hobgoblin
June 2nd, 2002, 09:45
I found it. Sorry for troubling the board...
regards,
hobgoblin
Greetings to all of you.
I have been studying Asprotect lately (yes, I know: be careful with posting questions about this soon-to-be "worn out" protection system), and it is with a certain fear of being flamed that I post one question. I have been reading most of the stuff posted on this board, and I have learned a lot. But there is one thing that eludes me.
I have just read Splaj's splendid work on the subject. But there is one thing I can't quite figure out. Take a look at this:
(Written originally by Splaj..):
0167:00E2CA17 90 NOP
0167:00E2CA18 6A00 PUSH 00
0167:00E2CA1A E8597AFFFF CALL KERNEL32!GetModuleHandleA <==DUMMY API for IAT rebuilders !
0167:00E2CA1F FF355036E300 PUSH DWORD PTR [00E33650] <==GetCommandLineA API
0167:00E2CA25 58 POP EAX <==POP'd into EAX !!!
0167:00E2CA26 C3 RET <==in aspr OK, but STACK WRONG for us
See the GetModuleHandleA in EAX is discarded, EAX is pop'd with GetCommandLineA ptr !!!
I understand what's going on, but exactly how do you guys know that it is the GetCommandLineA API that EAX is pop'd with? When I do a d eax or u eax, I don't see something I understand, or something that gives me a hint. When I do a u 00E33650, I come up with this:
016F:01154648 0000 ADD [EAX],AL
016F:0115464A 40 INC EAX
016F:0115464B 0041A4 ADD [ECX-5C],AL
016F:0115464E E4FF IN AL,FF
016F:01154650 FC CLD
016F:01154651 86F4 XCHG DH,AH
016F:01154653 810000000000 ADD DWORD PTR [EAX],00000000
016F:01154659 0000 ADD [EAX],AL
(the address is different than Splaj's listings; I'm on WinME right now...)
I can't see where to find a pointer to what kind of API is the "valid one", and not the dummy one.
Is this something you just know from experience or what?
Some input on this would be very much appreciated. And if you want, email me your input.
regards,
hobgoblin
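The listing above pushes the DWORD stored at 00E33650 and pops it into EAX, so that slot holds a pointer, not code: disassembling it with u shows the pointer's bytes as garbage instructions, whereas reading it as a DWORD and looking the value up in kernel32's export table names the API. The script below is an added example (not Splaj's or hobgoblin's code) that does exactly that lookup the way an IAT rebuilder does: it builds a constructed in-memory module with a minimal export directory at an assumed base (0xBFF70000, chosen only for illustration; the RVAs, names and slot contents are all made up), walks the export tables, and resolves three constructed thunk slots, including a pointer that lands a few bytes past an export entry and a value that is not inside the module at all.

```python
import struct

# Constructed example: a fake "mapped module" standing in for KERNEL32 at an
# assumed base address. None of these bytes, RVAs or addresses are real.
MODULE_NAME = "KERNEL32"
MODULE_BASE = 0xBFF70000   # assumed base, for illustration only
MODULE_SIZE = 0x5000
THUNK_ADDR = 0x00E33650    # the slot ASProtect reads in Splaj's listing

EXPORT_DIR_FMT = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY (40 bytes)


def build_fake_module(exports):
    """Build an in-memory image holding only an export directory and its
    three tables, plus a RET byte at each exported RVA.  Returns
    (image_bytes, export_directory_rva).  Constructed data, not kernel32."""
    names = sorted(exports)            # real export name tables are sorted
    n = len(names)
    img = bytearray(MODULE_SIZE)
    dir_rva = 0x4000
    func_rva = dir_rva + 40
    names_rva = func_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    struct.pack_into(EXPORT_DIR_FMT, img, dir_rva,
                     0, 0, 0, 0, str_rva, 1, n, n, func_rva, names_rva, ords_rva)
    cur = str_rva
    img[cur:cur + len(MODULE_NAME) + 1] = MODULE_NAME.encode() + b"\0"
    cur += len(MODULE_NAME) + 1
    for i, name in enumerate(names):
        struct.pack_into("<I", img, func_rva + 4 * i, exports[name])
        struct.pack_into("<I", img, names_rva + 4 * i, cur)
        struct.pack_into("<H", img, ords_rva + 2 * i, i)   # ordinal index
        img[cur:cur + len(name) + 1] = name.encode() + b"\0"
        cur += len(name) + 1
        img[exports[name]] = 0xC3                            # RET
    return bytes(img), dir_rva


def parse_exports(img, base, dir_rva):
    """Walk the export directory the way an IAT rebuilder does and return
    {virtual_address: export_name}."""
    fields = struct.unpack_from(EXPORT_DIR_FMT, img, dir_rva)
    nnames, func_rva, names_rva, ords_rva = fields[7], fields[8], fields[9], fields[10]
    table = {}
    for i in range(nnames):
        name_ptr = struct.unpack_from("<I", img, names_rva + 4 * i)[0]
        name = img[name_ptr:img.index(b"\0", name_ptr)].decode("ascii")
        ordinal = struct.unpack_from("<H", img, ords_rva + 2 * i)[0]
        rva = struct.unpack_from("<I", img, func_rva + 4 * ordinal)[0]
        table[base + rva] = name
    return table


def resolve_thunk(slot_bytes, export_table):
    """Treat the 4 bytes stored at a thunk slot as a pointer (what 'dd' shows),
    not as code (what 'u' shows), and name the API it points to."""
    target = struct.unpack_from("<I", slot_bytes)[0]
    if target in export_table:
        return f"{MODULE_NAME}!{export_table[target]}"
    if MODULE_BASE <= target < MODULE_BASE + MODULE_SIZE:
        # Inside the module but not on an export entry: the protector may
        # point a few bytes past the real entry. Report the nearest export.
        below = [a for a in export_table if a <= target]
        if below:
            nearest = max(below)
            return f"{MODULE_NAME}!{export_table[nearest]}+0x{target - nearest:X}"
        return f"{MODULE_NAME}+0x{target - MODULE_BASE:X}"
    return f"0x{target:08X} (not inside {MODULE_NAME})"


def demo():
    """Resolve three constructed thunk slots; returns the three strings."""
    exports = {"GetCommandLineA": 0x1230, "GetModuleHandleA": 0x2340,
               "ExitProcess": 0x3450}          # constructed RVAs
    img, dir_rva = build_fake_module(exports)
    table = parse_exports(img, MODULE_BASE, dir_rva)
    # Slot contents as they would sit at THUNK_ADDR (little-endian DWORDs).
    clean = struct.pack("<I", MODULE_BASE + 0x1230)       # direct pointer
    redirected = struct.pack("<I", MODULE_BASE + 0x1235)  # entry + 5 bytes
    bogus = struct.pack("<I", 0x00400000)                 # image base, not an API
    return (resolve_thunk(clean, table),
            resolve_thunk(redirected, table),
            resolve_thunk(bogus, table))


if __name__ == "__main__":
    for kind, r in zip(("direct", "redirected", "bogus"), demo()):
        print(f"[{THUNK_ADDR:08X}] {kind:10s} -> {r}")
```

In the debugger the same steps are dd 00E33650 to read the slot, then checking whether that value falls inside kernel32 and on which export (u on the value, or an export listing for the module); if it lands a few bytes inside an API rather than on its entry, the protector has stolen the prologue and the nearest export plus offset is the name to restore.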