I'll get the ball rolling since I'm not happy I can't connect to my cracked soo any more.
Anyway, so far I found out that this function
is responsible for logging output; place a BP on ts3server.010F3B71.
EAX on one of the loops gets a copy of the license values, but only a copy, so editing its values only changes what is in the log, not the server license info.
You need to backtrace it to find where these values are written, where you can edit them.
Anyway, So far i found out that this function
Code:
; Debugger disassembly dump: address | opcode bytes | instruction (32-bit x86, Intel syntax).
; The listing opens at `mov ebp,esp`; the `push ebp` that pairs with the `pop ebp` at
; 010F3DD2 is not shown, so the real function entry is presumably one byte earlier - confirm.
;
; Register roles as used below:
;   ecx (in) -> first object, kept in ebx and returned in eax at the end
;   edx (in) -> second object; dword at +10h is used as a byte count, dword at +14h is
;               compared with 10h to choose between an inline buffer and a pointer at +0
;   esi      =  number of fill bytes still to emit
;   edi      =  accumulated status bits (only the value 4 is ever set here)
;   "base"   =  ebx + [[ebx]+4], i.e. the first object plus an offset read from its table
;
; NOTE(review): the base-relative fields (+0Ch status, +14h flags masked with 1C0h,
; +20h/+24h 64-bit width, +38h buffer object, +3Ch, +40h fill byte) and the call pattern
; look like a C++ runtime formatted string-output routine, i.e. generic library code that
; every text write passes through rather than application-specific logic. That would
; explain why only a copy of any given value is visible here. Inferred from shape alone;
; confirm against symbols.
;
; --- Prologue: exception registration record (-1 state, handler, previous fs:[0]) ---
010F3B71 | 8BEC | mov ebp,esp
010F3B73 | 6A FF | push FFFFFFFF
010F3B75 | 68 8CCB4201 | push ts3server.142CB8C
010F3B7A | 64:A1 00000000 | mov eax,dword ptr fs:[0]
010F3B80 | 50 | push eax
010F3B81 | 83EC 24 | sub esp,24
010F3B84 | 53 | push ebx
010F3B85 | 56 | push esi
010F3B86 | 57 | push edi
; Global dword XORed with ebp and pushed - presumably the module's stack/EH security cookie; confirm.
010F3B87 | A1 78E05101 | mov eax,dword ptr ds:[151E078]
010F3B8C | 33C5 | xor eax,ebp
010F3B8E | 50 | push eax
; Install the record at ebp-C as the new fs:[0] head and remember esp for unwinding.
010F3B8F | 8D45 F4 | lea eax,dword ptr ss:[ebp-C]
010F3B92 | 64:A3 00000000 | mov dword ptr fs:[0],eax
010F3B98 | 8965 F0 | mov dword ptr ss:[ebp-10],esp
; --- Save both arguments; read the byte count and the 64-bit width (eax:esi = high:low) ---
010F3B9B | 8955 DC | mov dword ptr ss:[ebp-24],edx
010F3B9E | 8BD9 | mov ebx,ecx
010F3BA0 | 895D E4 | mov dword ptr ss:[ebp-1C],ebx
010F3BA3 | 8B03 | mov eax,dword ptr ds:[ebx]
010F3BA5 | 33FF | xor edi,edi
010F3BA7 | 8B52 10 | mov edx,dword ptr ds:[edx+10]
010F3BAA | 897D E0 | mov dword ptr ss:[ebp-20],edi
010F3BAD | 8955 E8 | mov dword ptr ss:[ebp-18],edx
010F3BB0 | 8B48 04 | mov ecx,dword ptr ds:[eax+4]
010F3BB3 | 8B4419 24 | mov eax,dword ptr ds:[ecx+ebx+24]
010F3BB7 | 8B7419 20 | mov esi,dword ptr ds:[ecx+ebx+20]
; --- Padding count: esi = width - count when width is positive and larger, else 0 ---
; High dword negative, or the whole value zero, means no padding. The low dwords are
; compared unsigned (jbe).
010F3BBB | 85C0 | test eax,eax
010F3BBD | 7C 14 | jl ts3server.10F3BD3
010F3BBF | 7F 04 | jg ts3server.10F3BC5
010F3BC1 | 85F6 | test esi,esi
010F3BC3 | 74 0E | je ts3server.10F3BD3
010F3BC5 | 8945 D4 | mov dword ptr ss:[ebp-2C],eax
010F3BC8 | 3BF2 | cmp esi,edx
010F3BCA | 76 07 | jbe ts3server.10F3BD3
010F3BCC | 8945 D4 | mov dword ptr ss:[ebp-2C],eax
010F3BCF | 2BF2 | sub esi,edx
010F3BD1 | EB 02 | jmp ts3server.10F3BD5
010F3BD3 | 33F6 | xor esi,esi
; --- If a buffer object is attached at base+38h, call its virtual slot +4 ---
; NOTE(review): paired with the slot +8 call near the end; looks like lock/unlock - confirm.
010F3BD5 | 8B4C19 38 | mov ecx,dword ptr ds:[ecx+ebx+38]
010F3BD9 | 895D D0 | mov dword ptr ss:[ebp-30],ebx
010F3BDC | 85C9 | test ecx,ecx
010F3BDE | 74 05 | je ts3server.10F3BE5
010F3BE0 | 8B01 | mov eax,dword ptr ds:[ecx]
010F3BE2 | FF50 04 | call dword ptr ds:[eax+4]
; [ebp-4] is updated at each stage below (0,1,2,4,5) - presumably the EH state index.
010F3BE5 | C745 FC 00000000 | mov dword ptr ss:[ebp-4],0
; If status at base+0Ch is clear and the pointer at base+3Ch is non-null and not this
; object, call 10F49F0 on it (presumably flushing a linked object; confirm).
010F3BEC | 8B03 | mov eax,dword ptr ds:[ebx]
010F3BEE | 8B40 04 | mov eax,dword ptr ds:[eax+4]
010F3BF1 | 837C18 0C 00 | cmp dword ptr ds:[eax+ebx+C],0
010F3BF6 | 75 11 | jne ts3server.10F3C09
010F3BF8 | 8B4C18 3C | mov ecx,dword ptr ds:[eax+ebx+3C]
010F3BFC | 85C9 | test ecx,ecx
010F3BFE | 74 09 | je ts3server.10F3C09
010F3C00 | 3BCB | cmp ecx,ebx
010F3C02 | 74 05 | je ts3server.10F3C09
010F3C04 | E8 E70D0000 | call ts3server.10F49F0
; --- Readiness check: al = (status at base+0Ch == 0); if not ready, edi = 4 and skip output ---
010F3C09 | 8B03 | mov eax,dword ptr ds:[ebx]
010F3C0B | 8B48 04 | mov ecx,dword ptr ds:[eax+4]
010F3C0E | 837C19 0C 00 | cmp dword ptr ds:[ecx+ebx+C],0
010F3C13 | 0F94C0 | sete al
010F3C16 | 8845 D4 | mov byte ptr ss:[ebp-2C],al
010F3C19 | C745 FC 01000000 | mov dword ptr ss:[ebp-4],1
010F3C20 | 84C0 | test al,al
010F3C22 | 75 0A | jne ts3server.10F3C2E
010F3C24 | BF 04000000 | mov edi,4
010F3C29 | E9 3E010000 | jmp ts3server.10F3D6C
; --- Flags at base+14h masked with 1C0h; value 40h skips the leading padding loop ---
010F3C2E | C645 FC 02 | mov byte ptr ss:[ebp-4],2
010F3C32 | 8B4419 14 | mov eax,dword ptr ds:[ecx+ebx+14]
010F3C36 | 25 C0010000 | and eax,1C0
010F3C3B | 83F8 40 | cmp eax,40
010F3C3E | 74 5C | je ts3server.10F3C9C
; --- Leading padding loop: emit the fill byte at base+40h esi times ---
010F3C40 | 85F6 | test esi,esi
010F3C42 | 74 54 | je ts3server.10F3C98
010F3C44 | 8B03 | mov eax,dword ptr ds:[ebx]
010F3C46 | 8B40 04 | mov eax,dword ptr ds:[eax+4]
010F3C49 | 8A4C18 40 | mov cl,byte ptr ds:[eax+ebx+40]
010F3C4D | 884D EF | mov byte ptr ss:[ebp-11],cl
010F3C50 | 8B4C18 38 | mov ecx,dword ptr ds:[eax+ebx+38]
; Fast path: the write pointer (via [buf+20h]) is non-null and the count (via [buf+30h])
; is positive, so decrement the count, advance the pointer and store the byte directly.
010F3C54 | 8B41 20 | mov eax,dword ptr ds:[ecx+20]
010F3C57 | 8338 00 | cmp dword ptr ds:[eax],0
010F3C5A | 74 20 | je ts3server.10F3C7C
010F3C5C | 8B51 30 | mov edx,dword ptr ds:[ecx+30]
010F3C5F | 8B02 | mov eax,dword ptr ds:[edx]
010F3C61 | 85C0 | test eax,eax
010F3C63 | 7E 17 | jle ts3server.10F3C7C
010F3C65 | 48 | dec eax
010F3C66 | 8902 | mov dword ptr ds:[edx],eax
010F3C68 | 8B49 20 | mov ecx,dword ptr ds:[ecx+20]
010F3C6B | 8B11 | mov edx,dword ptr ds:[ecx]
010F3C6D | 8D42 01 | lea eax,dword ptr ds:[edx+1]
010F3C70 | 8901 | mov dword ptr ds:[ecx],eax
010F3C72 | 8A45 EF | mov al,byte ptr ss:[ebp-11]
010F3C75 | 8802 | mov byte ptr ds:[edx],al
010F3C77 | 0FB6C0 | movzx eax,al
010F3C7A | EB 0A | jmp ts3server.10F3C86
; Slow path: pass the byte to the buffer object's virtual slot +0Ch.
010F3C7C | 0FB645 EF | movzx eax,byte ptr ss:[ebp-11]
010F3C80 | 8B11 | mov edx,dword ptr ds:[ecx]
010F3C82 | 50 | push eax
010F3C83 | FF52 0C | call dword ptr ds:[edx+C]
; A result of FFFFFFFF is treated as failure: edi = 4, saved to [ebp-20], loop abandoned.
010F3C86 | 83F8 FF | cmp eax,FFFFFFFF
010F3C89 | 75 0A | jne ts3server.10F3C95
010F3C8B | BF 04000000 | mov edi,4
010F3C90 | 897D E0 | mov dword ptr ss:[ebp-20],edi
010F3C93 | EB 2F | jmp ts3server.10F3CC4
010F3C95 | 4E | dec esi
010F3C96 | EB A8 | jmp ts3server.10F3C40
010F3C98 | 85FF | test edi,edi
010F3C9A | 75 28 | jne ts3server.10F3CC4
; --- Main write: pick the data pointer from the second object, then call 10F4C40 ---
; If the dword at +14h is >= 10h the data pointer is read from +0, otherwise the object's
; own address is used (inline storage). Arguments pushed: 0, byte count, data pointer;
; ecx = buffer object.
010F3C9C | 8B4D DC | mov ecx,dword ptr ss:[ebp-24]
010F3C9F | 8379 14 10 | cmp dword ptr ds:[ecx+14],10
010F3CA3 | 72 02 | jb ts3server.10F3CA7
010F3CA5 | 8B09 | mov ecx,dword ptr ds:[ecx]
010F3CA7 | 8B03 | mov eax,dword ptr ds:[ebx]
010F3CA9 | 6A 00 | push 0
010F3CAB | FF75 E8 | push dword ptr ss:[ebp-18]
010F3CAE | 8B40 04 | mov eax,dword ptr ds:[eax+4]
010F3CB1 | 51 | push ecx
010F3CB2 | 8B4C18 38 | mov ecx,dword ptr ds:[eax+ebx+38]
010F3CB6 | E8 850F0000 | call ts3server.10F4C40
; The edx:eax result must equal the requested count (edx == 0); otherwise edi = 4 at 10F3D19.
010F3CBB | 3B45 E8 | cmp eax,dword ptr ss:[ebp-18]
010F3CBE | 75 59 | jne ts3server.10F3D19
010F3CC0 | 85D2 | test edx,edx
010F3CC2 | 75 55 | jne ts3server.10F3D19
; --- Trailing padding loop: same fast/slow byte write as above, for the remaining esi ---
010F3CC4 | 85F6 | test esi,esi
010F3CC6 | 74 56 | je ts3server.10F3D1E
010F3CC8 | 8B03 | mov eax,dword ptr ds:[ebx]
010F3CCA | 8B40 04 | mov eax,dword ptr ds:[eax+4]
010F3CCD | 8B4C18 38 | mov ecx,dword ptr ds:[eax+ebx+38]
010F3CD1 | 8A5418 40 | mov dl,byte ptr ds:[eax+ebx+40]
010F3CD5 | 8855 EF | mov byte ptr ss:[ebp-11],dl
010F3CD8 | 8B41 20 | mov eax,dword ptr ds:[ecx+20]
010F3CDB | 8338 00 | cmp dword ptr ds:[eax],0
010F3CDE | 74 23 | je ts3server.10F3D03
010F3CE0 | 8B41 30 | mov eax,dword ptr ds:[ecx+30]
010F3CE3 | 8B00 | mov eax,dword ptr ds:[eax]
010F3CE5 | 85C0 | test eax,eax
010F3CE7 | 7E 1A | jle ts3server.10F3D03
010F3CE9 | 8B51 30 | mov edx,dword ptr ds:[ecx+30]
010F3CEC | 48 | dec eax
010F3CED | 8902 | mov dword ptr ds:[edx],eax
010F3CEF | 8B49 20 | mov ecx,dword ptr ds:[ecx+20]
010F3CF2 | 8B11 | mov edx,dword ptr ds:[ecx]
010F3CF4 | 8D42 01 | lea eax,dword ptr ds:[edx+1]
010F3CF7 | 8901 | mov dword ptr ds:[ecx],eax
010F3CF9 | 8A45 EF | mov al,byte ptr ss:[ebp-11]
010F3CFC | 8802 | mov byte ptr ds:[edx],al
010F3CFE | 0FB6C0 | movzx eax,al
010F3D01 | EB 09 | jmp ts3server.10F3D0C
010F3D03 | 0FB6C2 | movzx eax,dl
010F3D06 | 8B11 | mov edx,dword ptr ds:[ecx]
010F3D08 | 50 | push eax
010F3D09 | FF52 0C | call dword ptr ds:[edx+C]
; Failure here ORs 4 into edi (the leading loop overwrites edi with 4 instead).
010F3D0C | 83F8 FF | cmp eax,FFFFFFFF
010F3D0F | 75 05 | jne ts3server.10F3D16
010F3D11 | 83CF 04 | or edi,4
010F3D14 | EB 08 | jmp ts3server.10F3D1E
010F3D16 | 4E | dec esi
010F3D17 | EB AB | jmp ts3server.10F3CC4
; Short or failed main write lands here.
010F3D19 | BF 04000000 | mov edi,4
; Reset the 64-bit width at base+20h/+24h to zero after the output attempt.
010F3D1E | 8B03 | mov eax,dword ptr ds:[ebx]
010F3D20 | 8B40 04 | mov eax,dword ptr ds:[eax+4]
010F3D23 | C74418 20 00000000 | mov dword ptr ds:[eax+ebx+20],0
010F3D2B | C74418 24 00000000 | mov dword ptr ds:[eax+ebx+24],0
010F3D33 | EB 30 | jmp ts3server.10F3D65
; --- 010F3D35..010F3D5E: not reachable by fall-through (preceded by an unconditional jmp) ---
; Reloads the first object from [ebp-1C], ORs 4 into its status value, calls 10ECE60 with
; (value, 1) and returns the address 10F3D5F in eax.
; NOTE(review): this shape looks like a compiler-generated catch handler that hands back
; its continuation address - confirm.
010F3D35 | 8B4D E4 | mov ecx,dword ptr ss:[ebp-1C]
010F3D38 | 8B01 | mov eax,dword ptr ds:[ecx]
010F3D3A | 8B50 04 | mov edx,dword ptr ds:[eax+4]
010F3D3D | 8B440A 0C | mov eax,dword ptr ds:[edx+ecx+C]
010F3D41 | 03D1 | add edx,ecx
010F3D43 | 83C8 04 | or eax,4
010F3D46 | 837A 38 00 | cmp dword ptr ds:[edx+38],0
010F3D4A | 75 03 | jne ts3server.10F3D4F
010F3D4C | 83C8 04 | or eax,4
010F3D4F | 6A 01 | push 1
010F3D51 | 50 | push eax
010F3D52 | 8BCA | mov ecx,edx
010F3D54 | E8 0791FFFF | call ts3server.10ECE60
010F3D59 | B8 5F3D0F01 | mov eax,ts3server.10F3D5F
010F3D5E | C3 | ret
; Continuation after that handler: restore ebx and edi from their stack copies.
010F3D5F | 8B5D E4 | mov ebx,dword ptr ss:[ebp-1C]
010F3D62 | 8B7D E0 | mov edi,dword ptr ss:[ebp-20]
; --- Publish status: if edi != 0, OR it into the status at base+0Ch via 10ECE60 ---
; When no buffer object is attached (base+38h == 0) bit 4 is forced on as well;
; cmovne keeps the plain value otherwise.
010F3D65 | C745 FC 01000000 | mov dword ptr ss:[ebp-4],1
010F3D6C | 8B03 | mov eax,dword ptr ds:[ebx]
010F3D6E | 8B48 04 | mov ecx,dword ptr ds:[eax+4]
010F3D71 | 03CB | add ecx,ebx
010F3D73 | 85FF | test edi,edi
010F3D75 | 74 19 | je ts3server.10F3D90
010F3D77 | 8B51 0C | mov edx,dword ptr ds:[ecx+C]
010F3D7A | 0BD7 | or edx,edi
010F3D7C | 8BC2 | mov eax,edx
010F3D7E | 83C8 04 | or eax,4
010F3D81 | 8379 38 00 | cmp dword ptr ds:[ecx+38],0
010F3D85 | 6A 00 | push 0
010F3D87 | 0F45C2 | cmovne eax,edx
010F3D8A | 50 | push eax
010F3D8B | E8 D090FFFF | call ts3server.10ECE60
; --- Cleanup: call 10F4DA0 on the saved object only when 13D2180 returns al == 0 ---
; NOTE(review): presumably an "exception in flight?" test guarding post-output work - confirm.
010F3D90 | C745 FC 04000000 | mov dword ptr ss:[ebp-4],4
010F3D97 | E8 E4E32D00 | call ts3server.13D2180
010F3D9C | 8B75 D0 | mov esi,dword ptr ss:[ebp-30]
010F3D9F | 84C0 | test al,al
010F3DA1 | 75 07 | jne ts3server.10F3DAA
010F3DA3 | 8BCE | mov ecx,esi
010F3DA5 | E8 F60F0000 | call ts3server.10F4DA0
; If a buffer object is attached, call its virtual slot +8 (counterpart of the slot +4 call).
010F3DAA | C645 FC 05 | mov byte ptr ss:[ebp-4],5
010F3DAE | 8B06 | mov eax,dword ptr ds:[esi]
010F3DB0 | 8B40 04 | mov eax,dword ptr ds:[eax+4]
010F3DB3 | 8B4C30 38 | mov ecx,dword ptr ds:[eax+esi+38]
010F3DB7 | 85C9 | test ecx,ecx
010F3DB9 | 74 05 | je ts3server.10F3DC0
010F3DBB | 8B01 | mov eax,dword ptr ds:[ecx]
010F3DBD | FF50 08 | call dword ptr ds:[eax+8]
; --- Epilogue: return the first object in eax, restore the previous fs:[0] head ---
; `pop ecx` discards the slot pushed after the XOR at 010F3B8C; the value is not re-checked here.
010F3DC0 | 8BC3 | mov eax,ebx
010F3DC2 | 8B4D F4 | mov ecx,dword ptr ss:[ebp-C]
010F3DC5 | 64:890D 00000000 | mov dword ptr fs:[0],ecx
010F3DCC | 59 | pop ecx
010F3DCD | 5F | pop edi
010F3DCE | 5E | pop esi
010F3DCF | 5B | pop ebx
010F3DD0 | 8BE5 | mov esp,ebp
010F3DD2 | 5D | pop ebp
010F3DD3 | C3 | ret
is responsible for logging output; place a BP on ts3server.010F3B71.
EAX on one of the loops gets a copy of the license values, but only a copy, so editing its values only changes what is in the log, not the server license info.
You need to backtrace it to find where these values are written, where you can edit them.