howie
December 6th, 2002, 10:25
hi there,
i managed to rebuild the iat of many aspro targets thanks to the information provided here and hours of tracing
most of my dumps ran after eg. removing a filesize check, fixing "step backs" to aspro-layer or fixing further initialized variables.
but in new ones i more and more encounter stack-problems, if i fix the dump like i traced in real application
below is an piece of code i found in a programm. i assume this is the correct oeip, also i assume i managed to rebuild the iat (just the normal suspects). my question: am i fishing in the wrong seas? in otherwords, is this a valid oeip, and second how to fix it?
first loop fills some memory aera with zeros, this fails in the dump. i just nopped away instruction at 00401BB3. but the retn (and the following retn's in programm) produces errors caused by an invalid stack.
00401B9D > $ 833D 20B64F00 >CMP DWORD PTR DS:[4FB620],0
00401BA4 . 74 2F JE SHORT dumped.00401BD5
00401BA6 . B8 03000000 MOV EAX,3
00401BAB > 8B15 20B64F00 MOV EDX,DWORD PTR DS:[4FB620]
00401BB1 . 33C9 XOR ECX,ECX
00401BB3 . 894C82 F4 MOV DWORD PTR DS:[EDX+EAX*4-C],ECX
00401BB7 . 40 INC EAX
00401BB8 . 3D 01040000 CMP EAX,401
00401BBD .^75 EC JNZ SHORT dumped.00401BAB
00401BBF . B8 08B64F00 MOV EAX,dumped.004FB608
00401BC4 . 8940 04 MOV DWORD PTR DS:[EAX+4],EAX
00401BC7 . 8900 MOV DWORD PTR DS:[EAX],EAX
00401BC9 . A3 14B64F00 MOV DWORD PTR DS:[4FB614],EAX
00401BCE . C605 C0B54F00 >MOV BYTE PTR DS:[4FB5C0],1
00401BD5 > 33C0 XOR EAX,EAX
00401BD7 . 5A POP EDX
00401BD8 . 59 POP ECX
00401BD9 . 59 POP ECX
00401BDA . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00401BDD . 68 FD1B4000 PUSH dumped.00401BFD
00401BE2 > 803D 4DB04F00 >CMP BYTE PTR DS:[4FB04D],0
00401BE9 . 74 0A JE SHORT dumped.00401BF5
00401BEB . 68 C8B54F00 PUSH dumped.004FB5C8 ; /pCriticalSection = dumped.004FB5C8
00401BF0 . E8 AFF8FFFF CALL <JMP.&KERNEL32.LeaveCriticalSection>; \LeaveCriticalSection
00401BF5 > C3 RETN ; RET used as a jump to 00401BFD
i managed to rebuild the iat of many aspro targets thanks to the information provided here and hours of tracing
most of my dumps ran after eg. removing a filesize check, fixing "step backs" to aspro-layer or fixing further initialized variables.
but in new ones i more and more encounter stack-problems, if i fix the dump like i traced in real application
below is an piece of code i found in a programm. i assume this is the correct oeip, also i assume i managed to rebuild the iat (just the normal suspects). my question: am i fishing in the wrong seas? in otherwords, is this a valid oeip, and second how to fix it?
first loop fills some memory aera with zeros, this fails in the dump. i just nopped away instruction at 00401BB3. but the retn (and the following retn's in programm) produces errors caused by an invalid stack.
00401B9D > $ 833D 20B64F00 >CMP DWORD PTR DS:[4FB620],0
00401BA4 . 74 2F JE SHORT dumped.00401BD5
00401BA6 . B8 03000000 MOV EAX,3
00401BAB > 8B15 20B64F00 MOV EDX,DWORD PTR DS:[4FB620]
00401BB1 . 33C9 XOR ECX,ECX
00401BB3 . 894C82 F4 MOV DWORD PTR DS:[EDX+EAX*4-C],ECX
00401BB7 . 40 INC EAX
00401BB8 . 3D 01040000 CMP EAX,401
00401BBD .^75 EC JNZ SHORT dumped.00401BAB
00401BBF . B8 08B64F00 MOV EAX,dumped.004FB608
00401BC4 . 8940 04 MOV DWORD PTR DS:[EAX+4],EAX
00401BC7 . 8900 MOV DWORD PTR DS:[EAX],EAX
00401BC9 . A3 14B64F00 MOV DWORD PTR DS:[4FB614],EAX
00401BCE . C605 C0B54F00 >MOV BYTE PTR DS:[4FB5C0],1
00401BD5 > 33C0 XOR EAX,EAX
00401BD7 . 5A POP EDX
00401BD8 . 59 POP ECX
00401BD9 . 59 POP ECX
00401BDA . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00401BDD . 68 FD1B4000 PUSH dumped.00401BFD
00401BE2 > 803D 4DB04F00 >CMP BYTE PTR DS:[4FB04D],0
00401BE9 . 74 0A JE SHORT dumped.00401BF5
00401BEB . 68 C8B54F00 PUSH dumped.004FB5C8 ; /pCriticalSection = dumped.004FB5C8
00401BF0 . E8 AFF8FFFF CALL <JMP.&KERNEL32.LeaveCriticalSection>; \LeaveCriticalSection
00401BF5 > C3 RETN ; RET used as a jump to 00401BFD