britedream, 12-02-2003, 22:51
My pleasure, but your list is long, so I will try to be short.


1. Set a breakpoint on 00ab4fa4 and you will see the APIs stored in the IAT. The ones that don't show, trace, and they will be easily identified in the trace.

2. At address 48bc63 you will find pushad; replace it with push 48bd65 and incode retn to jump to 48bd65.

3. View memory when the original program is running and you will see 00C00000 imagebase with size 16000.

4. When you stop on the stack breakpoint, look at eax. If you see an address that is within the code section, that will be your OEP; if not, then that is the address where you should be looking for the stolen bytes.

Regards.
britedream

Last edited by britedream; 12-02-2003 at 22:57.