#1  08-02-2008, 02:49 PM
Ace (Junior Member, Join Date: May 2008, Posts: 3)
How to change eax, edx of wlscgen.exe

First of all, please help me.

Could you please tell me how to change eax, edx and the memory address [00574199]?
with breakpoints at addresses 00414746 and 004147EE
Based on: http://www.woodmann.com/crackz/Tutorials/Wlscgen.htm

This is the W32Dasm listing of Wlscgen.exe:


:00414710 A4 movsb
:00414711 8D4B64 lea ecx, dword ptr [ebx+64]
:00414714 E81F1C0900 call 004A6338
:00414719 8BF8 mov edi, eax
:0041471B 83C9FF or ecx, FFFFFFFF
:0041471E 33C0 xor eax, eax
:00414720 8D54244D lea edx, dword ptr [esp+4D]
:00414724 F2 repnz
:00414725 AE scasb
:00414726 F7D1 not ecx
:00414728 2BF9 sub edi, ecx
:0041472A 8BC1 mov eax, ecx
:0041472C 8BF7 mov esi, edi
:0041472E 8BFA mov edi, edx
:00414730 C1E902 shr ecx, 02
:00414733 F3 repz
:00414734 A5 movsd
:00414735 8BC8 mov ecx, eax
:00414737 83E103 and ecx, 00000003
:0041473A F3 repz
:0041473B A4 movsb
:0041473C 8D4C240C lea ecx, dword ptr [esp+0C]
:00414740 51 push ecx
:00414741 E8BA69FFFF call 0040B100
:00414746 83C404 add esp, 00000004 =====> where eax=0xffffffff will be changed to 00000000?
:00414749 85C0 test eax, eax
:0041474B 0F8486000000 je 004147D7
:00414751 83F8FF cmp eax, FFFFFFFF
:00414754 7530 jne 00414786
:00414756 6A00 push 00000000
:00414758 6A30 push 00000030
:0041475A 50 push eax
:0041475B E82080FFFF call 0040C780
:00414760 83C404 add esp, 00000004
:00414763 50 push eax
:00414764 E8E88E0A00 call 004BD651
* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:03E9, "Save..." |
:00414769 68E9030000 push 000003E9
:0041476E 8BCB mov ecx, ebx
...
:004147BC 6A10 push 00000010
:004147BE 50 push eax
:004147BF E8BC7FFFFF call 0040C780
:004147C4 83C404 add esp, 00000004
:004147C7 50 push eax
:004147C8 E8848E0A00 call 004BD651
:004147CD 5F pop edi
:004147CE 5E pop esi
:004147CF 5B pop ebx
:004147D0 81C484000000 add esp, 00000084
:004147D6 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041474B(C)
|
:004147D7 8A8C248E000000 mov cl, byte ptr [esp+0000008E]
:004147DE 33D2 xor edx, edx
:004147E0 84C9 test cl, cl
:004147E2 0F95C2 setne dl
:004147E5 8D7C240C lea edi, dword ptr [esp+0C]
:004147E9 83C9FF or ecx, FFFFFFFF
:004147EC 33C0 xor eax, eax
:004147EE 8915F03C5700 mov dword ptr [00573CF0], edx ==> where edx=0x00000000 will be changed to 0x00000001?
:004147F4 F2 repnz (above) ==> where memory address 0x43000000 will be changed to 0x43000001
:004147F5 AE scasb
:004147F6 F7D1 not ecx
:004147F8 2BF9 sub edi, ecx
:004147FA 8BC1 mov eax, ecx
:004147FC 8BF7 mov esi, edi
:004147FE BFF43C5700 mov edi, 00573CF4
:00414803 C1E902 shr ecx, 02
:00414806 F3 repz
:00414807 A5 movsd
:00414808 8BC8 mov ecx, eax
:0041480A 83E103 and ecx, 00000003
:0041480D F3 repz
:0041480E A4 movsb
#2  08-03-2008, 10:35 AM
Git (Super Moderator, Torino, Join Date: Oct 2007, Posts: 1,797)

Your question makes no sense.

Git
#3  08-03-2008, 12:33 PM
ngatetpyar (Member, Join Date: Jun 2008, Posts: 18)

Here you can get the help:

http://www.woodmann.com/crackz/Tutorials/Wlscgen.htm

Read... read... read...

If you still don't understand... read, read, and read...

This was the same problem I found out about 3 months ago...

Now it is over......

So friend... read again and again...
#4  08-04-2008, 06:36 AM
Ace (Junior Member, Join Date: May 2008, Posts: 3)

Thank you for your comment.

Basically, my question is:

1. Where does the original eax=0xffffffff change to 00000000?
-------------------------------------------------------
:00414741 E8BA69FFFF call 0040B100
:00414746 83C404 add esp, 00000004 ==> based on the essay
:00414749 85C0 test eax, eax


2. Where does the original edx=0x00000000 change to 0x00000001??
----------------------------------------------------------
:004147E5 8D7C240C lea edi, dword ptr [esp+0C]
:004147E9 83C9FF or ecx, FFFFFFFF
:004147EC 33C0 xor eax, eax
:004147EE 8915F03C5700 mov dword ptr [00573CF0], edx
========> based on the essay

Again, thanks for your help Git, ngatetpyar.
#5  08-04-2008, 07:07 AM
Git (Super Moderator, Torino, Join Date: Oct 2007, Posts: 1,797)

Sorry, I still do not understand you.

Git
#6  08-04-2008, 09:03 AM
Ace (Junior Member, Join Date: May 2008, Posts: 3)

Thank you Git,

Based on the essay, in the W32Dasm listing of wlscgen.exe, go to address
:00414746
with the assembly instruction: add esp, 00000004
In the essay, register eax=0xffffffff (original) is then changed to eax=0x00000000, based on the essay.

And then at address
:004147EE 8915F03C5700 mov dword ptr [00573CF0], edx
register edx=0x00000000 (original) will be changed to 0x00000001.

Why don't I see something like
:00414746 mov eax, ffffffffh will be changed to mov eax, 00000000h
and so on?
#7  08-04-2008, 01:31 PM
Git (Super Moderator, Torino, Join Date: Oct 2007, Posts: 1,797)

I think I understand.

The essay is based on version 7.1 from the year 2000. I think you have a different version. Read the original essay here:

http://www.woodmann.com/crackz/Tutorials/Cyberheg3.htm

and try to match your code against the essay to find the new addresses to patch.

Git
#8  08-05-2008, 02:22 AM
shahram (Member, Join Date: Apr 2008, Posts: 39)

I had the same problem, because I used SDK 7.2;
try to use SLM 7.1.

Does anyone have SDK 7.1 to upload it somewhere, maybe on rapidshare?!!!

BR
Shahram
#9  04-05-2009, 02:32 AM
butaktelco (Senior Member, Join Date: Feb 2008, Posts: 71)

Use this table....
Load wlscgen into OllyDbg...
Find the address and set a breakpoint...
Look at the register....

Breakpoint Address   What to modify    Original Value   New Value    Description
00414746             eax (register)    0xFFFFFFFF       0x00000000   Username and password is valid
004147EE             edx (register)    0x00000000       0x00000001   Administrator rights flag (menu)
[00574199]           memory address    0x43000000       0x43000001   Administrator rights flag (create user)

br
#10  04-07-2009, 07:19 AM
knr (Member, Join Date: Mar 2009, Posts: 16)

Hi,
For shahram: sdk7.1 is at http://rapidshare.com/files/127037079/sdk71.rar.html

For ace: Git's answer is very appropriate; and even in sdk7.1 the memory location value could be different. I have, for my personal use, snapshots of my W32Dasm screens from when I patched wlscgen; if you want, drop me a mail and I can send the file.
Cheers,
knr