Quote:
Originally posted by britedream
here is the oep and stolen bytes:
00459876 55 PUSH EBP
00459877 8BEC MOV EBP,ESP
00459879 6A FF PUSH -1
0045987B 68 F8944700 PUSH SpeedCom.004794F8
00459880 68 969B4500 PUSH SpeedCom.00459B96 ; JMP to MSVCRT._except_handler3
00459885 50 PUSH EAX
00459886 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0045988C 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
00459893 83EC 68 SUB ESP,68
00459896 53 PUSH EBX
00459897 56 PUSH ESI
00459898 57 PUSH EDI
00459899 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0045989C 33DB XOR EBX,EBX
0045989E 895D FC MOV DWORD PTR SS:[EBP-4],EBX
004598A1 6A 02 PUSH 2
|
seams odd i came up with
00459D2D 55 PUSH EBP
00459D2E 8BEC MOV EBP,ESP
00459D30 6A FF PUSH -1
00459D32 68 88474700 PUSH dumped_.00474788
00459D37 68 B69A4500 PUSH <JMP.&msvcrt._except_handler3> ; Entry address
00459D3C 50 PUSH EAX
00459D3D 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00459D43 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00459D4A 83EC 68 SUB ESP,68
00459D4D 53 PUSH EBX
00459D4E 56 PUSH ESI
00459D4F 57 PUSH EDI
00459D50 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00459D53 33DB XOR EBX,EBX
00459D55 895D FC MOV DWORD PTR SS:[EBP-4],EBX
00459D58 6A 02 PUSH 2
in the SpeedCommander.exe unless you were doing another
exe
as for the MxCmn50.dll the oep is 641521CB
to set a bp on that do a he 641B1001 then do your
normal tracing etc for aspr programs, after about the 25th
memory access violation ctrl-g to goto the oep set a bp
and your set
iat for SpeedCommander