Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Kindle for PC DRM (https://forum.exetools.com/showthread.php?t=12578)

LaBBa 12-09-2009 02:45

Kindle for PC DRM
 
Hi all,
my friend just showed me this application "Kindle for PC" - http://www.amazon.com/gp/feature.html/ref=kcp_pc_mkt_lnd?docId=1000426311
that is able to read files (.prc) that are DRM-protected and encrypted.

Now I have seen in this URL:
http://www.makeuseof.com/tag/how-to-strip-mobi-and-prc-ebooks-of-encryption/

that someone already found how to decrypt the DRM given the PID of the device, but for "Kindle for PC" they haven't found yet what the PID is or where it is stored.

I'm starting to reverse Amazon's application to see if it is possible for a user to extract his PID so he can later decrypt the book files and use them in other software to read them, other than Amazon's "Kindle for PC" application.
I'm buying a sample book so I can start tracing/REing it :-)

Anyone wanna join me?

LaBBa.

LaBBa 12-09-2009 06:23

progress
 
I have compared so far two types of run, one without DRM and the other with DRM, and I have found that the behaviour that decides whether to continue or to show an error message is in this sub:

Code:

.text:00414270 sub_414270      proc near              ; CODE XREF: sub_414240:loc_41425Bp
.text:00414270                                        ; sub_4197F0:loc_4199C1p ...
.text:00414270
.text:00414270 var_30          = dword ptr -30h
.text:00414270 var_2C          = dword ptr -2Ch
.text:00414270 var_28          = dword ptr -28h
.text:00414270 var_24          = byte ptr -24h
.text:00414270 var_20          = byte ptr -20h
.text:00414270 var_C          = dword ptr -0Ch
.text:00414270 var_4          = dword ptr -4
.text:00414270
.text:00414270                push    ebp
.text:00414271                mov    ebp, esp
.text:00414273                and    esp, 0FFFFFFF8h
.text:00414276                mov    eax, large fs:0
.text:0041427C                push    0FFFFFFFFh
.text:0041427E                push    offset sub_A01580
.text:00414283                push    eax
.text:00414284                mov    large fs:0, esp
.text:0041428B                sub    esp, 28h
.text:0041428E                push    ebx
.text:0041428F                push    esi
.text:00414290                push    edi
.text:00414291                mov    edi, ecx
.text:00414293                mov    ecx, [edi+3Ch]
.text:00414296                xor    ebx, ebx
.text:00414298                cmp    ecx, ebx
.text:0041429A                jz      short loc_4142A4
.text:0041429C                mov    eax, [ecx]
.text:0041429E                mov    edx, [eax+2Ch]
.text:004142A1                push    ebx
.text:004142A2                call    edx
.text:004142A4
.text:004142A4 loc_4142A4:                            ; CODE XREF: sub_414270+2Aj
.text:004142A4                mov    eax, dword_D1CB60
.text:004142A9                mov    [esp+40h+var_30], eax
.text:004142AD                mov    ecx, 1
.text:004142B2                lock xadd [eax], ecx
.text:004142B6                mov    [esp+40h+var_4], ebx
.text:004142BA                mov    eax, [edi+20h]
.text:004142BD                cmp    eax, ebx
.text:004142BF                jz      loc_41443B
.text:004142C5                cmp    [eax+1Dh], bl
.text:004142C8                jnz    loc_41443B
.text:004142CE                cmp    [eax+14h], ebx
.text:004142D1                jz      loc_4143C4
.text:004142D7                lea    esi, [esp+40h+var_20]
.text:004142DB                call    sub_46BFF0
.text:004142E0                mov    byte ptr [esp+40h+var_4], 1
.text:004142E5                mov    edx, [edi+20h]
.text:004142E8                mov    ecx, [edx+14h]
.text:004142EB                mov    eax, [ecx]
.text:004142ED                mov    eax, [eax+8]
.text:004142F0                mov    edx, esi
.text:004142F2                push    edx
.text:004142F3                lea    edx, [esp+44h+var_2C]
.text:004142F7                push    edx
.text:004142F8                call    eax
.text:004142FA                lea    ecx, [esp+40h+var_28]
.text:004142FE                push    ecx
.text:004142FF                mov    byte ptr [esp+44h+var_4], 2
.text:00414304                call    sub_43EC40
.text:00414309                add    esp, 4
.text:0041430C                push    eax
.text:0041430D                lea    ecx, [esp+44h+var_30]
.text:00414311                mov    byte ptr [esp+44h+var_4], 3
.text:00414316                call    sub_904EE0
.text:0041431B                mov    byte ptr [esp+40h+var_4], 2
.text:00414320                mov    edx, [esp+40h+var_28]
.text:00414324                or      eax, 0FFFFFFFFh
.text:00414327                lock xadd [edx], eax
.text:0041432B                jnz    short loc_41433A
.text:0041432D                mov    ecx, [esp+40h+var_28]
.text:00414331                push    ecx            ; void *
.text:00414332                call    j_free
.text:00414337                add    esp, 4
.text:0041433A
.text:0041433A loc_41433A:                            ; CODE XREF: sub_414270+BBj
.text:0041433A                mov    ecx, [esp+40h+var_2C]
.text:0041433E                cmp    ecx, ebx
.text:00414340                jz      short loc_4143B7
.text:00414342                push    1
.text:00414344                push    ecx
.text:00414345                mov    eax, esp
.text:00414347                mov    [eax], ecx
.text:00414349                mov    ecx, [esp+48h+var_2C]
.text:0041434D                mov    [esp+48h+var_28], esp
.text:00414351                cmp    ecx, ebx
.text:00414353                jz      short loc_41435B
.text:00414355                mov    edx, [ecx]
.text:00414357                mov    eax, [edx]
.text:00414359                call    eax
.text:0041435B
.text:0041435B loc_41435B:                            ; CODE XREF: sub_414270+E3j
.text:0041435B                mov    byte ptr [esp+48h+var_4], 4
.text:00414360                mov    ecx, [edi+20h]
.text:00414363                mov    eax, [ecx+14h]
.text:00414366                push    eax
.text:00414367                call    sub_402AD0
.text:0041436C                push    eax
.text:0041436D                mov    byte ptr [esp+50h+var_4], 2
.text:00414372                call    sub_403FA0
.text:00414377                mov    byte ptr [esp+40h+var_4], 1
.text:0041437C                mov    ecx, [esp+40h+var_2C]
.text:00414380                cmp    ecx, ebx
.text:00414382                jz      short loc_41438B
.text:00414384                mov    edx, [ecx]
.text:00414386                mov    eax, [edx+4]
.text:00414389                call    eax
.text:0041438B
.text:0041438B loc_41438B:                            ; CODE XREF: sub_414270+112j
.text:0041438B                lea    edi, [esp+40h+var_20]

.text:004143B1                push    eax
.text:004143B2                jmp    loc_414455
.text:004143B7 ; ---------------------------------------------------------------------------
.text:004143B7
.text:004143B7 loc_4143B7:                            ; CODE XREF: sub_414270+D0j
.text:004143B7                lea    edi, [esp+40h+var_20]
.text:004143BB                mov    byte ptr [esp+40h+var_4], bl
.text:004143BF                call    sub_403F60
.text:004143C4
.text:004143C4 loc_4143C4:                            ; CODE XREF: sub_414270+61j
.text:004143C4                lea    ecx, [esp+40h+var_28]
.text:004143C8                push    ecx
.text:004143C9                call    sub_401500
.text:004143CE                add    esp, 4
.text:004143D1                push    offset aCouldNotOpenBo ; "Could not open book, shoot!"
.text:004143D6                mov    ecx, eax
.text:004143D8                mov    byte ptr [esp+44h+var_4], 5

.text:00414436                call    BadBoy
.text:0041443B
.text:0041443B loc_41443B:                            ; CODE XREF: sub_414270+4Fj
.text:0041443B                                        ; sub_414270+58j
.text:0041443B                mov    [esp+40h+var_4], 0FFFFFFFFh
.text:00414443                mov    edx, [esp+40h+var_30]
.text:00414447                or      eax, 0FFFFFFFFh
.text:0041444A                lock xadd [edx], eax
.text:0041444E                jnz    short loc_41445D
.text:00414450                mov    ecx, [esp+40h+var_30]
.text:00414454                push    ecx            ; void *
.text:00414455
.text:00414455 loc_414455:                            ; CODE XREF: sub_414270+142j
.text:00414455                call    j_free
.text:0041445A                add    esp, 4
.text:0041445D
.text:0041445D loc_41445D:                            ; CODE XREF: sub_414270+137j
.text:0041445D                                        ; sub_414270+1DEj
.text:0041445D                mov    ecx, [esp+40h+var_C]
.text:00414461                pop    edi
.text:00414462                pop    esi
.text:00414463                mov    large fs:0, ecx
.text:0041446A                pop    ebx
.text:0041446B                mov    esp, ebp
.text:0041446D                pop    ebp
.text:0041446E                retn

The critical point of the good/bad jump is at this place:
00414340 JE SHORT

If all is good the jump shouldn't be taken; if it's bad then it is taken,
and then we get to the private error string:
"Could not open book, shoot!"

That's all for now..

Regards,
LaBBa.

Shub-Nigurrath 12-09-2009 16:41

As long as it is possible to help without owning a Kindle, I am on board. Send me details.

BR

LaBBa 12-09-2009 18:00

Well,
I have purchased a book from Amazon that is protected with DRM, compared the execution on my computer and on an illegal VM, and got those results.

(only $5, so I don't care, because it is a challenge for me to do it)

Nukacola 12-09-2009 20:26

So I'm on board as well. I guess you (LaBBa) also didn't have a Kindle and you use the PC reader published a short time ago. One time on the PC where you bought the book and a second time in a VM without a licence. Or am I wrong and this is not the case?

Regards
Nukacola

LaBBa 12-09-2009 21:16

This is the case indeed.
The current version that I use to do my reversing is:
Kindle For PC v1.0 Beta 1 (25338)

You can set a BP yourself on the code I have pasted above and start the reversing..
I'm currently moving really slowly to make sure I didn't miss anything else that occurred that I didn't notice..

LaBBa 12-10-2009 20:37

Hi all, news:
I have looked a little at the source code of MobiDeDRM
and from what I have seen there is a vector like this:

Code:

def parseDRM(self, data, count, pid):
    # the PID is padded to 16 bytes and PC1-encrypted under the fixed keyvec1;
    # PC1 is MobiDeDRM's Pukall Cipher 1 routine, defined elsewhere in the file
    pid = pid.ljust(16,'\0')
    keyvec1 = "\x72\x38\x33\xB0\xB4\xF2\xE3\xCA\xDF\x09\x01\xD6\xE2\xE0\x3F\x96"
    temp_key = PC1(keyvec1, pid, False)
    temp_key_sum = sum(map(ord,temp_key)) & 0xff   # 8-bit checksum of temp_key

I looked for these bytes in Kindle for PC:
\x72\x38\x33\xB0\xB4\xF2\xE3\xCA\xDF\x09\x01\xD6\xE2\xE0\x3F\x96

and yes, I found it!

Currently I'm starting to debug to see when it is used...

Regards,
LaBBa.
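The key derivation that the MobiDeDRM snippet in the post above starts, carried through as an added example: this is not code from the thread, from Kindle for PC or from MobiDeDRM's own source, but a Python 3 reimplementation of its PC1 cipher, of the temp_key/checksum derivation from keyvec1 and a PID, and of the record-matching loop of parseDRM(). keyvec1 is the constant quoted in the thread; the 0x30-byte record layout and the acceptance test are assumed from MobiDeDRM's parseDRM() (they are not shown on this page); the PID, the book key and the DRM records are constructed here for the demo.

```python
import struct

# Added example (not from the thread, Kindle for PC or MobiDeDRM's source):
# Python 3 reimplementation of the key derivation parseDRM() above starts with.
# KEYVEC1 is the constant quoted in the thread; the PID, book key and DRM
# records used below are constructed for the demo.

KEYVEC1 = bytes.fromhex("723833B0B4F2E3CADF0901D6E2E03F96")


def pc1(key: bytes, src: bytes, decryption: bool = True) -> bytes:
    """Pukall Cipher 1 (the PC1() routine of MobiDeDRM): a byte-wise stream
    cipher whose eight 16-bit key words are XORed with each plaintext byte,
    so one function encrypts (decryption=False) and decrypts (default)."""
    if len(key) != 16:
        raise ValueError("PC1 key must be 16 bytes")
    wkey = [(key[2 * j] << 8) | key[2 * j + 1] for j in range(8)]
    sum1 = sum2 = 0
    out = bytearray()
    for cur in src:
        temp1 = 0
        byte_xor = 0
        for j in range(8):            # derive one keystream word from the key words
            temp1 ^= wkey[j]
            sum2 = (sum2 + j) * 20021 + sum1
            sum1 = (temp1 * 346) & 0xFFFF
            sum2 = (sum2 + sum1) & 0xFFFF
            temp1 = (temp1 * 20021 + 1) & 0xFFFF
            byte_xor ^= temp1 ^ sum2
        if not decryption:
            key_xor = cur * 257       # encrypting: the input byte is the plaintext
        cur = ((cur ^ (byte_xor >> 8)) ^ byte_xor) & 0xFF
        if decryption:
            key_xor = cur * 257       # decrypting: the output byte is the plaintext
        for j in range(8):            # the plaintext byte feeds back into the key words
            wkey[j] ^= key_xor
        out.append(cur)
    return bytes(out)


def derive_temp_key(pid: bytes):
    """Pad the PID to 16 bytes and PC1-encrypt it under KEYVEC1, exactly as the
    snippet does; returns (temp_key, 8-bit checksum of temp_key)."""
    padded = pid.ljust(16, b"\0")
    temp_key = pc1(KEYVEC1, padded, False)
    return temp_key, sum(temp_key) & 0xFF


def parse_drm(data: bytes, count: int, pid: bytes):
    """Walk `count` 0x30-byte DRM records and return the 16-byte book key of the
    record that matches this PID, or None. Record layout and acceptance test are
    assumed from MobiDeDRM's parseDRM(): the cookie decrypts under temp_key to a
    verification value that must equal the record header's, the header checksum
    must equal the temp_key checksum, and the low flag bits must be 1."""
    temp_key, temp_key_sum = derive_temp_key(pid)
    for i in range(count):
        rec = data[i * 0x30:(i + 1) * 0x30]
        verification, size, rtype, cksum, cookie = struct.unpack(">LLLBxxx32s", rec)
        ver, flags, finalkey, expiry, expiry2 = struct.unpack(">LL16sLL", pc1(temp_key, cookie))
        if verification == ver and cksum == temp_key_sum and (flags & 0x1F) == 1:
            return finalkey
    return None


def make_drm_record(pid: bytes, book_key: bytes, verification: int = 0x2009) -> bytes:
    """Constructed test helper (the inverse of parse_drm): build the DRM record
    that parse_drm() accepts for `pid`, i.e. a cookie encrypted under that
    PID's temp_key with the matching header checksum."""
    temp_key, temp_key_sum = derive_temp_key(pid)
    cookie = struct.pack(">LL16sLL", verification, 1, book_key, 0, 0)
    return struct.pack(">LLLBxxx32s", verification, 0x30, 1, temp_key_sum,
                       pc1(temp_key, cookie, False))


if __name__ == "__main__":
    my_pid = b"ABCD1234EF"                   # constructed 10-character PID
    book_key = bytes(range(16))              # constructed book key
    records = make_drm_record(b"OTHERPID00", b"\xAA" * 16) + make_drm_record(my_pid, book_key)
    print("temp_key:", derive_temp_key(my_pid)[0].hex())
    print("key for my PID:", parse_drm(records, 2, my_pid).hex())
    print("key for a wrong PID:", parse_drm(records, 2, b"WRONGPID99"))
```

Run it as a script and it prints the temp_key derived for the constructed PID, recovers the constructed book key from the record built for that PID, and returns None for a PID that has no record. The point to take from it for the reversing in the thread: everything after keyvec1 is keyed only by the PID, so once the breakpoint on those 16 bytes fires, the 16-byte buffer that PC1 is fed next to them is the padded PID the thread is looking for.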
