07-02-2004, 15:42
mtw
Yes, DLLFunctionCall is the function that will be missing from the IAT on a dump with ImpREC. Also, it checks for special.dll, which is also emulated by the wrapper; it has 1 function exported, SVKP_KillDebugger, so if it doesn't find this it makes an error and exits. The last one to get into the code is the call to CryptVerifySignature. If you see that file in the main directory, "tweak-xp3.val", this is a prehashed value from MS crypto that checks your dumped file, so make a DLL with SVKP_KillDebugger exported; when it loads and calls this, just patch the call to CryptVerifySignature to return 1. Now you can run the app and look for the reg procedure. Also, OEP 401364: "push 401A68", "Call ThunRTMain".

Last edited by mtw; 07-02-2004 at 15:49.