More Notepad Assembly Code Listings:

Here's what the patch code looks like as Assembly instructions:

Original code BEFORE applying the patch:
:00402D61 FF1530744000 Call dword ptr [00407430]
:00402D67 83F806 cmp eax, 00000006
:00402D6A 0F85A9000000 jne 00402E19
The same area (byte locations) AFTER applying the patch:
:00402D61 52 push edx
:00402D62 5A pop edx
:00402D63 53 push ebx
:00402D64 5B pop ebx
:00402D65 56 push esi
:00402D66 5E pop esi
:00402D67 83F806 cmp eax, 00000006
:00402D6A 42 inc edx
:00402D6B 4A dec edx
:00402D6C 43 inc ebx
:00402D6D 4B dec ebx
:00402D6E 46 inc esi
:00402D6F 4E dec esi
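
As an added example (not part of the original page), the Python code below diffs the BEFORE and AFTER byte columns listed above and checks that every changed byte belongs to a self-cancelling push/pop or inc/dec pair. That is how same-length filler written over the call and the jne can be recognised when a binary is compared against a known-good copy. The function names are illustrative.

```python
# Added example (not from the original page). Bytes are copied from the
# BEFORE/AFTER listings above; BASE is the first listed address.
BASE = 0x00402D61
ORIGINAL = bytes.fromhex("FF1530744000" "83F806" "0F85A9000000")
PATCHED = bytes.fromhex("525A535B565E" "83F806" "424A434B464E")
REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")


def changed_runs(old, new):
    """Return (offset, length) for each contiguous run of differing bytes."""
    if len(old) != len(new):
        raise ValueError("an in-place patch must preserve length")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(old, new)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(old) - start))
    return runs


def cancelling_pairs(chunk):
    """Decode chunk as one-byte x86-32 pairs that restore the register.

    Returns a list of mnemonics, or None if any byte pair is something else.
    """
    if len(chunk) % 2:
        return None
    out = []
    for a, b in zip(chunk[0::2], chunk[1::2]):
        if 0x50 <= a <= 0x57 and b == a + 8:      # push r32 ; pop r32
            out.append(f"push/pop {REG32[a - 0x50]}")
        elif 0x40 <= a <= 0x47 and b == a + 8:    # inc r32 ; dec r32
            # Register-neutral, but inc/dec rewrite every flag except CF.
            out.append(f"inc/dec {REG32[a - 0x40]}")
        else:
            return None
    return out


def classify_patch(old, new, base):
    """List (address, length, decoded pairs or None) per changed run."""
    return [(base + off, n, cancelling_pairs(new[off:off + n]))
            for off, n in changed_runs(old, new)]


for addr, n, pairs in classify_patch(ORIGINAL, PATCHED, BASE):
    print(f"{addr:08X} +{n}: {pairs or 'not pure filler'}")
```

The check works on changed runs only, so operand bytes of untouched instructions such as the surviving cmp eax, 00000006 are never misread as filler.
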

Windows 95 B
08-24-96 11:11am 34,304 bytes

Relevant code listing for the patches presented in this discussion of NOTEPAD for Win 95 B (note that the only reference to 'wordpad.exe' is not far from the section we are patching):
* Reference To: USER32.MessageBoxA
|
:00402D61 FF1530744000 Call dword ptr [00407430]
:00402D67 83F806 cmp eax, 00000006
:00402D6A 0F85A9000000 jne 00402E19 <-- The Code Listing here includes these instructions too!
:00402D70 6804010000 push 00000104
:00402D75 8D85B8FEFFFF lea eax, dword ptr [ebp+FFFFFEB8]
:00402D7B 50 push eax
* Reference To: USER32.LoadStringA
|
:00402D7C 8B1DB0734000 mov ebx, dword ptr [004073B0]
:00402D82 837D1001 cmp dword ptr [ebp+10], 00000001
:00402D86 1BFF sbb edi, edi
* Possible Reference to String Resource ID=00056: "wordpad.exe"
|
:00402D88 6A38 push 00000038
:00402D8A FF3570514000 push dword ptr [00405170]
:00402D90 FFD3 call ebx
:00402D92 83C737 add edi, 00000037
:00402D95 682C010000 push 0000012C
:00402D9A 8D8D8CFDFFFF lea ecx, dword ptr [ebp+FFFFFD8C]
:00402DA0 A170514000 mov eax, dword ptr [00405170]
:00402DA5 51 push ecx
:00402DA6 57 push edi
:00402DA7 50 push eax
:00402DA8 FFD3 call ebx
* Possible StringData Ref from Data Obj ->" " "
|
:00402DAA 68B0614000 push 004061B0
:00402DAF 8D858CFDFFFF lea eax, dword ptr [ebp+FFFFFD8C]
:00402DB5 50 push eax
* Reference To: KERNEL32.lstrcatA
|
:00402DB6 8B3D30734000 mov edi, dword ptr [00407330]
:00402DBC FFD7 call edi
:00402DBE FF750C push [ebp+0C]
:00402DC1 8D858CFDFFFF lea eax, dword ptr [ebp+FFFFFD8C]
:00402DC7 50 push eax
:00402DC8 FFD7 call edi
* Possible StringData Ref from Data Obj ->" " "
|
:00402DCA 68B4614000 push 004061B4
:00402DCF 8D8D8CFDFFFF lea ecx, dword ptr [ebp+FFFFFD8C]
:00402DD5 51 push ecx
:00402DD6 FFD7 call edi
* Possible Reference to Menu: MenuID_0001
|
* Possible Ref to Menu: MenuID_0001, Item: "Save"
|
* Possible Reference to String Resource ID=00001: "Cannot open the %%
file. Make sure a disk is in the drive"
|
:00402DD8 6A01 push 00000001
:00402DDA 8D8D8CFDFFFF lea ecx, dword ptr [ebp+FFFFFD8C]
:00402DE0 6A00 push 00000000
:00402DE2 8D95B8FEFFFF lea edx, dword ptr [ebp+FFFFFEB8]
:00402DE8 51 push ecx
:00402DE9 52 push edx
:00402DEA 6A00 push 00000000
:00402DEC 6A00 push 00000000
* Reference To: SHELL32.ShellExecuteA
|
:00402DEE FF1570734000 Call dword ptr [00407370]
:00402DF4 83F820 cmp eax, 00000020
:00402DF7 7719 ja 00402E12
* Possible Reference to String Resource ID=00048: "You cannot quit
Windows because the Save As dialog box in..."
|
:00402DF9 6A30 push 00000030
:00402DFB A160604000 mov eax, dword ptr [00406060]
:00402E00 50 push eax
:00402E01 FF35B4604000 push dword ptr [004060B4]
:00402E07 56 push esi
* Reference To: USER32.MessageBoxA
|
:00402E08 FF1530744000 Call dword ptr [00407430]
:00402E0E 33C0 xor eax, eax
:00402E10 EB0C jmp 00402E1E
* Referenced by a Conditional Jump at 00402DF7
|
:00402E12 B881000000 mov eax, 00000081
:00402E17 EB05 jmp 00402E1E
* Referenced by the Conditional Jump at Address 00402D6A [the one that
we're concerned about for our patch!]
|
:00402E19 B882000000 mov eax, 00000082
* Referenced by Unconditional Jumps at 00402E10 and 00402E17
|
:00402E1E 5F pop edi
:00402E1F 5E pop esi
:00402E20 5B pop ebx
:00402E21 8BE5 mov esp, ebp
:00402E23 5D pop ebp
:00402E24 C20C00 ret 000C

Windows 98
05-11-98 08:01pm 53,248 bytes
Windows 98 SE
04-23-99 10:22pm 53,248 bytes

Relevant code listing for the patches presented in this discussion of NOTEPAD for Win 98 AND Win 98 Second Edition. [Although the files themselves ARE slightly different, there's no difference in the Assembly code for Win 98 and 98 SE.] (Note that the only reference to 'wordpad.exe' is not far from the section we are patching):
* Reference To: USER32.MessageBoxA
|
:004033B1 FF15A8644000 Call dword ptr [004064A8]
:004033B7 83F806 cmp eax, 00000006
:004033BA 0F85A7000000 jne 00403467 <-- The Code Listing here includes these instructions too!
:004033C0 6804010000 push 00000104
:004033C5 8D858CFDFFFF lea eax, dword ptr [ebp+FFFFFD8C]
:004033CB 837D1001 cmp dword ptr [ebp+10], 00000001
:004033CF 1BFF sbb edi, edi
:004033D1 50 push eax
:004033D2 83C737 add edi, 00000037
* Possible Reference to String Resource ID=00056: "wordpad.exe"
|
:004033D5 6A38 push 00000038
:004033D7 FF3540554000 push dword ptr [00405540]
* Reference To: USER32.LoadStringA
|
:004033DD FF1520644000 Call dword ptr [00406420]
:004033E3 682C010000 push 0000012C
:004033E8 8D8DD4FEFFFF lea ecx, dword ptr [ebp+FFFFFED4]
:004033EE 51 push ecx
:004033EF A140554000 mov eax, dword ptr [00405540]
:004033F4 57 push edi
:004033F5 BB5C104000 mov ebx, 0040105C
:004033FA 50 push eax
* Reference To: USER32.LoadStringA
|
:004033FB FF1520644000 Call dword ptr [00406420]
:00403401 53 push ebx
:00403402 8D85D4FEFFFF lea eax, dword ptr [ebp+FFFFFED4]
:00403408 50 push eax
* Reference To: KERNEL32.lstrcatA
|
:00403409 8B3DC4634000 mov edi, dword ptr [004063C4]
:0040340F FFD7 call edi
:00403411 FF750C push [ebp+0C]
:00403414 8D85D4FEFFFF lea eax, dword ptr [ebp+FFFFFED4]
:0040341A 50 push eax
:0040341B FFD7 call edi
:0040341D 53 push ebx
:0040341E 8D8DD4FEFFFF lea ecx, dword ptr [ebp+FFFFFED4]
:00403424 51 push ecx
:00403425 FFD7 call edi
* Possible Reference to Menu: MenuID_0001
|
* Possible Ref to Menu: MenuID_0001, Item: "Save"
|
* Possible Reference to String Resource ID=00001: "Cannot open the %%
file. Make sure a disk is in the drive"
|
:00403427 6A01 push 00000001
:00403429 8D8DD4FEFFFF lea ecx, dword ptr [ebp+FFFFFED4]
:0040342F 56 push esi
:00403430 8D958CFDFFFF lea edx, dword ptr [ebp+FFFFFD8C]
:00403436 51 push ecx
:00403437 52 push edx
:00403438 56 push esi
:00403439 56 push esi
* Reference To: SHELL32.ShellExecuteA
|
:0040343A FF15F0634000 Call dword ptr [004063F0]
:00403440 83F820 cmp eax, 00000020
:00403443 771B ja 00403460
* Possible Reference to String Resource ID=00048: "You cannot quit
Windows because the Save As dialog box in..."
|
:00403445 6A30 push 00000030
:00403447 A164504000 mov eax, dword ptr [00405064]
:0040344C 50 push eax
:0040344D FF35B8504000 push dword ptr [004050B8]
:00403453 FF7508 push [ebp+08]
* Reference To: USER32.MessageBoxA
|
:00403456 FF15A8644000 Call dword ptr [004064A8]
:0040345C 33C0 xor eax, eax
:0040345E EB0C jmp 0040346C
* Referenced by a Conditional Jump at 00403443
|
:00403460 B881000000 mov eax, 00000081
:00403465 EB05 jmp 0040346C
* Referenced by the Conditional Jump at Address 004033BA [the one that
we're concerned about for our patch!]
|
:00403467 B882000000 mov eax, 00000082
* Referenced by Unconditional Jump Addresses at 0040345E and 00403465
|
:0040346C 5F pop edi
:0040346D 5E pop esi
:0040346E 5B pop ebx
:0040346F 8BE5 mov esp, ebp
:00403471 5D pop ebp
:00403472 C20C00 ret 000C