|
In the case of SafeDisc (and probably the others), some 'simple' instructions (like mov eax, 4 etc.) were 'emulated' by adjusting the context data and then using SetThreadContext. There was a trick with some of these: if they were executed lots (like maybe 4 times in succession), the 'stolen' bytes were then written back.
|
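Added example, not part of the original post and not SafeDisc code: a toy C model of the mechanism described above, where a guard emulates a stolen `mov eax, imm32` by editing the thread context and writes the original bytes back once the site has been hit repeatedly. The `ctx_t` struct (standing in for the Win32 CONTEXT), the table layout, the constructed 6-byte image and the threshold of 4 (the post only says "maybe 4") are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

#define RESTORE_AFTER 4   /* assumption: the post says "maybe 4" */

typedef struct { uint32_t eax, eip; } ctx_t;   /* toy stand-in for CONTEXT */
typedef struct { uint32_t addr; uint8_t bytes[5]; int hits; } stolen_t;

/* Constructed image: "mov eax, 4" (B8 04 00 00 00) replaced by int3 + filler, then ret. */
static uint8_t image[6] = { 0xCC, 0x90, 0x90, 0x90, 0x90, 0xC3 };
static stolen_t table[] = { { 0, { 0xB8, 0x04, 0x00, 0x00, 0x00 }, 0 } };
static int last_site = -1;

static uint32_t imm32(const uint8_t *p)   /* little-endian immediate */
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Guard side: called when the protected thread traps at ctx->eip.
   Returns 1 if emulated, 2 if emulated and bytes restored, 0 if not a known site. */
int on_breakpoint(ctx_t *ctx)
{
    for (int i = 0; i < (int)(sizeof table / sizeof table[0]); i++) {
        stolen_t *s = &table[i];
        if (s->addr != ctx->eip || image[s->addr] != 0xCC) continue;
        if (last_site != i) s->hits = 0;   /* only count hits in succession */
        last_site = i;
        /* Emulate mov eax, imm32: load the immediate and skip the 5-byte slot.
           A real guard would apply the edited context with SetThreadContext. */
        ctx->eax = imm32(&s->bytes[1]);
        ctx->eip += 5;
        if (++s->hits < RESTORE_AFTER) return 1;
        memcpy(&image[s->addr], s->bytes, 5);   /* hot site: write stolen bytes back */
        return 2;
    }
    return 0;
}

/* Execute the instruction at offset 0 once.
   Returns 1 or 2 as above, or 3 if it ran natively from restored bytes. */
int run_once(ctx_t *ctx)
{
    ctx->eip = 0; ctx->eax = 0;
    if (image[0] == 0xCC) return on_breakpoint(ctx);
    if (image[0] == 0xB8) { ctx->eax = imm32(&image[1]); ctx->eip = 5; return 3; }
    return 0;
}
```

In this model the first three hits are emulated, the fourth is emulated and triggers the write-back, and from the fifth on the instruction runs from the image with no trap.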