View Full Version : C-dilla iat-call fixes


AndreaGeddon
February 5th, 2001, 13:44
Hi, I'm reversing the game Carmageddon TDR2000 (SafeDisc). I have decrypted the .text and .data, decrypted the import name functions, rebuilt OriginalFirstThunk; now the game is almost ready but... there are several calls to the same IAT value, for example
call [xxxxxxxx]
which in my case always calls the same function, but this makes the process crash. I examined the original program, and when it calls the same IAT value the DPLAYER makes it call the right function.
Example:
call [005AF148]
The first time I meet this line it calls GetVersion; the next time it calls HeapAlloc, so I had to fix the opcode to point to the right IAT value. My question is: do I have to fix ALL the calls manually (arggggg)????
Is there a fixer, or can you tell me how to write one????
Thanx a lot
Bye

risc
February 5th, 2001, 15:24
get unSafedisc v1.5.5 http://csir.cjb.net

:-)

or get 1.5.3 and look at fix_calls.asm ..

or code a proc to scan the code section for all call dword ptr [wrapped_api] .. call them all, patch dplayerx to return to your proc, store call VA & [wrapped_api] & returned api address in an array ..

step through the array looking for [wrapped_api] addresses which resolve to more than one api .. then fix the relevant calls ..
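The bookkeeping half of the procedure above, as an added example that is not from the post or from unSafedisc: it assumes the run-time resolution of each call site has already been captured (a constructed TRACE and a constructed code section stand in for that here), then finds the slots that resolve to more than one API and retargets only those call sites. The same analysis is what import reconstruction does when unpacking samples that proxy several APIs through one stub.

```python
import struct
from collections import defaultdict

CODE_VA = 0x00401000   # constructed: VA where the sample code section is mapped
WRAPPED = 0x005AF148   # the shared IAT slot from the post
OTHER = 0x005AF14C     # constructed: a slot that resolves to a single API

# Constructed x86 code section with three "call dword ptr [imm32]" (FF 15) sites.
CODE = (
    b"\x55\x8b\xec"                             # push ebp ; mov ebp, esp
    + b"\xff\x15" + struct.pack("<I", WRAPPED)  # call [005AF148] -> GetVersion at run time
    + b"\x6a\x00"                               # push 0
    + b"\xff\x15" + struct.pack("<I", WRAPPED)  # call [005AF148] -> HeapAlloc at run time
    + b"\xff\x15" + struct.pack("<I", OTHER)    # call [005AF14C] -> ExitProcess
    + b"\xc3"                                   # ret
)
# Constructed trace: the API each call site resolved to when observed at run time
# (the "sniffing" step); hard-coded here instead of captured.
TRACE = {0x00401003: "GetVersion", 0x0040100B: "HeapAlloc", 0x00401011: "ExitProcess"}
# Constructed: the slot each API owns in the rebuilt import table.
SLOT_FOR_API = {"GetVersion": 0x005AF148, "HeapAlloc": 0x005AF150, "ExitProcess": 0x005AF14C}

def find_indirect_calls(code, base):
    """Return [(call_va, slot)] for each FF 15 imm32 found by a byte scan.
    A byte scan can match inside other instructions; use a disassembler on real sections."""
    sites, i = [], code.find(b"\xff\x15")
    while i != -1 and i + 6 <= len(code):
        sites.append((base + i, struct.unpack_from("<I", code, i + 2)[0]))
        i = code.find(b"\xff\x15", i + 6)
    return sites

def find_ambiguous_slots(calls, trace):
    """Slots that resolved to more than one API: only calls through these need fixing."""
    seen = defaultdict(set)
    for va, slot in calls:
        seen[slot].add(trace[va])
    return {slot: apis for slot, apis in seen.items() if len(apis) > 1}

def plan_fixes(calls, trace, slot_for_api):
    """(call_va, old_slot, new_slot) for every call through an ambiguous slot that must move."""
    ambiguous = find_ambiguous_slots(calls, trace)
    return [(va, slot, slot_for_api[trace[va]]) for va, slot in calls
            if slot in ambiguous and slot_for_api[trace[va]] != slot]

def apply_fixes(code, base, fixes):
    """Rewrite the imm32 operand of each listed call site; returns the patched bytes."""
    buf = bytearray(code)
    for va, _old, new_slot in fixes:
        struct.pack_into("<I", buf, va - base + 2, new_slot)
    return bytes(buf)
```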

AndreaGeddon
February 5th, 2001, 16:04
>get unSafedisc v1.5.5 http://csir.cjb.net
Of course I know you and your beautiful tools and site, but I was trying to decrypt it by myself :-)

>or get 1.5.3 and look at fix_calls.asm ..
This is really good! Maybe I'll steal it :-P

The idea of sniffing addresses from Dplayer sounds good, I'll try.
Thank you very much man!
Bye