#1
Problem with fixing IAT
Icon Catcher v4.0.12
This program is protected with ASProtect 1.23 RC4 - 1.3.08.24. I found the OEP at 406D1C (is it true?) and I wanted to fix the IT with ImpREC. But I can't find all the imports. Can somebody help me?
Link: hxxp://wxw.helexis.com/ic/iconcatc.zip
Here is my incomplete tree:
#2
your OEP isn't correct.
OEP: 4BDF70
stolen bytes:
    push ebp
    mov ebp,esp
    sub esp,0c
    mov eax,4BDB98
IAT:
#3
write @address 4BFB40 in binary: 180F4B00 and it should be registered
and rename the dump to "IconCatcher.exe" or it won't work correctly
Last edited by MaRKuS-DJM; 01-03-2004 at 20:51.
#4
wow! your possibilities are perfect thanks from CZ...
how did you find the OEP??? I traced it with OllyDbg TC EIP<500000 but it stopped at 406D1C
Last edited by K3nny; 01-04-2004 at 03:32.
#5
yes, that's right!!! i think it's that code:
    00406D1C  50                    PUSH EAX
    00406D1D  6A 00                 PUSH 0
    00406D1F  E8 F8FEFFFF           CALL IconCatc.00406C1C
    00406D24  BA 00F14B00           MOV EDX,IconCatc.004BF100
    00406D29  52                    PUSH EDX
    00406D2A  8905 D8344C00         MOV DWORD PTR DS:[4C34D8],EAX
    00406D30  8942 04               MOV DWORD PTR DS:[EDX+4],EAX
    00406D33  C742 08 00000000      MOV DWORD PTR DS:[EDX+8],0
    00406D3A  C742 0C 00000000      MOV DWORD PTR DS:[EDX+C],0
    00406D41  E8 8AFFFFFF           CALL IconCatc.00406CD0
    00406D46  5A                    POP EDX
    00406D47  58                    POP EAX
    00406D48  E8 A7CCFFFF           CALL IconCatc.004039F4
    00406D4D  C3                    RETN
after the ret, you are @temp-OEP!
OEP = temp-OEP - stolen bytes
#6
ohhh...I must read some tutorials
__________________
k3dT