Exetools

Thread: int3 and stolen bytes ! (https://forum.exetools.com/showthread.php?t=10741)

Newbie_Cracker 03-12-2007 10:16

int3 and stolen bytes !
 
Hi friends.

I think it's an old question. :)

Tonight I played with CD-Cops and it defeated me !! :(

The question is:

How to find the stolen bytes in child process which is debugged by its father?
I debugged the father, but I didn't understand where the original bytes were written back to the child.

As you know, Armadillo with Nanomite protection, Safedisk and Securom use the same method.

How do they execute original bytes? Father executes the codes virtually or child executes them when they were written back at original addresses?

Regards

--------------
edited:

I read haggar's tut on unpacking SafeDisk. Does anybody know the tricks of CD-COPS?

evlncrn8 03-12-2007 22:13

in the case of safedisc (and probably the others), some 'simple' instructions (like mov eax, 4 etc) were 'emulated' by adjusting the context data and then using SetThreadContext. there was a trick with some of these: if they were executed lots (like maybe 4 times in succession) the 'stolen' bytes were then written back
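To make the mechanism evlncrn8 describes concrete, here is an added model (not code from the thread or from any protector) of a parent process servicing nanomite int3s: it edits a CONTEXT-like record the way the real parent would between GetThreadContext and SetThreadContext, and restores the stolen bytes once a site has been hit often enough. The threshold of 4 hits, the `mov eax, 4` / `inc ecx` sample bytes and the `ParentDebugger` / `Nanomite` names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

INT3 = 0xCC
WRITEBACK_AFTER = 4  # constructed threshold: the post says "maybe 4 times in succession"

@dataclass
class Context:
    """The few CONTEXT fields this model needs (the real struct has many more)."""
    Eip: int
    Eax: int = 0
    Ecx: int = 0

@dataclass
class Nanomite:
    original: bytes                      # the stolen instruction bytes
    emulate: Callable[[Context], None]   # effect of that instruction on the registers
    hits: int = 0                        # how often the parent has serviced this site

class ParentDebugger:
    def __init__(self, image: bytearray, table: dict[int, Nanomite]):
        self.mem, self.table = image, table
        for addr in table:               # protector planted int3 where each instruction was
            self.mem[addr] = INT3

    def step(self, ctx: Context) -> str:
        """One child instruction: an int3 the parent must service, or native code."""
        if self.mem[ctx.Eip] != INT3:
            return "native"              # child CPU runs the real bytes; parent stays idle
        nm = self.table[ctx.Eip]         # (an int3 outside the table would be a real trap)
        nm.emulate(ctx)                  # "execute" by editing the context from GetThreadContext
        ctx.Eip += len(nm.original)      # skip int3 + leftover bytes; this is the SetThreadContext
        nm.hits += 1
        if nm.hits >= WRITEBACK_AFTER:   # hot site: put the original bytes back in the child
            start = ctx.Eip - len(nm.original)
            self.mem[start:start + len(nm.original)] = nm.original
            return "emulated+restored"
        return "emulated"

def demo() -> tuple[list[str], Context, bytes]:
    # Constructed child image: mov eax, 4 at offset 0 (5 bytes), executed in a loop.
    image = bytearray(b"\xB8\x04\x00\x00\x00" + b"\x90" * 11)
    table = {0: Nanomite(b"\xB8\x04\x00\x00\x00", lambda c: setattr(c, "Eax", 4))}
    dbg, ctx, log = ParentDebugger(image, table), Context(Eip=0), []
    for _ in range(5):                   # each loop pass re-enters the site
        ctx.Eip = 0
        log.append(dbg.step(ctx))
    return log, ctx, bytes(image[:5])
```

After the fourth hit the site is restored, so the fifth pass never traps and the child runs `mov eax, 4` itself; a one-byte instruction such as `inc ecx` (0x41) is the edge case where the int3 replaces the whole instruction and `Eip` advances by exactly one.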

trickyboy 03-13-2007 01:47

@Newbie_Cracker: You can read two tutorials about Nanomite from Ricardo Narvaja. Hope it's useful for your question "How do they execute original bytes?" :D

Best Regards.

Newbie_Cracker 03-14-2007 05:33

trickyboy, thanks man, I'll read them carefully. I hadn't seen these tuts of Ricardo Narvaja.

and evlncrn8, I saw GetThreadContext and SetThreadContext in CD-COPS debugger, but I didn't understand what they are. Thanks for your info. I'll check them again.

LaDidi 03-14-2007 16:48

?etThreadContext
 
http://msdn2.microsoft.com/en-us/library/ms679362.aspx
http://msdn2.microsoft.com/en-us/library/ms680632.aspx

http://win32assembly.online.fr/tut30.html
http://win32assembly.online.fr/tut29.html

http://www.koders.com/c/fidF957BCBB3511AC6EA623FAB6DEDE69B07CC0DE0B.aspx

CONTEXT contains the context of the thread (EIP, Flags, EAX, .....).

Regards
