ASM doubt

09/29/2019 23:30 2Explosions#1
#Managed to do it, check edits at bottom if interested

Hi (?

I have been trying to learn some RE using the CO client (around patch 6603); this time I was trying to open Conquer.exe directly. Since the message "Open play.exe etc..." doesn't appear in Conquer.exe, I tried checking for intermodular calls to MessageBox, since it's known that the argument "blacknull" is required (I could not figure out where to begin without knowing that).
There, I found this:


which calls strcmp between "blacknull" and another argument, then calls
TEST EAX, EAX
JNZ Conquer.ADRESS

which I understand as something similar to this:

Code:
int a = strcmp("blacknull", arg);
if (a == 0) {
    /* LEA EAX, DWORD.... */
    ...
}
else {
    /* JNZ Conquer.ADDRESS */
    ...
}
Here is my doubt: since strcmp returns 0 when both strings are equal, I tried to force the return value to 0 by changing
TEST EAX, EAX // which sets ZF if EAX == 0
to
XOR EAX, EAX // which always sets ZF, AFAIK.

But the message "Open play.exe" still pops up. What would be the process to make it work?
BTW, I also tried to just set EAX to 0 instead of calling strcmp and "noping" the remaining bytes.

Any idea what I'm doing wrong? Any hints to make this work would be appreciated.

#Edit 1:
- Placed a breakpoint at both the strcmp and MessageBoxA calls, and it's the second one that is pausing the execution.

#Edit 2:
- After some sleep, it was actually quite simple lol. The only reason strcmp wasn't being called was another jmp: since there was only one argument in main instead of the 2 expected, I just needed to find who called the strcmp, by searching for references to the instruction where it loads the string ptr into EAX. Doing so, the following code will be found:

Code:
CMP EAX,1
MOV BYTE PTR DS:[CE7F78],CL
JGE SHORT Conquer2.006C6A40
So the code was something like:
Code:
void exitCode(void);   // not real
void loadClient(void); // neither is this one

if (argc <= 1)
{
    exitCode();
}
else
{
    if (strcmp(argv[1], "blacknull") != 0)
    {
        exitCode();
    }
    loadClient();
}
The XOR only patched the strcmp if statement, when just patching the argc check is enough: changing the JGE to a JMP makes the first if statement useless and will always jump to the "continueLoading" path.
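To illustrate why the JGE-to-JMP patch described above is a clean one-byte change, here is an added example (not code from the post or from the game client) that decodes a constructed byte sequence mimicking the quoted `CMP EAX,1 / MOV BYTE PTR DS:[CE7F78],CL / JGE SHORT` block and rewrites the short JGE (opcode 0x7D) into a short JMP (opcode 0xEB). Both encodings are two bytes with the same rel8 displacement, so the jump target and everything after it stay where they were; the base address and displacement are made-up values.

```python
# Constructed sample mirroring the quoted sequence (base address and rel8 are made up):
#   83 F8 01                 CMP EAX,1
#   88 0D 78 7F CE 00        MOV BYTE PTR DS:[CE7F78],CL
#   7D 1A                    JGE SHORT <next insn + 0x1A>
SAMPLE = bytes.fromhex("83F801" "880D787FCE00" "7D1A")
BASE = 0x6C6A00  # hypothetical load address of the first byte of SAMPLE

# Short (rel8) conditional jumps handled by the toy decoder; 0xEB is unconditional JMP rel8.
JCC_SHORT = {0x74: "JE", 0x75: "JNE", 0x7C: "JL", 0x7D: "JGE", 0x7E: "JLE", 0x7F: "JG"}
JMP_SHORT = 0xEB

def decode(buf: bytes, base: int = BASE):
    """Tiny decoder for only the opcodes present in the sample; returns (offset, text) pairs."""
    out, i = [], 0
    while i < len(buf):
        op = buf[i]
        if op == 0x83 and buf[i + 1] == 0xF8:            # CMP EAX, imm8
            out.append((i, f"CMP EAX,{buf[i + 2]}"))
            i += 3
        elif op == 0x88 and buf[i + 1] == 0x0D:          # MOV BYTE PTR DS:[disp32],CL
            disp = int.from_bytes(buf[i + 2:i + 6], "little")
            out.append((i, f"MOV BYTE PTR DS:[{disp:X}],CL"))
            i += 6
        elif op in JCC_SHORT or op == JMP_SHORT:         # rel8 is relative to the next insn
            rel = int.from_bytes(buf[i + 1:i + 2], "little", signed=True)
            name = "JMP" if op == JMP_SHORT else JCC_SHORT[op]
            out.append((i, f"{name} SHORT {base + i + 2 + rel:08X}"))
            i += 2
        else:
            raise ValueError(f"unhandled opcode {op:02X} at offset {i}")
    return out

def patch_jge_to_jmp(buf: bytes) -> bytes:
    """Replace the first short JGE with a short JMP; same length, so the rel8 target survives."""
    for off, text in decode(buf):
        if text.startswith("JGE "):
            return buf[:off] + bytes([JMP_SHORT]) + buf[off + 1:]
    raise ValueError("no short JGE found")

if __name__ == "__main__":
    for off, text in decode(SAMPLE):
        print(f"{BASE + off:08X}  {text}")
    print("--- patched ---")
    for off, text in decode(patch_jge_to_jmp(SAMPLE)):
        print(f"{BASE + off:08X}  {text}")
```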
09/30/2019 15:13 KraHen#2
This post is an excellent example on how to ask the right questions and provide the right amount of information. Glad you got it working!