Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Unwanted code added while assembling on Olly (https://forum.exetools.com/showthread.php?t=13302)

RaptorX 02-18-2011 02:47

Unwanted code added while assembling on Olly
 
In the executable provided in chapter 6 of Lena's tutorials I see the following code, which is responsible for setting the variable that will be used for checking if the app is registered or not:

Code:

; AL contains 0 from a previous call to a custom function,
; which is the one that checks if the app is registered or not.

005C2BF6    .  8B15 8CEB6000    MOV EDX,DWORD PTR DS:[60EB8C]
005C2BFC    .  8802              MOV BYTE PTR DS:[EDX],AL
005C2BFE    .  A1 8CEB6000      MOV EAX,DWORD PTR DS:[60EB8C]
005C2C03    .  8038 00          CMP BYTE PTR DS:[EAX],0
005C2C06    .  75 0D            JNZ SHORT pcsurgeo.005C2C15
005C2C08    .  E8 6307EEFF      CALL pcsurgeo.004A3370

After that code the pointer at 60EB8C is checked several times to make decisions on to whether to display register messages/buttons or not.

In the tutorial file I see Lena changing this:
Code:

005C2C03    .  8038 00          CMP BYTE PTR DS:[EAX],0
005C2C06    .  75 0D            JNZ SHORT pcsurgeo.005C2C15

to this:
Code:

005C2C03    .  C600 01          MOV BYTE PTR DS:[EAX],1
005C2C06    .  EB 0D            JMP SHORT pcsurgeo.005C2C15


So I thought that I could achieve the same by fixing the MOV that is before those two lines like this:

Code:

005C2BFC    .  8802              MOV BYTE PTR DS:[EDX],1    ; Force it to be 1
But as soon as I do that the whole code changes to this:

Code:

005C2BF6    .  8B15 8CEB6000    MOV EDX,DWORD PTR DS:[60EB8C]
005C2BFC      C602 01          MOV BYTE PTR DS:[EDX],1    ; Changed line
005C2BFF      8CEB              MOV BX,GS    ; automatically added
005C2C01      60                PUSHAD        ; automatically added
005C2C02      0080 3800750D    ADD BYTE PTR DS:[EAX+D750038],AL

Can somebody explain to me why that happens?

IWarez 02-18-2011 03:20

That's because you are replacing the opcodes 88 02 with C6 02 01 which is longer and overwrites the MOV EAX,DWORD PTR DS:[60EB8C] instruction by one byte.

RaptorX 02-18-2011 03:39

Ok that makes sense, in part...

I'm still not sure why changing AL to 1 changes "8802" to "C6 02 01". I thought the change to the opcode would be minimal since I am "removing" instead of adding characters.

I will go and read about opcodes in a sec.
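
The following is an added example, not code from the thread or from Lena's tutorial. It reproduces at byte level what IWarez describes and answers the follow-up question: MOV BYTE PTR [EDX],AL is opcode 88 with a ModRM byte (2 bytes), while MOV BYTE PTR [EDX],1 is opcode C6, a ModRM byte and the immediate 01 (3 bytes), so it is a different instruction, not a shorter one. The byte values are copied from the listings RaptorX posted; every function name below is my own. Writing the 3-byte encoding over a 2-byte slot overwrites the A1 of the following MOV EAX,..., and the disassembler then decodes 8C EB 60 00 80 38 00 75 0D as the MOV BX,GS / PUSHAD / ADD garbage shown. The CMP/JNZ change from the tutorial fits because 80 38 00 and C6 00 01 are both 3 bytes, and 75 0D and EB 0D are both 2 bytes.

```python
# Added example, not code from the thread: reproduces the byte-level overlap that
# IWarez describes. Byte values come from the listings RaptorX posted; the helper
# names are assumptions of this example.

# (address, encoded bytes, mnemonic) for the original code, from the first listing.
ORIGINAL = [
    (0x5C2BF6, bytes.fromhex("8B158CEB6000"), "MOV EDX,DWORD PTR DS:[60EB8C]"),
    (0x5C2BFC, bytes.fromhex("8802"),         "MOV BYTE PTR DS:[EDX],AL"),
    (0x5C2BFE, bytes.fromhex("A18CEB6000"),   "MOV EAX,DWORD PTR DS:[60EB8C]"),
    (0x5C2C03, bytes.fromhex("803800"),       "CMP BYTE PTR DS:[EAX],0"),
    (0x5C2C06, bytes.fromhex("750D"),         "JNZ SHORT 005C2C15"),
    (0x5C2C08, bytes.fromhex("E86307EEFF"),   "CALL 004A3370"),
]
BASE = ORIGINAL[0][0]
NOP = 0x90


def flatten(listing):
    """Concatenate the instruction bytes, checking that the addresses are contiguous."""
    image = bytearray()
    for addr, code, _ in listing:
        if addr != BASE + len(image):
            raise ValueError(f"gap or overlap at {addr:08X}")
        image += code
    return bytes(image)


def instruction_at(listing, addr):
    """Return (encoded bytes, mnemonic) of the instruction that starts at addr."""
    for a, code, text in listing:
        if a == addr:
            return code, text
    raise ValueError(f"{addr:08X} is not an instruction boundary")


def patch_fits(listing, addr, new_code):
    """True when new_code is no longer than the instruction it replaces."""
    old, _ = instruction_at(listing, addr)
    return len(new_code) <= len(old)


def safe_patch(listing, addr, new_code):
    """Replace one instruction in place, NOP-padding when the new encoding is shorter.
    Refuses an encoding that would spill into the next instruction."""
    old, text = instruction_at(listing, addr)
    if len(new_code) > len(old):
        raise ValueError(
            f"{len(new_code)}-byte encoding does not fit the {len(old)}-byte slot "
            f"of '{text}' at {addr:08X}; the next instruction would be clobbered")
    image = bytearray(flatten(listing))
    off = addr - BASE
    image[off:off + len(old)] = new_code + bytes([NOP]) * (len(old) - len(new_code))
    return bytes(image)


def naive_overwrite(listing, addr, new_code):
    """What an assemble-in-place window does when told to write new_code at addr
    regardless of the old instruction length: later bytes are overwritten, not shifted."""
    image = bytearray(flatten(listing))
    off = addr - BASE
    image[off:off + len(new_code)] = new_code
    return bytes(image)


def bytes_from(image, addr):
    """Bytes of the image from addr to the end."""
    return image[addr - BASE:]


if __name__ == "__main__":
    patched = naive_overwrite(ORIGINAL, 0x5C2BFC, bytes.fromhex("C60201"))
    # From 005C2BFF: 8C EB 60 00 80 38 00 75 0D E8 63 07 EE FF
    # 8C EB -> MOV BX,GS; 60 -> PUSHAD; 00 80 38 00 75 0D -> ADD BYTE PTR [EAX+D750038],AL
    print(bytes_from(patched, 0x5C2BFF).hex(" ").upper())
    print("C6 02 01 fits at 005C2BFC:", patch_fits(ORIGINAL, 0x5C2BFC, bytes.fromhex("C60201")))
    print("C6 00 01 fits at 005C2C03:", patch_fits(ORIGINAL, 0x5C2C03, bytes.fromhex("C60001")))
```

The length check in `patch_fits` is the thing to run before any in-place write: a replacement must be no longer than the slot it replaces, and a shorter one needs NOP padding so the bytes after it still decode at their original boundaries. The CALL at 005C2C08 survives the naive overwrite only because the overlap happened to end exactly on an instruction boundary, which is luck, not a property to rely on.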

virus 02-18-2011 03:49

Quote:

Originally Posted by RaptorX (Post 71540)
I will go and read about opcodes in a sec.

Here you go:
Quote:

hxxp://www.intel.com/design/pentiumii/manuals/243191.htm

