  #1  
Old 02-15-2004, 09:39
Satyric0n
Haha.. Wow, okay, I think some of us got things confused somewhere along the thread here. I think britedream did first (no offence), then I did, and it was only Wurstgote who had things straight the whole time.

After rereading the thread, and redumping the app, I believe britedream's misunderstanding came from the comment on the instruction at 578911: ;<&kernel32.GetModuleHandleA>

I think britedream thought that [40781E] pointed directly to kernel32.GetModuleHandleA, which is at 77E7AD86, and so his suggestion was to make the instruction MOV EAX, 62A43C so that EAX would contain the same value in the dumped exe as in the original packed exe (since in the original packed exe, [40781E] pointed to 62A43C).

But, britedream my friend, [40781E] does indeed still point to 62A43C. 62A43C used to be a thunk to ASPR's emulated GetModuleHandleA function. But, 62A43C is now (after rebuilding the imports) a thunk jumping to GetModuleHandleA, thus Olly's offending (though not erroneous, as "&" was referring to a jump to the address of (as & is used in C) GetModuleHandleA) comment. So as Worstgote said,
Quote:
I've compared the value of [40781E] in the original file with that in the dumped one. Both are the same. So, basically, it should make no difference if I replace

00578911 MOV EAX,DWORD PTR DS:[40781E] ; [40781E] contains 62A43C

with

00578911 MOV EAX,62A43C
Worstgote, in this, you are absolutely correct!

As to my own confusion, I can only attribute it to tiredness and maybe too much alcohol. Meaning, I have no real excuse... What I had been alluding to in my post about my laziness was that if changing the value in EAX really had fixed things, it would have been a cleaner solution (in my opinion) than NOPping those two instructions.

That all having been said, I believe my solution to NOP the instructions at 578919 and 57891E is still the best solution to this particular problem.

Also, Worstgote, your analysis of the code looks to me to be 100% correct. But, you already knew it was.

So, have you managed to find a resource editor yet? Also, why not install Visual Studio? Or, why do you not already have it installed? Your understanding and general knowledge of these subjects so far made me think you were already a programmer?

Regards,
Satyric0n

Last edited by Satyric0n; 02-15-2004 at 17:00.