Solomon
April 11th, 2002, 15:09
h**p://www.reget.com/redir/redir.asp?lang=default&product=dx&link=betanew
There are 3 redirected calls that I can't understand in this target.
Here is what I do:
1. make a full dump at OEP (4CEDE0)
2. rebuild the IT (IAT start RVA = F1000, IAT length = 6A0)
3. fix the dumped exe.
But when I run it, I get access violations at the following 3 places. Here it is:
Code:
001B:0047914B MOV EAX,[ESP+04]
001B:0047914F MOV [0051CA4C],EAX //first
001B:00479154 RET
001B:00479155 MOV EAX,[ESP+04]
001B:00479159 MOV [0051CA50],EAX //second
001B:0047915E RET
001B:0047915F MOV EAX,[ESP+04]
001B:00479163 MOV [0051CA54],EAX //third
001B:00479168 RET
001B:00479169 PUSH EBP
001B:0047916A MOV EBP,ESP
001B:0047916C PUSH ECX
001B:0047916D MOV EAX,[0051CA54]
001B:00479172 MOV DWORD PTR [EBP-04],0000008C
001B:00479179 TEST EAX,EAX
001B:0047917B JZ 00479187
001B:0047917D LEA ECX,[EBP-04]
001B:00479180 PUSH 04
001B:00479182 PUSH ECX
001B:00479183 CALL EAX //call ASPR code
001B:00479185 LEAVE
001B:00479186 RET
001B:00479187 PUSH 10
001B:00479189 PUSH 00
001B:0047918B PUSH 005096D8
001B:00479190 PUSH 00
001B:00479192 CALL [004F14EC]
001B:00479198 PUSH 00
001B:0047919A CALL 004CDE79
001B:0047919F CMP DWORD PTR [0051CA58],00
001B:004791A6 JNZ 004791BD
001B:004791A8 MOV EAX,[0051CA4C]
001B:004791AD TEST EAX,EAX
001B:004791AF JZ 004791BE
001B:004791B1 CALL EAX //call ASPR code
001B:004791B3 MOV DWORD PTR [0051CA58],00000001
001B:004791BD RET
I don't know what the purpose of the above calls is. Anyone has an idea? I can be sure that the rebuilt IT is correct.
I have tried the following way to fix the above problems, but it still fails.
1. dump the whole ASPR code (RVA 6F0000-70B000) at OEP.
2. add a new section to the rebuilt exe to hold ASPR code, and rebuild EXE header.
But it still crashes after I press the "Evaluate" button in the NAG.
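Added example (not part of Solomon's post): the listing above shows three tiny "setter" stubs that each store their single argument into a global (0051CA4C, 0051CA50, 0051CA54), and later code that loads one of those globals into EAX and does CALL EAX after a TEST EAX,EAX / JZ guard. That is a callback-registration pattern: the protector hands the program pointers into its own code, so a dump that drops the protector's region leaves dangling pointers and faults at the indirect calls. The script below parses a SoftICE-style listing and reports, per global slot, where it is written by a setter stub, where it is called through, and whether the call is null-guarded. The listing is an excerpt of the one quoted in the post; the parser only understands the instruction forms that appear there.

```python
import re
from collections import namedtuple

Instr = namedtuple("Instr", "addr mnem ops")

# Excerpt of the disassembly quoted in the post (SEL:ADDR MNEMONIC operands).
LISTING = """\
001B:0047914B MOV EAX,[ESP+04]
001B:0047914F MOV [0051CA4C],EAX //first
001B:00479154 RET
001B:00479155 MOV EAX,[ESP+04]
001B:00479159 MOV [0051CA50],EAX //second
001B:0047915E RET
001B:0047915F MOV EAX,[ESP+04]
001B:00479163 MOV [0051CA54],EAX //third
001B:00479168 RET
001B:00479169 PUSH EBP
001B:0047916A MOV EBP,ESP
001B:0047916C PUSH ECX
001B:0047916D MOV EAX,[0051CA54]
001B:00479172 MOV DWORD PTR [EBP-04],0000008C
001B:00479179 TEST EAX,EAX
001B:0047917B JZ 00479187
001B:0047917D LEA ECX,[EBP-04]
001B:00479180 PUSH 04
001B:00479182 PUSH ECX
001B:00479183 CALL EAX //call ASPR code
001B:00479185 LEAVE
001B:00479186 RET
001B:004791A8 MOV EAX,[0051CA4C]
001B:004791AD TEST EAX,EAX
001B:004791AF JZ 004791BE
001B:004791B1 CALL EAX //call ASPR code
001B:004791B3 MOV DWORD PTR [0051CA58],00000001
001B:004791BD RET
"""

LINE_RE = re.compile(r"^\s*[0-9A-Fa-f]{4}:([0-9A-Fa-f]{8})\s+(\S+)\s*(.*?)\s*$")
STORE_GLOBAL_RE = re.compile(r"^\[([0-9A-F]{8})\],EAX$")
LOAD_GLOBAL_RE = re.compile(r"^EAX,\[([0-9A-F]{8})\]$")


def parse_listing(text):
    """Turn 'SEL:ADDR MNEMONIC operands // comment' lines into Instr tuples."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("//", 1)[0])  # drop trailing comment
        if not m:
            continue  # blank line or non-disassembly text
        addr, mnem, ops = m.groups()
        out.append(Instr(int(addr, 16), mnem.upper(), ops.replace(" ", "").upper()))
    return out


def find_setter_slots(instrs):
    """Map global slot -> entry address of a 'MOV EAX,[ESP+04]; MOV [slot],EAX; RET' stub."""
    slots = {}
    for a, b, c in zip(instrs, instrs[1:], instrs[2:]):
        if a.mnem == "MOV" and a.ops == "EAX,[ESP+04]" and b.mnem == "MOV" and c.mnem == "RET":
            m = STORE_GLOBAL_RE.match(b.ops)
            if m:
                slots[int(m.group(1), 16)] = a.addr
    return slots


def writes_eax(ins):
    """True if the instruction's destination is EAX (TEST/CMP only read it)."""
    return ins.mnem not in ("TEST", "CMP", "PUSH") and ins.ops.startswith("EAX,")


def find_indirect_calls(instrs):
    """For every CALL EAX, walk back to the load that set EAX and note a TEST/JZ guard."""
    results = []
    for i, ins in enumerate(instrs):
        if ins.mnem != "CALL" or ins.ops != "EAX":
            continue
        slot, guarded = None, False
        for j in range(i - 1, -1, -1):
            prev = instrs[j]
            if prev.mnem in ("RET", "CALL"):
                break  # function boundary or EAX clobbered by a call
            if prev.mnem == "TEST" and prev.ops == "EAX,EAX":
                guarded = j + 1 < i and instrs[j + 1].mnem in ("JZ", "JE")
            if writes_eax(prev):
                m = LOAD_GLOBAL_RE.match(prev.ops)
                slot = int(m.group(1), 16) if m else None
                break
        results.append((ins.addr, slot, guarded))
    return results


def analyze(text):
    """Per setter-written slot: where it is set and every guarded/unguarded call through it."""
    instrs = parse_listing(text)
    report = {slot: {"set_at": addr, "calls": []} for slot, addr in find_setter_slots(instrs).items()}
    for call_addr, slot, guarded in find_indirect_calls(instrs):
        if slot in report:
            report[slot]["calls"].append((call_addr, guarded))
    return report


if __name__ == "__main__":
    for slot, info in sorted(analyze(LISTING).items()):
        calls = ", ".join(f"{a:08X}({'guarded' if g else 'unguarded'})" for a, g in info["calls"]) or "none"
        print(f"slot {slot:08X}: set by stub at {info['set_at']:08X}; called at {calls}")
```

Running it on the excerpt reports that slots 0051CA4C and 0051CA54 are both filled by a setter and later called through (each behind a TEST EAX,EAX / JZ), while 0051CA50 is filled but never called in the quoted range, so its caller lies elsewhere in the binary. Any pointer stored into these slots that lands inside the protector's own region (6F0000-70B000 in the post) is exactly what a dump has to preserve or the indirect call faults.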