newbie questions


Spade
December 23rd, 2001, 12:24
I am an absolute beginner so please forgive me if the below questions appear so stupid to you.

1. What is the difference between "ret" and "ret 000x"? Does ret 0004 move 4 lines up, 4 bytes up, four calls back, or what?

2. At 0041BCD0, I have the dialog saying "trial is ended". The dialog offers me two choices: Register... or Quit. According to the below snippet, how do I arrive here (0041BCD0)? Tried returning at 0041BCB0, at 0041BCCB and 0041BCD0, no hope. The call at address 0041BC63 is called from another address. Just two lines above it there is a conditional jump. Reversing it fools the program, but it starts right from scratch, i.e., you lose all your settings.

The installation date is encrypted in a .dat file in the Windows directory. Deleting this file also starts the program from scratch. I couldn't find where the actual time comparison is made. I played with compare string, get system time, get local time, system time to file time functions but no hope.

3. Why do authors sometimes use nop in their code?

Thanks in advance.



* Referenced by a CALL at Address:
|:0041BC63
|
:0041BCB0 56 push esi
:0041BCB1 8BF1 mov esi, ecx
:0041BCB3 E868FAFFFF call 0041B720
:0041BCB8 8B442408 mov eax, dword ptr [esp+08]
:0041BCBC C706D0FA4200 mov dword ptr [esi], 0042FAD0
:0041BCC2 894604 mov dword ptr [esi+04], eax
:0041BCC5 8BC6 mov eax, esi
:0041BCC7 5E pop esi
:0041BCC8 C20400 ret 0004


:0041BCCB 90 nop
:0041BCCC 90 nop
:0041BCCD 90 nop
:0041BCCE 90 nop
:0041BCCF 90 nop

* Possible Reference to Dialog: DialogID_0139
|
:0041BCD0 B839010000 mov eax, 00000139
:0041BCD5 C3 ret


:0041BCD6 90 nop
:0041BCD7 90 nop
:0041BCD8 90 nop
:0041BCD9 90 nop
:0041BCDA 90 nop
:0041BCDB 90 nop
:0041BCDC 90 nop
:0041BCDD 90 nop
:0041BCDE 90 nop
:0041BCDF 90 nop
:0041BCE0 56 push esi
:0041BCE1 8BF1 mov esi, ecx
:0041BCE3 E818000000 call 0041BD00
:0041BCE8 F644240801 test [esp+08], 01
:0041BCED 7409 je 0041BCF8
:0041BCEF 56 push esi
:0041BCF0 E881300000 call 0041ED76
:0041BCF5 83C404 add esp, 00000004

DakienDX
December 23rd, 2001, 14:36
Hello Spade !

Code:
(1)
Push EAX
Push EDX
Call Proc1
Add ESP, 8

(2)
Push EAX
Push EDX
Call Proc2
The two examples should show the difference. As you know, a procedure ends with a return, a "RET". If you "PUSH" something on the stack, ESP gets decremented by 4 (if the value is 32-bit). So in example (1) ESP gets decremented by 8, then Proc1 is called and after that the stack pointer is restored. In example (2) it's different. ESP doesn't get restored after the call, so the procedure must take care itself to change ESP back to its normal value. So Proc2 needs to return with a "RET 8" instead of a "RET".
Usually dialogs are shown by a "Push DialogID" and a call to a procedure creating the dialog. So you must find a "Push 00000139h" in your example. Or you can try to catch the procedure where the date-file is opened. This can be done by _lopen, OpenFile, CreateFileA and CreateFileW.
Authors do not use "NOP" in their code. Most compilers have two switches. One is to give the file its smallest size, the other to give the file the maximum execution speed. If the program is written for speed, the compiler inserts "NOPs" after each procedure so that the following is aligned on the next 10h byte boundary, which is faster to access in memory.

?ferret
December 23rd, 2001, 18:55
By the looks of your snippet, 41BCD0 isn't directly referenced in the program (no "Referenced by CALL at xxxxxxxx").

So, the program probably has a Call EAX where EAX == 41BCD0
To find this you can either set up a backtrace buffer in Softice, or try IceDump. Then set a BPX on 41BCD0 and see what the last line executed before that was.

And since the value 139h is placed in EAX during that call, 139h is probably not pushed directly to create the window.....Push EAX is probably used to fill that parameter for the function.

Once you find out where the call to create the window is you should be able to figure out how to bypass it....depending on how many calls are indirectly referenced through registers, you may have to use the above methods a few more times to find what you need.

Spade
December 24th, 2001, 08:45
Thanks a lot.

The info you two provided was very helpful. Good news is, the program now works flawlessly on my PC.

It is very clear that this was only the beginning. Still got much to learn. Anyway, well begun is half done.

Thanks again...

IcyDee
December 28th, 2001, 14:24
Quote:
Originally posted by DakienDX
Authors do not use "NOP" in their code. Most compilers have two switches. One is to give the file its smallest size, the other to give the file the maximum execution speed. If the program is written for speed, the compiler inserts "NOPs" after each procedure so that the following is aligned on the next 10h byte boundary, which is faster to access in memory.


If the only reason for a NOP was to align on a word boundary then there would only ever be a need for up to 3 nop instructions, which the example above shows is not the case.

It is more common to see a lot of NOP instructions because the program has been compiled in 'debug' mode or more precisely it has 'incremental linking' set on. In this mode each routine or module is 'padded' with a number of NOP instructions, usually to a 16 byte boundary. In this way if the code is changed slightly in that routine or module, typically by adding a few more bytes, then the extra space will be taken up by the padding and the program will not need to do a full link (since no other routine has changed address).

So the presence of a lot of NOP instructions means that the programmer has been sloppy and has not bothered to produce a 'release' version.

DakienDX
December 30th, 2001, 13:05
Hello IcyDee !

If I say "on the next 10h byte boundary" this is the same as "a 16 byte boundary". I've never seen anything in Win32 which was aligned on a 32-bit-word boundary. All programs which use the "speed" feature use 10h bytes (= paragraph). The examples I've seen in debug mode use sometimes 1000h (=4096) bytes of NOPs or CCs between external .LIB files bound in.
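The disagreement between IcyDee and DakienDX about what the NOP runs mean can be checked mechanically. The following added example (my code, not from the thread) scans a code region for runs of 90h/CCh bytes and reports whether each run ends exactly on a 10h boundary, as compiler alignment padding does, or is too long for that explanation. The byte string is transcribed from the W32Dasm listing Spade posted; the scan is a linear byte pass, not a disassembler, so a 90h or CCh byte inside an operand would be miscounted.

```python
# Added example (not from the thread): find runs of padding bytes and classify them.
# Bytes transcribed from the listing above, 0041BCB0 .. 0041BCF7 (72 bytes).
BASE = 0x0041BCB0
CODE = bytes.fromhex(
    "56 8BF1 E868FAFFFF 8B442408 C706D0FA4200 894604 8BC6 5E C20400"  # ... ret 0004
    "90 90 90 90 90"                                                    # 5 x nop
    "B839010000 C3"                                                     # mov eax,139h / ret
    "90 90 90 90 90 90 90 90 90 90"                                     # 10 x nop
    "56 8BF1 E818000000 F644240801 7409 56 E881300000 83C404"          # next procedure
)

PADDING = {0x90, 0xCC}   # NOP and INT3, the two fillers mentioned in the thread

def padding_runs(code, base, align=0x10):
    """Return (start_addr, length, next_addr, kind) for each run of padding bytes.

    kind is 'align' when the run is shorter than `align` and ends exactly on an
    `align`-byte boundary (what a speed-optimising compiler emits between
    procedures), otherwise 'pad' (too long to be alignment alone, e.g.
    incremental-link slack or filler between bound-in .LIB modules)."""
    runs = []
    i, n = 0, len(code)
    while i < n:
        if code[i] not in PADDING:
            i += 1
            continue
        j = i
        while j < n and code[j] in PADDING:
            j += 1
        length, nxt = j - i, base + j
        kind = "align" if length < align and nxt % align == 0 else "pad"
        runs.append((base + i, length, nxt, kind))
        i = j
    return runs

if __name__ == "__main__":
    for start, length, nxt, kind in padding_runs(CODE, BASE):
        print(f"{start:08X}: {length:2d} padding bytes, next code at {nxt:08X} ({kind})")
```

On Spade's snippet both runs (5 and 10 bytes) end on 0041BCD0 and 0041BCE0, so they are consistent with 10h alignment; a 1000h-byte block of NOPs or CCs would be reported as 'pad'.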