Exetools  

Old 10-06-2005, 10:14
Lunar_Dust
The "IAT" magic jump is after a VirtualProtect call. You'll know you are in the right spot if you BPX on VirtualProtect, and then take a look at the instruction that the code returns to after the call to VirtualProtect. If it's a PUSH 1, then you are right on top of the IAT redirection code and the magic jump is down below a little ways.

You can't put a BPX or any breakpoint anywhere near the magic jump since it's decrypted at runtime. BPX'ing on the API call is the only way to get there. Also, once you've patched the magic jump, put another BPX after the IAT redirection code, and when you hit that BPX, then repair your Import Table (since it will now be complete in memory). And then change the magic jump back to original instruction. It's optional, but if you don't change the instruction back then Arma goes to re-encrypt the IAT redirection code and it will crash since the code is different.

-Lunar