this is the snippet:
Quote:
|
Originally Posted by Wurstgote
It's me again
0057890C /$ PUSH EBP
0057890D |. MOV EBP,ESP
0057890F |. PUSH ECX
00578910 |. PUSH EBX
00578911 |. MOV EAX,DWORD PTR DS:[40781E] ;<&kernel32.GetModuleHandleA>
00578917 |. MOV EBX,DWORD PTR DS:[EAX]
00578919 |. PUSH DWORD PTR DS:[EBX]
0057891B |. MOV DWORD PTR SS:[EBP-4],EBX
0057891E |. POP DWORD PTR DS:[EBX]
00578920 |. MOV EAX,DWORD PTR SS:[EBP-4]
00578923 |. POP EBX
00578924 |. POP ECX
00578925 |. POP EBP
00578926 \. RETN
Regards
Wurstgote
|
please forgive my memory, this was your solution.
Quote:
|
Originally Posted by Satyric0n
Hmm. This is not acceptable.. This would move whatever data was [EBX] to [EAX], overwriting whatever was there already (the value in EBX, at this point), which may be something critical (like an IAT entry). Standard procedure here is just to NOP the instructions at 578919 and 57891E.
I use Visual Studio, but a small app like ResHack or something should do the trick, too. That's a fairly small download, I think. Any resource editor should work; there are many out there, and most are free.
Regards,
Satyric0n
|
now by nopping the 578919 and 57891e, you rendered the snippet useless,
pop ebx,pop ecx, pop ebp, are restoring what is pushed at the beginning,eax is xored right after retun, so by changing push ebp, to return is equal in effect to your nopping.
and I see no differnce between what I did ,and your nopping.
regards.