Teamspeak 3 Server > 3.1.0 reversing thread

tagKnife

Oct 2, 2015
I'll get the ball rolling since I'm not happy i cant connect to my cracked soo any more.

Anyway, so far I have found that this function
Code:
010F3B71 | 8BEC                     | mov ebp,esp                         
010F3B73 | 6A FF                    | push FFFFFFFF                       
010F3B75 | 68 8CCB4201              | push ts3server.142CB8C              
010F3B7A | 64:A1 00000000           | mov eax,dword ptr fs:[0]            
010F3B80 | 50                       | push eax                            
010F3B81 | 83EC 24                  | sub esp,24                          
010F3B84 | 53                       | push ebx                            
010F3B85 | 56                       | push esi                            
010F3B86 | 57                       | push edi                            
010F3B87 | A1 78E05101              | mov eax,dword ptr ds:[151E078]      
010F3B8C | 33C5                     | xor eax,ebp                         
010F3B8E | 50                       | push eax                            
010F3B8F | 8D45 F4                  | lea eax,dword ptr ss:[ebp-C]        
010F3B92 | 64:A3 00000000           | mov dword ptr fs:[0],eax            
010F3B98 | 8965 F0                  | mov dword ptr ss:[ebp-10],esp       
010F3B9B | 8955 DC                  | mov dword ptr ss:[ebp-24],edx       
010F3B9E | 8BD9                     | mov ebx,ecx                         
010F3BA0 | 895D E4                  | mov dword ptr ss:[ebp-1C],ebx       
010F3BA3 | 8B03                     | mov eax,dword ptr ds:[ebx]          
010F3BA5 | 33FF                     | xor edi,edi                         
010F3BA7 | 8B52 10                  | mov edx,dword ptr ds:[edx+10]       
010F3BAA | 897D E0                  | mov dword ptr ss:[ebp-20],edi       
010F3BAD | 8955 E8                  | mov dword ptr ss:[ebp-18],edx       
010F3BB0 | 8B48 04                  | mov ecx,dword ptr ds:[eax+4]        
010F3BB3 | 8B4419 24                | mov eax,dword ptr ds:[ecx+ebx+24]   
010F3BB7 | 8B7419 20                | mov esi,dword ptr ds:[ecx+ebx+20]   
010F3BBB | 85C0                     | test eax,eax                        
010F3BBD | 7C 14                    | jl ts3server.10F3BD3                
010F3BBF | 7F 04                    | jg ts3server.10F3BC5                
010F3BC1 | 85F6                     | test esi,esi                        
010F3BC3 | 74 0E                    | je ts3server.10F3BD3                
010F3BC5 | 8945 D4                  | mov dword ptr ss:[ebp-2C],eax       
010F3BC8 | 3BF2                     | cmp esi,edx                         
010F3BCA | 76 07                    | jbe ts3server.10F3BD3               
010F3BCC | 8945 D4                  | mov dword ptr ss:[ebp-2C],eax       
010F3BCF | 2BF2                     | sub esi,edx                         
010F3BD1 | EB 02                    | jmp ts3server.10F3BD5               
010F3BD3 | 33F6                     | xor esi,esi                         
010F3BD5 | 8B4C19 38                | mov ecx,dword ptr ds:[ecx+ebx+38]   
010F3BD9 | 895D D0                  | mov dword ptr ss:[ebp-30],ebx       
010F3BDC | 85C9                     | test ecx,ecx                        
010F3BDE | 74 05                    | je ts3server.10F3BE5                
010F3BE0 | 8B01                     | mov eax,dword ptr ds:[ecx]          
010F3BE2 | FF50 04                  | call dword ptr ds:[eax+4]           
010F3BE5 | C745 FC 00000000         | mov dword ptr ss:[ebp-4],0          
010F3BEC | 8B03                     | mov eax,dword ptr ds:[ebx]          
010F3BEE | 8B40 04                  | mov eax,dword ptr ds:[eax+4]        
010F3BF1 | 837C18 0C 00             | cmp dword ptr ds:[eax+ebx+C],0      
010F3BF6 | 75 11                    | jne ts3server.10F3C09               
010F3BF8 | 8B4C18 3C                | mov ecx,dword ptr ds:[eax+ebx+3C]   
010F3BFC | 85C9                     | test ecx,ecx                        
010F3BFE | 74 09                    | je ts3server.10F3C09                
010F3C00 | 3BCB                     | cmp ecx,ebx                         
010F3C02 | 74 05                    | je ts3server.10F3C09                
010F3C04 | E8 E70D0000              | call ts3server.10F49F0              
010F3C09 | 8B03                     | mov eax,dword ptr ds:[ebx]          
010F3C0B | 8B48 04                  | mov ecx,dword ptr ds:[eax+4]        
010F3C0E | 837C19 0C 00             | cmp dword ptr ds:[ecx+ebx+C],0      
010F3C13 | 0F94C0                   | sete al                             
010F3C16 | 8845 D4                  | mov byte ptr ss:[ebp-2C],al         
010F3C19 | C745 FC 01000000         | mov dword ptr ss:[ebp-4],1          
010F3C20 | 84C0                     | test al,al                          
010F3C22 | 75 0A                    | jne ts3server.10F3C2E               
010F3C24 | BF 04000000              | mov edi,4                           
010F3C29 | E9 3E010000              | jmp ts3server.10F3D6C               
010F3C2E | C645 FC 02               | mov byte ptr ss:[ebp-4],2           
010F3C32 | 8B4419 14                | mov eax,dword ptr ds:[ecx+ebx+14]   
010F3C36 | 25 C0010000              | and eax,1C0                         
010F3C3B | 83F8 40                  | cmp eax,40                          
010F3C3E | 74 5C                    | je ts3server.10F3C9C                
010F3C40 | 85F6                     | test esi,esi                        
010F3C42 | 74 54                    | je ts3server.10F3C98                
010F3C44 | 8B03                     | mov eax,dword ptr ds:[ebx]          
010F3C46 | 8B40 04                  | mov eax,dword ptr ds:[eax+4]        
010F3C49 | 8A4C18 40                | mov cl,byte ptr ds:[eax+ebx+40]     
010F3C4D | 884D EF                  | mov byte ptr ss:[ebp-11],cl         
010F3C50 | 8B4C18 38                | mov ecx,dword ptr ds:[eax+ebx+38]   
010F3C54 | 8B41 20                  | mov eax,dword ptr ds:[ecx+20]       
010F3C57 | 8338 00                  | cmp dword ptr ds:[eax],0            
010F3C5A | 74 20                    | je ts3server.10F3C7C                
010F3C5C | 8B51 30                  | mov edx,dword ptr ds:[ecx+30]       
010F3C5F | 8B02                     | mov eax,dword ptr ds:[edx]          
010F3C61 | 85C0                     | test eax,eax                        
010F3C63 | 7E 17                    | jle ts3server.10F3C7C               
010F3C65 | 48                       | dec eax                             
010F3C66 | 8902                     | mov dword ptr ds:[edx],eax          
010F3C68 | 8B49 20                  | mov ecx,dword ptr ds:[ecx+20]       
010F3C6B | 8B11                     | mov edx,dword ptr ds:[ecx]          
010F3C6D | 8D42 01                  | lea eax,dword ptr ds:[edx+1]        
010F3C70 | 8901                     | mov dword ptr ds:[ecx],eax          
010F3C72 | 8A45 EF                  | mov al,byte ptr ss:[ebp-11]         
010F3C75 | 8802                     | mov byte ptr ds:[edx],al            
010F3C77 | 0FB6C0                   | movzx eax,al                        
010F3C7A | EB 0A                    | jmp ts3server.10F3C86               
010F3C7C | 0FB645 EF                | movzx eax,byte ptr ss:[ebp-11]      
010F3C80 | 8B11                     | mov edx,dword ptr ds:[ecx]          
010F3C82 | 50                       | push eax                            
010F3C83 | FF52 0C                  | call dword ptr ds:[edx+C]           
010F3C86 | 83F8 FF                  | cmp eax,FFFFFFFF                    
010F3C89 | 75 0A                    | jne ts3server.10F3C95               
010F3C8B | BF 04000000              | mov edi,4                           
010F3C90 | 897D E0                  | mov dword ptr ss:[ebp-20],edi       
010F3C93 | EB 2F                    | jmp ts3server.10F3CC4               
010F3C95 | 4E                       | dec esi                             
010F3C96 | EB A8                    | jmp ts3server.10F3C40               
010F3C98 | 85FF                     | test edi,edi                        
010F3C9A | 75 28                    | jne ts3server.10F3CC4               
010F3C9C | 8B4D DC                  | mov ecx,dword ptr ss:[ebp-24]       
010F3C9F | 8379 14 10               | cmp dword ptr ds:[ecx+14],10        
010F3CA3 | 72 02                    | jb ts3server.10F3CA7                
010F3CA5 | 8B09                     | mov ecx,dword ptr ds:[ecx]          
010F3CA7 | 8B03                     | mov eax,dword ptr ds:[ebx]          
010F3CA9 | 6A 00                    | push 0                              
010F3CAB | FF75 E8                  | push dword ptr ss:[ebp-18]          
010F3CAE | 8B40 04                  | mov eax,dword ptr ds:[eax+4]        
010F3CB1 | 51                       | push ecx                            
010F3CB2 | 8B4C18 38                | mov ecx,dword ptr ds:[eax+ebx+38]   
010F3CB6 | E8 850F0000              | call ts3server.10F4C40              
010F3CBB | 3B45 E8                  | cmp eax,dword ptr ss:[ebp-18]       
010F3CBE | 75 59                    | jne ts3server.10F3D19               
010F3CC0 | 85D2                     | test edx,edx                        
010F3CC2 | 75 55                    | jne ts3server.10F3D19               
010F3CC4 | 85F6                     | test esi,esi                        
010F3CC6 | 74 56                    | je ts3server.10F3D1E                
010F3CC8 | 8B03                     | mov eax,dword ptr ds:[ebx]          
010F3CCA | 8B40 04                  | mov eax,dword ptr ds:[eax+4]        
010F3CCD | 8B4C18 38                | mov ecx,dword ptr ds:[eax+ebx+38]   
010F3CD1 | 8A5418 40                | mov dl,byte ptr ds:[eax+ebx+40]     
010F3CD5 | 8855 EF                  | mov byte ptr ss:[ebp-11],dl         
010F3CD8 | 8B41 20                  | mov eax,dword ptr ds:[ecx+20]       
010F3CDB | 8338 00                  | cmp dword ptr ds:[eax],0            
010F3CDE | 74 23                    | je ts3server.10F3D03                
010F3CE0 | 8B41 30                  | mov eax,dword ptr ds:[ecx+30]       
010F3CE3 | 8B00                     | mov eax,dword ptr ds:[eax]          
010F3CE5 | 85C0                     | test eax,eax                        
010F3CE7 | 7E 1A                    | jle ts3server.10F3D03               
010F3CE9 | 8B51 30                  | mov edx,dword ptr ds:[ecx+30]       
010F3CEC | 48                       | dec eax                             
010F3CED | 8902                     | mov dword ptr ds:[edx],eax          
010F3CEF | 8B49 20                  | mov ecx,dword ptr ds:[ecx+20]       
010F3CF2 | 8B11                     | mov edx,dword ptr ds:[ecx]          
010F3CF4 | 8D42 01                  | lea eax,dword ptr ds:[edx+1]        
010F3CF7 | 8901                     | mov dword ptr ds:[ecx],eax          
010F3CF9 | 8A45 EF                  | mov al,byte ptr ss:[ebp-11]         
010F3CFC | 8802                     | mov byte ptr ds:[edx],al            
010F3CFE | 0FB6C0                   | movzx eax,al                        
010F3D01 | EB 09                    | jmp ts3server.10F3D0C               
010F3D03 | 0FB6C2                   | movzx eax,dl                        
010F3D06 | 8B11                     | mov edx,dword ptr ds:[ecx]          
010F3D08 | 50                       | push eax                            
010F3D09 | FF52 0C                  | call dword ptr ds:[edx+C]           
010F3D0C | 83F8 FF                  | cmp eax,FFFFFFFF                    
010F3D0F | 75 05                    | jne ts3server.10F3D16               
010F3D11 | 83CF 04                  | or edi,4                            
010F3D14 | EB 08                    | jmp ts3server.10F3D1E               
010F3D16 | 4E                       | dec esi                             
010F3D17 | EB AB                    | jmp ts3server.10F3CC4               
010F3D19 | BF 04000000              | mov edi,4                           
010F3D1E | 8B03                     | mov eax,dword ptr ds:[ebx]          
010F3D20 | 8B40 04                  | mov eax,dword ptr ds:[eax+4]        
010F3D23 | C74418 20 00000000       | mov dword ptr ds:[eax+ebx+20],0     
010F3D2B | C74418 24 00000000       | mov dword ptr ds:[eax+ebx+24],0     
010F3D33 | EB 30                    | jmp ts3server.10F3D65               
010F3D35 | 8B4D E4                  | mov ecx,dword ptr ss:[ebp-1C]       
010F3D38 | 8B01                     | mov eax,dword ptr ds:[ecx]          
010F3D3A | 8B50 04                  | mov edx,dword ptr ds:[eax+4]        
010F3D3D | 8B440A 0C                | mov eax,dword ptr ds:[edx+ecx+C]    
010F3D41 | 03D1                     | add edx,ecx                         
010F3D43 | 83C8 04                  | or eax,4                            
010F3D46 | 837A 38 00               | cmp dword ptr ds:[edx+38],0         
010F3D4A | 75 03                    | jne ts3server.10F3D4F               
010F3D4C | 83C8 04                  | or eax,4                            
010F3D4F | 6A 01                    | push 1                              
010F3D51 | 50                       | push eax                            
010F3D52 | 8BCA                     | mov ecx,edx                         
010F3D54 | E8 0791FFFF              | call ts3server.10ECE60              
010F3D59 | B8 5F3D0F01              | mov eax,ts3server.10F3D5F           
010F3D5E | C3                       | ret                                 
010F3D5F | 8B5D E4                  | mov ebx,dword ptr ss:[ebp-1C]       
010F3D62 | 8B7D E0                  | mov edi,dword ptr ss:[ebp-20]       
010F3D65 | C745 FC 01000000         | mov dword ptr ss:[ebp-4],1          
010F3D6C | 8B03                     | mov eax,dword ptr ds:[ebx]          
010F3D6E | 8B48 04                  | mov ecx,dword ptr ds:[eax+4]        
010F3D71 | 03CB                     | add ecx,ebx                         
010F3D73 | 85FF                     | test edi,edi                        
010F3D75 | 74 19                    | je ts3server.10F3D90                
010F3D77 | 8B51 0C                  | mov edx,dword ptr ds:[ecx+C]        
010F3D7A | 0BD7                     | or edx,edi                          
010F3D7C | 8BC2                     | mov eax,edx                         
010F3D7E | 83C8 04                  | or eax,4                            
010F3D81 | 8379 38 00               | cmp dword ptr ds:[ecx+38],0         
010F3D85 | 6A 00                    | push 0                              
010F3D87 | 0F45C2                   | cmovne eax,edx                      
010F3D8A | 50                       | push eax                            
010F3D8B | E8 D090FFFF              | call ts3server.10ECE60              
010F3D90 | C745 FC 04000000         | mov dword ptr ss:[ebp-4],4          
010F3D97 | E8 E4E32D00              | call ts3server.13D2180              
010F3D9C | 8B75 D0                  | mov esi,dword ptr ss:[ebp-30]       
010F3D9F | 84C0                     | test al,al                          
010F3DA1 | 75 07                    | jne ts3server.10F3DAA               
010F3DA3 | 8BCE                     | mov ecx,esi                         
010F3DA5 | E8 F60F0000              | call ts3server.10F4DA0              
010F3DAA | C645 FC 05               | mov byte ptr ss:[ebp-4],5           
010F3DAE | 8B06                     | mov eax,dword ptr ds:[esi]          
010F3DB0 | 8B40 04                  | mov eax,dword ptr ds:[eax+4]        
010F3DB3 | 8B4C30 38                | mov ecx,dword ptr ds:[eax+esi+38]   
010F3DB7 | 85C9                     | test ecx,ecx                        
010F3DB9 | 74 05                    | je ts3server.10F3DC0                
010F3DBB | 8B01                     | mov eax,dword ptr ds:[ecx]          
010F3DBD | FF50 08                  | call dword ptr ds:[eax+8]           
010F3DC0 | 8BC3                     | mov eax,ebx                         
010F3DC2 | 8B4D F4                  | mov ecx,dword ptr ss:[ebp-C]        
010F3DC5 | 64:890D 00000000         | mov dword ptr fs:[0],ecx            
010F3DCC | 59                       | pop ecx                             
010F3DCD | 5F                       | pop edi                             
010F3DCE | 5E                       | pop esi                             
010F3DCF | 5B                       | pop ebx                             
010F3DD0 | 8BE5                     | mov esp,ebp                         
010F3DD2 | 5D                       | pop ebp                             
010F3DD3 | C3                       | ret

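is responsible for logging output; place a breakpoint (BP) on ts3server.010F3B71. Judging from the listing alone, it looks like a generic C++ stream string-insertion routine rather than license-specific code: it runs two padding loops that count ESI down, checks a formatting mask (`and eax,1C0` / `cmp eax,40`), passes a buffer and length to a write call and compares the returned count with the requested length, and sets an error flag (`mov edi,4` / `or eax,4`) on failure. If that reading is right, it runs for every string the server writes to its log.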

In one of the loops, EAX gets a copy of the license values, but only a copy, so editing its values only changes what is in the log, not the server license info.
You need to backtrace it to find where these values are written, which is where you can edit them.
 