crUsAdEr
February 28th, 2002, 15:17
Hi, I am back for one more question.
I am trying my hand at Armadillo right now: I downloaded the demo version and wrapped notepad with it. I have unwrapped it and rebuilt everything... however, there is one little bug, like this:
---snippet----
push eax ; eax = 0 here
call ds:GetModuleHandleA_0
mov ebx, eax ; output eax = 01000000?
xor esi, esi
cmp ebx, esi
jz toNormalExecution
---snippet-----
And here is the extract from win32.hlp:
"If the parameter is NULL, GetModuleHandle returns a handle of the file used to create the calling process."
When I run the normal notepad the output eax value is 0, but when I run the unwrapped version the output is eax=01000000, which is the module handle of the Armadillo wrapper??? Why is this so when I have already removed it? If this is the handle of the Armadillo wrapper, then where does it leave its signature behind?
I have compared the unwrapped version and the original notepad; the code sections are identical, so it is not the dump problem... If I patch it to make the output eax=0, then the unwrapped version runs without any problem...
However, I do not want to patch it, simply because the code is the same as the original code... but I am not sure what is wrong???
Thanks guys for your help,