Log in

View Full Version : a hardcore question


k66473
June 1st, 2005, 09:42
I am a newbie.! I use SI to debug an program named "sitect" !! The code when I saw at SI break was not the same at the code when I use WDASM.. If I am lucky, I found some place to patch, how can I found the exact address to patch the program... Please help me...
Maybe my question is too stupid but I am really serious... Help me if you can..

JohnWho
June 1st, 2005, 10:21
You should go read some tutorials. See links in bottom of this site!

naides
June 1st, 2005, 11:20
Let's see k66473:

The solution to your problem can be very simple or it may be more complex:
If I understand you correctly, In SI you see some code, which you wish to patch, but cannot find it in WDASM:
Posibilities:
1)The code is not in the exe file you disassembled, but in a .dll file loaded during run time. Look in the lower bar of the code window and see wHat the name of the module is.
2) The code you found with Sice may be unpacked, or decrypted at run time, but is not present, at least in code format, in the original exe file in deadlisting mode.

3) The code address changes at run time?

4) searching for code in WDASM is tricky.
Try HIEW and enter either the Address of the code preceded by a period, like F5(goto) .00402345, or the BYTES (8 or 10) around the code of interest.

5) COMPOSE YOUR QUESTIONS MORE CAREFULLY

Aimless
June 2nd, 2005, 11:17
I concur with naides.

Maybe its a case of simple code relocation. Alternatively, it could be many of the protection systems coming into play.

Why don't you try running the program through IDA and subsequently run it through the IDA Debugger? If the code relocates, your assembly will be changed accordingly. Cracking with W32DASM is generally not recommended for newer generations of programs. Unless its heavily protected and IDA goes wild during emulation. THEN, you can use W32Dasm (but that's another story )

Have phun