View Full Version : How to detect double-dip of ASPR and locate them?


Solomon
March 19th, 2002, 09:58
another how to

I just want to find a general way to locate the double-dip of ASPR. There is no /tracex in Win2K, so did you use the tracer of RV? Please share your discovery.

Sometimes I find the double-dip is right after RegQueryValueExA("Key".

+SplAj
March 19th, 2002, 12:14
...and after that you saw the call address for dip is a reference address stored in a lookup table......and so lookup the lookup table in SI and see how many other addresses are around there .......note them down or 'print screen' and maybe bpx them now to check?

Spl/\j

Solomon
March 19th, 2002, 14:12
thx SplAj. I will try it

How about your legs now?

crUsAdEr
March 19th, 2002, 14:42
Hi Solomon.

As fox3 pointed out in some other thread, AsProtect stops at 401014 before dipping, so you can use your usual trick of bpx at iret and then set bpm 401014 x, sice should break there and u will find the dipping area after a weeny bit of tracing :>

Also, you can use revirgin to note down all dip VAs and set breakpoints on them when u break at 401014... that will aid tracing a bit :>...

regards,