You are lucky, in Windows 98 I get this:
004079E8 - FF25 40B35900 JMP DWORD PTR DS:[59B340]
004079EE 8BC0 MOV EAX,EAX
004079F0 - FF25 3CB35900 JMP DWORD PTR DS:[59B33C]
004079F6 8BC0 MOV EAX,EAX
004079F8 E8 03866301 CALL 01A40000
004079FD 90 NOP
004079FE 8BC0 MOV EAX,EAX
00407A00 E8 FB856301 CALL 01A40000
The last two are going to the ASProtect section.
Looking for stolen bytes... I found two places that could be the beginning of the stolen bytes:
01A2025A 55 PUSH EBP
01A2025B E9 6D0C0000 JMP 01A20ECD
01A20260 50 PUSH EAX
01A20261 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
01A20264 E9 23030000 JMP 01A2058C
01A20269 8D45 04 LEA EAX,DWORD PTR SS:[EBP+4]
01A2026C E9 2B030000 JMP 01A2059C
01A20271 68 1F19A201 PUSH 1A2191F
01A20276 E8 85FD1200 CALL 01B50000
or
01A2165D 53 PUSH EBX
01A2165E 2BDD SUB EBX,EBP
01A21660 EB 02 JMP SHORT 01A21664
01A21662 CD20 8D5C26E4 VxDCall E4265C8D
01A21668 26:EB 02 JMP SHORT 01A2166D
01A2166B CD20 8D5C207D VxDCall 7D205C8D
01A21671 26:EB 02 JMP SHORT 01A21676
Need to investigate more.
I'm tired now, so the easy way is to dump the ASProtect section and create a new section in the program for it, then fix the virtual address to be the same one that ASProtect used.
Good night.
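An added example, not part of the post above: a small Python scan over the bytes of the listing at 004079E8 that picks out the two redirection patterns the post shows, `FF 25 disp32` (JMP DWORD PTR through a pointer slot) and `E8 rel32` (CALL into the protector's section), and resolves the CALL targets so you can see which ones leave the original image. The sample bytes are constructed from the post's listing; the section range 01A00000-01B00000 is an assumption standing in for the ASProtect section.

```python
import struct

# Constructed sample: the 29 bytes of the post's listing at 004079E8
# (two JMP DWORD PTR [imm32] thunks, MOV EAX,EAX fillers, one NOP, two CALLs).
SAMPLE_BASE = 0x004079E8
SAMPLE_CODE = bytes.fromhex(
    "FF2540B35900" "8BC0" "FF253CB35900" "8BC0"
    "E803866301" "90" "8BC0" "E8FB856301"
)

def scan_redirections(code: bytes, base: int):
    """Heuristic linear scan (not a real disassembler) for:
      FF 25 disp32 -> JMP DWORD PTR [disp32]   (indirect jump via pointer slot)
      E8 rel32     -> CALL target              (direct call, target = next_ip + rel32)
    Returns a list of (address, mnemonic, target). Bytes that match neither
    pattern are skipped one at a time, so data that happens to contain FF 25
    or E8 can produce false hits; treat results as leads, not proof."""
    hits = []
    i = 0
    while i < len(code):
        va = base + i
        if code[i] == 0xFF and i + 6 <= len(code) and code[i + 1] == 0x25:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            hits.append((va, "JMP DWORD PTR", slot))
            i += 6
        elif code[i] == 0xE8 and i + 5 <= len(code):
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = (va + 5 + rel) & 0xFFFFFFFF   # 32-bit wraparound
            hits.append((va, "CALL", target))
            i += 5
        else:
            i += 1
    return hits

def targets_in(hits, lo: int, hi: int):
    """Keep only hits whose target (or pointer slot) lies in [lo, hi),
    e.g. the range of the protector's section."""
    return [h for h in hits if lo <= h[2] < hi]

if __name__ == "__main__":
    # Assumed protector section range; adjust to the dumped section's VA.
    for va, mnem, tgt in targets_in(scan_redirections(SAMPLE_CODE, SAMPLE_BASE),
                                    0x01A00000, 0x01B00000):
        print(f"{va:08X} {mnem} -> {tgt:08X}")
```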