Quote:
Originally Posted by کunβeam
Also, how would eax go out of the boundaries, when: [1] it's stacked; [2] it only increases so far as bl is not 0; [3] eax gets restored, so nothing crashes; [4] the sub uses the pop'd eax...?
okay, here goes, u say eax = stack.. fine
cave:
pushad ; preserve registers
loop: ; loop begin
mov bl, [eax+14] ; okay, eax supposedly on the stack
cmp bl, 79 ; is bl = 79
je enemy ; if so, boing out of this routine
cmp bl, 0 ; is bl = 0 (presumably end of string)
je out ; if so, boing out
inc eax ; increment our pointer by 1
jmp loop ; loop << this is where u can cause a crash: eax may be on the stack, but the stack does have limits, and this could be reproduced by putting crap in eax
out:
popad ; restore the registers
jmp back ; get out
enemy: ; enemy portion
popad ; restore registers
sub [eax+538],ecx ; and do the mathy thing
jmp back ; then get out
back:
flags not preserved: the sub [eax+538], ecx can adjust the flags
Quote:
[2] it only increases so far as bl is not 0;
erm, it only increases as far as when byte @ [eax] = 0; it will keep going on until this happens or it finds the 'y'
what i would do is check that the byte @ eax fits within an 'acceptable' character range, then i would do an lstrlen or so on it to calculate its length and work from that... it's relatively safer..
like check it fits within 'a->z/0-9' or 'A->Z/0-9', then begin processing
the game could act on the flags from the code, so the cmp, etc. can screw
the flags. ideally what u want to do is to set the flags for when u handle the player portion (where u set the flags to a good condition), and leave them as-is for the enemy portion..
such code could be like
call check_ammo_amount ; this would be the code that you patch
jz user_has_no_ammo
etc..
where the flags are DEFINITELY important. it depends on how the game was coded, but it's worth paying attention to..
and i guess u can pity me, Joe, cos i started out in the dos days, interrupts, 8 bit, 16 bit, pmode... all fun to learn though
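The bounded version of the cave's scan loop that the reply describes (range-check each byte, stop at a NUL or a limit, only then take a length), written here in C as an added example; it is not code from the post, and the names find_marker_bounded, validated_length and the sample buffers are assumptions for illustration.

```c
#include <stddef.h>

/* Hypothetical C re-statement of the cave's loop (mov bl,[eax+14] /
 * cmp bl,79 / cmp bl,0 / inc eax / jmp loop) with the bound the original
 * lacks. Returns the offset of the first 'y' (0x79) byte, or -1 if a NUL
 * (the "out" path), a non-text byte, or max_len is reached first. */
static int is_acceptable(unsigned char c)
{
    /* the 'a->z/0-9' or 'A->Z/0-9' range check the post suggests */
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

int find_marker_bounded(const unsigned char *buf, size_t max_len)
{
    for (size_t i = 0; i < max_len; i++) {
        unsigned char c = buf[i];
        if (c == 0)
            return -1;            /* end of string: the "out" path */
        if (c == 'y')
            return (int)i;        /* found the marker: the "enemy" path */
        if (!is_acceptable(c))
            return -1;            /* not a name: do not keep walking */
    }
    return -1;                    /* limit hit: never run off the stack */
}

/* Length of a validated, NUL-terminated name within max_len bytes, or -1.
 * The length is computed only after the bytes pass the range check, so
 * arithmetic later in the cave never works from junk. */
int validated_length(const unsigned char *buf, size_t max_len)
{
    for (size_t i = 0; i < max_len; i++) {
        if (buf[i] == 0)
            return (int)i;
        if (!is_acceptable(buf[i]))
            return -1;
    }
    return -1;                    /* no terminator inside the bound */
}
```

A constructed buffer of non-text bytes that happens to contain 0x79 is rejected rather than matched, which is the case the unbounded loop gets wrong.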