View Full Version : How change eax, edx of wlscgen.exe


Ace
08-02-2008, 02:49 PM
First of all, please help me.

Could you please help me with how to change eax, edx and memory address [00574199],
with breakpoint addresses 00414746 and 004147EE?
Based on: http://www.woodmann.com/crackz/Tutorials/Wlscgen.htm.

This is the wdasm32 listing of Wlscgen.exe:


:00414710 A4 movsb
:00414711 8D4B64 lea ecx, dword ptr [ebx+64]
:00414714 E81F1C0900 call 004A6338
:00414719 8BF8 mov edi, eax
:0041471B 83C9FF or ecx, FFFFFFFF
:0041471E 33C0 xor eax, eax
:00414720 8D54244D lea edx, dword ptr [esp+4D]
:00414724 F2 repnz
:00414725 AE scasb
:00414726 F7D1 not ecx
:00414728 2BF9 sub edi, ecx
:0041472A 8BC1 mov eax, ecx
:0041472C 8BF7 mov esi, edi
:0041472E 8BFA mov edi, edx
:00414730 C1E902 shr ecx, 02
:00414733 F3 repz
:00414734 A5 movsd
:00414735 8BC8 mov ecx, eax
:00414737 83E103 and ecx, 00000003
:0041473A F3 repz
:0041473B A4 movsb
:0041473C 8D4C240C lea ecx, dword ptr [esp+0C]
:00414740 51 push ecx
:00414741 E8BA69FFFF call 0040B100
:00414746 83C404 add esp, 00000004 =====> where eax=0xffffffff will change 00000000 ?
:00414749 85C0 test eax, eax
:0041474B 0F8486000000 je 004147D7
:00414751 83F8FF cmp eax, FFFFFFFF
:00414754 7530 jne 00414786
:00414756 6A00 push 00000000
:00414758 6A30 push 00000030
:0041475A 50 push eax
:0041475B E82080FFFF call 0040C780
:00414760 83C404 add esp, 00000004
:00414763 50 push eax
:00414764 E8E88E0A00 call 004BD651
* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:03E9, "Save..." |
:00414769 68E9030000 push 000003E9
:0041476E 8BCB mov ecx, ebx





:004147BC 6A10 push 00000010
:004147BE 50 push eax
:004147BF E8BC7FFFFF call 0040C780
:004147C4 83C404 add esp, 00000004
:004147C7 50 push eax
:004147C8 E8848E0A00 call 004BD651
:004147CD 5F pop edi
:004147CE 5E pop esi
:004147CF 5B pop ebx
:004147D0 81C484000000 add esp, 00000084
:004147D6 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041474B(C)
|
:004147D7 8A8C248E000000 mov cl, byte ptr [esp+0000008E]
:004147DE 33D2 xor edx, edx
:004147E0 84C9 test cl, cl
:004147E2 0F95C2 setne dl
:004147E5 8D7C240C lea edi, dword ptr [esp+0C]
:004147E9 83C9FF or ecx, FFFFFFFF
:004147EC 33C0 xor eax, eax
:004147EE 8915F03C5700 mov dword ptr [00573CF0], edx ==> where edx=0x00000000 will change 0x00000001 ?
:004147F4 F2 repnz above ==> where address memory 0x43000000 will change 0x43000001
:004147F5 AE scasb
:004147F6 F7D1 not ecx
:004147F8 2BF9 sub edi, ecx
:004147FA 8BC1 mov eax, ecx
:004147FC 8BF7 mov esi, edi
:004147FE BFF43C5700 mov edi, 00573CF4
:00414803 C1E902 shr ecx, 02
:00414806 F3 repz
:00414807 A5 movsd
:00414808 8BC8 mov ecx, eax
:0041480A 83E103 and ecx, 00000003
:0041480D F3 repz
:0041480E A4 movsb

Git
08-03-2008, 10:35 AM
Your question makes no sense.

Git

ngatetpyar
08-03-2008, 12:33 PM
Here you can get the help:

http://www.woodmann.com/crackz/Tutorials/Wlscgen.htm.

read...read..read...

still you don't understand...read..read..and read...

this was the same problem I found out last 3 months...

Now it was over......

So friend...read again and again...

Ace
08-04-2008, 06:36 AM
Thank you for your comment,

this is the basis of my question:

1. Where will the original eax=0xffffffff change to 00000000?
-------------------------------------------------------
:00414741 E8BA69FFFF call 0040B100
:00414746 83C404 add esp, 00000004 ==> based on the essay
:00414749 85C0 test eax, eax


2. Where will the original edx=0x00000000 change to 0x00000001?
----------------------------------------------------------
:004147E5 8D7C240C lea edi, dword ptr [esp+0C]
:004147E9 83C9FF or ecx, FFFFFFFF
:004147EC 33C0 xor eax, eax
:004147EE 8915F03C5700 mov dword ptr [00573CF0], edx
========> based on the essay

Again, thanks for your help, Git, ngatetpyar

Git
08-04-2008, 07:07 AM
Sorry, I still do not understand you.

Git

Ace
08-04-2008, 09:03 AM
Thank you Git,

The basis of the essay is the wdasm32 listing of wlscgen.exe, and then go to number
:00414746
with assembly language: add esp, 00000004
In the essay, register eax=0xffffffff (original) is then changed to eax=0x00000000, based on the essay.

And then number
:004147EE 8915F03C5700 mov dword ptr [00573CF0], edx
register edx=0x00000000 (original) will change to 0x00000001

Why don't I see something like
:00414746 move eax, ffffffffh will change to move eax,00000000h
etc.?

Git
08-04-2008, 01:31 PM
I think I understand.

The essay is based on version 7.1 from the year 2000. I think you have a different version. Read the original essay here:

http://www.woodmann.com/crackz/Tutorials/Cyberheg3.htm

and try to match your code against essay to find new addresses to patch.

Git

shahram
08-05-2008, 02:22 AM
I had the same problem, because I used SDK 7.2;
try to use SLM 7.1

Anyone has the SDK 7.1 to upload it somewhere in rapidshare maybe?!!!

BR
Shahram

butaktelco
04-05-2009, 02:32 AM
use this table ....
load wlscgen to ollydbg...
find address & Set break point...
Looks at register....

BreakPoint Address  What to modify               Original Value  New Value   Description
00414746            eax (register)               0xFFFFFFFF      0x00000000  Username and password is valid
004147EE            edx (register)               0x00000000      0x00000001  Administrator rights flag (menu)
                    [00574199] (memory address)  0x43000000      0x43000001  Administrator rights flag (create user

br

knr
04-07-2009, 07:19 AM
hi
for shahram: sdk7.1 is at http://rapidshare.com/files/127037079/sdk71.rar.html

for ace: Git's answer is very appropriate; and even in sdk7.1 the memory location value could be different. I have, for my personal use, snapshots of my w32dasm screens from when I patched wlscgen; if you want, drop a mail and I can send the file
cheers
knr

besoeso
04-07-2009, 01:44 PM
What is the password file?

Thanks.


unforgiven
04-07-2009, 03:26 PM
Password is:
1234567890

:D

kiki
04-07-2009, 11:33 PM
thank you :)

kiki
04-07-2009, 11:34 PM
thank you for sdk link :)

knr
04-08-2009, 02:00 AM
you are welcome kiki!

for ace: if you are using mayaputra's wlscgen, you don't need the sdk at all; just patch it for the required vendor id; if you still find it difficult, give the vendor id and I will give the diff file so that you can patch the wlscgen.exe (sdk7.1)

cheers

kiki
04-08-2009, 02:37 AM
any sample file protected with sentinellm? I want to learn this protection. :)

kaka.enine
04-08-2009, 02:39 PM
many ...

i just know a little ... for telco SW ...

TCPU, TLP, Actix, Planet, Nemo, Ellipse, and ...

i think .. only those i know ... :D :D :D



BR,

-kaka-

knr
04-10-2009, 03:27 AM
besoeso!
I have sent the snapshots file to your mail; let me know if you find it useful
cheers
knr

besoeso
04-10-2009, 07:37 AM
Many thanks, dear friend :D

I will check out.

gugnani
05-05-2010, 06:26 AM
Hi


00414746            eax (register)               0xFFFFFFFF      0x00000000  Username and password is valid
004147EE            edx (register)               0x00000000      0x00000001  Administrator rights flag (menu)
                    [00574199] (memory address)  0x43000000      0x43000001  Administrator rights flag (create user

Out of the above 3 commands, I am not able to edit the memory address in ollydbg...

Please advise the way.

jskhalid
08-22-2010, 04:57 PM
Hi, I am facing the same problem: where to change the memory address 00574199 in ollydbg? With Ctrl+G in the hex dump, I cannot find the 4300000, please advise.....

BR

sisi
08-24-2010, 11:49 AM
I am also facing the same problem in ollydbg. Can anybody advise how to change the memory address [00574199]?

Sisi