#1
Hello,
as announced in the last post, here is a report of my efforts...

First the good message: I found a working codenumber and I know the algo to generate it. After tinkering for 8 weeks and more with no step forward, I did something that otherwise isn't my kind. I knew that there was a keygen for versions in 2004 and partly in 2005 by an unknown guy, and I analysed his great work. So I found out the very simple algo for generating a codenumber from ID. Just two multiplications and one addition.

But I still could not reconstruct it in P-Code! So I took good old Olly with a BP on memory access at the first multiplication and traced a little bit. All results of mathematical operations are shown in ST7... No problem and very easy, but not the way to be proud.

So may I ask all P-Code gurus to teach me how to get the codenumber right out of the WKT debugger. Seems like results always remain in STx registers, because searching with WinHex in memory brought no success.

This is the piece of code where to find the calculation in the actual v1.4 of BewerbungsMaster 2006:

```
loc_6048CD: FLdRfVar var_208
loc_6048D0: MulVar var_1D8      ' 1st multiplication
loc_6048D4: FLdRfVar var_22C
loc_6048D7: MulVar var_1F8      ' 2nd multiplication
loc_6048DB: FLdRfVar var_218
loc_6048DE: AddVar var_23C      ' addition
loc_6048E2: FStVar
```

Regards,
squareD
#2
P code
I found that sequence in two places. I didn't bother to work out the offset values to determine which one is appropriate...you have to do the other math anyway, so why not do that too?
```
Sub Command1_Click( )

L00000265: '04, FLdRfVar, F8, FD
    'Load reference to variable.
    'Parameter 1 = 2 bytes.
    'Parameter 1 is offset into local Frame.
    'Offset = &hFDF8.
    'Data at offset is reference to variable.
    'Address of offset is pushed onto stack.
    'Stack operations: Push x1.

L00000268: 'FB B4, MulVar, 28, FE
    'Perform <Multiplication> operation on two Variants.
    'Parameter 1 = 2 bytes.
    'Parameter 1 is offset into local Frame.
    'Offset = &hFE28.
    'Address of first VariantDescriptor is popped off stack.
    'Address of second VariantDescriptor is popped off stack.
    'Second VariantDescriptor value is multiplied by first VariantDescriptor value.
    'VariantDescriptor flag of result is stored at offset.
    'VariantDescriptor value of result is stored at offset + 8.
    'Address of offset is pushed onto stack.
    'Stack operations: Pop x2, Push x1.

L00000272: '04, FLdRfVar, D4, FD
    'Load reference to variable.
    'Parameter 1 = 2 bytes.
    'Parameter 1 is offset into local Frame.
    'Offset = &hFDD4.
    'Data at offset is reference to variable.
    'Address of offset is pushed onto stack.
    'Stack operations: Push x1.

L00000275: 'FB B4, MulVar, 08, FE
    'Perform <Multiplication> operation on two Variants.
    'Parameter 1 = 2 bytes.
    'Parameter 1 is offset into local Frame.
    'Offset = &hFE08.
    'Address of first VariantDescriptor is popped off stack.
    'Address of second VariantDescriptor is popped off stack.
    'Second VariantDescriptor value is multiplied by first VariantDescriptor value.
    'VariantDescriptor flag of result is stored at offset.
    'VariantDescriptor value of result is stored at offset + 8.
    'Address of offset is pushed onto stack.
    'Stack operations: Pop x2, Push x1.

L00000279: '04, FLdRfVar, E8, FD
    'Load reference to variable.
    'Parameter 1 = 2 bytes.
    'Parameter 1 is offset into local Frame.
    'Offset = &hFDE8.
    'Data at offset is reference to variable.
    'Address of offset is pushed onto stack.
    'Stack operations: Push x1.

L00000282: 'FB 94, AddVar, C4, FD
    'Perform <Addition> operation on two Variants.
    'Parameter 1 = 2 bytes.
    'Parameter 1 is offset into local Frame.
    'Offset = &hFDC4.
    'Address of first VariantDescriptor is popped off stack.
    'Address of second VariantDescriptor is popped off stack.
    'First VariantDescriptor value is added to second VariantDescriptor value.
    'VariantDescriptor flag of result is stored at offset.
    'VariantDescriptor value of result is stored at offset + 8.
    'Address of offset is pushed onto stack.
    'Stack operations: Pop x2, Push x1.

L00000286: 'FC F6, FStVar, B4, FD
    'Store Variant data.
    'Parameter 1 = 2 bytes.
    'Parameter 1 is offset into local Frame.
    'Offset = &hFDB4.
    'Address of VariantDescriptor is popped off stack.
    'VariantDescriptor data is stored into local Frame at offset.
    'Stack operations: Pop x1.


Sub Text1_Change( )

L00000200: '04, FLdRfVar, 2C, FF
    'Load reference to variable.
    'Parameter 1 = 2 bytes.
    'Parameter 1 is offset into local Frame.
    'Offset = &hFF2C.
    'Data at offset is reference to variable.
    'Address of offset is pushed onto stack.
    'Stack operations: Push x1.

L00000203: 'FB B4, MulVar, 6C, FF
    'Perform <Multiplication> operation on two Variants.
    'Parameter 1 = 2 bytes.
    'Parameter 1 is offset into local Frame.
    'Offset = &hFF6C.
    'Address of first VariantDescriptor is popped off stack.
    'Address of second VariantDescriptor is popped off stack.
    'Second VariantDescriptor value is multiplied by first VariantDescriptor value.
    'VariantDescriptor flag of result is stored at offset.
    'VariantDescriptor value of result is stored at offset + 8.
    'Address of offset is pushed onto stack.
    'Stack operations: Pop x2, Push x1.

L00000207: '04, FLdRfVar, 08, FF
    'Load reference to variable.
    'Parameter 1 = 2 bytes.
    'Parameter 1 is offset into local Frame.
    'Offset = &hFF08.
    'Data at offset is reference to variable.
    'Address of offset is pushed onto stack.
    'Stack operations: Push x1.

L00000210: 'FB B4, MulVar, 3C, FF
    'Perform <Multiplication> operation on two Variants.
    'Parameter 1 = 2 bytes.
    'Parameter 1 is offset into local Frame.
    'Offset = &hFF3C.
    'Address of first VariantDescriptor is popped off stack.
    'Address of second VariantDescriptor is popped off stack.
    'Second VariantDescriptor value is multiplied by first VariantDescriptor value.
    'VariantDescriptor flag of result is stored at offset.
    'VariantDescriptor value of result is stored at offset + 8.
    'Address of offset is pushed onto stack.
    'Stack operations: Pop x2, Push x1.

L00000214: '04, FLdRfVar, 1C, FF
    'Load reference to variable.
    'Parameter 1 = 2 bytes.
    'Parameter 1 is offset into local Frame.
    'Offset = &hFF1C.
    'Data at offset is reference to variable.
    'Address of offset is pushed onto stack.
    'Stack operations: Push x1.

L00000217: 'FB 94, AddVar, F8, FE
    'Perform <Addition> operation on two Variants.
    'Parameter 1 = 2 bytes.
    'Parameter 1 is offset into local Frame.
    'Offset = &hFEF8.
    'Address of first VariantDescriptor is popped off stack.
    'Address of second VariantDescriptor is popped off stack.
    'First VariantDescriptor value is added to second VariantDescriptor value.
    'VariantDescriptor flag of result is stored at offset.
    'VariantDescriptor value of result is stored at offset + 8.
    'Address of offset is pushed onto stack.
    'Stack operations: Pop x2, Push x1.

L00000221: 'FC F6, FStVar, E8, FE
    'Store Variant data.
    'Parameter 1 = 2 bytes.
    'Parameter 1 is offset into local Frame.
    'Offset = &hFEE8.
    'Address of VariantDescriptor is popped off stack.
    'VariantDescriptor data is stored into local Frame at offset.
    'Stack operations: Pop x1.
```

Good luck

Sarge
#3
Sub Command1_Click( ) is the right one...
Thanks for your explanation, but it didn't help me so far. Maybe I'm struck with blindness. Let me give you an example with the first multiplication:

Quote:

```
002048E4: FBB4 MulVar *
```

I'm on the above instruction in WKT and top of Stack shows:

```
0012E4D0: 68E81200 284B6500
```

Looking at 0012E868 supplies 02000000 and looking at 00654B28 supplies 08001200.

If addresses are popped off stack, in my opinion, the values to be multiplied should be stored at 0012E868 and 00654B28. Maybe I'm totally wrong? But the worst thing is that I searched with WinHex in the whole memory and never found 3E083D (3D083E = 3999806). So I'm still wondering how these operations will work.

Regards,
squareD
#4
Hmmm, remember that Variants are structures, the read/write address indicated by the stack parameter is the address of the structure, not the data IN the structure.

Also, I can't reconcile your statements:

"I'm on the above instruction in WKT and top of Stack shows: 0012E4D0: 68E81200 284B6500 Looking at 0012E868 supplies 02000000 and looking at 00654B28 supplies 08001200"

I assume that the value "68E81200" is the top-of-stack, and that "284B6500" is the next-to-top-of-stack? If so, go to those two addresses, find the Variant structures, then find the numeric values represented by those structures, and multiply them. Then, store the result in the local Frame in the location indicated by the offset that is Parameter #1. (This IS explained in the text I have posted.)

I don't see where "0012E868" and "00654B28" come from. Of course, I am not very familiar with the "Whiskey-with-Tequila" debugger's syntax.

If this is not a correct analysis, it's because (as I said), I don't see where the data you have indicated comes from.

Sarge
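Added example, not part of Sarge's post or anyone's code in this thread: a Python sketch of the point made above, that an address on the P-Code stack refers to a Variant structure whose type tag sits at offset 0 and whose value sits at offset + 8. The 16-byte layout and type tags are those of the 32-bit Windows VARIANT; the addresses and values in the sample dump are constructed, and which Variant type the thread's program actually uses is not stated on the page.

```python
import struct

# VARTYPE tags from the Windows VARIANT definition (subset used here).
VT_I2, VT_I4, VT_R4, VT_R8, VT_BSTR, VT_BYREF = 2, 3, 4, 5, 8, 0x4000
SCALAR_FMT = {VT_I2: "<h", VT_I4: "<i", VT_R4: "<f", VT_R8: "<d"}
VARIANT_SIZE = 16   # 32-bit layout: 2-byte type tag, 6 reserved bytes, 8-byte payload

def decode_variant(mem, base, addr):
    """Decode the Variant at virtual address addr in dump mem (mem[0] lives at base)."""
    off = addr - base
    if off < 0 or off + VARIANT_SIZE > len(mem):
        raise ValueError("Variant lies outside the dumped region")
    (vt,) = struct.unpack_from("<H", mem, off)      # type tag at offset 0
    data_off = off + 8                              # payload at offset + 8
    if vt & VT_BYREF:                               # payload is a pointer to the value
        (ptr,) = struct.unpack_from("<I", mem, data_off)
        vt, data_off = vt & ~VT_BYREF, ptr - base
    fmt = SCALAR_FMT.get(vt)
    if fmt is None:
        return vt, None                             # e.g. VT_BSTR: string pointer, not decoded
    if data_off < 0 or data_off + struct.calcsize(fmt) > len(mem):
        raise ValueError("payload pointer leaves the dumped region")
    return vt, struct.unpack_from(fmt, mem, data_off)[0]

def pack_variant(vt, payload):
    """Build a 16-byte Variant image (only used to construct the sample dump)."""
    return struct.pack("<H6x", vt) + payload.ljust(8, b"\0")

def build_sample_dump():
    """Constructed memory region: three Variants plus one referenced Integer."""
    base = 0x00120000                                             # constructed address
    mem = pack_variant(VT_R8, struct.pack("<d", 123456.0))        # base + 0x00: Double
    mem += pack_variant(VT_I4, struct.pack("<i", 123456))         # base + 0x10: Long
    mem += pack_variant(VT_BYREF | VT_I2,
                        struct.pack("<I", base + 0x30))           # base + 0x20: ByRef Integer
    mem += struct.pack("<h", -7).ljust(16, b"\0")                 # base + 0x30: the Integer
    return base, mem

def raw_int_in(region, value):
    """True if value appears in region as a little-endian 32-bit integer."""
    return struct.pack("<i", value) in region

if __name__ == "__main__":
    base, mem = build_sample_dump()
    for addr in (base, base + 0x10, base + 0x20):
        print(hex(addr), decode_variant(mem, base, addr))
    # The same number is findable as raw integer bytes only in the Long Variant.
    print("in Double Variant:", raw_int_in(mem[:16], 123456))
    print("in Long Variant:  ", raw_int_in(mem[16:32], 123456))
```

The last two lines show why a hex search for an integer's bytes can come up empty: when the Variant's tag says Double, the payload is an IEEE 754 encoding of the number, not its integer bytes.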
#5
Quote:
Quote:
So I think I have to take a deeper look as described above. Thanks for your toil.

Regards,
squareD