View Full Version : Need Help with "access violation...."
zambuka42
05-03-2004, 01:08 PM
Hi, there is a program that I've cracked, and it worked great. However, there is one line of code which is giving an "Exception: access violation (0xc0000005), Address: 0x004374a6" error. This is not a BIG problem, because I can jump over this address. However, by jumping over this address, I cause a certain line of text in the program to disappear. Like I said, not a huge problem, but I'd love to understand why this is happening.
This address is a line in a small loop; I'll paste that below. Any help is appreciated, even if it's "can't help, but here's some info for your brain..."
PS: This file cannot be loaded into a debugger. Here is why:
This file is an NT/2K service. It can be started from the command line by typing "app.exe -start" and stopped by "app.exe -stop". I've loaded it into OllyDbg, W32Dasm, and Turbo Debugger. Every time I start it in any of these, everything loads to the entry point fine, but when I set my breakpoints and try to run it, the debuggers think the file has terminated, even though it remains running in memory. Maybe there is a way to do it in SoftICE, but I'm not a pro at that yet either. I can't single-step through the debugger from the entry point to find out WHY it thinks the program is terminated because frankly there's just TOO much damn code to go through before that point.
:00437277 8D4510 lea eax, dword ptr [ebp+10]
:0043727A 50 push eax
:0043727B E89C050000 call 0043781C
:0043781C 8B442404 mov eax, dword ptr [esp+04]
:00437820 830004 add dword ptr [eax], 00000004
:00437823 8B00 mov eax, dword ptr [eax]
:00437825 8B40FC mov eax, dword ptr [eax-04]
:00437828 C3 ret
:00437280 66F745FC1008 test [ebp-04], 0810
:00437286 59 pop ecx
:00437287 8BC8 mov ecx, eax
:00437289 894DF8 mov dword ptr [ebp-08], ecx
:0043728C 0F84FE010000 je 00437490
:00437490 85C9 test ecx, ecx
:00437492 7509 jne 0043749D
:0043749D 8BC1 mov eax, ecx
:0043749F 8BD6 mov edx, esi
:004374A1 4E dec esi
:004374A2 85D2 test edx, edx
:004374A4 7408 je 004374AE
:004374A6 803800 cmp byte ptr [eax], 00 <--- error line
:004374A9 7403 je 004374AE
:004374AB 40 inc eax
:004374AC EBF1 jmp 0043749F
Thank you to anyone who takes the time to read this and decides to help me with expanding my knowledge. It is greatly appreciated. I hope to be able to return the favor to anyone else once I know a bit more. Thanks. -b
00437277 lea  eax, dword ptr [ebp+10]        <--- probably 3rd parameter to function (address of)
0043727A push eax
0043727B call 0043781C
    0043781C mov  eax, dword ptr [esp+04]    <--- still referencing the same parameter
    00437820 add  dword ptr [eax], 00000004  <--- param is a pointer to an array of elements.
                                                  set it to point to the "next" element.
    00437823 mov  eax, dword ptr [eax]       <--- get the array element into eax
    00437825 mov  eax, dword ptr [eax-04]    <--- elements are pointing to structures.
                                                  read a field from structure
    00437828 ret
00437280 test [ebp-04], 0810                 <--- local1
00437286 pop  ecx
00437287 mov  ecx, eax
00437289 mov  dword ptr [ebp-08], ecx        <--- local2
0043728C je   00437490
00437490 test ecx, ecx
00437492 jne  0043749D
                                             <--- what goes here?
0043749D mov  eax, ecx
0043749F mov  edx, esi
004374A1 dec  esi
004374A2 test edx, edx
004374A4 je   004374AE
004374A6 cmp  byte ptr [eax], 00             <--- error line
004374A9 je   004374AE
004374AB inc  eax
004374AC jmp  0043749F
the code doesn't reveal where the values of local1 and esi are coming from. nevertheless it looks like an array of pascal-style strings is being dealt with. in pascal (delphi) the byte (dword) just to the left of a string holds its length. i'm guessing 437825 is trying to read the length of a string, and the problem you were having with a disappearing string seems to confirm this.
obviously, since it was working fine before you cracked it, your crack must be causing it to act this way. there could be an integrity check somewhere that, once it figures out you modified the file, goes on to corrupt the array of strings. this is highly unlikely, though. if there was indeed an integrity check it would go further than corrupting an array of strings, i'd think.
regards, sna
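A C reconstruction of the routine sna annotates above, added here as an example; it is not code from the thread or from the program under discussion, and it does not claim to be the actual cause of zambuka42's fault. It builds Delphi-style strings (length dword immediately in front of the characters, as sna describes), walks an array of pointers to them the way sub_0043781C does, and reimplements the byte scan at 0043749D, including the fallback load from 004862C8 that zambuka42 supplies in the next post, as a bounded NUL scan. The names (pstr_t, next_string_length, scan_for_nul, g_default_text) and the sample strings are assumptions. What it shows is that cmp byte ptr [eax],00 is the first dereference of the string pointer, so any unmapped value reaching ecx, a zero fallback that nothing initialised included, faults exactly at that instruction.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Delphi/Pascal-style string as sna reads it: a 32-bit length stored
 * immediately in front of the characters.  A "string pointer" points at
 * the first character, so the length lives at pointer-4, which is what
 * `mov eax, dword ptr [eax-04]` fetches.  The NUL is kept so the byte
 * scan below also terminates on it. (Assumed layout, not verified
 * against the binary in the thread.) */
typedef struct {
    uint32_t len;
    char     chars[32];
} pstr_t;

static const char *pstr_make(pstr_t *s, const char *text) {
    size_t n = strlen(text);
    if (n > sizeof s->chars - 1) n = sizeof s->chars - 1;
    s->len = (uint32_t)n;
    memcpy(s->chars, text, n);
    s->chars[n] = '\0';
    return s->chars;                    /* the value an array element holds */
}

/* Reconstruction of sub_0043781C.  The caller pushes the address of a
 * stack slot (lea eax,[ebp+10] / push eax) holding a cursor into an
 * array of string pointers.  The routine bumps that cursor by one
 * element (4 bytes on the 32-bit target), loads the element and returns
 * the length dword stored in front of the characters. */
static uint32_t next_string_length(const char ***cursor) {
    *cursor += 1;                       /* add dword ptr [eax], 00000004 */
    const char *s = **cursor;           /* mov eax, dword ptr [eax]      */
    uint32_t len;
    memcpy(&len, s - 4, sizeof len);    /* mov eax, dword ptr [eax-04]   */
    return len;
}

/* Stand-in for the dword at 004862C8 that 00437494 loads when ecx is
 * zero.  Left NULL on purpose: nothing in the posted code writes it. */
static const char *g_default_text = NULL;

/* Reconstruction of 00437490..004374AC: a bounded scan for a NUL
 * (a strnlen) over at most `remaining` (esi) bytes.  Returns the count,
 * or -1 where the original would have faulted: cmp byte ptr [eax],00 is
 * the first dereference of the pointer, so an unmapped value in ecx
 * raises the access violation right there. */
static long scan_for_nul(const char *s, size_t remaining) {
    if (s == NULL)                      /* test ecx,ecx / jne 0043749D   */
        s = g_default_text;             /* mov ecx, dword ptr [004862C8] */
    if (s == NULL)
        return -1;                      /* added guard, not in the binary */
    size_t n = 0;
    while (remaining-- != 0) {          /* mov edx,esi / dec esi / test edx,edx / je */
        if (s[n] == '\0')               /* cmp byte ptr [eax], 00 / je   */
            break;
        n++;                            /* inc eax / jmp 0043749F        */
    }
    return (long)n;
}

/* Walk a constructed three-string array the way the binary does and
 * return the sum of the length dwords read for the two elements after
 * the one the cursor starts on (10 + 2). */
static uint32_t walk_constructed_array(void) {
    static pstr_t a, b, c;
    const char *elems[3];
    elems[0] = pstr_make(&a, "Licensed");
    elems[1] = pstr_make(&b, "registered");   /* length dword 10 */
    elems[2] = pstr_make(&c, "to");           /* length dword 2  */
    const char **cursor = elems;              /* the slot at [ebp+10] */
    uint32_t total = 0;
    total += next_string_length(&cursor);
    total += next_string_length(&cursor);
    return total;
}

int main(void) {
    printf("length dwords read: %u\n", (unsigned)walk_constructed_array());
    printf("scan \"registered\" capped at 4: %ld\n", scan_for_nul("registered", 4));
    printf("scan with zero fallback: %ld\n", scan_for_nul(NULL, 8));
    g_default_text = "default";
    printf("scan after fallback initialised: %ld\n", scan_for_nul(NULL, 8));
    return 0;
}
```

Build with `cc -std=c99 -Wall pstr_walk.c`. The two `je 004374AE` exits map onto the two ways the loop ends (count exhausted, NUL found); the `-1` return marks the third outcome the binary has no branch for.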
zambuka42
05-03-2004, 06:28 PM
....integrity check it would go further than corrupting an array of strings i'd think.
regards, sna
First of all, let me say thank you so very much for taking the time to help me out. I'm a pretty intelligent guy, but it hasn't been until recently that I've taken an interest in manipulating code at this level. I must say that I'm envious of your ability to disseminate the code I've given you, and am extremely excited at the prospect of understanding things the way you do at some point. I honestly have only the faintest idea of how you arrived at your <--- descriptions of the lines of code.
I agree that I don't think there is an integrity check of the code, but instead that some piece of information was not written sometime earlier in the program BECAUSE of the crack I've applied. The resulting disappearance of the text is NOT a big deal, but my understanding of it is.
The missing piece of code you referred to is:
:00437494 8B0DC8624800 mov ecx, dword ptr [004862C8]
:0043749A 894DF8 mov dword ptr [ebp-08], ecx
I misinterpreted the course of the code.
OK, as far as the problem goes, I just need to find why dword ptr [eax] on the error line is pointing to an invalid address; that's my problem. But if I may bend your ear about some of the things I don't understand yet, I'll give it a shot:
get ready for some newbie questions:
1) "dword ptr [eax]": since eax IS a 32-bit unit, what is the meaning of putting "dword ptr" in front of it? I thought that something like "word ptr [eax]" would mean "use only 16 bits of eax".
2) what does it mean when there is a sign and number such as "dword ptr [esp+04]"?
3) how did you come to the conclusion that :00437825 was about getting the array element's length?
anyway, I could go on forever, but you have no obligation to spend your time (of which I know I have very little) helping me. You've done a lot already. Thanks again. -b
Hi, i'm glad i could help.
1) "dword ptr [eax]": since eax IS a 32-bit unit, what is the meaning of putting "dword ptr" in front of it? I thought that something like "word ptr [eax]" would mean "use only 16 bits of eax".
1 - in this case EAX is a pointer pointing to something. "dword"/"word"/"byte" specifies the operand size (size of what EAX is pointing to).
let's for a second pretend that EAX is pointing to 01,02,03,04,05,06,07,08 - here's how you'd access a dword, word and byte respectively:
mov eax, dword ptr [eax]     <--- EAX = 0x04030201
mov ax, word ptr [eax]       <--- EAX = 0x0201
mov al, byte ptr [eax]       <--- EAX = 01
the values are byte swapped because intel's using little-endian. now, i'm not entirely sure if that was your question...
maybe you were asking why it's "mov eax, dword ptr [eax]" instead of "mov eax, [eax]" ?
i'll have you know that they're the same. it's the preference of the disassembler coder that determines which one will be used.
2) what does it mean when there is a sign and number such as "dword ptr [esp+04]"?
2 - register w/ sign and number means "use register as base pointer but add or subtract the number thus creating a new temporary pointer"
for example, with EAX still pointing to the number sequence, here's how you'd update the second dword (previously 0x08070605):
mov dword ptr [eax+04], 11223344h
3) how did you come to the conclusion that :00437825 was about getting the array element's length?
3 - experience. grabbing a pointer to a structure and reading the dword just ahead of it would normally not make any sense.
unless, of course, we're dealing with strings.
regards, sna
zambuka42
05-04-2004, 10:28 AM
1 - in this case EAX is a pointer pointing to something. "dword"/"word"/"byte" specifies the operand size (size of what EAX is pointing to).
let's for a second pretend that EAX is pointing to 01,02,03,04,05,06,07,08
2 - register w/ sign and number means "use register as base pointer but add or subtract the number thus creating a new temporary pointer"
for example, with EAX still pointing to the number sequence, here's how you'd update the second dword (previously 0x08070605):
mov dword ptr [eax+04], 11223344h
Thanks again! I'll ask one more question about your previous answers and I'll sit back and be a happy jew. I promise I'll repay this kindness in the form of karma towards someone else.
1. As I understand it, "dword ptr [eax]" is not saying "use the value of eax", but instead "use the value at the address of [eax]'s value". What I'm confused about is how you worded it as 01,02,03... does that mean that [eax] is pointing to 8 byte-sized numbers, instead of a 32-bit hex number?
2. I must admit I'm a bit confused by this, mainly because of the fact that you said "here's how you'd update the second dword (previously 0x08070605)". What did you mean it was previously 08070605? I don't recall seeing that anywhere; it just threw me a bit. So are you saying that by moving 11223344h into dword ptr [eax+04], as it's being moved, 04 is being added to each byte segment of this 8-digit hex value?
thanks. -b
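An added example (mine, not sna's or zambuka42's) that turns sna's byte sequence 01..08 into code, for the operand-size and [eax+04] questions above: portable little-endian loads of a dword, word and byte from one address, the displacement form as address arithmetic, and the store of 11223344h into the second dword. The sample bytes are constructed and the function names are assumptions. The "+04" is added to the address before the access, never to the data; the second dword "previously 0x08070605" is simply bytes 05 06 07 08 read least-significant first, and 8 byte-sized values and "a 32-bit number" are the same memory looked at with different operand sizes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The eight bytes sna assumes EAX points at (constructed sample). */
static const uint8_t sample[8] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};

/* Scratch copy the store below is applied to, so callers can inspect
 * the resulting bytes. */
static uint8_t scratch[8];

/* mov eax, dword ptr [base+disp]: the displacement is added to the
 * address, then four bytes are read with the lowest address landing in
 * the least significant position (little-endian), whatever the host. */
static uint32_t load_dword(const uint8_t *base, size_t disp) {
    const uint8_t *p = base + disp;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* mov ax, word ptr [base+disp]: same address, two bytes. */
static uint16_t load_word(const uint8_t *base, size_t disp) {
    const uint8_t *p = base + disp;
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* mov al, byte ptr [base+disp]: one byte, nothing to swap. */
static uint8_t load_byte(const uint8_t *base, size_t disp) {
    return base[disp];
}

/* mov dword ptr [base+disp], imm32: the immediate is split into bytes,
 * least significant first, and written starting at base+disp.  Bytes
 * before the displacement are untouched. */
static void store_dword(uint8_t *base, size_t disp, uint32_t v) {
    uint8_t *p = base + disp;
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Copy the sample into `out`, perform sna's
 * `mov dword ptr [eax+04], 11223344h`, and return the second dword read
 * back (0x11223344).  out[0..3] stay 01 02 03 04; out[4..7] become
 * 44 33 22 11. */
static uint32_t apply_store_at_4(uint8_t out[8]) {
    memcpy(out, sample, sizeof sample);
    store_dword(out, 4, 0x11223344u);
    return load_dword(out, 4);
}

/* Whether the machine running this is itself little-endian, i.e. whether
 * a plain uint32_t read of the sample would agree with what x86 does.
 * load_dword() above gives the x86 answer regardless. */
static int host_is_little_endian(void) {
    uint32_t v;
    memcpy(&v, sample, sizeof v);
    return v == 0x04030201u;
}

int main(void) {
    printf("dword [eax]   = 0x%08x\n", (unsigned)load_dword(sample, 0)); /* 0x04030201 */
    printf("word  [eax]   = 0x%04x\n", (unsigned)load_word(sample, 0));  /* 0x0201 */
    printf("byte  [eax]   = 0x%02x\n", (unsigned)load_byte(sample, 0));  /* 0x01 */
    printf("dword [eax+4] = 0x%08x\n", (unsigned)load_dword(sample, 4)); /* 0x08070605 */
    apply_store_at_4(scratch);
    printf("after store  : ");
    for (size_t i = 0; i < 8; i++) printf("%02x ", scratch[i]);          /* 01 02 03 04 44 33 22 11 */
    printf("\nhost little-endian: %d\n", host_is_little_endian());
    return 0;
}
```

Build with `cc -std=c99 -Wall endian_demo.c`. The shift-and-or loads are what a debugger shows you on x86; the memcpy-into-uint32_t shortcut only matches on a little-endian host, which is why parsers that walk structures found in a binary (a Pascal length dword, for instance) should decode bytes explicitly rather than cast.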