
View Full Version : different offsets between Hex Workshop and SoftICE


newbcrk
March 23rd, 2003, 06:18
1/ I can't open my target with WINDASM.
2/ My target is not packed. I used PE-Identifier, which said the compiler is "Microsoft Visual C++ 6.0", and that's all.
3/ My offsets are completely different between SoftICE, e.g.:
001B:77E7B19B 8BEC MOV EBP,ESP
001B:77E7B19D 83EC30 SUB ESP,30
(I am under my target, I am sure)
and Hex Workshop, e.g.: entry point 0058BECC,
so I can't patch. I don't find the offset which interests me. I see that under Hex Workshop I have a lot of zeros, but the offset is higher under SoftICE without a lot of 00 (replaced by 77).
What can I do?

ZaiRoN
March 23rd, 2003, 09:19
Hi newbcrk,
Quote:
1/I can't open my target with WINDASM
Does Windasm crash when it's loading the file, or is the output Windasm gives you empty? Fooling Windasm is very easy; a simple search on the board will help you. Btw, try using IDA; it might not be very user-friendly at first, but it's very powerful.

Quote:
3/My offsets are completly differents between Softice ex:
001B:77E7B19B 8BEC MOV EBP,ESP
001B:77E7B19D 83EC30 SUB ESP,30
(I am under my target I am sure)
Hmmm... are you really sure?
I think these lines are not from your target file but from a DLL used by the file (correct me if I am wrong).
Reading one of your recent messages I found this:

001B:77E7B19B 8BEC MOV EBP,ESP
001B:77E7B19D 83EC30 SUB ESP,30

These are two lines of code from the GetFileTime function, inside Kernel32.dll. Is Kernel32.dll the file you want to patch?
First of all, you need to find the code of your target, so reread the thread "How to know where I am", trying to understand what the other guys have told you; after that, when you are inside your target (and not in the DLL used by your target), I am sure you will be able to find the right offset.

ZaiRoN

newbcrk
March 23rd, 2003, 14:18
Well, by all appearances I understand nothing.

dELTA
March 23rd, 2003, 14:36

squidge
March 23rd, 2003, 14:37
You may want to try your hand at OllyDbg rather than SoftICE if you're still a newbie...

wbe
March 23rd, 2003, 17:12
IDA is another disassembler.

(I am under my target I am sure)

Well, you may be, but you are inside a call to Kernel32.dll, as ZaiRoN pointed out. Don't just rely on the indication given in the lower right part of your SoftICE screen. When your executable calls an external function (in a DLL), you are assumed to be under your target but are looking at an offset which does not exist in your target's .exe.

OllyDbg (another debugger) seems to be the right choice for you, both for debugging and for anything else you'd expect from w32dasm.

wbe

Aimless
March 24th, 2003, 04:28
Try this:

1. Get IDA Pro

2. Disassemble

3. Unless it's a VB or Delphi program, or one of the exotic unary languages, you should see the instructions.

4. If you do not, it's probably encrypted/compressed, no matter what the identifier program says.

5. Search GOOGLE for "cracking <targetname>", or search for "<targetname> compressed with" or "<targetname> encrypted with". This should let you know if it's encrypted.

6. If that does not work, try "anti-disassembler <targetname>".

7. Go to programmerstools.org. Go to the UTILITIES section and download some VA to RVA offset calculators (there is a good collection of them; download them all).

8. This takes care of converting between raw addresses (as seen in a hex editor) and the virtual addresses (as seen in the debugger).

9. Finally, remember w32dasm has issues running on 2000 and XP. It HAS to be in a directory or two below the root. If it's nested too deep, it'll balk on you. Make sure that you have the full version of w32dasm too. (Wean yourself away from that to IDA.)

Have Phun,
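The two things this thread keeps coming back to are (a) ZaiRoN's and wbe's point that 77E7xxxx addresses belong to Kernel32.dll and not to the target, and (b) Aimless's steps 7-8, converting between the virtual addresses a debugger shows and the raw file offsets a hex editor shows. The script below is an added example written for this editorial pass; it is not code from anyone in the thread or from any of the tools named. It builds a small constructed PE32 image in memory (assumed layout: image base 0x00400000, a .text and a .data section), parses the section table, and then does the VA-to-file-offset walk the offset calculators do. It also reports when a VA is not inside the module at all, which is exactly what happens with the SoftICE lines quoted above when the target is a normal VC++ 6 .exe based at 0x400000.

```python
import struct
from typing import Optional

# Byte offsets inside the PE32 optional header (from the PE/COFF spec).
OPT_MAGIC, OPT_ENTRY, OPT_IMAGE_BASE, OPT_SIZE_OF_IMAGE = 0, 16, 28, 56

def build_sample_pe() -> bytes:
    """Build a minimal PE32 image as constructed test input (not a real program).

    Assumed layout: image base 0x00400000, SizeOfImage 0x3000, headers 0x400 bytes;
    .text RVA 0x1000 (VirtualSize 0x1000, 0x800 raw bytes at file offset 0x400);
    .data RVA 0x2000 (VirtualSize 0x1000, 0x200 raw bytes at file offset 0xC00).
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: "PE\0\0" lives at 0x40
    # COFF header: i386, 2 sections, 224-byte optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, OPT_MAGIC, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, OPT_ENTRY, 0x1010)                   # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, OPT_IMAGE_BASE, 0x00400000)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, OPT_SIZE_OF_IMAGE, 0x3000, 0x400)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes

    def section(name, vsize, rva, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, rva, rawsize, rawptr, 0, 0, 0, 0, flags)

    image = bytearray(dos + b"PE\0\0" + coff + opt
                      + section(b".text", 0x1000, 0x1000, 0x800, 0x400, 0x60000020)
                      + section(b".data", 0x1000, 0x2000, 0x200, 0xC00, 0xC0000040))
    image += b"\0" * (0xE00 - len(image))
    image[0x410:0x412] = b"\x8B\xEC"  # "mov ebp,esp" at the entry point, so there is code to find
    return bytes(image)

def parse_pe(data: bytes) -> dict:
    """Pull the fields needed for VA <-> file-offset translation out of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt + OPT_MAGIC)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + OPT_SIZE_OF_IMAGE)
    sections = []
    for i in range(nsections):  # section table starts right after the optional header
        name, vsize, rva, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode("ascii", "replace"),
                             vsize=vsize, rva=rva, rawsize=rawsize, rawptr=rawptr))
    return dict(image_base=struct.unpack_from("<I", data, opt + OPT_IMAGE_BASE)[0],
                entry_rva=struct.unpack_from("<I", data, opt + OPT_ENTRY)[0],
                size_of_image=size_of_image, size_of_headers=size_of_headers, sections=sections)

def va_to_file_offset(pe: dict, va: int) -> Optional[int]:
    """Debugger address -> hex editor offset. None when there is nothing on disk to patch."""
    rva = va - pe["image_base"]
    if not 0 <= rva < pe["size_of_image"]:
        return None  # not inside this module at all (a DLL, the stack, the heap...)
    if rva < pe["size_of_headers"]:
        return rva   # the headers are mapped 1:1
    for s in pe["sections"]:
        if s["rva"] <= rva < s["rva"] + s["vsize"]:
            delta = rva - s["rva"]
            # Past SizeOfRawData the bytes exist only in memory (zero-filled), not in the file.
            return s["rawptr"] + delta if delta < s["rawsize"] else None
    return None      # alignment gap between sections

def file_offset_to_va(pe: dict, off: int) -> Optional[int]:
    """Hex editor offset -> address the debugger shows, assuming the image loads at its preferred base."""
    if off < pe["size_of_headers"]:
        return pe["image_base"] + off
    for s in pe["sections"]:
        if s["rawptr"] <= off < s["rawptr"] + s["rawsize"]:
            return pe["image_base"] + s["rva"] + (off - s["rawptr"])
    return None      # slack after the last section's raw data

def where_is(pe: dict, va: int) -> str:
    """Name the section a debugger address lives in, or say it is not this module."""
    rva = va - pe["image_base"]
    if not 0 <= rva < pe["size_of_image"]:
        return "outside this module (another DLL, stack or heap)"
    if rva < pe["size_of_headers"]:
        return "PE headers"
    return next((s["name"] for s in pe["sections"] if s["rva"] <= rva < s["rva"] + s["vsize"]), "section gap")

if __name__ == "__main__":
    data = build_sample_pe()
    pe = parse_pe(data)
    ep_va = pe["image_base"] + pe["entry_rva"]
    off = va_to_file_offset(pe, ep_va)
    print(f"entry point VA {ep_va:08X} -> file offset {off:08X}: bytes {data[off:off + 2].hex()}")
    print(f"VA 77E7B19B is {where_is(pe, 0x77E7B19B)}")  # the addresses from the SoftICE dump above
```

Two caveats the calculators do not always make obvious: a VA that lands past a section's SizeOfRawData (uninitialised data, or zero-filled tail) has no file offset, so there is nothing to patch there; and the mapping only holds if the module is actually loaded at its preferred ImageBase, which for a plain .exe of that era it is. To use this on a real file, replace `build_sample_pe()` with `open(path, "rb").read()`; the parser reads only the standard PE32 fields.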