These are really difficult to read; they were sort of on-the-fly notes taken while working to avoid the date expiration of some beta software, maybe.
So, check the stack at the breakpoint on McpDoBetaCheck; the calling function is McpFInitMcp. Break on that function (break McpFInitMcp, then step (s) forward), disas the address, and start looking for the call to McpDoBetaCheck; you can just look for the previous breakpoint address or something, I can't remember.
Addresses need a * in front for a jump. You can break on McpFInitMcp and then see what address you need to jump from there.
    gdb "./Microsoft Entourage"
    (gdb) break *0x01044cab
    (gdb) jump *0x01044cb2

That works. (Eureka moment!)
NOTE: on finding the code in the disassembled text dump: the last three hex digits of gdb's address correspond to the offset in the objdump listing, so to find the code quickly:

    grep -B1 "cad:" decomp.txt | grep jne

or

    grep -B1 "cad:" mcpdecomp.out | grep -B1 call | grep -A1 jne

... So simple, so fast. (This was used to find the correct section of code by the order of the instructions.)

Hexedit offsets for the nops are 1190C0 for PowerPC and 400CAD for Intel. The nop encoding is "90" for Intel, and believed to be "60 00 00 00" for PowerPC...
Using objdump, disassemble the file: objdump -D binaryfile > decompiledoutputfile.txt. An example command to find the necessary lines looks like:

    grep -A5 -B4 'mov $0x1,%eax' mcpdecomp.out | grep -B5 -A4 'add $0x4,%esp'

and the output looks like:

    106ca4: e8 b1 71 02 00    call 12de5a <LC_SEGMENT.__TEXT.__text+0x12ca86>
    106ca9: 85 c0             test %eax,%eax
    106cab: 75 05             jne 106cb2 <LC_SEGMENT.__TEXT.__text+0x1058de>
    106cad: e8 1c f8 ff ff    call 1064ce <LC_SEGMENT.__TEXT.__text+0x1050fa>
    106cb2: b8 01 00 00 00    mov $0x1,%eax
    106cb7: 83 c4 04          add $0x4,%esp
    106cba: 5b                pop %ebx
    106cbb: 5d                pop %ebp
    106cbc: c3                ret
    106cbd: 00 00             add %al,(%eax)

Open a hex editor and search for the byte string that matches the opcodes in question, e8b171020085c07505... then replace the jne (75 05) with two nops, 90 90. The match starts at 106ca4 in the objdump listing; the jne itself is at 106cab.
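As an added example (not part of the original notes), here is the defender-side view of the Intel sequence above: a check that scans a binary for the call/test/jne bytes shown in the listing, reports whether the conditional jump is still intact or has been overwritten with two nops, decodes the short jump's target the way the listing displays it (106cab + 5 lands on 106cb2), and hashes the code window so that any byte change is caught regardless of which patch was applied. The opcode bytes are taken from the objdump output above; the filler bytes, the base-address argument and the function names are my own constructions.

```python
import hashlib

# Opcode bytes exactly as shown in the objdump listing above.
CALL_TEST_JNE = bytes.fromhex("e8b171020085c07505")  # call ...; test %eax,%eax; jne +5
CALL_TEST_NOP = bytes.fromhex("e8b171020085c09090")  # same, with the jne replaced by nop nop
# The instructions that follow in the listing (call; mov $1,%eax; add; pop; pop; ret).
TAIL = bytes.fromhex("e81cf8ffff" "b801000000" "83c404" "5b" "5d" "c3")

# Constructed sample "binaries": 16 bytes of int3 filler, then the sequence, then the tail.
FILLER = b"\xcc" * 0x10
ORIGINAL = FILLER + CALL_TEST_JNE + TAIL
TAMPERED = FILLER + CALL_TEST_NOP + TAIL


def jcc_rel8_target(insn_addr: int, rel8: int) -> int:
    """Target of a 2-byte short conditional jump at insn_addr; rel8 is a signed byte
    relative to the end of the instruction (insn_addr + 2)."""
    if rel8 >= 0x80:
        rel8 -= 0x100
    return insn_addr + 2 + rel8


def find_check(blob: bytes, base_addr: int = 0) -> dict:
    """Scan blob for the call/test/jne sequence and report the state of the branch.

    base_addr is the address objdump would print for blob[0] (an assumption used
    only to reproduce the listing's addresses in the result)."""
    for state, pattern in (("intact", CALL_TEST_JNE), ("patched", CALL_TEST_NOP)):
        off = blob.find(pattern)
        if off == -1:
            continue
        jne_off = off + 7  # 5-byte call + 2-byte test
        result = {"state": state, "offset": off, "jne_offset": jne_off}
        if state == "intact":
            result["jne_target"] = jcc_rel8_target(base_addr + jne_off, blob[jne_off + 1])
        return result
    return {"state": "absent", "offset": None, "jne_offset": None}


def code_digest(blob: bytes, start: int, length: int) -> str:
    """SHA-256 of a code window; compare against a known-good digest to catch any edit,
    not just the specific two-byte replacement looked for above."""
    return hashlib.sha256(blob[start:start + length]).hexdigest()


if __name__ == "__main__":
    # Addresses are chosen so the sequence sits at 106ca4 as in the listing.
    base = 0x106ca4 - len(FILLER)
    for name, blob in (("original", ORIGINAL), ("tampered", TAMPERED)):
        r = find_check(blob, base_addr=base)
        print(name, r, code_digest(blob, len(FILLER), len(CALL_TEST_JNE))[:16])
```

The two-byte replacement keeps the file the same length (len(ORIGINAL) == len(TAMPERED)), which is why a size check alone does not notice it; the digest comparison does.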
Now, objdump the file again, this time with the power4 PowerPC instruction set as an argument...

For PowerPC, we're looking for the code with:

    grep -A2 'cmpwi cr7,r3,0' power4decomp.txt | grep -B5 -A4 'bne'
    grep -A2 'cmpwi cr7,r3,0' power4decomp.txt | grep -B1 -A1 'bne cr7,'
    grep -A2 'cmpwi cr7,r3,0' power4decomp.txt | grep -B1 -A1 'bne cr7,' | grep bl | wc -l
    81
    grep -A3 'cmpwi cr7,r3,0' power4decomp.txt | grep -B1 -A2 'bne cr7,' | grep -A1 bl
And finally we find it….
    frieda:Desktop ben$ grep -A3 'cmpwi cr7,r3,0' power4decomp.txt|grep -B1 -A2 'bne cr7,' |grep -A1 bl|grep 'addi r1,r1,80'
    frieda:Desktop ben$ grep -A3 'cmpwi cr7,r3,0' power4decomp.txt|grep -B1 -A2 'bne cr7,' |grep -A1 bl|grep 'addi r1,r1,80'
    1180c4: 38 21 00 50 addi r1,r1,80
    1180c4: 38 21 00 50 addi r1,r1,80
    frieda:Desktop ben$ grep -A3 'cmpwi cr7,r3,0' power4decomp.txt|grep -B1 -A2 'bne cr7,' |grep -B4 -A2 bl|grep 'addi r1,r1,80'
    1180c4: 38 21 00 50 addi r1,r1,80
    1180c4: 38 21 00 50 addi r1,r1,80
    frieda:Desktop ben$ grep -A3 'cmpwi cr7,r3,0' power4decomp.txt|grep -B1 -A2 'bne cr7,' |grep -B4 -A2 bl|grep -A4 -B4 'addi r1,r1,80'
    --
    1180b8: 2f 83 00 00 cmpwi cr7,r3,0
    1180bc: 40 9e 00 08 bne cr7,1180c4 <LC_SEGMENT.__TEXT+0x1180c4>
    1180c0: 4b ff fa 31 bl 117af0 <LC_SEGMENT.__TEXT+0x117af0>
    1180c4: 38 21 00 50 addi r1,r1,80
    --
    --
    --
    1187e8: 2f 83 00 00 cmpwi cr7,r3,0
    --
    --
    1180b8: 2f 83 00 00 cmpwi cr7,r3,0
    1180bc: 40 9e 00 08 bne cr7,1180c4 <LC_SEGMENT.__TEXT.__text+0x115e84>
    1180c0: 4b ff fa 31 bl 117af0 <LC_SEGMENT.__TEXT.__text+0x1158b0>
    1180c4: 38 21 00 50 addi r1,r1,80
    --
    --
    --
    1187e8: 2f 83 00 00 cmpwi cr7,r3,0

(Each hit shows up twice because the listing contains the same bytes under both the LC_SEGMENT.__TEXT and LC_SEGMENT.__TEXT.__text labels, which is also why the wc -l count above is doubled.)

For reference, the gdb disassembly around the Intel breakpoint:

    0x01044ca9 <McpFInitMcp+57>: test %eax,%eax
    0x01044cab <McpFInitMcp+59>: jne 0x1044cb2 <McpFInitMcp+66>
    0x01044cad <McpFInitMcp+61>: call 0x10444ce <McpDoBetaCheck>
    0x01044cb2 <McpFInitMcp+66>: mov $0x1,%eax