Cheat Engine

zeroc0de · Cheater Reputation: 0 Joined: 31 Aug 2008 Posts: 32

Lol, right...

00402009 - EB 68

athiwatc · Posted: Thu Sep 04, 2008 2:11 am Post subject:

can you change jump to some other value if you can i just cracked it

Symbol · Posted: Thu Sep 04, 2008 9:20 am Post subject:

You know we can replace just replace NOPs with shit like EB 00 (jump 2 bytes, to the next address, "EB 00" is 2 bytes) or 50 58 (push eax, pop eax) or if you need to patch an odd number of bytes, things like like stc/clc (Set Carry flag, Clear Cary flag) or use inc/dec instruction on a register that isn't in used...

Anyway, there are infinite possible combinations to reverse this without using NOP nor EB 68 at some address...

SunBeam · Posted: Thu Sep 04, 2008 9:25 am Post subject:

Here's a detailed analysis, if you want, although it's a simple mind-blowing target..

1) Olly -> Run app -> Pause -> Alt+F9 -> Click "OK" -> we land @ 402058

2) Scroll up, find start of function -> ShowMsgBox() = 401FA0 -> F2 on it -> F9 -> we break after clicking "OK"

3) Check stack:

$ ==> > 66051FB3 RETURN to MSVBVM60.66051FB3
$+4 > 0015F769 ASCII "2@"
$+8 > 0012FB94
$+C > 00401C85 prjRever.00401C85
$+10 > 0015F7B0
$+14 > 00401C30 prjRever.00401C30

401C85 works pretty much like a switch-case, picking the function to execute and adjusting stack.

00401C85 816C24 04 47000000 SUB DWORD PTR SS:[ESP+4],47
00401C8D E9 0E030000 JMP 00401FA0
00401C92 816C24 04 4F000000 SUB DWORD PTR SS:[ESP+4],4F
00401C9A E9 21040000 JMP 004020C0
00401C9F 816C24 04 37000000 SUB DWORD PTR SS:[ESP+4],37
00401CA7 E9 D4040000 JMP 00402180
00401CAC 816C24 04 3B000000 SUB DWORD PTR SS:[ESP+4],3B
00401CB4 E9 77060000 JMP 00402330 ;
00401CB9 816C24 04 4B000000 SUB DWORD PTR SS:[ESP+4],4B
00401CC1 E9 1A080000 JMP 004024E0
00401CC6 816C24 04 43000000 SUB DWORD PTR SS:[ESP+4],43
00401CCE E9 FD0C0000 JMP 004029D0

You can see all main program functions above Wink

Take it as a suggestion..

zeroc0de · Cheater Reputation: 0 Joined: 31 Aug 2008 Posts: 32