Thanks again for your friendly help, and sorry to bother you again, but I'm trying hard to get things straight.
1 PUSH EBP
2 MOV EBP,ESP
3 PUSH ECX
4 PUSH EBX
5 MOV EAX,DWORD PTR DS:[40781E] ;<&kernel32.getModuleHandleA>
6 MOV EBX,DWORD PTR DS:[EAX]
7 PUSH DWORD PTR DS:[EBX]
8 MOV DWORD PTR SS:[EBP-4],EBX
9 POP DWORD PTR DS:[EBX]
10 MOV EAX,DWORD PTR SS:[EBP-4]
11 POP EBX
12 POP ECX
13 POP EBP
14 RETN
If I got it right, this subroutine accomplishes two tasks.
Its main purpose is to load EAX and ECX with the address of kernel32.GetModuleHandleA. In the case of the original app, EAX doesn't get the real address of GetModuleHandleA, but instead the wrapper provided by ASPR. This is done by lines 5, 6, 8 and 10. Line 8 overwrites ECX's stack value, so the POP in line 12 gives ECX the same value as EAX. The second purpose is to test if the app is still running with the ASPR code. This is done by lines 7 and 9. It's simply a test of whether the GetModuleHandleA code is writable, which is true for the original app (since line 9 writes to ASPR code), but false for the dumped exe, therefore the access violation.
Is that correct so far?
Quote:
I suppose laziness is what prompted me to solve this by NOPping those instructions (since that seems to fix the problem acceptably), instead of following through and finding out what I was supposed to do...
Here I'm in trouble again... What's wrong with this approach? Since it only erases the write test and leaves everything else alone, it should be quite OK... I suppose.
Could you please elaborate on this?
Regards
Wurstgote
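The write test discussed in the post (lines 7 and 9 of the listing: PUSH DWORD PTR [EBX] followed by POP DWORD PTR [EBX], i.e. read a dword from the API's entry point and store the same value back) can be reproduced outside the debugger. The program below is an added example and not code from the post or from ASProtect; it models the probe on Linux/POSIX, where mmap/mprotect page protections stand in for Windows section protections and SIGSEGV stands in for the access violation. The value placed at the fake "entry point" (FAKE_CODE_DWORD) is constructed and not real kernel32 bytes. packed_case() maps the fake entry in a writable page, as the post says the ASPR wrapper is, and shows the probe succeeds without changing the contents; dumped_case() makes the page read-only, like the code section of a dumped exe, and shows the write-back faults.

```c
#define _DEFAULT_SOURCE 1
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Constructed stand-in for the first dword of an API's code (not real bytes). */
#define FAKE_CODE_DWORD 0x8B55FF8Bu

static sigjmp_buf probe_env;

static void access_violation(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);        /* unwind back into probe_writable() */
}

/* Writability probe modelled on lines 7 and 9 of the listing:
 *   PUSH DWORD PTR [EBX]   -> read the dword at the function's entry
 *   POP  DWORD PTR [EBX]   -> write the same dword back
 * On a writable page the contents are unchanged; on a read-only page the
 * store faults (SIGSEGV on Linux, SIGBUS on some BSDs; an access violation
 * on Windows).  Returns 1 if the write-back succeeded, 0 if it faulted. */
static int probe_writable(uint32_t *target)
{
    struct sigaction sa, old_segv, old_bus;
    int ok;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = access_violation;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(probe_env, 1) == 0) {
        volatile uint32_t *p = target;   /* volatile: keep the "dead" store */
        uint32_t saved = *p;             /* PUSH DWORD PTR [EBX] */
        *p = saved;                      /* POP DWORD PTR [EBX]  */
        ok = 1;
    } else {
        ok = 0;                          /* arrived here via the fault handler */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return ok;
}

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Map one page holding FAKE_CODE_DWORD, then set its protection to `prot`.
 * Returns NULL on failure. */
static uint32_t *fake_code_page(int prot)
{
    void *m = mmap(NULL, page_size(), PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return NULL;
    *(uint32_t *)m = FAKE_CODE_DWORD;
    if (mprotect(m, page_size(), prot) != 0) {
        munmap(m, page_size());
        return NULL;
    }
    return (uint32_t *)m;
}

/* Packed case: the entry point lives in a writable page (the ASPR wrapper).
 * Expected 1, and the dword is left untouched by the probe. */
int packed_case(void)
{
    uint32_t *page = fake_code_page(PROT_READ | PROT_WRITE);
    if (!page) return -1;
    int r = probe_writable(page) && page[0] == FAKE_CODE_DWORD;
    munmap(page, page_size());
    return r;
}

/* Dumped case: the entry point lives in a non-writable page (the real
 * kernel32 code, or a dumped exe's code section).  Expected 0: the POP faults. */
int dumped_case(void)
{
    uint32_t *page = fake_code_page(PROT_READ);
    if (!page) return -1;
    int r = probe_writable(page);
    munmap(page, page_size());
    return r;
}

int main(void)
{
    printf("writable page:  %d (expect 1)\n", packed_case());
    printf("read-only page: %d (expect 0)\n", dumped_case());
    return 0;
}
```

The probe deliberately stores the value it just read, so a writable target is not modified; the only observable effect is whether the store raises a fault. That is why NOPping lines 7 and 9 leaves the data flow of the routine (EBX into EAX and ECX) unchanged and removes only the fault.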