  #6  
Old 03-24-2004, 10:36
Maltese
 
Alright,

I looked through the Tutorial from BriteDream regarding ASProtect and understanding stolen bytes and trying to apply it to DVDIdle Pro 3.39

I noticed right off the bat that 3.38 is different from 3.39. PEiD .7b reports the same protection for both versions.

After the CTRL+11 trace in Ollydbg, I can see that I need to fill 45 bytes (above the bp from trace). Confirmed by lownoise.

In my post above is a picture of VIEW->RUN TRACE (dvdi_olly3.jpg).

Every time I see stolen bytes (in RUN TRACE) tutorials, it seems that PUSH EBX is first. In this case it does not appear to be PUSH EBX, but MOV EBP,ESP.

I tried to continue figuring out the rest of the code to fill 45 bytes exactly; I ended up with 1 byte left at 00 which needs to be filled.

I did this starting at location: 41EFE6

0041EFE6 8BEC MOV EBP,ESP
0041EFE8 6A FF PUSH -1
0041EFEA 68 A05F4200 PUSH DVDIdleP.00425FA0
0041EFEF 68 40EF4100 PUSH DVDIdleP.0041EF40
0041EFF4 2BE2 SUB ESP,EDX
0041EFF6 890424 MOV DWORD PTR SS:[ESP],EAX
0041EFF9 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0041F000 83EC 68 SUB ESP,68
0041F003 2BE2 SUB ESP,EDX
0041F005 891C24 MOV DWORD PTR SS:[ESP],EBX
0041F008 2BE2 SUB ESP,EDX
0041F00A 893424 MOV DWORD PTR SS:[ESP],ESI
0041F00D 2BE2 SUB ESP,EDX
0041F00F 893C24 MOV DWORD PTR SS:[ESP],EDI
0041F012 00 <===


Basically I started with MOV EBP,ESP
omitted JMP, LEA, ADD, XOR

How do you determine where the stolen bytes end?

Any ideas lownoise? I wanted to try this on my own before the answer was provided.

Thanks for taking the time to help me!

-Malt
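As an added example (not part of Maltese's post, nor code from any tutorial it references): a small Python check that parses the OllyDbg-style listing quoted above, sums the instruction lengths, verifies that each address equals the previous address plus the previous instruction's length, and reports how many of the stated 45 bytes are still unaccounted for. The listing text and the 45-byte target are taken from the post; the parsing heuristic (opcode groups are the leading run of even-length hex tokens after the address) is my own assumption and is only meant for dumps in this format.

```python
import re

# Listing copied from the post above (OllyDbg style: address, opcode bytes,
# disassembly). The trailing "0041F012 00 <===" marker line is left out; its
# address is used below as the expected end of the reconstructed block.
LISTING = """\
0041EFE6 8BEC MOV EBP,ESP
0041EFE8 6A FF PUSH -1
0041EFEA 68 A05F4200 PUSH DVDIdleP.00425FA0
0041EFEF 68 40EF4100 PUSH DVDIdleP.0041EF40
0041EFF4 2BE2 SUB ESP,EDX
0041EFF6 890424 MOV DWORD PTR SS:[ESP],EAX
0041EFF9 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0041F000 83EC 68 SUB ESP,68
0041F003 2BE2 SUB ESP,EDX
0041F005 891C24 MOV DWORD PTR SS:[ESP],EBX
0041F008 2BE2 SUB ESP,EDX
0041F00A 893424 MOV DWORD PTR SS:[ESP],ESI
0041F00D 2BE2 SUB ESP,EDX
0041F00F 893C24 MOV DWORD PTR SS:[ESP],EDI
"""

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]+$")


def parse_line(line):
    """Return (address, byte_count, disassembly_text) for one listing line.

    Opcode tokens are the leading run of even-length hex groups after the
    address; a ':' (segment prefix such as 64:) is stripped before the test.
    Mnemonics such as ADD or DEC are three letters (odd length), so they are
    not mistaken for bytes. This heuristic is an assumption that fits
    OllyDbg-style dumps like the one in the post, not a general disassembler.
    """
    tokens = line.split()
    addr = int(tokens[0], 16)
    nbytes = 0
    i = 1
    while i < len(tokens):
        group = tokens[i].replace(":", "")
        if HEX_GROUP.match(group) and len(group) % 2 == 0:
            nbytes += len(group) // 2
            i += 1
        else:
            break
    return addr, nbytes, " ".join(tokens[i:])


def check_listing(text, expected_total):
    """Sum instruction lengths and check address continuity.

    Returns a dict with the byte total, how many bytes are still missing
    relative to expected_total, the address immediately after the last
    instruction, and a list of continuity errors (an address that does not
    follow directly from the previous instruction means a line was skipped
    or an opcode group was miscounted).
    """
    total = 0
    errors = []
    next_addr = None
    for line in text.strip().splitlines():
        addr, nbytes, _ = parse_line(line)
        if next_addr is not None and addr != next_addr:
            errors.append(f"gap at {addr:08X}: expected {next_addr:08X}")
        total += nbytes
        next_addr = addr + nbytes
    return {
        "total": total,
        "remaining": expected_total - total,
        "end": next_addr,
        "errors": errors,
    }


if __name__ == "__main__":
    result = check_listing(LISTING, 45)
    print(f"counted {result['total']} bytes, {result['remaining']} remaining, "
          f"next address {result['end']:08X}, errors: {result['errors'] or 'none'}")
```

Running this over the post's listing confirms the arithmetic Maltese did by hand: 44 bytes counted, 1 remaining, and the next address is exactly the 0041F012 marked with `<===`. The continuity check is the useful part for anyone verifying a reconstruction of this kind: if an address does not follow from the previous one, a line was dropped or a byte group was miscounted, which is a more common cause of an off-by-one than a genuinely missing instruction.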