I have a target that is packed with a home-made packer...
Now i defeated the Encryption part, i traced all the decryption routines and after the decryption, the code does not do more than an exception by mov[eax], eax (here eax is 0)
After this instruction, Neither TRW nor SICE cannot trace it
Maybe they do but i dont know what to do to make them trace it ?
Will you give me a hand please ?
Thanks in advance...

as always, I'll invite you to document yourself on the intel's pentium docs, section interrupts and seh.

this instruction generates an int 0 , sice will not trace this, unless you set a right bpmb into the right handler.
you have to look inside the idt, to find the handler's address so you can trace it.

Howdy don't know how usefull this will be to you but anyway..
Whenever a SEH handler is set, you are likely to see something like this:

PUSH OFFSET HANDLER
PUSH FS:0
MOV FS:0,ESP

Trace this program you are talking about till you get to the PUSH OFFSET HANDLER part.
This is the exception handler and that address is where the CPU will direct flow of execution after the interruption is generated.
You could BMP OFFSET HANDLER X to make sice stop there.
Those are my two centavos
Bye

Latigo

I meant BPM instead of BMP

Latigo

its ok latigo we get the picture ^_^

Ok Ok i passed it now i am going deeper...
BTW does this section map look familiar to any of you ?

.rdata RVA: 0008D000 Offset: 0008D000 Size: 00019000 Flags: C0000040
.data RVA: 000A6000 Offset: 000A6000 Size: 00008000 Flags: C0000040
_TEXTLH RVA: 000B3000 Offset: 000AE000 Size: 00001000 Flags: C0000040
_TEXT_HA RVA: 000B4000 Offset: 000AF000 Size: 00011000 Flags: C0000040
.rsrc RVA: 000C5000 Offset: 000C0000 Size: 00023000 Flags: 40000040
.protect RVA: 000E8000 Offset: 000E3000 Size: 00024000 Flags: E0000020