&Vage (Grandmaster Cheater Supreme; Reputation: 0; Joined: 25 Jul 2008; Posts: 1053)
Posted: Tue Dec 15, 2009 3:24 pm

Lol no one?

SunBeam (I post too much; Reputation: 65; Joined: 25 Feb 2005; Posts: 4023; Location: Romania)
Posted: Tue Jan 05, 2010 6:20 am

SEH? Nice..

haha01haha01 (Grandmaster Cheater Supreme; Reputation: 0; Joined: 15 Jun 2007; Posts: 1233; Location: http://www.SaviourFagFails.com/)
Posted: Wed Jan 06, 2010 11:30 am

It would help if you hosted it on some normal file hosting site that actually lets people download over 5% of the time.

DoomsDay (Grandmaster Cheater; Reputation: 0; Joined: 06 Jan 2007; Posts: 768; Location: %HomePath%)
Posted: Wed Jan 06, 2010 12:29 pm

Cracking is easy... I'll find the time to dig into that password later...
As for a patching solution:
mov [403096],401760 (instead of 401740)

haha01haha01 (Grandmaster Cheater Supreme; Reputation: 0; Joined: 15 Jun 2007; Posts: 1233; Location: http://www.SaviourFagFails.com/)
Posted: Wed Jan 06, 2010 1:33 pm

Okay, I managed to download it. That's one complicated shit over there, lol.
It looks like everything is happening at 401030, but all that function looks so random. It loops n times and in each loop it:
1. Grabs a byte from an offset decided in the previous loop (EAX as base + EDI as offset).
2. Does some sort of pointless loop that makes ESI = the byte we took before - 1 (unless that byte is over 1C, in which case it jumps to stage 4).
3. Pushes EDI as argument and calls the ESIth DWORD from an array of functions (one of them writes the 40173F that later turns into 401740 into the CONTEXT structure on the stack).
4. Adds some byte (the result of the function from stage 3?) to EDI.
So basically in that function almost everything is decided by the result of the previous loop, even the functions to call and all. And we need EDI to be 15 instead of 11 when it reaches the function at 401320 (was round #5 for me, not sure if it's constant, pretty sure it's not); then the correct pointer is written and we're correct.
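An added example, not code from the thread or from the crackme, that models the four-stage loop described in the post above in C so the buffer can be emulated offline instead of single-stepped in the debugger. The opcode buffer, the function table layout, the handler bodies, the constant CTX_BASE (chosen so that EDI = 15 produces 40173F in this model), and the treatment of byte values 0 and above 1C are all assumptions; the real values are not on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the dispatch loop described in the post: fetch a byte at
 * EAX+EDI, ESI = byte - 1 picks a handler from a function table, the handler is
 * called with EDI, and its result is added to EDI. Buffer, table layout, handler
 * behaviour and every constant here are hypothetical stand-ins, not the crackme. */

#define MAX_OPCODE 0x1C          /* bytes above this skip the handler call (straight to stage 4) */
#define MAX_STEPS  64            /* the real loop runs n times; capped here */
#define CTX_BASE   0x40172AU     /* hypothetical: value written = CTX_BASE + EDI */

typedef struct {
    const uint8_t *buf;          /* EAX: base of the opcode buffer */
    size_t         len;
    uint32_t       edi;          /* EDI: current offset into buf */
    uint32_t       ctx_eip;      /* stand-in for the CONTEXT field the handler writes */
    uint32_t       ctx_edi;      /* EDI at the time of that write; 0xFFFFFFFF = never */
    int            trace;
} vm_state;

typedef uint32_t (*handler_fn)(vm_state *vm);  /* returns the delta for stage 4 */

static uint32_t h_step(vm_state *vm)    { (void)vm; return 1; }
static uint32_t h_skip2(vm_state *vm)   { (void)vm; return 2; }
static uint32_t h_operand(vm_state *vm) {            /* delta = the byte after the opcode */
    return (vm->edi + 1 < vm->len) ? vm->buf[vm->edi + 1] : 1;
}
static uint32_t h_ctx_write(vm_state *vm) {          /* the handler that fills the CONTEXT */
    vm->ctx_eip = CTX_BASE + vm->edi;                /* what gets written depends on EDI */
    vm->ctx_edi = vm->edi;
    return 1;
}

/* Function table indexed by ESI = opcode - 1; slot positions are hypothetical,
 * unlisted slots fall back to h_step at dispatch time. */
static handler_fn table[MAX_OPCODE] = {
    [0x00] = h_step, [0x01] = h_skip2, [0x02] = h_operand, [0x04] = h_ctx_write,
};

/* Constructed sample buffer (24 bytes). */
static const uint8_t sample_buf[0x18] = {
    0x01, 0x03, 0x10, 0x02, 0x02, 0x02, 0x02, 0x02,   /* 0x00: step, then jump by operand 0x10 */
    0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
    0x02, 0x05, 0x20, 0x00, 0x00, 0x05, 0x20, 0x00,   /* 0x11 and 0x15: ctx write; 0x20 ends the run */
};

/* Emulates the loop from start_edi; with trace set it prints one line per
 * iteration, i.e. traces the buffer instead of single-stepping the binary. */
static vm_state run_vm(const uint8_t *buf, size_t len, uint32_t start_edi, int trace)
{
    vm_state vm = { buf, len, start_edi, 0, 0xFFFFFFFFu, trace };
    for (int step = 0; step < MAX_STEPS && vm.edi < vm.len; step++) {
        uint8_t  op = vm.buf[vm.edi];                    /* stage 1 */
        uint32_t delta;
        if (op == 0 || op > MAX_OPCODE) {                /* stage 2 bails straight to stage 4 */
            delta = op ? op : 1;                         /* assumption: raw byte is the delta; 0 => 1 */
            if (trace) printf("%2d edi=%02X op=%02X  no handler  +%02X\n",
                              step, (unsigned)vm.edi, (unsigned)op, (unsigned)delta);
        } else {
            uint32_t esi = op - 1;                       /* stage 2: ESI = byte - 1 */
            handler_fn h = table[esi] ? table[esi] : h_step;
            delta = h(&vm);                              /* stage 3: call table[ESI] with EDI */
            if (trace) printf("%2d edi=%02X op=%02X  table[%02X]  +%02X\n",
                              step, (unsigned)vm.edi, (unsigned)op, (unsigned)esi, (unsigned)delta);
        }
        vm.edi += delta;                                 /* stage 4 */
    }
    return vm;
}

/* Same run with the operand byte at offset 0x02 replaced: shows how one byte in
 * the buffer decides which EDI the CONTEXT-writing handler sees. */
static vm_state run_patched(uint8_t operand, int trace)
{
    uint8_t buf[sizeof sample_buf];
    memcpy(buf, sample_buf, sizeof buf);
    buf[0x02] = operand;
    vm_state r = run_vm(buf, sizeof buf, 0, trace);
    r.buf = NULL;                                        /* local buffer goes out of scope */
    return r;
}

int main(void)
{
    vm_state a = run_vm(sample_buf, sizeof sample_buf, 0, 1);
    printf("original: ctx written at edi=%02X, value=%08X\n", (unsigned)a.ctx_edi, (unsigned)a.ctx_eip);
    vm_state b = run_patched(0x14, 1);
    printf("patched : ctx written at edi=%02X, value=%08X\n", (unsigned)b.ctx_edi, (unsigned)b.ctx_eip);
    return 0;
}
```

Build with any C99 compiler and run it: the trace prints each iteration's EDI, opcode, selected table slot and delta, and the two summary lines show that in this model a single operand byte is what moves the CONTEXT handler from EDI = 11 to EDI = 15. Against the real binary the same shape of emulator lets you dump the buffer once and replay it rather than breaking on the handler every round.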

&Vage (Grandmaster Cheater Supreme; Reputation: 0; Joined: 25 Jul 2008; Posts: 1053)
Posted: Fri Jan 08, 2010 3:49 pm

SunBeam wrote: "SEH? Nice.."
Thanks, a friend of mine told me this method.
haha: Trace the buffer.