Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Problem with fixing IAT (https://forum.exetools.com/showthread.php?t=3151)

K3nny 01-03-2004 18:49
Problem with fixing IAT
 
1 Attachment(s)
Icon Catcher v4.0.12
This program is protected with ASProtect 1.23 RC4 - 1.3.08.24.
I found OEP at 406D1C (it's true?) and I wanted fix IT with ImpREC. But I can't find all imports. :(

Can somebody help me?

Link: hxxp://wxw.helexis.com/ic/iconcatc.zip

Here is my incomplete tree:

MaRKuS-DJM 01-03-2004 20:41
your OEP isn't correct.
OEP: 4BDF70

stolen bytes:
push ebp
mov ebp,esp
sub esp,0c
mov eax,4BDB98

IAT:

MaRKuS-DJM 01-03-2004 20:48
write @Adress 4BFB40 in binary: 180F4B00 and it should be registered

and rename the dump to "IconCatcher.exe" or it won't work correctly

K3nny 01-04-2004 03:18
wow! your possibilities are perfect :) thanks from CZ...

how you found OEP ??? I traced it with OlyDBG TC EIP<500000 but it stopped at 406D1C :confused:

MaRKuS-DJM 01-04-2004 03:40
yes, that's right!!! i think it's that code:

00406D1C 50 PUSH EAX
00406D1D 6A 00 PUSH 0
00406D1F E8 F8FEFFFF CALL IconCatc.00406C1C
00406D24 BA 00F14B00 MOV EDX,IconCatc.004BF100
00406D29 52 PUSH EDX
00406D2A 8905 D8344C00 MOV DWORD PTR DS:[4C34D8],EAX
00406D30 8942 04 MOV DWORD PTR DS:[EDX+4],EAX
00406D33 C742 08 00000000 MOV DWORD PTR DS:[EDX+8],0
00406D3A C742 0C 00000000 MOV DWORD PTR DS:[EDX+C],0
00406D41 E8 8AFFFFFF CALL IconCatc.00406CD0
00406D46 5A POP EDX
00406D47 58 POP EAX
00406D48 E8 A7CCFFFF CALL IconCatc.004039F4
00406D4D C3 RETN

after the ret, you are @temp-OEP!
OEP = temp-OEP - stolen bytes

K3nny 01-04-2004 19:26
ohhh...I must read some tutorials :)


All times are GMT +8. The time now is 09:17.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX