I know DCER is not around anymore, but if there was enough space in the EXE, would this code allow the "Special Ships" to spawn on the map?
Ollydbg says there is space in the code at this address, but when I pop this code in there I get a crash.
Code:
Address Hex dump Command Comments
005735C3 53 PUSH EBX
005735C4 51 PUSH ECX
005735C5 52 PUSH EDX
005735C6 56 PUSH ESI
005735C7 57 PUSH EDI
005735C8 55 PUSH EBP
005735C9 81EC 30010000 SUB ESP,130
005735CF BD 44000000 MOV EBP,44
005735D4 8B3D A85D5900 MOV EDI,DWORD PTR DS:[595DA8]
005735DA 8B77 1A MOV ESI,DWORD PTR DS:[EDI+1A]
005735DD C1FE 10 SAR ESI,10
005735E0 69F6 28030000 IMUL ESI,ESI,328
005735E6 A1 C8365A00 MOV EAX,DWORD PTR DS:[5A36C8]
005735EB 01C6 ADD ESI,EAX
005735ED 31C0 XOR EAX,EAX
005735EF 8A042E MOV AL,BYTE PTR DS:[EBP+ESI]
005735F2 3C 04 CMP AL,4
005735F4 77 0A JA SHORT 00573600
005735F6 83FD 4C CMP EBP,4C
005735F9 74 18 JE SHORT 00573613
005735FB E9 C0000000 JMP 005736C0
00573600 55 PUSH EBP
00573601 BD 10205A00 MOV EBP,OFFSET 005A2010
00573606 6BC0 40 IMUL EAX,EAX,40
00573609 8B4428 3C MOV EAX,DWORD PTR DS:[EBP+EAX+3C]
0057360D 5D POP EBP
0057360E 83F8 01 CMP EAX,1
00573611 ^ 74 E8 JE SHORT 005735FB
00573613 8A042E MOV AL,BYTE PTR DS:[EBP+ESI]
00573616 E8 E41EEEFF CALL 004554FF
0057361B E8 DF84FAFF CALL 0051BAFF
00573620 89C1 MOV ECX,EAX
00573622 85C0 TEST EAX,EAX
00573624 0F84 96000000 JE 005736C0
0057362A 8A46 4C MOV AL,BYTE PTR DS:[ESI+4C]
0057362D E8 CD1EEEFF CALL 004554FF
00573632 E8 C884FAFF CALL 0051BAFF
00573637 89C1 MOV ECX,EAX
00573639 85C0 TEST EAX,EAX
0057363B 0F84 8C000000 JE 005736CD
00573641 66:8B59 04 MOV BX,WORD PTR DS:[ECX+4]
00573645 31C0 XOR EAX,EAX
00573647 89E2 MOV EDX,ESP
00573649 88D8 MOV AL,BL
0057364B E8 6FC3EFFF CALL 0046F9BF
00573650 8B5424 68 MOV EDX,DWORD PTR SS:[ESP+68]
00573654 66:83FA 06 CMP DX,6
00573658 74 59 JE SHORT 005736B3
0057365A 66:83FA 07 CMP DX,7
0057365E 74 53 JE SHORT 005736B3
00573660 807E 4C 01 CMP BYTE PTR DS:[ESI+4C],1
00573664 75 19 JNE SHORT 0057367F
00573666 66:83FB 1A CMP BX,1A
0057366A 75 6D JNE SHORT 005736D9
0057366C 31C0 XOR EAX,EAX
0057366E BA 26000000 MOV EDX,26
00573673 8A46 4C MOV AL,BYTE PTR DS:[ESI+4C]
00573676 E8 0484ECFF CALL 0043BA7F
0057367B 85C0 TEST EAX,EAX
0057367D 74 34 JE SHORT 005736B3
0057367F BA 03000000 MOV EDX,3
00573684 31C0 XOR EAX,EAX
00573686 66:899C24 28010000 MOV WORD PTR SS:[ESP+128],BX
0057368E 66:8B8424 1C010000 MOV AX,WORD PTR SS:[ESP+11C]
00573696 899424 20010000 MOV DWORD PTR SS:[ESP+120],EDX
0057369D 898424 2C010000 MOV DWORD PTR SS:[ESP+12C],EAX
005736A4 8D9424 20010000 LEA EDX,[ESP+120]
005736AB 8B47 38 MOV EAX,DWORD PTR DS:[EDI+38]
005736AE E8 3C77FAFF CALL 0051ADEF
005736B3 89C8 MOV EAX,ECX
005736B5 E8 E580FAFF CALL 0051B79F
005736BA 89C1 MOV ECX,EAX
005736BC 85C0 TEST EAX,EAX
005736BE ^ 75 81 JNE SHORT 00573641
005736C0 83FD 44 CMP EBP,44
005736C3 75 2F JNE SHORT 005736F4
005736C5 83C5 08 ADD EBP,8
005736C8 ^ E9 07FFFFFF JMP 005735D4
005736CD 81C4 30010000 ADD ESP,130
005736D3 5F POP EDI
005736D4 5E POP ESI
005736D5 5A POP EDX
005736D6 59 POP ECX
005736D7 5B POP EBX
005736D8 C3 RETN
005736D9 66:83FB 1B CMP BX,1B
005736DD ^ 74 8D JE SHORT 0057366C
005736DF 66:83FB 22 CMP BX,22
005736E3 ^ 74 87 JE SHORT 0057366C
005736E5 66:83FB 29 CMP BX,29
005736E9 ^ 74 81 JE SHORT 0057366C
005736EB 66:83FB 2A CMP BX,2A
005736EF ^ 0F84 77FFFFFF JE 0057366C
005736F5 ^ EB 88 JMP SHORT 0057367F
EDIT: Original:
Code:
Address Hex dump Command Comments
004F3D70 53 PUSH EBX
004F3D71 51 PUSH ECX
004F3D72 52 PUSH EDX
004F3D73 56 PUSH ESI
004F3D74 57 PUSH EDI
004F3D75 81EC 30010000 SUB ESP,130
004F3D7B 8B3D A85D5900 MOV EDI,DWORD PTR DS:[595DA8]
004F3D81 8B77 1A MOV ESI,DWORD PTR DS:[EDI+1A]
004F3D84 C1FE 10 SAR ESI,10
004F3D87 69F6 28030000 IMUL ESI,ESI,328
004F3D8D A1 C8365A00 MOV EAX,DWORD PTR DS:[5A36C8]
004F3D92 01C6 ADD ESI,EAX
004F3D94 31C0 XOR EAX,EAX
004F3D96 8A46 4C MOV AL,BYTE PTR DS:[ESI+4C]
004F3D99 E8 6217F6FF CALL 00455500
004F3D9E E8 5D7D0200 CALL 0051BB00
004F3DA3 89C1 MOV ECX,EAX
004F3DA5 85C0 TEST EAX,EAX
004F3DA7 0F84 7F000000 JZ 004F3E2C
004F3DAD 66:8B59 04 MOV BX,WORD PTR DS:[ECX+4]
004F3DB1 31C0 XOR EAX,EAX
004F3DB3 89E2 MOV EDX,ESP
004F3DB5 88D8 MOV AL,BL
004F3DB7 E8 04BCF7FF CALL 0046F9C0
004F3DBC 8B5424 68 MOV EDX,DWORD PTR SS:[ESP+68]
004F3DC0 66:83FA 06 CMP DX,6
004F3DC4 74 59 JE SHORT 004F3E1F
004F3DC6 66:83FA 07 CMP DX,7
004F3DCA 74 53 JE SHORT 004F3E1F
004F3DCC 807E 4C 01 CMP BYTE PTR DS:[ESI+4C],1
004F3DD0 75 19 JNE SHORT 004F3DEB
004F3DD2 66:83FB 1A CMP BX,1A
004F3DD6 75 60 JNE SHORT 004F3E38
004F3DD8 31C0 XOR EAX,EAX
004F3DDA BA 26000000 MOV EDX,26
004F3DDF 8A46 4C MOV AL,BYTE PTR DS:[ESI+4C]
004F3DE2 E8 997CF4FF CALL 0043BA80
004F3DE7 85C0 TEST EAX,EAX
004F3DE9 74 34 JZ SHORT 004F3E1F
004F3DEB BA 03000000 MOV EDX,3
004F3DF0 31C0 XOR EAX,EAX
004F3DF2 66:899C24 28010000 MOV WORD PTR SS:[ESP+128],BX
004F3DFA 66:8B8424 1C010000 MOV AX,WORD PTR SS:[ESP+11C]
004F3E02 899424 20010000 MOV DWORD PTR SS:[ESP+120],EDX
004F3E09 898424 2C010000 MOV DWORD PTR SS:[ESP+12C],EAX
004F3E10 8D9424 20010000 LEA EDX,[ESP+120]
004F3E17 8B47 38 MOV EAX,DWORD PTR DS:[EDI+38]
004F3E1A E8 D16F0200 CALL 0051ADF0
004F3E1F 89C8 MOV EAX,ECX
004F3E21 E8 7A790200 CALL 0051B7A0
004F3E26 89C1 MOV ECX,EAX
004F3E28 85C0 TEST EAX,EAX
004F3E2A ^ 75 81 JNZ SHORT 004F3DAD
004F3E2C 81C4 30010000 ADD ESP,130
004F3E32 5F POP EDI
004F3E33 5E POP ESI
004F3E34 5A POP EDX
004F3E35 59 POP ECX
004F3E36 5B POP EBX
004F3E37 C3 RETN
004F3E38 66:83FB 1B CMP BX,1B
004F3E3C ^ 74 9A JE SHORT 004F3DD8
004F3E3E 66:83FB 22 CMP BX,22
004F3E42 ^ 74 94 JE SHORT 004F3DD8
004F3E44 66:83FB 29 CMP BX,29
004F3E48 ^ 74 8E JE SHORT 004F3DD8
004F3E4A 66:83FB 2A CMP BX,2A
004F3E4E ^ 74 88 JE SHORT 004F3DD8
004F3E50 ^ EB 99 JMP SHORT 004F3DEB
My notes:
Code:
This is the first part of the code
CPU Disasm
Address Hex dump Command Comments
004F3D70 53 PUSH EBX
004F3D71 51 PUSH ECX
004F3D72 52 PUSH EDX
004F3D73 56 PUSH ESI
004F3D74 57 PUSH EDI
004F3D75 55 PUSH EBP
004F3D76 81EC 30010000 SUB ESP,130
004F3D7C BD 44000000 MOV EBP,44
004F3D81 8B3D A85D5900 MOV EDI,DWORD PTR DS:[595DA8]
004F3D87 8B77 1A MOV ESI,DWORD PTR DS:[EDI+1A]
004F3D8A C1FE 10 SAR ESI,10
004F3D8D 69F6 28030000 IMUL ESI,ESI,328
004F3D93 A1 C8365A00 MOV EAX,DWORD PTR DS:[5A36C8]
004F3D98 01C6 ADD ESI,EAX
004F3D9A 31C0 XOR EAX,EAX
004F3D9C 8A042E MOV AL,BYTE PTR DS:[EBP+ESI]
004F3D9F 3C 04 CMP AL,4
004F3DA1 77 0A JA SHORT 004F3DAD ----> PUSH EBP just below
004F3DA3 83FD 4C CMP EBP,4C
004F3DA6 74 18 JE SHORT 004F3DC0 ----> MOV AL,BYTE PTR DS:[EBP+ESI]
004F3DA8 E9 8A000000 JMP 004F3E37 ----> CMP EBP,44
004F3DAD 55 PUSH EBP
004F3DAE BD 10205A00 MOV EBP,OFFSET 005A2010
004F3DB3 6BC0 40 IMUL EAX,EAX,40
004F3DB6 8B4428 3C MOV EAX,DWORD PTR DS:[EBP+EAX+3C]
004F3DBA 5D POP EBP
004F3DBB 83F8 01 CMP EAX,1
004F3DBE ^ 74 E8 JE SHORT 004F3DA8
004F3DC0 8A042E MOV AL,BYTE PTR DS:[EBP+ESI]
004F3DC3 E8 3817F6FF CALL 00455500
004F3DC8 E8 337D0200 CALL 0051BB00
004F3DCD 89C1 MOV ECX,EAX
004F3DCF 85C0 TEST EAX,EAX
004F3DD1 0F84 60000000 JE 004F3E37 ----> CMP EBP,44
53 51 52 56 57 55 81 EC 30 01 00 00 BD 44 00 00
00 8B 3D A8 5D 59 00 8B 77 1A C1 FE 10 69 F6 28
03 00 00 A1 C8 36 5A 00 01 C6 31 C0 8A 04 2E 3C
04 77 0A 83 FD 4C 74 18 E9 8A 00 00 00 55 BD 10
20 5A 00 6B C0 40 8B 44 28 3C 5D 83 F8 01 74 E8
8A 04 2E E8 38 17 F6 FF E8 33 7D 02 00 89 C1 85
C0 0F 84 60 00 00 00
Original code next:
Address Hex dump Command Comments
004F3D96 8A46 4C MOV AL,BYTE PTR DS:[ESI+4C]
004F3D99 E8 6217F6FF CALL 00455500
004F3D9E E8 5D7D0200 CALL 0051BB00
004F3DA3 89C1 MOV ECX,EAX
004F3DA5 85C0 TEST EAX,EAX
004F3DA7 0F84 7F000000 JZ 004F3E2C ----> ADD ESP,130
004F3DAD 66:8B59 04 MOV BX,WORD PTR DS:[ECX+4]
004F3DB1 31C0 XOR EAX,EAX
004F3DB3 89E2 MOV EDX,ESP
004F3DB5 88D8 MOV AL,BL
004F3DB7 E8 04BCF7FF CALL 0046F9C0
004F3DBC 8B5424 68 MOV EDX,DWORD PTR SS:[ESP+68]
004F3DC0 66:83FA 06 CMP DX,6
004F3DC4 74 59 JE SHORT 004F3E1F ----> MOV EAX,ECX
004F3DC6 66:83FA 07 CMP DX,7
004F3DCA 74 53 JE SHORT 004F3E1F ----> MOV EAX,ECX
004F3DCC 807E 4C 01 CMP BYTE PTR DS:[ESI+4C],1
004F3DD0 75 19 JNE SHORT 004F3DEB ----> MOV EDX,3
004F3DD2 66:83FB 1A CMP BX,1A
004F3DD6 75 60 JNE SHORT 004F3E38 ----> CMP BX,1B
004F3DD8 31C0 XOR EAX,EAX
004F3DDA BA 26000000 MOV EDX,26
004F3DDF 8A46 4C MOV AL,BYTE PTR DS:[ESI+4C]
004F3DE2 E8 997CF4FF CALL 0043BA80
004F3DE7 85C0 TEST EAX,EAX
004F3DE9 74 34 JZ SHORT 004F3E1F ----> MOV EAX,ECX
8A 46 4C E8 62 17 F6 FF E8 5D 7D 02 00 89 C1 85
C0 0F 84 7F 00 00 00 66 8B 59 04 31 C0 89 E2 88
D8 E8 04 BC F7 FF 8B 54 24 68 66 83 FA 06 74 59
66 83 FA 07 74 53 80 7E 4C 01 75 19 66 83 FB 1A
75 60 31 C0 BA 26 00 00 00 8A 46 4C E8 99 7C F4
FF 85 C0 74 34
CPU Disasm
Address Hex dump Command Comments
004F3DEB BA 03000000 MOV EDX,3
004F3DF0 31C0 XOR EAX,EAX
004F3DF2 66:899C24 28010000 MOV WORD PTR SS:[ESP+128],BX
004F3DFA 66:8B8424 1C010000 MOV AX,WORD PTR SS:[ESP+11C]
004F3E02 899424 20010000 MOV DWORD PTR SS:[ESP+120],EDX
004F3E09 898424 2C010000 MOV DWORD PTR SS:[ESP+12C],EAX
004F3E10 8D9424 20010000 LEA EDX,[ESP+120]
004F3E17 8B47 38 MOV EAX,DWORD PTR DS:[EDI+38]
004F3E1A E8 D16F0200 CALL 0051ADF0
004F3E1F 89C8 MOV EAX,ECX
004F3E21 E8 7A790200 CALL 0051B7A0
004F3E26 89C1 MOV ECX,EAX
004F3E28 85C0 TEST EAX,EAX
004F3E2A ^ 75 81 JNZ SHORT 004F3DAD ----> MOV BX,WORD PTR DS:[ECX+4]
BA 03 00 00 00 31 C0 66 89 9C 24 28 01 00 00 66
8B 84 24 1C 01 00 00 89 94 24 20 01 00 00 89 84
24 2C 01 00 00 8D 94 24 20 01 00 00 8B 47 38 E8
D1 6F 02 00 89 C8 E8 7A 79 02 00 89 C1 85 C0 75
81
New code
CPU Disasm
Address Hex dump Command Comments
004F3E37 83FD 44 CMP EBP,44
004F3E3A 75 08 JNE SHORT 004F3E44 ----> MOV BX,WORD PTR DS:[ECX+4]
004F3E3C 83C5 08 ADD EBP,8
004F3E3F ^ E9 3DFFFFFF JMP 004F3D81 ----> MOV EDI,DWORD PTR DS:[595DA8]
83 FD 44 75 08 83 C5 08 E9 3D FF FF FF
Original code
CPU Disasm
Address Hex dump Command Comments
004F3E2C 81C4 30010000 ADD ESP,130
004F3E32 5F POP EDI
004F3E33 5E POP ESI
004F3E34 5A POP EDX
004F3E35 59 POP ECX
004F3E36 5B POP EBX
004F3E37 C3 RETN
004F3E38 66:83FB 1B CMP BX,1B
004F3E3C ^ 74 9A JE SHORT 004F3DD8 ----> XOR EAX,EAX followed by MOV EDX,26
004F3E3E 66:83FB 22 CMP BX,22
004F3E42 ^ 74 94 JE SHORT 004F3DD8 ----> XOR EAX,EAX followed by MOV EDX,26
004F3E44 66:83FB 29 CMP BX,29
004F3E48 ^ 74 8E JE SHORT 004F3DD8 ----> XOR EAX,EAX followed by MOV EDX,26
004F3E4A 66:83FB 2A CMP BX,2A
004F3E4E ^ 74 88 JE SHORT 004F3DD8 ----> XOR EAX,EAX followed by MOV EDX,26
004F3E50 ^ EB 99 JMP SHORT 004F3DEB ----> MOV EDX,3
81 C4 30 01 00 00 5F 5E 5A 59 5B C3 66 83 FB 1B
74 9A 66 83 FB 22 74 94 66 83 FB 29 74 8E 66 83
FB 2A 74 88 EB 99
The full thing from ******
53 51 52 56 57 55 81 EC 30 01 00 00 BD 44 00 00
00 8B 3D A8 5D 59 00 8B 77 1A C1 FE 10 69 F6 28
03 00 00 A1 C8 36 5A 00 01 C6 31 C0 8A 04 2E 3C
04 77 0A 83 FD 4C 74 18 E9 C0 00 00 00 55 BD 10
20 5A 00 6B C0 40 8B 44 28 3C 5D 83 F8 01 74 E8
8A 04 2E E8 E4 1E EE FF E8 DF 84 FA FF 89 C1 85
C0 0F 84 96 00 00 00 8A 46 4C E8 CD 1E EE FF E8
C8 84 FA FF 89 C1 85 C0 0F 84 8C 00 00 00 66 8B
59 04 31 C0 89 E2 88 D8 E8 6F C3 EF FF 8B 54 24
68 66 83 FA 06 74 59 66 83 FA 07 74 53 80 7E 4C
01 75 19 66 83 FB 1A 75 6D 31 C0 BA 26 00 00 00
8A 46 4C E8 04 84 EC FF 85 C0 74 34 BA 03 00 00
00 31 C0 66 89 9C 24 28 01 00 00 66 8B 84 24 1C
01 00 00 89 94 24 20 01 00 00 89 84 24 2C 01 00
00 8D 94 24 20 01 00 00 8B 47 38 E8 3C 77 FA FF
89 C8 E8 E5 80 FA FF 89 C1 85 C0 75 81 83 FD 44
75 2F 83 C5 08 E9 07 FF FF FF 81 C4 30 01 00 00
5F 5E 5A 59 5B C3 66 83 FB 1B 74 8D 66 83 FB 22
74 87 66 83 FB 29 74 81 66 83 FB 2A 74 08 EB 8C
00 E9 48 FF FF FF E9 6E FF FF FF
Change this ref to CALL 00*******
Address Hex dump Command Comments
004F4D96 |. E8 D5EFFFFF CALL 004F3D70
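An added consistency check for relocated code, not part of the original post and not Ollydbg output: it parses listing lines, recomputes each CALL and jump target from the encoded rel8/rel32 displacement, compares CALLs against the entry points the unpatched routine used, and flags jumps that land inside another instruction. Run over the excerpt below (lines copied from the relocated listing above, the expected CALL set from the "Original" listing), it reports that both CALLs resolve one byte short of the original entry points (004554FF instead of 00455500, 0051BAFF instead of 0051BB00) and that the JNE at 005736C3 targets 005736F4, which sits inside the six-byte JE at 005736EF.

```python
import re

# Constructed excerpt: Ollydbg lines from the relocated block in the post.
PATCHED = """\
00573616 E8 E41EEEFF CALL 004554FF
0057361B E8 DF84FAFF CALL 0051BAFF
005736C3 75 2F JNE SHORT 005736F4
005736C5 83C5 08 ADD EBP,8
005736C8 ^ E9 07FFFFFF JMP 005735D4
005736EF ^ 0F84 77FFFFFF JE 0057366C
005736F5 ^ EB 88 JMP SHORT 0057367F
"""
# Entry points the unpatched routine calls, read off the "Original" listing.
ORIGINAL_CALLS = {0x455500, 0x51BB00, 0x46F9C0, 0x43BA80, 0x51ADF0, 0x51B7A0}
# Hex-dump token: optional "66:" prefix, then whole bytes (mnemonics never match).
BYTE_GROUP = re.compile(r"^(?:[0-9A-F]{2}:)?(?:[0-9A-F]{2})+$")

def parse(listing):
    """Return (address, encoded bytes, command text) for each listing line."""
    out = []
    for line in listing.splitlines():
        toks = line.split()
        addr, raw, i = int(toks[0], 16), b"", 1
        while i < len(toks) and (toks[i] == "^" or BYTE_GROUP.match(toks[i])):
            if toks[i] != "^":  # "^" is Ollydbg's backward-jump marker
                raw += bytes.fromhex(toks[i].replace(":", ""))
            i += 1
        out.append((addr, raw, " ".join(toks[i:])))
    return out

def check(listing, known_calls):
    """Recompute each relative branch target and report the faults found."""
    instrs, faults = parse(listing), []
    for addr, raw, cmd in instrs:
        mn = cmd.split()[0]
        if not (mn == "CALL" or mn.startswith("J")):
            continue
        width = 1 if "SHORT" in cmd else 4  # rel8 vs rel32 displacement
        disp = int.from_bytes(raw[-width:], "little", signed=True)
        target = addr + len(raw) + disp      # relative to the next instruction
        shown = int(cmd.split()[-1], 16)
        if target != shown:
            faults.append((addr, "bytes encode %08X, listing shows %08X" % (target, shown)))
        if mn == "CALL" and target not in known_calls:
            faults.append((addr, "CALL %08X is not an entry point the original used" % target))
        elif mn != "CALL" and any(a < target < a + len(b) for a, b, _ in instrs):
            faults.append((addr, "jump to %08X lands inside another instruction" % target))
    return faults
```

Feeding it the whole relocated listing instead of the excerpt gives the same three kinds of fault for every CALL in the block plus the one JNE.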