Exetools  

#26, 07-02-2004, 22:56
Crk
my previous method to dump this app. was wrong ... i think my brain is a little toasted from using so much info. hehehehe...

for anyone who still wants to dump this app. just use the attached patch on the original Tweak-xp.exe file ... note that i used this for the full version exe file ... don't know if the DEMO is the same or has the same RVA locations ... this will write an infinite loop (EBFE) to 0040137A (first API) because where the OEP should be there are 909090 bytes .. these bytes are not used or read by the program in any way ... SVKP simulates these stolen bytes used for the OEP then it will directly jump/go to 0040137A .. this is the first API call after OEP for VB applications ... then open LordPE .. look for the PID process ... hit Correct Imagesize, as in the attached/included screenshot ... now you're ready to make a nice full decrypted/working dump without using any debugger ... remember to write back at 0040137A the bytes FF25 then fix IAT