Joseph's thread Tuesday, 09-Feb-99 06:23:47
I am not sure if I will be up to this. Tried both SoftIce and W32dasm. Bps on HMEMCPY and lots of F10's led me to GetDlgItemTextA at 40210E, but I have already found that out in W32dasm. Sure, the program comes there with the length of the password I entered in eax. A little bit down I noticed the fake password in eax at 402148 where eax is pushed, but the call immediately following is to KERNEL32.lstrlenA, which will return the length of the fake password. I looked all over the place for any traces of the real password, but no luck. The call at 403B84 to KERNEL32.lstrcmpA did not do me any good. One section of code starting at 403B96 seems to be interesting. Several sets of call, test eax, jne follow each other there. I forced a jump after every test eax and found a jump to 403c87 to be very interesting. If you force a jump to this location and run, you get a screen with the message 0 file(s) unzipped. I tried to step through the code at location 403c87 but got nothing interesting. This demon might be a little bit over my head, but I will keep looking.

Joseph