reverse engineering a patch

Thread in the "WASM.ENGLISH" section, created by user pragma, 22 Mar 2006.

  1. pragma

    pragma New Member

    Publications:
    0
    Registered:
    22 Mar 2006
    Messages:
    2
    So I have this x.exe and patch.exe.

    patch.exe launches x.exe and writes some things in memory.

    How can I find out what memory address patch.exe writes in x.exe?
     
  2. _BC_

    _BC_ БЦ

    Publications:
    0
    Registered:
    20 Jan 2005
    Messages:
    759
    Dump the patched image from memory and compare .code-sections (it won't help if x.exe is packed/crypted). However, patch.exe can easily write to data-sections as well, thus a better solution is to disassemble patch.exe, or, another method, to hook the WriteProcessMemory function.
     
  3. pragma

    pragma New Member

    Publications:
    0
    Registered:
    22 Mar 2006
    Messages:
    2
    x.exe is packed with yoda's cryptor and patch.exe is packed with asprotect. Didn't work to unpack and dump.

    Guess I will try hook.

    10x
     
  4. CARDINAL

    CARDINAL Member

    Publications:
    0
    Registered:
    23 Jan 2004
    Messages:
    551
    Location:
    Moscow
    pragma

    Easily! WriteProcessMemory/ReadProcessMemory, set breakpoints on these functions with ntice & then analyze it.
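
The dump-and-compare approach from the second reply, as an added example that is not part of the original thread: it walks the PE section table and reports every run of changed bytes in code and data sections alike. It assumes two memory-layout dumps of x.exe taken at the same load address (one without patch.exe, one with) whose PE headers are still intact; the function names, the base address and the sample bytes are constructed for illustration.

```python
import struct

def sections(img):
    """Yield (name, rva, virtual_size) from the section table of a memory-layout PE image."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]              # e_lfanew
    if img[:2] != b"MZ" or img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE headers missing or wiped in this dump")
    nsec, opt_size = struct.unpack_from("<H12xH", img, pe + 6)
    table = pe + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    for n in range(nsec):
        name, vsize, rva = struct.unpack_from("<8sII", img, table + 40 * n)
        yield name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize

def diff_dumps(clean, patched, base):
    """Return [(section, address, old_bytes, new_bytes)] for every run of changed bytes."""
    hits = []
    for name, rva, vsize in sections(clean):
        end = min(rva + vsize, len(clean), len(patched))
        i = rva
        while i < end:
            j = i
            while j < end and clean[j] != patched[j]:        # extend the run of differences
                j += 1
            if j > i:
                hits.append((name, base + i, bytes(clean[i:j]), bytes(patched[i:j])))
            i = max(j, i + 1)
    return hits

def make_sample():
    """Constructed input: PE32 headers, .text at RVA 0x1000, .data at RVA 0x2000."""
    img = bytearray(0x3000)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)
    struct.pack_into("<HH12xH", img, 0x84, 0x14C, 2, 0xE0)   # i386, 2 sections, opt header size
    for n, (name, rva) in enumerate(((b".text", 0x1000), (b".data", 0x2000))):
        struct.pack_into("<8sII", img, 0x178 + 40 * n, name, 0x1000, rva)
    img[0x1000:0x2000] = b"\x90" * 0x1000
    return img

def demo():
    clean = make_sample()
    patched = bytearray(clean)
    patched[0x1234:0x1236] = b"\xEB\x10"                     # constructed code change
    patched[0x2040:0x2044] = b"\x01\x02\x03\x04"             # constructed data change
    return diff_dumps(clean, patched, base=0x400000)

if __name__ == "__main__":
    for name, addr, old, new in demo():
        print(f"{name} {addr:#010x}: {old.hex()} -> {new.hex()}")
```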