#31
Err... What exactly are you doing a trace for?
If you're trying to find the OEP, just set a memory (on execution) breakpoint on the app's code section and run. If you're trying to find the stolen bytes... Well, let's just say there are ways other than using a trace; I certainly don't ever trace in Olly...
Regards, Satyric0n
Last edited by Satyric0n; 03-12-2004 at 19:47.
#32
I mean doing the trace by either method: either the TC EIP<900000 at the command line first mentioned in LaBBa's tuts, or setting the memory (on execution) breakpoint on the app's code section and then pressing Ctrl+F11.
On some programs it just keeps hanging on the trace. Last night I left it for some considerable time on TweakRAM; it still showed "tracing" in the bottom right, but I'm sure it had hung.
#33
Hi Pompeyfan
I don't use this forum much, I prefer the RCE one. Hey, your work is good. I just managed to work out your thing about "Pompey rock, Saints suck". How about Pompey < 17, Saints > 17? OK - ha ha.
Long live Merredin - WA, State of Excitement
/hobferret
#35
Alright now, I want all you soccer fans to behave yourselves in the stands from now on. Way too many people are getting hurt just trying to enjoy a game. Sometimes they seem to need reminding that this is not WAR, it is a GAME. Unfortunately it is a lack of perspective that is evident in many sports, in many parts of the world, including my own.
Not quite as bad as those, of whatever persuasion, who seem to believe that the Deity sanctions their wanton slaughter of the innocent in the name of their personal views of religion, politics, or territorial imperative.
Regards,
__________________
JMI
#36
If we only win 1 more match this season, I hope it is March 21, home to Southampton. Actually, JMI, usually you have great insight, but on this point I differ. Just a game? Nah, Pompey vs Saints = WAR.
#38
Trace does work fine on the latest version of TweakRAM. Use my script asprbp to be on the right address for the trace, set a BP on memory access, then Ctrl+F11. That is all.
Last edited by britedream; 03-13-2004 at 20:51.
#39
Now if it worked fine on my PC, I wouldn't waste my time posting saying the trace hung, would I? Glad to hear it works for you.
#40
Regards, Satyric0n
#41
Dear Pompeyfan!
My post above is to inform you that nothing is wrong with the trace method, so you should look into your problem in the setup, as Satyric0n indicated, or in the starting point of the trace, rather than reading the post as if I didn't believe you, which is sadly discouraging to members who want to help you.
Last edited by britedream; 03-14-2004 at 11:36.
#42
britedream,
I need to find the stolen bytes, can you point them out to me? I'm lost as to how many bytes were stolen, and here's what I've done ...

006342AA  6300              ARPL DWORD PTR DS:[EAX],EAX
006342AC  0000              ADD BYTE PTR DS:[EAX],AL
006342AE  0000              ADD BYTE PTR DS:[EAX],AL
006342B0  0000              ADD BYTE PTR DS:[EAX],AL
006342B2  0000              ADD BYTE PTR DS:[EAX],AL
006342B4  0000              ADD BYTE PTR DS:[EAX],AL
006342B6  0000              ADD BYTE PTR DS:[EAX],AL
006342B8  0000              ADD BYTE PTR DS:[EAX],AL
006342BA  0000              ADD BYTE PTR DS:[EAX],AL
006342BC  0000              ADD BYTE PTR DS:[EAX],AL
006342BE  0000              ADD BYTE PTR DS:[EAX],AL
006342C0  E8 1B38DDFF       CALL PIGUI.00407AE0
006342C5  33C0              XOR EAX,EAX
006342C7  55                PUSH EBP
006342C8  68 78476300       PUSH PIGUI.00634778
006342CD  64:FF30           PUSH DWORD PTR FS:[EAX]
006342D0  64:8920           MOV DWORD PTR FS:[EAX],ESP
006342D3  8D55 E8           LEA EDX,DWORD PTR SS:[EBP-18]

00C8C2BC  F2:               PREFIX REPNE:                    ; Superfluous prefix
00C8C2BD  EB 01             JMP SHORT 00C8C2C0
00C8C2BF  9A F2EB019A EB02  CALL FAR 02EB:9A01EBF2           ; Far call
00C8C2C6  CD 20             INT 20
00C8C2C8  FF7424 1E         PUSH DWORD PTR SS:[ESP+1E]
00C8C2CC  6A 74             PUSH 74
00C8C2CE  895C24 04         MOV DWORD PTR SS:[ESP+4],EBX
00C8C2D2  F2:               PREFIX REPNE:                    ; Superfluous prefix
00C8C2D3  EB 01             JMP SHORT 00C8C2D6
00C8C2D5  F3:               PREFIX REP:                      ; Superfluous prefix
00C8C2D6  83EC FC           SUB ESP,-4
00C8C2D9  F3:               PREFIX REP:                      ; Superfluous prefix
00C8C2DA  EB 02             JMP SHORT 00C8C2DE
00C8C2DC  CD 20             INT 20
00C8C2DE  C1D3 9B           RCL EBX,9B                       ; Shift constant out of range 1..31
00C8C2E1  2E:EB 02          JMP SHORT 00C8C2E6               ; Superfluous prefix
00C8C2E4  CD 20             INT 20
00C8C2E6  81EB 45478C09     SUB EBX,98C4745
00C8C2EC  3E:EB 02          JMP SHORT 00C8C2F1               ; Superfluous prefix
00C8C2EF  CD 20             INT 20
00C8C2F1  81F3 553D2134     XOR EBX,34213D55
00C8C2F7  EB 01             JMP SHORT 00C8C2FA
00C8C2F9  0F26              ???                              ; Unknown command
00C8C2FB  EB 02             JMP SHORT 00C8C2FF
00C8C2FD  CD 20             INT 20
00C8C2FF  6A F9             PUSH -7
00C8C301  2E:EB 02          JMP SHORT 00C8C306               ; Superfluous prefix
00C8C304  CD 20             INT 20
00C8C306  C74424 00 EDC2C8> MOV DWORD PTR SS:[ESP],0C8C2ED
00C8C30E  5B                POP EBX
00C8C30F  FF53 2C           CALL DWORD PTR DS:[EBX+2C]
00C8C312  F0:69C7 E8C7F29A  LOCK IMUL EAX,EDI,9AF2C7E8       ; LOCK prefix is not allowed
00C8C319  1F                POP DS                           ; Modification of segment register
00C8C31A  C3                RETN
00C8C31B  C8 009AC7         ENTER 9A00,0C7
00C8C31F  5B                POP EBX
00C8C320  EB 01             JMP SHORT 00C8C323
00C8C322  F3:               PREFIX REP:                      ; Superfluous prefix
00C8C323  F2:               PREFIX REPNE:                    ; Superfluous prefix
00C8C324  EB 01             JMP SHORT 00C8C327
00C8C326  698D 99767F8C 09> IMUL ECX,DWORD PTR SS:[EBP+8C7F7699],1EB>
00C8C330  F0:EB 01          LOCK JMP SHORT 00C8C334          ; LOCK prefix is not allowed
00C8C333  -0F8D 1C858250    JGE 514B4855
00C8C339  2BBD 36EB02CD     SUB EDI,DWORD PTR SS:[EBP+CD02EB36]
00C8C33F  2083 F3945B26     AND BYTE PTR DS:[EBX+265B94F3],AL
00C8C345  EB 02             JMP SHORT 00C8C349
00C8C347  CD 20             INT 20
00C8C349  F3:               PREFIX REP:                      ; Superfluous prefix
00C8C34A  EB 02             JMP SHORT 00C8C34E
00C8C34C  CD 20             INT 20
00C8C34E  55                PUSH EBP
00C8C34F  FF7424 1E         PUSH DWORD PTR SS:[ESP+1E]
00C8C353  896C24 04         MOV DWORD PTR SS:[ESP+4],EBP
00C8C357  F2:               PREFIX REPNE:                    ; Superfluous prefix
00C8C358  EB 01             JMP SHORT 00C8C35B
00C8C35A  -E9 8D642404      JMP 04ED27EC
00C8C35F  8BEC              MOV EBP,ESP
00C8C361  33C9              XOR ECX,ECX
00C8C363  26:EB 02          JMP SHORT 00C8C368               ; Superfluous prefix
00C8C366  CD 20             INT 20
00C8C368  F3:               PREFIX REP:                      ; Superfluous prefix
00C8C369  EB 02             JMP SHORT 00C8C36D
00C8C36B  CD 20             INT 20
00C8C36D  55                PUSH EBP
00C8C36E  FF7424 1E         PUSH DWORD PTR SS:[ESP+1E]
00C8C372  894C24 04         MOV DWORD PTR SS:[ESP+4],ECX
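The listing above shows why this code is hard to read in OllyDbg: the protector interleaves the instructions that really run with orphan REP/REPNE and segment prefixes and with JMP SHORTs that hop over INT 20 filler, and because 00C8C2BD jumps into the middle of what Olly has already decoded as a CALL FAR, the linear disassembly is desynchronised from the real flow. The following Python is an added example, not code from anyone in this thread: it parses an Olly-style listing (assuming the address, bytes and instruction columns are separated by at least two spaces, as in the excerpt embedded below), follows the executed path byte by byte and keeps only the instructions that actually run, flagging any target that lands inside a listed instruction.

```python
import re

LISTING = """\
00C8C2BC  F2:               PREFIX REPNE:            ; Superfluous prefix
00C8C2BD  EB 01             JMP SHORT 00C8C2C0
00C8C2BF  9A F2EB019A EB02  CALL FAR 02EB:9A01EBF2   ; Far call
00C8C2C6  CD 20             INT 20
00C8C2C8  FF7424 1E         PUSH DWORD PTR SS:[ESP+1E]
00C8C2CC  6A 74             PUSH 74
00C8C2CE  895C24 04         MOV DWORD PTR SS:[ESP+4],EBX
00C8C2D2  F2:               PREFIX REPNE:            ; Superfluous prefix
00C8C2D3  EB 01             JMP SHORT 00C8C2D6
00C8C2D5  F3:               PREFIX REP:              ; Superfluous prefix
00C8C2D6  83EC FC           SUB ESP,-4
"""  # excerpt of the listing posted above, hand-aligned into columns
LINE = re.compile(r"^([0-9A-F]{8})\s+(\S.*?)\s{2,}(\S.*?)(?:\s*;.*)?$")
PREFIXES = {0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0xF0, 0xF2, 0xF3}

def parse(listing):
    """Return ({addr: instruction text}, {addr: byte}) for an OllyDbg listing."""
    instrs, mem = {}, {}
    for m in filter(None, map(LINE.match, listing.splitlines())):
        addr, raw, text = int(m.group(1), 16), m.group(2), m.group(3)
        instrs[addr] = text
        # Olly marks prefixes with ':', backward jumps with '-', truncation with '>'
        for i, b in enumerate(bytes.fromhex(re.sub(r"[ :>-]", "", raw))):
            mem[addr + i] = b
    return instrs, mem

def recover(listing, start, limit=64):
    """Emit only the instructions that execute from `start`: step over orphan
    prefixes, follow each JMP SHORT, flag targets inside a listed instruction."""
    instrs, mem = parse(listing)
    addr, out = start, []
    while addr in mem and len(out) < limit:
        p = addr
        while mem.get(p) in PREFIXES:
            p += 1
        if mem.get(p) == 0xEB:                     # JMP SHORT rel8: follow it
            addr = p + 2 + ((mem[p + 1] ^ 0x80) - 0x80)
        elif addr in instrs and instrs[addr].startswith("PREFIX"):
            addr = p                               # bare prefix line: skip it
        elif addr in instrs:
            out.append((addr, instrs[addr]))
            addr = min((a for a in instrs if a > addr), default=-1)
        else:
            out.append((addr, "?? mid-instruction target: re-disassemble here"))
            break
    return out
```

Running `recover(LISTING, 0x00C8C2BC)` yields only PUSH [ESP+1E], PUSH 74, MOV [ESP+4],EBX and SUB ESP,-4; the CALL FAR and INT 20 that Olly shows are never executed.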
#43
Please PM me with the link to the target.
#44
I wish you would shed light on it ... and a minor tutorial, if that's not too much to ask ... thanks
#45
Thank you very much, it is very interesting stolen bytes, I learned something new. I have seen patterns for start-up codes over in the Woodmann forum, and it says that this case is a special case and that it fills only part of the space provided for the stolen bytes, but I found out this isn't special, and found all the bytes that fit in the space provided nicely. Once I finish writing my explanation to you I will send it.
Regards.
Last edited by britedream; 03-15-2004 at 02:44.