SuperBlade Pro: Taking the Edge Off

Date: 11/22/00
by Sojourner

There is a crack, a crack in everything. That's how the light gets in.

Rating: (x) Beginner  ( ) Intermediate  ( ) Advanced  ( ) Expert

Thoughtful searching produces excellent looks.

Tools:
w32dasm 8.x -- your choice of flavors
hex editor needed -- UltraEdit 7.xx or whatever you want to use

Just go to this site and then download what you need.

What to do:
1. Make prog registered
Ah, good to be back in the saddle again. This is a fun little project and it involves a nifty plug-in for your favorite photo editor. I use Corel Photopaint. You won't believe how very easy it was to register this baby, but you do have to do a little looking around, as usual. Go ahead and disassemble it now. As you may suspect, we will do the fixing on this in a static mode. What I mean by that is that we will not actually be running the program when we do this. We will only use w32dasm to peruse the disassembled file looking for clues, then go in with our hex editor to make the necessary changes, then run the plug-in through our photo editor to see that we have indeed succeeded in our journey. One thing you must learn is to look for relevant strings scattered about in the prog. Of course, w32dasm is excellent in this respect. Sometimes a resource editor is superior in this job category, although we won't need one on this trip. Oftentimes the word "Thanks" or "Thankyou" or "Thank You" may lead you to a starting point. Today it's going to be "Thankyou." So now do a search and you will end up here. Look carefully at this code and meet me at the bottom.
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10015E22(C), :10015E34(C)
|
:10015EA0 8B4604        mov eax, dword ptr [esi+04]
:10015EA3 8B500C        mov edx, dword ptr [eax+0C]
:10015EA6 8B12          mov edx, dword ptr [edx]
:10015EA8 8B9224010000  mov edx, dword ptr [edx+00000124]
:10015EAE 89542410      mov dword ptr [esp+10], edx
:10015EB2 8B500C        mov edx, dword ptr [eax+0C]
:10015EB5 8B12          mov edx, dword ptr [edx]
:10015EB7 8B9228010000  mov edx, dword ptr [edx+00000128]
:10015EBD 89542414      mov dword ptr [esp+14], edx
:10015EC1 8B500C        mov edx, dword ptr [eax+0C]
:10015EC4 8B12          mov edx, dword ptr [edx]
:10015EC6 8B922C010000  mov edx, dword ptr [edx+0000012C]
:10015ECC 8954240C      mov dword ptr [esp+0C], edx
:10015ED0 8B400C        mov eax, dword ptr [eax+0C]
:10015ED3 8B00          mov eax, dword ptr [eax]
:10015ED5 8B902C010000  mov edx, dword ptr [eax+0000012C]
:10015EDB 52            push edx
:10015EDC 8B9028010000  mov edx, dword ptr [eax+00000128]
:10015EE2 8B8024010000  mov eax, dword ptr [eax+00000124]
:10015EE8 52            push edx
:10015EE9 8B5624        mov edx, dword ptr [esi+24]
:10015EEC 50            push eax
:10015EED 8B4620        mov eax, dword ptr [esi+20]
:10015EF0 52            push edx
:10015EF1 50            push eax
:10015EF2 51            push ecx
:10015EF3 E8B8F4FFFF    call 100153B0
:10015EF8 83C418        add esp, 00000018
:10015EFB 3C01          cmp al, 01
:10015EFD 0F85A9000000  jne 10015FAC
:10015F03 8B4E04        mov ecx, dword ptr [esi+04]
:10015F06 8B510C        mov edx, dword ptr [ecx+0C]
:10015F09 8D4C240C      lea ecx, dword ptr [esp+0C]
:10015F0D 51            push ecx
:10015F0E 8D4C2414      lea ecx, dword ptr [esp+14]
:10015F12 8B02          mov eax, dword ptr [edx]
:10015F14 8D542418      lea edx, dword ptr [esp+18]
:10015F18 52            push edx
:10015F19 51            push ecx
:10015F1A 8B902C010000  mov edx, dword ptr [eax+0000012C]
:10015F20 8B8828010000  mov ecx, dword ptr [eax+00000128]
:10015F26 52            push edx
:10015F27 8B9024010000  mov edx, dword ptr [eax+00000124]
:10015F2D 8B4624        mov eax, dword ptr [esi+24]
:10015F30 51            push ecx
:10015F31 8B4E20        mov ecx, dword ptr [esi+20]
:10015F34 52            push edx
:10015F35 8B561C        mov edx, dword ptr [esi+1C]
:10015F38 50            push eax
:10015F39 51            push ecx
:10015F3A 52            push edx
:10015F3B E8E0F5FFFF    call 10015520
:10015F40 8B4604        mov eax, dword ptr [esi+04]
:10015F43 56            push esi
:10015F44 8B480C        mov ecx, dword ptr [eax+0C]
:10015F47 8B442438      mov eax, dword ptr [esp+38]
:10015F4B 8B11          mov edx, dword ptr [ecx]
:10015F4D 898224010000  mov dword ptr [edx+00000124], eax
:10015F53 8B4E04        mov ecx, dword ptr [esi+04]
:10015F56 8B510C        mov edx, dword ptr [ecx+0C]
:10015F59 8B4C243C      mov ecx, dword ptr [esp+3C]
:10015F5D 8B02          mov eax, dword ptr [edx]
:10015F5F 898828010000  mov dword ptr [eax+00000128], ecx
:10015F65 8B5604        mov edx, dword ptr [esi+04]
:10015F68 8B420C        mov eax, dword ptr [edx+0C]
:10015F6B 8B542434      mov edx, dword ptr [esp+34]
:10015F6F 8B08          mov ecx, dword ptr [eax]
:10015F71 89912C010000  mov dword ptr [ecx+0000012C], edx
:10015F77 E894EEFEFF    call 10004E10

* Possible StringData Ref from Data Obj ->"***"
|
:10015F7C 688CC30210    push 1002C38C

* Possible StringData Ref from Data Obj ->"**"
|
:10015F81 68A8C10210    push 1002C1A8

* Possible StringData Ref from Data Obj ->"*"
|
:10015F86 68A4C10210    push 1002C1A4

* Possible StringData Ref from Data Obj ->"SuperBladePro"
|
:10015F8B 687CC30210    push 1002C37C
:10015F90 E86B5DFFFF    call 1000BD00

* Possible StringData Ref from Data Obj ->"THANKYOU"   <--HERE Return
|
:10015F95 6860C30210    push 1002C360
:10015F9A E8B162FFFF    call 1000C250
:10015F9F 83C43C        add esp, 0000003C
:10015FA2 5F            pop edi
:10015FA3 5E            pop esi
:10015FA4 5D            pop ebp
:10015FA5 81C410010000  add esp, 00000110
:10015FAB C3            ret

Ok, I see you made it. Did you see anything useful? Check out this code snippet:

:10015EF3 E8B8F4FFFF    call 100153B0
:10015EF8 83C418        add esp, 00000018
:10015EFB 3C01          cmp al, 01
:10015EFD 0F85A9000000  jne 10015FAC

Notice the jne here. What is happening is a comparison between the low-order byte of the eax register (al) and a 01. Presumably, the 01 is placed there after successfully entering the correct serial number, else why would we get a big "Thankyou"? You see that if the 01 is not in al, the conditional jump is taken and you won't get the thankyou that you need to satisfy the program. Since the jump is conditional, I've found that it is generally best if you can guarantee the condition on which the jump is based. Since we need a 01 to be in al, there are a couple of things we could do. The tack I followed was to go into the call 100153B0; the important part is outlined below. If you go into the call as I did and do a thorough analysis of what is happening, you'll see multiple areas where numbers are being manipulated. Since it isn't extremely clear what is being manipulated, we must be content with the final outcome. That is seen at 100154F4. If we are successful, we see 01 being moved into al for us. Happy days, all! This is our dream! Realistically, if you can guarantee that the code at 100154ED and 100154EF is not executed, then you will get what you want. With that in mind, nop 84C0 and 740A at 100154ED and 100154EF. You are home free again. We have completed the only "To Do" on our list. Go and enjoy! Just for your info, the other Flaming Pear downloads are not this straightforward, although they are easy also.

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:100154CF(C), :100154D7(C), :100154DC(C)
|
:100154E3 83C604        add esi, 00000004
:100154E6 4F            dec edi
:100154E7 75CA          jne 100154B3
:100154E9 8A442412      mov al, byte ptr [esp+12]
:100154ED 84C0          test al, al
:100154EF 740A          je 100154FB
:100154F1 5F            pop edi
:100154F2 5E            pop esi
:100154F3 5D            pop ebp
:100154F4 B001          mov al, 01   <--Here
:100154F6 5B            pop ebx
:100154F7 83C42C        add esp, 0000002C
:100154FA C3            ret
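Seen from the vendor's side, the reason a two-instruction edit is enough here is that nothing in the plug-in checks whether the bytes of the serial routine are still the ones that were shipped. The Python below is an added example, not part of Sojourner's tutorial and not code from the SuperBladePro plug-in or Flaming Pear. It takes the routine tail exactly as the w32dasm listing above shows it (100154E9 through 100154FA), records a SHA-256 digest as the known-good reference a build step would embed, and then shows that a copy with the test/je pair overwritten by NOPs fails that check, with the changed addresses pinpointed against a pristine copy. The tampered sample is constructed here as test input, and the function names and the choice of SHA-256 are my assumptions for illustration.

```python
import hashlib

# Bytes of the routine tail copied from the w32dasm listing above, starting at
# :100154E9 (assumption: this is the region the vendor would want to protect):
#   8A442412      mov al, byte ptr [esp+12]
#   84C0          test al, al
#   740A          je 100154FB
#   5F 5E 5D      pop edi / pop esi / pop ebp
#   B001          mov al, 01
#   5B            pop ebx
#   83C42C        add esp, 0000002C
#   C3            ret
TAIL_BASE = 0x100154E9
ORIGINAL_TAIL = bytes.fromhex(
    "8A442412" "84C0" "740A" "5F" "5E" "5D" "B001" "5B" "83C42C" "C3"
)

# Constructed sample input (not from any real file): the same region with the
# four bytes of test/je at :100154ED..:100154F0 replaced by NOP (0x90), which
# is the edit the tutorial describes and the one the check must catch.
TAMPERED_TAIL = bytes.fromhex(
    "8A442412" "90909090" "5F" "5E" "5D" "B001" "5B" "83C42C" "C3"
)


def build_reference(code: bytes) -> str:
    """Digest a build step would record (and ideally sign) for a code region."""
    return hashlib.sha256(code).hexdigest()


def verify(code: bytes, reference: str) -> bool:
    """Runtime check: True only if the region's bytes still match the digest.

    Only the digest is needed here, so the program does not have to carry a
    second copy of its own code around.
    """
    return hashlib.sha256(code).hexdigest() == reference


def diff_offsets(expected: bytes, actual: bytes, base: int) -> list:
    """Analyst-side check against a pristine copy.

    Returns (address, expected_byte, actual_byte) for every byte that differs,
    using the same load addresses as the disassembly listing. A length
    mismatch is treated as a difference at every position past the shorter
    buffer so that truncation cannot pass silently.
    """
    changes = [
        (base + i, e, a)
        for i, (e, a) in enumerate(zip(expected, actual))
        if e != a
    ]
    longer = max(len(expected), len(actual))
    for i in range(min(len(expected), len(actual)), longer):
        e = expected[i] if i < len(expected) else None
        a = actual[i] if i < len(actual) else None
        changes.append((base + i, e, a))
    return changes


if __name__ == "__main__":
    ref = build_reference(ORIGINAL_TAIL)
    for label, region in (("shipped", ORIGINAL_TAIL), ("tampered", TAMPERED_TAIL)):
        print(f"{label}: intact={verify(region, ref)}")
        for addr, exp, act in diff_offsets(ORIGINAL_TAIL, region, TAIL_BASE):
            print(f"  {addr:08X}: expected {exp:02X}, found {act:02X}")
```

Run stand-alone it reports the shipped region as intact and lists the four addresses 100154ED through 100154F0 for the tampered one. The design point for a defender is that the digest must be stored where it cannot simply be recomputed alongside the patch (signed, or outside the image), and that the verification routine itself needs the same protection; a check like this raises the cost of the edit rather than removing the single `cmp al, 01` decision the tutorial relies on.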
I know this was short, but not everything in life has to be hard. Until later. If you have any questions please feel free to contact me at jomamameister@yahoo.com