Exetools  

#3, 06-08-2004, 02:16
Perdition
Hi britedream, thank you for the reply

I'm kicking myself for being so close to the OEP. The reason I got 575DFF was because I thought all the 0's counted as stolen and so I had 1 extra byte to fill in. Because of this, these were the stolen bytes I was using:

PUSH EBP
MOV EBP,ESP
SUB ESP,10
PUSH EAX (needed to fill 1 byte and this looked like a stolen byte)
MOV EBX,AddressB.00575770 (because EAX was 0 and EBX contained the address)

Why is there one less stolen byte i.e. how do you know when not to fill in all the 0's?

Also, even with your stolen bytes I can't get the program to run. I fixed the dump according to R@dier's tut (and made sure Fix EP to OEP was unchecked) and also checked the EP with LordPE and it seems to be ok (175E00 = 575E00 - 400000). When I run the program it just does nothing, no error or anything. I think I'm close but I need a little more of your expert help.

btw I like your method for finding stolen bytes, it's a lot quicker than the NOP method!
All times are GMT +8.