09-04-2004, 09:20
bunion
Hi Markus, thanks for patience

I tried HE CREATE THREAD but same thing, I land same place as before...

Maybe it's because it's one of those arma apps that u need to enter serial first to get to main window?..
I was reading a tut and it said something like you got to bypass that serial bit BEFORE u break on OEP coz you're still in arma code?... That tut's for copymem tho and this is just a single process..

I found an old dumper tool that acts like it's pausing it at OEP.. this is the info it gives me in command window >>

EntryPoint Found - 4A4389h
Name is KERNEL32.dll
Kernel dll found...
CreateProcess found at address 4BB034h
VirtualAlloc found at address 4BB170h
VirtualProtect found at address 4BB174h
Name is USER32.dll
Name is GDI32.dll
Original OEP bytes read
Infinite loop has been set
IsDebuggerPresent has been patched
Injecting process..
New Memory is at 950000h
Original OEP bytes restored

I dumped the app after this using LordPE from memory and ran ImpREC

I get 3 modules
??thunk bla >really kernel32
user32
gdi32

the thunk bla is really kernel32 with 1 invalid
I ran auto trace 1 on invalid and it gave me

1 000BB034 kernel32.dll 0049 CreateProcessA

which left me with the 2 suspects which r both

1 000BB138 kernel32.dll 00C6 FreeEnvironmentStringsA
1 000BB13C kernel32.dll 00C6 FreeEnvironmentStringsA

Leaving the 2 suspect functions in and fixing dump gives me an exe that pops up an error saying the program has been damaged to a bad sector on hard drive or virus please re-install it ??

ta

paul333