Thank you both for replying.
I saw at the fake OEP (004F9BA8 CALL Formik.00407320) (just where the stolen bytes end) that EAX == 004F9764
(and in the stack window: 0012FFC4 7C816D4F RETURN to kernel32.7C816D4F; at 7C816D4F, EAX is PUSH-ed onto the stack), but I was unsure if I have the right one.