A few random observations from my own adventures with Ollydbg on this project. First, thanks to LaBBa for getting me interested enough in his tutorial that I finally installed Ollydbg and tried it on this target. I do note a few points which seem to differ with his tut, but do not know whether they may be the result of the fact that he appears to be using XP and I am using Win2kSP3.
First a comment on xybyre's suggestion to use "REP STOS BYTE PTR ES:[EDI]" as the trace condition. I tried using this condition and after more than 1 hour on my 2.5 GHz P4, it was still "tracing" and hadn't reached the "rep stos" point yet. It was much faster to use the EIP<900000.
Having reached that point and noted that EAX was 57e318, I decided to start the program and Olly again and this time trace until "EAX==0057e318". Again, this was very quick and it disclosed the code immediately below the:
012C532C 60 PUSHAD <--- Returns to here
012C532D 9C PUSHFD
012C532E FC CLD
012C532F BF 42532C01 MOV EDI,12C5342
012C5334 B9 53010000 MOV ECX,153
012C5339 F3:AA REP STOS BYTE PTR ES:[EDI]
012C533B 9D POPFD
012C533C 61 POPAD
012C533D -E9 19972BFF JMP 0057EA5B
which was erased by the REP STOS BYTE PTR ES:[EDI]. That code is:
012C5342 03C3 ADD EAX,EBX
012C5344 BB 0B000000 MOV EBX,0B
012C5349 0BDB OR EBX,EBX
012C534B 75 02 JNZ SHORT 012C534F
012C534D 50 PUSH EAX
012C534E C3 RETN
012C534F E8 00000000 CALL 012C5354
012C5354 5D POP EBP
012C5355 81ED E27F4900 SUB EBP,497FE2
012C535B 8D8D D07F4900 LEA ECX,DWORD PTR SS:[EBP+497FD0]
012C5361 2BC1 SUB EAX,ECX
012C5363 8985 CC7F4900 MOV DWORD PTR SS:[EBP+497FCC],EAX
012C5369 8D85 BA7F4900 LEA EAX,DWORD PTR SS:[EBP+497FBA]
012C536F 8D8D 23804900 LEA ECX,DWORD PTR SS:[EBP+498023]
012C5375 03CB ADD ECX,EBX
012C5377 8941 01 MOV DWORD PTR DS:[ECX+1],EAX
012C537A 8D85 D07F4900 LEA EAX,DWORD PTR SS:[EBP+497FD0]
012C5380 8D8D BE7F4900 LEA ECX,DWORD PTR SS:[EBP+497FBE]
012C5386 8901 MOV DWORD PTR DS:[ECX],EAX
012C5388 B8 53010000 MOV EAX,153
012C538D 8D8D C37F4900 LEA ECX,DWORD PTR SS:[EBP+497FC3]
012C5393 8901 MOV DWORD PTR DS:[ECX],EAX
012C5395 55 PUSH EBP
012C5396 8BEC MOV EBP,ESP
012C5398 83C4 F0 ADD ESP,-10
012C539B B8 18E35700 MOV EAX,57E318 <------
012C53A0 68 2C532C01 PUSH 12C532C
012C53A5 C3 RETN
You will notice that the third instruction from the bottom is the one that puts "57e318" into EAX, then pushes the address of the PUSHAD above, and returns. It then erases this subroutine.
I also noted a difference on the "stolen bytes" from what LaBBa reported, and again I don't know if this is a result of my OS. Using the search for "PUSH EBX, PUSH ESI, PUSH EDI" I arrived at:
012C8989 51 PUSH ECX
012C898A 51 PUSH ECX
012C898B 83EC 10 SUB ESP,10
012C898E 53 PUSH EBX
012C898F 56 PUSH ESI
012C8990 57 PUSH EDI
012C8991 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
While LaBBa reported his "stolen bytes" as "55,8b,ec,83,ec,54" + the MOV EAX 57e318 (or "b8 18 e3 57 00"), mine appear to be as shown above plus the MOV EAX 57e318. If anyone has an explanation, I would be interested. I am still studying the program to see if it will search again after finding the first instance of the search criteria. For those of you who might not know, because you didn't bother to search, there is an Ollydbg forum where there is a lot of information on how to make the program work. I'm busy reading my way through when I have some spare time for playing.
Regards.
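As an added example (not from the post, and not OllyDbg or the target's own code), the following script decodes the PUSHAD/REP STOS stub described above from a memory dump, computes the region it wipes, locates the MOV EAX / PUSH / RETN trampoline that re-enters it, and simulates the erase so you can see why a dump taken after the stub has run no longer shows that trampoline. The dump bytes are constructed from the listing in the post; the bytes past 012C53A5 are not shown there, so the rest of the 0x153-byte region is padded with zeros (an assumption).

```python
import struct

# Sample dump constructed from the listing in the post: the stub at 012C532C followed
# by the code it later wipes. Bytes after the last listed instruction (012C53A5) are
# not in the post, so the rest of the 0x153-byte region is zero padding (assumption).
BASE = 0x012C532C
DUMP = bytes.fromhex(
    "60 9C FC BF 42532C01 B9 53010000 F3AA 9D 61 E9 19972BFF"   # PUSHAD .. JMP 0057EA5B
    "03C3 BB0B000000 0BDB 7502 50 C3 E800000000 5D 81EDE27F4900"
    "8D8DD07F4900 2BC1 8985CC7F4900 8D85BA7F4900 8D8D23804900 03CB"
    "894101 8D85D07F4900 8D8DBE7F4900 8901 B853010000 8D8DC37F4900"
    "8901 55 8BEC 83C4F0 B818E35700 682C532C01 C3"
).ljust(22 + 0x153, b"\x00")

def parse_erase_stub(mem, base):
    """Decode PUSHAD/PUSHFD/CLD/MOV EDI,imm32/MOV ECX,imm32/REP STOSB/POPFD/POPAD/JMP rel32
    at the start of mem. Returns None when the bytes do not have exactly that shape."""
    if len(mem) < 22 or mem[:4] != b"\x60\x9c\xfc\xbf" or mem[8] != 0xB9:
        return None
    if mem[13:17] != b"\xf3\xaa\x9d\x61" or mem[17] != 0xE9:
        return None
    edi = struct.unpack_from("<I", mem, 4)[0]
    ecx = struct.unpack_from("<I", mem, 9)[0]
    rel = struct.unpack_from("<i", mem, 18)[0]
    return {"pushad": base, "erase_start": edi, "erase_end": edi + ecx,
            "jmp_target": (base + 22 + rel) & 0xFFFFFFFF,
            "wipes_following_code": edi == base + 22}  # region starts right after the JMP

def find_reentry(mem, base, stub):
    """Scan the to-be-erased region for MOV EAX,imm32 / PUSH imm32 / RETN whose PUSH
    operand is the PUSHAD address: the trampoline that hands control to the stub."""
    lo, hi = max(stub["erase_start"] - base, 0), min(stub["erase_end"] - base, len(mem))
    for off in range(lo, hi - 10):
        if mem[off] == 0xB8 and mem[off + 5] == 0x68 and mem[off + 10] == 0xC3:
            eax = struct.unpack_from("<I", mem, off + 1)[0]
            ret_to = struct.unpack_from("<I", mem, off + 6)[0]
            if ret_to == stub["pushad"]:
                return {"addr": base + off, "eax": eax}
    return None

def simulate_erase(mem, base, stub, eax):
    """Apply REP STOS BYTE PTR ES:[EDI]: it stores AL, so the 'erased' region is filled
    with the low byte of EAX as it was when PUSHAD ran (0x18 for EAX=57E318)."""
    out = bytearray(mem)
    lo, hi = max(stub["erase_start"] - base, 0), min(stub["erase_end"] - base, len(out))
    out[lo:hi] = bytes([eax & 0xFF]) * (hi - lo)
    return bytes(out)
```

Run against a real dump, the same two checks (erase region begins right after the JMP, and a PUSH of the PUSHAD address inside that region) are what distinguish this self-erasing stub from an ordinary memset loop.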