#11
Thanks again for your friendly help and sorry to bother you again, but I'm trying hard to get things straight
```asm
1  PUSH EBP
2  MOV EBP,ESP
3  PUSH ECX
4  PUSH EBX
5  MOV EAX,DWORD PTR DS:[40781E]   ; <&kernel32.GetModuleHandleA>
6  MOV EBX,DWORD PTR DS:[EAX]
7  PUSH DWORD PTR DS:[EBX]
8  MOV DWORD PTR SS:[EBP-4],EBX
9  POP DWORD PTR DS:[EBX]
10 MOV EAX,DWORD PTR SS:[EBP-4]
11 POP EBX
12 POP ECX
13 POP EBP
14 RETN
```

If I got it right, this subroutine accomplishes two tasks. Its main purpose is to load EAX and ECX with the address of kernel32.GetModuleHandleA. In the case of the original app, EAX doesn't get the real address of GetModuleHandle, but instead the wrapper provided by ASPR. This is done by lines 5, 6, 8 and 10. Line 8 overwrites ECX's stack value, so the POP in line 12 gives ECX the same value as EAX. The second purpose is to test if the app is still running with the ASPR code. This is done by lines 7 and 9. It's simply a test if the GetModuleHandle code is writable, which is true for the original app (since line 9 writes to ASPR code), but false for the dumped exe - therefore the access violation. Is that correct so far?

Quote:

Could you please elaborate on this?

Regards
Wurstgote
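To see why line 9 only faults in the dumped exe, here is an added C example (not from the thread) that models the PUSH [EBX] / POP [EBX] write-back probe on Linux: the same dword is read and stored back to a page, which succeeds while the page is mapped read-write and raises SIGSEGV once the page has been downgraded to read-only, as a dumped code section is. The signal handler with sigsetjmp/siglongjmp stands in for the exception handler that catches the access violation on Windows; the pages are constructed with mmap and are not the addresses from the post.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf probe_env;                 /* return point for the fault handler */
static volatile sig_atomic_t probe_faulted;  /* set when the write-back trapped */

static void probe_handler(int sig) {
    (void)sig;
    probe_faulted = 1;
    siglongjmp(probe_env, 1);                /* unwind back into probe_writable() */
}

/* "PUSH DWORD PTR [EBX]; POP DWORD PTR [EBX]": read a dword at p and write the
 * same dword back. Returns 1 if the store succeeded, 0 if it raised
 * SIGSEGV/SIGBUS (the Linux counterpart of the access violation in the post). */
int probe_writable(void *p) {
    struct sigaction sa = {0}, old_segv, old_bus;
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    probe_faulted = 0;
    if (sigsetjmp(probe_env, 1) == 0) {
        volatile uint32_t *word = (volatile uint32_t *)p;
        uint32_t v = *word;                  /* PUSH [EBX] */
        *word = v;                           /* POP  [EBX]: traps on a read-only page */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return probe_faulted ? 0 : 1;
}

/* Map a constructed page, optionally downgrade it to read-only the way a dumped
 * exe's code section is, run the probe and return its verdict (-1 if mmap fails). */
int probe_fresh_page(int readonly) {
    long sz = sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, sz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    if (readonly && mprotect(page, sz, PROT_READ) != 0) { munmap(page, sz); return -1; }
    int ok = probe_writable(page);
    munmap(page, sz);
    return ok;
}

int main(void) {
    printf("writable page: %d  read-only page: %d\n", probe_fresh_page(0), probe_fresh_page(1));
    return 0;
}
```

The writable page (the protector's wrapper in the original app) yields 1, the read-only page (the dumped exe) yields 0, which is the branch on which the stub decides whether it is still running under ASPR.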