An example of what I explained above (FASM syntax because it is easier for stuff like this, imho):
call check_CC                   ; returns with ZF=1 if a 0CCh byte was found in the depack code
; obfuscate this conditional jump using flags and known register values
je Bad_Thing_TM
Good_Thing_TM:
nop                             ; placeholder for the real code path
Bad_Thing_TM:
; should try to hide this to prevent RE'ing backwards
jmp ExitProcess
; integrate this into the depack routine
check_CC:
pushd CC_Magic                  ; the 4-byte stub assembled below now sits at [esp]
mov eax, 0CCh                   ; AL = INT3 opcode to scan for
mov edi, DepakChopra            ; start of the range to scan
mov ecx, DeepPack - DepakChopra ; length of the range
jmp esp                         ; execute the pushed stub (needs an executable stack, i.e. no DEP/NX)
; the code below is executed on the stack; "virtual" assembles it without emitting it here
virtual at 0
repne scas byte [edi]           ; F2 AE: stops early with ZF=1 on the first 0CCh byte, ZF=0 if ECX runs out
pop ebx                         ; 5B: pops CC_Magic itself off the stack
retn                            ; C3: the return address pushed by "call check_CC" is next on the stack
load CC_Magic dword from 0      ; CC_Magic = the four stub bytes above packed into one dword
end virtual
DepakChopra:
repeat 73                       ; stand-in for the depack code: bytes 1..73, none of them 0CCh
db %
end repeat
DeepPack:
Another twisty thing to do is to use XLATB and point EBX at the depack code, requiring the code to be intact during depacking. We can create such a convoluted mass of code that it will take an expert ASM programmer a couple of hours. ;)

I'll try to see if I can play with this code to get it to work :)
However, what is the alternative in masm32 for
db %
Is it db ?
Also, this may be a bit off topic, but I made my own little code macro, and if I execute it more than one time it messes up my code 0.0 and I don't know why. Maybe someone will figure it out; here it is:
trick_jump macro
    jmp $+3          ; EB 01: hop over the EBh opcode on the next line
    db 0EBh, 090h    ; disassembles as a short jmp; only the 90h byte (a NOP) is ever executed
endm                 ; execution falls out of the macro in sync with the real code that follows
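The two mechanisms above, the 0CCh sweep that check_CC runs from the stack and the jump-over-a-fake-jmp that trick_jump attempts, as an added C model that is not code from either post: it mirrors the REPNE SCASB result, packs the four stub bytes into the CC_Magic dword, encodes jmp short displacements the way MASM and FASM do, and walks execution through a jump sequence to show where the CPU actually lands. The byte buffers in main are constructed samples and the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sweep [code, code+len) for the INT3 opcode, the job done above by
 *   mov eax, 0CCh / mov edi, start / mov ecx, len / repne scas byte [edi]
 * Returns 1 (ZF=1: REPNE SCASB stopped on a match) and stores the hit
 * offset, or 0 (ZF=0: ECX ran out) when the range is clean. */
int scan_for_int3(const uint8_t *code, size_t len, size_t *hit)
{
    for (size_t i = 0; i < len; i++) {
        if (code[i] == 0xCC) {
            if (hit)
                *hit = i;
            return 1;
        }
    }
    return 0;
}

/* The four bytes check_CC pushes and then runs with "jmp esp":
 *   F2 AE  repne scas byte [edi]
 *   5B     pop ebx   ; pops the magic dword itself back off the stack
 *   C3     retn      ; returns to the instruction after "call check_CC"
 * Packed little-endian they form the dword "load CC_Magic dword from 0"
 * yields, so "pushd CC_Magic" lays the bytes out in execution order. */
uint32_t cc_magic(void)
{
    const uint8_t stub[4] = { 0xF2, 0xAE, 0x5B, 0xC3 };
    return (uint32_t)stub[0] | ((uint32_t)stub[1] << 8) |
           ((uint32_t)stub[2] << 16) | ((uint32_t)stub[3] << 24);
}

/* Encode "jmp short $+n" as MASM and FASM do: the rel8 displacement is
 * relative to the end of the two-byte instruction, so $+3 is EB 01 and
 * $+90 is EB 58, never the EB 90 a jump-over-a-fake-jmp trick needs.
 * Returns 0 on success, -1 when n does not fit in rel8. */
int encode_short_jmp(int n, uint8_t out[2])
{
    int disp = n - 2;
    if (disp < -128 || disp > 127)
        return -1;
    out[0] = 0xEB;
    out[1] = (uint8_t)disp;
    return 0;
}

/* Target of the "jmp short" whose EB opcode sits at offset `at`. */
long short_jmp_target(size_t at, const uint8_t *code)
{
    return (long)at + 2 + (int8_t)code[at + 1];
}

/* Follow real execution from `at` through short jumps and NOPs and report
 * the offset of the first byte that is neither, i.e. where the CPU is
 * genuinely back in sync. -1 if the walk leaves the buffer or loops. */
long walk_jumps(const uint8_t *code, size_t len, size_t at)
{
    for (int steps = 0; steps < 64 && at < len; steps++) {
        if (code[at] == 0xEB && at + 1 < len) {
            long t = short_jmp_target(at, code);
            if (t < 0 || (size_t)t >= len)
                return -1;
            at = (size_t)t;
        } else if (code[at] == 0x90) {
            at++;
        } else {
            return (long)at;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed sample: "mov eax, 0CCh" (B8 CC 00 00 00) then "ret" (C3).
     * The immediate carries a 0CCh byte with no breakpoint set, which is
     * why check_CC scans DepakChopra..DeepPack and not itself. */
    const uint8_t mov_eax_cc[] = { 0xB8, 0xCC, 0x00, 0x00, 0x00, 0xC3 };
    size_t hit = 0;
    if (scan_for_int3(mov_eax_cc, sizeof mov_eax_cc, &hit))
        printf("mov eax,0CCh: false positive, 0CCh at offset %zu\n", hit);

    printf("CC_Magic = %08Xh\n", (unsigned)cc_magic());

    /* Constructed: a jump-over-fake-jmp that works, EB 01 EB 90, then ret. */
    const uint8_t good[] = { 0xEB, 0x01, 0xEB, 0x90, 0xC3 };
    printf("EB 01 EB 90: CPU resumes at %ld; linear disassembly reads offset 2 "
           "as a jmp to %ld\n",
           walk_jumps(good, sizeof good, 0), short_jmp_target(2, good));

    /* Constructed: the bytes "jmp $+3 / jmp $+90 / db 0EBh,001h" assemble to. */
    const uint8_t posted[] = { 0xEB, 0x01, 0xEB, 0x58, 0xEB, 0x01, 0xC3 };
    long land = walk_jumps(posted, sizeof posted, 0);
    if (land >= 0)
        printf("jmp $+90 variant: first real byte executed is %02Xh at %ld\n",
               (unsigned)posted[land], land);
    return 0;
}
```

Two things the model makes visible: a 0CCh byte inside an immediate or displacement (the B8 CC 00 00 00 of mov eax, 0CCh) is a false positive, so the scanned range must exclude the compare routine itself, as DepakChopra..DeepPack does; and jmp $+90 assembles to EB 58, so execution lands on 58h (pop eax) rather than a NOP, which is why the fake jump has to be emitted as raw bytes (db 0EBh, 090h). Running the pushed dword with jmp esp additionally assumes an executable stack, i.e. no DEP/NX.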
Is check_bpx_point a local var on the stack? If not, then since you're injecting this code, its offset will be different depending on where the code is, and so it should be accessed using the delta offset.
It is possible you have not been using the real check_bpx_point but in fact some arbitrary location in the host application.
mov edi, OFFSET check_bpx_point ; link-time address of the variable
add edi, ebx                    ; ebx = delta offset (assumed computed earlier, e.g. with the call/pop trick)
mov DWORD PTR [edi], 0          ; now writes the real check_bpx_point wherever the code was injected