View Full Version : Is the code at wrong direction?


Limee AKA Lamer
August 28th, 2004, 10:04
I traced the anti-debug code as follows.
Is the code going in the wrong direction?
It looks as if this code will run and run until the
system crashes!

0040DA3F > PUSHAD
0040DA40 CALL NOTEPAD.0040DA4B
0040DA45 MOV ESP,DWORD PTR SS:[ESP+8]
0040DA49 JMP SHORT NOTEPAD.0040DA65
0040DA4B > PUSH DWORD PTR FS:[0]
0040DA51 MOV DWORD PTR FS:[0],ESP
0040DA57 PUSHFD
0040DA58 OR DWORD PTR SS:[ESP],100
0040DA5F POPFD
0040DA60 CLC
0040DA61 JNB SHORT NOTEPAD.0040DA3F --->

evlncrn8
August 28th, 2004, 11:25
Hmm, looks like that code's setting up an int 1 exception, setting up the exception handler and anding the dword with 100h = setting the 'trace' flag in the eflags,
which if I'm not mistaken would be set on the popfd, so the int 1 would 'happen' on 40da61 I think, so look at the exception handler to see where it's meant to go. It looks like anti-trace code, heh.

nino
August 29th, 2004, 17:33
I think this would be equivalent to
0040DA3F > PUSHAD
0040DA40 JMP NOTEPAD.0040DA65
0040DA42 NOPs
.
.
.
0040DA65
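
Added example, not part of the original thread: a static check for the idiom discussed above. It flags a PUSHFD / OR [ESP],imm32 / POPFD sequence that sets the trap flag (bit 8, 100h) and reports the handler address that a CALL pushes just before an SEH install. The byte string is hand-assembled from the posted listing; the 67h-prefixed FS:[0] encodings are an assumption made to fit the listed addresses, and the function names are hypothetical.

```python
import re
import struct

# Constructed sample: the posted instructions hand-assembled at 0040DA3F.
# Assumption: FS:[0] accesses use the 67h (16-bit address) prefix, which is
# the encoding whose lengths match the addresses in the listing.
BASE = 0x0040DA3F
CODE = bytes.fromhex(
    "60"              # 0040DA3F PUSHAD
    "e806000000"      # 0040DA40 CALL 0040DA4B (pushes 0040DA45)
    "8b642408"        # 0040DA45 MOV ESP,[ESP+8]
    "eb1a"            # 0040DA49 JMP SHORT 0040DA65
    "6467ff360000"    # 0040DA4B PUSH DWORD PTR FS:[0]
    "646789260000"    # 0040DA51 MOV FS:[0],ESP
    "9c"              # 0040DA57 PUSHFD
    "810c2400010000"  # 0040DA58 OR DWORD PTR [ESP],100
    "9d"              # 0040DA5F POPFD
    "f8"              # 0040DA60 CLC
    "73dc"            # 0040DA61 JNB SHORT 0040DA3F
)

# PUSHFD / OR DWORD PTR [ESP],imm32 / POPFD, with imm32 captured.
TF_IDIOM = re.compile(rb"\x9c\x81\x0c\x24(....)\x9d", re.DOTALL)
# PUSH FS:[0] + MOV FS:[0],ESP in 67h-prefixed and plain 32-bit address forms.
SEH_INSTALL = (bytes.fromhex("6467ff360000646789260000"),
               bytes.fromhex("64ff350000000064892500000000"))

def find_trap_flag_sets(code, base):
    """Return [(pushfd_va, va_after_popfd)] where the OR mask sets TF (bit 8)."""
    hits = []
    for m in TF_IDIOM.finditer(code):
        (imm,) = struct.unpack("<I", m.group(1))
        if imm & 0x100:
            hits.append((base + m.start(), base + m.end()))
    return hits

def find_call_installed_handlers(code, base):
    """Return [(call_va, handler_va)] for CALL rel32 landing on an SEH install.
    The pushed return address becomes the Handler field of the new record."""
    out = []
    for off in range(len(code) - 4):
        if code[off] != 0xE8:
            continue
        (rel,) = struct.unpack_from("<i", code, off + 1)
        target = off + 5 + rel
        if 0 <= target < len(code) and code.startswith(SEH_INSTALL, target):
            out.append((base + off, base + off + 5))
    return out

if __name__ == "__main__":
    print([tuple(map(hex, h)) for h in find_trap_flag_sets(CODE, BASE)])
    print([tuple(map(hex, h)) for h in find_call_installed_handlers(CODE, BASE)])
```

On the sample this reports the flag write at 0040DA57 and the handler at 0040DA45, which is the MOV ESP,[ESP+8] / JMP 0040DA65 pair in the listing.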