How to Patch this when it stops at LEAVE?

tsungkarla

I run it via Olly and it stops on LEAVE; this means that the app will automatically close upon start. Now my question is: how will I patch this so that it will run and open the main UI?


 


Your guidance is much appreciated.


 


2wfs75j.png


Edited by tsungkarla

Phoenix

What is the application you are using? There are jumps which may lead to program execution. Give that a try. It generally works. :)


tsungkarla

Ok @Phoenix I will PM you.


tsungkarla

I ran a Search for All Intermodular calls and I landed here: CALL <JMP.&MSVBVM60.#100>


 


What should I do?


Phoenix

Is it the main exe or the complete application? It does not make any sense to patch a DLL of Microsoft Windows.


tsungkarla

Actually that is my error, sorry for that. I clicked that and it landed on the LEAVE.


Sipher

Sigh... that is only the .exe. Not the complete app.


 


It is a VB6 app with no protection developed by some JCDevelopers Inc.


 


If you are asking for help in learning, then have no hesitation in posting the file. It is for education purposes only.

Blue Indian

As it seems from your screenshot, you are in another module rather than the main application. If I am right, you are in the Kernel Module due to some exception, hence every time your application closes itself. You don't have to patch there, just find what causes that exception, probably an anti-debugger check or some missing files.


 


21l28uh.png


tsungkarla

Actually the app calls for a database. And I wonder why it closes every time I open it.


Sipher

Ah Hah........... Bloody crap installation procedure!! :) That is why it terminates.


 



 


1. Install the app from the Main Install Folder



2. Extract the contents of Support main Folder to:


C:/System


 



 


Anyone see the error in the above quote?? :)


 


Also... sad to say this... but our Indian developed programs are so lousy in installing files. They do it indiscriminately and when you want to uninstall the program, it is never a clean uninstall.


 


Anyways... having a look at the program now.

tsungkarla

I hope someone can point me in the right direction on this. If you do, guys, please provide a tut so I may understand. Thanks in advance.


Phoenix

The setup file itself shows many access violations before installation and is creating problems while installing for me. :(


 


Others do try and say. :)


Nieo

Can you post the link over here?


CybotX

I run it via Olly and it stops on LEAVE; this means that the app will automatically close upon start. Now my question is: how will I patch this so that it will run and open the main UI?

 

tsungkarla, that LEAVE instruction doesn't make your application close upon start; to take a leave for vacations. :prankster:

Your debugging itself starts at a wrong point, there's no point in discussing so heavily how to proceed with patching; please use your GPS satellite tracking to see what your co-ordinate location is.

 

The 'leave' instruction makes sure that your application stack is balanced while the routine returns to the caller by de-allocating the bytes that were reserved when the call to the function was made, so that we don't have to deallocate them manually; plus it resets the stack base pointer EBP by popping its reserved old value (mem addr to return to) from the stack, and any other CPU instruction that needs to be reset as they were backed up before the function was called. In this case it's 10 bytes that were reserved for function arguments.

 

So, when you don't use 'LEAVE' you'll have to do this at the end of the day see below:

MOV ESP, EBP

POP EBP

RET X

 

where 'X' is the stack volume.

 

Instead you can just use 'LEAVE'. And it'll take care of the rest.

If you patch LEAVE, your stack will not be balanced and your application will end up crashing.

 

Stack:

Untitled.jpg

 

the stack grows in the direction of the lower addresses:

Param -> ret -> ebp -> local var -> registers

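An added example, not part of the original posts: a toy C model of the function prologue and epilogue discussed in the reply above, showing that LEAVE is equivalent to MOV ESP,EBP followed by POP EBP, and what RET pops when LEAVE has been replaced by NOPs. The stack layout, the addresses and the fill values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy 32-bit stack: mem[] is indexed in dwords and grows toward lower indices. */
typedef struct { uint32_t mem[64]; uint32_t esp, ebp; } cpu_t;

static void push(cpu_t *c, uint32_t v) { c->mem[--c->esp] = v; }
static uint32_t pop(cpu_t *c) { return c->mem[c->esp++]; }

#define RET_ADDR   0x00401234u  /* constructed return address in the caller */
#define CALLER_EBP 0x0000003Cu  /* constructed frame pointer of the caller  */
#define LOCAL_FILL 0xDEADBEEFu  /* constructed contents of a local variable */

/* Runs prologue + epilogue and returns the value RET loads into EIP.
   use_leave = 0 models LEAVE overwritten with NOP. */
uint32_t run_function(int use_leave, uint32_t *ebp_after)
{
    cpu_t c = { {0}, 64, CALLER_EBP };
    push(&c, 0x11111111u);      /* PUSH param (caller)              */
    push(&c, RET_ADDR);         /* CALL pushes the return address   */
    push(&c, c.ebp);            /* PUSH EBP                         */
    c.ebp = c.esp;              /* MOV EBP, ESP                     */
    c.esp -= 2;                 /* SUB ESP, 8  (two dword locals)   */
    c.mem[c.esp] = c.mem[c.esp + 1] = LOCAL_FILL;

    if (use_leave) {            /* LEAVE == MOV ESP,EBP ; POP EBP   */
        c.esp = c.ebp;
        c.ebp = pop(&c);
    }
    uint32_t eip = pop(&c);     /* RET pops whatever ESP points at  */
    c.esp += 1;                 /* RET 4 also discards the param    */
    *ebp_after = c.ebp;
    return eip;
}

int main(void)
{
    uint32_t ebp;
    uint32_t eip = run_function(1, &ebp);
    printf("with LEAVE : EIP=%08X EBP=%08X\n", (unsigned)eip, (unsigned)ebp);
    eip = run_function(0, &ebp);
    printf("LEAVE NOPed: EIP=%08X EBP=%08X\n", (unsigned)eip, (unsigned)ebp);
    return 0;
}
```

With LEAVE in place, RET returns to the caller and EBP holds the caller's frame pointer again; without it, RET takes a local variable as the return address and EBP still points into the dead frame.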
tsungkarla

Oh I see, sir. I think I'm at fault for understanding it in a different way. Thank you for the clarity on this.


CybotX

No problem ..! :prankster:


Sipher

10:1 odds that he did not understand the above. :)

  • Upvote 1
