Exetools  

  #14  
10-24-2016, 22:11
byvs
Quote:
Originally Posted by bongos_man
at 0x7B31BB, the function is called with the address of your string in eax. you want to patch this call to instead call a function in your dll. add a function to your dll like this:

Code:
void __declspec(naked) patchstring() {
  __asm {
    ; modify string here somehow
    ; but be careful to preserve registers
    ; because your target looks like it uses fastcall

    ; now call old func at 0x7B31BB
    jmp 0xBB31BB ; 0x400000 + 0x7B31BB
  }
}
and in the DllMain, replace the bytes from 0x7B31BC to 0x7B31BF with the address of that function (read the tuts for more info). don't replace the 0xE8 at 0x7B31BB because that is the beginning of the call opcode ;]
@bongos_man
Thank you my friend,
I will replace the value FF bytes by 88 bytes. It worked, but not 100%
0xE88875C5FF to 0xE88875C588
it is?
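
The four bytes that follow an E8 opcode are a little-endian 32-bit displacement counted from the end of the 5-byte call instruction, so a replacement value is computed as destination minus (call address + 5). The C code below is an added example, not code from either poster: it decodes the two byte sequences quoted in the post and encodes a redirected call, assuming the call sits at 0xBB31BB (the 0x400000 + 0x7B31BB figure in the quoted comment) and using a constructed hook address, 0x10001000.

```c
#include <stdint.h>
#include <stdio.h>

#define CALL_LEN 5u /* E8 opcode + 4-byte rel32 */

/* Decode "E8 rel32" found at virtual address insn_va.
 * Returns 0 and stores the absolute destination, or -1 if the
 * first byte is not the near-call opcode. */
int decode_call_target(const uint8_t insn[5], uint32_t insn_va, uint32_t *target)
{
    if (insn[0] != 0xE8)
        return -1;
    /* rel32 is stored little-endian: lowest byte first */
    uint32_t rel = (uint32_t)insn[1] | ((uint32_t)insn[2] << 8) |
                   ((uint32_t)insn[3] << 16) | ((uint32_t)insn[4] << 24);
    /* relative to the NEXT instruction; unsigned math wraps mod 2^32 */
    *target = insn_va + CALL_LEN + rel;
    return 0;
}

/* Build the 5 bytes of a near call at insn_va that lands on new_target. */
void encode_call(uint32_t insn_va, uint32_t new_target, uint8_t out[5])
{
    uint32_t rel = new_target - (insn_va + CALL_LEN);
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

int main(void)
{
    const uint32_t call_va = 0x00BB31BBu; /* assumed: 0x400000 + 0x7B31BB */
    const uint32_t hook_va = 0x10001000u; /* constructed DLL function address */
    const uint8_t original[5] = {0xE8, 0x88, 0x75, 0xC5, 0xFF}; /* from the post */
    const uint8_t edited[5]   = {0xE8, 0x88, 0x75, 0xC5, 0x88}; /* from the post */
    uint8_t patched[5];
    uint32_t t;

    decode_call_target(original, call_va, &t);
    printf("original call -> 0x%08X\n", (unsigned)t);
    decode_call_target(edited, call_va, &t);
    printf("FF->88 edit   -> 0x%08X\n", (unsigned)t);
    encode_call(call_va, hook_va, patched);
    printf("hook bytes: %02X %02X %02X %02X %02X\n",
           patched[0], patched[1], patched[2], patched[3], patched[4]);
    return 0;
}
```

Because the last of the four bytes is the most significant one, changing only FF to 88 moves the decoded destination from 0x0080A748 to 0x8980A748 under these assumptions.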