Now before we start looking at this more, I want to show you something: notice that ESI is already set with our pointer, and ESI+30 accesses our score, so grab a calculator and work out the resulting value there (which in my case is $0x000BB0B8 + 30 = $0x000BB0E8). Now remember the location of our pointer from CE, yes? Well, let's go have a look at it: Ctrl+G in the dump window and enter the address of our pointer ($0x01007170). See the first 4 bytes stored there?

Now if you aren't familiar with Olly, the $ sign at the top there denotes the beginning of the routine, so we have dropped quite near the end, right after an immediately suspicious call (suspicious because EAX is frequently used as the return value from calls, and as you can see, EAX is what is written to our score; remember that ESI+30 is where our score is). So set a breakpoint at the 'PUSH EBP' at the beginning of this routine (to set a bp quickly in Olly, double click the op-codes, in this case '55') and hit F9 to run the game, or Shift+F9 if you don't have your options set up to ignore all exceptions. Bam! We immediately break in this routine, but we expected that, right? So start stepping through (F7) and take a mental note of what is happening. See all those 'cmp'/'je' pairs at the top? Looks like this routine could probably be used for other things as well as the score; I'll leave that for you to explore, as we are only interested in our score right now.

Hmm, the value at +8 doesn't look overly familiar right now, does it? Unless you somehow got the same address as you did in CE, but I doubt it. It seems that the address of our score is passed as a parameter to this routine (parameters are 'PUSH'ed onto the stack before the call is made, and EBP points to the stack at the point where this routine starts). The main things to take in here are the values of ESI and EAX, so we are looking for both where ESI gets set and where EAX gets its value from, so notice this at $0x010030A7.

So we know to look out for that later, but there isn't much point in carrying on yet, as our score is obviously going to be zero right now, so F9/Run to continue running Solitaire and get yourself a score. Note that if you hit F2 or change your deck, you will also break into Olly again. As soon as you get a score, you should break right back in Olly, same place we did before. Step through the code again, following the jumps, keep tracing past where the pointer value is 'MOV'ed into ESI, and stop on the MOV EAX. Hmm, there's that ESI+30 again, so first it seems to be reading our score into EAX, and then adding to it. Then the next instruction writes the new score to memory, nothing special really. By the way, DS, just like SS, means the Data Segment. We already know that is referencing this routine's parameters, so it looks like we found the main AddScore() function of Solitaire! How do I know that? Well, take a look at EBP+10 in the stack, convert it to decimal, then run and look at your score if you like proof.
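As an added example (not code from the tutorial or from Solitaire), here is a small C model of the two things done by hand above: following the CE pointer through the dump window and the calculator ([$0x01007170] + 0x30), and the three instructions of the AddScore() routine (read [ESI+30] into EAX, add the stack parameter, write it back). The simulated memory image, the point values, and the parameter layout ([EBP+8] = object, [EBP+0xC] = unidentified, [EBP+0x10] = points) are assumptions built for the example; only the addresses 0x01007170 and 0x000BB0B8 and the offset 0x30 come from the text. The chain walker is written for any number of offsets, which is more general than the single hop the tutorial needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Addresses from the tutorial: the static pointer Cheat Engine found, the
   value stored in it (what ESI holds in Olly), and the score offset. */
#define PTR_ADDR  0x01007170u
#define OBJ_ADDR  0x000BB0B8u
#define SCORE_OFF 0x30u

/* One mapped chunk of a simulated 32-bit address space (constructed for the
   example). Two small chunks hold both tutorial addresses; everything else
   is unmapped, so a bad pointer fails a read instead of crashing. */
struct region {
    uint32_t base;
    uint8_t  bytes[0x100];
};
static struct region g_mem[2] = {
    { 0x01007100u, {0} },   /* holds the pointer at 0x01007170       */
    { 0x000BB000u, {0} },   /* holds the object, score at 0x000BB0E8 */
};

/* Translate a simulated address to a host pointer, or NULL if unmapped. */
static uint8_t *map(uint32_t addr, size_t len)
{
    for (size_t i = 0; i < sizeof g_mem / sizeof g_mem[0]; i++) {
        if (addr >= g_mem[i].base &&
            (size_t)(addr - g_mem[i].base) + len <= sizeof g_mem[i].bytes)
            return g_mem[i].bytes + (addr - g_mem[i].base);
    }
    return NULL;
}

/* Little-endian 32-bit read: the "first 4 bytes" seen in the dump window. */
static int mem_read32(uint32_t addr, uint32_t *out)
{
    const uint8_t *p = map(addr, 4);
    if (p == NULL) return 0;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 1;
}

static int mem_write32(uint32_t addr, uint32_t val)
{
    uint8_t *p = map(addr, 4);
    if (p == NULL) return 0;
    p[0] = (uint8_t)val;         p[1] = (uint8_t)(val >> 8);
    p[2] = (uint8_t)(val >> 16); p[3] = (uint8_t)(val >> 24);
    return 1;
}

/* Walk a pointer chain the way the calculator step does by hand: read the
   static address, then for each offset add it and dereference again unless
   it is the last one. The tutorial's chain is one hop ([0x01007170] + 0x30);
   CE pointer scans also produce longer chains, so a list is accepted.
   Returns 0 if any hop lands in unmapped memory. */
static int resolve_chain(uint32_t start, const uint32_t *offs, size_t n,
                         uint32_t *final_addr)
{
    uint32_t cur;
    if (n == 0 || !mem_read32(start, &cur)) return 0;
    for (size_t i = 0; i < n; i++) {
        cur += offs[i];
        if (i + 1 < n && !mem_read32(cur, &cur)) return 0;
    }
    *final_addr = cur;
    return 1;
}

/* The routine the tutorial calls AddScore(), reduced to the three
   instructions it steps through. Assumed 32-bit frame after PUSH EBP:
   [EBP+8] = object address (its +0x30 is the score), [EBP+0xC] = a
   parameter the tutorial does not identify, [EBP+0x10] = points to add. */
static int add_score(uint32_t obj, uint32_t unidentified_arg, int32_t points,
                     int32_t *new_score)
{
    uint32_t eax;
    (void)unidentified_arg;
    if (!mem_read32(obj + SCORE_OFF, &eax)) return 0; /* MOV EAX,[ESI+30] */
    eax += (uint32_t)points;                           /* ADD EAX,[EBP+10] */
    if (!mem_write32(obj + SCORE_OFF, eax)) return 0;  /* MOV [ESI+30],EAX */
    *new_score = (int32_t)eax;
    return 1;
}

/* Constructed image: pointer -> object, score zero like a fresh game. */
static void setup_image(void)
{
    mem_write32(PTR_ADDR, OBJ_ADDR);
    mem_write32(OBJ_ADDR + SCORE_OFF, 0);
}

int main(void)
{
    const uint32_t offs[] = { SCORE_OFF };
    uint32_t score_addr, raw;
    int32_t score = 0;

    setup_image();
    if (!resolve_chain(PTR_ADDR, offs, 1, &score_addr)) return 1;
    printf("score address: 0x%08X\n", score_addr);      /* 0x000BB0E8 */

    /* constructed point values standing in for two scoring moves */
    add_score(OBJ_ADDR, 0, 5, &score);
    add_score(OBJ_ADDR, 0, 10, &score);
    mem_read32(score_addr, &raw);
    printf("score: %d (raw %u at that address)\n", score, raw);
    return 0;
}
```

The unmapped-hop check is the part worth keeping in mind: a pointer chain found by scanning is only valid while the game keeps the same allocation, so anything that walks it (a trainer, but equally an integrity checker or a memory-forensics script) has to treat a failed hop as "chain is stale", not as a score of zero.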