#1
int3 and stolen bytes!
Hi friends.
I think it's an old question. Tonight I played with CD-Cops and it defeated me!! The question is: how to find the stolen bytes in a child process which is debugged by its father? I debugged the father, but I didn't understand where the original bytes are written back to the child. As you know, Armadillo with Nanomite protection, SafeDisc and SecuROM use the same method. How do they execute the original bytes? Does the father execute the code virtually, or does the child execute it when it is written back at the original addresses? Regards
--------------
edited: I read haggar's tut on unpacking SafeDisc. Is there anybody who knows the tricks of CD-COPS?
__________________
In memory of UnREal RCE...
Last edited by Newbie_Cracker; 03-12-2007 at 20:00.
#2
In the case of SafeDisc (and probably the others), some 'simple' instructions (like mov eax, 4 etc.) were 'emulated' by adjusting the context data and then using SetThreadContext. There was a trick with some of these: if they were executed a lot (like maybe 4 times in succession), the 'stolen' bytes were then written back.
#3
@Newbie_Cracker: You can read two tutorials about Nanomites from Ricardo Narvaja. Hope they are useful for your question "How do they execute original bytes?"
Best Regards.
#4
trickyboy, thanks man, I'll read them carefully. I hadn't seen these tuts of Ricardo Narvaja.
And evlncrn8, I saw GetThreadContext and SetThreadContext in the CD-COPS debugger, but I didn't understand what they are. Thanks for your info. I'll check them again.
__________________
In memory of UnREal RCE...
#5
GetThreadContext / SetThreadContext:
http://msdn2.microsoft.com/en-us/library/ms679362.aspx
http://msdn2.microsoft.com/en-us/library/ms680632.aspx
http://win32assembly.online.fr/tut30.html
http://win32assembly.online.fr/tut29.html
http://www.koders.com/c/fidF957BCBB3511AC6EA623FAB6DEDE69B07CC0DE0B.aspx
CONTEXT contains the context of the thread (EIP, Flags, EAX, .....).
Regards
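The mechanism evlncrn8 describes in #2 (emulate the stolen instruction by editing the thread context, write the bytes back once the site has fired a few times) and the CONTEXT structure referred to in #5, as an added example that is not code from this thread or from any of the protectors named. It is a portable simulation of the parent-side handler: the child's code is a byte array instead of a real process, CONTEXT is reduced to EAX/EBX/EIP, and the hit threshold of 4, the nanomite table layout and the handful of emulated opcodes are assumptions (nothing on this page gives the real tables or thresholds). The Windows calls the real debug loop would make (WaitForDebugEvent, GetThreadContext, SetThreadContext, WriteProcessMemory, ContinueDebugEvent) appear only in comments so the file compiles anywhere.

```c
/* Simulation of a nanomite-style parent handler (added example, not from the
 * thread).  On Windows the real parent reaches this code from a debug loop:
 *   WaitForDebugEvent()   -> EXCEPTION_DEBUG_EVENT, EXCEPTION_BREAKPOINT
 *   GetThreadContext()    -> fill CONTEXT (EAX, EBX, ..., EIP)
 *   handle_breakpoint()   -> emulate, or write the stolen bytes back
 *   SetThreadContext()    -> push the edited registers into the child
 *   ContinueDebugEvent(pid, tid, DBG_CONTINUE)
 * Here child memory is a plain array and WriteProcessMemory is a memcpy. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HIT_THRESHOLD 4        /* assumed: restore bytes on the 4th hit */

typedef struct {               /* subset of the x86 CONTEXT structure */
    uint32_t Eax, Ebx, Eip;
} Context;

typedef struct {               /* one nanomite (assumed table layout) */
    uint32_t addr;             /* offset of the 0xCC in the child image */
    uint8_t  orig[8];          /* the stolen original bytes */
    uint8_t  len;              /* length of the stolen instruction */
    int      hits;             /* how often this int3 has fired */
} Nanomite;

enum { NM_NOT_OURS = -1, NM_EMULATED = 0, NM_RESTORED = 1 };

/* Emulate the few "simple" instructions a protector would steal.  Returns 0
 * for anything we do not decode, so the caller falls back to restoring. */
static int emulate(const Nanomite *nm, Context *ctx)
{
    uint32_t imm;
    switch (nm->orig[0]) {
    case 0xB8: memcpy(&imm, nm->orig + 1, 4); ctx->Eax  = imm; break; /* mov eax, imm32 */
    case 0x05: memcpy(&imm, nm->orig + 1, 4); ctx->Eax += imm; break; /* add eax, imm32 */
    case 0x31: if (nm->orig[1] != 0xD8) return 0;                     /* xor eax, ebx   */
               ctx->Eax ^= ctx->Ebx; break;
    case 0x90: break;                                                 /* nop            */
    default:   return 0;
    }
    ctx->Eip = nm->addr + nm->len;      /* resume after the whole stolen instruction */
    return 1;
}

/* Called for every EXCEPTION_BREAKPOINT the child raises.  The int3 has
 * already executed, so EIP points one byte past it. */
int handle_breakpoint(uint8_t *child, Nanomite *table, size_t count, Context *ctx)
{
    uint32_t bp = ctx->Eip - 1;
    for (size_t i = 0; i < count; i++) {
        Nanomite *nm = &table[i];
        if (nm->addr != bp)
            continue;
        nm->hits++;
        if (nm->hits < HIT_THRESHOLD && emulate(nm, ctx))
            return NM_EMULATED;         /* child never sees the original bytes */
        /* Hot site (or undecodable): write the stolen bytes back over the
         * int3 (WriteProcessMemory in the real thing) and re-execute them. */
        memcpy(child + nm->addr, nm->orig, nm->len);
        ctx->Eip = nm->addr;
        return NM_RESTORED;
    }
    return NM_NOT_OURS;                 /* not a nanomite: pass the exception on */
}

/* Drives the handler on a constructed one-instruction child image:
 *   0: B8 04 00 00 00  mov eax, 4   (stolen, so the child holds CC 04 00 00 00)
 * Returns the hit number at which the bytes were written back, -1 on error. */
int demo(void)
{
    uint8_t  child[8] = { 0xCC, 0x04, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90 };
    Nanomite table[1] = { { 0, { 0xB8, 0x04, 0x00, 0x00, 0x00 }, 5, 0 } };
    Context  ctx = { 0 };
    for (int hit = 1; hit <= 10; hit++) {
        ctx.Eip = 1;                    /* child just executed the int3 at 0 */
        int r = handle_breakpoint(child, table, 1, &ctx);
        if (r == NM_EMULATED) {
            if (ctx.Eax != 4 || ctx.Eip != 5) return -1;
            continue;
        }
        if (r == NM_RESTORED)
            return (ctx.Eip == 0 && memcmp(child, table[0].orig, 5) == 0) ? hit : -1;
        return -1;
    }
    return -1;
}

int main(void)
{
    printf("stolen bytes written back on hit %d\n", demo());
    return 0;
}
```

What this shows for the original question: while a site is cold the child never executes the original bytes at all, the parent computes their effect into CONTEXT and skips EIP past them, so single-stepping the child shows nothing; only after the threshold does the real instruction reappear in the child's memory, which is the moment to dump it.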