  #4  
02-10-2004, 23:13
Satyric0n
 
Quote:
I've compared your tree with mine; there are a few differences
These are due to the fact that you're running Win2k then, I would guess; I'm running XP SP1. So maybe your IAT is wrong, maybe not, I have no way to verify.

Quote:
For why to dump when address 4072DC is reached I can only guess. Since the JMP there takes me back to ASPR code I could imagine that some of the code that the unpacked app needs for execution is manipulated by ASPR in some way, so if I dump later I dump this manipulated code. Am I on the right way?
Erm... No. But, I'll explain further after you get this dump working.

Quote:
In any case I did a second dump at 4072DC, fixed IAT and OEP and entered the stolen bytes.
To make sure I understand you, by "a second dump" do you mean you started again from scratch (using packed exe), or you redumped starting from your previous nonworking dump?

Quote:
I encounter an access violation: EBX should store some value but in fact it's zeroed.
At what address are you getting this access violation?

Regards,
Satyric0n

Last edited by Satyric0n; 02-10-2004 at 23:38.