Shift+F9 till here:

```
00C40061  C700 AF8DA71B    MOV DWORD PTR DS:[EAX],1BA78DAF
00C40067  41               INC ECX
00C40068  67:64:8F06 0000  POP DWORD PTR FS:[0]
00C4006E  EB 02            JMP SHORT 00C40072
00C40070  CD 20            INT 20
00C40072  83C4 04          ADD ESP,4
00C40075  034424 38        ADD EAX,DWORD PTR SS:[ESP+38]
00C40079  B8 26C84900      MOV EAX,49C826
00C4007E  58               POP EAX
00C4007F  8D45 D0          LEA EAX,DWORD PTR SS:[EBP-30]
00C40082  E8 3917FFFF      CALL 00C317C0
00C40087  8B55 D0          MOV EDX,DWORD PTR SS:[EBP-30]
00C4008A  A1 E477C400      MOV EAX,DWORD PTR DS:[C477E4]
00C4008F  E8 C435FEFF      CALL 00C23658
00C40094  51               PUSH ECX
00C40095  E8 2C000000      CALL 00C400C6
00C4009A  52               PUSH EDX
00C4009B  F3:              PREFIX REP:                 ; Superfluous prefix
00C4009C  EB 02            JMP SHORT 00C400A0
00C4009E  CD 20            INT 20
00C400A0  81D2 AD65B152    ADC EDX,52B165AD
00C400A6  64:EB 02         JMP SHORT 00C400AB          ; Superfluous prefix
```

Now I put a memory breakpoint on access, and Shift+F9 two times brings me here:

```
00C37F47  C603 E9          MOV BYTE PTR DS:[EBX],0E9
00C37F4A  8D53 01          LEA EDX,DWORD PTR DS:[EBX+1]
00C37F4D  8902             MOV DWORD PTR DS:[EDX],EAX
00C37F4F  8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]
00C37F52  8910             MOV DWORD PTR DS:[EAX],EDX
00C37F54  B8 05000000      MOV EAX,5
00C37F59  5B               POP EBX
00C37F5A  5D               POP EBP
00C37F5B  C2 0400          RETN 4
```

Now in the registers:

```
EAX 00A9D6D9
ECX 00EA05A2
EDX 00A9D6D9
EBX 00402EC4 SystemCl.00402EC4
ESP 0012FEA0
EBP 0012FEA4
ESI 15507F7E
EDI FFFFB4B0
EIP 00C37F47
```

I traced with F8 to see what happens, and it looks like this is the place where the program encrypts the OEP, and because the EBX value is changed, one of these addresses is the OEP... maybe I'm wrong... need to trace a little bit more.