Hi Jay:
You simply misunderstood my comment. I was previously speculating on the "code" in the last exception routine.
RecAllPro was the only target I had tried which had NO stolen bytes and the "code" in its last exception routine had a
"00A10053 FF65 EC JMP DWORD PTR SS:[EBP-14]",
whereas all the last exception routines I had seen or read about in tuts seemed to have:
"00B32D0B FF75 EC PUSH DWORD PTR SS:[EBP-14]".
Clearly VCD Cutter has NO stolen bytes. That was a given, because it was the reason ferrari referred me to check it out.
So the phrase you quoted simply means that the routine in VCD Cutter, which has NO stolen bytes, ends with the same code as does the last exception code of targets which DO have stolen bytes.
The "stolen bytes" themselves, if they have been stolen, are not in this part of the ASPR code and are found in the section of the code which is later erased by:
MOV EDI,Starting Address of Code to be erased
MOV ECX,Number of Bytes to erase
REP STOS BYTE PTR ES:[EDI]
and would be found in the target's original "packed" code, such as this sample, from a different target:
00D3782F 55 PUSH EBP <---STOLEN BYTES
00D37830 8BEC MOV EBP,ESP <---STOLEN BYTES
00D37832 81EC 10000000 SUB ESP,10 <---STOLEN BYTES
00D37838 F2: PREFIX REPNE:
00D37839 EB 02 JMP SHORT 00D3783D
00D3783B CD 20 INT 20
00D3783D F2: PREFIX REPNE:
00D3783E EB 01 JMP SHORT 00D37841
00D37840 9A 83EC1C83 C418 CALL FAR 18C4:831CEC83
00D37841 83EC 1C SUB ESP,1C
00D37844 83C4 18 ADD ESP,18
00D37847 26:EB 02 JMP SHORT 00D3784C
00D3784A CD 20 INT 20
00D3784C 53 PUSH EBX <---STOLEN BYTES
plus the usual final addition of a MOV EAX, OEP.
Hope I made it more clear this time.
Regards,
JMI
Last edited by JMI; 05-01-2004 at 04:08.
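As an added example (not from JMI's post or from any tool discussed in this thread), here is a small Python script that parses the sample listing quoted above, follows the short jumps instead of reading the bytes linearly, and separates the instructions that actually execute from the padding the jumps step over. The listing is reconstructed from the post; the "overlapping" check flags entries whose byte range swallows another listed address, which is how the bogus CALL FAR shows up.

```python
import re

# Listing constructed from the sample quoted in the post above (addresses, bytes, mnemonics as shown).
LISTING = """00D3782F 55 PUSH EBP
00D37830 8BEC MOV EBP,ESP
00D37832 81EC 10000000 SUB ESP,10
00D37838 F2: PREFIX REPNE:
00D37839 EB 02 JMP SHORT 00D3783D
00D3783B CD 20 INT 20
00D3783D F2: PREFIX REPNE:
00D3783E EB 01 JMP SHORT 00D37841
00D37840 9A 83EC1C83 C418 CALL FAR 18C4:831CEC83
00D37841 83EC 1C SUB ESP,1C
00D37844 83C4 18 ADD ESP,18
00D37847 26:EB 02 JMP SHORT 00D3784C
00D3784A CD 20 INT 20
00D3784C 53 PUSH EBX"""

# Opcode tokens are even runs of hex digits, optionally carrying a prefix colon ("F2:", "26:EB");
# mnemonics made only of hex letters ("ADD") are odd in length, so they are not swallowed.
OPCODE = re.compile(r"^(?:[0-9A-F]{2}:)?(?:[0-9A-F]{2})*:?$")
JMP_SHORT = re.compile(r"^JMP SHORT ([0-9A-F]{8})$")

def parse_listing(text):
    """Map each listed address to (instruction size in bytes, mnemonic text)."""
    insns = {}
    for line in text.splitlines():
        addr, *tokens = line.split()
        size = 0
        while tokens and OPCODE.match(tokens[0]):
            size += len(tokens.pop(0).replace(":", "")) // 2
        insns[int(addr, 16)] = (size, " ".join(tokens))
    return insns

def deobfuscate(insns, start):
    """Follow the short jumps from `start`; return (real instructions executed, junk never reached)."""
    executed, pc = [], start
    while pc in insns and pc not in executed:
        executed.append(pc)
        size, text = insns[pc]
        m = JMP_SHORT.match(text)
        pc = int(m.group(1), 16) if m else pc + size  # take the jump, else fall through
    real = [insns[a][1] for a in executed if not insns[a][1].startswith(("PREFIX", "JMP SHORT"))]
    junk = [insns[a][1] for a in sorted(insns) if a not in executed]
    return real, junk

def overlapping(insns):
    """Entries whose byte range contains another listed address, i.e. padding decoded as an instruction."""
    return sorted(a for a, (size, _) in insns.items() if any(a < b < a + size for b in insns))
```

Calling `deobfuscate(parse_listing(LISTING), 0x00D3782F)` yields the prologue under the obfuscation (PUSH EBP, MOV EBP,ESP, SUB ESP,10, SUB ESP,1C, ADD ESP,18, PUSH EBX) and the three never-reached junk entries; `overlapping` reports the CALL FAR at 00D37840.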