Quote:
|
Originally Posted by Messer
When to patch: I think it's best to patch at EP.
|
Better is when the primary thread is suspended =) So some protectors like EXECryptor can't use OutputDebugStringA from a TLS callback =) I'm still wondering why protection developers don't create a shellcode instead of %s%s%s, shellcode that will redirect eip to ExitProcess in Olly, so it will take a while for someone who didn't patch OutputDebugStringA to figure out what is going on =) Just rewrite the ret address with the offset of: push 0, call ExitProcess within Olly.