#1
Question about false nanomites.
I've got a question about the 88th tutorial on Ricardo Narvaja's FTP. At the end of this tut it's written that false nanomites should be separated from the right ones (there are false nanomites in the nanomite tables). It also says that only 2 of the nanomites that were patched should not be patched (false nanomites in the tables). I don't understand why these ones are wrong. What are the criteria for finding the wrong ones? How, looking at Olly's table of patches, can I say which ones are wrong and which ones are right? I'd already mailed the author, but got no response. I would really appreciate any help.
#2
You didn't mail me; my mail is [email protected] and I have no mail about this topic. I always return the mails.
It is simple: look at the code. If it is a real nanomite and you don't repair it, the code is a mess; and if it is a false nanomite and you repair it, the code was perfect and when you replace it you make a mess of the code, hehe. Just by looking it is easy, the code is not obfuscated at all; for this reason try the two possibilities and you can easily conclude whether they are false or not.
Ricardo Narvaja
#3
I didn't mail you; it's written that the author was Code R@ptor, and I mailed him.
There is a screenshot in the tutorial.
OLD call Dumped.0042B3EF
NEW call Dumped.00426F0C
It's a false nanomite, but why is it false? This code looks completely OK to me; it doesn't seem to be a mess at first look.
#4
Well, if the CC is in the middle of the instruction it will never be executed as INT3, and it is false.
There are CCs in the middle of instructions. Look at this instruction, for example:
00635943 ^\72 CC JB SHORT BioSuite.00635911
There is a CC, but the nanomite needs to generate an exception, and in this position it never generates an exception; the command is a conditional jump, and when you execute the line a conditional jump will be executed, not an INT3. Another example:
00635933 8D4484 CC LEA EAX,DWORD PTR SS:[ESP+EAX*4-34]
If the code near the instruction is correct, the CC in this line never generates an exception and is a false nanomite.
Ricardo Narvaja
#5
Ahhh, I guess the command should start with CC, and the command should not become a mess after patching; only then is it a real nanomite. I got it, OK. But why then is this command
OLD mov dword ptr [ebp-34],esp
NEW mov dword ptr [ebp-15],esp
a real nanomite? Or is there a mistake in this tut?
Last edited by Archer; 09-02-2005 at 22:08.
#6
It can be a mistake in the tut. If the byte CC cannot produce an exception, it is not a nanomite, it is false; all CCs in the middle of instructions are false.
Ricardo Narvaja
#7
OK, I got it. Thanks a lot, Ricardo. Thread can be closed now.
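
Added example (not part of the thread or the tutorial): the rule from posts #4 and #6, that a CC byte lying inside an instruction can never raise INT3, checked by a linear sweep over constructed bytes that reuse the encodings quoted above (`72 CC`, `8D 44 84 CC`, and `89 65 CC` for the `mov` in post #5). The small length decoder, the function names and the base address are assumptions for illustration; it handles only a few 32-bit opcodes and assumes the sweep starts on a known instruction boundary with intact code after it.

```python
# Constructed sample: LEA / JB / MOV each carry CC as an operand byte,
# followed by one stand-alone CC, then NOP and RET.
SAMPLE = bytes.fromhex("8D4484CC 72CC 8965CC CC 90 C3")

def modrm_len(code, i):
    """Bytes taken by ModRM at code[i] plus SIB/displacement (32-bit addressing)."""
    mod, rm = code[i] >> 6, code[i] & 7
    n = 1
    if mod != 3 and rm == 4:                 # SIB byte follows
        n += 1
        if mod == 0 and code[i + 1] & 7 == 5:
            n += 4                           # SIB without base register: disp32
    if mod == 0 and rm == 5:
        n += 4                               # [disp32]
    elif mod == 1:
        n += 1                               # disp8 (where the CC sits in the samples)
    elif mod == 2:
        n += 4                               # disp32
    return n

def insn_len(code, i):
    """Length of the instruction at code[i]; only a handful of opcodes are known."""
    op = code[i]
    if op in (0xCC, 0x90, 0xC3) or 0x50 <= op <= 0x5F:   # int3, nop, ret, push/pop r32
        return 1
    if 0x70 <= op <= 0x7F:                               # Jcc rel8
        return 2
    if op in (0xE8, 0xE9):                               # call/jmp rel32
        return 5
    if op in (0x89, 0x8B, 0x8D):                         # mov / lea with ModRM
        return 1 + modrm_len(code, i + 1)
    raise ValueError(f"opcode {op:#04x} at offset {i} not handled by this sketch")

def classify_cc(code, base=0):
    """Map the address of every CC byte to where it falls in the instruction stream."""
    starts, i = set(), 0
    while i < len(code):                     # linear sweep from a known-good start
        starts.add(i)
        i += insn_len(code, i)
    return {base + off: "instruction start" if off in starts else "inside instruction"
            for off, b in enumerate(code) if b == 0xCC}

if __name__ == "__main__":
    for addr, kind in classify_cc(SAMPLE, base=0x401000).items():   # base is made up
        print(f"{addr:08X}  CC  {kind}")
```

Only a CC reported as "instruction start" can execute as INT3; the ones reported as "inside instruction" are displacement or jump-offset bytes, which is the case both posts call false.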