To svensk:
I did unpack dap, here is the info:
OEP and IAT are given earlier, but the stolen bytes are:
004C7B2A > $ 55 PUSH EBP
004C7B2B . 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
004C7B32 . 83EC 68 SUB ESP,68
004C7B35 . 64:FF35 00000000 PUSH DWORD PTR FS:[0]
004C7B3C . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004C7B3F . 33DB XOR EBX,EBX
mov dword ptr ss:[ebp-4],ebx ; [missed]
004C7B41 . FF15 70204E00 CALL NEAR DWORD PTR DS:[<&msvcrt.__set_app_type>] ; msvcrt.__set_app_type
pop ecx ; [missed]
004C7B47 . 830D 703D5300 FF OR DWORD PTR DS:[533D70],FFFFFFFF
004C7B4E . 830D 743D5300 FF OR DWORD PTR DS:[533D74],FFFFFFFF
004C7B55 . FF15 6C204E00 CALL NEAR DWORD PTR DS:[<&msvcrt.__p__fmode>] ; msvcrt.__p__fmode
004C7B5B . 8B0D 3C3A5300 MOV ECX,DWORD PTR DS:[533A3C]
004C7B61 . 8908 MOV DWORD PTR DS:[EAX],ECX
004C7B63 . FF15 34204E00 CALL NEAR DWORD PTR DS:[<&msvcrt.__p__commode>] ; msvcrt.__p__commode
004C7B69 . 8B0D 383A5300 MOV ECX,DWORD PTR DS:[533A38]
004C7B6F . 8908 MOV DWORD PTR DS:[EAX],ECX
004C7B71 . A1 3C204E00 MOV EAX,DWORD PTR DS:[<&msvcrt._adjust_fdiv>]
mov eax,dword ptr ds:[eax] ; [missed]
004C7B76 . A3 6C3D5300 MOV DWORD PTR DS:[533D6C],EAX
At address 48bc63 = push 48bd65, retn
Copy section 00C00000 from the original file to the unpacked one
and svkp1.3 will be history.
britedream
Regards
Last edited by britedream; 12-07-2003 at 22:26.