Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Still need help with Asprotect (https://forum.exetools.com/showthread.php?t=3599)

britedream 03-22-2004 02:49

00410454 $ C3 RETN <-------- This is the byte I changed from 55 to C3.
00410455 . 8BEC MOV EBP,ESP
00410457 . 51 PUSH ECX
00410458 . 53 PUSH EBX
00410459 . 8B05 0E564000 MOV EAX,DWORD PTR DS:[40560E] ; <&kernel32.GetModuleHandleA>
0041045F . 8B18 MOV EBX,DWORD PTR DS:[EAX]
00410461 . FF33 PUSH DWORD PTR DS:[EBX]
00410463 . 895D FC MOV DWORD PTR SS:[EBP-4],EBX
00410466 . 8F03 POP DWORD PTR DS:[EBX] ; 0012FFB4
00410468 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0041046B . 5B POP EBX ; 0012FFB4
0041046C . 59 POP ECX ; 0012FFB4
0041046D . 5D POP EBP ; 0012FFB4
0041046E . C3 RETN

Please look at the comment at first line.

Pompeyfan 03-22-2004 02:55

Okay Satyric0n, when I make the changes you suggest, I not only get the file corrupted message, but it comes up several times after I press OK on it. I can't think what I might have done wrong in the dumping process though, I thought I had done that bit just fine, so I guess I am screwed.
I have read your tut, but I will re-read it, but my code looks vastly different to what TweakRAM did, as illustrated in my last post, this isn't just a case of changing 4 conditional jumps to jumps.

britedream 03-22-2004 03:01

TO Satyricon:

This code snippet is exactly the same as the one you insisted on nopping the call to, in our last disagreement, and there is no difference between nopping the call or changing the first byte to "retn" in this snippet.

Pompeyfan 03-22-2004 03:03

Quote:

Please look at the comment at first line.
Yes, I understood that before, that is what I tried, thanks anyway, it must be something I did wrong in the dumping, does this look right to you:

00418E78 > $ 55 PUSH EBP
00418E79 . 8BEC MOV EBP,ESP
00418E7B . 83C4 F0 ADD ESP,-10
00418E7E . B8 808D4100 MOV EAX,RegDefra.00418D80
00418E83 . E8 58C5FEFF CALL RegDefra.004053E0
00418E88 . E8 BBFDFFFF CALL RegDefra.00418C48
00418E8D . E8 CEACFEFF CALL RegDefra.00403B60

If that does, what else could be wrong, I'm sure my import table looked the same as yours you posted earlier?

Satyric0n 03-22-2004 03:13

Quote:

Originally Posted by britedream
TO Satyricon:

This code snippet is exactly the same as the one you insisted on nopping the call to, in our last disagreement, and there is no difference between nopping the call or changing the first byte to "retn" in this snippet.

I agree that there is no difference between those two things, but I don't think I have ever said to NOP the CALL to this procedure. My solution to this procedure has always been to NOP the PUSH and POP in the middle of the procedure. The procedure I was saying to NOP the CALL to in our previous discussion was the procedure that raised the 0EEDFADE exception.

Either way, I have only been saying what I do to get the dump working; if what I do is not relevant or is incorrect, or there is simply a better solution, then just ignore me. :D ;)

Regards,
Satyric0n

britedream 03-22-2004 03:55

this is the snippet:
Quote:

Originally Posted by Wurstgote
It's me again

0057890C /$ PUSH EBP
0057890D |. MOV EBP,ESP
0057890F |. PUSH ECX
00578910 |. PUSH EBX
00578911 |. MOV EAX,DWORD PTR DS:[40781E] ;<&kernel32.GetModuleHandleA>
00578917 |. MOV EBX,DWORD PTR DS:[EAX]
00578919 |. PUSH DWORD PTR DS:[EBX]
0057891B |. MOV DWORD PTR SS:[EBP-4],EBX
0057891E |. POP DWORD PTR DS:[EBX]
00578920 |. MOV EAX,DWORD PTR SS:[EBP-4]
00578923 |. POP EBX
00578924 |. POP ECX
00578925 |. POP EBP
00578926 \. RETN

Regards
Wurstgote

please forgive my memory, this was your solution.

Quote:

Originally Posted by Satyric0n

Hmm. This is not acceptable.. This would move whatever data was [EBX] to [EAX], overwriting whatever was there already (the value in EBX, at this point), which may be something critical (like an IAT entry). Standard procedure here is just to NOP the instructions at 578919 and 57891E.


I use Visual Studio, but a small app like ResHack or something should do the trick, too. That's a fairly small download, I think. Any resource editor should work; there are many out there, and most are free.

Regards,

Satyric0n

Now by nopping the 578919 and 57891E, you rendered the snippet useless.
pop ebx, pop ecx, pop ebp are restoring what is pushed at the beginning, EAX is XORed right after the return, so changing push ebp to return is equal in effect to your nopping,
and I see no difference between what I did and your nopping. :)

regards.

britedream 03-22-2004 04:18

Pompeyfan,

Did you do the test I told you, run the target outside Olly? The startup code looks OK
to me, but I don't have the same VA, so for the value to move to EAX I will not be able to say if it is the right one or not. BTW, are you running Windows XP?
Can you send me your dump? I will check it for you.
Regards.

Pompeyfan 03-22-2004 04:53

Yes, I did try running in & out of Olly, I'll email you my dumped file to check, thanks for that, very good of you. :)

Pompeyfan 03-22-2004 05:01

Hi, you can access it at hxxp://members.optusnet.com.au/~vincewmb/Aussiepompeyfan/RegDefrag.rar, I see I can't email you, so I uploaded it to my website.

Satyric0n 03-22-2004 05:10

Quote:

Originally Posted by britedream
pop ebx, pop ecx, pop ebp are restoring what is pushed at the beginning, EAX is XORed right after the return, so changing push ebp to return is equal in effect to your nopping,
and I see no difference between what I did and your nopping. :)

regards.

I admit that I never looked at the code CALLing 57890C in that example, so I was unaware that EAX was XORed immediately after the procedure returned. So, my assumption that the value in EAX was important was incorrect.

Also, upon rereading what you first posted here, when you said 'so change 55 "push ebp", to c3 " retn"', for some reason I thought you were referring to the instruction at 410419, not the one at 41040C. Hence my comments about corrupting the stack (which now turn out are entirely irrelevant)...

Sorry, my misunderstanding, my fault. :rolleyes: Maybe I should slow down when reading next time, so I don't get confused so easily and throw off the whole thread. :p

Regards,
Satyric0n

Pompeyfan 03-22-2004 05:24

Looks like my ISP doesn't like that file, you can get it from here, I've put it on the AR Cracking FTP, hxxp://www.grinders.withernsea.com/tools/RegDefrag.zip

britedream 03-22-2004 11:27

I just downloaded the dump, double clicked on it, and it starts the same way as mine: it gives a warning msg., then the registration reminder, and after clicking OK it ran.
I checked the version, both have the same one, "5.5283". I am running Windows XP.

britedream 03-22-2004 16:41

The only thing I can think of right now is that your target may be expired, so it is executing different code that produced the errors you have. It wasn't that either; I forced it to expire, but the registration reminder came up fine.

Pompeyfan 03-22-2004 19:47

Now don't that just take the cake, the fucking thing won't run on my system, but it will on yours. I guess the positive side to that is that I seem to be able to unpack these buggers okay now, but getting some of them to run on my system is another matter. I really wasn't expecting you to say it ran on your system at all, I thought there must be a problem with it, and I know from restoring the original that I still have 5 days of my trial period left. This bloody program's trial period isn't even reset with either Eva cleaner or Trial doctor either.
I just tried TweakRAM again, but even after altering the conditional jumps to jumps, as shown in Satyric0n's mini tut, I still get the file corrupted message on that program too, it is brought up from here:

00529FCA . 68 00100000 PUSH 1000 ; /Style = MB_OK|MB_SYSTEMMODAL
00529FCF . 68 08A15200 PUSH TweakRAM.0052A108 ; |Title = "TweakRAM"
00529FD4 . 68 14A15200 PUSH TweakRAM.0052A114 ; |Text = "File corrupted !"
00529FD9 . 6A 00 PUSH 0 ; |hOwner = NULL
00529FDB . E8 74DBEDFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA

A totally different location to those Satyric0n mentions, I think I must be cursed, it seems I have more instances of these file corrupted messages in my versions than you guys.

I seem to be able to do easier targets like Optimizer & System cleaner no problems, but these other two are frigging hard.

Satyric0n 03-22-2004 20:03

Are you sure you're dealing with v3.31.0.3404 of TweakRAM, and not a newer version?

britedream 03-22-2004 20:07

try the same method you used for regdefrag.

Pompeyfan 03-22-2004 20:11

Quote:

Are you sure you're dealing with v3.31.0.3404 of TweakRAM, and not a newer version?
Yep, absolutely positive, just checked it, I tell you I must be cursed :(

Pompeyfan 03-22-2004 20:12

Quote:

try the same method you used for regdefrag.
Righto, I'll give it a shot.

Pompeyfan 03-22-2004 20:20

Arggggggggggggghhhhhhhh, same bloody deal as Registry Defragmentation, still get the file corrupted message, I'm going to take a sledge hammer to this computer soon. :mad:
