The stolen bytes for ACProtect prior to 1.20 are easy to find: trace after the int3, and when you stop at the code section, look in the trace for ebp==esp. You will find the stolen bytes and the address of your OEP shown in the trace as the eax value. But 1.20 and up is different.