|
|
#1
01-03-2004, 18:49
|
||||
|
||||
|
Problem with fixing IAT
Icon Catcher v4.0.12
This program is protected with ASProtect 1.23 RC4 - 1.3.08.24. I found OEP at 406D1C (it's true?) and I wanted fix IT with ImpREC. But I can't find all imports.  Can somebody help me? Link: hxxp://wxw.helexis.com/ic/iconcatc.zip Here is my incomplete tree: 
|
|
#2
01-03-2004, 20:41
|
||||
|
||||
|
your OEP isn't correct.
OEP: 4BDF70 stolen bytes: push ebp mov ebp,esp sub esp,0c mov eax,4BDB98 IAT:
|
|
#3
01-03-2004, 20:48
|
||||
|
||||
|
write @Adress 4BFB40 in binary: 180F4B00 and it should be registered
and rename the dump to "IconCatcher.exe" or it won't work correctly Last edited by MaRKuS-DJM; 01-03-2004 at 20:51.
|
|
#4
01-04-2004, 03:18
|
||||
|
||||
|
wow! your possibilities are perfect
 thanks from CZ...how you found OEP ??? I traced it with OlyDBG TC EIP<500000 but it stopped at 406D1C 
Last edited by K3nny; 01-04-2004 at 03:32.
|
|
#5
01-04-2004, 03:40
|
||||
|
||||
|
yes, that's right!!! i think it's that code:
00406D1C 50 PUSH EAX 00406D1D 6A 00 PUSH 0 00406D1F E8 F8FEFFFF CALL IconCatc.00406C1C 00406D24 BA 00F14B00 MOV EDX,IconCatc.004BF100 00406D29 52 PUSH EDX 00406D2A 8905 D8344C00 MOV DWORD PTR DS:[4C34D8],EAX 00406D30 8942 04 MOV DWORD PTR DS:[EDX+4],EAX 00406D33 C742 08 00000000 MOV DWORD PTR DS:[EDX+8],0 00406D3A C742 0C 00000000 MOV DWORD PTR DS:[EDX+C],0 00406D41 E8 8AFFFFFF CALL IconCatc.00406CD0 00406D46 5A POP EDX 00406D47 58 POP EAX 00406D48 E8 A7CCFFFF CALL IconCatc.004039F4 00406D4D C3 RETN after the ret, you are @temp-OEP! OEP = temp-OEP - stolen bytes
|
 |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Help to fixing API-Calls | Nukacola | General Discussion | 6 | 05-11-2005 16:49 |
| Import OS Fixing | MaRKuS-DJM | General Discussion | 31 | 07-16-2004 23:20 |
| Fixing an EXE to not call a DLL? | Barry | General Discussion | 11 | 06-03-2004 00:37 |
Linear Mode
