Anyways, I am not getting anywhere. Once I do any of those I end up with
"Process terminated, exit code 0". No idea where it even screws up, just all threads get terminated followed by process termination.
I just NOP -> [CALL EDI = LoadLibraryA]
(This would mean I gotta find the place where imports get called and somehow nop them too.)
I can't find out where the DLL gets called. I've stepped over 50,000 lines and it still doesn't crash, but as soon as I run it without stepping, instant crash.
I thought about just looking for GetProcAddress calls to XTrap.dll that could be crashing it, as I've aborted the loading of the XTrap, but it seems it's not used??
So then it hit me: why not just look for TerminateProcess calls and nop them all out lol. Err, still doesn't work.
Or just change
005C4525 -> JE to JNZ to quickly exit. (Probably shouldn't do this, most likely this is if an error occurs.)
XTrap DLL loading code
Code:
005C4500 /$ 81EC 04010000 SUB ESP,104
005C4506 |. 53 PUSH EBX
005C4507 |. 56 PUSH ESI
005C4508 |. 57 PUSH EDI
005C4509 |. B9 40000000 MOV ECX,40
005C450E |. 33C0 XOR EAX,EAX
005C4510 |. 8D7C24 0D LEA EDI,DWORD PTR SS:[ESP+D]
005C4514 |. C64424 0C 00 MOV BYTE PTR SS:[ESP+C],0
005C4519 |. F3:AB REP STOS DWORD PTR ES:[EDI]
005C451B |. 66:AB STOS WORD PTR ES:[EDI]
005C451D |. AA STOS BYTE PTR ES:[EDI]
005C451E |. A1 A0873802 MOV EAX,DWORD PTR DS:[23887A0]
005C4523 |. 85C0 TEST EAX,EAX
005C4525 74 18 JE SHORT AIKAEN_u.005C453F
005C4527 |. A1 CC873802 MOV EAX,DWORD PTR DS:[23887CC]
005C452C |. 5F POP EDI
005C452D |. 5E POP ESI
005C452E |. 5B POP EBX
005C452F |. C740 08 032000>MOV DWORD PTR DS:[EAX+8],2003
005C4536 |. 33C0 XOR EAX,EAX
005C4538 |. 81C4 04010000 ADD ESP,104
005C453E |. C3 RETN
005C453F |> 8B8C24 1401000>MOV ECX,DWORD PTR SS:[ESP+114]
005C4546 |. 68 94026100 PUSH AIKAEN_u.00610294 ; ASCII "XTrapVa.dll"
005C454B |. 51 PUSH ECX
005C454C |. 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+14]
005C4550 |. 68 80026100 PUSH AIKAEN_u.00610280 ; ASCII "%s\%s"
005C4555 |. 52 PUSH EDX
005C4556 |. E8 8ECBFEFF CALL AIKAEN_u.005B10E9
005C455B |. 8B3D 74603A02 MOV EDI,DWORD PTR DS:[<&kernel32.LoadLib>; kernel32.LoadLibraryA
005C4561 |. 83C4 10 ADD ESP,10
005C4564 |. 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
005C4568 |. 50 PUSH EAX ; /FileName
005C4569 |. FFD7 CALL EDI ; \LoadLibraryA
005C456B |. 8BF0 MOV ESI,EAX
005C456D |. 85F6 TEST ESI,ESI
005C456F |. 75 52 JNZ SHORT AIKAEN_u.005C45C3
005C4571 |. FF15 00603A02 CALL DWORD PTR DS:[<&kernel32.GetLastErr>; [GetLastError
005C4577 |. 8BD8 MOV EBX,EAX
005C4579 |. 83FB 7E CMP EBX,7E
005C457C |. 75 24 JNZ SHORT AIKAEN_u.005C45A2
005C457E |. 68 94026100 PUSH AIKAEN_u.00610294 ; ASCII "XTrapVa.dll"
005C4583 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
005C4587 |. 68 88026100 PUSH AIKAEN_u.00610288 ; ASCII ".\XTrap\%s"
005C458C |. 51 PUSH ECX
005C458D |. E8 57CBFEFF CALL AIKAEN_u.005B10E9
005C4592 |. 83C4 0C ADD ESP,0C
005C4595 |. 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+C]
005C4599 |. 52 PUSH EDX
005C459A |. FFD7 CALL EDI
005C459C |. 8BF0 MOV ESI,EAX
005C459E |. 85F6 TEST ESI,ESI
005C45A0 |. 75 21 JNZ SHORT AIKAEN_u.005C45C3
005C45A2 |> A1 CC873802 MOV EAX,DWORD PTR DS:[23887CC]
005C45A7 |. 5F POP EDI
005C45A8 |. 5E POP ESI
005C45A9 |. 8958 04 MOV DWORD PTR DS:[EAX+4],EBX
005C45AC |. 8B0D CC873802 MOV ECX,DWORD PTR DS:[23887CC] ; AIKAEN_u.02388F70
005C45B2 |. 33C0 XOR EAX,EAX
005C45B4 |. 5B POP EBX
005C45B5 |. C741 08 042000>MOV DWORD PTR DS:[ECX+8],2004
005C45BC |. 81C4 04010000 ADD ESP,104
005C45C2 |. C3 RETN
005C45C3 |> 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+C]
005C45C7 |. 56 PUSH ESI
005C45C8 |. 52 PUSH EDX
005C45C9 |. E8 12080000 CALL AIKAEN_u.005C4DE0
005C45CE |. 83C4 08 ADD ESP,8
005C45D1 |. 8935 A0873802 MOV DWORD PTR DS:[23887A0],ESI
005C45D7 |. E8 04070000 CALL AIKAEN_u.005C4CE0
005C45DC |. 56 PUSH ESI
005C45DD |. 8BC8 MOV ECX,EAX
005C45DF |. E8 BC070000 CALL AIKAEN_u.005C4DA0
005C45E4 |. 5F POP EDI
005C45E5 |. 5E POP ESI
005C45E6 |. B8 01000000 MOV EAX,1
005C45EB |. 5B POP EBX
005C45EC |. 81C4 04010000 ADD ESP,104
005C45F2 \. C3 RETN