Exetools


imagin 06-07-2005 03:13

Problem with old AsProt
 
Help with finding stolen bytes - ASProtect 1.23 RC4 - 1.3.08.24

Classical unpack - Olly Plugin - find last exception - BP on .code section - CTRL+F11..............
ALT+K - and put here - this is OK and normal

Code:

005FD993    0000            ADD    BYTE PTR DS:[EAX], AL -----------------------       
005FD995    0000            ADD    BYTE PTR DS:[EAX], AL
005FD997    0000            ADD    BYTE PTR DS:[EAX], AL
005FD999    0000            ADD    BYTE PTR DS:[EAX], AL
005FD99B    0000            ADD    BYTE PTR DS:[EAX], AL
005FD99D    0000            ADD    BYTE PTR DS:[EAX], AL-----------------------
005FD99F    E8 B8A2E0FF    CALL    xxxxxDig.00407C5C
005FD9A4    A1 70A56000    MOV    EAX, DWORD PTR DS:[60A570]
005FD9A9    8B00            MOV    EAX, DWORD PTR DS:[EAX]          ; xxxxxDig.00505A4D
005FD9AB    E8 E499E5FF    CALL    xxxxxDig.00457394
005FD9B0    A1 70A56000    MOV    EAX, DWORD PTR DS:[60A570]
005FD9B5    8B00            MOV    EAX, DWORD PTR DS:[EAX]          ; xxxxxDig.00505A4D
005FD9B7    BA 04DA5F00    MOV    EDX, xxxxxDig.005FDA04          ; ASCII "xxxxx Digger"
005FD9BC    E8 D795E5FF    CALL    xxxxxDig.00456F98

Yes now find the stolen bytes - Run Trace and find ESP=EBP - 12FFC0 - and this is my problem - :confused:

Code:

0101D8FE Main    JMP    SHORT 0101D903
0101D903 Main    PUSH    EBP                              ; ESP=0012FFBC
0101D904 Main    SUB    WORD PTR DS:[101D90E], 0F13C
0101D90D Main    JMP    SHORT 0101D911
0101D911 Main    POP    DWORD PTR SS:[ESP]                ; ESP=0012FFC0
0101D915 Main    MOV    EBP, ESP                          ; EBP=0012FFC0
0101D917 Main    SUB    ESP, 0C                          ; ESP=0012FFB4
0101D91D Main    SUB    WORD PTR DS:[101D927], 7B43      ; FL=CS
0101D926 Main    JMP    SHORT 0101D92A
0101D92A Main    JMP    SHORT 0101D92E
0101D92E Main    SUB    WORD PTR DS:[101D937], 3068
0101D937 Main    JMP    SHORT 0101D93C
0101D93C Main    LEA    ESP, DWORD PTR SS:[ESP-2D]        ; ESP=0012FF87
0101D940 Main    PREFIX REPNE:

Target in Delphi

I don't know exactly which it are - statement is some fake :( - advise st. to nobody which it are - line on target send to PM - thanks

arnix 06-07-2005 15:17

If the statement which you brought here is the correct one, then I think here are your stolen bytes:

55            PUSH EBP
8BEC          MOV EBP,ESP
83C4 F4       ADD ESP,-0C
B8 ????????   MOV EAX, ????????

The value of ???????? you can get when you are on the fake OEP (005FD99F), just look at your EAX register.
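
Added example, not part of the thread or either poster's code: a Python check that assembles the prologue from the reply with a given EAX value, works out where it lands relative to the fake OEP, and replays it to compare against the register values annotated in the run trace. The EAX value `0x11223344` is a constructed placeholder, the entry ESP `0x0012FFC4` is inferred from the trace (EBP=0012FFC0 plus one PUSH), and placing the bytes directly before 005FD99F is an assumption based on the zero-filled gap in the first listing.

```python
import struct

# Fixed part of the prologue quoted in the reply:
# 55 PUSH EBP / 8BEC MOV EBP,ESP / 83C4 F4 ADD ESP,-0C
PROLOGUE = bytes.fromhex("55 8BEC 83C4F4")


def stolen_bytes(eax_at_fake_oep: int) -> bytes:
    """Prologue followed by B8 imm32; the immediate is stored little-endian."""
    return PROLOGUE + b"\xB8" + struct.pack("<I", eax_at_fake_oep)


def patch_address(fake_oep: int, code: bytes) -> int:
    """Assumption: the stolen bytes sit immediately before the fake OEP."""
    return fake_oep - len(code)


def replay(code: bytes, esp: int, ebp: int = 0):
    """Interpret only the four opcodes used above; returns (esp, ebp, eax)."""
    i, eax = 0, None
    while i < len(code):
        if code[i] == 0x55:                      # PUSH EBP
            esp = (esp - 4) & 0xFFFFFFFF
            i += 1
        elif code[i:i + 2] == b"\x8B\xEC":       # MOV EBP,ESP
            ebp = esp
            i += 2
        elif code[i:i + 2] == b"\x83\xC4":       # ADD ESP,imm8 (sign-extended)
            imm8 = struct.unpack("b", code[i + 2:i + 3])[0]
            esp = (esp + imm8) & 0xFFFFFFFF
            i += 3
        elif code[i] == 0xB8:                    # MOV EAX,imm32
            eax = struct.unpack("<I", code[i + 1:i + 5])[0]
            i += 5
        else:
            raise ValueError(f"unexpected opcode {code[i]:02X} at offset {i}")
    return esp, ebp, eax


if __name__ == "__main__":
    FAKE_OEP = 0x005FD99F          # from the first listing in the thread
    EAX = 0x11223344               # constructed placeholder, read yours at the fake OEP
    code = stolen_bytes(EAX)
    print(code.hex(" ").upper(), "->", hex(patch_address(FAKE_OEP, code)))
    esp, ebp, eax = replay(code, esp=0x0012FFC4)
    print(f"ESP={esp:08X} EBP={ebp:08X} EAX={eax:08X}")
```

The replayed ESP and EBP should match the trace annotations at 0101D915 and 0101D917; if they do not, the candidate prologue is not the one the protector emulated.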

