As we all know, LISP has no unconditional jump instruction; a program simply runs its forms in sequence. The FAS bytecode does have an unconditional jump instruction, but the normal compiler will not emit one where we want it. We can get one indirectly: write special marker forms into the LSP source, compile it into a normal FAS file, then patch that file so the marker becomes an unconditional jump, achieving a jump between functions.
See the source code:

(setq zcm (getint "Please enter the registration code:"))
(if (= zcm 3637)
  (setq syz_goto 959461169)        ; jump if the registration code is correct
  (princ "Registration code error!"))
(setq syz_loc1 959461170)          ; let the program jump here and start executing
(princ "The registration code is correct. Welcome to use")   ; insert the program you want to run here
Here (setq syz_goto 959461169) and (setq syz_loc1 959461170) are the two marker tokens. The unconditional jump instruction of FAS is 57h (decimal 87). Once we find the two tokens in the compiled file and calculate the distance between them, we can overwrite the first token with a jump to the second and achieve our purpose. The numbers were chosen so the tokens are easy to spot: 959461169 is 39303731h, which FAS stores little-endian as 31 37 30 39 right after the literal's leading byte 33, so it shows up in the dump as 33 31 37 30 39 ("31709" in the hex column); likewise 959461170 shows up as 33 32 37 30 39 ("32709").
Opening tmp.fas in WinHex shows this:

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000  0D 0A 20 46 41 53 34 2D 46 49 4C 45 20 3B 20 44   .. FAS4-FILE ; D
00000010  6F 20 6E 6F 74 20 63 68 61 6E 67 65 20 69 74 21   o not change it!
00000020  0D 0A 31 31 31 0D 0A 31 32 20 24 14 00 00 00 00   ..111..12 $.....
00000030  09 0B 00 35 01 0A 00 03 06 09 00 03 09 00 33 35   ...5..........35
00000040  0E 00 00 35 02 08 00 03 67 0D 00 00 00 33 31 37   ...5....g....317
00000050  30 39 06 07 00 57 09 00 00 00 09 06 00 35 01 05   09...W.......5..
00000060  00 03 0A 35 00 05 00 03 16 14 00 00 00 00 09 04   ...5............
00000070  00 35 01 05 00 03 0A 35 00 03 00 03 0A 33 32 37   .5.....5.....327
00000080  30 39 06 02 00 09 01 00 35 01 05 00 03 0A 35 00   09......5.....5.
00000090  05 00 03 0A 35 00 05 00 03 16 24 0D 0A 32 38 30   ....5.....$..280
The modified tmp.fas is as follows:
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000  0D 0A 20 46 41 53 34 2D 46 49 4C 45 20 3B 20 44   .. FAS4-FILE ; D
00000010  6F 20 6E 6F 74 20 63 68 61 6E 67 65 20 69 74 21   o not change it!
00000020  0D 0A 31 31 31 0D 0A 31 32 20 24 14 00 00 00 00   ..111..12 $.....
00000030  09 0B 00 35 01 0A 00 03 06 09 00 03 09 00 33 35   ...5..........35
00000040  0E 00 00 35 02 08 00 03 67 0D 00 00 00 57 33 00   ...5....g....W3.
00000050  00 00 20 20 20 57 09 00 00 00 09 06 00 35 01 05   ..   W.......5..
00000060  00 03 0A 35 00 05 00 03 16 14 00 00 00 00 09 04   ...5............
00000070  00 35 01 05 00 03 0A 35 00 03 00 03 0A 33 32 37   .5.....5.....327
00000080  30 39 06 02 00 09 01 00 35 01 05 00 03 0A 35 00   09......5.....5.
00000090  05 00 03 0A 35 00 05 00 03 16 24 0D 0A 32 38 30   ....5.....$..280
The modified program cannot be decompiled correctly, because normal LISP has no goto for the decompiler to turn the jump back into.
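The WinHex edit above, done by hand in the post, can be scripted. The following is an added example, not code from the post: it locates the two marker tokens, computes the jump distance, and writes the 57h instruction plus 20h padding exactly as the second dump shows. Its byte-level assumptions are inferred from the two dumps rather than from any FAS documentation: 33h introduces a 4-byte little-endian integer literal, 57h takes a 4-byte little-endian offset counted from the byte after the operand (the compiler's own 67 0D 00 00 00 at 0x48 reaches 0x5A, and its 57 09 00 00 00 at 0x55 reaches 0x63), and the three bytes after each marker literal (06 07 00 / 06 02 00) finish the setq form, so the jump lands right after the second setq. The 160-byte ORIGINAL_FAS is transcribed from the post's first dump.

```python
"""Replace (setq syz_goto 959461169) in a FAS file with an unconditional jump
(opcode 57h) that lands just past (setq syz_loc1 959461170).

Added example, not the post's own code. Byte-level assumptions (inferred from
the post's two hex dumps, not from FAS documentation):
  * 33h introduces a 4-byte little-endian integer literal, so the markers
    appear as 33 31 37 30 39 and 33 32 37 30 39;
  * 57h takes a 4-byte little-endian offset counted from the byte after the
    operand (67 0D 00 00 00 at 0x48 reaches 0x5A; 57 09 00 00 00 at 0x55
    reaches 0x63);
  * the three bytes after each marker literal (06 07 00 / 06 02 00) finish
    the setq form; the first three are overwritten with 20h padding that the
    jump skips, and the jump lands right after the second setq.
"""
import struct

JUMP_OPCODE = 0x57       # unconditional jump, per the post (decimal 87)
PUSH_INT_OPCODE = 0x33   # 4-byte integer literal (inferred from the dump)
SETQ_LEN = 3             # bytes after the literal in each marker form (inferred)

GOTO_MARKER = bytes([PUSH_INT_OPCODE]) + struct.pack("<I", 959461169)  # 33 31 37 30 39
LOC_MARKER = bytes([PUSH_INT_OPCODE]) + struct.pack("<I", 959461170)   # 33 32 37 30 39

# The post's original tmp.fas (160 bytes), transcribed from its first dump.
ORIGINAL_FAS = bytes.fromhex(
    "0D0A 2046 4153 342D 4649 4C45 203B 2044"
    "6F20 6E6F 7420 6368 616E 6765 2069 7421"
    "0D0A 3131 310D 0A31 3220 2414 0000 0000"
    "090B 0035 010A 0003 0609 0003 0900 3335"
    "0E00 0035 0208 0003 670D 0000 0033 3137"
    "3039 0607 0057 0900 0000 0906 0035 0105"
    "0003 0A35 0005 0003 1614 0000 0000 0904"
    "0035 0105 0003 0A35 0003 0003 0A33 3237"
    "3039 0602 0009 0100 3501 0500 030A 3500"
    "0500 030A 3500 0500 0316 240D 0A32 3830"
)


def find_unique(data: bytes, marker: bytes) -> int:
    """Offset of a marker that must occur exactly once; ValueError otherwise."""
    pos = data.find(marker)
    if pos < 0:
        raise ValueError(f"marker {marker.hex()} not found")
    if data.find(marker, pos + 1) >= 0:
        raise ValueError(f"marker {marker.hex()} is not unique")
    return pos


def patch_goto(data: bytes) -> bytes:
    """Return a copy of data with the syz_goto form rewritten as a jump."""
    src = find_unique(data, GOTO_MARKER)
    dst = find_unique(data, LOC_MARKER)
    target = dst + len(LOC_MARKER) + SETQ_LEN   # first byte after (setq syz_loc1 ...)
    jump_end = src + 1 + 4                       # byte after the jump's 4-byte operand
    offset = target - jump_end
    if offset < 0:
        raise ValueError("syz_loc1 must come after syz_goto (forward jump only)")
    jump = bytes([JUMP_OPCODE]) + struct.pack("<I", offset)
    padding = b"\x20" * SETQ_LEN                 # replaces 06 07 00; never executed
    out = bytearray(data)
    out[src:src + len(jump) + SETQ_LEN] = jump + padding
    return bytes(out)


def jump_target(data: bytes, pos: int) -> int:
    """Decode a 57h jump at pos and return the offset it lands on."""
    if data[pos] != JUMP_OPCODE:
        raise ValueError(f"no jump opcode at {pos:#x}")
    (offset,) = struct.unpack_from("<I", data, pos + 1)
    return pos + 5 + offset


def hexdump(data: bytes) -> str:
    """Render bytes WinHex-style: offset, 16 hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08X}  {hexpart:<47}  {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    patched = patch_goto(ORIGINAL_FAS)
    src = find_unique(ORIGINAL_FAS, GOTO_MARKER)
    print(f"jump at {src:#x} lands at {jump_target(patched, src):#x}")
    print(hexdump(patched))
```

Run stand-alone it reports the jump at 0x4D landing at 0x85 and prints a dump identical to the post's modified tmp.fas. Applying it to a file whose markers are missing or duplicated raises instead of patching the wrong bytes, which is the check worth having before overwriting a compiled program.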