#2
I would set a memory BP on SetEnvironmentVariableA and keep track of the variables that are set (the top two on the stack are the variable name and value). Unpack as normal.

Then I would start the dump and set a memory BP on GetEnvironmentVariableA, record which variable it requests, and patch to continue execution of the program for now. If the program doesn't break, try setting a memory BP on the variable's value in memory; it may be accessing it directly rather than using the API. Then I would use the .adata section as the place for the new EP and my patch. Your patch should look something like this:

Code:

    004DCDB0 > 68 E6CD4D00    PUSH Dumped.004DCDE6        ; ASCII "D-Jester"
    004DCDB5   68 F5CD4D00    PUSH Dumped.004DCDF5        ; ASCII "AltUserName"
    004DCDBA   E8 EA58347C    CALL kernel32.SetEnvironmentVariableA
    004DCDBF  ^E9 D6BFFCFF    JMP Dumped.004A8D9A         ; Jump to OEP

AltUserName is the only variable I have ever needed to set after removing Armadillo. Hope I helped.
__________________
Even as darkness envelops and consumes us, wrapping around our personal worlds like the hand that grips around our necks and suffocates us, we must realize that life really is beautiful and the shadows of despair will scurry away like the fleeting roaches before the light.
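As an added illustration (not from the post, Armadillo or OllyDbg), the following Python decoder checks the encodings in the patch listing above: it reads each 5-byte PUSH imm32 / CALL rel32 / JMP rel32 line, interprets the immediate as little-endian, and recomputes the pushed addresses and the CALL/JMP targets (rel32 is relative to the next instruction), confirming that the final JMP lands on the stated OEP. The listing text is copied from the post as sample input; the kernel32 address the CALL resolves to cannot be checked offline.

```python
import re

# Listing copied from the post above (OllyDbg style); used here as sample input.
PATCH_LISTING = """\
004DCDB0 > 68 E6CD4D00    PUSH Dumped.004DCDE6        ; ASCII "D-Jester"
004DCDB5   68 F5CD4D00    PUSH Dumped.004DCDF5        ; ASCII "AltUserName"
004DCDBA   E8 EA58347C    CALL kernel32.SetEnvironmentVariableA
004DCDBF  ^E9 D6BFFCFF    JMP Dumped.004A8D9A         ; Jump to OEP
"""

# addr, optional '>' (EP marker) or '^' (backward jump), opcode, imm32, mnemonic, operand
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+[>^]?\s*(?P<op>[0-9A-F]{2})\s+(?P<imm>[0-9A-F]{8})"
    r"\s+(?P<mnem>\w+)\s+(?P<operand>\S+)"
)

def decode_line(line):
    """Decode one 5-byte PUSH imm32 / CALL rel32 / JMP rel32 listing line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    addr, op = int(m["addr"], 16), int(m["op"], 16)
    # Bytes are printed in memory order, so the immediate is little-endian.
    imm = int.from_bytes(bytes.fromhex(m["imm"]), "little")
    if op == 0x68:                        # PUSH imm32: absolute value
        target = imm
    elif op in (0xE8, 0xE9):              # CALL/JMP rel32: next_ip + signed disp
        disp = imm - (1 << 32) if imm & 0x80000000 else imm
        target = (addr + 5 + disp) & 0xFFFFFFFF
    else:
        raise ValueError(f"unsupported opcode {op:02X} at {addr:08X}")
    shown = re.search(r"([0-9A-F]{8})$", m["operand"])
    return {
        "addr": addr, "mnemonic": m["mnem"], "target": target, "next": addr + 5,
        # None when the operand is a symbol (kernel32.*) we cannot check offline
        "matches_listing": (int(shown[1], 16) == target) if shown else None,
    }

def verify_patch(listing):
    """Decode every line and check the stub is one contiguous run of instructions."""
    insns = [d for d in map(decode_line, listing.splitlines()) if d]
    contiguous = all(a["next"] == b["addr"] for a, b in zip(insns, insns[1:]))
    return insns, contiguous

if __name__ == "__main__":
    insns, ok = verify_patch(PATCH_LISTING)
    for d in insns:
        print(f"{d['addr']:08X} {d['mnemonic']:<4} -> {d['target']:08X} ok={d['matches_listing']}")
    print("contiguous:", ok)
```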