I can patch the disc in whatever way I want, the process always crashes here:
Code:
004A2E29 /$ 68 20644C00 PUSH Skittles.004C6420 ; /pModule = "mscoree.dll"
004A2E2E |. FF15 C8304B00 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHan>; \GetModuleHandleA
004A2E34 |. 85C0 TEST EAX,EAX
004A2E36 |. 74 16 JE SHORT Skittles.004A2E4E
004A2E38 |. 68 10644C00 PUSH Skittles.004C6410 ; /ProcNameOrOrdinal = "CorExitProcess"
004A2E3D |. 50 PUSH EAX ; |hModule = NULL
004A2E3E |. FF15 C4304B00 CALL DWORD PTR DS:[<&KERNEL32.GetProcAddre>; \GetProcAddress
004A2E44 |. 85C0 TEST EAX,EAX
004A2E46 |. 74 06 JE SHORT Skittles.004A2E4E
004A2E48 |. FF7424 04 PUSH DWORD PTR SS:[ESP+4]
004A2E4C |. FFD0 CALL EAX
004A2E4E |> FF7424 04 PUSH DWORD PTR SS:[ESP+4] ; /ExitCode = FFFFFFFD
004A2E52 \. FF15 78314B00 CALL DWORD PTR DS:[<&KERNEL32.ExitProcess>>; \ExitProcess
GetModuleHandleA returns 0 in EAX, so ExitProcess is hit.
Here falls the decision to call the function.
Code:
004A2F5B |> \68 34E04C00 PUSH Skittles.004CE034
004A2F60 |. B8 28E04C00 MOV EAX,Skittles.004CE028
004A2F65 |. E8 01FFFFFF CALL Skittles.004A2E6B
004A2F6A |. 59 POP ECX
004A2F6B |> 68 40E04C00 PUSH Skittles.004CE040
004A2F70 |. B8 38E04C00 MOV EAX,Skittles.004CE038
004A2F75 |. E8 F1FEFFFF CALL Skittles.004A2E6B
004A2F7A |. 59 POP ECX
004A2F7B |. 834D FC FF OR [LOCAL.1],FFFFFFFF
004A2F7F |. E8 18000000 CALL Skittles.004A2F9C
004A2F84 |. 397D 10 CMP [ARG.3],EDI
004A2F87 |. 75 21 JNZ SHORT Skittles.004A2FAA
004A2F89 |. 8935 0CB34E00 MOV DWORD PTR DS:[4EB30C],ESI
004A2F8F |. FF75 08 PUSH [ARG.1]
004A2F92 |. E8 92FEFFFF CALL Skittles.004A2E29
004A2F97 |. 33FF XOR EDI,EDI
004A2F99 |. 33F6 XOR ESI,ESI
004A2F9B |. 46 INC ESI
004A2F9C |$ 397D 10 CMP [ARG.3],EDI
004A2F9F |. 74 08 JE SHORT Skittles.004A2FA9
004A2FA1 |. 6A 08 PUSH 8
004A2FA3 |. E8 A2130000 CALL Skittles.004A434A
004A2FA8 |. 59 POP ECX
004A2FA9 |> C3 RETN
004A2FAA |> E8 4C200000 CALL Skittles.004A4FFB
004A2FAF \. C3 RETN