all have the same AMOUNT of abilites, so the jumps should be roughly equivalent. Somewhere in there will be one jump that says "Display all this stuff because it's licensed" or "Don't display all this stuff, you've been fooled!"
The biggest problem is that since it's Delphi, it's VERY jumpy and makes very few actual system calls - most things are coded into the program. So things like waiting for a mouse movement, etc are all parts of the jumps - and thus slow CBL down incredibly. And since there's so many individual little branches between pressing the button and loadup, I don't know how to tell CBL to only trace "these" calls from "now" til "then" - particularly since some are calculated.
PaiMei had a process stalker that was supposed to be awesome for this sort of thing, but that's a mess on its own. I'm sure it's great but I can't even get the bleepin' thing to RUN, much less work.
So I guess I'm looking for how to do something similar in Olly or Ida, preferably Olly.
Thanks, everyone!
. I not shure that it can solve your problem, sorry, but may be
.