It's me again
Quote:
|
Now, there are 2 problems left with your exe. One you will notice immediately once you remove the .data section and try to run the app. The problem you will see is much the same as the problem when you try to get into the program's Options (though the way I fixed those two problems is very dissimilar).
|
I'm sorry, but the first problem has to stay unfixed for some time. I've got no tool at hand (ehhh... except my hands and brain, and both are as fast as a dead cat
) to relocate the resources in the .data section, so for the moment, I'll leave those resources where they are.
Nevertheless I've managed to make the "Options" menu available.
First I've tried to follow britedreams suggestions, but either his ideas were way beyond my head or Win XP behaves different than Win 2K.; so I had to do it on my own.
I've loaded the dumped app into Olly and let it run. As soon as I try to access the "Options" in the "Tools" menu, Olly pops up with an access violation at 57891e.
The code around looks like this:
0057890C /$ PUSH EBP
0057890D |. MOV EBP,ESP
0057890F |. PUSH ECX
00578910 |. PUSH EBX
00578911 |. MOV EAX,DWORD PTR DS:[40781E] ;<&kernel32.GetModuleHandleA>
00578917 |. MOV EBX,DWORD PTR DS:[EAX]
00578919 |. PUSH DWORD PTR DS:[EBX]
0057891B |. MOV DWORD PTR SS:[EBP-4],EBX
0057891E |. POP DWORD PTR DS:[EBX]
00578920 |. MOV EAX,DWORD PTR SS:[EBP-4]
00578923 |. POP EBX
00578924 |. POP ECX
00578925 |. POP EBP
00578926 \. RETN
So I've put a breakpoint on 578911 and single-stepped through the code. At 57891E, the code doesn't make any sense to me... Changing data in kernel32.dll wouldn't work, so I've changed
0057891E |. POP DWORD PTR DS:[EBX]
to
0057891E |. POP DWORD PTR DS:[EAX]
and everything's okay.
Next I'll have to code that small app I've mentioned, just to see if I can get rid of that problem at startup you've talked about
Regards
Wurstgote