
View Full Version : OEiP - How to .... ? (ASprotect v1.3)


BruceLee
October 2nd, 2002, 20:08
Hi all!

I have a little problem, and I'm sure that you can help me.

Problem:

I found OEiP:

004432B0 0000 ADD [EAX],AL
004432B2 FF150C724700 CALL [0047720C] ; *** OEiP ***
004432B8 33D2 XOR EDX,EDX
004432BA 8AD4 MOV DL,AH
004432BC 891590B14D00 MOV [004DB190],EDX

but something is wrong. Look at this:

014D5959 PUSH EBP ; *** part of original EXE ***
014D595A MOV EBP,ESP
014D595C PUSH FF
014D595E PUSH 004AF5A0
014D5963 PUSH 00447028
014D5968 MOV EAX,FS:[00000000]
014D596E PUSH EAX
014D596F MOV FS:[00000000],ESP
014D5976 SUB ESP,58
014D5979 PUSH EBX
014D597A PUSH ESI
014D597B PUSH EDI
014D597C MOV [EBP-18],ESP
014D597F PUSH 004432B2 ; *** OEiP ??? ***
014D5984 RET

How to dump this file (where) and how to fix it, please?

BruceLee

evaluator
October 2nd, 2002, 20:29
So why have you not ACTIVATED your fantasy?

IF you wrote:
>014D5959 PUSH EBP ; *** part of original EXE ***
it means you Can restore these bytes!

>014D597F PUSH 004432B2 ; *** OEiP ??? ***

Why?
OEP will be placed where you put those bytes.

>Where must I put them? (VirtualQuestionEx)

PUSH 004432B2
RET

I guess (why not you?): these instructions return execution to the next code after the ripped piece.
So put that PART of the original code before 004432B2...

exclude:
PUSH 004432B2
RET

>Why exclude?

~:-0

**************
NOW I have Question to you!!

Why do you think this is ASPR1.3!??
Do you have true info!?

else say: "zorry"

Iwarez
November 1st, 2002, 19:39
I don't think it's ASProtect 1.3, but it sure is a new version. I got my hands on a completely new game that's protected by ASProtect and it has the same thing as the target above. The first few executions are being executed in ASProtect address space; after that you get redirected to the normal address space where the rest is executed. The first few bytes have a different address where they are stored every time. I just cut and paste the bytes where they belong, adjust the OEP and it worked fine...