|
write down the address you see the instruction below where you are moving to edx,nope the call ,f9,you will get an exception, hit "-" key to go back, undo changes, then go on to oep , once there,click on the dump pane , go to the address that you wrote , you should see the start of your iat=1b168. this is to explain to you my respond to popeyfan for the address 41b168 I posted. I hope I am clear on this .
note:
as for why to nope this : this call is the one messes up your iat.
regards.
Last edited by britedream; 03-09-2004 at 00:53.
|