edward
January 1st, 2001, 15:49
Hi,
I've got the following problem:
I have got a NeoLite-packed file, which I want to patch.
So I traced to the end of the unpacking routine (4E13B2h), redirected
the final jump to some free space (4E1385h) and inserted the patch
instruction. But unfortunately this does not work... the program
crashes with a "protection fault" at EIP=4E1385!
I can't see what I did wrong :-(
Maybe someone could help me?
Thank you very much
edward
PS: Please excuse my posting in this forum instead of the newbies forum, but
the nf simply doesn't load on my PC...
<pre>
-------PRO!.text+A63C----------------------------byte-------------PROT---(0)---
0030:0040B63C 32 DB 8D 4D EC C6 45 FC-01 E8 77 9B 05 00 80 65 2..M..E...w....e
0030:0040B64C FC 00 8D 4D E8 E8 6B 9B-05 00 83 4D FC FF 8D 4D ...M..k....M...M
0030:0040B65C E4 E8 5F 9B 05 00 8B 4D-F4 5F 8A C3 5E 5B 64 89 .._....M._..^[d.
------------------------------------------------------------------------PROT32-
0167:004E1385 66C7053CB64000EB00 MOV WORD PTR [0040B63C],00EB
0167:004E138E FFE0 JMP EAX
0167:004E1390 52 PUSH EDX
0167:004E1391 657365 JAE 004E13F9
0167:004E1394 7276 JB 004E140C
0167:004E1396 65642E0D0A00018B OR EAX,8B01000A
0167:004E139E 44 INC ESP
0167:004E139F 2404 AND AL,04
0167:004E13A1 230503134E00 AND EAX,[004E1303]
0167:004E13A7 E871030000 CALL 004E171D
0167:004E13AC FE059C134E00 INC BYTE PTR [004E139C]
0167:004E13B2 EBD1 JMP 004E1385
0167:004E13B4 803D9C134E0000 CMP BYTE PTR [004E139C],00
0167:004E13BB 7513 JNZ 004E13D0
--------------------------------------PRO!.neolit+0385-------------------------
:map32 pro
Owner Obj Name Obj# Address Size Type
PRO .text 0001 0167:00401000 00086000 CODE RW
PRO .rdata 0002 016F:00487000 0001D000 UDATA RO
PRO .data 0003 016F:004A4000 0000F188 IDATA RW
PRO .rsrc 0004 016F:004B4000 0002C0B8 IDATA RO
PRO .neolit 0005 0167:004E1000 000062F2 CODE RW
</pre>