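;-----------------------------------------------------------------------
; start — program entry (MASM syntax, Win32, stdcall imports)
; Flow: fetch the std handles, write a 61-byte prompt (Buffer), read up to
; 256 bytes of console input into NumberOfBytesWritten, run an input-keyed
; self-modifying loop, then write a 45-byte message (startfalse) and exit.
; NOTE(review): this is a forum paste — the memory operands after "DS:" and
; "byte ptr" were stripped, so the variables touched by the stores and by
; the self-modification cannot be recovered from this listing.
; NOTE(review): the one defect confirmed later in the thread is the
; lpNumberOfBytesWritten push before the final WriteFile, which passed the
; variable's value instead of its address; it is written with OFFSET here.
;-----------------------------------------------------------------------
start:
        PUSH    0
        CALL    GetModuleHandleA        ; hInstance in EAX is overwritten below, never stored
        PUSH    -0AH                    ; nStdHandle = STD_INPUT_HANDLE
        CALL    GetStdHandle
        MOV     DWORD PTR DS:, EAX      ; save stdin handle (destination operand lost)
        PUSH    -0BH                    ; nStdHandle = STD_OUTPUT_HANDLE
        CALL    GetStdHandle
        MOV     DWORD PTR DS:, EAX      ; save stdout handle (destination operand lost)

        PUSH    0                       ; lpOverlapped
        PUSH    OFFSET NumberOfBytesWritten ; lpNumberOfBytesWritten
        PUSH    3DH                     ; nNumberOfBytesToWrite = 61
        PUSH    OFFSET Buffer           ; lpBuffer
        PUSH    DWORD PTR DS:           ; hFile (operand lost; presumably the stdout handle)
        CALL    WriteFile

; NOTE(review): NumberOfBytesWritten doubles as the input buffer here. Its
; declaration is outside this listing; if it is a single DWORD, a 256-byte
; read overruns it into whatever follows in .data — confirm its size.
        PUSH    00H                     ; lpOverlapped
        PUSH    offset NumberOfBytesRead ; lpNumberOfBytesRead
        PUSH    00000100H               ; nNumberOfBytesToRead = 256
        PUSH    OFFSET NumberOfBytesWritten ; lpBuffer
        PUSH    DWORD PTR DS:           ; hFile (operand lost; presumably the stdin handle)
        CALL    ReadFile

        MOV     EDX, offset int31       ; int31 is a data label defined outside this listing
        XOR     EBX, EBX                ; BL = running key A
        XOR     EAX, EAX
        MOV     ECX, EAX                ; CL = running key B, CH = inner-loop counter
        MOV     EBP, 00000017H          ; outer-loop counter: exits on the 23rd decrement
        MOV     ESI, offset NumberOfBytesWritten ; ESI walks the bytes ReadFile stored
        JMP     ref_00401075
ref_0040106B:
        cmp     byte ptr , 1Fh          ; operand lost; bytes above 1Fh (unsigned) skip the AND
        ja      ref_00401075
        and     byte ptr , 9            ; operand lost
ref_00401075:
        DEC     EBP
        JZ      ref_004010AF            ; outer loop finished
        MOV     EDI, ref_00401096       ; EDI = address of the bytes rewritten below
        LODSB                           ; AL = next input byte, ESI++
        CMP     BYTE PTR DS:, 0DH       ; operand lost; 0Dh = carriage return
        JNZ     ref_00401088
        MOV     ESI, offset NumberOfBytesWritten ; on CR, restart from the first input byte
ref_00401088:
        SUB     CL, AL                  ; fold the input byte into both key bytes
        ADD     BL, AL
        ROL     BL, 04H
        ROR     CL, 03H
        ADD     BYTE PTR DS:, BL        ; first in-place rewrite (target operand lost)
        MOV     CH, 10H                 ; inner-loop counter = 16
; NOTE(review): the poster reports the fault on the XOR below. The ADD/XOR
; store to memory and "JMP EDI" re-enters at successive byte offsets inside
; ref_00401096, so this region is self-modifying; the disassembly between
; ref_00401096 and the NOP is unlikely to be what actually executes. Two
; causes fit what is visible, neither confirmable with the operands stripped:
; the store targets the code section while it is not writable (MASM's default
; .code is read/execute), or the input-derived key produced an invalid
; instruction stream — with a wrong input a fault here is the expected
; outcome rather than a bug.
ref_00401096:
        XOR     DWORD PTR DS:, EBX      ; <------- Code crashes here..... (poster's annotation)
        SBB     AL, BYTE PTR DS:        ; operand lost
        ROL     BYTE PTR DS:, 1AH       ; operand lost; rotate count exceeds the operand width
        RCL     EAX, 3EH                ; rotate count exceeds the operand width
        SBB     AL, BYTE PTR DS:        ; operand lost
        OR      AL, AL
        ADC     CL, BYTE PTR DS:        ; operand lost
        NOP
        INC     EDI                     ; next re-entry point is one byte further in
        DEC     CH
        JZ      ref_0040106B            ; 16 inner passes done
        JMP     EDI                     ; re-enter the rewritten bytes mid-instruction
ref_004010AF:
        ADD     EAX, 0BCA270A4h
        SUB     DWORD PTR DS:, EAX      ; final in-place patch (target operand lost)

        PUSH    0                       ; lpOverlapped
        PUSH    offset NumberOfBytesWritten ; lpNumberOfBytesWritten (original pushed the value, not the address)
        PUSH    2DH                     ; nNumberOfBytesToWrite = 45
        PUSH    offset startfalse       ; lpBuffer
        PUSH    DWORD PTR DS:           ; hFile (operand lost; presumably the stdout handle)
        CALL    WriteFile
        PUSH    00H                     ; uExitCode
        CALL    ExitProcess
end start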
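;-----------------------------------------------------------------------
; Repost of the same entry-point listing (the "start:" label was dropped in
; the paste). Flow: fetch the std handles, write a 61-byte prompt (Buffer),
; read up to 256 bytes of console input into NumberOfBytesWritten, run an
; input-keyed self-modifying loop, then write a 45-byte message (startfalse)
; and exit.
; NOTE(review): forum paste — the memory operands after "DS:" and "byte ptr"
; were stripped, so the variables touched by the stores and by the
; self-modification cannot be recovered from this listing.
; NOTE(review): the one defect confirmed later in the thread is the
; lpNumberOfBytesWritten push before the final WriteFile, which passed the
; variable's value instead of its address; it is written with OFFSET here.
;-----------------------------------------------------------------------
        PUSH    0
        CALL    GetModuleHandleA        ; hInstance in EAX is overwritten below, never stored
        PUSH    -0AH                    ; nStdHandle = STD_INPUT_HANDLE
        CALL    GetStdHandle
        MOV     DWORD PTR DS:, EAX      ; save stdin handle (destination operand lost)
        PUSH    -0BH                    ; nStdHandle = STD_OUTPUT_HANDLE
        CALL    GetStdHandle
        MOV     DWORD PTR DS:, EAX      ; save stdout handle (destination operand lost)

        PUSH    0                       ; lpOverlapped
        PUSH    OFFSET NumberOfBytesWritten ; lpNumberOfBytesWritten
        PUSH    3DH                     ; nNumberOfBytesToWrite = 61
        PUSH    OFFSET Buffer           ; lpBuffer
        PUSH    DWORD PTR DS:           ; hFile (operand lost; presumably the stdout handle)
        CALL    WriteFile

; NOTE(review): NumberOfBytesWritten doubles as the input buffer here. Its
; declaration is outside this listing; if it is a single DWORD, a 256-byte
; read overruns it into whatever follows in .data — confirm its size.
        PUSH    00H                     ; lpOverlapped
        PUSH    offset NumberOfBytesRead ; lpNumberOfBytesRead
        PUSH    00000100H               ; nNumberOfBytesToRead = 256
        PUSH    OFFSET NumberOfBytesWritten ; lpBuffer
        PUSH    DWORD PTR DS:           ; hFile (operand lost; presumably the stdin handle)
        CALL    ReadFile

        MOV     EDX, offset int31       ; int31 is a data label defined outside this listing
        XOR     EBX, EBX                ; BL = running key A
        XOR     EAX, EAX
        MOV     ECX, EAX                ; CL = running key B, CH = inner-loop counter
        MOV     EBP, 00000017H          ; outer-loop counter: exits on the 23rd decrement
        MOV     ESI, offset NumberOfBytesWritten ; ESI walks the bytes ReadFile stored
        JMP     ref_00401075
ref_0040106B:
        cmp     byte ptr , 1Fh          ; operand lost; bytes above 1Fh (unsigned) skip the AND
        ja      ref_00401075
        and     byte ptr , 9            ; operand lost
ref_00401075:
        DEC     EBP
        JZ      ref_004010AF            ; outer loop finished
        MOV     EDI, ref_00401096       ; EDI = address of the bytes rewritten below
        LODSB                           ; AL = next input byte, ESI++
        CMP     BYTE PTR DS:, 0DH       ; operand lost; 0Dh = carriage return
        JNZ     ref_00401088
        MOV     ESI, offset NumberOfBytesWritten ; on CR, restart from the first input byte
ref_00401088:
        SUB     CL, AL                  ; fold the input byte into both key bytes
        ADD     BL, AL
        ROL     BL, 04H
        ROR     CL, 03H
        ADD     BYTE PTR DS:, BL        ; first in-place rewrite (target operand lost)
        MOV     CH, 10H                 ; inner-loop counter = 16
; NOTE(review): the poster reports the fault on the XOR below. The ADD/XOR
; store to memory and "JMP EDI" re-enters at successive byte offsets inside
; ref_00401096, so this region is self-modifying; the disassembly between
; ref_00401096 and the NOP is unlikely to be what actually executes. Two
; causes fit what is visible, neither confirmable with the operands stripped:
; the store targets the code section while it is not writable (MASM's default
; .code is read/execute), or the input-derived key produced an invalid
; instruction stream — with a wrong input a fault here is the expected
; outcome rather than a bug.
ref_00401096:
        XOR     DWORD PTR DS:, EBX      ; <------- Code crashes here..... (poster's annotation)
        SBB     AL, BYTE PTR DS:        ; operand lost
        ROL     BYTE PTR DS:, 1AH       ; operand lost; rotate count exceeds the operand width
        RCL     EAX, 3EH                ; rotate count exceeds the operand width
        SBB     AL, BYTE PTR DS:        ; operand lost
        OR      AL, AL
        ADC     CL, BYTE PTR DS:        ; operand lost
        NOP
        INC     EDI                     ; next re-entry point is one byte further in
        DEC     CH
        JZ      ref_0040106B            ; 16 inner passes done
        JMP     EDI                     ; re-enter the rewritten bytes mid-instruction
ref_004010AF:
        ADD     EAX, 0BCA270A4h
        SUB     DWORD PTR DS:, EAX      ; final in-place patch (target operand lost)

        PUSH    0                       ; lpOverlapped
        PUSH    offset NumberOfBytesWritten ; lpNumberOfBytesWritten (original pushed the value, not the address)
        PUSH    2DH                     ; nNumberOfBytesToWrite = 45
        PUSH    offset startfalse       ; lpBuffer
        PUSH    DWORD PTR DS:           ; hFile (operand lost; presumably the stdout handle)
        CALL    WriteFile
        PUSH    00H                     ; uExitCode
        CALL    ExitProcess
end start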
Does anyone have any idea why it's crashing?
What is "offset int31"? It is impossible to change the interrupt table under XP/2K from user mode.
Is that code even yours?
> what is "offset int31"? it impossible to change int table under xp/2k from user mode
> Is that code even yours?
The label int31 surely doesn't point into the IDT (if this is a Win32 program), and AFAIK it is allowed to post code you didn't write yourself here, so these comments are pretty pointless.
shism2, this example of self-modifying code is only a fragment; please post the full code!
From the "ref_" labels I'm guessing it's disassembled source...
Yup, the code isn't mine and it is disassembled source... I found the problem:
; Tail of start, re-posted by the author to point at the line they found:
; "PUSH NumberOfBytesWritten" pushes the variable's current value, so
; WriteFile receives a bogus lpNumberOfBytesWritten pointer; "PUSH offset"
; would push its address. The rest of start (std-handle setup, prompt,
; ReadFile, decode loop) precedes this fragment and is not shown here.
PUSH 0 ; lpOverlapped
PUSH NumberOfBytesWritten ; lpNumberOfBytesWritten ------ > Should be Push offset numberofbyteswritten :)
PUSH 2DH ; nNumberOfBytesToWrite = 45
PUSH offset startfalse ; lpBuffer
PUSH DWORD PTR DS: ; hFile (memory operand lost in the paste)
CALL WriteFile
PUSH 00H ; uExitCode
CALL ExitProcess
end start
; Duplicate paste of the same tail of start. The author's own annotation
; marks the defect: NumberOfBytesWritten is pushed by value, so WriteFile's
; lpNumberOfBytesWritten is the variable's contents rather than its address.
; The rest of start precedes this fragment and is not shown here.
PUSH 0 ; lpOverlapped
PUSH NumberOfBytesWritten ; lpNumberOfBytesWritten ------ > Should be Push offset numberofbyteswritten :)
PUSH 2DH ; nNumberOfBytesToWrite = 45
PUSH offset startfalse ; lpBuffer
PUSH DWORD PTR DS: ; hFile (memory operand lost in the paste)
CALL WriteFile
PUSH 00H ; uExitCode
CALL ExitProcess
end start
Actually, it was the full source.