|
ok, I got a dump that works except for the encrypted resource file
Here is my resource file code:
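; Copy up to DUMP_SIZE bytes of c:\main.common.ovl into main.out using the
; C runtime stdio calls (32-bit x86, cdecl: arguments pushed right to left,
; caller removes them from the stack after each call).
;
; Register roles (ebx/esi/edi are saved on entry and restored on exit):
;   esi = FILE* of the stream currently open (input first, later output)
;   edi = heap buffer returned by malloc
;   ebx = number of bytes fread actually delivered
;
; Every fopen/malloc result is checked before it is used, and only the bytes
; that fread reported are written, so a short read cannot push uninitialised
; heap memory into main.out. The buffer is not released in this fragment.
; eax is 0 on every path; failures are not reported to the code that follows.

DUMP_SIZE       equ     85C001h                 ; buffer size / maximum bytes copied

                push    ebx
                push    esi
                push    edi

                push    offset aRb              ; "rb"
                push    offset aMain_common_ovl ; "c:\\main.common.ovl"
                call    fopen
                add     esp, 8
                mov     esi, eax                ; esi = input FILE*
                test    esi, esi
                jz      short dump_done         ; input could not be opened

                push    DUMP_SIZE
                call    malloc
                add     esp, 4
                mov     edi, eax                ; edi = buffer
                test    edi, edi
                jz      short dump_close        ; no buffer: close input and leave

                push    esi                     ; stream
                push    DUMP_SIZE               ; count
                push    1                       ; size = 1, so eax = bytes read
                push    edi                     ; buffer
                call    fread
                add     esp, 10h
                mov     ebx, eax                ; ebx = bytes actually read

                push    esi
                call    fclose                  ; input is no longer needed
                add     esp, 4

                test    ebx, ebx
                jz      short dump_done         ; nothing was read, nothing to write

                push    offset aWb              ; "wb"
                push    offset aMain_out        ; "main.out"
                call    fopen
                add     esp, 8
                mov     esi, eax                ; esi = output FILE*
                test    esi, esi
                jz      short dump_done         ; output could not be created

                push    esi                     ; stream
                push    ebx                     ; count = bytes read, not DUMP_SIZE
                push    1                       ; size
                push    edi                     ; buffer
                call    fwrite
                add     esp, 10h

dump_close:                                     ; esi = the one stream still open
                push    esi
                call    fclose
                add     esp, 4

dump_done:
                pop     edi
                pop     esi
                xor     eax, eax
                pop     ebx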
It reads and writes the file all right, but it doesn't actually decrypt it (i.e. what I see in memory and in the output file is the encrypted file).
Any suggestions? (I checked, and the code definitely goes through the "nop call" redirected APIs inside fopen, fread, fwrite and fclose.)
Would calling <redirected CreateFile>, <redirected ReadFile>, <redirected CloseHandle> and <redirected WriteFile> directly help? (I only used fopen etc. because they are there and easier to work with.)
|