BlackBuster
September 26th, 2002, 06:38
Hi
Could you point me to where I am messing up? This is a little proggie from GameHouse, whatword.exe. It is packed with ASProtect. I was able to locate where to patch it to make it run as registered, locate the OEP, which I think is at OEP=4f3495, and dump it with the patch. I ran imprec and revirgin. Imprec can only locate kernel.dll as the only imported DLL, and I was able to rebuild all of the import table from kernel32.dll and fix the dump file.
But when I run the dump file it crashes at addr=8a5674, which is called from
0177:0041C250 PUSH 00007FFE
0177:0041C255 PUSH 00
0177:0041C257 CALL [004E8B6C]
0177:0041C25D MOV [004C6254],EAX
0177:0041C262 C3 RET
dd 4e8b6c contains 8a5674
u 8a5674 contains the address of user32!LoadBitmapA
So the addresses from 4e8a88 to 4e8b84 contain the address of a routine that jumps to user32.dll imports.
I managed to replace all of the addresses from 4e8a88-4e8b84 with the addresses of the imports so that it calls the user32 imports directly, then dumped again.
Ran the dumped file. It runs perfectly. Rebooted the system and ran it again. It runs, but when I exit it crashes. I traced that it calls gdi32.dll imports; that is where it crashed. I noticed that when icedump is loaded it runs perfectly and all of the import addresses are present; that is why it runs without a problem.
What is icedump doing that this proggie runs without a problem, or am I missing something here? Please help...
TIA