Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 02-18-2011, 02:47
RaptorX
 
Posts: n/a
Unwanted code added while assembling on Olly

In the executable provided in chapter 6 of Lena's tutorials I see the following code which is responsible of setting the variable that will be used for checking if the app is registered or not:

Code:
; AL contains 0 from a previous call to a custom function,
; which is the one that checks if the app is registered or not.

005C2BF6    .  8B15 8CEB6000     MOV EDX,DWORD PTR DS:[60EB8C]
005C2BFC    .  8802              MOV BYTE PTR DS:[EDX],AL
005C2BFE    .  A1 8CEB6000       MOV EAX,DWORD PTR DS:[60EB8C]
005C2C03    .  8038 00           CMP BYTE PTR DS:[EAX],0
005C2C06    .  75 0D             JNZ SHORT pcsurgeo.005C2C15
005C2C08    .  E8 6307EEFF       CALL pcsurgeo.004A3370
After that code the pointer at 60EB8C is checked several times to make decisions on to whether to display register messages/buttons or not.

In the tutorial file I see Lena changing this:
Code:
005C2C03    .  8038 00           CMP BYTE PTR DS:[EAX],0
005C2C06    .  75 0D             JNZ SHORT pcsurgeo.005C2C15
to this:
Code:
005C2C03    .  8038 00           MOV BYTE PTR DS:[EAX],1
005C2C06    .  75 0D             JMP SHORT pcsurgeo.005C2C15

So i thought that i could achieve the same by fixing the MOV that is before those two lines like this:

Code:
005C2BFC    .  8802              MOV BYTE PTR DS:[EDX],1    ; Force it to be 1
But as soon as i do that the whole code changes to this:

Code:
005C2BF6    .  8B15 8CEB6000     MOV EDX,DWORD PTR DS:[60EB8C]
005C2BFC       C602 01           MOV BYTE PTR DS:[EDX],1     ; Changed line
005C2BFF       8CEB              MOV BX,GS    ; automatically added
005C2C01       60                PUSHAD        ; automatically added
005C2C02       0080 3800750D     ADD BYTE PTR DS:[EAX+D750038],AL
Can somebody explain me why does that happen?
Reply With Quote
  #2  
Old 02-18-2011, 03:20
IWarez IWarez is offline
Friend
 
Join Date: Jul 2003
Posts: 41
Rept. Given: 7
Rept. Rcvd 6 Times in 2 Posts
Thanks Given: 1
Thanks Rcvd at 0 Times in 0 Posts
IWarez Reputation: 7
That's because you are replacing the opcodes 88 02 with C6 02 01 which is longer and overwrites the MOV EAX,DWORD PTR DS:[60EB8C] instruction by one byte.
Reply With Quote
  #3  
Old 02-18-2011, 03:39
RaptorX
 
Posts: n/a
Ok that makes sense, in part...

Im still not sure why changing AL to 1 changes "8802" to "C6 02 01" I thought the change to the opcode would be minimal since I am "removing" instead of adding characters.

I will go and read about opcodes in a sec.
Reply With Quote
  #4  
Old 02-18-2011, 03:49
virus virus is offline
Friend
 
Join Date: Apr 2002
Posts: 55
Rept. Given: 3
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 17
Thanks Rcvd at 17 Times in 11 Posts
virus Reputation: 2
Quote:
Originally Posted by RaptorX View Post
I will go and read about opcodes in a sec.
Here you go:
Quote:
hxxp://www.intel.com/design/pentiumii/manuals/243191.htm
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Unwanted Software Site! ranadharm General Discussion 17 11-29-2018 13:51
Unpacking, Olly Code display bgrimm General Discussion 1 02-23-2004 07:00


All times are GMT +8. The time now is 10:21.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )