#11, 08-25-2003, 04:54
britedream
To T0xic!
I apologize for not responding sooner, I didn't see your PM till today. I don't follow the Labba tut in unpacking, so I will not be able to help on questions regarding that, but for my remarks you referred to, clarification as follows:

1- After setting the breakpoint as I mentioned, you will land in the program code. Whether you see addresses in the stack window or not depends on aspr. If you see two addresses, double click on the second one; if you see only one, do the same; if you see none, then you are in the right place. All the zeroes above where you are are for the stolen bytes.

2- From the above you will have: a- the right place to dump, b- the number of stolen bytes, c- the OEP position, d- if eax or ebx has a valid address in the program's code range, then your stolen bytes almost always have mov eax, [value in eax or ebx] as the last instruction.

3- In my remarks I mentioned the place where the stolen bytes should be placed, not the place where to find them. For that do the following: instead of pressing shift+f9 as noted in my remarks, press ctrl+f11. You will be in the same place as above, and you will also see in the trace window mov ecx=[# bytes to be erased]. Restart, set the condition to be ecx=# of bytes you saw, trace from where you traced before; it will stop just before erasing the stolen bytes. Go up to the jump above; it will take you to the place where you should be looking for them.

Last edited by britedream; 08-25-2003 at 06:46.
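The zero-filled slot above the landing point and the place where the stolen bytes go, as an added example that is not part of britedream's post: it counts the zeroes directly above the offset where the debugger landed in a constructed dump, writes hypothetical recovered bytes into that slot right above the landing offset, and reports the resulting OEP offset. The dump and the stolen bytes are constructed sample data, not output from any real protector.

```python
# Added example, not code from the post. Works on a raw dump of the code
# section: `landing` is the offset the debugger stopped at, and the run of
# 0x00 bytes directly above it is the slot the protector cleared for the
# stolen bytes. All sample data below is constructed.

def zero_run_above(dump: bytes, landing: int) -> int:
    """Count consecutive 0x00 bytes immediately above `landing`."""
    n = 0
    while landing - n - 1 >= 0 and dump[landing - n - 1] == 0:
        n += 1
    return n


def restore_stolen_bytes(dump: bytes, landing: int, stolen: bytes) -> tuple[bytes, int]:
    """Place `stolen` directly above `landing`; return (patched dump, new OEP offset).

    Raises ValueError when the cleared slot cannot hold the bytes, which is the
    usual sign that the landing offset or the stolen-byte count was misread.
    """
    slot = zero_run_above(dump, landing)
    if len(stolen) > slot:
        raise ValueError(f"slot holds {slot} zero bytes, need {len(stolen)}")
    new_oep = landing - len(stolen)           # stolen code runs straight into the landing point
    patched = bytearray(dump)
    patched[new_oep:landing] = stolen
    return bytes(patched), new_oep


# Constructed dump: two int3 pad bytes, an 8-byte zeroed slot, then the code
# the debugger landed in (mov ebp,esp; push -1).
DUMP = b"\xcc\xcc" + b"\x00" * 8 + b"\x8b\xec\x6a\xff"
LANDING = 10
# Constructed "recovered" bytes: push ebp; mov eax,[eax] (the post's typical
# last stolen instruction).
STOLEN = b"\x55\x8b\x00"

if __name__ == "__main__":
    patched, oep = restore_stolen_bytes(DUMP, LANDING, STOLEN)
    print(f"zero slot above landing: {zero_run_above(DUMP, LANDING)} bytes")
    print(f"new OEP offset: {oep:#x}")
    print(patched.hex())
```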