Quote:
|
At 57891E, the code doesn't make any sense to me... Changing data in kernel32.dll wouldn't work
|
Exactly... Remember ASProtect's kernel32 emulation "protection"? This is one way it is used. ASPR's data is writable, so this wouldnt throw an exception if ASPR were still protecting the app. Kernel32, however, is not writable, so as soon as you remove it, lots of little exceptions like this pop up.
Again, standard procedure for ASPR, so once you know about it and what it's doing, it's easy to take care of.
Quote:
so I've changed
0057891E |. POP DWORD PTR DS:[EBX]
to
0057891E |. POP DWORD PTR DS:[EAX]
|
Hmm. This is not acceptable.. This would move whatever data was [EBX] to [EAX], overwriting whatever was there already (the value in EBX, at this point), which may be something critical (like an IAT entry). Standard procedure here is just to NOP the instructions at 578919 and 57891E.
Quote:
|
I've got no tool at hand to relocate the resources in the .data section, so for the moment, I'll leave those resources where they are.
|
I use Visual Studio, but a small app like ResHack or something should do the trick, too. That's a fairly small download, I think. Any resource editor should work; there are many out there, and most are free.
Regards,
Satyric0n
02-14-2004, 10:09
Similar Threads
Threaded Mode