
From my previous question, I asked how to change the nation code to what I needed it to be. I explored the disassembly further and found out exactly where I needed this change to be. In other files, the code seems to be:

mov ds:dword_73A9C8, 1

whereas the file I'm trying to edit has:

mov ds:dword_73A9C8, eax

I've tried hex-editing the file in IDA to match the first line of code; however, the function, even after extending its length, seems to break each time I edit it.

The question I have is: how can I change it from moving eax to moving 1 without breaking the function?

Peter Cordes
    These instructions are of different lengths (and your desired immediate mov is longer) so I don't think this will work. I would look further up in the code to where `eax` gets its value, and try to patch that code so that `eax` is set to 1 instead (and hope the value in `eax` is not needed further down). – Nate Eldredge Sep 19 '21 at 23:41
  • @NateEldredge Thanks for your reply. I tried finding where eax gets its value. The whole function is `sub_4A2B60 proc near / arg_0= dword ptr 4 / mov eax, [esp+arg_0] / mov ds:dword_73A9C8, eax / retn / sub_4A2B60 endp`, and it gets called 9 times, returning "3" each time; it seems that `esp+arg_0` has the value "3". Should I be looking for where `esi` or `arg_0` gets assigned? – smo Monkeyy-3 Sep 20 '21 at 00:16
  • I would just patch over the pair of instructions with `mov ds:dword_73A9C8, 1 / retn`. The first instruction loads `eax` with the function's argument, which you want to just ignore. The function technically also returns its argument by leaving it in eax, but it's unlikely it gets used and probably causes no harm to not do that. – Nate Eldredge Sep 20 '21 at 00:34

1 Answer

sub_4A2B60 proc near
  arg_0= dword ptr 4
  mov eax, [esp+arg_0]
  mov ds:dword_73A9C8, eax
  retn
sub_4A2B60 endp 

You could replace the 4-byte instruction `mov eax, [esp + 4]` with the sequence `xor eax, eax` / `inc eax` / `nop`, which also has 4 bytes.

If 1 is what you want, then the return value in EAX should probably also be 1.

Sep Roland
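The following is an added example, not code from the question or the answer, showing how to apply the length-preserving patch from the answer to the file without disturbing anything around the function. It assumes the instruction encodings listed in the comments (in particular the 5-byte `A3` form for `mov ds:dword_73A9C8, eax`; if the binary uses the 6-byte `89 05` form instead, the check refuses to patch) and that you already know the file offset of `sub_4A2B60` on disk. It also shows, by byte count, why the `mov ds:dword_73A9C8, 1` form the question wanted cannot simply be dropped over the existing bytes.

```python
"""Length-preserving patch of sub_4A2B60.

Added example, not code from the thread. Assumes the instruction encodings
given below (in particular the A3 'mov moffs32, eax' form for the store) and
that the caller knows the file offset of sub_4A2B60 on disk; the pre-patch
check refuses to write anything if the bytes there differ.
"""
import sys

# Bytes of sub_4A2B60 as listed in the disassembly (assumed encodings):
#   8B 44 24 04      mov eax, [esp+4]          ; 4 bytes
#   A3 C8 A9 73 00   mov ds:dword_73A9C8, eax  ; 5 bytes (A3 = mov moffs32, eax)
#   C3               retn                      ; 1 byte
ORIGINAL = bytes.fromhex("8B442404" "A3C8A97300" "C3")

# The answer's replacement: the first 4 bytes become a 4-byte sequence that
# sets eax = 1; the store and retn are left exactly as they were, so the
# function still returns 1 in eax as the answer notes.
#   31 C0            xor eax, eax
#   40               inc eax
#   90               nop
PATCHED = bytes.fromhex("31C0" "40" "90" "A3C8A97300" "C3")

# Why 'mov ds:dword_73A9C8, 1' cannot simply be written over the function:
# C7 05 <disp32> <imm32> is 10 bytes on its own, so with retn it needs 11
# bytes where the function only occupies 10.
MOV_IMM_FORM = bytes.fromhex("C705" "C8A97300" "01000000") + bytes.fromhex("C3")


def patch_function(image: bytes, offset: int) -> bytes:
    """Return a copy of image with the function at `offset` patched.

    The patch is only applied if the bytes at `offset` are exactly ORIGINAL,
    so a different build, a wrong offset or a different encoding of the store
    is caught before any byte is changed.
    """
    found = image[offset:offset + len(ORIGINAL)]
    if found != ORIGINAL:
        raise ValueError(f"unexpected bytes at {offset:#x}: {found.hex()} "
                         f"(expected {ORIGINAL.hex()})")
    # Same length in, same length out: nothing after the function moves.
    assert len(PATCHED) == len(ORIGINAL)
    return image[:offset] + PATCHED + image[offset + len(PATCHED):]


def main(argv: list[str]) -> int:
    if len(argv) != 4:
        print(f"usage: {argv[0]} <in.exe> <out.exe> <file_offset_of_sub_4A2B60>")
        return 2
    src, dst, offset = argv[1], argv[2], int(argv[3], 0)
    with open(src, "rb") as f:
        image = f.read()
    with open(dst, "wb") as f:
        f.write(patch_function(image, offset))
    print(f"patched {len(PATCHED)} bytes at {offset:#x}, wrote {dst}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The file offset is not the same as the virtual address 0x4A2B60; IDA shows the file offset of the current location in the status bar, and the PE section table is what maps one to the other. The pre-patch comparison is the important part: patching at a wrong offset, or over a store encoded as `89 05` rather than `A3`, is exactly how a function "breaks each time".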