#22
04-24-2011, 16:57
Newbie_Cracker
Quote:
Originally Posted by Deathway
Don't worry, that problem about the ImageBase and some relocation offset will be fixed in 2 weeks; unfortunately I'm on exams.

Thanks for your report
Is there any news?

Anyone who wants to fix the bytes overwritten by NOPs at the end of the UnVMed routine (in the case of DLLs with an altered ImageBase) should patch the following address:

Code:
10070412                  |.  83C0 10                  ADD EAX,10  -> 0D
It's because of disassembling the EB 10 as a long JMP. Also, the JNZ about that code can be patched to a JMP to skip the NOP filling. Because of the JMP at the end of the UnVMed code, nopping the junk bytes is optional.


Deathway, please add an additional check in the case of a long JMP to add only 0x0D NOPs (maybe your plugin cannot find the actual ImageBase properly).

Regards.
__________________
In memory of UnREal RCE...

Last edited by Newbie_Cracker; 04-24-2011 at 17:02.
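Added example, not code from this post or from Deathway's plugin: it shows why a routine tail rewritten with a long JMP (E9 rel32, 5 bytes) instead of a short JMP (EB rel8, 2 bytes) leaves 3 fewer junk bytes to NOP, i.e. 0x0D instead of 0x10. The slot length 0x12 and the addresses are constructed values chosen to reproduce the numbers in the post.

```python
# Constructed illustration of the NOP-count bug described above.
# Assumed layout: the original tail is a 2-byte short JMP followed by 0x10
# junk bytes, so the whole slot is 0x12 bytes. If the JMP is re-encoded as a
# 5-byte long JMP, only 0x12 - 5 = 0x0D bytes remain for the NOP fill.
import struct

NOP = 0x90


def encode_jmp(src: int, dst: int) -> bytes:
    """Encode a relative JMP from src to dst: short form (EB rel8) when the
    displacement fits in a signed byte, otherwise long form (E9 rel32)."""
    rel_short = dst - (src + 2)
    if -128 <= rel_short <= 127:
        return b"\xEB" + struct.pack("<b", rel_short)
    rel_long = dst - (src + 5)
    return b"\xE9" + struct.pack("<i", rel_long)


def decode_jmp_length(code: bytes) -> int:
    """Encoded length of the JMP at code[0]: EB rel8 is 2 bytes, E9 rel32 is 5."""
    if code[:1] == b"\xEB":
        return 2
    if code[:1] == b"\xE9":
        return 5
    raise ValueError("not a JMP rel8/rel32 at offset 0")


def nop_fill_count(jmp: bytes, slot_len: int) -> int:
    """Number of junk bytes after the JMP that may be NOPed without writing
    past the end of the slot (the check the post asks the plugin to add)."""
    remaining = slot_len - decode_jmp_length(jmp)
    if remaining < 0:
        raise ValueError("JMP does not fit in the slot")
    return remaining


def rewrite_tail(slot_len: int, src: int, dst: int) -> bytes:
    """Build the new tail: the JMP plus exactly enough NOPs to fill slot_len."""
    jmp = encode_jmp(src, dst)
    return jmp + bytes([NOP]) * nop_fill_count(jmp, slot_len)


SLOT_LEN = 0x12  # constructed: 2-byte short JMP + 0x10 junk bytes

if __name__ == "__main__":
    short_tail = rewrite_tail(SLOT_LEN, 0x10001000, 0x10001012)  # encodes as EB 10
    long_tail = rewrite_tail(SLOT_LEN, 0x10001000, 0x10002000)   # out of rel8 range
    print(short_tail.hex(), hex(nop_fill_count(short_tail, SLOT_LEN)))  # 0x10 NOPs
    print(long_tail.hex(), hex(nop_fill_count(long_tail, SLOT_LEN)))    # 0x0d NOPs
```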