nice bit of IDA work crusader
Quote:
|
Originally Posted by hobgoblin
Thanks for the reply. How to find the place in aspr code where the iat table is created/written to memory somehow eludes me. Usually I use a bp GetProcAddress to find it, but this time I don't. I do find a place where this api is called to find the addresses to an iat, but I'm not sure whether this is the correct one.
Well, well. I have to dig deeper I guess.
regards,
hobgoblin |
well let the app load into memory and find one the of call [xxxxxxxx] that points to the aspr memory, take a note of the address of the call opcode and add 2 to it so u have address of the offset, load your target into ollydebug and set the data window to the address u found, set olly to stop on exceptions and let the target run, keep an eye on the data window as u pass
each exception, u will see the data change once as aprs decodes / unpacks
and then the data will change once more as the code crusader pasted does it stuff, u can count the number of exceptions from the 1st change to the second change, stop on the last one before the data changes again, look below and should be very close to the code crusader pasted.
also its possible to set a bpm from within sice on the data address
to stop when its written to. (not %100)
- Darren